Re: iCloud - Is it going to hurt access providers?

2011-09-06 Thread Scott Weeks


--- v.jo...@networkingunlimited.com wrote:
From: Vincent C Jones 
> --- br...@bryanfields.net wrote:
> From: Bryan Fields 
> 
> I would love a world where engineering was consulted by marketing :(
> -
> 
> WAKE UP  You're dreaming out loud...  >;-)

Not necessarily...I've been in computer networking going on 40 years and
I've only had one employer where engineering was NOT consulted by
marketing, and that was the military, which did not have marketing :-) 

Of course, my case may be a few sigma away from normal, because I've
only had two other employers since then-- Hewlett Packard back when they
were still a techie company and myself. As an independent consultant, I
am marketing, so I can only blame myself if marketing does not consult
engineering :-D
---



How about (yelling again...)

WAKE UP  You're Rumpelstiltskining  :-)

scott





Re: NAT444 or ?

2011-09-06 Thread Arturo Servin

NAT444 alone is not enough.

You will need to deploy it along with 6rd or DS-lite.

Whilst you still have global v4, use it. The best is to deploy 
dual-stack, but that won't last for too long.

Regards,
as-



On 1 Sep 2011, at 15:36, Serge Vautour wrote:

> Hello,
> 
> Things I understand: IPv6 is the long term solution to IPv4 exhaustion. For 
> IPv6 to work correctly, most of the IPv4 content has to be on IPv6. That's 
> not there yet. IPv6 deployment to end users is not trivial (end user support, 
> CPE support, etc...). Translation techniques are generally evil. IPv6->IPv4 
> still requires 1 IPv4 IP per end user or else you're doing NAT. IPv4->IPv6 
> (1-1) doesn't solve our main problem of giving users access to the IPv4 
> Internet.
> 
> 
> I expect like most companies we're faced with having to extend the life of 
> IPv4 since our users will continue to want access to the IPv4 content. Doing 
> that by giving them an IPv6 address is not very feasible yet for many 
> reasons. NAT444 seems like the only solution available while we slowly 
> transition over to IPv6 over the next 20 years. Based on the this RFC, NAT444 
> breaks a lot of applications!
> 
> http://tools.ietf.org/html/draft-donley-nat444-impacts-01
> 
> Has anyone deployed NAT444? Can folks share their experiences? Does it really 
> break this many apps? What other options do we have? 
> 
> 
> Thanks,
> Serge




Re: iCloud - Is it going to hurt access providers?

2011-09-06 Thread Vincent C Jones

> --- br...@bryanfields.net wrote:
> From: Bryan Fields 
> 
> I would love a world where engineering was consulted by marketing :(
> -
> 
> WAKE UP  You're dreaming out loud...  >;-)

Not necessarily...I've been in computer networking going on 40 years and
I've only had one employer where engineering was NOT consulted by
marketing, and that was the military, which did not have marketing :-) 

Of course, my case may be a few sigma away from normal, because I've
only had two other employers since then-- Hewlett Packard back when they
were still a techie company and myself. As an independent consultant, I
am marketing, so I can only blame myself if marketing does not consult
engineering :-D

Vince
-- 
Vincent C. Jones
Networking Unlimited, Inc.
Phone: +1 201 568-7810
v.jo...@networkingunlimited.com






Re: iCloud - Is it going to hurt access providers?

2011-09-06 Thread Bryan Fields
On 9/5/2011 22:39, Jay Ashworth wrote:
> - Original Message -
>> From: "Joel jaeggli" 
> 
>> having customers that want to use your service is rarely a bad thing.
> 
> Ask a chief engineer at a national wireless carrier who told his administrative
> bosses that selling "unlimited" wireless data was a Pretty Neat Idea if he
> thinks that's a good generalization to make, Joel.  :-)

Jay, are you saying the engineers in a wireless telecom company are driving
what plans to offer?  Hate to say it, but that's all done by marketing, and
engineering normally finds out about the plans they offer by seeing the
PDSN/SGSN going into overload :D

I would love a world where engineering was consulted by marketing :(
-- 
Bryan Fields

727-409-1194 - Voice
727-214-2508 - Fax
http://bryanfields.net



Re: iCloud - Is it going to hurt access providers?

2011-09-06 Thread Scott Weeks


--- br...@bryanfields.net wrote:
From: Bryan Fields 

I would love a world where engineering was consulted by marketing :(
-



WAKE UP  You're dreaming out loud...  >;-)

scott






RE: IPv6 version of www.qwest.com/www.centurylink.com has been down for 10 days

2011-09-06 Thread Frank Bulk
...and the AAAA's are back!  And port 80 responds.

Frank

-Original Message-
From: Frank Bulk [mailto:frnk...@iname.com] 
Sent: Thursday, September 01, 2011 5:03 PM
To: 'nanog@nanog.org'
Subject: RE: IPv6 version of www.qwest.com/www.centurylink.com has been down
for 10 days

Charter.com has also removed the quad-A's for www.charter.com.  My monitoring
system alerted me this afternoon that it couldn't get to the v6 version of
their website.  Because of DNS caching, I don't know how many hours or days
ago it was removed.

Frank

-Original Message-
From: Frank Bulk [mailto:frnk...@iname.com] 
Sent: Friday, August 19, 2011 11:59 AM
To: nanog@nanog.org
Subject: RE: IPv6 version of www.qwest.com/www.centurylink.com has been down
for 10 days

I just noticed that the quad-A records for both those two hosts are now
gone.  DNS being what it is, I'm not sure when that happened, but our
monitoring system couldn't get the AAAA for www.qwest.com about half an hour
ago.

Hopefully CenturyLink is actively working towards IPv6-enabling their sites
again.

Frank

-Original Message-
From: Frank Bulk [mailto:frnk...@iname.com] 
Sent: Thursday, August 18, 2011 11:14 PM
To: nanog@nanog.org
Subject: RE: IPv6 version of www.qwest.com/www.centurylink.com has been down
for 10 days

FYI, the issue is not resolved and I've not heard from either of the
companies suggesting that they're working on it.

Note their commitment to IPv6 in these releases:
http://www.prnewswire.com/news-releases/centurylink-joins-internet-community
-in-world-ipv6-day-123089908.html
http://news.centurylink.com/index.php?s=43&item=2129

Frank

-Original Message-
From: Matthew Moyle-Croft [mailto:m...@internode.com.au] 
Sent: Thursday, August 18, 2011 7:08 PM
To: Owen DeLong
Cc: nanog@nanog.org
Subject: Re: IPv6 version of www.qwest.com/www.centurylink.com has been down
for 10 days


On 19/08/2011, at 4:18 AM, Owen DeLong wrote:

It'd really suck for end users to start actively avoiding IPv6 connectivity
because it keeps breaking and for organisations that have active AAAA
records to break people's connectivity to their resources.



+1 -- I'm all for publishing AAAA records as everyone knows, but, if you
publish AAAA records for a consumer facing service, please support and
monitor that service with a similar level to what you do for your IPv4
versions of the service.

The coming years are going to be difficult enough for end-users without
adding unnecessary anti-IPv6 sentiments to the mix.

Owen

+1 to Owen's comment.

I'd also add some more comments:

A lot of eyeballs that have v6 right now are the people with a lot of clue.
Do you want these people, who'll often be buying or recommending your
services to rate your ability to deliver as a fail?  Our experience with
IPv6 consumer broadband has been that the early adopters are the people who,
well, go to IETF meetings, follow standards and ask the bloody hard
questions.

Even given the Happy Eyeballs (Did Hurricane PAY for it to be abbreviated as
HE?? :-) ) most end users prefer IPv6 over IPv4.  Deeply this means there is
a tendency for v6 traffic to grow and be more important to connectivity than
you may imagine.  The tipping point for IPv6 traffic being dominant I
suspect is going to be a lower threshold of take up than people might
expect.   Consider this when thinking about the level of thought you give to
IPv6 infrastructure and PPS rates.

MMC






Re: Handicapped Supporting ISP's -- Was Re: NANOG Digest, Vol 44, Issue 21

2011-09-06 Thread Valdis . Kletnieks
On Tue, 06 Sep 2011 11:32:57 PDT, Everett Batey said:
> If you can offer any lead(s) to service providers who may subsidize /
> partially subsidize adult handicapped for internet service in LA County CA,
> please, advise me on or off net.

I can't help with the query as phrased - but would you also want to hear about
other programs that provide subsidies, even if the programs aren't run by the
service providers themselves (i.e. "the LA County Department of Foo will pay
half the basic monthly bill for low-income shut-ins" or similar)?





Re: Point to MultiPoint VPN w/qos

2011-09-06 Thread Brant I. Stevens
I stand corrected.

Sent from my iPad

On Sep 6, 2011, at 2:19 PM, "Dylan Ebner"  wrote:

> It does. The older 87x only had a 4 port. The new 89x are the replacement for 
> the 181x series. 
> 
> Dylan 
> -Original Message-
> From: Seth Mattinen [mailto:se...@rollernet.us] 
> Sent: Tuesday, September 06, 2011 1:17 PM
> To: nanog@nanog.org
> Subject: Re: Point to MultiPoint VPN w/qos
> 
> On 9/6/11 11:10 AM, Brant I. Stevens wrote:
>> I'd say the 89x platform is the way to go if 8 ports weren't needed.  
>> Correct me if I am wrong...
>> 
> 
> I believe the 89x have a built-in 8 port switch plus 2 WAN Ethernet.
> 
> ~Seth
> 
> 
> 



Re: DDoS - CoD?

2011-09-06 Thread George Herbert
Arrgghhh

This reminds me of the WebNFS attack.  Which is why Sun aborted
WebNFS's public launch, after I pointed it out during its Solaris 2.6
early access program.

Never run a volume-multiplying service on UDP if you can help it,
exposed to the outside world, without serious in-band source
verification.  Amplification attacks are a classic easy DDOS win.


-george

On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter  wrote:
> Call of Duty is apparently using the same flawed protocol as Quake III
> servers, so you can think of it as an amplification attack.  (I wish I'd
> forgotten all about this stuff)
>
> You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed
> source, and the server responds with everything you see.  With decent
> amplification (15B -> ~500B) and the number of CoD servers in world you
> could very easily build up a sizable attack.
>
> --
> Jeff Walter
> Network Engineer
> Hurricane Electric
>



-- 
-george william herbert
george.herb...@gmail.com



RE: Point to MultiPoint VPN w/qos

2011-09-06 Thread Dylan Ebner
It does. The older 87x only had a 4 port. The new 89x are the replacement for 
the 181x series. 

Dylan 
-Original Message-
From: Seth Mattinen [mailto:se...@rollernet.us] 
Sent: Tuesday, September 06, 2011 1:17 PM
To: nanog@nanog.org
Subject: Re: Point to MultiPoint VPN w/qos

On 9/6/11 11:10 AM, Brant I. Stevens wrote:
> I'd say the 89x platform is the way to go if 8 ports weren't needed.  Correct 
> me if I am wrong...
> 

I believe the 89x have a built-in 8 port switch plus 2 WAN Ethernet.

~Seth





Re: Point to MultiPoint VPN w/qos

2011-09-06 Thread Seth Mattinen
On 9/6/11 11:10 AM, Brant I. Stevens wrote:
> I'd say the 89x platform is the way to go if 8 ports weren't needed.  Correct 
> me if I am wrong...
> 

I believe the 89x have a built-in 8 port switch plus 2 WAN Ethernet.

~Seth




Re: Point to MultiPoint VPN w/qos

2011-09-06 Thread Brant I. Stevens
I'd say the 89x platform is the way to go if 8 ports weren't needed.  Correct 
me if I am wrong...

Sent from my iPad

On Sep 6, 2011, at 1:34 PM, "Garrett Skjelstad"  wrote:

> Yes, but look in 891s at the remotes, the 19xx are too expensive for only 4 
> devices Just my 2c
> 
> Sent from my iPhone
> 
> On Sep 6, 2011, at 10:22, "Ryan Finnesey"  wrote:
> 
>> DMVPN would only work with 100% cisco hardware right?  
>> 
>> -Original Message-
>> From: Brant I. Stevens [mailto:bra...@networking-architecture.com] 
>> Sent: Tuesday, September 06, 2011 10:26 AM
>> To: Brandon Kim; positivelyoptimis...@gmail.com; nanog group
>> Subject: Re: Point to MultiPoint VPN w/qos
>> 
>> I would go with Cisco's DMVPN, and its multiple endpoint offerings.  A 19xx
>> router sounds like it would meet your needs for the remotes.
>> 
>> Spoke-to-Spoke tunnels are created on-demand, can use dynamic routing, and
>> it supports multicast for things like Music on Hold, etc.
>> 
>> Contact me offline and I can share more.
>> 
>> -Brant
>> 
>> On 9/6/11 10:19 AM, "Brandon Kim"  wrote:
>> 
>>> 
>>> Yes, a SonicWALL NSA 240 has 8 interfaces built in
>>> 
>>> This sounds like a very fun project
>>> 
>>> 
>>> 
>>>> Date: Tue, 6 Sep 2011 08:49:13 -0500
>>>> Subject: Point to MultiPoint VPN w/qos
>>>> From: positivelyoptimis...@gmail.com
>>>> To: nanog@nanog.org
>>>> 
>>>> Greetings
>>>> 
>>>> We have acquired a new client that has 98 remote endpoints.  At each
>>>> site there is a need for 4 ip telephones and two vpn tunnels back to
>>>> two separate datacenters.  (1 voice, 1 citrix farm).   The sites don't talk
>>>> to each other, just to the two data centers.
>>>> 
>>>> Does anyone have a suggestion for a single piece of hardware that
>>>> would support 8 or less Ethernet interfaces and the two vpn tunnels ?
>>>> 
>>>> Thanks
>>>> -Optimistic
>>> 
>> 
>> 
>> 
>> 



RE: Point to MultiPoint VPN w/qos

2011-09-06 Thread Dylan Ebner
IIRC, the 19xx and 18xx are slower than the new 89x series. We are 
transitioning away from 18xx because of limitations on the platform that the 
89x doesn't have. When the 18xx came out a few years ago they were amazing, the 
new 89x are even better.
 



Dylan 


-Original Message-
From: Garrett Skjelstad [mailto:garr...@skjelstad.org] 
Sent: Tuesday, September 06, 2011 12:34 PM
To: Ryan Finnesey
Cc: nanoggroup
Subject: Re: Point to MultiPoint VPN w/qos

Yes, but look in 891s at the remotes, the 19xx are too expensive for only 4 
devices Just my 2c

Sent from my iPhone

On Sep 6, 2011, at 10:22, "Ryan Finnesey"  wrote:

> DMVPN would only work with 100% cisco hardware right?  
> 
> -Original Message-
> From: Brant I. Stevens [mailto:bra...@networking-architecture.com] 
> Sent: Tuesday, September 06, 2011 10:26 AM
> To: Brandon Kim; positivelyoptimis...@gmail.com; nanog group
> Subject: Re: Point to MultiPoint VPN w/qos
> 
> I would go with Cisco's DMVPN, and its multiple endpoint offerings.  A 19xx
> router sounds like it would meet your needs for the remotes.
> 
> Spoke-to-Spoke tunnels are created on-demand, can use dynamic routing, and
> it supports multicast for things like Music on Hold, etc.
> 
> Contact me offline and I can share more.
> 
> -Brant
> 
> On 9/6/11 10:19 AM, "Brandon Kim"  wrote:
> 
>> 
>> Yes, a SonicWALL NSA 240 has 8 interfaces built in
>> 
>> This sounds like a very fun project
>> 
>> 
>> 
>>> Date: Tue, 6 Sep 2011 08:49:13 -0500
>>> Subject: Point to MultiPoint VPN w/qos
>>> From: positivelyoptimis...@gmail.com
>>> To: nanog@nanog.org
>>> 
>>> Greetings
>>> 
>>> We have acquired a new client that has 98 remote endpoints.  At each
>>> site there is a need for 4 ip telephones and two vpn tunnels back to
>>> two separate datacenters.  (1 voice, 1 citrix farm).   The sites don't talk
>>> to each other, just to the two data centers.
>>> 
>>> Does anyone have a suggestion for a single piece of hardware that 
>>> would support 8 or less Ethernet interfaces and the two vpn tunnels ?
>>> 
>>> Thanks
>>> -Optimistic
>> 
> 
> 
> 
> 




Re: Point to MultiPoint VPN w/qos

2011-09-06 Thread Garrett Skjelstad
Yes, but look in 891s at the remotes, the 19xx are too expensive for only 4 
devices Just my 2c

Sent from my iPhone

On Sep 6, 2011, at 10:22, "Ryan Finnesey"  wrote:

> DMVPN would only work with 100% cisco hardware right?  
> 
> -Original Message-
> From: Brant I. Stevens [mailto:bra...@networking-architecture.com] 
> Sent: Tuesday, September 06, 2011 10:26 AM
> To: Brandon Kim; positivelyoptimis...@gmail.com; nanog group
> Subject: Re: Point to MultiPoint VPN w/qos
> 
> I would go with Cisco's DMVPN, and its multiple endpoint offerings.  A 19xx
> router sounds like it would meet your needs for the remotes.
> 
> Spoke-to-Spoke tunnels are created on-demand, can use dynamic routing, and
> it supports multicast for things like Music on Hold, etc.
> 
> Contact me offline and I can share more.
> 
> -Brant
> 
> On 9/6/11 10:19 AM, "Brandon Kim"  wrote:
> 
>> 
>> Yes, a SonicWALL NSA 240 has 8 interfaces built in
>> 
>> This sounds like a very fun project
>> 
>> 
>> 
>>> Date: Tue, 6 Sep 2011 08:49:13 -0500
>>> Subject: Point to MultiPoint VPN w/qos
>>> From: positivelyoptimis...@gmail.com
>>> To: nanog@nanog.org
>>> 
>>> Greetings
>>> 
>>> We have acquired a new client that has 98 remote endpoints.  At each
>>> site there is a need for 4 ip telephones and two vpn tunnels back to
>>> two separate datacenters.  (1 voice, 1 citrix farm).   The sites don't talk
>>> to each other, just to the two data centers.
>>> 
>>> Does anyone have a suggestion for a single piece of hardware that 
>>> would support 8 or less Ethernet interfaces and the two vpn tunnels ?
>>> 
>>> Thanks
>>> -Optimistic
>> 
> 
> 
> 
> 



RE: Point to MultiPoint VPN w/qos

2011-09-06 Thread Ryan Finnesey
DMVPN would only work with 100% cisco hardware right?  

-Original Message-
From: Brant I. Stevens [mailto:bra...@networking-architecture.com] 
Sent: Tuesday, September 06, 2011 10:26 AM
To: Brandon Kim; positivelyoptimis...@gmail.com; nanog group
Subject: Re: Point to MultiPoint VPN w/qos

I would go with Cisco's DMVPN, and its multiple endpoint offerings.  A 19xx
router sounds like it would meet your needs for the remotes.

Spoke-to-Spoke tunnels are created on-demand, can use dynamic routing, and
it supports multicast for things like Music on Hold, etc.

Contact me offline and I can share more.

-Brant

On 9/6/11 10:19 AM, "Brandon Kim"  wrote:

>
>Yes, a SonicWALL NSA 240 has 8 interfaces built in
>
>This sounds like a very fun project
>
>
>
>> Date: Tue, 6 Sep 2011 08:49:13 -0500
>> Subject: Point to MultiPoint VPN w/qos
>> From: positivelyoptimis...@gmail.com
>> To: nanog@nanog.org
>> 
>> Greetings
>> 
>> We have acquired a new client that has 98 remote endpoints.  At each
>> site there is a need for 4 ip telephones and two vpn tunnels back to
>> two separate datacenters.  (1 voice, 1 citrix farm).   The sites don't talk
>> to each other, just to the two data centers.
>> 
>> Does anyone have a suggestion for a single piece of hardware that 
>> would support 8 or less Ethernet interfaces and the two vpn tunnels ?
>> 
>> Thanks
>> -Optimistic
> 






Re: Point to MultiPoint VPN w/qos

2011-09-06 Thread Jason LeBlanc
Correct.  But it works very well and is really simple to build and 
manage.  We use 8xx routers on our spokes, very cheap.


On 09/06/2011 01:22 PM, Ryan Finnesey wrote:

DMVPN would only work with 100% cisco hardware right?

-Original Message-
From: Brant I. Stevens [mailto:bra...@networking-architecture.com]
Sent: Tuesday, September 06, 2011 10:26 AM
To: Brandon Kim; positivelyoptimis...@gmail.com; nanog group
Subject: Re: Point to MultiPoint VPN w/qos

I would go with Cisco's DMVPN, and its multiple endpoint offerings.  A 19xx
router sounds like it would meet your needs for the remotes.

Spoke-to-Spoke tunnels are created on-demand, can use dynamic routing, and
it supports multicast for things like Music on Hold, etc.

Contact me offline and I can share more.

-Brant

On 9/6/11 10:19 AM, "Brandon Kim"  wrote:


Yes, a SonicWALL NSA 240 has 8 interfaces built in

This sounds like a very fun project




Date: Tue, 6 Sep 2011 08:49:13 -0500
Subject: Point to MultiPoint VPN w/qos
From: positivelyoptimis...@gmail.com
To: nanog@nanog.org

Greetings

We have acquired a new client that has 98 remote endpoints.  At each
site there is a need for 4 ip telephones and two vpn tunnels back to
two separate datacenters.  (1 voice, 1 citrix farm).   The sites don't talk
to each other, just to the two data centers.

Does anyone have a suggestion for a single piece of hardware that
would support 8 or less Ethernet interfaces and the two vpn tunnels ?

Thanks
-Optimistic










Re: DDoS - CoD?

2011-09-06 Thread Mark Grigsby
Recently (last month) Ryan Gordon (the person responsible for porting COD to
Linux) released a patch for cod4 servers to address this specific issue.
 Here is the announcement and a link to the original email as well.  The
discussion also indicated that all of the Quake III based games suffered
from the same issue.

http://icculus.org/pipermail/cod/2011-August/015397.html

So we're getting reports of DDoS attacks, where botnets will send
> infostring queries to COD4 dedicated servers as fast as possible with
> spoofed addresses. They send a small UDP packet, and the server replies
> with a larger packet to the faked address. Multiply this by however fast
> you can stuff UDP packets into the server's incoming packet buffer per
> frame, times 7500+ public COD4 servers, and you can really bring a
> victim to its knees with a serious flood of unwanted packets.
>
> I've got a patch for COD4 for this, and I need admins to test it before
> I make an official release.
>
> http://treefort.icculus.org/cod/cod4-lnxsrv-query-limit-test.tar.bz2
>
>
>
On Tue, Sep 6, 2011 at 6:47 AM, Jeff Walter  wrote:

> Call of Duty is apparently using the same flawed protocol as Quake III
> servers, so you can think of it as an amplification attack.  (I wish I'd
> forgotten all about this stuff)
>
> You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed
> source, and the server responds with everything you see.  With decent
> amplification (15B -> ~500B) and the number of CoD servers in world you
> could very easily build up a sizable attack.
>
> --
> Jeff Walter
> Network Engineer
> Hurricane Electric
>



-- 
Mark Grigsby
Network Operations Manager
PCINW (Preferred Connections Inc., NW)
3555 Gateway St. Ste. 205
Springfield, OR  97477
Voice: 800-787-3806 ext 408
DID: 541-762-1171
Fax:  541-684-0283


Re: Point to MultiPoint VPN w/qos

2011-09-06 Thread -Hammer-

CheckPoint Series 80 has 10 ports.
I think there is a Juniper option as well.

-Hammer-

"I was a normal American nerd"
-Jack Herer



On 09/06/2011 09:36 AM, Seth Mos wrote:

On 6-9-2011 15:49, Positively Optimistic wrote:

Greetings



Does anyone have a suggestion for a single piece of hardware that would
support 8 or less Ethernet interfaces and the two vpn tunnels ?


Single piece of hardware, no. If 2, then yes.

A PCengines Alix 2D3 with pfSense/m0n0wall and OpenVPN UDP tunnels to 
the datacenter combined with a Power over Ethernet switch would seem a 
likely combination. A HP Procurve 8 Port gigabit desktop switch with 
PoE comes to mind. Not too expensive, fanless, quiet, reliable does 
VLANS.


That way you can power the router and phones from the same (smallish) 
UPS. Say a 700VA APC.


Regards,
Seth



Re: Point to MultiPoint VPN w/qos

2011-09-06 Thread Seth Mos

On 6-9-2011 15:49, Positively Optimistic wrote:

Greetings



Does anyone have a suggestion for a single piece of hardware that would
support 8 or less Ethernet interfaces and the two vpn tunnels ?


Single piece of hardware, no. If 2, then yes.

A PCengines Alix 2D3 with pfSense/m0n0wall and OpenVPN UDP tunnels to 
the datacenter combined with a Power over Ethernet switch would seem a 
likely combination. A HP Procurve 8 Port gigabit desktop switch with PoE 
comes to mind. Not too expensive, fanless, quiet, reliable does VLANS.


That way you can power the router and phones from the same (smallish) 
UPS. Say a 700VA APC.


Regards,
Seth



Re: Point to MultiPoint VPN w/qos

2011-09-06 Thread Brant I. Stevens
I would go with Cisco's DMVPN, and its multiple endpoint offerings.  A
19xx router sounds like it would meet your needs for the remotes.

Spoke-to-Spoke tunnels are created on-demand, can use dynamic routing, and
it supports multicast for things like Music on Hold, etc.

Contact me offline and I can share more.

-Brant

On 9/6/11 10:19 AM, "Brandon Kim"  wrote:

>
>Yes, a SonicWALL NSA 240 has 8 interfaces built in
>
>This sounds like a very fun project
>
>
>
>> Date: Tue, 6 Sep 2011 08:49:13 -0500
>> Subject: Point to MultiPoint VPN w/qos
>> From: positivelyoptimis...@gmail.com
>> To: nanog@nanog.org
>> 
>> Greetings
>> 
>> We have acquired a new client that has 98 remote endpoints.  At each site
>> there is a need for 4 ip telephones and two vpn tunnels back to
>> two separate datacenters.  (1 voice, 1 citrix farm).   The sites don't talk
>> to each other, just to the two data centers.
>> 
>> Does anyone have a suggestion for a single piece of hardware that would
>> support 8 or less Ethernet interfaces and the two vpn tunnels ?
>> 
>> Thanks
>> -Optimistic
> 




RE: Point to MultiPoint VPN w/qos

2011-09-06 Thread Brandon Kim

Yes, a SonicWALL NSA 240 has 8 interfaces built in

This sounds like a very fun project



> Date: Tue, 6 Sep 2011 08:49:13 -0500
> Subject: Point to MultiPoint VPN w/qos
> From: positivelyoptimis...@gmail.com
> To: nanog@nanog.org
> 
> Greetings
> 
> We have acquired a new client that has 98 remote endpoints.  At each site
> there is a need for 4 ip telephones and two vpn tunnels back to
> two separate datacenters.  (1 voice, 1 citrix farm).   The sites don't talk
> to each other, just to the two data centers.
> 
> Does anyone have a suggestion for a single piece of hardware that would
> support 8 or less Ethernet interfaces and the two vpn tunnels ?
> 
> Thanks
> -Optimistic
  

Point to MultiPoint VPN w/qos

2011-09-06 Thread Positively Optimistic
Greetings

We have acquired a new client that has 98 remote endpoints.  At each site
there is a need for 4 ip telephones and two vpn tunnels back to
two separate datacenters.  (1 voice, 1 citrix farm).   The sites don't talk
to each other, just to the two data centers.

Does anyone have a suggestion for a single piece of hardware that would
support 8 or less Ethernet interfaces and the two vpn tunnels ?

Thanks
-Optimistic


Re: DDoS - CoD?

2011-09-06 Thread Jeff Walter
Call of Duty is apparently using the same flawed protocol as Quake III 
servers, so you can think of it as an amplification attack.  (I wish I'd 
forgotten all about this stuff)


You send "\xff\xff\xff\xffgetstatus\n" in a UDP packet with a spoofed 
source, and the server responds with everything you see.  With decent 
amplification (15B -> ~500B) and the number of CoD servers in world you 
could very easily build up a sizable attack.


--
Jeff Walter
Network Engineer
Hurricane Electric
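As an added example that is not from the thread or from any project named in it: a defender-side Python model of the query Jeff Walter describes above, combined with the per-source query limit idea behind the COD4 patch Mark Grigsby mentions and George Herbert's point about volume-multiplying UDP services. The limiter, the reply payload, and the flow records are constructed for illustration and are not the actual patch or real captures.

```python
"""Defender-side model of the Quake III-style UDP status query discussed above.

Three pieces: recognise the 'getstatus' query and measure how much a reply
amplifies it; a per-source query limiter a game server could apply (the idea
behind a 'query limit' patch; this implementation is a constructed
illustration, not the real patch); and a victim-side check over flow records
that flags a host receiving status replies it never asked for.
"""
from collections import defaultdict

# Four 0xff bytes mark an out-of-band (connectionless) Quake III packet,
# followed by the command name. This is the 'getstatus' query quoted in the thread.
OOB_PREFIX = b"\xff\xff\xff\xff"
QUERY = OOB_PREFIX + b"getstatus\n"

# Constructed stand-in for a server's infostring reply, padded to 500 bytes so the
# size ratio matches the "~500B" figure quoted in the thread.
RESPONSE = (OOB_PREFIX + b"statusResponse\n\\sv_hostname\\constructed example"
            b"\\g_gametype\\war\\sv_maxclients\\32\\").ljust(500, b"x")


def is_getstatus_query(payload: bytes) -> bool:
    """True for an out-of-band 'getstatus' query (with or without trailing newline)."""
    return payload.startswith(OOB_PREFIX + b"getstatus")


def is_status_response(payload: bytes) -> bool:
    """True for the server's out-of-band 'statusResponse' reply."""
    return payload.startswith(OOB_PREFIX + b"statusResponse")


def amplification_factor(request: bytes, response: bytes) -> float:
    """Bytes sent back per byte received; anything well above 1 on an
    unauthenticated UDP service is what George Herbert's warning is about."""
    return len(response) / len(request)


class QueryLimiter:
    """Token bucket per source address for status queries (constructed example).

    A legitimate server browser or master list polls a handful of times per
    second; a reflection flood arrives as fast as the socket buffer fills.
    Dropping queries beyond the bucket caps how much reply volume any one
    (possibly spoofed) source address can draw out of this server.
    """

    def __init__(self, rate_per_sec: float = 1.0, burst: int = 3):
        self.rate = rate_per_sec
        self.burst = burst
        self._buckets = {}  # src_ip -> (tokens, timestamp of last update)

    def allow(self, src_ip: str, now: float) -> bool:
        tokens, last = self._buckets.get(src_ip, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[src_ip] = (tokens - 1.0, now)
            return True
        self._buckets[src_ip] = (tokens, now)
        return False


def reflection_victims(flows, min_servers: int = 3) -> dict:
    """Victim-side view: group status replies by destination and count servers
    that answered a host which never queried them. Many distinct game servers
    all replying to one host that sent nothing is the reflection signature.
    Returns {destination: number of unsolicited replying servers}.
    """
    queried = defaultdict(set)    # server -> clients that really sent it a query
    replied = defaultdict(set)    # destination -> servers that sent it a reply
    for f in flows:
        if is_getstatus_query(f["payload"]):
            queried[f["dst"]].add(f["src"])
        elif is_status_response(f["payload"]):
            replied[f["dst"]].add(f["src"])
    victims = {}
    for dst, servers in replied.items():
        unsolicited = {s for s in servers if dst not in queried[s]}
        if len(unsolicited) >= min_servers:
            victims[dst] = len(unsolicited)
    return victims


# Constructed flow records (RFC 5737 documentation addresses): five game servers
# replying to 203.0.113.7, which sent no query, plus one genuine query/reply pair.
SAMPLE_FLOWS = [
    {"src": f"192.0.2.{i}", "dst": "203.0.113.7", "payload": RESPONSE} for i in range(1, 6)
] + [
    {"src": "203.0.113.9", "dst": "192.0.2.1", "payload": QUERY},
    {"src": "192.0.2.1", "dst": "203.0.113.9", "payload": RESPONSE},
]

if __name__ == "__main__":
    print(f"query {len(QUERY)} B -> reply {len(RESPONSE)} B, "
          f"x{amplification_factor(QUERY, RESPONSE):.1f}")
    print("unsolicited reply targets:", reflection_victims(SAMPLE_FLOWS))
```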

Re: DDoS - CoD? - Activision contact

2011-09-06 Thread BH
Looking around, I believe the issue is that the IP has ended up on a 
master game list, so we are now getting the queries directed at US.


For anyone interested, there seems to be some info here:

http://forums.steampowered.com/forums/showthread.php?t=1670090

With the packet capture I have and the symptoms looking very alike the 
example in my original email.


I found an earlier example as well with similar symptoms:
http://forums.srcds.com/viewtopic/15737

Is there anyone from Activision on the list or does anyone have an 
Activision contact? Replies off list welcome, I can provide more details 
there.



On 6/09/2011 6:10 PM, Alexander Harrowell wrote:

On Tuesday 06 Sep 2011 09:14:26 Greg Chalmers wrote:

Could be legitimate CoD servers responding to a spoofed query?


My first thought looking at the packet dump. Interesting that some poor
sap's hotmail address is embedded in it.


How much traffic are you talking about out of curiosity?

Regards
Greg


On Tue, Sep 6, 2011 at 6:03 PM, BH  wrote:


On 6/09/2011 4:00 PM, Dobbins, Roland wrote:

I've seen DDoS traffic on UDP/80 as far back as 2002

Hi Roland,

I should be a bit more clear sorry, I too have frequently seen attacks
on 80/udp but mainly as a source (e.g. compromised hosting accounts)
rather than the destination. I didn't in the past do a packet capture,
but I looked at a couple of scripts and the data was usually random or
just AA etc. The thing that perplexed me is why it appears to be
Call of Duty data more than anything...

Thanks











Re: DDoS - CoD?

2011-09-06 Thread Alexander Harrowell
On Tuesday 06 Sep 2011 09:14:26 Greg Chalmers wrote:
> Could be legitimate CoD servers responding to a spoofed query?

My first thought looking at the packet dump. Interesting that some poor 
sap's hotmail address is embedded in it.

> How much
> traffic are you talking about out of curiosity?
> 
> Regards
> Greg
> 
> 
> On Tue, Sep 6, 2011 at 6:03 PM, BH  wrote:
> 
> > On 6/09/2011 4:00 PM, Dobbins, Roland wrote:
> > > I've seen DDoS traffic on UDP/80 as far back as 2002
> > Hi Roland,
> >
> > I should be a bit more clear sorry, I too have frequently seen attacks
> > on 80/udp but mainly as a source (e.g. compromised hosting accounts)
> > rather than the destination. I didn't in the past do a packet capture,
> > but I looked at a couple of scripts and the data was usually random or
> > just AA etc. The thing that perplexed me is why it appears to be
> > Call of Duty data more than anything...
> >
> > Thanks
> >
> >
> 

-- 
The only thing worse than e-mail disclaimers...is people who send e-mail 
to lists complaining about them




Re: Do Not Complicate Routing Security with Voodoo Economics

2011-09-06 Thread Alexander Harrowell
On Monday 05 Sep 2011 15:53:38 Owen DeLong wrote:
> This is true in terms of whether you care or not, but, if one just 
> looks at whether it changes the content of the FIB or not, changing 
> which arbitrary tie breaker you use likely changes the contents of the 
> FIB in at least some cases.
> 
> The key point is that if you are to secure a previously unsecured 
> database such as the routing table, you will inherently be changing the 
> contents of said database, or, your security isn't actually 
> accomplishing anything.

This is true and should probably be considered a universal law. If the 
introduction of security precautions to a system does not change the 
system, the security precautions are ineffective. 

This is based on the principle that people and systems are imperfect, so 
it is extremely unlikely that there are no bad actors or wildlife in the 
pre-security state, and further that false-positive results are 
inevitable. It has the corollary that introducing security precautions 
is invariably costly, and therefore that you must consider the security 
gain relative to the inevitable costs before deciding to do so.

This is of course an intellectually difficult problem. With regard to 
BGP, the security gain is not so much determined by how bad the problem 
is now, as by how bad it could potentially be if someone took it into 
their heads to tear up the rules and declare war. The answer is "very, 
very bad indeed" which is why we're having this discussion.

It also reminds me of J.K. Galbraith's notion of the bezzle - at any 
time, there is an inventory of undiscovered embezzlement in the economy. 
Before it is discovered, both the fraudster and his or her victim 
believe themselves to possess the money that has been stolen - there is 
a net increase in psychic wealth, in JKG's words. In times of 
prosperity, the bezzle grows, and in times of recession, it shrinks.

There is a bezzle of indeterminate size in the routing table, but we 
won't find out how big it is until we audit it (i.e. deploy SBGP). Some 
of it will just be randomness - misconfigurations and errors - but some 
of it will be enemy action.


-- 
The only thing worse than e-mail disclaimers...is people who send e-mail 
to lists complaining about them




Re: DDoS - CoD?

2011-09-06 Thread Greg Chalmers
Could be legitimate CoD servers responding to a spoofed query? How much
traffic are you talking about out of curiosity?

Regards
Greg


On Tue, Sep 6, 2011 at 6:03 PM, BH  wrote:

> On 6/09/2011 4:00 PM, Dobbins, Roland wrote:
> > I've seen DDoS traffic on UDP/80 as far back as 2002
> Hi Roland,
>
> I should be a bit more clear sorry, I too have frequently seen attacks
> on 80/udp but mainly as a source (eg. compromised hosting accounts)
> rather than the destination. I didn't in the past do a packet capture,
> but I looked at a couple of scripts and the data was usually random or
> just AA etc. The thing that perplexed me is why it appears to be
> Call of Duty data more than anything...
>
> Thanks
>
>

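Greg's suggestion that these are ordinary game servers answering spoofed getstatus queries can be checked directly from a capture like BH's: the replies carry the Quake3-style "statusResponse" infostring and come from the servers' own listening port (28960 in the capture). The Python below is an added example written for this page, not code from any poster; it parses tcpdump -X text (a constructed excerpt shaped like BH's, with documentation-range addresses) and separates such reflected status responses from other UDP/80 traffic, assuming the Quake3-derived framing of four 0xFF bytes followed by the response text.

```python
import re

# Constructed tcpdump -X excerpt shaped like the capture in the original post; not list data.
SAMPLE = """\
14:50:42.716247 IP 192.0.2.10.28960 > 198.51.100.5.80: UDP, length 67
0x0000:  4500 005f 0000 4000 2a11 0000 c000 020a  E.._..@.*.......
0x0010:  c633 6405 7120 0050 004b 0000 ffff ffff  .3d.q .P.K......
0x0020:  7374 6174 7573 5265 7370 6f6e 7365 0a5c  statusResponse.\\
0x0030:  6761 6d65 6e61 6d65 5c43 616c 6c20 6f66  gamename\\Call of
0x0040:  2044 7574 7920 345c 7376 5f68 6f73 746e   Duty 4\\sv_hostn
0x0050:  616d 655c 6465 6d6f 2073 6572 7665 72    ame\\demo server
14:50:42.716301 IP 192.0.2.77.53211 > 198.51.100.5.80: UDP, length 4
0x0000:  4500 0020 0000 4000 2a11 0000 c000 024d  E.. ..@.*......M
0x0010:  c633 6405 cfdb 0050 000c 0000 4141 4141  .3d..P....AAAA
"""
HDR = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length \d+")
HEX = re.compile(r"^0x[0-9a-f]+:\s+(.*)$")
STATUS = b"\xff\xff\xff\xffstatusResponse\n"  # Quake3-style reply to a getstatus query (assumed framing)

def parse_dump(text):
    """Group tcpdump -X lines into records of header fields plus raw frame bytes."""
    pkts, cur = [], None
    for line in text.splitlines():
        m = HDR.match(line)
        if m:
            cur = {"src": m[1], "sport": int(m[2]), "dport": int(m[4]), "frame": bytearray()}
            pkts.append(cur)
        elif cur is not None and (m := HEX.match(line)):
            hexpart = m[1].split("  ", 1)[0]  # hex columns end at the double space before the ASCII column
            cur["frame"] += bytes.fromhex(hexpart.replace(" ", ""))
    return pkts

def decode_status(payload):
    """Return the \\key\\value infostring of a statusResponse as a dict, or None for other payloads."""
    if not payload.startswith(STATUS):
        return None
    info = payload[len(STATUS):].split(b"\n", 1)[0]  # a player list, if present, follows on later lines
    parts = info.split(b"\\")[1:]
    return {k.decode("latin-1"): v.decode("latin-1") for k, v in zip(parts[0::2], parts[1::2])}

def triage(text):
    """Label each UDP/80 datagram: game-server status reflection or something else."""
    rows = []
    for p in (q for q in parse_dump(text) if q["dport"] == 80):
        f = p["frame"]
        info = decode_status(bytes(f[(f[0] & 0x0F) * 4 + 8:]))  # skip IPv4 header (IHL*4) + 8-byte UDP header
        kind = "game_status_reflection" if info is not None else "other_udp80"
        rows.append((p["src"], p["sport"], kind, info.get("sv_hostname") if info is not None else None))
    return rows
```

Reflected replies share the game servers' listening port as their source port and decode to an infostring, which is what distinguishes them from the random-payload UDP/80 floods mentioned elsewhere in the thread.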

Re: IPv6 version of www.qwest.com/www.centurylink.com has been down for 10 days

2011-09-06 Thread Christian de Larrinaga
via gogo6 tunnel box (http://gogo6.com/) from my UK location 
(not tested other tunnels nor native)
 
$  telnet -6 www.savvis.com 80
Trying 2001:460:100:1000::37...
Connected to www.savvis.net.

$ ping6 www.savvis.com
PING6(56=40+8+8 bytes) 2001:5c0:1110:8000:217:f2ff:fee6:ab79 --> 
2001:460:100:1000::37
16 bytes from 2001:460xx, icmp_seq=0 hlim=243 time=149.971 ms



Christian

On 6 Sep 2011, at 06:25, Mikael Abrahamsson wrote:

> On Mon, 5 Sep 2011, Jima wrote:
> 
>> I'm with Frank on this one: ICMP yes, HTTP/HTTPS no, via native IPv6 
>> (multiple locations).  No, wait -- it shows as open from a couple tunnels 
>> (both HE & SixXS).  So it's not consistent.  Lovely.
> 
> $ telnet -6 www.savvis.com 80
> Trying 2001:460:100:1000::37...
> telnet: Unable to connect to remote host: Connection refused
> 
> I checked, it's a TCP RST packet, not ICMP unreachable. This is from native 
> IPv6.
> 
> -- 
> Mikael Abrahamsson    email: swm...@swm.pp.se
> 




Re: DDoS - CoD?

2011-09-06 Thread BH
On 6/09/2011 4:00 PM, Dobbins, Roland wrote:
> I've seen DDoS traffic on UDP/80 as far back as 2002 
Hi Roland,

I should be a bit more clear sorry, I too have frequently seen attacks
on 80/udp but mainly as a source (eg. compromised hosting accounts)
rather than the destination. I didn't in the past do a packet capture,
but I looked at a couple of scripts and the data was usually random or
just AA etc. The thing that perplexed me is why it appears to be
Call of Duty data more than anything...

Thanks



RE: DDoS - CoD?

2011-09-06 Thread John van Oppen
I have seen many udp/80 floods as well...  pretty common.


John van Oppen
Spectrum Networks / AS11404


From: Dobbins, Roland [rdobb...@arbor.net]
Sent: Tuesday, September 06, 2011 1:00 AM
To: North American Network Operators' Group
Subject: Re: DDoS - CoD?

On Sep 6, 2011, at 2:53 PM, BH wrote:

> Has anyone seen similar traffic before? I

I've seen DDoS traffic on UDP/80 as far back as 2002 - the miscreants often 
don't know a lot about TCP/IP, and if something happens to work once, they 
incorporate it into their attack tool defaults and keep using it over and over.

In several recent high-profile DDoS attacks, UDP/80 traffic ended up causing 
state exhaustion on load-balancers, as the victim sites weren't following the 
BCP of enforcing network access policies via stateless ACLs in hardware-based 
routers/layer-3 switches, and the load-balancers kept trying to load-balance 
this traffic from multiple purported source IPs/source ports.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde





Re: DDoS - CoD?

2011-09-06 Thread Dobbins, Roland
On Sep 6, 2011, at 2:53 PM, BH wrote:

> Has anyone seen similar traffic before? I

I've seen DDoS traffic on UDP/80 as far back as 2002 - the miscreants often 
don't know a lot about TCP/IP, and if something happens to work once, they 
incorporate it into their attack tool defaults and keep using it over and over.

In several recent high-profile DDoS attacks, UDP/80 traffic ended up causing 
state exhaustion on load-balancers, as the victim sites weren't following the 
BCP of enforcing network access policies via stateless ACLs in hardware-based 
routers/layer-3 switches, and the load-balancers kept trying to load-balance 
this traffic from multiple purported source IPs/source ports.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde




DDoS - CoD?

2011-09-06 Thread BH
Hi all,

I am wondering if anyone has seen a large DDoS before, specifically on
port 80 UDP with data that seems to be relating to Call of Duty 4. I did
a quick packet capture, and the payload looks like this:

14:50:42.716247 IP Y1.YY.YY.YY.28960 > XX.XX.XX.XX.80: UDP, length 499
0x:  4500 020f  4000 2a11 5203 58bf 8138  E.@.*.R.X..8
0x0010:  cbaa 5739 7120 0050 01fb 3e2e    ..W9q..P..>.
0x0020:  7374 6174 7573 5265 7370 6f6e 7365 0a5c  statusResponse.\
0x0030:  5f41 646d 696e 5c6b 696c 6c6b 7574 6572  _Admin\killkuter
0x0040:  5c5f 456d 6169 6c5c 6b69 6c6c 6b75 7465  \_Email\killkute
0x0050:  7240 686f 746d 6169 6c2e 636f 6d5c 5f4c  r...@hotmail.com\_L
0x0060:  6f63 6174 696f 6e5c 4652 5c5f 6d61 6e75  ocation\FR\_manu
0x0070:  6164 6d69 6e6d 6f64 5c30 2e31 312e 3320  adminmod\0.11.3.
0x0080:  6265 7461 5c5f 5765 6273 6974 655c 6874  beta\_Website\ht
0x0090:  7470 3a2f 2f77  2e73 7974 2e74 6561  tp://www.syt.tea
0x00a0:  6d2e 7374 5c67 5f63 6f6d 7061 7373 5368  m.st\g_compassSh
0x00b0:  6f77 456e 656d 6965 735c 305c 675f 6761  owEnemies\0\g_ga
0x00c0:  6d65 7479 7065 5c77 6172 5c67 616d 656e  metype\war\gamen
0x00d0:  616d 655c 4361 6c6c 206f 6620 4475 7479  ame\Call.of.Duty
0x00e0:  2034 5c6d 6170 6e61 6d65 5c6d 705f 626c  .4\mapname\mp_bl
0x00f0:  6f63 5c70 726f 746f 636f 6c5c 365c 7368  oc\protocol\6\sh
0x0100:  6f72 7476 6572 7369 6f6e 5c31 2e37 5c73  ortversion\1.7\s
0x0110:  765f 616c 6c6f 7741 6e6f 6e79 6d6f 7573  v_allowAnonymous
0x0120:  5c30 5c73 765f 6469 7361 626c 6543 6c69  \0\sv_disableCli
0x0130:  656e 7443 6f6e 736f 6c65 5c30 5c73 765f  entConsole\0\sv_
0x0140:  666c 6f6f 6470 726f 7465 6374 5c31 5c73  floodprotect\1\s
0x0150:  765f 686f 7374 6e61 6d65 5c5e 3120 5359  v_hostname\^1.SY
0x0160:  5420 2d20 5e33 5444 4d20 4843 202d 205e  T.-.^3TDM.HC.-.^
0x0170:  3120 6372 6163 6b20 5c73 765f 6d61 7863  1.crack.\sv_maxc
0x0180:  6c69 656e 7473 5c32 305c 7376 5f6d 6178  lients\20\sv_max
0x0190:  5069 6e67 5c31 3530 5c73 765f 6d61 7852  Ping\150\sv_maxR
0x01a0:  6174 655c 3235 3030 305c 7376 5f6d 696e  ate\25000\sv_min
0x01b0:  5069 6e67 5c30 5c73 765f 7072 6976 6174  Ping\0\sv_privat
0x01c0:  6543 6c69 656e 7473 5c36 5c73 765f 7075  eClients\6\sv_pu
0x01d0:  6e6b 6275 7374 6572 5c30 5c73 765f 7075  nkbuster\0\sv_pu
0x01e0:  7265 5c31 5c73 765f 766f 6963 655c 305c  re\1\sv_voice\0\
0x01f0:  7569 5f6d 6178 636c 6965 6e74 735c 3332  ui_maxclients\32
0x0200:  5c70 7377 7264 5c30 5c6d 6f64 5c30 0a\pswrd\0\mod\0.
14:50:42.716292 IP Y1.YY.YY.YY.28965 > XX.XX.XX.XX.80: UDP, length 870
0x:  4500 0382  4000 2f11 27e7 c1c0 3be0  E.@./.'...;.
0x0010:  cbaa 5739 7125 0050 036e 1547    ..W9q%.P.n.G
0x0020:  7374 6174 7573 5265 7370 6f6e 7365 0a5c  statusResponse.\
0x0030:  7368 6f72 7476 6572 7369 6f6e 5c30 2e34  shortversion\0.4
0x0040:  2d34 325c 7376 5f6d 6178 636c 6965 6e74  -42\sv_maxclient
0x0050:  735c 3138 5c5f 4164 6d69 6e5c 447a 696e  s\18\_Admin\Dzin
0x0060:  5c5f 456d 6169 6c5c 6164 6d69 6e40 6261  \_Email\admin@ba
0x0070:  6c6b 616e 2d77 6172 732e 636f 6d5c 5f4c  lkan-wars.com\_L
0x0080:  6f63 6174 696f 6e5c 5468 6520 556e 696f  ocation\The.Unio
0x0090:  6e20 6f66 2053 6f76 6965 7420 536f 6369  n.of.Soviet.Soci
0x00a0:  616c 6973 7469 6320 5265 7075 626c 6963  alistic.Republic
0x00b0:  735c 5f57 6562 7369 7465 5c68 7474 703a  s\_Website\http:
0x00c0:  2f2f 6261 6c6b 616e 2d77 6172 732e 636f  //balkan-wars.co
0x00d0:  6d5c 6169 775f 7265 6d6f 7465 4b69 636b  m\aiw_remoteKick
0x00e0:  5c31 5c61 6977 5f73 6563 7572 655c 305c  \1\aiw_secure\0\
0x00f0:  675f 6761 6d65 7479 7065 5c77 6172 5c67  g_gametype\war\g
0x0100:  5f68 6172 6463 6f72 655c 305c 6761 6d65  _hardcore\0\game
0x0110:  6e61 6d65 5c49 5734 5c6d 6170 6e61 6d65  name\IW4\mapname
0x0120:  5c6d 705f 6272 6563 6f75 7274 5c70 726f  \mp_brecourt\pro
0x0130:  746f 636f 6c5c 3134 345c 7363 725f 6761  tocol\144\scr_ga
0x0140:  6d65 5f61 6c6c 6f77 6b69 6c6c 6361 6d5c  me_allowkillcam\
0x0150:  315c 7363 725f 7465 616d 5f66 6674 7970  1\scr_team_fftyp
0x0160:  655c 305c 7376 5f61 6c6c 6f77 416e 6f6e  e\0\sv_allowAnon
0x0170:  796d 6f75 735c 305c 7376 5f61 6c6c 6f77  ymous\0\sv_allow
0x0180:  436c 6965 6e74 436f 6e73 6f6c 655c 315c  ClientConsole\1\
0x0190:  7376 5f66 6c6f 6f64 5072 6f74 6563 745c  sv_floodProtect\
0x01a0:  315c 7376 5f68 6f73 746e 616d 655c 7c46  1\sv_hostname\|F
0x01b0:  5233 3344 4f4d 7c20 4669 6768 7465 7273  R33DOM|.Fighters
0x01c0:  2055 4b20 4e6f 5475 6265 2d4e 6f41 6b69  .UK.NoTube-