Re: Experiences with Comcast Ethernet/Transit service

2010-01-07 Thread Brent Jones
On Wed, Dec 23, 2009 at 1:10 AM, Brandon Galbraith wrote:
> We're looking at using Comcast's (business) transit and private ethernet
> services at several client locations and I wanted to see what experiences
> others have had regarding this. Off-list replies are preferred.
>
> Thanks,
> -brandon
>
> --
> Brandon Galbraith
> Mobile: 630.400.6992
>

This was a timely question, as we've had a GigE fiber line with them
for 6 months now.
Largely, the link performs at ~999Mbit 99% of the time  :)
However, we've had two issues with connectivity that seem to originate
from their network. The link will show up, but both sides of our fiber
will show 0 frames received, and lots of transmit errors. It takes a
call into the Comcast NOC each time for them to resolve it, but
they've been silent on what may actually be going on. These
interruptions last anywhere from 30 minutes, to the last one almost 7
hours (luckily over a weekend).

Benefits to this, being Metro Ethernet, they do support tagged VLAN's,
so cost to entry is low in terms of equipment and setup/support.

Our link goes between downtown Portland, OR, to across the river to
East Vancouver and Mill Plain.

-- 
Brent Jones
br...@servuhome.net



Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-07 Thread Joe Greco
> While we're on the subject, a lot of Liebert gear has a dip switch/jumper
> block to turn passwords off entirely. (of course, that requires physical
> access and a power cycle.)

So do a lot of HP/Compaq servers with integrated lights out management.
Don't think you even need to power cycle (whether you're brave enough to
go poking around the deep innards of an energized server is another
matter).  I know the DIP switch on older DL385's is a micro DIP switch
and it's inconveniently located in the middle of the server behind some
stuff.

The good part is that you can clear out unknown passwords as long as you
have access to the chassis innards.  The bad part is that I've seen these
left in password bypass mode (though the BIOS thoughtfully warns you of
the status if you do that).

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: I don't need no stinking firewall!

2010-01-07 Thread Jay Hennigan

Nenad Andric wrote:
> On Tue Jan 05, 2010 at 01:04:01PM -0800, Jay Hennigan  wrote:
>
>> Or better:
>> - Allow from anywhere port 80 to server port > 1023 established
>
> Adding "established" brings us back to stateful firewall!

Not really.  It only looks to see if the ACK or RST bits are set.  This 
is different from a stateful firewall which memorizes each outbound 
packet and checks the return for a match source/destination/sequence.


--
Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
Impulse Internet Service  -  http://www.impulse.net/
Your local telephone and internet company - 805 884-6323 - WB6RDV
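
The distinction drawn in the reply above, as an added example that is not part of the original thread: `acl_established` checks only the ACK/RST bits of the packet in hand, while the simplified `StatefulFilter` remembers the outbound SYN and matches the return against addresses, ports and acknowledgment number. All names, the documentation-range addresses and the sequence numbers are constructed for illustration.

```python
from dataclasses import dataclass

# TCP flag bits as laid out in the TCP header
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    seq: int = 0
    ack: int = 0


def acl_established(pkt: Segment) -> bool:
    """Stateless rule from the post: permit source port 80 to a port > 1023
    'established'. Only this one packet's ACK or RST bit is examined."""
    return pkt.sport == 80 and pkt.dport > 1023 and bool(pkt.flags & (ACK | RST))


class StatefulFilter:
    """Simplified connection tracker (hypothetical, payload lengths ignored):
    it memorizes outbound segments and admits an inbound segment only when it
    matches a remembered flow and acknowledges the expected sequence number."""

    def __init__(self):
        # (inside ip, inside port, outside ip, outside port) -> ack we expect back
        self.flows = {}

    def outbound(self, pkt: Segment) -> None:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        # SYN and FIN each consume one sequence number.
        consumed = 1 if pkt.flags & (SYN | FIN) else 0
        self.flows[key] = (pkt.seq + consumed) & 0xFFFFFFFF

    def inbound(self, pkt: Segment) -> bool:
        # Reverse the tuple so the return packet maps onto the outbound flow.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        expected = self.flows.get(key)
        if expected is None:
            return False  # nothing was ever sent to this peer from this port
        return bool(pkt.flags & ACK) and pkt.ack == expected


# Constructed sample traffic (RFC 5737 documentation addresses).
INSIDE, WEB, OTHER = "192.0.2.10", "198.51.100.80", "203.0.113.5"

SAMPLES = {
    # Genuine reply to the outbound SYN sent in compare() below.
    "syn_ack_reply": Segment(WEB, 80, INSIDE, 40000, SYN | ACK, seq=5000, ack=1001),
    # New inbound connection attempt: no ACK bit, so both filters drop it.
    "new_syn": Segment(OTHER, 80, INSIDE, 40000, SYN, seq=7000),
    # ACK bit set, but no matching outbound flow exists.
    "unsolicited_ack": Segment(OTHER, 80, INSIDE, 40001, ACK, seq=7000, ack=1),
    # Right addresses and ports, wrong acknowledgment number.
    "wrong_sequence": Segment(WEB, 80, INSIDE, 40000, ACK, seq=5001, ack=999999),
}


def compare() -> dict:
    """Return {sample name: (stateless verdict, stateful verdict)}."""
    fw = StatefulFilter()
    fw.outbound(Segment(INSIDE, 40000, WEB, 80, SYN, seq=1000))
    return {name: (acl_established(p), fw.inbound(p)) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (stateless, stateful) in compare().items():
        print(f"{name:16} established-ACL={stateless!s:5} stateful={stateful}")
```

The two filters agree on the genuine reply and on the bare SYN; they differ on the last two samples, which is what to account for when an `established` ACL is the only control in front of a host.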



Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-07 Thread Ricky Beam

On Wed, 06 Jan 2010 19:13:28 -0500, Nick Hale  wrote:

> I think the vendor you're thinking of was Cabletron (now Enterasys).  I
> had to call them and give them the Serial Number for them to provide me
> with the default password to the system after a hard reset (this was for
> an ELS100-24TXG 'switch').


And their CPE gear had a 5 minute password reset window after power on.   
We hated the customers who'd figured that out.


While we're on the subject, a lot of Liebert gear has a dip switch/jumper
block to turn passwords off entirely. (of course, that requires physical
access and a power cycle.)


--Ricky



Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-07 Thread Ricky Beam
On Wed, 06 Jan 2010 18:24:26 -0500, Jeffrey I. Schiller wrote:

> An option I saw years ago (I forgot on whose equipment) was a default
> password which was a function of the equipment's serial number. So you
> had to have the algorithm and you needed the serial number which was not
> related to the MAC. So if you didn't have physical access, you were not
> in a good position to learn the password.


Gadzoox used to do that... the management modules for their hubs had
factory set random passwords.  It's provided on a sticker with the card,
so you can put it where you want -- just don't lose it, because that's
the only place it exists (without breaking out a JTAG debugger.)


Yes, their later gear has standard default passwords.

--Ricky



Re: qwest outage no notice

2010-01-07 Thread Scott Weeks

--- mike-na...@tiedyenetworks.com wrote:
From: Mike 

Ok, so the next question is, what harm would a simple advance notice of 
'emergency maintenance' caused, vs the very real hassle and 
inconvenience that DS3-down in the middle of the night caused for 
operations staff? I personally was yanked out of bed by my network 
--


Try no notice at all and 4 GigEs of upstream bandwidth down at 1:30am.  :-(

scott






Re: he.net down/slow?

2010-01-07 Thread Valdis . Kletnieks
On Thu, 07 Jan 2010 13:51:41 CST, Brian Johnson said:
> > On 7 Jan 2010, at 18:18, William Pitcock wrote:
> > > ...why would you have that on a mailing list post?
> > because the mail server that adds it is too dumb to differentiate
> > between list and direct mail?

> Bingo! ;)

That sort of gratuitous "add it to everything because our software is too
stupid to sort it out" is *this* close to what the legal eagles call
"overwarning".  Just sayin'.

(Basically, your site and everybody else's site sticks it on everything,
all the recipients just ignore it the same way we almost always ignore
Received: headers because they're on every message and very rarely have
any useful content - with the end result that if you stick it on a message
that *matters*, it will still get ignored)

Oh, and is your company ready to indemnify my employer for the costs of
"destroy all copies of the original message" sufficiently thoroughly to
prevent recovery by a competent forensics expert? This may include, but
not be limited to, the main mail store for 70,000 people, backup tapes,
and other mail systems where the data may have been logically deleted but
as yet not overwritten.  Just sayin'. ;)




RE: qwest outage no notice

2010-01-07 Thread Dylan Ebner

Same thing for us in Minnesota. Brief outage and emergency outage notification 
came after the outage. The outage window was for 6:00-12:00GMT, and the outage 
came at 6:15GMT. We didn't get the notice until 10:30GMT.

Qwest had a major outage over the Xmas weekend in MN. I wonder if this is 
related. They told me it was a bad switch, but that sounded funny.






Dylan Ebner
-Original Message-
From: Jack Bates [mailto:jba...@brightok.net] 
Sent: Thursday, January 07, 2010 10:25 AM
To: sth...@nethelp.no
Cc: nanog@nanog.org
Subject: Re: qwest outage no notice

sth...@nethelp.no wrote:
> 
> We received 7 Juniper Security Advisories today. My guess is that this
> is the reason for the Qwest outage you've seen.
> 

Yeah, they refused to notify due to security concerns from what they 
told me last night. Notification was performed after maintenance was 
complete.


Jack





Re: 4.1 earthquake in SF Bay region (was Re: he.net down/slow?)

2010-01-07 Thread Paul Ferguson
On Thu, Jan 7, 2010 at 11:32 AM, John Adams  wrote:

> I'm in downtown SF and felt nothing.
>

I live & work virtually on top of the epicenter of the quake this morning
-- it was pretty mild, but still caused some dish rattling, building
swaying, etc., but connectivity around the Bay Area seems to have not been
affected by it as far as I can tell.

$.02,

- ferg



-- 
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawgster(at)gmail.com
 ferg's tech blog: http://fergdawg.blogspot.com/



RE: he.net down/slow?

2010-01-07 Thread Brian Johnson

> 
> On 7 Jan 2010, at 18:18, William Pitcock wrote:
> 
> > ...why would you have that on a mailing list post?
> 
> because the mail server that adds it is too dumb to differentiate
> between list and direct mail?
> 
>   f

Bingo! ;)

- Brian


 CONFIDENTIALITY NOTICE: This email message, including any attachments, is for 
the sole use of the
intended recipient(s) and may contain confidential and privileged information. 
Any unauthorized review,
copying, use, disclosure, or distribution is prohibited. If you are not the 
intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original 
message. Thank you.



Re: 4.1 earthquake in SF Bay region (was Re: he.net down/slow?)

2010-01-07 Thread John Adams

I'm in downtown SF and felt nothing.

-j

On Jan 7, 2010, at 11:18 AM, Matthew Kaufman wrote:

> Mike Lyon wrote:
>> I think the he.net problems occurred before the quake...
>> -Mike
> They did. I was looking at what it looked like from here when the
> building started swaying.
>
> Matthew Kaufman



---
John Adams (@netik)
Retina Communications
j...@retina.net
http://www.retina.net/tech
this email is: [  ] bloggable   [ x ] ask first   [   ] confidential




Re: 4.1 earthquake in SF Bay region (was Re: he.net down/slow?)

2010-01-07 Thread Matthew Kaufman

Mike Lyon wrote:
> I think the he.net problems occurred before the quake...
>
> -Mike

They did. I was looking at what it looked like from here when the 
building started swaying.


Matthew Kaufman



RE: qwest outage no notice

2010-01-07 Thread Greg Olson
Probably related to this:
http://www.theregister.co.uk/2010/01/07/juniper_critical_router_bug/



-Original Message-
From: Chris De Young [mailto:c...@arizona.edu] 
Sent: Thursday, January 07, 2010 9:32 AM
To: Mike
Cc: NANOG list
Subject: Re: qwest outage no notice

Mike wrote:
> We just had a qwest outage of about 2 mins at 1:41am pst. When I 
> called to report it I was told it was a 200+ emergency software 
> upgrade due to a security concern, and that we will get a notice later after 
> the fact.

Hmm - I got notice in advance. I'll have to go search for the email, but it was 
sometime before Christmas, since I had it on my calendar.

-C




Re: he.net down/slow?

2010-01-07 Thread Fearghas McKay


On 7 Jan 2010, at 18:18, William Pitcock wrote:

> ...why would you have that on a mailing list post?


because the mail server that adds it is too dumb to differentiate  
between list and direct mail?


f



Re: 4.1 earthquake in SF Bay region (was Re: he.net down/slow?)

2010-01-07 Thread Mike Lyon
I think the he.net problems occurred before the quake...

-Mike


On Thu, Jan 7, 2010 at 10:56 AM, JC Dill  wrote:

> Brian Johnson wrote:
>
>> Has anyone noticed that accessing http://www.he.net or
>> http://ipv6.he.net is either slow or inaccessible?
>>
>>
>
> We had a 4.1 earthquake here in the SF Bay area at about 10:09 PST.
> http://earthquake.usgs.gov/earthquakes/recenteqsus/Quakes/nc71336726.php
>
> I believe he.net's primary data center is located in the east bay,
> relatively near to the epicenter of this quake.
> This was a small quake, but perhaps a plug got jostled loose during the
> shaking.  Or perhaps the quake is entirely unrelated to your issue.
>
> jc
>
>
>
>


Re: 4.1 earthquake in SF Bay region (was Re: he.net down/slow?)

2010-01-07 Thread Seth Mattinen
JC Dill wrote:
> Brian Johnson wrote:
>> Has anyone noticed that accessing http://www.he.net or
>> http://ipv6.he.net is either slow or inaccessible?
>>   
> 
> We had a 4.1 earthquake here in the SF Bay area at about 10:09 PST.
> http://earthquake.usgs.gov/earthquakes/recenteqsus/Quakes/nc71336726.php
> 
> I believe he.net's primary data center is located in the east bay,
> relatively near to the epicenter of this quake.
> This was a small quake, but perhaps a plug got jostled loose during the
> shaking.  Or perhaps the quake is entirely unrelated to your issue.
> 

Not down for me (Reno). I also have an IPv6 tunnel to fremont2 that
never went down.

~Seth



4.1 earthquake in SF Bay region (was Re: he.net down/slow?)

2010-01-07 Thread JC Dill

Brian Johnson wrote:
> Has anyone noticed that accessing http://www.he.net or
> http://ipv6.he.net is either slow or inaccessible?


We had a 4.1 earthquake here in the SF Bay area at about 10:09 PST. 


http://earthquake.usgs.gov/earthquakes/recenteqsus/Quakes/nc71336726.php

I believe he.net's primary data center is located in the east bay, 
relatively near to the epicenter of this quake. 

This was a small quake, but perhaps a plug got jostled loose during the 
shaking.  Or perhaps the quake is entirely unrelated to your issue.


jc





Re: he.net down/slow?

2010-01-07 Thread Jed Smith
On Jan 7, 2010, at 12:30 PM, Brian Johnson wrote:

> Has anyone noticed that accessing http://www.he.net or
> http://ipv6.he.net is either slow or inaccessible?

Both are up here from both locations I'm bothered to try (business Comcast,
Net Access Corp MMU).

JS




Re: he.net down/slow?

2010-01-07 Thread William Pitcock
On Thu, 2010-01-07 at 11:30 -0600, Brian Johnson wrote:
> Has anyone noticed that accessing http://www.he.net or
> http://ipv6.he.net is either slow or inaccessible?
> 
> Please let me know if you have a different experience currently.

It is up here.

>  CONFIDENTIALITY NOTICE: This email message, including any attachments, is 
> for the sole use of the
> intended recipient(s) and may contain confidential and privileged 
> information. Any unauthorized review,
> copying, use, disclosure, or distribution is prohibited. If you are not the 
> intended recipient, please
> contact the sender by reply e-mail and destroy all copies of the original 
> message. Thank you.

...why would you have that on a mailing list post?

William




Re: he.net down/slow?

2010-01-07 Thread Brad Fleming

no issues in Kansas City (area) via Internet2 at 12:10pm Central.

On Jan 7, 2010, at 11:30 AM, Brian Johnson wrote:

> Has anyone noticed that accessing http://www.he.net or
> http://ipv6.he.net is either slow or inaccessible?
>
> Please let me know if you have a different experience currently.
>
> Thanks
>
> - Brian









Re: rj21/centronics cable mounting

2010-01-07 Thread Bryan Fields
Ingo Flaschberger wrote:
> Any ideas where to get this or any other ideas how to get a good 
> connection? (retro-fit).

Easy way to solve this is to lace it in place with some no. 9 wax twine.
I do this on most of these connectors, it's more secure than the cheesy
velcro loops.

http://en.wikipedia.org/wiki/Cable_lacing


-- 
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net



RE: he.net down/slow?

2010-01-07 Thread Paul Stewart
No issues from Toronto area on an HE connection...

-Original Message-
From: Tim Burke [mailto:t...@tburke.us]
Sent: Thursday, January 07, 2010 12:43 PM
To: nanog@nanog.org
Subject: Re: he.net down/slow?

Can't access http://he.net from my location here in Chicago...

traceroute to he.net (216.218.186.2), 30 hops max, 40 byte packets
  1  10.65.44.1 (10.65.44.1)  2.504 ms  1.039 ms  0.653 ms
  2  * * *
  3  te-2-3-ur04.romeoville.il.chicago.comcast.net (68.86.119.205)  13.648 ms  13.693 ms  13.477 ms
  4  be-70-ar01.area4.il.chicago.comcast.net (68.87.230.121)  16.598 ms  16.109 ms  15.896 ms
  5  pos-1-12-0-0-cr01.chicago.il.ibone.comcast.net (68.86.90.53)  16.631 ms  16.550 ms  16.598 ms
  6  162.97.117.41 (162.97.117.41)  21.319 ms  21.136 ms  20.932 ms
  7  Hurrican-Electric-LLC.TenGigabitEthernet1-4.ar2.SJC2.gblx.net (64.214.174.246)  74.953 ms  72.685 ms  77.759 ms
  8  10gigabitethernet1-1.core1.fmt1.he.net (72.52.92.109)  78.804 ms  76.097 ms  79.715 ms
  9  * * *
 10  * * *
 11  * * *
 12  * * *


On Jan 7, 2010, at 11:32, "Brian Johnson"  wrote:

> Has anyone noticed that accessing http://www.he.net or
> http://ipv6.he.net is either slow or inaccessible?
>
> Please let me know if you have a different experience currently.
>
> Thanks
>
> - Brian
>








"The information transmitted is intended only for the person or entity to which 
it is addressed and contains confidential and/or privileged material. If you 
received this in error, please contact the sender immediately and then destroy 
this transmission, including all attachments, without copying, distributing or 
disclosing same. Thank you."



Re: he.net down/slow?

2010-01-07 Thread Tim Burke
Can't access http://he.net from my location here in Chicago...

traceroute to he.net (216.218.186.2), 30 hops max, 40 byte packets
  1  10.65.44.1 (10.65.44.1)  2.504 ms  1.039 ms  0.653 ms
  2  * * *
  3  te-2-3-ur04.romeoville.il.chicago.comcast.net (68.86.119.205)  13.648 ms  13.693 ms  13.477 ms
  4  be-70-ar01.area4.il.chicago.comcast.net (68.87.230.121)  16.598 ms  16.109 ms  15.896 ms
  5  pos-1-12-0-0-cr01.chicago.il.ibone.comcast.net (68.86.90.53)  16.631 ms  16.550 ms  16.598 ms
  6  162.97.117.41 (162.97.117.41)  21.319 ms  21.136 ms  20.932 ms
  7  Hurrican-Electric-LLC.TenGigabitEthernet1-4.ar2.SJC2.gblx.net (64.214.174.246)  74.953 ms  72.685 ms  77.759 ms
  8  10gigabitethernet1-1.core1.fmt1.he.net (72.52.92.109)  78.804 ms  76.097 ms  79.715 ms
  9  * * *
 10  * * *
 11  * * *
 12  * * *


On Jan 7, 2010, at 11:32, "Brian Johnson"  wrote:

> Has anyone noticed that accessing http://www.he.net or
> http://ipv6.he.net is either slow or inaccessible?
>
> Please let me know if you have a different experience currently.
>
> Thanks
>
> - Brian
>




Re: qwest outage no notice

2010-01-07 Thread Bret Clark
This is one reason why companies should use twitter...great for those
impromptu emergency messages. Our electrical utility company uses
twitter and I have to admit that it's nice to know what is going on
ahead of time even if it is a short message! 

On Thu, 2010-01-07 at 10:31 -0700, Chris De Young wrote:
> Mike wrote:
> > We just had a qwest outage of about 2 mins at 1:41am pst. When I called
> > to report it I was told it was a 200+ emergency software upgrade due to
> > a security concern, and that we will get a notice later after the fact.
> 
> Hmm - I got notice in advance. I'll have to go search for the email, but it
> was sometime before Christmas, since I had it on my calendar.
> 
> -C
> 




Re: qwest outage no notice

2010-01-07 Thread Chris De Young
Mike wrote:
> We just had a qwest outage of about 2 mins at 1:41am pst. When I called
> to report it I was told it was a 200+ emergency software upgrade due to
> a security concern, and that we will get a notice later after the fact.

Hmm - I got notice in advance. I'll have to go search for the email, but it
was sometime before Christmas, since I had it on my calendar.

-C





he.net down/slow?

2010-01-07 Thread Brian Johnson
Has anyone noticed that accessing http://www.he.net or
http://ipv6.he.net is either slow or inaccessible?

Please let me know if you have a different experience currently.

Thanks

- Brian

 CONFIDENTIALITY NOTICE: This email message, including any attachments, is for 
the sole use of the
intended recipient(s) and may contain confidential and privileged information. 
Any unauthorized review,
copying, use, disclosure, or distribution is prohibited. If you are not the 
intended recipient, please
contact the sender by reply e-mail and destroy all copies of the original 
message. Thank you.



RE: qwest outage no notice

2010-01-07 Thread Richey
That should read...

Yeah, they refused to notify due to [marketing] concerns from what they


Richey



-Original Message-
From: Mike [mailto:mike-na...@tiedyenetworks.com] 
Sent: Thursday, January 07, 2010 12:04 PM
Cc: nanog@nanog.org
Subject: Re: qwest outage no notice


> Yeah, they refused to notify due to security concerns from what they 
> told me last night. Notification was performed after maintenance was 
> complete.


Ok, so the next question is, what harm would a simple advance notice of
'emergency maintenance' caused, vs the very real hassle and inconvenience
that DS3-down in the middle of the night caused for operations staff? I
personally was yanked out of bed by my network monitoring systems and had to
spend at least 5 minutes looking at logs and perf monitors and so forth so I
had enough information before making the call to qwest support, thinking we
took a hit on our fiber. Some others reported getting 7 or more hours of
advance notice - this would have been enough for me, even tho of course I
don't like it - and I suspect it could have saved many many others from a
similar fate of responding to the event so late.

Just saying "we need to do this", does not give the bad guys any ammo with
which to attack, and would go a long ways towards preventing needless heroics
such as middle of the night investigations by senior staff. The follow up
email we subsequently received was fine and we appreciated learning it
really was a necessary upgrade and seems justified now with that knowledge,
I would simply have appreciated not having to engage my emergency processes
for something that was planned.

Mike-





Re: qwest outage no notice

2010-01-07 Thread Mike


> Yeah, they refused to notify due to security concerns from what they
> told me last night. Notification was performed after maintenance was
> complete.



Ok, so the next question is, what harm would a simple advance notice of 
'emergency maintenance' caused, vs the very real hassle and 
inconvenience that DS3-down in the middle of the night caused for 
operations staff? I personally was yanked out of bed by my network 
monitoring systems and had to spend at least 5 minutes looking at logs 
and perf monitors and so forth so I had enough information before making 
the call to qwest support, thinking we took a hit on our fiber. Some 
others reported getting 7 or more hours of advance notice - this would 
have been enough for me, even tho of course I don't like it - and I 
suspect it could have saved many many others from a similar fate of 
responding to the event so late.


Just saying "we need to do this", does not give the bad guys any ammo
with which to attack, and would go a long ways towards preventing
needless heroics such as middle of the night investigations by senior 
staff. The follow up email we subsequently received was fine and we 
appreciated learning it really was a necessary upgrade and seems 
justified now with that knowledge, I would simply have appreciated not 
having to engage my emergency processes for something that was planned.


Mike-




Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-07 Thread Steven Bellovin

On Jan 6, 2010, at 11:38 PM, Joe Hamelin wrote:

> On Wed, Jan 6, 2010 at 7:19 PM, Dobbins, Roland  wrote:
>> Which goes to show that they just really don't get it when it comes to 
>> security.  Maybe they  should look here at all the entries for 'default 
>> credentials':
> 
> Roland, this isn't the home wi-fi market we're talking about.  Anyone
> that's going to buy one of these puppies is going to have a clue about
> putting their password in.

Again, look at 
http://ids.ftw.fm/Home/publications/RouterScan-RAID09-Poster.pdf?attredirects=0 
-- while consumer devices were much worse, there was a noticeable problem on 
enterprise devices and a significant problem with VoIP devices, and I suspect 
that those latter are largely enterprise-based.


--Steve Bellovin, http://www.cs.columbia.edu/~smb








Re: qwest outage no notice

2010-01-07 Thread Jack Bates

sth...@nethelp.no wrote:
> We received 7 Juniper Security Advisories today. My guess is that this
> is the reason for the Qwest outage you've seen.



Yeah, they refused to notify due to security concerns from what they 
told me last night. Notification was performed after maintenance was 
complete.



Jack



Re: rj21/centronics cable mounting

2010-01-07 Thread Joe Greco
> Dear William,
> 
> >> I'm searching "something", to secure mount/connect a rj21 cable to a 
> >> device.
> >> I have an angled plug like this:
> >> http://commons.wikimedia.org/wiki/File:RJ21-female-connector.jpg
> 
> > http://www.cisco.com/en/US/i/01-10/55001-6/55501-56000/55735.jpg
> >
> > http://www.patentstorm.us/patents/6080010/description.html
> > http://www.freepatentsonline.com/6080010.pdf
> 
> exactly
> 
> > I don't know where to get one after-market, no, but you could
> > conceivably buy some old gear and extract them.
> 
> found - keyword "was" bracket:
> http://www.connectworld.net/cgi-bin/dataw/CN50-VEL

Caution, caution...  when using those, velcro *first*, tightly, and then
attempt to wiggle/remove the connector.  It's only good when you can't
*actually* move the connector (much).  Only then should you tighten the
screw (if you're so inclined/holes allow/etc).

Personally, while I like velcro, I was not always impressed with the 
reliability of those sorts of brackets.  You can get better reliability
by taking a tie wrap base (maybe T&B TC102 or something like that) and
screwing it to the side of the socket the wire exits the plug from.
Then you screw the plug in with its one screw, and take a zip tie on
the other end, and you're very, very securely fastened without any hope
of inadvertent loosening.  This has the advantage of being visually
verifiable, rather than the "try wiggling it" method that's mandatory
with the velcro.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: rj21/centronics cable mounting

2010-01-07 Thread Robert Boyle

At 10:05 AM 1/7/2010, you wrote:
> I'm searching "something", to secure mount/connect a rj21 cable to a device.
> I have an angled plug like this:
> http://commons.wikimedia.org/wiki/File:RJ21-female-connector.jpg
>
> It can only be screwed to the device at the top side, and is "loose"
> at the down side.


Usually there is a small plastic or metal hook on the other side of 
the panel connector (opposite the screw side) which will allow you to 
use a small zip tie to secure the unscrewed side of the connector.


-Robert



"Well done is better than well said." - Benjamin Franklin




Re: rj21/centronics cable mounting

2010-01-07 Thread Ingo Flaschberger

Dear William,

>> I'm searching "something", to secure mount/connect a rj21 cable to a device.
>> I have an angled plug like this:
>> http://commons.wikimedia.org/wiki/File:RJ21-female-connector.jpg

> http://www.cisco.com/en/US/i/01-10/55001-6/55501-56000/55735.jpg
>
> http://www.patentstorm.us/patents/6080010/description.html
> http://www.freepatentsonline.com/6080010.pdf

exactly

> I don't know where to get one after-market, no, but you could
> conceivably buy some old gear and extract them.


found - keyword "was" bracket:
http://www.connectworld.net/cgi-bin/dataw/CN50-VEL

Thanks & kind regards,
Ingo Flaschberger




RE: qwest outage no notice

2010-01-07 Thread Matlock, Kenneth L
We also got email notifications about 'emergency maintenance' on our
Qwest circuits, from their notice:

Reason For Maintenance:  EMERGENCY MAINTENANCE TO IMPLEMENT A SOFTWARE 
PATCH FOR NETWORK RELIABILITY

Sure sounds like it's all related to the Juniper advisory to me.

Ken Matlock
Network Analyst
Exempla Healthcare
(303) 467-4671
matlo...@exempla.org



-Original Message-
From: JoeSox [mailto:joe...@gmail.com] 
Sent: Thursday, January 07, 2010 8:25 AM
To: nanog@nanog.org
Subject: Re: qwest outage no notice


My QWest account manager called three different people at my business
7hrs before the maintenance. Also mentioned the Juniper Security
Advisories.
-- 
Later, Joe




Re: rj21/centronics cable mounting

2010-01-07 Thread William Herrin
On Thu, Jan 7, 2010 at 10:05 AM, Ingo Flaschberger  wrote:
> I'm searching "something", to secure mount/connect a rj21 cable to a device.
> I have an angled plug like this:
> http://commons.wikimedia.org/wiki/File:RJ21-female-connector.jpg
>
> It can only be screwed to the device at the top side, and is "loose" at the
> down side.
>
> I have seen a type of "knop" at the down side and also that a "hook-and-loop
> fastener" is used over the whole plug.
> (http://www.retrevo.com/r/23018bh245/18/ADSL+RJ21+Pinouts/)
>
> Any ideas where to get this or any other ideas how to get a good connection?
> (retro-fit).

You mean like this:

http://www.cisco.com/en/US/i/01-10/55001-6/55501-56000/55735.jpg

http://www.patentstorm.us/patents/6080010/description.html
http://www.freepatentsonline.com/6080010.pdf

I don't know where to get one after-market, no, but you could
conceivably buy some old gear and extract them.

http://cgi.ebay.com/a_W0QQitemZ380184008457QQcmdZViewItemQQptZCOMP_EN_Hubs
http://cgi.ebay.com/z_W0QQitemZ280444580224QQcmdZViewItemQQptZLH_DefaultDomain_0

-Regards,
Bill Herrin

--
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004



Re: qwest outage no notice

2010-01-07 Thread JoeSox
On Thu, Jan 7, 2010 at 4:06 AM,   wrote:
>> We just had a qwest outage of about 2 mins at 1:41am pst. When I called
>> to report it I was told it was a 200+ emergency software upgrade due to
>> a security concern, and that we will get a notice later after the fact.
>> Normally we get notices in advance, even for software upgrades due to
>> security or other important issues, so I am curious if other qwest
>> customers had the same experience and whether this is how it's going to
>> be from here on in? The affected platform was juniper and I'd love to
>> know the specific case being addressed here.
>
> We received 7 Juniper Security Advisories today. My guess is that this
> is the reason for the Qwest outage you've seen.


My QWest account manager called three different people at my business
7hrs before the maintenance. Also mentioned the Juniper Security
Advisories.
-- 
Later, Joe



Re: qwest outage no notice

2010-01-07 Thread Steven Saner



On Jan 7, 2010, at 4:04 AM, Mike wrote:

> We just had a qwest outage of about 2 mins at 1:41am pst. When I
> called to report it I was told it was a 200+ emergency software
> upgrade due to a security concern, and that we will get a notice
> later after the fact. Normally we get notices in advance, even for
> software upgrades due to security or other important issues, so I am
> curious if other qwest customers had the same experience and whether
> this is how it's going to be from here on in? The affected platform
> was juniper and I'd love to know the specific case being addressed
> here.
>
> Mike-


We experienced the outage, but so far have not received any  
notifications.


Steve

--
Steven Saner 
Director of Network Operations
Hubris Communications






rj21/centronics cable mounting

2010-01-07 Thread Ingo Flaschberger

Hi,

I'm searching for "something" to securely mount/connect a rj21 cable to a 
device.

I have an angled plug like this:
http://commons.wikimedia.org/wiki/File:RJ21-female-connector.jpg

It can only be screwed to the device at the top side, and is "loose" at 
the down side.


I have seen a type of "knop" at the down side and also that a 
"hook-and-loop fastener" is used over the whole plug.

(http://www.retrevo.com/r/23018bh245/18/ADSL+RJ21+Pinouts/)

Any ideas where to get this or any other ideas how to get a good 
connection? (retro-fit).


I know, "straight" rj21 plugs would also solve the problem.

Kind regards,
ingo flaschberger

Management

crossip communications gmbh
A-1020 Wien, Sebastian Kneipp Gasse 1
Tel: +43-1-7261522-0
Fax: +43-1-726 15 22-111
www.crossip.net
___
crossip communications gmbh



Re: qwest outage no notice

2010-01-07 Thread Chris Adams
Once upon a time, Mike  said:
> We just had a qwest outage of about 2 mins at 1:41am pst. When I called 
> to report it I was told it was a 200+ emergency software upgrade due to 
> a security concern, and that we will get a notice later after the fact. 
> Normally we get notices in advance, even for software upgrades due to 
> security or other important issues, so I am curious if other qwest 
> customers had the same experience and whether this is how it's going to 
> be from here on in? The affected platform was juniper and I'd love to 
> know the specific case being addressed here.

I got 3 notices about the outage related to our 1 Qwest OC-3.

As for the Juniper security issues, see juniper-nsp archives.
-- 
Chris Adams 
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: qwest outage no notice

2010-01-07 Thread Jeremy Rossi
Given the nature of the issue from juniper I am guessing that a large number of 
companies were doing upgrades over the last few days as fast as they could. 
http://j.mp/8XaReK has the details I know of now.  

On Jan 7, 2010, at 5:14 AM, Steve Ryan wrote:

> Any other specifics?  Got a trouble ticket ID?
> 
> I'm located in the NW (Talent, Oregon, just over CA border..) and we have a 
> few customers on Qwest T1's and the like.  We also have a customer who gets 
> MPLS directly from Q.
> 
> We've yet to hear of any outages for our customers - but I suppose the night 
> is still young...
> 
> Any other information you got might be helpful..
> 
> Regards,
> 
> Steve
> 
> On 1/7/2010 2:04 AM, Mike wrote:
>> We just had a qwest outage of about 2 mins at 1:41am pst. When I called to 
>> report it I was told it was a 200+ emergency software upgrade due to a 
>> security concern, and that we will get a notice later after the fact. 
>> Normally we get notices in advance, even for software upgrades due to 
>> security or other important issues, so I am curious if other qwest customers 
>> had the same experience and whether this is how it's going to be from here on 
>> in? The affected platform was juniper and I'd love to know the specific case 
>> being addressed here.
>> 
>> Mike-
>> 
> 




RE: qwest outage no notice

2010-01-07 Thread Jason Shearer
Notices were left at the discretion of Qwest account teams.  There was no mass 
notification.

Jason

-Original Message-
From: Mike [mailto:mike-na...@tiedyenetworks.com]
Sent: Thursday, January 07, 2010 4:04 AM
To: NANOG list
Subject: qwest outage no notice

We just had a qwest outage of about 2 mins at 1:41am pst. When I called
to report it I was told it was a 200+ emergency software upgrade due to
a security concern, and that we will get a notice later after the fact.
Normally we get notices in advance, even for software upgrades due to
security or other important issues, so I am curious if other qwest
customers had the same experience and whether this is how it's going to
be from here on in? The affected platform was juniper and I'd love to
know the specific case being addressed here.

Mike-


*** NOTICE--The attached communication contains privileged and confidential 
information. If you are not the intended recipient, DO NOT read, copy, or 
disseminate this communication. Non-intended recipients are hereby placed on 
notice that any unauthorized disclosure, duplication, distribution, or taking 
of any action in reliance on the contents of these materials is expressly 
prohibited. If you have received this communication in error, please delete 
this information in its entirety and contact the Amedisys Privacy Hotline at 
1-866-518-6684. Also, please immediately notify the sender via e-mail that you 
have received this communication in error. ***



RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-07 Thread Jason Shearer
I kind of liked the way the Symantec Vraptor (piece of junk) firewalls used to 
do it.  Factory reset from the front panel, set addressing and it generates new 
passwords displayed on the LCD.

Jason




Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-07 Thread Sean Donelan

On Thu, 7 Jan 2010, Dobbins, Roland wrote:

Which goes to show that they just really don't get it when it comes to 
security.  Maybe they should look here at all the entries for 'default 
credentials':


Actually, should be 'default password'.


Default credentials may be a more generic description of the problem 
(although "default password" is a better search term).  A problem with 
default credentials is history has demonstrated even experts (i.e. 
the vendor's own technical support) aren't always certain they've 
found and changed every default credential possible on complex devices. 
It's not just the usual console access, but also snmp protocols 
public/private, http protocols admin, ldap cn=admin, postscript none, 
decnet mop, and so on.  Even if you think you know every possible 
protocol, some vendors have had the habit of adding new protocols in 
updates with their own set of defaults for new remote access protocols.


Multiple protocols, using multiple authorization sources, with defaults.

It's not a surprise why old-timers get annoyed with vendor gear with 
default remote access methods enabled before the user configured the
access credentials for the access method.  Eventually you'll get bit by 
some device, some protocol, that has something enabled without your 
knowledge.  If you require your vendors not to ship stuff with remote
access enabled by default, it's not a substitute for your own due 
diligence, but in practice it helps reduce unexpected incidents.
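
Added example, not part of the original message: one way to catch the "enabled without your knowledge" case described above is to snapshot a device's remote-access methods before and after a firmware update and flag anything enabled on factory credentials or newly switched on. The snapshot format, the sample records (including `mop` appearing after the update) and the function names are all assumptions constructed for illustration.

```python
"""Audit remote-access methods on a device before and after a firmware update."""

# Constructed snapshots (not from any real device): one access method per line as
# "<protocol> <enabled|disabled> <auth-source> <factory|changed>".
BEFORE = """\
console enabled  local      changed
snmp    enabled  community  factory
http    enabled  local      changed
ldap    disabled directory  factory
"""
# Hypothetical: the update adds a new access method with its own default.
AFTER = BEFORE + "mop     enabled  none       factory\n"

def parse(snapshot):
    """Map protocol -> (enabled, auth_source, credential_changed); reject malformed lines."""
    methods = {}
    for n, line in enumerate(snapshot.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split()
        if (len(fields) != 4 or fields[1] not in ("enabled", "disabled")
                or fields[3] not in ("factory", "changed")):
            raise ValueError(f"line {n}: cannot parse {line!r}")
        proto, state, source, cred = fields
        methods[proto] = (state == "enabled", source, cred == "changed")
    return methods

def audit(before, after):
    """Return {protocol: [findings]} for the post-update snapshot."""
    old, new = parse(before), parse(after)
    findings = {}
    for proto, (enabled, source, changed) in sorted(new.items()):
        notes = []
        if enabled and not changed:
            notes.append(f"enabled with factory credential ({source})")
        if enabled and not old.get(proto, (False,))[0]:
            notes.append("not enabled before the update")
        if notes:
            findings[proto] = notes
    return findings

if __name__ == "__main__":
    for proto, notes in audit(BEFORE, AFTER).items():
        print(f"{proto}: " + "; ".join(notes))
```
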




Re: qwest outage no notice

2010-01-07 Thread sthaug
> We just had a qwest outage of about 2 mins at 1:41am pst. When I called 
> to report it I was told it was a 200+ emergency software upgrade due to 
> a security concern, and that we will get a notice later after the fact. 
> Normally we get notices in advance, even for software upgrades due to 
> security or other important issues, so I am curious if other qwest 
> customers had the same experience and whether this is how it's going to 
> be from here on in? The affected platform was juniper and I'd love to 
> know the specific case being addressed here.

We received 7 Juniper Security Advisories today. My guess is that this
is the reason for the Qwest outage you've seen.

Steinar Haug, Nethelp consulting, sth...@nethelp.no




Re: qwest outage no notice

2010-01-07 Thread Steve Ryan

Any other specifics?  Got a trouble ticket ID?

I'm located in the NW (Talent, Oregon, just over CA border..) and we 
have a few customers on Qwest T1's and the like.  We also have a 
customer who gets MPLS directly from Q.


We've yet to hear of any outages for our customers - but I suppose the 
night is still young...


Any other information you got might be helpful..

Regards,

Steve

On 1/7/2010 2:04 AM, Mike wrote:
> We just had a qwest outage of about 2 mins at 1:41am pst. When I 
> called to report it I was told it was a 200+ emergency software 
> upgrade due to a security concern, and that we will get a notice later 
> after the fact. Normally we get notices in advance, even for software 
> upgrades due to security or other important issues, so I am curious if 
> other qwest customers had the same experience and whether this is how 
> it's going to be from here on in? The affected platform was juniper 
> and I'd love to know the specific case being addressed here.
>
> Mike-





qwest outage no notice

2010-01-07 Thread Mike
We just had a qwest outage of about 2 mins at 1:41am pst. When I called 
to report it I was told it was a 200+ emergency software upgrade due to 
a security concern, and that we will get a notice later after the fact. 
Normally we get notices in advance, even for software upgrades due to 
security or other important issues, so I am curious if other qwest 
customers had the same experience and whether this is how it's going to 
be from here on in? The affected platform was juniper and I'd love to 
know the specific case being addressed here.


Mike-



RE: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-07 Thread Nathan Eisenberg
Matthew Palmer [mpal...@hezmatt.org]
> To be fair, he was just asking about factory resetting the device because
> the current password was unknown, then reconfiguring the device (I'm willing
> to be generous and assume that the reconfiguration included setting a new,
> secure password).

Thank you - You're correct.  The administration and security of these devices 
is hardly magic - but one has to be able to access them in order to secure 
them.  The devices haven't even left my hotel room for the production site, and 
you would already be SOL if you didn't have access to either the 
(management interface AND the Very Long Password) or the (reset button AND the 
management interface AND (the default password)).  

Dobbins, Roland [rdobb...@arbor.net]
> Which goes to show that they just really don't get it when it comes to
> security.  

So are you specifically opposed to globally default passwords, or are you 
opposed to being able to reset a device to factory defaults and somehow get 
into the device?  Because while I still maintain there's no real security issue 
with the former (if there is, there's a bigger issue), all that I'm really gung 
ho for is the ability to get into a piece of equipment I need to operate, even 
if I don't have credentials to it.  

Nothing grinds my gears more than equipment that has to be thrown out because 
there is no recovery mechanism.  I frankly don't much care if the default 
password on my WWP LE427 is 'wwp' or 
'wwp[serial-number-which-is-printed-on-the-back]' - as long as I can get it so 
I can get in and change it, I'm happy.

Steven Bellovin [...@cs.columbia.edu]
> And we all suffer from p0wned devices, because they
> get turned into bots.  Roland is 100% right.

Eh... I think this is confusing cause and effect.  We all suffer, but the fact 
that a device is compromised because of a default password is, at the root of 
the chain, the result of a faulty Operator.  Why was the password left at 
default?  Why was it possible to access the management interface to utilize the 
default password?  I would argue that the solution is to replace or modify the 
defective operator, rather than replacing, eliminating, or modifying the tool 
they misused.

Joe Hamelin [...@nethead.com]
> I've been in training with the WWP folks for the last two days (VERY
> GOOD TRAINING, BTW!) and they got quite a chuckle out of this thread.

Are they still around, or are they Ciena employees?  My understanding was that 
they were completely acquired.

> If you got some serious layer 2 stuff to do, these boxes have a really
> interesting architecture and some trick features (unix type shell, for
> one.)

Yep, they're rock solid devices.  Every deployment I've seen of them has worked 
very well.  Ciena certainly got a good deal out of buying them!  I'm actually 
not sure how much of the WWP gear is still manufactured.

Thank you all again for helping me sort out what the factory default WWP 
passwords are so that I can now have a secure and documented deployment out 
here!  I've received a couple offers of technical assistance from WWP veterans 
that I may well take up moving forward.

Best Regards,
Nathan Eisenberg



Re: Default Passwords for World Wide Packets/Lightning Edge Equipment

2010-01-07 Thread Bjørn Mork
"Jeffrey I. Schiller"  writes:

> An option I saw years ago (I forgot on whose equipment) was a default
> password which was a function of the equipment's serial number. So you
> had to have the algorithm and you needed the serial number which was not
> related to the MAC. So if you didn't have physical access, you were not
> in a good position to learn the password.
>
> I suspect this was a support nightmare for the vendor and I bet they
> went to a more standard (read: the same) factory password.

Another class of devices, but the Compaq OOM management cards for
servers ("RILOE") used to do this.  Really nice when the serial number
is placed on a sticker on a PCI card...  You would usually have to shut
down the server and pull out the card to read the sticker.  Unless it
had fallen off.  Did I mention that the cards had a number of stickers
with similar numbers on them with no indication which was the real
serial number?

Well, I'm not going to claim this was the reason why there is no Compaq
anymore, but it must have cost them *a lot* in support and frustrated
users.  For what possible gain?  It was still a default password, just a
tiny bit more obscure. 



Bjørn