Re: do ISPs keep track of end-user IP changes within their network?

2013-12-11 Thread Mikael Abrahamsson

On Wed, 11 Dec 2013, Carlos Kamtha wrote:


Just a general curiosity question. It's been a long time since I've worked at
an ISP.

Back then it was non-expiring DHCP leases and in some cases static IP for all..
(yes it was long ago..)

Any feedback would be greatly appreciated..


Yes, it's very common to keep track of what user account/line had what IP 
at what time.


--
Mikael Abrahamsson    email: swm...@swm.pp.se



Re: do ISPs keep track of end-user IP changes within their network?

2013-12-11 Thread Suresh Ramasubramanian
Back then it was also short lease dialup and radius / tacacs to keep track.


Things have got rather better

On Thursday, December 12, 2013, Carlos Kamtha wrote:

> Hi,
>
> Just a general curiosity question. It's been a long time since I've worked
> at an ISP.
>
> Back then it was non-expiring DHCP leases and in some cases static IP for
> all.. (yes it was long ago..)
>
> Any feedback would be greatly appreciated..
>
> Carlos.
>
>

-- 
--srs (iPad)


do ISPs keep track of end-user IP changes within their network?

2013-12-11 Thread Carlos Kamtha
Hi, 

Just a general curiosity question. It's been a long time since I've worked at
an ISP.

Back then it was non-expiring DHCP leases and in some cases static IP for all..
(yes it was long ago..)

Any feedback would be greatly appreciated..

Carlos. 



Re: Facebook contact

2013-12-11 Thread Suresh Ramasubramanian
How to contact fb for this = contact law enforcement and they will subpoena
it from fb

Without that, you're SOL

--srs

On Thursday, December 12, 2013, Nathanael C. Cariaga wrote:

> Hi,
>
> Aside from the 'Help' menu inside the application, anyone here have an
> idea on how to contact Facebook (via email) regarding getting the
> information on a FB Page admin / creator?  Would appreciate if you could
> send it off the list.
>
>
> Regards,
>
> --
> -nathan
>
>
>

-- 
--srs (iPad)


Re: turning on comcast v6

2013-12-11 Thread Rob Seastrom

Eric Oosting  writes:

> It brings a tear to my eye that it takes:
>
> 0) A long standing and well informed internet technologist;
> 1) specific, and potentially high end, CPE for the res;
> 2) specific and custom firmware, unsupported by CPE manufacturer ... or
> anyone;
> 3) hand installing several additional packages;
> 4) hand editing config files;
> 5) sysctl kernel flags;
> 6) several shout outs to friends and coworkers for assistance (resources
> many don't have access to);
> 7) oh, and probably hours and hours twiddling with it.
>
> just to get IPv6 to work correctly.
>
> Yea, that's TOTALLY reasonable.

Pretty much works out of the box on Mikrotik RouterOS if you are
secure enough in your geek cred to admit to running such stuff here in
this august forum.

-r






Facebook contact

2013-12-11 Thread Nathanael C. Cariaga

Hi,

Aside from the 'Help' menu inside the application, anyone here have an 
idea on how to contact Facebook (via email) regarding getting the 
information on a FB Page admin / creator?  Would appreciate if you could 
send it off the list.



Regards,

--
-nathan




Re: [nznog] Web Servers: Dual-homing or DNAT/Port Forwarding?

2013-12-11 Thread cb.list6
On Dec 11, 2013 5:45 PM, "Larry Sheldon"  wrote:
>
> On 12/11/2013 9:21 AM, Tim Franklin wrote:
>>>
>>> Just because something is public doesn't mean you have to accept
>>> ALL traffic, it just means you have to anticipate any potential
>>> problems based on Larry knowing your address rather than imagining
>>> him standing at the front gate of your gated community. ;) (let's
>>> torture that analogy!)
>>
>>
>> There's still a gated community?  I thought that particular piece of
>> routing joy was long gone...
>>
>> Sorry, I'll get my coat. Tim.
>
>
> I'm not sure that was an analogy--it was exploring the exact meanings of
two words.
>
> In any case, I submit that an address behind a gate is not a "public
address".
>
> But my point is, my address is in fact public, not behind any
gates--displayed once on the post that supports the mail box, again inside
the mailbox door for the mail person, and on a sign on the house next to
the door.
>
> Which public display grants to no one any right of access to the interior
of my house (indeed to no part of the property save the path from the
street to the front door).
>
> Similarly, my IP address could be publicly visible but that does not
grant any right of access to the equipment it attaches to.
>
> (I might leave my front door wide open--that STILL does not grant any
RIGHT of access.  It does depend on archaic notions of honest and regard
for rights to keep people out.)
>
>
> I'm done.
>

It's maybe better to think of an ip address as a phone number. Most people
get a better experience if they can make and receive calls.

Your line of thinking is that you would only like to make outbound phone
calls. That's cool, for you.

The rest of us will be playing xbox online, which explicitly recommends
unsolicited inbound connections, meaning your result will be better if you
do not statefully firewall and allow xbox to form arbitrary meshes of ipsec

http://tools.ietf.org/agenda/88/slides/slides-88-v6ops-0.pdf

CB

> --
> Requiescas in pace o email   Two identifying characteristics
> of System Administrators:
> Ex turpi causa non oritur actio  Infallibility, and the ability to
> learn from their mistakes.
>   (Adapted from Stephen Pinker)
>


Re: [nznog] Web Servers: Dual-homing or DNAT/Port Forwarding?

2013-12-11 Thread Larry Sheldon

On 12/11/2013 9:21 AM, Tim Franklin wrote:

Just because something is public doesn't mean you have to accept
ALL traffic, it just means you have to anticipate any potential
problems based on Larry knowing your address rather than imagining
him standing at the front gate of your gated community. ;) (let's
torture that analogy!)


There's still a gated community?  I thought that particular piece of
routing joy was long gone...

Sorry, I'll get my coat. Tim.


I'm not sure that was an analogy--it was exploring the exact meanings of 
two words.


In any case, I submit that an address behind a gate is not a "public 
address".


But my point is, my address is in fact public, not behind any 
gates--displayed once on the post that supports the mail box, again 
inside the mailbox door for the mail person, and on a sign on the house 
next to the door.


Which public display grants to no one any right of access to the 
interior of my house (indeed to no part of the property save the path 
from the street to the front door).


Similarly, my IP address could be publicly visible but that does not 
grant any right of access to the equipment it attaches to.


(I might leave my front door wide open--that STILL does not grant any 
RIGHT of access.  It does depend on archaic notions of honest and regard 
for rights to keep people out.)



I'm done.
--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



Re: turning on comcast v6

2013-12-11 Thread Mark Andrews

In message 
, George Michaelson writes:
> 
> I am probably closer to consumer behaviour at home than most of you. I
> don't regard my home router as a vehicle for hackery beyond clue I can find
> on the end user public lists and rarely if ever even apply that, and I run
> stock factory billion code on my billion ADSL2+ home gateway.
> 
> I just enabled the ADSL2+ profile which had IPv6 and restarted. It came up
> immediately with a /56 and I haven't touched it since. I have been using it
> to SSH back home quite comfortably with an almost unmodified ACLset to
> permit port 22 inbound.
> 
> This is on Internode, in Australia.
> 
> So, while I fully acknowledge the reality is that for a lot of people,
> cable and other complex head-end systems needed change and the experience
> of going dual-stack can be painful, I want to assert IT DOESNT HAVE TO BE
> and I am proof by example
> 
> It just worked.

And it should "just work" if you have two routers daisy chained.  PD
was designed to allow this to work.  The home router vendors had
all the protocols required to make it work.  They chose not to
implement a working solution.

It isn't that hard to take a PD request on one interface, make an
upstream request if you don't have unassigned space to hand out, then
return the response and add routing table entries to keep it all
working.

One can do more complicated stuff than that like running a routing
protocol but static routes also work.  It may not be optimal but
there was nothing stopping those other vendors from coding the
support.

Most home routers already do stuff like that in IPv4 for DNS servers
and other protocol elements.  They take what they have learnt from
upstream and supply it downstream.

Mark

> On Thu, Dec 12, 2013 at 8:01 AM, Mark Andrews  wrote:
> 
> >
> > In message , Sander
> > Steffann
> > writes:
> > > Hi,
> > >
> > > On 11 Dec 2013, at 20:46, Kinkaid, Kyle wrote:
> > > > I'm curious, do you know of a consumer-grade router which supports
> > > > DHCPv6-PD?
> > >
> > > I have tested a whole bunch of them more than a year ago. I can remember
> > > seeing IPv6 DHCPv6-PD client support on gear from AVM Fritz!box, D-Link,
> > > Draytek, Zyxel, Linksys, Asus, Thompson/Technicolor and I must be
> > > forgetting a few as well. Most of them weren't very advanced, but they
> > > worked to get IPv6 connectivity in the house. What I am missing these
> > > days is DHCPv6-PD server support to re-delegate parts of the prefix it
> > > got from the ISP downstream to other home routers. As far as I know AVM
> > > Fritz!box is the only one that does that today.
> >
> > And the need for it was obvious when all the other boxes were being
> > developed.  Daisy chaining routers has been part of home setups for
> > many, many years if only to get configuration control because the
> > ISP router is not configurable enough.  There was no reason to think
> > that this would change with IPv6.
> >
> > > Cheers,
> > > Sander
> > --
> > Mark Andrews, ISC
> > 1 Seymour St., Dundas Valley, NSW 2117, Australia
> > PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
> >
> >
> 
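Mark's sketch of how a home router could re-delegate prefixes, as an added example that is not code from the thread or from any router vendor: a toy DHCPv6-PD pool that carves the prefix received from the ISP into smaller prefixes for downstream routers, installs a static route per delegation, and only asks upstream for another prefix when its own pool is empty. The class and function names, the 2001:db8::/48 documentation prefix and the DUID strings are all constructed for this illustration.

```python
import ipaddress

# Added example (not code from the thread or from any router vendor): a toy
# DHCPv6-PD re-delegation pool modelling the behaviour described above.
# A home router that received a prefix from its ISP slices it into smaller
# prefixes for downstream routers, installs a static route per delegation,
# and asks upstream for another prefix only when its pool is exhausted.
# All addresses below are constructed from the 2001:db8::/32 documentation range.


class PrefixDelegator:
    def __init__(self, request_upstream, child_len=60):
        # request_upstream: callable returning an IPv6Network, or None when the
        # upstream has nothing left (a real client would see NoPrefixAvail).
        self.request_upstream = request_upstream
        self.child_len = child_len
        self.owned = []      # prefixes obtained from upstream
        self.free = []       # child prefixes not yet delegated
        self.leases = {}     # downstream router DUID -> delegated prefix
        self.routes = {}     # delegated prefix -> next hop; the DUID stands in
                             # for the downstream router's link-local address

    def _refill(self):
        """Ask upstream for one more prefix and slice it into children."""
        prefix = self.request_upstream()
        if prefix is None:
            return False
        if prefix.prefixlen > self.child_len:
            raise ValueError(f"{prefix} is too small to split into /{self.child_len}")
        self.owned.append(prefix)
        self.free.extend(prefix.subnets(new_prefix=self.child_len))
        return True

    def delegate(self, duid):
        """Answer a PD request from downstream; returns the prefix or None."""
        if duid in self.leases:          # renewal: hand back the same prefix
            return self.leases[duid]
        if not self.free and not self._refill():
            return None                  # nothing local and upstream is dry
        child = self.free.pop(0)
        self.leases[duid] = child
        self.routes[child] = duid        # route the delegated prefix downstream
        return child

    def release(self, duid):
        """Downstream router released its prefix: withdraw route, reuse prefix."""
        child = self.leases.pop(duid, None)
        if child is None:
            return False
        del self.routes[child]
        self.free.append(child)
        return True


def make_isp(parent=ipaddress.IPv6Network("2001:db8::/48"), limit=2, plen=56):
    """Stand-in for the ISP's PD server: hands out at most `limit` /56s."""
    chunks = parent.subnets(new_prefix=plen)
    handed_out = [0]

    def request():
        if handed_out[0] >= limit:
            return None
        handed_out[0] += 1
        return next(chunks)

    return request


def demo():
    pd = PrefixDelegator(make_isp(), child_len=60)
    for i in range(1, 18):               # 17 downstream routers; the 17th
        pd.delegate(f"duid-{i}")         # forces a second upstream request
    return {
        "upstream_prefixes": [str(p) for p in pd.owned],
        "routes": len(pd.routes),
        "router17": str(pd.leases["duid-17"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

A real implementation would key the route on the downstream router's link-local address and send a NoPrefixAvail status when both the local pool and the upstream request come back empty; the model keeps that path visible by returning None.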

Re: What routers do folks use these days?

2013-12-11 Thread Paul WALL
Based on what?


On Thu, Nov 28, 2013 at 9:59 PM, Mehmet Akcin  wrote:

> Look at Juniper, MX Series.
>
> mehmet
>
> On Nov 28, 2013, at 9:37 PM, Jawaid Desktop  wrote:
>
> > We're a service provider, and we have a network full of Cat6509's. We
> are finding that we are outgrowing them from the standpoint of their
> ability to handle lots of large routing tables. Obviously their switching
> capability is still superb but one of them with 20 peers is starting to
> groan a bit and RAM is going to be an issue soon.
> >
> > What do people use these days? Our backbone needs in the next 2-3 years
> are going to be sub-100Gbps.
> >
> >
> > Jawaid
> >
> >
>
>
>


Re: turning on comcast v6

2013-12-11 Thread Livingood, Jason
On 12/11/13, 2:32 PM, "Jared Mauch"  wrote:

>
>I'll chime in with a link to data:
>
>http://www.google.com/ipv6/statistics.html#tab=per-country-ipv6-adoption
>
>Looking at things, USA is at 5%+ adoption, which is due to the hard work
>of folks at Comcast (and other ISPs).
>
>Overall google is seeing 2.5%+ of traffic over native IPv6.  in several
>cases IPv6 is actually faster than IPv4:

Anyone else have a good base of comparative performance data with large
data sets / lots of end points?

- Jason

>
>16 bytes from 2001:418:3f4::5, icmp_seq=0 hlim=57 time=18.649 ms
>16 bytes from 2001:418:3f4::5, icmp_seq=1 hlim=57 time=19.008 ms
>16 bytes from 2001:418:3f4::5, icmp_seq=2 hlim=57 time=18.959 ms
>^C
>--- puck.nether.net ping6 statistics ---
>4 packets transmitted, 3 packets received, 25.0% packet loss
>round-trip min/avg/max/std-dev = 18.649/18.872/19.008/0.159 ms
>
>PING puck.nether.net (204.42.254.5): 56 data bytes
>64 bytes from 204.42.254.5: icmp_seq=0 ttl=55 time=32.920 ms
>64 bytes from 204.42.254.5: icmp_seq=1 ttl=55 time=18.467 ms
>64 bytes from 204.42.254.5: icmp_seq=2 ttl=55 time=22.014 ms
>64 bytes from 204.42.254.5: icmp_seq=3 ttl=55 time=20.807 ms
>64 bytes from 204.42.254.5: icmp_seq=4 ttl=55 time=19.096 ms
>^C
>--- puck.nether.net ping statistics ---
>5 packets transmitted, 5 packets received, 0.0% packet loss
>round-trip min/avg/max/stddev = 18.467/22.661/32.920/5.280 ms
>
>- jared




Re: BRAS

2013-12-11 Thread Warren Bailey
I sincerely hope those former coworkers can hook up some invitations to
the Mansion. If you can make that work, have I got a deal for you.. ;)


On 12/11/13, 3:03 PM, "jamie rishaw"  wrote:

>+1
>
>That was my first thought as well.
>
>"Well, I don't swing that way but I have an ex coworker or two at Playboy
>that might be able to give you a pointer, no pun intended"
>
>
>
>
>On Tue, Dec 10, 2013 at 11:10 PM, Larry Sheldon
>wrote:
>
>> On 12/10/2013 8:21 AM, Nilesh Kahar wrote:
>>
>>> Which is a good BRAS product, to handle 15000 subscribers sessions with
>>> full QoS & other features?
>>>
>>
>> Victoria's Secret has some nice ones.
>>
>>
>> --
>> Requiescas in pace o email   Two identifying characteristics
>> of System Administrators:
>> Ex turpi causa non oritur actio  Infallibility, and the ability to
>> learn from their mistakes.
>>   (Adapted from Stephen Pinker)
>>
>>
>
>
>-- 
>"sharp, dry wit and brash in his dealings with contestants." - Forbes
>If voting didn't matter, the GOP wouldn't make it more difficult than
>buying a gun.
>/* - teh jamie. ; uri -> http://about.me/jgr */




Re: BRAS

2013-12-11 Thread jamie rishaw
+1

That was my first thought as well.

"Well, I don't swing that way but I have an ex coworker or two at Playboy
that might be able to give you a pointer, no pun intended"




On Tue, Dec 10, 2013 at 11:10 PM, Larry Sheldon wrote:

> On 12/10/2013 8:21 AM, Nilesh Kahar wrote:
>
>> Which is a good BRAS product, to handle 15000 subscribers sessions with
>> full QoS & other features?
>>
>
> Victoria's Secret has some nice ones.
>
>
> --
> Requiescas in pace o email   Two identifying characteristics
> of System Administrators:
> Ex turpi causa non oritur actio  Infallibility, and the ability to
> learn from their mistakes.
>   (Adapted from Stephen Pinker)
>
>


-- 
"sharp, dry wit and brash in his dealings with contestants." - Forbes
If voting didn't matter, the GOP wouldn't make it more difficult than
buying a gun.
/* - teh jamie. ; uri -> http://about.me/jgr */


Re: BRAS

2013-12-11 Thread Paul Stewart
What kind of issues?  How many subs and what code?

Paul



On 12/11/2013, 11:14 AM, "Nilesh Kahar"  wrote:

>Basically I am facing issues with MX80 LNS scenario. So just to make sure
>with community whether anyone is having similar problem.
>Also wanted to know about any other good BRAS product which can act fine
>for LNS - LAC setup.
>Thanks for all the responses.
>Nil.





Re: BRAS

2013-12-11 Thread Paul Stewart
We have deployed several MX480 for BRAS and had good success - definitely
within the 11.4X27 release but also we have one box on 13.2 (nothing like
living on the edge haha).  I believe Juniper is starting to also recommend
12.3 for BRAS but would have to confirm that for sure.

On MX80 we also have them running at smaller sites - historically had
quite a few issues but lately been quite stable minus one bug we just
encountered with PPPOE subscriber sessions not getting torn down correctly
(PR is supposed to be resolved in new 11.4X release coming out Mon/Tues).

None of these deployments at this point have l2tp tunnels coming in (such
as wholesale from ILEC provider) but in early January we will have one in
production (wholesale AGAS service via Bell Canada).

Paul


On 12/11/2013, 1:44 PM, "Nitzan Tzelniker" 
wrote:

>MX480 works for me as LNS with Ericson Smartedge as LAC with more than 10K
>users
>it is very stable with 11.4x27 version
>The biggest limitation is that it is not possible to configure MTU for
>the
>subscriber interface  ( lower the MTU to 1492 for PPPOE subscribers )
>
>Nitzan
>
>
>On Wed, Dec 11, 2013 at 5:15 PM, Dan White  wrote:
>
>> On 12/11/13 10:10 -0500, Clayton Zekelman wrote:
>>
>>>
>>>
>>>
>>> At 09:30 AM 11/12/2013, Dan White wrote:
>>>
>>>> On 12/10/13 19:51 +0530, Nilesh Kahar wrote:
>>>>
>>>>> Which is a good BRAS product, to handle 15000 subscribers sessions
>>>>> with
>>>>> full QoS & other features?
>>>>>
>>>>
>>>> Juniper MX (480).
>>>>
>>>
>>> I heard there were some issues with the LAC/LNS functionality on the MX
>>> series vs. JUNOSe on the E series.  Is that still the case?
>>>
>>
>> I have not used those features with the platform, so I can't confirm.
>>The
>> box has been very solid for us as a subscriber management platform for
>> q-in-q termination.
>>
>> --
>> Dan White
>>
>>





Re: turning on comcast v6

2013-12-11 Thread joel jaeggli
On 12/11/13, 7:45 AM, Randy Bush wrote:
>> To be clear, I wasn't accusing you of whining. And thanks for documenting
>> it for the next guy.
> 
> it just works for gals, they have all the luck and the brains
> 
>> Stock netgear does PD and works out of the box? Didn't realize that.
> 
> so says my authority, joelja

I have been trying with some success to be a consumer rather than a
hacker with respect to my connectivity, and the results haven't been
that bad.

t-mobile cell
vzw wireless dongle
comcast broadband

All have nominally working v6.

Now if I could get the office vpn...

> randy
> 






Re: turning on comcast v6

2013-12-11 Thread George Michaelson
I am probably closer to consumer behaviour at home than most of you. I
don't regard my home router as a vehicle for hackery beyond clue I can find
on the end user public lists and rarely if ever even apply that, and I run
stock factory billion code on my billion ADSL2+ home gateway.

I just enabled the ADSL2+ profile which had IPv6 and restarted. It came up
immediately with a /56 and I haven't touched it since. I have been using it
to SSH back home quite comfortably with an almost unmodified ACLset to
permit port 22 inbound.

This is on Internode, in Australia.

So, while I fully acknowledge the reality is that for a lot of people,
cable and other complex head-end systems needed change and the experience
of going dual-stack can be painful, I want to assert IT DOESNT HAVE TO BE
and I am proof by example

It just worked.


On Thu, Dec 12, 2013 at 8:01 AM, Mark Andrews  wrote:

>
> In message , Sander
> Steffann
> writes:
> > Hi,
> >
> > On 11 Dec 2013, at 20:46, Kinkaid, Kyle wrote:
> > > I'm curious, do you know of a consumer-grade router which supports
> > > DHCPv6-PD?
> >
> > I have tested a whole bunch of them more than a year ago. I can remember
> > seeing IPv6 DHCPv6-PD client support on gear from AVM Fritz!box, D-Link,
> > Draytek, Zyxel, Linksys, Asus, Thompson/Technicolor and I must be
> > forgetting a few as well. Most of them weren't very advanced, but they
> > worked to get IPv6 connectivity in the house. What I am missing these
> > days is DHCPv6-PD server support to re-delegate parts of the prefix it
> > got from the ISP downstream to other home routers. As far as I know AVM
> > Fritz!box is the only one that does that today.
>
> And the need for it was obvious when all the other boxes were being
> developed.  Daisy chaining routers has been part of home setups for
> many, many years if only to get configuration control because the
> ISP router is not configurable enough.  There was no reason to think
> that this would change with IPv6.
>
> > Cheers,
> > Sander
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>
>


Re: turning on comcast v6

2013-12-11 Thread jimb
Hear hear.

Mark Andrews  wrote:
>
>In message , Sander
>Steffann 
>writes:
>> Hi,
>>
>> On 11 Dec 2013, at 20:46, Kinkaid, Kyle wrote:
>> > I'm curious, do you know of a consumer-grade router which supports
>> > DHCPv6-PD?
>>
>> I have tested a whole bunch of them more than a year ago. I can
>remember
>> seeing IPv6 DHCPv6-PD client support on gear from AVM Fritz!box,
>D-Link,
>> Draytek, Zyxel, Linksys, Asus, Thompson/Technicolor and I must be
>> forgetting a few as well. Most of them weren't very advanced, but
>they
>> worked to get IPv6 connectivity in the house. What I am missing these
>> days is DHCPv6-PD server support to re-delegate parts of the prefix
>it
>> got from the ISP downstream to other home routers. As far as I know
>AVM
>> Fritz!box is the only one that does that today.
>
>And the need for it was obvious when all the other boxes were being
>developed.  Daisy chaining routers has been part of home setups for
>many, many years if only to get configuration control because the
>ISP router is not configurable enough.  There was no reason to think
>that this would change with IPv6.
>
>> Cheers,
>> Sander
>-- 
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.


Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread Carlos Vicente
https://kb.isc.org/article/AA-01000


On Wed, Dec 11, 2013 at 2:17 PM, Arturo Servin wrote:

> I think it is a better idea to rate-limit your responses rather than
> limiting the size of them.
>
> AFAIK, bind has a way to do it.
>
> .as
>
>
> On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia 
> wrote:
> > Hi ML
> >
> >
> >
> > Yeah I can understand. Even DNSSEC will have issues with it which makes
> me
> > worry about rule even today.
> >
> >
> > On Wed, Dec 11, 2013 at 11:49 PM, ML  wrote:
> >
> >> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
> >> >
> >> > I am sure I am not the first person experiencing this issue. Curious to
> hear
> >> > how you are managing it. Also under what circumstances I can get a
> >> > legitimate TCP query on port 53 whose reply exceeds a basic limit of
> less
> >> > than 1000 bytes?
> >> >
> >> >
> >> >
> >>
> >> I'm not a DNS guru so I don't have an exact answer.  However my gut
> >> feeling is that putting in place a rule to drop or rate limit DNS
> >> replies greater than X bytes is probably going to come back to bite you
> >> in the future.
> >>
> >> No one can predict the future of what will constitute legitimate DNS
> >> traffic.
> >>
> >>
> >
> >
> > --
> >
> >
> > Anurag Bhatia
> > anuragbhatia.com
> >
> > Linkedin  |
> > Twitter
> > Skype: anuragbhatia.com
>
>


Re: turning on comcast v6

2013-12-11 Thread Mark Andrews

In message , Sander Steffann 
writes:
> Hi,
>
> On 11 Dec 2013, at 20:46, Kinkaid, Kyle wrote:
> > I'm curious, do you know of a consumer-grade router which supports
> > DHCPv6-PD?
>
> I have tested a whole bunch of them more than a year ago. I can remember
> seeing IPv6 DHCPv6-PD client support on gear from AVM Fritz!box, D-Link,
> Draytek, Zyxel, Linksys, Asus, Thompson/Technicolor and I must be
> forgetting a few as well. Most of them weren't very advanced, but they
> worked to get IPv6 connectivity in the house. What I am missing these
> days is DHCPv6-PD server support to re-delegate parts of the prefix it
> got from the ISP downstream to other home routers. As far as I know AVM
> Fritz!box is the only one that does that today.

And the need for it was obvious when all the other boxes were being
developed.  Daisy chaining routers has been part of home setups for
many, many years if only to get configuration control because the
ISP router is not configurable enough.  There was no reason to think
that this would change with IPv6.

> Cheers,
> Sander
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: turning on comcast v6

2013-12-11 Thread Sander Steffann
Hi,

On 11 Dec 2013, at 20:46, Kinkaid, Kyle wrote:
> I'm curious, do you know of a consumer-grade router which supports
> DHCPv6-PD?

I have tested a whole bunch of them more than a year ago. I can remember seeing 
IPv6 DHCPv6-PD client support on gear from AVM Fritz!box, D-Link, Draytek, 
Zyxel, Linksys, Asus, Thompson/Technicolor and I must be forgetting a few as 
well. Most of them weren't very advanced, but they worked to get IPv6 
connectivity in the house. What I am missing these days is DHCPv6-PD server 
support to re-delegate parts of the prefix it got from the ISP downstream to 
other home routers. As far as I know AVM Fritz!box is the only one that does 
that today.

Cheers,
Sander




Re: turning on comcast v6

2013-12-11 Thread joel jaeggli
On 12/11/13, 11:46 AM, Kinkaid, Kyle wrote:
> On Wed, Dec 11, 2013 at 11:18 AM, Owen DeLong  wrote:
> 
>> It doesn’t. You can get IPv6 working with off-the-shelf equipment if you
>> choose to.
>>
>> Randy chose to use that particular hardware and software combination.
> 
> 
> I'm curious, do you know of a consumer-grade router which supports
> DHCPv6-PD?

http://i.imgur.com/E7bsMsH.png

1. go to frys / newegg

2. buy netgear

3. ?

4. profit


> I have been making plans to put OpenWRT on my home router to get
> IPv6 and have found v6 support quite lacking.  Most of the routers seem to
> like to focus on various transition technologies like 6to4 tunnels.  I
> would love to go to NewEgg and get a home router for $50 (or even $100)
> that is ready to go.
> 
> What's more surprising is even Cisco and Juniper have been lagging.  The
> SRX only got DHCPv6-PD support in the last 6 months or so and I don't think
> the ASA has it yet.  However, ISR routers like the 88x and 86x support it.
> 
> -Kyle
> 






Re: turning on comcast v6

2013-12-11 Thread Blake Dunlap
The problem isn't the consumer devices. The problem is most of the open
source router software developers don't see ipv6 as a priority, or
something even worth "wasting time" on.


On Wed, Dec 11, 2013 at 1:57 PM, Leo Bicknell  wrote:

>
> On Dec 11, 2013, at 1:46 PM, "Kinkaid, Kyle"  wrote:
>
> >  I
> > would love to go to NewEgg and get a home router for $50 (or even $100)
> > that is ready to go.
>
> http://mydeviceinfo.comcast.net/?homegateway contains devices Comcast
> has actually tested in their lab, and so they are safer than most.
> There are devices not on this list that meet your criteria as well.
>
> I believe the absolute cheapest at NewEgg is the D-Link DIR 655,
> which is $63.99 with "Extra savings .. promo code" right now:
> http://www.newegg.com/Product/Product.aspx?Item=N82E16833127215
>
> --
>Leo Bicknell - bickn...@ufp.org - CCIE 3440
> PGP keys at http://www.ufp.org/~bicknell/
>
>
>
>
>
>


Re: turning on comcast v6

2013-12-11 Thread Leo Bicknell

On Dec 11, 2013, at 1:46 PM, "Kinkaid, Kyle"  wrote:

>  I
> would love to go to NewEgg and get a home router for $50 (or even $100)
> that is ready to go.

http://mydeviceinfo.comcast.net/?homegateway contains devices Comcast
has actually tested in their lab, and so they are safer than most.  
There are devices not on this list that meet your criteria as well.

I believe the absolute cheapest at NewEgg is the D-Link DIR 655,
which is $63.99 with "Extra savings .. promo code" right now:
http://www.newegg.com/Product/Product.aspx?Item=N82E16833127215

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/









Re: turning on comcast v6

2013-12-11 Thread Kinkaid, Kyle
On Wed, Dec 11, 2013 at 11:18 AM, Owen DeLong  wrote:

> It doesn’t. You can get IPv6 working with off-the-shelf equipment if you
> choose to.
>
> Randy chose to use that particular hardware and software combination.


I'm curious, do you know of a consumer-grade router which supports
DHCPv6-PD? I have been making plans to put OpenWRT on my home router to get
IPv6 and have found v6 support quite lacking.  Most of the routers seem to
like to focus on various transition technologies like 6to4 tunnels.  I
would love to go to NewEgg and get a home router for $50 (or even $100)
that is ready to go.

What's more surprising is even Cisco and Juniper have been lagging.  The
SRX only got DHCPv6-PD support in the last 6 months or so and I don't think
the ASA has it yet.  However, ISR routers like the 88x and 86x support it.

-Kyle


Re: turning on comcast v6

2013-12-11 Thread Jared Mauch

On Dec 11, 2013, at 2:18 PM, Owen DeLong  wrote:

> It doesn’t. You can get IPv6 working with off-the-shelf equipment if you 
> choose to.
> 
> Randy chose to use that particular hardware and software combination.

I'll chime in with a link to data:

http://www.google.com/ipv6/statistics.html#tab=per-country-ipv6-adoption

Looking at things, USA is at 5%+ adoption, which is due to the hard work of 
folks at Comcast (and other ISPs).

Overall google is seeing 2.5%+ of traffic over native IPv6.  in several cases 
IPv6 is actually faster than IPv4:

16 bytes from 2001:418:3f4::5, icmp_seq=0 hlim=57 time=18.649 ms
16 bytes from 2001:418:3f4::5, icmp_seq=1 hlim=57 time=19.008 ms
16 bytes from 2001:418:3f4::5, icmp_seq=2 hlim=57 time=18.959 ms
^C
--- puck.nether.net ping6 statistics ---
4 packets transmitted, 3 packets received, 25.0% packet loss
round-trip min/avg/max/std-dev = 18.649/18.872/19.008/0.159 ms

PING puck.nether.net (204.42.254.5): 56 data bytes
64 bytes from 204.42.254.5: icmp_seq=0 ttl=55 time=32.920 ms
64 bytes from 204.42.254.5: icmp_seq=1 ttl=55 time=18.467 ms
64 bytes from 204.42.254.5: icmp_seq=2 ttl=55 time=22.014 ms
64 bytes from 204.42.254.5: icmp_seq=3 ttl=55 time=20.807 ms
64 bytes from 204.42.254.5: icmp_seq=4 ttl=55 time=19.096 ms
^C
--- puck.nether.net ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 18.467/22.661/32.920/5.280 ms

- jared


Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread Jared Mauch
dns-operations list is likely best suited for this question, but...

If using BIND 9.9.4 you can set the system to use TCP for repeated queries to 
prevent spoofed ones from being replied to (ie: use yourself as an amplifier).

There's lists of domains published that are used in abuse, eg:

https://twitter.com/DnsSmurf
http://dnsamplificationattacks.blogspot.nl/
https://github.com/smurfmonitor/dns-iptables-rules/blob/master/domain-blacklist.txt

You should restrict your DNS server (as much as possible) to only respond to 
your customer base.

If you are using Microsoft DNS, STOP.  It has no way to restrict the clients it 
replies to queries for.  Set up real software to forward to it which does the 
filtering and scoping for your space.

NSD and others also have the ability to configure rate-limiting; knowing what 
software you are using is an important key here for proper recommendations and 
guide pointers.

Good luck,

- jared

On Dec 11, 2013, at 2:17 PM, Arturo Servin  wrote:

> I think it is a better idea to rate-limit your responses rather than
> limiting the size of them.
> 
> AFAIK, bind has a way to do it.
> 
> .as
> 
> 
> On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia  wrote:
>> Hi ML
>> 
>> 
>> 
>> Yeah I can understand. Even DNSSEC will have issues with it which makes me
>> worry about rule even today.
>> 
>> 
>> On Wed, Dec 11, 2013 at 11:49 PM, ML  wrote:
>> 
>>> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
 
>>>> I am sure I am not the first person experiencing this issue. Curious to hear
>>>> how you are managing it. Also under what circumstances I can get a
>>>> legitimate TCP query on port 53 whose reply exceeds a basic limit of less
>>>> than 1000 bytes?
>>>>
>>> 
>>> I'm not a DNS guru so I don't have an exact answer.  However my gut
>>> feeling is that putting in a place a rule to drop or rate limit DNS
>>> replies greater than X bytes is probably going to come back to bite you
>>> in the future.
>>> 
>>> No one can predict the future of what will constitute legitimate DNS
>>> traffic.
>>> 
>>> 
>> 
>> 
>> --
>> 
>> 
>> Anurag Bhatia
>> anuragbhatia.com
>> 
>> Linkedin  |
>> Twitter
>> Skype: anuragbhatia.com




Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread Carlos Vicente
If you are using BIND, take a look at:

https://kb.isc.org/article/AA-01000

cv


On Wed, Dec 11, 2013 at 1:06 PM, Anurag Bhatia  wrote:

> Hello everyone
>
>
> I noticed some issues on one of the DNS servers I am managing. It was getting
> queries for a couple of attacking domains and the server was replying in TCP with
> 3700 bytes, releasing very heavy packets. Now I see the presence of some
> (legitimate) DNS forwarders and hence I don't wish to limit queries.
>
>
> As I understand there are two ways here for fix:
>
>
>1. I can put a DNS rate limit in reply to ANY packets like say 5 replies
>in every one min. (but again I have some forwarders with quite a few
>machines behind them).
>
>2. Other way is limiting TCP port 53 outbound size ...limiting to say
>600-700 bytes or so.
>
>
>
> I am sure I am not the first person experiencing this issue. Curious to hear
> how you are managing it. Also under what circumstances I can get a
> legitimate TCP query on port 53 whose reply exceeds a basic limit of less
> than 1000 bytes?
>
>
>
>
> Thanks.
>
> --
>
>
> Anurag Bhatia
> anuragbhatia.com
>
> Linkedin  |
> Twitter
> Skype: anuragbhatia.com
>


Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread Anurag Bhatia
Hi Doug


I am using PowerDNS recursor.


On Thu, Dec 12, 2013 at 12:51 AM, Doug Barton  wrote:

> You don't mention what software you're using. If you're using BIND, ask
> this question on bind-us...@isc.org. There is indeed a solution.
>
> Doug
>
>
>
> On 12/11/2013 10:06 AM, Anurag Bhatia wrote:
>
>> Hello everyone
>>
>>
>> I noticed some issues on one of DNS server I am managing.
>>
>


-- 


Anurag Bhatia
anuragbhatia.com

Linkedin  |
Twitter
Skype: anuragbhatia.com


Re: turning on comcast v6

2013-12-11 Thread Owen DeLong
It doesn’t. You can get IPv6 working with off-the-shelf equipment if you choose 
to.

Randy chose to use that particular hardware and software combination.

Owen

On Dec 11, 2013, at 7:11 AM, Eric Oosting  wrote:

> On Wed, Dec 11, 2013 at 8:17 AM, Randy Bush  wrote:
> 
>> Randy Bush wrote:
>>> http://comcast6.net/ tells me that the local cmts is v6 enabled.  my
>>> modem, a cisco dpc3008, is in the supported products list.  so how do
>>> i turn the sucker on?
>>> 
>>> randy
>> 
>> after a lot of messing about with the massive help of Chris Adams and
>> John Brzozowski, problem solved.  see http://rtechblog.psg.com/
> 
> 
> It brings a tear to my eye that it takes:
> 
> 0) A long standing and well informed internet technologist;
> 1) specific, and potentially high end, CPE for the res;
> 2) specific and custom firmware, unsupported by CPE manufacturer ... or
> anyone;
> 3) hand installing several additional packages;
> 4) hand editing config files;
> 5) sysctl kernel flags;
> 6) several shout outs to friends and coworkers for assistance (resources
> many don't have access to);
> 7) oh, and probably hours and hours twiddling with it.
> 
> just to get IPv6 to work correctly.
> 
> Yea, that's TOTALLY reasonable.
> 
> -e
> 
> 
>> 
>> 
>> randy
>> 
>> 




Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread Doug Barton
You don't mention what software you're using. If you're using BIND, ask 
this question on bind-us...@isc.org. There is indeed a solution.


Doug


On 12/11/2013 10:06 AM, Anurag Bhatia wrote:

Hello everyone


I noticed some issues on one of DNS server I am managing.




Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread Arturo Servin
I think it is a better idea to rate-limit your responses rather than
limiting the size of them.

AFAIK, bind has a way to do it.

.as


On Wed, Dec 11, 2013 at 4:25 PM, Anurag Bhatia  wrote:
> Hi ML
>
>
>
> Yeah I can understand. Even DNSSEC will have issues with it which makes me
> worry about rule even today.
>
>
> On Wed, Dec 11, 2013 at 11:49 PM, ML  wrote:
>
>> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
>> >
>> > I am sure I am not the first person experiencing this issue. Curious to hear
>> > how you are managing it. Also under what circumstances I can get a
>> > legitimate TCP query on port 53 whose reply exceeds a basic limit of less
>> > than 1000 bytes?
>> >
>> >
>> >
>>
>> I'm not a DNS guru so I don't have an exact answer.  However my gut
>> feeling is that putting in a place a rule to drop or rate limit DNS
>> replies greater than X bytes is probably going to come back to bite you
>> in the future.
>>
>> No one can predict the future of what will constitute legitimate DNS
>> traffic.
>>
>>
>
>
> --
>
>
> Anurag Bhatia
> anuragbhatia.com
>
> Linkedin  |
> Twitter
> Skype: anuragbhatia.com



Re: Contact for www.army.mil (AS1503 )

2013-12-11 Thread Mark Gallagher
Probably looking for the DISA CONUS IPNOC.

Here's a good place to start:
http://www.disa.mil/About/Our-Organization-Structure/OD-Field-Office/CONUS

Thanks,

Mark





On Wed, Dec 11, 2013 at 2:24 PM, Miles Fidelman
wrote:

> Lots of luck there.  I'll bet this is all handled by a sub-contractor
> who's completely unresponsive. (Brings back memories of the days the Army
> cut all their email over to a DISA contractor, and stuff started bouncing
> all over the place.  Reaching one of our sponsors became a nightmare - and
> there was nobody to reach.  I expect that's only gotten worse.)
>
> Warren Bailey wrote:
>
>> I fully said to call DISA, not CALL THE GUB! ;)
>>
>> DISN GLOBAL SUPPORT CENTER
>>  DSN: (510) 376-3222 or (312) 850-4790
>> CML: (800) 554-3476 or (614) 692-4790
>> disa.d...@mail.mil
>> d...@cols.csd.disa.smil.mil
>>
>>
>> You probably aren't on the DSN, and I don't think they accept incoming
>> calls from the PSTN. May want to try the CML first (probably a civilian
>> sitting at a DISA desk, so they'll be useful).
>>
>>
>> Hope this helps.
>>
>> (I only know about this because of the satellite part of my life, and the
>> fact that DISA has threatened to slap my peepee several times ;) <3)
>>
>> On 12/10/13, 7:06 PM, "Scott Weeks"  wrote:
>>
>>   Original message 
>>> From: Christopher Morrell 
>>>
>>> We are currently having routing issues between one of our customers and
>>> www.army.mil which is originated from AS1503.
>>>
>>> Does anyone have a contact for AS1503?  We've tried the ARIN contacts for
>>> AS1503 but have not received any response.
>>> ---
>>>
>>>
>>> --- wbai...@satelliteintelligencegroup.com wrote:
>>> From: Warren Bailey 
>>>
>>> If memory serves me correctly army.mil is run by DISA. May get more
>>> traction with them.
>>> ---
>>>
>>>
>>> That's like saying "call the federal government".  :-)
>>>
>>> Poking around a bit I found:
>>> http://www.disa.mil/Services/Network-Services/Service-Support
>>> but I doubt you'll get very far there, either.
>>>
>>> nic.mil requires a CAC (www.cac.mil) and is only allowed access from
>>> certain IP address ranges AFAIK.
>>>
>>> scott
>>>
>>>
>
> --
> In theory, there is no difference between theory and practice.
> In practice, there is.    Yogi Berra
>
>
>


Re: BRAS

2013-12-11 Thread Nitzan Tzelniker
MX480 works for me as LNS with Ericsson SmartEdge as LAC with more than 10K
users
it is very stable with 11.4x27 version
The biggest limitation is that it is not possible to configure MTU for the
subscriber interface  ( lower the MTU to 1492 for PPPoE subscribers )

Nitzan


On Wed, Dec 11, 2013 at 5:15 PM, Dan White  wrote:

> On 12/11/13 10:10 -0500, Clayton Zekelman wrote:
>
>>
>>
>>
>> At 09:30 AM 11/12/2013, Dan White wrote:
>>
>>> On 12/10/13 19:51 +0530, Nilesh Kahar wrote:
>>>
>>>> Which is a good BRAS product, to handle 15000 subscribers sessions with
>>>> full QoS & other features?
>>>>
>>>
>>> Juniper MX (480).
>>>
>>
>> I heard there were some issues with the LAC/LNS functionality on the MX
>> series vs. JUNOSe on the E series.  Is that still the case?
>>
>
> I have not used those features with the platform, so I can't confirm. The
> box has been very solid for us as a subscriber management platform for
> q-in-q termination.
>
> --
> Dan White
>
>


Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread Anurag Bhatia
Hi ML



Yeah I can understand. Even DNSSEC will have issues with it which makes me
worry about rule even today.


On Wed, Dec 11, 2013 at 11:49 PM, ML  wrote:

> On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
> >
> > I am sure I am not the first person experiencing this issue. Curious to hear
> > how you are managing it. Also under what circumstances I can get a
> > legitimate TCP query on port 53 whose reply exceeds a basic limit of less
> > than 1000 bytes?
> >
> >
> >
>
> I'm not a DNS guru so I don't have an exact answer.  However my gut
> feeling is that putting in a place a rule to drop or rate limit DNS
> replies greater than X bytes is probably going to come back to bite you
> in the future.
>
> No one can predict the future of what will constitute legitimate DNS
> traffic.
>
>


-- 


Anurag Bhatia
anuragbhatia.com

Linkedin  |
Twitter
Skype: anuragbhatia.com


Re: Best practice on TCP replies for ANY queries

2013-12-11 Thread ML
On 12/11/2013 1:06 PM, Anurag Bhatia wrote:
>
> I am sure I am not the first person experiencing this issue. Curious to hear
> how you are managing it. Also under what circumstances I can get a
> legitimate TCP query on port 53 whose reply exceeds a basic limit of less
> than 1000 bytes?
>
>
>

I'm not a DNS guru so I don't have an exact answer.  However my gut
feeling is that putting in a place a rule to drop or rate limit DNS
replies greater than X bytes is probably going to come back to bite you
in the future.

No one can predict the future of what will constitute legitimate DNS
traffic.



Best practice on TCP replies for ANY queries

2013-12-11 Thread Anurag Bhatia
Hello everyone


I noticed some issues on one of the DNS servers I am managing. It was getting
queries for a couple of attacking domains and the server was replying in TCP with
3700 bytes, releasing very heavy packets. Now I see the presence of some
(legitimate) DNS forwarders and hence I don't wish to limit queries.


As I understand there are two ways here for fix:


   1. I can put a DNS rate limit in reply to ANY packets like say 5 replies
   in every one min. (but again I have some forwarders with quite a few
   machines behind them).

   2. Other way is limiting TCP port 53 outbound size ...limiting to say
   600-700 bytes or so.



I am sure I am not the first person experiencing this issue. Curious to hear
how you are managing it. Also under what circumstances I can get a
legitimate TCP query on port 53 whose reply exceeds a basic limit of less
than 1000 bytes?




Thanks.

-- 


Anurag Bhatia
anuragbhatia.com

Linkedin  |
Twitter
Skype: anuragbhatia.com
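
Worked model of the two options in the post above, added here as an example; it is not code from the thread, from BIND or from PowerDNS. It implements a simplified response rate limiter keyed on client prefix and query, with the "slip" behaviour Jared Mauch describes earlier in the thread (over-limit responses are answered with a small truncated reply so a genuine client retries over TCP, which a spoofer cannot complete), beside the size-cap rule from option 2. The addresses, names, answer sizes and the 60-byte truncated-reply size are constructed test data, and the fixed one-second window is a simplification of how BIND's RRL counts.

```python
"""Simplified DNS response rate limiting (RRL) with slip, beside a size cap.

Added example, not from the thread or from any DNS server.  All traffic,
addresses and sizes below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress
from typing import Callable, Dict, List, Tuple

TC_RESPONSE_BYTES = 60  # assumed size of a minimal truncated (TC=1) reply


@dataclass(frozen=True)
class Query:
    src: str          # source address on the wire; may be spoofed
    qname: str
    qtype: str
    answer_len: int   # bytes the full UDP answer would occupy
    t: float          # arrival time in seconds


def client_prefix(addr: str, v4_len: int = 24, v6_len: int = 56) -> str:
    """Aggregate clients per /24 (IPv4) or /56 (IPv6), as RRL implementations do."""
    ip = ipaddress.ip_address(addr)
    plen = v4_len if ip.version == 4 else v6_len
    return str(ipaddress.ip_network(f"{ip}/{plen}", strict=False))


class ResponseRateLimiter:
    """Identical responses per second per (client prefix, qname, qtype), with slip.

    After `rate` identical responses in a window the rest are dropped, except
    that every `slip`-th over-limit response is sent as a tiny truncated reply.
    A real client retries over TCP; a spoofed victim only ever sees small packets.
    """

    def __init__(self, rate: int = 5, slip: int = 2, window: float = 1.0):
        self.rate, self.slip, self.window = rate, slip, window
        self._counts: Dict[Tuple, int] = defaultdict(int)

    def decide(self, q: Query) -> str:
        """Return 'send', 'slip' (TC=1 reply) or 'drop' for this query."""
        key = (client_prefix(q.src), q.qname.lower(), q.qtype, int(q.t // self.window))
        self._counts[key] += 1
        over = self._counts[key] - self.rate
        if over <= 0:
            return "send"
        if self.slip and over % self.slip == 0:
            return "slip"
        return "drop"


def size_cap(q: Query, cap: int = 700) -> str:
    """The other option from the post: refuse any answer larger than `cap` bytes."""
    return "send" if q.answer_len <= cap else "drop"


def run(queries: List[Query], policy: Callable[[Query], str]):
    """Apply a policy to a query stream.

    Returns (bytes sent towards each source address, decision counts per source).
    """
    bytes_out: Dict[str, int] = defaultdict(int)
    decisions: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for q in queries:
        d = policy(q)
        decisions[q.src][d] += 1
        if d == "send":
            bytes_out[q.src] += q.answer_len
        elif d == "slip":
            bytes_out[q.src] += TC_RESPONSE_BYTES
    return bytes_out, decisions


def sample_traffic() -> List[Query]:
    """Constructed traffic: 200 spoofed 'ANY' queries within one second all
    claiming to come from the victim 198.51.100.7, plus three queries for
    different names from a legitimate forwarder at 192.0.2.10 whose answers
    are 3700 bytes each (the size mentioned in the post)."""
    flood = [Query("198.51.100.7", "example.com", "ANY", 3700, i / 200) for i in range(200)]
    legit = [Query("192.0.2.10", name, "ANY", 3700, t) for name, t in
             (("mail.example.net", 0.10), ("www.example.org", 0.35), ("ns1.example.com", 0.80))]
    return sorted(flood + legit, key=lambda q: q.t)


if __name__ == "__main__":
    for label, policy in (("RRL rate=5 slip=2", ResponseRateLimiter().decide),
                          ("size cap 700 bytes", size_cap)):
        sent, dec = run(sample_traffic(), policy)
        print(label)
        for src in sorted(dec):
            print(f"  {src:14} {dict(dec[src])}  bytes towards client: {sent[src]}")
```

Run as a script it prints a per-source summary. With rate limiting the spoofed victim receives five full answers plus 97 tiny TC=1 packets instead of 200 large ones, while the forwarder's three large answers all go out because different names land in different buckets. The size cap also stops this particular flood, but it drops exactly the forwarder's legitimate answers and an attacker can simply pick a name whose answer fits under the cap. A forwarder that repeats the same name many times a second does hit the limit, which is what slip is for: its retries over TCP cannot be spoofed.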


Re: Routing asymetry and RPF check

2013-12-11 Thread Saku Ytti
On (2013-12-11 16:10 +), R.P. Aditya wrote:

> Some problems never go away, just reappear periodically -- strict uRPF
> (and even loose uRPF) on transit provider peering interfaces are going
> to have unintended consequences as long as their is routing asymmetry

I can't imagine why uRPF/loose would be problematic. If you're originating
traffic from a prefix which you're not advertising to the DFZ and you still expect
it to work, your expectations are at fault, not uRPF/loose.

However uRPF/strict feasible won't work, while occasionally some people seem
to think it does.

-- 
  ++ytti
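
To make the loose/strict/feasible distinction concrete, here is an added example (not code from the thread or from any router vendor) that models a peering router's table and runs the three checks against a packet sourced from 143.104/16 arriving on the GEANT-facing interface. Interface names, the default and GEANT prefixes and the rest of the table contents are assumptions; only 130.79/16 and 143.104/16 come from the thread.

```python
"""uRPF check modes (loose, strict, feasible) on a constructed routing table.

Added example, not from the thread.  Everything except the two prefixes named
in the thread is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str        # egress interface for this path
    best: bool = True     # False marks an alternate (non-best) BGP path


class Router:
    """A tiny RIB with the three uRPF flavours the thread talks about."""

    def __init__(self, routes: List[Route]):
        self.routes = routes

    def lookup(self, src: str) -> List[Route]:
        """Every path for the most specific prefix covering src.
        The default route is ignored, as uRPF implementations do by default."""
        ip = ipaddress.ip_address(src)
        covering = [r for r in self.routes if ip in r.prefix and r.prefix.prefixlen > 0]
        if not covering:
            return []
        longest = max(r.prefix.prefixlen for r in covering)
        return [r for r in covering if r.prefix.prefixlen == longest]

    def urpf(self, mode: str, src: str, ingress: str) -> bool:
        """True if a packet from src arriving on ingress passes the check."""
        paths = self.lookup(src)
        if mode == "loose":        # any route at all for the source
            return bool(paths)
        if mode == "strict":       # the best path must point back out ingress
            return any(p.best and p.interface == ingress for p in paths)
        if mode == "feasible":     # any known path, best or not, via ingress
            return any(p.interface == ingress for p in paths)
        raise ValueError(f"unknown uRPF mode {mode!r}")

    def check_all(self, src: str, ingress: str) -> Dict[str, bool]:
        return {m: self.urpf(m, src, ingress) for m in ("loose", "strict", "feasible")}


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


def geneva_router(knows_hospital_prefix: bool, geant_alternate: bool) -> Router:
    """Constructed table for the RENATER/GEANT peering router in the thread.
    Interface names and every prefix except 130.79/16 and 143.104/16 are assumed."""
    routes = [
        Route(net("0.0.0.0/0"), "ae-upstream"),       # default towards a transit
        Route(net("130.79.0.0/16"), "ae-customer"),   # Strasbourg, behind RENATER
        Route(net("62.40.96.0/19"), "ae-geant"),      # GEANT infrastructure (assumed)
    ]
    if knows_hospital_prefix:   # learned via the commodity path, as a full table would
        routes.append(Route(net("143.104.0.0/16"), "ae-commodity"))
    if geant_alternate:         # GEANT also announces it, but not as the best path
        routes.append(Route(net("143.104.0.0/16"), "ae-geant", best=False))
    return Router(routes)


if __name__ == "__main__":
    src, ingress = "143.104.11.49", "ae-geant"   # hospital host, packet arriving from GEANT
    for label, r in (("no route for 143.104/16", geneva_router(False, False)),
                     ("route via commodity only", geneva_router(True, False)),
                     ("plus non-best path via GEANT", geneva_router(True, True))):
        print(f"{label:30} {r.check_all(src, ingress)}")
```

The three scenarios follow the thread: with no route for 143.104/16 at all (the Geneva router is reported not to carry it), even loose uRPF drops the packet; once the prefix is present via the commodity path, loose passes but strict still drops because of the asymmetry; feasible mode only rescues it if a path via the GEANT interface is also known, which is exactly what is missing when the hospital prefix is never announced to NLR.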



Re: BRAS

2013-12-11 Thread Olivier Benghozi
Hi,

On 11 Dec 2013 at 17:14, Nilesh Kahar  wrote:
> Also wanted to know about any other good BRAS product which can act fine for 
> LNS - LAC setup.

Ericsson SmartEdge
Cisco ASR1000




BRAS

2013-12-11 Thread Nilesh Kahar
Basically I am facing issues with MX80 LNS scenario. So just to make sure with 
community whether anyone is having similar problem.
Also wanted to know about any other good BRAS product which can act fine for 
LNS - LAC setup.
Thanks for all the responses.
Nil.

Re: Routing asymetry and RPF check

2013-12-11 Thread R.P. Aditya
Some problems never go away, just reappear periodically -- strict uRPF
(and even loose uRPF) on transit provider peering interfaces are going
to have unintended consequences as long as there is routing asymmetry
on the Internet (pretty much guaranteed to be forever):

  
http://www.nanog.org/mailinglist/mailarchives/old_archive/1999-03/msg00125.html

Adi

On 2013-12-09, Jean Benoit  wrote:
>
> Hello,
>
> It's probably an old problem which was already debated here.
> We (130.79/16, AS2259) can't reach 143.104/16 (AS20252).
> Actually, all packets are dropped on their way back to our network.
> The probable cause is a conjunction of routing asymmetry and uRPF check :
>
> - 143.104/16 is behind a US university network. Packets sent
>   *from 143.104/16* to the rest of the Internet are going through National
>   Lambda Rail (NLR), a US. research and education network,
>
> - but, as 143.104/16 does not belong to the university but to a hospital
>   (the network has only a couple of hosts related to public research),
>   this prefix is not announced to NLR. So packets from the Internet
>   *to 143.104/16* go through the university commodity Internet link 
>   (a mix of different providers). Thus, there is a routing asymmetry.
>
> - on the other side of the Atlantic, 130.79/16 is behind another research
>   network, RENATER (AS2200). Renater is connected to GEANT, which
>   federates most of the European research and education networks.
>   GEANT peers with NLR.
>   So the path from 143.104/16 is :
> Hospital,University(20252),NLR(19401),GEANT(20965),RENATER(2200),Our 
> site(2259)
>
> - when a packet arrives from 143.104/16 on a specific RENATER router in
>   Geneva, geneve-rtr-021.noc.renater.fr, it is dropped.
>   
> - On this router, geneve-rtr-021.noc.renater.fr, RENATER peers with GEANT.
>
> - RENATER looking glass (https://portail.noc.renater.fr/lookingglass/v2/)
>   tells me that the prefix 143.104/16 is not present in this router's
>   routing table (this prefix is not learnt by NLR, and not learnt by GEANT).
>   Moreover, this router seems not to have a full routing table.
>
> - On this router, unicast Reverse Path Forwarding check (unsure if it's
>   strict or loose) is enabled on the interface between RENATER
>   and GEANT (PortChannel4.160 to ae14.160 of rt1.gen.ch.geant.net or
>   mx1.gen.ch.geant.net, see https://tools.geant.net/portal/links/lg/)
>   The packets with source IP address 143.104/16 are dropped because the
>   uRPF check fails.
>
> So, what do you think should be done ?
>
> Thanks for your advice,
>
> --
> Jean Benoit
> University of Strasbourg
>
> [attachment: traceroute_from_143.104_to_130.79.txt]
>
>
> --
>
> Traceroute from 143.103 to 130.79 :
>
>   1 143.104.11.49 0 msec 0 msec 0 msec
>   2 143.104.11.34 0 msec 0 msec 0 msec
>   3 10.174.255.146 0 msec 0 msec 0 msec
>   4 10.174.1.138 0 msec 0 msec 0 msec
>   5 te-7-1-nydc1-1300-d-core02.med.cornell.edu (10.10.100.6) 0 msec 0 msec 0 
> msec
>   6 gi-3-2-nydc1-1300-fw01.med.cornell.edu (157.139.0.129) 0 msec 0 msec 0 
> msec
>   7 vl-10-nydc1-1300-ingw01.med.cornell.edu (157.139.0.65) 0 msec 0 msec 4 
> msec
>   8 157.139.255.9 0 msec 0 msec 4 msec
>   9  *  *  *
>  10 216.24.184.86 84 msec 84 msec 84 msec
>  11 ae3.mx1.ams.nl.geant.net (62.40.98.115) 92 msec 84 msec 84 msec
>  12 ae0.mx1.fra.de.geant.net (62.40.98.128) 84 msec 84 msec 88 msec
>  13 ae1.mx1.gen.ch.geant.net (62.40.98.108) 108 msec 104 msec 96 msec
>  14 ae2.rt1.gen.ch.geant.net (62.40.112.13) 92 msec 92 msec 92 msec
>  15  *  *  *
>  16  *  *  *
>  17  *  *  *
>  18  *  *  *
>  19  *  *  *
>  20  *  *  *
>  21  *  *  *
>  22  *  *  *
>  23  *  *  *
>  24  *  *  *
>  25  *  *  *
>
> --
>
>
>
>


-- 




Re: turning on comcast v6

2013-12-11 Thread joel jaeggli
On 12/11/13, 7:11 AM, Eric Oosting wrote:
> On Wed, Dec 11, 2013 at 8:17 AM, Randy Bush  wrote:
> 
>> Randy Bush wrote:
>>> http://comcast6.net/ tells me that the local cmts is v6 enabled.  my
>>> modem, a cisco dpc3008, is in the supported products list.  so how do
>>> i turn the sucker on?
>>>
>>> randy
>>
>> after a lot of messing about with the massive help of Chris Adams and
>> John Brzozowski, problem solved.  see http://rtechblog.psg.com/
> 
> 
> It brings a tear to my eye that it takes:
> 
> 0) A long standing and well informed internet technologist;
> 1) specific, and potentially high end, CPE for the res;
> 2) specific and custom firmware, unsupported by CPE manufacturer ... or
> anyone;

it's worth noting that that CPE works just fine for this purpose with
the manufacturer supplied firmware. So the motivation for doing it this
way lies elsewhere.

If you approach this as a consumer rather than futzing with it you'll
probably have a different experience.

At my apartment I have a mot sb6121 and a netgear wndr3700 and comcast
v6 works without apparent effort.

> 3) hand installing several additional packages;
> 4) hand editing config files;
> 5) sysctl kernel flags;
> 6) several shout outs to friends and coworkers for assistance (resources
> many don't have access to);
> 7) oh, and probably hours and hours twiddling with it.
> 
> just to get IPv6 to work correctly.
> 
> Yea, that's TOTALLY reasonable.
> 
> -e
> 
> 
>>
>>
>> randy
>>
>>
> 






Re: turning on comcast v6

2013-12-11 Thread Randy Bush
> To be clear, I wasn't accusing you of whining. And thanks for documenting
> it for the next guy.

it just works for gals, they have all the luck and the brains

> Stock netgear does PD and works out of the box? Didn't realize that.

so says my authority, joelja

randy



Re: turning on comcast v6

2013-12-11 Thread Leo Bicknell

On Dec 11, 2013, at 9:11 AM, Eric Oosting  wrote:

> It brings a tear to my eye that it takes:
> 
> 1) specific, and potentially high end, CPE for the res;
> 2) specific and custom firmware, unsupported by CPE manufacturer ... or
> anyone;

I think this says more about Randy's specific choice/luck in hardware
than the general state of play.  Unfortunately in low end CPE land
hardware ships with a specific set of software features, and generally
there is no (economic) model for the vendors to ever offer new features.
People don't buy "support" for low end CPE.  The way to get new software
is to buy new hardware, which is really only a good solution when the
feature set required is stable over long periods of time.

There are plenty of low end residential style boxes that "just work"
with Comcast's setup out of the box with vendor images.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/









Re: turning on comcast v6

2013-12-11 Thread Eric Oosting
On Wed, Dec 11, 2013 at 10:40 AM, Randy Bush  wrote:

> > just to get IPv6 to work correctly.
>
> i would not have had this problem if i had not done the openwrt thing.
> the stock netgear would have been fine.  i brought this on myself
> because i wanted to also run things such as an openvpn server.
>
> i was documenting for the next to follow, not to whine.
>

To be clear, I wasn't accusing you of whining. And thanks for documenting
it for the next guy.

Stock netgear does PD and works out of the box? Didn't realize that.

-e


>
> randy
>


Re: turning on comcast v6

2013-12-11 Thread Randy Bush
> just to get IPv6 to work correctly.

i would not have had this problem if i had not done the openwrt thing.
the stock netgear would have been fine.  i brought this on myself
because i wanted to also run things such as an openvpn server.

i was documenting for the next to follow, not to whine.

randy



Re: turning on comcast v6

2013-12-11 Thread Andrew D Kirch

On 12/11/2013 10:11 AM, Eric Oosting wrote:



> It brings a tear to my eye that it takes:
>
> 0) A long standing and well informed internet technologist;
> 1) specific, and potentially high end, CPE for the res;
> 2) specific and custom firmware, unsupported by CPE manufacturer ... or
> anyone;
> 3) hand installing several additional packages;
> 4) hand editing config files;
> 5) sysctl kernel flags;
> 6) several shout outs to friends and coworkers for assistance (resources
> many don't have access to);
> 7) oh, and probably hours and hours twiddling with it.
>
> just to get IPv6 to work correctly.
>
> Yea, that's TOTALLY reasonable.
>
> -e
>
>> randy

I wonder if he got any better than a /60 for his troubles...

Andrew



Re: turning on comcast v6

2013-12-11 Thread Nick Hilliard
On 11/12/2013 15:11, Eric Oosting wrote:
> just to get IPv6 to work correctly.
> 
> Yea, that's TOTALLY reasonable.

Sounds a bit like configuring access layer ipv4 in the early 1990s.  It
took years of early production pain to turn it into a commodity product.

Nick




Re: [nznog] Web Servers: Dual-homing or DNAT/Port Forwarding?

2013-12-11 Thread Tim Franklin
> Just because something is public doesn't mean you have to accept ALL
> traffic, it just means you have to anticipate any potential problems based
> on Larry knowing your address rather than imagining him standing at the
> front gate of your gated community. ;) (let's torture that analogy!)

There's still a gated community?  I thought that particular piece of routing 
joy was long gone...

Sorry, I'll get my coat.
Tim.



Re: BRAS

2013-12-11 Thread Dan White

On 12/11/13 10:10 -0500, Clayton Zekelman wrote:




> At 09:30 AM 11/12/2013, Dan White wrote:
>
>> On 12/10/13 19:51 +0530, Nilesh Kahar wrote:
>>
>>> Which is a good BRAS product, to handle 15000 subscribers sessions with
>>> full QoS & other features?
>>
>> Juniper MX (480).
>
> I heard there were some issues with the LAC/LNS functionality on the
> MX series vs. JUNOSe on the E series.  Is that still the case?


I have not used those features with the platform, so I can't confirm. The
box has been very solid for us as a subscriber management platform for
q-in-q termination.

--
Dan White



Re: BRAS

2013-12-11 Thread Gabriel Blanchard

On 13-12-11 10:10 AM, Clayton Zekelman wrote:




> At 09:30 AM 11/12/2013, Dan White wrote:
>
>> On 12/10/13 19:51 +0530, Nilesh Kahar wrote:
>>
>>> Which is a good BRAS product, to handle 15000 subscribers sessions with
>>> full QoS & other features?
>>
>> Juniper MX (480).
>>
>> --
>> Dan White
>
> I heard there were some issues with the LAC/LNS functionality on the
> MX series vs. JUNOSe on the E series.  Is that still the case?

Well I'm being told by my Juniper sales reps to stay away from LAC/LNS 
on the MX for now...so I have. Still rocking E320s


-Gabe



Re: turning on comcast v6

2013-12-11 Thread Eric Oosting
On Wed, Dec 11, 2013 at 8:17 AM, Randy Bush  wrote:

> Randy Bush wrote:
> > http://comcast6.net/ tells me that the local cmts is v6 enabled.  my
> > modem, a cisco dpc3008, is in the supported products list.  so how do
> > i turn the sucker on?
> >
> > randy
>
> after a lot of messing about with the massive help of Chris Adams and
> John Brzozowski, problem solved.  see http://rtechblog.psg.com/


It brings a tear to my eye that it takes:

0) A long standing and well informed internet technologist;
1) specific, and potentially high end, CPE for the res;
2) specific and custom firmware, unsupported by CPE manufacturer ... or
anyone;
3) hand installing several additional packages;
4) hand editing config files;
5) sysctl kernel flags;
6) several shout outs to friends and coworkers for assistance (resources
many don't have access to);
7) oh, and probably hours and hours twiddling with it.

just to get IPv6 to work correctly.

Yea, that's TOTALLY reasonable.

-e


>
>
> randy
>
>


Re: BRAS

2013-12-11 Thread Clayton Zekelman




At 09:30 AM 11/12/2013, Dan White wrote:

> On 12/10/13 19:51 +0530, Nilesh Kahar wrote:
>
>> Which is a good BRAS product, to handle 15000 subscribers sessions with
>> full QoS & other features?
>
> Juniper MX (480).
>
> --
> Dan White



I heard there were some issues with the LAC/LNS functionality on the 
MX series vs. JUNOSe on the E series.  Is that still the case?




---

Clayton Zekelman
Managed Network Systems Inc. (MNSi)
3363 Tecumseh Rd. E
Windsor, Ontario
N8W 1H4

tel. 519-985-8410
fax. 519-985-8409





Re: [nznog] Web Servers: Dual-homing or DNAT/Port Forwarding?

2013-12-11 Thread Sholes, Joshua
Public ipv6 address : firewall :: public street address : locked
door/fence/guard dog

Just because something is public doesn't mean you have to accept ALL
traffic, it just means you have to anticipate any potential problems based
on Larry knowing your address rather than imagining him standing at the
front gate of your gated community. ;) (let's torture that analogy!)
 
-- 
Josh Sholes




On 12/10/13, 7:47 PM, "Larry Sheldon"  wrote:

>On 12/10/2013 4:30 PM, Geraint Jones wrote:
>
>>>> Number 1 gets you thinking along the IPv6 route (no pun, and imho :) )
>>>> since you have to treat each box as if it was public.
>>>
>>> I see this kind of statement surprisingly often. Having a public
>>>address
>>> doesn't make a device public.
>>
>> Yes it does,
>
>Glad to hear that. We (the family, 8 of us, and the 4 dogs will be
>arriving at your house, with its public address, in time for your
>Christmas dinner and we will be staying at least through your New Years
>eve party--maybe longer depending on the weather here.
>
>-- 
>Requiescas in pace o email   Two identifying characteristics
> of System Administrators:
>Ex turpi causa non oritur actio  Infallibility, and the ability to
> learn from their mistakes.
>   (Adapted from Stephen Pinker)
>




Re: BRAS

2013-12-11 Thread Dan White

On 12/10/13 19:51 +0530, Nilesh Kahar wrote:

> Which is a good BRAS product, to handle 15000 subscribers sessions with
> full QoS & other features?


Juniper MX (480).

--
Dan White



Re: What routers do folks use these days?

2013-12-11 Thread Pete Lumbis
Even with a single chip architecture the overall scale performance is WAY
better than Sup720. Hell, even RSP720 was a huge improvement in scale

I know the question was specifically about CPU but Sup2T is also a
different forwarding ASIC allowing it to do natively things Sup720
couldn't, like VPLS and EVC

I would agree that Sup2t wouldn't be my first choice in ISP Edge. From
Cisco, ASR9k or ASR1k depending on bandwidth needs.

-Pete

disclaimer: I work for Cisco.


On Mon, Dec 9, 2013 at 10:34 PM, Jimmy Hess  wrote:

> On Fri, Nov 29, 2013 at 12:02 AM, Mikael Abrahamsson  >wrote:
>
> > [snip]
> >
> +1 for  MX or  ASR 9000.
>
>
> > Cisco ASR 9000, Juniper MX, Huawei NE40E, Alcatel-Lucent 7750, those
> kinds
> > of routers are the ones I hear people using. Some go for the new Sup2T
> for
> > the 6500, but I don't know how much more CPU it has compared to your
> > SUP/RSP720, perhaps someone else knows?
>
>
> Cat6500 Sup720 was a platform that used  two separate processors;  1 Switch
> Processor   CPU at 600mhz managing Layer 2 services, and 1 Route processor
> CPU at 600MHz on the MSFC to run the Layer 3 services.  these were MIPS
> CPUs --- sr71000.
>
> Cat6500 Sup2T is shown as a single Dual core, 1.5GHz  per Core cpu.   There
> is one processor stack on the 2T,  instead of two separate CPUs; since
> route processor and switch processor are now combined into one shared
> processing unit under the new "merged" architecture that runs only one IOS
> image,  that controls both RP and SP features   Layer 2,  Layer 3,  and
> management services  do not run on separate processors,  with their own
> separate hw anymore.
>
>
> So the CPU is beefier --- but it is also now shared by multiple functions
> that previously had separate, isolated processing from one another.
>
> I believe the Sup2T  are using a E500 PowerPC chip.
> In any event,  neither old nor new are based on x86 architecture ---  keep
> in mind,  that comparison of MHz or GHz CPU frequency rates  is only
> meaningful within the same CPU architecture.
>
> There are not significant increases in FIB TCAM,  or other important memory
> capacities from RSP720,  that you would expect to need  for  scalability to
> larger tables.
>
>
> Even with 2T I would still describe  the 65xx as largely a great switching
> platform,  for  10/100/1000 aggregation -- due to limited chassis
> bandwidth: its days would seem to be numbered once desktops are sporting 10
> gigabit links:   definitely not (IMO) the best hardware router platform
>  for  carrying large routing tables at the ISP edge, anyways.
>
>
>
> > Mikael Abrahamssonemail: swm...@swm.pp.se
> >
> --
> -JH
>


Re: turning on comcast v6

2013-12-11 Thread Randy Bush
Randy Bush wrote:
> http://comcast6.net/ tells me that the local cmts is v6 enabled.  my
> modem, a cisco dpc3008, is in the supported products list.  so how do
> i turn the sucker on?
> 
> randy

after a lot of messing about with the massive help of Chris Adams and
John Brzozowski, problem solved.  see http://rtechblog.psg.com/

randy



Re: Contact for www.army.mil (AS1503 )

2013-12-11 Thread Miles Fidelman
Lots of luck there.  I'll bet this is all handled by a sub-contractor 
who's completely unresponsive. (Brings back memories of the days the 
Army cut all their email over to a DISA contractor, and stuff started 
bouncing all over the place.  Reaching one of our sponsors became a 
nightmare - and there was nobody to reach.  I expect that's only gotten 
worse.)


Warren Bailey wrote:

> I fully said to call DISA, not CALL THE GUB! ;)
>
> DISN GLOBAL SUPPORT CENTER
> DSN: (510) 376-3222 or (312) 850-4790
> CML: (800) 554-3476 or (614) 692-4790
> disa.d...@mail.mil
> d...@cols.csd.disa.smil.mil
>
> You probably aren't on the DSN, and I don't think they accept incoming
> calls from the PSTN. May want to try the CML first (probably a civilian
> sitting at a DISA desk, so they'll be useful).
>
> Hope this helps.
>
> (I only know about this because of the satellite part of my life, and the
> fact that DISA has threatened to slap my peepee several times ;) <3)
>
> On 12/10/13, 7:06 PM, "Scott Weeks"  wrote:
>
>>  Original message 
>> From: Christopher Morrell 
>>
>> We are currently having routing issues between one of our customers and
>> www.army.mil which is originated from AS1503.
>>
>> Does anyone have a contact for AS1503?  We've tried the ARIN contacts for
>> AS1503 but have not received any response.
>> ---
>>
>> --- wbai...@satelliteintelligencegroup.com wrote:
>> From: Warren Bailey 
>>
>> If memory serves me correctly army.mil is run by DISA. May get more
>> traction with them.
>> ---
>>
>> That's like saying "call the federal government".  :-)
>>
>> Poking around a bit I found:
>> http://www.disa.mil/Services/Network-Services/Service-Support
>> but I doubt you'll get very far there, either.
>>
>> nic.mil requires a CAC (www.cac.mil) and is only allowed access from
>> certain IP address ranges AFAIK.
>>
>> scott




--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra




Re: Contact for www.army.mil (AS1503 )

2013-12-11 Thread Christopher Morrell
Tried that.  No response by email. I haven't tried that phone number yet. 

> On Dec 10, 2013, at 23:18, bmann...@vacation.karoshi.com wrote:
> 
> 
> have you tried:
> 
> DoD NIC Registry Services
> DoD Network Information Center
> 3990 East Broad Street
> Columbus Ohio 43213
> United States
> Email: disa.columbus.ns.mbx.nic-netwo...@mail.mil
> Voice: (800)365-3642
> Fax: (614)692-3452
> 
> (always worked for me)
> /bill
> 
> 
>> On Tue, Dec 10, 2013 at 08:36:06PM -0500, Christopher Morrell wrote:
>> Hi,
>> 
>> We are currently having routing issues between one of our customers and
>> www.army.mil which is originated from AS1503.
>> 
>> Does anyone have a contact for AS1503?  We've tried the ARIN contacts for
>> AS1503 but have not received any response.
>> 
>> Thanks,
>> 
>> Chris
>> Fibrenoire AS22652