Re: rack power question

2008-04-03 Thread Robert Boyle


At 03:50 PM 4/3/2008, Derek J. Balling wrote:
So your theoretical maximum draw is NOT "1/2 the total"... in a nicely
populated chassis it will draw more than 1/2 the total and complain
the whole time about it.


That should probably have read in a well designed and fully populated 
chassis... I personally know for a fact that the Dell blade chassis 
can be fully loaded and operate with only two of four power supplies 
when fully loaded on the old 10 slot chassis and 3 of 6 in the new 16 
slot chassis when fully loaded. HP also claims the C7000 chassis is 
fully redundant with only 3 of 6 power supplies. This is true for all 
configurations I have ever seen.


-Robert



Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: cooling door

2008-03-29 Thread Robert Boyle


At 02:11 PM 3/29/2008, Alex Pilosov wrote:

Can someone please, pretty please with sugar on top, explain the point
behind high power density?


More equipment in your existing space means more revenue and more profit.


Raw real estate is cheap (basically, nearly free). Increasing power
density per sqft will *not* decrease cost, beyond 100W/sqft, the real
estate costs are a tiny portion of total cost. Moving enough air to cool
400 (or, in your case, 2000) watts per square foot is *hard*.


It depends on where you are located, but I understand what you are 
saying. However, the space is the cheap part. Installing the 
electrical power, switchgear, ATS gear, Gensets, UPS units, power 
distribution, cable/fiber distribution, connectivity to the 
datacenter, core and distribution routers/switches are all basically 
stepped incremental costs. If you can leverage the existing floor 
infrastructure then you maximize the return on your investment.



I've started to recently price things as "cost per square amp". (That is,
1A power, conditioned, delivered to the customer rack and cooled). Space
is really irrelevant - to me, as colo provider, whether I have 100A going
into a single rack or 5 racks, is irrelevant. In fact, my *costs*
(including real estate) are likely to be lower when the load is spread
over 5 racks. Similarly, to a customer, all they care about is getting
their gear online, and can care less whether it needs to be in 1 rack or
in 5 racks.


I don't disagree with what you have written above, but if you can get 
100A into all 5 racks (and cool it!), then you have five times the 
revenue with the same fixed infrastructure costs (with the exception 
of a bit more power, GenSet, UPS and cooling, but the rest of my 
costs stay the same.)



To rephrase vijay, "what is the problem being solved"?


For us in our datacenters, the problem being solved is getting as 
much return out of our investment as possible.


-Robert






Re: data center loading (was:Re: rack power question)

2008-03-26 Thread Robert Boyle


At 10:15 AM 3/26/2008, Lamar Owen wrote:

One thing I haven't seen discussed, though, is the other big issue with
high-density equipment, and that is weight.

Those raised floors have a weight limit.  In our case, our floors, built out
in the early 90's, have a 1500 lb per square inch point load rating, and
7,000 pound per pedestal max weight.  The static load rating of 300 pounds
per square foot on top of the point load rating doesn't sound too great, but
it's ok; we just have to be careful.  Our floors are concrete-in-steel, on 24
inch pedestals, with stringers.


I don't know about others, but we don't use raised floors. If you 
look at the airflow required and how high your raised floor actually 
has to be (5-6 ft) in our case, it simply doesn't make sense. We use 
doors at the ends of aisles, blanking panels, and a lexan cover over 
all aisles. We sequester all air and force the air to flow through 
the equipment. This typically cuts energy used for cooling roughly by 
30-45%. We have seen dual 20 ton Lieberts used for a double row 
(typically 20-22 racks per row) actually cycle on and off once air is 
no longer allowed to mix. We typically will also use two Challenger 
3000 5 ton units in the middle of the row for a total of 50 tons of 
cooling and about 150KW of electrical use for 35-40 cabinets. That is 
a mix of some cabinets with fewer servers and some with high density 
10 slot dual quad core blade chassis units. We also like to build our 
datacenters on 8-12" slabs at or slightly above ground level so we 
don't really need to worry about weight loads either. Not possible if 
you are on the 20th floor of headquarters, but something to consider 
when talking about greenfield datacenter development.


-Robert






RE: 10GE router resource

2008-03-26 Thread Robert Boyle


At 09:59 AM 3/26/2008, you wrote:

> Is there a multiport card out there on to which some of the
> forwarding responsibilities can be offloaded?  Perhaps the
> CPU doesn't need to see every packet that arrives on the machine.

Am I the only person who has heard of Google?

It didn't take me long to find this wiki page
http://www.bro-ids.org/wiki/index.php/ClusterFrontends
for an Opensource Intrusion Detection System that lists
various 10G cards for Linux and a couple of FPGA cards
so that you can roll your own ASICs. Anyway, this one
http://www.lewiz.com/talon3220.html
has two ports and claims to reach 8.8 Gbps with 1500 byte
packets.

People rolling their own router are not the only ones who
want to do 10G on Linux.


Anyone who wants to roll your own more advanced apps on Linux without 
reinventing the wheel may want to check out my friend's company:


http://www.bivio.net/products/bivio7000.htm

Even with their specialized hardware platform, bus, and extensive 
tuning, they only get 10Gb/s throughput on the dual or quad 10G 
modules. However you can do 100,000 line ACLs at that speed. It is 
built for a different application than core routing. However, an XMR 
or Sup720 will still be a lot cheaper and give better performance.


-Robert






Re: 10GE router resource

2008-03-25 Thread Robert Boyle


At 09:44 PM 3/25/2008, you wrote:
On Tue, Mar 25, 2008 at 1:59 PM, Chris Grundemann 
<[EMAIL PROTECTED]> wrote:

> Greg has laid out a great bit of information and I would like to add just
> one possibility to the list of budget 10GE routers: Vyatta.  According to a
> recent press release from that company
> (http://www.vyatta.com/about/pressreleases.php?id=51) they offer a product
> that is "2 to 3X higher performance at a cost savings of more than 75
> percent" when compared to Cisco's 7200.  Unfortunately I have not had the

when did the 7200 go 10ge?


Shh... It's a secret and hasn't been released yet. We have a few 
NPE-40Gs with four 10G XFP interfaces. ;) Nah... I'm just wishing...


-Robert





Carrier Hotels in Chicago

2007-12-28 Thread Robert Boyle



Hello all,

I located our new midwest datacenter site, but I'm going to need 
connectivity to Chicago. At which other middle of the country places 
should we connect? We will obviously connect back to our network in 
New York and Los Angeles, but I'm not familiar with other carrier 
hotels or IXs in the middle of the US. What is in Dallas? Does anyone 
have any strong feelings about Telx in Chicago, IL @ 350 E. Cermak 
Road or 600 S. Federal Street? Are those the best places in the 
midwest? Any 
other suggestions? I am asking here because I am looking for a 
carrier and ISP perspective. I am going to colocate core and edge 
routers and I need connectivity to a large pool of carriers and no 
MRC on cross connections. Any help or advice would be appreciated. Thanks!


-Robert





Re: South America Peering

2007-12-27 Thread Robert Boyle


At 07:39 PM 12/27/2007, AD wrote:

hello,

 does anyone have any experience with peering in S. America?  I am 
looking to move a lot of data between NewYork/LA and a few south 
american countries and looking for some ISPs that have reliable 
peering into those countries.


 Any recommendations would be appreciated.  The one i did find was 
Terremark, but no others yet.


Adam,

If you want connectivity to Latin America (inc. S. America) from the 
US (LA & NY),  then you probably want to be at NOA in Miami. That is 
a Terremark facility, but lots of carriers are there. Look at their 
carrier customer list and you will see all of the carriers connected 
to them in Miami:


http://marketplace.terremark.com/bysegment.asp?s=1

We have a few connections which go through NOA and we have found the 
pricing to get high speed circuits to NY and LA from Miami to be very 
reasonable. Good luck with your project.


-Robert







Re: L3 in NYC

2007-08-08 Thread Robert Boyle


At 10:10 PM 8/8/2007, you wrote:


Is anyone else having trouble with Level 3 in New York ? We have
circuits down, etc.


An OC192 is down and we have about 80 T1s down on the Broadwing/L3 network.

-Robert






Re: Cisco CRS-1 vs Juniper 1600 vs Huawei NE5000E

2007-08-03 Thread Robert Boyle


At 02:17 AM 8/3/2007, you wrote:

Hi, group

 I need some help.

  Which equipment is better ( performance, availability,
scalability, features, Support, and Price ($$$) ) ???

 Some experience in the real life 


Dependent on your interface needs, if GigE, 10G, (40G & 100G in the 
future) and POS are all you need, include the Foundry XMR in your 
eval too. Very solid software and excellent support at a price point 
which is significantly lower than C & J. I don't know the pricing for H.


-Robert






Re: Seeking Comcast Contact: need to troubleshoot packet loss and/or asymmetric routing issue between Comcast & Onvoy

2007-08-02 Thread Robert Boyle


At 09:30 AM 8/2/2007, Craig D. Rice wrote:
For four months dozens of our users who are Comcast subscribers have 
had difficulty reaching St. Olaf College's and Carleton College's 
network services.


We have worked through everything we can think of with our Onvoy 
(regional ISP) network engineers. We have isolated the problem to a 
couple of Comcast's IP subnets, but need a contact within Comcast to 
further troubleshoot.


(snip)

Either your firewall/router or the customer's firewall/router is 
blocking PMTUD packets. Fragment needed, but don't fragment bit set. 
Look at your ICMP access list and make sure you are allowing: permit 
icmp any any unreachable from any Internet address. I suspect an 
overzealous firewall admin is blocking all icmp. Read the acronym to 
him/her and explain that some icmp is necessary for the Internet to work.


-Robert



Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin
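
The PMTUD failure described in the reply above, as an added example that is not part of the original post: it parses an ICMP type 3 code 4 ("fragmentation needed and DF set") message and shows what the sender learns under a block-all-ICMP filter versus one that permits unreachables. The ACL model, function names and sample addresses are assumptions made for the illustration.

```python
import struct
from ipaddress import IPv4Address

DEST_UNREACHABLE, FRAG_NEEDED = 3, 4   # ICMP type 3, code 4 (RFC 792 / RFC 1191)

def build_frag_needed(src, dst, sport, dport, next_hop_mtu):
    """Constructed sample of the error a router returns for an oversized DF packet."""
    icmp = struct.pack("!BBHHH", DEST_UNREACHABLE, FRAG_NEEDED, 0, 0, next_hop_mtu)
    # Quoted original datagram: 20-byte IPv4 header with DF (0x4000) set,
    # followed by the first 8 bytes of the TCP header.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 1, 0x4000, 60, 6, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    tcp = struct.pack("!HHI", sport, dport, 1000)
    return icmp + ip + tcp   # checksums left at zero; the bytes are only parsed here

def parse_icmp(msg):
    """Return type/code, plus next-hop MTU and the quoted flow for frag-needed errors."""
    if len(msg) < 8:
        raise ValueError("short ICMP message")
    icmp_type, code, _cksum, _unused, mtu = struct.unpack("!BBHHH", msg[:8])
    info = {"type": icmp_type, "code": code}
    if (icmp_type, code) != (DEST_UNREACHABLE, FRAG_NEEDED):
        return info
    inner = msg[8:]
    if len(inner) < 20:
        raise ValueError("quoted IP header missing")
    ihl = (inner[0] & 0x0F) * 4
    if len(inner) < ihl + 4:
        raise ValueError("quoted transport header missing")
    (flags,) = struct.unpack("!H", inner[6:8])
    sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    info.update(
        next_hop_mtu=mtu,
        df=bool(flags & 0x4000),
        flow=(str(IPv4Address(inner[12:16])), sport,
              str(IPv4Address(inner[16:20])), dport),
    )
    return info

# Hypothetical first-match ICMP filters: (action, icmp_type or None for "any").
BLOCK_ALL_ICMP = [("deny", None)]
PERMIT_UNREACHABLE = [("permit", DEST_UNREACHABLE), ("deny", None)]

def acl_permits(acl, icmp_type):
    for action, match_type in acl:
        if match_type is None or match_type == icmp_type:
            return action == "permit"
    return False   # implicit deny at the end of the list

def sender_mtu_after(acl, msg, current_mtu=1500):
    """Path MTU the sender uses after the router's error meets the filter."""
    info = parse_icmp(msg)
    if not acl_permits(acl, info["type"]):
        return current_mtu   # error dropped: sender keeps sending 1500-byte DF packets
    return min(current_mtu, info.get("next_hop_mtu", current_mtu))

SAMPLE = build_frag_needed("192.0.2.10", "198.51.100.20", 443, 51515, 1400)

if __name__ == "__main__":
    print(parse_icmp(SAMPLE))
    print("block all icmp     ->", sender_mtu_after(BLOCK_ALL_ICMP, SAMPLE))
    print("permit unreachable ->", sender_mtu_after(PERMIT_UNREACHABLE, SAMPLE))
```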



Re: An Internet IPv6 Transition Plan

2007-07-26 Thread Robert Boyle


At 01:22 PM 7/26/2007, you wrote:
Let us not forget that network vendors are now capitalising on the 
requirement to purchase expensive licensing for such features as 
native IPv6 routing and 6PE, on their mid to high end kit.


I don't feel this sort of behaviour is helpful, I can understand 
asking for licensing fees for L2VPN/L3VPN technologies since these 
are products that service providers can levy a reasonable charge 
for, but to charge for IPv6 routing capability alone, at the time 
where the discussion of which has never been so serious, leaves a 
bit of a bad taste in one's mouth.


This is one reason we moved to the Foundry XMR. Their purchase price 
includes all features such as ISIS, BGP, MPLS, IPv6, etc. Since other 
vendors charge too much (imho) for licensing, some projects like MPLS 
enabling a network or moving to IPv6 will not happen right away. New 
services will not be added which will not lead to new gear being 
purchased to help keep up with the growth of new services. If a few 
engineers want to play with some features or add a new service for a 
single client or two as a trial, but it is a multi-million dollar 
exercise in licensing, it won't happen until there is a business case 
and by then you are following the herd and not leading it. By that 
time your people are 2-3 years behind their peers in learning how to 
implement and support the new technology and you've lost potential 
clients and services too. Just my $.02.


-R






Re: History of the EPO (Emergency Power Off)

2007-07-25 Thread Robert Boyle


At 08:10 PM 7/25/2007, Sean Donelan wrote:

Sometimes you need to revisit the rules.  For example, for folks
thought having automatic water sprinklers in data centers was a bad 
thing. Slowly folks have started to rethink it, and now automatic 
sprinklers are found in more data centers.  I don't have hard data, 
but my experience
is there have been fewer outages from accidental sprinkler discharges
than from accidental EPO activations.


There was an interesting study conducted by the US Air Force about 
fires and other failure modes in computing facilities protected with 
Halon/FM200/FE227 vs. dry pipe preaction. I know I saved the PDF, but 
I can't seem to find it at the moment. If my memory is correct, it 
boiled down to the fact that there had only been two fire incidents 
at all US Air Force installations and both were due to (surprise, 
surprise) human factors. One was a stray incendiary munition which 
breached the datacenter and other was due to a Jet A fuel spill and 
fire - which is odd because it is hard to ignite kero, diesel, jet A 
without atomization. The point of the study was that there was zero 
damage over a 30 year period from water based fire protection systems 
and I suspect it was pretty handy to have sprinklers when both 
datacenter fires happened. The munition breach of the physical 
structure would have rendered any gas based fire suppression system 
ineffective.


In theory, I'm not a big fan of EPOs due to the "Is this the button 
to exit/open the door?" problem. One of our redundant 150KVA UPS 
units caught fire a couple years ago, the input breaker became the 
EPO since the on-board front panel EPO was completely ineffective 
(and it still would have been ineffective had it been connected to an 
external EPO button.) That incident prompted a design change in all 
of our new datacenter power systems since and all existing systems 
were also updated. Now all UPS units have separate input and bypass 
breakers and feeds. Previously we used a single feed, but you can't 
isolate a burning UPS without dropping your attached load when they 
share a single breaker and are tied together inside the unit where 
the fire is happening. Having discrete A & B power systems is also a 
very good thing!


Many years ago when we were much, much smaller, the EPO was wired to 
a special EPO circuit breaker on the main panel which fed the 
subpanel for the datacenter room. A short on that breaker was like 
pressing the "test" switch on a GFCI breaker. Do most people who do 
have functional (as opposed to decorative) EPO buttons have them 
connected to the building/suite mains disconnect? or to the output of 
your UPS units? to a special EPO panel which trips the EPO cutoffs on 
other units?


-Robert





Re: Cisco 7200 series and G2 NPEs

2007-07-15 Thread Robert Boyle


At 11:29 PM 7/15/2007, Steven Haigh wrote:

I'm wondering if there is anyone willing to share any experiences they
have had with Cisco 7200 series equipment (specifically relating to
the G2 NPE) and any 12.4 based IOS.

We were initially advised by Cisco to run 12.4(4)-XD7, however upon
introducing our first G2 into the network, the vpdn target routers had
a ~20% CPU usage increase, while the G2 itself showed signs of
incorrectly establishing tunnels. Changing back to a G1 NPE (same
config) and everything works as expected.


It didn't seem quite right to us either.


Cisco has recommended that we move to a 12.2 SB IOS for the G2,
however I'm wondering what other people are doing.


We are running 12.2(31)SB5 and we have been very pleased. We are 
using MPLS, BGP, ISIS, CEF, SNMP, and TACACS+ with I/O-2FE,  3 GE 
fiber SFPs, PA-MC-T3s, and PA-FEs.



On another note, it seems as though it is not possible to recover a G2
from a rommon state with invalid bootloader images or corrupt
bootflash:. There are no commands in the rommon to allow Xmodem
uploads via the console, nor any networking functions. I also noticed
that it seems to be impossible to load the bootloader from a CF card -
even though you can list the contents of the CF card.

Does anyone have any recovery techniques that I'm not aware about in a
real world failure scenario?


That sounds disturbing. I can't imagine they would not have a way to 
recover using TFTP or flash.


-Robert






Omaha, NE Carrier Hotels???

2007-05-09 Thread Robert Boyle



Omaha is right in the middle of the US and it seems to be a point on 
most carriers' national backbone maps. There has to be some type of 
carrier hotel there somewhere, but I can't seem to find it. Can anyone 
provide insight on the 60 Hudson or One Wilshire or 111 8th or Westin 
of Omaha? Thanks!


-Robert





Re: DR plan template

2007-04-26 Thread Robert Boyle


At 02:22 PM 4/26/2007, Dennis Dayman wrote:


Can anyone point me to or send me a copy of a standard disaster recovery plan.



Many resources including a template are available here:

http://www.drj.com/

http://www.drj.com/new2dr/samples.htm

R






Re: TCP and WAN issue

2007-03-28 Thread Robert Boyle



A lot of different theoretical things have been discussed, but 
basically, if you are running Windows XP, 2000, or 2003 over a WAN 
with anything more than 10-20ms of latency, make the following change 
to the registry and you will find a world of difference. Ideally, you 
would make the change to both sides, but as long as one side has 
this, it will auto-negotiate with the other side to adjust the


Start, Run, regedt32

Go to:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters

Edit, New -> DWORD Value

Then name it "Tcp1323Opts" (without the quotes) and change the value to 3

That will give you far better performance by enabling automatic TCP 
window size scaling as per RFC 1323 over your WAN links (hence the 
key name), but only to other computers which support RFC1323. XP and 
2003 default to allowing scalable windows if the far side initiates 
the negotiation, but that will never happen unless one side has this key set.


Values are:
0 (disable RFC 1323 options) - default before creating the key
1 (window scale enabled only)
2 (timestamps enabled only)
3 (both options enabled)

Try this and let us know what you see.

-Robert







Re: TCP and WAN issue

2007-03-27 Thread Robert Boyle


At 04:26 PM 3/27/2007, Philip Lavine wrote:
I have an east coast and west coast data center connected with a 
DS3. I am running into issues with streaming data via TCP and was 
wondering besides hardware acceleration, is there any options at 
increasing throughput and maximizing the bandwidth? How can I 
overcome the TCP stack limitations inherent in Windows (registry 
tweaks seem to not function too well)?


You will have problems obtaining anything more than 5-7Mbit/s based 
on 1500 byte Ethernet packets and a RTT latency of 70-90ms. You can 
increase your window size or use Jumbo Ethernet frames. Almost all 
GigE gear supports jumbo frames. I'm not sure of your application, 
but without OS tweaks, each stream is limited to 5-7Mbit/s. You can 
open multiple streams between the same two hosts or you can use 
multiple hosts to transfer your data. You can utilize the entire DS3, 
but not without OS TCP stack tweaks or a move to jumbo frames. You 
can also use UDP or another connectionless packet method to move the 
data between sites. Good luck.


-Robert



Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin
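
An added example (not part of either post) tying together the Tcp1323Opts registry values in the 2007-03-28 message and the 5-7 Mbit/s per-stream figure in the 2007-03-27 message: it decodes the registry value, parses TCP options from a handshake to see whether window scaling was actually negotiated, and computes the resulting per-stream ceiling. The sample option bytes are constructed, the DS3 rate of 44.736 Mbit/s is supplied here rather than taken from the thread, and all function names are assumptions.

```python
MAX_UNSCALED_WINDOW = 65535     # largest value the 16-bit TCP window field can carry
DS3_BPS = 44_736_000            # DS3 line rate (assumption: framing overhead ignored)
OPT_MSS, OPT_WSCALE, OPT_TIMESTAMP = 2, 3, 8

def decode_tcp1323opts(value):
    """Registry value as listed in the post: bit 0 = window scale, bit 1 = timestamps."""
    return {"window_scale": bool(value & 1), "timestamps": bool(value & 2)}

def throughput_ceiling_bps(window_bytes, rtt_s):
    """One window per round trip is the most a single TCP stream can move."""
    return window_bytes * 8 / rtt_s

def window_needed(link_bps, rtt_s):
    """Bandwidth-delay product in bytes: the window that keeps the link full."""
    return int(link_bps * rtt_s / 8)

def min_shift(window_bytes):
    """Smallest RFC 1323 shift count (0..14) whose scaled window covers window_bytes."""
    for shift in range(15):
        if MAX_UNSCALED_WINDOW << shift >= window_bytes:
            return shift
    raise ValueError("window exceeds what RFC 1323 scaling can express")

def parse_tcp_options(raw):
    """Parse the TCP options area into {kind: data}, rejecting malformed lengths."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:            # end of option list
            break
        if kind == 1:            # NOP padding
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("truncated option")
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("bad option length")
        opts[kind] = raw[i + 2:i + length]
        i += length
    return opts

def negotiated_shifts(syn_opts, synack_opts):
    """Scaling applies only if BOTH the SYN and the SYN-ACK carry the option."""
    syn, synack = parse_tcp_options(syn_opts), parse_tcp_options(synack_opts)
    if OPT_WSCALE not in syn or OPT_WSCALE not in synack:
        return None
    if len(syn[OPT_WSCALE]) != 1 or len(synack[OPT_WSCALE]) != 1:
        raise ValueError("window scale option must carry one byte")
    return min(syn[OPT_WSCALE][0], 14), min(synack[OPT_WSCALE][0], 14)

def per_stream_ceiling_bps(syn_opts, synack_opts, rtt_s):
    """Ceiling for data flowing toward the SYN-ACK sender (it advertises the window)."""
    shifts = negotiated_shifts(syn_opts, synack_opts)
    window = MAX_UNSCALED_WINDOW << shifts[1] if shifts else MAX_UNSCALED_WINDOW
    return throughput_ceiling_bps(window, rtt_s)

# Constructed option bytes: MSS 1460, window scale shift 3, timestamps, SACK-permitted.
SYN_WITH_WS = bytes([2, 4, 5, 180, 1, 3, 3, 3, 1, 1, 8, 10,
                     0, 0, 0, 1, 0, 0, 0, 0, 1, 1, 4, 2])
SYNACK_NO_WS = bytes([2, 4, 5, 180, 1, 1, 4, 2])          # far side did not echo scaling
SYNACK_WITH_WS = bytes([2, 4, 5, 180, 1, 3, 3, 3, 1, 1, 4, 2])

if __name__ == "__main__":
    for rtt in (0.070, 0.090):
        plain = per_stream_ceiling_bps(SYN_WITH_WS, SYNACK_NO_WS, rtt)
        scaled = per_stream_ceiling_bps(SYN_WITH_WS, SYNACK_WITH_WS, rtt)
        need = window_needed(DS3_BPS, rtt)
        print(f"RTT {rtt * 1000:.0f} ms: unscaled {plain / 1e6:.2f} Mbit/s, "
              f"scaled {scaled / 1e6:.2f} Mbit/s, DS3 needs {need} bytes "
              f"(shift {min_shift(need)})")
```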



Re: Linksys WAG200G - Information disclosure (fwd)

2007-03-20 Thread Robert Boyle


At 05:48 PM 3/20/2007, you wrote:

I wonder what their security process is for other types of routers?


Try [EMAIL PROTECTED]

http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html#Problems

-Robert



-- Forwarded message --
Date: 20 Mar 2007 20:31:01 -
From: [EMAIL PROTECTED]
To: bugtraq@securityfocus.com
Subject: Linksys WAG200G - Information disclosure

Hi there,

About 2 months ago I bought a wireless ADSL 
modem/router, the Linksys WAG200G. Just did some 
basic security checks and to my utter surprise 
the device responded with about all sensitive information it knows:


* Product model
* Password webinterface
* Username PPPoA
* Password PPPoA
* SSID
* WPA Passphrase

I notified Linksys, got some regular support 
questions and was then assured my concerns would 
be forwarded to the product engineers. Some 
weeks later I tried again, same message, silence since then.


My firmware version is 1.01.01, latest available for this type.

'Technical' info:
Sent a packet to UDP port 916.
Answer contains mentioned information.
(LAN interface and Wireless interface)

Greetings,
Daniël Niggebrugge





Re: Philly area Broadwing / Focal / Level3 fiber cut?

2007-03-13 Thread Robert Boyle


At 02:10 PM 3/12/2007, you wrote:

| I cannot even call their toll-free help lines, as the fiber cut apparently
| is affecting that as well, according to their local NOC people, who cannot
| shed any more light on this.

I was able to get through to their NOC.
there was a cut, but the person I spoke with
did not have much in the way of details.

broadwing master ticket #59210


There was a Broadwing/L3 fiber cut in Sacramento yesterday (3/12/07), 
but I don't know if that was the cause for what you were 
experiencing. We did not see anything on our network which rides L3 
on the east coast affected at all.


R







Foundry XMR/MLX Experience - Update

2007-03-12 Thread Robert Boyle



Hello all,

In December 2006, I asked for input from people on their experience 
with Foundry since we were leaning toward them for our new core 
router standard for our current backbone upgrade cycle. About 50 
people replied and asked me to update them with my choice and 
information I gathered since they were also considering Foundry. We 
also looked at Juniper and Cisco's offerings, but they weren't 
competitive in the price/performance ratio and Juniper's annual 
maintenance fees were astronomical and their sales people arrogant. 
The feedback on Force10 from people who said they were also looking 
at them was that their software was not mature or stable enough and 
their financial picture was questionable while the hardware per port 
cost was higher than Foundry. I never contacted Force10 based on the 
preliminary feedback I received from their actual users. Everyone who 
actually used Foundry loved their boxes. Two people said stay away 
from Foundry, but upon further inquiry, one had not actually 
personally used any Foundry gear and the other had a problem, but 
never contacted Foundry support for help. Foundry openly admits that 
they had some quality problems in the past with certain older 
hardware models which had a bad ASIC production run and those issues 
have been addressed and the customers made whole. That certainly 
seems to be the case based on the feedback I received. I am very 
pleased with the current generation of hardware. We also liked the 
fact that the Foundry CLI language is basically IOS with a Santa 
Clara accent which minimizes staff training requirements. We love our 
Cisco gear, but it just isn't price competitive for high density and 
line rate without any oversubscription. I also don't like the 
imminent, uncertain, and nebulous maybe/maybe-not IOS feature-set 
code-base split between the 7600 and 6500 series platforms. We 
evaluated a Foundry MLX, but we decided to purchase an XMR which is 
the big brother of the MLX. The main difference between the MLX and 
the XMR is that the XMR will take 1 million routes in the CAM vs. 
512k for the MLX. The XMR also has a higher limit on the number of 
BGP peers and it has more RAM. Both models run the exact same code. 
The XMR will also do MPLS and IPV6 routing (in hardware) without any 
special feature licenses. You buy the box and you can do anything it 
is capable of. I like that way of doing business too. Our evaluation 
period was flawless. We didn't run into any bugs and the box just 
worked as advertised. In fact, I copied and pasted a Cisco config to 
get the box up and running and I think I only had to change 3 or 4 
lines. We told Foundry we also wanted 100Mbit SM SFP support and BFD 
support and they were both included in the new release of the 
software. It works with ISIS, BGP, and SNMP without any issues at 
all. We have been very pleased. They work with any SFP optics 
although the official position is that only factory optics are 
supported. We just purchased four XMR routers which we will be 
deploying shortly. The MLX which has been in production for almost 3 
months has had zero issues interoperating with our Cisco gear 
including 7200s and 6500s speaking ISIS and BGP. Foundry's support 
team goes above and beyond. They have been extremely helpful with any 
questions and they really want to make sure their customers are happy 
and willing to recommend their products. I have been converted. We 
are also planning to roll out MPLS once the routers are in place. POS 
cards are out now too in OC12/OC48 and OC192. The chassis is 40GE and 
100GE capable and will support the cards once they are released.



Here are some quotes which I received:


"We're looking at replacing our current routers as well. I'm currently
looking at Force10 (E600), Foundry (XMR), and Juniper (MX960). Since
we're primarily a commodity internet shop, we don't need MPLS today,
which is the only reason I'm considering Force10.
We use Foundry for L2 today and have had great luck using 3rd party
SFPs. We buy all our SFPs from Calix (OEM'd Finisar)."


"Like every vendor, Foundry has its quirks but they're putting real
efforts into getting things handled. We've worked closely with them
for the past 3 years and helped them understand better how to move
from enterprise support into the ISP market.
They're still doing a little catch up in code but getting there pretty
fast. I'd venture that by the end of 2007, they will have every bit of
feature support you could find from juniper or cisco. Many of the most
important things for even a large network are there now and are being
beaten to hell and back in various people's networks. The end result
is that the bugs that make it in there are getting ferreted out
pretty fast."


"A summarization of the answers you receive would be great. We have a few
of the MLX16 and MLX8's in our lab right now, but not in the same
capacity that you're using them, so I can't comment on the number of BGP
peers and how they

Re: Cable-Tying with Waxed Twine

2007-01-25 Thread Robert Boyle


At 07:30 PM 1/24/2007, you wrote:
Upon leaving a router at telx and asking one of their techs to plug 
in the equipment for me, I came back to find all my cat5 cables 
neatly tied with some sort of waxed twine, using an interesting 
looping knot pattern that repeated every six inches or so using a 
single piece of string.  For some reason, I found this trick really cool.


I have tried googling for the method, (it's apparently standard, 
I've seen it in play elsewhere), and for the type of twine, but had 
little luck.  I was wondering if any of the gurus out there would 
care to share what this knot-pattern is actually called, and/or if 
there's a (illustrated) howto somewhere?


Someone else already mentioned Tecra Tools. We use Tecra. However, we 
use Specialized too.


http://www.specialized.net/ecommerce/shop/seriesmaster.asp?series_id=Cable+Lacing+Tools

Our guys prefer the Chicago style straight blade needles since the 
curved tools are too unwieldy when dealing with high cable density. 
Here is a picture from one of our datacenters:


http://www.tellurian.com/california/img_8065_std.jpg

We use lacing at all of our facilities. As far as I'm concerned, it 
is the only way to go.


-Robert






ISIS SNMP monitoring help

2007-01-20 Thread Robert Boyle



Hello,

I am posting here because I haven't been able to find what I need 
despite much searching and a previous unanswered post to cisco-nsp 
and I'm hoping someone here will have the answer. I need to find the 
SNMP OID for monitoring ISIS / CLNS neighbors:


I tried walking:

1.3.6.1.3.37.

and

1.3.6.1.3.37.1.5.

and

1.3.6.1.3.37.1.5.1.1.2.

and 1.3.6.1.3.37 which is the only OID I have found for ISIS seem to 
be invalid. I tried on a 7206 running 12.3(19) and a 6506 Sup720-3BXL 
running 12.2(18)SXF7 both of which are running ISIS and have many 
neighbors. I am looking for the ISIS roughly equivalent command to 
the BGP OID which we use to monitor BGP peers, but instead to monitor 
ISIS neighbor adjacencies:


For BGP: 1.3.6.1.2.1.15.3.1.2.a.b.c.d

For ISIS: 

Thanks,
Robert

btw- For those who helped with my Foundry questions and those who 
wanted a summary, I am working on the summary now and we are also 
wrapping up our testing of the MLX/XMR boxes.



Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: i wanna be a kpn peer

2007-01-10 Thread Robert Boyle


At 10:29 PM 1/10/2007, you wrote:

route-views.oregon-ix.net>sh ip bg 203.10.63.0
BGP routing table entry for 0.0.0.0/, version 2
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  286
134.222.85.45 from 134.222.85.45 (134.222.85.45)
  Origin IGP, localpref 100, valid, external, best
  Community: 286:286 286:3031 286:3809


Provided you don't do any sanity checks on what you accept from KPN, 
I have a feeling your traffic ratio would be highly asymmetrical. :)


-Robert


Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: Network end users to pull down 2 gigabytes a day, continuously?

2007-01-06 Thread Robert Boyle


At 01:52 AM 1/6/2007, Thomas Leavitt <[EMAIL PROTECTED]> wrote:
If this application takes off, I have to presume that everyone's 
baseline network usage metrics can be tossed out the window...


Interesting. Why does it send so much data? Is it a peer to peer type 
of system where it redistributes a portion of the stream as you are 
viewing it to other users?


R



Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Foundry MLX experience?

2006-12-20 Thread Robert Boyle


Hello all,

I am looking for a faster solution for our core. Our backbone 
connections are almost all exclusively Fast Ethernet, GigE, with some 
10GE stuff on the horizon. We need something which can run at wire 
speed and take full routes now and for the next 3-4 years. The 
Foundry MLX looks like the right box at the right price, but I wanted 
to know if anyone else has these running with 10-15 iBGP peers, 
60-100 eBGP peers, and full routes from up to 10 transit connections. 
How do they stand up to high traffic loads, DOS attacks, etc. How is 
their BGP implementation, how do 3rd party SFPs work, and how stable 
is the hardware and software? If you happen to have experience 
running ISIS on them too any info on that would be great. Offlist is 
fine and I can summarize for the group. Thanks for any input you can offer!


-Robert


Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link]

2006-11-09 Thread Robert Boyle


At 06:58 PM 11/9/2006, you wrote:
automatic systems are fine if you decide you want to do them, i was 
specifically responding to the author who suggested he would build 
the filters himself, my point was that this seemingly good intention 
is in fact causing real operational problems on The Internet right 
now as anyone receiving addresses from newly allocated blocks will attest to


Since I am the OP, I never said that filtering bogons was a miracle 
cure all. If we put static bogon filters on customer routers, I would 
agree that would be stupid and would cause maintenance and routing 
problems. As an ISP with several assignments from formerly bogon blocks, I 
agree and understand your point. However, we are religious about 
updating our bogon filters and we never block legitimate traffic or 
announcements. Bogon filtering is just one thing among many which I 
think should be done. Following BCP38 and filtering what comes in 
from customers and transit/peer connections all help to ensure that 
you aren't part of the problem to the community or to your own 
clients. The original poster who I replied to stated that it appeared 
that some traffic of unknown origin on a private address was being 
routed across his network between routers and he didn't have any 
routes for that network in his routing tables. My response was that 
those announcements and traffic should be filtered at his edge. This 
turned into a thread about whether filtering was a good thing or not 
which in my mind is absurd. However, if you run a network and want to 
accept traffic from bogon and RFC1918 space over your customer, 
peering, and transit connections then that's your problem. I just 
choose to not make it mine.


-Robert



Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link]

2006-11-09 Thread Robert Boyle


At 09:23 AM 11/9/2006, you wrote:

On Thu, Nov 09, 2006, Robert Boyle wrote:

> You should also create a bogons list for your BGP routes which you
> accept from your upstream. Block all RFC1918 space and unassigned
> public addresses too. Just keep on top of it when new allocations are
> put into use. We see all kinds of crazy things which people try to
> announce (and successfully too - up to our borders anyway.)

Is there a somewhat-reliable bogon BGP feed that can be subscribed to
these days?


We just maintain our own. I remember hearing about one a while ago, 
but we don't use it so I don't know any details.


-Robert



Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: [c-nsp] [Re: huge amount of weird traffic on poin-to-point ethernet link]

2006-11-09 Thread Robert Boyle



You should also create a bogons list for your BGP routes which you 
accept from your upstream. Block all RFC1918 space and unassigned 
public addresses too. Just keep on top of it when new allocations are 
put into use. We see all kinds of crazy things which people try to 
announce (and successfully too - up to our borders anyway.)


-Robert




Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin

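The advice in the two posts above (drop RFC1918 and unassigned space from what you accept, and keep the list current as allocations change) can be checked mechanically. The sketch below is an added example, not code from the thread or from Tellurian: the function names are hypothetical, the RFC1918 ranges are real, and the "unassigned" entry, the announcements and the allocation update are constructed from documentation prefixes.

```python
import ipaddress

# Operator-maintained bogon list. The RFC1918 ranges are real; the fourth
# entry is a constructed stand-in for an "unassigned public" block.
BOGONS = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")]

# Constructed announcements as received from an upstream or peer.
SAMPLE_ANNOUNCEMENTS = [
    "10.1.0.0/16",        # RFC1918 more-specific
    "192.168.5.0/24",     # RFC1918 more-specific
    "172.20.0.0/14",      # RFC1918 more-specific
    "203.0.113.128/25",   # inside the constructed "unassigned" block
    "192.0.2.0/24",       # stands in for a legitimate route
    "198.51.100.0/24",    # stands in for a legitimate route
]

# Constructed registry update: half of the "unassigned" block is now in use.
NEWLY_ALLOCATED = [ipaddress.ip_network("203.0.113.128/25")]


def matching_bogon(prefix, bogons):
    """Return the bogon entry that covers prefix (exact or more specific)."""
    for entry in bogons:
        if prefix.version == entry.version and prefix.subnet_of(entry):
            return entry
    return None


def filter_announcements(announcements, bogons):
    """Split announcements into accepted prefixes and (prefix, bogon) rejects."""
    accepted, rejected = [], []
    for raw in announcements:
        hit = matching_bogon(ipaddress.ip_network(raw), bogons)
        if hit is None:
            accepted.append(raw)
        else:
            rejected.append((raw, str(hit)))
    return accepted, rejected


def stale_entries(bogons, allocated):
    """Bogon entries that overlap space which has since been allocated.

    These are the entries that would block legitimate traffic or
    announcements if the list were left as it is.
    """
    return [str(b) for b in bogons
            if any(b.version == a.version and b.overlaps(a) for a in allocated)]


def refresh(bogons, allocated):
    """Remove allocated space from the list, keeping the unallocated remainder."""
    current = list(bogons)
    for alloc in allocated:
        updated = []
        for entry in current:
            if entry.version != alloc.version or not entry.overlaps(alloc):
                updated.append(entry)            # unaffected entry
            elif entry.subnet_of(alloc):
                continue                         # whole entry is now allocated
            else:
                # alloc lies strictly inside entry: keep the rest of the block
                updated.extend(entry.address_exclude(alloc))
        current = updated
    return sorted(current,
                  key=lambda n: (n.version, int(n.network_address), n.prefixlen))


if __name__ == "__main__":
    accepted, rejected = filter_announcements(SAMPLE_ANNOUNCEMENTS, BOGONS)
    print("accepted:", accepted)
    for prefix, entry in rejected:
        print("rejected:", prefix, "matches bogon", entry)
    print("stale entries:", stale_entries(BOGONS, NEWLY_ALLOCATED))
    print("refreshed list:", [str(n) for n in refresh(BOGONS, NEWLY_ALLOCATED)])
```

Running the stale-entry check whenever the allocation data changes, before the list is pushed to routers, is what keeps a static filter from dropping newly assigned space.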


Re: Need a gigabit loop - hard to find in our area - referrals?

2006-11-08 Thread Robert Boyle


At 06:55 PM 11/8/2006, you wrote:

We're looking for something which is difficult to find in the area we are in.
I need a gigabit loop between us and a provider or two...


We have successfully used SBC in southern CA for Ethernet loops and 
their prices are pretty reasonable and their footprint is pretty much 
everywhere.


-Robert



Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: adviCe on network security report

2006-11-02 Thread Robert Boyle


At 05:09 PM 11/2/2006, [EMAIL PROTECTED] (Dave Rand) wrote:

Over the last few years, I have worked with many ISPs.  The majority of the
problems had little to do with the format/style/volume of abuse complaints,
and a lot to do with empowering the abuse desks to take action.  "you
suck" was not an enabling message :-)


I don't know about other ISP networks because I am only responsible 
for one, but we find the huge volume of garbage/bogus/automated abuse 
messages makes it difficult to find the real abuse issues which we 
need to address. A customer who may be forwarding all their email 
including spam to their /bigcommericalisp/ account which is then 
tagged as spam by the same user when it arrives at their account and 
then bounced to [EMAIL PROTECTED] doesn't constitute a valid abuse 
complaint in my mind. An ICMP echo packet received by some random 
idiot online running some broken and poorly designed "firewall" 
software which says he is being attacked by one of our customers does 
not merit an abuse report or response. However, an infected box on 
our network or a customer with an open smtp relay or an owned box on 
one of our client's transit connections from us does merit a reaction 
and as quickly as possible to limit the damage they can inflict on 
the rest of the community and likewise from a selfish standpoint - 
based on the retaliation which may be directed back at us. We try to 
be good neighbors, but all the garbage we receive makes it difficult 
to be as responsive as I would like. We have our dialup support folks 
check through the abuse box and forward anything which falls into the 
interested bucket to our NOC team. However, it simply doesn't make 
financial sense to have a full time person or people checking through 
the abuse box. When something is a real problem and the person on the 
other end needs a quick response, they can call us or check ARIN for 
netblock contact info. The addresses and numbers listed there will go 
straight to someone who can help. I wish abuse was used as intended 
instead of by every idiot programmer and script writer for their own 
"helpful" stuff we never asked for nor does it help us at all nor 
does it help the users.


-Robert



Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: DNS DDoS [was: register.com down sev0?]

2006-10-26 Thread Robert Boyle


At 11:21 AM 10/26/2006, you wrote:
Unfortunately, as Jared has pointed out, the equipment vendors have
to help the operators support this.  So let's all call your favorite
router vendor and ask them when they will have the "ip bcp38" config
option. :)


Even better would be the option: "no ip bcp38"

Make it so a conscious action is needed to disable it, but PLEASE put 
that in the release notes so when the config doesn't "change" we know 
that something really did change... :)


R



Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: comast email issues, who else has them?

2006-09-06 Thread Robert Boyle


At 03:24 PM 9/6/2006, you wrote:

Once upon a time, Sean Donelan <[EMAIL PROTECTED]> said:
> You don't have to exchange E-mail with either Google, Comcast or any other
> Mail Service Provider if you don't want to.

Just wait until "Net Neutrality" laws require you to.


...or with spammers! That's always been my fear about net neutrality laws.

-Robert



Tellurian Networks - Global Hosting Solutions Since 1995
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: Who wants to be in charge of the Internet today?

2006-06-23 Thread Robert Boyle


At 10:04 AM 6/23/2006, you wrote:
Then again, this is the same person that tried to tell me that 768 
OC-192s are carried on a single DS1.


Now THAT is impressive compression! I don't know what your former 
company did, but they should focus on selling that compression 
technology. ;) The buffers must be enormous!


-Robert



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Fwd: At Dig BIG, Nothing Runs Like a Deere (Really Backhoes and Fiber together)

2006-06-06 Thread Robert Boyle



All,

Just in case any of you want to see how the other half lives... and 
destroy some infrastructure after learning more about how to build it 
this week. :)



Work with JOHN DEERE Equipment to build REAL utilities in a REAL work setting.

Dig BIG takes place at the best place on the planet for underground 
working and learning - The Planet Underground.


For two BIG days, The Planet Underground becomes a huge work site 
with acres of REAL underground utilities.


You won't want to miss this REAL BIG opportunity to use the John 
Deere equipment at Dig BIG.   Work side by side with colleagues with 
the best equipment available!


Free registration available for a limited time.


I subscribe to Underground Focus magazine and I just received this in my inbox.

Register at http://www.underspace.com/TPU/register_digbig.php in case 
you really do want to attend.


Now back to the regularly scheduled noise with some content due to NANOG 37.

-Robert



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: Black Frog - the botnets keep coming

2006-05-25 Thread Robert Boyle


At 11:33 AM 5/25/2006, you wrote:

Citation on the $1M/day, please? (I'm sure the *aggregate* take is well
over that, but what *single entity* is seeing that magnitude losses?)


Although we all see lots of attempts at phishing and it gets lots of 
press coverage, it is very small compared to regular credit card and 
bank fraud which happens all the time. According to a study which I 
recently read (I wish I could remember where) phishing accounts for 
less than 1-2% of all banking and credit card fraud in the US.


-Robert



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Philly Carrier Hotels?

2006-04-28 Thread Robert Boyle



Hello all,

Is  401 West Broad in Philadelphia equivalent to 1 Wilshire, 60 
Hudson, 165 Halsey, 55 Market Post Tower, the Westin Building, etc? 
or is it much smaller? I have been given this address as THE carrier 
hotel for the Philadelphia area by one of our fiber providers. I 
would appreciate it if anyone who is familiar can give me any 
additional info. I need to build out a new POP in PA in May and I 
want to be in the right building. All suggestions are welcome. I 
really like TelX and Telehouse models with lots of carriers and no 
MRC on x connections. I'll gladly buy you a Philly cheesesteak when 
I'm there for any advice or info you can provide. Thanks!


-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: data center space

2006-04-21 Thread Robert Boyle


At 06:51 AM 4/21/2006, you wrote:

On Tue, Apr 18, 2006 at 09:34:41AM -0700, Philip Lavine wrote:
>
> Can someone tell me if I am out of luck. I am trying to get a
> 10x10 cage in New Jersey (Jersey City area) but it seems everybody
> is at capacity. What happened?


My guess (this being NJ) is an aftereffect of the 9/11/2001 disaster.
By five years after, most companies who could be affected by such an
outage may have relocated a continuing-operations set of machines to one
or more colo data centers.  I don't know why the data centers would not
have expanded to meet the influx, though.


I think most of us have expanded. :)  I know Focal/Broadwing has 
space in Jersey City at 1 Evertrust Plaza. Joe, I know you aren't the 
original poster, but I'm hoping he or she is still reading this thread too.


-Robert



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: Is your ISP Influenza-ready?

2006-04-17 Thread Robert Boyle


At 09:50 PM 4/17/2006, Christopher L. Morrow wrote:

How about this idea... are your corporate VPN services (assuming there is
one aside from 'ssh to the bastion host' of course) prepared to
double/quadruple/more-uple their normal concurrent user counts? During the
fallout of Katrina we observed this being a problem for some of the
corporations in region :( I know that quite a few folks plan for 50% or
less of their employees to be 'dialed in' :( If 100%, or some majority,
how do the corp folks plan on supporting that? :(


I don't know about the rest of the country, but in the northeast, 
there are MANY days during the winter when only a couple of people 
can make it to our office and a number of our clients have the same 
situation. On those days at Tellurian, everyone who can't make it in 
works from home. It is completely transparent to our clients. People 
in NJ may understand if we have a blizzard, but our clients in CA 
don't care and expect the same level of service. As an ISP/ASP, we 
have the bandwidth, phone lines, and VPN concentrator capacity 
available for our own use, but what about your clients who may only 
use their connection for email and web access and a few road warriors 
and sales folks normally. Perhaps 200-300 people can share a T1 with 
light to moderate use in one office, but with 200+ people connecting 
back in via VPN, a T1 isn't going to cut it. Scale up or down DSL to 
OC3 based on the client. I don't think it is something people design 
for and I know it isn't something most clients will pay for until 
they need it and don't have it. Then they will want more bandwidth 
installed immediately.


-Robert



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: AT&T: 15 Mbps Internet connections "irrelevant"

2006-04-01 Thread Robert Boyle


At 02:02 PM 4/1/2006, you wrote:
Could be either.  Did you happen to catch the woman from Verizon at 
the last NANOG who was sure parts of New Orleans were 2 miles below 
sea level? Maybe that was a really early AFJ.


Maybe it's the lost city of Atlantis or maybe she was confused about 
meters vs. miles. She does work for Verizon...


-Robert

btw-We all know Atlantis is really in the Pegasus galaxy now and not in NOL. ;)



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



RE: Fire in bakery fries fiber optic cable

2006-03-27 Thread Robert Boyle


At 11:37 AM 3/27/2006, you wrote:

Speaking of Backhoes, there was a picture I had saved at one point,
can't find it now, maybe someone else has it..

It shows a backhoe, half-fallen down into a hole, on fire, huge tower of
flames coming up out of the hole. Sitting right next to the hole (this
picture was pre-popularity of photoshop, so I assume it to be legit) was
a big sign that said "Natural Gas Pipeline, do not dig".


It was posted on underspace.

http://www.underspace.com/UFM_files/photographs_page.php

I don't see that photo there anymore, but it is a classic! :)

-Robert




Anyone who has this picture, email me offline.

-donn


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: [c-nsp] Which IOS do *you* use?

2006-03-21 Thread Robert Boyle



Sorry folks,

I'm up too late. I replied to the wrong list! Have a good night everyone.

-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: [c-nsp] Which IOS do *you* use?

2006-03-21 Thread Robert Boyle


At 05:29 PM 3/20/2006, you wrote:

I've got a customer running a few 3660s with 12.2.29 on them. We
went back to 12.2.29 because we saw all sorts of evil stuff with 12.3.16
on our test box - we'd drop all BGP sessions and end up with half a
dozen obviously foreign prefixes listed as directly connected. The 12.2
train shows none of this sort of stuff.

   I touch BGP on 3660s, 7200s, and 7500s and this is a common theme -
the customers I have are sticking to the 12.2 train. Is anyone seeing
different trends than this? I'd be curious to know if there are certain
12.3 versions that act better than others, etc.


We run mostly on 7200s. 12.3 definitely still has some bugs. Esp. 
with odd things like directly connected routes and networks 
disappearing from the routing table when using CEF - at least until 
you globally disable and re-enable CEF. However, there are some 
scenarios where we have to use the 12.3 train. We run 12.2(20 
something) wherever possible. We have some customers running super 
new gear with 12.4T. Craziness I say! I'm not directly involved with 
those clients at all, but I certainly wouldn't want to run that in 
production yet. :)


-Robert



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: Presumed RF Interference

2006-03-05 Thread Robert Boyle


At 06:20 PM 3/5/2006, Steven M. Bellovin wrote:

What might be useful -- ask an EE, not me -- is a circuit with an
isolated ground.  In that case, the ground wire from the power plug is
routed all the way back to the breaker panel, and isn't connected to,
say, the local electrical box that the cord is plugged into.  I've seen
computer equipment wired that way in the past.


In the US, the NEC code states that the only place a neutral and a 
ground should be bonded together is in the primary service entrance 
facility or where the neutral is created. All subpanels will have 
isolated grounds and neutrals. If you have three phase service and 
use a delta (wye without the neutral) to wye transformer to create 
the neutral, the neutral will be bonded to ground inside the 
transformer cabinet. Eliminating the neutral is typically done to 
save money when converting 277/480V to 120/208V (no neutral means a 
reduced conductor count inside the conduit so smaller conduit can be 
used since the extra copper for the neutral is eliminated on the 
input side.) All grounds must be connected to the first metal box or 
conduit they touch. If you are using plastic boxes with Romex, your 
grounds will go all the way back to your subpanel ground bar which will 
not meet the neutral until the main breaker panel. More often in a 
datacenter environment or a commercial facility, the wiring will be 
BX under a raised floor or BX or EMT with THHN overhead. Either way, 
the ground is connected inside the outlet box and wired directly back 
to the breaker panel. The bonding in the box is to ensure there is no 
voltage potential carried on any metal conduit. My NEC book is at the 
office now and I'm home, but I'm pretty sure everything I have stated 
from memory is accurate.


-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: The Backhoe: A Real Cyberthreat?

2006-01-19 Thread Robert Boyle


At 12:01 PM 1/19/2006, you wrote:
This is really stupid. Assuming the terrorists actually have the 
dozens of backhoes needed to completely erase meaningful internet 
connectivity in north america, they would probably prefer to use them 
to smash cars and kill people on the interstate highways or something.


Terrorists inflict terror by killing people, not by forcing internet 
explorer to display "page cannot be displayed".


Let us not assume that murderous terrorists are as dumb as people in DHS.


Agreed. However, if you disappear now, we'll know why! :P

-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: Intradomain Traffic Engineering

2006-01-17 Thread Robert Boyle


At 12:06 AM 1/18/2006, you wrote:

(snip)
wrong prediction, the technique suffers very high MLU (as high as 140%).
Basically, I have the following two questions:
1. In the traces I have, there exist several intervals with a 
huge, sudden increase of traffic on some links. The prediction 
model I use cannot predict those 'big spikes'. Do these 'big 
spikes' really happen in operational networks? Or are they merely 
measurement errors? If they really happen, is there a gradual ramp 
up of traffic in smaller time scale, say, on the order of tens of 
seconds? Or do these 'big spikes' really occur very quickly, say, 
in a few seconds?


Nobody can predict them so you build your network with excess 
capacity from an overhead standpoint as well as a link standpoint. 
Here are several reasons for variation and unpredictability. This is 
not a comprehensive list and I'm sure others will add to it.


CNN or other major network coverage including major advertising events - super bowl, victoria's secret show, etc. (10s of seconds)

SQL Slammer / Code Red / Nimda / or other major fast moving outbreaks (10s of seconds - maybe. We saw the spread of SQL slammer within 2 seconds to many unmanaged colo customer machines)

depeering of any two or more large networks or routing mistakes or flapping thus dampening (a few seconds to 10s of seconds to hours)

major provider outage which moves flows to other paths (a few seconds to 10s of seconds)

fiber cuts / regional power outages (a few seconds to 10s of seconds)

significant events such as 9/11 & Katrina (a few seconds to many hours)

2. I have the option to make a tradeoff between average case 
performance and worst case performance guarantee, but I don't know 
which one is deemed more important by you. Are ISP networks 
currently optimized for worst case or average case performance? Is 
the trade-off between these two an appealing idea, or may the ISP 
networks are already doing it?


Each ISP makes their own decisions based on their business needs, 
budgets, and promised SLAs to customers


-Robert



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: WMF patch

2006-01-05 Thread Robert Boyle


At 12:54 PM 1/5/2006, you wrote:
Thanks Thomas, something really useful. One thing I am still curious 
about, I read that there were other image formats can be used in an 
exploit, GIF, .BMP, .JPG, .TIF  can also be used, according to 
F-Secure. I find this a little confusing, if that dll only deals 
with WMF file type then the exploit must not be directly connected 
with that dll Or does that dll handle all of those as well?


But then I found this http://www.pcworld.com/howto/article/0,aid,119993,00.asp

Which makes sense. The way a lot of things I have been seeing go on 
about this they act like WMF is the only format of issue and that 
obviously is not at all true. I would have more likely ignored this 
if it really was only WMF files and the MS patch a week or so away.


I believe Windows uses the file header/descriptor data as well as or 
instead of the extension to know how to handle images. Otherwise, 
simply renaming/blocking all WMF files would result in an effective 
mitigation method.


-Robert



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: Bogon stupidity... warning... operational post.

2005-12-22 Thread Robert Boyle


At 12:56 PM 12/22/2005, you wrote:
P.S. 204/8 was not the only problem, there were problems with 128/8 and
133/8 as well so my apologies to people who may have noticed problems
overnight.


199.128.0.0/9 too.

-Robert



Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: Networking Pearl Harbor in the Making

2005-11-07 Thread Robert Boyle


At 08:52 AM 11/7/2005, you wrote:

On Mon, Nov 07, 2005 at 06:43:35AM -0500, J. Oquendo wrote:
> the center of the information security vortex. Because IOS controls the
> routers that underpin most business networks as well as the Internet,

I think in general this is an argument against converged networks,
the added complexity and outages may not be worth the gains..


It is an argument for proper patching policy and procedures. There is 
no zero day exploit for this exploit and to my knowledge, there 
hasn't been one yet which came out at the same time as the advisory 
for ANY major vendor although the window is shrinking. All worms and 
other exploits which have achieved press coverage and caused major 
network disruption would have been avoided by proper patching. All of 
our network is now patched for the latest Cisco advisory. We were 
already running fixed code on a few routers when the advisory came 
out so we knew the code was stable and moved to it on all other 
boxes. I understand that not everyone can act as quickly as we do, 
but to delay patching indefinitely until the problem occurs - for 
"stability" reasons is not the solution either. Better code is part 
of the solution and teaching and enforcing proper programming 
techniques to create secure code in the first place are just part of 
the solution. Getting people to install (so far) secure code is 
another bigger problem which can be solved today. I think all the 
major vendors are aware of the extent of the problem and are making 
their systems more secure by auditing their existing code more 
thoroughly as well as teaching their programmers to code securely in 
the first place.


-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: Turkey has switched Root-Servers

2005-09-28 Thread Robert Boyle


At 03:32 PM 9/28/2005, Paul Vixie wrote:


> PS. Is there some sort of secret net.kook cabal which I was not aware of?

i thought this (nanog) was it.  maybe i'm not in the loop, though.
--
Paul Vixie


Paul,

That's the _secret_ part! ;)

-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Apologies...

2005-09-27 Thread Robert Boyle


...for the terrible grammar and incomplete sentences in the message I just 
sent. It was the result of replying to a post while performing other tasks 
and not taking the time to properly proofread before hitting send.


-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: Turkey has switched Root-Servers

2005-09-27 Thread Robert Boyle


At 10:39 PM 9/27/2005, you wrote:

Actually, I think you've got it backwards. .us and all of the other
country-specific TLDs are the last vestiges of nationalism.  The
Internet is only the second piece of truly global infrastructure.  As
a key component in the ongoing trend towards a unified global
administration, we should do what we can to encourage cooperation and
equality across borders, not intensify their differences.


Well said! Other than government entities, I never understood why anyone 
would want a country specific name. Tellurian Networks provides the same 
services to our clients in AU as we do to those in DE and PK and those in 
the US of course (where we are located.) I don't want 200+ domain names and 
I don't think Cisco, Sun, Microsoft, or any other companies do either. When 
I look for a company, I don't care or need to know where they are located 
most of the time - unless I am ordering a pizza, but that is a different 
story... Communities of interest - such as my personal favorite 
356registry.org are global in scope and by their very nature! My $0.02 and 
contribution to the non operational noise on nanog today.


-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: TIA-942 Datacenter Standardization

2005-08-31 Thread Robert Boyle


At 10:20 PM 8/31/2005, you wrote:
Eesh... I grabbed a copy of this thing. In a cursory over-read... I am 
afraid if people (people defined by lim(clue) -> 0) start implementing 
datacenters by this guide. This would be a BRILLIANT document as the 
reading material for a college-level course. However, I'd be concerned if 
a CxO reads this and assumes they are great if the document has no 
conflicts with their implementation and they think they are in good shape.


Before I comment publicly on the issues I think I have with it, I want to 
verify that the points I raise aren't covered in some sort of disclaimer 
about being "out of scope" etc.  Essentially 90% of the conversations 
folks have on nanog about datacenter designs are outside of what this 
advocates building (in a very cursory overread).


We have already been asked about where our datacenters fit in with the 
TIA942 spec in several RFPs! It does cover some good topics, but it also 
leaves out the design and structure of many things which are far more 
likely to cause an outage than the copper and fiber physical plants.


-R


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: as numbers

2005-07-31 Thread Robert Boyle


At 10:51 AM 7/31/2005, Joe Abley wrote:
I agree that implementation sooner rather than later is a good idea, but 
all of us already have a 2-Byte AS so although we care in theory and 
believe it is a good idea, we don't _really_ care as much as the first 
guy who gets a 4-Byte AS will.


The first guy who gets a 4-byte AS number is going to be one of our 
customers. If we want to be able to talk BGP with him, we need 4-byte AS 
number support in our edge routers.


I know, understand, and agree. He is going to be one of our customers, but 
he isn't us and the new 4-byte AS allocations aren't real yet either. I'm 
just saying that of all the things that we (nanog collectively, not just 
Tellurian) need our router vendors to do, this is on the list, but it isn't 
#1 or maybe even in the top ten. However, I would also rather have it 
BEFORE we need it. Is 2005 too soon for people to _demand_ it? Maybe...


ISPs who have an interest in continuing to win transit customers past 
2008/2009 should be interested in getting 4-byte AS number support, 
regardless of how many 2-byte AS numbers they already have. ISPs who plan 
to stop getting new customers don't need to bother :-)


Of course! I agree with you, but the point I'm trying to make is that I 
don't expect most ISPs to prioritize this feature with their vendors until 
about January 2008. That means we'll have buggy 4-byte AS code until about 
summer 2009. :P


-R


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: as numbers

2005-07-30 Thread Robert Boyle


At 01:12 AM 7/31/2005, you wrote:
This kind of response does have a certain market-based logic to it, I must 
admit, but it's highly risky. I don't think it's all that wise for this to be 
delayed indefinitely until the point at which it's turning from an orderly 
transition into a last second panic, and I don't think that many customers 
will place this high on their vendor support priority list until they are 
actually allocated a 4-byte AS number because the 2-byte pool has been 
exhausted.


So - to NANOG at large - if you want your vendor to include 4-Byte AS 
support in their BGP code anytime soon, in order to avoid some last minute 
panic in a couple of years hence, then it would appear that you should 
talk to them now and say clearly that you want 4-Byte AS support in your 
BGP software right now.


I agree that implementation sooner rather than later is a good idea, but 
all of us already have a 2-Byte AS so although we care in theory and 
believe it is a good idea, we don't _really_ care as much as the first guy 
who gets a 4-Byte AS will. Eventually one of our BGP speaking transit 
customers will be assigned these AS numbers and other newer providers will 
too, but unless someone plans to chop up their network or split into two 
companies, I don't see that there will be much clamoring for this - yet. 
When we can't provide connectivity to a potential customer because we can't 
accept or wrap up their 4B AS, then there will be demand. Just some food 
for thought...


-R


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: NETGEAR in the core...

2005-07-30 Thread Robert Boyle


At 11:32 PM 7/30/2005, Henry Yen wrote:


On Sat, Jul 30, 2005 at 10:11:28AM -0400, Robert Boyle wrote:
> >I'm interested in people's experiences with consumer-grade routers
> >functioning in non-NAT mode; that is to say, running PPPoE to the ISP
> >and routing a /29 or a /28.  A sane filtering language and stateful
> >firewall that can operate in non-NAT mode is a plus.

> http://www.cyberguard.com/products/firewall/SG_Family/

I think linux runs inside those.  Vendor-supplied, yes, but if the OP
wants to avoid linux altogether...


That's correct. It is claimed to be quite hardened. We have around one 
hundred of their 550 and 575 boxes deployed and they seem to work pretty 
well although I prefer the PIX. The SG can do much more, but the PIX does 
what it does better.



No personal experience, but could a LinkSys/WRT45g with
custom linux load be even cheaper?


Probably.


Can a cisco 1600 run PPPoE?


I've never tried it, but if they can run 12.2, they should do PPPoE.

R


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: NETGEAR in the core...

2005-07-30 Thread Robert Boyle


At 09:41 PM 7/30/2005, Robert E.Seastrom wrote:

OK, not really "in the core", but the subject made you look at least.  :)


That's for sure! ;)


I'm interested in people's experiences with consumer-grade routers
functioning in non-NAT mode; that is to say, running PPPoE to the ISP
and routing a /29 or a /28.  A sane filtering language and stateful
firewall that can operate in non-NAT mode is a plus.


Have you looked at the cheaper (<$200) Netopia routers which have built in 
hardware IPSec, stateful inspection, and reasonably useful packet filtering 
capabilities? We also use and like the CyberGuard SnapGear series of 
routers which are cheap, fast, and reliable and the PIX501 is a great basic 
firewall for low traffic loads. Here are some links:


http://www.netopia.com/equipment/products/3000/3300_bus.html

http://www.cyberguard.com/products/firewall/SG_Family/

The 1721 is a good little box, but not in the same range with throughput 
(too low) or price (too high.)


We have used NetGear's little 5 port switches for smaller colo clients, but 
their routers are too flaky to deploy to customers. Linksys is the same 
way. They work great 99% of the time, but every once in a while they have 
to be power cycled for some unknown reason. Good luck with your search!


-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: Cisco IPv6 Exploit, was Re: 6to4 routes disappeared from most of North America

2005-07-29 Thread Robert Boyle


At 11:20 PM 7/29/2005, you wrote:

Naah.  My money's on laziness; it's usually the case.  8-)


Never attribute to laziness that which can be explained by incompetence. :)

R


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: mobile user strawman argument

2005-06-30 Thread Robert Boyle


At 05:02 PM 6/30/2005, you wrote:

>   Of course, if you're going to do this, you should also be doing
> at least SMTPAUTH and preferably TLSSMTP, but then again many clients
> are broken and don't support these technologies or don't support them
> correctly.

Or you support POP AUTH, which just works, is in widespread use (probably
the most widespread of the methods of authenticating the submit port after
allowing relaying by IP), and was implemented years ago when open relays
were closed.


We support all of the above - including only authenticated submit port use. 
I don't really understand the religious discussion of which protocols 
should be supported and which should not be. Support them all and let your 
customers decide which ones work for them based on their particular 
circumstances at the time and the network they happen to be using.


-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: ISP phishing

2005-06-28 Thread Robert Boyle


At 10:30 PM 6/28/2005, Paul Wouters wrote:

I applaud his move, and wish more groups did the same.


It would have been better if he had just installed SPF, and published DNS
records for his own domain, and rejected them based on that. Then other
people receiving forged emails with his domain would also be able to just
drop those emails.


Of course we already do this! Dig before you speak. :) However, we do not 
filter our customer's email unless they turn on filtering. We tag 
everything including SPF failures and customers can turn on rejection based 
solely on SPF failures if they want, but that still doesn't help our users 
who haven't turned on filtering. Our "admin|root|support|etc" filter 
previously mentioned in this thread does. We do not have any ethical 
problem filtering those messages since they are impersonating us. We 
wouldn't presume that any other mail should be filtered unless a customer 
requested for us to do so.


-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: ISP phishing

2005-06-28 Thread Robert Boyle


At 05:17 PM 6/28/2005, Mark Tombaugh wrote:

On Thu, 2005-06-23 at 09:54 -0400, Robert Boyle wrote:
> we enabled a global rule which blocks
> any email from accounts such as billing, root, postmaster, antivirus,
> abuse, security, etc. which don't originate from our management IP space
> where our people work. As a result, we have stopped these phishing scams
> for our users dead in their tracks.

You sound so sure about that... Am I missing something?



From: E-gold Safeharbor Department <[EMAIL PROTECTED]>
Subject: Attention! Your account has been violated!

From: "SOUTHTRUST" <[EMAIL PROTECTED]>
Subject: SouthTrust Bank: important account notification



We have stopped the phishing which looks like it is from us 
(tellurian.net/tellurian.com/garden.net). Not from "their" bank, paypal, 
ebay, credit card companies, etc. Our main concern was with messages which 
looked like they were from [EMAIL PROTECTED] telling people there was a 
problem with their email and they have to run this file or a problem with 
their account payment from [EMAIL PROTECTED] and the details were in 
the attached file. To the novice user, it may look legitimate since we are 
their ISP and with that comes a certain amount of trust - despite the fact 
that we would never send files to our customers and tell them to run them. 
However, the spoofed messages from us have completely stopped now. The 
regular phishing scams continue, but SPF does help with this if the 
customers have turned it on for their account. Unfortunately, the customers 
smart enough to turn it on usually won't be suckered by phishing scams in 
the first place.


-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: rackmount DC power inverters?

2005-06-25 Thread Robert Boyle


At 03:16 AM 6/25/2005, you wrote:

I have no idea if this is on or off topic (apologies if the latter).

Right now we're running 48 1u servers in a cabinet off AC.  We're 
considering switching to DC power supplies with the hope that any cost 
increase in the power supply and rectifier would be more than offset by 
the cost savings in electrical and cooling.


Maybe I'm missing something, but I don't expect they will generate any less 
heat nor will your electric bill go down. Modern switching power supplies 
are very efficient. A DC power supply would either use a linear regulation 
circuit which is less efficient or using a DC-DC converter which is simply 
a switching power supply again to convert the -48VDC into the +/-5VDC and 
+/-12VDC needed by your servers internally. I suspect that if anything, the 
additional DC supplies combined with the loss in efficiency of the 
AC-DC-AC-DC conversion vs. AC-DC will produce more heat and use more 
electricity. Set up a DC power supply on the bench and set up an AC supply 
too. Measure the number of watts used in both cases. Make sure the 
computers are processing the normal workload. DC-DC converters rise from 
40-50% efficiency to near 90% when they are at or near full design power 
output. The efficiency of the CPU, HDDs, etc. will remain the same so any 
variation is due to power supply efficiency differences. More power in with 
the same work out = more heat generated! Also factor in the efficiency loss 
of the DC rectifier you want to buy. If I am off-base here, I welcome any 
differing opinions. Matt, please let us know what your experiment tells 
you.


-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: ISP phishing

2005-06-24 Thread Robert Boyle


At 10:41 AM 6/23/2005, you wrote:

We did as well, but we did not yet find a solution for legit bounces..
it naturally breaks that.


I've been thinking about what you said, but I can't imagine a scenario in 
which this would affect bounce delivery to or from our admin-type 
addresses. Incoming bounces would be from <> and to [EMAIL PROTECTED] 
Outgoing bounces would be from <> and to [EMAIL PROTECTED] We only block 
mail sent with the from as one of our admin addresses when it was not sent 
from our management / customer service / noc address space. If there is a 
problem which this creates which I haven't thought of, please explain since 
I would like to eliminate the problem or be aware of it if elimination 
isn't an option.



It's a temporary solution to what I see that is going to become very big.


x% of people are stupid and will never cease to be stupid. Provided these 
users are easy enough to reach, they will continue to open naked pictures, 
free pirated software emailed to them, password protected zip files with 
really important executables, antivirus "cleaners", microsoft updates from 
[EMAIL PROTECTED], 'You gotta see this!' IM URL links from friends, etc. 
My goal is not to stop stupid people from infecting themselves, but to stop 
our users from thinking WE infected them by eliminating the one threat 
vector over which we have absolute control and hence responsibility in the 
eyes of our customers. "Why did you allow someone to send mail as 
[EMAIL PROTECTED] to my account if it had a virus in it?"


-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin



Re: ISP phishing

2005-06-23 Thread Robert Boyle


At 05:37 AM 6/23/2005, you wrote:

Hi guys. I notice a large increase in recent weeks of ISP directed
phishing - largely because of worms moving backward to using the user's
own domain for the spam, but not just in the from: address.

I believe this started out as a "let's feel this out" or "wow, that
worked, let's phish ISP's directly too". I now have several reports that 
point to this becoming a serious problem.


Old with a spark of new, but definitely a problem.

Anyone else dealing with this?


Due to the huge number of variants in the wild, our AV software can't keep 
up (probably nobody's can). Instead, we enabled a global rule which blocks 
any email from accounts such as billing, root, postmaster, antivirus, 
abuse, security, etc. which don't originate from our management IP space 
where our people work. As a result, we have stopped these phishing scams 
for our users dead in their tracks.


-Robert


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin

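The sender rule described in this thread, written out as a decision function. This is an added example, not Tellurian's actual filter; the management ranges are documentation-space placeholders, and checking both the envelope sender and the From header is an assumption.

```python
import ipaddress
from email.utils import parseaddr

# Domains and role accounts are the ones named in the thread.
OUR_DOMAINS = {"tellurian.net", "tellurian.com", "garden.net"}
ROLE_ACCOUNTS = {"billing", "root", "postmaster", "antivirus", "abuse",
                 "security", "admin", "support"}
# Assumption: placeholder management ranges (RFC 5737 / RFC 3849 documentation space).
MGMT_NETS = [ipaddress.ip_network("192.0.2.0/24"),
             ipaddress.ip_network("2001:db8:100::/48")]


def is_role_address(addr):
    """True if addr is one of our role accounts at one of our domains."""
    _, email = parseaddr(addr or "")
    if "@" not in email:
        return False  # covers the null sender "<>" carried by bounces
    local, _, domain = email.rpartition("@")
    local = local.lower().split("+", 1)[0]  # treat billing+x as billing
    return domain.lower().rstrip(".") in OUR_DOMAINS and local in ROLE_ACCOUNTS


def from_management(client_ip):
    """True if the connecting SMTP client sits inside the management ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in MGMT_NETS if net.version == ip.version)


def verdict(client_ip, mail_from, header_from):
    """Return (action, reason) for one message seen at the inbound MTA."""
    if from_management(client_ip):
        return "accept", "management address space"
    for label, value in (("envelope sender", mail_from),
                         ("From header", header_from)):
        if is_role_address(value):
            return "reject", f"{label} claims a role account from outside management space"
    return "accept", "not a role-account sender"


# Constructed sample messages: (client IP, envelope sender, From header).
SAMPLES = {
    "forged_support": ("203.0.113.45", "support@tellurian.net",
                       "Tellurian Support <support@tellurian.net>"),
    "real_billing": ("192.0.2.10", "billing@tellurian.com",
                     "billing@tellurian.com"),
    "remote_bounce": ("198.51.100.7", "<>",
                      "Mail Delivery Subsystem <MAILER-DAEMON@mx.example.org>"),
    "customer": ("198.51.100.7", "alice@tellurian.net", "alice@tellurian.net"),
    "bank_phish": ("203.0.113.45", "x@example.net",
                   "SOUTHTRUST <service@example.net>"),
    "forged_null_envelope": ("203.0.113.45", "<>", "ROOT@Garden.NET"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:22s} {verdict(*msg)}")
```

The `remote_bounce` and `bank_phish` cases show the two limits discussed in the thread: bounces with a null sender pass untouched, and phishing that impersonates a third party is outside what this rule covers.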


Re: FCC To Require 911 for VoIP

2005-05-01 Thread Robert Boyle

> How about an anycast address implement(ed|able) by every network
> provider that would return a zipcode?
>
> $ telnet 10.255.255.254
> Connected
> 33709
> Disconnected.
> $
>
are you -REALLY- arguing for the return of "finger" ??
--bill

Not finger, but something like this could work. The server would return the 
physical address of the customer of record assigned that IP address. Kind 
of a uni-directional rwhois. The VoIP phone could connect to the anycast 
address and the ISP would look up the allocation for the connecting IP and 
return a text string with the physical service location. The VoIP provider 
would be handed this location as part of the SIP registration (or other 
proprietary protocol used). In the event of a 911 call, the phone may check 
the location again to make sure the address of record/IP address hasn't 
changed before the registration expires. This would work fine for all 
customers except those who are mobile and served by a wireless base station 
which serves a large geographic region. If the provider was using some type 
of authentication before handing out IP addresses (I think most probably 
are) they could at least hand out the serving wireless AP location - some 
of the newer adjustable directional APs could even be modified to give an 
approximate relative location. I doubt that VoIP will be exempt from 911 
regulations forever as much as I would like to see that. In lieu of the 
regulatory state going away, it makes sense to come up with a workable 
technology solution which is easy for IP providers and VoIP carriers to 
implement. VoIP providers could recommend IP transit players who support 
IP911 location services. Once it becomes a competitive advantage, the smart 
players will quickly adapt their systems to support IP911. I think we could 
do this within a couple of days with a few hours of coding. It isn't 
terribly difficult to set up. Those providers who don't use a centralized 
database for provisioning and IP allocation would definitely have a harder 
time, but it could still be done with some effort. The extra message 
elements of the SIP registration message could be used immediately once a 
standard is decided upon much as the TXT DNS records have been used for SPF 
records to fight email forgery.

-Robert
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin


Re: djbdns: An alternative to BIND

2005-04-09 Thread Robert Boyle
At 07:32 PM 4/9/2005, you wrote:
David Conrad wrote:
- Amount of code
Again, what should be counted?  Should you include rsync?  Should you 
include utility programs like check-namedconf, axfr-get, rbldns, walldns, 
walldns-conf, etc.?

You need only count the lines of code needed by the daemon/s
servicing requests.  That is, IMO, bind's only major failing.  Too
much code, too many little used features (nobody I know needs or
wants rndc), and no way to compile without them.  If you read Bruce
Schneier, as every developer should, you know how important that
"Amount of code" is.

How do you add zones to your servers? We certainly don't connect to a shell 
on all of them for simple configuration tasks. Network shares and rndc make 
short work of most DNS tasks.

rndc -s ns1 reconfig
and
rndc -s ns1 reload zone.com
are the two most frequently used DNS tools used by our support staff. For 
automated tasks, writing a zone file to disk from the database on change 
and issuing an rndc reload is very useful.

On the djb vs. BIND debate, for database driven zones, just output BIND 
format files (or djb if that floats your boat) from your database. Calling 
the actual zone files the "database" doesn't make sense anyway. If you 
manage your information well, the file format of the server application 
doesn't really matter. The security, performance and standards compliance 
matter most - to us anyway.

-Robert
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin


RE: Cisco to merge with Nabisco

2005-04-01 Thread Robert Boyle
At 01:09 PM 4/1/2005, you wrote:
On Fri, 1 Apr 2005, Church, Chuck wrote:
Incorrectly chosen switching path can now result in lost packets AND
indigestion.

Is this mitigated by activating Nabisco Express Forwarding?

That would be really bad! You would almost immediately gain 300lbs if you 
enabled NEF! The path goes from process switched to almost 100% efficient 
switching path for the energy from the cookies, crackers, and other goodies 
directly to your fat cells. You have been warned. COS (Cookie Operating 
System) 14.5(T)XB7 should resolve that bug though and allow full pleasure 
with no path to the fat cells. DO NOT try to eat any cookies from anyone 
other than NaCisco at the same time though. There may be compatibility 
problems...

-R
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin


Re: Cisco to merge with Nabisco

2005-04-01 Thread Robert Boyle
At 11:45 AM 4/1/2005, you wrote:
Priceless. ;-)
The Register:
Published Friday 1st April 2005 15:22 GMT
"Cisco Systems and Kraft Foods shocked investors today
with an unlikely mega-acquisition that will see Cisco
buy Kraft's Nabisco unit for $15bn. Perhaps even more
surprising, former RJR Nabisco and IBM CEO Lou Gerstner
has come out of retirement to head the new firm
tentatively called NaCisco."
http://www.theregister.co.uk/2005/04/01/cisco_buys_nabisco/

Brilliant move Cisco! This should give Cisco a keen and unprecedented 
insight into the inner workings of the cracker culture which will enable 
better network security.

-Robert
I know it's terrible, but I just couldn't help myself! ;)
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin


Re: Verizon wins MCI

2005-02-14 Thread Robert Boyle
At 11:45 PM 2/14/2005, Christopher L. Morrow wrote:
uhm, thats the '70 billing departments' ... or so said the SEC's info
about how many billing systems were 'integrated' during the
bernie-dynastic-times.

I remember reading in IT Week or Infoweek or some other trade rag that they 
had over 2400 software packages used for billing and provisioning and they 
were going to reduce that down to 1500 within 10 years! We have never 
gotten a correct bill from MCI - ever! In over 10 years of dealing with 
them and their divisions - MFS, UU, WCom, etc. After C&W took over MCI's 
network in the mid 90's, their billing department took a couple of months 
to grasp the enormity of the problem. Once they did, they made changes and 
the C&W bills were always right after that. :) That is an enormous project...

-Robert
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin


Re: radius question

2005-01-21 Thread Robert Boyle
At 06:14 PM 1/21/2005, you wrote:
are authentication packets between routers and radius
servers encrypted or clear-text?

All clear text, but passwords are sent as an MD5 hash which is the result 
of a shared secret on both the radius server and the router.

-Robert
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Well done is better than well said." - Benjamin Franklin

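What an on-path observer sees in the exchange asked about above, following the User-Password hiding defined in RFC 2865 section 5.2. This is an added example, not part of the original message; the shared secret, authenticator and credentials are constructed.

```python
import hashlib
import struct

# Constructed sample values (not from the thread).
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))  # Request Authenticator; random per request in practice
USER = b"nemo"
PASSWORD = b"correct horse battery staple"  # 28 bytes, so two 16-byte blocks


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with MD5(secret + previous)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = _xor(padded[i:i + 16], mask)  # next mask chains on this output block
        hidden += prev
    return hidden


def reveal_password(hidden, secret, authenticator):
    """Server side: the same keystream, chained on the received blocks."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += _xor(hidden[i:i + 16], mask)
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def _attr(attr_type, value):
    return bytes([attr_type, len(value) + 2]) + value


def build_access_request(user, password, secret, authenticator, ident=1):
    """Code 1 (Access-Request) with User-Name (1) and User-Password (2)."""
    attrs = _attr(1, user) + _attr(2, hide_password(password, secret, authenticator))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs))
    return header + authenticator + attrs


def parse_access_request(packet):
    """Return (code, authenticator, {type: value}) exactly as a sniffer would see it."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return code, packet[4:20], attrs


if __name__ == "__main__":
    pkt = build_access_request(USER, PASSWORD, SECRET, AUTHENTICATOR)
    _, auth, attrs = parse_access_request(pkt)
    print("User-Name on the wire:    ", attrs[1])        # readable as sent
    print("User-Password on the wire:", attrs[2].hex())  # hidden, not encrypted transport
    print("Recovered with the secret:", reveal_password(attrs[2], SECRET, auth))
```

Only the User-Password attribute is masked; the user name, the authenticator and every other attribute travel readable, so the protection rests entirely on the strength and secrecy of the shared secret.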

Re: website to display AS No and ip info also

2004-10-13 Thread Robert Boyle
At 03:19 PM 10/13/2004, you wrote:
Is there any websites to provide the information
about AS no and IP?
When typing the AS no, it can display all the
information of the company
and IP belongs to this company also

http://www.fixedorbit.com/search.htm
Have fun!
-Robert
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey



Re: Cisco moves even more to china.

2004-09-25 Thread Robert Boyle
At 02:23 PM 9/25/2004, you wrote:
engagement is fair trade.  Laissez-faire economics was tried about 100 
years ago.  It resulted in the Great Depression and children dying of 
tuberculosis in the factories.  Why does anyone think it'll work today?

Curtis,
I tried to stay out of this since it isn't really on topic at all, but your 
statement above is so completely wrong that I can't let it pass without 
correcting it.

Actually, the Smoot-Hawley Tariff which was intended to be "fair trade" in 
your parlance CAUSED the Great Depression, NOT free trade. Some economists 
particularly those of the Keynesian school wrongly (imho) see the S-H 
Tariff as a result of the Great Depression rather than a cause. However, 
all parties agree that it did nothing but prolong the depression. Properly 
analyzing the facts and knowing the time which is involved in passing 
legislation and Hoover's promises to enact the tariff if he was elected 
caused the capital markets to dry up when it became evident that he would 
win and that the tariff would be enacted. The anticipation of the act was 
enough to scare away the smart money from the market which caused the stock 
market crash of '29. The depression lasted as a result of the tariff 
essentially killing trade between the US and the rest of the world. Those 
who fail to learn from history are doomed to repeat it!

Here are a few references for you:
http://www.state.gov/r/pa/ho/time/id/17606.htm
http://www.buyandhold.com/bh/en/education/history/2002/smoot_hawley.html
http://www.encyclopedia.com/html/H/HawleyS1m.asp
-Robert
btw- The good news is that Bush or Kerry will lose. The bad news is that 
the other one of them will win. :(


Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey




Re: T1 short-haul vs. long-haul

2004-07-21 Thread Robert Boyle
At 08:25 AM 7/21/2004, you wrote:
Normally in Europe when you order an E1 (G.703) connection the Telco delivers a
NTU (Network termination Unit) which normally is a (S)HDSL modem converting from
two-wire DSL to four-wire E1 electrical.  The cable between the NTU and the Router
is normally very short, a few feet/meters.

You can travel up to 655 ft. with a T1 cable from the NTU which the phone 
company will drop at your site. According to the letter of the specs, you 
are supposed to use "T1 cable" two 22AWG pairs individually shielded to 
prevent cross-talk. In practice, we have extended DMarcs up to 200-300 feet 
with regular Cat 3/4/5/6 cable and have never had any problems or out of 
spec. cross-talk as a result.

o How is this normally done in the US by the Telcos for T1 lines?

Same basic procedure, the telco will drop off a T1 smartjack (NTU) and you 
will plug your equipment into this box.

o I assume the difference between T1 short-haul and long-haul is the cable length.
  But what is it used for?  Is it still common to have long-haul T1 connections
  either within buildings or towards the central office of the Telco?  Would I be
  fine with buying short-haul-only interfaces in any common scenario?

Most modern equipment allows you to set the tx/rx gain on the DSU. We use 
mostly Cisco WIC-1DSU-T1 cards which fit into any 1600/1700/2600/3600/3700 
router and provide better diagnostic capabilities than older standalone 
DSUs. It is also nice to have a single box rather than two power cables and 
a serial cable to worry about at a remote site.

o What is "Wet T1 Capable"?  What is it used for and who needs this?

This is one of the "features" of the new WIC-1DSU-T1-V2. It seems that some 
DSUs can be powered by the telco remotely. In 15 years of working in 
communications, I've never seen this, but that doesn't mean it isn't used 
by some remote telco using old style T1 without HDSL or HDSL2 running over 
the line.

In almost all cases today, the T1 span itself will be powered from the CO 
and the smartjack will convert 2 HDSL pairs or one HDSL2 pair to a T1 
signal with distinct TX/RX pairs.

Does anyone else have more/better info?

o What else is important in dealings with US Telcos when ordering and using T1
  leased-line services?

If the service is available in your office areas, make sure to specify ESF 
framing and B8ZS encoding when you order the line. AMI is robbed bit 
signaling and will give you 24 56k channels instead of the 24 64k channels 
of B8ZS. The biggest problem is keeping after the carrier to actually 
install the circuit.

-Robert
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey



Re: VeriSign's rapid DNS updates in .com/.net

2004-07-09 Thread Robert Boyle
At 03:20 PM 7/9/2004, you wrote:
time.  After the rapid DNS update is implemented, the elapsed time
from registrars' add or change operations to the visibility of those
adds or changes in all 13 .com/.net authoritative name servers is
expected to average less than five minutes.

Very cool! Kudos! This is good news from Verisign on NANOG for a change. :) 
Does this also apply to domains with other registrars? From your message 
wording above, it appears that is the case which is great news. Does this 
apply to authoritative name server changes as well? Also, does this apply 
to customers who have had their domains suspended due to non-payment? That 
is always tough for our support desk to tell a customer they need to pay 
their bill to registrar X then wait 24-48 hours. If this will end that mess 
too, that's even better.

-Robert
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey



Re: IT security people sleep well

2004-06-07 Thread Robert Boyle
At 12:11 PM 6/7/2004, you wrote:
ever heard of multilayer security?

Absolutely and I am a huge believer in it and all of our systems and our 
network is designed with many layers of protection... which is why I am 
against running ssh AND leaving it open to the world since that leaves only 
a single layer of security. My point is simply that having SSH is a good 
tool, but I still don't think that having SSH relieves any of the other 
responsibility for proper network security.

some little problem somewhere that allows an attacker to sniff your
telnet traffic and you are d00med. that might be as simple as a routing
fuckup.

That would have to be a pretty major screwup.

You lose nothing with using ssh instead of telnet.
You win a lot.

I agree 100%. However, is that worth $x thousand more per IOS image? Maybe. 
Should it be included by default, yes.

ssh is a basic component for secure network management.
it is not the one magic piece that turns a collection of crap into an
ubersecure network of course, as some people seem to imply.

Exactly and that is my point. Especially when leaving SSH open to the world 
on all routers because it is "secure" is LESS secure than having secure 
passwords and ACLs and using telnet from the local LAN only. In an ideal 
world, you would have an ACL, a secure password, AND SSL.

not seeing the problem with cleartext telnet for remote logins in 2004,
wether ACL'd or not, is just ... oh man, I don't have words for this.
I see the theoretical problem with telnet, but in the real world, I think 
there are many other more basic security practices which should be focused 
on perhaps even before worrying about ssh for routers. How many people have 
a dictionary word as their password for SSH? How many times have you 
purchased a used router which was used by (insert big ISP here) and found 
the password to be a simple dictionary word - on multiple routers purchased 
from multiple ISPs. My only point is that there are many other things to 
worry about for building comprehensive security as part of a network than 
simply enabling a protocol for remote management. That should be one of 
MANY issues which should constantly be addressed.

R



Re: IT security people sleep well

2004-06-06 Thread Robert Boyle
At 07:14 PM 6/6/2004, you wrote:
> On the SSH/SSL front: IMHO these technologies give a false sense of
> security.  Sniffing cleartext management sessions is a concern, yes, but
> actual incidents where it occurs, especially within your own network
> infrastructure, are vanishingly rare compared to the commonplace compromise
> of individual hosts.  Creating a secure link between hosts is wasted effort
> at best if you can't trust the host at the other end of that link.

Agreed. I really truly don't see the problem with plaintext telnet
management of routers. We have access-lists on vty 0 15 specifying which
networks can even connect. We can't connect except for from a trusted
internal management network and I control all the routers and circuits in
the path. If someone is in the middle of one of my circuits doing some type
of dump of the data to disk, they are probably the NSA or CIA, and I've got
much bigger problems. Can someone please provide a situation where doing
this can lead to compromise or any type of problem at all? I just don't see
it. However, I see people having unpatched servers running without proper
ACLs every day and this is rarely discussed and as Stephen Sprunk points
out, a lot of people here on nanog don't apply bogon filters or even source
filter their customers - and this doesn't require a feature set upgrade to
IOS. (All of which we do, btw) So I'm still not convinced that SSL on
routers is needed. Nice, sure, but needed? no. Please convince me otherwise
if you feel this is such a hugely pressing need or at least explain your
position.

R
Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey
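
The layered setup argued over in this thread (an access-list on the vty lines plus an encrypted transport) can be checked mechanically. The following is an added example, not part of the original posts: a small auditor for IOS-style configuration text that flags vty lines with no `access-class`, with an ACL that permits any source, or with telnet allowed. The sample configuration is constructed, the function names are hypothetical, only numbered standard ACLs are handled, and a missing `transport input` line is assumed to allow telnet.

```python
"""Audit the vty lines of an IOS-style configuration (added example)."""
import re

# Constructed sample configuration, not taken from any real router.
SAMPLE_CONFIG = """\
hostname edge1
!
access-list 10 permit 192.0.2.0 0.0.0.255
access-list 20 permit any
!
line con 0
 login local
line vty 0 4
 access-class 10 in
 transport input telnet
 login local
line vty 5 10
 access-class 20 in
 transport input ssh
 login local
line vty 11 15
 transport input ssh
 login local
!
end
"""


def parse_config(text):
    """Return (acls, vty_blocks) parsed from IOS-style config text."""
    acls = {}     # ACL number -> list of (action, source) entries
    blocks = []   # one dict per "line vty" block
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        m = re.match(r"access-list (\d+) (permit|deny) (.+)$", line)
        if m:
            acls.setdefault(m.group(1), []).append((m.group(2), m.group(3).strip()))
            current = None
            continue
        m = re.match(r"line vty (\d+)(?: (\d+))?$", line)
        if m:
            first = int(m.group(1))
            last = int(m.group(2) or m.group(1))
            current = {"range": (first, last), "acl": None, "transport": None}
            blocks.append(current)
            continue
        if not line.startswith(" "):
            current = None  # any other top-level command ends the vty block
            continue
        if current is None:
            continue        # indented line that belongs to some other block
        sub = line.strip()
        m = re.match(r"access-class (\S+) in$", sub)
        if m:
            current["acl"] = m.group(1)
        m = re.match(r"transport input (.+)$", sub)
        if m:
            current["transport"] = m.group(1).split()
    return acls, blocks


def audit_vty(text):
    """Return a list of (vty range, finding) tuples, in config order."""
    acls, blocks = parse_config(text)
    findings = []
    for block in blocks:
        name = "vty %d-%d" % block["range"]
        acl = block["acl"]
        if acl is None:
            # Reachable from any source address: a single layer of protection.
            findings.append((name, "no-access-class"))
        elif acl not in acls:
            findings.append((name, "acl-undefined"))
        elif any(action == "permit" and src == "any" for action, src in acls[acl]):
            # Simplified heuristic: entry order and earlier denies are ignored.
            findings.append((name, "acl-permits-any"))
        transport = block["transport"]
        # Assumption: no explicit "transport input" means telnet is accepted.
        if transport is None or "telnet" in transport or "all" in transport:
            findings.append((name, "cleartext-telnet"))
    return findings


if __name__ == "__main__":
    for vty, finding in audit_vty(SAMPLE_CONFIG):
        print(vty, finding)
```
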



Re: Microsoft XP SP2 (was Re: Lazy network operators - NOT)

2004-04-19 Thread Robert Boyle
At 02:27 PM 4/19/2004, you wrote:
> >I can burn a CD from ISO in about 5 minutes - how about you?
> >I'm talking about XP users who haven't even updated as far as SP1.
> >Win98 users who have never run an update in their life...
> >Win2k users are usually the most patched up that I've seen - because
> >that went into mostly business environments.
> >
> >This would at least get them up to the level of the playing field,
> >where the routine updates are not as much of a hassle.  Sure, you'll
> >get the little old ladies and gentlemen who will drop by every month
> >for their service pack fix, but that's just customer service.
>
> Doesn't Windows XP automatically do this by default currently?
No, but it will ask you if you want to configure automatic updates.
That's still not going to do much for the dialup user who has to
download SP1.  And we're also talking about the majority of customers
who don't have WinXP - and won't be getting it.
http://v4.windowsupdate.microsoft.com/en/default.asp?corporate=true

You can download anything on Windows Update here. We make many of these 
update files part of our standard dialup install CD. Especially service 
packs. They aren't installed by default, but they are on the CD if they 
need them. No 24 hour downloads needed.

R




Re: UPS and generator interaction?

2004-03-29 Thread Robert Boyle
At 01:26 PM 3/29/2004, you wrote:
I'd be very grateful to hear of any solutions that you guys have come up
with in this arena.  Also, any recommendations for generators?  I'm not
looking for something huge, just something that can be mounted on a roof.
If I have to pour diesel into it every couple hours, that's fine too.
You need an automatic transfer switch. Asco and Kohler both make very good 
ones. Square-D, GE and the other electrical component companies make medium 
and huge units, but it sounds like you need a small one. This would 
normally be installed along with your generator.

R




Re: Cisco website www.cisco.com 403 forbidden?

2004-03-16 Thread Robert Boyle
At 04:04 PM 3/16/2004, Petri Helenius wrote:
No. It's "self defending network".
It was the little girl with the really cool game! :)

R




Re: "Information Warfare"

2004-03-06 Thread Robert Boyle
At 12:32 PM 3/6/2004, Brian Bruns wrote:
Lovely.  So not only do we now have to fend off attacks from script kiddies
and packet monkies, we now have to fend off attacks from idiot sysadmins who
set this tool up and allow it to go all out on supposed 'attacks' against
their systems.
I think the company's name Symbiot, which is apparently a witty contraction 
of two English words, says it all:

Main Entry: sym·bi·o·sis
Pronunciation: "sim-bE-'O-s&s, -"bI-
Function: noun
Inflected Form(s): plural sym·bi·o·ses  /-"sEz/
Etymology: New Latin, from German Symbiose, from Greek symbiOsis state of 
living together, from symbioun to live together, from symbios living 
together, from syn- + bios life -- more at QUICK
1 : the living together in more or less intimate association or close union 
of two dissimilar organisms
2 : the intimate living together of two dissimilar organisms in a mutually 
beneficial relationship; especially : MUTUALISM
3 : a cooperative relationship (as between two persons or groups) 
- sym·bi·ot·ic  /-'ä-tik/ adjective
- sym·bi·ot·i·cal·ly  /-ti-k(&-)lE/ adverb

Main Entry: id·i·ot
Pronunciation: 'i-dE-&t
Function: noun
Etymology: Middle English, from Anglo-French ydiote, from Latin idiota 
ignorant person, from Greek idiOtEs one in a private station, layman, 
ignorant person, from idios one's own, private; akin to Latin suus one's 
own -- more at SUICIDE
1 usually offensive : a person affected with idiocy
2 : a foolish or stupid person
- idiot adjective

It is apparently a system to allow idiots to live together with other 
idiots. I'm assuming that one of the idiots is the device manufacturer and 
the other is the customer. :)

-Robert




Re: Anycast and windows servers

2004-02-20 Thread Robert Boyle
At 05:43 AM 2/20/2004, you wrote:
Hence the reason why I want the route to cease being advertised if the box
"fails."
I'm trying to avoid putting yet another server load balancer box in front
of the windows box to withdraw the route so a different "working" box will
be closest.  It may be an oxymoron, but I'm trying to make the windows
service (if not a particular windows box) as "reliable" as possible
without introducing more boxes than necessary.
You haven't said what type of service you want to make as reliable as 
possible. It sounds like you want to use clustering or network load 
balancing. With clustering, you can have the service present on both 
machines and if the link between the two fails or if the service on the 
primary machine fails, the second machine will take over. You can also use 
shared Fiber-channel or SCSI devices between the two servers. You can also 
use network load balancing to share a non-transaction based service between 
servers. If you do it this way, you will get automatic load balancing to 
double the speed and capacity between the two or more servers in the NLB 
cluster since they all service requests all the time. In both cases, you 
will create a virtual IP address which receives all connections and both 
machines in the cluster will determine which machine handles each 
connection. This isn't hard and we do it all the time.

-Robert




Re: Dumb users spread viruses

2004-02-09 Thread Robert Boyle
At 12:24 PM 2/9/2004, you wrote:
Do you honestly think that any IT manager is going to be successful getting 
an entire company to dump Outlook/Exchange and stop using anti-virus 
software?  Do you have an example (within the North American area of 
interest to NANOG members) where this has actually happened?

IMHO, if you can convince an Outlook/Exchange using company to dump MS for 
email, you can convince them to dump MS/Windoze OSs entirely, which is a 
much more complete way to solve this problem.
I have been using Eudora for Windows since v1.3. I am now using 6.011. It 
works flawlessly and I have all my email for the past 10 years (3+GB in 
100s of mailboxes). This is our corporate standard for email. We turn off 
inline images, MS's HTML viewer and we don't allow automatic html downloads 
and we don't allow executable HTML content. We strip all useless 
executables on the mail server (com,exe,vbs,scr,shs,js, etc.) and all other 
attachments are renamed so they must be renamed THEN opened. We have mail 
server AV (AVAST - no bogus infected message replies) and desktop/server AV 
(Norton AV Corp Ed) on all workstations. We have never had a single virus 
or worm infection since 1995. I banned Outlook years ago. However, as we 
grow and as Outlook adds more and more features, I am getting lots of 
pressure to allow it. I allowed a few people to use it for calendaring and 
task management (One-note) and they LOVE it and want to use it for 
everything. I am VERY hesitant to allow this. I have been focused on 
security for 10+ years. I am an engineer and I am also CEO of the company 
and even I am wondering if it might make sense to allow use of Outlook for 
email at this point. Microsoft has made a lot of progress with Office XP 
and most features which caused problems in the past are off by default - 
until the next exploit of course. :( Outlook simply has the features and the 
usability that people want. As much as you may hate Microsoft for making 
security an afterthought, their software is powerful, feature-rich and VERY 
intuitive for people to use. So I guess my point is that after years of 
resistance to Outlook, even I am reconsidering due to high user demand and 
a void in the market for a robust group calendaring and task management 
application. Does anyone have any pointers for me? Something that fills the 
organization's needs and that will work with Eudora? Please help me resist 
the siren song of Outlook 2003.

-Robert




Re: Stopping open proxies and open relays

2004-02-06 Thread Robert Boyle
At 12:00 AM 2/7/2004, Adi Linden wrote:

> > There are valid reasons not to run antivirus software,
>
> And they are?
P90w/32MB running Win95 used for email only...
Odd... When that was a state of the art machine for which I paid $3k+ in 
1995 (IRC) I used a CLI virus scanner and before I opened anything from a 
BBS or the Internet, I would scan it. AVAST, FSecure, Norton, McAfee, and 
all others with which I am familiar still have a CLI version too. If it is 
only used for email, they can probably wait a few seconds longer to access 
files. They are already waiting a long time to do anything with that 
computer. :)

or insufficient finances to purchase anti virus software... to name a couple.
Not a valid excuse/reason. www.avast.com - It is excellent AV software and 
it is completely FREE for non-commercial use.

R




Re: "Third Level" domains not patented

2004-01-16 Thread Robert Boyle
At 09:41 AM 1/16/2004, you wrote:
>>According to the article, somebody managed to patent the selling of
>>www.something.somethng.com.  Which seems a bit asinine to me, since the
>>ISP I worked for in 1993 offered customers www.customer.ccnet.com.
Uh, no, that's not what the article said and it's not what the patent,
which is linked from the article, says.  The patent is on the tiny
tweak of selling matching e-mail addresses and domains (it says URLs
but their examples show domains) of the form [EMAIL PROTECTED] and
argle.bargle.tld.
I agree that's obvious and trivial, and there's debatably prior art
from about 1980 in the way that the contact address is encoded in an
SOA DNS record, but it's not about selling third level domains per se.
We have been doing the same thing since 1995.

R




Re: GSR, 7600, Juniper M?, oh my!

2004-01-06 Thread Robert Boyle
At 09:37 PM 1/6/2004, you wrote:
Oh, also, on the subject of used market pricing...

It's been a while since I looked at Cisco ChDS3 PA
pricing in any serious detail, but as I recall they
were valued as though they were made of gold and
personally blessed by Pope John Chambers when compared
to used Juniper ChDS3s. If this is really your
Last time I bought a PA-MC-T3, I paid $4700.00 and that is a GREAT price. 
They usually sell for $5k+ Two years ago, I sold some extras for 
$1500-2000/ea. They have more than doubled in price. The PA-MC-2T3 cards 
are going for $10-12k used now! I bought them in 2000 and 2001 for $4500 each.

application, you could probably sell your load of
ChDS3 PAs to the waiting crowd of suckers on eBay and
trade up to a Juniper with money left over, on any
decent number of chds3's.
So... Everyone always says Juniper is so great. How does one get a 
legitimate copy of JunOS and a software support contract? I have called and 
emailed Juniper at least 3-4 times via each method and never received any 
response regarding getting a license for a used router. I would like to buy 
a used M5/10/20/40 just to play with it so I can learn more about them and 
how they work. We are interested in the scalability and the cheap PIC 
cards available for the Juniper gear - especially the channelized DS3 
interfaces. Does anyone have a useful contact or number for software 
maintenance at Juniper? I don't want to spend $5-10k on used Juniper gear 
if I can't get an OS to run on it. Any Juniper lovers care to help? TIA!

-Robert




RE: Low end router alternative?

2003-12-19 Thread Robert Boyle
At 05:18 PM 12/19/2003, you wrote:
On Fri, 19 Dec 2003, Ejay Hire wrote:

> Lucent Pipeline 130, Superpipe 95, or Superpipe 155.

Well 2 minutes on Froogle tell me your definition of cheap and mine don't
match. For the same price range I would get a netopia R4522 or 5300 which
will reliably do NAT and all.
With a little more research, I think I can better clarify that I'm looking
for just about any router (<$50-100) that has a HSSI port and an RJ45
port. For what I'm looking for at the moment (experimenting)
used/refurbished doesn't matter so long as it works.
Then you probably want a Netopia PN660. v.35 serial port, NAT, RJ45 
Ethernet, etc. They can't be upgraded with a Netopia OS later than 2 years 
ago due to flash and RAM limitations so they have limited VPN capability, 
but they work great for what they are. You can get them for < $25 on eBay.

This one is currently $9.99.

http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=3066361701&category=3706

DO NOT buy a PN630/640 or any other model except the PN660 since that is 
the only one which will work for your specs. I would have given you one, 
but I threw them away a few months ago.

-Robert




Re: Most up to date packet size distribution info

2003-12-17 Thread Robert Boyle
At 04:08 PM 12/17/2003, Jared wrote:
Close to what we see at one location:

Router#sh ip ca flow
IP packet size distribution (17137M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .004 .621 .068 .029 .013 .007 .005 .006 .003 .005 .006 .006 .006 .004 .004
    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .004 .003 .016 .018 .159 .000 .000 .000 .000 .000 .000
Here is what we see:

core1-jcnj>sh ip ca fl
IP packet size distribution (20372M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .001 .411 .251 .018 .015 .006 .027 .004 .003 .003 .003 .004 .003 .002 .003
    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .003 .002 .139 .012 .082 .000 .000 .000 .000 .000 .000
and

core1-nwtnj>sh ip ca fl
IP packet size distribution (22181M total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .001 .429 .158 .023 .021 .010 .011 .006 .005 .004 .004 .006 .004 .003 .003
    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .003 .002 .054 .025 .219 .000 .000 .000 .000 .000 .000
I see an interesting variation in 1536 byte packets on our network anyway. 
core1-nwtnj is primarily a colo router and core1-jcnj is a backbone router 
connected to edge routers with lots of dialup, dsl, t1 and t3 customers. Of 
course traffic can pass through both routers en route, but it appears that 
most 1536 byte traffic does not.

-Robert




Re: Site Finder

2003-10-16 Thread Robert Boyle
At 09:27 PM 10/16/2003, you wrote:
I agree that an application level solution at the edge is the best.

I like the idea of having a user configurable parameter in the client
browser to allow the ``finder'' URL to be set. The browser
``manufacturer'' would of course put their own default and the ISP would
be able to ``configure'' their own defaults and the
end user could ``change'' it to suit their preferences.

This would allow competing ``URL finder'' type services, allow ISPs to
fine tune the interface for their customers and allow end users to
customize their own interface to the ``web''.
Maybe its time for some ``finder'' API specifications,
mozilla patches, and ``finder'' reference implementations.
The Internet Explorer Administration Kit has enabled this functionality for 
many years. We changed our default search page to Google about 3 years ago 
for all of our users who install our branded IE and dialer CD.

-Robert




Re: Juniper M7i, M10i and the US DREN's IPV6 project

2003-10-13 Thread Robert Boyle
At 06:03 PM 10/13/2003, you wrote:
From the PDF, regarding DREN implementation of ipv6:

No great incentive for DREN sites to implement IPv6
no near term win
additional effort and complexity, generally not funded
Can't deploy in a safe and secure manner
Existing DREN intrusion detection (IDS) architecture incompatible with 
maturity of products in use
Juniper port mirror lacks IPv6 support

Anybody know what the new M7i and M10i routers are?  Specs, price 
estimates, release dates, etc?
The M7i is supposed to compete with the Cisco 7100/7200. It is designed as 
a provider managed CPE for DS3 and OC3 level customers. At least that is 
the niche they are targeting. It will come in two flavors - integrated dual 
port 100Base-T or single GigE. It also has an optional service engine for 
firewall, VPN, IDS, etc. which plugs into the SCB/FPC. I don't think they 
have been released into production yet, but I could be wrong.

-Robert




Re: Extreme BlackDiamond

2003-10-13 Thread Robert Boyle
At 04:43 PM 10/13/2003, [EMAIL PROTECTED] wrote:

> 7600 is also vertical boards whereas the 6500 is horizontal.

Yep, I think from now on, we should make this a primary distinction
between switch and a router: If a device has vertical line cards, it is a
router, if horizontal, it is a switch.
Works well for 7500/12000/5x00/6500. ;)
A small problem... all of my 7200s have horizontal line cards as do the 
Juniper M5/7/10/20. The smaller 7100, 3700, 3600, 2600 also have horizontal 
line cards too. So... here is a correction.

"From now on, we should make this a primary distinction between switch and 
a router: If a device has vertical line cards, it is a router, if 
horizontal, it is a switch, unless there are two or more vertical slots 
within any horizontal slot plane, then it is, in fact, a router."

How does that sound?

-Robert




Re: Sitefinder fan - this guy needs a clue.

2003-10-08 Thread Robert Boyle
At 02:06 PM 10/8/2003, you wrote:
> Let's hope we can append "not for long" if they keep this stuff up. :)

The great thing about the web is a newspaper can bury its mistakes without
having to admit it in the "Corrections" page.
ZD.NET has modified the article they originally posted.  ZD.NET added the
biography and changed the byline in the last hour or so.
The original article did not identify Mark McLaughlin nor include his
biography.
Correct! If it had, I never would have posted. :)

R




Sitefinder fan - this guy needs a clue.

2003-10-08 Thread Robert Boyle


Wow. This guy is completely delusional.

http://zdnet.com.com/2100-1107_2-5087746.html

I have been up for 24 hours working on a router upgrade and a simultaneous 
DS3 problem so I'm in no frame of mind to respond. Perhaps one of the more 
eloquent (and less tired) folks here can politely beat this guy with a clue 
stick.

-Robert




Re: Is there anything that actually gets users to fix their computers?

2003-10-05 Thread Robert Boyle
At 12:57 AM 10/5/2003, you wrote:

At 2:11 AM + 10/5/03, Suresh Ramasubramanian wrote:
For more fun, consider that you are [EMAIL PROTECTED], and get those
It's the anti-virus ones that drive me nuts.  "Someone in your domain sent 
us a virus which always forges the from line, but we're going to tell you 
anyway because we'd like you to buy our software..."
What gets me is the moron admins who track down every "attack" they see. 
"Attacks" such as ICMP echo requests, Port 80 connections, etc. If they get 
huge logs that's one thing, but for four pings from a windows box or a 
mistyped IP address in a URL and they are worried about our "attack." These 
bogus reports outnumber legitimate complaints 4:1.

-Robert




Re: Alternative Satellite news feed needed

2003-10-02 Thread Robert Boyle
At 02:57 PM 10/2/2003, you wrote:
On Thu, 2 Oct 2003, Marshall Eubanks wrote:
> I have found a possible source of satellite bandwidth for this, assuming a
> critical mass of users could be accumulated to pay for it. Interested parties
> should send me an email off list please.

If a critical mass of users could be accumulated to pay for it, I imagine
Cidera would still be in business.
If Cidera had ever returned our calls or email to tell us the services they 
offered after they installed the dish on the roof of our datacenter and the 
server and satellite receiver in our rack, they might still be in business. 
:P From those I've talked to, I'm not the only one who never actually used 
any services from them because we weren't sure exactly what those services 
were or what they cost. Something about a DS3 of bandwidth for an ihave 
news feed for $350-500/month was mentioned before they installed anything 
and I agreed to it verbally. They were awfully anxious to get that dish 
installed. Perhaps due to loan covenants that they deploy x installations 
per month?

-Robert

btw- Installation of the dish and the PIII 1U server with mirrored HDDs 
were all given to us for free. I REALLY didn't get their business model and 
I still don't...




Re: what happened to ARIN tonight ?

2003-09-28 Thread Robert Boyle
At 10:07 PM 9/28/2003, you wrote:

I am seeing the same. ARIN is completely off the air

box02rsm-en01.twdx.net> sh ip bgp 192.149.252.16
% Network not in table
I see them via a UUNet announcement through Veroxity and Sprint transit, 
but I don't see it via any other peer or transit provider. Are they 
multi-homed?

R

core1-nwtnj#sho ip bgp 192.149.252.16
BGP routing table entry for 192.149.252.0/24, version 3225401
Paths: (2 available, best #1, table Default-IP-Routing-Table)
  Not advertised to any peer
  14985 701 7046
216.182.0.65 (metric 311040) from 216.182.0.65 (216.182.0.65)
  Origin IGP, localpref 100, valid, internal, best
  1239 701 7046
144.228.242.224 from 144.228.242.224 (144.228.242.224)
  Origin IGP, localpref 90, valid, external
  Dampinfo: penalty 706, flapped 4 times in 00:58:57



Re: Cheap temperature sensors

2003-09-23 Thread Robert Boyle
At 06:29 AM 9/23/2003, you wrote:
I hate to point this out but this sounds spammy as hell, and while I've 
been on this list a very short time, very very big alarm bells went off 
when I read it.
I have no financial interest in the company and I was just letting the list 
know about a cheap solution that works really, really well for a tremendous 
price. That's an elusive thing to find and I managed to locate something 
that many of us need.

If you aren't a spammer, compare your review with what spammers write, 
noting key phrases "I bought one and WOW!" rings IMMEDIATE spam bells, 
further you went from buying one (note above) to "I purchased 10 
individual temperature sensors and two temp/humidity sensors," for a total 
of 12.
All comparable solutions were $2000-3000 for the same number of sensors. I 
was half expecting to lose $445 to a scam company in Slovakia. I was very 
pleasantly surprised and I wanted to share my positive experience. I was 
excited because of the ease of setup and the dirt cheap price. If you don't 
need them, ignore the post. If you do, or if someone searching the archives 
does, they will find my post useful. It is a lot more on topic than a lot 
of the nanog noise.

So I figure I'm going to call Tellurian tomorrow, and confirm you exist, 
hoping you'll forgive me for my lack of faith.
Look at the archives. I've been a nanog poster for years and an ISP for 
even longer. Tellurian has been providing Internet access since 1995. I am 
_clearly_ not a spammer!

Relatedly, don't capitalize words for emphasis,
It's a stylistic choice. I don't believe in html posting. In plain text, I 
have caps and _underlines_. That's it.

 I note a previous post that stated that people will be able to search 
these lists when you're looking for employment and one must choose one's 
words carefully.
I haven't done anything wrong and I never wrote anything I will regret in 
the future. I really don't get it.

Anyway, I will give you a ring tomorrow, hoping that you do exist, and 
that you did send this, if not we can figure out exactly what's going on, 
and get it back to the list.
I am real. Look at our web site and look at the archives. I bought a cheap 
and elegant solution to a problem we all have and I wanted to share that 
positive experience with the list to benefit others. I was hesitant to buy 
it because it looked too good to be true and they are located in Slovakia 
(no offense to others from SK), but it works and I'm very impressed. Again, 
I have absolutely NO connection to them other than as a satisfied customer.

-Robert




Cheap temperature sensors

2003-09-22 Thread Robert Boyle


From time to time this thread pops up. I found something which looked 
interesting and the price was right. I bought one and WOW! It is VERY 
impressive stuff for any price especially considering how cheap it was. I 
purchased 10 individual temperature sensors and two temp/humidity sensors, 
and the SNMP Ethernet module. From unpacking the box to installing the 
eight sensors in the inlet and outlet ducting of our four A/C units, two 
more to the inside of two server racks and yet two more to the UPS and 
general rack areas for ambient temp/humidity monitoring to setting up MRTG 
graphing and SNMP traps total time was under 4 hours! Very nice stuff. It 
works out of the box with minimal setup and no fabrication, or 
development/programming needed. All of this for $445.00 delivered!!! I'm 
going to order a spare because I like the equipment so much and it is so cheap.

http://dcf.sk/microweb/snmpmain.html

-Robert




Re: BMITU

2003-09-04 Thread Robert Boyle
At 05:54 PM 9/4/2003, you wrote:
Communigate Pro is not a Windows mail server... It runs on nearly
everything; and can handle millions of accounts (it has extensive
clustering support).  Check their website: www.stalker.com for specs.

I stand corrected. I was only familiar with the Windows version. Thanks for 
the heads up. Apologies to all.

-Robert

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey



Re: BMITU

2003-09-04 Thread Robert Boyle
At 02:35 PM 9/4/2003, Brad Knowles wrote:
 and most *nix platforms, look at Surgemail from http://www.netwinsite.com
 It is incredibly scalable and VERY fast.
Got any benchmarks?

We have tested all of them. We process several million messages per day for 
tellurian.com. The only server which doesn't die immediately or within 
30-60 minutes is Surgemail. All others are crippled by multi-threaded and 
multi-homed dictionary attacks very quickly. I am speaking only of Win32 
servers. That is what he asked for.

   It uses a spam assassin-like
 filter which is written in C so it is at least 20-100 times faster than
 spam assassin and 95% as effective.
Again, benchmarks, please.

Spam assassin could not handle the load and choked on the mail volume. We 
were only able to process 1-2 messages per second with spam assassin. (not 
running spamc/spamd since it doesn't work on Win32) We can now peak at 
50-100 messages per second without any problem. The ruleset is completely 
customizable and it includes a distributed razor-like checksumming spamtrap 
database. Even without Bayes capability, with thousands of messages per 
day, I only receive one or two false positives or false negatives per week.

In particular, I'd also like to see effectiveness benchmarks, 
such as the ones recently reported at 
.  Here, SpamAssassin won as a 
non-learning filter, but it also has a Bayesian/learning mode that would 
allow it to perform as well as or better than any of the other learning 
types.  Of course, they tested version 2.55 and 2.60 is already 
available, so that would also make a difference.

Unfortunately, spam assassin is so effective and popular that spammers are 
using the rules to game SA now. We use a different ruleset than SA so we 
are less susceptible to forced false negatives.

  It includes support for AVAST
 anti-virus
Any other anti-virus solutions supported?  AMaViS and amavisd-new 
support something like thirty different plug-in modules that you can use.

Sure. You can use any command line scanner. Norton, McAfee, RAV, 
whatever... We were using RAV until a week ago when we decided to switch to 
AVAST.

 and the webmail program is powerful, fast, and includes
 support for PGP.
Webmail is another aspect of the overall system.  Myself, I've 
found that many webmail systems are too dependent on support for 
javascript in the browser.  In particular, IMP/horde has a problem in 
this area.  We found that TWIG was the best webmail application we could 
find, although I've also heard good things about SquirrelMail. There are 
many others also listed at 
.

It is a standard IMAP/POP/SMTP server so you can use any webmail you want. 
The one which is included is very fast and powerful. It includes almost any 
feature a full featured email client should have. View source, view 
headers, PGP, redirect, rules, anti-spam rules and exceptions.

   It is an AWESOME product and the support and
 developers are top notch too. I don't have any vested interest in
 the company, but I am a very happy customer. (They also make DNews
 which many people here are probably familiar with)
DNews I am familiar with.  Not bad for what it is, but Diablo is 
much more scalable.  It's also more difficult to manage, but the best-run 
large news providers in the world that I know of are all using Diablo.

Many also use Cyclone and Typhoon too. I didn't say that DNews was the most 
scalable server, but that people would know the company by it. :) I haven't 
wasted my time or bandwidth running a news server for many years so I can't 
comment on news server scalability.

-Robert

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey



Re: BMITU

2003-09-04 Thread Robert Boyle
At 11:02 AM 9/4/2003, you wrote:
This is my first post so please be gentle.

I would like to get some opinions on the Best Mailserver in the Universe.
Is there a more appropriate list for this question?
I have looked at Communigate Pro, IMAIL, and others.

I am interested in integrated solution that can scale to handle 500k
accounts
Any experience good / bad would be great.

None of the Windows mail servers listed above or the others such as 
Mailsite, MDaemon, Merak, etc. are capable of more than 10-20k active 
users. Forget about 500k with any you have listed. If you want a solid mail 
server which WILL handle 500k users and will run on Windows and most *nix 
platforms, look at Surgemail from http://www.netwinsite.com It is 
incredibly scalable and VERY fast. It uses a spam assassin-like filter 
which is written in C so it is at least 20-100 times faster than spam 
assassin and 95% as effective. It includes support for AVAST anti-virus and 
the webmail program is powerful, fast, and includes support for PGP. It is 
an AWESOME product and the support and developers are top notch too. I 
don't have any vested interest in the company, but I am a very happy 
customer. (They also make DNews which many people here are probably 
familiar with)

-Robert

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey



Re: GLBX ICMP rate limiting (was RE: Tier-1 without their own backbone?)

2003-08-28 Thread Robert Boyle
At 12:39 PM 8/28/2003, you wrote:
> Along these lines, how does this limiting affect akamai or other 'ping for
> distance' type localization services? I'd think their data would get
> somewhat skewed, right?
Perhaps they'll come up with a more advanced system of
monitoring?
probably the best way to do that is to track the download speed
either with cookies (with subnet info) or by subnet only to determine
the best localization.
With an imperfect system of tracking localization, you will
get imperfect results.

I'm not sure about other implementations, but our Akamai boxes in our 
datacenter receive all traffic requests which originate from our address 
space as predefined with Akamai. I believe they also somehow factor in 
address space announcements originated via our AS as well since they asked 
for our AS when we originally started working with them.

-Robert

Tellurian Networks - The Ultimate Internet Connection
http://www.tellurian.com | 888-TELLURIAN | 973-300-9211
"Good will, like a good name, is got by many actions, and lost by one." - 
Francis Jeffrey


