Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....

2012-11-28 Thread Ingo Flaschberger

On 28.11.2012 19:30, david peahi wrote:

Many years ago the standard books on application network programming were
based on C language. Books such as Adventures in UNIX Network
Programming, and Professor Comer's Internetworking with TCP/IP Vol 3
detailed how to write C programs using BSD sockets where binding to a
socket brought the program up in listening mode on an 2 tuple IP v4 IP
address/TCP well known port. Once the program opened and bound to a socket
netstat -n would show that program to be listening on the 2-tuple.

Do today's programmers still use basic BSD socket programming? Is there an
equivalent set of called procedures for IPv6 network application
programming?

On the practical side: Have all programmers created a 128 bit field to
store the IPv6 address, where IPv4 programs use a 32 bit field to store the
IP address? This would seem to be similar to the year 2000 case where
almost all programs required auditing to see if they took into account
dates after 1999.


on linux/unix: if the program only opens a tcp-connection or listens on 
it, it's simple:
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) becomes 
socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP)


It's more work to build a dual-stack program - then 2 sockets need to 
be opened and handled.

But overall - it's trivial.

y2k: there will be apps that never make it to ipv6 - but you can do 
ipv6-ipv4 translation NAT-PT (RFC2766)


Kind regards,
 Ingo Flaschberger
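As an added example (not code from the thread or from either poster), here is what the two points above look like in C with the BSD socket API: addresses are kept in a family-agnostic sockaddr_storage (which is large enough for a 128-bit IPv6 address), and one AF_INET6 socket with IPV6_V6ONLY cleared accepts both IPv4 and IPv6 clients, so the "2 sockets" case is only needed where the OS refuses that. IPv4 clients then show up as ::ffff:a.b.c.d, which any ACL or logging code written for IPv4 has to recognise. The sample addresses are constructed for this example; the documentation-range prefixes are not real hosts.

```c
/* Added example (not from the thread): family-agnostic address storage and a
 * dual-stack listener with the plain BSD socket API. */
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Parse a textual IPv4 or IPv6 address into sockaddr_storage, which holds
 * either family (the "128 bit field" the question asks about).
 * Returns the address family on success, -1 if the text is neither. */
int parse_ip(const char *text, uint16_t port, struct sockaddr_storage *ss)
{
    memset(ss, 0, sizeof *ss);
    struct sockaddr_in *v4 = (struct sockaddr_in *)ss;
    if (inet_pton(AF_INET, text, &v4->sin_addr) == 1) {
        v4->sin_family = AF_INET;
        v4->sin_port = htons(port);
        return AF_INET;
    }
    struct sockaddr_in6 *v6 = (struct sockaddr_in6 *)ss;
    if (inet_pton(AF_INET6, text, &v6->sin6_addr) == 1) {
        v6->sin6_family = AF_INET6;
        v6->sin6_port = htons(port);
        return AF_INET6;
    }
    return -1;
}

/* Length of the sockaddr actually in use; bind()/connect() need it. */
socklen_t sockaddr_len(const struct sockaddr_storage *ss)
{
    return ss->ss_family == AF_INET6 ? sizeof(struct sockaddr_in6)
                                     : sizeof(struct sockaddr_in);
}

/* True if an AF_INET6 address is really an IPv4 peer seen through a
 * dual-stack socket (::ffff:a.b.c.d). Code that keys ACLs or logs on the
 * address must treat these as IPv4, or rules written for IPv4 won't match. */
int is_v4_mapped(const struct sockaddr_storage *ss)
{
    if (ss->ss_family != AF_INET6)
        return 0;
    const struct sockaddr_in6 *v6 = (const struct sockaddr_in6 *)ss;
    return IN6_IS_ADDR_V4MAPPED(&v6->sin6_addr) ? 1 : 0;
}

/* Convenience wrappers over parse_ip() for callers that only want the verdict. */
int ip_family(const char *text)
{
    struct sockaddr_storage ss;
    return parse_ip(text, 0, &ss);
}

int ip_is_v4_mapped(const char *text)
{
    struct sockaddr_storage ss;
    return parse_ip(text, 0, &ss) > 0 && is_v4_mapped(&ss);
}

/* Open one AF_INET6 listening socket that also accepts IPv4 clients.
 * With IPV6_V6ONLY=0 a single socket covers both families; where the OS
 * defaults to IPV6_V6ONLY=1 and refuses to clear it, a second AF_INET socket
 * is needed (the two-socket case from the post). Returns the fd or -1. */
int open_dual_stack_listener(uint16_t port)
{
    int fd = socket(AF_INET6, SOCK_STREAM, IPPROTO_TCP);
    if (fd < 0) return -1;
    int off = 0, on = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
    if (setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &off, sizeof off) < 0) {
        close(fd); return -1;
    }
    struct sockaddr_in6 any;
    memset(&any, 0, sizeof any);
    any.sin6_family = AF_INET6;
    any.sin6_addr = in6addr_any;            /* "::", i.e. all interfaces */
    any.sin6_port = htons(port);
    if (bind(fd, (struct sockaddr *)&any, sizeof any) < 0 || listen(fd, 16) < 0) {
        close(fd); return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed sample inputs (documentation prefixes, not real hosts). */
    const char *samples[] = { "192.0.2.10", "2001:db8::1", "::ffff:192.0.2.10", "not-an-ip" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s family=%d v4-mapped=%d\n", samples[i],
               ip_family(samples[i]), ip_is_v4_mapped(samples[i]));
    int fd = open_dual_stack_listener(0);   /* port 0: kernel picks a free port */
    printf("dual-stack listener fd=%d\n", fd);
    if (fd >= 0) close(fd);
    return 0;
}
```

The listener bound to port 0 is only there so the block runs without clashing with a service; a real daemon would pass its well-known port and then call accept() on the returned descriptor.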





mysql.org down?

2012-01-25 Thread Ingo Flaschberger

Hi,

from my location / Austria, mysql.org seems to be down:
traceroute to 213.136.52.82 (213.136.52.82), 30 hops max, 40 byte packets
 7  at-vie-xion-pe01-vl-2061.upc.at (84.116.229.21)  39.009 ms  38.957 ms  39.001 ms
 8  at-vie01a-rd1-vl-2050.aorta.net (84.116.228.193)  36.824 ms  35.930 ms  61.089 ms
 9  nl-ams05a-rd2-xe-0-1-0.aorta.net (213.46.160.145)  38.910 ms
nl-ams05a-rd2-xe-0-0-2.aorta.net (84.116.130.73)  36.573 ms
nl-ams05a-rd2-xe-0-1-0.aorta.net (213.46.160.145)  38.631 ms
10  84.116.134.145 (84.116.134.145)  36.539 ms
84.116.134.61 (84.116.134.61)  40.418 ms
84.116.136.22 (84.116.136.22)  36.507 ms
11  ams-ix.ams-cr1.bahnhof.net (195.69.144.99)  38.430 ms  38.473 ms  42.336 ms
12  ams-cr1.cph-cr1.bahnhof.net (46.59.112.26)  42.201 ms  38.980 ms  36.493 ms
13  cph-cr1.mmo-cr1.bahnhof.net (85.24.151.246)  47.877 ms  49.929 ms  49.882 ms
14  mmo-cr1.sto-cr3.bahnhof.net (85.24.151.108)  46.963 ms  46.938 ms  55.098 ms
15  sto-cr1.pio-dr3.bahnhof.net (85.24.151.225)  53.173 ms  52.898 ms  52.927 ms
16  pio-dr3.pio-dr2.bahnhof.net (85.24.151.72)  52.863 ms  51.261 ms  49.389 ms
17  sto-cr1.sto-cr2.bahnhof.net (85.24.151.1)  51.399 ms  46.986 ms  49.730 ms

Kind regards,
Ingo Flaschberger



Re: static asymmetry

2011-09-03 Thread Ingo Flaschberger
In my opinion. Home networking (including personal clouds) have to change 
the brain damaged model of asymmetric tail technologies. Giving back the 
original peer-to-peer nature of networking the asymmetricity of the access 
technologies will not be tolerable in such a level (1:10) we have today. 
Maybe 1:2 should be more acceptable.


I think a more fundamental question is why in 2011 we're stuck with 
statically shaped asymmetric up and down. You can pretty dynamically shape 
*within* a given direction to do just about anything you want to the 
traffic, but I don't know of last mile access technologies that do that 
*across* the up and downstream. If it were more like ethernet that doesn't 
have those artificial distinctions, this conversation would be moot.

I recall the reason that DOCSIS is asymmetric had a lot to do with how 
they carved out spectrum of the analog channels -- and relegating upstream 
to slots that weren't very good for those analog channels. That's been 
about 15 years ago though and in the mean time the internet has sort of 
become important.


With dsl technologies like vdsl (flexible) or adsl (fixed 1/8 or 1/24) the 
total bandwidth (up+down) is not linear.


example:
adsl: 1mbit up, 24mbit down - total 25mbit
can not be used with 12.5mbit up/down.

at the co the noise is very high, as there are many lines in a bundle and 
the dslams cry with high signal levels into the lines.

Also the crosstalk is high.

downstream:
co-side: dslams send signal with high level + high level noise.
cpe-side: signal arrives damped, noise arrives damped - signal to
noise (snr) is acceptable.
high bandwidths can be achieved.
upstream:
cpe-side: cpe send signal with high level, low level noise
co-side: high level noise produce crosstalk to damped signal
that arrives from cpe - signal to noise (snr) is low
only low bandwidths can be achieved.

so dsl technologies, that use old, unshielded cables operate now at the 
maximum what the cable can do (up to 30MHz with vdsl2).

Higher speeds can only be achieved with better cables; like fiber or coax.

coax technologies use, in opposite to dsl technologies, no point to point 
links but bus technology to connect several customers to one head-end.

asymmetric bandwidth - more clients per head-end.

high-speed symmetric services can only be offered with new network types 
like fiber.


Kind regards,
Ingo Flaschberger





Re: Wacky Weekend: NERC to relax power grid frequency strictures

2011-06-26 Thread Ingo Flaschberger

Take a guess what the datacenter our equipment is currently hosted in uses.  
Yet another reason to be glad of a datacenter move that's coming up.


Why can't we just all use DC and be happy?


motors don't produce DC?


dc generators produce dc.


tesla vs edison?

human safe dc voltage requires comically large conductors for the sorts of 
loads we energize?

transmission loss except at very high voltages...

http://en.wikipedia.org/wiki/High-voltage_direct_current


but transforming is not easy.
ac/ac transformers are easy to build and very immune against lightning 
strikes - inverter systems are not.


Kind regards,
Ingo Flaschberger




RE: Wacky Weekend: NERC to relax power grid frequency strictures

2011-06-26 Thread Ingo Flaschberger
2) Allowing transformer fields to collapse. Even in phase, without a 
delayed transition ATS you can end up with a partially collapsed 
transformer field with a new field being created at non-ground state. 
This can cause a transient back wave that can snap circuit breakers. 
Yep, this one happened to us a few times before we switched to a delayed 
ATS, was a PITA to debug and resolve.


a transformer should be switched to the network when phase is at
highest/lowest point, not at zero.
zero: highest current
highest/lowest point: lowest current
because it's a coil.

Kind regards,
Ingo Flaschberger




Re: Wacky Weekend: NERC to relax power grid frequency strictures

2011-06-25 Thread Ingo Flaschberger

Generators all stay in sync.  Generator owners have expensive devices
that sync the phase before the generator is connected to the grid.  Once
a generator is connected to the gird, it will stay in sync - in fact
that is why they have the expensive devices to make sure that they are
in sync before they connect them, as if they are not, it will instantly
jump to being in sync, which may destroy the generator.


As a matter of fact, it may destroy the generator, the housing, the building,
the damn, and more. An out-of-sync generator becomes a motor until it is
in sync. lt can be a graphic and dramatic event.


Big generators are synchronous machines, as they can also generate reactive 
power. If an out of sync synchronous machine is connected to the grid, there's 
a big kawumm and then the machine is in sync or dead.
Only the angle between the rotor and the magnetic field makes the 
difference between generator and motor.
A synchronous motor can not self-start and only runs at fixed grid frequency / 
rpm. An overloaded motor suddenly stops.


Smaller generators are asynchronous machines, that can run faster or slower 
than network frequency - ie run as generator or motor - but they always 
consume reactive power.

They can self-start.

Synchronising machines to a grid is not a big problem, the bigger problem 
is to synchronise 2 disconnected grids.
Some years ago in europe a grid operator violated the n+1 redundancy rule 
as he needed to switch off a big power line over the river Ems - to 
allow a big ship to leave the shipyard.
The result was a netsplit through whole europe - a lot of big 
line-breakers flipped and switched off north-west and south-east power 
lines. 
The whole european grid was split into 3 parts, running at higher and 
lower frequencies.


Details:
http://www.bundesnetzagentur.de/SharedDocs/Downloads/EN/BNetzA/Areas/ElectricityGas/Special%20Topics/Blackout2005/BerichtEnglischeVersionId9347pdf.pdf?__blob=publicationFile

Kind regards,
Ingo Flaschberger




Re: BGP Design question.

2011-06-22 Thread Ingo Flaschberger

Hi Bret,


To keep this scenario simple, I'm multihoming to one carrier.
I have two Netiron CERs. Each have a eBGP connection to the same peer.
The CERs have an iBGP connection to each other.
That works all fine and dandy. Feel free to comment, however if you think there 
is a better way to do this.

Here comes the tricky part. I have two firewalls in an Active/Passive setup. 
When one fails the other is configured exactly the same
and picks up where the other left off. (Yes, all the sessions etc. are actively 
mirrored between the devices)

I am using OSPFv2 between the CERs and the Firewalls. Failover works 
just fine, however when I fail an OSPF link that has the active default 
route, ingress traffic still routes fine and dandy, but egress traffic 
doesn't. Both Netiron's OSPF are setup to advertise they are the default 
route.


Linux firewall?
disabled rp-filter?


What I'm wondering is, if OSPF is the right solution for this. How do others 
solve this problem?


I do something similar with freebsd; you always make sure the backbone 
area 0.0.0.0 does not break into 2 parts, perhaps use an extra link 
between the 2 firewalls just because of this.


Kind regards,
Ingo Flaschberger



Re: Resilient streaming protocols

2011-06-11 Thread Ingo Flaschberger
I'm also searching for some cheap software or device to stream audio only 
(radio broadcasting, stream from external site to head-office).


Kind regards,
Ingo Flaschberger




Re: New vyatta-nsp list

2011-05-24 Thread Ingo Flaschberger



I won't argue that an ASIC isn't faster, but it is hard to argue that Vyatta
isn't capable of high-end performance.

http://download.intel.com/embedded/processor/solutionbrief/322973.pdf


aeh - mpps - mega packets per second - is really low.
and the gbps scale in figure 4 is wrong - factor 10 too high.

1gige linerate: 1,9mpps
10gige linerate: 19mpps

and intel is proud to achieve 1,6mpps with 2 10gige cards?
I have seen higher values at pc hardware - but still not comparable to 
asics.


Kind regards,
Ingo Flaschberger




Re: CIsco IOS bug info request

2011-04-20 Thread Ingo Flaschberger

Dear Eric,


Can anybody point me to a documented case where a bug in Cisco IOS has taken a 
whole network down ?



The ripe experiment is really a great one.

A little bit older one, but bigger - took down the whole internet:
1) http://markmail.org/message/nmlyif7oycohcr22
2) http://www.atm.tut.fi/list-archive/nanog/msg04507.html

Kind regards,
Ingo Flaschberger




RE: Web Server and Firewall Hellp

2011-02-07 Thread Ingo Flaschberger

I run a web-server based on ubuntu server and the LAMP stack.
I used Ubuntu's UFW firewall model and have enabled only Web and SSH ports.
Namely port 80 and port 22 only.

Unfortunately once a while some guys get to inject some content onto our web
pages.

Now managements are looking at getting a well proven infrastructure to
counter that.
But I also think i can fall on this community to help me get the right stuff
done. Where
i can protect the server from such attack.


I want to know what measure i can do on the server to get it protected which
mysql protection
I should implement. since i can see that it might be a php or mysql
injection that is been used.

Currently I run these security measures on it.
Ubuntu UFW
Fail2ban
PHP model security
Apache security


have a look at mod_security, helps very successfully against outdated, 
exploitable user webpages.

mod_security is a layer 7 firewall which runs as an apache module.

Kind regards,
Ingo Flaschberger



Re: [menog] Fwd: Connectivity status for Egypt

2011-01-29 Thread Ingo Flaschberger


Here is the analysis of BGP table regarding what happened to the Internet in 
Egypt:


http://stat.ripe.net/egypt/

https://labs.ripe.net/Members/akvadrako/live_eqyptian_internet_incident_analysis


Cidr report (http://www.cidr-report.org) shows this also very well:

Recent Table History
Date  PrefixesCIDR Agg
26-01-11345293  201663
27-01-11344858  200621
28-01-11342381  201194

Top 20 Net Decreased Routes per Originating AS

Prefixes  Change  ASnum AS Description
-102102-0   AS5536  Internet-Egypt


Kind regards,
Ingo Flaschberger





Re: Want to move to all 208V for server racks

2010-12-04 Thread Ingo Flaschberger

There's also a telco oriented 48V inverter rack system thats escaping
my mind at the moment.  It can be setup with A/B 48V strings, and you
plug in inverter modules up to IIRC around 8kW.  Not parallel capable
between racks AFAIK.


48V (and some more when batteries are full) is slightly below the limit 
of non harmful voltage.


Thus you have a voltage with less power loss at short transports and a 
secure voltage. (creating a short is still not a great idea).


Kind regards,
Ingo Flaschberger





Re: Wikileaks moved to cave bunker in Iran, Mr. Assange reportedly offered asylum by North Korea...

2010-12-03 Thread Ingo Flaschberger



We seem to be sailing into an interesting new set of challenges.  I'm not
sure that it'll be healthy for the net for the government to be providing
lists of IP addresses that have to be blocked; our routing tables are
already quite challenged.


if - then welcome to china, we are also there.

Kind regards,
Ingo Flaschberger




Re: Want to move to all 208V for server racks

2010-12-03 Thread Ingo Flaschberger

Dear Leo,


I worked in a data center with something I thought was very, very cool.

http://www.hilkar.com/highresistance.htm

The concept, at a high level, is rather than tie the (service, not
signal) ground back to grounding rods directly you run it through a
large resistor.  Now when a phase is grounded it runs through the
resistor, allowing a small but safe current to flow.


currents above 1mA and 50V are dangerous.
also the net-frequency of 50hz/60hz causes troubles for the heart 
(Ventricular fibrillation).


If a really fail-tolerant system is needed, then the only solution is to 
have a ground-free system. the incoming power is transformed (1:1 for 
example) and not earthed.
a special device monitors the voltage between earth and power and raises an 
alarm if one of the power-lines connects to earth - but does no shutdown.

the fault can then be repaired without shutdowns.
only when 2 faults occur do the breakers trip.
usually hospitals use such a configuration.

probably the hilkar system is similar to this one.

Kind regards,
Ingo Flaschberger




Re: Want to move to all 208V for server racks

2010-12-02 Thread Ingo Flaschberger

Dear Jay,



I really want to move all newly installed internal and customer racks
over to all 208v power instead of 120v.  As far as I can remember, I
can't remember any server/switch/router or any other equipment that
didn't run on 208v AC.  (Other than you may need a different cable)
Anyone have any experience where some oddball equipment that couldn't
do 208v and regret going 208v?  We won't have any TDM or SONET
equipment, all Ethernet switches, routers and servers.  I have control
over internal equipment but sometimes customers surprises you.


you mean 240V AC 50Hz and move from 120V 60Hz? (or also 50Hz)

you will need to check each device if it supports 240V, commonly the 
specified power ratings are printed on a sticker on the device itself.


Kind regards,
Ingo Flaschberger




Re: Want to move to all 208V for server racks

2010-12-02 Thread Ingo Flaschberger

Dear Jay,


you mean 240V AC 50Hz and move from 120V 60Hz? (or also 50Hz)


In US, I think everything is 60Hz.  But I mean 208v single phase.
(Which is what you get when you combine two 120v single phase legs out
of three phase, I believe.  I am not an expert on AC...)


I got the point.
120 * sqrt(3), phase to phase, three-phase current in european;


you will need to check each device if it supports 240V, commonly the
specified power ratings are printed on a sticker on the device itself.


I have even been looking at USB HD AC adapter and all other odd ball
equipment and I always see the label say 100~240v AC.  Dell's old
rack mount monitor/KB from 5 years ago even supports 208v (Just wrong
connector.)


What's the idea behind doing this?
You will also need circuit breakers where both phases are switched off
simultaneously?

Kind regards,
Ingo Flaschberger



Re: Blocking International DNS

2010-12-02 Thread Ingo Flaschberger



and anyone who thinks that the fidonet was not hierarchic is not taking
their meds.


yes, the bad bad node ops :)

bye,
Ingo



Re: Want to move to all 208V for server racks

2010-12-02 Thread Ingo Flaschberger

Why do we install 120v instead of 208v? was asked over a year ago
either here or on cisco-nsp.  It generated a long discussion, but it
should have been cut short as early in the thread someone said
all that had to be said: because we are idiots.


*GG* good old europe




Re: Want to move to all 208V for server racks

2010-12-02 Thread Ingo Flaschberger

I was just recently trying to explain this to a European friend who thought I 
was hallucinating this system, so I took a picture.

http://dl.dropbox.com/u/230717/temp/208YPanel.jpg

That's a picture of one of the breaker boxes in our office, showing what you described.  
There are 3 phases coming into the panel, each a different coil off a Y transformer, as 
well as a neutral. Those are the 4 black wires you see at the bottom. You can 
see how the three hot phases are staggered as they go up the breaker rails.

For standard 110V service, you use a single-wide breaker and send one hot phase 
+ neutral and you get 110V. The difference between two phases is 208 volts 
though, so you use a double wide breaker and can send to device without using a 
neutral wire. Just 2 hots and a ground. If that's all you're doing (you don't 
need legacy 110V service anywhere) you skip the ground wire going into the 
panel entirely.


that one looks dangerous.

In europe:
http://img406.imageshack.us/i/verteilerkasten.jpg/

64A 240V 3-Phase input.
Out to servers single phase, output to airconditioners with 3 phase (not 
in this picture).


Kind regards,
Ingo Flaschberger



Re: Want to move to all 208V for server racks

2010-12-02 Thread Ingo Flaschberger

Precisely the same panel layout I had in my last facility, though we didn't
use any 208V branch circuits; thanks for the pic, Kevin.


good thing is, if you have no neutral you can't break it - who knows 
what happens then :)


Kind regards,
Ingo Flaschberger




Re: Want to move to all 208V for server racks

2010-12-02 Thread Ingo Flaschberger

Err, I meant skip the neutral wire. It's still grounded. And there are 
normally significantly more covers over the panel than this, there were a dozen screws I 
had to remove to expose all of this. :)

This is a much smaller scale panel though, not far up from a typical home 
system. The more current you start talking about, the more isolated everything 
becomes until you wouldn't even be able to see the bus bars like in this one.


are Residual-current devices (FI in German) common in the US?
For servers I use Residual-current device and circuit breaker integrated in 
one device; but I try to use the more expensive pulse tolerant ones.


They're called Ground Fault Interruptors here, or GFI/GFCI.

They're extremely common built into wall power outlets, and GFI outlets are required in wet areas 
(kitchens, bathrooms, hot tubs, outdoors, etc). Most wall outlets with GFIs built into them have a 
daisy chain system where one outlet in the kitchen has the circuitry and the Test/Reset 
buttons, and it protects all non-GFI downstream outlets from it. Downstream outlets usually have a 
sticker on them saying GFI Protected which is a hint that if the outlet stops working, 
check other outlets in the room to see if one of them tripped. Newer versions have a light that 
comes on to indicate when they've been tripped, which is handy for non-technical people to figure 
out what happened more easily.

You can get breakers with GFIs built into them(called GFCIs), but they're 
favored less than putting them at the outlet. I haven't seen any datacenters 
using them, but I haven't looked that closely. An electrician I talked to once 
about it felt that the panel mounted variety were designed to be less 
sensitive/slower reacting due to much longer wire lengths, but I'm not sure if 
that's just urban legend, experience with a single product or fact.


in europe GFIs are always needed for protection and by law.
to avoid the cascading effects the GFCIs are better.
break current ranges from 10mA (bath) up to 300mA; for servers I use the 
30mA with pulse protection (internal delay) to avoid the server 
powersupply capacitor loading flipping the GFCIs.


Kind regards,
Ingo Flaschberger




Re: Cacti Bandwidth Monitoring

2010-11-29 Thread Ingo Flaschberger

Dear Peter,

I have a cacti server running and it has been working fine so far except for 
one interface which has an average of 150Mbps going through it now. Before 
when I had less than 120Mbps I got proper graphs but of late it gives me 
graphs of 20Mbps when it should be giving me the correct reading (150Mbps).


Is there a maximum bandwidth it graphs or can this be edited so that I get 
proper graphs?


32bit counters wrap with 100mbit in less than 5 minutes.

solutions:
run poller every 1 minute & update rrd's heartbeat
or use 64bit counters

Kind regards,
Ingo Flaschberger
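An added example (not from the thread) that shows the counter wrap the reply describes in numbers: a 64-bit "true" octet counter is advanced at a constant rate, sampled as a 32-bit value the way an SNMP agent exports ifInOctets, and the rate is recomputed from the delta. One wrap per interval is handled by modular subtraction; a longer interval hides the wrap and the graph under-reports. The 150 Mbit/s link and the 300 s / 60 s poll intervals are the figures from the question, used here as constructed inputs.

```c
/* Added example (not from the thread): why a 32-bit interface counter polled
 * every 5 minutes under-reports a 150 Mbit/s link, and why a 64-bit counter
 * or a shorter poll interval fixes it. */
#include <stdio.h>
#include <stdint.h>

#define MBIT 1000000.0

/* Difference between two 32-bit counter samples. Unsigned subtraction is
 * already modulo 2^32, which covers exactly one roll-over in the interval.
 * A second roll-over in the same interval is invisible; that aliasing is
 * what the simulation below shows. */
uint64_t counter_delta32(uint32_t prev, uint32_t cur)
{
    return (uint64_t)(uint32_t)(cur - prev);
}

/* Same for 64-bit (ifHCInOctets-style) counters. */
uint64_t counter_delta64(uint64_t prev, uint64_t cur)
{
    return cur - prev;
}

/* Seconds until a counter of the given width wraps at a constant rate. */
double seconds_to_wrap(int bits, double mbps)
{
    double bytes_per_s = mbps * MBIT / 8.0;
    double range = (bits == 64) ? 18446744073709551616.0 : 4294967296.0;
    return range / bytes_per_s;
}

/* Simulate one poll: a link carries `mbps` steadily, the true 64-bit octet
 * counter is sampled at t=0 and t=interval_s, truncated to `bits` wide as
 * the agent would export it, and the rate is computed from the delta.
 * Returns the rate the graph would show, in Mbit/s. */
double polled_rate_mbps(double mbps, double interval_s, int bits)
{
    uint64_t bytes_per_s = (uint64_t)(mbps * MBIT / 8.0);
    uint64_t true_prev = 123456789ULL;   /* arbitrary constructed start value */
    uint64_t true_cur  = true_prev + bytes_per_s * (uint64_t)interval_s;
    uint64_t delta;
    if (bits == 32)
        delta = counter_delta32((uint32_t)true_prev, (uint32_t)true_cur);
    else
        delta = counter_delta64(true_prev, true_cur);
    return (double)delta * 8.0 / interval_s / MBIT;
}

int main(void)
{
    printf("32-bit counter wraps after %.0f s at 100 Mbit/s, %.0f s at 150 Mbit/s\n",
           seconds_to_wrap(32, 100.0), seconds_to_wrap(32, 150.0));
    printf("150 Mbit/s link, 300 s poll, 32-bit counter: graph shows %.1f Mbit/s\n",
           polled_rate_mbps(150.0, 300.0, 32));
    printf("150 Mbit/s link,  60 s poll, 32-bit counter: graph shows %.1f Mbit/s\n",
           polled_rate_mbps(150.0, 60.0, 32));
    printf("150 Mbit/s link, 300 s poll, 64-bit counter: graph shows %.1f Mbit/s\n",
           polled_rate_mbps(150.0, 300.0, 64));
    return 0;
}
```

The 300 s / 32-bit case loses a full 2^32 bytes from the delta and reports roughly 35 Mbit/s for a 150 Mbit/s link; both fixes from the reply (a 1-minute poll, or 64-bit counters) bring it back to 150. Note that the poller's own rrd heartbeat has to follow the new interval, otherwise missed samples are stored as unknown.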




Re: wikileaks unreachable

2010-11-28 Thread Ingo Flaschberger

On Nov 28, 2010, at 4:46 PM, Andrew Kirch wrote:

On 11/28/2010 4:34 PM, Randy Bush wrote:

anyone know why https://www.wikileaks.org/ is not reachable?  nations
state level censors trying to close the barn door after the horse has
left?



Good riddance.  The sooner someone gives Julian Assange 230gr of shut
the f*** up, the better.


I find it distressing when Network Operators are willing to encourage DDoS'ing 
of a site.  Any site.  Especially on an operational list, where politics are 
specifically prohibited.

You don't like Wikileaks, that's between you & Julian.  A DDoS affects the 
infrastructure of multiple networks, users, other websites, etc., etc.  Most people 
who read the last sentence thought to themselves that is beyond obvious.  It is a 
shame you do not understand it.

Put another way, perhaps you should take your own 230gr.


++

Kind regards,
Ingo Flaschberger
--
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that
10 or 15 years from now, she will come to me and say 'Daddy, where were
you when they took freedom of the press away from the Internet?'
--Mike Godwin



Re: Migrating from PPP to DHCPo82

2010-11-08 Thread Ingo Flaschberger

Hi,


I work for an small ISP, which does traditional xDSL service with PPPoE.
Currently we are in the process of migrating most of our customers to
DHCP (some customers are getting new CPEs and some will be sw upgraded
remotely ). It would be great if someone has the time to share their
experience (on- or offline) from such a migration. Common pitfals and
perhaps what whey would do differently next time.
I know that every network is different but I believe that there are
some general concerns, specially around security of DHCP and security
features for vendors around DHCP and DHCP snooping etc.


option82 is great, but differs from vendor to vendor - I always use a 
custom string.


a pitfall is, when you try to give a dslam port a static ip with an 
isc-dhcpd, that's not possible. (I have modified isc-dhcpd to have a fixed 
size option82 hardware type).


also pools and leasetimes could be problematic, when getting low.


What about 802.1x, is that generally being deployed with option82?


more security - but not always supported, I have not yet tested or needed 
this feature.


Kind regards,
Ingo Flaschberger
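To make the option 82 discussion concrete, here is an added example (not code from the thread, from isc-dhcpd or from any vendor) of a bounds-checked parser for the DHCP relay agent information option (option 82, RFC 3046) with its circuit-id (sub-option 1) and remote-id (sub-option 2). The "custom string" the reply mentions is what the DSLAM puts in the circuit-id, and a server that keys leases on it has to treat it as untrusted input: every length byte is checked against the bytes actually present, and an id that does not fit is rejected rather than truncated, since a truncated id could collide with another port's. The packet bytes are constructed for this example.

```c
/* Added example (not from the thread): bounds-checked parser for the DHCP
 * relay agent information option (option 82, RFC 3046). */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

#define OPT_RELAY_AGENT   82
#define SUBOPT_CIRCUIT_ID  1
#define SUBOPT_REMOTE_ID   2
#define ID_MAX            64

struct relay_info {
    char circuit_id[ID_MAX + 1];   /* e.g. the DSLAM slot/port string */
    char remote_id[ID_MAX + 1];    /* e.g. a line or CPE identifier */
    size_t circuit_len, remote_len;
};

/* Copy a sub-option value into a fixed buffer. Values that do not fit are
 * rejected instead of truncated: a cut-off id could match another customer's
 * and hand out the wrong lease. Returns 0 on success, -1 otherwise. */
static int copy_id(char *dst, size_t *dst_len, const uint8_t *src, size_t len)
{
    if (len > ID_MAX) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';               /* ids are opaque bytes; the NUL only makes printing safe */
    *dst_len = len;
    return 0;
}

/* Parse one DHCP option starting at opt[0] == 82. `avail` is how many bytes
 * really are in the buffer; every length field is checked against it so a
 * relay (or anything pretending to be one) cannot make the server read past
 * the packet. Returns the number of recognised sub-options, or -1 if the
 * option is malformed. Unknown sub-options are skipped. */
int parse_option82(const uint8_t *opt, size_t avail, struct relay_info *out)
{
    memset(out, 0, sizeof *out);
    if (avail < 2 || opt[0] != OPT_RELAY_AGENT) return -1;
    size_t len = opt[1];
    if (len + 2 > avail) return -1;              /* option claims more than is present */
    const uint8_t *p = opt + 2, *end = opt + 2 + len;
    int found = 0;
    while (p < end) {
        if (end - p < 2) return -1;              /* sub-option header cut off */
        uint8_t code = p[0], slen = p[1];
        const uint8_t *val = p + 2;
        if (slen > end - val) return -1;         /* sub-option value cut off */
        if (code == SUBOPT_CIRCUIT_ID) {
            if (copy_id(out->circuit_id, &out->circuit_len, val, slen)) return -1;
            found++;
        } else if (code == SUBOPT_REMOTE_ID) {
            if (copy_id(out->remote_id, &out->remote_len, val, slen)) return -1;
            found++;
        }
        p = val + slen;
    }
    return found;
}

/* Constructed sample: option 82, length 21, carrying circuit-id "dslam1/3"
 * and remote-id "LINE-0042". */
const uint8_t SAMPLE_OK[] = {
    OPT_RELAY_AGENT, 21,
    SUBOPT_CIRCUIT_ID, 8, 'd','s','l','a','m','1','/','3',
    SUBOPT_REMOTE_ID,  9, 'L','I','N','E','-','0','0','4','2'
};

/* Constructed malformed sample: sub-option says 10 bytes, only 2 follow. */
const uint8_t SAMPLE_BAD[] = { OPT_RELAY_AGENT, 4, SUBOPT_CIRCUIT_ID, 10, 'a', 'b' };

int main(void)
{
    struct relay_info ri;
    int n = parse_option82(SAMPLE_OK, sizeof SAMPLE_OK, &ri);
    printf("good packet: %d sub-options, circuit-id=%s remote-id=%s\n",
           n, ri.circuit_id, ri.remote_id);
    printf("good packet truncated to 15 bytes: %d\n",
           parse_option82(SAMPLE_OK, 15, &ri));
    printf("bad sub-option length: %d\n",
           parse_option82(SAMPLE_BAD, sizeof SAMPLE_BAD, &ri));
    return 0;
}
```

In a server the circuit-id would be the lookup key for a per-port static assignment; keeping the raw length alongside the buffer matters because vendor circuit-ids are not necessarily printable text.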



Re: How to have open more than 65k concurrent connections?

2010-10-14 Thread Ingo Flaschberger


and do not forget the ulimit and the select limit of maximum open selects - 
but they can be tuned.




Re: BGP next-hop

2010-09-30 Thread Ingo Flaschberger

i was recently bitten by a cousin of this

research router getting an ebgp multi-hop full feed from 147.28.0.1
(address is relevant)

it is on a lan with a default gateway 42.666.77.11 (address not
relevant), so it has

   ip route 0.0.0.0  0.0.0.0  42.666.77.11

massive flapping results.

it seems it gets the bgp route for 147.28.0.0/16 and then can not
resolve the next hop.  it would not recurse to the default exit.

of course it was solved by

   ip route 147.28.0.0  255.255.0.0  42.666.77.11

but i do not really understand in my heart why i needed to do this.


last time, several years ago on cisco, I used a route-map to rewrite the 
next-hop.

route-map xx-in permit 10
 set ip next-hop 42.666.77.11
route-map xx-out permit 10
 set ip next-hop x.x.x.x

 neighbor 147.28.0.1 remote-as yyy
 neighbor 147.28.0.1 ebgp-multihop 8
 neighbor 147.28.0.1 route-map xx-in in
 neighbor 147.28.0.1 route-map xx-out out

something like this.






Re: Software-based Border Router

2010-09-29 Thread Ingo Flaschberger

What's the real-world power consumption and heat like? 455 days shows
some pretty good reliability!


I reached more than 700 days - then power cycle due (planned) power 
maintenance works.




Re: Routers in Data Centers

2010-09-27 Thread Ingo Flaschberger

But it seems, that NetFPGA has not enough memory to hold a full view
(current 340k routes).


It's just a development platform for prototyping designs, not
something you would use in production...
I want to use it to implement and test ideas that I have, and play
with some different forwarding architectures, not use it as a final
product :)


also, does a datacenter router/switch need a full table? isn't that
the job of the peering/transit routers in your scheme?



In my small network the datacenter router is also the peering/transit 
router.





Re: Software-based Border Router

2010-09-26 Thread Ingo Flaschberger



Another big problem for Linux/Unix-based routers of this size/cost is
upgrade-ability.   If you need to add cards, you are going to have to bring
the router down for extended periods.   Likewise, a software upgrade can be
a bigger deal than on a purpose designed router.   If a router is mission
critical, Linux/Unixed-based has issues over extended periods.


depends on knowledge, as mentioned in previous post.

I have 2 software based border routers - no problem bringing one down.
700kpps for 1200eur that can handle a full view.

and changing line-cards - could be really funny at c6500.

kind regards,
Ingo Flaschberger



Re: Routers in Data Centers

2010-09-26 Thread Ingo Flaschberger

I'm more than interested in developing a much cheaper, hardware
forwarding router..
I think there is a lot of room for innovation - especially at the
target market in this thread.
If anyone wants to work with me on this, just let me know!
I've got a tonne of ideas and a bit of free time..

NetFPGA is a good platform, im saving my pennies to buy one and do
some development.
Its only a 4 port device, so not a device you would really use in
production however.


But it seems, that NetFPGA has not enough memory to hold a full view 
(current 340k routes).





Re: Sending ARP request to unicast MAC instead of broadcast MAC address?

2010-06-16 Thread Ingo Flaschberger

Dear Chris,


OK, this sounds Really Wacky (or, Really Hacky if you're into puns) but there's 
a reason for it, I swear...

Will typical OSS UNIX kernels (Linux, BSD, MacOS X, etc) reply to a crafted ARP 
request that, instead of having FF:FF:FF:FF:FF:FF as its destination MAC 
address, is instead sent to the already-known unicast MAC address of the host?

Try or read kernel source.


Next, what would be your utility of choice for crafting such a packet? Or is 
this something one would need to code up by hand in a lower-level language?


http://www.perihel.at/sec/mz/
should be able to do this.

Kind regards,
Ingo Flaschberger




Re: BGP convergence problem

2010-06-08 Thread Ingo Flaschberger

Dear Andy


This morning there was an ethernet loop problem on DECIX, causing many
BGP sessions to flap throughout the entire platform.
While this can happen, I am myself facing with BGP convergence
problems on our DECIX router (SUP720-3BXL with IOS SXI3).

De DECIX loop has been solved two hours ago, but my BGP sessions are
still flapping and not converging at all. This has been flooding our
logs, and is still going on:


route half or more of the peering-network to Null - lowering bgp session 
up's.

(at the other side, your bgp-router seems to be overloaded).

Kind regards,
Ingo Flaschberger




RE: Mikrotik BGP Question

2010-05-23 Thread Ingo Flaschberger

Dear Lorell,


We will implement OSPF.


so what arguments speak against 2 bgp upstreams?

Kind regards,
Ingo Flaschberger




RE: Mikrotik BGP Question

2010-05-22 Thread Ingo Flaschberger

Dear Lorell,


We are putting a private PTP metro ethernet (fiber based) link between the
two locations.  And both locations will have one internet connection.


this network between should be no problem,
what routing protocols do you use in your network? ospf?

Kind regards,
Ingo Flaschberger




Re: Mikrotik BGP Question

2010-05-21 Thread Ingo Flaschberger

Dear Lorell,


My question is about BGP on the Mikrotik platform.  The guy who I am
supplanting swears that we are supposed to be bringing the second internet
link to the same place as the first internet link for BGP to work properly.
Obviously that is not true with major brand routers which would do the BGP
job just fine.  (And he's the same guy that has bridged this whole network,
so it is easy to disbelieve his opinion.)  But maybe he knows that Mikrotik
can't perform BGP in the same way that other routers can.

So here's the question.  Is there something about running BGP on a Mikrotik
platform that precludes having the internet connections come in at different
locations?


That depends on the network in between these two locations.
There could be a lot of good reasons why this is not a good idea; please 
bring some light into this.


Kind regards,
Ingo Flaschberger




Re: BGP Transit AS

2010-05-20 Thread Ingo Flaschberger

Dear Rafael,


Is this solution right ? What is the better solution for this
scenario? How large ISPs solve this kind of problem?


communities (filters) help to scale.

for example lambdanet communities:
remarks:Prepend communities to modify announcements to peers
remarks:
remarks:13237:3811n announcements to AS12322 (Free)
remarks:13237:3812n announcements to AS3356 (Level3)
remarks:13237:3813n announcements to AS8220 (COLT)
remarks:13237:3814n announcements to AS286  (KPN Eurorings)
remarks:13237:3815n announcements to AS3303 (Swisscom)
remarks:13237:3818n announcements to AS9121 (TurkTelekom)
remarks:13237:3824n announcements to AS2914 (Verio)
remarks:13237:3825n announcements to AS4766 (Korea Telecom)
remarks:13237:3826n announcements to AS3491 (BtN)
remarks:13237:3828n announcements to AS8928 (Interoute)
remarks:13237:3830n announcements to AS1257 (Swipnet)
remarks:13237:3831n announcements to AS3292 (TeleDanmark)
remarks:13237:3832n announcements to AS3209 (Arcor)
remarks:13237:3833n announcements to AS3320 (DTAG)
remarks:13237:3835n announcements to AS6805 (Telefonica DE)
remarks:13237:3836n announcements to AS8447 (Telekom AT)
remarks:13237:3837n announcements to AS8881 (Versatel DE)
remarks:13237:3838n announcements to AS13184 (Hansenet)
remarks:13237:3855n announcements to AS6830 (Chello)
remarks:13237:3860n announcements to AS3257 (Tiscali Int.)
remarks:13237:3865n announcements to AS702  (MCI EU)
remarks:13237:3866n announcements to AS3549 (Global Crossing)
remarks:13237:3869n announcements to AS6453 (Tata/Teleglobe)
remarks:13237:3870n announcements to AS20676 (QSC)
remarks:13237:3876n announcements to AS2856 (BT UK)
remarks:13237:3877n announcements to AS2119 (Telenor)
remarks:13237:3891n announcements to AS1299 (TeliaSonera)
remarks:13237:3892n announcements to AS6461 (Abovenet)
remarks:
remarks:with n = 0,1,2,3 meaning
remarks:n = 0 do not announce to peer
remarks:n = 1 prepend AS13237
remarks:n = 2 prepend AS13237 AS13237
remarks:n = 3 prepend AS13237 AS13237 AS13237

Kind regards,
Ingo Flaschberger
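How a prepend-community scheme like the lambdanet one quoted above is applied on export, as an added example that is not part of the original post. The community encoding (13237:38xxn) follows the quoted whois remarks; the peer subset, the customer route (AS64500, a documentation ASN) and the assumption that the local AS is prepended once on every eBGP export anyway are constructed for this example.

```python
# Added example, not from the original post: applying a prepend-community
# scheme like the lambdanet one quoted above at export time.
# Community encoding follows the quoted whois remarks (13237:38xxn); the
# peer subset, the route and the interpretation of n are assumptions.
import re
from typing import Dict, List, Optional, Tuple

LOCAL_AS = 13237

# 4-digit base (community value without the trailing n) -> peer AS,
# a subset of the quoted remarks.
PREPEND_TARGETS: Dict[int, int] = {
    3811: 12322,  # Free
    3812: 3356,   # Level3
    3813: 8220,   # COLT
    3833: 3320,   # DTAG
    3836: 8447,   # Telekom AT
}

COMMUNITY_RE = re.compile(r"^(\d{1,5}):(\d{1,5})$")


def decode_prepend_community(community: str) -> Optional[Tuple[int, int]]:
    """Return (peer_as, n) for a community of the form 13237:38xxn.

    Anything else (foreign AS, unknown base, n outside 0..3) yields None,
    so unrelated communities on the route are simply ignored.
    """
    m = COMMUNITY_RE.match(community)
    if not m or int(m.group(1)) != LOCAL_AS:
        return None
    value = m.group(2)
    if len(value) != 5:
        return None
    base, n = int(value[:4]), int(value[4])
    if base not in PREPEND_TARGETS or n > 3:
        return None
    return PREPEND_TARGETS[base], n


def export_as_path(as_path: List[int], communities: List[str],
                   peer_as: int) -> Optional[List[int]]:
    """AS_PATH as announced to peer_as, or None when the route is suppressed.

    Assumption: the local AS is prepended once on every eBGP export anyway,
    and n adds that many further copies (n = 0 means "do not announce to
    peer", as the quoted remarks say).
    """
    extra = 0
    for community in communities:
        decoded = decode_prepend_community(community)
        if decoded is None or decoded[0] != peer_as:
            continue
        if decoded[1] == 0:
            return None
        extra = max(extra, decoded[1])
    return [LOCAL_AS] * (1 + extra) + as_path


def export_to_all(as_path: List[int], communities: List[str],
                  peers: List[int]) -> Dict[int, Optional[List[int]]]:
    """Per-peer announcement view for one customer route."""
    return {p: export_as_path(as_path, communities, p) for p in peers}


if __name__ == "__main__":
    # Constructed customer route from AS64500, tagged "prepend twice
    # towards Level3, do not announce to Free"; 65000:1 is unrelated.
    view = export_to_all([64500], ["13237:38122", "13237:38110", "65000:1"],
                         [3356, 12322, 8220])
    for peer, path in sorted(view.items()):
        print(peer, "suppressed" if path is None else " ".join(map(str, path)))
```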





Re: POE switches and lightning

2010-05-14 Thread Ingo Flaschberger
We had a lightning strike nearby yesterday that looks to have come inside 
our facility via a feeder circuit that goes outdoors underground to our 
facility's gate.


Perhaps there was a shift of the earth level relative to the neutral 
line.
I have no idea how neutral-line to earth potential is handled in the US, but 
here in Austria we use a so-called Nullung.
That means that the earth-ground potential line of the building (which 
also includes the lightning conductor) is connected to the neutral power 
line where it enters the building, keeping this potential difference low.


There's also a potential between earth ground and the neutral phase of the 
online UPS.


The ethernet cables: UTP or STP?
Panels correctly earthed?

Perhaps an electrician should check the earthing.

Also all copper lines that enter the building should be protected by 
lightning protectors.


Kind regards,
Ingo Flaschberger



sync attack from cox.net

2010-04-22 Thread Ingo Flaschberger

Hi,

can please someone from cox.net contact me?
I have been receiving a syn-attack from their network for more than 24 hours now -
and the abuse contact does not react.

Kind regards,
ingo flaschberger

geschaeftsleitung

crossip communications gmbh
A-1020 Wien, Sebastian Kneipp Gasse 1
Tel: +43-1-7261522-0
Fax: +43-1-726 15 22-111
www.crossip.net
___
crossip communications gmbh
Sitz der Gesellschaft: 1020 Wien, Oesterreich
Firmenbuchgericht: Handelsgericht Wien, FN 269698 s

Umsatzsteueridentifikationsnummer (UID): ATU62080367


This message is not legally binding upon crossip communications gbmbh and
is intended only for use by the named addressee and may contain privileged
and/or confidential information. If you are not the named addressee, you
should not disseminate, copy, or take any action in reliance on it. If you
have received this message in error, please immediately notify the sender
and delete this message and any attachment.
Thank you.



cisco as pptp client

2010-03-18 Thread Ingo Flaschberger

Hi,

I'm searching for a working (if possible) configuration for a cisco 1841 as 
pptp client. The 1841 should do a pptp dialin to another cisco via 
ethernet port.


Kind regards,
Ingo Flaschberger




Re: NEED ANY LINK OR SAMPLE TEMPLATE FOR ROUTINE NETWORK (ISP)

2010-03-16 Thread Ingo Flaschberger


and never forget to check the circuit breakers for good grounding,
preferably use an etherkill(tm) cable - but be aware that there is 
currently no such cable available for fiber optics.


If you are unsure whether your fiber cables are properly grounded, try to use
an optical isolation transformer.

Kind regards,
ingo flaschberger



Re: .se disappeared?

2009-10-13 Thread Ingo Flaschberger

Hi,

.se statement:
http://www.iis.se/en/2009/10/13/felaktig-dns-information/

Kind regards,
ingo flaschberger



hotmail send bare LF

2009-10-08 Thread Ingo Flaschberger

Hi,

it seems that hotmail sends a bare LF in the added signature
(and violates the RFC).

qmail drops the connection afterwards:
451 See http://pobox.com/~djb/docs/smtplf.html

no helpful response from hotmail:
https://windowslivehelp.com/community/t/121824.aspx


Kind regards,
Ingo Flaschberger




Re: hotmail send bare LF

2009-10-08 Thread Ingo Flaschberger

Hi,


it seems that hotmail sends a bare LF in the added signature
(and violates the RFC).

qmail drops the connection afterwards:
451 See http://pobox.com/~djb/docs/smtplf.html

no helpful response from hotmail:
https://windowslivehelp.com/community/t/121824.aspx


Kind regards,
Ingo Flaschberger


Which added signature?


hotmail added:

006A  52 65 63 65 69 76 65 64  3a 20 66 72 6f 6d 20 53 Received : from S
007A  4e 54 31 32 34 2d 57 32  38 20 28 5b 36 35 2e 35 NT124-W2 8 ([65.5
008A  35 2e 39 30 2e 37 5d 29  20 62   5.90.7])  b
0094  b5 c4 d3 ca bc fe 2d 2d  0d 0a 46 72 6f 6d 3a 20 ..-- ..From:
(removed)
(removed)
00BE  b0 cf e4 a1 a3 b1 be b3  b5 bc db b8 f1 ca c7 34  ...4
00CE  33 30 d4 aa a3 ac d5 e2  bf c9 ca c7 c5 e4 cc d7 30.. 
00DE  c6 eb c8 ab b5 c4 bc db  b8 f1    ..
00E8  0d 0a 0d 0a d2 f8 c9 ab  b5 c4 0d 0a 0d 0a 0d 0a  
00F8  b4 cb d6 f7 cc e2 cf e0  b9 d8 cd bc c6 ac c8 e7  
0108  cf c2 a3 ba 0d 0a 0d 0a  0d 0a    ..
0112  a2 bf cc cf c2 d4 d8 a3  a1 0d 0a 0d 0a 0d 0a 0d  
0122  0a ca b9 d3 c3 d0 c2 d2  bb b4 fa 20 57 69 6e 64  ... Wind
0132  6f 77 73 20 4c 69 76 65  20 4d   ows Live  M
013C  b5 bd d5 e2 bf c9 b0 ae  b5 c4 b3 b5 b3 b5 ba f3  
014C  be cd c4 dc bf aa d0 c4  b5 c4 c6 ef d7 c5 cb fc  
015C  a3 ac cb f9 d2 d4 ce d2  be a1    ..
0166  0a 0d 0a cd fe cd fb a3  ba 30 0d 0a 0d 0a ce c4  .0..
  ^^
here
0176  d5 c2 a3 ba 32 38 36 0d  0a 0d 0a b9 b1 cf d7 a3 286. 
0186  ba 31 39 37 34 0d 0a 0d  0a d7   .1974... ..

Kind regards,
Ingo Flaschberger
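The check qmail is applying here (the 451 pointing at smtplf.html), written out as an added example that is not part of the original posts: RFC 5321 requires every line of DATA to end in CRLF, and a 0x0a not preceded by 0x0d, like the one marked "here" in the dump, is a bare LF. The sample message below is constructed, not the actual Hotmail message.

```python
# Added example, not part of the original post: the bare-LF check a strict
# SMTP server such as qmail applies to DATA, plus the sender-side fix.
from typing import List, Tuple

SMTPLF_URL = "http://pobox.com/~djb/docs/smtplf.html"


def find_bare_lf(data: bytes) -> List[int]:
    """Byte offsets of every LF (0x0a) not immediately preceded by CR (0x0d)."""
    return [i for i, b in enumerate(data)
            if b == 0x0A and (i == 0 or data[i - 1] != 0x0D)]


def find_bare_cr(data: bytes) -> List[int]:
    """Byte offsets of every CR not immediately followed by LF (also forbidden)."""
    return [i for i, b in enumerate(data)
            if b == 0x0D and (i + 1 == len(data) or data[i + 1] != 0x0A)]


def check_smtp_data(data: bytes) -> Tuple[int, str]:
    """Reply a strict server gives for this DATA: 451 on bare LF/CR, else 250."""
    bad = sorted(find_bare_lf(data) + find_bare_cr(data))
    if bad:
        return 451, "See %s (first bad byte at offset %d)" % (SMTPLF_URL, bad[0])
    return 250, "ok"


def normalize_crlf(data: bytes) -> bytes:
    """Canonicalise line endings to CRLF without doubling existing CRLF pairs.

    This belongs on the sending side, before DATA; a receiving server should
    reject rather than silently repair, which is what qmail does.
    """
    return (data.replace(b"\r\n", b"\n")
                .replace(b"\r", b"\n")
                .replace(b"\n", b"\r\n"))


# Constructed sample message (not the real Hotmail one): headers and body
# are correct, the appended signature separator line ends in a bare LF.
SAMPLE = (b"From: a@example.com\r\n"
          b"Subject: test\r\n"
          b"\r\n"
          b"body line\r\n"
          b"-- \n"
          b"signature\r\n")

if __name__ == "__main__":
    print(check_smtp_data(SAMPLE))                  # 451 with offset of the bare LF
    print(check_smtp_data(normalize_crlf(SAMPLE)))  # 250 after the sender fixes it
```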




Re: Google Pagerank and Class-C Addresses

2009-09-21 Thread Ingo Flaschberger

Hey,

I should tell my customers that the cross sum of the domain's IP
also counts towards the pagerank, and the IP 255.255.255.255 is the best of all.

bye,
ingo flaschberger



Re: Opensource or Low Cost NMS for Server Hardware / Application Monitoring

2009-07-21 Thread Ingo Flaschberger



Munin

http://munin.projects.linpro.no/


- has an API to nagios

and cacti: www.cacti.net
(with add-on plugins, e.g. weathermap)

cricket: http://cricket.sourceforge.net/

munin, cacti and cricket are more graphing than alerting (nagios) systems

Kind regards,
Ingo Flaschberger



Re: Data centre info

2009-05-07 Thread Ingo Flaschberger

Dear Deric,


Any suggestion about data center

1/ to put on the switch in rack?


Top


eg: top. middle or bottom position

2/ There is no raise floor
- adv


hot/cold corridor solution (air conditioning standing between racks, APC has 
solutions)

easy cabling


- disadv


you can not hide cables

kind regards,
Ingo Flaschberger




[quagga-users 10587] bgpd crash - apologies (fwd)

2009-05-03 Thread Ingo Flaschberger

-- Forwarded message --
Date: Mon, 04 May 2009 00:38:54 +0300
From: Geert Jan de Groot geertjan.degr...@xs4all.nl
To: quagga-us...@lists.quagga.net
Subject: [quagga-users 10587]  bgpd crash - apologies



Hello,

I learned today that a BGP announcement for which I am the tech-c,
is causing difficulties with Quagga. First of all, I apologise;
it's only today that I heard about these difficulties.

I arrived less than 20 hours ago in Cairo as part of a setup-team
for the upcoming AfNOG-10 meeting. We will be multi-homed this time,
and hence applied for (and obtained) an ASN. Per RIR-policy active since
1-1-2009, these ASNs are 32-bit ASNs so AS327686 (AS5.6) is what
is used.

Currently, the local host team is provisioning links etc
and hence you may have seen this problem come and go.
I do not know why they choose to do prepending, but suspect
it has to do with ability to set policy.

I have a very, very long list of things to set up for the conference
but will try any of the workarounds that have been suggested
to me today.
At the same time, I kindly but strongly ask to implement
the fix that has been posted on various lists.

One of the aims of this setup is to demonstrate that 32-bit ASNs
do work and people should not steer away from them, especially
since the pool of 16-bit ASNs is shrinking fast.
A showcase network goes a long way in this regard.
I do apologise for this unexpected, undesired side-effect.
This was obviously not intended, and I apologise.

It was 1996 when Paul Traina, at that time with Cisco, was
doing AS path prepending for the very first time.
This caused an assertion error with gated, which
(among others) ANS was using at that time.
I did administer AS back then and my gated boxes, too,
did crash, so I have been victimized myself before.
It is perhaps ironic that 12 years later I'm again involved.

Again, my sincere apologies.

Geert Jan

___
Quagga-users mailing list
quagga-us...@lists.quagga.net
http://lists.quagga.net/mailman/listinfo/quagga-users



Re: Documentation of switch maps

2009-02-26 Thread Ingo Flaschberger

Dear Blake,

Had a customer come to me this morning who wanted to create a document 
for their switching infrastructure and thought I would bounce it off the 
rest of the world on how you usually do this.  Typically I use a 
spreadsheet with outlines to define the switch and then outlines for 
the ports and color coding for vlan's as well as a description of the 
port.  Curious what other people are doing, as this would be a huge 
undertaking for a customer who is using an entire /19 of rfc 1918 ip 
addresses and has well over 150 switches and 40 active vlans.  The want 
to be able to look at this document and pull up any switch and look at 
the port and be able to see what vlan the port is on, as well as what 
device it is connected to as well as port channel membership, trunks and 
other fun things like that.  Needless to say their documentation is 
lacking on the physical connectivity however their cisco infrastructure 
does have labels on every port that goes to a named device outside of 
the DHCP pools.  Thoughts?


I use wiki.

1 page per switch:
switchname...10.0.0.20
-
1   uplink
2   server2
.
24  downlink

1 page per vlan:
102   MYVLAN
-
ip: 10.0.1.0/24
ports:  sw1: 1+, 2, 3, 24+
        sw2: 1+, 4, 5

+ means tagged

kind regards,
Ingo Flaschberger



Re: real hardware router VS linux router

2009-02-19 Thread Ingo Flaschberger


this platform can handle about
100.000pps and 400mbit 1500byte packets with freebsd
http://lannerinc.com/Network_Application_Platforms/x86_Network_Appliance/1U_Network_Appliances/FW-7550
hardware:
4x pci 32bit, 33mhz intel gbit
1gb cf-card
1gb ram

with this hardware even more pps should be possible:
http://www.axiomtek.de/network_appliances/network_appliances/smb_network_security_platform/na820.html
hardware:
7x pcie (1lane each) connected network

at the freebsd-net mailing list people achieved nearly 1.000.000pps with 
servers (hp servers)


I suggest using the freebsd os if quagga is the routing daemon, as 
quagga runs more stably there than on linux.


I currently have 300 days uptime at my border routers (2x FW-7550); last 
week I had a peak with 230mbit/s, no problem to handle.


Kind regards,
ingo flaschberger



Re: Gigabit Linux Routers

2008-12-19 Thread Ingo Flaschberger

Dear Joe,


Yes, but the point was that the feature was listed as simple traffic
shaping.  You can do *complicated* traffic shaping too, which was the
reason I commented on that.  Usually the ability to do complicated
traffic shaping means you can do simple traffic shaping too.  ;-)


with linux?
really?


Mmm, generally, it looks to me like it works, but the above is the
entirety of my testing, so I could easily be wrong.


you have ospf between these 2 boxes?
show me the routing table.
do a failover and show the routing table again.


*) carp is i bound, carp-dev like openbsd is in development
(not sure if already stable)


You mean inbound?  Well, yes.  That's reasonably practical.  It isn't
entirely clear what other paradigms would look like (i.e. if the host
system didn't have a native address on the wire), though several ideas
spring to mind.

Am I correct in assuming that you mean to have no native interface on
the network in question, and only a CARP interface?  Or am I reading in
between the lines incorrectly?


only carp-int has the ip's.


*) if carp switch over:
t=0: A is master, has route 192.168.0.1/24
 B has route 192.168.0.1/24 via ospf
t=1: A goes down, route disappears (need linkstate in ospf)
t=2: B carp takes over 192.168.0.1/24
B can not add 192.168.0.1/24 route as it is still
known via ospf
t=3: B gets update to remove route 192.168.0.1/24 via ospf
t=4: 192.168.0.1/24 route has disappeared, failover broken.

with ucarp, some special scripts and source code changed I was able
to handle this situation, but not with carp and ospf (at least at
freebsd 6.3)


I agree that this is a problematic scenario.  FreeBSD 5.* and 6.* are
pretty worthless to us, so we've pretty much jumped from 4 to 7, and
so my knowledge of the networking improvements in between are limited.


I have not yet tested freebsd 7, as the multicast kernel interface 
changed and quagga ospf broke. Also I need(ed) a stable platform.



Under FreeBSD 4, there is indeed a great deal of pain associated with
routes coming in via a routing protocol that are also theoretically
available on a directly-attached interface.

I just tried downing rtr1: vlan20 on the above (which is FreeBSD 7,
obviously) and from rtr1's PoV the network did move correctly to an
alternate route via OSPF, but upon re-enabling the vlan20 interface,
the OSPF route remained.  Now, it seemed to all work again when I
did the following:


yes, that's the problem.


# ifconfig vlan20 up
# route delete -net 206.55.68.192
# ifconfig vlan20 inet 206.55.68.195 netmask 0xffe0


I have changed ucarp to do so, but you also need
gratuitous arp and such stuff to get a real, flawless failover.


which re-established the local link.  That's not ideal, but it is a lot
better than FreeBSD 4, where things were just breaking all over if you
did strange things like this.

For most important things around here, we use OSPF with stub routes so
the failure of a particular ethernet is not necessarily of great concern,
but it would be nice to see things like this know how to DTRT.


DTRT?

Kind regards,
Ingo Flaschberger



Re: Gigabit Linux Routers

2008-12-19 Thread Ingo Flaschberger

Dear Joe,


I did that experiment below.  I didn't grab snapshots of the routing table
at the time, but I described the effect.  Essentially, upon downing of the
interface, the local link via the vlan20 interface went away, and was
promptly replaced by the OSPF route (generally good/desirable).  Further
discussion was in my previous message.


I'm not sure if this setup would ever be stable,
also with ucarp tweaks.
hopefully freebsd soon supports more than 1 route.


only carp-int has the ip's.


Really?  Interesting.  I'm trying to think of how that would be configured.
How does the system identify which ethernet interface to use, or is this
something that's specific to Linux?


I'm not sure how I have configured that (~6 months ago).
Now with ucarp I use a /32 for the interfaces as ip and
the virtual ip is added as an alias.


I'm aware of the Quagga OSPF issues, having grinched about them a number
of times in various places.  For what it is worth, there's a patch that
appears to work, but which was thought to not really be a correct fix.
Several people, including us, however, are using it with apparent success.


As far as I remember, freebsd changed the multicast interface to 
linux style. Source code seems to be already there, only the makefile needs to 
be changed, to support freebsd 7 and 7.


Kind regards,
Ingo Flaschberger



Re: Gigabit Linux Routers

2008-12-18 Thread Ingo Flaschberger

Dear Chris,


One final quick question on the NICs if I can. Following Mike's suggestion
about specific Intel chipsets (82575 or 82576) it looks like it's much
easier to source the chipsets mentioned by David (82571EB). If these NICs
are embedded on the motherboard is it going to be of disadvantage in terms
of performance ? I take the point of the interrupts being the key, kindly
thrown into the mix by Eugeniu.


For a new system you should go with pci-e cards.


A nice man called John mailed me off list and mentioned this off-the-shelf
build. On that note does anyone have any experience of Lannerinc's
appliances mentioned above by Ingo


I have posted those off-list, for the list:
http://www.lannerinc.com/DM/FW-7550_DM.pdf
pros: cheap, cf-disk support, low power (~50W)
cons: only 1GB Ram (enough for 1million routes),
pci-connected intel 82541GI, 32bit, 33MHZ
acpi max-temp is set too low in bios and needs
an acpi-aml file to be loaded

http://www.axiomtek.de/uploads/na-820.pdf
pros: 7x pci-e
www.endian.com use them.
http://www.endian.com/en/products/hardware/macro-x2/

OS:
Freebsd:
pros: very stable, quagga runs very well, fastforwarding support,
simple traffic shaping, interrupt less polling supported
cons: only 1 route for each network, vrrp failover is not easy to
implement with quagga and ospf, no multipath routing
Linux:
pros: more than 1 route for each network possible,
interrupt less polling should be supported?
fastforwarding ?
cons: no multipath routing

Cpu's:
Single-core cpus perform better at freebsd than multi-core ones

At the freebsd-net mailing list there is a very long thread about 
freebsd routers.


Kind regards,
Ingo Flaschberger



Re: Gigabit Linux Routers

2008-12-18 Thread Ingo Flaschberger

Dear Joe,


Several different traffic shaping strategies are available, and I think
all of them go far beyond simple.


ipfw 100 add pipe 1 all from 192.168.0.0/24 to any xmit vlan1
ipfw pipe 1 config bw 95Mbit/s queue 200Kbytes

that's simple.


cons: only 1 route for each network, vrrp failover is not easy to
implement with quagga and ospf, no multipath routing


carp seems easy to implement, even with quagga and ospf.  At least, it's
set up on a lab setup here and everything appears to work as expected.


example setup:

A(ospf)-----B
 \         /
  \       /
   \     /
    \   /
     \ /
    lan1

A and B share 1 virtual ip for lan1 (192.168.0.1/24).
problems:
*) only 1 ip-net supported (no aliases)
*) carp is i bound, carp-dev like openbsd is in development
(not sure if already stable)
*) if carp switch over:
t=0: A is master, has route 192.168.0.1/24
 B has route 192.168.0.1/24 via ospf
t=1: A goes down, route disappears (need linkstate in ospf)
t=2: B carp takes over 192.168.0.1/24
B can not add 192.168.0.1/24 route as it is still
known via ospf
t=3: B gets update to remove route 192.168.0.1/24 via ospf
t=4: 192.168.0.1/24 route has disappeared, failover broken.

with ucarp, some special scripts and source code changed I was able
to handle this situation, but not with carp and ospf (at least at
freebsd 6.3)

Kind regards,
Ingo Flaschberger





Re: prefix hijack by ASN 8997

2008-09-23 Thread Ingo Flaschberger

Hi,

http://www.msk-ix.ru/network/traffic.html
it was 12:00 moscow local time.

Kind regards,
ingo flaschberger



Re: prefix hijack by ASN 8997

2008-09-23 Thread Ingo Flaschberger

Hi


http://www.msk-ix.ru/network/traffic.html
it was 12:00 moscow local time.


sorry, 13:xx

TIME: 09/22/08 09:30:05
TYPE: BGP4MP/MESSAGE/Update
FROM: 193.232.244.36 AS2895
TO: 193.232.244.114 AS12654
ORIGIN: IGP
ASPATH: 2895 3267 8997
NEXT_HOP: 193.232.244.36
ANNOUNCE

GMT+4

Kind regards,
ingo flaschberger





sharktech.net hosts irc-server for botnets

2008-08-27 Thread Ingo Flaschberger

Dear community,

sharktech.net hosts an irc server for botnets and does not respond to
abuse notifications.

Kind regards,
ingo flaschberger

geschaeftsleitung
---
netstorage-crossip-flat:fee
powered by
crossip communications gmbh
---
sebastian kneipp gasse 1
a-1020 wien
fix: +43-1-726 15 22-217
fax: +43-1-726 15 22-111
---



Re: easy way to scan for issues with path mtu discovery?

2008-06-24 Thread Ingo Flaschberger

Dear Patrick,

Does anyone know of an easy way to scan for issues with path mtu 
discovery along a hop path?  E.g. if you think someone is ICMP 
black-holing along a route, or even on the endpoint host, could you use 
some obscure nmap flag to find out for sure, and also to identify the 
offending hop/router/host?  What tool would you use to test for this, 
and how would you do such a test?  Is there any probing tool that does 
checks like this automatically?


Seems to me this happens often enough that someone has probably already 
figured it out, so I am trying not to reinvent the wheel.  All I can 
think of would be to handcraft packets of steadily increasing sizes and 
look for replies from each hop on the route (which would be laborious at 
best).  Google has not been kind to my researches so far.


If you have a cisco router:
ping
Protocol [ip]:
Target IP address: x.x.x.x
Repeat count [5]:
Datagram size [100]: 1500
Timeout in seconds [2]: 1
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]: yes
Validate reply data? [no]: yes
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]: y
Sweep min size [36]:
Sweep max size [18024]: 1500
Sweep interval [1]:

Kind regards,
Ingo Flaschberger




Re: PPPoE over L2TP over GigE questions

2008-06-11 Thread Ingo Flaschberger

Dear Mezei,


Would the L2TP payload be an ethernet packet which contains a PPPoE
packet, or would the L2TP payload be the PPPoE packet only ?


ppp frame in l2tp (udp packet).
http://www.faqs.org/rfcs/rfc2661.html
5.0 Protocol Operation

l2tp is designed for minimal overhead.


Also, while I am at it:

Architecturally, is a BAS considered a router, or a bridge/switch ?
(since the PPPoE packet has no routing information (source,
destination), it is the BAS which maintains the table of
source/destination for each PPPoE session ID. Yet, the BAS machines are
supposedly Juniper ERX routers in Bell territory...


the BAS is a LAC (L2TP Access Concentrator), which pre-authenticates the pppoe 
session, creates, if needed, an L2TP tunnel to an LNS (L2TP Network Server), 
and handles the authentication between client (pppoe) and LNS.
L2TP uses one tunnel for one LAC - LNS link, meaning more than one pppoe 
tunnel uses one L2TP tunnel link.




And while I am at it:


From the end user point of view, the ADSL modem sends all ATM frames to

a predetermined ATM destination (VPI/VCI). I assume that VPI/VCI points
to the BAS.


Depends on network design.
As adsl uses ATM as line protocol, you need VPI/VCI.
protocol stack:
pppoe
ethernet
ATM

at the provider side you have various options.
it is very common that the dslam that terminates the adsl line has an 
ethernet upstream port.



How does the BAS address ATM packets back to an individual subscriber ?
Do each subscribers get their own VPI/VCI that points to the right port
on the right DSLAM ?


That is done via ppp(oe) authentication.


And in cases where the telcos are extending the ethernet to the DSLAM,
with the fragmentation into multiple ATM frames limited to the ADSL link
itself, how does the BAS address invididual customers ? Does each ADSL
port on the DSLAM get its own ethernet address ?


pppoe is ethernet, so they use the mac address of the pppoe source (client 
pc, adsl modem, whatever)



(since some services do not use PPPoE, I have to assume that the DSLAM
doesn't base its packet switching on PPPoE session IDs.)


pppoe is commonly used for large scale setups.
but you can also build a network without pppoe and plain ethernet.

Kind regards,
Ingo Flaschberger
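What the LAC actually puts into the L2TP payload ("ppp frame in l2tp", not the Ethernet or PPPoE headers), as an added example that is not part of the original post. Header layout follows RFC 2516 (PPPoE session stage) and RFC 2661 (L2TPv2 data message, T=0, L bit set, no sequencing); the MACs, tunnel/session IDs, the PPP frame and the choice to keep the HDLC address/control bytes 0xff 0x03 in front of the PPP frame are assumptions made for this example.

```python
# Added example, not from the original post: what a LAC puts into the L2TP
# payload. Layout follows RFC 2516 (PPPoE session stage) and RFC 2661
# (L2TPv2 data message: T=0, L bit set, no sequencing). MACs, IDs and the
# PPP frame used below are constructed sample values.
import struct
from typing import Optional, Tuple

ETHERTYPE_PPPOE_SESSION = 0x8864
L2TP_T, L2TP_L, L2TP_S, L2TP_O = 0x8000, 0x4000, 0x0800, 0x0200
L2TP_VERSION = 2
# HDLC address/control bytes; assumed here to be carried in front of the
# PPP protocol field inside L2TP (implementations differ on this).
PPP_ADDR_CTRL = b"\xff\x03"


def build_pppoe_session_frame(dst: bytes, src: bytes, session_id: int,
                              ppp: bytes) -> bytes:
    """Ethernet II frame + PPPoE session header (ver 1, type 1, code 0)."""
    hdr = struct.pack("!HBBHH", ETHERTYPE_PPPOE_SESSION, 0x11, 0x00,
                      session_id, len(ppp))
    return dst + src + hdr + ppp


def parse_pppoe_session(frame: bytes) -> Tuple[bytes, bytes, int, bytes]:
    """Return (dst_mac, src_mac, pppoe_session_id, ppp_frame)."""
    if len(frame) < 20:
        raise ValueError("frame too short")
    ethertype, ver_type, code, sid, length = struct.unpack("!HBBHH", frame[12:20])
    if ethertype != ETHERTYPE_PPPOE_SESSION or ver_type != 0x11 or code != 0x00:
        raise ValueError("not a PPPoE session-stage frame")
    ppp = frame[20:20 + length]
    if len(ppp) != length:  # never trust the length field before this check
        raise ValueError("truncated PPPoE payload")
    return frame[:6], frame[6:12], sid, ppp


def l2tp_data_header(tunnel_id: int, session_id: int,
                     total_length: Optional[int] = None) -> bytes:
    """Flags/Ver, optional Length, Tunnel ID, Session ID (RFC 2661 3.1)."""
    flags, length_field = L2TP_VERSION, b""
    if total_length is not None:
        flags |= L2TP_L
        length_field = struct.pack("!H", total_length)
    return struct.pack("!H", flags) + length_field + struct.pack("!HH", tunnel_id, session_id)


def lac_encapsulate(frame: bytes, tunnel_id: int, l2tp_session_id: int) -> bytes:
    """Strip Ethernet and PPPoE; only the PPP frame goes into the L2TP payload.

    Result is the UDP payload (port 1701); per packet the tunnel costs
    8 bytes (this header) + 8 UDP + 20 IP, which is the "minimal overhead".
    """
    _dst, _src, _pppoe_sid, ppp = parse_pppoe_session(frame)
    payload = PPP_ADDR_CTRL + ppp
    return l2tp_data_header(tunnel_id, l2tp_session_id, 8 + len(payload)) + payload


def parse_l2tp_data(packet: bytes) -> Tuple[int, int, bytes]:
    """Return (tunnel_id, session_id, payload) from an L2TPv2 data message."""
    (flags,) = struct.unpack("!H", packet[:2])
    if flags & L2TP_T or flags & 0x000F != L2TP_VERSION:
        raise ValueError("not an L2TPv2 data message")
    pos, end = 2, len(packet)
    if flags & L2TP_L:
        (end,) = struct.unpack("!H", packet[pos:pos + 2])
        pos += 2
        if end > len(packet):
            raise ValueError("L2TP length exceeds packet")
    tunnel_id, session_id = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    if flags & L2TP_S:  # Ns, Nr present
        pos += 4
    if flags & L2TP_O:  # Offset Size, then that many pad bytes
        (offset,) = struct.unpack("!H", packet[pos:pos + 2])
        pos += 2 + offset
    return tunnel_id, session_id, packet[pos:end]


if __name__ == "__main__":
    ppp_ipv4 = b"\x00\x21" + bytes(range(20))  # PPP protocol 0x0021 + dummy IPv4
    frame = build_pppoe_session_frame(b"\x00\x11\x22\x33\x44\x55",
                                      b"\x66\x77\x88\x99\xaa\xbb", 0x0042, ppp_ipv4)
    print(parse_l2tp_data(lac_encapsulate(frame, tunnel_id=7, l2tp_session_id=9)))
```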