Re: default routes question or any way to do the rebundant
NANOG is not a general purpose router help mailing list. Issues discussed here are supposed to be relevant to the North American ISP community.

excuse? configuring routers is not operational in north america? have you gone completely layer 2 over there?

Are you seriously going to sit there and claim that someone asking about how to set up 2 default routes on a FreeBSD box is operationally or technically relevant to the NANOG community at large? I believe their email fails the NANOG pre-posting guide (specifically #3) and furthermore that it would be far better answered on a FreeBSD specific mailing list. This same person posted a question on Wednesday about MTUs stating "Why? but I still don't know why mtu can cause this problem." I seriously doubt this was relevant to the thousands of people who read this list but I could be wrong about that one too. Perhaps someone from the MLC can comment on whether these sorts of posts qualify as relevant.

On the other hand, if you really want to answer these sorts of questions then perhaps people can email you directly? I personally think NANOG has enough noise as it is.

-Don
Re: default routes question or any way to do the rebundant
NANOG is not a general purpose router help mailing list. Issues discussed here are supposed to be relevant to the North American ISP community. Please take this question to a FreeBSD mailing list.

Thanks,
-Don

Is it possible to have 2 default routes? or how can I do the redundant when the route is still working either eth1 or eth2 down?

Router2
192.168.0.2/20 eth1
192.168.0.18/20 eth2
10.0.0.1 eth3

ip route 0.0.0.0/0 192.168.0.1
ip route 0.0.0.0/0 192.168.0.17

or

ip route 0.0.0.0/0 192.168.0.1
ip route 0.0.0.0/0 192.168.0.17 2

Router1
192.168.0.1 eth
192.168.0.17 eth2
172.16.0.1 eth3

host1 10.0.0.2 connects R2 couldn't ping host2 172.16.0.2 connects R1 when the link 192.168.0.1 is down

host1-R1--Switch---R2-host2
        --Switch---

i am using freebsd router

Thank you for your help
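The question above amounts to a floating backup default route (the trailing "2" on the second ip route line is a higher metric on platforms that support one). A gateway-failover monitor for that topology, as an added example that is not code from the thread and not FreeBSD's own tooling: the two next hops are the ones in the post, while the ICMP probe, the thresholds and the use of route(8) to swap the default are assumptions.

```python
#!/usr/bin/env python3
"""Added example (not from the thread): keep one default route alive on a
FreeBSD router that has two upstream next hops, 192.168.0.1 via eth1 and
192.168.0.17 via eth2 as in the question above. A plain route(8) default
has no metric to fall back on, so the backup is installed only after the
primary has stopped answering, and the primary is restored with some
hysteresis. Probe method and thresholds are assumptions."""
import subprocess
import time
from typing import List, Optional

PRIMARY = "192.168.0.1"
BACKUP = "192.168.0.17"
FAIL_AFTER = 3       # consecutive lost probes before failing over
RECOVER_AFTER = 5    # consecutive good probes before failing back


def probe(gateway: str) -> bool:
    """One ICMP echo to the next hop, 1 s wait (FreeBSD ping: -W is in ms).
    Assumption: the next hop answers ICMP; use a TCP probe if it does not."""
    r = subprocess.run(["ping", "-q", "-c", "1", "-W", "1000", gateway],
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return r.returncode == 0


class Failover:
    """Decision logic only, kept apart from ping/route so it can be tested
    without a routing table: fail over after FAIL_AFTER misses, fail back
    after RECOVER_AFTER hits, never flap on a single lost packet."""

    def __init__(self) -> None:
        self.active = PRIMARY
        self.bad = 0
        self.good = 0

    def update(self, primary_up: bool) -> Optional[str]:
        """Feed one probe result; return the gateway to install, or None."""
        if primary_up:
            self.good, self.bad = self.good + 1, 0
        else:
            self.bad, self.good = self.bad + 1, 0
        if self.active == PRIMARY and self.bad >= FAIL_AFTER:
            self.active = BACKUP
            return BACKUP
        if self.active == BACKUP and self.good >= RECOVER_AFTER:
            self.active = PRIMARY
            return PRIMARY
        return None


def route_command(gateway: str) -> List[str]:
    """route(8) invocation that replaces the existing default route
    (use `route add default` instead if no default exists yet)."""
    return ["route", "-q", "change", "default", gateway]


def monitor(dry_run: bool = True, interval: float = 5.0) -> None:
    fo = Failover()
    while True:
        change = fo.update(probe(PRIMARY))
        if change is not None:
            cmd = route_command(change)
            print("default route ->", change, " ".join(cmd))
            if not dry_run:
                subprocess.run(cmd, check=True)   # needs root on the router
        time.sleep(interval)


if __name__ == "__main__":
    monitor(dry_run=True)   # prints what it would do; pass False on the router
```

Probing the next hop only proves the directly attached link works, not that the upstream can reach the Internet; probing something beyond the next hop (bound to that interface) is the usual refinement. A routing protocol between R1 and R2 would do all of this properly and is the answer the FreeBSD list would give.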
Re: Assigning IPv6 /48's to CPE's?
Do you really think that today's allocations are going to be in use (unchanged) when people are building homes out of IPv6-addressed nanobots, or when people are trying to firewall the fridge from the TV remote, etc.?

I certainly hope not- but then again I never thought IPv4 would be around this long either. I understand trying to plan for the future, but if someone is setting all this stuff up, getting a new (and larger) IPv6 block from their ISP is going to be the easiest part in the process.

You're right of course.

Again, why the hang-up on 8 bit boundaries? Why not /52 or /60? /60 is not much bigger than /64, but /52 gives an end-site 16 times as many subnets as /56 while giving the ISP 16 times as many blocks as /48.

Because byte alignment makes for shortcuts in routing software/hardware allowing higher speeds? Because ARIN says so? :)

-Don
RE: Assigning IPv6 /48's to CPE's?
That's 281,474,976,710,656 /48 customer networks. It's 16 million times the number of class C's in the current IPv4 Internet. Am I just not thinking large or long term enough?

No, you are just counting wrong. When you are talking /48's you are talking "number of bits of subnet hierarchy", not "pile of pebbles on the beach". If you read the ARIN IPv6 policy you will see that they don't count /48's like pebbles, instead they use something called the HD Ratio.

I'm fully aware of HD ratio thanks :) My point was to give a rough approximation of the size difference here, not to talk about the specific numbers.

Basically, this recognizes that IP networks are not flat piles of pebbles, but have a hierarchical aggregation structure in them. At each level of aggregation, you have to do a fitting exercise, where you fit what you have into a power of two sized block. If you have 5 subnets that need to be aggregated into a single higher level subnet, then you must use 3 bits of your subnet hierarchy, even though those 3 bits could be used for as many as 8 subnets. This is not waste. It is a fact imposed by the structure of IPv6 (and IPv4) subnet addresses. In fact, when you "throw away" subnets (addresses) like that, you are actually following a prudent conservation policy. That's because this kind of bitwise network addressing is cheaper to implement in hardware and can be processed faster in hardware when doing things like FIB lookups. That conserves MONEY and TIME which are vastly more important to conserve than theoretical counting capacity of a bitstring.

I'm not sure what your point is here. I'm not remotely trying to argue this. You made a point about HD ratio- 80% HD with 48 bits of network address still gives us 300,000,000,000 /48 networks (unless my math is very wrong). Again, I'm not sure how we're going to use that up in 50 or 100 years, but I'm sure history will prove me a fool.

-Don
RE: Assigning IPv6 /48's to CPE's?
The only place in which people have noted that there is a possibility of running out of bits in the existing IPv6 addressing hierarchy is when they look at a model where every residential customer gets a /48. In that scenario there is a possibility that we might run out in 50 to 100 years from now.

Is it even a possibility then? A /48 to everyone means 48 bits left over for the network portion of the address. That's 281,474,976,710,656 /48 customer networks. It's 16 million times the number of class C's in the current IPv4 Internet. Am I just not thinking large or long term enough?

-Don
Re: Assigning IPv6 /48's to CPE's?
So if /64 is "subnet" rather than "node" then the practice of placing one and only one node per subnet is pretty wasteful.

The whole point here is flexibility. IEEE defined several standards for globally unique identifiers including EUI-48/MAC-48 and EUI-64. MAC-48 should last us til 2100, but the IEEE seems to be thinking longer term and also came out with EUI-64. Rather than create a protocol that wouldn't be able to handle longer MAC addresses the IPv6 WG decided to use EUI-64 for the host address in IPv6. This works for two reasons, a) There is a defined method for converting from MAC-48 to EUI-64 addresses (and back) and b) Even if Ethernet (or whatever comes next) uses longer MAC addresses (up to 64 bits obviously) it will still make sense in IPv6. 64 bits is also a nice multiple for 32 and 64 bit systems which doesn't hurt when you're writing routing software or designing hardware.

And giving residential users a /48 will leave them with 80 bits for addressing.

It leaves them with 65k subnets to choose from. Would a /56 make more sense? Right now- sure- because we lack the imagination to really guess what might happen in the future. Nanobots each with their own address, IP connected everything, who knows? Assigning a /48 to everyone gives everyone ample room and simplifies provisioning. I'd rather push for /48 and have people settle on /56 than push for /56 and have people settle on /64.

Take someone like Comcast with ~12 million subscribers. It would take an IPv6 /24 to get 16.7 million /48's (2^24). With a net efficiency of 10% they are going to need to be allocated 120 million /48's. It would take a /21 to give them 2^(48-21) = ~134 million /48's.

In answer- so what?

So in short, a /48 to subscribers seems like complete overkill, and a /32 to ISP's seems completely inadequate (80 vs 16 bits).

A /32 is the equivalent of a class A. How many small ISP's do you know with a class A? And larger networks? Give Comcast a /18. There is plenty of space.

IPv4 is 32 bits and has room for 4 billion addresses. Adding one additional bit gives you 33 bits and room for 8 billion addresses. Adding two additional bits gives you room for 16 billion. Adding 32 additional bits gives you room for 4 billion times 4 billion addresses. Seriously- stop and think about that for a second. We've taken the entire IPv4 Internet, multiplied it by 4 billion, and set that aside JUST FOR THE NETWORK PORTION of addresses! We've got 4 billion times 4 billion networks- that's a mind numbing increase in size even if you only assign a single host to each /64 subnet. If you put multiple hosts on each subnet then you've got an even larger space. People just can't seem to wrap their head around how large the new address space is.

-Don
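The "defined method for converting from MAC-48 to EUI-64 addresses (and back)" that the post leans on, as an added example that is not code from the thread: this is the modified EUI-64 mapping IPv6 SLAAC uses (RFC 4291 Appendix A), shown in both directions because the reverse direction is the one with security consequences. The sample MAC and prefix are constructed.

```python
"""Added example (not from the thread): the MAC-48 -> EUI-64 mapping the
post mentions, as IPv6 SLAAC actually uses it (modified EUI-64, RFC 4291
Appendix A), and the reverse mapping. The reverse direction is the
security-relevant one: an EUI-64 based address carries the hardware
address, and hence the vendor and a stable tracking handle, of the host.
Sample MAC and prefix are constructed."""
import ipaddress
from typing import Optional


def mac_to_interface_id(mac: str) -> int:
    """Insert FF:FE between the OUI and the device part, then invert the
    universal/local bit (0x02 of the first octet), so a factory-assigned
    MAC ends up with that bit set to 1 in the interface identifier."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02
    return int.from_bytes(eui, "big")


def interface_id_to_mac(iid: int) -> Optional[str]:
    """Undo the mapping; None if the identifier was not built from a
    MAC-48 (no FF:FE in the middle), e.g. an RFC 4941 privacy address."""
    b = bytearray(iid.to_bytes(8, "big"))
    if bytes(b[3:5]) != b"\xff\xfe":
        return None
    b[0] ^= 0x02
    return ":".join("%02x" % x for x in bytes(b[:3] + b[5:]))


def slaac_address(prefix: str, mac: str) -> str:
    """What a SLAAC host configures from the /64 it hears in a router
    advertisement: prefix in the top 64 bits, EUI-64 in the bottom 64."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 on-link prefix")
    iid = mac_to_interface_id(mac)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def mac_from_address(addr: str) -> Optional[str]:
    """Recover the MAC from any EUI-64 based address, whatever the prefix;
    the identifier stays the same as the host moves between networks."""
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return interface_id_to_mac(iid)
```

Because the low 64 bits survive renumbering and roaming, a host that keeps using its EUI-64 identifier can be correlated across every prefix it ever attaches to; that is why privacy extensions (RFC 4941) replace it with a random identifier, which the reverse function above correctly refuses to decode.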
Re: European ISP enables IPv6 for all?
doesn't more address space just give us more routes to handle?

No. It only makes more possible prefixes. Migrating to IPv6 while keeping the current (IPv4) routing and current business relations, there would be somewhat fewer routes: bigger address space -> bigger chunks -> less need to incrementally add prefixes to the same place -> fewer prefixes

You mean "more address space" -> "individual businesses want to multihome and are willing to pay for their own space" -> more prefixes.

Every business that wants to multihome and can afford it already does. v6 isn't going to change that. v6 will allow more aggregation and a routing table closer in size to the number of AS's, which is a significant reduction. It should also reduce the problem of route churn and non-convergence. Whether everyone will play nicely and make it work is a different story.

-Don
Re: AS 7018 BGP blackhole / AT&T contact sought
...but without a (public) reply. It has been suggested (both in the follow-ups to the above and elsewhere) that there are people involved with 7018 that are frequent readers here; I'm really hoping one of them will take pity on us and either reply here or communicate with me off-list. We are in need of an RFC3882-esque method of null-routing /32s on-demand on our provider's network before they are sent to us. I can provide details of our circumstances if requested. I have been trying to get the answer to this question from AT&T MIS support for days now, but have gotten nowhere. The telephone support guys won't talk to me about this and tell me to use "Life Cycle" / e-mail for this issue. E-mail replies from AWMIS are days in coming and not helpful (typically just providing me with more hoops that they want to make me jump through), and I'm becoming increasingly frustrated with the level of "support" being given. All I need is a "yes" or "no" response and, if "yes" is the answer, the proper community to use.

They don't support it. Other communities yes. Blackhole no. At least that's what I've always been told by them.

-Don
Re: Good Stuff [was] Re: shameful-cabling gallery of infamy - does anybody know where it went?
I'll post some pictures when I get a chance.

http://www.neener.info/gallery/v/cagebrackets/

In case anyone cares- those are the brackets we made.

-Don
Re: Good Stuff [was] Re: shameful-cabling gallery of infamy - does anybody know where it went?
Then again, sometimes it requires a whole lot more dedication. In our case the racks we inherited were installed wrong (no space between them for vertical cable management). Getting our cabling organized meant welding our own cable management brackets that we could bolt onto the front of the racks.

Nothing like some good old fashioned arc welding next to your $100k router. Wonder how you explain the scorch marks on the mounting bracket to support for an RMA

Please read what I wrote: "brackets that we could _BOLT_ onto the front of the racks" Nowhere, in any way shape or form, did I say or imply, that we were welding above, below, next to, or anywhere near our routers. I said we welded up cable management brackets that we then bolted on to our racks.

-Don
Re: Good Stuff [was] Re: shameful-cabling gallery of infamy - does anybody know where it went?
Does anyone know if any good resources on best-practices at this sort of thing? I'm pretty sure that others must've already figured out the trickier stuff that I've thought about.

Most good cabling jobs require one thing- dedication. If you are willing to put in the time and effort, you can do a good cabling job the first time. Think about how the cables will get used, what might change in the future, and then lay them out so as to minimize problems when things need to be moved or upgraded.

Then again, sometimes it requires a whole lot more dedication. In our case the racks we inherited were installed wrong (no space between them for vertical cable management). Getting our cabling organized meant welding our own cable management brackets that we could bolt onto the front of the racks. I'll post some pictures when I get a chance.

-Don
RE: "2M today, 10M with no change in technology"? An informal survey.
agree that this isn't "ideal", however Cisco has always been very specific about the h/w FIB & adjacency table sizes on the hardware in question. i know that vendor bashing is a sport in this list, but

Can you please point out where I can find this information ... The only place I found information on the PFC3B was on a random page for the SUP 720-3B. I was completely unable to find the information on a Sup32 page. Now maybe my search technique isn't up to snuff- but I would hope I could find this information after searching for a couple of hours- I couldn't. I'm sure the information is on Cisco's site somewhere- but I honestly think that they could be a LOT more forward about it- rather than just very specific about it.

-Don
Re: "2M today, 10M with no change in technology"? An informal survey.
1. Cisco is still selling the 7600 with the Sup32 bundle (which is what we bought) and saying you can take a full route table on it. I could already do MPLS and IPv6 on this box. This is pretty new hardware.

Where are they saying that? The Sup32 sounded great until it became clear that it came with PFC3B (not 3BXL), and that there was no upgrade path to 3BXL. If it was/is being sold as a BGP routing solution, it was awfully short sighted.

Their reps do it all the time. I worked with my rep to buy a couple of new routers. I specifically said I would be taking a full routing table on these boxes- Cisco's rep said the Sup-32 would be fine for my needs. Now I definitely didn't do as much checking as I should have but I was busy and that's why you have reps in the first place. (I kept thinking the Sup32 was based on the 3BXL- I have no idea why). Thankfully I don't need to take a full table on these routers and their forwarding speed among the few ports I have is more important than the FIB size. That said- if I did need the full table I would be royally ticked off at Cisco right now. If I end up upgrading because of this it will probably be a forklift upgrade to another platform. And there's no guarantee that it would be a Cisco one.

I guess cisco wants to play chicken with us and Juniper. Will you really do the forklift, or just bite the bullet and go Sup720-3BXL? I think they're betting on the latter and counting on a bunch of hardware sales in the coming months.

Given how many people are tired of being screwed over by Cisco I wouldn't make that bet if I were Cisco.

-Don
RE: large organization nameservers sending icmp packets to dns servers.
All things being equal (which they're usually not) you could use the ACK response time of the TCP handshake if they've got TCP DNS resolution available. Though again most don't for security reasons...

Then most are incredibly stupid. Several anti DoS utilities force unknown hosts to initiate a query via TCP in order to be whitelisted. If the host can't perform a TCP query then they get blacklisted. In addition, any UDP truncated response needs to be retried via TCP- blocking it would cause a variety of problems.

-Don
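The retry Don describes ("any UDP truncated response needs to be retried via TCP"), as an added example that is not code from the thread: a minimal DNS client that queries over UDP, checks the TC bit in the reply and repeats the same query over TCP with the 2-byte length prefix RFC 1035 requires. The message building, TC detection and framing are pure functions exercised on constructed replies; the socket part is the same logic against a real resolver and is an assumption about how you would wire it up.

```python
"""Added example (not from the thread): the UDP-then-TCP retry every DNS
client has to do when an answer comes back truncated, which is why
blocking TCP/53 "for security reasons" breaks resolution. Message
building, TC detection and the RFC 1035 2-byte TCP framing are pure
functions exercised on constructed bytes; resolve() is the same logic on
a real socket."""
import socket
import struct
from typing import Tuple

TC_FLAG = 0x0200   # bit 9 of the DNS flags word: "message was truncated"


def build_query(qname: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard recursive query, one question, no EDNS (so any answer over
    512 bytes comes back truncated)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def is_truncated(reply: bytes) -> bool:
    """True if the server set TC, i.e. the UDP answer is incomplete and
    must not be used as-is."""
    if len(reply) < 12:
        raise ValueError("reply shorter than a DNS header")
    (flags,) = struct.unpack("!H", reply[2:4])
    return bool(flags & TC_FLAG)


def frame_for_tcp(msg: bytes) -> bytes:
    """Over TCP every DNS message is prefixed with its 16-bit length."""
    return struct.pack("!H", len(msg)) + msg


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the TCP DNS connection early")
        buf += chunk
    return buf


def resolve(qname: str, server: str, qtype: int = 1,
            timeout: float = 2.0) -> Tuple[bytes, bool]:
    """Ask over UDP; if TC is set, repeat the identical query over TCP.
    Returns (raw reply, whether TCP was needed)."""
    query = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as udp:
        udp.settimeout(timeout)
        udp.sendto(query, (server, 53))
        reply, _ = udp.recvfrom(4096)
    if not is_truncated(reply):
        return reply, False
    with socket.create_connection((server, 53), timeout=timeout) as tcp:
        tcp.sendall(frame_for_tcp(query))
        (length,) = struct.unpack("!H", _recv_exact(tcp, 2))
        return _recv_exact(tcp, length), True


# Constructed replies for offline checks: same question section as the
# query, flags 0x8380 = QR|TC|RD|RA (truncated) and 0x8180 = QR|RD|RA.
_QUESTION = build_query("example.com")[12:]
SAMPLE_TRUNCATED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8380, 1, 0, 0, 0) + _QUESTION
SAMPLE_COMPLETE_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 0, 0, 0) + _QUESTION
```

A firewall that passes UDP/53 but drops TCP/53 makes resolve() hang in create_connection() exactly when an answer is large (DNSSEC-signed zones, big TXT or MX sets), which is the "variety of problems" the post refers to; zone transfers (AXFR) are TCP-only as well.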
Re: The Choice: IPv4 Exhaustion or Transition to IPv6
You can, and this will work for a while. When it stops working (which is not at all predictable) you're going to need a fairly sizable IPv6 Internet so that you can continue to connect new customers up, and unfortunately, that means we need to start getting folks moving ahead of time since we don't exactly know how long your workarounds will last.

I'd like to know when Google is going to go IPv6. Vint Cerf's answer was (essentially) "I'm pushing for it." The problem is twofold. First, if Google isn't going to index IPv6 content, no one cares if their content isn't available that way. Second, when other people try to explain IPv6 to management they often hear "Is Google using IPv6?" Heck, Google could offer incentives for IPv6 deployment and suddenly people would clamor for it- say side by side results. Most appropriate IPv4 on the left, most appropriate IPv6 on the right. (Even just an IPv6 icon that people could click on to learn about IPv6 would help).

-Don
Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..
This was a very curious experience. What they want to achieve is protecting children from abuse. This is of course a laudable goal. But they think they can do that by ridding the internet of images depicting said abuse. There are pretty strong laws against that in the Netherlands*, but this woman thought that wasn't enough: she felt it would be good to also outlaw _text_ describing child abuse. This is really scary. If these well-intentioned but extremely dangerous people get their way, someone can end up in jail for simply writing some text.

"The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding." -Judge Louis Brandeis

"Of all tyrannies a tyranny sincerely exercised for the good of its victims may be the most oppressive. It may be better to live under robber barons than under omnipotent moral busybodies. The robber baron's cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end, for they do so with the approval of their own conscience." -C.S. Lewis

I'm not one to give up my civil liberties without a struggle, but protecting kids may be important enough to make it worth giving up a few. But is it too much to ask for something that actually works in return?

"They that would give up essential liberty for a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, Historical Review of Pennsylvania, 1759

"Experience teaches us to be most on our guard to protect liberty when the government's purposes are beneficent." -Judge Louis Brandeis

I am not willing to give up any of my own liberties to protect children. We already have laws that do that and judging by the number of people arrested they seem to work. You reach a point of diminishing returns. At some point you have to accept that the world is a dangerous place and that bad things happen.

There is a balancing point and a greater good to think about.

Making everyone else's life less free does not balance out with the prospect of maybe saving a few kids. As the laws become more invasive they will eventually breed resentment and hatred for the government and fellow citizens. The end result will be civil unrest and fighting and that helps no one. Sadly it's already happening. Americans hate each other more than at almost any other time in our history- and the hatred is becoming vicious.

-Don
Re: Network Level Content Blocking (UK) for people who cant be bothered to read the article..
It is quite odd really that governments want to implement something to prevent people from breaking a law. And some posts have been correct in asking what's next? Automatic copyright/patent infringing filtering?

On that subject- we should probably change the language as well. Make it so that people can't even think of breaking the law because the words for such an action no longer exist. That would be doubleplusgood!

-Don
Re: Security gain from NAT
I, for one, give up. No matter what you say I will never implement NAT, and you may or may not implement it if people make boxes that support it. Clearly ...

This was supposed to be a private reply and was not meant to go to the list. My apologies. I will also refrain from further responses- something I definitely should have done 20 messages ago...

-Don
Re: Security gain from NAT
Sure, very easily, by using NAT between the subnets. Have at it.

Nothing like trying to reach 10.10.10.10 and having to put in a dns entry pointing to 172.29.10.10, NAT'ing the address on your side to their side and from their side back to your side, and adding the rules. That's definitely simpler than allow a -> b for service c.

Can you clarify this claim? What about managing NAT is allegedly difficult. Are you unable to easily map public addresses with private addresses on your own networks?

Easily map them? Sure- I can do my external tcpdump, see some funny traffic, then match that up with the dynamic nat's. That's a lot easier than just going "oh, hey, it's this user" without any further steps.

I, for one, give up. No matter what you say I will never implement NAT, and you may or may not implement it if people make boxes that support it. Clearly neither of us will change our minds so why bother. I'm sure we've both gotten supportive emails in private and both know we are "right." In the end it isn't going to change a thing.

-Don
Re: Security gain from NAT
A core but often neglected factor in IT security is KIS. NAT, particularly in the form of PAT, is an order of magnitude simpler to administer than a stateful firewall with one-to-one address mappings.

Why would a stateful firewall have one-to-one address mappings? I'm not even sure what you mean by this. Are you referring to static NAT with SI? Are you suggesting that someone would enter a rule for every individual host on the network rather than simply have one rule that says the entire subnet can get out but nothing can come in? PAT is not simple- it's the antithesis of KIS. It means added code in your apps and firewall. It means it takes longer to troubleshoot problems. It means thinking about firewall rules AND the NAT that accompanies them. A SI firewall ruleset equivalent to PAT is a single rule on a CheckPoint firewall (as an example):

Src: Internal - Dst: Any - Action: Allow

Done.

Given the degree to which complexity negatively correlates with security,

This is exactly why NAT is bad, not why it's good.

Any security auditor will tell you that, in the real world, stateful one-to-one firewalls are rarely as secure as NAT gateways for the simple reason that the non-NAT firewalls have more rules.

As a former security auditor I will tell you that you are wrong. I've done security audits for years, been certified by the NSA to perform IAM audits, worked extensively with a variety of firewalls and intrusion detection systems, and I co-moderate a firewall mailing list. I think I can safely state that NAT adds complexity to a firewall rule set, it does not remove it. A CheckPoint without NAT has N rules. A CheckPoint with NAT has N rules + M NAT rules where M is the number of NAT'd hosts. If you are doing port address translation rather than simpler static NAT then M is the number of NAT'd services as opposed to the number of NAT'd hosts. Either way it is definitely more complex. This is true of CheckPoint, ipfw and a myriad of other firewalls.

(Sorry for all the CheckPoint examples- I just happened to have a client's CheckPoint ruleset open while responding).

This debate mirrors one that took place in a large university where I worked several years ago. The network admins made passionate arguments against NAT but did little to firewall vulnerable departments.

So because these network engineers were exceedingly lazy and or sloppy then NAT is somehow better? Even supposing you could always enter PAT rules as simple firewall rules- how are 20 PAT statements smaller and or simpler than 20 SI statements?

The risk was obvious but so was the underlying motivation. They were simply protecting their turf. In this case multiple class-B allocations, awarded decades ago, before NAT and PAT became affordable technologies.

How was this "protecting" their class-B? More than likely it was awarded before ARIN and there is no RSA agreement that would allow anyone to reclaim the addresses.

I don't know all of the reasons but, having managed thousands of clients behind NAT and unNATted gateways I'll take NAT any day.

Ever try to set up a VPN between two offices using the same address space? I'll stick with no NAT any day.

-Don
Re: Cool IPv6 Stuff
Even people I have spoken to that understand the difference between firewalling/reachability and NATing are still in favour of NAT. The argument basically goes "Yes, I understand that having a public address does not necessarily mean being publicly reachable. But having a private address means that [inbound] public reachability is simply not possible without explicit configuration to enable it". i.e. NAT is seen as an extra layer of security. I want NAT to die but I think it won't.

Far too many "security" folks are dictating actual implementation details and that's fundamentally wrong. A security policy should read "no external access to the network" and it should be up to the network/firewall folks to determine how best to make that happen. Unfortunately many security policies go so far as to explicitly require NAT.

-Don
Re: NAT Multihoming
The last time I renumbered, I found that quite a few people were not honoring the TTLs I put in my DNS zone files. [...] Custom customer zone files hosted elsewhere?

Do not forget that applications have their own caches, too, and they typically ignore completely the DNS TTL. A typical Web browser calls getaddrinfo() once and uses the IP address as long as it is not restarted.

Not to mention java's caching which has screwed me up more times than I care to think about. I sincerely wish Sun had disabled it by default- I really don't think it's the JRE's responsibility to cache name service lookups- at least not by default.

-Don
Re: NANOG 40 agenda posted
my favourite load balancer is OSPF ECMP, since there are no extra boxes, just the routers and switches and hosts i'd have to have anyway. quagga ospf6d works great, and currently lacks only a health check API.

Health checks are unfortunately the most important aspect of a LB for some people. Can you elaborate on where you use ECMP and specifics about your implementation that might interest people?

-Don
Re: NAT Multihoming
You write "when" rather than "if" - is ignoring reasonable TTLs current practice?

Definitely. We've seen 15 minute TTLs regularly go 48 hours without updating on Cox or Comcast's name servers. I believe the most I've seen was 8 days (Cox). I definitely meant "when" not if. And Cox is by no means the only ISP to do this.

-Don
Re: NANOG 40 agenda posted
[Update to earlier stats: The current v4 prefix/AS ratio is 8.7. However, there are ~11k ASes only announcing a single v4 route, so that means the other ~14k ASes are at a v4 ratio of 14.3. In contrast, the current v6 ratio is 1.1 and the deaggregate rate is 1.2%.]

This is more than a little frightening :(

The simplistic answer is that nearly all assigned/allocated blocks will be minimum-sized, which means ISPs will be capable of filtering deaggregates if they wish. Some folks have proposed allowing a few extra bits for routes with short AS_PATHs to allow TE to extend a few ASes away without impacting the entire community.

This is an excellent solution- is there some reason people wouldn't want to implement it? It would seem to lead directly to a more hierarchical table.

justification for larger-than-minimum blocks. OTOH, the community may see how small the v6 table is and decide that N bits of deaggregation wouldn't hurt. After all, with ~25k ASes today, and router vendors claiming to be able to handle 1M+ routes, it seems we could tolerate up to 5 bits of deaggregation -- and 3 bits would leave us with a table smaller than v4 has today.

Combine this with the above system. Allow 2 bits of deagg anywhere but up to 4 bits for a short as_path for networks in the /48 range. Allow 3 bits for networks in the /32 range and up to 5 bits for a short as_path. (or whatever other numbers make sense). Either way we seem to be looking at a much smaller table as long as we decide on some sensible rules and actually stick to them. That is going to be the biggest problem though.

-Don
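The deaggregation budget Don sketches in his last paragraph, written out as an inbound prefix filter, as an added example that is not code from the thread and not any registry's or vendor's policy: 2 extra bits for anyone and 4 for a short AS_PATH on /48 assignments, 3 and 5 on /32 allocations. What counts as "short", the rule that /48-and-longer registrations are end-site space, the documentation prefixes and the sample announcements are all assumptions made for the example.

```python
"""Added example (not from the thread): a prefix filter implementing the
deaggregation budget Don sketches above. The numbers are his illustrative
ones, not any registry's policy: 2 extra bits anywhere and 4 for a short
AS_PATH on /48 assignments, 3 and 5 on /32 allocations. "Short", the
registered allocations and the announcements below are assumptions."""
import ipaddress
from typing import Dict, List, Tuple

# allocation size -> (bits allowed for anyone, bits allowed for a short path)
BUDGET = {48: (2, 4), 32: (3, 5)}
SHORT_AS_PATH = 2   # assumption: originated by the peer or one AS behind it


def allowed_bits(allocation_len: int, as_path_len: int) -> int:
    """Pick the budget for the registry block the allocation came from:
    /48-and-longer are end-site assignments, everything else ISP space."""
    anyone, short = BUDGET[48] if allocation_len >= 48 else BUDGET[32]
    return short if as_path_len <= SHORT_AS_PATH else anyone


def accept(announced: str, allocation: str, as_path: List[int]) -> bool:
    """True if `announced` is a permitted (de)aggregate of the registered
    `allocation` given the AS_PATH length this router sees."""
    net = ipaddress.IPv6Network(announced, strict=False)
    alloc = ipaddress.IPv6Network(allocation, strict=False)
    if not net.subnet_of(alloc):
        return False                       # not covered by that allocation
    extra = net.prefixlen - alloc.prefixlen
    return extra <= allowed_bits(alloc.prefixlen, len(as_path))


def filter_routes(routes: List[Tuple[str, str, List[int]]],
                  allocations: Dict[str, str]) -> List[str]:
    """routes: (prefix, allocation key, as_path) triples, the key being
    what an IRR/whois lookup of the origin would give you. Returns the
    prefixes that survive the filter, in input order."""
    return [p for p, key, path in routes if accept(p, allocations[key], path)]


# Constructed announcements from two origins in documentation space.
ALLOCATIONS = {"isp": "2001:db8::/32", "site": "2001:db8:ff00::/48"}
SAMPLE_ROUTES: List[Tuple[str, str, List[int]]] = [
    ("2001:db8::/32", "isp", [64500]),                      # the aggregate itself
    ("2001:db8:1000::/35", "isp", [64500, 64501, 64502]),   # 3 bits, long path: ok
    ("2001:db8:1000::/36", "isp", [64500, 64501, 64502]),   # 4 bits, long path: no
    ("2001:db8:1000::/37", "isp", [64500]),                 # 5 bits, short path: ok
    ("2001:db8:1000::/38", "isp", [64500]),                 # 6 bits: never
    ("2001:db8:ff00::/50", "site", [64510, 64511, 64512]),  # 2 bits: ok
    ("2001:db8:ff00::/51", "site", [64510, 64511, 64512]),  # 3 bits, long: no
    ("2001:db8:ff00::/52", "site", [64510, 64511]),         # 4 bits, short: ok
    ("2001:db8:ff00::/53", "site", [64510]),                # 5 bits: never
    ("2001:db8:ff01::/48", "site", [64510]),                # outside the /48
]
```

The AS_PATH length seen by the filtering router shrinks as you get closer to the origin, so the same /37 that a distant network drops is accepted by the origin's direct neighbours; that is exactly the "TE that extends a few ASes away without impacting the entire community" effect the quoted proposal is after. AS_PATH can be prepended or forged, so this bounds table growth from well-behaved peers but is not an origin-validation mechanism.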
Re: IPv6 Advertisements
First of all, there's disagreement about the definition of "site", and some folks hold the opinion that means physical location. Thus, if you have 100 sites, those folks would claim you have justified 100 /48s (or one /41). Other folks, like me, disagree with that, but there are orgs out there that have tens of thousands of locations with a need for multiple subnets per location, and that could justify more than a /48 as well via pure subnet counts.

Companies with tens of thousands of sites, each needing multiple subnets are not the norm for end user allocations. And again- would the administrative overhead of a new /40 netblock really outweigh the benefits to our routing tables? I'm asking not stating...

ARIN's goal in v6 is to try to issue blocks so that aggregation is _possible_, by reserving a larger block to allow growth, but ARIN can't prevent intentional (or accidental) deaggregation,

But ARIN has the power to give the community the tools it needs to force aggregation (if the community decides they want)- even if it isn't ARIN's own policy.

and there are too many folks who want to deaggregate for TE purposes to pass a policy officially condemning it.

I understand limited deaggregation for TE purposes- but that doesn't mean you have to let people go nuts. 1 or two bits is one thing- 8 (or more) is another animal altogether.

I'd agree in principle, but all it takes is a brief look at the CIDR report and you'll see that nobody does anything in response to far more flagrant examples in v4.

So because v4 is screwed up we should let v6 get just as bad? The time to fix these sorts of issues is now- before it's really live, rather than later.

-Don
Re: IPv6 Advertisements
Current policy allows for greater-than-/48 PI assignments if the org can justify it. However, since we haven't told staff (via policy) what that justification should look like, they are currently approving all requests and several orgs have taken advantage of that.

I can't imagine what an end-user could come up with to justify more than a /48 but what do I know. And if ARIN's primary goal is to prevent de-aggregation then shouldn't there be another fixed allocation size (/40) and block to prevent this?

So, it's entirely possible someone could get a /40 and deaggregate that into 256 routes if they wanted to. Given the entire v6 routing table is around 700 routes today, it's obviously not a problem yet :)

Obviously that's short sighted :) As for the deaggregation- anyone deaggregating a /40 into 256 routes should have their AS permanently blackholed :)

-Don
Re: IPv6 Advertisements
I don't think ARIN is planning on giving out more less a /48 but more than a /32- at least that was the impression I got. End sites get a /48- ISP's get a /32 or larger- and that's it (I could certainly be wrong). As such, deaggregation in the /48 block should not be an issue because no one will have more than a /48 in the first place.

Yes, you can get a prefix between /32 and /48 if you can justify it. That is certainly in line with the policy which resulted from proposal 2005-1.

You are of course correct- I misread "The minimum assignment size is /48" in terms of prefix length (ie minimum of /48- could be /56, etc.) which is not what was meant. The very next sentence should have clarified that for me but I probably skipped over it. mea culpa. I'm looking forward to seeing a realistic justification from an end user for more than a /48 :)

As an aside- what is the address block for PI end user assignments from ARIN? (I can't seem to find it and 2005-1 only mentions a "distinctly identified prefix" without any mention of what that would be). The Microallocation blocks are:

Internal Infrastructure: 2001:0506::/31
Exchange Points: 2001:0504::/31
Critical Infrastructure: 2001:0500::/30

(all of which are /48's so far). But I see no mention of end-user assignments (unless they fall into one of the above categories- though I don't see how).

-Don
Re: IPv6 Advertisements
> The upside is that in the block you're expected to accept /48s, nobody will have a /32. The downside is that anyone who gets a larger-than-minimum sized allocation/assignment can deaggregate down to that level.

I don't think ARIN is planning on giving out more less a /48 but more than a /32- at least that was the impression I got. End sites get a /48- ISP's get a /32 or larger- and that's it (I could certainly be wrong). As such, deaggregation in the /48 block should not be an issue because no one will have more than a /48 in the first place.

-Don
Re: NANOG 40 agenda posted
> and this means getting a good story in front of bean-counters about expending opex/capex to do this transition work. Today the simplest answer is: "if we expend Z dollars on new equipment, and A dollars on IT work we will be able to capture X number of users for Y new service" or some version of that story.

IPv6 should simply be a requirement of all new equipment purchases (in large ISP's this should have been the case for a while now). The bean counters don't see a cost for new equipment just to run IPv6- they see the normal costs to upgrade older equipment. At least that's the way I'm doing my upgrades.

-Don
Re: IPv6 Advertisements
I understand the problems but I think there are clear cut cases where /48's make sense- a large scale anycast DNS provider would seem to be a good candidate for a /48 and I would hope it would get routed. Then again that might be the only sensible reason...

> Don't give people an excuse to deagg their /32

RIPE may only give out /32's but ARIN gives out /48's so there wouldn't be any deaggregation in that case. It's a question of cost versus benefit. Does it make more sense to save a routing table entry- or reduce traffic by localizing DNS through anycasting?

-Don
Re: Juniper M10i sufficient for BGP, or go with M20?
> Strange. My rep always took pride in the fact that M- and T- series devices have no overcommit at all.. Maybe things changed, we use no quad-gig.

Many of Juniper's cards for the M7/M10 are oversubscribed- just look at their pdf's on the subject:

http://www.juniper.net/products/modules/100044.pdf
http://www.juniper.net/products/modules/100163.pdf

> I'm very happy about the Juniper devices I manage. They're expensive but very reliable, and their config interface has lots of unique features.

Juniper's greatest asset over Cisco is the single software image for all their systems. In my latest purchase that didn't justify paying 4 times as much no matter how much I love the software.

-Don
Re: Juniper M10i sufficient for BGP, or go with M20?
>> choice. Layout here is such that I'd expect to use a single quad gigabit port ethernet blade in each of a pair of M10i/M20 to achieve redundancy.

> he said 'blade' to which I read '4 pics in a FPC'... maybe it's a terminology thing? Neal?

The M10i doesn't have an FPC blade per se (it's built into the chassis) so in the context of the M10i I assumed "single quad gigabit port ethernet blade" meant a single card- though I could definitely be wrong. My knowledge of the Juniper line is sadly pretty limited.

-Don
Re: Juniper M10i sufficient for BGP, or go with M20?
>> I don't know much about Juniper but I'm about to learn with a new job. If I'm going to take full routes from a couple of upstreams and have a couple of peers will the M10i (768M max) be enough or is the M20 (2048M max) a better choice. Layout here is such that I'd expect to use a single quad gigabit port ethernet blade in each of a pair of M10i/M20 to achieve redundancy.

> The M10i is perfectly capable of handling the full table and then some. The only question is whether you want to buy more just in case your needs grow.

That said- Last time I spoke to a Juniper rep I was told that their 4 port GigE card for the M7/M10 is oversubscribed 4:1- ie the backplane connection is only gigabit. Check into that if it is important to you. I may have been misled or things may have changed- frankly I didn't look into it much as an equivalent Cisco solution with additional ports came in at 1/4 of the price :(

> Is there a pricing resource for this stuff online some where? I do *not* want to hear from any sales people over this comment ...

The pricing for all of this stuff is so ludicrously flexible it isn't funny. If the company wants you as a client (for marketing reasons or whatever) then suddenly a $50k router becomes a $25k (or less) router. If you point out a competitor's router is xyz dollars less you may suddenly find yourself with yet another discount. Get quotes from everyone, compare features, and don't hesitate to push for better pricing from everyone.

-Don
Re: HSRP availability in datacenters?
> On routers, you have your choice as of 12.2 (I believe). On the small 3550/3560 type MLS products only HSRP is offered.

> Sorry- wasn't thinking. Of course the "new" animal in town is GLBP which offers load sharing.

GLBP being completely Cisco proprietary unfortunately.

-Don
RE: HSRP availability in datacenters?
> No, in fact those are very interesting as they're a stop-gap between 3750s and 4500s at a good price per port. Are there any HSRP limitations on them? Guess I need to do some more research, as those are pretty hot.

Hasn't Cisco said for years that HSRP should not be used in new deployments and that VRRP should be used instead? Just curious.

-Don
Re: ISP CALEA compliance
A _much_ longer version of this was sent privately- but I had to take public exception to the following comment:

> I'm not surprised that when they are dealing with companies that delete all evidence they might need or push as much red tape as possible, that the LEA turns around and scrutinizes the company to find where they might be in breach of the law.

You are saying it's ok for people in power to be vindictive assholes. You are saying it is ok to govern through intimidation. I am both incredulous as well as fearful for the future of our country.

-Don
Re: ISP CALEA compliance
> You work so hard to defend people that exploit children? Interesting. We are talking LEA here and not the latest in piracy law suits. The #1 request from a LEA in my experience concerns child exploitation.

?? ???

Working hard to defend privacy does not automatically equal protecting people who exploit children- and I'm getting sick and tired of people screaming "Think of the children!" It's a stupid, fear mongering tactic- and hopefully one day people will think of it in the same way as crying wolf.

If law enforcement could be trusted to be competent you might have an argument- but considering the avalanche of cases where cops a) get their information wrong and go after the wrong person b) go out of their way to ignore evidence exonerating people because it might screw up their records c) simply don't have a clue or d) plant evidence (on a 90 year old woman for gods sake)- then it's nice to know that there are people out there forcing LE to play by the rules, get actual warrants, etc.

Then again perhaps I am biased- The USSS used to hold meetings at 7 World Trade Center to facilitate interaction between computer security firms and LE. In those meetings after I realized that LE is split about 50/50- those who get it (ie those I would help)- and those who are so clueless wrt computers that it makes me cringe (ie those I wouldn't talk to, let alone try to help). Unfortunately it seems to have gotten worse- The agents who used to deal with this stuff were those who actually wanted to- now every agent likes to play with computers.

> Hmmm, you must have been one of those types the agents I talked to were referring to. They said that those who give them the most flack usually get the least amount of slack. Play hardball with the government, and it will play hardball back at you. I'd definitely make sure you stick to #4 if following #1-3.

Great- so a bunch of people who want the laws bent for them go on a power trip because you expect them to OBEY THE LAW and you end up with no recourse against them. Yeah- this is the America I want to live in. You're absolutely right- it's a crying shame we aren't all buddies with the fed's- after all- they only want what's best for us! I'm looking forward to the day when the government tells me what to think- thinking is hard after all. If you don't have anything to hide- then why should you care right?

On the other hand- these sorts of laws may just be enough to push everyone to use encryption- and then what will LE do?

Sigh- I give up.

-Don
Re: UK ISP threatens security researcher
> In my personal opinion, ISPs, vendors, and such should legally be held responsible for their product's security and unconditionally be made to repair any security holes. -- if a vendor or ISP maintains good security practices, there will be nothing for them to fear from this.

What's really upsetting is that often it's faster to just fix the problem than it is to complain about it. Unfortunately companies seem to feel that legally threatening people is the wiser course of action.

I'd like to know when people stopped taking pride in their work. When I screw up- I'm upset with myself, not with the guy who pointed out the mistake. Now if he used my screwup to wreck everything I've worked- then to hell with him- but if all he did is point out the mistake- then I should learn from it and make sure it doesn't happen again.

-Don
Re: UK ISP threatens security researcher
> It *is* a criminal offence under extensions to the original CMA1990 in the Police and Justice Act 2006. The maximum penalty was also increased to two years imprisonment. I don't think this particular incident is enough to attract a custodial sentence, but he will almost certainly end up with a well-deserved criminal record for his stupidity if somebody can be bothered to press charges.

Some people's opinions are truly astounding. Why do we even bother having best practices if people aren't going to follow them? No damage was done- that's a hell of a lot more than you can ask from a damned hacker. And if your provisioning system doesn't blow- then fixing the problem isn't a big deal either.

Would your insurance company pay a claim on your stolen car if you left it running, with the doors wide open, in Harlem? Of course not. Nobody wants to take any responsibility for their own stupidity. The only criminal act here was the negligence on the part of the ISP. They got embarrassed- no harm was done- get on with your damned life.

The fact is that people will ALWAYS be curious- it's what makes human beings so amazing. People will explore their surroundings and if you don't want them to- then try taking some basic steps to ensure they can't.

As for the laws? Prison is for people who irrevocably harm society- some stupid kid who went exploring his cable modem DOES NOT QUALIFY. And what about a criminal record? Who the hell does that help? Give the guy a record and force him to go to work for the spammers and botnet writers? Great thinking.

"well-deserved criminal record for his stupidity." Where is the criminal record for the idiot who allowed remote access with a single username and password to every single cable modem? That's pretty damned stupid.

Honestly- when did we all become such vindictive assholes? Had the guy caused any real damage then you might have an argument. He didn't. We need to stop letting companies abuse the law instead of performing due diligence.

-Don
RE: summarising [was: Re: ICANNs role]
> offers 5 minutes from curb to seat checkin service. The need exists but it ain't gonna be filled anytime soon because the government prohibits such things. The government mandates delays and multiple vetting processes between the time you step on the curb and the time you sit in your airplane seat.

And government interference has been such a boon for the airlines and air travelers? Or just about any industry for that matter? Come on. Do you really want a group of people who think the Internet is a bunch of tubes telling you how things should be run?? God help us all if that happens.

> Same with buying a handgun in most states and in Canada. Same with opening a business in most jurisdictions. You have to go to cityhall and apply for a license first. Why should domain name registries be special and be exempt from these normal processes of vetting and registering?

Did you seriously, honestly, just compare a domain name to a handgun?? I have NO idea what to say to this ...

This was originally a much longer email but your statement made me realize the futility of my arguments...

-Don
Re: ICANNs role [was: Re: On-going ...]
> Well, you're not likely to get it for the $8.95 that Godaddy charges. Their abuse department does a remarkably good job, considering their volume and margins. Perhaps the message here is that you get what you pay for. For a rock bottom price, You get rock bottom service. There are registrars that charge considerably more and provide considerably more service.

The problem here is that the community gets screwed not the guy paying $8.95. If he was getting what he paid for- well who cares. The problem is everyone else.

That said- even if domains were more expensive it wouldn't change anything for the phishers using their stolen credit cards. There simply needs to be a better way for the community to quickly identify phishing sites- verified by some independent body (such as CERT) that can quickly verify the domain is a phishing site and alert the registrars to shut them down. Don't let it be used for copyright or any other non-sense complaint.

-Don
Re: ICANNs role [was: Re: On-going ...]
> I know the head abuse guy at Godaddy. He is a reasonable person. He turns off large numbers of domains but he is human and makes the occasional mistake. The fact that everyone cites the same mistake tells me that he doesn't make very many of them.

We cite this one because it was such an unbelievable cock-up it wasn't funny. Fyodor a blackhat? Seclists.org a malicious site? Honest to god did the guy do even the teensiest little bit of due diligence before shutting the site down? I don't believe he did. There have been plenty of other examples of GoDaddy deleting stuff they shouldn't have. Seclists.org just takes the cake.

An even better question would be why doesn't he read seclists.org in the first place? It would be an excellent way to keep on top of security problems- something someone in your friend's position should probably be doing.

> Actually, I have never seen any evidence that phishers use domain tasting. Phishers use stolen credit cards, so why would they bother asking for a refund? The motivation for tasting is typosquatting and "monetization", parking web pages full of pay per click ads on them. Tasting is a bad idea that should go away, but phishing isn't the reason.

I agree that typosquatters and the like are the primary reason and that it should go away. As for the phishers- fine- say the problem is stolen credit cards. What then is the solution?

-Don
Re: ICANNs role [was: Re: On-going ...]
>> What are your thoughts on basic suggestions such as: 1. Allowing registrars to terminate domains based on abuse, rather than just fake contact details.

> I don't like this because its impossible to define abuse clearly enough in this context. If a fictitious web-shop 'nice-but-dim.com' get a box owned which has the reverse dns set to something in that zone, is this abuse ? Yes .. sort of, but it's no business of the registry. Is registering a domain name which causes offense to some people abuse ? It might be, but its no reason not to let the domain name registration go through. What if you and I fall out, and I manage to build a case against you to get linuxbox.org de-registered ? Do you want to spend time and effort fighting it ? Who arbitrates/polices this scheme ? Who pays for any mistakes ?

I think the shutdown of seclists.org by GoDaddy is a perfect example of exactly why the registrars should NOT be making these decisions. And exactly what good is 24 hour notice (as some people have suggested) going to do? With 2 million domains registered every single day (according to a recent techworld article) who could possibly go through such a list and make informed decisions?

If you want a really simple, and probably very effective first step- then stop domain tasting. It doesn't help anyone but the phishers.

An even better idea would be for companies to send out their own phishing emails. Every user that falls for it gets an email/phone call informing them just how stupid they are and notifying them that if they fall for it again they are going to lose their account. The next time they fall for it you shut down their account.

Seriously though- why do we keep blaming the infrastructure for the mind boggling stupidity of users?

-Don
Re: On-going Internet Emergency and Domain Names
> You got me there. I will add: "You can NEVER make the Pirates go away" but; "You can make sure they never enter your seas" Enough analogies though. :)

The Flying Spaghetti Monster is not at all happy about this talk of stopping pirates. He will likely smite you all with his noodly appendage.

RAmen.

-Don
Re: On-going Internet Emergency and Domain Names (kill this thread)
> You do realize this post is not about Microsoft or IE 0days, right? I would prefer not to turn this into an OS flamefest, my only point is that *this list* is not the proper venue to discuss this issue; nor the methods that you suggest as a remedy, regardless of merit. Again if the rest of the list wants to continue, then so be it.

In the end, phishing and scams work because people are stupid (or possibly ignorant- but then again with all the warnings they've received you'd have to be stupid to still be ignorant at this point). Period. End of discussion. Every time we come up with another "solution" - the universe comes up with a bigger idiot.

Honestly- I, as well as everyone I know, receives a million warning messages from banks, web sites, etc. warning people not to trust email claiming to be from said institution. And yet, every single day, thousands upon thousands of people keep falling for it. Where do you draw the line?

Since we seem to love analogies: Imagine you have a high voltage outlet and people keep sticking their fingers in it and getting electrocuted. So you put up a sign that says "Danger- high voltage," and people continue sticking their fingers in it. Then you warn them about it personally, and you have segments on the tv news and articles in the papers and people STILL do it. At what point do you just have to walk away and let nature take its course?

Everybody in the world has been _repeatedly_ warned about phishing and other scams, and yet just like 419 scams, they KEEP falling for it. Nobody stops to think. Enough is enough already.

Do I think certain policies should be changed? Sure. Domain tasting is an idea that I can not believe benefits anyone but a scammer (or a domain advertiser- which is no better). There are plenty of other examples but in the end, no matter what we do, users are going to continue to do mind-bogglingly stupid things.

-Don

*Please don't think for a second I want to see the scammers given carte blanche to do what they want- or that we shouldn't try to stop them- but pretending we can solve the problem of user stupidity through technology is disingenuous and laughable.
Re: NOC Personel Question (Possibly OT)
> 1) Expected to have above-average UNIX skills, above-average exposure to DNS (understanding SOAs, must have familiarity with dig, etc.), familiarity with HTTP (manual fetches/form queries, etc.), SSH and ... and do not hire people who tote themselves as superior or "too proud to work in a NOC".

Then these people should have the title System Administrator (or something similar). Just because they work in a "NOC" doesn't mean they have to have NOC-anything in their title. But for the type of NOC most people are describing- NOC-anything would be fine- it really doesn't matter. Some of those NOC people (The ones that want to learn) will move on to become SA's or NA's or whatever. Others will not, or do not want to, learn anything and will never move out of the NOC.

-Don
RE: NOC Personel Question (Possibly OT)
> Anyway, I have a friend who managed to get "Not A Janitor" on his business card.

"Rear Admiral" was my favorite business card title if only because that was also the caller ID on my phone (I managed the PBX at the time). I've seen "Systems/Unix/DNS Ninja." At my current job I make breakfast on Thursday mornings for the team I work with- I'm trying to get business cards that say either "Head Chef" or "Chief Cook and Bottle Wash."

Before this gets too wildly off-topic- perhaps the original poster can comment as to why NOC Specialist is a problem?

> We call our level 1 NOC people "Operators." We reserve Network Analyst for the level 2 people who also do some small amount of scripting and other more advanced troubleshooting.

Network Analyst makes me think of Stock Analysts, though. The problem is that they aren't very good at telling me what kind of returns I can expect on my equipment and what the future holds for the network :)

Has anyone thought to clearly define these titles somewhere so that everyone can standardize on them?

-Don
Re: Google wants to be your Internet
> Especially in rural areas (where physically reading meters sucks the most due to long inter-house distances), you have no guarantee of good cellular coverage. The electric company *can* however assume they have copper connectivity to the meter by definition

Doesn't have to be copper- it could be aluminum :)

-Don
nanog@merit.edu
I have a cage at an AT&T hosting facility in NY. Every few weeks I end up with horrendous VPN problems to another site I have on MCI's network in Maryland, as well as to a partner's site, in the same area, also on MCI.

mtr -s 800 to either site shows 10% packet loss on the hop from:

12.122.105.45 -> 192.205.34.50

Both of these appear to be AT&T routers (I say appear to be because I am relying on the netblock information from ARIN- reverse DNS for routers seems to be uncool).

Does anyone else run into this problem? Smaller pings show far fewer (if any) issues and other traffic is passable- but it kills my VPN's.

-Don
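Before opening a ticket on a hop like the one above, it helps to tell forwarding loss from a router merely rate-limiting its own ICMP replies: the latter shows up as loss confined to one hop while every later hop stays clean. The following is an added example, not code from the original post; it parses constructed `mtr --report` output (the two AT&T addresses are the ones quoted above, the other hops use RFC 5737 documentation ranges) and labels each hop accordingly.

```python
"""Classify per-hop loss in `mtr --report` output (added illustrative example)."""
import re
from dataclasses import dataclass

# Matches report rows such as:  3.|-- 192.205.34.50   10.0%   100   9.8  9.9 ...
HOP_RE = re.compile(r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%?\s+(\d+)")

# Constructed sample: large probes (-s 800) with loss beginning at hop 3
# and persisting all the way to the destination.
SAMPLE_PERSISTENT = """\
HOST: colo-host                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1                  0.0%   100    0.4   0.5   0.4   0.9   0.1
  2.|-- 12.122.105.45              0.0%   100    1.2   1.3   1.1   2.0   0.2
  3.|-- 192.205.34.50             10.0%   100    9.8   9.9   9.5  11.2   0.3
  4.|-- 198.51.100.7              10.0%   100   10.4  10.6  10.1  12.0   0.4
  5.|-- 203.0.113.9                9.0%   100   11.0  11.2  10.7  13.1   0.5
"""

# Constructed sample: loss only at hop 2, a silent hop 3, clean destination.
SAMPLE_ISOLATED = """\
HOST: colo-host                   Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1                  0.0%   100    0.4   0.5   0.4   0.9   0.1
  2.|-- 198.51.100.1              30.0%   100    1.2   1.3   1.1   2.0   0.2
  3.|-- ???                       100.0   100    0.0   0.0   0.0   0.0   0.0
  4.|-- 203.0.113.9                0.0%   100   11.0  11.2  10.7  13.1   0.5
"""


@dataclass
class Hop:
    index: int
    host: str
    loss: float  # percent of probes lost at this hop
    sent: int


def parse_mtr_report(text):
    """Return the hop rows of an mtr report as Hop objects, in path order."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append(Hop(int(m.group(1)), m.group(2),
                            float(m.group(3)), int(m.group(4))))
    return hops


def classify_loss(hops, threshold=1.0, tolerance=3.0):
    """Label each hop index.

    forwarding-loss: loss at this hop is also seen (within tolerance) at the
                     destination, so packets really are being dropped here.
    isolated-loss:   later hops are clean; the router is most likely just
                     deprioritising ICMP TTL-exceeded replies.
    no-reply:        hop never answers (shown as ??? or 100%); not loss as such.
    clean:           below threshold.
    """
    if not hops:
        return {}
    destination_loss = hops[-1].loss
    labels = {}
    for h in hops:
        if h.host == "???" or h.loss >= 100.0:
            labels[h.index] = "no-reply"
        elif h.loss < threshold:
            labels[h.index] = "clean"
        elif destination_loss >= h.loss - tolerance:
            labels[h.index] = "forwarding-loss"
        else:
            labels[h.index] = "isolated-loss"
    return labels


def first_forwarding_loss(hops, **kw):
    """The earliest hop where real loss starts: the one to name in a ticket."""
    labels = classify_loss(hops, **kw)
    for h in hops:
        if labels[h.index] == "forwarding-loss":
            return h
    return None


if __name__ == "__main__":
    for name, sample in (("persistent", SAMPLE_PERSISTENT),
                         ("isolated", SAMPLE_ISOLATED)):
        hops = parse_mtr_report(sample)
        print(name, classify_loss(hops))
        culprit = first_forwarding_loss(hops)
        print("  report to:", culprit.host if culprit else "nobody")
```

Running the same classification over a small-probe report (the post's "smaller pings") and comparing the labels is the quickest way to confirm that the loss is size dependent.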
Re: AS41961 not seen in many networks
> now pingable addresses are: 194.60.78.254 194.60.204.254 194.153.114.254 From one location, things die as soon as they hit AT&T, another location things work perfectly.

I have a couple of networks off AT&T and I am not seeing these routes in my tables. I do see them off other networks, however.

-Don
Re: Collocation Access
> throughout the US. In recent memory, I can think of two large collocation centers that retain your ID. One is in Miami and one in New York (I don't think I need to name names, most of you know to which I refer). All others (including AT&T) have never asked to retain my ID.

I don't mind naming names. telex. I left.

AT&T's colocation facility in mid town retains your ID. So do a lot of others I've been to. And that happens whether or not they give you a cage key.

-Don
RE: Bogon Filter - Please check for 77/8 78/8 79/8
> So we're saying that a lawsuit is an intelligent method to force someone else to correct something that you are simply using to avoid the irritation of manually updating things yourself??? That seems to be the epitome of laziness vs. litigiousness.

I think the point is that people are trusting this "self appointed" authority and thus others are blocking _his_ legitimate traffic. If you're going to appoint yourself an "authority" then you have a responsibility to be accurate. If you're too lazy to keep your lists up to date then you need to stop offering said lists.

As an admin I can't stop other people from using such an idiotic list. However I can sue the list for libel- after all they are printing the incorrect fact that the traffic I am sending is bogus and thus are harming my reputation and impacting my business. Seems to me like this is _exactly_ what the courts are for.

There is no gray area- it's not a question of whether or not this is spam for example. This list is publishing the false statement that the traffic this ISP is trying to send is bogus. If they won't correct their mistake then you absolutely should be able to petition the courts to get them to stop publishing false information about you.

-Don
Re: The IESG Approved the Expansion of the AS Number Registry
> agreed, let's NOT do the v6 thing... do the 32-bit asn's give us more than just 'more bits' ? :) (Sorry, I couldn't resist). So, yes, let's get someone to start testing, I'd just caution on assigning the 32-bit asn's for real-users, since much of the net might not be able to use them, partial reachability will/could-be a problem.

The good news is that 32 bit ASN's won't be assigned by default until 2009. Starting on January 1, 32 bit ASN's will be assigned- but only to those people explicitly requesting them. All in all it seems like a sensible migration strategy.

-Don
Re: The IESG Approved the Expansion of the AS Number Registry
> So, all of the current devices need to get upgraded before 'day one' of 32-bit ASN use... that'll be fun :) Why is RIPE passing out the 32-bit ASN's now?

ARIN will begin passing out 32 bit ASN's to anyone who asks as of January 1, 2007. This is the same policy as RIPE so I don't see what the big deal is.

> aren't there still plenty (+20k or so) 16-bit ASN's out there for assignment? (perhaps I'm missing something on the need to allocate the new asn's?)

By all means let's wait until the last possible second to upgrade ASN support. The waiting approach has worked so well for IPV6 :)

Seriously though- why not let people start registering now. The only way we'll know if 32 bit ASN's will work is if we start using them.

-Don
Re: IP adresss management verification
> At some point, it will become cheaper to just deploy IPv6 than to do the things needed to get more IPv4 space. What's this week's forecast for the event horizon, anyhow? It keeps moving around

That's what I'd like to know. Is the DoD "deadline" going to motivate anyone? When are we going to be able to announce IPv6 blocks through the major backbones, etc.? Or is Google simply going to require IPv6 and overnight it will happen? :)

-Don
RE: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link]
>> Steve's 100% spot-on here. I don't have bogon filters at all and it hasn't hurt me in the least. I think the notion that this is somehow a good practice needs to be quashed.

> Some people don't use condoms with hookers either. Just because they haven't caught anything yet doesn't make it a smart practice.

Sorry I have to agree with Steve as well. I know I've left networks with Bogon lists in place and then gotten calls a year or more later asking why traffic isn't coming in from XYZ new client. Turns out the new admin never updated the bogon list.

If this was done through a central repository and updated daily, or required the list to be refreshed periodically otherwise it timed out- fine. The problem is people leave these lists in and forget about them. If you are going to keep on top of them, and make sure to remove them when you leave- then that's great. But if you are going to do it half way- please don't bother.

-Don
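The forgotten-filter problem described here, and the 77/8-79/8 complaint in the thread above, both come down to a deny list that nobody re-audits. As an added example (not code from either post), the check below parses a constructed IOS-style access list, converts each wildcard-mask deny entry to a prefix, and reports every entry that is no longer wholly inside a current bogon list; the "current" list here is a constructed stub, and in practice it should be replaced by a freshly fetched one each time the audit runs.

```python
"""Audit a deployed bogon ACL against a current bogon list (added example)."""
import ipaddress

# Constructed: a deny list written years ago and never touched since.
# 77/8 and 78/7 (78 and 79) are the blocks the thread subject complains about.
DEPLOYED_ACL = """\
access-list 100 remark bogon filter - last touched 2005
access-list 100 deny ip 0.0.0.0 0.255.255.255 any
access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny ip 77.0.0.0 0.255.255.255 any
access-list 100 deny ip 78.0.0.0 1.255.255.255 any
access-list 100 deny ip 96.0.0.0 31.255.255.255 any
access-list 100 deny ip 192.168.0.0 0.0.255.255 any
access-list 100 deny ip 240.0.0.0 15.255.255.255 any
access-list 100 permit ip any any
"""

# Constructed stand-in for a freshly downloaded bogon list (a few entries
# only); the real list must be fetched at audit time, never hard-coded.
CURRENT_BOGONS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "192.168.0.0/16", "240.0.0.0/4",
]


def parse_deny_entries(acl_text):
    """Extract 'deny ip <addr> <wildcard> any' lines as IPv4Network objects.

    ipaddress accepts a wildcard (host) mask in place of a netmask, so
    0.255.255.255 becomes /8, 1.255.255.255 becomes /7, and so on.
    """
    nets = []
    for line in acl_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[2] == "deny" and parts[3] == "ip":
            nets.append(ipaddress.ip_network(f"{parts[4]}/{parts[5]}", strict=False))
    return nets


def audit_bogon_filter(acl_text, current_bogons):
    """Split deployed deny entries into still-valid and stale.

    An entry is stale when it is not entirely inside some current bogon
    prefix: all or part of it is now allocated space and the filter is
    dropping legitimate traffic. For stale entries, 'still_bogon' lists
    the current bogon prefixes that fall inside them, i.e. what the entry
    could be narrowed to instead of simply deleted.
    """
    current = [ipaddress.ip_network(b) for b in current_bogons]
    stale, valid = [], []
    for net in parse_deny_entries(acl_text):
        if any(net.subnet_of(c) for c in current):
            valid.append(str(net))
        else:
            stale.append({
                "entry": str(net),
                "still_bogon": [str(c) for c in current if c.subnet_of(net)],
            })
    return {"stale": stale, "current": valid}


if __name__ == "__main__":
    report = audit_bogon_filter(DEPLOYED_ACL, CURRENT_BOGONS)
    for item in report["stale"]:
        fix = f"narrow to {item['still_bogon']}" if item["still_bogon"] else "remove"
        print(f"STALE   {item['entry']:<18} -> {fix}")
    for entry in report["current"]:
        print(f"ok      {entry}")
```

Run from cron with a freshly fetched list, a non-empty "stale" result is the alert that the admin who inherited the router needs before the client calls.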
Router Options & Support Experiences
I've got a client looking to upgrade their edge routers and they want to consider all of their options. Right now we're looking at Cisco, Juniper and Foundry. I'd like to hear what other people have to say about the vendors, their offerings and their support. Do their products have particular strengths or weaknesses? Also, if anyone has another vendor we should be considering- we are open to suggestions.

In this case the router requirements are small- 5 GigE interfaces, BGP, OSPF, VRRP and the ability to handle as many PPS as possible so as to avoid a router DoS in the event of an attack (10 Mpps minimum).

I have my own opinions about each vendor but I'd like another perspective this time around.

Thanks in advance,

-Don
Re: UUNET issues?
> As for the LSA issue- rebooting would have fixed the problem, assuming it was done by all nodes at the same time. All of the Link State tables would have been rebuilt from scratch by the IMPs and the corrupt announcements would have been gone.

Turns out this is actually mentioned on page 14 of RFC 789.

> As I recall the IMP software was actually patched to ignore the problematic announcements from IMP 51.

Not that it matters- but it was IMP 50 not 51.

-Don
Re: UUNET issues?
> Anyway, I don't think that would have helped if you're talking about the same incident I'm thinking of. There were application-level retransmissions of (corrupted) packets, complete with building new bad packets from bad data structures, all over the net. The problem is documented in RFC 789. It and "The Bug Heard 'Round the World" are two of my favorite "how complex systems fail" papers; all system designers should read, memorize, and understand both.

I actually asked Stephen if he was referring to the LSA corruption problem and he said he was referring to an earlier issue (circa 1972).

As for the LSA issue- rebooting would have fixed the problem, assuming it was done by all nodes at the same time. All of the Link State tables would have been rebuilt from scratch by the IMPs and the corrupt announcements would have been gone. As I recall the IMP software was actually patched to ignore the problematic announcements from IMP 51.

-Don
Re: register.com down sev0?
> My tests from 2 years ago showed the same thing, both /24s were behind the same system in Exodus' NYC DC in Manhattan (IIRC). That is what prompted me to move everything to the rcom partner side which uses eNom.

I don't know about a "partner" side but their premium service was always run by Register.com themselves. The servers were in a number of locations across the world. Whether any of this remains true today I have no idea. Register.com may have also resold eNom services but I doubt that had anything to do with their premium service.

-Don
Re: register.com down sev0?
> I submitted both spams to spamcop and the appropriate abuse addresses would have been notified in both cases. I got no response from either of my submissions. As for a "reason for ignoring" my complaint I really couldn't say since, well they ignored me.

Did you ever send a complaint to [EMAIL PROTECTED] and [EMAIL PROTECTED] personally (so that you could actually verify it was sent and delivered)? I've never dealt with a company that didn't at least acknowledge receipt of a complaint.

-Don
Re: register.com down sev0?
> It's pretty well-known that register.com has been a source of spam, and that complaints to them have been ineffective.

Albert, I don't know about Register.com's opinion but I dare say the statement above isn't very helpful to me as an admin. When you say "has been a source of spam" is there a time frame involved? Was this in the last week? Month? Year? When you say "register.com" has been the source do you mean a) their netblocks b) their mail servers or c) partners acting on their behalf?

You also state that complaints have been ineffective. Again is there a time frame? Did anyone get back to you? Did they investigate? Did they give you a reason for ignoring or doing nothing about your complaint?

I ask this not because I want to know but because if someone from the company came here to address the issue then perhaps we should give them as much information as possible (After all- you have a contact now). Simply saying that "it's pretty well-known" doesn't really help. I frankly doubt they would bother posting here with "let us know" if they had no intention of looking into it- this isn't exactly a group likely to be pacified by empty promises. (It's also possible that in the past the right people never found out- or that there are new people there who take the issue more seriously).

> will be happy to hear that. If you're here to tell us that there never was a problem and that we're all just imagining it... you'll need these:

I don't think they are going to claim there was never a problem- unfortunately sometimes the marketing folks don't consult or listen to their technical folks- it's happened at a lot of companies. That said- I haven't had spam from a register.com netblock in a long time. Then again maybe I've just been lucky.

-Don
Re: register.com down sev0? - More information
> 5. AT&T (at least when I've dealt with them in their datacenters) does not support BGP community strings for null routing (or any strings for that matter :)

Lest anyone take me too seriously on that last point- AT&T hosting does have community strings for certain features- unfortunately not for null routing.

-Don

(My apologies for the earlier lack of a full email name)