Re: Better description of what happened

2021-10-06 Thread Curtis Maurand



On 10/5/21 5:51 AM, scott wrote:



On 10/5/21 8:39 PM, Michael Thomas wrote:


This bit posted by Randy might get lost in the other thread, but it 
appears that their DNS withdraws BGP routes for prefixes that they 
can't reach or are flaky it seems. Apparently that goes for the 
prefixes that the name servers are on too. This caused internal 
outages too as it seems they use their front facing DNS just like 
everybody else.


Sounds like they might consider having at least one split horizon 
server internally. Lots of fodder here.




even a POTS line connected to a modem connected to a serial port on a 
workstation in the data center so that you can talk to whatever you need 
to talk to.  I would go so far as to have other outgoing serial 
connections to routers from that workstation. It's ugly, but it provides 
remote out of band disaster management.  Just sayin'







Move fast; break things? :)


scott



Re: Integrated WIFI router and phone adapter

2020-05-18 Thread Curtis Maurand
don't forget to disable SIP-ALG on the units.  That will be a huge 
improvement.


On 5/18/20 12:34 PM, Mark Tinka wrote:


On 18/May/20 16:45, Kevin Burke wrote:

They have an Ethernet version and GPON version.

The GPON version is the same price their Ethernet version + low end GPON ONT.

We stayed away from the GPON version for WiFi reasons.  Want the techs thinking 
about a good RF location.  Don't want them thinking about easy/good fiber 
routing.

To drive POTS lines, I suppose they are fine.

But agree that for home wi-fi, you're better off having a dedicated AP
so that you don't compromise wi-fi quality due to the fibre loop coming
into the back of your office/house, where only dust lives :-).

Mark.





Re: Google peering in LAX

2020-03-04 Thread Curtis Maurand





Your routers, your decision.

But how much traffic are you sending TO Google? Most people get the 
vast majority of traffic FROM Google. They send you videos, you send 
them ACKs. Does it matter where the ACKs go?


Lots of DNS traffic, now.  All of the DNS over HTTPS and all those 
clients pointing to 8.8.8.8.  Google's DNS servers are slow and extra 
latency makes it worse.


--
Best Regards
Curtis Maurand
mailto:cmaur...@xyonet.com


Re: This DNS over HTTP thing

2019-10-03 Thread Curtis Maurand
Might I suggest using PowerDNS's dnsdist.  It's an HA proxy that you can
put in front of your recursors and it implements DNS over HTTPS if you want
it to.  It's open source and ensures that you're not limited to Google's
or Cloudflare's servers which exist to drive advertising at you (I've seen
infected ads pwn machines).  I have much more paranoid reasons for
implementing, namely preventing 3rd parties from getting my histories.

On Wed, Oct 2, 2019 at 5:28 PM Jay R. Ashworth  wrote:

> - Original Message -
> > From: "John Levine" 
>
> > In article <804699748.1254612.1570037049931.javamail.zim...@baylink.com>
> you
> > write:
> >>Tools. Are. Neutral.
> >>
> >>Any solution to a problem that involves outlawing or breaking tools will.
> >>Not. Solve. Your. Problem.
> >
> > I think in the outside world you'll find very little support for an
> argument
> > that filtering DNS is fundamentally broken.
> >
> > Sure, you can do it in broken ways, but it's going to be really hard
> > to persuade anyone that their lives are better if they have unfiltered
> > access to the malware links in their spam.
>
> I expect I would.
>
> But this is not "filtering DNS".  It's "making a bodge-handed attempt to
> REPLACE DNS (well, proxy it) for only one application/layer".
>
> My problem isn't what they're using it for; it's that they've implemented
> it so poorly.
>
> I live down here in the trenches, John, where "it doesn't work" is the
> calibre
> of problem reports I get.  When my tools say that "yes, it does", *I'm*
> the one
> who takes it in the nads because Mozilla had a Better Fuckin' Idea.
>
> That it will likely cause lots of 50,000ft problems to is just a cherry on
> the
> top.
>
> Cheers,
> -- jra
>
> --
> Jay R. Ashworth  Baylink
> j...@baylink.com
> Designer The Things I Think   RFC
> 2100
> Ashworth & Associates   http://www.bcp38.info  2000 Land
> Rover DII
> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647
> 1274
>


-- 
--Curtis


Re: This DNS over HTTP thing

2019-10-03 Thread Curtis Maurand
PowerDNS has an HA proxy/load balancer that does DNS over HTTPS.  That way
you're not limited to Google's and Cloudflare's DNS servers which exist to
drive advertising to you and give a single source for tracking.

dns over https:  feh

On Wed, Oct 2, 2019 at 5:28 PM Jay R. Ashworth  wrote:

> - Original Message -
> > From: "John Levine" 
>
> > In article <804699748.1254612.1570037049931.javamail.zim...@baylink.com>
> you
> > write:
> >>Tools. Are. Neutral.
> >>
> >>Any solution to a problem that involves outlawing or breaking tools will.
> >>Not. Solve. Your. Problem.
> >
> > I think in the outside world you'll find very little support for an
> argument
> > that filtering DNS is fundamentally broken.
> >
> > Sure, you can do it in broken ways, but it's going to be really hard
> > to persuade anyone that their lives are better if they have unfiltered
> > access to the malware links in their spam.
>
> I expect I would.
>
> But this is not "filtering DNS".  It's "making a bodge-handed attempt to
> REPLACE DNS (well, proxy it) for only one application/layer".
>
> My problem isn't what they're using it for; it's that they've implemented
> it so poorly.
>
> I live down here in the trenches, John, where "it doesn't work" is the
> calibre
> of problem reports I get.  When my tools say that "yes, it does", *I'm*
> the one
> who takes it in the nads because Mozilla had a Better Fuckin' Idea.
>
> That it will likely cause lots of 50,000ft problems to is just a cherry on
> the
> top.
>
> Cheers,
> -- jra
>
> --
> Jay R. Ashworth  Baylink
> j...@baylink.com
> Designer The Things I Think   RFC
> 2100
> Ashworth & Associates   http://www.bcp38.info  2000 Land
> Rover DII
> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647
> 1274
>


-- 
--Curtis


Re: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users

2019-09-27 Thread Curtis Maurand
powerdns dnsdist supports dns over https so you don't have to be held 
hostage by cloudflare or google.




On 9/18/19 10:19 AM, Mike Hammett wrote:
Why on Earth would anyone want that (Firefox deciding to do its own 
DNS) as default behavior?




-
Mike Hammett
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 


*From: *"Jeroen Massar" 
*To: *"NANOG" 
*Sent: *Wednesday, September 18, 2019 2:15:49 AM
*Subject: *DNS Recursive Operators: Please enable QNAME minimization 
(RFC7816) for the enhanced privacy of your users


Hi Folks,

While in the US soon all Firefox users will *NOT* use your DNS 
Recursives configured using DHCP anymore

(NXDOMAIN use-application-dns.net to avoid that[1]).
Next to that, it seems some of the root operators are now creating 
instances in the same networks that offer these kind of services for 
globally figuring out what queries are being made.



For those that thus either opt-out or otherwise want to use their own 
system resolvers, I suggest that all that run
DNS Recursive setups enable "QNAME minimization" as defined in 
(experimental) RFC7816 [2]


For pdns "qname-minimization=yes" [6]
For unbound "qname-minimisation: yes" [5]
For BIND "qname-minimization" option [3] and [4]

Of course, do also provide your users with the option of using DoT or 
even DoH on your recursors...


Noting that DoH operators are supposed to enable RFC7816 also [7], 
guess they do not want others to see all the details they get...


Some more details in DNS Privacy Wiki [8]...

Discuss! :)

Greets,
 Jeroen


[1] 
https://support.mozilla.org/en-US/kb/configuring-networks-disable-dns-over-https

[2] https://tools.ietf.org/html/rfc7816
[3] https://www.isc.org/blogs/qname-minimization-and-privacy/
[4] https://gitlab.isc.org/isc-projects/bind9/issues/16
[5] https://netlabs.nl/downloads/presentations/unbound_qnamemin_oarc24.pdf
[6] https://github.com/PowerDNS/pdns/issues/2311
[7] https://wiki.mozilla.org/Security/DOH-resolver-policy
[8] https://dnsprivacy.org/wiki/
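As an added illustration of what QNAME minimisation changes (example code written for this archive page, not from Jeroen's post nor from PowerDNS, Unbound or BIND), the Python below simulates an iterative lookup against a constructed three-zone delegation tree and records which query name each authoritative server receives with the option off and on. The zone names, records and the simplified resolver model are all assumptions made for the example.

```python
"""Added example: not code from the thread, nor from PowerDNS, Unbound or BIND.

Simulates what each authoritative server sees when a recursive resolver looks
up a name with and without RFC 7816 QNAME minimisation. The delegation tree
(root -> example. -> corp.example.) and every record in it are constructed for
this example; the names are fictional.
"""
from typing import Dict, List, Optional, Set, Tuple

Query = Tuple[str, str, str]   # (zone whose server was asked, query name, query type)

# Constructed authoritative data: for each zone, the child zones it delegates
# and the owner names it holds with their record types.
ZONES: Dict[str, Dict] = {
    ".": {"delegations": {"example."}, "records": {}},
    "example.": {
        "delegations": {"corp.example."},
        "records": {"example.": {"NS", "SOA"}, "www.example.": {"A"}},
    },
    "corp.example.": {
        "delegations": set(),
        "records": {
            "corp.example.": {"NS", "SOA"},
            "payroll.corp.example.": {"A"},
            "db.payroll.corp.example.": {"A"},
        },
    },
}


def ancestors(name: str) -> List[str]:
    """'db.payroll.corp.example.' -> ['.', 'example.', 'corp.example.', ...] (root first)."""
    labels = name.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def authoritative_answer(zone: str, qname: str, qtype: str) -> Tuple[str, Optional[str]]:
    """What the server for `zone` answers: DELEGATE (plus child zone), ANSWER, NODATA or NXDOMAIN."""
    z = ZONES[zone]
    for child in z["delegations"]:
        if qname == child or qname.endswith("." + child):
            return "DELEGATE", child
    if qname in z["records"]:
        return ("ANSWER" if qtype in z["records"][qname] else "NODATA"), None
    # Empty non-terminal: nothing at qname itself, but names exist below it.
    below: Set[str] = z["delegations"] | set(z["records"])
    if any(n.endswith("." + qname) for n in below):
        return "NODATA", None
    return "NXDOMAIN", None


def resolve(qname: str, qtype: str = "A", minimise: bool = True) -> Tuple[List[Query], str]:
    """Return the queries an iterative resolver sends, and the final rcode.

    minimise=False is the classic behaviour: the full name and type go to every
    server on the delegation chain. minimise=True follows RFC 7816: each server is
    asked only for NS of the next label, so it never learns the rest of the name.
    """
    chain = ancestors(qname)
    zone, idx = ".", 1          # server currently asked; index of the next label to reveal
    trace: List[Query] = []
    while True:
        if minimise and chain[idx] != qname:
            cand, qt = chain[idx], "NS"
        else:
            cand, qt = qname, qtype
        trace.append((zone, cand, qt))
        rcode, child = authoritative_answer(zone, cand, qt)
        if rcode == "DELEGATE":
            zone, idx = child, chain.index(child) + 1
            if idx == len(chain):          # qname is the child's apex: ask the child directly
                trace.append((zone, qname, qtype))
                return trace, authoritative_answer(zone, qname, qtype)[0]
            continue
        if cand == qname or rcode == "NXDOMAIN":
            return trace, rcode
        # NODATA on an intermediate label (empty non-terminal or a plain host): the
        # label exists in this zone, so keep adding labels at the same server.
        # (RFC 7816 notes some servers wrongly return NXDOMAIN here; real resolvers
        # then fall back to the full query, which this model does not include.)
        idx += 1


def names_seen_by(trace: List[Query], zone: str) -> Set[str]:
    """Every query name the server for `zone` received during one resolution."""
    return {q for z, q, _ in trace if z == zone}


if __name__ == "__main__":
    for flag in (False, True):
        trace, rcode = resolve("db.payroll.corp.example.", "A", minimise=flag)
        print("minimisation", "on " if flag else "off", "->", rcode)
        for zone, q, qt in trace:
            print(f"  ask {zone:15} for {qt:3} {q}")
```

With minimisation off, the root and example. servers both receive the full name; with it on, the root learns only "example." and the example. server only "corp.example.".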





Re: For the Wireless Guys

2017-08-16 Thread Curtis Maurand
The higher the frequency, the more it acts like light.  At that frequency,
it wouldn't take much to block it.  Even 2.4GHz is stopped by a tree.

On Mon, Aug 14, 2017 at 12:54 PM, Dan Hollis 
wrote:

> Good for a few meters at best? Terahertz is blocked by air.
>
> -Dan
>
> On Mon, 14 Aug 2017, Rod Beck wrote:
>
> https://phys.org/news/2017-08-transmission-terahertz-multiplexer.html
>>
>>
>> Roderick Beck
>>
>> Director of Global Sales
>>
>> United Cable Company
>>
>> DRG Undersea Consulting
>>
>> Affiliate Member
>>
>> www.unitedcablecompany.com
>>
>> 85 Király utca, 1077 Budapest
>>
>> rod.b...@unitedcablecompany.com
>>
>> 36-30-859-5144
>>
>>
>>
>>


-- 
--Curtis


Re: Thank you, Comcast.

2016-02-26 Thread Curtis Maurand


I run my own resolver from behind my firewall at my home.  I don't allow 
incoming port 53 traffic.  I realize there's not a lot of privacy on the 
net, but I don't like having my dns queries tracked in order to target 
advertising at me and for annoying failed queries to end up at some 
annoying search page.




On 2/26/2016 9:18 AM, Maxwell Cole wrote:

I agree,

At the very least things like SNMP/NTP should be blocked. I mean how many 
people actually run a legit NTP server out of their home? Dozens? And the 
people who run SNMP devices with the default/common communities aren’t the ones 
using it.

If the argument is that you need a Business class account to run a mail server 
then I have no problem extending that to DNS servers also.

Cheers,
Max


On Feb 26, 2016, at 8:55 AM, Mikael Abrahamsson <swm...@swm.pp.se> wrote:

On Fri, 26 Feb 2016, Nick Hilliard wrote:


Traffic from dns-spoofing attacks generally has src port = 53 and dst port = 
random.  If you block packets with udp src port=53 towards customers, you will 
also block legitimate return traffic if the customers run their own DNS servers 
or use opendns / google dns / etc.

Sure, it's a very interesting discussion what ports should be blocked or not.

http://www.bitag.org/documents/Port-Blocking.pdf

This mentions on page 3.1, TCP(UDP)/25,135,139 and 445. They've been blocked 
for a very long time to fix some issues, even though there is legitimate use 
for these ports.

So if you're blocking these ports, it seems like a small step to block 
UDP/TCP/53 towards customers as well. I can't come up with an argument that 
makes sense to block TCP/25 and then not block port UDP/TCP/53 as well. If 
you're protecting the Internet from your customers' misconfiguration by blocking 
port 25 and the MS ports, why not 53 as well?

This is a slippery slope of course, and judgement calls are not easy to make.

--
Mikael Abrahamsson    email: swm...@swm.pp.se


--
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaur...@xyonet.com
http://www.xyonet.com
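To make the trade-off in Mikael's post concrete, here is an added example (written for this page, not code from the thread, from BITAG or from any vendor) that replays a constructed packet sample through the stateless "block towards customers" rule he describes and through a stateful variant that only admits UDP/53 replies matching a query the customer actually sent. The addresses, ports and packet labels are constructed, and the stateful check is this example's addition, not something the thread proposes.

```python
"""Added example: not code from the thread, from BITAG or from any vendor's filter.

Replays the port-blocking policy discussed in the thread against constructed
packets to show why a stateless 'drop UDP source port 53 towards customers' rule
cannot tell a spoofed DNS reflection packet from the legitimate reply to a
customer's own query, and what a stateful check adds. Addresses come from the
TEST-NET documentation ranges; nothing here touches a network.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

CUSTOMER_PREFIX = "203.0.113."          # constructed: the ISP's customer range (TEST-NET-3)
BITAG_PORTS = {25, 135, 139, 445}       # the ports the quoted BITAG paper lists as commonly blocked


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    label: str       # constructed description, used only to report the verdict


def towards_customer(p: Packet) -> bool:
    return p.dst.startswith(CUSTOMER_PREFIX)


def stateless_verdict(p: Packet, blocked_ports: Set[int], block_dns_src: bool) -> str:
    """The rule set from the thread: drop `blocked_ports` towards customers and,
    optionally, anything from UDP source port 53 towards customers."""
    if not towards_customer(p):
        return "pass"
    if p.dport in blocked_ports:
        return "drop"
    if block_dns_src and p.proto == "udp" and p.sport == 53:
        return "drop"
    return "pass"


def run_stateless(packets: List[Packet], blocked_ports: Set[int], block_dns_src: bool) -> Dict[str, str]:
    return {p.label: stateless_verdict(p, blocked_ports, block_dns_src) for p in packets}


def run_stateful(packets: List[Packet]) -> Dict[str, str]:
    """BITAG ports only, plus: a UDP/53 reply towards a customer is passed only if
    that customer was seen sending the matching query (reversed 4-tuple) first,
    as a firewall state table would. Packets are processed in arrival order."""
    outstanding: Set[Tuple[str, int, str, int]] = set()
    verdicts: Dict[str, str] = {}
    for p in packets:
        if p.proto == "udp" and p.dport == 53 and p.src.startswith(CUSTOMER_PREFIX):
            outstanding.add((p.dst, p.dport, p.src, p.sport))   # reply tuple we now expect
            verdicts[p.label] = "pass"
        elif towards_customer(p) and p.proto == "udp" and p.sport == 53:
            key = (p.src, p.sport, p.dst, p.dport)
            if key in outstanding:
                outstanding.discard(key)
                verdicts[p.label] = "pass"
            else:
                verdicts[p.label] = "drop"      # a reply nobody asked for: reflection/spoof
        else:
            verdicts[p.label] = stateless_verdict(p, BITAG_PORTS, block_dns_src=False)
    return verdicts


# Constructed traffic sample, in arrival order.
SAMPLE: List[Packet] = [
    Packet("udp", "203.0.113.10", 40001, "198.51.100.53", 53, "customer query to resolver"),
    Packet("udp", "198.51.100.53", 53, "203.0.113.10", 40001, "legit reply to that query"),
    Packet("udp", "198.51.100.53", 53, "203.0.113.10", 5060, "reflected reply, no matching query"),
    Packet("tcp", "192.0.2.77", 51234, "203.0.113.10", 25, "inbound SMTP to customer"),
    Packet("udp", "192.0.2.77", 51235, "203.0.113.10", 53, "query to customer-run DNS server"),
]


if __name__ == "__main__":
    runs = (("stateless, 53 and src-53 blocked", run_stateless(SAMPLE, BITAG_PORTS | {53}, True)),
            ("stateful", run_stateful(SAMPLE)))
    for name, result in runs:
        print(name)
        for label, verdict in result.items():
            print(f"  {verdict:4} {label}")
```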


Re: How to force rapid ipv6 adoption

2015-10-02 Thread Curtis Maurand
You make a point, but those IPv6 addresses would not be available to my CPE. 
 I would agree that if your CPE is less than 5 years old, it should support 
IPv6. 

On October 2, 2015 12:30:56 AM ADT, Mark Andrews <ma...@isc.org> wrote:
>
>In message <2bb18527-2f9c-4fee-95dd-3f89919a8...@xyonet.com>, Curtis
>Maurand writes:
>> If Time Warner (my ISP) put up IPv6 tomorrow, my firewall would no
>> longer work.  I could put up a pfSense or Vyatta box pretty quickly, but my
>> off the shelf Cisco/Linksys home router has no ipv6 support hence the need to
>> replace the hardware.  There's no firmware update for it supporting ipv6
>> either.  There would be millions of people in the same boat.
>
>Total garbage that *everyone* here should recognise as total garbage.
>If Time Warner turned on IPv6 your firewall would just continue to
>work as it always has.  TURNING ON IPv6 DOES NOT TURN OFF IPV4.
>
>As for millions of people needing to upgrade their CPE equipment
>you really should be asking yourself if you should be rewarding
>those vendors for selling you IPv4 only equipment in the first
>place.  If Microsoft, along with lots of other vendors could deliver
>IPv6 capable equipment in 2001, your and every other CPE vendor
>could have done so.  Instead they sold you out of date garbage that
>you happily accepted.
>
>Mark
>
>> Cheers, 
>> Curtis
>> 
>> On October 1, 2015 5:44:46 PM ADT, Owen DeLong <o...@delong.com>
>wrote:
>> >
>> >> On Oct 1, 2015, at 12:06 , Curtis Maurand <cmaur...@xyonet.com>
>> >wrote:
>> >> 
>> >> 
>> >> 
>> >> On 10/1/2015 2:29 PM, Owen DeLong wrote:
>> >>>> On Oct 1, 2015, at 00:39 , Baldur Norddahl
>> ><baldur.nordd...@gmail.com> wrote:
>> >>>> 
>> >>>> On 1 October 2015 at 03:26, Mark Andrews <ma...@isc.org> wrote:
>> >>>> 
>> >>>>> Windows XP does IPv6 fine so long as there is an IPv4 recursive
>> >>>>> server available.  It's just a simple command to install IPv6.
>> >>>>> 
>> >>>>>netsh interface ipv6 install
>> >>>>> 
>> >>>> If the customer knew how to do that he wouldn't still be using
>> >Windows XP.
>> >>>> 
>> >>>> 
>> >>>>> Actually I don't expect Gmail and Facebook to be IPv4 only
>> >forever.
>> >>>>> 
>> >>>> Gmail and Facebook are already dual stack enabled. But I do not
>see
>> >>>> Facebook turning off IPv4 for a very long time. Therefore a
>> >customer that
>> >>>> only uses the Internet for a few basic things will be able to
>get
>> >along
>> >>>> with being IPv4-only for a very long time.
>> >>>> 
>> >>> Yes and no…
>> >>> 
>> >>> I think you are right about facebook.
>> >>> 
>> >>> However, I think eventually the residential ISPs are going to
>start
>> >charging extra
>> >>> for IPv4 service. Some residences may pay for it initially, but
>if
>> >they think there’s a
>> >>> way to move away from it and the ISPs start fingerpointing to the
>> >specific laggards,
>> >>> you’ll see a groundswell of consumers pushing to find
>alternatives.
>> >>> 
>> >>> Owen
>> >>> 
>> >> ipv6 is going to force a lot of consumers to replace hardware.
>Worse,
>> >it's not easy to set up and get right as ipv4 is.
>> >> 
>> >> --Curtis
>> >
>> >You’re going to have to elaborate on that one…. I think IPv6 is
>> >actually quite a bit easier than IPv4, so please explicate
>> >in what ways it is harder to set up and get right?
>> >
>> >For the average household, it’s plug the IPv6-capable router in
>and let
>> >it go.
>> >
>> >For more advanced environments, it might take nearly as much effort
>as
>> >IPv4 and the unfamiliarity might add a couple
>> >of additional challenges the first time, but once you get past that,
>> >IPv6 has a lot of features that actually make it
>> >easier than IPv4.
>> >
>> >Not having to deal with NAT being just one of the big ones.
>> >
>> >Owen
>> 
>> -- 
>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>-- 
>Mark Andrews, ISC
>1 Seymour St., Dundas Valley, NSW 2117, Australia
>PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: How to force rapid ipv6 adoption

2015-10-01 Thread Curtis Maurand



On 10/1/2015 2:29 PM, Owen DeLong wrote:

On Oct 1, 2015, at 00:39 , Baldur Norddahl  wrote:

On 1 October 2015 at 03:26, Mark Andrews  wrote:


Windows XP does IPv6 fine so long as there is an IPv4 recursive
server available.  It's just a simple command to install IPv6.

netsh interface ipv6 install


If the customer knew how to do that he wouldn't still be using Windows XP.



Actually I don't expect Gmail and Facebook to be IPv4 only forever.


Gmail and Facebook are already dual stack enabled. But I do not see
Facebook turning off IPv4 for a very long time. Therefore a customer that
only uses the Internet for a few basic things will be able to get along
with being IPv4-only for a very long time.


Yes and no…

I think you are right about facebook.

However, I think eventually the residential ISPs are going to start charging 
extra
for IPv4 service. Some residences may pay for it initially, but if they think 
there’s a
way to move away from it and the ISPs start fingerpointing to the specific 
laggards,
you’ll see a groundswell of consumers pushing to find alternatives.

Owen

ipv6 is going to force a lot of consumers to replace hardware. Worse, 
it's not as easy to set up and get right as ipv4 is.


--Curtis


Re: How to force rapid ipv6 adoption

2015-10-01 Thread Curtis Maurand
If Time Warner (my ISP) put up IPv6 tomorrow, my firewall would no longer 
work.  I could put up a pfSense or Vyatta box pretty quickly, but my off the 
shelf Cisco/Linksys home router has no ipv6 support hence the need to replace 
the hardware.  There's no firmware update for it supporting ipv6 either.  There 
would be millions of people in the same boat.

Cheers, 
Curtis

On October 1, 2015 5:44:46 PM ADT, Owen DeLong <o...@delong.com> wrote:
>
>> On Oct 1, 2015, at 12:06 , Curtis Maurand <cmaur...@xyonet.com>
>wrote:
>> 
>> 
>> 
>> On 10/1/2015 2:29 PM, Owen DeLong wrote:
>>>> On Oct 1, 2015, at 00:39 , Baldur Norddahl
><baldur.nordd...@gmail.com> wrote:
>>>> 
>>>> On 1 October 2015 at 03:26, Mark Andrews <ma...@isc.org> wrote:
>>>> 
>>>>> Windows XP does IPv6 fine so long as there is an IPv4 recursive
>>>>> server available.  It's just a simple command to install IPv6.
>>>>> 
>>>>>netsh interface ipv6 install
>>>>> 
>>>> If the customer knew how to do that he wouldn't still be using
>Windows XP.
>>>> 
>>>> 
>>>>> Actually I don't expect Gmail and Facebook to be IPv4 only
>forever.
>>>>> 
>>>> Gmail and Facebook are already dual stack enabled. But I do not see
>>>> Facebook turning off IPv4 for a very long time. Therefore a
>customer that
>>>> only uses the Internet for a few basic things will be able to get
>along
>>>> with being IPv4-only for a very long time.
>>>> 
>>> Yes and no…
>>> 
>>> I think you are right about facebook.
>>> 
>>> However, I think eventually the residential ISPs are going to start
>charging extra
>>> for IPv4 service. Some residences may pay for it initially, but if
>they think there’s a
>>> way to move away from it and the ISPs start fingerpointing to the
>specific laggards,
>>> you’ll see a groundswell of consumers pushing to find alternatives.
>>> 
>>> Owen
>>> 
>> ipv6 is going to force a lot of consumers to replace hardware. Worse,
>it's not as easy to set up and get right as ipv4 is.
>> 
>> --Curtis
>
>You’re going to have to elaborate on that one…. I think IPv6 is
>actually quite a bit easier than IPv4, so please explicate
>in what ways it is harder to set up and get right?
>
>For the average household, it’s plug the IPv6-capable router in and let
>it go.
>
>For more advanced environments, it might take nearly as much effort as
>IPv4 and the unfamiliarity might add a couple
>of additional challenges the first time, but once you get past that,
>IPv6 has a lot of features that actually make it
>easier than IPv4.
>
>Not having to deal with NAT being just one of the big ones.
>
>Owen

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: DOCSIS CMTS Systems

2015-07-29 Thread Curtis Maurand

Seriously nice solutions...both of them.

--Curtis

On 7/29/2015 10:49 AM, frnk...@iname.com wrote:

Colton,

While we have never tried it ourselves, an option we've looked at in similar 
situations are these:
http://www.ready-links.com/ipc1840c.html
http://www.bectechnologies.net/main/EoCoax2310.shtml (up to 31 endpoints)

Frank

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Colton Conor
Sent: Wednesday, July 29, 2015 8:27 AM
To: NANOG nanog@nanog.org; Scott Helms khe...@zcorum.com
Subject: DOCSIS CMTS Systems

We are servicing more MDU customers that have older buildings. There is no
CAT5E installed, so extremely old phone cable or coaxial TV cable seems to
be our only inside wire options. There is no easy and inexpensive way to
run new cable, so we must deal with what is available.

We are very familiar with the VDSL2 offerings to be able to use the phone
cable, but know nothing about CMTS solutions available. DOCSIS 3.0 capable
modems seem to be much more inexpensive than VDSL2 capable modems.

We are looking for recommendations on small CMTS systems for MDU's. I would
expect we would want at least DOCSIS 3.0 capabilities, and I assume DOCSIS
3.1 is too new and expensive to deploy on a small scale (think 50 to 200
units per property). We would need the full solution to manage and maintain
such an offering.

I was thinking something like this might be a good fit:
http://www.picodigital.com/product-details.php?ID=miniCMTS200a which is
available new for $4500 online.

For those of you deploying CMTS systems what do you use and recommend?

I am not sure if there is a cable equivalent list to NANOG, but if so
please let me know.




--
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaur...@xyonet.com
http://www.xyonet.com



Re: Windows 10 Release

2015-07-28 Thread Curtis Maurand
Microsoft tells me 3.2 GB for win 10 pro 64 bit.

On July 28, 2015 6:04:04 PM EDT, Niels Bakker niels=na...@bakker.net wrote:
* n...@flhsi.com (Nick Olsen) [Tue 28 Jul 2015, 22:46 CEST]:
Being a 3-4GB download. Each device is moving more data than any Apple

update ever did.

I'm not so sure of that.  The 10.9 install image clocked in at 4.9 GB, 
and the Mac App Store for 10.10 Yosemite says Size: 5.67 GB; 
http://www.microsoft.com/en-us/windows/features says 3GB download 
required in the small print at the bottom.


   -- Niels.

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

2015-07-21 Thread Curtis Maurand



On 7/21/2015 8:43 AM, Jared Mauch wrote:

On Tue, Jul 21, 2015 at 08:09:56AM -0400, Curtis Maurand wrote:

DNS is still largely UDP.

Water is also still wet :) - but you may not be doing 10% of your
links as UDP/53.

DNS can also use TCP as well, including sending more than one
query in a pipelined fashion.

The challenge that Cameron is trying to document here
is when seeing large volumes of UDP it becomes necessary to do
something to keep the network up.  This response is frustrating for those
of us who prefer to have a unfiltered e2e network but maintaining
the network as up in the face of these adverse conditions is important.

- Jared

Point well taken.

-Curtis

--Curtis

On 7/20/2015 5:40 PM, Ca By wrote:

Folks, it may be time to  take the next step and admit that UDP is too
broken to support

https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00

Your comments have been requested



On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver drew.wea...@thenap.com wrote:


Has anyone else seen a massive amount of illegitimate UDP 1720 traffic
coming from China being sent towards IP addresses which provide VoIP
services?

I'm talking in the 20-30Gbps range?

The first incident was yesterday at around 13:00 EST, the second incident
was today at 09:00 EST.

I'm assuming this is just another DDoS like all others, but I would be
interested to hear if I am not the only one seeing this.

On list or off-list is fine.

Thanks,
-Drew



--
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaur...@xyonet.com
http://www.xyonet.com




Re: another tilt at the Verizon FIOS IPv6 windmill

2015-07-21 Thread Curtis Maurand



On 7/21/2015 4:05 PM, Ricky Beam wrote:
On Tue, 21 Jul 2015 08:13:48 -0400, Curtis Maurand 
cmaur...@xyonet.com wrote:
At least in Maine where I am, TWC does allow you to bring your own 
modem as long as it's DOCSIS 3 compliant and there's lots of those 
from motorola, netgear and others.  You're not stuck with the Ubee.


You are ignoring the BUSINESS CLASS part of the equation. TWC-BC 
provides the modem for you; you have little (arris) or no (ubee) 
access to it.

Touche.  Arris here in Maine.

--C

--
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaur...@xyonet.com
http://www.xyonet.com



Re: SIP trunking providers

2015-07-21 Thread Curtis Maurand
That may be true of metro areas, but in rural USA there's plenty of TDM 
to go around.  Telcos are still delivering broadband on ADSL and phone 
on TDM.  Worse, those trunked circuits are TDM over HDSL. In many rural 
areas, there's not even ADSL or cable, and that's within 40 miles of a 
small city.


--Curtis

On 7/20/2015 5:33 PM, Owen DeLong wrote:

The TDM network is rapidly being eliminated. The major telcos have been moving 
their backbones to VOIP and higher levels of oversubscription as a result for 
years now because of the very large cost savings that can be achieved.

International TDM may still be pretty common, but domestic TDM is rapidly 
becoming as popular as a Strowger.

Owen


On Jul 20, 2015, at 06:49 , Naslund, Steve snasl...@medline.com wrote:

End to end delay is not the most limiting factor.  Jitter is the issue and 
packet drops are the other issue that matters (more importantly the 
distribution of drops).  I think the best reason to select the local provider 
over the distant one is that the sooner he gets off the IP network the less 
impairments he will run into.  The TDM network as antiquated as it is, is less 
susceptible to congestion and call impairments than an IP backbone network is.  
I can tell you from running a bunch of International VOIP networks that they 
are just not as reliable as TDM.  The average internet connection just does not 
meet the reliability standards that the TDM voice network has achieved.  IP 
networks are affected by congestion and routing issues whereas the TDM network 
seldom has these type of problems.  An outage on a TDM circuit rarely affects 
other TDM circuits so they see a lot less higher level outages.  I can 
understand why he does not want to haul his voice cross country over IP when he 
is exiting locally most of the time.

Yes, I understand that the carrier might very well be hauling that traffic via 
IP even after he gets to his gateway point but at that point it becomes their 
problem to deal with.

Steven Naslund
Chicago IL



If you’re going to the PSTN, who gives a shit where you do the interconnect as 
long as its within 100ms.

If most of your calls are VOIP-VOIP within Chicago, then it makes some sense to 
set up a box and just send the external calls out to the trunking provider where you 
no longer really care where they are.

Absent significant network  suckage, there’s no place in the contiguous US that 
isn’t within 100 ms of any other place in the contiguous US these days.

Owen


--
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaur...@xyonet.com
http://www.xyonet.com




Re: 20-30Gbps UDP 1720 traffic appearing to originate from CN in last 24 hours

2015-07-21 Thread Curtis Maurand


DNS is still largely UDP.

--Curtis

On 7/20/2015 5:40 PM, Ca By wrote:

Folks, it may be time to  take the next step and admit that UDP is too
broken to support

https://tools.ietf.org/html/draft-byrne-opsec-udp-advisory-00

Your comments have been requested



On Mon, Jul 20, 2015 at 8:57 AM, Drew Weaver drew.wea...@thenap.com wrote:


Has anyone else seen a massive amount of illegitimate UDP 1720 traffic
coming from China being sent towards IP addresses which provide VoIP
services?

I'm talking in the 20-30Gbps range?

The first incident was yesterday at around 13:00 EST, the second incident
was today at 09:00 EST.

I'm assuming this is just another DDoS like all others, but I would be
interested to hear if I am not the only one seeing this.

On list or off-list is fine.

Thanks,
-Drew




--
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaur...@xyonet.com
http://www.xyonet.com



Re: another tilt at the Verizon FIOS IPv6 windmill

2015-07-21 Thread Curtis Maurand



On 7/20/2015 5:59 PM, Ricky Beam wrote:

On Sat, 18 Jul 2015 06:45:43 -0400, Seth Mos seth@dds.nl wrote:
For now, all the customers with the Ubee in bridge mode are SOL. It's 
not clear what the reason is, but Ubee in bridge mode with IPv6 is 
listed on the road map. If that's intentional policy or that the 
firmware isn't ready yet is not clear at this point.


Even in bridge mode, its router is still active (and consuming an 
address -- which TWC eventually fixed by upping the number of 
allowed devices by one.) In TWC-BC land, the customer has no access to 
the CPE, so we cannot see anything beyond the login screen.


(user -- non-priv account -- can be accessed on some of them, which 
is how I know the router is still active, but I cannot do anything 
about it.)


The Arris DG1670A is passing IPv6 through properly. (I'm told it is 
known broken, but it's the *one* out of three that works.) The Arris 
CM820A -- used for their hotspot -- doesn't appear to work correctly; 
my (win7) laptop got a DHCP ::/128 but then couldn't get anywhere. 
(IPv4 worked fine)


[For the record, TWC-BC hands out a /56 no matter what you ask for.]


At least in Maine where I am, TWC does allow you to bring your own modem 
as long as it's DOCSIS 3 compliant and there's lots of those from 
motorola, netgear and others.  You're not stuck with the Ubee.


--
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaur...@xyonet.com
http://www.xyonet.com



Re: ARIN IPV4 Countdown

2015-07-14 Thread Curtis Maurand


Since IPv6 does not have NAT, it's going to be difficult for the layman 
to understand their firewall.  Deployment of ipv4 is pretty simple.  
ipv6, on the other hand, is pretty difficult at the network level.  Yes, 
all the clients get everything automatically except for the router/firewall.


-C

On 7/14/2015 7:57 PM, James Downs wrote:

On Jul 14, 2015, at 16:09, Curtis Maurand cmaur...@xyonet.com wrote:

I think IPv6 adoption is going to be very slow.  It's very difficult for the 
layman to understand and that contributes to the slow rate of uptake.

Who is the layman in this story? Almost every system I work with at home and in 
the datacenter has IPv6 turned on by default. If someone wandered through those 
networks, and started turning on IPv6 infrastructure so that they started 
getting IPv6 addresses, my bet is that most of the java-based applications 
would already be bound to the stacks in such a way that they would just start 
sending traffic over IPv6. I base this on the fact that any number of 
developers have been confused by “::” being somewhere in their world now. Those 
people don’t care about the network, or IPv4 vs IPv6. It would just work.

Now, if layman == Network Operators, and Networking people at Corporations, 
well, there you might be right.

Cheers,
-j


--
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaur...@xyonet.com
http://www.xyonet.com



Re: ARIN IPV4 Countdown

2015-07-14 Thread Curtis Maurand



I think IPv6 adoption is going to be very slow.  It's very difficult for 
the layman to understand and that contributes to the slow rate of uptake.


--Curtis

On 7/14/2015 7:05 PM, Randy Bush wrote:

I am not ... It is long past time to move on, so getting rid of the
distraction might help with those still holding out hope.

i think that is unfair to the ipv6 fanboys (and girls).  ipv6 use is
increasing slowly.  i bet it hits 10% by the time we retire.

randy


--
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaur...@xyonet.com
http://www.xyonet.com



Infected hosts

2015-04-03 Thread Curtis Maurand
The number of infected hosts out there is just astounding.  I have bots 
attacking a server from all over the world.  Lots of them from a network 
known as micfo.  I could write abuse complaints from here until doomsday 
and I'd never be done.


--Curtis

--
Best Regards
Curtis Maurand
Principal
Xyonet Web Hosting
mailto:cmaur...@xyonet.com
http://www.xyonet.com
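
The aggregation step behind the abuse-report workflow Curtis is describing, as an added example that is not part of the original thread: failed-password lines are parsed from sshd-style log text, counted per source address and then rolled up per /24 so that one report covers a whole attacking network rather than one complaint per bot. The log lines are constructed for illustration and use documentation address ranges; the threshold and prefix length are assumptions.

```python
"""Roll up brute-force sources from sshd log lines for abuse reporting.

Added example, not code from the thread. SAMPLE_LOG is constructed;
the addresses come from the documentation ranges (RFC 5737).
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

SAMPLE_LOG = """\
Apr  3 02:11:07 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 40122 ssh2
Apr  3 02:11:09 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 40131 ssh2
Apr  3 02:11:12 web1 sshd[2213]: Failed password for invalid user admin from 203.0.113.9 port 51044 ssh2
Apr  3 02:11:15 web1 sshd[2215]: Failed password for invalid user oracle from 203.0.113.9 port 51050 ssh2
Apr  3 02:11:20 web1 sshd[2217]: Failed password for root from 198.51.100.23 port 33891 ssh2
Apr  3 02:11:44 web1 sshd[2220]: Accepted publickey for curtis from 192.0.2.10 port 50222 ssh2
Apr  3 02:12:01 web1 sshd[2222]: Failed password for root from 203.0.113.7 port 40140 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (OpenSSH wording).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failures(log_text):
    """Return a list of (source_ip, username) for every failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("user")))
    return out


def count_by_source(failures):
    """Failures per individual source address."""
    return Counter(ip for ip, _ in failures)


def count_by_prefix(failures, prefixlen=24):
    """Failures per enclosing network (/24 for IPv4, /48 for IPv6)."""
    counts = Counter()
    for ip, _ in failures:
        addr = ip_address(ip)
        plen = prefixlen if addr.version == 4 else 48
        net = ip_network(f"{addr}/{plen}", strict=False)
        counts[str(net)] += 1
    return counts


def report_candidates(failures, threshold=3, prefixlen=24):
    """Networks whose aggregate failures reach the threshold, most active first.

    Each entry is (network, failure_count, sorted member addresses); one abuse
    report per network is usually enough, with the member list as evidence.
    """
    by_prefix = count_by_prefix(failures, prefixlen)
    by_ip = count_by_source(failures)
    result = []
    for net, n in by_prefix.most_common():
        if n >= threshold:
            members = sorted(ip for ip in by_ip if ip_address(ip) in ip_network(net))
            result.append((net, n, members))
    return result


if __name__ == "__main__":
    for net, n, members in report_candidates(parse_failures(SAMPLE_LOG)):
        print(f"{net}: {n} failed logins from {', '.join(members)}")
```

The abuse contact for each candidate network still has to come from the RIR whois record for that prefix; the point of the rollup is that the number of contacts to look up shrinks from one per bot to one per network.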



Re: Verizon FiOS - is BGP an option?

2012-03-14 Thread Curtis Maurand

On 3/14/2012 9:00 PM, Robert E. Seastrom wrote:

Christopher Morrow <morrowc.li...@gmail.com> writes:


On Wed, Mar 14, 2012 at 8:14 PM, Robert E. Seastrom <r...@seastrom.com> wrote:

Faisal Imtiaz <fai...@snappydsl.net> writes:


I am not familiar with VZ's FIOS network...
however I suspect that if they are using a Redback at the Headend, it
would allow you to have a 'bridge' network with secure arp
settings. (it's a feature that we have seen on Redback's...)

AFAIK Verizon does not use Redback/Ericsson stuff for FIOS and never has.

A cursory survey of two (older, BPON, Tellabs) builds found ethernet
OUI 00:90:1a, i.e. Juniper ERX.

yes, all edge boxes for FIOS are ERX... better support for CALEA there
was one of the major drivers.

So it was _one_ of the drivers, but was it a more major driver than
for the love of God, not Redback!?  :)

The last I knew, Verizon was an Alcatel house for switching and Alcatel 
managed to get TCP/IP into their switching gear.  So I'm left to wonder.


--C



Re: Firewall Appliance Suggestions

2011-07-04 Thread Curtis Maurand

On 6/30/2011 12:20 PM, Suresh Rajagopalan wrote:

Linux + iptables + fwbuilder



On Thu, Jun 30, 2011 at 8:50 AM, Blake T. Pfankuch <bl...@pfankuch.me> wrote:

Howdy,
I am looking for something a little unique in a bit of a tough situation with some 
sticky requirements.  First off, my requirements are a little weird and I can't bend them a whole 
lot due to stipulations being put on me.  I am in need of a firewall appliance which can be run on 
VMware vSphere, with IPSEC support for multiple Phase 2 negotiations within a single Phase 1.  I am 
also in need of something that can support VLAN interfaces on the LAN side, and ideally something 
with multi zoning so I can keep LAN side networks separate from each other without ridiculous firewall 
rules.  Meaning build a zone for Customer network 1 and it displays separately (ease of 
management and firewall config hopefully).  I need a minimum of 10 zones on LAN side 
(/29 or /30), and NAT support for LAN to WAN (to dedicate all outbound connections to a single IP 
from a specific zone), ideally something extremely scalable (100-200 zones).  And here is the super 
fun part!  I need something that is going to be web managed primarily as minions will be doing most 
of the day to day maintenance, or very simple CLI config.  Willing to pay for something if need be, 
but looking for something that can easily handle 50-100mbit of throughput.

Any Ideas?

Thanks!

Blake Pfankuch


Vyatta.  They have an appliance on their website.

--Curtis




Re: Barracuda Networks is at it again: Any Suggestions as to an Alternative?

2011-04-10 Thread Curtis Maurand


A barracuda appliance uses postfix, amavisd-new, spamassassin with 
fuzzyOCR and clamav.  I've built a couple of these boxes for customers.  
I use their dnsbl as well as spamhaus.  It works pretty well, not much 
gets through.


--Curtis

On 4/10/2011 8:24 PM, William Warren wrote:

On 4/9/2011 12:46 PM, Marc Runkel wrote:
Ok, shameless plug here, but I invite you to check out our product @ 
www.untangle.com.  Base product (including 
anti-spam) is free.   If you want support/web filtering/ or better 
spam rules they are available as premium add-ons.


Marc Runkel
Untangle, Inc.
Director, Technical Operations

(650) 425- direct
(650) 345-3788 fax

On Apr 8, 2011, at 8:51 PM, John Palmer (NANOG Acct) wrote:

OK, its been a year since my Barracuda subscription expired. The unit 
still stops some spam. I figured that I would go and see what
they would do if I tried to renew my subscription EXACTLY one year 
after it expired. Would their renewal website say Oh, you are at

your anniversary date, and renew me for a year?

No such luck: They want me to PAY FOR AN ENTIRE YEAR for which I did 
NOT receive service and then for the current (upcoming year).
Sorry - I don't allow myself to be ripped off like that. Sorry 
Barracuda - you get no money from me and I'll tell everyone I know

about this policy of yours.

I posted an article about this unscrupulous practice on my blog last 
year at http://www.john-palmer.net/wordpress/?p=46


My question is - does anyone have any suggestions for another e-mail 
appliance like the Barracuda Spam Firewall that doesn't try to
charge their customers for time not used. I should be able to shut 
off the unit for a year or whatever and simply renew from the
point that I re-activate the unit instead of having to pay for 
back-years that I didn't use.


Thanks






Untangle's free version...isn't worth the bandwidth.  The paid version 
is OK, but it's a resource hog.







Re: WebServer and Firewall Help

2011-02-08 Thread Curtis Maurand

On 2/8/2011 3:00 PM, Joshua Klubi wrote:



I want to know what measures I can take on the server to get it protected, and which
MySQL protection I should implement, since I can see that it might be a PHP or MySQL
injection that is being used.

Currently I run these security measures on it.
Ubuntu UFW
Fail2ban
PHP model security
Apache security

Joshua

The problem may not be your operating system but the web application running on it.  
What web application(s) are on that box?



I agree, you've got other problems.  I would look at defending against 
sql injection attacks and I would look to making sure that all the 
passwords get changed.







Re: Last of ipv4 /8's allocated

2011-02-08 Thread Curtis Maurand




Touché!  That could theoretically happen. I think Apple should buy HPQDEC just 
so they can announce 16/7 :-)

None of the RIR blocks are going to be routed that way on purpose, though :-)

-Randy


I agree.  Many of those corporations would have a hard time justifying 
an entire /8, even IBM.  They just don't run large public networks any 
longer.  Much of what they do is done on private nets.  I would make all 
of the corporate legacy networks justify their /8's.  I'll almost bet 
none of them can justify them any longer.  I worked for a large medical 
company (30,000 seats) and we didn't use an entire /24.


--Curtis





Re: Last of ipv4 /8's allocated

2011-02-08 Thread Curtis Maurand

On 2/8/2011 7:58 PM, Owen DeLong wrote:


It doesn't have to be a public network to need globally unique addresses.

There is NO policy requirement to use NAT or RFC-1918 for private networks. 
Just a suggestion that folks be considerate of the community where they can.

I'll bet most of them would have no problem under current policy. They only 
need to show need for ~8,000,000 hosts, including subnet overhead.

If you wanted to, your medical company could have easily justified at least a 
/17 and probably a  /16 under current policy.

There's really nothing to be gained from attempting to go after what might be 
reclaimed from the legacy block holders. EIther
they will return their addresses or contribute them to the market or they 
won't. Attempts at forced reclamation will only make
that situation worse and are unlikely to result in any actual reclamation of 
addresses before the conclusion of protracted
and ugly law suits that would be very expensive. Such lawsuits are unlikely to 
reach conclusion before the need for
massive quantities of IPv4 address space is in the past.

Owen


Point taken.

--C



Re: 5.7/5.8 GHz 802.11n dual polarity MIMO through office building glass, 1.5 km distance

2010-12-29 Thread Curtis Maurand

On 12/29/2010 8:19 AM, Robert E. Seastrom wrote:

The third consideration is someone notices and cares.
The Nanostation Loco (again from Ubiquiti) is easily capable of the
distances that you're talking about and is an all-in-out unit (antenna
plus radio, fed with POE) about twice the size of a pack of cigarettes
(does anyone use that as a point of reference anymore or have enough
of us quit smoking that it's irrelevant?).

Deck of cards, maybe?


--Curtis



Re: Windows Encryption Software

2010-12-10 Thread Curtis Maurand

On 12/10/2010 8:21 AM, Florian Weimer wrote:

I believe EFS is available in Windows XP and Windows 2003 Server, too.

Software-based solutions have the advantage that they are somewhat
more testable and reviewable.  If it's all in the disk, you can't
really be sure that the data is encrypted with a static key, and the
passphrase is used for access control only.  The latter approach seems
to be somewhat common with encrypting storage devices, unfortunately.

After some research, I find that recovery of EFS (available for Win 
2000/2003/XP/Vista/7) encrypted files in the case of disaster can be 
problematic.  It has to do with keys, file ownerships, etc., etc., etc.  
Plan for disaster and know how to recover before you encrypt with EFS.


--Curtis




Re: Windows Encryption Software

2010-12-10 Thread Curtis Maurand

On 12/10/2010 9:33 AM, Michael Holstein wrote:

After some research, I find that recovery of EFS (available for Win
2000/2003/XP/Vista/7) encrypted files in the case of disaster can be
problematic.  It has to do with keys, file ownerships, etc., etc.,
etc.  Plan for disaster and know how to recover before you encrypt
with EFS.

This is an interesting point .. it depends on what the disaster is
that you plan for.

In many cases, the disaster is the seizure or loss of the device, it
which case it's appropriate NOT to have any method of key recovery. In a
corporate context, it's debatable if key escrow and multikey methods
mitigate the risk or compound it.
Good point, but I'm thinking in terms of failure of the machine that 
physically houses the files.  You and I both know that you're not going 
to be able to replace server hardware with identical hardware and even 
if you do, the Windows SID will change.  Restoring the system state is 
going to be a useless exercise.  Therefore you will need the keys to 
decrypt/re-encrypt the files on a new device after you restore from 
backup.  If the disk is lost or stolen, then hell no, I don't want the 
thief to be able to restore the data.


All of this is moot if you're running in a virtual environment and you 
have good snapshots/backups of your VM.


--Curtis



Re: Over a decade of DDOS--any progress yet?

2010-12-09 Thread Curtis Maurand

On 12/8/2010 3:04 PM, Seth Mattinen wrote:

On 12/8/2010 08:06, Jack Bates wrote:

I call BS. Windows has it's problems, but it is the most common
exploited as it holds the largest market share. Many Windows infections
I've seen occur not due to the OS, but due to lack of patching of
applications on the OS. The system does as much as it can.

And end users clicking/running every shiny thing they come across,
consequences be damned.

ActiveX is the problem.  It's got about as much security as a piece of 
Swiss cheese.





Re: wikileaks dns (was Re: Blocking International DNS)

2010-12-03 Thread Curtis Maurand


The patriot act did away with due process.

On 12/3/2010 3:10 PM, Randy Fischer wrote:

On Fri, Dec 3, 2010 at 12:38 PM, George Bonser <gbon...@seven.com> wrote:

As for a member of Congress pressuring Amazon, what else would one expect?  If a site has content that the 
USG might see as damaging, and if a US company is facilitating the distribution of that content, 
sure, I would expect members of that government to apply pressure but I have no idea what that 
pressure might have consisted of.

It may be naive, but I expect due process from the USG.

Just sayin'

-Randy Fischer






Re: Blocking International DNS

2010-11-22 Thread Curtis Maurand

On 11/22/2010 10:25 AM, Joe Abley wrote:


You don't think

(i) a service provider, as that term is defined in section 512(k)(1) of title 17, 
United States Code, or other operator of a domain name system server shall take 
reasonable steps that will prevent a domain name from resolving to that domain name’s 
Internet protocol address;

could be taken as a requirement for providers to intercept attempts to use 
off-network DNS resolvers and manage such requests to meet the end goal above?

Given that many providers already do this (for whatever reason), it's not much of a 
stretch to see someone declaring that such behaviour falls under the umbrella of 
reasonable steps.

I'm not suggesting that I think any of this is reasonable or sensible, but it 
does seem to imply an operational burden on service providers.



And where would the list that we need to block be gotten from?

--Curtis




Re: Token ring? topic hijack: was Re: Mystery open source switching

2010-11-04 Thread Curtis Maurand


Much of Maine is not covered by broadband and companies are still using 
dialup routers.  Much of the US (70%) is not covered by broadband and 
the only internet connection is dialup.


--Curtis

On 11/3/2010 11:13 AM, Gary Baribault wrote:

And you live in a cabin in the woods, pedal a generator to get the
router up and the router is connected to a 56K Dial-up modem?
;-)


Gary B

Carlos Martinez-Cagnazzo <carlosm3...@gmail.com> wrote:


Hats off!! You should post some pictures!

As in ASCII art pictures?  Because my life revolves around ASCII text
and I abhor anything that isn't ASCII text, I do not own a camera of any
kind, never have and likely never will.

MS







Re: Token ring? topic hijack: was Re: Mystery open source switching

2010-11-04 Thread Curtis Maurand

On 11/2/2010 3:49 PM, Sven Olaf Kamphuis wrote:
Are there still any commercial X.25 nets in operation?  I had some 
peripheral involvement with Tymnet in the MCI/Concert conversion, and 
hear it shut down sometime in 2003-4.


http://www.ram.nl/nl/aanbieder_van_mobiele_datacommunicatie/diensten/netwerkdiensten?read_more=1323735124421760482 



also: yep.

commercial x.25 based packet radio networks, and the wired parts to 
keep them together, are still around.


(the non-commercial ones also of course ;)


The last I knew all the ATM (Automated Teller Machines) all ran on X.25

--Curtis


Re: IPv6 rDNS

2010-11-02 Thread Curtis Maurand



I'll note that most of the behavior you describe here is deeply
rooted in the RFC's.  The concepts of zone transfers for instance
are not unique to BIND, but rather in the definition of how
interoperable DNS is supposed to work.

That said, there is clearly room for improvement, and in fact there
are a lot of folks working on it.  Indeed, some of them have funding
BIND 10, a ground-up rewrite of BIND that I think based on the tone
of your message may please you with the direction that it is going.

For more information...

http://www.isc.org/bind10
http://bind10.isc.org/

The documentation has some very glaring omissions like the structure of 
the sqlite3 zone files.


--Curtis



Re: Only 5x IPv4 /8 remaining at IANA

2010-10-18 Thread Curtis Maurand

On 10/18/2010 8:16 AM, ML wrote:

 And +1 on the pioneers comment too.


Paul.



IPv6 Hipsters..Doing it before it was cool.




IPV4 -easy();
IPV6-really().Really().Difficult();




Re: router lifetime

2010-10-04 Thread Curtis Maurand

On 10/2/2010 7:23 PM, Franck Martin wrote:

How long do you keep a router in production?

What is your cycle for replacement of equipment?

For a PC, you usually depreciate it over 3 years, and can make it last 5 years, 
but then you are stretching the functionality, especially if you upgrade the 
OS, tho it is not uncommon to see companies still on XP and IE6.

Hell, we still have Windows 2000 and IE6.

--Curtis



Re: ATT Dry Pairs?

2010-10-01 Thread Curtis Maurand


I'd set up something wireless between them.  Just my $0.02.

--Curtis

On 9/30/2010 4:52 PM, Brandon Galbraith wrote:

Has anyone had any luck lately getting dry pairs from ATT? I'm in the
Chicago area attempting to get a dry pair between two buildings (100ft
apart) for some equipment, but when speaking to several folks at ATT the
response I get is You want ATT service without the service? That's not
logical!. Had no problems 3-4 years ago getting these sorts of circuits,
but it appears it's gone the way of the dodo now. Any emails off-list are
appreciated.






Re: Software-based Border Router

2010-09-29 Thread Curtis Maurand


I didn't say hardware forwarding.  I said hardware.  They have 
appliances that run up to 3Mpps and support 8000 tunnels.  This is all 
information from their website.  I've been running vyatta on a small 
dual core supermicro shallow box for 455 days without a reboot.  Except 
for the occasional tunnel drop (which I've managed to automate 
restarting via a shell script) it's been rock solid.  It's 
been as rock solid as the OpenRoute router it replaced and that router 
ran for 10 years.  There are lots of interfaces you can purchase for the 
thing including 10Gbps if you need them.  Some of those might have 
hardware forwarding, they might not.  Running server quality interfaces 
is always better than the cheap little Realtek.  However, those cheap 
little Realteks get it done...reliably.


On 9/28/2010 12:58 PM, Nathan Eisenberg wrote:

Vyatta has hardware forwarding?  Real hardware forwarding?  Where?

Best Regards,
Nathan Eisenberg


-Original Message-
From: Curtis Maurand [mailto:cmaur...@xyonet.com]
Sent: Tuesday, September 28, 2010 5:55 AM
To: Heath Jones
Cc: nanog@nanog.org
Subject: Re: Software-based Border Router

   Vyatta has support contracts.  If you want hardware, they've got that, too.



On 9/27/2010 6:48 PM, Heath Jones wrote:

Oh, support contract!!?


Differences:
- Hardware forwarding
- Interface options
- Port density
- Redundancy
- Power consumption
- Service Provider stuff - MPLS TE? VPLS? VRF??

Any others?








Re: Software-based Border Router

2010-09-29 Thread Curtis Maurand

On 9/29/2010 8:59 AM, Heath Jones wrote:

What's the real-world power consumption and heat like? 455 days shows
some pretty good reliability!
Cheers for the info Curtis
That's a really good question.  This is a small 260 watt supermicro 
short depth (14) 1u system I purchased from tigerdirect.  It's roughly 
the same type of system that barracuda networks would sell you.  You can 
purchase one from newegg with dual core atom 330 processors which would 
be even lower power for around $414.  It's a nothing box and it's not even 
breathing hard.  It's running on a 100mbps fiber.  The speed tests that 
I've run show it running close to wire speed.  It would probably run 
even better if I were using real server NICs on it.  I'm just using the 
two on board GB NICs.  It has an available PCI slot.


Intel(R) Pentium(R) Dual  CPU  E2220  @ 2.40GHz

Would I run an ISP on it?  No.  Would I deploy a much more capable box 
for a more robust environment, absolutely.  This particular box is 
firewalling an insurance company.


--Curtis


Re: Software-based Border Router

2010-09-28 Thread Curtis Maurand
Vyatta has support contracts.  If you want hardware, they've got that, 
too.




On 9/27/2010 6:48 PM, Heath Jones wrote:

Oh, support contract!!?


Differences:
- Hardware forwarding
- Interface options
- Port density
- Redundancy
- Power consumption
- Service Provider stuff - MPLS TE? VPLS? VRF??

Any others?






Re: ISP port blocking practice

2010-09-03 Thread Curtis Maurand



I use SSL only and even then, it requires authentication.

--Curtis



On 9/3/2010 1:00 PM, Owen DeLong wrote:

I have had it happen in some metro areas on sprint. I have experienced it in at 
least a dozen hotels over the last 12 months. I have run into it in various 
airports with free public wifi. I have run into the problem in several coffee 
shops.

By far, the worst offenders are the most expensive hotels where the Internet 
access, damaged as it is generally goes for $25+ per day. I almost always end 
up getting free Internet as a result because I report the issue as a problem 
and their technical support usually can't spell tcp let alone understand what I 
mean when I say a port is blocked.

Even worse is the ones that silently redirect your smtp (regardless of port) session to 
their MTA. Fortunately, my configuration is good enough that it just breaks in these 
cases, but I know many people who thought they were connecting to their own server via 
TLS only to later discover that their mail was relayed in clear text through several 
third party servers. (most MUAs seem to have an unfortunate default to SSL or TLS 
if available and keep right on sending even if TLS negotiations are rejected.)

Owen


Sent from my iPad

On Sep 4, 2010, at 12:08 AM, JC Dill <jcdill.li...@gmail.com> wrote:





Re: DNSSEC and SSL

2010-08-23 Thread Curtis Maurand

On 8/22/2010 3:57 PM, Mans Nilsson wrote:

  a DNSSEC capable stub resolver not in the cards?
The best option today is to run a full-service resolver on the host;
which is a tad heavy for most desktops, not to speak about the cache
misses that would cause root server system load. The latter of course
can be avoided by setting forwarders.

OTOH: A thicker stub resolver does indeed exist; lwresd in the BIND
suite. Calling it from applications does however mean using new API
calls; since the traditional resolver API is oblivious to DNSSEC.


PowerDNS resolver.  Very fast, very light.

--Curtis



Re: Monitoring Tools

2010-08-19 Thread Curtis Maurand

On 8/19/2010 4:23 PM, Phil Regnauld wrote:


hat employer=other
While developing our own monitoring product, we've had to deal with
various constraints from the customer side, for instance pharmaceutical
companies where there was no way installing an agent on PLC machines 
would
pass internal audit, without having the entire system re-validated 
(we're
talking FDA-validated medication production here).
/hat

But often, SNMPD ships with or is available as an optional base
component (Windows, most UNIXes) and it's easier to convince the IT
suits.  Go figure.

Oh, and it avoided us having to install an agent on 1000+ servers :)


But the configuration learning curve for SNMP is very steep indeed.

--Curtis




Re: Appliance Vs Software based routers

2010-08-04 Thread Curtis Maurand

On 8/4/2010 9:53 AM, Xavier Beaudouin wrote:

Le 4 août 2010 à 15:14, Mirko Maffioli a écrit :

   

2010/7/25 Laurens Vets <laur...@daemon.be>:
 

Cisco PIX: no, Cisco ASA: yes. It even runs under VMware...  It's however
very hackish... :)
   

Cisco ASA under VMware?? :|
 

Cisco ASA is based on x86; there is no reason you cannot run it in VMware 
or Xen...

Xavier
   
As long as VMware's hardware (NIC, storage, etc.) lines up with 
Cisco's.  You still have to have drivers.


--Curtis


Re: Vyatta as a BRAS

2010-07-13 Thread Curtis Maurand

On 7/13/2010 2:56 AM, Truman Boyes wrote:

On 13/07/2010, at 4:50 PM, Dobbins, Roland wrote:

   

On Jul 13, 2010, at 1:34 PM, Sharef Mustafa wrote:

 

do you recommend it?
   


My comment would be that a software-based BRAS - 7200, Vyatta, et. al. - is no 
longer viable in today's Internet, and hasn't been for years, due to 
security/availability concerns.  Same for peering/transit edge, customer 
aggregation edge, et. al.

---
Roland Dobbins <rdobb...@arbor.net> // http://www.arbornetworks.com

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken
 

  A low cost 7200 or ERX-310 would easily fit the bill, and you can buy them 
cheap these days.

   

Cisco may be a lot of things, but low cost is not one of them.

I've been running Vyatta on a small 1U Supermicro Server (cost $600.00) 
for over one year.  It handles all of our VPN traffic and is the main 
router for our fiber connection.  Except for dropping a tunnel every now 
and then it's been flawless.  I've set up a cron job to monitor the VPN 
and restart any tunnel that might drop.  No tunnel is ever down for more 
than a minute.


router:~# uptime
 11:01:52 up 377 days, 17:22,  1 user,  load average: 0.00, 0.00, 0.00

--Curtis
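
A tunnel watchdog of the kind Curtis describes, as an added example that is not his script and not Vyatta's own code: it probes the peer's inside address, restarts the tunnel after a run of failed probes, and rate-limits restarts so a peer that is genuinely down cannot turn the watchdog into a restart loop that also hides the outage from the logs. The ICMP probe and the `RESTART_CMD` placeholder are assumptions; the actual command that restarts a tunnel depends on the platform and is left to be filled in.

```python
"""VPN tunnel watchdog with failure counting and restart hold-down.

Added example, not the script from the thread. RESTART_CMD is a
placeholder; the probe assumes an iputils-style ping(8) is present.
"""
import logging
import subprocess
import sys
import time

log = logging.getLogger("tunnel-watchdog")

# Placeholder: replace with the platform's tunnel restart command.
RESTART_CMD = ["/bin/true"]


class TunnelWatchdog:
    """Decides when a restart is due from a stream of probe results.

    A restart is issued after `failures_before_restart` consecutive failed
    probes, but never more often than once per `min_restart_interval`
    seconds, so a dead peer produces one logged restart per window rather
    than a restart every probe.
    """

    def __init__(self, failures_before_restart=3, min_restart_interval=60,
                 clock=time.monotonic):
        self.failures_before_restart = failures_before_restart
        self.min_restart_interval = min_restart_interval
        self.clock = clock              # injectable for testing
        self.consecutive_failures = 0
        self.last_restart = None
        self.restart_count = 0

    def tick(self, probe_ok):
        """Feed one probe result; return True if a restart should be issued now."""
        if probe_ok:
            self.consecutive_failures = 0
            return False
        self.consecutive_failures += 1
        if self.consecutive_failures < self.failures_before_restart:
            return False
        now = self.clock()
        if (self.last_restart is not None
                and now - self.last_restart < self.min_restart_interval):
            return False                # inside the hold-down window
        self.last_restart = now
        self.restart_count += 1
        self.consecutive_failures = 0   # start counting afresh after a restart
        return True


def ping_ok(host, timeout_s=2):
    """One ICMP echo request; True if the peer answered (assumes iputils ping)."""
    try:
        r = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), host],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
                           timeout=timeout_s + 2)
        return r.returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def run(peer, interval_s=10, max_cycles=None):
    """Poll the peer forever (or for max_cycles); return the number of restarts."""
    wd = TunnelWatchdog()
    cycles = 0
    while max_cycles is None or cycles < max_cycles:
        if wd.tick(ping_ok(peer)):
            log.warning("peer %s failed %d probes in a row; restarting tunnel",
                        peer, wd.failures_before_restart)
            subprocess.run(RESTART_CMD, check=False)
        cycles += 1
        time.sleep(interval_s)
    return wd.restart_count


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO,
                        format="%(asctime)s %(levelname)s %(message)s")
    run(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1")   # constructed peer address
```

Because the hold-down state lives in the process, this is meant to run as one long-lived process under the init system rather than as a per-minute cron entry; a cron-driven version would have to persist the failure count and last-restart time on disk between invocations. The warning line on each restart is what lets you later tell a flapping peer from a tunnel that dropped once.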



Re: Vyatta as a BRAS

2010-07-13 Thread Curtis Maurand

On 7/13/2010 4:53 AM, Dobbins, Roland wrote:

On Jul 13, 2010, at 3:00 PM,khatfi...@socllc.net  wrote:

   

I agree software-based deployments have their flaws but I do not agree that it 
cannot be managed securely with comparable or exceeding uptime -vs- a drop in 
appliance. I firmly believe it has it's place in 'today's internet'.
 


When a single botted/misbehaving host easily can take down a software-based 
BRAS, that's a pretty strong indication that software-based edge devices are 
contraindicated, heh.

Software-based edge devices have been obsolete for a long time, now.  They're a 
great risk to operators who've yet to replace them with hardware-based devices.
   


They are all software based, no matter who builds them.  Cisco IOS, 
Juniper JunOS, etc.


--Curtis




Re: Vyatta as a BRAS

2010-07-13 Thread Curtis Maurand

On 7/13/2010 11:11 AM, Greg Whynott wrote:
   

They are all software based, no matter who builds them.  Cisco IOS,
Juniper JunOS, etc.
 

controlling hardware asic's and fpga's.
   
In a PIX, it's a Pentium 4.  I've also been in other routers that use 
PowerPC.  It depends on the manufacturer.  Cisco uses its own custom 
processor when it gets to that level.  It's why you have a choice of 
processor in the 7200's.


--Curtis



Re: U.S. Plans Cyber Shield for Utilities, Companies

2010-07-08 Thread Curtis Maurand

On 7/8/2010 9:51 AM, Brandon Ross wrote:

On Wed, 7 Jul 2010, Michael Painter wrote:


Have we all gone mad?
I find it hard to understand that a nuclear power plant, air-traffic 
control network, or electrical grid would be 'linked' to the Internet 
in the interest of 'efficiency'.  Air gap them all and let them apply 
for Inefficiency Relief from the $100 million relief fund.



Heck, removing all of these functions from the Internet will create 
jobs, too, right?  And no one would mind paying for all of this out of 
their airline tickets, it should only increase fares by a third or so.


You know it is possible, mind you, possible to have control systems for 
things like the power grid and nuclear power plants to live on a 
physically separate network within a building from a terminal that has 
the internet connected to it.


--C



Re: Future of WiMax

2010-06-16 Thread Curtis Maurand


They've already claimed they'll probably switch to LTE.  They said it 
was just a software change to do that.  Of course the standard for 
actually placing a phone call on it (LTE) has yet to be finalized.


On 6/16/2010 3:40 PM, Gregory Hicks wrote:
   

Date: Wed, 16 Jun 2010 12:35:16 -0700
From: Seth Mattinen <se...@rollernet.us>

WiMax sounds promising, but I certainly don't hear a lot about it
 

other
   

than Sprint/Clear. Is it just that everyone that's doing wireless is
sticking with relatively inexpensive 802.11 a/b/g/n products, or is
WiMax really a dead end?
 

Sprint/Clear certainly thinks it has promise.  They just put up a
wireless tower just next door to my house in San Jose...  (Well, Clear
actually received permission from the city zoning dept...)

Regards,
Gregory Hicks

   

~Seth

 

-
Gregory Hicks   | Principal Systems Engineer
 | Direct:   408.569.7928

People sleep peaceably in their beds at night only because rough men
stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance.  -- Thomas Jefferson

The best we can hope for concerning the people at large is that they
be properly armed. --Alexander Hamilton


   





Re: Dial Concentrators - TNT / APX8000 R.I.P.

2010-05-11 Thread Curtis Maurand

On 5/10/2010 6:36 PM, Mark Foster wrote:

Does this not highlight a wider issue?

I realise that dialup is hardly 'cutting edge' but there are providers out
there with a significant number of dialup customers still on the books.
Surely there's still a market for (what should be by now) a
straightforward, well known piece of kit?

In parts of the world where broadband is not ubiquitous and dialup remains
useful as a Plan-B or is simply the only choice (for whatever reason),
what are the practical choices now?

Whilst folks may not be fielding 'new' dialup kit, I dare say that we're
going to be continuing to see dialup customers on the books for the next 5
years, perhaps a lot longer?  That's a whole product lifespan...

   
How about an Aastra CVX shelf?  We used one at an ISP I used to work for 
in Maine.  It worked well.  Dial-up was considered the cash cow then.


--C



Re: Rugged wireless bridge

2010-05-11 Thread Curtis Maurand

On 5/11/2010 9:36 AM, Andrey Khomyakov wrote:

Hi all,

I need to provide IP connectivity to an outdoor parking lot for security
devices like a camera, and emergency phone and a gate. Does anyone have any
suggestions on a wireless bridge and an outdoor rated switch if such exists?
How do people provide IP to outdoor locations like a surface parking lot?

   

http://www.cisco.com/en/US/products/ps10050/index.html

--Curtis


Re: Dial Concentrators - TNT / APX8000 R.I.P.

2010-05-11 Thread Curtis Maurand


30% of all people in the US (110 million) have no access to broadband.  
Large areas of my state have no access to broadband because it's rural 
(Maine).


Aastra CVX (it used to be a Nortel product.)

--Curtis

On 5/11/2010 11:29 AM, Joe Abley wrote:

On 2010-05-11, at 11:08, Leo Bicknell wrote:

   

There comes a time when the old tech just doesn't make sense, even
if a small customer base still wants it.
 

There will also no doubt continue to be many customers for whom dial is the 
only option.

It's not long ago that I lived in such a house, deceptively close to the 
outskirts of town but in terms of wire distance and load coils it might as well 
have been on the moon. The house was in a wireless dead zone by a river, there 
was no cable, and the only line of sight to another structure was through 
several acres of 2.4GHz-absorbing trees.

The further you move away from urban centres, the easier it is to find examples 
of this.


Joe
   





Re: ARIN IP6 policy for those with legacy IP4 Space

2010-04-09 Thread Curtis Maurand

On 4/9/2010 10:10 AM, John Curran wrote:

A large *end-user* pays maintenance fees of $100/year. ISPs
pay an annual registration services subscription fee each year,
proportional to the size of aggregate address space held.

   

I stand corrected.  I misunderstood the doc.  I could never read.  :-)

--Curtis




Re: ARIN IP6 policy for those with legacy IP4 Space

2010-04-09 Thread Curtis Maurand

On 4/9/2010 1:43 PM, William Herrin wrote:
No, ARIN is not a regulator.  Regulators have guns or access to 
people with

guns to enforce the regulations that they enact. ARIN has no such power.

The FCC is a regulator.  The California PUC is a regulator. ARIN is not
a regulator.
 

Last I heard, the FCC has access to people with law degrees not guns.
Much like ARIN, really.
   
ARIN can act by de-allocating your network and revoking your ASNs.  
They can't fine you, but if you violate the RSA, they can revoke your 
stuff.  That seems regulatory to me.


--Curtis




Re: Locations with no good Internet

2010-03-08 Thread Curtis Maurand

On 3/6/2010 7:28 AM, Joel Snyder wrote:

Patrick Giagnocavo <patr...@zill.net> wrote:

Isn't this really an issue (political) with tariffed T1 prices rather
than a technical problem?

I was told that most T1s are provisioned over a DSLAM these days
anyways, and that the key difference between T1 and DSL was the SLA
(99.99% guarantee vs. when we get it fixed).

I don't know about anything other than Qwest-land in Arizona, but we 
are seeing the few T1s that are still in service provisioned as you 
described: a 2-wire DSL connection, although not out of a local DSLAM.


Here in Maine, they use HDSL (two pair) to supply T1.  They put 
repeaters down the line or work it out of a SLICK.  The bridge taps and 
side taps are removed from the loops (conditioned) and then there's the 
SLA.  I learned to always have a spare CSU/DSU on site.


--Curtis



Re: lt2p/pptp vpn concentrators

2010-03-04 Thread Curtis Maurand


pfsense or Vyatta on Intel dual core hardware with decent network cards 
will save you a ton of $$$ and run thousands of tunnels.


On 3/3/2010 7:01 PM, Paul Wall wrote:

On Wed, Mar 3, 2010 at 2:52 PM, Leslieles...@craigslist.org  wrote:
   

We're currently looking for a small lt2p/pptp concentrator, mainly so people
can connect via their iphones/androids with some vpn client to get email on
the go.
 

If you're looking for ease of client configuration, try a Cisco router or ASA.

A current enterprise best-practice is to put your Exchange web server
in the DMZ, sacrificing some security for not having to deal with the
annoyance of supporting client-side tunneling.

Drive Slow,
Paul Wall

   





Re: Security Guideance

2010-02-24 Thread Curtis Maurand

On 2/23/2010 5:38 PM, Nathan Ward wrote:

Using lsof, netstat, ls, ps, looking through proc with ls, cat, etc. is likely 
to not work if there's a rootkit on the box. The whole point of a rootkit is to 
hide processes and files from these tools.

Get some statically linked versions of these bins on to the server, and hope 
they haven't patched your kernel.
   
See if you can get a binary of busybox which has those tools and they're 
all contained in the binary.  It should run from any folder.


http://busybox.net

Very handy.

--Curtis
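The point in the post above is that a rootkit hides processes from the tools you would normally use, so the check is a cross-view comparison: what the (possibly lied-to) ps reports versus what /proc and a signal-0 probe of the PID space show. This is an added example, not code from the thread or from busybox; the PID values in the sample are constructed.

```python
import os
import re
import subprocess
from typing import Iterable, Set


def pids_from_ps_output(text: str) -> Set[int]:
    """Parse PIDs out of `ps -eo pid=` style output (one number per line)."""
    return {int(tok) for tok in re.findall(r"\b\d+\b", text)}


def pids_from_proc(proc_root: str = "/proc") -> Set[int]:
    """PIDs visible as numeric directories under /proc (the view ls and ps use).
    A rootkit that hooks readdir() can filter this list, which is why the
    probe below is consulted as well."""
    try:
        return {int(name) for name in os.listdir(proc_root) if name.isdigit()}
    except OSError:
        return set()


def pids_by_probe(max_pid: int) -> Set[int]:
    """Brute-force the PID space with signal 0, which delivers nothing.
    ProcessLookupError means no such PID; PermissionError means the PID
    exists but belongs to someone else, so it still counts as present.
    A kernel-level rootkit that hooks kill() can lie here too; this only
    catches userland hiding (patched ps/ls, LD_PRELOAD tricks, readdir hooks)."""
    found: Set[int] = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass
        found.add(pid)
    return found


def hidden_pids(reported: Iterable[int], visible: Iterable[int]) -> Set[int]:
    """PIDs present in the more trustworthy view but missing from the
    reported one. Any non-empty result deserves a look; the usual false
    positive is a process that exited between the two snapshots, so
    re-run before treating a single hit as evidence."""
    return set(visible) - set(reported)


def live_check(max_pid: int = 65535) -> Set[int]:
    """Compare the host's own ps against /proc plus the signal-0 probe.
    Point the command at a static busybox binary (e.g. ["/tmp/busybox", "ps"])
    if, as the thread suggests, you do not trust the host's dynamically
    linked tools. `ps -eo pid=` is a standard procps invocation."""
    ps_out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                            text=True, check=False).stdout
    reported = pids_from_ps_output(ps_out)
    trusted = pids_from_proc() | pids_by_probe(max_pid)
    return hidden_pids(reported, trusted)


if __name__ == "__main__":
    # Constructed sample: ps reports three PIDs, but a fourth still answers
    # to signal 0. That discrepancy is the tell the thread is talking about.
    sample_ps = " 1\n 42\n 1337\n"
    sample_probe = {1, 42, 1337, 4096}
    print(sorted(hidden_pids(pids_from_ps_output(sample_ps), sample_probe)))  # [4096]
    print("hidden on this host:", sorted(live_check()))
```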



Re: Email Portability Approved by Knesset Committee

2010-02-23 Thread Curtis Maurand

On 2/22/2010 12:02 PM, Joel Esler wrote:

I have an idea.  Everyone just get a gmail (or otherwise neutral account) 
like me.com or gmail.com or yahoo.com and be done with it.

J

   


Sure, and give all that information to data mining companies with no 
interest in privacy.  No thank you.  I have a gmail account that I only 
use to test other accounts.  I don't need folks snooping in my email as 
Google does.


C




Re: DNS server software

2010-02-23 Thread Curtis Maurand


DNSSEC with powerdns is under development.  It's coming soon to a server 
near you.


--C

On 2/22/2010 3:16 PM, Grzegorz Janoszka wrote:

On 22-2-2010 15:39, Phil Regnauld wrote:
PowerDNS also has an open source solution (www.powerdns.com). PowerDNS 
is easily modified with custom backends (using a simple pipe interface).


All of the above support DNSSEC.


I do not think so:

http://en.wikipedia.org/wiki/Comparison_of_DNS_server_software

DNSSEC support in PowerDNS is currently restricted to being able to 
serve DNSSEC-related RRs. No further DNSSEC processing takes place.


I have reviewed all popular DNS software recently, PowerDNS was really 
OK, but eventually I have decided not to go with it due to lack of 
full DNSSEC support.







Re: DNS server software

2010-02-22 Thread Curtis Maurand


I do hosting rather than network provisioning, but when I was doing 
network provisioning we used PowerDNS' resolver.  It's small, and it's 
very, very fast.  It's customizable and can be scripted using Lua.


http://www.powerdns.com



On 2/22/2010 9:16 AM, Claudio Lapidus wrote:

Hello all,

We are a mid-sized carrier (1.2M broadband subscribers) and we are looking
for an upgrade in our public DNS resolver infrastructure, so we are
interested in getting to know what are you guys using in your networks.
Mainly what kind/brand of software and which architecture did you use to
deploy it, and how did you do the sizing, all of it would be most helpful
information.

Many thanks in advance for your advice!
cl.
   





Re: DNSSEC Readiness

2010-02-16 Thread Curtis Maurand


I haven't run BIND in a number of years.

--Curtis

On 2/15/2010 2:06 PM, Charles N Wyble wrote:


Tony Finch wrote:
   

On Mon, 15 Feb 2010, Charles N Wyble wrote:
 

How are folks verifying DNSSEC readiness of their environments? Any
existing testing methodologies / resources that folks are using?
   

Here's my summary of the situation (as of a couple of months ago) with
links to a few key resources: http://fanf.livejournal.com/104774.html

Tony.
 

Most interesting. Thanks.

- From https://www.dns-oarc.net/oarc/services/replysizetest

char...@charles-laptop:~] dig +short rs.dns-oarc.net txt
rst.x3827.rs.dns-oarc.net.
rst.x3837.x3827.rs.dns-oarc.net.
rst.x3843.x3837.x3827.rs.dns-oarc.net.
8.0.23.143 sent EDNS buffer size 4096
8.0.23.143 DNS reply size limit is at least 3843
Tested at 2010-02-15 19:03:47 UTC
char...@charles-laptop:~]

I have a local BIND server I use for DNS. It's whatever Ubuntu 9.10
installs  with apt-get, and a cisco 1841 as my edge router.

I imagine that is a pretty standard setup in a lot of user sites (linux
with bind and a cisco router of some sort).

Will do further investigation.

- --
Charles N Wyble
Linux Systems Engineer
char...@knownelement.com (818)280-7059
http://www.knownelement.com
Unless agreed upon, assume everything in this e-mail might be blogged.
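The dig test quoted above works because the client advertises an EDNS0 UDP buffer size in an OPT pseudo-record and the server answers with as large a reply as that allows; DNSSEC answers (DNSKEY, RRSIG) routinely exceed the classic 512 bytes, so a path that strips EDNS0 or clamps it to 512 shows up as truncated replies. This added example (not code from the thread, dig or DNS-OARC) builds such a query and reads the advertised size and DO bit back out of a packet; rs.dns-oarc.net is the name used in the test above, everything else is constructed.

```python
import random
import socket
import struct
from typing import Optional, Tuple

OPT_TYPE = 41      # RFC 6891 OPT pseudo-RR
DO_FLAG = 0x8000   # "DNSSEC OK" bit in the flags half of the OPT TTL field


def encode_name(name: str) -> bytes:
    """Wire-format a domain name: length-prefixed labels plus root terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname: str, qtype: int = 16, udp_size: int = 4096,
                do_bit: bool = True, txid: Optional[int] = None) -> bytes:
    """Recursive query (qtype 16 = TXT, as in the dig command above) with one
    OPT record in the additional section advertising udp_size bytes."""
    if txid is None:
        txid = random.randrange(0, 1 << 16)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # RD=1, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR layout: NAME = root (one zero byte), TYPE = 41,
    # CLASS = requestor's UDP payload size,
    # TTL = extended RCODE (8) | EDNS version (8) | flags (16), RDLENGTH = 0.
    flags = DO_FLAG if do_bit else 0
    opt = b"\x00" + struct.pack("!HHBBHH", OPT_TYPE, udp_size, 0, 0, flags, 0)
    return header + question + opt


def skip_name(pkt: bytes, off: int) -> int:
    """Offset just past a (possibly compressed) wire-format name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # compression pointer occupies 2 bytes
            return off + 2
        off += 1 + length


def is_truncated(pkt: bytes) -> bool:
    """TC bit set: the answer did not fit the buffer the client offered and
    the client must retry over TCP. Seeing this on DNSKEY/RRSIG answers is
    the classic symptom of a firewall or resolver clamping EDNS0 to 512."""
    return bool(pkt[2] & 0x02)


def edns_info(pkt: bytes) -> Optional[Tuple[int, bool]]:
    """(udp_size, do_bit) from the first OPT record in pkt, or None if the
    packet carries no EDNS0 at all."""
    qd, an, ns, ar = struct.unpack("!HHHH", pkt[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4           # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == OPT_TYPE:
            return rclass, bool(ttl & DO_FLAG)
        off += 10 + rdlen
    return None


def send_udp(server: str, qname: str, udp_size: int = 4096) -> bytes:
    """Send one query over UDP and return the raw reply (needs network)."""
    pkt = build_query(qname, udp_size=udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(3)
        s.sendto(pkt, (server, 53))
        reply, _ = s.recvfrom(65535)
    return reply


if __name__ == "__main__":
    q = build_query("rs.dns-oarc.net", txid=0x1234)
    print(edns_info(q))           # (4096, True)
    print(is_truncated(q))        # False
    # Offline check of the parser against a reply we construct ourselves:
    reply = q[:2] + b"\x83\x00" + q[4:]   # QR=1, RD=1, TC=1
    print(is_truncated(reply))    # True
```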

   





Re: Latest Cisco for small dual homed ASN

2010-02-11 Thread Curtis Maurand

On 2/11/2010 1:53 PM, James Smallacombe wrote:


I have a customer that is looking at using BGP for their network; one 
connection over a few bonded T1s, the other over a Comcast Enterprise 
connection (which supposedly will do BGP now).


When I was dual homed a few years ago, a 7204VXR with 256MB was more 
than adequate.  With routing tables growing the way they are, what's a 
good Cisco based solution on the lower end of the price spectrum that 
should handle this fine for a few years?


Somebody else is suggesting a Vyatta (Linux based) solution, which 
makes me a little nervous.  Then again, Linux has improved 
dramatically from a security and stability P.O.V, so maybe it's worth 
a look if there's no hard drive involved.


I've been running Vyatta here for a year now.  It's running VPNs and 
it's routing on a TimeWarner Fiber on a modest dual core supermicro 
server.  It's never had to be restarted.  It's only dropped its tunnel a 
few times, but a cronjob checks it and restarts it if it goes away.


Version  :VC5.0.2
Copyright:2006-2009 Vyatta, Inc.
Built by :r...@vyatta.com
Built on :Fri Feb 27 03:18:16 UTC 2009
Build ID :2009-02-26-2347-3bb1a83
Boot via :disk
Uptime   :15:10:39 up 225 days, 22:31,  1 user,  load average: 0.00, 
0.00, 0.00



Cheers,
Curtis



Re: Default route with object tracking

2010-02-01 Thread Curtis Maurand


I'd rather send him to something more open like kernel.org;  anything 
but Google's DNS.  Google's DNS is a little too nefarious for my taste.


On 2/1/2010 10:31 AM, Dan White wrote:

On 01/02/10 10:13 -0500, Andrey Gordon wrote:

Hi list.

I'd like to setup my default routes to the Interwebz to be conditional on
reachability of something on the Interwebz. I got two different ISPs (no
BGP). I'm trying to figure out what would be a reliable object to track?
Meaning, it's probably not reasonable to track my ISPs default gateway,
since it does not protect me from someone on the ISP side screwing up. I'm
thinking of tracking something like google.com, but am not sure if after I
resolve google.com for the first time, it will be simply tracking an
arbitrary server (or some load balancer).

I wanted to see what experienced folks think is a reliable tracking target.

Any comments are much appreciated.


Publicly advertised DNS server IPs should be good, such as google's 8.8.8.8
and 8.8.4.4.






Re: news from Google

2009-12-03 Thread Curtis Maurand

Eduardo A. Suárez wrote:

Hi,

now Google DNS, anything more?

http://googlecode.blogspot.com/2009/12/introducing-google-public-dns-new-dns.html 



Eduardo.-

yawn.  So not interested. 





Re: FTTH Active vs Passive

2009-12-02 Thread Curtis Maurand


You might look into what's being done in Sweden then. Here there are 
municipality networks who dig up the streets and do fiber to the 
individual house in suburbia (you have to trench your own land though, 
4dm deep, 1-2dm wide; they only dig in the street and put down the pipe in 
your trench).


Common cost for the house owner to get this done is in the 2-4kUSD range 
per house, then you can choose between multiple ISPs to purchase your bw 
from. 100/100 (symmetric speed) seems to cost 40 USD per month, 10/10 is 
5-10 USD/month cheaper.


I've been trying to run the text thru google translate, but the web magic 
seems to prohibit this from working.


If someone can figure it out better than me, the URL is here (in Swedish):

http://www.sollentunaenergi.se/bredband/ansl_villor.asp

  
I'd look more to what they're doing in Rochester, NY:  
http://rocwiki.org/Sewer_Fiber_Optic_Network 

Run it in the sewers.  The sewer system runs to every building and 
household in the municipality.  No need to re-trench anything.


--Curtis



Re: FTTH Active vs Passive

2009-12-02 Thread Curtis Maurand

Mackinnon, Ian wrote:

snip

In the UK more homes have fixed wire telephony than mains sewers or
water.
Not sure what that means to this discussion :-)

  
In the US as well, but if you're trying to run a new fiber network and 
you want it underground, the sewers in metro areas are a good place to 
start.  In the rural areas, however, everything is on poles except for 
new construction where trenching and conduit are required.


I worked briefly for a small ILEC/CLEC here in Maine that does not 
replace copper trunks with copper any longer.  If the copper goes bad, 
they're running FTTH.





Re: ISP customer assignments

2009-10-08 Thread Curtis Maurand


Sorry to be a curmudgeon and let me play devil's advocate for a minute.  
I realize that the address space is enormous; gigantic, even, but if we 
treat it as cavalierly as you all are proposing, it will get used up.  
If it's treated like an infinite resource that will never, ever be used 
up as we have done with every other resource on the planet, won't we 
find ourselves in a heap of trouble? 


Curtis

Michael Dillon wrote:

There seems to be a variance between "It's OK to just give out a /64" to
"You better be thinking about giving out a /48". I can live in those
boundaries and am most likely fine with either. I'm leaning toward a /56
for regular subscribers and a /48 only for business or large scale
customers, and undecided on dial-up. How does this sound?



The starting point is to give everybody a /48 per site. If a business customer
has 3 sites, then give them enough space for a /48 for each site. Could be
3 /48s or could be a /46.

But, if you have a lot of residential customers, it is quite
reasonable to give them
a /56 per site instead. Be prepared for some customers to ask for two
/56s because
they have a granny-flat or in-law apartment in the house. Also be
prepared for some
to ask for a /48 because they are running a business at home, or they
are technical
types who have their own home network lab.

Your plan for /56 to residential subscribers and /48 to business
subscribers sounds
perfectly fine as long as your systems have some way to accommodate
that grey area,
either by recording a /48 against a residential subscriber or counting
them as a class
of business customer that pays a residential rate.

Charging a customer extra for more IPv6 addresses just will not fly in
a competitive
market.

--Michael Dillon

  




Re: Dan Kaminsky

2009-08-04 Thread Curtis Maurand

andrew.wallace wrote:

On Thu, Jul 30, 2009 at 11:48 PM, Dragos Ruiud...@kyx.net wrote:
  

at the risk of adding to the metadiscussion. what does any of this have to
do with nanog?
(sorry I'm kinda irritable about character slander being spammed out
unnecessarily to unrelated public lists lately ;-P )




What does this have to do with NANOG?  The guy found a critical
security bug in DNS last year.
  
He didn't find it.  He only publicized it.  The guy who wrote djbdns 
found it years ago.  PowerDNS was patched for the flaw a year and a half 
before Kaminsky published his article.


http://blog.netherlabs.nl/articles/2008/07/09/some-thoughts-on-the-recent-dns-vulnerability

However - the parties involved aren't to be lauded for their current 
fix. Far from it. It has been known since 1999 that all nameserver 
implementations were vulnerable for issues like the one we are facing 
now. In 1999, Dan J. Bernstein http://cr.yp.to/djb.html released his 
nameserver (djbdns http://cr.yp.to/djbdns.html), which already 
contained the countermeasures being rushed into service now. Let me 
repeat this. Wise people already saw this one coming 9 years ago, and 
had a fix in place.



--Curtis


Re: Wireless bridge

2009-06-18 Thread Curtis Maurand


Cisco Aironet  www.cisco.com
Alvarion www.alvarion.com
Aruba www.arubanetworks.com
bluesocket www.bluesocket.com

I've used all but bluesocket and they all worked pretty well.  
bluesocket gets good reviews.  These are just a few.  There are lots of 
them.  Try to use one as an access point and use one as a client.  
Working in repeater mode will cut your bandwidth in half.


--Curtis



Peter Boone wrote:

Hi NANOG,

I'm looking for some equipment recommendations for a wireless bridge between
two locations approximately 500-800 meters apart. The current setup for this
company has been extremely unstable and slow. I don't have a lot of
experience in this area so I was hoping someone could give me a few
pointers.

Currently, both locations are using Linksys WRT54GL's flashed with DD-WRT
firmware (Yes, 802.11g. All extra bells and whistles are disabled in the
firmware. They were set up for WDS so other wireless clients could connect
to the same access point, with varying degrees of success. Not very
important). They are connected to SmartAnt 2300-2500 MHz 14 dBi directional
antenna mounted on the roof (extended pretty high for perfect line of
sight). I'm not sure when they got these antenna exactly but I'm told it was
when WiFi was very new. The network is very small so both locations share
the same subnet (192.168.1.0/24).

They have gone through numerous Linksys access points over the years. The
wireless settings are tweaked as best as possible, and we have found the
connection to be most stable when the TX is limited to 6-9 Mbps.

We have explored other options as well. An internet connection at each
location + VPN is out due to very slow upstream speeds (the buildings are in
an industrial area, ADSL is the only option.) The max they offer on regular
business accounts is 800 kbps up. T1 lines are even slower and even more
expensive. They won't offer us any other solutions such as fibre. We have
considered running fibre/coax but there is too much construction activity
and other property in the way.

I'm looking into RouterBOARD right now, considering a RB433AH and R52H
wireless card, but I'm not sure this will actually solve the problem. It's
difficult to determine if the issue is with the antennas or access points
(for example, after a good thunderstorm, the wireless link will be down for
at least 12 hours, but will fix itself eventually. Resetting either access
point will keep the link down for at least 30 minutes. Using an airgun on
the access points tends to make them more reliable, even if they are clean
and dust free. From the admin interface, each access point will report
seeing a very good and strong signal from the other, yet they refuse to
communicate until they feel like it a few hours later.)

Any suggestions welcome. I'm sure you can tell cost is a bit of a factor
here but it will be easy for me to justify a higher price if I'm confident
it will be effective.

While I'm at it, I've been reading along on the list for over a year now;
thanks everyone for sharing your real world experiences :)

Peter


  




Re: In a bit of bind...

2009-06-01 Thread Curtis Maurand


I've been using powerdns for quite a while and I've found it to be solid 
and stable.  It'll use quite a few different backends including BIND 
zone files, but its claim to fame is that it uses mysql.


a list of different backends can be found at: 
http://en.wikipedia.org/wiki/PowerDNS#Backends


I saw bind and bind2, db2, geo, gmysql, gpgsql, goracle, gsqlite, ldap, 
odbc, opendbx, pipe and xdb.  Pipe is interesting because you can write 
a backend in anything that talks to anything.  There is documentation 
and examples on the website.  The g stands for generic.


I've been using poweradmin for management.

register.com and tucows both use it.

Cheers,
Curtis

Ben Matthew wrote:
Thanks very much for the various responses to my question; both on and off-list. 


I'm very much liking the idea of only letting the outside world see bind and 
then AXFR'ing the data from an easier-to-manage internal database backed 
solution.  Whether that be myDNS, Microsoft or whatever.   Bit of initial 
config work and then, in theory, an easy job to administer.

Actually feel a bit dumb for not considering that in the first place.  


Cheers again,

Ben


-Original Message-
From: Peter Hicks [mailto:peter.hi...@poggs.co.uk] 
Sent: 01 June 2009 12:42

To: Ben Matthew
Cc: nanog@nanog.org
Subject: Re: In a bit of bind...

Ben,

Ben Matthew wrote:
  

I have six servers in total, two multi-homed servers for ordinary DNS and four 
servers running an Anycast network (2 x master and slave).
  

For DNS, you may find it easier to outsource hosting to another provider 
who has geographically diverse DNS services.  This doesn't necessarily 
mean loss of control.  It also separates your nameserver hosting from 
your servers - suppose your network were to be under attack, or a 
configuration error dropped you offline.  If DNS were somewhere else, 
you could log in, change A records, point somewhere else.
  

Anyway I've recently been investigating other options for DNS as, like many 
companies currently, we've laid off a bunch of staff and the overhead for 
maintaining BIND is quite high if done, like us, unassisted and you are editing 
zone files in a text editor.
  

Revision control systems - CVS, Subversion - are your friend here.  What 
about wrapping up your DNS change procedure through perl or shell 
scripts which automatically roll back if bind doesn't reload, or some 
critical hosts suddenly disappear from the file.


Also, ask yourself what the cost of operating the service without 
changes is, and what the cost of each change is.  How often are you 
making changes?  How often do you need to make a change in an absolute 
emergency?  If changes are being done frequently, a technical or 
semi-technical member of staff will get to know the procedure.  If 
changes are being made rarely, can the changes wait for you to apply 
them if you don't feel comfortable with others doing it?
  

Ultimately for our simple zones (non-Anycast, basic web forwarders) I want to 
create a web-app to do this for me, probably in PHP.  I could create something 
that...

Herein lies a problem - you want to create a web front-end to a DNS 
server.  You're going to have to do a lot of testing to make this play 
nicely, and you could introduce your own security holes or gotchas.  
What is the cost of creating something yourself?


How about one of the following?

  * Outsource DNS hosting, use another provider's interface to manage
  * BIND9 slaves, Windows-based master (hidden) which already has a GUI 
and it isn't difficult to change zones
  * Stick to what you have and document it, wrapping the 'apply' process 
in some simple shell or perl




Peter



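The pipe backend mentioned above ("you can write a backend in anything") is a line-oriented protocol over stdin/stdout: PowerDNS sends `HELO<tab>1`, then `Q<tab>qname<tab>qclass<tab>qtype<tab>id<tab>remote-ip` per lookup, and the backend replies with `DATA` lines followed by `END` (or `FAIL`). This added example implements that ABI version 1 exchange in Python; it is not code from the thread or the PowerDNS project, and the example.com zone data is constructed.

```python
import sys
from typing import Dict, List, Tuple

# Constructed zone data: name -> [(rtype, content, ttl), ...].
# PowerDNS queries the SOA first to learn which zone it is authoritative
# for, so the apex must answer SOA or every name in the zone looks unserved.
ZONE: Dict[str, List[Tuple[str, str, int]]] = {
    "example.com": [
        ("SOA", "ns1.example.com hostmaster.example.com 2009060101 "
                "3600 900 604800 300", 300),
        ("NS", "ns1.example.com", 300),
        ("A", "192.0.2.10", 300),
    ],
    "ns1.example.com": [("A", "192.0.2.53", 300)],
    "www.example.com": [("A", "192.0.2.80", 60)],
}

BANNER = "pipe-backend example ready"


def handle(line: str) -> List[str]:
    """Turn one line from PowerDNS into the list of lines to send back.
    Everything is tab-separated; a malformed line gets FAIL rather than a
    guess, so a confused parser can never hand out records for the wrong
    name. Names are matched case-insensitively and without the trailing dot,
    but echoed back exactly as asked, which is what PowerDNS expects."""
    parts = line.rstrip("\r\n").split("\t")
    if parts[0] == "HELO":
        if len(parts) == 2 and parts[1] == "1":
            return ["OK\t" + BANNER]
        return ["FAIL"]          # unsupported ABI version
    if parts[0] != "Q" or len(parts) != 6:
        return ["FAIL"]
    _, qname, qclass, qtype, qid, _remote = parts
    if qclass != "IN":
        return ["END"]           # no data for other classes
    name = qname.lower().rstrip(".")
    out = []
    for rtype, content, ttl in ZONE.get(name, []):
        if qtype == "ANY" or qtype == rtype:
            out.append("\t".join(["DATA", qname, qclass, rtype,
                                  str(ttl), qid, content]))
    out.append("END")            # an empty answer is still terminated
    return out


def main() -> None:
    # Flush after every exchange: PowerDNS blocks until it sees END.
    for line in sys.stdin:
        for reply in handle(line):
            sys.stdout.write(reply + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

In pdns.conf this would be wired up with `launch=pipe` and `pipe-command=/path/to/this_script.py`; keep the script non-writable by the pdns user, since whatever it prints becomes authoritative answers.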




  




Re: glue record

2009-05-29 Thread Curtis Maurand


Google is your ... well ... anyway.

http://www.zytrax.com/books/dns/ch8/ns.html



Anton Zimm wrote:

On Fri, May 29, 2009 at 2:36 PM, Scott Howard sc...@doc.net.au wrote:
  

On Fri, May 29, 2009 at 12:09 AM, Anton Zimm anton.z...@gmail.com wrote:


Now, from the 'authority section' dig is telling me that I can get the
authorize answer from ns1.push.mobi. But isn't that circular
dependency?
  

http://en.wikipedia.org/wiki/Domain_name_system#Circular_dependencies_and_glue_records

No offense, but a few minutes on Google should be able to tell you far more than you will 
ever need to know about how glue works (The above URL is the #1 hit for dns 
glue)




Scott,
I did google and check wikipedia and other sources before posting the
initial question. I didn't understand it thoroughly before, I think I
understand more now.

thanks,
Anton.

  




Re: Geo Location and DNS

2009-05-29 Thread Curtis Maurand


You may have to contact maxmind, the keepers of the geoip database.
correct...@maxmind.com

Curtis

Stefan Molnar wrote:
It took us over 3 months with Google to update.  They never once said the info was wrong, and it was not even a new ARIN allocation.  


--Original Message--
From: Clue Store
To: Kaegler, Mike
Cc: nanog@nanog.org
Subject: Re: Geo Location and DNS
Sent: May 29, 2009 11:02 AM

Thanks for the follow up. I admit I didn't search the archives ;)
So this sux; there's really no way to fix this but contact as many geo
location folks as possible and have them update. I can't even get to a lot of
sites in the US because of this. UGH!!!

Max

On Fri, May 29, 2009 at 12:55 PM, Kaegler, Mike kaegl...@tessco.com wrote:

  

We last went through this 30 days ago.
http://www.merit.edu/mail.archives/nanog/msg17619.html
-porkchop


On 5/29/09 1:50 PM, Clue Store cluest...@gmail.com wrote:



Hi All,
I am having a hell of a time trying to figure out who it is I need to
contact to get this fixed. I just got a new /21 allocation from ARIN and am
announcing it with no issues. I can ping anywhere and the planet can see me.

The issue I am having is that when I surf out on this new allocation, it
sends me to sites as if I were in Canada. A google search is all things
canadian. Not that I have anything against canadians, but I also cannot surf
to a lot of sites using various DNS servers (my own, 4.2.2.2, etc). Anyone
have any clue where I can get this fixed??


TIA,
Max

  

--
Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295
Your wireless success, nothing less. http://www.tessco.com/






  




Re: ISP best practices

2009-05-21 Thread Curtis Maurand


Check out www.powerdns.com as an alternative to bind.  It's faster, more 
secure, does IPv6 and easier to maintain.


Curtis

Philip Lavine wrote:

To all,

I am sure this has been asked 10 to the 1 millionth power times, however may be 
the rules have changed. I am looking to set up a really small ISP with a few 
/24's. I want to host DNS as well. Is there any whitepapers/howtos/best 
practices on setting up multihomed BGP and DNS with BIND so I don't blow up the 
Internet.

Thx

Philip



  

  




Re: ISP best practices

2009-05-21 Thread Curtis Maurand


You're correct on the blanket statement.  apologies.

--C

Joe Abley wrote:


On 21-May-2009, at 11:06, Curtis Maurand wrote:

Check out www.powerdns.com as an alternative to bind.  It's faster, 
more secure, does IPv6 and easier to maintain.


I have heard lots of good things about PowerDNS, and I'm quite 
prepared to believe that it's a natural choice for a DNS hosting 
service where the database back-end makes for far simpler provisioning 
and control than managing a pile of config files.


However, you're not necessarily doing anybody any favours in making 
statements like "faster", "more secure" and "does IPv6". DNS servers 
are complicated beasts, and simplistic comparisons are not useful for 
much (it'd be trivial to give you examples where PowerDNS is slower 
and less secure, for example, and BIND9 has done IPv6 for the better 
part of a decade).



Joe




Re: two interfaces one subnet

2009-05-12 Thread Curtis Maurand


Try this:

http://www.linuxfoundation.org/en/Net:Bridge

--Curtis

Patrick W. Gilmore wrote:

On May 11, 2009, at 5:40 PM, Ben Scott wrote:
On Mon, May 11, 2009 at 5:28 PM, Hector Herrera 
hectorherr...@gmail.com wrote:

On Mon, May 11, 2009 at 2:22 PM, David Devereaux-Weber
ddevereauxwe...@gmail.com wrote:
... both interfaces are on the same subnet, the OS sees the same 
router (gateway) address on both interfaces, and the results are 
sub-optimal ... around 50% packet loss.


packet loss is probably due to the network switch having to re-learn
the location of the MAC address constantly as it sees packets on two
or more ports with the same MAC address (think STP loops).


 My understanding of the scenario is: Two physical interfaces, each with
a unique IP address, in the same Ethernet broadcast domain, on the
same IP (sub)network.

 If that's the case, the MAC address won't change.  The cards stay
put.  So a layer two switch will be none the wiser.

 The reason this doesn't work (for most implementations) is that most
IP routers look only at the destination IP address, and keep no state.
(Here, I'm using router to include the routing engine built-in to
any full IP implementation, not just dedicated equipment from Cisco,
et. al.)

 So we have a host with IP addresses A and B on the same subnet.  A
packet comes in from some other host X.  The application software does
whatever it does, and sends a response.  The router looks at the
destination IP address X, and sees that it has two routes, A and B.

 Depending on implementation, the router may send everything out the
first interface it finds in the routing table (e.g., use A and ignore
B), or round-robin between the two, or who-knows-what.  Either way, if
the packet *from* X was addressed *to* B but the response comes back
from *A*, then host X is going to drop the packet as
invalid/irrelevant/etc.


You are assuming facts not in evidence.  It doesn't matter which 
physical interface transmits the packet.  For instance, if I ping a 
router's loopback interface, there is nothing stopping the router from 
making the loopback the source IP address of the return packet even 
though the (virtual) loopback interface _obviously_ did not physically 
transmit the packet.


Another example: Imagine a web server with two uplinks in _different_ 
subnets running Quagga.  Now assume the web server gets an HTTP 
request and the route back to the requesting host changes before all 
the packets are returned.  Does the download break?  Sure, if you use 
an implementation too broken for words.  If not, things work just fine.


Could everyone please stop coming up with "if people are stupid and 
break things, things don't work" examples.  We all agree on that.


Back in reality land, things that broken tend not to be used.  (And 
please no jokes about cisco or microsoft or whatever.)







Re: Broadband Subscriber Management

2009-04-23 Thread Curtis Maurand


Good point.

Oliver Eyre wrote:
Integration with the billing system is a big one, but remember that 
not everybody is in control of the DSLAM or whichever device connects 
to the access network and touches the end user directly. They may 
instead rely on a wholesale provider for that if they don't have the 
reach themselves.


From: Larry Smith lesm...@ecsis.net
Sent: Thursday, 23 April 2009 2:07:42 AM
To: nanog@nanog.org
CC:
Subject: Re: Broadband Subscriber Management

On Wed April 22 2009 11:01, Curtis Maurand wrote:
 

I don't understand why DSL providers don't just administratively down
the port the customer is hooked to rather than using PPPoE which costs
bandwidth and has huge management overhead when you have to disconnect a
customer.  I made the same recommendation to the St. Maarten (Dutch)
phone company several years ago.  They weren't listening either.   That
way you can rate limit via ATM or by throttling the port administratively.



Most likely because most RADIUS systems can be tied fairly easily directly
to the billing/payment system which enables and disables (adds/removes)
the customer from radius for payment/non-payment and therefore does
not require any technical support to turn on/off customers.

  







Re: Broadband Subscriber Management

2009-04-22 Thread Curtis Maurand


I don't understand why DSL providers don't just administratively down 
the port the customer is hooked to rather than using PPPoE which costs 
bandwidth and has huge management overhead when you have to disconnect a 
customer.  I made the same recommendation to the St. Maarten (Dutch) 
phone company several years ago.  They weren't listening either.   That 
way you can rate limit via ATM or by throttling the port administratively.


Just a suggestion

Sherwin Ang wrote:

Hello Nanog!

i just would like to see how other operators are handling
broadband/DSL subscribers in their BRAS.  Currently, we are
implementing PPPoE with AAA on our Redback SE's and Cisco boxes.  As
our subscriber base grows and grows, management of user logins,
passwords, password resets, password changes are getting really huge.
Some customers also complain about the method of logging in, asking
for an easier way to do it or dump logins altogether.  We're looking
at DHCP/CLIPS for Redback but haven't really tested it since it
requires a new license for it.  For Cisco, we've been empty so far in
looking for a solution wherein we still have accounting and
rate-limiting on subscriber vc's.

How do network operators in your areas do it?  DHCP?  If I do DHCP,
will I still have the flexibility of sending a radius reply attribute
so I could rate-limit the subscriber's speed? Or still offer speed on
demand via radius/time-based upgrade of their rate-limits during
off-peak hours?

thank you for any insights that you may share.


-Sherwin

  





Re: Broadband Subscriber Management

2009-04-22 Thread Curtis Maurand


As opposed to SNMP and a script that would shut the port down via SNMP 
when the customer is disabled?


Larry Smith wrote:

On Wed April 22 2009 11:01, Curtis Maurand wrote:
  

I don't understand why DSL providers don't just administratively down
the port the customer is hooked to rather than using PPPoE which costs
bandwidth and has huge management overhead when you have to disconnect a
customer.  I made the same recommendation to the St. Maarten (Dutch)
phone company several years ago.  They weren't listening either.   That
way you can rate limit via ATM or by throttling the port administratively.



Most likely because most RADIUS systems can be tied fairly easily directly
to the billing/payment system which enables and disables (adds/removes)
the customer from radius for payment/non-payment and therefore does
not require any technical support to turn on/off customers.