Re: Redistribute routes from EIGRP into BGP VRF

2007-08-09 Thread Bruce Pinsky

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Bailey Stephen wrote:
> Hello all,
> 
> Currently working on a solution at the moment where I receive specific
> /25 routes via a leased line into the global routing table via EIGRP on
> a Cisco 2801.
> 
> I then need to inject these routes into a BGP VRF to be advertised onto
> BGP Peers within the VRF Network.
> 
> The /24 routes for the Site LAN are injected via Radius on the DSL
> Routers so this task makes the /25 more favourable via the Leased Line
> Router.
> 
> ==
> 
> IOS Version on 2801 (Router B) = Version 12.4(12a)
> 
> BGP VRF Config:
> 
> router bgp 65xxx
>  no synchronization
>  no bgp log-neighbor-changes
>  bgp scan-time 10
>  no auto-summary
>  !
>  address-family ipv4 vrf test1
>  redistribute connected
>  redistribute static
>  redistribute eigrp
> ?
> 
> ==
> 
> Simple Diagram attached
> 
> Routers C & D do not see the redistributed routes from Router B via BGP.
> 
> Not sure if this is an IOS Bug, but this should work??

You need support for "BGP Support for IP Prefix Import from Global Table
into a VRF Table"

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124cg/hirp_c/ch05/h_bgivt.htm

Support is available starting in 12.0(29)S, 12.2(25)S, and 12.3(14)T.

- --
=
bep



Re: Load balancing

2007-05-07 Thread Bruce Pinsky


dan wrote:
> Hello,
> I currently have 2 routers with a single gigabit link (and corresponding
> internal BGP session) between them.
> router1 <-gigabit--->router2
> 
> Simple setup. Now that we have reached the limit on this gigabit link,
> we are adding a second gigabit link between the same 2 routers, and we
> wish to load balance across them. Traffic is about 5:1 ratio of out:in.
> router2 has bgp sessions with several upstreams, and router 1 has bgp
> sessions with further internal routers. What is the best way to balance
> across these 2 links?
> 

Depending on the platforms, etherchannel/port-channel would be a fairly
straightforward solution.

- --
=
bep



Re: NOC Personel Question (Possibly OT)

2007-03-14 Thread Bruce Pinsky


K. Graham wrote:
> I was called a "nocling" but I doubt that would pass the HR test.   
> 

I'm kinda partial to NOC Knucklehead.

- --
=
bep



Re: problem with BGP or I am an Idiot

2006-11-17 Thread Bruce Pinsky


Philip Lavine wrote:
> To all,
> 
> Probably the latter; however, here is the situation. I am advertising a 
> rte 1.1.1.1 via BGP to the Internet via ISP_A via my location in NJ. At my 
> other location in CA I am advertising another rte 2.2.2.2 via BGP to 
> the Internet via the same ISP_A. I am using the same AS for both routes. 
> 
> For some reason on my rtr advertising the 2.2.2.2 rte I am unable to see the 
> 1.1.1.1 rte "% Network not in table". I know the 1.1.1.1 rte is valid; it shows up 
> in looking glass and ISP_A has it on the peer 2.2.2.2 receives full Internet 
> rtes from. Further verification: I add a static rte on the 2.2.2.2 rtr to 1.1.1.1 
> and it's routable???
> 
> How is this possible? I have the following filters but I removed them and it 
> seems to not make a diff.
> OUTBOUND - ip as-path access-list 1 permit ^$
>  ip as-path access-list 1 deny .*
> INBOUND - ip as-path access-list 2 permit .*
> 

Loop protection.  Throw away any route I hear from someone else with my AS.

- --
=
bep

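The loop-protection behaviour in the reply, as an added example that is not from the thread: a small Python model of the CA router receiving 1.1.1.1 from ISP_A with the two as-path access-lists quoted above. AS numbers are constructed, and the allowas_in parameter models the IOS neighbor allowas-in relaxation, which the thread does not mention.

```python
"""
Why the 2.2.2.2 router never sees 1.1.1.1: BGP loop detection runs on
every received UPDATE before any as-path access-list is consulted, so
removing the quoted filters changes nothing. Constructed example.
"""
import re

MY_AS = 65001   # constructed: the AS the poster uses at both NJ and CA
ISP_A = 65002   # constructed: the upstream's AS
OTHER = 65003   # constructed: some unrelated network's AS

# The thread's filters as ordered (action, regex) clauses. IOS evaluates
# clauses top down, the first match wins, and an exhausted list is a deny.
INBOUND_ACL = [("permit", r".*")]
OUTBOUND_ACL = [("permit", r"^$"), ("deny", r".*")]


def as_path_text(path):
    """Render an AS_PATH as the regex engine sees it: ASNs separated by
    single spaces, an empty string for a locally originated route."""
    return " ".join(str(asn) for asn in path)


def loop_detected(local_as, path, allowas_in=0):
    """RFC 4271 receiver-side loop check: an UPDATE whose AS_PATH already
    contains our own AS is discarded. allowas_in models the IOS
    'neighbor ... allowas-in' knob, which tolerates that many occurrences."""
    return path.count(local_as) > allowas_in


def as_path_acl_permits(acl, path):
    """Evaluate an as-path access-list; unanchored patterns match anywhere."""
    text = as_path_text(path)
    for action, pattern in acl:
        if re.search(pattern, text):
            return action == "permit"
    return False  # implicit deny at the end of every access-list


def receive(local_as, path, acl=INBOUND_ACL, allowas_in=0):
    """What happens to a route learned from a neighbour: (accepted, reason)."""
    if loop_detected(local_as, path, allowas_in):
        return False, "discarded by AS_PATH loop detection"
    if not as_path_acl_permits(acl, path):
        return False, "denied by inbound as-path access-list"
    return True, "installed in BGP table"


def advertise(local_as, path, acl=OUTBOUND_ACL):
    """Whether a route passes the outbound filter, and the AS_PATH the
    neighbour will see once we prepend ourselves."""
    if not as_path_acl_permits(acl, path):
        return False, path
    return True, [local_as] + path


# 1.1.1.1 as ISP_A re-advertises it towards CA: NJ originated it with an
# empty path and prepended MY_AS, then ISP_A prepended itself.
ROUTE_1_1_1_1 = [ISP_A, MY_AS]
ROUTE_OTHER = [ISP_A, OTHER]


if __name__ == "__main__":
    for name, path in (("1.1.1.1", ROUTE_1_1_1_1), ("other", ROUTE_OTHER)):
        ok, why = receive(MY_AS, path)
        print(f"{name:8} AS_PATH {as_path_text(path)!r:16} -> {why}")
    print("outbound, locally originated:", advertise(MY_AS, []))
    print("outbound, transit route:     ", advertise(MY_AS, ROUTE_OTHER))
```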


Re: AT&T: 15 Mbps Internet connections "irrelevant"

2006-03-31 Thread Bruce Pinsky


Mikael Abrahamsson wrote:
> 
> 
> http://arstechnica.com/news.ars/post/20060331-6498.html
> 
> "In the foreseeable future, having a 15 Mbps Internet capability is
> irrelevant because the backbone doesn't transport at those speeds," he
> told the conference attendees. Stephenson said that AT&T's field tests
> have shown "no discernable difference" between AT&T's 1.5 Mbps service
> and Comcast's 6 Mbps because the problem is not in the last mile but in
> the backbone."
> 
> 
> 
> Is this something held generally true in the US, or is it just pointed
> hair-talk? Sounds like "nobody should need more than 640kb of memory"
> all over again.
> 
> I can definitely see a difference between 2 meg, 8 meg and even faster,
> even when web browsing, especially transferring large pictures when
> running gallery or alike. When I load www.cnn.com with 130ms latency I
> get over 1 megabit/s and that's transatlantic with a lot of small
> objects to fetch. Most major newspapers here in Sweden will load at 5-10
> megabit/s for me, and downloading streaming content (www.youtube.com)
> will easily download at 10-20 megabit/s if bw is available. flickr.com
> around a couple of megabits/s. (all measured with task-manager in XP,
> very scientific :P)
> 
> I can relate to there being a sweetspot around 1.5-3 megs/s when larger
> speed doesn't really give you a whole lot of more experience with
> webbrowsing, but the more people will start to use services like
> youtube.com, the more bw they will need at their local pipe and of
> course backbone should be non-blocking or close to it...
> 


Sounds like FUD to me...

Perhaps trying to downplay the push to FIOS?

- --
=
bep



Re: IRS goes IPv6!

2006-02-14 Thread Bruce Pinsky


Jeroen Massar wrote:
> I Ar Es,
> 
> At least they have received the 2610:30::/32 allocation from ARIN.
> Let's see how taxing they find IPv6 ;)
> 


And who'd have thought they would be such late filers :-)


[IPv6 whois information for NET6-2001-49C8-1 ]
[whois.arin.net]

OrgName:    US Department of the Interior
OrgID:      UDI-5
Address:    625 Herndon Parkway
Address:    MS 012
City:       Herndon
StateProv:  VA
PostalCode: 20170-5416
Country:    US

NetRange:   2001:49C8:0000:0000:0000:0000:0000:0000 - 2001:49C8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
CIDR:       2001:49C8:0000:0000:0000:0000:0000:0000/32
NetName:    USDOI
NetHandle:  NET6-2001-49C8-1
Parent:     NET6-2001-4800-0
NetType:    Direct Allocation
Comment:
RegDate:    2005-11-10
Updated:    2005-11-10



> Greets,
>  Jeroen
> 
> --
> 
> OrgName:    Internal Revenue Service
> OrgID:      IRS
> Address:    Constitution Ave. NW
> City:       Washington
> StateProv:  DC
> PostalCode: 20224
> Country:    US
> 
> NetRange:   2610:0030:0000:0000:0000:0000:0000:0000 - 2610:0030:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF
> CIDR:       2610:0030:0000:0000:0000:0000:0000:0000/32
> NetName:    IRSNET6
> NetHandle:  NET6-2610-30-1
> Parent:     NET6-2610-1
> NetType:    Direct Allocation
> NameServer: NS1.TREAS.GOV
> NameServer: NS2.TREAS.GOV
> NameServer: NS21.TREAS.GOV
> NameServer: NS1.CIS.FED.GOV
> Comment:
> RegDate:    2006-02-13
> Updated:    2006-02-13
> 
> 


- --
=
bep



Re: IP Database

2005-09-30 Thread Bruce Pinsky


Kevin Billings wrote:
> I am looking for an IP database for our Company that can be used for
> service provider needs and also for an Enterprise that will need to
> track IPs down to the host level. Also need to have RWhois integration
> for ARIN SWIPs.   Does anyone have any suggestions or recommendations? I
> have looked at two:  IPplan, which is free open source, and TCAM/ECAM by
> Parabola IP Solutions.  Has anyone used either of these two systems, and
> what did you think of them?
> 

Lucent VitalQIP might fit the bill.

http://www.lucent.com/products/solution/0,,CTID+2020-STID+10439-SOID+1068-LOCL+1,00.html

- --
=
bep



Re: [eng/rtg] changing loopbacks

2005-09-29 Thread Bruce Pinsky


Randy Bush wrote:
> so i have junipers, ciscos, and a few  zebras in an ospf
> and ibgp mesh.  they're peering via loopbacks, of course.
> unfortunately, i need to recover the space from which the
> loopbacks are taken.  of course, i would like to do so with
> minimal disruption.  i am thinking of something like the
> following:
> 
>   o add second loopbacks to all routers with new address in new
> block
>   o set up ibgp peerings to new addresses from existing
> peerings
>   o change the source of routing updates to new addresses
>   o remove old peerings
>   o remove old loopbacks
> 
> what [else] am i missing?
> 

In addition to what others have said, I'd ask:

- Any ACLs anywhere that filter based on the old loopbacks?
- Any VTY access controls on the router based on the old loopbacks?
- Any external systems like authentication servers, management systems,
etc, etc that need the old loopbacks and can't dynamically adapt?
- Any internal routing policies that reference the old loopbacks?
- Any DNS entries that need to be migrated (CNAME->A references)?

- --
=
bep



Re: Any issue with www.cisco.com

2005-09-06 Thread Bruce Pinsky


Chip Mefford wrote:
> Gerry Boudreaux wrote:
> 
>>> mtr shows the packet loss in the last hop for me:
>>>
>>> 14. sjck-dmzbb-gw1.cisco.com    0.0%   62   66.6   75.4   64.5  293.7   37.1
>>> 15. sjck-dmzdc-gw2.cisco.com    0.0%   62   62.5   65.4   59.2  155.4   13.1
>>> 16. www.cisco.com              14.8%   62   59.2   64.7   58.1   88.4    7.2
> 
> 
> I'm seeing roughly ~25 percent packet loss, it varies.
> 

If you are relying on ping and traceroute tests to measure packet loss,
then you are coming to false conclusions.

ICMP responses are throttled by many, many devices including routers, load
balancers, firewalls, IPS devices, etc, etc.

- --
=
bep

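A way to apply the reply's point to an mtr report, as an added example that is not from the thread: per-hop loss that is not also seen at every later hop is the hop declining to answer, not packets being dropped. The report below is constructed; the three cisco.com rows are the ones quoted in the thread, the two earlier hops are made up.

```python
"""
Classify per-hop loss in an `mtr --report` table. A probe that expires at
hop N only yields a row if hop N sends ICMP Time Exceeded, but the probes
that reached hop N+1 were necessarily forwarded by hop N. So loss at N
that is absent at later hops is ICMP throttling at N. Constructed data.
"""
import re

MTR_REPORT = """\
HOST: example-client                  Loss%   Snt   Last   Avg  Best  Wrst StDev
 12. hop12.example.net                 0.0%    62   58.1  60.2  55.0  70.3   3.0
 13. hop13.example.net                32.3%    62   61.0  63.9  57.2  90.1   6.4
 14. sjck-dmzbb-gw1.cisco.com          0.0%    62   66.6  75.4  64.5 293.7  37.1
 15. sjck-dmzdc-gw2.cisco.com          0.0%    62   62.5  65.4  59.2 155.4  13.1
 16. www.cisco.com                    14.8%    62   59.2  64.7  58.1  88.4   7.2
"""

# One report row: hop number, host, Loss%, then six numeric columns.
ROW = re.compile(
    r"^\s*(?P<hop>\d+)\.\s+(?P<host>\S+)\s+(?P<loss>[\d.]+)%\s+(?P<snt>\d+)"
    r"\s+(?P<last>[\d.]+)\s+(?P<avg>[\d.]+)\s+(?P<best>[\d.]+)"
    r"\s+(?P<wrst>[\d.]+)\s+(?P<stdev>[\d.]+)\s*$"
)


def parse_mtr(report):
    """Return the hop rows of an mtr report as dicts; other lines are skipped."""
    hops = []
    for line in report.splitlines():
        m = ROW.match(line)
        if m:
            hops.append({
                "hop": int(m["hop"]), "host": m["host"],
                "loss": float(m["loss"]), "snt": int(m["snt"]),
                "avg": float(m["avg"]), "wrst": float(m["wrst"]),
            })
    return hops


def classify(hops, tolerance=1.0):
    """Verdict per hop number:
    none                     - no loss reported
    icmp-throttled           - a later hop shows clearly less loss, so the
                               packets got through and this hop just did
                               not answer
    possible-forwarding-loss - every later hop shows at least as much loss
    unverifiable             - last hop; nothing downstream to compare with,
                               and the destination itself may rate-limit
                               its ICMP replies (the thread's case)"""
    verdicts = {}
    for i, h in enumerate(hops):
        later = hops[i + 1:]
        if h["loss"] == 0.0:
            verdicts[h["hop"]] = "none"
        elif not later:
            verdicts[h["hop"]] = "unverifiable"
        elif any(x["loss"] + tolerance < h["loss"] for x in later):
            verdicts[h["hop"]] = "icmp-throttled"
        else:
            verdicts[h["hop"]] = "possible-forwarding-loss"
    return verdicts


def max_real_loss(hops, hop_number):
    """Upper bound on genuine forwarding loss at a hop: the smallest loss
    seen at any later hop. For the last hop the bound is its own figure."""
    idx = next(i for i, h in enumerate(hops) if h["hop"] == hop_number)
    later = hops[idx + 1:]
    if not later:
        return hops[idx]["loss"]
    return min(x["loss"] for x in later)


if __name__ == "__main__":
    rows = parse_mtr(MTR_REPORT)
    for h, verdict in classify(rows).items():
        print(f"hop {h:2}: reported {dict((r['hop'], r) for r in rows)[h]['loss']:5.1f}% "
              f"real <= {max_real_loss(rows, h):5.1f}%  {verdict}")
```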


Re: Fwd: Re: Dst. ports 33438, 33437 (64.95.255.255) [data393]

2005-08-11 Thread Bruce Pinsky


Fergie (Paul Ferguson) wrote:
> The following is some dialogue that I posted to the
> DShield.org list last night, trying to figure out
> why I was seeing these odd traceroute probes in my firewall
> logs at home.
> 
> I post it here for two reasons:
> 
> [1] Does anyone have any experience with InterNAP's FCP-500
> product? I was looking for some additional technical info beyond
> what is on their web site. Contact me off-list, of course.
> 
> And,
> 
> [2] Just thought some of you might be interested. :-)
> 

That is the product/technology they got from their acquisition of netVmg,
one of the companies in the so-called "route optimization" space (see also
Routescience, Proficient Networks, Sockeye Networks).

Cisco also has a similar feature/functionality called Optimized Exit
Routing (OER).

- --
=
bep



Re: VoIP operators given 120-day deadline to implement E911 services

2005-05-19 Thread Bruce Pinsky
Fergie (Paul Ferguson) wrote:
|
| Yep:
|
|
http://news.yahoo.com/news?tmpl=story&u=/ap/20050519/ap_on_hi_te/911_internet_phones
|
That last part ought to be interesting to try and implement in 120 days:
"...must provide the emergency operator with the customer's callback number
and location, regardless of whether the call is being made from the
customer's home or elsewhere."
So what's the local 911 center I should be routed to when I'm at the Cebu,
Philippines airport and making a VoIP call?
- --
=
bep


Re: what will all you who work for private isp's be doing in a few years?

2005-05-11 Thread Bruce Pinsky
Adam Jacob Muller wrote:
|
| It's simple,
| A DSL provider like Speakeasy offers much more to a technical user like
| myself than Comcast does, plus they have an incentive to keep me happy;
| if I'm not I can leave and go with a competitor. Comcast does, and has
| on many occasions, simply told me to go f*ck myself when I have service
| issues. (Sorry your modem died sir, the next we can get a tech out to
| your place is 2 weeks, when I don't need a tech I know what it means
| when a modem has a failure code).
|
| The fact is, DSL is a competitive market, Cable is not, competitive
| markets keep customers happy, monopolies anger people.
|
And more than the technical user is the benefit to corporations and
businesses that DSL providers offer.  We see many companies using DSL as a
cost effective replacement for backup services formerly run over dialup,
ISDN, and other on-demand technologies.  The AUPs, filtering policies,
routing policies, etc of cable operators are simply not geared to meet the
needs of even the most simplistic of corporate requirements.
- --
=
bep


Re: Acceptable DSL Speeds (ms based)

2005-05-04 Thread Bruce Pinsky
Luke Parrish wrote:
| My email was confusing since I said the word speed; I would like to know the ms
| roundtrip for the following:
|
| 1. CPE to first layer 3 hop
| 2. CPE to first layer 3 upstream hop
| 3. CPE to layer 3 exit point of upstream
|
| Example:
|
| Trace route to www.yahoo.com
|
| 1. 10.10.10.1 (CPE) 1ms
| 2. 10.10.10.254 (DSLAM)(cte) 21ms (first layer 3 hop)
| 3. 11.1.1.1 (Router)(cte) 24ms
| 4. 5.5.1.3 (upstream interface)(level3) 68ms (first layer 3 upstream hop)
| 5. 5.4.3.2 (exit point of upstream)(handoff from level3 to at&t) 94ms
| (layer 3 exit point of upstream)
|
| Those ms values are what I am curious about. What are other providers
| seeing and what are, in your opinion, acceptable ms times for a home
| 1.5M dsl user...
|
Those times seem high to me.  I have a 1.5/768 ADSL circuit and I routinely
see 13-15ms to my 1st IP hop and 15-18 to the upstream handoff.  I'm
14.5Kft from my CO and my IP is backhauled to SFO from SJC.  Here are a few
examples:
[EMAIL PROTECTED] traceroute www.yahoo.com
traceroute to www.yahoo.akadns.net (66.94.230.44), 30 hops max, 40 byte packets
 1  cerberus-internal.pinskyfamily.org (172.16.77.1)  3 ms  1 ms  1 ms
 2  er1.sfo1.speakeasy.net (66.92.1.1)  18 ms  17 ms  17 ms
 3  220.ge-0-1-0.cr2.sfo1.speakeasy.net (69.17.83.177)  16 ms  15 ms  15 ms
 4  bas1-m.pao.yahoo.com (198.32.176.135)  16 ms  15 ms  14 ms
 5  ge-1-0-2.msr1.scd.yahoo.com (66.218.82.193)  17 ms  15 ms  17 ms
 6  UNKNOWN-66-218-82-230.yahoo.com (66.218.82.230)  16 ms
    vl42.bas1-m.scd.yahoo.com (66.218.82.226)  16 ms  16 ms
 7  p13.www.scd.yahoo.com (66.94.230.44)  18 ms  16 ms  15 ms

[EMAIL PROTECTED] traceroute www.nytimes.com
traceroute to www.nytimes.com (199.239.137.245), 30 hops max, 40 byte packets
 1  cerberus-internal.pinskyfamily.org (172.16.77.1)  2 ms  1 ms  1 ms
 2  er1.sfo1.speakeasy.net (66.92.1.1)  19 ms  16 ms  16 ms
 3  110.ge-0-0-0.cr1.sfo1.speakeasy.net (69.17.83.189)  17 ms  14 ms  33 ms
 4  g8-1.mpr2.pao1.us.above.net (209.249.11.177)  14 ms  16 ms  14 ms
 5  so-0-0-0.mpr4.pao1.us.above.net (64.125.27.82)  13 ms  13 ms  13 ms
 6  p4-2-0-0.r06.plalca01.us.bb.verio.net (129.250.9.129)  15 ms  13 ms  18 ms
 7  p16-0-1-0.r21.plalca01.us.bb.verio.net (129.250.3.82)  15 ms  17 ms  16 ms
..

[EMAIL PROTECTED] traceroute www.cisco.com
traceroute to www.cisco.com (198.133.219.25), 30 hops max, 40 byte packets
 1  cerberus-internal.pinskyfamily.org (172.16.77.1)  3 ms  2 ms  1 ms
 2  er1.sfo1.speakeasy.net (66.92.1.1)  14 ms  14 ms  15 ms
 3  120.ge-0-0-0.cr2.sfo1.speakeasy.net (69.17.83.185)  13 ms  50 ms  14 ms
 4  ge-4-0-440.ipcolo1.SanJose1.Level3.net (209.247.156.221)  13 ms  12 ms  13 ms
 5  p1-0.cisco.bbnplanet.net (4.0.26.14)  19 ms  13 ms  14 ms
 6  sjce-dmzbb-gw1.cisco.com (128.107.239.53)  13 ms  13 ms  13 ms
 7  sjck-dmzdc-gw1.cisco.com (128.107.224.69)  15 ms  13 ms  13 ms
..

[EMAIL PROTECTED] traceroute www.cnn.com
traceroute to cnn.com (64.236.24.12), 30 hops max, 40 byte packets
 1  cerberus-internal.pinskyfamily.org (172.16.77.1)  2 ms  1 ms  1 ms
 2  er1.sfo1.speakeasy.net (66.92.1.1)  19 ms  15 ms  15 ms
 3  210.ge-0-1-0.cr1.sfo1.speakeasy.net (69.17.83.181)  17 ms  15 ms  13 ms
 4  g8-1.mpr2.pao1.us.above.net (209.249.11.177)  17 ms  14 ms  14 ms
 5  so-4-2-0.mpr3.sjc2.us.above.net (64.125.28.222)  17 ms  16 ms  16 ms
 6  so-0-0-0.mpr4.sjc2.us.above.net (64.125.30.2)  18 ms  16 ms  16 ms
 7  so-3-3-0.cr1.dfw2.us.above.net (64.125.29.58)  64 ms  61 ms  61 ms
 8  so-4-0-0.mpr1.iah1.us.above.net (64.125.31.37)  65 ms  66 ms  75 ms
 9  so-0-0-0.mpr2.iah1.us.above.net (64.125.31.62)  65 ms  66 ms  65 ms
10  so-5-0-0.mpr1.atl6.us.above.net (64.125.29.65)  77 ms  77 ms  75 ms
11  aol-above.atl4.above.net (209.249.119.242)  75 ms  85 ms  79 ms
12  bb1-atm-P0-0.atdn.net (66.185.147.192)  76 ms  76 ms  75 ms
13  pop1-atl-P4-0.atdn.net (66.185.136.17)  74 ms  75 ms  75 ms
...
- --
=
bep


Re: Verizon Offering Naked DSL in Northeast...

2005-04-18 Thread Bruce Pinsky
Fergie (Paul Ferguson) wrote:
|
| Wow -- I wish SBC would follow suit. :-/
|
| http://apnews.myway.com/article/20050418/D89I0KP00.html
|
You can already get this from Covad through providers like Speakeasy.
I recently switched from SDSL on a dedicated pair to ADSL.
- --
=
bep


Re: Blog...

2005-04-11 Thread Bruce Pinsky
[EMAIL PROTECTED] wrote:
|> I have to agree...  Paul's been doing an excellent job of picking out the
|> one or two things that really matter each day,
|
| Several other NANOG-affiliated projects post regular reports to the list.
| CIDR report, weekly routing table report, Bogon project...
| I think it would be great if Paul posted a regular
| headlines update from his blog, either daily, or
| whenever some reasonable number of articles has
| accumulated, say half a dozen.
|
| His service is a real value-add and it is a good
| idea to incorporate some more of the latest Internet
| communication tools into NANOG.
|
Or turn his posts into an RSS feed.
- --
=
bep


Re: Traceroute with ASN

2005-03-15 Thread Bruce Pinsky
Brett Watson wrote:
| On 3/15/05 3:11 AM, "Ziggy David Lubowa" <[EMAIL PROTECTED]> wrote:
|
|
|>
|>On Tue, 15 Mar 2005 17:51:32 +0800 (CST), Joe Shen wrote
|>
|>>Yes.  Can I do this on a Linux box without having to
|>>install Zebra BGP on it?
|>
|>Doesn't look like you have to; below is the link to the tarball
|>
|>http://oppleman.com/dl/?file=lft-2.3.tar.gz
|
|
| I believe the author of LFT is working on a new release that does *not* use
| the oft-times incorrect radb data, but instead pulls from a router (not sure
| of the source) somewhere.
|
Would probably be nice to have a command-line option to specify the source
from either:
- an RADB-formatted source
- a Zebra or Quagga BGP daemon
- via SNMP from a BGP-capable device
- --
=
bep


Re: Traceroute with ASN

2005-03-15 Thread Bruce Pinsky
Ziggy David Lubowa wrote:
| On Tue, 15 Mar 2005 17:51:32 +0800 (CST), Joe Shen wrote
|
|>Yes.  Can I do this on a Linux box without having to
|>install Zebra BGP on it?
|
|
| Doesn't look like you have to; below is the link to the tarball
|
| http://oppleman.com/dl/?file=lft-2.3.tar.gz
|
According to the doc, it relies on RADB for its info, so it *might* not be
as accurate as an actual BGP feed.
- --
=
bep


Re: using sniffer on high-bandwidth pipes

2004-12-03 Thread Bruce Pinsky
Steve Francis wrote:
|
| It probably depends more on pps than bandwidth.
| At a prior job, I used FreeBSD 4.x machines to capture over 400,000 pps,
| I think, on gigabit links.
| You need a nic that is supported with one of the device polling drivers
| to keep CPU manageable. (Intel, not yet broadcom.)
|
| FreeBSD far surpassed Solaris in packet capture performance.
|
| Linux 2.6 machines may do OK, using NAPI - but I've no experience with
| that.
|
Eric Weigle and Wu-chun Feng presented a paper at PAM2002 entitled
"TICKETing High-Speed Traffic with Commodity Hardware and Software"
where they showed collecting traffic at greater than 600Mbps and to 1Gbps
in some configurations.  See http://public.lanl.gov/radiant/pubs.html#TICKET
- --
=
bep


Re: Load balancing outgoing connections automatically.

2004-12-03 Thread Bruce Pinsky
Drew Weaver wrote:
| Howdy. We're looking at upgrading our border router(s) from
| 7500s to (something) yet undetermined. What we would like to do is
| perhaps find a platform that is smart enough to not route more outgoing
| traffic across a circuit than it can handle. We have 4 outgoing links to
| the net at the moment. They all have the same amount of bandwidth; BGP
| tends to want to send all of the traffic out to the same two, so usually
| those two will carry 80-90% of our traffic while the other two will
| carry like 20-30% combined. So if the first two connections burst up a
| little bit, sometimes it can cause congestion; it's fairly rare, but any
| congestion is unacceptable as you all know.
|
|  I know the way BGP works, it will use its rules to determine the way
| traffic will go.  I was wondering if anyone has heard of any good ways
| to handle this becoming more well known within the last year or so. I
| researched this last year and found that prepending and doing things
| manually is pretty much the only way to load balance it. (i.e. manually
| setting routes based on the best paths through our upstreams for each
| connected network) I really just want to tell my router to load balance
| it; since that is kind of what I'm paying $100,000 for in the first
| place, no? I've also heard of gear from companies like Route Science
| that could possibly achieve the same thing. But I've heard that it runs
| like $300,000 for a box, is there anything a bit smaller for companies
| within the OC-3 range? That could accompany my router?
|
|
Cisco Optimized Edge Routing (OER)
http://www.cisco.com/en/US/netsol/ns471/networking_solutions_white_paper09186a008022dbfa.shtml
http://www.cisco.com/en/US/netsol/ns471/netqa0900aecd800f5584.html
http://www.cisco.com/en/US/netsol/ns471/networking_solutions_package.html
- --
=
bep


Re: Setting up DS-3 and 2 4xT1

2004-12-02 Thread Bruce Pinsky
Joshua Brady wrote:
| My apologies if some may find this a little off-topic.
|
| However, here is my issue. I need a router, which can take 2 4xT1's
| and a DS-3, while handing a Gbit for internal use. Now to complicate
| the entire situation, this needs to go into a 3 bedroom apartment, so
| I need to keep the power bills down if I can :)
|
| What would everyone recommend? Off-List replies are fine, I will
| summarize at the end.
|
Cisco 3800 ISR would do the job.
- --
=
bep


Re: Domain Name System protection

2004-08-16 Thread Bruce Pinsky
Suresh Ramasubramanian wrote:
|
| Joe Shen wrote:
|
|> We noticed there are continuous name resolution requests
|> from IP addresses outside of our address pool and also
|> there are requests not conforming to DNS documents (
|> like those from 10/8, 192.168/16 or something for
|> microsoft proxy server name). We think these requests
|> waste our resources and we don't want these systems
|> stable, secure and high performance.
|
|
| If the resolver caches are only supposed to be accessed from your IP
| space, I am sure you can easily throw in a router ACL to accept
| connections on port 53 only from these IPs.
|
| Oh, and filter out bogons at your borders while you are at it (like for
| example rfc1918 source addresses from outside your network)
|
And check out the CYMRU Secure Bind template at
http://www.cymru.com/Documents/secure-bind-template.html
- --
=
bep


Re: 2511 line break

2004-07-26 Thread Bruce Pinsky
Randy Bush wrote:
| on a 2511, which i am using as a serial console server for a bunch
| of boxes, how do i send a break on one of the lines?
|
The terminal emulation app that you use should have the capability to send
a telnet break to the terminal server.  The terminal server in turn will
assert physical break on the line connected to the device.
There are a couple of line commands that can affect the behavior when
certain telnet commands are received.  Specifically:
telnet break-on-ip
To cause the system to generate a hardware BREAK signal on the EIA/TIA-232
line that is associated with a reverse Telnet connection when a Telnet
Interrupt-Process command is received on that connection, use the telnet
break-on-ip command in line configuration mode.
telnet sync-on-break
To configure the Cisco IOS software to cause an incoming connection to
send a Telnet Synchronize signal when it receives a Telnet BREAK signal,
use the telnet sync-on-break command in line configuration mode. To disable
this function, use the no form of this command.
- --
=
bep
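What the reverse-Telnet line does with the control sequences described in the reply, as an added example that is not from the thread: a Python model in which the emulator's Telnet BREAK or Interrupt-Process arrives on the line and the two line settings decide whether a hardware BREAK is asserted on the attached console and whether a Telnet Synch is sent back. The byte values are from RFC 854; the IOS settings are modelled as booleans and the serial side as a byte buffer plus a BREAK counter (a constructed model, not IOS code).

```python
"""
Telnet control handling on a console-server line. Constructed model of
the behaviour the reply describes: IAC BRK always asserts hardware BREAK
on the serial line, IAC IP does so only with 'telnet break-on-ip', and
'telnet sync-on-break' answers each BREAK with a Telnet Synch (IAC DM).
"""
IAC, DM, BRK, IP = 0xFF, 0xF2, 0xF3, 0xF4       # RFC 854 command bytes
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE   # option verbs, one option byte each
NAMES = {DM: "DM", BRK: "BRK", IP: "IP"}


def parse_telnet(stream):
    """Split a Telnet byte stream into ('data', bytes), ('cmd', name) and
    ('opt', (verb, option)) items. IAC IAC is an escaped 0xFF data byte.
    A truncated sequence at the end is left for the next read; suboption
    negotiation (IAC SB ... IAC SE) is not modelled."""
    items, data, i = [], bytearray(), 0

    def flush():
        if data:
            items.append(("data", bytes(data)))
            data.clear()

    while i < len(stream):
        b = stream[i]
        if b != IAC:
            data.append(b)
            i += 1
            continue
        if i + 1 >= len(stream):
            break                        # lone trailing IAC: wait for more
        nxt = stream[i + 1]
        if nxt == IAC:
            data.append(IAC)             # escaped data byte
            i += 2
        elif nxt in (WILL, WONT, DO, DONT):
            if i + 2 >= len(stream):
                break                    # option byte not yet received
            flush()
            items.append(("opt", (nxt, stream[i + 2])))
            i += 3
        else:
            flush()
            items.append(("cmd", NAMES.get(nxt, f"0x{nxt:02X}")))
            i += 2
    flush()
    return items


def reverse_telnet_line(stream, break_on_ip=False, sync_on_break=False):
    """Return (bytes_to_serial, hardware_breaks_asserted, replies_to_client).
    break_on_ip models 'telnet break-on-ip'; sync_on_break models
    'telnet sync-on-break' (a real stack sends the IAC DM as TCP urgent data)."""
    serial, breaks, replies = bytearray(), 0, []
    for kind, val in parse_telnet(stream):
        if kind == "data":
            serial += val
        elif kind == "cmd" and val == "BRK":
            breaks += 1
            if sync_on_break:
                replies.append(bytes([IAC, DM]))
        elif kind == "cmd" and val == "IP" and break_on_ip:
            breaks += 1
        # option verbs and other commands do not touch the serial side
    return bytes(serial), breaks, replies


# Constructed session: a command, a BREAK from the emulator's break key,
# an Interrupt-Process, and an escaped 0xFF data byte followed by 'A'.
SESSION = b"show version\r\n" + bytes([IAC, BRK, IAC, IP, IAC, IAC, 0x41])

if __name__ == "__main__":
    print("default line:      ", reverse_telnet_line(SESSION))
    print("break-on-ip + sync:", reverse_telnet_line(SESSION, True, True))
```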


Re: T1 short-haul vs. long-haul

2004-07-22 Thread Bruce Pinsky
Michel Py wrote:
|>What is the "demarc"?
|
|
| The demarc is the service demarcation. On your side of the demarc,
| things are your responsibility. On the telco side of the demarc, it's
| your provider and/or the LEC responsibility.
|
| http://192.20.13.157/planner/tab003a.pdf look at figure 1
| http://192.20.13.157/planner/tab003b.pdf look at figure 1
| http://192.20.13.157/planner/ip.html
| [note: this is for AT&T, but other carriers are similar]
|
|
|>Is it the jack/punch-block where the SmartJack is connected to?
|
|
| Maybe, maybe not.
|
|
|
|>What is an "MPOE"?
|
|
| Minimum Point Of Entry. That's where the LEC brings the cables from the
| street into the building. Unless you own the entire building, this
| typically is a closet (on the first floor, no temperature control) that
| the building manager and/or every tenant will have access to and that is
| not located in your office.
|
|
|>What is the "NIU"?
|
|
| The box that converts the signal from the street (that can run for
| miles) into the signal you find on the smartjack (that can only go a few
| hundred feet). Although I don't like the term, it's some kind of a
| digital modem. The smartjack is dumb (no lights); the NIU is the brains
| of the smartjack, what has the lights and can be looped.
|
|
|>Where is the SmartJack normally located? In your offices
|>or somewhere else in the building (maybe some room where
|>the cable to the CO is terminated)?
|
|
| - If you don't ask for extended demarc, it will be located in the MPOE
| room.
|
| - If you do ask for extended demarc (which I strongly recommend), either
| the smart jack will remain in the MPOE and your provider will bring a
| router (which becomes the demarc) in your office, or your provider will
| extend the smartjack (which will remains the demarc) in your office.
| Whether or not they move the NIU (which is preferred since you can look
| at the lights but will be difficult) or only move the jack itself is not
| your problem, all you really care is that they move their responsibility
| line, the demarc. You want the location of the demarc in WRITING.
|
| What you want is your provider to be responsible for the circuit coming
| into YOUR office, not the building. If you don't have this, you will get
| that:
|
It is also worth noting that in some buildings, the owners or management
group will not allow the telco or provider to extend the demarc.  This is
particularly true in multi-story and high-rises in metro areas where they
want to control access to the building risers.  This allows them to make
money off bringing the circuit from the MPOE to the wiring closet on your
floor. Of course they typically hire a company that does that so you have
yet another player involved in troubleshooting a faulty circuit and
coordination during install.
- --
=
bep


Re: BGP Dampening question

2004-07-20 Thread Bruce Pinsky
D Train wrote:
| <<
Have you considered IP Event Dampening?
http://www.cisco.com/en/US/partner/products/sw/iosswrel/ps1829/products_feature_guide09186a00800ad25b.html

| <
| - You start. We finish.
- --
=
bep


Re: Teaching/developing troubleshooting skills

2004-06-29 Thread Bruce Pinsky
[EMAIL PROTECTED] wrote:
|>>It's also important that one avoid:
|>>
|>>* The faulty assumption there is but one problem
|
|
| Here's an interesting example that I came across
| several years ago. It was in an office with lots
| of PCs plugged into RJ45 10baseT ports near each desk.
| One PC had lost connectivity.
|
| I came and checked that the software was
| installed and running. Probably did something
| like ping 127.0.0.1 to satisfy myself that it
| wasn't a problem on the PC itself. Then I unplugged
| the cable from the RJ45 port in the wall and tried
| another port. It still did not work. I swapped
| in a new cable and it worked fine.
|
| Most people would stop right there, but I
| followed up and tested the existing cable
| in the lab. It worked just fine. Why did
| it not work before? There must be some problem
| with the switch or the wall wiring and somehow
| two RJ45 ports did not work. After a bit of
| poking and discussions with the employee at
| that desk, it turned out that the cable lay
| in a bad spot and often got caught on her foot
| as she rushed off somewhere. It turns out that
| the little metal pins inside the RJ45 socket
| had been bent. It was just sheer luck that
| swapping the cable caused contact to be made again.
| And the second socket was also bent. When that
| one ceased to work the employee had swapped
| cables themselves.
|
| The real solution was to replace both sockets
| and install a longer patch cable that could be
| placed where feet would not get caught up in it.
|
| Troubleshooting is made easier by methodically
| doing the work and following through. If I had
| not had the lab handy I probably would have
| swapped the "bad " cable back in to verify that
| "trouble" accompanied the cable. But it is also
| easier to troubleshoot when you have a stock of
| interesting war stories in your memory to encourage
| you to "think outside the box". It's the blend of
| creativity and methodical work practices that makes
| a good troubleshooter, technical or otherwise.
|
You've described Closed Loop Corrective Action to the tee.  It's not enough
to know what the problem is, but how to correct it, and what to do to
prevent it in the future.
- --
=
bep


Re: Teaching/developing troubleshooting skills

2004-06-24 Thread Bruce Pinsky
Pete Kruckenberg wrote:
| I'm working on trying to teach others in my group (usually
| less-experienced, but not always) how to improve their
| large-network troubleshooting skills (the techniques of
| isolating a problem, etc).
|
| It's been so long since I learned network troubleshooting
| techniques I can't remember how I learned them or even how I
| used to do it (so poorly).
|
| Does anyone have experience with developing a
| skills-improvement program on this topic? If you've tried
| such a thing, what worked/didn't work for you? Outside
| training? Books? Mentoring? Motivational posters?
|
| I'm particularly sensitive to the "I got my CCNA, therefore
| I know everything there is to know about troubleshooting"
| perspective, and how to encourage improving troubleshooting
| skills without making it insultingly basic.
|
If you are looking for some courses on just analytical troubleshooting
and/or problem solving techniques, you might want to look at the Kepner
Tregoe stuff (www.kepner-tregoe.com).  It is not network specific but
rather teaches techniques.  Some of their courses include:
Problem Solving and Decision Making
Analytic Trouble Shooting
Implementing Corrective and Preventive Actions
- --
=
bep


Re: Open Source BGP Route Optimization?

2004-05-28 Thread Bruce Pinsky
Per Gregers Bilse wrote:
| On May 28, 10:37am, "Sam Stickland" <[EMAIL PROTECTED]> wrote:
|
|>Are there any BGP extensions that would cause a BGP speaker to forward all of
|>its paths, not just its best? I believe quagga had made some recent attempts
|
|
| It has been discussed and been on wish lists, but:
|
And as I said in my other post, there were two drafts submitted that never
went anywhere.
|
|>in this direction. IIRC the problem isn't to do with the route announcements,
|>it's the route withdrawals. I believe BGP only specifies the prefix being
|>withdrawn and not the path, so if it's advertised multiple paths to a prefix
|>it's impossible to know which has been withdrawn.
|
|
But the "optimizing" device is in need of receiving all potential paths
from the border routers.  Essentially, it needs a complete picture of all
viable paths, not just the best that each border has.  It would not be
advertising multiple paths.
| That is 100% correct, yes.  Selective withdrawal is not supported.
|
But the "optimizing" device wouldn't be advertising multiple paths.  It
would be advertising its selected path from all viable paths based on the
selection criteria/policy implemented by the user.  The optimizing device
can then keep track of what it has advertised and withdraw as
appropriate/necessary.
| Another issue is that there isn't much point, as far as regular BGP
| and routing considerations go.  Whichever is the best path for a border
| router is the best path; telling other routers about paths it will not
| use serves no (or at best very little) point in this context.
|
The point is not to tell other borders about paths it will not use, but for
the "optimizing" device to select the desired path from all available paths
and cause that path to become "best path" for all border routers.  And
"best" in this case is a user influenced choice based on any number of
factors including path performance, cost, load, or other policies that the
device can use as a selection criteria.
| Funny coincidence, just earlier today I was talking to somebody about
| BGP and its general applicability, and while there can be no question
| that BGP has stood the test of time and achieved all its objectives,
| there are things one would do differently if one were to start over.
| But that's always the case.
|
Does a great job at what it was designed for as appropriate for the time it
was conceived.  As always, times change.
- --
=
bep


Re: Open Source BGP Route Optimization?

2004-05-28 Thread Bruce Pinsky
Per Gregers Bilse wrote:
| At first I wasn't sure what a "route optimizer" was supposed to do --
| the term is rather generic and could have a lot of different
| interpretations.
|
| A multi-path traffic balancing solution in the style of Cisco's OER has
| to be tightly integrated with the routing infrastructure.  Specifically,
| it needs first hand BGP peer data in order to work reliably.  There will
| be a number of cases where an add-on solution might be able to improve on
| certain things, but there is one major hurdle: a BGP speaker only forwards
| its own best paths, so an add-on analyzer might well never learn about
| alternative paths.  The only way for any implementation to reliably learn
| (all) alternative paths and otherwise maintain routing integrity is by
| receiving BGP data first hand, ie directly peer with transit providers
| and other peers.
|
Having helped design and implement one such system, I can tell you that
there are alternatives to peering directly with transit providers.  We were
able to learn alternate paths directly from the border routers of the
entity whose exit paths our product was "optimizing".
I am also aware of other implementations that did not rely on BGP NLRI data
for determining if an exit path was valid for any given destination or
prefix.  In those implementations, BGP was used merely as a mechanism to
influence the outbound routing decision.
Additionally, there were two RFC drafts published regarding the capability
to negotiate for receiving both the active and inactive paths.
draft-fletcher-bgp-inactive-path
draft-walton-bgp-add-paths
Given the failure of this market segment to mature, I suspect both of those
are expired by now.
- --
=
bep


Re: Barracuda Networks Spam Firewall

2004-05-19 Thread Bruce Pinsky
James Couzens wrote:
| On Wed, 2004-05-19 at 16:24, Eric A. Hall wrote:
|
|>extract hostname from url, dig on hostname, whois on addr, and nine times
|>out of ten the host is in a CN netblock. that's from the spam that gets
|>into my mailbox.
|
|
| Yes I understand that is what you meant.  I just did this on 5 spam in
| my mail box, I got:
|
| Domain Name: AAFMALE.BIZ (www.aafmale.biz)
| Registrant Country: Canada
| Resolves to address: 218.232.109.220 (KRNIC-K) (Korea)
|
| Domain Name: PLANENEWS.COM
| Registrant Country: France
| Resolves to address: 216.92.194.65 (PAIRNET-BLK-3) (United States)
|
| Domain Name: MIRGOS.ORG
| Registrant Country: Russia
| Resolves to address: 211.198.200.208 (KRNIC-KR) (Korea)
|
| Domain Name: WINSPR.BIZ  (iityvzbtpvw.winspr.biz)
| Registrant Country: New Zealand
| Resolves to address: 221.233.29.33 (CHINANET-HB-JZ7) (China)
|
| While it is only 5 mails, and certainly nothing to judge by, it does not
| seem to be 90%.  Although Korea under APNIC it is not China.
|
|
Similar results.  Got 2 in the US, one in Brazil, one in Korea, and one in
China.
- --
=
bep


Re: New cisco exploit published in the media today

2004-03-29 Thread Bruce Pinsky
Scott Call wrote:
| Forgive the not panicking, but none of the exploits utilized by this tool
| are new, the newest being a year old, most being 2-3 years old, judging by
| the dates on the cisco pages.
|
Yes, but the toolkit and the simplicity with which these exploits can now
be executed IS new.  This notification serves as a reminder to those who
may not have addressed these vulnerabilities in their networks even where
there have been fixes for several years.
- --
=
bep


Re: Firewall opinions wanted please

2004-03-17 Thread Bruce Pinsky
Erik Haagsman wrote:

| On Wed, 2004-03-17 at 21:02, Petri Helenius wrote:
|
|>No, the applications should accept only authorized connections. If that
|>would be the case, there would be no need to filter at packet level.
|
|
| No, since this would be assuming that each application is perfect and
| there's no such thing as buffer overflows and other software bugs
| (including those in authentication routines). A firewall is an extra
| line of defence in preventing malicious packets from reaching the
| destination app and the more people have one the better (although I'm
| not sure whether grandma would be too bothered)
| It's not bulletproof (and could potentially contain a bug itself) but it
| provides additional security, regardless of authentication of
| connections.
|
|
|
And I think you have hit it right on the head...another line of defense.
Everything I've ever read about security (network or otherwise) suggests
that a layered approach increases effectiveness.  I certainly don't trust a
firewall appliance as my only security device, so I also do prudent things
like disable ports and applications that are not in use on my network and
enforce authentication and authorization for access to legitimate services.
- --
=
bep


Re: Load Balancing Multiple DS3s (outgoing) on a 7500

2004-03-15 Thread Bruce Pinsky
Joe Abley wrote:

|
|
| On 12 Mar 2004, at 23:24, joe mcguckin wrote:
|
|> Patrick,
|>
|> I suspect that each FE goes to a different AS...
|
|
| In that case, sample/count outbound traffic volumes by
| (prefix/AS/AS_PATH/something), sort the resulting list, and develop an
| import policy based on the top N entries which shares the traffic by
| tweaking some other attribute to avoid the last-resort tie-break.
|
| Or bypass the measurement part, and make wild guesses about where your
| traffic is going, and apply an import policy based on that. Either way,
| lather, rinse, repeat.
|
| There might be something relevant in the slot I did in this tutorial in
| Richmond Hill:
|
|   http://www.nanog.org/mtg-0206/te.html
|
And products from folks like Proficient Networks and Routescience can
automate the process for you.
- --
=
bep


Re: good cabling in real environments [Re: Request for submissions: messy cabling and other broken things]

2003-12-17 Thread Bruce Pinsky
John Kinsella wrote:

| On Wed, Dec 17, 2003 at 07:07:13PM +0200, Pekka Savola wrote:
|
|>How do you do good cabling in dynamic, real environments? :-)
|
|
| You hide the spiders nest with lots of panduit covers? ;)
|
| Honestly, I think it comes down to two things:  Planning before
| implementation - you pre-wire your net gear to patch panels before it
| goes into production;  This keeps most hands off the back end stuff
| except for the occasional test to verify that a patch is working.  This
| same planning goes into a second set of patch panels which you terminate
| in the racks, that removes another major part of one-off cable pulls.
| Rack server, cross-connect to top of rack, back to your patch panels,
| cross connect to network patch panel, you're set.
|
I've even found some examples of some of that and posted them at
http://www.pinskyfamily.org/dcstuff/
- --
=
bep


Re: good cabling in real environments [Re: Request for submissions: messy cabling and other broken things]

2003-12-17 Thread Bruce Pinsky
Henry Linneweh wrote:

| Any good software out there for cable documenting and even routing and for
| ECO when things are changed?
|
I've looked at ITRACS (www.itracs.com) and Telsoft's stuff
(http://telsoft-solutions.com/cable.html) before.
ITT also has LANSense which is based on ITRACS.  See
http://www.ittnss.com/kb/kb.asp?id=82&catid=86&skbid=82
- --
=
bep


Re: good cabling in real environments [Re: Request for submissions: messy cabling and other broken things]

2003-12-17 Thread Bruce Pinsky
Pekka Savola wrote:

| On Tue, 16 Dec 2003, John Kinsella wrote:
|
|>Always liked the work my fellow coworkers at Globix used to do - I don't
|>have any shots of SJC or NYC online (too bad - a few projects I went to
|>a lot of trouble on to show the rest how it should be done ;) ), but
|>here's one of our demo panels from LHR:
|>
|>http://thrashyour.com/lhr1-wiringdemo.jpg
|>
|>And yeah, most of what was under the floors in all the DCs looked like
|>that, and yeah I hear for strict cat5 regs that they shouldn't be
|>velcroed together like that.  Wire wraps were never used (only velcro),
|>bundles are laid down so that shortest is on the bottom side, longest
|>on the top.
|
|
| Now, we've seen a few pics of "good" cabling as well.
|
| However, I'm forced to ask which kind of "good cabling" is possible in
| a dynamic environment when you plug in/out, change, etc. the cables.
| This seems to invariably lead to total chaos :-).
|
| For example, consider the case of a patch panel of 200 plugs, where
| you'd have to wire cables to 20 different physical locations (where
| the switches/routers are)?  How do you manage that elegantly, at the
| patch panel side and the switch/router side?  :-)
|
One of the things we did was to not allow cabling directly to the switches
and routers.  We would always extend switch and router ports to structured
wiring infrastructure and then do patching from structured panel to
structured panel.  This would ensure that clean wiring technique was
employed near the gear and that cables would not cross cards making them
inaccessible in the event of failure.  It also isolated the dynamic portion
of the wiring infrastructure to patch fields and away from user cabinets
and network gear.
| I mean, it's fine if you take 100 cables, and wire them between the
| patches and the switches (or the racks if you have the patch
| cross-connect there) in bulk, but consider the case where you have 15
| different switches (different subnets), a computer moving in/out of
| the room in a daily basis etc.  You can't just go around wiring like
| http://thrashyour.com/lhr1-wiringdemo.jpg or
| http://new.onecall.net/timages/cat5patch.jpg
|
| How do you do good cabling in dynamic, real environments? :-)
|
You also have to plan for plenty of cable management.  In our patch fields
we had cable mgmt at the top, the middle, the bottom, and the left and
right sides of each rack.  Took extra room and required extra racks, but it
helped mitigate sloppy patch jobs.  Additionally, we kept a ton of extra
patch cords of various lengths around.  We had preplanned the necessary
lengths and instituted a color coding scheme to denote different services
running through the cables.
- --
=
bep


Re: Microsoft Probes Flaw That Could Help Fraudsters Create Fake Web Sites

2003-12-11 Thread Bruce Pinsky
Mike Tomasura wrote:

| Did anyone else see this?
|
| http://www.secunia.com/internet_explorer_address_bar_spoofing_test
|
| http://news.google.com/url?ntc=0M4C0&q=http://www.informationweek.com/story/
| showArticle.jhtml%3FarticleID%3D16700218
|
|
|
|
|
Whole discussion on Slashdot as well:

http://slashdot.org/articles/03/12/11/1319212.shtml?tid=109&tid=113&tid=126&tid=128&tid=187&tid=95

- --
=
bep


Re: Yankee Group declares core routing obsolete (was Re: Anybody using GBICs?)

2003-10-30 Thread Bruce Pinsky
Richard A Steenbergen wrote:

| On Tue, Oct 28, 2003 at 03:25:43PM -0500, Richard A Steenbergen wrote:
|
|>On Tue, Oct 28, 2003 at 09:48:01AM -0800, [EMAIL PROTECTED] wrote:
|>
|>>I'm looking into doing some research that will make use of GBICs (Gigabit
|>>Interface Converters),
|>>but I need to know how many of you are using GBICs in your networks?
|>>If you are using them, where do they fit into your topology?
|>
|>Hello,
|>
|>I am also doing some research and would like to know how many of you are
|>using routers in your networks? I am considering making use of them, but
|>first I need to know where they fit into your topology?
|
|
| http://story.news.yahoo.com/news?tmpl=story&cid=75&e=18&u=/nf/22581
|
| Plainly stated, routers no longer have a home in the core of the network.
| "You might have found a router there five years ago, but most certainly
| you have a switch today," said Yankee Group vice president Zeus Kerravala.
|
| Whew, good thing I checked, I almost went out and bought routers for my
| network. :)
|
Hmm, was that a news story or an advertisement for a certain N vendor
disguised as one?
=
bep


Re: [arin-announce] IPv4 Address Space (fwd)

2003-10-28 Thread Bruce Pinsky
Andy Dills wrote:

| On Tue, 28 Oct 2003 [EMAIL PROTECTED] wrote:
|
|
|>The bottom line is that there are three different models
|>which may predict when we run out of IPv4 addresses. The
|>models predict dates ranging from 2022 to 2045. None of
|>the models predict an exact year, they all predict a range
|>of 4 to 8 years and the above dates are the earliest and
|>latest of those ranges.
|
|
| Ok, so let's assume 2022, for the sake of argument. That is, after all,
| nearly 20 years from now.
|
|
|>>Does anybody honestly think companies will commit the capex needed to
|>>implement IPv6?
|>
|>Yes, because IPv6 is merely an incremental improvement, not a grand
|>elegant solution to world hunger like ATM. Look at how we managed the
|>incremental step of adding MPLS to our IPv4 networks. It was fairly
|>painless because it uses the same boxes, the same people and the same
|>management systems. And over time, the pain of doing MPLS is reduced
|>because the bugs get worked out.
|
|
| Yes, but did MPLS require different ASICs?
|
|
|>Similarly, IPv6 is an incremental change that uses the same boxes,
|>people and management systems.
|
|
| People need training (but not all that much), management systems need
| rewritten (not majorly), and boxes need hardware replacements to forward
| at line rate (CAPEX ALERT).
|
|
|>In fact, if you've put MPLS into your core, you only need to worry about
|>IPv6 at the edge from the PE router to the CE router because you can use
|>6PE. The capex is being spent anyway by upgrading boxes to meet capacity
|>needs. You didn't notice it but the new core boxes are all capable of
|>IPv6 with a simple software feature upgrade.
|
|
| Yes, but there will always be this issue of billions of dollars of
| existing, perfectly functional, unable-to-forward-v6-at-linerate routing
| gear. If you have a router completely filled with attached customers, why
| would you upgrade that router? You would buy another one for future new
| customers, but not upgrade the existing one. The new one might forward
| IPv6 at linerate, but the old one still doesn't, and there is still not
| sufficient motivation to upgrade that old router.
|
|
|>NANOG rarely takes the lead in new product development and driving
|>market demand. Someone else will sort out that problem.
|
|
| Yes, but the growing consensus among network operators is that IPv6 is a
| waste of time and money, a technology that solved a problem that no longer
| exists.
|
| If we won't sign off on it, these "other people" won't even have a chance
| to.
|
|
|>I know that I said IPv6 is an incremental change, but the world that it
|>enables is not incremental. Imagine 30 years from now where the majority
|>of people in the developed world have full two-way voice, video, and
|>data communications capability seamlessly integrated into their
|>clothing, their vehicles, their workplace cubicles and their homes. X10
|>is obsolete replaced by IPv6 over power networks and IPv6 over Bluetooth
|>v.3. Networks are everywhere and it is common for even small devices to
|>have multiple IPv6 addresses.  My belt (containing the cellphone
|>transceiver) will have 20 IPv6 addresses in 20 different subnets
|>corresponding to 20 VPNs. If you know about today's SIP networks, it's
|>like having a phone number in INOC-DBA, FWD, SIPPhone, IAXtel etc.
|>Except that these will be IPv6 addresses because they aren't for voice
|>traffic. One of the 20 VPNs will be for a heart-rate monitoring service
|>that coordinates with my gym and my personal trainer. Another one might
|>be for an insulin level monitor that connects to my physician and
|>pharmacy. The pharmacist will know when the insulin pack in my shirt
|>collar will be depleted and will dispatch a refill to my home
|>automatically.
|
|
| Like I said, I don't think people will be all that excited about their
| heart-monitor being reachable with a globally routed IP. People only want
| to be connected to a certain degree.
|
| Hell, there are people JUST NOW getting cell phones, and even more people
| who will never get them. Most people aren't interested in being
| "reachable" 24/7. Even more people aren't interested in having critical
| functions rely on technical mumbo-jumbo when they have grown up taking
| care of themselves just fine.
|
| I think you're WAY overestimating our culture's thirst for technology.
| As a society, we're still coming to grips with DVDs, MP3s, and cell
| phones.
|
While this may be NANOG, that's a pretty U.S.-centric point of view.  The
appetite for technology and connectivity in Asian countries is
mind-boggling.  If just 50% of the college students in China had IP enabled
cell phones, that would be 160 million users.  I don't know if most U.S.
providers have requirements on that kind of scale.
- --
=
bep

Re: Extreme BlackDiamond

2003-10-13 Thread Bruce Pinsky
Robert Boyle wrote:

|
| At 04:43 PM 10/13/2003, [EMAIL PROTECTED] wrote:
|
|> > 7600 is also vertical boards whereas the 6500 is horizontal.
|>
|> Yep, I think from now on, we should make this a primary distinction
|> between switch and a router: If a device has vertical line cards, it is a
|> router, if horizontal, it is a switch.
|>
|> Works well for 7500/12000/5x00/6500. ;)
|
|
| A small problem... all of my 7200s have horizontal line cards as do the
| Juniper M5/7/10/20. The smaller 7100, 3700, 3600, 2600 also have
| horizontal line cards too. So... here is a correction.
|
| "From now on, we should make this a primary distinction between switch
| and a router: If a device has vertical line cards, it is a router, if
| horizontal, it is a switch, unless there are two or more vertical slots
| within any horizontal slot plane, then it is, in fact, a router."
|
| How does that sound?
Like the start of some new RFC :-)

=
bep


Re: Fun new policy at AOL

2003-08-29 Thread Bruce Pinsky
Omachonu Ogali wrote:
|>trusted-mx.crocker.com uses DNSRTTL (Real Time Trust List) to only
|>accept connections from IPs it trusts.
|
|
| Hate to break up your envisionary experiences and insight into
| reinventing the wheel, but what happened to consideration of
| SMTP authentication?
It's only as good as the strength of your user community's passwords.  A
friend of mine supports a school's servers and they were brute forced the
other day resulting in essentially an open relay for the spammers.  Auth is
nice, but not enough.
=
bep
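The point in the reply above (an authenticated relay is only as strong as the weakest password, and one brute-forced account turns it into an open relay for spammers) is something a mail operator can watch for in the server's own logs. What follows is an added example, not code from the original post or from anyone on the list: a small Python script that reads smtpd log lines modelled on Postfix's SASL messages, counts authentication failures per source address, and flags any account whose successful login comes from an address that had already crossed the failure threshold. The sample log lines are constructed (the 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 addresses are documentation ranges), and the threshold of 10 failures is an assumed tuning value.

```python
"""Spot SMTP AUTH brute forcing and an account that then logged in from the
guessing source.  Added example; the log lines are constructed to look like
Postfix smtpd SASL messages and do not come from any real server."""
import re
from collections import Counter

# Failed SASL authentication, e.g.
#   ... postfix/smtpd[2201]: warning: unknown[203.0.113.5]: SASL LOGIN authentication failed: ...
FAIL_RE = re.compile(
    r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[\d.]+)\]: "
    r"SASL \w+ authentication failed"
)
# Successful authenticated session, e.g.
#   ... postfix/smtpd[2201]: 4F1A2B3C: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=student
OK_RE = re.compile(
    r"postfix/smtpd\[\d+\]: [0-9A-F]+: client=\S+\[(?P<ip>[\d.]+)\], "
    r"sasl_method=\w+, sasl_username=(?P<user>\S+)"
)

# Constructed sample: twelve failures from one address, then a success from
# that same address, an unrelated single failure, a clean login, and a qmgr
# line that the parser must ignore.
SAMPLE_LOG = [
    f"Aug 29 10:01:{s:02d} mx postfix/smtpd[2201]: warning: unknown[203.0.113.5]: "
    "SASL LOGIN authentication failed: authentication failure"
    for s in range(12)
] + [
    "Aug 29 10:01:40 mx postfix/smtpd[2201]: 4F1A2B3C: client=unknown[203.0.113.5], "
    "sasl_method=LOGIN, sasl_username=student",
    "Aug 29 10:05:00 mx postfix/smtpd[2210]: warning: unknown[198.51.100.7]: "
    "SASL LOGIN authentication failed: authentication failure",
    "Aug 29 10:06:00 mx postfix/smtpd[2211]: 9D8E7F6A: client=host.example.net[192.0.2.10], "
    "sasl_method=PLAIN, sasl_username=alice",
    "Aug 29 10:06:01 mx postfix/qmgr[1100]: 9D8E7F6A: from=<alice@example.net>, "
    "size=1234, nrcpt=1 (queue active)",
]


def parse_line(line):
    """Return {'event': 'fail'|'ok', 'ip': ..., 'user': ...}, or None for
    lines that are neither an auth failure nor an authenticated session."""
    m = FAIL_RE.search(line)
    if m:
        return {"event": "fail", "ip": m.group("ip"), "user": None}
    m = OK_RE.search(line)
    if m:
        return {"event": "ok", "ip": m.group("ip"), "user": m.group("user")}
    return None


def analyze(lines, threshold=10):
    """Count failures per source address and flag logins that follow a
    brute-force run from the same address.  threshold is an assumed tuning
    value; pick one that fits your own traffic."""
    failures = Counter()
    suspects = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "fail":
            failures[ev["ip"]] += 1
        elif failures[ev["ip"]] >= threshold:
            # A success from an address that has been guessing passwords is
            # the "brute forced, now an open relay" case: lock the account.
            suspects[ev["user"]] = ev["ip"]
    sources = {ip: n for ip, n in failures.items() if n >= threshold}
    return {"brute_force_sources": sources, "compromised_suspects": suspects}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

Run against the constructed sample, the script reports 203.0.113.5 as a brute-force source and the account "student" as a suspect, while the single failure from 198.51.100.7 and the clean login by "alice" are left alone. Feeding real mail logs through the same loop, and disabling the flagged account rather than only blocking the source address, is the operational counterpart to the point made above: authentication alone does not stop a relay from being abused once a weak password has been guessed.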


Re: Atm-t1 8t1-ima

2003-08-29 Thread Bruce Pinsky
Ejay Hire wrote:

Hi all.  Can anyone tell me if the 8 port IMA network module is
supported in the 3640s?  I used the Compatibility tool, and it said I'd
be good with 12.2.11 YT but I'm having no success.
Any advice is appreciated.  

*Mar  1 00:00:05.211: %PA-2-UNDEFPA: Undefined Port Adaptor type BD in
bay 2
Cisco Internetwork Operating System Software 
IOS (tm) 3600 Software (C3640-I-M), Version 12.2(11)YT2, EARLY
DEPLOYMENT RELEASE SOFTWARE (fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Thu 27-Feb-03 16:41 by cmong

Ejay Hire
... ln -s /dev/null /dev/clue


Could be that the boot image is complaining and not the run image.  Can't 
tell from your email snippet.  Check what version of boot image is the min 
req't for the module.

=
bep



Re: Blocking port 135?

2003-08-01 Thread Bruce Pinsky
Bob German wrote:

Absolutely.  All of the NetBIOS ports: 135, 137, 138, 139, 445.  

And filtering 445 in the outbound direction to prevent attacks from the inside 
out is probably prudent as well.

=
bep


Re: State Super-DMCA Too True

2003-03-30 Thread Bruce Pinsky
Jack Bates wrote:
Dan Hollis wrote:

Using the law to defend deceptive business practices. Makes perfect 
sense.

It's either that or start charging the customers what it really costs. 
They've been so happy to get away from that. Large networks have cut 
their rates based on oversell so that mid-sized networks could cut their 
rates, so that small networks could cut their rates, so that @home can 
have service for $50/mo. If @home uses full bandwidth, and each of the 
networks steps up to meet the bandwidth, either a) @home gets billed no 
less than 4 times as much or b) any network that doesn't step up pricing 
goes into Chapter 11. In addition, it's questionable if the overall 
network infrastructure can handle that amount of throughput. 1.5Mb/s to 
the house sounds so wonderful, but at $50/mo, it's not really feasible 
without a lot of oversell. People traditionally base oversell per 
computer connection (taken from dialup overselling).

I disagree with the method, but who am I to say someone else's business 
plan is faulty and they shouldn't be allowed to enforce it?

Then charge what it really costs.

Look, I'm buying transit from an ISP.  You know, moving bits.  This kind 
of legislation is as absurd as telling me what devices I'm allowed to 
view my DVDs on, listen to my CDs on, or how I should watch a movie 
because it happens to come on a little silver disk vs a dark stream of tape.

If ISPs have to resort to these kind of tactics to preserve "value" of 
their services, perhaps they need to find a way to offer more "value" 
than they do today.

As for the security aspects, I have privacy of communication when I put 
a letter into an envelope.  Just because I'm communicating 
electronically doesn't mean I've abdicated that right.

==
bep


Re: State Super-DMCA Too True

2003-03-30 Thread Bruce Pinsky
William Allen Simpson wrote:
...snip...snip...
(a) “Telecommunications” and “telecommunications service” mean any
service lawfully provided for a charge or compensation to facilitate
the origination, transmission, retransmission, emission, or
reception of signs, data, images, signals, writings, sounds, or
other intelligence or equivalence of intelligence of any nature over
any telecommunications system by any method, including, but not
limited to, electronic, electromagnetic, magnetic, optical,
photo-optical, digital, or analog technologies.
[everything from a DVD, to the network, to the monitor, to t-shirts]

Sounds like I better start charging my neighbors a $0.01/month :-)

==
bep


Re: how to get people to upgrade? (Re: The weak link? DNS)

2003-03-26 Thread Bruce Pinsky
Charles Sprickman wrote:
> On Wed, 26 Mar 2003 [EMAIL PROTECTED] wrote:
> 
>> One obvious problem with this would be that certain vendors prefer to
>> backport security fixes to older versions rather than test and release
>> new versions...so an insecure-looking version string may actually have
>> had fixes applied.
> 
> I think you're talking about RedHat, right?  What other vendors take this
> approach?  I know that at a recent job I set out to scan for what versions
> of things were running on a bunch of boxes, and all the RedHat boxes were
> showing as running vulnerable versions of OpenSSH.

Debian does as well.  Since they run 3 different primary release 
branches (stable, testing, unstable), they often backport security fixes 
onto the stable branch without introducing additional functionality from 
later revisions that would be introduced via the unstable and then 
testing branches.  For example, I'm running sendmail 8.12.3/Debian-5 
which is security patched up to sendmail version 8.12.8.  However, the 
current testing version is 8.12.6/Debian-7 and the unstable version is 
8.12.8/Debian-2.

> While personally I think this is a bogus way to manage security fixes,
> there are probably many many RedHat boxes out there running BIND.  Short
> of pointing out the error of their ways or expecting them to roll
> something into their own patches to fix the notification system, how would
> you handle that?  I mean, at least on the ssh thing, they didn't even
> change the version string one bit, not even a 'rh-p1' or something.  So as
> far as your scanner knows, and as far as the script kiddies know, you're
> running a vulnerable version.

Actually, it's a very good way to run a stable environment and still get 
the benefit of fixes that address security or severe operational issues. 
In fact, the packages with the fixes were available the morning after 
sendmail 8.12.8 was posted and the CERT advisory went out.  I had it 
installed by the afternoon.

Can't speak for how RH handles their versioning, but as you can see 
above, Debian includes the source version on which a package is based 
plus a revision to indicate additional changes specifically added for 
Debian.  It makes it very easy to keep track of what I have installed 
even if kiddie scripts think I'm running downrev versions (which I'm not).

==
bep
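The false positive described in this thread (a banner of "8.12.3/Debian-5" that a version-only scanner reads as an unpatched 8.12.3) is easy to reproduce in code. The example below is added here and is not from the thread or from any Debian or Red Hat tooling: it parses the upstream version and packaging revision out of the banner, then compares a naive "upstream older than first fixed release" verdict with one that consults a backport table. The table itself is constructed for illustration (it treats Debian-5 of the 8.12.3 base as the first revision carrying the 8.12.8 fixes, which is an assumption); real checks would read the distribution's advisory or changelog instead.

```python
"""Version-string scanning vs. distro-aware vulnerability checking.

Added example, not part of the original thread.  A naive scanner flags a
package "vulnerable" whenever the upstream version in its banner is older
than the first fixed release.  Debian backports the fix and bumps only the
packaging revision, so the banner still reads "8.12.3/Debian-5".  The
backport table below is CONSTRUCTED for illustration, not taken from an
advisory.
"""
import re
from typing import NamedTuple, Optional, Tuple


class PkgVersion(NamedTuple):
    upstream: Tuple[int, ...]   # e.g. (8, 12, 3)
    distro: Optional[str]       # e.g. "Debian", or None for a plain upstream banner
    revision: Optional[int]     # e.g. 5, or None


# "8.12.3/Debian-5" or plain "8.12.8"
_BANNER_RE = re.compile(
    r"^(?P<up>\d+(?:\.\d+)*)(?:/(?P<distro>[A-Za-z]+)-(?P<rev>\d+))?$"
)


def parse_version(banner: str) -> PkgVersion:
    """Split a sendmail-style version banner into its comparable parts."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {banner!r}")
    upstream = tuple(int(x) for x in m.group("up").split("."))
    rev = int(m.group("rev")) if m.group("rev") else None
    return PkgVersion(upstream, m.group("distro"), rev)


# Constructed: first upstream release containing the fix.
FIRST_FIXED_UPSTREAM = {"sendmail": (8, 12, 8)}

# Constructed (assumption): first packaging revision of a given upstream
# base that carries the backported fix.  Key: (package, distro, base).
FIRST_FIXED_BACKPORT = {("sendmail", "Debian", (8, 12, 3)): 5}


def naive_verdict(pkg: str, banner: str) -> str:
    """What a version-only scanner concludes: compares upstream numbers only."""
    v = parse_version(banner)
    return "vulnerable" if v.upstream < FIRST_FIXED_UPSTREAM[pkg] else "fixed"


def distro_aware_verdict(pkg: str, banner: str) -> str:
    """Same question, but honour the distribution's backport revision.

    Returns "unknown" (not "vulnerable") when the banner names a distro
    build we have no backport record for: that needs a manual check, and
    guessing either way produces noise.
    """
    v = parse_version(banner)
    if v.upstream >= FIRST_FIXED_UPSTREAM[pkg]:
        return "fixed"
    if v.distro is None:
        return "vulnerable"                     # plain upstream build, no backport possible
    fixed_rev = FIRST_FIXED_BACKPORT.get((pkg, v.distro, v.upstream))
    if fixed_rev is None:
        return "unknown"
    return "fixed" if v.revision >= fixed_rev else "vulnerable"


if __name__ == "__main__":
    for banner in ("8.12.3/Debian-5", "8.12.3/Debian-4", "8.12.6/Debian-7", "8.12.8"):
        print(f"{banner:16} naive={naive_verdict('sendmail', banner):10} "
              f"distro-aware={distro_aware_verdict('sendmail', banner)}")
```

The "unknown" outcome is the practical point: once a scanner knows a banner belongs to a distribution build, the honest answer without a backport record is "go and check the changelog", not a vulnerable verdict that the script kiddies and the compliance report will both take at face value.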


Re: att.net domain expired

2003-03-13 Thread Bruce Pinsky
Ejay Hire wrote:
> Hello all. Expect some calls from people who can't reach *.att.net. The
> att.net domain has expired and is in Verisign's new "not working and not for
> sale" hold queue.

Ok, I'll bite.  It's not Dec 2003 yet, so how is it expired?

-Ejay

Registrant:
AT&T Corp. (ATT2-DOM)
55 Corporate Drive
null
US 
Domain Name: ATT.NET 
Administrative Contact, Technical Contact:
GNMC (VXGTRUVDOO) [EMAIL PROTECTED] 
GNMC
3324 Hollenberg
Bridgeton, MO 63044
US
314-264-9672 fax: 281-664-9975 

Record expires on 14-Dec-2003.
Record created on 13-Dec-1993.
Database last updated on 13-Mar-2003 03:25:00 EST. 
Domain servers in listed order: 
ORCU.OR.BR.NP.ELS-GMS.ATT.NET 199.191.129.139
WYCU.WY.BR.NP.ELS-GMS.ATT.NET 199.191.128.43
OHCU.OH.MT.NP.ELS-GMS.ATT.NET 199.191.144.75
MACU.MA.MT.NP.ELS-GMS.ATT.NET 199.191.145.136




--
==
bep


Re: BGP to doom us all

2003-02-28 Thread Bruce Pinsky
Jim Deleskie wrote:
> Bruce,
> 
>   I agree, while we all need to 'do the right thing' and only announce what
> we are supposed to, we also need to maintain the right level of being paranoid
> to protect the networks we are responsible for.

Right.  And so while authentication and encryption of routing protocol exchanges 
is a necessary future to insure authenticity, it doesn't and won't absolve 
providers from the responsibility of filtering both what they receive and what 
they transmit.

And ideally, a goal of tying a route filtering mechanism to the authentication 
mechanism (i.e. adding authorization on top of authentication) would 
significantly reduce the burden and complexity of maintaining good route filters 
and thereby increase the chance that providers will implement them.

==
bep


Re: BGP to doom us all

2003-02-28 Thread Bruce Pinsky
Jim Deleskie wrote:
> http://news.com.com/2100-1009-990608.html?tag=fd_lede1_hed
> 
> Seems the BGP will be the downfall of the internet, the sky is falling the
> sky is falling


What a crock of crap.  Knowing who someone is doesn't stop them from causing 
intentional or unintentional problems.  In fact, authentication is more likely 
to cause people to become complacent wrt their filtering policies.  Hey I've 
authenticated that router so it's going to only send me correct routes. 
Puleeeaaa...

==
bep


Re: two questions

2002-11-08 Thread Bruce Pinsky

Jeff Aitken wrote:
> On Fri, Nov 08, 2002 at 11:32:43AM -0800, Scott Granados wrote:
> 
>> I have seen some router cpu questions.  I know this is not the place for
>> router questions specifically; could someone pass on the name of the group
>> for cisco users?  I remember there was one.
> 
> [EMAIL PROTECTED] may be the list to which you're referring.
> See http://puck.nether.net/mailman/listinfo/ for more info.

[EMAIL PROTECTED] aka the newsgroup comp.dcom.sys.cisco may be the other.

==
bep




Re: Talked about this before

2002-09-09 Thread Bruce Pinsky


Forrest W. Christian wrote:
> On Mon, 9 Sep 2002, Pawlukiewicz Jane wrote:
> 
> 
>>Quick Question, how much memory does the bgp tables actually take. I'm
>>estimating 32 mb in my plan, but I'm worried that's not enough.
> 
> 
> Two views:
> 
> hln-cs1#sh ip bgp summ
> BGP router identifier 206.127.65.1, local AS number 4043
> BGP table version is 132881, main routing table version 132881
> 112575 network entries and 336143 paths using 24365495 bytes of memory
> 60397 BGP path attribute entries using 3624720 bytes of memory
> 53004 BGP AS-PATH entries using 1426946 bytes of memory
> 0 BGP route-map cache entries using 0 bytes of memory
> 20536 BGP filter-list cache entries using 246432 bytes of memory
> Dampening enabled. 96 history paths, 45 dampened paths
> 111752 received paths for inbound soft reconfiguration
> BGP activity 112575/456 prefixes, 336319/176 paths, scan interval 15 secs
> 
> That said:
> 
> hln-cs1#sh mem
> HeadTotal(b) Used(b) Free(b)   Lowest(b)
> Largest(b)
> Processor   623C83E0   219380768   117525008   101855760   100536360
> 100521172
>   I/OF5011534336 8157292 3377044 3365952
> 3352444
> 
> By the time you populate the routing table and/or cef, and do a few other
> things, you probably want at least 256MB.
> 
> If you are using something else, YMMV - it all depends on how efficient
> the software is at storing it in memory.
> 

And add to that the below, noting the 20%+ difference between what the process 
holds and what is reported via the bgp commands:

router#sh proc mem
Total: 226435680, Used: 98336472, Free: 128099208
  PID TTY  Allocated  FreedHoldingGetbufsRetbufs Process
0   0  98188   18485744500  0  0 *Init*
0   0716  473572020716  0  0 *Sched*
0   0 1695597520  282572480  48536 182184  0 *Dead*
...
  103   0  394643684 1139584448   91248608  13000  0 BGP Router
...



router#sh ip bgp sum
BGP table version is 45578905, main routing table version 45578905
112990 network entries and 338257 paths using 23363262 bytes of memory
59466 BGP path attribute entries using 3568080 bytes of memory
52666 BGP AS-PATH entries using 1780032 bytes of memory
1 BGP community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP activity 7862100/10119105 prefixes, 24954823/24616566 paths, scan interval 60 secs

router#sh mem
 HeadTotal(b) Used(b) Free(b)   Lowest(b)  Largest(b)
Processor   6210DDA0   22643568098330588   128105092   122426928   124143936
   I/OF90 7340032 2345240 4994792 4859760 4994748


FYI, 3660 w/256MB and 3 transit peers with 112K+ routes each.

-- 
==
bep
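The comparison Bruce asks the reader to make by eye (the "using N bytes of memory" counters in "show ip bgp summary" versus the Holding column for the BGP Router process in "show processes memory") is something a capacity-planning script should do automatically. The example below is added here and is not from the thread or from any Cisco tool: it embeds the two outputs quoted in the message above (whitespace normalised, unrelated process rows dropped), sums the itemised BGP counters, pulls the process's Holding value, and reports how much the process holds beyond what the BGP counters account for, plus the BGP process's share of total used memory. The column layout of "show processes memory" (PID TTY Allocated Freed Holding Getbufs Retbufs Process) is taken from the quoted header line; nothing else is assumed.

```python
"""Reconcile 'show ip bgp summary' memory counters with 'show processes memory'.

Added example, not part of the original thread.  The sample outputs are the
ones quoted in the message (whitespace normalised), so the numbers are real
router output, not constructed values.
"""
import re
from typing import Dict

BGP_SUMMARY = """\
BGP table version is 45578905, main routing table version 45578905
112990 network entries and 338257 paths using 23363262 bytes of memory
59466 BGP path attribute entries using 3568080 bytes of memory
52666 BGP AS-PATH entries using 1780032 bytes of memory
1 BGP community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP activity 7862100/10119105 prefixes, 24954823/24616566 paths, scan interval 60 secs
"""

PROC_MEM = """\
Total: 226435680, Used: 98336472, Free: 128099208
 PID TTY  Allocated      Freed    Holding    Getbufs    Retbufs Process
   0   0      98188   18485744        500          0          0 *Init*
   0   0        716  473572020        716          0          0 *Sched*
   0   0 1695597520  282572480      48536     182184          0 *Dead*
 103   0  394643684 1139584448   91248608      13000          0 BGP Router
"""

# "<count> <what> using <bytes> bytes of memory"
_USING_RE = re.compile(r"^(?P<count>\d+) (?P<what>.+?) using (?P<bytes>\d+) bytes of memory$")
_TOTAL_RE = re.compile(r"^Total: (?P<total>\d+), Used: (?P<used>\d+), Free: (?P<free>\d+)$")


def bgp_memory_breakdown(summary: str) -> Dict[str, int]:
    """Map each itemised BGP structure to the bytes the summary reports for it."""
    out: Dict[str, int] = {}
    for line in summary.splitlines():
        m = _USING_RE.match(line.strip())
        if m:
            out[m.group("what")] = int(m.group("bytes"))
    return out


def process_holding(procmem: str, name: str) -> int:
    """Return the Holding column for the named process row."""
    for line in procmem.splitlines():
        parts = line.split()
        # Columns: PID TTY Allocated Freed Holding Getbufs Retbufs Process (name may contain spaces)
        if len(parts) >= 8 and parts[0].isdigit() and " ".join(parts[7:]) == name:
            return int(parts[4])
    raise LookupError(f"process {name!r} not found in 'show processes memory' output")


def total_used(procmem: str) -> int:
    """Return the router-wide Used figure from the first line."""
    for line in procmem.splitlines():
        m = _TOTAL_RE.match(line.strip())
        if m:
            return int(m.group("used"))
    raise LookupError("no 'Total: ..., Used: ...' line found")


def reconcile(summary: str, procmem: str, name: str = "BGP Router") -> Dict[str, float]:
    """Compare the itemised BGP counters with what the process actually holds."""
    reported = sum(bgp_memory_breakdown(summary).values())
    holding = process_holding(procmem, name)
    used = total_used(procmem)
    return {
        "bgp_reported": reported,            # sum of the 'using N bytes' lines
        "process_holding": holding,          # Holding column for the BGP process
        "unaccounted": holding - reported,   # memory the counters do not itemise
        "holding_over_reported": holding / reported,
        "bgp_share_of_used": holding / used,
    }


if __name__ == "__main__":
    for k, v in reconcile(BGP_SUMMARY, PROC_MEM).items():
        print(f"{k:24} {v:,.3f}" if isinstance(v, float) else f"{k:24} {v:,}")
```

Two design points: the process row is matched on the joined trailing columns so that multi-word names like "BGP Router" work, and every figure is returned rather than printed so the numbers can be fed into whatever capacity spreadsheet or monitoring check is in use. The lesson for the 32 MB question at the top of the thread is the "unaccounted" figure: the itemised BGP counters are a lower bound, not the budget.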