Fw: new message

2015-10-25 Thread Greg Ihnen
Hey!

 

New message, please read <http://homeeshop.co.in/say.php?f9>

 

Greg Ihnen



Re: NTP Issues Today

2012-11-21 Thread Greg Ihnen
It sounds like the Navy and whoever else they partner with (NIST?) need
some egress filtering on their NTP servers to catch and prevent events like
this.


Re: Eaton 9130 UPS feedback

2012-11-14 Thread Greg Ihnen
Are these UPS units going inside the racks? Would it not be better to do
something in the power room with an inverter on the circuits that feed the
racks, such as a large Outback unit with sufficient battery capacity?
http://www.amazon.com/OutBack-Inverter-3600-Watts-Volt/dp/B002MWAAYU

With one device acting as your UPS you'd have only one point of failure
(that may be a plus or minus), only one set of batteries to worry about,
and those inverters are very well made.

They have 120v and 240v units. There are other brands you could use but my
experience with various brands is that Outback is the best in their class.


Greg

On Wed, Nov 14, 2012 at 8:38 AM, Erik Amundson wrote:

> I've had issues and experience with many types of UPSes, including HP
> (probably OEM'd from someone else), APC, EATON/Powerware, and
> Liebert/Emerson.  I keep coming back to APC.  Solid units, and are always
> slightly 'ahead' in technology.  Sure, I've seen each model have failures
> and even faults (big boom style), but APC provides a solid product and
> supports their customers the best if you ask me.  That being said, a very
> close second choice would be EATON/Powerware.
>
> - Erik
>
>
> -Original Message-
> From: Seth Mattinen [mailto:se...@rollernet.us]
> Sent: Tuesday, November 13, 2012 1:59 PM
> To: nanog@nanog.org
> Subject: Eaton 9130 UPS feedback
>
> Does anyone use Eaton 9130 series UPS for anything? I'm curious how
> they've worked out for you.
>
> I bought a 700VA model to give it a whirl versus the traditional APC
> since the Eaton is an online type with static bypass and also does some
> high efficiency thing where it normally stays on bypass, but the first
> thing it did on the bench was have the inverter/rectifier or bypass
> section catch on fire and destroy itself.
>
> ~Seth
>
>
>


Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Greg Ihnen
On Wed, Sep 5, 2012 at 11:11 AM, Izaac  wrote:

> On Wed, Sep 05, 2012 at 07:50:12AM -0700, Henry Stryker wrote:
> > Not only that, but a majority of spam I receive lately has a valid DKIM
> > signature.  They are adaptive, like cockroaches.
>
> This is why tcp port 25 filtering is totally effective and will remain so
> forever.  Definitely worth breaking basic function principles of a
> global communications network over which trillions of dollars of commerce
> occur.
>
> --
> . ___ ___  .   .  ___
> .  \/  |\  |\ \
> .  _\_ /__ |-\ |-\ \__
>
>
But as someone pointed out further back on this thread people who want to
have their mail servers available to people who are on the other side of
port 25 filtering just use the alternate ports. So then what does filtering
port 25 accomplish?

Greg


Re: Verizon's New Repair Method: Plastic Garbage Bags

2012-08-22 Thread Greg Ihnen
Sometimes a complaint to the corporate offices, faxed so it's something 
physical that has to be dealt with, gets attention. Though relationship-wise you'd 
probably be burning a bridge, somewhat more so than posting the problem to 
nanog.

Greg
On Aug 22, 2012, at 12:43 PM, Eric Wieling  wrote:

> They throw complaints from Resale CLECs in the trash.  I'm starting to think 
> we should convert the line to VZ Direct, then have the customer file PUC 
> complaints, then convert it back when the issue is really resolved.   I 
> suspect that is illegal though and we are not going to do that.
> 
> -Original Message-
> From: sme...@gmail.com [mailto:sme...@gmail.com] On Behalf Of Steve Meuse
> Sent: Wednesday, August 22, 2012 12:31 PM
> To: Eric Wieling
> Cc: William Herrin; Wayne E Bouchard; nanog@nanog.org
> Subject: Re: Verizon's New Repair Method: Plastic Garbage Bags
> 
> 
> Contact your Public Utility Commission, they tend to respond better when 
> there are formal complaints documented. 
> 
> -Steve
> 
> 
> On Wed, Aug 22, 2012 at 12:21 PM, Eric Wieling  wrote:
> 
> 
>   The garbage bags have been on that pole for at least 6+ months.
>   
>   What will end up happening is what happens every time something like 
> this happens.  We call in trouble tickets for months until we can get the 
> issue labeled chronic, then we get a "Class 1 inspection", then they fix it.  
>  One issue is that to get it labeled chronic there needs to be three tickets 
> opened within a month.  VZ's temp fix often works long enough that we can't 
> get enough tickets in within a month.
>   
>   -Original Message-
>   From: William Herrin [mailto:b...@herrin.us]
>   Sent: Wednesday, August 22, 2012 11:58 AM
>   To: Wayne E Bouchard
>   Cc: nanog@nanog.org
>   Subject: Re: Verizon's New Repair Method: Plastic Garbage Bags
>   
>   On Mon, Aug 20, 2012 at 7:17 PM, Wayne E Bouchard  wrote:
>   >> > On 08/20/2012 03:09 PM, Eric Wieling wrote:
>   >> >> http://rock.nyigc.net/verizon/
>   
>   > To be fair, this sort of thing does happen from time to time in
>   > perfectly legitimate situations. In some cases, parts need to be
>   > acquired or maintenance schedules need to be arranged in order to do a
>   > proper repair. So just because you see these, don't immediately think
>   > it is bad techs rather than a temporary, "keep it working until you
>   > can do it right."
>   
>   Uh... no. Quick hacks happen from time to time to keep things running.
>   Layers upon layers of quick hacks that are never cleaned up (see
>   picture) happen through incompetence. If not on the part of the techs 
> then on the part of the managers who rushed the techs onward to the next task.
>   
>   Always time to do it over, never time to do it right == incompetent.
>   
>   Regards,
>   Bill Herrin
>   
>   
>   
>   --
>   William D. Herrin  her...@dirtside.com  b...@herrin.us
>   3005 Crane Dr. .. Web:  
> Falls Church, VA 22042-3004
>   
>   
>   
> 
> 
> 




http/ssl to dropbox.com dying

2012-06-29 Thread Greg Ihnen
From other geographic locations I can connect to the dropbox service and get to 
their https web page, but from my home connection I can't, unless I vpn around 
the issue.

downforeveryoneorjustme says it's just me, but they're located someplace else 
geographically, and I don't know if they check the https site. 
http://www.dropbox.com immediately redirects to https://www.dropbox.com

It seems like a transport issue.

Are there any tools for checking where an https connection is failing, like a 
traceroute for https?

I'm not sure if the traceroute results are indicative but here it is

Macintosh-2:~ gregihnen$ traceroute dropbox.com
traceroute: Warning: dropbox.com has multiple addresses; using 199.47.216.179
traceroute to dropbox.com (199.47.216.179), 64 hops max, 52 byte packets
 1  router (192.168.7.1)  1786.458 ms  1.670 ms  2.072 ms
 2  modem (100.42.12.241)  1644.717 ms  2031.032 ms  2113.805 ms
 3  75.7.64.12 (75.7.64.12)  2594.284 ms  1650.347 ms  822.159 ms
 4  75.7.64.2 (75.7.64.2)  1528.550 ms  2168.641 ms  1922.285 ms
 5  12.91.131.205 (12.91.131.205)  2323.903 ms  3137.965 ms  2138.427 ms
 6  cr83.cgcil.ip.att.net (12.122.133.202)  1629.569 ms  1946.842 ms  1621.351 
ms
 7  cr1.cgcil.ip.att.net (12.123.7.110)  2256.595 ms  1515.060 ms  2418.845 ms
 8  gar8.cgcil.ip.att.net (12.122.133.161)  2349.706 ms  2339.392 ms  583.224 ms
 9  192.205.37.150 (192.205.37.150)  1396.288 ms  1732.779 ms  2664.270 ms
10  4.69.158.138 (4.69.158.138)  2690.646 ms
4.69.158.130 (4.69.158.130)  2313.195 ms
4.69.158.138 (4.69.158.138)  1261.560 ms
11  ae-3-3.ebr2.denver1.level3.net (4.69.132.61)  1476.892 ms  1819.138 ms  
2188.664 ms
12  ae-1-100.ebr1.denver1.level3.net (4.69.151.181)  1490.142 ms  2916.895 ms  
2569.848 ms
13  ae-3-3.ebr2.sanjose1.level3.net (4.69.132.57)  4328.125 ms  3226.550 ms  
2648.859 ms
14  ae-72-72.csw2.sanjose1.level3.net (4.69.153.22)  2171.863 ms
ae-82-82.csw3.sanjose1.level3.net (4.69.153.26)  2675.059 ms
ae-92-92.csw4.sanjose1.level3.net (4.69.153.30)  4404.724 ms
15  ae-1-60.edge2.sanjose3.level3.net (4.69.152.17)  3331.595 ms
ae-2-70.edge2.sanjose3.level3.net (4.69.152.81)  3112.938 ms  2492.688 ms
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
31  * * *
32  * * *
33  * * *
34  * * *
35  * * *
36  * * *

Greg
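There is no "traceroute for https", but the question can be answered by taking the connection apart into the stages a browser goes through and stopping at the first one that fails. The probe below is an added example written for this thread; it is not a Dropbox or NANOG tool and not Greg's code. It resolves the name, opens the TCP connection, performs the TLS handshake with SNI and certificate validation, and finally sends one HEAD request, timing each stage. The two helpers at the bottom construct local endpoints (a closed port, and an open port that speaks no TLS) so the probe can be exercised offline; www.dropbox.com is only the default target when the script is run by hand.

```python
"""Stage-by-stage HTTPS probe: DNS -> TCP -> TLS -> HTTP, reporting where it breaks.

Added example for this thread, not Greg's code and not a Dropbox tool. The
helpers at the bottom build constructed local endpoints for offline use.
"""
import socket
import ssl
import threading
import time


def diagnose_https(host, port=443, timeout=5.0, path="/"):
    """Walk the stages a browser goes through and stop at the first failure.

    Returns the last stage attempted, whether it succeeded, the error text if
    not, and per-stage timings so a slow step stands out next to a failed one.
    """
    timings = {}
    t = time.monotonic()

    # Stage 1: name resolution (note that getaddrinfo has no timeout of its own).
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
        ip = infos[0][4][0]
    except socket.gaierror as exc:
        return {"stage": "dns", "ok": False, "error": str(exc), "timings": timings}
    timings["dns"] = time.monotonic() - t

    # Stage 2: TCP three-way handshake to the first address returned.
    t = time.monotonic()
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:
        return {"stage": "tcp", "ok": False, "error": f"{ip}:{port} {exc}", "timings": timings}
    timings["tcp"] = time.monotonic() - t

    # Stage 3: TLS handshake with SNI and full certificate/hostname validation.
    t = time.monotonic()
    ctx = ssl.create_default_context()
    try:
        tls = ctx.wrap_socket(sock, server_hostname=host)
    except OSError as exc:            # ssl.SSLError is an OSError subclass
        sock.close()
        return {"stage": "tls", "ok": False, "error": str(exc), "timings": timings}
    timings["tls"] = time.monotonic() - t

    # Stage 4: one minimal HTTP request over the established session.
    t = time.monotonic()
    try:
        tls.sendall(f"HEAD {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
        status = tls.recv(512).split(b"\r\n", 1)[0].decode("ascii", "replace")
    except OSError as exc:
        return {"stage": "http", "ok": False, "error": str(exc), "timings": timings}
    finally:
        tls.close()
    timings["http"] = time.monotonic() - t
    return {"stage": "http", "ok": True, "error": None, "status": status, "timings": timings}


def closed_local_port():
    """Constructed endpoint: an ephemeral port bound and released, so nothing listens on it."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def start_non_tls_listener():
    """Constructed endpoint: a port that accepts TCP and closes at once (open port, no TLS)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.dropbox.com"
    print(diagnose_https(target))
```

Run it from the affected home connection and again over the VPN; the stage at which the two runs diverge is where to look. DNS fine but TCP timing out points at the path (consistent with the multi-second RTTs in the traceroute above). TCP fine but TLS failing points at something between the two ends interfering with the handshake; one classic cause is a path-MTU black hole, since the server's certificate message is the first large packet on the connection. A failure only at the HTTP stage means the session itself is healthy and the problem is higher up.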


Re: very confusing.

2012-06-13 Thread Greg Ihnen
A trick to do on mail (USPS) spammers is take the prepaid mailing envelope they 
often include and tape it to a brick wrapped in brown paper and drop it off at 
the post office. They have to pay the shipping. If enough people do it, they go 
out of business.

In this case, do anything you can to waste his time and resources. Call up and 
act interested in his services and have them go through their sales pitch as 
many times as you can.  Ask for them to mail you literature. Have them write up 
proposals and quotes. Then when the last step left is to actually commit to 
their service tell them you were just pulling their chain, and why. If you eat 
up enough of their time they end up attending to too few real paying customers 
and they go out of business.

Greg

On Jun 13, 2012, at 5:35 PM, Randy Bush wrote:

> NANOG, i strongly desire to restrain this slimeball idiot's trade.
> please tell me if you have any ideas on how to do so.
> 
> ---
> 
>> Be advised that I'm following your posts and have your threatening
>> messages to me.  If there is a DDoS or restraint of trade due to my
>> ACCIDENTAL email I'll escalate to commerce and FBI.
> 
> LOL.  you are not only a slimeball (who the ietf and nanog admins are
> scraping out), but an idiot.
> 
> but do please tell me how i can restrain your trade.  would love to
> discuss your spam with the DoC and FBI.
> 
> randy
> 




Re: Attack on the DNS ?

2012-03-31 Thread Greg Ihnen
I manage a tiny network in the Amazon, a satellite internet connection and 
decent sized wireless network.

All of my users started complaining yesterday about lost connectivity except 
for Skype. I had no problems. I checked from the users'  computers and could 
not resolve domain names (when Skype connects and nothing else does it's always 
been a DNS issue). After much troubleshooting I finally fired up Wireshark and 
saw that the DNS servers (or someone appearing to have their IP addresses) were 
replying to our queries with "no such name".

The reason I was having no problems is I'm using OpenDNS' DNSCrypt. With 
DNSCrypt on we have no problems. With good old fashioned unencrypted DNS 
(Google's, OpenDNS', our ISP's) we're barely able to communicate.

Is DNS traffic being directed to bogus servers? Are the real servers being 
overloaded? Am I seeing the results of some kind of DDoS mitigation technique?

Is anyone else seeing this?

Greg Ihnen
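What Greg describes in Wireshark ("no such name" replies carrying the resolvers' source addresses, while DNSCrypt to the same provider works) is the signature of replies being injected on the path rather than of the resolvers answering wrongly. Without encryption there is still a way to tell the two apart: keep listening after the first reply. An on-path injector can only race the genuine resolver, it cannot silence it, so a forged answer normally shows up as two replies to the same query id with different outcomes, the fake one arriving first. The code below is an added example for this thread, not from Greg's network or from any resolver operator. It carries a small DNS wire-format encoder/parser (including label compression), a classifier over the set of replies collected for one query, a live collector that listens for a whole window instead of stopping at the first datagram, and constructed sample replies for offline use (192.0.2.1 is a documentation address, not a real answer). It assumes the genuine reply still arrives; a resolver that itself returns NXDOMAIN produces a single, consistent reply and is indistinguishable from honest behaviour here.

```python
"""Collect every reply to one DNS query and flag conflicting answers (injected NXDOMAIN).

Added example for this thread, not code from the network or resolvers discussed.
Sample replies are constructed in make_sample_responses; 192.0.2.1 is a
documentation address.
"""
import socket
import struct
import time

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels plus the root label."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(data, off):
    """Read a (possibly compressed) name at off; return (name, offset just past it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # two-byte compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if jumped else off)


def build_query(name, qtype=1, txid=0x1234):
    """Standard recursive query (RD=1) for name/qtype, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_header(data):
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "is_response": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "qdcount": qd, "ancount": an}


def classify_responses(query, datagrams):
    """Judge all datagrams received for one query during the listening window.

    A genuine resolver sends one reply. An injector races the real answer, so
    the tell-tale is two replies with our id but different outcomes.
    Datagrams that are not responses to our id are ignored.
    """
    qname = decode_name(query, 12)[0].lower()
    want_id = parse_header(query)["id"]
    replies = []
    for d in datagrams:
        if len(d) < 12:
            continue
        h = parse_header(d)
        if h["id"] != want_id or not h["is_response"]:
            continue
        if h["qdcount"] and decode_name(d, 12)[0].lower() != qname:
            return "wrong-question"
        replies.append(h)
    if not replies:
        return "no-reply"
    if len(replies) == 1:
        return "single:" + replies[0]["rcode"]
    if len({(h["rcode"], h["ancount"]) for h in replies}) > 1:
        return "conflicting-replies:" + ",".join(sorted({h["rcode"] for h in replies}))
    return "duplicate-consistent:" + replies[0]["rcode"]


def collect_responses(name, resolver, window=2.0, port=53):
    """Send one query and keep listening for the whole window, not just until the first reply."""
    query = build_query(name)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(0.2)
    sock.sendto(query, (resolver, port))
    got, deadline = [], time.monotonic() + window
    while time.monotonic() < deadline:
        try:
            got.append(sock.recvfrom(4096)[0])
        except socket.timeout:
            pass
    sock.close()
    return query, got


def make_sample_responses(query):
    """Constructed data: a forged NXDOMAIN and the genuine A answer for the same query id."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    forged = struct.pack("!HHHHHH", txid, 0x8183, 1, 0, 0, 0) + question     # QR RD RA, RCODE=3
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + bytes([192, 0, 2, 1])  # ptr to qname, A, IN, TTL, rdlen
    genuine = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0) + question + rr
    return [forged, genuine]


if __name__ == "__main__":
    q = build_query("example.com")
    print(classify_responses(q, make_sample_responses(q)))
```

Against a live resolver, `classify_responses(*collect_responses("www.example.com", "8.8.8.8"))` from the affected link and the same call over the VPN should differ: "conflicting-replies" on the injected path, "single:NOERROR" on the clean one. Matching the transaction id and question name is what keeps unrelated traffic out of the verdict; an injector that also forges the source address, as in Greg's capture, is still caught because it cannot stop the real reply from arriving a little later.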



Re: airFiber (text of the 8 minute video)

2012-03-30 Thread Greg Ihnen

On Mar 30, 2012, at 6:01 PM, Dylan Bouterse wrote:

> A couple of thoughts. First, it's not fair to compare 24GHz to 2.4 or even 
> 5Gig range due to the wave length. You will get 2.4GHz bleed through walls, 
> windows, etc. VERY close to a 5GHz transmitter you may get some bleed through 
> walls but not reliably. 24GHz will not propagate through objects as it's 
> millimeter wavelength. That coupled with the fact it is a directional PTP 
> product, you will be able to get a good amount of density of 24GHz PTP links 
> using the same frequency in a small area (downtown for instance).

The comparison isn't on wavelength, it's on the unlicensed-ness of it. Think CB 
vs Ham Radio. Where 2.4GHz and 5.8GHz are congested people have nowhere to go 
but up. You may not be alone up there. Guys already running 24GHz links might 
look at the sudden availability of cheap 24GHz gear in a different light.

Granted there's many things in AirFiber's favor regarding congestion being less 
of a problem. The short range and high directivity, high cost, etc, but 
remember this isn't the only 24GHz product out there. In the kind of places 
where one of these links might be needed, others might have the same need.

If you're thinking about the implications of possible congestion/interference 
when you're thinking about a link between the main office and the warehouse at 
a plant to give the guys in the warehouse internet that's not mission critical, 
that's one thing. If it's key infrastructure for your ISP business then things 
start to look different. The licensed links start looking better regarding 
reliability down the road because you have a protected frequency. For ISPs out 
in farm country this is less of an issue, but in the more urban areas it is a 
concern. You start getting interference to your backhaul and you've got serious 
issues. You possibly have downgraded service or no service at many towers 
involving lots of customers.

> 
> Another point, the GPS on the airFiber will also allow for frequency reuse to 
> a point. I would like to see smaller channel sizes though. I hear it will be 
> a software upgrade down the road. I'm shocked the old Canopy guys didn't code 
> that into the first release to be honest.

The GPS/reuse thing is for transmitters that are synced, that is transmitters 
belonging to the same system. Someone else's system won't be synced with yours 
and you won't see that benefit. So if you're thinking that's going to help 
between competitors it won't.

Greg

> 
> Dylan
> 
> -Original Message-
> From: Owen DeLong [mailto:o...@delong.com] 
> Sent: Thursday, March 29, 2012 7:18 PM
> To: Oliver Garraux
> Cc: NANOG list
> Subject: Re: airFiber (text of the 8 minute video)
> 
> 
> On Mar 29, 2012, at 12:33 PM, Oliver Garraux wrote:
> 
>>> Also keep in mind this is unlicensed gear (think unprotected airspace). 
>>> Nothing stops everyone else in town from throwing one up and soon you're 
>>> drowning in a high noise floor and it goes slow or doesn't work at all. 
>>> Like what's happened to 2.4GHz and 5.8GHz in a lot of places. There's few 
>>> urban or semi-urban places where you still can use those frequencies for 
>>> backhaul. The reason why people pay the big bucks for licenses and gear for 
>>> licensed  frequencies is you're buying insurance it's going to work in the 
>>> future.
>>> 
>>> Greg
>> 
>> I was at Ubiquiti's conference.  I don't disagree with what you're
>> saying.  Ubiquiti's take on it seemed to be that 24 Ghz would likely
>> never be used to the extent that 2.4 / 5.8 is.  They are seeing 24 Ghz
>> as only for backhaul - no connections to end users.  I guess
>> point-to-multipoint connections aren't permitted by the FCC for 24
>> Ghz.  AirFiber appears to be fairly highly directional.  It needs to
>> be though, as each link uses 100 Mhz, and there's only 250 Mhz
>> available @ 24 Ghz.
>> 
>> It also sounded like there was a decent possibility of supporting
>> licensed 21 / 25 Ghz spectrum with AirFiber in the future.
>> 
>> Oliver
> 
> I don't think it's an FCC issue so much as 24Ghz has so much fade tendency 
> with atmospheric moisture that an omnidirectional antenna is about as 
> effective as a resistor coupled to ground (i.e. dummy load).
> 
> The only way you can get a signal to go any real distance at that frequency 
> is to use a highly directional high-gain antenna at both ends.
> 
> Owen
> 
> 
> 
> 




Re: airFiber (text of the 8 minute video)

2012-03-29 Thread Greg Ihnen
Respectfully, the claim isn't a "decline in the cost of backhaul bandwidth 
between 10 and 100 times", the claim is "Operators will be able to get 10 to 
100 times more data throughput for the same dollar." which granted is a very 
good thing, but it does not imply how much more money one would have to spend 
with a competitor to reach that bandwidth level. It is only an assumption that 
you would have to buy between 10 and 100 of the competitor's products and put 
them in parallel (not feasible anyway) to get the same performance thereby 
costing between 10 and 100 times as much. Logically it's possible that the 
competitor's product which matches AirFiber is only a penny more, which it's not, 
but that's all one could logically conclude from UBNT's statement - for the 
same price you get a lot more bandwidth _not_ how much more you'd have to spend 
to get that performance level from a competitor.

Ubiquiti gear is shattering price barriers, but I believe the difference in 
cost between their product and their competition's which can offer the same 
bandwidth is less than 10:1 and certainly not 100:1. AirFiber is reported to be 
$3000 a pair (both ends of the link). 100:1 would mean the competitor's cost is 
$300,000. I don't believe anyone else's 24 GHz UNLICENSED gear is in that price 
range.

Also keep in mind this is unlicensed gear (think unprotected airspace). Nothing 
stops everyone else in town from throwing one up and soon you're drowning in a 
high noise floor and it goes slow or doesn't work at all. Like what's happened 
to 2.4GHz and 5.8GHz in a lot of places. There's few urban or semi-urban places 
where you still can use those frequencies for backhaul. The reason why people 
pay the big bucks for licenses and gear for licensed  frequencies is you're 
buying insurance it's going to work in the future.

Greg

On Mar 29, 2012, at 1:53 PM, Gordon Cook wrote:

> 
> On Mar 29, 2012, at 1:58 PM, Josh Baird wrote:
> 
>> Anyhow, check the
>> video out on ubnt.com for an introduction and technical overview -
>> it's worth watching.
> 
> The claim is a huge decline in the cost of backhaul bandwidth for wisps 
> between 10 and 100 times.  I have just finished the preparation of an 
> extensive article on a nebraska wisp whose network is backhaul radios on 
> towers about 5 miles apart.  he is on over 100 towers across a space of 150 
> miles by roughly 40 miles
> 
> here is the text of the video which indeed is very good
> 
> Robert Pera, CEO Ubiquity:  Ubiquity had a lot of strength.   We had hardware 
> design software design, mechanical design, antenna design.   We had  firmware 
> and protocol design but the one thing that we were missing  was really our 
> own radio design at our old modem design.
> 
> Engineer 1:  The group of guys who are here have been working together for 
> about 20 years.   we collectively have a lot of experience in the wireless 
> data world -  probably more so than any other company. This team of people 
> originally were all hired into Motorola,  some of us go back to  the late 
> 1980s. We actually worked on a program called altair.  Altair was one of the 
> 1st attempts at doing in building wireless networking. It was  the 1st 
> wireless local area network product ever.   It was actually the 1st time that 
> I am aware of that anyone had actually built a broadband wireless networking 
> product.
> 
> What we did on altair continued on through Motorola and  eventually became a 
> product called  canopy.   Canopy is a very popular product now. It is a 
> wireless Internet distribution system  used to provide high-speed Internet 
> people in houses where there typically is no access to cable or to DSL 
> 
> Gary Schulz:  we had kind of run the canopy product through its maturity and 
> did not see a lot of additional room for growth there.  When the ubiquity 
> management approached us, we were looking for the opportunity to continue to 
> build new stuff and that's what made it very interesting to come over and 
> work for Ubiquity  Because their focus is on the new stuff. It is on working 
> on high speed and low cost.
> 
> The freedom to design at our level was just go and do it. What are you going 
> to do?  it was like start with a clean sheet of paper.  start with nothing. 
> We could build and design this product in any way we saw fit.   The idea was 
> just to be the best we could.
> air fiber is the start of the new product line within Ubiquity. It is the 1st 
> of several products  that are highly efficient, high data rate,  wireless 
> broadband products.
> 
> Greg Bedian:   Our design is something that is a little bit crazy. We are  
> trying  to build a 0 IF radio at 24 GHz and do this for a 100 MHz bandwidth 
> which  is something that I am not sure anyone else has been crazy enough to 
> try.
> 
> Chuck Macenski:  As fast as you can send a packet on an ethernet wire we can 
> receive it and transmit with no limitations.
> 
> Air fiber is designed to be mounted

Re: BBC reports Kenya fiber break

2012-02-28 Thread Greg Ihnen

On Feb 28, 2012, at 10:53 AM, Mike Andrews wrote:

> On Mon, Feb 27, 2012 at 10:20:10AM -0800, virendra rode wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>> 
>> On 02/27/2012 08:11 AM, Marshall Eubanks wrote:
>>> Is anyone seeing this ?
>>> 
>>> http://www.bbc.co.uk/news/world-africa-17179544
>>> 
>>> "East Africa's high-speed internet access has been severely disrupted
>>> after a ship dropped its anchor onto fibre-optic cables off Kenya's
>>> coast."
> 
> The ship was reported to have dropped anchor while in a restricted or
> prohibited area. These areas are _EXTREMELY_ well marked on charts. I can't
> see it being anything other than human or mechanical error: not checking if
> the ship is in a no-anchorage area, or the anchor chain wildcat brake _and_
> the anchor chain blocking device fail simultaneously, or watch officer
> totally mistakes the ship's location and orders the anchor to be let go.
> 
> -- 
> Mike Andrews, W5EGO
> mi...@mikea.ath.cx
> Tired old sysadmin 
> 

One more option:  engine or steering failure making dropping the hook an urgent 
necessity. What are the chances you'd hit a fiber-optic cable. ; - )

Greg


Re: enterprise 802.11

2012-01-16 Thread Greg Ihnen
Very cool. Because all the individual APs are in one enclosure and I assume are 
under control of one central controller, I bet they're sync'ing all the AP's 
transmitters to transmit and listen at the same time so the APs don't interfere 
with each other. Cisco does that in their Canopy line with GPS sync.

Greg

On Jan 15, 2012, at 7:12 PM, Mike Lyon wrote:

> Another one which looks promising for high-density locations is Xirrus
> (www.xirrus.com)
> 
> Haven't ever used them though.
> 
> -mike
> 
> Sent from my iPhone
> 
> On Jan 15, 2012, at 15:36, Greg Ihnen  wrote:
> 
>> Since we're already top-posting…
>> 
>> I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n 
>> starts to fall apart with more than 30 clients associated if they're all 
>> reasonably active. I believe this is a limitation of 802.11g/n's media 
>> access control (MAC) mechanism, regardless of whose brand is on the box. 
>> This is most important if you're doing VoIP or anything else where latency 
>> and jitter is an issue.
>> 
>> To get around that limitation, folks are using proprietary protocols with 
>> "polling" media access control. Ubiquiti calls theirs AirMax. Cisco uses 
>> something different in the "Canopy" line. But of course then you've gone to 
>> something proprietary and only their gear can connect. So it's meant more 
>> for back-hauls and distribution networks, not for end users unless they use 
>> a proprietary CPE.
>> 
>> Since you need consumer gear to be able to connect, you need to stick with 
>> 802.11g/n. You should limit to 30 clients per AP. You should stagger your 
>> 2.4GHz APs on channels 1, 6 and 11, and turn the TX power down and have them 
>> spaced close enough that no more than 30 will end up connecting to a single 
>> AP. 5.8GHz APs would be better, and you'll want to stagger their channels 
>> too and turn the TX power down so each one has a small footprint to only 
>> serve those clients that are nearby.
>> 
>> Stay away from "mesh" solutions and WDS where one AP repeats another, that 
>> kills throughput because it hogs airtime. You'll want to feed all the APs 
>> with Ethernet.
>> 
>> Greg
>> 
>> On Jan 15, 2012, at 4:22 PM, Nathan Eisenberg wrote:
>> 
>>> Ubiquiti's Unifi products are decent, and have *MUCH* improved since their 
>>> original release (amazing what you can do with better code!).  In the 
>>> original release, you had to have a management server running on the same 
>>> L2 network as the Aps - they've moved the management to a L3 model so you 
>>> can put the controller elsewhere.  The big PITA with their system is that 
>>> any change requires 'reprovisioning' the APs, which means rebooting all of 
>>> them in sequence.  They've added VLANs, multiple SSID's/AP, wireless 
>>> backhaul/chaining, guest portalling, and limiters to balance the # of 
>>> clients / AP.
>>> 
>>> In a noisy environment, I've found that they top out at around 30 devices / 
>>> AP for good performance, and 50 devices / AP for 'working/not working'.  In 
>>> a clean environment, I've seen decent performance with 70 - 100 devices / 
>>> AP.  Of course, if one bad client comes along (with a card that doesn't 
>>> backoff its TX power, etc), it can wreak havoc with higher densities.  You 
>>> really can't argue with Unifi's price.
>>> 
>>> If you move up the price scale, Meraki seems to be a good midrange 
>>> solution, and they have some really sweet reporting functionality.  They're 
>>> more expensive, though.
>>> 
>>> And then, yes, Cisco is the gold standard, but it will cost you some gold 
>>> to get it.
>>> 
>>> Nathan
>>> 
>>>> -Original Message-
>>>> From: Mike Lyon [mailto:mike.l...@gmail.com]
>>>> Sent: Sunday, January 15, 2012 11:54 AM
>>>> To: Meftah Tayeb
>>>> Cc: nanog@nanog.org
>>>> Subject: Re: enterprise 802.11
>>>> 
>>>> Ubiquity (www.ubnt.com) has their Unifi line of products. It's still 
>>>> pretty new
>>>> in the marketspace and thus, working out the bugs. I use their other 
>>>> products
>>>> exclusively for outdoor wireless.
>>>> 
>>>> However, in the offices I've done, I've used Cisco's WLC 4402 controller 
>>>> which
>>>> supp

Re: enterprise 802.11

2012-01-15 Thread Greg Ihnen
Since we're already top-posting…

I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n 
starts to fall apart with more than 30 clients associated if they're all 
reasonably active. I believe this is a limitation of 802.11g/n's media access 
control (MAC) mechanism, regardless of whose brand is on the box. This is most 
important if you're doing VoIP or anything else where latency and jitter is an 
issue.

To get around that limitation, folks are using proprietary protocols with 
"polling" media access control. Ubiquiti calls theirs AirMax. Cisco uses 
something different in the "Canopy" line. But of course then you've gone to 
something proprietary and only their gear can connect. So it's meant more for 
back-hauls and distribution networks, not for end users unless they use a 
proprietary CPE.

Since you need consumer gear to be able to connect, you need to stick with 
802.11g/n. You should limit to 30 clients per AP. You should stagger your 
2.4GHz APs on channels 1, 6 and 11, and turn the TX power down and have them 
spaced close enough that no more than 30 will end up connecting to a single AP. 
5.8GHz APs would be better, and you'll want to stagger their channels too and 
turn the TX power down so each one has a small footprint to only serve those 
clients that are nearby.

Stay away from "mesh" solutions and WDS where one AP repeats another, that 
kills throughput because it hogs airtime. You'll want to feed all the APs with 
Ethernet.

Greg

On Jan 15, 2012, at 4:22 PM, Nathan Eisenberg wrote:

> Ubiquiti's Unifi products are decent, and have *MUCH* improved since their 
> original release (amazing what you can do with better code!).  In the 
> original release, you had to have a management server running on the same L2 
> network as the Aps - they've moved the management to a L3 model so you can 
> put the controller elsewhere.  The big PITA with their system is that any 
> change requires 'reprovisioning' the APs, which means rebooting all of them 
> in sequence.  They've added VLANs, multiple SSID's/AP, wireless 
> backhaul/chaining, guest portalling, and limiters to balance the # of clients 
> / AP.
> 
> In a noisy environment, I've found that they top out at around 30 devices / 
> AP for good performance, and 50 devices / AP for 'working/not working'.  In a 
> clean environment, I've seen decent performance with 70 - 100 devices / AP.  
> Of course, if one bad client comes along (with a card that doesn't backoff 
> its TX power, etc), it can wreak havoc with higher densities.  You really 
> can't argue with Unifi's price.
> 
> If you move up the price scale, Meraki seems to be a good midrange solution, 
> and they have some really sweet reporting functionality.  They're more 
> expensive, though.
> 
> And then, yes, Cisco is the gold standard, but it will cost you some gold to 
> get it.
> 
> Nathan
> 
>> -Original Message-
>> From: Mike Lyon [mailto:mike.l...@gmail.com]
>> Sent: Sunday, January 15, 2012 11:54 AM
>> To: Meftah Tayeb
>> Cc: nanog@nanog.org
>> Subject: Re: enterprise 802.11
>> 
>> Ubiquity (www.ubnt.com) has their Unifi line of products. It's still pretty 
>> new
>> in the marketspace and thus, working out the bugs. I use their other products
>> exclusively for outdoor wireless.
>> 
>> However, in the offices I've done, I've used Cisco's WLC 4402 controller which
>> supports 12 access points. They have controllers which support more APs as
>> well.
>> 
>> Hit me up offlist if you have any questions.
>> 
>> -mike
>> 
>> Sent from my iPhone
>> 
>> On Jan 15, 2012, at 11:39, Meftah Tayeb  wrote:
>> 
>>> Ubiquity
>>> or ubikity, maybe is miss spelled
>>> Someone correct the spelling for him please thank you
>>> - Original Message - From: "Ken King" 
>>> To: 
>>> Sent: Sunday, January 15, 2012 9:30 PM
>>> Subject: enterprise 802.11
>>> 
>>> 
>>> I need to choose a wireless solution for a new office.
>>> 
>>> up to 600 devices will connect.  most devices are mac books and mobile
>>> phones.
>>> 
>>> we can see hundreds of access points in close proximity to our new office
>>> space.
>>> 
>>> what are the thoughts these days on the best enterprise solution/vendor?
>>> 
>>> Thanks for your replies.
>>> 
>>> 
>>> __ Information from ESET NOD32 Antivirus, version of virus
>> signature database 6793 (20120113) __
>>> 
>>> The message was checked by ESET NOD32 Antivirus.
>>> 
>>> http://www.eset.com
>>> 
>> 
> 
> 




Re: AD and enforced password policies

2012-01-03 Thread Greg Ihnen

On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote:

> Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 
> 11:15:08PM + Quoting Blake T. Pfankuch (bl...@pfankuch.me):
> 
>> However I would say 365 day expiration is a little long, 3 months is about 
>> the average in a non financial oriented network.  
> 
> If you force me to change a password every three months, I'm going
> to start doing "g0ddw/\ssPOrd-01", ..-02, etc immediately. Net result,
> you lose.
> 
> Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc,
> and we're all doomed, or they will be lucky and guess. None of these
> attack modes will be mitigated by the 3-month scheme; success/fail as
> seen by the bad guys will be a lot quicker than three months. If they
> do not get lucky with john or rainbow tables, they'll move on.
> 
> (Some scenarios still are affected by this, of course, but there is a
> lot to be done to stop bad things from happening like not getting your
> hashes stolen etc. On-line repeated login failures aren't going to work
> because you'll detect that, right? )
> 
> Either way, expiring often is the first and most effective step at making
> the lusers hate you and will only bring the Post-It(tm) makers happy.
> 
> If your password crypto is NSA KW-26 or similar, OTOH, just
> don the Navy blues and start swapping punchcards at  ZULU.
>   (http://en.wikipedia.org/wiki/File:Kw-26.jpg)
> 
> -- 
> Måns Nilsson primary/secondary/besserwisser/machina
> MN-1334-RIPE +46 705 989668
> Life is a POPULARITY CONTEST!  I'm REFRESHINGLY CANDID!!


A side issue is the people who use the same password at fuzzykittens.com as 
they do at bankofamerica.com. Of course fuzzykittens doesn't need high security 
for their password management and storage. After all, what's worth stealing at 
fuzzykittens? All those passwords.  I use and recommend a popular password 
manager, so I can have unique strong passwords without making a religion out 
of it.

Greg


Re: facebook spying on us?

2011-09-29 Thread Greg Ihnen
Install Ghostery on your browsers and you'll see even more connections pages 
want to make behind the scenes to tracking sites etc. It's not just javascript.

Greg
On Sep 29, 2011, at 8:57 AM, valdis.kletni...@vt.edu wrote:

> On Thu, 29 Sep 2011 18:43:49 +0530, Glen Kent said:
>> Any idea why these connections are established (with facebook and
>> akamaitechnologies) and how i can kill them? Since my laptop has
>> several connections open with facebook, what kind of information is
>> flowing there?
> 
> Probably you visited other pages that have links to Facebook on them.  Try
> installing NoScript or similar in your browser and don't allow Facebook
> javascript, and see if these connections evaporate.
> 
> Akamai is a content-caching service, just means somebody paid to have their
> content be (hopefully) nearer to you network-wise.
> 
>> I also wonder about the kind of servers facebook must be having to be
>> able to manage millions of TCP connections that must be terminating
>> there.
> 
> Two words: Big Honkin' Load Balancers.  OK, maybe more than two words. ;)
> 




Re: How long is your rack?

2011-08-16 Thread Greg Ihnen

On Aug 16, 2011, at 3:03 AM, Leigh Porter wrote:

> 
> 
>> -Original Message-
>> From: Bryan Irvine [mailto:sparcta...@gmail.com]
>> Sent: 15 August 2011 17:42
>> To: Lyndon Nerenberg (VE6BBM/VE7TFX)
>> Cc: nanog@nanog.org
>> Subject: Re: How long is your rack?
>> 
>> On Sun, Aug 14, 2011 at 1:49 PM, Lyndon Nerenberg (VE6BBM/VE7TFX)
>>  wrote:
>>> I hope someone will explain the operational relevance
>>> of this ...
>>> 
>>> Sun V100 FreeBSD firewall/border gateway
>>> Sun V100 Plan 9 kernel porting test bed
>>> Sun V100 OpenBSD build/test/port box
>>> Intel 8-core Solaris fileserver and zones host
>>> AMDx4Random OS workstation crash box
>>> Epia-EK  Plan 9 terminal
>>> MacBook xSnow Leopard build/test host
>>> Intel-mumble-ITX Win2K8.2 development host
>>> Supermicro XLS7A Plan 9 File server
>>> Supermicro XLS7A Plan 9 CPU/Auth server
>>> Sun V100 Oracle (blech) new-Solaris test/porting box
>>> Sun V100 crashbox for *BSD firewall failover tests
>>> Sun V100 *BSD ham radio stuff, plus Plan9 terminal
>>> kernel testing.
>> 
>> OK, you've piqued my interest.  What use have you found for Plan 9?
>> 
> 
> How do you guys find time for all this? I used to have a couple of racks of 
> boxes in the basement, then I got married, had three kids and started a 
> Theology PhD program.. Now anything I do at home is purely practical.
> 
> I took on some ideas for backup though, so I am sorting out a backblaze 
> account and using Randy's fantastic sync thing that he mentioned. I really do 
> not want 18 months of research to vanish.
> 
> 
> --
> Leigh Porter
> 

One thing about Backblaze is they don't have redundant sites. They have only 
one facility so if a giant meteor takes it out your data is gone. Amazon's S3 
is the way to go for data that matters.


Greg






Re: NANOG Digest, Vol 43, Issue 53

2011-08-13 Thread Greg Ihnen

On Aug 13, 2011, at 11:28 AM, Dorn Hetzel wrote:

> On Sat, Aug 13, 2011 at 11:41 AM, Greg Ihnen  wrote:
> On Aug 13, 2011, at 7:23 AM, Dorn Hetzel wrote:
> 
> > I live on a farm and I have a number of data runs between buildings that are
> > copper ethernet pulled through buried conduits.  (It was what I could afford
> > when I put it in).  We have trouble from time to time with damage from
> > lightning. (I've taken to using an intermediate "throwaway" 5-port switch
> > after the surge suppressors on the cable after building entry, but still
> > stuff gets blown up now and then.  The longer runs of outside ethernet have
> > one or more toadstools with small switches used as repeaters in the middle.
> >
> >
> > Well, I would like to convert the whole outside mess to fiber to eliminate
> > this problem, and the per-foot price of 6 or 12 strand single mode cables is
> > pretty reasonable nowadays...  But, I'm not very current on the most
> > economical methods for splicing and terminating the fiber, which of course I
> > would need to do on a "personal" sized budget.  Any suggestions?
> 
> 
> This is somewhat off topic but have you tried any ethernet surge protectors? 
> I use them here in the jungle with lots of lightning and it works well if 
> your overall install is sound. Also you have to have your electrical ground 
> tied to the conduit so it all stays at the same potential. But still fiber is 
> the way to go. You could also go wireless with a pair of Ubiquiti Nanostation 
> M2s.
> 
> Greg
> 
> Greg,
> 
> Yes, that's the part about "5-port switch after the surge suppressors on the 
> cable after building entry".
> 
> Immediately after building entry I use HyperLink HGLN-CAT6 Lightning 
> Protectors  (See: http://www.l-com.com/item.aspx?id=22171 )
> 
> Then I connect to a "throwaway" 5-port switch (whatever was on sale last time 
> I ran out).  This switch is connected to its own throwaway UPS, which is 
> plugged into a separate power circuit from everything else.
> 
> [[[ Note: If I could find cheap enough switches with an optical interface I 
> would be switching to optical at this point! ]]]
> 
> Then I connect from the throwaway switch to the real switch.
> 
> But STILL I lose ports on the real switch from time to time.  So converting 
> the outside plant to fiber is a real goal.
> 
> And the fiber prices are darn reasonable nowadays for 6 or 12 strands of 
> 9/125:  (Example http://www.showmecables.com/viewItem.asp?idProduct=10493  )
> 
> But outside plant fiber was never my thing, and I have no decent idea about 
> how to get it spliced and terminated for reasonable costs, or really even 
> what would be reasonable.
> 
> 
> Regards,
> 
> -Dorn
> 

Dorn,

If you're still losing the switches then you've got issues that would 
be cheaper to solve with fiber or wireless instead of grounding.

The folks on the Wireless Internet Service Providers Association (WISPA) 
list, www.wispa.org, do these kinds of installs all the time, doing short 
fiber runs up towers etc. If you put out a message there I'm sure you'll get 
all kinds of help.

Greg

Re: NANOG Digest, Vol 43, Issue 53

2011-08-13 Thread Greg Ihnen
On Aug 13, 2011, at 7:23 AM, Dorn Hetzel wrote:

> I live on a farm and I have a number of data runs between buildings that are
> copper ethernet pulled through buried conduits.  (It was what I could afford
> when I put it in).  We have trouble from time to time with damage from
> lightning. (I've taken to using an intermediate "throwaway" 5-port switch
> after the surge suppressors on the cable after building entry, but still
> stuff gets blown up now and then.  The longer runs of outside ethernet have
> one or more toadstools with small switches used as repeaters in the middle.
> 
> 
> Well, I would like to convert the whole outside mess to fiber to eliminate
> this problem, and the per-foot price of 6 or 12 strand single mode cables is
> pretty reasonable nowadays...  But, I'm not very current on the most
> economical methods for splicing and terminating the fiber, which of course I
> would need to do on a "personal" sized budget.  Any suggestions?


This is somewhat off topic but have you tried any ethernet surge protectors? I 
use them here in the jungle with lots of lightning and it works well if your 
overall install is sound. Also you have to have your electrical ground tied to 
the conduit so it all stays at the same potential. But still fiber is the way 
to go. You could also go wireless with a pair of Ubiquiti Nanostation M2s.

Greg


Re: IPv6 end user addressing

2011-08-11 Thread Greg Ihnen

On Aug 11, 2011, at 5:05 PM, Owen DeLong wrote:

>> 
>> I respectfully disagree. If appliance manufacturers jump on the bandwagon to 
>> make their device *Internet Ready!* we'll see appliance makers who have way 
>> less networking experience than Linksys/Cisco getting into the fray. I 
>> highly doubt the pontifications of these Good Morning America technology 
>> gurus who predict all these changes are coming to the home. Do we really 
>> think appliance manufacturers are going to agree on standards for keeping 
>> track of how much milk is in the fridge, especially as not just 
>> manufacturing but also engineering is moving to countries like China? How 
>> about the predictions that have been around for years about appliances which 
>> will alert the manufacturer about impending failure so they can call you and 
>> you can schedule the repair before there's a breakdown? Remember that one? 
>> We don't even have an "appliance about to break, call repairman" idiot light 
>> on appliances yet.
>> 
> What standards?  The RFID tag on the milk carton will, essentially, replace 
> the bar code once RFID tags become cheap enough. It'll be like an 
> uber-barcode with a bunch more information.
> 
> For keeping track of how much, cheap sensitive pressure transducers will know 
> by the position of the RFID tag combined with the weight of the thing at that 
> location in the refrigerator. There's no new standard required.
> 
> The technology to do this exists today. The integration and mainstream 
> acceptance is still years, if not decades off, but, IPv6 should last for 
> decades, so, if we don't plan for at least the things we can see coming today 
> and already know feasible ways to implement, we're doomed for the other 
> unexpected things we don't see coming.
> 

What reads the RFIDs and the pressure sensors? What server or application 
receives this data and deals with it according to the user's desires? How does 
that data or the information and alerts this system would generate get to the 
user's devices? There has to be a device in the home or a server somewhere for 
a service the home owner subscribes to which keeps an inventory of all these 
things and acts on it. 

Do you really think it's going to be commonplace for people to have this kind 
of technology and, more importantly, use it?

I think the kitchen you foresee is the dream kitchen of the kind of people 
who embed RFID chips in themselves so they can have a house that opens the 
doors and turns on the lights as they approach.

You don't have a chip in you, do you?


>> But I predict the coming of IPv6 to the home in a big way will have 
>> unintended consequences.
>> 
> 
> Definitely.
> 
> 
>> I think the big shock for home users regarding IPv6 will be suddenly having 
>> their IPv4 NAT firewall being gone and all their devices being exposed naked 
>> to everyone on the internet. Suddenly all their security shortcomings (no 
>> passwords, "password" for the password etc) are going to have catastrophic 
>> consequences. I foresee an exponential leap in the number of hacks of 
>> consumer devices which will have repercussions well beyond their local 
>> network. In my opinion that's going to be the biggest problem with IPv6, not 
>> all the concerns about the inner workings of the protocols. I'm guessing the 
>> manufacturers of consumer grade networkable devices are still thinking about 
>> security as it applies to LANs with RFC 1918 address space behind a firewall 
>> and haven't rethought security as it applies to IPv6.
>> 
> 
> Sigh... 
> 
> Continuing to propagate this myth doesn't make it any more true than it was 
> 10 years ago.

I'm sorry, what was the myth there? The public overall uses bad passwords and 
knowingly does not comply with security best practices? More connectivity is 
going to bring more problems and exploits? Those myths?

> 
> NAT != Security
> End-to-End addressing != End-to-End connectivity
> It will not be long before the average residential IPv6 gateway comes with a 
> default deny all inbound stateful firewall built in. Once you have that, your 
> hosts are not exposed naked to everyone on the internet. In fact, they are no 
> more exposed than with NAT with the key difference being that if you choose 
> to expose one or more hosts, you have the option of deliberately doing so.

We'll see.

> 
> Actually, I know for certain that most of the CPE manufacturers are 
> participating in the effort to draft better security requirements for 
> residential gateways as a current ID and hopefully an RFC soon. I believe, as 
> a matter of fact, that this is a BIS document being intended as a more 
> comprehensive improvement over the initial version.
> 
> Owen
> 




Re: IPv6 end user addressing

2011-08-11 Thread Greg Ihnen

On Aug 11, 2011, at 1:04 PM, Owen DeLong wrote:

> 
> On Aug 11, 2011, at 5:41 AM, Jamie Bowden wrote:
> 
>> Owen wrote:
>> 
>>> -Original Message-
>>> From: Owen DeLong [mailto:o...@delong.com]
>>> Sent: Wednesday, August 10, 2011 9:58 PM
>>> To: William Herrin
>>> Cc: nanog@nanog.org
>>> Subject: Re: IPv6 end user addressing
>>> 
>>> 
>>> On Aug 10, 2011, at 6:46 PM, William Herrin wrote:
>>> 
>>>> On Wed, Aug 10, 2011 at 9:32 PM, Owen DeLong 
>> wrote:
>> Someday, I expect the pantry to have a barcode reader on it
>>> connected back
>> a computer setup for the kitchen someday.  Most of us already use
>>> barcode
>> readers when we shop so its not a big step to home use.
> 
> Nah... That's short-term thinking. The future holds advanced
>>> pantries with
> RFID sensors that know what is in the pantry and when they were
>>> manufactured,
> what their expiration date is, etc.
 
>>>> And since your can of creamed corn is globally addressable, the rest
>>>> of the world knows what's in your pantry too. ;)
>>>> 
>>> 
>>> This definitely helps explain your misconceptions about NAT as a
>>> security tool.
>>> 
>>> 
>>> Globally addressable != globally reachable.
>>> 
>>> Things can have global addresses without having global reachability.
>>> There are
>>> these tools called access control lists and routing policies. Perhaps
>>> you've heard
>>> of them. They can be quite useful.
>> 
>> And your average home user, whose WiFi network is an open network named
>> "linksys" is going to do that how?
>> 
> 
> Because the routers that come on pantries and refrigerators will probably be
> made by people smarter than the folks at Linksys?
> 
> Owen
> 
> 

I respectfully disagree. If appliance manufacturers jump on the bandwagon to 
make their device *Internet Ready!* we'll see appliance makers who have way 
less networking experience than Linksys/Cisco getting into the fray. I highly 
doubt the pontifications of these Good Morning America technology gurus who 
predict all these changes are coming to the home. Do we really think appliance 
manufacturers are going to agree on standards for keeping track of how much 
milk is in the fridge, especially as not just manufacturing but also 
engineering is moving to countries like China? How about the predictions that 
have been around for years about appliances which will alert the manufacturer 
about impending failure so they can call you and you can schedule the repair 
before there's a breakdown? Remember that one? We don't even have an "appliance 
about to break, call repairman" idiot light on appliances yet.

But I predict the coming of IPv6 to the home in a big way will have unintended 
consequences.

I think the big shock for home users regarding IPv6 will be suddenly having 
their IPv4 NAT firewall being gone and all their devices being exposed naked to 
everyone on the internet. Suddenly all their security shortcomings (no 
passwords, "password" for the password etc) are going to have catastrophic 
consequences. I foresee an exponential leap in the number of hacks of consumer 
devices which will have repercussions well beyond their local network. In my 
opinion that's going to be the biggest problem with IPv6, not all the concerns 
about the inner workings of the protocols. I'm guessing the manufacturers of 
consumer grade networkable devices are still thinking about security as it 
applies to LANs with RFC 1918 address space behind a firewall and haven't 
rethought security as it applies to IPv6.

Greg


Re: Yup; the Internet is screwed up.

2011-06-10 Thread Greg Ihnen
On Jun 10, 2011, at 10:06 AM, Ricardo Ferreira wrote:

> I live in Europe and we have at home 100Mbps. Mid sized city of 500k
> people. Some ISPs even spread WiFi across town so that subscribers can have
> internet access outside their homes.

Cablevision does that somewhat.

Greg



Re: Cablevision's company line on IPv6 to the home

2011-05-30 Thread Greg Ihnen
On May 30, 2011, at 8:56 PM, Bob Snyder wrote:

> On Sat, May 28, 2011 at 4:21 PM, Greg Ihnen  wrote:
>> I just got off the phone with a level 1 tech support guy about an issue with 
>> my parents' Cablevision/Optimum Online service and decided to ask the fellow 
>> if there's any official company news about IPv6 being in the works. His 
>> comments were that there is a test coming up (he was referring to World IPv6 
>> Day), though he admitted that Cablevision is choosing not to participate in 
>> the "test" because they want to wait to see that IPv6 actually works without 
>> problems before they turn it on. He said it with a tone that seemed to 
>> express that the World IPv6 Day "test" is an irresponsible diversion. I 
>> politely and without any noticeable condescension (I believe) told him 
>> "that's what I expected" and bid him adieu.
>> 
>> It's neat how they're going to skip that irresponsible testing phase and 
>> just turn it on one day and it's going to work perfectly.
> 
> Because when I want to know details of future major architectural
> changes to a network, I usually ask a level 1 tech support guy since
> he's the one most likely to know, right?

Should I answer that? No, that was sarcasm. Nice touch.

See my post where I address the fact that I wanted to know what the company's 
official public position is, as you said, the "script". In that post I mention 
I qualified the fact that the fellow was level 1 for obvious reasons. I wasn't 
trying to say he had technical insight. The official script does possibly say 
something about the company's desire/willingness/urgency/felt need to deploy 
IPv6. Does hearing that there's fast and furious work going on in the NOC to 
bring IPv6 capability mean it will be rolled out to the customer in short 
order? I'd say the answer to that is "who knows".

It's not an apples to apples comparison with Cablevision's territory but down 
in my neck of the woods where I live the guys who work the telco's switch in 
town have been telling me for years that the "banda ancha" (broadband) gear is 
all installed as is the fiber back to the capital and they're just waiting for 
the bureaucratic "OK" to turn it on. They've cut grooves in the town's 
"perimetral" (perimeter) road and ran fiber in the road ringing the town. That 
was almost two years ago. Sure seems like broadband could be just around the 
corner right? And the years drag on, no broadband. Sometimes the company's 
official public stance (from like... um... the level 1 guys) is highly 
indicative of what's coming.

I'm surprised that all ISPs aren't trying to glom onto IPv6 the way so many 
companies now feel the need to claim to be "green" just because you don't want 
to be the last one in your market place not claiming to be "green".

Then again, maybe you're just trolling. For trolling I like a Rapala lure 
(negative buoyancy) or live bait with a weight.

Here in the jungle they take an empty jug, tie a line on it and put a big hook 
on the end with some kind of meat or fish and throw them out in the river and 
them float down river with the current, mostly for the big catfish. It's the 
lazy man's trolling.

Greg

> He'll know it's being rolled out when they create a script for him to
> follow. One that'll likely say something like "For IPv6 problems,
> immediately escalate to someone we've actually training in IPv6."
> 
> Bob
> 




Cablevision's company line on IPv6 to the home

2011-05-28 Thread Greg Ihnen
I just got off the phone with a level 1 tech support guy about an issue with my 
parents' Cablevision/Optimum Online service and decided to ask the fellow if 
there's any official company news about IPv6 being in the works. His comments 
were that there is a test coming up (he was referring to World IPv6 Day), 
though he admitted that Cablevision is choosing not to participate in the 
"test" because they want to wait to see that IPv6 actually works without 
problems before they turn it on. He said it with a tone that seemed to express 
that the World IPv6 Day "test" is an irresponsible diversion. I politely and 
without any noticeable condescension (I believe) told him "that's what I 
expected" and bid him adieu.

It's neat how they're going to skip that irresponsible testing phase and just 
turn it on one day and it's going to work perfectly.

And I wonder how they'll know when IPv6 is done. Maybe it has one of those 
things that frozen turkeys have, that pops out when it's done.

I've got my HE tunnels up and running on Mikrotik hardware on the little 
networks I manage. I can't wait for IPv6 Day.

So someone on the list please let Cablevision/Optonline know when you've 
finished IPv6. I'm sure they'd appreciate it.

Greg


Re: A BGP issue?

2011-03-08 Thread Greg Ihnen

On Mar 7, 2011, at 10:19 PM, Patrick W. Gilmore wrote:

> On Mar 7, 2011, at 14:27, Greg Ihnen  wrote:
> 
>> I run a small network on a mission base in the Amazon jungle which is fed by 
>> a satellite internet connection. We had an outage from Feb 25th to the 28th 
>> where we had no connectivity with email, http/s, ftp, Skype would indicate 
>> it's connected but even chatting failed, basically everything stopped 
>> working except for ICMP. I could ping everywhere just fine. I started doing 
>> traceroutes and they all were very odd, all not reaching their destination 
>> and some hopping all over creation before dying. But if I did traceroute 
>> with ICMP it worked fine. Does this indicate our upstream (Bantel.net) had a 
>> BGP issue? Bantel blamed Hughesnet which is the service they resell. I'm 
>> wondering what kind of problem would let ping work fine but not any of the 
>> other protocols. It also seems odd that I could traceroute via UDP part way 
>> to a destination but then it would fail if the problem was my own provider. 
>> Thanks.
>> 
>> If this is the wrong forum for this post I'm sorry and please just hit 
>> delete. If this is the wrong forum but you'd be kind enough to share your 
>> expertise please reply off-list. Thanks!
> 
> Honestly, I would rate this as one of the most on-topic posts in a while.
> 
> BGP only handles reachability, not higher level protocols.  (Of course, you 
> can h4x0r anything to do just about anything, but we are talking the general 
> case here.)
> 
> If you can ping, BGP is working.  If you can ping and cannot use TCP, then 
> something other than BGP is at fault. 
> 
> I've seen strange things like someone enabling TCP compression (common on 
> very small or very expensive links) one side but not the other, which then 
> allowed ICMP and UDP but not TCP.  It is a great way to annoy someone.  "See, 
> I can ping, it must be your side!"
> 
> Have you tried TCP traceroute?  Or telnetting to port 80?
> 
> -- 
> TTFN,
> patrick

Patrick,

Thank you very much! Thank you to everyone else who replied.

I did try TCP traceroute and it failed too. I didn't have a machine to 
telnet to on port 80 but I did try an ssh tunnel on port  and it failed too.

From what everyone is saying it sounds like it was the satellite 
internet provider's compression scheme that was having trouble or some kind of 
an MTU issue.

What I don't understand is why when using traceroute UDP/TCP/GRE I 
could get replies from some routers but not all routers to the destination, and 
why some routes were bizarre. If it was a failure of the sat internet 
provider's compression scheme or an MTU issue wouldn't traceroute UDP/TCP/GRE 
fail completely? What could have happened to my packets that would make them go 
only part way or go the wrong way?

According to our satellite internet service provider Bantel the outage 
was system wide.

Thanks again!
Greg


A BGP issue?

2011-03-07 Thread Greg Ihnen
I run a small network on a mission base in the Amazon jungle which is fed by a 
satellite internet connection. We had an outage from Feb 25th to the 28th where 
we had no connectivity with email, http/s, ftp, Skype would indicate it's 
connected but even chatting failed, basically everything stopped working except 
for ICMP. I could ping everywhere just fine. I started doing traceroutes and 
they all were very odd, all not reaching their destination and some hopping all 
over creation before dying. But if I did traceroute with ICMP it worked fine. 
Does this indicate our upstream (Bantel.net) had a BGP issue? Bantel blamed 
Hughesnet which is the service they resell. I'm wondering what kind of problem 
would let ping work fine but not any of the other protocols. It also seems odd 
that I could traceroute via UDP part way to a destination but then it would 
fail if the problem was my own provider. Thanks.

If this is the wrong forum for this post I'm sorry and please just hit delete. 
If this is the wrong forum but you'd be kind enough to share your expertise 
please reply off-list. Thanks!

Here are some examples of the traceroutes I saved during the outage.

Using UDP:

Gregs-MacBook-Pro:~ GregIhnen$ traceroute metaconi.com
traceroute to metaconi.com (70.32.39.205), 64 hops max, 52 byte packets
 1  192.168.7.1 (192.168.7.1)  1541.165 ms  25.665 ms  39.211 ms
 2  * * *
 3  192.168.14.254 (192.168.14.254)  625.710 ms  860.264 ms  694.238 ms
 4  192.168.180.5 (192.168.180.5)  645.666 ms  757.161 ms  664.785 ms
 5  10.254.253.158 (10.254.253.158)  738.661 ms  801.487 ms  728.139 ms
 6  fe11-0-5.miami1.mia.seabone.net (195.22.199.77)  726.884 ms  733.989 ms  
647.736 ms
 7  te3-4.miami7.mia.seabone.net (195.22.199.97)  740.233 ms  694.619 ms  
685.464 ms
 8  206.111.1.161.ptr.us.xo.net (206.111.1.161)  639.077 ms  741.495 ms  
679.880 ms
 9  te-4-1-0.rar3.miami-fl.us.xo.net (207.88.12.161)  650.312 ms  612.386 ms  
660.452 ms
10  te-3-2-0.rar3.atlanta-ga.us.xo.net (207.88.12.5)  787.079 ms  725.495 ms  
685.068 ms
11  te-11-0-0.rar3.washington-dc.us.xo.net (207.88.12.10)  760.002 ms  828.076 
ms  702.041 ms
12  ae0d0.mcr2.chicago-il.us.xo.net (216.156.0.166)  719.324 ms  641.274 ms  
689.997 ms
13  ae1d0.mcr1.chicago-il.us.xo.net (216.156.1.81)  669.613 ms  813.794 ms  
737.211 ms
14  edge1.chi1.ubiquityservers.com (216.55.8.30)  729.875 ms  751.481 ms  
730.088 ms
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * *


Now here it is again doing traceroute via ICMP:

Gregs-MacBook-Pro:~ GregIhnen$ traceroute -I metaconi.com
traceroute to metaconi.com (70.32.39.205), 64 hops max, 72 byte packets
 1  192.168.7.1 (192.168.7.1)  5.254 ms  3.059 ms  2.578 ms
 2  * * *
 3  192.168.14.254 (192.168.14.254)  1511.146 ms  711.304 ms  822.967 ms
 4  192.168.180.5 (192.168.180.5)  712.672 ms  821.990 ms  713.009 ms
 5  10.254.253.158 (10.254.253.158)  823.244 ms  711.764 ms  823.219 ms
 6  fe11-0-5.miami1.mia.seabone.net (195.22.199.77)  712.640 ms  613.306 ms  
614.429 ms
 7  te3-4.miami7.mia.seabone.net (195.22.199.97)  823.232 ms  711.881 ms  
823.166 ms
 8  206.111.1.161.ptr.us.xo.net (206.111.1.161)  712.765 ms  822.398 ms  
712.531 ms
 9  te-4-1-0.rar3.miami-fl.us.xo.net (207.88.12.161)  822.809 ms  920.831 ms  
712.399 ms
10  te-3-2-0.rar3.atlanta-ga.us.xo.net (207.88.12.5)  823.288 ms  711.478 ms  
822.887 ms
11  te-11-0-0.rar3.washington-dc.us.xo.net (207.88.12.10)  712.705 ms  822.287 
ms  712.713 ms
12  * ae0d0.mcr2.chicago-il.us.xo.net (216.156.0.166)  738.656 ms  919.752 ms
13  ae1d0.mcr1.chicago-il.us.xo.net (216.156.1.81)  921.381 ms  920.884 ms  
1228.683 ms
14  edge1.chi1.ubiquityservers.com (216.55.8.30)  921.560 ms  920.482 ms  
921.634 ms
15  relativity.mrk.com (70.32.39.205)  880.318 ms  753.150 ms  823.285 ms
Gregs-MacBook-Pro:~ GregIhnen$ 

Here's an example of a UDP traceroute going all over creation:

Gregs-MacBook-Pro:~ GregIhnen$ traceroute skype.com
traceroute to skype.com (78.141.177.7), 64 hops max, 52 byte packets
 1  192.168.7.1 (192.168.7.1)  18.939 ms  4.596 ms  27.124 ms
 2  * * *
 3  192.168.14.254 (192.168.14.254)  724.034 ms  704.520 ms  823.886 ms
 4  192.168.180.5 (192.168.180.5)  711.962 ms  704.606 ms  823.208 ms
 5  10.254.253.158 (10.254.253.158)  712.622 ms  912.870 ms  921.471 ms
 6  fe11-0-5.miami1.mia.seabone.net (195.22.199.77)  712.642 ms  822.307 ms  
712.720 ms
 7  * te9-1.ccr01.mia03.atlas.cogentco.com (154.54.11.37)  3692.277 ms  702.345 
ms
 8  te9-1.ccr01.mia03.atlas.cogentco.com (154.54.11.37)  823.172 ms  920.050 ms 
 921.612 ms
 9  te8-2.ccr01.mia01.atlas.cogentco.com (154.54.28.245)  921.681 ms
te8-7.ccr02.mia01.atlas.cogentco.com (154.54.1.185)  703.270 ms
te8-2.ccr02.mia01.atlas.cogentco.com (154.54.2.153)  730.152 ms
10  te0-0-0-5.ccr21.atl01.atlas.cogentco.com (154.54.30.33)  797.769 ms
te2-1.ccr02.atl01.atlas.cogentco.com (154.54.3.25)  913.513 ms
te0-1-0-4.ccr21.atl01.

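Patrick's reasoning in the reply above (if ping works, BGP and reachability are fine; if TCP and UDP then fail, look at how those protocols are handled, not at routing) can be turned into a small diagnostic that compares the two traceroutes from this post. The following is an added example, not code from the thread; the embedded traces are a constructed, abbreviated subset of the posted output, and the names `parse_traceroute` and `compare_traces` are chosen here.

```python
"""Compare an ICMP traceroute that completes with a UDP/TCP traceroute that
does not, to find the hop beyond which only ICMP is answered.  Added example,
not code from the thread; the sample traces are a constructed, abbreviated
subset of the UDP and ICMP traceroutes to metaconi.com posted in the thread,
kept with the line wrapping the mail archive introduced."""
import re

# Constructed subset of the posted UDP traceroute (many hops omitted).
UDP_TRACE = """\
traceroute to metaconi.com (70.32.39.205), 64 hops max, 52 byte packets
 1  192.168.7.1 (192.168.7.1)  1541.165 ms  25.665 ms  39.211 ms
 2  * * *
 3  192.168.14.254 (192.168.14.254)  625.710 ms  860.264 ms  694.238 ms
 6  fe11-0-5.miami1.mia.seabone.net (195.22.199.77)  726.884 ms  733.989 ms
647.736 ms
14  edge1.chi1.ubiquityservers.com (216.55.8.30)  729.875 ms  751.481 ms
730.088 ms
15  * * *
27  * *
"""

# Constructed subset of the posted ICMP (traceroute -I) run to the same host.
ICMP_TRACE = """\
traceroute to metaconi.com (70.32.39.205), 64 hops max, 72 byte packets
 1  192.168.7.1 (192.168.7.1)  5.254 ms  3.059 ms  2.578 ms
 2  * * *
 3  192.168.14.254 (192.168.14.254)  1511.146 ms  711.304 ms  822.967 ms
 6  fe11-0-5.miami1.mia.seabone.net (195.22.199.77)  712.640 ms  613.306 ms
614.429 ms
12  * ae0d0.mcr2.chicago-il.us.xo.net (216.156.0.166)  738.656 ms  919.752 ms
14  edge1.chi1.ubiquityservers.com (216.55.8.30)  921.560 ms  920.482 ms
15  relativity.mrk.com (70.32.39.205)  880.318 ms  753.150 ms  823.285 ms
"""

HEADER_RE = re.compile(r"^traceroute to \S+ \((\d{1,3}(?:\.\d{1,3}){3})\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")                # "14  host (ip)  rtt ms"
HOST_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # "(216.55.8.30)"


def parse_traceroute(text):
    """Return (target_ip, {hop: set of responding IPs}).

    A hop whose probes all timed out maps to an empty set.  Lines that do not
    begin with a hop number (RTTs wrapped onto a new line, or extra responders
    listed for the same hop) are folded into the preceding hop.
    """
    target, hops, current = None, {}, None
    for line in text.splitlines():
        head = HEADER_RE.match(line)
        if head:
            target = head.group(1)
            continue
        hop = HOP_RE.match(line)
        if hop:
            current = int(hop.group(1))
            hops.setdefault(current, set()).update(HOST_RE.findall(hop.group(2)))
        elif current is not None:
            hops[current].update(HOST_RE.findall(line))
    return target, hops


def last_answering_hop(hops):
    """Highest hop number at which at least one probe was answered (0 if none)."""
    answered = [n for n, ips in hops.items() if ips]
    return max(answered) if answered else 0


def compare_traces(reference_text, probe_text, probe_name="UDP"):
    """Diagnose a failing trace against a reference trace to the same target.

    Follows the reasoning in the thread: if the ICMP trace (reference) reaches
    the destination, routing is intact, and the fault is in how the other
    protocol is treated at or beyond the last hop that still answered it.
    """
    target, ref = parse_traceroute(reference_text)
    _, probe = parse_traceroute(probe_text)
    ref_last, probe_last = last_answering_hop(ref), last_answering_hop(probe)
    reaches = target is not None and target in ref.get(ref_last, set())
    # First hop where both traces got answers, but from disjoint routers.
    divergent = next((n for n in sorted(set(ref) & set(probe))
                      if ref[n] and probe[n] and not (ref[n] & probe[n])), None)
    if not reaches:
        verdict = "reference trace does not reach the target: check reachability first"
    elif probe_last < ref_last:
        verdict = (f"routing intact (ICMP reaches {target}); {probe_name} probes go "
                   f"unanswered after hop {probe_last}: look at filtering, MTU or "
                   f"compression handling beyond that hop rather than at BGP")
    else:
        verdict = f"both traces answer through hop {ref_last}: no protocol-specific loss"
    return {"target": target, "reference_reaches_target": reaches,
            "reference_last_hop": ref_last, "probe_last_hop": probe_last,
            "probe_last_responder": sorted(probe.get(probe_last, set())),
            "first_divergent_hop": divergent, "verdict": verdict}


if __name__ == "__main__":
    for key, value in compare_traces(ICMP_TRACE, UDP_TRACE).items():
        print(f"{key}: {value}")
```

Run against the two posted traces it reports that ICMP reaches 70.32.39.205 at hop 15 while UDP probes stop being answered after hop 14 (216.55.8.30), which is the "ping works, nothing else does" pattern the thread discusses.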
Hughesnet outage - where can I ask?

2011-02-28 Thread Greg Ihnen
I run a small network in the jungle of Venezuela which is fed by a rebranded 
Hughesnet connection. We just had a four day failure where the only protocol 
that worked was ICMP and we were completely without communication. Traceroutes 
all failed in a bizarre way when using UDP, TCP or GRE packets but traceroute 
with ICMP worked fine. Our provider (Bantel) is blaming Hughesnet but I'm not 
finding anything to back that up in forums or in searching the web. I don't 
want to bother this forum's members with my questions regarding what the 
traceroute results show and what the problem might be. Is there another forum 
where these questions would be appropriate? Thanks in advance.

Greg


Re: Is NAT can provide some kind of protection?

2011-01-12 Thread Greg Ihnen
+1 on Nick's comment. If you're doing 1:1 NAT or port forwarding, your server is 
still public facing.

If your firewall is merely stateful and not deep packet inspecting, all it's 
doing is seeing that the statefulness of the connection meets its 
requirements. You could have that and still have all kinds of naughtiness going 
on.

Greg

On Mar 21, 2007, at 6:25 AM, Tarig Ahmed wrote:

> In fact our firewall is stateful.
> This is why I thought we had no need to NAT, at least our servers.
> 
> 
> Tarig Yassin Ahmed
> 
> 
> On Jan 12, 2011, at 4:59 PM, Nick Hilliard  wrote:
> 
>> On 21/03/2007 09:41, Tarig Ahmed wrote:
>>> Is it true that NAT can provide more security?
>> 
>> No.
>> 
>> Your security person is probably confusing NAT with firewalling, as NAT 
>> devices will intrinsically do firewalling of various forms, sometimes 
>> stateful, sometimes not.  Stateful firewalling _may_ provide more security 
>> in some situations for low bandwidth applications, at least before you're 
>> hit by a DoS attack;  for high bandwidth applications, stateful firewalling 
>> is usually a complete waste of time.
>> 
>> Your security guy will probably say that a private IP address will give 
>> better protection because it's not reachable on the internet.  But the 
>> reality is if you have 1:1 NAT to a server port, then you have reachability 
>> and his argument becomes substantially invalid.  Most security problems are 
>> going to be related to poor coding anyway (XSS, improper data validation, 
>> etc), rather than port reachability, which is easy to fix.
>> 
>> Unfortunately, many security people from large organisations do not 
>> appreciate these arguments, but instead write their own and other people's 
>> opinions down and call them "policy".  Changing policy can be difficult.
>> 
>> Nick
>> 
>> 
>