Re: PPPoE vs. Bridged ADSL

2009-10-29 Thread Mikael Abrahamsson

On Wed, 28 Oct 2009, JD wrote:

I think the important thing is to have a separate L2 isolation per 
customer so you can more easily deploy IPv6 in the future. q-in-q or PPPoX 
will both solve this problem, but deploying multicast TV offering might be 
harder in this deployment model.


There are really no devices out there to securely do IPv6 to the end user 
natively when you have a shared L2 domain (in v4 this implies the L2 
device will do DHCP snooping and do filtering based on that).


I don't really like tunneling, so I'd advocate the q-in-q model with 
separate vlan per customer (or having the L3 routing very close to the 
customer so you don't need to do q-in-q but still can do separate vlan per 
customer).


--
Mikael Abrahamsson    email: swm...@swm.pp.se



Re: Re: dealing with bogon spam ?

2009-10-29 Thread Michiel Klaver

Justin Shore wrote:

Michiel Klaver wrote:
I would suggest to report that netblock to SpamHaus to have it 
included at their DROP list, and also use that DROP list as extra 
filter in addition to your bogon filter setup at your border routers.


The SpamHaus DROP (Don't Route Or Peer) list was specially designed 
for this kind of abuse of stolen 'hijacked' netblocks and netblocks 
controlled entirely by professional spammers.


As a brief off-shoot of the original topic, has anyone scripted the use 
of Spamhaus's DROP list in a RTBH, ACLs, null-routes, etc?  I'm not 
asking if people think it's safe; that's up to the network wanting to 
deploy it.  I'm wondering if anyone has any scripts for pulling down the 
DROP list, parsing it into whatever you need (static routes on a RTBH 
trigger router or ACLs on a border router) and then deploying the config 
change(s).  I don't want to reinvent the wheel if someone else has 
already done this.


Thanks
  Justin



SpamHaus already provides a link to a nice script for Cisco gear at their 
FAQ page: http://www.spamhaus.org/faq/answers.lasso?section=DROP%20FAQ


And this shell command should give you a Juniper style prefix-list to include 
at your filter terms:


wget -q -O - http://www.spamhaus.org/drop/drop.lasso \
  | sed -e "s/;.*//" -e '/^[0-9]/ !d' -e "s/^/set policy-options prefix-list drop-lasso /"



Hope it's helpful!


With kind regards,

Michiel Klaver
IT Professional
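Editor's added example for the two posts above (it is not Michiel's one-liner, not the Spamhaus Cisco script, and not vendor tooling): a Python version of the same DROP-list-to-router-config step that Justin asked about. It parses the "prefix ; comment" layout with the ipaddress module, so a malformed entry is reported rather than turned into a config statement, and it refuses feed entries that overlap address space you announce yourself. The sample feed, the OWN_NETWORKS placeholder, the /8 floor and the route tag are all constructed for the example.

```python
"""Turn a Spamhaus DROP-format list into router configuration lines.

Added example; not Michiel's one-liner, not Spamhaus's script and not
tooling from any vendor. It parses the same "prefix ; comment" text the sed
pipeline handles, but through the ipaddress module, so a malformed line is
reported instead of becoming a config statement, and it refuses feed
entries that overlap address space you announce yourself.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample in the DROP file layout (header comments start with ";",
# each entry is "prefix ; SBL reference"). Not the real list.
SAMPLE_DROP = """\
; Spamhaus DROP List (constructed sample, not the real list)
; Last-Modified: Thu, 29 Oct 2009 00:00:00 GMT
192.0.2.0/24 ; SBL-EXAMPLE-1
198.51.100.0/24 ; SBL-EXAMPLE-2
203.0.113.0/24 ; SBL-EXAMPLE-3
192.0.2.5/24 ; host bits set: must be rejected
0.0.0.0/0 ; far too short: must be rejected
not-a-prefix ; garbage: must be rejected
"""

# Placeholder for the operator's own announced prefixes (constructed). Anything
# in the feed overlapping these is skipped so a bad feed cannot blackhole you.
OWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

MIN_PREFIXLEN = 8   # assumption: never null-route anything shorter than a /8


def parse_drop(text: str, own: Iterable[ipaddress.IPv4Network] = OWN_NETWORKS
               ) -> Tuple[List[ipaddress.IPv4Network], List[Tuple[str, str]]]:
    """Return (accepted networks, [(rejected line, reason), ...])."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop the "; comment" tail
        if not line:
            continue                             # blank or comment-only line
        try:
            net = ipaddress.ip_network(line)     # strict: host bits set -> ValueError
        except ValueError:
            rejected.append((line, "unparseable"))
            continue
        if net.prefixlen < MIN_PREFIXLEN:
            rejected.append((line, "prefix too short"))
            continue
        if any(net.overlaps(o) for o in own):
            rejected.append((line, "overlaps own space"))
            continue
        accepted.append(net)
    return accepted, rejected


def junos_prefix_list(nets, name="drop-lasso"):
    """Junos set statements, the same shape the sed pipeline emits."""
    return [f"set policy-options prefix-list {name} {n.with_prefixlen}" for n in nets]


def ios_null_routes(nets, tag=666):
    """IOS static routes to Null0 for an RTBH trigger router (tag value is constructed)."""
    return [f"ip route {n.network_address} {n.netmask} Null0 tag {tag}" for n in nets]


if __name__ == "__main__":
    ok, bad = parse_drop(SAMPLE_DROP)
    print("\n".join(junos_prefix_list(ok)))
    print("\n".join(ios_null_routes(ok)))
    for line, why in bad:
        print(f"! skipped {line!r}: {why}")
```

Feeding the real list means replacing SAMPLE_DROP with the downloaded text; the rejected list is worth logging on every run, since a feed that suddenly starts rejecting entries (or starts overlapping your own space) is the case you want to notice before the config is pushed.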



Re: PPPoE vs. Bridged ADSL

2009-10-29 Thread Sean Donelan

On Wed, 28 Oct 2009, David E. Smith wrote:

With PPPoE, however, the end-user can't just plug in and go - they'll have
to configure their PC, or a DSL modem, or something. That means a phone call
to your tech support, most likely. In many cases, DHCP can lead to
plug-and-play simplicity, which means they don't have to call you, and you
don't have to answer their calls. Everyone wins. :)


One of the reasons for UUNET's PPPOE design was to reduce phone calls and 
configuration hassles.  But in a different way.  In the "old" days, people 
thought there would be separation between the ISP and the wholesale 
network.  The idea that the provider could control/manage the CPE, like a 
cable set-top box, was probably more radical at the time than a dumb 
modem and PPPOE client on the PC.

PPPOE can allow changing ISPs just by changing the usern...@domain, 
without needing to call wholesale provider's tech support and 
reconfiguring the circuit. You could even have multiple PC's sharing the 
same circuit, each connecting to different ISPs at the same time.  Or use 
PPPOE to "call" a business' DSLAM pool for work access, and then call 
AOL's DSLAM pool for personal use.  The concept of multiple "dialers" was 
well supported on most operating systems, and more familiar to the public 
at the time than trying to set hostnames or read MAC addresses in DHCP 
configurations.


In those days, VPN/IPSEC tunnel support wasn't very common. Businesses 
still had dial-up modem pools, X.25 PADs, and private 
PPP/PPPOE/PPPOA/PPPOx connections.  Compared to the overhead for other 
point-to-point and  tunneling protocols at the time, PPPOE's overhead 
didn't look that bad.  And since it was based on PPP, PPPOE made route 
addressing (and other routing stuff) easy.  Addressing a single host is 
the simple case of the more general router PPP information.

As Milo used to say, with enough thrust you could get DHCP to do many of 
those same things too.  There were a lot of experiments, and not all of 
them worked well.


As they say, the world changed.

Ethernet won, vertically integrated ISPs won, VPN won, and yes DHCP 
(with lots of options) won too.  We can have a betamax/vhs-style argument 
of technical superiority; but the market made a choice.





Cox.net issues with their DNSBL

2009-10-29 Thread Micheal Patterson

I'm not sure if this is the proper place to put this so I'll make this
short. Cox.net is showing errors when I'm sending mail indicating that we're
blocked by Invaluement, Cox error IPBL100. I've checked and my mx isn't
listed.  Attempts to contact the postmas...@cox.net address result in an
autoresponder and then a bounce as that address is over quota.  Is anyone
else seeing this problem?

Please feel free to contact me off list.

--

Micheal Patterson
Senior Communications Systems Engineer
Southern Plains Medical Group
405-917-0600

Confidentiality Notice:  This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message





Unable to reach security.debian.org through an HurricaneElectric IPv6 pipe

2009-10-29 Thread Laurent CARON
Hi,

I'm currently unable to reach security.debian.org
(2001:8d8:2:1:6564:a62:0:2) through IPv6.

donald:~# traceroute -M tcpconn -p 80 wieck.debian.org -n -6
traceroute to wieck.debian.org (2001:8d8:2:1:6564:a62:0:2), 30 hops max, 80 byte packets
 1  2001:7a8:820:1::1  0.170 ms  0.151 ms  0.126 ms
 2  2001:7a8:820::1  0.317 ms  0.274 ms  0.515 ms
 3  2001:7a8:1:9ff2::1  1.753 ms  1.745 ms  1.724 ms
 4  2001:7a8:0:ff22::1  2.384 ms  2.374 ms  2.355 ms
 5  2001:7a8:1:91::1  48.524 ms  48.530 ms  48.495 ms
 6  2001:7a8:0:ffe1::fffe  10.203 ms  10.345 ms  10.270 ms
 7  2001:7f8:4::2170:1  10.457 ms  10.390 ms  10.572 ms
 8  2001:8d8:0:2::6  20.535 ms  19.820 ms  20.003 ms
 9  2001:8d8:0:2::a  19.953 ms  20.517 ms  20.458 ms
10  2001:8d8:0:2::12  22.901 ms 2001:8d8:0:2::2a  22.333 ms  22.707 ms
11  2001:8d8:0:4::11  23.908 ms 2001:8d8:0:4::10  23.388 ms 2001:8d8:0:5::11  23.338 ms
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
donald:~# traceroute -M tcpconn -p 25 wieck.debian.org -n -6  
traceroute to wieck.debian.org (2001:8d8:2:1:6564:a62:0:2), 30 hops max, 80 byte packets
 1  2001:7a8:820:1::1  0.185 ms  0.147 ms  0.128 ms
 2  2001:7a8:820::1  0.435 ms  0.417 ms  0.396 ms
 3  2001:7a8:1:9ff2::1  1.633 ms  1.860 ms  1.849 ms
 4  2001:7a8:0:ff22::1  2.317 ms  2.305 ms  2.287 ms
 5  2001:7a8:1:91::1  108.936 ms  108.943 ms  108.926 ms
 6  2001:7a8:0:ffe1::fffe  10.407 ms  10.354 ms  10.305 ms
 7  2001:7f8:4::2170:1  14.970 ms  15.158 ms  15.114 ms
 8  2001:8d8:0:2::6  20.555 ms  20.161 ms  19.901 ms
 9  2001:8d8:0:2::a  19.862 ms  19.425 ms  20.330 ms
10  2001:8d8:0:2::2a  22.282 ms 2001:8d8:0:2::12  23.129 ms 2001:8d8:0:2::2a  22.314 ms
11  2001:8d8:0:4::10  23.035 ms 2001:8d8:0:5::10  22.910 ms 2001:8d8:0:4::10  23.190 ms
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *



-- 
lca...@unix-scripts.info



Re: Unable to reach security.debian.org through an HurricaneElectric IPv6 pipe

2009-10-29 Thread William F. Maton Sotomayor

On Thu, 29 Oct 2009, Laurent CARON wrote:


I'm currently unable to reach security.debian.org
(2001:8d8:2:1:6564:a62:0:2) through IPv6.


Judging from the traceroute, it seems that Hurricane Electric and 
OneAndOne are peering, but perhaps there's a problem between Nerim and one 
of the other two?  My traceroutes reach wieck, but the Nerim sTLA 
(2001:7a8::/32) isn't in my routing tables.


Have you contacted Nerim NOC?

wfms



Re: Unable to reach security.debian.org through an HurricaneElectric IPv6 pipe

2009-10-29 Thread Laurent CARON

On 29/10/2009 12:20, William F. Maton Sotomayor wrote:

On Thu, 29 Oct 2009, Laurent CARON wrote:


I'm currently unable to reach security.debian.org
(2001:8d8:2:1:6564:a62:0:2) through IPv6.


Judging from the traceroute, it seems that Hurricane Electric and
OneAndOne are peering, but perhaps there's a problem between Nerim and
one of the other two? My traceroutes reach wieck, but the Nerim sTLA
(2001:7a8::/32) isn't in my routing tables.

Have you contacted Nerim NOC?



Thanks for your input.

I'm gonna check with HE as I already checked with Nerim NOC.

Thanks



Re: Unable to reach security.debian.org through an HurricaneElectric IPv6 pipe

2009-10-29 Thread Florian Weimer
* Laurent CARON:

> I'm currently unable to reach security.debian.org
> (2001:8d8:2:1:6564:a62:0:2) through IPv6.
>
> donald:~# traceroute -M tcpconn -p 80 wieck.debian.org -n -6
> traceroute to wieck.debian.org (2001:8d8:2:1:6564:a62:0:2), 30 hops max, 80 
> byte packets

It helps if you mention your own IP address.  Using 2001:7a8:820:1::1
instead, I get this in the reverse direction (from wieck):

traceroute to 2001:7a8:820:1::1 (2001:7a8:820:1::1), 30 hops max, 40 byte packets
 1  vl-121.gw-dists-a.bs.ka.oneandone.net (2001:8d8:2:1::1)  1.530 ms  1.614 ms  1.709 ms
 2  te-1-2.bb-c.bs.kae.de.oneandone.net (2001:8d8:0:5::1)  1.116 ms  1.169 ms  1.104 ms
 3  te-4-2.bb-c.act.fra.de.oneandone.net (2001:8d8:0:2::11)  3.479 ms  3.540 ms  3.591 ms
 4  te-1-1.bb-c.nkf.ams.nl.oneandone.net (2001:8d8:0:2::9)  10.139 ms  10.200 ms  10.247 ms
 5  te-1-2.bb-c.the.lon.gb.oneandone.net (2001:8d8:0:2::5)  17.257 ms  17.321 ms  17.377 ms
 6  linx.he.net (2001:7f8:4::1b1b:1)  17.281 ms  16.399 ms  16.456 ms
 7  gige-g0-1.tserv17.lon1.ipv6.he.net (2001:470:0:a3::2)  16.546 ms  16.562 ms  16.512 ms
 8  * * *
[and nothing more]

A traceroute from 2001:14b0:200:6::4 looks similar, despite taking a
different entry point into HE:

traceroute to 2001:7a8:820:1::1 (2001:7a8:820:1::1) from 2001:14b0:200:6::4, 30 hops max, 24 byte packets
 1  2001:14b0:200:6::3 (2001:14b0:200:6::3)  27.324 ms  29.593 ms  26.593 ms
 2  2a01:1e8:2:3::1 (2a01:1e8:2:3::1)  26.827 ms  26.772 ms *
 3  2a01:1e8:2:4::1 (2a01:1e8:2:4::1)  30.685 ms  30.684 ms  30.767 ms
 4  de-cix.he.net (2001:7f8::1b1b:0:1)  31.821 ms  35.31 ms  33.465 ms
 5  gige-g0-1.tserv18.fra1.ipv6.he.net (2001:470:0:a5::2)  33.738 ms  33.368 ms  30.792 ms
 6  * * *

So this seems to be something beyond our (that is, Debian's) control,
assuming that 2001:7a8:820:1::1 is as good as the IP address you've
actually been assigned.
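Editor's added example (not a tool from this thread or from Debian): the forward trace Laurent posted and the reverse trace Florian ran from wieck, both copied from the messages above, fed to a small parser that reports the deepest responding hop in each direction. That is the comparison Florian made by eye to conclude the break sits between HE and Nerim rather than at Debian; doing it in code makes the same check repeatable from a monitoring box. Hostnames, RTTs and "*" are discarded, only tokens that parse as IP addresses are kept.

```python
"""Parse traceroute output and report where each direction stops answering.

Added example, not a tool from the thread. It reads the forward trace
Laurent posted (toward wieck) and the reverse trace Florian ran from wieck,
and reports the deepest responding hop of each, which is what the two of
them were reading off the raw output to locate the break.
"""
import ipaddress
import re

# Forward trace, copied from Laurent's port-80 run (hops past 13 omitted).
FORWARD = """\
traceroute to wieck.debian.org (2001:8d8:2:1:6564:a62:0:2), 30 hops max, 80 byte packets
 1  2001:7a8:820:1::1  0.170 ms  0.151 ms  0.126 ms
 2  2001:7a8:820::1  0.317 ms  0.274 ms  0.515 ms
 3  2001:7a8:1:9ff2::1  1.753 ms  1.745 ms  1.724 ms
 4  2001:7a8:0:ff22::1  2.384 ms  2.374 ms  2.355 ms
 5  2001:7a8:1:91::1  48.524 ms  48.530 ms  48.495 ms
 6  2001:7a8:0:ffe1::fffe  10.203 ms  10.345 ms  10.270 ms
 7  2001:7f8:4::2170:1  10.457 ms  10.390 ms  10.572 ms
 8  2001:8d8:0:2::6  20.535 ms  19.820 ms  20.003 ms
 9  2001:8d8:0:2::a  19.953 ms  20.517 ms  20.458 ms
10  2001:8d8:0:2::12  22.901 ms 2001:8d8:0:2::2a  22.333 ms  22.707 ms
11  2001:8d8:0:4::11  23.908 ms 2001:8d8:0:4::10  23.388 ms 2001:8d8:0:5::11  23.338 ms
12  * * *
13  * * *
"""

# Reverse trace from wieck, copied from Florian's reply.
REVERSE = """\
traceroute to 2001:7a8:820:1::1 (2001:7a8:820:1::1), 30 hops max, 40 byte packets
 1  vl-121.gw-dists-a.bs.ka.oneandone.net (2001:8d8:2:1::1)  1.530 ms  1.614 ms  1.709 ms
 2  te-1-2.bb-c.bs.kae.de.oneandone.net (2001:8d8:0:5::1)  1.116 ms  1.169 ms  1.104 ms
 3  te-4-2.bb-c.act.fra.de.oneandone.net (2001:8d8:0:2::11)  3.479 ms  3.540 ms  3.591 ms
 4  te-1-1.bb-c.nkf.ams.nl.oneandone.net (2001:8d8:0:2::9)  10.139 ms  10.200 ms  10.247 ms
 5  te-1-2.bb-c.the.lon.gb.oneandone.net (2001:8d8:0:2::5)  17.257 ms  17.321 ms  17.377 ms
 6  linx.he.net (2001:7f8:4::1b1b:1)  17.281 ms  16.399 ms  16.456 ms
 7  gige-g0-1.tserv17.lon1.ipv6.he.net (2001:470:0:a3::2)  16.546 ms  16.562 ms  16.512 ms
 8  * * *
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")   # "<ttl>  <responders and RTTs>"


def parse_traceroute(text):
    """Map ttl -> list of responding addresses (empty list for an all-'*' hop)."""
    hops = {}
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue                            # the "traceroute to ..." header
        ttl, rest = int(m.group(1)), m.group(2)
        addrs = []
        for tok in rest.split():
            try:                                # keep only tokens that parse as an address
                addrs.append(str(ipaddress.ip_address(tok.strip("()"))))
            except ValueError:                  # hostnames, RTTs, "ms" and "*" are dropped
                pass
        hops[ttl] = list(dict.fromkeys(addrs))  # de-duplicate, keep order
    return hops


def last_responding_hop(hops):
    """(ttl, addresses) of the deepest hop that answered, or None if none did."""
    answered = [(ttl, a) for ttl, a in sorted(hops.items()) if a]
    return answered[-1] if answered else None


def reached(hops, target):
    """True if the target address itself shows up as a responder."""
    return any(target in a for a in hops.values())


def summarize(name, text, target):
    """One-line verdict for a trace toward `target`."""
    hops = parse_traceroute(text)
    if reached(hops, target):
        return f"{name}: reached {target}"
    last = last_responding_hop(hops)
    if last is None:
        return f"{name}: no hop answered"
    ttl, addrs = last
    return f"{name}: dies after hop {ttl} ({', '.join(addrs)})"


if __name__ == "__main__":
    print(summarize("forward (Nerim -> wieck)", FORWARD, "2001:8d8:2:1:6564:a62:0:2"))
    print(summarize("reverse (wieck -> Nerim)", REVERSE, "2001:7a8:820:1::1"))
```

Run against live output the two verdicts together say which side of the exchange point stops answering; on these traces the forward path dies inside OneAndOne's core at hop 11 and the reverse path dies right after the HE tunnel server, which is the asymmetry Florian used to place the fault outside Debian.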



Re: Unable to reach security.debian.org through an HurricaneElectric IPv6 pipe

2009-10-29 Thread Laurent CARON
On Thu, Oct 29, 2009 at 12:52:07PM +0100, Florian Weimer wrote:
> It helps if you mention your own IP address.  Using 2001:7a8:820:1::1
> instead, I get this in the reverse direction (from wieck):

My desktop's IP: 2001:7a8:820:1::31


> traceroute to 2001:7a8:820:1::1 (2001:7a8:820:1::1), 30 hops max, 40 byte packets
>  1  vl-121.gw-dists-a.bs.ka.oneandone.net (2001:8d8:2:1::1)  1.530 ms  1.614 ms  1.709 ms
>  2  te-1-2.bb-c.bs.kae.de.oneandone.net (2001:8d8:0:5::1)  1.116 ms  1.169 ms  1.104 ms
>  3  te-4-2.bb-c.act.fra.de.oneandone.net (2001:8d8:0:2::11)  3.479 ms  3.540 ms  3.591 ms
>  4  te-1-1.bb-c.nkf.ams.nl.oneandone.net (2001:8d8:0:2::9)  10.139 ms  10.200 ms  10.247 ms
>  5  te-1-2.bb-c.the.lon.gb.oneandone.net (2001:8d8:0:2::5)  17.257 ms  17.321 ms  17.377 ms
>  6  linx.he.net (2001:7f8:4::1b1b:1)  17.281 ms  16.399 ms  16.456 ms
>  7  gige-g0-1.tserv17.lon1.ipv6.he.net (2001:470:0:a3::2)  16.546 ms  16.562 ms  16.512 ms
>  8  * * *
> [and nothing more]
> 
> A traceroute from 2001:14b0:200:6::4 looks similar, despite taking a
> different entry point into HE:
> 
> traceroute to 2001:7a8:820:1::1 (2001:7a8:820:1::1) from 2001:14b0:200:6::4, 30 hops max, 24 byte packets
>  1  2001:14b0:200:6::3 (2001:14b0:200:6::3)  27.324 ms  29.593 ms  26.593 ms
>  2  2a01:1e8:2:3::1 (2a01:1e8:2:3::1)  26.827 ms  26.772 ms *
>  3  2a01:1e8:2:4::1 (2a01:1e8:2:4::1)  30.685 ms  30.684 ms  30.767 ms
>  4  de-cix.he.net (2001:7f8::1b1b:0:1)  31.821 ms  35.31 ms  33.465 ms
>  5  gige-g0-1.tserv18.fra1.ipv6.he.net (2001:470:0:a5::2)  33.738 ms  33.368 ms  30.792 ms
>  6  * * *
> 
> So this seems to be something beyond our (that is, Debian's) control,
> assuming that 2001:7a8:820:1::1 is as good as the IP address you've
> actually been assigned.


This is the IP of one of my BGP routers.



Re: Unable to reach security.debian.org through an HurricaneElectric IPv6 pipe

2009-10-29 Thread Florian Weimer
* Laurent CARON:

> On Thu, Oct 29, 2009 at 12:52:07PM +0100, Florian Weimer wrote:
>> It helps if you mention your own IP address.  Using 2001:7a8:820:1::1
>> instead, I get this in the reverse direction (from wieck):
>
> My desktop's IP: 2001:7a8:820:1::31

I can ping it from both locations, and latency is actually pretty
good.  Apparently, it's already been fixed, or it was a temporary
glitch.



[NANOG-announce] Communications Committee (formerly Mailing List Committee) Nominations close today!

2009-10-29 Thread Joe Provo

The nominations for the NANOG Committee (formerly known as the 
Mailing List Committee) close today, October 29.  As Steve said 
in his last note, the new direction from the recent amendments
means this is a chance to break new ground for NANOG and help
define the future path for this team.

If you are interested or know someone who is, please send the
nomination to .  If you are being nominated,
please be prepared to confirm your interest and provide some bio
data and a statement of interest (like those up on
http://www.nanog.org/governance/elections/2009elections/2009mlc_candidates.php)
before the Steering Committee meets on 3 November.

Cheers!

Joe Provo

-- 
 RSUC / GweepNet / Spunk / FnB / Usenix / SAGE

___
NANOG-announce mailing list
nanog-annou...@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog-announce



RE: PPPoE vs. Bridged ADSL

2009-10-29 Thread Vince Mammoliti
This current draft

DHCP Authentication 

http://www.ietf.org/id/draft-pruss-dhcp-auth-dsl-06.txt


Adds the username/password that PPP has to DHCP and I believe supports IPv6.


Vince

-Original Message-
From: Sean Donelan [mailto:s...@donelan.com] 
Sent: Thursday, October 29, 2009 5:07 AM
To: nanog@nanog.org
Subject: Re: PPPoE vs. Bridged ADSL

On Wed, 28 Oct 2009, David E. Smith wrote:
> With PPPoE, however, the end-user can't just plug in and go - they'll 
> have to configure their PC, or a DSL modem, or something. That means a 
> phone call to your tech support, most likely. In many cases, DHCP can 
> lead to plug-and-play simplicity, which means they don't have to call 
> you, and you don't have to answer their calls. Everyone wins. :)

One of the reasons for UUNET's PPPOE design was to reduce phone calls and
configuration hassles.  But in a different way.  In the "old" days, people
thought there would be separation between the ISP and the wholesale network.
The idea that the provider could control/manage the CPE, like a cable
set-top box, was probably more radical at the time than a dumb modem and
PPPOE client on the PC.

PPPOE can allow changing ISPs just by changing the usern...@domain, without
needing to call wholesale provider's tech support and reconfiguring the
circuit. You could even have multiple PC's sharing the same circuit, each
connecting to different ISPs at the same time.  Or use PPPOE to "call" a
business' DSLAM pool for work access, and then call AOL's DSLAM pool for
personal use.  The concept of multiple "dialers" was well supported on most
operating systems, and more familiar to the public at the time than trying to
set hostnames or read MAC addresses in DHCP configurations.

In those days, VPN/IPSEC tunnel support wasn't very common. Businesses still
had dial-up modem pools, X.25 PADs, and private PPP/PPPOE/PPPOA/PPPOx
connections.  Compared to the overhead for other point-to-point and
tunneling protocols at the time, PPPOE's overhead didn't look that bad.  And
since it was based on PPP, PPPOE made route addressing (and other routing
stuff) easy.  Addressing a single host is the simple case of the more
general router PPP information.

As Milo used to say, with enough thrust you could get DHCP to do many of
those same things too.  There were a lot of experiments, and not all of them
worked well.

As they say, the world changed.

Ethernet won, vertically integrated ISPs won, VPN won, and yes DHCP (with
lots of options) won too.  We can have a betamax/vhs-style argument of
technical superiority; but the market made a choice.






Re: Cox.net issues with their DNSBL

2009-10-29 Thread Dennis Dayman
not sure about seeing the same problem, but I am at MAAWG and their  
postmaster/abuse team is here. need an intro?


-Dennis

On Oct 29, 2009, at 6:06 AM, Micheal Patterson wrote:


I'm not sure if this is the proper place to put this so I'll make this
short. Cox.net is showing errors when I'm sending mail indicating that we're
blocked by Invaluement, Cox error IPBL100. I've checked and my mx isn't
listed.  Attempts to contact the postmas...@cox.net address result in an
autoresponder and then a bounce as that address is over quota.  Is anyone
else seeing this problem?

Please feel free to contact me off list.

--

Micheal Patterson
Senior Communications Systems Engineer
Southern Plains Medical Group
405-917-0600











RBS Worldpay

2009-10-29 Thread Richard Maynard / Wessex Networks
Hi NANOG,

Long time lurker here - this is my first post.

Is there anyone here from RBS Worldpay?  I could do with a hand troubleshooting 
an HTTP POST timeout reported from their end causing trouble on a 
customer server during the payment stages.  I can't figure out if this is a 
network or server issue.

Regards,

Richard Maynard

Wessex Networks
Linchmere Place
Ifield
Crawley
West Sussex
RH11 0EX
www.wessexnetworks.com r...@wessexnetworks.com
T: 01293 542080 F: 01293 553849




Re: PPPoE vs. Bridged ADSL

2009-10-29 Thread Jack Bates

Mikael Abrahamsson wrote:
I think the important thing is to have a separate L2 isolation per 
customer so you can more easily deploy IPv6 in the future. q-in-q or 
PPPoX will both solve this problem, but deploying multicast TV offering 
might be harder in this deployment model.


In general, it shouldn't be. Local multicast TV offerings should be 
transmitted out of band from the standard internet connection, either 
different vlan or outside of the PPPoE. The nature of it usually 
indicates a specialized CPE maintained by the provider to support the 
necessary QOS, and division of Internet and Video traffic.


For public multicast, splitting in the local pop just doesn't matter much.


There are really no devices out there to securely do IPv6 to the end user 
natively when you have a shared L2 domain (in v4 this implies the L2 
device will do DHCP snooping and do filtering based on that).


Several vendors claim to have v6 support for this in the next year. 
Currently, many of them completely break v6 due to the v4 security.



Jack



Re: PPPoE vs. Bridged ADSL

2009-10-29 Thread Jack Bates

Vince Mammoliti wrote:

This current draft

DHCP Authentication 


http://www.ietf.org/id/draft-pruss-dhcp-auth-dsl-06.txt


Adds the username/password that PPP has to DHCP and I believe supports IPv6.



Now if we could just tweak things perfectly so customers can hook up, 
log in to the ISP, and use tickets to access everything and it's dog, 
that would rock. :)


A nice extension to allow corporate networks to interface with that 
system would be even cooler.


*dreams of a secure authenticate once world*


Jack



Avantel Contact Information

2009-10-29 Thread William C
Does anyone have a technical or peering contact at Avantel who can address
an apparent netblock hijacking issue?

It seems that Avantel is advertising the 200.23.91.0/24 address space to
their peers but they are unable to route to it for some reason.
Level3's customers can though, and so can a whole bunch of the rest of the
internet. Without posting all my traceroutes and route-views I'll just ask
first as I'm sure there is a way to resolve this peacefully =]

Any suggestions?


Re: Power Analysis/Management Tools

2009-10-29 Thread Ryan Langseth

Nathan Ward wrote:
I haven't used cacti in a while, but does it let you combine several RRD 
files in to one graph? If so that's useful for power stuff, because 
you're likely to want to graph an aggregate of several things across 
different devices - for example a+b power of a server, or aggregate 
power usage for one customer with multiple power feeds.


Yes this is possible, without going into it too deeply since this is 
nanog, not cacti-users.  You create the individual graphs, then create a 
new graph Graph management-> Add (with host and template set to none) 
then add data sources from other graphs/hosts.  The nice thing about 
doing it this way is if you already have data being graphed, it will use 
the history to create the new graph.


We use this with our bandwidth usage graph for our individual providers 
to show the aggregate bandwidth, and some other internal graphs that 
have history going back years. And at $oldjob I used it to show rf 
usage on our towers, quite handy with equipment that automatically 
changed frequency.




RE: PPPoE vs. Bridged ADSL

2009-10-29 Thread Frank Bulk - iName.com
Others commented on things I already had in mind only the username/password
thing of PPPoE.  We use the same username/pw on the modem as the customer
uses for their e-mail, so a password change necessitates a truck roll (I
know, I know, TR-069).  We started with PPPoE for our FTTH, because we were
familiar with it, but we moved over to a "VLAN per service" model which ends
up something like RBE in function.  We can track customers based on the
Option 82 info, so we're good to go in terms of tracking them.  

Frank

-Original Message-
From: JD [mailto:jdupuy-l...@socket.net] 
Sent: Wednesday, October 28, 2009 4:21 PM
To: NANOG list
Subject: PPPoE vs. Bridged ADSL

There is a debate among our engineering staff as to the best means of 
provisioning broadband service over copper facilities. Due to our 
history, we have a mix out in the field. Some customers are on DSLAMS 
set up for bridged connections with DHCP; isolated by a variety of means 
including VLANS. Some customers are on PPPoE over ATM. Some customers 
are on PPPoE over ethernet (PPPoEoE ?? :) ).

There seem to be pros and cons to both directions. Certainly true 
bridging has less overhead. But modern CPEs can minimize the impact of 
PPPoE. PPPoE allows for more flexible provisioning; including via 
RADIUS. Useful for the call center turning customers on/off without NOC 
help. But VLAN tricks can sometimes do many of the same things.

Opinions on this? I'd be interested in hearing the latest real world 
experience for both and the direction most folks are going in.

BTW, I doubt it is relevant to the discussion, but most of our DSLAMS 
are Adtran TA5000s (or are being migrated to that platform.) We are 
mostly a cisco shop for the upstream routers.

Thanks,

John





Tucows vs Postini

2009-10-29 Thread Paul Stewart
Hi folks...

Anyone have much experience with outsourcing antispam/antivirus to
Tucows?  We use Postini today and are overall pleased.  The Tucows
pricing seems to be MUCH lower so curious on any feedback...

Thanks,

Paul


"The information transmitted is intended only for the person or entity to which 
it is addressed and contains confidential and/or privileged material. If you 
received this in error, please contact the sender immediately and then destroy 
this transmission, including all attachments, without copying, distributing or 
disclosing same. Thank you."


Re: Tucows vs Postini

2009-10-29 Thread Michael Peddemors
Depends on your operational needs and size.  For some people, nowadays you can 
go to a hosted email solution for the price of filtering.. and besides, any 
form of 'filtering' appliance or service comes at a price compared to 
solutions built into your mail servers..

It would be helpful if you provided the following:

Type of Email Server/Service you want to protect
Number of Email Boxes.
Any other custom wants/needs.

I never want to slag on anyone's service, but even if I did, I am sure you 
will get votes both ways.  Your decision might need to be based on other 
factors that you are not aware of at this time.  Cost is an obvious concern, 
but if say you are an ISP, and end up with more support calls with one company 
or the other.. it might outweigh the monthly cost differences.

You would get better results if people with the same size and environment 
commented

-- Michael --


On October 29, 2009, Paul Stewart wrote:
> Hi folks...
> 
> Anyone have much experience with outsourcing antispam/antivirus to
> Tucows?  We use Postini today and are overall pleased.  The Tucows
> pricing seems to be MUCH lower so curious on any feedback...
> 
> Thanks,
> 
> Paul


-- 
--
"Catch the Magic of Linux..."

Michael Peddemors - President/CEO - LinuxMagic
Products, Services, Support and Development
Visit us at http://www.linuxmagic.com

A Wizard IT Company - For More Info http://www.wizard.ca
"LinuxMagic" is a Registered TradeMark of Wizard Tower TechnoServices Ltd.

604-589-0037 Beautiful British Columbia, Canada

This email and any electronic data contained are confidential and intended 
solely for the use of the individual or entity to which they are addressed. 
Please note that any views or opinions presented in this email are solely 
those of the author and are not intended to  represent those of the company.



EdgeWater EdgeMarc 4610W

2009-10-29 Thread Jaimie Livingston
Has anyone had any recent direct experience with the EdgeWater EdgeMarc 4610W 
multi-service appliance used as a CPE device?
I was recently handed a sales sheet on this swiss-army knife appliance, but 
there doesn't seem to be much publicly available review of the beastie at the 
moment. If it is as advertised, it would be a very handy device as a CPE 
option...

Thanks,

Jaimie L.


Re: PPPoE vs. Bridged ADSL

2009-10-29 Thread Ben Scott
On Thu, Oct 29, 2009 at 11:10 AM, Jack Bates  wrote:
> *dreams of a secure authenticate once world*

  It may be worth noting here that there are times where one wants
barriers between automation to keep malfunction or malice from
spreading too far without human involvement.

  Of course, most of the current barriers we have are accidental,
random, and ill-defined, so there's clearly room for improvement
either way.  :)

-- Ben



RE: Tucows vs Postini

2009-10-29 Thread Paul Stewart
Thank you.  I apologize if this is off-topic... a couple of folks
have answered me offline and mentioned that it might be...

Basically, we are interested in one particular domain name containing
35,000 email addresses as an ISP.  Antispam/Antivirus and a quarantine
option for 14 days minimum.   Preferably an API of some type that can
automate against our SQL backend.

Open to ideas (on-list or offline by all means).  I'm very happy to stay
where we are, but our GM got a phone call today from a sales rep at
Tucows and now price is of great interest.. Basically the Tucows price
is a fraction of our Postini costs so it's getting attention and I'm
just looking for input...

Paul


-Original Message-
From: Michael Peddemors [mailto:mich...@linuxmagic.com]
Sent: October 29, 2009 6:38 PM
To: nanog@nanog.org
Subject: Re: Tucows vs Postini

Depends on your operational needs and size.  For some people, nowadays
you can go to a hosted email solution for the price of filtering.. and besides,
any form of 'filtering' appliance or service comes at a price compared to
solutions built into your mail servers..

It would be helpful if you provided the following:

Type of Email Server/Service you want to protect
Number of Email Boxes.
Any other custom wants/needs.

I never want to slag on anyone's service, but even if I did, I am sure
you will get votes both ways.  Your decision might need to be based on other
factors that you are not aware of at this time.  Cost is an obvious
concern, but if say you are an ISP, and end up with more support calls with one
company or the other.. it might outweigh the monthly cost differences.

You would get better results if people with the same size and
environment commented.

-- Michael --












Re: dealing with bogon spam ?

2009-10-29 Thread George Michaelson


 # Avoid broken/slow servers:
 "afrinic"   => "ftp://ftp.afrinic.net/pub/stats/afrinic/delegated-afrinic-latest",
 "apnic"     => "ftp://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest",
 "lacnic"    => "ftp://ftp.lacnic.net/pub/stats/lacnic/delegated-lacnic-latest",
);


Yes, generally the latter three are broken, but as they are mirrored to 
RIPE anyway, you can just pull them off there.




Having checked with Jeroen, I would like to observe that in the case  
of APNIC this is almost certainly IPv6 and pMTU problems.


As he observes elsewhere in the email, we all shadow each other's data
in the FTP trees, so you can very probably choose one RIR and use it
as a fetch-point for all of this data.


BTW, the last time this cropped up in any public-eye-facing NANOG-type
people's view it was the RFC Editor. It can happen to anyone. Geoff wrote it
up at:


http://www.potaroo.net/ispcol/2009-01/mtu6.html

So, this is not APNIC having "broken" FTP, it's the innate problem of
IPv6 in the wild.


If you fall back to v4, the fetch works just fine. If tomorrow you
have problems fetching the stats from ARIN or RIPE, you might want to
look at your path.


-George



Re: EdgeWater EdgeMarc 4610W

2009-10-29 Thread Jay Nakamura
I am scatter-brained at the moment so I will kind of babble along some
bullet points.

We have been using Edgemarcs for a while and we love them for hosted
VoIP situations. Their strength is VoIP.

Being able to failover SIP servers and Internet access connection is great.

You can configure it so you can still make internal calls when the SIP
server is unavailable or your internet connection is down.

I have not used the wireless model so I don't know much about that part.

We had some problem with some VPN to Cisco when you have more than one
subnet that needed to tunnel through.

The annoying part is that when you change anything on the device, it will
say voice traffic may get interrupted. I have not gotten around to
testing what kind of effect it has on voice when you change simple
configuration. But it kind of gets old when you get the message while
you are changing the DHCP server setting and you know it has nothing
to do with passing VoIP packets along.

Their support is pretty good.

This thing is basically a linux box with Asterisk and Swan rolled into one.

Sometimes if you need to do things that can't be done from the GUI,
you can get around it by using some basic Linux/Asterisk CLI/config
files.  But that can get ugly fast.

If you have VoIP, it's great!  If not, I usually stick with a Cisco ISR.



On Thu, Oct 29, 2009 at 6:44 PM, Jaimie Livingston wrote:
> Has anyone had any recent direct experience with the EdgeWater EdgeMarc 4610W 
> multi-service appliance used as a CPE device?
> I was recently handed a sales sheet on this swiss-army knife appliance, but 
> there doesn't seem to be much publically available review of the beastie at 
> the moment. If it is as advertised, it would be a very handy device as a CPE 
> option...
>
> Thanks,
>
> Jaimie L.
>



Re: Tucows vs Postini

2009-10-29 Thread Randy Bush
> nowadays you can go to a hosted email solution for the price of
> filtering

iff you do not care about the privacy of your communications.  i am
horrified at the folk using gmail for corporate communication.  their
mommies need to read the google eula and tos.

randy



Re: IPv6 Deployment for the LAN

2009-10-29 Thread Mark Smith
On Thu, 29 Oct 2009 08:40:46 +0900
Randy Bush  wrote:

> >> This would be a big mistake. Fate sharing between the device that
> >> advertises the presence of a router and the device that forwards
> >> packets makes RAs much more robust than DHCPv4.
> > No, what we want are better first hop redundancy protocols, and
> > DHCP for v6, so that everyone who has extracted any value from DHCP
> > in their toolkit can continue to do so, and roll out v6 !
> 
> no.  what we need is more religious v6 fanatics to make use of v6 hard
> to roll out on existing networks.  after all, v6 is so wonderful we
> should be happy to double our opex for the privilege of using such a
> fantastic protocol.
> 
> v6 fanaticism has done vastly more damage to v6 deployment than the v6
> haters.  arrogance kills.
> 

As does excessive pessimism.









RE: EdgeWater EdgeMarc 4610W

2009-10-29 Thread Scott Berkman
Haven't had my hands on the 4610W yet, but I've been using (and have been a
big fan of) Edgemarcs for some time.  It does what it says and well, I love
the support guys, and their price point is much better than most of the
competitors.

Some of my favorite features do come from the fact that they are Linux
based, such as being able to run tcpdump for troubleshooting SIP signaling
(or any network issue) in real time.

They also have a really nice EMS that's quite worth it if you have enough of
these deployed.  It can alert on call quality issues based on MOS score, as
well as standard up/down status.

The only real "downside" is the licensing of concurrent calls. The
licensing of the T1s is actually really nice, so that you can get the box at
a lower price point but grow it in service if you need more T1 capacity
later on.

If anyone has any more specific questions about using these in the real
world I'd be happy to answer.

  -Scott

-Original Message-
From: Jaimie Livingston [mailto:jai...@featuretel.com] 
Sent: Thursday, October 29, 2009 6:45 PM
To: nanog@nanog.org
Subject: EdgeWater EdgeMarc 4610W

Has anyone had any recent direct experience with the EdgeWater EdgeMarc
4610W multi-service appliance used as a CPE device?
I was recently handed a sales sheet on this swiss-army knife appliance, but
there doesn't seem to be much publically available review of the beastie at
the moment. If it is as advertised, it would be a very handy device as a CPE
option...

Thanks,

Jaimie L.





Re: Tucows vs Postini

2009-10-29 Thread John Levine
>Anyone have much experience with outsourcing antispam/antivirus to
>Tucows?  We use Postini today and are overall pleased.  The Tucows
>pricing seems to be MUCH lower so curious on any feedback...

Tucows' mail system had some fairly bad operational problems last year
(no mail lost, but offline for a while).  They've fixed them and in
recent months they've been quite solid.  I have some customers' mail
hosted there and they've been happy.  I also happen to know several of
their managers who are reasonable people and actually respond to
problem reports.

If you're thinking of using them, it's also worth thinking about
letting them handle the entire mail setup.  Along with POP and IMAP
they have usable web mail and a web management portal so your
customers can do the usual stuff, add and remove accounts, reset
passwords, and also an xml/http interface if you want to provide your
own management front end.

R's,
John



more ISP regulation for UK ?

2009-10-29 Thread jul


After the Netherlands, things may also move in the UK against eCrime:

+ apComms backs ISP cleanup activity
http://www.lightbluetouchpaper.org/2009/10/17/apcomms-backs-isp-cleanup-activity/

Extract:
The All Party Parliamentary Communications Group (apComms) recently 
published their report into an inquiry entitled “Can we keep our hands 
off the net?”
They looked at a number of issues, from "network neutrality" to how best
to deal with child sexual abuse images. Read the report for all the
details; in this post I'm just going to draw attention to one of the
most interesting, and timely, recommendations:
51. We recommend that UK ISPs, through Ofcom, ISPA or another 
appropriate organisation, immediately start the process of agreeing a 
voluntary code for detection of, and effective dealing with, malware 
infected machines in the UK.
52. If this voluntary approach fails to yield results in a timely 
manner, then we further recommend that Ofcom unilaterally create such a 
code, and impose it upon the UK ISP industry on a statutory basis.



Best regards,

Julien