RE: YouTube Video Streaming

2012-05-18 Thread Leigh Porter

> I would like to get some input for the following problem we face with
> YouTube video streaming.
> We are an ISP in Singapore and peer with Google at Equinix and SOX
> (Singapore Open Exchange), For about 2 weeks we have been facing choppy
> streaming or continuous buffering on various YouTube videos. These
> problem videos are streamed at HD or original quality.
> Our troubleshooting narrow down to those bad videos being streamed to
> us from outside Singapore. We contacted Google support, they are
> confused too, as why we are served from a cache server in Poland on one
> of the videos. The case has been escalated within Google, unfortunately
> no update from them since.
> 
> Not all YouTube videos are bad through us, some 45 minutes videos can
> fully buffered within seconds on HD or original quality, of course the
> IP we streamed for these videos are through our local peering with
> Google.

I have seen similar issues, some videos work fine but others seem to stop after 
either a few minutes or half way through. The same behaviour is seen on various 
computers, the same video stops at the same place.

I didn't have time and could not be bothered to look into it at the time and 
kind of put it down to one of those things that will be fixed later. 

So I'd be really interested in what the outcome is!

--
Leigh Porter


__
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
__



RE: CDNs should pay eyeball networks, too.

2012-05-02 Thread Leigh Porter

> I (in the UK) had the same letter from LLNW yesterday, word for word.

Me too.

> However I must say that the wording of their letter is appalling

Agreed.
 
> I am glad they are spending ton of money to upgrade their
> infrastructure.. but so am I.

Slightly odd though that they are upgrading their network and then de-peering 
everybody who takes < 1Gb/s from them.
I don't quite understand why a content DELIVERY network would want to do this.

I'm not sure whose content they deliver but this does not seem like a 
particularly great way to go about delivering it. 

There was a network who commented earlier in the thread that they do 600Mb/s 
with them, that's not an insignificant level of traffic really, especially 
coming from a single CDN. I wonder if this is not some slightly mis-informed exec 
at LLNW who thought they found a great way to extract more money to deliver 
content that they have already been paid to deliver.

--
Leigh





Re: Operation Ghost Click

2012-04-26 Thread Leigh Porter

On 26 Apr 2012, at 22:47, "Andrew Latham" <lath...@gmail.com> wrote:

> On Thu, Apr 26, 2012 at 5:38 PM, Jeroen van Aart <jer...@mompl.net> wrote:
>
> Yes it's a major problem for the users unknowingly infected.  To them
> it will look like their Internet connection is down.  Expect ISPs to
> field lots of support s

Is there a list of these temporary servers so I can see what customers are 
using them (indicating infection) and head off a support call with some contact?

--
Leigh
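
The check asked about above, as an added example that is not part of the original thread: given a list of rogue resolver prefixes, flag customers whose DNS traffic goes to them. The prefixes are RFC 5737 documentation placeholders (the real list is not on this page), and the flow-record format and customer addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# PLACEHOLDER prefixes (RFC 5737 documentation ranges). The real list of
# temporary resolver ranges is not on this page; load it from its publisher.
WATCHED_RESOLVERS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Constructed flow export, one record per line:
# timestamp  customer_ip  destination_ip  protocol  dst_port  packets
SAMPLE_FLOWS = """\
2012-04-26T21:00:01Z 10.20.0.15 192.0.2.53 udp 53 4
2012-04-26T21:00:02Z 10.20.0.15 192.0.2.54 udp 53 2
2012-04-26T21:00:03Z 10.20.0.77 203.0.113.10 udp 53 9
2012-04-26T21:00:04Z 10.20.1.8 198.51.100.20 tcp 53 3
2012-04-26T21:00:05Z 10.20.1.9 198.51.100.200 udp 53 1
2012-04-26T21:00:06Z 10.20.0.77 192.0.2.53 tcp 80 12
garbage line
"""


def parse_flow(line):
    """Parse one flow record; return None for anything malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, proto, dport, packets = parts
    try:
        return {
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
            "packets": int(packets),
        }
    except ValueError:
        return None


def is_watched(addr, watched=WATCHED_RESOLVERS):
    """True when addr falls inside any watched resolver prefix."""
    return any(addr in net for net in watched)


def find_suspect_customers(flow_text, watched=WATCHED_RESOLVERS):
    """Return ({customer_ip: summary}, skipped_line_count).

    Only DNS flows (port 53 over UDP or TCP) count: web traffic to the same
    address does not indicate that the host's resolver settings were changed.
    """
    hits = defaultdict(lambda: {"resolvers": set(), "flows": 0, "packets": 0})
    skipped = 0
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow is None:
            skipped += 1          # keep count so bad exports are noticed
            continue
        if flow["dport"] != 53 or flow["proto"] not in ("udp", "tcp"):
            continue
        if is_watched(flow["dst"], watched):
            entry = hits[str(flow["src"])]
            entry["resolvers"].add(str(flow["dst"]))
            entry["flows"] += 1
            entry["packets"] += flow["packets"]
    return dict(hits), skipped


if __name__ == "__main__":
    suspects, skipped = find_suspect_customers(SAMPLE_FLOWS)
    for customer, info in sorted(suspects.items()):
        print(customer, sorted(info["resolvers"]), info["flows"], info["packets"])
    print("unparsed lines:", skipped)
```
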




Re: Securing OOB

2012-04-23 Thread Leigh Porter

I have Juniper SRX110s that use the magic new multi site IPSec thing. 

-- 
Leigh Porter


On 23 Apr 2012, at 13:43, "Eric"  wrote:

> Hello,
> 
> It seems that the current practice is to use a DSL line, as opposed to a 
> modem, for accessing an OOB console server at a remote colo.  From a 
> security standpoint, what do people generally do - trust the console server, 
> repurpose an old linksys box from my house or put in a full firewall?  
> 
> Eric :)
> 
> 
> 



RE: Communal Dining

2012-04-16 Thread Leigh Porter

Is this going to be like when teenagers advertise their parties on facebook?

> -Original Message-
> From: Ronald Bonica [mailto:rbon...@juniper.net]
> Sent: 16 April 2012 15:09
> To: frbi...@aol.com; Nicholas Hinko; Susan Hinko; jay cuasay; William
> Richey; Will Ress; maria torres; landre...@gmail.com; nanog@nanog.org
> Subject: Communal Dining
> 
> Folks,
> 
> You are all invited to an extremely informal dinner at our house at 6PM
> on Saturday, April 21. Spouses and children are all invited. I will
> bake bread and put on a huge pot of soup. If your kids are picky
> eaters, feel free to bring whatever they will eat.
> 
> Our house is located at:
> 
> 241 West Meadowland Lane
> Sterling, Virginia 20164
> 703 430 8379
> 
> --
> Ron and Nancy Bonica
> vcard:   www.bonica.org/ron/ronbonica.vcf
> 
> 
> 
> 



Re: Cheap Juniper Gear for Lab

2012-04-11 Thread Leigh Porter

On 11 Apr 2012, at 18:36, "Carl Rosevear"  wrote:

> Yeah, I have to apply the term "awful" and "annoying" to the packet
> mode implementation on SRX/J-series. Anyway, I spent *hours* with JTAC
> on the phone trying to get the thing to just pass packets.  Best part
> was, I didn't know how to do it and nor did they!  I escalated, worked
> with many engineers.  My key statement was "I just want my router to
> route.  Make it do what it is supposed to do.  No session tracking!
> This is not a firewall."  So, now it doesn't require valid sessions to
> pass packets but it does still appear to *track* sessions in some
> tables and I am, of course, very curious when some attack vector will
> fill up some table.
> 

I have had some rather odd issues with the SRX boxes but JTAC were pretty good 
at turning around fixes for me for my specific issues.

Since then I have had quite a lot of SRX boxes across the range running various 
MPLS services including MPLS over GRE with fragmentation/reassembly which has 
been working very well. Since 11.1R3 I've had no issues at all with them.

So yeah the new flow mode stuff had its issues, but as a *small* MPLS box it is 
very functional. Of course in MPLS mode, you turn the flow stuff off..


--
Leigh Porter






Re: Cheap Juniper Gear for Lab

2012-04-10 Thread Leigh Porter

On 11 Apr 2012, at 02:34, "Owen DeLong"  wrote:
> 
>> Don't let the "mpls" keyword throw you off.  This actually causes the
>> box to run the inet /and/ mpls address families in packet mode.
>> 
> 
> I'm not unfamiliar or uninitiated in this regard. I had tickets with Juniper
> for over a year and it escalated quite high up their escalation chain before
> they finally admitted "Yeah, Services JunOS is different and it behaves
> differently and if you need to do what you're trying to do, you should buy
> an M or MX series."
> 
> It's quite unfortunate. I'd really like for the SRX series to not be so
> crippled for my purposes.


Do you have an example of this crippledness?

--
Leigh





April fools joke?

2012-04-01 Thread Leigh Porter

http://www.bbc.co.uk/news/uk-politics-17576745

It's sad when you just can't tell with things like this..

-- 
Leigh





Re: Outdoor Wireless Access Point

2012-04-01 Thread Leigh Porter

On 31 Mar 2012, at 23:51, "Network IP Dog" <network.ip...@gmail.com> wrote:

> Hi...How do I do it!
>
> I'm utterly amazed how many people give away free consultant work.
>
> We need to keep people working... not giving it away.
>
> Ethics... Security... etc...
>
> Does the university give away free diplomas?   I don't think so.
>
> Must be another copy & paste e&^%$#?r too!
>
> Google is your friend...  ;^)
>
> Cheers!
>
>
> Ephesians 4:32  &  Cheers!!!

For I was hungry and you gave me nothing to eat, I was thirsty and you gave me 
nothing to drink, 43 I was a stranger and you did not invite me in, I needed 
clothes and you did not clothe me, I was sick and in prison and you did not 
look after me.’ 44 I needed some help building a wireless network and you 
wanted consultancy fees.

I think the day we stop helping each other on this list and start demanding 
consultancy fees will be the day the Internet really did die..

So whilst nobody would document an end to end design for nothing, I think the 
odd snippet of good advice should always be free.

Of course, y'all should google it first because how else are they going to send 
you relevant advertisements!

--
Leigh




RE: OWA blocked by China

2012-03-27 Thread Leigh Porter

Are there any issues with general https there also?

--
Leigh


> -Original Message-
> From: Lyle Giese [mailto:l...@lcrcomputer.net]
> Sent: 27 March 2012 15:39
> To: nanog@nanog.org
> Subject: Re: OWA blocked by China
> 
> On 03/27/12 09:16, Jim Gonzalez wrote:
> > Hello,
> >
> >  One of my customers has workers in China. Their
> > outlook web access is blocked by the China Firewall. I was just
> > wondering if anyone had this issue ? I have not tried any workarounds
> > as of yet just gathering info
> >
> >
> > Thanks in advance
> >
> > Jim Gonzalez
> >
> >
> >
> Common practice in China.  Typically the block comes and goes. Here
> today, gone tomorrow.
> 
> However if the OWA server is on a dynamic IP or you use a dynamic IP
> address service for ip  address resolution, then it will be blocked all
> the time by China.
> 
> It's just the way things are done over there.
> 
> Lyle Giese
> LCR Computer Services, Inc.
> 
> 
> 



RE: $1.5 billion: The cost of cutting London-Tokyo latency by 60ms

2012-03-23 Thread Leigh Porter


> -Original Message-
> From: Vitkovsky, Adam [mailto:avitkov...@emea.att.com]
> Sent: 23 March 2012 12:57
> To: Aled Morris; Eugen Leitl
> Cc: NANOG list
> Subject: RE: $1.5 billion: The cost of cutting London-Tokyo latency by
> 60ms
> 
> That is why there's this neutrinos project It's not faster than the
> speed of light though it can shoot through the Earth and no cables cost
> involved
> 
> So far the speed is 0.1 bit per sec
> 
> Can't wait for the neutrino SFPs :)
> 
> adam
> 


Nooo, we just need Interocitors!

http://en.wikipedia.org/wiki/Interocitor

---
Leigh





RE: Shim6, was: Re: filtering /48 is going to be necessary

2012-03-14 Thread Leigh Porter


> -Original Message-
> From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
> 
> The only reason you got HDMI at all was because the content owners
> managed to get HDCP included.  You won't get a replacement that doesn't
> do HDCP until we fix the sorry state of copyright in the US.
> 
> So it's equivalent to asking if we're going to fix copyright within
> your lifetime... :)


When the revolution comes, all will be fixed.

--
Leigh






Re: shared address space... a reality!

2012-03-13 Thread Leigh Porter

On 14 Mar 2012, at 06:31, "Joel jaeggli"  wrote:

> On 3/13/12 23:22 , Christopher Morrow wrote:
>> NetRange:   100.64.0.0 - 100.127.255.255
>> CIDR:   100.64.0.0/10
>> OriginAS:
>> NetName:SHARED-ADDRESS-SPACE-RFCTBD-IANA-RESERVED
> 
> Already updated my martians acl and deployed it internally...

There's an app for that!

-- 
Leigh





RE: Shim6, was: Re: filtering /48 is going to be necessary

2012-03-12 Thread Leigh Porter

> 
> Grass-roots, bottom-up policy process
> +
> Need for multihoming
> +
> Got tired of waiting
> =
> IPv6 PI
> 
> -r

A perfect summation. Also given that people understand what PI space is and how 
it works and indeed it does pretty much just work for the end users of the 
space.

--
Leigh Porter
UK Broadband





RE: Huawei edge routers..

2012-03-07 Thread Leigh Porter


> -Original Message-
> From: Jay Ashworth [mailto:j...@baylink.com]
> Sent: 07 March 2012 15:28
> To: NANOG
> Subject: Re: Huawei edge routers..
> 
> - Original Message -
> > From: "Saku Ytti" 
> 
> > On (2012-03-07 09:46 -), Tim Franklin wrote:
> > > This does occasionally brighten up my day with gems like "rip no
> > > work" and "reset-recycle-bin", so it's not all bad :)
> >
> > I liked how ssh is secure-telnet, took bit head scratching to enable
> > ssh.
> 
> That is, of course, incorrect; there is actually a "secure telnet";
> ISTR it's telnet-over-ssl?

How do you enable SSH then?

Do Huawei routers even have SSH? It'd be slightly ironic that there is fuss around 
getting a Juniper domestic image with SSH enabled and yet a Chinese vendor 
likely just gives it away.

So having said all that, has anybody here had good experiences of Huawei 
routers? Have they worked well in your networks and are you happy with them? 
I'm mainly looking for something small (1-2U) that will do Ethernet over MPLS, 
VPLS and L3VPN services. 

--
Leigh




Re: Huawei edge routers..

2012-03-07 Thread Leigh Porter

On 7 Mar 2012, at 09:48, "Tim Franklin"  wrote:

>> On the other hand, if you hop into other people's Huawei
>> routers via CLI you will curse and scream. As close as I
>> could tell, it handles most functionality of IOS, but
>> they tried to find a synonym for every word cisco used
>> in the cli.
> 
> This does occasionally brighten up my day with gems like "rip no work" and 
> "reset-recycle-bin", so it's not 

Oh so you have to configure it in chinglish.. Well I'll certainly be looking 
forward to that !

Somebody set up us the BGP.

--
Leigh





L3 VPN Management

2012-03-06 Thread Leigh Porter

Folks,

I have a number of L3 MPLS VPNs. For example, there is the WiFi management VPN
(WiFi management interface). There is the systems VPN where things like RADIUS
servers, Databases talk. There is a VPN for LTE OAM. There are also separate
VPNs for other LTE functions.

All OK.

Then at various sites I have a cluster of ops servers, syslogs, things that go
ping, instances of cacti and our various vendors' management systems. They all
sit behind a firewall.

What's the nicest way of allowing the ops servers to all talk to each VPN
instance? At the moment I just use pretty normal L3VPN techniques so that every
VPN sees routes tagged with the ops VPN target community and so that the ops
VPN sees all the other VPN routes but the division between VPNs is maintained.

Or, would it be nicer to have the firewall have a foot in each VPN, advertise 
routes to ops systems to each VPN instance and receive routes from all the 
other VPNs?

-- 
Leigh
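
A model of the first option described above (every VPN imports the ops route target, the ops VPN imports all the others), as an added example that is not part of the original post: it works out which VRF learns which routes from the import/export route targets and checks that the non-ops VPNs stay isolated from one another. VRF names, route-target values and prefixes are constructed.

```python
import copy
from itertools import permutations

# Constructed VRFs: export RTs, import RTs and locally originated prefixes.
VRFS = {
    "wifi-mgmt": {"export": {"65000:101"},
                  "import": {"65000:101", "65000:900"},
                  "prefixes": {"10.1.0.0/24"}},
    "systems":   {"export": {"65000:102"},
                  "import": {"65000:102", "65000:900"},
                  "prefixes": {"10.2.0.0/24"}},
    "lte-oam":   {"export": {"65000:103"},
                  "import": {"65000:103", "65000:900"},
                  "prefixes": {"10.3.0.0/24"}},
    # The ops VRF exports its own RT and imports every other VPN's RT.
    "ops":       {"export": {"65000:900"},
                  "import": {"65000:900", "65000:101", "65000:102", "65000:103"},
                  "prefixes": {"10.9.0.0/24"}},
}


def routing_table(vrfs, name):
    """Prefixes VRF `name` installs, mapped to the VRF that originated them.

    A route is imported when at least one RT attached on export matches one
    of the importing VRF's import RTs.
    """
    table = {}
    for origin, cfg in vrfs.items():
        if cfg["export"] & vrfs[name]["import"]:
            for prefix in cfg["prefixes"]:
                table[prefix] = origin
    return table


def can_exchange(vrfs, a, b):
    """Two-way traffic needs a route in each direction."""
    return (b in routing_table(vrfs, a).values()
            and a in routing_table(vrfs, b).values())


def isolation_violations(vrfs, shared="ops"):
    """(learner, origin) pairs of non-shared VRFs where a route leaks.

    One-way leaks are reported too: they do not carry return traffic but
    still expose the other VPN's addressing.
    """
    names = [n for n in vrfs if n != shared]
    leaks = [(a, b) for a, b in permutations(names, 2)
             if b in routing_table(vrfs, a).values()]
    return sorted(leaks)


def with_ops_rt_on_export(vrfs, name, ops_rt="65000:900"):
    """Constructed mistake: a customer VRF also exports with the ops RT."""
    broken = copy.deepcopy(vrfs)
    broken[name]["export"].add(ops_rt)
    return broken


# Caveat: this only models route distribution. Ops hosts that forward
# packets, or overlapping prefixes between VPNs, are outside the model.
if __name__ == "__main__":
    print("leaks (intended design):", isolation_violations(VRFS))
    broken = with_ops_rt_on_export(VRFS, "lte-oam")
    print("leaks (ops RT on lte-oam export):", isolation_violations(broken))
```
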





Huawei edge routers..

2012-03-06 Thread Leigh Porter

Hi All,

Has anybody had any experience of Huawei Mobile/Metro edge routers? I'm looking 
for something that will handle various MPLS services (Layer 2/3), QinQ with 
about 10x1Gb Ethernet interfaces (no need for 10G). 

How are they compared to JNPR/CSCO/etc equivalent ?

Thanks,
Leigh Porter
UK Broadband/PCCW






RE: Falling for address collection (Was: Evil Bit and Spread Spectrum IP Addressing - NANOG Source Address Shaping)

2012-03-05 Thread Leigh Porter

I'm sorry but I have failed to understand the grammar of these bizarre posts. 
Is it just me or do they actually make very little sense?

What is perhaps scary is that I know somebody who talks just like that (i.e. 
makes little sense) and I really thought it may be them... It isn't because 
they died last year, but still, who knows..

--
Leigh Porter


> -Original Message-
> From: Jason Hellenthal [mailto:jhellent...@dataix.net]
> Sent: 05 March 2012 03:27
> To: nanog@nanog.org
> Subject: Falling for address collection (Was: Evil Bit and Spread
> Spectrum IP Addressing - NANOG Source Address Shaping)
> 
> 
> Why does everyone keep falling for the same address collector ? ;-)
> 
> -- LoL
> 
> On Sun, Mar 04, 2012 at 10:22:15AM -0600, Guru NANOG wrote:
> > Common Misconception: One additional bit of IPv4 Addressing will
> > solve world hunger
> >
> > The Evil Bit (or spare unused bit) can be used to store (restore) one
> > bit
> >
> > The Left-Most bit of the 32-bit Source Address Field can be SET to
> > Zero no matter what the original value. The Evil bit can be set IFF
> > the Left-Most bit is **changed**.
> >
> > Setting the Left-Most bit to zero **folds** this table in half.
> > http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt
> >
> > Setting the Left-Most bit to ONE would move return traffic to the
> > upper half of the Spectrum which has vast quantities of unused /8s
> >
> > Wide-spread consensus shows that TWO bits can work. Three bits folds
> > the table to 1/8th.
> > Governments want a 4-bit Return Prefix to their Super-Hubs for
> > IPv6-like intercept.
> >
> > The U.S.FCC is expected to issue the regulations on how Spread
> > Spectrum Source Address Shaping will work in their licensed CPE
> > wireless devices. There are 160-bits in the deprecated header so
> > there are many ways to go.
> >
> > One-Way Broadcast IP Addressing is now available. The Source Address
> > Field is used for the second half of the 64-bit Destination Address.
> > The DF (Did
> > Flip) bit near the Evil
> > Bit is used to note the two halves of the Destination Address have
> > been *flipped*.
> > NANOGers simply route 32 and then 32 after the flip based only on the
> > Destination Field.
> > There is no Source Address, only a channel (port).
> >
> > Keywords: WRT DNSMASQ Tomato WIFI Linux CPE
> 
> --
> ;s =;
> 
> 



Re: NANOG Operational TTL Alert for 160-bit Headers (aka IPv4)

2012-03-03 Thread Leigh Porter

He has a point. The IPv4 exhaustion problem was manufactured by the illuminati 
to usher in their IPv6 protocol (note the use of the number 6, the number of 
the beast. Combined with the tuple of source, destination address and protocol 
type this is 666!).

The illuminati want us to deploy IPv6 so they can use it to control people 
ready for the new world order.

It was all predicted by Nostradamus.

Innit.

-- 
Leigh Porter


On 3 Mar 2012, at 23:27, "Robert Glover"  wrote:

> Someone get this man a Xanax!
> 
> -Original message-
> From: Guru NANOG 
> To: nanog 
> Sent: 2012 Mar, Sun, 4 00:01:04 GMT+00:00
> Subject: NANOG Operational TTL Alert for 160-bit Headers (aka IPv4)
> 
> Common Misconception - IPv4 is Out of Address Space
> 
> NANOG Operational TTL Alert for 160-bit Headers (aka IPv4)
> 
> The 8-bit TTL field is reduced to 4-bits plus two 11 bits stuck at 1
> for a long time
> 
> The new 8-bit fields are: SD11
> 
> Packets without the 11 will enter Deep Packet Inspection processing (slow)
> 
> SD are new Source and Destination Address bits set via the generic
>  128-bit records
> 
> 4+8+12+30+6 = 60 + 68 = 128
> 
> VRHL+111.T1.000+Port12+30+Frag6
> 
> T1 sets the TTL bits - Use T0 at your own risk - VRHL=0101=5
> 
> NANOG.GURU.☺
> 
> 


RE: Reliable Cloud host ?

2012-02-27 Thread Leigh Porter

> -Original Message-
> From: Tony Patti [mailto:t...@swalter.com]
> Sent: 27 February 2012 02:42
> To: 'david raistrick'; 'Randy Carpenter'
> Cc: 'Nanog'
> Subject: RE: Reliable Cloud host ?
> 
> > -Original Message-
> > From: david raistrick [mailto:dr...@icantclick.org]
> > Sent: Sunday, February 26, 2012 7:19 PM
> > To: Randy Carpenter
> > Cc: Nanog
> > Subject: Re: Reliable Cloud host ?
> >
> > On Sun, 26 Feb 2012, Randy Carpenter wrote:
> >
> > > I don't need that kind of HA, and understand that it is not going
> > > to be available. 15 minutes of downtime is fine. 6 hours is completely
> > > unacceptable, and it is false advertising to say you have a "Cloud"
> > > service, and then have the realization that you could have
> > > *indefinite* downtime.
> >
> > Um.  You and I apparently work in different clouds.
> 
> Since it is the weekend, I can't resist writing down a little equation:
> 
> Marketing(cloud) <> Technology(cloud)
> 
> For some values  of "cloud" perhaps?

Well indeed that is a valid point. All cloud to me means is that there is some 
abstracted instance of x and that it does not always relate to a particular 
physical device, indeed, it may well be spread around a few physical devices. 

I don't think there is any implied magic redundancy automatic failover move 
your instance to another bit of metal if something breaks in there unless 
that's specifically stated.

caveat emptor

--
Leigh





RE: HP A6600 experiences

2012-02-24 Thread Leigh Porter

I thought the A6604 was EOL?

http://h17007.www1.hp.com/docs/products/eos/Select_HP_A6600_Routers_and_Modules_ES_Announcement.pdf


--
Leigh


> -Original Message-
> From: Christopher Pilkington [mailto:c...@0x1.net]
> Sent: 24 February 2012 19:05
> To: NANOG mailing list
> Subject: HP A6600 experiences
> 
> If anyone has any experiences they'd be willing to share, or even lab
> reports, on HP A6600, it would be helpful.  I believe this is the same
> product as H3C SR6600.
> 
> We're being asked to "look at" A6604 facing our IPv4/IPv6 transit.  I'd
> like to get some opinions before I go through effort of getting one in
> the lab.
> 
> -cjp
> 



Re: Most energy efficient (home) setup

2012-02-22 Thread Leigh Porter

On 22 Feb 2012, at 22:40, "Jeroen van Aart"  wrote:

> Leigh Porter wrote:
>> You dudes need to get with the times and put all this stuff in the cloud.
>> Ok so I joke a little.. 
> 
> The "cloud" seems to be a more modern implementation of the mainframe 
> "paradigm" (and now I feel soiled having used 2 such words in one sentence). 
> It has its uses, though it's interesting to see how things go full circle. I 
> predict a move away from "the cloud" in about a decade, give or take.

Or sooner when people realise that anything not locked away on a box at home 
is being routinely nosed at for thought crime and illegal quotations or 
something or other..



> I do have a few virtual private servers (and use them) and have set up a few 
> VPS serving servers myself. However it's fun to tinker with hardware and if 
> I'd migrate as much as possible to VPS systems it'd take a big chunk of the 
> fun out of it.

Yeah it does, I wish I had time for the fun of it! 

--
Leigh





Re: Most energy efficient (home) setup

2012-02-22 Thread Leigh Porter

On 22 Feb 2012, at 22:04, "Stefan Bethke"  wrote:

> On 22.02.2012 at 22:48, Joe Greco wrote:
> 
>> You also don't have to
>> buy a MMS; the lower end Mac mini's are also plenty powerful, can be
>> upgraded similarly, but lack OS X Server and the quad core CPU.
> 
> With 10.7, Server is now a $50 add-on download from the Mac App Store, no 
> special hardware required.
> 

You dudes need to get with the times and put all this stuff in the cloud.

Ok so I joke a little.. But I did move a load of stuff from a couple of home 
servers to some VMs and it works fine. Less to mess around with and prob 
cheaper too. 

The only thing I keep at home now is storage.

--
Leigh Porter





RE: Customer Notification System.

2012-02-22 Thread Leigh Porter


> -Original Message-
> From: Rich Kulawiec [mailto:r...@gsp.org]
> Sent: 22 February 2012 11:04
> To: nanog@nanog.org
> Subject: Re: Customer Notification System.
> 
> On Tue, Feb 21, 2012 at 05:58:19PM -0500, James Wininger wrote:
> > We would need to send notifications out to say about 400 customers.
> > Ideally the system would send an attached PDF. It would be great if
> > this system were SQL based etc.
> 
> (a) Use ASCII.  Using PDF for this is insane.
> 
> (b) You're dealing with only 400 customers, yet you want the overhead
> and complexity of a SQL-capable database?  Do you also engage a fleet
> of bulldozers when you want to plant a flower in the back yard?
> 
> > I have thought of possibly using a
> > mailing list type approach, but that gets us back to (almost) where
> > we are today.
> 
> Precisely what is wrong with a "mailing list type approach", using
> Mailman (which is the best available and what runs this list)?  It
> handles COI (mandatory for responsible and ethical operation of all
> mailing lists), it runs on all varieties of 'nix, it plays nice with
> MTAs, it deals with most bounces in a sane fashion, etc.

Yeah please don't use PDF. There is nothing more annoying than getting an email 
about something important that had a PDF attachment to tell you about the 
important things. Lowest common denominator!

I used to use mailman for this, but we had a CRM system as well which was 
database driven. So I wrote a script to grab the right email addresses from the 
database every night and populate mailman. 

--
Leigh







Re: WW: Colo Vending Machine

2012-02-18 Thread Leigh Porter

On 18 Feb 2012, at 01:46, "Owen DeLong"  wrote:

> I have, on occasion been away from my laptop and gotten the call to go to the 
> colo and deal with XYZ hardware problem and the colo was either: A in the 
> opposite or orthogonal direction from  my house and significantly closer or B 
> the colo was between my present location.
> 
> In such cases, I will occasionally stop by the colo without going home to 
> retrieve the laptop. 90% of the time it works out OK. 10% of the time I end 
> up leaving the colo, going home, retrieving the laptop and returning to the 
> colo. Obviously, if there was a loaner laptop available for a $15 rental in 
> the colo as described, it would probably be worth $15 to me and/or my 
> organization to avoid the delay and bother of the round-trip between colo and 
> home.
> 
> Owen
> 


Yeah done that a few times.. Now all our colo sites have a kit with laptop 
(that boots win 7,  XP and Linux) serial USB things, USB ethernet things and 
that has a DVD/cd burner and a stock of blanks and a 3G dongle thing.

I.e. everything I have ever had to go home/office/nearest-shop for..

So now when our guys go to colo, they can usually take anything and have most  
things they need there already.

Now we need to nail them down so people DON'T BRING THEM BACK TO THE OFFICE.

--
Leigh





Re: Colo Vending Machine

2012-02-17 Thread Leigh Porter

On 17 Feb 2012, at 20:18, "Randy Bush"  wrote:

> i just want to pay a compliment to the fibercloud colo in the seattle
> westin.  there are crash carts, a tool-chest, rack screws, other screws,
> garbage cans, ...  and, if you are polite, they'll loan you usbs, blank
> cds, ...  and, as remote hands, they are smarter than i.  oops, maybe
> that's not a compliment.
> 
> randy

There used to be a guy called Mike at telecity NY (25 Broadway) who was just 
fantastic. With Mike and the radio shack next door there was not much that 
could not be fixed.

Mike, wherever you are now, kudos!

--
Leigh





Re: WW: Colo Vending Machine

2012-02-17 Thread Leigh Porter

On 17 Feb 2012, at 20:10, "Peter Kristolaitis"  wrote:

> On 12-02-17 03:05 PM, Leigh Porter wrote:
>> Did anybody say beer yet?
>> 
> 
> Don't forget the 30lb sledgehammer for those times when, ah, "percussive 
> maintenance" is the only possible solution.  ;)
> 
> (Might be a bit hard to fit into a vending machine though... maybe the colo 
> staff could just rent one out...)
> 
> - Pete
> 

Ahh yes, I recently used a universal adjuster to assist with some installation 
issues..

Another handy item would be little packets of pixie dust for when things just 
don't work,,

--
Leigh





Re: WW: Colo Vending Machine

2012-02-17 Thread Leigh Porter

Did anybody say beer yet?

-- 
Leigh


On 17 Feb 2012, at 18:37, "Jay Ashworth"  wrote:

> Please post your top 3 favorite components/parts you'd like to see in a
> vending machine at your colo; please be as specific as possible; don't 
> let vendor specificity scare you off.
> 
> Cheers,
> -- jra
> -- 
> Jay R. Ashworth  Baylink   
> j...@baylink.com
> Designer The Things I Think   RFC 2100
> Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
> St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274
> 
> 



Re: WW: Colo Vending Machine

2012-02-17 Thread Leigh Porter

On 17 Feb 2012, at 18:37, "Jay Ashworth"  wrote:

> Please post your top 3 favorite components/parts you'd like to see in a
> vending machine at your colo; please be as specific as possible; don't 
> let vendor specificity scare you off.

Pizza, condoms and headache tablets.

-- 
Leigh






Re: Spam from Telx

2012-02-17 Thread Leigh Porter
No he didn't. The one he sent to me actually included part of the thread he 
picked me up from.

I told him the most exciting thing he could do is to not spam me again.

Poor guy, did nobody tell him?

-- 
Leigh Porter


On 17 Feb 2012, at 15:11, "Justin M. Streiner"  wrote:

> On Fri, 17 Feb 2012, Suresh Ramasubramanian wrote:
> 
>> In other words he bought a list of leads.
> 
> Possibly, albeit a poorly screened list of leads.
> 
> jms
> 
>> On Fri, Feb 17, 2012 at 8:24 PM, Justin M. Streiner
>>  wrote:
>>> I did respond directly to him, and got a somewhat indignant response back,
>>> stating that he had no idea what I was talking about and that my contact
>>> information had come from an "opt in email broker".  It's going to be one of
>>> those days
>> 
>> 
>> 
>> -- 
>> Suresh Ramasubramanian (ops.li...@gmail.com)
>> 



Re: Common operational misconceptions

2012-02-16 Thread Leigh Porter

On 15 Feb 2012, at 20:50, "John Kristoff"  wrote:

> Hi friends,
> 
> As some of you may know, I occasionally teach networking to college
> students and I frequently encounter misconceptions about some aspect
> of networking that can take a fair amount of effort to correct.
> 
> For instance, a topic that has come up on this list before is how the
> inappropriate use of classful terminology is rampant among students,
> books and often other teachers.  Furthermore, the terminology isn't even
> always used correctly in the original context of classful addressing.

When I took an A level computing course in the 90s the course material still 
talked about primary store and backing store, batch jobs and the like...

Needless to say I quit in disgust but the point is that the people who write 
these courses are often woefully out of touch.

--
Leigh





RE: Sonicwall 3500/netflow

2012-02-14 Thread Leigh Porter


> -Original Message-
> From: Brandon Kim [mailto:brandon@brandontek.com]
> Sent: 14 February 2012 15:51
> To: bl...@pfankuch.me; j...@miscreant.org; j...@baylink.com
> Cc: nanog group
> Subject: RE: Sonicwall 3500/netflow
> 
> 
> I've been using 5.8 with no problems thus far. As for the CLI, yes it
> is CLUNKY.
> 
> But they are completely revamping it, it will be very similar to Cisco
> in the near future...

Why do people like to base their CLIs on the really rather awful Cisco style 
interface rather than something with some more structure like Juniper?


--
Leigh Porter







RE: 10G switchrecommendaton

2012-02-09 Thread Leigh Porter


> -Original Message-
> From: Brent Jones [mailto:br...@brentrjones.com]
> Sent: 27 January 2012 06:33
> To: Rodrick Brown
> Cc: nanog list
> Subject: Re: 10G switchrecommendaton
> 
> On Thu, Jan 26, 2012 at 8:40 PM, Rodrick Brown
> wrote:
> 
> > Not to mention Arista's cli runs a busybox Linux inside!
> >
> > Sent from my iPhone
> >
> >
> >
> Last I checked, Arista used Fedora Linux, with x86 dual-core CPUs and 4GB
> RAM.
> Their CLI was written in Python or Perl as well, and they encourage hacking
> it for cool new things.

Based on this thread I had Arista in today for a show'n'tell and it is pretty 
impressive both in terms of features (features that you actually use) and 
pricing.

So a couple of evals on the way...

--
Leigh








RE: Firewalls in service provider environments

2012-02-07 Thread Leigh Porter


> -Original Message-
> From: Matthew Reath [mailto:m...@mattreath.com]
> Sent: 07 February 2012 21:34
> To: nanog@nanog.org
> Subject: Firewalls in service provider environments
> 
> All,
> 
> Looking for some recommendations on firewall placement in service provider
> environments.  I'm of the school of thought that in my SP network I do as
> little firewalling/packet filtering as possible. As in none, 

I had a vendor actually suggest that ALL my customer traffic should 
traverse a firewall. I asked why and they said "Ahhh it the internet, must have 
firewall". I suppose this must have been a great firewall.

So yes I would agree with you, firewall nothing for your customers unless they 
are paying you for a specific service. Filtering known bad ports, well, what's 
a known bad port? Bad for one person may be quite important for another. Whilst 
filtering port 25 outbound may help prevent some bots from emanating spam, it 
certainly does a lot to annoy other people.

--
Leigh Porter





RE: Optimal IPv6 router

2012-02-06 Thread Leigh Porter
> >> With IPv6 growing, if we were to design a native IPv6 router, with
> >> IPv4 functionality thrown in, then is it possible to design a more
> >> optimal IPv6 router, than what exists today?
> >
> > OK, I'll bite.  What would qualify as a "native IPv6" router?  Is this
> > another concept as silly as "hardware vs software based" routers?
> 
> Join them and create a router where IPv6 is ASIC-forwarded and IPv4
> gets to use a CPU. Market perspectives for such a product are very
> shy, but would fit the description.

And where half the useful features just don't support IPv6.

Make it support draft-ietf-mpls-ldp-ipv6 and we're away :)

--
Leigh Porter





Re: Thanks & Let's Prevent this in the Future.

2012-02-01 Thread Leigh Porter

On 1 Feb 2012, at 09:01, "Kelvin Williams"  wrote:

> 
> A few months ago, when establishing a new peering relationship I was
> encouraged (actually required) to utilize one of the IRRs.  I took the time
> to register all of my routes, ASNs, etc.  However, as I learned today, this
> was probably done in vain.  Too many people won't spend the extra
> 30-seconds to verify the information listed there or in ARINs WHOIS.

It's amazing isn't it. It isn't only fraud and maliciousness that this 
prevents. 

A number of times I have been asked to advertise space or open filters for 
space based on typos and people not understanding address notation and CIDR. So 
it's worth doing if only to prevent this.

-- 
Leigh
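
The check discussed in this message and the one it quotes, as an added example that is not part of the thread: normalise a requested prefix, then compare it with registered route objects before opening a filter. The RPSL records, the documentation-range prefixes and ASNs, the length limits and the names `parse_route_objects` and `check_request` are all constructed for illustration.

```python
import ipaddress

# Constructed RPSL route objects, shaped like the output of an IRR whois query.
# Prefixes and ASNs are from the documentation ranges (RFC 5737, RFC 5398).
IRR_DUMP = """\
route:      198.51.100.0/24
descr:      Example customer A
origin:     AS64500
source:     EXAMPLE

route:      203.0.113.0/24
descr:      Example customer B
origin:     AS64501
source:     EXAMPLE
"""

# Longest prefix accepted per address family (assumed local policy).
MAX_PREFIX_LEN = {4: 24, 6: 48}


def parse_route_objects(text):
    """Return [(network, origin_asn)] from blank-line separated RPSL objects."""
    routes = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip(), value.strip())
        prefix = attrs.get("route") or attrs.get("route6")
        if prefix and "origin" in attrs:
            routes.append((ipaddress.ip_network(prefix), attrs["origin"].upper()))
    return routes


def check_request(prefix, origin_asn, routes):
    """Validate a request to announce `prefix` from `origin_asn`.

    Returns (ok, reason) so the reason can be sent back to the requester.
    """
    try:
        # strict=True rejects host bits: 198.51.100.1/24 is an address, not a prefix.
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        try:
            fixed = ipaddress.ip_network(prefix, strict=False)
        except ValueError:
            return False, "not a valid prefix"
        return False, f"host bits set; did the customer mean {fixed}?"

    limit = MAX_PREFIX_LEN[net.version]
    if net.prefixlen > limit:
        return False, f"more specific than /{limit}"

    # Route objects of the same family that cover the requested prefix.
    covering = [(r, asn) for r, asn in routes
                if r.version == net.version and net.subnet_of(r)]
    if not covering:
        return False, "no registered route object covers this prefix"
    if not any(asn == origin_asn.upper() for _, asn in covering):
        registered = ", ".join(sorted({asn for _, asn in covering}))
        return False, f"registered origin is {registered}, not {origin_asn}"
    return True, "matches a registered route object"


if __name__ == "__main__":
    routes = parse_route_objects(IRR_DUMP)
    requests = [
        ("198.51.100.0/24", "AS64500"),   # correct
        ("198.51.100.1/24", "AS64500"),   # address written as a prefix
        ("198.51.10.0/24", "AS64500"),    # dropped digit
        ("203.0.113.0/24", "AS64500"),    # someone else's space
    ]
    for prefix, asn in requests:
        print(prefix, asn, check_request(prefix, asn, routes))
```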





Re: Console Server Recommendation

2012-01-30 Thread Leigh Porter

On 30 Jan 2012, at 18:41, "Brent Jones"  wrote:

> Another +1 to Opengear
> Just buy the units that have the pinout for your devices, or you may need
> adapters.

And making them gets boring very quickly!

--
Leigh





Re: Console Server Recommendation

2012-01-30 Thread Leigh Porter

On 30 Jan 2012, at 16:10, "Ray Soucy"  wrote:

> What are people using for console servers these days?  We've
> historically used retired routers with ASYNC ports, but it's time for
> an upgrade.
> 
> OpenGear seems to have some nice stuff, anyone else?
> 

+1 for OpenGear. I asked this same question about a year ago..

-- 
Leigh





Re: 10G switchrecommendaton

2012-01-27 Thread Leigh Porter

On 27 Jan 2012, at 10:21, "Fabien Delmotte"  wrote:

> I worked for Extreme, and I deployed a lot of X650 (24 10G ports) for 
> DataCenter environment. The box is really good.
> In fact if you use the box at a layer 2 it is perfect, BUT DON'T use their 
> BGP code, they never understood what is BGP :)

Is that don't use for Internet facing full table BGP or do you include iBGP for 
say VPN as well?

-- 
Leigh





Re: 10G switchrecommendaton

2012-01-26 Thread Leigh Porter
Let's see how many vendors you get listed!

I would go for Brocade.  

-- 
Leigh Porter


On 26 Jan 2012, at 20:24, "Deric Kwok"  wrote:

> Hi all
> 
> I would like to have 10G switchrecommendaton
> Ipref software can test around 9.2G but we can have congestion over 6G
> in single port!
> 
> Thank you



RE: juniper mx80 vs cisco asr 1000

2012-01-19 Thread Leigh Porter


> -Original Message-
> From: jon Heise [mailto:j...@smugmug.com]
> Sent: 19 January 2012 21:37
> To: nanog@nanog.org
> Subject: juniper mx80 vs cisco asr 1000
> 
> Does anyone have any experience with these two routers, we're looking
> to buy one of them but i have little experience dealing with cisco
> routers and zero experience with juniper.

I have lots of MX80s and they have all been fantastic. But if you have no 
experience of Juniper it will be a different learning curve (one that is, IMO, 
worth the effort).

I have not used the asr1000 but it looks like a capable box. You would do well 
to look at the MX80 fixed chassis, it comes with 48 1G interfaces and 4 10G 
interfaces. They are pretty good value, I think.


--
Leigh Porter






RE: RIS raw data

2012-01-19 Thread Leigh Porter


> -Original Message-
> From: Peter Kristolaitis [mailto:alte...@alter3d.ca]
> Sent: 19 January 2012 16:04
> To: nanog@nanog.org
> Subject: Re: RIS raw data
> 
> On 12-01-19 10:46 AM, valdis.kletni...@vt.edu wrote:
> > On Thu, 19 Jan 2012 21:52:52 +0900, Randy Bush said:
> >
> >> uselessness, with more crap welded on to it than envisioned in mad max.
> > oooh... steampunk BGP. ;)
> 
> The Internet is like a series of (steam) tubes?   ;)
> 
> - Peter

When they break, do you see little clouds of 1s and 0s ?

--
Leigh








RE: DNS Attacks

2012-01-18 Thread Leigh Porter


Yeah like I say, it wasn't my idea to put DNS behind firewalls. As long as it 
is not *my* firewalls I really don't care what they do ;-)

--
Leigh Porter


> -Original Message-
> From: Dennis [mailto:den...@justipit.com]
> Sent: 18 January 2012 12:55
> To: Leigh Porter; toor
> Cc: nanog@nanog.org
> Subject: Re: DNS Attacks
> 
> I agree with Roland on the firewall placement.  I add that the attack
> would have likely succeeded to exhaust the servers.  There is a lot of
> recent ddos activity on DNS with what looks like legitimate queries.
> You should also look at some DOS/ application level protections;
> Radware and Arbor top the list.
> 
> 
> Leigh Porter  wrote:
> 
> >
> >
> >On 18 Jan 2012, at 05:06, "toor"  wrote:
> >
> >> Hi list,
> >>
> >> I am wondering if anyone else has seen a large amount of DNS queries
> >> coming from various IP ranges in China. I have been trying to find a
> >> pattern in the attacks but so far I have come up blank. I am completely
> >> guessing these are possibly DNS amplification attacks but I am not
> >> sure. Usually what I see is this:
> >>
> >
> >At various seemingly random times over the past week I have had a DNS
> >which is behind a firewall come under attack. The firewall is
> >significant because the attacks killed the firewall as it is rather
> >under specified (not my idea..).
> >
> >It did originate from Chinese address space and consisted of DNS
> >queries for lots of hosts. There was also a port-scan in the traffic
> >and a SYN attack on a few hosts on the same small subnet as the DNS, a
> >web server and an open SSH port.
> >
> >--
> >Leigh Porter
> >


Re: DNS Attacks

2012-01-17 Thread Leigh Porter


On 18 Jan 2012, at 05:06, "toor"  wrote:

> Hi list,
> 
> I am wondering if anyone else has seen a large amount of DNS queries
> coming from various IP ranges in China. I have been trying to find a
> pattern in the attacks but so far I have come up blank. I am completely
> guessing these are possibly DNS amplification attacks but I am not
> sure. Usually what I see is this:
> 

At various seemingly random times over the past week I have had a DNS which is 
behind a firewall come under attack. The firewall is significant because the 
attacks killed the firewall as it is rather under specified (not my idea..).

It did originate from Chinese address space and consisted of DNS queries for 
lots of hosts. There was also a port-scan in the traffic and a SYN attack on a 
few hosts on the same small subnet as the DNS, a web server and an open SSH 
port.

-- 
Leigh Porter





Re: enterprise 802.11

2012-01-15 Thread Leigh Porter
I use Ruckus in town and city installs and despite rather a lot of other APs it 
performs very well.

I don't have experience of them in high connected station density though.

-- 
Leigh Porter


On 15 Jan 2012, at 19:33, "Ken King"  wrote:

> I need to choose a wireless solution for a new office.
> 
> up to 600 devices will connect.  most devices are mac books and mobile phones.
> 
> we can see hundreds of access points in close proximity to our new office 
> space.
> 
> what are the thoughts these days on the best enterprise solution/vendor?
> 
> Thanks for your replies.
> 
> 
> Ken King



Re: Whois 172/12

2012-01-15 Thread Leigh Porter

On 15 Jan 2012, at 07:39, "Ted Fischer"  wrote:

> Hi all,
> 
>   Tearing what's left of my hair out.
> 
>   A customer is getting scanned by a host claiming to be "172.0.1.216".
> 
>   I know this is bogus, but I want to go back to the customer with as
> much authoritative umph as I can (heaven forbid they just take my
> word).
> 
>   I'm pretty sure I read somewhere once that 172/12 was "reserved" or
> something like that.  All I can find now is that 172/8 is "administered by
> ARIN".  Lots of information on 172.16/12, but not a peep about
> 172/12.
> 
>   If anybody could provide some insight as to the
> allocation/non-allocation of this block, it would be much appreciated.
> 
>   Thanks.
> 
> Ted Fischer

I would look for the prefix in your BGP table and in a couple of looking 
glasses and show the empty output.

If it's not there, then it is bogus.

-- 
Leigh
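
A sketch of the lookup suggested in this reply, as an added example that is not part of the thread: check a source address against special-purpose blocks, then do a longest-prefix match against a routing-table snapshot. It reads the quoted "172/12" as 172.0.0.0/12; the snapshot (documentation prefixes standing in for real routes), its one-line-per-route format and the function names are constructed for illustration, so the result says nothing about what any real BGP table holds.

```python
import ipaddress

# Subset of the IANA special-purpose IPv4 blocks, enough for this triage.
SPECIAL_PURPOSE = [
    (ipaddress.ip_network("0.0.0.0/8"), "this network"),
    (ipaddress.ip_network("10.0.0.0/8"), "RFC 1918 private"),
    (ipaddress.ip_network("127.0.0.0/8"), "loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "link-local"),
    (ipaddress.ip_network("172.16.0.0/12"), "RFC 1918 private"),
    (ipaddress.ip_network("192.168.0.0/16"), "RFC 1918 private"),
    (ipaddress.ip_network("224.0.0.0/4"), "multicast"),
    (ipaddress.ip_network("240.0.0.0/4"), "reserved"),
]

# Constructed routing-table snapshot, one "prefix origin-AS" pair per line.
RIB_SNAPSHOT = """\
192.0.2.0/24 AS64500
198.51.100.0/22 AS64501
198.51.100.0/24 AS64502
"""


def load_rib(text):
    """Parse the snapshot into [(network, origin_asn)]."""
    rib = []
    for line in text.splitlines():
        if line.strip():
            prefix, origin = line.split()
            rib.append((ipaddress.ip_network(prefix), origin))
    return rib


def longest_match(addr, rib):
    """Return the most specific (network, origin) covering addr, or None."""
    best = None
    for net, origin in rib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, origin)
    return best


def block_range(cidr):
    """First and last address of a block, to compare 172/12 with 172.16/12."""
    net = ipaddress.ip_network(cidr)
    return str(net[0]), str(net[-1])


def triage(source, rib):
    """Classify a source address as special-purpose, routed or unrouted."""
    addr = ipaddress.ip_address(source)
    for net, label in SPECIAL_PURPOSE:
        if addr in net:
            return ("special-purpose", str(net), label)
    hit = longest_match(addr, rib)
    if hit:
        return ("routed", str(hit[0]), hit[1])
    # No covering route in this snapshot: replies cannot reach the sender
    # through it, which is the "empty output" to show the customer.
    return ("unrouted", None, None)


if __name__ == "__main__":
    rib = load_rib(RIB_SNAPSHOT)
    print(block_range("172.0.0.0/12"), block_range("172.16.0.0/12"))
    for src in ("172.0.1.216", "172.16.1.216", "198.51.100.7", "198.51.101.7"):
        print(src, triage(src, rib))
```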







Re: VPC=S/MLT?

2012-01-13 Thread Leigh Porter

On 13 Jan 2012, at 19:35, "Joel jaeggli"  wrote:

> On 1/13/12 11:19 , -Hammer- wrote:
>> OK, So I'm doing a lot of reading lately on Nexus as we are about to get
>> into the 7k/5k game and of course a lot of the marketing revolves around
>> VPC. Every time I see it referenced, I keep remembering a reasonably
>> reliable Nortel implementation called Split MLT (Multi Link Trunk). Is
>> there something fancy here that I'm missing in the docs or am I wrong in
>> equating the two? Isn't VPC just S/MLT? It's just that Cisco has shown
>> up 8 years late and is trying to hype it up to compensate?
> 
> vpc/vlt/mlag/s/mlt
> 

I am using the Brocade version, Multi Chassis Trunking (MCT), and it really 
does make things a lot nicer.

--
Leigh Porter





Re: anycast load balancing issue

2012-01-06 Thread Leigh Porter

On 6 Jan 2012, at 07:33, "Måns Nilsson"  wrote:

> 
> Thanks all who made me think a second round and solve this. 

Hence why people prefer to ask people and not GOOG et al.

-- 
Leigh Porter





Re: OSS Systems

2012-01-05 Thread Leigh Porter


On 5 Jan 2012, at 22:02, "Shahab Vahabzadeh"  wrote:

> Hi there,
> Has anybody experience about running and OSS System in enterprise level?
> And do you have any idea about it?
> For example for an ISP who is running users more than 20K or 30K, there
> must be some good solutions to integrate all systems like:
> Radius, Billing Systems and CRM
> For example after searching and asking friends I have some ideas about
> Radius to use: radiator
> Is there anybody who has analyse such a systems before in his ISP? Need
> sharing here :)
> Thanks

We did this a few years ago and ended up writing the whole thing ourselves. 
This included billing, subscriber management etc etc.

We integrated to salesforce.com for the internal front end and the user facing 
stuff we did ourselves.

It was a big project and took a team of six about six months. But we ended up 
with a perfect solution that did exactly what we needed and it was pretty good.

It handled within the order of users you mention, but we designed to 100k users.

We used Radiator (highly recommended) with OpenLDAP back end. Multiple load 
balanced servers etc etc.

The worst thing we did was to build our own mail system. Not that it was an 
issue, it never went wrong, but these days I'd just send people to gmail or 
something.

--
Leigh Porter





DC wiring standards

2012-01-03 Thread Leigh Porter
Hi all,

Does anybody know where I can find standards for DC cabling for -48v systems?

I'm looking for general best common practices, cable colouring etc. 

Thanks, 

-- 
Leigh Porter





Re: Ethernet From China to Singapor or Hong Kong ?

2012-01-02 Thread Leigh Porter
I'd second PCCW. I have contacts there if you drop me a mail off list.


-- 
Leigh Porter
UKBroadband PCCW...



On 2 Jan 2012, at 14:08, "Paul Rolland"  wrote:

> Hello,
> 
> On Mon, 2 Jan 2012 14:30:47 +0100
> Olivier CALVANO  wrote:
> 
>> anyone have contact of a operator (CHina Telecom ? CPC ?) that can provide
>> L2 Link
>> from China to Singapor or if not direct link, China to Hong Kong.
> 
> PCCW ?
> 
> Paul
> 
> -- 
> TelcoTV Awards 2011 - Witbe winner in "Innovation in Test & Measurement"
> 
> Paul Rolland               E-Mail : rol(at)witbe.net
> CTO - Witbe.net SA         Tel. +33 (0)1 47 67 77 77
> Les Collines de l'Arche    Fax. +33 (0)1 47 67 77 99
> F-92057 Paris La Defense   RIPE : PR12-RIPE
> 
> LinkedIn : http://www.linkedin.com/in/paulrolland
> Skype: rollandpaul
> 
> "I worry about my child and the Internet all the time, even though she's
> too young to have logged on yet. Here's what I worry about. I worry that 10
> or 15 years from now, she will come to me and say 'Daddy, where were you
> when they took freedom of the press away from the Internet?'"
> --Mike Godwin, Electronic Frontier Foundation 
> 
> 




Re: Speed Test Results

2011-12-23 Thread Leigh Porter

They are completely unreliable and not to be trusted except for an occasional 
general indication of speed.


-- 
Leigh Porter


On 23 Dec 2011, at 09:20, "jacob miller"  wrote:

> Hi,
> 
> Am having a debate on the results of speed tests sites.
> 
> Am interested in knowing the thoughts of different individuals in regards to 
> this.
> 
> Regards,
> Jacob



Re: Recognized Address Transfer Facilitators (was: Your Christmas Bonus Has Arrived)

2011-12-14 Thread Leigh Porter
I love the anti v6 stuff on some of their sites!

http://www.iptrading.com/news/news.htm


-- 
Leigh


On 14 Dec 2011, at 12:21, "John Curran"  wrote:

> On Dec 14, 2011, at 12:40 AM, Patrick W. Gilmore wrote:
> 
>> I believe this company is the one that sold the MS & Borders blocks, so they 
>> may be "legit" (whatever that means in this context).
> 
> I also do not know what "legit" means in this context, but will note
> that we have added a public list of all recognized specified transfer 
> facilitators to the ARIN web site:
> 
> 
> 
> Facilitators are aware of ARIN's address transfer policies and agree to 
> comply with same.  Note that any qualifying parties may transfer space in 
> compliance with policy, but folks may find it easier to work with one of 
> these facilitators to find a matching party for transfer.  Facilitators may 
> make use of information in the optional Specified Transfer Listing Service 
> (which lists those who have space available or prequalify as a recipient) 
> but not required to do so.  Similarly, parties which may have space available
> for transfer or wish to prequalify in advance to receive address space via 
> transfer may also register in the Specified Transfer Listing Service (STLS).  
> More information is available on the ARIN web site  under 
> "IPv4 SPECIFIED TRANSFER OPTIONS" section.
> 
> FYI (and Happy Holidays :-)
> /John
> 
> John Curran
> President and CEO
> ARIN



RE: Your Christmas Bonus Has Arrived

2011-12-13 Thread Leigh Porter


> -Original Message-
> From: Chaim Rieger [mailto:chaim.rie...@gmail.com]
> Sent: 14 December 2011 06:10
> To: IPv4 Brokers; nanog@nanog.org
> Subject: Re: Your Christmas Bonus Has Arrived
> 
> What do you have for those that don't do the whole Jesus thing ?
> 


That would be Hell..

--
Leigh




RE: Sad IPv4 story?

2011-12-12 Thread Leigh Porter
> -Original Message-
> From: Vitkovsky, Adam [mailto:avitkov...@emea.att.com]
> Sent: 12 December 2011 09:19
> To: Eric Parsonage; valdis.kletni...@vt.edu
> Cc: nanog@nanog.org
> Subject: RE: Sad IPv4 story?
> 
> > and models that doesn't take "we may not get IPv4 space" into account and have
> > a contingency plan for that *deserves* to be soundly mocked and ridiculed in
> > public.
> 
> That's right
> 
> However the original post was concerning a fresh new ISP that can't run
> their business the way they would like
> Maybe they'd like to build an mpls core which right now is not possible
> with only ipv6 at hand
> I'd like to see the business model to build an mpls network with all
> the features we're used to -but solely on ipv6 -I guess the plan would
> be let's wait a couple years till it gets implemented and mature enough

Well really this is pretty much our fault. IPv6 has been on people's 'back 
burner' for far too long. Additional vendor pressure and pressure at the IETF 
would have pushed things forward far faster had people actually been interested 
in doing so.

As per an earlier post, I am shocked at how I still have vendors coming to me 
with equipment that is nowhere near ready for commercial IPv6 deployment, it 
either just does not work, is half baked or is "on the roadmap".

So now we will reap the consequences and it will be at the cost of new market 
entrants (which I am sure will please some people) and perhaps cold hard cash 
for those who cannot expand their business or have to 'buy' address space.

I know a lot of people have been working hard to move IPv6 along both here, at 
NANOG and other events and with their vendors. It's because of those people, 
like Randy perhaps that we actually have what we do now else most people would 
still be stuck with their heads in the sand.

Well, I am sure it'll all be OK in the end...

--
Leigh






RE: On Working Remotely

2011-12-04 Thread Leigh Porter
This pretty much says it all, I think:

http://www.youtube.com/watch?v=co_DNpTMKXk

--
Leigh


> -Original Message-
> From: Keegan Holley [mailto:keegan.hol...@sungard.com]
> Sent: 04 December 2011 18:50
> To: Jay Ashworth
> Cc: NANOG
> Subject: Re: On Working Remotely
> 
> Maybe I have a different personality, but I find it much easier to work
> from home (provided home is empty).  I think "networking" from home, which
> I do periodically during the week is different from coding from home which
> I do on the weekends.  It does take some getting used to.  I find I'm much
> more productive from home. (again as long as home is empty)  I spend less
> time talking about sports (professional, college and little league) TV, the
> opposite sex, hunting... etc. etc.  I also tend to make healthier choices
> since the coffee and cigarettes aren't free and no one invites me to order
> pizza for lunch when I'm at home.  To each his own though.
> 
> 2011/12/4 Jay Ashworth 
> 
> > Some more thoughts on telecommuting, from the guy who built Stack Overflow.
> >
> > http://www.codinghorror.com/blog/2010/05/on-working-remotely.html
> >
> > Cheers,
> > -- jra
> > --
> > Jay R. Ashworth  Baylink  j...@baylink.com
> > Designer The Things I Think  RFC 2100
> > Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
> > St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



RE: IP addresses are now assets

2011-12-02 Thread Leigh Porter


> -Original Message-
> From: Justin M. Streiner [mailto:strei...@cluebyfour.org]
> Sent: 02 December 2011 19:26
> To: Leo Bicknell
> Cc: NANOG
> Subject: Re: IP addresses are now assets
> 
> On Fri, 2 Dec 2011, Leo Bicknell wrote:
> 
> > In a message written on Thu, Dec 01, 2011 at 11:04:23PM -0500, Michael R. Wayne wrote:
> >>After negotiating with multiple prospective buyers, Cerner Corp.
> >>agreed to buy the Internet addresses for $12 each. Other bids were
> >>as low as $1.50 each, according to a bankruptcy court filing.
> >
> > Someone should tell Cerner Corp you can still get them for free,
> > and thus they overpaid by oh, $12 an address!
> 
> I'm waiting for someone to come back and balk at $12/address, and try to
> reduce the number of addresses they buy, forgetting that pesky powers-of-two
> business:  "In the interest of containing the cost of the deal, XYZ Corp has
> agreed to buy 27,000 addresses instead of the original 65,536."
> 
> That will be a definite facepalm moment.
> 
> jms


So about a /18 a /19 a /21 and a /23 then ;-)


--
Leigh






RE: IP addresses are now assets

2011-12-02 Thread Leigh Porter


> -Original Message-
> From: John Curran [mailto:jcur...@arin.net]
> Joly -
> 
>   Requests are processed according the transfer policies
>   <https://www.arin.net/policy/nrpm.html#eight>.  If a
>   request doesn't meet the transfer policy (e.g. the sale
>   is not to an actual entity that has an operational need
>   for address space or it is more space than needed for the
>   next twelve months), then it will be denied.


Presumably organisations will check this and fake the appropriate paperwork and 
come up with some plausible excuse for requiring the space within the next 12 
months BEFORE they part with their cash.

It would be most amusing for somebody to buy space, hand over the money and 
then have ARIN deny the transfer.

So I do wonder, how is this policy being enforced and will ARIN be 
investigating this current news item?

-- 
Leigh Porter





RE: Looking for a Tier 1 ISP Mentor for career advice.

2011-12-02 Thread Leigh Porter
> -Original Message-
> From: Thorsten Dahm [mailto:t.d...@resolution.de]
> Sent: 02 December 2011 12:28
> To: nanog@nanog.org
> Subject: Re: Looking for a Tier 1 ISP Mentor for career advice.
> 
> On 12/1/11 9:35 PM, David Radcliffe wrote:
> > Since I like to work and code (I spend 10 hours a day on the computer at the
> > office, think about work related stuff in the shower, and often write Perl code
> > at home to deal with various household tasks) I work quite well at home.
> > There are more distractions at the office and my productivity is greater in my
> > home computer room during those times I have to put in some extra for the
> > office.
> 
> The downside of this is that you are not around in the office in case
> someone wants to talk to you. I often end up with guys from our
> operations team or other teams stopping at my desk and ask questions. Or
> guys who want to have a quick chat about a problem and want to ask for
> an advice or idea. Or people who want to learn Perl and have a question
> that you can answer in 30 seconds.

And it means you do not get 'noticed' as much. I work from home when I have a 
task to get done that benefits from not having to talk to people. A specific 
document that needs completing or some more PowerPoint waffle for a pointless 
meeting with people who won't get it anyway.

Other than that, I try to be in the office.

--
Leigh






RE: Looking for a Tier 1 ISP Mentor for career advice.

2011-12-01 Thread Leigh Porter


> -Original Message-
> From: Leo Bicknell [mailto:bickn...@ufp.org]
> Sent: 01 December 2011 16:15
> To: nanog@nanog.org
> Subject: Re: Looking for a Tier 1 ISP Mentor for career advice.


> It's a wonderful double edged sword.  Someone who can think their way
> out of a myriad of technical problems is also smart enough to evaluate
> the organizational structure and dynamics, predict their own future (or
> lack thereof), predict the success and failure rates of the current
> environment and leave if they don't think it's a net positive.


An excellent analysis of the situation.

--
Leigh





RE: Looking for a Tier 1 ISP Mentor for career advice.

2011-12-01 Thread Leigh Porter
I am looking for just such a person now. Good Juniper, some Cisco and Sysadmin 
experience with an ISP background..

I expect it will be immensely difficult to find somebody. What makes it even 
more frustrating is that just such a person was not all that long ago made 
redundant!

So if anybody is looking for something to do around London...

--
Leigh


> -Original Message-
> From: randal k [mailto:na...@data102.com]
> Sent: 01 December 2011 15:19
> To: Bill Stewart
> Cc: nanog@nanog.org
> Subject: Re: Looking for a Tier 1 ISP Mentor for career advice.
> 
> This is a huge point. We've had a LOT of trouble finding good network
> engineers who have all of the previously mentioned "soft" attributes -
> attitude, team player, can write, can speak, can run a small project -
> and
> are more than just Cisco pimps. I cannot explain how frustrating it is
> to
> meet a newly minted CCNP who has zero Linux experience, can't script
> anything, can't setup a syslog server, doesn't understand AD much less
> LDAP, etc. Imagine, an employee who can help themselves 90% of the time
> ...
> 
> Finding the diamond that has strong niche skill, networking, with a
> broad &
> just-deep-enough sysadmin background has been very, very hard. I cannot
> emphasize enough the importance of cross-training. Immensely valuable.
> 
> Randal
> 
> On Wed, Nov 30, 2011 at 4:39 PM, Bill Stewart 
> wrote:
> 
> >  And yeah, sometimes it means that you need to go
> > learn technologies like Active Directory
> >
>  [snip]
> 
> >
> > In addition to learning scripting languages
> >
> 



RE: Odd router brokenness

2011-11-23 Thread Leigh Porter


> -Original Message-
> From: Mark Radabaugh [mailto:m...@amplex.net]
> Sent: 23 November 2011 16:53
> To: NANOG list
> Subject: Re: Odd router brokenness
> 
> On 11/23/11 11:33 AM, Saku Ytti wrote:
> > On (2011-11-23 09:41 -0500), Mark Radabaugh wrote:
> >
> >> The question is:   How does a router break in this manner?  It
> >> appears to unintentionally be doing something different with traffic
> >> based on the source address, not the destination address.  I
> >> realize this can be done intentionally  - but that is not the case
> >> here (unless somebody isn't telling me something).
> > I don't think we can determine that it has anything to do with source
> > address based on data shown.
> > 38.104.148.5 could very well be 6500 and somehow broken adjacency to
> > 74.125.226.6, perhaps hardware adjacency having MTU of 0B, causing
> punt
> > which is rate-limited by different policer than TTL exceeded policer.
> >
> I was told the router was reloaded to resolve a CEF issue.  Not sure
> what was wrong with 'clear cef linecard'.


Now *that* brings back memories!

--
Leigh





Re: Any recommended router. They are reliable and have good support.

2011-11-22 Thread Leigh Porter
I have used quite a few of their devices and have been impressed. The bang for 
your buck is unlike anything else. I sometimes wonder why I bother buying other 
kit, apart from the larger boxes.

Maybe I'll find a bug and test them out ;-)

-- 
Leigh


On 22 Nov 2011, at 16:04, "Meftah Tayeb"  wrote:

> Leigh,
> MT is very responsive
> wonderful
> fast bug fixes and very organised RouterOs releases
> i use it a lot and have a hell load of features
> support all major routing protocols BGP, OSPF / OSPFv3, RIP/RIPNG, PIM for 
> multicast, MME for wireless and much more.
> thank you
> 
> ----- Original Message - From: "Leigh Porter" 
> 
> To: 
> Cc: "nanog list" 
> Sent: Tuesday, November 22, 2011 6:02 PM
> Subject: Re: Any recommended router. They are reliable and have good support.
> 
> 
> Has anybody had experience of mikrotik support? Is it any good? Any thoughts 
> about the time to fix bugs?
> 
> -- 
> Leigh
> 
> 
> On 22 Nov 2011, at 15:57, "Faisal Imtiaz"  wrote:
> 
>> mikrotik family .. you can have all sizes and shapes of routers ..
>> lots of support available online or from independent consultants.
>> 
>> Regards.
>> 
>> Faisal Imtiaz
>> Snappy Internet&  Telecom
>> 
>> 
>> On 11/22/2011 10:38 AM, Deric Kwok wrote:
>>> Hi
>>> 
>>> Can I know any selection of Linux routers except cisco / juniper?
>>> 
>>> They are reliable and have  good support provided
>>> 
>>> We would like to get one for testing.
>>> 
>>> Thank you
>>> 
>>> 
>> 
>> 
> 
> 
> 
> __ Information from ESET NOD32 Antivirus, version of virus signature 
> database 6651 (2022) __
> 
> The message was checked by ESET NOD32 Antivirus.
> 
> http://www.eset.com
> 
> 
> 
> 



Re: Any recommended router. They are reliable and have good support.

2011-11-22 Thread Leigh Porter
Has anybody had experience of mikrotik support? Is it any good? Any thoughts 
about the time to fix bugs?

-- 
Leigh


On 22 Nov 2011, at 15:57, "Faisal Imtiaz"  wrote:

> mikrotik family .. you can have all sizes and shapes of routers ..
> lots of support available online or from independent consultants.
> 
> Regards.
> 
> Faisal Imtiaz
> Snappy Internet&  Telecom
> 
> 
> On 11/22/2011 10:38 AM, Deric Kwok wrote:
>> Hi
>> 
>> Can I know any selection of Linux routers except cisco / juniper?
>> 
>> They are reliable and have  good support provided
>> 
>> We would like to get one for testing.
>> 
>> Thank you
>> 
>> 
> 
> 



Re: Any recommended router. They are reliable and have good support.

2011-11-22 Thread Leigh Porter
Brocade have some reasonable boxes.

-- 
Leigh Porter


On 22 Nov 2011, at 15:40, "Deric Kwok"  wrote:

> Hi
> 
> Can I know any selection of Linux routers except cisco / juniper?
> 
> They are reliable and have  good support provided
> 
> We would like to get one for testing.
> 
> Thank you
> 
> 



Re: First real-world SCADA attack in US

2011-11-21 Thread Leigh Porter

On 21 Nov 2011, at 20:23, "Ryan Pavely"  wrote:

> Might I suggest using 127.0.0.2 if you want less spam :P
> 
> Pretty scary that folks have
> 1. Their scada gear on public networks, not behind vpns and firewalls.

Do people really do that? Just dump a /24 of routable space on a network and 
use it? 
Fifteen years ago perhaps, but now, really? Or are these legacy installations 
with Cisco routers that don't do 'ip classless' and that everybody has 
forgotten about?


> 2. Allow their hardware vendor to keep a list of usernames / passwords.

Yeah I can believe this. That's if they bothered changing the passwords at all.

> 2b. Obviously don't change these so often.  When's the last time they really 
> "called support" and refreshed the password with the hw vendor?  Probably 
> when they installed the gear... Sheesh..

I am curious now as to what you would find port scanning for port 23 on some 
space owned by utility companies. Now, I'm not about to do this, but it would 
be interesting.

Does anybody know what really happened here? Were they just using some ancient 
VHF radio link to an unmanned pumping station that somebody hacked with an old 
TCM3105 or AM2911 modem chip and a ham radio?


--
Leigh





Re: First real-world SCADA attack in US

2011-11-21 Thread Leigh Porter
I checked the SCADA boxes used in our "smart" building. They are all using 
127.0.0.1

Is that a security risk?

-- 
Leigh Porter


On 21 Nov 2011, at 19:20, "Arturo Servin"  wrote:

> 
>I wonder if they are using private IP addresses.
> 
> -as
> 
> On 21 Nov 2011, at 13:32, Jay Ashworth wrote:
> 
>> On an Illinois water utility:
>> 
>> http://www.msnbc.msn.com/id/45359594/ns/technology_and_science-security
>> 
>> Cheers,
>> -- jra
>> -- 
>> Jay R. Ashworth        Baylink                   j...@baylink.com
>> Designer               The Things I Think        RFC 2100
>> Ashworth & Associates  http://baylink.pitas.com  2000 Land Rover DII
>> St Petersburg FL USA   http://photo.imageinc.us  +1 727 647 1274
> 
> 
> 



RE: Have they stopped teaching Defense in Depth?

2011-11-16 Thread Leigh Porter


> -Original Message-
> From: Jay Ashworth [mailto:j...@baylink.com]
> Sent: 16 November 2011 13:38
> To: NANOG
> Subject: Re: Have they stopped teaching Defense in Depth?
> 
> - Original Message -
> > From: "Jimmy Hess" 
> 
> > Or, the attack is against a legitimate user's outbound connection,
> for example:
> > a user behind the firewall connects to a web site, a vulnerability
> > in their browser is exploited
> > to install a trojan -- the trojan tunnels to the attacker over an
> > outgoing port that is allowed on the firewall.
> 
> Oh, certainly; I have lots of web browsers running on my servers.
> 
> All The World Is Not A Workstation, guys.

I think the point is that you access your servers from your work station and so 
if the workstation you use to access the network is compromised then your whole 
network is potentially compromised.

--
Leigh



__
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
__


Re: Arguing against using public IP space

2011-11-15 Thread Leigh Porter
Quite right.. I bet all Iran's nuclear facilities have air gaps but they let 
people in with laptops and USB sticks.

-- 
Leigh


On 15 Nov 2011, at 14:48, "Chuck Church"  wrote:

> -Original Message-
> From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu] 
> Sent: Tuesday, November 15, 2011 9:17 AM
> To: Leigh Porter
> Cc: nanog@nanog.org; McCall, Gabriel
> Subject: Re: Arguing against using public IP space
> 
>> And this is totally overlooking the fact that the vast majority of
>> *actual* attacks these days are web-based drive-bys and similar things
>> that most firewalls are configured to pass through.  Think about it - if a
>> NAT'ed firewall provides any real protection against real attacks, why are
>> there still so many zombied systems out there?  I mean, Windows
>> Firewall has been shipping with inbound "default deny" since XP SP2 or so.
>> How many years ago was that?
> 
> Simple explanation is that most firewall rules are written to trust traffic
> initiated by 'inside' (your users), and the return traffic gets trusted as
> well.  This applies to both Windows' own FW, and most hardware based
> firewalls.  And NAT/PAT devices too.  There's nothing more dangerous than a
> user with a web browser.  Honestly, FWs will keep out attacks initiated from
> outside.  But for traffic permitted or initiated by the inside, IPS is the only
> way to go.  
> 
> Chuck  
> 
> 
> 



Re: Arguing against using public IP space

2011-11-15 Thread Leigh Porter

On 15 Nov 2011, at 15:36, "Owen DeLong"  wrote:

> 
> On Nov 15, 2011, at 2:57 AM, Leigh Porter wrote:
> 
>> 
>> 
>> On 14 Nov 2011, at 18:52, "McCall, Gabriel" 
>>  wrote:
>> 
>>> Chuck, you're right that this should not happen- but the reason it should 
>>> not happen is because you have a properly functioning stateful firewall, 
>>> not because you're using NAT. If your firewall is working properly, then 
>>> having public addresses behind it is no less secure than private. And if 
>>> your firewall is not working properly, then having private addresses behind 
>>> it is no more secure than public. In either case, NAT gains you nothing 
>>> over what you'd have with a firewalled public-address subnet.
>> 
>> 
>> Well this is not quite true, is it.. If your firewall is not working and you 
>> have private space internally then you are a lot better off than if you have 
>> public space internally! So if your firewall is not working then having 
>> private space on one side is a hell of a lot more secure!
>> 
> This is not true.
> 
> If your firewall is not working, it should not be passing packets.

And of course, things always fail just the way we want them to.

> 
> If you put a router where you needed a firewall, then, this is not a failure 
> of the firewall, but, a
> failure of the network implementor and the address space will not have any 
> impact whatsoever
> on your lack of security.

This is not really a well made point, sorry. It's about a firewall failing, 
perhaps due to software error or hardware issue or because somebody failed to 
correctly configure a firewall rule. 

The point about private space is that it forces security in a way in which 
public space and a firewall does not.

With private space, you are forced to explicitly configure NAT holes or VPN 
connections whereas with public space your boxes by default are accessible by 
the whole Internet. By default, on a private space network, nothing can get to 
it.



> 
>> As somebody else mentioned on this thread, a NAT box with private space on 
>> one side fails closed.
>> 
> 
> So does a firewall.

If it fails just how you want it to.

--
Leigh





Re: Arguing against using public IP space

2011-11-15 Thread Leigh Porter


On 14 Nov 2011, at 18:52, "McCall, Gabriel"  
wrote:

> Chuck, you're right that this should not happen- but the reason it should not 
> happen is because you have a properly functioning stateful firewall, not 
> because you're using NAT. If your firewall is working properly, then having 
> public addresses behind it is no less secure than private. And if your 
> firewall is not working properly, then having private addresses behind it is 
> no more secure than public. In either case, NAT gains you nothing over what 
> you'd have with a firewalled public-address subnet.


Well this is not quite true, is it.. If your firewall is not working and you 
have private space internally then you are a lot better off than if you have 
public space internally! So if your firewall is not working then having private 
space on one side is a hell of a lot more secure!

As somebody else mentioned on this thread, a NAT box with private space on one 
side fails closed.

--
Leigh





Re: Arguing against using public IP space

2011-11-13 Thread Leigh Porter
I was involved in a security review of a SCADA system a couple of years ago. 
Their guy was very impressed with himself and his "Internet air-gap" but 
managed to leave all their ops consoles on both the SCADA network and their 
internal corp LAN.

Their corp LAN was a mess with holes through their NAT gateway all over the 
place to let external support people rdesktop to the SCADA network machines.

Of course it was all on private address space internally. 

So you see, when you put idiots in charge, you're screwed whatever you do and 
private address space and NAT and whatever else will be no more than security 
by nice stickers and marketing.

-- 
Leigh


On 13 Nov 2011, at 15:38, "Jason Lewis"  wrote:

> I don't want to start a flame war, but this article seems flawed to
> me.  It seems an IP is an IP.
> 
> http://www.redtigersecurity.com/security-briefings/2011/9/16/scada-vendors-use-public-routable-ip-addresses-by-default.html
> 
> I think I could announce private IP space, so doesn't that make this
> argument invalid?  I've always looked at private IP space as more of a
> resource and management choice and not a security feature.
> 
> 



Re: where was my white knight....

2011-11-08 Thread Leigh Porter

On 8 Nov 2011, at 21:37, "Leo Bicknell"  wrote:

> In a message written on Tue, Nov 08, 2011 at 04:22:48PM -0500, Christopher 
> Morrow wrote:
>> I think actually it wouldn't have caused more validation requests, the
>> routers have (in some form of the plan) a cache from their local
>> cache, they use this for origin validation... there's not a
>> requirement to refresh up the entire chain. (I think).
> 
> I kinda think everyone is wrong here, but Chris is closer to accurate.
> :P
> 
> When a router goes boom, the rest of the routers recalculate around
> it.  Generally speaking all of the routers will have already had a
> route with the same origin, and thus have hopefully cached a lookup
> of the origin.  However, that lookup might have been done
> days/weeks/months ago, in a stable network.
> 
> While I'm not familiar with the nitty gritty details here, caches
> expire for various reasons.  The mere act of the route changing
> paths, if it moved to a device with a stale cache, would trigger a
> new lookup, right?
> 
> Basically I would expect any routing change to generate a set of
> new lookups proportional to the cache expiration rules.

Which may very well fail because all the routing is hosed. I'm not all that 
familiar with the potential implementation issues, but I would think that 
network-local caches would be in order. 

Even with local caches, I would expect a high incidence of change to trigger 
something sensible to mitigate this kind of craziness from happening. I am sure 
enough people have had incorrectly scaled RADIUS farms blow up when a load of 
DSLAMS vanish and come back again not to repeat such storms.


--
Leigh Porter





Re: where was my white knight....

2011-11-08 Thread Leigh Porter

On 8 Nov 2011, at 18:24, "Dobbins, Roland"  wrote:

> 
> On Nov 9, 2011, at 1:14 AM,  wrote:
> 
>> that was/is kind of orthogonal to the question... would the sidr plan for 
>> routing security have been a help in this event? 
> 
> SIDR is intended to provide route-origination validation - it isn't intended 
> to be nor can it possibly be a remedy for vendor-specific implementation 
> problems.
> 
> Validation storm-control is something which must be accounted for in 
> SIDR/DANE architecture, implementation, and deployment.  But at the end of 
> the day, vendors are still responsible for their own code.
> 
> 

Indeed, we can expect new and exciting ways to blow up networks with SIDR. 


--
Leigh





Re: XO blocking individual IP's

2011-11-08 Thread Leigh Porter
So if you want to launch a DoS attack against a specific IP address you spoof 
TCP3389 SYNs to networks single homed to XO and they will null it for you.

-- 
Leigh


On 8 Nov 2011, at 04:36, "Blake T. Pfankuch"  wrote:

> Oh yes!  Good lord I about went insane with this.  I was working with a 
> customer single homed to cBeyond.  I spent 3 hours on the phone with cBeyond 
> to figure out what was going on, it looks like a broken route.  Come to find 
> out it was an XO "security null".  The engineer on the phone from cBeyond 
> said to me "Well, I have learned 2 things today.  1, XO nulls for 'security 
> purposes' at random.  2, I am no longer shocked by any ridiculous policy I 
> will ever come across again."
> 
> In this case majority traffic was going from cBeyond to anywhere (via XO) and 
> being eaten, however it was VERY tough to diagnose as all parties involved 
> assumed this would not be occurring between source and destination without 
> good public documentation or at least any record of this happening to someone 
> else.  Also I guess we all assumed that major bandwidth players don't filter 
> anything.
> 
> I personally think it's good on paper, but very bad real life until there is a 
> way to notify the end customer of the violation quickly.  This issue 
> literally took 3 full weeks to figure out what was going on.  Yes this works 
> great in a colo datacenter as you have the customer contact info (hopefully). 
>  But in the case where my customers provider was having the IP filtered by 
> their transit it was hell to diagnose.  In my case the customer had a single 
> infected machine that was making outbound connections on TCP3389 in the range 
> of about 100 connections every 5 minutes and because of this was entirely 
> being "security nulled".
> 
> Blake
> 
> -Original Message-
> From: clay...@haydel.org [mailto:clay...@haydel.org] 
> Sent: Monday, November 07, 2011 7:43 PM
> To: nanog@nanog.org
> Subject: XO blocking individual IP's
> 
> 
> I'm hoping someone has had the same experiences, and is further toward a 
> resolution on this than I am. About 6 months ago, we noticed that XO was 
> blackholing one specific IP out of a /24.  Traces to that IP stopped on XO's 
> network, traces to anything else out of the block went through fine.
> XO finally admitted that they had a new security system that identifies 
> suspicious traffic and automatically blocks the IP for 30 minutes.  We had to 
> get the IP in question "whitelisted" by their security guys.  The traffic was 
> all legit, it was just on a high port # that they considered suspicious.
> 
> There have been several more cases like this, and XO has not been forthcoming with 
> information. We're either looking to be exempted from this filtering or at 
> least get a detailed description of how the system works.  I'm not sure how 
> they think this is acceptable from a major transit provider.
> Anybody else had similar problems?
> 
> 
> Clayton Haydel
> 
> 
> 
> 



Re: TATA problems?

2011-11-07 Thread Leigh Porter
Any thoughts on just how widespread this was? Did every Juniper that receives 
Internet BGP updates with the affected software break? Or did it die out quite 
quickly?

-- 
Leigh


On 7 Nov 2011, at 19:55, "John van Oppen"  wrote:

> We saw several customers go away this morning as well.   Our network itself 
> is cisco so we did not see anything directly. 
> 
> John van Oppen
> @ AS11404.
> 
> 
> -Original Message-
> From: Tom Hill [mailto:t...@ninjabadger.net] 
> Sent: Monday, November 07, 2011 7:09 AM
> To: nanog@nanog.org
> Subject: Re: TATA problems?
> 
> On Mon, 2011-11-07 at 10:00 -0500, Todd Snyder wrote:
>> We seem to be having some problems with our tata links - first seen in 
>> EU about 45 minutes ago, now we're seeing problems in NA.  I'm focused 
>> on DNS, so I'm seeing a lot of timeouts/servfails, but our networking 
>> folks are talking about links dropping.
>> 
>> Anyone else seeing oddness on the NA Internet right now?
>> 
>> http://downrightnow.com/ confirms - something is up.
> 
> There are widespread issues across the Internet; certain versions of Juniper 
> firmware have core dumped after seeing a particular BGP 'UPDATE'
> message. 
> 
> (That's the running theory at least).
> 
> It's affected multiple service providers, globally, not just those connected 
> to TATA.
> 
> Tom
> 
> 
> 



Re: General Internet Instability

2011-11-07 Thread Leigh Porter


On 7 Nov 2011, at 16:41, "Todd Snyder"  wrote:

> On Mon, Nov 7, 2011 at 11:27 AM, Richard Golodner <
> rgolod...@infratection.com> wrote:
> 
>> On Mon, 2011-11-07 at 11:09 -0500, Todd Snyder wrote:
>>> Can anyone point to any authoritative updates about this?
>> 
>>I think Jared's suggestion was about as close as you're going to get
>> for
>> right now. Look at the size of the files he mentioned as compared to the
>> average size of the others.
>>   Hopefully someone will come forth with an authoritative answer later
>> today.
>>Richard Golodner
>> 
>> 
> Management don't understand or care about BGP updates, they just want to
> know if the problem is ours, and if it's not, who to blame :)
> 
> thank goodness for NANOG - updates here have been helpful explaining things
> to management.
> 
> t.
> 

Just blame Shub Internet..

Oh no, I've said it now!

--
Leigh





Re: TATA problems?

2011-11-07 Thread Leigh Porter

My 10.4r1.9 boxes died also but I saw interfaces go down whilst bgpd seemed 
stable. 

-- 
Leigh


On 7 Nov 2011, at 15:34, "Pierre-Yves Maunier"  wrote:

> 2011/11/7 Tom Hill 
> 
>> On Mon, 2011-11-07 at 10:00 -0500, Todd Snyder wrote:
>>> We seem to be having some problems with our tata links - first seen in EU
>>> about 45 minutes ago, now we're seeing problems in NA.  I'm focused on
>> DNS,
>>> so I'm seeing a lot of timeouts/servfails, but our networking folks are
>>> talking about links dropping.
>>> 
>>> Anyone else seeing oddness on the NA Internet right now?
>>> 
>>> http://downrightnow.com/ confirms - something is up.
>> 
>> There are widespread issues across the Internet; certain versions of
>> Juniper firmware have core dumped after seeing a particular BGP 'UPDATE'
>> message.
>> 
>> (That's the running theory at least).
>> 
>> It's affected multiple service providers, globally, not just those
>> connected to TATA.
>> 
>> Tom
>> 
>> 
>> 
> On our side all our 10.3R2.11 core dumped which made all our interfaces
> flap.
> I've been told 10.4R1.9 is affected too.
> 
> -- 
> Pierre-Yves Maunier
> 



Re: Performance Issues - PTR Records

2011-11-07 Thread Leigh Porter


On 7 Nov 2011, at 14:03, "Bjørn Mork"  wrote:

> Leigh Porter  writes:
> 
>> Indeed, there is no way I would allow that either. But really,
>> providing a reverse zone and forward zone to match is a case of five
>> minutes and a shell script or a DNS that as Steinar said, will
>> synthesise results.
>> 
>> It's really not all that difficult..
> 
> No, not at all.  It's just totally pointless.  Any IPv6 address is just
> as pretty as a synthesized name.  Maybe even prettier. Do you prefer
> "2001:db8:1::2" or "20010db800010002.rev.example.com"?
> 
> If we're going to provide any reverse DNS for end users, then it is
> because we can create names which actually improves something.
> 
> 
> Bjørn
> 
> 

Yup it is pointless.. Mine are all ipaddress.domain which is of course, 
pointless.. I suppose at least somebody would glean that perhaps it's a home 
user rather than a business or server on that address but that's all.

With IPv6 arguably even more pointless as you say.




Re: Performance Issues - PTR Records

2011-11-07 Thread Leigh Porter


On 7 Nov 2011, at 13:48, "sth...@nethelp.no"  wrote:

>>> The practice of filling out the reverse zone with fake PTR record
>>> started before there was wide spread support for UPDATE/DNS.  There
>>> isn't any need for this to be done anymore.  Machines are capable
>>> of adding records for themselves.
>> 
>> How do I setup this for DHCPv6-PD?  Say, I delegate 2001:db8:42::/48 to
>> the end user.  Should I delegate reverse DNS as well?  If so, to whom?
>> 
>> Or is it the CPEs responibility to dynamically add records for whatever
>> addresses it sees on the internal LAN(s)?  Are there CPEs capable of
>> doing this?
>> 
>> Or will the end systems themselves do the update against my DNS server?
>> If so, how do I authenticate that?
> 
> With my ISP hat on, I find the idea of customer CPEs updating their
> own PTR records to be completely unacceptable. So I guess I'll either
> live without the reverse DNS, or use a name server that can synthesize
> answers on the fly.
> 
> Steinar Haug, Nethelp consulting, sth...@nethelp.no
> 

Indeed, there is no way I would allow that either. But really, providing a 
reverse zone and forward zone to match is a case of five minutes and a shell 
script or a DNS that as Steinar said, will synthesise results.

It's really not all that difficult..

--
Leigh Porter
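
The synthesising name server mentioned in this message, as an added example that is not code from the thread: it answers PTR and AAAA queries on the fly for the delegated prefix 2001:db8:42::/48 and checks that reverse and forward answers match, without accepting any customer updates. The zone name is taken from the example quoted in the thread; the use of all 32 hex digits as the label and every function name are assumptions.

```python
import ipaddress

ZONE = "rev.example.com"                            # forward zone for synthesized names
PREFIX = ipaddress.IPv6Network("2001:db8:42::/48")  # customer delegation from the thread
HEX = set("0123456789abcdef")


def ptr_owner(addr: str) -> str:
    """ip6.arpa owner name a resolver queries for this address."""
    return ipaddress.IPv6Address(addr).reverse_pointer + "."


def synth_name(ip: ipaddress.IPv6Address) -> str:
    """Host name built from the 32 hex digits of the fully expanded address."""
    return ip.exploded.replace(":", "") + "." + ZONE + "."


def addr_from_ptr_owner(qname: str):
    """Parse an ip6.arpa name back to an address, or None if malformed."""
    name = qname.rstrip(".").lower()
    if not name.endswith(".ip6.arpa"):
        return None
    nibbles = name[: -len(".ip6.arpa")].split(".")
    if len(nibbles) != 32 or any(len(n) != 1 or n not in HEX for n in nibbles):
        return None
    return ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16))


def addr_from_synth(qname: str):
    """Parse a synthesized host name back to an address, or None if malformed."""
    name = qname.rstrip(".").lower()
    suffix = "." + ZONE
    if not name.endswith(suffix):
        return None
    label = name[: -len(suffix)]
    if len(label) != 32 or any(c not in HEX for c in label):
        return None
    return ipaddress.IPv6Address(int(label, 16))


def answer(qname: str, qtype: str, prefix=PREFIX):
    """Synthesize the record data for one query; None means NXDOMAIN."""
    if qtype == "PTR":
        ip = addr_from_ptr_owner(qname)
        return synth_name(ip) if ip is not None and ip in prefix else None
    if qtype == "AAAA":
        ip = addr_from_synth(qname)
        return str(ip) if ip is not None and ip in prefix else None
    return None


def fcrdns_ok(addr: str) -> bool:
    """Forward-confirmed reverse DNS: PTR answer must resolve back to addr."""
    ip = ipaddress.IPv6Address(addr)
    name = answer(ptr_owner(addr), "PTR")
    return name is not None and answer(name, "AAAA") == str(ip)


if __name__ == "__main__":
    for a in ("2001:db8:42::1", "2001:db8:42:ffff::abcd", "2001:db8:43::1"):
        print(a, answer(ptr_owner(a), "PTR"), fcrdns_ok(a))
```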




RE: IPv6 beta support for Android phones

2011-11-07 Thread Leigh Porter
> 
> LTE does not have the dual attachment problem since there is the
> concept of having v4 and v6 in one attachment, but it does not change
> the fact that there are not enough IPv4 addresses to go around,
> especially from a strategic planning perspective (let's design this
> once for 5 to 10+ year life ...)
> 

Most networks seem to dish out address space behind a LSN box these days.

I have three dongle things from three networks in the UK, none of them give me 
a public address.

--
Leigh Porter





RE: Hands and Eyes for London and Amsterdam

2011-10-31 Thread Leigh Porter
For London:

http://www.netsumo.com/

--
Leigh Porter



> -Original Message-
> From: Mike Rae [mailto:mike@sjrb.ca]
> Sent: 31 October 2011 16:26
> To: nanog@nanog.org
> Subject: Hands and Eyes for London and Amsterdam
> 
> Hi :
> 
> Looking for some recommendation on "Hands and Eyes" to aid in setting
> up gear in datacenters located in Amsterdam and London.
> 
> Exceptional quality of workmanship a must.
> 
> Thanks
> Mike
> 
> 
> 
> 



Re: Recommendation for customer monitoring network tool/portal for a large ISP

2011-10-27 Thread Leigh Porter
I looked at Statseeker a while back and it was very good. 

-- 
Leigh


On 27 Oct 2011, at 09:47, "Alex Nderitu"  wrote:

> Hello,
> What solutions do you guys in the fixed network business/ISPs use to provide 
> customer portals for network KPI reporting to customers in a fixed network on 
> real time basis. The KPI in question are network availability, utilization, 
> memory/cpu of managed routers/firewall, jitter, packet loss etc in a multi 
> vendor environment.
> 
> 
> What would you recommend especially in the licensed/supported options and not 
> the free ones like Zabbix, Cacti, MRTG etc. This solution should scale well 
> for hundreds of thousand of clients.
> 
> We have been using Orion NPM and it pretty much does the job but would wish 
> to move to something more scalable for SP environment.
> 
> Regards,
> Alex.
> 
> 
> 
> 



Re: Outgoing SMTP Servers

2011-10-26 Thread Leigh Porter



On 26 Oct 2011, at 23:13, "Mark Andrews"  wrote:

> 
> In message , "Ricky Beam" writes:
>> On Tue, 25 Oct 2011 15:52:46 -0400, Alex Harrowell wrote:
>>> Why do they do that?
>> 
>> You'd have to ask them.  Or more accurately, you'd need to ask their  
>> system integrator -- I've never seen an "in house" network run like that.  
>> (and for the record, they were charging for that shitty network access.)
>> 
>> Bottom line: Blocking port 25 (smtp) is undesirable, but necessary for a  
>> modern consumer internet. (Translation: It f'ing works.) This is the ISP  
>> saying, "You aren't a mail *server*."  
> 
> MTA == Mail Transfer Agent.  You don't have to be a *server* to be
> a MTA.  Blocking SMTP also prevents your customers running encrypted
> mail sessions to prevent nosy ISP's and others looking at what they
> are sending.  With DNSSEC now being deployed and DANE being
> standardised, running a SMTP session with STARTTLS is being a
> reality.
> 


This is what I used to do.

Any outgoing port 25 was sunk into a pool of SMTP proxies that I wrote. These 
proxies would look for signs of authentication and if they found them, the 
session would be proxied to the original destination SMTP server from the same 
IP address of the originating host.

Anything else was proxied to the pool of Ironports which would rate limit and 
otherwise SPAM examine the mail.

That way people using authenticated servers would be allowed through on the 
assumption that in all likelihood they were OK. Others who do not auth or are 
SPAM bots would be scrubbed and rate limited quite severely.

Our own customers were encouraged to use our outbound SMTP hosts which would 
either authenticate them if external or just allow them if internal, but with 
the SPAM scrubbing and less severe rate limiting enabled.

Customers who need a higher volume of outbound mail can call us and 
authenticate to the SMTP servers and we can set them a bespoke profile for rate 
limiting and message size etc etc.

That worked rather well because people's email got out and SPAM was largely 
stopped.

The Ironports were darn good boxes if a little pricey.

--
Leigh Porter
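
The routing decision described in this message, as an added example (not the author's proxy code, which is not on the page): the proxy buffers the client's opening commands and picks the original destination once it sees AUTH, otherwise the filtering pool. What to do when a client sends STARTTLS first, after which AUTH is no longer visible, is not stated in the message, so it is a parameter here; the cap on pre-AUTH commands, the names and the sample sessions are assumptions too.

```python
from collections import Counter
from enum import Enum


class Route(Enum):
    PASS_THROUGH = "original destination, source address preserved"
    SCRUB = "filtering and rate-limiting pool"


# Commands that may legitimately precede AUTH; anything else ends the wait.
PRE_AUTH_VERBS = {"EHLO", "HELO", "NOOP", "RSET"}
MAX_PRE_AUTH_COMMANDS = 8  # assumption: how long the proxy waits for AUTH


def verb_of(raw: bytes) -> str:
    """Upper-cased SMTP verb of one client line (verbs are case-insensitive)."""
    parts = raw.decode("ascii", "replace").strip().split(None, 1)
    return parts[0].upper() if parts else ""


def decide(client_lines, starttls_route=Route.SCRUB):
    """Return (route, buffered) for one intercepted port-25 session.

    buffered holds the client lines consumed while deciding; the proxy must
    replay them to whichever upstream it connects to afterwards.
    """
    buffered = []
    for raw in client_lines:
        buffered.append(raw)
        verb = verb_of(raw)
        if verb == "AUTH":
            return Route.PASS_THROUGH, buffered
        if verb == "STARTTLS":
            # Everything after this is encrypted, so AUTH can no longer be
            # observed; the route is a policy choice, not an observation.
            return starttls_route, buffered
        if verb not in PRE_AUTH_VERBS or len(buffered) >= MAX_PRE_AUTH_COMMANDS:
            # Envelope started without AUTH, or the client is stalling.
            return Route.SCRUB, buffered
    return Route.SCRUB, buffered  # session ended without authenticating


def route_sessions(sessions, starttls_route=Route.SCRUB):
    """Map each source address to its route and count the routes chosen."""
    routes = {src: decide(lines, starttls_route)[0]
              for src, lines in sessions.items()}
    return routes, Counter(routes.values())


# Constructed sample sessions (documentation addresses, not real traffic).
SAMPLE_SESSIONS = {
    "192.0.2.10": [b"EHLO laptop.example\r\n", b"AUTH LOGIN\r\n"],
    "192.0.2.11": [b"HELO pc\r\n", b"MAIL FROM:<a@example.net>\r\n"],
    "192.0.2.12": [b"EHLO mta.example\r\n", b"STARTTLS\r\n"],
    "192.0.2.13": [b"ehlo phone\r\n", b"noop\r\n", b"auth plain\r\n"],
    "192.0.2.14": [b"NOOP\r\n"] * 10,
}

if __name__ == "__main__":
    routes, totals = route_sessions(SAMPLE_SESSIONS)
    for src, route in routes.items():
        print(src, "->", route.name)
    print({r.name: n for r, n in totals.items()})
```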





Re: Outgoing SMTP Servers

2011-10-26 Thread Leigh Porter
On 25 Oct 2011, at 09:34, "Tim"  wrote:

> This sadly is very common. It is getting more common by the day it seems but
> this practice has started almost a decade ago.
> 
> An easy work around is to use a custom port as they seem to just block port
> 25 as a bad port but leave just about everything else open including 2525
> which seems to be a common secondary smtp port for hosting companies.

I use port 80 which has not failed me so far ;-)

--
Leigh





RE: [outages] News item: Blackberry services down worldwide

2011-10-14 Thread Leigh Porter


> -Original Message-
> From: Nikolay Shopik [mailto:sho...@inblock.ru]
> Sent: 14 October 2011 10:17
> To: nanog@nanog.org
> Subject: Re: [outages] News item: Blackberry services down worldwide
> 
> On 13/10/11 19:56, Jared Mauch wrote:
> > Rebuilding this trust can take some time.  I do expect that with the
> iMessage stuff that was released yesterday (SMS/MMSoIP to email/phone#)
> many more companies will shift to using that instead as the value of
> BBM is decreased.
> >
> > I also wonder what the impact of iMessage and others will be on
> places like hotel networks as the devices camp out longer/more often on
> the wifi, etc.  We observed the impact to a hotel of the NANOG crowd
> this week (i wonder if there will be lessons learned on the part of
> lodgenet, etc?)
> 
> If we talking about iMessage as replace of BBM, that's probably fine,
> but it's really niche market.
> I was really expecting them to release that stuff and allow desktop
> users to chat with idevice and making iMessage s2s(XMPP) compatible, so
> anyone could chat with idevice, even not supporting all fancy features,
> but at least dumb texting.


My iThings camp on WiFi all the time anyway as they are waiting for push 
updates, checking mail etc.

Of course, all these little things add up and add to the total network traffic 
(and port counts for NAT) so they all take a toll on networks.

I agree though, I would have liked to have seen iMessage cross platform. One of 
the great things about Skype is that I can talk from PeeCee to MAC to iThing to 
whatever..

--
Leigh







RE: [outages] News item: Blackberry services down worldwide

2011-10-12 Thread Leigh Porter


> -Original Message-
> From: D. Marshall Lemcoe Jr. [mailto:fo...@lemcoe.com]
> Sent: 12 October 2011 18:01
> Cc: nanog@nanog.org
> Subject: Re: [outages] News item: Blackberry services down worldwide
> 
> Haven't received an e-mail on my Blackberry since around 4AM, located
> in Atlanta.
> 

Email on my iPhone is working fine.. ;-)

--
Leigh





RE: [outages] News item: Blackberry services down worldwide, Egypt affected (not N.A.)

2011-10-12 Thread Leigh Porter


> -Original Message-
> From: -Hammer- [mailto:bhmc...@gmail.com]
> Sent: 12 October 2011 17:10
> To: nanog@nanog.org
> Subject: Re: [outages] News item: Blackberry services down worldwide,
> Egypt affected (not N.A.)
> 
> I have been witness to N+1 HUMAN failures but never a N+1 hardware
> failure or system/design failure that warranted questioning the need
> for
> N+2. Usually your N+1 failure is (as already referenced) pasting in a
> bad config that gets replicated or something like that. Not saying the
> hardware is perfect. It's just that I haven't personally seen a full
> blown failure like that without human help.

You have not seen VIP2-40s and CEF in action ;-)

--
Leigh Porter





Re: passive bandwidth estimation

2011-10-05 Thread Leigh Porter
I used a passive TCP RTT calculator and TCP re-trans monitor to guess the 
conditions to a host or group of hosts with some success. I then derived the 
network "weather" from this and it worked pretty well to dynamically tune DPI 
box policing for wireless networks.

It also makes cool graphs. Especially if you add other parameters and do it all 
in various colours.

-- 
Leigh


On 5 Oct 2011, at 07:41, "Murtaza"  wrote:

> Hi everyone,
> I want to do passive available bandwidth measurement. I was just wondering
> what tools/techniques people are generally using these days. And is it a
> good idea to use congestion window as parameter.
> Ghulam
> 



Re: events

2011-10-04 Thread Leigh Porter
8pussy.org ?

-- 
Leigh Porter


On 4 Oct 2011, at 10:59, "Ben Roeder"  wrote:

> Hi Mike,
> We have used octopussy ( http://www.8pussy.org/dokuwiki/doku.php?id=home  yes 
> it is work safe :-) ) with ok results.
> Have used sec ( simple event correlator http://simple-evcorr.sourceforge.net/ 
> ) to some success in simple cases.
> 
> Currently having another look at this myself and the following look 
> interesting, but have not deployed them yet
> http://logstash.net/
> http://graylog2.org/about
> 
> Ben
> On 30 Sep 2011, at 14:50, harbor235 wrote:
> 
>> What is everyone using to collect, alert, and analyze syslog data?
>> I am looking for something that can generate reports as well as support
>> multiple vendors. We have done some home grown stuff in the past but
>> would be interested in something  that incorporates all the best features.
>> 
>> Solarwinds, splunk, fwanalog, and others come to mind, any other good ones
>> out there?
>> 
>> 
>> Mike
> 
> 
> 
> 
> 



RE: Mails to Google being blocked for illegal attachments

2011-09-30 Thread Leigh Porter
Yeah.. +1 reasons not to use Google Apps..

--
Leigh Porter


> -Original Message-
> From: Meftah Tayeb [mailto:tayeb.mef...@gmail.com]
> Sent: 30 September 2011 13:19
> To: foks; nanog@nanog.org
> Subject: Re: Mails to Google being blocked for illegal attachments
> 
> Hey
> my guess is that maybe the Image has been built using a Non licensed
> version of Adobe Photoshop or some other software
> the US embassy refused it for me cause of that.
> 
> - Original Message -
> From: "foks" 
> To: 
> Sent: Friday, September 30, 2011 1:19 PM
> Subject: Mails to Google being blocked for illegal attachments
> 
> 
> Hello,
> 
> Since Sep 7 Google has bounced a specific type of our mails with this
> message:
> 
> host aspmx.l.google.com[74.125.43.27] said: 552-5.7.0 Our system
> detected an illegal attachment on your message. Please 552-5.7.0 visit
> http://mail.google.com/support/bin/answer.py?answer=6590 to 552 5.7.0
> review our attachment guidelines. z4si211085bkd.116 (in reply to end of
> DATA command)
> 
> The only attachment is a gif image so it seems that Google's check is
> wrong. Has anyone experienced this issue, or has any helpful contact
> information to Google? I have checked
> http://www.google.com/support/a/bin/static.py?page=contacting_support.html
> and called these numbers, but they were not able to help me.
> 
> Regards,
> Jörgen Nilsson
> 



Re: SDH Fiber Problem

2011-09-19 Thread Leigh Porter
Did you try turning it off and on again? ;-)

-- 
Leigh Porter


On 19 Sep 2011, at 10:21, "jacob miller"  wrote:

> I have tried to do a ping with the DF bit set.
> Maximum am able to get to is 1600.
> This am guessing is because of the fact I have set the mtu size on My 
> interface to 1600.
> 
> I have also enabled all alarms on the node and am getting the following alarm 
> which is registering as being Minor.
> 
> "High Order Path Signal Label Mismatch"
> 
> Regards,
> jacob Miller
> 
> 
> 
> - Original Message -
> From: Leigh Porter 
> To: jacob miller 
> Cc: "nanog@nanog.org" 
> Sent: Monday, September 19, 2011 11:17 AM
> Subject: Re: SDH Fiber Problem
> 
> It does sound like an MTU issue. Symptoms are typical. Did you try pings end 
> to end with DF bit set and full size datagrams?
> 
> 
> 
> -- 
> Leigh Porter
> 
> 
> On 19 Sep 2011, at 09:15, "jacob miller"  wrote:
> 
>> By meaningful traffic I mean traffic like Http traffic
>> 
>> Am able to ssh no problem.
>> 
>> Most of the clients on the link are using it for browsing.
>> However we find that even though they are able to resolve and ping different 
>> sites.
>> When it comes to opening of the page we have the page reading as opening 
>> opening .. but the page never gets opened.
>> 
>> Regards,
>> Jacob Miller
>> 
>> 
>> 
>> - Original Message -
>> From: Leigh Porter 
>> To: jacob miller 
>> Cc: "nanog@nanog.org" 
>> Sent: Monday, September 19, 2011 11:10 AM
>> Subject: Re: SDH Fiber Problem
>> 
>> What exactly do you mean by meaningful traffic? ICMP from port to port 
>> works, can you pass TCP? SSH between routers? Establish a TCP session over 
>> it?
>> 
>> Are you using Juniper SRXs ? :-)
>> 
>> -- 
>> Leigh Porter
>> 
>> 
>> On 19 Sep 2011, at 08:24, "jacob miller"  wrote:
>> 
>>> I have tried the pings and am able to ping through with a size of 1600 with 
>>> the df-bit set
>>> 
>>> without the df-bit am able to get up to 9000.
>>> 
>>> The switches on both ends have been set to allow jumbo frames through and the 
>>> system MTU size and routing MTU sizes are at 1998.
>>> The switch is a 2960 Cisco switch.
>>> 
>>> I have set the mtu on the interface on the end router to 1600 and still 
>>> unable to push meaningful traffic.
>>> 
>>> Regards,
>>> jacob Miller
>>> 
>>> 
>>> 
>>> - Original Message -
>>> From: Randy Bush 
>>> To: jacob miller 
>>> Cc: "nanog@nanog.org" 
>>> Sent: Monday, September 19, 2011 9:55 AM
>>> Subject: Re: SDH Fiber Problem
>>> 
>>>> I can ping on point to point
>>>> I have BGP up and running
>>>> When I try to pass traffic over the link my clients are unable to pass
>>>> any meaningful traffic and browsing is impossible.
>>> 
>>> mtu?  try various size pings.
>>> 
>>> filters?
>>> 
>>> randy
>>> 
>>> 
>>> 



Re: SDH Fiber Problem

2011-09-19 Thread Leigh Porter
It does sound like an MTU issue. Symptoms are typical. Did you try pings end to 
end with DF bit set and full size datagrams?



-- 
Leigh Porter


On 19 Sep 2011, at 09:15, "jacob miller"  wrote:

> By meaningful traffic I mean traffic like Http traffic
> 
> Am able to ssh no problem.
> 
> Most of the clients on the link are using it for browsing.
> However we find that even though they are able to resolve and ping different 
> sites.
> When it comes to opening of the page we have the page reading as opening 
> opening .. but the page never gets opened.
> 
> Regards,
> Jacob Miller
> 
> 
> 
> - Original Message -
> From: Leigh Porter 
> To: jacob miller 
> Cc: "nanog@nanog.org" 
> Sent: Monday, September 19, 2011 11:10 AM
> Subject: Re: SDH Fiber Problem
> 
> What exactly do you mean by meaningful traffic? ICMP from port to port works, 
> can you pass TCP? SSH between routers? Establish a TCP session over it?
> 
> Are you using Juniper SRXs ? :-)
> 
> -- 
> Leigh Porter
> 
> 
> On 19 Sep 2011, at 08:24, "jacob miller"  wrote:
> 
>> I have tried the pings and am able to ping through with a size of 1600 with 
>> the df-bit set
>> 
>> without the df-bit am able to get up to 9000.
>> 
>> The switches on both ends have been set to allow jumbo frames through and the 
>> system MTU size and routing MTU sizes are at 1998.
>> The switch is a 2960 Cisco switch.
>> 
>> I have set the mtu on the interface on the end router to 1600 and still 
>> unable to push meaningful traffic.
>> 
>> Regards,
>> jacob Miller
>> 
>> 
>> 
>> - Original Message -
>> From: Randy Bush 
>> To: jacob miller 
>> Cc: "nanog@nanog.org" 
>> Sent: Monday, September 19, 2011 9:55 AM
>> Subject: Re: SDH Fiber Problem
>> 
>>> I can ping on point to point
>>> I have BGP up and running
>>> When I try to pass traffic over the link my clients are unable to pass
>>> any meaningful traffic and browsing is impossible.
>> 
>> mtu?  try various size pings.
>> 
>> filters?
>> 
>> randy
>> 
>> 
>> 



Re: SDH Fiber Problem

2011-09-19 Thread Leigh Porter
What exactly do you mean by meaningful traffic? ICMP from port to port works, 
can you pass TCP? SSH between routers? Establish a TCP session over it?

Are you using Juniper SRXs ? :-)

-- 
Leigh Porter


On 19 Sep 2011, at 08:24, "jacob miller"  wrote:

> I have tried the pings and am able to ping through with a size of 1600 with 
> the df-bit set
> 
> without the df-bit am able to get up to 9000.
> 
> The switches on both ends have been set to allow jumbo frames through and the 
> system MTU size and routing MTU sizes are at 1998.
> The switch is a 2960 Cisco switch.
> 
> I have set the mtu on the interface on the end router to 1600 and still 
> unable to push meaningful traffic.
> 
> Regards,
> jacob Miller
> 
> 
> 
> - Original Message -
> From: Randy Bush 
> To: jacob miller 
> Cc: "nanog@nanog.org" 
> Sent: Monday, September 19, 2011 9:55 AM
> Subject: Re: SDH Fiber Problem
> 
>> I can ping on point to point
>> I have BGP up and running
>> When I try to pass traffic over the link my clients are unable to pass
>> any meaningful traffic and browsing is impossible.
> 
> mtu?  try various size pings.
> 
> filters?
> 
> randy
> 
> 
> 



RE: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-18 Thread Leigh Porter


> -Original Message-
> From: Frank Bulk [mailto:frnk...@iname.com]
> Sent: 18 September 2011 23:14
> To: 'Charles N Wyble'; nanog@nanog.org
> Subject: RE: wet-behind-the-ears whippersnapper seeking advice on
> building a nationwide network
> 
> Where I live in rural America, I would not be surprised that someone
> who wanted to start an ISP might only be able to cost-justify one
> upstream.  When one Internet T-1 is $1,200/month, getting a second T-1
> for that price from another provider just to get an AS or PI is
> definitely cost-prohibitive and may go against their business plan.
> 
> Our own company has just one upstream provider (from geographically
> diverse POPs), our state's telecom coop, and to multi-home solely to
> meet ARIN's policy doesn't make sense.  Fortunately we were using
> enough address space to meet the /20 requirement.
> 
> Charles, if you wrote a policy that allowed smaller ISPs to obtain a PI
> without the multihoming requirement if they demonstrated that
> multihoming was burdensome, I would support it at arin-ppml.
> 
> Frank

I'll happily 'multihome' anybody over a GRE tunnel if it helps ;-)

--
Leigh





RE: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-16 Thread Leigh Porter


> -Original Message-
> From: Randy Bush [mailto:ra...@psg.com]
> Sent: 16 September 2011 21:38
> To: Randy Carpenter
> Cc: North American Network Operators' Group
> Subject: Re: wet-behind-the-ears whippersnapper seeking advice on
> building a nationwide network
> 
> > As an ISP, ARIN will not give you any space if you are new. You have
> > to already have an equivalent amount of space from another provider.
> 
> does arin *really* still have that amazing barrier to market entry?
> 
> arin claims to be a shining example of industry self-governance.  to
> me,
> this barrier to entry looks far more like industry self-protection from
> new entrants.
> 
> and before anyone starts bleeding about the routing table, to me that
> sounds like you fear new entrants forcing you to make a small upgrade
> to
> your protected business as usual.


People have been bleating about routing table sizes for years and everything 
has been fine. You could argue that the bleating has helped keep the size down 
of course, perhaps it has.

--
Leigh








RE: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-16 Thread Leigh Porter


> -Original Message-
> From: Charles N Wyble [mailto:char...@knownelement.com]
> Sent: 16 September 2011 20:47
> To: nanog@nanog.org
> Subject: wet-behind-the-ears whippersnapper seeking advice on building
> a nationwide network
> 
> 
> 
> Wow this turned into a very long post
> 
> On 09/16/2011 01:10 PM, hass...@hushmail.com wrote:
> > No one replied with any useful information. I guess no one wants
> > competition on this list? Pretty poor tactic.
> >
> > On Sat, 10 Sep 2011 21:55:01 -0400 hass...@hushmail.com wrote:
> >
> 
> 
> 2) Obtain ipv6 space from ARIN (inquired about getting space and ran
> into some issues. need to speak with my co founder and get details.
> evidently getting brand new v6 space for a brand new network is fairly
> difficult. for now may just announce a /48 from he.net. ) Yes I did
> come
> up with a sub netting plan for the entire United States out of a single
> /48. It's quite ingenious really. More details on request if anyone
> wants them.
> 


I wonder what would happen if a new ARIN member requested an IPv4 block of say 
a /16 for a new business? Or even a smaller block. I don't know what the 
current ARIN rules are but RIPE will currently give out six months worth of 
space. Now, in six months, I don't expect there to be any left anyway, so that 
will likely be all the v4 you ever get.

Very soon it'll be nigh on impossible for new entrants to the ISP business to 
get their own v4 space.

--
Leigh







RE: Disappointing ARIN - A great advertisement for the USA ?

2011-09-16 Thread Leigh Porter


> -Original Message-
> From: Randy Bush [mailto:ra...@psg.com]
> Sent: 16 September 2011 16:05
> To: John Curran
> Cc: NANOG list
> Subject: Re: Disappointing ARIN - A great advertisement for the USA ?
> 
> > If you have a particular suggestion for changing whois, please
> > feel free to submit it.
> 
> simple.  don't.
> 
> if you want to do something new, don't call it whois.
> 
> randy
> 


Or call it whois and offer the service somewhere else.. Just not in a way that 
breaks everything.

--
Leigh







Re: ouch..

2011-09-15 Thread Leigh Porter

That will either be because you exceeded your port count or the RTSP ALG is 
broken.

-- 
Leigh Porter


On 15 Sep 2011, at 07:48, "valdis.kletni...@vt.edu"  
wrote:

> On Thu, 15 Sep 2011 06:36:42 -, Leigh Porter said:
>> I'm looking forward to the awful experience of NAT444 promoting IPv6.
> 
> In NAT444, no one can hear you scream



