Re: An Attempt at Economically Rational Pricing: Time Warner Trial
On Sun, Jan 20, 2008 at 03:02:15PM -0500, Alex Rubenstein wrote:
> > As long as the companies convince people that the cap is large enough to be essentially the same as unmetered then most people won't care and will take the savings.
>
> I don't agree. When we sold boatloads of dialup in the mid to late 90's, people did not like caps, no matter how high they were. We sold a product early on for $20/month which gave you 240 hours/month -- that was an average of 8 hours/day. However, most users never used more than 20 to 30 minutes a day -- but we often got told they were moving to other providers because they were 'unlimited.' So, we adapted.
>
> In any event, I've been watching this thread, and I'd have to say that going down the road of metered pricing will only cause other providers not to do this, and then market against TW. In fact, I'd bet on it.
>
> Am I the only one here who thinks that the major portion of the cost of having a customer is *not* the bandwidth they use?

If we define customer to be an average user of the provided service, and bandwidth to be transit pipe cost, then no, bandwidth is not the major cost of their service. However, if you're advertising an 'unlimited' service and want to keep your promises, you can't plan your network around the average user -- there will be people who will want to hold you to your 'unlimited' promise. If you also call 'bandwidth cost' to include all the infrastructure costs required to provide that unlimited service, then yes, bandwidth cost would be a pretty major part of that customer's cost. (My point of view is Australia rather than the US, but I don't think 14Mbps of dedicated transit is $50/month even in the US).

- Matt
Re: Using Mobile Phone email addys for monitoring
On Thu, Sep 06, 2007 at 01:46:18PM -0700, Rick Kunkel wrote:
> For instance, if an application fails to contact a certain service on a certain server, it sends an email (through its own SMTP service, to avoid a chicken-and-egg prob if/when our main SMTP service fails) to
[...]
> Is SMTP to a mobile phone a fundamentally flawed way to do this? Anyone else have any issues, past or present, with this kind of thing?

Consider what other points of failure there are for your notification e-mails, other than your main SMTP server. I've got:

* Failure of your Internet link
* DNS failure at your end
* SMTP failure at the other end
* Failure of *their* Internet link
* Some sort of SMTP blacklisting at their end

There's probably some I've missed there, too. Notification of outages needs to be as robust as possible, and SMTP to an off-site location is about as fragile as they come these days. The only thing I spec for SMS notifications is a GSM modem physically connected to the monitoring box. There's still points of failure, but they're a lot fewer than SMTP to some third party.

True paranoids (as we all should be) monitor their monitoring box, and it might be permissible to use an SMTP to SMS gateway for that monitoring, as long as you're monitoring all the appropriate things so that wide-scale failures (such as power loss) still get to you via your GSM modem (mmm, local UPSen).

- Matt
Professional Paranoid
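The directly-attached GSM modem path recommended above, as an added example that is not part of the original thread: a Python driver for the standard GSM text-mode AT command exchange (AT, AT+CMGF=1, AT+CMGS="<number>", message body terminated by Ctrl-Z, +CMGS reply with the message reference). The modem is a FakeModem stand-in for the serial port so the exchange runs offline; its reply lines, the phone number and the alert text are constructed. On a real monitoring box the port object would be a serial handle to the modem, which is an assumption about deployment, not something the post specifies.

```python
"""Text-mode SMS submission over a GSM modem's AT command interface.

Added example, not from the original post. FakeModem stands in for the
serial port on the monitoring box so the exchange runs offline; its reply
lines are constructed to match the standard GSM 07.05 / 3GPP 27.005
text-mode dialogue. Phone number and alert text are made up.
"""
import re

CTRL_Z = "\x1a"   # terminates the message body in AT+CMGS
ESC = "\x1b"      # cancels a pending AT+CMGS


class SmsError(Exception):
    """The modem answered with an error or stopped answering."""


class FakeModem:
    """Minimal stand-in for a serial port attached to a GSM modem."""

    def __init__(self, fail_with=None):
        self.log = []          # every command string the monitor sent
        self._pending = []     # reply lines queued for readline()
        self._fail_with = fail_with   # e.g. "+CMS ERROR: 500" to simulate a network reject
        self._awaiting_body = False
        self._ref = 0          # message reference counter, as a modem keeps it

    def write(self, data):
        self.log.append(data)
        if self._awaiting_body:
            self._awaiting_body = False
            if not data.endswith(CTRL_Z):
                self._pending.append("ERROR")
            elif self._fail_with:
                self._pending.append(self._fail_with)
            else:
                self._ref += 1
                self._pending += [f"+CMGS: {self._ref}", "OK"]
            return
        cmd = data.strip()
        if cmd in ("AT", "AT+CMGF=1"):
            self._pending.append("OK")
        elif cmd.startswith('AT+CMGS="'):
            self._awaiting_body = True
            self._pending.append("> ")
        else:
            self._pending.append("ERROR")

    def readline(self):
        return self._pending.pop(0) if self._pending else ""


def _expect(port, *final_prefixes, max_lines=8):
    """Read reply lines until one starts with a final result code.

    Returns every line read; raises SmsError on ERROR / +CMS ERROR or if the
    modem falls silent (a dead modem must not hang the monitoring box).
    """
    lines = []
    for _ in range(max_lines):
        line = port.readline()
        lines.append(line)
        if line.startswith("ERROR") or line.startswith("+CMS ERROR"):
            raise SmsError(f"modem returned {line!r}")
        if any(line.startswith(p) for p in final_prefixes):
            return lines
    raise SmsError("no final result code from modem")


def send_sms(port, number, text):
    """Send `text` to E.164 `number` in text mode; return the +CMGS reference."""
    if not re.fullmatch(r"\+\d{6,15}", number):
        raise ValueError("number must be E.164, e.g. +61400000000")
    # The GSM default alphabet is not ASCII for every character, so keep
    # alert text to plain printable ASCII and within a single 160-char SMS.
    if len(text) > 160 or not text.isascii() or not text.isprintable():
        raise ValueError("text mode here: printable ASCII, at most 160 characters")
    if CTRL_Z in text or ESC in text:
        raise ValueError("Ctrl-Z/ESC in the body would end or cancel the message")
    port.write("AT\r")                       # is anything listening?
    _expect(port, "OK")
    port.write("AT+CMGF=1\r")                # text mode rather than PDU mode
    _expect(port, "OK")
    port.write(f'AT+CMGS="{number}"\r')      # modem answers with a "> " prompt
    _expect(port, "> ")
    port.write(text + CTRL_Z)                # body; Ctrl-Z submits it
    for line in _expect(port, "OK"):
        m = re.match(r"\+CMGS:\s*(\d+)", line)
        if m:
            return int(m.group(1))
    raise SmsError("modem said OK but gave no +CMGS message reference")


if __name__ == "__main__":
    modem = FakeModem()
    ref = send_sms(modem, "+61400000000", "db1: service check FAILED")
    print("sent, message reference", ref)
    print("\n".join(repr(c) for c in modem.log))
```

Once this returns a message reference, the remaining dependencies are the modem, its SIM and the carrier, which is the shorter list the post is arguing for; the silent-modem timeout in _expect is there because the one thing worse than a lost alert is a monitoring daemon blocked forever on a dead serial line.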
Re: Using Mobile Phone email addys for monitoring
On Thu, Sep 06, 2007 at 02:22:10PM -0700, matthew zeier wrote:
> Ken Simpson wrote:
> > It's more effective to spend the money on SMS messages. Mobile providers are forced to use very aggressive anti spam measures, which can add significant delays in message delivery.
>
> Recommendations on software and modems?

We use Intercel modems with the bog-stock smstools package, and it works fine.

- Matt
Re: Network Level Content Blocking (UK)
On Thu, Jun 07, 2007 at 04:01:54PM +, Chris L. Morrow wrote:
> On Thu, 7 Jun 2007, Alexander Harrowell wrote:
> > I strongly recommend you read Richard Clayton's paper on how (among other things) one could hack the Cleanfeed system to *find* the really bad stuff. He and his colleagues at the Cambridge Computer Lab also
>
> yup, read it, which was part of the reason for the note I sent... these sorts of blocking mechanisms don't seem to achieve the goals expected, and even in many cases make the goals of the 'icky pict' crowd more achievable :(

"If a politician fixes a problem then he loses it as a campaign issue. But if he makes the problem worse while heroically fighting against it, then he's golden." -- Rex Tincher

- Matt
Re: Security gain from NAT: Top 5
On Wed, Jun 06, 2007 at 08:49:21PM -0700, Roger Marquis wrote:
> Problem is that NAT will not go away or even become less common in IPv6 networks for a number of reasons.
>
> #1 NAT advantage: it protects consumers from vendor lock-in. Consider the advantage of globally unique public addressing to ISPs and telcos. Without NAT they have a very effective vendor lock-in. Want to change ISPs? It's only as easy as reconfiguring every device and/or DHCP server on your internal network. With NAT you only need to reconfigure a single device, sometimes not even that.

Isn't this the problem that router advertisements are meant to solve? Do you have operational experience which suggests that they aren't a sufficient solution?

> #2 NAT advantage: it protects consumers from add-on fees for addresses space. Given the 100 to 10,000% mark-ups many telcos and ISPs already charge for more than a /29 it should come as no surprise they would be opposed to NAT.

I was under the impression that each end-user of an IPv6 ISP got a /64 assigned to them when they connected.

> #3 NAT advantage: it prevents upstreams from limiting consumers' internal address space. Even after full implementation of IPv6 the trend of technology will continue to require more address space. Businesses will continue to grow and households will continue to acquire new IP-enabled devices. Without NAT consumers will be forced to request new netblocks from their upstream, often resulting in non-contiguous networks. Not surprisingly, often incurring additional fees as well.

By my calculations, the /64 of address space given to each connection will provide about 18446744073709551616 addresses. Is that an insufficient quantity for the average user of an ISP?

> #4 NAT advantage: it requires new protocols to adhere to the ISO seven layer model. H.323, SIP and other badly designed protocols embed the local address in the data portion of IP packets. This trend is somewhat discouraged by the layer-isolation requirements of NAT.

NAT doesn't seem to have stopped the designers of these protocols from actually deploying their designs, though.

> #5 NAT advantage: it does not require replacement security measures to protect against netscans, portscans, broadcasts (particularly microsoft's netbios), and other malicious inbound traffic. The vendors of non-NAT devices would love to have you believe that their stateful inspection and filtering is a good substitute for the inspection and filtering required by NAT devices. Problem is the non-NAT devices all cost more, many are less secure in their default configurations, and the larger rulesets they are almost always configured with are less secure than the equivalent NAT device.

Haven't we already had this thread killed by the mailing list team today?

- Matt
--
If only more employers realized that people join companies, but leave bosses. A boss should be an insulator, not a conductor or an amplifier. -- Geoff Kinnel, in the Monastery
Re: Cacti 0.8.6j Released (fwd)
On Tue, May 08, 2007 at 08:10:56PM -0700, matthew zeier wrote:
> > > and more to the point how the whole shebang (I'm using net-snmpd) is typically used.
> >
> > Agent on device provides values, management app(s) collect data by polling (and possibly via traps), sysadmin gets to go home on time for once.
>
> I have yet to see this work in practice however.

Yeah, I misread 'typically' as 'theoretically'. Practical experience is more like: Agent on device lies about its values, management apps collect lies (and ignore/lose traps), and the sysadmin has yet more software to swear at. *grin*

- Matt
--
I'm seriously considering getting one of those bright-orange prison overalls and stencilling PASSENGER on the back. Along with the paper slippers, I ought to be able to walk right through security. Not. -- Brian Kantor, in the Monastery
Re: Cable-Tying with Waxed Twine
On Wed, Jan 24, 2007 at 07:30:06PM -0500, Dan Mahoney, System Admin wrote:
> Upon leaving a router at telx and asking one of their techs to plug in the equipment for me, I came back to find all my cat5 cables neatly tied with some sort of waxed twine, using an interesting looping knot pattern that repeated every six inches or so using a single piece of string. For some reason, I found this trick really cool. I have tried googling for the method, (it's apparently standard, I've seen it in play elsewhere), and for the type of twine, but had little luck. I was wondering if any of the gurus out there would care to share what this knot-pattern is actually called, and/or if there's a (illustrated) howto somewhere?

From your description, it sounds like you might be describing a series of half hitches. I don't know if it has a more specific title than that. If you wanted to create it on (say) a vertical bundle, you just pass the line around the back of the bundle then put the working end between the line and the bundle, and tighten by pulling away from the knots you've already tied. Repeat this over and over up (or down) the bundle to get your nice pattern happening.

A benefit of this knot is that if you pull the working end towards the knots you've already tied, the knot will slide back, so you can tie each knot quickly then pull it back to the right position, so you get a nice even run of loops.

You'll need to secure each end of the line with something that can stand tension at a sharp angle. A quick examination of pikiwedia's knots list suggests something like an icicle hitch or rolling hitch, but they might be a bit tricky to tie in tight spaces. I've just tried two half hitches on a broomstick and it doesn't hold too badly, but I wouldn't guarantee it'll be safe long term.

As to the line to use, I'd imagine that an office supplies store would probably have a range of possibilities.

- Matt
--
I have a cat, so I know that when she digs her very sharp claws into my chest or stomach it's really a sign of affection, but I don't see any reason for programming languages to show affection with pain. -- Erik Naggum, comp.lang.lisp
Why is RFC1918 space in public DNS evil?
I've been directed to put all of the internal hosts and such into the public DNS zone for a client. My typical policy is to have a subdomain of the zone served internally, and leave only the publicly-reachable hosts in the public zone. But this client, having a large number of hosts on RFC1918 space and a VPN for external people to get to it, is pushing against this somewhat. Their reasoning is that there's no guarantee that forwarding DNS down the VPN will work nicely, and it's overhead.

I know the common wisdom is that putting 192.168 addresses in a public zonefile is right up there with kicking babies who have just had their candy stolen, but I'm really struggling to come up with anything more authoritative than "just because, now eat your Brussels sprouts". My Google-fu isn't working, and none of the reasons I can come up with myself sound particularly convincing. Can someone give a lucid technical explanation, or a link, that explains it to me so I can explain it to Those In Power?

Thanks,
- Matt
Re: Open Source NMS Software
On Sat, Jul 22, 2006 at 12:16:28PM -0400, Gary T. Giesen wrote:
> I'm looking at deploying an open source-based NMS solution, and I'm

Define what you want in your NMS -- not even the vendors can manage to agree on a meaning.

> looking at a couple products, mostly OpenNMS (http://www.opennms.org)

'What is OpenNMS' makes it sound like Nagios and nothing more. They also insist on mentioning enterprise-grade and open source before listing features, which suggests their priorities might be a bit bass-ackwards.

> and Zenoss (http://www.zenoss.org). I like the looks of Zenoss, but

It's written in Zope, and depends on half the Python world besides. I have a severe allergic reaction to anything involving Zope, since it's a mammoth pile of incomprehensible Python that only seems to produce shite that nobody wants to maintain (cf. Plone -- offlist if you want the full story on that).

> Even better would be someone who's used both products and could give me a quick comparison. I'd also welcome suggestions of another product (as long as it's not bb, nagios, or hobbit) that I should be looking at.

Honestly, I find it hard to go past the combination of Nagios and Cacti. Perhaps that's just familiarity blinding me to the worst excesses of Nagios (although I can give you the hit list of what's horribly wrong with it); normally by the time I've worked around the warts of whatever's being pushed as an alternative, it would have been less effort just to stick with what I know and tolerate.

If you can identify what it is you can't stand about Nagios, and what features, exactly, you're looking for in your NMS, somebody can no doubt point you in the direction of your perfect dream-tool.

- Matt
--
And Jesus said unto them, "And whom do you say that I am?" They replied, "You are the eschatological manifestation of the ground of our being, the ontological foundation of the context of our very selfhood revealed." And Jesus replied, "What?" -- Seen on the 'net
Re: OT: Xen
On Mon, Apr 03, 2006 at 12:05:25PM -0700, Eric Frazier wrote:
> machine for stuff I know could lead to problems like that. But that brings up another question, how far isolated are different instances from each other really?

Fairly well -- a lot better than (eg) vservers, and almost certainly better than UMLs. To get into the host, you'd need to subvert one of the backend drivers via the guest in such a way that you got the ability to run some sort of subversive command in the host. The possibility of a DoS (crash) is much higher than a take-over compromise, but even then it's not something I'd be inclined to worry about deeply.

- Matt
Re: OT: Xen
On Mon, Apr 03, 2006 at 08:50:51AM -0700, Eric Frazier wrote:
> Xen can be. So one thing I am wondering, with Zones you can setup a new instance that is a copy of another pretty much instantly. Does Xen offer the same thing? Or do you still have to go through an install process for example? I am esp wondering about this with something like XP..

Xen itself: no. But LVM is a wonderful thing.

- Matt
Re: optics pricing (Re: Weird GigE Media Converter Behavior)
On Tue, Aug 31, 2004 at 07:17:22AM +1200, Simon Lyall wrote:
> On Mon, 30 Aug 2004, Mark Borchers wrote:
> > Peter Galbavy wrote:
> > > On the other hand, the use of patent licenses (like those that say free if you don't claim against us) for things like VRRP do worry me.
> >
> > Everybody's entitled to their opinion, but this excerpt from http://www.ietf.org/ietf/IPR//VRRP-CISCO does not seem to me to portend predatory pricing:
>
> However it does make an open source (and certainly a free) implementation very difficult to do. A license of $1000 per machine is reasonable and nondiscriminatory terms for $100k routers but not for a something that I want to download and run on a few Linux boxes.

In that case the $1000/machine licence discriminates against OSS implementations, and isn't reasonable and nondiscriminatory. *grin*

- Matt
Re: AOL fixing Microsoft default settings
On Fri, 24 Oct 2003, Sean Donelan wrote:
> b. Disable file/printer sharing

That roots MSDE, and it's not an even vaguely obvious connection between the two. That's one of the problems with fiddling with Windows - screwing with one thing often breaks something apparently totally unrelated.

--
---
#include disclaimer.h
Matthew Palmer, Geek In Residence
http://ieee.uow.edu.au/~mjp16
Re: NANOG 29 hotels
On Fri, 3 Oct 2003, Stephen J. Wilcox wrote:
> I have a twin room in the Marriott 18th-22nd (no ARIN), and am happy to share for half the cost with anyone who knows me.

Do they have to know you *before* you share the room? Because they certainly will afterwards, but you didn't specify prior knowledge... *grin*

- Matt
Re: What do you want your ISP to block today?
On Fri, 29 Aug 2003, Sean Donelan wrote:
> Which Microsoft protocols should ISPs break today? Microsoft Exchange? Microsoft file sharing? Microsoft Plug Play? Microsoft SQL/MSDE? Microsoft IIS?

All of the above. *g*

> "He added that ISPs have the view and ability to prevent en-masse attacks. All these attacks traverse their networks before they reach you and me. If they would simply stop attack traffic that has been identified and accepted as such, we'd all sleep better," Cooper said.

Bwahahaha. Ghod I love a good comedian. Having recently pulped my head against the wall of a network provider too clueless to provision decent IP connectivity, the last thing I want is to have the ISP unilaterally decide what they're going to do with my packets.

--
---
#include disclaimer.h
Matthew Palmer, Geek In Residence
http://ieee.uow.edu.au/~mjp16
Re: What if it doesn't affect the ISP? (was Re: What do you wantyour ISP to block today?)
On Sat, 30 Aug 2003, Sean Donelan wrote:
> The recurring theme is: I don't want my ISP to block anything I do, but ISPs should block other people from doing things I don't think they should do.

That's about my position, I guess. *g*

There's a difference between naively blocking ports or screwing with packets, though, and blocking known dodgy behaviour (spoofed source addresses, for one). Yes, port 135 is a known vector, and so is now, but they have their legitimate uses. If you have evidence that someone is doing something dodgy with them, then you should shut them down. But spanking everyone because some people can't/won't take responsibility for their systems reeks of schoolroom justice ("We're all going to sit here until the guilty party owns up").

> So how long is reasonable for an ISP to give a customer to fix an infected computer; when you have cases like Slammer where it takes only a few minutes to infect the entire Internet? Do you wait 72 hours? or until the next business day? or block the traffic immediately?

Immediately. The ISP is, IMO, responsible for the traffic of those they connect to the Internet. Maybe I'm just showing my old-fashioned values there, though.

> Or some major ISPs seem to have the practice of letting the infected computers continue attacking as long as it doesn't hurt their network.

Welcome to my null0, O provider of loose morals.

--
---
#include disclaimer.h
Matthew Palmer, Geek In Residence
http://ieee.uow.edu.au/~mjp16
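The one kind of blocking the reply above endorses without reservation, dropping traffic with spoofed source addresses at the customer edge (the ingress filtering BCP38 describes), as an added example that is not part of the original thread: a Python source-address validation pass over flow records. The customer port names, their prefixes and the records are constructed for the example, and the one-line "port src dst proto dport" record format is made up here, not any router's export format; the check is IPv4 only.

```python
"""Source-address validation on customer-facing ports: flag packets whose
source is not one the customer is entitled to send (the "spoofed source
addresses" case), plus sources that are never valid on the Internet.

Added example, not from the original thread. Customer port names, their
prefixes and the flow records are constructed; the record format
("port src dst proto dport", one per line) is made up for this example,
not any router's export format. IPv4 only.
"""
import ipaddress
from collections import Counter

# Prefixes each customer port may source traffic from (constructed).
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25")],
}

# Sources that should never arrive on an Internet-facing port: "this
# network", RFC1918, loopback, link-local, multicast and reserved space.
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def classify_source(port, src):
    """Return 'ok', 'bogon' or 'spoofed' for a packet arriving on `port` from `src`.

    A port with no registered prefixes passes nothing: fail closed.
    """
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGONS):
        return "bogon"
    if any(addr in net for net in CUSTOMER_PREFIXES.get(port, ())):
        return "ok"
    return "spoofed"


def audit_flows(lines):
    """Classify each flow record.

    Returns (verdicts, flagged): verdicts maps port -> Counter of verdict
    strings; flagged lists (port, src, verdict) for every non-'ok' record.
    Blank lines and '#' comments are skipped; malformed lines raise.
    """
    verdicts = {}
    flagged = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        port, src, _dst, _proto, _dport = line.split()
        verdict = classify_source(port, src)
        verdicts.setdefault(port, Counter())[verdict] += 1
        if verdict != "ok":
            flagged.append((port, src, verdict))
    return verdicts, flagged


# Constructed records: one legitimate flow, a source borrowed from another
# customer's block, an RFC1918 source, and a source just outside cust-b's /25.
SAMPLE_FLOWS = """\
# port    src             dst          proto  dport
cust-a    203.0.113.7     192.0.2.10   udp    1434
cust-a    198.51.100.9    192.0.2.10   udp    1434
cust-a    10.1.2.3        192.0.2.10   tcp    135
cust-b    198.51.100.40   192.0.2.20   tcp    80
cust-b    198.51.100.200  192.0.2.20   tcp    80
""".splitlines()


if __name__ == "__main__":
    verdicts, flagged = audit_flows(SAMPLE_FLOWS)
    for port, counts in sorted(verdicts.items()):
        print(port, dict(counts))
    for record in flagged:
        print("drop:", *record)
```

The verdict depends only on the port the packet arrived on and its source address, never on the destination port, which is what keeps this on the "known dodgy behaviour" side of the line drawn above: a customer's legitimate udp/1434 or tcp/135 traffic from their own prefix is still 'ok', while the same packets with a borrowed or RFC1918 source are dropped whatever port they aim at.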