Re: What happened to Cogent?
I'm guessing a routing loop and a bunch of red lights in their NOC. I'm sure they are working on it. I never understand why people post traceroute on NANOG and expect things to magically get fixed. Did you call Cogent?

On Apr 25, 2007, at 3:55 PM, David Coulson wrote:

> About 20 mins ago my connection to Cogent in Cleveland just went totally nuts. I can't even get to www.cogentco.com over their circuit:
>
>                                                  Packets               Pings
>  Host                                            Loss%   Snt   Last   Avg  Best  Wrst StDev
>   1. v129.l3sw1.n2net.net                         0.0%     1    1.1   1.1   1.1   1.1   0.0
>   2. v401.core1.n2net.net                         0.0%     1    0.4   0.4   0.4   0.4   0.0
>   3. fa0-2.na01.b002352-3.cle01.atlas.cogentco.com 0.0%    1    1.5   1.5   1.5   1.5   0.0
>   4. g1-0-3501.core01.cle01.atlas.cogentco.com    0.0%     1    1.6   1.6   1.6   1.6   0.0
>   5. p6-0.core01.buf02.atlas.cogentco.com         0.0%     1    5.5   5.5   5.5   5.5   0.0
>   6. p6-0.core01.cle01.atlas.cogentco.com         0.0%     1    6.1   6.1   6.1   6.1   0.0
>   7. p6-0.core01.buf02.atlas.cogentco.com         0.0%     1   10.5  10.5  10.5  10.5   0.0
>   8. p6-0.core01.cle01.atlas.cogentco.com         0.0%     1    9.9   9.9   9.9   9.9   0.0
>   9. p6-0.core01.buf02.atlas.cogentco.com         0.0%     1   14.7  14.7  14.7  14.7   0.0
>  10. p6-0.core01.cle01.atlas.cogentco.com         0.0%     1   14.7  14.7  14.7  14.7   0.0
>  11. p6-0.core01.buf02.atlas.cogentco.com         0.0%     1   19.1  19.1  19.1  19.1   0.0

-- Matthew S. Crocker, President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
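The "routing loop" diagnosis above is visible in the trace itself: the same two routers alternate from hop 5 onward and the latency climbs by roughly one round trip per pass. The following is an added example, not code from the thread, that parses mtr report lines and flags that pattern automatically; the sample report is constructed to mirror the buf02/cle01 alternation quoted above, and the function names are the example's own.

```python
import re

# Constructed sample in the report format mtr prints (hop, host, loss%, sent,
# last, avg, best, worst, stdev); hops 5-8 mirror the alternating
# buf02 <-> cle01 pattern quoted in the thread.
SAMPLE_MTR = """\
 1. v129.l3sw1.n2net.net                          0.0%   1    1.1   1.1   1.1   1.1   0.0
 2. v401.core1.n2net.net                          0.0%   1    0.4   0.4   0.4   0.4   0.0
 3. fa0-2.na01.b002352-3.cle01.atlas.cogentco.com 0.0%   1    1.5   1.5   1.5   1.5   0.0
 4. g1-0-3501.core01.cle01.atlas.cogentco.com     0.0%   1    1.6   1.6   1.6   1.6   0.0
 5. p6-0.core01.buf02.atlas.cogentco.com          0.0%   1    5.5   5.5   5.5   5.5   0.0
 6. p6-0.core01.cle01.atlas.cogentco.com          0.0%   1    6.1   6.1   6.1   6.1   0.0
 7. p6-0.core01.buf02.atlas.cogentco.com          0.0%   1   10.5  10.5  10.5  10.5   0.0
 8. p6-0.core01.cle01.atlas.cogentco.com          0.0%   1    9.9   9.9   9.9   9.9   0.0
"""

# hop number, host, loss%, sent count, last RTT, average RTT (the rest is ignored)
HOP_RE = re.compile(r"^\s*(\d+)\.\s+(\S+)\s+([\d.]+)%\s+(\d+)\s+([\d.]+)\s+([\d.]+)")


def parse_mtr(text):
    """Parse mtr report lines into dicts; header and non-hop lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m:
            hops.append({"hop": int(m.group(1)), "host": m.group(2),
                         "loss": float(m.group(3)), "avg": float(m.group(6))})
    return hops


def find_loops(hops):
    """Map each host that shows up at more than one hop index to those indices.
    On a sane path every router appears once; a repeat means the probe's TTL
    expired at the same router again, i.e. forwarding re-entered it."""
    seen = {}
    for h in hops:
        seen.setdefault(h["host"], []).append(h["hop"])
    return {host: idx for host, idx in seen.items() if len(idx) > 1}


def loop_period(hops):
    """Length of the cycle the tail of the path repeats (2 for A-B-A-B),
    or 0 when the last hops do not repeat a cycle."""
    hosts = [h["host"] for h in hops]
    for period in range(1, len(hosts) // 2 + 1):
        tail = hosts[-2 * period:]
        if tail[:period] == tail[period:]:
            return period
    return 0


def rtt_growth_per_cycle(hops, period):
    """Average RTT added per loop iteration. In a real forwarding loop latency
    climbs steadily because each pass re-traverses the same links; repeated
    names caused by ECMP hashing do not add a whole cycle of latency."""
    if period == 0 or len(hops) < 2 * period:
        return 0.0
    last, prev = hops[-1]["avg"], hops[-1 - period]["avg"]
    return round(last - prev, 1)


if __name__ == "__main__":
    hops = parse_mtr(SAMPLE_MTR)
    period = loop_period(hops)
    print(find_loops(hops), period, rtt_growth_per_cycle(hops, period))
```

Run against a live `mtr -r` report, a non-zero period together with a positive per-cycle RTT growth is the signature worth escalating to the carrier's NOC; a repeated name with flat latency is more likely load-sharing.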
Re: ICANNs role [was: Re: On-going ...]
> Seriously though- why do we keep blaming the infrastructure for the mind boggling stupidity of users?

There will always be users that don't understand technology. You call them stupid, I call them mom, dad, brother, sister. If you maintain the attitude that it is the 'stupid' users' fault the Internet is insecure then you will never see a secure Internet. The infrastructure must be able to protect itself from its users.

It isn't that hard to throw an outbound port 25 filter on your edge and force all of your users to send mail through your mail server. It isn't that hard to require SMTP_AUTH for all mail transactions on that server. It also isn't that hard to deploy a snort box to look for 'bad' traffic and kick the user's PPPoE session offline.

We need a 'drivers license' for the 'information super highway': companies/ISPs must be able to show a certain level of competency before they can buy bandwidth from the 'Internet'. If they don't have that competency then they need to purchase it from an ISP that can provide the competency. It is the ISP's job to protect the network from its users (IMHO).

If it really concerns you, protect your corner of the IP world: run an IDS, find the 'bad' traffic and dynamically update your BGP sessions to null route the ASNs you don't feel 'do the right thing'. If you get good enough at it maybe you could publish an eBGP feed of the 'ASNs I don't like' and people can subscribe to it. Sure there will be some pain, but when you swing a big axe, there is bound to be some blood.

-Matt

-- Matthew S. Crocker, President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Re: single homed public-peer bandwidth ... pricing survey ?
> Hello, I am currently hosted in a small, independent datacenter that has 4 or 5 public peers (L3, Sprint, UUnet, ATT and ... ?)

They are most likely giving you a single feed to their core which has 4-5 upstream connections to transit providers. Not peers really, I'm sure they are paying for their transit.

> They are a very nice facility, very technical and professional, and have real people on-site 24 hours per day ... remote hands, etc. All very high end and well managed.

I'm sure some of the $$ you pay for bandwidth pays for their amazing support structure.

> But, I am charged between $150 and $180 per megabit/s for non-redundant, single-homed bandwidth (not sure which provider they put it on) and even if I commit to 20 or 30 megabits/s it still only drops down to $100 - $120 per megabit/s. So naturally, I am very interested when I see HE.NET offering bandwidth for $20/mb/s, and it looks like Level3 is selling for $30/mb/s... Are there two classes of bandwidth in the world ? Is it reasonable and expected that single homed public peered bandwidth is, circa Jan 2007, going for above $100/mb/s while private peered bandwidth like L3 and HE.NET is $30 and below ? Or am I just getting ripped off ?

Probably not.

> Where can I go to read and learn more about the advantages and disadvantages (from a networking standpoint) of switching from an independent, public peered datacenter to, say, L3 or HE.NET ?

Search for the problems Cogent Level(3) had off and on over the past couple years and decide for yourself if you want to have a single connection to a 'tier 1' provider. Personally I like to have 1 connections to a 'tier 1' provider. Keep in mind that in order to be redundant your provider needs to buy your bandwidth twice from their upstream providers. If you are using 10mbps they need to buy 10mbps from Provider A and 10 mbps from Provider B. That way if A fails then your traffic will automatically switch to Provider B.

So, if your provider is paying $30/mbps for bandwidth that is really $60/mbps. That price also doesn't cover the amazing support or the insanely priced routers that are needed to handle the ever increasing bloat that is the Internet routing table. Not knowing all of your specifics I think you are paying a fair price.

-- Matthew S. Crocker, President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Re: Repeated packet loss on ATT
I have had similar issues with ATT in NY. They have peering issues with MCI killing random access to random websites (www.netflix.com, www.netbank.com). I troubleshot it with ATT a couple weeks ago and they killed a bad link. It fixed my problem. Last I knew the link was still down and they were looking to repair it this week.

-Matt

On Jan 16, 2007, at 12:44 PM, Donald Stahl wrote:

> I have a cage at an ATT hosting facility in NY. Every few weeks I end up with horrendous VPN problems to another site I have on MCI's network in Maryland, as well as to a partner's site, in the same area, also on MCI.
>
> mtr -s 800 to either site shows 10% packet loss on the hop from:
>
> 12.122.105.45 -> 192.205.34.50
>
> Both of these appear to be ATT routers (I say appear to be because I am relying on the netblock information from ARIN - reverse DNS for routers seems to be uncool).
>
> Does anyone else run into this problem? Smaller pings show far fewer (if any) issues and other traffic is passable - but it kills my VPNs.
>
> -Don

-- Matthew S. Crocker, President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Re: 10,352 active botnets (was Re: register.com down sev0?
Maybe the new slogan needs to be "Save the Internet! Train the chimps!"

Shouldn't 'ip verify unicast source reachable-by rx' be a default setting on all interfaces? Only to be removed by trained chimps?

-Matt

-- Matthew S. Crocker, Vice President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Re: Router / Protocol Problem
Does your peer or you have any ACLs on the PtP link which may be dropping the packets? If your peer is doing uRPF and doesn't have your route properly installed it can cause problems on their edge.

Are the sites you cannot reach akamaized? I've had issues with some akamaized sites when I was being redirected to akamai servers that weren't on my network. Do a dig on the website and see if it returns an akamai server.

Is there any packet loss/CRC errors on the link to your peer? A noisy line will affect large packets more than small packets; I've had issues where only the text/CSS of a website would come up but the images would not.

Any MTU issues? Same as above, MTU issues causing large packets to get dropped and no images on websites. Pings, traceroute, telnet all work in those cases.

-Matt

On Sep 6, 2006, at 9:04 AM, Mike Walter wrote:

> I normally would not post to the group, but I am 100% stumped and have talked with peers with no luck. I have (2) Cisco 7204 Routers running BGP with 3 peers and HSRP. I am not doing anything special with BGP, pretty much a default config that has not changed in years. Recently with no changes to my network, I have been having problems connecting to certain websites and mail servers. I am always able to ping the sites and trace route without error. If I telnet to port 80 or port 25 it does not connect. If I login to my router and telnet sourcing from each of my Internet Providers' ports, I am able to get to the sites. I have talked with all the providers and none can find a problem. If I shut down one specific peer, everything works fine. So I keep thinking it was that peer's problem somehow. I have tested with just that peer up and I still can not connect. However, when talking with that peer, they are able to telnet from their network to the sites I can not reach. I don't know what else to check besides shutting down that peer. Which since it is under a 3 year contract, not an option. That isn't the real solution anyhow.
>
> Can anyone shed some light on or off-list?
>
> Thanks,
> Mike Walter

-- Matthew S. Crocker, Vice President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
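Two posts above touch unicast reverse-path forwarding from opposite sides: the botnet thread asks why `ip verify unicast source reachable-by rx` is not on by default (it drops spoofed sources at the edge), and the reply just above warns that a peer doing uRPF without your route properly installed will drop your legitimate packets. The following added example, not code from either post, simulates strict and loose mode over a constructed FIB so both effects can be seen side by side; the interface names, prefixes and the `demo` scenarios are the example's own assumptions, and `allow_default` models the IOS `allow-default` option.

```python
import ipaddress

# Constructed FIB of a provider edge router: prefix -> interface the router
# uses to reach that prefix.  Interface names are assumptions for the example.
FIB = {
    "0.0.0.0/0": "up0",          # default route toward the upstream
    "203.0.113.0/24": "cust-a",  # customer A, single-homed to us
    "198.51.100.0/24": "up0",    # customer B is multihomed; from this router's
                                 # view its block is currently best reached
                                 # via the upstream, not via B's own port
}


def lookup(fib, addr):
    """Longest-prefix match. Returns (prefix, interface) or (None, None)."""
    ip = ipaddress.ip_address(addr)
    best = None
    for pfx, iface in fib.items():
        net = ipaddress.ip_network(pfx)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return (str(best[0]), best[1]) if best else (None, None)


def urpf_check(fib, src, in_iface, mode="strict", allow_default=False):
    """Decide whether a packet with source `src` arriving on `in_iface` passes
    unicast reverse-path forwarding.
    strict: the best route back to src must point out the arrival interface.
    loose:  any route back to src is enough.
    In both modes a match on the default route only counts when allow_default
    is set, mirroring the IOS 'allow-default' keyword."""
    pfx, iface = lookup(fib, src)
    if pfx is None:
        return False
    if pfx == "0.0.0.0/0" and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == in_iface


def demo():
    """Scenarios matching the two posts; returns a dict of pass/drop outcomes."""
    return {
        # legitimate customer A packet on its own port: passes strict
        "a_legit_strict": urpf_check(FIB, "203.0.113.5", "cust-a"),
        # spoofed source claiming customer A's address but arriving from the
        # upstream: strict drops it, which is the anti-spoofing benefit
        "a_spoof_from_upstream_strict": urpf_check(FIB, "203.0.113.5", "up0"),
        # customer B's real packets arrive on cust-b, but our best route back
        # goes via the upstream: strict drops them, loose lets them through
        "b_asymmetric_strict": urpf_check(FIB, "198.51.100.7", "cust-b"),
        "b_asymmetric_loose": urpf_check(FIB, "198.51.100.7", "cust-b", mode="loose"),
        # a source with no specific route installed, covered only by default
        "no_route_loose": urpf_check(FIB, "192.0.2.9", "up0", mode="loose"),
        "no_route_loose_allow_default": urpf_check(
            FIB, "192.0.2.9", "up0", mode="loose", allow_default=True),
    }


if __name__ == "__main__":
    for name, passed in demo().items():
        print(f"{name:34s} {'pass' if passed else 'DROP'}")
```

The `b_asymmetric_*` pair is the failure mode the reply above describes: strict mode is safe on single-homed customer ports, while a multihomed peer or customer whose return route may point elsewhere needs loose mode (or a route that is actually installed) or its traffic silently disappears at the edge.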
Re: WSJ: Big tech firms seeking power
I wonder just how much power it takes to cool 450,000 servers.

450,000 servers * 100 Watts/Server = 45,000,000 watts / 3.413 watts/BTU = 13.1 Million BTU / 12000 BTU/Ton = 1100 Tons of cooling

A 30 Ton Liebert system runs about 80 amps @ 480 volts or 38400 watts; you'll need at least 40 of them to cool 1100 tons, which is 1536 Kw * 24 hours * 7 days * 4.3 weeks = 1,110,000 KwH/month * $0.10/KwH = $111,000/month in cooling.

I think my math is right on this...

-- Matthew S. Crocker, Vice President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Verizon disconnects GlobalNAPs knocking out dialup in MA
Although dialup modem pools are a dying breed they are still very much in use around the country. It appears that after many years of legal battles Verizon has decided to terminate all connections to GlobalNAPs in Massachusetts. As you may or may not know, GlobalNAPs handles a lot of dialup modem traffic, including my Tivo and a DS-3 worth of my modems. Billing dispute gone amuck, I don't know who's right or who's wrong but thousands of customers are off-line now because of it.

Looks like it'll be a long night tonight :/

Anyone familiar with a Tekelec T7000/Taqua OCX switch and the maze of Verizon paperwork needed to finish getting it online? Once my LRN is activated I can port my modem numbers to my own switch. If they could have just waited a couple of days.

-Matt

-- Matthew S. Crocker, Vice President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Re: Honest Cogent opinions without rhetoric.
On Mar 8, 2006, at 9:35 AM, Daniel Golding wrote:

> One way to look at this is that you are getting a very low price per mbps with Cogent. Therefore, when Cogent's CEO decides its in his best interest to partition for a week over a depeering situation, their customer's role is to suck it up. You get what you pay for, and in this case, that means mediocre to average transit with periodic partitioning. Frankly, for the price, that's pretty darn good.

My biggest complaint about Cogent 'Customer Service' is that I'm not a Cogent customer, I'm a Verio customer that was sold to Cogent. I'm still paying the higher Verio bandwidth price but getting the 'not as good' Cogent bandwidth. When Cogent decides to depeer it affects me and I would like credits. Either that or cancel my Verio priced contract and replace it with a Cogent priced contract. If they did that, I wouldn't mind the occasional depeering. Trying to explain that to my sales guy was impossible.

> If your choice is between Cogent and some other provider, you are making a mistake. Cogent (and other low cost transit providers) can be part of a balanced stable of transit providers. Folks who single-home to Cogent deserve whatever Darwin delivers to them.

That is why I also have 3 providers, just in case 2 of them decide they don't like each other.

Anyone out there running a RouteScience/Internap box on some Cogent + other provider bandwidth? How many routes get moved off/onto Cogent?

-- Matthew S. Crocker, Vice President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Re: What do we mean when we say competition?
> Windows 98 price (in 1997) - $209
> Office 97 Standard (in 1997) - $689
> Windows XP price (now) - $199.
> Office 2003 (now) - $399.

Verizon Retail 768k DSL, $14.95/month (includes everything)
Verizon Wholesale 768k DSL, $13.95/month + DS3 ATM + IP + support + e-mail
Verizon CLEC 2W DSL Conditioned loop, $15-18/month + COLO + DSLAM + Backhaul + IP + Support + e-mail

You can't say that Verizon isn't selling DSL below their cost and using monopoly POTS revenue to subsidize the extermination of competition in the DSL market. Now, granted the CLEC can use the 2W DSL conditioned loop to run ADSL2+ and POTS and sell for more $$. Unfortunately in today's era of Wal*mart shoppers people buy on price alone.

> The problems most people have with microsoft's monopoly status have nothing whatsoever to do with the price of the software which forms the basis of their monopoly (windows + office), but rather their willingness to use the profits from them to subsidize other losing ventures to drive out other competitors.

Exactly, Verizon is using the profits from the monopoly to subsidize losing ventures.

-Matt

-- Matthew S. Crocker, Vice President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Re: What do we mean when we say competition? (was: Re: [Latest draft of Internet regulation bill])
> Technically, lots of other providers CAN enter the market - it's just very expensive to do so. If there are customers who are not receiving service from one of the incumbent providers, a third party is certainly welcome to {dig a trench | build wireless towers | buy lots of well-trained pigeons for RFC 1419 access} and offer the services to the ignored customers.

Technically anything is possible, I could walk on the moon if I had enough $$.

> The problem is that the capital expenditures required in doing so are very, very high, and most companies don't see the profit in doing so.

That is the exact problem with a [mon|du]opoly. The incumbents drive the price so low (because they own the network) that it drives out any potential competition. We don't need 8 fiber networks overlaid to every home in the US to provide competition. We need a single high quality wholesale only fiber network which is open to use by all carriers. I don't want 200' telephone poles down my street with 10 rows of fiber. It doesn't make sense.

> Actually, here's where I'd disagree: market forces are exactly the thing which is keeping other providers OUT. It's too expensive for them to buy their way into these areas, and during all of the time when access was mandated to be (relatively) cheap by law, very few third parties actually built their own infrastructure all the way to homes. There are some competitive cable plants in some cities (I remember Starpower/RCN doing this in DC), but I'm not aware of any residential phone providers who built all the way out to houses exclusively on their own infrastructure.

Again, because of the monopoly held by the incumbents keeping the price low enough that you can't afford to build your own infrastructure. We don't need competition in the infrastructure business, we need competition in the bandwidth business. That can only happen if the infrastructure is regulated, open and wholesale only.

The RBOCs should be split up into a wholesale *only* division (owns the poles, wires, buildings, switches) and a services *retail* division (owns the dialtone, bandwidth, customers). The wholesale division should sell service to the retail division at a regulated TELRIC based price which will allow the wholesale division to make enough money to build/maintain the best infrastructure in the world. Any competitive service provider can buy the same services at the same price as RBOC Retail. Regulated such that wholesale profit can't subsidize retail services. In high density areas there may be alternate infrastructure providers that can sell to CSPs and in rural America there will be one infrastructure provider and many CSPs.

> This IS the market at work. If you want it to be different, what you want is more, not less regulation. That may or may not be a good thing, but let's just be very clear about it.

More regulation of the physical infrastructure (the expensive piece) and less regulation of the bits to foster competitive solutions and bring along new innovations. The future innovations are not going to revolve around new types of fiber. They will revolve around what can be done with high bandwidth to everyone.

-- Matthew S. Crocker, Vice President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Re: What do we mean when we say competition?
>> That is the exact problem with a [mon|du]opoly. The incumbents drive the price so low (because they own the network) that it drives out any potential competition.
>
> So you're complaining that the problem with lack of competition is that the prices are too LOW? As a consumer, I'm thrilled with low price, and would only change providers for a well-defined benefit or a lower price.

Low prices of the monopoly are driving out viable competition. Once competition is gone the prices WILL be raised. Competition brings innovation of products and services, not just lower prices.

> So should the government charter such a build? My understanding is that Verizon and SBC (maybe others, but I don't know about them) are currently working on doing a FTTH build at this time.

Yes, Verizon/SBC are building FTTH in limited areas. They are doing it with profit from their government granted monopolies and with FCC assurances that they will be able to maintain the monopoly on new fiber builds. So, in a sense the government is chartering a FTTH build. They just are doing it in such a way as to kill competition and eventually hurt the nation's economic development. Short term it is a good thing, long term it is economic suicide.

> Presumably, as they're private companies doing it, they'd like to be able to be the ones that obtain the primary benefit. Do you think that a municipal build/new monopoly build as you describe would be cheaper or better than what SBC or Verizon are doing? If so, you should be able to convince some cities of the math.

Yes, and I have; there are 4 muni fiber builds around me of which I am building a PON deployment over 2 of them. I am a *little* service provider, couple hundred megs of bandwidth, couple million $/year in revenue. I just picked up/installed my phone switch so now I can offer voice/data over the PON. So, in my small market (Western MA) I can provide a competitive service to Verizon/Comcast in certain muni-built fiber networks.

I'm also a CLEC building out COs to provide ADSL2+, g.SHDSL service in areas (new products/services). It is slow going because of limited budgets but I'm having a hell of a lot of fun while doing it :)

>> Again, because of the monopoly held by the incumbents keeping the price low enough that you can't afford to build your own infrastructure.
>
> This is such an astounding comment that it needed to be singled out: most of the complaints about monopolies are that they artificially RAISE prices.

Oh, you can bet that pricing will be raised. As a monopoly you use your monopoly advantage to squash the competition. You do this by driving the price down. Once the competition is cleared from the market you are free to raise pricing at will. The only thing that is saving us at this point is 'The Act' which is systematically getting dismantled by the RBOCs. My only hope is Congress grows a pair and comes out with a sane telecom act in 2006.

> Aren't you pretty much describing the '96 telecom act? The result has been the glut of inter-city fiber, and a dearth of advanced access services at the rural/suburban edge. Saying we don't need competition in infrastructure, only in bandwidth ignores the fact that infrastructure upgrades are required to support increased bandwidth. In addition, why treat L0/1 infrastructure in a different way than L2/3 infrastructure?

The spirit of The Act maybe but not the implementation. Congress had a good idea, they just left that damn word in there (i.e. 'impairment') which is what all of the fighting has been about. As a CLEC I am no longer impaired when I don't have access to Verizon dark fiber. So now I have to build my own which requires HUGE capital, taller telephone poles, uglier streets; it is impractical to have 1 fiber networks in the markets that I serve (rural, suburban).

>>> This IS the market at work. If you want it to be different, what you want is more, not less regulation. That may or may not be a good thing, but let's just be very clear about it.
>>
>> More regulation of the physical infrastructure (the expensive piece) and less regulation of the bits to foster competitive solutions and bring along new innovations. The future innovations are not going to revolve around new types of fiber. They will revolve around what can be done with high bandwidth to everyone.
>
> First, I wouldn't be so sure to rule out new improvements in fiber or other physical transmission media as important - as an example, I think the widespread adoption of 802.11 has been part of a huge shift in the way people use the Internet. That said, I agree that the biggest innovations are likely to be applications, not media. So let me take the devil's advocate position: why should prices be raised so that multiple ISPs can get a layer-2/3 connection to customers without having their own layer-1 infrastructure? Is there some service which is provided which
Re: Problems
Philip,

Go to a looking glass site and see what the 'internet' knows about your network. You can look for your netblocks and see if they are in BGP tables of routers around the globe.

http://www.bgp4.as/looking-glasses

-Matt

On Oct 11, 2005, at 10:37 AM, Philip Lavine wrote:

> I am having problems with people connecting from the East Coast to my AS 17021 via qwest AS 209 on the West Coast. How do I troubleshoot this?

-- Matthew S. Crocker, Vice President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Re: Level 3's side of the story
> Level 3 claims Cogent is sending far more traffic than Level3 to Cogent. Thus, Level3's viewpoint is that Cogent relies on them more than they rely on Cogent. Thus, it no longer makes sense in their view point to maintain a free interconnection as there is no similar balance of traffic ratio.

This has always bugged me. Is a Cogent customer sending traffic to a L3 customer or is a L3 customer requesting the traffic from a Cogent customer? Traffic is traffic. L3 has eyeballs, Cogent has content producers. Of course most of the traffic will flow from Cogent to L3. L3 chose to sell to eyeball customers, Cogent chose to sell to content producers. If the L3 customers didn't create the demand for the traffic then I'm sure Cogent wouldn't be sending them the traffic.

IMHO the only valid complaint L3 has is whether Cogent is hot-potato routing the traffic causing L3 to 'incur more cost'. That should all be spelled out in the peering agreement.

-- Matthew S. Crocker, Vice President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Re: Cogent/Level 3 depeering
I opened a billing/support ticket with Cogent. I'm not planning on paying my bill or continuing the contract if they cannot provide full BGP tables and full Internet transport (barring outages). Luckily I have 2 other providers so I can still reach Level 3.

Maybe I can buy the new 'Cogent - it is almost the Internet' service for less money.

-Matt

On Oct 5, 2005, at 11:29 AM, Vince Hoffman wrote:

> On Wed, 5 Oct 2005, Richard A Steenbergen wrote:
>
>> A couple weeks later than expected, but as of Oct 5 02:51AM EDT it looks like 3356 and 174 are no longer reachable.
>>
>> lg.level3.net:
>> Show Level 3 (Washington, DC) BGP routes for 38.9.51.20
>> No matching routes found for 38.9.51.20.
>>
>> www.cogentco.com looking glass:
>> Tracing the route to www.Level3.com (209.245.19.42)
>>   1 f29.ba01.b005944-0.dca01.atlas.cogentco.com (66.250.56.189) 4 msec 4 msec 0 msec
>>   2 * * *
>>   3 * * *
>>
>> I guess the earlier reports of (3)'s lack of testicular fortitude may have been exaggerated after all. :)
>
> It's sure causing a few headaches here.
>
> (from level3 looking glass)
> Show Level 3 (London, England) BGP routes for 38.9.51.20
> No matching routes found for 38.9.51.20
>
> As of 16:22 BST Level3 still seems to have no routes for cogent's space. That's about 5 hours now.
>
> Vince
>
>> --
>> Richard A Steenbergen [EMAIL PROTECTED] http://www.e-gerbil.net/ras
>> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)

-- Matthew S. Crocker, Vice President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Re: Cogent/Level 3 depeering
This is what I just got from Cogent support. I'm still waiting on the billing dispute ticket. I've already told our payables department to not pay any Cogent invoices, this should get fun. Hell, I wish Verio never sold me to Cogent in the first place, it is all their fault :/

<quote>
Hello,

As of 5:30 am EDT, October 5th, Level(3) terminated peering with Cogent without cause (as permitted under its peering agreement with Cogent) even though both Cogent and Level(3) remained in full compliance with the previously existing interconnection agreement. Cogent has left the peering circuits open in the hope that Level(3) will change its mind and allow traffic to be exchanged between our networks.

We are extending a special offering to single homed Level 3 customers. Cogent will offer any Level 3 customer, who is single homed to the Level 3 network on the date of this notice, one year of full Internet transit free of charge at the same bandwidth currently being supplied by Level 3. Cogent will provide this connectivity in over 1,000 locations throughout North America and Europe.

For status updates and further information on the special offering -- please see our status page at http://status.cogentco.com
</quote>

-Matt

On Oct 5, 2005, at 11:57 AM, Simon Lockhart wrote:

> On Wed Oct 05, 2005 at 11:50:52AM -0400, Matthew Crocker wrote:
>> I opened a billing/support ticket with Cogent. I'm not planning on paying my bill or continuing the contract if they cannot provide full BGP tables and full Internet transport (barring outages). Luckily I have 2 other providers so I can still reach Level 3.
>
> We tried the same line with Level3 - and were told Tough, we're not paying service credit. The transit still works, just its coverage is slightly different.
>
>> Maybe I can buy the new 'Cogent - it is almost the Internet' service for less money.
>
> Indeed, that's the natural next step.
>
> Simon
>
> --
> Simon Lockhart | * Sun Server Colocation * ADSL * Domain Registration *
> Director       | * Domain Web Hosting * Internet Consultancy *
> Bogons Ltd     | * http://www.bogons.net/ * Email: [EMAIL PROTECTED] *

-- Matthew S. Crocker, Vice President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Re: Cogent/Level 3 depeering
>> I opened a billing/support ticket with Cogent. I'm not planning on paying my bill or continuing the contract if they cannot provide full BGP tables and full Internet transport (barring outages). Luckily I have 2 other providers so I can still reach Level 3.
>
> I'm curious where in your contract you think Cogent guaranteed you connectivity to Level 3?

My original contract was with NTT/Verio which Cogent purchased last year when Verio nuked their Boston POP. I'm having the contract dug out of the archives to look at what it says. IMHO I pay Cogent for transit to the whole Internet; if I wanted partial transit or local peering I would order/contract and pay for that. Cogent is not currently providing me full transit service. I really don't care who pulled the plug, it is Cogent's job to fix it for me as I am their customer.

> Most transit contracts only guarantee packet delivery to the edge of their own networks. I'm pretty sure Cogent is doing that. (Hell, they have lots of spare capacity now. :) Most also have a clause to cover the inter-AS links, making sure that they are not overloaded.
>
>> Maybe I can buy the new 'Cogent - it is almost the Internet' service for less money.
>
> Maybe. Would you pay L3 for almost the Internet as well?

Yes, if the price were right.

-- Matthew S. Crocker, Vice President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Re: Cogent/Level 3 depeering
> So perhaps the question you should be asking is: Why didn't routes for these networks fall over to the other upstream peers which *are* capable of moving the packets? Surely MCI, ATT, Sprint, and others would carry the packets to the right place. I can see the paths right here

They did, and I'm not down. I see Level 3 via Sprint and GNAPs/CENT just fine. I didn't lose any connectivity to Level 3 at all. Bits moving down different pipes, not a big deal to me technically. The fact remains that Cogent is not providing the service I'm paying them for and they need to get it fixed. If that means picking up transit from another Tier 1 to get to Level 3 or making amends with Level 3 to get the existing peering working again, it doesn't matter to me; I just don't like paying for stuff I'm not getting. In the grand scheme of things I'm paying A LOT for my Cogent bandwidth (it started off as Verio remember).

> What nature of clause? I consider deliberately filtering prefixes or origin ASs to be a violation of common backbone BGP use. Too bad there aren't Equal Access laws for tier1s. <slyly evil grin>

Ewww, I'll put up with these occasional pissing matches and build around them to avoid any government regulations.

-Matt

-- Matthew S. Crocker, Vice President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Re: Cogent/Level 3 depeering
On Oct 5, 2005, at 2:47 PM, Douglas Dever wrote:

> On 10/5/05, Matthew Crocker [EMAIL PROTECTED] wrote:
>> They did, and I'm not down. I see Level 3 via Sprint and GNAPs/CENT just fine. I didn't lose any connectivity to Level 3 at all. Bits moving down different pipes, not a big deal to me technically. The
>
> So, where's the problem, exactly?

Um, I only have 2 routes to Level 3 when I should have 3 routes and I'm paying for 3 routes...

>> fact remains that Cogent is not providing the service I'm paying them for and they need to get it fixed.
>
> Really? As you already pointed out, your packets are reaching their destination. So, they don't need to get anything fixed.

Ok, I *pay* Cogent for 'Direct Internet Access' which is IP Transit service. I *cannot* get to part of the internet via Cogent right now. I also *pay* Sprint and GNAPS for 'Direct Internet Access' and I can get to all parts of the internet via their networks. I *used* to be triple redundant to *all* of the Internet but now I only have *two* connections to Level 3. My packets are reaching their destination because I'm smart enough to be multi-homed; that doesn't remove the responsibility of Cogent to do what I *pay them to do*. Cogent is *not* providing complete Internet access, I really don't care whose fault it is.

> What utter nonsense... *shakes head and walks away*

Is it really that hard to understand? As a paying Cogent customer I expect to be able to get to the Internet through them. Isn't that the business they are in?

> -doug

-- Matthew S. Crocker, Vice President, Crocker Communications, Inc. Internet Division, PO BOX 710, Greenfield, MA 01302-0710, http://www.crocker.com
Weird DNS issues for domains
I'm hoping someone on the list can help confirm that I'm not going insane. I have a customer with the domain 'mtrsd.k12.ma.us'. The domain should be handled by our DNS servers (dns-auth1.crocker.com, dns-auth2.crocker.com). The customer has an A record for www.mtrsd.k12.ma.us pointing to their web server. The customer has subdomains for each school in the district which have www records pointing to their web server via CNAME. Everything looks like it is configured properly on my servers but the customer is reporting that certain parents (VerizonDSL, Comcast, DirectWAY) can connect to certain websites and not others. At this point I think the problem is with the DNS servers at their ISP. Can someone confirm my sanity? My zone of control starts at mtrsd.k12.ma.us; I do not have control over k12.ma.us. What do you all see for sanderson.mtrsd.k12.ma.us and www.sanderson.mtrsd.k12.ma.us?

; <<>> DiG 9.2.2 <<>> @204.97.12.2 mtrsd.k12.ma.us NS
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 522
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;mtrsd.k12.ma.us.               IN      NS

;; ANSWER SECTION:
mtrsd.k12.ma.us.        258796  IN      NS      dns-auth2.crocker.com.
mtrsd.k12.ma.us.        258796  IN      NS      dns-auth1.crocker.com.

;; Query time: 39 msec
;; SERVER: 204.97.12.2#53(204.97.12.2)
;; WHEN: Thu Sep 29 09:29:28 2005
;; MSG SIZE  rcvd: 92

; <<>> DiG 9.2.2 <<>> @204.97.12.2 sanderson.mtrsd.k12.ma.us NS
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15880
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;sanderson.mtrsd.k12.ma.us.     IN      NS

;; ANSWER SECTION:
sanderson.mtrsd.k12.ma.us. 259200 IN    NS      dns-auth2.crocker.com.
sanderson.mtrsd.k12.ma.us. 259200 IN    NS      dns-auth1.crocker.com.

;; Query time: 2 msec
;; SERVER: 204.97.12.2#53(204.97.12.2)
;; WHEN: Thu Sep 29 09:31:15 2005
;; MSG SIZE  rcvd: 102

; <<>> DiG 9.2.2 <<>> @204.97.12.2 www.sanderson.mtrsd.k12.ma.us A
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52155
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.sanderson.mtrsd.k12.ma.us. IN      A

;; ANSWER SECTION:
www.sanderson.mtrsd.k12.ma.us. 86400 IN CNAME   www.mtrsd.k12.ma.us.
www.mtrsd.k12.ma.us.    51      IN      A       159.250.29.161

;; Query time: 48 msec
;; SERVER: 204.97.12.2#53(204.97.12.2)
;; WHEN: Thu Sep 29 09:31:52 2005
;; MSG SIZE  rcvd: 81

-- Matthew S. Crocker Vice President Crocker Communications, Inc. Internet Division PO BOX 710 Greenfield, MA 01302-0710 http://www.crocker.com
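The sanity check the post is asking for can be done offline against the answer sections: parse the RR lines, follow the CNAME to the A record, and confirm that the sub-zone lists the same nameservers as the parent zone. The script below is an added example written for this page, not code from the thread; its sample records are constructed in dig's layout (the names and address copy the ones in the post, the `loop-a`/`loop-b` pair is made up to exercise the CNAME-loop failure path).

```python
import re

# Constructed sample in dig's answer-section layout (owner TTL class type rdata).
# Not the page's own output: the first six lines mirror the post, the last two add
# a CNAME loop so the error handling below has something to trip on.
SAMPLE_ANSWERS = """
mtrsd.k12.ma.us.                258796  IN  NS     dns-auth2.crocker.com.
mtrsd.k12.ma.us.                258796  IN  NS     dns-auth1.crocker.com.
sanderson.mtrsd.k12.ma.us.      259200  IN  NS     dns-auth2.crocker.com.
sanderson.mtrsd.k12.ma.us.      259200  IN  NS     dns-auth1.crocker.com.
www.sanderson.mtrsd.k12.ma.us.  86400   IN  CNAME  www.mtrsd.k12.ma.us.
www.mtrsd.k12.ma.us.            51      IN  A      159.250.29.161
loop-a.example.                 60      IN  CNAME  loop-b.example.
loop-b.example.                 60      IN  CNAME  loop-a.example.
"""

RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+?)\s*$")


def norm(name):
    """Canonical form for comparisons: no trailing dot, lower case."""
    return name.rstrip(".").lower()


def parse_answers(text):
    """Turn dig-style RR lines into (owner, ttl, type, rdata) tuples; comment lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RR_LINE.match(line)
        if not m:
            raise ValueError(f"unparsable RR line: {line!r}")
        owner, ttl, rtype, rdata = m.groups()
        records.append((norm(owner), int(ttl), rtype.upper(), rdata))
    return records


def rrset(records, name, rtype):
    name = norm(name)
    return [rdata for owner, _, t, rdata in records if owner == name and t == rtype]


def resolve_chain(records, name, rtype="A", max_hops=8):
    """Follow CNAMEs from `name` until an RRset of `rtype` is found.

    Returns (final_owner, rdata_list); rdata_list is empty when the chain dead-ends.
    Raises ValueError on a CNAME loop, an over-long chain, or an owner with several CNAMEs.
    """
    seen = []
    cur = norm(name)
    for _ in range(max_hops):
        if cur in seen:
            raise ValueError("CNAME loop: " + " -> ".join(seen + [cur]))
        seen.append(cur)
        data = rrset(records, cur, rtype)
        if data:
            return cur, data
        cnames = rrset(records, cur, "CNAME")
        if not cnames:
            return cur, []
        if len(cnames) > 1:
            raise ValueError(f"{cur} has {len(cnames)} CNAME records; only one is allowed")
        cur = norm(cnames[0])
    raise ValueError(f"CNAME chain from {name} exceeds {max_hops} hops")


def chain_error(records, name, rtype="A"):
    """Error message for a broken chain, or None when it resolves cleanly."""
    try:
        resolve_chain(records, name, rtype)
        return None
    except ValueError as e:
        return str(e)


def ns_sets_match(records, zone_a, zone_b):
    """True when both names list exactly the same nameservers (order-insensitive)."""
    a = {norm(n) for n in rrset(records, zone_a, "NS")}
    b = {norm(n) for n in rrset(records, zone_b, "NS")}
    return bool(a) and a == b


if __name__ == "__main__":
    recs = parse_answers(SAMPLE_ANSWERS)
    print(resolve_chain(recs, "www.sanderson.mtrsd.k12.ma.us"))
    print("NS sets match:", ns_sets_match(recs, "mtrsd.k12.ma.us", "sanderson.mtrsd.k12.ma.us"))
    print(chain_error(recs, "loop-a.example"))
```

Feeding real dig output from several resolvers (the customer's ISP resolvers versus your own) through `parse_answers` and comparing `resolve_chain` results is the quickest way to tell a zone error from a stale or broken recursive cache.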
Re: Weird DNS issues for domains
I just tested it from a Verizon DSL host and it worked. You might want to consider reading RFC 2182 though, particularly the part about geographically diverse nameservers. Yeah, yeah, that is overrated. If my site goes dark and my DNS goes down it doesn't really matter as the bandwidth and the web server will also be down. Having a live DNS server in another part of the country won't help if the access routers handling the traffic for the T1 to the school are also down. Geographically diverse name servers sound great in theory but for this application it won't gain any redundancy. -- Matthew S. Crocker Vice President Crocker Communications, Inc. Internet Division PO BOX 710 Greenfield, MA 01302-0710 http://www.crocker.com
Re: router worms and International Infrastructure
At your borders (upstream/peers), you will naturally block all of 10/8 at egress. my border is very broad and it's not feasible to use acls on all equipment that makes up that edge :( (for the sake of argument, which is now far afield from the original question: Feasible path won't stop someone spoofing space that's in my FIB, will it? The solution is a double border, possibly with VRF and inter-VRF routing Internal border sees 10/8 and 10/8 is in the FIB. 10/8 packets can be spoofed here, Infrastructure connects here External border doesn't see 10/8, 10/8 is NOT in the FIB, 10/8 packets can't be spoofed. Internet connects here. Internal - External links use routable IP space to not infect external with infrastructure routes. External border cannot talk to infrastructure IPs but it doesn't need to. External can route through infrastructure to customer CPE 10/8 can still be spoofed on the infrastructure but it will have to come from a customer, not from the Internet. Also, consider the cases where customers push packets your way (for uRPF strict, which isn't available for JunOS, but is for IOS depending on platform/code/hardware-rev... ugh!) and never send you a route for the traffic back to them? Maybe they are just a transit and don't even hear the routes for their customer who chose a 'cheaper' path that doesn't include them nor me directly on this link in question? This sounds like a broken design. Why have one way links? If a customer pushes packets my way and they don't announce that route to me I will drop the packets at my edge. If they want to send me those packets they need to announce. They can announce with AS path prepend x 1000 so I don't send them any traffic but the route needs to exist. does urpf feasible path stop a 'customer' from spoofing sources that are in the FIB? No, but you don't use feasible path on links aimed at your customer, you use strict. If your router doesn't support strict then talk to your purchasing department. -- Matthew S. Crocker Vice President Crocker Communications, Inc. Internet Division PO BOX 710 Greenfield, MA 01302-0710 http://www.crocker.com
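The exchange above turns on what each uRPF mode actually consults: loose only asks whether any route to the source exists, strict requires the best path to point back out the ingress interface, and feasible-path also accepts an alternate (non-best) path through that interface. The simulation below is an added example for this page, not code from the thread or from any router vendor. The two FIBs model the double-border design described in the post with hypothetical interface names (`infra`, `to-external`, `internet`, `cust1`, `cust2`), and, as routers normally do unless told otherwise, the default route is not used for the reverse-path lookup.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    best: str                              # interface of the best path (what strict uRPF checks)
    alternates: frozenset = frozenset()    # other interfaces with a path (what feasible-path adds)


def route(prefix, best, *alternates):
    return Route(ipaddress.ip_network(prefix), best, frozenset(alternates))


# Constructed FIBs for the two borders in the post (hypothetical interface names).
INTERNAL_FIB = [
    route("0.0.0.0/0", "to-external"),
    route("10.0.0.0/8", "infra"),             # infrastructure space exists only on this border
    route("192.0.2.0/24", "cust1", "cust2"),  # customer block also reachable over a second link
]
EXTERNAL_FIB = [
    route("0.0.0.0/0", "internet"),
    route("192.0.2.0/24", "to-internal"),
    route("198.51.100.0/24", "to-internal"),  # routable interconnect space, as the post suggests
]

MODES = ("loose", "feasible", "strict")


def lookup(fib, src, allow_default=False):
    """Longest-prefix match for a source address.

    The default route is ignored unless allow_default is set; a default that
    counted would make loose mode accept any source at all.
    """
    addr = ipaddress.ip_address(src)
    matches = [r for r in fib
               if addr in r.prefix and (allow_default or r.prefix.prefixlen > 0)]
    return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None


def urpf_permits(fib, src, ingress, mode):
    """Verdict of one uRPF mode for a packet with source `src` arriving on `ingress`."""
    r = lookup(fib, src)
    if r is None:
        return False                      # every mode drops a source with no route
    if mode == "loose":
        return True                       # a route exists, direction does not matter
    if mode == "strict":
        return ingress == r.best          # best path must point back out the ingress
    if mode == "feasible":
        return ingress == r.best or ingress in r.alternates
    raise ValueError(f"unknown uRPF mode {mode!r}")


def scenario_matrix():
    """Permit/deny per mode for the cases argued in the thread (constructed addresses)."""
    cases = {
        "internet spoofs 10/8 at external border": (EXTERNAL_FIB, "10.1.1.1", "internet"),
        "internet spoofs 10/8 at internal border": (INTERNAL_FIB, "10.1.1.1", "to-external"),
        "cust2 spoofs 10/8 at internal border": (INTERNAL_FIB, "10.9.9.9", "cust2"),
        "cust2 uses its own block over its second link": (INTERNAL_FIB, "192.0.2.5", "cust2"),
    }
    return {name: {m: urpf_permits(fib, src, ingress, m) for m in MODES}
            for name, (fib, src, ingress) in cases.items()}


if __name__ == "__main__":
    for name, verdicts in scenario_matrix().items():
        cells = "  ".join(f"{m}={'pass' if v else 'DROP'}" for m, v in verdicts.items())
        print(f"{name:48s} {cells}")
```

The matrix shows the two points made in the thread: at the external border, where 10/8 is simply absent from the FIB, even loose mode drops the spoofed packet; at the internal border, where 10/8 is in the FIB, loose mode lets it through from any interface, and only strict or feasible-path (which here has no alternate path for 10/8) catches it. The last row shows why feasible-path exists: a multihomed customer's traffic over its non-best link passes feasible-path but fails strict.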
Re: what will all you who work for private isp's be doing in a few years?
On May 12, 2005, at 4:23 PM, Jeff Rosowski wrote: | So imagine a residential area all pulling digital video over wireless. | Sound familiar? Ironically close to TV! (yet so different) You mean like VoIP over dsl ? I'm looking to setup DSL over VoIP over DSL next. smirk I'm going for v.90 over VoIP over DSL. Hopefully I'll be able to get a 28.8k connection over my DSL line ;) -- Matthew S. Crocker Vice President Crocker Communications, Inc. Internet Division PO BOX 710 Greenfield, MA 01302-0710 http://www.crocker.com
Re: Anyone familiar with the SBC product lingo?
SONET Circuit Service OC3-c (155Mbps) $2200 vs. Central Office Node Circuit Service OC3/3c (155Mbps) $675 SONET is a method of transporting TDM channels over fiber. SONET is made up of building blocks called an STS. An STS is equivalent to a DS-3 + SONET wrapper. An OC-3 equals 3 STSes. OC-3s come in two types, 'channelized' OC-3 which is 3 DS-3s in 3 STSes, and Packet Over SONET (POS), concatenated OC-3c which is 155mbps. If you are planning on using this circuit for TDM based voice (84 T1s in 3 DS-3 chunks) then you will want an OC-3 not an OC-3c. If you are planning on running 155mbps POS IP traffic you want an OC-3c. OC-3 = 3 x STS-1 = 3 x DS-3 = 3 x 28 DS-1s, 84 DS-1s = 2016 DS0 voice channels. OC-3c = 1 x STS-3 = 155mbps You can use an Adtran OPTI-3 to break an OC-3 into 3 distinct DS-3 channels which can be plugged into M13 muxes (Carrier Access Widebank 28) which will break a DS-3 into 28 DS-1s. If you want IP bandwidth you can use an OC-3 POS line card from your router vendor of choice. -Matt
Re: Heads up: Long AS-sets announced in the next few days
On Mar 3, 2005, at 7:22 PM, James wrote: You certainly need their permission before you can advertise routes that falsely came to have passed through their network! What kind of specific _technical_ issue do I create by prepending another ASN on AS_PATHs I advertise, without such owner's permission? Oh, I don't know, increasing the size of an already bloated global routing table; possibly crashing routers which are already starving for FIB RAM? A certain level of stability is to be expected on the global routing table. Playing with it isn't a 'good thing'. Besides the fact that they are experimenting with the core of the Internet. What if their experiments had an unwanted effect? What is the global financial impact of backbone instability? That is an awful big grenade they are chucking about. I think it is irresponsible for someone, no matter how educated or well intentioned to throw experiments into the middle of the network. -Matt
Re: AOL scomp
Due to AOL scomp and SPF we have stopped forwarding altogether. Existing accounts are grandfathered and we are working on migrating them all to IMAP-SSL. ALL new accounts have to IMAP their mail from our servers. I get WAY too much junk from forwarded mail going to AOL. I also get way too many tech support calls about forwarded mail being rejected because of SPF -Matt
Re: AOL scomp
Forwarded mail shouldn't be rejected as a result of SPF if your mail server is using SRS to rewrite the from addresses in the mail from part of the SMTP transaction of the forwarded emails... as long as your SPF record isn't messed up of course. :) I know but that just reeks of a hack which I'm not currently willing to do. It works better for us to terminate the forwarding and sell the customer full mail service. My SPF record isn't messed up as far as I know. -Matt
Re: Vonage complains about VoIP-blocking
I can see where it may come to a LEC being able to block a competitor's port only if they offer a comparable service. It will be an interesting ride to be sure. What if a LEC added QoS to increase priority of their own VoIP product and reduced QoS on their competitors? Packets are still getting through but the voice quality sucks. Are the VoIP providers paying to have premium service on the LEC network? -Matt
Re: Any Sprint BGP people out there
I'm a Sprint customer going on 10 years now. I have always had good luck e-mailing their BGP4 admin address. Check out the website but I think it is [EMAIL PROTECTED] They normally respond in an hour or less. I'm sure if you e-mail the BGP group they will add the new AS to your as-path filter list. Either that or just announce their IPs under your AS. -Matt On Nov 12, 2004, at 3:51 PM, Todd Christell wrote: Greetings, We have a customer that has Internet access through SBC. They lost their connection yesterday morning and are about ready to go out of business. We got additional fiber to their location and are now trying to announce their prefixes to Sprint. Of course they don't belong to us and wondering what I have to do to prove it is a legit request. A contact off list would be greatly appreciated. tlc Todd Christell Network Manager SpringNet www.springnet.net 417.831.8688 Key fingerprint = 4F26 A0B4 5AAD 7FCA 48DD 7F40 A57E 9235 5202 D508
Re: SkyCache/Cidera replacement?
On Sep 20, 2004, at 7:54 PM, Dan Mahoney, System Admin wrote: On Mon, 20 Sep 2004, Majdi Abbas wrote: I'll bite, and reveal my ultimate cluelessness here. Assuming I wanted to go about setting up an NNTP server, how would I go about getting and maintaining the feeds? There's no central authority AFAIK, but does anyone have any knowledge as to relative price and/or bandwidth consumption? First, you go out and buy the biggest server you can find, buy more drive space than you can afford. Then, buy more. You *may* be able to get a feed from your upstream service providers. You'll want to have at least 2 feeds and you should have at least OC-3 to each provider to handle the feeds. Don't expect much of the OC-3 left over for other uses. In a couple days you'll have all the warez and pr0n you'll ever need. -Dan On Mon, Sep 20, 2004 at 03:15:47PM -0400, Jon Lewis wrote: Hadn't it gotten to the point shortly before Cidera folded that the satellite bandwidth was so insufficient for a full feed that it was of questionable value?...or was it still fine if you wanted a usenet feed with no binaries? Jon, I recall some reported problems along those lines. That even without binaries, they were running out of overhead. Given that USENET volume tends to grow, I'm betting that it would require a lot more capacity now. When I first talked to someone using SkyCache about 5 years ago, at the time, they were a very happy customer because they'd been able to offload 12-13 Mbit/s from one of their transit DS-3s by taking a SkyCache feed. However, that was late 1999 or so, and transit prices were more than an order of magnitude higher than they are now. In those days, a lot of SPs were still running their own newsservers, and very few companies were providing outsourced reader access to news. 
These days, it doesn't make a lot of sense for many SPs to deal with the hassle of taking feeds and maintaining a newsserver, so they outsource reader access for their 4 or 5 customers who are aware that there is something besides the WWW out there. SkyCache was a really nice idea, but given that the number of SPs running their own newsservers has shrunk considerably, and that the outsourced news people won't be interested, the market is much smaller overall. On top of that, the bandwidth requirements have increased, while transit cost has plummeted. As a service, it existed to mitigate the bandwidth requirements of running a newsserver -- now that transit costs have crashed, and many more people are outsourcing their news, I just don't see a viable market in providing push feeds over satellite. I don't know what transponder space is running, but I'm willing to bet it has not gotten much (if any) cheaper. --msa -- Zaren Christ almighty... my EYES! They're melting! -Zaren, Efnet #macintosh, in response to: www.geocities.com/CollegePark/Classroom/1944 The WEBSITE DESIGN class that gave my fiancee a D. Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
Re: BGP Load Sharing
Chris, Take a look at Cisco OER http://www.cisco.com/en/US/netsol/ns471/networking_solutions_package.html or Route Science http://www.routescience.com/technology/index.html. You could also continue doing what you are doing, The 12k supports BGP, Netflow, SNMP and some custom scripts -Matt On Sep 17, 2004, at 8:40 PM, Chris Strandt wrote: I am hoping to learn from the great pool of experience on this list. We currently have 2 OC3 connections going to 2 separate providers. We are using netflow statistics to balance our traffic flows (which outgoing is our major concern). Flow tools, snmp output, some custom scripts, and some bgp weighting does the trick. We are in the process of upgrading to Cisco 12012 GSRs, and adding additional connectivity. We need to find something we can use to do the same type of thing on the 12012 GSR. The custom scripts work fine.. but it appears some line cards don't support netflow. 1) Is there an open source software that will assist us in load sharing? 2) Are there specific cards we need for netflow on a 12000 series? Is the difference based on Line Card Engine (0,1,2,3,etc)? 3) Is there an alternate way to control outgoing traffic flow to multiple upstreams using bgp (besides splitting the address range up and blindly pointing chunks to each provider)? Thanks, -Chris Strandt Liquid Web Inc
Re: BGP Load Sharing
So back to the question at hand... to get netflow stats for outgoing traffic.. we need cards in the 12K router which will support netflow on the ingress ports of the router for outgoing traffic(ie Gigabit Ethernet Line Cards)... right? Correct, NetFlow is generated when the packet enters the router. you'll need Engine 3 or 4 cards on your ingress ports (GigE I assume for outbound traffic) in order to do line rate with full Netflow. Engine 0 1 cards can do sampled netflow which *may* be enough for your load balancing needs. -Matt
Re: Are AOL's MXs mass rejecting anyone else's emails?
I have had my mail rejected by AOL in the past. I found their error messages very descriptive and the AOL mail team very responsive. The problem was on my end and I found and fixed it. Have you gone to the AOL mail website yet? Go to http://postmaster.aol.com/ it pretty much tells you how AOL handles mail and why they will/will not block you. -Matt On Sep 7, 2004, at 7:15 AM, Peter Galbavy wrote: Robert Blayzor wrote: One would hope that they're rejecting the incoming mail with a 400 series error and not 500 series. Where does the 400lb gorilla lie down ? Wherever it likes. AOL does pretty much anything it wants to. If they start 500'ing your mail, it becomes your problem. Unless you have a large budget and a good legal team. Peter
Re: Barracuda Networks Spam Firewall
My Series 400 seems to be doing fine today. Average queue latency 4 seconds which is about normal. Do you have any special config settings? -Matt On Jul 27, 2004, at 7:21 PM, Joe Hamelin wrote: I just talked to Heather (sales) at Barracuda and was told that there would be a FIRMWARE release in the morning to fix a problem with virus detection. It seems that the support ppl can't really do anything right now and their phone system is melting. The word is to hold tight for a fix. -- Joe Hamelin Edmonds, WA, US
Re: Sipura VoIP phone adapters and DoS against name servers
Get in contact with manufacturing vendor for a fix, and then tell us what they did or what they intend to do to remedy the problem. We have already suggested this to the local VoIP provider. Steinar Haug, Nethelp consulting, [EMAIL PROTECTED] I guess the real question is why was the local VoIP provider giving the phones your DNS IP? Should they have been using their own DNS server? -matt
Re: E-Mail Snooping Ruled Permissible
I know Brad Councilman, This all happened in my back yard. He ran a competing ISP with me (www.valinet.com). Not only was he reading his customers' e-mail and harvesting Amazon.com orders, he also hacked into 4 of the local area ISPs. I still remember the day I received a call from the FBI office in Boston. 'Sir, you are not in trouble but we would like to talk to you about an important matter. I'll be out tomorrow, when will you have time?' He came in with an old copy of my /etc/passwd file (this was hacked from me back in '95,'96). I was happy when they arrested him, he is a jerk. The ISP he ran has since been sold to another company, still local and run as an honest business. Sorry for the rant, I just wish he got more than a slap on the wrist. They didn't prosecute him on the hacking attempts because the e-mail theft was a bigger crime. Gr -Matt
Re: Can a Customer take their IP's with them? (Court says yes!)
The TRO is irrelevant, The courts made the wrong decision, did anyone actually think they would have a clue? Here is the solution: Black ball the /24 that the customer is taking with them. Black hole any AS that announces that /24 'illegally'. The courts don't need to follow the RFC or even know what the acronym stands for. The Internet should follow the RFC and should come to the defense of NAC and the Internet routing table. Any AS that picks up that customer and announces the netblock gets their entire AS routed to Null0. Pretty simple really, doesn't matter what the courts do. They don't have jurisdiction over me or any other ISP for that matter. They can't tell me what I do to my routers. The result is NAC removes the offending /24 from their announcements and follows the TRO so they don't get in trouble. The Internet heals around the court's TRO by rejecting that /24 from anyone else. The customer must change to their own IPs or they lose access completely. OrgName: Net Access Corporation OrgID: NAC Address: 1719 STE RT 10E Address: Suite 111 City: Parsippany StateProv: NJ PostalCode: 07054 Country: US ReferralServer: rwhois://rwhois.nac.net:43 NetRange: 207.99.0.0 - 207.99.127.255 CIDR: 207.99.0.0/17 NetName: NAC-NETBLK01 -Matt
OER ready for prime time?
Anyone out there running 12.3(8)T with OER in a production/semi production environment? I know it is only v1.0 just wondering what people are seeing. -Matt
DDoS mitigation with BGP communities
Hello, I just experienced my first official DDoS attack against my network. I never realized how helpless I was :(. I had roughly 70 mbps of traffic aimed at one IP. The IP wasn't even in use, I'm assuming someone typed the wrong IP and meant to send it somewhere else. I shut it down by removing the /24 announcement. This was fine except for the customers on that /24. I know my upstreams have special communities I can set via BGP announcements that effectively say 'route packets to this network to null0'. My question is, what do I need to put on my router (i.e. code examples) to inject the /32 into the BGP announcements. I try to be a good net citizen and announce aggregate blocks. I had to break my /21 up so I could announce everything but the /24 in the middle. Any help would be greatly appreciated. Routers are a couple 7500 series running 12.0.xx -Matt
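One way to do what the post asks for, as an added illustration that is not from the thread, from Cisco documentation or from any upstream's customer guide: a customer-triggered remote blackhole (RTBH) on IOS, where a tagged static route to Null0 for the victim /32 is redistributed into BGP with the upstream's blackhole community, while the aggregate keeps being announced unchanged. Every identifier here is a placeholder: ASNs 64496 (upstream) and 64497 (you), community 64496:666, the documentation ranges 203.0.112.0/21 (your aggregate), 203.0.115.77 (the attacked host) and 198.51.100.1 (the upstream's side of the link). The real community value, and whether the upstream accepts /32s at all, come from that upstream.

```cisco
! Write communities as aa:nn so the values below read the same as the upstream's docs.
ip bgp-community new-format
!
! 1. Host route for the attacked address, sent to Null0 and tagged for the route-map.
!    Traffic to the victim now dies at your edge; the rest of the /24 is untouched.
ip route 203.0.115.77 255.255.255.255 Null0 tag 666
!
! Anchor for the aggregate (high distance so it never beats a real route).
ip route 203.0.112.0 255.255.248.0 Null0 250
!
! 2. Only statics carrying the blackhole tag get into BGP, stamped with the
!    upstream's blackhole community (placeholder value).
route-map RTBH-STATIC permit 10
 match tag 666
 set community 64496:666 additive
 set origin igp
route-map RTBH-STATIC deny 20
!
! 3. Outbound policy: your aggregates as usual, plus anything that carries
!    the blackhole community. Other more-specifics stay inside.
ip community-list 1 permit 64496:666
ip prefix-list AGGREGATES seq 5 permit 203.0.112.0/21
route-map TO-UPSTREAM permit 10
 match ip address prefix-list AGGREGATES
route-map TO-UPSTREAM permit 20
 match community 1
route-map TO-UPSTREAM deny 30
!
! 4. BGP: keep the aggregate, add the tagged statics, and send communities
!    (without send-community the /32 would arrive without its marker and
!    most upstreams would simply drop it for being too specific).
router bgp 64497
 no synchronization
 network 203.0.112.0 mask 255.255.248.0
 redistribute static route-map RTBH-STATIC
 neighbor 198.51.100.1 remote-as 64496
 neighbor 198.51.100.1 send-community
 neighbor 198.51.100.1 route-map TO-UPSTREAM out
 no auto-summary
```

To start mitigating, add the tagged `ip route ... Null0 tag 666` line for the victim; to stop, remove it and the /32 withdraws on the next update. `show ip bgp 203.0.115.77` should show the community attached before you expect the upstream to act on it, and a second peer that does not honour blackhole communities needs its own outbound route-map without the `match community 1` clause.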
Re: Even you can be hacked
It would be great if there always was a negligent party, but there is not always one. If Widgets Inc.'s otherwise ultra-secure web server gets 0wn3d by a 0-day, there is no negligence[0]. Who eats it, Widgets Inc. or the ISP? Widget Inc is still negligent. It is their server. They could have placed the server behind a firewall. The firewall could have been doing layer 7 inspection and noticed the 0-day event. They could also be running an IDS which would detect such an event and notify a network administrator. The point is there are MANY ways to protect systems and to be notified in an event. As an ISP I would overlook a couple days worth of billing if my customer was responsible/reactive to the event. If they refuse to fix the problems they should be held liable. If we notice worm traffic entering our network from our customer we shut them down then notify them. We protect our network first, then we help with theirs. No matter how you slice it people need to be responsible for their own actions or inactions. Widget Inc, could have chosen a different OS, Web server, etc that didn't have that particular 0-day event. Customers have choices, they need to be responsible for the choices they make. I can guide them in good design up to a certain extent for free. I'll design/build for them for a fee. IT is always the first cut in a budget crunch, Bean counters overlook IT issues. The problem is the way you run your network affects other networks. You can save $30,000 today and spend $100,000 in repairs for a failure, your choice. So how about this analogy: Someone breaks into my house and spends a few hours on the phone to Hong Kong. Who eats the bill, me or my LD carrier? Neither of us was negligent. Do you ever expect to call Hong Kong? No, call your LD carrier before the fact and block all international calls from your line. You can also put an access code on your outbound calls or block everything and use a calling card. 
You chose to make it easy for yourself, you get hacked, you should pay. [0] Unless someone can prove the software flaw was sloppy enough that it constitutes negligence and goes after the software authors. Good luck with that. Software flaw or not. Design your network so you have safe guards in place. Have other machines watching for irregular traffic, set off pagers when your traffic goes 300% above normal. Pay for a network engineer to watch it and make it better. React to problems, don't turn a blind eye and hope it all goes away. Come on, whatsup gold is cheap enough, SNMP monitor your switch traffic and set off pagers using thresholds, it really isn't that hard. I'm rambling, the root of the problem is not IT or MS or the Internet. It is society and everyone doing the bare minimum. Going with the least common denominator is not a way to live your life, run your business or your network. I'll take the high road, thank you very much. I have little patience for people who do not expend the effort complaining and looking for hand outs from those that do. -- Crist J. Clark [EMAIL PROTECTED] Globalstar Communications(408) 933-4387
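The "set off pagers when your traffic goes 300% above normal" advice is a few lines of arithmetic once the SNMP counters are in hand, and the part people get wrong is the counter itself: ifInOctets/ifOutOctets are 32-bit and wrap, so a naive delta goes negative right when you need it. The script below is an added example for this page, not the poster's tooling or any monitoring product's code. Its samples are constructed five-minute polls of a Counter32 that wraps once and then carries a 70 Mbit/s burst (the figure the DDoS post above mentions); "300% above normal" is read here as four times the baseline and is a parameter.

```python
COUNTER32_MAX = 2 ** 32   # ifInOctets / ifOutOctets are Counter32 on older line cards

# Constructed samples: (seconds since start, ifOutOctets reading) at 5-minute polls.
# Steady ~1 Mbit/s, one counter wrap between the 3rd and 4th poll, then a 70 Mbit/s burst.
SAMPLES = [
    (0,    4_200_000_000),
    (300,  4_237_500_000),
    (600,  4_275_000_000),
    (900,     17_532_704),   # wrapped: 4_312_500_000 - 2**32
    (1200,    55_032_704),
    (1500, 2_680_032_704),   # +2_625_000_000 octets in 300 s = 70 Mbit/s
    (1800, 2_717_532_704),
]


def rates_bps(samples, counter_max=COUNTER32_MAX):
    """Bits per second for each polling interval, correcting at most one wrap per interval.

    Polls must be frequent enough that a Counter32 cannot wrap twice between them
    (at 1 Gbit/s that is under 35 s); use the 64-bit ifHCOutOctets where available.
    """
    rates = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        delta = c1 - c0
        if delta < 0:
            delta += counter_max
        rates.append(delta * 8 / (t1 - t0))
    return rates


def alerts(rates, baseline_intervals=4, factor=4.0):
    """(index, bits/s) for every interval exceeding factor x the baseline average.

    The baseline is the mean of the first `baseline_intervals` readings; in practice
    you would keep a rolling baseline per interface and per time of day.
    """
    if len(rates) <= baseline_intervals:
        return []
    baseline = sum(rates[:baseline_intervals]) / baseline_intervals
    return [(i, r) for i, r in enumerate(rates)
            if i >= baseline_intervals and r > factor * baseline]


if __name__ == "__main__":
    rates = rates_bps(SAMPLES)
    for i, r in enumerate(rates):
        print(f"interval {i}: {r / 1e6:6.1f} Mbit/s")
    for i, r in alerts(rates):
        print(f"ALERT interval {i}: {r / 1e6:.1f} Mbit/s is above threshold")
```

Hooked to whatever already pages you, this is the threshold check the post describes; the wrap handling is what keeps it from paging on a phantom negative rate, or missing a real one, every time a busy port rolls its 32-bit counter.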
EMS systems?
Hello, I have been looking through the archives and RFC and I can't seem to find what I'm looking for. I'm in search of an Element Management System or Inventory tracking system that can keep track of my hardware (routers, switches, SONET, patch panels) and ports (DS-1, DS-3, CDS-3, Ethernet, GigE, OC-x) and circuits (connecting two ports together). I don't need SNMP/NMS functionality per se but an add-on capability would be nice. I need a system that can track a customer circuit from their location (UNE DS1) to the Verizon CFA / circuit ID at my colo through my M13 mux into my SONET and into the router. It would be great if I could click on a customer and list all of their circuits and equipment involved with the circuits. Is there an RFC which defines such a database? Is there an open source system available to maintain the data? A database package where I can say 'I need an available DS-1 port in this CO and get a Verizon circuit ID I can use on the order'. I know the big guys have something, I'm a little guy, do I need to write it myself? -Matt
Re: best effort has problems
The PSTN doesn't offer guaranteed end-to-end transmission, and certainly statmuxes based on expected load. Looks like similar capacity planning. The PSTN does guarantee a certain service level, latency, call completion etc. Perhaps you refer to latency. Most people don't care as long as HTTP and POP3 latency is good enough -- and server response time is often a substantial consideration. SMTP really isn't picky about latency or jitter. Latency and jitter are very important when dealing with sound and video. Or anything realtime for that matter. The Internet isn't just HTTP, NNTP, SMTP any more. Maybe you mean packet loss. Most everyone here can recall the days of 30% packet loss across congested MAE FDDI fabric, but that went away what seems like eons ago. I remember quite a bit of packet loss when the last series of worms hit
Re: Barracuda Networks Spam Firewall
On May 18, 2004, at 4:13 AM, Martin Hepworth wrote: Matthew Spamassassin needs quite a bit of tweaking above the out of the box setup. I run about 7000 messages a day here, 70% spam, .5% virus (clamav and Sophos), very very rarely a FP. I get above 99% hit rate after adding in bayes, several additional rules from www.rulesemporium.org and the URI checks. Runs on a 600mhz celeron with load avg .5 I agree that everything the Barracuda does can be done by hand. I had a choice of either spending $4k for a 'set it and forget it' type spam solution or continue to spend days per month of my time tweaking my old setup. I chose to go with the commercial route which will easily save me $$ and more importantly frustration over the course of this year. I can spend my time building my business now instead of tweaking my mail server. Barracuda is built on open source, It boots LILO then goes into 'secret' mode. I don't think they added any black magic to the box. They just assembled the open source parts and shrink wrapped it into a very easy to manage solution. -Matt
Re: Barracuda Networks Spam Firewall
On May 17, 2004, at 2:35 PM, Claydon, Tom wrote: Doing evaluations on anti-spam, anti-virus solutions, and ran across this: http://www.barracudanetworks.com/ Looks like a good box -- even won an Editor's Choice award from Network Computing recently. Does anyone on list have any experience with these boxes? If so, how are they with false positives, quarantine capabilities, etc? Tom, I have a Barracuda Spam Firewall 400, We handle about 9k users and the thing is AMAZING! My old setup was 4 dual-PIII 550Mhz, 1 Gig RAM running Qmail/Qmail-ldap/spamassassin/F-Secure AV. My inbox would get 300+ spams/day, many of them not tagged at all This setup would melt on a regular basis when spam floods would come in My current setup is a Barracuda 400 and 1 inbound mail server (dual P-III 550Mhz...). My inbox now gets 5 untagged spams/day and about 10 quarantined. This setup has been able to handle everything thrown at it so far with no noticeable performance hit My customers love it, I love it, best thing I have purchased in the last 12 months. Very low false positives and high hit rate. The quarantine box is very easy to handle for users, they will get an e-mail once per day with a list of messages and links to whitelist, deliver or delete. When they click on a link they will connect/log into the Barracuda. They can manage their own Bayesian filters from the quarantine interface. It really has had a dramatic effect on my spam, I'm wondering what I'll be doing with all my spare time now that I don't have to manage my mail server. I was watching the message log one day and noticed a spam flood in action. 10 messages came in and went to customers tagged about 0.5 or so 10 messages came in and went to customers tagged as ::SPAM:: with a score of 3.7 or so 10 messages came in and went to quarantine with a score of 5.5 or so a bazillion messages were blocked with a score 20 It learned very fast. 
My Barracuda is currently blocking 500k+ messages/day current stats (installed 13 days) Blocked (SPAM) :7453215 Blocked (Virus) : 24600 Quarantined : 82170 Tagged: 31552 Allowed : 580876 Average Queue latency : 4 seconds Unique Recipients : 8245 I just signed up as a reseller and I'm building a managed mail solution around it. If you are an ISP I recommend you get a 400 series or higher. You can customize the web interface a bit and it handles multiple domains better (per domain spam settings) -Matt
Re: Worms versus Bots
It's not manufacturers who did not catch up (in fact they did and offer very inexpensive personal dsl routers going all the way to the $20 range), it's DSL providers who still offer a free dsl modem (a device at least twice as expensive as a router) and free network card and complex instructions on how to set this all up on each different type of pc. No clue at all that it would be only very marginally more expensive for them to integrate features of such a small nat router into the dsl modem and instead of offering PPPoverEthernet it could just offer NAT and DHCP and make it so much simpler for many of those lusers with only light computer skills to set this all up. Agreed, We require a NAT device or true firewall on all DSL customer connections. We sell cheap Linksys boxes to customers or they can upgrade to a SonicWall. We don't use an Integrated modem/router because most of them are junk. You won't find a single Windows/Linux/Mac machine directly connected to our DSL network. I still like PPPoE for customer authentication because I can place individual packet filters or re-assign users to different contexts based on username/password authentication. PPPoE/NAT is a good combination. Couple that with 3 levels of virus scanning on our mail server and it has reduced the effects of virus and worm spread inside the networks we control. We still get viruses and worms that hit but it is at a more manageable rate. We are not a large provider by any means but I try my hardest to provide a solid network and protect the Internet from my users as much as possible. If only the users would not shop solely on price I would be all set :/ -Matt -- William Leibzon Elan Networks [EMAIL PROTECTED]
Re: Alternate and/or hidden infrastructure addresses (BGP/TCP RST/SYN vulnerability)
next thing to protect is customer ebgp sessions. some providers don't even route the p2p /30 links used between cust and their backbone (i.e. Sprint). so that's up to you. some backbones even filter all traffic destined to backbone prefixes at ingress points (border routers, cust edge routers)... for example.. att being one. for example, here comes random test: Couldn't we use 2 /30 subnets on PtP links? 1 /30 with real IPs for ICMP, MTU, reachability etc. and one RFC1918 /30 as secondary for eBGP sessions. I know when a router originates a packet (like with BGP) it sets the source IP to the IP of the interface the packet leaves. Is BGP smart enough when setting up BGP neighbors to use an IP in the same subnet as the neighbor (the secondary interface IP)?
Re: Any good Wave Boxes to do this?
On Apr 8, 2004, at 5:05 PM, Deepak Jain wrote: I have seen boxes from MRV and others that will do 2GE into an OC48. I really feel bad about wasting that 500mb/s on essentially an IP application, but can't really justify putting OC48 ports into a catalyst 6500 for this application. Likewise, uplinking to a GSR just to get cheaper OC48 ports doesn't make sense when you count the cost of the GE ports. Is there a good box out there that will say take 2xOC48 and give me 5 GEs? Have you looked at the ONS 15454 ? You won't waste the bandwidth and you get TDM capabilities as well. You can use the muxponder cards to put 4 OC-48 IR1310s into 1 OC-192 as well. You could also use CWDM and just run straight GE, or do you have to use OC-48 for transport? -Matt
Re: Anti-Spam Router -- opinions?
> If you rate-limit 2 million compromised machines to 20 msgs/day each, there's only 400 million spams. Total.

IF you can rate-limit them across the whole Internet. If you limit 2 million machines to 20 msgs/day per mail server you are back up to your 10 Billion msgs/day mark. This is where DCC or other distributed checksum systems come into play.

-Matt
Re: Anti-Spam Router -- opinions?
On Apr 5, 2004, at 10:49 AM, Andy Johnson wrote:

> Has anyone had any experience with this device? Turntide.com. Looks like a traffic-shaping device designed specifically for cutting down spammers' throughput to your inbound SMTP servers. My main concern is, how does it make the distinction between legitimate mass-mailings (e.g.: mailing lists such as this one), and spam? Interesting approach to killing spam though I must say.

Sounds like YABA (Yet Another Band Aid) solution for spam. If rate-limiting the spam packets does an effective job at killing spam, it will only make the spammers switch to a distributed attack method using trojaned virus hosts sending 1 mail message at a time. They are already doing this in some cases. SPAM is a living, breathing entity that can learn and adapt. The smarter the network gets at killing it off, the smarter it gets at attacking. The evolution of spam/viruses is astounding and getting quicker all the time. The Turntide box may be a good solution but it is expensive; I'll wait for the SNORT add-on that does the same thing ;)

-Matt
Re: Converged Networks Threat (Was: Level3 Outage)
> I'm saying that if a network had a FR/ATM/TDM failure in the past it would be limited to just the FR/ATM/TDM network (well, aside from any IP circuits that are riding that FR/ATM/TDM network). We're now seeing the change from the TDM based network being the underlying network to the IP/MPLS core being this underlying network. What it means is that a failure of the IP portion of the network that disrupts the underlying MPLS/GMPLS/whatnot core that is now transporting these FR/ATM/TDM services does pose a risk. Is the risk greater than in the past, relying on the TDM/WDM network? I think that there could be some more spectacular network failures to come. Overall I think people will learn from these to make the resulting networks more reliable. (eg: there has been a lot learned as a result of the NE power outage last year).

Internet traffic should run over an IP/MPLS core in a separate session (VRF, virtual context, whatever..) so the MPLS core never sees the full BGP routing information of the Internet. So long as router vendors can provide proper protection between routing instances so one virtual router can't consume all memory/CPU, the MPLS core should be pretty stable. The core MPLS network and control plane should be completely separate from regular traffic and much less complex for any given carrier. VoIP, Internet, EoM, AToM, FRoM, TDMoM should all run in separate sessions, all isolated from each other. A router should act like a Unix machine, treating each MPLS/VRF session as a separate user, isolating and protecting users from each other, providing resource allocation and limits. I'm not sure of the effectiveness of current generation routers but it should be coming down the line. That said, the IP/MPLS core should be more stable than traditional TDM networks; the Internet itself may not stabilize but that shouldn't affect the core. What happened at L3 was an Internet outage, which shouldn't in theory affect the MPLS core.

Think back 10 years when it was common for a Unix binary to wipe out a machine by consuming all resources (fork bombs anyone?). Unix machines have come a long way since then. Routers need to follow the same progression. What is the routing equivalent of 'while (1) { fork(); };'? Currently it is massive BGP flapping that chews resources. A good router should be immune to that and can be with proper resource management.

-Matt
Re: Converged Networks Threat (Was: Level3 Outage)
> Yesterday we witnessed a large scale failure that has yet to be attributed to configuration, software, or hardware; however one need look no further than the 168.0.0.0/6 thread, or the GBLX customer who leaked several tens of thousands of their peers' routes to GBLX shortly

This should be rewritten 'Or GBLX who LET one of their customers leak several tens of thousands of the peers' routes...'. I'm sorry, a network should be able to protect itself from its users and customers. BGP filters are not that hard to figure out and peer prefix limits should be part of every config. Don't trust the guy at the other end of the pipe to do the right thing.

-Matt
Re: Where can I find a list of IPs and their regions.
> Hmmm ... ftp://ftp.ripe.net/ripe/stats/delegated-ripencc-latest exists and ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest as well ...

Yep, my bad, I was only using ftp.arin.net to pull the data for all 4 RIRs. ARIN doesn't have the symlinks for the RIPE/LACNIC latest files. I'll pull the data from the correct FTP servers and chew up a tiny bit of international bandwidth ;)

-Matt
Where can I find a list of IPs and their regions.
I've looked at IANA but it doesn't give enough detailed information. I would like to find a list of /8s or /16s and what geographic region they exist in. I know it isn't an exact science but something close would be nice. I know 210/8 and 211/8 are APNIC; I'd like to know stuff like 210.100/16 is Korea and 210.120/16 is China, etc. Does anyone have a list I can pull from?

-Matt
Re: Where can I find a list of IPs and their regions.
> On 10.02.2004 01:43 Matthew Crocker wrote:
>
>> I've looked at IANA but it doesn't give enough detailed information. I would like to find a list of /8s or /16s and what geographic region they exist in. I know it isn't an exact science but something close would be nice. I know 210/8 and 211/8 are APNIC; I'd like to know stuff like 210.100/16 is Korea and 210.120/16 is China, etc. Does anyone have a list I can pull from?
>
> Have a look at http://www.aso.icann.org/stats/index.html and retrieve up-to-date files from APNIC, ARIN, LACNIC and RIPE.

This is exactly what I want, thank you very much :) I wonder why APNIC and ARIN have delegated-*-latest files but LACNIC and RIPE do not. grrr. This data should be accurate enough for what I'm trying to accomplish.

Thanks again

-Matt
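The delegated-*-latest files the thread settles on share one line format (registry|cc|type|start|value|date|status). As an added example, not code from the thread, here is a parser that loads such a file and answers the "which region is this address in" question from the post above; the sample records are constructed (the Korea/China assignments are borrowed from the wish-list in the question, not verified allocations), and the ipv4 'value' column is handled as a host count because it need not be a power of two.

```python
import bisect
import ipaddress
from collections import namedtuple

# Constructed sample in the RIR "delegated" stats format (registry|cc|type|start|value|date|status).
# Country codes, dates and block sizes are made up for this example; they are not real APNIC data.
SAMPLE_DELEGATED = """\
2|apnic|20040210|5|19830101|20040209|+1000
apnic|*|ipv4|*|3|summary
apnic|*|ipv6|*|1|summary
apnic|*|asn|*|1|summary
apnic|KR|ipv4|210.100.0.0|65536|19960823|allocated
apnic|CN|ipv4|210.120.0.0|768|19970305|allocated
apnic|JP|ipv4|211.0.0.0|1048576|19990101|allocated
apnic|AU|ipv6|2001:db8::|32|20040101|allocated
apnic|JP|asn|2497|1|19930101|allocated
"""

# One delegated block: first/last address as integers plus the metadata columns.
Delegation = namedtuple("Delegation", "first last family cc registry status")


def parse_delegated(text):
    """Parse a delegated-<rir>-latest file into Delegation records.

    Only ipv4/ipv6 records are kept; the version header, the summary lines and
    asn records are skipped. For ipv4 the 'value' column is a host count that
    need not be a power of two (768 = three /24s), so each block is stored as a
    [first, last] range rather than a single CIDR. For ipv6 'value' is a prefix length.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) < 7 or fields[2] not in ("ipv4", "ipv6"):
            continue
        registry, cc, family, start, value, _date, status = fields[:7]
        if family == "ipv4":
            first = int(ipaddress.IPv4Address(start))
            last = first + int(value) - 1
        else:
            net = ipaddress.IPv6Network(f"{start}/{value}", strict=False)
            first, last = int(net[0]), int(net[-1])
        records.append(Delegation(first, last, family, cc, registry, status))
    return records


class DelegationTable:
    """Per-family sorted ranges with binary-search lookup of a single address."""

    def __init__(self, text):
        self.ranges = {"ipv4": [], "ipv6": []}
        for rec in parse_delegated(text):
            self.ranges[rec.family].append(rec)
        for recs in self.ranges.values():
            recs.sort(key=lambda r: r.first)
        # Parallel list of range starts so bisect can find the candidate block.
        self.starts = {fam: [r.first for r in recs] for fam, recs in self.ranges.items()}

    def lookup(self, ip):
        """Return the Delegation covering ip, or None if it is not delegated."""
        addr = ipaddress.ip_address(ip)
        family = "ipv4" if addr.version == 4 else "ipv6"
        n = int(addr)
        i = bisect.bisect_right(self.starts[family], n) - 1
        if i >= 0 and self.ranges[family][i].last >= n:
            return self.ranges[family][i]
        return None


def cidrs(rec):
    """Express one delegation as the minimal list of CIDR prefixes (the /8s and /16s asked for)."""
    cls = ipaddress.IPv4Address if rec.family == "ipv4" else ipaddress.IPv6Address
    return [str(n) for n in ipaddress.summarize_address_range(cls(rec.first), cls(rec.last))]


if __name__ == "__main__":
    table = DelegationTable(SAMPLE_DELEGATED)
    for ip in ("210.100.5.6", "210.120.2.9", "210.120.3.1", "2001:db8::1"):
        rec = table.lookup(ip)
        print(ip, "->", (rec.cc, rec.registry, cidrs(rec)) if rec else "not delegated")
```

Concatenating the four RIRs' files into one DelegationTable gives the complete map; the ipv4 block 210.120.0.0 with 768 hosts deliberately shows why a range lookup is needed instead of a single prefix.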
Re: Strange public traceroutes return private RFC1918 addresses
Search the archives, Comcast and other cable/DSL providers use 10/8 for their infrastructure. The Internet itself doesn't need to be Internet routable. Only the edges need to be routable. It is common practice to use RFC1918 address space inside the network. Companies like Sprint and Verio use 'real' IPs but don't announce them to their peers on customer edge routes.

-Matt

On Feb 2, 2004, at 6:01 PM, Brian (nanog-list) wrote:

> Any ideas how (or why) the following traceroutes are leaking private RFC1918 addresses back to me when I do a traceroute? Maybe try from your side of the internet and see if you get the same types of responses. It's really strange to see 10/8 and 192.168/16 addresses coming from the public internet. Has this phenomenon been documented anywhere? Connectivity to the end-sites is fine, it's just the traceroutes that are strange. (initial few hops sanitized)
>
> [EMAIL PROTECTED] /]# traceroute www.ibm.com
> traceroute: Warning: www.ibm.com has multiple addresses; using 129.42.17.99
> traceroute to www.ibm.com (129.42.17.99), 30 hops max, 38 byte packets
>  1  (---.---.---.---)  2.481 ms  2.444 ms  2.379 ms
>  2  (---.---.---.---)  17.964 ms  17.529 ms  17.632 ms
>  3  so-1-2.core1.Chicago1.Level3.net (209.0.225.1)  17.891 ms  17.985 ms  18.026 ms
>  4  so-11-0.core2.chicago1.level3.net (4.68.112.194)  18.272 ms  18.109 ms  17.795 ms
>  5  so-4-1-0.bbr2.chicago1.level3.net (4.68.112.197)  17.851 ms  17.859 ms  18.094 ms
>  6  so-3-0-0.mp1.stlouis1.level3.net (64.159.0.49)  23.095 ms  22.975 ms  22.998 ms
>  7  ge-7-1.hsa2.stlouis1.level3.net (64.159.4.130)  23.106 ms  23.237 ms  22.977 ms
>  8  unknown.level3.net (63.20.48.6)  24.264 ms  24.099 ms  24.154 ms
>  9  10.16.255.10 (10.16.255.10)  24.164 ms  24.108 ms  24.105 ms
> 10  * * *
>
> [EMAIL PROTECTED] /]# traceroute www.att.net
> traceroute: Warning: www.att.net has multiple addresses; using 204.127.166.135
> traceroute to www.att.net (204.127.166.135), 30 hops max, 38 byte packets
>  1  (---.---.---.---)  2.404 ms  2.576 ms  2.389 ms
>  2  (---.---.---.---)  17.953 ms  18.170 ms  17.435 ms
>  3  500.pos2-1.gw10.chi2.alter.net (63.84.96.9)  18.077 ms  *  18.628 ms
>  4  0.so-6-2-0.xl1.chi2.alter.net (152.63.69.170)  18.238 ms  18.321 ms  18.213 ms
>  5  0.so-6-1-0.BR6.CHI2.ALTER.NET (152.63.64.49)  18.269 ms  18.396 ms  18.329 ms
>  6  204.255.169.146 (204.255.169.146)  19.231 ms  19.042 ms  18.982 ms
>  7  tbr2-p012702.cgcil.ip.att.net (12.122.11.209)  20.530 ms  20.542 ms  23.033 ms
>  8  tbr2-cl7.sl9mo.ip.att.net (12.122.10.46)  26.904 ms  27.378 ms  27.320 ms
>  9  tbr1-cl2.sl9mo.ip.att.net (12.122.9.141)  27.194 ms  27.673 ms  26.677 ms
> 10  gbr1-p10.bgtmo.ip.att.net (12.122.4.69)  26.606 ms  28.026 ms  26.246 ms
> 11  12.122.248.250 (12.122.248.250)  27.296 ms  28.321 ms  28.997 ms
> 12  192.168.254.46 (192.168.254.46)  28.522 ms  30.111 ms  27.439 ms
> 13  * * *
> 14  * * *
Re: Strange public traceroutes return private RFC1918 addresses
On Feb 2, 2004, at 6:20 PM, Jonas Frey (Probe Networks) wrote:

> This is quite often used. You can't (d)DoS the routers this way, nor try to do any harm to them as you can't reach them.

Sure you can, easy: attack a router 1 hop past your real target and spoof your target as the source. The resulting ICMP responses will hammer the target. If the Internet edge actually protected itself against spoofing it would be harder, but it is still very doable now.
Re: pon's and ethernet to the home
www.carrieraccess.com makes PON CPE gear: http://www.carrieraccess.com/products/index.cfm/fuseaction/default_prod/cat_id/118.htm

www.alcatel.com makes PON 'head end' gear that works with CAC CPE. Basically, 1 strand of fiber (not a pair) can be used for 16 or 32 customers and will handle up/down data, down video, up/down T1 for voice at the customer. Head end voice, video and data is split apart. Carrier Access Corp hardware is rock solid, I have *never* had one fail. I don't use the PON stuff but I do use their DS1/DS3 stuff.

-Matt

On Dec 9, 2003, at 12:58 PM, Miguel Mata-Cardona wrote:

> Hi, I've been reading a little about passive optical networks and the idea is very good from my standpoint. As far as I have understood, the idea is to use the fiber as if it were coax, doing some kind of FDM (frequency division multiplexing) with the lambdas (somehow the same). This would give us the capability to move at least n x 10mbps ethernet on the same fiber using different lambdas for each customer, until the power budget goes down. If the idea is correct, this would mean the next jump in bandwidth. Who would be making these ethernet/lambda multiplexors right now? Is it feasible to do it today? or should we wait a little more? I mean, there are solutions using packet over sonet or alike, but pure ethernet?
>
> -- Miguel Mata-Cardona Intercom El Salvador [EMAIL PROTECTED] voz: ++(503) 278-5068 fax: ++(503) 265-7024

-- Matthew S. Crocker Crocker Communications, Inc. Vice President PO BOX 710 Greenfield, MA 01302 P: 413-746-2760 F: 413-746-3704 W: http://www.crocker.com E: [EMAIL PROTECTED]
Re: AOL rejecting mail from IP's w/o reverse DNS ?
On Dec 3, 2003, at 10:42 AM, Christopher X. Candreva wrote:

> On Wed, 3 Dec 2003, Randy Bush wrote:
>
>> you're right. it will be. people will have to clean up their in-addr.arpa. or am i missing some reason they can't, other than laziness?
>
> See, this is the war I didn't want to start again. Unless I'm thinking of a discussion on a different list -- I was sure in the whole Verizon spam measures hurting other servers thread, the whole blocking w/o IN PTR records had come up, with people saying they were on hosting where they couldn't change PTR records, and the clients who couldn't get mail from small offices with Exchange servers on DSL lines where the ISP hadn't configured reverse DNS. Then there was the comment on how reverse DNS was meaningless, and did you still run identd?

AOL says the PTR record needs to be assigned. It doesn't specify it has to match the @domain.com in the MAIL FROM: header. Wouldn't it be enough to make sure every IP address you announce has a PTR and matching A record? Hasn't this been a requirement for MANY services for MANY years?

-- Matthew S. Crocker Crocker Communications, Inc.
Vice President PO BOX 710 Greenfield, MA 01302 P: 413-746-2760 F: 413-746-3704 W: http://www.crocker.com E: [EMAIL PROTECTED]
Re: What *are* they smoking?
On Monday, September 15, 2003, at 07:11 PM, George William Herbert wrote:

> A wildcard A record in the net TLD. It's Verisign's return shot at the 'web browser couldn't find this page' searches. Doesn't seem to have much by way of advertising yet, but I'm sure that'll change. I heard about this coming from somewhere last week, though I don't recall where. Probably Wired or the WSJ. Verisign wants the revenue that all those typos are generating. It's just the next shot in the eyeball war.
>
> This is sufficiently technically and business slimy that I would null-route that IP, personally.

Nah, just route it to a Linux box with a transparent proxy and show your own 'Websites-R-Us' page to your customers.
Cisco ONS 15454 Password Recovery
Dear List, I know this isn't the correct forum and for that I apologize. I have been searching Cisco's website for the past 5 hours with no luck. I need to know how I can gain access to a Cisco ONS 15454 with TCC+ running software rev 2.2.1. If anyone knows how to accomplish this please e-mail me off list. I have physical access to the unit; I can access it via Telnet, TL1 or CTC (web). The node isn't in service now so I can power cycle it if needed. I need to get this into service tomorrow and I have exhausted all of my ideas on where to look for the information. Ideally I would like to reset the CISCO15 password to the default ('') without deleting the database.

Thanks

-Matt
Re: On the back of other 'security' posts....
> As I've said many times (so have a few others, more now than before) you have to define the 'edge' first... My definition is: as close to the end system as possible. For instance the LAN segment seems like the ideal place, it's where there is the most CPU per packet, with the most simple routing config and most predictable traffic patterns/requirements.

The 'edge' is the last piece of equipment on your network. It is what connects you to your customer and what connects you to your upstreams. Every ISP should put anti-spoofing filters on ALL edge interfaces. My entire customer edge (dialup, ISDN, DSL, T1, FR, ATM, wireless, colo) is defined in LDAP/RADIUS. When a session is established my edge equipment configures itself over RADIUS. It isn't hard to use that information to build a customer specific filter for the session. For example, every dialup (PPP) or DSL (PPPoE) session should have a filter which *only* allows packets sourced from the customer IP in. It should also deny packets coming from the customer out to the customer. It is pretty simple to do this but you do need to maintain proper customer records. Your customer edge is his equipment and they should also put anti-spoof filters in line. Security is not a single point on a map. Security must be established on every interface.

Most people say that you can't filter an OC-48 at line speeds, or that it will increase the latency too much. If filtering increases latency by 5% but decreases junk traffic by 20% don't you think you and the network are better off? For true redundancy for dual-homed sites the links shouldn't be running above 40% capacity anyway. If your router can't filter at 40% line speed you need another router. I know in the core it gets much more complex but when I connected my Verio link I had to make sure all of my IRR entries were correct. They already filter my BGP prefixes; I would assume they filter my IP as well. I know I filter my outbound to make sure it is only coming from me.

> such packets from ever getting past their edge routers. If edge filtering isn't considered a reasonably simple thing to do, I'd like to hear the reasons why.

It's not tough, you just have to define the edge in the right way. The edge is everywhere and the more specific you get the more specific your filters can be. In the core you can't be very specific. We have a bunch of routes that we announce (/16, 2 x /21, 3 x /24). It wouldn't be hard for my upstreams to filter my traffic. I already have to notify them (via IRR) when I have a new announcement. They can update my filter when they update the prefix-list.

-Matt
Re: Fun new policy at AOL
> I travel around. I read my email by POP3/IMAP, I use local ISP's SMTP server for outgoing - surely that means I can't use my own domain for email?

Your ISP should support SMTP_AUTH with TLS for you. You would continue to use their mail servers no matter where you are or how you are connected to the Internet.

-Matt

> Simon
> -- Simon Lockhart | Tel: +44 (0)1628 407720 (x37720) | Si fractum Technology Manager | Fax: +44 (0)1628 407701 (x37701) | non sit, noli BBC Internet Operations | Email: [EMAIL PROTECTED]| id reficere BBC Technology, Maiden House, Vanwall Road, Maidenhead. SL6 4UB. UK
Re: Fun new policy at AOL
>> You switch service provider or give them a whack with the cluebat.
>
> And if the service provider is your employer/educational institution? You quit your job? Drop out of school? Swallow your pride and suffer with webmail?

Spend $19.95 getting a dialup account from an ISP with a clue and use their mail servers. If employed, charge the $20/month on your expense report.
Re: Fun new policy at AOL
> You seem to be misunderstanding the issue. Let's say you work at someplace.edu. You want to send mail from home. With the SPF-type schemes being discussed, your mail MUST come from someplace.edu's server. If someplace.edu won't set up an SMTP AUTH relay, what do you do? Your dialup account will let you use the dialup ISP's mail server... But your mail will get bounced because it's not something from someplace.edu. Hence, if no SMTP AUTH relay, you're screwed.

Port forward 127.0.0.1:25 through to someplace.edu:25 using SSH. Or VPN. Or ... More than one way to skin this cat.

-matt
Re: Max TNT ping thing
On Wednesday, August 27, 2003, at 11:10 PM, Edward Murphy wrote:

> Is anyone having this problem on a unit with the mad-2 cards?

We are not experiencing the reboots/lock ups on our APX 8000. We are using the Ethernet card with the dongle, E-100-V I think. We are using the Channelized DS-3 card. We are using 96 port madd2 modem cards (5 modem cards, 480 modems). Our APX is not even close to 25% capacity.

admin show
Controller { left-controller } ( PRIMARY ):
Reqd Oper Slot Type
{ right-controller } UPUP ( SECONDARY )
{ shelf-1 slot-34 0 }UPUP madd2-card
{ shelf-1 slot-35 0 }UPUP madd2-card
{ shelf-1 slot-36 0 }UPUP madd2-card
{ shelf-1 slot-37 0 }UPUP madd2-card
{ shelf-1 slot-38 0 }UPUP madd2-card
{ shelf-1 slot-39 0 }UPUP t3-card
{ shelf-1 slot-40 0 }UPUP ether3-card

admin admin list
[in SLOT-INFO/{ shelf-1 slot-39 0 }]
slot-address* = { shelf-1 slot-39 0 }
serial-number = 1038406179
software-version = 10.0
software-revision = 2
software-level =
hardware-level = K
software-release =

admin read slot-info {1 40 }
SLOT-INFO/{ shelf-1 slot-40 0 } read

admin list
[in SLOT-INFO/{ shelf-1 slot-40 0 }]
slot-address* = { shelf-1 slot-40 0 }
serial-number = 10516825
software-version = 10.0
software-revision = 2
software-level =
hardware-level = C
software-release =

admin ls
ls
Flash card 1:
/:
current/0 Fri Sep 29 11:36:36 2000
/current:
tntt3.ffs 416034 Mon Dec 16 19:47:20 2002 Version 10.0.2
tntmadd.ffs 1726366 Mon Dec 16 19:51:10 2002 Version 10.0.2
tntenet3.ffs 446882 Mon Dec 16 19:48:22 2002 Version 10.0.2
apxsr.ffs 3031819 Mon Dec 16 19:46:34 2002 Version 10.0.2
Re: Fun new policy at AOL
> In article [EMAIL PROTECTED], Richard Cox [EMAIL PROTECTED] writes
>
>> We can thank the usual suspects - Cogent, Qwest, ATT, Comcast - and in Europe: BT, NTL and possibly the world-abuse-leader, Deutsche Telekom (who run dtag.de and t-dialin.net) for this being the situation.
>
> Here's another tale of undeliverable email. It seems that [at least] one of those organisations you mention assigns IP addresses for its ADSL customers from the same blocks as dial-up. Which means that organisations using MAPS-DUL reject email from teleworkers (or indeed people running businesses with an ADSL connection) who run their own SMTP servers.
>
> -- Roland Perry

Shouldn't customers that purchase IP services from an ISP use the ISP's mail server as a smart host for outbound mail? We block outbound port 25 connections on our dialup and DSL pool. We ask our customers that have their own mail servers to configure them to forward through our mail servers. We get SPAM/abuse notifications that way and can kick the customer off the network. We also block inbound port 25 connections unless they are coming from our mail server and require the customer to set up their MX record to forward through our mail server. We virus scan all mail coming and going that way. We protect our customers from the network and our network from our customers. We are currently blocking over 3k Sobigs/hour on our mail servers. I would rather have that than all my bandwidth eaten up by Sobig on all of my dialup/DSL connections.

SMTP and DNS should be run through the servers provided by the ISP for that exact purpose. There is no valid reason for a dialup customer to go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP).

-Matt
Re: Fun new policy at AOL
On Thursday, August 28, 2003, at 11:07 AM, Joel Jaeggli wrote:

> On Thu, 28 Aug 2003, Matthew Crocker wrote:
>
>> Shouldn't customers that purchase IP services from an ISP use the ISP's mail server as a smart host for outbound mail?
>
> applying that standard just how large do you have to get before you graduate to running your own smtp server. I'm sorry we won't accept mail from you because you're not an lir?

If a larger corporation shows that they have a clue we remove the filters. If we start getting virus/spam notifications again we re-enable the filter. We are either primary or backup MX for all of our customers. We can implement a port 25 inbound filter on a customer and their inbound mail is unaffected. We can then contact the customer and work with them to fix their broken mail server and remove the filter. We make the determination based on skill level of the customer, not their size.

How does this sound for a new mail distribution network? Customers can only send mail through their direct provider. ISPs can only send mail to their customers and their upstream provider. They purchase the ability to send mail to the upstream as part of their bandwidth. ISPs can contact and work out other direct mail routing arrangements between themselves. For example, ISP A could send directly to ISP B if there is a large amount of A - B mail. Both ISPs have to agree. ISPs form a trusted ring of mail servers for direct connection. All others get shipped upstream to the next available mail server. All mail servers are known, logged and can be kicked off the network by the upstream provider. A central core of distributed mail servers gets built by each backbone ISP. The backbone ISPs peer with one another (trust each other's mail). Backbone ISPs accept mail from their customers and can block that mail if their customer doesn't have a clue. Everything is logged, everything is validated. Setting up a mail server involves more than getting a static IP and setting up an MX record.

SPAM is eliminated because it can't enter the trust ring unless it goes through an ISP. That ISP can be kicked off if they allow spammers. Viruses are managed because they can be tracked back to their origin; block at the core. Virus protection could also be made a requirement for entering the trusted mail ring. Mail servers are set to deny all mail by default, opening up connections from trusted hosts as you build trust relationships. Contact information needs to be maintained. I can't get into Sprint's trust ring unless I can contact them. This can be phased into service by setting up trusted and untrusted mail servers. All mail entering untrusted mail servers has a higher spam score and cannot be forwarded outside the local network. Trusted mail (i.e. from customers) can be forwarded upstream to other trusted/non-trusted mail servers.

-Matt
Re: Fun new policy at AOL
On Thursday, August 28, 2003, at 11:31 AM, Petri Helenius wrote:

> Matthew Crocker wrote:
>
>> SMTP and DNS should be run through the servers provided by the ISP for that exact purpose. There is no valid reason for a dialup customer to go direct to root-servers.net and there is no reason why a dialup user should be sending mail directly to AOL, or any mail server for that matter (besides their host ISP)
>
> ...and there is no reason for a dialup customer to have direct access to any other port either, they'll just use the www-proxy and other ALG services from the ISP? This is a self-solving problem.

Technically, no. There is no reason for a customer to have direct access to the net so long as the ISP can provide appropriate proxies for the services required. It gets complex, it gets hard to manage, but it can be done. There is a stigma against proxying because of the early days when stale content was all over the place. Does a dynamically assigned dialup/DSL user even need a valid routable IP? For games? Maybe games should be more NAT friendly. We do remove the filters for customers that have a valid need and show that they have a clue, and it all works.

-Matt
Re: Fun new policy at AOL
> This brings up a more general point about the dangers of blocking everything under the sun. When you limit yourself to just a few chokepoints, it's easier for those who would stifle communications to shut things down. This is a very dangerous path to take. Not that we shouldn't consider some sort of port restrictions to stop spam, but there are undesirable long term effects that need to be considered. Those on the dark side will be considering them, you may be sure, while licking their chops.

It can be built without choke points. ISPs could form trust relationships with each other and bypass the central mail relay. AOL for example could require ISPs to meet certain criteria before they are allowed direct connections. ISPs would need to contact AOL, provide valid contact info and accept some sort of AUP (I shall not spam AOL...) and then be allowed to connect from their IPs. AOL could kick that mail server off later if they determine they are spamming.

-Matt
Re: Fun new policy at AOL
>> Shouldn't customers that purchase IP services from an ISP use the ISP's mail server as a smart host for outbound mail?
>
> Shouldn't. There are privacy implications of having mail recorded (even temporarily) on someone's disk drive.

If your ISP violates your privacy or has a privacy policy you don't like, find another one. If your ISP doesn't allow your domain through, or attachments of a certain size or quantity of RCPT TOs, find another one. If the ISP is too restrictive so you can't do what you want, find another one. If the ISP isn't restrictive and your IP gets black holed because of another customer, find another one. The market will decide what is acceptable.

I filter a chunk of stuff for my users. It is a service to help protect them as well as me. If they ask for it and appear to have a clue I will remove filters for customers. I'll never force them to do it 'my way or the highway' but by default customers are filtered. 99% of them are happy that I am doing it and think it is a good thing. 1% call and I remove the filters. Simple RADIUS update and they are back to full, unfiltered Internet. I do this on all my dialup, DSL, dedicated circuits. Everything is built from either LDAP or RADIUS (which comes from LDAP anyway) information about the customer. Pull down menu to select/deselect a filter and reconnect. It isn't all that hard and for 99% of my customers I am saving myself a ton of work in the long run. I'm not huge by any stretch of the imagination but I'm pretty good sized for my area. I think my current network design/management could easily scale to the 100's of thousands and/or millions of customers. I'm in the 10's of thousands now.

-Matt
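Three of the replies above describe one mechanism from different angles: the RADIUS-built per-session anti-spoof filter in the edge-filtering thread (only packets sourced from the customer's own addresses come in, and the customer's addresses never arrive from the network side), the port 25 policy in this thread (outbound mail only via the ISP smart host, inbound 25 only from it), and the per-customer flag that a RADIUS update flips to remove the filters. As an added example, not code from the list or from Crocker's network, here is a model of that filter builder plus a first-match evaluator; the session records, attribute names and addresses are constructed.

```python
import ipaddress
from collections import namedtuple

# Constructed session records standing in for what the LDAP/RADIUS back end hands the
# edge when a session comes up. Field names are assumptions for this example, not real
# RADIUS attributes; all addresses are documentation ranges.
SESSIONS = {
    "alice@dialup": {"prefix": "198.51.100.17/32", "filtered": True},
    "bob@dsl":      {"prefix": "203.0.113.8/29",   "filtered": True},   # routed /29 behind a NAT box
    "carol@t1":     {"prefix": "192.0.2.0/24",     "filtered": False},  # filters removed by RADIUS update
}
# The ISP smart host (constructed): customers relay outbound mail through it and
# inbound port 25 may only arrive from it.
ISP_MAIL_SERVERS = [ipaddress.ip_network("198.51.100.250/32")]
ANY = ipaddress.ip_network("0.0.0.0/0")

# direction "in" = customer -> network, "out" = network -> customer
Rule = namedtuple("Rule", "direction action src dst proto dport")
Packet = namedtuple("Packet", "src dst proto dport", defaults=("tcp", None))


def build_session_rules(session):
    """Build the per-session filter the edge installs from the customer record.

    An unfiltered session gets an empty rule set, which evaluate() treats as
    permit-all. Everything else gets a first-match list implementing:
      1. anti-spoof: only the customer's own addresses may enter from the customer side;
      2. reverse anti-spoof: the customer's addresses must never arrive from the network side;
      3. SMTP: outbound port 25 only to the ISP mail servers, inbound port 25 only from them.
    """
    if not session["filtered"]:
        return []
    cust = ipaddress.ip_network(session["prefix"])
    rules = []
    for ms in ISP_MAIL_SERVERS:
        rules.append(Rule("in", "permit", cust, ms, "tcp", 25))
    rules.append(Rule("in", "deny", cust, ANY, "tcp", 25))      # direct-to-MX mail (worm/spam path)
    rules.append(Rule("in", "permit", cust, ANY, "any", None))
    rules.append(Rule("in", "deny", ANY, ANY, "any", None))     # anything not sourced by the customer
    rules.append(Rule("out", "deny", cust, ANY, "any", None))   # customer's own address from outside
    for ms in ISP_MAIL_SERVERS:
        rules.append(Rule("out", "permit", ms, cust, "tcp", 25))
    rules.append(Rule("out", "deny", ANY, cust, "tcp", 25))     # customer MX must relay through us
    rules.append(Rule("out", "permit", ANY, ANY, "any", None))
    return rules


def evaluate(rules, direction, pkt):
    """First-match evaluation; returns True when the packet is permitted."""
    if not rules:
        return True  # unfiltered session
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if r.direction != direction:
            continue
        if src not in r.src or dst not in r.dst:
            continue
        if r.proto != "any" and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action == "permit"
    return False  # implicit deny should a filtered session lack a catch-all


def render(rules):
    """Human-readable dump of a rule set, one line per rule."""
    return [f"{r.direction:3} {r.action:6} {r.proto:3} {r.src} -> {r.dst}"
            + (f" dport {r.dport}" if r.dport is not None else "") for r in rules]


if __name__ == "__main__":
    for name, session in SESSIONS.items():
        print(f"== {name}")
        print("\n".join(render(build_session_rules(session))) or "(unfiltered)")
```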
Re: Max TNT ping thing
On Wednesday, August 27, 2003, at 12:46 PM, Ejay Hire wrote:

> Here is a summary of our experiences with the bug. Last Thursday, a TNT with years of uptime rebooted. No cause was apparent, and nothing relevant happened in the logs. On Friday, it happened to a different TNT. This occurred with increasing frequency over the weekend, and we didn't get a lot of sleep. We tried using a filter in the TNT to block port 135 to no avail, and then tried a filter to block ICMP in the TNT, also to no avail. Next, we removed the TNT filters and tried rate-limiting ICMP to the TNTs. That didn't work. Next we removed the rate-limit and applied the Cisco-supplied anti-Nachi route-map to the upstream interfaces facing the TNTs. This significantly reduced the problem, but we were still rebooting every 12 hours or so. Disabling route-caching on the TNT stopped the rebooting problem, but we were seeing 40% packet loss on one of the TNTs. (Note, both TNTs have a DS-3 of PRIs, and use the TNT-SL-E10-100 four port Ethernet cards.) The packet loss was only affecting one TNT, and we discovered that it was running 9.0.6 while the unaffected box was running 9.0.9. Upgrading the box to 9.0.9 fixed the packet loss issue. We are currently up and haven't had any blips in 24 hours. (knock on wood.)

We have a Lucent APX 8000 which is essentially a TNT on steroids. We have not experienced any of the issues. We are running TAOS 10.0.2.

-Matt