RE: NMS/OSS commercial software : short summary from NANOG replies
do you mean kind of "The box said 'Requires Windows 95, NT, or better,' so I installed FreeBSD"? :

deejay

-----Original Message-----
From: Nipper, Arnold [mailto:arnold;nipper.de]
Sent: 28 October 2002 15:51
To: Petri Helenius; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: NMS/OSS commercial software : short summary from NANOG replies

> Expansion of nothing is still nothing. Others call it insert your favorite OS ...
>
> Arnold
>
> > That is a very short summary, would you care to expand a little bit?
> >
> > Pete
> >
> > > Hello,
> > >
> > > First of all, thanks for all the answers that I received from the list. Some of you asked me for feedback on the answers received, so here it is :
RE: Unrecognised packets
cw,

i think the frame 5 was just misinterpreted by ethereal (probably it found some initial byte sequence that made it consider the frame this way). if you go through the decode you'll find out that the data contained in the (claimed) 'q.931' part is something really far from q.931 - most of the elements are unknown, with some weird data. just a wrong decoding template applied, possibly one that'd be used for decoding h.225 frames (but h.225 runs on a different tcp port than 1199)

hope this helps

deejay

--
Tomas Daniska
systems engineer

Tronet Computer Networks
Plynarenska 5, 829 75 Bratislava, Slovakia
tel: +421 2 58224111, fax: +421 2 58224199

A transistor protected by a fast-acting fuse will protect the fuse by blowing first.

-----Original Message-----
From: cw [mailto:[EMAIL PROTECTED]]
Sent: 20 August 2002 12:48
To: [EMAIL PROTECTED]
Subject: Unrecognised packets

> Hi there folks,
>
> sorry if you're on the securityfocus incidents list and have received another version of this, but as this has protocol info I thought I might ask here.
>
> Background: Friday 9th I noticed my laptop running slowly and unstable. I assumed that applying SP3 had broken it so I reinstalled. Tue 13th I noticed logs in the firewall of my desktop which showed a prolonged scan of ports 5-50099 on my desktop machine. The scan had originated from the ip of my laptop. After a bit of thinking, I remember my desktop firewall complaining about some other packets at the time. IIRC there were packets from my laptop set at ip protocol 60 hitting my desktop. I also remember some packets set at ip protocol 0 coming from external ip addresses (not of our network). I was busy with work at the time so I blocked the packets and subsequently forgot about them. Due to my wiping the laptop before noticing the firewall logs I was unable to figure out what had happened.
>
> The thing is, now I'm starting to see some activity I'm not expecting again. Prior to last week I was running Win2K on it with SP2 (upgraded to SP3 around the same time). When I reinstalled I put WinXP on. The laptop has been running Kerio as a firewall with as many services as possible turned off. Today my firewall has picked up another packet from my laptop that was ip protocol 60 (not port 60 but protocol 60). After spotting this I loaded up ethereal and started capturing.
>
> aa.bb.cc.dd = laptop ip
> dd.cc.bb.aa = desktop ip
>
> I'm not familiar with all the protocols involved, so if my searches are correct Q.931 is an ISDN control protocol. This is odd because this is coming over a lan and neither machine has any ISDN hardware or software. Secondly there are the IP packets with a header length of 0. I'm not sure if these are related but the reason I include them is because the source MAC addresses are only a slight variation on that of my laptop. That is, my laptop starts 00:50 whilst these packets start 45:00. The rest is the same.
>
> All these packets were captured using the host aa.bb.cc.dd (where aa.bb.cc.dd eq laptop ip) filter (details in attachment). If anyone can advise me on the purpose of these packets I would appreciate it, as to the best of my knowledge they have no valid purpose.
>
> Cheers.
password stores?
hi,

i'm wondering how large isps offering managed cpe services manage their password databases. let's say radius/tacacs is used for normal cpe user aaa, but there is some 'backup' local user account created on the cpe for situations when the radius server is unreachable. for security reasons, this backup account (as well as snmp communities, radius key etc.) is unique per cpe to avoid frauds caused by end-users (even if one does password recovery on the cpe, they still don't have the password for other cpe's).

if there are hundreds or thousands of these cpe's that could mean storing tens of thousands of passwords. are there any crypto-based products available or do people use their own stuff?

thanks

--
Tomas Daniska
RE: HP Openview
the newer openview you have the more alarms it generates... you need to spend a hell of a lot of time tuning alarm correlation etc.

by the way, did anyone see an nms that's capable of working in duplicate-ip environments like mpls vpns etc? e.g. one that'd use saa agents on cisco boxes (or vrf-aware remote commands) to poll the network...

thanks

--
Tomas Daniska

-----Original Message-----
From: Matt Duggan [mailto:[EMAIL PROTECTED]]
Sent: 10 July 2002 22:57
To: John Kinsella; Eric Whitehill
Cc: [EMAIL PROTECTED]
Subject: Re: HP Openview

> Also take a look at JFFNMS - http://jffnms.sourceforge.net/
>
> It might be worth letting us know what your management requirements are before dismissing OpenView ;-)
>
> ta, Matt.
>
> ----- Original Message -----
> From: John Kinsella [EMAIL PROTECTED]
> To: Eric Whitehill [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Sent: Wednesday, July 10, 2002 9:40 PM
> Subject: Re: HP Openview
>
> > Might want to take a peek at OpenNMS... http://www.opennms.org
> > I'm not sure it'll be everything you dream of, but hey it's a hell of a lot cheaper...
> >
> > John
> >
> > On Wed, Jul 10, 2002 at 04:34:26PM -0400, Eric Whitehill wrote:
> >
> > > NANOG:
> > >
> > > I am curious if anyone has been working with HP Openview as an NMS. I've been looking at it (specifically the service call portion) and so far, have not been impressed - I'm just not seeing the feature set I would expect. Am I just being stubborn and not seeing the advantages of this? From my understanding the full HP Openview is in beta, but I'm not sure. I've done some researching on HP's website, and I can't seem to really find any relevant data.
> > >
> > > One of the large sticking points is I am trying to find a *nix based client, specifically one I can get working on Solaris, and so far, I'm having a difficult time tracking one down. Am I wasting my time with HP Openview? If you are using it, are you pleased? Should I accept fate and life and eat chicken for supper tonight?
> > >
> > > Any advice and suggestions are welcomed.
> > >
> > > -Eric
RE: Ebone going off the air (at last)...
the shutdown is in process, see the webcam or #ebone...

--
Tomas Daniska

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 2 July 2002 15:43
To: [EMAIL PROTECTED]
Subject: Re: Ebone going off the air (at last)...

> > From what I can see personally, all BGP sessions with Ebone at major peering points in Europe went down in the last two hours, and all their customer interfaces appear to be shut (or in the process of being shut down). SDH and DWDM customer circuits are also being torn down as we speak.
>
> Hmmm
>
> Try a traceroute from inside the Ebone IP network at http://www.ebone.net. A few minutes ago it was still working.
>
> Have you got any confirmation that they are, in fact, shutting down the DWDM equipment? This would leave everyone in the dark except for IRU customers...
>
> --Michael Dillon
> ex-Ebone
RE: Testing Bandwidth performance
a few months ago i was playing with a box from anritsu, they can do several gbps for a very interesting price. well yes - i could feel on the box they still are a startup - but they seemed very open. as far as i know they developed the box by cisco's request and cisco is using it for lab measurements. they also can do latency/jitter measurements with two such boxes clocked by gps

deejay

--
Tomas Daniska

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 26 June 2002 11:02
To: Alan Sato
Cc: [EMAIL PROTECTED]
Subject: Re: Testing Bandwidth performance

> On Tue, 25 Jun 2002, Alan Sato wrote:
>
> > What are some tools to test bandwidth performance? I've used iperf, but are there other tools or ways to generate traffic for testing purposes to see a link's maximum capacity? Especially greater than a 100mb.
>
> Realistically, you will need commercial hardware/software to do this properly. Smartbits, Shomiti, are two examples (Shomiti is less than user friendly, but the thing can do almost anything)
>
> > Alan
>
> --
> Yours,
> J.A. Terranson
> [EMAIL PROTECTED]
>
> If Governments really want us to behave like civilized human beings, they should give serious consideration towards setting a better example: Ruling by force, rather than consensus; the unrestrained application of unjust laws (which the victim-populations were never allowed input on in the first place); the State policy of justice only for the rich and elected; the intentional abuse and occasionally destruction of entire populations merely to distract an already apathetic and numb electorate... This type of demagoguery must surely wipe out the fascist United States as surely as it wiped out the fascist Union of Soviet Socialist Republics.
>
> The views expressed here are mine, and NOT those of my employers, associates, or others. Besides, if it *were* the opinion of all of those people, I doubt there would be a problem to bitch about in the first place...
RE: Testing Bandwidth performance
ttcp is even included in ios

try this hidden command:

gw#ttcp
transmit or receive [receive]:
etc

enjoy :)

--
Tomas Daniska

-----Original Message-----
From: Wojtek Zlobicki [mailto:[EMAIL PROTECTED]]
Sent: 26 June 2002 5:30
To: Alan Sato; [EMAIL PROTECTED]
Subject: Re: Testing Bandwidth performance

> I've found IPERF to work quite well. TTCP is also great. For a commercial solution, you may want to look for products from companies such as IXIA.
>
> ----- Original Message -----
> From: Alan Sato [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Sent: Tuesday, June 25, 2002 11:02 PM
> Subject: Testing Bandwidth performance
>
> > What are some tools to test bandwidth performance? I've used iperf, but are there other tools or ways to generate traffic for testing purposes to see a link's maximum capacity? Especially greater than a 100mb.
> >
> > Alan
RE: GigEth regenerators
a brief summary of responses up to now:

- there are several vendors making some kind of sx-to-zx gbe converters (they call it gbe extenders), which gives an equivalent of a device with a zx gbic. these vendors include jdsu, luxn, extreme etc.
- two companies were found making gbe optical regenerators - imcnetworks and transmode
- another solution is to try with edfa

mikael: which exact gbic did you use? i was comparing cisco-resold gbics and their cwdm gbics seem to be more than 10dB better on power budget... anybody tried this in real life?

thanks again

--
Tomas Daniska

-----Original Message-----
From: Mikael Abrahamsson [mailto:[EMAIL PROTECTED]]
Sent: 12 June 2002 17:48
To: [EMAIL PROTECTED]
Subject: Re: GigEth regenerators

> On Wed, 12 Jun 2002, Daniska Tomas wrote:
>
> > but for gigeth in this case - we need to connect two sites about 200km apart over dark fiber
>
> Check out the 7020 from Transmode http://www.transmode.se/products/sing_dual.htm
>
> Btw, my personal best so far is 150km over dark fiber using an extra long haul GBIC, 32dB loss over the fiber and it worked perfectly. Only tested it for 10 minutes, but there were no CRC errors during that time. +4dB output from the GBIC, now we have to worry to not look into the laser :)
>
> --
> Mikael Abrahamsson    email: [EMAIL PROTECTED]
RE: What's wrong with provisioning tools?
bob,

i was more interested in something emulating a vt100 that one could eventually plug into a console port and chat with the box... from someone's post earlier in this thread it seemed that someone is using it out there... i like the idea of talking with the box while let's say driving a car... e.g. vocollect does something close to this but it's more an in-building solution than an over-the-phone stuff http://www.vocollect.com/sitehtml/products/talkman01.php

maybe it would be worth making some mediation to pstn and a proxy app which could ssh the boxes :)

--
Tomas Daniska

-----Original Message-----
From: Bob Bradlee [mailto:[EMAIL PROTECTED]]
Sent: 13 June 2002 16:29
To: Daniska Tomas
Subject: RE: What's wrong with provisioning tools?

> I have a client HTTP://www.CORRS.ORG using several speech-synthesis terminals, they even have a braille printer on the network. I donate my eyes to them from time to time, but they get along very well on their own.
>
> Bob
>
> ---Original Message Text---
> From: Daniska Tomas
> Date: Thu, 13 Jun 2002 15:15:23 +0200
>
> > by the way - those speech-synthesis terminals were just a joke or is anyone really using them? :))
GigEth regenerators
hi folks,

is anybody aware of an optical long-haul gigabit ethernet regenerator box? anything like Cisco Optical Regenerator (COR) OC-48 STM-16 Bi-directional Regenerator http://www.cisco.com/univercd/cc/td/doc/pcat/oc48__l2.htm but for gigeth in this case - we need to connect two sites about 200km apart over dark fiber

thanks

--
Tomas Daniska
RE: Re: KPNQwest ns.eu.net server.
how would you guarantee connectivity? should each isp present provide bandwidth as part of collocation expenses? should the opexes be included in the colo bill? and then - this would probably make the colo become a connectivity provider, wouldn't it?

--
Tomas Daniska

-----Original Message-----
From: Nipper, Arnold [mailto:[EMAIL PROTECTED]]
Sent: 6 June 2002 16:07
To: Jan-Ahrent Czmok; Sabine Dolderer/Denic
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Re: KPNQwest ns.eu.net server.

> As a lot of people are offering secondary services: maybe it's a good idea to place infrastructural services at IXP. IXP seem to be more stable than any ISPs and often more neutral than ISPs.
>
> Comments?
>
> Arnold
>
> --
> Arnold Nipper, DE-CIX, the German Internet Exchange
> email: [EMAIL PROTECTED]  mobile: +49 172 2650958  handle: an6695-ripe
>
> ----- Original Message -----
> From: Sabine Dolderer/Denic [EMAIL PROTECTED]
> To: Jan-Ahrent Czmok [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Sent: Thursday, June 06, 2002 9:43 AM
> Subject: Re: Re: KPNQwest ns.eu.net server.
>
> > Hello,
> >
> > DENIC currently runs several secondaries (not only DE but also for some other TLDs) in different places worldwide. We are willing to offer secondary service for other ccTLDs. But there will be, because of security/stability reasons, a limit on the number of ccTLDs we want to run on a single machine.
> >
> > Sabine
> >
> > --
> > Sabine Dolderer
> > DENIC eG
> > Wiesenhüttenplatz 26
> > D-60329 Frankfurt
> > eMail: [EMAIL PROTECTED]
> > Fon: +49 69 27235 0
> > Fax: +49 69 27235 235
> >
> > Jan-Ahrent Czmok [EMAIL PROTECTED] wrote on 06.06.2002 01:29, Subject: Re: KPNQwest ns.eu.net server.:
> >
> > > On Thu, 6 Jun 2002 01:08:46 +0200 Joao Luis Silva Damas [EMAIL PROTECTED] wrote:
> > >
> > > > At 11:04 -0700 5/6/02, Randy Bush wrote:
> > > >
> > > > > > Given the current situation of KPNQwest and the possibility of its services going offline sometime soon, the RIPE NCC in agreement with KPNQwest will be temporarily hosting this server (ns.eu.net) in its premises.
> > > > >
> > > > > nice emergency hack
> > > > >
> > > > > and sorry to whine. but i used them both to get diversity.
> > > >
> > > > Hi Randy,
> > > >
> > > > there are 16 ccTLDs for which ns.ripe.net and ns.eu.net are
RE: Re: KPNQwest ns.eu.net server.
ok, let's suppose that usually provides the most appropriate environment for placing the dns servers and their co-infrastructure. taking it only technically, providing the connectivity for the ixp is a detail (to announce or not to announce). maybe the ixp could allocate a 'stub' subnet - separate from the transit subnet - and provide a voluntary mlpa to all the hosted isps. this would not break the isp policies on announcing the transit ixp subnet. all these are details.

i see a space for another topic in this thread - updating the dns infrastructure a bit. to be more specific:

- would the ixp-located tld dns servers serve only a small set of tld's each? if so, would it be region-based or agreement-based?
- would it be worth the effort starting a project similar to irr that would serve as a common source for dns configurations?

it'd be nice to hear your opinions

--
Tomas Daniska

-----Original Message-----
From: Arnold Nipper [mailto:[EMAIL PROTECTED]]
Sent: 6 June 2002 16:29
To: Daniska Tomas
Cc: Nipper, Arnold; [EMAIL PROTECTED]
Subject: Re: Re: KPNQwest ns.eu.net server.

> On Thu, Jun 06, 2002 at 04:13:08PM +0200, Daniska Tomas wrote:
>
> > how would you guarantee connectivity?
>
> as you have a lot of ISPs around you it should be really easy to get some connectivity. Very easy: tell some friendly ISP to announce your prefix/AS to outside.
>
> > should each isp present provide bandwidth as part of collocation expenses?
>
> What do you mean by this? If some ISP want to donate bw, nice. If not also Ok.
>
> > should the opexes be included in the colo bill?
>
> Which colo bill?
>
> > and then - this would probably make the colo become a connectivity provider, wouldn't it?
>
> Not necessarily. This much depends on your IXP model. Let's take DE-CIX. There is an association running DE-CIX, but InterXion as colo partner takes care of a lot of things. If DE-CIX would offer infrastructural services, InterXion still would remain a simple colo provider.
>
> Arnold
>
> --
> Arnold Nipper  Email: [EMAIL PROTECTED]
> DE-CIX, The German Internet Exchange  Mobile: +49 172 2650958
packet sniffers and protocol decoders used by isps
hi,

this topic seems to be at least semi-operational to me :)

i'd like to make an idea of which sniffers and (the more important part) decoders are included in the arsenal of engineering tools used by network engineers at various isp sizes. practical experience would be the most valuable information. please feel free to reply privately if you feel this does not fit the list topics

thanks much

--
Tomas Daniska
RE: Cisco 7200 VXR with NPE-400 (was RE: The market must be coming back)
did you do netflow switching or cef + netflow accounting that time?

--
Tomas Daniska

-----Original Message-----
From: Ralph Doncaster [mailto:[EMAIL PROTECTED]]
Sent: 22 May 2002 16:15
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Cisco 7200 VXR with NPE-400 (was RE: The market must be coming back)

> Based on our testing it looks like it all has to do with packet size. With small packets the throughput is very low. With what Cisco calls an internet mix of packet sizes throughput is much better. When doing max MTU packets, the throughput is of course the best.
>
> The other thing I've found about traffic type is how sensitive netflow is. I was running it for a while, then I got a co-lo customer that had a lot of UDP traffic with small packet sizes and rarely more than a few packets between the same src/dest ip/port (much like DNS queries). It was enough to flatline the box and cause it to crash.
>
> -Ralph
RE: BGP and aggregation
actually gre fragmentation itself has nothing to do w/df bit. you either leave the tunnel with default mtu (and use ip fragmentation - of course depending on df) or you may cause it to fragment packets and reassemble them at the tunnel end. on cisco boxes this is triggered by using a larger 'ip mtu' (not interface mtu) value. there are some memory and cpu drawbacks due to defragmentation (a hold queue for fragments until they all arrive etc.)

--
Tomas Daniska

-----Original Message-----
From: Forrest W. Christian [mailto:[EMAIL PROTECTED]]
Sent: 14 May 2002 0:02
To: Roger Marquis
Cc: [EMAIL PROTECTED]
Subject: Re: BGP and aggregation

> On Mon, 13 May 2002, Roger Marquis wrote:
>
> > Last time I tried this (IOS11.X to IOS11.X GRE) it was unreliable due to MTU limits. Certain websites (mainly financial) send large packets and set DF. This probably works around some security issue but the result was that these SSL servers couldn't reach clients over the GRE.
>
> We have seen the same issue in recent history. Generally, we try to have most of the traffic not pass through a GRE tunnel. With some creative routing, we can pass the data back out to our upstream which knows the more specific for that route. That said, we do support /32 static dialups across our net - I.E. if you have a /32 static on your dialup, you get the same /32 no matter where you dialup. These generally pass through the GRE tunnel as we only know of them through OSPF through the GRE tunnel.
>
> We have found that setting a mtu of roughly 1514 on the tunnel fixes this. I think this forces the GRE encapsulation to frag the packets regardless of the setting of the DF bit. Whether the far end router reassembles them or not I'm not sure about and haven't had the opportunity to stick a packet sniffer on the far end to tell. Regardless, it seems to fix the broken sites. YMMV
>
> - Forrest W. Christian ([EMAIL PROTECTED]) AC7DE
> --
> The Innovation Machine Ltd.  P.O. Box 5749
> http://www.imach.com/  Helena, MT 59604
> Home of PacketFlux Technologies and BackupDNS.com  (406)-442-6648
> --
> Protect your personal freedoms - visit http://www.lp.org/
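Added here as an illustration of the two fragmentation points in the exchange above (this is a model written for this page, not code from the thread or from IOS): the tunnel's 'ip mtu' decides whether the inner packet is fragmented before encapsulation, where DF is honoured, while the physical MTU decides whether the outer GRE packet is fragmented after encapsulation, where the inner DF bit no longer applies. It assumes plain GRE over IPv4 (20 + 4 bytes of overhead), a 1500-byte physical MTU, and the IOS default of not setting DF on the outer header; the three runs in main() are the default 1476 tunnel mtu with a DF packet (the hanging sites), Forrest's 'ip mtu 1514', and a DF-clear packet.

```python
from dataclasses import dataclass, field
from itertools import count

IP_HDR = 20                 # IPv4 header without options
GRE_HDR = 4                 # plain GRE header, no key/sequence fields
OVERHEAD = IP_HDR + GRE_HDR # 24 bytes added by encapsulation

_ident = count(1)           # stand-in for the IPv4 Identification field


@dataclass
class Pkt:
    size: int               # total length including its own IP header
    df: bool                # Don't Fragment bit
    ident: int = field(default_factory=lambda: next(_ident))
    frag: bool = False      # True when this is one fragment of `ident`


class NeedsFrag(Exception):
    """Packet exceeds the MTU and DF is set: ICMP type 3 code 4 would go back."""
    def __init__(self, mtu):
        super().__init__(mtu)
        self.mtu = mtu


def ip_fragment(pkt, mtu):
    """Return [pkt] if it fits, else split it into IPv4 fragments. Non-final
    fragment payloads are multiples of 8 bytes, as the header's offset field
    requires. A DF packet that does not fit is refused, never split."""
    if pkt.size <= mtu:
        return [pkt]
    if pkt.df:
        raise NeedsFrag(mtu)
    step = (mtu - IP_HDR) // 8 * 8
    payload = pkt.size - IP_HDR
    out, off = [], 0
    while off < payload:
        chunk = min(step, payload - off)
        out.append(Pkt(IP_HDR + chunk, False, pkt.ident, True))
        off += chunk
    return out


def tunnel_send(inner, tunnel_ip_mtu, phys_mtu=1500):
    """Model the near-end router. Returns (packets put on the wire, events)."""
    events = []
    try:                                          # step 1: 'ip mtu' on the Tunnel, DF honoured
        pieces = ip_fragment(inner, tunnel_ip_mtu)
    except NeedsFrag as e:
        events.append(f"dropped, ICMP fragmentation-needed (mtu {e.mtu}) sent to source")
        return [], events
    if len(pieces) > 1:
        events.append(f"inner packet fragmented into {len(pieces)} before encapsulation")
    wire = []
    for p in pieces:                              # step 2: physical MTU, outer header has no DF
        outer = Pkt(p.size + OVERHEAD, df=False)
        frags = ip_fragment(outer, phys_mtu)
        if len(frags) > 1:
            events.append(f"outer GRE packet ({outer.size} B) fragmented into "
                          f"{len(frags)}; far-end router must reassemble")
        wire.extend(frags)
    return wire, events


def tunnel_receive(wire):
    """Model the far-end router: reassemble outer fragments per ident (this is
    the hold queue Tomas mentions), then decapsulate. Returns the sizes of the
    inner packets handed on; inner fragments are left for the host to reassemble."""
    groups = {}
    for f in wire:
        groups.setdefault(f.ident, []).append(f)
    inner_sizes = []
    for frags in groups.values():
        outer = sum(f.size for f in frags) - (len(frags) - 1) * IP_HDR
        inner_sizes.append(outer - OVERHEAD)
    return inner_sizes


if __name__ == "__main__":
    cases = [("default ip mtu 1476, DF set", Pkt(1500, df=True), 1476),
             ("ip mtu 1514, DF set", Pkt(1500, df=True), 1514),
             ("default ip mtu 1476, DF clear", Pkt(1500, df=False), 1476)]
    for name, inner, mtu in cases:
        wire, events = tunnel_send(inner, mtu)
        print(name, "->", [p.size for p in wire], events, "far end:", tunnel_receive(wire))
```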
RE: Large ISPs doing NAT?
do you think fufme (http://www.fu-fme.com/) would work well over nat? :

--
Tomas Daniska

-----Original Message-----
From: Scott Francis [mailto:[EMAIL PROTECTED]]
Sent: 3 May 2002 9:13
To: Dan Hollis
Cc: [EMAIL PROTECTED]
Subject: Re: Large ISPs doing NAT?

> On Thu, May 02, 2002 at 04:56:40PM -0700, [EMAIL PROTECTED] said:
> [snip]
> > > I'm not buying a phone I can't run ssh from. End of story. My current phone does all that and more. Why step back into the dark ages of analog-type services?
> >
> > The average customer doesn't even know what telnet is, let alone ssh. All they care about is browsing pr0n.
>
> Your phone can surf porn? Maybe the technology revolution has finally arrived after all ...
>
> > -Dan
> > --
> > [-] Omae no subete no kichi wa ore no mono da. [-]
>
> --
> Scott Francis  darkuncle@ [home:] d a r k u n c l e . n e t
> Systems/Network Manager  sfrancis@ [work:] t o n o s . c o m
> GPG public key 0xCB33CCA7  illum oportet crescere me autem minui
RE: Large ISPs doing NAT?
-----Original Message-----
From: Jake Khuon [mailto:[EMAIL PROTECTED]]
Sent: 2 May 2002 10:32
To: [EMAIL PROTECTED]
Subject: Re: Large ISPs doing NAT?

> Time to start thinking a little further down the line. What if the phone actually becomes a wireless IP gateway router? It routes packets from a PAN (personal area network) riding on top of Bluetooth or 802.11{a,b} to the 3G network for transit. NAT would certainly become very messy.

great, and what if one of the devices behind that phone would also be a personal ip gateway router (or however you call that)... you could recursively iterate as deep as your mail size allows you to... hope this thread will not end in a router behind a router that serves as a router serving as a router to another router which has some other routers connected...

> --
> Jake Khuon [EMAIL PROTECTED]
> Packet Plumber, Network Engineers for Effective Bandwidth Utilisation
> NETWORKS

--
Tomas Daniska
RE: Large ISPs doing NAT?
-----Original Message-----
From: Jake Khuon [mailto:[EMAIL PROTECTED]]
Sent: 2 May 2002 10:51
To: [EMAIL PROTECTED]
Subject: Re: Large ISPs doing NAT?

> DT> and what if one of the devices behind that phone would also be a
> DT> personal ip gateway router (or how you call that)... you could
> DT> recursively iterate as deep as your mail size allows you to...
>
> It's possible. Could it get ugly? Yes. Do we just want to shut our eyes and say let's not go there... well... maybe. I just don't think the solution is to say, this can never happen... we must limit all handheld devices to sitting behind a NAT gateway.

no eye-shutting. it's just about considering HOW MANY (or WHAT PART) of your users will need the 'full' service. if you have 95% of bfu's with web+mail phones or pda's then nat is completely ok for them. and those 5% (if so many ever) phreaks - give them an opportunity to have public ip with no nat for a few bucks more. you will end up with exactly two exactly specified services... not that bad, is it?

--
Tomas Daniska
RE: DDOS attacks and Large ISPs doing NAT?
jon, 1000x ack

and for all: i think this MOTD is something very close to the isp nat thread :)

There are only 10 types of people in this world: those who understand binary, and those who don't.

(Credits to Theodore Tzevelekis/Cisco)

deejay

--
Tomas Daniska

-----Original Message-----
From: Mansey, Jon [mailto:[EMAIL PROTECTED]]
Sent: 2 May 2002 19:31
To: [EMAIL PROTECTED]
Subject: RE: DDOS attacks and Large ISPs doing NAT?

> To merge these 2 great threads, it is the case, is it not, that NAT is a great way to avoid DDOS problems. I don't even want to imagine what the billing/credit issues would be like if your always-on phone with a real IP is used as a zombie in a DDOS. "Hey, I didn't use all that traffic last month" etc etc
>
> I still maintain, since the last time this was on Nanog, that real IP addresses should not be entrusted to the great unwashed.
>
> And as for NAT breaking applications, I think it's time the applications wised up and worked around the NAT issues. Look, if your application is important enough to you as the developer, you are going to want it to penetrate and work for as many ppl as possible right? Office workers, home users with gateways, GPRS/GSM/3G cell users etc etc. So you make it use protocols that traverse NAT without breaking. Look at the streaming media players out there, they try to use, in order, multicast (the most efficient and best quality), UDP, TCP then HTTP. If it can't get a connection with any of the first protocols, it falls back to http, and you get your stream. When you look at the economics of usability of your app, I think you're going to want to make it work through firewalls.
>
> Jm
RE: DDOS attacks and Large ISPs doing NAT?
-----Original Message-----
From: Gary E. Miller [mailto:[EMAIL PROTECTED]]
Sent: 2 May 2002 20:00
To: Mansey, Jon
Cc: [EMAIL PROTECTED]
Subject: RE: DDOS attacks and Large ISPs doing NAT?

> Who says a NATed host can not be a zombie? Get the NATed host to read an email virus. The virus then connects to an IRC channel that tells the zombie when to spew.

recursion again. the point was just about minimizing, not about completely avoiding. for every solution you do a new exploit will be invented in a short time, no matter how great the patch is

> Each phone would not spew much, but imagine you got 100M phones to do your DDoS for you...

it's not about the number of phones but about the capacity of the network. even if you have 1k phones on one gsm sector they still only can generate as much as the radio allows for. how many channels do you suppose to be available for gprs for the whole sector? three? four? several? maybe if you're optimistic enough. i definitely would not consider gprs being a broadband service.

then - there are loads of different portable devices on the market now and the diversity will increase. how would you manage to load your ddos clients to all these kinds of devices? in the end you maybe will get a few % (if lucky and tricky enough) of the portables. compare it to the aggregate traffic the whole gprs network could generate (not that much) and i don't think you can talk about a ddos in the scale we are used to today

--
Tomas Daniska
RE: Large ISPs doing NAT?
-----Original Message-----
From: Tony Rall [mailto:[EMAIL PROTECTED]]
Sent: 30 April 2002 19:59
To: [EMAIL PROTECTED]
Subject: Re: Large ISPs doing NAT?

> On Monday, 2002-04-29 at 08:43 MST, Beckmeyer [EMAIL PROTECTED] wrote:
>
> > Is anybody here doing NAT for their customers?
>
> I hope not. If you're NATing your customers you're no longer an ISP. You're a sort-of-tcp-service-provider (maybe a little udp too). NAT (PAT even more so) breaks so many things that it would be unconscionable to advertise as an ISP. Even some tcp apps fail under NAT. The NAT box may include a number of fix-ups but such will never be equivalent to giving the customer a public address.

well.. yes and no. depends on definition and how you set the services. i don't know how you treat this in u.s. but in europe gprs is mostly considered being a value-added service to gsm instead of a real internet connectivity replacement. if you think of gprs a bit it will never have enough capabilities to serve as a full-time inet service. it's a great solution for accessing your data remotely but it's very limited in means of capacity.

and then you have those 'pdp-contexts' or how they call it. it's just another acronym for a vpn... if a corporate user requires full ip connectivity then why not give him a vpn uplink directly to their hq and the users can safely use private addresses according to corporate policy. in this way gprs is very similar to mpls. i have worked on gprs-mpls vpn integration and it works just fine.

> An Internet Service Provider gives the customer a full connection to the Internet. All IP protocols should work.

you also may give the [common] user an opportunity to have a 'limited' service set (so you can use private addresses + nat/pat) for a lower price or pay a bit more for 'full' service. i think the 'limited' in real life can safely cover requirements of 95% of the customers. do you think they will download mp3's and avi's via gprs? how? :))

from my point of view if you cover http, e-mail and various similar services you will provide most users with more than they ever would expect, wouldn't you?

> I'm in favor of using NAT only where there is a good argument for it and the customers are given the straight story about what they're buying and what it won't be able to do. Don't call yourself an ISP.
>
> ...
>
> Tony Rall

deejay

--
Tomas Daniska