NAT444 or ?

2011-09-01 Thread Serge Vautour
Hello,

Things I understand: IPv6 is the long term solution to IPv4 exhaustion. For 
IPv6 to work correctly, most of the IPv4 content has to be on IPv6. That's not 
there yet. IPv6 deployment to end users is not trivial (end user support, CPE 
support, etc...). Translation techniques are generally evil. IPv6->IPv4 still 
requires 1 IPv4 IP per end user or else you're doing NAT. IPv4->IPv6 (1-1) 
doesn't solve our main problem of giving users access to the IPv4 Internet.


I expect like most companies we're faced with having to extend the life of IPv4 
since our users will continue to want access to the IPv4 content. Doing that by 
giving them an IPv6 address is not very feasible yet for many reasons. NAT444 
seems like the only solution available while we slowly transition over to IPv6 
over the next 20 years. Based on this RFC, NAT444 breaks a lot of 
applications!

http://tools.ietf.org/html/draft-donley-nat444-impacts-01

Has anyone deployed NAT444? Can folks share their experiences? Does it really 
break this many apps? What other options do we have? 


Thanks,
Serge


Re: NAT444 or ?

2011-09-01 Thread Cameron Byrne
On Thu, Sep 1, 2011 at 11:36 AM, Serge Vautour  wrote:
> Hello,
>
> Things I understand: IPv6 is the long term solution to IPv4 exhaustion. For 
> IPv6 to work correctly, most of the IPv4 content has to be on IPv6. That's 
> not there yet. IPv6 deployment to end users is not trivial (end user support, 
> CPE support, etc...). Translation techniques are generally evil. IPv6->IPv4 
> still requires 1 IPv4 IP per end user or else you're doing NAT. IPv4->IPv6 
> (1-1) doesn't solve our main problem of giving users access to the IPv4 
> Internet.
>

Correct, all content is not there yet... but World IPv6 Day showed
that Google, Facebook, Yahoo, Microsoft and 400+ others are just about
ready to go.

http://en.wikipedia.org/wiki/World_IPv6_Day

IPv6->IPv4 does not require 1 to 1,  any protocol translation is a
form of NATish things, and stateful NAT64 has many desirable
properties IF you already do NAT44.  Specifically, it is nice that
IPv6 flows bypass the NAT  and as more content becomes  IPv6, NAT
becomes less and less used.  In this way, unlike NAT44 or NAT444,
NAT64 has an exit strategy that ends with proper E2E networking with
IPv6... the technology and economic incentives push the right way
(more IPv6...)

Have a look at http://tools.ietf.org/html/rfc6146

There are multiple opensource and big vendor (C, J, B, LB guys...)
implementations of NAT64 / DNS64 ... I have trialed it and plan to
deploy it, YMMV... It works great for web and email, not so great for
gaming and Skype.

>
> I expect like most companies we're faced with having to extend the life of 
> IPv4 since our users will continue to want access to the IPv4 content. Doing 
> that by giving them an IPv6 address is not very feasible yet for many 
> reasons. NAT444 seems like the only solution available while we slowly 
> transition over to IPv6 over the next 20 years. Based on this RFC, NAT444 
> breaks a lot of applications!
>
> http://tools.ietf.org/html/draft-donley-nat444-impacts-01
>

This is just putting IPv4 on life support without moving the needle
towards a long term solution. NAT64 = good investment to get IPv6 off
the blocks.  NAT444 = life support / money pit with forklift exit
required.

> Has anyone deployed NAT444? Can folks share their experiences? Does it really 
> break this many apps? What other options do we have?
>

Yes, expect it to be deployed in places where the access gear can only
do IPv4 and there is no money or technology available to bring in
IPv6.

Cameron

>
> Thanks,
> Serge
>

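Added example, not code from Cameron's post or from any of the vendors he alludes to: the two mechanisms behind "IPv6 flows bypass the NAT" in Python's standard library. DNS64 hands back native AAAA records untouched and only fabricates an AAAA from an A record when none exists; the NAT64 translator then only sees traffic whose destination carries an embedded IPv4 address. The prefix used is the RFC 6052 well-known prefix 64:ff9b::/96 (the post does not name it, and a deployment may use its own /96 instead); the zone data is constructed and is not real records for any domain.

```python
import ipaddress

# RFC 6052 well-known prefix for NAT64. A network-specific /96 prefix works
# the same way; this example handles the /96 embedding layout only.
WKP = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4, prefix=WKP):
    """Embed an IPv4 address in the low 32 bits of a /96 NAT64 prefix, which is
    what a DNS64 resolver does when it fabricates an AAAA answer from an A."""
    if prefix.prefixlen != 96:
        raise ValueError("only /96 NAT64 prefixes are handled here")
    v4 = ipaddress.IPv4Address(ipv4)
    return ipaddress.IPv6Address(int(prefix.network_address) | int(v4))


def extract_ipv4(v6, prefix=WKP):
    """Inverse mapping the NAT64 translator applies to an IPv6 destination.
    None means the destination is native IPv6 and is never translated."""
    v6 = ipaddress.IPv6Address(v6)
    if v6 not in prefix:
        return None
    return ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF)


def dns64_answer(name, zone, prefix=WKP):
    """DNS64 behaviour: native AAAA wins; synthesis happens only when the name
    has no AAAA at all. `zone` is a constructed dict standing in for the
    answers an upstream resolver would return."""
    rr = zone.get(name, {})
    if rr.get("AAAA"):
        return [(ipaddress.IPv6Address(a), "native") for a in rr["AAAA"]]
    return [(synthesize_aaaa(a, prefix), "synthesized") for a in rr.get("A", [])]


def classify_flow(dst, prefix=WKP):
    """What an IPv6-only client's flow to `dst` does on the wire: a native
    IPv6 destination bypasses the translator entirely, a prefix-embedded one
    consumes NAT64 state. As content moves to IPv6 the second case shrinks."""
    return "translated" if extract_ipv4(dst, prefix) is not None else "native"


# Constructed sample zone (documentation addresses), not real records.
ZONE = {
    "dual.example.":   {"A": ["192.0.2.1"], "AAAA": ["2001:db8::1"]},
    "v4only.example.": {"A": ["198.51.100.7"]},
}

if __name__ == "__main__":
    for name in ZONE:
        for addr, how in dns64_answer(name, ZONE):
            print(f"{name:18} {str(addr):24} {how:12} -> {classify_flow(addr)}")
```

Running it shows the dual-stack name answered natively and reaching its target without touching the translator, while the IPv4-only name gets 64:ff9b::c633:6407 and every packet to it goes through NAT64 state.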


Re: [Nanog-futures] Admission for Committee Members

2011-09-01 Thread Randy Bush
i do not support getting paid for community service.  a primrose path.

randy



Re: [Nanog-futures] Admission for Committee Members

2011-09-01 Thread Rob Thomas
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi, team.

> i do not support getting paid for community service.  a primrose path.

Bravo and agreed!

Thanks,
Rob.
- --
Rob Thomas
Team Cymru
https://www.team-cymru.org/
"Say little and do much." M Avot 1:15

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (Darwin)

iQCVAwUBTl/prlkX3QAo5sgJAQLRYQP8DzUc9mjKMDFVe3QE7udfTa+pWKV4TbcQ
lM9EgatUnkyEPxahCAyAH9VKsM3YLJ0Brhnk8aJqzH4doXElKRijMw3A9DTxG+Qx
+KY+niCXQtF95XuK+kVcQsUBZHp/2evVr54B4CdMUZ9IywpB8w+FcMo6QS8sCttk
4kj7pqmigQU=
=C8gq
-END PGP SIGNATURE-



Access and Session Control System?

2011-09-01 Thread Jones, Barry
 
Hello all.
I am looking at a variety of systems/methods to provide (vendor, employee) 
access into my DMZs. I want to reduce the FW rule sets and connections to as 
minimal as possible. And I want the accessing party to only get to the 
destination I define (like a fw rule).

When I refer to access, I'm referring to the ability of a vendor or employee to 
perform maintenance tasks on a server(s). The server(s) will be running apps 
for doing different tasks - such as Shavlik, etc..,  (patching, reports, 
logging, etc..), so I am envisioning allowing an outside vendor/employee (from 
the internet or corp. net) to RDP or SSH to a given Windows or Unix based 
machine, then perform their application work from that jumping off point - 
kind of like a terminal server; but I'd like to control and audit the sessions 
as well.

Overall, I can allow a host/port through the FW to a single host, but I wanted 
to be able to do the session management and endpoint controls. FW's are ok, but 
you know as well as I that I now deal with lots of rule sets. And I need to 
also authenticate the user.

We are a couple smaller facilities (150 hosts each) and I need to be able to 
control and audit the sessions when requested. I have considered doing a 
meetingplace server, then providing escorted access for them, or doing just the 
FW and a "jump" host - but need the endpoint and session solution, or just 
using VPN - but don't want to install a host on the vendor machines. I also 
have looked at a product called EDMZ - wondered if anyone had experience with 
it?

And did I say I wanted to keep it as simple as possible? :-) It's been a few 
years since I've done hands-on networking work, so excuse the long-winded 
letter. Feel free to email me directly too.

Sincerely
Barry Jones
CISSP, GSNA

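Added example, not from the thread or any of the products named in it: the "FW plus jump host" option expressed as an OpenSSH server policy, which gets you the per-user destination restriction and session control without installing anything on the vendor's machine. The group name vendors, the target 10.0.50.10, and the wrapper /usr/local/sbin/audited-shell are assumed placeholders; the wrapper is whatever records the session on the jump host (for example a script(1)-style typescript per login), and is not supplied here.

```sshd_config
# Added example (assumed names), not configuration from the thread.
# Global defaults stay strict for everyone; the Match block is the vendor policy.
PasswordAuthentication no
PubkeyAuthentication yes
LogLevel VERBOSE

Match Group vendors
    # Every login lands in the recording wrapper, even if the client asks for a
    # different command; the wrapper is the audit point the poster wants.
    ForceCommand /usr/local/sbin/audited-shell
    # The only thing a vendor may reach past the jump host is the one
    # maintenance target (RDP or SSH), so the firewall needs a single rule
    # from the jump host to it rather than one per vendor.
    AllowTcpForwarding local
    PermitOpen 10.0.50.10:3389 10.0.50.10:22
    # No way to pivot further: no agent, X11, or layer-3 tunnels.
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
    # Drop idle or dead vendor sessions instead of leaving them open.
    ClientAliveInterval 60
    ClientAliveCountMax 3
```

Check the policy before relying on it with sshd -T -C user=somevendor,host=jump,addr=203.0.113.5 (addresses assumed), which prints the effective values for a given connection; the vendor's own account and key still need to be created in the vendors group, and the firewall should only pass the jump host, not the vendor's source address, to 10.0.50.10.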

Re: Access and Session Control System?

2011-09-01 Thread Rafael Rodriguez
I recommend you look into the Juniper SSL VPN products (SA Series). Very powerful 
boxes, intuitive admin interface (web driven) and are perfect for the "Vendor 
Access" type of applications.

Sent from my iPhone

On Sep 1, 2011, at 16:30, "Jones, Barry"  wrote:

> 
> Hello all.
> I am looking at a variety of systems/methods to provide (vendor, employee) 
> access into my DMZs. I want to reduce the FW rule sets and connections to as 
> minimal as possible. And I want the accessing party to only get to the 
> destination I define (like a fw rule).
> 
> When I refer to access, I'm referring to the ability of a vendor or employee 
> to perform maintenance tasks on a server(s). The server(s) will be running 
> apps for doing different tasks - such as Shavlik, etc..,  (patching, reports, 
> logging, etc..), so I am envisioning allowing an outside vendor/employee 
> (from the internet or corp. net) to RDP or SSH to a given Windows or Unix 
> based machine, then perform their application work from that jumping off 
> point - kind of like a terminal server; but I'd like to control and audit the 
> sessions as well.
> 
> Overall, I can allow a host/port through the FW to a single host, but I 
> wanted to be able to do the session management and endpoint controls. FW's 
> are ok, but you know as well as I that I now deal with lots of rule sets. 
> And I need to also authenticate the user.
> 
> We are a couple smaller facilities (150 hosts each) and I need to be able to 
> control and audit the sessions when requested. I have considered doing a 
> meetingplace server, then providing escorted access for them, or doing just 
> the FW and a "jump" host - but need the endpoint and session solution, or 
> just using VPN - but don't want to install a host on the vendor machines. I 
> also have looked at a product called EDMZ - wondered if anyone had experience 
> with it?
> 
> And did I say I wanted to keep it as simple as possible? :-) It's been a few 
> years since I've done hands-on networking work, so excuse the long-winded 
> letter. Feel free to email me directly too.
> 
> Sincerely
> Barry Jones
> CISSP, GSNA



RE: IPv6 version of www.qwest.com/www.centurylink.com has been down for 10 days

2011-09-01 Thread Frank Bulk
Charter.com has also removed the quad-A's for www.charter.com.  My monitoring
system alerted me this afternoon that it couldn't get to the v6 version of
their website.  Because of DNS caching, I don't know how many hours or days
ago it was removed.

Frank

-Original Message-
From: Frank Bulk [mailto:frnk...@iname.com] 
Sent: Friday, August 19, 2011 11:59 AM
To: nanog@nanog.org
Subject: RE: IPv6 version of www.qwest.com/www.centurylink.com has been down
for 10 days

I just noticed that the quad-A records for both those two hosts are now
gone.  DNS being what it is, I'm not sure when that happened, but our
monitoring system couldn't get the AAAA for www.qwest.com about half an hour
ago.

Hopefully CenturyLink is actively working towards IPv6-enabling their sites
again.

Frank

-Original Message-
From: Frank Bulk [mailto:frnk...@iname.com] 
Sent: Thursday, August 18, 2011 11:14 PM
To: nanog@nanog.org
Subject: RE: IPv6 version of www.qwest.com/www.centurylink.com has been down
for 10 days

FYI, the issue is not resolved and I've not heard from either of the
companies suggesting that they're working on it.

Note their commitment to IPv6 in these releases:
http://www.prnewswire.com/news-releases/centurylink-joins-internet-community
-in-world-ipv6-day-123089908.html
http://news.centurylink.com/index.php?s=43&item=2129

Frank

-Original Message-
From: Matthew Moyle-Croft [mailto:m...@internode.com.au] 
Sent: Thursday, August 18, 2011 7:08 PM
To: Owen DeLong
Cc: nanog@nanog.org
Subject: Re: IPv6 version of www.qwest.com/www.centurylink.com has been down
for 10 days


On 19/08/2011, at 4:18 AM, Owen DeLong wrote:

It'd really suck for end users to start actively avoiding IPv6 connectivity
because it keeps breaking and for organisations that have active AAAA
records to break peoples connectivity to their resources.



+1 -- I'm all for publishing AAAA records as everyone knows, but, if you
publish AAAA records for a consumer facing service, please support and
monitor that service with a similar level to what you do for your IPv4
versions of the service.

The coming years are going to be difficult enough for end-users without
adding unnecessary anti-IPv6 sentiments to the mix.

Owen

+1 to Owen's comment.

I'd also add some more comments:

A lot of eyeballs that have v6 right now are the people with a lot of clue.
Do you want these people, who'll often be buying or recommending your
services to rate your ability to deliver as a fail?  Our experience with
IPv6 consumer broadband has been that the early adopters are the people who,
well, go to IETF meetings, follow standards and ask the bloody hard
questions.

Even given the Happy Eyeballs (Did Hurricane PAY for it to be abbreviated as
HE?? :-) ) most end users prefer IPv6 over IPv4.  Deeply this means there is
a tendency for v6 traffic to grow and be more important to connectivity than
you may imagine.  The tipping point for IPv6 traffic being dominant I
suspect is going to be a lower threshold of take up than people might
expect.   Consider this when thinking about the level of thought you give to
IPv6 infrastructure and PPS rates.

MMC

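Added example, not from the thread: the monitoring Owen asks for, as a Python check that resolves a name and then connects to each A and each AAAA address separately. Probing by address matters because a dual-stack client with Happy Eyeballs-style fallback will quietly use IPv4 and a name-based check will report success while the AAAA is dead, which is exactly the condition described above. The default resolve and connect functions do real lookups and TCP connects; the host names, addresses and reachability data in the sample are constructed and are not measurements of any site named in the thread.

```python
import socket

# Constructed sample data (documentation addresses), not real DNS answers.
FAKE_DNS = {
    "good.example":  {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]},
    "stale.example": {"A": ["192.0.2.20"], "AAAA": ["2001:db8::20"]},  # AAAA published, v6 dead
    "v4.example":    {"A": ["192.0.2.30"], "AAAA": []},
}
# Constructed reachability: note 2001:db8::20 is deliberately missing.
FAKE_REACHABLE = {"192.0.2.10", "2001:db8::10", "192.0.2.20", "192.0.2.30"}


def resolve_dns(host):
    """Real resolver path: split getaddrinfo() results into A and AAAA lists."""
    out = {"A": [], "AAAA": []}
    for family, _, _, _, sockaddr in socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP):
        if family == socket.AF_INET and sockaddr[0] not in out["A"]:
            out["A"].append(sockaddr[0])
        elif family == socket.AF_INET6 and sockaddr[0] not in out["AAAA"]:
            out["AAAA"].append(sockaddr[0])
    return out


def tcp_connect(addr, port=80, timeout=5.0):
    """Real probe: True only if a TCP handshake to this literal address completes,
    so the client's own v4 fallback cannot mask a dead v6 path."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((addr, port))
        return True
    except OSError:
        return False


def check_dual_stack(host, resolve=resolve_dns, connect=tcp_connect):
    """Classify a service the way a monitor should before paging. The state
    the thread complains about is 'aaaa-published-but-v6-broken'."""
    rr = resolve(host)
    if not rr["AAAA"]:
        return "ipv4-only"
    v4_ok = any(connect(a) for a in rr["A"])
    v6_ok = any(connect(a) for a in rr["AAAA"])
    if v6_ok and v4_ok:
        return "dual-stack-ok"
    if v4_ok:
        return "aaaa-published-but-v6-broken"
    if v6_ok:
        return "v6-ok-v4-broken"
    return "both-broken"


def fake_resolve(host):
    return FAKE_DNS[host]


def fake_connect(addr, port=80, timeout=0):
    return addr in FAKE_REACHABLE


def run_sample():
    """Run the check over the constructed data; returns {host: state}."""
    return {h: check_dual_stack(h, fake_resolve, fake_connect) for h in FAKE_DNS}


if __name__ == "__main__":
    for host, state in run_sample().items():
        print(f"{host:15} {state}")
```

In production, alert on "aaaa-published-but-v6-broken" at the same severity as an IPv4 outage, and keep the resolver used by the monitor uncached or short-TTL, since (as Frank notes) DNS caching otherwise hides when a AAAA was pulled.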





Re: [Nanog-futures] Admission for Committee Members

2011-09-01 Thread David Temkin
Randy,

How is that "getting paid"?  Receiving services in kind?

Don't know if you've ever done Habitat for Humanity, but you get a free
lunch, paid for by those who have given cash to support the cause and not
labor.

To bring it closer to home - we give our presenters a free admission -
should we also stop that?

-Dave
On Sep 1, 2011 3:27 PM, "Randy Bush"  wrote:
> i do not support getting paid for community service. a primrose path.
>
> randy
>


Re: [Nanog-futures] Admission for Committee Members

2011-09-01 Thread Jared Mauch
I have had my registration fee refunded when I was a speaker when my employer 
was happy to pay. This frustrated me when the meeting had low registration and 
lost money. 

I'm fine with people getting it waived, but the idea of everyone showing up for 
a "roll-call" so they can get in free is certainly not the case. This is why I 
suggested the BoD would have the authority to waive the fee if recommended by 
someone else. The reason is less important to me honestly. 

Then again, the bar for giving a bad talk is really low. People can just put in 
that effort instead.

Jared Mauch

On Sep 1, 2011, at 6:12 PM, David Temkin  wrote:

> Randy,
> 
> How is that "getting paid"?  Receiving services in kind?
> 
> Don't know if you've ever done Habitat for Humanity, but you get a free
> lunch, paid for by those who have given cash to support the cause and not
> labor.
> 
> To bring it closer to home - we give our presenters a free admission -
> should we also stop that?
> 
> -Dave
> On Sep 1, 2011 3:27 PM, "Randy Bush"  wrote:
>> i do not support getting paid for community service. a primrose path.
>> 
>> randy
>> 



Re: [Nanog-futures] Admission for Committee Members

2011-09-01 Thread Owen DeLong
I support conference admission for volunteers who give their time to organize
the conference, etc. (such as program committee members, steering committee
members, speakers, etc.).

I would not support other forms of remuneration or expanding the free conference
admission beyond those directly involved in organizing and/or running the
conference.

Owen

On Sep 1, 2011, at 3:12 PM, David Temkin wrote:

> Randy,
> 
> How is that "getting paid"?  Receiving services in kind?
> 
> Don't know if you've ever done Habitat for Humanity, but you get a free
> lunch, paid for by those who have given cash to support the cause and not
> labor.
> 
> To bring it closer to home - we give our presenters a free admission -
> should we also stop that?
> 
> -Dave
> On Sep 1, 2011 3:27 PM, "Randy Bush"  wrote:
>> i do not support getting paid for community service. a primrose path.
>> 
>> randy
>> 




Covad / Telepacific BGP clue?

2011-09-01 Thread Mike Lyon
Hello Folks,

If there is anyone from Covad Wireless / Telepacifc Wireless with BGP clue,
would you contact me off list?

Thank You,
Mike


Re: [Nanog-futures] Admission for Committee Members

2011-09-01 Thread Randy Bush
> How is that "getting paid"?  

you're kidding, right?

> Don't know if you've ever done Habitat for Humanity

no.  i teach in the poor countries.  i pay my way.

> To bring it closer to home - we give our presenters a free admission -
> should we also stop that?

i am ambivalent.  i think there is some sort of untested assumption that
this attracts otherwise unattracted resources we need.

otoh, committees seem to attract flies.  i will not comment on their
quality.

randy



Re: [Nanog-futures] Admission for Committee Members

2011-09-01 Thread David Temkin
On the flip side of this, many of our employers donate "our" time that they
are paying us for in order for us to serve NANOG with nary a benefit.  If
you take just committee calls for the PC alone, this is 48 hours a year - a
workweek.  Perhaps they should feel that this donation nets them something.

-Dave
On Sep 1, 2011 6:41 PM, "Jared Mauch"  wrote:
> I have had my registration fee refunded when I was a speaker when my
employer was happy to pay. This frustrated me when the meeting had low
registration and lost money.
>
> I'm fine with people getting it waived, but the idea of everyone showing
up for a "roll-call" so they can get in free is certainly not the case. This
is why I suggested the BoD would have the authority to waive the fee if
recommended by someone else. The reason is less important to me honestly.
>
> Then again, the bar for giving a bad talk is really low. People can just
put in that effort instead.
>
> Jared Mauch
>
> On Sep 1, 2011, at 6:12 PM, David Temkin  wrote:
>
>> Randy,
>>
>> How is that "getting paid"? Receiving services in kind?
>>
>> Don't know if you've ever done Habitat for Humanity, but you get a free
>> lunch, paid for by those who have given cash to support the cause and not
>> labor.
>>
>> To bring it closer to home - we give our presenters a free admission -
>> should we also stop that?
>>
>> -Dave
>> On Sep 1, 2011 3:27 PM, "Randy Bush"  wrote:
>>> i do not support getting paid for community service. a primrose path.
>>>
>>> randy
>>>


Re: IPv6 version of www.qwest.com/www.centurylink.com has been down for 10 days

2011-09-01 Thread PC
The Qwest one died roughly around the time of their merger/migration to
Centurylink web sites.  I did bring up the issue with them as a customer,
and it seems the response was to disable publicly-facing IPV6 services (and
associated AAAA records) for the time being, as you observed.

Not that I agree with the "fix", but it is what it is.



On Fri, Aug 19, 2011 at 10:59 AM, Frank Bulk  wrote:

> I just noticed that the quad-A records for both those two hosts are now
> gone.  DNS being what it is, I'm not sure when that happened, but our
> monitoring system couldn't get the AAAA for www.qwest.com about half an
> hour
> ago.
>
> Hopefully CenturyLink is actively working towards IPv6-enabling their sites
> again.
>
> Frank
>
> -Original Message-
> From: Frank Bulk [mailto:frnk...@iname.com]
> Sent: Thursday, August 18, 2011 11:14 PM
> To: nanog@nanog.org
> Subject: RE: IPv6 version of www.qwest.com/www.centurylink.com has been
> down
> for 10 days
>
> FYI, the issue is not resolved and I've not heard from either of the
> companies suggesting that they're working on it.
>
> Note their commitment to IPv6 in these releases:
>
> http://www.prnewswire.com/news-releases/centurylink-joins-internet-community
> -in-world-ipv6-day-123089908.html
> http://news.centurylink.com/index.php?s=43&item=2129
>
> Frank
>
> -Original Message-
> From: Matthew Moyle-Croft [mailto:m...@internode.com.au]
> Sent: Thursday, August 18, 2011 7:08 PM
> To: Owen DeLong
> Cc: nanog@nanog.org
> Subject: Re: IPv6 version of www.qwest.com/www.centurylink.com has been
> down
> for 10 days
>
>
> On 19/08/2011, at 4:18 AM, Owen DeLong wrote:
>
> It'd really suck for end users to start actively avoiding IPv6 connectivity
> because it keeps breaking and for organisations that have active AAAA
> records to break peoples connectivity to their resources.
>
>
>
> +1 -- I'm all for publishing AAAA records as everyone knows, but, if you
> publish AAAA records for a consumer facing service, please support and
> monitor that service with a similar level to what you do for your IPv4
> versions of the service.
>
> The coming years are going to be difficult enough for end-users without
> adding unnecessary anti-IPv6 sentiments to the mix.
>
> Owen
>
> +1 to Owen's comment.
>
> I'd also add some more comments:
>
> A lot of eyeballs that have v6 right now are the people with a lot of clue.
> Do you want these people, who'll often be buying or recommending your
> services to rate your ability to deliver as a fail?  Our experience with
> IPv6 consumer broadband has been that the early adopters are the people
> who,
> well, go to IETF meetings, follow standards and ask the bloody hard
> questions.
>
> Even given the Happy Eyeballs (Did Hurricane PAY for it to be abbreviated
> as
> HE?? :-) ) most end users prefer IPv6 over IPv4.  Deeply this means there
> is
> a tendency for v6 traffic to grow and be more important to connectivity
> than
> you may imagine.  The tipping point for IPv6 traffic being dominant I
> suspect is going to be a lower threshold of take up than people might
> expect.   Consider this when thinking about the level of thought you give
> to
> IPv6 infrastructure and PPS rates.
>
> MMC
>
>
>


Re: [Nanog-futures] Admission for Committee Members

2011-09-01 Thread Randy Bush
> On the flip side of this, many of our employers donate "our" time that
> they are paying us for in order for us to serve NANOG with nary a
> benefit.  If you take just committee calls for the PC alone, this is
> 48 hours a year - a workweek.  Perhaps they should feel that this
> donation nets them something.

it's "public service" not "public employment"

randy



Tampa small colo recs?

2011-09-01 Thread Jay Ashworth
Anyone got any opinions on small colo rental in Tampa; anywhere from 8RU to a 
half-rack?  I'd prefer at least one tier 1 uplink, and at least 1 tier 2,
dial-a-yield 100Base, and 24 hour access, but I'm flexible.  Pinellas County
is also fine.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



Re: [Nanog-futures] Admission for Committee Members

2011-09-01 Thread David Temkin
For context in this discussion, how many times have you personally accepted
free registration in return for presenting?

-Dave
 On Sep 1, 2011 8:13 PM, "Randy Bush"  wrote:
>> On the flip side of this, many of our employers donate "our" time that
>> they are paying us for in order for us to serve NANOG with nary a
>> benefit. If you take just committee calls for the PC alone, this is
>> 48 hours a year - a workweek. Perhaps they should feel that this
>> donation nets them something.
>
> it's "public service" not "public employment"
>
> randy


Re: [Nanog-futures] Admission for Committee Members

2011-09-01 Thread Randy Bush
> For context in this discussion, how many times have you personally
> accepted free registration in return for presenting?

no idea.  i also think i was comped for being on the SC.  like jared, i
would have paid.

randy



Re: [Nanog-futures] Admission for Committee Members

2011-09-01 Thread Randy Bush
> For context in this discussion, how many times have you personally
> accepted free registration in return for presenting?

btw, i do not remember a meeting where being comped as an SC member or a
speaker affected whether i would attend or not.

[ and no, senator mccarthy, i am not now nor have i ever been a member
  of the communist party. ]

and fwiw, i would strongly support comping hardship and place a low bar
on it.

i am recently back from sigcomm, where speakers are often introduced as
"looking for a {post-doc, research, teaching} position" and where i saw
tee shirts with "to hire a post-doc, ." 

randy



Re: [Nanog-futures] Admission for Committee Members

2011-09-01 Thread William Herrin
On Thu, Sep 1, 2011 at 8:13 PM, Randy Bush  wrote:
>> On the flip side of this, many of our employers donate "our" time that
>> they are paying us for in order for us to serve NANOG with nary a
>> benefit.  If you take just committee calls for the PC alone, this is
>> 48 hours a year - a workweek.  Perhaps they should feel that this
>> donation nets them something.
>
> it's "public service" not "public employment"

Pay me for the honor and privilege of doing volunteer work for me?
Nice scam if you can swing it.

File this one with "pay to beta test." Not unheard of, but ungrateful.

-Bill


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004



serviceproviderworld.com

2011-09-01 Thread Paul Stewart
Hey folks...

 

I know a couple of folks behind this new site and thought it would be
worthwhile for the NANOG community to be made aware of it.
http://www.serviceproviderworld.com/

 

It's basically going to be a directory of service providers across the world
- that's the plan as I understand it.  End-users can visit and review their
service providers etc.

 

Personally, I think this is a great concept - I've seen some online
directories of providers and most of them are either entirely Canada based
or US based and in my opinion not that great.  Please bear in mind that this
site is literally getting started - there is an email link I  found at the
bottom of the site where you can email the group for
assistance/questions/feedback. 

 

Just an FYI ...

 

Thanks,

 

Paul

 



DNS: 8.8.8.8 won't resolve noaa.gov sites?

2011-09-01 Thread Jay Ashworth
[ Cross-posted to NANOG and Outages; replies to outages or outages-discussion;
I would set the header, but Zimbra sucks.  :-) ]

I've had my home box set to use 8.8.8.8 as its primary resolver, falling back
to the BBN anycast.

Sometime today, 8.8.8.8 appears to have stopped resolving www.noaa.gov and
www.nhc.noaa.gov:

; <<>> DiG 9.7.3-P3 <<>> @8.8.8.8 www.noaa.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34999
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.noaa.gov.  IN  A

;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep  1 22:38:11 2011
;; MSG SIZE  rcvd: 30

though it resolves Yahoo and Google and Akamai.com and everything else
I throw at it.

Digging noaa.gov at 4.2.2.1 returns what I expect.

Interesting, too, that Firefox 5.0 wouldn't DTRT, even though 4.2.2.1-3 were
the backup nameservers in my resolv.conf.

Road Runner Tampa Bay connection.

Can anyone confirm or deny?  Google DNS or NOAA people here, before I go ping 
NOAA staff on Twitter?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



Re: DNS: 8.8.8.8 won't resolve noaa.gov sites?

2011-09-01 Thread Paul

Working fine for me:

$ dig @8.8.8.8 www.noaa.gov

; <<>> DiG 9.7.3 <<>> @8.8.8.8 www.noaa.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64856
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.noaa.gov.  IN  A

;; ANSWER SECTION:
www.noaa.gov.   279 IN  CNAME   edge-hdq.woc.noaa.gov.
edge-hdq.woc.noaa.gov.  279 IN  CNAME   edge-rev.lb.noaa.gov.
edge-rev.lb.noaa.gov.   9   IN  A   140.90.200.23
edge-rev.lb.noaa.gov.   9   IN  A   140.172.17.23
edge-rev.lb.noaa.gov.   9   IN  A   129.15.96.23
edge-rev.lb.noaa.gov.   9   IN  A   140.90.33.23

;; Query time: 25 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Sep  2 02:54:13 2011
;; MSG SIZE  rcvd: 147



$ dig @8.8.8.8 www.nhc.noaa.gov

; <<>> DiG 9.7.3 <<>> @8.8.8.8 www.nhc.noaa.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 36145
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.nhc.noaa.gov.  IN  A

;; ANSWER SECTION:
www.nhc.noaa.gov.   293 IN  CNAME   edge-nws.woc.noaa.gov.
edge-nws.woc.noaa.gov.  293 IN  CNAME   edge-rev.lb.noaa.gov.
edge-rev.lb.noaa.gov.   23  IN  A   140.172.17.23
edge-rev.lb.noaa.gov.   23  IN  A   129.15.96.23
edge-rev.lb.noaa.gov.   23  IN  A   140.90.33.23
edge-rev.lb.noaa.gov.   23  IN  A   140.90.200.23

;; Query time: 24 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Sep  2 02:56:18 2011
;; MSG SIZE  rcvd: 151


On 09/01/2011 04:41 PM, Jay Ashworth wrote:

[ Cross-posted to NANOG and Outages; replies to outages or outages-discussion;
I would set the header, but Zimbra sucks.  :-) ]

I've had my home box set to use 8.8.8.8 as its primary resolver, falling back
to the BBN anycast.

Sometime today, 8.8.8.8 appears to have stopped resolving www.noaa.gov and
www.nhc.noaa.gov:

;<<>>  DiG 9.7.3-P3<<>>  @8.8.8.8 www.noaa.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 34999
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.noaa.gov.  IN  A

;; Query time: 33 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Sep  1 22:38:11 2011
;; MSG SIZE  rcvd: 30

though it resolves Yahoo and Google and Akamai.com and everything else
I throw at it.

Digging noaa.gov at 4.2.2.1 returns what I expect.

Interesting, too, that Firefox 5.0 wouldn't DTRT, even though 4.2.2.1-3 were
the backup nameservers in my resolv.conf.

Road Runner Tampa Bay connection.

Can anyone confirm or deny?  Google DNS or NOAA people here, before I go ping
NOAA staff on Twitter?

Cheers,
-- jra





WORKING: DNS: 8.8.8.8 won't resolve noaa.gov sites?

2011-09-01 Thread Jay Ashworth
- Original Message -
> From: "Paul" 
> To: nanog@nanog.org
> Sent: Thursday, September 1, 2011 10:56:39 PM
> Subject: Re: DNS: 8.8.8.8 won't resolve noaa.gov sites?
> Working fine for me:
> 
> $ dig @8.8.8.8 www.noaa.gov

Yeah; it was reliably broken all day, and of course, it's now fine here too.

Either someone at NOAA or Google saw that and applied a Magic Kick, or
I was just unlucky.

Sorry for the noise, folks.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



Re: Access and Session Control System?

2011-09-01 Thread Bruce Pinsky
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Jones, Barry wrote:
> 
> Hello all. I am looking at a variety of systems/methods to provide
> (vendor, employee) access into my DMZs. I want to reduce the FW rule
> sets and connections to as minimal as possible. And I want the accessing
> party to only get to the destination I define (like a fw rule).
> 
> When I refer to access, I'm referring to the ability of a vendor or
> employee to perform maintenance tasks on a server(s). The server(s) will
> be running apps for doing different tasks - such as Shavlik, etc..,
> (patching, reports, logging, etc..), so I am envisioning allowing an
> outside vendor/employee (from the internet or corp. net) to RDP or SSH
> to a given Windows or Unix based machine, then perform their
> application work from that jumping off point - kind of like a terminal
> server; but I'd like to control and audit the sessions as well.
> 
> Overall, I can allow a host/port through the FW to a single host, but I
> wanted to be able to do the session management and endpoint controls.
> FW's are ok, but you know as well as I that I now deal with lots of
> rule sets. And I need to also authenticate the user.
> 
> We are a couple smaller facilities (150 hosts each) and I need to be
> able to control and audit the sessions when requested. I have considered
> doing a meetingplace server, then providing escorted access for them, or
> doing just the FW and a "jump" host - but need the endpoint and session
> solution, or just using VPN - but don't want to install a host on the
> vendor machines. I also have looked at a product called EDMZ - wondered
> if anyone had experience with it?
> 
> And did I say I wanted to keep it as simple as possible? :-) It's been a
> few years since I've done hands-on networking work, so excuse the
> long-winded letter. Feel free to email me directly too.
> 

The Cisco ASA firewall/VPN appliance with SSLVPN can provide the kind of
control you are asking for.  You can customize for different connection
profiles that are based on individuals and/or groups that specify where they
can connect to and what types of connection protocols can be used.

- -- 
=
bep

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5gacEACgkQE1XcgMgrtybBWgCgyh9YPD8eNMN1f/UknmL1kHoa
jUYAoNcCKqjxwo3QOv/0nSmp1aF+UPn/
=RtBT
-END PGP SIGNATURE-