RE: IPv6 allocations, deaggregation, etc.
Apologies in advance for the top post.

My initial idea was to use a /48, divide it up into /56 nets for each facility with /64 subnets within each facility. We would announce a /48 to our transit providers that I would expect them to announce in turn to their peers and we would also announce the more specific /56 nets to the transit providers that I would expect them not to announce to their peers. My current vlan requirements per facility would support such an addressing plan.

In order to make that work, we would need the same transit providers in each region as our locations are not meshed internally. We don’t have dedicated connectivity from the US to the UK or China, for example. Currently that is not a problem as far as connectivity is concerned as my US providers appear in Europe and my China provider appears in the US. BUT when I consider the possibilities of South America and Africa and finding a transit provider that has a robust presence everywhere, my choices are very limited. I need to be multihomed and I need to be provider agnostic in my addressing.

Using that scheme above does create some potential performance issues. While my transit provider collects the traffic from a remote location and routes it to the more specific location in my network, if a provider in Europe, for example, sees only the /48 announced from the US, maybe they haul the traffic across an ocean to a point where they peer with my provider … who then must haul it back to Europe to the /56 corresponding to the destination because the original traffic source doesn’t see my /56 unless they are using the same transit provider I am.

Then based on earlier discussion on the list a while back, I was concerned that a /48 wasn’t even enough to get me connected to some nets that were apparently filtering smaller than a /48 but my mind is somewhat eased in that respect and I believe that a /48 announced from space where /48s are issued will be accepted by most people.
Then I was informed of ARIN 2009-5 which seems aimed at our situation; data centers widely separated by large geographical distances that are fairly autonomous and aren’t directly connected by dedicated links. It now seems that we (and the rest of the Internet) might be better served if we get a RIPE AS and net block for our Europe operations, and APNIC AS and net block for our APAC operations and get a regional /48 that I can split into /56 nets for the various satellite facilities within that region as those satellite offices CAN be directly connected to the regional data center which would act as the regional communications hub.

There are probably 16 different ways to slice this but I would like to get it as close to “right” as possible to prevent us having to renumber later while at the same time not taking more space than we need. A /48 per region seems like the right way to go at the present time. So we would have a /48 for the US, a /48 for Asia (and possibly one /48 dedicated to China) and a /48 for Europe. Satellite facilities would collect a /56 (or two or three) out of that regional block for their local use. Then I am free from being nailed to the same providers globally and have less chance of traffic crossing an ocean twice. The probability of needing 200 /48s in the next several years is pretty slim and does not warrant our getting a /32 when currently three or four /48 nets will fill the requirements.

Thanks again for the input, Mick.

George

From: Mick O'Rourke [mailto:mkorou...@gmail.com] Sent: Tuesday, December 22, 2009 10:43 PM To: Joel Jaeggli Cc: George Bonser; nanog@nanog.org Subject: Re: IPv6 allocations, deaggregation, etc.
Is the idea behind the /48 being looked at (keeping in mind a mixed IPv4/IPv6 environment http://www.ietf.org/rfc/rfc5375.txt page 8) to have a /64 per smaller branch or VLAN, larger campus /56, and advertise out the /48 for the region? My previous thinking and biggest thinking point is enterprise level address allocation policy, impacts to device loopbacks, voice vlans, operational simplification requirements for management and security layers etc. The feel overall has been towards needing to have a /32, a /56 per site (campus to small branch) and internally within the site /64 per VLAN. A /48 becomes too small, a /32 very much borderline. Is this a similar scenario for you? How are you justifying a /48 vs a /32?
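The two addressing plans discussed in this message, worked through as an added example (not code from any poster). It carves /56s out of a /48 and shows where traffic lands when a remote network filters anything longer than /48. The 2001:db8::/32 documentation prefixes, the site names and the "announced from" locations are constructed assumptions.

```python
import ipaddress

def carve_sites(block, names, site_len=56):
    """Assign consecutive /56s out of `block` to the named facilities."""
    subnets = ipaddress.ip_network(block).subnets(new_prefix=site_len)
    return {name: next(subnets) for name in names}

def vlans_per_site(site_net, vlan_len=64):
    """Number of /64 VLAN subnets available inside one facility block."""
    return 2 ** (vlan_len - site_net.prefixlen)

def delivered_to(dest, routes, max_len):
    """Longest-prefix match over the routes a network keeps after
    discarding every announcement longer than `max_len`."""
    addr = ipaddress.ip_address(dest)
    kept = [(net, where) for net, where in routes
            if net.prefixlen <= max_len and addr in net]
    if not kept:
        return None
    return max(kept, key=lambda r: r[0].prefixlen)[1]

def single_block_routes():
    """Plan 1: one /48 announced from the US plus a /56 per facility."""
    block = "2001:db8:a::/48"                      # constructed prefix
    sites = carve_sites(block, ["us-dc", "uk-dc", "cn-dc"])
    routes = [(ipaddress.ip_network(block), "us-dc")]
    routes += [(net, name) for name, net in sites.items()]
    return sites, routes

def regional_routes():
    """Plan 2: one /48 per region, announced from that region's hub;
    satellite /56s stay internal to the region."""
    return [
        (ipaddress.ip_network("2001:db8:a::/48"), "us-dc"),
        (ipaddress.ip_network("2001:db8:b::/48"), "uk-dc"),
        (ipaddress.ip_network("2001:db8:c::/48"), "cn-dc"),
    ]

if __name__ == "__main__":
    sites, plan1 = single_block_routes()
    uk_host = str(sites["uk-dc"].network_address + 0x10)
    print("uk-dc block:", sites["uk-dc"],
          "with", vlans_per_site(sites["uk-dc"]), "/64s")
    # Same transit provider: the /56 is visible, traffic goes straight to the UK.
    print("sees /56s :", delivered_to(uk_host, plan1, max_len=56))
    # Remote network that only holds the /48: traffic heads for the US first.
    print("/48 filter:", delivered_to(uk_host, plan1, max_len=48))
    # Regional /48s survive the same filter and land in the right region.
    print("regional  :", delivered_to("2001:db8:b:300::10",
                                      regional_routes(), max_len=48))
```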
Experiences with Comcast Ethernet/Transit service
We're looking at using Comcast's (business) transit and private ethernet services at several client locations and I wanted to see what experiences others have had regarding this. Off-list replies are preferred. Thanks, -brandon -- Brandon Galbraith Mobile: 630.400.6992
[NANOG] Report on internet business
Hi All Morgan Stanley has released a very interesting report on internet business with some tips to net operators: http://www.morganstanley.com/institutional/techresearch/mobile_internet_report122009.html Regards Takashi Tome CPqD www.cpqd.com.br
IGMP and PIM protection
Hi, Any idea if folks use AH or ESP to protect IGMP/PIM packets? Wondering that if they do, then how would snooping switches work? Affably, Kent
Re: Article on spammers and their infrastructure
On Wed, Dec 23, 2009 at 01:58:47AM -0500, Christopher Morrow wrote: no real argument, but... 'please provide some set of workable solutions' The set of workable solutions at this point looks something like null routes, firewall rules, blacklist entries -- in order to deny traffic to and from such locales. I agree just about entirely with Ferg: the policy angle is a dead end. The organizations involved are either clueless or entirely focused on other goals (e.g., profit) at the expense of sound policy. ---Rsk
Re: IGMP and PIM protection
Glen Kent wrote: Any idea if folks use AH or ESP to protect IGMP/PIM packets? Wondering that if they do, then how would snooping switches work? Would encrypting multicast not fundamentally break the concept of multicast itself, unless you're encrypting multicast traffic over a backbone? Peter
Re: IGMP and PIM protection
Multicast encryption using GDOI works well, although I haven't seen that implemented on a LAN. If you're trying to provide encryption for LAN listeners (more accurately to exclude some LAN listeners) you'll probably find more bang for the buck in implementing this on a per-application basis. That leaves the IGMP request subject to eavesdropping, but the data itself flows over a secure channel. If instead you want the IGMP itself to be encrypted, then you'll need all of the switches to participate in the security protocol, and I would imagine that there are far easier ways to provide secure connections. I believe GDOI is esp-only. Cisco's term for GDOI is GETVPN. -David Barak On Wed Dec 23rd, 2009 7:26 AM EST Peter Hicks wrote: Glen Kent wrote: Any idea if folks use AH or ESP to protect IGMP/PIM packets? Wondering that if they do, then how would snooping switches work? Would encrypting multicast not fundamentally break the concept of multicast itself, unless you're encrypting multicast traffic over a backbone? Peter
Re: IGMP and PIM protection
On Dec 23, 2009, at 6:41 PM, Glen Kent wrote: Any idea if folks use AH or ESP to protect IGMP/PIM packets What are you trying to 'protect' them against? --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
Re: IGMP and PIM protection
Would encrypting multicast not fundamentally break the concept of multicast itself, unless you're encrypting multicast traffic over a backbone? No, I wasn't alluding to encrypting the multicast traffic. I was thinking of using ESP-NULL (AH is optional) for the IGMP/PIM packets. Affably, Kent
Re: IGMP and PIM protection
On Wed, Dec 23, 2009 at 7:46 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Dec 23, 2009, at 6:41 PM, Glen Kent wrote: Any idea if folks use AH or ESP to protect IGMP/PIM packets What are you trying to 'protect' them against? Just integrity protection to ensure that my reports, etc. are not mangled when I recv them. OR to make sure that I only receive reports/leaves from the folks who are supposed to send them. Please note that I am NOT interested in encrypting the control traffic. Kent --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
Re: Article on spammers and their infrastructure
Rich Kulawiec wrote: On Wed, Dec 23, 2009 at 01:58:47AM -0500, Christopher Morrow wrote: no real argument, but... 'please provide some set of workable solutions' The set of workable solutions at this point looks something like null routes, firewall rules, blacklist entries -- in order to deny traffic to and from such locales. I agree just about entirely with Ferg: the policy angle is a dead end. The organizations involved are either clueless or entirely focused on other goals (e.g., profit) at the expense of sound policy. Gosh, there's no way I can create this public good, because someone somewhere will use it in the commission of a crime notwithstanding all the benefits it confers. I'll just throw down props to Paul Samuelson since he's no longer with us and leave it at that. ---Rsk
Re: IGMP and PIM protection
So we're looking to complicate things for the sake of complicating them? Using a predictable security doesn't exactly make things secure does it? On the links that you are running PIM or IGMP on, do you not have a predictable set of clients and therefore problems? Or are we trying to protect against something I'm not thinking of? ;) Scott Glen Kent wrote: Would encrypting multicast not fundamentally break the concept of multicast itself, unless you're encrypting multicast traffic over a backbone? No, I wasn't alluding to encrypting the multicast traffic. I was thinking of using ESP-NULL (AH is optional) for the IGMP/PIM packets. Affably, Kent
Re: IGMP and PIM protection
But IGMP IS the control traffic with users. And PIM IS the control traffic between multicast routers. ? Scott Glen Kent wrote: On Wed, Dec 23, 2009 at 7:46 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Dec 23, 2009, at 6:41 PM, Glen Kent wrote: Any idea if folks use AH or ESP to protect IGMP/PIM packets What are you trying to 'protect' them against? Just integrity protection to ensure that my reports, etc. are not mangled when I recv them. OR to make sure that I only receive reports/leaves from the folks who are supposed to send them. Please note that I am NOT interested in encrypting the control traffic. Kent --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Injustice is relatively easy to bear; what stings is justice. -- H.L. Mencken
RE: IGMP and PIM protection
-Original Message- From: Scott Morris [mailto:s...@emanon.com] Sent: Wednesday, December 23, 2009 9:27 AM To: Glen Kent Cc: nanog@nanog.org Subject: Re: IGMP and PIM protection But IGMP IS the control traffic with users. And PIM IS the control traffic between multicast routers. I think OP meant that he only wants an integrity check of the control traffic, not confidentiality, hence the statement that he does not want to encrypt the control traffic. Stefan Fouant www.shortestpathfirst.net GPG Key ID: 0xB5E3803D
Re: FYI, new USG Cybersecurity Coordinator ...
On Wed, Dec 23, 2009 at 7:19 AM, Christopher Morrow morrowc.li...@gmail.com wrote: (again, this seems really off topic, but) On Tue, Dec 22, 2009 at 7:33 PM, andrew.wallace andrew.wall...@rocketmail.com wrote: though Gadi is Israeli and Marcus Sachs Pakistani and couldn't be marcus is pakistani? He was born in Lahore, Pakistan in 1959 and moved to Tallahassee, Florida with his parents and younger brother in 1961. --Wikipedia. http://en.wikipedia.org/wiki/Marcus_Sachs To me it's amazing how deep into U.S Intelligence and The White House he's been allowed to go up until now.
Re: FYI, new USG Cybersecurity Coordinator ...
andrew.wallace wrote: He was born in Lahore, Pakistan in 1959 and moved to Tallahassee, Florida with his parents and younger brother in 1961. --Wikipedia. http://en.wikipedia.org/wiki/Marcus_Sachs Just like many Americans. To me it's amazing how deep into U.S Intelligence and The White House he's been allowed to go up until now. ... Georgia Institute of Technology in Atlanta, where he graduated in 1981 with a Bachelor of Civil Engineering degree. Commissioned as a Second Lieutenant of Engineers in the United States Army in 1981, he served over 20 years as an officer in the Army Corps of Engineers. He graduated from the United States Army Command and General Staff College, and holds a master's degree in Science and Technology Commercialization from the University of Texas and a master's degree in Computer Science from James Madison University. An un-American mole, loyal to a country and a long-time US allied government that he probably doesn't remember? I'm wondering whether you're related to: http://en.wikipedia.org/wiki/George_Wallace
Re: FYI, new USG Cybersecurity Coordinator ...
+BIGINT The real issues are (a) is this billet actually able to originate policy, (b) interpret existing policy, (c) at least find the RNC mail archive, (d) ... Who the hell cares if the billet is filled by a Soviet Mole (tm) if the job is decoration? Eric On 12/23/09 12:42 PM, William Allen Simpson wrote: andrew.wallace wrote: He was born in Lahore, Pakistan in 1959 and moved to Tallahassee, Florida with his parents and younger brother in 1961. --Wikipedia. http://en.wikipedia.org/wiki/Marcus_Sachs Just like many Americans. To me it's amazing how deep into U.S Intelligence and The White House he's been allowed to go up until now. ... Georgia Institute of Technology in Atlanta, where he graduated in 1981 with a Bachelor of Civil Engineering degree. Commissioned as a Second Lieutenant of Engineers in the United States Army in 1981, he served over 20 years as an officer in the Army Corps of Engineers. He graduated from the United States Army Command and General Staff College, and holds a master's degree in Science and Technology Commercialization from the University of Texas and a master's degree in Computer Science from James Madison University. An un-American mole, loyal to a country and a long-time US allied government that he probably doesn't remember? I'm wondering whether you're related to: http://en.wikipedia.org/wiki/George_Wallace
Re: Article on spammers and their infrastructure
On Dec 22, 2009, at 11:58 PM, Christopher Morrow wrote: On Wed, Dec 23, 2009 at 1:12 AM, Paul Ferguson fergdawgs...@gmail.com wrote: Folks should not be so obtuse about these activities. It's almost blatantly in-your-face, so to speak. These guys have no fear of retribution. no real argument, but... 'please provide some set of workable solutions' The ARIN meetings (at least) are open, please come and help guide policies. I'm sure RIPE also wouldn't mind a discussion, if there could be some positive policy outcome. Rather than expecting anti-spam researchers to lobby at ARIN RIPE meetings, perhaps ARIN RIPE representatives could visit anti-spam meetings such as MAAWG to ask how they can help? I'd be happy to make some introductions. -- J.D. Falk jdf...@returnpath.net Return Path Inc
looking for a contact at Orange
if anyone has a contact at Orange or is from Orange, can you contact me off list. need help with some issues originating from the EU. -- Andrew Young Webair Internet Development, Inc. Phone: 1 866 WEBAIR 1 x143 http://www.webair.com Shift hours: Tues-Friday 12PM-8PM, Sat 9AM-5PM
IPv6 Training
Greetings, Just wondering if anyone has had any experience with IPv6 training courses. A quick search turns up a few results on the subject, but it would be handy to hear if anyone has any firsthand experiences or recommendations. We're based in western Canada but don't mind traveling a bit, but alternatively an online course would be acceptable as well. -M
Re: IPv6 Training
On Wed, Dec 23, 2009 at 12:00:28PM -0800, Marty Anstey wrote: Greetings, Just wondering if anyone has had any experience with IPv6 training courses. A quick search turns up a few results on the subject, but it would be handy to hear if anyone has any firsthand experiences or recommendations. We're based in western Canada but don't mind traveling a bit, but alternatively an online course would be acceptable as well. -M SANS has a course that's pretty good, from what I hear. I haven't taken it. fd: I work for SANS part-time, but I have not taken the course, nor am I a course author (aka, I earn nothing by saying this)
Re: IPv6 Training
On Dec 23, 2009, at 12:00 PM, Marty Anstey wrote: Greetings, Just wondering if anyone has had any experience with IPv6 training courses. A quick search turns up a few results on the subject, but it would be handy to hear if anyone has any firsthand experiences or recommendations. We're based in western Canada but don't mind traveling a bit, but alternatively an online course would be acceptable as well. -M Depending on what you are looking for, check out tunnelbroker.net and you can learn quite a bit there. If you can be more specific about your needs, HE is actually actively working to provide training in this area, and, we are the ISP with more IPv6 experience than any other. Owen
Re: [NANOG] Report on internet business
It's actually available for free on the World-Wide Internet at http://www.morganstanley.com/institutional/techresearch/pdfs/Mobile_Internet_Report_Key_Themes_Final.pdf , but you can purchase a paper copy if you'd rather. It's pretty slow going as it's mostly power points, some with lots and lots of words, but some of the graphs and insights are intriguing, esp. as they related to the non-USA parts of the world. The authors are pretty well convinced that the demand for more wireless spectrum will be handled by spectral efficiency improvements and deployment of more towers, they stress the importance of replacing copper with fiber and microwave in the middle mile, and don't think the telcos are doing the right things. There's a lot of discussion about how the wireless networks will handle voice and best-efforts at the same time which many will find troublesome, I suppose, but overall I'd give it 4 out of 5 stars. RB On 12/23/2009 3:01 PM, Scott Weeks wrote: --- taka...@cpqd.com.br wrote: From: Takashi Tometaka...@cpqd.com.br Morgan Stanley has released a very interesting report on internet business with some tips to net operators: http://www.morganstanley.com/institutional/techresearch/mobile_internet_report122009.html --- It must be purchased: -- The Mobile Internet Report To receive a printed copy of The Mobile Internet Report, please contact your Morgan Stanley Representative. To purchase a copy, please click here. -- scott
Re: IPv6 Training
On 12/23/2009 13:03, Mike Leber wrote: Marty Anstey wrote: Just wondering if anyone has had any experience with IPv6 training courses. A quick search turns up a few results on the subject, but it would be handy to hear if anyone has any firsthand experiences or recommendations. We're based in western Canada but don't mind traveling a bit, but alternatively an online course would be acceptable as well. Once you have IPv6 connectivity established (either native IPv6 or via a tunnel from anybody (for example tunnelbroker.net or sixxs.net)) if you want a self teaching procedural guide where you can setup and test various IPv6 services (HTTP, SMTP, reverse DNS, forward DNS, host record glue) then you might check out our free IPv6 certification service at: http://ipv6.he.net/certification It's a bit tongue in cheek and meant to be sort of like entertainment with education for engineers (for example the certification ranks are from Newb to Sage). By the time you are done IPv6 won't seem weird. (In fact, you'll probably be thinking that's it?!) Tongue in cheek? You mean I'm not *really* a Sage? :p :p The tunnelbroker.net forum is also a good source of info/discussion about IPv6. It'd be nice if it was a bit more active though.
Re: IGMP and PIM protection
Musing on the idea for a moment, it would surely be 'nice' to somehow know that PIM v2 joins from some other network were, in fact, 'good' or somehow well-formed, rate-limited, and/or somehow 'safe' to accept hold state for. However, it seems as if the OP isn't interested in inter-domain rp protection -- and probably more interested in authenticating more local igmp v2/3 joins for STB's and the like. Yup, I was currently looking at the IGMP v2/v3 joins only. Kent Glen, clarify? -Tk
Re: IGMP and PIM protection
I think OP meant that he only wants an integrity check of the control traffic, not confidentiality, hence the statement that he does not want to encrypt the control traffic. Yes, that's correct. Kent Stefan Fouant www.shortestpathfirst.net GPG Key ID: 0xB5E3803D
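The snooping question raised in this thread, as an added example that is not from any poster: an IGMPv2 report carried in transport-mode ESP with NULL encryption is sent as IP protocol 50, so a snooper keyed on protocol 2 never sees it, while a device told the ICV length can read the cleartext report but cannot check the ICV without the key. The addresses, SPI, key and the 96-bit HMAC-SHA1 ICV are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IGMP, IPPROTO_ESP = 2, 50
ICV_LEN = 12                            # assumption: 96-bit HMAC-SHA1 ICV
KEY = b"constructed-demo-key"           # constructed sample key
SRC, GROUP = "192.0.2.10", "239.1.1.1"  # constructed sample addresses

def checksum(data):
    """Internet checksum: one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def igmpv2_report(group):
    addr = ipaddress.IPv4Address(group).packed
    csum = checksum(struct.pack("!BBH4s", 0x16, 0, 0, addr))
    return struct.pack("!BBH4s", 0x16, 0, csum, addr)

def ipv4(proto, src, dst, payload):
    options = b"\x94\x04\x00\x00"       # Router Alert option
    hlen = 20 + len(options)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | hlen // 4, 0xC0,
                      hlen + len(payload), 0, 0, 1, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed) + options
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def esp_null(inner, next_header, key, spi=0x1000, seq=1):
    """ESP with NULL encryption: SPI, sequence, cleartext payload,
    padding, pad length, next header, then the ICV."""
    pad_len = -(len(inner) + 2) % 4
    body = (struct.pack("!II", spi, seq) + inner
            + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header]))
    return body + hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]

def parse_report(data):
    """Return the joined group if `data` is a valid IGMPv2 report."""
    if len(data) != 8 or data[0] != 0x16 or checksum(data) != 0:
        return None
    return str(ipaddress.IPv4Address(data[4:8]))

def naive_snoop(packet):
    """Snooper that only recognises IP protocol 2."""
    hlen = (packet[0] & 0x0F) * 4
    return parse_report(packet[hlen:]) if packet[9] == IPPROTO_IGMP else None

def esp_aware_snoop(packet, icv_len=ICV_LEN):
    """Snooper configured with the ICV length: reads the ESP trailer to
    find the cleartext IGMP report. It holds no key, so it cannot verify."""
    hlen = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_ESP:
        return naive_snoop(packet)
    esp = packet[hlen:]
    end = len(esp) - icv_len
    if end < 10 or esp[end - 1] != IPPROTO_IGMP:
        return None
    return parse_report(esp[8:end - 2 - esp[end - 2]])

def verify_icv(packet, key):
    """Receiver-side integrity check over ESP header, payload and trailer."""
    esp = packet[(packet[0] & 0x0F) * 4:]
    want = hmac.new(key, esp[:-ICV_LEN], hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(want, esp[-ICV_LEN:])

def build_plain():
    return ipv4(IPPROTO_IGMP, SRC, GROUP, igmpv2_report(GROUP))

def build_protected():
    esp = esp_null(igmpv2_report(GROUP), IPPROTO_IGMP, KEY)
    return ipv4(IPPROTO_ESP, SRC, GROUP, esp)

def build_altered():
    """Protected packet whose report was swapped in transit, ICV untouched."""
    pkt = build_protected()
    hlen = (pkt[0] & 0x0F) * 4
    return pkt[:hlen + 8] + igmpv2_report("239.9.9.9") + pkt[hlen + 16:]

if __name__ == "__main__":
    for name, pkt in [("plain", build_plain()), ("esp-null", build_protected()),
                      ("altered", build_altered())]:
        ok = verify_icv(pkt, KEY) if pkt[9] == IPPROTO_ESP else None
        print(name, naive_snoop(pkt), esp_aware_snoop(pkt), ok)
```

The altered packet is still readable by the keyless snooper and only fails at the receiver that holds the key, which is the gap between what a snooping switch can see and what it can trust.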
Re: [NANOG] Report on internet business
On Dec 23, 2009, at 6:11 PM, Richard Bennett wrote: The authors are pretty well convinced that the demand for more wireless spectrum will be handled by spectral efficiency improvements and deployment of more towers, they stress the importance of replacing copper with fiber and microwave in the middle mile, and don't think the telcos are doing the right things. I know, watching my local incumbent they are not replacing damaged copper with fiber. I think they must have warehouses of it someplace. I can't imagine that it is good to replace buried copper w/copper during the wintertime. If you're out doing it, might as well *actually* install fiber in the conduit. (Unless it's about unions/job protection for the copper guys). - Jared (not saying unions are bad, but when you operate two assets and have a different union for each, it can limit your potential significantly).
Re: [NANOG] Report on internet business
On Wed, Dec 23, 2009 at 3:01 PM, Scott Weeks sur...@mauigateway.com wrote: It must be purchased: Only if you want the dead-tree edition. The others are linked below the text you've quoted. Scott.
Re: [NANOG] Report on internet business
Maybe we need to pass some laws that ban copper wire outdoors. On 12/23/2009 4:22 PM, Jared Mauch wrote: On Dec 23, 2009, at 6:11 PM, Richard Bennett wrote: The authors are pretty well convinced that the demand for more wireless spectrum will be handled by spectral efficiency improvements and deployment of more towers, they stress the importance of replacing copper with fiber and microwave in the middle mile, and don't think the telcos are doing the right things. I know, watching my local incumbent they are not replacing damaged copper with fiber. I think they must have warehouses of it someplace. I can't imagine that it is good to replace buried copper w/copper during the wintertime. If you're out doing it, might as well *actually* install fiber in the conduit. (Unless it's about unions/job protection for the copper guys). - Jared (not saying unions are bad, but when you operate two assets and have a different union for each, it can limit your potential significantly).
Re: UltraDNS Failure?
Mark Pace wrote: Anyone else having problems resolving DNS from UltraDNS? I'm seeing this: $ dig www.ultradns.com @8.8.8.8 Yeah, they went belly up in the last 20 or so. Hard. Looks like it's hitting some of Amazon's Cloud stuff too. It seems west coast related, by the way. -- Oh, mairzy doats and dozy doats and liddle lamzy divey A kiddley divey too, wooden chu? Three little fiddies in an iddy, bitty pooh, Three little fiddies and a mama fiddy too...
Re: UltraDNS Failure?
Anyone else having problems resolving DNS from UltraDNS? I'm seeing this: $ dig www.ultradns.com @8.8.8.8 Yeah, they went belly up in the last 20 or so. Hard. Looks like it's hitting some of Amazon's Cloud stuff too. It seems west coast related, by the way. On the west coast here. They went at 4:44pm (Pacific). pace
Re: UltraDNS Failure?
Anyone else having problems resolving DNS from UltraDNS? I'm seeing this: $ dig www.ultradns.com @8.8.8.8 Yeah, they went belly up in the last 20 or so. Hard. Looks like it's hitting some of Amazon's Cloud stuff too. It seems west coast related, by the way. On the west coast here. They went at 4:44pm (Pacific). Recovered at this point... pace
Re: [NANOG] Report on internet business
--- sc...@doc.net.au wrote: -- From: Scott Howard sc...@doc.net.au On Wed, Dec 23, 2009 at 3:01 PM, Scott Weeks sur...@mauigateway.com wrote: It must be purchased: Only if you want the dead-tree edition. The others are linked below the text you've quoted. -- DOH! I blame it on Christmasits. It's a bad disease I recently caught... ;-) Apologies for the confusion. Have a great Christmas! scott
Re: UltraDNS Failure?
Clarification: www.ultradns.com is back. There are still other problems afoot, like amazon:

$ dig amazon.com @8.8.8.8

; <<>> DiG 9.6.0-P1 <<>> amazon.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56390
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;amazon.com.                    IN      A

;; Query time: 2042 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Dec 23 17:28:10 2009
;; MSG SIZE rcvd: 28

On 12/23/2009 5:22 PM, Mark Pace wrote: Anyone else having problems resolving DNS from UltraDNS? I'm seeing this: $ dig www.ultradns.com @8.8.8.8 Yeah, they went belly up in the last 20 or so. Hard. Looks like it's hitting some of Amazon's Cloud stuff too. It seems west coast related, by the way. On the west coast here. They went at 4:44pm (Pacific). Recovered at this point... pace
Re: UltraDNS Failure?
Mark Pace wrote: Anyone else having problems resolving DNS from UltraDNS? I'm seeing this: $ dig www.ultradns.com @8.8.8.8 Yeah, they went belly up in the last 20 or so. Hard. Looks like it's hitting some of Amazon's Cloud stuff too. It seems west coast related, by the way. On the west coast here. They went at 4:44pm (Pacific). Recovered at this point...

Not from Seattle WA via Comcast HSI:

js...@spunky:$ dig www.ultradns.com @8.8.8.8

; <<>> DiG 9.6.1-P2 <<>> www.ultradns.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21733
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ultradns.com.              IN      A

;; Query time: 65 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Dec 23 17:29:41 2009
;; MSG SIZE rcvd: 34

Also images on my web site are not loading from s3.amazonaws.com - John
Re: UltraDNS Failure?
On Wed, Dec 23, 2009 at 05:38:21PM -0800, Shrdlu wrote: I'm still seeing the DNS servers at udns down, hard. Amazon's cloud will need a reboot when this is over. Dang, what the heck happened to all that anycast stuff? We have some DNS providing type customers (not UltraDNS) receiving a few million packets/sec of UDP/53 DoS traffic, starting at about the same time as the UltraDNS problems. No clue if it's related, but it certainly sounds suspicious. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
Re: UltraDNS Failure?
There have been several DNS based DDoS observed throughout the day targeting Ultra as well as a few other companies. They were first observed earlier in the morning on the East coast. --Original Message-- From: Richard A Steenbergen To: Shrdlu Cc: Nanog Subject: Re: UltraDNS Failure? Sent: Dec 23, 2009 8:42 PM On Wed, Dec 23, 2009 at 05:38:21PM -0800, Shrdlu wrote: I'm still seeing the DNS servers at udns down, hard. Amazon's cloud will need a reboot when this is over. Dang, what the heck happened to all that anycast stuff? We have some DNS providing type customers (not UltraDNS) receiving a few million packets/sec of UDP/53 DoS traffic, starting at about the same time as the UltraDNS problems. No clue if it's related, but it certainly sounds suspicious. :) -- Richard A Steenbergen r...@e-gerbil.net http://www.e-gerbil.net/ras GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC) Sent from my Verizon Wireless BlackBerry
Re: UltraDNS Failure?
Richard A Steenbergen wrote: On Wed, Dec 23, 2009 at 05:38:21PM -0800, Shrdlu wrote: I'm still seeing the DNS servers at udns down, hard. Amazon's cloud will need a reboot when this is over. Dang, what the heck happened to all that anycast stuff? We have some DNS providing type customers (not UltraDNS) receiving a few million packets/sec of UDP/53 DoS traffic, starting at about the same time as the UltraDNS problems. No clue if it's related, but it certainly sounds suspicious. :) I saw close to a hundred hits on my local dns servers for one request, and they were mostly due to the crazy amazon cloud stuff. You looking at the packets? -- Oh, mairzy doats and dozy doats and liddle lamzy divey A kiddley divey too, wooden chu? Three little fiddies in an iddy, bitty pooh, Three little fiddies and a mama fiddy too...
Re: IPv6 Training
Marty A., Not an endorsement, but Aaron Hughes ahug...@bind.com has been doing training. I mention him because I'm aware that he has a track record, has done some +NOG presos and generally knowledgeable. He's also the only person I'm aware of outside of Europe doing training. Alternatively, I believe Jordi Palet Martinez is still an excellent trainer as well. Jordi is easily found in your favorite search engine. YMMV. Best, Marty (Yes, deliberately posted to nanog. For archives) -M On 12/23/09, Marty Anstey marty.ans...@sunwave.net wrote: Greetings, Just wondering if anyone has had any experience with IPv6 training courses. A quick search turns up a few results on the subject, but it would be handy to hear if anyone has any firsthand experiences or recommendations. We're based in western Canada but don't mind traveling a bit, but alternatively an online course would be acceptable as well. -M -- Martin Hannigan mar...@theicelandguy.com p: +16178216079 Power, Network, and Costs Consulting for Iceland Datacenters and Occupants
Re: [NANOG] Report on internet business
- Original Message From: Jared Mauch ja...@puck.nether.net I know, watching my local incumbent they are not replacing damaged copper with fiber. I think they must have warehouses of it someplace. I can't imagine that it is good to replace buried copper w/copper during the wintertime. If you're out doing it, might as well *actually* install fiber in the conduit. (Unless it's about unions/job protection for the copper guys). - Jared (not saying unions are bad, but when you operate two assets and have a different union for each, it can limit your potential significantly). One of the very hard things about running a large, geographically distributed layer 0/1 organization is managing the various and sundry physical cables from point to point. Replacing one bad span with a good span which is qualitatively different introduces a level of version control and management headache, and if done in a haphazard fashion can reduce the overall availability of the network. I don't know who your incumbent is, but it's reasonable to assume that they have some strategy for cable plant management which includes overall technology refresh at some point, with like-for-like replacement until then. Also, last I checked, the specs on how to build a good layer 0/1 fiber infrastructure were different than those for copper - because the capabilities are different, the network architecture has different optimizations available. This doesn't mean that the provider shouldn't be moving toward a large-scale fiber rollout - far from it! I just wanted to provide a reason why they might not want to do said rollout in a piecemeal fashion. David Barak Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com
Re: Revisiting the Aviation Safety vs. Networking discussion
1. I grew up at the local airport watching my CFII pop train an endless stream of pilots. 2. The checklist for my last production gear swap had over 400 steps and 4 time/task gates (each with a rollback plan). As I did each sequence of steps, I called it out, and someone read their copy of the checklist and checked it off. An entire peanut gallery of rogues watched the whole thing on livemeeting, waiting to pounce on the first misstep or shortcut. 3. We migrated an entire nationwide phone system in 6 hours and nobody noticed anything. 4. We met afterward in an after action review meeting that I picked up in the Army. I'm more persistent than smart, and I tell ya, if you prep well enough, you can hand your checklist to a stoned intern and you'll have no worries at all. David On Wed, Dec 23, 2009 at 12:48 PM, Owen DeLong o...@delong.com wrote: Those that remember the discussion may find this article interesting: http://abcnews.go.com/Health/wireStory?id=9394406 Owen
Re: used hardware
www.subspacecom.com -- gear ++ Shows up @ NANOG, doesn't spam and clue. Best, -M On 12/18/09, Barrett Lyon bl...@blyon.com wrote: I buy a lot of gear from Peter Giberd at Townsend. I have been working with him for a good 7 years. It's budded into a friendship, good people there. -B http://www.townsendassets.com/ On Dec 18, 2009, at 11:03 AM, Bill Lewis wrote: http://www.networkhardware.com/ContactNHR/ Mostly Cisco, but I think they'll do Juniper. Bill -- -Date: Fri, 18 Dec 2009 04:34:05 -0800 -From: Mehmet Akcin meh...@akcin.net -Subject: used hardware.. -To: nanog@nanog.org list nanog@nanog.org -Message-ID: 16e6d13c-ab9c-4ea5-8e73-59172dd28...@akcin.net -Content-Type: text/plain; charset=us-ascii -Hello there.. -I am looking to sell and buy some used hardware, where is the best place for this, other than ebay ? -Mostly juniper stuff -thanks in advance. -Mehmet -- Martin Hannigan mar...@theicelandguy.com p: +16178216079 Power, Network, and Costs Consulting for Iceland Datacenters and Occupants