Re: AAAA on various websites, but they all forgot to enable them on their nameservers....

2011-06-15 Thread Seth Mattinen
On 6/15/2011 12:14, Jeroen van Aart wrote:
> Octavio Alvarez wrote:
>> In fact. Although a website of mine worked flawlessly in a dual-stack
>> but it did NOT in an IPv6-only environment. Unfortunately, the problem
>> has to be fixed in the DNS provider, which thought supporting AAAA
>> records was enough to "support IPv6".
> 
> Why not run your own nameserver if it is your website assuming you own
> the domain?
> 
> Out of curiosity, what are the options you need to use to properly
> enable bind for IPv6? To me it appears there isn't that much to it, it
> almost works out of the box with 1 or 2 things turned on. Then you just
> add the appropriate zone files or records. Am I missing something
> blatantly obvious that will break it?
> 


listen-on-v6 { any; };

Simple as that. Indicate individual addresses, if preferred. Or switch
to a DNS provider that has made this monumental configuration effort.

~Seth



Re: Yup; the Internet is screwed up.

2011-06-13 Thread Seth Mattinen
On 6/12/11 2:22 AM, Don Gould wrote:
> 100mbit is not luxury, it's something my business needs all its
> customers to have to drive more uptake of my services.
> 
> My customers already have 10/1 today.  Now I need them to have 100/40 so
> they have a reason to buy other CPE that in turn drives my business.
> 

I have to ask, why not just give them symmetric speeds? I understand
there are technical reasons why on DSL and cable you end up with
asymmetric, but those don't apply to Ethernet delivery.

~Seth



Re: Cogent & HE

2011-06-08 Thread Seth Mattinen
On 6/8/2011 12:43, Dennis Burgess wrote:
> Just noted that cogent does not have an IPv6 route to any subnet in HE,
> and HE does not have any routes to Cogent!  
> 
> Looks like we have different Global IPv6 tables?  Or does Cogent just
> NOT peer IPv6 peer with anyone else!  
> 

Cogent and HE don't talk anymore, so yeah, you're living in a
partitioned world if you only have Cogent. It's been this way for a while.

~Seth



Re: IPv6 day fun is beginning!

2011-06-08 Thread Seth Mattinen
On 6/8/11 1:29 AM, Neil Long wrote:
> 
> On 8 Jun 2011, at 02:13, TJ wrote:
> 
>> On Tue, Jun 7, 2011 at 21:04, Iljitsch van Beijnum
>> wrote:
>>
>>> On 8 jun 2011, at 2:31, TJ wrote:
>>>
>>>> ... and Gmail, too ...
>>>
>>> imap.gmail.com only has IPv4, though.
>>>
>>
>> Good catch, applies to pop & smtp as well.  Baby steps, I guess?
>> /TJ
>>
> 
> Sadly, although I can connect over IPv6 to Gmail an email sent from
> within the browser to an IPv6-only address (AAAA but also an MX) still
> gives the "DNS Error: DNS server returned answer with no data" message.
> 
> Transport is one thing but getting applications working with an IPv6
> world will take longer (not that it is that hard :-) )
> 


I've been doing IPv6 with SMTP and POP3/IMAP for quite a while now
without any magic tricks. In fact, I've found SMTP to be a far better
test in the early days since it's non-interactive and invisible to the
customer if it took time to fall back to IPv4.

~Seth



Re: [v6z] Re: IPv6 day fun is beginning!

2011-06-07 Thread Seth Mattinen
On 6/7/2011 17:16, Scott Howard wrote:
> That's because you're asking the wrong nameservers.  The response you're
> getting is pointing you to the correct nameservers (glb1/glb2.facebook.com)
> which are definitely returning AAAA records for me:
> 
> $ dig +short AAAA www.facebook.com @glb1.facebook.com
> 2620:0:1c08:4000:face:b00c:0:3
> 


Now I'm seeing it. Quite the short TTL:

; <<>> DiG 9.6-ESV-R4 <<>> AAAA www.facebook.com @glb2.facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34595
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.facebook.com.  IN  AAAA

;; ANSWER SECTION:
www.facebook.com.   30  IN  AAAA  2620:0:1c00:0:face:b00c:0:1

;; Query time: 34 msec
;; SERVER: 69.171.255.10#53(69.171.255.10)
;; WHEN: Tue Jun  7 17:32:31 2011
;; MSG SIZE  rcvd: 62



Earlier I was getting no AAAA:

; <<>> DiG 9.6-ESV-R4 <<>> AAAA www.facebook.com @glb2.facebook.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32876
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;www.facebook.com.  IN  AAAA

;; AUTHORITY SECTION:
www.facebook.com.   500 IN  SOA glb01.sf2p.tfbnw.net.
hostmaster.facebook.com. 2008102433 10800 3600 604800 86400

;; Query time: 29 msec
;; SERVER: 69.171.255.10#53(69.171.255.10)
;; WHEN: Tue Jun  7 16:27:29 2011
;; MSG SIZE  rcvd: 101




Re: IPv6 day fun is beginning!

2011-06-07 Thread Seth Mattinen
On 6/7/2011 17:04, fredrik danerklint wrote:
> This is from Sweden.
> 
> $ dig any www.facebook.com @ns1.facebook.com
> 
> ; <<>> DiG 9.7.3 <<>> any www.facebook.com @ns1.facebook.com
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61742
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2
> ;; WARNING: recursion requested but not available
> 
> ;; QUESTION SECTION:
> ;www.facebook.com.  IN  ANY
> 
> ;; AUTHORITY SECTION:
> www.facebook.com.   86400   IN  NS  glb1.facebook.com.
> www.facebook.com.   86400   IN  NS  glb2.facebook.com.
> 
> ;; ADDITIONAL SECTION:
> glb1.facebook.com.  3600    IN  A   69.171.239.10
> glb2.facebook.com.  3600    IN  A   69.171.255.10
> 
> ;; Query time: 58 msec
> ;; SERVER: 204.74.66.132#53(204.74.66.132)
> ;; WHEN: Wed Jun  8 02:01:37 2011
> ;; MSG SIZE  rcvd: 104
> 
> 
> No AAAA records at the moment. Checked all their nameservers.
> 


Same results here, western US.

~Seth
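The three kinds of response seen in this thread (an answer, an authoritative "no data" reply, and a referral to other nameservers) can be told apart mechanically. This is an added example, not part of the original posts: `parse_dig` and `classify` are hypothetical helpers, and the sample outputs are trimmed from the dig output quoted above with the AAAA record type written out.

```python
import re

STATUS_RE = re.compile(r"status: (\w+)")
FLAGS_RE = re.compile(r"flags: ([a-z ]*); QUERY: \d+, ANSWER: (\d+), AUTHORITY: (\d+)")
SECTION_RE = re.compile(r"^;; (ANSWER|AUTHORITY|ADDITIONAL) SECTION:")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")


def parse_dig(text):
    """Parse the header, flags and resource records out of dig's text output."""
    result = {"status": None, "flags": set(), "answer_count": 0,
              "ANSWER": [], "AUTHORITY": [], "ADDITIONAL": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            section = None          # a blank line ends the current section
            continue
        if line.startswith(";"):    # comment, header or question line
            sec = SECTION_RE.match(line)
            if sec:
                section = sec.group(1)
            elif "->>HEADER<<-" in line:
                status = STATUS_RE.search(line)
                result["status"] = status.group(1) if status else None
            elif line.startswith(";; flags:"):
                flags = FLAGS_RE.search(line)
                if flags:
                    result["flags"] = set(flags.group(1).split())
                    result["answer_count"] = int(flags.group(2))
            continue
        rr = RR_RE.match(line)
        if section and rr:
            name, ttl, rtype, rdata = rr.groups()
            result[section].append(
                {"name": name, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return result


def classify(text):
    """Return 'answer', 'nodata', 'referral', 'empty' or a lower-cased error status."""
    r = parse_dig(text)
    if r["status"] != "NOERROR":
        return (r["status"] or "unparsed").lower()
    if r["answer_count"] > 0:
        return "answer"
    auth_types = {rr["type"] for rr in r["AUTHORITY"]}
    # Authoritative server, name exists, but no record of the queried type.
    if "aa" in r["flags"] and "SOA" in auth_types:
        return "nodata"
    # Not authoritative: the server is pointing at the delegated nameservers.
    if "aa" not in r["flags"] and "NS" in auth_types:
        return "referral"
    return "empty"


# Sample inputs, trimmed from the outputs quoted in the thread.
ANSWERED = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34595
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com.  IN  AAAA

;; ANSWER SECTION:
www.facebook.com.   30  IN  AAAA  2620:0:1c00:0:face:b00c:0:1
"""

NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32876
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.facebook.com.  IN  AAAA

;; AUTHORITY SECTION:
www.facebook.com.   500 IN  SOA glb01.sf2p.tfbnw.net. hostmaster.facebook.com. 2008102433 10800 3600 604800 86400
"""

REFERRAL = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 61742
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;www.facebook.com.  IN  ANY

;; AUTHORITY SECTION:
www.facebook.com.   86400   IN  NS  glb1.facebook.com.
www.facebook.com.   86400   IN  NS  glb2.facebook.com.

;; ADDITIONAL SECTION:
glb1.facebook.com.  3600    IN  A   69.171.239.10
glb2.facebook.com.  3600    IN  A   69.171.255.10
"""

if __name__ == "__main__":
    for label, sample in (("answered", ANSWERED), ("earlier", NODATA), ("ns1", REFERRAL)):
        print(label, "->", classify(sample))
```

A "referral" result means the query has to be repeated against the nameservers listed in the authority section before concluding that a record is missing.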



Re: Verisign Internet Defence Network

2011-05-31 Thread Seth Mattinen
On 5/31/11 10:26 PM, Hank Nussbacher wrote:
> 
> My biggest gripe was their SLA - or lack of one. Back in Dec 2009 I
> forced them to start writing an SLA which they had not thought of, which
> back then showed an immaturity of service.  Things might be different
> now.  Verisign then took the view that the SLA should be based on
> *their* mitigation platform availability ("our scrubbing center has 100%
> SLA") and not on the customer site availability (all great and wonderful
> that your scrubbing center is up and running - but my site is down). 
> They were willing to give service credits if their scrubbing center was
> down but not if the customer site was down.
> 
> I found they had a well established customer portal and ample reporting
> facilities.
> 
> Just make sure they have improved on their SLA before buying.
> 

Sounds like a catch-22 though; if it's not always on and only starts
scrubbing after an attack begins (pending activation approval from the
customer which may take time), then the customer site is quite possibly
already down when they start doing their thing to make it come back up.

~Seth



Re: blocking annoying 'bounce mail' "feature" from customers use.

2011-05-25 Thread Seth Mattinen
On 5/25/11 9:09 AM, Eric J Esslinger wrote:
> Mac Mail (and others) have a "feature" that allows my customers to generate a 
> fake NDR message and send it back through my server. I get about a customer 
> every few months that discovers this 'solution' to spam emails, and when it 
> happens they cause delivery problems for my customer mail server by 
> generating backscatter.
> 
> Today I just ended up on a list that won't take me off for quite a while (or 
> unless I pay).
> 
> Does anyone know of a way for me to block the following, using postfix, 
> either via refusing to accept the mail or by dropping it in /dev/null:
> Mail from <> or postmaster that originates within our customer IP blocks/is 
> sent using authentication at the submission port and/or that does not have a 
> valid local recipient.
> 
> I can't find any ready made recipes online for this sort of thing in a short 
> dig around for it, and while I think it's possible, I was wondering if anyone 
> else was already dealing with this and could say 'oh yeah just put line blah 
> in header_checks'. I would think it would be simple once you find it but you 
> know how it is.
> 
> (I've already dealt with the customer in question but I'm getting tired of 
> this popping up every month or three.)


You can check for a combination of two or more of these headers:

Auto-Submitted: auto-generated (failure)
X-Mailer: Apple Mail (x)
Content-Type: multipart/report;
boundary=x;
report-type=delivery-status

~Seth
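Postfix header_checks evaluate one header at a time, so matching "two or more" of the headers above needs a content filter or milter that sees the whole header block. The following is an added example, not code from the thread: the function names, the customer prefixes (documentation ranges) and the sample messages are all assumptions constructed for illustration.

```python
import ipaddress
from email.parser import Parser

# Assumed customer address space (documentation prefixes, not from the thread).
CUSTOMER_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "2001:db8::/32")]


def ndr_traits(raw_message):
    """Return which of the three header traits listed in the reply are present."""
    msg = Parser().parsestr(raw_message, headersonly=True)
    traits = set()
    if str(msg.get("Auto-Submitted", "")).strip().lower().startswith("auto-generated"):
        traits.add("auto-submitted")
    if str(msg.get("X-Mailer", "")).strip().lower().startswith("apple mail"):
        traits.add("x-mailer")
    # get_param() copes with the folded, multi-line Content-Type header.
    report_type = str(msg.get_param("report-type", "")).lower()
    if msg.get_content_type() == "multipart/report" and report_type == "delivery-status":
        traits.add("report-type")
    return traits


def from_customer(client_ip, sasl_user=None):
    """True for authenticated submission or a client inside a customer block."""
    if sasl_user:
        return True
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in CUSTOMER_NETS)


def sender_is_bounce_like(mail_from):
    """True for the null envelope sender <> or a postmaster@ address."""
    local = mail_from.strip("<>").split("@", 1)[0].lower()
    return local in ("", "postmaster")


def decide(raw_message, mail_from, client_ip, sasl_user=None, threshold=2):
    """Return (action, traits); REJECT only customer-originated fake NDRs."""
    traits = sorted(ndr_traits(raw_message))
    if (from_customer(client_ip, sasl_user)
            and sender_is_bounce_like(mail_from)
            and len(traits) >= threshold):
        return "REJECT", traits
    return "DUNNO", traits


# Constructed sample: a "bounce" generated by a customer's mail client.
FAKE_NDR = """\
From: postmaster@customer.example
To: someone@remote.example
Subject: Undeliverable mail
Auto-Submitted: auto-generated (failure)
X-Mailer: Apple Mail (x)
Content-Type: multipart/report;
 boundary=x;
 report-type=delivery-status

"""

# Constructed sample: a delivery report arriving from an outside MTA.
# It also shows two traits, which is why the origin test matters.
REMOTE_DSN = """\
From: MAILER-DAEMON@remote.example
To: user@customer.example
Subject: Delivery Status Notification
Auto-Submitted: auto-generated (failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

"""

# Constructed sample: ordinary customer mail sent with the same client.
NORMAL = """\
From: alice@customer.example
To: bob@remote.example
Subject: lunch?
X-Mailer: Apple Mail (x)
Content-Type: text/plain; charset=us-ascii

"""

if __name__ == "__main__":
    print(decide(FAKE_NDR, "<>", "192.0.2.44"))
    print(decide(REMOTE_DSN, "<>", "198.51.100.25"))
    print(decide(NORMAL, "alice@customer.example", "192.0.2.10"))
```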



Re: Yahoo and IPv6

2011-05-09 Thread Seth Mattinen
On 5/9/2011 08:16, Arie Vayner wrote:
> Actually, I have just noticed a slightly more disturbing thing on the Yahoo
> IPv6 help page...
> 
> I have IPv6 connectivity through a HE tunnel, and I can reach IPv6 services
> (the only issue is that my ISP's DNS is not IPv6 enabled), but I tried to
> run the "Start IPv6 Test" tool at http://help.yahoo.com/l/us/yahoo/ipv6/ and
> it says:
> "We detected an issue with your IPv6 configuration. On World IPv6 Day, you
> will have issues reaching Yahoo!, as well as your other favorite web sites.
> We recommend disabling
> IPv6,
> or seeking assistance in order to fix your system's IPv6 configuration
> through your ISP or computer manufacturer."
> 


It says the same thing for me; however it is most certainly wrong. All
my IPv6 connectivity is native - no tunnels.

~Seth



Re: IPv6 Prefix announcing

2011-04-26 Thread Seth Mattinen
On 4/26/2011 09:39, Kate Gerry wrote:
> Funny enough, some carriers actually require the 'smallest' as being /32... :(
> 

This is becoming the exception now, not the rule.

Last year I was fighting with Verizon about their refusal to carry /48s.
That, together with the impasse of figuring out how to put dual stack
IPv6 on an Ethernet port (it was delivered as IPv4 only multiple times),
I never accepted it and went with a competitor who got it right the
first time. However, I've had several sources tell me Verizon has since
backpedaled and now accepts /48s.

~Seth



Re: Implementations/suggestions for Multihoming IPv6 for DSL sites

2011-04-08 Thread Seth Mattinen
On 4/8/11 8:31 AM, Job Snijders wrote:
> 
>> As Seth pointed out SHIM6 is still an academic exercise
> 
> Another Locator / ID separator protocol is LISP. The advantage is that you 
> don't need to 
> change the host but only the CPE. I've been using it to multi-home my house 
> and it works
> fine. I'm multihoming my IPv6 /48 over a v6-only DSL and a v4-only FTTH 
> connection. 
> 
> More information about LISP can be found here: http://www.lisp4.net/
> 

Ah, I completely forgot about LISP, which reminds me, I'd wanted to set
it up for fun and learning.

~Seth



Re: Implementations/suggestions for Multihoming IPv6 for DSL sites

2011-04-07 Thread Seth Mattinen
On 4/7/2011 02:27, Daniel STICKNEY wrote:
> Hello all,
> 
> I'm investigating how to setup multihoming for IPv6 over two DSL lines
> (different ISPs), and I wanted to see if this wheel has already been
> invented. Has anyone already set this up or tested it ?
> 
> In my research into the proposed solutions I came across this document
> "IEEE Communications Surveys - 2nd Quarter 2006, Volume 8, No. 2"
> (http://www.shim6.org/path-to-mh.pdf) which seems quite thorough. It
> compares routing methods, middle-box methods, and host-centric methods.
> It mentions "During the last years, the IETF has made several explicit
> or implicit architectural decisions regarding IPv6 multihoming. The main
> decision is to go down the path of developing the host-centric
> approaches" as well as "Host-centric multihoming, the approach promoted
> by the IETF for IPv6 multihoming, [...]". After the comparison of all
> host-centric methods it adds " [...], the IETF has decided by the end of
> 2004 to foster the SHIM approach."
> 
> This approach looks interesting to me after all the comparisons, though
> I'm less familiar with it. I'm interested to hear your real-world
> experiences on this topic.
> 


It doesn't exist in practice; real world is BGP multihoming. Everything
else is still just an academic exercise.

~Seth



Re: voip vs tdm fallout

2011-03-11 Thread Seth Mattinen
On 3/11/2011 10:29, Michael Thomas wrote:
> 
> Is it too soon to start to compare and contrast how voip
> held up vs. tdm? Back in the old days circa mid to late
> 90's, there was a lot of hand wringing about whether
> voip would be up to the task of dealing with a massive
> emergency. Well, we certainly have one now in Japan
> on almost every front imaginable.
> 
> Is voice such a small fraction of data that the larger
> issues of cuts, electricity, etc make it moot, or has
> there been some appreciable differences between the
> two's ability to stay in usable service?
> 

My question would be what communications methods are working *right now*
in the initial stages? (I heard cellular was down.) Past that, what's
seeing service restoration first?

~Seth



Re: What vexes VoIP users?

2011-02-28 Thread Seth Mattinen
On 2/28/2011 15:35, Joe Greco wrote:
> 
> There may be no compelling reason to do so, at least.  However, digital
> gear offers benefits, and some people want them.  Others, like me, live
> in bad RF environments where POTS picks up too much noise unless you 
> very carefully select your gear and shield your cables.  Further, the
> digital phones support other features, such as the ability to manage 
> multiple calls seamlessly, present Caller-ID reliably (even while you
> are on another call), etc.
> 


ISDN would have fit the bill nicely as a digital home phone line.
However, it never became popular in the US. I once read on Wikipedia
that it was popular in Germany.

~Seth



Re: BGP Failover Question

2011-02-21 Thread Seth Mattinen
On 2/21/2011 13:44, Max Pierson wrote:
>> Save yourself the headache and find a new provider that knows how to
>> handle BGP
> 
> I've had this happen with providers that do know how to handle BGP. Just
> because you peer with 3356, 701, etc, doesn't mean operators can't make
> a mistake. I've even seen this happen due to some weird BGP behavior
> caused by some cool new "features". 
> 
> IMHO, better to plan for it and deploy it as a policy (by whatever means).
> 


On a predictable schedule? That's where I drew the line: they were
"fixing" something that was not "normal" to them every two months that
resulted in the problem the OP described. Yes, mistakes happen, but
identical repeating mistakes don't count in my book. I would expect my
providers to document changes and whoever is making changes to consult
it when they see a deviation from common config.

~Seth



Re: BGP Failover Question

2011-02-21 Thread Seth Mattinen
On 2/21/2011 13:10, Chris Wallace wrote:
> I am looking for some help with an issue we recently had with one of our BGP 
> peers recently.  I currently have two DIA providers each terminated into 
> their own edge router and I am doing iBGP to exchange routes between the two 
> edge routers.  Last week Provider A made a policy change "somewhere" in their 
> network in the middle of the day causing traffic to stop routing.  Of course 
> this connection happens to be the preferred route for the majority of our 
> inbound and outbound traffic.  I never saw our physical link go down and 
> never saw our peer drop therefore BGP did not stop advertising routes, this 
> caused most of our customers traffic to go nowhere.  In order to fix the 
> issue I had to manually shutdown the peer till Provider A confirmed the 
> change they made had been reverted.  This isn't the first time we have seen 
> this issue with our various providers, how can I prevent issues like this 
> from happening in the future?
> 


I had a provider like that a long time ago; it was an ATG T1 (which was
fine) but when they were bought by Eschelon the exact problem you're
describing would happen every other month like clockwork. The first time
was forgivable. The second time I was annoyed. After the third I was
angry, unplugged it, and told them to stuff it because apparently they
didn't know how to deal with BGP.

You can't prevent it from happening. You can only come up with band-aids
to notify you. Save yourself the headache and find a new provider that
knows how to handle BGP. What happens if the other circuit is not
available (outage, planned maintenance, etc.) at the same time the
problem one decides to black hole you? If you're facing the same
repeating problem they are obviously not the best fit for you.

~Seth



Re: SmartNet Alternatives

2011-02-12 Thread Seth Mattinen
On 2/12/2011 13:33, Ryan Finnesey wrote:
> This is one of the reasons we are starting to look at Juniper for a new 
> network build.  It is my understanding we set software updates for life for 
> free.
> Cheers
> Ryan
> 


How does Juniper feel about used hardware?

~Seth



Re: SmartNet Alternatives

2011-02-11 Thread Seth Mattinen
On 2/11/2011 13:49, Andrey Khomyakov wrote:
> If only Cisco would sell "software only" support. 3rd party smartNet
> alternatives are nice for parts replacement. They suck for support, imho,
> especially, when it comes down to declaring a problem to be a bug.
> On quite a few occasions I found bugs in IOS and TAC submitted those as bugs
> and fixed them reasonably fast.
> 


I thought there already was a software-only smartnet option?

~Seth



Re: Looking for an IPv6 naysayer...

2011-02-09 Thread Seth Mattinen
On 2/9/2011 14:55, Scott Helms wrote:
> Absolutely, just as the ISPs didn't see demand, and don't today, from
> their users and thus the circle of blame is complete :)
> 


And they never will. Their users demand "the internets", not a specific
version of some protocol that users don't care about.

~Seth



Re: It's the end of IPv4 as we know it... and I feel fine..

2011-02-07 Thread Seth Mattinen
On 2/3/2011 08:38, Josh Smith wrote:
> Seth,
> What sort of ISP do your "not technically inclined" parents have that
> offers native ipv6? :-)
> 


I'm doing it via fixed wireless. They'll actually be my second access
customer to get native IPv6. My parents are a good test case for the
kind of user who doesn't care about the difference between IPv4 or IPv6
or the debates whether to /64 or not, only that the internet works.

~Seth



Re: Top webhosters offering v6 too?

2011-02-06 Thread Seth Mattinen
On 2/6/11 8:21 PM, Carlos Martinez-Cagnazzo wrote:
> BlueHost, which while maybe not a great quality web host, by all
> measures is a big one, not only does not support IPv6 but they denied
> my request to create a AAAA record pointing to a friend's IPv6 page
> for a domain I host there.
> 
> BH, are you listening???
> 


There are plenty of providers that support IPv6 and would be happy to
have a new customer that's interested in IPv6. If your current host does
not support it and you want it, just drop them already and move on to
one that does.

~Seth



Re: My upstream ISP does not support IPv6

2011-02-04 Thread Seth Mattinen
On 2/4/2011 07:05, Scott Helms wrote:
> 
> TLDR version, marketing often fails to reflect reality :)
> 


My experience with trying to get a circuit turned up with Verizon boiled
down to two things:

1) Failure to meet the standards of my existing IPv6 connections in
carrying PI /48 (apparently now changed).
2) Failure to home the circuit on a router that supported IPv6. Month
after month they would keep placing it to an IPv4-only router and I
would refuse to accept it until it was moved to an IPv6 capable router.
It never happened.

They said they could do it, but couldn't figure out how.

~Seth



Re: My upstream ISP does not support IPv6

2011-02-04 Thread Seth Mattinen
On 2/4/2011 06:13, Jack Bates wrote:
> 
> I waited years and finally turned up a transit to L3 for additional
> bandwidth (had to wait for GE support from the other 2, of which 1 still
> can't give me a GE) and luckily native v6. Within 30 days I should have
> a cogent 10G, and I hear I'll get v6 there as well.
> 

Does anyone know how partitioned Cogent is these days?

~Seth



Re: It's the end of IPv4 as we know it... and I feel fine..

2011-02-03 Thread Seth Mattinen
On 2/3/11 7:36 AM, Jared Mauch wrote:
> (apologies to REM)
> 
> On Feb 3, 2011, at 10:11 AM, Jon Lewis wrote:
> 
>> The real fun's going to be over the next several years as the RIR's become 
>> irrelevant in the acquisition of scarce IPv4 resources...and things become 
>> less stable as lots of orgs rush to implement a strange new IP version.
> 
> There's clearly two things that need to be done:
> 
> 1) Major infrastructure (ie: backhaul, corporate, ISP gateway) need to be 
> upgraded/configured to support IPv6
> 2) Edge networks need to start to hand out IPv6 addresses and name servers.  
> I think it would be great if providers started handing out IPv6 addressed 
> name servers when an IPv4 client does a dhcp renew, etc.
> 


Well, I'm doing my part by turning up native IPv6 at my parent's house
this week or next. They are not technically inclined and I'm confident
it won't be a problem. ;)

~Seth



Re: quietly....

2011-02-02 Thread Seth Mattinen
On 2/2/11 7:23 AM, Iljitsch van Beijnum wrote:
> On 2 feb 2011, at 16:00, Owen DeLong wrote:
> 
>> SLAAC fails because you can't get information about DNS, NTP, or anything 
>> other than a list of prefixes and a router that MIGHT actually be able to 
>> default-route your packets.
> 
> Who ever puts NTP addresses in DHCP? That doesn't make any sense. I'd rather 
> use a known NTP server that keeps correct time.
> 

Me, because I have better things to do than to manually enter NTP
servers (and other various boot settings) into all of my IP phones by
hand. Configure DHCP, plug them in, and it just works.

~Seth



Re: IPv6: numbering of point-to-point-links

2011-01-31 Thread Seth Mattinen
On 1/31/11 9:13 AM, Blake Hudson wrote:
> 
> I setup a p2p /127 link and found that BGP would not peer over the link;
> Changing to /126 resolved the problem. I never looked into it further
> because I had intended to use /126 from the start. My guess is that
> while BGP should be a unicast IP, Cisco's implementation uses an anycast
> in some cases, disregarding the configured unicast address.
> 
> Just one practical example...
> 


Sprint runs a /127 for my dual stack circuit with BGP; I know their side
is Cisco as is mine.

~Seth



Re: IPv6 filtering

2011-01-25 Thread Seth Mattinen
On 1/25/11 9:13 PM, Roland Dobbins wrote:
> 
> On Jan 26, 2011, at 12:03 PM, Franck Martin wrote:
> 
>> Ok filtering ipv6 and ipv6-icmp is understood, it is like ipv4. 
> 
> Be advised, ICMPv6 is *not* like ICMP in IPv4, and knowing what can be 
> filtered, what to filter, and where to filter it is considerably more complex 
> than in IPv4 - which, given the prevalence of broken PMTU-D alone, is 
> apparently not well-understood in many quarters, heh.
> 


Also, try to resist popular opinion in outright blocking of ICMP - it's
not really that evil.

~Seth



Re: Another v6 question

2011-01-25 Thread Seth Mattinen
On 1/25/2011 10:19, Max Pierson wrote:

> 
> From the provider perspective, what is the prefix-length that most are
> accepting to be injected into your tables??  2 or so years ago, I read where
> someone stated that they were told by ATT that they weren't planning on
> accepting anything smaller than a /32. So what if I get my shiny new /48
> from ARIN and am already multi-homed??? Does ATT not want my business (which
> they wouldn't get in the first place, but for argument sake, yes, I chose to
> pick on ATT, sorry if I offended anyone :)  I already see /40's /48's ,etc
> in the v6 table, so some folks are allowing /48 and smaller, so what is the
> new /24 in v6?
> 
> I only ask due to the fact that ARIN's policy for end-users is /48 minimum
> (which is what i've been telling folks to apply for or applying for it on
> behalf of them).
> 

Almost everyone of consequence accepts a /48. Verizon last year was very
firm at /32, but I've heard they recently changed their mind. Verizon
gave up on trying to get IPv6 to me before this and closed the account
after a calendar year's worth of attempts. I replaced them with Global
Crossing who got it right on the first try.

These days a provider that only accepts a /32 or shorter is the
exception, not the rule.

~Seth



Re: DSL options in NYC for OOB access

2011-01-24 Thread Seth Mattinen
On 1/24/2011 15:22, Nathan Eisenberg wrote:
>> You can get a CLEAR WiMAX fixed modem with static IP address for $50
>> (USD) monthly, or less if you opt for the low-bandwidth plan.
> 
> I wouldn't dare rely on something of that nature for a lifeline connection.  
> I'd spring for the extra $30/mo.  It's expensive, but there ain't nothin' 
> like a physical cable when it's 3AM on a Sunday.
> 

For me it depends; if the OOB is related to some other physical cable
that the OOB is for, wireless might have a better chance of still
working if there's a cable cut.

~Seth



Re: co-location and access to your server

2011-01-12 Thread Seth Mattinen
On 1/12/2011 12:24, Jeroen van Aart wrote:
> Cruzio in Santa Cruz recently opened a little co-location facility. That
> makes two of such facilities in Santa Cruz (the other being got.net),
> which could be a good thing for competition.
> 
> Their 1U offer comes with limited access to your server, only from 10AM
> to 6 PM. I find that not acceptable. Why wait until 10 AM when a disk
> breaks at 8 PM? But maybe I am being too picky.
> 
> What is considered normal with regards to access to your co-located
> server(s)? Especially when you're just co-locating one or a few servers.
> 


I treat all my colo customers as 24 hour (escorted) access.

~Seth



Re: Is NAT can provide some kind of protection?

2011-01-12 Thread Seth Mattinen
On 3/21/07 2:41 AM, Tarig Ahmed wrote:
> 
> Is it true that NAT can provide more security?
> 

No.

However, some things like PCI compliance require NAT, likely because of
the "NAT = super hacker firewall" concept.

~Seth



Re: Is Cisco equipment de facto for you?

2011-01-11 Thread Seth Mattinen
On 1/11/11 6:49 AM, Jack Bates wrote:
> 
> To be honest, I use smartnet to upgrade the OS. I quit calling TAC after
> they failed to understand, much less help me with my eigrp over frame
> relay with automatic ISDN backup on route failure and re-establishment
> of eigrp over the ISDN. :)
> 

The cisco-nsp mailing list is often much more helpful than TAC.

~Seth



Re: Is Cisco equipment de facto for you?

2011-01-10 Thread Seth Mattinen
On 1/10/2011 14:54, Brandon Kim wrote:
> 
> To be fair to Cisco and maybe I'm way off here. But it seems they do come out 
> with a way to do things first which then become a standard that
> they have to follow.
> 
> ISL/DOT1Q
> HSRP/VRRP
> etherchannel/LACP
> 
> Just some examples. I'm not aware of too many other vendors that create 
> their own protocol, in which they then become a standard?
> 
> 


All I found (quickly without trying too hard) is that the IEEE version
is based on Cisco's MISTP rather than PVST.

~Seth



Re: Is Cisco equipment de facto for you?

2011-01-10 Thread Seth Mattinen
On 1/10/2011 14:32, Jeff Kell wrote:
> On 1/10/2011 3:20 PM, Greg Whynott wrote:
>> HP probably was the most helpful vendor i've dealt with in relation to 
>> solving/providing inter vendor interoperability solutions.   they have PDF 
>> booklets on many  things we would run into during work.  for example,  
>> setting up STP between Cisco and HP gear,  ( 
>> http://cdn.procurve.com/training/Manuals/ProCurve-and-Cisco-STP-Interoperability.pdf
>>  ).
> 
> Well, technically, the HP reference tells you how to convert your Cisco
> default PVST over to MST to match the HP preference.
> 
> The handful of HP switches versus the stacks and stacks of production
> Cisco requiring conversion to suit them was "intimidating" to say the
> least :-)
> 


To be fair, one is Cisco proprietary while the other is IEEE 802.1Q.

~Seth



Re: NIST IPv6 document

2011-01-05 Thread Seth Mattinen
On 1/5/2011 10:02, TJ wrote:
> 
> Many would argue that the version of IP is irrelevant, if you are permitting
> external hosts the ability to scan your internal network in an unrestricted
> fashion (no stateful filtering or rate limiting) you have already lost, you
> just might not know it yet.
> 

Stateful filtering introduces its own set of scaling issues.

~Seth



Re: sudden low spam levels?

2011-01-04 Thread Seth Mattinen
On 1/4/11 7:10 AM, William Allen Simpson wrote:
> On 1/3/11 6:42 PM, Jay Farrell wrote:
>> I noticed a substantial drop in spam in my gmail account in recent days,
>> from several hundred a day to maybe a hundred. Ironically, gmail filtered
>> this thread to my spam folder.
>>
> Yes, I found these messages in my gmail spam today, too.  Lately, gmail has
> been regularly flagging NANOG as spam, particularly the end of week
> CIDR and BGP reports.
> 

Not being a gmail user this may be a stupid question: can't you
whitelist things in gmail? The ratio of spam/ham on NANOG is pretty good.

~Seth



Re: The tale of a single MAC

2011-01-01 Thread Seth Mattinen
On 1/1/11 7:33 PM, Graham Wooden wrote:
> 
> So - here is the interesting part... Both servers are HP Proliant DL380 G4s,
> and both of their NIC1 and NIC2 MACs addresses are exactly the same.  Not
> spoofed and the OS drivers are not mucking with them ... They're burned-in -
> I triple checked them in their respective BIOS screen.  I acquired these two
> machines at different times and both were from the grey market.  The "What
> the ..." is sitting fresh in my mind ...  How can this be?
> 
> In the last 15 years of being in IT, I have never encountered a "burned-in"
> duplicated MACs across two physically different machines.  What are the
> odds, that HP would dup'd them and that both would eventually end up at my
> shop?  Or maybe this type of thing isn't big of deal... ?
> 


None of the HP servers I have contain duplicate MAC addresses. (I just
looked through all the iLO2 cards to make sure I wasn't lying.) I'll
send you some details offlist.

~Seth



Re: Muni Fiber Last Mile - a contrary opinion

2010-12-26 Thread Seth Mattinen
On 12/26/10 4:37 PM, Jared Mauch wrote:
> You are likely already at the mercy of some local hut for your dialtone. Very 
> few things home run to the co these days. It's unlikely any hut has more than 
> 24 hours of battery. 
> 
> I have talked to local techs that make the same trip each shift to fuel the 
> generator during regular or minor power outages. Anything major, expect the 
> service to die.
> 
> Best bets: your state emergency operations center, hospitals, airports, 
> grocery stores and possibly hotels.
> 
> During the northeast power outage the biggest local problem was inability to 
> pump gas out of underground tanks. The margin at the stations is low enough 
> it's not worth it to have generators. Best off having the pipeline next to 
> you and to use natural gas/propane if your needs can be easily met by it. 
> 


During the last multi-hour power outage in my neighborhood I drove
around to tour the area; sure enough there was a truck backed up to many
(but not all) of them with a cable plugged in to the meter kiosk.

I feel dirty using a facebook link, but:

http://www.facebook.com/photo.php?pid=1265926&l=999da42e39&id=1327652570

However, residential internet access as a whole (DSL, cable) tends to
have lower reliability than POTS or T1, so they still have a leg to stand on
if it matters to you. Power-wise though they're all on equal footing.

~Seth



Re: IPv6 BGP table size comparisons

2010-12-23 Thread Seth Mattinen
On 12/21/10 2:18 PM, Frank Bulk wrote:
> There are 4,035 routes in the global IPv6 routing table.  This is what one
> provider passed on to me for routes (/48 or larger prefixes), extracted from
> public route-view servers.
>   AT&T AS7018: 2,851 (70.7%)
>   Cogent AS174: 2,864 (71.0%)
>   GLBX AS3549: 3,706 (91.8%)
>   Hurricane Electric AS6939: 3,790 (93.9%)
>   Qwest AS209: 3,918 (97.1%)
>   TINET (formerly Tiscali) AS3257: 3,825 (94.8%)
>   Verizon AS701: 3,938 (97.6%)


Sprint (AS1239) is sending 3,779 routes.

~Seth



Re: IPv6 BGP table size comparisons

2010-12-21 Thread Seth Mattinen
On 12/21/2010 14:18, Frank Bulk wrote:
> There are 4,035 routes in the global IPv6 routing table.  This is what one
> provider passed on to me for routes (/48 or larger prefixes), extracted from
> public route-view servers.
>   AT&T AS7018: 2,851 (70.7%)
>   Cogent AS174: 2,864 (71.0%)
>   GLBX AS3549: 3,706 (91.8%)
>   Hurricane Electric AS6939: 3,790 (93.9%)
>   Qwest AS209: 3,918 (97.1%)
>   TINET (formerly Tiscali) AS3257: 3,825 (94.8%)
>   Verizon AS701: 3,938 (97.6%)
> 


Does this mean Verizon is carrying PI /48s now?

~Seth



Re: Some truth about Comcast - WikiLeaks style

2010-12-20 Thread Seth Mattinen
On 12/20/2010 12:46, JC Dill wrote:
> 
> Your lmgtfy link's search finds 5 year old press releases about
> discussions to PLAN overbuilding in various locations.  What I want are
> the Names of Specific Locations (in the SF Bay Area) where such
> overbuilds are currently in place and serving customers.
> 

Or conversely, they tried and failed.

I found Astound Broadband through the lmgtfy link (yes, I did look and
read, thanks) and they appear to be alive. But I don't live in
California to verify that personally.

~Seth



Re: Some truth about Comcast - WikiLeaks style

2010-12-20 Thread Seth Mattinen
On 12/20/2010 12:20, Alex Rubenstein wrote:
> Amazing how that worked, even spelling "fransisco" (sic) wrong.
> 

One letter off:

http://lmgtfy.com/?q=cable+overbuilder+san+francisco



Re: Some truth about Comcast - WikiLeaks style

2010-12-20 Thread Seth Mattinen
On 12/20/2010 11:44, JC Dill wrote:
>  On 20/12/10 11:31 AM, Joe Provo wrote:
>> On Mon, Dec 20, 2010 at 11:16:30AM -0800, Leo Bicknell wrote:
>> [snip]
>>> And yet, I don't know of any location in the US with two cable
>>> operators.
>> [snip]
>>
>> Everywhere that had enough paying-humans-per fiber-mile, so primarily
>> the Northeast corridor (Metro DC through Metro Boston).  Parts of the
>> SF Bay, Chicago, Cleveland, Denver, Detroit... google "cable overbuilder"
>> (RCN, WOW and several others).
> 
> Can you name/locate the part of the SF Bay Area where this has happened?
> 

http://lmgtfy.com/?q=cable+overbuilder+san+fransisco



Re: Some truth about Comcast - WikiLeaks style

2010-12-19 Thread Seth Mattinen
On 12/19/10 6:12 PM, JC Dill wrote:
>  On 19/12/10 5:48 PM, Richard A Steenbergen wrote:
>> On Sun, Dec 19, 2010 at 08:20:49PM -0500, Bryan Fields wrote:
>>> The government granting a monopoly is the problem, and more lame
>>> government regulation is not the solution.  Let everyone compete on a
>>> level playing field, not by allowing one company to buy a monopoly
>>> enforced by men with guns.
>> Running a wire to everyone's house is a natural monopoly. It just
>> doesn't make sense, financially or technically, to try and manage 50
>> different companies all trying to install 50 different wires into every
>> house just to have competition at the IP layer. It also wouldn't make
>> sense to have 5 different competing water companies trying to service
>> your house, etc.
> 
> This is the argument the government uses to keep first class mail
> service as an exclusive monopoly service for the USPS, claiming you
> wouldn't want 50 different mail carriers marching up and down your walk
> every day.  Yet we aren't seeing a big problem with package delivery. 
> Currently you have 3 choices, USPS, UPS, and FedEx.  The market can't
> support more than 3 or 4 package delivery services (e.g. we had 4 with
> DHL, which didn't survive the financial melt down).  Why not open up the
> market for telco wiring and just see what happens?  There might be 5 or
> perhaps even 10 players who try to enter the market, but there won't be
> 50 - it simply won't make financial sense for additional players to try
> to enter the market after a certain number of players are already in. 
> And there certainly won't be 50 all trying to service the same
> neighborhood.
> 
> And if a competing water service thought they could do better than the
> incumbent, why not let them put in a competing water project?  If they
> think they can make money after the cost of the infrastructure, then
> they may be onto something.  We don't have to worry that too many would
> join in, the laws of diminishing returns would make it unprofitable for
> the nth company to build out the infrastructure to enter the market.
> 

Contrary to popular belief the average person tends to severely dislike
all forms of road construction or having their yard repeatedly torn up.

I know it's all happy fun times to say "let's have 10 water/electrical
providers and you can select which molecules/electrons you want!", but
there's a practical limit as to how much stuff one can pack under a
street's limited right of way. If you look at what's under there right
now it's actually quite crowded. We just don't see it because it's buried.

~Seth



Re: Some truth about Comcast - WikiLeaks style

2010-12-14 Thread Seth Mattinen
On 12/14/2010 15:23, Douglas Otis wrote:
> On 12/14/10 2:38 PM, Richard A Steenbergen wrote:
>> On Tue, Dec 14, 2010 at 03:39:07PM -0600, Aaron Wendel wrote:
>>> >  To what end?  And who's calling the shots there these days?  Comcast
>>> >  has been nothing but shady for the last couple years.  Spoofing
>>> >  resets, The L3 issue, etc.  What's the speculation on the end game?
>> I believe Comcast has made clear their position that they feel content
>> providers should be paying them for access to their customers.
> The Internet would offer lesser value by allowing access providers to
> hold their customers hostage.  Clearly, such providers are not acting in
> their customer's interests when inhibiting access to desired and
> legitimate content.  What is net neutrality expected to mean?
> 
> Providers should charge a fair price for bandwidth offered, not over
> sell the bandwidth, and not constrain bandwidth below advertised rates. 
> Congestion pricing rewards bad practices that leads to the congestion.
> 

I just see this as a natural progression of what happens with a single
player with a captive audience due to mergers and attrition. They know
their customers aren't going anywhere. The only way to "fix" it would be
to go back to the days when there were a bunch of competing local providers.

~Seth



Re: Over a decade of DDOS--any progress yet?

2010-12-08 Thread Seth Mattinen
On 12/8/2010 08:06, Jack Bates wrote:
> I call BS. Windows has its problems, but it is the most common
> exploited as it holds the largest market share. Many Windows infections
> I've seen occur not due to the OS, but due to lack of patching of
> applications on the OS. The system does as much as it can.
> 

And end users clicking/running every shiny thing they come across,
consequences be damned.

~Seth



Re: Start accepting longer prefixes as IPv4 depletes?

2010-12-08 Thread Seth Mattinen
On 12/8/2010 11:23, Cameron Byrne wrote:
> 
> At the edge, with the down economy, I bet there are plenty of folks
> that only accept /21s and shorter from their upstream ISP so they
> can get some more mileage out of their older gear.
> 

Hopefully they have a default route; ARIN now has PI /24 assignments,
and none of those would have a large aggregate announcement.

~Seth
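
The failure mode raised in this message, as an added example that is not part of the original thread: an edge router that drops everything longer than /21 has no route at all to a PI /24 with no covering aggregate, unless it also keeps a default route. The prefixes (documentation and benchmarking ranges) and next-hop names are constructed for illustration.

```python
import ipaddress

# Constructed sample of routes learned from upstreams: (prefix, next hop).
# These are documentation/benchmarking ranges, not real announcements.
RECEIVED = [
    ("198.18.0.0/15", "upstream-a"),    # provider aggregate
    ("198.18.64.0/24", "upstream-b"),   # more-specific inside that aggregate
    ("203.0.113.0/24", "upstream-b"),   # PI /24, no covering aggregate
    ("192.0.2.0/24", "upstream-a"),     # another PI /24, no covering aggregate
]


def build_table(received, max_prefix_len, default_next_hop=None):
    """Apply an inbound prefix-length filter, optionally adding a default route."""
    table = []
    for prefix, next_hop in received:
        net = ipaddress.ip_network(prefix)
        if net.prefixlen <= max_prefix_len:
            table.append((net, next_hop))
    if default_next_hop is not None:
        table.append((ipaddress.ip_network("0.0.0.0/0"), default_next_hop))
    return table


def lookup(table, address):
    """Longest-prefix match; returns the next hop, or None if there is no route."""
    addr = ipaddress.ip_address(address)
    matches = [(net, nh) for net, nh in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def unreachable(received, table):
    """Received prefixes that the filtered table can no longer reach."""
    lost = []
    for prefix, _ in received:
        net = ipaddress.ip_network(prefix)
        if lookup(table, net.network_address) is None:
            lost.append(prefix)
    return lost


if __name__ == "__main__":
    for label, table in [
        ("accept <= /21, no default", build_table(RECEIVED, 21)),
        ("accept <= /21, with default", build_table(RECEIVED, 21, "upstream-a")),
        ("accept <= /24", build_table(RECEIVED, 24)),
    ]:
        print(label)
        print("  203.0.113.10 ->", lookup(table, "203.0.113.10"))
        print("  198.18.64.5  ->", lookup(table, "198.18.64.5"))
        print("  unreachable  :", unreachable(RECEIVED, table))
```

The more-specific inside the aggregate stays reachable after filtering, only via the aggregate's next hop; the PI /24s are the ones that disappear.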



Re: ARIN space not accepted

2010-12-03 Thread Seth Mattinen
On 12/3/2010 14:09, Dustin Swinford wrote:
> We have run into an issue with the 107.7.0.0/16 assigned to us several
> months ago.  It appears that many sites have not yet accepted this space.  I
> understand this is not a normal type post to NANOG, but hoped to get the
> word out to as many operators as possible.  Does anyone know of a better way
> to get the word out to ask people to update their BOGONs/filters?
> 

Can you provide a pingable test address within that space?

~Seth



Re: Want to move to all 208V for server racks

2010-12-02 Thread Seth Mattinen
On 12/2/10 8:02 PM, John van Oppen wrote:
> GFCI breakers are very common, the slightly less common version are arc fault 
> breakers which are starting to show up more as well.
> 

Arc fault breakers are a very new code requirement which I believe is
primarily targeted at sleeping areas. My place has them (built about 4
years ago) on the bedroom outlet circuits. If I spin the socket switch
on one of the table lamps too fast it'll trip.

~Seth



Re: Want to move to all 208V for server racks

2010-12-02 Thread Seth Mattinen
On 12/2/2010 13:42, Darren Bolding wrote:
> One thing to be aware of- if you are going to be connecting gear with bigger
> current draws- Cisco 6509's, most blade enclosures etc. come to mind- then
> many of them effectively require 208V C19 connectors.

Even smaller stuff like a 2U server will have multiple ratings on the
PSU these days: you will only get full capacity out of it at high
voltage. Plus, almost any modern PSU will run at higher efficiency
compared to 120V.


> There are not as many power strips out there that provide sufficient numbers
> of C19 connectors as would be desired, particularly if you want remote
> switched power.
> 
> In that case 3 Phase power becomes more attractive.  Since many datacenters
> are moving towards consolidation on Blades with SAN backend storage, it is
> worth keeping in mind.
> 

Most blade enclosures can be found with three-phase power supply options
as well, making it even more convenient. When they take three-phase
directly it's usually a pair of 20A circuits and you're good for full
capacity.

~Seth



Re: The scale of streaming video on the Internet.

2010-12-02 Thread Seth Mattinen
On 12/2/10 12:28 PM, Owen DeLong wrote:
> You are assuming the absence of any of the following optimizations:
> 
> 1. Multicast

Multicast is great for simulating old school broadcasting, but I don't
see how it can apply to Netflix/Amazon style demand streaming where
everyone can potentially watch a different stream at different points in
time with different bitrates.

~Seth



Re: Want to move to all 208V for server racks

2010-12-02 Thread Seth Mattinen
On 12/2/10 8:35 AM, Jameel Akari wrote:
> 
> Just be careful on older non-autosensing power supplies where you have
> to flip a switch to go from 100-120V to 200-240V input, in that you make
> sure to flip them to begin with, and that you flip them back should you
> ever move them back to a 120V circuit.
> 

Been there, done that with my nagios box when I had to replace a fan
years ago. The build table was 120V so I flipped the switch and forgot
to flip it back. It actually booted for about 5 seconds before things
inside the PSU started exploding and spewing magic smoke. Scared the
daylights out of me. No damage other than requiring a new PSU.

~Seth



Re: Want to move to all 208V for server racks

2010-12-02 Thread Seth Mattinen
On 12/2/10 9:20 AM, Mark Kent wrote:
> "Why do we install 120v instead of 208v?" was asked over a year ago
> either here or on cisco-nsp.  It generated a long discussion, but it
> should have been cut short as early in the thread someone said
> all that had to be said: "because we are idiots."
> 

This one?

http://www.merit.edu/mail.archives/nanog/2009-05/msg00649.html

~Seth



Re: Want to move to all 208V for server racks

2010-12-02 Thread Seth Mattinen
On 12/2/10 8:30 AM, Jay Nakamura wrote:
>> you mean 240V AC 50HZ and move from 120V 60Hz? (or also 50Hz)
> 
> In US, I think everything is 60Hz.  But I mean 208v single phase.
> (Which is what you get when you combine two 120v single phase legs out
> of three phase, I believe.  I am not an expert on AC...)

Correct, a L-N connection will get you 120V, a L-L connection will get
you 208V. Everything in the US is 60Hz.


>> you will need to check each device if it supports 240V, commonly the
>> specified power ratings are printed on a sticker on the device itself.
> 
> I have even been looking at USB HD AC adapter and all other odd ball
> equipment and I always see the label say "100~240v AC".  Dell's old
> rack mount monitor/KB from 5 years ago even supports 208v (Just wrong
> connector.)
> 

The vast majority of power adapters are switching these days and will
run up to 240, it's when they have built in NEMA 1-15 or 5-15 prongs
that you have to overcome.

~Seth



Re: Level 3 Communications Issues Statement Concerning Comcast's Actions

2010-11-29 Thread Seth Mattinen
On 11/29/10 7:51 PM, Ben Butler wrote:
> In the Uk, we used to have 2MB DSL, and business providers like myself would 
> happily provide it on the basis of CBR 2Mbit and we didn't care what you did 
> with it.  2Mbit is more than enough for streaming and I challenge anyone 
> otherwise.
> 

While this whole discussion was going on, I took a break to watch Tears
of the Sun on Netflix streaming via my Roku. The utilization looked like
this:

http://ninjamonkey.us/wordpress/wp-content/uploads/2010/11/netflixonroku.png

~Seth



Re: Level 3 Communications Issues Statement Concerning Comcast's Actions

2010-11-29 Thread Seth Mattinen
On 11/29/10 3:59 PM, Leo Bicknell wrote:
> 
> But this isn't a technology problem, or a ratio problem.


Comcast's blog specifically mentions unbalanced ratios as an issue.

~Seth



Re: Level 3 Communications Issues Statement Concerning Comcast's Actions

2010-11-29 Thread Seth Mattinen
On 11/29/2010 15:24, Phil Bedard wrote:
> Is L3 hosting content for Netflix?  Netflix has become a large source of
> traffic going to end users.  L3 likely could have held out on this one if
> the content they were hosting is valuable enough to Comcast's customers,
> but maybe what Comcast was asking for wasn't much in the grand scheme of
> things.  
> 
> Obviously someone has to pay for the access infrastructure and Comcast
> would much rather get the content provider to pay for it versus passing it
> along to their customers.  I think they probably just took a stab and L3
> complied. 
> 

My take on this is that settlement free peering only remains free as
long as it is beneficial to both sides, i.e. equal amounts of traffic
exchanged. If it becomes wildly lopsided in one direction, then it
becomes more like paying for transit.

Perhaps this is the "cost" of acquisitions and mergers, like acquiring a
CDN product that dramatically screws with your peering ratios.

~Seth



Re: Level 3 Communications Issues Statement Concerning Comcast's Actions

2010-11-29 Thread Seth Mattinen
On 11/29/2010 14:49, Aaron Wendel wrote:
> A customer pays them for access to the Internet.  If that access demands
> more infrastructure then Comcast needs to build out the infrastructure and
> pass on the costs to the customers demanding it.
> 

But then Comcast might have to raise prices on their customers. This way
they don't.

~Seth



Re: Level 3 Communications Issues Statement Concerning Comcast's Actions

2010-11-29 Thread Seth Mattinen
On 11/29/2010 14:40, Rettke, Brian wrote:
> Essentially, the question is who has to pay for the infrastructure to support 
> the bandwidth requirements of all of these new and booming streaming 
> ventures. I can understand both the side taken by Comcast, and the side of 
> the content provider, but I don't think it's as simple as the slogans spewed 
> out regarding "Net Neutrality", which has become so misused and abused as a 
> term that I don't think it has any credulous value remaining.
> 


Is Level3 the content provider though? Or did Comcast just decide they
don't want to do the settlement free peering thing anymore for traffic
transiting via Level 3?

~Seth



Re:

2010-11-26 Thread Seth Mattinen
On 11/26/10 9:58 AM, Lyle Giese wrote:
> Let me ask this question from a different angle. Did your NMS notice the
> issue? If so, does your software require Internet to notify you?
> 
> I use just a simple modem(remember those?), a pots line and qpage
> to send 'out of band' notifications.
> 

Ah yes, the frequently overlooked "internet is required to notify when
the internet is broken" problem. I use text-to-speech with Asterisk on a
POTS line or PRI. Killing landlines is the cool thing to do these days,
but if IP breaks that's when a POTS line still wins.

~Seth



Re: starwars.com subdomain hijacked?

2010-11-22 Thread Seth Mattinen
On 11/22/10 9:05 AM, Ken Chase wrote:
> 
> That phishers manage to fake sites that look wrong is also beyond me, what's
> so hard about 'save page as'?
> 

Probably because there's no need to try that hard - they'll catch enough
people no matter how crappy the phish.

~Seth



Re: Problems at HE.net?

2010-11-21 Thread Seth Mattinen
On 11/21/10 2:58 AM, Franck Martin wrote:
> My understanding was that there was a partial power outage that lasted only a 
> few minutes for some systems (not the entire facility). Generators kicked in 
> but a few UPS did not do their job correctly.
> 

There's been some weather activity on this side of the country; up here
in Reno where I am we're just being snowed on. California usually gets
the worst of it before it hits the mountains (which calms it down) and
gets to us here at 4200' elevation.

~Seth



Re: Why is your company treating IPv6 turn ups as a sales matter?

2010-11-18 Thread Seth Mattinen
On 11/18/2010 14:24, George, Wes E [NTK] wrote:
>
> [WES] Bill, I know that you mean well and you're just trying to push IPv6
> deployment, and sometimes a little public shame goes a long way, but in the
> future, before you call my company out in public with tenuous assertions
> like this, please at least try to reach out to me privately to address your
> perceived issue with the way Sprint is handling IPv6 rollout? It's not like
> I'm hard to find, even if it's a blast message to NANOG that looks like
> "Will someone with IPv6 clue at Sprint contact me?"
>  

Me, personally, I have had absolutely zero issues with Sprint and
requesting IPv6. The process was extremely smooth and at no point did my
rep or their support engineers ever tell me it was not available. There
was an easy questionnaire I had to fill out, but that was it.

~Seth



Re: Cisco GRE/IPSec performance, 3845 ISR/3945 ISR G2

2010-11-18 Thread Seth Mattinen
On 11/18/2010 14:39, Pete Lumbis wrote:
> This is probably more appropriate for the cisco-nsp list, but what
> process is taking up the CPU or is it due to interrupts?
> To the best of my knowledge the crypto should be hardware accelerated,
> while everything else is going to be done in software on the 3800.
> 


The ISR series do have onboard hardware crypto, but I don't know offhand
if it can handle a full DS3 worth.

My first guess is fragment reassembly would probably kill it fast.

~Seth



Re: Why is your company treating IPv6 turn ups as a sales matter?

2010-11-18 Thread Seth Mattinen
On 11/18/2010 14:10, Ryan Finnesey wrote:
> Sprint keeps telling us they do not yet support IPv6.  Is this not the
> case?
> 


I'd say that's not completely true. IPv6 is not available everywhere on
the edge of 1239, but it is available. Contact your rep and place an SCA
request for dual stack on your port so you are on the radar.

~Seth



Re: Why is your company treating IPv6 turn ups as a sales matter?

2010-11-18 Thread Seth Mattinen
On 11/18/2010 11:06, William Herrin wrote:
> Hiya folks,
> 
> Why are your respective companies treating IPv6 turn ups as a sales
> matter instead of a standard technical change request like IP
> addresses or BGP? Sprint and Qwest, I know you're guilty. How many of
> the rest of you are making IPv6 installation harder for your customers
> than it needs to be?
> 

My IPv6 dealings with Sprint have been purely technical from all
aspects. If you were to ask about, say, Verizon; well, check the
archives for my failed experience. =)

~Seth



Re: Verizon off-list contact requested

2010-11-03 Thread Seth Mattinen
On 11/3/10 6:51 PM, Edward A. Trdina III wrote:
> Hello-
> 
> Would someone with clue within the Verizon team contact me off-list, please?
> I'm not seeing rDNS entries for "new" fios ip addresses.
> 

You should probably start a new thread rather than burying your request
inside a really long one that someone who could help could be ignoring.
(Hint: changing the subject doesn't do that.)

~Seth



Re: NTP Server

2010-10-24 Thread Seth Mattinen
On 10/24/2010 09:26, Brandon Kim wrote:
> 
> Wow that is amazing and quite impressive that you even run the antenna 
> lines... interesting... do you have to pay for the GPS service?
> 


Make your own simple GPS NTP clock source:

http://www.satsignal.eu/ntp/FreeBSD-GPS-PPS.htm

~Seth



Re: Definitive Guide to IPv6 adoption

2010-10-18 Thread Seth Mattinen
On 10/18/2010 14:39, Doug Barton wrote:
> On Mon, 18 Oct 2010, Owen DeLong wrote:
> 
>> I think it's generally a bad idea. /48 is the design architecture for
>> IPv6. It allows for significant innovation in the SOHO arena that we
>> haven't accounted for in some of our current thinking.
> 
> Q: Why are /48s everywhere a good idea?
> A: Because it's the design!
> 
> Q: Why are /48s everywhere in the design?
> A: Because it's a good idea!
> 
> This kind of crap is one of the reasons people get frustrated with IPv6
> zealotry. If people are actually interested in deploying IPv6 then by
> all means, STOP BITCHING AT THEM ABOUT HOW THEY DO IT. Problems like the
> wrong allocation to end users are fixable, especially given that the
> vast majority of end user assignments are dynamic in the first place.

Dynamic under IPv4, that is. It could be argued that IPv6 brings back
the ability to go static everywhere again.

~Seth



Re: Only 5x IPv4 /8 remaining at IANA

2010-10-18 Thread Seth Mattinen
On 10/18/2010 11:19, Henning Brauer wrote:
> * Owen DeLong [2010-10-18 18:29]:
>> The good news is that stateful inspection doesn't go away in IPv6.
> 
> that is right.
> 
>> It works just fine. All that goes away is the header mangling.
> 
> that is partially true. it can work just fine, but all the bloat in v6
> makes it way harder to implement the state tracking than it should be.
> 

What bloat? Larger address space?

~Seth



Re: Equinix MPLS connectivity

2010-10-09 Thread Seth Mattinen
On 10/9/10 5:08 PM, Ryan Finnesey wrote:
> We have been looking into Sprint but one issue we are running into is
> lack of IPv6 support.  So we are looking into Level3 and Global.  I
> think Equinix may also have its own connectivity they can sell you.
> 

Um, if you order an MPLS connection between two distant sites, doesn't
the provider normally (in my experience) just hand you ports that are
effectively layer 2? IPvAnything doesn't even factor in.

~Seth



Re: Facebook down!! Alert!

2010-10-05 Thread Seth Mattinen
On 10/5/10 10:05 PM, Larry Brower wrote:
> James Smith wrote:
>> At 1:20am here in Canada, NB our networks are showing that facebook is down.
>> Please confirm in the USA.
> 
> 
> 
>> ~SmithwaySecurity
> 
>> Sent from my iPhone
> 
> 
> We need "Alert" and ! in the subject? seriously?
> Sorry, but I don't see a reason to get all excited. FB is down, omg,
> alert the media. geez


Correction, that's "alert" and a total of three exclamation points. Not
a peep on outages.

~Seth



Re: Whois lookups (was: 2010.10.04 NANOG50 day 1 morning notes posted)

2010-10-04 Thread Seth Mattinen
On 10/4/2010 10:05, Nathan Eisenberg wrote:
> http://kestrel3.netflight.com/2010.10.04-NANOG50-morning-notes.txt
> 
> "
> Whois traffic has been going through the roof; they
> added more proxies in front to support it.
> Apparently, there's IP management packages that do
> whois queries.  It would be good to find out who is
> doing it, and talk to ARIN engineering, to find a better
> way of handling it.
> We can't keep up if so many machines on the internet
> keep doing it like this.
> Source addresses are all over, they're all over, no
> sign of bots; could be a DLL or mac system startup
> that's doing it.
> Please, don't embed whois lookups in everyone's computers
> like this!!
> "
> 
> The only thing I know of is that packages like fail2ban that perform WHOIS 
> lookups when blocking IPs to generate abuse POC notification emails.  So more 
> SSH bruteforce attacks = more whois lookups.
> 


Or the new whois doesn't scale as well as the old one.

~Seth



Re: AT&T Dry Pairs?

2010-09-30 Thread Seth Mattinen
On 9/30/2010 15:34, Jared Mauch wrote:
> 
> On Sep 30, 2010, at 6:30 PM, Seth Mattinen wrote:
> 
>> On 9/30/2010 15:12, Bret Clark wrote:
>>> If the buildings are a 100ft apart, can't you just go with a wireless
>>> connection? Speeds would probably be better and no monthly fee!
>>>
>>
>> Wireless is not the end all solution for everything.
> 
> Understood, but for $160 you can get equipment that acts as a L2 bridge with 
> RJ45 and PoE at 50Mb/s duplex. (UBNT Nanobridge 5, they're $79 per and do 
> 5Ghz 802.11n MCS-15 @ 40Mhz channels).
> 
> Just trying to help :)
> 

The biggest laugh I always got when I worked at the local university as
a student were trouble tickets to the Faraday cage rooms because the
campus wireless internet didn't work inside them. "But it's wireless!"
"Yes, that's the problem. Please just use the damn cable."

~Seth



Re: AT&T Dry Pairs?

2010-09-30 Thread Seth Mattinen
On 9/30/2010 15:12, Bret Clark wrote:
> If the buildings are a 100ft apart, can't you just go with a wireless
> connection? Speeds would probably be better and no monthly fee!
> 

Wireless is not the end all solution for everything.

~Seth



Re: What must one do to avoid Gmail's retarded non-spam filtering?

2010-09-29 Thread Seth Mattinen
On 9/29/2010 11:48, Erik L wrote:
> Thanks John. This was a common question that was asked off-list. That edge 
> MTA is not used and has never been used by anything/anyone other than us. No 
> customer mail flows or has flowed in or out via it ever.
> 
> As I mentioned in my follow-up post, the issue at this point is that the 
> domain has been blacklisted. I can send an identical message from the same 
> MTA, changing only the From header, and it will be delivered to Inbox. Only 
> when the From header contains @caneris.com will the message be delivered to 
> spam. Any changes to the MTA IP, content, headers, etc. don't have any 
> effect. 
> 

Do you let customers have addresses under that domain?

~Seth



Re: Software-based Border Router

2010-09-29 Thread Seth Mattinen
On 9/29/10 6:23 AM, Curtis Maurand wrote:

> be even lower power for around $414.  It's a nothing box and it's not even
> breathing hard.  It's running on a 100mbps fiber.  The speed tests that
> I've run show it running close to wire speed.  It would probably run
> even better if I were using real server NIC's on it.  I'm just using the
> two on board GB NIC's.  It has an available PCI slot.
> 

What size packets?

~Seth



Re: Randy in Nevis

2010-09-28 Thread Seth Mattinen
On 9/28/10 7:49 AM, Leo Vegoda wrote:
> On 27 Sep 2010, at 8:29, Owen DeLong wrote:
> 
> [...]
> 
>> 465 is not an odd-ball port, it's the standard well-known port for SMTPS.
> 
> It is? That's not what's recorded at: 
> http://www.iana.org/assignments/port-numbers
> 
> urd             465/tcp    URL Rendesvous Directory for SSM
> igmpv3lite      465/udp    IGMP over UDP for SSM
> 

Microsoft frequently has different ideas about things.

~Seth



Re: Mobile Operator Connectivity

2010-09-27 Thread Seth Mattinen
On 9/25/2010 13:37, Leo Woltz wrote:
> I am looking for some guidance from the list.  We will soon be deploying
> wireless payment devices (CDMA/GSM).  We are looking at options on where to
> locate the servers that will run the backend payment gateways; we would like
> the least amount of latency between the servers and the wireless networks as
> possible.  The wireless networks we will be deploying the devices on are:
> 

> 
> Sprint PCS
> 

For Sprint you can get a circuit to AS1239 and just take customer
routes. Their PCS network is AS10507, but as far as I know the closest
you can get to it is 1239.

~Seth



Re: Routers in Data Centers

2010-09-26 Thread Seth Mattinen
On 9/26/10 11:09 AM, Joel Jaeggli wrote:
> 
> 
> Joel's widget number 2
> 
> On Sep 26, 2010, at 10:47, Chris Adams wrote:
> 
>> Once upon a time, Joel Jaeggli said:
>>> On Sep 26, 2010, at 8:26, Chris Adams wrote:
>>>> There are servers and storage arrays that have a front that is nothing
>>>> but hot-swap hard drive bays (plugged into backplanes), and they've been
>>>> doing front-to-back cooling since day one.  Maybe the router vendors
>>>> need to buy a Dell, open the case, and take a look.
>>>
>>> The backplane for a sata disk array is 8 wires per drive plus a common 
>>> power bus.
>>
>> Server vendors managed cooling just fine for years with 80 pin SCA
>> connectors.  Hard drives are also harder to cool, as they are a solid
>> block, filling the space, unlike a card of chips.
> 
> It's the same 80 wires on every single drive in the string.
> 
> There are fewer conductors embedded in 12 drive sca backplane as there are in 
> a 12 drive sata backplane, in both cases they are generally two layer pcbs. 
> Compared to what 10+ layer pcbs that are approaching 1/4" thick on the 
> router. 

Aw come on, that's no reason you can't just drill it full of holes. I
mean, it is 2010. It should be wireless by now.

~Seth



Re: Routers in Data Centers

2010-09-25 Thread Seth Mattinen
On 9/24/10 5:28 PM, Alex Rubenstein wrote:
>> While this question has many dimensions and there is no real
>> definition of either I suspect that what many people mean when they
>> talk about a DC routers is:
> 
> From the datacenter operator perspective, it would be nice if some of these 
> vendors would acknowledge the need for front-to-back cooling. I mean, it is 
> 2010.
> 


Well, if you look at the hardware it's dead obvious: airflow goes across
the linecards. Nexus 7k 10-slot has front bottom to back top airflow
because it uses vertically oriented cards.

~Seth



Re: Facebook Issues/Outage in Southeast?

2010-09-23 Thread Seth Mattinen
On 9/23/2010 13:04, Cameron Byrne wrote:
> IPv6 seems to be working fine for me www.v6.facebook.com :)
> 

Yep, works great. You guys should really upgrade your networks to
something that works. ;)

~Seth



Re: Facebook Issues/Outage in Southeast?

2010-09-23 Thread Seth Mattinen
On 9/23/2010 12:43, Justin Horstman wrote:
> Via http://downforeveryoneorjustme.com/facebook.com
> 
> It's not just you! http://facebook.com looks down from here.
> 
> Also down from LA, qwest has been having issues today as well, not sure if 
> its related.
> 
> 


However, www.v6.facebook.com works fine.

~Seth



Re: US hunters shoot down Google fibre

2010-09-21 Thread Seth Mattinen
On 9/21/2010 10:52, Holmes,David A wrote:
> Modern telephone pole aerial fiber uses all-dielectric self-supporting
> (ADSS) technology, where the self-supporting component consists
> primarily of aramid yarn, the same material used for bullet-proof vests.
> This makes for an extremely light weight, almost indestructible fiber
> bundle. My guess is that ADSS fiber would deflect any bullets, or it
> would take a very good marksman using a very high caliber weapon to
> actually sever an aerial fiber. 
> 
> Now in the case described below where optical ground wire (OPGW) fiber
> is used as a component in the ground wire running at the top of high
> voltage transmission towers, it may be possible to hit the insulators at
> the top of the towers, but the ground wire itself is usually armored,
> with ADSS inside. Seems far-fetched to me.
> 


Back in my ISP days it was more common for people to take pot shots at
remote equipment cabinets than the cable/fiber itself. Any field
enclosure is as easy a target as your average bullet-ridden road sign.
Although this was extremely rare; I can only recall one instance where
it was the direct cause of an outage.

~Seth



Re: Cisco 6509/6513 cable management...

2010-09-21 Thread Seth Mattinen
On 9/21/10 8:23 AM, Matthew Topper wrote:
> Maybe I'm thinking about this the wrong way, but it seems to be that
> that would be a huge problem when you need to change out a cable or
> move something.  Do the benefits outweigh the headaches with this kind
> of setup?
> 


I can't speak for others, but I find it's rarely necessary to move a
physical cable. If I need to "move" something I do it virtually in the
config.

~Seth



Re: Cisco 6509/6513 cable management...

2010-09-21 Thread Seth Mattinen
On 9/21/10 5:38 AM, William Herrin wrote:
> 
> And, of course, the easy way:
> 
> http://bill.herrin.us/pictures/2008/cables-sm.jpg
> 

A similar way would be MRJ21 cables and patch panels or fan out ends,
but Cisco doesn't make any line cards with it.

http://www.flickr.com/photos/vax-o-matic/2465615611/in/photostream/

~Seth



Re: XO Routing

2010-09-16 Thread Seth Mattinen
On 9/16/10 9:35 AM, Jeffrey Lyon wrote:
> Hopefully they don't treat this the same way they treat their billing,
> otherwise you all will be degraded for months or even years. It is
> absolutely amazing that this company is still in business.
> 

The "big guys" will always remain in business, or be absorbed into
another equal or larger entity to form an even bigger one, regardless of
their practices. (A fringe exception would be AT&T's court ordered
breakup.) The larger they get the much more spectacular the faults tend
to be.

Whereas with smaller providers like myself, how I treat my customers
factors in as a major aspect to whether or not they stick around. I
can't compete strictly on price with the big guys, but I do absorb their
BS and shield my customers from it as much as possible. If I treated my
customers like the big guys do, I wouldn't have any.

~Seth



Re: POS to Ethernet Converter

2010-09-09 Thread Seth Mattinen
On 9/9/2010 10:59, Alan Bryant wrote:
> I did a quick google search for a converter but either I'm not
> understanding, or I'm not searching for the right thing.
> 
> We currently have a POS OC-3 that I would like to be able to convert
> it to Ethernet, if possible.
> 
> Do such devices exist?
> 

By "convert" do you mean:

1) You have a POS OC-3 from an upstream and you don't want to buy a
router that can take a serial OC-3.

or

2) You have a PTP OC-3 that you control both ends of and you want to
make it into a really long Ethernet cable.

~Seth



Re: whois at rest

2010-09-07 Thread Seth Mattinen
On 9/7/10 10:23 AM, Jon Lewis wrote:
> More often than not today the only replies I've been getting back from
> the ARIN whois servers is:
> 
> ERROR 503: Unable to service request due to high volume.
> 
> Is there really high volume today, or is the new restful thing broken
> again?
> 

S, it's an improvement over the old ways.

~Seth



Re: IPv6 Glue Records at Dotster / Domain.com

2010-09-05 Thread Seth Mattinen
On 9/5/2010 11:17, Joseph C. Bender wrote:
> 
> Perhaps economic pressure will be a good enough reason for the
> registrars to actually get moving and make progress with better support.
>  OpenSRS kept my business because they at least have a mechanism for
> handling glue, albeit not an automated one.
> 

Ah, that's good to know. I have a handful of domains through OpenSRS and
in the past they have not been responsive to IPv6 glue inquiries. I'll
give them another go around.

~Seth



Re: IPv6 Glue Records at Dotster / Domain.com

2010-09-04 Thread Seth Mattinen
On 9/4/10 6:35 AM, Ryan Shea wrote:
> Anyone with a contact at Dotster with the ability to make things happen?
> Apparently they do not support v6 glue records and they have been
> unresponsive to my ticket. This seems a kooky reason to change registrars.
> 
> The table of registrars over at sixxs who have at least some way to get v6
> glue records has been getting greener and greener, but no love from Dotster.
> http://www.sixxs.net/faq/dns/?faq=ipv6glue
> 

It's not kooky at all. If you need a service your current provider
can't/won't provide, then find a new one that will.

~Seth



Re: IPv6 Glue Records at Dotster / Domain.com

2010-09-04 Thread Seth Mattinen
On 9/4/10 10:30 AM, Joel Jaeggli wrote:
> On 9/4/10 9:31 AM, Seth Mattinen wrote:
>> On 9/4/10 6:35 AM, Ryan Shea wrote:
>>> Anyone with a contact at Dotster with the ability to make things happen?
>>> Apparently they do not support v6 glue records and they have been
>>> unresponsive to my ticket. This seems a kooky reason to change registrars.
>>>
>>> The table of registrars over at sixxs who have at least some way to get v6
>>> glue records has been getting greener and greener, but no love from Dotster.
>>> http://www.sixxs.net/faq/dns/?faq=ipv6glue
>>>
>>
>> Why are DynDNS.com and DNS Exit on that list? Do they register domains
>> (I can't find it if they do)?
> 
> Dynamic Network Services does, and they do support ipv6 glue.
> 

Ah, I see it now.

And I guess the "whois lookup" form on DNS Exit actually means "register
domain", I didn't make that connection.

~Seth



Re: IPv6 Glue Records at Dotster / Domain.com

2010-09-04 Thread Seth Mattinen
On 9/4/10 6:35 AM, Ryan Shea wrote:
> Anyone with a contact at Dotster with the ability to make things happen?
> Apparently they do not support v6 glue records and they have been
> unresponsive to my ticket. This seems a kooky reason to change registrars.
> 
> The table of registrars over at sixxs who have at least some way to get v6
> glue records has been getting greener and greener, but no love from Dotster.
> http://www.sixxs.net/faq/dns/?faq=ipv6glue
> 

Why are DynDNS.com and DNS Exit on that list? Do they register domains
(I can't find it if they do)?

~Seth



Re: just seen my first IPv6 network abuse scan, is this the start for more?

2010-09-03 Thread Seth Mattinen
On 9/3/2010 17:12, Owen DeLong wrote:
> I was not attempting to defend security through obscurity. It doesn't 
> ultimately help at all.
> 
> However, compared to the network and other resource costs of scanning, even 
> at more than a billion pps, I think there will be more effective vectors of 
> attack that are more likely to be used in IPv6. In IPv4, an exhaustive scan 
> is quite feasible. In IPv6, scanning a single subnet is 4 billion times 
> harder than scanning the entire IPv4 Internet.
> 
> My point isn't that hiding hosts in arbitrarily large address space makes 
> them safe. My point is that scanning is not the vector by which they are most 
> likely to get discovered.
> 

Even so, it won't stop the uninitiated from scanning the crap out of
IPv6 space.

~Seth



Re: IP characteristics for 3G and WiFi links

2010-08-26 Thread Seth Mattinen
On 8/26/2010 09:20, Seth Mattinen wrote:
> On 8/26/10 3:26 AM, Daniel Migault wrote:
>>
>> Currently we are considering the following values. Packet Lost Rate for L2
>> seems 7% for Wifi and 5% for 3G. We are wondering how L3 is affected?
>>
> 
> TCP retransmits. UDP does not.
> 


Never mind my response; I've been outside in the sun too much pulling
cables through vaults. =P

~Seth



Re: IP characteristics for 3G and WiFi links

2010-08-26 Thread Seth Mattinen
On 8/26/10 3:26 AM, Daniel Migault wrote:
> 
> Currently we are considering the following values. Packet Lost Rate for L2
> seems 7% for Wifi and 5% for 3G. We are wondering how L3 is affected?
> 

TCP retransmits. UDP does not.

~Seth



Re: Lightly used IP addresses

2010-08-15 Thread Seth Mattinen
On 8/13/2010 19:55, Randy Bush wrote:
> 
> when the registry work was re-competed and taken from sri to netsol (i
> think it was called that at the time), rick adams [0] put in a no cost
> bid to do it all with automated scripts.  hindsight tells me we should
> have supported that much more strongly.  and folk who think that would
> not have scaled, need to know that the netsol lowball solution was mark
> and scott in a basement with a sun3 and a 56k line.
> 


Hah. Automated no-cost registration, meet automated registering script
with a dictionary plus random string generator.

~Seth



Re: Lightly used IP addresses

2010-08-13 Thread Seth Mattinen
On 8/13/10 10:42 AM, Brandon Galbraith wrote:

> Alternate #4: A "rents" the space to B without ARIN knowing it, while A
> continues to claim that the space belongs to them.
> 


This already happens as we speak with "IP brokers".

~Seth



Re: Example RFI for colo provider selection

2010-08-09 Thread Seth Mattinen
On 8/9/2010 17:48, Jason Lixfeld wrote:
> I'm researching a list of some colocation providers I have here to find the 
> most suitable one to provide services for a project I'm working on.  My 
> thought is to send out an informal RFI, which I believe is something others 
> may have done too.  If anyone is able to share, I'd be interested in having a 
> peek at some of these colo-centric RFIs to understand what questions others 
> have asked in the past, as it may help me come up with some questions that I 
> may not have thought of myself.
> 
> If an RFI isn't an appropriate means to gather information on such a 
> prospect, I'd certainly like to hear that too.
> 
> Thanks in advance.
> 
> PS.  To any reader who may be thinking this is an open invitation for a sales 
> email, it's not :)


Pretty much every first contact I see is along the lines of "I have the
following requirements X, Y, and Z. Please provide a quote to suit
these." The format of these may vary wildly.

As far as questions to ask, IPv6 is always on the top of my list but
almost always makes the viable prospects list pretty slim. Power *type*
availability is often overlooked (i.e. 208 volts or three-phase) until
the fateful day you need more than single phase 120 to run something and
the colo says oops not available.

~Seth



Re: Monitoring tools for IPv6 tools

2010-07-31 Thread Seth Mattinen
On 7/31/10 12:20 AM, valdis.kletni...@vt.edu wrote:
> On Sat, 31 Jul 2010 10:04:16 +0800, Diogo Montagner said:
>> This was the best compilation that I found before. Unfortunately, this
>> presentation is a little bit old (2006). I am supposing that most of
>> commercial tools have improved your IPv6 support.
> 
> Dunno.  Were the customers pressuring the vendors to improve the IPv6 support,
> or were they letting it slide because they didn't plan to deploy IPv6 till 2012
> or so? ;)
> 

Personally, I stopped pressuring vendors that didn't support IPv6,
preferring to drop them completely and pick up one with equal or better
service who did. Sometimes this was easy, sometimes it was exceedingly
difficult. In every case when they asked why I said it was the lack of
IPv6 support because I've been running a dual stack network for years,
not as part of some future plan.

~Seth


