Re: large organization nameservers sending icmp packets to dns servers.
On Aug 7, 2007, at 4:33 PM, Donald Stahl wrote: [...] If you don't like the rules- then change the damned protocol. Stop just doing whatever you want and then complaining when other people disagree with you. I think this last part is the key. Remember the old adage: "My network, My rules"? Have we forgotten that? Should I not block ports for MS protocols when a new worm spreads because it would break the E-2-E principal? What about spam filtering? Or a myriad of other things. Everyone here is breaking some RFC somehow. And most of us don't give a rats ass. Which is the way it should be. But when you decide that YOUR violation is MY problem to fix, then you are just being silly. And worse, annoying. Let's all just agree to run our own networks the way we damned well please, as long as we are not hurting anyone else. We just have to define "omplaining to you about things I b0rk'ed by myself" as "hurting you". Which isn't a stretch, support costs money, and costing me money because you screwed up is definitely hurtful. -- TTFN, patrick P.S. To be clear, no, your pr0n site not resolving because I don't support TCP does not qualify as "hurting you" unless I call you to complain about it, even if it loses you revenue.
Re: bandwidth for PyCon 08 in Chicago
Wireless connection may be depends on clear sight between their presence and the hotel. Or contact local cable modem provider for short term arrangement if they have coverage for the hotel using existing coax cable. ^.^ Hyun Matt Liotta wrote: If you are looking for wireless in Chicago I would suggest Business Only Broadband. I don't have any direct experience with them, but others have had good things to say. Regardless, I agree with David; wireless is ideal for short-term bandwidth needs. -Matt David E. Smith wrote: On Tue, August 7, 2007 6:48 pm, Carl Karsten wrote: 1. bandwidth for PyCon, and no one else. This is the easiest, but most costly. (20k ish total) That seems awfully high for a short-term hookup, though from the rest of the email I'm guessing you're mainly looking at wireline hookups. Have you shopped around for a short-term wireless link? If you can get on the roof of the hotel, and the roof of someone else nearby that has more bandwidth, and point a pair of radios at each other, that's probably do-able for far less than 20k. In Chicago, the folks at CW Lab (www.cwlab.com) may be able to get you started. They're more of a consulting firm now, from the looks of their Web site, but they've done things like this before, and they're local to Chicago; if they can't help they probably know someone who can. David Smith MVN.net
Re: bandwidth for PyCon 08 in Chicago
Did you check with hotel whether they have available fiber or coax from local CO ? In that case, installation cost may be reduced since it is matter of cross-connection with local ISP. Hotel may have special arrangement with local ISP just in case of conference or something like that. Hyun Carl Karsten wrote: Let me start with: I pretty much have no clue. but it is ok, because I don't get to spend any money. But I do get to help figure out how to get internet bandwidth to a hotel near Chicago (Crown in Rosemont) for a week in March 08 and figured maybe someone here can help. There are 2 aspects to this: 1. bandwidth for PyCon, and no one else. This is the easiest, but most costly. (20k ish total) 2. help the Crown upgrade their setup from 3 T1s to a DS3. (the fiber is there.) so they have it for other conventions. more hassle, more money, but less cost to PyCon. Below are some 'details' that a PyCon guy has collected. Anyone here feel this is there line of work? Carl K Highlights from Sean Reifschneider posts: -- begin quote -- 04/02/07 I've gotten a quote from Time Warner, one of the providers we use at our hosting facility. Their price would be $5,543/month with $750 setup for month-to-month DS-3 service. This would be a fully DS-3 running at 45mbps. On top of this, we would probably need to spend a couple of grand on a router to terminate the line. So far, this is the only place I've gotten who is willing to do a month-to-month DS-3, this pricing is quite good *** 4/8/07 Here are my preliminary numbers for networking for 2008 and 2009: 45mbps DS-3 for 2008: $6,300 45mbps DS-3 for 2009: $6,300 Router to terminate DS-3 for 2008&9: $4600 Additional access points for 2008&9: $2300 Switches, network, and power cables 2008&9: $500 Stands or mounting for APs for 2008&9: $1000 This largely assumes we are going to go with the DS-3, so things may change depending on that. The first year outlay would be around $14,700, second year I would expect to be more like $6,300. I did see one price saying $1300/month for a DS-3 with 10mbps, and 130mbps above that. This is burstable service, up to 45mbps, so we would just pay for what we'd use above 10mbps. *** 06/28/07 I believe the cost is something around $2500 for a single month term *** 7/7/07 I've asked Randy of TWTC what needs to be done about getting the contract signed for 2008. I've asked him to work with you, David, about the date and any other information he needs for the contrac -- end quote --
Re: bandwidth for PyCon 08 in Chicago
If you are looking for wireless in Chicago I would suggest Business Only Broadband. I don't have any direct experience with them, but others have had good things to say. Regardless, I agree with David; wireless is ideal for short-term bandwidth needs. -Matt David E. Smith wrote: On Tue, August 7, 2007 6:48 pm, Carl Karsten wrote: 1. bandwidth for PyCon, and no one else. This is the easiest, but most costly. (20k ish total) That seems awfully high for a short-term hookup, though from the rest of the email I'm guessing you're mainly looking at wireline hookups. Have you shopped around for a short-term wireless link? If you can get on the roof of the hotel, and the roof of someone else nearby that has more bandwidth, and point a pair of radios at each other, that's probably do-able for far less than 20k. In Chicago, the folks at CW Lab (www.cwlab.com) may be able to get you started. They're more of a consulting firm now, from the looks of their Web site, but they've done things like this before, and they're local to Chicago; if they can't help they probably know someone who can. David Smith MVN.net
cwlab? (WAS: Re: bandwidth for PyCon 08 in Chicago)
> In Chicago, the folks at CW Lab (www.cwlab.com) may be able to get you > started. They're more of a consulting firm now, from the looks of their > Web site, but they've done things like this before, and they're local to > Chicago; if they can't help they probably know someone who can. Isn't Charles Wu of cwlab the one who would only donate wireless hardware to the Katrina effort if they put his logo on or near the podium during official press events? -joe - Joseph A. Johnson, MCSE, MCP, A+ Chief Technology Officer Riverside Consulting Group, Ltd. Email: [EMAIL PROTECTED] Web: www.riversidecg.com Phone: 312-231-8315
Re: bandwidth for PyCon 08 in Chicago
On Tue, August 7, 2007 6:48 pm, Carl Karsten wrote: > 1. bandwidth for PyCon, and no one else. This is the easiest, but most > costly. > (20k ish total) That seems awfully high for a short-term hookup, though from the rest of the email I'm guessing you're mainly looking at wireline hookups. Have you shopped around for a short-term wireless link? If you can get on the roof of the hotel, and the roof of someone else nearby that has more bandwidth, and point a pair of radios at each other, that's probably do-able for far less than 20k. In Chicago, the folks at CW Lab (www.cwlab.com) may be able to get you started. They're more of a consulting firm now, from the looks of their Web site, but they've done things like this before, and they're local to Chicago; if they can't help they probably know someone who can. David Smith MVN.net
bandwidth for PyCon 08 in Chicago
Let me start with: I pretty much have no clue. but it is ok, because I don't get to spend any money. But I do get to help figure out how to get internet bandwidth to a hotel near Chicago (Crown in Rosemont) for a week in March 08 and figured maybe someone here can help. There are 2 aspects to this: 1. bandwidth for PyCon, and no one else. This is the easiest, but most costly. (20k ish total) 2. help the Crown upgrade their setup from 3 T1s to a DS3. (the fiber is there.) so they have it for other conventions. more hassle, more money, but less cost to PyCon. Below are some 'details' that a PyCon guy has collected. Anyone here feel this is there line of work? Carl K Highlights from Sean Reifschneider posts: -- begin quote -- 04/02/07 I've gotten a quote from Time Warner, one of the providers we use at our hosting facility. Their price would be $5,543/month with $750 setup for month-to-month DS-3 service. This would be a fully DS-3 running at 45mbps. On top of this, we would probably need to spend a couple of grand on a router to terminate the line. So far, this is the only place I've gotten who is willing to do a month-to-month DS-3, this pricing is quite good *** 4/8/07 Here are my preliminary numbers for networking for 2008 and 2009: 45mbps DS-3 for 2008: $6,300 45mbps DS-3 for 2009: $6,300 Router to terminate DS-3 for 2008&9: $4600 Additional access points for 2008&9: $2300 Switches, network, and power cables 2008&9: $500 Stands or mounting for APs for 2008&9: $1000 This largely assumes we are going to go with the DS-3, so things may change depending on that. The first year outlay would be around $14,700, second year I would expect to be more like $6,300. I did see one price saying $1300/month for a DS-3 with 10mbps, and 130mbps above that. This is burstable service, up to 45mbps, so we would just pay for what we'd use above 10mbps. *** 06/28/07 I believe the cost is something around $2500 for a single month term *** 7/7/07 I've asked Randy of TWTC what needs to be done about getting the contract signed for 2008. I've asked him to work with you, David, about the date and any other information he needs for the contrac -- end quote --
Re: large organization nameservers sending icmp packets to dns servers.
> From: Joe Abley <[EMAIL PROTECTED]> > Date: Tue, 7 Aug 2007 15:19:30 -0400 > Sender: [EMAIL PROTECTED] > > > > On 7-Aug-2007, at 14:38, Patrick W. Gilmore wrote: > > > On Aug 7, 2007, at 2:14 PM, Donald Stahl wrote: > > > >>> All things being equal (which they're usually not) you could use > >>> the ACK > >>> response time of the TCP handshake if they've got TCP DNS resolution > >>> available. Though again most don't for security reasons... > >> > >> Then most are incredibly stupid. > > > > Those are impressively harsh words. > > But they are hard to argue with. > > >> In addition, any UDP truncated response needs to be retried via > >> TCP- blocking it would cause a variety of problems. > > > > Since we are talking about authorities here, one can control the > > size of ones responses. > > "Never reply with anything big and hence never set TC" seems like a > reasonable, expedient way to circumvent the problem of wholesale 53/ > tcp-blocking stupidity. It doesn't make the behaviour any less > stupid, though. > > The "security" argument looks even more bizarre when you consider > what the DO bit in a request will do in general to the size of a > response, in the case of an authority server which has signed zone data. This has been a pain for me for years. I have tried to reason with security people about this and, while they don't dispute my reasoning, they always end up saying that it is the "standard" practice and that, lacking any evidence of what it might be breaking, it will continue to be blocked. And I don't mean small companies, either. One of the biggest issues I have is with one of the countries largest government funded research labs. Wonder how often DNSSEC might make non-transfer queries tickle this and really break things? (Assuming we ever get wide use of DNSSEC.) -- R. Kevin Oberman, Network Engineer Energy Sciences Network (ESnet) Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab) E-mail: [EMAIL PROTECTED] Phone: +1 510 486-8634 Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751 pgpU18YPgK72t.pgp Description: PGP signature
Re: Content Delivery Networks
5) User redirection - You have to implement a scalable mechanisms that redirects users to the closes POP. You can use application redirect (fast, but not so much scalable), DNS redirect (scalable, but not so fast) or anycasting (this needs cooperation with ISP). What is slow about handing back different answers to the same query via DNS, especially when they are pre-calculated? Seems very fast to me. Yes DNS-based redirection scales very pretty. But there are two problems: 1) Client may not be in same network as DNS server (I'm using my home DNS server even if I'm at IETF or I2 meeting on other side of globe) This has been discussed. Operational experience posted here by Owen shows < 10% of users are "far" from their recursive NS. Sure, but 10% of 5 Gb/s is 500 Mb/s. In my streaming scenario. I respect CDN for HTTP delivery has probably other experience. Also I'm using housing contracts for "deliver only to ISP users" and use no transit connectivity of housing ISPs (frankly - this is much cheaper). You are the tiny minority. (Don't feel bad, so am I. :) Most "users" either use the NS handed out by their local DHCP server, or they are VPN'ing anyway. 10% is tiny minority, but in real world with real costs, this minority can squeeze my profit :-) 2) DNS TTL makes realtime traffic management inpossible. Remember you may not distribute network traffic, but sometimes also server load. If one server/POP fails or is overloaded, you need to redirect users to another one in realtime. Define "real time"? To do it in 1 second or less is nigh impossible. But I challenge you to fail anything over in 1 second when IP communication with end users not on your LAN is involved. I've seen TTLs as low as 20s, giving you a mean fail-over time of 10 seconds. That's more than fast enough for most applications these days. I've tested (year ago) real scenario and got very disappointing feedback. It seemed that some corporate gateways here don't respect zone TTL. I'm so far to recommend my solutions to the community. I think that every CND provider has to choose its own solution that fits it's own services. Regards MK
Re: large organization nameservers sending icmp packets to dns servers.
Hi Donald, I'm not prepared to call it stupid, but you're right it can cause issues. -J Sent via BlackBerry - Original Message - From: Donald Stahl <[EMAIL PROTECTED]> To: Jason J. W. Williams Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>; John Levine <[EMAIL PROTECTED]>; [EMAIL PROTECTED] <[EMAIL PROTECTED]> Sent: Tue Aug 07 12:14:11 2007 Subject: RE: large organization nameservers sending icmp packets to dns servers. > All things being equal (which they're usually not) you could use the ACK > response time of the TCP handshake if they've got TCP DNS resolution > available. Though again most don't for security reasons... Then most are incredibly stupid. Several anti DoS utilities force unknown hosts to initiate a query via TCP in order to be whitelisted. If the host can't perform a TCP query then they get blacklisted. In addition, any UDP truncated response needs to be retried via TCP- blocking it would cause a variety of problems. -Don !SIG:46b8b686156533728213125!
RE: large organization nameservers sending icmp packets to dns servers.
All things being equal (which they're usually not) you could use the ACK response time of the TCP handshake if they've got TCP DNS resolution available. Though again most don't for security reasons... Then most are incredibly stupid. Several anti DoS utilities force unknown hosts to initiate a query via TCP in order to be whitelisted. If the host can't perform a TCP query then they get blacklisted. In addition, any UDP truncated response needs to be retried via TCP- blocking it would cause a variety of problems. -Don
Re: Content Delivery Networks
On Aug 7, 2007, at 10:05 AM, Michal Krsek wrote: 5) User redirection - You have to implement a scalable mechanisms that redirects users to the closes POP. You can use application redirect (fast, but not so much scalable), DNS redirect (scalable, but not so fast) or anycasting (this needs cooperation with ISP). What is slow about handing back different answers to the same query via DNS, especially when they are pre-calculated? Seems very fast to me. Yes DNS-based redirection scales very pretty. But there are two problems: 1) Client may not be in same network as DNS server (I'm using my home DNS server even if I'm at IETF or I2 meeting on other side of globe) This has been discussed. Operational experience posted here by Owen shows < 10% of users are "far" from their recursive NS. You are the tiny minority. (Don't feel bad, so am I. :) Most "users" either use the NS handed out by their local DHCP server, or they are VPN'ing anyway. 2) DNS TTL makes realtime traffic management inpossible. Remember you may not distribute network traffic, but sometimes also server load. If one server/POP fails or is overloaded, you need to redirect users to another one in realtime. Define "real time"? To do it in 1 second or less is nigh impossible. But I challenge you to fail anything over in 1 second when IP communication with end users not on your LAN is involved. I've seen TTLs as low as 20s, giving you a mean fail-over time of 10 seconds. That's more than fast enough for most applications these days. -- TTFN, patrick
Re: Content Delivery Networks
Hi Patrick, 5) User redirection - You have to implement a scalable mechanisms that redirects users to the closes POP. You can use application redirect (fast, but not so much scalable), DNS redirect (scalable, but not so fast) or anycasting (this needs cooperation with ISP). What is slow about handing back different answers to the same query via DNS, especially when they are pre-calculated? Seems very fast to me. Yes DNS-based redirection scales very pretty. But there are two problems: 1) Client may not be in same network as DNS server (I'm using my home DNS server even if I'm at IETF or I2 meeting on other side of globe) 2) DNS TTL makes realtime traffic management inpossible. Remember you may not distribute network traffic, but sometimes also server load. If one server/POP fails or is overloaded, you need to redirect users to another one in realtime. Application redirection is far, far slower. (I am assuming you are talking about something like HTTP level redirects. Did you mean something else?) Yes, it is slower, but in some scenarios (streaming hours of content for thousands of spectators) works nicely. Currently I'm using both mechanisms. Typically I'm using application level redirets and when I know there will be significant peak (e.g. ten times more than average), I'll provide DNS FQDN :-) As for anycast, with your own backbone, you don't need any cooperation. Even if you don't, the cooperation you need from your providers & peers is minimal at worst. (At least relative to writing the code for, say, DNS redirection.) But anycast assumes "BGP knows best", and we all know that is not even close to the truth. I'm definitelly not talking about situation when you are running your own backbone. Anycast in general works for small transactions (root DNS fits perfectly), but Internet is "living beast" and if you provide live stream that lasts two hours, one flipping BGP session makes the content almost unusable for part of your users. Regards Michal
Re: Content Delivery Networks
On Aug 7, 2007, at 3:59 AM, Michal Krsek wrote: 5) User redirection - You have to implement a scalable mechanisms that redirects users to the closes POP. You can use application redirect (fast, but not so much scalable), DNS redirect (scalable, but not so fast) or anycasting (this needs cooperation with ISP). What is slow about handing back different answers to the same query via DNS, especially when they are pre-calculated? Seems very fast to me. Application redirection is far, far slower. (I am assuming you are talking about something like HTTP level redirects. Did you mean something else?) As for anycast, with your own backbone, you don't need any cooperation. Even if you don't, the cooperation you need from your providers & peers is minimal at worst. (At least relative to writing the code for, say, DNS redirection.) But anycast assumes "BGP knows best", and we all know that is not even close to the truth. -- TTFN, patrick
What's up at NTL/VirginMedia?
Seems to be a large-scale outage going on at Virgin Media ex-NTL, AS5089 in the UK. Lost service about 1600GMT yesterday to a wide range of locations throughout the country. Recorded phone message now saying several post code areas in SW London suburbs still dark, but status page shows lots'o'tickets open all over the country. Anyone know what's up?
Re: Content Delivery Networks
Content Delivery NetworksRod, I run a small CDN oriented to audio/video distribution in Central Europe region. You mentioned challenges that CDN are facing. There are several of these: 1) Geographic load distribution - in example, you have to have enough capacity in each distribution area that is being potentionally served by your customers (media companies). 2) Computing power - you have to have in each POP adequate computing power that allows you to use full bandwidth available in that POP 3) Network capacity in each POP - self explaining 4) Content moving - you have to optimise internal data flows between POPs 5) User redirection - You have to implement a scalable mechanisms that redirects users to the closes POP. You can use application redirect (fast, but not so much scalable), DNS redirect (scalable, but not so fast) or anycasting (this needs cooperation with ISP). 6) Costs of the system - Most CDNs are designed for peaking traffic, but load is more dynamic that in traditional networks. 7) Play alone There is almost no way for handover traffic to other CDN. No standards, no kinf of interconnection agreement. These points are only a rough overview, this ecosystem is developping and challenges also depend on the starting conditions and region where you are running you CDN. Regards Michal - Original Message - From: Rod Beck To: Jason J. W. Williams ; Pekka Savola ; Robert Boyle Cc: ALEJANDRO ESQUIVEL RODRIGUEZ ; nanog@merit.edu Sent: Monday, August 06, 2007 23:10 Subject: Content Delivery Networks Can anyone give a breakdown of the different kinds of content deliver networks? For example, we have Akamai, which appears to be a pure Layer 3 network that is tailored to pushing relatively small files like web pages and we have Lime Light Networks, which is a mix of Layer 1 and Layer 3, that focuses on bigger files like video streams. Any insights out there? And what are the major challenges in making scalable content delivery networks? Roderick S. Beck Director of EMEA Sales Hibernia Atlantic 1, Passage du Chantier, 75012 Paris http://www.hiberniaatlantic.com Wireless: 1-212-444-8829. Landline: 33-1-4346-3209 AOL Messenger: GlobalBandwidth [EMAIL PROTECTED] [EMAIL PROTECTED] ``Unthinking respect for authority is the greatest enemy of truth.'' Albert Einstein.