Any tool or theoretical method for detecting the number of computers behind a NAT box?
hi,

Sharing internet access bandwidth between multiple computers is common today. Usually, the bandwidth sharer buys a little router with a NAT/PAT function. After connecting that box to an ADSL/LAN access link, multiple computers can share a single access link. I heard some companies provide products for detecting the number of computers behind a NAT/PAT box. Is there any paper or document on how such products work? Where could I find them?

Joe
Load balancing and fault tolerance without a load balancer
hi,

We plan to set up a web site with two web servers. The two servers should be under the same domain name. Normally, web surfing load should be distributed between the servers. When one server fails, the other server should take all of the load automatically. When the failed server recovers, load balancing should be achieved automatically. There is no budget for a load balancer. We plan to use DNS to balance load between the two servers. But it seems a DNS-based solution could not direct all load to one server automatically when the other is down. Is there any way to solve the problem above? We use HP-UX with MC/ServiceGuard installed.

Thanks in advance.

Joe
Tools to measure TCP connection speed
hi,

Is there any tool that could measure e2e TCP connection speed? E.g. we want to measure the delay between sending the TCP SYN and receiving the SYN-ACK packet.

Joe
RE: Tools to measure TCP connection speed
We do not just want to analyze e2e performance, but to monitor network performance at the IP and TCP layers. We monitor end-to-end ping with smokeping, but as you know, ICMP data does not reflect application-layer performance at any time. So, we set up two hosts to measure TCP performance. Is there a tool like smokeping for monitoring e2e TCP connecting speed?

Joe

--- Darden, Patrick S. [EMAIL PROTECTED] wrote:

> Best way to do it is right after the SYN just count one one thousand, two one thousand until you get the ACK. This works best for RFC 1149 traffic, but is applicable for certain others as well.
>
> I don't know of any automated tool, per se. You really couldn't do it *well* on the software side. I see a few options:
>
> 1. This invalidates itself, but it is easily doable: get one of those ethernet cards that includes all stack processing, and write a simple driver that includes a timing mechanism and a logger. It invalidates itself because your real-life connection speeds would depend on the actual card you usually use, the OS, etc. ad nauseam, and you would be bypassing all of those.
>
> 2. If you are using a free as in open source OS, specifically as in Linux or FreeBSD, then you could write a simple kernel module that could do it. It would still be wrong--but depending on your skill it wouldn't be too wrong.
>
> 3. This might actually work for you. Check to see how many total TCP connections your OS can handle, make sure your TCP timeout is set to the default 15 minutes, then set up a simple perl script that simply starts a timer, opens sockets as fast as it can, and when it reaches the total the OS can handle it lets you know the time passed. Take that and divide by the total number of connections and you get the average. It won't be very accurate, but it will give you some kind of idea.
>
> Please forgive the humor
>
> --Patrick Darden
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Shen
> Sent: Monday, March 10, 2008 5:00 AM
> To: NANOG
> Subject: Tools to measure TCP connection speed
>
> > hi,
> >
> > Is there any tool that could measure e2e TCP connection speed? E.g. we want to measure the delay between sending the TCP SYN and receiving the SYN-ACK packet.
> >
> > Joe
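An added example, not a tool mentioned in the thread: a smokeping-style probe that times the TCP handshake from user space with only the standard library. It assumes a plain TCP listener as the target; the local listener below is constructed so the probe can be run offline.

```python
"""Time TCP connects (SYN out -> SYN-ACK in) the way a smokeping-style probe
would. connect() returns once the client has received the SYN-ACK and sent
its ACK, so the elapsed time is the handshake RTT plus local stack overhead,
which is close to what the kernel sees between SYN and SYN-ACK."""
import socket
import statistics
import threading
import time


def tcp_connect_time(host, port, timeout=3.0):
    """Return handshake time in milliseconds, or None when the connect fails
    (refused, filtered/timeout, unreachable). No payload is ever sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    start = time.perf_counter()
    try:
        sock.connect((host, port))
        elapsed = time.perf_counter() - start
    except OSError:
        return None
    finally:
        sock.close()
    return elapsed * 1000.0


def probe(host, port, count=10, interval=0.1, timeout=3.0):
    """Run `count` handshakes and summarise one monitoring round:
    min/median/max latency plus the share of failed handshakes as loss."""
    samples = []
    failures = 0
    for _ in range(count):
        ms = tcp_connect_time(host, port, timeout)
        if ms is None:
            failures += 1
        else:
            samples.append(ms)
        time.sleep(interval)
    return {
        "sent": count,
        "loss": failures / count,
        "min_ms": min(samples) if samples else None,
        "median_ms": statistics.median(samples) if samples else None,
        "max_ms": max(samples) if samples else None,
    }


def start_local_listener():
    """Constructed target for an offline run: a TCP listener on 127.0.0.1 with
    an ephemeral port that accepts and immediately closes every connection.
    Returns (port, shutdown_callable)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)
    srv.settimeout(0.2)          # lets the accept loop notice the stop flag
    port = srv.getsockname()[1]
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue
            except OSError:      # listener closed underneath us
                return

    threading.Thread(target=accept_loop, daemon=True).start()

    def shutdown():
        stop.set()
        srv.close()

    return port, shutdown


if __name__ == "__main__":
    port, shutdown = start_local_listener()
    print(probe("127.0.0.1", port))
    shutdown()
```

A failed handshake (refused or filtered) is reported as loss rather than as a latency sample, which is what distinguishes a firewall dropping SYNs from a slow path.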
Question on algorithm for RADIUS-based accounting
hi,

I 'googled' algorithms for RADIUS-based accounting, but can't find anything. My question is: what's the best algorithm for constructing broadband access records from RADIUS accounting packets?

To my knowledge, some systems take:

- record the Accounting-On packet's arrival time
- record the Accounting-Off packet's Acct-Session-Time and Acct-Delay-Time
- the log-off time is calculated as: Accounting-On time + (Acct-Session-Time - Acct-Delay-Time)

But some others take:

- record the Accounting-Off packet's arrival time
- record the Accounting-Off packet's Acct-Session-Time and Acct-Delay-Time
- the log-on time is calculated as: Accounting-Off arrival time - (Acct-Session-Time - Acct-Delay-Time)

Do the two methods have the same effect on the calculated result? If RADIUS packets were sent to two accounting systems simultaneously, while the two systems use different algorithms, will there be any difference between the accounting results?

regards

Joe
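The two calculations from the post side by side, as an added example (not code from the thread), with the RFC 2866 reading of Acct-Delay-Time for comparison. It assumes the post's Accounting-On/Off packets are the per-session Start/Stop Accounting-Requests; the packet arrival times are constructed.

```python
"""Reconstruct log-on/log-off times from RADIUS accounting packets with the
two methods in the post plus the RFC 2866 reading, and measure how far
apart they land for the same session."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class AcctRequest:
    """The Accounting-Request fields the calculation uses (constructed, not
    parsed from a packet; Accounting-On/Off are taken as Start/Stop)."""
    status_type: str            # "Start" or "Stop"
    arrived_at: datetime        # when the accounting server received it
    acct_session_time: int = 0  # Acct-Session-Time, seconds (Stop only)
    acct_delay_time: int = 0    # Acct-Delay-Time, seconds the NAS spent retrying


def method_start_anchored(start, stop):
    """The post's first method: anchor on the Start packet's arrival time."""
    logon = start.arrived_at
    logoff = logon + timedelta(seconds=stop.acct_session_time - stop.acct_delay_time)
    return logon, logoff


def method_stop_anchored(start, stop):
    """The post's second method: anchor on the Stop packet's arrival time."""
    logoff = stop.arrived_at
    logon = logoff - timedelta(seconds=stop.acct_session_time - stop.acct_delay_time)
    return logon, logoff


def method_rfc2866(start, stop):
    """RFC 2866 semantics: the event happened Acct-Delay-Time seconds before the
    packet arrived, so log-off = Stop arrival - delay, and Acct-Session-Time
    (the true duration) gives log-on. The Start packet is not needed."""
    logoff = stop.arrived_at - timedelta(seconds=stop.acct_delay_time)
    logon = logoff - timedelta(seconds=stop.acct_session_time)
    return logon, logoff


def compare(start, stop):
    """Return {method_name: (logon, logoff)} for all three readings."""
    return {
        "start_anchored": method_start_anchored(start, stop),
        "stop_anchored": method_stop_anchored(start, stop),
        "rfc2866": method_rfc2866(start, stop),
    }


def max_discrepancy_seconds(start, stop):
    """Largest spread in log-off time between the methods: the gap two
    accounting systems fed the same packets would show for one session."""
    logoffs = [logoff for _, logoff in compare(start, stop).values()]
    return int((max(logoffs) - min(logoffs)).total_seconds())


# Constructed scenario: a 3600 s session. The Start packet was retransmitted
# for 5 s and the Stop packet for 10 s before the accounting server heard them.
SESSION_START = datetime(2008, 3, 10, 0, 0, 0)
START_PKT = AcctRequest("Start", SESSION_START + timedelta(seconds=5),
                        acct_delay_time=5)
STOP_PKT = AcctRequest("Stop", SESSION_START + timedelta(seconds=3610),
                       acct_session_time=3600, acct_delay_time=10)

if __name__ == "__main__":
    for name, (logon, logoff) in compare(START_PKT, STOP_PKT).items():
        print(f"{name:15s} logon={logon:%H:%M:%S} logoff={logoff:%H:%M:%S}")
    print("spread:", max_discrepancy_seconds(START_PKT, STOP_PKT), "s")
```

With no retransmissions all three agree; once either packet is delayed, the two arrival-anchored methods drift apart by the sum of the delays, so two accounting systems using different methods will record different session boundaries.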
Network parameters on subscriber-side feelings
hi,

Is there any work or research on measuring methods for subscriber (customer) side feelings about network service? It seems that e2e ping delay and packet loss may miss some important factors when we consider subscribers' feelings.

Joe
Policy of Dial-up session processing
hi,

Maybe this is off-topic, but I can't find any place where I could find an answer for this question. If this is intrusive, just ignore it please.

My question is: how does an ISP deal with DSL dial-up sessions which pass the accounting period time? E.g. a customer subscribes to DSL service at 15 USD/month for 150 hours. The subscriber used 145 hours by 30th May, gets online at 21:00 on the 31st, and gets offline at 5:00 on June 2nd. The RADIUS server could only export the customer's session when he gets offline. So, the problem comes to the accounting system, which was designed to calculate customer usage on the first day of each month. The cut-off line of each month's usage is set to 00:00 on the first day of each month. Someone says the ISP should force those sessions closed at 00:00 on the first day of each month, because they must ensure dial-up sessions of last month are not accounted in the next month. Is this true?

Thanks in advance.

Joe
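An added example, not an ISP's billing code nor anything from the list: apportioning the post's session (online 21:00 on 31 May, offline 05:00 on 2 June) across the 00:00 first-of-month cut-off, so last month's hours and this month's hours are counted separately from one Stop record without forcing the session closed. The year and the quota rule are assumptions.

```python
"""Split a dial-up session's connect time at monthly accounting cut-offs."""
from datetime import datetime, timedelta


def month_start(dt):
    """00:00 on the first day of dt's month: the post's monthly cut-off line."""
    return dt.replace(day=1, hour=0, minute=0, second=0, microsecond=0)


def next_month_start(dt):
    """The first cut-off strictly after dt."""
    # 32 days past the 1st always lands in the following month; snap to its 1st.
    return month_start(month_start(dt) + timedelta(days=32))


def split_session_by_month(logon, logoff):
    """Apportion the connect time of [logon, logoff) to billing months.
    Returns {(year, month): seconds}; a session inside one month gives one key."""
    if logoff < logon:
        raise ValueError("log-off precedes log-on")
    usage = {}
    cursor = logon
    while cursor < logoff:
        slice_end = min(next_month_start(cursor), logoff)
        key = (cursor.year, cursor.month)
        usage[key] = usage.get(key, 0) + int((slice_end - cursor).total_seconds())
        cursor = slice_end
    return usage


def hours_over_quota(prior_hours, usage, month, quota_hours=150.0):
    """Assumed quota rule: only the slice that fell inside `month` counts
    against that month's allowance. Returns (hours_in_month, hours_over)."""
    in_month = usage.get(month, 0) / 3600.0
    over = max(0.0, prior_hours + in_month - quota_hours)
    return in_month, over


# The post's session, with 145 of 150 hours already used in May.
# The year is an assumption.
LOGON = datetime(2008, 5, 31, 21, 0)
LOGOFF = datetime(2008, 6, 2, 5, 0)

if __name__ == "__main__":
    usage = split_session_by_month(LOGON, LOGOFF)
    print(usage)                                    # 3 h to May, 29 h to June
    print("May:", hours_over_quota(145.0, usage, (2008, 5)))
    print("June:", hours_over_quota(0.0, usage, (2008, 6)))
    # Booking the whole session to the month the Stop record arrived instead:
    whole = {(2008, 6): sum(usage.values())}
    print("all in June:", hours_over_quota(0.0, whole, (2008, 6)))
```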
Re: barak-online.net icmp performance vs. traceroute/tcptraceroute, ssh, ipsec
I agree with Dale. The problem should be with e2e TCP performance. Maybe there is a misconfigured firewall which blocks SYN or ACK packets. Or packets larger than 128B are dropped. As you can find in your data, ping and traceroute show different response speeds. Maybe you could try a layer-4 traceroute, and try a packet size bigger than 1000 bytes. It will show you where the problem may exist.

Joe

ICMP or traceroute usually use small packets.

--- Joe Maimon [EMAIL PROTECTED] wrote:

> Lincoln Dale wrote:
>
> > > traceroute/tcptraceroute show packet loss and MUCH higher rtt than the corresponding direct pings on the reported hop entries. Is this some sort of massaging or plain just faking it? Or are such things merely net-urban myth?
> >
> > the vast majority of routers on the internet respond very differently to traffic 'directed at them' as opposed to traffic 'routed through them'.
>
> Thanks for your reply. I did include icmp echo directly to each hop as a comparison.
Ratio between number of RADIUS accounting servers and number of RADIUS authentication servers
Is there any recommendation on the ratio between the number of RADIUS accounting servers and the number of RADIUS authentication servers, if accounting and authentication are executed on different hardware platforms? Is there any way to estimate the burst rate of RADIUS protocol packets in an ISP network?

Thanks in advance.

Joe
Re: Ratio between number of RADIUS accounting servers and number of RADIUS authentication servers
We established two server farms which serve on two IPs. The BAS uses those two IPs as AAA server addresses. Currently, the number of accounting servers is much less than the number of authentication servers, although the DB connections allocated to the accounting servers are nearly the same as for the authentication servers. The problem is, RADIUS server response speed may become very slow (more than 100 s) at peak time. Some of the RADIUS accounting packets overflow when they are sent to the RADIUS server process queue. As RADIUS response speed is slow, the BAS retransmits those packets in the queue, and system performance worsens from duplicated packets. Some dial-up sessions are not closed normally because Accounting-Off packets are lost or overflowed. I plan to deal with the problem by starting with incoming packet rate measurement and server structure optimization. But there seems to be too little material available.

Joe

--- K K [EMAIL PROTECTED] wrote:

> On 5/3/07, Joe Shen [EMAIL PROTECTED] wrote:
>
> > Is there any recommendation on the ratio between the number of RADIUS accounting servers and the number of RADIUS authentication servers, if accounting and authentication are executed on different hardware platforms?
>
> I generally deploy just two accounting servers, because (most) RADIUS-enabled devices deal with caching/retransmitting accounting data in a reasonable fashion if the accounting servers are slow or unresponsive -- users won't notice if Accounting is slow, quite the opposite of Authentication.
>
> Many (most?) RAS/VPN/etc devices only support configuring two RadAcct servers; even devices which offer up to 4 total auth servers might only allow 2 for accounting. Also keep in mind that some devices use a primary/backup configuration, while other implementations send all Accounting records to *both* servers at all times.
>
> > Is there any way to estimate the burst rate of RADIUS protocol packets in an ISP network?
>
> You can calculate your burst rate by either post-processing the RADIUS event logs from the servers, or from NetFlow data.
>
> The real-world PPS rate and BPS for RADIUS should be very low, even on a busy ISP -- our biggest problem with RADIUS traffic isn't the traffic itself, but rather giving the protocol priority on congested WAN links so it isn't dropped by an oversubscribed router. Dropped packets are primarily a problem for authentication requests, particularly if you're using RADIUS with SecurID (due to the built-in multi-second delay ACE/Server forces for all authentication requests, RADIUS or otherwise).
>
> Kevin
>
> --
> Moderator, unofficial RSA ACE/Server + SecurID users group: http://tech.groups.yahoo.com/group/securid-users/
Re: Could it be possible to extend PPPoE Error code?
> client device. In my experience there are almost no client devices that actually display the Reply-Message, but as always YMMV. It seems to me this would be something best reserved for the radius server, not the end-user to track.

In my opinion, if the customer's PC could show the exact reason for the dial-up error, the CSR could deal with customer complaints easily. As most customers use Microsoft Windows xx, could it be possible to display the Reply-Message on it? Or, if we develop standalone PPPoE software, could it be possible to display it?

Joe
Could it be possible to extend PPPoE Error code?
hi,

We provide broadband access by ADSL. The concurrent session number and access port are controlled by the RADIUS server. E.g. a PPPoE account can ONLY be used with a designated access port, and the concurrent sessions of that account are limited to 3 or 5. If a subscriber dials with a username, then a mismatching username and password, an illegal access port, and exceeding the concurrent session number all produce the same error code 691 on the subscriber's computer. We want to identify the exact reason for customer complaints. So, is it possible to extend the RADIUS server and Broadband Access Server (Juniper E series) to echo different error codes for different reasons? E.g.

- Error code 691 for wrong password
- Error code 851 for wrong access port
- Error code 852 for exceeding the limit of concurrent session number
- ..

regards

Joe
Application management in ISP network
It is heard many ISPs are implementing or plan to implement application management facilities. With such tools/facilities, it is said they could control applications in their network, such as blocking BT, degrading QoS of e2e VoIP, or controlling attack traffic. Could anyone tell me how many ISPs have done the above? To my knowledge, there are few traffic management products which could work with 10Gbps links. But ISP networks are usually made up of 10Gbps links (even 40Gbps). Could current technology deal with such a situation?

Joe
Re: Anycast applicable to Radius Server Farm?
> Can you indicate in more detail what the problems were with the L4 switch?

We separate our RADIUS servers into two farms; each farm has an L4 switch in front. To our understanding, the RADIUS authentication info and accounting info of a PPPoE session should be processed by the same RADIUS server. So, although the L4 switch provides a single IP for BRAS configuration, each BRAS is assigned a real server IP in the L4 switch. So there come the problems:

1) Load is not balanced automatically but by human estimation; there is a server whose load is twice that of some other server.

2) The L4 switch becomes a bottleneck of service availability. In past years, the L4 switch caused several service failures. Just last Friday, the L4 switch did not respond to any network packets while its ethernet interface seemed OK.

3) As the L4 switch is the only entrance to a single server farm, a DoS attack or some other kind of software bug will surely degrade the security level. While a farm using ECMP relies on server groups to resist DoS attacks.

4) Maintenance is a little bit costly. Any maintenance, no matter on a RADIUS server or on the L4 switch, needs a scheduled time window.

5) Service protection is hard (as you mentioned as the 'cascade' one). As there are two server farms, if one farm fails it takes ten or more minutes to migrate that RADIUS traffic to the other farm. This is unacceptable.

So, we are considering finding a more scalable, reliable, secure and automatic multi-farm RADIUS solution.

Joe

> If the loadbalancing is done by source/destination IP address pairs, then you can have problems when a target goes down, as all of the source/destination IP address pairs will get switched to another target which then gets into difficulty and you end up with a cascading failure. It is generally preferable to have the loadbalancing done on a weighted per-packet basis, ideally distributed according to round-trip times.
>
> Also note that you can only do per-packet loadbalancing with simple RADIUS; things like EAP that require multiple exchanges of RADIUS requests typically require state to be maintained in the single RADIUS server that is processing the entire EAP sequence.
>
> regards
>
> Hugh
>
> On 8 May 2006, at 14:07, Joe Shen wrote:
>
> > Hi,
> >
> > We have a RADIUS server farm. There is an L4 switch installed behind all servers. Incoming AAA packets are switched by the L4 switch to different servers. In previous days we met a couple of problems with the L4 switch which degraded our service a lot. Could it be possible to implement an IPv4 anycast architecture for the RADIUS server farm? Could there be any problem with the AAA procedure? Any advice will be highly appreciated.
> >
> > Joe
>
> NB: Have you read the reference manual (doc/ref.html)? Have you searched the mailing list archive (www.open.com.au/archives/radiator)? Have you had a quick look on Google (www.google.com)? Have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
> - CATool: Private Certificate Authority for Unix and Unix-like systems.
Re: Anycast applicable to Radius Server Farm - further questions?
> > Could it be any problem with AAA procedure?
>
> UDP is anycast-friendly. Your biggest problems are likely to be authentication database replication/synchronization and merging accounting records... i.e., nothing really different from standard RADIUS deployments.

What I have a problem understanding is:

1) Is it required to route traffic from a specific BRAS to exactly one server if the DB behind the RADIUS servers is synchronized periodically?

2) There are two farms, each with several servers. As the number of paths supported by Cisco/Juniper routers is limited (= 8 or 16), we could not mix those servers into one farm. Is there any way to balance load between two or more farms automatically?

> Load balancing is trickier when RADIUS servers and NASes live on the same network segment. You'll need something a la Windows Advanced Server or distributed 802.3ad. I know of no turn-key implementation of the latter;

Do you mean aggregating the interfaces of several servers into one 802.3ad trunk? I think even if NASes and RADIUS live on the same ethernet, OSPF/IS-IS could establish equal-cost paths.

thanks

Joe
Anycast applicable to Radius Server Farm?
Hi,

We have a RADIUS server farm. There is an L4 switch installed behind all servers. Incoming AAA packets are switched by the L4 switch to different servers. In previous days we met a couple of problems with the L4 switch which degraded our service a lot. Could it be possible to implement an IPv4 anycast architecture for the RADIUS server farm? Could there be any problem with the AAA procedure? Any advice will be highly appreciated.

Joe
Security control in DSL access network
Hi,

Are there any books or papers on carrier-level DSL access networks and LAN access networks? Specifically, they should analyse the features of DSL networks and the security problems in DSL networks.

Joe
Re: Security problem in PPPoE connection
> > What's your method to deal with such a problem? Will CHAP in PPPoE help?
>
> That may help against password sniffing but won't help against sniffing traffic by an active attacker once the session has been established. Also, you'll have to revisit all CPE to explicitly disable PAP, or an active attacker could still steal the password if he impersonates the real PPPoE server.

If we enable CHAP on the BRAS, is it enough to ask subscribers to enable CHAP on their MS Windows dial-up connection or Linux? Do we need to install some other tools?

Regards

Joe
Security problem in PPPoE connection
Hi,

We are facing a problem with PPPoE in an ethernet access network. To provide high-speed access, 10Mbps/100Mbps ethernet is used as the access method. But we found some guys 'steal' others' accounts by listening to broadcast packets, and they also set up 'phishing' PPPoE servers to catch those PPPoE authentication packets. With ATM DSLAMs, we could solve this by binding the account to a PVC. With ethernet, although we could separate subscribers into VLANs, there are more than 100 subscribers within one VLAN. What's your method to deal with such a problem? Will CHAP in PPPoE help?

thanks

Joe
Re: FYI - China To Launch Alternate Country Code Domains
I've read the public announcement of the Chinese Ministry of Information Industry. It just states that there will be another sub-domain, mil.cn, created besides another six English-letter sub-domains in .cn. And it also states that three Chinese-character TLDs are established, which are China/Cooperation/Network. In fact, these top-level Chinese-character TLDs have existed for years, and these TLDs have been supported by public-root.com for years. Could this be news?

From the viewpoint of computer science, a domain name is just a database structure which is used to represent an IP address. So, it should NOT be limited to a 7-bit code and should allow an 8-bit code scheme. Considering the robustness of the Internet, a distributed service system is surely better than a central one.

Joe

--- Martin Hannigan [EMAIL PROTECTED] wrote:

> At 06:54 PM 2/28/2006, Gadi Evron wrote:
>
> > william(at)elan.net wrote:
> >
> > > From: Michael Geist [EMAIL PROTECTED]
> > > Date: February 28, 2006 9:24:09 AM EST
> > > To: [EMAIL PROTECTED]
> > > Subject: China To Launch Alternate Country Code Domains
> > >
> > > Dave, China is preparing to launch what appears to be an alternate root.
> >
> > China is creating an alternate root, which it can control while using the Chinese language. I doubt I need to tell any of you about ICANN, VeriSign, Internet Governance, alternate roots or the history of these issues. Everyone else will.
>
> It may not be so clear cut. Check out Mark Jeftovic, a trusted source on DNS information, and a director of CIRA: http://blog.easydns.org/archives/60-China-Top-Level-Domain-news-possibly-not-news..html
>
> -M
>
> --
> Martin Hannigan (c) 617-388-2663
> Renesys Corporation (w) 617-395-8574
> Member of Technical Staff, Network Operations
> [EMAIL PROTECTED]
Re: Identify amount of traffic to special IP address in Radius
> why in the world would you want to do something like that rather than have another device generate flow records which you then can correlate with RADIUS accounting data?

The reason is the cost of system building. As there are a lot of broadband subscribers, if we want to correlate a subscriber with the web sites they visit, we have to make RADIUS allocate a fixed IP to a specific subscriber. NetFlow-based accounting is costly and we could not guarantee its accuracy. In fact, we only need to identify a small set of IPs which should not be considered in accounting.

Joe
dnsauth3.sys.gtei.net DNS record is poisoned???
Hi,

Today, some of our customers could not resolve state.gov via our cache server. I found state.gov is served by dnsauth1.sys.gtei.net, dnsauth2.sys.gtei.net and dnsauth3.sys.gtei.net. Using some others' DNS servers I found their IP addresses should be 4.2.49.2, 4.2.49.3 and 4.2.49.4. But our cache server (BIND 9.3.1) got some other IPs (I've tried restarting BIND 9.3.1). So, it always failed to resolve state.gov. After restarting BIND 9.3.1 again, I did rndc flush several times, then it came back. Why? Is something poisoned?

Joe

=== BIND9 got wrong server IP ===

    set debug
    dnsauth1.sys.gtei.net
    Server:  dnsv2.zjhzptt.net.cn
    Address:  202.101.172.133

    ;; res_nmkquery(QUERY, dnsauth1.sys.gtei.net, IN, A)
    Got answer:
        HEADER:
            opcode = QUERY, id = 58203, rcode = NOERROR
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 1,  authority records = 3,  additional = 2

        QUESTIONS:
            dnsauth1.sys.gtei.net, type = A, class = IN
        ANSWERS:
        -   dnsauth1.sys.gtei.net
            internet address = 128.121.126.139
            ttl = 86084 (86084)
        AUTHORITY RECORDS:
        -   gtei.net
            nameserver = dnsauth2.sys.gtei.net
            ttl = 172565 (172565)
        -   gtei.net
            nameserver = dnsauth3.sys.gtei.net
            ttl = 172565 (172565)
        -   gtei.net
            nameserver = dnsauth1.sys.gtei.net
            ttl = 172565 (172565)
        ADDITIONAL RECORDS:
        -   dnsauth2.sys.gtei.net
            internet address = 169.132.13.103
            ttl = 86084 (86084)
        -   dnsauth3.sys.gtei.net
            internet address = 192.67.198.6
            ttl = 86084 (86084)

    Non-authoritative answer:
    Name:    dnsauth1.sys.gtei.net
    Address:  128.121.126.139

== Restart bind and do rndc flush 6 times, I got: ==

    set debug
    state.gov
    Server:  hzdnsv2.zjhzptt.net.cn
    Address:  202.101.172.133

    ;; res_nmkquery(QUERY, state.gov, IN, A)
    Got answer:
        HEADER:
            opcode = QUERY, id = 20953, rcode = NOERROR
            header flags:  response, want recursion, recursion avail.
            questions = 1,  answers = 1,  authority records = 3,  additional = 3

        QUESTIONS:
            state.gov, type = A, class = IN
        ANSWERS:
        -   state.gov
            internet address = 164.109.48.80
            ttl = 1778 (1778)
        AUTHORITY RECORDS:
        -   state.gov
            nameserver = dnsauth3.sys.gtei.net
            ttl = 1778 (1778)
        -   state.gov
            nameserver = dnsauth1.sys.gtei.net
            ttl = 1778 (1778)
        -   state.gov
            nameserver = dnsauth2.sys.gtei.net
            ttl = 1778 (1778)
        ADDITIONAL RECORDS:
        -   dnsauth1.sys.gtei.net
            internet address = 4.2.49.2
            ttl = 172767 (172767)
        -   dnsauth2.sys.gtei.net
            internet address = 4.2.49.3
            ttl = 172767 (172767)
        -   dnsauth3.sys.gtei.net
            internet address = 4.2.49.4
            ttl = 172767 (172767)

    Non-authoritative answer:
    Name:    state.gov
    Address:  164.109.48.80

==
Re: DOS attack against DNS?
Last Saturday one of our web servers experienced a TCP SYN attack which took the system down for four hours. It seems there is not a good solution which could detect and defend against DoS traffic at all times. So, for the class ANY queries, should we only filter out class ANY queries on public cache servers? To my understanding, the amplifying result could also be reached by query type ANY.

Joe

--- Alon Tirosh [EMAIL PROTECTED] wrote:

> Admitted, I did not notice the type/class difference. I responded as a knee-jerk reaction, and that is my mistake.
>
> For the second part, the ANY query type is useful (when targeted at either your NS and/or public NS servers) to quickly alert to issues such as the one being discussed with GoDaddy and Nectartech right now on this list. Pick and/or set up an NS server that is TTL agnostic (flameArmor: this system is to be used for disparate up-to-date checks only, and I know by spec this is far from foolproof but it's saved my ass a couple times in the past) and checks disparate roots, and it's useful for finding or alerting to major name system, registrar, and provider issues quickly.
>
> I'm diverging off-topic, I'm sure. G'night.
>
> On 1/17/06, william(at)elan.net [EMAIL PROTECTED] wrote:
>
> > Did you notice that it was class ANY and not type ANY that Paul noted? I've never ever heard of it being used anywhere.
> >
> > As for ANY query type, what do you think will happen when you query with ANY to a host in a domain that is not in your local dns server cache? And btw if it is in your dns cache, how predictable do you think such results are going to be???
> >
> > On Tue, 17 Jan 2006, Alon Tirosh wrote:
> >
> > > Not true. The ANY query has multiple uses for consolidating multiple diagnostic queries into a single display, and also for diversion monitoring systems on small domains or groups of same. Not all of us have the resources (or time) of large ISPs behind us.
> > >
> > > On 15 Jan 2006 17:27:40 +, Paul Vixie [EMAIL PROTECTED] wrote:
> > >
> > > > client xx.xx.xx.xx#6704: query: z.tn.co.za ANY ANY +E
> > > >
> > > > class ANY has no purpose in the real world, not even for debugging. if you see it in a query, you can assume malicious intent. if you hear it in a query, you can safely ignore that query, or at best, map it to class IN.
> > > >
> > > > --
> > > > Paul Vixie
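An added detection example, not from the thread: a classifier over BIND query-log lines in the shape Paul Vixie quoted, separating class ANY queries (which his note says can be dropped or mapped to IN) from type ANY queries in class IN, which are counted per client so a resolver operator can see who is sending many of them. The log lines are constructed; the 192.0.2.0/24 addresses are placeholders.

```python
"""Classify BIND query-log lines by QCLASS/QTYPE ANY and summarise per client."""
import re
from collections import Counter

# Matches the query-log shape quoted in the thread ("client a.b.c.d#port: query:
# name class type flags") and also tolerates the later BIND 9 variant that adds
# "@0x..." and "(name)" after the client address.
LINE_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+)"
    r"(?: \([^)]*\))?:\s+query:\s+(?P<name>\S+)\s+(?P<qclass>\S+)\s+(?P<qtype>\S+)"
)


def parse_query_line(line):
    """Return a dict with ip, port, name, qclass, qtype, or None when the line
    is not a query-log entry."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    entry["port"] = int(entry["port"])
    return entry


def classify(entry):
    """'class-any': QCLASS ANY, which the thread says has no real-world purpose
    (drop it or map it to IN). 'type-any': QTYPE ANY in a real class, used for
    diagnostics but also the amplification shape, so worth counting per client.
    Anything else is 'normal'."""
    if entry["qclass"].upper() == "ANY":
        return "class-any"
    if entry["qtype"].upper() == "ANY":
        return "type-any"
    return "normal"


def summarize(lines, type_any_threshold=3):
    """Walk log lines and return (category counts, clients that sent class ANY,
    clients whose type-ANY count reached the threshold)."""
    counts = Counter()
    type_any_by_client = Counter()
    class_any_clients = set()
    for line in lines:
        entry = parse_query_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        category = classify(entry)
        counts[category] += 1
        if category == "class-any":
            class_any_clients.add(entry["ip"])
        elif category == "type-any":
            type_any_by_client[entry["ip"]] += 1
    noisy = {ip for ip, n in type_any_by_client.items() if n >= type_any_threshold}
    return counts, class_any_clients, noisy


# Constructed sample: the line shape from the thread with placeholder clients,
# plus one line in the newer BIND 9 format.
SAMPLE_LOG = """\
client 192.0.2.10#6704: query: z.tn.co.za ANY ANY +E
client 192.0.2.11#53211: query: www.example.com IN A +
client 192.0.2.12#4000: query: example.com IN ANY +E
client 192.0.2.12#4001: query: example.com IN ANY +E
client 192.0.2.12#4002: query: example.com IN ANY +E
client 192.0.2.13#1234: query: mail.example.net IN MX +
client @0x7f0123456789 192.0.2.14#40000 (example.org): query: example.org IN ANY +E(0)K (192.0.2.53)
not a query log line at all
""".splitlines()

if __name__ == "__main__":
    counts, class_any, noisy = summarize(SAMPLE_LOG)
    print(dict(counts))
    print("class ANY senders:", sorted(class_any))
    print("type ANY senders at or over threshold:", sorted(noisy))
```

Class ANY is a per-query decision (one line is enough); type ANY only becomes interesting in volume, which is why it is counted per source rather than flagged outright.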
Gmail Contact and Gmail bugs
Hi,

Is there a way to contact Gmail? Messages in my Gmail account could not be accessed for three days. When I try to click on any message (or search, move to another folder ...) it always pops up with "Oops, the system was unable to perform your operation. Please try again in a few seconds."

Joe
Re: Two Tiered Internet
What I'm interested in is how the two service providers will build a two-tiered Internet. In our experience, the current QoS mechanism (WRR + multiple queues) could not differentiate service quality when bandwidth is overprovisioned. If there is congestion, why should I stay with it while there is another ISP who says there is no congestion in their network? If a hard-limited bandwidth allocation mechanism is available, how could they calculate the bandwidth of each service class? How could they deal with the complexity of network management? How could they deal with security problems?

Looking at IPTV, I'm not sure where millions of people use such a service; but I do know P2P IPTV applications (like ppstream) could provide good quality and multiple TV programs even when bandwidth is limited.

So, IMO this is a game between ISPs, new technology, content providers and internet users. Currently, content providers are the ONLY winner.

Joe

--- Jared Mauch [EMAIL PROTECTED] wrote:

> On Wed, Dec 14, 2005 at 05:14:46PM -0800, Tony Li wrote:
>
> > > I guess you missed all those trenches being dug in Verizon land to install fiber to the home. I guess you missed all the network upgrades in ATT/SBC and Bellsouth land to shorten their copper loop distances. Sounds like they are manufacturing more bandwidth and the zero sum game is getting bigger.
> >
> > I believe it when it gets to my street. So far, the reality is Really Slow DSL, with service and installation times measured in weeks at costs that aren't competitive. So yes, I missed all of that.
>
> Ditto. No matter how many million IPTV users there are, it's not reaching the area where I live. I'd love Verizon to come into the chunk of the SBC area where I live that is adjacent to their existing service area and attempt to compete with each other.
>
> - jared
>
> --
> Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
> clue++; | http://puck.nether.net/~jared/ My statements are only mine.
RE: QoS for ADSL customers
Could iptables control traffic by inspecting layer-7 information? As someone suggested, bandwidth allocation could be done with TCP protocol control (ACK dropping or so); how can we do that? NBAR only limits the bandwidth, and in our experience with the Cisco 7609 it costs a lot of CPU time! Where can I find QoS experiment results and sample configurations for the ERX14xx?

Joe

--- Ejay Hire [EMAIL PROTECTED] wrote:

> Hello. Going back to your original question, how to keep from saturating the network with residential users using bittorrent/edonkey et al, while suffocating business customers. Here goes.
>
> Netfilter/IpTables (and a slew of commercial products I'm sure) has a Layer 7 traffic classifier, meaning it can identify specific file transfer applications and set a DiffServ bit. This means it can tell between a real http request and an edonkey transfer, even if they are both using http. It also has rate-limiting capability.
>
> So... If you pass all of the traffic destined for your DSL customers through an iptables box (single point of failure) then you can classify and rate-limit the downstream rate on a per-application basis. Fwiw, if you are using diffserv bits, you could push the rate-limits down to the router with a qos policy in it instead of doing it all in the iptables box.
>
> References on this.. The netfilter website (for classification info) and the Linux advanced router tools (LART) (qos info/rate limiting)
>
> -e
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kim Onnel
> Sent: Thursday, December 01, 2005 3:26 AM
> To: NANOG
> Subject: Re: QoS for ADSL customers
>
> > Can anyone please suggest to me any commercial or non-commercial solution to cap the download stream traffic? Our upstream will not receive marked traffic from us, so what can be done?
> >
> > On 11/29/05, Kim Onnel [EMAIL PROTECTED] wrote:
> >
> > > Hello everyone,
> > >
> > > We have a Juniper ERX as BRAS for ADSL; its GigE interface is on an old Cisco 3508 switch with an old IOS; its gateway to the internet is a 7609; our transit internet links terminate on GigE Flexwan on the 7600. The links are now almost always fully utilized; we want to do some QoS to cap our ADSL downstream, to give room for the Corp. customers' traffic to flow without pain. I'm here to collect ideas, comments, advice and experiences for such situations. Our humble approach was to collect some p2p ports and police traffic to these ports, but the traffic wasn't much. One other thing is rate-limiting per ADSL customer IPs, but that wasn't supported by management, so we thought of matching ADSL www traffic and doing exceed action is transmit, and policing other IP traffic. Doing so on the ERX wasn't a nice experience, so we're trying to do it on the Cisco.
> > >
> > > Thanks
Re: QoS for ADSL customers
> While some people will cry network neutrality and think the Yellow Pages must sell only one size listing, some people are willing to pay for differentiated service. Trying to classify bad traffic can be done using products like Sandvine. But it may be easier to classify premium traffic and mark it for special handling, and then treat everything that isn't marked as premium traffic as best effort traffic. That may be a simple method to differentiate service between customers.

Considering the e2e QoS parameters required by different network applications, multiple service levels need to be supported in the ISP network (both intra-ISP network and inter-ISP network).

> But expect great wailing and gnashing of teeth over setting or changing DSCP/TOS bits or creating different queues for different traffic. Should DSCP bits in IP headers be treated like TTL bits which are modified by the network? Should ISPs use anti-spoofing techniques similar to prevent the use of arbitrary IP addresses to control DSCP/TOS values in packet headers?

To Kim's situation, IP packet header based (or access interface based) traffic classification is practical. If application based traffic classification is required, tools from Sandvine or Packeteer may have to be sited between the ERX1440 and the Cisco 7609.

IMHO, an ISP network should NOT trust any TOS/DSCP set by its customers; so classifying and (re)tagging must be done in the PE or BRAS. On the other hand, anti-spoofing configuration must be enabled in the ERX1440 or 7609. Anyway, I don't trust current routers' ability on content based traffic delivery.

> Most routers already give priority to some types of traffic, such as routing update packets.

Only with routing protocol packets, it's far from what we need for service differentiation.

Would Kim share his experience with this work?

Joe
P2P Skype traffic control in ISP networks
It seems some ISPs have started to introduce management facilities into their networks. Are those products carrier-level?

Reference: http://webreprints.djreprints.com/1341970908457.html

Joe
Re: the iab simplifies internet architecture!
Maybe Bob Braden's presentation in the e2e task group could be of some help. In fact, they have just started to discuss what the next generation architecture will be, but have not reached agreement at all.

http://www.isi.edu/~braden/e2e-tf/braden.newarch.ppt

Joe

--- Randy Bush [EMAIL PROTECTED] wrote:

> > > it is bad in the long term to add hierarchy to routing
> >
> > url for the stream? i -have- to see this ...
>
> reported verbatim separately by two friends who have routing clue but not enough clue to stay away from the iitf. so you may just have to wait. but it will be a classic. if you can get and edit it, send it to boing boing or /.
>
> randy
To get internet full routing table
Hi,

Is it possible to get the full internet routing table without help from an upstream ISP? Or is there any way to get some backbone network's internet routing table directly?

thanks

Joe
estimating VoIP data traffic size from VoIP signaling traffic size?
Hi,

Are there any statistics on aggregated VoIP signaling bandwidth versus aggregated VoIP data bandwidth? E.g. if we monitored 2 Mbps (average) of traffic on VoIP signaling protocol ports (including SIP, H.323, MGCP), how could we estimate the average VoIP data bandwidth?

Joe
First step of network optimization
Hi,

This may be an OOO..LD topic which has been talked about, discussed or argued for years. ISP networks may need to be optimized continuously. But it seems people have different views of optimization when they use this word in different places; sometimes optimization means adding more access routers, adding more link bandwidth or adding more servers, while it could also be used to point to the requirement of removing sub-areas in OSPF or simplifying the network structure.

Is there a common sense on the target of network optimization? Or is there a common starting line for such work? What should be the model of an optimized ISP network (or PoP site)? Are there books on this topic?

Joe
Re: First step of network optimization
Thanks for the response.

> You want to optimize for the lowest monetary cost network that still allows you to meet all the SLA's you've negotiated. And this depends on what you negotiated - for instance, if the SLA specifies 3 9's of reliability, spending money to build a 4 9's network is cutting into your profits. Of course, if the SLA's are biased towards latency or bandwidth, you'll have to consider those.

There is always someone who claims his network could reach availability of 99.9% or so, but I don't understand how network availability should be measured or figured out. Is there any paper on this?

Focusing on the SLA of a network, an ISP network or PoP site should not carry only one type of business traffic (e.g. broadband access, MPLS-VPN, L2 VPN etc.); if we consider it simply by taking the network as a single system, optimization will surely be of no use.

Looking at the PoP site, is there any recommendation on its design? Is a layer-2 access model better than a router based system?

Joe

> And remember that there usually isn't one right answer for anything but the most simple problems - almost always, some constraint will be placed on the solution. Often it's of the form "The salesdroid just promised XYZ", also known as the "Don't let your mouth write no check your router can't cash" syndrome. If it isn't that, it's a financial issue inside the company - there's always the network you *want* to build, which is almost never the network that your revenue stream will allow you to build.
Tools classifying network traffic to applications
Hi,

As far as I know there are tools designed to analyze VoIP traffic, but from the viewpoint of traffic management this is not enough. Is there a tool which could classify network traffic by its applications? E.g. the tool captures network traffic and recognizes its application type automatically: if 80% of tcp/80 traffic is web browsing, tcp/80 is recognized as WEB browsing; if 80% of tcp/1234 is eDonkey, it is recognized as the eDonkey application.

Joe
Re: Tools classifying network traffic to applications
hi,

Christopher L. Morrow wrote:

> which can't really tell bittorrent (or ssh or aim or...) over tcp/80 from http over tcp/80... I think Joe's looking for something that knows what protocols look like below the port number and can spit out numbers for that... these, it would seem to me, would all require in-line traffic capture or mirrored port (mirrored traffic, not necessarily an ethernet port mirror) to be effective.

Yes, that's what I want: find out what application uses what protocol and what port number, then apply that result to a netflow analysis system which could be used to get statistics from multiple sites.

> We can do that up to 2Gbps; http://www.rommon.com/ , BitTorrent, KaZaa, eDonkey, HTTP, etc. supported.

It seems to focus on P2P applications. Is there a tool supporting as many applications as possible (including p2p, voip, web, ftp, network games, etc.)?

regards

Joe
Load Balancing between multiple BGP peer connections
Hi,

How could the load on multiple BGP peer links be balanced automatically? The situation we are facing:

    +--------------------------------+
    |        Service provider        |
    |      ----R1---------R2----     |
    +---------|\----------|----------+
              | \         |
        E-BGP |  \        |
              |   \       |
    +---------|----\------|----------+
    |         R3    R4----+          |
    |        Our Network (OSPF)      |
    +--------------------------------+

The three links between our network and the service provider network are all 1Gbps. Now we notice that the load on links R1-R3 and R1-R4 is about 50% (in/out), but the load on R2-R4 is about 90% (in/out). How could we balance the load on the three links automatically? Or must we tune the routes manually? Is there any technical guide on this?

thanks in advance.

Joe
Arbor's technical support contact?
Hi,

How can I contact Arbor's technical support engineer?

Joe
SNMP tool summarizing multiple interfaces' traffic data
Hi,

Besides monitoring in/out traffic on each egress link, is there a tool which could provide summary bandwidth utilization over two or more router interfaces?

thanks

Joe
What application runs on port 8094?
Hi,

Using a netflow based monitoring tool, I noticed there is a lot of traffic on 8094/UDP and 4662/TCP (both exceed 1Gbps, and exist all the time). What application uses those ports? Is there any P2P application that uses UDP as its transport protocol?

thanks in advance.

Joe
Re: Provider-based DDoS Protection Services
Hi,

I'm very interested in technical solutions for ISP based (D)DoS protection. Where can I find documents/information on it?

thanks.

Joe
Enable BIND cache server to resolve Chinese domain names?
Hi,

Some of our customers complained they could not visit their web sites, which use Chinese domain names. I googled the net and found someone recommending the use of public-root.com servers in the hint file. I found domain names like xn--8pru44h.xn--55qx5d could not be resolved either. Our cache server runs BIND 9.3.1 with the root server list from rs.internic.net. Do I need to modify our cache server configuration to enable it?

regards

Joe
Re: Enable BIND cache server to resolve Chinese domain names?
Hi,

> Only if you wish to do all your other customers a disfavour by configuring your caching servers to support a private namespace then yes.

The problem is Chinese domain names are hosted and could be registered by people around. So, we just have to enable as much service as possible.

Joe
Re: Is my BIND Server's Cache Poisoned?
Hi, thanks for the help.

> Because IPv6 aware nameservers make queries for the IPv6 addresses of the nameservers and as a result see the NXDOMAIN / CNAME. The IPv4 only nameservers don't make these queries, as a matter of practice, and only see the problems if some client of the nameserver makes a query for some records with the same name as that of the nameservers.

I've run the BIND9 cache server with the -4 option. Is there any way to make BIND9 fault tolerant?

Joe
Is my BIND Server's Cache Poisoned?
Hi,

I met a strange problem with my cache server, which runs BIND 9.3.1. In past days, our customers complained that three domain names (www.hangzhou.gov.cn, www.zpepc.com.cn) could not be resolved frequently. I checked on the cache server and found that when the cache server could not resolve www.hangzhou.gov.cn (www.zpepc.com.cn), I could solve the problem by running rndc flush. The debugging output of the named process has the following output when it could not resolve www.hangzhou.gov.cn. Does that mean my cache server is poisoned for these two domain names?

===
24-Jun-2005 19:02:00.015 client 202.101.172.148#32769: UDP request
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: request is not signed
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: recursion available
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: query
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: query (cache) 'www.hangzhou.gov.cn/A/IN' approved
24-Jun-2005 19:02:00.026 client 202.101.172.148#32769: view internal-in: replace
24-Jun-2005 19:02:00.026 clientmgr @2addf8: createclients
24-Jun-2005 19:02:00.026 clientmgr @2addf8: create new
24-Jun-2005 19:02:00.026 client @3c19f28: create
24-Jun-2005 19:02:00.026 createfetch: www.hangzhou.gov.cn A
24-Jun-2005 19:02:00.026 client @3c19f28: udprecv
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): create
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): join
24-Jun-2005 19:02:00.026 fetch 2739250 (fctx 37ad318(www.hangzhou.gov.cn/A)): created
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): start
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): try
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.026 fctx 37ad318(www.hangzhou.gov.cn/A'): getaddresses
24-Jun-2005 19:02:00.027 fctx 37ad318(www.hangzhou.gov.cn/A'): query
24-Jun-2005 19:02:00.027 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): send
24-Jun-2005 19:02:00.027 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): sent
24-Jun-2005 19:02:00.027 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): senddone
24-Jun-2005 19:02:00.049 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): response
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): noanswer_response
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cache_message
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelquery
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): try
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.049 fctx 37ad318(www.hangzhou.gov.cn/A'): getaddresses
24-Jun-2005 19:02:00.050 fctx 37ad318(www.hangzhou.gov.cn/A'): query
24-Jun-2005 19:02:00.050 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): send
24-Jun-2005 19:02:00.050 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): sent
24-Jun-2005 19:02:00.050 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): senddone
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): noanswer_response
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cache_message
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelquery
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): try
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): getaddresses
24-Jun-2005 19:02:00.052 fctx 37ad318(www.hangzhou.gov.cn/A'): query
24-Jun-2005 19:02:00.052 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): send
24-Jun-2005 19:02:00.053 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): sent
24-Jun-2005 19:02:00.053 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): senddone
24-Jun-2005 19:02:00.054 resquery 74b4870 (fctx 37ad318(www.hangzhou.gov.cn/A)): response
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): answer_response
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): cache_message
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): clone_results
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelquery
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): done
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): stopeverything
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): cancelqueries
24-Jun-2005 19:02:00.054 fctx 37ad318(www.hangzhou.gov.cn/A'): sendevents
24-Jun-2005 19:02:00.054 fetch 2739250 (fctx 37ad318(www.hangzhou.gov.cn/A)):
Re: Malicious DNS request?
Hi, thanks for your help.

I noticed that the requests for those non-existent domain names disappeared yesterday. But the NXDOMAIN record in named.stats keeps increasing (see attachment).

I'm using BIND 9.2.5 and BIND 9.3.1 on two Solaris boxes; each box has two CPUs installed. It is found that BIND 8.4.6 running on one CPU could reach the throughput of BIND 9.*.* running on two CPUs. Could we improve server throughput or lower the effect of those requests for NXDOMAIN?

Joe
Re: Malicious DNS request?
Sorry to attach the rndc stats result. I ran rndc stats continuously (interval less than 2 seconds); it shows:

success 17950622
referral 225680
nxrrset 1691861
nxdomain 11203490
recursion 3648017
failure 1363923
...
--- Statistics Dump --- (1116319437)
+++ Statistics Dump +++ (1116322885)
success 18889882
referral 229772
nxrrset 1809835
nxdomain 11474755
recursion 3825876
failure 1415044
--- Statistics Dump --- (1116322885)
+++ Statistics Dump +++ (1116322886)
success 18890342
referral 229772
nxrrset 1809868
nxdomain 11474873
recursion 3825976
failure 1415052
--- Statistics Dump --- (1116322886)

Joe
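As an added example (not from the thread), the following Python parses dumps in the BIND 9.2/9.3 named.stats format shown above and turns the cumulative counters into per-interval deltas and rates, so an NXDOMAIN surge stands out against normal load instead of being buried in totals since named started. The three embedded dumps are constructed from the counter values quoted in the post (the first dump's header is added so it parses), and the flagging thresholds are assumptions.

```python
"""Turn BIND 9.2/9.3 named.stats dumps into per-interval NXDOMAIN rates.

The counters in named.stats are cumulative since named started, so one dump
says little; the signal is in the deltas between consecutive dumps.
"""
import re
from typing import Dict, List

# Constructed sample: three dumps built from the counter values quoted in
# the post (the first dump's "+++" header is added so it parses).
SAMPLE_STATS = """\
+++ Statistics Dump +++ (1116319437)
success 17950622
referral 225680
nxrrset 1691861
nxdomain 11203490
recursion 3648017
failure 1363923
--- Statistics Dump --- (1116319437)
+++ Statistics Dump +++ (1116322885)
success 18889882
referral 229772
nxrrset 1809835
nxdomain 11474755
recursion 3825876
failure 1415044
--- Statistics Dump --- (1116322885)
+++ Statistics Dump +++ (1116322886)
success 18890342
referral 229772
nxrrset 1809868
nxdomain 11474873
recursion 3825976
failure 1415052
--- Statistics Dump --- (1116322886)
"""

DUMP_START = re.compile(r"^\+\+\+ Statistics Dump \+\+\+ \((\d+)\)$")
DUMP_END = re.compile(r"^--- Statistics Dump --- \((\d+)\)$")
COUNTER = re.compile(r"^([a-z]+) (\d+)$")

# Outcome classes that partition answered queries. 'recursion' is excluded:
# it counts queries that needed recursion and overlaps the other classes.
ANSWER_CLASSES = ("success", "referral", "nxrrset", "nxdomain", "failure")


def parse_dumps(text: str) -> List[Dict]:
    """Return one {'ts': epoch, 'counters': {...}} per complete dump."""
    dumps, current = [], None
    for line in text.splitlines():
        m = DUMP_START.match(line)
        if m:
            current = {"ts": int(m.group(1)), "counters": {}}
            continue
        m = DUMP_END.match(line)
        if m and current is not None:
            if int(m.group(1)) != current["ts"]:
                raise ValueError("mismatched Statistics Dump markers")
            dumps.append(current)
            current = None
            continue
        m = COUNTER.match(line)
        if m and current is not None:
            current["counters"][m.group(1)] = int(m.group(2))
    return dumps


def interval_stats(dumps: List[Dict]) -> List[Dict]:
    """Deltas, per-second rates and NXDOMAIN share between consecutive dumps."""
    out = []
    for prev, cur in zip(dumps, dumps[1:]):
        dt = cur["ts"] - prev["ts"]
        delta = {k: cur["counters"][k] - prev["counters"].get(k, 0)
                 for k in cur["counters"]}
        # A negative delta means named was restarted: skip that interval.
        if dt <= 0 or any(v < 0 for v in delta.values()):
            continue
        answered = sum(delta.get(k, 0) for k in ANSWER_CLASSES)
        out.append({
            "start": prev["ts"],
            "dt": dt,
            "delta": delta,
            "rate": {k: v / dt for k, v in delta.items()},
            "nxdomain_share": delta.get("nxdomain", 0) / answered if answered else 0.0,
        })
    return out


def flag_intervals(intervals: List[Dict], share_threshold: float = 0.10,
                   qps_threshold: float = 50.0) -> List[Dict]:
    """Intervals where NXDOMAIN is both a large share and a high absolute rate.

    Thresholds are assumptions; tune them against your own baseline.
    """
    return [i for i in intervals
            if i["nxdomain_share"] > share_threshold
            and i["rate"].get("nxdomain", 0.0) > qps_threshold]


if __name__ == "__main__":
    for i in flag_intervals(interval_stats(parse_dumps(SAMPLE_STATS))):
        print("%d: %d s, nxdomain %.1f q/s, %.1f%% of answers" % (
            i["start"], i["dt"], i["rate"]["nxdomain"], 100 * i["nxdomain_share"]))
```

Feed it the concatenated output of periodic rndc stats runs; the 3448-second and 1-second intervals in the sample both show NXDOMAIN near 20% of answers.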
Re: Malicious DNS request?
Paul,

I'm sorry if this is JUST about BIND or some other specific software. But, IMHO, this is just a sample of requests which only generate NXDOMAIN responses. According to someone's presentation at NANOG ("DNS anomalies and their impact on DNS Cache Servers"), such records may be a type of attack. If we only rely on caching to remove the pain of CPU time, cache server load will be increased. So, what I'm trying to ask is, is there some mechanism proposed to deal with such a problem? BIND is just a sample.

joe

--- Paul Vixie [EMAIL PROTECTED] wrote:

> [EMAIL PROTECTED] (Joe Shen) writes:
>
> > I'm using BIND 9.2.5 and BIND 9.3.1 on two Solaris boxes; each box has two CPUs installed. It is found that BIND 8.4.6 running on one CPU could reach the throughput of BIND 9.*.* running on two CPUs. Could we improve server throughput or lower the effect of those requests for NXDOMAIN?
>
> yes. but we isn't nanog. can you take your bind-specific questions to a bind-related mailing list or newsgroup? www.isc.org has pointers.
>
> --
> Paul Vixie
Malicious DNS request?
Hi,

In past days I noticed the nxdomain statistics in named.stats keep increasing (I run it every 5 min). By tcpdump, it's found that a remote computer keeps asking for the addresses of records like 999d38e693b9e6293b450.0existence.com, 60d38e693b9e6293b450.0be6c1xfa.net. Is that a virus-infected computer? How could such requests be filtered, or their effect on the DNS server minimized?

regards

Joe
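The tcpdump observation above, as an added example that is not from the thread: this Python parses tcpdump-style DNS query lines, scores the leftmost label of each name for randomness (long and pure hex, or high character entropy) and reports sources whose queries are mostly such names under a few parent zones, which is how a random-subdomain NXDOMAIN flood looks from the resolver's side. The capture is constructed (only the two parent domains come from the post), and the thresholds are assumptions.

```python
"""Flag resolver clients sending floods of random-label queries.

Parses tcpdump-style DNS query lines, scores the leftmost label of each
query name for randomness, and reports sources whose queries are mostly
random-looking names under a handful of parent zones.
"""
import math
import re
from collections import defaultdict
from typing import Dict, List

# Constructed capture (not from the post): one client hammering random hex
# labels under the two parent domains the post mentions, one ordinary client.
SAMPLE_CAPTURE = """\
19:02:00.015 IP 198.51.100.9.40001 > 192.0.2.53.53: 4451+ A? 999d38e693b9e6293b450.0existence.com. (39)
19:02:00.021 IP 198.51.100.9.40001 > 192.0.2.53.53: 4452+ A? 60d38e693b9e6293b450.0be6c1xfa.net. (38)
19:02:00.030 IP 198.51.100.9.40001 > 192.0.2.53.53: 4453+ A? 7c1e2a9f0b4d8e6a3f51.0existence.com. (38)
19:02:00.041 IP 198.51.100.9.40001 > 192.0.2.53.53: 4454+ A? a0b1c2d3e4f5a6b7c8d9e0.0be6c1xfa.net. (40)
19:02:00.052 IP 198.51.100.9.40001 > 192.0.2.53.53: 4455+ A? 3e8f9a0b1c2d4e5f6a7b.0existence.com. (38)
19:02:00.063 IP 198.51.100.9.40001 > 192.0.2.53.53: 4456+ A? 5d6e7f8a9b0c1d2e3f4a5b.0be6c1xfa.net. (40)
19:02:00.070 IP 203.0.113.5.32769 > 192.0.2.53.53: 9001+ A? www.example.com. (33)
19:02:00.084 IP 203.0.113.5.32769 > 192.0.2.53.53: 9002+ MX? example.net. (29)
19:02:00.090 IP 203.0.113.5.32769 > 192.0.2.53.53: 9003+ A? www.hangzhou.gov.cn. (37)
"""

# tcpdump prints: <time> IP <src>.<sport> > <dst>.<dport>: <id>[+] <qtype>? <qname>. (<len>)
QUERY_LINE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+: \d+\+? "
    r"(?P<qtype>[A-Z]+)\? (?P<qname>\S+)\. \(\d+\)$"
)
HEX_LABEL = re.compile(r"^[0-9a-f]+$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, from the label's own character frequencies."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_random(label: str, min_len: int = 12, entropy_threshold: float = 3.5) -> bool:
    """Long labels that are pure hex, or whose characters are near-uniform."""
    label = label.lower()
    if len(label) < min_len:
        return False
    return bool(HEX_LABEL.match(label)) or shannon_entropy(label) > entropy_threshold


def parse_queries(capture: str) -> List[Dict[str, str]]:
    """Extract source address, qtype and qname from each tcpdump query line."""
    out = []
    for line in capture.splitlines():
        m = QUERY_LINE.match(line)
        if m:
            out.append(m.groupdict())
    return out


def suspicious_sources(queries: List[Dict[str, str]], min_queries: int = 5,
                       min_share: float = 0.8) -> Dict[str, Dict]:
    """Sources whose queries are mostly random labels; thresholds are assumptions."""
    per_src = defaultdict(lambda: {"total": 0, "random": 0, "zones": set()})
    for q in queries:
        labels = q["qname"].split(".")
        stats = per_src[q["src"]]
        stats["total"] += 1
        if looks_random(labels[0]):
            stats["random"] += 1
            stats["zones"].add(".".join(labels[1:]))
    flagged = {}
    for src, s in per_src.items():
        if s["total"] >= min_queries and s["random"] / s["total"] >= min_share:
            flagged[src] = {"total": s["total"], "random": s["random"],
                            "zones": sorted(s["zones"])}
    return flagged


if __name__ == "__main__":
    for src, info in suspicious_sources(parse_queries(SAMPLE_CAPTURE)).items():
        print(src, info["random"], "of", info["total"],
              "queries look random; zones:", ", ".join(info["zones"]))
```

The flagged source and its parent zones are what you would hand to an ACL or a per-client rate limit; the ordinary client with short dictionary labels is not touched.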
Re: Schneier: ISPs should bear security burden
Hi,

Maybe this is an OLD topic, but the problem is what is security? Or how to define a secure internet access service. E.g. should an ISP be responsible for managing applications transmitted across its backbone? If so, how to define a standard application model while keeping the internet a flexible platform? Could we maintain the scalability of the IP network while keeping it secure and high performance? From a business consideration, would people pay more money for a limited, secure internet access service while his/her child is able to visit those Nude websites?

So, IMHO, it's a good idea but it's not a feasible proposal.

Joe

--- Jerry Pasker [EMAIL PROTECTED] wrote:

> > I've been there -- I know how I feel about it -- but I'd love to know how ISP operations folk feel about this.
>
> It means 10 different things to 10 different people. The article was vague. Security could mean blocking a few ports, simple Proxy/NAT, blocking port 25 (or 139... or 53.. heh heh) or a thousand different things. There is a market for this, it's called managed services.
Detecting VoIP traffic in ISP network
Hi,

We want to collect statistics in our backbone networks. Is there any good method for this? Is there any product for this?

Joe
Re: Detecting VoIP traffic in ISP network
No, it's not for legislation. In fact, we're planning to collect information on how people use the internet as a voice carrier and the voice communication quality they get. In this way, it could be evaluated what the best possible way of resource provisioning is and how NGN voice traffic should be carried at the best performance/cost ratio.

joe

--- Suresh Ramasubramanian [EMAIL PROTECTED] wrote:

> Local telco concerned about voip eating into their revenues, and wants to push through legislation or something? :)
>
> On 4/27/05, Joe Shen [EMAIL PROTECTED] wrote:
> > we want to collect statistics in our backbone networks. Is there any good method for this? Is there any product for this?
> >
> > Joe
>
> --
> Suresh Ramasubramanian ([EMAIL PROTECTED])
Intradomain DNS Anycast revisited
Hi,

I'm trying to set up an anycast DNS server farm for customer service. In order to improve availability, we plan to install those servers in one LAN which has a structure like:

server-(1,3)---switch1---router-1---(outside)
                  |
                  |
server-(2,4)---switch2---router-2---(outside)

The four servers are all unix boxes; switch-1 and switch-2 are interconnected to guarantee availability. BIND is to be used as the DNS cache server software, and Quagga OSPFD is used as the routing software. According to the above configuration, both routers will know multiple paths to the DNS cache servers, while each DNS cache server should know two paths to the outside network.

Here come my questions:

1) Should each DNS cache server be configured with a static default route (0.0.0.0/0.0.0.0)? If server-(1,3) is configured statically to use router-1 as default router, will Quagga make it use router-2 when router-1 is not reachable?

2) If each server is configured with two default routers (router-1 and router-2), or each server learns the route 0.0.0.0/0.0.0.0 by OSPF (our border router injects the default route into OSPF), there should be two equal cost paths to 0.0.0.0/0.0.0.0 on each DNS server; the DNS server would disperse outgoing packets onto the two paths. Will that do harm to the DNS service?

3) Is there any requirement on BIND to fit such a multipath routing situation?

Joe
Re: Intradomain DNS Anycast revisited
thanks.

> No, because both routers are reached through the same L1/L2 medium, so Quagga can't use link-state to determine reachability of the next-hop. You could fix that by getting rid of the switches, and just having a bunch of router interfaces facing two Ethernet interfaces on each server, which would remove some points of failure, and would be a good idea if you can spare the router interfaces...

Do you mean Quagga's OSPF route has higher priority than the static route? Or, even if there is a static default route configured, once Quagga detects the link to the default router is down it will replace 0.0.0.0/0.0.0.0 in the host routing table?

> > 2) If each server is configured with two default routers (router-1 and router-2), or each server learns the route 0.0.0.0/0.0.0.0 by OSPF (our border router injects the default route into OSPF), there should be two equal cost paths to 0.0.0.0/0.0.0.0 on each DNS server; the DNS server would disperse outgoing packets onto the two paths. Will that do harm to the DNS service?
>
> Nope, no problem, particularly so long as the two routers are iBGP peers, so they'll both (for the most part) have the same idea of what selected paths are.

I don't understand why both routers should be iBGP peers. In fact, iBGP does not run on those two routers; the two routers are only members of the OSPF backbone area and run only OSPF; only the border router (at the edge of our network) runs BGP and injects the default route into the OSPF backbone area.

Although all DNS servers are cache servers, we have to open 53/TCP to allow resolvers to use TCP. For example,

server-(1,3)--switch--router-1--\
                 |               (OSPF only) router3--host
server-(2,4)--switch--router-2--/

Is it possible that router3 or router-1 disperses packets of the same TCP connection onto different paths? Is there any possibility that a DNS request is divided into multiple UDP packets?

> > 3) Is there any requirement on BIND to fit such a multipath routing situation?
>
> Nope. BIND doesn't know what's going on that far below it.

Do I only need to configure BIND to originate requests from the administration IP address (configured on the NIC and different from the DNS service address)?

regards

Joe
Traceroute with ASN
Hi,

Maybe this is an OLD question. But where can I get a traceroute program which can show the ASN beside each hop IP address? I know a router with full BGP routes could traceroute with ASN, but can a linux box do the same?

thanks

Joe
How to identify interconnection relationship between AS?
Hi,

I'm trying to identify how an AS is interconnected with other ASes. For example, I can access our border router which has BGP running, and I want to know how another AS (e.g. 1234) is connected to the internetwork (e.g. AS1234 interconnects with AS1235, AS1236, AS1345). How can I do it?

thanks

Joe
Re: Is current DDoS detecting method effective?
Hi,

> you aren't distinguishing between 'dos attack' and 'scan' or 'probe' or 'welcome to the Internet!' traffic. The Arbor systems may see 'scan' traffic (depending upon sample rates and traffic loads) and they may not... They aren't designed to see that, they are designed to: (speaking of peakflow SP, peakflow Traffic, peakflow DoS only... peakflow X isn't really a 'provider' solution as much as a 'enterprise' tool)

That's why I think the current tools are not enough, because we cannot assume ongoing traffic is not malicious while the tools are building up a 'normal' traffic model in ISP networks. But in an enterprise network this could be achieved, because the traffic pattern for an enterprise could be estimated, and the load on a special server could be controlled by threshold (but think about the CNN website on 9/11).

> 1) to watch traffic and alarm against thresholds
> 2) track traffic trends over time
> 3) report traffic trends over time

So, it needs to define what should be monitored (port, protocol, application data set ...)?

> (possibly some other things out of scope of this discussion... someone from Arbor could/should clarify) Some of your cflowd gathering should also see these things, but they will need data correlation, something Arbor already went to the trouble of doing for you... So, define: attack and then see if your tool fits that definition.

So, I think the current tools are just for enterprises, or for ISPs who want to provide anti-DoS services.

regards

Joe
Is current DDoS detecting method effective?
Hi,

I use flow-tools to monitor the link bandwidth utilization on three backbone interfaces. The total bandwidth utilized is about 11Gbps, and the netflow data is analyzed to show statistics on some special ports (e.g. port 0, port 445 etc.). I think this could give us some indication of a possible DoS attack, but it's hard to monitor DoS attacks on all hosts or all ports. In fact, I'm not sure whether traffic monitoring could REALLY help to identify some DoS attacks, esp. in ISP networks.

My questions include:

1) What should be protected in ISP networks? The ISP's own network, or both the ISP's network and its customers? I think the answer is, the ISP should only care about the safety of its own network, which should be overprovisioned (not only link bandwidth but also CPU/MEM etc.); we could use techniques like reverse route checking and ACLs to immunize those core routers/switches from DoS.

2) What cost should we pay to identify any possible DoS in the ISP network? I think it will cost a lot if we keep monitoring traffic on all edge routers (both to the backbone network and to customers), because we have to set up traffic monitoring on all interfaces and we have to set up analysis hosts whose capacity has to be increased from time to time. While the gain is not obvious (at least a botnet could not be crashed easily).

3) Are those techniques used currently really effective? Where can I find some theoretical analysis on the method Arbor uses to identify DoS? In my experience, network attack is continuous. I did an experiment in our network: I put a Win2003 server on the access layer. After 24 hours, the software firewall on it recorded about 10, scan/attack attempts. Arbor says its product builds up a traffic model before identifying DoS, while DoS may have been at its peak point when Arbor's box is building up its traffic model!!

So, how can we deal with DoS in ISP networks?

--- David J. Hughes [EMAIL PROTECTED] wrote:

> On 04/03/2005, at 5:17 AM, Chris Roberts wrote:
>
> > I know you said not Arbor, but I'd second this opinion. I used Arbor at a medium-sized European ISP and it was fantastic at the job. Just in the trial period found a lot of smaller DoS attacks on our network that we didn't even know were there, and this was without a particular baseline. I think the development time you'd spend building something like (we tried building similar with cflowd et al) would outweigh the costs... This is always a moot point if you don't have the cash though I guess :-)
>
> Another option on the commercial front is from Esphion in New Zealand (www.esphion.com). I've been involved with deploying their products at a large hosting provider in Australia and I've been very impressed with the performance and reliability. It's now an integral part (if not the corner stone) of our DOS mitigation procedure. Good bit of kit.
>
> David
> ...
Re: Is current DDoS detecting method effective?
Hi,

It frightens me that you're sitting on 11Gb/s+ and unable to utilize existing tools to determine what is within profile for your network and what is not.

That is what makes me think it's not possible to determine a legal traffic model with available tools. The total BW keeps increasing, and network attacks keep going on. We could estimate the traffic scheme by monitoring BW utilized, but it may have exhausted the customer's server resources when we consider those DoS packets with our traffic scheme. So, Arbor and alike may be useful to enterprise users, but to ISPs its effectiveness is questionable.

I'm certain that you'll be contacted by many commercial vendors who have working profiling solutions.

I've discussed this with some persons; they just make claims but give no demonstration or analysis. Joe
Measure overall network availability
Hi, is there any recommended method to measure overall network availability? Currently we use packet loss rate as an indication of network availability, but to my understanding this just means the possibility of e2e communication degradation, not the network availability. regards Joe
Re: Anycast 101
Hi, That's what I want to discuss. The paper gives a very detailed explanation of anycast with OSPF ECMP, and what I want to know is: is there anything not included in it but that must be considered carefully when an anycast cache server farm is to be established in a MAN? Will there be any problem with OSPF-ECMP convergence? Is there any requirement on DNS software (BIND, CNS, powerdns etc.) selection? Consider such a situation: a big ISP wants to set up a hierarchical cache DNS service; it has several MANs interconnected by a backbone. Each MAN uses a reserved ASN. The backbone has a public ASN and connects to each MAN with e-BGP. Should BGP multipath be considered? Or should each MAN announce the same DNS server address block in each e-BGP session? Will there be any possible problem in such a situation? What I do care about is convergence speed, reliability, load balancing within a cache server farm, load sharing between different cache server farms when one of them fails, and cost of administration. Joe

Also, be mindful of ECMP. http://www.isc.org/pubs/tn/isc-tn-2004-1.html http://www.isc.org/pubs/tn/isc-tn-2004-1.txt Joe
Re: Anycast 101
I don't think PPLB is compatible with anycast, esp. in situations when we consider end-to-end communication with multiple packets. As PPLB may lead to out-of-sequence TCP packets, or to packets of the same UDP stream reaching different DNS server destinations, it will break anycast DNS service in some situations. So, if TCP-based DNS requests are considered, flow-based load balancing should be considered, which is totally different from PPLB. Joe

--- Iljitsch van Beijnum [EMAIL PROTECTED] wrote:

On 18-dec-04, at 22:31, Paul Vixie wrote: i would be interested in hearing from anybody else who thinks that turning on pplb in a eyeball-centric isp that has multiple upstream paths is a reasonable thing to do, even if there were no anycast services deployed anywhere in the world. so far, no takers. i've heard from rfc-writers who say pplb was never meant to be used the way Iljitsch is describing it, and i've heard from equipment vendors who say their customers don't do that and that if some customer did that and asked for support the response would be don't do that!, and i've heard from network operators who say they would never do that, and i've heard from customers of network operators who did that with notable bad effects. but so far nobody has said yes, what Iljitsch is describing should work.

Apparently you also didn't get any pointers to RFCs or other authoritative sources that say each and every packet injected into the internet must be delivered in sequence. You feel you get to decide what other people should and shouldn't do. I find that dangerous. As long as there is no standard or law that says something can't be done, people are free to do it. Apart from that, I'm not convinced per packet load balancing is as bad as people keep saying.
In the absence of any research that I know of, my position is that per packet load balancing does have potential adverse effects, so per destination load balancing is preferred, but if there is a reason why pdlb doesn't fit the bill, pplb is a reasonable choice.

let me summarize. Iljitsch says that pplb is incompatible with anycast,

No. What I'm saying in general is that anycast isn't 100% problem free, so: 1. There should always be non-anycast alternatives 2. It would be good if we had a way (= BGP community) to make sure that anycasted routes aren't load balanced across. I don't think either of these is unreasonable.

since a pplb-using access router at the inner edge of an ISP could hear two different IGP routes to some destination, which ended up taking different exits from the ISP and thus different BGP paths.

I'm not even sure if I understand this sentence, but it sure doesn't look like something I said. What I said was, that if you inject packets towards an anycasted address into two different routers within a certain AS, there is a very real possibility these two packets will end up at different anycast instances. I'm on very firm ground here as this follows directly from the BGP path selection rules. (Although in real life this wouldn't happen too often because customers tend to connect to two routers in the same or neighboring pops.)

whereas pplb would normally only operate on equal-cost paths, the BGP-IGP path would hide the variance in BGP paths and make these paths eligible for pplb.

Again: huh?

i've said that pplb is only useful for turning two OC3's into an OC6 (or similar circuit bundling where a pair of routers has multiple connections to each other) and that even in this case, packet reordering is likely to occur, which will make tcp-flow performance suffer across this link.

But would the TCP performance over this OC6 link be better than that over a single OC3 link? That's the real question.
i have also said that turning pplb on across non-parallel links, such as to multiple providers or through multiple tunnels or whatever, would pretty much guarantee that a word rhyming with massive suckage would occur. and i've made these claims independent of anycast -- that is, life will be bad if you use pplb outside its intended purpose, even if nobody anywhere was using anycast.

Your argument is that since it's a bad idea to do this, nobody will, so making it even worse is ok. My argument is that even though it's a bad idea, some people will do it, so we shouldn't unnecessarily make things worse and/or should make a reasonable effort to repair the damage.

loath though i am to treat a preponderance of assertion as equivalent to proof, i see no alternative on this issue. no one is defending the use case Iljitsch is proposing. no one is even saying i tried that and it was OK. lots of people are saying various things like don't do that! and are you crazy?

And we all know that when you tell people not to do
Re: Anycast 101
My question: I noticed that people always talked about BGP when they talked about anycast DNS server farms. But, is there any problem or anything that must be taken care of when anycast is employed within a DNS server farm within a MAN? What I mean is, if we want to employ anycast in a cache server farm which is located within a big OSPF network, is there anything problematic? Or should we consider anycast only when a root server is to be installed? Some people said it's not needed to set up anycast in a MAN because the DNS system in such a situation is very small (less than 10 SUN servers). regards Joe

--- Iljitsch van Beijnum [EMAIL PROTECTED] wrote:

I got some messages from people who weren't exactly clear on how anycast works and fails. So let me try to explain... In IPv6, there are three ways to address a packet: one-to-one (unicast), one-to-many (multicast), or one-to-any (anycast). Like multicast addresses, anycast addresses are shared by a group of systems, but a packet addressed to the group address is only delivered to a single member of the group. IPv6 has round robin ARP functionality that allows anycast to work on local subnets.

Anycast DNS is a very different beast. Unlike IPv6, IPv4 has no specific support for anycast, and the point here is to distribute the group address very widely, rather than over a single subnet anyway. So what happens is that a BGP announcement that covers the service address is sourced in different locations, and each location is basically configured to think it's the owner of the address. The idea is that BGP will see the different paths towards the different anycast instances, and select the best one. Now note that the only real benefit of doing this is reducing the network distance between the users and the service. (Some people cite DoS benefits but DoSsers play the distribution game too, and they're much better at it.) Anycast is now deployed for a significant number of root and gtld servers.
Before anycast, most of those servers were located in the US, and most of the rest of the world suffered significant latency in querying them. Due to limitations in the DNS protocol, it's not possible to increase the number of authoritative DNS servers for a zone beyond around 13. With anycast, a much larger part of the world now has regional access to the root and com and net zones, and probably many more that I don't know about.

However, there are some issues. The first one is that different packets can end up at different anycast instances. This can happen when BGP reconverges after some network event (or after an anycast instance goes offline and stops announcing the anycast prefix), but under some very specific circumstances it can also happen with per packet load balancing. Most DNS traffic consists of single packets, but the DNS also uses TCP for queries sometimes, and when intermediate MTUs are small there may be fragmentation.

Another issue is the increased risk of fate sharing. In the old root setup, it was very unlikely for a non-single homed network to see all the root DNS servers behind the same next hop address. With anycast, this is much more likely to happen. The pathological case is one where a small network connects to one or more transit networks and has local/regional peering, and then sees an anycast instance for all root servers over peering. If then something bad happens to the peering connection (peering router melts down, a peer pulls an AS7007, peering fabric goes down, or worse, starts flapping), all the anycasted addresses become unreachable at the same time. Obviously this won't happen to the degree of unreachability in practice (well, unless there are only two addresses that are both anycast for a certain TLD, then your mileage may vary), but even if 5 or 8 or 12 addresses become unreachable the timeouts get bad enough for users to notice.
The 64000 ms timeout query is: at what point do the downsides listed above (along with troubleshooting hell) start to overtake the benefit of better latency? I think the answer lies in the answers to these three questions:
- How good is BGP in selecting the lowest latency path?
- How fast is BGP convergence?
- Which percentage of queries go to the first or fastest server in the list?
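The two failure modes argued over in this thread (packets of one exchange landing on different anycast instances, and reordering across unequal paths) can be shown with a small simulation. The following is an added example, not code from the thread or from any router vendor: two next hops, each reaching a different instance of the same anycast address over its own latency, and a four-packet DNS-over-TCP exchange forwarded once by a per-flow hash and once by per-packet round robin. The topology, latencies, SHA-256 stand-in for the hardware hash and the packet layout are all this example's own assumptions.

```python
"""Per-flow hashing versus per-packet load balancing in front of two anycast
instances: the same four-packet TCP DNS exchange either stays on one path
(one instance, in order) or is sprayed across both (two instances, reordered)."""
import hashlib
import itertools
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto sport dport seq")

# Constructed topology: each next hop reaches a different anycast instance
# of the same service address over a path with its own one-way latency (ms).
NEXT_HOPS = {
    "upstream-1": ("anycast-instance-A", 5.0),
    "upstream-2": ("anycast-instance-B", 12.0),
}


def flow_hash(pkt, hops):
    """Per-destination/per-flow balancing: hash the 5-tuple so every packet
    of a flow picks the same next hop. SHA-256 stands in for a router's
    hardware hash; any deterministic function of the 5-tuple would do."""
    key = "|".join(map(str, (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)))
    digest = hashlib.sha256(key.encode()).digest()
    return hops[int.from_bytes(digest[:8], "big") % len(hops)]


def per_packet():
    """Per-packet balancing: round-robin over the next hops regardless of
    which flow a packet belongs to."""
    counter = itertools.count()

    def choose(pkt, hops):
        return hops[next(counter) % len(hops)]
    return choose


def forward(packets, choose, next_hops=NEXT_HOPS, send_gap_ms=1.0):
    """Send packets send_gap_ms apart, route each with the chooser, and return
    arrivals sorted by time as (arrival_ms, seq, instance)."""
    hops = list(next_hops)
    arrivals = []
    for i, pkt in enumerate(packets):
        instance, latency = next_hops[choose(pkt, hops)]
        arrivals.append((i * send_gap_ms + latency, pkt.seq, instance))
    return sorted(arrivals)


def instances_seen(arrivals):
    """Which anycast instances received packets of the exchange."""
    return sorted({instance for _, _, instance in arrivals})


def reordered(arrivals):
    """Number of packets that arrive after a packet with a higher sequence
    number, which a TCP receiver sees as out-of-order segments."""
    highest, count = 0, 0
    for _, seq, _ in arrivals:
        if seq < highest:
            count += 1
        highest = max(highest, seq)
    return count


def tcp_dns_exchange():
    """Constructed client side of a DNS-over-TCP query: SYN, ACK, query and
    FIN all carry the same 5-tuple."""
    return [Packet("192.0.2.10", "198.51.100.53", 6, 40000, 53, seq)
            for seq in range(1, 5)]


if __name__ == "__main__":
    pkts = tcp_dns_exchange()
    for name, chooser in (("per-flow", flow_hash), ("per-packet", per_packet())):
        arr = forward(pkts, chooser)
        print(name, instances_seen(arr), "reordered:", reordered(arr))
```

With the per-flow hash every packet of the exchange reaches a single instance in order; with per-packet round robin the second instance receives segments for a connection it has no state for, and the segments that took the slower path arrive behind later ones. The same split applies to the fragments of a large UDP answer, since fragments after the first carry no port numbers for a hash to use.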
RE: identifying application type of network traffic
Thanks for all your replies. My situation is not to apply QoS policy to those applications but to get statistics on applications. According to netflow records, the traffic across our egress interface has port numbers ranging from 11 to 65534; there are even records for port 0! So, what are those applications? regards Joe

Hi, if you run Cisco routers have a look at NBAR, it might do what you want. http://www.cisco.com/warp/public/cc/so/neso/ienesv/cxne/nbar_ov.htm http://www.cisco.com/warp/public/105/custompdlms.html Regards Olav Langeland - Active 24 - [EMAIL PROTECTED]
identifying application type of network traffic
Hi, I'm trying to identify the applications which generate the traffic on our border routers. I use sampled netflow as the data source and some flow-tools as the analyzer. Currently, I use (protocol, port_number) as the indicator of application. Referring to the RFC on well-known protocol and port allocation, I can only identify about 50% of the traffic type. Is there a complete (protocol, port_number) list? Or is there a better way to identify application type based on netflow data? regards Joe
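The two kinds of statistic asked about in this thread and in the DoS thread above (labelling flows by (protocol, port), and picking out the scanning and SYN-flood signal behind the port 445 and port 0 counts) can be computed from exported flow records with a few lines of code. The following is an added example and not code from flow-tools or from anyone on the list: the CSV field order, the small service table and the sample records are this example's own constructions. Checking both ports of a flow matters because either end of an exported flow can be the server, which is part of why a one-directional port lookup leaves so much traffic unidentified.

```python
"""Classify NetFlow-style records by (protocol, port) and measure SYN-only
fan-out, a cheap indicator of scanning (many destinations per source) and
SYN flooding (many sources per destination)."""
from collections import Counter, namedtuple

Flow = namedtuple("Flow", "src dst proto sport dport pkts bytes flags")

# Constructed sample export: src,dst,proto,sport,dport,pkts,bytes,tcp_flags.
# The field order is this example's own assumption, and the records are
# made up, not data from any real router.
SAMPLE = """\
10.0.0.5,198.51.100.7,6,51234,80,12,9000,0x1b
198.51.100.7,10.0.0.5,6,80,51234,15,60000,0x1b
10.0.0.6,198.51.100.7,6,51235,443,20,15000,0x1b
10.0.0.7,198.51.100.9,17,53000,53,1,70,0x00
198.51.100.9,10.0.0.7,17,53,53000,1,300,0x00
10.0.0.8,10.0.0.9,6,6000,6001,30,50000,0x1b
203.0.113.4,10.0.0.20,6,3411,445,1,48,0x02
203.0.113.4,10.0.0.21,6,3412,445,1,48,0x02
203.0.113.4,10.0.0.22,6,3413,445,1,48,0x02
203.0.113.4,10.0.0.23,6,3414,445,1,48,0x02
203.0.113.9,10.0.0.20,1,0,0,200,12000,0x00
"""

# A deliberately small service table; IANA's registry is the full list.
WELL_KNOWN = {
    (6, 22): "ssh", (6, 25): "smtp", (6, 80): "http", (6, 443): "https",
    (6, 445): "microsoft-ds", (6, 53): "dns", (17, 53): "dns", (17, 123): "ntp",
}
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
TCP_SYN, TCP_ACK = 0x02, 0x10


def parse_flows(text):
    """Turn the CSV text into Flow records; tcp_flags is the cumulative OR
    of the flags seen in the flow, as exporters report it."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, sport, dport, pkts, nbytes, flags = line.split(",")
        flows.append(Flow(src, dst, int(proto), int(sport), int(dport),
                          int(pkts), int(nbytes), int(flags, 16)))
    return flows


def classify(flow):
    """Name the application from (protocol, port). Either end may be the
    server, so both ports are checked, then the lower port if it is in the
    well-known range; otherwise the flow is reported as unknown."""
    if flow.proto == 1:
        return "icmp"            # ICMP flows are exported with port 0
    for port in (flow.dport, flow.sport):
        app = WELL_KNOWN.get((flow.proto, port))
        if app:
            return app
    low = min(flow.sport, flow.dport)
    if low < 1024:
        return "%s/%d" % (PROTO_NAMES.get(flow.proto, str(flow.proto)), low)
    return "unknown"


def bytes_by_app(flows):
    """Traffic volume per application label."""
    mix = Counter()
    for flow in flows:
        mix[classify(flow)] += flow.bytes
    return mix


def identified_share(flows):
    """Fraction of bytes given a label other than 'unknown'."""
    mix = bytes_by_app(flows)
    total = sum(mix.values())
    return (total - mix["unknown"]) / total if total else 0.0


def is_syn_only(flow):
    """TCP flow in which a SYN was seen but never an ACK from this side:
    a half-open attempt, typical of scans and SYN floods."""
    return flow.proto == 6 and (flow.flags & (TCP_SYN | TCP_ACK)) == TCP_SYN


def syn_only_fanout(flows, by="src"):
    """Distinct peers reached by SYN-only flows, keyed by source ('src',
    shows scanners) or by destination ('dst', shows flood targets)."""
    peers = {}
    for flow in filter(is_syn_only, flows):
        key, peer = (flow.src, flow.dst) if by == "src" else (flow.dst, flow.src)
        peers.setdefault(key, set()).add(peer)
    return {key: len(p) for key, p in peers.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    for app, volume in bytes_by_app(flows).most_common():
        print("%-14s %8d bytes" % (app, volume))
    print("identified: %.0f%%" % (100 * identified_share(flows)))
    print("SYN-only fan-out by source:", syn_only_fanout(flows, "src"))
```

On the constructed records the unidentified share is the high-port-to-high-port flow, which no port table can label; the SYN-only fan-out singles out the one source probing port 445 on four hosts. For a real export the same two functions run over the sampled flow-tools output with a proper service table and a threshold on the fan-out.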
Topology of current network
Hi, I'm looking for information on backbone/PoP topology. To my memory there is a web site that has a lot of topology graphs but I can't recall it. Could anybody help? thanks Joe
How to monitor BGP route stability ?
Hi, Is there any tool to monitor BGP route stability? thanks Joe
Re: Problems receiving emails from china...
Hi, Is there a similar problem with sending email to email servers inside China? Maybe you could check end-to-end delay and packet loss rate. Another method: ask your customer to cut the attachment into several parts and send them separately. Joe

--- Lou Laczo [EMAIL PROTECTED] wrote:

Hi all, I did a quick search of the archives and was unable to find any previous discussions relevant to this topic. One of our clients has been having problems receiving some legitimate emails from business associates in China. The client's mailserver is running qmail. In almost all of the cases, the failing email has at least one attachment and is larger than what might be considered normal. Our client's mailserver receives part of the message and then the smtp connection hangs and eventually times out. Many times, the sending mail server will attempt to send the message again and again before finally giving up. The failing messages can be successfully delivered to hotmail and/or yahoo accounts. I've observed this problem while it was occurring and there are multiple smtp connections open between the client's server and the sender's server. The connections are in various states, some established, some in fin_wait, etc. I've tried tracerouting to the sender's server and in every case I've observed the trace times are terrible. I've looked at various aspects of the mail server's configuration and all looks well there. I've even tried having the senders email to a totally different mailserver on our network and get similar failures. It's starting to look like this is just a simple case of bad network connectivity from the sender. My guess is that the big free email systems have relay servers all over the world, so the sender in China would be talking to a server much closer to home. This would explain why the mail can be successfully delivered to hotmail, yahoo, etc. Has anyone ever experienced a problem similar to this? Thanks in advance for your attention and any responses/help.
--Lou. - Technical Support - INetU Managed Hosting - http://www.INetU.net [EMAIL PROTECTED] - Phone: (610) 266-7441
Netflow analysis best practice and tools ?
Hi, We plan to set up netflow analysis in our backbone. It's hoped to be able to track communication demand inside our AS as well as between our AS and other ASes. It is also expected to support route optimization and to detect abnormal network behavior. And report generation is needed too. Is there any best practice or recommendation on how to employ netflow collection in an ISP backbone? Is there any software or product covering all of the above? thanks Joe
Re: How to Blocking VoIP ( H.323) ?
After reading your kind replies, I got the following list for blocking VoIP at the edge router:
1. block traffic on ports 1719, 1720 (both tcp/udp), but this could not deal with those who modified the signaling port;
2. content filtering by using some special equipment, very expensive;
3. legislation by gov., well I don't think this could be a possible method;
4. for IM with voice ability;
5. change QoS level for marked packets (how could it be done with a no-QoS network, RED?)
Here go my further questions:
a) Could WRED be applied with the current network to VoIP packets selectively? (I mean RTP packets carrying unwanted VoIP)
b) Is there any way to catch that equipment modifying signaling port numbers?
c) any better way? any experience?
regards Joe

--- Robert Mathews [EMAIL PROTECTED] wrote:

On Thu, 11 Nov 2004, Christopher L. Morrow wrote: Date: Thu, 11 Nov 2004 19:49:10 + (GMT) From: Christopher L. Morrow [EMAIL PROTECTED] To: Robert Mathews [EMAIL PROTECTED] Cc: NANOG [EMAIL PROTECTED] Subject: Re: How to Blocking VoIP ( H.323) ? On Thu, 11 Nov 2004, Robert Mathews wrote: To Joe Shen: Perhaps 'I am failing to see it' but, what can be gained by blocking VoIP traffic other than freeing bandwidth and CPU churnings? reference panamanian gov'ts choice to protect legacy/incumbent carrier business by blocking voip. no one said it was 'smart' just that it was what the gov't wanted. Perhaps Joe lives in a similar situation?

Hi Chris: Indeed hegemonic tendencies/behaviour by telcos aside, I was attempting to understand if there were 'some' ORGANIZATIONAL dyscrasias that prohibited 'operationalizing' of VoIP. To be brief, I would humbly submit that any malady in this area is worthy of greater exploration IF ONLY to expedite and effectuate the alignment of org-to-org operational instruments and their respective interfaces. Best, Robert. ---
How to Block VoIP (H.323)?
Hi, How could it be done to block VoIP at the access router? I've thought about using an ACL to block UDP port 1719, but this could be overcome by modifying the protocol port number. regards Joe
Re: Network Monitoring System - Recommendations?
Hi, I googled for CCR but it seems nothing useful in 5 pages. Would you please do me a favor and give the URL of that tool? I tried to set up MRTG monitoring a Unisphere BRAS 1400 and M160, but I failed with data collection because the wrong OIDs were used (CPU, mem, temperature, BW etc.) :-( regards

--- Alexei Roudnev [EMAIL PROTECTED] wrote:

I read the documents of these tools and find they work with Cisco products. But, how about Juniper M160 or M320, Unisphere's BRAS products? Where can I find Juniper's OIDs for its temperature, chassis, CPU, bandwidth? Does anyone have a running configuration for M160 or Unisphere's BRAS products?

They use standard MIB2 and a little of Cisco-specific MIBs. As I already said, it is a good tool to view and monitor traffic, utilisation, errors, and use an additional tool to deep monitor vendor-specific parameters. We use 'snmpstat' to monitor routers, switches, ports and interfaces (and bgp) and cricket to watch a few additional parameters (to configure alerts, we use aliases and mhonarc mail archives with auto expiration - for alerts, warnings, reports and audits, and for 'root' and 'oracle' e-mail).

CCR can work with anything which (1) allows telnet or ssh, and (2) can 'write net' config (in any syntax). You can use an encrypted password file (using a passphrase) if you want. Using SNMP was rejected, because it is absolutely device-specific, impossible in many cases, and we never saw it as a security problem, because all devices are restricted to allow ssh or telnet from 2 or 3 servers only, because passwords are encrypted, and because automated config reading and web access are much more important vs a very abstract possibility of hacking (in reality, the problem can come from insiders, not from hackers, so no extra accounts are allowed on the monitoring server). You can get the configuration (initiate a tftp transfer) using some snmp (WRITE) variable and pre-configured tftp parameters, but it works on very few Cisco devices only.

As I said, CCR uses 3 methods:
- password file encrypted by public key;
- password file encrypted by 3des passphrase;
- explicit password.
In all cases, the problem is with the root user only - root can always decrypt the password or intercept the web session. A user who has permission to edit the CCR config and knows the passphrase can (in theory) see passwords as well. Other users can not, even if they know the passphrase - they can only initiate config reading. Network admins do not know enable passwords if they do not need them - they use the passphrase. To have automated config reading, either of the first 2 methods can be used (the passphrase must be written into a special file, root-only readable, if method 2 is used). For manual reading, any method can be used, without any file with a passphrase. In reality, it is not a serious security problem because all devices can be accessed from very few servers only, and because we can use 'ssh' instead of 'telnet' (CCR can be configured or can select ssh/telnet automatically). You can, in turn, play with the security level, but it (again) does not work in the generic case (any cisco device) and is very tricky. For Juniper or other devices - you can try to program an 'expect' script, or use an 'snmp' initiated transfer - all other things will work.

On configuration backup, rancid uses telnet (ssh). But, I take this as a not-secure method as it has to code the password into the login script. Is there any tool to get the configuration file from a read-only SNMP community? Joe

--- Jon Lyons [EMAIL PROTECTED] wrote: Checkout http://perfparse.sourceforge.net/ lets you graph the data from the nagios plugins...

--- Alexei Roudnev [EMAIL PROTECTED] wrote: I generated config for 'snmpstatd' automatically, from the user's database (it was simple; all I needed was Router, Interface, User-name, number for this user, priority). For automated config backups, I use CCR (fully web based Cisco configuration - CVS system).

- Original Message - From: Andy Dills [EMAIL PROTECTED] To: Charlie Khanna - NextWeb [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Thursday, October 28, 2004 11:46 AM Subject: Re: Network Monitoring System - Recommendations? On Thu, 28 Oct 2004, Charlie Khanna - NextWeb wrote: Hi - I was interested in finding out what software applications other ISPs are using for network monitoring? For example: 1) Overall network health - uptime reports http://www.nagios.org 2) Backup router config automatically http://www.shrubbery.net/rancid/ 3) Bandwidth reporting (or integration with an MRTG-type app) http://cricket.sourceforge.net/ 4) SNMP trap support (BGP/OSPF session drops - emails out)
Re: why upload with adsl is faster than 100M ethernet ?
Thanks. I've done the experiments. The reason is: the 100Mbps ethernet is so fast that it could fill the buffer of the bottleneck link very quickly (path MTU, burstiness of traffic). There may also be ACK compression on the reverse path. Joe

--- Dave Crocker [EMAIL PROTECTED] wrote:

On Fri, 15 Oct 2004 00:14:11 -0800, Joe Shen wrote:

          /-(ADSL)-----------\
customer -                     --Edge_router---...---Japan Server
          \-(100M ethernet)---/

it is probably worth doing an experiment, by placing a target host just before the edge router, inside your net, and verify that you do not get the (bad) differential performance there. d/ -- Dave Crocker Brandenburg InternetWorking +1.408.246.8253 dcrocker a t ... www.brandenburg.com
Re: Network Monitoring System - Recommendations?
I read the documents of these tools and find they work with Cisco products. But, how about Juniper M160 or M320, Unisphere's BRAS products? Where can I find Juniper's OIDs for its temperature, chassis, CPU, bandwidth? Does anyone have a running configuration for M160 or Unisphere's BRAS products? On configuration backup, rancid uses telnet (ssh). But, I take this as a not-secure method as it has to code the password into the login script. Is there any tool to get the configuration file from a read-only SNMP community? Joe

--- Jon Lyons [EMAIL PROTECTED] wrote: Checkout http://perfparse.sourceforge.net/ lets you graph the data from the nagios plugins...

--- Alexei Roudnev [EMAIL PROTECTED] wrote: I generated config for 'snmpstatd' automatically, from the user's database (it was simple; all I needed was Router, Interface, User-name, number for this user, priority). For automated config backups, I use CCR (fully web based Cisco configuration - CVS system).

- Original Message - From: Andy Dills [EMAIL PROTECTED] To: Charlie Khanna - NextWeb [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Thursday, October 28, 2004 11:46 AM Subject: Re: Network Monitoring System - Recommendations? On Thu, 28 Oct 2004, Charlie Khanna - NextWeb wrote: Hi - I was interested in finding out what software applications other ISPs are using for network monitoring? For example: 1) Overall network health - uptime reports http://www.nagios.org 2) Backup router config automatically http://www.shrubbery.net/rancid/ 3) Bandwidth reporting (or integration with an MRTG-type app) http://cricket.sourceforge.net/ 4) SNMP trap support (BGP/OSPF session drops - emails out) http://www.snmptt.org/ http://www.nagios.org 5) Database back end (port info into or over to other apps) I'm just looking for something well rounded for a small ISP. I've heard about OpenNMS and other apps but I'd like to get everyone's feedback. Thanks!

Nothing all in one place, that I'm aware of. But with a little work, you could probably integrate it all into nagios. After all, you can make the host names or descriptions URLs that link to bandwidth and error graphs or other tools. Andy --- Andy Dills Xecunet, Inc. www.xecu.net 301-682-9972 ---
Re: why upload with adsl is faster than 100M ethernet ?
Hi, the network path is:

          /-(ADSL)-----------\
customer -                     --Edge_router---...---Japan Server
          \-(100M ethernet)---/

So, from edge_router to the Japan server the path is identical.

There is something wrong with both scenarios. A 5 Mbyte file is 40 megabits. With overhead, it should transfer in about one-half second over a 100 Mbps ethernet connection and somewhat less than 30 seconds on a 2Mbps connection.

Yes. But, for ftp, TCP controls the real end-to-end transmission speed. I attached a monitoring computer to our core router along the path between the customer's site and the server. The monitoring computer pings the customer's site by targeting both ends of the ADSL line and the ethernet line. The measurement is scheduled at 20 packets per 20 seconds; we also ping each hop address along the path to the server. The result shows there is no packet loss from the monitoring computer to the customer site, but packet loss increases at a particular hop along the path to the server in Japan. So, we think the bottleneck is not inside our network. And, the TCP connection between the customer's computer and its server should be affected by the same bottleneck. So, the uploading speed should be similar (?), but it shows so much difference!

Look for duplex mismatch or something similar.

I disabled autonegotiation of ethernet. So, there is no such situation.

Oh! There's another WAN link in the picture! What are the MTU settings? Are the packets being fragmented? Is a firewall blocking all ICMP somewhere, including path MTU discovery?

The measurement is taken without a firewall at the customer site. And, no packet filtering is enabled inside our network.

Note that this isn't exactly within the realm of the NA (North American) Network Operators Group, but the photons don't respect political boundaries so you may get appropriate answers here.

Thanks for all your help. To me, knowledge should be shared around the world no matter where people live. Luckily, NANOG/RIPE and some other groups are open to the world. regards Joe
Re: why upload with adsl is faster than 100M ethernet ?
It's generally a bad idea to turn off ethernet autonegotiation unless the equipment at the other side doesn't support it.

Yes, we've checked the configuration; both the access router interface and the customer's ethernet interface are forced to (100Mbps, full duplex). And, no CRC error records show up. Your explanation of TCP behavior seems reasonable, but why does TCP over the fast access line experience so much more packet loss than over the slow access line? Do WindowsXP/Win2k determine their initial sending window according to access speed or path MTU? regards Joe
why upload with adsl is faster than 100M ethernet ?
Hi, I met a question with upload speed and network access speed. One of our customers leases two lines from us. One is a 2Mbps ADSL line, the other is a 100Mbps fiber ethernet link. The customer needs to upload files to a server in Japan regularly. Now, the customer complains that the upload speed of ADSL is much slower than the fiber link. For a 5MB file, it takes 420 seconds with the fiber link to finish uploading while the time for ADSL is 170 seconds. There is no difference in routing path between the ADSL far end and the fiber ethernet far end other than the access method (from the first access router). We measured the latency between our core router and the customer's computer, and found there is no packet loss with both lines while latency on ADSL is 0.3ms higher than on fiber ethernet. And, no link along the path inside our network is overburdened. That is, the bottleneck is located somewhere outside our network. And there is an asymmetric route between our network and the Japan server. But, why does TCP throughput experience so much difference between ADSL access and fiber link access? Thanks. Joe
Question on IP address used by anycast DNS cache server
Hi, I'm , but I met some questions when reading those papers from ISC on F-root anycasting.
1. As it's described in J. Abley's paper, a DNS server in an anycast group should be configured with a real IP on its NIC and one or two service IPs on loopback interface(s). BIND listens on both the real IP and the service IPs. Any DNS answer packet will be encapsulated with the service IP as source address. To my understanding, this is OK for root servers because they do not invoke the recursive lookup procedure. But, if the DNS server is a member of an ISP's DNS cache server farm, recursive lookup packets to other DNS servers MUST be encapsulated with the real IP address. Is BIND or other DNS software capable of distinguishing between DNS answer packets and recursive lookup packets? Or could this be done automatically by the operating system like Solaris, Linux, FreeBSD?
2. If we want to design a hierarchical DNS service system which distributes across multiple private ASes of an ISP, is there any problem with selecting the service IP randomly from an unused address pool?
thanks in advance. Joe
Are those ICPs crazy -- 10GB free mailbox?
Hi, I just received an email from one of my friends and he told me http://www.hriders.com/ is providing a free 10GB email box for subscribers. Is that crazy in the competition of BIG size free email accounts? Joe
RE: Email Complexes
Hi, Is there any free tool or method to measure SMTP performance and email service quality between two email servers? Is there any implementation of message tracking? thanks Joe --- Hosman, Ross [EMAIL PROTECTED] wrote: I've gotten a few emails asking why we are doing this. We are doing this in order to provide better service to our Customers. Charter needs pop3 access at the following companies so that we can track and monitor SMTP performance between our network and yours. AOL Yahoo Gmail MSN/Hotmail Cox Comcast Adelphia Earthlink Verizon __ Do You Yahoo!? Download the latest ringtones, games, and more! http://sg.mobile.yahoo.com
Re: Network Configuration Management Practices
There has been some publicly available software for backing up Cisco router configurations. The backup is not in CVS but in plain files. Joe --- Alexei Roudnev [EMAIL PROTECTED] wrote: Hmm, there are many approaches, starting with _what is primary_ (in Moscow's ISP files were primary, in enterprise here configs are primary). In my case, I use some hard rules: - no matter what is primary, configurations should be stored into CVS or a similar system, and made available (for network engineers) on the internal web (with restricted access); - the system should collect all changes automatically (or update configs from files automatically), make diffs and send change reports. - In any case, I must be able to see the real configuration and see all changes applied for the last few weeks, without telnetting to the box. Without such things, I am blind (I feel myself blind, when I come to a new network, and they have no such things in their system, making changes _on live servers_ and making 'telnet' to evaluate configuration). A few tools (opensource and commercial) allow automating this job. One more thing. We tried to review _proposed changes_ and _changes applied_. Practice showed, that it is impossible to see errors in proposed updates, even if 3 - 4 engineers review it (not design flaws, but syntax and semantics errors), so we did not get much use from pre-change reviews (except design ones). But we got extremely high profit from post-change reviews (verifying what really changed on the router / firewall after the maintenance window) - it allows to see some unwanted changes and avoid a few possible service disruptions. - Original Message - From: Scott Weeks [EMAIL PROTECTED] To: Carl W.Kalbfleisch [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Sent: Tuesday, September 14, 2004 3:08 PM Subject: Re: Network Configuration Management Practices On Tue, 14 Sep 2004, Carl W.Kalbfleisch wrote: : I am doing some independent research on Network Configuration : Management Practices.
I am trying to get information from service : providers and enterprises on how they handle this function. I have the : following specific questions: : : 1) What configuration issues most affect the performance and : reliability of your network? Fingers... ;-) scott
Re: Excessive Internet Traffic
Is that a variant of Nachi B? The source address may be generated. joe --- Robert Scott [EMAIL PROTECTED] wrote: The University of Central Florida has seen a sudden jump in tcp 445 denies. It began a little after 9:00 AM EDST. New Worm? I am denying about 32 thousand packets per second. IP Cache flow shows them well spread over a wide range of addresses, targeted at what appears to be a random sample of my class B. The ACL on our border router is taking 21 million denies every 10 minutes. 60 deny tcp any any eq 445 (346740094 matches) The packets are small, since I am seeing a large number of packets, but the bit count is low. 30 second input rate 72679000 bits/sec, 41033 packets/sec 30 second output rate 29208000 bits/sec, 7687 packets/sec Input bits per second are a little above normal, but the packet count would normally be under 1 not 41000. Ideas? TIA AppleBees says No Anheuser Robert Scott says NO APPLEBEES! Join The Boycott! Robert D. Scott Associate Director Computer Services and Telecommunications Network Operations University of Central Florida [EMAIL PROTECTED] CSB-310 407-823-0662 Voice 407-823-5476 FAX 345-0662 Sun-Com 877-549-5390 Pager
Re: EVENT - Building a network and system management open source tool - talk at BayLISA, Cupertino, California, USA, Thursday 16 Sept. 2004 19:30-21:00
In that network administration software it seems configuration management, e.g. periodic backup, integrity checking etc., is not covered. Is it possible to include this? Joe --- Philippe Ombredanne [EMAIL PROTECTED] wrote: If you are in the San Francisco Bay Area, you can join us for a talk I am giving for the BayLISA (Bay Area Large Installations Systems Administrators User Group). http://www.baylisa.org/ and participate in a talk on the design and building of a new open source system and network management tool. Attendance is free, hosted in the luxurious Apple R&D building in Cupertino. Quite often, water and fresh krispy-kremes are served, a geek delight! No registration is required, free and open to the public. September 16, 2004 7:30 pm - 9:30 pm Apple Campus, Infinite Loop, Cupertino, CA, USA Town Hall *BLDG 4* Here is the event intro: Forests and Trees://Building an Open Source Discovery Management Tool with XML In an ideal world everything on the network would have a simple management interface, and every tool could access it. Well, in our real world, large shops typically have at least one version of every major network equipment, hardware, and software produced in the last ten years. As sysadmins and network admins, we rely on a mixture of commercial and open source network management tools and a lot of scripting and elbow grease to accomplish our magic. What about an open source system where all management data could be accessed remotely, without an agent to install on your 1000 servers, and all protocols could be used with a friendly URL, and return standardized data that could be queried and combined together regardless of where they are coming from? The recipe? Put a dose of ssh, sftp, http, nmap, smb, snmp, wbem, wmi, nfs, webdav, dns, dhcp, smtp, wins, ldap, sql, mibs, mofs, ping, arp and a couple of others in a large pot.
Stir well your alphabet soup, throw in a couple of RFCs for spice, then add a pinch of URI, XML, XPath and XQuery, some scripting, heat up to a gentle boil, and you get something that might taste good, or at least different. In this presentation, we will walk through design issues and trade-offs for such an open source system, and show new ways to extend the web and XML to network management, using existing tools, techniques, and skills. Some live demo will be made of the kind of weird and funny capabilities that are exposed. -- Cheers Philippe philippe ombredanne | nexB - Open IT Asset Management 1 650 799 0949 | pombredanne at nexb.com http://www.nexb.com
Re: DNS Weather Report 2004-09-07
What does fine in the report mean? No lookup timeout, or no out-of-sync? Joe --- Daniel Roesen [EMAIL PROTECTED] wrote: DNS WEATHER REPORT for selected infrastructure zones Issue 2004-09-07 Zones analyzed and their SOA contacts: - . - arpa. [EMAIL PROTECTED] - int. [EMAIL PROTECTED] - in-addr.arpa [EMAIL PROTECTED] - ip6.arpa. [EMAIL PROTECTED] - ip6.int. [EMAIL PROTECTED] Operators: please let me know whether you do want a copy when there's no problem with your zone(s) or not. Don't want to annoy anyone unnecessarily! Some people have approached me whether it would be possible to receive personal copies of the report. Please let me know whether you are interested in such a service yourself. If there is enough interest, I will set up a distro list for that. Executive summary: * the IP6.ARPA problems regarding delegation NS RRset got fixed! * ns.isi.edu is _still_ out of sync for the INT zone. * ns.isi.edu is _still_ auth for IP6.INT where it shouldn't be. The state of the root zone === fine! The state of the ARPA zone == fine! The state of the INT zone = - ns.isi.edu is not in sync with the other nameservers Current SOA serial of the INT TLD: 2004090400, ns.isi.edu has still 2002080104 and is publishing stale data (e.g. an old NS RRset for the zone). Problem exists since at least 2004-08-24 The state of the IN-ADDR.ARPA zone == fine! The state of the IP6.ARPA zone == fine! The state of the IP6.INT zone = - ns.isi.edu (one of the INT TLD servers) feels authoritative for the IP6.INT zone, but is neither listed in the delegation NS RRset, nor in the in-zone NS RRset of IP6.INT. Luckily, ns.isi.edu carries ip6.int with the same SOA serial as the official servers, so induces no operational problems so far. Problem exists since at least 2004-08-24 Regards, Daniel
WRED and QoS provisioning in ISP network
Hi, We are evaluating whether we should implement DiffServ-based e2e QoS provisioning in our network. Someone recommends that WRED should be used on each node which is set up to send traffic according to DSCP/IP_precedence. They claim that DiffServ+WRED is the best solution for the current network. But, as I know, WRED will bias normal TCP flows, while UDP and greedy TCP flows (like BT download) will win in bandwidth competition. Is there anybody who could do some help on telling me:
1. Is there any ISP using WRED in their network and gaining much from it? How do they use it?
2. Is there any information available on how ISPs plan their network according to the DiffServ architecture?
3. Is there any tool to monitor bandwidth utilization of each QoS class on each node? Is there any tool to monitor e2e QoS performance of each QoS class?
4. How do they plan trunk capacity in a dynamic network environment? esp. in a DiffServ network
5. Is there any possible security problem in a QoS enabled network?
6. How could we optimize network architecture according to QoS policy?
Each word will be highly appreciated. Joe Shen
Re: OT - 3 Free Gmail invites
At least three months. I use IE 6.0.2800.1106.xpsp2 (Chinese Version). And, this problem does not come up on my notebook which runs the same version of WinXP IE. Maybe they could not remake the situation Joe --- Dre G. [EMAIL PROTECTED] wrote: How long has it been since you have used it? What browsers were you using? I have had a few issues but they have all been resolved so I'm unsure as to where your problems stem from. Just curious. Andre On Thu, 2004-08-19 at 02:28, Joe Shen wrote: Gmail seems to be in Beta stage. I got a Gmail account months ago, but I do not use it by now. The reason is it does not solve two bugs I met. The first is, after logging into gmail it will prompt with Ooops, the system was unable to perform your operation. Please try again in a few seconds if I click Compose Mail. Sometimes this message comes up after I FINALLY succeed with Compose MAIL and click Send. Another thing I met is, when trying to log in. After typing in username/password, it shows Gmail is not available by now, and I have to reload one or two times to log in. This is really in contrast to what Yahoo! could provide. Joe --- Brett [EMAIL PROTECTED] wrote: WOW! Overwhelming response. Haven't sent them all out yet, but all accounted for. Brett On Wed, 18 Aug 2004 13:51:43 -0700, Brett [EMAIL PROTECTED] wrote: I've got a few to give out as well. Email me off-list and if I have any left, I'll send an invite. Brett On Wed, 18 Aug 2004 16:43:30 -0400, Joshua Brady [EMAIL PROTECTED] wrote: All gone
Re: OT - 3 Free Gmail invites
Gmail seems to be in Beta stage. I got a Gmail account months ago, but I do not use it by now. The reason is it does not solve two bugs I met. The first is, after logging into gmail it will prompt with Ooops, the system was unable to perform your operation. Please try again in a few seconds if I click Compose Mail. Sometimes this message comes up after I FINALLY succeed with Compose MAIL and click Send. Another thing I met is, when trying to log in. After typing in username/password, it shows Gmail is not available by now, and I have to reload one or two times to log in. This is really in contrast to what Yahoo! could provide. Joe --- Brett [EMAIL PROTECTED] wrote: WOW! Overwhelming response. Haven't sent them all out yet, but all accounted for. Brett On Wed, 18 Aug 2004 13:51:43 -0700, Brett [EMAIL PROTECTED] wrote: I've got a few to give out as well. Email me off-list and if I have any left, I'll send an invite. Brett On Wed, 18 Aug 2004 16:43:30 -0400, Joshua Brady [EMAIL PROTECTED] wrote: All gone
Re: Summary with further Question: Domain Name System protection
Hi, in the situation of a DoS attack or a situation of high session rate; Routers with hardware-based access lists. No problem. What I'm not sure about ACLs on routers is how a DNS server survives under DoS/DDoS attack. We suffered from a DoS attack last year, and we found the source IPs of that attack were located in our customers' IP address blocks. ACLs on routers could only filter traffic not meaningful to the DNS server, but how about those DDoS attacking packets? We currently have the Nominum CNS on trial here, and we are very impressed. It performs much better than BIND 8/9 - our measurements show even greater differences than Brad Knowles' tests. Example: One server running BIND 9 shows more than 30% CPU usage during peak hours, but only 2-3% with Nominum CNS. We also have the issue that BIND 9 seems to start *failing* when it reaches a certain cache size (as in: Some queries are either not answered at all, or they are answered with SERVFAIL). Impressive! What's the peak value of concurrent DNS requests in your trial? Thanks. Joe
Summary with further Question: Domain Name System protection
Hi, thanks for your help on my question. After reading carefully those comments, I reach the following conclusions:
1. ISPs use firewalls to protect their DNS servers;
2. ACLs on routers may be a good solution for protecting DNS servers; the policy could be to only pass those packets which originate from customers' IP address blocks and are destined to UDP port 53 of the DNS server;
3. Currently, it may be a little difficult for a firewall to filter DNS requests not conforming to DNS documents; but Nominum's product could;
4. Anycast is the most scalable and standard solution for a dispersed DNS server farm, while a layer-4 switch could deal with a centralized server farm;
5. 'bogon' in BIND configuration could be used to filter requests from RFC1918 addresses;
6. A firewall may become the bottleneck of a DNS server farm in the situation of a DoS attack or a situation of high session rate;
7. It's a good solution to divide DNS servers into two groups, one for recursive lookup, the other for non-recursive;
8. BIND should be configured carefully and there is a BIND secure template to follow.
Have I missed something? And, I got another two questions:
a) If a firewall is used to protect a DNS server farm, could it do more than a router's ACL while reaching the same performance-cost ratio? Which one is usually chosen by those ISPs having big customer numbers? (we noticed DNS requests from our customers keep increasing in past months)
b) Is there any publicly available performance evaluation of Nominum's product?
Any of your words will be highly appreciated. Joe
Domain Name System protection
Hi, We are trying to extend our DNS service system in the near future. In the current stage, it consists of 2 SUN FIRE servers with Solaris8 and BIND9 installed. Each server is configured with an IP address which is known to our customers. The DNS server is set up as a cache server because it only serves our customers to look up domain names. We noticed there are continuous name resolution requests from IP addresses outside of our address pool and also there are requests not conforming to DNS documents (like those from 10/8, 192.168/16 or something for the microsoft proxy server name). We think these requests waste our resources and we want this system stable, secure and high performance. The amount of DNS requests processed in the past week is about 0.8 billion. What I'm not sure with designing the new cache server farm is:
1. Is it really required to protect DNS servers by firewall? How do those ISPs, e.g. ATT, Sprint, make their DNS system highly available? Could we do that by filtering traffic other than that destined to port 53?
2. How could we extend our server farm by adding new servers while announcing the same IP addresses to our customers?
3. Is there any evaluation result of DNS server software? e.g. performance, resource required, stability, security etc.?
4. Which hardware/OS platform is better for DNS service?
5. Is it possible to filter those requests not conforming to DNS documents?
Each word will be highly appreciated! Joe
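An added example, not from the original posts, that applies the ACL policy from the summary (pass only customer-block sources to the cache) and the observations in the question above (requests from outside the address pool and from RFC1918 space, unqualified names) to constructed BIND 9 query-log lines. It tallies sources into customer, RFC1918 and outside, counts query types, and flags single-label names such as "wpad"; the customer blocks 203.0.113.0/24 and 198.51.100.0/24, the log lines and the function names are all assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed BIND 9 style query-log lines (made up for this example, not real traffic).
# 203.0.113.0/24 and 198.51.100.0/24 play the role of the ISP's customer address blocks.
SAMPLE_LOG = """\
client 203.0.113.17#53211: query: www.example.com IN A +
client 203.0.113.44#40012: query: example.com IN MX +
client 198.51.100.9#1025: query: 9.100.51.198.in-addr.arpa IN PTR +
client 10.0.0.5#3001: query: www.example.net IN A +
client 192.168.1.20#1400: query: wpad IN A +
client 192.0.2.250#60000: query: www.example.org IN A +
client 203.0.113.17#53212: query: mail.example.com IN A +
"""

# Assumed customer blocks: the only sources the router ACL would pass to UDP/53.
CUSTOMER_BLOCKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]
# RFC 1918 space, listed explicitly (ipaddress.is_private also covers documentation
# ranges such as 203.0.113.0/24, which would misclassify the sample customer block).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

QUERY_RE = re.compile(
    r"client (?P<src>[0-9a-fA-F.:]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)")


def classify_source(src):
    """'customer' if the ACL would pass it, 'rfc1918' for private space, else 'outside'."""
    ip = ipaddress.ip_address(src)
    if any(ip in n for n in CUSTOMER_BLOCKS):
        return "customer"
    if any(ip in n for n in RFC1918):
        return "rfc1918"
    return "outside"


def is_single_label(name):
    """Names like 'wpad' are unqualified host names leaking from client stub resolvers."""
    return "." not in name.rstrip(".")


def summarize(log_text):
    """Tally query sources and types and collect unqualified-name queries."""
    sources, qtypes, leaks = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line (or a format this parser does not know)
        sources[classify_source(m["src"])] += 1
        qtypes[m["qtype"]] += 1
        if is_single_label(m["name"]):
            leaks.append((m["src"], m["name"]))
    return {
        "total": sum(sources.values()),
        "sources": dict(sources),
        "qtypes": dict(qtypes),
        # queries the customer-only ACL would have kept off the cache server
        "dropped_by_acl": sources["rfc1918"] + sources["outside"],
        "unqualified_names": leaks,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```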
Re: That MIT paper
Hi, The paper doesn't pass any judgement on types of lookups, but obviously not all DNS lookups are equal from the end user perspective. In our observation, lookups for IP addresses constitute 70% of our cache server load, MX constitutes 14% and PTR only occupies 5%. And, on the other hand, the coarse analysis of our network traffic shows Web traffic occupies only 8% while streaming media occupies the most part of traffic. So, the authors' conclusion may be correct as viewing films online does not rely on DNS so much as browsing web pages. But, to my understanding a too short TTL will do harm to cache server performance, esp. when the amount of RRs cached is so large that BIND has to wait for swapping I/O and re-fetching those timed-out RRs again. In our follow-up measurement study, [we found] that DNSBL related DNS lookups at CSAIL in February 2004 account for 14% of all DNS lookups. In comparison, DNSBL related traffic accounted for merely 0.4% of all DNS lookups at CSAIL in December 2000. Is this work published or available publicly? Any work done with performance tuning of cache servers? 1. almost nobody has time to invest in reading this kind of paper. 2. almost everybody is willing to form a strong opinion regardless of that. 3. people from #2 use the paper they didn't read in #1 to justify an opinion. People rely on their experience, but science tries to find out on the basis of analysis. Usually, we meet problems which are caused by people replacing scientific conclusions with their experience. Joe Introducing Spymac MailPro: http://www.spymac.com/mailpro/
Relationship between DNS requests and server's CPU load
Hi, I want to know, is there any research or analysis on the relationship between DNS server load (e.g. CPU load, memory utilized) and incoming DNS resolution requests? Besides the research on name system architecture and cache policy, is there any guideline on planning or optimizing a domain name service system? thanks in advance. Joe Cool Things Happen When Mac Users Meet! Join the community in Boston this July: www.macworldexpo.com
RE: Strange behavior of Catalyst4006
I'm sorry, I made a mistake: the subnet between Catalyst4006 and the customer's firewall is 10.10.1.213/30, Catalyst4006's interface address is 10.10.1.213, the firewall's interface address is 10.10.1.214. Sorry. Joe On Mon, 28 Jun 2004 21:24 , Tony Rall [EMAIL PROTECTED] sent: On Monday, 2004-06-28 at 20:41 MST, Greg Schwimer [EMAIL PROTECTED] wrote: Some things you can look into: firewall interface(10.10.1.122/30). ip route 192.168.5.0 255.255.255.0 10.10.1.124 Is that the firewall interface is 10.10.1.122, or is it 10.10.1.124? 10.10.1.122 is a host address in the 10.10.1.120/30 subnet. 10.10.1.124 is a /30 network. Either way, you're dealing with two different subnets. Oddly, it's working sometimes. On top of that, we have this discrepancy: On Monday, 2004-06-28 at 19:01 CST, Joe Shen [EMAIL PROTECTED] wrote: interface FastEthernet4/41 ip address 10.10.1.213 255.255.255.252 So the router's address isn't even on the same subnet as the firewall's. Again, it's not clear how it ever worked. Tony Rall
Strange behavior of Catalyst4006
Hi, We met a strange problem with Catalyst 4006 when providing leased line service to one of our customers. Catalyst4006 --- Customer's firewall --- Customer's Intranet The customer is allocated a Class C address block 192.168.5/24. And, they connect their network to our network by using a firewall. The interface on Cata4006 is set up as no switchport, and an inter-connecting subnet is configured between Cata4006 and the firewall interface (10.10.1.122/30). A static route is used on Catalyst4006 to designate the route to the customer's intranet addresses (ip route 192.168.5.0 255.255.255.0 10.10.1.124). The customer set up their email server at 192.168.5.7, dns server at 192.168.5.1, web server at 192.168.5.9. At the very beginning all systems worked fine. After some time they said they could not access their email/web/dns server from hosts outside their company's network. But, when we telnet to Cata4006, we could 'ping' 192.168.5.7, but if we move to a host in the NOC ping failed all the time (ping to the server is allowed on the firewall). At the same time, their intranet hosts could access our network. We restarted (shut; no shut) the fastethernet interface on Catalyst4006, and then the servers' network access recovered. The phenomenon comes up frequently, and our customer said this is a bug with catalyst4006. But, to my understanding, if this is a bug in catos, it should not only affect only three servers. But, why could it be solved by restarting the catalyst interface? Would you please do some help? (I attach system info below) Joe Shen ==-= 4006#sh version Cisco Internetwork Operating System Software IOS (tm) Catalyst 4000 L3 Switch Software (cat4000-IS-M), Version 12.1(12c)EW1, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) TAC Support: http://www.cisco.com/tac Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Thu 24-Oct-02 23:05 by eaarmas Image text-base: 0x, data-base: 0x00CA7368 ROM: 12.1(12r)EW Dagobah Revision 63, Swamp Revision 24 4006-wulin uptime is 41 weeks, 12 hours, 34 minutes System returned to ROM by power-on System restarted at 05:40:46 RPC Mon Sep 15 2003 System image file is bootflash:cat4000-is-mz.121-12c.EW1.bin cisco WS-C4006 (XPC8245) processor (revision 5) with 524288K bytes of memory. Processor board ID FOX05200BRH Last reset from PowerUp 144 FastEthernet/IEEE 802.3 interface(s) 2 Gigabit Ethernet/IEEE 802.3 interface(s) 403K bytes of non-volatile configuration memory. Configuration register is 0x2102 4006# 4006-wulin#sh run int f4/41 Building configuration... Current configuration : 141 bytes ! interface FastEthernet4/41 no switchport ip address 10.10.1.213 255.255.255.252 duplex full speed 100 end 4006# ===
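As an added example (not part of the thread), the subnet mismatch Tony Rall spotted in the two messages above can be caught mechanically before a static route goes live: this Python audit parses an IOS-style interface address and static route, then reports a next hop that lies outside every connected subnet or that is a network/broadcast address rather than a host. The snippet is assembled from the addresses quoted in the thread; the /30 default used when no interface covers the next hop and the function names are assumptions.

```python
import ipaddress
import re

# Constructed IOS-style snippet assembled from values quoted in the thread (not a copy of
# the page's "sh run"): the /30 on FastEthernet4/41 plus the static route from the first post.
SAMPLE_CONFIG = """\
interface FastEthernet4/41
 no switchport
 ip address 10.10.1.213 255.255.255.252
 duplex full
 speed 100
!
ip route 192.168.5.0 255.255.255.0 10.10.1.124
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\S+) (\S+)\s*$")
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)")


def parse_config(text):
    """Return ({interface name: IPv4Interface}, [(destination network, next hop)])."""
    interfaces, routes, current = {}, [], None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            # ipaddress accepts dotted netmasks, so "a.b.c.d/255.255.255.252" parses directly
            interfaces[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = ROUTE_RE.match(line)
        if m:
            dest = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            routes.append((dest, ipaddress.ip_address(m.group(3))))
    return interfaces, routes


def next_hop_problems(interfaces, next_hop, ptp_prefixlen=30):
    """List why a next hop cannot be reached directly; an empty list means it looks consistent.

    ptp_prefixlen is the assumed size of inter-connect subnets; it is only used, when no
    interface covers the next hop, to decide whether the next hop is a host address at all."""
    problems = []
    egress = [i for i in interfaces.values() if next_hop in i.network]
    if not egress:
        subnets = ", ".join(str(i.network) for i in interfaces.values())
        problems.append(f"next hop {next_hop} is not in any connected subnet ({subnets})")
        prefixlen = ptp_prefixlen
    else:
        prefixlen = egress[0].network.prefixlen
        if next_hop == egress[0].ip:
            problems.append(f"next hop {next_hop} is the router's own interface address")
    # In a /30 only two addresses are hosts; the network and broadcast addresses are not
    # (a /31 point-to-point link uses both addresses as hosts, so it is skipped here).
    block = ipaddress.ip_interface(f"{next_hop}/{prefixlen}").network
    if block.prefixlen <= 30 and next_hop in (block.network_address, block.broadcast_address):
        problems.append(
            f"next hop {next_hop} is the network or broadcast address of {block}, not a host")
    return problems


def audit(text, ptp_prefixlen=30):
    """Map each static route's destination to its list of next-hop problems."""
    interfaces, routes = parse_config(text)
    return {str(dest): next_hop_problems(interfaces, nh, ptp_prefixlen) for dest, nh in routes}


if __name__ == "__main__":
    for dest, probs in audit(SAMPLE_CONFIG).items():
        print(dest, "OK" if not probs else "; ".join(probs))
```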
RE: Unplugging spamming PCs
Hi, Mail servers should be registered just like domains and shut down by a registrar if they are misusing their registered services. This really needs to be handled by a multi-lateral legal solution; industry will not fix it alone. No, I don't think this is a good solution. First of all, we could not ask customers to register everything they planned with a leased line without legal reasons. Second, if I hire DSL/leased_line service from an ISP and set up a domain name for myself, the ISP could not ask me to tell them which port should be opened as I'm not taking a firewalling service; I'm not a member of my service provider. I should be able to do anything that is not prohibited by law or affects others. Blocking_port_25 indicates the ISP pre-assumes that customers will SPAM their network. But, SPAMmers are just a very small group of people. Maybe most of them come from other countries (what happens in China). To me, the proper way of anti-spam may ask cooperation between ISPs and Email service providers. Anyway, strengthening anti-spam ability in Email servers is a must. regards Joe LP Best Regards, Larry
Re: what's going on with yahoo and gmail lately?
As mail.yahoo.com directs incoming login/mail_box_accessing requests to some other host, the long latency of DNS resolution time may lead to a timeout of webpage access. I solved this problem by setting those name-to-ip records in /etc/hosts before (a bad choice, :-() A question off focus: who knows when Google will open Gmail to the public? regards joe On Sun, 20 Jun 2004 21:54 , Mike Sawicki [EMAIL PROTECTED] sent: On Sun, Jun 20, 2004 at 09:22:33PM -0400, Sean Donelan wrote: On Sun, 20 Jun 2004, Matthew McGehrin wrote: 4 srp-8-1-ar01.verona.nj.nj01.comcast.net (68.87.47.193) 12.870 ms 9.725 ms 5 pos-7-0-cr01.plainfield.nj.core.comcast.net (68.87.19.253) 9.891 ms 8.937 ms 6 12.118.149.5 (12.118.149.5) 10.761 ms 10.216 ms Comcast offers toll-free customer assistance for all of its paying customers. Have you tried contacting them? The number is on your bill every month. Yes, try calling them. You *might* get through. These days they seem to hang up on about 1 of 3 customers who call in. I've been back on their "High Speed Internet" for about 3 months now and it seems to be getting worse every day. They are either overselling, or this new wholly-owned network of theirs is built very wrong. Honestly though.. if you use your home 'Net connection for anything important, I'd look for an alternative. I routinely have 19ms to my next hop.. about 4 miles away. I happen to have Verona and Plainfield directly in front of me as well.. I think it's our area. cheers, -- Mike Sawicki [EMAIL PROTECTED] Msg sent via Spymac Mail - http://www.spymac.com
Re: Akamai DNS issue
Confirmed here in China. mail.yahoo.com is not reachable. I met this problem with www.toshiba.com about a month ago, when www.toshiba.com could only be resolved by using ATT's DNS server cache. joe
Best Practice for MAN security?
Hi, Is there any paper/document on best practice for MAN security? Is there a recommended version list for IOS or Juniper OS? thanks in advance joe
Catalyst6509 GE interface hang without any indication
Hi, We are using a Catalyst6509 as a distribution layer switch which is connected to an M160 by a GE interface (OSPF runs on both sides). Yesterday we noticed that no traffic occurred on that GE link at some special time. When trying to ping the other side on either platform, no response was got. But, on either M160 or Catalyst6509, sh interface showed no error information. When checking syslog, there is no error record either. We also checked the configuration record for both systems, and found there is no modification in configuration at the time when link load became zero. As a last resort, we solved this problem by shutting down the GE VLAN interface on Catalyst6509, and no shut consequently, then everything came up. But, today another Catalyst6509 of our system hung on its uplink GE. We had to restart the box to solve it. Different from the catalyst6509 which hung yesterday, this catalyst6509 has had netflow-export enabled for months. (I included the detailed info at the end) I tried hard to find out the reason but can't find any related information on Cisco's site. Is there anybody who could do me a favor and do some help? Each word will be highly appreciated. regards Joe Shen / info for the first Catalyst 6509C-SUP-hz sh ver WARNING: This product contains cryptographic features and is subject to United States and local country laws governing import, export, transfer and use. Delivery of Cisco cryptographic products does not imply third-party authority to import, export, distribute or use encryption. Importers, exporters, distributors and users are responsible for compliance with U.S. and local country laws. By using this product you agree to comply with applicable laws and regulations. If you are unable to comply with U.S. and local laws, return this product immediately.
WS-C6509-NEB Software, Version NmpSW: 7.6(1) Copyright (c) 1995-2003 by Cisco Systems NMP S/W compiled on Apr 16 2003, 18:33:31 System Bootstrap Version: 7.1(1) System Boot Image File is 'bootflash:cat6000-sup2k9.7-6-1.bin' System Configuration register is 0x102 Hardware Version: 3.0 Model: WS-C6509-NEB Serial #: TBM07201366 PS1 Module: WS-CDC-1300WSerial #: SON07221E2W PS2 Module: WS-CDC-1300WSerial #: SON07221E25 Mod Port Model Serial #Versions --- --- --- -- 1 2WS-X6K-SUP2-2GE SAL0725F92G Hw : 4.2 Fw : 7.1(1) Fw1: 6.1(3) Sw : 7.6(1) Sw1: 7.6(1) WS-X6K-SUP2-2GE SAL0725F92G Hw : 4.2 Sw : 2 2WS-X6K-SUP2-2GE SAL0725F90A Hw : 4.2 Fw : 7.1(1) Fw1: 6.1(3) Sw : 7.6(1) Sw1: 7.6(1) WS-X6K-SUP2-2GE SAL0725F90A Hw : 4.2 Sw : 4 48 WS-X6148-RJ-45 SAL0723ELCS Hw : 1.3 Fw : 5.4(2) Sw : 7.6(1) 5 48 WS-X6148-RJ-45 SAL0723ELEG Hw : 1.3 Fw : 5.4(2) Sw : 7.6(1) 15 1WS-F6K-MSFC2SAL0723ENQ9 Hw : 2.5 Fw : 12.1(13)E7 Sw : 12.1(13)E7 16 1WS-F6K-MSFC2SAL0723ENPQ Hw : 2.5 Fw : 12.1(13)E7 Sw : 12.1(13)E7 DRAMFLASH NVRAM Module Total UsedFreeTotal UsedFreeTotal Used Free -- --- --- --- --- --- --- - - - 2 131072K 67144K 63928K 32768K 9043K 23725K 512K 296K 216K Uptime is 260 days, 0 hour, 23 minutes 6509C-SUP-hz 6509C-msfc-hzsh hard Cisco Internetwork Operating System Software IOS (tm) MSFC2 Software (C6MSFC2-PO3SV-M), Version 12.1(13)E7, EARLY DEPLOYMENT RELEASE SOFTWARE (fc2) TAC Support: http://www.cisco.com/tac Copyright (c) 1986-2003 by cisco Systems, Inc. Compiled Fri 20-Jun-03 09:24 by hqluong Image text-base: 0x40008C00, data- base: 0x419D8000 ROM: System Bootstrap, Version 12.1(11r)E1, RELEASE SOFTWARE (fc1) BOOTLDR: MSFC2 Software (C6MSFC2-BOOT-M), Version 12.1(8a)EX, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1) idc6509C-msfc-hz uptime is 37 weeks, 1 day, 31 minutes System returned to ROM by power-on System restarted at 15:26:41 RPC Mon Sep 8 2003 Running default software cisco Cat6k-MSFC2 (R7000) processor with 114688K/16384K bytes of memory. 
Processor board ID SAL0723ENPQ R7000 CPU at 300Mhz