Re: events

2011-09-30 Thread Kevin Kadow
On Fri, Sep 30, 2011 at 2:44 PM, Ukpong Ukpong  wrote:
> Have you tried qradar? It's rather good

I've used Splunk and QRadar; both are available as free VMware
appliances with limitations on log volume, sufficient for testing.  Or
if you're mostly looking at webserver/proxy/firewall logs, Sawmill is
worth checking out.

I've also been looking into using Lancope's replicator to take in
syslog UDP and send copies to multiple loggers, since some appliances
only support a single syslog destination.

Kevin



Latency issue - TWC NYC / Roadrunner - AS12271 / AS7843

2011-09-30 Thread Greg B - NANOG
Hi,
If anyone from Time Warner Cable / Roadrunner is monitoring, there's been a
high latency issue on your network in NYC both yesterday (for at least 10
hours) and again this evening to most/all of the internet. Please contact me
off-list if you need more information. Thanks.

Sample pings/traces below as of 10/01/2011 12:15 US Eastern:


1.
From my home TWC connection - see hop 7:

ping www.xo.com
--- www.xo.com ping statistics ---
12 packets transmitted, 12 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 143.868/146.355/149.656/2.064 ms

traceroute www.xo.com
traceroute to www.xo.com (205.158.160.76), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  3.751 ms  0.587 ms  0.651 ms
 2  cpe-72-225-224-1.nyc.res.rr.com (72.225.224.1)  27.711 ms  29.453 ms  12.336 ms
 3  g-2-0-nycmnya-rtr2.nyc.rr.com (24.29.139.66)  8.927 ms  8.468 ms  9.707 ms
 4  nycmnytg-10g-0-0-0.nyc.rr.com (24.29.148.29)  17.222 ms  21.110 ms  15.531 ms
 5  * * *
 6  ae-4-0.cr0.nyc30.tbone.rr.com (66.109.6.78)  8.618 ms
    107.14.19.24 (107.14.19.24)  8.880 ms
    ae-4-0.cr0.nyc30.tbone.rr.com (66.109.6.78)  7.763 ms
 7  ae-1-0.pr0.nyc30.tbone.rr.com (66.109.6.161)  104.189 ms
    107.14.19.153 (107.14.19.153)  100.793 ms  103.203 ms
 8  216.55.0.109 (216.55.0.109)  105.266 ms
    216.55.0.65 (216.55.0.65)  104.000 ms
    216.55.0.61 (216.55.0.61)  101.070 ms
 9  vb1011.rar3.washington-dc.us.xo.net (216.156.0.21)  138.200 ms  140.265 ms  142.332 ms
10  te-3-0-0.rar3.atlanta-ga.us.xo.net (207.88.12.9)  140.559 ms  140.501 ms  145.405 ms
11  te-3-0-0.rar3.dallas-tx.us.xo.net (207.88.12.2)  139.805 ms  141.493 ms  141.685 ms
12  ae0d0.mcr1.dallas-tx.us.xo.net (216.156.0.82)  140.758 ms  138.310 ms  140.159 ms
13  216.55.13.100 (216.55.13.100)  139.605 ms  142.972 ms  140.269 ms
14  txplan01-fw01a-eth1.dc.xo.com (205.158.160.201)  141.185 ms  165.681 ms  138.875 ms
15  xonlbvip.pla.dc.xo.com (205.158.160.76)  138.432 ms  136.816 ms  138.662 ms


2.
From my home TWC connection - see hop 7:

ping www.level3.net
--- www.level3.net ping statistics ---
12 packets transmitted, 12 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 58.380/60.156/61.647/0.937 ms

traceroute www.level3.net
traceroute to www.level3.net (4.68.90.77), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  3.703 ms  0.621 ms  0.588 ms
 2  cpe-72-225-224-1.nyc.res.rr.com (72.225.224.1)  25.585 ms  30.256 ms  28.233 ms
 3  g-2-0-nycmnya-rtr2.nyc.rr.com (24.29.139.66)  11.273 ms  11.575 ms  9.182 ms
 4  nycmnytg-10g-0-0-0.nyc.rr.com (24.29.148.29)  21.087 ms  11.580 ms  11.638 ms
 5  * * *
 6  ae-4-0.cr0.nyc30.tbone.rr.com (66.109.6.78)  10.537 ms
    107.14.19.24 (107.14.19.24)  8.745 ms  10.463 ms
 7  ae-1-0.pr0.nyc30.tbone.rr.com (66.109.6.161)  108.194 ms
    107.14.19.153 (107.14.19.153)  109.087 ms
    ae-1-0.pr0.nyc30.tbone.rr.com (66.109.6.161)  109.317 ms
 8  * * *
 9  ae-31-51.ebr1.newark1.level3.net (4.69.156.30)  112.040 ms  108.726 ms  107.861 ms
10  ae-2-2.ebr1.newyork1.level3.net (4.69.132.97)  110.525 ms  110.807 ms  109.539 ms
11  ae-4-4.ebr1.newyork2.level3.net (4.69.141.18)  105.738 ms  109.069 ms  110.558 ms
12  ae-1-100.ebr2.newyork2.level3.net (4.69.135.254)  110.856 ms  106.272 ms  101.736 ms
13  ae-2-2.ebr1.chicago1.level3.net (4.69.132.65)  137.025 ms  133.715 ms  150.440 ms
14  ae-6-6.ebr1.chicago2.level3.net (4.69.140.190)  129.500 ms  131.001 ms  132.307 ms
15  ae-3-3.ebr2.denver1.level3.net (4.69.132.61)  61.386 ms  58.412 ms  61.884 ms
16  ge-9-0.hsa1.denver1.level3.net (4.69.147.101)  60.336 ms  59.978 ms  60.035 ms
17  4.68.94.26 (4.68.94.26)  58.137 ms  57.445 ms  58.010 ms
18  4.68.94.33 (4.68.94.33)  61.125 ms  59.451 ms  60.578 ms
19  eth2.l3hqdc7705.idc1.broomfield1.level3.net (4.68.92.2)  61.251 ms  58.341 ms  61.785 ms
20  4.68.92.33 (4.68.92.33)  60.866 ms  60.884 ms  60.179 ms
21  * * *
22  * * *

3.
From my home TWC connection - see hop 7:

ping www.globalcrossing.com
--- wwwgblx.lb.globalcrossing.com ping statistics ---
12 packets transmitted, 12 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 115.264/119.452/123.780/2.929 ms

traceroute www.globalcrossing.com
traceroute: Warning: www.globalcrossing.com has multiple addresses; using 207.218.55.197
traceroute to wwwgblx.lb.globalcrossing.com (207.218.55.197), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  1.407 ms  0.758 ms  0.585 ms
 2  cpe-72-225-224-1.nyc.res.rr.com (72.225.224.1)  18.393 ms  18.194 ms  10.682 ms
 3  g-2-0-nycmnya-rtr2.nyc.rr.com (24.29.139.66)  7.720 ms  8.155 ms  9.412 ms
 4  nycmnytg-10g-0-0-0.nyc.rr.com (24.29.148.29)  13.247 ms  11.104 ms  12.423 ms
 5  * * *
 6  107.14.19.24 (107.14.19.24)  10.703 ms  8.618 ms  9.633 ms
 7  ae-1-0.pr0.nyc20.tbone.rr.com (66.109.6.163)  87.927 ms  88.377 ms  86.158 ms
 8  tengigabitethernet3-3.ar7.nyc1.gblx.net (64.213.104.193)  88.005 ms
    66.109.9.210 (66.109.9.210)  90.130 ms
    te7-4.ar1.nyc8.gblx.net (208.48.23.1)  90.725 ms
 9  * * *
10  * * *

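Added example, not part of Greg's post: a parser that folds the mail-wrapped hop lines of the first trace above back together, then reports the first hop where the minimum RTT steps up and every later hop keeps the increase. That persistence is what makes hop 7 the suspect rather than a router that is merely slow to answer ICMP; the 50 ms threshold is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Trace 1 from the post above (home TWC connection to www.xo.com), copied as it
# was posted: hop lines wrapped by the mail client, extra responders on their own lines.
TRACE_XO = """\
traceroute to www.xo.com (205.158.160.76), 64 hops max, 52 byte packets
 1  192.168.1.1 (192.168.1.1)  3.751 ms  0.587 ms  0.651 ms
 2  cpe-72-225-224-1.nyc.res.rr.com (72.225.224.1)  27.711 ms  29.453 ms
 12.336 ms
 3  g-2-0-nycmnya-rtr2.nyc.rr.com (24.29.139.66)  8.927 ms  8.468 ms  9.707
ms
 4  nycmnytg-10g-0-0-0.nyc.rr.com (24.29.148.29)  17.222 ms  21.110 ms
 15.531 ms
 5  * * *
 6  ae-4-0.cr0.nyc30.tbone.rr.com (66.109.6.78)  8.618 ms
107.14.19.24 (107.14.19.24)  8.880 ms
ae-4-0.cr0.nyc30.tbone.rr.com (66.109.6.78)  7.763 ms
 7  ae-1-0.pr0.nyc30.tbone.rr.com (66.109.6.161)  104.189 ms
107.14.19.153 (107.14.19.153)  100.793 ms  103.203 ms
 8  216.55.0.109 (216.55.0.109)  105.266 ms
216.55.0.65 (216.55.0.65)  104.000 ms
216.55.0.61 (216.55.0.61)  101.070 ms
 9  vb1011.rar3.washington-dc.us.xo.net (216.156.0.21)  138.200 ms  140.265
ms  142.332 ms
10  te-3-0-0.rar3.atlanta-ga.us.xo.net (207.88.12.9)  140.559 ms  140.501 ms
 145.405 ms
11  te-3-0-0.rar3.dallas-tx.us.xo.net (207.88.12.2)  139.805 ms  141.493 ms
 141.685 ms
12  ae0d0.mcr1.dallas-tx.us.xo.net (216.156.0.82)  140.758 ms  138.310 ms
 140.159 ms
13  216.55.13.100 (216.55.13.100)  139.605 ms  142.972 ms  140.269 ms
14  txplan01-fw01a-eth1.dc.xo.com (205.158.160.201)  141.185 ms  165.681 ms
 138.875 ms
15  xonlbvip.pla.dc.xo.com (205.158.160.76)  138.432 ms  136.816 ms  138.662
ms
"""

# A hop line is a hop number, whitespace, then the first probe's text; a wrapped
# " 12.336 ms" or bare "ms" line fails this test and is treated as a continuation.
HOP_START = re.compile(r"^\s*(\d{1,3})\s+(?!ms\b)(\S.*)$")
RESPONDER = re.compile(r"(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")
RTT_MS = re.compile(r"(\d+(?:\.\d+)?)\s*ms\b")

@dataclass
class Hop:
    number: int
    responders: List[str]  # distinct names/addresses that answered at this TTL
    rtts: List[float]      # every RTT sample in ms, across all responders

    @property
    def min_rtt(self) -> Optional[float]:
        # The fastest sample is the best estimate of forwarding-path latency;
        # it is least distorted by queueing or by slow ICMP generation.
        return min(self.rtts) if self.rtts else None

def parse_traceroute(text: str) -> Dict[int, Hop]:
    """Parse traceroute output, folding continuation lines (wrapped samples,
    extra responders printed on their own line) back onto their hop."""
    raw: Dict[int, str] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        if line.startswith("traceroute"):  # command echo, header or warning
            continue
        m = HOP_START.match(line)
        if m:
            current = int(m.group(1))
            raw[current] = m.group(2)
        elif current is not None and line.strip():
            raw[current] += " " + line.strip()
    hops: Dict[int, Hop] = {}
    for number, body in raw.items():
        names = [name for name, _ip in RESPONDER.findall(body)]
        rtts = [float(x) for x in RTT_MS.findall(body)]
        hops[number] = Hop(number, list(dict.fromkeys(names)), rtts)
    return hops

def latency_step(hops: Dict[int, Hop], threshold_ms: float = 50.0) -> Optional[Tuple[int, float]]:
    """Return (hop, delta_ms) for the first hop whose min RTT exceeds the previous
    answering hop's by more than threshold_ms AND whose increase every later hop
    inherits; a jump later hops do not carry is slow ICMP, not path latency."""
    answering = [h for h in sorted(hops.values(), key=lambda h: h.number) if h.rtts]
    for i in range(1, len(answering)):
        prev, cur = answering[i - 1], answering[i]
        delta = cur.min_rtt - prev.min_rtt
        if delta <= threshold_ms:
            continue
        if all(h.min_rtt >= cur.min_rtt - threshold_ms for h in answering[i + 1:]):
            return cur.number, round(delta, 3)
    return None

if __name__ == "__main__":
    hops = parse_traceroute(TRACE_XO)
    for hop in hops.values():
        best = f"{hop.min_rtt:8.3f} ms" if hop.rtts else "  no reply"
        print(f"{hop.number:2d}  {best}  {', '.join(hop.responders)}")
    print("latency step:", latency_step(hops))  # (7, 93.03)
```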

Re: Synology Disk DS211J

2011-09-30 Thread Charles N Wyble
On 09/30/2011 08:56 AM, Blake T. Pfankuch wrote:
> The easy way around the unhappy significant other/minion shaped offspring
> solution is to put all of the "end user" devices on a separate VLAN, and then
> treat that as an open DMZ.  Then everything operational (ironic in a home) on
> your secured production network (restrict all outbound/inbound except what is
> needed).  If you really want to complicate it you should even put your
> wireless into a separate VLAN as well, and secure it as appropriate.  Gives
> you the ability to firewall between networks, thus making sure that when your
> minions eventually get something nasty going on the PC they use, it doesn't
> spread through the rest of the network.  Also means you can deploy some form
> of content filtering policies through various solutions to prevent your
> minions from discovering the sites running on the most recent TLD addition.

PacketFence. Per user VLANs. RADIUS back end auth with one time
passwords. I'm trying to package all this into a turnkey distro for my
own deployment across hundreds of sites. As such I need it anyway and
don't mind open sourcing it. It's been an on again/off again project but
it's really close to release.



> This assumes that most people reading this email have the ability to run 
> multiple routed subnets behind their home firewall.  Be it a layer 3 switch 
> with ACL's or multiple physical interfaces and the ability to have them act 
> independently.  

Routing on a stick to pfSense for me. Though I could use my l3 switch I
guess. *shrugs*

> Personally I run 8 separate networks (some with multiple routed subnets).  
> Wireless data, management network, voice networks, game consoles, storage, 
> internal servers, DMZ servers and Project network.  Only reason why there is 
> no "end user" network is that there are no wired drops anywhere in the house, 
> so that falls under the wireless data. That network gets internet access and 
> connectivity to file sharing off the internal servers and all internet 
> traffic runs through Anti-Virus/Anti-Spyware before going outbound and 
> inbound.

No. You aren't paranoid enough. See above. If it was turnkey, more
people would use it.

> Blake
>
> -Original Message-
> From: Matthew Palmer [mailto:mpal...@hezmatt.org] 
> Sent: Friday, September 30, 2011 12:19 AM
> To: nanog@nanog.org
> Subject: Re: Synology Disk DS211J
>
> On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
>

-- 
Charles N Wyble char...@knownelement.com @charlesnw on twitter

http://blog.knownelement.com

Building alternative, global scale, secure, cost effective bit moving platform
for tomorrow's alternate default free zone.




Re: Were A record domain names ever limited to 23 characters?

2011-09-30 Thread Joe Hamelin
> On Fri, Sep 30, 2011 at 02:54:38PM -0700, steve pirk [egrep] wrote:
>  I seem to recollect back the 1999 or 2000 times that I was unable to
>  register a domain name that was 24 characters long...

I remember tales from when there was an eight character limit.  But that was
back when you didn't have to pay for them and they assigned you a class-c
block automatically.  Of course it took six weeks to register because there
was only one person running the registry.

--
Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474


Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Christopher Morrow
On Fri, Sep 30, 2011 at 9:44 PM, Christopher Morrow
 wrote:
> On Fri, Sep 30, 2011 at 9:32 PM, Dobbins, Roland  wrote:
>> On Sep 30, 2011, at 11:44 PM, Christopher Morrow wrote:
>>
>>> this is exactly why punting anything NOT management and/or 
>>> routing-protocols should be banned. Thanks for making that point explicitly.
>>
>> And this is the requirement which should be placed in RFPs, along with other
>> specific requirements for ACL handling, flow telemetry functionality, uRPF,
>> et al.
>>
>> If folks want to influence vendors to do the Right Thing, they have to 
>> expend the time and effort to quantify and qualify said Right Thing(s), and 
>> then put it into RFP requirements.  Otherwise, complaining post-procurement 
>> isn't generally going to accomplish much.
>>
>
> yes, my bitchfest was also a 'could we all start asking for this, now?' ... :)
>



Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Christopher Morrow
On Fri, Sep 30, 2011 at 9:32 PM, Dobbins, Roland  wrote:
> On Sep 30, 2011, at 11:44 PM, Christopher Morrow wrote:
>
>> this is exactly why punting anything NOT management and/or routing-protocols 
>> should be banned. Thanks for making that point explicitly.
>
> And this is the requirement which should be placed in RFPs, along with other
> specific requirements for ACL handling, flow telemetry functionality, uRPF,
> et al.
>
> If folks want to influence vendors to do the Right Thing, they have to expend 
> the time and effort to quantify and qualify said Right Thing(s), and then put 
> it into RFP requirements.  Otherwise, complaining post-procurement isn't 
> generally going to accomplish much.
>

yes, my bitchfest was also a 'could we all start asking for this, now?' ... :)



Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Dobbins, Roland
On Sep 30, 2011, at 11:44 PM, Christopher Morrow wrote:

> this is exactly why punting anything NOT management and/or routing-protocols 
> should be banned. Thanks for making that point explicitly.

And this is the requirement which should be placed in RFPs, along with other
specific requirements for ACL handling, flow telemetry functionality, uRPF, et
al.

If folks want to influence vendors to do the Right Thing, they have to expend 
the time and effort to quantify and qualify said Right Thing(s), and then put 
it into RFP requirements.  Otherwise, complaining post-procurement isn't 
generally going to accomplish much.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde




Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Dobbins, Roland
On Sep 30, 2011, at 9:45 PM, Christopher Morrow wrote:

> enough is enough please stop doing this.

Yes, but keep in mind that this particular issue has to do with an ASIC which 
is several years old and which contains other significant handicaps as well 
(viz. NetFlow caveats, no per-interface uRPF mode, etc.).

So, complaining about most anything on this particular ASIC isn't going to 
accomplish much, unfortunately.  The key is to a) evaluate newer ASICs on more 
operationally useful platforms in order to see how they handle this sort of 
thing (EARL8 should be fine, AFAICT) and b) put the appropriate requirements 
into RFCs so that vendors have a monetary value associated with doing the right 
thing.

---
Roland Dobbins  // 

The basis of optimism is sheer terror.

  -- Oscar Wilde




Cross posting: Call for Program Committee candidates for the NANOG PC

2011-09-30 Thread Dave Temkin

All,

If you've ever thought about helping to give back to the community and you regularly attend NANOG 
conferences, please consider running for the NANOG Program Committee.  Committee nominations close on 
10/11/2011, and we need your help!


The seventeen-member NANOG Program Committee solicits talks, works with potential speakers to refine 
presentations, and reviews proposals for technical accuracy and relevance to the NANOG audience.  We need 
people from all walks of life who can help us recruit and vet talks of interest to the broad spectrum of 
NANOG attendees.


More information can be found about how the NANOG community governs itself here:  
http://www.nanog.org/governance/ .


Thanks,
-Dave Temkin



Re: facebook spying on us?

2011-09-30 Thread Joel jaeggli
On 9/30/11 15:58 , Seth Mattinen wrote:
> On 9/30/11 3:41 PM, Michael Painter wrote:
>> Steven G. Huter wrote:
>>> this August 2011 article in the Economist outlines some relevant info
>>> about the prineville, oregon FB datacenter.
>>>
>>> http://www.economist.com/node/21525237
>>>
>>> steve
>>
>> Informative article..."It's the climate, stupid".
>>
>> Got a laugh out of:
>> "The server racks are nearly silent, and their internal fans whirr
>> almost imperceptibly.
>> The only exceptions are network switches which, Facebook staff notes,
>> are perversely designed by even the biggest firms to vent air out of
>> their sides. As a result, they run loud and hot-and are openly sworn at."
>>
> 
> 
> Which says to me that FB staff has no clue how chassis switches are
> constructed, or they don't like switches with vertically oriented line
> cards.

nobody puts a chassis switch at the top of a rack...

there are several 1U ToRs orderable with either FTB or BTF airflow, but
it is a design consideration.

> ~Seth
> 




Re: facebook spying on us?

2011-09-30 Thread Callahan Warlick
It was a relative comparison, and it's off the shelf network gear.

-Callahan

On Fri, Sep 30, 2011 at 3:58 PM, Seth Mattinen  wrote:
> On 9/30/11 3:41 PM, Michael Painter wrote:
>> Steven G. Huter wrote:
>>> this August 2011 article in the Economist outlines some relevant info
>>> about the prineville, oregon FB datacenter.
>>>
>>> http://www.economist.com/node/21525237
>>>
>>> steve
>>
>> Informative article..."It's the climate, stupid".
>>
>> Got a laugh out of:
>> "The server racks are nearly silent, and their internal fans whirr
>> almost imperceptibly.
>> The only exceptions are network switches which, Facebook staff notes,
>> are perversely designed by even the biggest firms to vent air out of
>> their sides. As a result, they run loud and hot-and are openly sworn at."
>>
>
>
> Which says to me that FB staff has no clue how chassis switches are
> constructed, or they don't like switches with vertically oriented line
> cards.
>
> ~Seth
>
>



Re: facebook spying on us?

2011-09-30 Thread Seth Mattinen
On 9/30/11 3:41 PM, Michael Painter wrote:
> Steven G. Huter wrote:
>> this August 2011 article in the Economist outlines some relevant info
>> about the prineville, oregon FB datacenter.
>>
>> http://www.economist.com/node/21525237
>>
>> steve
> 
> Informative article..."It's the climate, stupid".
> 
> Got a laugh out of:
> "The server racks are nearly silent, and their internal fans whirr
> almost imperceptibly.
> The only exceptions are network switches which, Facebook staff notes,
> are perversely designed by even the biggest firms to vent air out of
> their sides. As a result, they run loud and hot-and are openly sworn at."
> 


Which says to me that FB staff has no clue how chassis switches are
constructed, or they don't like switches with vertically oriented line
cards.

~Seth



Re: facebook spying on us?

2011-09-30 Thread Joel jaeggli
On 9/30/11 15:19 , Steven G. Huter wrote:
>>> I can't tell you the kind of servers, but I can say that I was
>>> recently in Prineville, OR, where FB is building a data center (and a
>>> second data center). I was used to the ol data centers - you know,
>>> where there's raised floors, cabinets, cool air, a guard and a few
>>> guys around with some screens?
>>>
>>> But this was massive. I was amazed at the size - a few city blocks
>>> long and a city block wide, with a transformer and power line the
>>> size of a small city. I wonder if the Feds were involved.
>>
>> the bonneville power administration.
> 
> hey joelja
> 
> this August 2011 article in the Economist outlines some relevant info
> about the prineville, oregon FB datacenter.
> 
> http://www.economist.com/node/21525237

ambient cooling is important just like power is important, but sonic.net
gets ~240 days of ambient in Santa Rosa so it's feasible

wholesale market prices are driven by availability from the largest
producer. so you'll pay market price as benchmarked at the Bonneville
transmission yard just as is much of California and AZ; the reference
price is at Palo Verde, AZ.

there's only one coal plant in Oregon and it's 600MW of generating
capacity in Boardman; that's Portland General Electric.

we've got a 20MW interruptible contract with Silicon Valley Power
precisely because it's vanishingly close to the wholesale rate compared
to PGE's pricing structure, so if you ever wonder why the DCs are in
Sunnyvale and Santa Clara but not Mountain View, there's a good reason.

> steve
> 




Re: facebook spying on us?

2011-09-30 Thread Michael Painter

Steven G. Huter wrote:

this August 2011 article in the Economist outlines some relevant info
about the prineville, oregon FB datacenter.

http://www.economist.com/node/21525237

steve


Informative article..."It's the climate, stupid".

Got a laugh out of:
"The server racks are nearly silent, and their internal fans whirr almost 
imperceptibly.
The only exceptions are network switches which, Facebook staff notes, are perversely designed by even the biggest firms to 
vent air out of their sides. As a result, they run loud and hot-and are openly sworn at." 





RE: events

2011-09-30 Thread Brandon Kim

Good question, we do not use ManageEngine for NMS and I have no desire to use
them either. I tried their NMS platform last year and it was "ok", the
interface just seemed a little clunky.

Setting up ManageEngine syslog was a breeze and now we get alerts based on what
kind of messages we want, it's pretty hands off, I'm sure you could fine tune it
further...

But I hear that SolarWinds NPM has syslog built into it, so I'm thinking of
going with one product that covers it all.



> Subject: Re: events
> From: ja...@lixfeld.ca
> Date: Fri, 30 Sep 2011 14:21:38 -0400
> To: nanog@nanog.org
> 
> On 2011-09-30, at 2:13 PM, Brandon Kim wrote:
> 
> > I've been happy with my basic ManageEngine's syslog, but I may be looking 
> > at Solarwinds too...
> 
> I've just installed the Splunk eval myself, but I'm curious about your 
> ManageEngine experiences.  I don't have any interest in using ManageEngine as 
> an NMS; I have a couple of tools that I use for that already.  Can you use 
> ManageEngine's syslog without having to set it up to monitor all of your 
> devices first?  Have you looked at the TRAP support in ManageEngine?
  

Re: Were A record domain names ever limited to 23 characters?

2011-09-30 Thread steve pirk [egrep]
Found a decent starting reference. It was a Network Solutions limit... I
*knew* it! LOL
http://www.123-domain-register.com/longdomainnames.htm

The domain in question was inspectorgadgetthemovie.com, 27 characters long
including the .tld. I was off by one, the limit was 22 characters for the A
record name and 4 characters for .com, .net, .org, .gov and .edu.

From the 123-domain-register web page:

> The word is out... and the experts have been taking advantage of a change
> in Domain Name regulations that allows up to 67 characters in domain names.
>
> How this will impact you:
>
> - Long domain names filled with keywords can get you ranked higher on the
>   search engines. (yes, the search engines will rank them)
>
> - For those who could not get a DOT.COM domain name, or were limited by
>   the 22 character limit, those days are over...for awhile anyway.
>
> - This revolution is driven by entrepreneurs who can act quickly. If you
>   do not act soon, all the good domains will be gone, and you will have to
>   pay premiums you do not want to in order to get the domain name you want.
>
> Since 1993, Network Solutions has registered more than 3.4 million domain
> names -- all limited to 26 characters. Now that their exclusive government
> contract is ending, competitors have tossed this artificial limit and are
> allowing longer names.
>
Cool, I was not dreaming... ;-]
--steve

On Fri, Sep 30, 2011 at 15:00,  wrote:

> On Fri, Sep 30, 2011 at 02:54:38PM -0700, steve pirk [egrep] wrote:
> > I seem to recollect back the 1999 or 2000 times that I was unable to
> > register a domain name that was 24 characters long. Shortly after that, I
> > heard that the character limit had been increased to like 128 characters,
> > and we were able to register the name.
> >
> > Can anyone offer some input, or is this a memory of a bad dream?
> > ;-]
> >
> > -- Steve Pirk
> > Yensid
>
> the foundational DNS spec sez:
>
>
> http://www.ietf.org/rfc/rfc1035.txt
>
> 2.3.1
> [elided]
> There are also some restrictions on the length.  Labels must be 63
> characters or less.
>
> /bill
>



-- 
steve pirk
refiamerica.org
"father... the sleeper has awakened..." paul atreides - dune
kexp.org member august '09


Re: facebook spying on us?

2011-09-30 Thread Steven G. Huter

I can't tell you the kind of servers, but I can say that I was
recently in Prineville, OR, where FB is building a data center (and a
second data center). I was used to the ol data centers - you know,
where there's raised floors, cabinets, cool air, a guard and a few
guys around with some screens?

But this was massive. I was amazed at the size - a few city blocks
long and a city block wide, with a transformer and power line the
size of a small city. I wonder if the Feds were involved.


the bonneville power administration.


hey joelja

this August 2011 article in the Economist outlines some relevant info
about the prineville, oregon FB datacenter.

http://www.economist.com/node/21525237

steve




Re: facebook spying on us?

2011-09-30 Thread Joel jaeggli
On 9/30/11 14:59 , Jones, Barry wrote:
> I can't tell you the kind of servers, but I can say that I was
> recently in Prineville, OR, where FB is building a data center (and a
> second data center). I was used to the ol data centers - you know,
> where there's raised floors, cabinets, cool air, a guard and a few
> guys around with some screens?
> 
> But this was massive. I was amazed at the size - a few city blocks
> long and a city block wide, with a transformer and power line the
> size of a small city. I wonder if the Feds were involved.

the bonneville power administration.




Re: Were A record domain names ever limited to 23 characters?

2011-09-30 Thread bmanning
On Fri, Sep 30, 2011 at 02:54:38PM -0700, steve pirk [egrep] wrote:
> I seem to recollect back the 1999 or 2000 times that I was unable to
> register a domain name that was 24 characters long. Shortly after that, I
> heard that the character limit had been increased to like 128 characters,
> and we were able to register the name.
> 
> Can anyone offer some input, or is this a memory of a bad dream?
> ;-]
> 
> -- Steve Pirk
> Yensid

the foundational DNS spec sez:


http://www.ietf.org/rfc/rfc1035.txt

2.3.1
[elided]
There are also some restrictions on the length.  Labels must be 63 characters 
or less.

/bill

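As an added example (not posted by anyone in the thread), this checks a name against the RFC 1035 size limits bill cites (63-octet labels, 255-octet wire-format names) and the RFC's preferred label syntax, and optionally against a stricter registry policy such as the 22-character Network Solutions limit steve recalls. NETSOL_LABEL_LIMIT is a constant defined here for that historic policy, not a protocol value.

```python
import re
from dataclasses import dataclass
from typing import List

MAX_LABEL_OCTETS = 63    # RFC 1035 sections 2.3.1 and 2.3.4
MAX_NAME_OCTETS = 255    # RFC 1035 section 2.3.4: the whole wire-format name
NETSOL_LABEL_LIMIT = 22  # 1990s Network Solutions registry policy recalled in the thread (not a protocol limit)

# RFC 1035 "preferred name syntax": a letter first, letters/digits/hyphens inside,
# no trailing hyphen. (RFC 1123 later allowed a leading digit; swap the pattern for that.)
LDH_LABEL = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")


@dataclass
class NameCheck:
    name: str
    labels: List[str]
    text_length: int   # characters as typed, without a trailing dot
    wire_length: int   # octets as encoded in a DNS message
    problems: List[str]

    @property
    def ok(self) -> bool:
        return not self.problems


def wire_length(labels: List[str]) -> int:
    """Each label is sent as a length octet plus its characters; the name ends
    with the zero-length root label, which costs one more octet. This is why
    the longest presentation-form name is 253 characters, not 255."""
    return sum(1 + len(label) for label in labels) + 1


def check_name(name: str, label_limit: int = MAX_LABEL_OCTETS) -> NameCheck:
    """Validate a presentation-format name against the RFC 1035 limits and
    label syntax; label_limit lets a stricter registry policy be applied on
    top of the protocol's 63-octet ceiling."""
    text = name.rstrip(".")
    labels = text.split(".") if text else []
    problems: List[str] = []
    if not labels:
        problems.append("empty name")
    for label in labels:
        if not label:
            problems.append("empty label (consecutive dots)")
        elif len(label) > label_limit:
            problems.append(f"label {label!r} is {len(label)} chars, limit {label_limit}")
        elif not LDH_LABEL.match(label):
            problems.append(f"label {label!r} violates letter-digit-hyphen syntax")
    octets = wire_length(labels)
    if octets > MAX_NAME_OCTETS:
        problems.append(f"name is {octets} octets on the wire, limit {MAX_NAME_OCTETS}")
    return NameCheck(text, labels, len(text), octets, problems)


if __name__ == "__main__":
    # The thread's name: fine under RFC 1035, over the old registry policy.
    for policy in (MAX_LABEL_OCTETS, NETSOL_LABEL_LIMIT):
        result = check_name("inspectorgadgetthemovie.com", label_limit=policy)
        print(policy, result.text_length, result.wire_length, result.problems or "ok")
    # A 63-octet label plus ".com" is 67 characters, the figure the quoted
    # registrar page advertises; one more character fails the protocol limit.
    print(check_name("a" * 63 + ".com").ok, check_name("a" * 64 + ".com").ok)
```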


The Cidr Report

2011-09-30 Thread cidr-report
This report has been generated at Fri Sep 30 21:12:35 2011 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
Date       Prefixes    CIDR Agg
23-09-11     377111      221388
24-09-11     377558      221596
25-09-11     377652      221708
26-09-11     377754      222001
27-09-11     377784      221985
28-09-11     378019      221838
29-09-11     378145      221391
30-09-11     377480      221774


AS Summary
 39016  Number of ASes in routing system
 16481  Number of ASes announcing only one prefix
  3556  Largest number of prefixes announced by an AS
AS6389 : BELLSOUTH-NET-BLK - BellSouth.net Inc.
  108295136  Largest address span announced by an AS (/32s)
AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street


Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as 
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 30Sep11 ---
AS         NetsNow  NetsAggr  NetGain   % Gain   Description

Table       377614    221830   155784    41.3%   All ASes

AS6389        3556       228     3328    93.6%   BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS18566       1915       380     1535    80.2%   COVAD - Covad Communications Co.
AS4766        2509       979     1530    61.0%   KIXS-AS-KR Korea Telecom
AS22773       1457       110     1347    92.5%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS4755        1543       231     1312    85.0%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS4323        1629       394     1235    75.8%   TWTC - tw telecom holdings, inc.
AS28573       1368       319     1049    76.7%   NET Servicos de Comunicao S.A.
AS1785        1832       784     1048    57.2%   AS-PAETEC-NET - PaeTec Communications, Inc.
AS19262       1395       401      994    71.3%   VZGNI-TRANSIT - Verizon Online LLC
AS7552        1392       430      962    69.1%   VIETEL-AS-AP Vietel Corporation
AS7303        1164       321      843    72.4%   Telecom Argentina S.A.
AS10620       1681       843      838    49.9%   Telmex Colombia S.A.
AS18101        954       155      799    83.8%   RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS24560       1173       391      782    66.7%   AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS8151        1415       649      766    54.1%   Uninet S.A. de C.V.
AS4808        1074       335      739    68.8%   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS30036       1390       671      719    51.7%   MEDIACOM-ENTERPRISE-BUSINESS - Mediacom Communications Corp
AS7545        1607       895      712    44.3%   TPG-INTERNET-AP TPG Internet Pty Ltd
AS3356        1104       450      654    59.2%   LEVEL3 Level 3 Communications
AS14420        742        91      651    87.7%   CORPORACION NACIONAL DE TELECOMUNICACIONES - CNT EP
AS3549        1055       448      607    57.5%   GBLX Global Crossing Ltd.
AS20115       1595       988      607    38.1%   CHARTER-NET-HKY-NC - Charter Communications
AS22561        967       363      604    62.5%   DIGITAL-TELEPORT - Digital Teleport Inc.
AS17676        673        70      603    89.6%   GIGAINFRA Softbank BB Corp.
AS4804         677        89      588    86.9%   MPX-AS Microplex PTY LTD
AS17974       1983      1414      569    28.7%   TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
AS22047        581        28      553    95.2%   VTR BANDA ANCHA S.A.
AS8402        1186       637      549    46.3%   CORBINA-AS OJSC "Vimpelcom"
AS7011        1173       647      526    44.8%   FRONTIER-AND-CITIZENS - Frontier Communications of America, Inc.
AS17488        908       390      518    57.0%

BGP Update Report

2011-09-30 Thread cidr-report
BGP Update Report
Interval: 22-Sep-11 -to- 29-Sep-11 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN         Upds     %   Upds/Pfx  AS-Name
 1 - AS9829     44536  2.8%      61.9 -- BSNL-NIB National Internet Backbone
 2 - AS5800     36718  2.3%     180.9 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
 3 - AS38040    29537  1.9%    2109.8 -- GLOBAL-TRANSIT-TOT-IIG-TH TOT Public Company Limited
 4 - AS6316     29336  1.9%    1466.8 -- AS-PAETEC-NET - PaeTec Communications, Inc.
 5 - AS32528    23323  1.5%    7774.3 -- ABBOTT Abbot Labs
 6 - AS9246     21941  1.4%    2742.6 -- GTA-AP Teleguam Holdings, LLC
 7 - AS9498     20692  1.3%      25.0 -- BBIL-AP BHARTI Airtel Ltd.
 8 - AS16916    16874  1.1%    3374.8 -- NETLOGIC-WEST - INFINIPLEX LLC DBA NETLOGIC
 9 - AS16010    15785  1.0%     129.4 -- RUSTAVI2ONLINEAS Caucasus Online LLC
10 - AS50975    14852  0.9%    7426.0 -- AVX_AS AVX Czech republic s.r.o
11 - AS8866     14004  0.9%      30.0 -- BTC-AS Bulgarian Telecommunication Company Plc.
12 - AS9475     13406  0.8%     957.6 -- WU-TH-AP Walailuk University
13 - AS17974    13239  0.8%       8.7 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
14 - AS8402     12985  0.8%      12.8 -- CORBINA-AS OJSC "Vimpelcom"
15 - AS8151     12023  0.8%      12.3 -- Uninet S.A. de C.V.
16 - AS7552     11853  0.8%       8.5 -- VIETEL-AS-AP Vietel Corporation
17 - AS9808     11389  0.7%      17.1 -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
18 - AS9562      9980  0.6%    2495.0 -- MSU-TH-AP Mahasarakham University
19 - AS9649      9765  0.6%     184.2 -- MOPH-TH-AP Information Technology Office
20 - AS22793     9582  0.6%    9582.0 -- CASSOCORP - CASSO Corporation


TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN         Upds     %   Upds/Pfx  AS-Name
 1 - AS22793     9582  0.6%    9582.0 -- CASSOCORP - CASSO Corporation
 2 - AS32528    23323  1.5%    7774.3 -- ABBOTT Abbot Labs
 3 - AS50975    14852  0.9%    7426.0 -- AVX_AS AVX Czech republic s.r.o
 4 - AS8499      4650  0.3%    4650.0 -- Space Hellas S.A.
 5 - AS16916    16874  1.1%    3374.8 -- NETLOGIC-WEST - INFINIPLEX LLC DBA NETLOGIC
 6 - AS9246     21941  1.4%    2742.6 -- GTA-AP Teleguam Holdings, LLC
 7 - AS9562      9980  0.6%    2495.0 -- MSU-TH-AP Mahasarakham University
 8 - AS3976      2391  0.1%    2391.0 -- ERX-NURI-ASN I.Net Technologies Inc.
 9 - AS38040    29537  1.9%    2109.8 -- GLOBAL-TRANSIT-TOT-IIG-TH TOT Public Company Limited
10 - AS20098     2067  0.1%    2067.0 -- BCBS-AL - Blue Cross Blue Shield of Alabama
11 - AS8011      3426  0.2%    1713.0 -- AS8011 - CoreComm Internet Services Inc
12 - AS6316     29336  1.9%    1466.8 -- AS-PAETEC-NET - PaeTec Communications, Inc.
13 - AS17425     7550  0.5%    1258.3 -- EPA-AS-TH Provincial Electricity Authority of Thailand.
14 - AS44025     1218  0.1%    1218.0 -- KAMTELEKOM-NET Kamtelekom Ltd.
15 - AS17408     3304  0.2%    1101.3 -- ABOVE-AS-AP AboveNet Communications Taiwan
16 - AS9475     13406  0.8%     957.6 -- WU-TH-AP Walailuk University
17 - AS56772      920  0.1%     920.0 -- UFMOLDOVA-AS I.C.S. "RED UNION FENOSA" S.A.
18 - AS31787           0.1%     288.0 -- CICA Centro Informatico Cientifico de Andalucia
19 - AS3          593  0.0%     597.0 -- CICA Centro Informatico Cientifico de Andalucia
20 - AS38543     2260  0.1%     565.0 -- IBM-TH-AS-AP IBM THAILAND NETWORK


TOP 20 Unstable Prefixes
Rank  Prefix               Upds     %   Origin AS -- AS Name
 1 - 206.80.93.0/24      16867  1.0%   AS16916 -- NETLOGIC-WEST - INFINIPLEX LLC DBA NETLOGIC
 2 - 202.92.235.0/24     14393  0.8%   AS9498  -- BBIL-AP BHARTI Airtel Ltd.
 3 - 213.16.48.0/24      11975  0.7%   AS8866  -- BTC-AS Bulgarian Telecommunication Company Plc.
 4 - 130.36.34.0/24      11657  0.7%   AS32528 -- ABBOTT Abbot Labs
 5 - 130.36.35.0/24      11657  0.7%   AS32528 -- ABBOTT Abbot Labs
 6 - 66.248.120.0/21     10574  0.6%   AS6316  -- AS-PAETEC-NET - PaeTec Communications, Inc.
 7 - 66.248.96.0/21       9639  0.6%   AS6316  -- AS-PAETEC-NET - PaeTec Communications, Inc.
 8 - 207.53.145.0/24      9582  0.6%   AS22793 -- CASSOCORP - CASSO Corporation
 9 - 66.248.104.0/21      9064  0.5%   AS6316  -- AS-PAETEC-NET - PaeTec Communications, Inc.
10 - 109.75.0.0/21        8228  0.5%   AS50975 -- AVX_AS AVX Czech republic s.r.o
11 - 109.75.8.0/23        6624  0.4%   AS50975 -- AVX_AS AVX Czech republic s.r.o
12 - 180.180.253.0/24     5869  0.3%   AS38040 -- GLOBAL-TRANSIT-TOT-IIG-TH TOT Public Company Limited
13 - 180.180.250.0/24     5826  0.3%   AS38040 -- GLOBAL-TRANSIT-TOT-IIG-TH TOT Public Company Limited
14 - 180.180.248.0/24     5825  0.3%   AS38040 -- GLOBAL-TRANS

RE: facebook spying on us?

2011-09-30 Thread Jones, Barry
I can't tell you the kind of servers, but I can say that I was recently in 
Prineville, OR, where FB is building a data center (and a second data center). 
I was used to the ol' data centers - you know, where there's raised floors, 
cabinets, cool air, a guard and a few guys around with some screens? 

But this was massive. I was amazed at the size - a few city blocks long and a 
city block wide, with a transformer and power line the size of a small city. I 
wonder if the Feds were involved. 

http://www.oregonlive.com/business/index.ssf/2010/01/facebook_picks_prineville_for.html


> I also wonder about the kind of servers facebook must be having to be 
> able to manage millions of TCP connections that must be terminating 
> there.


-Original Message-
From: Keegan Holley [mailto:keegan.hol...@sungard.com] 
Sent: Thursday, September 29, 2011 7:55 AM
To: Glen Kent
Cc: nanog@nanog.org
Subject: Re: facebook spying on us?

Well what's making the connection?  It looks like unencrypted http, if your 
social security number and last known addresses are streaming by you should be 
able to see them.  It's a bit of a jump to say that FB (not that I'm 
particularly fond of them) is spying on you from a single netstat command.
You probably clicked login with facebook for some site and it's just 
autologging you in or overzealous prefetching.  Either way, I think we can all 
stop making tinfoil hats now...


2011/9/29 Glen Kent 

> Hi,
>
> I see that I have multiple TCP sessions established with facebook.
> They come up even after I reboot my laptop and don't log in to facebook!
>
> D:\Documents and Settings\gkent>netstat -a | more
>
> Active Connections
>
>  Proto  Local Address  Foreign Address                                     State
>  TCP    gkent:3974     www-10-02-snc5.facebook.com:http                    ESTABLISHED
>  TCP    gkent:3977     www-11-05-prn1.facebook.com:http                    ESTABLISHED
>  TCP    gkent:3665     a184-84-111-139.deploy.akamaitechnologies.com:http  ESTABLISHED
>
> [clipped]
>
> Any idea why these connections are established (with facebook and
> akamaitechnologies) and how I can kill them? Since my laptop has 
> several connections open with facebook, what kind of information is 
> flowing there?
>
> I also wonder about the kind of servers facebook must be having to be 
> able to manage millions of TCP connections that must be terminating 
> there.
>
> Glen
>
>
>



Were A record domain names ever limited to 23 characters?

2011-09-30 Thread steve pirk [egrep]
I seem to recollect, back in 1999 or 2000, that I was unable to
register a domain name that was 24 characters long. Shortly after that, I
heard that the character limit had been increased to something like 128 characters,
and we were able to register the name.

Can anyone offer some input, or is this a memory of a bad dream?
;-]

-- Steve Pirk
Yensid


Re: Synology Disk DS211J

2011-09-30 Thread bmanning
On Fri, Sep 30, 2011 at 05:35:52PM -0400, valdis.kletni...@vt.edu wrote:
> On Fri, 30 Sep 2011 04:14:39 -, bmann...@vacation.karoshi.com said:
> 
> > > Tell me how that flies with the customers in your household...
> >
> > They are freeloaders, not customers.  If they -PAID-
> > for service, then it would be a different conversation.
> 
> Time to cue up "Move it on over" by George Thorogood, 'cause that kind of
> talk will leave you sleeping in the doghouse tonight. ;)

 the doghouse will have net then... :)

/bill



Re: Synology Disk DS211J

2011-09-30 Thread Valdis . Kletnieks
On Fri, 30 Sep 2011 04:14:39 -, bmann...@vacation.karoshi.com said:

> > Tell me how that flies with the customers in your household...
>
>   They are freeloaders, not customers.  If they -PAID-
>   for service, then it would be a different conversation.

Time to cue up "Move it on over" by George Thorogood, 'cause that kind of
talk will leave you sleeping in the doghouse tonight. ;)




Re: FCC - with Klezmer backup

2011-09-30 Thread Charles N Wyble
On 09/30/2011 02:53 PM, bmann...@vacation.karoshi.com wrote:
> http://gcn.com/articles/2011/09/26/fcc-net-neutrality-rules-nov-20.aspx
>
> wondering who is going to publicly announce any changes prior to the 20nov 
> date.
>
> Or is this a non-issue for the Internet as we know it?  
>
> /bill
>

What does

"commercial terms of their broadband services."

mean?

Peering arrangements? Transit pricing?

-- 
Charles N Wyble char...@knownelement.com @charlesnw on twitter

http://blog.knownelement.com

Building alternative,global scale,secure, cost effective bit moving platform
for tomorrows alternate default free zone.




Re: FCC - with Klezmer backup

2011-09-30 Thread bmanning
On Fri, Sep 30, 2011 at 03:13:50PM -0500, Robert Bonomi wrote:
> 
> > Date: Fri, 30 Sep 2011 19:53:46 +
> > From: bmann...@vacation.karoshi.com
> > To: nanog@nanog.org
> > Subject: FCC - with Klezmer backup
> >
> >
> > http://gcn.com/articles/2011/09/26/fcc-net-neutrality-rules-nov-20.aspx
> >
> > wondering who is going to publicly announce any changes prior to the 
> > 20nov date.
> >
> > Or is this a non-issue for the Internet as we know it?
> 
> I suspect that anyone that was doing it hadn't made any noise about 
> _doing_ it, so they're unlikely to announce that they've _stopped_ doing
> so.  All such an announcement would accomplish is to 'confirm
> suspicions', which is (obviously) not to that provider's advantage.
> 

but there -are- reporting requirements now... :)
and a formal complaint process...

flash mobs - ready to file complaints about Ameritech?  PacBell?  GTE?

/bill



RE: Environmental monitoring options

2011-09-30 Thread Frank Bulk
There's also DPS Telecom (http://www.dpstele.com).

Frank

-Original Message-
From: eric clark [mailto:cabe...@gmail.com] 
Sent: Tuesday, September 27, 2011 9:06 AM
To: NANOG list
Subject: Environmental monitoring options

I'd like to ask the list what products people are using to monitor their
environments. By this I'm referring to datacenters, and other equipment.
Temperature, humidity, airflow, cameras, dry contacts, door sensors, leak
detection, all that sort of thing.

I've used Netbotz in the past. Looking to see what else is out there that
people like.

Thanks

E




Re: FCC - with Klezmer backup

2011-09-30 Thread Robert Bonomi

> Date: Fri, 30 Sep 2011 19:53:46 +
> From: bmann...@vacation.karoshi.com
> To: nanog@nanog.org
> Subject: FCC - with Klezmer backup
>
>
> http://gcn.com/articles/2011/09/26/fcc-net-neutrality-rules-nov-20.aspx
>
> wondering who is going to publicly announce any changes prior to the 
> 20nov date.
>
> Or is this a non-issue for the Internet as we know it?

I suspect that anyone that was doing it hadn't made any noise about 
_doing_ it, so they're unlikely to announce that they've _stopped_ doing
so.  All such an announcement would accomplish is to 'confirm
suspicions', which is (obviously) not to that provider's advantage.





Re: Synology Disk DS211J

2011-09-30 Thread Nick Olsen
It's updates, I've got a 1511+ here and at the office. It phones home to 
check for updates. I noticed this the day I got it. Blocked the dst IP and 
that was the only thing that "broke".


Nick Olsen

Network Operations
(855) FLSPEED  x106



From: "Pierre-Yves Maunier" 
Sent: Friday, September 30, 2011 8:32 AM
To: "Jones, Barry" 
Subject: Re: Synology Disk DS211J

2011/9/29 Jones, Barry 

> Hey all.
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some captures
> to look at the protocols, and noticed that the DS1511+ is making outgoing
> connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a
> regular basis. These addresses are owned by Synology and Chungwa Telecom in
> Taiwan.
>
> So far, I've not been able to find much information on their support sites,
> or Synology's wiki, but I wanted to put it out there.
>

Maybe it's for checking new firmware update availability...

-- 
Pierre-Yves Maunier
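A defender's check for the kind of regular phone-home Barry noticed, as an added example that is not from the thread or from Synology: group outbound flows by (source, destination, port) and flag those whose inter-connection intervals are nearly constant, since a timer produces a regularity that a person at a browser does not. The flow records and internal hosts are constructed; the two destination addresses are the ones Barry reported, with a 10-minute and an hourly schedule assumed purely for illustration. A flagged beacon is a prompt to look at what the device actually sends and, as Nick did, to decide whether to block it; by itself it says nothing about intent.

```python
import ipaddress
import statistics
from collections import defaultdict

# Assumed internal ranges (RFC 1918); adjust to the site.
LOCAL_NETS = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_local(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def find_beacons(flows, min_flows: int = 5, max_cv: float = 0.1):
    """flows: iterable of (epoch_seconds, src, dst, dport).

    Returns sorted (src, dst, dport, n, mean_interval_s) for outbound
    conversations seen at least min_flows times whose inter-connection gaps
    have a coefficient of variation <= max_cv, i.e. a timer, not a human.
    """
    by_key = defaultdict(list)
    for ts, src, dst, dport in flows:
        if is_local(src) and not is_local(dst):          # outbound only
            by_key[(src, dst, dport)].append(ts)
    found = []
    for key, times in by_key.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        if statistics.pstdev(gaps) / mean <= max_cv:
            found.append((*key, len(times), round(mean, 1)))
    return sorted(found)


def sample_flows():
    """Constructed flow log for a home LAN.  The two 59.124.41.x destinations
    are the addresses reported in the thread; the schedules are invented."""
    base = 1317370000                               # an epoch second on 2011-09-30
    flows = [(base + 600 * i, "192.168.1.50", "59.124.41.245", 81) for i in range(6)]
    flows += [(base + 3600 * i + j, "192.168.1.50", "59.124.41.242", 80)
              for i, j in enumerate((0, 3, 1, 5, 2))]            # hourly, small jitter
    flows += [(base + t, "192.168.1.20", "203.0.113.10", 443)
              for t in (0, 37, 1290, 1301, 4020, 4100)]           # a person browsing
    flows += [(base + 300 * i, "192.168.1.50", "192.168.1.10", 445)
              for i in range(8)]                                  # LAN-internal, ignored
    flows += [(base + 600 * i, "192.168.1.20", "198.51.100.5", 123)
              for i in range(3)]                                  # too few to judge
    return flows


if __name__ == "__main__":
    for src, dst, dport, n, every in find_beacons(sample_flows()):
        print(f"{src} -> {dst}:{dport}  {n} flows, every {every}s")
```

The thresholds are deliberately loose; NTP and update checkers will trip this too, which is the point: the output is a short list of scheduled outbound conversations to go and explain, not a verdict.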



FCC - with Klezmer backup

2011-09-30 Thread bmanning

http://gcn.com/articles/2011/09/26/fcc-net-neutrality-rules-nov-20.aspx

wondering who is going to publicly announce any changes prior to the 20nov 
date.

Or is this a non-issue for the Internet as we know it?  

/bill



Weekly Routing Table Report

2011-09-30 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG,
CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   04:00 +10GMT Sat 01 Oct, 2011

Report Website: http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary


BGP routing table entries examined:  374848
Prefixes after maximum aggregation:  168719
Deaggregation factor:  2.22
Unique aggregates announced to Internet: 185153
Total ASes present in the Internet Routing Table: 38930
Prefixes per ASN:  9.63
Origin-only ASes present in the Internet Routing Table:   32252
Origin ASes announcing only one prefix:   15477
Transit ASes present in the Internet Routing Table:5218
Transit-only ASes present in the Internet Routing Table:137
Average AS path length visible in the Internet Routing Table:   4.4
Max AS path length visible:  33
Max AS path prepend of ASN (48687)   24
Prefixes from unregistered ASNs in the Routing Table:  1474
Unregistered ASNs in the Routing Table: 802
Number of 32-bit ASNs allocated by the RIRs:   1802
Number of 32-bit ASNs visible in the Routing Table:1460
Prefixes from 32-bit ASNs in the Routing Table:3347
Special use prefixes present in the Routing Table:0
Prefixes being announced from unallocated address space:103
Number of addresses announced to Internet:   2481536768
Equivalent to 147 /8s, 233 /16s and 63 /24s
Percentage of available address space announced:   67.0
Percentage of allocated address space announced:   67.0
Percentage of available address space allocated:  100.0
Percentage of address space in use by end-sites:   91.4
Total number of prefixes smaller than registry allocations:  156962

APNIC Region Analysis Summary
-

Prefixes being announced by APNIC Region ASes:93945
Total APNIC prefixes after maximum aggregation:   30799
APNIC Deaggregation factor:3.05
Prefixes being announced from the APNIC address blocks:   90409
Unique aggregates announced from the APNIC address blocks:37945
APNIC Region origin ASes present in the Internet Routing Table:4567
APNIC Prefixes per ASN:   19.80
APNIC Region origin ASes announcing only one prefix:   1260
APNIC Region transit ASes present in the Internet Routing Table:707
Average APNIC Region AS path length visible:4.5
Max APNIC Region AS path length visible: 19
Number of APNIC region 32-bit ASNs visible in the Routing Table: 90
Number of APNIC addresses announced to Internet:  628377696
Equivalent to 37 /8s, 116 /16s and 72 /24s
Percentage of available APNIC address space announced: 79.7

APNIC AS Blocks4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
   58368-59391, 131072-132095, 132096-133119
APNIC Address Blocks 1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,
49/8,  58/8,  59/8,  60/8,  61/8, 101/8, 103/8,
   106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
   116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
   123/8, 124/8, 125/8, 126/8, 133/8, 175/8, 180/8,
   182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8,
   219/8, 220/8, 221/8, 222/8, 223/8,

ARIN Region Analysis Summary


Prefixes being announced by ARIN Region ASes:143988
Total ARIN prefixes after maximum aggregation:73994
ARIN Deaggregation factor: 1.95
Prefixes being announced from the ARIN address blocks:   116124
Unique aggregates announced from the ARIN address blocks: 47994
ARIN Region origin ASes present in the Internet Routing Table:14694
ARIN Prefixes per ASN: 7.90
ARIN Region origin ASes announcing only one prefix:5653
ARIN Region 

Re: events

2011-09-30 Thread Jeff Gehlbach

On 09/30/2011 09:50 AM, harbor235 wrote:

> Solarwinds, splunk, fwanalog, and others come to mind, any other
> good ones out there?

We've made some great strides in OpenNMS in the area of syslog event
processing.  The upcoming 1.10 release will be much easier to get
going, particularly since we now have pluggable message parsers -- you
no longer need Wireshark and a black belt in regular expressions to
start receiving events from syslog sources.  We've also made it
possible to split the syslog rules across multiple files, which makes
maintaining your own rules much easier compared to the old monolithic
style.

It's still not going to be Splunk-easy to configure, but it's now
darned close to Netcool OMNIbus syslogd probe-easy.  Plus you get
pretty JasperReports reports based on your events like this one (or
roll your own):

http://opennms.org/~jeffg/event-analysis-sample.pdf

Also flexible event notifications, event de-duplication, and SNMP trap
handling as well as service-assurance polling, performance data
collection via SNMP, HTTP, WMI, SQL/JDBC, and other protocols.

Oh yeah, it's 100% free / libre / open source software.  And you can
get support for it from my employer.

PR hat off,
- -jeff
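A minimal version of the syslog-to-event pipeline Jeff describes (parse, de-duplicate, raise alerts by severity), as an added Python example rather than OpenNMS code: it decodes the RFC 3164 PRI field into facility and severity, collapses repeated identical messages into one event with a count, and picks out everything at severity err or worse. The log lines are constructed (RFC 5737 addresses) in the Cisco and Unix shapes most collectors have to cope with.

```python
import re
from collections import OrderedDict

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5",
              "local6", "local7"]

# <PRI>TIMESTAMP HOST TAG[PID]: MSG  (RFC 3164 BSD syslog as most gear emits it)
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$")


def parse_line(line: str):
    """Return an event dict, or None for anything that is not syslog-shaped."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:                        # facility 0-23, severity 0-7
        return None
    return {"facility": FACILITIES[pri >> 3], "severity": SEVERITIES[pri & 7],
            "severity_num": pri & 7, "timestamp": m["ts"], "host": m["host"],
            "tag": m["tag"], "pid": m["pid"], "msg": m["msg"]}


def dedupe(events):
    """Collapse events with identical (host, tag, msg): keep the first, count the rest."""
    seen = OrderedDict()
    for ev in events:
        key = (ev["host"], ev["tag"], ev["msg"])
        if key in seen:
            seen[key]["count"] += 1
            seen[key]["last"] = ev["timestamp"]
        else:
            seen[key] = dict(ev, count=1, last=ev["timestamp"])
    return list(seen.values())


def alerts(events, max_severity: int = 3):
    """Everything at 'err' or worse (lower number = more severe)."""
    return [e for e in events if e["severity_num"] <= max_severity]


def process(text: str) -> dict:
    lines = [l for l in text.splitlines() if l.strip()]
    parsed = [parse_line(l) for l in lines]
    events = [e for e in parsed if e]
    unique = dedupe(events)
    return {"parsed": len(events), "unparsed": parsed.count(None),
            "unique": unique, "alerts": alerts(unique)}


# Constructed sample feed: Cisco-style router lines and Unix daemon lines.
SAMPLE = """\
<189>Sep 30 09:50:01 rtr1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent
<187>Sep 30 09:50:02 rtr1 %BGP-3-NOTIFICATION: sent to neighbor 192.0.2.1 4/0 (hold time expired) 0 bytes
<38>Sep 30 09:50:03 bastion sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
<38>Sep 30 09:50:04 bastion sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
<38>Sep 30 09:50:05 bastion sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 51234 ssh2
<34>Sep 30 09:50:06 bastion sshd[2011]: pam_unix(sshd:auth): authentication failure; rhost=198.51.100.7
this line is not syslog at all
<30>Sep 30 09:50:07 nas1 synoupdate: checking for update
"""

if __name__ == "__main__":
    r = process(SAMPLE)
    for ev in r["unique"]:
        print(f'{ev["host"]:8} {ev["facility"]}.{ev["severity"]:8} x{ev["count"]} '
              f'{ev["tag"]}: {ev["msg"]}')
```

Unparsable lines are counted rather than silently dropped, which is the first thing to watch when a new device type is pointed at the collector.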



Re: events

2011-09-30 Thread Ukpong Ukpong
Have you tried qradar? It's rather good



On 30 Sep 2011, at 19:21, Jason Lixfeld  wrote:

> On 2011-09-30, at 2:13 PM, Brandon Kim wrote:
>
>> I've been happy with my basic ManageEngine's syslog, but I may be looking at 
>> Solarwinds too...
>
> I've just installed the Splunk eval myself, but I'm curious about your 
> ManageEngine experiences.  I don't have any interest in using ManageEngine as 
> an NMS; I have a couple of tools that I use for that already.  Can you use 
> ManageEngine's syslog without having to set it up to monitor all of your 
> devices first?  Have you looked at the TRAP support in ManageEngine?



RE: events

2011-09-30 Thread Stephens, Josh
I'm obviously biased as I'm the Head Geek here at SolarWinds but if you need 
any help or guidance with our products feel free to ping me off list.

Josh

-Original Message-
From: Brandon Kim [mailto:brandon@brandontek.com] 
Sent: Friday, September 30, 2011 1:14 PM
To: mlof...@wgops.com
Cc: nanog group
Subject: RE: events


Thank you! That's a bummer about the way they license their product.

All it takes is another "splunk" company to come out with something just as 
competitive

I've been happy with my basic ManageEngine's syslog, but I may be looking at 
Solarwinds too...



> Date: Fri, 30 Sep 2011 11:36:58 -0600
> Subject: Re: events
> From: mlof...@wgops.com
> To: brandon@brandontek.com
> CC: pfu...@gmail.com; harbor...@gmail.com; nanog@nanog.org
> 
> On Fri, Sep 30, 2011 at 11:21 AM, Brandon Kim
>  wrote:
> >
> > Is it really that expensive, and WORTH the expense?
> 
> IMO, from price quotes I've gotten in the past, it's astronomically
> expensive.  As for worth it...depends.  If you're dealing with events
> for say payment processing systems, it might be.  But as a general use
> tool, it's way outside of being worth it.  You license based on the
> incoming bytes of logging data.  But you still have to buy the
> hardware to process it.  They also expect you to pay for that license
> time and time again.
  



Re: Synology Disk DS211J

2011-09-30 Thread Doug Barton
On 09/30/2011 06:13, Jay Ashworth wrote:
> "not everyone's a geek"

Right!


Doug (wait, what?!?)

-- 

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.  :)  http://SupersetSolutions.com/




Re: events

2011-09-30 Thread Jason Lixfeld
On 2011-09-30, at 2:13 PM, Brandon Kim wrote:

> I've been happy with my basic ManageEngine's syslog, but I may be looking at 
> Solarwinds too...

I've just installed the Splunk eval myself, but I'm curious about your 
ManageEngine experiences.  I don't have any interest in using ManageEngine as 
an NMS; I have a couple of tools that I use for that already.  Can you use 
ManageEngine's syslog without having to set it up to monitor all of your 
devices first?  Have you looked at the TRAP support in ManageEngine?


RE: events

2011-09-30 Thread Brandon Kim

Thank you! That's a bummer about the way they license their product.

All it takes is another "splunk" company to come out with something just as 
competitive

I've been happy with my basic ManageEngine's syslog, but I may be looking at 
Solarwinds too...



> Date: Fri, 30 Sep 2011 11:36:58 -0600
> Subject: Re: events
> From: mlof...@wgops.com
> To: brandon@brandontek.com
> CC: pfu...@gmail.com; harbor...@gmail.com; nanog@nanog.org
> 
> On Fri, Sep 30, 2011 at 11:21 AM, Brandon Kim
>  wrote:
> >
> > Is it really that expensive, and WORTH the expense?
> 
> IMO, from price quotes I've gotten in the past, it's astronomically
> expensive.  As for worth it...depends.  If you're dealing with events
> for say payment processing systems, it might be.  But as a general use
> tool, it's way outside of being worth it.  You license based on the
> incoming bytes of logging data.  But you still have to buy the
> hardware to process it.  They also expect you to pay for that license
> time and time again.
  

Re: events

2011-09-30 Thread Michael Loftis
On Fri, Sep 30, 2011 at 11:21 AM, Brandon Kim
 wrote:
>
> Is it really that expensive, and WORTH the expense?

IMO, from price quotes I've gotten in the past, it's astronomically
expensive.  As for worth it...depends.  If you're dealing with events
for say payment processing systems, it might be.  But as a general use
tool, it's way outside of being worth it.  You license based on the
incoming bytes of logging data.  But you still have to buy the
hardware to process it.  They also expect you to pay for that license
time and time again.



Re: events

2011-09-30 Thread Rafael Rodriguez
Use Splunk here.

Cheers,
RR

On Fri, Sep 30, 2011 at 9:50 AM, harbor235  wrote:

> What is everyone using to collect, alert, and analyze syslog data?
> I am looking for something that can generate reports as well as support
> multiple vendors. We have done some home grown stuff in the past but
> would be interested in something that incorporates all the best features.
>
> Solarwinds, splunk, fwanalog, and others come to mind, any other good ones
> out there?
>
>
> Mike
>


RE: events

2011-09-30 Thread Brandon Kim

Is it really that expensive, and WORTH the expense?




> Date: Fri, 30 Sep 2011 10:37:22 -0600
> Subject: Re: events
> From: pfu...@gmail.com
> To: harbor...@gmail.com
> CC: nanog@nanog.org
> 
> We use splunk works ok except with the amount of text data you can
> process with it (depends on license).
> 
> -B
> 
> On Fri, Sep 30, 2011 at 7:50 AM, harbor235  wrote:
> > What is everyone using to collect, alert, and analyze syslog data?
> > I am looking for something that can generate reports as well as support
> > multiple vendors. We have done some home grown stuff in the past but
> > would be interested in something that incorporates all the best features.
> >
> > Solarwinds, splunk, fwanalog, and others come to mind, any other good ones
> > out there?
> >
> >
> > Mike
> >
> 
> 
> 
> -- 
> ()  ascii ribbon campaign - against html e-mail
> /\  www.asciiribbon.org   - against proprietary attachments
> 
> Disclaimer:
> http://goldmark.org/jeff/stupid-disclaimers/
> 
  

Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Christopher Morrow
On Fri, Sep 30, 2011 at 12:38 PM, Nick Hilliard  wrote:
> On 30/09/2011 17:30, Christopher Morrow wrote:
>> traceroute is really an example of 'packet expired, send
>> unreachable'... that, today is basically:
>>   o grab 64bytes of header (or something similar)
>>   o shove that in a payload
>>   o use the src as the dst
>>   o stick my src on
>>   o set icmp
>>   o crc and fire
>>
>> there's not really any need to do this in the slow path, is there?
>
> there are unconfirmed rumours that icmp ping and traceroute are handled by
> hardware on the asr1k.  I don't know if they are true.   But you're right -

some platforms do some/all of this in hardware, yes. (I forget the matrix)

> it would be good to support this without resorting to hammering the routing
> engine.  I don't really like the idea of punters running traceroutes
> reducing my bgp convergence time.

this is exactly why punting anything NOT management and/or
routing-protocols should be banned. Thanks for making that point
explicitly.

-chris



Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Nick Hilliard
On 30/09/2011 17:30, Christopher Morrow wrote:
> traceroute is really an example of 'packet expired, send
> unreachable'... that, today is basically:
>   o grab 64bytes of header (or something similar)
>   o shove that in a payload
>   o use the src as the dst
>   o stick my src on
>   o set icmp
>   o crc and fire
> 
> there's not really any need to do this in the slow path, is there?

there are unconfirmed rumours that icmp ping and traceroute are handled by
hardware on the asr1k.  I don't know if they are true.   But you're right -
it would be good to support this without resorting to hammering the routing
engine.  I don't really like the idea of punters running traceroutes
reducing my bgp convergence time.

Nick




Re: events

2011-09-30 Thread Beavis
We use splunk works ok except with the amount of text data you can
process with it (depends on license).

-B

On Fri, Sep 30, 2011 at 7:50 AM, harbor235  wrote:
> What is everyone using to collect, alert, and analyze syslog data?
> I am looking for something that can generate reports as well as support
> multiple vendors. We have done some home grown stuff in the past but
> would be interested in something that incorporates all the best features.
>
> Solarwinds, splunk, fwanalog, and others come to mind, any other good ones
> out there?
>
>
> Mike
>



-- 
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Disclaimer:
http://goldmark.org/jeff/stupid-disclaimers/



Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Christopher Morrow
On Fri, Sep 30, 2011 at 12:00 PM, Nick Hilliard  wrote:
> Of course, if you wanted a 10g capable service provider router and didn't
> want an asr9k, they were pushing the 7600 because the 6500 is a switch and
> the 7600 is a router and the two are totally different, no really you've
> gotta believe it.  But at least the rsp720 could handle ipv6 fragments better.
>

if I turn my head to the side I can almost believe you.



Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Christopher Morrow
On Fri, Sep 30, 2011 at 11:24 AM, Nick Hilliard  wrote:
> On 30/09/2011 15:45, Christopher Morrow wrote:
>> traceroute could certainly be handled in the fastpath.
>
> which traceroute?  icmp?  udp?  tcp?  Traceroute is not a single protocol.
>

traceroute is really an example of 'packet expired, send
unreachable'... that, today is basically:
  o grab 64bytes of header (or something similar)
  o shove that in a payload
  o use the src as the dst
  o stick my src on
  o set icmp
  o crc and fire

there's not really any need to do this in the slow path, is there?
-chris
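The TTL-expired path Chris sketches above, written out as a worked example (added here; not code from the thread or from any vendor): build the ICMP Time Exceeded that a router returns for an expired IPv4 datagram, then parse and checksum-verify it the way the traceroute sender does. The probe packet and addresses are constructed (RFC 5737 documentation ranges). RFC 792 requires the original IP header plus 8 bytes in the quote and RFC 1812 allows the quote to grow up to a 576-byte ICMP datagram, so the "64 bytes or something similar" in the post sits between the two.

```python
import struct
import ipaddress


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a
    header or message whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int, ident: int = 0x1234) -> bytes:
    """Plain 20-byte IPv4 header (no options) with the checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s",
                      (4 << 4) | 5, 0, 20 + payload_len, ident, 0,
                      ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_time_exceeded(router_ip: str, expired: bytes, quote_len: int = 64) -> bytes:
    """ICMP type 11 code 0 for an IPv4 datagram whose TTL hit zero here.

    Same steps as the post: take the leading bytes of the expired packet as
    the quote, wrap them in an ICMP header, address the reply to the original
    source from our own address, checksum, done.  RFC 792 requires at least
    the IP header + 8 bytes, so quote_len is only ever rounded up.
    """
    ihl = (expired[0] & 0x0F) * 4
    orig_src = str(ipaddress.IPv4Address(expired[12:16]))
    quote = expired[:max(ihl + 8, min(quote_len, len(expired)))]
    icmp = struct.pack("!BBHI", 11, 0, 0, 0) + quote      # type, code, csum, unused
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4_header(router_ip, orig_src, 1, len(icmp), ttl=64) + icmp


def parse_icmp_error(pkt: bytes) -> dict:
    """Decode an ICMP error and the quoted datagram; the receiving host uses
    the quoted ports to match the error to the probe it sent."""
    ihl = (pkt[0] & 0x0F) * 4
    icmp = pkt[ihl:]
    itype, code = struct.unpack("!BB", icmp[:2])
    quoted = icmp[8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    q_sport, q_dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return {
        "src": str(ipaddress.IPv4Address(pkt[12:16])),
        "dst": str(ipaddress.IPv4Address(pkt[16:20])),
        "type": itype, "code": code,
        "ip_checksum_ok": inet_checksum(pkt[:ihl]) == 0,
        "icmp_checksum_ok": inet_checksum(icmp) == 0,
        "quoted_src": str(ipaddress.IPv4Address(quoted[12:16])),
        "quoted_dst": str(ipaddress.IPv4Address(quoted[16:20])),
        "quoted_sport": q_sport, "quoted_dport": q_dport,
    }


def sample_probe() -> bytes:
    """Constructed traceroute-style UDP probe (RFC 5737 addresses) as it
    looks after this router has decremented its TTL to 0."""
    udp = struct.pack("!HHHH", 40000, 33435, 8 + 32, 0) + b"\x00" * 32
    return build_ipv4_header("192.0.2.10", "203.0.113.5", 17, len(udp), ttl=0) + udp


if __name__ == "__main__":
    reply = build_time_exceeded("198.51.100.1", sample_probe())
    print(parse_icmp_error(reply))
```

Everything here is a fixed-offset copy, two checksums and an address swap, which is why the post argues it belongs in the forwarding path; the operational reason it still gets policed is that the sender of the expired packet, not the router, chooses how many of these the router has to generate.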



Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Nick Hilliard
On 30/09/2011 16:38, Mohacsi Janos wrote:
> They are pushing sup2T - however more for enterprise ip layer (6500 series).

they are now, yes.  But until the sup2t started becoming available a couple
of weeks ago the only option for the 6500 was a sup720.  You're right that
this was only pushed on the enterprise market.

Of course, if you wanted a 10g capable service provider router and didn't
want an asr9k, they were pushing the 7600 because the 6500 is a switch and
the 7600 is a router and the two are totally different, no really you've
gotta believe it.  But at least the rsp720 could handle ipv6 fragments better.

Nick




RE: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Vinny_Abello
Path MTU discovery would also break... oh wait, that's usually broken anyway.

-Vinny

-Original Message-
From: Saku Ytti [mailto:s...@ytti.fi] 
Sent: Friday, September 30, 2011 10:27 AM
To: nanog@nanog.org
Subject: Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

On (2011-09-30 10:09 -0400), Christopher Morrow wrote:

> a switch to be used that stops processing this sort of thing, in an
> internet core (and honestly most enterprise core) routers, all I want
> is packet-in/packet-out. there's no need for anything else, stop
> trying to send line-rate packets to the cpu.

This would break e.g. RSVP. For some instances dropping all of them in hardware
is an option, for other instances ignoring and forwarding without understanding
is ok, but in some situations you simply must punt.

> no. all you need is a default 'do not process these, just fwd them'
> switch. (or, a switch at any rate that the operator can select one way
> or the other, they SHOULD know what is the best for their deployment).

It would also break L4 ACLs under certain situations, as well as RSVP as already
explained. And probably issues I'm not aware of. Unsure if blind forwarding is
the best option. I'm all for giving operators options, but calling it stupid
that vendors punt something is misguided.

> I really think zero limit is the right limit... (for a large number of
> deployments)

Traceroute would also break. Unpoliced punting certainly is extremely unwise,
but punting at a level that does not introduce significant CPU load should be
the safest default.


-- 
  ++ytti




Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Mohacsi Janos




On Fri, 30 Sep 2011, Nick Hilliard wrote:

> On 30/09/2011 15:45, Christopher Morrow wrote:
>> traceroute could certainly be handled in the fastpath.
>
> which traceroute?  icmp?  udp?  tcp?  Traceroute is not a single protocol.
>
>> what is that limit? from a single port? from a single linecard? from a
>> chassis? how about we remove complexity here and just deal with this
>> in the fastpath?
>
> on a pfc3, the mls rate limiters deal with handling all punts from the
> chassis to the RP.  It's difficult to handle this in any other way.
>
>> My point in calling this all 'stupid' is that by now we all have been
>> burned by this sort of behavior, vendors have heard from all of us
>> that 'this is really not a good answer', enough is enough please stop
>> doing this.
>
> "This is a Hard Problem".  There is a balance to be drawn between hardware
> complexity, cost and lifecycle.  In the case of the PFC3, we're talking
> about hardware which was released in 2000 - 11 years ago.  The ipv6
> fragment punting problem was fixed in the pfc3c, which was released in
> 2003.  I'm aware that cisco is still selling the pfc3b, but they really
> only push the rsp720 for internet stuff (if they're pushing the 6500/7600
> line at all).

They are pushing sup2T - however more for enterprise ip layer (6500 
series).

Regards,
Janos Mohacsi




Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Nick Hilliard
On 30/09/2011 15:45, Christopher Morrow wrote:
> traceroute could certainly be handled in the fastpath.

which traceroute?  icmp?  udp?  tcp?  Traceroute is not a single protocol.

> what is that limit? from a single port? from a single linecard? from a
> chassis? how about we remove complexity here and just deal with this
> in the fastpath?

on a pfc3, the mls rate limiters deal with handling all punts from the
chassis to the RP.  It's difficult to handle this in any other way.

> My point in calling this all 'stupid' is that by now we all have been
> burned by this sort of behavior, vendors have heard from all of us
> that 'this is really not a good answer', enough is enough please stop
> doing this.

"This is a Hard Problem".  There is a balance to be drawn between hardware
complexity, cost and lifecycle.  In the case of the PFC3, we're talking
about hardware which was released in 2000 - 11 years ago.  The ipv6
fragment punting problem was fixed in the pfc3c, which was released in
2003.  I'm aware that cisco is still selling the pfc3b, but they really
only push the rsp720 for internet stuff (if they're pushing the 6500/7600
line at all).

Nick




Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Saku Ytti
On (2011-09-30 10:45 -0400), Christopher Morrow wrote:

> after this long, yes... this is just dumb, there's no reason that the
> default should be punt. There are cases (you've brought up a few)
> where it's required today because of design limitations, there really
> shouldn't be cases like this anymore. this isn't our first rodeo,
> 'lessons learned' and all that...

Certainly possible, but will you pay the premium? I won't. To implement IPv6
according to the standard your lookup engine needs to have an MTU-wide view, so up
to 65kB. The most common view today is probably 64B and the highest I know of is 256B.
And for the corner cases where this isn't enough, I'm happy to handle it in
software, rather than pay a premium to do it all in hardware.

> traceroute could certainly be handled in the fastpath.

Yup. But again, who would pay for this? I cannot be DoSed by TTL exceeds as
there is a sufficient protection mechanism in my hardware. So I would not pay a
premium for this feature.

> what is that limit? from a single port? from a single linecard? from a
> chassis? how about we remove complexity here and just deal with this
> in the fastpath?

It would increase cost and complexity greatly. If I could get it for free, then
I would take it, but I have a lot more important things I want router vendors to fix
first. What I do wish vendors would do is test boxes with attack vectors and implement
sane defaults (IOS-XR is relatively good in this respect, or maybe it just
looks that way as the rest of them are really bad with their defaults).

Very recently I had a chat with a GSR owner who was happy about how GSR/IOS is a solid
DDoS-resistant platform, while actually it is impossible to protect GSR/IOS (outside
iACL) as none of the protections (rACL/CoPP) are implemented in hardware. 7600
is reasonably good for its age in this matter.
But even modern examples, like MX80, completely fail with defaults. Killed an MX80
in the lab with a bit over 5Mbps of IP options. Protection is quite easy but still
most people do not do it, so vendors really should ship boxes with saner
defaults.

-- 
  ++ytti
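The "protection is quite easy" point above, and the per-class versus unpoliced punting trade-off argued through this thread, as an added simulation (not code from the thread, nor any vendor's rate-limiter or CoPP implementation): packets the forwarding hardware cannot handle are classified by punt reason and run through token-bucket policers before they reach the route processor. The packet stream, class names and policy table are constructed assumptions; a zero-rate class models Chris's "zero limit" (drop in hardware rather than punt), and the `shared` mode models a box whose single CPU queue has no per-class policing, which is the configuration the MX80 anecdote describes.

```python
import random
from collections import Counter


class TokenBucket:
    """Packets-per-second policer.  rate 0 / burst 0 models 'never punt'."""

    def __init__(self, rate_pps: float, burst: int):
        self.rate, self.burst = rate_pps, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def classify(pkt: dict) -> str:
    """Why the forwarding ASIC would punt this packet, or 'transit' if it
    can be switched in hardware.  Packet dicts are a constructed abstraction."""
    if pkt.get("ip_options"):
        return "ip-options"
    if pkt.get("ipv6_frag"):
        return "ipv6-frag"
    if pkt.get("to_router") and pkt["proto"] == "tcp" and pkt["dport"] == 179:
        return "bgp"
    if pkt["ttl"] <= 1:              # would expire on forwarding: ICMP time exceeded
        return "ttl-exceeded"
    return "transit"


def police_punts(stream, policy, shared=None):
    """Run a (time, packet) stream through the punt path.

    policy: {class: (rate_pps, burst)} gives each punt reason its own bucket,
    the way rACL/CoPP or the PFC3 mls rate limiters do.  shared=(rate, burst)
    instead funnels every punt through one bucket, i.e. one CPU queue with
    no per-class policing.
    """
    per_class = {cls: TokenBucket(*cfg) for cls, cfg in policy.items()}
    one = TokenBucket(*shared) if shared else None
    delivered, dropped = Counter(), Counter()
    for t, pkt in stream:
        cls = classify(pkt)
        if cls == "transit":
            delivered[cls] += 1      # forwarded in hardware, never touches the RP
            continue
        bucket = one if one is not None else per_class[cls]
        if bucket.allow(t):
            delivered[cls] += 1
        else:
            dropped[cls] += 1
    return delivered, dropped


# Assumed policy: routing protocol generous, traceroute modest, options
# heavily policed, IPv6 fragments never punted (rate 0 = the "zero limit").
POLICY = {
    "bgp": (1000, 100),
    "ttl-exceeded": (100, 20),
    "ip-options": (50, 10),
    "ipv6-frag": (0, 0),
}


def sample_stream(seed: int = 1):
    """Constructed one-second stream: 200 BGP packets, 50 traceroute expiries,
    30 IPv6 fragments, 5000 ordinary transit packets and a 20 kpps flood of
    packets carrying IP options."""
    rng = random.Random(seed)
    pkts = [(i / 200, {"proto": "tcp", "dport": 179, "ttl": 1, "to_router": True})
            for i in range(200)]
    pkts += [(i / 50, {"proto": "udp", "dport": 33434 + i, "ttl": 1}) for i in range(50)]
    pkts += [(rng.random(), {"proto": "udp", "dport": 53, "ttl": 64, "ipv6_frag": True})
             for _ in range(30)]
    pkts += [(rng.random(), {"proto": "tcp", "dport": 443, "ttl": 64}) for _ in range(5000)]
    pkts += [(rng.random(), {"proto": "udp", "dport": 9, "ttl": 64, "ip_options": True})
             for _ in range(20000)]
    pkts.sort(key=lambda x: x[0])
    return pkts


if __name__ == "__main__":
    print("per-class:", police_punts(sample_stream(), POLICY))
    print("shared   :", police_punts(sample_stream(), POLICY, shared=(1000, 100)))
```

With per-class buckets every BGP packet reaches the RP and the options flood is clipped to a few dozen packets per second; with one shared bucket the flood eats almost all of the CPU budget and most BGP packets are dropped on the way to the RP, which is the convergence-time failure Nick and Saku are worried about.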



Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Christopher Morrow
On Fri, Sep 30, 2011 at 10:26 AM, Saku Ytti  wrote:
> explained. And probably issues I'm not aware of. Unsure if blind forwarding is
> best option. But I'm all for giving operator options, but calling it stupid
> that vendors punt something is misguided.

after this long, yes... this is just dumb, there's no reason that the
default should be punt. There are cases (you've brought up a few)
where it's required today because of design limitations, there really
shouldn't be cases like this anymore. this isn't our first rodeo,
'lessons learned' and all that...

>
>> I really think zero limit is the right limit... (for a large number of
>> deployments)
>
> Traceroute would also break. Unpoliced punting certainly is extremely unwise,

traceroute could certainly be handled in the fastpath.

> but punting to a level that does not introduce significant CPU load, should be
> safest default.

what is that limit? from a single port? from a single linecard? from a
chassis? how about we remove complexity here and just deal with this
in the fastpath?

My point in calling this all 'stupid' is that by now we all have been
burned by this sort of behavior, vendors have heard from all of us
that 'this is really not a good answer', enough is enough please stop
doing this.

-chris



Re: Synology Disk DS211J

2011-09-30 Thread Leo Bicknell
In a message written on Fri, Sep 30, 2011 at 01:56:42PM +, Blake T. 
Pfankuch wrote:
> Personally I run 8 separate networks (some with multiple routed subnets).  
> Wireless data, management network, voice networks, game consoles, storage, 
> internal servers, DMZ servers and Project network.  Only reason why there is 
> no "end user" network is that there are no wired drops anywhere in the house, 
> so that falls under the wireless data. That network gets internet access and 
> connectivity to file sharing off the internal servers and all internet 
> traffic runs through Anti-Virus/Anti-Spyware before going outbound and 
> inbound.

You've inspired me to go invest in Alcoa stock.  NYSE AA for anyone
else interested.  The tin-foil demand in this thread alone must
have them running an extra shift. :)

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/




Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Saku Ytti
On (2011-09-30 10:09 -0400), Christopher Morrow wrote:

> a switch to be used that stops processing this sort of thing, in an
> internet core (and honestly most enterprise core) routers, all I want
> is packet-in/packet-out. there's no need for anything else, stop
> trying to send line-rate packets to the cpu.

This would break e.g. RSVP. For some instances dropping all of them in hardware
is an option, for other instances ignoring and forwarding without understanding
is ok, but in some situations you simply must punt.

> no. all you need is a default 'do not process these, just fwd them'
> switch. (or, a switch at any rate that the operator can select one way
> or the other, they SHOULD know what is the best for their deployment).

It would also break L4 ACL under certain situations, as well as RSVP as already
explained. And probably issues I'm not aware of. Unsure if blind forwarding is
the best option. I'm all for giving operators options, but calling it stupid
that vendors punt something is misguided.

> I really think zero limit is the right limit... (for a large number of
> deployments)

Traceroute would also break. Unpoliced punting certainly is extremely unwise,
but punting to a level that does not introduce significant CPU load should be
the safest default.


-- 
  ++ytti



Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Christopher Morrow
On Fri, Sep 30, 2011 at 6:02 AM, Saku Ytti  wrote:
> On (2011-09-30 01:55 -0400), Christopher Morrow wrote:
>
>> when will vendors learn that punting to the RE/RP/smarts for packets
>> in the fastpath is ... not just 'unwise' but wholesale stupid? :(
>
> What to do with IP options or IPv6 hop-by-hop options? What to do with IPv6
> packets which contain options which push TCP/UDP past your lookup view?

a switch to be used that stops processing this sort of thing, in an
internet core (and honestly most enterprise core) routers, all I want
is packet-in/packet-out. there's no need for anything else, stop
trying to send line-rate packets to the cpu.

> Punting transit is not only not stupid but also necessary in hardware routers
> which cannot handle every case in hardware (which is all routers).

no. all you need is a default 'do not process these, just fwd them'
switch. (or, a switch at any rate that the operator can select one way
or the other, they SHOULD know what is the best for their deployment).

> There should just be an adequate way to limit these and there should exist a
> default limitation.

I really think zero limit is the right limit... (for a large number of
deployments)



RE: events

2011-09-30 Thread Brandon Kim

I've been testing ManageEngine's Syslog application. It works pretty well so
far; I haven't really hammered it with a lot of devices.

Splunk is supposed to be king of the hill I hear, but so is their pricing.





> Date: Fri, 30 Sep 2011 09:50:29 -0400
> Subject: events
> From: harbor...@gmail.com
> To: nanog@nanog.org
> 
> What is everyone using to collect, alert, and analyze syslog data?
> I am looking for something that can generate reports as well as support
> multiple vendors. We have done some home grown stuff in the past but
> would be interested in something that incorporates all the best features.
> 
> Solarwinds, splunk, fwanalog, and others come to mind, any other good ones
> out there?
> 
> 
> Mike
  

RE: Synology Disk DS211J

2011-09-30 Thread Blake T. Pfankuch
The easy way around the unhappy significant other/minion-shaped offspring 
problem is to put all of the "end user" devices on a separate VLAN, and then 
treat that as an open DMZ.  Then put everything operational (ironic in a home) on 
your secured production network (restrict all outbound/inbound except what is 
needed).  If you really want to complicate it you should even put your wireless 
into a separate VLAN as well, and secure it as appropriate.  Gives you the 
ability to firewall between networks, thus making sure that when your minions 
eventually get something nasty going on the PC they use, it doesn't spread 
through the rest of the network.  Also means you can deploy some form of 
content filtering policies through various solutions to prevent your minions 
from discovering the sites running on the most recent TLD addition.  

This assumes that most people reading this email have the ability to run 
multiple routed subnets behind their home firewall.  Be it a layer 3 switch 
with ACL's or multiple physical interfaces and the ability to have them act 
independently.  

Personally I run 8 separate networks (some with multiple routed subnets).  
Wireless data, management network, voice networks, game consoles, storage, 
internal servers, DMZ servers and Project network.  Only reason why there is no 
"end user" network is that there are no wired drops anywhere in the house, so 
that falls under the wireless data. That network gets internet access and 
connectivity to file sharing off the internal servers and all internet traffic 
runs through Anti-Virus/Anti-Spyware before going outbound and inbound.

Blake

-Original Message-
From: Matthew Palmer [mailto:mpal...@hezmatt.org] 
Sent: Friday, September 30, 2011 12:19 AM
To: nanog@nanog.org
Subject: Re: Synology Disk DS211J

On Thu, Sep 29, 2011 at 07:10:10PM -0700, Joel jaeggli wrote:
> On 9/29/11 17:46 , Robert Bonomi wrote:
> >> From: Nathan Eisenberg 
> >> Subject: RE: Synology Disk DS211J
> >> Date: Thu, 29 Sep 2011 21:58:23 +
> >>
> >>> And this is why the prudent home admin runs a firewall device he 
> >>> or she can trust, and has a "default deny" rule in place even for 
> >>> outgoing connections.
> >>>
> >>> - Matt
> >>>
> >>>
> >>
> >> The prudent home admin has a default deny rule for outgoing HTTP to 
> >> port 80?  I doubt it.
> >>
> > 
> > No, the prudent and knowledgeable home admin does not have a 
> > default deny rule just for outgoing HTTP to port 80.
> > 
> > He has a default deny rule for _everything_.  Every internal source 
> > address, and every destination port.  Then he pokes holes in that 'deny 
> > everything' for specific machines to make the kinds of external 
> > connections that _they_ need to make.
> 
> Tell me how that flies with the customers in your household...

Perfectly fine.  My users know not to go plugging random devices in, and I 
properly configure the firewall to account for all legitimate traffic before 
the device is commissioned.

- Matt
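
The "default deny for everything, then poke holes per machine" policy argued for
above is easy to state and easy to get wrong, so here is an added example (not
from the thread, and not any firewall's own code) that evaluates such a policy
against constructed flows and lists what the default deny would block. Only the
NAS destinations (59.124.41.242 port 80; 59.124.41.245 ports 81 and 89) come from
the thread; the VLAN numbering, internal addresses and rule set are assumptions.

```python
"""Added example, not from the thread: a default-deny egress policy evaluated
against constructed flows, in the spirit of "deny everything, then poke holes
per machine". The NAS destination addresses/ports are taken from the thread;
every other address and the rule set itself are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR of the internal source(s) allowed out
    dst: str        # CIDR of the permitted destination(s)
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    action: str = "allow"


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


# Holes poked into the default deny; first match wins, so keep the list short and ordered.
RULES = [
    Rule("dns-from-resolver-only", "192.168.1.1/32", "0.0.0.0/0", "udp", 53),
    Rule("web-from-user-vlan", "192.168.20.0/24", "0.0.0.0/0", "tcp", 80),
    Rule("tls-from-user-vlan", "192.168.20.0/24", "0.0.0.0/0", "tcp", 443),
    Rule("ntp-from-storage-vlan", "192.168.30.0/24", "0.0.0.0/0", "udp", 123),
]
DEFAULT = "deny"


def evaluate(rules, src: str, dst: str, proto: str, dport: int):
    """Return (action, rule_name); rule_name is None when the default applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.proto == proto and r.dport == dport and s in _net(r.src) and d in _net(r.dst):
            return r.action, r.name
    return DEFAULT, None


def audit(rules, flows):
    """Return the flows the default deny would block. Review this list before
    deciding whether a hole is warranted rather than widening rules blindly."""
    return [f for f in flows if evaluate(rules, *f)[0] == "deny"]


# Constructed flows: (src, dst, proto, dport). The NAS is assumed to sit on the storage VLAN.
FLOWS = [
    ("192.168.20.15", "198.51.100.20", "tcp", 443),     # user laptop, TLS: allowed
    ("192.168.30.10", "59.124.41.242", "tcp", 80),      # NAS -> Synology (www), from the thread
    ("192.168.30.10", "59.124.41.245", "tcp", 81),      # NAS -> Synology port 81, from the thread
    ("192.168.30.10", "59.124.41.245", "tcp", 89),      # NAS -> Synology port 89, from the thread
    ("192.168.30.10", "192.0.2.123", "udp", 123),       # NAS -> NTP: allowed
    ("192.168.20.15", "198.51.100.53", "udp", 53),      # laptop bypassing the local resolver: blocked
]
```

Running audit(RULES, FLOWS) surfaces the three NAS call-home connections and the
resolver bypass; the point of the exercise is that the NAS traffic shows up as a
decision to make rather than as something discovered later in a packet capture.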





Re: events

2011-09-30 Thread Harry Hoffman
It's a bit old but still works well. Russel Fulton and I worked on this 
when I was down in NZ.


You still need to run syslog-ng but this allows you to ignore, warn, 
alert on logs via regex.



http://www.ip-solutions.net/syslog-ng/


Cheers,
Harry



On 09/30/2011 09:50 AM, harbor235 wrote:

What is everyone using to collect, alert, and analyze syslog data?
I am looking for something that can generate reports as well as support
multiple vendors. We have done some home grown stuff in the past but
would be interested in something that incorporates all the best features.

Solarwinds, splunk, fwanalog, and others come to mind, any other good ones
out there?


Mike
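
The ignore/warn/alert-by-regex approach Harry describes is simple enough to show
in full. The Python below is an added example, not the ip-solutions.net tool or
anything else from the thread: it parses RFC 3164-style syslog lines, applies an
ordered rule list where the first match wins and unknown messages default to
"warn" rather than disappearing, and adds one aggregation (failed logins per
source over the batch). The IOS-style log lines and the rule set are constructed
for illustration.

```python
"""Added example, not from the thread or from the ip-solutions.net tool:
regex-driven ignore/warn/alert triage of syslog lines plus a failed-login
threshold. Log lines below are constructed in IOS-style syslog format."""
import re
from collections import Counter

SYSLOG_LINE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"                          # optional PRI as relays write it
    r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) "   # RFC 3164 timestamp
    r"(?P<host>\S+) (?P<msg>.*)$"
)

# First match wins; an ordered list keeps the policy auditable.
RULES = [
    ("ignore", re.compile(r"%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback")),
    ("alert",  re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED")),
    ("warn",   re.compile(r"%SYS-5-CONFIG_I: Configured from")),
    ("ignore", re.compile(r"%SYS-6-LOGGINGHOST_STARTSTOP")),
]
DEFAULT_ACTION = "warn"  # messages nobody has classified yet surface instead of vanishing

FAILED_LOGIN_SOURCE = re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED.*\[Source: (?P<src>[0-9a-fA-F.:]+)\]")


def parse(line: str):
    """Split one syslog line into host/timestamp/message, or None if it is not syslog."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    return {"host": m["host"], "ts": m["ts"], "msg": m["msg"]}


def classify(msg: str) -> str:
    for action, pattern in RULES:
        if pattern.search(msg):
            return action
    return DEFAULT_ACTION


def triage(lines):
    """Return {action: [(host, msg), ...]}; unparseable lines land in 'warn'."""
    out = {"ignore": [], "warn": [], "alert": []}
    for line in lines:
        rec = parse(line)
        if rec is None:
            out["warn"].append(("<unparsed>", line))
            continue
        out[classify(rec["msg"])].append((rec["host"], rec["msg"]))
    return out


def failed_login_sources(lines, threshold: int = 3):
    """Sources with at least `threshold` failed logins across the batch."""
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec:
            m = FAILED_LOGIN_SOURCE.search(rec["msg"])
            if m:
                counts[m["src"]] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample lines (not real device output).
SAMPLE = [
    "<189>Sep 30 09:50:29 rtr1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up",
    "<189>Sep 30 09:50:31 rtr1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.10)",
    "<188>Sep 30 09:50:33 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]",
    "<188>Sep 30 09:50:34 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]",
    "<188>Sep 30 09:50:35 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.5] [localport: 22] [Reason: Login Authentication Failed]",
    "<188>Sep 30 09:50:36 rtr2 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]",
    "<190>Sep 30 09:50:40 rtr2 %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 192.0.2.50 started - CLI initiated",
    "<189>Sep 30 09:50:41 rtr2 %OSPF-5-ADJCHG: Process 1, Nbr 192.0.2.2 on Gi0/1 from FULL to DOWN, Neighbor Down: Dead timer expired",
    "garbage line that is not syslog",
]
```

The deliberate choice is the default: a regex-based filter that defaults to
"ignore" silently drops every message type nobody anticipated, which is exactly
where new failure modes and attacker activity first appear.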





events

2011-09-30 Thread harbor235
What is everyone using to collect, alert, and analyze syslog data?
I am looking for something that can generate reports as well as support
multiple vendors. We have done some home grown stuff in the past but
would be interested in something that incorporates all the best features.

Solarwinds, splunk, fwanalog, and others come to mind, any other good ones
out there?


Mike


Re: Synology Disk DS211J

2011-09-30 Thread Jay Ashworth
- Original Message -
> From: bmann...@vacation.karoshi.com

> > Tell me how that flies with the customers in your household...
> 
> They are freeloaders, not customers. If they -PAID-
> for service, then it would be a different conversation.

I'm pretty sure that was a "wife approval factor"/"not everyone's a geek"
observation, Bill.  

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



Re: Facebook insecure by design

2011-09-30 Thread Ben Carleton
Actually, the reason for what happened in your example is that Cee Lo's 
page has what is **technically** an app (called I Want You, as seen in 
the sidebar under his profile photo) set as the default screen for when 
you view his page. The app (which admittedly does look like it could be 
an official feature from Facebook) uses externally-hosted HTTP-only 
content, which Facebook will detect and warn you about.


-- Ben

On 9/30/2011 5:05 AM, William Allen Simpson wrote:

In accord with the recent thread, "facebook spying on us?"

We should also worry about other spying on us.  Without
some sort of rudimentary security, all that personally
identifiable information is exposed on our ISP networks,
over WiFi, etc.

Facebook claims to be able to run over TLS connections.
Not so much (see attached picture).

This wasn't an "app", this is the simple default content of a
page accessed after a Google search.

  https://www.facebook.com/ceelogreen
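
The condition Ben describes, an HTTPS page pulling in sub-resources over plain
http://, is what browsers call mixed content, and it is easy to check for before a
page ships. The Python below is an added example, not Facebook's code or anything
from the thread: it walks HTML served from an https:// URL, resolves relative and
protocol-relative references against the page URL, and reports http:// resources,
separating active content (scripts, frames, stylesheets, which can alter the page)
from passive content (images, media). The page URL and HTML are constructed.

```python
"""Added example, not from the thread or Facebook's code: scan HTML served over
HTTPS for sub-resources loaded over plain http://. The page URL and HTML are
constructed for illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that load sub-resources. Active content can alter the page;
# passive content is display-only. Browsers treat the two classes differently.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"), ("embed", "src"), ("link", "href")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (severity, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return  # only stylesheets count as active; icons and prefetch hints are not flagged
        checks = [(p, "active") for p in ACTIVE] + [(p, "passive") for p in PASSIVE]
        for (t, a), severity in checks:
            if tag == t and attrs.get(a):
                url = urljoin(self.page_url, attrs[a])  # resolves "//host/x" and "/x" against the page
                if urlsplit(url).scheme == "http":
                    self.findings.append((severity, tag, url))


def scan(page_url: str, html: str):
    """Return [(severity, tag, url), ...] for every http:// sub-resource of an https:// page."""
    if urlsplit(page_url).scheme != "https":
        raise ValueError("mixed content is only meaningful for a page served over https")
    s = MixedContentScanner(page_url)
    s.feed(html)
    s.close()
    return s.findings


# Constructed sample: one clean stylesheet and script, two active and one passive offenders.
SAMPLE_PAGE = "https://www.example.com/profile"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://static.example.com/app.css">
<link rel="stylesheet" href="http://cdn.example.net/theme.css">
<script src="//static.example.com/app.js"></script>
<script src="http://apps.example.org/widget.js"></script>
<link rel="icon" href="http://static.example.com/favicon.ico">
</head><body>
<img src="http://img.example.org/banner.gif">
<img src="/local.png">
<iframe src="https://apps.example.org/tab"></iframe>
</body></html>
"""
```

On the sample, scan() reports the http:// stylesheet and script as active and the
banner image as passive; the protocol-relative script and the site-relative image
resolve to https:// and are not flagged.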





Re: Synology Disk DS211J

2011-09-30 Thread Pierre-Yves Maunier
2011/9/29 Jones, Barry 

> Hey all.
> A little off topic, but wanted to share... I purchased a home storage
> Synology DS1511+. After configuring it on the home net, I did some captures
> to look at the protocols, and noticed that the DS1511+ is making outgoing
> connections to 59.124.41.242 (www) and 59.124.41.245 (port 81 & 89) on a
> regular basis. These addresses are owned by Synology and Chungwa Telecom in
> Taiwan.
>
> So far, I've not been able to find much information on their support sites,
> or Synology's wiki, but I wanted to put it out there.
>
>
>
Maybe it's for checking new firmware update availability...

-- 
Pierre-Yves Maunier


RE: Mails to Google being blocked for illegal attachments

2011-09-30 Thread Leigh Porter
Yeah.. +1 reasons not to use Google Apps..

--
Leigh Porter


> -Original Message-
> From: Meftah Tayeb [mailto:tayeb.mef...@gmail.com]
> Sent: 30 September 2011 13:19
> To: foks; nanog@nanog.org
> Subject: Re: Mails to Google being blocked for illegal attachments
> 
> Hey
> my guess is that maybe the image has been built using a non-licensed
> version of Adobe Photoshop or some other software
> the US embassy refused it for me because of that.
> 
> - Original Message -
> From: "foks" 
> To: 
> Sent: Friday, September 30, 2011 1:19 PM
> Subject: Mails to Google being blocked for illegal attachments
> 
> 
> Hello,
> 
> Since Sep 7 Google has bounced a specific type of our mails with this
> message:
> 
> host aspmx.l.google.com[74.125.43.27] said: 552-5.7.0 Our system
> detected an illegal attachment on your message. Please 552-5.7.0 visit
> http://mail.google.com/support/bin/answer.py?answer=6590 to 552 5.7.0
> review our attachment guidelines. z4si211085bkd.116 (in reply to end of
> DATA command)
> 
> The only attachment is a gif image so it seems that Googles check is
> wrong. Has anyone experienced this issue, or has any helpful contact
> information to Google? I have checked
> http://www.google.com/support/a/bin/static.py?page=contacting_support.h
> t
> ml and called these numbers, but they were not able to help me.
> 
> Regards,
> Jörgen Nilsson
> 
> __ Information from ESET NOD32 Antivirus, version of virus
> signature
> database 6505 (20110930) __
> 
> The message was checked by ESET NOD32 Antivirus.
> 
> http://www.eset.com
> 
> 
> 
> 
> 
> 
> 
> 
> 
> __
> This email has been scanned by the MessageLabs Email Security System.
> For more information please visit http://www.messagelabs.com/email
> __




Re: Mails to Google being blocked for illegal attachments

2011-09-30 Thread Meftah Tayeb

Hey
my guess is that maybe the image has been built using a non-licensed 
version of Adobe Photoshop or some other software

the US embassy refused it for me because of that.

- Original Message - 
From: "foks" 

To: 
Sent: Friday, September 30, 2011 1:19 PM
Subject: Mails to Google being blocked for illegal attachments


Hello,

Since Sep 7 Google has bounced a specific type of our mails with this
message:

host aspmx.l.google.com[74.125.43.27] said: 552-5.7.0 Our system
detected an illegal attachment on your message. Please 552-5.7.0 visit
http://mail.google.com/support/bin/answer.py?answer=6590 to 552 5.7.0
review our attachment guidelines. z4si211085bkd.116 (in reply to end of
DATA command)

The only attachment is a gif image so it seems that Googles check is
wrong. Has anyone experienced this issue, or has any helpful contact
information to Google? I have checked
http://www.google.com/support/a/bin/static.py?page=contacting_support.ht
ml and called these numbers, but they were not able to help me.

Regards,
Jörgen Nilsson











Re: Mails to Google being blocked for illegal attachments

2011-09-30 Thread Alex Brooks
On Fri, Sep 30, 2011 at 12:19 PM, foks  wrote:
>
> Hello,
>
> Since Sep 7 Google has bounced a specific type of our mails with this
> message:
>
> host aspmx.l.google.com[74.125.43.27] said: 552-5.7.0 Our system
> detected an illegal attachment on your message. Please 552-5.7.0 visit
> http://mail.google.com/support/bin/answer.py?answer=6590 to 552 5.7.0
> review our attachment guidelines. z4si211085bkd.116 (in reply to end of
> DATA command)
>
> The only attachment is a gif image so it seems that Googles check is
> wrong. Has anyone experienced this issue, or has any helpful contact
> information to Google? I have checked
> http://www.google.com/support/a/bin/static.py?page=contacting_support.ht
> ml and called these numbers, but they were not able to help me.

Hi,

Have you reported it through their support pages?  The one you're
after is probably:
https://mail.google.com/support/bin/request.py?contact_type=gtag_headers&group=bugflow_attachmentsnewbug&trouble_type=attachments

Generally, checking
https://mail.google.com/support/bin/static.py?page=known_issues.cs is
the first place to go with GMail issues if you're not an Apps
customer; they have a link to reporting problems at the bottom.
Though if you're not an Apps customer (or can't find one to report the
issue on your behalf as not receiving e-mails from you), I wouldn't
hold out too much hope for a response from it.

Do let us know how you solve the problem in the end.

Alex



Mails to Google being blocked for illegal attachments

2011-09-30 Thread foks
Hello,

Since Sep 7 Google has bounced a specific type of our mails with this
message:

host aspmx.l.google.com[74.125.43.27] said: 552-5.7.0 Our system
detected an illegal attachment on your message. Please 552-5.7.0 visit
http://mail.google.com/support/bin/answer.py?answer=6590 to 552 5.7.0
review our attachment guidelines. z4si211085bkd.116 (in reply to end of
DATA command)

The only attachment is a gif image so it seems that Googles check is
wrong. Has anyone experienced this issue, or has any helpful contact
information to Google? I have checked
http://www.google.com/support/a/bin/static.py?page=contacting_support.ht
ml and called these numbers, but they were not able to help me.

Regards,
Jörgen Nilsson

Re: Cisco 7600 PFC3B(XL) and IPv6 packets with fragmentation header

2011-09-30 Thread Saku Ytti
On (2011-09-30 01:55 -0400), Christopher Morrow wrote:
 
> when will vendors learn that punting to the RE/RP/smarts for packets
> in the fastpath is ... not just 'unwise' but wholesale stupid? :(

What to do with IP options or IPv6 hop-by-hop options? What to do with IPv6
packets which contain options which push TCP/UDP past your lookup view?

Punting transit is not only not stupid but also necessary in hardware routers
which cannot handle every case in hardware (which is all routers).
There should just be an adequate way to limit these and there should exist a
default limitation.

-- 
  ++ytti



Facebook insecure by design

2011-09-30 Thread William Allen Simpson

In accord with the recent thread, "facebook spying on us?"

We should also worry about other spying on us.  Without
some sort of rudimentary security, all that personally
identifiable information is exposed on our ISP networks,
over WiFi, etc.

Facebook claims to be able to run over TLS connections.
Not so much (see attached picture).

This wasn't an "app", this is the simple default content of a
page accessed after a Google search.

  https://www.facebook.com/ceelogreen