Re: best of breed nowadays in DPI space?

2011-04-26 Thread Rogelio
For what it's worth, I just found this great report by Sandvine talking about 
bandwidth trends in various countries

(Gotta enter in an email address, unfortunately)

http://www.sandvine.com/news/global_broadband_trends.asp




Re: Barracuda Networks is at it again: Any Suggestions as to an Alternative?

2011-04-26 Thread Rogelio

On Apr 9, 2011, at 6:51 AM, John Palmer (NANOG Acct) wrote:

> OK, it's been a year since my Barracuda subscription expired. The unit still 
> stops some spam. I figured that I would go and see what they would do if I 
> tried to renew my subscription EXACTLY one year after it expired. Would their 
> renewal website say "Oh, you are at your anniversary date", and renew me for 
> a year?
> 
> No such luck: They want me to PAY FOR AN ENTIRE YEAR for which I did NOT 
> receive service and then for the current (upcoming year). Sorry - I don't 
> allow myself to be ripped off like that. Sorry Barracuda - you get no money 
> from me and I'll tell everyone I know about this policy of yours.

While I agree with you (in theory), in practice, lots of companies do this 
baloney and there is little you can do if you need their product.

In fact, I just got screwed by this policy at Fluke Networks when I tried to 
renew my subscription to one of their tools. 


Re: Barracuda Networks is at it again: Any Suggestions as to an Alternative?

2011-04-26 Thread Dorn Hetzel
>
>
> While I agree with you (in theory), in practice, lots of companies do this
> baloney and there is little you can do if you need their product.
>
> In fact, I just got screwed by this policy at Fluke Networks when I tried
> to renew my subscription to one of their tools.
>

Would it turn out to be less expensive to just start a new subscription as
if you never had one before?


Re: Barracuda Networks is at it again: Any Suggestions as to an Alternative?

2011-04-26 Thread Rogelio
On Apr 26, 2011, at 1:54 PM, Dorn Hetzel wrote:

> 
> Would it turn out to be less expensive to just start a new subscription as if 
> you never had one before?

Usually places like this do it by serial number, in which case they don't let 
you update until you backpay.  :)


Multi-site, multi-path to Internet - customer question - off topic ?

2011-04-26 Thread Steve Benoit
Good day 

I have a question from a customer point of view.  We currently have a 
multi-site WAN with all our Internet connectivity at one site consisting of 3 
ISP type connections, full BGP, including our own ASN with IPv4 and v6 
addressing space.  All up and running.

I am now looking to add Internet connectivity from a second site on our WAN for 
fail over in the event of a site 1 failure.  My initial thoughts are towards 
another full BGP session at site 2, and perhaps something like Cisco's Global 
Site Selector, or F5's GTM to direct traffic.

I'm thinking of phasing this in over a couple of years since the "server" folks 
will not have full hot fail-over at that site for that period.  Of course, in a 
failure situation, the site will be expected to be live and operational 
immediately.

Any suggestions on where I should start looking ?  Any good white papers or 
case studies you have seen?  And technologies we should look at or stay away 
from ?

Thanks 

Steve Benoit



Re: SIXXS contact

2011-04-26 Thread Pekka Savola

On Mon, 25 Apr 2011, Andrew Kirch wrote:

On 4/25/2011 4:07 AM, Raymond Dijkxhoorn wrote:

Hi!


would someone at SIXXS please contact me off-list regarding an account
issue?


Contact
The main contact address for SixXS is i...@sixxs.net, which is the
sole email address one should use to contact SixXS. Non-English,
impolite, clueless, UCE and HTML email gets discarded automatically.
The official language used is English, due to archiving issues and the
international effort put into SixXS.

And you naturally tried that one before sending here, right?

Bye,
Raymond.


Yes, repeatedly.  The response was non-existent, or simply unfortunate,
so I'm trying other avenues.


Echo that.

IPv6 bgp peering for distributed looking glass has been down for some 
6 months or so now.  No responses via any channel.


It's sad because distributed looking glass has been very useful.

--
Pekka Savola                 "You each name yourselves king, yet the
Netcore Oy                    kingdom bleeds."
Systems. Networks. Security. -- George R.R. Martin: A Clash of Kings



Re: SIXXS contact

2011-04-26 Thread Brielle Bruns

On 4/25/11 11:28 PM, Mikael Abrahamsson wrote:

But if these two groups want people to take IPv6 seriously (you know,
before the ceiling comes down on our heads), maybe they should take it
seriously.


Having run a volunteer service before, I can tell you there are a lot of
people complaining about the free service. I would imagine the only
alternative to doing what they do now is to either get more money and
resources (sponsorship or paying customers) or to shut the service down.

What is a preferable service, a "not great" service, or no service at
all? I know I wouldn't have the energy to handle all the abuse I see
them getting, I would just tell people to go away and go home and watch
tv. I'm happy they have the energy to do what they're doing.

That's why I asked for SLA level services I can point people to who
complain. I'd imagine most of them wouldn't want to pay anyway, but I
hope it'll make them think about complaining too much about a free service.


I've run a volunteer/free hosting service since 1997 or so - it never 
ceases to amaze me how people will complain about free things, but when 
you ask them to pony up a little monthly support it's like you killed 
their puppy.  I just term people who are more of a hassle than they are 
worth.


I confirmed that HE will offer paid tunnel services, however I think I 
have a good idea of why Andrew was having crazy ping times to some of 
the tunnel servers.


Literally anything I do from my home DSL through qwest that goes through 
Seattle sometimes doubles or triples the latency as soon as I enter the 
GBLX network.


If I go through my T1, which ends up taking routes through TWTelecom, 
latency is in the low 20ms-40ms.


I have a feeling that there's severe capacity issues on certain networks 
(may it be specifically between qwest and gblx, or just gblx in 
general), and unfortunately the lack of ISPs taking native IPv6 
seriously puts our dependencies on ipv4 networks that are being held 
together with duct tape and twine.



--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org



IPv6 Prefix announcing

2011-04-26 Thread Nick Olsen
Greetings NANOG,
I've always been under the impression it's best practice to only announce 
prefixes of a /24 and above when it comes to IPv4 and BGP.
I was wondering if something similar had been agreed upon regarding IPv6. 
And if that's the case, what's the magic number? /32? /48? /64?

Nick Olsen
Network Operations (855) FLSPEED  x106
 


Re: IPv6 Prefix announcing

2011-04-26 Thread Justin M. Streiner

On Tue, 26 Apr 2011, Nick Olsen wrote:


I've always been under the impression it's best practice to only announce
prefixes of a /24 and above when it comes to IPv4 and BGP.
I was wondering if something similar had been agreed upon regarding IPv6.
And if that's the case, what's the magic number? /32? /48? /64?


You're likely to get different answers to this, but the 'magic number' 
appears to be /48.  Looking in the v6 BGP table, you will likely find 
smaller prefixes than that, but a number of the major carriers seem to be 
settling on /48 as the smallest prefix they will accept.  /48 is also the 
smallest block most of the RIRs will assign to end-users.


jms



RE: IPv6 Prefix announcing

2011-04-26 Thread Kate Gerry
Funny enough, some carriers actually require the 'smallest' as being /32... :(


-----Original Message-----
From: Justin M. Streiner [mailto:strei...@cluebyfour.org] 
Sent: Tuesday, April 26, 2011 9:34 AM
To: nanog@nanog.org
Subject: Re: IPv6 Prefix announcing

On Tue, 26 Apr 2011, Nick Olsen wrote:

> I've always been under the impression it's best practice to only 
> announce prefixes of a /24 and above when it comes to IPv4 and BGP.
> I was wondering if something similar had been agreed upon regarding IPv6.
> And if that's the case, what's the magic number? /32? /48? /64?

You're likely to get different answers to this, but the 'magic number' 
appears to be /48.  Looking in the v6 BGP table, you will likely find smaller 
prefixes than that, but a number of the major carriers seem to be settling on 
/48 as the smallest prefix they will accept.  /48 is also the smallest block 
most of the RIRs will assign to end-users.

jms




Re: IPv6 Prefix announcing

2011-04-26 Thread Patrick W. Gilmore
On Apr 26, 2011, at 12:39 PM, Kate Gerry wrote:

> Funny enough, some carriers actually require the 'smallest' as being /32... :(

Vote with your wallet.

Some carriers would prefer if only transit free networks were allowed to 
originate routes.  Doesn't mean you should follow their lead.

-- 
TTFN,
patrick


> -----Original Message-----
> From: Justin M. Streiner [mailto:strei...@cluebyfour.org] 
> Sent: Tuesday, April 26, 2011 9:34 AM
> To: nanog@nanog.org
> Subject: Re: IPv6 Prefix announcing
> 
> On Tue, 26 Apr 2011, Nick Olsen wrote:
> 
>> I've always been under the impression it's best practice to only 
>> announce prefixes of a /24 and above when it comes to IPv4 and BGP.
>> I was wondering if something similar had been agreed upon regarding IPv6.
>> And if that's the case, what's the magic number? /32? /48? /64?
> 
> You're likely to get different answers to this, but the 'magic number' 
> appears to be /48.  Looking in the v6 BGP table, you will likely find smaller 
> prefixes than that, but a number of the major carriers seem to be settling on 
> /48 as the smallest prefix they will accept.  /48 is also the smallest block 
> most of the RIRs will assign to end-users.
> 
> jms
> 
> 




RE: IPv6 Prefix announcing

2011-04-26 Thread George Bonser



> From: Kate Gerry 
> Sent: Tuesday, April 26, 2011 9:39 AM
> To: 'Justin M. Streiner'; nanog@nanog.org
> Subject: RE: IPv6 Prefix announcing
> 
> Funny enough, some carriers actually require the 'smallest' as being
> /32... :(
> 

That might be true in PA space, but PI space is issued down to /48.  I
am not aware of anyone who filters smaller than a /32 in PI space though
that doesn't mean it doesn't happen.  The largest holdout was Verizon
but my understanding is they now accept a /48 in PI space.

So: 

A /32 is the smallest prefix issued in PA and some networks will not
accept a prefix smaller than /32 from PA address space.
A /48 is the smallest prefix issued in PI and some networks will not
accept a prefix smaller than /48 from PI address space.

In other words, if you are going to attempt to multihome a /48
allocation from your provider's aggregate, you are better off getting
your own provider independent block.





Re: IPv6 Prefix announcing

2011-04-26 Thread William Herrin
On Tue, Apr 26, 2011 at 12:30 PM, Nick Olsen  wrote:
> Greetings NANOG,
> I've always been under the impression it's best practice to only announce
> prefixes of a /24 and above when it comes to IPv4 and BGP.
> I was wondering if something similar had been agreed upon regarding IPv6.
> And if that's the case, what's the magic number? /32? /48? /64?

Hi Nick,

At this point, you can depend on being able to announce a /32 from any
block and a /48 from an RIR block designated for end-user assignments.
Many carriers have more permissive policies but all of any consequence
now allow at least that.

Regards,
Bill Herrin


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004
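
The acceptance rule described in this message and in George Bonser's summary earlier in the thread (a /32 from any block, a /48 only from space designated for end-user assignments), written out as an added example that is not code from any poster. The `PI_BLOCKS` range is a constructed placeholder taken from the IPv6 documentation prefix; the real ranges come from the RIRs and are not given in the thread.

```python
import ipaddress

# Constructed placeholder: ranges an operator treats as "designated for
# end-user (PI) assignments". Not real RIR data; the thread lists none.
PI_BLOCKS = [ipaddress.ip_network("2001:db8:8000::/33")]

MAX_LEN_ANY = 32  # "/32 from any block"
MAX_LEN_PI = 48   # "/48 from an RIR block designated for end-user assignments"


def check_announcement(prefix, pi_blocks=PI_BLOCKS):
    """Return (accepted, reason) for one announced IPv6 prefix."""
    try:
        # strict=True rejects prefixes with host bits set (e.g. ::1/48)
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    if net.version != 6:
        return False, "not an IPv6 prefix"

    if net.prefixlen <= MAX_LEN_ANY:
        return True, f"/{net.prefixlen} is within the /{MAX_LEN_ANY} limit"

    in_pi = any(net.subnet_of(block) for block in pi_blocks)
    if in_pi and net.prefixlen <= MAX_LEN_PI:
        return True, f"/{net.prefixlen} inside PI space, within /{MAX_LEN_PI}"
    if in_pi:
        return False, f"more specific than /{MAX_LEN_PI} inside PI space"
    # A /48 carved out of a provider aggregate lands here: this is the
    # multihoming case the thread says to solve with a PI block instead.
    return False, f"more specific than /{MAX_LEN_ANY} outside PI space"


def filter_announcements(prefixes, pi_blocks=PI_BLOCKS):
    """Split a list of prefixes into (accepted, rejected-with-reason)."""
    accepted, rejected = [], []
    for p in prefixes:
        ok, reason = check_announcement(p, pi_blocks)
        if ok:
            accepted.append(p)
        else:
            rejected.append((p, reason))
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample announcements, all under the documentation prefix.
    sample = [
        "2001:db8::/32",           # aggregate
        "2001:db8:8001::/48",      # /48 inside the placeholder PI block
        "2001:db8:1::/48",         # /48 out of a provider aggregate
        "2001:db8:8001:100::/56",  # too specific even for PI space
        "2001:db8:8001::1/48",     # host bits set
    ]
    for p in sample:
        ok, reason = check_announcement(p)
        print(f"{p:26} {'accept' if ok else 'reject'}  {reason}")
```
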



Re: IPv6 Prefix announcing

2011-04-26 Thread Owen DeLong
I know that used to be true, but, to the best of my knowledge, everyone is now 
accepting down to /48s in provider independent ranges. Some still require /32 or 
shorter in the provider aggregate ranges.

Owen


Sent from my iPad

On Apr 26, 2011, at 10:39 AM, Kate Gerry  wrote:

> Funny enough, some carriers actually require the 'smallest' as being /32... :(
> 
> 
> -----Original Message-----
> From: Justin M. Streiner [mailto:strei...@cluebyfour.org] 
> Sent: Tuesday, April 26, 2011 9:34 AM
> To: nanog@nanog.org
> Subject: Re: IPv6 Prefix announcing
> 
> On Tue, 26 Apr 2011, Nick Olsen wrote:
> 
>> I've always been under the impression it's best practice to only 
>> announce prefixes of a /24 and above when it comes to IPv4 and BGP.
>> I was wondering if something similar had been agreed upon regarding IPv6.
>> And if that's the case, what's the magic number? /32? /48? /64?
> 
> You're likely to get different answers to this, but the 'magic number' 
> appears to be /48.  Looking in the v6 BGP table, you will likely find smaller 
> prefixes than that, but a number of the major carriers seem to be settling on 
> /48 as the smallest prefix they will accept.  /48 is also the smallest block 
> most of the RIRs will assign to end-users.
> 
> jms
> 



Re: IPv6 Prefix announcing

2011-04-26 Thread Seth Mattinen
On 4/26/2011 09:39, Kate Gerry wrote:
> Funny enough, some carriers actually require the 'smallest' as being /32... :(
> 

This is becoming the exception now, not the rule.

Last year I was fighting with Verizon about their refusal to carry /48s.
That, together with the impasse of figuring out how to put dual stack
IPv6 on an Ethernet port (it was delivered as IPv4 only multiple times),
I never accepted it and went with a competitor who got it right the
first time. However, I've had several sources tell me Verizon has since
backpedaled and now accepts /48s.

~Seth



RE: IPv6 Prefix announcing

2011-04-26 Thread Michael K. Smith - Adhost
> -----Original Message-----
> From: Seth Mattinen [mailto:se...@rollernet.us]
> Sent: Tuesday, April 26, 2011 12:52 PM
> To: nanog@nanog.org
> Subject: Re: IPv6 Prefix announcing
> 
> On 4/26/2011 09:39, Kate Gerry wrote:
> > Funny enough, some carriers actually require the 'smallest' as being /32... 
> > :(
> >
> 
> This is becoming the exception now, not the rule.
> 
> Last year I was fighting with Verizon about their refusal to carry /48s.
> That, together with the impasse of figuring out how to put dual stack
> IPv6 on an Ethernet port (it was delivered as IPv4 only multiple times),
> I never accepted it and went with a competitor who got it right the
> first time. However, I've had several sources tell me Verizon has since
> backpedaled and now accepts /48s.
> 
> ~Seth

*> 2001:67C:120::/48 2001:504:16::1B1B   150  0 6939 701 12702 43751 6716 i

Mike




Re: SIXXS contact

2011-04-26 Thread Andrew Kirch
On 4/26/2011 12:11 PM, Brielle Bruns wrote:
> I've run a volunteer/free hosting service since 1997 or so - it never
> ceases to amaze me how people will complain about free things, but
> when you ask them to pony up a little monthly support it's like you
> killed their puppy.  I just term people who are more of a hassle than
> they are worth.

I'm not complaining, but I would point out that if these free brokers
are the public face of IPv6 for many hobbyists (and much of the various
software run on/over the internet is written by volunteers, and/or given
away for free), we aren't going to get there.  The big deafening silence
from SIXXS is really unfortunate in that it does actively affect my
opinion of IPv6, my willingness to spend time implementing it, pestering
my upstream about it, or having my business give a damn about it.  Yes I
know they're volunteers, but how much does that matter?

Andrew



Re: World of Warcraft may begin using IPv6 on Tuesday

2011-04-26 Thread Bernhard Schmidt
Kevin Day  wrote:

> Anyone from Activision/Blizzard who would like to chime in with more
> details? :)

I'm definitely not from either of those, but I've found this link:

http://us.blizzard.com/support/article.xml?locale=en_US&tag=IPv6&rhtml=true

---
What is IPv6?


Internet Protocol version 6 (IPv6) is the technology behind the
next-generation internet. IPv6 was designed to succeed the current
version of IP (known as IPv4) and solve many of the current version's
issues, such as the dwindling number of available IP addresses.

To get ahead of the issue, we've put an IPv6 option into the World of
Warcraft interface with patch 4.1. So as IPv6 starts to become more
widely available the game will already be prepared to handle the switch
over. For most players, the IPv6 checkbox will remain grayed out until
IPv6 becomes available in your area. Once available, enabling this
feature will require WoW.exe to detect a valid IPv6 connection to the
internet on the computer you are playing from.

At some point in the future, WoW realm servers will be able to use IPv6
in addition to the current IPv4. If IPv6 is enabled, the game will
attempt to establish an IPv6 connection first. If unable to find an IPv6
connection, or if the IPv6 option is disabled/grayed out, the game will
make an IPv4 connection instead. This should not cause any connection or
performance issues.
---

"At some point in the future" does not sound like we will see much IPv6
traffic immediately, but who knows. Is anyone seeing some traffic that
might point to IPv6 adoption on the servers?

Bernhard




Re: gmail dropping mesages

2011-04-26 Thread J.D. Falk
On Apr 25, 2011, at 10:12 AM, Jeff Mitchell wrote:

> If you trust the issued certificates(!) being used to sign the mail, you at 
> least have a good indication that the spam is coming from the domain that it 
> says it's coming from. This can make spam blocking much more effective 
> because instead of simply hoping that a domain-based blocklist will block 
> spam and not ham (due to spoofed sender addresses), you have a pretty good 
> feeling that this will be the case.
> 
> Of course this relies on various other bits and pieces to fall into place, 
> such as properly handling such messages (Gmail's detection and handling rules 
> aren't public AFAIK), CAs not being compromised, etc. Not to mention that the 
> spammers can simply register another domain and buy a new cert -- but then 
> the argument above still holds.

DKIM doesn't use purchased certificates.  It's all self-signed.

As for catching spammers, using d= as an identifier is more effective at 
finding the good stuff than the bad stuff.  So if this list were signed by 
nanog.org, we (or our reputation systems) could all recognize that mail signed 
d=nanog.org rarely resulted in user complaints, and thus it must be mail the 
users want to receive; conversely, mail which spoofs nanog.org but is not 
signed can safely* be stored in the big bit bucket in the cloud.

--
J.D. Falk
the leading purveyor of industry counter-rhetoric solutions

* assuming nanog.org signs ALL mail -- but that's another long discussion


Re: SIXXS contact

2011-04-26 Thread TR Shaw

On Apr 26, 2011, at 6:38 PM, Andrew Kirch wrote:

> On 4/26/2011 12:11 PM, Brielle Bruns wrote:
>> I've run a volunteer/free hosting service since 1997 or so - it never
>> ceases to amaze me how people will complain about free things, but
>> when you ask them to pony up a little monthly support it's like you
>> killed their puppy.  I just term people who are more of a hassle than
>> they are worth.
> 
> I'm not complaining, but I would point out that if these free brokers
> are the public face of IPv6 for many hobbyists (and much of the various
> software run on/over the internet is written by volunteers, and/or given
> away for free), we aren't going to get there.  The big deafening silence
> from SIXXS is really unfortunate in that it does actively affect my
> opinion of IPv6, my willingness to spend time implementing it, pestering
> my upstream about it, or having my business give a damn about it.  Yes I
> know they're volunteers, but how much does that matter?

I can't say about SIXXS but HE has been great to me.  If it wasn't for them I 
would be out in the cold since neither ATT nor Brighthouse (my 2 options at my 
colo) can even spell IPv6!

Tom




Re: SIXXS contact

2011-04-26 Thread Andrew Kirch
On 4/26/2011 8:56 PM, TR Shaw wrote:
> On Apr 26, 2011, at 6:38 PM, Andrew Kirch wrote:
>
> I can't say about SIXXS but HE has been great to me.  If it wasn't for them I 
> would be out in the cold since neither ATT nor Brighthouse (my 2 options at 
> my colo) can even spell IPv6!
>
> Tom
>
>
My goal here isn't to bash HE, just to note that I have _REALLY_ bad
routes to it.  I had no trouble setting up a tunnel with them.

Andrew



Re: gmail dropping mesages

2011-04-26 Thread Michael Thomas

On 04/26/2011 05:08 PM, J.D. Falk wrote:

> On Apr 25, 2011, at 10:12 AM, Jeff Mitchell wrote:
>
>> If you trust the issued certificates(!) being used to sign the mail, you at 
>> least have a good indication that the spam is coming from the domain that it 
>> says it's coming from. This can make spam blocking much more effective because 
>> instead of simply hoping that a domain-based blocklist will block spam and not 
>> ham (due to spoofed sender addresses), you have a pretty good feeling that this 
>> will be the case.
>>
>> Of course this relies on various other bits and pieces to fall into place, such 
>> as properly handling such messages (Gmail's detection and handling rules aren't 
>> public AFAIK), CAs not being compromised, etc. Not to mention that the spammers 
>> can simply register another domain and buy a new cert -- but then the argument 
>> above still holds.
>
> DKIM doesn't use purchased certificates.  It's all self-signed.


Well, they aren't self-signed either; DKIM doesn't use x.509
style certs at all. It's just RSAPublicKey DER-encoded public
keys that are placed in the DNS.

Mike, but it still requires some crufty ASN.1 which is prolly the
  confusion



Re: SIXXS contact

2011-04-26 Thread Jima

On 2011-04-26 20:00, Andrew Kirch wrote:

My goal here isn't to bash HE, just to note that I have _REALLY_ bad
routes to it.  I had no trouble setting up a tunnel with them.


 Have you checked Gogo6 at all?

 Jima



Re: SIXXS contact

2011-04-26 Thread Mark Andrews

In message <4db76ac1.6080...@trelane.net>, Andrew Kirch writes:
> On 4/26/2011 8:56 PM, TR Shaw wrote:
> > On Apr 26, 2011, at 6:38 PM, Andrew Kirch wrote:
> >
> > I can't say about SIXXS but HE has been great to me.  If it wasn't for them
> > I would be out in the cold since neither ATT nor Brighthouse (my 2 options
> > at my colo) can even spell IPv6!
> >
> > Tom
> >
> >
> My goal here isn't to bash HE, just to note that I have _REALLY_ bad
> routes to it.  I had no trouble setting up a tunnel with them.

Then I suggest that you complain to your current ISP.  This is an IPv4
problem that they should be able to deal with.  You are paying them
good money for IPv4 connectivity and this is an IPv4 connectivity issue.
 
> Andrew
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



6PE command for IOS and XR

2011-04-26 Thread Vikas Sharma
Hi,

I was trying command "mpls ipv6 source-interface <>" on SRE3 code,
looks like there is no command like that on SRE. This command is
important for locally generated packets. Has someone used this
command?

Also what is the command on XR 4.0.1 to achieve the same?

Regards,
Vikas



Re: 6PE command for IOS and XR

2011-04-26 Thread Mikael Abrahamsson

On Wed, 27 Apr 2011, Vikas Sharma wrote:

I was trying command "mpls ipv6 source-interface <>" on SRE3 code, looks 
like there is no command like that on SRE. This command is important for 
locally generated packets. Has someone used this command?


You already received a good answer on cisco-nsp yesterday, why are you 
asking the same thing here?


--
Mikael Abrahamsson    email: swm...@swm.pp.se



Re: 6PE command for IOS and XR

2011-04-26 Thread Vikas Sharma
Sorry, I just saw it...

Regards,
Vikas

On Wed, Apr 27, 2011 at 11:03 AM, Mikael Abrahamsson  wrote:
> On Wed, 27 Apr 2011, Vikas Sharma wrote:
>
>> I was trying command "mpls ipv6 source-interface <>" on SRE3 code, looks
>> like there is no command like that on SRE. This command is important for
>> locally generated packets. Has someone used this command?
>
> You already received a good answer on cisco-nsp yesterday, why are you
> asking the same thing here?
>
> --
> Mikael Abrahamsson    email: swm...@swm.pp.se
>



Re: SIXXS contact

2011-04-26 Thread Seth Mos
On 27-4-2011 0:38, Andrew Kirch wrote:
> On 4/26/2011 12:11 PM, Brielle Bruns wrote:
>> I've run a volunteer/free hosting service since 1997 or so - it never
>> ceases to amaze me how people will complain about free things, but
>> when you ask them to pony up a little monthly support it's like you
>> killed their puppy.  I just term people who are more of a hassle than
>> they are worth.
> 
> I'm not complaining, but I would point out that if these free brokers
> are the public face of IPv6 for many hobbyists (and much of the various
> software run on/over the internet is written by volunteers, and/or given
> away for free), we aren't going to get there.  The big deafening silence
> from SIXXS is really unfortunate in that it does actively affect my
> opinion of IPv6, my willingness to spend time implementing it, pestering
> my upstream about it, or having my business give a damn about it.  Yes I
> know they're volunteers, but how much does that matter?

This same silence you mention is also my personal experience.

I work on an open source firewall project in my spare time and found the
issue annoying, as such I've decided to forgo Sixxs (dynamic) tunnel
support and recommend the free Hurricane Electric tunnelbroker instead.

I can spend my time better in getting OpenVPN working with IPv6 than
waiting to accumulate kredits(tm).

Kind regards,

Seth