Re: The state of TACACS+
Change the root when any senior person leaves. It shouldn't be known to a large set of staff members. During the bubble-burst RIFs we were changing them on 40k+ devices every week. Make sure you verify the pass before disconnecting the login acct making the change. Also make sure you understand the AAA process well when trying to do this so that you don't lock yourself out.

On December 29, 2014 10:32:51 AM EST, Colton Conor colton.co...@gmail.com wrote:

Scott, thanks for the response. How do you make sure the failsafe and/or root password that is stored in the device in case remote auth fails can't be accessed without having several employees engaged? Are there any mechanisms for doing so? My fear would be we would hire an outsourced tech. After a certain amount of time we would have to let this part-timer go, and would disable his or her username and password in TACACS. However, if that tech still knows the root password they could still remotely login to our network and cause havoc. The thought of having to change the root password on hundreds of devices every time an employee is let go doesn't sound appealing either. To make matters worse we are using an outsourced firm for some network management, so the case of hiring and firing is fairly consistent.

On Mon, Dec 29, 2014 at 9:22 AM, Scott Helms khe...@zcorum.com wrote:

Colton, yes, that's the 'normal' way of setting it up. Basically you still have to configure a root user, but that user name and password is kept locked up and only accessed in case of catastrophic failure of the remote authentication system. An important note is to make sure that the fail-safe password can't be accessed without having several people engaged, so it can't be used without many people knowing.

Scott Helms
Vice President of Technology
ZCorum
(678) 507-5000
http://twitter.com/kscotthelms

On Mon, Dec 29, 2014 at 10:15 AM, Colton Conor colton.co...@gmail.com wrote:

We are able to implement TACACS+. It is my understanding this is a fairly old protocol, so are you saying there are numerous bugs that still need to be fixed? A question I have is TACACS+ is usually hosted on a server, and networking devices are configured to reach out to the server for authentication. My question is what happens if the device can't reach the server because the device's network connection is offline? Our goal with TACACS+ is to not have any default/saved passwords. Every employee will have their own username and password. That way if an employee gets hired/fired, we can enable or disable their account. We are trying to avoid having any organization-wide or network-wide default username or password. Is this possible? Do the devices keep a log of the last successful username/password combinations that worked in case the device goes offline?

On Sun, Dec 28, 2014 at 5:02 PM, Robert Drake rdr...@direcpath.com wrote:

Picking back up where this left off last year, because I apparently only work on TACACS during the holidays :)

On 12/30/2013 7:28 PM, Jimmy Hess wrote:

Even 5 seconds extra for each command may hinder operators, to the extent it would be intolerable; shell commands should run almost instantaneously. This is not a GUI with an hourglass. Real-time responsiveness in a shell is crucial --- which remote auth should not change. Sometimes operators paste a buffer with a fair number of commands, not expecting a second delay between each command --- a repeated delay may also break a pasted sequence. It is very possible for two of three auth servers to be unreachable, in case of a network break, but that isn't necessary. The response timeout might be 5 seconds, but in reality, there are cases where you would wait longer, and that is tragic, since there are some obvious alternative approaches that would have had results that would be more 'friendly' to the interactive user. (Like remembering which server is working for a while, or remembering that all servers are down -- for a while, and having a 50ms timeout, with all servers queried in parallel, instead of a 5 seconds timeout)

I think this needs to be part of the specification. I'm sure the reason they didn't do parallel queries was because of both network and CPU load back when the protocol was drafted. But it might be good to have local caching of authentication so that can happen even when servers are down or slow. Authorization could be updated to send the permissions to the router for local handling. Then if the server dies while a session is open only accounting would be affected. That does increase the vendors'/implementors' work, but it might be doable in phases and with partial support, with the clients and servers negotiating what is possible. The biggest drawback to making things like this better is you don't gain
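The fail-over policy Jimmy Hess sketches and Robert Drake picks up (query every server in parallel with a short timeout, remember which server answered for a while, remember that all of them are down for a while, and only then fall back to the emergency account stored on the box) as a runnable Python model. This is an added example, not code from the thread or from any TACACS+ client or server; the SimServer and AAAClient classes, the timeout constants and the constructed "emergency" account are assumptions made here, and the servers are simulated in-process rather than spoken to over the network.

```python
"""
Model of the AAA-client fail-over behaviour discussed in the thread:
parallel queries with a short timeout, a remembered preferred server,
a remembered "everything is down" period, and local fallback last.

Added illustration only: not code from any TACACS+ implementation.
Servers are in-process stand-ins; timeouts are seconds, scaled down
so the demo runs quickly.
"""
import hmac
import time
from concurrent.futures import FIRST_COMPLETED, ThreadPoolExecutor, wait

QUERY_TIMEOUT = 0.05   # the "50 ms" the thread proposes, not the usual 5 s
PREFER_TTL = 30.0      # how long to keep using a server that answered
DEADTIME = 30.0        # how long to assume every server is unreachable


class SimServer:
    """Constructed stand-in for an auth server.  If responds is False it
    hangs well past the client timeout, like a server behind a broken link."""

    def __init__(self, name, responds, latency=0.0, verdict=True):
        self.name, self.responds = name, responds
        self.latency, self.verdict = latency, verdict

    def authenticate(self, user, password):
        if not self.responds:
            time.sleep(QUERY_TIMEOUT * 4)   # never answers in time
            return None
        time.sleep(self.latency)
        return self.verdict                 # True = permit, False = deny


class AAAClient:
    def __init__(self, servers, local_accounts):
        self.servers = list(servers)
        # emergency account(s) kept on the device; a real device stores a
        # hash, this model keeps the constructed plaintext for brevity
        self.local_accounts = local_accounts
        self.preferred = None               # (server, expiry) once one answers
        self.all_down_until = 0.0           # dead-time after a total outage
        # generous pool so hung queries never block a fresh one
        self.pool = ThreadPoolExecutor(max_workers=4 * len(self.servers))

    def _ask(self, servers, user, password):
        """Query servers in parallel; return (server, verdict) from the first
        that answers within QUERY_TIMEOUT, or None if none does."""
        futures = {self.pool.submit(s.authenticate, user, password): s
                   for s in servers}
        pending = set(futures)
        deadline = time.monotonic() + QUERY_TIMEOUT
        while pending:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            done, pending = wait(pending, timeout=remaining,
                                 return_when=FIRST_COMPLETED)
            for fut in done:
                verdict = fut.result()
                if verdict is not None:
                    return futures[fut], verdict
        return None

    def _local(self, user, password):
        stored = self.local_accounts.get(user, "")
        return bool(stored) and hmac.compare_digest(stored.encode(),
                                                    password.encode())

    def authenticate(self, user, password):
        """Return (source, allowed); source is a server name or 'local'."""
        now = time.monotonic()
        if now < self.all_down_until:       # inside dead-time: don't even try
            return "local", self._local(user, password)
        if self.preferred and now < self.preferred[1]:
            hit = self._ask([self.preferred[0]], user, password)
            if hit:
                return hit[0].name, hit[1]
            self.preferred = None           # it stopped answering; re-probe all
        hit = self._ask(self.servers, user, password)
        if hit:
            self.preferred = (hit[0], now + PREFER_TTL)
            return hit[0].name, hit[1]
        self.all_down_until = now + DEADTIME   # remember the outage
        return "local", self._local(user, password)


if __name__ == "__main__":
    # constructed scenario: one server unreachable, one healthy
    client = AAAClient([SimServer("tac1", responds=False),
                        SimServer("tac2", responds=True, latency=0.01)],
                       local_accounts={"emergency": "example-only"})
    print(client.authenticate("alice", "hunter2"))
    outage = AAAClient([SimServer("tac1", False), SimServer("tac2", False)],
                       local_accounts={"emergency": "example-only"})
    print(outage.authenticate("emergency", "example-only"))
```

The point for Colton's worry about the stored root password is visible in the control flow: the local account is consulted only on the dead-time path, which is exactly the event a device should log and alert on, and a short-timeout parallel probe means the operator's pasted command buffer stalls for tens of milliseconds rather than seconds before that path is taken. The "local caching of authentication" Robert Drake suggests would replace `_local` with a cache keyed on recently accepted users; this model deliberately stops at the emergency account so it stays within what the thread describes.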
Re: Andros Island Connectivity?
Doesn't Cable Bahamas sell in Andros?

Warren Bailey wbai...@satelliteintelligencegroup.com wrote:

I suggested VSAT. Probably the quickest and cheapest.

Sent from my T-Mobile 4G LTE Device

Original message
From: Mike Lyon mike.l...@gmail.com
Date: 04/30/2013 1:35 PM (GMT-08:00)
To: Aaron C. de Bruyn aa...@heyaaron.com, memb...@wispa.org
Cc: NANOG mailing list nanog@nanog.org
Subject: Re: Andros Island Connectivity?

Aaron, cross-posting this over to the WISPA list to see if there are any Wireless ISPs over there that can help you. -Mike

On Tue, Apr 30, 2013 at 1:28 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote:

I just had a client drop an interesting requirement on me. They are on Andros Island (Bahamas) for about a year. I'm working on getting an exact address from the adminisphere above me, but all I've been told so far is they are 'near the naval base'. They just called and said "We need internet access yesterday." None of the people on-site are technical, and all their data is accessed via RDP on a server in the United States. Having never been there, I have no idea if it's like downtown San Francisco where the internet grows on trees, or if it's like the Sahara desert which might require dragging your own fiber in on camelback... Does anyone have pointers on who to talk to or how I can get them internet access? -A

-- Mike Lyon 408-621-4826 mike.l...@gmail.com http://www.linkedin.com/in/mlyon

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: Typical additional latency for CGN?
Owen DeLong o...@delong.com wrote:

On Oct 7, 2012, at 3:18 PM, Cameron Byrne cb.li...@gmail.com wrote:

On Oct 7, 2012 1:48 PM, Tom Limoncelli t...@whatexit.org wrote:

Have there been studies on how much latency CGN adds to a typical internet user? I'd also be interested in anecdotes.

Anecdote: sub-millisecond, with full load (gigs and gigs). CGN does not meaningfully add latency. CGN is not enough of a factor to impact happy eyeballs in a way that improves IPv6 use.

I've seen theoretical predictions but by now we should have measurements from early-world deployments.

Most mobile providers have been doing what is commonly called CGN for 5 to 10 years. CGN is not a new concept or implementation for mobile.

True, but, as we have discussed before, mobile users, especially in the US, have dramatically lowered expectations of internet access from their mobile devices vs. what they expect from a household ISP. We expect half the services we want to be crippled by mobile carriers because they don't like competition. We file lawsuits when that happens on our terrestrial connections. Owen

Except now you have to do mediation, since class action lawsuits are now null and void. :)

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
RE: guys != gender neutral
Intention is everything; words are only part of it. If you can't determine intention and you get upset, then it is you that has the problem. Ask, or let it go and assume the best intentions. The world would be a lot better off if we all did this.

Lorell Hathcock lor...@hathcock.org wrote:

We may not all be guys. We may not all be gals. But we are definitely all CLOWNS. This is a substitution that should be acceptable to all and it really works. Sales-clown. Yep! Mail-clown. Yep! Fire-clown. Yep! Police-clown. Yep! Congress-clown. Yep! Yep!

-----Original Message-----
From: Landon Stewart [mailto:lstew...@superb.net]
Sent: Thursday, September 27, 2012 3:56 PM
To: Owen DeLong
Cc: nanog@nanog.org
Subject: Re: guys != gender neutral

On 27 September 2012 11:34, Owen DeLong o...@delong.com wrote:

When did "people" stop being an acceptable gender-neutral substitute for {guys,gals}? Owen

Using the word 'people' is good but I like to say 'humans'. "What's up humans?" "Can I get you humans to drink?" This rarely offends anyone.

-- Landon Stewart lstew...@superb.net Sr. Administrator Systems Engineering Superb Internet Corp - 888-354-6128 x 4199 Web hosting and more "Ahead of the Rest": http://www.superbhosting.net

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: IPv6 Ignorance
I agree with the way you are looking at it. I know it sounds impressive to talk about hosts, but in IPv6 all that matters is how many subnets I have and how clean my aggregation levels are, to avoid large wastes of subnets. Host addressing is not an issue or concern. So to talk about 128 bits instead of the reality of the 64 is silly.

Owen DeLong o...@delong.com wrote:

On Sep 16, 2012, at 20:23, Randy Bush ra...@psg.com wrote:

[ yes, there are a lot of idiots out there. this is not new. but ]

We are totally convinced that the factors that made IPv4 run out of addresses will remanifest themselves once again, and likely sooner than a lot of us might expect given the Recommendations for Best Practice deployment.

while i am not totally convinced, i am certainly concerned. we are doing many of the same things all over again. remember when rip forced a homogeneous, often classful, mask length in a network and we chewed through /24s? think /64 in ipv6, except it's half the bits not 1/4 of them. remember when we gave out As and Bs willy nilly? look at the giant swaths of v6 we give out today in the hopes that someone will deploy it. and don't bs me with how humongous the v6 address space is. we once thought 32 bits was humongous. randy

We thought 32 bits was humongous in the context of a research project that would connect universities, research institutions and some military installations. In that context, 32 bits would still be humongous. Our estimation of humongous didn't change; the usage of the network changed dramatically. The experiment escaped from the laboratory and took on a life of its own. Once that happened, the realization that 32 bits wasn't enough was very nearly immediate. The IPv6 address space offers 61 bits of network numbers, each of which holds up to 64 bits worth of hosts. Obviously you never want to fill one of those subnets (nor could you with any available hardware), but it means that you don't have to waste time thinking about rightsizing network assignments. I won't say we will never run out of IPv6 address space, but I will say that I'll be surprised if IPv6 doesn't hit a different limit first. Guess what... If it turns out that our current behavior with respect to IPv6 addresses is ill-advised, then we have 6+ more copies of the current IPv6 address space where we can try different allocation strategies. Rather than fretting about the perils of using the protocol as intended, let's deploy it, get a working end-to-end internet and see where we stand. Owen

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
Re: using reserved IPv6 space
If it is a hostile lab environment, then pre-decide on the address space to be used by the company and auto-include that into all production routers' policies to drop it like a hot potato covered in lava.

Brandon Ross br...@pobox.com wrote:

On Fri, 13 Jul 2012, Owen DeLong wrote:

On Jul 13, 2012, at 4:24 PM, Randy Bush wrote:

keep life simple. use global ipv6 space. randy

Though it is rare, this is one time when I absolutely agree with Randy.

It's even more rare for me to agree with Randy AND Owen at the same time.

-- Brandon Ross Yahoo AIM: BrandonNRoss +1-404-635-6667 ICQ: 2269442 Schedule a meeting: https://tungle.me/bross Skype: brandonross
Re: job screening question
I agree. Let the person talk, do a few probing questions based off what they say. If you yourself have any value you should be able to tell if they have a chance. Also I would prefer someone who says "I don't know for sure, but maybe something along these lines," and then wants to know the right answer. Passion is also important; if you are willing to hire someone who is in it for just a paycheck, save yourself the headache and get a contractor.

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Matthew Palmer mpal...@hezmatt.org wrote:

On Thu, Jul 05, 2012 at 11:04:05PM -0400, Robert E. Seastrom wrote:

Diogo Montagner diogo.montag...@gmail.com writes:

For screening questions (for 1st level filtering), IMO, the questions have to be straight to the point, for example: 1) What is the LSA number for an external route in OSPF? This can have two answers: 5 or 7. So, I will accept if the candidate answers 5, 7, or 5 and 7. Later on (the next level of the interview), a technical interviewer will check if the candidate understands the differences between LSA 5 and 7.

Frankly, this feels a bit like asking what the 9th byte in an IP header is used for (it's TTL, but who's, uh, counting?) -- "That's why God gave us packet analyzers" should be counted as an acceptable answer. If not, you'll find yourself skipping over plenty of extremely well qualified candidates in favor of those who have crammed recently for some sort of exam in hopes of compensating for their short CV.

Ugh, I know someone (thankfully no longer a current colleague) who ardently *defends* his use of questions like "what does the -M option to ps do?" on the basis that "any senior person who knows what they're doing should know all the options to ps!". No, you useless tit, anyone who knows what they're doing should know how to read a bloody manpage. Trivia tests get you hiring people who know trivia. Knowing trivia has its productivity benefits, but if you can't apply it, it's useless.

- Matt

-- Politics and religion are just like software and hardware. They all suck, the documentation is provably incorrect, and all the vendors tell lies. -- Andrew Dalgleish, in the Monastery
Re: ZOMG: IPv6 a plot to stymie FBI !!!11!ONE!
It's about time and cost. If it's an emergency situation, trying to guess who might own the address wastes time getting confirmation, if it is a complete guessing game. Then a warrant has to be gotten. You need to know who to put on the warrant to make a request.

Cameron Byrne cb.li...@gmail.com wrote:

But whois info is really the linchpin for LEAs trying to find criminals? I find that very hard to believe. CB
Re: Dear Linkedin,
My biggest problem still is the multiple-computer issue. I am on at least 3-5 physical computers, 1-20 virtual machines, and 2 cellphones a day. I honestly do not want to store a database of passwords, encrypted or not, on an open service. As I have never had a virus or malware on any of my computers in the last 20-something years, I trust my local machine/network more. The problem is it creates a distribution problem that is painful and tedious to deal with. So I stick with 10-15 long reasonably secure passwords that get used for stuff that just doesn't matter because there is an assumed no security (Facebook, LinkedIn, whatever; and honestly who cares if this stupid stuff is hacked, it's really just to avoid the hassle it would cause) and 1 unique password per critical site (bank, benefits, financials). I store them on a local 3x3 levels of encrypted virtual drives with (2) 32-48 remembered passwords to access them just in case I forget any. Then I lock the 2 passwords up in a safe in a sealed envelope just in case something happens to me. If you are cautious on what and where you use them, you honestly only need to change the criticals once a year or if there is a security event; heck, outside of the bank account, I almost never login to any of the other accounts except to change the password. And for all other internet stuff, who cares; the assumption is it will be hacked, so don't put stuff on the open internet that you don't want the entire world to know.
Re: Quad-A records in Network Solutions ?
I agree, but in a big company it generally would cost at least tens of thousands of dollars just for training alone. The time away from the phones that would have to be covered would exceed that. Let's say you had 8000 phone staff and they were getting $10/hr and training took an hour. That is 80k coverage expenses alone. For a large company I would expect a project budget of at least 250k minimal. And probably more if the company exceeds 50,000 employees.

Arturo Servin arturo.ser...@gmail.com wrote:

Another reason to not use them. Seriously, if they cannot expend some thousands of dollars (because it shouldn't be more than that) in touching code, (hopefully) testing that code, deploying it, training customer support staff to answer questions, updating documentation, etc., I cannot take them as a serious provider for my names. Regards, .as

On 28 Mar 2012, at 21:16, John T. Yocum wrote:

On 3/28/2012 12:13 PM, Carlos Martinez-Cagnazzo wrote:

I'm not convinced. What you mention is real, but the code they need is little more than a regular expression that can be found on Google and a 20-line script for testing lames. And a couple of weeks of testing, and I think I'm exaggerating. If they don't want to offer support for it, they can just put up some disclaimer. regards, Carlos

On 3/28/12 3:55 PM, David Conrad wrote:

On Mar 28, 2012, at 11:47 AM, Carlos Martinez-Cagnazzo wrote:

I'm not a fan of conspiracy theories, but, c'mon. For a provisioning system, an AAAA record is just a fragging string, just like any other DNS record. How difficult to support can it be?

Of course it is more than a string. It requires touching code, (hopefully) testing that code, deploying it, training customer support staff to answer questions, updating documentation, etc. Presumably Netsol did the cost/benefit analysis and decided the potential increase in revenue generated by the vast hordes of people demanding IPv6 (or the potential loss in revenue as the vast hordes transfer away) didn't justify the expense. Simple business decision. Regards, -drc

That's assuming their system is sanely or logically designed. It could be a total disaster of code, which makes adding such a feature a major pain. --John
Re: Muni Fiber
Hmm, even most urban environments aren't worth deploying in or are probably marginal profit. So I would expect 30-45% of the population of the US to not be worth or marginally worth deploying. I am assuming most urban less than 250k and probably spread out. Not to mention to provide transit without services to residential is a margins game to begin with, and without at least a 20-30% take rate it probably isn't worth the cost of L3 infrastructure. On the other hand, for actual dense urban environments it makes perfect sense as long as they are willing to maintain it. I see the possibilities, but have a gut feeling it would become a political mess and unreliable, not to mention cost us more than we pay now.

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Leo Bicknell bickn...@ufp.org wrote:

In a message written on Sun, Mar 25, 2012 at 05:29:04PM +0100, Nick Hilliard wrote:

most of the expense of laying fibre is associated with ducting + wayleave. Once you have that in place, blowing new fibre is relatively inexpensive. So rather than amortising the cost according to the lifetime of the fibre, it makes much more sense to amortise over the lifetime of the ducting.

Maybe. In rural deployments it's much more likely the fiber is aerial; it's far cheaper to attach to existing poles with few cables on them than it is to bury the fiber. Even in urban areas where buried duct is the norm, being able to use old ducts varies a lot with the geography and how active the area is to other development. I've seen plenty of ducts where it had been cut and repaired several times before use, so that running a new cable through it was impossible and it simply had to be replaced. In other locations 20 years later a new cable goes through like butter. But I think it's all a bit of a tangent; when talking about _residential_ fiber it's prudent to run 2-6 strands to every home day one, and then, well, there's basically never a point in running more. The chance of blowing more fiber down the duct later is near zero. It's also why I'm not a fan of *PON schemes; eliminate the splitter and run a single star topology. 20 years from now Petabit optics will look different than today's GigE in some way, but I'll bet money they are tuned to run on single mode fiber. They may not like the splitters and the like though. By doing a star back to a wiring center you enable all technologies. GPON today, direct GigE or 10GE where necessary, and all future technologies.

-- Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Re: last mile, regulatory incentives, etc (was: att fiber, et al)
Any details on how much this cost? Maybe I just missed it in the article. 40k. It sounds interesting, but in the US this would only make sense in cities and most people don't live in MDUs. Where I live a lot of people's driveways are a mile or two long.

Marcel Plug marcelp...@gmail.com wrote:

This article from Ars Technica is right on topic. It's about how the city of Amsterdam built an open-access fibre network. It seems to me this is the right way to do it, or at least very close to the right way. http://arstechnica.com/tech-policy/news/2010/03/how-amsterdam-was-wired-for-open-access-fiber.ars -Marcel

On Fri, Mar 23, 2012 at 11:35 PM, valdis.kletni...@vt.edu wrote:

On Fri, 23 Mar 2012 14:18:26 -1000, Michael Painter said:

The indication of above average or below average is based on a comparison of the actual test result to the current NTIA definition of broadband which is 768 kbps download and 200 kbps upload. Any test result above the NTIA definition is considered above average, and any result below is considered below average.

That's the national definition of broadband that we're stuck with. To show how totally cooked the books are, consider that when they compute percent of people with access to residential broadband, they do it on a per-county basis - and if even *one* subscriber in one corner of the county has broadband, the entire county counts.
Re: last mile, regulatory incentives, etc (was: att fiber, et al)
Lol, too early in the morning; that much for so few, but if you are going to govt-fund copper replacement, it's probably the way to go. Not sure how costly that would be in the US since even in the cities there are a lot of duplexes.

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Joseph Snyder joseph.sny...@gmail.com wrote:

Any details on how much this cost? Maybe I just missed it in the article. 40k. It sounds interesting, but in the US this would only make sense in cities and most people don't live in MDUs. Where I live a lot of people's driveways are a mile or two long.

Marcel Plug marcelp...@gmail.com wrote:

This article from Ars Technica is right on topic. It's about how the city of Amsterdam built an open-access fibre network. It seems to me this is the right way to do it, or at least very close to the right way. http://arstechnica.com/tech-policy/news/2010/03/how-amsterdam-was-wired-for-open-access-fiber.ars -Marcel

On Fri, Mar 23, 2012 at 11:35 PM, valdis.kletni...@vt.edu wrote:

On Fri, 23 Mar 2012 14:18:26 -1000, Michael Painter said:

The indication of above average or below average is based on a comparison of the actual test result to the current NTIA definition of broadband which is 768 kbps download and 200 kbps upload. Any test result above the NTIA definition is considered above average, and any result below is considered below average.

That's the national definition of broadband that we're stuck with. To show how totally cooked the books are, consider that when they compute percent of people with access to residential broadband, they do it on a per-county basis - and if even *one* subscriber in one corner of the county has broadband, the entire county counts.
Re: last mile, regulatory incentives, etc (was: att fiber, et al)
For those who didn't Google it: http://www.ftthcouncil.org/en/knowledge-center/case-studies/amsterdam-city-fiber-project-analysis

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Joseph Snyder joseph.sny...@gmail.com wrote:

Lol, too early in the morning; that much for so few, but if you are going to govt-fund copper replacement, it's probably the way to go. Not sure how costly that would be in the US since even in the cities there are a lot of duplexes.

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Joseph Snyder joseph.sny...@gmail.com wrote:

Any details on how much this cost? Maybe I just missed it in the article. 40k. It sounds interesting, but in the US this would only make sense in cities and most people don't live in MDUs. Where I live a lot of people's driveways are a mile or two long.

Marcel Plug marcelp...@gmail.com wrote:

This article from Ars Technica is right on topic. It's about how the city of Amsterdam built an open-access fibre network. It seems to me this is the right way to do it, or at least very close to the right way. http://arstechnica.com/tech-policy/news/2010/03/how-amsterdam-was-wired-for-open-access-fiber.ars -Marcel

On Fri, Mar 23, 2012 at 11:35 PM, valdis.kletni...@vt.edu wrote:

On Fri, 23 Mar 2012 14:18:26 -1000, Michael Painter said:

The indication of above average or below average is based on a comparison of the actual test result to the current NTIA definition of broadband which is 768 kbps download and 200 kbps upload. Any test result above the NTIA definition is considered above average, and any result below is considered below average.

That's the national definition of broadband that we're stuck with. To show how totally cooked the books are, consider that when they compute percent of people with access to residential broadband, they do it on a per-county basis - and if even *one* subscriber in one corner of the county has broadband, the entire county counts.
Re: last mile, regulatory incentives, etc (was: att fiber, et al)
USF is more of a free-for-all to get ISPs to build in 80% of the locations that nobody would build in in their right mind, vs. the mini-monopoly model for L2 that I equate this with.

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Owen DeLong o...@delong.com wrote:

We've been funding it for years without getting it because of the stupid way in which it has been funded. I suggest you look into USF in more detail. Owen

On Mar 24, 2012, at 6:06 AM, Joseph Snyder wrote:

Lol, too early in the morning; that much for so few, but if you are going to govt-fund copper replacement, it's probably the way to go. Not sure how costly that would be in the US since even in the cities there are a lot of duplexes.

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Joseph Snyder joseph.sny...@gmail.com wrote:

Any details on how much this cost? Maybe I just missed it in the article. 40k. It sounds interesting, but in the US this would only make sense in cities and most people don't live in MDUs. Where I live a lot of people's driveways are a mile or two long.

Marcel Plug marcelp...@gmail.com wrote:

This article from Ars Technica is right on topic. It's about how the city of Amsterdam built an open-access fibre network. It seems to me this is the right way to do it, or at least very close to the right way. http://arstechnica.com/tech-policy/news/2010/03/how-amsterdam-was-wired-for-open-access-fiber.ars -Marcel

On Fri, Mar 23, 2012 at 11:35 PM, valdis.kletni...@vt.edu wrote:

On Fri, 23 Mar 2012 14:18:26 -1000, Michael Painter said:

The indication of above average or below average is based on a comparison of the actual test result to the current NTIA definition of broadband which is 768 kbps download and 200 kbps upload. Any test result above the NTIA definition is considered above average, and any result below is considered below average.

That's the national definition of broadband that we're stuck with. To show how totally cooked the books are, consider that when they compute percent of people with access to residential broadband, they do it on a per-county basis - and if even *one* subscriber in one corner of the county has broadband, the entire county counts.
Re: Verizon FiOS - is BGP an option?
I will just say no on all parts of this current part of the conversation and leave it at that. - j

Curtis Maurand cmaur...@xyonet.com wrote:

On 3/14/2012 9:00 PM, Robert E. Seastrom wrote:

Christopher Morrow morrowc.li...@gmail.com writes:

On Wed, Mar 14, 2012 at 8:14 PM, Robert E. Seastrom r...@seastrom.com wrote:

Faisal Imtiaz fai...@snappydsl.net writes:

I am not familiar with VZ's FIOS network... however I suspect that if they are using a Redback at the headend, it would allow you to have a 'bridge' network with secure ARP settings. (It's a feature that we have seen on Redbacks...)

AFAIK Verizon does not use Redback/Ericsson stuff for FIOS and never has. A cursory survey of two (older, BPON, Tellabs) builds found ethernet OUI 00:90:1a, i.e. Juniper ERX.

yes, all edge boxes for FIOS are ERX... better support for CALEA there was one of the major drivers.

So it was _one_ of the drivers, but was it a more major driver than "for the love of God, not Redback!"? :)

The last I knew, Verizon was an Alcatel house for switching and Alcatel managed to get TCP/IP into their switching gear. So I'm left to wonder. --C
Re: Megaupload.com seized
I would disagree; to me I would guess that the court would interpret the disabling of access or removal to refer to the material and not the URL. The URL is just a reference to the material in question. If you build a bashing system that does not let you comply with the law, that becomes your problem, not the court's. If you show good faith, explain the issue and propose a reasonable timeline to resolve the issue, or show financial hardship and appeal to the court for more time, then you can avoid a lot of headaches.

Nick B n...@pelagiris.org wrote:

I just made the brain-melting mistake of trying to read the DMCA. The text which jumps out at me is:

`(2) EXCEPTION- Paragraph (1) shall not apply with respect to material residing at the direction of a subscriber of the service provider on a system or network controlled or operated by or for the service provider that is removed, or to which access is disabled by the service provider, pursuant to a notice provided under subsection (c)(1)(C), unless the service provider-- `(A) takes reasonable steps promptly to notify the subscriber that it has removed or disabled access to the material; `(B) upon receipt of a counter notification described in paragraph (3), promptly provides the person who provided the notification under subsection (c)(1)(C) with a copy of the counter notification, and informs that person that it will replace the removed material or cease disabling access to it in 10 business days; and `(C) replaces the removed material and ceases disabling access to it not less than 10, nor more than 14, business days following receipt of the counter notice, unless its designated agent first receives notice from the person who submitted the notification under subsection (c)(1)(C) that such person has filed an action seeking a court order to restrain the subscriber from engaging in infringing activity relating to the material on the service provider's system or network.

I'm about 90% sure that in a fair court, it would be concluded that disabling the reported URL qualifies as disabling access to the material. The court might then issue an injunction to, in the future, disable *all* *possible* access to the material, but that's not the current text of the law. YMMV Nick B

On Sun, Jan 22, 2012 at 11:58 AM, Roland Perry li...@internetpolicyagency.com wrote:

George Bonser gbon...@seven.com writes:

The problem is going to be the thousands of people who have now lost their legitimate files, research data, personal recordings, etc. that they were using Megaupload to share.

But that's an operational risk of using any commercial entity as a filestore. Thousands of people lost[1] a lot of work when fotopic.net collapsed: http://en.wikipedia.org/wiki/Fotopic.net

[1] As it's getting on for a year since an apparent rescue attempt, and nothing has emerged, this seems a reasonable assumption. -- Roland Perry
Re: VZ FiOS DNS issues:
Try a full rebind on your cpe or power cycle, whichever is easier. This seems to have worked for a few on the forums.

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

James Laszko jam...@mythostech.com wrote:

On Jan 22, 2012, at 8:11 AM, Jamie Bowden ja...@photon.com wrote:

Any Verizon techs around today? I don't know why you can't pass DNS traffic this morning, but it's the second time in as many weeks that it has been an issue, and it's rather annoying (Google is the example, but the exact same failure happens using any destination, on VZ's own or any other public DNS servers; phone support are, of course, useless):

Have a look at: http://forums.verizon.com/t5/FiOS-Internet/DNS-issues-in-SoCal/td-p/393781/page/11

Are you by chance in So Cal? VZ has been having some serious pot holes on their information super highway of late.

Regards,

James Laszko
Mythos Technology Inc

C:\Users\jamie>tracert -d 71.252.0.12

Tracing route to 71.252.0.12 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.2.254
  2     1 ms     1 ms     1 ms  192.168.1.1
  3     8 ms     9 ms    13 ms  96.231.199.1
  4    14 ms     9 ms     9 ms  130.81.183.118
  5     9 ms     9 ms     9 ms  130.81.151.232
  6     9 ms     9 ms     *     130.81.20.19
  7    11 ms     9 ms     9 ms  71.252.0.12

Trace complete.

C:\Users\jamie>nslookup www.google.com 71.252.0.12
Server:  nsrest01.verizon.net
Address:  71.252.0.12

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to nsrest01.verizon.net timed-out

C:\Users\jamie>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1     1 ms     1 ms     1 ms  192.168.2.254
  2     1 ms     1 ms     1 ms  192.168.1.1
  3     7 ms     8 ms     9 ms  96.231.199.1
  4     8 ms     9 ms     8 ms  130.81.183.118
  5     9 ms    28 ms    10 ms  130.81.22.56
  6     8 ms     9 ms     9 ms  152.63.36.237
  7    20 ms    19 ms    19 ms  152.63.0.153
  8    21 ms    18 ms    18 ms  152.63.21.73
  9    41 ms    47 ms    49 ms  152.179.72.66
 10    17 ms    18 ms    19 ms  209.85.255.68
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13    22 ms    19 ms    19 ms  72.14.236.200
 14    20 ms    31 ms    18 ms  216.239.49.145
 15    18 ms    19 ms    19 ms  8.8.8.8

Trace complete.

C:\Users\jamie>nslookup www.google.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to google-public-dns-a.google.com timed-out

C:\Users\jamie>
Re: Inaccessible network from Verizon, accessible elsewhere.
I believe 130.81 is blocked. Traceroute to your gateway address.

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

NetSecGuy netsec...@gmail.com wrote:

I should have included reverse traces to begin with. No firewall on VPS.

Trace from the VPS to a router close to me.

traceroute to 130.81.199.4 (130.81.199.4), 64 hops max, 40 byte packets
 1  106.187.33.2 (106.187.33.2)  1 ms  0 ms  0 ms
 2  124.215.199.121 (124.215.199.121)  6 ms  1 ms  13 ms
 3  59.128.4.121 (59.128.4.121)  2 ms otejbb204.kddnet.ad.jp (124.215.194.177)  2 ms  2 ms
 4  lajbb001.kddnet.ad.jp (203.181.100.14)  126 ms  100 ms lajbb002.kddnet.ad.jp (203.181.100.22)  162 ms
 5  ix-la1.kddnet.ad.jp (59.128.2.70)  108 ms ix-la1.kddnet.ad.jp (59.128.2.178)  102 ms  102 ms
 6  lap-brdr-03.inet.qwest.net (63.146.26.69)  99 ms  101 ms  99 ms
 7  63.146.26.210 (63.146.26.210)  99 ms  101 ms  99 ms
 8  0.ae3.XL3.LAX15.ALTER.NET (152.63.113.186)  102 ms  102 ms  101 ms
 9  * * *
10  * * *

Trace from the VPS to a router close to my other location, not Verizon.

traceroute to 4.59.244.49 (4.59.244.49), 64 hops max, 40 byte packets
 1  106.187.33.2 (106.187.33.2)  1 ms  1 ms  1 ms
 2  124.215.199.121 (124.215.199.121)  9 ms  1 ms  1 ms
 3  59.128.4.121 (59.128.4.121)  2 ms otejbb204.kddnet.ad.jp (124.215.194.177)  9 ms 59.128.4.121 (59.128.4.121)  2 ms
 4  lajbb001.kddnet.ad.jp (203.181.100.18)  108 ms lajbb002.kddnet.ad.jp (203.181.100.22)  101 ms  101 ms
 5  ix-la2.kddnet.ad.jp (59.128.2.102)  116 ms  116 ms ix-la2.kddnet.ad.jp (59.128.2.186)  125 ms
 6  xe-11-3-0.edge2.LosAngeles9.Level3.net (4.53.228.13)  111 ms  101 ms  101 ms
 7  vlan70.csw2.LosAngeles1.Level3.net (4.69.144.126)  110 ms vlan90.csw4.LosAngeles1.Level3.net (4.69.144.254)  108 ms vlan60.csw1.LosAngeles1.Level3.net (4.69.144.62)  103 ms
 8  ae-63-63.ebr3.LosAngeles1.Level3.net (4.69.137.33)  110 ms  117 ms ae-73-73.ebr3.LosAngeles1.Level3.net (4.69.137.37)  108 ms
 9  ae-4-4.ebr4.Washington1.Level3.net (4.69.132.82)  178 ms  180 ms  166 ms
10  ae-64-64.csw1.Washington1.Level3.net (4.69.134.178)  174 ms  166 ms  166 ms
11  ae-62-62.ebr2.Washington1.Level3.net (4.69.134.145)  172 ms  165 ms  172 ms
12  ae-8-8.car2.Baltimore1.Level3.net (4.69.134.106)  181 ms  174 ms  174 ms
13  ae-11-11.car1.Baltimore1.Level3.net (4.69.134.109)  181 ms  *  174 ms
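Nick's "traceroute to your gateway address" and the reverse traces above are the usual way a thread like this narrows a reachability problem down to one network: for each direction, find the last hop that answered and how many hops after it went dark, then compare. What follows is an added example, not code posted by anyone in this thread: a small parser for both the Windows tracert and the Unix traceroute formats quoted here, with a routine that reports the last responding hop and the silent hops after it. The two sample traces embedded in it are copied from the messages in this thread and serve only as parser input.

```python
"""Extract the facts that matter from pasted tracert/traceroute output.

Added example for this thread, not code posted by anyone in it. The two
sample traces at the bottom are copied from the messages above and are
used only as parser input.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")      # hop lines start with the hop number
RTT_RE = re.compile(r"(\d+(?:\.\d+)?)\s*ms")    # "9 ms", "102 ms", also the "1 ms" inside "<1 ms"
IP_RE = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])")  # [a.b.c.d], (a.b.c.d) or bare


@dataclass
class Hop:
    number: int
    addresses: List[str] = field(default_factory=list)  # deduplicated, in order seen
    rtts_ms: List[float] = field(default_factory=list)
    timeouts: int = 0                                   # probes that came back as "*"

    @property
    def responded(self) -> bool:
        return bool(self.rtts_ms)


def parse_trace(text: str) -> List[Hop]:
    """Parse Windows tracert or Unix traceroute output; other lines are skipped."""
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # banner, prompt, "Trace complete.", blank line
        hop = Hop(int(m.group(1)))
        rest = m.group(2)
        hop.rtts_ms = [float(x) for x in RTT_RE.findall(rest)]
        hop.timeouts = rest.count("*")
        for ip in IP_RE.findall(rest):
            if ip not in hop.addresses:  # load-balanced hops list several routers
                hop.addresses.append(ip)
        hops.append(hop)
    return hops


@dataclass
class Verdict:
    reached: bool                   # the target itself answered
    last_responding: Optional[Hop]  # last hop that answered at all
    trailing_timeouts: int          # silent hops after it


def analyse(hops: List[Hop], target: str) -> Verdict:
    """Find where a trace dies: the point a thread like this escalates on."""
    answered = [h for h in hops if h.responded]
    last = answered[-1] if answered else None
    reached = last is not None and target in last.addresses
    trailing = 0
    for h in reversed(hops):
        if h.responded:
            break
        trailing += 1
    return Verdict(reached, last, trailing)


def describe(hops: List[Hop], target: str) -> str:
    v = analyse(hops, target)
    if v.reached:
        return f"{target} reached in {v.last_responding.number} hops"
    if v.last_responding is None:
        return f"{target}: no hop answered"
    return (f"{target}: last answer from hop {v.last_responding.number} "
            f"({', '.join(v.last_responding.addresses)}); "
            f"{v.trailing_timeouts} silent hop(s) after it")


# Sample input copied from the thread: Jamie's tracert -d to a Verizon resolver (Windows format).
WINDOWS_TRACE = """\
Tracing route to 71.252.0.12 over a maximum of 30 hops
  1     1 ms     1 ms     1 ms  192.168.2.254
  2     1 ms     1 ms     1 ms  192.168.1.1
  3     8 ms     9 ms    13 ms  96.231.199.1
  4    14 ms     9 ms     9 ms  130.81.183.118
  5     9 ms     9 ms     9 ms  130.81.151.232
  6     9 ms     9 ms     *     130.81.20.19
  7    11 ms     9 ms     9 ms  71.252.0.12
Trace complete.
"""

# Sample input copied from the thread: NetSecGuy's reverse trace from the VPS (Unix format).
UNIX_TRACE = """\
traceroute to 130.81.199.4 (130.81.199.4), 64 hops max, 40 byte packets
 1  106.187.33.2 (106.187.33.2)  1 ms  0 ms  0 ms
 2  124.215.199.121 (124.215.199.121)  6 ms  1 ms  13 ms
 3  59.128.4.121 (59.128.4.121)  2 ms otejbb204.kddnet.ad.jp (124.215.194.177)  2 ms  2 ms
 4  lajbb001.kddnet.ad.jp (203.181.100.14)  126 ms  100 ms lajbb002.kddnet.ad.jp (203.181.100.22)  162 ms
 5  ix-la1.kddnet.ad.jp (59.128.2.70)  108 ms ix-la1.kddnet.ad.jp (59.128.2.178)  102 ms  102 ms
 6  lap-brdr-03.inet.qwest.net (63.146.26.69)  99 ms  101 ms  99 ms
 7  63.146.26.210 (63.146.26.210)  99 ms  101 ms  99 ms
 8  0.ae3.XL3.LAX15.ALTER.NET (152.63.113.186)  102 ms  102 ms  101 ms
 9  * * *
10  * * *
"""

if __name__ == "__main__":
    print(describe(parse_trace(WINDOWS_TRACE), "71.252.0.12"))
    print(describe(parse_trace(UNIX_TRACE), "130.81.199.4"))
```

Run against the reverse trace it reports the last answer coming from the ALTER.NET router at hop 8 with two silent hops after it, which is the same observation Nick makes from the forward traces: the path stops answering once it enters Verizon's side. The parser only keys on the hop number at the start of a line, so prompts, banners and the nslookup noise pasted around a trace are ignored without any pre-cleaning.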
RE: Inaccessible network from Verizon, accessible elsewhere.
I hope it's not an outdated martian problem firewall or route filter. For the traceroute from linode to FiOS, traceroute to the FiOS gateway address.

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

Network IP Dog network.ip...@gmail.com wrote:

From 90701 - Artesia, CA. FIOS No Go here too!!!

C:\WINDOWS\system32>tracert 106.187.34.1

Tracing route to gw-li377.linode.com [106.187.34.1] over a maximum of 30 hops:

  1    22 ms    34 ms     1 ms  Tomato [192.168.100.1]
  2    49 ms     1 ms     1 ms  Verizon [192.168.1.1]
  3    36 ms     6 ms     6 ms  L100.LSANCA-VFTTP-114.verizon-gni.net [173.58.211.1]
  4    24 ms     9 ms     9 ms  G0-9-1-4.LSANCA-LCR-21.verizon-gni.net [130.81.185.72]
  5    24 ms     9 ms     8 ms  so-4-1-0-0.LAX01-BB-RTR1.verizon-gni.net [130.81.151.246]
  6    24 ms     9 ms     8 ms  0.ae1.BR3.LAX15.ALTER.NET [152.63.2.129]
  7    38 ms     8 ms     8 ms  ae6.edge1.LosAngeles9.level3.net [4.68.62.169]
  8    25 ms    10 ms    10 ms  63.146.26.70
  9    24 ms     9 ms     8 ms  lajbb001.kddnet.ad.jp [59.128.2.173]
 10    24 ms     9 ms     8 ms  lajbb001.kddnet.ad.jp [59.128.2.181]
 11   140 ms   110 ms   108 ms  otejbb203.kddnet.ad.jp [203.181.100.9]
 12   140 ms   124 ms   111 ms  cm-fcu203.kddnet.ad.jp [124.215.194.164]
 13     *        *        *     Request timed out.
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *        *     Request timed out.
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request timed out.
 24     *     ^C

C:\WINDOWS\system32>tracert 106.187.34.33

Tracing route to li377-33.members.linode.com [106.187.34.33] over a maximum of 30 hops:

  1    22 ms     1 ms     1 ms  Tomato [192.168.100.1]
  2    31 ms     1 ms     1 ms  Verizon [192.168.1.1]
  3    51 ms    10 ms    11 ms  L100.LSANCA-VFTTP-114.verizon-gni.net [173.58.211.1]
  4    42 ms     9 ms    33 ms  G0-9-1-4.LSANCA-LCR-21.verizon-gni.net [130.81.185.72]
  5    40 ms    15 ms     9 ms  so-4-1-0-0.LAX01-BB-RTR1.verizon-gni.net [130.81.151.246]
  6    31 ms     8 ms     8 ms  0.ae1.BR3.LAX15.ALTER.NET [152.63.2.129]
  7    61 ms    10 ms    16 ms  lap-brdr-03.inet.qwest.net [63.146.26.209]
  8    31 ms    10 ms    10 ms  63.146.26.70
  9    31 ms     9 ms     9 ms  lajbb001.kddnet.ad.jp [59.128.2.173]
 10    31 ms     9 ms     8 ms  lajbb001.kddnet.ad.jp [59.128.2.181]
 11   125 ms   118 ms   109 ms  otejbb203.kddnet.ad.jp [203.181.100.9]
 12   156 ms   111 ms   143 ms  124.215.199.122
 13   126 ms   112 ms   137 ms  124.215.199.122
 14     *        *        *     Request timed out.
 15     *        *        *     Request timed out.
 16     *        *        *     Request timed out.
 17     *        *     ^C

C:\WINDOWS\system32>

E = 4:32 Cheers!!!

-----Original Message-----
From: Lee [mailto:ler...@gmail.com]
Sent: Sunday, December 11, 2011 6:44 AM
To: NetSecGuy
Cc: nanog@nanog.org
Subject: Re: Inaccessible network from Verizon, accessible elsewhere.

On 12/10/11, NetSecGuy netsec...@gmail.com wrote:

I have a Linode VPS in Japan that I can't access from Verizon FIOS, but can access from other locations. I'm not sure who to blame. I can't get to 106.187.34.33 or 106.187.34.1 using Verizon FIOS

C:\>tracert 106.187.34.33

Tracing route to li377-33.members.linode.com [106.187.34.33] over a maximum of 30 hops:

[.. snip ..]
  5    23 ms     4 ms     4 ms  so-14-0-0-0.RES-BB-RTR2.verizon-gni.net [130.81.22.56]
  6    73 ms     6 ms     7 ms  0.ae2.BR2.IAD8.ALTER.NET [152.63.34.73]
  7     8 ms     6 ms     7 ms  dcp-brdr-03.inet.qwest.net [63.146.26.105]
  8     8 ms     9 ms     9 ms  sl-crs1-dc-0-1-0-0.sprintlink.net [144.232.19.229]
  9    28 ms    26 ms    44 ms  sl-crs1-dc-0-5-3-0.sprintlink.net [144.232.24.37]
 10   177 ms   176 ms   177 ms  lajbb001.kddnet.ad.jp [59.128.2.173]
 11    43 ms    41 ms    42 ms  sl-crs1-oma-0-9-2-0.sprintlink.net [144.232.2.177]
 12   291 ms     *      301 ms  cm-fcu203.kddnet.ad.jp [124.215.194.164]
 13   286 ms   279 ms   282 ms  124.215.199.122
 14    81 ms    81 ms    82 ms  sl-crs1-sj-0-5-3-0.sprintlink.net [144.232.20.99]
 15    88 ms    86 ms    87 ms  sl-st20-pa-9-0-0.sprintlink.net [144.232.8.108]
 16   405 ms   406 ms   399 ms  144.223.243.126
 17   364 ms   386 ms   406 ms  pajbb001.kddnet.ad.jp [111.87.3.41]
 18     *        *        *     Request timed out.
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *     ^C

C:\>tracert 106.187.34.1

Tracing route to gw-li377.linode.com [106.187.34.1] over a maximum of 30 hops:

[.. snip ..]
  5     5 ms    24 ms    24 ms  so-3-1-0-0.RES-BB-RTR2.verizon-gni.net [130.81.151.232]
  6     7 ms     7 ms     7 ms  0.ae2.BR2.IAD8.ALTER.NET [152.63.34.73]
  7     8 ms     7 ms     7 ms  dcp-brdr-03.inet.qwest.net [63.146.26.105]
  8    84 ms    84 ms    84 ms  lap-brdr-03.inet.qwest.net [67.14.22.78]
  9   171 ms   174 ms   176 ms  63.146.26.70
 10   178 ms   177 ms   177 ms  lajbb001.kddnet.ad.jp [59.128.2.173]
 11   283 ms   284 ms   284 ms  otejbb203.kddnet.ad.jp [203.181.100.9]
 12   289 ms   287 ms   287 ms  cm-fcu203.kddnet.ad.jp [124.215.194.164]
 13     *        *        *     Request timed out.
 14    83 ms    81 ms    82 ms  sl-crs1-sj-0-12-0-1.sprintlink.net [144.232.9.224]
 15     *        *        *     Request timed out.
 16   403 ms   407 ms   404 ms  144.223.243.126
 17     *        *        *     Request timed out.
 18   501 ms   499 ms   501 ms  otejbb203.kddnet.ad.jp.100.181.203.in-addr.arpa [203.181.100.137]
 19     *        *        *     Request timed out.
 20     *        *        *     Request timed out.
 21     *        *        *     Request timed out.
 22     *        *        *     Request timed out.
 23     *        *        *     Request