Re: NAT444 or ?
On Friday, September 09, 2011 01:44:08 AM Dan Wing wrote: Many of the problems are due to IPv4 address sharing, which will be problems for A+P, CGN, HTTP proxies, and other address sharing technologies. RFC6269 discusses most (or all) of those problems. There are workarounds to those problems, but most are not pretty. The solution is IPv6. I do expect some of these workarounds to be vendor and/or platform specific, as more units are deployed and the industry simply can't keep up with the various topologies and customer elasticities ISP's have to maintain. We're already seeing evidence of this as we discuss NAT64 options with vendors, particularly in the area of scale and customer experience perceptions. Mark.
Re: NAT444 or ?
On Saturday, September 10, 2011 01:52:12 PM Dobbins, Roland wrote: All this problematic state should be broken up into smaller instantiations and distributed as close to the access edge (RAN, wireline, etc.) as possible in order to a) reduce the amount of state concentrated in a single device and b) to minimize the impact footprint when aberrant traffic inevitably fills up the state tables and said devices choke. Certainly a consideration when an ISP considers scaling avenues for LSN's. The issue is that there are simply too many variables, not least of which is what business the ISP is in. The mobile types are a lot more problematic because they tend to centralize IP intelligence, and keep the RAN's pretty simple (although the RAN's are now becoming more intelligent thanks to your garden-variety IP vendors getting into the game). What we've seen also, with some mobile carriers, is that if you ask them to consider distributed IP architectures, they/you quickly realize that IP routing isn't really their core business or skill. For your typical ISP, size notwithstanding, it will invariably come down to how much money and effort they're willing to spend or save with either centralized or distributed architectures. Mind you, they're also battling with other problems re: centralized or distributed solutions, e.g., broadband aggregation, the ratio of access:aggregation intelligence, access topology lay-outs, e.t.c. And somehow, in all this mix, LSN's must work, be they small units thrown around the network, or one or two large monsters sitting somewhere in the core. We've certainly considered both options very thoroughly. Mark.
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
On Fri, Sep 9, 2011 at 4:48 PM, Marcus Reid mar...@blazingdot.com wrote: On Wed, Sep 07, 2011 at 09:17:10AM -0700, Network IP Dog wrote: I like this response; instant CA death penalty seems to put the incentives about where they need to be. I wouldn't necessarily count them dead just yet; although their legit customers must be very unhappy waking up one day to find their legitimate working SSL certs suddenly unusable. So DigiNotar lost their browser trusted root CA status. That doesn't necessarily mean they will be unable to get other root CAs to cross-sign CA certificates they will make in the future, for the right price. A cross-sign with CA:TRUE is just as good as being installed in users' browser. -- -JH
Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates
On Sat, Sep 10, 2011 at 3:47 AM, Heinrich Strauss heinr...@hstrauss.co.za wrote: On 2011/09/10 05:06, Michael DeMan wrote: I thought wildcards were limited to having a domain off a TLD - like '*.mydomain.tld'. The root CAs have no technical limitation in regards to what kind of certificates they can issue. There is no inherent reason that technical limitations cannot be imposed... there are mechanisms available to do this, if the original CA certificates were issued with restrictions: http://tools.ietf.org/html/rfc3280#section-4.2.1.11 Special limitations or security warnings can be raised by individual browsers above and beyond the certificate validation rules. I would be in favor of each root CA certificate being name constrained to CNs of one TLD per CA certificate, so that root CA orgs would need a separate CA cert and separate private key for each TLD that CA is authorized to issue certificates in. It would be useful if the name restriction would be extended further to allow 2nd level wildcards to be prohibited such as CN=*.com or CN=*.*.com Browsers will honor * in hostname components of the CN field as required by the RFCs... however a *.mydomain.tld certificate does not match www.mydomain.tld, *.*.mydomain.tld does. Some CAs have partaken in problematic practices such as issuing SSL certificates with RFC1918 IP addresses, or unofficial TLDs in the CN or subject alternative names section. See https://wiki.mozilla.org/CA:Problematic_Practices#Issuing_SSL_Certificates_for_Internal_Domains If all the root CA certificates become name constrained, such problematic practices should cease. -- -JH
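The policy proposed in the message above, sketched as an added example (not code from the post, from any CA, or from a browser): a CA constrained to one TLD refuses names outside its permitted dNSName subtree, wildcards sitting directly under the TLD, and RFC1918 addresses. The function names and sample names are constructed for illustration; the subtree rule (the base name, or the base with labels added on the left) is the dNSName rule from the name constraints section the post links to.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def in_subtree(name, base):
    """dNSName constraint match: base itself, or base with labels added on the left."""
    return name == base or name.endswith("." + base)


def check_name(name, permitted, excluded=()):
    """Return the reasons a requested name is refused; an empty list means accept."""
    name = name.lower().rstrip(".")
    try:
        addr = ipaddress.ip_address(name)
    except ValueError:
        addr = None
    if addr is not None:
        # A CA constrained only by dNSName subtrees has nothing that permits a literal address.
        if any(addr in net for net in RFC1918):
            return ["RFC1918 address"]
        return ["IP literal, not a DNS name"]
    reasons = []
    labels = name.split(".")
    fixed = [label for label in labels if label != "*"]
    # The extension suggested in the post: no wildcard directly under a TLD (*.com, *.*.com).
    if "*" in labels and len(fixed) < 2:
        reasons.append("wildcard directly under a TLD")
    if not any(in_subtree(name, p) for p in permitted):
        reasons.append("outside permitted subtrees")
    if any(in_subtree(name, x) for x in excluded):
        reasons.append("inside an excluded subtree")
    return reasons


def audit(names, permitted, excluded=()):
    """Check every requested name and map it to its refusal reasons."""
    return {n: check_name(n, permitted, excluded) for n in names}


if __name__ == "__main__":
    # Constructed sample request list for a CA certificate constrained to "com".
    sample = ["www.example.com", "*.com", "*.*.com", "mail.corp", "10.1.2.3"]
    for name, reasons in audit(sample, permitted=["com"]).items():
        print(name, "->", reasons or "accept")
```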
Re: NAT444 or ?
On Sep 9, 2011 10:54 PM, Dobbins, Roland rdobb...@arbor.net wrote: On Sep 10, 2011, at 12:46 PM, Mark Tinka wrote: GPRS/3G/EDGE has made many a mobile provider especially notorious. All this problematic state should be broken up into smaller instantiations and distributed as close to the access edge (RAN, wireline, etc.) as possible in order to a) reduce the amount of state concentrated in a single device and b) to minimize the impact footprint when aberrant traffic inevitably fills up the state tables and said devices choke. Ip mobility via gtp or mobile ip generally does not work when you nat at the 'edge'. If you don't want your ip address to change every time you change cell sites, the nat has to be centralized. Cb --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com The basis of optimism is sheer terror. -- Oscar Wilde
Hurricane Katia
I'm hearing on the news wire 80mph winds will come to UK over the next 72 hours. Andrew
Re: Hurricane Katia
On Sep 10, 2011, at 9:55 AM, andrew.wallace wrote: I'm hearing on the news wire 80mph winds will come to UK over the next 72 hours. Andrew Andrew, 80 km maybe. TS force winds for Northern Scotland and Hebrides probably but I doubt the rest of the UK and it is only forecast to be a TS at that time. See http://www.nhc.noaa.gov/refresh/graphics_at2+shtml/102512.shtml?tswind120 Follow Katia at http://www.nhc.noaa.gov/graphics_at2.shtml?5-daynl#contents Tom
Re: Hurricane Katia
Nar it's ok, it'll pass the UK and it'll all be fine, just like the other time.. -- Leigh Porter On 10 Sep 2011, at 14:57, andrew.wallace andrew.wall...@rocketmail.com wrote: I'm hearing on the news wire 80mph winds will come to UK over the next 72 hours. Andrew __ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email __
Administrivia - Recreating Archives
Hello Everyone: I am recreating the archives for the primary NANOG list, so they will be unavailable for a little while, probably a couple of hours. The list will function as expected and all messages to the list will be archived during this process. Regards, Mike
Re: Saudi Telecom sending route with invalid attributes 212.118.142.0/24
On Fri, Sep 9, 2011 at 9:26 PM, Kyle Duren pixitha.k...@gmail.com wrote: Is this announcement still showing up this way (no easy way to check myself). ripe ris? -Kyle On Thu, Sep 8, 2011 at 4:20 PM, Clay Haynes chay...@centracomm.net wrote: On Thu, Sep 8, 2011 at 7:11 PM, Jonas Frey (Probe Networks) j...@probe-networks.de wrote: Hello, anyone else getting a route for 212.118.142.0/24 with invalid attributes? Seems this is (again) causing problems with some (older) routers/software. Announcement bits (4): 0-KRT 3-KRT 5-Resolve tree 1 6-Resolve tree 2 AS path: 6453 39386 25019 I Unrecognized Attributes: 39 bytes AS path: Attr flags e0 code 80: 00 00 fd 88 40 01 01 02 40 02 04 02 01 5b a0 c0 11 04 02 01 fc da 80 04 04 00 00 00 01 40 05 04 00 00 00 64 Accepted Multipath -Jonas Yup! We're seeing the same thing too, and we're filtering it out. Originating AS is 25019 -Clay
Re: Hurricane Katia
On Sat, Sep 10, 2011 at 2:55 PM, andrew.wallace andrew.wall...@rocketmail.com wrote: I'm hearing on the news wire 80mph winds will come to UK over the next 72 hours. Anyone worried about major weather events in the UK is probably best either checking or subscribing to the Met Office's weather warnings at http://www.metoffice.gov.uk/public/beta/weather/warnings/ rather than relying on a US source (and vice-versa for US weather). If worried about flooding, the Environment Agency's Flood Warnings are what you're after at http://www.environment-agency.gov.uk/homeandleisure/floods/31618.aspx. Both Weather Warnings and Flood Warnings come in three flavours, yellow, amber and red. Red is the danger to life / take action level. Currently, there is an amber 'be prepared' weather warning out for Monday for some areas of the UK. Currently the country wide detail is: Weather Report Stormy weather heading for the UK The forecast team at the Met Office are continuing to keep an eye on the remains of Hurricane Katia as it moves across the Atlantic Ocean. Currently the storm lies just southeast of Newfoundland in Canada, but it is expected to rapidly move towards northwestern parts of the UK during the next 36 to 48 hours, arriving on Monday morning. Please see our warnings page for further details. Issued at 1346 on Sat 10 Sep 2011. And the warning itself Issued at: 10 Sep 2011, 1138 Valid from: 12 Sep 2011, Valid to: 12 Sep 2011, 2359 The remains of Hurricane Katia are expected to come across the UK on Monday bringing a spell of wet and very windy weather. There remains some uncertainty about its track and intensity, although Scotland and Northern Ireland are most likely to bear the brunt of the winds, The public should be prepared for the risk of disruption to transport and of the possibility of damage to trees and structures. 
Chief Forecaster's Assessment Forecast models continue to show some differences in the handling of the transition of hurricane Katia to an intense extra tropical depression, though with increasing agreement that the centre will pass close to the north of Scotland on Monday, bringing strongest winds to Scotland and Northern Ireland. There is the potential for 60-70 mph gusts and 80 mph or more could occur over exposed coasts and hills. Heavy rain will be an additional hazard for the same regions, with as much as 50-100mm possible over parts of western Scotland. So not too bad really in the overall scheme of things. Alex
Re: Hurricane Katia
On Sat, 10 Sep 2011 06:55:33 PDT, andrew.wallace said: I'm hearing on the news wire 80mph winds will come to UK over the next 72 hours. Probably 80kph was intended. Why is this at all newsworthy? You've previously stated that Irene-like conditions are normal for Scotland, so it shouldn't be a big thing...
Re: Saudi Telecom sending route with invalid attributes 212.118.142.0/24
Looks like the RIS collectors are seeing it originating mostly from STC and KACST ASNs: http://stat.ripe.net/212.118.142.0/24 Some of the show ip bgp reports on that screen are also showing AS8866 BTC-AS Bulgarian Telecommunication Company. Not sure what's up with that. --Richard On Sat, Sep 10, 2011 at 2:01 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Fri, Sep 9, 2011 at 9:26 PM, Kyle Duren pixitha.k...@gmail.com wrote: Is this announcement still showing up this way (no easy way to check myself). ripe ris? -Kyle On Thu, Sep 8, 2011 at 4:20 PM, Clay Haynes chay...@centracomm.net wrote: On Thu, Sep 8, 2011 at 7:11 PM, Jonas Frey (Probe Networks) j...@probe-networks.de wrote: Hello, anyone else getting a route for 212.118.142.0/24 with invalid attributes? Seems this is (again) causing problems with some (older) routers/software. Announcement bits (4): 0-KRT 3-KRT 5-Resolve tree 1 6-Resolve tree 2 AS path: 6453 39386 25019 I Unrecognized Attributes: 39 bytes AS path: Attr flags e0 code 80: 00 00 fd 88 40 01 01 02 40 02 04 02 01 5b a0 c0 11 04 02 01 fc da 80 04 04 00 00 00 01 40 05 04 00 00 00 64 Accepted Multipath -Jonas Yup! We're seeing the same thing too, and we're filtering it out. Originating AS is 25019 -Clay
Re: Saudi Telecom sending route with invalid attributes 212.118.142.0/24
Within the span of a couple of hours this prefix was originated from 3 ASNs, i.e. AS3561 (Savvis), AS8866 (BTC) and AS25019 (STC, original custodians). As per the STC it was originated by one of their customers having a Juniper router, but I still don't understand why/how they are adv this prefix with unrecog transitive attributes. Can anyone suggest? Regards, Aftab A. Siddiqui On Sun, Sep 11, 2011 at 3:26 AM, Richard Barnes richard.bar...@gmail.com wrote: Looks like the RIS collectors are seeing it originating mostly from STC and KACST ASNs: http://stat.ripe.net/212.118.142.0/24 Some of the show ip bgp reports on that screen are also showing AS8866 BTC-AS Bulgarian Telecommunication Company. Not sure what's up with that. --Richard On Sat, Sep 10, 2011 at 2:01 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Fri, Sep 9, 2011 at 9:26 PM, Kyle Duren pixitha.k...@gmail.com wrote: Is this announcement still showing up this way (no easy way to check myself). ripe ris? -Kyle On Thu, Sep 8, 2011 at 4:20 PM, Clay Haynes chay...@centracomm.net wrote: On Thu, Sep 8, 2011 at 7:11 PM, Jonas Frey (Probe Networks) j...@probe-networks.de wrote: Hello, anyone else getting a route for 212.118.142.0/24 with invalid attributes? Seems this is (again) causing problems with some (older) routers/software. Announcement bits (4): 0-KRT 3-KRT 5-Resolve tree 1 6-Resolve tree 2 AS path: 6453 39386 25019 I Unrecognized Attributes: 39 bytes AS path: Attr flags e0 code 80: 00 00 fd 88 40 01 01 02 40 02 04 02 01 5b a0 c0 11 04 02 01 fc da 80 04 04 00 00 00 01 40 05 04 00 00 00 64 Accepted Multipath -Jonas Yup! We're seeing the same thing too, and we're filtering it out. Originating AS is 25019 -Clay
Re: Saudi Telecom sending route with invalid attributes 212.118.142.0/24
On Sun, Sep 11, 2011 at 8:49 AM, Aftab Siddiqui aftab.siddi...@gmail.com wrote: with in the span of couple of hours this prefix was originated from 3 ASN i.e. AS3561 (Savvis), AS8866 (BTC) and AS25019 (STC original custodians). As per the STC it was originated by one of their customer having Juniper router. but I still don't understand why/how they are adv this prefix with unrecog transitive attributes. For example, AS_CONFED_SEQUENCE and/or AS_CONFED_SET in AS4_PATH again..;( On Sun, Sep 11, 2011 at 3:26 AM, Richard Barnes richard.bar...@gmail.com wrote: Looks like the RIS collectors are seeing it originating mostly from STC and KACST ASNs: http://stat.ripe.net/212.118.142.0/24 Some of the show ip bgp reports on that screen are also showing AS8866 BTC-AS Bulgarian Telecommunication Company. Not sure what's up with that. --Richard On Sat, Sep 10, 2011 at 2:01 PM, Christopher Morrow morrowc.li...@gmail.com wrote: On Fri, Sep 9, 2011 at 9:26 PM, Kyle Duren pixitha.k...@gmail.com wrote: Is this announcement still showing up this way (no easy way to check myself). ripe ris? -Kyle On Thu, Sep 8, 2011 at 4:20 PM, Clay Haynes chay...@centracomm.net wrote: On Thu, Sep 8, 2011 at 7:11 PM, Jonas Frey (Probe Networks) j...@probe-networks.de wrote: Hello, anyone else getting a route for 212.118.142.0/24 with invalid attributes? Seems this is (again) causing problems with some (older) routers/software. Announcement bits (4): 0-KRT 3-KRT 5-Resolve tree 1 6-Resolve tree 2 AS path: 6453 39386 25019 I Unrecognized Attributes: 39 bytes AS path: Attr flags e0 code 80: 00 00 fd 88 40 01 01 02 40 02 04 02 01 5b a0 c0 11 04 02 01 fc da 80 04 04 00 00 00 01 40 05 04 00 00 00 64 Accepted Multipath -Jonas Yup! We're seeing the same thing too, and we're filtering it out. Originating AS is 25019 -Clay -- SY, Jen Linkova aka Furry
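A decoder for the bytes quoted in this thread, as an added example that is not part of any poster's message: it names the flag bits in `e0` and walks the 36-byte value as nested path attributes. Reading code 0x80 (128) as ATTR_SET, with a 4-octet AS number followed by ordinary attribute TLVs, is an assumption of this example, as are the 2-octet AS_PATH and 4-octet AS4_PATH sizes used for the length check; function names are hypothetical.

```python
import struct

# Bytes copied from the "Attr flags e0 code 80" line quoted in the thread.
OUTER_FLAGS, OUTER_CODE = 0xE0, 0x80
PAYLOAD = bytes.fromhex(
    "0000fd88" "40010102" "400204" "02015ba0" "c01104" "0201fcda"
    "800404" "00000001" "400504" "00000064")

FLAG_BITS = ((0x80, "optional"), (0x40, "transitive"),
             (0x20, "partial"), (0x10, "extended-length"))
TYPE_NAMES = {1: "ORIGIN", 2: "AS_PATH", 4: "MULTI_EXIT_DISC",
              5: "LOCAL_PREF", 17: "AS4_PATH", 128: "ATTR_SET"}


def flag_names(flags):
    """Names of the attribute flag bits set in the flags octet."""
    return [name for bit, name in FLAG_BITS if flags & bit]


def walk_attributes(buf):
    """Yield (flags, type_code, value) for each path-attribute TLV in buf."""
    pos = 0
    while pos < len(buf):
        ext = bool(buf[pos] & 0x10)          # extended length: 2-octet length field
        header = 4 if ext else 3
        if pos + header > len(buf):
            raise ValueError(f"truncated attribute header at offset {pos}")
        flags, code = buf[pos], buf[pos + 1]
        length = struct.unpack_from("!H" if ext else "!B", buf, pos + 2)[0]
        pos += header
        if pos + length > len(buf):
            raise ValueError(f"attribute {code} overruns the buffer")
        yield flags, code, buf[pos:pos + length]
        pos += length


def segments_fit(value, asn_size):
    """True if value is exactly a run of (type, count, count * asn_size) segments."""
    pos = 0
    while pos + 2 <= len(value):
        pos += 2 + value[pos + 1] * asn_size
    return pos == len(value)


def decode(payload=PAYLOAD):
    """Return (leading_as, rows); the ATTR_SET reading of code 128 is assumed."""
    (leading_as,) = struct.unpack_from("!I", payload, 0)
    rows = []
    for flags, code, value in walk_attributes(payload[4:]):
        # Assumption: AS_PATH carries 2-octet ASNs here, AS4_PATH always 4-octet.
        asn_size = {2: 2, 17: 4}.get(code)
        ok = segments_fit(value, asn_size) if asn_size else True
        rows.append((TYPE_NAMES.get(code, str(code)), flag_names(flags),
                     value.hex(), ok))
    return leading_as, rows


if __name__ == "__main__":
    print(flag_names(OUTER_FLAGS), TYPE_NAMES[OUTER_CODE], len(PAYLOAD) + 3)
    for row in decode()[1]:
        print(row)
```

Under these assumptions the 3-octet header plus the 36-octet value accounts for the "39 bytes" in the router output, and the nested AS4_PATH is the only attribute whose length does not fit its segment count.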
Re: Hurricane Katia
Just another average day in Scotland... On 10/09/2011, at 11:55 PM, andrew.wallace andrew.wall...@rocketmail.com wrote: I'm hearing on the news wire 80mph winds will come to UK over the next 72 hours. Andrew
How to begin making my own ISP?
I want to begin making my own ISP, mainly for high speed servers and such, but also branching out to residential customers. I'm going to be in Germany for the next school year (probably either Frankfurt am Main or Berlin); any suggestions on what sort of classes I can take there that will be in English and will teach me all I need to know on how to build and manage my own ISP, AS, etc? Thanks.
Re: How to begin making my own ISP?
On 09/10/2011 08:55 PM, hass...@hushmail.com wrote: I want to begin making my own ISP, mainly for high speed servers and such, but also branching out to residential customers. I'm going to be in Germany for the next school year (probably either Frankfurt am Main or Berlin); any suggestions on what sort of classes I can take there that will be in English and will teach me all I need to know on how to build and manage my own ISP, AS, etc? Thanks. I too am very interested in this topic. I'm in the process of putting a small service provider network together. Starting with three points of presence (Los Angeles, Kansas City, undetermined east coast location). I'm in the process of securing an AS, IP space etc. Already have all the necessary networking gear. Working on getting it configured and deployed. I'm a data center guy coming into the WAN world. Learning as I go. -- Charles N Wyble char...@knownelement.com @charlesnw on twitter http://blog.knownelement.com Building alternative,global scale,secure, cost effective bit moving platform for tomorrows alternate default free zone.