Re: Dynamic IP log retention = 0?

2009-03-13 Thread JC Dill

Ross wrote:

We can all improve in our operations, public shaming
for not dropping one's other duties to hand over information that you
aren't privileged to is a bit sad.


No one asked anyone to "hand over information that they weren't 
privileged to".  Trying to publicly shame someone for asking for this, 
when they asked for no such thing, is more than a bit sad.


What was requested is that Covad deal with their problem customer.  
Covad tried to claim that they couldn't deal with it because supposedly 
they don't have any logs of which customer had the IP less than 48 hours 
ago, which is just not very believable.  There also wasn't any 
indication that Covad claimed they had more important duties to attend 
to and that this wasn't important to address - they just claimed they 
"can't" address it because they don't have log data to link the IP to 
the customer. 


jc




Re: Dynamic IP log retention = 0?

2009-03-13 Thread Ross
Valdis,

I'm not going to argue with you on a socio-economic opinion that companies
who have stock holders are evil because they don't spend their funds where
they want you to and promote anti-social behavior by doing so. If you
think society's biggest problem is to stop port scanning then I hope you
succeed in your crusade. I think many of us have bigger problems than you
getting port scanned but if you ever truly get attacked, I'll be there to
help.

As a good friend of mine says "no one ever goes to work and says, how am I
going to suck today." We can all improve in our operations, public shaming
for not dropping one's other duties to hand over information that you
aren't privileged to is a bit sad.


*nite*

-- 
Ross
ross [at] dillio.net

> On Sat, 14 Mar 2009 00:56:24 CDT, Ross said:
>> I know I won't be able to change your mind. Saying a company's business
>> decisions are antisocial just because they aren't doing what you want is very
>> unhelpful. I don't know how many large ISPs you have worked for but I'm
>> not sure if you understand corporate budgets or politics.
>
> Ross - it doesn't help when you turn around and present another false
> dichotomy.
>
> It's quite possible that Joe *does* understand corporate budgets and politics,
> and *still* thinks that business decisions are antisocial.  In fact, one can
> fairly easily argue that *many* of our current socio-economic issues are due
> to the fact that corporate decisions are in general required to be in the
> stockholder's interests, not society's.  In other words, they are in general
> *by definition* anti-social.
>
> So the correct phrasing is "How do we change the anti-social behavior into
> something less anti-social which still pleases the stockholders?"
>
>> Seriously, what will be your next analogy, pedophiles are the same as file
>> sharers?
>
> Paging Jack Valenti...
>





Re: Dynamic IP log retention = 0?

2009-03-13 Thread Valdis . Kletnieks
On Sat, 14 Mar 2009 00:56:24 CDT, Ross said:
> I know I won't be able to change your mind. Saying a company's business
> decisions are antisocial just because they aren't doing what you want is very
> unhelpful. I don't know how many large ISPs you have worked for but I'm
> not sure if you understand corporate budgets or politics.

Ross - it doesn't help when you turn around and present another false dichotomy.

It's quite possible that Joe *does* understand corporate budgets and politics,
and *still* thinks that business decisions are antisocial.  In fact, one can
fairly easily argue that *many* of our current socio-economic issues are due
to the fact that corporate decisions are in general required to be in the
stockholder's interests, not society's.  In other words, they are in general
*by definition* anti-social.

So the correct phrasing is "How do we change the anti-social behavior into
something less anti-social which still pleases the stockholders?"

> Seriously, what will be your next analogy, pedophiles are the same as file
> sharers?

Paging Jack Valenti...




Re: Dynamic IP log retention = 0?

2009-03-13 Thread Ross
Joe,

I'll respond to you and this will be my last reply to this thread because
I know I won't be able to change your mind. Saying a company's business
decisions are antisocial just because they aren't doing what you want is very
unhelpful. I don't know how many large ISPs you have worked for but I'm
not sure if you understand corporate budgets or politics.

If you consider people who port scan the bad guys of the internet then
obviously you and I are on two different planes of reality. I had a
discussion today with someone who I immensely respect where I talked about
port scanning and how people compare it to trying to break in to someone's
house. He disagreed and said that port scanning was like being a part of
the neighborhood watch and that trying to exploit any vulnerabilities you
find would be an attempted break in, I have to agree.

As for your second point of comparing port scanning to the heinous crimes
of rape I'll just ask, "have you lost your damn mind"? Seriously, port
scanning a machine compared to the horrid act of abusing someone sexually?
Seriously, what will be your next analogy, pedophiles are the same as file
sharers?

Port scanning can be a method to find vulnerabilities indeed but what of
those of us who port scan before we use certain services? I often scan
certain hosts before I use them to make sure they don't have gaping
vulnerabilities, should I go to jail? The op said nothing about an attack
but only a scan, so don't go there.

Your idea of operations seems simple because you have the black and white
barrier, there is no gray for you. Some of us actually have a larger
userbase and very small budgets. Now I'll say that the company I work for
goes after network abusers vigorously. To say that port scanners are
miscreants and abusers is your view.

I think everyone wants to stop botnets and exploits from spreading but
Joe, people don't have to answer to you just because you feel that you are
privileged because you have a role in the internet. Scanning and attacks
are two different things and I hope you realize this. If a host on my
network is attacking a host on yours I'm sure we will work to stop it
quickly. If you demand that I turn over the person who scanned you last
night at 12:52 am I may ignore you.

I wish you the best of luck against your crusade against the evil of port
scanning.


-- 
Ross
ross [at] dillio.net

>> Whether Covad chooses to enforce their AUP against port scanning is a
>> business decision up to them.
>
> Yes, it's all a business decision.  That kind of antisocial thinking is
> the sort of thing that has allowed all manner of bad guys to remain
> attached to the Internet.
>
>> Again, why worry about things out of your
>> control, especially when we are talking about port scanning.
>
> Yes, why not talk about rapists and drug dealers instead.  They're much
> worse.  It's just that this forum ... isn't for that.
>
>> I would think people have more pressing issues, guess not.
>
> While I am all for increasing overall security on the Internet, the
> reality is that there will often be devices that are attached that
> are found to be vulnerable in new and intriguing ways.  Port scanning
> is a primary method for finding these vulnerabilities.  To the extent
> that an ISP might proactively port scan its own userbase, that's a good
> use and probably a good idea (has tradeoffs), but bad guys finding
> holes in random devices so that they can launch multiGbps attacks
> against random destinations is a bad thing.
>
> If your idea of "operations" is to make your router work and collect
> your paycheck for another day, then this discussion probably does not
> make any sense to you and you probably don't understand the importance
> of the issue.
>
> If your idea of "operations" is to ensure the reliable operation and
> uphold the performance standards of an IP network, then it should not
> be beyond comprehension that allowing miscreants access to the network
> is one of many things that can adversely affect operations.  If you
> accept that the presence of miscreants on the network is a negative,
> it shouldn't be hard to see that complaining about consistent and
> persistent port scans from what is probably an identifiable host is
> one way to make an impact.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
>





Re: Dynamic IP log retention = 0?

2009-03-13 Thread Bill Stewart
On Fri, Mar 13, 2009 at 2:15 PM,   wrote:
>  After all, you didn't *really* care that the IP was assigned to
> a computer belonging to Herman Munster, 1313 Mockingbird Lane.  What you
> actually *wanted* was for somebody (preferably Covad) to hand Herman a clue.

Yeah.  I miss the days that you could fix Covad problems by calling Brent,
or by sending the attacker a Ping of Death :-)

In practice, of course, the chances are extremely high that
the attacker is a zombie pc whose owner is not aware
that it's infected, and they really need their ISP to
quarantine them somewhere until they can get it fixed.


-- 

 Thanks; Bill

Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.



RE: SBC NOC contact

2009-03-13 Thread Frank Bulk
Try dnscont...@att.com; that's what comes up when I WHOIS the domain
pbi.net.

Frank

-----Original Message-----
From: William Pitcock [mailto:neno...@systeminplace.net] 
Sent: Friday, March 13, 2009 12:21 PM
To: nanog@nanog.org
Subject: SBC NOC contact

Hello,

Does anyone here have an SBC/AT&T NOC contact that goes to an actual
human being? Their NOC handle email, supp...@swbell.net bounces with the
following message:

| Dear SBC Yahoo! Member,
|
| Our Support Request site has recently changed.
| Please submit your question or comment via our new online form available at
| http://help.sbcglobal.net/techquestions.php.
|
| Thank you for contacting SBC Yahoo! Technical Support.

Which is especially funny because I don't do business with SBC at all.
Also, their website leads us to a "we don't take emails anymore"
message.

But I digress, their nameservers are out of sync, causing problems with
reverse DNS suddenly going away for some SBC IPs in our logs. Appears to
be an issue with ns1.pbi.net...

So yeah, if someone knows somebody who could fix that, that would be
fantastic.
--
William Pitcock
SystemInPlace - Simple Hosting Solutions
1-866-519-6149






Re: Dynamic IP log retention = 0?

2009-03-13 Thread Charles
Um, aren't DSL addresses handed out over IPCP? So perhaps a bit more static
than DHCP?
Sent via BlackBerry from T-Mobile

-----Original Message-----
From: Bobby Mac 

Date: Fri, 13 Mar 2009 13:57:56 
To: 
Subject: Re: Dynamic IP log retention = 0?


Just wondering but the knowledge I have of DHCP is that an IP address is
assigned to the same computer (or host) and will continue to do so until the
pool of IPs is exhausted.  Once that occurs,  a new request is parsed by
the DHCP server and the oldest non-renewed lease address is checked to see
if it is live.  If no response occurs then the DHCP server assigns that IP
to the requesting host.  It's much more efficient to write once and check
that than it is to write every time.  This is done to save resources on the
DHCP server not much unlike the cache on a DNS server.  Every look up does
not traverse the root servers and the auth server,  only those that have
expired cached entries.  Wouldn't it create a DOS against the DHCP server if
every host constantly required the server go through the aforementioned
process?  It does whit in DNS.  Change the expire to 2 and the ttl to 2 and
see what happens.  This did happen for boxsports dot com (what rhymes with
box? not sure of the legalities around saying the name). An SA, while
trouble shooting, did just that and about 1 month later BOOM! crap hit the
fan. It appeared as though our DNS auth servers were being DOS'd but all
requests were legit.  The entry was not cached.

That said,  unless Covad is constantly exhausting its pool or they mandate
that after the lease expires to give a different IP a reverse lookup would
give you the hostname of the offender which should remain accurate for some
amount of time.  No action on Covad's part constitutes legal action on your
part...
-Bobbyjim
On Fri, Mar 13, 2009 at 8:53 AM, Joe Greco  wrote:

> > On Thu, Mar 12, 2009 at 8:52 PM, Joe Greco  wrote:
> > > >   Well most port scanning is from compromised boxes.  Once a
> > > >   box is compromised it can be used for *any* sort of attack.
> > > >   If you really care about security you take reports of ports
> > > >   scans seriously.
> > >
> > > Yeahbut, the real problem is that port scanning is typically used as
> > > part of a process to infect _other_ boxes.  If you allow this sort of
> > > illness to spread, the patient (that is, the Internet) doesn't get
> > > better.
> >
> > Port scanning is the Internet equivalent of the common cold. They're a dime
> > a dozen.
> >
> > I recommend taking some Vitamin B and D. Block, and Drop.
>
> No, it's more comparable to the jerk who not only doesn't stay at home
> with his cold, but actively walks around the workplace coughing and
> sneezing without covering his mouth/nose with a kleenex, spraying people.
>
> The reality is that it fails the "if everybody did this, would it be a
> good thing" test.  While some "B&D" is common sense on the receiving end,
> this does not make it any more correct for the originating site to let it
> keep happening.  If every PC on the Internet (conservatively, let's
> assume a billion devices that are sufficiently sophisticated that they
> could be infected) were to send you a single packet per day, you'd be
> seeing over 10,000pps.  That should suggest that the behaviour is not
> something to be encouraged.
>
> My locking my doors does not mean it's okay for you to check if my door
> is locked.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
>
>



Re: wires mess thread

2009-03-13 Thread Gadi Evron

This came across my RSS feed today from gizmodo:
http://www.reddit.com/r/technology/comments/845v3/this_data_center_has_got_its_shit_together/



DNS support for DKIM

2009-03-13 Thread Dave CROCKER

Folks,

Hi.  I maintain DKIM's  web site, which includes:

 DKIM Software and Services Deployment Reports
 

and am interested in adding entries for relevant DNS services.

The page lists software, services and consultants that perform DKIM functions.

Recent discussions about the use of DNS for DKIM have made clear that we need
the page to provide a more detailed listing of specific DKIM-related DNS 
functions.

So the template for the page now covers:


DNS = Supports DNS administration

 _names:  Creation of domain names that include underscores
 TXT:     Creation of DKIM parameters, under underscore name
 NS:      Creation, under underscore name
 wizard:  User interface that facilitates creating DKIM-specific
          records.


I'm interested in adding entries for /all/ software and services (packages,
ISPs, DNS providers, etc.) that can perform the necessary DNS functions needed
by DKIM.

For those wishing to, please complete the template for an entry, per:

   

and send it to me.

Thanks.

d/

--

  Dave Crocker
  Brandenburg InternetWorking
  bbiw.net



Re: Dynamic IP log retention = 0?

2009-03-13 Thread Valdis . Kletnieks
On Fri, 13 Mar 2009 13:57:56 CDT, Bobby Mac said:

> That said,  unless Covad is constantly exhausting its pool or they mandate
> that after the lease expires to give a different IP a reverse lookup would
> give you the hostname of the offender which should remain accurate for some
> amount of time.  No action on Covad's part constitutes legal action on your
> part...

OK. So you get hit by 129.257.34.98. You look up the PTR and get back
98.34.257.129.cable-pool-slash-12.covad.net.

What did you gain here? You knew it was in a Covad /12 before, and that's
all you know after, and Covad *still* isn't stopping their customer's bad
behavior.  After all, you didn't *really* care that the IP was assigned to
a computer belonging to Herman Munster, 1313 Mockingbird Lane.  What you
actually *wanted* was for somebody (preferably Covad) to hand Herman a clue.



pgpVcCUD4HqCv.pgp
Description: PGP signature
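The lookup this thread keeps returning to, mapping a reported IP and timestamp to the subscriber who held the lease at that moment, sketched as an added example (not code from any poster or from Covad). The lease record layout, subscriber IDs, addresses and retention windows are all constructed assumptions.

```python
"""Resolve an abuse report (IP + timestamp) to the subscriber holding the lease."""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lease history (not real data):
# (ip, subscriber, lease_start, lease_end), all times in UTC.
SAMPLE_LEASES = [
    ("198.51.100.23", "cust-1001", "2009-03-10T02:00:00", "2009-03-11T21:55:00"),
    ("198.51.100.23", "cust-2042", "2009-03-11T22:00:00", "2009-03-12T09:00:00"),
    ("198.51.100.23", "cust-3310", "2009-03-12T09:10:00", "2009-03-13T23:00:00"),
    ("198.51.100.77", "cust-1001", "2009-03-11T22:05:00", "2009-03-13T23:00:00"),
]


def _utc(ts):
    """Parse a naive ISO timestamp from the lease log and mark it as UTC."""
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def parse_report_time(ts):
    """Parse the timestamp from an abuse report and normalise it to UTC.

    A report without a UTC offset is rejected: around a lease change, a few
    hours of ambiguity is enough to point at the wrong customer.
    """
    when = datetime.fromisoformat(ts)
    if when.tzinfo is None:
        raise ValueError("report timestamp has no UTC offset: %r" % ts)
    return when.astimezone(timezone.utc)


class LeaseIndex:
    """Lease history per IP, limited to what the retention window still holds."""

    def __init__(self, leases, retention, now):
        cutoff = now - retention
        self._by_ip = defaultdict(list)
        for ip, subscriber, start, end in leases:
            start, end = _utc(start), _utc(end)
            if end < cutoff:
                continue  # record aged out of the log store
            self._by_ip[ip].append((start, end, subscriber))
        for history in self._by_ip.values():
            history.sort()

    def resolve(self, ip, when):
        """Return the subscriber holding `ip` at `when`, or None if unknown."""
        history = self._by_ip.get(ip, [])
        starts = [start for start, _, _ in history]
        i = bisect_right(starts, when) - 1  # last lease starting at or before `when`
        if i >= 0:
            start, end, subscriber = history[i]
            if when <= end:
                return subscriber
        return None  # gap between leases, or the record is no longer retained


if __name__ == "__main__":
    now = datetime(2009, 3, 13, 23, 0, tzinfo=timezone.utc)
    when = parse_report_time("2009-03-11T20:52:00-05:00")  # constructed report
    for label, retention in [("7 days", timedelta(days=7)),
                             ("48 hours", timedelta(hours=48)),
                             ("24 hours", timedelta(hours=24)),
                             ("none", timedelta(0))]:
        index = LeaseIndex(SAMPLE_LEASES, retention, now)
        print("retention %-8s -> holder at report time: %s, holder now: %s" % (
            label, index.resolve("198.51.100.23", when),
            index.resolve("198.51.100.23", now)))
```

With short or zero retention the only answer left is the current lease holder, who in this sample is a different customer from the one who held the address when the scan was reported.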


Re: Multi-home with same provider, BGP convergence issues

2009-03-13 Thread Scott Weeks


--- n...@switchtower.org wrote:
From: "Nicholas R. Cappelletti" 

I can provide a .png of our current setup for reference or any further 
information needed.  Any help anyone can provide will be greatly appreciated.
-


The best thing to do is put the diagram and configs on a web site and give us 
the link.

scott






Re: Dynamic IP log retention = 0?

2009-03-13 Thread Bobby Mac
Just wondering but the knowledge I have of DHCP is that an IP address is
assigned to the same computer (or host) and will continue to do so until the
pool of IPs is exhausted.  Once that occurs,  a new request is parsed by
the DHCP server and the oldest non-renewed lease address is checked to see
if it is live.  If no response occurs then the DHCP server assigns that IP
to the requesting host.  It's much more efficient to write once and check
that than it is to write every time.  This is done to save resources on the
DHCP server not much unlike the cache on a DNS server.  Every look up does
not traverse the root servers and the auth server,  only those that have
expired cached entries.  Wouldn't it create a DOS against the DHCP server if
every host constantly required the server go through the aforementioned
process?  It does whit in DNS.  Change the expire to 2 and the ttl to 2 and
see what happens.  This did happen for boxsports dot com (what rhymes with
box? not sure of the legalities around saying the name). An SA, while
trouble shooting, did just that and about 1 month later BOOM! crap hit the
fan. It appeared as though our DNS auth servers were being DOS'd but all
requests were legit.  The entry was not cached.

That said,  unless Covad is constantly exhausting its pool or they mandate
that after the lease expires to give a different IP a reverse lookup would
give you the hostname of the offender which should remain accurate for some
amount of time.  No action on Covad's part constitutes legal action on your
part...
-Bobbyjim
On Fri, Mar 13, 2009 at 8:53 AM, Joe Greco  wrote:

> > On Thu, Mar 12, 2009 at 8:52 PM, Joe Greco  wrote:
> > > >   Well most port scanning is from compromised boxes.  Once a
> > > >   box is compromised it can be used for *any* sort of attack.
> > > >   If you really care about security you take reports of ports
> > > >   scans seriously.
> > >
> > > Yeahbut, the real problem is that port scanning is typically used as
> > > part of a process to infect _other_ boxes.  If you allow this sort of
> > > illness to spread, the patient (that is, the Internet) doesn't get
> > > better.
> >
> > Port scanning is the Internet equivalent of the common cold. They're a dime
> > a dozen.
> >
> > I recommend taking some Vitamin B and D. Block, and Drop.
>
> No, it's more comparable to the jerk who not only doesn't stay at home
> with his cold, but actively walks around the workplace coughing and
> sneezing without covering his mouth/nose with a kleenex, spraying people.
>
> The reality is that it fails the "if everybody did this, would it be a
> good thing" test.  While some "B&D" is common sense on the receiving end,
> this does not make it any more correct for the originating site to let it
> keep happening.  If every PC on the Internet (conservatively, let's
> assume a billion devices that are sufficiently sophisticated that they
> could be infected) were to send you a single packet per day, you'd be
> seeing over 10,000pps.  That should suggest that the behaviour is not
> something to be encouraged.
>
> My locking my doors does not mean it's okay for you to check if my door
> is locked.
>
> ... JG
> --
> Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
> "We call it the 'one bite at the apple' rule. Give me one chance [and] then I
> won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
> With 24 million small businesses in the US alone, that's way too many apples.
>
>


Weekly Routing Table Report

2009-03-13 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.
Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   04:00 +10GMT Sat 14 Mar, 2009

Report Website: http://thyme.apnic.net
Detailed Analysis:  http://thyme.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined: 282891
Prefixes after maximum aggregation: 134061
Deaggregation factor: 2.11
Unique aggregates announced to Internet: 138798
Total ASes present in the Internet Routing Table: 30808
Prefixes per ASN: 9.18
Origin-only ASes present in the Internet Routing Table: 26818
Origin ASes announcing only one prefix: 13049
Transit ASes present in the Internet Routing Table: 3990
Transit-only ASes present in the Internet Routing Table: 89
Average AS path length visible in the Internet Routing Table: 3.6
Max AS path length visible: 25
Max AS path prepend of ASN (18678): 21
Prefixes from unregistered ASNs in the Routing Table: 500
Unregistered ASNs in the Routing Table: 168
Number of 32-bit ASNs allocated by the RIRs: 128
Prefixes from 32-bit ASNs in the Routing Table: 19
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 237
Number of addresses announced to Internet: 2015333504
    Equivalent to 120 /8s, 31 /16s and 140 /24s
Percentage of available address space announced: 54.4
Percentage of allocated address space announced: 63.6
Percentage of available address space allocated: 85.5
Percentage of address space in use by end-sites: 76.0
Total number of prefixes smaller than registry allocations: 139285

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes: 65455
Total APNIC prefixes after maximum aggregation: 23364
APNIC Deaggregation factor: 2.80
Prefixes being announced from the APNIC address blocks: 62237
Unique aggregates announced from the APNIC address blocks: 28362
APNIC Region origin ASes present in the Internet Routing Table: 3567
APNIC Prefixes per ASN: 17.45
APNIC Region origin ASes announcing only one prefix: 966
APNIC Region transit ASes present in the Internet Routing Table: 545
Average APNIC Region AS path length visible: 3.5
Max APNIC Region AS path length visible: 19
Number of APNIC addresses announced to Internet: 404953248
    Equivalent to 24 /8s, 35 /16s and 24 /24s
Percentage of available APNIC address space announced: 80.5

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079
APNIC Address Blocks   58/8,  59/8,  60/8,  61/8, 110/8, 111/8, 112/8,
                       113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8,
                       120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8,
                       202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8,
                       221/8, 222/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes: 124056
Total ARIN prefixes after maximum aggregation: 65410
ARIN Deaggregation factor: 1.90
Prefixes being announced from the ARIN address blocks: 93499
Unique aggregates announced from the ARIN address blocks: 36106
ARIN Region origin ASes present in the Internet Routing Table: 12836
ARIN Prefixes per ASN: 7.28
ARIN Region origin ASes announcing only one prefix: 4935
ARIN Region transit ASes present in the Internet Routing Table: 1235
Average ARIN Region AS path length visible: 3.3
Max ARIN Region AS path length visible: 20
Number of ARIN addresses announced to Internet: 419494464
    Equivalent to 25 /8s, 0 /16s and 250 /24s
Percentage of available ARIN address space announced: 80.7

ARIN AS Blocks         1-1876, 1902-2042, 2044-2046, 2048-2106
(pre-ERX allocations)  2138-2584, 2615-2772, 2823-2829, 2880-3153
  

Re: Multi-home with same provider, BGP convergence issues

2009-03-13 Thread Raymond Macharia
Hi Nicholas, a simple schematic would help together with configs of how you
are announcing your IP blocks. But with what you have indicated, you may
need to manipulate your announcements (for example using prepend)  and make
sure that you don't have the same IP blocks  being advertised from the two
links at the same time.
Again with more info I may provide you with a more accurate response.

Regards

Raymond Macharia

On Fri, Mar 13, 2009 at 3:19 PM, Nicholas R. Cappelletti <
n...@switchtower.org> wrote:

> Hello,
>
> I have sort of an interesting problem, that probably has an easy fix.  I've
> run into a continuous BGP convergence problem on the cores of the network I
> administer every time I bring up both of our Savvis connections (we have a
> single OC-12 and 2 1GigE connections in a multi-hop configuration).
>
> The connections are on separate border devices separated again by a set of
> core routers.  There is a set of core routers per building and each
> building has its own Savvis connection along with other connections from
> other providers.  All the equipment is Cisco gear.  We've been running with
> multiple connections from Savvis for some time, but recently reconfigured
> the GigE lines to multi-hop to help with balancing, only then, did we
> experience this BGP convergence issue.
>
> From what my colleagues and I have read so far is that turning on "bgp
> deterministic-med" on all the BGP speaking devices should help in this
> situation, but I don't see how using MEDS is going to help us.
>
> I can provide a .png of our current setup for reference or any further
> information needed.  Any help anyone can provide will be greatly
> appreciated.
>
> ---
>
> Nick Cappelletti
> n...@switchtower.org
>
>


-- 
Raymond Macharia


SBC NOC contact

2009-03-13 Thread William Pitcock
Hello,

Does anyone here have an SBC/AT&T NOC contact that goes to an actual
human being? Their NOC handle email, supp...@swbell.net bounces with the
following message:

| Dear SBC Yahoo! Member,
| 
| Our Support Request site has recently changed.
| Please submit your question or comment via our new online form available at
| http://help.sbcglobal.net/techquestions.php.
| 
| Thank you for contacting SBC Yahoo! Technical Support.

Which is especially funny because I don't do business with SBC at all.
Also, their website leads us to a "we don't take emails anymore"
message.

But I digress, their nameservers are out of sync, causing problems with
reverse DNS suddenly going away for some SBC IPs in our logs. Appears to
be an issue with ns1.pbi.net...

So yeah, if someone knows somebody who could fix that, that would be
fantastic.
-- 
William Pitcock
SystemInPlace - Simple Hosting Solutions
1-866-519-6149




Comcast postmaster contact

2009-03-13 Thread Darryl Dunkin
Does anyone have a valid postmaster contact for Comcast? They are
currently blocking one of my mailservers, yet using the forms on their
site to request removal, they report that it is not blocked by them.
They are ignoring the actual content of my reports (such as the actual
error returned by their servers) and sending the same canned answer back
to every request.



Re: Network SLA

2009-03-13 Thread Athanasios Douitsis
Anyone interested in setting up his own IP SLA probes by hand and then
collecting the measurements into a database can use a Perl tool we developed
in 2005:

http://sourceforge.net/projects/saa-collector

It's rather old (SAA got renamed into IPSLA in the meantime) and, in
retrospect, the code is a little rough around the edges, but it's
nevertheless usable.

Regards,
Athanasios



On Wed, Mar 11, 2009 at 10:20 PM, Andreas, Rich <
rich_andr...@cable.comcast.com> wrote:

> I have found that Cisco IPSLA is heavily used in the MSO/Service
> Provider Space.  Juniper has equivalent functionality via RPM.
>
> Rich
>
>
> -----Original Message-----
> From: Saqib Ilyas [mailto:msa...@gmail.com]
> Sent: Saturday, March 07, 2009 6:12 AM
> To: nanog@nanog.org
> Subject: Re: Network SLA
>
> I must thank everyone who has answered my queries. Just a couple more
> short questions.
> For instance, if one is using MRTG, and wants to check if we can meet
> a 1 Mbps end-to-end throughput between a couple of customer sites, I
> believe you would need to use some traffic generator tools, because
> MRTG merely imports counters from routers and plots them. Is that
> correct?
> We've heard of the BRIX active measurement tool in replies to my
> earlier email. Also, I've found Cisco IP SLA that also sends traffic
> into the service provider network and measures performance. How many
> people really use IP SLA feature?
> Thanks and best regards
>
> On Mon, Feb 23, 2009 at 1:19 PM, Zartash Uzmi  wrote:
> > As I gather, there is a mix of answers, ranging from "building the resources
> > according to requirements and HOPE for the best" to "use of arguably
> > sophisticated tools and perhaps sharing the results with the legal
> > department".
> >
> > I would be particularly interested in hearing the service providers'
> > viewpoint on the following situation.
> >
> > Consider a service provider with MPLS deployed within its own network.
> >
> > (A) When the SP enters into a relation with the customer, does the SP
> > establish new MPLS paths based on customer demands (this is perhaps similar
> > to "building" based on requirements as pointed out by David)? If yes,
> > between what sites/POPs? I assume the answer may be different depending upon
> > a single-site customer or a customer with multiple sites.
> >
> > (B) For entering into the relationship for providing X units of bandwidth
> > (to another site of same customer or to the Tier-1 backbone), does the SP
> > use any wisdom (in addition to MRTG and the likes)? If so, what scientific
> > parameters are kept in mind?
> >
> > (C) How does the customer figure out that a promise for X units of bandwidth
> > is maintained by the SP? I believe customers may install some measuring
> > tools but is that really the case in practice?
> >
> > Thanks,
> > Zartash
> >
> > On Fri, Feb 20, 2009 at 1:16 AM, Stefan  wrote:
> >
> >> Saqib Ilyas wrote:
> >>
> >>> Greetings
> >>> I am curious to know about any tools/techniques that a service provider uses
> >>> to assess an SLA before signing it. That is to say, how does an
> >>> administrator know if he/she can meet what he is promising. Is it based on
> >>> experience? Are there commonly used tools for this?
> >>> Thanks and best regards
> >>>
> >>>
> >> Not necessarily as a direct answer (I am pretty sure there'll be others on
> >> this list giving details in the area of specific tools and standards), but I
> >> think this may be a question (especially considering your end result
> >> concern: *signing the SLA!) equally applicable to your legal department. In
> >> the environment we live, nowadays, the SLA could (should?!? ...
> >> unfortunately) be "refined" and (at the other end - i.e. receiving)
> >> "interpreted" by the lawyers, with possibly equal effects (mostly financial
> >> and as overall impact on the business) as the tools we (the technical
> >> people) would be using to measure latency, uptime, bandwidth, jitter, etc...
> >>
> >> Stefan
> >>
> >>
> >
>
>
>
> --
> Muhammad Saqib Ilyas
> PhD Student, Computer Science and Engineering
> Lahore University of Management Sciences
>
>
>
>


Re: Dynamic IP log retention = 0?

2009-03-13 Thread Joe Greco
> On Thu, Mar 12, 2009 at 8:52 PM, Joe Greco  wrote:
> > >   Well most port scanning is from compromised boxes.  Once a
> > >   box is compromised it can be used for *any* sort of attack.
> > >   If you really care about security you take reports of ports
> > >   scans seriously.
> >
> > Yeahbut, the real problem is that port scanning is typically used as
> > part of a process to infect _other_ boxes.  If you allow this sort of
> > illness to spread, the patient (that is, the Internet) doesn't get
> > better.
> 
> Port scanning is the Internet equivalent of the common cold. They're a dime
> a dozen.
> 
> I recommend taking some Vitamin B and D. Block, and Drop.

No, it's more comparable to the jerk who not only doesn't stay at home
with his cold, but actively walks around the workplace coughing and
sneezing without covering his mouth/nose with a kleenex, spraying people.

The reality is that it fails the "if everybody did this, would it be a
good thing" test.  While some "B&D" is common sense on the receiving end,
this does not make it any more correct for the originating site to let it 
keep happening.  If every PC on the Internet (conservatively, let's
assume a billion devices that are sufficiently sophisticated that they
could be infected) were to send you a single packet per day, you'd be
seeing over 10,000pps.  That should suggest that the behaviour is not
something to be encouraged.

My locking my doors does not mean it's okay for you to check if my door
is locked.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Multi-home with same provider, BGP convergence issues

2009-03-13 Thread Nicholas R. Cappelletti
Hello,

I have sort of an interesting problem, that probably has an easy fix.  I've run 
into a continuous BGP convergence problem on the cores of the network I 
administer every time I bring up both of our Savvis connections (we have a 
single OC-12 and 2 1GigE connections in a multi-hop configuration).

The connections are on separate border devices separated again by a set of 
core routers.  There is a set of core routers per building and each building 
has its own Savvis connection along with other connections from other 
providers.  All the equipment is Cisco gear.  We've been running with multiple 
connections from Savvis for some time, but recently reconfigured the GigE lines 
to multi-hop to help with balancing, only then, did we experience this BGP 
convergence issue.

From what my colleagues and I have read so far is that turning on "bgp 
deterministic-med" on all the BGP speaking devices should help in this 
situation, but I don't see how using MEDS is going to help us.

I can provide a .png of our current setup for reference or any further 
information needed.  Any help anyone can provide will be greatly appreciated.

---

Nick Cappelletti
n...@switchtower.org



The Cidr Report

2009-03-13 Thread cidr-report
This report has been generated at Fri Mar 13 21:13:26 2009 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
Date      Prefixes  CIDR Agg
06-03-09    288940    180094
07-03-09    289342    180309
08-03-09    289456    180310
09-03-09    289455    180230
10-03-09    289539    180436
11-03-09    289739    180492
12-03-09    289542    180833
13-03-09    289939    180722


AS Summary
 30907  Number of ASes in routing system
 13132  Number of ASes announcing only one prefix
  4321  Largest number of prefixes announced by an AS
AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc.
  89808640  Largest address span announced by an AS (/32s)
AS27064: DDN-ASNBLK1 - DoD Network Information Center


Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as 
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 13Mar09 ---
ASnum    NetsNow NetsAggr  NetGain   % Gain   Description

Table     289860   180735   109125    37.6%   All ASes

AS6389      4321      350     3971    91.9%   BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS4323      4243     1833     2410    56.8%   TWTC - tw telecom holdings, inc.
AS209       2842     1263     1579    55.6%   ASN-QWEST - Qwest Communications Corporation
AS4766      1815      529     1286    70.9%   KIXS-AS-KR Korea Telecom
AS17488     1529      326     1203    78.7%   HATHWAY-NET-AP Hathway IP Over Cable Internet
AS22773     1033       66      967    93.6%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS4755      1217      261      956    78.6%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS8452      1238      326      912    73.7%   TEDATA TEDATA
AS1785      1733      837      896    51.7%   AS-PAETEC-NET - PaeTec Communications, Inc.
AS8151      1442      628      814    56.4%   Uninet S.A. de C.V.
AS11492     1194      481      713    59.7%   CABLEONE - CABLE ONE, INC.
AS19262      959      248      711    74.1%   VZGNI-TRANSIT - Verizon Internet Services Inc.
AS7545       764      197      567    74.2%   TPG-INTERNET-AP TPG Internet Pty Ltd
AS6478      1287      727      560    43.5%   ATT-INTERNET3 - AT&T WorldNet Services
AS18101      753      195      558    74.1%   RIL-IDC Reliance Infocom Ltd Internet Data Centre,
AS3356      1172      616      556    47.4%   LEVEL3 Level 3 Communications
AS2706       544       26      518    95.2%   HKSUPER-HK-AP Pacific Internet (Hong Kong) Limited
AS22047      596      115      481    80.7%   VTR BANDA ANCHA S.A.
AS17908      601      122      479    79.7%   TCISL Tata Communications
AS4808       607      157      450    74.1%   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS7018      1449     1014      435    30.0%   ATT-INTERNET4 - AT&T WorldNet Services
AS24560      675      243      432    64.0%   AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS4134       927      506      421    45.4%   CHINANET-BACKBONE No.31,Jin-rong Street
AS9443       509       90      419    82.3%   INTERNETPRIMUS-AS-AP Primus Telecommunications
AS10620      827      415      412    49.8%   TV Cable S.A.
AS17676      530      119      411    77.5%   GIGAINFRA BB TECHNOLOGY Corp.
AS4668       691      284      407    58.9%   LGNET-AS-KR LG CNS
AS7011       953      552      401    42.1%   FRONTIER-AND-CITIZENS - Frontier Communications of America, Inc.
AS6471       440       62      378    85.9%   ENTEL CHILE S.A.
AS16814      491      130      361    73.5%   NSS S.A.

Total      37382    12718    24664    66.0%   Top 30 total


Possible B

BGP Update Report

2009-03-13 Thread cidr-report
BGP Update Report
Interval: 09-Feb-09 -to- 12-Mar-09 (32 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank ASN        Upds     % Upds/Pfx    AS-Name
 1 - AS9583   340993  7.2%   296.8 -- SIFY-AS-IN Sify Limited
 2 - AS3130    89740  1.9%   690.3 -- RGNET-3130 RGnet/PSGnet
 3 - AS6629    48665  1.0%   748.7 -- NOAA-AS - NOAA
 4 - AS35805   42241  0.9%   139.0 -- UTG-AS United Telecom AS
 5 - AS7643    38671  0.8%    34.9 -- VNN-AS-AP Vietnam Posts and Telecommunications (VNPT)
 6 - AS30890   35698  0.8%    79.9 -- EVOLVA Evolva Telecom
 7 - AS17974   35138  0.7%    69.4 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
 8 - AS5056    33187  0.7%   286.1 -- INS-NET-2 - Iowa Network Services
 9 - AS6458    30871  0.7%    85.5 -- Telgua
10 - AS30306   29280  0.6%  7320.0 -- AfOL-Sz-AS
11 - AS17488   27622  0.6%    16.8 -- HATHWAY-NET-AP Hathway IP Over Cable Internet
12 - AS4771    27137  0.6%   102.0 -- NZTELECOM Netgate
13 - AS29372   25369  0.5%   281.9 -- SFR-NETWORK SFR
14 - AS5050    24198  0.5%  1728.4 -- PSC-EXT - Pittsburgh Supercomputing Center
15 - AS27757   23122  0.5%   189.5 -- ANDINATEL S.A.
16 - AS9829    22760  0.5%    35.6 -- BSNL-NIB National Internet Backbone
17 - AS4648    22122  0.5%   107.9 -- NZIX-2 Netgate
18 - AS8103    19727  0.4%    32.8 -- STATE-OF-FLA - Florida Department of Management Services - Technology Program
19 - AS30969   19371  0.4%  2421.4 -- TAN-NET TransAfrica Networks
20 - AS20115   19086  0.4%    11.6 -- CHARTER-NET-HKY-NC - Charter Communications


TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank ASN        Upds     % Upds/Pfx    AS-Name
 1 - AS30306   29280  0.6%  7320.0 -- AfOL-Sz-AS
 2 - AS19017    5390  0.1%  5390.0 -- QUALCOMM-QWBS-LV - Qualcomm, Inc.
 3 - AS30287    4700  0.1%  4700.0 -- ALON-USA - ALON USA, LP
 4 - AS12500   12162  0.3%  4054.0 -- RCS-AS RCS Autonomus System
 5 - AS41343    5895  0.1%  2947.5 -- TRIUNFOTEL-ASN TRIUNFOTEL
 6 - AS28194    5460  0.1%  2730.0 -- 
 7 - AS30969   19371  0.4%  2421.4 -- TAN-NET TransAfrica Networks
 8 - AS8755     2070  0.0%  2070.0 -- CITYLINESPB-AS CityLine-SPb Autonomous System
 9 - AS48144    1882  0.0%  1882.0 -- NETWORKTECH Network Technology
10 - AS5050    24198  0.5%  1728.4 -- PSC-EXT - Pittsburgh Supercomputing Center
11 - AS35335    1627  0.0%  1627.0 -- ESSTU-AS East-Siberian State Technological University AS
12 - AS35410    9009  0.2%  1501.5 -- RU-LVS-AS LVS AS Number
13 - AS32398   11438  0.2%  1429.8 -- REALNET-ASN-1
14 - AS46328   10964  0.2%  1218.2 -- PTCNEBRASKA - PIERCE TELEPHONE COMPANY, INCORPORATED
15 - AS39107    2249  0.1%  1124.5 -- INTERLAN-AS Asociatia Interlan
16 - AS41382    1038  0.0%  1038.0 -- TELEPORT-AS Teleport LLC Network AS
17 - AS46781     916  0.0%   916.0 -- ASN1 - White Nile Group, Inc.
18 - AS19634     896  0.0%   896.0 -- HGL-22-ASN - Heidenreich GP, LLC
19 - AS46653    2601  0.1%   867.0 -- FREDRIKSON---BYRON - Fredrikson & Byron, P.A.
20 - AS29224    1676  0.0%   838.0 -- HELLMANN Hellmann Worldwide Logistics GmbH & Co KG


TOP 20 Unstable Prefixes
Rank Prefix              Upds     %   Origin AS -- AS Name
 1 - 221.134.32.0/24   32037  0.6%   AS9583  -- SIFY-AS-IN Sify Limited
 2 - 210.214.177.0/24  27706  0.5%   AS9583  -- SIFY-AS-IN Sify Limited
 3 - 221.135.105.0/24  27697  0.5%   AS9583  -- SIFY-AS-IN Sify Limited
 4 - 210.214.184.0/24  27562  0.5%   AS9583  -- SIFY-AS-IN Sify Limited
 5 - 210.214.232.0/24  27525  0.5%   AS9583  -- SIFY-AS-IN Sify Limited
 6 - 210.214.132.0/24  27428  0.5%   AS9583  -- SIFY-AS-IN Sify Limited
 7 - 210.214.156.0/24  27408  0.5%   AS9583  -- SIFY-AS-IN Sify Limited
 8 - 210.214.222.0/24  27343  0.5%   AS9583  -- SIFY-AS-IN Sify Limited
 9 - 210.214.146.0/24  27261  0.5%   AS9583  -- SIFY-AS-IN Sify Limited
10 - 210.214.117.0/24  26981  0.5%   AS9583  -- SIFY-AS-IN Sify Limited
11 - 210.210.127.0/24  26875  0.5%   AS9583  -- SIFY-AS-IN Sify Limited
12 - 72.23.246.0/24    24056  0.5%   AS5050  -- PSC-EXT - Pittsburgh Supercomputing Center
13 - 192.35.129.0/24   16266  0.3%   AS6629  -- NOAA-AS - NOAA
14 - 192.102.88.0/24   16109  0.3%   AS6629  -- NOAA-AS - NOAA
15 - 198.77.177.0/24   16028  0.3%   AS6629  -- NOAA-AS - NOAA
16 - 212.85.223.0/24   14248  0.3%   AS30306 -- AfOL-Sz-AS
17 - 212.85.220.0/24   14236  0.3%   AS19711 -- SWAZI-NET
                                     AS30306 -- AfOL-Sz-AS
18 - 190.152.100.0/24  12940  0.2%   AS27757 -- ANDINATEL S.A.
19 - 41.204.2.0/24     11173  0.2%   AS32398 -- REALNET-ASN-1
20 - 222.255.51.64/26  11063  0.2%   AS7643  -- VNN