Re: Any Google Mail admins on the list?
Please tell me if you get any feedback, as far as I know Gmail admins are not more connected to the world than hotmail's. Still, Gmail relies on domainkey/dkim, which could save your day. Mike Lyon a écrit : Howdy All, Trying to resolve a possible Google Mail blockage from a certain domain. Would like to check to see if you are blocking this domain or not. If you are with google and could help, please hit me up off-list. Cheers, Mike
RE: Cisco VSS-1440 migration query
Thanks to all on this. I've pretty much mitigated this by creating a VSS-ized version of the interface configs (chassis/slot/port) which I can then re-inject back into the system config after conversion. Shame that switch1 keeps its config and simply renumbers the interfaces, but switch2 just says I here am new .. but oh well. Leland On Mon, 2009-10-19 at 17:04 -0400, Mishka, Jason wrote: On Mon, 2009-10-19 at 13:06 -0400, Jason Giles wrote: From my test, all physical interfaces configs on switch 2 are factory defaulted and SVI interfaces deleted on switch 2 upon running the conversion commands. When you convert to vss mode the interfaces are renamed. The interface in switch 2 that was g1/1 becomes 2/1/1. Any configuration applied to g1/1 will be rejected because that interface no longer exists. If you intended to keep interface configuration, you will need to reapply that to the new interface name. Jason
Re: 109/8 - not a BOGON
I've found pinging a polite email to the whois contact on the ASN - sometimes- gives useful results, but not always. Be aware that you're not only dealing with router black-holes, but seemingly some people have applied bogon filtering to their BIND name servers also. If you can provide a non bogon IP within the same AS, it can be useful for the person at the other end-- shows them they have a problem. -Shane On 20/10/2009, at 4:51 PM, Matthew Walster wrote: 2009/10/10 Matthew Palmer mpal...@hezmatt.org A pingable address in the problem range would help people to quickly evaluate whether they have a problem in their network or upstreams... The router has the address 109.68.64.1 - saves giving out customer's IP. Does anyone have any recommendations for dealing with BOGON space that hasn't been defiltered by networks? Any ideas how to get people to update filter lists? Matthew Walster
Re: Science vs. bullshit
The thing about the data I presented, however, is that it is _differential_ ... it says set your knobs, look at four days over four years, and let's see if the migration among populations seems consistent. as we discussed this morning, this has the problem of not knowing how much of the change is in the lens through which you are looking and how much is in that at which you are looking. bgp is way too damned good at information hiding. randy
Re: 109/8 - not a BOGON
On 10/20/2009 8:01 AM, Shane Short wrote: I've found pinging a polite email to the whois contact on the ASN -sometimes- gives useful results, but not always. Be aware that you're not only dealing with router black-holes, but seemingly some people have applied bogon filtering to their BIND name servers also. If you can provide a non bogon IP within the same AS, it can be useful for the person at the other end-- shows them they have a problem. References to documents on bogon best practices are a good idea when trying to contact WHOIS contacts as well - our bogon reference page and the IANA IPv4 address space assignments page are probably good places to start on that: http://www.team-cymru.org/Services/Bogons/ http://www.iana.org/assignments/ipv4-address-space/ Shane makes a good point about BIND and other configs - we actually stopped including static bogons in our BIND and BGP/JunOS templates earlier this year because we found they were being used and not updated, despite our warnings not to do so. Best regards, Tim Wilde -- Tim Wilde, Senior Software Engineer, Team Cymru, Inc. twi...@cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
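The stale static bogon list described in this message, as an added example (not code from Team Cymru or from anyone in the thread): a Python audit that pulls every IPv4 prefix out of a filter config and reports entries that overlap space that has since been assigned. The sample filter and the `ASSIGNED` list are constructed; only 109.0.0.0/8 and the test address 109.68.64.1 come from the thread.

```python
import ipaddress
import re

# Matches dotted-quad CIDR tokens such as 10.0.0.0/8 anywhere in a config line.
CIDR_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\b")

# Constructed sample: a static filter of the kind that gets pasted into a
# router or name server config and then never updated.
SAMPLE_FILTER = """\
ip prefix-list BOGONS seq 5 deny 10.0.0.0/8 le 32
ip prefix-list BOGONS seq 10 deny 109.0.0.0/8 le 32
ip prefix-list BOGONS seq 15 deny 192.168.0.0/16 le 32
"""

# Assumption: prefixes that are no longer bogons. In practice this list is
# built from the IANA IPv4 address space registry linked in the message.
ASSIGNED = [ipaddress.ip_network("109.0.0.0/8")]


def filter_prefixes(text):
    """Return (line number, network) for every IPv4 prefix found in text."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for token in CIDR_RE.findall(line):
            try:
                found.append((lineno, ipaddress.ip_network(token, strict=False)))
            except ValueError:
                continue  # looked like a prefix but is not valid (e.g. 300.1.1.1/8)
    return found


def stale_entries(text, assigned=ASSIGNED):
    """Filter entries that overlap assigned space, including aggregates."""
    hits = []
    for lineno, net in filter_prefixes(text):
        for live in assigned:
            if net.overlaps(live):
                hits.append((lineno, str(net), str(live)))
    return hits


def is_filtered(addr, text):
    """True if addr falls inside any prefix listed in the filter."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for _, net in filter_prefixes(text))


if __name__ == "__main__":
    for lineno, entry, live in stale_entries(SAMPLE_FILTER):
        print(f"line {lineno}: {entry} overlaps assigned {live}")
    print("109.68.64.1 filtered:", is_filtered("109.68.64.1", SAMPLE_FILTER))
```

Because the check uses overlap rather than equality, an aggregated entry that covers the assigned block is reported as well.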
[NANOG-announce] 2009 Elections
Everyone: Hope all at NANOG47 in person or remote are enjoying a great Program!! A couple of reminders PC Nominations have closed. Merit is working to process the last minute nominations and acceptance. As soon as we catch up the information will be posted on the website. MLC Nominations continue. 2009 Election process closes at 9:15 Wednesday am. Please do support the process, it is your community... so VOTE! http://nanog.org/governance/elections/2009elections/ Lastly, we need your input, do take a moment and complete the survey! http://www.surveymonkey.com/s.aspx?sm=OGYmCMKmi88ROAl_2fPAlEHw_3d_3d All Best. Betty Merit and SC representative
2009.10.20 NANOG47 Day 2 notes, morning sessions
Here's my notes from this morning's sessions. :) Off to lunch now! Matt 2009.10.20 NANOG day 2 notes, first half Dave Meyer kicks things off at 0934 hours Eastern time. Survey! Fill it out! http://tinyurl.com/nanog47 Cathy Aaronson will start off with a remembrance of Abha Ahuja. She mentored, chaired working groups, she helped found the net-grrls group; she was always in motion, always writing software to help other people. She always had a smile, always had lots to share with people. If you buy a tee shirt, Cathy will match the donation. John Curran is up next, chairman of ARIN Thanks to NANOG SC and Merit for the joint meeting; Add your operator perspective! Vote today in the NRO number council election! You can vote with your nanog registration email. https://www.arin.net/app/election Join us tonight for open policy hour (this room) and happy hour (rotunda) Participate in tomorrow's IPv6 panel discussion and the rest of the ARIN meeting. You can also talk to the people at the election help desk. During the open policy hour, they'll discuss the policies currently on the table. And please join in the IPv6 panel tomorrow! If you can, stay for the ARIN meeting, running through Friday. This includes policy for allocation of ASN blocks to RIRs Allocation of IPv4 blocks to RIRs Open access to IPv6 (make barriers even lower) IPv6 multiple discrete networks (if you have non connected network nodes) Equitable IPv4 run-out (what happens when the free pool gets smaller and smaller!) Tomorrow's Joint NANOG panel IPv6--emerging success stories Whois RESTful web service Lame DNS testing Use of ARIN templates consultation process ongoing now; do we want to maintain email-based access for all template types?
Greg Hankins is up next for 40GbE and 100GbE standards update--IEEE P802.3ba Lots of activity to finalize the new standards specs many changes in 2006-2008 as objectives first developed After draft 1.0, less news to report as task force started comment resolution and began work towards the final standard Finished draft 2.2 in august, crossing Is, dotting Ts Working towards sponsor ballot and draft 3.0 On schedule for delivery in June 2010 Copper interface moved from 10meter to 7meter. 100m on multimode, added 125m on OM4 fiber, slightly better grade. CFP is the module people are working towards as a standard. Timeline slide--shows the draft milestones that IEEE must meet. It's actually hard to get hardware out the door based around standards definitions. If you do silicon development and you jump in too fast, the standard can change under you; but if you wait too long, you won't be ready when the standard is fully ratified. July 2009, Draft 2 (2.2), no more technical changes, so MSAs have gotten together and started rolling out pre-standard cards into market. Draft 3.0 is big next goal, it goes to ballot for approval for final standards track. After Draft 3.0, you'll see people start ramping up for volume production. Draft 2.x will be technically complete for WG ballot tech spec finalized first gen pre-standard components have hit market technology demonstrations and forums New media modules: QSFP modules created for high density short reach interfaces (came from Infiniband) Used for 40GBASE-CR4 and 40GBASE-SR4 CXP modules proposed for infiniband and 100GE 12 channels 100GbE uses 10 of 12 channels used for 100GBASE-10 CFP Modules long reach apps big package used for SR4, LR4, SR10, LR4, ER4 about twice the size of a Xenpak 100G and 40G options for it. 
MPO/MTP cable multi-fiber push-on high-density fiber option 40GBASE-SR4 12 fiber MPO uses 8 fibers 100GBASE-SR10 24 fiber MPO cable, uses 20 fibers this will make cross connects a challenge Switches and Routers several vendors working on pre-standard cards, you saw some at beer and gear last night. Alcatel, Juniper First gen tech will be somewhat expensive and low density geared for those who can afford it initially and really need it. Nx10G LAG may be more cost effective higher speed interfaces will make 10GbE denser and cheaper Density improves as vendors develop higher capacity systems to use these cards density requires 400Gbps/slot for 4x100GbE ports Cost will decrease as new technology becomes feasible. Future meetings September 2009, Draft 2.2 comment resolution Nov 2009 plenary Nov 15-20, Atlanta Draft 3.0 and sponsor ballot http://grouper.ieee.org/groups/802/3/ba/index.html You have to go to meeting to get password for the draft, unfortunately. Look at your roadmap for next few years get timelines from your vendors optical gear, switches, routers server vendors transport and IP transit providers, IXs Others? figure out what is missing and ask for it will it work with your optical systems what about your cabling infrastructure 40km 40GbE Ethernet OAM Jumbo frames? There's no 40km offering now; if you need it, start asking for it! Demand for other interfaces standard defines a
streaming problems
Or is it just me? None seem to come up now.
Amazon's EC2 Security contact
Hey all, apologies for shooting this on this list, but I've had greater success here. Anyone have a SECURITY contact for Amazon Web Services, Elastic Compute Cloud, EC2 outside of the typical: whois -h whois.arin.net $THEIRSPACE|grep @ I'm looking at a delicate situation here and would appreciate any OOB/non-tech-sup-spool-box contact. -- =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ J. Oquendo SGFA, SGFE, C|EH, CNDA, CHFI, OSCP It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you'll do things differently. - Warren Buffett 227C 5D35 7DCB 0893 95AA 4771 1DCE 1FD1 5CCD 6B5E http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x5CCD6B5E
Subject: Amazon's EC2 Security contact
secur...@amazon.com Little birdies from Amazon said that's the best contact point. Message: 4 Date: Tue, 20 Oct 2009 17:40:39 -0400 From: J. Oquendo s...@infiltrated.net Subject: Amazon's EC2 Security contact To: NANOG list nanog@nanog.org Message-ID: 4ade2e57.9030...@infiltrated.net Content-Type: text/plain; charset=ISO-8859-1 Hey all, apologies for shooting this on this list, but I've had greater success here. Anyone have a SECURITY contact for Amazon Web Services, Elastic Compute Cloud, EC2 outside of the typical: whois -h whois.arin.net $THEIRSPACE|grep @ I'm looking at a delicate situation here and would appreciate any OOB/non-tech-sup-spool-box contact.
Re: ISP customer assignments
On Mon, Oct 19, 2009 at 7:07 PM, Nathan Ward na...@daork.net wrote: On 20/10/2009, at 3:02 PM, Bill Stewart wrote: plus want the ability to take their address space with them when they change ISPs (because there are too many devices and applications that insist on having hard-coded IP addresses instead of using DNS, and because DNS tends to get cached more often than you'd sometimes like. That's why we have Unique Local Addresses. This is the opposite problem - ULAs are for internal devices, and what businesses often want is globally routable non-provider-owned public addresses. If you've got a VPN tunnel device, too often the remote end will want to contact you at some numerical IPv4 address and isn't smart enough to query DNS to get it. And even though most enterprises these days only use registered addresses outside the firewall and not inside the firewall, it's still a pain to have to renumber everything and wait for everybody's DNS caches to expire, so if you're using Provider-independent IP addresses, it's much easier to tell your ISP Sorry, ISP A, I've got a better price from ISP B and I'll move all my stuff if you don't beat their price. (Of course, customers like that are often telling ISP B You'll have to be X% cheaper/faster/somethinger than ISP A or I'll just stay where I am and telling ISP C My main choices are ISP A and ISP B but I'd take a lowball quote very seriously...) -- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: ISP customer assignments
In message 18a5e7cb0910201638j7a24a10dwb8440a42f8f9c...@mail.gmail.com, Bill Stewart writes: On Mon, Oct 19, 2009 at 7:07 PM, Nathan Ward na...@daork.net wrote: On 20/10/2009, at 3:02 PM, Bill Stewart wrote: plus want the ability to take their address space with them when they change ISPs (because there are too many devices and applications that insist on having hard-coded IP addresses instead of using DNS, and because DNS tends to get cached more often than you'd sometimes like. That's why we have Unique Local Addresses. This is the opposite problem - ULAs are for internal devices, and what businesses often want is globally routable non-provider-owned public addresses. If you've got a VPN tunnel device, too often the remote end will want to contact you at some numerical IPv4 address and isn't smart enough to query DNS to get it. Which just means we should be fixing the VPN box. And even though most enterprises these days only use registered addresses outside the firewall and not inside the firewall, it's still a pain to have to renumber everything and wait for everybody's DNS caches to expire, so if you're using Provider-independent IP addresses, it's much easier to tell your ISP Sorry, ISP A, I've got a better price from ISP B and I'll move all my stuff if you don't beat their price. (Of course, customers like that are often telling ISP B You'll have to be X% cheaper/faster/somethinger than ISP A or I'll just stay where I am and telling ISP C My main choices are ISP A and ISP B but I'd take a lowball quote very seriously...) Renumbering in IPv6 is not the same as renumbering in IPv4. IPv6 is designed to support multiple prefixes on the one interface. There is actually enough address space to support doing this and allow renumber events to take weeks or months if needed. There is no need to say at XX:XX on DD/MM/ we will be switching prefixes. One can be much smarter about how you do it. You can just introduce the new prefix. Add second address to the DNS. 
Do your manual fixes. Remove the old addresses from the DNS. Stop using the old prefix when you are satisfied that there is no traffic over them. -- Thanks; Bill Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: ISP customer assignments
There is no need to say at XX:XX on DD/MM/ we will be switching prefixes. One can be much smarter about how you do it. You can just introduce the new prefix. Add second address to the DNS. Do your manual fixes. Remove the old addresses from the DNS. Stop using the old prefix when you are satisfied that there is no traffic over them. True in principle. In practice, changing stuff, especially globally, is not as simple as that. Many (most?) enterprises still have pretty primitive DNS/DHCP management. While there are good management systems out there, many of the largest are custom made for the enterprise concerned, and are not yet up to speed with IPv6. The practical experience is not yet there to drive the development of the right features - especially ones as rare as a complete renumbering. DHCPv6 server software is still pretty early days, too. The addressing on infrastructure kit like routers and switches, firewalls and IDS boxes and so on is also typically hard coded and difficult to change, as are the addresses used in ACLs and firewall rules. Renumbering means: - adding a new record to the DNS for every existing record, but using a different prefix (plus any other DNS changes needed - like giving the servers themselves addresses in the new prefix, and making sure they reply from the right address...) Reverse lookups may be an issue during the changeover, too. 
- updating DHCP configurations to issue addresses from the new prefixes, automatically divided along the same numbering plan - setting up reserved DHCP addresses with the same host parts as the old reserved addresses but using the new prefix etc - adding new addresses to every location where an address is hardcoded - such as in router and switch configurations - updating ACLs to account for the new addresses (without discarding the old rules yet) - updating firewall rules and what-have-you to account for the new prefix, without discarding the old ones yet - waiting the weeks or months until the old prefix may be safely discarded. During this time you have a prefix-schizo network. - updating firewall rules and what-have-you to remove the old prefix - updating ACLs to remove the old addresses - removing old addresses from every location where an address is hardcoded - such as in router and switch configurations - removing now-unused DHCP reservations - removing now-unwanted DHCP ranges - removing all records that reference the old prefix ... and this is by no means an exhaustive list. Many higher-level services will also need updating (twice) - your web server configurations, for example. And it gets more complicated if your prefix changes length as well. And what if the network was not set up with future renumbering in mind? DHCP servers issuing eternal leases, things like that. So once again the theory is good, but reality intrudes. Renumbering, even with the undeniably much better features of IPv6, is still going to be a royal pain. Of course, IPv6 may drive improvements in all these areas over time, but they're not there yet. Wouldn't it be cool to have a renumber router command that just took an old prefix, a new prefix and a number of seconds and did all the work? Regards, K. PS: If anyone knows of an IPAM that can do all the above, or even just some of the above, please let me know! 
-- ~~~ Karl Auer (ka...@biplane.com.au) +61-2-64957160 (h) http://www.biplane.com.au/~kauer/ +61-428-957160 (mob) GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF
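The add-then-remove renumbering steps listed in this message, as an added example that is not from the original post: a Python sketch that maps every hard-coded address or subnet from the old prefix to the new one with the same subnet and host parts, duplicates the affected config lines for the overlap period, and later drops the old ones. The prefixes are documentation ranges and the sample lines are constructed; `move`, `add_new_prefix` and `drop_old_prefix` are hypothetical names.

```python
import ipaddress

OLD = ipaddress.ip_network("2001:db8:a::/48")   # prefix being retired (assumed)
NEW = ipaddress.ip_network("2001:db8:b::/48")   # prefix being introduced (assumed)

# Constructed sample: a zone-file style record and two ACL style rules.
SAMPLE = """\
www IN AAAA 2001:db8:a:10::80
permit ipv6 2001:db8:a:10::/64 any
permit ipv6 any host 2001:db8:ffff::1"""


def move(token, old, new):
    """Return token rewritten into `new`, or None if it is not inside `old`."""
    try:
        iface = ipaddress.ip_interface(token)
    except ValueError:
        return None                                  # not an address at all
    plen = iface.network.prefixlen
    if iface.version != old.version or iface.ip not in old or plen < old.prefixlen:
        return None                                  # outside the retired prefix
    # Keep the subnet and host parts: same offset from the start of the prefix.
    offset = int(iface.ip) - int(old.network_address)
    if offset >= new.num_addresses:
        raise ValueError(f"{token}: subnet does not fit inside {new}")
    addr = ipaddress.ip_address(int(new.network_address) + offset)
    if "/" not in token:
        return str(addr)                             # plain host address
    if plen == old.prefixlen:
        plen = new.prefixlen                         # rule covering the whole site
    elif plen < new.prefixlen:
        raise ValueError(f"{token}: aggregate is wider than {new}")
    return f"{addr}/{plen}"


def add_new_prefix(text, old, new):
    """Phase 1: keep every line, and add a copy of each line that names `old`."""
    out = []
    for line in text.splitlines():
        out.append(line)
        tokens = line.split()
        moved = [move(t, old, new) or t for t in tokens]
        if moved != tokens:
            out.append(" ".join(moved))
    return "\n".join(out)


def drop_old_prefix(text, old):
    """Phase 2: remove every line that still names an address inside `old`."""
    keep = [line for line in text.splitlines()
            if not any(move(t, old, old) for t in line.split())]
    return "\n".join(keep)


if __name__ == "__main__":
    overlap = add_new_prefix(SAMPLE, OLD, NEW)
    print(overlap, "\n---\n", drop_old_prefix(overlap, OLD), sep="")
```

When the new prefix is longer than the old one, `move` raises for any subnet whose number no longer fits, which is the "prefix changes length" complication the message mentions.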
Re: ISP customer assignments
In message 1256085698.30246.109.ca...@karl, Karl Auer writes: There is no need to say at XX:XX on DD/MM/ we will be switching prefixes. One can be much smarter about how you do it. You can just introduce the new prefix. Add second address to the DNS. Do your manual fixes. Remove the old addresses from the DNS. Stop using the old prefix when you are satisfied that there is no traffic over them. True in principle. In practice, changing stuff, especially globally, is not as simple as that. Many (most?) enterprises still have pretty primitive DNS/DHCP management. While there are good management systems out there, many of the largest are custom made for the enterprise concerned, and are not yet up to speed with IPv6. The practical experience is not yet there to drive the development of the right features - especially ones as rare as a complete renumbering. DHCPv6 server software is still pretty early days, too. The addressing on infrastructure kit like routers and switches, firewalls and IDS boxes and so on is also typically hard coded and difficult to change, as are the addresses used in ACLs and firewall rules. Renumbering means: - adding a new record to the DNS for every existing record, but using a different prefix (plus any other DNS changes needed - like giving the servers themselves addresses in the new prefix, and making sure they reply from the right address...) Reverse lookups may be an issue during the changeover, too.
- updating DHCP configurations to issue addresses from the new prefixes, automatically divided along the same numbering plan - setting up reserved DHCP addresses with the same host parts as the old reserved addresses but using the new prefix etc - adding new addresses to every location where an address is hardcoded - such as in router and switch configurations - updating ACLs to account for the new addresses (without discarding the old rules yet) - updating firewall rules and what-have-you to account for the new prefix, without discarding the old ones yet - waiting the weeks or months until the old prefix may be safely discarded. During this time you have a prefix-schizo network. - updating firewall rules and what-have-you to remove the old prefix - updating ACLs to remove the old addresses - removing old addresses from every location where an address is hardcoded - such as in router and switch configurations - removing now-unused DHCP reservations - removing now-unwanted DHCP ranges - removing all records that reference the old prefix ... and this is by no means an exhaustive list. Many higher-level services will also need updating (twice) - your web server configurations, for example. And it gets more complicated if your prefix changes length as well. And what if the network was not set up with future renumbering in mind? DHCP servers issuing eternal leases, things like that. So once again the theory is good, but reality intrudes. Renumbering, even with the undeniably much better features of IPv6, is still going to be a royal pain. Of course, IPv6 may drive improvements in all these areas over time, but they're not there yet. Wouldn't it be cool to have a renumber router command that just took an old prefix, a new prefix and a number of seconds and did all the work? Well request it from your favorite router vendors. Router/vpn/firewall vendors should be forced to renumber annually.
That way they would have some incentive to make their products usable when a renumber event occurs. The same applies to other vendors. Regards, K. PS: If anyone knows of an IPAM that can do all the above, or even just some of the above, please let me know! -- ~~~ Karl Auer (ka...@biplane.com.au) +61-2-64957160 (h) http://www.biplane.com.au/~kauer/ +61-428-957160 (mob) GPG fingerprint: 07F3 1DF9 9D45 8BCD 7DD5 00CE 4A44 6A03 F43A 7DEF -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: ISP customer assignments
On Oct 20, 2009, at 8:41 PM, Karl Auer wrote: In practice, changing stuff, especially globally, is not as simple as that. From http://tools.ietf.org/html/rfc4192: 'Some took it on themselves to convince the authors that the concept of network renumbering as a normal or frequent procedure is daft.' --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sorry, sometimes I mistake your existential crises for technical insights. -- xkcd #625
Re: ISP customer assignments
In message 1069dfd4-87a3-4e38-aebc-43c05c16d...@arbor.net, Roland Dobbins writes: On Oct 20, 2009, at 8:41 PM, Karl Auer wrote: In practice, changing stuff, especially globally, is not as simple as that. From http://tools.ietf.org/html/rfc4192: 'Some took it on themselves to convince the authors that the concept of network renumbering as a normal or frequent procedure is daft.' There is a difference between renumbering every minute and renumber when required to optimise something else. We shouldn't be afraid to renumber. It should be something all vendors support. It should be as automated as possible. If there is a manual step you should be asking yourself does this need to be done by hand. Remember there are lots of machines that renumber themselves several times a day as they move between work and home. All machines should be in a position to renumber themselves as easily as we renumber a laptop. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: ISP customer assignments
On Oct 20, 2009, at 10:29 PM, Mark Andrews wrote: Remember there are lots of machines that renumber themselves several times a day as they move between work and home The problem isn't largely with the endpoints - it's with all the other devices/policies/etc. which overload the EID with inappropriate significance which tend to cause most of the problems. --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sorry, sometimes I mistake your existential crises for technical insights. -- xkcd #625
Re: IPv6 internet broken, cogent/telia/hurricane not peering
On Mon, Oct 12, 2009 at 12:41 PM, Mike Leber mle...@he.net wrote: ... We don't ignore comments about connectivity, in fact quite the opposite. We study each AS and which ASes are behind them. We work on getting peering with the specific AS, in the case that they are unresponsive, getting the ASes behind them. Among the things we do to discuss peering: send email to any relevant contacts, call them, contact them on IRC, send people to the relevant conferences to seek them out specifically, send people to their offices, etc. So far we stop short of baking cakes, but hey... And tonight we saw in public that even that path is being attempted: http://www.flickr.com/photos/77519...@n00/4031434206/ (and yes, it was yummy and enjoyed by all at the peering BoF!) So Cogent...won't you please make nice with HE.net and get back together again? ^_^ Matt (speaking for neither party, but very happy to eat cake nonetheless)