Re: shared address space... a reality!
Greetings Dave,
Having been one of the authors of this, and, at the time, unfortunately looking down the barrel of a CGN deployment (in AU), I can say, at least in our case, it had nothing to do with monitoring or intercept. In fact, CGN actually made that more difficult in some circumstances. And this was a carrier that definitely had that requirement.
Chris
On 17Mar2012, at 10.33, Dave Edelman wrote:
Some major stakeholders are under legal or regulatory obligation to supervise and control. A small number of control points makes this less awful to effect.
Dave Edelman
On Mar 16, 2012, at 16:21, cdel.firsthand.net c...@firsthand.net wrote:
NAT at the edge is one thing as it gives an easy to sell security proposition for the board. But CGN controlled by whoever sitting between their NATs does the opposite.
Christian de Larrinaga
On 16 Mar 2012, at 19:35, William Herrin b...@herrin.us wrote:
On Fri, Mar 16, 2012 at 2:01 PM, Octavio Alvarez alvar...@alvarezp.ods.org wrote:
On Tue, 13 Mar 2012 23:22:04 -0700, Christopher Morrow christopher.mor...@gmail.com wrote:
NetRange: 100.64.0.0 - 100.127.255.255
CIDR: 100.64.0.0/10
OriginAS:
NetName:SHARED-ADDRESS-SPACE-RFCTBD-IANA-RESERVED
Weren't we supposed to *solve* the end-to-end connectivity problem, instead of just letting it live?
We forgot to ask if all the stakeholders wanted it solved. Most self-styled enterprise operators don't: they want a major control point at the network border. Deliberately breaking end to end makes that control more certain. Which is why they deployed IPv4 NAT boxen long before address scarcity became an impactful issue.
Regards, Bill Herrin
-- William D. Herrin her...@dirtside.com b...@herrin.us 3005 Crane Dr. .. Web: http://bill.herrin.us/ Falls Church, VA 22042-3004
-- 李柯睿 Check my PGP key here: https://www.asgaard.org/~cdl/cdl.asc Current vCard here: https://www.asgaard.org/~cdl/cdl.vcf Check my calendar availability: https://tungle.me/cdl
Re: X.509 Certs For Personal Use
Greetings
I'll +1 Chris's experience with startssl
On 18Feb2012, at 10.57, Christopher Morrow wrote:
On Sat, Feb 18, 2012 at 10:44 AM, John Peach john-na...@johnpeach.com wrote:
On Sat, 18 Feb 2012 14:27:05 +0100 Phil Regnauld regna...@nsrc.org wrote:
toor (lists) writes:
I use http://www.startssl.com/ for all my personal certificates. I have not had any issues with the validations (once you have an account you can validate a domain by sending an email to a predefined list of contact addresses) and the certificates are issued instantly.
Your request is being held up for review by our personnel. Up to 6 hours.
Must be their definition of instant :)
It's nice to see that they actually do random reviews, rather than just issuing everything requested.
I use startssl and have not had anything held for review.
I've had most of mine held, but almost always I get a response inside of 20 mins. Really, what I care about here is:
1) cert validates in almost all clients (mozilla/chrome/mail.app)
2) controlled/secured by my key, not something made up on the server side
3) not paying money for random bytes.
it works and eddy's pretty quick on requests.
-chris
Cheers, Phil
-- John
-- 李柯睿 Check my PGP key here: https://www.asgaard.org/~cdl/cdl.asc Current vCard here: https://www.asgaard.org/~cdl/cdl.vcf
Re: Writable SNMP
On 06Dec2011, at 12.28, David Barak wrote:
From: Jeff Wheeler j...@inconcepts.biz
Juniper does not support writing via SNMP. I am glad. Hopefully that is the first step toward not supporting SNMP at all.
If I recall correctly, wasn't the old FORE CLI implemented via localhost SNMP? I liked using them, but that's a special case...
Wellfleet
David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com
-- 李柯睿 Check my PGP key here: https://www.asgaard.org/~cdl/cdl.asc Current vCard here: https://www.asgaard.org/~cdl/cdl.vcf
Re: Mailing list/group for datacenter facilities folks
+1
-- Pardon the typos - sent from a silly keyboard
On Sep 7, 2011, at 12:09, Matt Ryanczak ryanc...@gmail.com wrote:
On 09/07/2011 03:06 PM, Brandon Kim wrote:
I would love to be a part of this list if there is one!!!
+1
Re: Regional AS model
On 25Mar2011, at 09.17, Michael Hallgren wrote:
On Thursday 24 March 2011 at 14:26 -0700, Bill Woodcock wrote:
On Mar 24, 2011, at 1:47 PM, Patrick W. Gilmore wrote:
On Mar 24, 2011, at 3:40 PM, Owen DeLong wrote:
On Mar 24, 2011, at 12:42 PM, Zaid Ali z...@zaidali.com wrote:
I have seen age old discussions on single AS vs multiple AS for backbone and datacenter design. I am particularly interested in operational challenges for running AS per region e.g. one AS for US, one EU etc or I have heard folks do one AS per DC. I particularly don't see any advantage in doing one AS per region or datacenter since most of the reasons I hear is to reduce the iBGP mesh. I generally prefer one AS and making use of confederation.
If you have good backbone between the locations, then, it's mostly a matter of personal preference. If you have discrete autonomous sites that are not connected by internal circuits (not VPNs), then, AS per site is greatly preferable.
We disagree. Single AS worldwide is fine with or without a backbone. Which is preferable is up to you, your situation, and your personal tastes.
We're with Patrick on this one. We operate a single AS across seventy-some-odd locations in dozens of countries, with very little of what an eyeball operator would call backbone between them, and we've never seen any potential benefit from splitting them. I think the management headache alone would be sufficient to make it unattractive to us.
Experience with a major backbone in the early 2000's that spanned 50 core sites and 4 continents - single AS is not really a problem. We chose IS-IS with wide metrics as the IGP, and one-layer of route-reflection for the bgp mesh control.
The only reason I could possibly see doing multi-AS in a general case is if your route policies are different in different regions (i.e. in one region a peer AS is a 'peer' and in another region the same AS is a 'transit' or 'upstream'). You CAN do it with a single AS, but it's more painful...
-Bill
Right.
I think that a single AS is most often quite fine. I think our problem space is rather about how you organise the routing in your AS. Flat, route-reflection, confederations? How much policing between regions do you feel that you need? In some scenarios, I think confederations may be a pretty sound replacement of the multiple-AS approach. Policing iBGP sessions in a route-reflector topology? Limits? Thoughts?
Cheers, mh
--- 李柯睿 Check my PGP key here: https://www.asgaard.org/~cdl/cdl.asc
Re: so big earthquake in JP
Pacific tsunami warning centre has confirmed a deep ocean tsunami. Three dart buoys have detected 2 ft wave fronts. Warnings up for entire pacific basin except for Alaska/Canada/US west coast.
Chris
-- Pardon the typos - sent from a silly keyboard
On 10/03/2011, at 23:13, Khurram Khan brokenf...@gmail.com wrote:
bbc reports 8.8 magnitude with a tsunami. http://www.bbc.co.uk/news/world-asia-pacific-12709598
On Fri, Mar 11, 2011 at 12:08 AM, Bryan Irvine sparcta...@gmail.com wrote:
On Thu, Mar 10, 2011 at 10:19 PM, Tomoya Yoshida yosh...@nttv6.jp wrote:
Japan had so big terrible earthquake
How big? I see reports of Tokyo, was Kyoto affected?
Re: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance
++
On 30Dec2010, at 12.47, Jared Mauch wrote:
On Dec 29, 2010, at 11:24 AM, Josh Smith wrote:
While certainly not the best stuff made I've found the ubiquiti equipment to be very nice for the price and have a few of their AP's which have been in service 24x7 for a couple of years now.
Same here. The price performance is hard (impossible?) to beat. Combine that with the Linux/SDK stuff and you can do some interesting things with it that you can't do with other devices.
- Jared
--- 李柯睿 Check my PGP key here: https://www.asgaard.org/~cdl/cdl.asc
Clarification from Pica8 (was Fwd: Mystery open source switching company claims top-of-rack price edge)
I just talked to Lin Du (who I worked with when I was at Woven), who is the current CEO of Pica8. Don't know anything about the product, but this didn't seem like Lin's style. Turns out Fontaine GUILLAUME has registered pic8@gmail.com, has no relation to the company - and is trying to prove to them that he should be a reseller. Lin has told GUILLAUME to stop (not that that will do any good). Some e-mail fragments below.
Chris
Begin forwarded message:
From: Lin Du l...@pica8.com
Date: 01 November 2010 17.11.58 +1100
To: Christopher LILJENSTOLPE c...@asgaard.org
Subject: Re: Mystery open source switching company claims top-of-rack price edge
Hi, Chris,
Thanks for your reminding. This guy wants to resell the Pronto products but without any partnership with us yet. He even registered an email with my name as pica8@gmail.com for posting. I sent another email to let him stop doing this anymore. I need to clarify NANOG for this.
Thanks, Lin
From: Christopher LILJENSTOLPE
Sent: Monday, November 01, 2010 12:31 PM
To: Lin Du
Subject: Re: Mystery open source switching company claims top-of-rack price edge
NP.
Chris
On 01Nov2010, at 15.30, Lin Du wrote:
Chris, Many thanks.
Guillaume, Please stop using pica8 name in your posts, emails and any other public messages. We didn't grant you to do in this way. You could be pica8 partner until you are legally qualified.
Thanks, Lin
Pica8 Technology Inc.
snip
Re: ARIN negotiation?
yes; no; without reservation; really, why would a competent lawyer have any problems accepting that contract :) ?
On 27 Mar 2010, at 08.45 , Jeremy Charles wrote:
Has anyone here had their legal department balk at the legal agreement that ARIN wants you to sign when you get things like an AS number or an IP block? Any luck in negotiating with ARIN?
The agreement has language at the top saying that ARIN doesn't accept modifications, but our legal team is questioning whether that means it really is non-negotiable. They're not exactly fans of it as it is written. (I probably can't share what my legal counsel is saying to me about the agreement, but it's probably not relevant to the question anyway...)
=== Jeremy Charles Epic - Computer and Technology Services Division jchar...@epic.com Phone: 608-271-9000 Fax: 608-271-7237
--- 李柯睿 Check my PGP key here: https://www.asgaard.org/~cdl/cdl.asc
Re: IP4 Space
Greetings Owen,
The only problem is that there will be a number of devices that the eyeballs like that won't ever see an IPv6 packet (specifically thinking about the CE devices in the home). As such, it won't be IPv6 only, it will be dual-stack. Eventually we won't be able to give that eyeball's NAT box a unique address, then the proliferation of state begins
Chris
On 27 Mar 2010, at 08.42 , Owen DeLong wrote:
Dave, It's clear we disagree about what will happen in an obviously unpredictable future. I think that eyeball networks will deploy IPv6 rapidly due to the high costs of attempting to continue to hack IPv4. You believe that something else will happen. In time, we will see which of us turns out to be more correct. We can look at it in hindsight over drinks in about 5 years or so.
Owen
On Mar 26, 2010, at 1:32 PM, Dave Israel wrote:
On 3/26/2010 1:31 PM, Owen DeLong wrote:
On Mar 26, 2010, at 8:57 AM, Lamar Owen wrote:
You should ask your server guy how he plans to talk to your core stakeholders when they can't get IPv4 any more.
Then, at that time, both he and his key stakeholders will experience pain while they both deploy IPv6, or more likely, his key stakeholders will add another level of NAT-like indirection to give themselves space to expand with the address pool they have. At the CxO level, it's all about the money. Or the lack thereof.
How much less money will you have when donors can not reach your website or have a poor user experience doing so?
This assumption is incorrect. They can't keep nursing IPv4 forever. Eventually everybody will have to switch to v6. If you don't, you'll be sorry. Just wait and see. That attitude did not force any previous supposed IPv4-killer protocol to be deployed. The fact is, for the foreseeable future, his donors will tend to have a better experience over v4 than v6. He isn't going to be blindsided by the need to deploy v6, and he knows it.
By the time an important v4 host is not reachable via the entire internet (and at full speed), v6 will have been everywhere for years. An address space crisis will not result in v6 deployment from repentant network engineers who did not see the light in time. An address space crisis will merely result in more hacks to keep v4 running longer. v6 will be deployed slowly by the curious, encouraged by features v6 has that they want and with the assumption that they will still be able to do everything they can do on v4 (either through translation or dual stacking.) This process can be accelerated by something that v6 can do that v4 can't. So far, there's nothing that fits that description; everything being done over v6 can also be done over v4.
--- 李柯睿 Check my PGP key here: https://www.asgaard.org/~cdl/cdl.asc
Re: OK, who's the idiot using tcwireless.us?
Greetings,
I agree with Howard here, I don't think this is a mis-configuration, but a harvest attempt. The mailserver is in different messages, and I can't see how that could get misconfigured in an honest validation server. My guess is that someone is trolling the archives, and sending this back? Why, I have no idea, given they already can see the sending address.
Chris
On 07 Oct 2008, at 13.14, [EMAIL PROTECTED] wrote:
Somebody on the NANOG mailing list has their mail pointing to tcwireless.us, which is throwing challenge/response mail like the following:
Your message From: [EMAIL PROTECTED] To: n3td3v [EMAIL PROTECTED] Subject: Re: Fwd: cnn.com - Homeland Security seeks cyber counterattack system ( Einstein 3.0) Date: 10/6/2008 has been just received by gmail.com mailserver.
To prove that your message was sent by a human and not a computer, please visit the URL below and type in the alphanumeric text you will see in the image. You will be asked to do this only once for this recipient.
http://mail.tcwireless.us/challenge/?folder=2008100614384085099427
Your message will be automatically deleted in a few days if you do not confirm this request.
= DO NOT REPLY TO THIS MESSAGE. NO ONE WILL RECEIVE IT. =
Note it says 'gmail.com mailserver'. Paul Ferguson reported to me that the one he saw said 'received by vt.edu mailserver'. Also note that the From/To has lost nanog@nanog.org - for both my note and Paul's (in fact, looking at Paul's actual posting and mine show nanog@nanog.org as being the only common link, thus the "must be a nanog subscriber" conclusion).
Please, if you're going to use a C/R, at least learn how to whitelist the mailing lists you're on. And if you can't figure out how to do that, please do us all a favor and not try to run an operational network...
--- 李柯睿 Check my PGP key here: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xCB67593B
Re: [Fwd:] Nvidia NICs with duplicate mac addresses
Oh, it's the truth - trust me. There was an Interop show (back when it really was an Interoperability event) that was made quite enjoyable for the network staff by that set of NIC cards
Chris
On 05 Sep 2008, at 07.53, Scott Berkman wrote:
This reminds me of a story I was told a while back that there was a batch of 3com NIC's that all went out with the same MAC from the factory. I never found out if that was a rumor/urban legend or the truth. Anyone know firsthand or have an article about that?
-Scott
-Original Message-
From: Robert E. Seastrom [mailto:[EMAIL PROTECTED]
Sent: Friday, September 05, 2008 10:33 AM
To: nanog@nanog.org
Subject: [Fwd:] Nvidia NICs with duplicate mac addresses
Forwarded to NANOG in the interests of wider awareness... having been there and torn out my already scarce hair, duplicate MAC addresses can really mess up your day...
---
Just when you thought this couldn't happen any more...
Copying from a different email list...
mac address 04:4b:80:80:80:03, was showing up in multiple places across the network. I googled the mac address and discovered that other people are having the same issue with this mac address. Below are some links describing the problem:
http://forums.nvidia.com/index.php?showtopic=22148
http://www.nvnews.net/vbulletin/archive/index.php/t-73469.html
I just wanted everyone to know about this problem in case you run across similar slow connectivity issues. I believe the network card is made by NVIDIA.
--- 李柯睿 Check my PGP key here: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xCB67593B
Re: Hauling gear around a NANOG meeting
Greetings,
I think the 0.02 take-away for this discussion is: If you don't feel safe doing what you are doing, or being where you are, then stop/leave. In almost any big city, it's really not a problem - there are lots of people around and things are usually ok. However, your intuition is usually a pretty good guide. A corollary is, if you are scared, even if the area is safe certain actors will pick up on it. Therefore, the simple act of feeling uncomfortable will probably raise the likelihood of you getting into trouble. Unless you've lived a very sheltered life, your intuition will usually give you warning WAY before you get into trouble.
BTW - there are a lot of big cities that I have no concerns walking alone in at 0300. However, not all cities fit in that bucket. There are also places that you just don't go to even in the middle of the day.
Chris
On 23 May 2008, at 17.53, Steve Gibbard wrote:
I hesitate to weigh in here, but my observation after several years of doing a fair bit of traveling to a wide variety of places is this:
In any big city, anywhere in the world, there will be plenty of people ready with lectures on how this is a big city, and is therefore a dangerous place. You need to be careful. Often, this will be repeated with escalating tones of alarm if it becomes clear that I've been ignoring it. Sometimes the claim will be that their city is especially dangerous, and sometimes the claim will be that it's dangerous just like any other big city. Sometimes it takes on the form of this is a really safe city, but don't go out at night. It doesn't matter.
Some cities really are dangerous, and some seem quite safe, but there's no quantifiable difference between lectures received in places that really are dangerous and places that aren't.
-Steve
On Fri, 23 May 2008, Paul Stewart wrote:
A lot of it is common sense - New York is a GREAT city .. no question and very safe overall.
But common sense will tell you not to take a leisure walk through Harlem at 3AM .. having said that, I've walked through Central Park (65th St.) at various times of the night and never had a problem, but then again that's different too...
Travel in herds and mind your own business - don't travel at 3AM (on foot) and you'll be fine..;) That really goes for any city when you think about it...
Take care, Paul
-Original Message-
From: Alex Rubenstein [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 22, 2008 5:06 PM
To: Rod Beck; David Diaz; Martin Hannigan
Cc: nanog@nanog.org
Subject: RE: Hauling gear around a NANOG meeting
I hate to break the news to the New York bashers, but New York is one of the safest American cities. This is not a controversial statement.
While I generally agree with what Rod is saying, saying NYC is safe is like saying all routers are cisco. There are safe areas, and there are not safe areas. I don't know how the Brooklyn side of the Brooklyn bridge rates, but I don't think I'd be overly concerned. And, since people going to NANOG tend to have a herding instinct, there shouldn't be a problem.
New York has a lower incidence of crime than Miami, Detroit, Seattle, Las Vegas, Houston, Atlanta, DC, Los Angeles, and Philadelphia.
Yes, but in at least most of those locations, my Florida or Utah CCW is valid.
The information transmitted is intended only for the person or entity to which it is addressed and contains confidential and/or privileged material. If you received this in error, please contact the sender immediately and then destroy this transmission, including all attachments, without copying, distributing or disclosing same. Thank you.
--- 李柯睿 Check my PGP key here: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xCB67593B
Re: [NANOG] US DoD receives chunked IPv6 /13 (14x /22 but not totally consecutive)
You certainly don't have to. However, as other folks have indicated here, that is the way that some folks read it. My guess is that this was purely for network topology and administrative reasons.
Chris
On 16 May 2008, at 12.51, Colin Alston wrote:
On 16/05/2008 20:15 Christopher LILJENSTOLPE wrote:
My guess is that they don't want to be tied to only announcing a single /13. Each of those organizations is bigger than a lot of service providers out there...
Since when do you have to announce only the same size prefix as your allocation?
-- Colin Alston ~ http://www.karnaugh.za.net/ To the world you may be one person, to one person you may be the world ~ Rachel Ann Nunes.
___ NANOG mailing list NANOG@nanog.org http://mailman.nanog.org/mailman/listinfo/nanog
--- 李柯睿 Check my PGP key here: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xCB67593B
Re: [NANOG] BCP Muni WiFI?
Greetings,
Interesting comment Paul. However, 16e and evdo are a bit heavy with infrastructure to support mobility. Before giving that answer, you may want to ask Deepak if he NEEDS mobility
Chris
On 16 May 2008, at 10.23, Paul Wall wrote:
On Thu, May 15, 2008 at 4:21 PM, Deepak Jain [EMAIL PROTECTED] wrote:
Are there any good (published) BCPs for building out Municipal WiFi networks? Particularly in the security/authentication/scaling areas?
BCP #58,271,432--which basically states Don't, comes highly recommended. Instead, investigate your nearest .16e or evdo rev. A reseller. In the case of .16e, most available APN's are built around user and transport/transit abstractions, assuming shared-facilities, virtual providers, etc. The equipment used in both is a far cry from anything 802.11.
p.
--- 李柯睿 Check my PGP key here: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xCB67593B
Re: [NANOG] US DoD receives chunked IPv6 /13 (14x /22 but not totally consecutive)
Greetings,
Not to address the political issues here (which are deep, wide, and WAY too much of a black-hole), remember, that the DoD is not a single organization from a networking perspective. There are a number of different organizations within that structure, all of which may, or may not, want to announce separately, maintain their own external links, etc. Those boundaries can be on a service level (USAF vs USN), geographical level (Southern Command vs. Northern Command), etc. My guess is that they don't want to be tied to only announcing a single /13. Each of those organizations is bigger than a lot of service providers out there...
As for why so many addresses - consider a networked ship (where everything has an address), soldier (each soldier having one or more addresses), battlefield sensors, etc. With stateless autoconf, that can add up fairly quickly (depending on network topology).
Lastly, If you honestly think that any entity (government or non-government) would launch an offensive cyber-attack from their own address space... never mind
Chris
On 16 May 2008, at 10.58, Dorn Hetzel wrote:
Perhaps it is an attempt to make their address space so sparsely populated that it's close to impossible to find a host without knowing its address in the first place?
On Fri, May 16, 2008 at 1:09 PM, Jeroen Massar [EMAIL PROTECTED] wrote:
Hi folks,
As everybody is a big fan of securing their networks against foreign attacks, be aware that the US DoD has been assigned 14 /22's, IPv6 that is, not IPv4, they all come from a single IPv6 /13 though, which is what they apparently asked for in the beginning, at least that was the rumor, well they got what they wanted.
I've recorded it into GRH as a single /13 though, as that is what it is, and I am not going to bother whois'ing and entering the 14 separate entries there, as that is useless, especially as they will most likely never appear in the global routing tables anyway.
Depending on your love for the US, you might want to add special rules in your network to be able to easily detect Cyber Attacks and other such things towards that address space, to be able to better serve your country, may that be the US or any other country for that matter.
I am of course wondering why ARIN gave 1 organization 14 separate /22's, even though they are recorded exactly the same, just different prefixes and netnames and it is effectively one huge /13. They could easily have been recorded as that one /13, it is not like eg Canada (no other countries that fall under ARIN now is there) will get a couple of the chunks of remaining space in between there. By assigning them separate /22's, they effectively are stating that it is good to fragment the address space and by having them recorded in whois, also that announcing more specifics from that /13 is just fine.
The other fun question is of course what a single organization has to do with (2^(48-13)=) 34.359.738.368, yes indeed, 34 billion /48's which cover 2.251.799.813.685.248 /64's which is a number that I can't even pronounce. According to Wikipedia the US only has a mere population of 304,080,000, that means that every US citizen can get a 1000+ /48's from their DoD, thus maybe every nuclear warhead and every bullet is getting their own /48 or something to be able to justify for that amount of address space.
At least this gives the opportunity to hardcode that block out of hardware if you want to avoid it being ever used by the publicly known part of the US DoD. I wouldn't mind seeing the request form that can justify this amount of address space though, must be a lot of fun.
Now back to your regular NANOG schedule
Greets, Jeroen (who will hide himself in a nice Swiss nuclear bunker till the flames are all gone ;)
1) http://en.wikipedia.org/wiki/United_States which points to: http://www.census.gov/population/www/popclockus.html
--- 李柯睿 Check my PGP key here: http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0xCB67593B