Re: Updating dns glue

2015-09-05 Thread Joe Abley

Hi Mike,

On 5 Sep 2015, at 0:34, Mike wrote:

> Due to a recent fiber cut in northern california, I've stepped up my 
> plan to have one authoritative dns and backup mail exchanger located 
> on another network far, far away. I am sadly having immense trouble 
> with dotster understanding that I need to update the ip address of a 
> glue record, as I host my own stuff, for which their gui has no 
> ability and which phone support says open a ticket for which the 
> e-mailed response was utter cluelessness, claiming they checked and 
> it's already set... yeah, you recursed and hit my existing ns which 
> gave you the answer, but it's the roots which need to know


Some ideas:

1. You could just add a nameserver. There's no rule that says you have 
to have exactly two. You could almost certainly have three. (There are 
some registry-specific rules that specify the minimum and maximum 
numbers, but I've never seen a registry where the maximum was two.) If 
you add a new nameserver, and leave your existing two as they are, 
you've achieved your diversity goal and avoided the problem you're 
currently struggling with. Apply a touch of mind bleach, and you'll 
forget that "glue records" are even a thing.


2. There's no universal answer to the question "how do I update glue 
records in a parent zone". It depends on the registry, and the data 
model they use to link all the various DNS and meta-DNS information they 
store.


[Incidentally, it's almost never the root server operators that need to 
know unless you're running a top-level domain (and even then, it's the 
administrator of the root zone that needs to know, not the root server 
operators). But when you said "roots" you didn't mean root servers, you 
meant "operator of the registry for the parent zone".]


For registries that follow the data model that was originally used for 
COM, NET and ORG, what you're looking for is a database operation 
"modify host object" to happen at the particular registry that contains 
that host object with addresses (a host object subordinate to the 
registry apex, you could call it, somewhat inelegantly).


Once you've found the right registry, you need to figure out how to make 
changes. Find the sponsoring registrar for the domain the host object is 
subordinate to. That's the organisation you need to talk to.


For example,

  QUIRKAFLEEG.NET

is a domain with the following listed nameservers:

[scallop:~]% whois quirkafleeg.net | egrep '^Name Server: .'
Name Server: NS1.P23.DYNECT.NET
Name Server: NS2.P23.DYNECT.NET
Name Server: NS4.P23.DYNECT.NET
Name Server: NS3.P23.DYNECT.NET
[scallop:~]%

If your whois client needs help in finding out what server to use, try 
Rodney's very handy <tld>.whois-servers.net, e.g.


[scallop:~]% host net.whois-servers.net
net.whois-servers.net is an alias for whois.verisign-grs.com.
whois.verisign-grs.com has address 199.7.50.74
whois.verisign-grs.com has IPv6 address 2001:503:5ae2:1000::74
[scallop:~]%

If I decided I wanted to rename NS3.P23.DYNECT.NET, I would need to 
identify the sponsoring registrar for the DYNECT.NET domain name:


[scallop:~]% whois dynect.net | egrep '^Registrar:'
Registrar: DYNAMIC NETWORK SERVICES, INC
[scallop:~]%

The registrant (the person who "owns" the domain) in this case is:

[scallop:~]% whois dynect.net | egrep '^Registrant'
Registrant Name: Dynamic Network Services
Registrant Organization: Dyn
Registrant Street: 150 Dow St, Tower 2
Registrant City: Manchester
Registrant State/Province: NH
Registrant Postal Code: 03101
Registrant Country: US
Registrant Phone: +1.6036684998
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: doma...@dyn.com
[scallop:~]%

So those are the people I would ask to rename (say) NS3.P23.DYNECT.NET. 
Of course in this case they would say "haha, no" and probably advise me 
to add a nameserver rather than trying to reconfigure their commercial 
DNS service. But you get the idea; if the nameserver you want to rename 
is subordinate to a domain name you have administrative control over, 
you could interact with the registrar for the domain and make the 
change.


The precise way a particular registrar will accept such a change varies 
by registrar. Sometimes (I hear) the user interface involves phone calls 
and shouting. But then you have a choice of registrar, if you can figure 
out how to make transfers work.


If your domain and/or nameservers are not named under NET, ORG or COM, 
the above may be useful or, quite possibly, completely irrelevant, 
depending on factors that your registrar is in theory supposed to hide 
from you. There are as many other data models as there are other TLDs, 
almost-maybe, and I certainly don't know the details of all or even many 
of them.


If this is sounding very XKCD-927, that's because it is. This is perhaps 
why lots of people pay others to do this for them (registry/registrar 
shenanigans and DNS hosting) so that they can live their lives with one 
less thing to be angry about.




Re: Weekly Routing Table Report

2015-09-05 Thread Philip Smith

Hi Hugo,

Hugo Slabbert wrote on 5/09/2015 01:20 :
> 
>> BGP routing table entries examined:
>> 30167
> ...
>> Percentage of available address space announced:
>> 7.0 Percentage of allocated address space announced:
>> 7.0
> 
> erm...y'all missing some prefixes on the collector for the report?

Yes. :-(

Seems like the dump from the collector happened just after a BGP reset
(or something). I'm checking that now, or whether something else has
broken.

Sorry!!

philip


Weekly Routing Table Report

2015-09-05 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG,
CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   0400 +10GMT Sat 05 Sep, 2015

Report Website: http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary


BGP routing table entries examined:  557095
Prefixes after maximum aggregation (per Origin AS):  210220
Deaggregation factor:  2.65
Unique aggregates announced (without unneeded subnets):  273158
Total ASes present in the Internet Routing Table: 51335
Prefixes per ASN: 10.85
Origin-only ASes present in the Internet Routing Table:   36652
Origin ASes announcing only one prefix:   16121
Transit ASes present in the Internet Routing Table:    6394
Transit-only ASes present in the Internet Routing Table:    174
Average AS path length visible in the Internet Routing Table:   4.5
Max AS path length visible:  45
Max AS path prepend of ASN ( 55644)  41
Prefixes from unregistered ASNs in the Routing Table:  1084
Unregistered ASNs in the Routing Table: 417
Number of 32-bit ASNs allocated by the RIRs:  10864
Number of 32-bit ASNs visible in the Routing Table:    8289
Prefixes from 32-bit ASNs in the Routing Table:   31110
Number of bogon 32-bit ASNs visible in the Routing Table:    19
Special use prefixes present in the Routing Table:    1
Prefixes being announced from unallocated address space:    549
Number of addresses announced to Internet:   2791677888
Equivalent to 166 /8s, 101 /16s and 159 /24s
Percentage of available address space announced:   75.4
Percentage of allocated address space announced:   75.4
Percentage of available address space allocated:  100.0
Percentage of address space in use by end-sites:   97.6
Total number of prefixes smaller than registry allocations:  185801

APNIC Region Analysis Summary

Prefixes being announced by APNIC Region ASes:   137442
Total APNIC prefixes after maximum aggregation:   39619
APNIC Deaggregation factor:    3.47
Prefixes being announced from the APNIC address blocks:  144696
Unique aggregates announced from the APNIC address blocks:    59649
APNIC Region origin ASes present in the Internet Routing Table:    5082
APNIC Prefixes per ASN:   28.47
APNIC Region origin ASes announcing only one prefix:   1207
APNIC Region transit ASes present in the Internet Routing Table:    890
Average APNIC Region AS path length visible:    4.5
Max APNIC Region AS path length visible: 38
Number of APNIC region 32-bit ASNs visible in the Routing Table:   1616
Number of APNIC addresses announced to Internet:  752104064
Equivalent to 44 /8s, 212 /16s and 50 /24s
Percentage of available APNIC address space announced: 87.9

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 63488-64098, 131072-135580
APNIC Address Blocks     1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,
                        49/8,  58/8,  59/8,  60/8,  61/8, 101/8, 103/8,
                       106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
                       116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
                       123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8,
                       163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8,
                       203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8,
                       222/8, 223/8,

ARIN Region Analysis Summary


Prefixes being announced by ARIN Region ASes:    180364
Total ARIN prefixes after maximum aggregation:    88403
ARIN Deaggregation factor:    2.04
Prefixes being announced from the ARIN address blocks:   183248
Unique aggregates announced from the ARIN address blocks:    86047
ARIN Region origin ASes present in the Internet Routing Table:    16586
ARIN Prefixes per ASN: 

Re: Updating dns glue

2015-09-05 Thread Mike



> Some ideas:
>
> 1. You could just add a nameserver. There's no rule that says you have 
> to have exactly two. You could almost certainly have three. (There are 
> some registry-specific rules that specify the minimum and maximum 
> numbers, but I've never seen a registry where the maximum was two.) If 
> you add a new nameserver, and leave your existing two as they are, 
> you've achieved your diversity goal and avoided the problem you're 
> currently struggling with. Apply a touch of mind bleach, and you'll 
> forget that "glue records" are even a thing.




Unfortunately, I have other customer hosted domains and they also are 
listed only with 'ns1' and 'ns2' of my domain, therefore, if there is an 
outage, unless I can actually update the ip of 'ns2' to my new 
off-network host, those other domains are still a fail. Changing the ip 
of the host is the right answer in this situation.


> So those are the people I would ask to rename (say) 
> NS3.P23.DYNECT.NET. Of course in this case they would say "haha, no" 
> and probably advise me to add a nameserver rather than trying to 
> reconfigure their commercial DNS service. But you get the idea; if the 
> nameserver you want to rename is subordinate to a domain name you have 
> administrative control over, you could interact with the registrar for 
> the domain and make the change.
>
> The precise way a particular registrar will accept such a change 
> varies by registrar. Sometimes (I hear) the user interface involves 
> phone calls and shouting. But then you have a choice of registrar, if 
> you can figure out how to make transfers work.




This seems to be the case with dotster. I apologise to anyone over there 
who may be reading, but it seems that they are completely clueless. 
They've told me again in support they effected the change, but I can see 
that all they did was update their own customer hosting account zone 
data and not actually push it out to the roots (or more correctly the 
gtld's?).


> If your domain and/or nameservers are not named under NET, ORG or COM, 
> the above may be useful or, quite possibly, completely irrelevant, 
> depending on factors that your registrar is in theory supposed to hide 
> from you. There are as many other data models as there are other TLDs, 
> almost-maybe, and I certainly don't know the details of all or even 
> many of them.
>
> If this is sounding very XKCD-927, that's because it is. This is 
> perhaps why lots of people pay others to do this for them 
> (registry/registrar shenanigans and DNS hosting) so that they can live 
> their lives with one less thing to be angry about.




So what I need is a registrar with a clue about the glue... Open to 
suggestions here...



Mike-
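
The point at issue in this thread is that a recursive lookup shows the child zone's own answer, not the glue the parent zone hands out in its referral. As an added example (not written by anyone in the thread), this Python compares the two from saved `dig +norecurse` output; the zone name, addresses and both sample outputs are constructed, and the status labels are this example's own.

```python
import ipaddress
import re

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)\s*$")
SECTION = re.compile(r"^;; (\w+) SECTION:")

# Constructed sample: `dig +norecurse @<parent-zone server> example.net NS`
PARENT_REFERRAL = """\
;; QUESTION SECTION:
;example.net.                   IN      NS

;; AUTHORITY SECTION:
example.net.        172800  IN  NS  ns1.example.net.
example.net.        172800  IN  NS  ns2.example.net.
example.net.        172800  IN  NS  ns3.example.org.

;; ADDITIONAL SECTION:
ns1.example.net.    172800  IN  A   192.0.2.53
ns2.example.net.    172800  IN  A   192.0.2.54
"""

# Constructed sample: answers from the zone's own nameserver for the same hosts
CHILD_ANSWERS = """\
;; ANSWER SECTION:
ns1.example.net.    3600    IN  A   192.0.2.53
ns2.example.net.    3600    IN  A   198.51.100.54
"""


def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def parse_dig(text):
    """Return {section: [(owner, rrtype, rdata), ...]} from dig's text output."""
    sections, current = {}, None
    for line in text.splitlines():
        header = SECTION.match(line)
        if header:
            current = header.group(1).upper()
            sections.setdefault(current, [])
            continue
        if current is None or line.startswith(";"):
            continue
        rr = RR.match(line)
        if rr:
            owner, rrtype, rdata = rr.groups()
            sections[current].append((norm(owner), rrtype.upper(), rdata))
    return sections


def addresses(records):
    """Collect A/AAAA rdata per owner name as ip_address objects."""
    found = {}
    for owner, rrtype, rdata in records:
        if rrtype in ("A", "AAAA"):
            found.setdefault(owner, set()).add(ipaddress.ip_address(rdata))
    return found


def compare_glue(zone, parent_text, child_text):
    """Classify each delegated nameserver by comparing parent glue to child data."""
    zone = norm(zone)
    parent, child = parse_dig(parent_text), parse_dig(child_text)
    delegated = sorted({norm(rdata) for owner, rrtype, rdata
                        in parent.get("AUTHORITY", [])
                        if rrtype == "NS" and owner == zone})
    glue = addresses(parent.get("ADDITIONAL", []))
    auth = addresses(child.get("ANSWER", []))
    report = {}
    for ns in delegated:
        if not (ns == zone or ns.endswith("." + zone)):
            report[ns] = "out-of-zone"      # its address is held under another domain
        elif ns not in glue:
            report[ns] = "missing-glue"     # in-zone nameserver with no address at the parent
        elif ns not in auth:
            report[ns] = "no-child-answer"  # nothing to compare against
        elif glue[ns] == auth[ns]:
            report[ns] = "match"
        else:
            report[ns] = "stale-glue"       # parent still hands out the old address
    return report


if __name__ == "__main__":
    for host, status in compare_glue("example.net", PARENT_REFERRAL, CHILD_ANSWERS).items():
        print(f"{host:20} {status}")
```

A `stale-glue` result is the situation described above: the zone data was changed, but the host object at the registry still carries the old address.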





Re: Whois.net down?

2015-09-05 Thread David S.
Hi Brian,

I'm able to access https://whois.net, have you checked the nameserver of
numachi.com?
Does the other domain use the same authoritative DNS?






Best regards,
David S.

e. da...@zeromail.us
w. http://blog.pnyet.web.id

On Thu, Sep 3, 2015 at 9:39 PM, Brian Reichert  wrote:

> I'm trying to use https://www.whois.net/ to resolve info about
> several domains, including my own (NUMACHI.COM).
>
> For several domains (but not all), I get 'Error extracting data. No
> data available'.  There's a 'please read' tag, but no text associated
> with it.
>
> Anyone know if they're having issues there?
>
> --
> Brian Reichert  
> BSD admin/developer at large
>


Re: Software Defined Networking

2015-09-05 Thread Ignacio de castro
For a more academic perspective:
"Software-defined networking: A comprehensive survey"
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6994333&tag=1


On Fri, Sep 4, 2015 at 5:35 PM, Ignacio de castro 
wrote:

> For a more academic perspective:
> "Software-defined networking: A comprehensive survey"
> http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6994333&tag=1
>
> On Fri, Sep 4, 2015 at 5:25 PM, John Kristoff  wrote:
>
>> On Fri, 4 Sep 2015 14:40:31 +
>> Rod Beck  wrote:
>>
>> > Can anyone provide references on this topic so I can educate myself?
>>
>> A bit more effort will be required on your part to get the most out
>> of it, but one potentially in depth resource would be Nick Feamster's
>> Software Defined Networking course, currently available through
>> Coursera:
>>
>>   
>>
>> John
>>
>
>


RE: BGP advertise-best-external on RR

2015-09-05 Thread Jakob Heitz (jheitz)
If your network is such that only a handful of routers supply redundant paths, 
then you can set up iBGP sessions with those directly without going via route 
reflectors. You can have most routes going through reflectors and a few through 
direct BGP sessions. Not everything needs to go through route reflectors. You 
can even do both: Have a router peer with a reflector as well as directly if 
you only need the redundant routes in a few places. You will end up with 
duplicate routes, but that's not a show stopper. You can avoid duplicate routes 
with route maps. You can have multiple route reflectors with different cluster 
IDs that carry the redundant routes only. Clients can peer with multiple 
clusters. Use route maps to avoid duplicate routes. These last things get 
complicated to manage, so I'd still go for add-path if at all possible.

--Jakob


> Message: 2
> Date: Tue, 1 Sep 2015 14:51:27 +0200
> From: Mohamed Kamal 
> To: Jeff Tantsura , Diptanshu Singh
>   
> Cc: NANOG 
> Subject: Re: BGP advertise-best-external on RR
> Message-ID: <55e59f4f.8010...@noor.net>
> Content-Type: text/plain; charset=windows-1252; format=flowed
> 
> Hi,
> 
> Diverse-path will only send the second best path, and in my case I have
> three routes not two. In addition to that, every PE will have to peer
> with the RR via a second session (on the same RR, as I will not deploy a
> new standalone shadow RR) and this will increase the BGP sessions to the
> double.
> 
> Add-path will have a network-wide IOS upgrade for this BGP capability to
> be supported which is not viable now.
> 
> So, is there any other recommendation other than the internet VRF with
> different RDs solution?
> 
> Regards,
> 
> Mohamed Kamal
> Core Network Sr. Engineer
> 
> On 8/25/2015 11:37 AM, Jeff Tantsura wrote:
> > Hi,
> >
> > In your case I'd recommend to use diverse path, due to its simplicity and
> > non disruptive deployment characteristics.
> > As you know - diverse path requires additional BGP session per additional
> > (second, next, etc) path, in most cases not a problem, however mileage
> > might vary.
> >
> > To my memory, in Cisco land - it has only been implemented in IOS, not XR,
> > please check.
> >
> > Cheers,
> > Jeff
> >
> >
> >
> >
> > -Original Message-
> > From: Diptanshu Singh 
> > Date: Monday, August 24, 2015 at 10:53 PM
> > To: Mohamed Kamal 
> > Cc: "nanog@nanog.org" 
> > Subject: Re: BGP advertise-best-external on RR
> >
> >> Yes . In the case of diverse path , shadow route reflector will be the
> >> one wherever  you enable commands to trigger diverse path computation.
> >>
> >> Good thing with diverse path is that the RR-Clients don't have to have
> >> any support but bad thing is that it can only reflect One additional
> >> best-path( second best path ) .
> >>
> >> Sent from my iPhone
> >>
> >>> On Aug 24, 2015, at 2:31 PM, Mohamed Kamal  wrote:
> >>>
> >>> It's only supported on the 15.2(4)S and later not the SRE train. I
> >>> might consider an upgrade.
> >>>
> >>> One more question regarding this, can you configure the RR to be the
> >>> main and shadow RR?
> >>>
> >>> Mohamed Kamal
> >>> Core Network Sr. Engineer
> >>>
> >>>> On 8/24/2015 9:16 PM, Diptanshu Singh wrote:
> >>>> BGP Add-Path might be your friend . You can look at diverse-path as
> >>>> well .
> >


Re: Software Defined Networking

2015-09-05 Thread Narseo Vallina Rodriguez
There's also a quite comprehensive survey from an academic angle:

http://arxiv.org/abs/1406.0440


Re: Software Defined Networking

2015-09-05 Thread Tyler Mills
Would be hard to prove that you implicitly agreed to the constraints
mentioned within the email by just merely receiving it and reading it.
Even EULA's require you to check a box or click "I Accept."

On Fri, Sep 4, 2015, 2:30 PM Larry Sheldon  wrote:

> On 9/4/2015 12:57, Aaron C. de Bruyn wrote:
> > I think it's time to change my SMTP greeting to:
> >
> > 220-By submitting e-mail to this server, you agree all legal
> > disclaimers are null and void.
> > 220 You also agree that I am awesome.
>
> I like that.  Unfortunately, I no longer operate a mail host.
>
> I have been trying to figure out how to mechanically route messages
> containing them to the spam sump.
>
> IANAL, but I think an interesting case would be trying to enforce that
> crap in a situation involving unsolicited email (as in this case).
>
> --
> sed quis custodiet ipsos custodes? (Juvenal)
>


Re: Software Defined Networking

2015-09-05 Thread Jennifer Rexford
For a short survey and history, see also "The road to SDN: An intellectual 
history of programmable networks"
http://queue.acm.org/detail.cfm?id=2560327

Also, the lectures and interviews from Nick Feamster's coursera course are 
available on YouTube: https://m.youtube.com/user/nfeamster?noapp=1

-- Jen


> On Sep 4, 2015, at 12:43 PM, Ignacio de castro  wrote:
> 
> For a more academic perspective:
> "Software-defined networking: A comprehensive survey"
> http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6994333&tag=1
> 
> 
> On Fri, Sep 4, 2015 at 5:35 PM, Ignacio de castro 
> wrote:
> 
>> For a more academic perspective:
>> "Software-defined networking: A comprehensive survey"
>> http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6994333&tag=1
>> 
>>> On Fri, Sep 4, 2015 at 5:25 PM, John Kristoff  wrote:
>>> 
>>> On Fri, 4 Sep 2015 14:40:31 +
>>> Rod Beck  wrote:
>>> 
>>>> Can anyone provide references on this topic so I can educate myself?
>>> 
>>> A bit more effort will be required on your part to get the most out
>>> of it, but one potentially in depth resource would be Nick Feamster's
>>> Software Defined Networking course, currently available through
>>> Coursera:
>>> 
>>>  
>>> 
>>> John
>> 
>> 


Re: Software Defined Networking

2015-09-05 Thread Jared Mauch
These disclaimers have been proven to be added by the paranoid.

eg:

http://articles.chicagotribune.com/2011-08-26/business/ct-biz-0826-chicago-law-20110826_1_disclaimers-legal-obligations-binding

Basically, unless you already have an existing written NDA you’re likely not 
bound.  Your company may have an NDA between yourself and a vendor, carrier or 
otherwise.  If you’re not sure, ask.

- Jared

> On Sep 4, 2015, at 2:35 PM, Tyler Mills  wrote:
> 
> Would be hard to prove that you implicitly agreed to the constraints
> mentioned within the email by just merely receiving it and reading it.
> Even EULA's require you to check a box or click "I Accept."
> 
> On Fri, Sep 4, 2015, 2:30 PM Larry Sheldon  wrote:
> 
>> On 9/4/2015 12:57, Aaron C. de Bruyn wrote:
>>> I think it's time to change my SMTP greeting to:
>>> 
>>> 220-By submitting e-mail to this server, you agree all legal
>>> disclaimers are null and void.
>>> 220 You also agree that I am awesome.
>> 
>> I like that.  Unfortunately, I no longer operate a mail host.
>> 
>> I have been trying to figure out how to mechanically route messages
>> containing them to the spam sump.
>> 
>> IANAL, but I think an interesting case would be trying to enforce that
>> crap in a situation involving unsolicited email (as in this case).
>> 
>> --
>> sed quis custodiet ipsos custodes? (Juvenal)
>> 



Re: Weekly Routing Table Report

2015-09-05 Thread Colin Johnston
that might be solved in future with a dump to a storage area, diff of previous 
dump and flag problem if diff shows significant difference

colin

Sent from my iPhone

> On 5 Sep 2015, at 15:04, Philip Smith  wrote:
> 
> 
> Hi Hugo,
> 
> Hugo Slabbert wrote on 5/09/2015 01:20 :
>> 
>>> BGP routing table entries examined:
>>> 30167
>> ...
>>> Percentage of available address space announced:
>>> 7.0 Percentage of allocated address space announced:
>>> 7.0
>> 
>> erm...y'all missing some prefixes on the collector for the report?
> 
> Yes. :-(
> 
> Seems like the dump from the collector happened just after a BGP reset
> (or something). I'm checking that now, or whether something else has
> broken.
> 
> Sorry!!
> 
> philip


RE: NetFlow - path from Routers to Collector

2015-09-05 Thread Frank Bulk
How many IPv6 addresses do you get?

Frank

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Avi Freedman
Sent: Tuesday, September 01, 2015 7:31 PM
To: Jared Mauch 
Cc: NANOG 
Subject: Re: NetFlow - path from Routers to Collector

(Jared wrote):



> Most people I've seen have little data or insight into their 
> networks, or don't have the level that they would desire as 
> tools are expensive or impossible to justify due to capital costs.  
> Tossing in a recurring opex cost of DC XC fee  + transport + XC fee + 
> redundant aggregation often doesn't have the ROI you infer here. 
> I've put together some models in this area.  It seems to me the 
> DC/real estate companies involved could make a lot (more) money by 
> offering an OOB service that is 10Mb/s flat-rate for the same as an XC 
> fee and compete with their customers.

Equinix does have a very aggressively priced 10Mb/s flat-rate OOB (single 
IP only but that's not that hard to work around) for essentially XC
pricing.  It's been stable but not something you'd rely on for 100%
packet delivery to some other point on the Internet (so more for
reaching a per-pop OOB than for making a coherent OOB network with
a bunch of monitoring running 24x7).

Still, it's a good value for what it is.



> - Jared

Avi Freedman
CEO, Kentik
avi at kentik dot com





Re: Software Defined Networking

2015-09-05 Thread Scott Weeks


--- ignac...@gmail.com wrote:
From: Ignacio de castro 

For a more academic perspective:
"Software-defined networking: A comprehensive survey"
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6994333&tag=1
--


Can't read it.  They suck:


You have been redirected to this page for one of the following reasons:

Either cookies are not enabled on your browser or Your network 
configuration is causing cookies to be lost or not function properly. 

IEEE Xplore requires cookies to maintain sessions and to access 
licensed content. Cookies are used temporarily to maintain sessions in 
IEEE Xplore and for no other purpose. The cookies will not persist after 
a session ends.

Please change your browser settings to accept cookies before you access 
IEEE Xplore.



scott


weather.gov invalid ssl cert

2015-09-05 Thread Grant Ridder
If someone that works with or knows someone who works with weather.gov
(National Weather Service) please take a look at this.  I did a whois on
weather.gov and there is no contact info.

www.weather.gov is serving an Akamai cert
weather.gov is serving a NWS SAN cert that does not cover weather.gov
(includes www though)

username@hostname ~ $ echo quit | openssl s_client -connect  weather.gov:443
| openssl x509 -text
depth=3 /C=US/O=The Go Daddy Group, Inc./OU=Go Daddy Class 2 Certification
Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
DONE
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
07:a2:c1:cb:fa:c1:18
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=
http://certs.godaddy.com/repository/, CN=Go Daddy Secure Certificate
Authority - G2
Validity
Not Before: Nov 13 20:54:35 2014 GMT
Not After : Nov 17 17:33:22 2015 GMT
Subject: OU=Domain Control Validated, CN=ucc.weather.gov
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 CRL Distribution Points:
URI:http://crl.godaddy.com/gdig2s1-87.crl

X509v3 Certificate Policies:
Policy: 2.16.840.1.114413.1.7.23.1
  CPS: http://certificates.godaddy.com/repository/

Authority Information Access:
OCSP - URI:http://ocsp.godaddy.com/
CA Issuers - URI:
http://certificates.godaddy.com/repository/gdig2.crt

X509v3 Authority Key Identifier:

keyid:40:C2:BD:27:8E:CC:34:83:30:A2:33:D7:FB:6C:B3:F0:B4:2C:80:CE

X509v3 Subject Alternative Name:
DNS:ucc.weather.gov, DNS:www.ucc.weather.gov, DNS:
alerts.weather.gov, DNS:nwschat.weather.gov, DNS:vpn.weather.gov, DNS:
www.weather.gov
X509v3 Subject Key Identifier:
01:7D:76:D9:61:68:EB:50:F7:C4:26:02:DC:94:56:62:45:0B:5B:58
Signature Algorithm: sha256WithRSAEncryption
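
The mismatch reported in this message can be checked mechanically. As an added example (not part of the original post), this Python pulls the `DNS:` entries out of `openssl x509 -text` output, including the mail-wrapped form shown above, and tests a hostname against them; the wildcard rule (one left-most label only) goes beyond the names on this certificate, and the function names are this example's own.

```python
import re

# The SAN extension exactly as it appears (line-wrapped) in the output above.
CERT_TEXT = """\
X509v3 Subject Alternative Name:
DNS:ucc.weather.gov, DNS:www.ucc.weather.gov, DNS:
alerts.weather.gov, DNS:nwschat.weather.gov, DNS:vpn.weather.gov, DNS:
www.weather.gov
X509v3 Subject Key Identifier:
"""

SAN_BLOCK = re.compile(
    r"X509v3 Subject Alternative Name:[^\n]*\n(.*?)"
    r"(?=\n\s*X509v3 |\n\s*Signature Algorithm|\Z)",
    re.S,
)


def san_dns_names(x509_text):
    """Return the dNSName entries from the SAN extension of `openssl x509 -text`."""
    block = SAN_BLOCK.search(x509_text)
    if not block:
        return []
    # \s* after "DNS:" lets a name that was wrapped onto the next line be recovered.
    return [n.lower().rstrip(".") for n in re.findall(r"DNS:\s*([^\s,]+)", block.group(1))]


def name_matches(host, pattern):
    """Exact match, or a '*.' pattern standing in for exactly one left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    first, _, rest = host.partition(".")
    return bool(first) and rest == pattern[2:]


def covers(host, names):
    """True if any SAN entry matches the hostname the client asked for."""
    return any(name_matches(host, n) for n in names)


if __name__ == "__main__":
    names = san_dns_names(CERT_TEXT)
    for host in ("www.weather.gov", "weather.gov"):
        print(f"{host:18} {'covered' if covers(host, names) else 'NOT covered'}")
```

Note that a `*.weather.gov` entry would not cover the bare `weather.gov` name either; the apex has to be listed explicitly.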

internet visualization

2015-09-05 Thread Jared Mauch

OT: hit delete, or shameless plug disclaimer

one of my colleagues just posted this visualization
of the internet from the as_path view of 2914.  if you are on
a mobile, you have to physically move your device around.

http://as2914.net/

If you love it, send Job your accolades.  If you hate it,
see above disclaimer.  If in a country with a holiday on monday,
enjoy it safely.

- Jared

-- 
Jared Mauch  | pgp key available via finger from ja...@puck.nether.net
clue++;  | http://puck.nether.net/~jared/  My statements are only mine.


Re: internet visualization

2015-09-05 Thread Larry Sheldon

On 9/5/2015 19:15, Jared Mauch wrote:


> OT: hit delete, or shameless plug disclaimer
>
> one of my colleagues just posted this visualization
> of the internet from the as_path view of 2914.  if you are on
> a mobile, you have to physically move your device around.
>
> http://as2914.net/
>
> If you love it, send Job your accolades.  If you hate it,
> see above disclaimer.  If in a country with a holiday on monday,
> enjoy it safely.


FarOUT!

Outstanding.

Please forward my accolades.

(Is a "you are here" possible?)




> - Jared




--
sed quis custodiet ipsos custodes? (Juvenal)


Any Tool to replace Peakflow CP

2015-09-05 Thread Aluisio da Silva
Hello,

Does anyone here have a suggestion for a tool to replace Peakflow CP from Arbor 
Networks?

Please, if possible, I would like to hear some suggestions.

Thanks.

Aluísio da Silva
Planning and Engineering Coordination
CTBC
(34) 3256-2471
(34) 9976-0471
www.ctbc.com.br




This message, including its attachments, may contain confidential and/or 
privileged information and is for the exclusive use of its recipients. Its 
content must not be disclosed. If you are not the recipient authorized to 
receive this message, you may not use, copy or disclose the information 
contained in it or take any action based on this e-mail; please notify the 
sender and delete it immediately. We accept no responsibility for opinions 
and/or statements conveyed by e-mail and are not bound to comply with any 
condition set out in this instrument.

This message,including its attachments,contains and/or may contain confidential 
and privileged information.If you are not the person authorized to receive this 
message,you may not use,copy or disclose the information contained therein or 
take any action based on this information.If this message is received by 
mistake,please notify the sender by immediately replying to this email and 
deleting its files.We appreciate your cooperation.


Re: Any Tool to replace Peakflow CP

2015-09-05 Thread alvin nanog

hi aluisio

On 09/06/15 at 02:01am, Aluisio da Silva wrote:
> Hello,
> 
> Does anyone here have a suggestion for a tool to replace Peakflow CP from 
> Arbor Networks?

# for reference
http://www.arbornetworks.com/products

> Please, if possible, I would like to hear some suggestions.

- sflow based
http://www.sflow.com/products/floodprotect.php
http://www.inmon.com/technology/sflowTools.php

http://www.andrisoft.com/software/wanguard
http://www.github.com/FastVPSEestiOu/fastnetmon
http://www.packetdam.com
http://www.radware.com/Products/DefenseFlow

- netflow based
?cisco url?

http://nfdump.sourceforge.net
http://nfsen.sourceforge.net
http://sourceforge.net/projects/panoptis

- jflow based
?juniper?

magic pixie dust
alvin
#
# DDoS-Mitigator.com
#

> Thanks.
> 
> Aluísio da Silva
> Planning and Engineering Coordination
> CTBC
> (34) 3256-2471
> (34) 9976-0471
> www.ctbc.com.br