RE: RADB down?
Yep, works from my other desk machine... Same subnet, different IP as well. I note it appears to be breaking their web whois queries as well, as I get a "connect failed: Connection timed out" notice on any of the webform updates.

John

-Original Message-
From: Mike Tancsa [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 05, 2008 11:04 AM
To: John van Oppen; nanog@merit.edu
Subject: Re: RADB down?

At 01:52 PM 3/5/2008, John van Oppen wrote:
>Anyone else seeing the radb whois server as being down?

Simple whois seems to work ok for me from one IP address, but not from another on the same subnet...

% ping -S 199.212.134.1 whois.ra.net
PING whois.radb.net (198.108.0.18) from 199.212.134.1: 56 data bytes
^C
--- whois.radb.net ping statistics ---
5 packets transmitted, 0 packets received, 100% packet loss

# ping -S 199.212.134.2 whois.ra.net
PING whois.radb.net (198.108.0.18) from 199.212.134.2: 56 data bytes
64 bytes from 198.108.0.18: icmp_seq=0 ttl=56 time=25.556 ms
64 bytes from 198.108.0.18: icmp_seq=1 ttl=56 time=25.886 ms
^C
--- whois.radb.net ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 25.556/25.721/25.886/0.165 ms

# whois -h whois.ra.net AS11404
aut-num:      AS11404
as-name:      VOBIZ
descr:        vanoppen.biz LLC / Spectrum Networks LLC
member-of:    AS-VOBIZ
import:       from AS2914 accept ANY
import:       from AS3491 accept ANY
import:       from AS3356 accept ANY
export:       to AS2914 announce AS-VOBIZ
export:       to AS3491 announce AS-VOBIZ
export:       to AS3356 announce AS-VOBIZ
admin-c:      John van Oppen
tech-c:       John van Oppen
mnt-by:       MAINT-AS11404
changed:      [EMAIL PROTECTED] 20070401 #16:20:39(UTC)
changed:      [EMAIL PROTECTED] 20070903 #17:42:34(UTC)
changed:      [EMAIL PROTECTED] 20080125 #07:55:53(UTC)
source:       RADB

# traceroute -s 199.212.134.2 -q1 198.108.0.18
traceroute to 198.108.0.18 (198.108.0.18), 64 hops max, 44 byte packets
 1  iolite4-fxp2 (199.212.134.10)  0.126 ms
 2  cogent-vl108 (67.43.129.246)  2.950 ms
 3  gi8-22.mpd01.yyz02.atlas.cogentco.com (38.104.158.77)  2.975 ms
 4  vl3492.mpd01.yyz01.atlas.cogentco.com (154.54.5.81)  3.355 ms
 5  te8-2.mpd01.ord01.atlas.cogentco.com (154.54.7.73)  18.345 ms
 6  vl3489.mpd01.ord03.atlas.cogentco.com (154.54.5.18)  17.938 ms
 7  Merit.demarc.cogentco.com (66.28.21.234)  18.053 ms
 8  ge-0-2-0x43.aa1.mich.net (198.108.22.241)  27.641 ms
 9  rpsl-p.merit.edu (198.108.0.18)  31.018 ms

% traceroute -n -q1 198.108.0.18
traceroute to 198.108.0.18 (198.108.0.18), 64 hops max, 40 byte packets
 1  199.212.134.10  0.180 ms
 2  67.43.129.246  3.220 ms
 3  38.104.158.77  3.977 ms
 4  154.54.5.85  7.361 ms
 5  154.54.2.161  18.714 ms
 6  154.54.25.66  18.852 ms
 7  38.112.7.10  20.107 ms
 8  198.108.22.241  30.215 ms
 9  *
10  *

Bad load balancer or busted MPLS silliness or firewall issue ?

---Mike
RADB down?
Anyone else seeing the radb whois server as being down?

-John
Power outages in Florida
Major media outlets have been reporting massive power outages in Florida. Given the scope it seems interesting nobody has commented. From the news reports it sounds like everyone in Miami just got an unscheduled generator test. The SIP proxies I deal with there are still up, so that is good. Anyone having issues? Anyone got more info?

Thanks,
John
RE: YouTube IP Hijacking
Looks like it just went back to normal:

cr1-sea-A>show ip bgp 208.65.153.253
BGP routing table entry for 208.65.153.0/24, version 41150187
Paths: (3 available, best #3)
Flag: 0x8E0
  Advertised to update-groups:
     1          3          4          6          13         14         16
  3356 3549 36561, (Received from a RR-client)
    208.76.153.126 (metric 110) from 208.76.153.126 (208.76.153.126)
      Origin IGP, metric 0, localpref 50, valid, internal
      Community: 3356:3 3356:22 3356:86 3356:575 3356:666 3356:2011 3549:4142 3549:30840 11404:1000 11404:1030
  2914 3549 36561, (Received from a RR-client)
    208.76.153.125 (metric 310) from 208.76.153.125 (208.76.153.125)
      Origin IGP, metric 0, localpref 49, valid, internal
      Community: 2914:420 2914:2000 2914:3000 11404:1000 11404:1010
  3491 3549 36561
    63.216.14.137 from 63.216.14.137 (63.216.14.9)
      Origin IGP, localpref 51, valid, external, best
      Community: 3491:2000 3491:2003 3491:3549 11404:1000 11404:1020
cr1-sea-A>

Probably worth noting that the performance at least from our perspective (via PCCW) is abysmal. As a side note, I know PCCW allows unfiltered route-announcement capability to a large number of their customers, our feed appears to be that way (or they apply RADB filters instantly which would be a bit impressive).

John van Oppen
Spectrum Networks LLC
206.973.8302 (Direct)
206.973.8300 (main office)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tomas L. Byrnes
Sent: Sunday, February 24, 2008 12:50 PM
To: Will Hargrave; nanog@merit.edu
Subject: RE: YouTube IP Hijacking

Pakistan is deliberately blocking Youtube.

http://politics.slashdot.org/article.pl?sid=08/02/24/1628213

Maybe we should all block Pakistan.

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Will Hargrave
> Sent: Sunday, February 24, 2008 12:39 PM
> To: [EMAIL PROTECTED]
> Subject: Re: YouTube IP Hijacking
>
> Sargun Dhillon wrote:
>
> > So, it seems that youtube's ip block has been hijacked by a more
> > specific prefix being advertised. This is a case of IP hijacking, not
> > case of DNS poisoning, youtube engineers doing something stupid, etc.
> > For people that don't know. The router will try to get the most
> > specific prefix. This is by design, not by accident.
>
> You are making the assumption of malice when the more likely cause is
> one of accident on the part of probably stressed NOC staff at 17557.
>
> They probably have that /24 going to a gateway walled garden box which
> replies with a site saying 'we have banned this', and that /24 route is
> leaking outside of their AS via PCCW due to dodgy filters/communities.
>
> Will
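The thread's two technical points are that longest-prefix match lets a leaked /24 beat the legitimate /22 regardless of path attributes, and that a defender catches this by checking the origin AS of anything inside a monitored block. The following is an added example (not code from anyone in the thread) that does both over a constructed RIB; the covering aggregate 208.65.152.0/22 and origin AS36561 are assumed as the monitoring policy, and the "during" table is built from the ASNs mentioned above rather than a captured dump.

```python
"""Longest-prefix match and origin-AS checks for a monitored block.

Added example for the thread above; the RIB entries are constructed from the
paths quoted in the thread, not a real table dump."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str                 # e.g. "208.65.153.0/24"
    as_path: Tuple[int, ...]    # leftmost = neighbour AS, rightmost = origin AS
    local_pref: int = 100

    @property
    def network(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.prefix)

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


def best_route_for(dest: str, rib: List[Route]) -> Optional[Route]:
    """Longest-prefix match: the most specific covering prefix wins before any
    BGP attribute is compared, which is why a leaked /24 beats the real /22."""
    addr = ipaddress.ip_address(dest)
    covering = [r for r in rib if addr in r.network]
    if not covering:
        return None
    longest = max(r.network.prefixlen for r in covering)
    candidates = [r for r in covering if r.network.prefixlen == longest]
    # Tie-break among equal-length prefixes: higher local_pref, then shorter AS path
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))


def detect_hijacks(rib: List[Route], expected: Dict[str, Set[int]]) -> List[Tuple[Route, str, str]]:
    """Flag any route inside a monitored aggregate whose origin AS is not in
    the allowed set. Returns (route, monitored_prefix, reason) tuples."""
    findings = []
    for monitored, allowed in expected.items():
        mon_net = ipaddress.ip_network(monitored)
        for r in rib:
            if not r.network.subnet_of(mon_net):
                continue
            if r.origin_as not in allowed:
                kind = "more-specific" if r.network.prefixlen > mon_net.prefixlen else "exact"
                findings.append((r, monitored,
                                 f"{kind} {r.prefix} originated by AS{r.origin_as}, "
                                 f"expected one of {sorted(allowed)}"))
    return findings


# Assumed monitoring policy: the covering aggregate and its legitimate origin.
MONITORED = {"208.65.152.0/22": {36561}}

# Constructed: table during the incident, with the more-specific arriving
# via PCCW (3491) and originated by AS17557.
RIB_DURING = [
    Route("208.65.152.0/22", (3356, 3549, 36561)),
    Route("208.65.153.0/24", (3491, 17557)),
]

# Constructed from the show ip bgp output above: same /24, back at its real origin.
RIB_AFTER = [
    Route("208.65.152.0/22", (3356, 3549, 36561)),
    Route("208.65.153.0/24", (3356, 3549, 36561), local_pref=50),
    Route("208.65.153.0/24", (2914, 3549, 36561), local_pref=49),
    Route("208.65.153.0/24", (3491, 3549, 36561), local_pref=51),
]

if __name__ == "__main__":
    for label, rib in (("during", RIB_DURING), ("after", RIB_AFTER)):
        best = best_route_for("208.65.153.253", rib)
        print(f"{label}: 208.65.153.253 -> {best.prefix} via {best.as_path}")
        for _, mon, reason in detect_hijacks(rib, MONITORED):
            print(f"{label}: ALERT inside {mon}: {reason}")
```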
Anyone with clue at GBLX / AS3549 -- long duration fiber cut
Anyone have any detail on the apparent GBLX fiber cut between Seattle and northern California? The outage has been ongoing since mid-morning.

Thanks,
John van Oppen
Spectrum Networks LLC
206.973.8302 (Direct)
206.973.8300 (main office)
RE: v6 subnet size for DSL & leased line customers
Yep, it is sure little or no maintenance is being performed. :)

John

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Leigh Porter
Sent: Tuesday, December 25, 2007 4:06 PM
To: Crawford, Scott
Cc: nanog@merit.edu
Subject: Re: v6 subnet size for DSL & leased line customers

LOL.. Yeah, I am on call today - thankfully nothing happened.

Anyway, I hope you had a peaceful day!

--
Leigh

Crawford, Scott wrote:
> Well, I guess he told you. :)
>
> Merry Christmas
> Scotte
>
> -Original Message-
> From: "Jeroen Massar" <[EMAIL PROTECTED]>
> To: "Leigh Porter" <[EMAIL PROTECTED]>
> Cc: nanog@merit.edu
> Sent: 07/12/25 11:48 AM
> Subject: Re: v6 subnet size for DSL & leased line customers
>
> Leigh Porter wrote:
>
>> Wow, is this what you folks do at Christmas ?
>>
>
> Clearly you yourself are affectionate about this thing called Christmas,
> if you are so affectionate about it, then why are you making silly
> comments which do not contribute at all to the topic at hand?
> Must be very boring that Christmas of yours.
>
>
> On a more operational topic: even during Christmas (that Coca Cola
> induced commercialism party that gets attributed to some religion),
> people are using the Internet, and stuff breaks on the Internet, as such
> there will always be people who have to work on days like this.
>
> Greets,
> Jeroen
>
RE: IPv6 network boundaries vs. IPv4
We did the same thing... It seems easiest from a management perspective to copy the ipv4 logical layer with v6. The only change on our side was the fixed prefix length which if anything was a nice change.

We did run into a few devices (old layer 3 switches) that don't support ipv6 and on those we either did not deploy IPv6 or moved the routing off for both v4 and v6 to the nearest "core" router that could handle v6 for any vlans that required the v6 capability.

John van Oppen
Spectrum Networks LLC
206.973.8302 (Direct)
http://spectrumnetworks.us

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, August 27, 2007 10:25 AM
To: John Osmon
Cc: nanog@merit.edu
Subject: Re: IPv6 network boundaries vs. IPv4

On Sat, 25 Aug 2007 23:56:29 MDT, John Osmon said:
>
> Is anyone out there setting up routing boundaries differently for
> IPv4 and IPv6? I'm setting up a network where it seems to make
> sense to route IPv4, while bridging IPv6 -- but I can be talked
> out of it rather easily.

We decided to map our IPv6 subnets one-to-one to our IPv4, so each of our routed /22 to /27 subnets gets a /64 IPv6 prefix. This however was just due to the fact that our topology permitted that - your mileage may vary.
RE: Possible Level3 Fibre Cut
Cogent's network is built mostly on wiltel fiber. For those who don't recall, wiltel was bought by level 3. I bet that is what he was referring to.

John :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of virendra rode //
Sent: Thursday, February 22, 2007 6:49 AM
To: Rob Baxter
Cc: nanog@merit.edu
Subject: Re: Possible Level3 Fibre Cut

Rob Baxter wrote:
> I mean exactly what I said. I grabbed that info from
> http://status.cogentco.com/ after seeing a few complaints from users.
>
> Rob
- Sorry I meant your subject?

regards,
/virendra

>
> virendra rode // wrote:
> Rob Baxter wrote:
>
> ** Cogent Network Status Report Last Updated Wed Feb 21 16:35:00 2007 **
>
> Cogent Network Status/DNS Server Status
>
> Description: We currently have a possible fiber cut between Stamford, CT
> and New York City, NY. This may cause some latency for some of our
> customers between Boston and New York. We are working to correct the
> situation and currently do not have an ETA. Thank you.
>
> Rob Baxter
> ---
> You mean cogent, correct? I'm not seeing anything on level3 side. I know
> there's level3 maintenance scheduled to occur within 36 hours.
>
>
> regards,
> /virendra
>
>
RE: broken DNS proxying at public wireless hotspots
My experience with swisscom's "eurospot" hotspots ended up involving my tunneling everything over my VPN.

John

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Suresh Ramasubramanian
Sent: Friday, February 02, 2007 10:08 PM
To: nanog list
Subject: broken DNS proxying at public wireless hotspots

Right now, I'm on a swisscom eurospot wifi connection at Paris airport, and this - yet again - has a DNS proxy setup so that the first few queries for a host will return some nonsense value like 1.2.3.4, or will return the records for com instead. Some 4 or 5 minutes later, the dns server might actually return the right dns record.

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25634
;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 11

;; QUESTION SECTION:
;www.kcircle.com.               IN      A

;; AUTHORITY SECTION:
com.                    172573  IN      NS      j.gtld-servers.net.
com.                    172573  IN      NS      k.gtld-servers.net.
[etc]

;; Query time: 1032 msec
;; SERVER: 192.168.48.1#53(192.168.48.1)
;; WHEN: Sat Feb 3 11:33:07 2007
;; MSG SIZE  rcvd: 433

They're not the first provider I've seen doing this, and the obvious workarounds (setting another NS in resolv.conf, or running a local dns caching resolver) don't work either as all dns traffic is proxied.

Sure I could route dns queries out through a ssh tunnel but the latency makes this kind of thing unusable at times. I'm then reduced to hardwiring some critical work server IPs into /etc/hosts

What do nanogers usually do when caught in a situation like this?

thanks
srs

--
Suresh Ramasubramanian ([EMAIL PROTECTED])
RE: Route Reflector architecture and how to get small customer blocks in to BGP?
Yep, that is a good strategy... No announcement without the right communities sure makes it much harder to leak. We redistribute lots of static routed stuff into BGP, but only announce globally using network statements with route map applying the right communities. So far, we have never leaked internal routes to customers, peers or transit that we are aware of.

John :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Provo
Sent: Sunday, January 28, 2007 1:12 PM
To: NANOG
Subject: Re: Route Reflector architecture and how to get small customer blocks in to BGP?

On Sun, Jan 28, 2007 at 10:59:50AM -0700, Danny McPherson wrote:
[snip]
> o If you're going to use redistribution - or not - ensure that all
> external advertisement policies require explicit match of advertise
> communities and default is to deny

This should be just good security policy. I think of it as a network-level instance of "that which is not expressly permitted is denied" which everyone applies for services on their hosts, right :-)

Cheers,

Joe

--
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
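To make the "explicit community match, default deny" policy concrete, here is an added example (not configuration from any network in the thread) that evaluates a weak export policy ending in a bare permit beside the strict form, over a constructed RIB where statics were redistributed untagged. The community 11404:1000 is assumed here to be the "announce globally" tag; the thread shows that community but does not say what it means.

```python
"""Export policy with explicit community match and implicit deny.

Added example, not configuration from any network in the thread. Route entries
are constructed, and 11404:1000 is assumed here to be the 'announce globally'
tag (the thread shows the community but not what it means)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Route:
    prefix: str
    source: str                                   # how the route entered BGP
    communities: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Clause:
    """One route-map entry: permit/deny, optionally gated on a community match."""
    action: str                                   # "permit" or "deny"
    match_any: Optional[FrozenSet[str]] = None    # None matches every route


def evaluate(route: Route, policy: List[Clause]) -> bool:
    """First matching clause decides; falling off the end is a deny,
    mirroring IOS route-map semantics."""
    for clause in policy:
        if clause.match_any is None or (clause.match_any & route.communities):
            return clause.action == "permit"
    return False


def announced(rib: List[Route], policy: List[Clause]) -> List[str]:
    """Prefixes the policy would send to an external neighbour."""
    return [r.prefix for r in rib if evaluate(r, policy)]


def leaks(rib: List[Route], policy: List[Clause], tag: FrozenSet[str]) -> List[str]:
    """Prefixes the policy would send out without carrying the announce tag."""
    return [r.prefix for r in rib if evaluate(r, policy) and not (tag & r.communities)]


ANNOUNCE_TAG = frozenset({"11404:1000"})
NO_EXPORT_TAG = frozenset({"11404:666"})    # constructed local 'never export' tag

# Weak: a trailing bare permit means anything not explicitly denied goes out.
WEAK_EXPORT = [Clause("deny", NO_EXPORT_TAG), Clause("permit")]

# Strict: only tagged routes are permitted; everything else hits the implicit deny.
STRICT_EXPORT = [Clause("deny", NO_EXPORT_TAG), Clause("permit", ANNOUNCE_TAG)]

# Constructed RIB: one aggregate injected via a network statement plus route-map
# (hence tagged), two untagged routes pulled in by redistributing statics.
RIB = [
    Route("198.51.100.0/24", "network-statement", ANNOUNCE_TAG),
    Route("10.9.0.0/16", "redistribute-static"),
    Route("192.0.2.0/24", "redistribute-static"),
]

if __name__ == "__main__":
    print("weak policy announces:  ", announced(RIB, WEAK_EXPORT))
    print("weak policy leaks:      ", leaks(RIB, WEAK_EXPORT, ANNOUNCE_TAG))
    print("strict policy announces:", announced(RIB, STRICT_EXPORT))
```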
RE: Westin Seattle Outage?
This was not a building wide problem; apparently it did serve to find the failed UPSes in a few places. The building management does these tests several times a year, and at least to the one colo where we had visibility to the building electrical service, we saw the same outages we always see during such a test. It is also worth noting that I only saw one of about 60 BGP sessions across the Seattle-IX (which is in the building) reset at the time of the work.

John

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kunkel
Sent: Friday, January 26, 2007 11:26 PM
To: chuck goolsbee
Cc: nanog@merit.edu
Subject: Re: Westin Seattle Outage?

We too had probs. I saw only two outages, one around 8PM PDT and one around 9:45PM PDT. I called during the first one, and the people I talked to were obviously in a state, and I had trouble hearing anyone, as they were in an extremely loud part of the data center or something. From what I could understand through the noise of some really loud fans or a generator, there was a power test of some kind, and a generator flaked or something. I've requested more detailed info, but have yet to receive it.

From what I understand, it affected more than just one provider.

--Rick Kunkel

On Fri, 26 Jan 2007, chuck goolsbee wrote:

>
> >We just saw one of our gig-e circuits to the Westin bounce three
> >times and another just go flatline in the past hour.
>
> Answering my own question I know, but the OnFiber/Qwest guys I spoke
> to informed me that they heard the Westin had some sort of backup
> power scheduled maintenance go wrong. That was the 3 bouncer. I still
> wouldn't mind independent verification of that.
>
>
> The flatliner was XO, and it seems that it may not even touch the
> Westin (instead goes to 1000 Denny.) I still don't know what happened
> there. It did come back after 86 minutes of eerie silence. Anyone
> else with XO circuits see anything odd tonight?
>
>
>
> --chuck
>
> Note to XO NOC: Your hold music is *awful* and on a way too short
> loop. It is bad enough when it is bad music, but to hear it over and
> over and over... for well over an hour, is customer torture.
>
RE: Reclassification of NON-PORTABLE address space?
Are you referring to space you got directly from ARIN? If so, it is by definition portable. If it is space from a provider it belongs to the provider, not you and is thus not portable.

john

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roldan, Brad
Sent: Friday, October 27, 2006 4:52 PM
To: nanog@merit.edu
Subject: Reclassification of NON-PORTABLE address space?

Anyone know if there is a precedent for reclassifying blocks of non-portable address space to portable? I didn't see anything in ARIN archives (maybe I didn't look hard enough). Bribery? Threats? Acquisition of the assignor by the assignee?

If such a reclassification were simple, I expect that the process would be heavily abused by smaller networks that would like to avoid renumbering.

Brad

--
Covad Communications
2510 Zanker Road
San Jose, CA 95131
+1-408-434-2048
RE: NNTP feed.
I guess I should say that most people are outsourcing to the bigger news shops (at least the people I know are) due to the hardware demands of today's news volumes.

john :)

-Original Message-
From: Jeroen Massar [mailto:[EMAIL PROTECTED]
Sent: Tue 9/5/2006 4:10 PM
To: John van Oppen
Cc: [EMAIL PROTECTED]; Drew Weaver; nanog@merit.edu
Subject: Re: NNTP feed.

John van Oppen wrote:
> we don't run one either... :)
>
> The last person I know who was running one, was in the process of killing
> it.

Apparently you found some people killing it off, while there are actually companies who specialize in NNTP access. It seems that for mysterious reasons which the RIAA and other such organizations apparently don't seem to understand that these companies are also causing quite a lot of traffic to be shifted over the internet.

Peeking at for instance http://www.nextfeed.nl/ reveals that there is one ISP having 40 days retention which apparently maps to 6*50 TB (that is 300 Terabytes indeed) of storage space, while there are also another having 50 days of retention, most likely mapping to somewhat like 400 Tb. On average they seem to be shifting in the vicinity of 15Tb/day though, looking at the number 14 of the top1000.org list.

For hardware freaks it of course gives some nice things like the Dutch newszilla installation: http://wa.ter.net/gallery2/images/newszilla
That single setup already makes quite some small hosting companies drool out of both corners ;)
Networking freaks will love the "Core Juniper 640 handles newszilla traffic" comment

Otherwise said: if you are setting up a full-nntp-feed capable box, you'll have to dig nice and deep into that money bag but on the other hand there seems to be loads of people doing a lot of posting and reading, where else would the volume of that traffic come from?

For the people trying to find peers, check: http://www.usenet.com/peering/peeringpage.cfm
and of course also: http://www.top1000.org/ where even google pops up in a 4th place.

Greets,
Jeroen
RE: NNTP feed.
we don't run one either... :)

The last person I know who was running one, was in the process of killing it.

john :)

-Original Message-
From: Deepak Jain [mailto:[EMAIL PROTECTED]
Sent: Tue 9/5/2006 3:37 PM
To: John van Oppen
Cc: Drew Weaver; nanog@merit.edu
Subject: Re: NNTP feed.

What is the current BCP to establish a well-connected news server nowadays? All the guys I used to know who were experts in this... um, don't run news servers anymore. :)

If you want to privately offer me an NNTP feed that would be welcome -- we'll even peer with you because of it.

Thanks

Deepak

John van Oppen wrote:
> They might as aleron used to offer it. That comes with the disclaimer
> that I have never tried it.
>
> John :)
>
> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
> Drew Weaver
> Sent: Tuesday, September 05, 2006 9:10 AM
> To: nanog@merit.edu
> Subject: NNTP feed.
>
>
> Does anyone know if cogent offers NNTP feeds to their DIA customers?
> Before we take the plunge we need to know and the sales fellas weren't
> able to tell me this.
>
> -Drew
>
>
>
RE: NNTP feed.
They might as aleron used to offer it. That comes with the disclaimer that I have never tried it.

John :)

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Drew Weaver
Sent: Tuesday, September 05, 2006 9:10 AM
To: nanog@merit.edu
Subject: NNTP feed.

Does anyone know if cogent offers NNTP feeds to their DIA customers? Before we take the plunge we need to know and the sales fellas weren't able to tell me this.

-Drew
RE: WSJ: Big tech firms seeking power
I can tell you that my home residential rate is just under 6 cents (after taxes) in eastern Washington and that you are in the ballpark with your large commercial customer numbers (irrigators get 2.5 cent rates). We work with another PUD in the area on data center type apps and find the pricing to be amazing when compared to other areas. There is also access to large amounts of water (for evaporative cooling as an example) in a lot of areas due to the ability to transfer water rights from agriculture to commercial use. If anybody really wants more info, email privately.

John :)

John van Oppen
PocketiNet Communications
Technical Operations

"Good advice is expensive." --Unknown

Main: + 1 (509) 526 - 5026
Direct: +1 (509) 593 - 4707

-Original Message-
From: chuck goolsbee [mailto:[EMAIL PROTECTED]
Sent: Friday, June 16, 2006 10:48 AM
To: nanog@merit.edu
Subject: Re: WSJ: Big tech firms seeking power

>I wonder just how much power it takes to cool 450,000 servers.

I've heard mumbles that the per kWh rates from Bonneville in the locations along the Columbia are in the sub-4¢ range. Grant county is seeing a huge fiber building boom as a result. It will be more wired up than King county soon.

Woody was here last night and remarked (feel free to correct me if I misquote you Bill) that it was funny that nowadays "network geeks were more interested in kilowatts than kilobits"

--chuck (in Seattle)
RE: Interesting new spam technique - getting a lot more popular.
We end up with customers asking for more IPs too. We just add additional subnets to the interface, perhaps they started with a /30 but now need three more IPs, we just add an additional /29 to the interface leaving both blocks. It is not often that anything needs to be explained to the customer other than the correct subnet mask and gateway for the IPs. This makes our configs look like this for each customer vlan:

ip address 2.2.2.9 255.255.255.252
ip address 3.3.2.129 255.255.255.224 secondary

That being said, I know at least one of our transit customers does hosting exactly how you are describing. Coincidentally, this customer is also one of the customers that asked if we could "give them a class C block."

Using this strategy has never been a problem with ARIN for us, in fact I have applied for and received more space at intervals between 6 and 14 months for the last four years without any issue at all.

John :)

-Original Message-
From: Richard A Steenbergen [mailto:[EMAIL PROTECTED]
Sent: Wednesday, June 14, 2006 12:18 AM
To: Christopher L. Morrow
Cc: NANOG
Subject: Re: Interesting new spam technique - getting a lot more popular.

On Wed, Jun 14, 2006 at 04:46:31AM +, Christopher L. Morrow wrote:
>
> is it really that hard to make your foundry/extreme/cisco l3 switch vlan
> and subnet??? Is this a education thing or a laziness thing? Is this
> perhaps covered in a 'bcp' (not even an official IETF thing, just a
> hosters bible sort of thing) ?

Simple: Subnets are hard, customers are stupid, and ARIN is not exactly a hosters best friend.

When a hosting customer asks for 5 IPs today and 25 IPs tomorrow, it is infinitely easier for the hosting folks to just slap them into /24s and say "ok uhm you are now .69-.94" than to try and explain subnets, cidr, reserving IP space in cidr sized blocks etc to the customer.

Hosters are also generally under-equipped in the paperwork and detailed documentation department, so they tend to run their IP allocations into the ground while attempting to explain their need for more space. CIDR allocations are "wasteful" to them, especially when a customer needs to expand from 30 IPs to 35 IPs and crosses a new boundary.

In case you've never seen hoster configs, they generally look a little something like this:

ip address 1.1.1.1 255.255.255.0
ip address 1.1.2.1 255.255.255.0 secondary
ip address 1.1.3.1 255.255.255.0 secondary
ip address 1.1.4.1 255.255.255.0 secondary
ip address 1.1.5.1 255.255.255.0 secondary
...

Anything else is quite honestly beyond 99% of hosters out there, they're still blissfully calling these things "class c's". I've seen some truly godawful things configured by hosters, like chains of 3548s all linking back to a single router interface in ways you can't even imagine. If you made it dirt simple for them they would probably be doing something better (I usually point folks who ask to pvlans, then take the opportunity to make a hasty retreat while they are distracted), but otherwise they don't see the benefit in it. Why bother configuring your router better when you can just send your $5/hr monkey over with a redhat cd and have them reinstall, right? :)

--
Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
RE: Interesting new spam technique - getting a lot more popular.
It sure seems like this is a good demo of the best practice of having customers on their own VLANs with their own subnets. We have been doing this since we started offering colo services, is this less common than I thought?

John

-Original Message-
From: Christopher L. Morrow [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 13, 2006 9:23 PM
To: Suresh Ramasubramanian
Cc: NANOG
Subject: Re: Interesting new spam technique - getting a lot more popular.

On Wed, 14 Jun 2006, Suresh Ramasubramanian wrote:

> That was not my advice btw - just forwarding on what I saw.
>

oh,. apologies, i did cut the message down quite a bit :( I understood you were quoting from the spamdiaries website, I apologize to the other listeners (readers?) if it confused the issue.

> What you say does seem like a "must do" all right - but putting ARP
> filters in is actually a reasonable idea.
>

At least it'd trim down the 'problem' to the single customer subnet, I assume that dedicated hosting folks don't just drop machines behind a switch on one big flat subnet? That's probably a naive assumption though :( Perhaps this is clue #12 that that is a 'less than good' option? :)

> On 6/14/06, Christopher L. Morrow
> <[EMAIL PROTECTED]> wrote:
> >
> > On Wed, 14 Jun 2006, Suresh Ramasubramanian wrote:
> >
> > >
> > > http://thespamdiaries.blogspot.com/2006/02/new-host-cloaking-technique-used-by.html
> > >
> > > * Monitor your local network for interfaces transmitting ARP
> > > responses they shouldn't be.
> >
> > how about just mac security on switch ports? limit the number of mac's at
> > each port to 1 or some number 'valid' ?
> >
>
>
> --
> Suresh Ramasubramanian ([EMAIL PROTECTED])
>
BGP community guide for AS7911 (willtel, now L3)
Does anybody have a list of communities that the old AS7911 accepts from customers? I can't find their guide anywhere and nobody at level3 seems to have it. I really need to keep traffic from a couple of ASes away from them if possible and prepending to them results in almost no usage. In any case, the list is not at http://www.onesc.net/communities/ with the others.

Thanks,
John
AW: Odd policy question.
Assuming that you are running separate authoritative and recursive servers this would only be a problem when someone goes to a lame-delegated domain. It is probably also good to note that it is a best practice to separate authoritative and recursive servers.

john

-Original Message-
From: Christopher McCrory [mailto:[EMAIL PROTECTED]
Sent: Friday, January 13, 2006 11:49 AM
To: Randy Bush
Cc: nanog@merit.edu
Subject: Re: Odd policy question.

On Fri, 2006-01-13 at 08:32 -1000, Randy Bush wrote:
> > Don't forget:
> > www IN CNAME goatse.cx
> > and don't forget the terminating dot on goatse.cx.
>
> but this did cause me to update those trapper zone files and
> bump the serials. last time the serials had been bumped since
> 1995. so you had the suggestion of a decade. mahalo.
>

Ouch. So you are going to punish the rest of the world for the mistakes of a few people (however annoying it is).

/me just cannot imagine explaining this to my mother when she mis-types some URL.

Granted that what your (former-) customers did was not any sort of best practice, but I think your "solution" is a little too extreme.

> randy

--
Christopher McCrory
"The^W One of the guys that keeps the servers running"
[EMAIL PROTECTED]
http://www.pricegrabber.com

Let's face it, there's no Hollow Earth, no robots, and no 'mute rays.' And even if there were, waxed paper is no defense. I tried it. Only tinfoil works.
AW: BGP Security and PKI Hierarchies
While I think $1250/year for a /24 of space seems a bit high, I see no reason that legacy allocations should remain free. Perhaps $100/year (like an ASN is) would be reasonable for small legacy allocations. This is especially important for end users who have these allocations as they would most likely be free from their upstream provider. That being said, if it is larger than a few /24s I see no reason to not have the regular rates apply. If you have a /16 and can't afford the fee, you can't possibly afford to fill it with machines and should simply be allowed to swap down to a smaller allocation. Such a scheme would be in the best interest of all as it would allow for some reclamation of numbering resources.

Charging something also seems as though it would help with the IP hoarding problem that is going on with legacy allocations. It would also help to "automatically" expire allocations which are not in use as users would be less willing to pay for resources they are not using.

John :)

-Original Message-
From: Joe Abley [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 29, 2005 11:20 AM
To: David Barak
Cc: [EMAIL PROTECTED]
Subject: Re: BGP Security and PKI Hierarchies

On 29-Nov-2005, at 12:16, David Barak wrote:

> Maybe my imagination just isn't good enough: could you
> toss me an example-type of organization where that
> would be problematic?

Oh, my mistake -- you're talking about new organisations looking to acquire PI space. I was talking about organisations who have grandfathered (and hence zero-fee) PI space.

I don't have any examples of the former, and I tend to agree with your assessment for that.

Joe
RE: IANA Blackhole Servers Ill?
It is probably important to know that those servers are anycasted via the AS112 project (www.as112.net). Perhaps the AS112 operator you are seeing is having issues. You could try to identify which one and let them know. Thanks, John :) -Ursprüngliche Nachricht- Von: Peter Dambier [mailto:[EMAIL PROTECTED] Gesendet: Friday, October 21, 2005 2:20 PM An: [EMAIL PROTECTED] Cc: nanog Betreff: Re: IANA Blackhole Servers Ill? To me they do answer: ; <<>> DiG 9.1.3 <<>> -t any 10.in-addr.arpa. @blackhole-1.iana.org. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20469 ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;10.in-addr.arpa. IN ANY ;; ANSWER SECTION: 10.in-addr.arpa.604800 IN SOA prisoner.iana.org. hostmaster.root-servers.org.\ 2002040800 1800 900 604800 604800 10.in-addr.arpa.604800 IN NS blackhole-1.iana.org. 10.in-addr.arpa.604800 IN NS blackhole-2.iana.org. ;; Query time: 113 msec ;; SERVER: 192.175.48.6#53(blackhole-1.iana.org.) ;; WHEN: Fri Oct 21 23:15:39 2005 ;; MSG SIZE rcvd: 162 ; <<>> DiG 9.1.3 <<>> -t any 10.in-addr.arpa. @blackhole-2.iana.org. ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43116 ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0 ;; QUESTION SECTION: ;10.in-addr.arpa. IN ANY ;; ANSWER SECTION: 10.in-addr.arpa.604800 IN SOA prisoner.iana.org. hostmaster.root-servers.org.\ 2002040800 1800 900 604800 604800 10.in-addr.arpa.604800 IN NS blackhole-1.iana.org. 10.in-addr.arpa.604800 IN NS blackhole-2.iana.org. ;; Query time: 112 msec ;; SERVER: 192.175.48.42#53(blackhole-2.iana.org.) ;; WHEN: Fri Oct 21 23:15:49 2005 ;; MSG SIZE rcvd: 162 Regards, Peter and Karin Dambier Crist Clark wrote: > > We got some very weird compaints about applications "hanging." Tracked > it down to reverse lookups timing out. Reverse lookups to RFC1918 space. > Looks like the IANA blackhole servers for RFC1918 are not well? 
>
> 1 0.0 207.88.152.10 -> 192.175.48.6 DNS C 52.143.18.172.in-addr.arpa. Internet PTR ?
> 2 0.01375 192.175.48.6 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
> 3 0.68455 207.88.152.10 -> 192.175.48.6 DNS C 111.143.18.172.in-addr.arpa. Internet PTR ?
> 4 0.00529 192.175.48.6 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
> 5 3.00417 207.88.152.10 -> 192.175.48.42 DNS C 111.143.18.172.in-addr.arpa. Internet PTR ?
> 6 0.00548 192.175.48.42 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
> 7 0.68462 207.88.152.10 -> 192.175.48.42 DNS C 69.160.18.172.in-addr.arpa. Internet PTR ?
> 8 0.00623 192.175.48.42 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
> 9 0.60348 207.88.152.10 -> 192.175.48.6 DNS C 52.143.18.172.in-addr.arpa. Internet PTR ?
> 10 0.00523 192.175.48.6 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
>
> Looks like the hosts are up but not listening on 53/udp? Anyone else
> seeing this? Heard about it?
>
> (Of course, the fix is to claim authority for the RFC1918 space you are
> using in your own DNS servers.)

--
Peter and Karin Dambier
Public-Root
Graeffstrasse 14
D-64646 Heppenheim
+49-6252-671788 (Telekom)
+49-179-108-3978 (O2 Genion)
+49-6252-750308 (VoIP: sipgate.de)
mail: [EMAIL PROTECTED]
mail: [EMAIL PROTECTED]
http://iason.site.voila.fr
http://www.kokoom.com/iason
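As an added example (not part of the thread), a small parser for the snoop-style trace Crist posted that tells "host up but nothing listening on 53/udp" (ICMP port unreachable coming back) apart from a silent timeout and from a healthy answer; the 192.0.2.x servers and packets 7 to 9 in the sample are constructed to exercise those other two outcomes.

```python
import re
from dataclasses import dataclass

# Constructed sample in the snoop-style format quoted above (number, delta,
# src -> dst, summary). 192.175.48.x are the blackhole servers from the thread;
# 192.0.2.x are made-up servers added to show the other two outcomes.
SAMPLE_TRACE = """\
1 0.0 207.88.152.10 -> 192.175.48.6 DNS C 52.143.18.172.in-addr.arpa. Internet PTR ?
2 0.01375 192.175.48.6 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
3 0.68455 207.88.152.10 -> 192.175.48.6 DNS C 111.143.18.172.in-addr.arpa. Internet PTR ?
4 0.00529 192.175.48.6 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
5 3.00417 207.88.152.10 -> 192.175.48.42 DNS C 111.143.18.172.in-addr.arpa. Internet PTR ?
6 0.00548 192.175.48.42 -> 207.88.152.10 ICMP Destination unreachable (UDP port 53 unreachable)
7 0.68462 207.88.152.10 -> 192.0.2.53 DNS C 69.160.18.172.in-addr.arpa. Internet PTR ?
8 0.12000 192.0.2.53 -> 207.88.152.10 DNS R 69.160.18.172.in-addr.arpa. Internet PTR host.example.
9 0.60348 207.88.152.10 -> 192.0.2.54 DNS C 52.143.18.172.in-addr.arpa. Internet PTR ?
"""

LINE_RE = re.compile(r"^\s*\d+\s+[\d.]+\s+(\S+)\s+->\s+(\S+)\s+(.*)$")

@dataclass
class ServerStats:
    queries: int = 0           # DNS queries sent to this server
    answers: int = 0           # DNS replies it sent back
    port_unreachable: int = 0  # ICMP "UDP port 53 unreachable" it sent back

def parse_trace(text):
    """Return (src, dst, summary) for each packet line; ignore anything else."""
    return [m.groups() for m in map(LINE_RE.match, text.splitlines()) if m]

def summarize(packets):
    """Tally queries, answers and port-unreachables per DNS server."""
    stats = {}
    for src, dst, summary in packets:
        if summary.startswith("DNS C"):
            stats.setdefault(dst, ServerStats()).queries += 1
        elif summary.startswith("DNS R"):
            stats.setdefault(src, ServerStats()).answers += 1
        elif "port 53 unreachable" in summary:
            stats.setdefault(src, ServerStats()).port_unreachable += 1
    return stats

def classify(s):
    """Port-unreachable = host up, no listener on 53/udp; nothing back = silent."""
    if s.answers:
        return "answering"
    if s.port_unreachable:
        return "up-but-not-listening"
    return "silent"

def diagnose(text):
    """Map each DNS server seen in the trace to its health classification."""
    return {srv: classify(s) for srv, s in summarize(parse_trace(text)).items()}
```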
RE: /24 multihoming issue
A few questions that might help narrow down the problem you were seeing:

How exactly did you test the failover? How much time did you wait for things to stabilize before deciding the failover did not work and turning the second connection back on?

How is your outbound routing set up? Default routes or full tables? If defaults, it would be helpful to see any static routes that might be present.

Assuming that 19094 is still announcing the aggregate, the problem of filtering should be a non-issue (assuming they don't filter the 701 path from their upstreams). In any case, things seem to look ok from an outside perspective to most everyone who has commented.

John :)

-----Original Message-----
From: Elmar K. Bins [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 20, 2005 1:43 AM
To: Kyaw Khine
Cc: nanog@merit.edu
Subject: Re: /24 multihoming issue

[EMAIL PROTECTED] (Kyaw Khine) wrote:

> I opened ticket with both 701 and 19094 when we did
> failover 2 weeks ago. Both 701 and 19094 insist that
> they just take the route and send it out to the rest
> of the world.

I do see the prefix via both 701 and 19094 (heavily prepended) here in Frankfurt, Germany:

5539 3549 701 33105
12312 3257 7911 19094 33105 33105 33105 33105
5669 286 209 701 33105, (received & used)
8220 2914 701 33105
(and some dupes)

Neither one seems to filter wildly; I would believe that you hit aggregate-based (what's an allocation in ARIN terms?) ingress filters somewhere.

Elmar.

--
"Just don't make the mistake of replacing opinion with expertise."
(PLemken, <[EMAIL PROTECTED]>)

--[ ELMI-RIPE ]---
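An added example, not from the thread, of the check a multihomed site can run over paths collected from looking glasses before (and after) a failover test: does the prefix still show up behind each expected upstream, and how long are the prepends? The path list is constructed from the four paths Elmar quoted (origin AS 33105, upstreams 701 and 19094); the annotations he added are dropped.

```python
from collections import Counter

# Constructed from the AS paths quoted in Elmar's reply (origin AS 33105,
# upstreams 701 and 19094); annotations like "(received & used)" dropped.
PATHS_SEEN = [
    "5539 3549 701 33105",
    "12312 3257 7911 19094 33105 33105 33105 33105",
    "5669 286 209 701 33105",
    "8220 2914 701 33105",
]

def parse_path(path):
    """Split an AS_PATH string into integer ASNs, leftmost = nearest to the viewer."""
    return [int(asn) for asn in path.split()]

def prepend_count(path):
    """Number of extra copies of the origin ASN added by AS-path prepending."""
    asns = parse_path(path)
    origin = asns[-1]
    copies = 0
    for asn in reversed(asns):
        if asn != origin:
            break
        copies += 1
    return copies - 1

def strip_prepends(asns):
    """Collapse consecutive duplicates so prepends do not hide the real upstream."""
    out = []
    for asn in asns:
        if not out or out[-1] != asn:
            out.append(asn)
    return out

def upstreams_for(paths, origin):
    """Count observed paths that reach `origin` through each directly adjacent AS."""
    seen = Counter()
    for path in paths:
        asns = strip_prepends(parse_path(path))
        if len(asns) >= 2 and asns[-1] == origin:
            seen[asns[-2]] += 1
    return seen

def visibility_report(paths, origin, expected_upstreams):
    """Which expected upstreams actually carry the prefix, plus the longest prepend."""
    seen = upstreams_for(paths, origin)
    return {
        "seen": dict(seen),
        "missing": [u for u in expected_upstreams if u not in seen],
        "max_prepend": max((prepend_count(p) for p in paths), default=0),
    }
```

A non-empty "missing" list after the primary link is dropped is the signal that the remaining upstream is not actually propagating the prefix, regardless of what the ticket queue says.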
RE: Cogent/Level 3 depeering
I think in all the recent cases, cogent ended up buying transit from verio. That was the case for access to AOL and Sprint when I turned off my cogent feed a week ago. I think that is also what they did with france telecom but I am not sure on that one as I never checked (I had other transit).

Thanks,
John van Oppen

-----Original Message-----
From: Christopher Woodfield [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, October 05, 2005 9:39 AM
To: Jon Lewis
Cc: [EMAIL PROTECTED]
Subject: Re: Cogent/Level 3 depeering

I am curious - how did prior depeering "events" wind up being eventually resolved? What were the resolution times, if anyone remembers?

-C

On Oct 5, 2005, at 12:32 PM, Jon Lewis wrote:

>
> In the end, both providers lose, as customers buy real Internet
> transit from someone else.
>
> OTOH, the industry as a whole probably gains. I have a client
> who's massively overprovisioned, multihomed with multiple Ts each
> to 3 or 4 providers now after being bitten a couple years ago when
> singlehomed to C&W and they depeered PSI. Funny that those PSI
> customers are getting screwed again now.
>
> On Wed, 5 Oct 2005, Christopher Woodfield wrote:
>
>>
>> Ah, the problem with playing chicken is what happens when neither
>> player blinks...
>>
>> -C
>>
>> On Oct 5, 2005, at 11:29 AM, Vince Hoffman wrote:
>>
>>> On Wed, 5 Oct 2005, Richard A Steenbergen wrote:
>>>
>>>> A couple weeks later than expected, but as of Oct 5 02:51AM EDT it looks
>>>> like 3356 and 174 are no longer reachable.
>>>>
>>>> lg.level3.net:
>>>> Show Level 3 (Washington, DC) BGP routes for 38.9.51.20
>>>> No matching routes found for 38.9.51.20.
>>>>
>>>> www.cogentco.com looking glass:
>>>> Tracing the route to www.Level3.com (209.245.19.42)
>>>> 1 f29.ba01.b005944-0.dca01.atlas.cogentco.com (66.250.56.189) 4 msec 4 msec 0 msec
>>>> 2 * * *
>>>> 3 * * *
>>>>
>>>> I guess the earlier reports of (3)'s lack of testicular fortitude may have
>>>> been exaggerated after all. :)
>>>>
>>> It's sure causing a few headaches here.
>>> (from level3 looking glass) Show Level 3 (London, England) BGP routes for 38.9.51.20
>>> No matching routes found for 38.9.51.20
>>>
>>> As of 16:22 BST Level3 still seems to have no routes for cogent's space. That's about 5 hours now.
>>>
>>> Vince
>>>
>>>> --
>>>> Richard A Steenbergen <[EMAIL PROTECTED]> http://www.e-gerbil.net/ras
>>>> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
>>>>
>>
>>
>
> --
> Jon Lewis | I route
> Senior Network Engineer | therefore you are
> Atlantic Net | _ http://www.lewis.org/~jlewis/pgp for PGP public key_
>
>
Cogent northern California fiber cut -- details?
Anyone know anything about the fiber cut that took Cogent's Seattle POP out of commission at about 6 PM (PST) today? Their NOC seems a bit on the clueless side, just saying there is no ETA and that the cut is somewhere in northern California. Apparently they have no backup into this market, as I am only receiving routes on my transit peer with them and have been since the cut. Good thing I am not single homed, but I feel sorry for those who are.

John van Oppen
PocketiNet Communications
AS23265

See everyone in Seattle this weekend.
RE: Dual rackmountable power supply?
APC makes one, but it is a 1U device... It does give you SNMP monitoring of the status of both circuits though, which is a rather cool feature. I have a similar situation at one of our POPs which is why I ended up needing the product.

Thanks,
John van Oppen
PocketiNet Communications

-----Original Message-----
From: Mike Sawicki [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 22, 2005 3:34 PM
To: nanog@merit.edu
Subject: Dual rackmountable power supply?

Do any of you know if there are companies who manufacture 1/2U rackmountable PDU's that take AC from redundant sources? I have equipment at a colo that seems to have issues with one of the two circuits in my cabinets about once a month. Since it would be a real pain in the neck for me to retrofit every server with dual-ps, I was thinking this could be a possible middle-of-the-road solution.

Thanks.

--
Mike Sawicki ([EMAIL PROTECTED])
RE: Getting a BGP table in to a lab
I agree... I have around 75 peers on a box that actually does the routing running quagga, and there appears to be no problem. My only issues have been with version upgrades having bugs in them, but those problems are due to my inadequate testing. I also utilize supervise scripts (daemontools) to keep all the

The best feature is being able to use the same route maps I use on my cisco boxes.

John :)

-----Original Message-----
From: Arnold Nipper [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 21, 2005 2:09 PM
To: Reeves, Rob
Cc: nanog@merit.edu
Subject: Re: Getting a BGP table in to a lab

On 21.04.2005 17:17 Reeves, Rob wrote
>
> Quagga is great for smaller implementations, but it doesn't scale very
> well. It eats up a lot of CPU, so once you hit a certain number of
> BGP peers, it may start intermittently flapping BGP sessions, or even
> just crash the bgpd process entirely.

For what numbers? I've two quaggas, ~150 peers each, doing as-path and *full* prefix filtering for each peer (Config is around 9MB). CPU is idle 99.x% mostly ...

Arnold
--
Arnold Nipper, AN45
RE: OpenTransit (france telecom) depeers cogent
All,

Here is an output of show ip bgp regexp _5511_ on my cogent facing router (i.e. with a full cogent feed)... Most of the prefixes with best paths that are not through cogent don't exist in my cogent route feed at all (even via a non-FT path). It looks like things are still a bit wonky.

http://as23265.net/cogent.txt

Thanks,
John van Oppen
PocketiNet Communications
AS23265

-----Original Message-----
From: Patrick W. Gilmore [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 17, 2005 10:26 PM
To: nanog@merit.edu
Cc: Patrick W. Gilmore
Subject: Re: OpenTransit (france telecom) depeers cogent

On Apr 17, 2005, at 11:16 PM, Patrick W. Gilmore wrote:

> On Apr 17, 2005, at 10:49 PM, John van Oppen wrote:
>
>> As a cogent customer, I still see no routes to 217.167.0.0/16 (the
>> route that holds www.francetelecom.com) via my cogent feed.
>>
>> That /16 also appears to be unreachable from the looking glass on
>> cogent's website still.
>
> I can trace from Cogent to FT just fine.
>
> Haven't checked all possible end points, but my spot check shows
> connectivity.

Replying to my own post, I still see some Cogent <-> FT strangeness. Tracing to www.opentransit.net works fine, but www.fracetelecom.com dies on the first hop. Spot checking other IPs in FT, they seem to work.

Is it just the 'fracetelecom.com' sub-network that is still not connected? Anyone have any more info?

--
TTFN,
patrick
RE: OpenTransit (france telecom) depeers cogent
As a cogent customer, I still see no routes to 217.167.0.0/16 (the route that holds www.francetelecom.com) via my cogent feed.

That /16 also appears to be unreachable from the looking glass on cogent's website still.

John van Oppen
PocketiNet Communications
AS23265

-----Original Message-----
From: Jonas Frey [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 17, 2005 7:36 PM
To: [EMAIL PROTECTED]
Subject: Re: OpenTransit (france telecom) depeers cogent

Cogent is now reachable from OT and vice versa; apparently Cogent dropped the filters. I see everything passing verio now. Not sure since when this works again.

Regards,
Jonas
Netlantis --- is it ever coming back?
Does anyone know if netlantis.org is coming back? That was a very useful site but it has been down for a long time (with a note saying that it will be back soon) now. I would love to have access to that BGP info again, it was very helpful... I am still contributing a route feed, and that session is up.

Thanks,
John van Oppen
AS23265 / PocketiNet Communications
RE: The Cidr Report
Hank and Warren are right on. I have seen several ISPs (one of which has been around a long time) who don't even understand the basics of CIDR routing or why they should aggregate their announcements. This same group is made up of the ones who are not subscribed to this mailing list and don't go to Nanog events, and there are surely a large number of them.

I think one thing the CIDR report glosses over, with its ranking system, is the sheer number of ASes which announce extra routes. At least that is what strikes me when I start punching my local peer (not customer) ASes into the cidr-report website: virtually all of them have an aggregation problem, and by percentage of junk announcements the small ASes are often far worse than the big guys.

That being said, perhaps we need some sort of nanog outreach or BGP support community that larger (or clueful) providers can point their less clueful BGP customers towards. The question then becomes, who would maintain such a group and how do we get the large number of currently non-participating ASes involved?

John van Oppen
PocketiNet Communications
AS23265 (which yes, is fully aggregated)

-----Original Message-----
From: Hank Nussbacher [mailto:[EMAIL PROTECTED]]
Sent: Monday, February 14, 2005 12:26 AM
To: Philip Smith
Cc: Nanog
Subject: Re: The Cidr Report

At 10:27 AM 14-02-05 +1000, Philip Smith wrote:

Well said. At NANOG you get the clueful people cuz they at least knew to come. That is a start. But there are hundreds of ISPs out there who don't have a clue. RIPE realized this without having to do a membership poll and rightly so, goes and does training where it is needed (and believe me - I am their biggest critic and all-around pain in the ass when it comes to their expenses as Leo and Rob can attest). NANOG is not the place to do it. ARIN, as part of their overhead should do an east coast, west coast and Chicago area tutorial at least once a year. And guess what - most of the training material has already been written by the other RIRs.

-Hank

>The BGP tutorials I've been doing on Sundays at NANOG all cover
>aggregation - at least, I seem to end up talking about aggregation in each
>one. Maybe I need to be more direct? But then again, who am I preaching
>to? The choir maybe, I don't know. Maybe we need a specific aggregation
>tutorial for those who don't know how to? Those who have operational and
>technical reasons not to aggregate have made that decision with prior
>knowledge. We should try and give everyone else the knowledge, then at
>least we will know that all de-aggregation is done for a reason.
>
>Then it begs the question, is NANOG the conference actually reaching the
>people who'd most benefit from it? I say this as I'm in transit in
>Singapore heading back from a hugely successful and enjoyable SANOG (South
>Asia NOG) in Bangladesh. Similar idea to NANOG, but heavier emphasis on
>education (workshops & tutorials), and we had ISPs falling over themselves
>to participate in the first Internet operations meeting held in that country.
>
>philip
>--
>+++
>This Mail Was Scanned By Mail-seCure System
>at the Tel-Aviv University CC.
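An added example, not from the thread or the CIDR Report itself, of the per-AS check John describes doing by hand on the cidr-report site: given the prefixes an AS originates, how many announcements would survive aggregation, what fraction are "junk", and which more-specifics are already covered by the AS's own aggregate. The announcement table uses constructed private ASNs and documentation prefixes.

```python
import ipaddress

# Constructed sample: AS -> prefixes it originates (documentation ranges, private ASNs).
# 65001 announces aggregates plus their more-specifics; 65002 is clean;
# 65003 announces two adjacent /25s that could be one /24 with no covering route.
ANNOUNCEMENTS = {
    65001: ["198.51.100.0/24", "198.51.100.0/25", "198.51.100.128/25",
            "203.0.113.0/24", "203.0.113.64/26"],
    65002: ["192.0.2.0/24"],
    65003: ["192.0.2.0/25", "192.0.2.128/25"],
}

def minimal_announcements(prefixes):
    """Smallest prefix set covering the same space: drops more-specifics that sit
    inside another prefix and merges adjacent blocks (what the CIDR Report scores)."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def junk_ratio(prefixes):
    """Fraction of announcements that could be withdrawn with no loss of reachability."""
    total = len(prefixes)
    if total == 0:
        return 0.0
    return (total - len(minimal_announcements(prefixes))) / total

def covered_by_own_aggregate(prefixes):
    """More-specifics entirely inside another prefix announced by the same AS."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in nets
            if any(n != other and n.subnet_of(other) for other in nets)]

def report(announcements):
    """Per-AS summary in the spirit of the CIDR Report's aggregation table."""
    out = {}
    for asn, prefixes in announcements.items():
        out[asn] = {
            "announced": len(prefixes),
            "needed": len(minimal_announcements(prefixes)),
            "junk_ratio": round(junk_ratio(prefixes), 2),
            "covered": covered_by_own_aggregate(prefixes),
        }
    return out
```

The "covered" list is the cheap win: those routes can be dropped today without touching anything else, while the 65003 case needs a new aggregate to be announced first.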