Re: Router for Metro Ethernet

2010-04-12 Thread Mikael Abrahamsson

On Mon, 12 Apr 2010, Jeffrey Negro wrote:


In our case I believe we would be dealing with just static routes and a
few lines of ACL.  Do you think the routing protocols are your largest resource
usage in your scenario, or is it also just simple routing as well?


Get a used 3550 or a new 3400ME or something. Sounds like you'll get by 
just fine using an L3 switch.


--
Mikael Abrahamsson    email: swm...@swm.pp.se



Re: Router for Metro Ethernet

2010-04-12 Thread Owen DeLong
I stand corrected on the Mikrotik... Apparently, while not well documented, they
do, indeed support IPv6 and their Wiki even includes tunnel configuration
information.

Apologies to Mikrotik (and some encouragement to add this to your main-line
documentation).


Owen

On Apr 12, 2010, at 8:56 PM, Frank Bulk wrote:

> We run a 3845 at over 300 Mbps and it's less than 50% CPU, most times less
> than 30%.  No BGP, just OSPF.
> 
> Frank
> 
> -Original Message-
> From: Bill Stewart [mailto:nonobvi...@gmail.com] 
> Sent: Monday, April 12, 2010 1:27 PM
> To: nanog@nanog.org
> Subject: Re: Router for Metro Ethernet
> 
> On Mon, Apr 12, 2010 at 10:55 AM, Dylan Ebner 
> wrote:
>> However, this router also has 2 100mb connections from local LANs that it
> is also terminating.
>> For our 100mb metro e connections we use 3845s. The 100 mb service
> terminates into NM-GEs, which have a faster throughput than the HWICs.
> 
> Be careful using 3845s for 100 Mbps connections or above - Cisco rates
> them at 45 Mbps (and 3825 at half of that) but last time I checked
> doesn't make any promises at faster than T3.  They're being
> conservative about it, but one thing that really can burn the
> horsepower is traffic shaping, which you need with some MetroE
> carriers.
> 
> 
> -- 
> 
> Thanks; Bill
> 
> Note that this isn't my regular email account - It's still experimental so
> far.
> And Google probably logs and indexes everything you send it.
> 
> 




RE: Router for Metro Ethernet

2010-04-12 Thread Frank Bulk
We run a 3845 at over 300 Mbps and it's less than 50% CPU, most times less
than 30%.  No BGP, just OSPF.

Frank

-Original Message-
From: Bill Stewart [mailto:nonobvi...@gmail.com] 
Sent: Monday, April 12, 2010 1:27 PM
To: nanog@nanog.org
Subject: Re: Router for Metro Ethernet

On Mon, Apr 12, 2010 at 10:55 AM, Dylan Ebner 
wrote:
> However, this router also has 2 100mb connections from local LANs that it
is also terminating.
> For our 100mb metro e connections we use 3845s. The 100 mb service
terminates into NM-GEs, which have a faster throughput than the HWICs.

Be careful using 3845s for 100 Mbps connections or above - Cisco rates
them at 45 Mbps (and 3825 at half of that) but last time I checked
doesn't make any promises at faster than T3.  They're being
conservative about it, but one thing that really can burn the
horsepower is traffic shaping, which you need with some MetroE
carriers.


-- 

 Thanks; Bill

Note that this isn't my regular email account - It's still experimental so
far.
And Google probably logs and indexes everything you send it.





Re: Mikrotik RouterOS

2010-04-12 Thread Jorge Amodio
On Mon, Apr 12, 2010 at 3:28 PM, Jake Khuon  wrote:
> On Mon, 2010-04-12 at 21:48 +0200, Grzegorz Janoszka wrote:
>> On 12-4-2010 21:44, Gustavo Santos wrote:
>> > It was an old bug that had been fixed for a while.
>>
>> You should still keep in mind Mikrotik is just Linux, with all its
>> (dis)advantages, plus some scripts and weird CLI.
>
> That's like saying that a Juniper is just FreeBSD with a bunch of
> scripts and a weird CLI.

Yes but it has a fantastic and reliable power supply !!

Cheers
Jorge



Re: Router for Metro Ethernet

2010-04-12 Thread Owen DeLong
Yes, but, according to the Mikrotik web site they appear to be obsolete
and incapable of routing IPv6.

Owen

On Apr 12, 2010, at 10:32 AM, Dennis Burgess wrote:

> a PowerRouter at http://www.mikrotikrouter.com can handle several
> hundred meg without issues.  
> 
> ---
> Dennis Burgess, CCNA, Mikrotik Certified Trainer, MTCNA, MTCRE, MTCWE,
> MTCTCE, MTCUME 
> Link Technologies, Inc -- Mikrotik & WISP Support Services
> Office: 314-735-0270 Website: http://www.linktechs.net
> LIVE On-Line Mikrotik Training - Author of "Learn RouterOS"
> 
> 
> -Original Message-
> From: Jeffrey Negro [mailto:jne...@billtrust.com] 
> Sent: Monday, April 12, 2010 12:29 PM
> To: nanog@nanog.org
> Subject: Router for Metro Ethernet
> 
> Before I get taken for a ride by salespeople, I figured it would be best
> to ask the experts of Nanog.
> 
> My company is currently in talks to bring an ethernet circuit into our
> headquarters, initially committing around 40Mbps.  The ISP will be
> providing ethernet handoff, but I do not want their managed router
> offering (Adtran 4430) since it is pricey, non-redundant and I'd rather
> manage it myself.  My question is about hardware.  Can I assume that I
> can use something like a Cisco 2000 series router with two built-in
> fast/gig ethernet ports, without a WIC?  And since both sides are
> ethernet, would the routing throughput be near fast ethernet speed?
> This is my first dealing with metro ethernet offerings, and I don't want
> to assume that the Cisco throughput rates listed for T1/ADSL etc. are
> the same for a metro ethernet as the WAN.
> 
> Any and all suggestions on the hardware would be greatly appreciated.
> Thank you in advance!




Re: Mikrotik RouterOS

2010-04-12 Thread Persio Pucci
I've been considering RouterOS boxes for my "less important" POPs that are
candidates to be promoted to MPLS-enabled POPs, although I am still a
little skeptical about it. Still doing some lab trials with it, but have not
deployed it yet besides as a CE router. The reason is that I've run into
problems with it going haywire for no apparent reason as CE, lowering my
confidence in the box and keeping it a little longer in the test bed.

It would be nice to hear more experiences with this little box-that-could in
MPLS environments.


On Mon, Apr 12, 2010 at 9:56 PM, gordon b slater wrote:

> On Mon, 2010-04-12 at 16:06 -0400, James Jones wrote:
> > Kind of... RouterOS supports MPLS, Linux does not.
>
> It could (unfortunately) be a while before a full Linux implementation
> of MPLS gains enough speed; it's very much out on the fringe of what
> Linux "does daily". This means that getting enough developers, free time
> to develop and equipment to test with seems to be quite a steep problem
> right now.
>
> Likewise the FreeBSD MPLS effort, though this seems to be more like
> familiar territory for BSD-heads, but, as ever, funding and equipment
> are sorely needed.
>
> If anyone (I'm thinking of the bigger players) could lend a hand,
> loan/ship out a box, or offer a few test boxes out onto the cloud (by
> arrangement), the lack of MPLS on BSD and Linux machines could probably
> be rectified a little quicker.
> Or maybe someone has a tiny pot of cash to sponsor some "bounty"
> development?
>
> back onto the main topic...
>
> +1 for routerOS, but never needed MPLS in my encounters with it.
>
> I have to say the Mikrotiks do nothing (in my world, that is) that I
> couldn't do with half an hour and similar (but very slightly beefier)
> hardware and a generic/minimal BSD or Linux install, but given the
> price, I'd be a fool to DIY if I need to hand over to others, erm,
> well, shall we say, `less interested` at the end of the day.
> It earns an extra Kibo Cookie for that, certainly.
>
> Gord
> --
> | * error 34 * | auto-sig could find no relevant content for the message
> text | please change to previous tape to continue searching or enable
> FidoNet searching
>
>
>


Re: Mikrotik RouterOS

2010-04-12 Thread gordon b slater
On Mon, 2010-04-12 at 16:06 -0400, James Jones wrote:
> Kind of... RouterOS supports MPLS, Linux does not.

It could (unfortunately) be a while before a full Linux implementation
of MPLS gains enough speed; it's very much out on the fringe of what
Linux "does daily". This means that getting enough developers, free time
to develop and equipment to test with seems to be quite a steep problem
right now.

Likewise the FreeBSD MPLS effort, though this seems to be more like
familiar territory for BSD-heads, but, as ever, funding and equipment
are sorely needed.

If anyone (I'm thinking of the bigger players) could lend a hand,
loan/ship out a box, or offer a few test boxes out onto the cloud (by
arrangement), the lack of MPLS on BSD and Linux machines could probably
be rectified a little quicker.
Or maybe someone has a tiny pot of cash to sponsor some "bounty"
development?

back onto the main topic...

+1 for routerOS, but never needed MPLS in my encounters with it.

I have to say the Mikrotiks do nothing (in my world, that is) that I
couldn't do with half an hour and similar (but very slightly beefier)
hardware and a generic/minimal BSD or Linux install, but given the
price, I'd be a fool to DIY if I need to hand over to others, erm,
well, shall we say, `less interested` at the end of the day.
It earns an extra Kibo Cookie for that, certainly.

Gord
--
| * error 34 * | auto-sig could find no relevant content for the message
text | please change to previous tape to continue searching or enable
FidoNet searching




Re: ARIN IP6 policy for those with legacy IP4 Space

2010-04-12 Thread Seth Mattinen
On 4/9/10 5:27 AM, Joe Greco wrote:
> 
> ARIN might not have a contract with us, or with other legacy holders.
> It wasn't our choice for ARIN to be tasked with holding up InterNIC's
> end of things.  However, it's likely that they've concluded that they
> better do so, because if they don't, it'll probably turn into a costly
> legal battle on many fronts, and I doubt ARIN has the budget for that.
> 
> As a legacy holder, we don't really care who is currently "responsible"
> for legacy maintenance/etc.  However, whoever it is, if they're not
> going to take on those responsibilities, that's a problem.
> 
> The previous poster asked, "If you don't have a contract with ARIN, 
> why should ARIN provide you with anything?"
> 
> Well, the flip side to that is, "ARIN doesn't have a contract with us,
> but we still have copies of the InterNIC policies under which we were
> assigned space, and ARIN undertook those duties, so ARIN is actually 
> the one with significant worries if they were to try to pull anything,
> otherwise, we don't really care."
> 


What do those InterNIC policies say about getting IPv6 space?

If nothing, expect nothing. If something, hold them to it.

~Seth



Please do not respond to Dean and CC the NANOG list

2010-04-12 Thread Patrick W. Gilmore
[SNIP]

Richard, and anyone else who missed the last dozen or more times this has been 
discussed:

The NANOG list would appreciate if people who are sent Dean's private missives 
do not "reply all" and CC the list.  Those who were not CC'ed personally (and 
do not filter Dean) do not see his posts.  You are helping him circumvent that 
block.

Thank you.

-- 
TTFN,
patrick




Re: FCC dealt major blow in net neutrality ruling favoring, Comcast

2010-04-12 Thread Richard Bennett
   Thanks for pointing that out.
   RB
   On 4/12/2010 2:06 PM, Stonix Farstone wrote:

   On Mon, Apr 12, 2010 at 2:42 PM, Richard Bennett
   <rich...@bennett.com> wrote:

 One of the things I like about e-mail lists is learning things about
 myself that I never knew before, especially regarding my occupation.
 For the last 9 months or so I've been working part-time with a
 Washington think tank in an analyst capacity, not as a lobbyist, and
 not on the Comcast payroll. My views about Internet regulation
 precede this job and haven't been altered by it. For purposes of the
 present discussion, I'd rather be known as the guy who wrote the
 first IEEE 802 standard for Ethernet over twisted pair, or designed
 the Wi-Fi MAC protocol, or the DRP for UWB, or something like that.

   You might want to ring up the IEEE and get them to fix their egregious
   omission of your name as the designer of the Wi-Fi MAC protocol.
   http://standards.ieee.org/getieee802/download/802.11-2007.pdf

   Participants

   At the time the draft of this revision was sent to sponsor ballot, the
   IEEE 802.11 Working Group had the following officers:

   Stuart J. Kerry, Chair Al Petrick, Vice-Chair and Treasurer Harry R.
   Worstell, Vice-Chair Tim Godfrey, Secretary Nanci Vogtli, Publicity
   Standing Committee Teik-Kheong Tan, Chair, Wireless Next Generation
   Standing Committee Terry L. Cole and Simon Barber, Technical Editors

   Richard H. Paine, Chair, Task Group k Bruce P. Kraemer, Chair, Task
   Group n Sheung Li, Vice-Chair, Task Group n Lee Armstrong, Chair, Task
   Group p Clint Chaplin, Chair, Task Group r Donald E. Eastlake III,
   Chair, Task Group s Charles R. Wright, Chair, Task Group t Stephen
   McCann, Chair, Task Group u Pat R. Calhoun, Chair, Task Group v Jesse
   Walker, Chair, Task Group w Peter Ecclesine, Chair, Contention-Based
   Protocol Study Group

   When the IEEE 802.11 Working Group approved this revision, Task Group m
   had the following membership:

   Bernard D. Aboba Osama S. Aboul-Magd Santosh P. Abraham Tomoko Adachi
   Jonathan R. Agre Jon Adams Carlos H. Aldana Thomas Alexander Areg
   Alimian Keith Amann Veera Anantha Merwyn B. Andrade Carl F. Andren
   Scott Andrews David C. Andrus Hidenori Aoki Tsuguhide Aoki Michimasa
   Aramaki Takashi Aramaki Sirikiat Lek Ariyavisitakul Lee R. Armstrong
   Larry Arnett Yusuke Asai Arthur W. Astrin Malik Audeh Geert A. Awater
   David Bagby Michael Bahr Dennis J. Baker

   Robert O'Hara, Chair Terry L. Cole, Editor

   Ramanathan Balachander Simon Barber Richard N. Barnwell John R. Barr

   Kevin M. Barry Charles R. Bartel Burak H. Baysal John L. Benko Mathilde
   Benveniste Don Berry

   Nehru Bhandaru Yogesh B. Bhatt Bjorn A. Bjerke Simon Black Scott Blue

   Jan Boer Herve Bonneville William M. Brasier Alistair G. Buttar Pat R.
   Calhoun Nancy Cam-Winget Necati Canpolat Bill Carney Pat Carson Broady
   B. Cash RongFeng Chang Clint F. Chaplin Amalavoyal Chari James Chen

   Jeng-Hong Chen Shiuh Chen Ye Chen Yi-Ming Chen Alexander L. Cheng Hong
   Cheng

   Greg L. Chesson Aik Chindapol Sunghyun Choi Won-Joon Choi Liwen Chu
   Dong-Ming Chuang Ken Clements

   John T. Coffey W. Steven Conner Charles I. Cook Kenneth Cook Steven
   Crowley Marc de Courville Rolf J. De Vegt Sabine Demel Yoshiharu Doi
   Brett L. Douglas Baris B. Dundar Chris Durand Roger P. Durand Sebastien
   Dure Yaron Dycian Donald E. Eastlake Peter Ecclesine


   Richard Eckard Jonathan P. Edney Bruce Edwards John Egan Stephen P.
   Emeott Marc Emmelmann Darwin Engwer Joseph Epstein Patrik Eriksson
   Mustafa Eroz Andrew X. Estrada Christoph Euscher Stefano M. Faccin John
   C. Fakatselis Lars P. Falk

   Steve W. Fantaske Michael Faulkner Paul H. Feinberg Alex Feldman
   Matthew J. Fischer Wayne K. Fisher Michael D. Foegelle Brian Ford

   Guido Frederiks Benoit Fremont Takashi Fukagawa Hiroshi Furukawa James
   Gardner Monisha Ghosh James P. K. Gilb Jeffrey M. Gilbert Tim Godfrey
   Sandesh Goel Wataru Gohda Sudheer Grandhi Gordon P. Gray Paul K. Gray
   Larry Green Daqing Gu Srikanth Gumamdi David Gurevich Fred Haisch
   Robert J. Hall

   Neil N. Hamady Seishi Hanaoka Christopher J. Hansen James J. Harford
   Daniel N. Harkins Brian D. Hart

   Chris Hartman Thomas Haslestad Amer A. Hassan Vann (William) Hasty
   James P. Hauser Yutaka Hayakawa Shigenori Hayase Kevin V. Hayes
   Haixiang He

   David J. Hedberg Robert F. Heile Gregory Scott Henderson Eleanor
   Hepworth

   Frans M. Hermodsson

   Karl F. Heubaum Odagiri Hideaki Guido R. Hiertz Garth D. Hillman
   Christopher S. Hinsz Michael M. Hoghooghi Allen Hollister Hooman Honary
   William D. Horne Henry Horng Yungping A. Hsu David Hunter Muhammad Z.
   Ikram Daichi Imamura Yasuhiko Inoue Kazuhito Ishida Takashi Ishidoshiro
   Takumi Ito

   Lakshmi Iyer Eric A. Jacobsen Marc Jalf

Re: FCC dealt major blow in net neutrality ruling favoring, Comcast

2010-04-12 Thread Stonix Farstone
On Mon, Apr 12, 2010 at 2:42 PM, Richard Bennett wrote:

> One of the things I like about e-mail lists is learning things about myself
> that I never knew before, especially regarding my occupation. For the last 9
> months or so I've been working part-time with a Washington think tank in an
> analyst capacity, not as a lobbyist, and not on the Comcast payroll. My
> views about Internet regulation precede this job and haven't been altered by
> it. For purposes of the present discussion, I'd rather be known as the guy
> who wrote the first IEEE 802 standard for Ethernet over twisted pair, or
> designed the Wi-Fi MAC protocol, or the DRP for UWB, or something like that.


You might want to ring up the IEEE and get them to fix their egregious
omission of your name as the designer of the Wi-Fi MAC protocol.

http://standards.ieee.org/getieee802/download/802.11-2007.pdf

*Participants*

At the time the draft of this revision was sent to sponsor ballot, the IEEE
802.11 Working Group had the following officers:

*Stuart J. Kerry*, *Chair **Al Petrick*, *Vice-Chair and Treasurer **Harry
R. Worstell*, *Vice-Chair **Tim Godfrey*, *Secretary **Nanci Vogtli*,
*Publicity
Standing Committee **Teik-Kheong Tan*, *Chair, Wireless Next Generation
Standing Committee **Terry L. Cole *and *Simon Barber*, *Technical Editors*

*Richard H. Paine*, *Chair, Task Group k **Bruce P. Kraemer*, *Chair, Task
Group n **Sheung Li*, *Vice-Chair, Task Group n **Lee Armstrong*, *Chair,
Task Group p **Clint Chaplin*, *Chair, Task Group r **Donald E. Eastlake III
*, *Chair, Task Group s **Charles R. Wright*, *Chair, Task Group t **Stephen
McCann*, *Chair, Task Group u **Pat R. Calhoun*, *Chair, Task Group v **Jesse
Walker*, *Chair, Task Group w **Peter Ecclesine*, *Chair, Contention-Based
Protocol Study Group*

When the IEEE 802.11 Working Group approved this revision, Task Group m had
the following membership:

Bernard D. Aboba Osama S. Aboul-Magd Santosh P. Abraham Tomoko Adachi
Jonathan R. Agre Jon Adams Carlos H. Aldana Thomas Alexander Areg Alimian
Keith Amann Veera Anantha Merwyn B. Andrade Carl F. Andren Scott Andrews
David C. Andrus Hidenori Aoki Tsuguhide Aoki Michimasa Aramaki Takashi
Aramaki Sirikiat Lek Ariyavisitakul Lee R. Armstrong Larry Arnett Yusuke
Asai Arthur W. Astrin Malik Audeh Geert A. Awater David Bagby Michael Bahr
Dennis J. Baker

*Robert O’Hara*, *Chair **Terry L. Cole*, *Editor*

Ramanathan Balachander Simon Barber Richard N. Barnwell John R. Barr

Kevin M. Barry Charles R. Bartel Burak H. Baysal John L. Benko Mathilde
Benveniste Don Berry

Nehru Bhandaru Yogesh B. Bhatt Bjorn A. Bjerke Simon Black Scott Blue

Jan Boer Herve Bonneville William M. Brasier Alistair G. Buttar Pat R.
Calhoun Nancy Cam-Winget Necati Canpolat Bill Carney Pat Carson Broady B.
Cash RongFeng Chang Clint F. Chaplin Amalavoyal Chari James Chen

Jeng-Hong Chen Shiuh Chen Ye Chen Yi-Ming Chen Alexander L. Cheng Hong Cheng

Greg L. Chesson Aik Chindapol Sunghyun Choi Won-Joon Choi Liwen Chu
Dong-Ming Chuang Ken Clements

John T. Coffey W. Steven Conner Charles I. Cook Kenneth Cook Steven Crowley
Marc de Courville Rolf J. De Vegt Sabine Demel Yoshiharu Doi Brett L.
Douglas Baris B. Dundar Chris Durand Roger P. Durand Sebastien Dure Yaron
Dycian Donald E. Eastlake Peter Ecclesine


Richard Eckard Jonathan P. Edney Bruce Edwards John Egan Stephen P. Emeott
Marc Emmelmann Darwin Engwer Joseph Epstein Patrik Eriksson Mustafa Eroz
Andrew X. Estrada Christoph Euscher Stefano M. Faccin John C. Fakatselis
Lars P. Falk

Steve W. Fantaske Michael Faulkner Paul H. Feinberg Alex Feldman Matthew J.
Fischer Wayne K. Fisher Michael D. Foegelle Brian Ford

Guido Frederiks Benoit Fremont Takashi Fukagawa Hiroshi Furukawa James
Gardner Monisha Ghosh James P. K. Gilb Jeffrey M. Gilbert Tim Godfrey
Sandesh Goel Wataru Gohda Sudheer Grandhi Gordon P. Gray Paul K. Gray Larry
Green Daqing Gu Srikanth Gumamdi David Gurevich Fred Haisch Robert J. Hall

Neil N. Hamady Seishi Hanaoka Christopher J. Hansen James J. Harford Daniel
N. Harkins Brian D. Hart

Chris Hartman Thomas Haslestad Amer A. Hassan Vann (William) Hasty James P.
Hauser Yutaka Hayakawa Shigenori Hayase Kevin V. Hayes Haixiang He

David J. Hedberg Robert F. Heile Gregory Scott Henderson Eleanor Hepworth

Frans M. Hermodsson

Karl F. Heubaum Odagiri Hideaki Guido R. Hiertz Garth D. Hillman Christopher
S. Hinsz Michael M. Hoghooghi Allen Hollister Hooman Honary William D. Horne
Henry Horng Yungping A. Hsu David Hunter Muhammad Z. Ikram Daichi Imamura
Yasuhiko Inoue Kazuhito Ishida Takashi Ishidoshiro Takumi Ito

Lakshmi Iyer Eric A. Jacobsen Marc Jalfon KyungHun Jang Yuh-Ren Jauh Ho-In
J. Jeon Taehyun Jeon Jorjeta G. Jetcheva Lusheng Ji Yung-Yih Jian Jari E.
Jokela VK Jones Bobby Jose Avinash Joshi Tyan-Shu Jou Carl W. Kain Naveen K.
Kakani Srinivas Kandala Shantanu Kangude Jeyhan Karaoguz Kevin J. Karcz
Pankaj R. Karni

Re: ARIN IP6 policy for those with legacy IP4 Space

2010-04-12 Thread Gordon Cook
David, in 1997 and 1998 I was spending about 25% of my time interviewing the 
principals and engaged in informal conversations with Ira Magaziner, Kim 
Hubbard, Don Mitchell and others.  I was in London in late Jan 1998 when Jon 
tried to redirect the root.  Magaziner was there and Daniel Karrenberg and 
others.  We did an entire day on these issues.

In addition to my published record, I have extensive electronic archives 
related to the maneuverings in the founding of ARIN.  Should it come to a court 
case I believe that ARIN will come through court fine and I trust that I will be 
able to assist the people involved in determining who did what to whom when and 
for what reasons.

Steve Wolff will remember attending with me a late afternoon meeting with 
Magaziner in Ira's office in mid-December 1997 on the day that Ira took Jon to 
lunch and announced to Jon that he had put together funding to carry the IANA 
activities through Oct 1 of 1998 and the founding of newco.

Don Mitchell is Mr. "cooperative agreement."  I am quite confident that what 
John Curran is saying below is solid.  Don did yeoman's work in ensuring the 
birth and independence of ARIN.

=
The COOK Report on Internet Protocol, 609 882-2572 (PSTN) 609 403-2067 (mjack) 
Back Issues: 
http://www.cookreport.com/index.php?option=com_docman&task=cat_view&gid=37&Itemid=61
  
 Cook's Collaborative Edge Blog http://gordoncook.net/wp/   Subscription info: 
http://www.cookreport.com/index.php?option=com_content&view=article&id=54&Itemid=65
=






On Apr 12, 2010, at 2:36 PM, David Conrad wrote:

> John,
> 
> On Apr 12, 2010, at 5:23 AM, John Curran wrote:
>> On this matter we do agree, since allocations prior to ARIN's formation were 
>> generally made pursuant to a US Government contract or cooperative 
>> agreement.  
> 
> As we're both aware, Jon was funded in part via the ISI Teranode Network 
> Technologies project. Folks who were directly involved have told me that 
> IANA-related activities weren't even identified in the original contracts 
> until the mid- to late-90s (around the time when lawsuits were being thrown 
> at Jon because of the domain name wars -- odd coincidence, that) when the 
> IANA activities were codified as "Task 4".  IANAL, but it seems a bit of a 
> stretch to me for ARIN to assert policy control over resources allocated 
> prior to ARIN's existence without any sort of documentation that explicitly 
> lists that policy control in ARIN's predecessor (ever).  Like I said, it'll 
> be an interesting court case.
> 
> Regards,
> -drc
> 
> 
> 
> 




Re: FCC dealt major blow in net neutrality ruling favoring, Comcast

2010-04-12 Thread James Downs


On Apr 12, 2010, at 1:05 PM, Richard Bennett wrote:


 You're speculating that ITIF gets funding from Comcast, and therefore


If only the ITIF released information about their funding sources.

So, does Comcast contribute funds or otherwise sponsor ITIF?
Does Google, Intel, or Microsoft?

Cheers,
-j



Re: Mikrotik RouterOS

2010-04-12 Thread Jake Khuon
On Mon, 2010-04-12 at 21:48 +0200, Grzegorz Janoszka wrote:
> On 12-4-2010 21:44, Gustavo Santos wrote:
> > It was an old bug that had been fixed for a while.
> 
> You should still keep in mind Mikrotik is just Linux, with all its 
> (dis)advantages, plus some scripts and weird CLI.

That's like saying that a Juniper is just FreeBSD with a bunch of
scripts and a weird CLI.


-- 
/*=[ Jake Khuon  ]=+
 | Packet Plumber, Network Engineers /| / [~ [~ |) | |  |
 | for Effective Bandwidth Utilisation  / |/  [_ [_ |) |_| NETWORKS |   
 +==*/





RE: Mikrotik RouterOS

2010-04-12 Thread Dennis Burgess
Most of the major features of RouterOS are not "Linux" native apps
anymore.  Back in v2.9 this was the case, i.e. the proxy server was
Squid, and OSPF was again done the same way, using a Linux app.  However,
especially in v3 and v4, as well as now v5, MikroTik has really made
their own system.

Not wishing to go into what is better, the key here is that they have a
super small footprint, and their hardware (for the cost) can't be beat.
A sub 20-40 meg MPLS router with 5 ports for $40 USD.  7200VXR
replacements for under 1500.  Other than that, they primarily focus on
Ethernet/Fiber/Wireless hardware, with virtually no legacy WAN interfaces
anymore.
  

---
Dennis Burgess, CCNA, Mikrotik Certified Trainer, MTCNA, MTCRE, MTCWE,
MTCTCE, MTCUME 
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270 Website: http://www.linktechs.net
LIVE On-Line Mikrotik Training - Author of "Learn RouterOS"


-Original Message-
From: James Jones [mailto:ja...@freedomnet.co.nz] 
Sent: Monday, April 12, 2010 3:07 PM
To: nanog@nanog.org
Subject: Re: Mikrotik RouterOS

Kind of... RouterOS supports MPLS, Linux does not.


On 4/12/10 3:48 PM, Grzegorz Janoszka wrote:
> On 12-4-2010 21:44, Gustavo Santos wrote:
>> It was an old bug that had been fixed for a while.
>
> You should still keep in mind Mikrotik is just Linux, with all its 
> (dis)advantages, plus some scripts and weird CLI.
>




Re: Mikrotik RouterOS

2010-04-12 Thread James Jones

Kind of... RouterOS supports MPLS, Linux does not.


On 4/12/10 3:48 PM, Grzegorz Janoszka wrote:

On 12-4-2010 21:44, Gustavo Santos wrote:

It was an old bug that had been fixed for a while.


You should still keep in mind Mikrotik is just Linux, with all its 
(dis)advantages, plus some scripts and weird CLI.






Re: Router for Metro Ethernet

2010-04-12 Thread Franck Martin
http://www.vyatta.com/ ?



Re: FCC dealt major blow in net neutrality ruling favoring, Comcast

2010-04-12 Thread Richard Bennett
   You're speculating that ITIF gets funding from Comcast, and therefore
   guessing I'm singing Comcast's song. But you don't know whether Comcast
   actually is an ITIF sponsor, just as you don't know whether Google,
   Intel, and Microsoft are ITIF sponsors. And then you're speculating
   again regarding the relationships between sponsors and fellows.
   Paul, it's obvious you don't know what you're talking about re:
   Internet regulation policy or the nature of DC think tanks, so why
   don't you just STFU rather than embarrass yourself further?
   RB
   On 4/12/2010 12:08 PM, Paul WALL wrote:

On Mon, Apr 12, 2010 at 2:42 PM, Richard Bennett <rich...@bennett.com> wrote:

One of the things I like about e-mail lists is learning things about myself
that I never knew before, especially regarding my occupation. For the last 9
months or so I've been working part-time with a Washington think tank in an
analyst capacity, not as a lobbyist, and not on the Comcast payroll.

You neglected to mention that the "think tank" (where I'm from in
Houston, we call them lobbies) is funded by Comcast, among other big
cable/telecom players.

Drive Slow,
Paul Wall


RE: Mikrotik RouterOS

2010-04-12 Thread Dennis Burgess
It runs the Linux kernel, 'bout it anymore!  A few existing Linux apps,
but super clean CLI, easy to use, awesome GUI.  ;)  Heck, the whole OS
runs within 64 meg of disk space if you wanted it to!

---
Dennis Burgess, CCNA, Mikrotik Certified Trainer, MTCNA, MTCRE, MTCWE,
MTCTCE, MTCUME 
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270 Website: http://www.linktechs.net
LIVE On-Line Mikrotik Training - Author of "Learn RouterOS"


-Original Message-
From: Grzegorz Janoszka [mailto:grzeg...@janoszka.pl] 
Sent: Monday, April 12, 2010 2:49 PM
To: nanog list
Subject: Re: Mikrotik RouterOS

On 12-4-2010 21:44, Gustavo Santos wrote:
> It was an old bug that had been fixed for a while.

You should still keep in mind Mikrotik is just Linux, with all its 
(dis)advantages, plus some scripts and weird CLI.

-- 
Grzegorz Janoszka




Re: Mikrotik RouterOS

2010-04-12 Thread Grzegorz Janoszka

On 12-4-2010 21:44, Gustavo Santos wrote:

It was an old bug that had been fixed for a while.


You should still keep in mind Mikrotik is just Linux, with all its 
(dis)advantages, plus some scripts and weird CLI.


--
Grzegorz Janoszka



RE: Mikrotik RouterOS

2010-04-12 Thread Dennis Burgess
As it said, it was twofold: one, the MT allowed it, and two, the Ciscos
crashed with it!

---
Dennis Burgess, CCNA, Mikrotik Certified Trainer, MTCNA, MTCRE, MTCWE,
MTCTCE, MTCUME 
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270 Website: http://www.linktechs.net
LIVE On-Line Mikrotik Training - Author of "Learn RouterOS"


-Original Message-
From: Gustavo Santos [mailto:gustkil...@gmail.com] 
Sent: Monday, April 12, 2010 2:44 PM
To: Adrian Minta
Cc: nanog@nanog.org
Subject: Re: Mikrotik RouterOS

It was an old bug that had been fixed for a while.

2010/4/12 Adrian Minta 

> James Jones wrote:
>
>>
>> I am currently looking at using RouterOS as a way to build a Metro
>> Ethernet solution. Does anyone have experience with the device and
the
>> OS? How is the performance? Are there any "Gotchas"?
>>
>>
>> -James
>>
>>
>>  Be careful not to crash the whole internet:
> http://www.renesys.com/blog/2009/02/longer-is-not-better.shtml
>
>
>
>
>


-- 

Gustavo Santos
Analista de Redes
-Cisco Certified Network Associate
-Juniper Certified Internet Associate - ER
-Mikrotik Certified Consultant



Re: Mikrotik RouterOS

2010-04-12 Thread Gustavo Santos
It was an old bug that had been fixed for a while.

2010/4/12 Adrian Minta 

> James Jones wrote:
>
>>
>> I am currently looking at using RouterOS as a way to build a Metro
>> Ethernet solution. Does anyone have experience with the device and the
>> OS? How is the performance? Are there any "Gotchas"?
>>
>>
>> -James
>>
>>
>>  Be careful not to crash the whole internet:
> http://www.renesys.com/blog/2009/02/longer-is-not-better.shtml
>
>
>
>
>


-- 

Gustavo Santos
Analista de Redes
-Cisco Certified Network Associate
-Juniper Certified Internet Associate - ER
-Mikrotik Certified Consultant


Re: FCC dealt major blow in net neutrality ruling favoring, Comcast

2010-04-12 Thread David Andersen
On Apr 12, 2010, at 3:08 PM, Paul WALL wrote:

> On Mon, Apr 12, 2010 at 2:42 PM, Richard Bennett  wrote:
>> One of the things I like about e-mail lists is learning things about myself
>> that I never knew before, especially regarding my occupation. For the last 9
>> months or so I've been working part-time with a Washington think tank in an
>> analyst capacity, not as a lobbyist, and not on the Comcast payroll.
> 
> You neglected to mention that the "think tank" (where I'm from in
> Houston, we call them lobbies) is funded by Comcast, among other big
> cable/telecom players.

In fairness to the ITIF (his current employer), they're well-respected in 
their core area, studying innovation policy.  I've seen some of the work done 
by Rob Atkinson (full disclosure:  Rob is currently visiting my university 
giving a talk), and it's good.

That said, I strongly dislike Richard's M.O. of trying to stir up hornets' 
nests by playing the fool/troll in order to get NANOG and other venues to do 
his job for him, and I hope this statement doesn't come across as a defense 
of that.  I've already plonked him.



  -Dave





Re: Mikrotik RouterOS

2010-04-12 Thread Adrian Minta

James Jones wrote:


I am currently looking at using RouterOS as a way to build a Metro
Ethernet solution. Does anyone have experience with the device and the
OS? How is the performance? Are there any "Gotchas"?


-James



Be careful not to crash the whole internet:
http://www.renesys.com/blog/2009/02/longer-is-not-better.shtml






Re: Router for Metro Ethernet

2010-04-12 Thread Jon Lewis

On Mon, 12 Apr 2010, Jeffrey Negro wrote:


In our case I believe we would be dealing with just static routes and a
few lines of ACL.  Do you think the routing protocols are your largest resource
usage in your scenario, or is it also just simple routing as well?


If your needs are simple IP routing + simple ACL, but you want line rate 
ethernet, a layer 3 switch might make sense.



--
--
 Jon Lewis   |  I route
 Senior Network Engineer |  therefore you are
 Atlantic Net|
_ http://www.lewis.org/~jlewis/pgp for PGP public key_




Re: FCC dealt major blow in net neutrality ruling favoring, Comcast

2010-04-12 Thread Paul WALL
On Mon, Apr 12, 2010 at 2:42 PM, Richard Bennett  wrote:
> One of the things I like about e-mail lists is learning things about myself
> that I never knew before, especially regarding my occupation. For the last 9
> months or so I've been working part-time with a Washington think tank in an
> analyst capacity, not as a lobbyist, and not on the Comcast payroll.

You neglected to mention that the "think tank" (where I'm from in
Houston, we call them lobbys) is funded by Comcast, among other big
cable/telecom players.

Drive Slow,
Paul Wall



RE: Router for Metro Ethernet

2010-04-12 Thread Dylan Ebner
Traffic shaping and EIGRP eat a lot.  Inspection is huge as well. I have no idea 
what the new zone-based firewalling will do to a 2800, but after seeing it on 
an 1800, I know it will not be pretty.  Static ACLs should be easy if they are 
not really large. I wouldn't go out and grab the new Cymru bogon list, that 
would kill you.
The problem is the router CAN do these things, but if you want any management 
on the back end you get in trouble. Things like NBAR and NetFlow are incredibly 
important, but the router cannot handle all these services and the routing 
protocols and the traffic. If you are not doing NBAR or NetFlow today, that 
doesn't mean you won't in the near future. I have been finding that getting a 
router that is too small puts you in a precarious position at times. You can 
either know where your traffic is going and have a router that drops packets, 
or you can run blind knowing that all those unmonitored packets are getting 
through.




Dylan Ebner, Network Engineer
Consulting Radiologists, Ltd.
1221 Nicollet Mall, Minneapolis, MN 55403
ph. 612.573.2236 fax. 612.573.2250
dylan.eb...@crlmed.com
www.consultingradiologists.com

From: Jeffrey Negro [mailto:jne...@billtrust.com]
Sent: Monday, April 12, 2010 1:26 PM
To: Dylan Ebner
Cc: nanog@nanog.org
Subject: Re: Router for Metro Ethernet

In our case I believe we would be dealing with just static routes and a few 
lines of ACL.  Do you think the routing protocols are your largest resource 
usage in your scenario, or is it also just simple routing as well?


Jeffrey Negro, Network Engineer
Billtrust - Improving Your Billing, Improving Your Business
www.billtrust.com
609.235.1010 x137


On Mon, Apr 12, 2010 at 1:55 PM, Dylan Ebner 
mailto:dylan.eb...@crlmed.com>> wrote:
We use metro E for our WAN and our internet access delivery. The 2600 series 
routers do not have enough horsepower to do a 40 Mb connection and EIGRP. The 
2811 can do 40 Mb and EIGRP but they start to have difficulty when you add in 
inspection or large ACLs. We just last week turned a 40 Mb metro E circuit into a 
60 Mb and the router, a 2811, is now having constant problems. We are replacing it 
with a 2921. However, this router also has 2 100 Mb connections from local LANs 
that it is also terminating. For our 100 Mb metro E connections we use 3845s. 
The 100 Mb service terminates into NM-GEs, which have a faster throughput than 
the HWICs. This setup works well.
On our internet edges we use 2811s with their memory maxed. We have partial BGP 
routes from 2 ISPs. One connection is a 30 Mb and the other is a 25 Mb. No 
inspection is done on these but we do have stateless ACLs running on the 
inbound. These are running just fine today, but they sit at about 20% CPU all 
the time.
When doing a metro E connection, make sure the router/switch can do traffic 
shaping. If it can't, you are relying on the provider to shape your outgoing 
traffic, which of course will happen down the line, adding additional delay 
during high usage times.

You should also look at the new Cisco small metro switches. They can traffic 
shape, do BGP and have more than one interface. One of the annoying things about 
metro E (at least with Qwest) is they have a tendency to install new PE 
switches at your locations when you upgrade your service. This means a new 
connection from them, and unless you have extra fiber or copper ports on your 
router, to transition to the new circuit you need to unplug your existing 
service first. And that means downtime, which no one likes.



Dylan


-Original Message-
From: Jeffrey Negro [mailto:jne...@billtrust.com]
Sent: Monday, April 12, 2010 12:29 PM
To: nanog@nanog.org
Subject: Router for Metro Ethernet
Before I get taken for a ride by salespeople, I figured it would be best to
ask the experts of Nanog

My company is currently in talks to bring an ethernet circuit into our
headquarters, initially committing around 40Mbps.  The ISP will be providing
ethernet handoff, but I do not want their managed router offering (Adtran
4430) since it is pricey, non-redundant and I'd rather manage it myself.  My
question is about hardware.  Can I assume that I can use something like a
Cisco 2000 series router with two built in fast/gig ethernet ports, without
a WIC?  and since both sides are ethernet would the routing throughput be
near fast ethernet speed?  This is my first dealing with metro ethernet
offerings, and I don't want to assume that the Cisco throughput rates listed
for T1/ADSL etc. are the same for a metro ethernet as the WAN.

Any and all suggestions on the hardware would be greatly appreciated.  Thank
you in advance!



Mikrotik RouterOS

2010-04-12 Thread James Jones


I am currently looking at using RouterOS as a way to build a Metro
Ethernet solution. Does anyone have experience with the device and the
OS? How is the performance? Are there any "Gotchas"?


-James




RE: Router for Metro Ethernet

2010-04-12 Thread Jason Gurtz
> question is about hardware.  Can I assume that I can use something like a
> Cisco 2000 series router with two built in fast/gig ethernet ports,
> without a WIC?

For Cisco, check out the ME3400 series of switches.  Be sure to look at
the IOS licensing carefully to see if the features you need are there.

~JasonG




Re: FCC dealt major blow in net neutrality ruling favoring, Comcast

2010-04-12 Thread Eric Brunner-Williams
On 4/12/10 2:42 PM, Richard Bennett wrote:
> ... the guy who wrote the first IEEE 802 standard for
> Ethernet over twisted pair ...

I'm certain that's who you are. Hell, what I do for CORE means I'm an
ICANN lobbyist when I'm not writing code, and I'd prefer to be the guy
who wrote XPG/1 and XPG/4.2 (Single Unix Specification to those on
Redmond shared fate devices).

Eric



Re: FCC dealt major blow in net neutrality ruling favoring, Comcast

2010-04-12 Thread Richard Bennett
One of the things I like about e-mail lists is learning things about 
myself that I never knew before, especially regarding my occupation. For 
the last 9 months or so I've been working part-time with a Washington 
think tank in an analyst capacity, not as a lobbyist, and not on the 
Comcast payroll. My views about Internet regulation precede this job and 
haven't been altered by it. For purposes of the present discussion, I'd 
rather be known as the guy who wrote the first IEEE 802 standard for 
Ethernet over twisted pair, or designed the Wi-Fi MAC protocol, or the 
DRP for UWB, or something like that.


As Suresh notes, the idea that the FCC overstepped its bounds in the 
Comcast order is hardly controversial. It's not even a matter of opinion 
any more, as the decision written by the most liberal judge on the 3rd 
Circuit, David Tatel, means it's the law. The debate about how to 
regulate the Internet is now premised on the fact that the old rationale 
doesn't hold up to scrutiny, so deal with it.


RB

On 4/11/2010 11:23 PM, Suresh Ramasubramanian wrote:

On Mon, Apr 12, 2010 at 11:41 AM, Paul WALL  wrote:

It should probably be noted, for purpose of establishing bias, that
Richard is a Washington lobbyist, hired to represent Comcast on
regulatory matters.  What he views as overstepping legal bounds,
others may view as protecting consumers...

Hell, funnily enough Susan Crawford warned at the time that the FCC
action wouldn't stand up in court the way it was done.

http://www.circleid.com/posts/comcast_vs_the_fcc_a_reply_to_susan_crawfords_article/

--srs


--
Richard Bennett
Research Fellow
Information Technology and Innovation Foundation
Washington, DC




Re: ARIN IP6 policy for those with legacy IP4 Space

2010-04-12 Thread David Conrad
John,

On Apr 12, 2010, at 5:23 AM, John Curran wrote:
> On this matter we do agree, since allocations prior to ARIN's formation were 
> generally made pursuant to a US Government contract or cooperative agreement. 
>  

As we're both aware, Jon was funded in part via the ISI Teranode Network 
Technologies project. Folks who were directly involved have told me that 
IANA-related activities weren't even identified in the original contracts until 
the mid- to late-90s (around the time when lawsuits were being thrown at Jon 
because of the domain name wars -- odd coincidence, that) when the IANA 
activities were codified as "Task 4".  IANAL, but it seems a bit of a stretch 
to me for ARIN to assert policy control over resources allocated prior to 
ARIN's existence without any sort of documentation that explicitly lists that 
policy control in ARIN's predecessor (ever).  Like I said, it'll be an 
interesting court case.

Regards,
-drc





Re: Router for Metro Ethernet

2010-04-12 Thread Kevin Loch

Jeffrey Negro wrote:

In our case I believe we would be dealing with just static routes and a
few lines of ACL. 


In that case a linux/FreeBSD router would work great.

- Kevin



Re: Router for Metro Ethernet

2010-04-12 Thread Bill Stewart
On Mon, Apr 12, 2010 at 10:55 AM, Dylan Ebner  wrote:
> However, this router also has 2 100mb connections from local lans that it is 
> also terminating.
> For our 100mb metro e connections we use 3845s. The 100 mb service terminates 
> into NM-GEs, which have a faster throughput than the hwics.

Be careful using 3845s for 100 Mbps connections or above - Cisco rates
them at 45 Mbps (and 3825 at half of that) but last time I checked
doesn't make any promises at faster than T3.  They're being
conservative about it, but one thing that really can burn the
horsepower is traffic shaping, which you need with some MetroE
carriers.


-- 

 Thanks; Bill

Note that this isn't my regular email account - It's still experimental so far.
And Google probably logs and indexes everything you send it.



Re: Router for Metro Ethernet

2010-04-12 Thread Jeffrey Negro
In our case I believe we would be dealing with just static routes and a
few lines of ACL.  Do you think the routing protocols are your largest resource
usage in your scenario, or is it also just simple routing as well?


Jeffrey Negro, Network Engineer
Billtrust - Improving Your Billing, Improving Your Business
www.billtrust.com
609.235.1010 x137



On Mon, Apr 12, 2010 at 1:55 PM, Dylan Ebner  wrote:

> We use metro E for our WAN and our internet access delivery. The 2600
> series routers do not have enough horsepower to do a 40 Mb connection and
> EIGRP. The 2811 can do 40 Mb and EIGRP but they start to have difficulty
> when you add in inspection or large ACLs. We just last week turned a 40 Mb
> metro E circuit into a 60 Mb and the router, a 2811, is now having constant
> problems. We are replacing it with a 2921. However, this router also has 2
> 100 Mb connections from local LANs that it is also terminating. For our
> 100 Mb metro E connections we use 3845s. The 100 Mb service terminates into
> NM-GEs, which have a faster throughput than the HWICs. This setup works
> well.
> On our internet edges we use 2811s with their memory maxed. We have partial
> BGP routes from 2 ISPs. One connection is a 30 Mb and the other is a 25 Mb.
> No inspection is done on these but we do have stateless ACLs running on the
> inbound. These are running just fine today, but they sit at about 20% CPU
> all the time.
> When doing a metro E connection, make sure the router/switch can do traffic
> shaping. If it can't, you are relying on the provider to shape your outgoing
> traffic, which of course will happen down the line, adding additional delay
> during high usage times.
>
> You should also look at the new Cisco small metro switches. They can
> traffic shape, do BGP and have more than one interface. One of the annoying
> things about metro E (at least with Qwest) is they have a tendency to install
> new PE switches at your locations when you upgrade your service. This means
> a new connection from them, and unless you have extra fiber or copper ports
> on your router, to transition to the new circuit you need to unplug your
> existing service first. And that means downtime, which no one likes.
>
>
>
> Dylan
>
>
> -Original Message-
> From: Jeffrey Negro [mailto:jne...@billtrust.com]
> Sent: Monday, April 12, 2010 12:29 PM
> To: nanog@nanog.org
> Subject: Router for Metro Ethernet
>
> Before I get taken for a ride by salespeople, I figured it would be best to
> ask the experts of Nanog
>
> My company is currently in talks to bring an ethernet circuit into our
> headquarters, initially committing around 40Mbps.  The ISP will be providing
> ethernet handoff, but I do not want their managed router offering (Adtran
> 4430) since it is pricey, non-redundant and I'd rather manage it myself.  My
> question is about hardware.  Can I assume that I can use something like a
> Cisco 2000 series router with two built in fast/gig ethernet ports, without
> a WIC?  and since both sides are ethernet would the routing throughput be
> near fast ethernet speed?  This is my first dealing with metro ethernet
> offerings, and I don't want to assume that the Cisco throughput rates listed
> for T1/ADSL etc. are the same for a metro ethernet as the WAN.
>
> Any and all suggestions on the hardware would be greatly appreciated.  Thank
> you in advance!
>
>


Re: Router for Metro Ethernet

2010-04-12 Thread Christopher J. Pilkington
On Mon, Apr 12, 2010 at 05:55:29PM +, Dylan Ebner wrote:
> also terminating. For our 100mb metro e connections we use
> 3845s. The 100 mb service terminates into NM-GEs, which have a

FWIW, we made the mistake of going for 3825s on a 50Mb/s policed
GigE.  Running GRE/IPSec (AIM-VPN'd) and QoS, the boxes go to
100% CPU in the vicinity of 40Mb/s.

-cjp



RE: Router for Metro Ethernet

2010-04-12 Thread Dylan Ebner
We use metro E for our WAN and our internet access delivery. The 2600 series 
routers do not have enough horsepower to do a 40 Mb connection and EIGRP. The 
2811 can do 40 Mb and EIGRP but they start to have difficulty when you add in 
inspection or large ACLs. We just last week turned a 40 Mb metro E circuit into a 
60 Mb and the router, a 2811, is now having constant problems. We are replacing it 
with a 2921. However, this router also has 2 100 Mb connections from local LANs 
that it is also terminating. For our 100 Mb metro E connections we use 3845s. 
The 100 Mb service terminates into NM-GEs, which have a faster throughput than 
the HWICs. This setup works well. 
On our internet edges we use 2811s with their memory maxed. We have partial BGP 
routes from 2 ISPs. One connection is a 30 Mb and the other is a 25 Mb. No 
inspection is done on these but we do have stateless ACLs running on the 
inbound. These are running just fine today, but they sit at about 20% CPU all 
the time.
When doing a metro E connection, make sure the router/switch can do traffic 
shaping. If it can't, you are relying on the provider to shape your outgoing 
traffic, which of course will happen down the line, adding additional delay 
during high usage times.

You should also look at the new Cisco small metro switches. They can traffic 
shape, do BGP and have more than one interface. One of the annoying things about 
metro E (at least with Qwest) is they have a tendency to install new PE 
switches at your locations when you upgrade your service. This means a new 
connection from them, and unless you have extra fiber or copper ports on your 
router, to transition to the new circuit you need to unplug your existing 
service first. And that means downtime, which no one likes.

 

Dylan


-Original Message-
From: Jeffrey Negro [mailto:jne...@billtrust.com] 
Sent: Monday, April 12, 2010 12:29 PM
To: nanog@nanog.org
Subject: Router for Metro Ethernet

Before I get taken for a ride by salespeople, I figured it would be best to
ask the experts of Nanog

My company is currently in talks to bring an ethernet circuit into our
headquarters, initially committing around 40Mbps.  The ISP will be providing
ethernet handoff, but I do not want their managed router offering (Adtran
4430) since it is pricey, non-redundant and I'd rather manage it myself.  My
question is about hardware.  Can I assume that I can use something like a
Cisco 2000 series router with two built in fast/gig ethernet ports, without
a WIC?  and since both sides are ethernet would the routing throughput be
near fast ethernet speed?  This is my first dealing with metro ethernet
offerings, and I don't want to assume that the Cisco throughput rates listed
for T1/ADSL etc. are the same for a metro ethernet as the WAN.

Any and all suggestions on the hardware would be greatly appreciated.  Thank
you in advance!




RE: Router for Metro Ethernet

2010-04-12 Thread Murphy, Jay, DOH
Jeffrey,

We have deployed metro Ethernet in our network... some things to consider:

1) Is metro Ethernet available end to end, if not will you utilize MPLS?
2) We've deployed Juniper EX3200s, Cisco has great solutions as well... for 
example 2800 series router. We use Cisco as well.
3) Metro Ethernet is available in increments up to 1G, aka 1000 Mbps, so I would 
explore cost solutions for scalability and future proofing.
4) Benchmark tests revealed near wire speed... however, this is contingent upon 
region, carrier, provider, locale, etc.
5) It's quick. We use it and it works!

Hope this sheds some light.

~Jay Murphy 
IP Network Specialist
NM State Government
IT Services Division
PSB – IP Network Management Center
Santa Fé, New México 87505 

"We move the information that moves your world." 
“Good engineering demands that we understand what we’re doing and why, keep an 
open mind, and learn from experience.”
“Engineering is about finding the sweet spot between what's solvable and what 
isn't."
   Radia Perlman
 Please consider the environment before printing e-mail


-Original Message-
From: Jeffrey Negro [mailto:jne...@billtrust.com] 
Sent: Monday, April 12, 2010 11:29 AM
To: nanog@nanog.org
Subject: Router for Metro Ethernet

Before I get taken for a ride by salespeople, I figured it would be best to
ask the experts of Nanog

My company is currently in talks to bring an ethernet circuit into our
headquarters, initially committing around 40Mbps.  The ISP will be providing
ethernet handoff, but I do not want their managed router offering (Adtran
4430) since it is pricey, non-redundant and I'd rather manage it myself.  My
question is about hardware.  Can I assume that I can use something like a
Cisco 2000 series router with two built in fast/gig ethernet ports, without
a WIC?  and since both sides are ethernet would the routing throughput be
near fast ethernet speed?  This is my first dealing with metro ethernet
offerings, and I don't want to assume that the Cisco throughput rates listed
for T1/ADSL etc. are the same for a metro ethernet as the WAN.

Any and all suggestions on the hardware would be greatly appreciated.  Thank
you in advance!







RE: Router for Metro Ethernet

2010-04-12 Thread Dennis Burgess
A PowerRouter at http://www.mikrotikrouter.com can handle several
hundred meg without issues.  

---
Dennis Burgess, CCNA, Mikrotik Certified Trainer, MTCNA, MTCRE, MTCWE,
MTCTCE, MTCUME 
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270 Website: http://www.linktechs.net
LIVE On-Line Mikrotik Training - Author of "Learn RouterOS"


-Original Message-
From: Jeffrey Negro [mailto:jne...@billtrust.com] 
Sent: Monday, April 12, 2010 12:29 PM
To: nanog@nanog.org
Subject: Router for Metro Ethernet

Before I get taken for a ride by salespeople, I figured it would be best to
ask the experts of Nanog

My company is currently in talks to bring an ethernet circuit into our
headquarters, initially committing around 40Mbps.  The ISP will be providing
ethernet handoff, but I do not want their managed router offering (Adtran
4430) since it is pricey, non-redundant and I'd rather manage it myself.  My
question is about hardware.  Can I assume that I can use something like a
Cisco 2000 series router with two built in fast/gig ethernet ports, without
a WIC?  and since both sides are ethernet would the routing throughput be
near fast ethernet speed?  This is my first dealing with metro ethernet
offerings, and I don't want to assume that the Cisco throughput rates listed
for T1/ADSL etc. are the same for a metro ethernet as the WAN.

Any and all suggestions on the hardware would be greatly appreciated.  Thank
you in advance!



Router for Metro Ethernet

2010-04-12 Thread Jeffrey Negro
Before I get taken for a ride by salespeople, I figured it would be best to
ask the experts of Nanog

My company is currently in talks to bring an ethernet circuit into our
headquarters, initially committing around 40Mbps.  The ISP will be providing
ethernet handoff, but I do not want their managed router offering (Adtran
4430) since it is pricey, non-redundant and I'd rather manage it myself.  My
question is about hardware.  Can I assume that I can use something like a
Cisco 2000 series router with two built in fast/gig ethernet ports, without
a WIC?  and since both sides are ethernet would the routing throughput be
near fast ethernet speed?  This is my first dealing with metro ethernet
offerings, and I don't want to assume that the Cisco throughput rates listed
for T1/ADSL etc. are the same for a metro ethernet as the WAN.

Any and all suggestions on the hardware would be greatly appreciated.  Thank
you in advance!


Re: Seeking Amazon EC2 abuse contact

2010-04-12 Thread Larry Sheldon
On 4/12/2010 11:51, Erik L wrote:
> Many thanks again to the large number of off-list responses. After
> making human contact, the issue was very promptly resolved by Amazon
> and a gentleman there has promised to look into the error on the
> abuse form as well.

And people say talk of routing their traffic to 600-ohm resistors
doesn't do any good.


-- 
Somebody should have said:
A democracy is two wolves and a lamb voting on what to have for dinner.

Freedom under a constitutional republic is a well armed lamb contesting
the vote.

Requiescas in pace o email
Ex turpi causa non oritur actio
Eppure si rinfresca

ICBM Targeting Information:  http://tinyurl.com/4sqczs
http://tinyurl.com/7tp8ml





RE: Seeking Amazon EC2 abuse contact

2010-04-12 Thread Erik L
Many thanks again to the large number of off-list responses. After making human 
contact, the issue was very promptly resolved by Amazon and a gentleman there 
has promised to look into the error on the abuse form as well. 

Erik

From: Mark Scholten [m...@streamservice.nl]
Sent: Monday, April 12, 2010 9:39 AM
To: Erik L; 'Michael J McCafferty'
Cc: nanog@nanog.org
Subject: RE: Seeking Amazon EC2 abuse contact

Hello Erik,

Do you care to share the IP address? So everyone could update their
firewalls to block the attacks? Even only blocking known SIP ports (5060)
could be a good idea.

With kind regards,

Mark Scholten

> -Original Message-
> From: Erik L [mailto:erik_l...@caneris.com]
> Sent: Monday, April 12, 2010 3:05 PM
> To: Michael J McCafferty
> Cc: nanog@nanog.org
> Subject: RE: Seeking Amazon EC2 abuse contact
>
> Michael,
>
> I've received numerous off-list responses yesterday. Most of them were
> asking if I've made contact with anyone there as they were being
> attacked as well. One gentleman who works at AWS (but not EC2 abuse)
> promised to forward my e-mail to them. I've also been reading the
> asterisk-users list where many have reported attacks from Amazon EC2 as
> well over the past few days.
>
> At one point we were seeing 197 SIP brute force attempts per second
> against a customer's box. The intensity in terms of bandwidth is low,
> but if you do the math, you can see that this isn't the point.
>
> This morning I received an e-mail from Amazon which was basically the
> same as the one you received. The attack is still on-going and I've
> still not made contact with a human at Amazon.
>
> Erik
>
>
>
> > -Original Message-
> > From: Michael J McCafferty [mailto:m...@m5computersecurity.com]
> > Sent: April 12, 2010 05:16
> > To: Erik L
> > Cc: nanog@nanog.org
> > Subject: Re: Seeking Amazon EC2 abuse contact
> >
> > Erik,
> > We have several customers being attacked from the same EC2 instance
> > on their network for 2 full days now. Contacted them at
> > ec2-ab...@amazon.com and 25 hours later received a message that
> > basically said, "Yep, we can confirm that a customer of ours is
> > attacking you but that's their fault. We sometimes do stuff, but not
> > in this case. Please don't block us, because the IP might be someone
> > else later. Have a nice day".
> > The telephone number in the WHOIS record goes to a general voicemail
> > box for their legal department.
> > A few of our customers who are being attacked by this same instance
> > at EC2 have also contacted Amazon, and were told essentially the same
> > thing.
> > While I appreciate that they sent a response, I do not appreciate its
> > uselessness.
> > Anyone over there at AWS that can do something willing to reply to me
> > directly?
> >
> > Thanks!
> > Mike
> >
> >
> > On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote:
> > > Could someone from Amazon EC2 please contact me off-list regarding
> > > an abuse issue from one of their IPs? Alternatively, could someone
> > > please send me the contact details of someone there?
> > >
> > > E-mailing the abuse e-mail listed in WHOIS per their instructions,
> > > including all pertinent data, results in an auto-reply indicating
> > > to use a form on their site. Submitting the form results in "There
> > > has been an error while submitting your data. Please try again
> > > later." Calling their supposed NOC (as per WHOIS) results in "You
> > > have reached the legal department at Amazon...please leave a
> > > message".
> > >
> > > Thanks
> > >
> > --
> > 
> > Michael J. McCafferty
> > Principal
> > M5 Hosting
> > http://www.m5hosting.com
> >
> > You can have your own custom Dedicated Server up and running today !
> > RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more
> > 
> >
> >
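
The attack Erik and Michael describe above (a single EC2 host running SIP
registration brute force at close to 200 attempts per second) is the kind of
thing you can pick up from the PBX logs before the abuse desk answers. The block
below is an added example for this thread, not code from any of the posts or
from Asterisk or Amazon: it parses Asterisk chan_sip "Registration from ...
failed" NOTICE lines, counts failures per source address over a sliding window,
and emits nftables rules that drop SIP from the offending /32 only, which is the
narrow block Mark Scholten asked for rather than a block on the whole provider.
The log lines are constructed inside the block in that Asterisk shape and use
RFC 5737 documentation addresses; the threshold and window are assumptions.

```python
"""SIP registration brute-force detector with per-source rate counting.

Added example for this thread; it is not code from the NANOG posts or from
Amazon/Asterisk. The log lines are constructed here in the shape of Asterisk
chan_sip NOTICE messages, and the addresses are RFC 5737 documentation ranges
rather than any real EC2 instance.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Asterisk-style failed-registration line, e.g.
# [Apr 12 10:15:00] NOTICE[2310] chan_sip.c: Registration from
#   '"1000"<sip:1000@198.51.100.7>' failed for '203.0.113.9:5060' - No matching peer found
SIP_FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>[0-9.]+)(?::\d+)?' - (?P<reason>.+)$"
)


def parse_line(line):
    """Return (timestamp, source_ip, reason) for a failed SIP registration, else None."""
    m = SIP_FAIL_RE.match(line)
    if not m:
        return None
    # Asterisk omits the year; strptime fills in 1900, which is fine for deltas.
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    return ts, m.group("ip"), m.group("reason")


def find_offenders(lines, threshold=20, window=timedelta(seconds=10)):
    """Sliding-window count of failures per source IP.

    Returns {ip: peak_failures_in_window} for every source that reached
    `threshold` failures inside any `window`. Lines are expected in log order.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, _reason = parsed
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:       # drop attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def nft_rules(offenders, port=5060):
    """One nftables drop rule per offending /32 on the SIP port only, so the
    rest of the provider's address space keeps working."""
    return [
        f"nft add rule inet filter input ip saddr {ip} udp dport {port} drop"
        for ip in sorted(offenders)
    ]


def constructed_log():
    """Constructed sample: 25 failures in 5 s from one host, 3 slow ones from another."""
    base = datetime(2010, 4, 12, 10, 15, 0)
    lines = ["[Apr 12 10:14:59] VERBOSE[2310] -- Registered SIP '100' at 198.51.100.50:5060"]
    for i in range(25):
        t = (base + timedelta(milliseconds=200 * i)).strftime("%b %d %H:%M:%S")
        lines.append(
            f"[{t}] NOTICE[2310] chan_sip.c: Registration from "
            f"'\"{1000 + i}\"<sip:{1000 + i}@198.51.100.7>' failed for "
            f"'203.0.113.9:5060' - No matching peer found"
        )
    for i in range(1, 4):   # a real user fat-fingering a password once a minute
        t = (base + timedelta(minutes=i)).strftime("%b %d %H:%M:%S")
        lines.append(
            f"[{t}] NOTICE[2310] chan_sip.c: Registration from "
            f"'\"200\"<sip:200@198.51.100.7>' failed for "
            f"'198.51.100.20' - Wrong password"
        )
    return lines


if __name__ == "__main__":
    hits = find_offenders(constructed_log())
    print(hits)
    for rule in nft_rules(hits):
        print(rule)
```

Run it against the real log with `find_offenders(open("/var/log/asterisk/messages"))`
and pipe the rules to a shell; the window and threshold should be tuned so that a
user mistyping a password a few times never trips them, which is why the slow
source in the sample is not flagged.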




Re: Solar Flux

2010-04-12 Thread James Downs


On Apr 12, 2010, at 5:37 AM, todd glassey wrote:

Barbie is "geek girl" or "Engineer Barbie" the idea that being a geek is
offensive may have finally been put to death as it should have 20 years ago.


Of course, Joel used the word "nerd", so..

So, does anyone actually talk about networks on nanog anymore?

-j



Re: Carrier class email security recommendation

2010-04-12 Thread Suresh Ramasubramanian
Scale it all.  Then manage it centrally. Provision users. Manage
security.  etc etc.

You use much the same IOS whether you run a router for a T1 or run
networks for a tier 1 :)

On Mon, Apr 12, 2010 at 9:51 PM, joel jaeggli  wrote:
>
> I build basically the same mail-system whether it is collapsed into a single box
> or spread out across a cluster.
>
> sendmail + clamav milter + milter graylist -> procmail -> spamd -> maildir
> delivery -> dovecot imap.
>
> When you need to scale the front end you deploy a load balancer and fire up
> more smtp boxes...
>
> When you need to scale the filestore you move it to nfs and divide and
> conquer.
>
> When you need to scale imap you shift it in front of the load balancer and
> deploy more boxes.
>
> For load balancer we used LVS back in the day.
>
> can replace sendmail with postfix or exim, it's mostly a place to hang the
> various on-connect filter regimes.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Carrier class email security recommendation

2010-04-12 Thread joel jaeggli

On 4/12/2010 10:22 AM, Suresh Ramasubramanian wrote:

The man did say "carrier class" .. not "small webhost for four
families and dog".   You're talking multiple mailservers + filtering
gateways / appliances etc, clustered .. rather tough to do that with
one pizzabox 1U running a linux that's not updated in years and
configured with webmin.


I build basically the same mail-system whether it is collapsed into a single 
box or spread out across a cluster.


sendmail + clamav milter + milter graylist -> procmail -> spamd -> 
maildir delivery -> dovecot imap.


When you need to scale the front end you deploy a load balancer and fire 
up more smtp boxes...


When you need to scale the filestore you move it to nfs and divide and 
conquer.


When you need to scale imap you shift it in front of the load balancer 
and deploy more boxes.


For load balancer we used LVS back in the day.

can replace sendmail with postfix or exim, it's mostly a place to hang 
the various on-connect filter regimes.



And have you used / deployed any of those devices to claim they don't
support NTP?  Or whether that's a bigger constraint than an
underpowered linux box? :)

On Mon, Apr 12, 2010 at 7:48 PM, todd glassey  wrote:

Yes William, but realize that was an "easiest method" solution. There
are any number of others as well.

The point is that integrating an appliance type functionality is pretty
easy if you bother to take the time.

What I really wanted to point out is how many of the devices dont allow
authenticated NTP meaning they are worthless from an evidence
perspective, something that we as network engineers are constrained by
as well.
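
The "milter graylist" stage in Joel's pipeline above is the one piece of that
chain whose logic is small enough to show in full. The block below is an added
example for this thread, not Joel's setup or milter-greylist's own code: it
implements the greylisting decision on the (client network, envelope sender,
envelope recipient) triplet, issuing a temporary failure on the first attempt,
accepting a retry after the delay, and remembering the triplet afterwards. The
delay, expiry and whitelist times, and matching clients by /24 or /64 so an
MTA farm retrying from a neighbouring host still passes, are assumptions
chosen for the example; the sample attempts in `demo()` are constructed and use
documentation addresses.

```python
"""Greylisting decision logic of the kind a milter-greylist stage implements.

Added example for this thread; it is not the poster's setup or any project's
code. Real MTAs retry on a 4xx reply; most spam cannons do not, which is the
whole trick. Timings and the /24 and /64 client masks are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "accept"


@dataclass
class Greylist:
    delay: timedelta = timedelta(minutes=5)        # minimum wait before a retry counts
    retry_window: timedelta = timedelta(hours=4)   # pending triplets expire after this
    remember: timedelta = timedelta(days=36)       # accepted triplets stay whitelisted this long
    pending: dict = field(default_factory=dict)    # triplet -> first attempt time
    accepted: dict = field(default_factory=dict)   # triplet -> last accepted time

    @staticmethod
    def key(client_ip, sender, rcpt):
        """Normalise the triplet: client by /24 (IPv4) or /64 (IPv6), addresses lowercased."""
        addr = ip_address(client_ip)
        prefix = 24 if addr.version == 4 else 64
        net = ip_network(f"{addr}/{prefix}", strict=False)
        return (str(net), sender.lower(), rcpt.lower())

    def check(self, client_ip, sender, rcpt, now):
        """Return ACCEPT or the TEMPFAIL reply for one RCPT TO seen at time `now`."""
        k = self.key(client_ip, sender, rcpt)
        last = self.accepted.get(k)
        if last is not None and now - last <= self.remember:
            self.accepted[k] = now          # known-good triplet: refresh and accept
            return ACCEPT
        first = self.pending.get(k)
        if first is None or now - first > self.retry_window:
            self.pending[k] = now           # new (or expired) triplet: start the clock
            return TEMPFAIL
        if now - first < self.delay:
            return TEMPFAIL                 # retried too soon: keep it waiting
        del self.pending[k]
        self.accepted[k] = now              # retried properly: whitelist the triplet
        return ACCEPT


def demo():
    """Constructed sequence: a retrying MTA, a one-shot sender, an IPv6 farm."""
    g = Greylist()
    t0 = datetime(2010, 4, 12, 9, 0, 0)
    mta = ("203.0.113.10", "alice@example.org", "bob@example.net")
    spam = ("198.51.100.77", "offer@example.com", "bob@example.net")
    return [
        g.check(*mta, t0),                                       # first try
        g.check(*mta, t0 + timedelta(minutes=1)),                # too early
        g.check("203.0.113.11", mta[1], mta[2], t0 + timedelta(minutes=6)),  # same /24, after delay
        g.check(*mta, t0 + timedelta(days=1)),                   # remembered
        g.check(*spam, t0),                                      # one shot
        g.check(*spam, t0 + timedelta(hours=5)),                 # pending entry expired, starts over
        g.check("2001:db8::1", "a@example.org", "b@example.net", t0),
        g.check("2001:db8::2", "a@example.org", "b@example.net", t0 + timedelta(minutes=10)),  # same /64
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

In a milter the `check()` call sits at the RCPT stage and `TEMPFAIL` is
returned to the connecting MTA as the 451 reply; the two dicts would live in a
shared store when the front end is spread across several SMTP boxes behind the
load balancer, otherwise each box greylists independently and every retry that
lands on a different box is delayed again.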









Re: Carrier class email security recommendation

2010-04-12 Thread Suresh Ramasubramanian
I did ask him how many users he was looking to size email for.  But a
lot of questions like, and beyond, that - you may or may not want to
answer on nanog.

The man said carrier class .. and you have a set of assumptions.  If
you say enterprise you're assuming like 300K..400K mailboxes for the
very largest enterprises.  Tops.

That'd be a small to mid-sized carrier to spec carrier class for.

I'll end this thread here.

On Mon, Apr 12, 2010 at 9:47 PM, Zaid Ali  wrote:
> I think it is a perfectly reasonable question to ask in NANOG. If someone
> asks how much memory do I need on my router to do BGP, you have to ask the
> fundamental question of how big your routing table will be. I don't see this
> as any different. Its helpful to provide opinions when you are guided by
> some data :)
>



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Carrier class email security recommendation

2010-04-12 Thread Zaid Ali
I think it is a perfectly reasonable question to ask in NANOG. If someone
asks how much memory do I need on my router to do BGP, you have to ask the
fundamental question of how big your routing table will be. I don't see this
as any different. Its helpful to provide opinions when you are guided by
some data :)

Zaid


On 4/12/10 9:06 AM, "Suresh Ramasubramanian"  wrote:

> It's nanog and not an RFQ process or I'd have asked him that too :)
> 
> On Mon, Apr 12, 2010 at 9:29 PM, Zaid Ali  wrote:
>> I haven't seen the man ask support for messages/hour, 3M..10M..1B ? Or maybe
>> I missed this question?
> 
> 





Re: ARIN IP6 policy for those with legacy IP4 Space

2010-04-12 Thread William Herrin
On Mon, Apr 12, 2010 at 11:23 AM, John Curran  wrote:
> On Apr 12, 2010, at 8:51 AM, Joe Greco wrote:
>> Further, given the purported role that InterNIC played, "exchange of
>> value" as a prerequisite is a rather questionable position to rely on;
>> InterNIC had motivations other than a purely financial one to organize
>> IP allocations.  The number assignment function is critical to allowing
>> the Internet to work smoothly.
>
> On this matter we do agree, since allocations prior to ARIN's formation were
> generally made pursuant to a US Government contract or cooperative agreement.
> While I don't consider addresses to be property, if you take the opposite view
> then there's very likely a significant body of procurement law which already
> applies to property furnished in this manner and would be far more relevant
> than any documentation that an address block recipient received at the time.

John, Joe:

If you want to understand the general thinking circa 1993, find a copy
of the first edition, third printing of the crab book (TCP/IP Network
Administration, O'Reilly) and read chapter 4. That was the reference
many of us followed when getting our first address blocks.

Regards,
Bill Herrin




-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004



Re: ARIN IP6 policy for those with legacy IP4 Space

2010-04-12 Thread Joe Greco
> On Apr 12, 2010, at 8:51 AM, Joe Greco wrote:
> > Further, given the purported role that InterNIC played, "exchange of
> > value" as a prerequisite is a rather questionable position to rely on;
> > InterNIC had motivations other than a purely financial one to organize
> > IP allocations.  The number assignment function is critical to allowing
> > the Internet to work smoothly.
> 
> Joe - 
>  
> On this matter we do agree, since allocations prior to ARIN's formation were 
> generally made pursuant to a US Government contract or cooperative agreement. 
>  
> While I don't consider addresses to be property, if you take the opposite 
> view 
> then there's very likely a significant body of procurement law which already 
> applies to property furnished in this manner and would be far more relevant 
> than any documentation that an address block recipient received at the time.

There are all manner of theories.  Some have compared it to physical 
land (possibly apt due to the limited nature of both), or to the way
land was granted to the railroads to spur development, etc.  Spinning
the issue in any of several different ways could land you at wildly
differing results.  I'll bet that significant bodies of relevant law
for each are contradictory and confusing at best.  :-)

Anyways, my original intent was simply to point out that there are some
impediments to IPv6 adoption, somehow this morphed into a larger topic
than intended.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Carrier class email security recommendation

2010-04-12 Thread Suresh Ramasubramanian
It's nanog and not an RFQ process or I'd have asked him that too :)

On Mon, Apr 12, 2010 at 9:29 PM, Zaid Ali  wrote:
> I haven't seen the man ask support for messages/hour, 3M..10M..1B ? Or maybe
> I missed this question?



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Carrier class email security recommendation

2010-04-12 Thread Zaid Ali
I haven't seen the man ask support for messages/hour, 3M..10M..1B ? Or maybe
I missed this question?

Zaid


On 4/12/10 8:47 AM, "Suresh Ramasubramanian"  wrote:

> On Mon, Apr 12, 2010 at 8:45 PM, todd glassey  wrote:
>> On 4/12/2010 7:22 AM, Suresh Ramasubramanian wrote:
>>> The man did say "carrier class" .. not "small webhost for four
>>> families and dog".
>> 
>> yes he did Suresh ... meaning that something larger and more secure than
>> the off-the-shelf copy of Linux is needed. Funny the NSA and many others
>> would disagree with you.
> 
> I know of (and have been the postmaster for) multiple million user
> installations that run happily on linux + postfix (and sendmail,
> qmail..).
> 
> None that run on one server running webmin, even a 3U server.
> 
>> or layered as stages within a new system design based on GPU's which
>> allow for the specific assignment of threads of control to specific
>> processes. Imaging a cloud type environment running in a single GPU with
>> the abililty to properly map threads to GPU threads.
> 
> You don't have "single" of anything at all for large and well scaled
> environments.
> 
>> OK our server is 3U but that was because I wanted bigger fans inside
>> it... The 1U single TESLA based email GW is exactly what you describe -
>> a 512 thread CUDA based GPU with serious capabilities therein.
> 
> So how many users do you run on that one 3U box?  100K?  300K?  A
> couple of million?  :)
> 
> The man said carrier class.  And when you talk that you dont just talk
> features, you talk operations on a rather larger scale than what
> you're describing.
> 
> --srs





Re: Carrier class email security recommendation

2010-04-12 Thread Suresh Ramasubramanian
On Mon, Apr 12, 2010 at 8:45 PM, todd glassey  wrote:
> On 4/12/2010 7:22 AM, Suresh Ramasubramanian wrote:
>> The man did say "carrier class" .. not "small webhost for four
>> families and dog".
>
> yes he did Suresh ... meaning that something larger and more secure than
> the off-the-shelf copy of Linux is needed. Funny the NSA and many others
> would disagree with you.

I know of (and have been the postmaster for) multiple million user
installations that run happily on linux + postfix (and sendmail,
qmail..).

None that run on one server running webmin, even a 3U server.

> or layered as stages within a new system design based on GPU's which
> allow for the specific assignment of threads of control to specific
> processes. Imaging a cloud type environment running in a single GPU with
> the abililty to properly map threads to GPU threads.

You don't have "single" of anything at all for large and well scaled
environments.

> OK our server is 3U but that was because I wanted bigger fans inside
> it... The 1U single TESLA based email GW is exactly what you describe -
> a 512 thread CUDA based GPU with serious capabilities therein.

So how many users do you run on that one 3U box?  100K?  300K?  A
couple of million?  :)

The man said carrier class.  And when you talk that you dont just talk
features, you talk operations on a rather larger scale than what
you're describing.

--srs

-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Metering power in data center

2010-04-12 Thread NOC

Hi,

For our needs we use http://www.lem.com/ ; they have a lot of products 
to do that. We use a magnetic meter, so you don't need to break the circuit 
to install it.


Regards,

Bastien


Wallace Keith wrote:

> -Original Message-
> From: Jay Nakamura [mailto:zeusda...@gmail.com] 
> Sent: Thursday, April 08, 2010 2:10 PM
>
> To: NANOG
> Subject: Metering power in data center
>
> I am looking for suggestions on devices that can
> monitor(A)/meter(kw/h) power usage in a data center.  Getting a
> metered PDU everywhere seems a little expensive and cumbersome.
>
> Are there devices you can wire into breaker box to meter each AC
> circuit?
>
> Thanks in advance for any suggestions.
>
> -Jay
>
> We have a few of these running: http://www.emon.com/products_webmon.html
> -Keith






Re: Carrier class email security recommendation

2010-04-12 Thread John Kristoff
On Mon, 12 Apr 2010 07:09:12 -0700
todd glassey  wrote:

> Alex there are many email systems out there - but make sure that
> whatever you buy can support NTPv4 and not SNTP or unauthenticated NTP
> since this is how the GW is going to be able to put time-marks on
> receipts which must have legal authority.

Hi Todd,

I think this is the first I've heard that only authenticated NTP (and
maybe even NTPv4?) is sufficient for legal authority.  Can you say a
bit more about this?  Perhaps, what sorts of issues you've run into or
seen when this is not implemented?

> So that means any appliance system provider must have at least NTPv4
> tested with both Autokey and symmetric-key and the new interface
> specific ACL's in the 4.2.6 versions of NTP. Further the issues of the
> ECC/Parity memory become important here because time is moved over UDP
> and is subject to single-bit errors all over the place.

Authentication support for SNTP does exist in the protocol and I've
seen documentation where some gear supports it, though I suspect its
very rarely used in practice.

And 4.2.6p1 was released 3 days ago and 4.2.6 in December.  Might be
a tall order if you want it now.  :-)

I haven't worked out the math, but I would have thought the UDP checksum,
coupled with a rigorous implementation (e.g. validates the originate and
transmit timestamps) and the various robustness mechanisms built into
the protocol should limit the effect of single-bit errors significantly.
I'd be interested in hearing or reading about experience that says
otherwise.

Nevertheless there are no doubt incorrect clocks all over the place.
As a simple example, for the open NTP servers we know about, here is
the top five most popular stratums by percent:

  stratum    %
        3   43
        4   18
        2   16
       16   14
        5    5

The overall accuracy of all those stratum 16 clocks is likely going
to be poor.

John
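The checks John describes (a client validating the originate timestamp, discarding unsynchronized or kiss-o'-death replies) and the single-bit-error question, worked as an added example that is not part of the thread. Everything below is constructed: the timestamps, the stratum values, the "GPS" and "RATE" reference IDs, and the 20-byte IPv4 header used as a checksum test vector. The checksum routine is the RFC 1071 ones' complement sum that UDP uses; it is applied here to the bare NTP datagram, without the pseudo-header a real UDP checksum also covers.

```python
"""
Added example (not from the thread): the sanity checks an NTP client applies to
a reply, plus a demonstration that the ones' complement Internet checksum (the
function UDP uses) detects any single-bit error in a 48-byte NTP datagram.
Timestamps, stratum values and reference IDs below are constructed.
"""
import struct
from typing import List

# NTPv4 header: LI/VN/mode, stratum, poll, precision, root delay, root dispersion,
# reference ID, then reference/origin/receive/transmit timestamps (RFC 5905).
NTP_FMT = "!BBBbIIIQQQQ"
NTP_LEN = struct.calcsize(NTP_FMT)  # 48 bytes

MODE_CLIENT, MODE_SERVER = 3, 4
LI_ALARM = 3          # leap indicator 3: clock never synchronized
STRATUM_KOD = 0       # kiss-o'-death; reference ID carries a code such as "RATE"
STRATUM_UNSYNC = 16   # unsynchronized


def build_packet(mode: int, stratum: int, ref_id: int, origin: int, recv: int,
                 xmit: int, li: int = 0, version: int = 4) -> bytes:
    first = (li << 6) | (version << 3) | mode
    return struct.pack(NTP_FMT, first, stratum, 6, -20, 0, 0, ref_id, 0, origin, recv, xmit)


def build_request(xmit: int) -> bytes:
    # A client request carries only its own transmit timestamp (T1).
    return build_packet(MODE_CLIENT, 0, 0, 0, 0, xmit)


def validate_reply(request: bytes, reply: bytes) -> List[str]:
    """Return the reasons a reply should be discarded; an empty list means accept."""
    if len(reply) < NTP_LEN:
        return ["short packet (%d bytes)" % len(reply)]
    req = struct.unpack(NTP_FMT, request[:NTP_LEN])
    rep = struct.unpack(NTP_FMT, reply[:NTP_LEN])
    li, version, mode = rep[0] >> 6, (rep[0] >> 3) & 7, rep[0] & 7
    stratum, ref_id = rep[1], rep[6]
    origin, recv, xmit = rep[8], rep[9], rep[10]
    problems = []
    if version not in (3, 4):
        problems.append("unsupported version %d" % version)
    if mode != MODE_SERVER:
        problems.append("mode %d is not a server reply" % mode)
    if li == LI_ALARM:
        problems.append("leap indicator 3: server clock unsynchronized")
    if stratum == STRATUM_KOD:
        code = ref_id.to_bytes(4, "big").decode("ascii", "replace")
        problems.append("kiss-o'-death %r: back off, do not use" % code)
    elif stratum >= STRATUM_UNSYNC:
        problems.append("stratum %d: server unsynchronized" % stratum)
    # The originate check: the reply must echo the transmit timestamp we sent,
    # which rejects replayed, blindly spoofed and bit-damaged replies alike.
    if origin != req[10]:
        problems.append("origin timestamp does not match our transmit timestamp")
    if xmit == 0:
        problems.append("zero transmit timestamp")
    if recv > xmit:
        problems.append("receive timestamp later than transmit timestamp")
    return problems


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum, as used by IPv4, UDP and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def every_single_bit_flip_detected(data: bytes) -> bool:
    """Flip each bit in turn and confirm the checksum changes every time."""
    base = inet_checksum(data)
    for i in range(len(data) * 8):
        flipped = bytearray(data)
        flipped[i // 8] ^= 1 << (i % 8)
        if inet_checksum(bytes(flipped)) == base:
            return False
    return True


# Constructed timestamps: seconds since 1900 in the high 32 bits, fraction below.
T1 = (3479000000 << 32) | 0x12345678
T2 = T1 + (1 << 31)                  # server received half a second later
T3 = T2 + (1 << 20)                  # and replied shortly after
GOOD_REPLY = build_packet(MODE_SERVER, 2, int.from_bytes(b"GPS\x00", "big"), T1, T2, T3)
BAD_REPLY = build_packet(MODE_SERVER, STRATUM_UNSYNC, 0, T1 ^ 1, T2, T3, li=LI_ALARM)

if __name__ == "__main__":
    req = build_request(T1)
    print("good reply:", validate_reply(req, GOOD_REPLY) or "accepted")
    print("bad reply:", validate_reply(req, BAD_REPLY))
    print("checksum catches every single-bit flip:", every_single_bit_flip_detected(GOOD_REPLY))
```

The originate-timestamp comparison is the one that does the real work: a reply whose origin field does not match what the client sent is dropped before its time is ever used, so a single flipped bit that somehow survived the UDP checksum still has to land in a field the client does not cross-check to cause harm. A stratum 16 or LI=3 reply is the wire form of the "incorrect clocks all over the place" John counts; a well-behaved client refuses them.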



Re: ARIN IP6 policy for those with legacy IP4 Space

2010-04-12 Thread John Curran
On Apr 12, 2010, at 8:51 AM, Joe Greco wrote:
> 
> Further, given the purported role that InterNIC played, "exchange of
> value" as a prerequisite is a rather questionable position to rely on;
> InterNIC had motivations other than a purely financial one to organize
> IP allocations.  The number assignment function is critical to allowing
> the Internet to work smoothly.

Joe - 
 
On this matter we do agree, since allocations prior to ARIN's formation were 
generally made pursuant to a US Government contract or cooperative agreement.  
While I don't consider addresses to be property, if you take the opposite view 
then there's very likely a significant body of procurement law which already 
applies to property furnished in this manner and would be far more relevant 
than any documentation that an address block recipient received at the time.

/John

John Curran
President and CEO
ARIN






Re: Carrier class email security recommendation

2010-04-12 Thread todd glassey
On 4/12/2010 7:22 AM, Suresh Ramasubramanian wrote:
> The man did say "carrier class" .. not "small webhost for four
> families and dog".  

yes he did Suresh ... meaning that something larger and more secure than
the off-the-shelf copy of Linux is needed. Funny the NSA and many others
would disagree with you.


> You're talking multiple mailservers + filtering
> gateways / appliances etc, clustered .. 

or layered as stages within a new system design based on GPU's which
allow for the specific assignment of threads of control to specific
processes. Imaging a cloud type environment running in a single GPU with
the abililty to properly map threads to GPU threads.

> rather tough to do that with
> one pizzabox 1U running a linux that's not updated in years and
> configured with webmin.

OK our server is 3U but that was because I wanted bigger fans inside
it... The 1U single TESLA based email GW is exactly what you describe -
a 512 thread CUDA based GPU with serious capabilities therein.

FYI CUDA and the embedded nVidia GPU's changed that. Do you have any idea
how fast the email filters run in a CUDA? I do... and it's mindblowing.

Hell, the TESLA family of cards' 90 to 128 parallel threads of control
per GPU Core can be assigned through CUDA to specific processes and
whamo - more OS horse power than you know what to do with.

The high end cards generally have 2 or 4 GPU's making the total thread
count from 180 to 512 based on the model. The Pentium 4 sports a
whopping four (4) threads of control... 1 per core. We use 8800's for
end-node systems and the larger TESLA based service modules in scaleable
production systems.

The cool part is running NTP in the embedded CUDA card with permanently
assigned TOC's (*threads of control) so that the process never blocks.
That and the 1PPS disciplining makes time available to everything in the
system.

As to whose appliances do and don't:

IronPORT is a FreeBSD type deployment so it does... most of the Linux
Appliance systems can but many of them don't, like Barracuda for instance.

In fact you may want to call Barracuda and ask for Stephen Gee or Steven
Pao - both of them will tell you they will not be upgrading to a secure
NTP version for some time unless the customer's demand it.

Their emails (Stephen and Steven's)  are s...@barracuda.com and
s...@barracuda.com so now you can ask them for yourself.


> Or whether that's a bigger constraint than an
> underpowered linux box? :)

Yeah - see a linux box with a Quad Pentium and a CUDA is a carrier class
device especially if it's a dual-processor and has redundant bus and
power supplies. In fact these same systems are also used in
submicrosecond trading (aka Algorithmic trading) so yes of course - they
are weak and unscaleable systems right??? (not really Suresh).


> 
> On Mon, Apr 12, 2010 at 7:48 PM, todd glassey  wrote:
>> Yes William, but realize that was an "easiest method" solution. There
>> are any number of others as well.
>>
>> The point is that integrating an appliance type functionality is pretty
>> easy if you bother to take the time.
>>
>> What I really wanted to point out is how many of the devices don't allow
>> authenticated NTP meaning they are worthless from an evidence
>> perspective, something that we as network engineers are constrained by
>> as well.
> 
> 
> 


Major additions to Team Cymru's Bogon Feed

2010-04-12 Thread Tim Wilde
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Greetings everyone!

Team Cymru is pleased to announce a significant addition to our bogon
reference project.  The new portions of the project are offered at no
cost to the community, and the original bogon lists and feeds are not
being changed or canceled, just augmented.

The new "fullbogon" feed includes prefixes allocated to RIRs, but not
assigned by the RIRs to end-users, ISPs, etc, providing a more complete
view of the unassigned space that should not be seen on the Internet.

This new service is therefore more granular than the original feed,
including a wide variety of non-routable prefixes as well as unassigned
prefixes.  We're also making IPv6 bogons available in these new feeds.

If you're interested in receiving the new "fullbogon" feeds via BGP,
simply e-mail bogo...@cymru.com with your ASN, peering IP addresses and
whether you use MD5 authentication.

See an overview in the 46th episode of Team Cymru's 'The Who and Why
Show' at www.youtube.com/teamcymru, as well as a more basic overview in
episode 12.  For a more detailed explanation of all the ways you can
track the bogons, see the newly-updated bogon reference pages at:

http://www.team-cymru.org/Services/Bogons/

Even more so than the original feed, there are significant changes to
the fullbogons lists every day and the feed automatically recalculates
the prefixes as they are allocated from the regional registries, so make
sure you are able to regularly update your lists.

Internet security is all about "the other guy." If one sizeable network
is insecure, it WILL be used to abuse other networks. We look forward to
continuing to help our community to secure the edge.

Best regards,
Tim Wilde, for Team Cymru

- -- 
Tim Wilde, Senior Software Engineer, Team Cymru, Inc.
twi...@cymru.com | +1-630-230-5433 | http://www.team-cymru.org/
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkvDOPMACgkQluRbRini9tg0JACfSKs3TaNgACE9LEdbbjYY8/JS
+DIAnjbFISSHMVfqe512mi70FQ6tQA+6
=0OAO
-----END PGP SIGNATURE-----
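What consuming such a feed looks like on the filtering side, as an added example that is not Team Cymru's code and does not describe their feed format: load a prefix list, match connecting addresses against it for both IPv4 and IPv6, diff two daily snapshots (the point of "make sure you are able to regularly update your lists" is that prefixes leave the list as they are assigned), and refuse to install any entry that overlaps space you route yourself. The two snapshots and the "own prefixes" below are constructed from documentation and private ranges; the one-prefix-per-line, `#`-comment layout is an assumption for the example.

```python
"""
Added example (not Team Cymru's code): loading a bogon/fullbogon style prefix
list, matching source addresses against it for IPv4 and IPv6, diffing two
daily snapshots, and checking the list against your own prefixes before it is
applied. Feed contents are constructed; the line format is an assumption.
"""
import ipaddress
from typing import Dict, List, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_feed(text: str) -> List[Network]:
    """One prefix per line, '#' starts a comment (assumed layout)."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_bogon(ip: str, feed: List[Network]) -> bool:
    """True if ip falls inside any feed prefix of the same address family."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in feed if net.version == addr.version)


def feed_diff(old: List[Network], new: List[Network]) -> Tuple[Set[str], Set[str]]:
    """(added, removed). 'removed' is space that became assigned: stop filtering it."""
    o, n = {str(x) for x in old}, {str(x) for x in new}
    return n - o, o - n


def conflicts_with_own_space(feed: List[Network], own: List[str]) -> Dict[str, List[str]]:
    """Feed prefixes overlapping prefixes you route or originate: never install these."""
    own_nets = [ipaddress.ip_network(p, strict=False) for p in own]
    hits = {}
    for mine in own_nets:
        bad = [str(n) for n in feed if n.version == mine.version and n.overlaps(mine)]
        if bad:
            hits[str(mine)] = bad
    return hits


# Constructed snapshots: documentation/private ranges only, not real feed data.
FEED_MONDAY = """
# constructed snapshot
0.0.0.0/8
10.0.0.0/8
192.0.2.0/24
198.51.100.0/24     # pretend this is RIR-held but not yet assigned
2001:db8::/32
::/8
"""
FEED_TUESDAY = """
# constructed snapshot: 198.51.100.0/24 was assigned overnight, 203.0.113.0/24 appeared
0.0.0.0/8
10.0.0.0/8
192.0.2.0/24
203.0.113.0/24
2001:db8::/32
::/8
"""

if __name__ == "__main__":
    mon, tue = parse_feed(FEED_MONDAY), parse_feed(FEED_TUESDAY)
    for src in ("10.1.2.3", "198.51.100.5", "2001:db8::1", "2001:db9::1"):
        print(src, "bogon on Monday:", is_bogon(src, mon), "Tuesday:", is_bogon(src, tue))
    print("added/removed:", feed_diff(mon, tue))
    print("conflicts:", conflicts_with_own_space(mon, ["198.51.100.0/26"]))
```

The overlap check is the caveat a practitioner wants before turning a daily-changing list into a drop filter: a prefix that was unassigned yesterday may be yours, or a customer's, today, and a stale list would blackhole it. A linear scan is fine for an example; a production filter with tens of thousands of entries would use a radix tree or push the prefixes into the router as the BGP feed intends.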



Re: Carrier class email security recommendation

2010-04-12 Thread Joel M Snyder

>I am in the process of sourcing for a carrier class email security
>solution that will replace our current edge spam gateways based on open
>source solutions. Some solutions that am currently considering are
>Ironport, Fortinet Fortimail, MailFoundry and Barracuda.

A lot of the answer depends on what you think of as "carrier class." 
Generally, I would consider a carrier-class device to have a couple of 
attributes that are different from a typical enterprise-class device:


Quarantine: carrier class: no (enterprise: maybe)
Per-user settings: carrier class: no (enterprise: maybe)
False positive rate: carrier class: very very low (enterprise: very low)
False negative rate: carrier class: low (enterprise: very low)
Performance: carrier class: critical (enterprise: important)

In other words, I think of a carrier-class product as something that 
sits in the mail stream and does a good job of blocking spam, but is 
set up so that no one needs to talk about it.  You don't want to get a 
stream of false-positive reports, but you are willing to let some spam 
through in order to avoid help desk calls.  The goal of this product is 
mostly to keep your mail servers happy, and as a secondary goal, to keep 
the users happy.


You could have a second level of anti-spam protection, something more 
Postini-esque, which is carrier-sized but has a lot more user 
interaction and user settings, for people who want to get premium 
anti-spam protection.  But that's more an enterprise product that scales 
up, which is subtly--but importantly--different from a carrier product.


We test anti-spam products for efficacy (essentially FP & FN 
performance), less so for performance.  If you are looking at Ironport, 
then you want to ask them about the Cloudmark anti-spam engine.  It is a 
"carrier-focused" engine, and you'll find that the pricing is MUCH 
better than their own engine once you get to large numbers of users.  In 
fact, I believe that they added the Cloudmark engine specifically to 
address queries like yours--people who like the product architecture, 
but are turned off by the licensing.  With Cloudmark inside, you get the 
same product flow and features, but a less expensive engine good for 
large ISPs.


In terms of speed, the obvious feature to look for is reputation 
services.  This gives you an enormous savings.  Symantec used to offer a 
box based on Turntide, which was a standalone throttle for spam; I don't 
know if they have that as a standalone or not, but if they do, I'd 
recommend something like that.  You may be able to roll your own as well 
fairly easily since there's no MTA to worry about.


The win with reputation services is fantastic.  For example, I did a 
test with a Crossbeam box and Trend a while ago 
(http://www.opus1.com/www/whitepapers/crossbeam-perf.pdf) and we were 
getting a steady-state 600 message/second without reputation filtering; 
with reputation filtering, about 1645 messages/second.  That's using 
MAPS RBL+, which is a low-risk reputation service.   Plug in a service 
like Spamhaus or Ironport's SenderBase, and you would get closer to 2500 
message/second (about 200 million messages/day).


Based on our testing, for a carrier-class deployment, I'd recommend 
looking at Ironport+Cloudmark, Trend, and Tumbleweed (now Axway).  There 
are other good products (Proofpoint, for example, turns in great scores 
as does Sophos), but performance-wise they may not be able to scale up 
to the kind of load you're talking about when you say "Carrier Class."


Feel free to contact me offline if you need more observations, etc.

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One   Phone: +1 520 324 0494
j...@opus1.com    http://www.opus1.com/jms
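The "roll your own" reputation throttle Joel mentions is, at bottom, a DNSBL lookup performed before the MTA accepts the connection. Below is an added example of that check, not code from Opus One or from any of the products named. The zone name `dnsbl.example`, the listed addresses and the resolver are constructed so it runs offline; the return-code convention (an A record inside 127.0.0.0/8 means listed, the exact value is zone-specific) is the common one, and a production version would call a real resolver with a short timeout.

```python
"""
Added example (not from the thread or any vendor): the pre-MTA reputation check
a "roll your own" throttle performs, i.e. a DNSBL lookup. The zone name, the
listed addresses and the resolver are constructed so the code runs offline.
"""
import ipaddress
from typing import Callable, Iterable, Optional

# Never ask a public reputation zone about addresses that cannot be a sender on
# the Internet; it leaks internal topology and the answer is meaningless anyway.
NEVER_QUERY = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# By convention a listing is returned as an A record inside 127.0.0.0/8; the
# exact code (127.0.0.2, 127.0.0.4, ...) is defined per zone.
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")

Resolver = Callable[[str], Optional[Iterable[str]]]


def dnsbl_name(ip: str, zone: str) -> str:
    """Query name for ip under zone: reversed octets (v4) or reversed nibbles (v6)."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone.strip(".") + "."


def check_reputation(ip: str, zone: str, resolve: Resolver) -> str:
    """Return 'listed:<codes>', 'clean', 'skip' or 'error' for one connecting IP."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in NEVER_QUERY):
        return "skip"
    try:
        answers = list(resolve(dnsbl_name(ip, zone)) or [])
    except OSError:
        # Resolver failure: fail open. A reputation throttle only saves the MTA
        # work; the content filters behind it still run.
        return "error"
    if not answers:
        return "clean"
    codes = [ipaddress.ip_address(a) for a in answers]
    if all(c in LISTED_NET for c in codes):
        return "listed:" + ",".join(str(c) for c in codes)
    # An answer outside 127/8 means the zone is broken or expired, or a resolver
    # is wildcarding NXDOMAIN; treating that as "listed" would reject all mail.
    return "error"


def decide(ip: str, zone: str, resolve: Resolver) -> str:
    """What the throttle does before the MTA even sees the connection."""
    verdict = check_reputation(ip, zone, resolve)
    if verdict.startswith("listed:"):
        return "reject"     # 5xx at connect: no SMTP transaction, no content scan
    return "accept"         # clean, skipped or error all fall through to the MTA


# Constructed zone contents, keyed by the exact query name.
ZONE = "dnsbl.example"
FAKE_ZONE = {
    dnsbl_name("192.0.2.10", ZONE): ["127.0.0.2"],
    dnsbl_name("2001:db8::1", ZONE): ["127.0.0.4", "127.0.0.10"],
}


def fake_resolve(name: str) -> Optional[Iterable[str]]:
    return FAKE_ZONE.get(name)


if __name__ == "__main__":
    for src in ("192.0.2.10", "192.0.2.11", "2001:db8::1", "10.1.1.1"):
        print(src, check_reputation(src, ZONE, fake_resolve), decide(src, ZONE, fake_resolve))
```

Two design choices matter at carrier scale. The throttle fails open on resolver trouble or a non-127/8 answer, because a zone that goes dark (or a resolver that wildcards NXDOMAIN) must not turn into a total mail outage. And the lookup returns before any SMTP dialogue, which is where the throughput gain Joel measured comes from: the rejected connection never costs a content scan.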



Re: Carrier class email security recommendation

2010-04-12 Thread Suresh Ramasubramanian
The man did say "carrier class" .. not "small webhost for four
families and dog".   You're talking multiple mailservers + filtering
gateways / appliances etc, clustered .. rather tough to do that with
one pizzabox 1U running a linux that's not updated in years and
configured with webmin.

And have you used / deployed any of those devices to claim they don't
support NTP?  Or whether that's a bigger constraint than an
underpowered linux box? :)

On Mon, Apr 12, 2010 at 7:48 PM, todd glassey  wrote:
> Yes William, but realize that was an "easiest method" solution. There
> are any number of others as well.
>
> The point is that integrating an appliance type functionality is pretty
> easy if you bother to take the time.
>
> What I really wanted to point out is how many of the devices don't allow
> authenticated NTP meaning they are worthless from an evidence
> perspective, something that we as network engineers are constrained by
> as well.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Carrier class email security recommendation

2010-04-12 Thread todd glassey
On 4/12/2010 7:14 AM, William Pitcock wrote:
> On Mon, 2010-04-12 at 07:09 -0700, todd glassey wrote:
>> On 4/12/2010 2:49 AM, Alex Kamiru wrote:
>>> I am in the process of sourcing for a carrier class email security
>>> solution that will replace our current edge spam gateways based on open
>>> source solutions. Some solutions that am currently considering are
>>> Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore
>>> wish to know, based on your experiences, what works for you
>>> satisfactorily. 
>>
>>
>>> Areas that are key for me are centralized management and
>>> reporting, carrier class performance, per mailbox policy and quarantine,
>>> and favourable licensing for an MSSP. I know Ironport is rated highly in
>>> this space but I find its per user licensing is not favourable for a
>>> MSSP. 
>>
>> On the other hand installing a FreeBSD system with QMail/Procmail and/or
>> PostFIX for the other stuff is a no-brainer especially with a Webmin
>> Management front end.
> 
> Webmin?  Are you serious?

Yes William, but realize that was an "easiest method" solution. There
are any number of others as well.

The point is that integrating an appliance type functionality is pretty
easy if you bother to take the time.

What I really wanted to point out is how many of the devices don't allow
authenticated NTP meaning they are worthless from an evidence
perspective, something that we as network engineers are constrained by
as well.

Todd

> 
> William
> 
> 


Re: Carrier class email security recommendation

2010-04-12 Thread William Pitcock
On Mon, 2010-04-12 at 07:09 -0700, todd glassey wrote:
> On 4/12/2010 2:49 AM, Alex Kamiru wrote:
> > I am in the process of sourcing for a carrier class email security
> > solution that will replace our current edge spam gateways based on open
> > source solutions. Some solutions that am currently considering are
> > Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore
> > wish to know, based on your experiences, what works for you
> > satisfactorily. 
> 
> 
> > Areas that are key for me are centralized management and
> > reporting, carrier class performance, per mailbox policy and quarantine,
> > and favourable licensing for an MSSP. I know Ironport is rated highly in
> > this space but I find its per user licensing is not favourable for a
> > MSSP. 
> 
> On the other hand installing a FreeBSD system with QMail/Procmail and/or
> PostFIX for the other stuff is a no-brainer especially with a Webmin
> Management front end.

Webmin?  Are you serious?

William




Re: Carrier class email security recommendation

2010-04-12 Thread todd glassey
On 4/12/2010 2:49 AM, Alex Kamiru wrote:
> I am in the process of sourcing for a carrier class email security
> solution that will replace our current edge spam gateways based on open
> source solutions. Some solutions that am currently considering are
> Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore
> wish to know, based on your experiences, what works for you
> satisfactorily. 


> Areas that are key for me are centralized management and
> reporting, carrier class performance, per mailbox policy and quarantine,
> and favourable licensing for an MSSP. I know Ironport is rated highly in
> this space but I find its per user licensing is not favourable for a
> MSSP. 

On the other hand installing a FreeBSD system with QMail/Procmail and/or
PostFIX for the other stuff is a no-brainer especially with a Webmin
Management front end.

> 
> Regards,
> Alex.
> 

Alex there are many email systems out there - but make sure that
whatever you buy can support NTPv4 and not SNTP or unauthenticated NTP
since this is how the GW is going to be able to put time-marks on
receipts which must have legal authority.

So that means any appliance system provider must have at least NTPv4
tested with both Autokey and symmetric-key and the new interface
specific ACL's in the 4.2.6 versions of NTP. Further the issues of the
ECC/Parity memory become important here because time is moved over UDP
and is subject to single-bit errors all over the place.

Todd Glassey
> 
> 
> 
> 


Re: unsubscribe

2010-04-12 Thread Justin M. Streiner

On Sat, 10 Apr 2010, David Loutrel wrote:


  --
  David B. Loutrel, Operations Manager
  ACME Hosting & Design
  [1]www.acme-ent.net

References

  1. http://www.acme-ent.net/


If you look in the message headers, you will see list management info, 
including how to unsubscribe yourself from the list.


jms



Re: Seeking Amazon EC2 abuse contact

2010-04-12 Thread todd glassey
On 4/12/2010 6:39 AM, Mark Scholten wrote:
> Hello Erik,
> 
> Do you care to share the IP address? So everyone could update their
> firewalls to block the attacks? Even only blocking known SIP ports (5060)
> could be a good idea.

The easiest thing to do is to block all of EC2 and not worry about it.

> 
> With kind regards,
> 
> Mark Scholten


The person to formally put on notice now then is Amazon's general
counsel Michelle Wilson about the damage their (her) policies and
practices are causing when these types of attacks emanate out of their
IP Space since they apparently have dealt in bad faith by placing bogus
contact information therein.

I assure you Michelle will react VERY quickly to being notified.

http://people.forbes.com/profile/l-michelle-wilson/4002

Todd Glassey
> 
>> -Original Message-
>> From: Erik L [mailto:erik_l...@caneris.com]
>> Sent: Monday, April 12, 2010 3:05 PM
>> To: Michael J McCafferty
>> Cc: nanog@nanog.org
>> Subject: RE: Seeking Amazon EC2 abuse contact
>>
>> Michael,
>>
>> I've received numerous off-list responses yesterday. Most of them were
>> asking if I've made contact with anyone there as they were being
>> attacked as well. One gentleman who works at AWS (but not EC2 abuse)
>> promised to forward my e-mail to them. I've also been reading the
>> asterisk-users list where many have reported attacks from Amazon EC2 as
>> well over the past few days.
>>
>> At one point we were seeing 197 SIP brute force attempts per second
>> against a customer's box. The intensity in terms of bandwidth is low,
>> but if you do the math, you can see that this isn't the point.
>>
>> This morning I received an e-mail from Amazon which was basically the
>> same as the one you received. The attack is still on-going and I've
>> still not made contact with a human at Amazon.
>>
>> Erik
>>
>>
>>
>>> -Original Message-
>>> From: Michael J McCafferty [mailto:m...@m5computersecurity.com]
>>> Sent: April 12, 2010 05:16
>>> To: Erik L
>>> Cc: nanog@nanog.org
>>> Subject: Re: Seeking Amazon EC2 abuse contact
>>>
>>> Erik,
>>> We have several customers being attacked from the same
>>> EC2 instance on
>>> their network for 2 full days now. Contacted them at
>>> ec2-ab...@amazon.com  and 25 hours later received a message that
>>> basically said, "Yep, we can confirm that a customer of ours is
>>> attacking you but that's their fault. We sometimes do stuff,
>>> but not in
>>> this case. Please don't block us, because the IP might be someone
>> else
>>> later. Have a nice day".
>>> The telephone number in the WHOIS record goes to a
>>> general voicemail
>>> box for their legal department.
>>> A few of our customers who are being attacked by this
>>> same instance at
>>> EC2 have also contacted Amazon, and were told essentially the same
>>> thing.
>>> While I appreciate that they sent a response, I do not
>>> appreciate its
>>> uselessness.
>>> Anyone over there at AWS that can do something willing
>>> to reply to me
>>> directly?
>>>
>>> Thanks!
>>> Mike
>>>
>>>
>>> On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote:
>>>> Could someone from Amazon EC2 please contact me off-list
>>>> regarding an abuse issue from one of their IPs?
>>>> Alternatively, could someone please send me the contact
>>>> details of someone there?
>>>>
>>>> E-mailing the abuse e-mail listed in WHOIS per their
>>>> instructions, including all pertinent data, results in an
>>>> auto-reply indicating to use a form on their site. Submitting
>>>> the form results in "There has been an error while submitting
>>>> your data. Please try again later." Calling their supposed
>>>> NOC (as per WHOIS) results in "You have reached the legal
>>>> department at Amazon...please leave a message".
>>>>
>>>> Thanks
>>>>
>>> --
>>> 
>>> Michael J. McCafferty
>>> Principal
>>> M5 Hosting
>>> http://www.m5hosting.com
>>>
>>> You can have your own custom Dedicated Server up and running today !
>>> RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more
>>> 
>>>
>>>
> 
> 
> 

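What the "197 SIP brute force attempts per second" Erik reports looks like when you have to find and block it yourself, as an added example that is not from anyone in this thread: rate-based detection run over constructed log lines, producing a per-source block list rather than a provider-wide drop. The lines imitate the `chan_sip` "Registration from ... failed for ..." NOTICE that Asterisk writes; the regex is an assumption to adapt to your own logs, and the source addresses are documentation ranges, not the attacker's.

```python
"""
Added example (not from the thread): rate-based detection of a SIP registration
brute force over constructed log lines. The line layout imitates the chan_sip
"Registration from ... failed for ..." NOTICE; treat the regex as an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Tuple

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<user>[^']*)' failed for '(?P<src>[^']+)' - (?P<why>.*)$"
)


def source_ip(field: str) -> str:
    """'198.51.100.7:5060' -> '198.51.100.7'; a bare IPv6 literal is left alone."""
    if field.count(":") == 1:
        return field.split(":")[0]
    return field


def parse_failures(lines: List[str]) -> List[Tuple[datetime, str, str]]:
    """(timestamp, source ip, reason) for each failed-registration line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            out.append((ts, source_ip(m["src"]), m["why"]))
    return out


def peak_rate(events: List[Tuple[datetime, str, str]], window_seconds: int = 1) -> Dict[str, int]:
    """Highest failure count per source in any sliding window of window_seconds."""
    recent = defaultdict(deque)
    peak = defaultdict(int)
    for ts, ip, _ in sorted(events, key=lambda e: e[0]):
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
    return dict(peak)


def block_list(lines: List[str], threshold: int, window_seconds: int = 1) -> List[str]:
    """Sources whose peak failure rate reached threshold: the firewall input."""
    rates = peak_rate(parse_failures(lines), window_seconds)
    return sorted(ip for ip, r in rates.items() if r >= threshold)


def _line(ts: str, user: str, src: str, why: str = "Wrong password") -> str:
    # Constructed log line in the assumed chan_sip layout.
    return ("[%s] NOTICE[1234] chan_sip.c: Registration from '\"%s\" <sip:%s@192.0.2.5>' "
            "failed for '%s' - %s" % (ts, user, user, src, why))


# Constructed sample: one source hammering extensions 100-105 within a single
# second, a lone typo from another source, a straggler, and an unrelated line.
SAMPLE_LOG = (
    [_line("2010-04-12 10:00:00", str(100 + i), "198.51.100.7:5060") for i in range(6)]
    + [_line("2010-04-12 10:00:00", "200", "203.0.113.9:5060", "No matching peer found")]
    + [_line("2010-04-12 10:00:05", "300", "198.51.100.7:5060")]
    + ["[2010-04-12 10:00:05] VERBOSE[1234] chan_sip.c: Really destroying SIP dialog"]
)

if __name__ == "__main__":
    print("peak failures/s per source:", peak_rate(parse_failures(SAMPLE_LOG)))
    print("block at >= 5/s:", block_list(SAMPLE_LOG, threshold=5))
```

Keying on the source address and a short sliding window catches the pattern Erik describes (low bandwidth, very high attempt rate) without relying on any one user name being targeted, and the output is a handful of addresses to drop at the edge, which is a far narrower response than blocking an entire cloud provider and stays correct when the attacker's instance is reassigned to someone else.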

unsubscribe

2010-04-12 Thread David Loutrel
   --
   David B. Loutrel, Operations Manager
   ACME Hosting & Design
   [1]www.acme-ent.net

References

   1. http://www.acme-ent.net/


RE: Seeking Amazon EC2 abuse contact

2010-04-12 Thread Mark Scholten
Hello Erik,

Do you care to share the IP address? So everyone could update their
firewalls to block the attacks? Even only blocking known SIP ports (5060)
could be a good idea.

With kind regards,

Mark Scholten

> -Original Message-
> From: Erik L [mailto:erik_l...@caneris.com]
> Sent: Monday, April 12, 2010 3:05 PM
> To: Michael J McCafferty
> Cc: nanog@nanog.org
> Subject: RE: Seeking Amazon EC2 abuse contact
> 
> Michael,
> 
> I've received numerous off-list responses yesterday. Most of them were
> asking if I've made contact with anyone there as they were being
> attacked as well. One gentleman who works at AWS (but not EC2 abuse)
> promised to forward my e-mail to them. I've also been reading the
> asterisk-users list where many have reported attacks from Amazon EC2 as
> well over the past few days.
> 
> At one point we were seeing 197 SIP brute force attempts per second
> against a customer's box. The intensity in terms of bandwidth is low,
> but if you do the math, you can see that this isn't the point.
> 
> This morning I received an e-mail from Amazon which was basically the
> same as the one you received. The attack is still on-going and I've
> still not made contact with a human at Amazon.
> 
> Erik
> 
> 
> 
> > -Original Message-
> > From: Michael J McCafferty [mailto:m...@m5computersecurity.com]
> > Sent: April 12, 2010 05:16
> > To: Erik L
> > Cc: nanog@nanog.org
> > Subject: Re: Seeking Amazon EC2 abuse contact
> >
> > Erik,
> > We have several customers being attacked from the same
> > EC2 instance on
> > their network for 2 full days now. Contacted them at
> > ec2-ab...@amazon.com  and 25 hours later received a message that
> > basically said, "Yep, we can confirm that a customer of ours is
> > attacking you but that's their fault. We sometimes do stuff,
> > but not in
> > this case. Please don't block us, because the IP might be someone
> else
> > later. Have a nice day".
> > The telephone number in the WHOIS record goes to a
> > general voicemail
> > box for their legal department.
> > A few of our customers who are being attacked by this
> > same instance at
> > EC2 have also contacted Amazon, and were told essentially the same
> > thing.
> > While I appreciate that they sent a response, I do not
> > appreciate its
> > uselessness.
> > Anyone over there at AWS that can do something willing
> > to reply to me
> > directly?
> >
> > Thanks!
> > Mike
> >
> >
> > On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote:
> > > Could someone from Amazon EC2 please contact me off-list
> > regarding an abuse issue from one of their IPs?
> > Alternatively, could someone please send me the contact
> > details of someone there?
> > >
> > > E-mailing the abuse e-mail listed in WHOIS per their
> > instructions, including all pertinent data, results in an
> > auto-reply indicating to use a form on their site. Submitting
> > the form results in "There has been an error while submitting
> > your data. Please try again later." Calling their supposed
> > NOC (as per WHOIS) results in "You have reached the legal
> > department at Amazon...please leave a message".
> > >
> > > Thanks
> > >
> > --
> > 
> > Michael J. McCafferty
> > Principal
> > M5 Hosting
> > http://www.m5hosting.com
> >
> > You can have your own custom Dedicated Server up and running today !
> > RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more
> > 
> >
> >




RE: Seeking Amazon EC2 abuse contact

2010-04-12 Thread Erik L
Michael,

I've received numerous off-list responses yesterday. Most of them were asking 
if I've made contact with anyone there as they were being attacked as well. One 
gentleman who works at AWS (but not EC2 abuse) promised to forward my e-mail to 
them. I've also been reading the asterisk-users list where many have reported 
attacks from Amazon EC2 as well over the past few days.

At one point we were seeing 197 SIP brute force attempts per second against a 
customer's box. The intensity in terms of bandwidth is low, but if you do the 
math, you can see that this isn't the point.

This morning I received an e-mail from Amazon which was basically the same as 
the one you received. The attack is still on-going and I've still not made 
contact with a human at Amazon.

Erik



> -Original Message-
> From: Michael J McCafferty [mailto:m...@m5computersecurity.com] 
> Sent: April 12, 2010 05:16
> To: Erik L
> Cc: nanog@nanog.org
> Subject: Re: Seeking Amazon EC2 abuse contact
> 
> Erik,
>   We have several customers being attacked from the same 
> EC2 instance on
> their network for 2 full days now. Contacted them at
> ec2-ab...@amazon.com  and 25 hours later received a message that
> basically said, "Yep, we can confirm that a customer of ours is
> attacking you but that's their fault. We sometimes do stuff, 
> but not in
> this case. Please don't block us, because the IP might be someone else
> later. Have a nice day".
>   The telephone number in the WHOIS record goes to a 
> general voicemail
> box for their legal department.
>   A few of our customers who are being attacked by this 
> same instance at
> EC2 have also contacted Amazon, and were told essentially the same
> thing.
>   While I appreciate that they sent a response, I do not 
> appreciate its
> uselessness.
>   Anyone over there at AWS that can do something willing 
> to reply to me
> directly?
> 
> Thanks!
> Mike
> 
> 
> On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote:
> > Could someone from Amazon EC2 please contact me off-list 
> regarding an abuse issue from one of their IPs? 
> Alternatively, could someone please send me the contact 
> details of someone there?
> > 
> > E-mailing the abuse e-mail listed in WHOIS per their 
> instructions, including all pertinent data, results in an 
> auto-reply indicating to use a form on their site. Submitting 
> the form results in "There has been an error while submitting 
> your data. Please try again later." Calling their supposed 
> NOC (as per WHOIS) results in "You have reached the legal 
> department at Amazon...please leave a message".
> > 
> > Thanks
> > 
> -- 
> 
> Michael J. McCafferty
> Principal
> M5 Hosting
> http://www.m5hosting.com
> 
> You can have your own custom Dedicated Server up and running today !
> RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more
> 
> 
> 
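Mark's suggestion above to block the offending source at the firewall, and the 197-attempts-per-second figure in Erik's report, point at the check a defender actually wants on the receiving end: pick out the source whose registration failures arrive in bursts against many different account names, and leave alone the legitimate user who mistypes a password twice. The following is an added example, not code posted by anyone in this thread. The log lines are constructed in an Asterisk chan_sip-style NOTICE format, the addresses come from the documentation ranges, and the thresholds and the rendered iptables rule are assumptions.

```python
"""Per-source SIP registration-failure rate and account spread over sample log lines."""
import re
from collections import Counter, defaultdict

# Constructed sample log lines in an Asterisk chan_sip-like NOTICE format.
# Not taken from the thread; 192.0.2.44 plays the brute-forcing source and
# 203.0.113.7 a legitimate user who mistypes a password twice.
SAMPLE_LOG = """\
[Apr 12 09:00:00] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@198.51.100.10>' failed for '192.0.2.44:5060' - Wrong password
[Apr 12 09:00:00] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@198.51.100.10>' failed for '192.0.2.44:5060' - No matching peer found
[Apr 12 09:00:00] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@198.51.100.10>' failed for '192.0.2.44:5060' - Wrong password
[Apr 12 09:00:00] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@198.51.100.10>' failed for '192.0.2.44:5060' - Wrong password
[Apr 12 09:00:01] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@198.51.100.10>' failed for '192.0.2.44:5060' - Wrong password
[Apr 12 09:00:01] NOTICE[1234] chan_sip.c: Registration from '"alice" <sip:alice@198.51.100.10>' failed for '203.0.113.7:5060' - Wrong password
[Apr 12 09:00:05] NOTICE[1234] chan_sip.c: Registration from '"alice" <sip:alice@198.51.100.10>' failed for '203.0.113.7:5060' - Wrong password
"""

# The account name sits between single quotes and contains only double quotes,
# so [^']* stops at the right place.
FAILURE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<user>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.*)$"
)


def parse_failures(text):
    """Return (timestamp, source_ip, user, reason) for each failed REGISTER line."""
    events = []
    for line in text.splitlines():
        m = FAILURE_RE.match(line)
        if m:
            events.append((m["ts"], m["ip"], m["user"], m["reason"]))
    return events


def peak_rate_per_second(events):
    """Highest number of failures seen in any single second, per source IP.

    The log timestamp has one-second resolution, so the raw string is the bucket key.
    """
    buckets = defaultdict(Counter)
    for ts, ip, _user, _reason in events:
        buckets[ip][ts] += 1
    return {ip: max(c.values()) for ip, c in buckets.items()}


def distinct_users(events):
    """Number of distinct account names each source tried (enumeration indicator)."""
    users = defaultdict(set)
    for _ts, ip, user, _reason in events:
        users[ip].add(user)
    return {ip: len(u) for ip, u in users.items()}


def flag_sources(events, rate_threshold=3, user_threshold=3):
    """Sources exceeding the per-second rate or trying many accounts (assumed thresholds)."""
    rates = peak_rate_per_second(events)
    users = distinct_users(events)
    return sorted(
        ip for ip in rates
        if rates[ip] >= rate_threshold or users[ip] >= user_threshold
    )


def block_rule(ip, port=5060):
    """Render an iptables rule dropping SIP from a flagged source; returned as text, not executed."""
    return f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"


if __name__ == "__main__":
    evs = parse_failures(SAMPLE_LOG)
    rates, users = peak_rate_per_second(evs), distinct_users(evs)
    for ip in flag_sources(evs):
        print(f"{ip}: peak {rates[ip]}/s, {users[ip]} accounts tried")
        print("   ", block_rule(ip))
```

Two signals are combined on purpose: a burst rate alone would also catch a misconfigured phone hammering one account, while the distinct-account count alone misses a slow scan; a source that trips either is worth a look, and the legitimate "alice" failures (one per second, one account) trip neither.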


Re: ARIN IP6 policy for those with legacy IP4 Space

2010-04-12 Thread Joe Greco
> 
> 
> On Apr 11, 2010, at 9:17 AM, Joe Greco wrote:
> 
> >>> Put less tersely:
> >>> 
> >>> We were assigned space, under a policy whose purpose was primarily to
> >>> guarantee uniqueness in IPv4 numbering.  As with other legacy holders,
> >>> we obtained portable space to avoid the technical problems associated
> >>> with renumbering, problems with in-addr.arpa subdelegation, etc.
> >> 
> >> So far, correct.
> >> 
> >>> Part of that was an understanding that the space was ours (let's not
> >>> get distracted by any "ownership" debate, but just agree for the sake
> >>> of this point that it was definitely understood that we'd possess it).
> >>> This served the good of the Internet by promoting stability within an
> >>> AS and allowed us to spend engineering time on finer points (such as 
> >>> maintaining PTR's) rather than renumbering gear every time we changed
> >>> upstreams.
> >>> 
> >> This is fictitious unless you are claiming that your allocation predates:
> >> 
> >> RFC 2050    November, 1996
> >> RFC 1466    May, 1993
> >> RFC 1174    August, 1990
> >> 
> >> Prior to that, it was less clear, but, the concept was still generally
> >> justified need so long as that need persisted.
> > 
> > Which ours does.
> > 
> >>> Eventually InterNIC was disbanded, and components went in various
> >>> directions.  ARIN landed the numbering assignment portion of InterNIC.
> >>> Along with that, maintenance of the legacy resources drifted along to
> >>> ARIN.
> >> 
> >> Actually, ARIN was spun off from InterNIC (containing most of the same
> >> staff that had been doing the job at InterNIC) well before InterNIC was
> >> disbanded.
> > 
> > Is there an effective difference or are you just quibbling?  For the
> > purposes of this discussion, I submit my description was suitable to
> > describe what happened.
> 
> Your description makes it sound like there was limited or no continuity
> between the former and the current registration services entity.
> 
> I point out that ARIN was formed run by and including most of the
> IP-related staff from InterNIC.
> 
> I consider that a substantive distinction.
> 
> >>> ARIN might not have a contract with us, or with other legacy holders.
> >>> It wasn't our choice for ARIN to be tasked with holding up InterNIC's
> >>> end of things.  However, it's likely that they've concluded that they
> >>> better do so, because if they don't, it'll probably turn into a costly
> >>> legal battle on many fronts, and I doubt ARIN has the budget for that.
> >> 
> >> This is going to be one of those situations that could become a
> >> legal battle on many fronts either way.  On the one hand you have
> >> legacy holders who have no contractual right to services from
> >> anyone (If you want to pursue InterNIC for failing to live up to
> >> whatever agreement you have/had with them, I wish you the
> >> very best of luck in that endeavor, especially since you don't
> >> have a written contract from them, either).
> >> 
> >> On the other hand, in a relatively short timeframe, you are likely
> >> to have litigants asking why ARIN has failed to reclaim/reuse
> >> the underutilized IPv4 space sitting in so many legacy registrations.
> >> 
> >> Which of those two bodies of litigants is larger or better funded
> >> is left as an exercise for the reader. Nonetheless, ARIN is
> >> going to be in an interesting position between those two
> >> groups (which one is rock and which is hard place is also
> >> left as an exercise for the reader) going forward regardless
> >> of what action is taken by ARIN in this area.
> >> 
> >> That is why the legacy RSA is important. It represents ARIN
> >> trying very hard to codify and defend the rights of the legacy
> >> holders.
> > 
> > Yes, but according to the statistics provided by Mr. Curran, it looks
> > like few legacy space holders are actually adopting the LRSA. 
> > 
> So far, yes. That's unfortunate.
> 
> > Like many tech people, you seem to believe that the absence of a 
> > "contract" means that there's no responsibility, and that InterNIC's
> > having been disbanded absolves ARIN from responsibility.  In the real
> > world, things are not so simple.  The courts have much experience at
> > looking at real world situations and determining what should happen.
> > These outcomes are not always predictable and frequently don't seem to
> > have obvious results, but they're generally expensive fights.
> 
> No, actually, quite the opposite.  I believe that BOTH legacy holders and
> ARIN have responsibilities even though there is no contract. 

Certainly legacy holders have some responsibilities.

> I believe
> that ARIN is, however, responsible to the community as it exists today
> and not in any way responsible to legacy holders who choose to
> ignore that community and their responsibilities to it.

And what, exactly, does that mean?  Aside from things that were
documented at the time we received our allocation, what sort of
"responsibilities" do we have?

We agree

Re: Solar Flux

2010-04-12 Thread todd glassey
On 4/11/2010 10:04 AM, Joel M Snyder wrote:

SNIP

> 
> On the other hand, another effect of solar flares is UV radiation, so a
> good pair of sunglasses and some high-SPF sunblock would be good to
> have, plus make you look less like a nerd.  Unless you use that zinc
> stuff on your nose, in which case you look more like a nerd.  YMMV.
> 
> jms
> 
> 

Joel, one of my partner's kids collects Barbie dolls and since the new
Barbie is "geek girl" or "Engineer Barbie" the idea that being a geek is
offensive may have finally been put to death as it should have 20 years ago.

http://www.chipchick.com/2010/02/computer-engineer-barbie.html

Todd Glassey


Re: Solar Flux

2010-04-12 Thread Robert E. Seastrom

"George Bonser"  writes:

>> -Original Message-
>> From: Pete Carah [mailto:p...@altadena.net]
>> Sent: Sunday, April 11, 2010 8:41 PM
>> To: nanog@nanog.org
>> Subject: Re: Solar Flux
>> 
>> And to top it all off, how many picojoules are stored in a modern ram
>> cell
>> compared to the same during the last sunspot peak.  There is a hidden
>> cost to memory density growth here...
>> 
>> -- Pete
>> 
>
> This cycle is currently predicted to be quite tame by recent standards.
> So far NASA is predicting cycle 24 to be much weaker than 23 was:
>
> http://solarscience.msfc.nasa.gov/images/f107_predict.gif
>
> http://solarscience.msfc.nasa.gov/predict.shtml

That said, nobody got it right in terms of the depth or length of the
current valley, and we are in the bear skins and flint knives era of
predicting Sol's activity.

Also, a weak cycle (integration over a period of 11 years) does not
mean there won't be brief periods of utter insanity.

-r





Re: Carrier class email security recommendation

2010-04-12 Thread Suresh Ramasubramanian
Right.  Just to add one more choice into your mix .. Bizanga is one
such vendor that I've seen deployed by carriers who want an appliance.
They were recently acquired by Cloudmark.

There are also "rate limiting .. kind of like netflow for email" type
devices - Symantec E160, and Mailchannels (mailchannels.com). These
might be worth considering for systemwide filtering after which you
can apply your own policies per user.

ps: About Barracuda - I am not aware, they may have a carrier grade /
larger scale product too.   If you see one of those, or any other
vendor that meets your needs go for it.

-suresh

2010/4/12 Alex Kamiru :
> Suresh,
> I am more interested in option 1 and would want opinion from those with
> experience on that.
>
> -Original Message-
> From: Suresh Ramasubramanian 
> To: Alex Kamiru 
> Cc: nanog 
> Subject: Re: Carrier class email security recommendation
> Date: Mon, 12 Apr 2010 15:37:46 +0530
>
> You have multiple options
>
> 1. Ironport / Fortinet etc gateways.   [Not barracuda - hardly carrier
> class, enterprise grade more like it]
>
> 2. Outsource to a provider like Messagelabs or MXLogic that only
> handles the spam filtering, lets you host your own mailboxes
>
> 3. Outsource to one or more vendors of hosted email services - Google
> Apps, Microsoft BPOS, IBM Lotuslive etc
>
> your choice based on what meets your requirements.
>
> --srs (full disclosure - head, antispam @ ibm lotuslive)
>
> 2010/4/12 Alex Kamiru :
>> I am in the process of sourcing for a carrier class email security
>> solution that will replace our current edge spam gateways based on open
>> source solutions. Some solutions that am currently considering are
>> Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore
>> wish to know, based on your experiences, what works for you
>> satisfactorily. Areas that are key for me are centralized management and
>> reporting, carrier class performance, per mailbox policy and quarantine,
>> and favourable licensing for an MSSP. I know Ironport is rated highly in
>> this space but I find its per user licensing is not favourable for a
>> MSSP.
>
>
>
>



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: Carrier class email security recommendation

2010-04-12 Thread Alex Kamiru
Suresh,
I am more interested in option 1 and would want opinion from those with
experience on that. 

-Original Message-
From: Suresh Ramasubramanian 
To: Alex Kamiru 
Cc: nanog 
Subject: Re: Carrier class email security recommendation
Date: Mon, 12 Apr 2010 15:37:46 +0530


You have multiple options

1. Ironport / Fortinet etc gateways.   [Not barracuda - hardly carrier
class, enterprise grade more like it]

2. Outsource to a provider like Messagelabs or MXLogic that only
handles the spam filtering, lets you host your own mailboxes

3. Outsource to one or more vendors of hosted email services - Google
Apps, Microsoft BPOS, IBM Lotuslive etc

your choice based on what meets your requirements.

--srs (full disclosure - head, antispam @ ibm lotuslive)

2010/4/12 Alex Kamiru :
> I am in the process of sourcing for a carrier class email security
> solution that will replace our current edge spam gateways based on open
> source solutions. Some solutions that am currently considering are
> Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore
> wish to know, based on your experiences, what works for you
> satisfactorily. Areas that are key for me are centralized management and
> reporting, carrier class performance, per mailbox policy and quarantine,
> and favourable licensing for an MSSP. I know Ironport is rated highly in
> this space but I find its per user licensing is not favourable for a
> MSSP.





Re: Carrier class email security recommendation

2010-04-12 Thread Suresh Ramasubramanian
You have multiple options

1. Ironport / Fortinet etc gateways.   [Not barracuda - hardly carrier
class, enterprise grade more like it]

2. Outsource to a provider like Messagelabs or MXLogic that only
handles the spam filtering, lets you host your own mailboxes

3. Outsource to one or more vendors of hosted email services - Google
Apps, Microsoft BPOS, IBM Lotuslive etc

your choice based on what meets your requirements.

--srs (full disclosure - head, antispam @ ibm lotuslive)

2010/4/12 Alex Kamiru :
> I am in the process of sourcing for a carrier class email security
> solution that will replace our current edge spam gateways based on open
> source solutions. Some solutions that am currently considering are
> Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore
> wish to know, based on your experiences, what works for you
> satisfactorily. Areas that are key for me are centralized management and
> reporting, carrier class performance, per mailbox policy and quarantine,
> and favourable licensing for an MSSP. I know Ironport is rated highly in
> this space but I find its per user licensing is not favourable for a
> MSSP.



-- 
Suresh Ramasubramanian (ops.li...@gmail.com)



Re: legacy /8

2010-04-12 Thread Florian Weimer
* Paul Vixie:

> as you have pointed out many times, ipv6 offers the same number of /32's
> as ipv4.  however, a /32 worth of ipv6 is enough for a lifetime even for
> most multinationals,

With 6RD on the table, this is not quite correct anymore.



Carrier class email security recommendation

2010-04-12 Thread Alex Kamiru
I am in the process of sourcing for a carrier class email security
solution that will replace our current edge spam gateways based on open
source solutions. Some solutions that am currently considering are
Ironport, Fortinet Fortimail, MailFoundry and Barracuda. I'd therefore
wish to know, based on your experiences, what works for you
satisfactorily. Areas that are key for me are centralized management and
reporting, carrier class performance, per mailbox policy and quarantine,
and favourable licensing for an MSSP. I know Ironport is rated highly in
this space but I find its per user licensing is not favourable for a
MSSP. 

Regards,
Alex.






Re: Seeking Amazon EC2 abuse contact

2010-04-12 Thread Michael J McCafferty
Erik,
We have several customers being attacked from the same EC2 instance on
their network for 2 full days now. Contacted them at
ec2-ab...@amazon.com  and 25 hours later received a message that
basically said, "Yep, we can confirm that a customer of ours is
attacking you but that's their fault. We sometimes do stuff, but not in
this case. Please don't block us, because the IP might be someone else
later. Have a nice day".
The telephone number in the WHOIS record goes to a general voicemail
box for their legal department.
A few of our customers who are being attacked by this same instance at
EC2 have also contacted Amazon, and were told essentially the same
thing.
While I appreciate that they sent a response, I do not appreciate its
uselessness.
Anyone over there at AWS that can do something willing to reply to me
directly?

Thanks!
Mike


On Sun, 2010-04-11 at 10:38 -0400, Erik L wrote:
> Could someone from Amazon EC2 please contact me off-list regarding an abuse 
> issue from one of their IPs? Alternatively, could someone please send me the 
> contact details of someone there?
> 
> E-mailing the abuse e-mail listed in WHOIS per their instructions, including 
> all pertinent data, results in an auto-reply indicating to use a form on 
> their site. Submitting the form results in "There has been an error while 
> submitting your data. Please try again later." Calling their supposed NOC (as 
> per WHOIS) results in "You have reached the legal department at 
> Amazon...please leave a message".
> 
> Thanks
> 
-- 

Michael J. McCafferty
Principal
M5 Hosting
http://www.m5hosting.com

You can have your own custom Dedicated Server up and running today !
RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more





Re: Solar Flux

2010-04-12 Thread Leigh Porter


Ahh so it was Cosmic Rays that caused all the VIPs to crash and CEF to 
route traffic up its own ass?


Now I understand..

--
Leigh Porter


On 11/04/10 22:06, Joe wrote:

The topic of sunspots is certainly familiar from long ago. We had a 7513
that crashed unexpectedly, upon a review of the data available, it was
determined that a parity error had occurred. I can't remember the exact
error as it was several years ago, but upon a quick search this article
seems familiar.

http://www.ciscopress.info/en/US/products/hw/switches/ps700/products_tech_note09186a00801b42bf.shtml

Search on cosmic radiation and/or SEU within.

-Joe





Re: legacy /8

2010-04-12 Thread Randy Bush
> plenty of people have accused ipv6 of being a solution in search of a
> problem.  on this very mailing list within the last 72 hours i've seen
> another person assert that "ipv6 isn't needed."  while i tend to agree
> with tony li who of ipv6 famously said it was "too little and too
> soon" we have been Overtaken By Events and we now have to deploy it
> "or else".

http://www.hactrn.net/sra/vorlons



Re: legacy /8

2010-04-12 Thread Paul Vixie
> From: David Conrad 
> Date: Sun, 11 Apr 2010 13:52:24 -1000
> 
> On Apr 11, 2010, at 10:57 AM, Paul Vixie wrote:
> > ... i'd like to pick the easiest problem and for that reason i'm urging
> > dual-stack ipv4/ipv6 for all networks new or old.
> 
> Is anyone arguing against this?

yes.  plenty of people have accused ipv6 of being a solution in search of
a problem.  on this very mailing list within the last 72 hours i've seen
another person assert that "ipv6 isn't needed."  while i tend to agree
with tony li who of ipv6 famously said it was "too little and too soon" we
have been Overtaken By Events and we now have to deploy it "or else".  the
only way we're going to do that is with widescale dual-stack, either
native dual-stack (which is generally easy since ipv6 address space is
cheap and plentiful) or dual-stack-lite (which is ipv4-NAT ipv6-native
with aggregated encap/decap at the POP or edge) or with any other method
(or trick) that comes to mind or seems attractive.

what we can't do is presume that any form of "ipv4 steady state forever" or
"wait for something better than ipv6 before abandoning ipv4" is practical,
or that these would be less expensive (in both direct cost, indirect cost,
and network/market stability) than "dual-stack now, ipv6-mostly soon, and
ipv6-only eventually".

> The problem is what happens when there isn't sufficient IPv4 to do dual
> stack.

that problem has many low hanging solutions, some of which mark andrews
gave in his response to your note.  one popular address allocation policy
proposal is reserving the last IPv4 /8 for use in IPv6 deployment, for
example as public-facing dual-stack-lite gateways.

which brings me to the subject of address allocation policies, and meetings
that happen periodically to discuss same.  one such address allocator is
ARIN (American Registry for Internet Numbers) and one such public policy
meeting is next week in toronto.  details of this meeting can be found at:

https://www.arin.net/participate/meetings/ARIN-XXV/

and anyone, not just from the ARIN service region and not just ARIN members,
can attend.  there are also remote participation options, see above web page.
--
Paul Vixie
Chairman, ARIN BoT