Re: U.S. Plans Cyber Shield for Utilities, Companies

2010-07-07 Thread Adrian Chadd
On Wed, Jul 07, 2010, Patrick Giagnocavo wrote:

> Why does it cost $100 million to install and configure OpenBSD on a
> bunch of old systems?

I think you've misunderstood the question if you think "openbsd on
old systems" is the answer.

:)


Adrian




Re: White House net security paper

2009-05-31 Thread Adrian Chadd
On Mon, Jun 01, 2009, Randy Bush wrote:

> and why do we think that throwing a jillion bodies at the problem is a
> useful approach?

No, but it does keep people employed.

Sorry, I think I reached a new low in my "stabby, jaded" level when
a past employer (a network consulting firm) blasted me for being
"too efficient" at solving a problem.



Adrian




Re: tor

2009-06-24 Thread Adrian Chadd
On Thu, Jun 25, 2009, Suresh Ramasubramanian wrote:
> Rod - you wouldn't qualify as an ISP - or even a "provider of an
> interactive computer service" to go by the language in 47 USC 230, by
> simply running a TOR exit node.

Ah, but would an ISP which currently enjoys whatever the current definition
of "common carrier" is these days, running a TOR node, still be covered by
said provisions?



Adrian




Re: tor

2009-06-24 Thread Adrian Chadd
On Thu, Jun 25, 2009, Suresh Ramasubramanian wrote:
> On Thu, Jun 25, 2009 at 9:44 AM, Adrian Chadd wrote:
> > On Thu, Jun 25, 2009, Suresh Ramasubramanian wrote:
> >> Rod - you wouldn't qualify as an ISP - or even a "provider of an
> >> interactive computer service" to go by the language in 47 USC 230, by
> >> simply running a TOR exit node.
> >
> > Ah, but would an ISP which currently enjoys whatever the current definition
> > of "common carrier" is these days, running a TOR node, still be covered by
> > said provisions?
> 
> ISPs are not common carriers.  Geoff Huston is - as always - the guy
> who explains it best.
> http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_5-3/uncommon_carrier.html

Fine; re-phrase my question as "an organisation currently enjoying common
carrier status."



Adrian
(Apologies for off-topic noise.)



Re: Using twitter as an outage notification

2009-07-05 Thread Adrian Chadd
On Sun, Jul 05, 2009, Roland Perry wrote:

> Unfortunately, the number of students polling the website for news means 
> it can't cope with the traffic. I don't believe they can justify paying 
> more for better web hosting, just to manage this once-a-year half hour 
> event.

Is Twitter making a profit or not?

This discussion about (ab)using a publicly available message system which
isn't currently being charged for would make me worried^Wamused as hell.

(Not that I can't see possible ways of making money off twitter - especially
if you offer reliable message dissemination services to companies for a fee,
but AFAIK they aren't doing this at the moment.)



Adrian




Re: Request for contact and procedure information

2009-07-09 Thread Adrian Chadd
On Thu, Jul 09, 2009, Charles Wyble wrote:
> I did. Still getting pounded.

And it's not covered by your SLA?



Adrian




Re: What is good in modular routers these days?

2009-07-20 Thread Adrian Chadd
On Mon, Jul 20, 2009, William Pitcock wrote:

> I don't need any of that stuff, just BGP, OSPF and fast packet
> forwarding for IPv4.  But the point is that I need only routing
> functionality, I don't need switching functionality like on a Cisco
> 6500-class system.

I bet if you went and spoke to the right people in the correct
open source kernel/distribution project, -given the right clue-,
very fast forwarding and QoS could start appearing in *NIX OSes.

The problem I see is there's a lot of demand -once it is done-, but
no one org or group willing to pony up to see it happen.

The clue is out there. They're just looking for a way to pay the
rent.



Adrian

(Not looking to do this, I have enough going on atm..)




Re: What is good in modular routers these days?

2009-07-21 Thread Adrian Chadd
On Tue, Jul 21, 2009, Petersen, Mark wrote:

> FreeBSD provides support for 802.11q, bgpd, ospfd, pf(firewall) and
> ALTQ(QOS) but since I haven't tested it I have no idea what kind of real
> world performance you can get with all these features in use.
> 
> This is one group trying to pony up at least with support of many major
> vendors.

The main current funding source for work being committed back to FreeBSD's
10GE performance has a very big focus on server performance, not forwarding
performance. Hence the flow cache, which benefits TCP stream performance.



Adrian




RE: What else shall we test?

2009-07-22 Thread Adrian Minta
I will suggest to test the throughput when a BGP peer is flapping.

-Original Message-
From: Michael J McCafferty 
Sent: 23 July 2009 03:05
To: nanog 
Subject: What else shall we test?

All,
We are putting together a test plan to test a pair of Cisco 7206 VXR's,
each with NPE-G2. The purpose of the test is just to make sure we
know where their realistic limits are with a real configuration, full
route tables from two providers, etc. We have one JDSU T-Berd 8000 test
system with interfaces and software to test a single stream through
multi-mode fiber interfaces. We plan to test through the interfaces on
the NPE and through PA-GE cards with a variety of packet sizes
(especially 64 Byte).
I'd be interested in any thoughts on additional testing or testing
methodologies we might want to do, to help us set our expectations for
this setup and to plan when we need to go bigger as we grow traffic,
hosts, etc.
We plan to get 1 to 3 additional full tables and peer with Any2 Easy on
this network within the next year. We want to determine how this
platform will behave under moderate DoS attacks, BGP updates, etc. Is
there anything else we need to be mindful of? Can we get a realistic
test of the routers with the T-Berd? What else should we test while we
have the maintenance window and the test system on hand?

Your thoughts and experience are appreciated!

Thanks !
Mike

-- 

Michael J. McCafferty
Principal, Security Engineer
M5 Hosting
http://www.m5hosting.com

You can have your own custom Dedicated Server up and running today !
RedHat Enterprise, CentOS, Ubuntu, Debian, OpenBSD, FreeBSD, and more







Re: Subnet Size for BGP peers.

2009-07-30 Thread Adrian Minta
A shared link for BGP connectivity is a bad idea. Imagine that one of your
customers leaves proxy-arp on his interface, or imagine that he makes a
Layer 2 loop. Then all other customers will be affected. Usually a
customer with BGP is on another level, so a gain of some IPs isn't
worth the trouble IMHO.


--
Best regards,
Adrian Minta






Re: Hijacked Blocks

2009-09-14 Thread Adrian Minta
In Europe RIPE has a nice database. Hijacking is not possible since most
ISPs use filters based on the RIPE Database.

Why doesn't ARIN use a similar tool?





Re: Google Pagerank and "Class-C Addresses"

2009-09-21 Thread Adrian Chadd
On Mon, Sep 21, 2009, Jeffrey Lyon wrote:
> We used to have a lot of people buying IPs in bulk for SEO. They
> would all cancel within one or two months citing that they couldn't
> afford it or the project failed, etc. Guess they realized that the
> whole thing is a myth.

.. or, which is more likely given my brief exposure to this crap, the
search engines cottoned on and changed the metrics again.




adrian




Re: UDP and IP fragmentation

2009-09-22 Thread Adrian Chadd
On Tue, Sep 22, 2009, Philip Lavine wrote:
> To all,
> 
> I am running a Windows based high performance computing application that uses 
> "reliable" multicast (29West) on a gigabit LAN. All systems are logically on 
> the same VLAN and even on the same physical switch The application is set to 
> use an 8k buffer and therefore results in IP fragmentation when datagrams are 
> transmitted. The application is sensitive to any latency or data loss (of 
> course) and uses a proprietary mechanism to create TCP-like retransmissions 
> in case there is any actual data loss. Unfortunately, because of the 
> fragmentation during the retransmission window all IP fragments must be 
> resent even though only one may have been lost.
> 
> If the buffer size is tweaked to ~1460 this may fix the fragmentation but 
> will the side effects be less throughput and possibly more latency? Is there 
> a sweet spot for UDP on an ethernet segment? 

First, figure out whether all of the above matters. :)

Invest in a switch and NIC infrastructure that lets you stuff said 8k frames
into an >8k jumbo frame. Then make sure you've read and understood QoS basics,
including the generic stuff (packet scheduling, queuing/dequeuing concepts);
investigate what various vendors claim their switches do and then actually
look around for feedback about what others have -seen-.

Finally, use all of that clue to make sure that the consultant you then hire to
do the work is actually doing their job.

No, I'm not (mostly) being facetious. It is mostly easy to get it "right" when
it works, but it is -not- right to get it "right enough" when it doesn't work.




Adrian




Re: ISP customer assignments

2009-10-05 Thread Adrian Chadd
On Mon, Oct 05, 2009, Antonio Querubin wrote:
> On Mon, 5 Oct 2009, robert.e.vanor...@frb.gov wrote:
> 
> >The address space is daunting in scale as you have noted, but I don't see
> >any lessons learned in address allocation between IPv6 and IPv4.  Consider
> 
> A lesson learned is that thinking about address allocation is something 
> you do not want to spend too many precious seconds of your life on. 
> That's one reason why the space was designed to be so big.  Being 
> penny-wise and pound-foolish doesn't really save you much in the IPv6 
> address space.

.. address aggregation?
.. convergence time?

I'm sorry, but seeing a good fraction of my local IX simply containing
a few ISPs' deaggregated view of their "local" internal networks versus
a sensible allocation policy makes me cry. IPv6 may just make this
worse. IPv6 certainly won't make it "better".



adrian



Re: ISP customer assignments

2009-10-05 Thread Adrian Chadd
On Mon, Oct 05, 2009, Joe Greco wrote:

> > I'm sorry, but seeing a good fraction of my local IX simply containing
> > a few ISPs' deaggregated view of their "local" internal networks versus
> > a sensible allocation policy makes me cry. IPv6 may just make this
> > worse. IPv6 certainly won't make it "better".
> 
> That would seem to be an IX administrative problem.

Sure, if you don't want to see those local networks. But since the cost
of getting from "Perth" to "! Perth" is (was?) a lot higher than what
you guys even pay for international transit at non-Cogent rates, we have
some sort of desire to keep as much traffic local as possible.

Hence "Local only" announcements.

> As it stands, there are lots and lots and lots of AS's that advertise
> multiple blocks of space.  Ideally, one would rather see a large ISP
> get a single delegation, rather than advertising 50 or 500.

.. and what about their customers with portable address space?
What if every single customer decides they now want to multihome, dynamic
endpoint resolution stuff (LISA?) isn't ready, and companies simply join
the RIR and buy their own IP space? :)



Adrian




Re: Does Internet Speed Vary by Season?

2009-10-07 Thread Adrian Chadd
Please don't forget moisture content. DSL speeds may drop during
wet winters because cable pits fill with water. :)

Those with real statistics, please stand up. I know ISPs who run
large DSL infrastructures have these stats. I've even seen them
at conferences. :)


Adrian


On Wed, Oct 07, 2009, Bryan Campbell wrote:
> No, I did not read the article . . . But,  . . .
> 
> Yes, DSL speed varies by season . . . or rather, temperature.
> 
> But, this is really only the case for _aerial_copper_plant.  Buried 
> plant is nearly the same temperature year round.
> 
> Copper pair resistance changes with temperature.  And, therefore, the 
> link speed of DSL will change depending upon the time of the year 
> (temperature) and geographic location.
> 
> If there is a difference of but a few degrees of temperature year round, 
> then no there will be no difference.  But, if you live in the desert 
> southwest or even the mid-west where the temperatures can be 70-120 
> degrees different between seasons or even 40-70 degrees different 
> between night and day . . . you are going to have pronounced differences 
> in link speed.
> 
> Worst case, your link speed might vary 10-20%.  The longer the cable 
> length from the central office, the more the variance will be.  But, 
> this is something that must be measured on a case by case basis.  And, 
> since much of the aerial plant has been replaced with buried plant, this 
> really isn't much of a problem anymore.
> 
> BBC
> 
> Joe Greco wrote:
> >>http://www.wired.com/gadgets/miscellaneous/magazine/17-10/ts_burningquestion
> >
> >It used to be that we would notice this, except that it had everything to
> >do with temperature *and* dampness.  In the '90's, it was still quite
> >common for a lot of older outside plant to be really only "voice grade"
> >and it wasn't unusual for copper to run all the way back to the CO,
> >through a variety of taps and splice points.  Even though Ma Bell would
> >typically do a careful job handling their copper, the sheer number of
> >potential points of failure meant that it wasn't unusual for water to
> >infiltrate and penetrate.  If I recall correctly, the worst was usually
> >a long, hard cold rain (hey we're in Wisconsin) after which people who
> >had been getting solidly high speed modem connects would see a somewhat
> >slower speed.
> >
> >... JG

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $24/pm+GST entry-level VPSes w/ capped bandwidth charges available in WA -



wanted: facebook technical contact

2009-10-09 Thread Adrian Chadd
howdy,

I'm chasing a technical contact at Facebook. There's some broken HTTP being
served which is confusing Squid in a way that isn't easily, cleanly
worked around.

Please feel free to contact me off-list.

Thanks,



Adrian




Re: wanted: facebook technical contact

2009-10-09 Thread Adrian Chadd
A few people have asked what the specific problem is.

http://www.squid-cache.org/mail-archive/squid-dev/200910/0089.html




Adrian

On Sat, Oct 10, 2009, Adrian Chadd wrote:
> howdy,
> 
> I'm chasing a technical contact at Facebook. There's some broken HTTP being
> served which is confusing Squid in a way that isn't easily, cleanly
> worked around.
> 
> Please feel free to contact me off-list.



Re: wanted: facebook technical contact

2009-10-09 Thread Adrian Chadd
It is a HTTP/1.0 vs HTTP/1.1 thing (Chunked encoding for HTTP/1.1
doesn't require you to calculate and send a Content-Length.)



Adrian

On Fri, Oct 09, 2009, Jared Mauch wrote:
> I've been having the same issue when going through my Linux+Squid+WCCP  
> setup, but if the browser is configured to go direct to the proxy it  
> does not seem to have the same issue. (At least so far).
> 
>   - Jared
> 
> On Oct 9, 2009, at 2:48 PM, Adrian Chadd wrote:
> 
> >A few people have asked what the specific problem is.
> >
> >http://www.squid-cache.org/mail-archive/squid-dev/200910/0089.html
> >
> >
> >
> >
> >Adrian
> >
> >On Sat, Oct 10, 2009, Adrian Chadd wrote:
> >>howdy,
> >>
> >>I'm chasing a technical contact at Facebook. There's some broken  
> >>HTTP being
> >>served which is confusing Squid in a way that isn't easily, cleanly
> >>worked around.
> >>
> >>Please feel free to contact me off-list.

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $24/pm+GST entry-level VPSes w/ capped bandwidth charges available in WA -
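The HTTP/1.0 versus HTTP/1.1 framing point above, as an added example that is not part of the thread and not Squid's code: a strict response framer that picks the body length the way a receiver must (chunked transfer-coding only on HTTP/1.1, otherwise Content-Length, otherwise read to close) and rejects the two cases a proxy cannot frame safely, chunked on an HTTP/1.0 message and Content-Length together with Transfer-Encoding. The sample responses are constructed; the function names are this example's own.

```python
"""Strict HTTP response framing (RFC 7230 section 3.3.3, simplified).

Added illustration for the HTTP/1.0 vs HTTP/1.1 discussion; not Squid code.
All sample messages below are constructed.
"""
import re

CHUNK_SIZE_LINE = re.compile(rb"^([0-9A-Fa-f]+)(?:;.*)?$")  # size plus optional extension


class FramingError(ValueError):
    """Raised when the message framing is absent, ambiguous or malformed."""


def parse_head(raw):
    """Split a raw response into (version, status, headers, body_bytes).
    Headers come back as (lowercased-name, value) byte pairs."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise FramingError("no end of headers")
    lines = head.split(b"\r\n")
    m = re.match(rb"^HTTP/(\d)\.(\d) (\d{3})", lines[0])
    if not m:
        raise FramingError("bad status line")
    version = (int(m.group(1)), int(m.group(2)))
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return version, int(m.group(3)), headers, body


def decode_chunked(body):
    """Decode a chunked body; returns (payload, bytes left after the last-chunk)."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise FramingError("truncated chunk-size line")
        m = CHUNK_SIZE_LINE.match(body[pos:eol])
        if not m:
            raise FramingError("bad chunk-size line")
        size = int(m.group(1), 16)
        pos = eol + 2
        if size == 0:
            # last-chunk: skip any trailer header lines up to the blank line
            end = body.find(b"\r\n", pos)
            while end >= 0 and end != pos:
                pos = end + 2
                end = body.find(b"\r\n", pos)
            if end < 0:
                raise FramingError("truncated trailer")
            return bytes(out), body[end + 2:]
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("chunk data truncated or unterminated")
        out += chunk
        pos += size + 2


def body_of(raw):
    """Return the body as the receiver must frame it, or raise FramingError.

    Refusing an ambiguous message is the safe choice: guessing is what lets
    two hops (client, proxy, origin) disagree about where a message ends.
    """
    version, _status, headers, body = parse_head(raw)
    te = [v for n, v in headers if n == b"transfer-encoding"]
    cl = [v for n, v in headers if n == b"content-length"]
    if te and cl:
        raise FramingError("both Transfer-Encoding and Content-Length present")
    if te:
        if version < (1, 1):
            raise FramingError("Transfer-Encoding on an HTTP/%d.%d message" % version)
        if te[-1].split(b",")[-1].strip().lower() != b"chunked":
            raise FramingError("final transfer-coding is not chunked")
        payload, rest = decode_chunked(body)
        if rest:
            raise FramingError("bytes after last-chunk")
        return payload
    if cl:
        if len(set(cl)) != 1 or not cl[0].isdigit():
            raise FramingError("conflicting or non-numeric Content-Length")
        n = int(cl[0])
        if len(body) < n:
            raise FramingError("body shorter than Content-Length")
        return body[:n]
    return body  # no framing header: body is delimited by connection close


def classify(raw):
    """Return ('ok', body) or ('reject', reason) for a raw response."""
    try:
        return "ok", body_of(raw)
    except FramingError as e:
        return "reject", str(e)


# Constructed samples: a valid chunked HTTP/1.1 reply, the same body sent on
# an HTTP/1.0 status line, and a reply carrying both framing headers.
GOOD_11 = (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
           b"5\r\nhello\r\n6;ext=1\r\n world\r\n0\r\n\r\n")
BAD_10 = (b"HTTP/1.0 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")
AMBIGUOUS = (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n")

if __name__ == "__main__":
    for name, raw in (("GOOD_11", GOOD_11), ("BAD_10", BAD_10), ("AMBIGUOUS", AMBIGUOUS)):
        print(name, classify(raw))
```

`classify(GOOD_11)` yields the reassembled `b"hello world"`; the HTTP/1.0 and double-header samples are rejected with a reason rather than framed by guesswork.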



Re: Does Internet Speed Vary by Season?

2009-10-10 Thread Adrian Chadd
On Sat, Oct 10, 2009, Fred Baker wrote:

> Are we talking about bit rate, which one might expect to be modified  
> by environmental characteristics and is in fact very tightly  
> controlled to prevent that, or traffic volume?

Not true with modem type technologies, where the available transmission
rate is a function of how many available frequency space slices are
deemed to be "good" at any one time.

This isn't really like SDH (from what I've read of SDH, anyway.)



Adrian




Re: IPv6 internet broken, Verizon route prefix length policy

2009-10-12 Thread Adrian Chadd
On Mon, Oct 12, 2009, Seth Mattinen wrote:

> It's not the RIR's fault. IPv6 wasn't designed with any kind of workable
> site multihoming. The only goal seems to have been to limit /32's to an
> "ISP" but screw you if you aren't one. There was no alternative and it's
> been how long now? PI, multihoming, multicast, etc. is reality because
> the internet is now Very Serious Business for many, many people.

IPv6 -policy- wasn't initially designed for any workable site multihoming.
The addressing and BGP stuff works fine for it. It's just not "different"
to the issues faced with IPv4.




adrian




Re: IPv6 internet broken, Verizon route prefix length policy

2009-10-12 Thread Adrian Chadd
On Tue, Oct 13, 2009, valdis.kletni...@vt.edu wrote:

> You get some substantial wins for the non-TE case by being able to fix
> the legacy cruft.  For instance, AS1312 advertises 4 prefixes:
> 63.164.28.0/22, 128.173.0.0/16, 192.70.187.0/24, 198.82.0.0/16
> but on the IPv6 side we've just got 2001:468:c80::/48.
> 
> And we're currently advertising *more* address space in one /48 than we
> are in the 4 IPv4 prefixes - we have a large chunk of wireless network that
> is currently NAT'ed into the 172.31 space because we simply ran out of room
> in our 2 /16s - but we give those users globally routed IPv6 addresses.


I suggest you're not yet doing enough IPv6 traffic to have to care
about IPv6 TE.

2c,



Adrian




Re: ISP customer assignments

2009-10-13 Thread Adrian Chadd
Nathan Ward, please stand up.



Adrian

On Tue, Oct 13, 2009, TJ wrote:
> 
> -Original Message-
> From: Justin
> To go along with Dan's query from above, what are the preferred methods 
> that other SPs are using to deploy IPv6 with non-IPv6-capable edge 
> hardware?  We too have a very limited number of dialup customers and 
> will never sink another dollar in the product.  Unfortunately I also 
> have brand-new ADSL2+ hardware that doesn't support IPv6 and according 
> to the vendors (Pannaway) never will.  We also have CMTSs that don't 
> support IPv6, even though they too are brand-new.  Those CMTSs top out 
> at DOCSIS 2.0 and the vendor decided not to allow IPv6 to the CPEs 
> regardless of the underlying CM's IPv6 support or lack thereof (like 
> Cisco allowed for example).  Are providers implementing tunneling 
> solutions?  Pros/cons of the various solutions?
> 
> 
> > My first (potentially ignorant) response would be to get your acquisitions
> 
> > people aligned with your business, and by that I mean they should be
> making
> > a concerted effort to only buy IPv6 capable gear, especially when IPv6 is
> 
> > coming to you within that gears lifecycle.
> > I guess your customers will need to tunnel, as long as you give them a
> public
> > IP they have 6to4 (and possibly Teredo, tunnel broker) - but native is
> better.
> 
> 

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $24/pm+GST entry-level VPSes w/ capped bandwidth charges available in WA -



Re: multicast nightmare #42

2009-10-14 Thread Adrian Minta

Philip Lavine wrote:

> Please explain how this would be possible:
> 
> 1 sender
> 1 mcast group
> 1 receiver
> 
> = no data loss
> 
> 1 sender
> 1 mcast group
> 2+ receivers on same VLAN and physical segment
> 
> = data loss

Probably a crappy switch.

--
Best regards,
Adrian Minta  





Re: multicast nightmare #42

2009-10-14 Thread Adrian Chadd
On Wed, Oct 14, 2009, Adrian Minta wrote:

> >1 sender
> >1 mcast group
> >2+ receivers on same VLAN and physical segment
> >
> >= data loss

> Probably a crappy switch.

specifically, is your switch doing frame replication on ingress
or egress? :)


adrian




Re: multicast nightmare #42 - REDUX

2009-10-14 Thread Adrian Minta

Philip Lavine wrote:

> More info if this helps:
> 
> Switch Platform:
> 4500 SUPII+
> with gig line cards
> 
> Data rate is <100Mbps
> 
> Server OS: Windows 2003 R2 (please withhold snickering).

Multicast traffic is routed ?

--
Best regards,
Adrian Minta  






Re: Science vs. bullshit

2009-10-19 Thread Adrian Chadd
On Mon, Oct 19, 2009, Patrick W. Gilmore wrote:

> Corner cases like the one above are barely noise, so the curve it  
> still valid.

Strictly speaking, with the subject of "Science vs bullshit", you and msa
have named a hypothesis, no? Can either of you think of a way to disprove
that, and if so, where's your data? :)



Adrian




Re: ISP/VPN's to China?

2009-10-21 Thread Adrian Chadd
On Wed, Oct 21, 2009, Alex Balashov wrote:

> >oh my goodness. You're behind on your reading...
> 
> I didn't mean DPI.  I meant in a way that can be inferred from the 
> headers themselves, and aside from the port number.

You don't think that statistical analysis of traffic patterns
of your UDP traffic wouldn't identify it as a likely tunnel? :)



Adrian




Re: ISP/VPN's to China?

2009-10-21 Thread Adrian Chadd
On Wed, Oct 21, 2009, Alex Balashov wrote:
> I was not aware that tools or techniques to do this are widespread or  
> highly functional in a way that would get them adopted in an Internet  
> access control application of a national scope.
> 
> Tell me more?

It's been a while since I tinkered with this for fun, but a quick abuse
of google gives one relatively useful starting paper:

http://ccr.sigcomm.org/online/files/p7-v37n1b-crotti.pdf

Now, if you were getting multiple overlapping fingerprints inside a
UDP packet stream you may conclude that it is a VPN tunnel of some
sort.

Just randomly padding the tunnel with a few bytes either side will
probably just fuzz the classifier somewhat. Aggregating the packets
up into larger packets may fuzz the classification methods but it
certainly won't make the traffic look like "something else".
It'll likely still stick out as being "different". :)



Adrian




Re: IPv6 Deployment for the LAN

2009-10-22 Thread Adrian Chadd
On Thu, Oct 22, 2009, Iljitsch van Beijnum wrote:

> What does that have to with anything? IPv6 stateless autoconfig  
> predates the widespread use of DHCPv4.

So does IPX and IPX/RIP.

Why does this thread seem to rehash some big disconnect between
academics, IETF and actual deployment-oriented people who have
a job to do?

Silly architecture groups..



Adrian
(Glad I'm not involved. I'd lose patience and punch people.)



Re: IPv6 could change things - Was: DMCA takedowns of networks

2009-10-27 Thread Adrian Chadd
On Tue, Oct 27, 2009, Jeroen Massar wrote:

> But yes, the network stack itself is a different question, then again,
> you can just route a /64 into the loopback device and let your apache
> listen there... (which also allows you to do easy-failover as you can
> move that complete /64 to a different box ;)

Funny you should mention that.

A couple of tricks I've seen:

* instead of a linked list and O(n) searching of interface aliases, use
  some kind of tree to map local IP -> interface.
* hacks to do a "bind to all damned IP addresses and let userspace sort
  it out".

I've done the former for a few thousand aliases with no degradation
in performance. The hacks available for freebsd-4.x for the Web Polygraph
software did something similar.

2c,



Adrian
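The first trick in the message above (a tree instead of a linked-list walk over interface aliases), as an added example that is not part of the thread and not code from FreeBSD or Web Polygraph: a bitwise trie keyed on address bits that maps a local address to the interface owning the longest matching prefix, so a single routed /64 on loopback (as in the quoted reply) and thousands of individual /128 aliases share one lookup structure. The O(n) list walk is kept as a cross-check; the interface names and addresses are constructed.

```python
"""Local-address -> interface lookup as a bitwise trie.

Added example for the "tree instead of a linked list of aliases" trick; it
is not kernel code. Interface names and prefixes below are constructed.
"""
import ipaddress


class LocalAddressTrie:
    """One trie per address family. Node layout: [child0, child1, ifname]."""

    def __init__(self):
        self._roots = {4: [None, None, None], 6: [None, None, None]}

    @staticmethod
    def _bits(net):
        # Yield the prefix bits of `net`, most significant first.
        addr = int(net.network_address)
        width = net.max_prefixlen
        return ((addr >> (width - 1 - i)) & 1 for i in range(net.prefixlen))

    def add(self, prefix, ifname):
        """Register a host alias (/32, /128) or a routed prefix (e.g. a /64 on lo0)."""
        net = ipaddress.ip_network(prefix, strict=True)
        node = self._roots[net.version]
        for b in self._bits(net):
            if node[b] is None:
                node[b] = [None, None, None]
            node = node[b]
        node[2] = ifname

    def lookup(self, address):
        """Return the interface of the longest matching prefix, or None if the
        address is not local. Cost is bounded by the address width, not by the
        number of aliases."""
        addr = ipaddress.ip_address(address)
        node = self._roots[addr.version]
        best = node[2]
        width = addr.max_prefixlen
        value = int(addr)
        for i in range(width):
            node = node[(value >> (width - 1 - i)) & 1]
            if node is None:
                break
            if node[2] is not None:
                best = node[2]
        return best


def linear_lookup(aliases, address):
    """The O(n) alias-list walk the trie replaces; used here as a cross-check."""
    addr = ipaddress.ip_address(address)
    best, best_len = None, -1
    for prefix, ifname in aliases:
        net = ipaddress.ip_network(prefix)
        if net.version == addr.version and addr in net and net.prefixlen > best_len:
            best, best_len = ifname, net.prefixlen
    return best


# Constructed alias table: a whole /64 routed to loopback, one explicit host
# inside it on a different interface, and a couple of ordinary aliases.
ALIASES = [
    ("2001:db8:1::/64", "lo0"),
    ("2001:db8:1::80/128", "em1"),
    ("2001:db8:2::1/128", "em0"),
    ("192.0.2.10/32", "em0"),
]


def build(aliases):
    t = LocalAddressTrie()
    for prefix, ifname in aliases:
        t.add(prefix, ifname)
    return t


if __name__ == "__main__":
    t = build(ALIASES)
    for a in ("2001:db8:1::80", "2001:db8:1::1234", "2001:db8:3::1", "192.0.2.10"):
        print(a, "->", t.lookup(a), "(linear:", linear_lookup(ALIASES, a), ")")
```

Longest-prefix matching is what makes the /64-on-loopback trick coexist with per-host aliases: `2001:db8:1::1234` resolves to `lo0` through the /64, while `2001:db8:1::80` resolves to the more specific `em1` entry, and an address outside every prefix returns `None`.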




Re: Strip AS in BGP peer

2009-10-28 Thread Adrian Chadd
Take a read of the quagga documentation. There's a BGP neighbor option
for stripping out the local AS when speaking eBGP.



Adrian

On Wed, Oct 28, 2009, Sherwin Ang wrote:
> Hello Nanog,
> 
> am not sure if i should have placed this on the cisco-nsp or the
> juniper-nsp but someone may have a direct answer.
> 
> well here it goes.  we'll soon form a new internet exchange and i
> would like to suggest a model in the route-server wherein the
> route-server would strip out its own AS and give the neighbors/peers
> the AS's of the members.  I have seen this in Any2IX but i have no
> idea on how to implement it as if i am the Any2 route-server.
> 
> if you could point me to the right direction or reading, i could take
> it from there.



Re: Small guys with BGP issues

2009-11-01 Thread Adrian Chadd
On Mon, Nov 02, 2009, Richard A Steenbergen wrote:

> If you don't like the service you're getting, vote with your money and
> buy from someone else. This is quite simply not a NANOG issue, but in 
> the interests of being helpful the best advice I can give you is this:
> 
> "Your request is unreasonable, and you should adjust your expectations 
> that you'll ever get it from the service you are purchasing".
> 
> Sorry if that's not the answer you want. :)

Or you could look at alternatives with your provider, ie:

"Ok, so we can't speak BGP over that particular link. May I colocate some
 router with you at extra cost and connect to you via -that-, so I may then
 speak BGP to you over that and then tunnel my data back to me over your
 DSL network?"

That way you don't require your ISP to speak BGP over a DSL link and all
of the headaches they may not be prepared for, and you get control over
your own network.

2c,



Adrian




Re: Chinese bgp metering story

2009-12-19 Thread Adrian Chadd
On Sat, Dec 19, 2009, Dobbins, Roland wrote:

> Existing hardware does this today with NetFlow, et. al.

.. not only that, we've been doing this for a bloody long time in
internet years. About all that really matters is figuring out how
to engineer your network to allow for netflow based billing without
having subtle duplicate flows everywhere..


Adrian
(Ah, thinking about this stuff brings back memories, and I'm only 30..)



Re: D/DoS mitigation hardware/software needed.

2010-01-04 Thread Adrian Chadd
On Tue, Jan 05, 2010, Dobbins, Roland wrote:

> None of the large, well-known Web properties on the Internet today - at 
> least, the ones which stay up and running, heh - have stateful firewalls in 
> front of them.  Including prominent vendors of said stateful firewall 
> solutions.

But as you said, they're willing to sell them to you. Then claim
that the traffic you're receiving is out of profile. :)

(I'm not jaded about this, oh no..)



Adrian




Re: D/DoS mitigation hardware/software needed.

2010-01-04 Thread Adrian Chadd
On Tue, Jan 05, 2010, Stefan Fouant wrote:

> Almost all of the scalable DDoS mitigation architectures deployed in
> carriers or other large enterprises employ the use of an offramp method.
> These devices perform a lot better when you can forward just the subset of
> the traffic through as opposed to all.  It's just a simple matter of using
> static routing / RTBH techniques / etc. to automate the offramp.

Has anyone deployed a DDoS distributed enough to inject ETOOMANY routes into
the hardware forwarding tables of routers?

I mean, I assume that there are checks and balances in place to limit
the number of routes being injected into the network so one doesn't
overload the tables, but what's the behaviour if/when this limit is
reached? Does mitigation cease being as effective?




Adrian





Re: Broadband routers and botnets - being proactive

2007-05-15 Thread Adrian Chadd

On Tue, May 15, 2007, Joel Jaeggli wrote:
> [EMAIL PROTECTED] wrote:
> >> Addressing the complaint that my response to Gadi was too harsh, I can
> >> only say
> >> that, to someone who isn't aware of the history, my response may seem
> >> harsh, 
> > 
> > I *AM* aware of the history and your response seems harsh. Especially so
> > because you complained about a message which was about exploits in CPE
> > access routers, not botnets. Any kind of router vulnerability/exploit is
> > on topic for NANOG. And people who don't take the trouble to read
> > messages and critique the message content, should not post to the list
> > at all. We don't need you using NANOG to fight your personal flamewar
> > with Gadi.
> 
> I don't see cpe as being all that different than hosts, except that
> they're slower and less flexible.

I see them as more flexible - they don't have a CPE in front of them
potentially being a firewall, they can listen() on ports for p2p botnet
type action, and they can silently redirect your traffic to completely
different IPs or return bogus DNS info, they can see inside your home
network and be counted as "internal internet zone" to IE..

(perhaps not operational per-se, but pretty freaking scary.)



Adrian



Re: NANOG 40 agenda posted

2007-05-29 Thread Adrian Chadd

On Tue, May 29, 2007, [EMAIL PROTECTED] wrote:

> That's why I suggested that NANOG run some kind of IPv6 vendor showcase
> in which all the vendors would be running an interoperable IPv6 network.
> As many have pointed out, this is not just about routers since Cisco and
> Juniper have had IPv6 support for years and both are in use on
> production IPv6 networks in Asia. People need to see things like the
> Hexago gateways, Teredo servers, proxies, management consoles/tools, and
> so on. Even the easy stuff needs to be on display because if it can't be
> seen then people will not believe that it is easy. 

From someone who hasn't looked into IPv6 customer deployments:

* So is DHCPv6 the "way to go" for deploying IPv6 range(s) to end-customers?
  Considering the current models of L2TP over IP for broadband aggregation
  and wholesaling where the customer device speaks PPPoX.
* Has anyone sat down and thought about the security implications for running
  native IPv6 addresses on end-devices which, at the moment, don't have 'direct'
  access to the internet (ie sitting behind a NAT.)
* Has anyone looked into the effects of opportunistic IPSEC on stuff like
  network IDSes?



Adrian




Re: NANOG 40 agenda posted

2007-05-29 Thread Adrian Chadd

On Tue, May 29, 2007, Donald Stahl wrote:

> There is something to be said for not being able to blindly spew worm 
> traffic and still expect to get a sensible hit ratio as with IPv4.

You don't need to blindly spew worm traffic anymore; you can just
spew based on p2p traffic.



Adrian



Re: Microsoft and Teredo

2007-05-31 Thread Adrian Chadd

On Thu, May 31, 2007, Sean Siler wrote:
> 
> Nathan,
> 
> While these are really good questions, I'm afraid I don't have really good 
> answers to them yet.  We haven't made the bits available for customers to 
> install their own Teredo Servers/Relays at this point, and because we 
> haven't, we also don't have good deployment guidance to go along with that.
> 
> I have my own feelings, but let me ask this: what do you all feel about 
> installing a Teredo server in order to provide v6 connectivity to your 
> clients? Is this something that you are really interested in?

I'd prefer to throw IPv6 network ranges at customer links, so they can have
"other" devices on IPv6. IPv6 isn't just for desktops.

How do Teredo servers tie into network security? Does the act of tunneling
from v4 to a v6 broker bypass firewalls, IDSes, etc?





Adrian



Re: Microsoft and Teredo

2007-05-31 Thread Adrian Chadd

On Thu, May 31, 2007, JORDI PALET MARTINEZ wrote:
> 
> In windows, you have IPv6 firewall, so even if Teredo traverses the "IPv4
> security", there is still something there.
> 
> A good description of all this is available at:
> http://www.microsoft.com/technet/network/ipv6/teredo.mspx

I've read that; but again enterprise and ISPs may impose restrictions
on the types of traffic to/from end users, and this circumvents that.
Host-based firewalls are not the be all or end all of network security.



Adrian



Re: Cool IPv6 Stuff

2007-06-04 Thread Adrian Chadd

On Mon, Jun 04, 2007, Sam Stickland wrote:

> Personally I hate NAT. But I currently work in a large enterprise 
> environment and NAT is surprisingly popular. I came from a service 
> provider background and some of the attitudes I've discovered towards 
> private addresses in enterprise environments are quite surprising. Aside 
> for the usual proponents of using NAT to hide your internal address 
> infrastructure (which security always seem to insist upon) quite a 
> popular design rule of from seems to be "Only carry public addresses on 
> the public Internet and only carry private addresses on your private 
> network" :-|
> 
> If an Enterprise doesn't have a great deal of IP addresses that need to
> be routed on the public internet, and they think that NAT is a _good_
> design choice, it seems to me that they don't have a great deal of
> pressure to move to IPv6.

In fact, and call me crazy, but I can't help but wonder how many enterprises
out there will see IPv6 and its concept of "real IPs for all machines,
internal and external!" and respond with "Hell No."

Anyone got any numbers for that? I'm happy to admit I don't. :)




Adrian



Re: Cool IPv6 Stuff

2007-06-04 Thread Adrian Chadd

On Mon, Jun 04, 2007, Iljitsch van Beijnum wrote:
> 
> On 4-jun-2007, at 17:37, Donald Stahl wrote:
> 
> >>I want NAT to die but I think it won't.
> 
> >Far too many "security" folks are dictating actual implementation  
> >details and that's fundamentally wrong.
> 
> >A security policy should read "no external access to the network"  
> >and it should be up to the network/firewall folks to determine how  
> >best to make that happen. Unfortunately many security policies go  
> >so far as to explicitly require NAT.
> 
> Don't forget that the reason NAT works to the degree that it does  
> today is because of all the workarounds in applications or protocol- 
> specific workarounds in the NATs (ALGs). In IPv6, you don't have any  
> of this stuff, so IPv6 NAT gets you nowhere fast with any protocol  
> that does more than something HTTP-like. (Yes, I've tried it.)

Won't stateful firewalls have similar issues? I.e., if you craft a stateful
firewall to allow an office to have real IPv6 addresses but not to allow
arbitrary connections in/out (i.e., the "stateful" bit), won't said stateful
require protocol tracking modules with similar (but not -as-) complexity
to the existing NAT modules?




Adrian



Re: Cool IPv6 Stuff

2007-06-04 Thread Adrian Chadd

On Mon, Jun 04, 2007, Donald Stahl wrote:
> >Won't stateful firewalls have similar issues? I.e., if you craft a stateful
> >firewall to allow an office to have real IPv6 addresses but not to allow
> >arbitrary connections in/out (i.e., the "stateful" bit), won't said stateful
> >require protocol tracking modules with similar (but not -as-) complexity
> >to the existing NAT modules?

> It's a lot easier to write a firewall module that monitors a SIP 
> connection to allow for bi-directional traffic than it is to monitor for 
> such connections and rewrite the packets.

Yes yes, people have pointed this out already.

> Not to mention- what happens when the SIP traffic (for example) goes out 
> with 1918 addresses in the packets? The firewall never sees the return 
> traffic because the destination system is trying to send traffic to a 
> private address- it gets lost in the ether and troubleshooting becomes a 
> pain. With real addresses in the packets the traffic will at least make it 
> back to the firewall- even if the firewall doesn't know how to handle 
> them. At that point you know what's happening and can either correct the 
> rules, enable a proxy, or yell at your firewall vendor.

And it's still not "as simple as tracking connections" stateful firewall.
You still need to stick your grubby fingers into (this example) the SIP
handshake and add in related rules for the RTP session to occur. There's
still similar room for screwing up in the firewall implementation.
There's still similar angst possible with broken stateful protocol tracking.

Anyway, this is the last post from me on this topic. Time's going to tell
whether vendors implement IPv6 NAT; since their featuresets are customer
driven, not nanog@ driven. :)




Adrian



Re: An IPv6 address for new cars in 3 years?

2007-07-02 Thread Adrian Chadd

On Fri, Jun 29, 2007, Suresh Ramasubramanian wrote:
> 
> On 6/29/07, Rich Emmings <[EMAIL PROTECTED]> wrote:
> >
> >Topicality: Looks like someone, somewhere intends to be live with IPv6 in 
> >3-5 years.
> >Off Topic: The privacy and security ramifications boggle the mind
> >
> 
> Fully mobile, high speed botnets?

Let's hope the iPhone and the (probably) rush of imitators following suit
don't give this a swifter kickstart..



Adrian



Re: How should ISPs notify customers about Bots (Was Re: DNS Hijacking )

2007-07-24 Thread Adrian Chadd

On Tue, Jul 24, 2007, Chris L. Morrow wrote:

> note that this will take out vhost systems... unless they are vetted off
> the list, which is certainly possible of course.

Unless you use it as part of a feed of "stuff our abuse department might
want to investigate further" ..



Adrian



Re: large organization nameservers sending icmp packets to dns servers.

2007-08-08 Thread Adrian Chadd

On Wed, Aug 08, 2007, Jamie Bowden wrote:
> 
> Forgive my broken formatting, but LookOut, it's Microsoft! Is what we
> use, period.
> 
> I have a question related to what you posted below, and it's a pretty
> simple one:
> 
> How is answering a query on TCP/53 any MORE dangerous than answering it
> on UDP/53?  Really.  I'd like to know how one of these security nitwits
> justifies it.  It's the SAME piece of software answering the query
> either way.

I'd hazard a guess and say something like "TCP state complexity > UDP state
complexity" and that possibly leading to a potential DoS.

But then, there's also stuff like stateful firewalls which can more
aggressively time out UDP flows (and not break DNS ones, since they're
not exactly long-living!) but die under large TCP loads. And TCP
takes CPU to setup/teardown, and requires client-side state.




Adrian



Re: [ppml] too many variables

2007-08-14 Thread Adrian Chadd

On Tue, Aug 14, 2007, Leo Bicknell wrote:

> Of course, I think if the RE were an external 2RU PC that they sold
> for $5,000 (which is still highway robbery) ISP's might upgrade
> more than once every 10 years

Sounds like an experiment. Anyone have a spare J M40?

(*duck*)





Adrian



Re: [Nanog] ATT VP: Internet to hit capacity by 2010

2008-04-22 Thread Adrian Chadd
On Tue, Apr 22, 2008, Marc Manthey wrote:

> hmm sorry i did not get it IMHO multicast is useless for VOD, correct?

As a delivery mechanism to end-users? Sure.

As a way of feeding content to edge boxes which then serve VOD?
Maybe not so useless. But then, it's been years since I toyed with
IP over satellite to feed ${STUFF}.. :)



Adrian


___
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog


Re: [NANOG] would ip6 help us safeing energy ?

2008-04-26 Thread Adrian Chadd
On Sat, Apr 26, 2008, Marc Manthey wrote:
> hello
> 
> i have a question :
> 
> "IF we would use multicast" streaming ONLY, for appropriate
> content, wouldn't this "decrease" the overall internet traffic?
> 
> Isn't this an argument for ip6 / greenip6 ;) as well?

Some people make more money shipping more bits. They may not have
any motivation or desire to decrease traffic.



Adrian




Re: [NANOG] would ip6 help us safeing energy ?

2008-05-04 Thread Adrian Chadd
On Mon, May 05, 2008, Marc Manthey wrote:
> evening all ,
> 
> found a related article about the power consumption saving in ip6.
> 
> -
> 
> Up to 300 Megawatt Worth of Keepalive Messages to be Saved by IPv6?
> 
> http://www.circleid.com/posts/81072_megawatts_keepalive_ipv6/
> 
> http://www.niksula.hut.fi/~peronen/publications/haverinen_siren_eronen_vtc2007.pdf

I'd seriously be looking at making current -software- run more efficiently
before counting ipv6-related power savings.




Adrian




Re: [NANOG] Larger packets to save power, was: Re: would ip6 help us safeing energy ?

2008-05-05 Thread Adrian Chadd
On Tue, May 06, 2008, Nathan Ward wrote:

> Maybe you just start calling "10Mbps" "10Mbps, assuming a 500b average  
> packet size."
> 
> Anyway, nice idea in theory - putting more real world limitations in  
> to sold product limitations - but I don't see it working out with  
> marketing people, etc. unless someone has been doing it for years  
> already. It'd be good if the world were all engineers though, huh?

NPE-XXX, anyone?



Adrian




Re: Hauling gear around a NANOG meeting

2008-05-24 Thread Adrian Chadd
On Sat, May 24, 2008, Randy Bush wrote:
> i am greatly amused by all the poor country hicks so worried about
> having to go to the big scary city.  when arriving, sweet virginia,
> please be sure to scrape that  right off your shoes.

Meh. I'm from the most remote pretend-city in the western world
and New York seemed fine to me. The subway wasn't dangerous in midtown
right out past three/four AM; there's always people going places and
in general seemed friendly enough to answer questions (and ask questions;
I had a native NY'er ask me how to get somewhere on the subway system!)

I'm sure there are places which are labelled "Don't go at night if you're
an unarmed middle-class white guy by yourself" but frankly, this place
isn't anywhere near as bad as historically portrayed.

I'm pleasantly surprised. :) (And annoyed that I'm leaving..)




adrian





Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Adrian Chadd
On Tue, May 27, 2008, [EMAIL PROTECTED] wrote:

> There's basically 2 classes of Cisco routers out there:
> 
> 1) Ones managed by Jared and similarly clued people, who can quite rightfully
> yawn because the specter of "IOS rootkits" changes nothing in their actual
> threat model - they put stuff in place 3 years ago to mitigate "Lynn-style IOS
> pwnage", and it will stop this just as well.  Move along, nothing to see.
> 
> 2) Ones managed by unclued people.  And quite frankly, if Lynn didn't wake
> them up 3 years ago, this isn't going to wake them up either.  Move along,
> nothing new to see here either.
> 
> "60% of routers run by bozos who shouldn't have enable. Film at 11".

Bloody network people, always assuming their network security stops at
their router.

So now that someone's done the hard lifting to backdoor an IOS binary,
and I'm assuming you all either upgrade by downloading from the cisco.com
website or maintain a set of your own images somewhere, all one needs
to do is insert themselves into -that- path and you're screwed.

Hijacking prefixes isn't hard. That was presented at the same security
conference.

Cracking a UNIX/Windows management/FTP/TFTP host isn't impossible - how
many large networks have their server infrastructure run by different
people to their network infrastructure? Lots and lots? :)

Sure, it's not all fire and brimstone, but the bar -was- dropped a little,
and somehow you need to make sure that the IOS that's sitting on your
network management site is indeed the IOS that you put there in the
first place..




Adrian





Re: IOS Rookit: the sky isn't falling (yet)

2008-05-27 Thread Adrian Chadd
On Tue, May 27, 2008, Chris Grundemann wrote:

> > Sure, it's not all fire and brimstone, but the bar -was- dropped a little,
> > and somehow you need to make sure that the IOS that's sitting on your
> > network management site is indeed the IOS that you put there in the
> > first place..
> 
> Like MD5 File Validation? - "MD5 values are now made available on
> Cisco.com for all Cisco IOS software images for comparison against
> local system image values."

Yes, but the only thing the router checks iirc is the old-style checksum,
and not some oob provided md5 hash?

And if you can exploit the management box itself, you can load your own
MD5 hash in.

This is all the sort of stuff that public key crypto and chains of trust
were meant to solve, IIRC..


Adrian




Re: OT: www.Amazon.com down?

2008-06-06 Thread Adrian Ulrich

> I expect this means that DNS has been compromised somewhere.

Ehr.. no:
 http://www.google.ch/search?q=AMAZON.COM.IS.N0T.AS.1337.AS.WWW.GULLI.COM



-- 
 RFC 1925:
   (11) Every old idea will be proposed again with a different name and
a different presentation, regardless of whether it works.




Re: P2P agents for software distribution - saving the WAN from meltdown?!?

2008-06-18 Thread Adrian Chadd
On Tue, Jun 17, 2008, Christopher Morrow wrote:

> most of the larger free-nix's do BT downloads on release day(s).
> Revision3 distributes their content via BT. There were rumors of
> Disney and Apple moving to BT models for their content distribution at
> one point as well.


If only there was a way for a SP to run a BitTorrent type service for
their clients, subscribing the BT server(s) to known-good (ie, not warez-y)
torrents pre-seeded from trusted sources and then leaving it the hell
alone and not having to continuously dump specific torrent files into
it.


Hm!



Adrian




Re: P2P agents for software distribution - saving the WAN from meltdown?!?

2008-06-18 Thread Adrian Chadd
On Wed, Jun 18, 2008, Warren Kumari wrote:

> Yes, P2P is not the web, but the general principle still applies -- I  
> don't think that handing over the censorship keys to my ISP is a  
> reasonable solution...

I dunno, an RSS type feed of bittorrent files which can be subscribed
to would be useful. You could then just subscribe to certain content,
implicitly trusting that they're publishing sensible content (and filtering
the content you seed your torrent with using tags or some such.)

You could then subscribe to various projects' downloads and mirror
appropriately.

Of course, this could already be being done; I haven't any idea. :)




Adrian




Re: Cloud service [was: RE: EC2 and GAE means end of ip addressreputation industry? (Re: Intrustion attempts from Amazon EC2 IPs)]

2008-06-23 Thread Adrian Chadd
On Tue, Jun 24, 2008, Suresh Ramasubramanian wrote:

> Hate to point out the obvious, but ... That isnt "network gear" as such.
> 
> It is an appliance that'll require repointing of MX records

Please don't tell my test kit at home; Cisco WCCPv2 redirects TCP/25 as easy
as it does TCP/80(*1). No MX rejiggery required.




Adrian

*1: unless you're the lucky owner of specially crafted gems like the Catalyst
3550 - WCCPv2 is limited to port 80 only ..



Re: virtual aggregation in IETF

2008-07-20 Thread Adrian Chadd
On Sun, Jul 20, 2008, Joel Jaeggli wrote:

> Software switched routers have little pressure on fib limitations. For a 
> certain class of application the software switched edge router is in a 
> much better position to accommodate fib growth than a device with a 
> fixed sized cam.

I dunno about that; there's some papers floating about which look at
trie type FIB representations which note significant savings in compressing
FIB to unique entry set. Less memory, fewer comparisons, fewer nodes, etc.
Rather interesting stuff.

Try http://www.academypublisher.com/jnw/vol02/no03/jnw02031827.pdf for
fun.



Adrian




Re: virtual aggregation in IETF

2008-07-20 Thread Adrian Chadd
On Sun, Jul 20, 2008, Joel Jaeggli wrote:

> Not saying that they couldn't benefit from it, however on one hand we 
> have a device with a 36Mbit cam on the other, one with 2GB of ram, which 
> one fills up first?

Well, the actual data point you should look at is "160k odd FIB from a couple
years ago can fit in under 2 megabytes of memory."

The random fetch time for dynamic RAM is pretty shocking compared to L2
cache access time, and you probably want to arrange your FIB to play well with
your cache.

It's nice that the higher end CPUs have megabytes and megabytes of L2 cache
but placing a high-end Xeon on each of your interface processors is probably
asking a lot. So there's still room for optimising for sensibly-specced
hardware.

Of course, -my- applied CPU-cache clue comes from the act of parsing HTTP
requests/replies, not from building FIBs. I'm just going off the papers I've
read on the subject. :)



Adrian
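As an added illustration for the two posts above (my code, not from the thread or from any of the papers Adrian links), here is the simplest form of the FIB compression they talk about: build a binary trie over a constructed IPv4 table, drop every entry whose nearest covering prefix already forwards to the same next hop, and check that the compressed table gives the same longest-prefix-match answer for a set of test addresses. The table, the next-hop names and all function names are my own.

```python
# Added example (not from the NANOG thread): a binary-trie FIB with a
# "redundant entry" compression pass and a forwarding-equivalence check.
# One trie per address family; the constructed sample is IPv4 only.
import ipaddress
from typing import List, Optional, Tuple

Entry = Tuple[str, str]  # (prefix, next hop)

# Constructed sample FIB. Several entries are covered by a shorter prefix
# that already forwards to the same next hop, so longest-match never
# needs them.
SAMPLE_FIB: List[Entry] = [
    ("0.0.0.0/0", "hopA"),
    ("10.0.0.0/8", "hopB"),
    ("10.1.0.0/16", "hopB"),       # same hop as 10.0.0.0/8: redundant
    ("10.1.2.0/24", "hopC"),
    ("10.1.2.128/25", "hopC"),     # same hop as 10.1.2.0/24: redundant
    ("10.2.0.0/16", "hopA"),       # differs from 10.0.0.0/8: needed
    ("192.0.2.0/24", "hopD"),
    ("192.0.2.0/25", "hopD"),      # redundant
    ("198.51.100.0/24", "hopA"),   # same hop as the default route: redundant
]


class Node:
    __slots__ = ("child", "nexthop")

    def __init__(self) -> None:
        self.child: List[Optional["Node"]] = [None, None]
        self.nexthop: Optional[str] = None


def _bits(value: int, width: int, count: int):
    """Yield the `count` most significant bits of a `width`-bit integer."""
    for i in range(count):
        yield (value >> (width - 1 - i)) & 1


def insert(root: Node, prefix: str, hop: str) -> None:
    """Walk (creating) the path for `prefix` and mark its node with `hop`."""
    net = ipaddress.ip_network(prefix)
    node = root
    for bit in _bits(int(net.network_address), net.max_prefixlen, net.prefixlen):
        if node.child[bit] is None:
            node.child[bit] = Node()
        node = node.child[bit]
    node.nexthop = hop


def build_trie(fib: List[Entry]) -> Node:
    root = Node()
    for prefix, hop in fib:
        insert(root, prefix, hop)
    return root


def lookup(root: Node, address: str) -> Optional[str]:
    """Longest-prefix match: the deepest node on the address's path with a hop."""
    addr = ipaddress.ip_address(address)
    node, best = root, None
    for bit in _bits(int(addr), addr.max_prefixlen, addr.max_prefixlen):
        if node.nexthop is not None:
            best = node.nexthop
        node = node.child[bit]
        if node is None:
            return best
    return node.nexthop if node.nexthop is not None else best


def compress(fib: List[Entry]) -> List[Entry]:
    """Drop every entry whose nearest covering prefix already forwards to the
    same next hop. Entries are processed shortest-first, so looking up an
    entry's own network address in the trie built so far returns exactly its
    nearest *kept* cover (nothing longer has been inserted yet)."""
    root = Node()
    kept: List[Entry] = []
    for prefix, hop in sorted(fib, key=lambda e: ipaddress.ip_network(e[0]).prefixlen):
        cover = lookup(root, str(ipaddress.ip_network(prefix).network_address))
        if cover == hop:
            continue                      # redundant under longest-match
        insert(root, prefix, hop)
        kept.append((prefix, hop))
    return kept


def forwarding_equivalent(a: List[Entry], b: List[Entry], addresses: List[str]) -> bool:
    """True if both tables resolve every address in `addresses` to the same hop."""
    ta, tb = build_trie(a), build_trie(b)
    return all(lookup(ta, x) == lookup(tb, x) for x in addresses)


if __name__ == "__main__":
    small = compress(SAMPLE_FIB)
    print(f"{len(SAMPLE_FIB)} entries -> {len(small)} after compression")
    for entry in small:
        print("  ", *entry)
```

The papers Adrian points at go further (merging sibling leaves, pushing hops down to leaves); this pass only removes entries that longest-match can never select. The practical caveat is that a dropped entry depends on its cover: if the covering route's next hop changes, the compressed table has to be recomputed, otherwise traffic for the dropped prefix silently follows the new cover.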




Re: Software router state of the art

2008-07-23 Thread Adrian Chadd
On Wed, Jul 23, 2008, Charles Wyble wrote:

> This might be of interest:
> 
> http://nrg.cs.ucl.ac.uk/mjh/tmp/vrouter-perf.pdf

Various FreeBSD related guys are working on parallelising the forwarding
layer enough to use the multiple tx/rx queues in some chipsets such as the
Intel gig/10ge stuff.

1 mil pps has been broken that way, but it uses lots of cores to get there.
(8, I think?)

Linux apparently is/has headed down this path.

If someone were to spend some time dissecting the rest of the code to
also optimise the single-core throughput then you may see some interesting
software routers using commodity hardware (for values of "commodity"
roughly equal to "PC servers", rather than "magic lotsacore core MIPS with
some extra glue for jacking packets around.")

Sure it's not a CRS-1, but reliably doing a mil pps with a smattering of
low-touch features would be rather useful, no?

(Then, add say, l2tp/ppp into that mix, just as a crazy on-topic example..)



Adrian




Re: Software router state of the art

2008-07-23 Thread Adrian Chadd
On Wed, Jul 23, 2008, Chris Marlatt wrote:

> http://unix.derkeiler.com/Mailing-Lists/FreeBSD/net/2008-06/msg00364.html 
> has all the details. It's a rather long thread but 1mpps was achieved on a 
> single cpu IIRC (the server had multiple cpus but only one being used 
> for forwarding). Firewall rules slowed it down quite a bit but there's 
> also some work out there being done to minimize this.

Yah, all of that is happening. Some people keep asking why FreeBSD-4
forwarding was always much faster than same-hardware forwarding under
current FreeBSD but at least that's finally being worked on.

Of course, with my FreeBSD advocacy hat on, if you -want- to see
something like FreeBSD handle 1mil+ pps forwarding then you should
really drop the FreeBSD Foundation a line and introduce yourself.
There are developers working on this (note: not me! :) who would
benefit from equipment and funding.

Anyway. Some PC class hardware is pretty damned fast. Some vendors
even build highish-throughput firewalls and proxies out of PC class
hardware. :) The "wah wah PC class hardware has anemic bus IO/memory IO/
CPU speed/ethernet modules and is thus too crap for serious routing" argument
is pretty much over for at least 1 mil pps, perhaps more.

2c,


Adrian




Re: Software router state of the art

2008-07-26 Thread Adrian Chadd
On Sat, Jul 26, 2008, Florian Weimer wrote:

> Was this with one packet flow, or with millions of them?

I believe it was >1 flow. The guy is using an Ixia; I don't know how
he has it configured.

> Traditionally, software routing performance on hosts systems has been
> optimized for few and rather long flows.

Yup.

And I always ask that question when people claim really high(!) throughput on
software forwarding. It turns out their throughput was single source/single
dest, and/or large packets (so high throughput, but low pps.)




Adrian




Re: Software router state of the art

2008-07-26 Thread Adrian Chadd
On Sat, Jul 26, 2008, Colin Alston wrote:
> >And I always ask that question when people claim really high(!) throughput on
> >software forwarding. It turns out their throughput was single source/single
> >dest, and/or large packets (so high throughput, but low pps.)
> 
> I assume though that all of this is on x86 platform hardware. How does 
> this compare to Linux or FreeBSD running on something else like the 
> Cavium Octeon and other 64bit MIPS based processors?

You'll have to ask the people playing with it on that.

Me, I've been looking for some multicore MIPS + fruit for some Squid
related hackery but I've been busy with other things (like, you know,
making Squid-2 be able to be run on multi-core hardware in the first
place..) so it'll have to wait.. :)




Adrian




Test Cases for Network Management

2008-08-01 Thread Adrian Winckles
Hi Everyone
Does anyone have any network management test cases or templates (particularly
based around fault management, performance and security) which I could have
access to, to help with some evaluation of some open source network management
platforms for SME clients?
Ideally test cases which support IP based networks (both local and wide area) 
and Cisco/Nortel equipment would be excellent.
Many thanks in advance
Adrian




Re: Revealed: The Internet's well known BGP behavior

2008-08-27 Thread Adrian Chadd
On Wed, Aug 27, 2008, John Lee wrote:
> Patrick,
> 
> VPN's and MPLS control intermediate hops and IPsec and SSL do not allow the 
> info to be seen.
> 
> Rewriting the TTL only hides the number of hop count, trace route will still 
> show the hops the packet has transited.

No, traceroute shows the hops which returned "time to live exceeded."

This only maps to "the hops the packet has transited" if the TTL is setup
and decremented correctly.




Adrian




Re: Revealed: The Internet's well known BGP behavior

2008-08-29 Thread Adrian Chadd
On Fri, Aug 29, 2008, jim deleskie wrote:
> Announcing a smaller bit of one of your blocks is fine, more than that
> most everyone I know does it or has done and is commonly accepted.
> Breaking up someone else's block and making that announcement even if
> it's to modify traffic between 2 peered networks is typically not
> looked at as proper.  Modifying your traffic = good. Doing it to anyone
> else's traffic = bad.

The question shouldn't really be "would people do this to others' traffic";
the question should be "has it already happened and no one noticed."





Adrian




Re: GLBX De-Peers Intercage

2008-09-01 Thread Adrian Chadd
On Mon, Sep 01, 2008, William Waites wrote:

> As mentioned in private email, I think where there is *evidence* of
> *criminal* activity, show this to a judge, get the judge to order ARIN
> to revoke the ASN/netblock, the traffic then becomes bogon and can/
> should be filtered.

Oh come on, how quickly would that migrate to enforcing copyright
infringement? Or if you're especially evil, used by larger companies
to bully smaller companies out of precious IPv4 space?

I reckon having your IPv4 space revoked for more than a few hours would
upset most if not all small players.

Please find an alternative method of tidying up the trash and don't
stir that nest of hornets.



Adrian




Re: Force10 Gear

2008-09-07 Thread Adrian Chadd
On Sun, Sep 07, 2008, David Newman wrote:

> 1. Set IP options. A pair of Cat 6509Es using VSS can forward packets
> without options at up to 770 mpps, but when packets have options the
> maximum is more like 20 kpps. And that's a "high-speed" example; the
> options forwarding rate is more like 0 pps with some other devices.
> Silicon that forwards packets very fast is only good when header lengths
> are fixed.

So what you're saying is "send the right crafted packets and DoS the internet",
right?

(I think I know which options may make routers go all software-path on the
packets but I haven't given it a run on a Cat6500. Hm, I wonder if this here
3750 in the lab will do..)



Adrian




Re: Routing Suggestions

2011-01-12 Thread Adrian Chadd
On Wed, Jan 12, 2011, Jon Lewis wrote:
> On Wed, 12 Jan 2011, Jared Mauch wrote:
> 
> >I suggest using one of the reserved/private BGP asns for this purpose.
> >
> >ASNumber:   64512 - 65535
> 
> It sounds to me like Company B isn't doing BGP (probably has no experience 
> with it) and if there's only a single prefix per side of the cross 
> connect, especially if the cross connect is going into routers smart 
> enough to remove a route from the table if the destination interface is 
> down, static would do just fine.

Unless you'd like to ensure the sensitive traffic doesn't cross an
"unsafer" default route path if the XC is down.

(Assuming the prefixes are both public IPv4/6 space to begin with.)


Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $24/pm+GST entry-level VPSes w/ capped bandwidth charges available in WA -



Re: Routing Suggestions

2011-01-12 Thread Adrian Chadd
On Wed, Jan 12, 2011, Jon Lewis wrote:

> >Unless you'd like to ensure the sensitive traffic doesn't cross an
> >"unsafer" default route path if the XC is down.
> 
> BGP would have that same issue since B is default routing to their 
> provider.
> 
> [config for B]
> ip route   
> ip route   null0 250
> ip route 0.0.0.0 0.0.0.0 
> 
> problem solved.  If the gw to A is reachable, traffic goes via the cross 
> connect.  If the gw is down, traffic goes nowhere.

I was just making the observation; the solution is pretty simple.
(Yes, I've seen "secure" network cross-connects get bitten by this. :-)



Adrian




Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Adrian Chadd
(Top-posting because the whole message is context. Oh, and I'm lazy.)

I do indeed love it when people break out IPv6 addressing as
"there's so many addresses, we'll never ever go through them!"

Sure, if they're only used as end-point identifiers.

Say you want to crack out that 64k-port space into something
bigger, because say p2p becomes so wide-spread and ingrained
in our society, that 64k port space per IP becomes silly.
So we say, break off another 16 bits and have a host just
listen on not a /128, but on a /112. Cool, 4 billion "ports".
That fixes the port space.

Then someone comes along with a bright idea. "Hi!" she says,
"Since hosts are already listening on a /112 of space (and
thus all those pesky ND cache problems have been fixed!),
we can start allocating cloud identifiers on peoples' hosts,
so each cloud application instance gets a separate address
prefix; thus any given host can run multiple cloud instances!"

Let's call that a 32 bit address space, because I bet a 16
bit "cloud ID" doesn't scale. A 16 bit cloud identifier takes
it down to a /96. A 32 bit cloud identifier takes it down to
/80.

Cool. Now you've got all these end-hosts all happily doing
p2p between each other over a 16-bit extended port space,
then running p2p and other apps inside a 32-bit cloud
identifier so they can both run their own distributed
apps/vms (eg diaspora), or donate/sell/whatever their clock
cycles to others.

What did that just do to your per-site /64? That you have
no hope of ever seeing a user use up? It just turned
that /64 into a /112 (16 bits of port space, 32 bits
of cloud identifier space.) What's the next killer app
that'll chew up more of your IPv6 space?

I'm all for IPv6. And I'm all for avoiding conjecture
and getting to the task at hand. But simply assuming
that the IPv6 address space will forever remain that -
only unique host identifiers - I think is disingenuous
at best. :-)



Adrian

On Tue, Jan 25, 2011, Owen DeLong wrote:

> I love this term... "repetitively sweeping a targets /64".
> 
> Seriously? Repetitively sweeping a /64? Let's do the math...
> 
> 2^64 = 18,446,744,073,709,551,616 IP addresses.
> 
> Let's assume that few networks would not be DOS'd by a 1,000 PPS
> storm coming in so that's a reasonable cap on our scan rate.
> 
> That means sweeping a /64 takes 18,446,744,073,709,551 sec.
> (rounded down).
> 
> There are 86,400 seconds per day.
> 
> 18,446,744,073,709,551 / 86,400 = 213,503,982,334 days.
> 
> Rounding a year down to 365 days, that's 584,942,417
> years to sweep the /64 once.
> 
> If we increase our scan rate to 1,000,000 packets
> per second, it still takes us 584,942 years to sweep
> a /64.
> 
> I don't know about you, but I do not expect to live long
> enough to sweep a /64, let alone do so repetitively.
> 
> Owen

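Both arithmetic arguments in this message, Adrian's carving of the per-host space into port and cloud-identifier fields and Owen's quoted sweep-time estimate, are written out below as an added example (my code, not from either poster). The names sweep_seconds, sweep_years, effective_prefix and remaining_hosts are my own; the rounding follows Owen's post (floor at each step, 365-day years).

```python
# Added example (not from the NANOG thread): the IPv6 address-space
# arithmetic from the post above as reusable functions.
from typing import Dict

IPV6_BITS = 128
SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365          # the post rounds a year down to 365 days


def sweep_seconds(prefix_len: int, pps: int) -> int:
    """Whole seconds to probe every address in a prefix once at `pps` probes/s."""
    if not 0 <= prefix_len <= IPV6_BITS:
        raise ValueError("prefix length must be between 0 and 128")
    if pps <= 0:
        raise ValueError("probe rate must be positive")
    return (2 ** (IPV6_BITS - prefix_len)) // pps


def sweep_years(prefix_len: int, pps: int) -> int:
    """Years for one full sweep, flooring at each step as Owen's post does."""
    days = sweep_seconds(prefix_len, pps) // SECONDS_PER_DAY
    return days // DAYS_PER_YEAR


def effective_prefix(site_prefix_len: int, carved_bits: Dict[str, int]) -> int:
    """Prefix length with the same number of distinct hosts as a site of
    `site_prefix_len` once each named field (extended port space, cloud
    identifier, ...) has been carved out of the per-host bits."""
    used = site_prefix_len + sum(carved_bits.values())
    if used > IPV6_BITS:
        raise ValueError("carved fields exceed the 128-bit address")
    return used


def remaining_hosts(site_prefix_len: int, carved_bits: Dict[str, int]) -> int:
    """Distinct host identifiers left after the carved fields are taken out."""
    return 2 ** (IPV6_BITS - effective_prefix(site_prefix_len, carved_bits))


if __name__ == "__main__":
    # Owen's two figures for a flat /64.
    print("/64 at 1,000 pps:", sweep_years(64, 1_000), "years")
    print("/64 at 1,000,000 pps:", sweep_years(64, 1_000_000), "years")
    # Adrian's carve-up: 16 bits of extended port space, 32 bits of cloud ID.
    carve = {"extended_port_space": 16, "cloud_identifier": 32}
    eff = effective_prefix(64, carve)
    print(f"/64 with {sum(carve.values())} carved bits behaves like a /{eff}:",
          remaining_hosts(64, carve), "hosts,",
          sweep_seconds(eff, 1_000), "seconds to sweep at 1,000 pps")
```

Running the two together makes the defensive point concrete: a /64 with unstructured host identifiers takes Owen's 584,942,417 years to sweep at 1,000 pps, but the same site after Adrian's 48 carved bits has 16 bits of host space left and the same probe rate covers it in 65 seconds. Sparse addressing is only a hurdle while the host bits stay unpredictable; structure in how they are assigned removes it.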



Re: ipv4's last graph

2011-02-01 Thread Adrian Chadd
On Tue, Feb 01, 2011, Randy Bush wrote:
> with the iana free pool run-out, i guess we won't be getting those nice
> graphs any more.  might we have one last one for the turnstiles?  :-)/2
> 
> and would you mind doing the curves now for each of the five rirs?
> gotta give us all something to repeat endlessly on lists and in presos.

I think having a graph that reached full and stays there will be quite
powerful. :)



Adrian




Re: quietly....

2011-02-01 Thread Adrian Chadd
s/IPv6/ATM/g

Just saying...



Adrian

On Tue, Feb 01, 2011, Iljitsch van Beijnum wrote:
> On 1 feb 2011, at 13:01, Owen DeLong wrote:
> 
> >>> IPv4 is very dead in the sense that it's not going to go anywhere in the 
> >>> future.
> 
> >>taking the long view - your statement applies equally to IPv6.
> 
> IPv6 has many places to go in the future. Of course the future is long, and 
> there will be a point when IPv6 is no longer what's needed. But we're nowhere 
> close to that point now.
> 
> > I disagree. I think there is little, if any, innovation that will continue 
> > to be put
> > into IPv4 hence forth. I think there will be much innovation in IPv6 in the
> > coming years.
> 
> I'm afraid it may be the other way around: lots of IPv4 innovation just so 
> IPv6 can be avoided a few more years.



Re: 802.11g with WPA-PSK

2011-02-06 Thread Adrian Chadd
If it's running a recent net80211 stack, you'll need to create a VAP station
interface first,

e.g., ifconfig wlan0 create wlandev rum0

then do stuff to wlan0, not rum0.


Adrian

On Sun, Feb 06, 2011, Atticus wrote:
> I'm not familiar with wpa_supplicant, but you can preface external commands
> to execute in ifconfig.* with !
> 
> On Feb 6, 2011 1:08 PM, "Andrew Ball" 
> wrote:
> 
> Hello,
> 
>I have a NetBSD host that I would like to
> connect to an existing wireless LAN using a rum(4) interface
> (Belkin F5D7050B USB 802.11g adaptor).  I have tried
> configuring wpa_supplicant via rc.conf but it does not seem
> to start and I don't know why.  Is there some other way to
> launch wpa_supplicant, perhaps via ifconfig.rum0?
> 
> - Andy Ball




Re: US Warships jamming Lebanon Internet

2011-02-08 Thread Adrian Chadd
On Tue, Feb 08, 2011, Denys Fedoryshchenko wrote:

> I tried installing a C-Band bandpass filter, no effect at all, so it is in-band
> interference. Putting foil (yes, I tried almost everything) near the LNB doesn't
> affect the interference level either.

Can you get access to some kind of spectrum analyser kit to see what the
kind of interference is?



Adrian




Re: US Warships jamming Lebanon Internet

2011-02-08 Thread Adrian Chadd
On Tue, Feb 08, 2011, Denys Fedoryshchenko wrote:
> On Tuesday 08 February 2011 14:18:59 Adrian Chadd wrote:
> > On Tue, Feb 08, 2011, Denys Fedoryshchenko wrote:
> > > I tried installing a C-Band bandpass filter, no effect at all, so it is
> > > in-band interference. Putting foil (yes, I tried almost everything) near
> > > the LNB doesn't affect the interference level either.
> > 
> > Can you get access to some kind of spectrum analyser kit to see what the
> > kind of interference is?
> > 
> > 
> > 
> > Adrian
> Yes, on short (few minutes) sweeps it is clean. During a long run, with
> 100 kHz resolution, if we run a few hours we can catch anomalies on the carrier.
> Important note: this snapshot was done on a spectrum analyser in Europe, same
> transponder, and the results are similar, so it looks like the interference is
> on the transponder. The issue started to affect us at the same time as people
> in Lebanon got local interference issues.
> 
> Here is a snapshot of the carrier spectrum with the anomaly:
> http://www.nuclearcat.com/PICTURES/interference.jpg

And does this interference similarly screw up being able to RX data from
the transponder whilst in Europe?

(eg, if you stick a modem on RX-only in Europe (ie, no uplink) and then
just lock onto the signal and decode whatever happens, do you suffer
the same problem?)



Adrian

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $24/pm+GST entry-level VPSes w/ capped bandwidth charges available in WA -



AS7007 incident - would someone please "fix" the article?

2011-02-14 Thread Adrian Chadd
There's a wikipedia article:

http://en.wikipedia.org/wiki/AS_7007_incident

.. that a post I wrote up for a local computer club magazine somehow suffices
as primary reference material for.

Even though I think this is partially hilarious, would someone mind making
it a little more authoritative and well-referenced? My article was definitely
not written to be used as any form of source, primary or otherwise. :-)

Thanks!


Adrian




Re: The growth of municipal broadband networks

2011-03-25 Thread Adrian Chadd
On Fri, Mar 25, 2011, Leo Bicknell wrote:

> Having looked around the world I personally believe most communities
> would be best served if the government provided layer-1 distribution,
> possibly with some layer 2 switching, but then allowed any commercial
> entity to come in and offer layer 3 services.  For simplicity of
> argument I like people to envision the local government fiber agency
> (like your water authority) dropping off a 1 port fiber 4 port
> copper switch in your basement.  On that device they can create a
> layer 2 VLAN/VPN/Tunnel from any of the copper ports to any provider
> in the town CO.  You could buy video from one, voice from one, and
> internet from another, on three different ports.  You could buy
> everything from one provider.

And the natural question is - how will this differ from the way the
"government" services like water, power and transportation have
been run, privatised-but-not-quite, etc?



Adrian



Re: Bandwidth growth

2011-04-20 Thread Adrian Chadd
If it's a true research project, wouldn't you really be interested in both
evidence for/against? :-)

Just my 2c here,


Adrian

On Wed, Apr 20, 2011, Patrick W. Gilmore wrote:
> On Apr 20, 2011, at 9:35 PM, Curran, David wrote:
> 
> > I'm interested in any evidence (even anecdotal) that general Internet usage 
> > (and more importantly, link utilization) has increased at higher rates in 
> > the last 6-12 months than in previous periods.  Any graphs or otherwise 
> > would be greatly appreciated.  The purpose is for an internal research 
> > project and this data will only be used internally and will not be shared, 
> > nor will the sources.
> 
> <https://stats.linx.net/aggregate.html>
> <http://www.ams-ix.net/historical-traffic-data/>
> <http://de-cix.net/content/network.html>
> <http://www.seattleix.net/agg.htm>
> <http://www.torix.net/stats.php>
> 
> Etc.
> 
> I don't know if that proves your theory.  And one could argue public IX stats 
> are actually not representative of growth, since many networks move peers to 
> private connections as they grow.  But it is data, and it is available.
> 
> -- 
> TTFN,
> patrick
> 

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $24/pm+GST entry-level VPSes w/ capped bandwidth charges available in WA -



Re: OPERATIONAL: Royal Wedding expected to break traffic records

2011-04-28 Thread Adrian Chadd
On Fri, Apr 29, 2011, Jay Ashworth wrote:

> > (cough)multicast(cough)
> 
> But... but... how do we count the viewers, then?

With HTML cookies and AJAX, like everyone else[1].



Adrian

[1] and small embedded flash apps in small frames. Hi Facebook.



Re: coprorations using BGP for advertising prefixes in mid-1990s

2011-05-12 Thread Adrian Chadd
On Fri, May 13, 2011, Hank Nussbacher wrote:

> I always liked seeing the string "tli" in the IOS bundle in those days.

Whoa, you mean Cisco IOS images have "built by" names other than "prod rel 
team" ?

(heh.)



Adrian




Re: Had an idea - looking for a math buff to tell me if it's possible with today's technology.

2011-05-19 Thread Adrian Chadd
On Thu, May 19, 2011, Warren Kumari wrote:

> > Just wanted to say yes, this is entirely what I meant.  Of course the
> > smaller the file the more pointless it gets but still...  If the file was
> > 1GB instead of just 7 bytes I'm wondering if a regular old workstation could
> > put it back together in any reasonable amount of time with the equation.
> 
> While many folk have said "You've just invented compression", I'm going to be 
> a little more specific -- "Wavelet compression".

Well, yes. There's other types of function driven compression rather than
dictionary driven compression (which is just function driven compression :-),
eg iterated function systems.

The problem is finding a method that works for a variety of data. From what I
understand, (lossless) wavelet compression isn't fantastic for arbitrary types
of data.

I'd suggest the original poster pull up some literature introducing them
to information theory and compression techniques in general. Heck, even the
wikipedia article on lossless compression is a good starting point.

I think once the original poster understands some of the basics of information
theory and coding as it relates to representing say 1GB from 7 bytes as given
above, they may be better equipped to ask more specific (and useful!) questions.

HTH,



Adrian




Re: Ham Radio Networking (was Re: Rogers Canada using 7.0.0.0/8 for internal address space)

2011-05-26 Thread Adrian Chadd
On Thu, May 26, 2011, Lyndon Nerenberg wrote:
> >Sorry, poorly worded.  What I was wondering is there is an equivalent of 
> >KA9Q for IPv6.  I believe one of the comments we got back when we were 
> >trying to reclaim 44/8 was that folks couldn't migrate to IPv6 because 
> >no software was available...
> 
> We've come a little way since NOS.  Linux has native AX25, and it's pretty 
> simple to write a KISS adapter for any version of UNIX with a tun driver.

.. except at such low bit rates, the extra IPv6 header size is not 
insignificant?




Adrian




Re: New vyatta-nsp list

2011-05-27 Thread Adrian Chadd
On Fri, May 27, 2011, George Bonser wrote:

> > It's actually rather hard with current pc hardware to get to multiple
> > cores engaged in parallel per input interfaces. while you can plan for
> > various cases the one to account for is the small packet
> > performance not overwhelming the capabilities of a single cpu core.
> 
> Not anymore.  Linux will do processor per flow and it will remember
> which processor handed it traffic outgoing and try to route the reply
> back to the same CPU so you reduce cache misses.  

FreeBSD is doing much the same, both for TCP flows and for packet
routing.

The real fun will be when open source freebsd/linux stops trying to do
per-flow tracking and optimises their forwarding paths. From what I've
heard on the lists, NICs are certainly doing small packet linerate now.



Adrian




L2tp for DSL

2008-11-02 Thread adrian kok
Hi

Do you know any free open source L2tp for NAS?

I know this software was developed so many years
before but stopped

any information

Thank you

Send instant messages to your online friends http://uk.messenger.yahoo.com 



Re: L2tp for DSL

2008-11-02 Thread Adrian Chadd
Try openl2tp or l2tpns. They can both be LNSes.



Adrian

On Mon, Nov 03, 2008, adrian kok wrote:
> Hi
> 
> Do you know any free open source L2tp for NAS?
> 
> I know this software was developed so many years
> before but stopped
> 
> any information
> 
> Thank you



Re: Advice requested for OpenBSD vs. Linux/OpenBGP vs. Quagga router deployment.

2008-12-17 Thread Adrian Chadd

OpenBSD SMP support is quite limited. NetBSD SMP is quite limited. FreeBSD and Linux
seem to be running better. :)


Adrian

On Wed, Dec 17, 2008, Marc Runkel wrote:
> Greetings all,
> 
> We are a software development firm that currently delivers our install ISOs 
> via Sourceforge.  We need to start serving them ourselves for marketing 
> reasons and are therefore increasing our bandwidth and getting a 2nd ISP in 
> our datacenter.  Both ISPs will be delivering 100mbit/sec links.  We don't 
> expect to increase that for the next year or so and expect average traffic to 
> be about 40-60mbit/sec.
> 
> We are planning to run two OpenBSD based firewalls (with CARP and pf) running 
> OpenBGP in order to connect to the two ISPs.
> 
> I saw from previous email that Quagga was recommended as opposed to OpenBGP.  
> Any further comments on that?  Also,  any comments on the choice of OpenBSD 
> vs. Linux?
> 
> I don't want to start a religious war :-) Just curious about what most folks 
> are doing and what their experiences have been.
> 
> Thanks in advance,
> 
> Marc Runkel
> Technical Operations Manager
> Untangle, Inc.

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -



Re: Gigabit Linux Routers

2008-12-17 Thread Adrian Chadd
On Wed, Dec 17, 2008, Chris wrote:
> All the responses have been really helpful. Thanks to everyone for being
> friendly and for taking the time to answer in detail.
> I've asked a hardware provider to quote for a couple of x86 boxes and I'll
> look for suitable Intel NICs too.
> 
> Jim: We're a very small ISP and have a full mix of packet sizes on the
> network but the vast majority is outbound on port 80 so hopefully that'll
> help.
> 
> Any more input will of course be considered. I may post the NIC models for
> approval if I'm scratching my head again :)

Just FYI, the more recent Intel hardware has multiple hardware TX/RX queues,
implemented via separate (IIRC) PCIe channels, and Linux/FreeBSD is growing
support to handle these multiple queues via multiple kernel threads. Ie,
multiple CPUs handling packet forwarding.

The trick is whether they can pull it off in a way that scales the FIB
and RIB lookups and updates across 4 core (and more) boxes.

But 40kpps is absolutely doable on one CPU. Some of the FreeBSD guys working
on it are looking at supporting 1mil pps + on 10GE cards (in the public source
tree), so .. :)




Adrian




Re: Gigabit Linux Routers

2008-12-20 Thread Adrian Chadd
On Sat, Dec 20, 2008, Ingo Flaschberger wrote:

> I'm not sure if this setup would ever be "stable".
> also with ucarp tweaks.
> hopefully freebsd supports soon more than 1 route.
> 

FreeBSD, like all good open source projects, gets features supported when
people code them up.

So if you'd like to see FreeBSD support it, either code it up, or
pay someone to code it up. Then everyone benefits. :)



Adrian




Re: Unallocated prefix 100.10.10.0/24 in the DFZ via Cogent

2008-12-23 Thread Adrian Chadd
On Tue, Dec 23, 2008, sth...@nethelp.no wrote:

> Axtel is announcing 100.10.10.0/24, which is within the 100.0.0.0/8 block,
> which is unallocated according to

I'd love to see what that prefix is doing.. :)

Anyone have anything they can share?


adrian




Re: Leap second tonight

2009-01-05 Thread Adrian Chadd
On Mon, Jan 05, 2009, Nick Hilliard wrote:

> Notice for the leap second was issued on July 4 2008.
> 
> http://hpiers.obspm.fr/iers/bul/bulc/bulletinc.36
> 

Wow, how'd I miss that, I wonder? :)

I'm just angry at the jack moves pulled by last minute timezone changes
back in Australia, and the massively stupid repercussions seen throughout
chunks of IT (incl. network auditing setups I had to poke at the time.)

I'll add "handling second == 60" to the list of things I should check
for in my code. Thanks. :)



Adrian
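The "second == 60" check mentioned above, worked through as an added example (not code from the thread or from any of the products it discusses): a strict UTC timestamp parser that accepts :60 only where a positive leap second can actually occur, at 23:59 on the last day of a month, and only on dates it has been told about. The sample timestamps and the short list of known leap days are constructed for the illustration; a real deployment would maintain that list from IERS Bulletin C.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Constructed sample inputs (not from the thread): ISO-8601 UTC timestamps
# of the shape a log parser or auditing tool might receive.
SAMPLE_TIMESTAMPS = [
    "2008-12-31T23:59:59Z",
    "2008-12-31T23:59:60Z",  # the leap second inserted at the end of 2008
    "2009-01-01T00:00:00Z",
    "2009-03-15T12:00:60Z",  # :60 in the middle of a day: never valid
    "2009-06-30T23:59:60Z",  # a possible position, but none was announced
    "2009-01-05T10:00:61Z",  # :61 is malformed regardless of position
]

# Leap seconds this parser knows about: UTC dates on which 23:59:60 existed.
# IERS Bulletin C announces each one; this set has to be maintained from it.
# Only the two dates relevant to the constructed sample are listed here.
KNOWN_LEAP_DAYS = {
    (2005, 12, 31),
    (2008, 12, 31),
}

_TS = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})Z$")


def parse_utc(ts, leap_days=KNOWN_LEAP_DAYS):
    """Parse an ISO-8601 UTC timestamp, accepting second == 60 only as a
    positive leap second: at 23:59 UTC on the last day of a month that is
    listed in leap_days. Returns (datetime, is_leap_second).

    datetime cannot represent :60, so a leap second is returned as the
    following midnight with is_leap_second=True; it still sorts correctly
    between 23:59:59 and 00:00:00 of the next day.
    """
    m = _TS.match(ts)
    if not m:
        raise ValueError(f"malformed timestamp: {ts!r}")
    y, mo, d, h, mi, s = (int(g) for g in m.groups())
    if s > 60:
        raise ValueError(f"second field out of range: {ts}")
    if s == 60:
        last_day = calendar.monthrange(y, mo)[1]
        if (h, mi) != (23, 59) or d != last_day:
            raise ValueError(f"second 60 is only possible at 23:59 on a month end: {ts}")
        if (y, mo, d) not in leap_days:
            raise ValueError(f"no leap second is recorded for {y:04d}-{mo:02d}-{d:02d}")
        end_of_day = datetime(y, mo, d, 23, 59, 59, tzinfo=timezone.utc)
        return end_of_day + timedelta(seconds=1), True
    # datetime itself rejects impossible dates such as 2009-02-30.
    return datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc), False


def classify(timestamps, leap_days=KNOWN_LEAP_DAYS):
    """Map each timestamp to 'ok', 'leap' or 'rejected: <reason>'."""
    out = {}
    for ts in timestamps:
        try:
            _, is_leap = parse_utc(ts, leap_days)
            out[ts] = "leap" if is_leap else "ok"
        except ValueError as e:
            out[ts] = f"rejected: {e}"
    return out


if __name__ == "__main__":
    for ts, verdict in classify(SAMPLE_TIMESTAMPS).items():
        print(f"{ts}  {verdict}")
```

The point of rejecting :60 everywhere except an announced leap-second position is that a parser which blindly allows 0..60 in the seconds field will happily accept corrupted or forged timestamps, while one that allows only 0..59 will throw away genuine records from the one second that matters most when reconstructing what happened around the rollover.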




Re: Leap second tonight

2009-01-05 Thread Adrian Chadd
This begs the question - how the heck do timekeepers and politicians get
away with last minute time changes?

Surely there's -some- pushback from technology related interest groups to
try and get more than four weeks warning? :)



Adrian

On Mon, Jan 05, 2009, Frank Bulk wrote:
> A report from a DHCP/DNS appliance vendor here:
> 
> Several customers have reported a complete lock-up of their Proteus system
> around the beginning of January 1st 2009. We believe that we have traced
> this to a problem in the underlying kernel and NTP and the handling of the
> date change associated with 2008 being a Leap Year and therefore having 366
> days.
> 
> Several conditions must be met to trigger this problem:
> 1. The Proteus was originally installed as v2.1.x or earlier.
> 2. NTP is enabled as a client with 2 or more external source servers
> defined.
> 3. There is a discrepancy in the times reported back by these other NTP
> servers.
> 
> There is no correction available at this time, and the resolution is to
> power cycle the system, after which it will run fine.
> 
> If you experienced a similar problem at the indicated time, please submit a
> trouble ticket so that we can confirm that this occurred on your system.
> 
> 
> I don't know what the underlying OS is.
> 
> Frank
> 
> -Original Message-
> From: Kevin Day [mailto:toa...@dragondata.com] 
> Sent: Wednesday, December 31, 2008 4:42 PM
> To: NANOG list
> Subject: Leap second tonight
> 
> 
> Just a reminder that there's a leap second tonight.
> 
> Last time I watched for what happened on 01/01/2006, there was a
> little bit of chaos:
> http://markmail.org/message/cpoj3jw5onzhhjkr?q=%22kevin+day%22+leap+second+r
> eminder+nanog&page=1&refer=cnkxb3iv7sls5axu
> 
> I've been told that some of the causes of these problems are fixed on
> any reasonably recent ntp distribution, but just in case, you might
> wanna keep an eye out if you're seeing any weirdness. The worst damage
> I'd heard from anyone after that event was their clock being
> significantly off for several hours.
> 
> -- Kevin
> 
> 
> 

-- 
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -



Re: Anyone notice strange announcements for 174.128.31.0/24

2009-01-13 Thread Adrian Chadd
On Tue, Jan 13, 2009, Patrick W. Gilmore wrote:

> How can anyone seriously argue the ASN owner is somehow wrong and keep  
> a straight face?  How can anyone else who actually runs a network not  
> see that as ridiculous?

Speaking purely as an outsider who hasn't had to pull such jack moves
with his tiny corner of the world these days, I've frequently seen people
pull exactly these jack moves for Traffic Engineering.

So either they're not talking and wish to remain nameless, or they're
talking and being hypocritical. But they do exist, and I'm pretty sure
they see it as another way of "hacking" the routing system to achieve
goals the original implementors didn't explicitly define, but have
operational relevance today.

But they're out there, injecting routes to peers to control traffic.
I remember the first time I saw it and said "uhm wtf?" followed by
"evil but clever." Much like other BGP tricks. :)

(Ah, how the internet seems to have grown up. Sniff.)



Adrian




Re: smtp.comcast.net self-signed certs

2009-01-16 Thread Adrian Chadd
On Fri, Jan 16, 2009, Florian Weimer wrote:

> There's no PKI for Internet Mail routing, so I don't see what you get
> by checking certificates at all.

Function, non-broken Outlook integration.



Adrian

(Who is -fed up- with outlook just randomly spewing crap at you from time
to time if you use self-signed certs for various mail related activities.
Or chained certs. Sigh. :)



Re: "IP networks will feel traffic pain in 2009" (C|Net & Cisco)

2009-01-20 Thread Adrian Chadd
On Tue, Jan 20, 2009, Patrick W. Gilmore wrote:

> Define "cached".
> 
> For instance, most of the video today (which apparently had 12 zeros  
> in the bits per second number) was "cached", if you ask the CDNs  
> serving it.
> 
> Sounds to me like that is significant, no matter how big your network  
> is.

If, for example, Google's current generation of YouTube content serving
wasn't 100% uncachable by design, Squid caches would probably be
saving a stupid amount of bandwidth for those of you who are using it.

People rolling Squid + 'magic adrian rules to rewrite Youtube URLs
so they don't suck' report upwards of 80% byte hit rates on -just-
the Youtube content,  because people view the same bloody popular
videos over and over again. That's 80% of a couple hundred megabits
for a couple groups in Brazil, and that translates to mega dollars
to them.

There's no reason to doubt this wouldn't be the case even in Europe
and North America for forward caches put in exactly the right spot
to see exactly the right number of people.

I tried talking to Google about this. Those I spoke to went from
enthusiastic one month to "sorry, been told this won't happen!"
the next month. Which is sad really; the people who keep coming
to me and asking about caching all those things you funny CDNs are
pushing out are those who are on things like satellite links, or
in eastern europe / south america, where the -infrastructure-
is still lacking. They're the ones blocking facebook, youtube,
etc, because of the amount of bandwidth used by just those sites. :)




Adrian

(And I know about the various generations of Google content boxes out there
and have heard stories from people who have and are trialling them.
That's great if you're a service provider, and sucks if you're not well
connected to a service provider. Like, say, schools in Australia trying
to run a class with 30-40 odd computers hitting Google maps at once.
tsk.)




Re: "IP networks will feel traffic pain in 2009" (C|Net & Cisco)

2009-01-21 Thread Adrian Chadd
On Wed, Jan 21, 2009, Patrick W. Gilmore wrote:

> Google is not the only company which will put caches into any provider  
> - or school (which is really just a special case provider) - with  
> enough traffic.  A school with 30 machines probably would not  
> qualify.  This is not being mean, this is just being rational.  No way  
> those 30 machines save the company enough money to pay for the caches.
> 
> Again, sux, but that's life.  I'd love to hear your solution - besides  
> writing "magic" into squid to intentionally break or alter (some would  
> use much harsher language) content you do not own.  Content others are  
> providing for free.

Finding ways to force object revalidation by an intermediary cache (so
the end origin server knows something has been fetched) and thus
allowing the cache to serve the content on behalf of the content 
originator, under their full control, but without the bits being served.

I'm happy to work with content providers if they'd like to point out
which bits of HTTP design and implementation fail them (eg, issues
surrounding Variant object caching and invalidation/revalidation) and
get them fixed in a public manner in Squid so it -can- be deployed
by people to save on bandwidth in places where it still matters.




Adrian
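The revalidate-before-serving arrangement described above, as an added example that is not Squid's code and not from the thread: an intermediary cache that holds the body but asks the origin, with a conditional GET carrying If-None-Match, before every response it serves. The origin answers 304 Not Modified (no body) when its copy is unchanged, so it sees every fetch while the bytes stay on the cache side. The origin here is simulated in-process, and the URL, object size and viewer count are constructed for the illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Response:
    status: int          # 200 (full body) or 304 (Not Modified, no body)
    etag: str
    body: bytes = b""


class Origin:
    """Simulated origin server. Every request the cache makes, including
    conditional ones answered with 304, is recorded in self.log, which is
    the visibility a content provider is after."""

    def __init__(self, objects):
        self.objects = dict(objects)   # url -> body
        self.log = []                  # (url, status, bytes_sent)

    @staticmethod
    def etag_for(body):
        # A strong validator derived from the content itself.
        return '"' + hashlib.sha256(body).hexdigest()[:16] + '"'

    def get(self, url, if_none_match=None):
        body = self.objects[url]
        etag = self.etag_for(body)
        if if_none_match == etag:
            self.log.append((url, 304, 0))
            return Response(304, etag)
        self.log.append((url, 200, len(body)))
        return Response(200, etag, body)

    def update(self, url, body):
        self.objects[url] = body


class RevalidatingCache:
    """Intermediary that never serves a stored object without first asking
    the origin whether it is still current (a conditional GET carrying
    If-None-Match). On 304 the stored bits are served; on 200 the new body
    replaces them."""

    def __init__(self, origin):
        self.origin = origin
        self.store = {}            # url -> (etag, body)
        self.bytes_from_origin = 0
        self.bytes_to_clients = 0

    def fetch(self, url):
        cached = self.store.get(url)
        resp = self.origin.get(url, cached[0] if cached else None)
        if resp.status == 304:
            body = cached[1]       # origin confirmed our copy; nothing re-sent
        else:
            body = resp.body
            self.store[url] = (resp.etag, body)
            self.bytes_from_origin += len(body)
        self.bytes_to_clients += len(body)
        return body


def demo(viewers=5, size=100 * 1024):
    """Constructed scenario: one popular object watched by several clients,
    then changed at the origin once. Returns a traffic and log summary."""
    video = b"\x00" * size                      # constructed stand-in content
    origin = Origin({"/watch?v=popular": video})  # constructed URL
    cache = RevalidatingCache(origin)
    for _ in range(viewers):
        assert cache.fetch("/watch?v=popular") == video
    origin.update("/watch?v=popular", b"\x01" * size)   # content changed
    assert cache.fetch("/watch?v=popular") == b"\x01" * size
    statuses = [status for _, status, _ in origin.log]
    return {
        "origin_requests_seen": len(origin.log),
        "full_transfers": statuses.count(200),
        "not_modified": statuses.count(304),
        "bytes_from_origin": cache.bytes_from_origin,
        "bytes_to_clients": cache.bytes_to_clients,
    }


if __name__ == "__main__":
    print(demo())
```

In real HTTP the origin asks for exactly this behaviour by sending an ETag together with `Cache-Control: no-cache`, which requires a cache to validate with the origin before reusing a stored response; the 304 reply carries no body, so the saving is the whole object on every hit while the origin still logs each request and keeps control over when the stored copy is replaced.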




Re: "IP networks will feel traffic pain in 2009" (C|Net & Cisco)

2009-01-21 Thread Adrian Chadd
> Excellent idea.  It is a shame content owners do not see the utility  
> in your idea.
> 
> To bring this back to an operational topic, just because a content  
> owner does not want to work with someone on this, does the lack of  
> external bandwidth / infrastructure / whatever make it "OK" to install  
> a proxy which will intentionally re-write the content?

This really boils down to "who is more important? The content or the
content's eyeballs?"

(Or the people having to deliver said content to said eyeballs, and
aren't being paid by the content deliverer on their behalf.)



Adrian




Re: "IP networks will feel traffic pain in 2009" (C|Net & Cisco)

2009-01-21 Thread Adrian Chadd
On Wed, Jan 21, 2009, Nick Hilliard wrote:

> This doesn't provide feed-back to the content distributors on partial 
> downloads, etc - which is useful information to content providers, if 
> you're into data mining end-user browsing habits.  In the specific case of 
> Youtube, of course I don't know that they do this, but I'd be surprised if 
> they didn't.

If they'd like that included as a side-channel for certain response types,
then they could ask. It's not like caches don't store per-connection information
like that already.. :)



Adrian



