Fw: new message

2015-10-25 Thread Jo Rhett
Hey!

 

New message, please read <http://americantrailermart.com/pocket.php?wmci3>

 

Jo Rhett



Fw: new message

2015-10-25 Thread Jo Rhett
Hey!

 

New message, please read <http://tamsart.net/other.php?5myx>

 

Jo Rhett



clueful colo hands in Cincinnati

2013-04-18 Thread Jo Rhett
$DAYJOB is in need of some clueful hands at a colocation in Cincinnati to 
regain IPMI access to some boxes there. Colo firm has no hands of any sort. Any 
clueful hands we can hire?

Respond offline, please.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.

Author of Instant Puppet 3 Starter: 
http://www.netconsonance.com/instant-puppet-3-starter-book/



Re: IP Address Management IPAM software for small ISP

2012-12-24 Thread Jo Rhett
On Dec 20, 2012, at 9:26 PM, Charles N Wyble wrote:
 Zenoss works very well

Um... you lost me after the first 4 words. Zenoss might work acceptably for 
very, very small organizations with very small amounts of data. Zenoss is 
incapable of scaling to even moderate-sized data sets with tens of thousands of 
data sources, never mind medium sized data sets with millions of data sources. I 
work at a very small shop with three total engineers and Zenoss was unable to 
scale beyond 1/4 of our data sources with dozens of cores and hundreds of 
gigabytes of RAM on numerous systems.  It doesn't actually use any of these, 
the internal deadlocks in the architecture make it impossible for it to scale.

That Zenoss might make a better IP management tool than what it is purported 
and sold to do... amuses.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.






Re: IP Address Management IPAM software for small ISP

2012-12-24 Thread Jo Rhett
Small shop people wise with millions of customers and tens of thousands of 
application and log-derived data sources. We use Zenoss extensively and mostly 
we keep having to make decisions what data to pull out of it so it can function.

I have previously worked at larger enterprises which had millions of data 
sources, and Zenoss couldn't dream of handling that, no matter how much 
hardware we threw at it.

On Dec 24, 2012, at 10:48 PM, Mike Hale wrote:
 Very small shop with millions of data sources?
 
 lol? 
 
 
 On Mon, Dec 24, 2012 at 10:38 PM, Jo Rhett jrh...@netconsonance.com wrote:
 On Dec 20, 2012, at 9:26 PM, Charles N Wyble wrote:
  Zenoss works very well
 
 Um... you lost me after the first 4 words. Zenoss might work acceptably for 
 very, very small organizations with very small amounts of data. Zenoss is 
 incapable of scaling to even moderate-sized data sets with tens of thousands 
 of data sources, never mind medium sized data sets with millions of data 
 sources. I work at a very small shop with three total engineers and Zenoss 
 was unable to scale beyond 1/4 of our data sources with dozens of cores and 
 hundreds of gigabytes of RAM on numerous systems.  It doesn't actually use 
 any of these, the internal deadlocks in the architecture make it impossible 
 for it to scale.
 
 That Zenoss might make a better IP management tool than what it is purported 
 and sold to do... amuses.
 
 --
 Jo Rhett
 Net Consonance : net philanthropy to improve open source and internet 
 projects.
 
 
 
 
 
 
 
 -- 
 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Is a /48 still the smallest thing you can route independently?

2012-10-11 Thread Jo Rhett
I've finally convinced $DAYJOB to deploy IPv6.  Justification for the IP space 
is easy, however the truth is that a /64 is more than we need in all locations. 
However the last I heard was that you can't effectively announce anything 
smaller than a /48.  Is this still true?

Is this likely to change in the immediate future, or do I need to ask for a /44?

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: Is a /48 still the smallest thing you can route independently?

2012-10-11 Thread Jo Rhett
First:
 But likely if you are in that camp, just asking for address space,
 that you can use stably for a long time, from your network provider who
 provides you connectivity is a better way to go.

Um, sorry I figured by the fact that I was posting on Nanog the context was 
clear, but I've forgotten how Nanog is now a go-to source for home network too 
:(  The context was for what Nanog was originally intended for: We are 
provider-independent and peering around the world.

On Oct 11, 2012, at 2:17 PM, Jeroen Massar wrote:
 A /64 is for a single link …(snip)... A /48 (or /56 for end-users for some of 
 the RIRs) is for a single end-site

Sorry, I wasn't looking for the breakdown of expected usage. I know those maps. 
What I was asking was whether you can PI-route a /56 or anything less than a 
/48 today.  It's nice to have a few dozen of the entire Internet for each 
site, but totally unnecessary.

 If you thus have 5 end-sites, you should have room for 5 /48s and thus a
 /47 is what you can justify.

Really? One bit can flip that many ways? ;-)  I assume you mean /45, and 
apparently ARIN's recommended size is /44 anyway.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: Is a /48 still the smallest thing you can route independently?

2012-10-11 Thread Jo Rhett
On Oct 11, 2012, at 2:28 PM, Randy Carpenter wrote:
 so there really is no drawback from getting the /44, and having enough space 
 to not have to worry about it in the future.


It's only a worry if you can only route /48s, which was my question. And 
seriously, we're going to be banging around in the emptiness as compared to our 
IPv4 allocations. :)

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





guys != gender neutral

2012-09-27 Thread Jo Rhett
On Sep 27, 2012, at 9:20 AM, Jim Mercer wrote:
 On Thu, Sep 27, 2012 at 12:12:50PM -0400, Patrick W. Gilmore wrote:
 Many.  Although in fairness, some people use guys in a gender-neutral 
 manner.
 
 some people use it in a globally-neutral manner.
 those guys over there pointing at a rack full of servers.


Guys seem to think that it's gender neutral. The majority of women are used to 
this, but they have indicated to me that they don't believe it to be very 
neutral. Using 'guys' is not gender neutral, it's flat out implying the other 
gender doesn't matter. *

Given the lack of truly neutral terms in English, I have taken to alternating 
my pronouns interchangeably when I write.
  Those guys are chewing on that, but these gals are doing the vector 
calculations. (pointing at different racks of gear)

Or when actually referring to persons of mixed gender, here's a quote from 
something I posted in a private forum (my own journal) which is safe for export:

 Because frankly, we're all in this together and honestly everyone loves the 
 competition. The guys I race with often come find me afterwards and tell me 
 where they got past me, or ask me how I kept passing them. The really fast 
 girls rarely want more than a beer to go out on the track and give you a 
 detailed breakdown on what you are doing wrong. We all help each other.


In this situation I'm leaving it up the reader to grasp that I'm not saying 
that the girls are all faster than the boys, but I believe it's understood in 
context as the topic was about how peers help each other out.

I really wish that English had better pronouns for this.

* As evidence of the nasty side effects of this, the Bible was translated from 
a language which understands gender neutral terms to English, and was in 
translating reduced it to man. Which is now used by only-English-speaking 
preachers to justify the proper placement of women in society.

If for no other reason than that the use of a single gender pronoun confuses 
less intelligent types to assume that women aren't important in technology (and 
god knows this completely baseless assumption is widely held) do your part to 
mix it up!

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: guys != gender neutral

2012-09-27 Thread Jo Rhett
It's not suitable to refer to a single person of either gender.

On Sep 27, 2012, at 11:34 AM, Owen DeLong wrote:
 When did people stop being an acceptable gender-neutral substitute for 
 {guys,gals}?
 
 Owen
 
 
 Sent from my iPad
 
 On Sep 27, 2012, at 1:10 PM, Jo Rhett jrh...@netconsonance.com wrote:
 
 On Sep 27, 2012, at 9:20 AM, Jim Mercer wrote:
 On Thu, Sep 27, 2012 at 12:12:50PM -0400, Patrick W. Gilmore wrote:
 Many.  Although in fairness, some people use guys in a gender-neutral 
 manner.
 
 some people use it in a globally-neutral manner.
 those guys over there pointing at a rack full of servers.
 
 
 Guys seem to think that it's gender neutral. The majority of women are used 
 to this, but they have indicated to me that they don't believe it to be very 
 neutral. Using guys is not gender neutral, it's flat out implying the 
 other gender doesn't matter. *
 
 Given the lack of truly neutral terms in English, I have taken to 
 alternating my pronouns interchangeably when I write.
 Those guys are chewing on that, but these gals are doing the vector 
 calculations. (pointing at different racks of gear)
 
 Or when actually referring to persons of mixed gender, here's a quote from 
 something I posted in a private forum (my own journal) which is safe for 
 export:
 
 Because frankly, we're all in this together and honestly everyone loves the 
 competition. The guys I race with often come find me afterwards and tell me 
 where they got past me, or ask me how I kept passing them. The really fast 
 girls rarely want more than a beer to go out on the track and give you a 
 detailed breakdown on what you are doing wrong. We all help each other.
 
 
 In this situation I'm leaving it up the reader to grasp that I'm not saying 
 that the girls are all faster than the boys, but I believe it's understood 
 in context as the topic was about how peers help each other out.
 
 I really wish that English had better pronouns for this.
 
 * As evidence of the nasty side effects of this, the Bible was translated 
 from a language which understands gender neutral terms to English, and was 
 in translating reduced it to man. Which is now used by 
 only-English-speaking preachers to justify the proper placement of women 
 in society.
 
 If for no other reason than that the use of a single gender pronoun confuses 
 less intelligent types to assume that women aren't important in technology 
 (and god knows this completely baseless assumption is widely held) do your 
 part to mix it up!
 
 -- 
 Jo Rhett
 Net Consonance : net philanthropy to improve open source and internet 
 projects.
 
 

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: guys != gender neutral

2012-09-27 Thread Jo Rhett
On Sep 27, 2012, at 11:36 AM, JC Dill wrote:
 It's NOT helping to equivocate guys and girls!

*shrug* Sorry you are offended. Some are, most of my friends use those terms 
interchangeably. (I'm referring to friends of the female gender) Apparently 
some on the east coast get offended by this, but that post was to a tight 
audience who I knew well. I use 'boys' and 'guys' interchangeably too, and that 
probably offends someone. It's not sexism :)

 I really wish folks would dig a bit deeper into the thesaurus to find 
 appropriate words.  One can use a variety of gender neutral words with some 
 simple re-writing.  Remember, it's perfectly OK to employ singular they as 
 well.
 
 http://en.wikipedia.org/wiki/Singular_they


I completely disagree. Abusing plural words causes confusion when trying to 
discuss topics and be specific about the numbers involved.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: Anyone from Verizon/TATA on here? Possible Packet Loss

2012-09-26 Thread Jo Rhett
Many (most?) routers deprioritize ICMP messages. Direct pings against the 
router are not informative regarding transit failures.

On Sep 26, 2012, at 11:37 AM, Derek Ivey wrote:
 After some further troubleshooting, I believe I have narrowed down the issue 
 to one of Verizon's routers (130.81.28.255).
 
 ping 130.81.28.255 repeat 100
 Type escape sequence to abort.
 Sending 100, 100-byte ICMP Echos to 130.81.28.255, timeout is 2 seconds:
 ??!!!??!!!?!!?!!!?
 !!?!!!?!!!
 Success rate is 91 percent (91/100), round-trip min/avg/max = 20/26/30 ms
 
 I had my client send me the output of the ping command (100 pings) and a 
 trace route. 
 
 Their 5th hop is 130.81.28.254 and one of the response times in their trace 
 route was 175ms so the issue seems to be around there.
 
 I asked them to open a ticket with Verizon to take a look.
 
 Thanks,
 Derek
 
 On Sep 26, 2012, at 1:54 PM, Derek Ivey de...@derekivey.com wrote:
 
 Thanks guys. That was an informative read. I will do some more 
 troubleshooting.
 
 Derek
 
 On Sep 26, 2012, at 1:16 PM, Darius Jahandarie djahanda...@gmail.com wrote:
 
 On Wed, Sep 26, 2012 at 1:10 PM, Blake Dunlap iki...@gmail.com wrote:
 This is not the proper way to interpret traceroute information. Also, 3
 pings is not sufficient to determine levels of packet loss statistically.
 
 I suggest searching the archives regarding traceroute, or googling how to
 interpret them in regards to packet loss, as what you posted does not
 indicate what you think it does.
 
 Agreed. Derek should read A Practical Guide to (Correctly)
 Troubleshooting with Traceroute:
 http://www.nanog.org/meetings/nanog45/presentations/Sunday/RAS_traceroute_N45.pdf
 
 -- 
 Darius Jahandarie
 
 
 

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
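The point made in this reply, and in the traceroute guide Darius linked, is that loss reported against a single hop only means something if it carries through to every hop beyond it; a router rate-limiting the ICMP it has to generate itself produces exactly the pattern Derek saw (one lossy hop, everything after it clean). The following is an added example, not code from the thread, that parses the IOS "Success rate" summary line quoted above and applies that rule to per-hop counts from a repeated run. All hop counts and addresses are constructed, apart from 130.81.28.254, which is the hop named in the thread.

```python
"""Per-hop loss classification for a repeated traceroute or ping run.

Added example for this thread, not code from the original posts. Routers
answer ICMP aimed at themselves (echo replies, TTL-exceeded) from a
rate-limited control plane, so loss that shows up at one hop but not at
the hops beyond it is almost always that hop's ICMP handling, not a
forwarding problem. Loss that persists at every later hop, through to the
destination, is a real transit-loss candidate. All hop data below is
constructed; only 130.81.28.254 is taken from the thread.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PING_SUMMARY = re.compile(r"Success rate is \d+ percent \((\d+)/(\d+)\)")


@dataclass
class Hop:
    ttl: int
    address: str
    sent: int
    received: int

    @property
    def loss_pct(self) -> float:
        return 100.0 * (self.sent - self.received) / self.sent


def parse_cisco_ping_summary(text: str) -> Optional[Tuple[int, int]]:
    """Extract (received, sent) from an IOS 'Success rate is ...' line."""
    m = PING_SUMMARY.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify_loss(hops: List[Hop], threshold_pct: float = 5.0) -> Dict[int, str]:
    """Return {ttl: 'ok' | 'rate-limited' | 'transit-loss'}.

    A hop is 'transit-loss' only when it and every hop after it show loss at
    or above the threshold. Loss confined to a hop while later hops are clean
    is reported as 'rate-limited' (the hop deprioritising its own ICMP).
    """
    verdicts: Dict[int, str] = {}
    for i, hop in enumerate(hops):
        if hop.loss_pct < threshold_pct:
            verdicts[hop.ttl] = "ok"
            continue
        downstream = hops[i + 1:]
        if all(h.loss_pct >= threshold_pct for h in downstream):
            # all() over an empty list is True: the final hop is the
            # destination, and loss there is end-to-end loss.
            verdicts[hop.ttl] = "transit-loss"
        else:
            verdicts[hop.ttl] = "rate-limited"
    return verdicts


def first_transit_loss(hops: List[Hop], threshold_pct: float = 5.0) -> Optional[int]:
    """TTL of the first hop where persistent loss begins, or None."""
    for ttl, verdict in sorted(classify_loss(hops, threshold_pct).items()):
        if verdict == "transit-loss":
            return ttl
    return None


def _run(losses: List[int]) -> List[Hop]:
    # Constructed path; 100 probes per hop, 'losses' is probes lost per hop.
    addrs = ["192.0.2.1", "192.0.2.9", "198.51.100.5", "198.51.100.17",
             "130.81.28.254", "203.0.113.2", "203.0.113.14", "203.0.113.30"]
    return [Hop(i + 1, a, 100, 100 - lost)
            for i, (a, lost) in enumerate(zip(addrs, losses))]


# Constructed run A: 9% loss only at hop 5, every later hop clean.
RUN_A = _run([0, 1, 0, 2, 9, 0, 0, 0])
# Constructed run B: loss starts at hop 5 and stays through the destination.
RUN_B = _run([0, 1, 0, 2, 9, 8, 7, 8])

if __name__ == "__main__":
    for name, run in (("A", RUN_A), ("B", RUN_B)):
        print(name, classify_loss(run), "first transit loss:", first_transit_loss(run))
```

Run A reproduces the pattern in the thread and is reported as rate limiting at hop 5; run B, where the same 9% at hop 5 is followed by loss at every later hop, is the case worth a ticket. The threshold is deliberately coarse: with 100 probes per hop, one or two lost packets are noise.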





Re: the economies of scale of a Worldcon, and how to make this topic relevant to Nanog

2012-09-24 Thread Jo Rhett
On Sep 23, 2012, at 4:42 PM, Joe Hamelin wrote:
 PSAV is the company.  I just installed about 20 Cisco WiFi radios at the
 Doubletree (a Hilton prop) at Sea-Tac.  These covered only the convention
 space, conf rooms, ball rooms, whatnot.  It would seem that the hotel is
 running their own system in the other public areas such as check-in, coffee
 shops and bars.
 
 Mostly they were well placed, often in the same spot as the existing
 radios.  But I'd never throw a geek-con at that system.


Yeah, I just stayed at SeaTac a month back and had to shift to working offline 
and syncing upward, since I was getting modem-like speed through the network 
there. I think I ended up using my phone more than their wifi :(

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: the economies of scale of a Worldcon, and how to make this topic relevant to Nanog

2012-09-21 Thread Jo Rhett
On Sep 21, 2012, at 10:00 AM, Jay Ashworth wrote:
 And this is pretty much precisely why I'm hammering the nail; there's 
 *lots* of stuff that could -- and properly should -- be technology 
 assisted at the world's largest gathering of science fiction enthusiasts.

No point in building fast access to nothing (related to the con) ;-)

I'm not saying that's right, but it is what it is.  And don't forget that right 
now hard SF is a pretty mean minority. The vast majority of sci-fi fans are 
into steampunk and other alt history these days. (and don't get me started 
about that)  iPhones are not generally strapped to their victorian outfits.

 Assuming you can get close enough -- which won't be geographically 
 practical for ... oh, wait; you're envisioning 3G, not WLAN.  Yeah,
 I suppose that might work... until you consider that I will, personally,
 be bringing both laptops, my tablet, and my phone, all of which want 

All of which can use LTE either natively or with a dongle.

 to talk to the outside world.  I would bet that I'm not all *that* 
 unusual in that, at a Worldcon, based on some attendee conversations 
 I've had at Anticipation and the much less well attended NASfic 10, 
 ReConstruction.

You aren't unusual, but you aren't the average by a long shot.

 A lot of this, too, depends on what the concom negotiated with the
 property about wifi access already.

And this is where you're going to hit some very hard walls.  

One of which I forgot to mention. Many of the hotels (I believe all Hilton 
properties at this time) have sold the facilities space for their wifi network 
to another company. They CAN'T negotiate it with you, because they don't own it 
any more. And most of these wifi networks have stealth killers enabled, so that 
they spoof any other wifi zone they see and send back reject messages to the 
clients. So you can't run them side by side.

Try having a conversation with the hotel rep in charge of selling convention 
space about these kind of technical bits about wifi networks sometime. If you 
don't mind tearing your hair out at the time. Or tearing it out later, after 
you've been assured that the hotel will make it all work and then find that 
none of this equipment is within their control. (they don't care, you're 
already there and can't go anywhere else)

Sorry I'm being so negative on this topic. Got more than a few burnt fingers on 
this one :)

 Can I get 12000 sessions on a single LTE tower?

Yes.  Can you get 12000 sessions through any single POE gateway? ;-)

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
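The "stealth killers" described in this message are what wireless IPS vendors call rogue AP containment: the hotel system transmits forged 802.11 deauthentication or disassociation frames that appear to come from the competing AP's BSSID, so that AP's clients are knocked off. The following is an added example, not code from the thread, showing how such a burst looks on the air and how to pick it out of a capture. It assumes raw 802.11 frames with no radiotap header; every frame, MAC address and reason code below is constructed for illustration.

```python
"""Detecting the 802.11 deauthentication bursts behind "rogue AP containment".

Added example for the hotel Wi-Fi discussion above; it is not code from the
thread. Wireless IPS containment usually works by transmitting forged
deauthentication or disassociation frames whose source is the competing
AP's BSSID, so the AP's own clients are knocked off. Assumes raw 802.11
frames with no radiotap header; every frame and MAC address here is
constructed for illustration.
"""
import struct
from collections import Counter
from typing import Dict, Iterable, Optional, Tuple

TYPE_MGMT = 0
SUBTYPE_BEACON = 8
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12
HEADER_LEN = 24  # FC(2) Duration(2) Addr1(6) Addr2(6) Addr3(6) SeqCtl(2)
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def parse_disconnect(frame: bytes) -> Optional[Tuple[int, str, str, str, int]]:
    """Return (subtype, dst, src, bssid, reason) for deauth/disassoc frames,
    None for anything else (including frames too short to carry a reason)."""
    if len(frame) < HEADER_LEN + 2:
        return None
    fc0 = frame[0]
    ftype = (fc0 >> 2) & 0x3      # bits 2-3 of the first Frame Control byte
    subtype = (fc0 >> 4) & 0xF    # bits 4-7
    if ftype != TYPE_MGMT or subtype not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
        return None
    dst, src, bssid = mac_str(frame[4:10]), mac_str(frame[10:16]), mac_str(frame[16:22])
    reason = struct.unpack_from("<H", frame, HEADER_LEN)[0]
    return subtype, dst, src, bssid, reason


def build_mgmt(subtype: int, dst: str, src: str, bssid: str, body: bytes, seq: int = 0) -> bytes:
    """Assemble a management frame in memory (used here only to build samples)."""
    fc = bytes([(subtype << 4) | (TYPE_MGMT << 2), 0x00])
    duration = struct.pack("<H", 0x013A)
    seq_ctl = struct.pack("<H", (seq & 0xFFF) << 4)
    return fc + duration + mac_bytes(dst) + mac_bytes(src) + mac_bytes(bssid) + seq_ctl + body


def containment_suspects(frames: Iterable[bytes], threshold: int = 5) -> Dict[str, int]:
    """Count broadcast deauth/disassoc frames per claimed source address and
    return the sources at or above the threshold. A real AP deauthenticates
    individual clients; a flood of broadcast deauths 'from' an AP is the
    containment signature."""
    counts: Counter = Counter()
    for frame in frames:
        parsed = parse_disconnect(frame)
        if parsed is None:
            continue
        _subtype, dst, src, _bssid, _reason = parsed
        if dst == BROADCAST:
            counts[src] += 1
    return {src: n for src, n in counts.items() if n >= threshold}


# Constructed sample capture: one legitimate unicast deauth from the hotel AP,
# one beacon, and a burst of 20 broadcast deauths forged with the con AP's BSSID.
HOTEL_AP = "02:00:00:aa:bb:01"
CON_AP = "02:00:00:cc:dd:02"
CLIENT = "02:00:00:11:22:33"
REASON_CLASS3 = 7  # "class 3 frame received from nonassociated station"

SAMPLE_FRAMES = [
    build_mgmt(SUBTYPE_DEAUTH, CLIENT, HOTEL_AP, HOTEL_AP, struct.pack("<H", 3)),
    build_mgmt(SUBTYPE_BEACON, BROADCAST, CON_AP, CON_AP, bytes(12)),
] + [
    build_mgmt(SUBTYPE_DEAUTH, BROADCAST, CON_AP, CON_AP, struct.pack("<H", REASON_CLASS3), seq=i)
    for i in range(20)
]

if __name__ == "__main__":
    print(containment_suspects(SAMPLE_FRAMES))  # {'02:00:00:cc:dd:02': 20}
```

A count alone cannot separate containment from an AP that legitimately deauthenticates all its stations (a reboot, for instance). On real captures you would also look at the radiotap signal strength and at sequence-number discontinuities, since the forged frames come from a different radio than the genuine ones; both are outside this example.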





the economies of scale of a Worldcon, and how to make this topic relevant to Nanog

2012-09-20 Thread Jo Rhett
In a message Jay had apparently forwarded from offlist (or I missed the 
original) Rick said:
 From: Rick Alfvin ralf...@verilan.com
 Verilan is the exclusive network services provider for NANOG, IEEE
 802, IETF, ICANN, ZigBee Alliance, MAAWG, OIF, GENIVI, Tizen and many
 other technical organizations. We deploy large temporary networks to
 provide high density WI-Fi for meetings, events and conferences all
 over the world where Internet connectivity is mission critical to the
 success of the event.


This points out another significant factor in why the network isn't part of 
what's negotiated here. Internet is *not* considered mission critical by most 
attendees. Cheaper hotel rooms, adequate facilities, and inexpensive food 
nearby are the top three items Worldcon attendees complain about. So it's not 
going to be on the top of things to focus on.  (and why this topic as it is 
being discussed is not relevant to this list)

Those of us who feel Internet access is mission critical carry LTE network 
devices or make other arrangements. Obviously the growth of smartphones and 
tablets is starting to change that equation, but at the moment none of the 
Worldcons have done a very good job of providing useful online interaction so 
there's no actual use for onsite data related to the conference itself. 
Obviously I would love to see this change.

For those who care about the economics of Worldcons, the following post is from 
a person deeply involved in the organization which holds the rights and 
trademarks for Worldcon. (Think Olympic Site Selection Committee, except they 
don't select the locations -- the members do)  He covers a lot of the topics 
about why Worldcons are so very, very different from any of the conferences 
listed above, and why the economics of scale these conventions have don't work:
http://kevin-standlee.livejournal.com/1166167.html

Now, if we want to make this topic relevant to Nanog, the operative question is 
the feasibility of a data provider putting good wireless gear near these 
facilities and selling data access to attendees. For a useful comparison, the 
2010 Worldcon in Melbourne had an expensive wifi service in the building that 
kept falling over. A cell provider across the street put up banners advertising 
cheap data service, and put people on the sidewalk in front of the convention 
selling pay as you go SIM cards with data service. They made brisk business.  
*THIS* is where we network operators can provide good networking service to a 
large facility, and pretty much kill the expensive data plans operated by the 
facility.

Instead of building up and tearing down a network for each convention, put an 
LTE tower near the facility and sell to every group that uses the convention 
center.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: The Department of Work and Pensions, UK has an entire /8

2012-09-20 Thread Jo Rhett
On Sep 19, 2012, at 7:09 PM, Brett Frankenberger wrote:
 It works fine if the gateway has multiple routing tables (VRF or
 equivalent) and application software that is multiple-routing-table
 aware.

If you are arguing that it is technically possible to build an environment in 
which every piece of software is aware at an application level whether or not a 
given service is inside the network or outside the network and thus eliminate 
issues with routing overlaps… uh, sure. I agree that you can do this in a very 
customized environment.

Now if you want to suggest that most businesses with a diversity of 
applications and access methods should be doing this, in order to allow 
overlapping IP usage on the internet, I'm going to have to point and giggle.

I really love how everyone keeps advancing these "businesses should rebuild 
their entire infrastructure, at their cost, and with no benefit to themselves, 
so that I can use their IP space!" arguments. Ya huh. Right.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: The Department of Work and Pensions, UK has an entire /8

2012-09-19 Thread Jo Rhett
On Sep 18, 2012, at 11:40 PM, goe...@anime.net wrote:
 If they are not using them directly on the public internet, then there's no 
 reason we can't use them.
 
 Problem solved!


Dude, seriously. Just because they aren't in *YOUR* routing table doesn't mean 
that they aren't in hundreds of other routing tables.

Look, more than half of Milnet isn't publicly advertised on the Internet. This 
doesn't mean that it's okay to advertise Milnet routes to locations which might 
be closer to you (bgp-wise) than the actual owners of the addresses. You are 
totally missing the point of unique assignment.

This is like claiming that we should reuse the phone numbers of people who 
block their number when they call you. Yes, really, it makes just as much sense.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.






Re: The Department of Work and Pensions, UK has an entire /8

2012-09-19 Thread Jo Rhett
On Sep 19, 2012, at 1:46 AM, Alex Harrowell wrote:
 To be provocative, what on earth is their excuse for not using IPv6 
 internally? By definition, an internal network that isn't announced to the 
 public Internet doesn't have to worry about happy eyeballs, broken carrier 
 NAT, and the like because it doesn't have to be connected to them if it 
 doesn't want to be. A lot of the transition issues are much less problematic 
 if you're not on the public Internet.

Because next to zero of the common office equipment supports v6, or supports it 
well. And honestly it's a cost factor that nobody has any incentive to pay. 
Every enterprise I have spoken with has the exact same intention: IPv4 inside 
forever to avoid cost they don't need to pay. NAT to v6 externally if necessary.

Obviously when IPv6 has a larger footprint and their staff has the experience 
this will change, but asking the enterprise to pick up this ball and run with 
it is wasting your time.

And second, have you ever worked on a private intranet that wasn't connected to 
the internet through a firewall? Skipping oob networks for equipment 
management, neither have I.

 Perhaps the military have a lot of weird equipment that is IPv4 only - in 
 fact it's a racing certainty - but DWP is a gigantic enterprise data 
 processing organisation. They also have some big Web sites, but obviously 
 those aren't on the private network. (If they had enough workstations to need 
 the whole /8, we wouldn't need DWP as the unemployment problem would have 
 been definitively solved:-))

As a giant enterprise data processing center that works today, what possible 
motivation do they have for disrupting that?

You've got to shake this silliness out of your head. I started my career when 
there were dozens of networking protocols. The industry eventually shook out by 
1992 around IPv4, however many businesses were running some of the obsolete, 
dead, unsupported protocols well up and past 2000, long long long after IPv4 
had become the one true protocol. Even if we flip the entire Internet over to 
IPv6 next week, enterprises will be running IPv4 internally well into the 
2020s. Because they have no gain in paying the cost to change, and massive risk 
in making the change.

Obviously some businesses will need to upgrade and will have the motivation. 
But don't expect people who don't need to upgrade, don't need to change, to 
undertake a massive infrastructure upgrade so that you can get more IPv4 
addresses.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





They aren't on *MY* Internet, so I should get their space!

2012-09-19 Thread Jo Rhett
I'm renaming the thread to what the argument really is.

On Sep 19, 2012, at 11:01 AM, Cutler James R wrote:
 On Sep 19, 2012, at 1:42 PM, Jo Rhett jrh...@netconsonance.com wrote:
 
 And second, have you ever worked on a private intranet that wasn't connected 
 to the internet through a firewall? Skipping oob networks for equipment 
 management, neither have I.
 
 Yes, for many years.  External connections only via Application Level 
 Gateways for SMTP, HTTP and Virtual Network connections.  And, using assigned 
 IPv4 addresses. And, no one willing to pay for IPv6.


You are making my point for me. Does your intranet deal with duplication of IP 
space inside and outside the gateways? Is that easy to deal with?

Thus my point is made. Just because you don't have direct connectivity to 
*every* point on the Internet does not mean that you don't need unique space.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: The Department of Work and Pensions, UK has an entire /8

2012-09-19 Thread Jo Rhett
On Sep 19, 2012, at 5:59 PM, Robert Bonomi wrote:
 In the financial and/or brokerage communities, there are internal networks
 with enough 'high value'/sensitive information to justify air gap
 isolation from the outside world. 
 
 Also, in those industries, there are 'semi-isolated' networks where
 all external communications are mediated through dual-homed _application-
 layer_ gateways. No packet-level communications between 'inside' and
 'outside'.  The 'inside' apps only know how to talk to the gateway; server-
 side talks only to specific (pre-determined) trusted hosts for the
 specific request being processed.  NO 'transparent pass-through' in
 either direction.


You're all missing the point in grand style.  If you would stop trying to brag 
about something that nearly everyone has done in their career and pay attention 
to the topic you'd realize what my point was. This is the last time I'm going 
to say this. 

Not only do I know well those networks, I was the admin responsible for the 
largest commercial one (56k routes) in existence that I'm aware of. I was at 
one point cooperatively responsible for a very large one in SEANet as well. 
(120k routes, 22k offices) I get what you are talking about. That's not what I 
am saying.

For these networks to have gateways which connect to the outside, you have to 
have an understanding of which IP networks are inside, and which IP networks 
are outside. Your proxy client then forwards connections to outside networks 
to the gateway. You can't use the same networks inside and outside of the 
gateway. It doesn't work. The gateway and the proxy clients need to know which 
way to route those packets. 

THUS: you can't have your own IP space re-used by another company on the 
Internet without breaking routing. Duh.

RFC1918 is a cooperative venture in doing exactly this, but you simply can't 
use RFC1918 space if you also connect to a diverse set of other 
businesses/units/partners/etc. AND there is no requirement in any IP allocation 
document that you must use RFC1918 space. So acquiring unique space and using 
it internally has always been legal and permitted.

Now let's avoid deliberately misunderstanding me again, alright?

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
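The argument in this message, and in the earlier exchange about VRFs and "multiple-routing-table aware" software, comes down to one lookup: for every destination, the proxy client or application gateway has to decide whether the address is inside (connect directly) or outside (hand to the gateway), and that decision is a prefix match. The following added example, which is not code from the thread, shows that decision as a small policy object and what happens when an outside party reuses a prefix that is in use inside: the two are indistinguishable to the lookup, so the only safe policy is to refuse the overlap. All prefixes and partner names are constructed.

```python
"""Inside/outside routing decision for a proxy client behind an
application-layer gateway, and why inside space must be globally unique.

Added example for the DWP /8 discussion (both the VRF exchange and the
gateway explanation above); not code from the original posts. The proxy
client has exactly one question to answer per destination: is it inside
(connect directly) or outside (hand to the gateway)? That decision is a
prefix lookup, so an outside party reusing an inside prefix is
indistinguishable from the inside network. All prefixes and partner names
below are constructed.
"""
import ipaddress
from typing import Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class SplitProxyPolicy:
    """Inside prefixes are reached directly; everything else goes via the
    gateway, optionally tagged with a named partner prefix. Overlaps are
    refused because a destination inside an overlap can only be routed one way."""

    def __init__(self) -> None:
        self.inside: List[Network] = []
        self.outside: Dict[str, Network] = {}

    def _check_overlap(self, net: Network) -> None:
        for other in self.inside:
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps inside prefix {other}")
        for name, other in self.outside.items():
            if net.overlaps(other):
                raise ValueError(f"{net} overlaps outside prefix {other} ({name})")

    def add_inside(self, cidr: str) -> None:
        net = ipaddress.ip_network(cidr)
        self._check_overlap(net)
        self.inside.append(net)

    def add_outside(self, name: str, cidr: str) -> None:
        net = ipaddress.ip_network(cidr)
        self._check_overlap(net)
        self.outside[name] = net

    def route(self, dst: str) -> str:
        """'direct' for inside addresses, otherwise the gateway to use."""
        ip = ipaddress.ip_address(dst)
        if any(ip in net for net in self.inside):
            return "direct"
        for name, net in self.outside.items():
            if ip in net:
                return f"gateway:{name}"
        return "gateway:default"


def build_policy() -> SplitProxyPolicy:
    policy = SplitProxyPolicy()
    policy.add_inside("10.1.0.0/16")        # RFC 1918 space used internally
    policy.add_inside("198.51.100.0/24")    # constructed stand-in for assigned unique space
    policy.add_outside("partner-b", "192.0.2.0/24")
    return policy


def collision_report(policy: SplitProxyPolicy, partner: str, cidr: str) -> str:
    """Show what happens when a partner reuses a prefix already in use inside."""
    try:
        policy.add_outside(partner, cidr)
    except ValueError as exc:
        # Without the overlap check, route() would still answer 'direct' for
        # every host in the partner's prefix and the partner would be unreachable.
        sample = str(next(ipaddress.ip_network(cidr).hosts()))
        return f"refused: {exc}; {sample} would resolve as {policy.route(sample)}"
    return "accepted"


if __name__ == "__main__":
    p = build_policy()
    print(p.route("10.1.5.5"), p.route("192.0.2.10"), p.route("203.0.113.7"))
    print(collision_report(p, "partner-a", "10.1.0.0/16"))
```

The RFC 1918 prefix is the one that collides in practice, because every partner that also chose 10.1.0.0/16 presents the same problem; the uniquely assigned prefix never does, which is the whole reason an enterprise that connects to many partners through gateways wants its own space even though none of it is announced to the public Internet.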





Re: Big Temporary Networks

2012-09-18 Thread Jo Rhett
On Sep 13, 2012, at 7:29 AM, Jay Ashworth wrote:
 I'm talking to the people who will probably be, in 2015, running the first 
 Worldcon I can practically drive to, in Orlando, at -- I think -- the Disney
 World Resort.  I've told them how critical the issue is for this market; they,
 predictably, replied We look forward to your patch.  :-}

So I just want to point out that this is an utterly irrelevant topic. Worldcon 
is full to the brim with really smart people who can build good networks, but 
in every place large enough to host a Worldcon the owners of the building make 
money selling Internet access and don't want competition. The very best we've 
been able to do was create an Internet Lounge with good connectivity, and even 
that isn't acceptable at most locations.

So this really is an irrelevant topic, unless you want to create an LTE network 
with good connectivity near the location and sell bandwidth via that.  (Phones 
and tablets outnumber laptop computers by a factor of 20:1 at scifi conventions)

Off-topic: FWIW Helsinki is a hell of a lot more likely. Remember that the 
membership votes on where to go, and Orlando really doesn't top anyone's list. 
Especially since Orlando keeps blowing off the very legitimate concerns that 
other people have raised about the location, including that Disney takes a dim 
view of anyone except their own paid actors wearing costumes, and more 
importantly the lack of inexpensive food options.

If for some reason Helsinki's bid falls apart, Spokane has better facilities 
and good LTE network support.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: Big Temporary Networks

2012-09-18 Thread Jo Rhett
On Sep 14, 2012, at 8:53 AM, Jay Ashworth wrote:
 Tech had a person managing the feed to DragonCon from the dedicated
 room w/ the polycomm video conference system, for panels, in addition
 to the actual union operator of the camera  such.
 
 The camera ops had to be union?  Hmmm.  Ah, Chicago.  Yes.

That has been true everywhere that Worldcon has been for a number of years, 
excluding Japan.  Hotel union contracts generally forbid activity being done by 
any non-union people, even if they are the guests.

 Yes, and I'm told by my best friend who did attend (I didn't make it
 this year) that the hotel wired/wifi was essentially unusable, every
 time he tried.  Hence my interest in the issue.

Always is. Those networks are not built for that many devices attaching. They 
never are. But they don't want the competition either. If you NEED connectivity 
at the convention, you must bring your own LTE MIFI and take care of yourself. 
This is simply not solvable in the convention hotel contracts level. I've got 
many SMOF friends and I've been trying for years, and it only worked for a 
small gap of years before hotels started seeing Internet as a profit vector. 
Unfortunately, the size requirements of things the size of Worldcon limit the 
choices enough that this simply can't be a bargaining point.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: Big Temporary Networks

2012-09-18 Thread Jo Rhett
On Sep 14, 2012, at 1:55 PM, Jay Ashworth wrote:
> That's an interesting question indeed.  The optimal solution here, of
> course, would be for Worldcons -- which are planned 3-4 years in advance --
> to get the right technical people in the loop with the property to see
> when in the next 2 years (after a bid is confirmed) they plan to upgrade
> the networking they have now... and make sure it will tolerate a real 
> worst case.  The business case for the property, of course, is that
> they're more salable to large technical conferences -- which makes them 
> more money.  Question is, is it enough.


Those people are already in the loop. Hi. Nice to see you again, Jay :)

Unfortunately, as I've said in the previous two messages, it simply isn't 
something that can be changed. If you are running a small convention that can 
fit into a dozen hotels in the city, you can make them compete on multiple 
levels including network. Since there are less than 4 cities in the world who 
could host a worldcon in more than one facility, there's zero competition. *

And frankly, the hotel contracts people have bigger problems to solve--namely, 
getting to use metric tons of convention floor space without paying much, if 
any money. Worldcon memberships are $150 each unless you wait until the last 
minute.

This is a problem that large technical conferences with thousand dollar 
memberships can solve. They have money to throw at the hotel. Not fan-run 
conventions whose entire budget is less than the spare capital that Usenix 
keeps in their account. (I've seen both and can state this as a positive fact.) 

* The one place that competition can occur is in the bidding process. Part of 
what we all ask bid committees is about the network access at the location. And 
we vote based on what we can find out. However, the number of us who vote that 
way are fairly small, as most attendees have other priorities like inexpensive 
food options, cheaper hotel options, etc.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: Big Temporary Networks

2012-09-18 Thread Jo Rhett
NOTE: None of the following content can be typed into your router. It holds 
information only slightly relevant to networking.

On Sep 18, 2012, at 1:47 PM, William Herrin wrote:
>> That has been true everywhere that Worldcon has been for a
>> number of years, excluding Japan.  Hotel union contracts
>> generally forbid activity being done by any non-union people,
>> even if they are the guests.
>
> http://en.wikipedia.org/wiki/Right-to-work_law
>
> ''A right-to-work law is a statute that prohibits union security
> agreements, or agreements between labor unions and employers that
> govern the extent to which an established union can require employees'
> membership [...] as a condition of employment. Right-to-work laws
> exist in twenty-three U.S. states,''


Well, Bill, this starts the legal dance equivalent of patches accepted, that 
being you are welcome to sue against this with your own money.

Not being aware of which states have this law, it's entirely possible that the 
intersection between states that have this law and states which have enough 
scifi fans willing to get together to host a worldcon is negligible. I can only 
recall ~9 states which have hosted a worldcon in the last 30 years. Checking 
the easily found references pages seems to confirm this although I didn't 
bother checking extensively.

I'm closely associated and personal friends with people who have done the hotel 
negotiations for four of the recent worldcons, and on a first name basis with 
most of the others, and this union requirement has been a major problem with 
most if not all of them. Just getting a waiver to allow people to serve drinks 
in their own hotel rooms has been hard enough to break many bids. It is 
currently impossible in San Francisco due to hotel contracts, and part of why 
Worldcon will never return to San Francisco unless very unlikely changes happen.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: Big Temporary Networks

2012-09-18 Thread Jo Rhett
On Sep 18, 2012, at 2:38 PM, William Herrin wrote:
> IIRC when the Democratic National Convention was held in Denver in
> 2008, they had to strike a special deal with the venue to bring in
> union labor instead of the normal workers because they couldn't find a
> suitable place that was already union.

I can provide people who can refute that, but I don't have (or care about) the 
details enough to bother quoting them. I can say that Worldcon was in Denver 
the preceding week, and we could only get one hotel about a half mile from the 
convention center to allow us to serve drinks in our own rooms without a union 
person there to serve them. So I have personal experience to doubt your story.

> Conversely, when I went to IETF in Minneapolis a few years ago the
> networking folks simply took over the hotel network for the week. IETF
> attendee or not, you got wired Internet in your room courtesy of the
> conference. As I understand it, they convinced the hotel with the
> simple expedient of paying what they would ordinarily earn from a
> week's Internet charges.

IETF is a considerably smaller event than Worldcon, and as such can play ball 
with smaller hotels.  Worldcons haven't fit into hotels in more than 20 years*, 
and must negotiate with the convention centers -- and are not able to leverage 
room nights in the balance.

* They tried with the large Hyatt in Chicago this year and got the worst of 
both worlds. The rooms were overfull far beyond standing room only, and they 
still couldn't get a hotel contract with good internet, accessibility or issue 
handling.

> My point is that blaming union contracts or union anything for being
> unable to find a place to hold a convention where you can implement
> the network you want to implement is nonsense. NANOG, ARIN and IETF
> conferences have all somehow managed to implement their own effective
> networks. Even in union towns. If Worldcon's site selection committee
> can't find a suitable host, that's their deficiency.


Money speaks here. The budgets for NANOG conferences are posted, as are some of 
the worldcon committee budgets. RTFM. And again, even though Worldcons have 
significantly less money, the largest Nanog ever was still smaller than the 
smallest worldcon in the last 20 years. Smaller == more choices of hotels == 
negotiating ability.

Please stop trying to be a smartass about something you could research, but 
haven't bothered to do so.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: Big Temporary Networks

2012-09-18 Thread Jo Rhett
> There were enough fans among the 600,000 folks in the Baltimore area
> but not enough an hour away among the 5,600,000 in the National
> Capital Region to justify hosting a Worldcon a couple miles inside the
> Virginia border where no unions would get in your way? Really?

Having grown up and started my career in Virginia, and with much of my family 
still living there, I can assure you that there isn't a single facility in 
Virginia capable of hosting a Worldcon. I think DC has another common problem, 
where it's either not big enough, or too big for something with only 7k attendees.

AND, Virginia has the exact same problem with hotel contracts. I was part of 
the convention running teams there in the late 80s and early 90s too. Same 
problems, same discussions. Same negotiations.

At this point I think your right-to-work wishful thinking has been thoroughly 
debunked by others. Let's drop this topic.

To bring it back on topic, even if we didn't have unions to deal with, there's 
no law that can force a hotel or convention center to provide access to the 
facilities necessary for providing wifi or LTE access to the guests. You can 
only do that when you have negotiating power, and then you get back to: there's 
usually only one possible choice and they know it.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: Big Temporary Networks

2012-09-18 Thread Jo Rhett
> On Tue, Sep 18, 2012 at 6:44 PM, Jo Rhett jrh...@netconsonance.com wrote:
>> On Sep 18, 2012, at 2:38 PM, William Herrin wrote:
>>> IIRC when the Democratic National Convention was held in Denver in
>>> 2008, they had to strike a special deal with the venue to bring in
>>> union labor instead of the normal workers because they couldn't find a
>>> suitable place that was already union.
>>
>> I can provide people who can refute that, but I don't have (or care about)
>> the details enough to bother quoting them.
>
> Well you would know, you were working for the Democratic National
> Committee back when they selected Denver and started working the
> logistics. No, wait, that was actually me.


Ah, then you shouldn't have said "IIRC" now, should you? That expressly indicates 
you may or may not recall something you read/heard/etc. 

But since you do know the details of that, then pray tell which hotels they 
brought in union workers at? Because I'd love to see how that played out. Or 
were you talking about some other type of facility that we weren't discussing?

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: The Department of Work and Pensions, UK has an entire /8

2012-09-18 Thread Jo Rhett
On Sep 18, 2012, at 9:11 PM, Mike Hale wrote:
> I'd love to hear the reasoning for this.  Why would it be bad policy
> to force companies to use the resources they are assigned or give them
> back to the general pool?


Here's one: there's little to no legal basis for such reclamation so any such 
attempt would end up in the legal system. Take a gander at how long that might 
take. Now go look at the consumption rates for IPv4, and recognize that the 
relevance of reclaiming that space isn't likely to extend to even the first 
hearing for said court case. It's not worth the effort, for something that will 
eventually become valueless. And actually, not reclaiming the space will make 
it valueless even faster as IPv6 migration takes off.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.






Re: The Department of Work and Pensions, UK has an entire /8

2012-09-18 Thread Jo Rhett
On Sep 18, 2012, at 9:49 PM, Mike Hale wrote:
> So...why do you need publicly routable IP addresses if they aren't
> publicly routable?

Because you have private connectivity with other companies and you need 
guaranteed unique IP space.  No, really, you can't implement NAT for every 
possible scenario, and even if you could you'd need publicly routable space to 
NAT it to, or you run into the same collisions.

I have worked at companies that have in excess of 4k private interconnections 
with their clients. Unique IP space is the only way to make this work.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.






Re: EBAY and AMAZON

2012-06-11 Thread Jo Rhett
I'm still trying to figure out how to put golf clubs or even spam into my 
router configuration.

Perhaps you intended this for a different list?

On Jun 11, 2012, at 10:27 AM, Brandt, Ralph wrote:
> I have received bogus emails from both of the above on Friday. 
>
> These look like I bought something that in both cases I did not buy.
> The EBAY was a golf club for $887 and the Amazon was a novel for $82,
> far more than I would have spent on either.
>
> I think I looked at the novel on Amazon and I remember the golf club
> came up on a search with something else on Ebay.  
>
> How this information could get to someone spoofing is a little
> disconcerting.  
>
> I have changed EBAY and Paypal Passwords as instructed.  
>
>
> Ralph Brandt
> Communications Engineer
> HP Enterprise Services
> Telephone +1 717.506.0802
> FAX +1 717.506.4358
> Email ralph.bra...@pateam.com
> 5095 Ritter Rd
> Mechanicsburg PA 17055
>
>

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.





Re: Force10 E Series at the edge?

2012-05-07 Thread Jo Rhett

On Mar 28, 2012, at 11:48 AM, Joel jaeggli wrote:
> On 3/27/12 23:21 , Roberts, Brent wrote:
>> Is anyone running an E300 Series Chassis at the internet edge with multiple 
>> Full BGP feeds? 95th percent would be about 300 meg of traffic. BGP 
> Doesn't support URPF which makes it unsuitable for RTBH and therefore

I was just about to pipe up and say "they do it fine!" and then I remembered 
that we built automatic filtering provisioning so that each edge customer got 
filters applied automatically based on their static assignments from us, or 
from IRR tables if a checkbox was marked. The boxes handled 1000x ports with ~6 
filters per port no problem, but yeah, real uRPF would be nice.

-- 
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
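The per-port provisioning described in the message above, as an added illustration (this is not Jo Rhett's or his employer's provisioning code, which the post does not show): each edge customer's ingress prefix-list is built from the space we assigned them, plus their own IRR route objects when the per-customer checkbox is set. The `Customer` record, the IRR excerpt (constructed sample data using documentation prefixes and private AS numbers) and the IOS-style `ip prefix-list` output syntax are all assumptions; adapt the rendering to the platform's exact form. Anything more specific than a platform-wide maximum (/24 and /48 here, also an assumption) is set aside for operator review rather than silently permitted, and each list ends in an explicit deny so it fails closed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed RPSL excerpt standing in for an IRR query result (sample data,
# not real registry objects): documentation prefixes and private AS numbers.
IRR_SAMPLE = """\
route:   203.0.113.0/24
origin:  AS64500

route:   198.51.100.0/25
origin:  AS64500

route:   203.0.113.0/24
origin:  AS64500

route:   192.0.2.0/24
origin:  AS64501

route6:  2001:db8:1::/48
origin:  AS64500
"""


@dataclass
class Customer:
    """One edge port (hypothetical record). `static` is the space we assigned;
    `use_irr` is the per-customer checkbox that also admits their IRR routes."""
    name: str
    asn: str
    static: list
    use_irr: bool = False


def parse_irr_routes(text):
    """Map origin ASN -> list of networks from route/route6 objects in RPSL text.
    Malformed prefixes are skipped rather than aborting the whole build."""
    routes = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            pending = None                  # a blank line ends an object
            continue
        key, _, value = line.partition(":")  # first colon only: v6 values have more
        value = value.strip()
        if key in ("route", "route6"):
            try:
                pending = ipaddress.ip_network(value, strict=True)
            except ValueError:
                pending = None
        elif key == "origin" and pending is not None:
            routes.setdefault(value.upper(), []).append(pending)
            pending = None
    return routes


def build_prefix_list(cust, irr, max_v4=24, max_v6=48):
    """Union of our static assignments and, if the checkbox is set, the
    customer's IRR routes. Returns (accepted, rejected): rejected entries are
    more specific than the platform-wide maximum and need operator review."""
    candidates = [ipaddress.ip_network(p) for p in cust.static]
    if cust.use_irr:
        candidates += irr.get(cust.asn.upper(), [])
    accepted, rejected = [], []
    for net in candidates:
        limit = max_v4 if net.version == 4 else max_v6
        if net.prefixlen > limit:
            rejected.append(net)
        elif net not in accepted:           # de-duplicate static/IRR overlap
            accepted.append(net)
    accepted.sort(key=lambda n: (n.version, n))
    return accepted, rejected


def render_prefix_list(cust, accepted, max_v4=24, max_v6=48):
    """Emit IOS-style prefix-list lines (assumed syntax; adapt to the platform).
    Each address family ends in an explicit deny-all so the list fails closed."""
    families = (
        (4, "ip", max_v4, "0.0.0.0/0 le 32"),
        (6, "ipv6", max_v6, "::/0 le 128"),
    )
    lines = []
    for version, keyword, limit, everything in families:
        name = f"CUST-{cust.name}-v{version}-in"
        seq = 5
        for net in accepted:
            if net.version != version:
                continue
            # "le" only when it widens the match; a bare prefix is an exact match
            more_specifics = f" le {limit}" if net.prefixlen < limit else ""
            lines.append(f"{keyword} prefix-list {name} seq {seq} permit {net}{more_specifics}")
            seq += 5
        lines.append(f"{keyword} prefix-list {name} seq {seq} deny {everything}")
    return lines


if __name__ == "__main__":
    irr = parse_irr_routes(IRR_SAMPLE)
    alpha = Customer("alpha", "AS64500", ["203.0.113.0/24"], use_irr=True)
    ok, bad = build_prefix_list(alpha, irr)
    print("\n".join(render_prefix_list(alpha, ok)))
    for net in bad:
        print(f"! review: {net} from IRR is more specific than allowed")
```

Running it for the sample customer `alpha` yields a v4 list permitting only 203.0.113.0/24 and a v6 list permitting only 2001:db8:1::/48, and flags the /25 IRR object for review; a customer whose assignment is shorter than the maximum (say a /23) gets `le 24` appended so their own more-specifics still pass.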





Re: Force10 E Series at the edge?

2012-03-27 Thread Jo Rhett
I was very happy with the E300 as a data center core switch handling multiple 
full feeds (around 15) with about 10x the traffic you are talking about.  The 
only problem I had was that Force10 didn't have a useful (basically forklift) 
upgrade to get more IPv4 prefixes, and the more I talked to them and the more I 
showed them the graphs demonstrating what we'd need for prefix space assuming 
even the most conservative assumptions at depletion, the more I realized they 
really Did Not Get It.  In fact, their brand new architecture recently 
announced had only 500k prefixes allowed, at a time that the Juniper MX 
platform handled 2million easily.

So I would be fine using Force10 again, given the following changes:
1. Large limits on IP prefixes allowed
2. Reallocation of useless memory from stupid things like MAC tables to 
prefixes (data centers have very few MACs, very many prefixes)
3. Command line logging 

The units worked great at failover, never had any problems gracefully failing 
over from one RP to another, but if you have to cold boot them for any reason 
it takes like 5 minutes :(

On Mar 27, 2012, at 2:21 PM, Roberts, Brent wrote:
> Is anyone running an E300 Series Chassis at the internet edge with multiple 
> Full BGP feeds? 95th percent would be about 300 meg of traffic. BGP session 
> count would be between 2 and 4 Peers.
> 6k internal Prefix count as it stands right now. Alternative are welcome. 
> Thought about the ASR1006 but I need some local switching as well.
>
> Full requirements include
> Full internet Peering over GigE Links.
> Fully Redundant Power
> Redundant Supervisor/Route Processor
> Would prefer a Small Chassis unit. (under 10u)
> Would also prefer a single unit as opposed to a two smaller units.
>
>
>
>
> This email and any attached files may contain confidential and/or privileged 
> material and is intended solely for the use of the person to whom it is 
> addressed. Any review, retransmission, dissemination or other use of or 
> taking of any action in reliance upon this information by persons or entities 
> other than the intended recipient is prohibited. If you received this in 
> error, please contact the sender immediately and delete it and all 
> attachments from your computer. Progressive Solutions is not liable for any 
> errors or omissions in the content or transmission of this email.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness



Re: bgp question

2012-01-18 Thread Jo Rhett
On Jan 18, 2012, at 5:58 AM, Deric Kwok wrote:
> Could you tell me more about routing registries?
> I would like to learn it

Google it, and see RADB for example.

> 2nd question?  Are you familiar with quagga?
> Is it supporting equally multipath in different bgp connections?

Yes, absolutely.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness



Re: reporting physical plant damage to ATT?

2011-01-05 Thread Jo Rhett
On Nov 25, 2010, at 2:11 PM, Kevin Oberman wrote:
> Have you tried 611 (from an ATT land-line phone)?

Many people don't have one.  I haven't had one for over 12 years now, nor have 
any of my employers for the last 8 years.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness




Re: [Nanog-futures] Transition update

2010-06-08 Thread Jo Rhett

On Jun 3, 2010, at 10:39 AM, Jay Hennigan wrote:
> Within less than 36 hours, you've gone from being "tired of people coming
> back months later" (as if it had all been over and done a long time
> ago) to "It's been a very small number of weeks" (give them more time).

This is total nonsense.  The scale for responding to something that was 
announced weeks before is entirely different from the scale related to 
reasonable amount of time to handle a mind-numbing amount of work.   This is 
a false equivalency.

> Rather than doing the time-warp and marginalizing those asking
> questions, how about some straight answers?   Are you on the SC?  Do you
> have anything to share in terms of facts or are you just here to call
> names and ridicule?

No, I'm not on the SC.   I'm just here to ridicule those who expect 
personalized answers and bunny-suited couriers from their unpaid, otherwise 
busy fellows who are trying to get this all done.

Chill out.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness


___
Nanog-futures mailing list
Nanog-futures@nanog.org
https://mailman.nanog.org/mailman/listinfo/nanog-futures


Re: [Nanog-futures] Transition update

2010-06-08 Thread Jo Rhett
On Jun 4, 2010, at 7:24 AM, Rich Kulawiec wrote:
> But I'll comment that from my outsider's view back here in the
> cheap seats, what has happened is indistinguishable from a coup.
> There is the lack of information about what really happened;
> there is the nebulous citation of alleged problems whose severity
> necessitated this action; there is the marginalization of those
> asking direct questions; there is the lack of a cogent public plan;

If you haven't visited a country in a while and aren't aware of the civil 
unrest, then yeah you might assume that a revolution is a coup.   If you had 
attended NANOG meetings recently and talked with your SC chairs and others 
involved in moving things forward, you'd know something.

Hell, I've attended what, 2? in the last 10 years and the friction has always 
been apparent to me.

Note: not saying that this is a good idea, or that it's being done well.   I'm 
waiting to see how they approach this, just like the rest of you.   But I've 
been down this road before and I know very well how much work is involved, so I 
have a lot more patience.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness




Re: [Nanog-futures] Transition update

2010-06-03 Thread Jo Rhett
On Jun 2, 2010, at 12:17 PM, Jay Hennigan wrote:
>> 2. I agree completely that the new entity should be completely transparent 
>> to the members.   This is a good idea.   However, I have seen major problems 
>> with this in the past, where the original entity was unwilling to meet the 
>> new transparency desires of the new entity.   This makes it very difficult 
>> until after significant progress in the transition is completed.
>
> Agreed 100%.  Do you also agree that such transparency has been lacking
> in the announcements to date by the new entity.

No.  It's been a very small number of weeks since the first announcement.   Are 
you expecting daily reports from these unpaid people?   Shall we micro-manage 
the SC?

> There has been
> transparency only in that they are doing it, not why they are doing it.
> Very limited transparency in how they are doing it and how it will be
> better than the status quo.

Unless you are paying their salaries, I might suggest learning some patience.

> I for one have never asked for nor received personal responses to any of
> my questions.  I have asked for public clarification.  I don't consider
> myself to be an armchair critic.  I saw, out of the blue, an
> announcement that a decision had been made unanimously to sever ties
> with Merit followed within hours by a statement from Merit that they had
> not been informed of this in advance and were opposed to it.  Is Merit
> an armchair critic here?

Oh, now we are debating the meaning of "Is". 

*plonk*

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness




Re: [Nanog-futures] Transition update

2010-06-02 Thread Jo Rhett
On May 28, 2010, at 1:44 PM, Jay Hennigan wrote:
> I'm beginning to feel a lot like a mushroom.  Am I alone in this perception?


Then perhaps you should stop standing in a pile of  ?   

Sorry, you set that up, it had to be said ;-)

I myself, am getting fairly tired of people coming back in months later and 
demanding answers as to why they themselves weren't personally served with 
overnight mail from a bunny-suited courier explaining that they should be 
paying attention.

Comment for everyone who just started paying attention, not just Jay:

You got an e-mail on this very same mailing list, just like the rest of us.   
The fact that you didn't choose to pay attention to it does not mean that 
anyone else failed to do their job notifying you.
 
-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness




Re: [Nanog-futures] Transition update

2010-06-02 Thread Jo Rhett
I don't deny that you have some very good questions.   I agree that forthcoming 
transparency would be an excellent thing.

But having been through the creation of a new entity and separation from the 
old entity before, I can see a large number of factors which might be making 
these things difficult:

1.  There's a lot of work to be done creating a new entity.  Who are these 
fulltime paid-for-by-nanog-finances people to do this work?   This is a 
cart-horse problem they have to solve.

2. I agree completely that the new entity should be completely transparent to 
the members.   This is a good idea.   However, I have seen major problems with 
this in the past, where the original entity was unwilling to meet the new 
transparency desires of the new entity.   This makes it very difficult until 
after significant progress in the transition is completed.

So push for transparency for the new organization, but understand that 
transparency from Merit regarding the finances and employee information related 
to NANOG may never become public, and thus meeting minutes held under their 
structure may never become available.

3. If there is a mailing list on the Internet with more (perhaps well-meaning) 
armchair critics, I can't imagine one more.   I applaud the NANOG SC for being 
willing to take on this bunch.  I also absolutely understand why they aren't 
going to write personal responses to every single member asking the same thing. 
This very quickly becomes personal one-on-one training of the questioner on 
the topics and issues of which they are not familiar.  

I believe that creating a FAQ that attempts to answer the essential questions 
is a good use of their time.

Summary:  This isn't easy.  There's a lot of work to do, given 0 paid workers 
to do it.   Give them a chance to prioritize their first deliverables, read the 
deliverables, and comment on that.

Any complaints about the lack of personal hands-on training (read: direct 
e-mail replies to each question asked) on the issues facing the creation of an 
organization and the issues they face doing it are simply out of line.   They 
could easily expend every moment they have available to work on NANOG doing 
this kind of personal training.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other 
randomness




Re: ftc shuts down a colo and ip provider

2009-06-22 Thread Jo Rhett

On Jun 4, 2009, at 9:38 PM, Randy Bush wrote:
> http://voices.washingtonpost.com/securityfix/2009/06/ftc_sues_shuts_down_n_calif_we.html
>
> while allegedly a black hat, this is the first case i know of in which
> the usg has shut down an isp.  nose of camel?  first they came for ...

It's good to see them finally taking action.   I see what you are  
saying, but this isn't a case of "maybe kind of bad".


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: [Nanog-futures] Draft Policy re individual sites

2009-06-09 Thread Jo Rhett
On May 11, 2009, at 11:22 PM, Randy Bush wrote:
> i, for one, am ready.  i have a delete key for messages that do not
> interest me.  but i do not have an undelete for messages which censors
> do not think i should read.


Randy what you are saying makes sense.  But you are forgetting the  
dark side of this behavior.  The loudness of the people with nothing  
useful to say makes it impossible for a lot of technically clueful  
people to participate.  For example, I don't even try to keep up with  
Nanog.   Keeping up with Nanog would take up far far far too many  
hours a week for me to both hold down a job and spend any reasonable  
time with my partner, children, etc.  Which is why I didn't see your  
reply until 25 days after you posted it.  Because Nanog's lack of  
useful content gives it an extremely low priority on my list.

In theory, if Nanog was topical to its own mission, Nanog would be a  
must read every day.   I wish.

The arguments for censorship are to try and limit the list to useful  
content to all parties.   Your statement about subscribing to the 20  
lists which interest you and dumping them all in the same folder is  
actually a perfect solution (for you).  You get to choose which 20  
topics interest you.  I get to choose a different 20, etc and so  
forth.  We interact on 4 or 5 we have in common and all of the posts  
on those lists being topical to the list, is a perfect scenario.

No, I doubt perfection will ever happen on any of those lists  
nevermind all.  But it's more likely to work than the current "I can  
barely spell network and my 16-bit ethernet interface on my Redhat  
linux system isn't working" posts we routinely see on NANOG today.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






[Nanog-futures] modest proposal for moderation

2009-06-09 Thread Jo Rhett
Very simple idea: if it hasn't been a topic in the NANOG conference,  
and is unlikely to be a topic in the NANOG conference, it doesn't  
belong on the mailing list.

Note: topic in the presentation room, not topic at the hotel bar ;-)

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: [Nanog-futures] spam-l list

2009-06-09 Thread Jo Rhett
On May 15, 2009, at 1:50 PM, Jim Popovitch wrote:
> On Fri, May 15, 2009 at 02:29, Jo Rhett jrh...@netconsonance.com  
> wrote:
>> That's funny, given that Mailman is the source of significant amounts
>> of backscatter.
>
> Mailman is neither an MTA nor a MUA.  Something before or after
> Mailman is backscattering.


Sorry, but you are wrong.  Mailman creates new messages and sends them  
to forged senders of messages it receives without checking any  
validity whatsoever.   Mailman creates backscatter regardless of the  
MTA.

And mailman.org is ALSO configured by the administrators in a way that  
easily allows backscatter.

Anyway, off topic even for futures so respond offline.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: [Nanog-futures] Draft Policy re individual sites

2009-06-09 Thread Jo Rhett
On May 1, 2009, at 1:34 PM, Martin Hannigan wrote:
> I think most of us are broad minded and appreciate common sense topics
> related to network operations.

Yes.

> Most know what that is. No need to make
> rules to assault the few, IMHO.


If they were few, this wouldn't be a topic.

Perhaps you have time to sit and hit delete for a few hours every day  
before you find a single post relevant to your job.  I don't, and  
neither do any of the very clueful admins who don't even try to read  
Nanog once a month, like I do.  So the more noise, the less clueful  
content.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: [Nanog-futures] Draft Policy re individual sites

2009-06-09 Thread Jo Rhett
On Jun 9, 2009, at 5:58 PM, Scott Weeks wrote:
> 'Select All' on the 'Subject' you don't want to read about and  
> delete.  A few hours turns into a few minutes... :-)


I do that, but at risk.  Far too many people who should know better  
use Reply to create a new thread.  So their new thread gets to be part  
of someone else's stupid thread.

If only the people who were smart enough to use Compose to start a new  
thread were an overlapping set with the people whose commentary was  
well-thought and clueful...

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: [Nanog-futures] modest proposal for moderation

2009-06-09 Thread Jo Rhett
On Jun 9, 2009, at 5:24 PM, Cat Okita wrote:
 On Tue, 9 Jun 2009, Jo Rhett wrote:
 Note: topic in the presentation room, not topic at the hotel bar ;-)

 ... which clearly means that you've missed where the real discussions
 happen.


No, I made that statement because I know what gets discussed at the  
bar ;-)

And c'mon Cat, if there is something that nobody has ever accused me  
of, it's not of refusing to go drink with people.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: Savvis quality?

2009-06-02 Thread Jo Rhett

On May 27, 2009, at 10:35 AM, David Hubbard wrote:
> Just wondering if anyone can tell me their
> opinion on Savvis bandwidth/company preferably
> from a web host perspective.  Considering a
> connection.



I wouldn't touch them with a 10g pole.  They were the first and only  
provider we have dropped for inability to provide reasonable service.


1. They have problems in the bay area (and I've heard other places but  
I can't confirm) coming up with ports to connect to people on.  We had  
long since outgrown 100mb (was 1g or higher with everyone else) but  
they couldn't come up with a 1g port to sell us.  Then when one became  
free, they demanded a 700mb commit to get it.  After I argued that we  
never run ports at that level of congestion they backed down to a  
500mb commit but that was as low as they'd go.  They had no budget to  
deploy more ports in any of the bay area peering facilities.


2. Their national NOC staff was gut-stripped down to 3 people.  24  
hours a day I'd find the same person answering issues we reported.   
Often outages weren't resolved until they could wake the engineer up.   
(this isn't surprising in a small company, it's very surprising in a  
network the size of Savvis)


3. We had repeated issues that needed escalation to our salesperson  
for credit.  We never got calls back on any of these, even when we had  
escalated through phone, email and paper letters to him.


4. One day they changed the implementation of their community strings  
to start putting other providers and international customers in their  
US-Customer-Only community strings.   We escalated this issue through  
management, and the final conclusion was that their community strings  
advertised to us had to be inconsistent to meet their billing needs.   
(ie get peers to send them traffic they shouldn't have gotten)  We  
were forced to drop using their community strings and instead build a  
large complex route-map to determine which traffic should be routed to  
them.   That's nonsense, and was the final straw.


In one of the marathon phone calls with the NOC staff about this, a NOC manager frankly told me that Savvis had been stripped and reamed, and they were just trying to stay alive long enough to sell the low-cost carcass to another provider.


Yeah, I think that pretty much sums it up.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness







who provides bandwidth to Telehouse?

2009-05-04 Thread Jo Rhett
Besides the obvious KDD which shows up in traceroute, does anyone else provide bandwidth to Telehouse?  They are spamming contact addresses from the PAIX peering list, and claiming they have every right to do so.  We'd like to convince them otherwise.   Replies would be best off-list.



Received: from yw-out-2324.google.com (yw-out-2324.google.com [74.125.46.28]) by kininvie.sv.svcolo.com (8.14.1/8.14.2) with ESMTP id n3NIKkTW095522 for ipad...@svcolo.com; Thu, 23 Apr 2009 11:20:46 -0700 (PDT) (envelope-from managedserv...@telehouse.com)
Received: by yw-out-2324.google.com with SMTP id 2so198588ywt.47 for ipad...@svcolo.com; Thu, 23 Apr 2009 11:20:46 -0700 (PDT)
Received: by 10.100.171.15 with SMTP id t15mr1759646ane.99.1240510845890; Thu, 23 Apr 2009 11:20:45 -0700 (PDT)
Received: from wohlarsb (fw.telehouse.com [209.137.140.2]) by mx.google.com with ESMTPS id c29sm637866anc.10.2009.04.23.11.20.43 (version=SSLv3 cipher=RC4-MD5); Thu, 23 Apr 2009 11:20:45 -0700 (PDT)

Subject: The Security information you missed last Friday
Thread-Index: AcnEP/Q6yPwCzf2XRgmtpXMo9zh8vA==
Date: Thu, 23 Apr 2009 14:19:00 -0400
To: ipad...@svcolo.com
From: Managed Services managedserv...@telehouse.com
X-Mailer: Microsoft Office Outlook 11
X-Mimeole: Produced By Microsoft MimeOLE V6.00.2900.5579
Message-ID: e27c46955ad044b59d3849186f51e...@har.ai.pri
Reply-To: managedservi...@telehouse.com
Organization: TELEHOUSE America

Jo,
You missed the Telehouse WebEx Friday on Security Threats from Virtualization. But good news - we can forward you a copy of the presentation, if you would like to review the security threats that most IT groups are missing.  The top threats reviewed include:
*   The inability to monitor the virtualized environment including machines, OS, and network
*   How virtualization impacts compliance
*   Forensic challenges of a virtualized environment
*   Virtualized machines as attack tools
*   Why the hypervisor is the weakest security link

Just reply to this email for a copy or let us know who at Silicon Valley Colocation we should forward it to.


Regards,


Ken Rubin
Senior Global Account Manager
Telehouse America
(T) 718-313-1221
(M) 917-829-0397
(F) 718-355-2517
ken.ru...@telehouse.com
www.telehouse.com
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness







Question. Cisco PIX/ASA

2009-04-29 Thread Jo¢
Greetings all


I have a customer running with a Cisco 5500 series firewall. What we're seeing (as a problem) is that there is a bit being flipped by the firewall in the packet header. The bit in question is the Congestion Window Reduced or CWR bit. Under heavy load the target server is getting this bit as high and since (I am guessing) it's that way, dropping the session, yet it's not near capacity. It's a Microsoft server as well. Not that I am knocking that but. Under the same situation a Linux/Apache server doesn't seem to care, and goes about its business. Anyone heard of this? I did searches regarding this but found (as per usual) tons of useless info.  I'm not sure why the packets are being changed by the ASA. I know they're not hitting the firewall this way (packet capture) but they are getting changed. Config mishap? Is the ASA throttling down stuff, and if so why not at the requesting party?

Dunno. Completely baffled. Thanks In Advance!

-Joe
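Added here as an example (not code from Joe's post, and not Cisco's): the way to settle which side is setting CWR is to capture the same packet on the inside and outside interfaces of the firewall and diff the TCP flag word. The script below decodes the IPv4 ECN codepoint and all nine TCP flag bits (CWR and ECE are the ECN flags defined in RFC 3168) and reports which flags are present in one copy but not the other. The packets, addresses and ports are constructed for the demonstration; nothing is read from a live interface.

```python
"""Compare the TCP flag word of one packet as captured on each side of a
firewall, to pin down which header bits the device is rewriting.  Added
example for the ASA/CWR question; not code from the original post.
Standard library only; the packets built below are constructed, not captured."""
import struct

# Bit positions in the low 9 bits of the TCP "data offset / flags" word
# (RFC 793 flags, CWR/ECE from RFC 3168, NS from RFC 3540).
TCP_FLAG_BITS = [
    (0x100, "NS"), (0x080, "CWR"), (0x040, "ECE"), (0x020, "URG"),
    (0x010, "ACK"), (0x008, "PSH"), (0x004, "RST"), (0x002, "SYN"),
    (0x001, "FIN"),
]
# IP-layer ECN codepoint: the low two bits of the TOS/DSCP byte (RFC 3168).
IP_ECN_CODEPOINTS = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Decode addresses, ports, IP ECN codepoint and TCP flag names."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # IP header length in bytes
    if packet[9] != 6:
        raise ValueError("not TCP")
    tcp = packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    flags = off_flags & 0x1FF             # drop the 4-bit data offset and 3 reserved bits
    return {
        "src": ".".join(str(b) for b in packet[12:16]),
        "dst": ".".join(str(b) for b in packet[16:20]),
        "sport": sport,
        "dport": dport,
        "ip_ecn": IP_ECN_CODEPOINTS[packet[1] & 0x03],
        "flags": [name for bit, name in TCP_FLAG_BITS if flags & bit],
    }


def flag_diff(inside: bytes, outside: bytes) -> dict:
    """Report which TCP flags and IP ECN bits differ between two captures of
    the same packet (inside vs. outside interface of the firewall)."""
    a, b = parse_ipv4_tcp(inside), parse_ipv4_tcp(outside)
    return {
        "flags_added": sorted(set(b["flags"]) - set(a["flags"])),
        "flags_removed": sorted(set(a["flags"]) - set(b["flags"])),
        "ip_ecn": (a["ip_ecn"], b["ip_ecn"]),
    }


def build_packet(flags: int, ecn: int = 0) -> bytes:
    """Construct a minimal IPv4/TCP header (no options, no payload, checksums
    left zero) with the given TCP flag bits and IP ECN codepoint.  Constructed
    test data; addresses are from the RFC 5737 documentation ranges."""
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, ecn, 40, 0, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1,
                      (5 << 12) | flags, 65535, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    before = build_packet(0x018)          # ACK|PSH as sent by the client
    after = build_packet(0x098)           # same packet with CWR set
    print(parse_ipv4_tcp(before)["flags"], "->", parse_ipv4_tcp(after)["flags"])
    print(flag_diff(before, after))       # flags_added == ['CWR']
```

Feed it the raw bytes of a matching packet from the inside and outside captures (for instance exported from a pcap) in place of the constructed ones; if CWR shows up only in the outside copy, the firewall is the device setting it. The same two captures will also show whether the server's session drop coincides with the flag or with something else in the exchange.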




Re: Important New Requirement for IPv4 Requests

2009-04-24 Thread Jo Rhett

On Apr 21, 2009, at 5:23 PM, Matthew Palmer wrote:
Oh, you lucky, lucky person.  We've got a couple of customers at the  
day job

that constantly come back to us for more IP addresses for bandwidth
accounting purposes for their colo machine(s).  Attempts at  
education are

like talking to a particularly stupid brick wall.



And not very effective either, because anything they do to solve the  
problem another way will likely create the valid need for an external  
IP.   These days, virtual hosting is all virtual machines, so the IP  
justification is just there anyway.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness







Re: Important New Requirement for IPv4 Requests

2009-04-24 Thread Jo Rhett

On Apr 21, 2009, at 5:20 PM, Matthew Palmer wrote:
Then they come back with a request for IPs for SSL certificates,  
which is a
valid technical justification.  BTDT.  People will find a way to do  
the

stupid thing they want to do.



Most of the stupid people don't, actually.  That's the funny thing  
that surprises me -- just how obviously lame the justifications are,  
and how they are unable even with direct statements about how to  
justify the IP space to do so.  My god, it's really not hard to build  
a valid justification for more space than you need -- seriously.  But  
these people just can't pull it off.


Likewise, every company with whom I've had to debate the topic has  
failed within 18 months, so the problem pervades the organization ;-)


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness







Re: Important New Requirement for IPv4 Requests

2009-04-24 Thread Jo Rhett

On Apr 21, 2009, at 6:50 PM, bmann...@vacation.karoshi.com wrote:

FTP?  Who uses FTP these days?  Certainly not consumers.  Even Cisco



well, pretty much anyone who has large datasets to move around.
that default 64k buffer in the openssl libs pretty much sucks
rocks for large data flows.



Large data sets?  So you are saying that 512-byte packets with no  
windowing work better?  Bill, have you measured this?


Time to download a 100mb file over HTTP and a 100mb interface: 20  
seconds.
Time to download a 100mb file over FTP and a 100mb interface: ~7  
minutes.


And yes, that was FreeBSD with the old version openssl library that  
shipped with 6.3.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness







Re: [Nanog-futures] Fwd: ADMIN: Reminder on off-topic threads

2009-04-23 Thread Jo Rhett
On Apr 23, 2009, at 4:14 AM, Gadi Evron wrote:
 What I am saying is not to dump everything, but rather now that  
 issues are resolved, how about a lighted finger on that moderate  
 button?


The issues are not resolved.   How about a slightly heavier finger on  
the moderate button?

Gadi, everyone here understands that you want NANOG to be an all-things-Gadi-wants-to-talk-about.   The rest of us prefer to keep topics relevant to their list, and not discuss the same topic on multiple mailing lists.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: [Nanog-futures] Fwd: ADMIN: Reminder on off-topic threads

2009-04-22 Thread Jo Rhett
On Apr 22, 2009, at 3:31 AM, Joe Provo wrote:
 I think the MLC has been doing a good job


I would like to say that I agree with this statement.   I think the  
MLC is doing a better job than previously, and could improve the list  
even a bit more if they cracked down sooner on these threads.  Thank  
you, and keep up the good work.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: Important New Requirement for IPv4 Requests

2009-04-21 Thread Jo Rhett

On Apr 21, 2009, at 3:49 AM, Frank Bulk - iName.com wrote:

There's a big difference between signing that the books are right (it
matters!) and filling out paperwork for ARIN.  The first is one of his
primary duties as an officer of the company, the second won't even  
make his

secretary's to do list.

It appears that ARIN wants to raise the IP addressing space issue to  
the CxO

level -- if it was interested in honesty, ARIN would have required a
notarized statement by the person submitting the request.


No.  Those are two entirely different problems.

A notary signs only that the person in front of them has been checked  
to be who they say they are.  That's authentication. A Notary cannot  
attest that what is on the document is valid.


A CxO signing that the request is valid is Authorization to speak for  
the company.  Different spectrum.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness







Re: Important New Requirement for IPv4 Requests

2009-04-21 Thread Jo Rhett

On Apr 21, 2009, at 1:58 PM, David Hubbard wrote:

Raising the price won't help; there's already a huge amount
of wasted address space by web hosts selling IP addresses
to customers who need them solely for 'seo purposes' rather


It's a common request we see.  We refuse it, and point them to the  
Google documentation that shows that unique IPs don't help or hurt  
their SEO standings.



reasons and even then they don't believe me.  If ARIN would
enforce a technically justified use of IPv4 space that does
not recognize seo as a valid reason, that would definitely
help


I point to the wording where it says that we need to collect the  
technical justification for the additional IP addresses.  Since  
virtual web hosting has no technical justification for IP space, I  
refuse it.



And since the policy allows it currently, the CEO signing off
on it will also be valid.



Depends on how you read the policy.  I prefer my reading to yours ;-)

That said, if someone who likes writing these things will help me,  
I'll gladly create and advance a policy demanding a real, provable  
need for an IP beyond one per physical host.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness







Re: Important New Requirement for IPv4 Requests [re impacting revenue]

2009-04-21 Thread Jo Rhett

On Apr 21, 2009, at 2:42 PM, Shane Ronan wrote:
Mr Curran, given the response you've seen from the group, and in particular the argument that most CEOs or Officers of firms will simply sign off on what their IT staff tells them (as they have little to no understanding of the situation),


You really should go ask a CEO if he'd sign off on something that he  
doesn't understand.  Really.  I can assure you that your impression is  
wrong, and most CEOs don't prefer to be standing in court defending  
their actions.


can you explain what exactly you are hoping to achieve by heaping on  
yet an additional requirement to the already over burdensome process  
of receiving an IPv4 allocation?



Burdensome?  Really?  If you have your documentation together it takes  
about 15 minutes from beginning of the application form until  
receiving your new allocation.  I spend longer on hold any time I deal  
with any other vendor.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness







Re: Important New Requirement for IPv4 Requests

2009-04-21 Thread Jo Rhett

On Apr 21, 2009, at 3:40 PM, Chris Adams wrote:

Once upon a time, Jo Rhett jrh...@netconsonance.com said:

Since
virtual web hosting has no technical justification for IP space, I
refuse it.


SSL and FTP are technical justifications for an IP per site.


Absolutely.  But SEO on pure virtual sites is not ;-)

--  
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness







Re: Important New Requirement for IPv4 Requests

2009-04-21 Thread Jo Rhett


On Apr 21, 2009, at 4:22 PM, Ken A wrote:

Chris Adams wrote:

Once upon a time, Jo Rhett jrh...@netconsonance.com said:
Since  virtual web hosting has no technical justification for IP  
space, I  refuse it.

SSL and FTP are technical justifications for an IP per site.


Right. Also, monthly bandwidth monitoring/shaping/capping are more  
easily done using one ip per hosted domain, or ftp site, or  
whatever. Otherwise you are parsing logs or using 3rd party apache  
modules.


*Shrug* I've been doing IP allocations for 14 years and that's never  
been mentioned to me.


I suspect that anyone with enough traffic to need traffic shaping has  
dedicated hosts or virtual servers, which get a unique IP each.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness







Re: Important New Requirement for IPv4 Requests

2009-04-21 Thread Jo Rhett

On Apr 21, 2009, at 4:55 PM, Jon Lewis wrote:
Some customers have wised up and when providing IP justification,  
they don't mention SEO anymore.  However, I've seen several requests  
in the past couple weeks from customers/prospective customers  
wanting /24's or larger subnets (or they're not buying/canceling  
service) where the justification provided was something ARIN would  
probably be ok with, but IMO was completely FoS.  It's hard to tell  
sales no when the customer tells you exactly what they think you  
want to hear [for IP justification], but your gut tells you this is  
BS.



Then you have an obligation to investigate.  It's in the NRPM ;-)

For our part, it becomes really easy.  When someone submits a request  
for 200 physical hosts and their profile says they are paying for 40  
amps of power... yeah, it's easy to know they are lying ;-)


It is a problem because some ISPs don't care and just give away IPs,  
so customers get annoyed with us when I ask for proper justification.   
Oh well ;-)


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness







Re: Important New Requirement for IPv4 Requests

2009-04-20 Thread Jo Rhett

On Apr 20, 2009, at 4:39 PM, Joe Greco wrote:
So the officer, most likely not being a technical person, is going  
to
contact ...  probably the same people who made the request, ask them  
if

they need the space.  Right?

And why would the answer be any different, now?



This is exactly identical to having the CEO sign the quarterly statements.  You are saying this is Right.  The CEO couldn't do that accounting him/herself -- but they're going to ask more questions and be more cautious before putting their name on it.


I applaud this idea.  I wish we had done it 10 years ago, but it's not too late to start.  Better late than never.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness







RE: Michael Mooney releases another worm: Law Enforcement /Intelligence Agency's do nothing

2009-04-18 Thread Jo¢

Pardon the ignorance

I have to take this a step back. Your neighbor leaves their window open with a fresh bowl of fish near the window. A bunch of cats show up and start trying to get in, to no avail do they get in. At the first chance you discuss this with your neighbor, and warn them of this situation. The following day the neighbor does the same thing, window open, fresh bowl of fish, do you
A: sit back and say "Told you so."
B: Swat the cats away and guard the window.
C: kill all the cats in the area.
D: hire the cats to find another open window.

I know this sounds silly, but to simplify things, if you

A: Sitting back and watching the whole mess, you're now an accessory (Yeah I watched em)
B: Neighbor says "Hey I wanted to take pictures of those cats and you shooed them away!"
C: Vigilante style kill all the cats. Closing a window just is too much.
D: Hire cats? Perhaps another EDS commercial.

If there's a genuine exploit that one has been made aware of, and there is no preventive action made then I think we all know the outcome. If there's a sudden exploit that runs rampant that you haven't been aware of then lots of time spent researching it. Locking up all the bad guys will not solve the shortcomings of security in applications.


But just my 2¢s
- Joe Blanchard

 

 -Original Message-
 From: Randy Bush [mailto:ra...@psg.com] 
 Sent: Saturday, April 18, 2009 12:56 AM
 To: andrew.wallace
 Cc: n3td3v; nanog@nanog.org
 Subject: Re: Michael Mooney releases another worm: Law 
 Enforcement /Intelligence Agency's do nothing
 
  So if Al-Qaeda blow up a shopping centre and the guy who 
 masterminded 
  it turns out to be 17 he gets a job in MI5?
 
 what is more fun than a net vigilante?  a ranting and raving 
 hyperbolic net vigilante.
 




RE: Michael Mooney releases another worm: Law Enforcement /Intelligence Agency's do nothing

2009-04-18 Thread Jo¢
lol, in a virtual world its always nice to have the delete key (:
 

 -Original Message-
 From: Randy Bush [mailto:ra...@psg.com] 
 Sent: Saturday, April 18, 2009 3:10 AM
 To: Jo¢
 Cc: 'andrew.wallace'; 'n3td3v'; nanog@nanog.org
 Subject: Re: Michael Mooney releases another worm: Law 
 Enforcement /Intelligence Agency's do nothing
 
  I have to take this a step back. Your neighbor leaves their window 
  open with a fresh bowl of fish near the window.
 
 what i do is laugh at the fool and hit delete




RE: Fiber cut in SF area

2009-04-10 Thread Jo¢
 
I'm confused, but please pardon the ignorance.
All the data centers we have are at minimum keys to access data areas. Not that every area of fiber should have such, but at least should they? Manhole covers can be keyed. For those of you arguing that this is not enough, I would say at least it's a start. Yes if enough time goes by anything can happen, but how can one argue an ATM machine that has (at times) thousands of dollars stands out 24/7 without more immediate wealth. Perhaps I am missing something here, do the Cops stake out those areas? dunno

Just my 2¢









options for full routing table in 1 year?

2009-04-08 Thread Jo Rhett
I was chatting with someone the other day and we were trying to build  
a complete list of all units which can handle full routing tables 1  
year from now, assuming current 4k/month growth (nevermind de-aggregation)


Juniper M/T-series units could handle 600k before, now 1mil with I-chip upgrade?

Juniper MX-series units are always 1mil

Cisco 6500/7600 with SUP720-3BXL handles 1mil routes

Force10 E300/600/1200 with dual-cam line cards handle 512k routes
Force10 E600/1200 with Exascale (quad-cam) line cards handle 1mil routes

Is there anything I'm forgetting here?

And if you already have one of these units, the upgrades are:

Juniper M-series units can replace the FPIC card to get new I-chip?
...if I understand it, no other cards need replaced

Cisco 6500/7600 you replace SUP32 or SUP720 with SUP720-3BXL
...if I understand it, no other cards need replaced?
	(note that this disagrees with my understanding of how their FIB/CEF  
works so I'm curious about this)


Force10 you replace every single line card, since the entire chassis  
is limited to the smallest CAM size available.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness







[Nanog-futures] An opinion re:issues with heavy-handed moderation

2009-04-07 Thread Jo Rhett
This message is intended for Joe Provo and other members of the  
steering committee.  I am not replying to Gadi.

On Apr 6, 2009, at 1:57 PM, Gadi Evron wrote:
   1. Threads are moderated with no notice to person or mailing
  list, or availability for examination.

I have been moderated on the list recently.  I received notice that I  
was moderated, and on consideration of the topic I agreed with the  
moderation.   Honestly there should be more moderation rather than  
less ;-)

   3. It is very heavy-handed high-key moderation, which is not
  what we ask for on NANOG as far as I understand, unless there
  was a policy change.

It has been what I've been hoping for ;-) So it is certain why *I* ask  
for.

   5. The admin team does not respond to requests for information
  or challenges on this matter (I made one).

I don't know about recently, but a year or so ago I replied to a  
notice that my post was rejected and I got a detailed answer in  
response.  That answer satisfied my curiosity, and even though I  
didn't agree entirely with the decision it was a close enough call  
anyway.   I don't have any problem with the process as I have  
witnessed it.  If it is still being handled in this fashion then I see  
no need for change.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






RE: Nipper and Cisco configuration results

2009-04-02 Thread Jo¢
What IOS version are you using? I don't see that behavior (rlogin/rsh) by default, but I'm a few revisions behind on the latest. @ 12.2
I do see from the router:
RCMD-4-RSHPORTATTEMPT Attempted to connect to RSHELL from 192.168.1.52
from nmaps, but there's no response to the SYN packet of the attempting IP. I think this has been the case since w-a-y earlier versions of IOS for logging levels but not sure at which level.
Looks to only be logging an attempt, no session is made, sort of like a firewall just letting you know there was an attempt. The router gets the request but it falls on deaf ears, no one home. Unless perhaps there's some other sort of flag/bit that can be presented to open that connection (extremely doubtful) I don't believe there's any way to connect.

Perhaps turning down your logging will prevent your testing program from reporting a false positive?
I'd snoop/sniff the traffic and see if your router is SYN/ACK-ing the request of rlogin/rsh to be sure.

<sarcasm>And make sure they're not too close to one another, in case they're using undocumented internal wireless units as a means to complete the connection, those Cisco guys you know..</sarcasm>

Regards
Joe Blanchard

 -Original Message-
 From: Subba Rao [mailto:castellan2004-...@yahoo.com] 
 Sent: Thursday, April 02, 2009 6:33 PM
 To: nanog@nanog.org
 Subject: Nipper and Cisco configuration results
 
 I am using Nipper for verifying my Cisco configuration.  
 Nipper is finding the rlogin service that is not in the 
 configuration.  I have searched the access lists and do not 
 see it anywhere.  The explanation by Nipper about this 
 finding, Telnet protocol implemented by this 
 service is confusing.  Here is the Nipper's output:
 
 __
 Rlogin Service Settings
 
 The Rlogin service enables remote administrative access to a 
 CLI on Cisco Router Devices.  The Telnet protocol implemented 
 by th service is simple and provides no encryption of the 
 network communications between client and the server.  This 
 section details the Rlogin settings.
 
 Description                Setting
 Rlogin Service            Enabled
 Service TCP Port        513
 __
 
 I have checked a few other routers where SSH was not enabled 
 with the same results.
 
 Can someone explain why Nipper is saying Rlogin is enabled 
 when I do not see it in the configuration file?  Is there 
 something else that I need to be looking at?
 
 Thank you in advance for any help.
 
 Subba Rao




RE: Nipper and Cisco configuration results

2009-04-02 Thread Jo¢

Subba,

Sorry, perhaps I am confused about the nature of your question? Did you have ACLs up for logging these attempts and they weren't logged? Or are you asking for help from the Nipper portion of this as to why it's reporting this item.
With my logging turned up to debug I do see entries about RSHPORTATTEMPTs, but I suspect there's a lesser logging for that based on facility.
At 12.3 I don't see any sort of problem with an open Rlogin/Rsh, and I have tested this on a router running a very minimal configuration. Hands out DHCP and does OSPF, but that's about it.

Can you clarify your problem a bit? 

-Joe

 




From: Subba Rao [mailto:castellan2004-...@yahoo.com] 
Sent: Thursday, April 02, 2009 8:25 PM
To: nanog@nanog.org; Jo¢
Subject: RE: Nipper and Cisco configuration results


I did not scan the routers yet with nmap.  These results are from
Nipper analysis.  None of the access lists are showing port 513 as Nipper
is complaining about.  The IOS version is 12.4

Subba Rao


--- On Thu, 4/2/09, Jo¢ jbfixu...@gmail.com wrote:



From: Jo¢ jbfixu...@gmail.com
Subject: RE: Nipper and Cisco configuration results
To: castellan2004-...@yahoo.com, nanog@nanog.org
Date: Thursday, April 2, 2009, 8:18 PM


What IOS version are you using? I don't see that behavior (rlogin/rsh) by default, but I'm a few revisions behind on the latest. @ 12.2
I do see from the router:
RCMD-4-RSHPORTATTEMPT Attempted to connect to RSHELL from 192.168.1.52
from nmaps, but there's no response to the SYN packet of the attempting IP. I think this has been the case since w-a-y earlier versions of IOS for logging levels but not sure at which level.
Looks to only be logging an attempt, no session is made, sort of like a firewall just letting you know there was an attempt. The router gets the request but it falls on deaf ears, no one home. Unless perhaps there's some other sort of flag/bit that can be presented to open that connection (extremely doubtful) I don't believe there's any way to connect.

Perhaps turning down your logging will prevent your testing program from reporting a false positive?
I'd snoop/sniff the traffic and see if your router is SYN/ACK-ing the request of rlogin/rsh to be sure.

<sarcasm>And make sure they're not too close to one another, in case they're using undocumented internal wireless units as a means to complete the connection, those Cisco guys you know..</sarcasm>

Regards
Joe Blanchard

 -Original Message-
 From: Subba Rao [mailto:castellan2004-...@yahoo.com] 
 Sent: Thursday, April 02, 2009 6:33 PM
 To: nanog@nanog.org
 Subject: Nipper and Cisco configuration results
 
 I am using Nipper for verifying my Cisco configuration.  
 Nipper is finding the rlogin service that is not in the 
 configuration.  I have searched the access lists and do
not 
 see it anywhere.  The explanation by Nipper about this 
 finding, Telnet protocol implemented by this 
 service is confusing.  Here is the Nipper's output:
 
 __
 Rlogin Service Settings
 
 The Rlogin service enables remote administrative access to
a 
 CLI on Cisco Router Devices.  The Telnet protocol
implemented 
 by th service is simple and provides no encryption of the 
 network communications between client and the server.
This 
 section details the Rlogin settings.
 
 Description         Setting
 Rlogin Service      Enabled
 Service TCP Port    513
 __
 
 I have checked a few other routers where SSH was not
enabled 
 with the same results.
 
 Can someone explain why Nipper is saying Rlogin is
enabled 
 when I do not see it in the configuration file?  Is there 
 something else that I need to be looking at?
 
 Thank you in advance

RE: Nipper and Cisco configuration results

2009-04-02 Thread Jo¢
Subba,

 I've not heard of or used this product (Nipper) before, so I cannot confirm what the reasoning is for this. I can tell you that based on the captures at the wire this appears to be a false-positive. It appears there is a similar question being asked on their (Nipper's) forums. My guess is it (Nipper) is using the logging from the Cisco devices in error to claim this as an issue. If it's not given access to the Cisco devices other than a network feed not snmp/logins/syslogging/works/etc, I as well as many others would surely be interested.

Forum reference (which hasn't been answered at this time)
Ref:
http://nipper.titania.co.uk/forums/viewtopic.php?f=3t=72sid=8f7bc0ec62d41b09cd977eb7e72d1f6e

I would be interested to know if you find out the reasoning for this, of
course offlist would be fine.

Regards,
-Joe Blanchard




From: Subba Rao [mailto:castellan2004-...@yahoo.com] 
Sent: Thursday, April 02, 2009 9:43 PM
To: nanog@nanog.org; Jo¢
Subject: RE: Nipper and Cisco configuration results


Joe,

Thank you for replying.  I am asking about the Nipper complaint.
Why is Nipper report saying Rlogin is enabled when I don't see any ACL in
the config?

Using IOS 12.4

Cheers,

Subba Rao
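Added as an example for the rlogin/rsh question in this thread (not code from either poster, and not how Nipper itself works, which the thread leaves unanswered): before trusting or dismissing the scanner finding, a reviewer would read the running-config for the lines that actually turn on a remote-shell server or permit a cleartext management transport. The script below does that for the IOS "ip rcmd rsh-enable", "ip rcmd rcp-enable" and "ip rcmd remote-host" commands and for "transport input" under the vty lines. Both configurations are constructed for the demonstration, and the host address is from the RFC 5737 documentation range.

```python
"""Cross-check an IOS configuration for the remote-shell exposure a scanner
might flag.  Added example for the Nipper/rlogin thread; Nipper's own
reasoning is not known here, so this only shows the lines a reviewer would
look at directly in the config: 'ip rcmd' server commands and the
'transport input' setting on the vty lines.  The configs are constructed."""
import re

# IOS server-side rcmd commands (rsh/rcp) and the trust list they rely on.
RCMD_RE = re.compile(r"^ip rcmd (rsh-enable|rcp-enable|remote-host\b.*)$")
# 'transport input' keywords that permit an unencrypted management session.
CLEARTEXT_TRANSPORTS = {"all", "telnet", "rlogin"}


def parse_sections(config: str) -> list:
    """Split an IOS config into (command, [indented sub-commands]) tuples.
    Lines starting with a space belong to the preceding top-level command."""
    sections = []
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
        else:
            sections.append((line.strip(), []))
    return sections


def audit_remote_shell(config: str) -> list:
    """Return human-readable findings about rsh/rcp and cleartext vty access."""
    findings = []
    for command, body in parse_sections(config):
        if RCMD_RE.match(command):
            findings.append(f"rcmd server config present: {command}")
        if command.startswith("line vty"):
            transports = [c for c in body if c.startswith("transport input")]
            if not transports:
                findings.append(f"{command}: no explicit 'transport input' "
                                "(default depends on IOS version)")
            for cmd in transports:
                allowed = set(cmd.split()[2:])
                cleartext = sorted(allowed & CLEARTEXT_TRANSPORTS)
                if cleartext:
                    findings.append(f"{command}: cleartext transport(s) allowed: "
                                    + ", ".join(cleartext))
    return findings


# Constructed sample: a minimal config with rsh enabled and telnet on the vtys.
EXPOSED_CONFIG = """\
version 12.4
hostname edge-router
!
ip rcmd rsh-enable
ip rcmd remote-host admin 192.0.2.10 admin enable
!
line vty 0 4
 transport input telnet ssh
!
end
"""

# The same box with rcmd removed and SSH-only vtys.
HARDENED_CONFIG = """\
version 12.4
hostname edge-router
!
line vty 0 4
 transport input ssh
!
end
"""

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_remote_shell(cfg) or ["no findings"])
```

A router that shows none of these lines and, as suggested earlier in the thread, does not answer a SYN to port 513 in a packet capture is a reasonable basis for filing the scanner result as a false positive. A "transport input" that includes rlogin or telnet, on the other hand, is a finding worth fixing no matter what the scanner called it.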





Re: Yahoo and their mail filters..

2009-03-25 Thread Jo Rhett
On Wed, Mar 25, 2009 at 9:16 AM, Jo Rhett jrh...@netconsonance.com  
wrote:

The problem is... you aren't doing the work.  You aren't stopping the
offenders.  That's the goal.  Automation should be a tool to help  
you do the

job better, not avoid doing the job at all.


On Mar 24, 2009, at 9:00 PM, Suresh Ramasubramanian wrote:

And yes indeed, its a way for us to automate termination of spammers,
and to discover other patterns (in signup methods / spam content etc)
that we can use to update our filters.


That's a great theory.  Would you be willing to post an update to this  
list if and when your technology and automation actually get to the  
point of actually shutting down a spammer?



There's a whole lot of maawg best practices (some work in progress, on
outbound abuse / webmail abuse) that deal with these issues.


No, see, that's the problem.  Best Practices don't deal with abuse  
reports.  Humans deal with abuse reports.  You can collect and sort  
and collate your spam reports all day.  What about the part where a  
human looks at the report, confirms that it is spam, and terminates  
the customer?  You've got to do that.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness







Re: Yahoo and their mail filters..

2009-03-24 Thread Jo Rhett

On Feb 27, 2009, at 7:10 AM, Ken A wrote:
I agree that aol could do a better job of filtering the outbound,  
but I don't think it's a useless system. We get a few dozen from aol  
a day unless we have a real problem.
I see the mother-daughter conversations (worst), the subscribed lazy  
user emails - we encourage our mailing list senders to include unsub  
links - partly to make it easy for _us_ to click and unsub these  
dummies.


And we see the 'real deal' now and then; usually an exploited php  
script being abused by spammers, or someone who has had their  
password sniffed, or stolen.
Most of these are users who travel and don't use secure protocols,  
or have a teenager in the house (the most insecure protocol is  
adolescence). We appreciate aol's efforts, imperfect as they are.



The math here is easy.

1. The time cost of reading AOL's feedback loop was greater than 2  
working hours every day.
2. The number of exploited systems that we received notification about  
was total of 3 in 2 years of reading that loop.

3. Every one of those exploited systems also got SpamCop reports.

365 x 2 years x 2 hours = 1460 hours minimum (because it rarely took  
only 2 hours)
1460 hours of effort / 3 compromises = 487 hours, or 3 months of work  
per compromise.


In short, AOL provided zero value to us.  Because if a SpamCop user is  
reporting valid receipts, I report it back to the SpamCop admins and  
they go have a talk with the user.


NOTE: for a small mail sending provider who controls every mail server  
and customer in their netblock, it probably is useful.  It's just  
useless for colocation providers and generic ISPs.


And let's be honest.   AOL's effort shouldn't be applauded.  It's an  
autobot which sends false spam reports, nothing more and nothing  
less.  Any autobot which sends false spam reports needs to be shut down.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness




Re: Yahoo and their mail filters..

2009-03-24 Thread Jo Rhett

Suresh, in theory I like what you say but this caught my eye:

On Mar 24, 2009, at 6:50 PM, Suresh Ramasubramanian wrote:

though several sites do seem to be consuming it just fine, and we send
high volume feedback loops to hotmail/yahoo/aol etc, and they to us,
without my team having to do anything much manually, it's mostly
automated.



I would like to point out that gmail abuse reports appear to be
entirely ignored.  I've been reporting and re-reporting everything from
spam floods to phishing attacks that were very good looking/tricky to ab...@gmail.com
and report them again in 2 days, report the exact same one again in
2 days, etc.


Yes, you've automated your report processing to the point you don't  
actually have to do any work.


The problem is... you aren't doing the work.  You aren't stopping the  
offenders.  That's the goal.  Automation should be a tool to help you  
do the job better, not avoid doing the job at all.


--
Jo Rhett
an abuse response administrator who reads *every* report sent to us,  
and takes action on *every* one of them.




Re: Yahoo and their mail filters..

2009-02-26 Thread Jo Rhett

On Feb 25, 2009, at 8:14 AM, Ray Corbin wrote:
It depends on your environment. I've seen where it is helpful and
where it is overwhelming. If you are a smaller company and want to
know why you keep getting blocked then those should help. If you are
a larger company and get several hundred a day, but you send 100k
emails to AOL then it is not as big of a deal. If you are a shared
hosting provider and you get a lot of them you should look into what
is being sent to AOL, such as forwarded spam from customers 'auto
forwards' (isolate the auto forwards to a separate IP address and
simply don't sign up for the FBL for it). If you have a good
setup where only customer-originated email is being sent through the
IPs you have a FBL on, then it is useful and you shouldn't get as
many complaints.



Ray, you don't get it.   What comes from AOL is literally every step
in a mother-daughter conversation.  You get to read the entire thread.
Loving chat, mother and daughter back and forth.  But one of them is
hitting SPAM on the e-mail *AFTER* replying to it and writing a nice
letter back.


This is abuse of the abuse department.  This isn't spam.  Reading  
through ~3k of these not-spams every day doesn't help us solve any  
actual abuse problems.


Feedback loops will not be useful until the providers of the feedback  
loops accept reports about use of the spam reporting tools, and are  
willing to go fix their user behavior.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: Atrivo/Intercage

2008-09-24 Thread Jo Rhett

On Sep 23, 2008, at 8:12 PM, Joe Greco wrote:

Which is not acceptable.  You answer your abuse complaints, you shut
down your spammers.  Period, end of subject.


That's a bit '90's.  I'll settle for s/answer/handle/, because I don't
think that most sites are willing to actually discuss abuse issues with
random folks submitting complaints, and so that leaves you with either
sending a form letter of some sort, or not saying anything.


I went out of my way to get it written into our customer contract that  
we can discuss abuse issues with the affected parties.


And I am simply an employee, neither an executive nor an owner, so  
this took a bit of doing.  But it has given me great pleasure the few  
times that we made a mistake with a customer, and I got to tell the  
affected parties that the abuser is now homeless ;-)


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






a vernier of civilization...

2008-09-24 Thread Jo Rhett

On Sep 24, 2008, at 7:24 PM, Randy Bush wrote:

this way lies lynch mobs
shall we at least apply a vernier of civilization?



Randy, I would agree if anything less had ever been effective.

If you have a better idea, please explain to the rest of us.

--  
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: Atrivo/Intercage

2008-09-23 Thread Jo Rhett

On Sep 22, 2008, at 1:33 PM, Tom Sparks (Applied Operations) wrote:

I also don't believe Intercage was complicit in any
net-crime; That's not to say it didn't exist, but more along the lines
of they got lost in the noise of running a business.


Which is not acceptable.  You answer your abuse complaints, you shut  
down your spammers.  Period, end of subject.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: Procedure to Change Nameservers

2008-09-18 Thread Jo Rhett

On Sep 16, 2008, at 3:50 PM, Crist Clark wrote:

I want to change the nameservers for a bunch of domains


Then ask the question on a list related to DNS.

--  
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: Teleglobe appears to be spam-source zombie network?

2008-09-11 Thread Jo Rhett

On Sep 10, 2008, at 6:50 PM, Yann Berthier wrote:

  while there is certainly outdated abuse info for some of our blocks,
  in this particular case the subnet that was allocated to us has
  up-to-date mail+phone info


I'd like to note for anyone else who might make similar mistakes --  
putting valid contact info only in the top level allocation and not  
tied to your organization means that nobody can find it, unless they  
are bored and feel like trying the IP with /25, /24, /23, /22 ... etc  
until they find your working contact info.


Do it right, tie the abuse contact to the organization.  It will show  
up on *all* allocations.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: Teleglobe appears to be spam-source zombie network?

2008-09-11 Thread Jo Rhett

On Sep 10, 2008, at 6:23 PM, Christopher Morrow wrote:

It's possible that in the shuffle of company
renaming/rebranding/rejiggering-of-people they lost this bit in the


Is it just me, or isn't keeping valid contact information on your  
netblocks like, a serious affair?  Something you should get around to  
within a few hours, nevermind a few months since the changes?


I mean seriously.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: an effect of ignoring BCP38

2008-09-11 Thread Jo Rhett

On Sep 6, 2008, at 6:49 AM, k claffy wrote:

do that many networks really allow spoofing?  i used
to think so, based on hearsay, but rob beverly's
http://spoofer.csail.mit.edu/summary.php suggests
things are a lot better than they used to be, arbor's
last survey echoes same.  are rob's numbers inconsistent
with numbers anyone else believes to be true?



I hate to spoil anyone's fantasies about this topic, but yeah.
Nearly everyone does.


I've been in, near, or directly in touch with enough big provider NOCs
in the last year on various DoS attack research issues, and nearly
nobody... that's right NONE of them were using BCP38 consistently.
Name the five biggest providers you can think of.  They ain't doing
it.   Now name the five best transit providers you can think of.  They
ain't doing it either.  (note that all of these claimed to be doing so
in that survey, but during attack research they admitted that it was
only in small deployments)


If someone told me (truthfully) that there was 10% BCP38 compliance  
out there, I'd be surprised given what I have observed.


We don't have a long ways to finish.  We have a long ways to start.   
Finishing isn't even within the horizon yet.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: BCP38 dismissal

2008-09-11 Thread Jo Rhett

On Sep 4, 2008, at 3:22 PM, Gadi Evron wrote:
On that you'll have to speak for yourself.  We have it on every  
customer port ;-)


Now that is interesting. Can you share a bit about your
implementation hardships, costs, customer complaints, etc?



One customer complaint.  Found the customer was looping traffic  
between two uplinks and helped them fix the problem ;-)


Implementation cost: time/labor to implement automatic management of  
ACLs on the customer ports.


Not all that much cost, since we had already developed infrastructure  
to do the same thing for customer configurations.  Maybe 12 hours of  
my time coding and testing.


Honestly, I expected a lot more problems than we've had.  Especially  
given the fallout I'd seen on the networks trying to do it with  
Cisco.  But the Force10 gear didn't even notice the effect, and it's  
been ~2 years since I've even thought much about it.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: Force10 Gear - Opinions

2008-09-11 Thread Jo Rhett

On Sep 5, 2008, at 12:37 PM, Paul Wall wrote:

Jo Rhett wrote:
Note the not random comment.  People love to use the random  
feature of ixia/etc but it rarely displays

actual performance in a production network.


Once upon a time, vendors released products which relied on CPU-based
flow setup.  Certain vintages of Cisco, Extreme, Foundry,
Riverstone, etc come to mind.  These could forward at line rate
under normal conditions. Sufficient randomization on the sources
and/or destinations (DDoS, Windows worm, portscans, ...) and they'd
die a spectacular death.  Nowadays, this is less of a concern, as the

...

Either way, I think it's a good test metric.  I'd be interested in
hearing of why you think that's not the case.  Back on topic, doing a


Yes.  And those problems were fixed in most gear.  What I found *also*  
was that the flow tables tended to fill up, and a lot of gear thrashes  
on the flow tables.  You need real bi-directional sessions to create  
the effect properly in many cases.  (ie Extreme, which handles random  
fine but bidirectional flows proved that too much of the work was  
being done in software)



I have a current spreadsheet here, and trust me your math went wrong
somewhere.  A completely full chassis is only a bit more than what you are
...
But no, I'm not going to redo the math.  I'm not a F10 salesperson and I
have much more important things to do right now.


I'd be interested in seeing where I went wrong, in the interest of
setting the record straight.  The original poster was interested in
how Force 10 stacks up against the competition from a feature and
price prospective.  He deserves some cold science, and I'm trying to
help him out.


I meant what I said, and I wasn't trying to be rude.  There are F10  
people on this mailing list, it would serve you to engage them instead  
of me.  I'm quite happy with my Force10 units but I'm not making any  
commission selling them and I have too much to do to be doing someone  
else's job.



To wit, you said F10 is cheaper than a comparable Cisco 6500 (in a
basic gig-e configuration).  I demonstrated that's not the case.  You
responded with ad-hominem attacks, followed by indifference, and
later, claims of emotional distress; still you refuse to provide any
hard numbers, claiming it's not your job.  Where I come from, people
like that are referred to as sore losers. :)



You're reading a lot more into it than I bothered to think about it.   
I've done the math repeatedly, and Force10 always comes out cheaper  
than Cisco in that scale of port density.  Your numbers looked off to  
me, but letting you know the previous sentence is about all the time I  
can spend on this topic.  Can we kill this now?  Thanks.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: Cisco uRPF failures

2008-09-11 Thread Jo Rhett

On Sep 6, 2008, at 10:20 AM, Anton Kapela wrote:
On Thu, Sep 4, 2008 at 11:35 AM, Jo Rhett [EMAIL PROTECTED] wrote:

That's the surprising thing -- no scenario.  Very basic configuration.
Enabling uRPF and then hitting it with a few gig of non-routable packets
consistently caused the sup module to stop talking on the console, and


What do you mean by 'non routable?'


Should have been dropped by uRPF.


What was the src/dst makeup of the test traffic?


Both random sources and singular sources demonstrated the problem.


What version of code? Also, port-channel/lag or ECMP?


I don't have those details handy now, nor am I likely to anytime  
soon.  If they've been solved in recent code, great.  But I've seen  
nothing in the tech notes.


quickly, but that turns out not to be the case.  To this day I've never


I've never seen the issues you speak of, so it could be
code/platform/config specific.

Also, what sup were you testing?


720s, as said repeatedly.


Forgive me, but what does bits/sec have to do with anything?



The problem only appeared at high bits/sec, as I've said repeatedly.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: BCP38 dismissal

2008-09-11 Thread Jo Rhett

On Sep 7, 2008, at 12:18 AM, Randy Bush wrote:

normally i would have just hit delete.  but your ad hominem attack on
the messenger needs a response.

the reality of life is that he is correct in that attack traffic comes
from legitimate IP sources anyway.

therefore, your first duty should be to keep your hosts from joining the
massive army of botnets.



Having no hosts, I can't do much about that other than use various
good best practices (including BCP38), run IDS units looking for
compromised hosts, and respond quickly to each abuse report if my IDS
doesn't observe it first.


Given that I know of no provider larger than us using BCP38 on every  
port, and no other provider larger than us that responds to every  
abuse report, it would appear that we are top of the class in that  
aspect.


Therefore, when someone says I don't need to do BCP38 because BCP38  
doesn't cause problems for them, I consider them a jerk.  And yeah, I  
feel pretty confident looking down my nose at someone like that.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: an effect of ignoring BCP38

2008-09-11 Thread Jo Rhett

On Sep 11, 2008, at 12:59 AM, Pekka Savola wrote:
A problem I have with these discussions is that everyone has their  
own idea what BCP38 implies.  Others say their loose-mode uRPF  
setups are BCP38.  Others are using strict uRPF or similar (e.g.  
acls). Some think that Tier1 transit operators should apply one of  
the options above to their tier2 customers.  Others think it should  
just be applied at the site-edges.  Some don't consider spoofing  
protection at LAN interface level at all, others call that also  
BCP38.  Etc.


Honestly, *anything* is better than most of what's out there, which is  
*nothing*.


Loose mode uRPF seems (IMHO) pretty much a waste of time and is
confusing the discussion about real spoofing protection.  The added
protection compared to ACLs that drop private and possibly bogons is
not that big and it causes transient losses when the routing tables
are changing.



I disagree.   But I will say that if everyone would apply strict mode  
or ACLs to their end point interfaces, this would likely make most of  
the loose mode irrelevant.


And your arguments about BGP changes affecting loose mode are only  
problematic on the busiest peering ports.  Loose mode works perfectly  
fine with zero drops (even on Cisco) on anything smaller than a full  
feed (ie, that ISP client of yours you do BGP with)


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: an effect of ignoring BCP38

2008-09-11 Thread Jo Rhett

On Sep 11, 2008, at 6:32 AM, Pekka Savola wrote:
FWIW, based on off-list discussion, Jo's disagreement seems to stem  
from a misunderstanding of how loose uRPF works (he didn't know it  
accepts any packet that has a route in the routing table).



Um, no.   Because if you put loose mode uRPF on your edges you aren't  
implementing BCP38 now are you?


I don't care how it is deployed.   That's your job ;-)

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: Cisco uRPF failures

2008-09-11 Thread Jo Rhett

On Sep 11, 2008, at 10:11 AM, Saku Ytti wrote:


On (2008-09-11 00:50 -0700), Jo Rhett wrote:
As someone who does a lot of work talking to NOCs trying to chase down
attack sources, I can honestly tell you that I haven't talked to a
single NOC in the last 16 months who had BCP38 on every port, or even on
most of their ports.  And the majority response is our (vendor) gear
can't handle it.   As we both know, Cisco is the largest by far vendor
in the marketplace, and I've heard that name more than 70% of the time.


Sounds like these shops are using 3550 as router, which is common for
smaller shops, especially in EU. And indeed, 3550 would not do uRPF.
(3560E does).



I don't honestly know.  I do know that in every case it was mentioned  
to me it was either a 6500 or a 7600.

(that it was a Cisco anyway)

But frankly, lack of uRPF doesn't mean that BCP38 is impossible.  My  
generation of Force10 gear can't do uRPF.  Yet we are BCP38 compliant.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness
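The thread above (Pekka's point that loose-mode uRPF accepts any packet whose source has a route, Jo's reply that loose mode on the edges is not BCP38, and Jo's note that BCP38 on gear without uRPF is done with per-customer-port ACLs, as in the "automatic management of ACLs on the customer ports" post earlier) is easier to follow with the three checks side by side. The script below is an added illustration, not code from any poster or vendor: the FIB, the customer prefix assignments and the test packets are constructed (RFC 5737 documentation ranges); the ACL is rendered in IOS-style extended-ACL syntax purely for readability, and the "default route is ignored unless explicitly allowed" behaviour of loose mode is modelled on the usual vendor default and labelled as an assumption in the code.

```python
import ipaddress

# Constructed example FIB for a small provider: prefix -> interface the
# route points out of.  Addresses are RFC 5737 documentation ranges.
FIB = {
    "192.0.2.0/24":    "cust1",     # assigned to customer 1
    "198.51.100.0/24": "cust2",     # assigned to customer 2
    "203.0.113.0/24":  "upstream",  # someone else's network, reached via transit
    "0.0.0.0/0":       "upstream",  # default route
}

# Constructed per-port assignments: the only input a BCP38 ACL generator needs.
CUSTOMER_PREFIXES = {
    "cust1": ["192.0.2.0/24"],
    "cust2": ["198.51.100.0/24"],
}


def lookup(fib, src):
    """Longest-prefix match of src against fib; returns (network, interface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best


def strict_urpf(fib, src, ingress):
    """Strict mode: accept only if the best route back to src leaves via
    the interface the packet arrived on."""
    hit = lookup(fib, src)
    return hit is not None and hit[1] == ingress


def loose_urpf(fib, src, ingress, allow_default=False):
    """Loose mode: accept if any route at all covers src, whatever interface
    it points to.  Assumption: the default route does not count unless
    allow_default is set (with it set, loose mode accepts every source)."""
    hit = lookup(fib, src)
    if hit is None:
        return False
    return allow_default or hit[0].prefixlen > 0


def acl_permits(assignments, src, ingress):
    """Static ingress ACL on a customer port: permit only the prefixes assigned
    to that customer, deny everything else.  Needs no uRPF support at all."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in assignments.get(ingress, []))


def render_acl(assignments, ingress):
    """Render the per-port ACL in IOS-style extended-ACL syntax (illustrative
    only; adapt to the platform's own syntax)."""
    lines = []
    for p in assignments.get(ingress, []):
        net = ipaddress.ip_network(p)
        lines.append(f"permit ip {net.network_address} {net.hostmask} any")
    lines.append("deny ip any any log")
    return lines


# Constructed test packets: (source address, ingress port), all on customer 1's port.
PACKETS = [
    ("192.0.2.10",   "cust1"),  # customer 1's own address: legitimate
    ("198.51.100.7", "cust1"),  # customer 2's address: spoofed, but routed
    ("203.0.113.5",  "cust1"),  # a transit-reachable source: spoofed, but routed
    ("10.9.8.7",     "cust1"),  # RFC 1918 source, covered only by the default route
]


def evaluate(packets=PACKETS):
    """Return {(src, port): {"strict": bool, "loose": bool, "acl": bool}}."""
    return {
        (src, port): {
            "strict": strict_urpf(FIB, src, port),
            "loose": loose_urpf(FIB, src, port),
            "acl": acl_permits(CUSTOMER_PREFIXES, src, port),
        }
        for src, port in packets
    }


if __name__ == "__main__":
    for (src, port), verdict in evaluate().items():
        print(f"{src:>14} on {port}: {verdict}")
    print("\n".join(render_acl(CUSTOMER_PREFIXES, "cust1")))
```

Run it and the two spoofed-but-routed packets are the instructive rows: loose mode passes both, because a route to the source exists somewhere in the table, while strict mode and the static ACL both drop them. The ACL column matches strict mode on every packet, which is the sense in which a platform without uRPF can still be BCP38 compliant, at the cost of regenerating the ACL whenever a customer's assignments change.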






Teleglobe appears to be spam-source zombie network?

2008-09-10 Thread Jo Rhett
We started getting a flood of autobot spam to our listed abuse mailbox  
about an hour ago out of Teleglobe.  Trying to find someone to shut  
this down has found that


1. Teleglobe has no listed abuse contacts for any of their netblocks
2. The few of their records which have listed e-mail addresses all bounce
3. All listed phone numbers on any netblocks we can find are invalid

Any chance that RIPE is more stringent than ARIN and would pull their
netblocks until they fix this stuff?


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Cisco uRPF failures

2008-09-04 Thread Jo Rhett

(changing subject line)

On Sep 3, 2008, at 7:06 PM, Rubens Kuhl Jr. wrote:
This statement is patently false.  The uRPF failures I dealt with were based
entirely on the recommended settings, and were confirmed by Cisco.   Last I
heard (2 months ago) the problems remain.  Cisco just isn't being honest
with you about them.


Would you mind telling us what is the scenario so we can avoid it ?



That's the surprising thing -- no scenario.  Very basic
configuration.  Enabling uRPF and then hitting it with a few gig of
non-routable packets consistently caused the sup module to stop
talking on the console, and various other problems to persist
throughout the unit, ie no arp response.  We were able to simulate
this with two PCs directly connected to a 6500 in a lab.  If I
remember right, we had to enable CEF to see the problem, but since CEF
is a kitchen sink that dozens of other features require you simply
couldn't disable it.


We also discovered problems related to uRPF and load balanced links,  
but those were difficult to reproduce in the lab and we couldn't  
affect their peering, so we had to disable uRPF and ignore so I don't  
have much details.


I kept thinking that this was a serious problem that Cisco would  
address quickly, but that turns out not to be the case.  To this day  
I've never found a network operator using uRPF on Cisco gear.
  (note: network operator. it's probably fine for several-hundred-meg  
enterprise sites)


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: Force10 Gear - Opinions

2008-09-04 Thread Jo Rhett

On Sep 3, 2008, at 8:45 PM, Paul Wall wrote:

Linksys, D-Link, SMC, etc are able to pull it off on the layer 3
switches sold at Fry's for a couple benjamins a pop.  :)





I am.  All of these boxes can forward packets at line rate, and list
for a fraction of the price of the Force 10 S-Series.



You and I (and any real network operator) must have different  
definitions of forward at line rate.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






uRPF

2008-09-04 Thread Jo Rhett

On Sep 4, 2008, at 1:34 AM, Mark Tinka wrote:

catch inbound RFC 1918 and RFC 3330 with ACL's; and just to
see how crazy things get, we stick our own prefixes in
there since we really shouldn't be seeing them as sources
from the wild.



So you are talking single site, or single peering location?

--  
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






BCP38 dismissal

2008-09-04 Thread Jo Rhett

On Sep 4, 2008, at 7:24 AM, James Jun wrote:
Indeed... In today's internet, protecting your own box (cp-policer/control
plane filtering) is far more important IMO than implementing BCP38 when much
of attack traffic comes from legitimate IP sources anyway (see botnets).



I'm sorry, but nonsense statements such as these burn the blood.   
Sure, yes, protecting yourself is so much more important than  
protecting anyone else.


Anyone else want to stand up and join the I am an asshole club?

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: BCP38 dismissal

2008-09-04 Thread Jo Rhett
Count you which way?  You seem to agree with me.  Everyone should be  
doing both, not discounting BCP38 because they aren't seeing an attack  
right now.


On Sep 4, 2008, at 9:50 AM, John C. A. Bambenek wrote:

Count me in.

There is no reason to limit our defenses to the one thing that we
think is important at one instance in time... attackers change and
adapt and multimodal defense is simply good policy.

On Thu, Sep 4, 2008 at 11:45 AM, Jo Rhett [EMAIL PROTECTED] wrote:

On Sep 4, 2008, at 7:24 AM, James Jun wrote:


Indeed... In today's internet, protecting your own box (cp-policer/control
plane filtering) is far more important IMO than implementing BCP38 when much
of attack traffic comes from legitimate IP sources anyway (see botnets).



I'm sorry, but nonsense statements such as these burn the blood.   
Sure, yes,
protecting yourself is so much more important than protecting  
anyone else.


Anyone else want to stand up and join the I am an asshole club?

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and
other randomness








--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: Force10 Gear - Opinions

2008-09-04 Thread Jo Rhett

On Sep 4, 2008, at 10:03 AM, Paul Wall wrote:
You and I (and any real network operator) must have different definitions of
forward at line rate.


forwards a gig-e full of 64 byte packets, random src/dst, when you
hook a smartbits/ixia up to it is mine.  What's yours?



Forwards a mixed bag of small and large packets from tens of thousands  
of streams (not random)


1. at sub-millisecond latency
2. no packet loss at full line rate on multiple ports
3. deals appropriately with multiple ports at full line rate leading  
to a single port


And finally, is responsive to operator control even when full line  
rate is directed at switch itself.


Note the not random comment.  People love to use the random feature  
of ixia/etc but it rarely displays actual performance in a production  
network.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: BCP38 dismissal

2008-09-04 Thread Jo Rhett
Patrick, it would appear that you are insulting me by your choice of  
quotes but from content one would assume you agree with me.  Perhaps  
next time quote the idiot that said attacks BCP38 would stop don't  
happen any more?

(top posted because the thread is already confused)

On Sep 4, 2008, at 10:05 AM, Patrick W. Gilmore wrote:

On Sep 4, 2008, at 12:52 PM, Jo Rhett wrote:

Count you which way?  You seem to agree with me.  Everyone should  
be doing both, not discounting BCP38 because they aren't seeing an  
attack right now.


No one sees attacks that BCP38 would stop?

Wow, I thought things like the Kaminsky bug were big news.  I guess  
all that was for nothing?


(Yes, I am being sarcastic.  Anyone who thinks attacks which BCP 38  
would stop are not happening in the wild is .. I believe the phrase  
used was confused and misinformed.)


--
TTFN,
patrick




On Sep 4, 2008, at 9:50 AM, John C. A. Bambenek wrote:

Count me in.

There is no reason to limit our defenses to the one thing that we
think is important at one instance in time... attackers change and
adapt and multimodal defense is simply good policy.

On Thu, Sep 4, 2008 at 11:45 AM, Jo Rhett [EMAIL PROTECTED] wrote:

On Sep 4, 2008, at 7:24 AM, James Jun wrote:


Indeed... In today's internet, protecting your own box (cp-policer/control
plane filtering) is far more important IMO than implementing BCP38 when much
of attack traffic comes from legitimate IP sources anyway (see botnets).



I'm sorry, but nonsense statements such as these burn the blood.   
Sure, yes,
protecting yourself is so much more important than protecting  
anyone else.


Anyone else want to stand up and join the I am an asshole club?

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and
other randomness








--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness









--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: Force10 Gear - Opinions

2008-09-04 Thread Jo Rhett

On Sep 4, 2008, at 10:07 AM, Paul Wall wrote:
On Thu, Sep 4, 2008 at 12:40 PM, Jo Rhett [EMAIL PROTECTED] wrote:

You added a third SFM3 which has no place to go in this chassis.


No, I did not.  I did, however, list it as a point of reference for
a-la-carte analysis.


So $52,500 versus $62,240 for the Cisco.


No, $65000.00 vs $62240.00.


I have a current spreadsheet here, and trust me your math went wrong  
somewhere.  A completely full chassis is only a bit more than what you  
are quoting (at list) and the chassis itself is practically free.


But no, I'm not going to redo the math.  I'm not a F10 salesperson and  
I have much more important things to do right now.  (not trying to be  
rude, just seriously...)


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: BCP38 dismissal

2008-09-04 Thread Jo Rhett

On Sep 4, 2008, at 10:14 AM, Paul Wall wrote:
On Thu, Sep 4, 2008 at 12:45 PM, Jo Rhett [EMAIL PROTECTED] wrote:
I'm sorry, but nonsense statements such as these burn the blood.   Sure, yes,
protecting yourself is so much more important than protecting anyone else.


Anyone else want to stand up and join the I am an asshole club?


uRPF is important.  But all the uRPF in the world won't protect you
against a little tcp/{22,23,179} SYN aimed at your Force 10 box.

Ya know what I mean?



No.  Because our F10s aren't susceptible to that, period.  I think
this whole control panel policing is flat out wrong, but honestly to
argue that point I'd have to do some research into what Cisco is doing
these days (never had most of the good anti-dos and flood-control
stuff F10 has last time I looked) and frankly, it's not within my
scope of work so I left that alone.


The focus of my comment was on the BCP38 isn't important, because  
*THAT* is something that causes grief for me (and everyone) in the day  
job.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: BCP38 dismissal

2008-09-04 Thread Jo Rhett

On Sep 4, 2008, at 10:14 AM, james wrote:

OK, I'm an asshole. I'm sure BCP38 can prove to be useful
I guess being an asshole is not so bad given that I have
plenty of company.



It is unfortunately true that you do have lots of company.  If I could  
get away with dropping all routes from people like you I'd be a lot  
happier.  (and we'd all be a lot safer)


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: BCP38 dismissal

2008-09-04 Thread Jo Rhett

On Sep 4, 2008, at 12:38 PM, Gadi Evron wrote:
Seriously though, everyone should take care of their own end first.
The problem is Jo doesn't seem to be in the loop on attacks from
recent years, but I am unsure he would change his mind if he was.



Nice going, Gadi -- let's insult someone who does a good job of  
protecting your network from his customers.


I spend at least 8 hours a week tracking down attacks originating from  
non-BCP38 networks.  This is still a real problem, and the idea that  
BCP-38 is some fad that is irrelevant now ... I have no words for this  
kind of idiocy.  Everyone should be doing BCP-38.  Why don't you apply  
this to your network, instead of sitting around insulting people for  
your incorrect assumptions about their job?


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






Re: BCP38 dismissal

2008-09-04 Thread Jo Rhett

On Sep 4, 2008, at 2:56 PM, Gadi Evron wrote:
I apologize for making an incorrect assumption and apparently
insulting you.
My assumption was based on the threading in the email I replied to,
as what you write here completely contradicts what was written there.


Yeah, I think the threading was getting confused quite a bit.

So, we all support BCP38 and nothing really changed from the last  
time we all had this discussion about why most of us don't use it.



On that you'll have to speak for yourself.  We have it on every  
customer port ;-)


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





