[Nanog-futures] Philippe Couture is out of the office

2010-12-29 Thread Philippe . Couture

I will be out of the office from 2010-12-20 to 2011-01-05.

For any emergency, please contact Juan Ramos until 29 December, and
my cell phone after 29 December.


___
Nanog-futures mailing list
Nanog-futures@nanog.org
https://mailman.nanog.org/mailman/listinfo/nanog-futures


Re: .gov DNSSEC operational message

2010-12-29 Thread Robert E. Seastrom

Jay Ashworth j...@baylink.com writes:

 - Original Message -
 From: Doug Barton do...@dougbarton.us

 Now OTOH if someone wants to demonstrate the value in having a
 publication channel for TLD DNSKEYs outside of the root zone, I'm
 certainly willing to listen. Just be forewarned that you will have an
 uphill battle in trying to prove your case. :)

 If you do not, then your clients have little hope of spotting insider 
 malfeasance changes, no?

 Or aren't such changes practical for other reasons which I don't
 understand, not being a DNSSEC maven?

Can you provide us a scenario?

-r




Re: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance

2010-12-29 Thread Robert E. Seastrom

Wayne E. Bouchard w...@typo.org writes:

 Codes are usually defined in one of two ways... Either "cannot be
 above the building parapet" or "cannot be visible from the street
 below" (which allows you to position a stand at the center of the roof
 so you can clear the parapet) but when talking to building management,
 it can very easily be, "can't put anything on the roof"

 So to be certain we're not missing an opportunity, do you know that
 you don't actually have the second of those definitions as an option?
 In my area, neighboring jurisdictions adopt either the first or the
 second with building management usually adopting the first and making
 my life difficult. (IE, can do it in one place but not on the
 companion building.)

The third consideration is "someone notices and cares."

The Nanostation Loco (again from Ubiquiti) is easily capable of the
distances that you're talking about and is an all-in-one unit (antenna
plus radio, fed with POE) about twice the size of a pack of cigarettes
(does anyone use that as a point of reference anymore or have enough
of us quit smoking that it's irrelevant?).  It has a built-in mount on
the back and is intended to be zip tied to an existing vent pipe or
mast.  They even include a zip tie in the packaging.

As someone else noted, it is cheaper to buy Ubiquiti equipment and see
if it works than it is to do the engineering.  In this case, it may
well be worth the investment to buy the Ubiquiti equipment and bring
it to a meeting with the building management folks to do some *social
engineering*.

Most of these regulations are centered on the concern that your
building not look like a tower site.  An antenna that is sufficiently
small that it can not be seen from the ground without resorting to
optics may be on their "oh, that's fine" list once they see one
sitting on the table in front of them. 

-r




Re: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance

2010-12-29 Thread Shane Godmere

On 12/28/2010 11:48 PM, Anonymous List User wrote:

For architectural and building management reasons we cannot mount our
antennas in a rooftop or outdoor location at either end.  The distance
between two buildings is 1.5 km, and the fresnel zone is clear.  Antennas
need to be located indoors at both ends and will be placed on small speaker
stand tripod pointing at windows.  This has been done successfully before
with 2.4 GHz 802.11g equipment and a link from an office in the Westin to a
nearby apartment building, but I am unsure of what effect glass will have on
5 GHz.  Has anyone tried this?
   
Low-E glass is brutal on radio waves.  If the windows are tinted, 
multi-layer, or have metallic particles, success may be difficult.  You 
may want to test with some 802.11a network cards in ad-hoc mode to see 
if you can actually communicate over the 1500m path.   We have had to 
deal with a condo association to get approval to mount some panels 
outside at one site.  It can usually be discussed when presented with 
the facts and some photo-shop edits to show what visual impact it will 
have.  However, be prepared for a significant delay in some cases and 
success is never a sure thing.


Another item of concern is that you are looking at IC/FCC unlicensed bands.
Ten years ago 5.8 was fairly clean, but more recently we have found a 
lot more consumer devices invading the spectrum.  We had a 1km path with 
a $15K microwave system knocked out by a consumer $50 cordless phone 
that was 1/2 block away.  (We purchased a DECT6 phone for them and 
'solved' the immediate issue... until we could obtain a license/path and 
the equipment to install something that wouldn't be interfered with.)


--
Shane Allan Godmere
Senior Telecommunications Engineer II
Michigan Technological University
1400 Townsend Dr.  EERC-B31
Houghton, MI 49931




Re: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance

2010-12-29 Thread Curtis Maurand

On 12/29/2010 8:19 AM, Robert E. Seastrom wrote:

The third consideration is "someone notices and cares."
The Nanostation Loco (again from Ubiquiti) is easily capable of the
distances that you're talking about and is an all-in-one unit (antenna
plus radio, fed with POE) about twice the size of a pack of cigarettes
(does anyone use that as a point of reference anymore or have enough
of us quit smoking that it's irrelevant?).

Deck of cards, maybe?


--Curtis



Re: medicare.gov / cms.gov DNSSEC Validation Failures

2010-12-29 Thread Joel Esler
On Dec 28, 2010, at 11:39 PM, William Warren wrote:
 On 12/28/2010 8:43 PM, Nate Itkin wrote:
 On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote:
 I'm looking for a DNS contact for medicare.gov (and cms.gov). They are
 failing DNSSEC validation.
 Ditto.  Similar to uspto.gov not too long ago.
 
 Try posting to dns-operations.
 https://lists.dns-oarc.net/mailman/listinfo/dns-operations
 Almost certainly some *.gov dns admins lurking there.
 
 Cheers,
 Nate Itkin
 
 There's a thread going on about .gov DNSSEC changes.  This could be 
 the source of your issues.
 

Did you get a contact?  If not, I know someone over there.

J





Specific Network Querying

2010-12-29 Thread J. Oquendo

Good morning and happy holidays all. I'm in the process of creating an
automated filtering application and would like to know if anyone can
point me to the right place. I'd like to be able to query a
site/db/etc., and pull out specific netblocks to create fw rules. Since
IP space is always changing, it would be helpful if my queries can be
tailored to something like:

wget site | Parse IP space | grep Company | create rule

Or:

wget site | Parse IP space | grep {EDU_IP_SPACE,MIL_SPACE,GOV_SPACE} |
create rule

Follow?

Right now I am using potaroo with something like :

wget -qO -
http://bgp.potaroo.net/ipv4-stats/allocated-{apnic.html,ripe.html, etc}

But this just gives me entire blocks, not who is behind them. Is there
any site I could use to query specifics? E.g., for a gov client: wget
-qO - this.site.org | grep \.gov | parse_with_awk '{print fw_rule}'

Thanks in advance and Happy New Year to everyone.


-- 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

It takes 20 years to build a reputation and five minutes to
ruin it. If you think about that, you'll do things
differently. - Warren Buffett

227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E
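The `wget site | parse IP space | grep Company | create rule` pipeline described in this post, carried through as an added example (it is not code from the thread, from potaroo, or from any tool mentioned here): it parses ARIN-style whois records, keeps the ones whose OrgName matches a pattern, collapses the address space, and emits one iptables/ip6tables rule per prefix. The whois text, organization names and addresses are constructed sample data; the `NetRange`/`CIDR`/`OrgName` field names are the ones ARIN whois prints, and taking "who is behind the block" from OrgName is this example's assumption.

```python
"""Netblock selection by organization, emitted as firewall rules.

Added example, not code from the thread.  Parses ARIN-style whois records
(NetRange / CIDR / OrgName fields), keeps records whose OrgName matches a
pattern, collapses the address space and prints one rule per prefix.
"""
import ipaddress
import re
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample whois output (documentation addresses, made-up org names).
# Records are separated by a blank line, as in bulk whois dumps.  The
# EXAMPLE-ISP record shows a multi-CIDR line; EXAMPLE-U-NET has no CIDR line,
# so its NetRange must be summarized into prefixes.
SAMPLE_WHOIS = """\
NetRange:       192.0.2.0 - 192.0.2.255
CIDR:           192.0.2.0/24
NetName:        EXAMPLE-GOV-NET
OrgName:        Example Agency (agency.example.gov)

NetRange:       198.51.100.0 - 198.51.100.127
NetName:        EXAMPLE-U-NET
OrgName:        Example State University

NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/25, 203.0.113.128/25
NetName:        EXAMPLE-ISP
OrgName:        Example Commercial ISP

NetRange:       2001:db8:1:: - 2001:db8:1:ffff:ffff:ffff:ffff:ffff
CIDR:           2001:db8:1::/48
NetName:        EXAMPLE-GOV-V6
OrgName:        Example Agency (agency.example.gov)
"""

FIELD_RE = re.compile(r"^(\w+):\s*(.*)$")


def parse_whois_records(text: str) -> List[Dict[str, str]]:
    """Split bulk whois text into records; each record maps field -> value."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:                      # a blank line ends the record
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:                             # comment/continuation lines are ignored
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def record_networks(rec: Dict[str, str]) -> List[Network]:
    """Networks a record covers: prefer the CIDR line, else summarize NetRange."""
    if "CIDR" in rec:
        return [ipaddress.ip_network(p.strip()) for p in rec["CIDR"].split(",")]
    if "NetRange" in rec:
        first, last = (ipaddress.ip_address(x.strip()) for x in rec["NetRange"].split("-", 1))
        return list(ipaddress.summarize_address_range(first, last))
    return []


def select_networks(text: str, org_pattern: str) -> List[Network]:
    """Collapsed networks of every record whose OrgName matches org_pattern."""
    pat = re.compile(org_pattern, re.IGNORECASE)
    nets: List[Network] = []
    for rec in parse_whois_records(text):
        if pat.search(rec.get("OrgName", "")):
            nets.extend(record_networks(rec))
    # collapse_addresses() only accepts one address family at a time
    v4 = list(ipaddress.collapse_addresses([n for n in nets if n.version == 4]))
    v6 = list(ipaddress.collapse_addresses([n for n in nets if n.version == 6]))
    return v4 + v6


def firewall_rules(nets: List[Network], chain: str = "INPUT", action: str = "ACCEPT") -> List[str]:
    """One iptables/ip6tables rule per prefix; chain and action are the caller's choice."""
    return [
        f"{'iptables' if n.version == 4 else 'ip6tables'} -A {chain} -s {n.with_prefixlen} -j {action}"
        for n in nets
    ]


if __name__ == "__main__":
    # the "grep .gov" step of the pipeline, here also matching universities
    selected = select_networks(SAMPLE_WHOIS, r"\.gov\b|university")
    for rule in firewall_rules(selected):
        print(rule)
```

Because every rule is derived from what the registry says about the organization, a stale or generic OrgName silently produces the wrong rule, so the check worth keeping in a real job is a review of the selected records before the rules are applied. Bulk whois access to RIR data is by agreement with each RIR, as Ryan Shea notes in his reply.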




Re: .gov DNSSEC operational message

2010-12-29 Thread Tony Finch
On 29 Dec 2010, at 03:27, Jay Ashworth j...@baylink.com wrote:
 
 If you do not, then your clients have little hope of spotting insider 
 malfeasance changes, no?

No cryptography can expose the difference between data that is correctly signed 
by the proper procedures and data that is correctly signed by a corrupt 
procedure.

Tony.
--
f.anthony.n.finch  d...@dotat.at  http://dotat.at/




Re: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance

2010-12-29 Thread GP Wooden
+1 on Alvarion. 

- Reply message -
From: Bryan Fields br...@bryanfields.net
Date: Wed, Dec 29, 2010 9:30 am
Subject: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 
1.5 km distance
To: nanog@nanog.org

On 12/29/2010 08:19, Robert E. Seastrom wrote:

 Most of these regulations are centered on the concern that your
 building not look like a tower site.  An antenna that is sufficiently
 small that it can not be seen from the ground without resorting to
 optics may be on their "oh, that's fine" list once they see one
 sitting on the table in front of them. 

Don't forget about OTARD, where so long as you control the space in your
lease, no local government regulations can prevent installation of an internet
reception radio.

Also, the Ubiquiti is crap from a build/reliability standpoint.  If you're
doing anything serious, it would be worth it to buy a better product.  I'm
partial to the Alvarion and Motorola PtP links.


-- 
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net



Re: Specific Network Querying

2010-12-29 Thread Ryan Shea
You may want to look at Capirca (http://code.google.com/p/capirca/) for
creating policy files from which to generate your firewall rulesets. I am
not aware of a simple categorization of netblocks. My first thought is that
an agreement with every RIR for bulk whois data and writing code to parse /
categorize would be quite difficult and may not get you a reasonable result
after all that work - maybe there is something commercially available.

-Ryan

On Wed, Dec 29, 2010 at 9:01 AM, J. Oquendo s...@infiltrated.net wrote:


 Good morning and happy holidays all. I'm in the process of creating an
 automated filtering application and would like to know if anyone can
 point me to the right place. I'd like to be able to query a
 site/db/etc., and pull out specific netblocks to create fw rules. Since
 IP space is always changing, it would be helpful if my queries can be
 tailored to something like:

 wget site | Parse IP space | grep Company | create rule

 Or:

 wget site | Parse IP space | grep {EDU_IP_SPACE,MIL_SPACE,GOV_SPACE} |
 create rule

 Follow?

 Right now I am using potaroo with something like :

 wget -qO -
 http://bgp.potaroo.net/ipv4-stats/allocated-{apnic.html,ripe.html, etc}

 But this just gives me entire blocks, not who is behind them. Is there
 any site I could use to query specifics? E.g., for a gov client: wget
 -qO - this.site.org | grep \.gov | parse_with_awk '{print fw_rule}'

 Thanks in advance and Happy New Year to everyone.


 --

 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
 J. Oquendo
 SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT

 It takes 20 years to build a reputation and five minutes to
 ruin it. If you think about that, you'll do things
 differently. - Warren Buffett

 227C 5D35 7DCB 0893 95AA  4771 1DCE 1FD1 5CCD 6B5E
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x5CCD6B5E





Re: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance

2010-12-29 Thread Josh Smith
On Wed, Dec 29, 2010 at 10:30 AM, Bryan Fields br...@bryanfields.net wrote:
 On 12/29/2010 08:19, Robert E. Seastrom wrote:

 Most of these regulations are centered on the concern that your
 building not look like a tower site.  An antenna that is sufficiently
 small that it can not be seen from the ground without resorting to
 optics may be on their "oh, that's fine" list once they see one
 sitting on the table in front of them.

 Don't forget about OTARD, where so long as you control the space in your
 lease, no local government regulations can prevent installation of an internet
 reception radio.

 Also, the Ubiquiti is crap from a build/reliability standpoint.  If you're
 doing anything serious, it would be worth it to buy a better product.  I'm
 partial to the Alvarion and Motorola PtP links.


 --
 Bryan Fields

 727-409-1194 - Voice
 727-214-2508 - Fax
 http://bryanfields.net



While certainly not the best stuff made, I've found the Ubiquiti
equipment to be very nice for the price and have a few of their APs
which have been in service 24x7 for a couple of years now.

Thanks,
-- Josh Smith
KD8HRX
email/jabber:  juice...@gmail.com
phone:  304.237.9369(c)



Re: .gov DNSSEC operational message - picking a fight

2010-12-29 Thread bmanning
On Wed, Dec 29, 2010 at 02:56:35PM +, Tony Finch wrote:
 On 28 Dec 2010, at 22:46, bmann...@vacation.karoshi.com wrote:
  
 IMHO, key management should be able to use an OOB channel
 when the in-band is corrupted or overloaded.  Reliance on
 strictly the IB channel presumes there will be no problems
 with that channel.  EVER.   For me, I don't want to take 
 that risk.  YMMV of course.  
 
 If normal DNS resolution fails to work then there's no point in getting the 
 keys from another source since there's no data for them to validate.

oh resolution works a treat.  it's the validation that gets hosed. :)

--bill



Re: .gov DNSSEC operational message

2010-12-29 Thread bmanning
On Wed, Dec 29, 2010 at 11:15:02AM -0500, valdis.kletni...@vt.edu wrote:
 On Wed, 29 Dec 2010 15:01:41 GMT, Tony Finch said:
  No cryptography can expose the difference between data that is correctly
  signed by the proper procedures and data that is correctly signed by a 
  corrupt
  procedure.
 
 Amen...
 
 Well, it *would* help detect an intruder that's smart enough to  subvert the
 signing of the zones on the DNS server, but unable to also subvert the copy
 stored on some FTP site. Rather esoteric threat model, fast approaching
 the "Did you remember to take your meds?" level.

presupposes the attack was server directed.  the DNS-sniper will take
out your locally configured root KSK /or replace it w/ their own.
no need to carpet-bomb all users of the vt.edu caches - right?

 Plus, if you're worried about foobar.com's zone being maliciously signed, do
 you *really* want to follow a pointer to www.foobar.com to fetch another 
 copy? :)

who intimated that the OOB channel would be http?  since that is based
on the DNS, i'd like to think it was suspect as well. :)

--bill




Re: medicare.gov / cms.gov DNSSEC Validation Failures

2010-12-29 Thread Christopher J. Pilkington
On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote:
 I'm looking for a DNS contact for medicare.gov (and cms.gov). They are
 failing DNSSEC validation.

Seeing it still broken, I contacted someone over at Lockheed who
works over at CMS.  They're escalating to the appropriate
support vendor.

-cjp



Re: medicare.gov / cms.gov DNSSEC Validation Failures

2010-12-29 Thread Joel Esler
Ditto.


On Dec 29, 2010, at 12:32 PM, Christopher J. Pilkington wrote:

 On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote:
 I'm looking for a DNS contact for medicare.gov (and cms.gov). They are
 failing DNSSEC validation.
 
 Seeing it still broken, I contacted someone over at Lockheed who
 works over at CMS.  They're escalating to the appropriate
 support vendor.
 
 -cjp
 




Re: Specific Network Querying

2010-12-29 Thread John Adams
On Wed, Dec 29, 2010 at 6:01 AM, J. Oquendo s...@infiltrated.net wrote:

 Good morning and happy holidays all. I'm in the process of creating an
 automated filtering application and would like to know if anyone can
 point me to the right place. I'd like to be able to query a
 site/db/etc., and pull out specific netblocks to create fw rules.
[...]
 But this just gives me entire blocks, not who is behind them. Is there
 any site I could use to query specifics? E.g., for a gov client: wget
 -qO - this.site.org | grep \.gov | parse_with_awk '{print fw_rule}'


Given the current IPv4 climate, this sounds like a terrible idea. The
landscape has changed dramatically from what it once was. Large
volumes of mobile carriers use NAT, many IPv6 to IPv4 gateways are out
there routing traffic, and we'll soon see a time in which entire
countries are transiting over small chunks of IPv4 space.  Never mind
the fact that applications on services like Google App Engine have a
different IP nearly every time they connect because of outbound proxy
pools.

I think you're going to have a very difficult time resolving an IP to
the appropriate owner. Coarse calculation of who might be in charge of
a block is possible but fine-grained discovery and classification of
an owner is a difficult task.

That being said, the tools that I'm using on a daily basis to figure
out who actually owns an IP block (or is sending traffic over it) are:

- Senderbase (Cisco)
- cymru whois (whois.cymru.com - good for fast bgp lookups and geo)
- http://multirbl.valli.org/dnsbl-lookup (multi-RBL lookup, good for
finding abusers and other issues)
- SmartViper (Website ownership) http://www.markosweb.com/

-John



BGP SNMP OID Help

2010-12-29 Thread Michael Ruiz
Hello folks,

I would like the OID number for displaying the number
of routes that your EBGP peer has received.  Thank you in advance.

Michael Ruiz



Re: BGP SNMP OID Help

2010-12-29 Thread Scott Weeks


--- mr...@lstfinancial.com wrote:
From: Michael Ruiz mr...@lstfinancial.com

I would like the OID number for displaying the number
of routes that your EBGP peer has received.  Thank you in advance.
-



http://www.oidview.com/mibs/detail.html

scott



Re: medicare.gov / cms.gov DNSSEC Validation Failures

2010-12-29 Thread Richard Laager
On Wed, 2010-12-29 at 12:32 -0500, Christopher J. Pilkington wrote:
 On Tue, Dec 28, 2010 at 06:39:21PM -0600, Richard Laager wrote:
  I'm looking for a DNS contact for medicare.gov (and cms.gov). They are
  failing DNSSEC validation.
 
 Seeing it still broken, I contacted someone over at Lockheed who
 works over at CMS.  They're escalating to the appropriate
 support vendor.

Thank you both for forwarding this. Some progress has been made:

I received a response saying they believed they had it fixed. From my
testing, medicare.gov is fixed, but cms.gov is still broken (though in a
different way, I think). I replied as such and also requested corrected
SOA records.

Thanks again,
Richard




Re: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance

2010-12-29 Thread Jared Mauch

On Dec 29, 2010, at 11:24 AM, Josh Smith wrote:

 While certainly not the best stuff made, I've found the Ubiquiti
 equipment to be very nice for the price and have a few of their APs
 which have been in service 24x7 for a couple of years now.

Same here.

The price performance is hard (impossible?) to beat.

Combine that with the Linux/SDK stuff and you can do some interesting things 
with it that you can't do with other devices.

- Jared


Re: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance

2010-12-29 Thread Roy

On 12/29/2010 5:47 PM, Jared Mauch wrote:

On Dec 29, 2010, at 11:24 AM, Josh Smith wrote:


While certainly not the best stuff made, I've found the Ubiquiti
equipment to be very nice for the price and have a few of their APs
which have been in service 24x7 for a couple of years now.

Same here.

The price performance is hard (impossible?) to beat.

Combine that with the Linux/SDK stuff and you can do some interesting things 
with it that you can't do with other devices.

- Jared




With prices so low, you can even afford redundant links :-)





Re: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance

2010-12-29 Thread Josh Smith
snip
 Combine that with the Linux/SDK stuff and you can do some interesting things 
 with it that you can't do with other devices.

 - Jared

Jared,
I don't really have any experience with the Linux/SDK stuff; care to
share what you're using it for?

Thanks,
-- 
Josh Smith
KD8HRX
email/jabber:  juice...@gmail.com
phone:  304.237.9369(c)



Re: Specific Network Querying

2010-12-29 Thread Christopher Morrow
On Wed, Dec 29, 2010 at 2:01 PM, John Adams j...@retina.net wrote:
 On Wed, Dec 29, 2010 at 6:01 AM, J. Oquendo s...@infiltrated.net wrote:

 Good morning and happy holidays all. I'm in the process of creating an
 automated filtering application and would like to know if anyone can
 point me to the right place. I'd like to be able to query a
 site/db/etc., and pull out specific netblocks to create fw rules.
 [...]
 But this just gives me entire blocks, not who is behind them. Is there
 any site I could use to query specifics? E.g., for a gov client: wget
 -qO - this.site.org | grep \.gov | parse_with_awk '{print fw_rule}'


given an ASN you can query their announcements from RouteViews DNS, no?
(or rsync that and do the lookup locally in whatever form you feel is
helpful)

That probably has some whois data easily tied to it as well...


 Given the current IPv4 climiate, this sounds like a terrible idea. The
 landscape has changed dramatically from what it once was. Large

if you are updating filters 'quickly' it shouldn't matter, right?
you'll catch things (presuming whois is updated and/or BGP is and you
can tie things back through asn/netblock  relationships, oh...
RPKI...) pretty quickly as they move.

 volumes of mobile carriers use NAT, many IPv6 to IPv4 gateways are out
 there routing traffic, and we'll soon see a time in which entire
 countries are transiting over small chunks of IPv4 space.  Never mind

I don't recall the OP saying 'ipv4' only?

 the fact that applications on services like Google App Engine have a
 different IP nearly every time they connect because of outbound proxy
 pools.

it's probably not 'every time they connect'; there's probably some
sensible reasoning behind the decision process, like: your query that
triggers it comes into METRO-X and thus outbound queries come from a
netblock for NAT things inside METRO-X, my query goes to METRO-Y
so ... diff netblock.

Inside a set of queries (10-100?) you'll see a repeated set of ips, I suspect.

-chris
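Chris Morrow's two suggestions above, selecting by origin ASN from a local copy of the announcements rather than by organization name and updating the filters quickly so they follow prefixes as they move, taken to a working example (added here; not code from the thread, from RouteViews or from any RIR): it reads a locally saved table of announced prefixes with origin ASN, collapses the prefixes originated by the ASNs of interest, and computes the delete/add commands that move a firewall from the previous snapshot to the current one. The `prefix|origin_asn` line layout and both snapshots are constructed stand-ins for whatever format an rsync'd routing-table dump actually has; the AS numbers are from the documentation range.

```python
"""Filter updates driven by an origin ASN's announcements.

Added example, not code from the thread.  Reads a locally cached table of
announced prefixes with origin ASN (the "prefix|asn" layout is a constructed
stand-in for the real snapshot format), selects the prefixes originated by
the ASNs of interest, and computes the delete/add commands needed to move a
firewall from the previous snapshot to the current one.
"""
import ipaddress
from typing import List, Set, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed snapshots, one announcement per line: prefix|origin ASN.
# Prefixes are documentation ranges; ASNs are from the documentation range
# 64496-64511.  Between T0 and T1, AS64500 stops announcing 203.0.113.0/24
# and announces only the lower /25, while AS64502 picks up the upper /25.
SNAPSHOT_T0 = """\
192.0.2.0/24|64500
192.0.2.0/25|64500
198.51.100.0/24|64501
203.0.113.0/24|64500
"""
SNAPSHOT_T1 = """\
192.0.2.0/24|64500
198.51.100.0/24|64501
203.0.113.0/25|64500
203.0.113.128/25|64502
2001:db8:2::/48|64500
# comment lines and malformed entries are skipped by the parser
bogus line
"""


def parse_snapshot(text: str) -> List[Tuple[Network, int]]:
    """(network, origin ASN) pairs; skips comments and lines that do not parse."""
    out: List[Tuple[Network, int]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            prefix, asn = line.split("|", 1)
            out.append((ipaddress.ip_network(prefix.strip()), int(asn)))
        except ValueError:                # bad prefix, bad ASN or missing separator
            continue
    return out


def _sort_key(n: Network):
    # networks of different address families cannot be compared directly
    return (n.version, int(n.network_address), n.prefixlen)


def _tool(n: Network) -> str:
    return "iptables" if n.version == 4 else "ip6tables"


def prefixes_for_asns(text: str, asns: Set[int]) -> List[Network]:
    """Collapsed prefixes originated by any ASN in asns (covered more-specifics are merged)."""
    nets = [n for n, asn in parse_snapshot(text) if asn in asns]
    v4 = list(ipaddress.collapse_addresses([n for n in nets if n.version == 4]))
    v6 = list(ipaddress.collapse_addresses([n for n in nets if n.version == 6]))
    return v4 + v6


def filter_delta(old_text: str, new_text: str, asns: Set[int]) -> Tuple[List[Network], List[Network]]:
    """(added, removed) prefixes for the given ASNs between two snapshots."""
    old = set(prefixes_for_asns(old_text, asns))
    new = set(prefixes_for_asns(new_text, asns))
    return sorted(new - old, key=_sort_key), sorted(old - new, key=_sort_key)


def update_commands(old_text: str, new_text: str, asns: Set[int],
                    chain: str = "INPUT", action: str = "ACCEPT") -> List[str]:
    """Delete rules for withdrawn prefixes first, then add rules for new ones."""
    added, removed = filter_delta(old_text, new_text, asns)
    cmds = [f"{_tool(n)} -D {chain} -s {n.with_prefixlen} -j {action}" for n in removed]
    cmds += [f"{_tool(n)} -A {chain} -s {n.with_prefixlen} -j {action}" for n in added]
    return cmds


if __name__ == "__main__":
    for cmd in update_commands(SNAPSHOT_T0, SNAPSHOT_T1, {64500}):
        print(cmd)
```

Run against the two constructed snapshots, the job deletes the rule for 203.0.113.0/24 and adds one for 203.0.113.0/25 only, so the upper /25 that moved to AS64502 stops being accepted at the next update; that is the "you'll catch things as they move" property, and it holds only as often as the snapshot is refreshed. Collapsing before diffing matters: without it, the /24 and /25 announced together at T0 would produce two rules and a spurious change when the more-specific is withdrawn.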



Best Customer Support Practices

2010-12-29 Thread jacob miller
Hi,

Am looking towards formulating a document that will encompass best customer 
support practices.
Am looking to formulate the document based on well known best practices and 
experience from different individuals.
Any help will be greatly appreciated.
Thanks.

Regards,
Jacob