Re: Enterprise DNS providers
On 18 October 2010 06:53, Jonas Björklund jo...@bjorklund.cn wrote: I have worked for one of the biggest poker networks and we used UltraDNS. The company was first operated from Sweden and later Austria. /Jonas I would tend to agree... I have also used UltraDNS in the past for other companies, however we needed them urgently and someone else responded faster and they seem to be doing a good job so far. Regards, Ken
Re: network name 101100010100110.net
On 10/17/10 8:24 PM, Joe Hamelin wrote: That's why 3M registered mmm.com back in 1988. and not just because minnestoaminingandmanufacturing.com is hard to type... they've since officially changed the name of the company to 3m... -- Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474 On Sun, Oct 17, 2010 at 8:18 PM, Mark Andrews ma...@isc.org wrote: In message 20101018024021.gc8...@vacation.karoshi.com., bmann...@vacation.karoshi.com writes: On Sun, Oct 17, 2010 at 09:16:04PM -0500, James Hess wrote: On Sat, Oct 16, 2010 at 11:46 PM, Day Domes daydo...@gmail.com wrote: I have been tasked with coming up with a new name for our transit data network. I am thinking of using 101100010100110.net does anyone see any issues with this? The domain-name starts with a digit, which is not really recommended, RFC 1034, due to the fact a valid actual hostname cannot start with a digit, and, for example, some MTAs/MUAs, that comply with earlier versions of standards still in use, will possibly have a problem sending e-mail to the flat domain, even if the actual hostname is something legal such as mail.101100010100110.net. if there is code that old still out there, it deserves to die. the leading character restriction was lifted when the company 3com was created. it's been nearly 18 years since that advice held true. Which goes back to one of the standard-provided definitions of domain name syntax used by RFC 821 page 29: domain ::= element | element . domain element ::= name | # number | [ dotnum ] mailbox ::= local-part @ domain ... name ::= a ldh-str let-dig ... a ::= any one of the 52 alphabetic characters A through Z in upper case and a through z in lower case d ::= any one of the ten digits 0 through 9 at least three times in the past decade, the issues of RFC 821 vs Domain labels has come up on the DNSEXT mailing list in the IETF (or its predecessor). RFC 821 hostnames are not the convention for Domain Labels, esp as we enter the age of Non-Ascii labels. 
Correct but if you want to be able to send email to them then you *also* need to follow RFC 821 as modified by RFC 1123 so effectively you are limited to LDLDH*LD*{.LDLDH*LD*}+. If you want to buy !#$%^*.com go ahead but please don't expect anyone to change their mail software to support b...@!#$%^*.com as an email address. The DNS has very liberal labels (any octet stream up to 63 octets in length). If you want to store information about a host, in the DNS, using its name then you still need to abide by the rules for naming hosts. Yes this is spelt out in RFC 1035. There are lots of RFCs which confuse domain name with domain style host name. Or confuse domain name with a host name stored in the DNS. Mark That said, the world was much simpler last century. --bill -- -Jh -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Enterprise DNS providers
I have used UltraDNS before. They are decent. I am however evaluating Dynect (www.dyn.com) who are very popular with social media companies like Twitter. On Sun, Oct 17, 2010 at 11:17 PM, Ken Gilmour ken.gilm...@gmail.com wrote: On 18 October 2010 06:53, Jonas Björklund jo...@bjorklund.cn wrote: I have worked for one of the biggest poker networks and we used UltraDNS. The company was first operated from Sweden and later Austria. /Jonas I would tend to agree... I have also used UltraDNS in the past for other companies, however we needed them urgently and someone else responded faster and they seem to be doing a good job so far. Regards, Ken
Re: network name 101100010100110.net
Joel said: and not just because minnestoaminingandmanufacturing.com is hard to type... Also back then you could only have eight letters in your domain name. But it was free and only took 6-8 weeks to get. -- Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474
Terminology Request, WAS: Enterprise DNS providers
Hi, I have been following this thread, and am mostly curious - can somebody (or preferably several folks) define what is meant by 'Enterprise DNS' ? Thanks, - Mike On Oct 16, 2010, at 3:03 AM, Ken Gilmour wrote: Hello any weekend workers :) We are looking at urgently deploying an outsourced DNS provider for a critical domain which is currently unavailable but are having some difficulty. I've tried contacting UltraDNS who only allow customers from US / Canada to sign up (we are in Malta) and their Sales dept are closed, and Easy DNS who don't have .com.mt as an option in the dropdown for transferring domain names (and also support is closed). Black Lotus looks like the next best contender, has anyone had experience with these or any other recommendations for how we can transfer a .com.mt to a reliable hosting provider during the weekend? Thanks! Ken
Re: Terminology Request, WAS: Enterprise DNS providers
Subject: Terminology Request, WAS: Enterprise DNS providers Date: Mon, Oct 18, 2010 at 12:36:33AM -0700 Quoting Michael DeMan (na...@deman.com): Hi, I have been following this thread, and am mostly curious - can somebody (or preferably several folks) define what is meant by 'Enterprise DNS' ? Quality DNS operations for people with lots of money and not so lots of operational capacity (dare I say clue?) -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668 ... I'm IMAGINING a sensuous GIRAFFE, CAVORTING in the BACK ROOM of a KOSHER DELI
Network Operators Europe?
What is the name of the mailing list for Network Operators Europe?
Re: Network Operators Europe?
On 2010-10-18 12:02, Day Domes wrote: What is the name of the mailing list for Network Operators Europe? RIPE which has several mailing lists on a subject basis. Most simply use nanog though ;) and per-country there are several other *NOGs too. See Wikipedia for an extended list. Greets, Jeroen
Re: Pica8 - Open Source Cloud Switch
Cool story bro. On Mon, Oct 18, 2010 at 3:55 PM, Lin Pica8 pica8@gmail.com wrote: Hello, We are starting to distribute Pica8 Open Source Cloud Switches : http://www.pica8.com/ Especially, a Pica8 Switch with the following specifications (including Open Source Firmware) : -HW : 48x1Gbps + 4x10 Gbps -Firmware : L2/L3 management for VLAN, LACP, STP/RSTP, LLDP, OSPF, RIP, static route, PIM-SM, VRRP, IGMP, IGMP Snooping, IPv6, Radius/Tacacs+ as well as OpenFlow 1.0 would compete with a Cisco Catalyst 2960-S, Model WS-C2960S-48TD-L for half the price (~2k USD). Mail : pica8@gmail.com -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: Network Operators Europe?
Day Domes wrote: What is the name of the mailing list for Network Operators Europe? Hi Day, As Jeroen pointed out, the European operators group is called RIPE. You can find information about the mailing list here: http://www.ripe.net/mailman/listinfo/ripe-list There are also a bunch of works groups on various topics (IPv6, routing, dns etc.). See a list here: http://www.ripe.net/ripe/wg Regards, Mirjam
Only 5x IPv4 /8 remaining at IANA
APNIC just got another IPv4 /8 thus only 5 left: http://www.nro.net/media/remaining-ipv4-address-below-5.html (And the spammers will take the rest...) So, if your company is not doing IPv6 yet, you really are really getting late now. Greets, Jeroen (PS: There seems to be a trend for people calling themselves IPv6 Pioneers as they recently did something with IPv6, if you didn't play in the 6bone/early-RIR allocs you are not a pioneer as you are 10 years late)
Re: network name 101100010100110.net
On Mon, 18 Oct 2010, bmann...@vacation.karoshi.com wrote: On Sun, Oct 17, 2010 at 09:16:04PM -0500, James Hess wrote: Which goes back to one of the standard-provided definitions of domain name syntax used by RFC 821 page 29: RFC 821 defines the syntax for mail domains, not domain names in general. RFC 821 hostnames are not the convention for Domain Labels, esp as we enter the age of Non-Ascii labels. Host names are not mail domains. RFC 952 defined the syntax for host names. RFC 1034 recommends that labels in the DNS follow either 822 or 952 syntax (which are mostly the same). All of these were updated by RFC 1123 to allow leading digits. Internationalized domain names do not affect the restrictions on the syntax of what is put in the DNS. Tony. -- f.anthony.n.finch d...@dotat.at http://dotat.at/ HUMBER THAMES DOVER WIGHT PORTLAND: NORTH BACKING WEST OR NORTHWEST, 5 TO 7, DECREASING 4 OR 5, OCCASIONALLY 6 LATER IN HUMBER AND THAMES. MODERATE OR ROUGH. RAIN THEN FAIR. GOOD.
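The three syntaxes this thread keeps separating (any DNS name, an RFC 952 host name, and an RFC 1123 host name that may start with a digit) can be checked side by side. This is an added example, not part of any poster's message; the function names are hypothetical, the sample names are the ones mentioned in the thread, and only the character rules are modelled (RFC 952's 24-character limit is ignored).

```python
import re

MAX_LABEL_OCTETS = 63   # RFC 1035: one label is at most 63 octets
MAX_NAME_OCTETS = 253   # dotted text form of the 255-octet wire limit

# RFC 952: a host label starts with a letter and ends with a letter or digit.
RFC952_LABEL = re.compile(r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
# RFC 1123 section 2.1 relaxes the first character to a letter or a digit.
RFC1123_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def labels_of(name):
    """Return the labels of a dotted name, or None if any length is illegal."""
    text = name[:-1] if name.endswith(".") else name  # drop one root dot
    if not text or len(text.encode("utf-8")) > MAX_NAME_OCTETS:
        return None
    labels = text.split(".")
    for label in labels:
        # An empty label (e.g. "a..b") or an over-long one is not a DNS name.
        if not 1 <= len(label.encode("utf-8")) <= MAX_LABEL_OCTETS:
            return None
    return labels


def is_dns_name(name):
    """DNS itself only limits lengths; any octets may appear in a label."""
    return labels_of(name) is not None


def is_rfc952_hostname(name):
    """Original host-name rule: every label must begin with a letter."""
    labels = labels_of(name)
    return labels is not None and all(RFC952_LABEL.fullmatch(l) for l in labels)


def is_rfc1123_hostname(name):
    """Host-name rule after RFC 1123: leading digits are allowed."""
    labels = labels_of(name)
    if labels is None:
        return False
    # RFC 1123 2.1 notes the highest-level label is alphabetic, which is what
    # keeps a host name from being mistaken for a dotted-decimal address.
    if labels[-1].isdigit():
        return False
    return all(RFC1123_LABEL.fullmatch(l) for l in labels)


def classify(name):
    """Summarise which of the three syntaxes a name satisfies."""
    return {
        "dns": is_dns_name(name),
        "rfc952": is_rfc952_hostname(name),
        "rfc1123": is_rfc1123_hostname(name),
    }


# Sample names taken from the thread, plus two constructed edge cases.
SAMPLES = [
    "101100010100110.net",
    "mail.101100010100110.net",
    "3com.com",
    "mmm.com",
    "!#$%^*.com",
    "192.0.2.1",          # constructed: dotted-decimal, not a host name
    "-edge.example",      # constructed: leading hyphen
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:28} {classify(sample)}")
```

Input validation that still applies the RFC 952 rule rejects the name under discussion, while a check that applies only the DNS length limits accepts names no mail software will route.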
Re: Only 5x IPv4 /8 remaining at IANA
Jeroen Massar wrote: APNIC just got another IPv4 /8 thus only 5 left: http://www.nro.net/media/remaining-ipv4-address-below-5.html (And the spammers will take the rest...) Just for clarification, that article says 5% left, not 5x /8. According to Leo's E-mail earlier, they have 12 /8s left in the free pool. And +1 on the pioneers comment too. Paul.
Re: 12 years ago today...
On 16/10/10 10:02, Warren Bailey wrote: While we are on the subject of the godfathers of the Internet, when is a documentary coming out that tells the story? There was a really long documentary done on the BBS, surely someone (myself included) would find it interesting. I can recommend Where Wizards Stay Up Late by Katie Hafner http://www.amazon.com/Where-Wizards-Stay-Up-Late/dp/0684832674 A really good read IMHO. Will
Re: Only 5x IPv4 /8 remaining at IANA
And +1 on the pioneers comment too. Paul. IPv6 Hipsters..Doing it before it was cool.
Re: Pica8 - Open Source Cloud Switch
On 18/10/2010 12:25, Lin Pica8 wrote: We are starting to distribute Pica8 Open Source Cloud Switches : Sounds interesting. What chipset does this run on? Also, what's a cloud switch? Is this a switch which forwards L2 traffic, or did I miss something? Nick
Re: Only 5x IPv4 /8 remaining at IANA
On 10/18/2010 8:16 AM, ML wrote: And +1 on the pioneers comment too. Paul. IPv6 Hipsters..Doing it before it was cool. IPV4 -easy(); IPV6-really().Really().Difficult();
Re: Definitive Guide to IPv6 adoption
Dobbins, Roland rdobb...@arbor.net writes: Eric Vyncke's IPv6 security book is definitely worthwhile, http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945 A good companion to Eric's book is Deploying IPv6 Networks http://www.ciscopress.com/bookstore/product.asp?isbn=1587052105 Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | -
Re: Pica8 - Open Source Cloud Switch
* Lin Pica8 pica8@gmail.com [2010-10-18 13:27]: We are starting to distribute Pica8 Open Source Cloud Switches : open source? you gotta be joking. Currently, the Pica8 driver is released in binary form none of the interesting low-level drivers is open. none. zero. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: Only 5x IPv4 /8 remaining at IANA
I'll listen, but I need my vendors, carriers, etc. to all get on board first. Jeff On Mon, Oct 18, 2010 at 5:11 PM, Jens Link li...@quux.de wrote: Jeroen Massar jer...@unfix.org writes: So, if your company is not doing IPv6 yet, you really are really getting late now. They won't listen. Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany | +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | - -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: Only 5x IPv4 /8 remaining at IANA
Nah... Get IPv6 for your clients today, think about your servers for later... Then you will be able to ask all the right questions and apply the right pressure to your vendors, carriers, etc - Original Message - From: Jeffrey Lyon jeffrey.l...@blacklotus.net To: Jens Link li...@quux.de Cc: nanog@nanog.org Sent: Tuesday, 19 October, 2010 1:15:16 AM Subject: Re: Only 5x IPv4 /8 remaining at IANA I'll listen, but I need my vendors, carriers, etc. to all get on board first. Jeff On Mon, Oct 18, 2010 at 5:11 PM, Jens Link li...@quux.de wrote: Jeroen Massar jer...@unfix.org writes: So, if your company is not doing IPv6 yet, you really are really getting late now. They won't listen.
RE: Pica8 - Open Source Cloud Switch
Good question Nick, what is a cloud switch? Is this like VSS in cisco where you have a virtual chassis? Date: Mon, 18 Oct 2010 13:21:29 +0100 From: n...@foobar.org To: pica8@gmail.com Subject: Re: Pica8 - Open Source Cloud Switch CC: nanog@nanog.org On 18/10/2010 12:25, Lin Pica8 wrote: We are starting to distribute Pica8 Open Source Cloud Switches : Sounds interesting. What chipset does this run on? Also, what's a cloud switch? Is this a switch which forwards L2 traffic, or did I miss something? Nick
Re: Only 5x IPv4 /8 remaining at IANA
My clients can't use IPv6 when my infrastructure and carriers don't support it. Jeff On Mon, Oct 18, 2010 at 5:52 PM, Franck Martin fra...@genius.com wrote: Nah... Get IPv6 for your clients today, think about your servers for later... Then you will be able to ask all the right questions and apply the right pressure to your vendors, carriers, etc - Original Message - From: Jeffrey Lyon jeffrey.l...@blacklotus.net To: Jens Link li...@quux.de Cc: nanog@nanog.org Sent: Tuesday, 19 October, 2010 1:15:16 AM Subject: Re: Only 5x IPv4 /8 remaining at IANA I'll listen, but I need my vendors, carriers, etc. to all get on board first. Jeff On Mon, Oct 18, 2010 at 5:11 PM, Jens Link li...@quux.de wrote: Jeroen Massar jer...@unfix.org writes: So, if your company is not doing IPv6 yet, you really are really getting late now. They won't listen. -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: Only 5x IPv4 /8 remaining at IANA
On Oct 18, 2010, at 9:39 AM, Jeffrey Lyon wrote: My clients can't use IPv6 when my infrastructure and carriers don't support it. Smells like a business opportunity to steal your customers. Thanx! -- TTFN, patrick On Mon, Oct 18, 2010 at 5:52 PM, Franck Martin fra...@genius.com wrote: Nah... Get IPv6 for your clients today, think about your servers for later... Then you will be able to ask all the right questions and apply the right pressure to your vendors, carriers, etc - Original Message - From: Jeffrey Lyon jeffrey.l...@blacklotus.net To: Jens Link li...@quux.de Cc: nanog@nanog.org Sent: Tuesday, 19 October, 2010 1:15:16 AM Subject: Re: Only 5x IPv4 /8 remaining at IANA I'll listen, but I need my vendors, carriers, etc. to all get on board first. Jeff On Mon, Oct 18, 2010 at 5:11 PM, Jens Link li...@quux.de wrote: Jeroen Massar jer...@unfix.org writes: So, if your company is not doing IPv6 yet, you really are really getting late now. They won't listen. -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: Only 5x IPv4 /8 remaining at IANA
Only if you're prepared for the bloody onslaught of DDoS. Jeff On Mon, Oct 18, 2010 at 6:27 PM, Patrick W. Gilmore patr...@ianai.net wrote: On Oct 18, 2010, at 9:39 AM, Jeffrey Lyon wrote: My clients can't use IPv6 when my infrastructure and carriers don't support it. Smells like a business opportunity to steal your customers. Thanx! -- TTFN, patrick On Mon, Oct 18, 2010 at 5:52 PM, Franck Martin fra...@genius.com wrote: Nah... Get IPv6 for your clients today, think about your servers for later... Then you will be able to ask all the right questions and apply the right pressure to your vendors, carriers, etc - Original Message - From: Jeffrey Lyon jeffrey.l...@blacklotus.net To: Jens Link li...@quux.de Cc: nanog@nanog.org Sent: Tuesday, 19 October, 2010 1:15:16 AM Subject: Re: Only 5x IPv4 /8 remaining at IANA I'll listen, but I need my vendors, carriers, etc. to all get on board first. Jeff On Mon, Oct 18, 2010 at 5:11 PM, Jens Link li...@quux.de wrote: Jeroen Massar jer...@unfix.org writes: So, if your company is not doing IPv6 yet, you really are really getting late now. They won't listen. -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: Pica8 - Open Source Cloud Switch
On 18/10/2010 14:27, Brandon Kim wrote: Good question Nick, what is a cloud switch? Is this like VSS in cisco where you have a virtual chassis? The vss is virtual management software for a virtual switch. This box looks like a piece of hardware that you can plug things into, so I'm just wondering what makes this a cloud switch and some other piece of kit not a cloud switch. Nick
RE: Pica8 - Open Source Cloud Switch
Because 'cloud computing' is the latest buzzword, and their marketing department thought that by attaching that buzzword to it, that would increase sales? :) Nevermind that clouds contain nothing but vapor. Ken Matlock Network Analyst Exempla Healthcare (303) 467-4671 matlo...@exempla.org -Original Message- From: Nick Hilliard [mailto:n...@foobar.org] Sent: Monday, October 18, 2010 8:14 AM To: Brandon Kim Cc: nanog@nanog.org Subject: Re: Pica8 - Open Source Cloud Switch On 18/10/2010 14:27, Brandon Kim wrote: Good question Nick, what is a cloud switch? Is this like VSS in cisco where you have a virtual chassis? The vss is virtual management software for a virtual switch. This box looks like a piece of hardware that you can plug things into, so I'm just wondering what makes this a cloud switch and some other piece of kit not a cloud switch. Nick
Re: Co-Lo and Connectivity options in Kuwait
On Thu, Oct 14, 2010 at 07:34:18PM +0100, Rod Beck wrote: Good luck. The Middle East is generally a horror. Prices are sky high. i was generally happy with my co-lo with etisalat in Dubai. that would also provide connectivity to kuwait and other places in the region as etisalat/emix seem to be pretty core to the connectivity in the middle east. email me if you need help working your way through their maze. --jim Roderick S. Beck Director of European Sales Hibernia Atlantic Budapest, New York, and Paris -Original Message- From: Dylan Ebner [mailto:dylan.eb...@crlmed.com] Sent: Thu 10/14/2010 3:53 PM To: nanog@nanog.org Subject: Co-Lo and Connectivity options in Kuwait Does anyone have any experience with Co-lo and connectivity in Kuwait. This would be my first time deploying in the middle east. Any advice, experiences anyone wishes to share is welcome. Thanks Dylan Ebner -- Jim Mercer j...@reptiles.org +1 416 410-5633 You are more likely to be arrested as a terrorist than you are to be blown up by one. -- Dianora
Re: Only 5x IPv4 /8 remaining at IANA
On 10/18/10 5:16 AM, ML wrote: And +1 on the pioneers comment too. Paul. IPv6 Hipsters..Doing it before it was cool. Late to the party... The hipsters have already moved on having grown bored with their v6 deployments around 2004.
RE: Pica8 - Open Source Cloud Switch
Has our industry ever really fundamentally defined what is cloud computing? Even though MPLS is sort of a buzzword too, we can define it, how it works, its protocol and such... But cloud computing? Subject: RE: Pica8 - Open Source Cloud Switch Date: Mon, 18 Oct 2010 08:26:29 -0600 From: matlo...@exempla.org To: n...@foobar.org; brandon@brandontek.com CC: nanog@nanog.org Because 'cloud computing' is the latest buzzword, and their marketing department thought that by attaching that buzzword to it, that would increase sales? :) Nevermind that clouds contain nothing but vapor. Ken Matlock Network Analyst Exempla Healthcare (303) 467-4671 matlo...@exempla.org -Original Message- From: Nick Hilliard [mailto:n...@foobar.org] Sent: Monday, October 18, 2010 8:14 AM To: Brandon Kim Cc: nanog@nanog.org Subject: Re: Pica8 - Open Source Cloud Switch On 18/10/2010 14:27, Brandon Kim wrote: Good question Nick, what is a cloud switch? Is this like VSS in cisco where you have a virtual chassis? The vss is virtual management software for a virtual switch. This box looks like a piece of hardware that you can plug things into, so I'm just wondering what makes this a cloud switch and some other piece of kit not a cloud switch. Nick
Re: Pica8 - Open Source Cloud Switch
But cloud computing? Yes, it is distributed high performance computing on a rainy day with a 99% chance of marketing hype and a 100% chance of non interoperability between clouds ... forecast may vary in your area. -J
Re: Only 5x IPv4 /8 remaining at IANA
Hello, ML wrote: IPv6 Hipsters..Doing it before it was cool. I'm afraid I'm still doing it before it's cool. )-; -- Aleksi Suhonen () ascii ribbon campaign /\ support plain text e-mail
Re: [Nanog] Re: 12 years ago today...
On 10/18/2010 08:03 AM, Will Hargrave wrote: I can recommend Where Wizards Stay Up Late by Katie Hafner http://www.amazon.com/Where-Wizards-Stay-Up-Late/dp/0684832674 A really good read IMHO. An excellent read, highly recommended! Also check out Steven Levy's Hackers. It goes a bit beyond the Internet, but the first part is definitely relevant. I would love to see an actual documentary put together, though. Surely there has to be footage out there of the early days. Will -- Jason 'XenoPhage' Frisvold xenoph...@godshell.com -- Any sufficiently advanced magic is indistinguishable from technology. - Niven's Inverse of Clarke's Third Law
RE: Pica8 - Open Source Cloud Switch
-Original Message- From: Brandon Kim Sent: Monday, October 18, 2010 7:58 AM Cc: nanog@nanog.org Subject: RE: Pica8 - Open Source Cloud Switch Has our industry ever really fundamentally defined what is cloud computing? Even though MPLS is sort of a buzzword too, we can define it, how it works, its protocol and such... But cloud computing? My take on cloud computing is simply the provisioning of servers or virtual servers (say, VMWare or KVM) on the fly as needed. So you would have a pool of servers. When load for one application rises, more servers for that application are taken from the pool and added to the mix as needed. When load drops, those instances are removed from the rotation handling that application and returned to the pool of free (virtual) servers. Providers of network gear have been working on applications that monitor the gear in the application delivery path (e.g. metrics on load balancers) and automatically deploy instances as needed to handle that application. This would be more of interest to providers of bursty applications where they might have high load sometimes but a relatively low base load. It could also be of interest to people who serve customers in different time zones, such as the US and Europe where the US application can be turned down at night and an application serving Europe loaded up during their business day. It could also be of interest for someone who is expecting a temporary surge of activity. It leads, though, to a completely different kind of attack called the denial of sustainability attack where a cloud-based provider is hit with a flood of legitimate transactions causing the cloud management to kick in more servers to handle the additional load. If that cloud is rented, a content provider could be hit with a huge bill.
Re: Only 5x IPv4 /8 remaining at IANA
Uh that would be 12 left -- 7 general distribution and 5 reserved for the global end allocation policy. That's 5%, not 5 /8s. Owen On Oct 18, 2010, at 4:44 AM, Jeroen Massar wrote: APNIC just got another IPv4 /8 thus only 5 left: http://www.nro.net/media/remaining-ipv4-address-below-5.html (And the spammers will take the rest...) So, if your company is not doing IPv6 yet, you really are really getting late now. Greets, Jeroen (PS: There seems to be a trend for people calling themselves IPv6 Pioneers as they recently did something with IPv6, if you didn't play in the 6bone/early-RIR allocs you are not a pioneer as you are 10 years late)
Re: Only 5x IPv4 /8 remaining at IANA
On Oct 18, 2010, at 5:28 AM, Curtis Maurand wrote: On 10/18/2010 8:16 AM, ML wrote: And +1 on the pioneers comment too. Paul. IPv6 Hipsters..Doing it before it was cool. IPV4 -easy(); IPV6-really().Really().Difficult(); Have you done IPv6? I have... It's not even difficult(), let alone really().Really().Difficult(). Owen
Re: Only 5x IPv4 /8 remaining at IANA
If you aren't telling your existing vendors that you need IPv6 now, you need to be. If your vendors aren't getting the message, it's well past time to take action and start looking for other vendors. Owen On Oct 18, 2010, at 6:15 AM, Jeffrey Lyon wrote: I'll listen, but I need my vendors, carriers, etc. to all get on board first. Jeff On Mon, Oct 18, 2010 at 5:11 PM, Jens Link li...@quux.de wrote: Jeroen Massar jer...@unfix.org writes: So, if your company is not doing IPv6 yet, you really are really getting late now. They won't listen. Jens -- - | Foelderichstr. 40 | 13595 Berlin, Germany| +49-151-18721264 | | http://blog.quux.de | jabber: jensl...@guug.de | --- | - -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: [Nanog] Re: 12 years ago today...
Greetings, On Mon, 18 Oct 2010, Jason 'XenoPhage' Frisvold wrote: On 10/18/2010 08:03 AM, Will Hargrave wrote: I can recommend Where Wizards Stay Up Late by Katie Hafner http://www.amazon.com/Where-Wizards-Stay-Up-Late/dp/0684832674 A really good read IMHO. An excellent read, highly recommended! Also check out Steven Levy's Hackers. It goes a bit beyond the Internet, but the first part is definitely relevant. I would love to see an actual documentary put together, though. Surely there has to be footage out there of the early days. I have video footage of the ANS / NSFnet NOC in the days of the T1 and T3 NSFnet. Also have many early network maps of NSFnet. And stored away in my collection are 9 of the IBM RT's that were used in the T1 NSFnet, some still with their original software and configurations, along with all the Token Ring gear and cables. One of these RT's was the software development machine used by Merit to develop rcp-routed, with all the source code still on the hard drive. And hanging on my wall in my office is the backdrop used in a promotional video (when ANS was bidding for the T3-NSFnet grant). This consisted of a view of mostly the Northern hemisphere, with blinky lights, and arrows, and lines showing the first T3 link between Ann Arbor and Virginia(?). I know of one other ex-ANS employee who collected old hardware and documentation, as well. Guess we both figured it was something that shouldn't be lost to the dumpster... --- Jay Nugent | Jay Nugent j...@nuge.com (734)484-5105 (734)649-0850/Cell | Nugent Telecommunications [www.nuge.com] | Internet Consulting/Linux SysAdmin/Engineering Design/ISP Reseller | ISP Monitoring [www.ispmonitor.org] ISP Modem Performance Monitoring | Web-Pegasus [www.webpegasus.com] Web Hosting/DNS Hosting/Shell Accts | 11:01am up 40 days, 19:11, 3 users, load average: 0.64, 0.20, 0.13
Re: Only 5x IPv4 /8 remaining at IANA
* Owen DeLong o...@delong.com [2010-10-18 17:27]: Have you done IPv6? I have... It's not even difficult(), let alone really().Really().Difficult(). maybe not from a user's standpoint (that comes later when it misbehaves again). from an implementor's (I have written a lot of kernel-side networking code and networking related daemons, including a full-blown bgpd, and that unfortunately included having to deal with v6) viewpoint - IPv6 is a disaster. Why people take up that crap is beyond me, instead of working on a viable alternative that doesn't suck. Which is certainly possible. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting
Re: Only 5x IPv4 /8 remaining at IANA
Owen, He did not display the return values of these functions. I think his IPv6 one returns FALSE; - Jared On Oct 18, 2010, at 11:18 AM, Owen DeLong wrote: On Oct 18, 2010, at 5:28 AM, Curtis Maurand wrote: On 10/18/2010 8:16 AM, ML wrote: And +1 on the pioneers comment too. Paul. IPv6 Hipsters..Doing it before it was cool. IPV4 -easy(); IPV6-really().Really().Difficult(); Have you done IPv6? I have... It's not even difficult(), let alone really().Really().Difficult(). Owen
Re: Only 5x IPv4 /8 remaining at IANA
On Oct 18, 2010, at 11:35 AM, Henning Brauer wrote: * Owen DeLong o...@delong.com [2010-10-18 17:27]: Have you done IPv6? I have... It's not even difficult(), let alone really().Really().Difficult(). maybe not from a user's standpoint (that comes later when it misbehaves again). from an implementor's (I have written a lot of kernel-side networking code and networking related daemons, including a full-blown bgpd, and that unfortunately included having to deal with v6) viewpoint - IPv6 is a disaster. Why people take up that crap is beyond me, instead of working on a viable alternative that doesn't suck. Which is certainly possible. Most of that junk can honestly be ignored. :) - Jared
RE: Only 5x IPv4 /8 remaining at IANA
-Original Message- From: Henning Brauer Sent: Monday, October 18, 2010 8:36 AM To: nanog@nanog.org Subject: Re: Only 5x IPv4 /8 remaining at IANA instead of working on a viable alternative that doesn't suck. Which is certainly possible. I would say that at this point it is too late to resist v6 deployment but it might be a good time to work on the next thing and use v6 as an example of how not to do it next time. It certainly is going to present some security challenges for some folks, particularly the ones that have been using dynamic nat pools to, in effect, block inbound connections. Firewall vendors are going to see a windfall from v6, I think. G
RE: Pica8 - Open Source Cloud Switch
George: Nice answer. Do you think cloud services is based on an oversubscription model? Where they hope those who purchase servers don't actually max them out memory/CPU wise? Do you also believe that cloud services should never have any downtime? To me, cloud services is synonymous with redundancy Subject: RE: Pica8 - Open Source Cloud Switch Date: Mon, 18 Oct 2010 08:17:09 -0700 From: gbon...@seven.com To: brandon@brandontek.com CC: nanog@nanog.org -Original Message- From: Brandon Kim Sent: Monday, October 18, 2010 7:58 AM Cc: nanog@nanog.org Subject: RE: Pica8 - Open Source Cloud Switch Has our industry ever really fundamentally defined what is cloud computing? Even though MPLS is sort of a buzzword too, we can define it, how it works, its protocol and such... But cloud computing? My take on cloud computing is simply the provisioning of servers or virtual servers (say, VMWare or KVM) on the fly as needed. So you would have a pool of servers. When load for one application rises, more servers for that application are taken from the pool and added to the mix as needed. When load drops, those instances are removed from the rotation handling that application and returned to the pool of free (virtual) servers. Providers of network gear have been working on applications that monitor the gear in the application delivery path (e.g. metrics on load balancers) and automatically deploy instances as needed to handle that application. This would be more of interest to providers of bursty applications where they might have high load sometimes but a relatively low base load. It could also be of interest to people who serve customers in different time zones, such as the US and Europe where the US application can be turned down at night and an application serving Europe loaded up during their business day. It could also be of interest for someone who is expecting a temporary surge of activity. 
It leads, though, to a completely different kind of attack called the denial of sustainability attack where a cloud-based provider is hit with a flood of legitimate transactions causing the cloud management to kick in more servers to handle the additional load. If that cloud is rented, a content provider could be hit with a huge bill.
Re: Pica8 - Open Source Cloud Switch
On Mon, 18 Oct 2010 13:21:29 +0100 Nick Hilliard n...@foobar.org wrote: On 18/10/2010 12:25, Lin Pica8 wrote: We are starting to distribute Pica8 Open Source Cloud Switches : Sounds interesting. What chipset does this run on? Also, what's a cloud switch? Is this a switch which forwards L2 traffic, or did I miss something? Cloud is the new mainframe i.e. it's running somewhere else ... And the Emperor is naked ... ;-)
Re: Pica8 - Open Source Cloud Switch
How does it compare to the OpenFlow design ideas? Djamel On Mon, Oct 18, 2010 at 11:26 AM, Matlock, Kenneth L matlo...@exempla.org wrote: Because 'cloud computing' is the latest buzzword, and their marketing department thought that by attaching that buzzword to it, that would increase sales? :) Nevermind that clouds contain nothing but vapor. Ken Matlock Network Analyst Exempla Healthcare (303) 467-4671 matlo...@exempla.org -Original Message- From: Nick Hilliard [mailto:n...@foobar.org] Sent: Monday, October 18, 2010 8:14 AM To: Brandon Kim Cc: nanog@nanog.org Subject: Re: Pica8 - Open Source Cloud Switch On 18/10/2010 14:27, Brandon Kim wrote: Good question Nick, what is a cloud switch? Is this like VSS in cisco where you have a virtual chassis? The vss is virtual management software for a virtual switch. This box looks like a piece of hardware that you can plug things into, so I'm just wondering what makes this a cloud switch and some other piece of kit not a cloud switch. Nick
Re: Enterprise DNS providers
I haven't used UltraDNS, but given some of their unsavory sales tactics, I'm pretty biased against them. They spend awhile spamming people, and calling up CTOs. seph Jeffrey Lyon jeffrey.l...@blacklotus.net writes: We're using Afilias now, we had nothing short of a horrendous experience dealing with Neustar / UltraDNS and their uninformed, blood hungry sales team. Best regards, Jeff On Mon, Oct 18, 2010 at 9:23 AM, Jonas Björklund jo...@bjorklund.cn wrote: On Sat, 16 Oct 2010, Ken Gilmour wrote: Hello any weekend workers :) We are looking at urgently deploying an outsourced DNS provider for a critical domain which is currently unavailable but are having some difficulty. I've tried contacting UltraDNS who only allow customers from US / Canada to sign up (we are in Malta) and their Sales dept are closed, and Easy DNS who don't have .com.mt as an option in the dropdown for transferring domain names (and also support is closed). I have worked for one of the biggest poker networks and we used UltraDNS. The company was first operated from Sweden and later Austria. /Jonas -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: Only 5x IPv4 /8 remaining at IANA
On 10/18/10 8:35 AM, Henning Brauer wrote: * Owen DeLong o...@delong.com [2010-10-18 17:27]: Have you done IPv6? I have... It's not even difficult(), let alone really().Really().Difficult(). maybe not from a users standpoint (that comes later when it misbehaves again). from an implementors (I have written a lot of kernel-side networking code and networking related daemons, including a full-blown bgpd, and that unfortunately included having to deal with v6) viewpoint - IPv6 is a disaster. Why people take up that crap is beyond me, instead of working on a viable alternative that doesn't suck. Which is certainly possible. Wait, an OpenBSD developer that thinks everyone else's work is crap? Shocking... I encourage you to build and deploy your viable alternative... thanks joel
Re: Pica8 - Open Source Cloud Switch
George: Nice answer. Do you think cloud services is based on an oversubscription model? Where they hope those who purchase servers don't actually max them out memory/CPU wise? Do you also believe that cloud services should never have any downtime? To me, cloud services is synonymous with redundancy That's an interesting question, and really points more to the fact that cloud is rather poorly defined. For example, consider the T-Mobile Sidekick Danger server crash/disaster. This is frequently pointed to as a failure of the cloud, but in reality, it appears to have been trusting data to a company that wasn't exercising proper care in maintaining its servers. People glommed onto the concept that it was a failure of the cloud. However, one could argue that quite often, anytime something magically disappears into a part of the Internet we don't have physical control over... I've been toying with defining cloud in a different direction. We have dedicated servers. You get a 10 GHz 24-core CPU with 1TB of RAM. That's pretty clear and familiar to server geeks. We have virtual servers. You get (up to) M GHz and N cores of that same machine. Oversubscription is possible, but not required. In many cases, oversubscription is desirable because that's where the capex and opex savings of less hardware comes in. In both those cases, we get tied up in the specifics of hertz and cores and amount of memory. In the virtual server case, we make some progress towards a model where a VM could be migrated around onto more suitable hardware. This is useful for allowing the proper sizing of a virtual server, for redundancy, upgrades, etc. It seems, though, that ultimately what people seem to be thinking of when they think of the cloud, is the ability to just have stuff run without necessarily having to worry so much about the details. In some cases, they're looking for redundancy, or reliability. 
In many cases, they just want something to be out there without so much effort on their part. They want it to run fast if it gets busy, and don't care if the CPU is oversubscribed ... as long as they can get what they're paying for when they need it. I don't think cloud service purchasers will ultimately be that interested in worrying about whether they max out memory/CPU. I think they don't want to have to worry about it too much, though they probably want to be protected from bill shock. That means a model where their server might actually be hosted on a large host with a few hundred other mostly idle VM's, when their VM is idle, and then get migrated onto other hardware if demand spiked. We have technology that can even power on additional host hardware, so there are ways to save on power/cooling during non-peak times. I think you'd find such models are harder to implement if you're too focused on the evil of oversubscription. I think what you want to avoid are providers who are unable to maintain sufficient spare capacity to cope with peak demand. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again. - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.
Re: Only 5x IPv4 /8 remaining at IANA
I'm wondering how long it'll be until HE starts spamming their IPv6 service... Tim Burke (815) 556-2000 Sent from my iPhone On Oct 18, 2010, at 6:44, Jeroen Massar jer...@unfix.org wrote: APNIC just got another IPv4 /8 thus only 5 left: http://www.nro.net/media/remaining-ipv4-address-below-5.html (And the spammers will take the rest...) So, if your company is not doing IPv6 yet, you really are really getting late now. Greets, Jeroen (PS: There seems to be a trend for people calling themselves IPv6 Pioneers as they recently did something with IPv6, if you didn't play in the 6bone/early-RIR allocs you are not a pioneer as you are 10 years late)
Re: Only 5x IPv4 /8 remaining at IANA
On Mon, 18 Oct 2010 08:18:57 -0700 Owen DeLong o...@delong.com wrote: On Oct 18, 2010, at 5:28 AM, Curtis Maurand wrote: On 10/18/2010 8:16 AM, ML wrote: And +1 on the pioneers comment too. Paul. IPv6 Hipsters..Doing it before it was cool. IPV4 -easy(); IPV6-really().Really().Difficult(); Have you done IPv6? I have... It's not even difficult(), let alone really().Really().Difficult(). A lot of things are hard if you've never dealt with anything else. If, OTOH, you'd dealt with IPX or Appletalk before IPv4, then IPv4 was quite hard (why the complexity?! I do know now, but only after having looked into the history of IPv4 - it's just a series of neat hacks!) ... Regards, Mark.
Re: Only 5x IPv4 /8 remaining at IANA
On Oct 18, 2010, at 8:47 AM, George Bonser wrote: -Original Message- From: Henning Brauer Sent: Monday, October 18, 2010 8:36 AM To: nanog@nanog.org Subject: Re: Only 5x IPv4 /8 remaining at IANA instead of working on a viable alternative that doesn't suck. Which is certainly possible. I would say that at this point it is too late to resist v6 deployment but it might be a good time to work on the next thing and use v6 as an example of how not to do it next time. It certainly is going to present some security challenges for some folks, particularly the ones that have been using dynamic nat pools to, in effect, block inbound connections. Firewall vendors are going to see a windfall from v6, I think. G Nobody is using dynamic nat pools to block inbound connections. Many people are using dynamic NAT on top of stateful inspection where stateful inspection blocks inbound connections. The good news is that stateful inspection doesn't go away in IPv6. It works just fine. All that goes away is the header mangling. It's really unfortunate that most people don't understand the distinction. If they did, it would help them to realize that NAT doesn't actually do anything for security, it just helps with address conservation (although it has some limits there, as well). IPv6 with SI is no less secure than IPv4 with SI+NAT. If you're worried about address and/or topological obfuscation, then, IPv6 offers you privacy addresses with rotating numbers. However, that's more a privacy issue than a security issue, unless you believe in the idea of security through obscurity which is pretty well proven false. Owen
RE: Definitive Guide to IPv6 adoption
This 'get a /32' BAD ADVICE has got to stop. There are way too many people trying to force fit their customers into a block that is intended for a start-up with ZERO customers. Develop a plan for /48 per customer, then go to ARIN and get that size block. Figure out exactly what you are going to assign to customers later, but don't tie your hands by asking for a block that is way too small to begin with. Any ISP with more than 30k customers SHOULD NOT have a /32, and if they got one either trade it in or put it in a lab and get a REAL block. Tony -Original Message- From: Brandon Kim [mailto:brandon@brandontek.com] Sent: Saturday, October 16, 2010 1:59 PM To: nanog@nanog.org Subject: RE: Definitive Guide to IPv6 adoption Thanks everyone who responded. This list is such a valuable wealth of information. Apparently I was wrong about the /64 as that should be /32 so thanks for that correction Thanks again especially on a Saturday weekend! From: rdobb...@arbor.net To: nanog@nanog.org Date: Sat, 16 Oct 2010 16:09:43 + Subject: Re: Definitive Guide to IPv6 adoption On Oct 16, 2010, at 10:56 PM, Joel Jaeggli wrote: Then move on to the Internet which as with most things is where the most current if not helpful information resides. Eric Vyncke's IPv6 security book is definitely worthwhile, as well, in combination with Schudel & Smith's infrastructure security book (the latter isn't IPv6-specific, but is the best book out there on infrastructure security): http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945 http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365 - -- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar.
RE: Only 5x IPv4 /8 remaining at IANA
Owen DeLong wrote: ... It's really unfortunate that most people don't understand the distinction. If they did, it would help them to realize that NAT doesn't actually do anything for security, it just helps with address conservation (although it has some limits there, as well). Actually nat does something for security, it decimates it. Any 'real' security system (physical, technology, ...) includes some form of audit trail. NAT explicitly breaks any form of audit trail, unless you are the one operating the header mangling device. Given that there is no limit to the number of nat devices along a path, there can be no limit to the number of people operating them. This means there is no audit trail, and therefore NO SECURITY. IPv6 with SI is no less secure than IPv4 with SI+NAT. If you're worried about address and/or topological obfuscation, then, IPv6 offers you privacy addresses with rotating numbers. However, that's more a privacy issue than a security issue, unless you believe in the idea of security through obscurity which is pretty well proven false. A different way to look at this is less about obscurity, and more about reducing your overall attack surface. A node using a temporal address is vulnerable while that address is live, but as soon as it is released that attack vector goes away. Attackers that harvest addresses through the variety of transactions that a node may conduct will have a limited period of time to try to exploit that. This is not to say that you don't want stateful controls, just that if something inside the stateful firewall has been compromised there will be a limited period of time to use the dated knowledge. Tony
Re: Definitive Guide to IPv6 adoption
Unfortunately, it is not as easy as that in practice. I recently worked with a customer that has ~60,000 customers currently. We tried to get a larger block, but were denied. ARIN said they would only issue a /32, unless immediate usage could be shown that required more than that. Their guidelines also state /56 for end-users. I am a big proponent of nibble boundaries, too. I think if you are too big to use only a /32, you should get a /28, /24, and so forth. It would make routing so much nicer to deal with. /31 and such is just nasty. -Randy -- | Randy Carpenter | Vice President, IT Services | Red Hat Certified Engineer | First Network Group, Inc. | (419)739-9240, x1 - Original Message - This 'get a /32' BAD ADVICE has got to stop. There are way too many people trying to force fit their customers into a block that is intended for a start-up with ZERO customers. Develop a plan for /48 per customer, then go to ARIN and get that size block. Figure out exactly what you are going to assign to customers later, but don't tie your hands by asking for a block that is way too small to begin with. Any ISP with more than 30k customers SHOULD NOT have a /32, and if they got one either trade it in or put it in a lab and get a REAL block. Tony -Original Message- From: Brandon Kim [mailto:brandon@brandontek.com] Sent: Saturday, October 16, 2010 1:59 PM To: nanog@nanog.org Subject: RE: Definitive Guide to IPv6 adoption Thanks everyone who responded. This list is such a valuable wealth of information. Apparently I was wrong about the /64 as that should be /32 so thanks for that correction Thanks again especially on a Saturday weekend! From: rdobb...@arbor.net To: nanog@nanog.org Date: Sat, 16 Oct 2010 16:09:43 + Subject: Re: Definitive Guide to IPv6 adoption On Oct 16, 2010, at 10:56 PM, Joel Jaeggli wrote: Then move on to the Internet which as with most things is where the most current if not helpful information resides. 
Eric Vyncke's IPv6 security book is definitely worthwhile, as well, in combination with Schudel & Smith's infrastructure security book (the latter isn't IPv6-specific, but is the best book out there on infrastructure security): http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945 http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365 - -- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar.
Re: Definitive Guide to IPv6 adoption
On Oct 18, 2010, at 9:33 AM, Tony Hain wrote: This 'get a /32' BAD ADVICE has got to stop. There are way too many people trying to force fit their customers into a block that is intended for a start-up with ZERO customers. +1 Develop a plan for /48 per customer, then go to ARIN and get that size block. Figure out exactly what you are going to assign to customers later, More accurately... A /48 per customer end-site... but don't tie your hands by asking for a block that is way too small to begin with. Any ISP with more than 30k customers SHOULD NOT have a /32, and if they got one either trade it in or put it in a lab and get a REAL block. But otherwise, yes, Tony is right. Owen
Re: Definitive Guide to IPv6 adoption
On 10/18/10 9:33 AM, Tony Hain wrote: This 'get a /32' BAD ADVICE has got to stop. There are way too many people trying to force fit their customers into a block that is intended for a start-up with ZERO customers. Develop a plan for /48 per customer, then go to ARIN and get that size block. Develop a plan, consider the prior art, consider the possibility that you might deploy 6rd, consider what your peers are doing, consider the projections for your business. Go to arin with a request that meets your current and anticipated needs and that is defensible. don't decide without thinking it through that you're assigning a customer a /64 a /60 a /56 or even /48. this should be defensible as part of a business plan, otherwise what's the point? Figure out exactly what you are going to assign to customers later, but don't tie your hands by asking for a block that is way too small to begin with. Any ISP with more than 30k customers SHOULD NOT have a /32, and if they got one either trade it in or put it in a lab and get a REAL block. Tony -Original Message- From: Brandon Kim [mailto:brandon@brandontek.com] Sent: Saturday, October 16, 2010 1:59 PM To: nanog@nanog.org Subject: RE: Definitive Guide to IPv6 adoption Thanks everyone who responded. This list is such a valuable wealth of information. Apparently I was wrong about the /64 as that should be /32 so thanks for that correction Thanks again especially on a Saturday weekend! From: rdobb...@arbor.net To: nanog@nanog.org Date: Sat, 16 Oct 2010 16:09:43 + Subject: Re: Definitive Guide to IPv6 adoption On Oct 16, 2010, at 10:56 PM, Joel Jaeggli wrote: Then move on to the Internet which as with most things is where the most current if not helpful information resides. 
Eric Vyncke's IPv6 security book is definitely worthwhile, as well, in combination with Schudel & Smith's infrastructure security book (the latter isn't IPv6-specific, but is the best book out there on infrastructure security): http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945 http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365 - -- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar.
Re: Definitive Guide to IPv6 adoption
On 10/18/2010 11:47 AM, Randy Carpenter wrote: Unfortunately, it is not as easy as that in practice. I recently worked with a customer that has ~60,000 customers currently. We tried to get a larger block, but were denied. ARIN said they would only issue a /32, unless immediate usage could be shown that required more than that. Their guidelines also state /56 for end-users. I am a big proponent of nibble boundaries, too. I think if you are too big to use only a /32, you should get a /28, /24, and so forth. It would make routing so much nicer to deal with. /31 and such is just nasty. ARIN does reservations (unsure at what length, but at least down to /31). If you were to fill the /32 quickly, you could easily request the next block. To my knowledge, they've only handed out 1 or 2 networks shorter than /32. Correct me if I'm wrong, but isn't 60,000 customers at /56 2^24 assignments from a /32? Seems plenty. Even at /48 assignments, you'd get 65,536 assignments. So how can you justify more than a /32? Jack
Re: Only 5x IPv4 /8 remaining at IANA
How do you want to do that without IPv6 connectivity? :-) -Jonas On Monday, 18.10.2010 at 18:42 +0430, Jeffrey Lyon wrote: Only if you're prepared for the bloody onslaught of DDoS. Jeff On Mon, Oct 18, 2010 at 6:27 PM, Patrick W. Gilmore patr...@ianai.net wrote: On Oct 18, 2010, at 9:39 AM, Jeffrey Lyon wrote: My clients can't use IPv6 when my infrastructure and carriers don't support it. Smells like a business opportunity to steal your customers. Thanx! -- TTFN, patrick On Mon, Oct 18, 2010 at 5:52 PM, Franck Martin fra...@genius.com wrote: Nah... Get IPv6 for your clients today, think about your servers for later... Then you will be able to ask all the right questions and apply the right pressure to your vendors, carriers, etc - Original Message - From: Jeffrey Lyon jeffrey.l...@blacklotus.net To: Jens Link li...@quux.de Cc: nanog@nanog.org Sent: Tuesday, 19 October, 2010 1:15:16 AM Subject: Re: Only 5x IPv4 /8 remaining at IANA I'll listen, but I need my vendors, carriers, etc. to all get on board first. Jeff On Mon, Oct 18, 2010 at 5:11 PM, Jens Link li...@quux.de wrote: Jeroen Massar jer...@unfix.org writes: So, if your company is not doing IPv6 yet, you really are really getting late now. They won't listen. -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions
Re: Definitive Guide to IPv6 adoption
On 10/18/2010 11:45 AM, Owen DeLong wrote: More accurately... A /48 per customer end-site... Define end-site. Residential customers, for example, don't need more than a /56. More would just be obscene. Most small businesses don't need more than a /56 either, especially if you are breaking them up into different sites (versus assigning a /48 to customer and dividing that block up to different sites). Jack
Re: 12 years ago today...
On Mon, 18 Oct 2010 13:03:54 +0100 Will Hargrave w...@harg.net wrote: On 16/10/10 10:02, Warren Bailey wrote: While we are on the subject of the godfathers of the Internet, when is a documentary coming out that tells the story? There was a really long documentary done on the BBS, surely someone (myself included) would find it interesting. I can recommend Where Wizards Stay Up Late by Katie Hafner http://www.amazon.com/Where-Wizards-Stay-Up-Late/dp/0684832674 A really good read IMHO. As is RFC2468 (Who do we appreciate!) - I REMEMBER IANA Will
[NANOG-announce] NANOG 51 Call For Presentations now open
Folks, Please take a look at the NANOG 51 Call For Presentations (http://nanog.org/meetings/nanog51/callforpresent.php): The North American Network Operators' Group (NANOG) will hold its 51st meeting in Miami on January 30 to February 2, 2011. NANOG51 (http://nanog.org/meetings/nanog51/index.php) will be hosted by Terremark (http://www.terremark.com/). The NANOG Program Committee is now seeking proposals for presentations, panels, tutorials, tracks sessions, and keynote materials for the NANOG51 program. We invite presentations highlighting issues relating to technology already deployed or soon-to-be deployed in the Internet. Vendors are encouraged to work with operators to present real-world deployment experiences with the vendor's products and interoperability. NANOG51 submissions are welcome at http://pc.nanog.org. Acceptance notifications for NANOG51 will be sent by the Program Committee starting December 9, 2010, and will continue through January 13, 2011. Time to start thinking about the talk(s) you want to give in Miami! Thanks, Dave
Re: Definitive Guide to IPv6 adoption
On 10/18/10 10:10 AM, Jack Bates wrote: On 10/18/2010 11:45 AM, Owen DeLong wrote: More accurately... A /48 per customer end-site... Define end-site. Residential customers, for example, don't need more than a /56. This is a matter of opinion not gospel. larger, this size, or smaller needs to be justified by your deployment plan. More would just be obscene. Most small businesses don't need more than a /56 either, especially if you are breaking them up into different sites (versus assigning a /48 to customer and dividing that block up to different sites). business customers can and will do whatever is necessary to support their model. I have sought and received a /43 direct assignment for a business with multiple sites. I have no trouble imagining that my upstreams would accommodate requests for PA /48s for each location as well. joel Jack
Re: Enterprise DNS providers
Working with a previous client about 1.5 years ago, we asked Dyn and UltraDNS to send proposals over. UltraDNS was 3x the Dyn quote, and we were satisfied from personal experience with Dyn before. When I explained to the UltraDNS rep why we went with Dyn, they said, "Oh, I thought you were looking for an enterprise provider." Another vendor I don't plan on ever using (or even considering) again. On Mon, Oct 18, 2010 at 11:03 AM, seph s...@directionless.org wrote: I haven't used UltraDNS, but given some of their unsavory sales tactics, I'm pretty biased against them. They spend awhile spamming people, and calling up CTOs. seph Jeffrey Lyon jeffrey.l...@blacklotus.net writes: We're using Afilias now, we had nothing short of a horrendous experience dealing with Neustar / UltraDNS and their uninformed, blood hungry sales team. Best regards, Jeff On Mon, Oct 18, 2010 at 9:23 AM, Jonas Björklund jo...@bjorklund.cn wrote: On Sat, 16 Oct 2010, Ken Gilmour wrote: Hello any weekend workers :) We are looking at urgently deploying an outsourced DNS provider for a critical domain which is currently unavailable but are having some difficulty. I've tried contacting UltraDNS who only allow customers from US / Canada to sign up (we are in Malta) and their Sales dept are closed, and Easy DNS who don't have .com.mt as an option in the dropdown for transferring domain names (and also support is closed). I have worked for one of the biggest poker networks and we used UltraDNS. The company was first operated from Sweden and later Austria. /Jonas -- Jeffrey Lyon, Leadership Team jeffrey.l...@blacklotus.net | http://www.blacklotus.net Black Lotus Communications - AS32421 First and Leading in DDoS Protection Solutions -- Brandon Galbraith US Voice: 630.492.0464
Re: network name 101100010100110.net
On October 17, 2010 at 20:24 j...@nethead.com (Joe Hamelin) wrote: That's why 3M registered mmm.com back in 1988. When BU joined the internet and promptly brought down about a third of it with their host table entries one of the problems was a host named 3b (.bu.edu, it was an ATT 3B5) which caused a 4bsd script to go into an infinite loop filling roots (/tmp) which back then crashed systems. Also, one-letter hostnames (a.bu.edu as an alias for bucsa.bu.edu, etc.) I know because basically it was my fault. -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD | Dial-Up: US, PR, Canada Software Tool & Die | Public Access Internet | SINCE 1989 *oo*
Re: Enterprise DNS providers
On Sat, 16 Oct 2010, Ken Gilmour wrote: We are looking at urgently deploying an outsourced DNS provider for a critical domain which is currently unavailable but are having some difficulty. I've tried contacting UltraDNS who only allow customers from US / Canada to sign up (we are in Malta) and their Sales dept are closed, and Easy DNS who don't have .com.mt as an option in the dropdown for transferring domain names (and also support is closed). Just throwing my hat in the ring. DNSmadeEasy has handled my DNS traffic, both personal and professional, for several years with an uptime of 99.%* over 8 years of service (I've been with them for at least 4). Very honest, very responsive, great service, and very good pricing for an Enterprise Anycasted DNS network. Beckman * They were DDOSed recently with an enormous amount of traffic. First outage in their 8 year history. www.dnsmadeeasy.com --- Peter Beckman Internet Guy beck...@angryox.com http://www.angryox.com/ ---
RE: Only 5x IPv4 /8 remaining at IANA
-Original Message- From: Owen DeLong [mailto:o...@delong.com] Sent: Monday, October 18, 2010 9:25 AM To: George Bonser Cc: Henning Brauer; nanog@nanog.org Subject: Re: Only 5x IPv4 /8 remaining at IANA Nobody is using dynamic nat pools to block inbound connections. Many people are using dynamic NAT on top of stateful inspection where stateful inspection blocks inbound connections. The good news is that stateful inspection doesn't go away in IPv6. It works just fine. All that goes away is the header mangling. Exactly true but there are people out there who experience it as dynamic nat prevents inbound connections. And the extent to which state is inspected varies widely on different gear (is it just looking for an ACK flag to determine an established connection or is it making sure that at least one packet has gone in the other direction first?). At least with dynamic (overload) NAT, a packet had to travel in the opposite (outbound) direction in order to establish the NAT in the first place. Then with an established acl, the two things give you fairly decent assurance that things went as planned but are still not a substitute for packet inspection. It's really unfortunate that most people don't understand the distinction. Concur. IPv6 with SI is no less secure than IPv4 with SI+NAT. Yup, the difference is going to be the extent to which the state is inspected in various gear. Again, I believe firewall vendors are going to see a windfall here. And to address your comment in an email subsequent to this one about accounting, I wholeheartedly agree. NAT can make it much more difficult to find what is causing a problem or even who is talking to whom.
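The distinction raised above, between gear that only looks for an ACK flag and gear that checks a packet went out first, shown as an added example (not code from any poster or vendor). All names are hypothetical, the addresses come from the 2001:db8::/32 documentation prefix, and the six segments are constructed; NAT plays no part in either filter.

```python
from dataclasses import dataclass
from ipaddress import ip_address

INSIDE, OUTSIDE = "inside", "outside"   # interface the segment arrived on


@dataclass(frozen=True)
class Segment:
    arrived_on: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset


def seg(arrived_on, src, sport, dst, dport, flags):
    """Build a Segment; flags is a '+'-joined string such as 'SYN+ACK'."""
    return Segment(arrived_on, str(ip_address(src)), sport,
                   str(ip_address(dst)), dport, frozenset(flags.split("+")))


def established_acl(s):
    """Stateless 'established' rule: inbound passes if ACK or RST is set."""
    if s.arrived_on == INSIDE:
        return True
    return bool(s.flags & {"ACK", "RST"})


class StatefulFilter:
    """Minimal TCP state tracking: inbound passes only on a flow that an
    inside host opened. Timeouts and FIN teardown are left out."""

    def __init__(self):
        self.flows = {}   # (in_ip, in_port, out_ip, out_port) -> state

    def permit(self, s):
        if s.arrived_on == INSIDE:
            key = (s.src, s.sport, s.dst, s.dport)
            if key not in self.flows:
                if s.flags != {"SYN"}:      # a new flow must start with a bare SYN
                    return False
                self.flows[key] = "SYN_SENT"
            elif "RST" in s.flags:
                del self.flows[key]
            return True
        key = (s.dst, s.dport, s.src, s.sport)
        state = self.flows.get(key)
        if state is None:                   # nothing went out first: drop
            return False
        if "RST" in s.flags:
            del self.flows[key]
            return True
        if state == "SYN_SENT":
            if s.flags == {"SYN", "ACK"}:
                self.flows[key] = "ESTABLISHED"
                return True
            return False
        return "ACK" in s.flags


CLIENT, SERVER, OTHER = "2001:db8:1::10", "2001:db8:ffff::80", "2001:db8:eeee::1"

# Constructed traffic: a normal handshake, then two unsolicited inbound segments.
TRAFFIC = [
    seg(INSIDE, CLIENT, 50000, SERVER, 443, "SYN"),
    seg(OUTSIDE, SERVER, 443, CLIENT, 50000, "SYN+ACK"),
    seg(INSIDE, CLIENT, 50000, SERVER, 443, "ACK"),
    seg(OUTSIDE, SERVER, 443, CLIENT, 50000, "ACK+PSH"),
    seg(OUTSIDE, OTHER, 443, CLIENT, 50000, "ACK"),    # no matching flow
    seg(OUTSIDE, OTHER, 12345, CLIENT, 22, "SYN"),     # unsolicited connect
]


def compare(traffic):
    """Return one (acl_verdict, stateful_verdict) pair per segment."""
    fw = StatefulFilter()
    return [(established_acl(s), fw.permit(s)) for s in traffic]


if __name__ == "__main__":
    for s, (acl, sf) in zip(TRAFFIC, compare(TRAFFIC)):
        print(f"{s.arrived_on:8} {'+'.join(sorted(s.flags)):8} acl={acl} stateful={sf}")
```

The two filters agree on everything except the fifth segment: the flag check passes an ACK that belongs to no flow, and the state table drops it.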
Re: network name 101100010100110.net
Day, does anyone see any issues with this? Please, I strongly urge you to consider the ergonomics in question. That name is REALLY hard to read, spell, pronounce, type, recognize, etc. Agreed that there are no technical roadblocks, but again, please use common sense and choose something that doesn't make everybody's life more complicated. A domain name is something that sticks for many years and is of daily use in many many areas, and even more when it is for designating a transit ISP. my 2 cents, cl.
Re: Enterprise DNS providers
I have been quite happy with Dynect so far. They were very flexible on a number of items and the service has been great. On Mon, Oct 18, 2010 at 12:13 AM, Shacolby Jackson shaco...@bluejeansnet.com wrote: I have used UltraDNS before. They are decent. I am however evaluating Dynect (www.dyn.com) who are very popular with social media companies like Twitter. On Sun, Oct 17, 2010 at 11:17 PM, Ken Gilmour ken.gilm...@gmail.com wrote: On 18 October 2010 06:53, Jonas Björklund jo...@bjorklund.cn wrote: I have worked for one of the biggest poker networks and we used UltraDNS. The company was first operated from Sweden and later Austria. /Jonas I would tend to agree... I have also used UltraDNS in the past for other companies, however we needed them urgently and someone else responded faster and they seem to be doing a good job so far. Regards, Ken -- -- Darren Bolding -- -- dar...@bolding.org --
Re: Definitive Guide to IPv6 adoption
On Oct 18, 2010, at 9:47 AM, Randy Carpenter wrote: Unfortunately, it is not as easy as that in practice. I recently worked with a customer that has ~60,000 customers currently. We tried to get a larger block, but were denied. ARIN said they would only issue a /32, unless immediate usage could be shown that required more than that. Their guidelines also state /56 for end-users. I am a big proponent of nibble boundaries, too. I think if you are too big to use only a /32, you should get a /28, /24, and so forth. It would make routing so much nicer to deal with. /31 and such is just nasty. ARIN policy allows for a /48 per end user. There are guidelines included in the policy that allow for a /56 per end-user, but, they are explicitly called out as just guidelines, not policy. I am working on changing the ARIN policy (I've currently circulated a draft to some co-authors and expect to be posting it to pol...@arin.net and p...@arin.net within the next couple of weeks) along the lines you mention. I think that IPv4think is a largely temporary problem, but, it is a problem even at the RIRs. Owen -Randy -- | Randy Carpenter | Vice President, IT Services | Red Hat Certified Engineer | First Network Group, Inc. | (419)739-9240, x1 - Original Message - This 'get a /32' BAD ADVICE has got to stop. There are way too many people trying to force fit their customers into a block that is intended for a start-up with ZERO customers. Develop a plan for /48 per customer, then go to ARIN and get that size block. Figure out exactly what you are going to assign to customers later, but don't tie your hands by asking for a block that is way too small to begin with. Any ISP with more than 30k customers SHOULD NOT have a /32, and if they got one either trade it in or put it in a lab and get a REAL block. 
Tony -Original Message- From: Brandon Kim [mailto:brandon@brandontek.com] Sent: Saturday, October 16, 2010 1:59 PM To: nanog@nanog.org Subject: RE: Definitive Guide to IPv6 adoption Thanks everyone who responded. This list is such a valuable wealth of information. Apparently I was wrong about the /64 as that should be /32 so thanks for that correction Thanks again especially on a Saturday weekend! From: rdobb...@arbor.net To: nanog@nanog.org Date: Sat, 16 Oct 2010 16:09:43 + Subject: Re: Definitive Guide to IPv6 adoption On Oct 16, 2010, at 10:56 PM, Joel Jaeggli wrote: Then move on to the Internet which as with most things is where the most current if not helpful information resides. Eric Vyncke's IPv6 security book is definitely worthwhile, as well, in combination with Schudel Smith's infrastructure security book (the latter isn't IPv6-specific, but is the best book out there on infrastructure security): http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945 http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365 - -- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar.
Re: Definitive Guide to IPv6 adoption
On Oct 18, 2010, at 9:59 AM, Jack Bates wrote: On 10/18/2010 11:47 AM, Randy Carpenter wrote: Unfortunately, it is not as easy as that in practice. I recently worked with a customer that has ~60,000 customers currently. We tried to get a larger block, but were denied. ARIN said they would only issue a /32, unless immediate usage could be shown that required more than that. Their guidelines also state /56 for end-users. I am a big proponent of nibble boundaries, too. I think if you are too big to use only a /32, you should get a /28, /24, and so forth. It would make routing so much nicer to deal with. /31 and such is just nasty. ARIN does reservations (unsure at what length, but at least down to /31). If you were to fill the /32 quickly, you could easily request the next block. To my knowledge, they've only handed out 1 or 2 networks shorter than /32. Not any more... ARIN now uses allocation by bisection. Correct me if I'm wrong, but isn't 60,000 customers at /56 2^24 assignments from a /32? Seems plenty. Even at /48 assignments, you'd get 65,536 assignments. So how can you justify more than a /32? The customers should get /48s. The /56 guideline is merely that and only for the smallest of sites. It's also subsequently turned out to be bad advice. 60,000 customers may well be more than 65,536 end sites. Also, you need to leave room for numbering infrastructure, sizing POPs to prefixes, etc. It's much more complex than just number of customers = number of /48s. Unfortunately, current policy doesn't recognize that other than HD ratio. However, 60,000 customers each with a /48 would far exceed the .94 HD ratio requirement for larger than a /32. IIRC, under current policy it would justify a /30 or possibly a /29. Owen
Re: Definitive Guide to IPv6 adoption
On Oct 18, 2010, at 9:53 AM, Joel Jaeggli wrote: On 10/18/10 9:33 AM, Tony Hain wrote: This 'get a /32' BAD ADVICE has got to stop. There are way too many people trying to force fit their customers into a block that is intended for a start-up with ZERO customers. Develop a plan for /48 per customer, then go to ARIN and get that size block. Develop a plan, consider the prior art, consider the possibility that you might deploy 6rd, consider what your peers are doing, consider the projections for your business. Go to arin with a request that meets your current and anticipated needs and that is defensible. don't decide without thinking it through that you're assigning a customer a /64 a /60 a /56 or even /48. this should be defensible as part of a business plan, otherwise what's the point? A /48 is defensible. It's the architecturally intended end-site configuration, it is allowed by policy, and, it is a reasonable starting point. There is no real reason to assign less than a /48 to any end-site other than hyper-conservatism due to IPv4-think. Owen Figure out exactly what you are going to assign to customers later, but don't tie your hands by asking for a block that is way too small to begin with. Any ISP with more than 30k customers SHOULD NOT have a /32, and if they got one either trade it in or put it in a lab and get a REAL block. Tony -Original Message- From: Brandon Kim [mailto:brandon@brandontek.com] Sent: Saturday, October 16, 2010 1:59 PM To: nanog@nanog.org Subject: RE: Definitive Guide to IPv6 adoption Thanks everyone who responded. This list is such a valuable wealth of information. Apparently I was wrong about the /64 as that should be /32 so thanks for that correction Thanks again especially on a Saturday weekend! 
From: rdobb...@arbor.net To: nanog@nanog.org Date: Sat, 16 Oct 2010 16:09:43 + Subject: Re: Definitive Guide to IPv6 adoption On Oct 16, 2010, at 10:56 PM, Joel Jaeggli wrote: Then move on to the Internet which as with most things is where the most current if not helpful information resides. Eric Vyncke's IPv6 security book is definitely worthwhile, as well, in combination with Schudel Smith's infrastructure security book (the latter isn't IPv6-specific, but is the best book out there on infrastructure security): http://www.ciscopress.com/bookstore/product.asp?isbn=1587055945 http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365 - -- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com Sell your computer and buy a guitar.
Re: Definitive Guide to IPv6 adoption
On Oct 18, 2010, at 10:10 AM, Jack Bates wrote: On 10/18/2010 11:45 AM, Owen DeLong wrote: More accurately... A /48 per customer end-site... Define end-site. Residential customers, for example, don't need more than a /56. More would just be obscene. Most small businesses don't need more than a /56 either, especially if you are breaking them up into different sites (versus assigning a /48 to customer and dividing that block up to different sites). You are wrong. Residential customers should get /48s. /56s seemed like a good idea at the time, but, they aren't. It's not just about counting subnets. There's also the issue of needing bits for self-defining hierarchical topologies. 8 bits isn't enough for that. 16 is. Seriously... This isn't IPv4. The scarcity mentality is causing harm and driving decisions that will have a limiting effect on innovation that is already in progress. Owen
Re: Definitive Guide to IPv6 adoption
On Oct 18, 2010, at 6:59 AM, Jack Bates wrote: ARIN does reservations (unsure at what length, but at least down to /31). Do they still do that? Back when I was at IANA, one of the justifications the RIRs gave for the /12s they received was that they were going to be using the 'bisection' method of allocation which removes the need for reservation. Last I heard, APNIC was using the bisection method... Regards, -drc
Re: Only 5x IPv4 /8 remaining at IANA
On Oct 18, 2010, at 10:52 AM, George Bonser wrote: -Original Message- From: Owen DeLong [mailto:o...@delong.com] Sent: Monday, October 18, 2010 9:25 AM To: George Bonser Cc: Henning Brauer; nanog@nanog.org Subject: Re: Only 5x IPv4 /8 remaining at IANA Nobody is using dynamic nat pools to block inbound connections. Many people are using dynamic NAT on top of stateful inspection where stateful inspection blocks inbound connections. The good news is that stateful inspection doesn't go away in IPv6. It works just fine. All that goes away is the header mangling. Exactly true but there are people out there who experience it as dynamic nat prevents inbound connections. And the extent to which state is inspected varies widely on different gear (is it just looking for an ACK flag to determine an established connection or is it making sure that at least one packet has gone in the other direction first?). Looking for an ACK flag isn't Stateful inspection. Stateful inspection involves comparison against a state table of known connections. People perceive many things that are combined as having the systemic effect without understanding which component actually performs which underlying function. In cases where that doesn't matter, it's not an issue. In IPv4, it didn't matter if people understood the difference between security provided by stateful inspection and security eliminated by NAT. Now, it matters because some people are claiming IPv6 is less secure as a result of the lack of NAT. This claim comes from the misunderstanding you have restated above. At least with dynamic (overload) NAT, a packet had to travel in the opposite (outbound) direction in order to establish the NAT in the first place. Then with an established acl, the two things give you fairly This is true of stateful inspection as well. Stateful inspection != static packet filters. It's not the same thing. The ACK flag test you describe above is a static packet filter, not stateful inspection. 
decent assurance that things went as planned but are still not a substitute for packet inspection. Again, this doesn't come from the overloaded NAT. It comes from the state table mechanism and the comparison of the packet against known flows in the state table. While NAT requires this underlying state table to function, there is nothing preventing implementation of that state table without NAT. Such an implementation is equally secure without NAT. In fact, it's slightly better because NAT destroys audit trail while SI without NAT does not. It's really unfortunate that most people don't understand the distinction. Concur. IPv6 with SI is no less secure than IPv4 with SI+NAT. Yup, the difference is going to be the extent to which the state is inspected in various gear. Again, I believe firewall vendors are going to see a windfall here. You are confusing SI with Packet Filters. The technologies are different and it is, also, important to understand this distinction as well. And to address your comment in an email subsequent to this one about accounting, I wholeheartedly agree. NAT can make it much more difficult to find what is causing a problem or even who is talking to whom. Actually, that was Tony Hain's comment, but, yes, he's correct. Owen
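The distinction drawn in the message above, between a static filter that only tests the ACK flag and stateful inspection against a table of known flows, can be shown side by side. This is an added example, not code from any poster or vendor; the addresses (RFC 3849 documentation space), ports, timeout and packet sequence are constructed for illustration, and no NAT is involved, so the state table keeps the real inside address.

```python
import ipaddress
from collections import namedtuple

# Constructed addressing: the protected site is one documentation /48.
INSIDE = ipaddress.ip_network("2001:db8:1::/48")

# flags is a string of TCP flag letters: S=SYN, A=ACK, R=RST
Packet = namedtuple("Packet", "src sport dst dport flags")


def is_inbound(pkt):
    """True when the packet travels from outside to a protected host."""
    return (ipaddress.ip_address(pkt.dst) in INSIDE
            and ipaddress.ip_address(pkt.src) not in INSIDE)


def static_ack_filter(pkt):
    """Static packet filter: inbound TCP passes whenever ACK is set.

    It keeps no memory, so it cannot tell a genuine reply from an
    unsolicited segment that merely carries the ACK bit.
    """
    return (not is_inbound(pkt)) or "A" in pkt.flags


class StatefulFilter:
    """Stateful inspection without NAT: headers are never rewritten."""

    def __init__(self, idle_timeout=300):
        self.idle_timeout = idle_timeout
        # (inside addr, inside port, outside addr, outside port) -> last seen
        self.flows = {}

    def permit(self, pkt, now):
        # Drop flows that have been idle longer than the timeout.
        self.flows = {k: t for k, t in self.flows.items()
                      if now - t <= self.idle_timeout}
        if is_inbound(pkt):
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        else:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.flags == "S":          # only an outbound SYN opens a flow
                self.flows[key] = now
        if key not in self.flows:
            return False                  # no matching flow in the table
        if "R" in pkt.flags:
            del self.flows[key]           # reset tears the flow down
        else:
            self.flows[key] = now
        return True


# Constructed sample traffic: (timestamp in seconds, packet)
SAMPLE = [
    (0, Packet("2001:db8:1::10", 50000, "2001:db8:2::80", 443, "S")),
    (1, Packet("2001:db8:2::80", 443, "2001:db8:1::10", 50000, "SA")),
    (2, Packet("2001:db8:2::66", 4444, "2001:db8:1::10", 22, "A")),
    (3, Packet("2001:db8:2::66", 4445, "2001:db8:1::10", 22, "S")),
    (1000, Packet("2001:db8:2::80", 443, "2001:db8:1::10", 50000, "A")),
]


def compare(packets):
    """Return (static verdict, stateful verdict) for each packet in order."""
    fw = StatefulFilter()
    return [(static_ack_filter(p), fw.permit(p, t)) for t, p in packets]


if __name__ == "__main__":
    for (t, p), verdicts in zip(SAMPLE, compare(SAMPLE)):
        print(t, p.flags, verdicts)
```

The third and fifth sample packets are where the two mechanisms disagree: both carry ACK, neither matches a live flow.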
Re: Pica8 - Open Source Cloud Switch
On Mon, 18 Oct 2010 08:30:48 -0400, Henning Brauer hb-na...@bsws.de wrote: Currently, the Pica8 driver is released in binary form none of the interesting low-level drivers is open. none. zero. If it's based on a Broadcom chip, trust me, they are doing the world a favor by not exposing you to the SoC SDK. (It's so horribly un-documented that it took a week to figure out how to build it and another two weeks to actually get it to build something that could be used.)
Re: Only 5x IPv4 /8 remaining at IANA
On 10/18/2010 11:19, Henning Brauer wrote: * Owen DeLong o...@delong.com [2010-10-18 18:29]: The good news is that stateful inspection doesn't go away in IPv6. that is right. It works just fine. All that goes away is the header mangling. that is partially true. it can work just fine, but all the bloat in v6 makes it way harder to implement the state tracking than it should be. What bloat? Larger address space? ~Seth
RE: Only 5x IPv4 /8 remaining at IANA
You are confusing SI with Packet Filters. The technologies are different and it is, also, important to understand this distinction as well. I don't think I am confusing the two. I am saying that I have seen people use them and think they are secure when they aren't. IPv6 is going to make it a little harder for people to make this mistake (or easier to make it, I haven't decided yet which way it will go) and you will see more people purchasing equipment that does real state inspection which is my reason for predicting an increase in firewall sales. They won't have that dynamic NAT that lulls some into a false sense of security. Also, I believe the fire suit approach will become more important to people rather than the fire wall approach with IPv6. G
Re: Terminology Request, WAS: Enterprise DNS providers
On 18 October 2010 10:21, Mans Nilsson mansa...@besserwisser.org wrote: Subject: Terminology Request, WAS: Enterprise DNS providers Date: Mon, Oct 18, 2010 at 12:36:33AM -0700 Quoting Michael DeMan (na...@deman.com): Hi, I have been following this thread, and am mostly curious - can somebody (or preferably several folks) define what is meant by 'Enterprise DNS' ? Quality DNS operations for people with lots of money and not so lots of operational capacity (dare I say clue?) Or maybe for some random company who doesn't have the burstable capacity to handle a multi-gigabit network attack with a couple of office DNS servers. Or maybe just a company who requires a guaranteed SLA... etc... Had we moved to a free provider I have no doubt they would have gone down as well which is not a very nice thing for us to do, so we moved to someone who could shout at us and we could shout at.
Re: Definitive Guide to IPv6 adoption - Sparse IPv6 allocation
On Oct 18, 2010, at 2:18 PM, David Conrad wrote: On Oct 18, 2010, at 6:59 AM, Jack Bates wrote: ARIN does reservations (unsure at what length, but at least down to /31). Do they still do that? Back when I was at IANA, one of the justifications the RIRs gave for the /12s they received was that they were going to be using the 'bisection' method of allocation which removes the need for reservation. Last I heard, APNIC was using the bisection method... ARIN is doing the same (the 'bisection' method) with our IPv6 management since January 2010: we refer to the sparse allocation approach and it was requested by the community during the ARIN/NANOG Dearborn meeting. FYI, /John John Curran President and CEO ARIN
Re: Only 5x IPv4 /8 remaining at IANA
On Oct 18, 2010, at 11:19 AM, Henning Brauer wrote: * Owen DeLong o...@delong.com [2010-10-18 18:29]: The good news is that stateful inspection doesn't go away in IPv6. that is right. It works just fine. All that goes away is the header mangling. that is partially true. it can work just fine, but all the bloat in v6 makes it way harder to implement the state tracking than it should be. Actually, the state tracking in IPv6 requires a little more memory, but, it's actually easier on the silicon and has significant improvements over IPv4 for ASIC parsing of the headers. It's really unfortunate that most people don't understand the distinction. If they did, it would help them to realize that NAT doesn't actually do anything for security, it just helps with address conservation (although it has some limits there, as well). right. IPv6 with SI is no less secure than IPv4 with SI+NAT. well, it is. the extension headers are horrible. the v4 mapping horror is an insane trap, too. link-local is the most horrid concept ever. all hail 160 bit addresses. We can agree to disagree. Owen
Re: Definitive Guide to IPv6 adoption
On Oct 18, 2010, at 11:18 AM, Jon Lewis wrote: On Mon, 18 Oct 2010, Owen DeLong wrote: The customers should get /48s. The /56 guideline is merely that and only for the smallest of sites. It's also subsequently turned out to be bad advice. Can you elaborate on why /56 is bad advice and if you're saying it only for this case or if you're saying assignment of /56 to any customers is a bad idea? Dealing with a data center where customer machines typically get by today with a /29 of IPv4, is a /56 really not enough for their foreseeable future? I think it's generally a bad idea. /48 is the design architecture for IPv6. It allows for significant innovation in the SOHO arena that we haven't accounted for in some of our current thinking. In a datacenter environment, you might want to actually assign /64s to needed subnets, but, in a situation where you are serving remote end-sites, a /48 per end-site is, IMHO, the minimum size that should be issued. I realize our /32 could support more customers than we're likely to fit in the data center at /48 per customer, but is that enough of a reason to assign 65k /64 subnets to each customer machine? Datacenter is a whole different ball of wax. Nothing wrong with giving your customers /48s, but, the right size in a datacenter may well depend on a lot of things about your business model, the nature of your customers, etc. Certainly I would not deny a /48 to any customer that requested one. Owen
Re: Definitive Guide to IPv6 adoption - Sparse IPv6 allocation
John, Can you tell us at what degree the bisection stops? i.e. does it keep going until there are no spaces left, or will you leave some space in between each one to leave some room for future needs for orgs that already have allocations? -Randy -- | Randy Carpenter | Vice President, IT Services | Red Hat Certified Engineer | First Network Group, Inc. | (419)739-9240, x1 - Original Message - On Oct 18, 2010, at 2:18 PM, David Conrad wrote: On Oct 18, 2010, at 6:59 AM, Jack Bates wrote: ARIN does reservations (unsure at what length, but at least down to /31). Do they still do that? Back when I was at IANA, one of the justifications the RIRs gave for the /12s they received was that they were going to be using the 'bisection' method of allocation which removes the need for reservation. Last I heard, APNIC was using the bisection method... ARIN is doing the same (the 'bisection' method) with our IPv6 management since January 2010: we refer to the sparse allocation approach and it was requested by the community during the ARIN/NANOG Dearborn meeting. FYI, /John John Curran President and CEO ARIN
Re: Only 5x IPv4 /8 remaining at IANA
On Oct 18, 2010, at 12:26 PM, Johnny Eriksson wrote: Tony Hain alh-i...@tndh.net wrote: Actually nat does something for security, it decimates it. Any 'real' security system (physical, technology, ...) includes some form of audit trail. NAT explicitly breaks any form of audit trail, unless you are the one operating the header mangling device. Given that there is no limit to the number of nat devices along a path, there can be no limit to the number of people operating them. This means there is no audit trail, and therefore NO SECURITY. So an audit trail implies security? I don't agree. It may make post-mortem analysis easier, though. An audit trail improves security because post-mortem analysis of breaches is an important tool in improving security. Does end-to-end crypto break security? Which security? The security of the endpoints or the security of someone else who cannot now audit the communication in question fully? No, end-to-end crypto does not, by itself, break security. Arguably, end-to-end crypto MAY bypass security in some environments, but, those environments do have controls available to disable end-to-end crypto. Owen
Re: Network Operators Europe?
On Mon, Oct 18, 2010 at 06:02:56AM -0400, Day Domes wrote: What is the name of the mailing list for Network Operators Europe? The closest one to that is RIPE's European Operators Forum WG mailing list, but that one has zero traffic. http://www.ripe.net/ripe/wg/eof/index.html Best regards, Daniel -- CLUE-RIPE -- Jabber: d...@cluenet.de -- d...@ircnet -- PGP: 0xA85C8AA0
Re: Definitive Guide to IPv6 adoption - Sparse IPv6 allocation
I have a few customers whose allocations are /29 away from their nearest neighbor (half a nibble). That seems a little close considering there is a lot of talk about doing nibble boundaries, and there doesn't seem to be consensus yet. For these customers, I don't think they will need more than a /29, but if we collectively decide that a /28 is the next step from a /32, how will the older allocations be dealt with? This is pretty much a rhetorical question at this point, and I suppose the proper thing to do is to channel these questions toward the PPML for discussion as potential policy. thanks, -Randy -- | Randy Carpenter | Vice President, IT Services | Red Hat Certified Engineer | First Network Group, Inc. | (419)739-9240, x1 - Original Message - Randy - We'll likely put that out to the ARIN community for consultation at the point in time when becomes a potential issue. I expect we will have plenty of time before that needs to be considered at the present rate of allocation. /John John Curran President and CEO ARIN On Oct 18, 2010, at 3:08 PM, Randy Carpenter wrote: John, Can you tell us at what degree the bisection stops? i.e. does it keep going until there are no spaces left, or will you leave some space in between each one to leave some room for future needs for orgs that already have allocations? -Randy -- | Randy Carpenter | Vice President, IT Services | Red Hat Certified Engineer | First Network Group, Inc. | (419)739-9240, x1 - Original Message - On Oct 18, 2010, at 2:18 PM, David Conrad wrote: On Oct 18, 2010, at 6:59 AM, Jack Bates wrote: ARIN does reservations (unsure at what length, but at least down to /31). Do they still do that? Back when I was at IANA, one of the justifications the RIRs gave for the /12s they received was that they were going to be using the 'bisection' method of allocation which removes the need for reservation. Last I heard, APNIC was using the bisection method... 
ARIN is doing the same (the 'bisection' method) with our IPv6 management since January 2010: we refer to the sparse allocation approach and it was requested by the community during the ARIN/NANOG Dearborn meeting. FYI, /John John Curran President and CEO ARIN
Re: Definitive Guide to IPv6 adoption
On 10/18/2010 1:20 PM, sth...@nethelp.no wrote: I still haven't seen any good argument for why residential users need /48s. No, I don't think that makes all the address assignments the same size is a particularly relevant or convincing argument. We're doing /56 for residential users, and have no plans to change this. +1 This not only makes pop assignments easier, it gives a much larger prefix rotation pool. Don't start the flame on rotating prefixes being evil. It's my implementation to at least give customers some chance at prefix privacy. Jack
Re: Definitive Guide to IPv6 adoption - Sparse IPv6 allocation
On 10/18/10 12:42 PM, Randy Carpenter wrote: I have a few customers whose allocations are /29 away from their nearest neighbor (half a nibble). That seems a little close considering there is a lot of talk about doing nibble boundaries, and there doesn't seem to be consensus yet. For these customers, I don't think they will need more than a /29, but if we collectively decide that a /28 is the next step from a /32, how will the older allocations be dealt with? This is pretty much a rhetorical question at this point, and I suppose the proper thing to do is to channel these questions toward the PPML for discussion as potential policy. back in the distant past we were issued a /35, policy changed, we returned it and on 2001 7/11 we were issued our current /32 thanks, -Randy -- | Randy Carpenter | Vice President, IT Services | Red Hat Certified Engineer | First Network Group, Inc. | (419)739-9240, x1 - Original Message - Randy - We'll likely put that out to the ARIN community for consultation at the point in time when becomes a potential issue. I expect we will have plenty of time before that needs to be considered at the present rate of allocation. /John John Curran President and CEO ARIN On Oct 18, 2010, at 3:08 PM, Randy Carpenter wrote: John, Can you tell us at what degree the bisection stops? i.e. does it keep going until there are no spaces left, or will you leave some space in between each one to leave some room for future needs for orgs that already have allocations? -Randy -- | Randy Carpenter | Vice President, IT Services | Red Hat Certified Engineer | First Network Group, Inc. | (419)739-9240, x1 - Original Message - On Oct 18, 2010, at 2:18 PM, David Conrad wrote: On Oct 18, 2010, at 6:59 AM, Jack Bates wrote: ARIN does reservations (unsure at what length, but at least down to /31). Do they still do that? 
Back when I was at IANA, one of the justifications the RIRs gave for the /12s they received was that they were going to be using the 'bisection' method of allocation which removes the need for reservation. Last I heard, APNIC was using the bisection method... ARIN is doing the same (the 'bisection' method) with our IPv6 management since January 2010: we refer to the sparse allocation approach and it was requested by the community during the ARIN/NANOG Dearborn meeting. FYI, /John John Curran President and CEO ARIN
Re: Definitive Guide to IPv6 adoption
So they can't run their own services from home and have to request premium connectivity from you? Beside the IPv4 scarcity mentality we have the Telco mentality to fight... Happy days still ahead... - Original Message - From: Jack Bates jba...@brightok.net To: sth...@nethelp.no Cc: nanog@nanog.org Sent: Tuesday, 19 October, 2010 8:10:35 AM Subject: Re: Definitive Guide to IPv6 adoption On 10/18/2010 1:20 PM, sth...@nethelp.no wrote: I still haven't seen any good argument for why residential users need /48s. No, I don't think that makes all the address assignments the same size is a particularly relevant or convincing argument. We're doing /56 for residential users, and have no plans to change this. +1 This not only makes pop assignments easier, it gives a much larger prefix rotation pool. Don't start the flame on rotating prefixes being evil. It's my implementation to at least give customers some chance at prefix privacy. Jack
Re: Only 5x IPv4 /8 remaining at IANA
On 10/18/10 1:38 PM, Franck Martin wrote: I'm an IPv6 pioneer, because I did it the year, you could really go IPv6 only. That was when ICANN put IPv6 glue in the root zone, which fell a few days before the IETF did an IPv4 blackout. I thank Russ to come up with this IPv4 blackout, because it certainly encouraged ICANN to get its act and Google to do ipv6.google.com. Insofar as I am aware the first ipv6 hour was the brainchild of Randy Bush and Mark Tinka at apricot 2008. Not experienced first at the IETF. I'm not sure which came first in this story, but for me IPv6 left research to production on that year. The problem it should have happened 5 years earlier, now everyone is struggling to catch up... This is the year also IETF (and carriers, vendors,...) started to realize all the issues that were left to tackle. People before that were Mavericks! - Original Message - From: Aleksi Suhonen nanog-pos...@axu.tm To: nanog@nanog.org Sent: Tuesday, 19 October, 2010 3:07:32 AM Subject: Re: Only 5x IPv4 /8 remaining at IANA Hello, ML wrote: IPv6 Hipsters..Doing it before it was cool. I'm afraid I'm still doing it before it's cool. )-;
Re: Definitive Guide to IPv6 adoption - Sparse IPv6 allocation
Generally the older allocations would be left in place until deprecated by attrition. At least that's what I plan to advocate in my policy proposal. Owen Sent from my iPad On Oct 18, 2010, at 12:42 PM, Randy Carpenter rcar...@network1.net wrote: I have a few customers whose allocations are /29 away from their nearest neighbor (half a nibble). That seems a little close considering there is a lot of talk about doing nibble boundaries, and there doesn't seem to be consensus yet. For these customers, I don't think they will need more than a /29, but if we collectively decide that a /28 is the next step from a /32, how will the older allocations be dealt with? This is pretty much a rhetorical question at this point, and I suppose the proper thing to do is to channel these questions toward the PPML for discussion as potential policy. thanks, -Randy -- | Randy Carpenter | Vice President, IT Services | Red Hat Certified Engineer | First Network Group, Inc. | (419)739-9240, x1 - Original Message - Randy - We'll likely put that out to the ARIN community for consultation at the point in time when becomes a potential issue. I expect we will have plenty of time before that needs to be considered at the present rate of allocation. /John John Curran President and CEO ARIN On Oct 18, 2010, at 3:08 PM, Randy Carpenter wrote: John, Can you tell us at what degree the bisection stops? i.e. does it keep going until there are no spaces left, or will you leave some space in between each one to leave some room for future needs for orgs that already have allocations? -Randy -- | Randy Carpenter | Vice President, IT Services | Red Hat Certified Engineer | First Network Group, Inc. | (419)739-9240, x1 - Original Message - On Oct 18, 2010, at 2:18 PM, David Conrad wrote: On Oct 18, 2010, at 6:59 AM, Jack Bates wrote: ARIN does reservations (unsure at what length, but at least down to /31). Do they still do that? 
Back when I was at IANA, one of the justifications the RIRs gave for the /12s they received was that they were going to be using the 'bisection' method of allocation which removes the need for reservation. Last I heard, APNIC was using the bisection method... ARIN is doing the same (the 'bisection' method) with our IPv6 management since January 2010: we refer to the sparse allocation approach and it was requested by the community during the ARIN/NANOG Dearborn meeting. FYI, /John John Curran President and CEO ARIN
Re: Definitive Guide to IPv6 adoption
On 10/18/2010 3:51 PM, Franck Martin wrote: So they can't run their own services from home and have to request premium connectivity from you? Beside the IPv4 scarcity mentality we have the Telco mentality to fight... Happy days still ahead... Of course they can run their own services at home. How does renumber affect that (outside of poor v6 implementations at this late stage)? v6 is designed to support multiple prefixes and the ability to change from one prefix to another with limited disruption, especially if I give 24 hours to complete the transition. If servers and services can't handle this, I'd say they need to improve, or the customer will need a static allocation, which we may or may not charge for (depending on how automated we make it). A sane default of rotation is appropriate for us, though, and no amount of fighting by anyone will make the Telco think that google or others have the right to track their users. It's unfair for our users who block cookies, do due diligence to not be tracked, and then we throw them to the wolves with a constant trackable prefix. Jack (knew this would start an argument. *sigh*)
Re: Only 5x IPv4 /8 remaining at IANA
On Mon, 18 Oct 2010 14:41:36 +0200, Jens Link said: Jeroen Massar jer...@unfix.org writes: So, if your company is not doing IPv6 yet, you really are really getting late now. They won't listen. Consider it evolution in action. :)
Re: Only 5x IPv4 /8 remaining at IANA
- Original Message - From: Joel Jaeggli joe...@bogus.com To: Franck Martin fra...@genius.com Cc: nanog@nanog.org Sent: Tuesday, 19 October, 2010 8:58:57 AM Subject: Re: Only 5x IPv4 /8 remaining at IANA On 10/18/10 1:38 PM, Franck Martin wrote: I'm an IPv6 pioneer, because I did it the year, you could really go IPv6 only. That was when ICANN put IPv6 glue in the root zone, which fell a few days before the IETF did an IPv4 blackout. I thank Russ to come up with this IPv4 blackout, because it certainly encouraged ICANN to get its act and Google to do ipv6.google.com. Insofar as I am aware the first ipv6 hour was the brainchild of Randy Bush and Mark Tinka at apricot 2008. Not experienced first at the IETF. https://wiki.tools.isoc.org/IETF71_IPv4_Outage March 2008 Apricot 2008 was in Feb 2008 there was also an IPv6 hour at NANOG 42 in February 2008 But Russ spoke about it in 2007, knowing there will be resistance... And they must have been all talking to each others, so I'm not sure who to credit for the idea, but I can credit Russ for his IETF leadership in making it happen there. ICANN had just put the glue in February. Google decided to make it in time, seeing the opportunity and convergence of will. Anyhow the year it all happened was 2008, there was a convergence of ideas. So I would say since 2008 we have made great progress on IPv6 deployment, but we started very late...
Re: Definitive Guide to IPv6 adoption
On Mon, 18 Oct 2010, Owen DeLong wrote: I think it's generally a bad idea. /48 is the design architecture for IPv6. It allows for significant innovation in the SOHO arena that we haven't accounted for in some of our current thinking. Q: Why are /48s everywhere a good idea? A: Because it's the design! Q: Why are /48s everywhere in the design? A: Because it's a good idea! This kind of crap is one of the reasons people get frustrated with IPv6 zealotry. If people are actually interested in deploying IPv6 then by all means, STOP BITCHING AT THEM ABOUT HOW THEY DO IT. Problems like the wrong allocation to end users are fixable, especially given that the vast majority of end user assignments are dynamic in the first place. The model I've been advocating is for ISPs (who have enough space) to start off reserving a /48 per customer and then assigning the first /56 from it. If after real operational experience it turns out /48 is the right answer, you're all set. If /56 turns out to be sufficient, when you use up all of the first /56s you can start on the first /56 in the second /49, etc. Doug -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso
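Both the 'bisection' (sparse) allocation discussed earlier in this digest and the reserve-a-/48, assign-the-first-/56 model in the message above come down to handing out blocks in bit-reversed order, so each new block lands in the middle of the largest free gap. This is an added sketch, not ARIN's or any poster's implementation: the bit-reversal ordering, the sequential order of /48 reservations, the continuation of the /56 rounds past the second /49, and the documentation-space pools (scaled down from the /12 and /32 sizes in the thread) are all assumptions.

```python
import ipaddress


def bit_reverse(n, width):
    """Reverse the low `width` bits of n, e.g. 0b0001 -> 0b1000 for width 4."""
    out = 0
    for _ in range(width):
        out = (out << 1) | (n & 1)
        n >>= 1
    return out


def sparse_allocations(pool, alloc_len, count):
    """First `count` /alloc_len blocks from `pool`, chosen by bisection."""
    net = ipaddress.IPv6Network(pool)
    width = alloc_len - net.prefixlen
    if width <= 0 or count > (1 << width):
        raise ValueError("pool cannot hold that many allocations")
    step = 1 << (128 - alloc_len)          # addresses per allocation
    base = int(net.network_address)
    return [ipaddress.IPv6Network((base + bit_reverse(i, width) * step,
                                   alloc_len))
            for i in range(count)]


def growth_room(pool, alloc_len, count):
    """Map each allocation to the shortest prefix it can grow to in place.

    An allocation can expand to an enclosing block only while that block
    contains no other holder's allocation.
    """
    net = ipaddress.IPv6Network(pool)
    allocs = sparse_allocations(pool, alloc_len, count)
    room = {}
    for a in allocs:
        best = alloc_len
        for plen in range(alloc_len - 1, net.prefixlen - 1, -1):
            parent = a.supernet(new_prefix=plen)
            if any(o != a and o.subnet_of(parent) for o in allocs):
                break
            best = plen
        room[str(a)] = best
    return room


def reserve_48_assign_56(pool, customers):
    """Reserve a /48 per customer but assign only one /56 out of it.

    Round 0 gives each reserved /48 its first /56. Once every /48 has a
    tenant, round 1 uses the first /56 of the second /49 of each /48;
    later rounds keep bisecting (assumed reading of the "etc.").
    """
    net = ipaddress.IPv6Network(pool)
    n48 = 1 << (48 - net.prefixlen)        # /48 reservations in the pool
    if customers > n48 * 256:
        raise ValueError("pool has fewer /56s than customers")
    base = int(net.network_address)
    out = []
    for c in range(customers):
        rnd, idx = divmod(c, n48)
        start = base + idx * (1 << 80) + bit_reverse(rnd, 8) * (1 << 72)
        out.append(str(ipaddress.IPv6Network((start, 56))))
    return out


if __name__ == "__main__":
    # Constructed pools from the 2001:db8::/32 documentation prefix.
    print(growth_room("2001:db8::/32", 36, 3))
    print(reserve_48_assign_56("2001:db8::/44", 17)[-1])
```

Each doubling of the number of holders costs every holder one bit of in-place growth room, which is how neighbouring allocations end up a fixed prefix length apart.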
Re: Pica8 - Open Source Cloud Switch
On Mon, 18 Oct 2010, Joe Greco wrote: For example, consider the T-Mobile Sidekick Danger server crash/disaster. This is frequently pointed to as a failure of the cloud, but in reality, it appears to have been trusting data to a company that wasn't exercising proper care in maintaining its servers. In at least one sense I think that those are the same thing. Doug -- Improve the effectiveness of your Internet presence with a domain name makeover! http://SupersetSolutions.com/ Computers are useless. They can only give you answers. -- Pablo Picasso
Re: Only 5x IPv4 /8 remaining at IANA
Wouldn't it be better to leave such labels and judgements to future generations? I'm sure they'll be the best judge of who led them to paradise/ruin. -dorian
Re: Definitive Guide to IPv6 adoption
On 10/18/2010 14:39, Doug Barton wrote: On Mon, 18 Oct 2010, Owen DeLong wrote: I think it's generally a bad idea. /48 is the design architecture for IPv6. It allows for significant innovation in the SOHO arena that we haven't accounted for in some of our current thinking. Q: Why are /48s everywhere a good idea? A: Because it's the design! Q: Why are /48s everywhere in the design? A? Because it's a good idea! This kind of crap is one of the reasons people get frustrated with IPv6 zealotry. If people are actually interested in deploying IPv6 then by all means, STOP BITCHING AT THEM ABOUT HOW THEY DO IT. Problems like the wrong allocation to end users are fixable, especially given that the vast majority of end user assignments are dynamic in the first place. Dynamic under IPv4, that is. It could be argued that IPv6 brings back the ability to go static everywhere again. ~Seth
Re: Only 5x IPv4 /8 remaining at IANA
On Mon, 18 Oct 2010 10:52:18 PDT, George Bonser said: From: Owen DeLong [mailto:o...@delong.com] The good news is that stateful inspection doesn't go away in IPv6. It works just fine. All that goes away is the header mangling. Exactly true but there are people out there who experience it as dynamic nat prevents inbound connections. Those people are next on my hit list, after we've finally eliminated those who still talk about class A/B/C addresses. :)
Re: Definitive Guide to IPv6 adoption
On Mon, 18 Oct 2010 14:39:19 -0700 (PDT) Doug Barton do...@dougbarton.us wrote: On Mon, 18 Oct 2010, Owen DeLong wrote: I think it's generally a bad idea. /48 is the design architecture for IPv6. It allows for significant innovation in the SOHO arena that we haven't accounted for in some of our current thinking. Q: Why are /48s everywhere a good idea? A: Because it's the design! Q: Why are /48s everywhere in the design? A? Because it's a good idea! This kind of crap is one of the reasons people get frustrated with IPv6 zealotry. If people are actually interested in deploying IPv6 then by all means, STOP BITCHING AT THEM ABOUT HOW THEY DO IT. Problems like the wrong allocation to end users are fixable, especially given that the vast majority of end user assignments are dynamic in the first place. The model I've been advocating is for ISPs (who have enough space) to start off reserving a /48 per customer and then assigning the first /56 from it. If after real operational experience it turns out /48 is the right answer, you're all set. If /56 turns out to be sufficient, when you use up all of the first /56s you can start on the first /56 in the second /49, etc. While I like the idea of /48s per customer (per-nearly everybody), I do think this approach is a good, slightly more conservative approach. Regards, Mark.
Re: Pica8 - Open Source Cloud Switch
* Ricky Beam jfb...@gmail.com [2010-10-18 21:32]: On Mon, 18 Oct 2010 08:30:48 -0400, Henning Brauer hb-na...@bsws.de wrote: Currently, the Pica8 driver is released in binary form none of the interesting low-level drivers is open. none. zero. If it's based on a Broadcom chip, trust me, they are doing the world a favor by not exposing you to the SoC SDK. broadcom being too ashamed to show their code would not surprise me at all. however, that is no excuse. especially not when they try to market this as an open source switch. -- Henning Brauer, h...@bsws.de, henn...@openbsd.org BS Web Services, http://bsws.de Full-Service ISP - Secure Hosting, Mail and DNS Services Dedicated Servers, Rootservers, Application Hosting