Re: Fwd: Interesting problems with using IPv6

2014-09-15 Thread Bruce Pinsky
On 9/14/2014 11:20 AM, Matthew Petach wrote:
 On Sun, Sep 14, 2014 at 10:45 AM, Sam Stickland s...@spacething.org wrote:
 
 Slightly off topic, but has there ever been a proposed protocol where hosts
 can register their L2/L3 binding with their connected switch (which could
 then propagate the binding to other switches in the Layer 2 domain)?
 Further discovery requests (e.g. ARP, ND) from other attached hosts could
 then all be directly replied, eliminating broadcast gratuitous arps. If the
 switches don't support the protocol they would default to flooding the
 discovery requests.

 It seems to me that so many network problems are caused by the inability to
 change the host mechanisms.

 Sam

 
 
 It looks like in 2011 Cisco proposed a
 technology called OTV that would do
 just that, according to this page:
  http://network-101.blogspot.com/2011/03/otv-vs-vpls.html
 Granted, it was aimed for wide-area
 networking, rather than control within
 a datacenter; but as everyone who has
 started doing BGP to their top of rack
 switches has learned, there's often good
 value in adopting techniques and protocols
 used in the wide area network within the
 datacenter as well.
 
 However, I haven't heard recent mention
 of it, so I'm guessing it failed to make a
 big enough splash to get any widespread
 adoption.


Also consider the emergence of eVPN and PBB-eVPN.

https://www.ciscolive.com/online/connect/sessionDetail.ww?SESSION_ID=5998&tclass=popup

-- 
=
bep






Re: Policy-based routing is evil? Discuss.

2013-10-11 Thread Bruce Pinsky

Phil Bedard wrote:
 I'm having a discussion with a small network in a part of the world
 where bandwidth is scarce and multiple DSL lines are often used for
 upstream links. The topic is policy-based routing, which is being
 described as load balancing where end-user traffic is assigned to a
 line according to source address.
 
 In my opinion the main problems with this are:
 
   - It's brittle, when a line fails, traffic doesn't re-route
   - None of the usual debugging tools work properly
   - Adding a new user is complicated because it has to be done in (at
 least) two places
 
 But I'm having a distinct lack of success locating rants and diatribes
 or even well-reasoned articles supporting this opinion.
 
 Am I out to lunch?
 

No, but what better solution do we have to offer them?  There are dynamic
load distribution features and products (think Cisco PfR, for example), but
those are routinely lambasted as well.


-- 
=
bep

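Phil's three objections, worked as an added example that is not from the thread: a source-address policy table that keeps steering flows at a dead next hop, next to a rendezvous-hashed selector over the lines that are up, which needs no per-user entry and, on a failure, moves only the flows that were on the failed line. Line names, next hops and source ranges are constructed; the `up` flag stands in for whatever reachability probe a real box would use.

```python
import hashlib
import ipaddress
from dataclasses import dataclass


@dataclass
class Line:
    """One upstream DSL line. `up` stands in for a probe of the next hop;
    the static policy below never reads it (assumed model, not real gear)."""
    name: str
    next_hop: str
    up: bool = True


class StaticPolicyRouter:
    """Policy-based routing as described in the thread: a hand-maintained
    table pins each source range to one line, independent of line state."""

    def __init__(self, lines, table):
        self.lines = {line.name: line for line in lines}
        self.table = [(ipaddress.ip_network(net), name) for net, name in table.items()]

    def select(self, src):
        addr = ipaddress.ip_address(src)
        for net, name in self.table:
            if addr in net:
                return self.lines[name]
        # A user unknown to the table is unrouted until someone adds them
        # here as well as on the host side.
        raise LookupError(f"no policy entry for {src}")


class RendezvousRouter:
    """Rendezvous (highest-random-weight) hashing over the lines that are
    up: no per-user table, and when a line fails only the sources that
    were on it move, because the surviving lines' scores do not change."""

    def __init__(self, lines):
        self.lines = list(lines)

    @staticmethod
    def score(src, line):
        digest = hashlib.sha256(f"{src}|{line.name}".encode()).digest()
        return int.from_bytes(digest[:8], "big")

    def select(self, src):
        live = [line for line in self.lines if line.up]
        if not live:
            raise RuntimeError("every upstream line is down")
        return max(live, key=lambda line: self.score(src, line))


def mapping(router, sources):
    return {src: router.select(src).name for src in sources}


def failover_impact(router, sources, failed):
    """Fail one line, remap every source, and report who moved and who is
    still being steered at the dead next hop (stranded / blackholed)."""
    before = mapping(router, sources)
    failed.up = False
    try:
        after = mapping(router, sources)
    finally:
        failed.up = True
    return {
        "before": before,
        "after": after,
        "moved": sorted(s for s in sources if before[s] != after[s]),
        "stranded": sorted(s for s in sources if after[s] == failed.name),
    }


# Constructed scenario (RFC 5737 next hops, RFC 1918 users; not a real network).
LINES = [Line("dsl1", "192.0.2.1"), Line("dsl2", "198.51.100.1")]
POLICY = {"10.0.0.0/25": "dsl1", "10.0.0.128/25": "dsl2"}
SOURCES = [f"10.0.0.{i}" for i in range(1, 65)] + [f"10.0.0.{i}" for i in range(129, 193)]


def demo():
    """Fail dsl1 under both schemes and return the two impact reports."""
    static = failover_impact(StaticPolicyRouter(LINES, POLICY), SOURCES, LINES[0])
    hashed = failover_impact(RendezvousRouter(LINES), SOURCES, LINES[0])
    return static, hashed


if __name__ == "__main__":
    static, hashed = demo()
    print("static PBR, dsl1 down: moved", len(static["moved"]), "stranded", len(static["stranded"]))
    print("rendezvous, dsl1 down: moved", len(hashed["moved"]), "stranded", len(hashed["stranded"]))
```

With the static table, the 64 users in 10.0.0.0/25 keep being sent to dsl1 after it dies; with rendezvous hashing they all land on dsl2 and nobody else is disturbed. The hashed variant also answers for a brand-new source without a table edit.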


Re: Office 365..? how Microsoft handed the NSA access to encrypted messages

2013-07-12 Thread Bruce Pinsky

Matt Baldwin wrote:
 While that would secure the connections from snooping, if your mailboxes
 are on Office 365 and those mailbox stores do not exist on an encrypted LUN
 then a service can easily read the Exchange database; anyone with server
 access can read mail across all mailboxes. In fact, Microsoft supports this
 type of setup with impersonation, e.g. a global user that can query any
 mailbox it has permissions to within Exchange. This is how some EWS
 integrated applications work. It wouldn't be that far fetched for the NSA
 to incorporate the same type of query to monitor the mailboxes -- even
 subscribing to change notifications so it only queries and collects when a
 new mail item has arrived. Additionally, Office 365 can simply create a
 journal rule and have all inbound / outbound mail journal to a location
 that makes it easier for snoops to look through the messages, e.g. an
 external SMTP endpoint, all without the end customers' knowledge.
 
 If anyone has any questions on Exchange they, too, can contact me off list.
 
 Just my 2-cents.

And what's to say that email addresses at Office 365 aren't just mailing
lists where you get a copy and so does $FEDAGENCY.  That's how my kids'
email addresses work at home :-)


-- 
=
bep



Re: Single AS multiple Diverse Providers

2013-06-10 Thread Bruce Pinsky

Patrick W. Gilmore wrote:
 however, providers a/b at site1 do not send us the two /24s from
 site b..
 
 This is probably incorrect.
 
 The providers are almost certainly sending you the prefixes, but your router 
 is dropping them due to loop detection. To answer your later question, this 
 is the definition of 'standard' as it is written into the RFC.
 
 Use the allow-as-in style command posted later in this thread to fix your 
 router.
 

Or maintain standard behavior by running a GRE tunnel between the two
discontinuous sites and run iBGP over the tunnel.

-- 
=
bep



Re: Single AS multiple Diverse Providers

2013-06-10 Thread Bruce Pinsky

Patrick W. Gilmore wrote:
 On Jun 10, 2013, at 13:36 , Bruce Pinsky b...@whack.org wrote:
 Patrick W. Gilmore wrote:
 
 however, providers a/b at site1 do not send us the two /24s from
 site b..

 This is probably incorrect.

 The providers are almost certainly sending you the prefixes, but your 
 router is dropping them due to loop detection. To answer your later 
 question, this is the definition of 'standard' as it is written into the 
 RFC.

 Use the allow-as-in style command posted later in this thread to fix your 
 router.
 
 Or maintain standard behavior by running a GRE tunnel between the two
 discontinuous sites and run iBGP over the tunnel.
 
 Standard how? I don't remember any such standard, but always willing to be 
 educated.
 
 Also, as someone who helps run 2500 non-connected sites, I can't begin to 
 imagine the mess of GRE that would require. (OK, not all are in the same ASN, 
 but I like hyperbole. :)
 

Standard in the sense of continuing to reject duplicate ASN in the AS
path and not using a BGP knob to allow unnatural behavior.

If the networks he wishes to advertise for those sites are considered in
the same ASN, there should be continuity between those sites, either
physical or virtual.

-- 
=
bep

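The loop-detection behaviour Patrick describes and the two ways around it, as an added example rather than anything from the thread: the RFC 4271 check that drops an UPDATE whose AS_PATH already contains the local AS, the allowas-in relaxation that tolerates up to N occurrences, and the GRE + iBGP alternative, under which the route never carries the AS at all. ASNs and the prefix are from the documentation ranges and the two-site topology is constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: Tuple[int, ...]  # leftmost = most recently added AS, as carried in the UPDATE


def loop_count(local_as: int, as_path: Tuple[int, ...]) -> int:
    return as_path.count(local_as)


def accept_from_ebgp(local_as: int, route: Route, allowas_in: int = 0) -> Optional[Route]:
    """Inbound eBGP check. RFC 4271 section 9.1.2: a route whose AS_PATH
    contains the local AS is an AS loop and is excluded from the decision
    process. `allowas_in` models the vendor knob that tolerates up to N
    occurrences; the default of 0 is the standard behaviour."""
    if loop_count(local_as, route.as_path) > allowas_in:
        return None
    return route


def export_to_ebgp(local_as: int, route: Route) -> Route:
    """Prepend our AS when advertising to an eBGP neighbour."""
    return Route(route.prefix, (local_as,) + route.as_path)


def export_to_ibgp(route: Route) -> Route:
    """iBGP leaves AS_PATH alone, so a route carried between two sites of
    one AS over a GRE tunnel and iBGP never contains that AS."""
    return route


# Constructed scenario: one ASN at two disconnected sites, each behind a
# different provider. Numbers come from the documentation ranges.
SITE_AS = 64500
PROVIDER_A, PROVIDER_B = 64496, 64497
SITE_B_PREFIX = Route("203.0.113.0/24", ())  # originated at site B, empty path


def via_providers() -> Route:
    """What site A's router receives from provider A for site B's prefix."""
    at_provider_b = export_to_ebgp(SITE_AS, SITE_B_PREFIX)      # (64500,)
    at_provider_a = export_to_ebgp(PROVIDER_B, at_provider_b)   # (64497, 64500)
    return export_to_ebgp(PROVIDER_A, at_provider_a)            # (64496, 64497, 64500)


def compare() -> dict:
    received = via_providers()
    return {
        # Standard: our own AS is in the path, so the route is dropped.
        "standard": accept_from_ebgp(SITE_AS, received),
        # allowas-in 1: the same UPDATE is now installed.
        "allowas_in_1": accept_from_ebgp(SITE_AS, received, allowas_in=1),
        # GRE + iBGP: the prefix arrives with an empty path; nothing to trip on.
        "via_gre_ibgp": export_to_ibgp(SITE_B_PREFIX),
        # The price of the knob: a path that looped through us twice is
        # still caught, but a single occurrence is never a loop again.
        "real_loop_allowas_1": accept_from_ebgp(
            SITE_AS,
            Route("203.0.113.0/24", (PROVIDER_A, SITE_AS, PROVIDER_B, SITE_AS)),
            allowas_in=1,
        ),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:20s} -> {'dropped' if result is None else result.as_path}")
```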


Re: Cisco CAT6500 IOS Simulator

2012-02-23 Thread Bruce Pinsky

-Hammer- wrote:
 I'm sure that virtualizing the sup would be possible. But having to come up
 with all the line cards would be a nightmare. I'd love for someone Internal
 to tell me I'm wrong but until we can get a 3560 or a 3750X on Dynamips I
 wouldn't push for a 6500 or a Nexus.
 

What functionality of the 6500 are you looking for?  If you want hardware
specifics like QoS queues and such, that is unlikely.  If you are looking
for platform independent things like spanning tree, port channels, layer 3
functionality, etc, there may be a solution forthcoming from Cisco.

-- 
=
bep



Re: Did Internap lose all clue?

2011-10-21 Thread Bruce Pinsky

Darrell Hyde wrote:
 That might have something to do with the fact InterNAP bought both of 
 them (and the third company in that space).
 
 I believe RouteScience was acquired by Avaya in 2004. Did Internap acquire 
 the IP after the fact?
 

Correct on RouteScience going to Lucent/Avaya.  InterNAP bought NetVMG and
Sockeye in 2003.  Proficient Networks merged with IP Deliver forming
Infiniroute in 2004.

http://www.networkworld.com/news/2003/1013internap.html
http://investing.businessweek.com/research/stocks/private/snapshot.asp?privcapId=1204052

And Cisco is in the space with OER/PfR.

-- 
=
bep



Re: Access and Session Control System?

2011-09-01 Thread Bruce Pinsky

Jones, Barry wrote:
 
 Hello all. I am looking at a variety of systems/methods to provide
 (vendor, employee) access into my dmz's. I want to reduce the FW rule
 sets and connections to as minimal as possible. And I want the accessing
 party to only get to the destination I define (like a fw rule).
 
 When I refer to access, I'm referring to the ability of a vendor or
 employee to perform maintenance tasks on a server(s). The server(s) will
 be running apps for doing different tasks - such as Shavlik, etc..,
 (patching, reports, logging, etc..), so I am envisioning allowing an
 outside vendor/employee (from the internet or corp. net) to RDP or SSH
 to given Windows or Unix-based machines, then perform their
 application work from that jumping off point - kind of like a terminal
 server; but I'd like to control and audit the sessions as well.
 
 Overall, I can allow a host/port through the FW to a single host, but I
 wanted to be able to do the session management and endpoint controls.
 FWs are ok, but you know as well as I that I now deal with lots of
 rule sets. And I need to also authenticate the user.
 
 We are a couple smaller facilities (150 hosts each) and I need to be
 able to control and audit the sessions when requested. I have considered
 doing a meetingplace server, then providing escorted access for them, or
 doing just the FW and a jump host - but need the endpoint and session
 solution, or just using VPN - but don't want to install a host on the
 vendor machines. I also have looked at a product called EDMZ - wondered
 if anyone had experience with it?
 
 And did I say I wanted to keep it as simple as possible? :-) It's been a
 few years since I've done hands-on networking work, so excuse the
 long-winded letter. Feel free to email me directly too.
 

The Cisco ASA firewall/VPN appliance with SSL VPN can provide the kind of
control you are asking for.  You can customize different connection
profiles, based on individuals and/or groups, that specify where they can
connect to and what types of connection protocols can be used.

-- 
=
bep



Re: SMS Standards

2008-10-16 Thread Bruce Pinsky

Glen Kent wrote:
 Hi,
 
 Apologies in advance since this is off-topic. However, I am posting it on
 nanog since i am confident that we will have some experts who would be
 able to guide me here.
 
 I want to study the standards (RFC equivalent) for sending and
 receiving SMSs. Any ideas on what kind of protocol runs between a
 mobile phone and a SMS center (SMSC)?
 

Wiki_Pedia is your friend http://en.wikipedia.org/wiki/Short_message_service

The Short Message Service - Point to Point (SMS-PP) is defined in GSM
recommendation 03.40.[2] GSM 03.41 defines the Short Message Service - Cell
Broadcast (SMS-CB) which allows messages (advertising, public information,
etc.) to be broadcast to all mobile users in a specified geographical
area.[16] Messages are sent to a Short Message Service Centre (SMSC) which
provides a store-and-forward mechanism. It attempts to send messages to
their recipients. If a recipient is not reachable, the SMSC queues the
message for later retry.[17] Some SMSCs also provide a forward and forget
option where transmission is tried only once. Both Mobile Terminated (MT),
for messages sent to a mobile handset, and Mobile Originating (MO), for
those that are sent from the mobile handset, operations are supported.
Message delivery is best effort, so there are no guarantees that a message
will actually be delivered to its recipient and delay or complete loss of a
message is not uncommon, particularly when sending between networks. Users
may choose to request delivery reports (simply add *0# or *N# to the
beginning of your text message), which can provide positive confirmation
that the message has reached the intended recipient.

Transmission of short messages between the SMSC and the handset is done
using the Mobile Application Part (MAP) of the SS7 protocol. Messages are
sent with the MAP mo- and mt-ForwardSM operations, whose payload length is
limited by the constraints of the signalling protocol to precisely 140
octets (140 octets = 140 * 8 bits = 1120 bits). Short messages can be
encoded using a variety of alphabets: the default GSM 7-bit alphabet (shown
below), the 8-bit data alphabet, and the 16-bit UTF-16/UCS-2 alphabet.[18]
Depending on which alphabet the subscriber has configured in the handset,
this leads to the maximum individual Short Message sizes of 160 7-bit
characters, 140 8-bit characters, or 70 16-bit characters (including
spaces). Support of the GSM 7-bit alphabet is mandatory for GSM handsets
and network elements,[18] but characters in languages such as Arabic,
Chinese, Korean, Japanese or Cyrillic alphabet languages (e.g. Russian)
must be encoded using the 16-bit UCS-2 character encoding (see Unicode).
Routing data and other metadata is additional to the payload size.

-- 
=
bep

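The size arithmetic in the quoted passage, carried through in code. This is an added example, not part of the original post or of any carrier's software: it packs GSM 03.38 septets the way the spec does, so that 160 of them land in exactly 140 octets, shows the extension-table characters that quietly cost two septets each, and falls back to 70-character UCS-2 once the text leaves the 7-bit alphabet. The sample strings are constructed, and UCS-2 is approximated with UTF-16-BE, which is identical for characters in the Basic Multilingual Plane.

```python
ESC = 0x1B

# GSM 03.38 default 7-bit alphabet; the string index is the septet value.
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ"
    " !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§"
    "¿abcdefghijklmnopqrstuvwxyzäöñüà"
)
# Extension table: sent as ESC followed by this value, so two septets each.
GSM7_EXT = {"\f": 0x0A, "^": 0x14, "{": 0x28, "}": 0x29, "\\": 0x2F,
            "[": 0x3C, "~": 0x3D, "]": 0x3E, "|": 0x40, "€": 0x65}
GSM7_EXT_REV = {v: k for k, v in GSM7_EXT.items()}


def encode_gsm7(text):
    """Text -> list of septet values; ValueError if a character has no 7-bit form."""
    septets = []
    for ch in text:
        if ch in GSM7_EXT:
            septets += [ESC, GSM7_EXT[ch]]
            continue
        idx = GSM7_BASIC.find(ch)
        if idx < 0 or idx == ESC:
            raise ValueError(f"{ch!r} is not in the GSM 7-bit alphabet")
        septets.append(idx)
    return septets


def decode_gsm7(septets):
    out, i = [], 0
    while i < len(septets):
        if septets[i] == ESC and i + 1 < len(septets):
            # Unknown extension codes decode as a space, as 03.38 recommends.
            out.append(GSM7_EXT_REV.get(septets[i + 1], " "))
            i += 2
        else:
            out.append(GSM7_BASIC[septets[i]])
            i += 1
    return "".join(out)


def pack_septets(septets):
    """7-bit packing: septet i occupies bits 7i..7i+6 of the octet stream,
    least significant bit first. 160 septets = 1120 bits = 140 octets."""
    value = 0
    for i, s in enumerate(septets):
        value |= (s & 0x7F) << (7 * i)
    return value.to_bytes((7 * len(septets) + 7) // 8, "little")


def unpack_septets(data, count):
    """Inverse of pack_septets. `count` is the septet count from the TP-UDL
    field; it is needed because 7 and 8 septets both arrive as 7 octets."""
    value = int.from_bytes(data, "little")
    return [(value >> (7 * i)) & 0x7F for i in range(count)]


def segment_plan(text):
    """Which alphabet the handset must use for `text`, how many units it
    occupies, and whether it fits the 140-octet TP-UD of a single SM."""
    try:
        septets = encode_gsm7(text)
        alphabet, units, limit = "GSM 7-bit", len(septets), 160
        octets = len(pack_septets(septets))
    except ValueError:
        data = text.encode("utf-16-be")  # UCS-2 for BMP characters
        alphabet, units, limit = "UCS-2", len(data) // 2, 70
        octets = len(data)
    return {"alphabet": alphabet, "units": units, "limit": limit,
            "octets": octets, "fits_single_sm": octets <= 140}


if __name__ == "__main__":
    print(pack_septets(encode_gsm7("hellohello")).hex())  # e8329bfd4697d9ec37
    for sample in ["a" * 160, "a" * 159 + "€", "Привет"]:
        print(segment_plan(sample))
```

The second sample is the trap operators run into: 159 ASCII letters plus one euro sign is 161 septets, one over the limit, even though it is 160 characters long.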


Re: Possible explanations for a large hop in latency

2008-07-01 Thread Bruce Pinsky


Sam Stickland wrote:
| Even if they are decrementing TTL inside of their MPLS core, the TTL
| expired message still has to traverse the entire MPLS LSP (tunnel), so
| the latency reported for each hop is in fact the latency of the last
| hop in the MPLS network. Always.
|

And who said tunneling protocols aren't fun :-)

-- 
=
bep

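Sam's point about TTL expiry inside an LSP, modelled as an added example that is not from the thread. One-way link latencies are constructed, both directions are assumed symmetric, and `lsp=(ingress, egress)` marks the routers strictly between those two as label-switching interior hops. With TTL propagation on, every interior hop reports the egress LER's round trip; with it off, the interior hops disappear and the LSP shows as a single hop.

```python
from typing import List, Optional, Tuple


def one_way_ms(links: List[float], hop: int) -> float:
    """One-way latency from the probing host to router `hop` (1-based);
    links[i] is the one-way latency of the link into router i+1."""
    return sum(links[:hop])


def traceroute_rtts(links: List[float], lsp: Optional[Tuple[int, int]] = None,
                    propagate_ttl: bool = True) -> List[Tuple[int, float]]:
    """Per-hop RTT as traceroute would report it (symmetric paths assumed)."""
    results = []
    for hop in range(1, len(links) + 1):
        interior = lsp is not None and lsp[0] < hop < lsp[1]
        if interior and not propagate_ttl:
            # IP TTL is not copied into the label, so interior LSRs never
            # expire a probe: the whole LSP appears as one hop.
            continue
        if interior:
            # The LSR has no IP route back to the prober; its ICMP Time
            # Exceeded is label-switched on to the egress LER and only then
            # routed back, so the reported RTT is the egress LER's RTT.
            egress = lsp[1]
            to_hop = one_way_ms(links, hop)
            to_egress = one_way_ms(links, egress)
            rtt = to_hop + (to_egress - to_hop) + to_egress
        else:
            rtt = 2 * one_way_ms(links, hop)
        results.append((hop, rtt))
    return results


def inflation(links: List[float], lsp: Tuple[int, int]) -> dict:
    """How much each interior hop's reported RTT exceeds its true RTT."""
    real = dict(traceroute_rtts(links))
    seen = dict(traceroute_rtts(links, lsp))
    return {hop: seen[hop] - real[hop] for hop in seen if lsp[0] < hop < lsp[1]}


# Constructed path: six routers, LSP from router 2 (ingress) to router 5 (egress).
LINKS = [5, 5, 20, 20, 20, 5]
LSP = (2, 5)

if __name__ == "__main__":
    print("plain IP      ", traceroute_rtts(LINKS))
    print("LSP, TTL prop.", traceroute_rtts(LINKS, LSP))
    print("LSP, no prop. ", traceroute_rtts(LINKS, LSP, propagate_ttl=False))
    print("inflation     ", inflation(LINKS, LSP))
```

Hops 3 and 4 really sit at 30 ms and 50 ms one way, but both report 140 ms, the same as the egress LER at hop 5; the flat run of equal RTTs is the tell that you are looking at a tunnel, not at a slow link.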


Re: Problems with either Cisco.com or ATT?

2007-08-08 Thread Bruce Pinsky


Paul Ferguson wrote:
 No idea -- maybe just a hiccup?
 

No, the outage is real and affecting network and systems for internal and
external services.

-- 
=
bep