Re: Practical effects of DNSSEC deployment

2013-08-16 Thread Geoff Huston
Hi Steve,

> There was an interesting paper at Usenix Security on the effects of deploying 
> DNSSEC; see 
> https://www.usenix.org/conference/usenixsecurity13/measuring-practical-impact-dnssec-deployment .
> The difference in geographical impact was quite striking.
> 

George Michaelson and I have been undertaking similar work in DNSSEC, using an 
advertisement to enrol users' browsers to perform a set of URL loads that tests 
their ability to perform DNSSEC validation. Our methodology differed from that 
in the Usenix paper - we worked hard at setting up name structures that 
eliminated any benefits from DNS caching as well as web caching. We presented 
on this work at the IEPG meeting at IETF 87 a couple of weeks ago.

The bottom line: around 8% of clients across the Internet will perform DNSSEC 
validation - i.e. they are seen to fetch the DS and DNSKEY RRs for the signed 
objects, and will fetch the object that is correctly signed, and will not fetch 
the object that is badly signed. A further 4% of clients appear to use a set 
of resolvers where there is a mix of validating resolvers and non-validating 
resolvers. What we see is that the client's resolver will perform a set of 
fetches of the DS and DNSKEY records for the badly signed object, then ask for 
the A record a second time (generally using a different resolver) and then 
fetch the object anyway - i.e. the original SERVFAIL response causes the 
client to turn to another resolver in its list, and use that result. 87% of 
clients only ask for A records - no signs of DNSSEC life for them.

We did some basic mapping of client to country (there is a LOT of DNSSEC 
validation in Sweden!) and network service provider by origin AS, and also 
looked at the performance implications, both if you serve a zone that's signed, 
and if you serve a zone that is signed badly.

The presentation is at http://www.iepg.org/2013-07-ietf87/2013-07-28-dnssec.pdf 
if you are interested.


  Geoff
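
[Added example, not part of the message above and not the authors' measurement code.] The three client classes described in the post can be derived from server-side logs alone: the queries seen at the authoritative name server and the objects fetched from the web server. The name layout (<client>.good / <client>.bad under a test zone), the zone name, the log tuples and the "indeterminate" bucket are assumptions made for this sketch; all sample records are constructed.

```python
from collections import Counter, defaultdict
from typing import NamedTuple

ZONE = "dnssec-test.example"      # hypothetical test zone
DNSSEC_QTYPES = {"DS", "DNSKEY"}  # queries only a validating resolver sends

# Constructed authoritative-server log: (resolver_ip, qname, qtype).
# The per-client label makes every name unique, so no cache can answer.
DNS_LOG = [
    # c1: resolver validates; the badly signed name is never fetched
    ("192.0.2.10", "c1.good." + ZONE, "A"),
    ("192.0.2.10", "c1.good." + ZONE, "DNSKEY"),
    ("192.0.2.10", "c1.good." + ZONE, "DS"),
    ("192.0.2.10", "c1.bad." + ZONE, "A"),
    ("192.0.2.10", "c1.bad." + ZONE, "DNSKEY"),
    ("192.0.2.10", "c1.bad." + ZONE, "DS"),
    # c2: first resolver validates (SERVFAIL), client retries via a second one
    ("192.0.2.20", "c2.good." + ZONE, "A"),
    ("192.0.2.20", "c2.good." + ZONE, "DNSKEY"),
    ("192.0.2.20", "c2.bad." + ZONE, "A"),
    ("192.0.2.20", "c2.bad." + ZONE, "DNSKEY"),
    ("192.0.2.20", "c2.bad." + ZONE, "DS"),
    ("198.51.100.7", "c2.bad." + ZONE, "A"),
    # c3: A queries only
    ("203.0.113.5", "c3.good." + ZONE, "A"),
    ("203.0.113.5", "c3.bad." + ZONE, "A"),
    # c4: DNSSEC queries seen, but the browser left before fetching anything
    ("192.0.2.10", "c4.good." + ZONE, "A"),
    ("192.0.2.10", "c4.good." + ZONE, "DS"),
    # unrelated traffic, ignored
    ("203.0.113.9", "www.example.org", "A"),
]

# Constructed web-server log: Host header of each object actually fetched.
WEB_LOG = [
    "c1.good." + ZONE,
    "c2.good." + ZONE, "c2.bad." + ZONE,
    "c3.good." + ZONE, "c3.bad." + ZONE,
]


class Verdict(NamedTuple):
    label: str
    retried_elsewhere: bool  # bad name's A query also came from a resolver
                             # that sent no DS/DNSKEY queries for it


def parse_name(name):
    """Return (client, variant) for <client>.<good|bad>.ZONE, else None."""
    name = name.rstrip(".").lower()
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return None
    labels = name[: -len(suffix)].split(".")
    if len(labels) != 2 or labels[1] not in ("good", "bad"):
        return None
    return labels[0], labels[1]


def classify(dns_log, web_log):
    """Map each client id to a Verdict using the criteria from the post."""
    queries = defaultdict(list)  # client -> [(variant, resolver, qtype)]
    fetched = defaultdict(set)   # client -> {"good", "bad"}
    for resolver, qname, qtype in dns_log:
        parsed = parse_name(qname)
        if parsed:
            queries[parsed[0]].append((parsed[1], resolver, qtype.upper()))
    for host in web_log:
        parsed = parse_name(host)
        if parsed:
            fetched[parsed[0]].add(parsed[1])

    verdicts = {}
    for client in sorted(set(queries) | set(fetched)):
        qs = queries[client]
        dnssec_seen = any(qt in DNSSEC_QTYPES for _, _, qt in qs)
        bad_a = {r for v, r, qt in qs if v == "bad" and qt == "A"}
        bad_sec = {r for v, r, qt in qs if v == "bad" and qt in DNSSEC_QTYPES}
        retried = bool(bad_sec) and bool(bad_a - bad_sec)
        if not dnssec_seen:
            label = "non-validating"   # only ever asks for A records
        elif "bad" in fetched[client]:
            label = "mixed"            # validation seen, bad object fetched anyway
        elif "good" in fetched[client]:
            label = "validating"       # good fetched, bad withheld
        else:
            label = "indeterminate"    # not enough evidence either way
        verdicts[client] = Verdict(label, retried)
    return verdicts


def summarize(verdicts):
    """Count clients per class."""
    return Counter(v.label for v in verdicts.values())
```
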





RE: Google having issues?

2013-08-16 Thread Frank Bulk
Confirmed:
http://www.google.com/appsstatus#hl=en&v=issue&ts=1376715599000&sid=1&iid=0a668851fc3f5856b360e2bdb8781fc1

Frank

-Original Message-
From: win...@team-metro.net [mailto:win...@team-metro.net] 
Sent: Friday, August 16, 2013 6:30 PM
To: nanog@nanog.org
Subject: Google having issues?


Hey guys,


I’m hearing reports of Google services (Search, Youtube, Mail, etc) going down 
all over the place, providing extremely spotty service. Works fine for me right 
now, but a lot of people seem to be having problems all over the world.

Any ideas what’s going on?



Thanks!

~ Em




Re: APC UPS Advice/Guidance for Canada 120/240

2013-08-16 Thread Michael Brown
On 13-08-16 10:33 PM, Michael Brown wrote:
> VOLTAGE = 5 | 6 | 14 (5?120V, 6?208 or 240V, 14?120/240V combo i.e. 2
> hots, neutral and ground)
That would be:

VOLTAGE = 5 | 6 | 14 (5->120V, 6->208 or 240V, 14->120/240V combo i.e. 2 hots, 
neutral and ground)

The mailing list ate my Unicode arrows. Nom nom.

M.

-- 
Michael Brown            | The true sysadmin does not adjust his behaviour
Systems Administrator    | to fit the machine.  He adjusts the machine
mich...@supermathie.net  | until it behaves properly.  With a hammer,
                         | if necessary.  - Brian




Re: APC UPS Advice/Guidance for Canada 120/240

2013-08-16 Thread Michael Brown
On 13-08-16 05:47 PM, Nick Khamis wrote:
> We are in the market for a APC UPS, and had a few questions. We are not
> that familiar with APC, and was hoping for some clarity. Our power demands
> will be for a unit that will sustain 3 kW/4 kVA scalable to 8 kVA.
The model you're looking at looks good for your needs. The electrical
spec sheet seems WAY more readable than the webpage by the way:
http://www.apcmedia.com/salestools/ASTE-6Z8LSA/ASTE-6Z8LSA_R0_EN.pdf

The reason you're looking at the input voltage on the webpage and
getting confused is probably:
"Input voltage range for main operations: 96 - 138V (Line to Neutral)"

What that REALLY means is that it will function as long as the incoming
line voltage is in the 122±16V bracket (i.e. the UPS can tolerate under
and over-voltages). That's hot-to-neutral voltage.

Now, in Canada when you're running on 208V you're USUALLY getting two
hot phases at 120° phase offset (each at 120V hot-to-neutral) giving you
a RMS voltage (think of it as the time-based mean voltage) of 208V, not
the 240V hot-to-neutral you may be used to... elsewhere. Sometimes you'll
get two hot lines of 120V at 180° phase offset, giving you 240V. In rare
cases you'll actually get 240V hot-to-neutral.

This UPS will be happy with either (it says on the spec sheet: Input
voltage: 200, 208,  or 240).

As for the output, first a quick primer on reading the NEMA plug types:

*$LOCK$VOLTAGE-$AMPERAGE$END*
LOCK = L | "" (if L, it means twist lock end)
VOLTAGE = 5 | 6 | 14 (5?120V, 6?208 or 240V, 14?120/240V combo i.e. 2
hots, neutral and ground)
AMPERAGE = 15 | 20 | 30 (literally 15A / 20A / 30A)
END = P | R (Plug or Receptacle)

So you'll want to plug your 120V PDU into the L5-20R receptacle and
you'll need a cable with a L5-20P at one end and a C13 or C19 (depending
on what your PDU takes as input) on the other. Such as:
http://ca.startech.com/Cables/Computer-Power/External/8ft-IEC320-C-19-to-NEMA-L5-20P-123C-Power-Cord~PXTL520C198

(btw, do note that those two L5-20R outlets only give you 4800VA × 0.8
of total power. You'll need to hardwire or use the L14 receptacles as well)

As far as STONITH goes, the only control you'll have is all ports off or
all ports on. You'll want a PDU with switched outlets if you need more
granular control.

(plug time: if you want more help speccing this out and a quote, feel
free to email me at netdirect.ca as we can sell this).

M.

-- 
Michael Brown            | The true sysadmin does not adjust his behaviour
Systems Administrator    | to fit the machine.  He adjusts the machine
mich...@supermathie.net  | until it behaves properly.  With a hammer,
                         | if necessary.  - Brian



Re: Google having issues?

2013-08-16 Thread Hannes Frederic Sowa
On Fri, Aug 16, 2013 at 11:29:30PM +, win...@team-metro.net wrote:
> I’m hearing reports of Google services (Search, Youtube, Mail, etc) going 
> down all over the place, providing extremely spotty service. Works fine for 
> me right now, but a lot of people seem to be having problems all over the 
> world.
> 
> Any ideas what’s going on?

Google rolled out an erroneous update for gmail. See

and comments.

Maybe this has something to do with these problems?

Greetings,

  Hannes




RE: Google having issues?

2013-08-16 Thread Nathan Anderson
At about 5 minutes to 4:00p PDT, downforeveryoneorjustme.com confirmed that 
"it's not just you!" for google.com; in fact, it's still saying that, although 
I can reach Google services on our network now.

I could also ping Google, but I tried to open a connection to port 80 on 
google.com via telnet around the time I started having problems, and I was just 
getting connection refused (immediate RST received upon transmission of SYN) 
across multiple Google IPs.  I then VPN'd over to an off-net DSL connection, 
and from there I had no trouble accessing Google, but OS X telnet (which 
apparently will automatically try multiple IPs if DNS resolution comes back 
with multiple A records) showed that it was still getting "connection refused" 
on a few IPs before it finally struck gold.

-- Nathan

-Original Message-
From: Derek Ivey [mailto:de...@derekivey.com] 
Sent: Friday, August 16, 2013 4:34 PM
To: win...@team-metro.net
Cc: nanog@nanog.org
Subject: Re: Google having issues?

I was having a hard time getting to Google Maps from my Verizon FiOS
connection and also from my Hurricane Electric IPv6 tunnel. I was able
to ping them though. Didn't try any other google services.

Derek

On Aug 16, 2013, at 7:32 PM, "win...@team-metro.net"
 wrote:

>
> Hey guys,
>
>
> I'm hearing reports of Google services (Search, Youtube, Mail, etc) going 
> down all over the place, providing extremely spotty service. Works fine for 
> me right now, but a lot of people seem to be having problems all over the 
> world.
>
> Any ideas what's going on?
>
>
>
> Thanks!
>
> ~ Em



Re: Google having issues?

2013-08-16 Thread Scott Howard
I've had 2 short outages to both Google Search and Google Mail/Apps over
the last 30 mins.  Both cleared after a few minutes.  For Search at least
it was returning a Google error page.

Comcast in the Bay Area.

  Scott



On Fri, Aug 16, 2013 at 4:29 PM,  wrote:

>
> Hey guys,
>
>
> I’m hearing reports of Google services (Search, Youtube, Mail, etc) going
> down all over the place, providing extremely spotty service. Works fine for
> me right now, but a lot of people seem to be having problems all over the
> world.
>
> Any ideas what’s going on?
>
>
>
> Thanks!
>
> ~ Em


Re: Google having issues?

2013-08-16 Thread Derek Ivey
I was having a hard time getting to Google Maps from my Verizon FiOS
connection and also from my Hurricane Electric IPv6 tunnel. I was able
to ping them though. Didn't try any other google services.

Derek

On Aug 16, 2013, at 7:32 PM, "win...@team-metro.net"
 wrote:

>
> Hey guys,
>
>
> I’m hearing reports of Google services (Search, Youtube, Mail, etc) going 
> down all over the place, providing extremely spotty service. Works fine for 
> me right now, but a lot of people seem to be having problems all over the 
> world.
>
> Any ideas what’s going on?
>
>
>
> Thanks!
>
> ~ Em




Google having issues?

2013-08-16 Thread wingar

Hey guys,


I’m hearing reports of Google services (Search, Youtube, Mail, etc) going down 
all over the place, providing extremely spotty service. Works fine for me right 
now, but a lot of people seem to be having problems all over the world.

Any ideas what’s going on?



Thanks!

~ Em

BGP Update Report

2013-08-16 Thread cidr-report
BGP Update Report
Interval: 08-Aug-13 -to- 15-Aug-13 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank ASN       Upds     %  Upds/Pfx    AS-Name
 1 - AS5800   49023  2.8%     215.0 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
 2 - AS8402   32813  1.9%      20.9 -- CORBINA-AS OJSC "Vimpelcom"
 3 - AS9829   29704  1.7%      35.4 -- BSNL-NIB National Internet Backbone
 4 - AS27738  28447  1.6%      49.4 -- Ecuadortelecom S.A.
 5 - AS7552   21849  1.3%      18.6 -- VIETEL-AS-AP Vietel Corporation
 6 - AS9416   18573  1.1%    9286.5 -- MULTIMEDIA-AS-AP Hoshin Multimedia Center Inc.
 7 - AS15003  17601  1.0%      33.9 -- NOBIS-TECH - Nobis Technology Group, LLC
 8 - AS4775   15874  0.9%     345.1 -- GLOBE-TELECOM-AS Globe Telecoms
 9 - AS18403  15147  0.9%      30.4 -- FPT-AS-AP The Corporation for Financing & Promoting Technology
10 - AS28573  14422  0.8%       8.0 -- NET Serviços de Comunicação S.A.
11 - AS2118   14252  0.8%      10.4 -- RELCOM-AS OOO "NPO Relcom"
12 - AS34969  11840  0.7%    1480.0 -- PASJONET-AS Pasjo.Net Sp, z o.o.
13 - AS45899  10004  0.6%      29.0 -- VNPT-AS-VN VNPT Corp
14 - AS48612   9975  0.6%    1425.0 -- RTC-ORENBURG-AS CJSC "Comstar-Regions"
15 - AS6325    9425  0.6%     428.4 -- ILLINOIS-CENTURY - Illinois Century Network
16 - AS9808    9183  0.5%      11.4 -- CMNET-GD Guangdong Mobile Communication Co.Ltd.
17 - AS6629    9081  0.5%    1816.2 -- NOAA-AS - NOAA
18 - AS14287   8886  0.5%    1481.0 -- TRIAD-TELECOM - Triad Telecom, Inc.
19 - AS9299    8514  0.5%     137.3 -- IPG-AS-AP Philippine Long Distance Telephone Company
20 - AS647     8229  0.5%      72.2 -- DNIC-ASBLK-00616-00665 - DoD Network Information Center


TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank ASN       Upds     %  Upds/Pfx    AS-Name
 1 - AS9416   18573  1.1%    9286.5 -- MULTIMEDIA-AS-AP Hoshin Multimedia Center Inc.
 2 - AS38654   6098  0.3%    6098.0 -- INES-NETWORK INES Corporation.
 3 - AS1880    4706  0.3%    4706.0 -- STUPI Svensk Teleutveckling & Produktinnovation, STUPI AB
 4 - AS19406   4669  0.3%    4669.0 -- TWRS-MA - Towerstream I, Inc.
 5 - AS42334   3927  0.2%    3927.0 -- BBP-AS Broadband Plus s.a.l.
 6 - AS6174    7111  0.4%    3555.5 -- SPRINTLINK8 - Sprint
 7 - AS24772   6659  0.4%    3329.5 -- ASIP-AIE-AS Agrupacion de dervicios de internet y prensa AIE
 8 - AS6629    9081  0.5%    1816.2 -- NOAA-AS - NOAA
 9 - AS34902         0.3%    1779.0 -- CMED-AS Cmed Technology Ltd
10 - AS14287   8886  0.5%    1481.0 -- TRIAD-TELECOM - Triad Telecom, Inc.
11 - AS34969  11840  0.7%    1480.0 -- PASJONET-AS Pasjo.Net Sp, z o.o.
12 - AS48612   9975  0.6%    1425.0 -- RTC-ORENBURG-AS CJSC "Comstar-Regions"
13 - AS33648   3571  0.2%    1190.3 -- ELEPHANT - ColoFlorida / Elephant Outlook
14 - AS4434    6719  0.4%    1119.8 -- ERX-RADNET1-AS PT Rahajasa Media Internet
15 - AS37367   1056  0.1%    1056.0 -- CALLKEY
16 - AS33158    923  0.1%     923.0 -- DATA-SERVICES-INC - Data Services Incorporated
17 - AS19111    617  0.0%     617.0 -- NATURES-BOUN - NBTY, Inc.
18 - AS10704   5973  0.3%     597.3 -- Microlink Telecom (LNCC)
19 - AS45357         0.3%     871.0 -- INFOWAY COMERCIO DE INFORM E TELECOMUNICACOES LTDA
20 - AS20157    582  0.0%     582.0 -- AHL - American Heritage Life Insurance Company


TOP 20 Unstable Prefixes
Rank Prefix              Upds     %   Origin AS -- AS Name
 1 - 92.246.207.0/24     9963  0.5%   AS48612 -- RTC-ORENBURG-AS CJSC "Comstar-Regions"
 2 - 203.118.232.0/21    9298  0.5%   AS9416  -- MULTIMEDIA-AS-AP Hoshin Multimedia Center Inc.
 3 - 203.118.224.0/21    9275  0.5%   AS9416  -- MULTIMEDIA-AS-AP Hoshin Multimedia Center Inc.
 4 - 207.63.128.0/18     9049  0.5%   AS6325  -- ILLINOIS-CENTURY - Illinois Century Network
 5 - 192.58.232.0/24     9022  0.5%   AS6629  -- NOAA-AS - NOAA
 6 - 112.203.192.0/19    8338  0.5%   AS9299  -- IPG-AS-AP Philippine Long Distance Telephone Company
 7 - 222.127.0.0/24      7785  0.4%   AS4775  -- GLOBE-TELECOM-AS Globe Telecoms
 8 - 120.28.62.0/24      7717  0.4%   AS4775  -- GLOBE-TELECOM-AS Globe Telecoms
 9 - 202.154.17.0/24     6714  0.4%   AS4434  -- ERX-RADNET1-AS PT Rahajasa Media Internet
10 - 62.22.10.0/24       6657  0.4%   AS24772 -- ASIP-AIE-AS Agrupacion de dervicios de internet y prensa AIE
11 - 150.39.0.0/16       6098  0.3%   AS38654 -- INES-NETWORK INES Corporation.
12 - 115.170.128.0/17    5507  0.3%   AS4847  -- CNIX-AP China Networks Inter-Exchange
13 - 204.29.132.0/23     4706  0.3%   AS1880  -- STUPI Svensk Teleutveckling & Produktinnovation, STUPI AB
14 - 69.38.178.0/24   

The Cidr Report

2013-08-16 Thread cidr-report
This report has been generated at Fri Aug 16 21:13:27 2013 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
Date      Prefixes  CIDR Agg
09-08-13    474589    270059
10-08-13    475137    269735
11-08-13    474298    269858
12-08-13    474715    269811
13-08-13    474587    269367
14-08-13    474622    269399
15-08-13    475163    269913
16-08-13    475291    269993


AS Summary
 44881  Number of ASes in routing system
 18477  Number of ASes announcing only one prefix
  4235  Largest number of prefixes announced by an AS
AS7029 : WINDSTREAM - Windstream Communications Inc
  117395680  Largest address span announced by an AS (/32s)
AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street


Aggregation Summary
The algorithm used in this report proposes aggregation only
when there is a precise match using the AS path, so as 
to preserve traffic transit policies. Aggregation is also
proposed across non-advertised address space ('holes').

 --- 16Aug13 ---
ASnum    NetsNow NetsAggr  NetGain   % Gain   Description

Table     474901   269997   204904    43.1%   All ASes

AS6389      2978       65     2913    97.8%   BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS28573     3154      690     2464    78.1%   NET Serviços de Comunicação S.A.
AS17974     2654      434     2220    83.6%   TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
AS7029      4235     2069     2166    51.1%   WINDSTREAM - Windstream Communications Inc
AS4766      2922      933     1989    68.1%   KIXS-AS-KR Korea Telecom
AS22773     2006      247     1759    87.7%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS18566     2065      468     1597    77.3%   COVAD - Covad Communications Co.
AS4323      2992     1542     1450    48.5%   TWTC - tw telecom holdings, inc.
AS36998     1861      434     1427    76.7%   SDN-MOBITEL
AS10620     2668     1345     1323    49.6%   Telmex Colombia S.A.
AS7303      1730      453     1277    73.8%   Telecom Argentina S.A.
AS18881     1359       92     1267    93.2%   Global Village Telecom
AS4755      1778      592     1186    66.7%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS7552      1139       95     1044    91.7%   VIETEL-AS-AP Vietel Corporation
AS22561     1208      226      982    81.3%   DIGITAL-TELEPORT - Digital Teleport Inc.
AS2118       962       88      874    90.9%   RELCOM-AS OOO "NPO Relcom"
AS1785      2006     1157      849    42.3%   AS-PAETEC-NET - PaeTec Communications, Inc.
AS11830      946      101      845    89.3%   Instituto Costarricense de Electricidad y Telecom.
AS7545      2060     1225      835    40.5%   TPG-INTERNET-AP TPG Telecom Limited
AS18101      985      177      808    82.0%   RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS4808      1153      389      764    66.3%   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS33363     1761     1038      723    41.1%   BHN-TAMPA - BRIGHT HOUSE NETWORKS, LLC
AS701       1522      801      721    47.4%   UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
AS13977      847      140      707    83.5%   CTELCO - FAIRPOINT COMMUNICATIONS, INC.
AS8151      1286      589      697    54.2%   Uninet S.A. de C.V.
AS15003      842      147      695    82.5%   NOBIS-TECH - Nobis Technology Group, LLC
AS6147       740       51      689    93.1%   Telefonica del Peru S.A.A.
AS855        735       55      680    92.5%   CANET-ASN-4 - Bell Aliant Regional Communications, Inc.
AS6983      1152      484      668    58.0%   ITCDELTA - ITC^Deltacom
AS24560 1088

Re: APC UPS Advice/Guidance for Canada 120/240

2013-08-16 Thread Joe Hamelin
http://www.amazon.com/Conntek-Locking-Adapter-Straight-Connector/dp/B001H9TSEW

If you're not sure, then spend for an hour with a licensed electrician.

--
Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474


On Fri, Aug 16, 2013 at 2:47 PM, Nick Khamis  wrote:

> Hello Everyone,
>
> We are in the market for a APC UPS, and had a few questions. We are not
> that familiar with APC, and was hoping for some clarity. Our power demands
> will be for a unit that will sustain 3 kW/4 kVA scalable to 8 kVA.
>
> Input:
>
> The first issue is that I see all the units default with 208v input (other
> inputs 240v). At my location we only have 120 or 240. Also, we do not want
> to use a transformer (240-120) as it adds another failure point that can be
> avoided...
>
> The unit we are looking is found here:
>
> http://www.apc.com/products/resource/include/techspec_index.cfm?base_sku=SYA4K8RMP&total_watts=500
>
> Output:
>
> Hard Wire 4-wire (2PH + N +G)NEMA L14-30R[image: NEMA L14-30R]NEMA
> L5-20R[image:
> NEMA L5-20R]
>
> What? How do I plug our 120 PDU into this?
>
>
> STONITH:
>
> This will be for a cluster that will require stonith capability. Does
> anyone know if this unit supports that? Not so important as the previous
> two questions...
>
> Kind Regards,
>
> Nick.
>


APC UPS Advice/Guidance for Canada 120/240

2013-08-16 Thread Nick Khamis
Hello Everyone,

We are in the market for a APC UPS, and had a few questions. We are not
that familiar with APC, and was hoping for some clarity. Our power demands
will be for a unit that will sustain 3 kW/4 kVA scalable to 8 kVA.

Input:

The first issue is that I see all the units default with 208v input (other
inputs 240v). At my location we only have 120 or 240. Also, we do not want
to use a transformer (240-120) as it adds another failure point that can be
avoided...

The unit we are looking is found here:
http://www.apc.com/products/resource/include/techspec_index.cfm?base_sku=SYA4K8RMP&total_watts=500

Output:

Hard Wire 4-wire (2PH + N +G)NEMA L14-30R[image: NEMA L14-30R]NEMA
L5-20R[image:
NEMA L5-20R]

What? How do I plug our 120 PDU into this?


STONITH:

This will be for a cluster that will require stonith capability. Does
anyone know if this unit supports that? Not so important as the previous
two questions...

Kind Regards,

Nick.


RE: will ISP peer with 2 local WAN routers?

2013-08-16 Thread Adam Greene
Pete,

Good point, thanks. Yes, in this case, there is some cause to believe that
the switches will prove more reliable than the routers. They're older
7200VXR's and have had some lockups in the past, possibly due to PA card /
IOS incompatibilities. 

But you're right, we are also considering accepting full or partial routes
from both providers, one provider per router, and then doing iBGP between
them to balance the load. We're thinking of deploying default routes and
HSRP to stacked 3750's for round-robin load balancing on the LAN side. 

Thanks for the help!

Adam


-Original Message-
From: Peter Kristolaitis [mailto:alte...@alter3d.ca] 
Sent: Friday, August 16, 2013 5:30 PM
To: nanog@nanog.org
Subject: Re: will ISP peer with 2 local WAN routers?

But the switches themselves are a single point of failure, so if a switch
dies you still only have a single provider (assuming one switch per
provider).  ;)

All you're doing is moving your single point of failure from the routers
to the switches, with arguably very little increase in actual reliability
(if any, depending on whether you think switches are less likely to fail
than routers).

- Pete



On 08/16/2013 05:21 PM, Adam Greene wrote:
> Thanks, Justin. Yes, we considered that option, too. But then if one 
> WAN router goes down, the customer will only have connectivity through 
> a single upstream provider. We'd prefer to maintain connectivity to 
> both even if a router fails. Switches in front of the routers is no problem.
>
> -Original Message-
> From: Justin Vocke [mailto:justin.vo...@gmail.com]
> Sent: Friday, August 16, 2013 4:47 PM
> To: Adam Greene
> Cc: 
> Subject: Re: will ISP peer with 2 local WAN routers?
>
> The gotcha with that is then you need a switch in front of the 
> routers. I'd just setup a carrier on each router and run ibgp between.
>
> Sent from my iPhone
>
> On Aug 16, 2013, at 3:35 PM, "Adam Greene"  wrote:
>
>> Hi guys,
>>
>>
>>
>> I have a customer who peers via eBGP with Lightpath aka Cablevision (AS
>> 6128) and Level3 (AS 3356) and wants to do some dual-WAN router redundancy.
>>
>>
>> I have heard that carriers will sometimes agree to set up a /29 WAN 
>> subnet for a customer and peer with (2) customer routers.
>>
>>
>>
>> The customer is delaying on providing me with the proper circuit ID & 
>> contact information to be able to call Lightpath and Level3 directly 
>> and find out if they will do this, so I thought of asking this list.
>>
>>
>>
>> Is anyone aware if Lightpath and Level3 will agree to something like this?
>>
>>
>> Thanks,
>>
>> Adam
>>
>>
>>
>>
>>
>






Re: will ISP peer with 2 local WAN routers?

2013-08-16 Thread Peter Kristolaitis
But the switches themselves are a single point of failure, so if a 
switch dies you still only have a single provider (assuming one switch 
per provider).  ;)


All you're doing is moving your single point of failure from the 
routers to the switches, with arguably very little increase in actual 
reliability (if any, depending on whether you think switches are less 
likely to fail than routers).


- Pete



On 08/16/2013 05:21 PM, Adam Greene wrote:

Thanks, Justin. Yes, we considered that option, too. But then if one WAN
router goes down, the customer will only have connectivity through a single
upstream provider. We'd prefer to maintain connectivity to both even if a
router fails. Switches in front of the routers is no problem.

-Original Message-
From: Justin Vocke [mailto:justin.vo...@gmail.com]
Sent: Friday, August 16, 2013 4:47 PM
To: Adam Greene
Cc: 
Subject: Re: will ISP peer with 2 local WAN routers?

The gotcha with that is then you need a switch in front of the routers. I'd
just setup a carrier on each router and run ibgp between.

Sent from my iPhone

On Aug 16, 2013, at 3:35 PM, "Adam Greene"  wrote:


Hi guys,



I have a customer who peers via eBGP with Lightpath aka Cablevision (AS
6128) and Level3 (AS 3356) and wants to do some dual-WAN router redundancy.



I have heard that carriers will sometimes agree to set up a /29 WAN
subnet for a customer and peer with (2) customer routers.



The customer is delaying on providing me with the proper circuit ID &
contact information to be able to call Lightpath and Level3 directly
and find out if they will do this, so I thought of asking this list.



Is anyone aware if Lightpath and Level3 will agree to something like this?


Thanks,

Adam












RE: will ISP peer with 2 local WAN routers?

2013-08-16 Thread Adam Greene
Thanks, Justin. Yes, we considered that option, too. But then if one WAN
router goes down, the customer will only have connectivity through a single
upstream provider. We'd prefer to maintain connectivity to both even if a
router fails. Switches in front of the routers is no problem.

-Original Message-
From: Justin Vocke [mailto:justin.vo...@gmail.com] 
Sent: Friday, August 16, 2013 4:47 PM
To: Adam Greene
Cc: 
Subject: Re: will ISP peer with 2 local WAN routers?

The gotcha with that is then you need a switch in front of the routers. I'd
just setup a carrier on each router and run ibgp between.

Sent from my iPhone

On Aug 16, 2013, at 3:35 PM, "Adam Greene"  wrote:

> Hi guys,
> 
> 
> 
> I have a customer who peers via eBGP with Lightpath aka Cablevision (AS
> 6128) and Level3 (AS 3356) and wants to do some dual-WAN router redundancy.
> 
> 
> 
> I have heard that carriers will sometimes agree to set up a /29 WAN 
> subnet for a customer and peer with (2) customer routers.
> 
> 
> 
> The customer is delaying on providing me with the proper circuit ID & 
> contact information to be able to call Lightpath and Level3 directly 
> and find out if they will do this, so I thought of asking this list.
> 
> 
> 
> Is anyone aware if Lightpath and Level3 will agree to something like this?

> 
> 
> 
> Thanks,
> 
> Adam
> 
> 
> 
> 
> 




Re: will ISP peer with 2 local WAN routers?

2013-08-16 Thread Randy Carpenter
Time Warner installed a Juniper EX4200 as the CPE device for us, so we 
connected 2 routers and had two separate BGP sessions. They gave us a /29 to 
accomplish it.


-Randy

On Aug 16, 2013, at 16:53, Justin Vocke  wrote:

> The gotcha with that is then you need a switch in front of the routers. I'd 
> just setup a carrier on each router and run ibgp between.
> 
> Sent from my iPhone
> 
> On Aug 16, 2013, at 3:35 PM, "Adam Greene"  wrote:
> 
>> Hi guys,
>> 
>> 
>> 
>> I have a customer who peers via eBGP with Lightpath aka Cablevision (AS
>> 6128) and Level3 (AS 3356) and wants to do some dual-WAN router redundancy.
>> 
>> 
>> 
>> I have heard that carriers will sometimes agree to set up a /29 WAN subnet
>> for a customer and peer with (2) customer routers.
>> 
>> 
>> 
>> The customer is delaying on providing me with the proper circuit ID &
>> contact information to be able to call Lightpath and Level3 directly and
>> find out if they will do this, so I thought of asking this list.
>> 
>> 
>> 
>> Is anyone aware if Lightpath and Level3 will agree to something like this? 
>> 
>> 
>> 
>> Thanks,
>> 
>> Adam
> 
> 



Re: will ISP peer with 2 local WAN routers?

2013-08-16 Thread Justin Vocke
The gotcha with that is then you need a switch in front of the routers. I'd 
just setup a carrier on each router and run ibgp between.

Sent from my iPhone

On Aug 16, 2013, at 3:35 PM, "Adam Greene"  wrote:

> Hi guys,
> 
> 
> 
> I have a customer who peers via eBGP with Lightpath aka Cablevision (AS
> 6128) and Level3 (AS 3356) and wants to do some dual-WAN router redundancy.
> 
> 
> 
> I have heard that carriers will sometimes agree to set up a /29 WAN subnet
> for a customer and peer with (2) customer routers.
> 
> 
> 
> The customer is delaying on providing me with the proper circuit ID &
> contact information to be able to call Lightpath and Level3 directly and
> find out if they will do this, so I thought of asking this list.
> 
> 
> 
> Is anyone aware if Lightpath and Level3 will agree to something like this? 
> 
> 
> 
> Thanks,
> 
> Adam
> 
> 
> 
> 
> 



will ISP peer with 2 local WAN routers?

2013-08-16 Thread Adam Greene
Hi guys,

 

I have a customer who peers via eBGP with Lightpath aka Cablevision (AS
6128) and Level3 (AS 3356) and wants to do some dual-WAN router redundancy.

 

I have heard that carriers will sometimes agree to set up a /29 WAN subnet
for a customer and peer with (2) customer routers.

 

The customer is delaying on providing me with the proper circuit ID &
contact information to be able to call Lightpath and Level3 directly and
find out if they will do this, so I thought of asking this list.

 

Is anyone aware if Lightpath and Level3 will agree to something like this? 

 

Thanks,

Adam

 

 



Re: How big is the Internet? - Results

2013-08-16 Thread Jon Lewis

On Fri, 16 Aug 2013, Sean Donelan wrote:



Thanks for all the comments.  Through the entire thread on-line and off-line 
only one person contributed an estimate


Patrick Gilmore said:
 All that said: My back-of-the-envelope math says the Internet is order
 of 1 exabyte/day, as defined by my own rules on what counts as "the
 Internet"[*].  I could easily be wrong, but you asked.


Perhaps the answers would have made more sense if everyone knew exactly 
what the question was.  :)


You asked for an estimate of the "size of the Internet", but didn't 
specify if you meant number of networks comprising the Internet, number of 
devices connected to the Internet, combined total transit for all ASNs 
connected to the Internet, etc.  The nature of the Internet is that nobody 
knows the answers to any of these questions.  How do you know what goes on 
in my networks?  So any "answers" are really only wild guesses.


--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_



How big is the Internet? - Results

2013-08-16 Thread Sean Donelan


Thanks for all the comments.  Through the entire thread on-line and 
off-line only one person contributed an estimate


Patrick Gilmore said:
  All that said: My back-of-the-envelope math says the Internet is order
  of 1 exabyte/day, as defined by my own rules on what counts as "the
  Internet"[*].  I could easily be wrong, but you asked.

  [*] I count Company-to-Company traffic. This is _mostly_ inter-AS
  traffic, but on-net nodes (e.g. Akamai, Google, NF) -> Provider _do_
  count. Things like Google -> Google over Google backbone do not count.
  Things like as701 -> as702 would count, but not as701 -> as701, even if
  the traffic is between two single-homed customers. It is a weird
  definition, but that's how I define it. (Although I may be biased,
  since counting only inter-AS traffic leaves off $SOME_PERCENTAGE of the
  traffic from my company.)

Since there weren't any other estimates to choose between, looks like 
I'll go with Gilmore's number.  Gilmore's estimate was significantly lower 
than Cisco's VNI.




Re: How big is the Internet?

2013-08-16 Thread Sean Donelan

On Fri, 16 Aug 2013, bmann...@vacation.karoshi.com wrote:

On Fri, Aug 16, 2013 at 12:37:20AM -0400, Sean Donelan wrote:

Even the researchers at the Library of Congress, if you give them
enough beer and beg them enough, will eventually give you an estimate
about the Library collection size as of the end of the last year.

What's so special about the Internet that it can't be measured?


The problem is that it can be measured, along a large number of variables.

The LOC question, How Big?  Might be linear shelf space, sqft, number of
items, number of warehouses, number of employees, budget, etc.  The
base question, How Big needs a qualifier or two.


So, in the context of the LOC question about using it as a unit of 
measurement for comparison with storage size or transmission volume; which
of those things are information that can be transmitted or electronically
stored?

If I asked "how big is an elephant?" some zoologists would look for 
ways the question can't be answered like "elephants grow from birth to 
death, have different species, may have illnesses, have not measured every
elephant, etc."; others might give an answer like "Adult male elephants 
usually stand ten to thirteen feet tall and can weigh seven to twenty-six 
thousand pounds. Females elephants tend to be smaller smaller."



Same with the Internet.  How big makes no sense.  How much traffic begs
the question of measured from where.  A unique attribute of IP based
transport is that -as far as I know- there is no measurement point between
-every- pair of nodes that might exchange traffic.


That is true of most transportation networks: roads do not have 
measurement points between every destination point, oceans do not have a
measurement point between every port.  Intangiable things like the 
"economy" don't have measurement points at every economic transaction.


Yet there are relatively accepted estimates of the size Gross Domestic 
Product, annual miles driven on US Highways, shipping between countries.




And since the instrumentation does not exist, you'll never get the numbers.

Select other vectors and the problem remains, the instrumentation is poor
or non-existant.

Any numbers that are derived are incomplete and/or estimates.

Pick your poision.


Ed Felten gave the keynote talk at Usenix Security this week. One
of the examples he gave was a out-of-town friend asking a technologist
for recommendations for a good resturant.  Hilarity ensured.

If you wonder why other people don't ask technologists for answers,
Dr. Felten's talk is a good starting point.




Weekly Routing Table Report

2013-08-16 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG,
TRNOG, CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   04:00 +10GMT Sat 17 Aug, 2013

Report Website: http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary


BGP routing table entries examined:  462841
Prefixes after maximum aggregation:  187161
Deaggregation factor:  2.47
Unique aggregates announced to Internet:  229257
Total ASes present in the Internet Routing Table:  44722
Prefixes per ASN:  10.35
Origin-only ASes present in the Internet Routing Table:  34987
Origin ASes announcing only one prefix:  16208
Transit ASes present in the Internet Routing Table:  5885
Transit-only ASes present in the Internet Routing Table:  156
Average AS path length visible in the Internet Routing Table:  4.6
Max AS path length visible:  29
Max AS path prepend of ASN ( 19037)  22
Prefixes from unregistered ASNs in the Routing Table:  4596
Unregistered ASNs in the Routing Table:  1584
Number of 32-bit ASNs allocated by the RIRs:  4955
Number of 32-bit ASNs visible in the Routing Table:  3850
Prefixes from 32-bit ASNs in the Routing Table:  11664
Special use prefixes present in the Routing Table:  1
Prefixes being announced from unallocated address space:  304
Number of addresses announced to Internet:  2635027852
  Equivalent to 157 /8s, 15 /16s and 85 /24s
Percentage of available address space announced:  71.2
Percentage of allocated address space announced:  71.2
Percentage of available address space allocated:  100.0
Percentage of address space in use by end-sites:  94.9
Total number of prefixes smaller than registry allocations:  162142

APNIC Region Analysis Summary

Prefixes being announced by APNIC Region ASes:  110903
Total APNIC prefixes after maximum aggregation:  33605
APNIC Deaggregation factor:  3.30
Prefixes being announced from the APNIC address blocks:  112709
Unique aggregates announced from the APNIC address blocks:  46196
APNIC Region origin ASes present in the Internet Routing Table:  4867
APNIC Prefixes per ASN:  23.16
APNIC Region origin ASes announcing only one prefix:  1223
APNIC Region transit ASes present in the Internet Routing Table:  824
Average APNIC Region AS path length visible:  4.7
Max APNIC Region AS path length visible:  28
Number of APNIC region 32-bit ASNs visible in the Routing Table:  638
Number of APNIC addresses announced to Internet:  725990208
  Equivalent to 43 /8s, 69 /16s and 187 /24s
Percentage of available APNIC address space announced:  84.8

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 131072-133119
APNIC Address Blocks     1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,
                        49/8,  58/8,  59/8,  60/8,  61/8, 101/8, 103/8,
                       106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
                       116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
                       123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8,
                       163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8,
                       203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8,
                       222/8, 223/8,

ARIN Region Analysis Summary


Prefixes being announced by ARIN Region ASes:  160372
Total ARIN prefixes after maximum aggregation:  80867
ARIN Deaggregation factor:  1.98
Prefixes being announced from the ARIN address blocks:  160922
Unique aggregates announced from the ARIN address blocks:  74720
ARIN Region origin ASes present in the Internet Routing Table:  15828
ARIN Prefixes per ASN:  10.17
ARIN Region origin ASes announcing only on

Re: Cisco DMVPN Configuration Question

2013-08-16 Thread Garrett Skjelstad
No way around this with DMVPN.

Sent from my iPhone

On Aug 16, 2013, at 9:05, Ray Soucy  wrote:

> Don't usually poke NANOG for a second pair of eyes, but got hit with an
> urgent need to get connectivity up on a small budget.
> 
> I've run into a situation where I require multiple DMVPN spokes to be
> behind a single NAT IP (picture of things to come with CGN?)
> 
> The DMVPN endpoint works fine behind NAT until a 2nd is added behind the
> same IP address.  At that point the hub gets confused and I start seeing
> packet loss to the endpoints in a round-robin fashion.
> 
> As far as I can see Cisco documentation says pretty clearly that each DMVPN
> spoke requires a unique IP address.  Is there any way around this, or do I
> need to be looking at an alternative VPN solution?
> 
> Hub config:
> 
> 8<
> description DMVPN
> bandwidth 10
> ip address 10.231.254.1 255.255.255.0
> no ip redirects
> ip mtu 1400
> ip nhrp authentication ! removed
> ip nhrp map multicast dynamic
> ip nhrp network-id 1
> ip nhrp redirect
> ip tcp adjust-mss 1360
> tunnel source ! removed
> tunnel mode gre multipoint
> tunnel key 0
> tunnel protection ipsec profile DMVPN
> 8<
> 
> Spoke:
> 
> 8<
> interface Tunnel2
> description DMVPN
> bandwidth 10
> ip vrf forwarding DMVPN
> ip address 10.231.254.10 255.255.255.0
> no ip redirects
> ip mtu 1400
> ip nhrp authentication ! removed
> ip nhrp map multicast ! removed
> ip nhrp map 10.231.254.1 ! removed
> ip nhrp network-id 1
> ip nhrp nhs 10.231.254.1
> ip nhrp shortcut
> ip tcp adjust-mss 1360
> tunnel source FastEthernet0/0
> tunnel mode gre multipoint
> tunnel key 0
> tunnel protection ipsec profile DMVPN
> end
> 8<
> 
> -- 
> Ray Patrick Soucy
> Network Engineer
> University of Maine System
> 
> T: 207-561-3526
> F: 207-561-3531
> 
> MaineREN, Maine's Research and Education Network
> www.maineren.net



mail.mil contact?

2013-08-16 Thread Antonio Querubin
Wondering if anyone else is receiving reports of email to mail.mil 
addresses being delayed or refused?  The mail.mil mx appear to be 
selectively refusing mail.


If anyone has good (non-email) contact info for the mail.mil operators 
please send it my way.  Thanks.


Antonio Querubin
e-mail:  t...@lavanauts.org
xmpp:  antonioqueru...@gmail.com



Cisco DMVPN Configuration Question

2013-08-16 Thread Ray Soucy
Don't usually poke NANOG for a second pair of eyes, but got hit with an
urgent need to get connectivity up on a small budget.

I've run into a situation where I require multiple DMVPN spokes to be
behind a single NAT IP (picture of things to come with CGN?)

The DMVPN endpoint works fine behind NAT until a 2nd is added behind the
same IP address.  At that point the hub gets confused and I start seeing
packet loss to the endpoints in a round-robin fashion.

As far as I can see Cisco documentation says pretty clearly that each DMVPN
spoke requires a unique IP address.  Is there any way around this, or do I
need to be looking at an alternative VPN solution?

Hub config:

8<
 description DMVPN
 bandwidth 10
 ip address 10.231.254.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication ! removed
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 ip nhrp redirect
 ip tcp adjust-mss 1360
 tunnel source ! removed
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN
8<

Spoke:

8<
interface Tunnel2
 description DMVPN
 bandwidth 10
 ip vrf forwarding DMVPN
 ip address 10.231.254.10 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nhrp authentication ! removed
 ip nhrp map multicast ! removed
 ip nhrp map 10.231.254.1 ! removed
 ip nhrp network-id 1
 ip nhrp nhs 10.231.254.1
 ip nhrp shortcut
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 0
 tunnel protection ipsec profile DMVPN
end
8<

-- 
Ray Patrick Soucy
Network Engineer
University of Maine System

T: 207-561-3526
F: 207-561-3531

MaineREN, Maine's Research and Education Network
www.maineren.net


Practical effects of DNSSEC deployment

2013-08-16 Thread Steven Bellovin
There was an interesting paper at Usenix Security on the effects of deploying 
DNSSEC; see 
https://www.usenix.org/conference/usenixsecurity13/measuring-practical-impact-dnssec-deployment
 .  The difference in geographical impact was quite striking.

--Steve Bellovin, https://www.cs.columbia.edu/~smb








Re: WaPo writes about vulnerabilities in Supermicro IPMIs

2013-08-16 Thread Alain Hebert
Hi,

I find it odd that this is suddenly news...

There are plenty of security updates for iBMC/iDrac/etc from
IBM/HP/Dell/etc over the years.

But:

You can use ipmitool, rootkit/exploit some Linux box and upload your
own firmware in that iBMC/iDrac/etc... for example the BMC firmware for
a Dell C1100 leaves plenty of space to inject your own shell in it.  And
Voila! access to the management network =D.

BTW I got ipmitool working even on VMWare 5.1 :(

Counter:

We (PCIDSS hat) always check for those management interfaces and
"proposed" to move those interfaces into their own VLANs+Subnets. 
Meaning: PCI DMZ Zone has its own DMZ iBMC VLAN/Subnet/FW Rules, PCI DB
Zone has its own iBMC VLAN/Subnet/FW Rules, etc.

It is a few more VLAN/Subnets... but a modern firewall can handle this
easily.

PS: "proposed" as in not giving them a choice =D

-
Alain Hebert                                aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 08/16/13 00:22, Kyle Creyts wrote:
> just so we're all clear, SuperMicro wasn't the only one...
>
> link: http://pastebin.com/syXHLuC5
>
> 1.  CVE-2013-4782 CVSS Base Score = 10.0
> 2.  The SuperMicro BMC implementation allows remote attackers to
> bypass authentication and execute arbitrary IPMI commands by using
> cipher suite 0 (aka cipher zero) and an arbitrary password.
> 3.
> 4.  CVE-2013-4783 CVSS Base Score = 10.0
> 5.  The Dell iDRAC 6 BMC implementation allows remote attackers to
> bypass authentication and execute arbitrary IPMI commands by using
> cipher suite 0 (aka cipher zero) and an arbitrary password.
> 6.
> 7.  CVE-2013-4784 CVSS Base Score = 10.0
> 8.  The HP Integrated Lights-Out (iLO) BMC implementation allows
> remote attackers to bypass authentication and execute arbitrary IPMI
> commands by using cipher suite 0 (aka cipher zero) and an arbitrary
> password.
> 9.
> 10. CVE-2013-4785 CVSS Base Score = 10.0
> 11. iDRAC 6 firmware 1.7, and possibly other versions, allows remote
> attackers to modify the CLP interface for arbitrary users and possibly
> have other impact via a request to an unspecified form that is
> accessible from testurls.html.
> 12.
> 13. CVE-2013-4786 CVSS Base Score = 7.8
> 14. The IPMI 2.0 specification supports RMCP+ Authenticated
> Key-Exchange Protocol (RAKP) authentication, which allows remote
> attackers to obtain password hashes and conduct offline password
> guessing attacks by obtaining the HMAC from a RAKP message 2 responses
> from a BMC.
>
>
> References:
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4782
> =>  http://fish2.com/ipmi/cipherzero.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4783
> => http://fish2.com/ipmi/cipherzero.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4784
> =>  http://fish2.com/ipmi/cipherzero.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4785
> =>  http://fish2.com/ipmi/dell/secret.html
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4786
> =>  http://fish2.com/ipmi/remote-pw-cracking.html
>
> On Thu, Aug 15, 2013 at 6:00 PM, Jay Ashworth  wrote:
>> Presumably, everyone else's are very religious as well.
>>
>> Is anyone here stupid enough not to put the management interfaces behind
>> a firewall/VPN?
>>
>>   
>> http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/14/researchers-figure-out-how-to-hack-tens-of-thousands-of-servers/
>>
>> And should I be nervous that Usenix pointed me *there* for the story,
>> rather than a tech press outlet?
>>
>> Cheers,
>> -- jra
>> --
>> Jay R. Ashworth                  Baylink                       j...@baylink.com
>> Designer                     The Things I Think                       RFC 2100
>> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
>> St Petersburg FL USA               #natog                      +1 727 647 1274
>>
>
>
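
A defender-side check for the cipher-zero CVEs quoted above and the dedicated management subnet described in this message, as an added example that is not part of the original post. It parses `ipmitool lan print` output; the sample text, the finding labels, the subnets and the reading of the first `Cipher Suite Priv Max` character as the limit for cipher suite 0 are assumptions of the example.

```python
import ipaddress

# Constructed sample of `ipmitool lan print 1` output (not from a real host).
SAMPLE_LAN_PRINT = """\
Auth Type Support       : NONE MD2 MD5 PASSWORD
Auth Type Enable        : Callback : MD5
                        : User     : MD5
                        : Operator : MD5
                        : Admin    : NONE MD5
                        : OEM      :
IP Address Source       : Static Address
IP Address              : 192.0.2.40
Subnet Mask             : 255.255.255.0
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
"""


def parse_lan_print(text):
    """Return {field: [values]}; continuation lines extend the previous field."""
    fields, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        if key.strip():
            current = key.strip()
        if current:
            fields.setdefault(current, []).append(value.strip())
    return fields


def audit_bmc(text, mgmt_subnet):
    """List findings for one BMC LAN channel against a dedicated mgmt subnet."""
    f = parse_lan_print(text)
    findings = []
    suites = [s.strip() for s in f.get("RMCP+ Cipher Suites", [""])[0].split(",")]
    priv = f.get("Cipher Suite Priv Max", [""])[0]
    # Assumption: the first Priv Max character limits cipher suite 0 and
    # 'X' means unused. A missing Priv Max line is treated as enabled.
    if "0" in suites and not priv.startswith("X"):
        findings.append("cipher-suite-0-enabled")
    for entry in f.get("Auth Type Enable", []):
        level, _, types = entry.partition(":")
        if "NONE" in types.split():
            findings.append("auth-none-" + level.strip().lower())
    addr = f.get("IP Address", [""])[0]
    try:
        if ipaddress.ip_address(addr) not in ipaddress.ip_network(mgmt_subnet):
            findings.append("outside-mgmt-subnet")
    except ValueError:
        findings.append("no-valid-ip")
    return findings


if __name__ == "__main__":
    # 198.51.100.0/24 stands in for the zone's dedicated BMC subnet.
    for finding in audit_bmc(SAMPLE_LAN_PRINT, "198.51.100.0/24"):
        print(finding)
```
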




Re: WaPo writes about vulnerabilities in Supermicro IPMIs

2013-08-16 Thread Leo Bicknell

On Aug 15, 2013, at 9:18 PM, Brandon Martin  wrote:

> As to why people wouldn't put them behind dedicated firewalls, imagine 
> something like a single-server colo scenario. 

I have asked about this on other lists, but I'll ask here.

Does anyone know of a small (think Raspberry Pi sized) device that is:

  1) USB powered.
  2) Has two ethernet ports.
  3) Runs some sort of standard open source OS?

You might already see where I'm going with this, a small 2-port firewall device 
sitting in front of IPMI, and powered off the USB bus of the server.  That way 
another RU isn't required.  Making it fit in an expansion card slot and using 
an internal USB header might be interesting too, so from the outside it wasn't 
obvious what it was.

I would actually like to see the thing only respond on the USB side, power + 
console, enabling consoling in and changing L2 firewall rules.  No IP stack on 
it whatsoever.  That would be highly secure and simple.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/








Re: How big is the Internet?

2013-08-16 Thread bmanning
On Fri, Aug 16, 2013 at 12:37:20AM -0400, Sean Donelan wrote:
> Even the researchers at the Library of Congress, if you give them 
> enough beer and beg them enough, will eventually give you an estimate
> about the Library collection size as of the end of the last year.
> 
> What's so special about the Internet that it can't be measured?

The problem is that it can be measured, along a large number of variables.

The LOC question, How Big?  Might be linear shelf space, sqft, number of
items, number of warehouses, number of employees, budget, etc.  The
base question, How Big needs a qualifier or two.

Same with the Internet.  How big makes no sense.  How much traffic begs 
the question of measured from where.  A unique attribute of IP based
transport is that -as far as I know- there is no measurement point between
-every- pair of nodes that might exchange traffic.

And since the instrumentation does not exist, you'll never get the numbers.

Select other vectors and the problem remains, the instrumentation is poor
or non-existent.

Any numbers that are derived are incomplete and/or estimates.

Pick your poison.

/bill



Re: How big is the Internet?

2013-08-16 Thread Dave Sparro

On 8/16/2013 12:46 AM, Patrick W. Gilmore wrote:
> On Aug 16, 2013, at 00:37 , Sean Donelan  wrote:
>> On Thu, 15 Aug 2013, Seth Mattinen wrote:
>>> We'll also need this data in units of number of Libraries of Congress.
>>
>> The researchers at the Library of Congress are more than happy to explain why 
>> you are wrong to attempt to use the Library of Congress as a unit of measure, 
>> and why the estimates being used are wrong.
>>
>> http://blogs.loc.gov/digitalpreservation/2011/07/transferring-libraries-of-congress-of-data/
>>
>> along with several other blog posts over the years.
>>
>> But it doesn't seem to stop people from wanting to 1) know how big the Library 
>> of Congress is and 2) using it as a unit of measure.
>>
>> It seems odd that there are relatively good estimates for other communication 
>> networks and utilities; i.e. how big is the PSTN, how many television or radio 
>> stations, how much freight is carried by railroads, trucks and ships.  But 
>> asking how big is the Internet, how much data does it carry, ends up with no 
>> answer.
>>
>> Even the researchers at the Library of Congress, if you give them enough beer 
>> and beg them enough, will eventually give you an estimate
>> about the Library collection size as of the end of the last year.
>>
>> What's so special about the Internet that it can't be measured?
>
> Complete lack of regulation, and in many cases, even billing.
>
> You cannot make a call on the PSTN without someone getting money from someone else and a 
> CDR () being created. Television 
> & radio stations are trivially countable and probably literally a dozen or more 
> orders of magnitude off the number of packets on the Internet. Railroads are similarly 
> tiny in number and bill for freight. Roads are built by taxpayer dollars, so the gov't 
> keeps a good account. Etc., etc.
>
> The Internet is the first world-wide "thing" that doesn't bill based on where 
> you send something, what you are doing, why you do it, and in many cases, even how much 
> you do. Moreover, anyone can set up anything on it without asking the gov't for 
> permission.
>
> This has enabled the impossible growth curve seen the last 20 years, but also made 
> it impossible to count, categorize, or control. Which pisses off some people 
> (usually governments), but makes others (e.g. me!) all warm & fuzzy inside.

That's probably the best answer, but I'd add that nobody has gathered 
sufficient quantities of beer to give to the for-profit companies that 
are in a position to gather the requested data.  If somebody wants to 
collect that much beer, what would the rest of us drink?


--
Dave



Re: How big is the Internet? usage of electricity = coal for ICT

2013-08-16 Thread Vesna Manojlovic

Hi,

On 14/08/13 9:00 , Sean Donelan wrote:
> I should have remembered, NANOG prefers to correct things.  So here are
> several estimates about how much IP/Internet traffic is downloaded
> in a month.  Does anyone have better numbers, or better sources of
> numbers that can be shared?


No source, but a pretty quote:

"In the near future, hourly Internet traffic will exceed the Internet’s 
annual traffic in the year 2000."


http://thebreakthrough.org/index.php/programs/economic-growth/bracing-for-the-cloud/ 



Vesna