Re: Netflix Is Eating Up More Of North America's Bandwidth Than Any Other Company

2011-05-17 Thread Randy Bush
another view might be that netflix's customers are eating the bandwidth

randy



Re: IRRd Add New Maintainer (irr_rpsl_submit ?)

2011-05-17 Thread Eduardo Meyer
On Wed, May 18, 2011 at 2:23 AM, Eduardo Meyer  wrote:
> Hello,
>
> I have installed IRRd and I am trying to set it up, just for study
> purposes. I have successfully mirrored some DBs but I can't manage to
> create my very first maintainer. irrd-user.pdf seems to be the
> only documentation around and it says nothing about "How the admin
> creates a maintainer"; it only says that the password used in irrd.conf
> is the one.
>
> Here's what I am trying:
>
> # cat /tmp/step-1
> mntner: MAINT-AS65500
> descr: Test Inc
> admin-c: Dudu M
> tech-c:  Dudu M
> upd-to: eduardo.me...@gmail.com
> mnt-nfy: eduardo.me...@gmail.com
> mnt-by: MAINT-AS65500
> auth: MAIL-FROM eduardo.me...@gmail.com
> changed: eduardo.me...@gmail.com 20110518
> source: SAMPLEDB
>
> And the command:
>
> # cat /tmp/step-1 | /usr/local/sbin/irr_rpsl_submit -x -D -v -E
> "db-ad...@testing123.net" -c "23AWrNgTooc32"
>
> I always get the following error:
>
> May 18 04:23:16 [18267] #ERROR: New maintainers must be added by a DB
> administrator.
> May 18 04:23:16 [18267] Forwarding new request to db-ad...@testing123.net
>
> Can someone please help me? I know it seems very simple but I have no
> idea how to do that.
>
> Thank you.

I managed to add the appropriate entries to my .db file by hand, but I
believe there's a better way to do so, since this way a restart is
needed.

I am sorry for asking it up here, but I believe someone will be able to
help me since the irrd-discuss mailing list is so quiet.



Re: Experience with Open Source load balancers?

2011-05-17 Thread matthew zeier
I'll pile on here too - there's very little of Mozilla's web infrastructure 
that isn't behind Zeus.

> +1 for Zeus. Use it in our production network with great success.
> Magnitudes cheaper than a solution from F5, and doesn't hide the inner
> workings of the product if you want to do some things outside the
> scope of support.






IRRd Add New Maintainer (irr_rpsl_submit ?)

2011-05-17 Thread Eduardo Meyer
Hello,

I have installed IRRd and I am trying to set it up, just for study
purposes. I have successfully mirrored some DBs but I can't manage to
create my very first maintainer. irrd-user.pdf seems to be the
only documentation around and it says nothing about "How the admin
creates a maintainer"; it only says that the password used in irrd.conf
is the one.

Here's what I am trying:

# cat /tmp/step-1
mntner: MAINT-AS65500
descr: Test Inc
admin-c: Dudu M
tech-c:  Dudu M
upd-to: eduardo.me...@gmail.com
mnt-nfy: eduardo.me...@gmail.com
mnt-by: MAINT-AS65500
auth: MAIL-FROM eduardo.me...@gmail.com
changed: eduardo.me...@gmail.com 20110518
source: SAMPLEDB

And the command:

# cat /tmp/step-1 | /usr/local/sbin/irr_rpsl_submit -x -D -v -E
"db-ad...@testing123.net" -c "23AWrNgTooc32"

I always get the following error:

May 18 04:23:16 [18267] #ERROR: New maintainers must be added by a DB
administrator.
May 18 04:23:16 [18267] Forwarding new request to db-ad...@testing123.net

Can someone please help me? I know it seems very simple but I have no
idea how to do that.

Thank you.

-- 
===
pessoal: dudu.me...@gmail.com
profissional: ddm.farmac...@saude.gov.br
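An added example, not from the thread and not IRRd's own code: a small RPSL parser and mntner checker that flags the point a reviewer would raise about the object posted above, namely that MAIL-FROM auth trusts the From: header of an update mail, which anyone can forge. The sample objects are constructed (placeholder addresses and a placeholder PGP key id), and the strength ranking of the auth schemes is an assumption to adjust to local registry policy.

```python
import re

# Attributes a mntner object must carry (RFC 2622 section 3.1).
MNTNER_REQUIRED = ("mntner", "descr", "admin-c", "tech-c", "upd-to",
                   "mnt-by", "auth", "changed", "source")

# Assumed ranking of RPSL auth schemes.  MAIL-FROM trusts a forgeable
# From: header; CRYPT-PW is DES crypt(3).  Adjust to your registry's policy.
AUTH_STRENGTH = {"PGPKEY": "strong", "MD5-PW": "acceptable",
                 "CRYPT-PW": "weak", "MAIL-FROM": "weak", "NONE": "none"}

# RFC 2622 object names: letters, digits, '_' and '-', starting with a letter
# and ending with a letter or digit.
OBJECT_NAME = re.compile(r"[A-Za-z](?:[A-Za-z0-9_-]*[A-Za-z0-9])?")


def parse_rpsl(text):
    """Split RPSL text into blank-line separated objects.  Each object is a
    list of (attribute, value) pairs; continuation lines (leading whitespace
    or '+') are joined onto the previous attribute and '#' comments dropped."""
    objects, current = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            if current:
                objects.append(current)
                current = []
        elif line[0] in " \t+" and current:
            attr, value = current[-1]
            current[-1] = (attr, (value + " " + line.lstrip(" \t+")).strip())
        else:
            attr, _, value = line.partition(":")
            current.append((attr.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def check_mntner(obj):
    """Problems found in one mntner object; an empty list means it is clean."""
    attrs = {}
    for key, value in obj:
        attrs.setdefault(key, []).append(value)
    if "mntner" not in attrs:
        return ["not a mntner object"]
    problems = ["missing required attribute %s" % a
                for a in MNTNER_REQUIRED if a not in attrs]
    name = attrs["mntner"][0]
    if not OBJECT_NAME.fullmatch(name):
        problems.append("invalid object name %r" % name)
    if name.upper() not in [m.upper() for m in attrs.get("mnt-by", [])]:
        problems.append("mntner does not list itself in mnt-by")
    for auth in attrs.get("auth", []):
        words = auth.split()
        scheme = words[0].upper() if words else "NONE"
        if scheme.startswith("PGPKEY-"):      # PGPKEY-<keyid>
            scheme = "PGPKEY"
        strength = AUTH_STRENGTH.get(scheme, "unknown")
        if strength not in ("strong", "acceptable"):
            problems.append("auth %s is %s" % (scheme, strength))
    return problems


def audit(text):
    """List of (mntner name, problems) for every object in the text."""
    return [(dict(obj).get("mntner", "?"), check_mntner(obj)) for obj in parse_rpsl(text)]


# Constructed sample: the first object mirrors the one posted above with
# placeholder addresses; the second is the same maintainer with PGP auth.
SAMPLE = """\
mntner:      MAINT-AS65500
descr:       Test Inc
admin-c:     Dudu M
tech-c:      Dudu M
upd-to:      hostmaster@example.net
mnt-nfy:     hostmaster@example.net
mnt-by:      MAINT-AS65500
auth:        MAIL-FROM hostmaster@example.net
changed:     hostmaster@example.net 20110518
source:      SAMPLEDB

mntner:      MAINT-AS65500
descr:       Test Inc
admin-c:     Dudu M
tech-c:      Dudu M
upd-to:      hostmaster@example.net
mnt-by:      MAINT-AS65500
auth:        PGPKEY-0123ABCD   # placeholder key id
changed:     hostmaster@example.net 20110518
source:      SAMPLEDB
"""

if __name__ == "__main__":
    for name, problems in audit(SAMPLE):
        print(name, "OK" if not problems else "; ".join(problems))
```

Run it over an object before submitting: here the first object is flagged for MAIL-FROM and the second, with PGPKEY auth, passes. It does not answer the actual question of how the IRRd administrator bootstraps the first maintainer. One further caveat on the posted command: passing the admin password with -c on the command line leaves it visible in the process list and in shell history.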



Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Joel Maslak
On Tue, May 17, 2011 at 9:37 PM,  wrote:


> Unless you end up behind a fascist firewall that actually checks that the
> EUI-64 half of the SLAAC address actually matches your MAC address - but we
> all know that firewalls are weak at IPv6 support, so probably nobody's
> actually doing that checking. :)
>


Nevermind you can change your MAC address easily on most networks, since
most don't provide any reasonable way of verifying that L2 packets are from
where they claim to be.

FWIW, Windows Vista and 7 default to using privacy addresses with SLAAC.
Even without that, today, in the IPv4 NAT world, it's pretty much possible
to uniquely identify a user nearly almost all of the time anyhow - at least
for web access.  This is thanks to browser fingerprinting - see
https://panopticlick.eff.org/browser-uniqueness.pdf

There's a lot of FUD about IPv6.  Yes, the addresses are longer.  But which
is easier - remembering all the intermediate layers of network translation
(likely two boxes for nearly every residential and small business user) or
an IPv6 address that is the same, regardless of whether you are another
customer on the same ISP, a public internet user, or an internal corporate
user?  Nevermind what it is like to debug IPSEC/PPTP/L2TP, SIP, or P2P
protocols with just one NAT involved.  Imagine doing that with two NAT
devices (CGN + home NAT).  If you haven't had that unfortunate pleasure,
then I envy you!  There's also no reason we should have to remember our IPv6
addresses.  Seriously.  There are about 50 protocols to name things on
networks, many of which are scope aware.  Among other things, it's why we
don't typically have to remember MAC addresses - ARP works and it works
well.  Just because bad design forced us to remember IPv4 addresses doesn't
mean our IPv6 networks should carry over that brokenness.

IPv6 is also already in widespread use (I would guess all 500 of the Fortune
500 have it somewhere on their network, albeit quite likely not
intentionally).  I use it almost daily for my Apple MobileMe account (albeit
typically tunneled over IPv4, all behind-the-scenes).  I also use it when I
stream music around my house (Bonjour will utilize IPv6, AirTunes typically
uses it).  Windows admins might be using it too (DirectAccess; MS Remote
Assistance if firewalls block connectivity then Windows will set up a direct
IPv6 link, tunneling through your firewalls and NAT...).  And Grandma very
well may be using it today (Windows "Home Groups" use IPv6).  I would guess
half of the family members of NANOG list subscribers are using IPv6 on a
daily basis - TODAY.  The danger is in ignoring what is already on your
networks.  Sure, you can't get to most websites via IPv6.  But it's being
used for plenty of useful work today, although mostly as a way around
firewalls and as isolated islands (not connected to the global IPv6
network).


Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Valdis . Kletnieks
On Tue, 17 May 2011 20:22:23 PDT, Joel Jaeggli said:
> On May 17, 2011, at 7:51 PM, Scott Weeks wrote:
> > Only if you design your network that way.  EUI-64 isn't required.
> don't much matter, if you move around you're going to get them a lot.

Of course, if you're moving around and getting EUI-64 addresses via SLAAC, you
can almost certainly use RFC4941 privacy addresses (instead of/in addition to)
your MAC-address based address.

Unless you end up behind a fascist firewall that actually checks that the
EUI-64 half of the SLAAC address actually matches your MAC address - but we all
know that firewalls are weak at IPv6 support, so probably nobody's actually
doing that checking. :)
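As an added example, not from any of the posts above: decoding the interface identifier of an IPv6 address to recover the MAC that SLAAC embedded in it, and the "does the EUI-64 half match the MAC" check Valdis describes a firewall doing, which an RFC 4941 privacy address will never pass. The addresses and the MAC are constructed samples.

```python
import ipaddress


def interface_id(addr):
    """The low 64 bits (interface identifier) of an IPv6 address, as 8 bytes."""
    return ipaddress.IPv6Address(addr).packed[8:]


def eui64_from_mac(mac):
    """Modified EUI-64 for a 48-bit MAC (RFC 4291 appendix A): insert ff:fe in
    the middle and flip the universal/local bit (0x02) of the first octet."""
    octets = bytes(int(x, 16) for x in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("not a 48-bit MAC: %r" % mac)
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def mac_from_eui64(addr):
    """Recover the MAC from an EUI-64-shaped address, or None.  The only shape
    test available is the ff:fe filler, which a random RFC 4941 identifier hits
    once in 65536, so treat a hit as evidence rather than proof."""
    iid = interface_id(addr)
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in mac)


def matches_mac(addr, mac):
    """The check the thread imagines a firewall doing: is this address the
    SLAAC address the given MAC would produce?  A privacy address never
    matches, which is exactly what RFC 4941 is for."""
    return interface_id(addr) == eui64_from_mac(mac)


def classify(addr):
    """Rough origin of the identifier: 'eui64' (MAC-derived), 'local'
    (universal/local bit clear: RFC 4941 temporary, manual and DHCPv6
    identifiers all look like this) or 'other'."""
    iid = interface_id(addr)
    if mac_from_eui64(addr) is not None:
        return "eui64"
    return "local" if iid[0] & 0x02 == 0 else "other"


if __name__ == "__main__":
    # Constructed sample: MAC 00:11:22:33:44:55 on prefix 2001:db8:0:1::/64,
    # once as the SLAAC address and once with a random temporary identifier.
    for a in ("2001:db8:0:1:211:22ff:fe33:4455", "2001:db8:0:1:4d3a:9b1f:7c2e:6a10"):
        print(a, classify(a), mac_from_eui64(a), matches_mac(a, "00:11:22:33:44:55"))
```

The same functions give the forensic reading of a log full of IPv6 addresses: every "eui64" hit is a host that was not using privacy addresses, and the MAC it leaks identifies the NIC vendor and, via the switch's MAC table, the physical port. Joel's point stands in the other direction too: since the MAC can be changed, a match proves only that the host chose to present that MAC, not who it is.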





Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Joel Jaeggli

On May 17, 2011, at 7:51 PM, Scott Weeks wrote:

> 
> 
> --- joe...@bogus.com wrote:
> From: Joel Jaeggli 
> 
>> if you put something in the dns you do so because you want to be discovered. 
>> scoping the nameservers such that they only express certain resource 
>> records to queriers in a particular scope is fairly straightforward.
>> 
>> 
>> 
>> The article was not about DNS.  It was about "Persistent Personal Names for 
>> Globally Connected Mobile Devices" where "Users normally create personal 
>> names by introducing devices locally, on a common WiFi network for example. 
>> Once created, these names remain persistently bound to their targets as 
>> devices move. Personal names are intended to supplement and not replace 
>> global DNS names."  
> 
> you mean like mac addresses? those have a tendency to follow you around in 
> ipv6...
> -
> 
>   Still an IPv6 wussie...  :-) 
> 
> Only if you design your network that way.  EUI-64 isn't required.

don't much matter, if you move around you're going to get them a lot.

> scott
> 




Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Weeks


--- joe...@bogus.com wrote:
From: Joel Jaeggli 

> if you put something in the dns you do so because you want to be discovered. 
> scoping the nameservers such that they only express certain resource 
> records to queriers in a particular scope is fairly straightforward.
> 
> 
> 
> The article was not about DNS.  It was about "Persistent Personal Names for 
> Globally Connected Mobile Devices" where "Users normally create personal 
> names by introducing devices locally, on a common WiFi network for example. 
> Once created, these names remain persistently bound to their targets as 
> devices move. Personal names are intended to supplement and not replace 
> global DNS names."  

you mean like mac addresses? those have a tendency to follow you around in 
ipv6...
-

   Still an IPv6 wussie...  :-) 

Only if you design your network that way.  EUI-64 isn't required.


scott



Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Weeks


--- scott.b...@gmail.com wrote:
From: Scott Brim 

Yes indeed.  
-


Hm, that's a funny correlation to what I have been thinking and talking about 
lately.  I'll have to read the draft-brim-mobility-and-privacy-00 paper as the 
pdf-bullet-point-syndrome has overtaken my info absorption abilities.  I looked 
at the pdf, but bullet points make me have the deer-in-the-headlights look.  ;-)

scott



Re: IPv6 gateway, was: Re: IPv6 foot-dragging

2011-05-17 Thread Erik Muller

On Mon, 16 May 2011, Todd Lyons wrote:

> Double check the kernel version you have.  IIRC kernels before 2.6.20
> didn't have the ability to do RELATED,ESTABLISHED in ipv6.  This hit
> me on a CentOS box that I was using as a gateway.  I am unaware if
> there is a version of their 2.6.18 that has the patches backported
> (googling seemed to indicate it has not been done, and most are just
> waiting for new release of CentOS 6).  RH6 works properly.


From my experience, kernels older than 2.6.27 or so are simply to be 
avoided for anything v6 - in addition to no iptables state pre20, there 
were some RA processing bugs that would result in great fun if, for 
example, your upstream MTU ever changed.  Finding usable backports on 
CentOS was an exercise in futility.


-e
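An added example, not from the thread: a generator for the kind of stateful ip6tables ruleset Todd and Erik are talking about, plus a version check for the kernel cut-off Todd gives. The interface names and the kernel release strings are placeholders; the 2.6.20 threshold is the thread's figure and is not verified independently here.

```python
import re

# Per the thread: no usable RELATED,ESTABLISHED matching for IPv6 before this.
MIN_STATEFUL_V6 = (2, 6, 20)

# ICMPv6 that must always get through or IPv6 stops working (RFC 4890 4.3):
# errors, Packet Too Big for PMTU discovery, and the four neighbour
# discovery types.
ICMPV6_MUST_PASS = {
    1: "destination unreachable", 2: "packet too big (PMTUD)",
    3: "time exceeded", 4: "parameter problem",
    133: "router solicitation", 134: "router advertisement",
    135: "neighbour solicitation", 136: "neighbour advertisement",
}
NDP_TYPES = {133, 134, 135, 136}


def kernel_version(release):
    """'2.6.18-238.el5' -> (2, 6, 18); the distro suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unparseable kernel release %r" % release)
    return tuple(int(x or 0) for x in m.groups())


def supports_ipv6_state(release):
    """Gate for loading the ruleset below on an older CentOS-style kernel."""
    return kernel_version(release) >= MIN_STATEFUL_V6


def render_ruleset(wan="eth0", lan="eth1"):
    """ip6tables-restore text for a two-interface gateway.  The state rule
    comes first so the bulk of traffic short-circuits.  NDP must additionally
    arrive with hop limit 255 (RFC 4861), which a packet that crossed a router
    cannot have, so spoofed RAs/NAs from beyond the link are dropped.
    '-m state' is what the thread uses; '-m conntrack --ctstate' is the same
    match on current kernels."""
    lines = [
        "*filter", ":INPUT DROP [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
        "-A INPUT -m state --state INVALID -j DROP",
    ]
    for t, what in sorted(ICMPV6_MUST_PASS.items()):
        hl = " -m hl --hl-eq 255" if t in NDP_TYPES else ""
        lines.append('-A INPUT -p ipv6-icmp --icmpv6-type %d%s -m comment --comment "%s" -j ACCEPT'
                     % (t, hl, what))
    lines += [
        "-A INPUT -i %s -p ipv6-icmp --icmpv6-type 128 -m limit --limit 10/s -j ACCEPT" % wan,
        "-A INPUT -i %s -j ACCEPT" % lan,                    # trust the inside interface
        "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT",
        "-A FORWARD -p ipv6-icmp --icmpv6-type 2 -j ACCEPT",   # PMTUD for transit flows
        "-A FORWARD -i %s -o %s -j ACCEPT" % (lan, wan),
        "COMMIT",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    import platform
    print("stateful v6 ok:", supports_ipv6_state(platform.release()))
    print(render_ruleset("eth0", "eth1"))
```

Load the output with ip6tables-restore. The point a v4-trained admin usually misses is that ICMPv6 is not optional: filtering type 2 or types 133 to 136 breaks PMTU discovery and neighbour discovery respectively, producing the same sort of hard-to-diagnose breakage as the upstream MTU change Erik mentions.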



Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Joel Jaeggli

On May 17, 2011, at 6:09 PM, Scott Weeks wrote:

> --- joe...@bogus.com wrote:
> From: Joel Jaeggli 
> On May 17, 2011, at 4:30 PM, Scott Brim wrote:
>> On May 17, 2011 6:26 PM,  wrote:
>>> On Tue, 17 May 2011 15:04:19 PDT, Scott Weeks said:
>>> 
 What about privacy concerns
>>> 
>>> "Privacy is dead.  Get used to it." -- Scott McNeely
>> 
>> Forget that attitude, Valdis. Just because privacy is blown at one level
>> doesn't mean you give it away at every other one. We establish the framework
>> for recovering privacy and make progress step by step, wherever we can.
>> Someday we'll get it all back under control.
> 
> if you put something in the dns you do so because you want to be discovered. 
> scoping the nameservers such that they only express certain resource 
> records to queriers in a particular scope is fairly straightforward.
> 
> 
> 
> The article was not about DNS.  It was about "Persistent Personal Names for 
> Globally Connected Mobile Devices" where "Users normally create personal 
> names by introducing devices locally, on a common WiFi network for example. 
> Once created, these names remain persistently bound to their targets as 
> devices move. Personal names are intended to supplement and not replace 
> global DNS names."  

you mean like mac addresses? those have a tendency to follow you around in 
ipv6...

> I see a lot of folks on lists designing future networks where an identifier 
> follows you everywhere and we as operators will have to deal with a public 
> hostile to the idea of being followed.  It's happening now.  Just read all 
> the articles on privacy lost.  It's not going to go away.  People like their 
> privacy whether they're doing bad things or not.
> 
> scott
> 




Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Brim
Yes indeed.  

-- sent from a tiny screen


Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Weeks

--- valdis.kletni...@vt.edu wrote:
From: valdis.kletni...@vt.edu

> Why give the corpment (corporate/government contraction) an easy time at it?
> Just like the early days, security and privacy do not seem to be in folk's 
> mind
> when things are being designed.

But more importantly, who has more/better lobbyists, you or the people who
want things like COICA and ACTA?

You're going to have to fix *that* problem before trying to address it at the
protocol level will do any real, lasting good.  Either that or we need a *lot*
more TOR relays (while those are still legal).
---

It's a multi-layered problem and designers at all layers need to keep privacy 
in mind.  You can't solve the multi-layered privacy problem with a design at 
one layer.




Oh, and an article that coincidentally popped up since I hit 'send' on the
previous mail:

http://radar.oreilly.com/2011/05/anonymize-data-limits.html

Designing things to evade good data mining is a *lot* harder than it looks.


This article doesn't really address what we're discussing.  It looks at the 
'upper' layer only.  I'm just saying that we don't need an ID that follows us 
everywhere like, I believe, LOC/ID split and "Unmanaged Internet Architecture" 
(from the "Persistent Personal Names for Globally Connected Mobile Devices" 
paper) apparently does (I haven't read their paper thoroughly enough to comment 
in an authoritative manner, though).  There has got to be another way.  RINA 
(http://www.cs.bu.edu/fac/matta/Papers/rina-security.pdf) addresses 
privacy/security, but the nanog show-me-the-code folks were unimpressed with 
the existing code when I asked the list about it in the past.

scott






Re: Experience with Open Source load balancers?

2011-05-17 Thread jkrejci
In response to your query on dnssec in the browser, I use this.

https://addons.mozilla.org/en-us/firefox/addon/dnssec-validator/

--Original Message--
From: Jimmy Hess
To: Mark Andrews
Cc: Welch, Bryan
Cc: nanog@nanog.org
Subject: Re: Experience with Open Source load balancers?
Sent: May 17, 2011 7:07 PM

On Tue, May 17, 2011 at 6:23 PM, Mark Andrews  wrote:
[snip]
>
> Better still would be for them to return AAAA records but until one
> is ready to do that the negative responses need to be correct.

Hm... better would be for load balancers to operate transparently at Layer 3 and
not tamper with the contents of answers from proper DNS servers.

Eating traffic based on application content, or turning NOERROR,
0 matches into NXDOMAIN is seriously f***'ed up.


I look forward to more domains having DS records published by TLDs w/
signed zones...
and possibly browsers displaying warnings trying to visit HTTPS
domains without a signed zone.

perhaps load balancers/middle box manufacturers will start to become a
little bit more honest in what they do with DNS traffic  :)

--
-JH




Re: Experience with Open Source load balancers?

2011-05-17 Thread Brent Jones
On Tue, May 17, 2011 at 11:57 AM, LaDerrick H.  wrote:
> On Mon, May 16, 2011 at 04:15:45PM -0700, Welch, Bryan wrote:
>> Greetings all.
>>
>> I've been tasked with comparing the use of open source load balancing 
>> software against commercially available off the shelf hardware such as F5, 
>> which is what we currently use.  We use the load balancers for traditional 
>> load balancing, full proxy for http/ssl traffic, ssl termination and 
>> certificate management, ssl and http header manipulation, nat, high 
>> availability of the physical hardware and stateful failover of the tcp 
>> sessions.  These units will be placed at the customer prem supporting our 
>> applications and services and we'll need to support them accordingly.
>>
>> Now my "knee jerk" reaction to this is that it's a really bad idea.  It is 
>> the heart and soul of our data center network after all.  However, once I 
>> started to think about it I realized that I hadn't had any real experience 
>> with this solution beyond tinkering with it at home and reading about it in 
>> years past.
>>
>> Can anyone offer any operational insight and real world experiences with 
>> these solutions?
>
> I've used LVS and other Open Source solutions in the past.  As others
> have alluded to, these require knowledge and experience with the
> underlying OS and network stack that's often lacking in many
> organizations.  A good hybrid solution which implements all (I think) of
> your requirements is Zeus (http://www.zeus.com/)  It's a software
> solution which you can deploy on your own hardware.  It's been very
> solid in my experience.  You can deploy the software in a clustered
> configuration if needed, though I've only used it in an HA pair.
>
> LaDerrick
>
>>
>> TIA, replies off list are welcomed.
>>
>>
>> Regards,
>>
>> Bryan
>>
>
>

+1 for Zeus. Use it in our production network with great success.
Magnitudes cheaper than a solution from F5, and doesn't hide the inner
workings of the product if you want to do some things outside the
scope of support.
Zeus also does licensing just based on throughput, not arbitrary
transactions per second like F5 does/did. If your hardware can push
the traffic, there's no limitation on the number of transactions or
sessions.

-- 
Brent Jones
br...@servuhome.net



Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Weeks
--- joe...@bogus.com wrote:
From: Joel Jaeggli 
On May 17, 2011, at 4:30 PM, Scott Brim wrote:
> On May 17, 2011 6:26 PM,  wrote:
>> On Tue, 17 May 2011 15:04:19 PDT, Scott Weeks said:
>> 
>>> What about privacy concerns
>> 
>> "Privacy is dead.  Get used to it." -- Scott McNeely
> 
> Forget that attitude, Valdis. Just because privacy is blown at one level
> doesn't mean you give it away at every other one. We establish the framework
> for recovering privacy and make progress step by step, wherever we can.
> Someday we'll get it all back under control.

if you put something in the dns you do so because you want to be discovered. 
scoping the nameservers such that they only express certain resource 
records to queriers in a particular scope is fairly straightforward.



The article was not about DNS.  It was about "Persistent Personal Names for 
Globally Connected Mobile Devices" where "Users normally create personal names 
by introducing devices locally, on a common WiFi network for example. Once 
created, these names remain persistently bound to their targets as devices 
move. Personal names are intended to supplement and not replace global DNS 
names."  

I see a lot of folks on lists designing future networks where an identifier 
follows you everywhere and we as operators will have to deal with a public 
hostile to the idea of being followed.  It's happening now.  Just read all the 
articles on privacy lost.  It's not going to go away.  People like their 
privacy whether they're doing bad things or not.

scott



Re: Experience with Open Source load balancers?

2011-05-17 Thread Jimmy Hess
On Tue, May 17, 2011 at 6:23 PM, Mark Andrews  wrote:
[snip]
>
> Better still would be for them to return AAAA records but until one
> is ready to do that the negative responses need to be correct.

Hm... better would be for load balancers to operate transparently at Layer 3 and
not tamper with the contents of answers from proper DNS servers.

Eating traffic based on application content, or turning NOERROR,
0 matches into NXDOMAIN is seriously f***'ed up.


I look forward to more domains having DS records published by TLDs w/
signed zones...
and possibly browsers displaying warnings trying to visit HTTPS
domains without a signed zone.

perhaps load balancers/middle box manufacturers will start to become a
little bit more honest in what they do with DNS traffic  :)

--
-JH



Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Valdis . Kletnieks
(And I get flamed by multiple people because I put in the quote and managed to
hit send before adding the commentary. Maybe one of these days I'll learn not
to try to mix replying to e-mail and dealing with vendor engineers doing a tape
library expansion at the same time. :)  Oh well, equivalent text follows as a
reply to Scott...)

On Tue, 17 May 2011 16:05:11 PDT, Scott Weeks said:
> It doesn't have to be that way.  We can design these things any way we want.

True.  The question is whether we get to *deploy* said designs.

> Why give the corpment (corporate/government contraction) an easy time at it?
> Just like the early days, security and privacy do not seem to be in folk's 
> mind
> when things are being designed.

But more importantly, who has more/better lobbyists, you or the people who
want things like COICA and ACTA?

You're going to have to fix *that* problem before trying to address it at the
protocol level will do any real, lasting good.  Either that or we need a *lot*
more TOR relays (while those are still legal).

Oh, and an article that coincidentally popped up since I hit 'send' on the
previous mail:

http://radar.oreilly.com/2011/05/anonymize-data-limits.html

Designing things to evade good data mining is a *lot* harder than it looks.






Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Joel Jaeggli

On May 17, 2011, at 4:30 PM, Scott Brim wrote:

> On May 17, 2011 6:26 PM,  wrote:
>> 
>> On Tue, 17 May 2011 15:04:19 PDT, Scott Weeks said:
>> 
>>> What about privacy concerns
>> 
>> "Privacy is dead.  Get used to it." -- Scott McNeely
> 
> Forget that attitude, Valdis. Just because privacy is blown at one level
> doesn't mean you give it away at every other one. We establish the framework
> for recovering privacy and make progress step by step, wherever we can.
> Someday we'll get it all back under control.

if you put something in the dns you do so because you want to be discovered. 
scoping the nameservers such that they only express certain resource 
records to queriers in a particular scope is fairly straightforward.

> Scott
> 




Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Brim
On May 17, 2011 6:26 PM,  wrote:
>
> On Tue, 17 May 2011 15:04:19 PDT, Scott Weeks said:
>
> > What about privacy concerns
>
> "Privacy is dead.  Get used to it." -- Scott McNeely

Forget that attitude, Valdis. Just because privacy is blown at one level
doesn't mean you give it away at every other one. We establish the framework
for recovering privacy and make progress step by step, wherever we can.
Someday we'll get it all back under control.

Scott


Re: Experience with Open Source load balancers?

2011-05-17 Thread Mark Andrews

In message , Michael Loftis
 writes:
> On Mon, May 16, 2011 at 5:15 PM, Welch, Bryan  wrote:
> > Greetings all.
> >
> > I've been tasked with comparing the use of open source load balancing
> > software against commercially available off the shelf hardware such as
> > F5, which is what we currently use.  We use the load balancers for
> > traditional load balancing, full proxy for http/ssl traffic, ssl
> > termination and certificate management, ssl and http header
> > manipulation, nat, high availability of the physical hardware and
> > stateful failover of the tcp sessions.  These units will be placed at
> > the customer prem supporting our applications and services and we'll
> > need to support them accordingly.
> >
> > Now my "knee jerk" reaction to this is that it's a really bad idea.  It
> > is the heart and soul of our data center network after all.  However,
> > once I started to think about it I realized that I hadn't had any real
> > experience with this solution beyond tinkering with it at home and
> > reading about it in years past.
> >
> > Can anyone offer any operational insight and real world experiences
> > with these solutions?
> 
> Honestly I think to get *all* those features you're much better off
> with commercial solutions like the ones you're already using from F5,
> or something from Cisco, Coyote Point, Brocade, or others.  You can
> absolutely put together a solution based on any number of open source
> products, but you won't get the single integrated front end for
> management and configuration that any of the commercial options will
> provide, you may be missing features, and ultimately, you're on the
> hook for making it work.  In particular the stateful failover has been
> problematic in open source solutions in my experience.  They've come a
> VERY long way, but it is a hard problem to tackle.
> 
> I've worked with open source and commercial solutions, and while the
> open source systems were almost always far more flexible, and cheaper
> up front, they certainly required more work to get going..  Once setup
> and running though both types of solutions had pretty equal amounts of
> maintenance, with the commercial solutions requiring somewhat less
> time/babysitting for upgrades and to enable or use new features or
> functionality.

Just make sure the DNS components return valid responses to AAAA
queries as well as valid responses to A queries.  Many load balancers
get this wrong.  They return NXDOMAIN instead of NOERROR, they drop
AAAA queries, they don't return CNAMEs when the A response returns
a CNAME, they return the wrong SOA record (doesn't match the zone
delegated to the box).

Better still would be for them to return AAAA records but until one
is ready to do that the negative responses need to be correct.

If they are returning AAAA queries check NS, SOA, TXT and MX responses
for similar errors.  AAAA is just more visible as browsers make AAAA
queries and the others are done in the background.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
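An added example, not from the thread and not from any load balancer vendor: a minimal wire-level DNS client together with the consistency rules Mark lists, so the A/AAAA pair a load balancer's DNS front end returns for a name can be tested for them. The response fixtures are constructed, example.net is a placeholder zone, and the sample address is from the 192.0.2.0/24 documentation range.

```python
import random
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "AAAA": 28}
TYPE_NAME = {v: k for k, v in QTYPE.items()}
RCODE = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def norm(name):                     # canonical form: lower case, trailing dot
    return name.lower().rstrip(".") + "."

def encode_name(name):              # wire-format a name, no compression
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode a name at off, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as written at off)."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # pointer: 14-bit offset
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    return norm(".".join(labels)), (off if end is None else end)

def build_query(name, qtype, qid=None):
    qid = random.randrange(65536) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)

def parse_response(msg):
    """Header, question, and answer/authority as (owner, type, rdata) triples;
    CNAME/NS rdata is decoded to a name, everything else stays raw bytes."""
    qid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    qname, off = decode_name(msg, 12)
    qtype = struct.unpack("!H", msg[off:off + 2])[0]
    off += 4
    sections = []
    for count in (an, ns):
        rrs = []
        for _ in range(count):
            owner, off = decode_name(msg, off)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10
            rdata = decode_name(msg, off)[0] if rtype in (2, 5) else msg[off:off + rdlen]
            off += rdlen
            rrs.append((owner, TYPE_NAME.get(rtype, rtype), rdata))
        sections.append(rrs)
    return {"id": qid, "rcode": RCODE.get(flags & 0xF, flags & 0xF), "qname": qname,
            "qtype": TYPE_NAME.get(qtype, qtype), "answer": sections[0],
            "authority": sections[1]}

def query(server, name, qtype, timeout=2.0):
    """One UDP query to a server; None means no reply, i.e. a dropped query."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_response(data)

def check_pair(a, aaaa, zone):
    """Apply the thread's rules to the A and AAAA responses for one name;
    zone is the zone delegated to the box.  Empty list means it behaved."""
    zone = norm(zone)
    if aaaa is None:
        return ["AAAA query dropped (no reply)"]
    findings = []
    if a["rcode"] == "NOERROR" and aaaa["rcode"] == "NXDOMAIN":
        findings.append("NXDOMAIN for AAAA although the name exists (A got NOERROR)")
    a_cn = {rd for _, t, rd in a["answer"] if t == "CNAME"}
    aaaa_cn = {rd for _, t, rd in aaaa["answer"] if t == "CNAME"}
    if a_cn != aaaa_cn:
        findings.append("CNAME in A answer not returned in AAAA answer")
    if not any(t == "AAAA" for _, t, _ in aaaa["answer"]):        # negative answer
        soa = [own for own, t, _ in aaaa["authority"] if t == "SOA"]
        if not soa:
            findings.append("negative AAAA response carries no SOA")
        elif soa[0] != zone:
            findings.append("SOA owner %s does not match delegated zone %s" % (soa[0], zone))
    return findings

def build_response(qname, qtype, rcode, answer=(), authority=()):
    """Constructed fixture standing in for a reply from a load balancer."""
    msg = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, len(answer), len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)
    for owner, rtype, rdata in list(answer) + list(authority):
        rdata = encode_name(rdata) if rtype in ("CNAME", "NS") else rdata
        msg += encode_name(owner) + struct.pack("!HHIH", QTYPE[rtype], 1, 300, len(rdata)) + rdata
    return msg
```

Against a real box: a = query(addr, name, "A"); aaaa = query(addr, name, "AAAA"); check_pair(a, aaaa, zone). A None from query() is itself a finding (the dropped-AAAA case). The CNAME rule compares the CNAME sets in both answers, so when the A answer is a CNAME into another zone, pass the zone the target is delegated to for the SOA owner check. Mark's closing advice applies unchanged: run the same pair of checks with NS, SOA, TXT and MX in place of AAAA.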



Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Weeks


--- valdis.kletni...@vt.edu wrote: -
From: 
On Tue, 17 May 2011 15:04:19 PDT, Scott Weeks said:
 
> What about privacy concerns

"Privacy is dead.  Get used to it." -- Scott McNeely
--


It doesn't have to be that way.  We can design these things any way we want.  
Why give the corpment (corporate/government contraction) an easy time at it?  
Just like the early days, security and privacy do not seem to be in folk's mind 
when things are being designed.

scott





Re: user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Valdis . Kletnieks
On Tue, 17 May 2011 15:04:19 PDT, Scott Weeks said:
 
> What about privacy concerns

"Privacy is dead.  Get used to it." -- Scott McNeely






user-relative names - was:[Re: Yahoo and IPv6]

2011-05-17 Thread Scott Weeks


--- d...@dotat.at wrote:
Or perhaps user-relative names.
http://www.brynosaurus.com/pub/net/uia-osdi.pdf
--


What about privacy concerns; stopping your every move being tracked through the 
personal name attached to all of your devices?  Did I miss something in the 
paper?

scott



Re: Yahoo and IPv6

2011-05-17 Thread Mans Nilsson
Subject: Re: Yahoo and IPv6 Date: Tue, May 17, 2011 at 12:56:37PM + Quoting 
Paul Vixie (vi...@isc.org):

> :-).
> 
> to be clear, the old pre-web T1 era internet did not have much content
> but what content there was, was not lopsided.  other than slip and ppp
> there weren't a lot of networks one would call "access" and a smaller
> number of networks one would call "content".  i am not wishing for that,
> i like the web, i like content, i know there will be specialized networks
> for access and content.  but i also think (as jim gettys does) that we
> ought to be able to get useful work done without being able to reach the
> whole internet all the time.  that's going to mean being able to reach
> other mostly-access networks in our same neighborhoods and multitenant
> buildings and towns and cities, directly, and by name.  it does not mean
> being able to start facebook 2.0 out of somebody's basement, but it does
> mean being able to run a personal smtp or web server in one's basement
> and have it mostly work for the whole internet and work best for accessors
> who are close by and still work even when the "upstream" path for the
> neighborhood is down.
 
Now I seem to have got time enough to fully agree with you.  

The next facebook will start in a low-price datacenter. These
facilities did not exist as products before, and it can be argued that
the access/content separation does drive that market -- as long as I
had working Internet (as opposed to access class "Internet" ) at home,
I had no use for a colo.

Still, the centralization of content into a few networks does raise a
number of issues -- mostly regarding stability. Do note here that
several factors negatively impact stability, be they technical,
economical or legal. Peter Löthberg long ago advocated a network
interconnection model that was pretty local (and I believe he still
does). Peer often and everywhere.  That would take care of packets
getting through (as long as we all have unique addresses to point at;
v6 fixes this) The services that take the Net from being a graph
problem for nerds with BGP CLI access into what it has become need to
undergo similar fine-graining to keep up.

Oh, sorry, got carried away. 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
My life is a patio of fun!




Netflix Is Eating Up More Of North America's Bandwidth Than Any Other Company

2011-05-17 Thread Roy


http://e.businessinsider.com/public/184962




Re: Experience with Open Source load balancers?

2011-05-17 Thread LaDerrick H.
On Mon, May 16, 2011 at 04:15:45PM -0700, Welch, Bryan wrote:
> Greetings all.
> 
> I've been tasked with comparing the use of open source load balancing 
> software against commercially available off the shelf hardware such as F5, 
> which is what we currently use.  We use the load balancers for traditional 
> load balancing, full proxy for http/ssl traffic, ssl termination and 
> certificate management, ssl and http header manipulation, nat, high 
> availability of the physical hardware and stateful failover of the tcp 
> sessions.  These units will be placed at the customer prem supporting our 
> applications and services and we'll need to support them accordingly.
> 
> Now my "knee jerk" reaction to this is that it's a really bad idea.  It is 
> the heart and soul of our data center network after all.  However, once I 
> started to think about it I realized that I hadn't had any real experience 
> with this solution beyond tinkering with it at home and reading about it in 
> years past.
> 
> Can anyone offer any operational insight and real world experiences with 
> these solutions?

I've used LVS and other Open Source solutions in the past.  As others
have alluded to, these require knowledge and experience with the
underlying OS and network stack that's often lacking in many
organizations.  A good hybrid solution which implements all (I think) of
your requirements is Zeus (http://www.zeus.com/)  It's a software
solution which you can deploy on your own hardware.  It's been very
solid in my experience.  You can deploy the software in a clustered
configuration if needed, though I've only used it in an HA pair.

LaDerrick

> 
> TIA, replies off list are welcomed.
> 
> 
> Regards,
> 
> Bryan
> 



Re: Experience with Open Source load balancers?

2011-05-17 Thread Paul Graydon

On 05/17/2011 08:23 AM, Tom Hill wrote:
>> I've worked with open source and commercial solutions, and while the
>> open source systems were almost always far more flexible, and cheaper
>> up front, they certainly required more work to get going.  Once setup
>> and running though both types of solutions had pretty equal amounts of
>> maintenance, with the commercial solutions requiring somewhat less
>> time/babysitting for upgrades and to enable or use new features or
>> functionality.
>
> I worry far more about upgrades to proprietary appliances (where it's
> often the whole system image), than I do about a few package updates on
> a Linux machine (followed by a service restart, or two).
>
> But still, pretty well worded. :)
>
> Tom


Can't speak for other brands these days but F5s have two hard disks in 
them.  You can upgrade the software on the hot-spare, boot off that and 
confirm everything is working.  If it isn't you can just switch back.


Paul



Re: Experience with Open Source load balancers?

2011-05-17 Thread Tom Hill
On Tue, 2011-05-17 at 11:03 -0600, Michael Loftis wrote:
> On Mon, May 16, 2011 at 5:15 PM, Welch, Bryan  wrote:
> > Greetings all.
> >
> > I've been tasked with comparing the use of open source load balancing 
> > software against commercially available off the shelf hardware such as F5, 
> > which is what we currently use.  We use the load balancers for traditional 
> > load balancing, full proxy for http/ssl traffic, ssl termination and 
> > certificate management, ssl and http header manipulation, nat, high 
> > availability of the physical hardware and stateful failover of the tcp 
> > sessions.  These units will be placed at the customer prem supporting our 
> > applications and services and we'll need to support them accordingly.
> >
> > Now my "knee jerk" reaction to this is that it's a really bad idea.  It is 
> > the heart and soul of our data center network after all.  However, once I 
> > started to think about it I realized that I hadn't had any real experience 
> > with this solution beyond tinkering with it at home and reading about it in 
> > years past.
> >
> > Can anyone offer any operational insight and real world experiences with 
> > these solutions?
> 
> Honestly I think to get *all* those features you're much better off
> with commercial solutions like the ones you're already using from F5,
> or something from Cisco, Coyote Point, Brocade, or others.  You can
> absolutely put together a solution based on any number of open source
> products, but you won't get the single integrated front end for
> management and configuration that any of the commercial options will
> provide, you may be missing features, and ultimately, you're on the
> hook for making it work.  In particular the stateful failover has been
> problematic in open source solutions in my experience.  They've come a
> VERY long way, but it is a hard problem to tackle.

+1. I think the list of features covers more than just one FOSS project.

Whilst I've had no end of good experiences using LVS (as some others
have mentioned), I wouldn't expect it to do all that is requested in the
original post. At least, not by itself.

> I've worked with open source and commercial solutions, and while the
> open source systems were almost always far more flexible, and cheaper
> up front, they certainly required more work to get going.  Once setup
> and running though both types of solutions had pretty equal amounts of
> maintenance, with the commercial solutions requiring somewhat less
> time/babysitting for upgrades and to enable or use new features or
> functionality.

I worry far more about upgrades to proprietary appliances (where it's
often the whole system image), than I do about a few package updates on
a Linux machine (followed by a service restart, or two).

But still, pretty well worded. :)

Tom





Re: Experience with Open Source load balancers?

2011-05-17 Thread Jeff Neuffer Jr
We've used Linux LVS for many many years with success.
http://www.linuxvirtualserver.org/



On Mon, May 16, 2011 at 7:15 PM, Welch, Bryan wrote:

> Greetings all.
>
> I've been tasked with comparing the use of open source load balancing
> software against commercially available off the shelf hardware such as F5,
> which is what we currently use.  We use the load balancers for traditional
> load balancing, full proxy for http/ssl traffic, ssl termination and
> certificate management, ssl and http header manipulation, nat, high
> availability of the physical hardware and stateful failover of the tcp
> sessions.  These units will be placed at the customer prem supporting our
> applications and services and we'll need to support them accordingly.
>
> Now my "knee jerk" reaction to this is that it's a really bad idea.  It is
> the heart and soul of our data center network after all.  However, once I
> started to think about it I realized that I hadn't had any real experience
> with this solution beyond tinkering with it at home and reading about it in
> years past.
>
> Can anyone offer any operational insight and real world experiences with
> these solutions?
>
> TIA, replies off list are welcomed.
>
>
> Regards,
>
> Bryan
>
>


-- 
~Jeff

"It is not the critic who counts, nor the man who points how the strong man
stumbled or where the doer of deeds could have done them better. The credit
belongs to the man who is actually in the arena; whose face is marred by
dust and sweat and blood; who strives valiantly...who knows the great
enthusiasms, the great devotions, and spends himself in a worthy cause; who,
at best, knows the triumph of high achievement; and who, at the worst, if he
fails, at least fails while daring greatly, so that his place shall never be
with those cold and timid souls who know neither victory nor defeat."

Theodore Roosevelt (1858 - 1919), "Man in the Arena" Speech given April 23,
1910


Re: Yahoo and IPv6

2011-05-17 Thread Tony Finch
Paul Vixie  wrote:

> > This is all very confusing to me. How are meaningful names going to be assigned
> > automatically?
>
> It'll probably be a lot like Apple's and Xerox's various multicast naming
> systems if we want it to work in non-globally connected networks.

Or perhaps user-relative names.
http://www.brynosaurus.com/pub/net/uia-osdi.pdf

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Rockall, Malin, Hebrides: South 5 to 7, occasionally gale 8 at first in
Rockall and Malin, veering west or northwest 4 or 5, then backing southwest 5
or 6 later. Rough or very rough. Occasional rain. Moderate or good,
occasionally poor.



Re: Experience with Open Source load balancers?

2011-05-17 Thread Michael Loftis
On Mon, May 16, 2011 at 5:15 PM, Welch, Bryan  wrote:
> Greetings all.
>
> I've been tasked with comparing the use of open source load balancing 
> software against commercially available off the shelf hardware such as F5, 
> which is what we currently use.  We use the load balancers for traditional 
> load balancing, full proxy for http/ssl traffic, ssl termination and 
> certificate management, ssl and http header manipulation, nat, high 
> availability of the physical hardware and stateful failover of the tcp 
> sessions.  These units will be placed at the customer prem supporting our 
> applications and services and we'll need to support them accordingly.
>
> Now my "knee jerk" reaction to this is that it's a really bad idea.  It is 
> the heart and soul of our data center network after all.  However, once I 
> started to think about it I realized that I hadn't had any real experience 
> with this solution beyond tinkering with it at home and reading about it in 
> years past.
>
> Can anyone offer any operational insight and real world experiences with 
> these solutions?

Honestly I think to get *all* those features you're much better off
with commercial solutions like the ones you're already using from F5,
or something from Cisco, Coyote Point, Brocade, or others.  You can
absolutely put together a solution based on any number of open source
products, but you won't get the single integrated front end for
management and configuration that any of the commercial options will
provide, you may be missing features, and ultimately, you're on the
hook for making it work.  In particular the stateful failover has been
problematic in open source solutions in my experience.  They've come a
VERY long way, but it is a hard problem to tackle.

I've worked with open source and commercial solutions, and while the
open source systems were almost always far more flexible, and cheaper
up front, they certainly required more work to get going.  Once setup
and running though both types of solutions had pretty equal amounts of
maintenance, with the commercial solutions requiring somewhat less
time/babysitting for upgrades and to enable or use new features or
functionality.



Re: Yahoo and IPv6

2011-05-17 Thread Paul Vixie
> Date: Tue, 17 May 2011 11:49:47 -0400
> From: Steve Clark 
> 
> This is all very confusing to me. How are meaningful names going to be assigned
> automatically?

It'll probably be a lot like Apple's and Xerox's various multicast naming
systems if we want it to work in non-globally connected networks.

> Right now I see something like ool-6038bdcc.static.optonline.net for
> one of our servers, how does this mean anything to anyone else?

It wouldn't of course.  I'm sorry if my earlier words on this were useless.

Dave Taht gave a wonderful talk a few weeks ago ("Finishing the Internet",
see http://amw.org/prog11.pdf) during which he had us start an rsync
from his wireless laptop to as many of ours as could run rsync, and then
had the conference organizer turn off the upstream link.  He noted that
those of us using the local resource (a giant file, either an ISO or a
MPEG or similar) were still getting work done whereas those of us trying
to "use the internet" were dead in the water.  Then, referring to his
time in Nicaragua he said that he has a lot of days like this and he'd
like more work to be possible when only local connectivity was available.

Compelling stuff.  Pity there's no global market for localized services
or we'd already have it.  Nevertheless this must and will get fixed, and
we should be the generation who does it.



Re: Yahoo and IPv6

2011-05-17 Thread Iljitsch van Beijnum
On 17 mei 2011, at 17:55, Matthew Kaufman wrote:

> firewall traversal

Smells like job security: first install a firewall, then traverse it anyway.




Re: Yahoo and IPv6

2011-05-17 Thread Joel Jaeggli

On May 17, 2011, at 8:49 AM, Steve Clark wrote:

> On 05/17/2011 08:56 AM, Paul Vixie wrote:
>>> Date: Tue, 17 May 2011 11:07:17 +0200
>>> From: Mans Nilsson
>>> 
>>>>> ... It's not like you can even reach anything at home now, let alone
>>>>> reach it by name.
>>>> that must and will change.  let's be the generation who makes it possible.
>>> I'd like to respond to this by stating that I support this fully, but
>>> I'm busy making sure I can reach my machines at home from the IPv6
>>> Internet. By name. ;-)
>> :-).
>> 
>> to be clear, the old pre-web T1 era internet did not have much content
>> but what content there was, was not lopsided.  other than slip and ppp
>> there weren't a lot of networks one would call "access" and a smaller
>> number of networks one would call "content".  i am not wishing for that,
>> i like the web, i like content, i know there will be specialized networks
>> for access and content.  but i also think (as jim gettys does) that we
>> ought to be able to get useful work done without being able to reach the
>> whole internet all the time.  that's going to mean being able to reach
>> other mostly-access networks in our same neighborhoods and multitenant
>> buildings and towns and cities, directly, and by name.  it does not mean
>> being able to start facebook 2.0 out of somebody's basement, but it does
>> mean being able to run a personal smtp or web server in one's basement
>> and have it mostly work for the whole internet and work best for accessors
>> who are close by and still work even when the "upstream" path for the
>> neighborhood is down.
>> 
> This is all very confusing to me. How are meaningful names going to be assigned
> automatically?

dynamic dns updates seems like an obvious choice.

> Right now I see something like ool-6038bdcc.static.optonline.net for one of
> our servers, how does this mean anything to anyone else?
> 
> 
> -- 
> Stephen Clark
> *NetWolves*
> Sr. Software Engineer III
> Phone: 813-579-3200
> Fax: 813-882-0209
> Email: steve.cl...@netwolves.com
> http://www.netwolves.com
> 




Re: Yahoo and IPv6

2011-05-17 Thread Matthew Kaufman

On 5/17/2011 5:25 AM, Owen DeLong wrote:


> My point was that at least in IPv6, you can reach your boxes whereas with
> IPv4, you couldn't reach them at all (unless you used a rendezvous service
> and preconfigured stuff).


Actually almost everyone will *still* need a rendezvous service as even 
if there isn't NAT66 (which I strongly suspect there will be, as nobody 
has magically solved the rest of the renumbering problems) there will 
still be default firewall filters that the average end-user won't know 
how or why to change (and in some cases won't even have access to the CPE).


For the former we can only hope that NAT66 box builders can get guidance 
from IETF rather than having IETF stick its collective head in the 
sand... for the latter the firewall traversal has a chance of being more 
reliable than having to traverse both filtering and address translation.


Matthew Kaufman



Re: Yahoo and IPv6

2011-05-17 Thread Steve Clark

On 05/17/2011 08:56 AM, Paul Vixie wrote:

>> Date: Tue, 17 May 2011 11:07:17 +0200
>> From: Mans Nilsson
>>
>>>> ... It's not like you can even reach anything at home now, let alone
>>>> reach it by name.
>>>
>>> that must and will change.  let's be the generation who makes it possible.
>>
>> I'd like to respond to this by stating that I support this fully, but
>> I'm busy making sure I can reach my machines at home from the IPv6
>> Internet. By name. ;-)
>
> :-).
>
> to be clear, the old pre-web T1 era internet did not have much content
> but what content there was, was not lopsided.  other than slip and ppp
> there weren't a lot of networks one would call "access" and a smaller
> number of networks one would call "content".  i am not wishing for that,
> i like the web, i like content, i know there will be specialized networks
> for access and content.  but i also think (as jim gettys does) that we
> ought to be able to get useful work done without being able to reach the
> whole internet all the time.  that's going to mean being able to reach
> other mostly-access networks in our same neighborhoods and multitenant
> buildings and towns and cities, directly, and by name.  it does not mean
> being able to start facebook 2.0 out of somebody's basement, but it does
> mean being able to run a personal smtp or web server in one's basement
> and have it mostly work for the whole internet and work best for accessors
> who are close by and still work even when the "upstream" path for the
> neighborhood is down.


This is all very confusing to me. How are meaningful names going to be assigned
automatically?
Right now I see something like ool-6038bdcc.static.optonline.net for one of our
servers, how does this mean anything to anyone else?


--
Stephen Clark
*NetWolves*
Sr. Software Engineer III
Phone: 813-579-3200
Fax: 813-882-0209
Email: steve.cl...@netwolves.com
http://www.netwolves.com


Re: Yahoo and IPv6

2011-05-17 Thread Paul Vixie
> Date: Tue, 17 May 2011 11:07:17 +0200
> From: Mans Nilsson 
> 
> > > ... It's not like you can even reach anything at home now, let alone
> > > reach it by name.
> > 
> > that must and will change.  let's be the generation who makes it possible.
> 
> I'd like to respond to this by stating that I support this fully, but
> I'm busy making sure I can reach my machines at home from the IPv6
> Internet. By name. ;-)

:-).

to be clear, the old pre-web T1 era internet did not have much content
but what content there was, was not lopsided.  other than slip and ppp
there weren't a lot of networks one would call "access" and a smaller
number of networks one would call "content".  i am not wishing for that,
i like the web, i like content, i know there will be specialized networks
for access and content.  but i also think (as jim gettys does) that we
ought to be able to get useful work done without being able to reach the
whole internet all the time.  that's going to mean being able to reach
other mostly-access networks in our same neighborhoods and multitenant
buildings and towns and cities, directly, and by name.  it does not mean
being able to start facebook 2.0 out of somebody's basement, but it does
mean being able to run a personal smtp or web server in one's basement
and have it mostly work for the whole internet and work best for accessors
who are close by and still work even when the "upstream" path for the
neighborhood is down.



Re: Yahoo and IPv6

2011-05-17 Thread Owen DeLong

On May 17, 2011, at 2:07 AM, Mans Nilsson wrote:

> Subject: Re: Yahoo and IPv6 Date: Tue, May 17, 2011 at 04:22:54AM + 
> Quoting Paul Vixie (vi...@isc.org):
>>> From: Owen DeLong 
>>> Date: Mon, 16 May 2011 16:12:27 -0700
>>> 
>>> ... It's not like you can even reach anything at home now, let alone
>>> reach it by name.
>> 
>> that must and will change.  let's be the generation who makes it possible.
> 
> I'd like to respond to this by stating that I support this fully, but
> I'm busy making sure I can reach my machines at home from the IPv6
> Internet. By name. ;-) 

I think my statement has been taken out of context and misunderstood.

I was responding to a claim that having to understand DNS to reach your
IPv6 boxes by name was somehow a step backwards from IPv4.

My point was that at least in IPv6, you can reach your boxes whereas with
IPv4, you couldn't reach them at all (unless you used a rendezvous service
and preconfigured stuff).

To me, pre-configuring DNS through the web interface for one of the free
DNS services with the IPv6 address is not any more difficult than setting
up one of the rendezvous services (most of which you have to pay for
if you want any real utility).

To my mind, IPv6 is a giant leap forward here, not a step backwards.
At least you can reach your stuff, even if the administration of the naming
process isn't 100% automated and perfect just yet.

Owen




Re: Yahoo and IPv6

2011-05-17 Thread Mans Nilsson
Subject: Re: Yahoo and IPv6 Date: Tue, May 17, 2011 at 04:22:54AM + Quoting 
Paul Vixie (vi...@isc.org):
> > From: Owen DeLong 
> > Date: Mon, 16 May 2011 16:12:27 -0700
> > 
> > ... It's not like you can even reach anything at home now, let alone
> > reach it by name.
> 
> that must and will change.  let's be the generation who makes it possible.

I'd like to respond to this by stating that I support this fully, but
I'm busy making sure I can reach my machines at home from the IPv6
Internet. By name. ;-) 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
HELLO KITTY gang terrorizes town, family STICKERED to death!

