Re: Any enterprise operators very happy with their MPLS providers?
Subject: Any enterprise operators very happy with their MPLS providers?
Date: Wed, Dec 05, 2012 at 02:14:25PM +
Quoting McCall, Gabriel (gabriel.mcc...@thyssenkrupp.com):

> I'm getting ready to prepare an RFP for our next generation WAN, and would like feedback from anyone else who has 100+ MPLS nodes on their quality of account service and technical performance. My current landscape includes ATT, Sprint, and Verizon. I'm almost completely happy with Sprint- they're about in the A- range. ATT is muddling along at about a C, and Verizon is a solid F. I've heard very good things from some CenturyLink customers and will definitely include them in the bidder list- is anyone else doing a very good job for you?

We did a survey around 2008-9 in Sweden and concluded that the risk of large hysteresis IPDV and Q-in-Q outweighed the attractiveness (mainly price) of running on top of somebody else's MPLS. A major contributing factor was, and is, also that we ourselves are running MPLS for our logical separation needs, and that we predicted and got a lot of real-time critical RTP streams on the internal WAN.

We bought Gigabit Ethernet compatible channels over mainly dark fiber or WDM and included text in the call for tender about not even trying to offer MPLS-based L2.. This was done under EU Public call for tender legislation, which was a challenge. We are quite happy, and slashed our old inflated price for relatively small SDH links by a lot.

If, OTOH, you are not a very distributed radio company trying to do RTP in 48kHz 24-bit linear stereo over internal WAN, using multicast, you might be fine with an MPLS offering...

--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
I have a VISION! It's a RANCID double-FISHWICH on an ENRICHED BUN!!
RE: /. ITU Approves Deep Packet Inspection
So is it recommended now to go over all the NGN core routers and restore them to default with: no lawful-intercept disable cmd? :) adam
Google Fiber - keeps you regular
http://www.youtube.com/watch?v=re0VRK6ouwI&feature=share

you'll probably laugh so hard you won't even need the fiber
Re: TCP time_wait and port exhaustion for servers
On 5 Dec 2012, r...@maine.edu wrote:
> Where there is no way to change this though /proc
...
> Those netfilter connection tracking tunables have nothing to do with the kernel's TCP socket handling.

No, but these do...

net.ipv4.tcp_keepalive_intvl = 15
net.ipv4.tcp_keepalive_probes = 3
net.ipv4.tcp_keepalive_time = 90
net.ipv4.tcp_fin_timeout = 30

I think the OP was wrong, and missed something.

I'm no TCP/IP expert, but IME connections go into TIME_WAIT for a period pertaining to the above tuneables (X number of probes at Y interval until the remote end is declared likely dead and gone), and then go into FIN_WAIT and then IIRC FIN_WAIT2 or some other state like that before they are finally killed off. Those tunables certainly seem to have actually worked in the real world for me, whether they are right in theory or not is possibly another matter.

Broadly speaking I agree with the other posters who've suggested adding other IP addresses and opening up the local port range available.

I'm assuming the talk of 30k connections is because the OP's proxy has a 'one in one out' situation going on with connections, and that's why your ~65k pool for connections is halved.

K.
Re: TCP time_wait and port exhaustion for servers
It does require a fixed source address. The box is also a router and firewall, so it has many IP addresses available to it.

On Wed, Dec 5, 2012 at 5:24 PM, William Herrin b...@herrin.us wrote:
> On Wed, Dec 5, 2012 at 5:01 PM, Mark Andrews ma...@isc.org wrote:
>> In message CAP-guGW6oXo=UfTfg+SDiFjB4=qxpsho+yfk6vxnlkcc58p...@mail.gmail.com, William Herrin writes:
>>> The thing is, Linux doesn't behave quite that way. If you do an anonymous connect(), that is you socket() and then connect() without a bind() in the middle, then the limit applies *per destination IP:port pair*. So, you should be able to do 30,000 connections to 192.168.1.1 port 80, another 30,000 connections to 192.168.1.2 port 80, and so on.
>>
>> The socket api is missing a bind + connect call which restricts the source address when making the connect. This is needed when you are required to use a fixed source address.
>
> Hi Mark,
>
> There are ways around this problem in Linux. For example you can mark a packet with iptables based on the uid of the process which created it and then you can NAT the source address based on the mark. Little messy but the tools are there.
>
> Anyway, Ray didn't indicate that he needed a fixed source address other than the one the machine would ordinarily choose for itself.
>
> Regards,
> Bill Herrin
>
> --
> William D. Herrin her...@dirtside.com b...@herrin.us
> 3005 Crane Dr. .. Web: http://bill.herrin.us/
> Falls Church, VA 22042-3004

--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526
F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
Re: TCP time_wait and port exhaustion for servers
This tunes conntrack, not local TCP on the server itself.

On Wed, Dec 5, 2012 at 4:18 PM, Cyril Bouthors cy...@bouthors.org wrote:
> On 5 Dec 2012, r...@maine.edu wrote:
>> Where there is no way to change this though /proc
>
> 10:17PM lenovo:~% sudo sysctl -a |grep wait
> net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
> net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
> net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
> net.ipv4.netfilter.ip_conntrack_tcp_timeout_fin_wait = 120
> net.ipv4.netfilter.ip_conntrack_tcp_timeout_close_wait = 60
> net.ipv4.netfilter.ip_conntrack_tcp_timeout_time_wait = 120
> 10:17PM lenovo:~%
>
> ?
>
> We use this to work around the default limit on our internal load balancers.
>
> HIH.
> --
> Cyril Bouthors - Administration Système, Infogérance
> ISVTEC SARL, 14 avenue de l'Opéra, 75001 Paris
> 1 rue Émile Zola, 69002 Lyon
> Tél : 01 84 16 16 17 - Fax : 01 77 72 57 24
> Ligne directe : 0x7B9EE3B0E

--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526
F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
Fwd: [Infowarrior] - Leaked: ITU's secret Internet surveillance standard discussion draft
- Forwarded message from Richard Forno rfo...@infowarrior.org - From: Richard Forno rfo...@infowarrior.org Date: Thu, 6 Dec 2012 08:21:15 -0500 To: Infowarrior List infowarr...@attrition.org Subject: [Infowarrior] - Leaked: ITU's secret Internet surveillance standard discussion draft Leaked: ITU's secret Internet surveillance standard discussion draft http://boingboing.net/2012/12/05/leaked-itus-secret-internet.html --- Just because i'm near the punchbowl doesn't mean I'm also drinking from it. ___ Infowarrior mailing list infowarr...@attrition.org https://attrition.org/mailman/listinfo/infowarrior - End forwarded message -
Re: TCP time_wait and port exhaustion for servers
> net.ipv4.tcp_keepalive_intvl = 15
> net.ipv4.tcp_keepalive_probes = 3
> net.ipv4.tcp_keepalive_time = 90
> net.ipv4.tcp_fin_timeout = 30

As discussed, those do not affect TCP_TIMEWAIT_LEN.

There is a lot of misinformation out there on this subject so please don't just Google for 5 min. and chime in with a solution that you haven't verified yourself.

We can expand the ephemeral port range to be a full 60K (and we have as a band-aid), but that only delays the issue as use grows. I can verify that changing it via:

echo 1025 65535 > /proc/sys/net/ipv4/ip_local_port_range

Does work for the full range, as a spot check shows ports as low as 2000 and as high as 64000 being used.

While this works fine for the majority of our sites as they average well below that, for a handful peak hours can spike above 1000 connections per second; so we would really like to see something closer to an ability to provide closer to 2000 or 2500 connections a second for the amount of bandwidth being delivered through the unit (full gigabit). But ideally we would find a way to significantly reduce the number of ports being chewed up for outgoing connections.

On the incoming side everything just makes use of the server port locally so it's not an issue.

Trying to avoid using multiple source addresses for this as it would involve a fairly large configuration change to about 100+ units; each requiring coordination with the end-user, but it is a last resort option.

The other issue is that this is all essentially squid, so a drastic re-design of how it handles networking is not ideal either.

On Thu, Dec 6, 2012 at 8:25 AM, Kyrian kyr...@ore.org wrote:
> On 5 Dec 2012, r...@maine.edu wrote:
>> Where there is no way to change this though /proc
> ...
>> Those netfilter connection tracking tunables have nothing to do with the kernel's TCP socket handling.
>
> No, but these do...
>
> net.ipv4.tcp_keepalive_intvl = 15
> net.ipv4.tcp_keepalive_probes = 3
> net.ipv4.tcp_keepalive_time = 90
> net.ipv4.tcp_fin_timeout = 30
>
> I think the OP was wrong, and missed something.
>
> I'm no TCP/IP expert, but IME connections go into TIME_WAIT for a period pertaining to the above tuneables (X number of probes at Y interval until the remote end is declared likely dead and gone), and then go into FIN_WAIT and then IIRC FIN_WAIT2 or some other state like that before they are finally killed off. Those tunables certainly seem to have actually worked in the real world for me, whether they are right in theory or not is possibly another matter.
>
> Broadly speaking I agree with the other posters who've suggested adding other IP addresses and opening up the local port range available.
>
> I'm assuming the talk of 30k connections is because the OP's proxy has a 'one in one out' situation going on with connections, and that's why your ~65k pool for connections is halved.
>
> K.

--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526
F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
Re: TCP time_wait and port exhaustion for servers
Quoting Ray Soucy r...@maine.edu:

>> net.ipv4.tcp_keepalive_intvl = 15
>> net.ipv4.tcp_keepalive_probes = 3
>> net.ipv4.tcp_keepalive_time = 90
>> net.ipv4.tcp_fin_timeout = 30
>
> As discussed, those do not affect TCP_TIMEWAIT_LEN.
>
> There is a lot of misinformation out there on this subject so please don't just Google for 5 min. and chime in with a solution that you haven't verified yourself.
...
>> Those tunables certainly seem to have actually worked in the real world for me, whether they are right in theory or not is possibly another matter.

TLDR? They worked for me, to reduce connections in a TIME_WAIT state, in a real situation, after well over 5 minutes of Googling. Exactly as I said. Further, they differed from the (netfilter) ones posted previously that were stated as not having anything to do with it by someone or other. There's no cause at all for your snotty message back.

What you didn't state in your email was whether these connections were being left in TIME_WAIT because they had not been closed (eg. mobile devices or similar that are somewhat notorious for not closing connections properly), or whether the normal close process was taking too long. I suspect that if you had clarified that point initially, things would have made more sense all round.

The tunables listed above, AIUI handle connections that were not properly terminated, and idling out, whereas I believe (having had the opportunity to consider it in more depth) your situation seems more to do with properly terminated connections that have hard-coded behaviours in the kernel.

Perhaps you can clarify for the benefit of the masses.

Also, if you are going to hack the kernel to make that change, I urge you to make it part of the sysctl mechanism as well, and to send a patch back to the kernel developers to help out others who might be in a similar situation to you. This is both to help the community, and give you an easier means to tweak the setting as needed in future without a further kernel recompile.

K.

--
Kev Green, aka Kyrian. E: kyrian@ore.org WWW: http://kyrian.ore.org/
ISP/Perl/PHP/Linux/Security Contractor, via http://www.orenet.co.uk/
Re: TCP time_wait and port exhaustion for servers
On 12/6/12 10:20 AM, Kyrian wrote:
> Also, if you are going to hack the kernel to make that change, I urge you to make it part of the sysctl mechanism as well, and to send a patch back to the kernel developers to help out others who might be in a similar situation to you. This is both to help the community, and give you an easier means to tweak the setting as needed in future without a further kernel recompile.

Of course, this whole problem would have gone away years ago, had more folks implemented RFC6013. Or prior recommendations going back 15+ years.

Meanwhile, my experience with the Linux kernel team is that about 1/2 of the tweak will go in, and the rest will fall by the wayside. Only about 1/3 of RFC6013 made it into 2.6.32, even though I started feeding them code 6 months before publication.
Re: TCP time_wait and port exhaustion for servers
Question: If a TCP connection is left hanging and continues to hoard the port for some time before it times out, shouldn't the work be focused on finding out why the connection is not properly closed instead of trying to support a greater number of hung connections waiting to time out?
Cogent outage?
About 10 minutes ago we stopped being able to pass traffic through cogent. I de-peered us from Cogent, and everything appears better. When I call cogent, all I get is a busy signal (must be a major outage). Anyone else seeing anything?

Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139
Re: Cogent outage?
On 12/06/2012 11:11 AM, Matthew Huff wrote: About 10 minutes ago we stopped being able to pass traffic through cogent. I de-peered us from Cogent, and everything appears better. When I call cogent, all I get is a busy signal (must be a major outage). Anyone else seeing anything? Passing normal traffic in Kansas City. Steve -- -- Steven Saner ssa...@hubris.net Voice: 316-858-3000 Director of Network Operations Fax: 316-858-3001 Hubris Communicationshttp://www.hubris.net
RE: Cogent outage?
I may have seen this as well. I touch Cogent in Boston. Seems to be returning as of 1717 GMT. ERM Evan R Moore Network Engineer Sovernet Communications -Original Message- From: Matthew Huff [mailto:mh...@ox.com] Sent: Thursday, December 06, 2012 12:12 PM To: 'nanog@nanog.org' Subject: Cogent outage? About 10 minutes ago we stopped being able to pass traffic through cogent. I de-peered us from Cogent, and everything appears better. When I call cogent, all I get is a busy signal (must be a major outage). Anyone else seeing anything? Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
Re: TCP time_wait and port exhaustion for servers
This issue is really for connections that close properly and without any issue. The application closes the socket and doesn't care about it; but the OS keeps it in the TIME_WAIT state as required by the RFC for TCP in case data tries to be sent after the connection has closed (out of order transmission).

I think we're going to go with dropping it to 30 seconds instead of 60 seconds and seeing how that goes. It seems to be the direction taken by people who have implemented high traffic load balancers and proxy servers.

I was hoping someone would have real data on what a realistic time window is for keeping a socket in a TIME_WAIT state, but it doesn't seem like anyone has collected data on it.

On Thu, Dec 6, 2012 at 11:33 AM, Jean-Francois Mezei jfmezei_na...@vaxination.ca wrote:
> Question: If a TCP connection is left hanging and continues to hoard the port for some time before it times out, shouldn't the work be focused on finding out why the connection is not properly closed instead of trying to support a greater number of hung connections waiting to time out?

--
Ray Patrick Soucy
Network Engineer
University of Maine System
T: 207-561-3526
F: 207-561-3531
MaineREN, Maine's Research and Education Network
www.maineren.net
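Added example, not from any poster in this thread: a Python sketch that works out the port budget behind the figures quoted above (local port range 1025-65535, TIME_WAIT of 60 versus 30 seconds) and counts TIME_WAIT sockets per source address and destination IP:port, the tuple the thread says the limit applies to. The function names and the sample /proc/net/tcp text are constructed for illustration, and the address decoding assumes IPv4 on a little-endian host.

```python
"""TIME_WAIT port budget for the proxy case discussed in this thread (added example)."""
import math
import socket
import struct
from collections import Counter

TCP_TIME_WAIT = 0x06  # state code that /proc/net/tcp prints for TIME_WAIT

# Constructed sample in /proc/net/tcp layout (documentation addresses, not real data).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A0200C0:0C38 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0A0200C0:07D0 146433C6:0050 06 00000000:00000000 03:00000BB8 00000000     0        0 0 3
   2: 0A0200C0:07D1 146433C6:0050 06 00000000:00000000 03:00000A28 00000000     0        0 0 3
   3: 0A0200C0:FA00 057100CB:01BB 06 00000000:00000000 03:000005DC 00000000     0        0 0 3
   4: 0A0200C0:07D2 146433C6:0050 01 00000000:00000000 00:00000000 00000000    13        0 1002 1
"""


def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port).

    Assumption: IPv4 entry read on a little-endian host, where the kernel
    prints the address word byte-swapped (127.0.0.1 shows as 0100007F).
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def time_wait_by_tuple(proc_net_tcp_text):
    """Count TIME_WAIT sockets per (source IP, destination IP, destination port)."""
    counts = Counter()
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        try:
            if int(fields[3], 16) != TCP_TIME_WAIT:
                continue
            local_ip, _ = decode_addr(fields[1])
            remote_ip, remote_port = decode_addr(fields[2])
        except (ValueError, struct.error):
            continue  # skip malformed rows rather than abort the count
        counts[(local_ip, remote_ip, remote_port)] += 1
    return counts


def max_sustained_rate(port_lo, port_hi, time_wait_s):
    """New connections per second one tuple can sustain before ports run out.

    Each closed connection holds its local port for time_wait_s seconds, so
    the steady-state ceiling is (number of ports) / (hold time).
    """
    return (port_hi - port_lo + 1) / time_wait_s


def sources_needed(target_rate, port_lo, port_hi, time_wait_s):
    """Source addresses required to reach target_rate toward one destination."""
    ports = port_hi - port_lo + 1
    return max(1, math.ceil(target_rate * time_wait_s / ports))


if __name__ == "__main__":
    for tw in (60, 30):
        rate = max_sustained_rate(1025, 65535, tw)
        print(f"TIME_WAIT {tw}s: about {rate:.0f} new connections/s per tuple")
    print("source addresses for 2500/s at 60s:",
          sources_needed(2500, 1025, 65535, 60))
    for key, n in time_wait_by_tuple(SAMPLE_PROC_NET_TCP).most_common():
        print(key, n)
```

On a live host the same counting can be pointed at the contents of /proc/net/tcp instead of the constructed sample.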
Re: Cogent outage?
Passing normal traffic in San Jose and Ashburn. On Thu, Dec 6, 2012 at 12:11 PM, Matthew Huff mh...@ox.com wrote: About 10 minutes ago we stopped being able to pass traffic through cogent. I de-peered us from Cogent, and everything appears better. When I call cogent, all I get is a busy signal (must be a major outage). Anyone else seeing anything? Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff| Fax: 914-460-4139 -- Christopher Nielsen They who can give up essential liberty for temporary safety, deserve neither liberty nor safety. --Benjamin Franklin The tree of liberty must be refreshed from time to time with the blood of patriots tyrants. --Thomas Jefferson
Re: Cogent outage?
No issues seen in Orlando either. Nick Olsen Network Operations (855) FLSPEED x106 From: Steven Saner ssa...@hubris.net Sent: Thursday, December 06, 2012 12:17 PM To: nanog@nanog.org Subject: Re: Cogent outage? On 12/06/2012 11:11 AM, Matthew Huff wrote: About 10 minutes ago we stopped being able to pass traffic through cogent. I de-peered us from Cogent, and everything appears better. When I call cogent, all I get is a busy signal (must be a major outage). Anyone else seeing anything? Passing normal traffic in Kansas City. Steve -- -- Steven Saner ssa...@hubris.net Voice: 316-858-3000 Director of Network Operations Fax: 316-858-3001 Hubris Communicationshttp://www.hubris.net
Re: Cogent outage?
No visible issues in the DC area. On Thu, Dec 6, 2012 at 10:17 AM, Evan Moore emo...@sover.net wrote: I may have seen this as well. I touch Cogent in Boston. Seems to be returning as of 1717 GMT. ERM Evan R Moore Network Engineer Sovernet Communications -Original Message- From: Matthew Huff [mailto:mh...@ox.com] Sent: Thursday, December 06, 2012 12:12 PM To: 'nanog@nanog.org' Subject: Cogent outage? About 10 minutes ago we stopped being able to pass traffic through cogent. I de-peered us from Cogent, and everything appears better. When I call cogent, all I get is a busy signal (must be a major outage). Anyone else seeing anything? Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff| Fax: 914-460-4139
RE: Cogent outage?
Evan, We are hearing reports of this from our customers as well. We connect to them in NY and Boston. Jeremiah Millay Network Engineer Vermont Telephone Co., Inc. Phone: 802 885-7796 Mobile: 802 289-2116 E-Mail: jmil...@vermontel.com -Original Message- From: Evan Moore [mailto:emo...@sover.net] Sent: Thursday, December 06, 2012 12:17 PM To: 'Matthew Huff'; 'nanog@nanog.org' Subject: RE: Cogent outage? I may have seen this as well. I touch Cogent in Boston. Seems to be returning as of 1717 GMT. ERM Evan R Moore Network Engineer Sovernet Communications -Original Message- From: Matthew Huff [mailto:mh...@ox.com] Sent: Thursday, December 06, 2012 12:12 PM To: 'nanog@nanog.org' Subject: Cogent outage? About 10 minutes ago we stopped being able to pass traffic through cogent. I de-peered us from Cogent, and everything appears better. When I call cogent, all I get is a busy signal (must be a major outage). Anyone else seeing anything? Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
Re: Cogent outage?
Internet pulse shows cogent being difficult. From my Galaxy Note II, please excuse any mistakes. Original message From: Nick Olsen n...@flhsi.com Date: 12/06/2012 9:28 AM (GMT-08:00) To: Steven Saner ssa...@hubris.net,nanog@nanog.org Subject: Re: Cogent outage? No issues seen in Orlando either. Nick Olsen Network Operations (855) FLSPEED x106 From: Steven Saner ssa...@hubris.net Sent: Thursday, December 06, 2012 12:17 PM To: nanog@nanog.org Subject: Re: Cogent outage? On 12/06/2012 11:11 AM, Matthew Huff wrote: About 10 minutes ago we stopped being able to pass traffic through cogent. I de-peered us from Cogent, and everything appears better. When I call cogent, all I get is a busy signal (must be a major outage). Anyone else seeing anything? Passing normal traffic in Kansas City. Steve -- -- Steven Saner ssa...@hubris.net Voice: 316-858-3000 Director of Network Operations Fax: 316-858-3001 Hubris Communicationshttp://www.hubris.net
Re: Cogent outage?
I'm seeing packet loss between my Atlanta Cogent connection and some servers we have in both Dallas and London. According to Cogent's status page they're having an outage in the NYC area. -Proto http://status.cogentco.com/ On Thu, Dec 6, 2012 at 12:11 PM, Matthew Huff mh...@ox.com wrote: About 10 minutes ago we stopped being able to pass traffic through cogent. I de-peered us from Cogent, and everything appears better. When I call cogent, all I get is a busy signal (must be a major outage). Anyone else seeing anything? Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff| Fax: 914-460-4139
RE: Cogent outage?
We are peered in Westchester Co, NY (north of NYC). Reports from status.cogentco.com suggest a problem in NYC. I wonder if it's related to the 75 Broad Street explosion this morning. According to Cogent status, they are running on generator.

Matthew Huff | 1 Manhattanville Rd
Director of Operations | Purchase, NY 10577
OTA Management LLC | Phone: 914-460-4039
aim: matthewbhuff | Fax: 914-460-4139

-Original Message-
From: Michael Proto [mailto:m...@jellydonut.org]
Sent: Thursday, December 06, 2012 12:31 PM
To: Matthew Huff
Cc: nanog@nanog.org
Subject: Re: Cogent outage?

I'm seeing packet loss between my Atlanta Cogent connection and some servers we have in both Dallas and London. According to Cogent's status page they're having an outage in the NYC area.

-Proto

http://status.cogentco.com/

On Thu, Dec 6, 2012 at 12:11 PM, Matthew Huff mh...@ox.com wrote:
> About 10 minutes ago we stopped being able to pass traffic through cogent. I de-peered us from Cogent, and everything appears better. When I call cogent, all I get is a busy signal (must be a major outage). Anyone else seeing anything?
>
> Matthew Huff | 1 Manhattanville Rd
> Director of Operations | Purchase, NY 10577
> OTA Management LLC | Phone: 914-460-4039
> aim: matthewbhuff | Fax: 914-460-4139
Re: Cogent outage?
Internet pulse now shows cogent with increased latency on nearly every peer. From my Galaxy Note II, please excuse any mistakes. Original message From: Christopher Nielsen m4dh4t...@gmail.com Date: 12/06/2012 9:31 AM (GMT-08:00) To: Matthew Huff mh...@ox.com Cc: nanog@nanog.org Subject: Re: Cogent outage? Passing normal traffic in San Jose and Ashburn. On Thu, Dec 6, 2012 at 12:11 PM, Matthew Huff mh...@ox.com wrote: About 10 minutes ago we stopped being able to pass traffic through cogent. I de-peered us from Cogent, and everything appears better. When I call cogent, all I get is a busy signal (must be a major outage). Anyone else seeing anything? Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff| Fax: 914-460-4139 -- Christopher Nielsen They who can give up essential liberty for temporary safety, deserve neither liberty nor safety. --Benjamin Franklin The tree of liberty must be refreshed from time to time with the blood of patriots tyrants. --Thomas Jefferson
RE: Cogent outage?
We just disabled our peering with Cogent in Boston and things have improved. We still have peering with them established in NYC (60 Hudson). Jeremiah Millay Network Engineer Vermont Telephone Co., Inc. Phone: 802 885-7796 Mobile: 802 289-2116 E-Mail: jmil...@vermontel.com -Original Message- From: Michael Proto [mailto:m...@jellydonut.org] Sent: Thursday, December 06, 2012 12:31 PM To: Matthew Huff Cc: nanog@nanog.org Subject: Re: Cogent outage? I'm seeing packet loss between my Atlanta Cogent connection and some servers we have in both Dallas and London. According to Cogent's status page they're having an outage in the NYC area. -Proto http://status.cogentco.com/ On Thu, Dec 6, 2012 at 12:11 PM, Matthew Huff mh...@ox.com wrote: About 10 minutes ago we stopped being able to pass traffic through cogent. I de-peered us from Cogent, and everything appears better. When I call cogent, all I get is a busy signal (must be a major outage). Anyone else seeing anything? Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff| Fax: 914-460-4139
Solutions for DoS & DDoS
Hello Everyone,

I'm assisting a non-profit organization to research solutions to secure their network from DOS/DDOS attacks. So far we have gone the route of discussing with their ISPs to see what solutions they have to offer, believing that the carriers are better positioned to block the attack from the source.

I wanted to get the list's thoughts on our approach going the carrier route and/or hear about successful implementation of other solutions.

Thanks,
--
Michael Gatti
949.371.5474 (UTC -8)
RE: Streaming video traffic increase from Level3?
We think we found out the source of usage -- the local college's Men's Volleyball team played last night against the neighboring (rival) school. The local college's streams are fixed at 1.5 Mbps, so you just need a few people watching to make it add up in hurry. That would explain the usage and why we saw the traffic as streaming video. Sorry for the noise, Frank -Original Message- From: Frank Bulk [mailto:frnk...@iname.com] Sent: Wednesday, December 05, 2012 11:01 PM To: nanog@nanog.org Subject: Streaming video traffic increase from Level3? This evening I saw a quadruple increase in traffic volume from Level3 address space, a one-third increase in peak streaming video usage overall, and when I did a few checks with our netflow tool, it looks like customers that were streaming Netflix content just days before are now getting it out of Level3 space rather than our local cache or our upstream provider's Netflix cache. We also exceeded our previous peak usage by 12%. Did something change with Netflix that would have resulted in greater usage? Did Netflix defaults change so that customers are now using HD, or a higher-rate bitrate HD? Frank
RE: China Telecom VPN problems (again)
Make sure you check this out in detail. My export / import people found out that if the device is going to be in control of and used by a US company doing business in China, there are a lot less encryption restrictions. The ruling was that it was not an export if the device remains the property of and in control of a US company. The thought is that they want US companies to be able to secure their own VPN traffic. There are also apparently some key escrow rules whereby you are supposed to give the Chinese government your keys. I am told by US gov't employee that almost no one does that and the Chinese government makes it a point not to hassle US companies. Your mileage may vary and I am not an import / export expert. Steven Naslund -Original Message- From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu] Sent: Wednesday, December 05, 2012 2:11 PM To: Warren Bailey Cc: nanog@nanog.org Subject: Re: China Telecom VPN problems (again) On Wed, 05 Dec 2012 19:48:31 +, Warren Bailey said: Since when is heavy encryption cool in China? Export restrictions smoke all of the decent crypto options. OK, I'll bite.. What crypto options are getting stuck due to export restrictions (as opposed to import restrictions on the other end)?
RE: China Telecom VPN problems (again)
Agreed. I have run IPsec over MPLS with no problem in China on several carriers. Internet connectivity also worked but performance was spotty due to overloaded firewall or circuits in and out of the country. Steven Naslund -Original Message- From: Tom Paseka [mailto:t...@cloudflare.com] Sent: Wednesday, December 05, 2012 1:27 PM To: Christopher Morrow Cc: nanog@nanog.org Subject: Re: China Telecom VPN problems (again) On Wed, Dec 5, 2012 at 11:25 AM, Christopher Morrow morrowc.li...@gmail.com wrote: On Wed, Dec 5, 2012 at 2:19 PM, Tom Paseka t...@cloudflare.com wrote: Its quite easy to get MPLS-VPN connectivity into China (Pacnet, Singtel, CPCNet, etc, will offer), but at a price. mpls != ipsec ... perhaps the OP wants some privacy and authentication and such? run IPSEC over the MPLS-VPN. It'll be a lot more stable than over public internet.
RE: China Telecom VPN problems (again)
There are lots of carriers but unfortunately they all seem to use China Telecom infrastructure for transport so there is not really a way to get better Internet service there. In our experience MPLS performs better because China Telecom seems to hand off service to the international MPLS carriers before the big Internet bottleneck. Steven Naslund -Original Message- From: Christopher Morrow [mailto:morrowc.li...@gmail.com] Sent: Wednesday, December 05, 2012 1:25 PM To: Tom Paseka Cc: nanog@nanog.org Subject: Re: China Telecom VPN problems (again) On Wed, Dec 5, 2012 at 2:19 PM, Tom Paseka t...@cloudflare.com wrote: Its quite easy to get MPLS-VPN connectivity into China (Pacnet, Singtel, CPCNet, etc, will offer), but at a price. mpls != ipsec ... perhaps the OP wants some privacy and authentication and such? Suzhou and Shenzhen are easily in reach of all the above listed providers. On Wed, Dec 5, 2012 at 7:50 AM, Warren Bailey wbai...@satelliteintelligencegroup.com wrote: We tried to get our VPN work from the China Telecom/China Unicom beijing POP for over a year. The Chinese always claimed it was kosher, but we had something like 60%+ loss across our 4 hop VPN for the entirety of the project. Private circuits don't really exist on the mainland, HK and (maybe) Shanghai are about the only places for decent connectivity. :/ On 12/5/12 7:38 AM, Suresh Ramasubramanian ops.li...@gmail.com wrote: It's called the great firewall of china. Feel free to shift vendors but it won't help. Meanwhile make sure none of your users are surfing for falun gong, dalai lama, ai weiwei or whoever else the chicom censors don't like on that particular day On Wednesday, December 5, 2012, Thomas York wrote: It looks like I'm having China Telecom issues yet again. They're batting down our SSL VPN tunnels. Switching ports doesn't help. Tunneling the SSL tunnel inside of another tunnel doesn't help. At this point I'm tired of listening to the screaming by the business users. 
Can someone contact me (here or off-list, I don't care) about circuits in China so that we don't have to use China Telecom? We'd only need 2-10 Mbit and Ethernet hand off. We don't need BGP or MPLS or anything remotely fancy. Our main concern is getting connectivity to the business district in Suzhou, but it'd be nice if we could also use the same carrier in Shenzhen. Thanks! -- Thomas York -- --srs (iPad)
RE: How to get DID local numbers (IP Telephony)
You can get DID numbers from a carrier when you buy a service from them. There is usually a ratio of how many DIDs you can get for a certain service. I know you will need state utilities commission licenses at least if you want to become a telephone carrier. IP only voice service I am not sure about, could be considered a data service but I think if you are handing out DOD numbers, you are a phone carrier. There is a lot of regulatory stuff for utilities in the US. A lot more than can be explained here. Involves lots of taxes, law enforcement access, insurance, 911 communications, etc. There is probably no more regulated business in the US than communications. Steven Naslund -Original Message- From: Сергей Харламов [mailto:men...@bk.ru] Sent: Tuesday, December 04, 2012 4:04 PM To: nanog@nanog.org Subject: How to get DID local numbers (IP Telephony) Hi there, Can someone explain me how can I get an block of DID (Telephony numbers)? For example I need 200 numbers. Is that special organization or I must buy it somewhere? What the rule for USA (NY) about telephony providing ? Should I have a licence to sale ip telephony? Thanks.
Re: How to get DID local numbers (IP Telephony)
If you're looking to use SIP, I've had a good experience with Flowroute.com. I got one of my customers a block of 20 DIDs from them. Flowroute had to order the block from the CLEC in their area code and it took about two weeks. Derek On Dec 4, 2012, at 5:03 PM, Сергей Харламов men...@bk.ru wrote: Hi there, Can someone explain me how can I get an block of DID (Telephony numbers)? For example I need 200 numbers. Is that special organization or I must buy it somewhere? What the rule for USA (NY) about telephony providing ? Should I have a licence to sale ip telephony? Thanks.
RE: Six Strike Rule (Was: William was raided...)
If you are a facilities based broadband provider in the US you have to comply with CALEA. There is no coming to some agreement, you have a legal obligation to comply. No more, and no less. You don't have to comply with requests from agencies other than law enforcement under CALEA but you may need to under other requirements such as DMCA. You should know what the minimum legal requirements are and if you don't want to do more than that, fine. However, you could get a court order telling you to do almost anything and it would be expensive and potentially put you in contempt not to comply with them. I am not a lawyer but dealt with these requirements for years on the job. Steven Naslund -Original Message- From: Barry Shein [mailto:b...@world.std.com] Sent: Wednesday, December 05, 2012 11:22 AM To: nanog@nanog.org Subject: Re: Six Strike Rule (Was: William was raided...) On December 4, 2012 at 11:10 ja...@thebaughers.com (Jason Baugher) wrote: We don't do content inspection. We don't really want to know what our customers are doing, and even if we did, there's not enough time in the day to spend paying attention. When we get complaints from the various copyright agencies, we warn the customer to stop. When we hit a certain number of complaints, it's bye-bye customer. This is why there's a need for some sort of reasonable, organized response outlined in writing. In my experience law enforcement (and others) will try to shift whatever investigative tasks are convenient to them to anyone in the loop. Why not, it costs them nothing to have you running around all day and night doing investigative work for them. They will generally cite the seriousness of the underlying crime as (bottomless) justification for your contribution. The rational response is to sit down as a group within some framework and come to some agreement* with them as to what is a reasonable and sufficient response in these cases. 
Otherwise you're just the complaint desk at Macy's taking all comers and subject to whatever they can dream up to try to get you to solve their problems. * Agreement with LEOs is best, a unilateral document would at least open discussion one would hope and move towards that end. -- -Barry Shein The World | b...@theworld.com | http://www.TheWorld.com Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada Software Tool Die| Public Access Internet | SINCE 1989 *oo*
Re: How to get DID local numbers (IP Telephony)
- Original Message - From: Сергей Харламов men...@bk.ru Can someone explain me how can I get an block of DID (Telephony numbers)? For example I need 200 numbers. Is that special organization or I must buy it somewhere? What the rule for USA (NY) about telephony providing ? Should I have a licence to sale ip telephony? DID numbers are actually E.164 addresses, which are relevant in the context of the IPSTN. Because they are addresses on a specific network, in order to have some assigned to you, you need to have a connection to that network. Generally, that connection is either via SIP+RTP over IP to a VoIP gateway provider, who in turn connects to the PSTN using PRI trunks to their supplier's switch, or who is themselves the operator of a switch which is connected to the PSTN by SS7... or you yourself do one of those two things, in (very) roughly increasing order of cost. We'll assume for the moment, that you do not want to become a CLEC. (The rest of this message is even more USAdian than the first part.) To get DID numbers in a given area, you need to purchase connectivity service from a telco or gateway provider with physical facilities in that area. On the VoIP side, it's common for the DID to be the actual thing you purchase, and the transport and minutes (if any) come along with it. If you're buying a local PRI circuit to a local RBOC/CLEC, then blocks of DID's are something you buy at extra cost, and you tell the telco how to group the channels on your PRIs, and which DIDs to route to which trunkgroups. In both cases, outbound-only service is possible to buy, so the DID(s) are actually optional. In short, though, if you have physical gear in the US somewhere, you can buy a PRI and put DIDs on it; if you don't, you can contract with one or more VoIP providers who do, and backhaul the traffic that way. 
If you ever decide you have to switch the DIDs to a different carrier, you will find that this is easier and harder depending on whom you're working with; I don't think there's a rule. Did that help? Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
RE: Cogent outage?
Seeing 25% packet loss between Tampa and Munich at 19:59 UTC James Harris 727-571-9328 -Original Message- From: Matthew Huff [mailto:mh...@ox.com] Sent: Thursday, December 06, 2012 12:12 PM To: 'nanog@nanog.org' Subject: Cogent outage? About 10 minutes ago we stopped being able to pass traffic through Cogent. I de-peered us from Cogent, and everything appears better. When I call Cogent, all I get is a busy signal (must be a major outage). Anyone else seeing anything? Matthew Huff | 1 Manhattanville Rd Director of Operations | Purchase, NY 10577 OTA Management LLC | Phone: 914-460-4039 aim: matthewbhuff | Fax: 914-460-4139
Online/double-conversion UPS economy/high efficiency modes?
Hi folks, I'm looking at several brands of rackmount 3kva double-conversion UPSes, such as Tripp Lite and Eaton Powerware. I'm specifically looking for something that will work as a line-interactive UPS until the power starts to misbehave and will then switch to double-conversion mode until a while after the last power bump. Basically I want the best of both worlds: save money on my power bill most of the time (double-conversion UPSes generally waste 10%-15% of the consumed kilowatt hours) but switch to nice clean double-conversion when the storms roll through and the power gets rough. Here's where I'm looking for help: the vendor web sites have scanty details about how the UPSes behave in their high efficiency modes. I'm hoping folks here have used some of the UPSes with this feature and can offer feedback. When does the UPS decide to switch to double-conversion? When does it decide to switch back? Are the options tunable? Through what interface? Can I write software that monitors a weather report and sends an SNMP message to switch the UPS to double conversion mode ahead of a storm? Eaton's 9130 says On the High Efficiency setting, the UPS operates normally on Bypass, transfers to inverter in less than 10 ms when utility fails, and transfers back to Bypass in 1 minute after utility returns. The indicator illuminates when the UPS transfers to Bypass. http://lit.powerware.com/ll_download.asp?file=Eaton%209130%20UPS.pdf Tripp Lite's SU3000RTXL3U only says If the UPS has been placed into Economy Mode (available on select UPS systems), it configures an online UPS to function as a switching UPS. When the UPS system is in Economy Mode, it operates at increased efficiency while AC utility power is available (within +/- 10% nominal) and switches to battery power if AC utility power is interrupted. http://www.tripplite.com/shared/techdoc/Owners-Manual/932471.pdf What others should I consider? Can anyone offer details? Thanks, Bill -- William D. 
Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
Re: Solutions for DoS DDoS
The ideal solution is a carrier that has its own true DDoS mitigation platform, and does not rely on black hole routing. Have the carrier handle the large bulk flood attacks, then have your own prem-based mitigation platform take care of the more application specific attacks that get through. This represents the best solution, and also the most expensive. So it may not work for a non profit. This Email was sent from Steve's iPad Message: 4 Date: Thu, 6 Dec 2012 09:51:21 -0800 From: Mike Gatti ekim.it...@gmail.com To: NANOG list nanog@nanog.org Subject: Solutions for DoS DDoS Message-ID: 0d89d80c-d288-402f-8723-b837ea523...@gmail.com Content-Type: text/plain; charset=us-ascii Hello Everyone, I'm assisting a non-profit organization to research solutions to secure their network from DOS/DDOS attacks. So far we have gone the route of discussing with their ISP's to see what solutions they have to offer, believing that the carriers are better positioned to block the attack from the source. I wanted to get the list's thoughts on our approach going the carrier route and/or hear about successful implementation of other solutions. Thanks, -- Michael Gatti 949.371.5474 (UTC -8) -- End of NANOG Digest, Vol 59, Issue 24 *
RE: Solutions for DoS DDoS
Is the cause of this non-profit a controversial one with a good likelihood of attracting the attention of demographics with the ability to mount DDoS attacks? If your upstream can do it for a good price (on account of being a non-profit organization) and they have lots of bandwidth along with a decent stack of mitigation gear, and some clue on how to operate them, then that should be the first choice. But DDoS mitigation is not their core business, so be prepared for them to blackhole your IP if things get difficult. Make sure your SLA is as bulletproof as possible or at least understand how bad things can get before they bail out on you. If the asset you want to protect is on standard web ports (ie 80 and 443) and is a likely DDoS target (per my first question), then one of the affordable DDoS-Mitigation-as-a-Service (DMaaS) providers would be a better fit for the task. Your upstream will appreciate not becoming collateral victim of the attack traffic. My good friend (who was also a co-founder of Peer1) founded dosarrest.com. They seem to be quite successful and have protected some high profile customers, so feel free to give them a call. If the non-profit is in the high risk of attack profile (ie any cause that is likely to offend techno-savvy bullies or religious fanatics), then you should talk to Prolexic/Verisign/Neustar/NexusGuard. If you are in the high risk category and your cause is that of free-speech, maybe the good folks at virtualroad.org (with help from Prolexic) can help. Regards, Joe -Original Message- From: Mike Gatti [mailto:ekim.it...@gmail.com] Sent: Thursday, December 06, 2012 5:51 PM To: NANOG list Subject: Solutions for DoS DDoS Hello Everyone, I'm assisting a non-profit organization to research solutions to secure their network from DOS/DDOS attacks. So far we have gone the route of discussing with their ISP's to see what solutions they have to offer, believing that the carriers are better positioned to block the attack from the source. 
I wanted to get the list's thoughts on our approach going the carrier route and/or hear about successful implementation of other solutions. Thanks, -- Michael Gatti 949.371.5474 (UTC -8)
Re: Solutions for DoS DDoS
By coincidence we have just published the video archive of our Mitigating DDoS Attacks: Best Practices for an Evolving Threat Landscape event last Wednesday. It's at http://youtu.be/FR0660X9lGc We'll have a full transcript up early next week. j On Thu, Dec 6, 2012 at 12:51 PM, Mike Gatti ekim.it...@gmail.com wrote: Hello Everyone, I'm assisting a non-profit organization to research solutions to secure their network from DOS/DDOS attacks. So far we have gone the route of discussing with their ISP's to see what solutions they have to offer, believing that the carriers are better positioned to block the attack from the source. I wanted to get the list's thoughts on our approach going the carrier route and/or hear about successful implementation of other solutions. Thanks, -- Michael Gatti 949.371.5474 (UTC -8) -- --- Joly MacFie 218 565 9365 Skype:punkcast WWWhatsup NYC - http://wwwhatsup.com http://pinstand.com - http://punkcast.com VP (Admin) - ISOC-NY - http://isoc-ny.org -- -
RE: Cogent outage?
We got a notice from Internap a few hours ago: At approximately 12:10 EST Internap shut down the BGP session with Cogent as we were widespread packet loss issues through their network out of our New York (NYM) PNAP. We are contacting Cogent to see if they are aware of what the issue is. They have not as yet updated this yrs Michael -- Michael Bubb +1.646.783.8769 https://www.google.com/profiles/michael.bubb The first principle is that you must not fool yourself--and you are the easiest person to fool. - Richard Feynman All things are a flowing, Sage Heraclitus says; But a tawdry cheapness Shall reign throughout our days. - Pound
Re: Online/double-conversion UPS economy/high efficiency modes?
On 12/06/2012 12:49 PM, William Herrin wrote: Hi folks, I'm looking at several brands of rackmount 3kva double-conversion UPSes, such as Tripp Lite and Eaton Powerware. I'm specifically looking for something that will work as a line-interactive UPS until the power starts to misbehave and will then switch to double-conversion mode until a while after the last power bump. I recently went to the Tripp Lite 16kva online double conversion ups and did note the increased inefficiency. However, the financial cost of that inefficiency doesn't appear to be more than $40 - $60 / mo. So I am wondering at your scale with only a 3kva model, really, what is the final dollar cost to you versus the effort and dubious benefits of writing scripts or depending on embedded logic to do the right thing? The whole reason you have online double conversion vs line interactive, is to have the best available protection, and when you are on line interactive - even if it can switch - you are still taking that risk of power issues that will jump your ups and hit your connected equipment anyways. Mike-
Re: How to get DID local numbers (IP Telephony)
Can someone explain me how can I get an block of DID (Telephony numbers)? As I think recent messages have shown, it's not possible to provide a useful answer unless you give us some hint about what you want to do with the traffic from those numbers. If you want to deliver it via SIP over the public Internet, there's a set of specialist vendors like Voxbone. If you want to route it via dedicated trunks such as PRIs to a server physically located in the area to which the DIDs are assigned, you should talk to a CLEC (or whatever they're called in other countries.) If you want to do something else, well what is it?
Re: Cogent outage?
We've seen BGP resets on our servers in Tampa...with Cogent no longer being the preferred route for outgoing traffic. The preferred path from our DC is now through Hurricane (AS6939). Blair Trosper Updraft Networks LEARN (North Texas GigaPOP) On Thu, Dec 6, 2012 at 3:09 PM, Michael Bubb michael.b...@gmail.com wrote: We got a notice from Internap a few hours ago: At approximately 12:10 EST Internap shut down the BGP session with Cogent as we were widespread packet loss issues through their network out of our New York (NYM) PNAP. We are contacting Cogent to see if they are aware of what the issue is. They have not as yet updated this yrs Michael -- Michael Bubb +1.646.783.8769 https://www.google.com/profiles/michael.bubb The first principle is that you must not fool yourself--and you are the easiest person to fool. - Richard Feynman All things are a flowing, Sage Heraclitus says; But a tawdry cheapness Shall reign throughout our days. - Pound
Re: Amazon Abuse contact
http://aws.amazon.com/security/vulnerability-reporting/ On Tue, Dec 4, 2012 at 11:40 PM, Mark Keymer m...@viviotech.net wrote: Hi, If there is an Amazon Abuse person out there or if someone has a good contact to someone at Amazon can you message me off-list. We have put in some Abuse requests a couple of days ago and have not heard back. It would be great to talk with someone about an issue affecting one of our clients and the use of Amazon. (Cloud instances I believe) Thank you in advance. Sincerely, -- Mark Keymer CFO/COO Vivio Technologies 509-593-4207 x1002
RE: Online/double-conversion UPS economy/high efficiency modes?
That is so old-school FUD re line-interactive vs double-conversion. Very much the tubeless vs tubed tire debate all over again. Buy well-engineered quality brand products (ie Emerson/Liebert, Schneider/APC) then it will be a non-issue. -Original Message- From: Mike [mailto:mike-na...@tiedyenetworks.com] Sent: Thursday, December 06, 2012 9:17 PM To: nanog@nanog.org Subject: Re: Online/double-conversion UPS economy/high efficiency modes? On 12/06/2012 12:49 PM, William Herrin wrote: Hi folks, I'm looking at several brands of rackmount 3kva double-conversion UPSes, such as Tripp Lite and Eaton Powerware. I'm specifically looking for something that will work as a line-interactive UPS until the power starts to misbehave and will then switch to double-conversion mode until a while after the last power bump. I recently went to the Tripp Lite 16kva online double conversion ups and did note the increased inefficiency. However, the financial cost of that inefficiency doesn't appear to be more than $40 - $60 / mo. So I am wondering at your scale with only a 3kva model, really, what is the final dollar cost to you versus the effort and dubious benefits of writing scripts or depending on embedded logic to do the right thing? The whole reason you have online double conversion vs line interactive, is to have the best available protection, and when you are on line interactive - even if it can switch - you are still taking that risk of power issues that will jump your ups and hit your connected equipment anyways. Mike-
Re: Cogent outage?
Internap just updated: Cogent has said that the issue they were having has been resolved. Internap's BGP session was turned back up at approximately 15:45 EST and traffic has been stable since that time. On Thu, Dec 6, 2012 at 4:36 PM, Blair Trosper blair.tros...@gmail.com wrote: We've seen BGP resets on our servers in Tampa...with Cogent no longer being the preferred route for outgoing traffic. The preferred path from our DC is now through Hurricane (AS6939). Blair Trosper Updraft Networks LEARN (North Texas GigaPOP) On Thu, Dec 6, 2012 at 3:09 PM, Michael Bubb michael.b...@gmail.com wrote: We got a notice from Internap a few hours ago: At approximately 12:10 EST Internap shut down the BGP session with Cogent as we were widespread packet loss issues through their network out of our New York (NYM) PNAP. We are contacting Cogent to see if they are aware of what the issue is. They have not as yet updated this yrs Michael -- Michael Bubb +1.646.783.8769 https://www.google.com/profiles/michael.bubb The first principle is that you must not fool yourself--and you are the easiest person to fool. - Richard Feynman All things are a flowing, Sage Heraclitus says; But a tawdry cheapness Shall reign throughout our days. - Pound -- Michael Bubb +1.646.783.8769 https://www.google.com/profiles/michael.bubb The first principle is that you must not fool yourself--and you are the easiest person to fool. - Richard Feynman All things are a flowing, Sage Heraclitus says; But a tawdry cheapness Shall reign throughout our days. - Pound
RE: Online/double-conversion UPS economy/high efficiency modes?
I'm looking at several brands of rackmount 3kva double-conversion UPSes, such as Tripp Lite and Eaton Powerware. I'm specifically looking for something that will work as a line-interactive UPS until the power starts to misbehave and will then switch to double-conversion mode until a while after the last power bump. Not entirely the topic asked, but we have good experience doing this at the 500 kva module level. We are using the 'eBoost' method from GE, which is more or less what you ask for. It keeps the inverter and rectifier alive and energized, but current flow is via the bypass static switch. We have used this for about a year or so now, and even including hurricane sandy craziness, have seen in excess of 98% usage of eBoost. When in that mode, system efficiency jumps from about 92% to 99.8% efficient. A huge savings per 500 kva / 450 kw. 450 kw * 24h * 30d * 7.8% increase in efficiency is 25,272 kw-hrs saved per month, or at $0.12/kw-hr is $3,032/month/450 kw of load. The point is that it works, works well, and is green. http://www.gedigitalenergy.com/products/brochures/PowerQuality/brochure-eBoost-GEA-D1050-GB.pdf To this point: even if it can switch - you are still taking that risk of power issues that will jump your ups and hit your connected equipment anyways. If the overall power system is designed correctly, this should never be an issue. We did pretty extensive testing on this. I don't know if anyone does this at the very-small level. I know GE's smallest unit is 300 kva for eBoost. Question everything, assume nothing, discuss all, and resolve quickly. -- Alex Rubenstein, AR97, K2AHR, a...@nac.net, latency, Al Reuben -- --Net Access Corporation, 800-NET-ME-36, http://www.nac.net --
Re: Online/double-conversion UPS economy/high efficiency modes?
On 12/6/12 12:49 PM, William Herrin wrote: Hi folks, I'm looking at several brands of rackmount 3kva double-conversion UPSes, such as Tripp Lite and Eaton Powerware. I'm specifically looking for something that will work as a line-interactive UPS until the power starts to misbehave and will then switch to double-conversion mode until a while after the last power bump. Basically I want the best of both worlds: save money on my power bill most of the time (double-conversion UPSes generally waste 10%-15% of the consumed kilowatt hours) but switch to nice clean double-conversion when the storms roll through and the power gets rough. Here's where I'm looking for help: the vendor web sites have scanty details about how the UPSes behave in their high efficiency modes. I'm hoping folks here have used some of the UPSes with this feature and can offer feedback. When does the UPS decide to switch to double-conversion? When does it decide to switch back? Are the options tunable? Through what interface? Can I write software that monitors a weather report and sends an SNMP message to switch the UPS to double conversion mode ahead of a storm? Eaton's 9130 says On the High Efficiency setting, the UPS operates normally on Bypass, transfers to inverter in less than 10 ms when utility fails, and transfers back to Bypass in 1 minute after utility returns. The indicator illuminates when the UPS transfers to Bypass. http://lit.powerware.com/ll_download.asp?file=Eaton%209130%20UPS.pdf I have a 700VA 9130 rackmount that I recently bought to give it an eval run (although the first was a dud). There is a 3kVA model. For my small load it reports a PF of 0.91 online. It is selectable between normal and high efficiency mode through the front panel. I would assume the tolerance settings in there related to bypass availability would trigger online mode. If it does kick over to online from high efficiency bypass it'll stay there for a minute to watch for stability before going back. 
The network card (Network Card-MS) is extremely sparse in being able to configure it remotely. It's mainly just for status. It does not have an option in the web interface to toggle the mode or change the bypass tolerance settings, however, there is a MIB object for power strategy that says it's read-write but I haven't tried writing to it yet. I guess I can try it and report back. ~Seth
Verizon ISP ATM ports
Hey All, It's that time of the year again, and I am looking for Verizon ATM/DSL wholesale DSL ports for NY/NJ LATAs. Off-list replies are welcome. Thanks, Joe
RE: Google Fiber - keeps you regular
Why does the youtube video link lead back to their Fiber Internet/TV offering? Maybe I'm lost but the video is about a Google Fiber Bar right? Otis -Original Message- From: Suresh Ramasubramanian [mailto:ops.li...@gmail.com] Sent: Thursday, December 06, 2012 5:31 AM To: nanog@nanog.org Subject: Google Fiber - keeps you regular http://www.youtube.com/watch?v=re0VRK6ouwI&feature=share you'll probably laugh so hard you won't even need the fiber
Re: Google Fiber - keeps you regular
All jokes about crappy Internet service aside, that is? On Friday, December 7, 2012, Otis L. Surratt, Jr. wrote: Why does the youtube video link lead back to their Fiber Internet/TV offering? Maybe I'm lost but the video is about a Google Fiber Bar right? Otis -Original Message- From: Suresh Ramasubramanian [mailto:ops.li...@gmail.com] Sent: Thursday, December 06, 2012 5:31 AM To: nanog@nanog.org Subject: Google Fiber - keeps you regular Introducing the Google Fiber Bar http://www.youtube.com/watch?v=re0VRK6ouwI&feature=share you'll probably laugh so hard you won't even need the fiber -- --srs (iPad)
RE: Google Fiber - keeps you regular
Yep. But you know I wouldn't be surprised if Google entered that market. That's why I was asking. You never know these days. From: Suresh Ramasubramanian [mailto:ops.li...@gmail.com] Sent: Thursday, December 06, 2012 5:36 PM To: Otis L. Surratt, Jr. Cc: nanog@nanog.org Subject: Re: Google Fiber - keeps you regular All jokes about crappy Internet service aside, that is? On Friday, December 7, 2012, Otis L. Surratt, Jr. wrote: Why does the youtube video link lead back to their Fiber Internet/TV offering? Maybe I'm lost but the video is about a Google Fiber Bar right? Otis -Original Message- From: Suresh Ramasubramanian [mailto:ops.li...@gmail.com] Sent: Thursday, December 06, 2012 5:31 AM To: nanog@nanog.org Subject: Google Fiber - keeps you regular Introducing the Google Fiber Bar you'll probably laugh so hard you won't even need the fiber -- --srs (iPad)
Re: Google Fiber - keeps you regular
If you look at www.google.com/fiber they do seem to be in that market now On Friday, December 7, 2012, Otis L. Surratt, Jr. wrote: Yep. But you know I wouldn't be surprised if Google entered that market. That's why I was asking. You never know these days. From: Suresh Ramasubramanian [mailto:ops.li...@gmail.com] Sent: Thursday, December 06, 2012 5:36 PM To: Otis L. Surratt, Jr. Cc: nanog@nanog.org Subject: Re: Google Fiber - keeps you regular All jokes about crappy Internet service aside, that is? On Friday, December 7, 2012, Otis L. Surratt, Jr. wrote: Why does the youtube video link lead back to their Fiber Internet/TV offering? Maybe I'm lost but the video is about a Google Fiber Bar right? Otis -Original Message- From: Suresh Ramasubramanian [mailto:ops.li...@gmail.com] Sent: Thursday, December 06, 2012 5:31 AM To: nanog@nanog.org Subject: Google Fiber - keeps you regular Introducing the Google Fiber Bar you'll probably laugh so hard you won't even need the fiber -- --srs (iPad) -- --srs (iPad)
RE: Online/double-conversion UPS economy/high efficiency modes?
I have a 700VA 9130 rackmount that I recently bought to give it an eval run (although the first was a dud). There is a 3kVA model. For my small load it reports a PF of 0.91 online. PF, as in power factor? That has nothing to do with UPS efficiency.
Re: Online/double-conversion UPS economy/high efficiency modes?
I apologize for mentioning it; thanks for taking the time to point out such data could not possibly be useful. ~Seth Sent from my iPad, please excuse my brevity. On Dec 6, 2012, at 16:19, Alex Rubenstein a...@corp.nac.net wrote: I have a 700VA 9130 rackmount that I recently bought to give it an eval run (although the first was a dud). There is a 3kVA model. For my small load it reports a PF of 0.91 online. PF, as in power factor? That has nothing to do with UPS efficiency.
Re: Amazon Abuse contact
Thank you for everyone's help. We were contacted by Amazon today. Sincerely, Mark Keymer On 12/6/2012 1:37 PM, Enrico Sorge wrote: http://aws.amazon.com/security/vulnerability-reporting/ On Tue, Dec 4, 2012 at 11:40 PM, Mark Keymer m...@viviotech.net wrote: Hi, If there is an Amazon Abuse person out there or if someone has a good contact to someone at Amazon can you message me off-list. We have put in some Abuse requests a couple of days ago and have not heard back. It would be great to talk with someone about an issue affecting one of our clients and the use of Amazon. (Cloud instances I believe) Thank you in advance. Sincerely, -- Mark Keymer CFO/COO Vivio Technologies 509-593-4207 x1002
Re: Solutions for DoS DDoS
My experience with most providers has been that null routing is the industry standard when a DDoS hits their network. I would suggest approaching companies who specialize in DDoS mitigation - Prolexic and Blacklotus to name two I am familiar with. These outfits may have something that works for a non-profit from a pricing point of view. Ping me off list, I deal with a few providers and may be able to point you in the right direction. /e On 2012-12-06 3:53 PM, Steve wrote: The ideal solution is a carrier that has its own true DDoS mitigation platform, and does not rely on black hole routing. Have the carrier handle the large bulk flood attacks, then have your own prem-based mitigation platform take care of the more application specific attacks that get through. This represents the best solution, and also the most expensive. So it may not work for a non profit. This Email was sent from Steve's iPad Message: 4 Date: Thu, 6 Dec 2012 09:51:21 -0800 From: Mike Gatti ekim.it...@gmail.com To: NANOG list nanog@nanog.org Subject: Solutions for DoS DDoS Message-ID: 0d89d80c-d288-402f-8723-b837ea523...@gmail.com Content-Type: text/plain; charset=us-ascii Hello Everyone, I'm assisting a non-profit organization to research solutions to secure their network from DOS/DDOS attacks. So far we have gone the route of discussing with their ISP's to see what solutions they have to offer, believing that the carriers are better positioned to block the attack from the source. I wanted to get the list's thoughts on our approach going the carrier route and/or hear about successful implementation of other solutions. Thanks, -- Michael Gatti 949.371.5474 (UTC -8) -- End of NANOG Digest, Vol 59, Issue 24 * -- Erol Blakely easyDNS Technologies Inc.
Re: Solutions for DoS DDoS
The most popular solution is Arbor Clean pipes. They have different ways you can get this: http://www.arbornetworks.com/ On Thu, Dec 6, 2012 at 5:26 PM, Erol Blakely e...@easydns.com wrote: My experience with most providers has been that null routing is the industry standard when a DDoS hits their network. I would suggest approaching companies who specialize in DDoS mitigation - Prolexic and Blacklotus to name two I am familiar with. These outfits may have something that works for a non-profit from a pricing point of view. Ping me off list, I deal with a few providers and may be able to point you in the right direction. /e On 2012-12-06 3:53 PM, Steve wrote: The ideal solution is a carrier that has its own true DDoS mitigation platform, and does not rely on black hole routing. Have the carrier handle the large bulk flood attacks, then have your own prem-based mitigation platform take care of the more application specific attacks that get through. This represents the best solution, and also the most expensive. So it may not work for a non profit. This Email was sent from Steve's iPad Message: 4 Date: Thu, 6 Dec 2012 09:51:21 -0800 From: Mike Gatti ekim.it...@gmail.com To: NANOG list nanog@nanog.org Subject: Solutions for DoS DDoS Message-ID: 0d89d80c-d288-402f-8723-b837ea523...@gmail.com Content-Type: text/plain; charset=us-ascii Hello Everyone, I'm assisting a non-profit organization to research solutions to secure their network from DOS/DDOS attacks. So far we have gone the route of discussing with their ISP's to see what solutions they have to offer, believing that the carriers are better positioned to block the attack from the source. I wanted to get the list's thoughts on our approach going the carrier route and/or hear about successful implementation of other solutions. Thanks, -- Michael Gatti 949.371.5474 (UTC -8) -- End of NANOG Digest, Vol 59, Issue 24 *** -- Erol Blakely easyDNS Technologies Inc.