Re: Shortest path to the world
On Wed, 15 Jul 2009, Leo Bicknell wrote:
> Quite frankly, your question reminds me a bit of the geography question "where is the center of the US?"
> http://en.wikipedia.org/wiki/Geographic_center_of_the_contiguous_United_States
> While nifty trivia, it actually has no useful value for, well, anything. If it did, there would be more there than a small monument.

Unless you were Federal Express, and wanted to understand where the center of your service area was to help pick better airport hub locations. Add in some offsets for time zones, weather, and even more complexity and your hub ends up in Memphis. Optimal can sometimes mean it's good enough; even the monument at the center of the United States isn't actually located at the precise center.

http://ardent.mit.edu/airports/ASP_exercises/ASP%20matl%20for%20posting%202007/UPS%20and%20FedEx%20Hub%20Operations%20Cosmas%20Martini.pdf

Operations research is filled with people trying to figure out the optimal number of hubs, hub locations, routes between them for all sorts of stuff. So where are the operations research people studying the Internet?
Re: Shortest path to the world
Sean Donelan wrote:
> The typical network architecture problem: what are the best (shortest latency, greatest bandwidth, etc) locations to connect to every nation in the world? As you increase the number of locations, how do the choices change? If you only had a small (2 3 5 7 11) number of locations, where would they be? And what data do you have to prove the choices are best?

Just a quick Wikipedia and Google search would provide you the answers to that:

http://en.wikipedia.org/wiki/List_of_countries_by_number_of_Internet_users
http://en.wikipedia.org/wiki/List_of_Internet_exchange_points_by_size
http://www.internetworldstats.com/stats.htm
http://www.internetworldstats.com/stats1.htm
http://www.internetworldstats.com/stats4.htm

etc... have fun with all that data!

Kind regards,

Michiel Klaver
IT Professional
Re: The actual value, from a security standpoint, of using a proxy domain registrar?
* Mike Lyon:
> So the question I have is this: What actual security are these proxy companies providing to the end-user?

You can register domains without alerting your competition that you plan to provide a particular service (which could be guessed based on the domain name). Or a merger is coming up, and you want to quietly get the domain for the new company name.

OTOH, there doesn't seem to be a legitimate long-term use for business purposes. (In my view, the secondary domain market is not legitimate---online advertisers keep it alive to artificially increase conversion rates, essentially defrauding brand owners who are structurally unable to cope with this situation.)

-- 
Florian Weimer <fwei...@bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
Re: Issues accessing hulu.com from new(ish) US range
Thanks to all that contacted me offlist and on, I believe it should be sorted shortly in all the relevant databases.

Thanks again,
Chris
Re: Shortest path to the world
On Thu, Jul 16, 2009 at 4:14 AM, Michiel Klaver <mich...@klaver.it> wrote:
> Sean Donelan wrote:
>> The typical network architecture problem: what are the best (shortest latency, greatest bandwidth, etc) locations to connect to every nation in the world? As you increase the number of locations, how do the choices change? If you only had a small (2 3 5 7 11) number of locations, where would they be? And what data do you have to prove the choices are best?
>
> Just a quick Wikipedia and Google search would provide you the answers to that:
> http://en.wikipedia.org/wiki/List_of_countries_by_number_of_Internet_users

It's possibly useful to take into consideration _overall_ population, since broadband penetration is likely to grow in a population vs. remain stagnant or decrease. That may suggest that the largest submarine cable landing point aggregators (Telehouse, 111 8th, etc. NOTA MIA) would be optimal for shortest reach to multitudes of networks and large amounts of capacity, and give you reach as well as decent performance.

My picks were NOTA facing the Americans, 118th/60 Hudson US, and Telehouse London for Europe. I'm not suggesting that an IX is required. Would be nice to keep costs down if that's also part of the objective, but not required.

There's a project that is mapping datacenters onto Google Earth globally and if I could recall the URL I would suggest that a visualization of these answers may be interesting.

Best Regards,

Martin

-- 
Martin Hannigan mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Data Centers and Occupants
Re: The actual value, from a security standpoint, of using a proxy domain registrar?
On Wed, Jul 15, 2009 at 03:13:26PM -0700, Ray Sanders wrote:
> A lot of these places use scare tactics to convince domain buyers that privacy is essential, otherwise one would get spam, telemarketing calls and junk mail. Well, that's partly true, as some companies do scrape whois data.

Not so much anymore. It's far more cost-effective and efficient for them to buy the data in bulk, and there are plenty of suppliers offering it. Now as to whether they're bad actors inside registrars, or registrars themselves, or folks who've cracked registrar security and helped themselves to the contents of their databases: who knows? But the bottom line is that the data's out there.

---Rsk
Quick question about inbound route-selection
Howdy,

Keep in mind I am basing this 'idea' off of Fixed Orbit's data which can sometimes be a bit out of date, etc.

(In theory, and based upon number of peers, data:) If you have a network with these upstream connections to the Internet you should see inbound traffic utilization in this order:

AS     Name
3356   Level3
7018   ATT
3549   Global Crossing
4323   Time Warner Telecom
10796  TimeWarnerCable/RR

I am trying to determine why I am seeing it in this order:

3356   Level3
4323   Time Warner Telecom
3549   Global Crossing
10796  TimeWarnerCable/RR
7018   ATT

I suppose there is a certain level of convergence where these providers inter-connect, and also the source network of the traffic plays a big part of it, i.e. if most of the sources are directly connected to Level3, etc. I am mainly wondering why 7018 sends us such a little amount compared to even 10796.

Also, with the providers already connected, if we added a new one, which one would (in your opinion) benefit us the most on spreading the inbound traffic out better? I realize that we can use communities, and prepends to control the inbound flow, I am just speaking from a purely natural standpoint.

thanks,
-Drew
Re: Quick question about inbound route-selection
On Thu, Jul 16, 2009 at 09:45:24AM -0400, Drew Weaver wrote:
> Howdy, Keep in mind I am basing this 'idea' off of Fixed Orbit's data which can sometimes be a bit out of date, etc.

Understatement.

[snip]

> I realize that we can use communities, and prepends to control the inbound flow, I am just speaking from a purely natural standpoint.

Since your inbound is someone else's outbound, presuming any kind of "natural" flow without accounting for the remote end's sending policies is unreasonable.

Cheers,

Joe

-- 
RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Re: Shortest path to the world
In a message written on Thu, Jul 16, 2009 at 02:07:12AM -0400, Sean Donelan wrote:
> Unless you were Federal Express, and wanted to understand where the center of your service area was to help pick better airport hub locations. Add in some offsets for time zones, weather, and even more complexity and your hub ends up in Memphis. Optimal can sometimes mean it's good enough; even the monument at the center of the United States isn't actually located at the precise center.

The center of FedEx's world has nothing to do with geography, it has to do with flight times. JFK's perennial 1 hour delays make that flight an hour longer, even though it is no further away. Also, if I had 20 flights to the east coast, and 1 flight to the west coast, I may well shift my center east, choosing to burn more fuel and time on one flight to save fuel on 20.

Oh yeah, and then there are the other hubs in Indianapolis, Fort Worth, Oakland, Newark, Anchorage, Paris, Guangzhou, Toronto and Miami. Guess Memphis isn't the best, all by itself.

Anchorage you might say? That's odd. Well, turns out a fully loaded freight aircraft has trouble making it from many Asian countries to the US on one tank of fuel. If you have to stop to refuel you might as well sort some packages while you're waiting for it to pump into the plane.

> Operations research is filled with people trying to figure out the optimal number of hubs, hub locations, routes between them for all sorts of stuff. So where are the operations research people studying the Internet?

At every ISP and content provider out there. The answer is different for every company. FedEx and UPS don't have the same hubs, because they don't serve the same customer base. Akamai, NTT, and DTAG all have different points of presence based on their customer bases. Each one has the optimal network for their customer base.

Your question is akin to "tell me the best car, house, boat, airline, ISP, operating system." Magazines love to crown the king, but we all know making the right choice has orders of magnitude more to do with your specific situation than it does with the product or service in the abstract.

-- 
Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
RE: The actual value, from a security standpoint, of using a proxy domain registrar?
> I am curious what others in the industry think on this topic. When one registers a domain they can put in their real information or they can use a proxy, like Go-Daddy's Domains By Proxy.

More food for thought:

http://blog.easydns.org/archives/247-Why-we-do-not-offer-Whois-masking-at-easyDNS.html#extended

~JasonG
Re: Quick question about inbound route-selection
On Thu, Jul 16, 2009 at 09:45:24AM -0400, Drew Weaver wrote:
> I realize that we can use communities, and prepends to control the inbound flow, I am just speaking from a purely natural standpoint.

I don't know where people are getting this "natural" BGP path selection concept from, but it is completely misguided and needs to be corrected before any more misinformation is spread. On the modern Internet, the vast majority of paths look pretty much the same across any major networks, even via metrics as irrelevant as as-path hop length. A "natural" path selection would be based on such garbage data as who has the lowest router id, which network has the smallest numeric value in their IGP cost scheme when setting MEDs, or the wonderfully non-deterministic "which path has been up the longest".

I recently heard some complaints from a bunch of customers who were upset that they couldn't send us any traffic using "natural" BGP, and they didn't want to artificially alter BGP's best path selection with route-maps and localprefs. After trying to explain that there was really no such thing as natural BGP, and having it fall on deaf ears, I went to take a look at their routing tables to see what they were talking about. It turned out that we were sending them MED values based on our IGP costs while their other networks were sending them 0's, which was making the tie-breaking decision go the other way for the vast majority of the routes.

The BGP best path selection algorithm is really nothing special, it provides almost no useful data for selecting between major well connected networks on the modern Internet, and if you refuse to alter any attributes you're going to end up with a giant mess of path selection which would be better accomplished by asking a magic 8ball.

As for trying to determine where your inbound traffic is coming from by looking at "natural" BGP, this is absolutely impossible to do correctly. First off, your inbound is someone else's outbound, and the person sending the traffic outbound is in complete and total control. The vast majority of the traffic on the Internet is being picked by local-prefs based on policies like "what does this make/cost me monetarily" or "which major networks can I grab in a simple as-path regexp to balance some traffic". But even if you ignore all of that, the "natural" path selection is based on criteria which is specific to the other network or even to a specific session which you can't possibly know about remotely (e.g. their router id).

-- 
Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Border routers
Hello guys,

I need to buy 2 border routers to handle 2 155Mbps links using BGP full routes with each ISP. What should I analyse in the routers' hardware?

I'm asking for:
- 1 GB of RAM, expandable to 1.5 GB
- 1,000,000 FIB capacity in hardware (since 512K won't be enough soon)
- 1,000,000 RIB capacity

What do you recommend to ask for? Are these specifications ok? Do I need more RAM or less FIB? Is there any site I can use to see specifications for border routers? Does anyone know of any PoC involving routers?

-- 
[]'s
Lívio Zanol Puppim
Re: The actual value, from a security standpoint, of using a proxy domain registrar?
On Jul 16, 2009, at 4:27 AM, Florian Weimer wrote:
> OTOH, there doesn't seem to be a legitimate long-term use for business purposes. (In my view, the secondary domain market is not legitimate---online advertisers keep it alive to artificially increase conversion rates, essentially defrauding brand owners who are structurally unable to cope with this situation.)

Don't be myopic about this. There are very legitimate business cases for these services.

Example: I work for a VoIP provider that sells to large customers. Their customers sell to smaller customers that want to operate their own small scale VoIP business. No one 2 or 3 levels down knows who we are, and the people upstream want it that way. Sure, most have their own domain names, but maintaining that for SBCs and very small customers who don't have/want their own domain name (to check call logs, etc) simply isn't feasible (you can doubt this assertion, but unless you know the middle eastern VoIP markets you have no business doing so).

Solution? Generic sounding domain name with private registration. Cheap. Effective. Done.

Daryl
Re: Shortest path to the world
On Wed, 15 Jul 2009 22:03:56 +0900, Randy Bush said:
>> The typical network architecture problem: what are the best (shortest latency, greatest bandwidth, etc) locations to connect to every nation in the world? As you increase the number of locations, how do the choices change? And what data do you have to prove the choices are best?
>
> it would help if you said how you measure 'best' or 'better'.

Given that it's Sean asking, I have to conclude he's either dropping a very interesting thought experiment on us, or he's just trolled us, with a long list of well-known names replying. Quite possibly both at once.

Well played, Sean. ;)
Re: The actual value, from a security standpoint, of using a proxy domain registrar?
> Example: I work for a VoIP provider that sells to large customers. Their customers sell to smaller customers that want to operate their own small scale VoIP business. No one 2 or 3 levels down knows who we are, and the people upstream want it that way.

Sure.

> Solution? Generic sounding domain name

Right.

> with private registration.

Wrong. Proxy registration just makes you look sleazy. Voxbone does just dandy as a VoIP wholesaler without proxy registration. What do they know that you don't?

Some proxy registration is just stupid, e.g., there's proxy registration for betamax.com, but not for their brands such as voipdiscount.com, phonefreecalls.com, internetcalls.com, and nowcall.com.

R's,
John

PS:
Re: The actual value, from a security standpoint, of using a proxy domain registrar?
> From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Wed Jul 15 16:52:59 2009
> Date: Wed, 15 Jul 2009 14:52:44 -0700
> Subject: The actual value, from a security standpoint, of using a proxy domain registrar?
> From: Mike Lyon mike.l...@gmail.com
> To: NANOG nanog@nanog.org
>
> Howdy,
>
> I am curious what others in the industry think on this topic. When one registers a domain they can put in their real information or they can use a proxy, like Go-Daddy's Domains By Proxy.
>
> Now, personally, I would prefer just to get a PO Box and put that address on my domain info instead of doing a proxy. I could also put down a phone number in the registration that just goes to my general business phone line which is just a DVR.
>
> So the question I have is this: What actual security are these proxy companies providing to the end-user?
>
> My company website has my real address, my real phone number, exec bio's and pictures of them yet upper management (and our marketing company) think using a proxy is a good thing. What's the difference between using a proxy vs using a PO Box except that a PO Box is cheaper?
>
> I'd just like to get thoughts from others to see what the general feeling is on this topic.
>
> Cheers,
> Mike
RE: Quick question about inbound route-selection
> As for trying to determine where your inbound traffic is coming from by looking at "natural" BGP, this is absolutely impossible to do correctly. First off, your inbound is someone else's outbound, and the person sending the traffic outbound is in complete and total control. The vast majority of the traffic on the Internet is being picked by local-prefs based on policies like "what does this make/cost me monetarily" or "which major networks can I grab in a simple as-path regexp to balance some traffic". But even if you ignore all of that, the "natural" path selection is based on criteria which is specific to the other network or even to a specific session which you can't possibly know about remotely (e.g. their router id).

Another way to say what Richard is getting at (which was full of good information) is: Just because you aren't modifying what your BGP process sees, at this stage of the Internet's maturity, it is safe to assume almost everyone else is. Therefore, rather than pray for BGP to make a logical selection, even though it's *probably* being fed prefs based on other people's engineering, you should take charge of the parts you can.

HTH,

Deepak Jain
AiNET
Probes from root servers
One of our IP addresses is being probed by up to 8 of the 13 root dns servers every 15 seconds. I'm looking for input on how to contact the admins for the servers or perhaps a way to figure out if perhaps someone is spoofing the affected customer IP address, causing the root servers to send the following:

sh mls netflow ip destination 74.1.32.205 /32 module 2
Displaying Netflow entries in module 2
DstIP          SrcIP          Prot:SrcPort:DstPort  Src i/f  :AdjPtr
Pkts  Bytes  Age  LastSeen  Attributes
--------------------------------------------------------------------
74.1.32.205    193.0.14.129   udp :dns:1039         Fa2/11   :0x0
00 1 22:49:03 L3 - Dynamic
74.1.32.205    202.12.27.33   udp :dns:1039         Fa2/11   :0x0
00 2 22:49:03 L3 - Dynamic
74.1.32.205    192.36.148.17  udp :dns:1039         Fa2/11   :0x0
00 2 22:49:03 L3 - Dynamic

Is it practical to attempt to work the issue with the root server admins or is it quite likely this is spoofing and there's no hope to track this down?

Thanks,
Kris
Re: Quick question about inbound route-selection
On Thu, Jul 16, 2009 at 06:32:32PM -0400, Deepak Jain wrote:
>> As for trying to determine where your inbound traffic is coming from by looking at "natural" BGP, this is absolutely impossible to do correctly. First off, your inbound is someone else's outbound, and the person sending the traffic outbound is in complete and total control. The vast majority of the traffic on the Internet is being picked by local-prefs based on policies like "what does this make/cost me monetarily" or "which major networks can I grab in a simple as-path regexp to balance some traffic". But even if you ignore all of that, the "natural" path selection is based on criteria which is specific to the other network or even to a specific session which you can't possibly know about remotely (e.g. their router id).

I would actually disagree with that and go one step further. Look at content providers. They're not concerned about best path. They're not even concerned about shortest path. Since bandwidth consuming services are what they provide, they're interested in cheapest path as much as they are the shortest path.

> Another way to say what Richard is getting at (which was full of good information) is: Just because you aren't modifying what your BGP process sees, at this stage of the Internet's maturity, it is safe to assume almost everyone else is. Therefore, rather than pray for BGP to make a logical selection, even though it's *probably* being fed prefs based on other people's engineering, you should take charge of the parts you can.

Take the traffic shaping products. They completely override the normal BGP mechanisms and force traffic out a given circuit. So as long as there is a usable route down that interface, it will get used whether the neighbor wants it or not.

The long and short of it is that via MEDs, prepending, and your neighbor's community policies, you can *hint* where you want traffic to come in but ultimately you may have very little say in the matter. (Community exchanges are probably the best mechanism since the existence of them in your peer's network means they will be most likely to honor your hints.)

As Deepak indicated, don't rely on the protocol's best effort. Take control of your own world wherever you can. It's the only way to ensure a good measure of predictability.

-Wayne

---
Wayne Bouchard
w...@typo.org
Network Dude
http://www.typo.org/~web/
Re: Border routers
Livio,

You can use one M7i from Juniper Networks (new 09 bundle with enhanced cfeb):

- 1 x M7iE-5GE-RE850-US-B or M7iE-2GE-RE850-US-B
- 1 x PE-2OC3-SON-SFP

It will work very well for your environment.

Att,
Giuliano
Re: Probes from root servers
On Thu, 16 Jul 2009 15:56:29 -0700 Pederson, Krishna <peder...@covad.com> wrote:
> One of our IP addresses is being probed by up to 8 of the 13 root dns servers every 15 seconds. I'm looking for input on how to contact the admins for the servers or perhaps a way to figure out if perhaps someone is spoofing the affected customer IP address, causing the root servers to send the following:

Hi Krishna,

You may want to make sure a second set of eyes confirms that these are not real responses to real queries from 74.1.32.205. If you're certain there are no outgoing queries that solicit these messages, how about getting a peek inside those packets? If you can do that, you should be able to get a better idea of what may be happening.

It is somewhat peculiar that the destination port is 1039 in the 3 flow records you've shown and that you're only seeing packets from 8 of the 13 root addresses. It's a clue, but inconclusive. It seems like it might be legitimate traffic from a resolver that is not doing source port randomization. Being that it's only every 15 seconds, that would seem too slow for an attack against 74.1.32.205, poisoning or otherwise. Could be backscatter.

I can't speak for the root ops, but I think they would prefer you perform a bit more investigation if you can.

John
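Added example, not code from Krishna, John or the root operators: a Python triage of the flow records in the original post along the lines John suggests. It parses records laid out like the "show mls netflow ip" output, keeps only DNS replies (source port dns) from root-server addresses to the customer IP, and checks whether they all land on one fixed destination port, which is the symptom shared by a resolver without source port randomization and by backscatter from spoofed queries. The sample records are constructed (only the three root addresses come from the thread; the full list should be loaded from the root hints file, which is an assumption noted in the code), and the verdict points at the next check rather than pretending the flow data alone can settle it.

```python
from collections import Counter

# Root-server addresses that appear in the thread's flow records (K, M and I root,
# 2009 addresses). Assumption: a real check loads the complete set from the root
# hints file (named.root) rather than this subset.
ROOT_SERVER_IPS = {"193.0.14.129", "202.12.27.33", "192.36.148.17"}

# Constructed sample records, one per line, in the column order of the original
# output: dst, src, proto:sport:dport, interface, adjacency, pkts, bytes, age,
# last-seen, attributes. The last line is a non-root resolver reply for contrast.
SAMPLE_FLOWS = """\
74.1.32.205  193.0.14.129   udp:dns:1039   Fa2/11 :0x0  1   90  15  22:49:03  L3 - Dynamic
74.1.32.205  202.12.27.33   udp:dns:1039   Fa2/11 :0x0  2  180  15  22:49:03  L3 - Dynamic
74.1.32.205  192.36.148.17  udp:dns:1039   Fa2/11 :0x0  2  180  15  22:49:03  L3 - Dynamic
74.1.32.205  198.51.100.7   udp:dns:42317  Fa2/11 :0x0  1  120   3  22:49:10  L3 - Dynamic
"""


def parse_flows(text):
    """Turn flow lines into dicts; lines that do not have the expected columns are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or parts[2].count(":") != 2:
            continue
        proto, sport, dport = parts[2].split(":")
        flows.append({
            "dst": parts[0], "src": parts[1], "proto": proto,
            "sport": sport, "dport": dport, "intf": parts[3],
            "pkts": int(parts[5]), "bytes": int(parts[6]), "age": int(parts[7]),
            "last_seen": parts[8], "attrs": " ".join(parts[9:]),
        })
    return flows


def assess_root_responses(flows, target):
    """Summarise DNS replies that root servers are sending to target.

    Replies from several roots to one fixed UDP port mean either a local resolver
    that does not randomise its source port, or backscatter from queries someone
    else sent with target as the spoofed source. Separating the two needs the
    packet payload (or a capture of target's outbound queries), so the verdict
    names that check instead of guessing.
    """
    replies = [f for f in flows
               if f["dst"] == target and f["proto"] == "udp" and f["sport"] == "dns"]
    from_roots = [f for f in replies if f["src"] in ROOT_SERVER_IPS]
    ports = Counter(f["dport"] for f in from_roots)
    result = {
        "root_sources": sorted(f["src"] for f in from_roots),
        "dst_ports": dict(ports),
        "fixed_port": len(ports) == 1 and len(from_roots) >= 2,
    }
    if not from_roots:
        result["verdict"] = "no root-server replies to target"
    elif result["fixed_port"]:
        result["verdict"] = ("fixed destination port: capture traffic at target to see whether "
                             "it sends matching queries (fixed-port resolver) or these replies "
                             "are unsolicited (backscatter from spoofed queries)")
    else:
        result["verdict"] = "varying destination ports: consistent with a randomising resolver's own queries"
    return result


if __name__ == "__main__":
    report = assess_root_responses(parse_flows(SAMPLE_FLOWS), "74.1.32.205")
    for key, value in report.items():
        print(f"{key}: {value}")
```

On the constructed input the three root replies all target port 1039, so the report flags a fixed port and defers to a packet capture; the reply from 198.51.100.7 is ignored because it is not a root address, which is also why the script should be fed the full root hints list before being trusted on real data.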