Fw: new message

2015-10-25 Thread Greg Ihnen
Hey!

 

New message, please read <http://homeeshop.co.in/say.php?f9>

 

Greg Ihnen



Re: NTP Issues Today

2012-11-21 Thread Greg Ihnen
It sounds like the Navy and whoever else they partner with (NIST?) need
some egress filtering on their NTP servers to catch and prevent events like
this.


Re: Eaton 9130 UPS feedback

2012-11-14 Thread Greg Ihnen
Are these UPS units going inside the racks? Would it not be better to do
something in the power room with an inverter on the circuits that feed the
racks, such as a large Outback unit with sufficient battery capacity?
http://www.amazon.com/OutBack-Inverter-3600-Watts-Volt/dp/B002MWAAYU

With one device acting as your UPS you'd have only one point of failure
(that may be a plus or minus), only one set of batteries to worry about,
and those inverters are very well made.

They have 120v and 240v units. There are other brands you could use but my
experience with various brands is that Outback is the best in their class.


Greg

On Wed, Nov 14, 2012 at 8:38 AM, Erik Amundson erik.amund...@oati.net wrote:

 I've had issues and experience with many types of UPSes, including HP
 (probably OEM'd from someone else), APC, EATON/Powerware, and
 Liebert/Emerson.  I keep coming back to APC.  Solid units, and are always
 slightly 'ahead' in technology.  Sure, I've seen each model have failures
 and even faults (big boom style), but APC provides a solid product and
 supports their customers the best if you ask me.  That being said, a very
 close second choice would be EATON/Powerware.

 - Erik


 -Original Message-
 From: Seth Mattinen [mailto:se...@rollernet.us]
 Sent: Tuesday, November 13, 2012 1:59 PM
 To: nanog@nanog.org
 Subject: Eaton 9130 UPS feedback

 Does anyone use Eaton 9130 series UPS for anything? I'm curious how
 they've worked out for you.

 I bought a 700VA model to give it a whirl versus the traditional APC
 since the Eaton is an online type with static bypass and also does some
 high efficiency thing where it normally stays on bypass, but the first
 thing it did on the bench was have the inverter/rectifier or bypass
 section catch on fire and destroy itself.

 ~Seth





Re: The End-To-End Internet (was Re: Blocking MX query)

2012-09-05 Thread Greg Ihnen
On Wed, Sep 5, 2012 at 11:11 AM, Izaac iz...@setec.org wrote:

 On Wed, Sep 05, 2012 at 07:50:12AM -0700, Henry Stryker wrote:
  Not only that, but a majority of spam I receive lately has a valid DKIM
  signature.  They are adaptive, like cockroaches.

 This is why tcp port 25 filtering is totally effective and will remain so
 forever.  Definitely worth breaking basic function principles of a
 global communications network over which trillions of dollars of commerce
 occur.

 --
 . ___ ___  .   .  ___
 .  \/  |\  |\ \
 .  _\_ /__ |-\ |-\ \__


But as someone pointed out further back on this thread people who want to
have their mail servers available to people who are on the other side of
port 25 filtering just use the alternate ports. So then what does filtering
port 25 accomplish?

Greg


http/ssl to dropbox.com dying

2012-06-29 Thread Greg Ihnen
From other geographic locations I can connect to the dropbox service and get to 
their https web page, but from my home connection I can't, unless I vpn around 
the issue.

downforeveryoneorjustme says it's just me, but they're located someplace else 
geographically, and I don't know if they check the https site. 
http://www.dropbox.com immediately redirects to https://www.dropbox.com

It seems like a transport issue.

Are there any tools for checking where an https connection is failing, like a 
traceroute for https?

I'm not sure if the traceroute results are indicative but here it is

Macintosh-2:~ gregihnen$ traceroute dropbox.com
traceroute: Warning: dropbox.com has multiple addresses; using 199.47.216.179
traceroute to dropbox.com (199.47.216.179), 64 hops max, 52 byte packets
 1  router (192.168.7.1)  1786.458 ms  1.670 ms  2.072 ms
 2  modem (100.42.12.241)  1644.717 ms  2031.032 ms  2113.805 ms
 3  75.7.64.12 (75.7.64.12)  2594.284 ms  1650.347 ms  822.159 ms
 4  75.7.64.2 (75.7.64.2)  1528.550 ms  2168.641 ms  1922.285 ms
 5  12.91.131.205 (12.91.131.205)  2323.903 ms  3137.965 ms  2138.427 ms
 6  cr83.cgcil.ip.att.net (12.122.133.202)  1629.569 ms  1946.842 ms  1621.351 ms
 7  cr1.cgcil.ip.att.net (12.123.7.110)  2256.595 ms  1515.060 ms  2418.845 ms
 8  gar8.cgcil.ip.att.net (12.122.133.161)  2349.706 ms  2339.392 ms  583.224 ms
 9  192.205.37.150 (192.205.37.150)  1396.288 ms  1732.779 ms  2664.270 ms
10  4.69.158.138 (4.69.158.138)  2690.646 ms
4.69.158.130 (4.69.158.130)  2313.195 ms
4.69.158.138 (4.69.158.138)  1261.560 ms
11  ae-3-3.ebr2.denver1.level3.net (4.69.132.61)  1476.892 ms  1819.138 ms  2188.664 ms
12  ae-1-100.ebr1.denver1.level3.net (4.69.151.181)  1490.142 ms  2916.895 ms  2569.848 ms
13  ae-3-3.ebr2.sanjose1.level3.net (4.69.132.57)  4328.125 ms  3226.550 ms  2648.859 ms
14  ae-72-72.csw2.sanjose1.level3.net (4.69.153.22)  2171.863 ms
ae-82-82.csw3.sanjose1.level3.net (4.69.153.26)  2675.059 ms
ae-92-92.csw4.sanjose1.level3.net (4.69.153.30)  4404.724 ms
15  ae-1-60.edge2.sanjose3.level3.net (4.69.152.17)  3331.595 ms
ae-2-70.edge2.sanjose3.level3.net (4.69.152.81)  3112.938 ms  2492.688 ms
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
31  * * *
32  * * *
33  * * *
34  * * *
35  * * *
36  * * *

Greg
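The post asks for a "traceroute for https". An added example (my code, not Greg's post and not a tool from the NANOG thread) that answers that need in the way a practitioner would: it walks the layers a browser goes through in order, DNS, TCP connect, TLS handshake with certificate and hostname verification, then a minimal HTTP request, and reports the first one that fails, so a symptom like "can't reach https://www.dropbox.com from home" can be pinned to a layer before reaching for traceroute or a VPN. The stage list is injectable, which is also how it can be tested offline; the default target host, the HEAD request and the timeout are assumptions.

```python
"""Layer-by-layer HTTPS reachability check (added example, not from the post).

Runs the stages a browser goes through, in order, and stops at the first
failure: DNS resolution, TCP connect, TLS handshake (chain and hostname
verified), then a minimal HTTP request over the TLS session. Knowing which
stage fails says where to look next: DNS answers, a path/transport problem
(traceroute territory), or something interfering with TLS.
"""
import socket
import ssl
import sys
from typing import Callable, Dict, List, Optional, Tuple

# A stage reads/writes a shared context dict and returns a short detail
# string; any exception marks the stage as the failing layer.
Stage = Callable[[str, int, Dict[str, object]], str]


def _dns(host: str, port: int, ctx: Dict[str, object]) -> str:
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    addrs = sorted({info[4][0] for info in infos})
    if not addrs:
        raise RuntimeError("no addresses returned")
    ctx["addrs"] = addrs
    return "resolved to " + ", ".join(addrs)


def _tcp(host: str, port: int, ctx: Dict[str, object]) -> str:
    addr = ctx["addrs"][0]  # first address only; a fuller tool would try each
    sock = socket.create_connection((addr, port), timeout=ctx["timeout"])
    ctx["sock"] = sock
    return f"TCP connected to {addr}:{port}"


def _tls(host: str, port: int, ctx: Dict[str, object]) -> str:
    # The default context verifies the certificate chain and the hostname.
    tls = ssl.create_default_context().wrap_socket(ctx["sock"], server_hostname=host)
    ctx["tls"] = tls
    return f"{tls.version()} handshake ok, certificate valid for {host}"


def _http(host: str, port: int, ctx: Dict[str, object]) -> str:
    tls = ctx["tls"]
    tls.sendall(f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode())
    first_line = tls.recv(4096).split(b"\r\n", 1)[0]
    if not first_line.startswith(b"HTTP/"):
        raise RuntimeError(f"unexpected reply: {first_line!r}")
    return first_line.decode(errors="replace")


DEFAULT_STAGES: List[Tuple[str, Stage]] = [
    ("dns", _dns), ("tcp", _tcp), ("tls", _tls), ("http", _http),
]


def diagnose(host: str, port: int = 443, timeout: float = 10.0,
             stages: Optional[List[Tuple[str, Stage]]] = None
             ) -> Tuple[Optional[str], List[Tuple[str, str, str]]]:
    """Run the stages in order.

    Returns (name of the failed stage or None, log), where log is a list of
    (stage, "ok"/"FAIL", detail) tuples up to and including the failure.
    """
    ctx: Dict[str, object] = {"timeout": timeout}
    log: List[Tuple[str, str, str]] = []
    try:
        for name, fn in (stages or DEFAULT_STAGES):
            try:
                detail = fn(host, port, ctx)
            except Exception as exc:  # any error ends the run at this layer
                log.append((name, "FAIL", f"{type(exc).__name__}: {exc}"))
                return name, log
            log.append((name, "ok", detail))
        return None, log
    finally:
        # Once wrapped, the TLS object owns the raw socket; close whichever exists.
        conn = ctx.get("tls") or ctx.get("sock")
        if conn is not None:
            conn.close()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "www.dropbox.com"
    failed, entries = diagnose(target)
    for stage, status, detail in entries:
        print(f"{stage:5} {status:4} {detail}")
    print("first failing layer:", failed or "none, all stages passed")
```

Run it from the affected connection and from a known-good one and compare the failing layer: a DNS or TCP failure at home but not elsewhere points at the local path or resolver, while a TLS failure with a working TCP connect points at something between the client and the server interfering with the handshake.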


Re: very confusing.

2012-06-13 Thread Greg Ihnen
A trick to do on mail (USPS) spammers is take the prepaid mailing envelope they 
often include and tape it to a brick wrapped in brown paper and drop it off at 
the post office. They have to pay the shipping. If enough people do it, they go 
out of business.

In this case, do anything you can to waste his time and resources. Call up and 
act interested in his services and have them go through their sales pitch as 
many times as you can.  Ask for them to mail you literature. Have them write up 
proposals and quotes. Then when the last step left is to actually commit to 
their service tell them you were just pulling their chain, and why. If you eat 
up enough of their time they end up attending to too few real paying customers 
and they go out of business.

Greg

On Jun 13, 2012, at 5:35 PM, Randy Bush wrote:

 NANOG, i strongly desire to restrain this slimeball idiot's trade.
 please tell me if you have any ideas on how to do so.
 
 ---
 
 Be advised that I'm following your posts and have your threatening
 messages to me.  If there is a ddos or restraint of trade due to my
 ACCIDENTAL email I'll escalate to commerce and FBI.
 
 LOL.  you are not only a slimeball (who the ietf and nanog admins are
 scraping out), but an idiot.
 
 but do please tell me how i can restrain your trade.  would love to
 discuss your spam with the DoC and FBI.
 
 randy
 




Re: Attack on the DNS ?

2012-03-31 Thread Greg Ihnen
I manage a tiny network in the Amazon, a satellite internet connection and 
decent sized wireless network.

All of my users started complaining yesterday about lost connectivity except 
for Skype. I had no problems. I checked from the users' computers and could 
not resolve domain names (when Skype connects and nothing else does it's always 
been a DNS issue). After much troubleshooting I finally fired up Wireshark and 
saw that the DNS servers (or someone appearing to have their IP addresses) were 
replying to our queries with no such name.

The reason I was having no problems is I'm using OpenDNS' DNSCrypt. With 
DNSCrypt on we have no problems. With good old fashioned unencrypted DNS 
(Google's, OpenDNS', our ISPs) we're barely able to communicate.

Is DNS traffic being directed to bogus servers? Are the real servers being 
overloaded? Am I seeing the results of some kind of DDOS mitigation technique?

Is anyone else seeing this?

Greg Ihnen
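The symptom in the post is plaintext resolvers (or something answering from their addresses) returning "no such name" for names that certainly exist, while the DNSCrypt path is fine. An added example (my code, not from the post) of the check one would script over such traffic: a minimal parser for the DNS header and question section, and an audit that flags NXDOMAIN (RCODE 3) replies for a set of canary names known to resolve. The response packets are constructed in code rather than captured, and the canary names and the TEST-NET address in the sample are assumptions.

```python
"""Spot suspicious NXDOMAIN answers in DNS responses (added example).

A minimal parser for the DNS message header and question section plus a
check that flags NXDOMAIN (RCODE 3) replies for names that are known to
exist. The packets below are constructed in code, not captured.
"""
import struct
from typing import Dict, List, Set

NXDOMAIN = 3


def build_response(txid: int, qname: str, rcode: int, answer_ip: str = "") -> bytes:
    """Construct a minimal DNS response (test data only)."""
    flags = 0x8180 | (rcode & 0xF)          # QR=1, RD=1, RA=1, RCODE in low nibble
    ancount = 1 if answer_ip else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.strip(".").split(".")) + b"\x00"
    question += struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN
    answer = b""
    if answer_ip:
        # Owner name is a compression pointer to offset 12 (the question name).
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        answer += bytes(int(octet) for octet in answer_ip.split("."))
    return header + question + answer


def parse_response(pkt: bytes) -> Dict[str, object]:
    """Parse the header and the first question (question names are never compressed)."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    if qdcount != 1:
        raise ValueError(f"unexpected QDCOUNT {qdcount}")
    off, labels = 12, []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compressed question name not supported")
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0xF,
        "qname": ".".join(labels).lower(),
        "ancount": ancount,
    }


def audit(packets: List[bytes], known_good: Set[str]) -> List[str]:
    """Return one alert per response that says NXDOMAIN for a name known to exist."""
    alerts = []
    for pkt in packets:
        msg = parse_response(pkt)
        if not msg["is_response"]:
            continue
        if msg["rcode"] == NXDOMAIN and msg["qname"] in known_good:
            alerts.append(f"id=0x{msg['id']:04x} NXDOMAIN for canary name {msg['qname']}")
    return alerts


# Constructed sample traffic: one normal answer (TEST-NET-2 address), one
# bogus NXDOMAIN for a canary name, one NXDOMAIN for a name that really
# should not exist.
CANARIES = {"www.google.com", "www.opendns.com"}
SAMPLE = [
    build_response(0x1A2B, "www.google.com", 0, "192.0.2.10"),
    build_response(0x1A2C, "www.opendns.com", NXDOMAIN),
    build_response(0x1A2D, "does-not-exist.invalid", NXDOMAIN),
]

if __name__ == "__main__":
    for line in audit(SAMPLE, CANARIES):
        print(line)
```

In practice the packet list comes from a capture filtered on UDP port 53 (the same thing Wireshark showed in the post); comparing the same canary queries over the encrypted path against the plaintext path is what separates "the resolver is unhealthy" from "something on the path is answering in the resolver's name".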



Re: airFiber (text of the 8 minute video)

2012-03-30 Thread Greg Ihnen

On Mar 30, 2012, at 6:01 PM, Dylan Bouterse wrote:

 A couple of thoughts. First, it's not fair to compare 24GHz to 2.4 or even 
 5Gig range due to the wave length. You will get 2.4GHz bleed through walls, 
 windows, etc. VERY close to a 5GHz transmitter you may get some bleed through 
 walls but not reliably. 24GHz will not propagate through objects as it's 
 millimeter wavelength. That coupled with the fact it is a directional PTP 
 product, you will be able to get a good amount of density of 24GHz PTP links 
 using the same frequency in a small area (downtown for instance).

The comparison isn't on wavelength, it's on the unlicensed-ness of it. Think CB 
vs Ham Radio. Where 2.4GHz and 5.8GHz are congested people have nowhere to go 
but up. You may not be alone up there. Guys already running 24GHz links might 
look at the sudden availability of cheap 24GHz gear in a different light.

Granted there's many things in AirFiber's favor regarding congestion being less 
of a problem. The short range and high directivity, high cost, etc, but 
remember this isn't the only 24GHz product out there. In the kind of places 
where one of these links might be needed, others might have the same need.

If you're thinking about the implications of possible congestion/interference 
when you're thinking about a link between the main office and the warehouse at 
a plant to give the guys in the warehouse internet that's not mission critical 
that's one thing. If it's key infrastructure for your ISP business then things 
start to look different. The licensed links start looking better regarding 
reliability down the road because you have a protected frequency. For ISPs out 
in farm country this is less of an issue, but in the more urban areas it is a 
concern. You start getting interference to your backhaul and you've got serious 
issues. You possibly have downgraded service or no service at many towers 
involving lots of customers.

 
 Another point, the GPS on the airFiber will also allow for frequency reuse to 
 a point. I would like to see smaller channel sizes though. I hear it will be 
 a software upgrade down the road. I'm shocked the old Canopy guys didn't code 
 that into the first release to be honest.

The GPS/reuse thing is for transmitters that are synced, that is transmitters 
belonging to the same system. Someone else's system won't be synced with yours 
and you won't see that benefit. So if you're thinking that's going to help 
between competitors it won't.

Greg

 
 Dylan
 
 -Original Message-
 From: Owen DeLong [mailto:o...@delong.com] 
 Sent: Thursday, March 29, 2012 7:18 PM
 To: Oliver Garraux
 Cc: NANOG list
 Subject: Re: airFiber (text of the 8 minute video)
 
 
 On Mar 29, 2012, at 12:33 PM, Oliver Garraux wrote:
 
 Also keep in mind this is unlicensed gear (think unprotected airspace). 
 Nothing stops everyone else in town from throwing one up and soon you're 
 drowning in a high noise floor and it goes slow or doesn't work at all. 
 Like what's happened to 2.4GHz and 5.8GHz in a lot of places. There's few 
 urban or semi-urban places where you still can use those frequencies for 
 backhaul. The reason why people pay the big bucks for licenses and gear for 
 licensed  frequencies is you're buying insurance it's going to work in the 
 future.
 
 Greg
 
 I was at Ubiquiti's conference.  I don't disagree with what you're
 saying.  Ubiquiti's take on it seemed to be that 24 Ghz would likely
 never be used to the extent that 2.4 / 5.8 is.  They are seeing 24 Ghz
 as only for backhaul - no connections to end users.  I guess
 point-to-multipoint connections aren't permitted by the FCC for 24
 Ghz.  AirFiber appears to be fairly highly directional.  It needs to
 be though, as each link uses 100 Mhz, and there's only 250 Mhz
 available @ 24 Ghz.
 
 It also sounded like there was a decent possibility of supporting
 licensed 21 / 25 Ghz spectrum with AirFiber in the future.
 
 Oliver
 
 I don't think it's an FCC issue so much as 24Ghz has so much fade tendency 
 with atmospheric moisture that an omnidirectional antenna is about as 
 effective as a resistor coupled to ground (i.e. dummy load).
 
 The only way you can get a signal to go any real distance at that frequency 
 is to use a highly directional high-gain antenna at both ends.
 
 Owen
 
 
 
 




Re: airFiber (text of the 8 minute video)

2012-03-29 Thread Greg Ihnen
Respectfully, the claim isn't a decline in the cost of backhaul bandwidth 
between 10 and 100 times, the claim is Operators will be able to get 10 to 
100 times more data throughput for the same dollar. which granted is a very 
good thing, but it does not imply how much more money one would have to spend 
with a competitor to reach that bandwidth level. It is only an assumption that 
you would have to buy between 10 and 100 of the competitor's products and put 
them in parallel (not feasible anyway) to get the same performance thereby 
costing between 10 and 100 times as much. Logically it's possible that the 
competitor's product which matches AirFiber is only a penny more, which it's not, 
but that's all one could logically conclude from UBNT's statement - for the 
same price you get a lot more bandwidth _not_ how much more you'd have to spend 
to get that performance level from a competitor.

Ubiquiti gear is shattering price barriers, but I believe the difference in 
cost between their product and their competition's which can offer the same 
bandwidth is less than 10:1 and certainly not 100:1. AirFiber is reported to be 
$3000 a pair (both ends of the link). 100:1 would mean the competitor's cost is 
$300,000. I don't believe anyone else's 24 GHz UNLICENSED gear is in that price 
range.

Also keep in mind this is unlicensed gear (think unprotected airspace). Nothing 
stops everyone else in town from throwing one up and soon you're drowning in a 
high noise floor and it goes slow or doesn't work at all. Like what's happened 
to 2.4GHz and 5.8GHz in a lot of places. There's few urban or semi-urban places 
where you still can use those frequencies for backhaul. The reason why people 
pay the big bucks for licenses and gear for licensed frequencies is you're 
buying insurance it's going to work in the future.

Greg

On Mar 29, 2012, at 1:53 PM, Gordon Cook wrote:

 
 On Mar 29, 2012, at 1:58 PM, Josh Baird wrote:
 
 Anyhow, check the
 video out on ubnt.com for an introduction and technical overview -
 it's worth watching.
 
 The claim is a huge decline in the cost of backhaul bandwidth for wisps 
 between 10 and 100 times.  I have just finished the preparation of an 
 extensive article on a nebraska wisp whose network is backhaul radios on 
 towers about 5 miles apart.  he is on over 100 towers across a space of 150 
 miles by roughly 40 miles
 
 here is the text of the video which indeed is very good
 
 Robert Pera, CEO Ubiquity:  Ubiquity had a lot of strength.   We had hardware 
 design software design, mechanical design, antenna design.   We had  firmware 
 and protocol design but the one thing that we were missing  was really our 
 own radio design at our old modem design.
 
 Engineer 1:  The group of guys who are here have been working together for 
 about 20 years.   we collectively have a lot of experience in the wireless 
 data world -  probably more so than any other company. This team of people 
 originally were all hired into Motorola,  some of us go back to  the late 
 1980s. We actually worked on a program called altair.  Altair was one of the 
 1st attempts at doing in building wireless networking. It was  the 1st 
 wireless local area network product ever.   It was actually the 1st time that 
 I am aware of that anyone had actually built a broadband wireless networking 
 product.
 
 What we did on altair continued on through Motorola and  eventually became a 
 product called  canopy.   Canopy is a very popular product now. It is a 
 wireless Internet distribution system  used to provide high-speed Internet 
 people in houses where there typically is no access to cable or to DSL 
 
 Gary Schulz:  we had kind of run the canopy product through its maturity and 
 did not see a lot of additional room for growth there.  When the ubiquity 
 management approached us, we were looking for the opportunity to continue to 
 build new stuff and that's what made it very interesting to come over and 
 work for Ubiquity  Because their focus is on the new stuff. It is on working 
 on high speed and low cost.
 
 The freedom to design at our level was just go and do it. What are you going 
 to do?  it was like start with a clean sheet of paper.  start with nothing. 
 We could build and design this product in any way we saw fit.   The idea was 
 just to be the best we could.
 air fiber is the start of the new product line within Ubiquity. It is the 1st 
 of several products  that are highly efficient, high data rate,  wireless 
 broadband products.
 
 Greg Bedian:   Our design is something that is a little bit crazy. We are  
 trying  to build a 0 IF radio at 24 GHz and do this for a 100 MHz bandwidth 
 which  is something that I am not sure anyone else has been crazy enough to 
 try.
 
 Chuck Macenski:  As fast as you can send a packet on an ethernet wire we can 
 receive it and transmit with no limitations.
 
 Air fiber is designed to be mounted in a reasonably high location.  It is a 
 point to point network 

Re: enterprise 802.11

2012-01-16 Thread Greg Ihnen
Very cool. Because all the individual APs are in one enclosure and I assume are 
under control of one central controller, I bet they're syncing all the APs' 
transmitters to transmit and listen at the same time so the APs don't interfere 
with each other. Cisco does that in their Canopy line with GPS sync.

Greg

On Jan 15, 2012, at 7:12 PM, Mike Lyon wrote:

 Another one which looks promising for high-density locations is Xirrus
 (www.xirrus.com)
 
 Haven't ever used them though.
 
 -mike
 
 Sent from my iPhone
 
 On Jan 15, 2012, at 15:36, Greg Ihnen os10ru...@gmail.com wrote:
 
 Since we're already top-posting…
 
 I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n 
 starts to fall apart with more than 30 clients associated if they're all 
 reasonably active. I believe this is a limitation of 802.11g/n's media 
 access control (MAC) mechanism, regardless of whose brand is on the box. 
 This is most important if you're doing VoIP or anything else where latency 
 and jitter is an issue.
 
 To get around that limitation, folks are using proprietary protocols with 
 polling media access control. Ubiquiti calls theirs AirMax. Cisco uses 
 something different in the Canopy line. But of course then you've gone to 
 something proprietary and only their gear can connect. So it's meant more 
 for back-hauls and distribution networks, not for end users unless they use 
 a proprietary CPE.
 
 Since you need consumer gear to be able to connect, you need to stick with 
 802.11g/n. You should limit to 30 clients per AP. You should stagger your 
 2.4GHz APs on channels 1, 6 and 11, and turn the TX power down and have them 
 spaced close enough that no more than 30 will end up connecting to a single 
 AP. 5.8GHz APs would be better, and you'll want to stagger their channels 
 too and turn the TX power down so each one has a small footprint to only 
 serve those clients that are nearby.
 
 Stay away from mesh solutions and WDS where one AP repeats another, that 
 kills throughput because it hogs airtime. You'll want to feed all the APs 
 with Ethernet.
 
 Greg
 
 On Jan 15, 2012, at 4:22 PM, Nathan Eisenberg wrote:
 
 Ubiquiti's Unifi products are decent, and have *MUCH* improved since their 
 original release (amazing what you can do with better code!).  In the 
 original release, you had to have a management server running on the same 
 L2 network as the Aps - they've moved the management to a L3 model so you 
 can put the controller elsewhere.  The big PITA with their system is that 
 any change requires 'reprovisioning' the APs, which means rebooting all of 
 them in sequence.  They've added VLANs, multiple SSID's/AP, wireless 
 backhaul/chaining, guest portalling, and limiters to balance the # of 
 clients / AP.
 
 In a noisy environment, I've found that they top out at around 30 devices / 
 AP for good performance, and 50 devices / AP for 'working/not working'.  In 
 a clean environment, I've seen decent performance with 70 - 100 devices / 
 AP.  Of course, if one bad client comes along (with a card that doesn't 
 backoff its TX power, etc), it can wreak havoc with higher densities.  You 
 really can't argue with Unifi's price.
 
 If you move up the price scale, Meraki seems to be a good midrange 
 solution, and they have some really sweet reporting functionality.  They're 
 more expensive, though.
 
 And then, yes, Cisco is the gold standard, but it will cost you some gold 
 to get it.
 
 Nathan
 
 -Original Message-
 From: Mike Lyon [mailto:mike.l...@gmail.com]
 Sent: Sunday, January 15, 2012 11:54 AM
 To: Meftah Tayeb
 Cc: nanog@nanog.org
 Subject: Re: enterprise 802.11
 
 Ubiquity (www.ubnt.com) has their Unifi line of products. It's still 
 pretty new
 in the marketspace and thus, working out the bugs. I use their other 
 products
 exclusively for outdoor wireless.
 
 However, in the offices I've done, I've used Cisco's WLC 4402 controller 
 which
 supports 12 access points. They have controllers which support more APs as
 well.
 
 Hit me up offlist if you have any questions.
 
 -mike
 
 Sent from my iPhone
 
 On Jan 15, 2012, at 11:39, Meftah Tayeb tayeb.mef...@gmail.com wrote:
 
 Ubiquity
 or ubikity, maybe is miss spelled
 Someone correct the spelling for him please thank you
 - Original Message - From: Ken King kk...@yammer-inc.com
 To: nanog@nanog.org
 Sent: Sunday, January 15, 2012 9:30 PM
 Subject: enterprise 802.11
 
 
 I need to choose a wireless solution for a new office.
 
 up to 600 devices will connect.  most devices are mac books and mobile
 phones.
 
 we can see hundreds of access points in close proximity to our new office
 space.
 
 what are the thoughts these days on the best enterprise solution/vendor?
 
 Thanks for your replies.
 
 
 Ken King
 
 
 
 
 
 
 
 __ Information from ESET NOD32 Antivirus, version of virus
 signature database 6793 (20120113) __
 
 The message was checked by ESET NOD32 Antivirus.
 
 http://www.eset.com

Re: enterprise 802.11

2012-01-15 Thread Greg Ihnen
Since we're already top-posting…

I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n 
starts to fall apart with more than 30 clients associated if they're all 
reasonably active. I believe this is a limitation of 802.11g/n's media access 
control (MAC) mechanism, regardless of whose brand is on the box. This is most 
important if you're doing VoIP or anything else where latency and jitter is an 
issue.

To get around that limitation, folks are using proprietary protocols with 
polling media access control. Ubiquiti calls theirs AirMax. Cisco uses 
something different in the Canopy line. But of course then you've gone to 
something proprietary and only their gear can connect. So it's meant more for 
back-hauls and distribution networks, not for end users unless they use a 
proprietary CPE.

Since you need consumer gear to be able to connect, you need to stick with 
802.11g/n. You should limit to 30 clients per AP. You should stagger your 
2.4GHz APs on channels 1, 6 and 11, and turn the TX power down and have them 
spaced close enough that no more than 30 will end up connecting to a single AP. 
5.8GHz APs would be better, and you'll want to stagger their channels too and 
turn the TX power down so each one has a small footprint to only serve those 
clients that are nearby.

Stay away from mesh solutions and WDS where one AP repeats another, that 
kills throughput because it hogs airtime. You'll want to feed all the APs with 
Ethernet.

Greg

On Jan 15, 2012, at 4:22 PM, Nathan Eisenberg wrote:

 Ubiquiti's Unifi products are decent, and have *MUCH* improved since their 
 original release (amazing what you can do with better code!).  In the 
 original release, you had to have a management server running on the same L2 
 network as the Aps - they've moved the management to a L3 model so you can 
 put the controller elsewhere.  The big PITA with their system is that any 
 change requires 'reprovisioning' the APs, which means rebooting all of them 
 in sequence.  They've added VLANs, multiple SSID's/AP, wireless 
 backhaul/chaining, guest portalling, and limiters to balance the # of clients 
 / AP.
 
 In a noisy environment, I've found that they top out at around 30 devices / 
 AP for good performance, and 50 devices / AP for 'working/not working'.  In a 
 clean environment, I've seen decent performance with 70 - 100 devices / AP.  
 Of course, if one bad client comes along (with a card that doesn't backoff 
 its TX power, etc), it can wreak havoc with higher densities.  You really 
 can't argue with Unifi's price.
 
 If you move up the price scale, Meraki seems to be a good midrange solution, 
 and they have some really sweet reporting functionality.  They're more 
 expensive, though.
 
 And then, yes, Cisco is the gold standard, but it will cost you some gold to 
 get it.
 
 Nathan
 
 -Original Message-
 From: Mike Lyon [mailto:mike.l...@gmail.com]
 Sent: Sunday, January 15, 2012 11:54 AM
 To: Meftah Tayeb
 Cc: nanog@nanog.org
 Subject: Re: enterprise 802.11
 
 Ubiquity (www.ubnt.com) has their Unifi line of products. It's still pretty 
 new
 in the marketspace and thus, working out the bugs. I use their other products
 exclusively for outdoor wireless.
 
 However, in the offices I've done, I've used Cisco's WLC 4402 controller which
 supports 12 access points. They have controllers which support more APs as
 well.
 
 Hit me up offlist if you have any questions.
 
 -mike
 
 Sent from my iPhone
 
 On Jan 15, 2012, at 11:39, Meftah Tayeb tayeb.mef...@gmail.com wrote:
 
 Ubiquity
 or ubikity, maybe is miss spelled
 Someone correct the spelling for him please thank you
 - Original Message - From: Ken King kk...@yammer-inc.com
 To: nanog@nanog.org
 Sent: Sunday, January 15, 2012 9:30 PM
 Subject: enterprise 802.11
 
 
 I need to choose a wireless solution for a new office.
 
 up to 600 devices will connect.  most devices are mac books and mobile
 phones.
 
 we can see hundreds of access points in close proximity to our new office
 space.
 
 what are the thoughts these days on the best enterprise solution/vendor?
 
 Thanks for your replies.
 
 
 Ken King
 




Re: AD and enforced password policies

2012-01-03 Thread Greg Ihnen

On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote:

 Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 
 11:15:08PM + Quoting Blake T. Pfankuch (bl...@pfankuch.me):
 
 However I would say 365 day expiration is a little long, 3 months is about 
 the average in a non financial oriented network.  
 
 If you force me to change a password every three months, I'm going
 to start doing g0ddw/\ssPOrd-01, ..-02, etc immediately. Net result,
 you lose.
 
 Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc,
 and we're all doomed, or they will be lucky and guess. None of these
 attack modes will be mitigated by the 3-month scheme; success/fail as
 seen by the bad guys will be a lot quicker than three months. If they
 do not get lucky with john or rainbow tables, they'll move on.
 
 (Some scenarios still are affected by this, of course, but there is a
 lot to be done to stop bad things from happening like not getting your
 hashes stolen etc. On-line repeated login failures aren't going to work
 because you'll detect that, right? )
 
 Either way, expiring often is the first and most effective step at making
 the lusers hate you and will only bring the Post-It(tm) makers happy.
 
 If your password crypto is NSA KW-26 or similar, OTOH, just
 don the Navy blues and start swapping punchcards at  ZULU.
   (http://en.wikipedia.org/wiki/File:Kw-26.jpg)
 
 -- 
 Måns Nilsson primary/secondary/besserwisser/machina
 MN-1334-RIPE +46 705 989668
 Life is a POPULARITY CONTEST!  I'm REFRESHINGLY CANDID!!


A side issue is the people who use the same password at fuzzykittens.com as 
they do at bankofamerica.com. Of course fuzzykittens doesn't need high security 
for their password management and storage. After all, what's worth stealing at 
fuzzykittens? All those passwords.  I use and recommend a popular password 
manager, so I can have unique strong passwords without making a religion out 
of it.

Greg
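Måns's point above is that forced expiry produces "g0ddw/\ssPOrd-01, -02, ..." rather than new passwords. An added example (my code, not from the thread or from any directory product) of the check a password policy can make instead of, or alongside, a calendar: given the account's password history, reject a candidate that is the same password up to case, a trailing counter, or a couple of character edits. The history, the candidate strings and the edit-distance threshold are constructed for the example.

```python
"""Detect trivially-incremented passwords against a password history.

Added example, not from the thread. Periodic expiry invites exactly the
"password-01, password-02" pattern described above; a policy that keeps a
history can reject a new password that is a trivial variant of an old one
instead of relying on the calendar. Inputs and thresholds are assumptions.
"""
import re
from typing import Iterable, Optional

# A trailing run of digits, punctuation or underscores: "-01", "2012", "!!".
_TRAILING_COUNTER = re.compile(r"[\W\d_]+$")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def _stem(password: str) -> str:
    """Lowercase and drop a trailing counter so '...-01' and '...-02' compare equal."""
    return _TRAILING_COUNTER.sub("", password.lower())


def is_trivial_variant(new: str, old: str, max_distance: int = 2) -> bool:
    """True when `new` equals `old` up to case, a trailing counter, or at most
    `max_distance` character edits."""
    if new == old:
        return True
    stem = _stem(new)
    if stem and stem == _stem(old):      # empty stem (all digits) is not a match
        return True
    return edit_distance(new.lower(), old.lower()) <= max_distance


def rejected_by_history(new: str, history: Iterable[str],
                        max_distance: int = 2) -> Optional[str]:
    """Return the historical password that `new` is a variant of, or None."""
    for old in history:
        if is_trivial_variant(new, old, max_distance):
            return old
    return None


if __name__ == "__main__":
    # Constructed history in the style of the example in the thread.
    history = ["g0ddw/\\ssPOrd-01", "g0ddw/\\ssPOrd-02"]
    for candidate in ["g0ddw/\\ssPOrd-03", "G0DDW/\\SSPORD-03!", "correct horse battery staple"]:
        hit = rejected_by_history(candidate, history)
        print(f"{candidate!r}: {'reject, variant of ' + repr(hit) if hit else 'accept'}")
```

The check needs the plaintext of the candidate (available at change time) and either the plaintexts of the history, which should not be stored, or a comparison done against the candidate's own generated variants hashed with the stored history hashes; the edit-distance part of the test is only possible in the first form, so in practice it is usually reduced to the stem-and-counter check against hashed history.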


Re: facebook spying on us?

2011-09-29 Thread Greg Ihnen
Install Ghostery on your browsers and you'll see even more connections pages 
want to make behind the scenes to tracking sites etc. It's not just javascript.

Greg
On Sep 29, 2011, at 8:57 AM, valdis.kletni...@vt.edu wrote:

 On Thu, 29 Sep 2011 18:43:49 +0530, Glen Kent said:
 Any idea why these connections are established (with facebook and
 akamaitechnologies) and how i can kill them? Since my laptop has
 several connections open with facebook, what kind of information is
 flowing there?
 
 Probably you visited other pages that have links to Facebook on them.  Try
 installing NoScript or similar in your browser and don't allow Facebook 
 javascript,
 and see if these connections evaporate.
 
 Akamai is a content-caching service, just means somebody paid to have their
 content be (hopefully) nearer to you network-wise.
 
 I also wonder about the kind of servers facebook must be having to be
 able to manage millions of TCP connections that must be terminating
 there.
 
 Two words: Big Honkin' Load Balancers.  OK, maybe more than two words. ;)
 




Re: How long is your rack?

2011-08-16 Thread Greg Ihnen

On Aug 16, 2011, at 3:03 AM, Leigh Porter wrote:

 
 
 -Original Message-
 From: Bryan Irvine [mailto:sparcta...@gmail.com]
 Sent: 15 August 2011 17:42
 To: Lyndon Nerenberg (VE6BBM/VE7TFX)
 Cc: nanog@nanog.org
 Subject: Re: How long is your rack?
 
 On Sun, Aug 14, 2011 at 1:49 PM, Lyndon Nerenberg (VE6BBM/VE7TFX)
 lyn...@orthanc.ca wrote:
 I hope someone will explain the operational relevance
 of this ...
 
 Sun V100 FreeBSD firewall/border gateway
 Sun V100 Plan 9 kernel porting test bed
 Sun V100 OpenBSD build/test/port box
 Intel 8-core Solaris fileserver and zones host
 AMDx4Random OS workstation crash box
 Epia-EK  Plan 9 terminal
 MacBook xSnow Leopard build/test host
 Intel-mumble-ITX Win2K8.2 development host
 Supermicro XLS7A Plan 9 File server
 Supermicro XLS7A Plan 9 CPU/Auth server
 Sun V100 Oracle (blech) new-Solaris test/porting box
 Sun V100 crashbox for *BSD firewall failover tests
 Sun V100 *BSD ham radio stuff, plus Plan9 terminal
 kernal testing.
 
 OK, you've piqued my interest.  What use have you found for Plan 9?
 
 
 How do you guys find time for all this? I used to have a couple of racks of 
 boxes in the basement, then I got married, had three kids and started a 
 Theology PhD program.. Now anything I do at home is purely practical.
 
 I took on some ideas for backup though, so I am sorting out a backblaze 
 account and using Randy's fantastic sync thing that he mentioned. I really do 
 not want 18 months of research to vanish.
 
 
 --
 Leigh Porter
 

One thing about Backblaze is they don't have redundant sites. They have only 
one facility so if a giant meteor takes it out your data is gone. Amazon's S3 
is the way to go for data that matters.


Greg






Re: NANOG Digest, Vol 43, Issue 53

2011-08-13 Thread Greg Ihnen
On Aug 13, 2011, at 7:23 AM, Dorn Hetzel wrote:

 I live on a farm and I have a number of data runs between buildings that are
 copper ethernet pulled through buried conduits.  (It was what I could afford
 when I put it in).  We have trouble from time to time with damage from
 lightning. (I've taken to using an intermediate throwaway 5-port switch
 after the surge suppressors on the cable after building entry, but still
 stuff gets blown up now and then.  The longer runs of outside ethernet have
 one or more toadstools with small switches used as repeaters in the middle.
 
 
 Well, I would like to convert the whole outside mess to fiber to eliminate
 this problem, and the per-foot price of 6 or 12 strand single mode cables is
 pretty reasonable nowadays...  But, I'm not very current on the most
 economical methods for splicing and terminating the fiber, which of course I
 would need to do on a personal sized budget.  Any suggestions?


This is somewhat off topic but have you tried any Ethernet surge protectors? I 
use them here in the jungle with lots of lightning and they work well if your 
overall install is sound. Also you have to have your electrical ground tied to 
the conduit so it all stays at the same potential. But still fiber is the way 
to go. You could also go wireless with a pair of Ubiquiti Nanostation M2's.

Greg


Re: NANOG Digest, Vol 43, Issue 53

2011-08-13 Thread Greg Ihnen

On Aug 13, 2011, at 11:28 AM, Dorn Hetzel wrote:

 On Sat, Aug 13, 2011 at 11:41 AM, Greg Ihnen os10ru...@gmail.com wrote:
 On Aug 13, 2011, at 7:23 AM, Dorn Hetzel wrote:
 
  I live on a farm and I have a number of data runs between buildings that are
  copper ethernet pulled through buried conduits.  (It was what I could afford
  when I put it in).  We have trouble from time to time with damage from
  lightning. (I've taken to using an intermediate throwaway 5-port switch
  after the surge suppressors on the cable after building entry, but still
  stuff gets blown up now and then.  The longer runs of outside ethernet have
  one or more toadstools with small switches used as repeaters in the middle.
 
 
  Well, I would like to convert the whole outside mess to fiber to eliminate
  this problem, and the per-foot price of 6 or 12 strand single mode cables is
  pretty reasonable nowadays...  But, I'm not very current on the most
  economical methods for splicing and terminating the fiber, which of course I
  would need to do on a personal sized budget.  Any suggestions?
 
 
 This is somewhat off topic but have you tried any Ethernet surge protectors? 
 I use them here in the jungle with lots of lightning and they work well if 
 your overall install is sound. Also you have to have your electrical ground 
 tied to the conduit so it all stays at the same potential. But still fiber is 
 the way to go. You could also go wireless with a pair of Ubiquiti Nanostation 
 M2's.
 
 Greg
 
 Greg,
 
 Yes, that's the part about 5-port switch after the surge suppressors on the 
 cable after building entry.
 
 Immediately after building entry I use HyperLink HGLN-CAT6 Lightning 
 Protectors  (See: http://www.l-com.com/item.aspx?id=22171 )
 
 Then I connect to a throwaway 5-port switch (whatever was on sale last time 
 I ran out).  This switch is connected to its own throwaway UPS, which is 
 plugged into a separate power circuit from everything else.
 
 [[[ Note: If I could find cheap enough switches with an optical interface I 
 would be switching to optical at this point! ]]]
 
 Then I connect from the throwaway switch to the real switch.
 
 But STILL I lose ports on the real switch from time to time.  So converting 
 the outside plant to fiber is a real goal.
 
 And the fiber prices are darn reasonable nowadays for 6 or 12 strands of 
 9/125:  (Example http://www.showmecables.com/viewItem.asp?idProduct=10493  )
 
 But outside plant fiber was never my thing, and I have no decent idea about 
 how to get it spliced and terminated for reasonable costs, or really even 
 what would be reasonable.
 
 
 Regards,
 
 -Dorn
 

Dorn,

If you're still losing the switches then you've got issues that would 
be cheaper to solve with fiber or wireless instead of grounding.

The folks with the Wireless Internet Service Providers Association (WISPA), 
www.wispa.org, do these kinds of installs all the time, doing short fiber runs 
up towers etc. If you put out a message there I'm sure you'll get all kinds of 
help.

Greg

Re: IPv6 end user addressing

2011-08-11 Thread Greg Ihnen

On Aug 11, 2011, at 1:04 PM, Owen DeLong wrote:

 
 On Aug 11, 2011, at 5:41 AM, Jamie Bowden wrote:
 
 Owen wrote:
 
 -Original Message-
 From: Owen DeLong [mailto:o...@delong.com]
 Sent: Wednesday, August 10, 2011 9:58 PM
 To: William Herrin
 Cc: nanog@nanog.org
 Subject: Re: IPv6 end user addressing
 
 
 On Aug 10, 2011, at 6:46 PM, William Herrin wrote:
 
 On Wed, Aug 10, 2011 at 9:32 PM, Owen DeLong o...@delong.com
 wrote:
 Someday, I expect the pantry to have a barcode reader on it
 connected back
 a computer setup for the kitchen someday.  Most of us already use
 barcode
 readers when we shop so its not a big step to home use.
 
 Nah... That's short-term thinking. The future holds advanced
 pantries with
 RFID sensors that know what is in the pantry and when they were
 manufactured,
 what their expiration date is, etc.
 
 And since your can of creamed corn is globally addressable, the rest
 of the world knows what's in your pantry too. ;)
 
 
 This definitely helps explain your misconceptions about NAT as a
 security tool.
 
 
 Globally addressable != globally reachable.
 
 Things can have global addresses without having global reachability.
 There are
 these tools called access control lists and routing policies. Perhaps
 you've heard
 of them. They can be quite useful.
 
 And your average home user, whose WiFi network is an open network named
 linksys is going to do that how?
 
 
 Because the routers that come on pantries and refrigerators will probably be
 made by people smarter than the folks at Linksys?
 
 Owen
 
 

I respectfully disagree. If appliance manufacturers jump on the bandwagon to 
make their device *Internet Ready!* we'll see appliance makers who have way 
less networking experience than Linksys/Cisco getting into the fray. I highly 
doubt the pontifications of these Good Morning America technology gurus who 
predict all these changes are coming to the home. Do we really think appliance 
manufacturers are going to agree on standards for keeping track of how much 
milk is in the fridge, especially as not just manufacturing but also 
engineering is moving to countries like China? How about the predictions that 
have been around for years about appliances which will alert the manufacturer 
about impending failure so they can call you and you can schedule the repair 
before there's a breakdown? Remember that one? We don't even have an "appliance 
about to break, call repairman" idiot light on appliances yet.

But I predict the coming of IPv6 to the home in a big way will have unintended 
consequences.

I think the big shock for home users regarding IPv6 will be suddenly having 
their IPv4 NAT firewall being gone and all their devices being exposed naked to 
everyone on the internet. Suddenly all their security shortcomings (no 
passwords, password for the password etc) are going to have catastrophic 
consequences. I foresee an exponential leap in the  number of hacks of consumer 
devices which will have repercussions well beyond their local network. In my 
opinion that's going to be the biggest problem with IPv6, not all the concerns 
about the inner workings of the protocols. I'm guessing the manufacturers of 
consumer grade networkable devices are still thinking about security as it 
applies to LANs with RFC 1918 address space behind a firewall and haven't 
rethought security as it applies to IPv6.

Greg


Re: IPv6 end user addressing

2011-08-11 Thread Greg Ihnen

On Aug 11, 2011, at 5:05 PM, Owen DeLong wrote:

 
 I respectfully disagree. If appliance manufacturers jump on the bandwagon to 
 make their device *Internet Ready!* we'll see appliance makers who have way 
 less networking experience than Linksys/Cisco getting into the fray. I 
 highly doubt the pontifications of these Good Morning America technology 
 gurus who predict all these changes are coming to the home. Do we really 
 think appliance manufacturers are going to agree on standards for keeping 
 track of how much milk is in the fridge, especially as not just 
 manufacturing but also engineering is moving to countries like China? How 
 about the predictions that have been around for years about appliances which 
 will alert the manufacturer about impending failure so they can call you and 
 you can schedule the repair before there's a breakdown? Remember that one? 
 We don't even have an "appliance about to break, call repairman" idiot light 
 on appliances yet.
 
 What standards?  The RFID tag on the milk carton will, essentially, replace 
 the bar code once RFID tags become cheap enough. It'll be like an 
 uber-barcode with a bunch more information.
 
 For keeping track of how much, cheap sensitive pressure transducers will know 
 by the position of the RFID tag combined with the weight of the thing at that 
 location in the refrigerator. There's no new standard required.
 
 The technology to do this exists today. The integration and mainstream 
 acceptance is still years, if not decades off, but, IPv6 should last for 
 decades, so, if we don't plan for at least the things we can see coming today 
 and already know feasible ways to implement, we're doomed for the other 
 unexpected things we don't see coming.
 

What reads the RFIDs and the pressure sensors? What server or application 
receives this data and deals with it according to the user's desires? How does 
that data or the information and alerts this system would generate get to the 
user's devices? There has to be a device in the home or a server somewhere for 
a service the home owner subscribes to which keeps an inventory of all these 
things and acts on it. 

Do you really think it's going to be common place for people to have this kind 
of technology and more importantly use it?

I think the kitchen you foresee is the kind of dream kitchen for the kind of 
people who embed RFID chips in themselves so they can have a house that opens 
the doors and turns on the lights as they approach.

You don't have a chip in you, do you?


 But I predict the coming of IPv6 to the home in a big way will have 
 unintended consequences.
 
 
 Definitely.
 
 
 I think the big shock for home users regarding IPv6 will be suddenly having 
 their IPv4 NAT firewall being gone and all their devices being exposed naked 
 to everyone on the internet. Suddenly all their security shortcomings (no 
 passwords, password for the password etc) are going to have catastrophic 
 consequences. I foresee an exponential leap in the  number of hacks of 
 consumer devices which will have repercussions well beyond their local 
 network. In my opinion that's going to be the biggest problem with IPv6, not 
 all the concerns about the inner workings of the protocols. I'm guessing the 
 manufacturers of consumer grade networkable devices are still thinking about 
 security as it applies to LANs with RFC 1918 address space behind a firewall 
 and haven't rethought security as it applies to IPv6.
 
 
 Sigh... 
 
 Continuing to propagate this myth doesn't make it any more true than it was 
 10 years ago.

I'm sorry, what was the myth there? The public overall uses bad passwords and 
knowingly does not comply with security best practices? More connectivity is 
going to bring more problems and exploits? Those myths?

 
 NAT != Security
 End-to-End addressing != End-to-End connectivity
 It will not be long before the average residential IPv6 gateway comes with a 
 default deny all inbound stateful firewall built in. Once you have that, your 
 hosts are not exposed naked to everyone on the internet. In fact, they are no 
 more exposed than with NAT with the key difference being that if you choose 
 to expose one or more hosts, you have the option of deliberately doing so.

We'll see.

 
 Actually, I know for certain that most of the CPE manufacturers are 
 participating in the effort to draft better security requirements for 
 residential gateways as a current ID and hopefully an RFC soon. I believe, as 
 a matter of fact, that this is a BIS document being intended as a more 
 comprehensive improvement over the initial version.
 
 Owen
 




Re: Yup; the Internet is screwed up.

2011-06-10 Thread Greg Ihnen
On Jun 10, 2011, at 10:06 AM, Ricardo Ferreira wrote:

 I live in europe and we have at home 100Mbps . Mid sized city of 500k
 people. Some ISPs even spread WiFi across town so that subscribers can have
 internet access outside their homes.

Cablevision does that somewhat.

Greg



Re: Cablevision's company line on IPv6 to the home

2011-05-30 Thread Greg Ihnen
On May 30, 2011, at 8:56 PM, Bob Snyder wrote:

 On Sat, May 28, 2011 at 4:21 PM, Greg Ihnen os10ru...@gmail.com wrote:
 I just got off the phone with a level 1 tech support guy about an issue with 
 my parents Cablevision/Optimum Online service and decided to ask the fellow 
 if there's any official company news about IPv6 being in the works. His 
 comments were that there is a test coming up (he was referring to World IPv6 
 Day), though he admitted that Cablevision is choosing not to participate in 
 the test because they want to wait to see that IPv6 actually works without 
 problems before they turn it on. He said it with a tone that seemed to 
 express that the World IPv6 Day test is an irresponsible diversion. I 
 politely and without any noticeable condescension (I believe) told him 
 that's what I expected and bid him adieu.
 
 It's neat how they're going to skip that irresponsible testing phase and 
 just turn it on one day and it's going to work perfectly.
 
 Because when I want to know details of future major architectural
 changes to a network, I usually ask a level 1 tech support guy since
 he's the one most likely to know, right?

Should I answer that? No, that was sarcasm. Nice touch.

See my post where I address the fact that I wanted to know what the company's 
official public position is, as you said, "the script". In that post I mention 
I qualified the fact that the fellow was level 1 for obvious reasons. I wasn't 
trying to say he had technical insight. The official script does possibly say 
something about the company's desire/willingness/urgency/felt need to deploy 
IPv6. Does hearing that there's fast and furious work going on in the NOC to 
bring IPv6 capability mean it will be rolled out to the customer in short 
order? I'd say the answer to that is who knows.

It's not an apples to apples comparison with Cablevision's territory but down 
in my neck of the woods where I live the guys who work the telco's switch in 
town have been telling me for years that the banda ancha (broadband) gear is 
all installed as is the fiber back to the capitol and they're just waiting for 
the bureaucratic OK to turn it on. They've cut grooves in the town's 
perimetral (perimeter) road and run fiber in the road ringing the town. That 
was almost two years ago. Sure seems like broadband could be just around the 
corner right? And the years drag on, no broadband. Sometimes the company's 
official public stance (from like... um... the level 1 guys) is highly 
indicative of what's coming.

I'm surprised that all ISPs aren't trying to glom onto IPv6 the way so many 
companies now feel the need to claim to be green just because you don't want 
to be the last one in your market place not claiming to be green.

Then again, maybe you're just trolling. For trolling I like a Rapala lure 
(negative buoyancy) or live bait with a weight.

Here in the jungle they take an empty jug, tie a line on it and put a big hook 
on the end with some kind of meat or fish and throw them out in the river and 
let them float down river with the current, mostly for the big catfish. It's the 
lazy man's trolling.

Greg

 He'll know it's being rolled out when they create a script for him to
 follow. One that'll likely say something like For IPv6 problems,
 immediately escalate to someone we've actually training in IPv6.
 
 Bob
 




Cablevision's company line on IPv6 to the home

2011-05-28 Thread Greg Ihnen
I just got off the phone with a level 1 tech support guy about an issue with my 
parents Cablevision/Optimum Online service and decided to ask the fellow if 
there's any official company news about IPv6 being in the works. His comments 
were that there is a test coming up (he was referring to World IPv6 Day), 
though he admitted that Cablevision is choosing not to participate in the 
test because they want to wait to see that IPv6 actually works without 
problems before they turn it on. He said it with a tone that seemed to express 
that the World IPv6 Day test is an irresponsible diversion. I politely and 
without any noticeable condescension (I believe) told him that's what I 
expected and bid him adieu.

It's neat how they're going to skip that irresponsible testing phase and just 
turn it on one day and it's going to work perfectly.

And I wonder how they'll know when IPv6 is done. Maybe it has one of those 
things that frozen turkeys have, that pops out when it's done.

I've got my HE tunnels up and running on Mikrotik hardware on the little 
networks I manage. I can't wait for IPv6 Day.

So someone on the list please let Cablevision/Optonline know when you've 
finished IPv6. I'm sure they'd appreciate it.

Greg


Re: A BGP issue?

2011-03-08 Thread Greg Ihnen

On Mar 7, 2011, at 10:19 PM, Patrick W. Gilmore wrote:

 On Mar 7, 2011, at 14:27, Greg Ihnen os10ru...@gmail.com wrote:
 
 I run a small network on a mission base in the Amazon jungle which is fed by 
 a satellite internet connection. We had an outage from Feb 25th to the 28th 
 where we had no connectivity with email, http/s, ftp, Skype would indicate 
 it's connected but even chatting failed, basically everything stopped 
 working except for ICMP. I could ping everywhere just fine. I started doing 
 traceroutes and they all were very odd, all not reaching their destination 
 and some hopping all over creation before dying. But if I did traceroute 
 with ICMP it worked fine. Does this indicate our upstream (Bantel.net) had a 
 BGP issue? Bantel blamed Hughesnet which is the service they resell. I'm 
 wondering what kind of problem would let ping work fine but not any of the 
 other protocols. It also seems odd that I could traceroute via UDP part way 
 to a destination but then it would fail if the problem was my own provider. 
 Thanks.
 
 If this is the wrong forum for this post I'm sorry and please just hit 
 delete. If this is the wrong forum but you'd be kind enough to share your 
 expertise please reply off-list. Thanks!
 
 Honestly, I would rate this as one of the most on-topic posts in a while.
 
 BGP only handles reachability, not higher level protocols.  (Of course, you 
 can h4x0r anything to do just about anything, but we are talking the general 
 case here.)
 
 If you can ping, BGP is working.  If you can ping and cannot use TCP, then 
 something other than BGP is at fault. 
 
 I've seen strange things like someone enabling TCP compression (common on 
 very small or very expensive links) one side but not the other, which then 
 allowed ICMP and UDP but not TCP.  It is a great way to annoy someone.  See, 
 I can ping, it must be your side!
 
 Have you tried TCP traceroute?  Or telnetting to port 80?
 
 -- 
 TTFN,
 patrick

Patrick,

Thank you very much! Thank you to everyone else who replied.

I did try TCP traceroute and it failed too. I didn't have a machine to 
telnet to on port 80 but I did try an ssh tunnel on port  and it failed too.

From what everyone is saying it sounds like it was the satellite 
internet provider's compression scheme that was having trouble or some kind of 
an MTU issue.

What I don't understand is why when using traceroute UDP/TCP/GRE I 
could get replies from some routers but not all routers to the destination, and 
why some routes were bizarre. If it was a failure of the sat internet 
provider's compression scheme or an MTU issue wouldn't traceroute UDP/TCP/GRE 
fail completely? What could have happened to my packets that would make them go 
only part way or go the wrong way?

According to our satellite internet service provider Bantel the outage 
was system wide.

Thanks again!
Greg


A BGP issue?

2011-03-07 Thread Greg Ihnen
I run a small network on a mission base in the Amazon jungle which is fed by a 
satellite internet connection. We had an outage from Feb 25th to the 28th where 
we had no connectivity with email, http/s, ftp, Skype would indicate it's 
connected but even chatting failed, basically everything stopped working except 
for ICMP. I could ping everywhere just fine. I started doing traceroutes and 
they all were very odd, all not reaching their destination and some hopping all 
over creation before dying. But if I did traceroute with ICMP it worked fine. 
Does this indicate our upstream (Bantel.net) had a BGP issue? Bantel blamed 
Hughesnet which is the service they resell. I'm wondering what kind of problem 
would let ping work fine but not any of the other protocols. It also seems odd 
that I could traceroute via UDP part way to a destination but then it would 
fail if the problem was my own provider. Thanks.

If this is the wrong forum for this post I'm sorry and please just hit delete. 
If this is the wrong forum but you'd be kind enough to share your expertise 
please reply off-list. Thanks!

Here are some examples of the traceroutes I saved during the outage.

Using UDP:

Gregs-MacBook-Pro:~ GregIhnen$ traceroute metaconi.com
traceroute to metaconi.com (70.32.39.205), 64 hops max, 52 byte packets
 1  192.168.7.1 (192.168.7.1)  1541.165 ms  25.665 ms  39.211 ms
 2  * * *
 3  192.168.14.254 (192.168.14.254)  625.710 ms  860.264 ms  694.238 ms
 4  192.168.180.5 (192.168.180.5)  645.666 ms  757.161 ms  664.785 ms
 5  10.254.253.158 (10.254.253.158)  738.661 ms  801.487 ms  728.139 ms
 6  fe11-0-5.miami1.mia.seabone.net (195.22.199.77)  726.884 ms  733.989 ms  647.736 ms
 7  te3-4.miami7.mia.seabone.net (195.22.199.97)  740.233 ms  694.619 ms  685.464 ms
 8  206.111.1.161.ptr.us.xo.net (206.111.1.161)  639.077 ms  741.495 ms  679.880 ms
 9  te-4-1-0.rar3.miami-fl.us.xo.net (207.88.12.161)  650.312 ms  612.386 ms  660.452 ms
10  te-3-2-0.rar3.atlanta-ga.us.xo.net (207.88.12.5)  787.079 ms  725.495 ms  685.068 ms
11  te-11-0-0.rar3.washington-dc.us.xo.net (207.88.12.10)  760.002 ms  828.076 ms  702.041 ms
12  ae0d0.mcr2.chicago-il.us.xo.net (216.156.0.166)  719.324 ms  641.274 ms  689.997 ms
13  ae1d0.mcr1.chicago-il.us.xo.net (216.156.1.81)  669.613 ms  813.794 ms  737.211 ms
14  edge1.chi1.ubiquityservers.com (216.55.8.30)  729.875 ms  751.481 ms  730.088 ms
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * *


Now here it is again doing traceroute via ICMP:

Gregs-MacBook-Pro:~ GregIhnen$ traceroute -I metaconi.com
traceroute to metaconi.com (70.32.39.205), 64 hops max, 72 byte packets
 1  192.168.7.1 (192.168.7.1)  5.254 ms  3.059 ms  2.578 ms
 2  * * *
 3  192.168.14.254 (192.168.14.254)  1511.146 ms  711.304 ms  822.967 ms
 4  192.168.180.5 (192.168.180.5)  712.672 ms  821.990 ms  713.009 ms
 5  10.254.253.158 (10.254.253.158)  823.244 ms  711.764 ms  823.219 ms
 6  fe11-0-5.miami1.mia.seabone.net (195.22.199.77)  712.640 ms  613.306 ms  614.429 ms
 7  te3-4.miami7.mia.seabone.net (195.22.199.97)  823.232 ms  711.881 ms  823.166 ms
 8  206.111.1.161.ptr.us.xo.net (206.111.1.161)  712.765 ms  822.398 ms  712.531 ms
 9  te-4-1-0.rar3.miami-fl.us.xo.net (207.88.12.161)  822.809 ms  920.831 ms  712.399 ms
10  te-3-2-0.rar3.atlanta-ga.us.xo.net (207.88.12.5)  823.288 ms  711.478 ms  822.887 ms
11  te-11-0-0.rar3.washington-dc.us.xo.net (207.88.12.10)  712.705 ms  822.287 ms  712.713 ms
12  * ae0d0.mcr2.chicago-il.us.xo.net (216.156.0.166)  738.656 ms  919.752 ms
13  ae1d0.mcr1.chicago-il.us.xo.net (216.156.1.81)  921.381 ms  920.884 ms  1228.683 ms
14  edge1.chi1.ubiquityservers.com (216.55.8.30)  921.560 ms  920.482 ms  921.634 ms
15  relativity.mrk.com (70.32.39.205)  880.318 ms  753.150 ms  823.285 ms
Gregs-MacBook-Pro:~ GregIhnen$ 

Here's an example of a UDP traceroute going all over creation:

Gregs-MacBook-Pro:~ GregIhnen$ traceroute skype.com
traceroute to skype.com (78.141.177.7), 64 hops max, 52 byte packets
 1  192.168.7.1 (192.168.7.1)  18.939 ms  4.596 ms  27.124 ms
 2  * * *
 3  192.168.14.254 (192.168.14.254)  724.034 ms  704.520 ms  823.886 ms
 4  192.168.180.5 (192.168.180.5)  711.962 ms  704.606 ms  823.208 ms
 5  10.254.253.158 (10.254.253.158)  712.622 ms  912.870 ms  921.471 ms
 6  fe11-0-5.miami1.mia.seabone.net (195.22.199.77)  712.642 ms  822.307 ms  712.720 ms
 7  * te9-1.ccr01.mia03.atlas.cogentco.com (154.54.11.37)  3692.277 ms  702.345 ms
 8  te9-1.ccr01.mia03.atlas.cogentco.com (154.54.11.37)  823.172 ms  920.050 ms  921.612 ms
 9  te8-2.ccr01.mia01.atlas.cogentco.com (154.54.28.245)  921.681 ms
    te8-7.ccr02.mia01.atlas.cogentco.com (154.54.1.185)  703.270 ms
    te8-2.ccr02.mia01.atlas.cogentco.com (154.54.2.153)  730.152 ms
10  te0-0-0-5.ccr21.atl01.atlas.cogentco.com (154.54.30.33)  797.769 ms
    te2-1.ccr02.atl01.atlas.cogentco.com (154.54.3.25)  913.513 ms

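The UDP and ICMP traces above can be compared mechanically rather than by eye. The script below is an added example, not part of Greg's post or of any tool named in the thread. It parses BSD/macOS traceroute output, using an abridged copy of the two metaconi.com runs embedded as its sample input, and reports the last hop that answered each probe type and the first TTL at which ICMP got an answer while UDP got none. The one-line diagnosis follows Patrick's reasoning in his reply further up the page: if ICMP completes, reachability (the part BGP provides) is intact, and a transport that stops being answered somewhere along the same path points at something other than routing.

```python
"""Compare a UDP and an ICMP traceroute to the same host and say where the
UDP probes stopped being answered.

Added example, not code from the thread. The two traces are copied from the
post above with line wrapping undone and most hops elided (hops 4-5, 7-10
and 13 showed the same routers in both runs, and UDP hops 16-26 were all
'* * *').
"""
import re
from dataclasses import dataclass, field

UDP_TRACE = """\
traceroute to metaconi.com (70.32.39.205), 64 hops max, 52 byte packets
 1  192.168.7.1 (192.168.7.1)  1541.165 ms  25.665 ms  39.211 ms
 2  * * *
 3  192.168.14.254 (192.168.14.254)  625.710 ms  860.264 ms  694.238 ms
 6  fe11-0-5.miami1.mia.seabone.net (195.22.199.77)  726.884 ms  733.989 ms  647.736 ms
11  te-11-0-0.rar3.washington-dc.us.xo.net (207.88.12.10)  760.002 ms  828.076 ms  702.041 ms
12  ae0d0.mcr2.chicago-il.us.xo.net (216.156.0.166)  719.324 ms  641.274 ms  689.997 ms
14  edge1.chi1.ubiquityservers.com (216.55.8.30)  729.875 ms  751.481 ms  730.088 ms
15  * * *
27  * *
"""

ICMP_TRACE = """\
traceroute to metaconi.com (70.32.39.205), 64 hops max, 72 byte packets
 1  192.168.7.1 (192.168.7.1)  5.254 ms  3.059 ms  2.578 ms
 2  * * *
 3  192.168.14.254 (192.168.14.254)  1511.146 ms  711.304 ms  822.967 ms
 6  fe11-0-5.miami1.mia.seabone.net (195.22.199.77)  712.640 ms  613.306 ms  614.429 ms
11  te-11-0-0.rar3.washington-dc.us.xo.net (207.88.12.10)  712.705 ms  822.287 ms  712.713 ms
12  * ae0d0.mcr2.chicago-il.us.xo.net (216.156.0.166)  738.656 ms  919.752 ms
14  edge1.chi1.ubiquityservers.com (216.55.8.30)  921.560 ms  920.482 ms  921.634 ms
15  relativity.mrk.com (70.32.39.205)  880.318 ms  753.150 ms  823.285 ms
"""

HEADER_RE = re.compile(r"^traceroute to \S+ \(([^)]+)\)")
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")            # "14  host (ip)  t ms  t ms ..."
ADDR_RE = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")


@dataclass
class Hop:
    responders: list = field(default_factory=list)  # distinct IPs that answered at this TTL
    lost: int = 0                                   # probes that got no answer ('*')


@dataclass
class Trace:
    target: str
    hops: dict  # ttl -> Hop


def parse_traceroute(text):
    target, hops, current = None, {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            target = m.group(1)
            continue
        m = HOP_RE.match(line)
        if m:
            current = hops.setdefault(int(m.group(1)), Hop())
            body = m.group(2)
        elif current is not None:
            body = line  # wrapped line or an extra responder for the same TTL
        else:
            continue
        for ip in ADDR_RE.findall(body):
            if ip not in current.responders:
                current.responders.append(ip)
        current.lost += body.count("*")
    return Trace(target, hops)


def last_responding_hop(trace):
    answered = [ttl for ttl, hop in trace.hops.items() if hop.responders]
    return max(answered) if answered else None


def reached_target(trace):
    return any(trace.target in hop.responders for hop in trace.hops.values())


def compare(icmp, other):
    """Return (first TTL where ICMP got an answer but the other probe type
    got none, list of TTLs at which both runs heard from the same router)."""
    divergence, shared = None, []
    for ttl in sorted(icmp.hops):
        a, b = icmp.hops[ttl], other.hops.get(ttl)
        if b is None or not a.responders:
            continue
        if set(a.responders) & set(b.responders):
            shared.append(ttl)
        elif not b.responders and divergence is None:
            divergence = ttl
    return divergence, shared


def diagnose(icmp, other, label):
    """One-line reading of the two traces: ICMP completing means the route
    is there; a transport that dies further along is not a BGP problem."""
    if not reached_target(icmp):
        return "ICMP does not reach the target either: check reachability first"
    divergence, shared = compare(icmp, other)
    if divergence is None:
        return f"{label} and ICMP agree: no protocol-selective fault visible"
    return (f"ICMP reaches {icmp.target}; {label} probes go unanswered from TTL "
            f"{divergence} after {len(shared)} hops answering both, so the path is "
            f"routed and the fault is in how non-ICMP traffic is handled, not in BGP")


if __name__ == "__main__":
    print(diagnose(parse_traceroute(ICMP_TRACE), parse_traceroute(UDP_TRACE), "UDP"))
```

Run it as-is and it reports that UDP stopped being answered at TTL 15 after six matching hops, with edge1.chi1.ubiquityservers.com at TTL 14 as the last router to reply to both. To use it on your own outage, paste the `traceroute` and `traceroute -I` output in place of the two sample strings; a `traceroute -P tcp` run (or whatever TCP mode your traceroute has) can be passed as `other` the same way, which is the check Patrick suggests.
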
Hughesnet outage - where can I ask?

2011-02-28 Thread Greg Ihnen
I run a small network in the jungle of Venezuela which is fed by a rebranded 
Hughesnet connection. We just had a four day failure where the only protocol 
that worked was ICMP and we were completely without communication. Traceroutes 
all failed in a bizarre way when using UDP, TCP or GRE packets but traceroute 
with ICMP worked fine. Our provider (Bantel) is blaming Hughesnet but I'm not 
finding anything to back that up in forums or in searching the web. I don't 
want to bother this forum's members with my questions regarding what the 
traceroute results show and what the problem might be. Is there another forum 
where these questions would be appropriate? Thanks in advance.

Greg


Re: Is NAT can provide some kind of protection?

2011-01-12 Thread Greg Ihnen
+1 on Nick's comment. If you're doing 1:1 NAT or port forwarding your server is 
still public facing.

If your firewall is merely stateful and not deep packet inspecting, all it's 
doing is seeing that the statefulness of the connection meets its 
requirements. You could have that and still have all kinds of naughtiness going 
on.

Greg

On Mar 21, 2007, at 6:25 AM, Tarig Ahmed wrote:

 In fact our firewall is stateful.
 This is why I thought, we no need to Nat at least our servers.
 
 
 Tarig Yassin Ahmed
 
 
 On Jan 12, 2011, at 4:59 PM, Nick Hilliard n...@foobar.org wrote:
 
 On 21/03/2007 09:41, Tarig Ahmed wrote:
 Is it true that NAT can provide more security?
 
 No.
 
 Your security person is probably confusing NAT with firewalling, as NAT 
 devices will intrinsically do firewalling of various forms, sometimes 
 stateful, sometimes not.  Stateful firewalling _may_ provide more security 
 in some situations for low bandwidth applications, at least before you're 
 hit by a DoS attack;  for high bandwidth applications, stateful firewalling 
 is usually a complete waste of time.
 
 Your security guy will probably say that a private IP address will give 
 better protection because it's not reachable on the internet.  But the 
 reality is if you have 1:1 NAT to a server port, then you have reachability 
 and his argument becomes substantially invalid.  Most security problems are 
 going to be related to poor coding anyway (XSS, improper data validation, 
 etc), rather than port reachability, which is easy to fix.
 
 Unfortunately, many security people from large organisations do not 
 appreciate these arguments, but instead write their own and other peoples' 
 opinions down and call them policy.  Changing policy can be difficult.
 
 Nick
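
This thread and the IPv6 end user addressing exchange with Owen further up the page come down to the same point: what keeps a home network's hosts from being reachable is the stateful default-deny inbound policy, not the address translation, and a 1:1 NAT or port forward is simply a hole punched in that policy. The ruleset below is an added example, not configuration from either thread, showing what Owen's "default deny all inbound stateful firewall" looks like on an IPv6 residential gateway written for nftables. The interface names wan0 and lan0, the delegated documentation prefix 2001:db8:1::/48 and the single deliberately exposed host are assumptions. Nick's caveat still applies: this is connection-state filtering only and says nothing about what the permitted flows carry.

```nftables
# Added example, not from either thread. Assumed names: wan0 (ISP side),
# lan0 (home LAN), delegated prefix 2001:db8:1::/48, and one host
# 2001:db8:1:10::22 that the owner chooses to expose on TCP/22.
table inet home_gateway {
    chain input {
        type filter hook input priority 0; policy drop;      # default deny to the gateway itself
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname "lan0" accept                                 # LAN may manage the box and get RA/DHCPv6 from it
        # The WAN link still needs neighbour discovery, the ISP's router advertisements
        # and DHCPv6-PD replies; dropping these is how an "IPv6-secured" gateway loses its prefix.
        iifname "wan0" icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, echo-request } accept
        iifname "wan0" udp sport 547 udp dport 546 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;    # nothing reaches the LAN unless listed below
        ct state established,related accept                   # replies to flows the LAN opened
        ct state invalid drop
        iifname "lan0" oifname "wan0" accept                  # LAN hosts may initiate outbound
        # ICMPv6 is part of the protocol, not an optional extra: IPv6 routers do not fragment,
        # so dropping packet-too-big breaks path MTU discovery for every LAN host.
        # Blocking all ICMP wholesale is the NAT-era reflex this ruleset avoids.
        iifname "wan0" icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
        # The one opt-in exposure, the IPv6 equivalent of a port forward. Everything said
        # above about a 1:1 NAT'd server still being public facing applies to this host.
        iifname "wan0" ip6 daddr 2001:db8:1:10::22 tcp dport 22 ct state new accept
    }
}
```

Load it with `nft -f` and list it with `nft list ruleset`; the useful check is from outside, where a TCP connect to any LAN address other than 2001:db8:1:10::22 should be dropped while `ping6` to the same hosts and large transfers from them still work, showing that reachability was removed without breaking the ICMPv6 the protocol depends on.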