Re: Famous operational issues

2021-02-16 Thread Todd Underwood
There are all the hilarious leaks and blocks.

Pakistan blocks youtube and the announcement leaks internet-wide.
Turk telecom (AS9121 IIRC) leaks a full table out one of their providers.

So many routing level incidents they're probably not even interesting any
more,  I suppose.

The huge power outages in the US northeast in 2003 (
https://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.183.998=rep1=pdf)
were pretty decent.



On Tue, Feb 16, 2021 at 4:02 PM Damian Menscher via NANOG 
wrote:

> https://en.wikipedia.org/wiki/SQL_Slammer was interesting in that it was
> an application-layer issue that affected the network layer.
>
> Damian
>
> On Tue, Feb 16, 2021 at 11:37 AM John Kristoff  wrote:
>
>> Friends,
>>
>> I'd like to start a thread about the most famous and widespread Internet
>> operational issues, outages or implementation incompatibilities you
>> have seen.
>>
>> Which examples would make up your top three?
>>
>> To get things started, I'd suggest the AS 7007 event is perhaps  the
>> most notorious and likely to top many lists including mine.  So if
>> that is one for you I'm asking for just two more.
>>
>> I'm particularly interested in this as the first step in developing a
>> future NANOG session.  I'd be particularly interested in any issues
>> that also identify key individuals that might still be around and
>> interested in participating in a retrospective.  I already have someone
>> that is willing to talk about AS 7007, which shouldn't be hard to guess
>> who.
>>
>> Thanks in advance for your suggestions,
>>
>> John
>>
>


Re: CISA critical infrastructure letters

2020-03-25 Thread Todd Underwood
However, if you are stopped and don't have a letter, you're much more
likely to trigger the "bozo making stuff up" detector and get sent home.

Virtually no one stops to print out a weird document on their way to buy
beer.

I'm aware of security guards and telecom techs who have been sent home for
not having these documents in 'shelter in place' jurisdictions.

t

On Wed, Mar 25, 2020 at 3:04 PM Matt Erculiani  wrote:

> The letters are not to be confused with hall passes; they don't even have
> an individual's name on it.
>
> They simply outline a federal mandate that already exists to inform anyone
> who may not know.
>
> Law enforcement of any area that has implemented "stay at home" or
> "shelter in place" should already be briefed on who is permitted to be out
> and about.
>
> If you're stopped and have a letter, you may still be asked to
> substantiate the critical nature of your trip, just like you would be if
> you didn't have one.
>
> -Matt
>
> On Wed, Mar 25, 2020, 12:54 Scott Weeks  wrote:
>
>>
>>
>> I got these.  One each for travel and fuel.  I could fake
>> one in 15 minutes or so.  Heck, I could probably find one
>> online and modify it in less time than that! Because of
>> that I don't see the usefulness.
>>
>> scott
>>
>


Re: QUIC traffic throttled on AT&T residential

2020-02-20 Thread Todd Underwood
and just to check one thing...

On Thu, Feb 20, 2020 at 2:33 PM Daniel Sterling 
wrote:

> I don't particularly *want* to block or advocate blocking QUIC, but if
> I keep hitting the issue and can't help people troubleshoot, what
> other sane option have I?
>

i don't think you've addressed the "replace your broken ISP" action that is
clearly sane and would fix this, right?

i'm assuming that this is not an option to get a functional IP layer?

t


>
> -- Dan
>


Re: ECN

2019-11-13 Thread Todd Underwood
as one of the authors of that talk, it definitely is "a thing", has been
for years and years and years, and indeed, mostly works.

t

On Wed, Nov 13, 2019 at 12:18 PM Hunter Fuller  wrote:

> It is certainly odd, but it's definitely a "thing."
>
> https://archive.nanog.org/meetings/nanog37/presentations/matt.levine.pdf
>
> On Wed, Nov 13, 2019 at 10:24 AM Matt Corallo  wrote:
> >
> > This sounds like a bug on Cloudflare’s end (cause trying to do anycast
> > TCP is... out of spec to say the least), not a bug in ECN/ECMP.
> >
> > > On Nov 13, 2019, at 11:07, Toke Høiland-Jørgensen via NANOG <
> > > nanog@nanog.org> wrote:
> > >
> > > 
> > >>
> > >> Hello
> > >>
> > >> I have a customer that believes my network has a ECN problem. We do
> > >> not, we just move packets. But how do I prove it?
> > >>
> > >> Is there a tool that checks for ECN trouble? Ideally something I could
> > >> run on the NLNOG Ring network.
> > >>
> > >> I believe it likely that it is the destination that has the problem.
> > >
> > > Hi Baldur
> > >
> > > I believe I may be that customer :)
> > >
> > > First of all, thank you for looking into the issue! We've been having
> > > great fun over on the ecn-sane mailing list trying to figure out what's
> > > going on. I'll summarise below, but see this thread for the discussion
> > > and debugging details:
> > >
> > > > https://lists.bufferbloat.net/pipermail/ecn-sane/2019-November/000527.html
> > >
> > > > The short version is that the problem appears to come from a combination
> > > > of the ECMP routing in your network, and Cloudflare's heavy use of
> > > > anycast. Specifically, a router in your network appears to be doing ECMP
> > > > by hashing on the packet header, *including the ECN bits*. This breaks
> > > > TCP connections with ECN because the TCP SYN (with no ECN bits set) ends
> > > > up taking a different path than the rest of the flow (which is marked as
> > > > ECT(0)). When the destination is anycasted, this means that the data
> > > > packets go to a different server than the SYN did. This second server
> > > > doesn't recognise the connection, and so replies with a TCP RST. To fix
> > > > this, simply exclude the ECN bits (or the whole TOS byte) from your
> > > > router's ECMP hash.
> > > >
> > > > For a longer exposition, see below. You should be able to verify this
> > > > from somewhere else in the network, but if there's anything else you
> > > > want me to test, do let me know. Also, would you mind sharing the router
> > > > make and model that does this? We're trying to collect real-world
> > > > examples of network problems caused by ECN and this is definitely an
> > > > interesting example.
> > >
> > > -Toke
> > >
> > >
> > >
> > > The long version:
> > >
> > > > From my end I can see that I have two paths to Cloudflare; which is
> > > > taken appears to be based on a hash of the packet header, as can be seen
> > > > by varying the source port:
> > >
> > > $ traceroute -q 1 --sport=1 104.24.125.13
> > > > traceroute to 104.24.125.13 (104.24.125.13), 30 hops max, 60 byte packets
> > > 1  _gateway (10.42.3.1)  0.357 ms
> > > 2  albertslund-edge1-lo.net.gigabit.dk (185.24.171.254)  4.707 ms
> > > 3  customer-185-24-168-46.ip4.gigabit.dk (185.24.168.46)  1.283 ms
> > > 4  te0-1-1-5.rcr21.cph01.atlas.cogentco.com (149.6.137.49)  1.667 ms
> > > 5  netnod-ix-cph-blue-9000.cloudflare.com (212.237.192.246)  1.406 ms
> > > 6  104.24.125.13 (104.24.125.13)  1.322 ms
> > >
> > > $ traceroute -q 1 --sport=10001 104.24.125.13
> > > > traceroute to 104.24.125.13 (104.24.125.13), 30 hops max, 60 byte packets
> > > 1  _gateway (10.42.3.1)  0.293 ms
> > > 2  albertslund-edge1-lo.net.gigabit.dk (185.24.171.254)  3.430 ms
> > > 3  customer-185-24-168-38.ip4.gigabit.dk (185.24.168.38)  1.194 ms
> > > 4  10ge1-2.core1.cph1.he.net (216.66.83.101)  1.297 ms
> > > 5  be2306.ccr42.ham01.atlas.cogentco.com (130.117.3.237)  6.805 ms
> > > 6  149.6.142.130 (149.6.142.130)  6.925 ms
> > > 7  104.24.125.13 (104.24.125.13)  1.501 ms
> > >
> > >
> > > This is fine in itself. However, the problem stems from the fact that
> > > the ECN bits in the IP header are also included in the ECMP hash (-t
> > > sets the TOS byte; -t 1 ends up as ECT(0) on the wire and -t 2 is
> > > ECT(1)):
> > >
> > > $ traceroute -q 1 --sport=1 104.24.125.13 -t 1
> > > > traceroute to 104.24.125.13 (104.24.125.13), 30 hops max, 60 byte packets
> > > 1  _gateway (10.42.3.1)  0.336 ms
> > > 2  albertslund-edge1-lo.net.gigabit.dk (185.24.171.254)  6.964 ms
> > > 3  customer-185-24-168-46.ip4.gigabit.dk (185.24.168.46)  1.056 ms
> > > 4  te0-1-1-5.rcr21.cph01.atlas.cogentco.com (149.6.137.49)  1.512 ms
> > > 5  netnod-ix-cph-blue-9000.cloudflare.com (212.237.192.246)  1.313 ms
> > > 6  104.24.125.13 (104.24.125.13)  1.210 ms
> > >
> > > $ traceroute -q 1 --sport=1 104.24.125.13 -t 2
> > > > traceroute to 104.24.125.13 (104.24.125.13), 30 hops max, 60 byte packets
> > > 1  _gateway (10.42.3.1)  0.339 ms
> > > 2  albertslund-edge1-lo.net.gigabit.dk 
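
The failure described in the quoted message above (SYN sent Not-ECT, data sent ECT(0), an ECMP hash that covers the ECN bits), modelled as an added example that is not part of the thread. The BLAKE2 hash stands in for whatever the router vendor uses; the path names, addresses (documentation ranges) and function names are assumptions made for the illustration.

```python
"""Model of ECMP next-hop selection with and without the ECN bits in the hash."""
import hashlib
import struct
from ipaddress import IPv4Address

# ECN codepoints from RFC 3168 (low two bits of the IPv4 TOS byte).
NOT_ECT, ECT_1, ECT_0, CE = 0b00, 0b01, 0b10, 0b11
ECN_MASK = 0b11

# Two equal-cost paths, as in the thread. The names are placeholders.
NEXT_HOPS = ("path-A", "path-B")


def _bucket(data: bytes) -> str:
    """Map hash input to a next hop. BLAKE2 is a stand-in for the vendor hash."""
    digest = hashlib.blake2b(data, digest_size=8).digest()
    return NEXT_HOPS[int.from_bytes(digest, "big") % len(NEXT_HOPS)]


def five_tuple(src: str, dst: str, sport: int, dport: int, proto: int = 6) -> bytes:
    """Pack the fields a router normally hashes for a TCP flow."""
    return struct.pack("!4s4sHHB", IPv4Address(src).packed,
                       IPv4Address(dst).packed, sport, dport, proto)


def ecmp_full_tos(flow: bytes, tos: int) -> str:
    """Misbehaving router: the whole TOS byte, ECN bits included, is hashed."""
    return _bucket(flow + bytes([tos]))


def ecmp_dscp_only(flow: bytes, tos: int) -> str:
    """Fix 1: keep DSCP in the hash but mask out the two ECN bits."""
    return _bucket(flow + bytes([tos & ~ECN_MASK & 0xFF]))


def ecmp_no_tos(flow: bytes, tos: int) -> str:
    """Fix 2: leave the TOS byte out of the hash entirely."""
    return _bucket(flow)


def split_flows(pick, flows, dscp: int = 0):
    """Flows whose Not-ECT SYN and ECT(0) data packets land on different paths.

    With an anycast destination, each such flow is answered with a TCP RST by
    a server that never saw the SYN.
    """
    split = []
    for flow in flows:
        syn_path = pick(flow, (dscp << 2) | NOT_ECT)
        data_path = pick(flow, (dscp << 2) | ECT_0)
        if syn_path != data_path:
            split.append(flow)
    return split


def probe(pick, flows, dscp: int = 0):
    """Emulate the thread's test: same flow and DSCP, only the ECN bits vary."""
    return [(flow, (dscp << 2) | ecn, pick(flow, (dscp << 2) | ecn))
            for flow in flows for ecn in (NOT_ECT, ECT_1, ECT_0, CE)]


def ecn_changes_path(probes) -> bool:
    """True if two probes with equal flow and DSCP, differing only in ECN,
    were forwarded over different paths."""
    seen = {}
    for flow_id, tos, path in probes:
        key = (flow_id, tos >> 2)
        if seen.setdefault(key, path) != path:
            return True
    return False


# Constructed sample: 200 client flows to one anycast service address.
FLOWS = [five_tuple("192.0.2.10", "198.51.100.53", sport, 443)
         for sport in range(40000, 40200)]

if __name__ == "__main__":
    for name, pick in (("full TOS byte", ecmp_full_tos),
                       ("DSCP only", ecmp_dscp_only),
                       ("no TOS", ecmp_no_tos)):
        broken = len(split_flows(pick, FLOWS))
        flagged = ecn_changes_path(probe(pick, FLOWS))
        print(f"{name:14s} split flows: {broken:3d}/{len(FLOWS)}  "
              f"ECN changes path: {flagged}")
```

`ecn_changes_path` takes any list of (flow, TOS, observed path) tuples, so it can be fed paths collected from real probes instead of the simulated router.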

Re: D'oH III: In 3-D! Plot Twist from Google/Chrome, Vixie approves?

2019-10-30 Thread Todd Underwood
the relevant sentiment is:  thanks for whitelisting a fixed number of them
so i can block them.

t

On Wed, Oct 30, 2019 at 11:42 AM Royce Williams 
wrote:

> The difference is that Chrome won't use resolvers other than the ones
> you've configured yourself, and will simply opportunistically upgrade to
> DoH if they detect that those resolvers support it.
>
> In other words, there is no usurpation of administrative intent.
>
> Royce
>
> On Wed, Oct 30, 2019 at 7:30 AM Jay R. Ashworth  wrote:
>
>> It's not clear to me whether Paul is expressing approval of the whole
>> shebang
>> at this point, or just the one change they've made, but, just on first
>> look,
>> I don't think that change addresses *my* distaste for DoH, as discussed in
>> last month's 100-poster.  :-)
>>
>>
>> https://www.zdnet.com/article/dns-over-https-google-hits-back-at-misinformation-and-confusion-over-its-plans/
>>
>> TL;DR: they (Chrome) won't enable DoH unless it's being run from an
>> internet
>> which they know supports it; there are apparently a list of 8-12 ISPs/etc
>> which are announcing such support.
>>
>> Cheers,
>> -- jra
>>
>> --
>> Jay R. Ashworth  Baylink
>> j...@baylink.com
>> Designer The Things I Think   RFC
>> 2100
>> Ashworth & Associates   http://www.bcp38.info  2000 Land
>> Rover DII
>> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647
>> 1274
>>
>


Re: Colombia Network Operators Group

2019-09-23 Thread Todd Underwood
References to all things Colombian being related to drugs and smuggling are
racist.

Please don't be racist here.

Thanks!

t

On Mon, Sep 23, 2019 at 4:46 PM Ronald F. Guilmette 
wrote:

> In message <6f2876a6abe02547ba85adb58bd21...@mail.dessus.com>,
> "Keith Medcalf"  wrote:
>
> >Fascinating.  What is the security threat I wonder, that there is no
> >JavaScript?
>
> Undoubtedly drug smuggling over HTTP.
>


Re: IPAM recommendations

2019-09-05 Thread Todd Underwood
i don't think that this is a reasonable use of nanog.  if you have research
to present and then a question to ask, that's totally great.  this is
especially true if you can add evaluative criteria and information before
asking questions from people who have relevant experience.

you read a single web page and are asking nanog to do your homework for
you.  that's unkind and is taking advantage of the attention and goodwill
of the community here.  this is becoming a pattern.  please either do some
research yourself and start a conversation substantively, or look to paid
consultants to evaluate your software/hardware/datacenter space/networking
gear etc.

best,

t



On Thu, Sep 5, 2019 at 4:42 AM Mehmet Akcin  wrote:

> Not much beyond this,
> https://appuals.com/the-5-best-ip-address-management-ipam-software/
>
> On Thu, Sep 5, 2019 at 5:39 PM Todd Underwood  wrote:
>
>> What have you evaluated so far?  Can you share your evaluation grid, how
>> you selected the candidates, how you are weighting criteria and specific
>> interesting findings so far?
>>
>> Thanks!
>>
>> t
>>
>> On Thu, Sep 5, 2019 at 4:37 AM Mehmet Akcin  wrote:
>>
>>> Looking for IPAM recommendations, preferably open source, API is a plus
>>> (almost must, almost..). 40-50K IPs to be managed.
>>>
>>> thanks in advance.
>>>
>>


Re: IPAM recommendations

2019-09-05 Thread Todd Underwood
What have you evaluated so far?  Can you share your evaluation grid, how
you selected the candidates, how you are weighting criteria and specific
interesting findings so far?

Thanks!

t

On Thu, Sep 5, 2019 at 4:37 AM Mehmet Akcin  wrote:

> Looking for IPAM recommendations, preferably open source, API is a plus
> (almost must, almost..). 40-50K IPs to be managed.
>
> thanks in advance.
>


Re: 44/8

2019-07-22 Thread Todd Underwood
silently deleting the thread isn't noise.  posting that was, randy.

t

On Mon, Jul 22, 2019 at 4:23 PM Randy Bush  wrote:

> my deep sympathies go out to those folk with real work to do whose mail
> user agents do not have a `delete thread` key sequence.
>


Re: A Zero Spam Mail System [Feedback Request]

2019-02-17 Thread Todd Underwood
This is truly awful and off topic for network engineering. Please stop and
try to listen to the people who are offering you feedback. On other lists.
Not here.

Thanks!

T

On Sun, Feb 17, 2019, 21:05 Viruthagiri Thirumavalavan wrote:

> Hello Everyone,
>
> My name is Viruthagiri Thirumavalavan. I'm the guy who proposed SMTP over
> TLS on Port 26 last
> month. I'm also the guy who attacked (???) John Levine.
>
> Today I have something to show you.
>
> Long story short I solved the email spam problem. Well... Actually I
> solved it long time back. I'm just ready to disclose it today. Again...
>
> Yeah.. Yeah.. Yeah... If only I had a dime for every time people insult me
> for saying "I solved the spam problem"
>
> They usually start with the insult like "You think you are the inventor of
> FUSSP?"
>
> These guys always are the know-it-all assholes. They don't listen. They
> don't want to listen. They are like barking dogs. If one started to bark,
> everyone else gets the courage to do the same thing.
>
> I'm tired of fighting these assholes in every mailing list.  I'm on your
> side morons. So how about you all knock it off?
>
> Six months back, it was John Levine who humiliated me in the DMARC list.
> Apparently, for him 50 words are enough to attack me.
>
> Töma Gavrichenkov and Suresh Ramasubramanian even started to defend this
> man saying 50 words are enough to judge a 50,000 words paper.  [We are
> gonna figure it out today]
>
> --
>
> @Töma Gavrichenkov
>
>> In theory, I can easily recall a few cases in my life when going
>> through just 50 words was quite enough for a judgment.
>
>
> How can you be so sure that you didn't fuck up none of the lives of these
> "few cases"? Or in more technical terms, How can you be absolutely sure
> that there is no "False Positives"?
>
> --
>
> @Suresh Ramasubramanian
>
>> Yes, 50 words are more than enough to decide a bad idea is bad.  You don't
>> have to like that, or like any of us, but facts are facts
>
>
> Merely appending the text "facts are facts" not gonna convert a bullshit
> statement into a fact.
>
> You know what's the meaning of the word "fact"? It's a statement that can
> be proved TRUE.
>
> Let's do a little experiment. 100 researchers presents their lifetime work
> to us. Each of their research paper contain 50,000 words. We are gonna
> judge them.
>
> You are gonna judge them based on only the first 50 words. And I'm gonna
> judge them by tossing a coin. Can you guess who is gonna fuck up less
> number of researcher lives?
>
> I'm claiming that I solved the email spam problem. If that's true, then
> you should know, common sense is one of the very basic requirement for that.
>
> I designed my email system. Every inch of it. I wrote my research paper.
> Every word of it. I made my prototype video. Every second of it. So I'm the
> captain of my ship. Not you. But you all think you know my system better
> than me? That too, with only 50 words?
>
> My research paper has around 50,000 words. And you think 50 words are
> enough to judge my work? Let me make sure I get this right. You are all
> saying, you know what's in the rest of the 49,950 words based on only the
> first 50 words? That's stupid on so many levels.
>
> If you are gonna do a half-assed job and relay that misinformation to
> thousands of people, why volunteer in the first place? And by the way, by
> saying you are all doing half-assed job, I'm actually insulting the people
> who are REALLY doing the half-assed job.
>
> --
>
> John Levine vs. me
>
> One month back, some of you may have noticed a thread created by John
> Levine where he goes like "He's Forum Shopping". The whole gist of that message
> was "We already have DANE and MTA-STS. We don't a third solution". And then
> I used some harsh words to defend myself. But that was the Season 2 of his
> "Shitshow". The Season 1 was aired 6 months back. You all missed that show.
> This is what happened in Season 1.
>
>
> 1. Six months back, I posted on three mailing lists saying "I solved
>    the email spam problem" and asked them to provide feedback on my invention.
>    Those three mailing lists were SPF, DKIM and DMARC. That's because my
>    solution relied on them and those three were the only email related mailing
>    lists I knew at that time.
> 2. In DMARC community, John Levine started to insult me after reading
>    only the first 50 words.
> 3. Dave Crocker joined the cast and did a flawless job on abusing me.
>    He asked me to kill my project. I told him he is being rude. And this is what
>    he replied for that. He is one
>    of the most radical and ignorant person I have seen in tech. He didn't even
>    stop

Re: Amazon now controls 3.0.0.0/8

2018-11-08 Thread Todd Underwood
google used 4.4.4.4 for DNS in the past (2010, IIRC).

t

On Thu, Nov 8, 2018 at 8:21 PM Steve Meuse  wrote:

>
> I think it was the dial modem team that beat us to 4.4.4.0/24?
>
> -Steve
>
> On Thu, Nov 8, 2018 at 7:44 PM John Orthoefer  wrote:
>
>> I wish we could have used 4.4.4.4. Although at the time I suspect we
>> would have used 4.4.4.[123].
>>
>> Johno
>>
>> On Nov 8, 2018, at 18:58, Matt Erculiani  wrote:
>>
>> So it looks like GE will be solvent for a few more years and 3.3.3.3 DNS
>> is incoming.
>>
>> -Matt
>>
>> On Thu, Nov 8, 2018, 17:54 Eric Kuhnke wrote:
>>
>>> https://news.ycombinator.com/item?id=18407173
>>>
>>> Quoting from the post:
>>>
>>> "
>>>
>>> Apparently bought in two chunks: 3.0.0.0/9 and 3.128.0.0/9.
>>>
>>> Previous owner was GE.
>>>
>>> Anecdotal reports across the Internet that AWS EIPs are now being
>>> assigned in that range.
>>>
>>> https://whois.arin.net/rest/net/NET-3-0-0-0-1.html
>>>
>>> https://whois.arin.net/rest/net/NET-3-128-0-0-1.html
>>> "
>>>
>>>
>>>
>>>


Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-11-08 Thread Todd Underwood
This is a confusing and off-topic discussion with respect to network
engineering.

But for completeness:

Payments systems are architected by fraud rates, not by isolated security
requirements or engineering mandates, as i think most network engineers can
understand.

The fraud rates in the US for credit card transactions were historically
very, very low and being a large jurisdiction with a single national law
enforcement branch (the FBI) enforcement was effective.

Compare this to Europe in the 1980s when credit cards were accepted very
few places.  This was for two reasons:

1) the fraud rates were much, much higher, which created chargebacks for
merchants that they preferred not to eat;
2) trans-national enforcement was virtually nonexistent. interpol had ~zero
time to deal with credit card fraud.

so the best european fraud rings always operated from a different country
than where they perpetrated the fraud.

when chip-and-pin was introduced, the point was actually twofold:
A) security
B) shifting liability to the consumer

somewhat famously, even after chip-and-pin was proven compromised, UK banks
continued to make consumers liable for all fraudulent transactions that
were 'pin used'.  this was very, very good for the adoption of credit cards
in europe but it was very, very bad for a few people.  banks, as usual,
didn't care and made some decent money.

So why did the US get pin-and-signature?  Target.

International fraud rings finally got wise to the ripe opportunity that was
the soft underbelly of the US economy and figured out ways to perpetrate
massive, trans-national fraud in the US.  and as soon as that happened, the
US got chips.  the signature-vs-pin part is mostly about the fact that
there are *still* low rates of fraud here as tracked by chargeback rates
and as a result there's no real need to pay the cost of support to set
everyone up with a pin.

and that's what security is always all about:  cost tradeoffs.  people in
countries where everyone has a pin have eaten that cost already and had to
because the fraud rates were high enough to justify it.  people in the US
do not have PINs that they know and setting those up costs money and
maintaining people's access to them costs money.  so if that's not worth
it, it doesn't get done. nor should it.

i generally find it amusing when people from other countries mock the US
for not having PINs.  this is just another way of saying "my country has
high fraud rates and yours appears not to."  :-). you can see this in the
comment below "If we were swipe-based here, we'd all be
broke :-).".  the payments systems are architected to minimize cost and
maximize adoption and they are usually at (or moving towards) some locally
optimal point.  the US is no exception in that.

now, the checking/chequing system is a whole other, embarrassing beast and
mocking that one is just the correct thing to do. :-)

anyway, let's talk about networks, no?

cheers,

t

On Thu, Nov 8, 2018, 19:07 Frank Bulk wrote:

> I have a low-cost/high interest rate account at one of the Canadian banks
> and each "assisted" transaction is $5.
>
> Frank
>
> -Original Message-
> From: NANOG  On Behalf Of Mark Tinka
> Sent: Thursday, November 08, 2018 3:35 AM
> To: George Michaelson 
> Cc: North American Network Operators' Group 
> Subject: Re: CVV (was: Re: bloomberg on supermicro: sky is falling)
>
> 
> Speaking of "cost" as a motivator, in South Africa, most of the banks
> are now using extra fees as a way to force users to do their banking
> online (phone, laptop, app, e.t.c.). If you want to walk into a bank to
> deposit money, withdraw money, make a transfer, e.t.c., you pay for that
> service over and above, while the process costs you zero (0) when done
> online. This has led to banks now renovating banking halls into where
> there was once 23 tellers, you now have 1 service usher, 1 teller, 2
> support agents and 20 self-service computers.
>
> I hope the U.S. does catch-up. If we were swipe-based here, we'd all be
> broke :-). I know a number of major merchants in the U.S. now use PIN's,
> and I always stick to those when I travel there.
>
> Mark.
>
>
>
>


Re: courtesy

2018-06-27 Thread Todd Underwood
the "please" distributes to both clauses and the difference is a matter of
style rather than substance.

job's point is sound and correct.

please try to respect his firm suggestion.

thanks,

t

On Wed, Jun 27, 2018 at 9:03 PM, Scott Weeks  wrote:

>
>
> --- j...@instituut.net wrote:
> People - please just stop the off topic chatter. It is
> ludicrous that a thread about bgp hijacks morphed into
> font discussions.
>
> Either contribute to the operational issue at hand by
> evaluating your terms & conditions (or abuse policies)
> and applying them to your operations, or remain silent.
> -
>
>
> While I have to agree with what you said in the first
> paragraph (there was too much of off topic chatter on
> this thread), I disagree with the second paragraph.
> You are not the King of NANOG where you can demand
> folks contribute in the manner you expect or "remain
> silent".  The "Please" is acceptable and we'd likely
> all comply.  The "remain silent" demand is not and
> it's likely to not gain compliance.
>
> scott
>


Re: list blockchain

2018-01-29 Thread Todd Underwood
On Mon, Jan 29, 2018 at 7:05 AM, Tom Hill <t...@ninjabadger.net> wrote:

> On 28/01/18 18:38, Todd Underwood wrote:
> > Moderators: even when posts are by long term members of the community can
> > you remind them of the list purpose when they forget, please? Thanks!
>
> Randy's post has provided more commentary on our industry than most of
> the other drivelling nonsense that befalls this mailing list every other
> day.
>

disagree.  it was a zero-content offhand snipe.  it was funny, but clearly
off-topic and useless.  i suspect even randy would agree with that.


>
> Reminder: satire can be relevant.
>

agree.  this time it managed to not be.

t


>
> --
> Tom
>


Re: list blockchain

2018-01-28 Thread Todd Underwood
This isn't off-topic noise at all. Nope. Nothing to see here. Move along.

Moderators: even when posts are by long term members of the community can
you remind them of the list purpose when they forget, please? Thanks!

T

On Jan 28, 2018 13:04, "Andrew Kirch"  wrote:

> On Sun, Jan 28, 2018 at 12:52 PM John Levine  wrote:
>
> > In article  you write:
> > >why is no one exploring converting this mailing list to a blockchain?
> > >major missed opportunity.  
> >
> > Ssshhh, we're in the quiet period before the IPO.
> >
> > Block chain?  We can’t get half these people to adopt IPv6.
>


Re: media are reporting "major Internet outage"

2017-11-06 Thread Todd Underwood
There's a whole lot of 'Comcast and L3 are having problems' on Reddit.
Nothing much beyond that.

On Nov 6, 2017 21:47, "Miles Fidelman"  wrote:

> Folks,
>
> It seems like various media outlets are reporting a "major Internet
> outage" - some going so far as to call it an "attack."
>
> A few headlines that crossed Facebook today:
>
> "Major internet outage hits the U.S."  (Mashable via AOL News)
>
> "Widespread Comcast internet outage across U.S. includes Massachusetts
> customers"  (WHDH, Channel 7 News, Boston)
>
> A couple of more detailed sources reported that issues at L3 were
> affecting Comcast, specifically.
>
> Kind of interesting that there's been no mention here on nanog, nor have I
> personally noticed any issues (as a user or a hosting provider).
>
> Tempest in a teapot?
>
> Miles Fidelman
>
> --
> In theory, there is no difference between theory and practice.
> In practice, there is.   Yogi Berra
>
>


Re: Puerto Rico: Lack of electricity threatens telephone and internet services

2017-10-19 Thread Todd Underwood
This thread is mostly full of idle speculation, is at the least insensitive
and verges on offensive.

If you have operational information about Puerto Rico (see Sean Donelan's
posts rather than these responses), please go ahead. If you would like to
allocate blame, please go somewhere else to do it. The Internet is full of
people who are blaming Puerto Rico for getting hit by a hurricane. I don't
need it here.

Thanks,

T
(From Humacao)

On 19 Oct 2017 19:45, "Jean-Francois Mezei" wrote:

On 2017-10-19 18:18, Wayne Bouchard wrote:
> Well, the problem as I understand it is that the infrastructure was
> not all that great to begin with. Much of it was damaged in the first
> storm and when this second one came through, what remained basically
> disappeared.


Being hit with a Cat 5 hurricane/cyclone in a Caribbean island that
hasn't been a direct hit from severe storms in decades will cause
extensive damage no matter what state its infrastructure was in before.

Vegetation that does not regular storms to "prune" it will grow to a
point where it will cause major damage when a big storm hits.

And a Caribbean island who has never been "rich" will not have had, as a
priority, increasing building codes to withstand hurricanes. Building
codes get updated after a big devastating hurricane, whether it is for
Darwin in 1974 (Tracy) or ones like Andrew in Florida.

It's easy for a state the size of Texas to send all of its electrical
utility trucks to the Houston area to repair damage. But they too would
be stretched thin if all of Texas had been leveled.

If buildings were not built to withstand a 5 or a 4, then the building
itself becomes destructor of infrastructure as its materials become high
speed projectiles thrown at other buildings and especially
telephone/electrical lines.

I went through a category 4 (Olivia, Australia 1996). While the town and
building I was in (Karratha) were built to new standards and had little
damage, I witnessed the power of it, and I can totally understand Puerto
Rico being destroyed.

I know a politician with tendency to skew facts points to Puerto Rico
having had terrible infrastructure. But consider that Darwin, a "rich"
town, was wiped out in 1974 by Tracy.

https://www.youtube.com/watch?v=B89wBGydSvs

Tracy was a 4. Maria was a 5.
(note the alert sound at start of video still sends shivers down my
spine because it was the same as I heard before Olivia hit).

The population was evacuated by 747s because there was nothing there to
support it. The road link to it (Stuart Highway) is so long that Darwin
is tantamount to an island. (especially since Stuart wasn't fully paved
back then).


Also note: in Florida, the utilities positioned all their equipment in
safe places so it could survive storm and be deployed when needed. But
what happens when there is no safe place, or the safe places become
isolated because roads become impassable?


It is one thing when a state has some areas with high level of
destruction. But when the whole state is destroyed, it is a truly
different situation because its economy is also destroyed. Florida
Power still has plenty of revenues from undamaged areas to pay for the
repairs in damaged areas. The Utility in Puerto Rico doesn't. (and if it
was financially weak before, it makes things worse).

When you see other states' utilities coming to help in a highly damaged
area, don't think for a minute they do this for free. The local utility
still gets a bill at the end of the day for the work done. If the Puerto
Rico company has no cash to pay, don't expect other utilities to send
crews.


Re: Puerto Rico just lost internet?

2017-09-20 Thread Todd Underwood
the entire island is now without power:

http://www.bbc.co.uk/news/world-latin-america-41340392



no bueno.

t

On Wed, Sep 20, 2017 at 1:36 PM, Mehmet Akcin  wrote:

> There is a major outage going on in Puerto Rico and you can see it here -
>
> https://stat.ripe.net/PR#tabId=routing
>
> I am putting together some analysis as time passes - i will publish them in
> a blog and share.
>
> On Wed, Sep 20, 2017 at 5:45 AM, Sean Donelan  wrote:
>
> > On Wed, 20 Sep 2017, Daniel Brisson wrote:
> >
> >> “Strongest storm of the century” just hit San Juan.
> >>
> >
> > The number of reachable networks in Puerto Rico is down by 50%.
> >
> > Puerto Rico still has connectivity to the island, but outside facilities
> > and electrical grid is being damaged by Hurricane Maria (Cat 4).
> >
>


Re: Puerto Rico just lost internet?

2017-09-20 Thread Todd Underwood
http://www.nhc.noaa.gov/graphics_at5.shtml?cone#contents

it's still south of san juan but maría will move across the island all day
today.

t

On Wed, Sep 20, 2017 at 7:33 AM, Daniel Brisson  wrote:

> “Strongest storm of the century” just hit San Juan.
>
> -dan
>
>
>
> —
>
> Dan Brisson
> Network Engineer
> University of Vermont
>
> On 9/20/17, 7:31 AM, "NANOG on behalf of Javier J" <
> nanog-boun...@nanog.org on behalf of jav...@advancedmachines.us> wrote:
>
> Any info would help.
>
>
>


Re: Question to Google

2017-05-15 Thread Todd Underwood
On Mon, May 15, 2017 at 9:33 AM, Randy Bush  wrote:

>
> it's a whacky world.  as geoff said long ago, if there ever is real
> money counting on v6 transport, these messes will straighten out.
>

totally agree. and i'd like someone else to volunteer the "real money"
traffic, please.  :-)

t


Re: Question to Google

2017-05-15 Thread Todd Underwood
On Mon, May 15, 2017 at 8:43 AM, Stephane Bortzmeyer 
wrote:

>
> There are many zones (including your isc.org) that have several name
> servers dual-stacked, and they didn't notice a problem. Furthermore,
> since the DNS is a tree, resolution of google.com requires a proper
> resolution of the root and .com, both having IPv6 name servers.
>

"didn't notice a problem" is woefully insufficient here.

how carefully was this measured?  how was it measured?  across what
diversity of traffic.  what was the threshold for "a problem" here.

different use cases have different tolerances for the kinds of bad user
experience that google is concerned about here, both in terms of percentage
and in amount of impact.

please note that google has been super aggressively implementing and
promoting IPv6 for years, so implications that this is somehow related to
Google dragging their feet are silly.

t


>
> So, this answer is at least insufficient.
>


Re: dilemmas

2016-11-03 Thread Todd Underwood
randy,

On Wed, Nov 2, 2016 at 11:35 PM, Randy Bush  wrote:

>
> yep.  and thanks for the forward, reminding my why i have a long
> .procmailrc.
>

if this is an attempt to simply publicly mock someone on the nanog list i
have a polite request:  keep your snark to yourself.

this kind of uncivil behavior is part of what keeps this community so
homogenous as it appeals only to people willing to put up with this kind of
public nastiness.  as someone who i thought supported increasing diversity
in our community, i would expect a higher standard of professionalism and
inclusion from you.

this may also tend to keep you off of everyone else's increasingly long
(but possibly less public) mail filters.

apologies if i misunderstood your terse and otherwise apparently
content-free missive.

cheers,

t


Re: Should abuse mailboxes have quotas?

2016-10-27 Thread Todd Underwood
to answer the actual question:

all abuse mailboxes have quotas, either implicitly or explicitly.
the amount of storage available to any given mailsystem is finite.

technically correct.  it's the best kind of correct.

:-)

t

On Thu, Oct 27, 2016 at 11:03 AM, Stephen Satchell 
wrote:

> For the last couple of weeks, every single abuse mail I've tried to send
> to networks in a very short list of countries has bounced back with
> "mailbox exceeds quota".  I take this to mean that there isn't someone
> actively reading, acting on, and deleting e-mail from abuse@.
>
> So my new rule is this:  bounce an abuse e-mail message, sent to an
> abuse address announced for the netrange, and the ENTIRE NETRANGE gets
> put in my "reject forever" firewall.  I've asked all my customers about
> this action, and all agree that it's reasonable, because an
> administration with an active abuse desk shouldn't ever have their abuse
> mailbox overflow.  (Especially in this day of terabyte disks.)
>
> Or they need more people on their abuse desk.
>
> Or they need to eliminate the problem that generates so many abuse
> e-mails that it fills up their should-be-enormous mail queue.
>
> I'm tired of blatantly uncaring administrations.
>


Re: Sunday night social?

2016-06-12 Thread Todd Underwood
huh.  today we learn that social is subject to particular people's
view of social.  please author an RFC to explain the scope that counts
as social.

thanks!

t

On Sun, Jun 12, 2016 at 6:18 PM, Randy Bush <ra...@psg.com> wrote:
> This may surprise some, but social != frat boys.
>
> randy, on a phone
>
>> On Jun 12, 2016, at 15:08, Todd Underwood <toddun...@gmail.com> wrote:
>>
>> surely this is not the same randy bush that loves to point out that
>> humans are social animals!
>>
>> t
>>
>> On Sun, Jun 12, 2016 at 2:31 PM, Randy Bush <ra...@psg.com> wrote:
>>>>> Is Wednesday night the only social?
>>>> Yes.
>>>
>>> damn!  if i had known there was a chance of folk acting more like sober
>>> adults than the usual frat boys i might have scheduled chicago.
>>>
>>> randy


Re: Sunday night social?

2016-06-12 Thread Todd Underwood
surely this is not the same randy bush that loves to point out that
humans are social animals!

t

On Sun, Jun 12, 2016 at 2:31 PM, Randy Bush  wrote:
>>> Is Wednesday night the only social?
>> Yes.
>
> damn!  if i had known there was a chance of folk acting more like sober
> adults than the usual frat boys i might have scheduled chicago.
>
> randy


Re: ATT Mobile Outage San Juan, PR 8+ hours, 1 Million out.

2016-05-04 Thread Todd Underwood
http://www.univision.com/noticias/comunicacion/cerca-de-un-millon-de-abonados-de-at-t-sin-servicio-en-el-pais-debido-a-averia

for spanish speakers.

they say it's a "hardware" issue that caused the fault.  the story has
almost no other facts in it about the RFO.  there.  i just read it for
you.

:-)

t

On Wed, May 4, 2016 at 5:44 PM, Javier J  wrote:
> Haha, wouldn't be surprised if it had something to do with some government
> owned infrastructure crashing on a fiber.
>
> Just got my first call of the day from someone there. Looks like it's
> starting to come back.
>
> I'm still curious what exactly died.
>
> I saw hardware mentioned, but you could get a plane from Miami there in 2
> hours if it was a matter of just swapping out a piece of network gear.
> On May 4, 2016 5:22 PM, "Tyler Applebaum"  wrote:
>
>> Maybe they didn't pay their bill! (kidding...)
>>
>> http://money.cnn.com/2016/05/02/investing/puerto-rico-default-may-1/
>>
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Javier J
>> Sent: Wednesday, May 4, 2016 1:37 PM
>> To: nanog@nanog.org
>> Subject: ATT Mobile Outage San Juan, PR 8+ hours, 1 Million out.
>>
>> Anyone know what is going on, nothing in the English speaking media (not
>> surprised)
>>
>> but reports are that a million + people on ATT in the metro area are
>> without service for 8+ hours now.
>>
>>
>> Only reports I have seen are on local media and social media.
>>
>>
>> Any information is appreciated.   If there is a better mailing list please
>> let me know.
>>
>> - Javier
>>


Re: Cogent <=> Google Peering issue

2016-02-17 Thread Todd Underwood
let me try to be more concrete and helpful:

lots of people who work at google *and* at cogent are on this list.
none of them are doing anything to look at anything right now b/c
there are no facts in evidence yet.

if you want help with something or want to verify something, provide a
time, a date, a path, a fact, a traceroute, a flow, a log entry a
clue.

cheers,

t

On Wed, Feb 17, 2016 at 11:54 AM, jim deleskie <deles...@gmail.com> wrote:
> They haven't been since at least the mid 90's :)
>
> On Wed, Feb 17, 2016 at 12:50 PM, Nick Hilliard <n...@foobar.org> wrote:
>>
>> Todd Underwood wrote:
>> > Can you scope "issue" with any facts or data?
>>
>> are facts or data strictly necessary on the nanog mailing list?
>>
>> Nick
>>
>> > T
>> > On Feb 17, 2016 11:16, "Fred Hollis" <f...@web2objects.com> wrote:
>> >
>> >> Anyone else aware of it?
>> >>
>>
>


Re: Cogent <=> Google Peering issue

2016-02-17 Thread Todd Underwood
Can you scope "issue" with any facts or data?

T
On Feb 17, 2016 11:16, "Fred Hollis"  wrote:

> Anyone else aware of it?
>


Re: bad announcement taxonomy

2015-11-18 Thread Todd Underwood
Reorigination?

Mis-re-origination?
On Nov 18, 2015 22:53, "Randy Bush"  wrote:

> > What about "origin scrubbing".
>
> so now it has no origin?
>


Re: Project Fi and the Great Firewall

2015-11-15 Thread Todd Underwood
Why not both?  So sad when you have to choose a single oppressive regime to
track your internet use.

T

On Sun, Nov 15, 2015, 09:04 Brandon Butterworth 
wrote:

> > This is what roaming data means, Your data packet is simply trunked to
> > your original operator to process.  So you will be having a US ip on
> > the web.
>
> And continuity of US tracking of your use rather than temporary Chinese
> tracking
>
> brandon
>


Re: spam smackdown?

2015-10-26 Thread Todd Underwood
luckily, many of us saw almost none of this spam due to effective
inbound spam filtering on our accounts.  which is awesome.

i did, however, manage to see lots of messages from people complaining
about the spam that they did receive.  :-)

t

On Mon, Oct 26, 2015 at 12:35 PM, Jim Popovitch  wrote:
> On Sat, Oct 24, 2015 at 10:39 PM, Scott Weeks  wrote:
>>
>>
>> It looks like someone's trying to make a point.
>
> The takeaway is:
>
> 1) NANOG doesn't seem to do simple inbound spam filtering  :-)
>
>
> -Jim P.


Re: /27 the new /24

2015-10-12 Thread Todd Underwood
it's also not entirely obvious what the point of having local IXes
that serve these kinds of collections of people.

how much inter-ASN traffic is there generally for a city of 100k
people, even if they all have 1Gb/s connections?  are they all
torrenting, accessing local business web pages that are hosted
locally, streaming video from local streaming caches?  if a local IX
is a good place for a llnw, akamai, ggc, netflix cache node, i can see
it, but that's about it.

t

On Mon, Oct 12, 2015 at 10:33 AM, joel jaeggli  wrote:
> On 10/12/15 1:57 AM, Henrik Thostrup Jensen wrote:
>> On Fri, 9 Oct 2015, Jeremy Austin wrote:
>>
>>> Juneau, I'm not so surprised; how many other cities that small and
>>> isolated
>>> have IXes? I'm curious. It's an interesting prospect, at least for some
>>> value of $location.
>>
>> Several small cities in Sweden have IXes. Not sure than any of them are
>> quite as small as Juneau, but some (Borås, Luleå, Sundsvall) are sub
>> 100k people, and other cities (Umeå, Uppsala) are just over 100k
>> inhabitants. Umeå and Luleå are relatively isolated - at least by
>> European standards.
>>
>> Most of these are probably just a switch or two, and are probably there
>> to provide better quality of service, and not because it makes for a
>> good business.
>
> Sweden's  IX infrastructure is not entirely unique but are certainly
> borne out of a particular set of circumstances and public private
> partnerships that  don't generally exist elsewhere.
>
> https://en.wikipedia.org/wiki/Netnod
>
>>
>> Best regards, Henrik
>>
>>  Henrik Thostrup Jensen 
>>  Software Developer, NORDUnet
>>
>
>


Re: /27 the new /24

2015-10-12 Thread Todd Underwood
all,

On Mon, Oct 12, 2015 at 1:15 PM, Christopher Morrow
<morrowc.li...@gmail.com> wrote:
> On Mon, Oct 12, 2015 at 11:23 AM, Todd Underwood <toddun...@gmail.com> wrote:
>> it's also not entirely obvious what the point of having local IXes
>> that serve these kinds of collections of people.
>>
>
> this conversation is sort of like the ipv6 part earlier though... 'if
> people want to do this, cool! if they don't or can't for $REASONS also
> cool.'

oh, for sure.  anyone who wants to should, of course.

i'm just pointing out (in opposition to the drumbeat of "MOAR IXes
EVERYWHERE!!!" message) that IXes are often not that useful and people
should critically evaluate whether they need one and would benefit
from the cost.

so far, the "coolness", "psychological", "possible future industry"
benefits are all cited.  that's fine.  but there's often zero business
case for an IX outside of major fibre confluences.

t


Re: /27 the new /24

2015-10-10 Thread Todd Underwood
In general, most of NANOG recipients live in the populated metros and know
very little about what it's like to try to provide internet access in the
hinterlands.  do not pay attention to their magical claims of 'just connect
to some IX and everything will be fine'.

you already know that that's not how the internet in the rural west works.
 it's fine.  smile and nod and pretend that they are making sensible claims
and move back to trying to figure out how to make things work on your own
network.

cheers,


t
On Oct 10, 2015 2:43 PM, "Eric Kuhnke"  wrote:

> As Jeremy has described in detail, the problem is at OSI layer 1. Not a
> lack of peering exchanges such as the VANIX. There is no dark fiber route
> from Alaska via the Yukon to Vancouver.
>
> I know where most of the Telus (ILEC) and Northwestel (Bell) fiber is in
> northern BC and none of it interconnects with Alaska.
>
> Network topologically all locations in Alaska which are fiber fed via the
> existing submarine cable routes (not on geostationary C/Ku-band satellite)
> are a suburb of Seattle. Imagine an island with a population of about
> 600,000 people located somewhere in Puget Sound with various DWDM circuits
> that have their other ends in the Westin Building. Various IP transit,
> peering, transport and IX connections at that location.
>
> Other satellite fed singlehomed locations in Alaska can be logically just
> about anywhere thanks to the way bent-pipe relay via geostationary
> transponders work. There's at least a couple of dozen large teleports in
> the US 48 states with 7.3m and larger C-band dishes that support two way
> TDMA and SCPC services into Alaska. In such case the sites are
> indistinguishable from very low bandwidth singlehomed FDD microwave sites
> which happen to have at minimum 495ms latency.
>
>
>
> On Fri, Oct 9, 2015 at 1:04 PM, Owen DeLong  wrote:
>
> >
> > > On Oct 8, 2015, at 11:24 PM, Jeremy Austin  wrote:
> > >
> > > On Thu, Oct 8, 2015 at 3:25 PM, James Jun  wrote:
> > >
> > >>
> > >> If you want choices in your transit providers, you should get a
> > transport
> > >> circuit (dark, wave or EPL) to a nearby carrier hotel/data center.
> Once
> > >> you do that, you will suddenly find that virtually almost everyone in
> > the
> > >> competitive IP transit market will provide you with dual-stacked
> > IPv4/IPv6
> > >> service.
> > >>
> > >
> > > The future is here, but it isn't evenly distributed yet. I'm in North
> > > America, but there are no IXPs in my *state*, let alone in my
> *continent*
> > > -- from an undersea fiber perspective. There is no truly competitive IP
> > > transit market within Alaska that I am aware of. Would love to be
> proved
> > > wrong. Heck, GCI and ACS (the two providers with such fiber) only
> > directly
> > > peered a handful of years ago.
> >
> > Alaska is in the same continent as Canada and the Contiguous US.
> >
> > VANIX (Vancouver), CIX (Calgary), Manitoba-IX (Winnipeg), WPGIX
> > (Winnipeg), TORIX (Toronto),
> > and an exchange in Montreal (I forget the name) exist as well as a few
> > others in Canada (I think
> > there’s even one out in the maritimes).
> >
> > There are tons of exchanges all over the contiguous US.
> >
> > I’m surprised that there isn’t yet an exchange point in Juneau or
> > Anchorage, but that
> > does, indeed, appear to be the case. Perhaps you should work with some
> > other ISPs
> > in your state to form one.
> >
> > According to this:
> > http://www.alaskaunited.com 
> >
> > There is subsea fiber to several points in AK from Seattle and beyond.
> >
> > And on a continental basis, quite a bit of undersea fiber in other
> landing
> > stations
> > around the coastal areas of the contiguous 48.
> >
> > >> If you are buying DIA circuit from some $isp to your rural location
> that
> > >> you call "head-end" and are expecting to receive a competitive
> service,
> > >> and support for IPv6, well, then your expectations are either
> > unreasonable,
> > >> ignorant or both.
> > >>
> > >
> > > Interestingly both statewide providers *do* provide both IPv4 and IPv6
> > > peering. The trick is to find a spot where there's true price
> > competition.
> > > The 3 largest statewide ISPs have fiber that meets a mere three city
> > blocks
> > > from one of my POPs, but there's no allowable IX. I'm looking at you,
> > AT
> >
> > I’m not sure what you mean by “allowable IX”, to the best of my
> knowledge,
> > anyone
> > can build an IX anywhere.
> >
> > Owen
> >
> >
> >
>


Re: How to force rapid ipv6 adoption

2015-10-02 Thread Todd Underwood
On Fri, Oct 2, 2015 at 2:07 PM, Owen DeLong  wrote:
>
> None of them does what you propose — Smooth seamless communication between
> an IPv4-only host and an IPv6-only host.

i view this point/question as an assertion by owen as follows:

"it was never possible to design a smooth transition and that's why we
gave up on it."

furthermore, it's also the following assertion:

"it was never possible to expand our address space while allowing for
an actual migration."

if you believe that, then you end up in advocacy land.  if you don't
believe that but you see lots of people who gave up on the design
process early, then you understand why we're here.

v6 was designed without a migration plan and it wasn't believed to be
important, or possibly wasn't believed to be possible.  but there was
never any pressure to use v6 because v4 worked well and we had plenty
of addresses.  we still have plenty of addresses and although they're
no longer ~free from quasi-governmental organizations they're way
cheaper than the cost to implement v6.  so we're still going to use v4
~forever.

>
> So, please, Todd, explicate exactly how you would achieve that stated
> objective… What could you do differently on the IPv6-only host side that
> would allow smooth seamless connectivity to/from the IPv4 host while still
> providing a larger address space?

it sounds like you're interested in having the engineering
conversation that should have been had ~15 years ago.  me, too  15
years ago.  sigh.

i know owen is now just trolling because he's threatened by the idea
that there might be something wrong with ipv6, but the reality is that
none of this was necessary.  ipv6 might have been done differently
with a different header format and different choices around migration.
routing could have been done differently to try to preserve end-to-end
but still splitting locators and identifiers (which i know that dave
meyer thinks might not be possible but i'm still more sanguine about).
we could have explicitly made smooth migration an engineering
requirement just as much as "more addresses" were.

we didn't.  that's fine.  so we got a disconnected network that some
things can talk to and others can't.  and we put the full burden all
the way to every edge.  and now we have conversations about how to
upgrade home cpe everywhere.  it's tedious and boring and dumb but
it's the direct result of every decision we made and how we
prioritized things.

so, for clarity, this "how do you magically enable smooth migration
now that we didn't prioritize it in the protocol design" question is a
bogus red herring.  the answer is:  "you prioritize it in the protocol
design".  i assume smart people can see that.

owen:  i understand you like v6 and that it's important to you.  that
doesn't mean it's perfect and it doesn't mean we couldn't have done
better. stop being so hostile and so threatened and try to listen a
bit.  or don't.  whatever works for you.

cheers!

t

>
> In any case I'm giving up on that conversation. And this whole one. It goes
> nowhere.
>
> And this is why v6 is where it is: true believers. Instead of a simple,
> practical matter of engineering a transition we got 15 years of advocacy.
>
> If it’s so simple, why do you continue to refuse to explain the process?
>
> Owen
>
>


Re: How to force rapid ipv6 adoption

2015-10-02 Thread Todd Underwood
that's crazy.  why would you want a simple way to bootstrap more
addresses from what we have now?

you'll never make yourself into an internationally known ipvNEXT
advocate with engineering like that.

more advocacy.  less engineering!

t

On Fri, Oct 2, 2015 at 5:18 PM, William Herrin  wrote:
> On Fri, Oct 2, 2015 at 5:03 PM, Fred Baker (fred)  wrote:
>>  There's no way to change the IPv4 address to be larger
>
> http://bill.herrin.us/network/ipxl.html
>
> There's always a way.
>
> Regards,
> Bill Herrin
>
>
>
> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Owner, Dirtside Systems . Web: 


Re: How to force rapid ipv6 adoption

2015-10-01 Thread Todd Underwood
i'm still confused, to be honest.

why are we 'encouraging' 'evangelizing' or 'forcing' ipv6 adoption.

it's just a new addressing protocol that happens to not work with the rest
of the internet.  it's unfortunate that we made that mistake, but i guess
we're stuck with that now (i wish i could say something about lessons
learned but i don't think any one of us has learned a lesson yet).

so people will renumber their network assets into this new network
namespace when either:

1) the new non-internet ipv6 network has enough good stuff only on it that
it makes sense to go over there; or

2) the old ipv4 internet addresses get so expensive that ain't no one
willing to pay.

right now, neither of those things are true.  so people who are adopting
ipv6 are doing so for two reasons:

A) blind, unmotivated religious reasons.  they "believe" in this new
protocol and have somehow managed to tie their identity up in it.  (this is
clearly a mistake for an engineer:  technology comes and goes.  don't ever
tie your identity up in some technology or you'll end up advocating DECNET
for the cloud at some point.  it won't be pretty).

B) strategic reasons.  there are people who think that switching costs are
going to be high and that there's an advantage to moving earlier to be
ready for coming demand when #1 or #2 above happen.  unlike A, B is
completely rational and smart.  it might be wrong, but it's not stupid at
all.  put mike leber and HE in this B category.

the only reason people are *advocating* ipv6 right now are that they've
made a religious choice, which is weird and should be a personal, not
public choice unless they are great commission ipv6 adherents [1], *or*
they have a vested interest in getting your business.

the first reason is religion and is off-topic for nanog and the second
reason is marketing (however well intentioned) and should also be off topic
for nanog.

so can we stop talking about ipv6 advocacy and move on to the network
engineering topics, please?  if someone is running ipv6 for whatever reason
and has questions, awesome.  if someone wants to talk about addressing
schemes, awesome.  but trying to convince someone to run LAT^H^H^Hipv6 or
whatever disconnected network protocol they're advocating today?  not
useful.

cheers,

t



On Thu, Oct 1, 2015 at 6:32 PM Mark Andrews  wrote:

>
> In message <4f2e19ba-d92a-4bec-86e2-33b405c30...@delong.com>, Owen DeLong
> writes:
> >
> > > On Oct 1, 2015, at 13:55 , Grzegorz Janoszka 
> > wrote:
> > >
> > > On 2015-10-01 20:29, Owen DeLong wrote:
> > >> However, I think eventually the residential ISPs are going to start
> > charging extra
> > >> for IPv4 service.
> > >
> > > ISP's will not charge too much. With too expensive IPv4 many customers
> > will migrate from v4/dual stack to v6-only and ISP's will be left with
> > unused IPv4 addresses and less income.
> >
> > Nope… They’ll be left with unused IPv4 addresses which is not a
> > significant source of income and they’ll be able to significantly reduce
> > the costs incurred
> > in supporting things like CGNAT.
> >
> > > Will ISP's still find other profitable usage for v4 addresses? If not,
> > they will be probably be quite slowly rising IPv4 pricing, not wanting to
> > overprice it.
> >
> > Probably they will sell it to business customers instead of the
> > residential customers. However, we’re talking about relatively large
> > numbers of customers
> > for relatively small numbers of IPv4 addresses that aren’t producing
> > revenue directly at this time anyway.
> >
> > > Even with $1/IPv4/month - what will be the ROI of a brand new home
> > router?
> >
> > About 2.5 years at that price since a brand new home router is about $29.
> >
> > Owen
>
> The hard part is the internet connected TV's and other stuff which
> fetches content over the internet which are IPv4 only despite being
> released when IPv6 existed.  These are theoretically upgradable to
> support IPv6 so long as the manufactures release a IPv6 capable
> image.  The real question is will governments force them to do this.
>
> Upgrading the router is a no brainer.  Upgrading the TV, games
> consoles, e-readers, etc. starts to add up.
>
> Mark
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>


Re: How to force rapid ipv6 adoption

2015-10-01 Thread Todd Underwood
Yep. Nat is terrible. Dual stack is even worse for end user exclusive.
Clients that migrate back and forth between different protocols at will
(hello Mac OS) are going to be really challenging for everyone, too.

But we didn't get magical, free, simple migration. So we could have done
some kind of 8+8 or LISP thing but we didn't. And here we are.


T

On Thu, Oct 1, 2015, 21:15 Dovid Bender <do...@telecurve.com> wrote:

> Nothing to do with religion at all. I advocate IPv6 all the time as some
> one who deals a lot with SIP. The issues are endless when dealing with NAT.
> NAT is an ugly hack and should die already. It will take a few years for
> router manufactures to get it right but them they do it will be better for
> all.
>
> Regards,
>
> Dovid
>
> -Original Message-
> From: Todd Underwood <toddun...@gmail.com>
> Sender: "NANOG" <nanog-boun...@nanog.org>
> Date: Thu, 01 Oct 2015 22:42:57
> To: Mark Andrews<ma...@isc.org>; Owen DeLong<o...@delong.com>
> Cc: <nanog@nanog.org>
> Subject: Re: How to force rapid ipv6 adoption
>
> i'm still confused, to be honest.
>
> why are we 'encouraging' 'evangelizing' or 'forcing' ipv6 adoption.
>
> it's just a new addressing protocol that happens to not work with the rest
> of the internet.  it's unfortunate that we made that mistake, but i guess
> we're stuck with that now (i wish i could say something about lessons
> learned but i don't think any one of us has learned a lesson yet).
>
> so people will renumber their network assets into this new network
> namespace when either:
>
> 1) the new non-internet ipv6 network has enough good stuff only on it that
> it makes sense to go over there; or
>
> 2) the old ipv4 internet addresses get so expensive that ain't no one
> willing to pay.
>
> right now, neither of those things are true.  so people who are adopting
> ipv6 are doing so for two reasons:
>
> A) blind, unmotivated religious reasons.  they "believe" in this new
> protocol and have somehow managed to tie their identity up in it.  (this is
> clearly a mistake for an engineer:  technology comes and goes.  don't ever
> tie your identity up in some technology or you'll end up advocating DECNET
> for the cloud at some point.  it won't be pretty).
>
> B) strategic reasons.  there are people who think that switching costs are
> going to be high and that there's an advantage to moving earlier to be
> ready for coming demand when #1 or #2 above happen.  unlike A, B is
> completely rational and smart.  it might be wrong, but it's not stupid at
> all.  put mike leber and HE in this B category.
>
> the only reason people are *advocating* ipv6 right now are that they've
> made a religious choice, which is weird and should be a personal, not
> public choice unless they are great commission ipv6 adherents [1], *or*
> they have a vested interest in getting your business.
>
> the first reason is religion and is off-topic for nanog and the second
> reason is marketing (however well intentioned) and should also be off topic
> for nanog.
>
> so can we stop talking about ipv6 advocacy and move on to the network
> engineering topics, please?  if someone is running ipv6 for whatever reason
> and has questions, awesome.  if someone wants to talk about addressing
> schemes, awesome.  but trying to convince someone to run LAT^H^H^Hipv6 or
> whatever disconnected network protocol they're advocating today?  not
> useful.
>
> cheers,
>
> t
>
>
>
> On Thu, Oct 1, 2015 at 6:32 PM Mark Andrews <ma...@isc.org> wrote:
>
> >
> > In message <4f2e19ba-d92a-4bec-86e2-33b405c30...@delong.com>, Owen
> DeLong
> > writes:
> > >
> > > > On Oct 1, 2015, at 13:55 , Grzegorz Janoszka <grzeg...@janoszka.pl>
> > > wrote:
> > > >
> > > > On 2015-10-01 20:29, Owen DeLong wrote:
> > > >> However, I think eventually the residential ISPs are going to start
> > > charging extra
> > > >> for IPv4 service.
> > > >
> > > > ISP's will not charge too much. With too expensive IPv4 many
> customers
> > > will migrate from v4/dual stack to v6-only and ISP's will be left with
> > > unused IPv4 addresses and less income.
> > >
> > > Nope… They’ll be left with unused IPv4 addresses which is not a
> > > significant source of income and they’ll be able to significantly
> reduce
> > > the costs incurred
> > > in supporting things like CGNAT.
> > >
> > > > Will ISP's still find other profitable usage for v4 addresses? If
> not,
> > > they will be probably be quite slowly rising IPv4 pricin

Re: How to force rapid ipv6 adoption

2015-10-01 Thread Todd Underwood
one interesting thing to note...

On Thu, Oct 1, 2015 at 8:01 PM Mark Andrews  wrote:

>
> Some of us have been running IPv6 in production for over a decade
> now and developing products that support IPv6 even longer.
>
> We have had 17 years to build up a universal IPv6 network.  It
> should have been done by now.
>

yes.  huh.  funny about that, right?  what do you think accounts for that?
 *why* do you think that *17* *years* later people are still just barely
using this thing.

i have a theory.  i may have already mentioned that "dual stack and ipv4
will wither away by itself" turns out to have been a dumb idea that didn't
happen. and there was no migration path other than that, really.

so v6 and v4 don't interoperate as designed and that was an afterthought
that didn't really happen until recently (and in a way that's still
arguably more complex than NAT).  and here we are.

so here's my view:  if you have some technical solution for a networking
problem that no one wants for 17 years, you should really probably think
about that.  you might not even have to wait 17 years to figure out that
something might be wrong.

most good stuff is adopted without "evangelism".

t



> Mark
>
> > --
> > Matthew Newton, Ph.D. 
> >
> > Systems Specialist, Infrastructure Services,
> > I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
> >
> > For IT help contact helpdesk extn. 2253, 
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>


Re: How to force rapid ipv6 adoption

2015-10-01 Thread Todd Underwood
this is an interesting example of someone who has ill advisedly tied up his
identity in a network protocol.  this is a mistake i encourage you all not
to make.  network protocols come and go but you only get one shot at life,
so be your own person.

this is ad-hominem, owen and i won't engage.  feel free to be principled
and have technical discussion but insults and attacks really have no place.
 so please just stop and relax.

thanks,

t



On Thu, Oct 1, 2015 at 8:53 PM, Owen DeLong <o...@delong.com> wrote:

> OK… Let’s look at the ASN32 process.
>
> Use ASN 23456 (16-bit) in the AS-Path in place of each ASN32 entry in the
> path.
> Preserve the ASN32 path in a separate area of the BGP attributes.
>
> So, where in the IPv4 packet do you suggest we place these extra 128 bits
> of address?
>
> Further, what mechanism do you propose for forwarding to the 128 bit
> destination by
> looking at the value in the 32 bit field?
>
> The closest I can come to a viable implementation of what you propose
> would be
> to encapsulate IPv6 packets between IPv6 compatible hosts in an IPv4
> datagram
> which is pretty much what 6in4 would be.
>
> If you want the end host on the other side to be able to send a reply
> packet, then
> it pretty much has to be able to somehow handle that 128 bit reply address
> to set up the destination for the reply packet, no? (No such requirements
> for ASN32).
>
> Seriously, Todd, this is trolling pure and simple.
>
> Unless you have an actual complete mechanism for solving the problem,
> you’re just
> doing what you do best… Trolling.
>
> Admittedly, most of your trolling has enough comedic value that we laugh
> and get
> past it, but nonetheless, let’s see if you have a genuine solution to
> offer or if this
> is just bluster.
>
> Owen
>
> > On Oct 1, 2015, at 16:52 , Todd Underwood <toddun...@gmail.com> wrote:
> >
> > I can't tell if this question is serious. It's either making fun of the
> > embarrassingly inadequate job we have done on this transition or it's
> > naive and ignorant in a genius way.
> >
> > Read the asn32 migration docs for one that migrations like this can be
> > properly done.
> >
> > This was harder but not impossible. We just chose badly for decades and
> now
> > we have NAT *and* a dumb migration.
> >
> > Oh well.
> >
> > T
> > On Oct 1, 2015 19:26, "Matthew Newton" <m...@leicester.ac.uk> wrote:
> >
> >> On Thu, Oct 01, 2015 at 10:42:57PM +, Todd Underwood wrote:
> >>> it's just a new addressing protocol that happens to not work with the
> >> rest
> >>> of the internet.  it's unfortunate that we made that mistake, but i
> guess
> >>> we're stuck with that now (i wish i could say something about lessons
> >>> learned but i don't think any one of us has learned a lesson yet).
> >>
> >> Would be really interesting to know how you would propose
> >> squeezing 128 bits of address data into a 32 bit field so that we
> >> could all continue to use IPv4 with more addresses than it's has
> >> available to save having to move to this new incompatible format.
> >>
> >> :-)
> >>
> >> Matthew
> >>
> >>
> >> --
> >> Matthew Newton, Ph.D. <m...@le.ac.uk>
> >>
> >> Systems Specialist, Infrastructure Services,
> >> I.T. Services, University of Leicester, Leicester LE1 7RH, United
> Kingdom
> >>
> >> For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
> >>
>
>


Re: How to force rapid ipv6 adoption

2015-10-01 Thread Todd Underwood
Either there are multiple translation systems that exist that were invented
late or there are not. Either Owen has never heard of any of them or he is
trolling.

In any case I'm giving up on that conversation. And this whole one. It goes
nowhere.

And this is why v6 is where it is: true believers. Instead of a simple,
practical matter of engineering a transition we got 15 years of advocacy.

It makes the sleazy v4 transfer market look appealing. :)

T
On Oct 1, 2015 8:59 PM, "Owen DeLong" <o...@delong.com> wrote:

> I’m not at all tied up in a particular protocol.
>
> Still, Todd, ignoring the other parts, the least you can do is answer this
> simple question:
>
> How would you implement a 128-bit address that is backwards compatible
> with existing
> IPv4 hosts requiring no software modification on those hosts? Details
> matter here.
> Handwaving about ASN32 doesn’t cut it.
>
>
> If you can’t answer that, there’s really nothing to your argument.
>
> Owen
>
> On Oct 1, 2015, at 17:56 , Todd Underwood <toddun...@gmail.com> wrote:
>
> this is an interesting example of someone who has ill advisedly tied up
> his identity in a network protocol.  this is a mistake i encourage you all
> not to make.  network protocols come and go but you only get one shot at
> life, so be your own person.
>
> this is ad-hominem, owen and i won't engage.  feel free to be principled
> and have technical discussion but insults and attacks really have no place.
>  so please just stop and relax.
>
> thanks,
>
> t
>
>
>
> On Thu, Oct 1, 2015 at 8:53 PM, Owen DeLong <o...@delong.com> wrote:
>
>> OK… Let’s look at the ASN32 process.
>>
>> Use ASN 23456 (16-bit) in the AS-Path in place of each ASN32 entry in the
>> path.
>> Preserve the ASN32 path in a separate area of the BGP attributes.
>>
>> So, where in the IPv4 packet do you suggest we place these extra 128 bits
>> of address?
>>
>> Further, what mechanism do you propose for forwarding to the 128 bit
>> destination by
>> looking at the value in the 32 bit field?
>>
>> The closest I can come to a viable implementation of what you propose
>> would be
>> to encapsulate IPv6 packets between IPv6 compatible hosts in an IPv4
>> datagram
>> which is pretty much what 6in4 would be.
>>
>> If you want the end host on the other side to be able to send a reply
>> packet, then
>> it pretty much has to be able to somehow handle that 128 bit reply address
>> to set up the destination for the reply packet, no? (No such requirements
>> for ASN32).
>>
>> Seriously, Todd, this is trolling pure and simple.
>>
>> Unless you have an actual complete mechanism for solving the problem,
>> you’re just
>> doing what you do best… Trolling.
>>
>> Admittedly, most of your trolling has enough comedic value that we laugh
>> and get
>> past it, but nonetheless, let’s see if you have a genuine solution to
>> offer or if this
>> is just bluster.
>>
>> Owen
>>
>> > On Oct 1, 2015, at 16:52 , Todd Underwood <toddun...@gmail.com> wrote:
>> >
>> > I can't tell if this question is serious. It's either making fun of the
>> > embarrassingly inadequate job we have done on this transition or it's
>> > naive and ignorant in a genius way.
>> >
>> > Read the asn32 migration docs for one that migrations like this can be
>> > properly done.
>> >
>> > This was harder but not impossible. We just chose badly for decades and
>> now
>> > we have NAT *and* a dumb migration.
>> >
>> > Oh well.
>> >
>> > T
>> > On Oct 1, 2015 19:26, "Matthew Newton" <m...@leicester.ac.uk> wrote:
>> >
>> >> On Thu, Oct 01, 2015 at 10:42:57PM +, Todd Underwood wrote:
>> >>> it's just a new addressing protocol that happens to not work with the
>> >> rest
>> >>> of the internet.  it's unfortunate that we made that mistake, but i
>> guess
>> >>> we're stuck with that now (i wish i could say something about lessons
>> >>> learned but i don't think any one of us has learned a lesson yet).
>> >>
>> >> Would be really interesting to know how you would propose
>> >> squeezing 128 bits of address data into a 32 bit field so that we
>> >> could all continue to use IPv4 with more addresses than it's has
>> >> available to save having to move to this new incompatible format.
>> >>
>> >> :-)
>> >>
>> >> Matthew
>> >>
>> >>
>> >> --
>> >> Matthew Newton, Ph.D. <m...@le.ac.uk>
>> >>
>> >> Systems Specialist, Infrastructure Services,
>> >> I.T. Services, University of Leicester, Leicester LE1 7RH, United
>> Kingdom
>> >>
>> >> For IT help contact helpdesk extn. 2253, <ith...@le.ac.uk>
>> >>
>>
>>
>
>
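The ASN32 transition that Owen DeLong summarizes in the quoted message above (AS 23456 standing in for each 32-bit ASN in the AS-Path, with the full path preserved in a separate attribute), sketched as an added example that is not from any poster in this thread. It follows the RFC 6793 rules for plain AS_SEQUENCE paths only; the function names and the sample ASNs (taken from the documentation ranges) are constructed for illustration.

```python
# Simplified model of the 4-octet ASN transition (RFC 6793).
# Paths are lists of ASNs, nearest AS first; AS_SET segments are not modelled.

AS_TRANS = 23456          # reserved 16-bit placeholder ASN
MAX_2_OCTET = 0xFFFF


def to_old_speaker(path):
    """Encode a path for a peer that only understands 16-bit ASNs.

    Returns (as_path, as4_path). Every ASN that does not fit in 16 bits is
    replaced by AS_TRANS in as_path; the untouched path travels in as4_path.
    as4_path is None when every ASN already fits in 16 bits.
    """
    as_path = [asn if asn <= MAX_2_OCTET else AS_TRANS for asn in path]
    needs_as4 = any(asn > MAX_2_OCTET for asn in path)
    return as_path, (list(path) if needs_as4 else None)


def old_speaker_forward(as_path, as4_path, local_asn):
    """A 16-bit-only router prepends itself to AS_PATH and passes the
    AS4_PATH attribute along unmodified, without interpreting it."""
    return [local_asn] + list(as_path), as4_path


def reconstruct(as_path, as4_path):
    """What a 32-bit-capable router does on receipt from a 16-bit-only peer.

    If AS_PATH is shorter than AS4_PATH the AS4_PATH is ignored. Otherwise
    the leading ASNs added by 16-bit-only routers are kept from AS_PATH and
    the remainder is taken from AS4_PATH.
    """
    if as4_path is None or len(as_path) < len(as4_path):
        return list(as_path)
    lead = len(as_path) - len(as4_path)
    return list(as_path[:lead]) + list(as4_path)


def demo():
    # Constructed path: two 32-bit ASNs around one 16-bit ASN.
    original = [65550, 64500, 65536]
    as_path, as4_path = to_old_speaker(original)
    # Two 16-bit-only routers (constructed ASNs) carry the route onward.
    for old_asn in (64510, 64511):
        as_path, as4_path = old_speaker_forward(as_path, as4_path, old_asn)
    return as_path, as4_path, reconstruct(as_path, as4_path)


if __name__ == "__main__":
    seen_by_old, carried, rebuilt = demo()
    print("AS_PATH seen by 16-bit routers:", seen_by_old)
    print("AS4_PATH carried alongside:    ", carried)
    print("Path rebuilt by 32-bit router: ", rebuilt)
```

The 16-bit-only routers in the middle keep working because they only ever look at a field of the size they already understand, which is the property the thread is arguing about for addresses.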


Re: How to force rapid ipv6 adoption

2015-09-29 Thread Todd Underwood
another good idea is to design a migration path to ipv6 so that people
using the internet can also use the ipv6-internet.

that would be cool.

we should probably think about some migration path other than the pretty
obviously implausible "dual stack" silliness before this stuff actually
becomes a necessity, otherwise lots of people will end up spinning their
wheels trying to figure out how to "convince people" to use a
non-internet-connected protocol rather than just keeping on using ipv4.

i'll bet some smart people are already on that problem, though.

keep me posted!  :-)

t

On Tue, Sep 29, 2015 at 4:37 PM, David Hubbard <
dhubb...@dino.hostasaurus.com> wrote:

> Had an idea the other day; we just need someone with a lot of cash
> (google, apple, etc) to buy Netflix and then make all new releases
> v6-only for the first 48 hours.  I bet my lame Brighthouse and Fios
> service would be v6-enabled before the end of the following week lol.
>
> David
>


Re: Recent trouble with QUIC?

2015-09-24 Thread Todd Underwood
This has now been resolved. See recent post by ian swett in a separate
thread about quic.

T
On Sep 24, 2015 1:12 AM, "Mike Meredith"  wrote:

> On Wed, 23 Sep 2015 19:01:19 -0500, Sean Hunter 
> may have written:
> > a) Has anyone here had a similar experience? Was the root cause QUIC
> > in your case?
>
> Yes. No; in our case our firewall (a PA5060 running PANOS6.1.3 at the
> time) was allowing some QUIC packets through, but not others. As it was
> newly deployed at the time, it was soon blamed :-\
>
> > b) Has anyone noticed anything remotely similar in the last few
> > weeks/days/today?
>
> Only because I enabled QUIC within Chrome on our test network to verify
> that it was still a problem.
>
> > We're an Apps domain, so this may be specific to universities in the
> > Apps universe.
>
> As are we.
>
> --
> Mike Meredith, University of Portsmouth
> Principal Systems Engineer, Hostmaster, Security, and Timelord!
>
>


Re: Android (lack of) support for DHCPv6

2015-06-12 Thread Todd Underwood
lorenzo already stated that the cost was in user satisfaction related to
tethering and the business reason was the desire to not implement NAT in v6
on android.

many people didn't like those reasons or think that they are less important
than their own reasons.

shockingly, everyone believes that their own priorities are more important
than everyone else's priorities.

the 'cranky about the lack of DHCPv6' crowd has already made their points
and further shut down conversation by demanding that lorenzo speak for
Google on this thread.  indeed, shouting loudly and shutting down
conversation was almost certainly the intent of many of the posts here.  so
mission accomplished.

fists have been pounded.  conversation has been halted.  well done.

can we move on now?

t

On Fri, Jun 12, 2015 at 11:18 AM, James R Cutler 
james.cut...@consultant.com wrote:

 Ray Soucy has given us an nice summary. It goes along with “please let me
 manage my business and don’t take away my tools just to satisfy your
 prejudices.”

 Selection of management policies and implementations is ALWAYS a local
 issue (assuming consideration of legal necessities). Especially in the
 end-to-end model, the requirements management of end systems has not
 changed because the IP layer protocol has changed. This is a good reason
 for not prohibiting continuing use of DHCP-based solutions. “Purity of
 protocols” is not a reason for increasing management costs such as
 described by Ray.

 This debate about DHCPv6 has been going on far too long.  I want to know
 how much it will cost the “SLAAC-only” faction to quit fighting DHCPv6.
 My conjecture is that it would be minimal, especially as compared to the
 costs for the activities described by Ray.

 Putting it differently: What business purpose is served by fighting
 full-functioned DHCPv6 deployment. Don’t give me any RFC or protocol
 arguments - just tell me the business reasons for forcing others to change
 how they manage their business.

 James R. Cutler
 james.cut...@consultant.com
 PGP keys at http://pgp.mit.edu



  On Jun 12, 2015, at 10:07 AM, Ray Soucy r...@maine.edu wrote:
 
  The only thing I would add is that DHCPv6 is not just about tracking
  clients.  Yes there are ways to do so using SLAAC, but they are not
 pretty.
 
  Giving too much weight to tracking being the reason for DHCPv6 is just as
  bad as giving too much weight to tethering as the reason against it.  It
  skews the conversation.
 
  For us, DHCPv6 is about *operational consistency*.
 
  Universities have been running with the end-to-end model everyone is
  looking to IPv6 to restore for a very long time.
 
  When you connect to our network, wired or wireless, you get a public IP
  with no filtering in place in most cases.
 
  We have been living the end-to-end model, and that has given us
 operational
  experience and insight on what it actually takes to support access
 networks
  using this model.
 
  Almost every peer institution I talk to has implemented custom systems
  refined over decades to preserve the end-to-end model in a time of
  increasing security incidents and liability.  These include IPAM systems,
  which feed into vulnerability scanning, or host filtering for incident
  response, etc.
 
  These systems are in place for IPv4, and modifying them to support IPv6
  (which most of us have done) is relatively easy in the case of DHCPv6.
 
  By maintaining consistency between IPv4 and IPv6 we avoid having to
 retrain
  hundreds of IT workers on supporting connectivity.  By saying that you
  won't support DHCPv6, you effectively force us into a choice between
  investing considerable effort in redesigning systems and training IT
  personnel, while introducing confusion in the support process because
 IPv4
  and IPv6 are delivered using completely different methods.
 
  You have just made it cheaper for us to turn to NAT than to support IPv6.
  That's unacceptable.
 
  You might be thinking well that's just universities and a small percent
 of
  users, but the point here is that we do these things for a reason; we've
  been living without NAT and our collective operational experience doing
 so
  is something that would be wise to take into consideration instead of
  dismissing it or trying to call us names.
 
  Organizations running SLAAC who say everything is fine, think everything
 is
  fine because IPv6 has received almost no attention from bad actors in
 terms
  of security incidents or denial of service attacks.  Even well known
  servers with IPv6 addresses on our network rarely see SSH attempts over
  IPv6 today.
 
  *This will fundamentally change as IPv6 adoption grows*.
 
  Are you prepared to be able to deal with abuse reports of hosts on your
  network participating on denial of service attacks?  Can you associate
 the
  identity of a system to an individual when law enforcement demands you to
  do so?  How much longer will it take you to track down a host by its IPv6
  address to disable it?  How 

Re: Android (lack of) support for DHCPv6

2015-06-12 Thread Todd Underwood
On Fri, Jun 12, 2015 at 1:43 PM, valdis.kletni...@vt.edu wrote:

> On Fri, 12 Jun 2015 10:33:55 -0700, Dave Taht said:
> > The core bits of what I don't understand about the flamage is how hard
> > would it be for an end-user - or corporate client - to just add any of
> > these functionalities to this, cyanogenmod, etc.
>
> What percent of Android users have even *heard* of cyanogenmod?


a larger percentage than have ever *heard* of IPv6.  :-)

game. set. match.

t


Re: Open letter to Level3 concerning the global routing issues on June 12th

2015-06-12 Thread Todd Underwood
i remember that presentation!

https://www.nanog.org/meetings/abstract?id=459

:-)

On Fri, Jun 12, 2015 at 11:53 AM, jim deleskie deles...@gmail.com wrote:

> People from Big telcom should never reply to mailing lists from work
> addresses unless specifically allowed, which I suspect TATA doesn't either,
> based on some direct, but old knowledge :)


indeed, people from big companies who post on mailing lists at all will be
called out as official representatives of their company no matter what
address they use, from recent experience.

it's probably far better for everyone in such a situation to simply never
post anything.  :-/

t


Re: Android (lack of) support for DHCPv6

2015-06-10 Thread Todd Underwood
Anyone who thinks Lorenzo hasn't been on the front lines of pushing for
IPv6 adoption is pretty late to the party or confused about the state of
affairs.

T

On Wed, Jun 10, 2015, 21:30 Ray Soucy r...@maine.edu wrote:

 I agree that some of the rhetoric should be toned down (go out for a beer
 or something, guys ... I did).

 There is a difference between fiery debate with Lorenzo and a witch hunt,
 and some of this is starting to sound a bit personal.  I shouldn't have
 worded things the way I did, I went for the cheap shot in one of those last
 notes and that isn't really constructive.  I'm sorry.

 I think for many this thread represents years of frustration, though, and
 LC making the statements in the way he did made him a focal point for that
 frustration.

 The problem is there are many of us on the front lines trying to push for
 IPv6 adoption outside the bubble of idealism and when people of great
 influence like LC take positions like DHCPv6 isn't required it's like a
 slap in the face to all that effort.

 We really need to see Google and Android come on board with DHCPv6 support
 and I'm interested in how we can help make that happen.





 On Wed, Jun 10, 2015 at 7:00 PM, Jeff McAdams je...@iglou.com wrote:

  No.
 
  Given that Lorenzo was posting with absolute statements about Google's
  approach, and with what they would do in the future in response to
  hypothetical standards developments, these questions are completely
 valid.
 
  On Jun 10, 2015 5:24 PM, Michael Thomas m...@mtcc.com wrote:
  
   On 06/10/2015 02:51 PM, Paul B. Henson wrote:
From: Lorenzo Colitti
Sent: Wednesday, June 10, 2015 8:27 AM
   
please do not construe my words on this thread as being Google's
  position
on anything. These messages were sent from my personal email
 address,
  and I
do not speak for my employer.
Can we construe your postings on the issue thread as being Google
  and/or Androids official position? They are posted by lore...@google.com
  with a tag of Project Member, and I believe you also declined the
 request
  in the issue under that mantle.
   
   
   Oh, stop this. The only thing this will accomplish is a giant black
 hole
   of silence from anybody at Google and any other $MEGACORP
   in a similar situation.
  
   Mike
 



 --
 Ray Patrick Soucy
 Network Engineer
 University of Maine System

 T: 207-561-3526
 F: 207-561-3531

 MaineREN, Maine's Research and Education Network
 www.maineren.net



Re: AWS Elastic IP architecture

2015-06-01 Thread Todd Underwood
fb is not a 'cloud provider'.

it's orthogonal to the question.

t

On Mon, Jun 1, 2015 at 2:36 PM, Ca By cb.li...@gmail.com wrote:

 On Mon, Jun 1, 2015 at 10:49 AM, Matthew Kaufman matt...@matthew.at
 wrote:

  On 6/1/2015 12:06 AM, Owen DeLong wrote:
 
  ... Here’s the thing… In order to land IPv6 services without IPv6
 support
  on the VM, you’re creating an environment where...
 
 
  Let's hypothetically say that it is much easier for the cloud provider if
  they provide just a single choice within their network, but allow both v4
  and v6 access from the outside via a translator (to whichever one isn't
  native internally).
 
  Would you rather have:
  1) An all-IPv6 network inside, so the hosts can all talk to each other
  over IPv6 without using (potentially overlapping copies of) RFC1918
  space... but where very little of the open-source software you build your
  services on works at all, because it either doesn't support IPv6 or they
  put some IPv6 support in but it is always lagging behind and the bugs
 don't
  get fixed in a timely manner. Or,
 


 Facebook selected IPv6-only as outlined above

 http://blog.ipspace.net/2014/03/facebook-is-close-to-having-ipv6-only.html


 
  2) An all-IPv4 network inside, with the annoying (but well-known) use of
  RFC1918 IPv4 space and all your software stacks just work as they always
  have, only now the fraction of users who have IPv6 can reach them over
 IPv6
  if they so choose (despite the connectivity often being worse than the
 IPv4
  path) and the 2 people who are on IPv6-only networks can reach your
  services too.
 
  Until all of the common stacks that people build upon, including
  distributed databases, cache layers, web accelerators, etc. all work
  *better* when the native environment is IPv6, everyone will be choosing
 #2.
 
  And both #1 and #2 are cheaper and easier to manage that full dual-stack
  to every single host (because you pay all the cost of supporting v6
  everywhere with none of the savings of not having to deal with the
  ever-increasing complexity of continuing to use v4)
 
  Matthew Kaufman
 
 



Re: AWS EC2 us-west-2 reboot

2014-10-01 Thread Todd Underwood
read:  http://www.xenproject.org/security-policy.html

they have a sensible, commonly used security policy that involves private
notification to large customers in advance where it is practical and there
is not evidence of ongoing exploits in the wild.

this is kind of incident handling 101 and shouldn't be surprising to anyone.

t

On Wed, Oct 1, 2014 at 4:38 PM, Bryan Fullerton fehwal...@gmail.com wrote:


 On 01/10/2014 4:29 PM, Matt Palmer wrote:

 On Wed, Oct 01, 2014 at 11:01:37AM -0700, Grant Ridder wrote:

 For those interested, this is the Xen bug they were fixing with the
 reboots
 http://xenbits.xen.org/xsa/advisory-108.html

 Ouch.  Good thing Bashpocalypse is still capturing everyone's attention...

 Interestingly, Amazon *didn't* discover this bug, which makes one wonder
 why
 they, out of all the big Xen-based providers out there, got a heads-up in
 advance of the embargo end.  If I was a big provider who didn't get
 advance
 notice, I'd be somewhat miffed.


 Rackspace did reboots over the weekend for this as well -
 http://www.rackspace.com/blog/an-apology/

 Bryan





Re: [Paper] B4: Experience with a Globally-Deployed Software Defined WAN

2013-08-17 Thread Todd Underwood
Unpossible.  I heard that no one really uses sdn for anything.

:)

T
On Aug 17, 2013 2:43 PM, staticsafe m...@staticsafe.ca wrote:

 We present the design, implementation, and evaluation of B4, a private
 WAN connecting Google’s data centers across the planet.

 - http://cseweb.ucsd.edu/~vahdat/papers/b4-sigcomm13.pdf
 --
 staticsafe
 O ascii ribbon campaign - stop html mail - www.asciiribbon.org
 Please don't top post.
 Please don't CC! I'm subscribed to whatever list I just posted on.




Re: It's the end of the world as we know it -- REM

2013-04-24 Thread Todd Underwood
this is still my favorite post on this subject:

http://mailman.nanog.org/pipermail/nanog/2011-February/031737.html

t


On Tue, Apr 23, 2013 at 3:36 PM, staticsafe m...@staticsafe.ca wrote:

 On 4/23/2013 18:04, Leo Bicknell wrote:
  In a message written on Tue, Apr 23, 2013 at 05:41:40PM -0400,
  Valdis Kletnieks wrote:
  I didn't see any mention of this Tony Hain paper:
 
  http://tndh.net/~tony/ietf/ARIN-runout-projection.pdf
 
  tl;dr: ARIN predicted to run out of IP space to allocate in
  August this year.
 
  Here's a Geoff Houston report from 2005:
 
 https://www.arin.net/participate/meetings/reports/ARIN_XVI/PDF/wednesday/huston_ipv4_roundtable.pdf
 
   I point to page 8, and the prediction RIR Pool Exhaustion, 4
  June 2013.
 
  Those of us who paid attention are well prepared.
 
  tl;dr: Real statistical models properly executed in 2005 were
  remarkably close to the reality 8 years later.
 
 On that note, something Mr. Huston wrote more recently:

 A Primer on IPv4, IPv6 and Transition
 http://www.potaroo.net/ispcol/2013-04/primer.html

 Discussion:
 https://news.ycombinator.com/item?id=5586519

 --
 staticsafe
 O ascii ribbon campaign - stop html mail - www.asciiribbon.org
 Please don't top post - http://goo.gl/YrmAb
 Don't CC me! I'm subscribed to whatever list I just posted on.




Re: Notice: Fradulent RIPE ASNs

2013-01-16 Thread Todd Underwood
> I do not understand why you're so adamant about sending this information
> to an organization primarily distinguished by its incompetence and
> negligence.  If they were actually DOING THEIR JOBS in even minimally
> diligent fashion, then Ron wouldn't needed to write that note or do
> the research behind it, because this wouldn't be happening.

this kind of mostly unfounded vitriol is silly and damages your credibility.

no one seriously believes that the RIPE NCC (which is managed by all
of its members) is primarily distinguished by their incompetence and
negligence.

i believe this conversation has now gotten to the plonk stage.  can
someone compare them to hitler so that we can move on?

cheers,

t



Re: Notice: Fradulent RIPE ASNs

2013-01-16 Thread Todd Underwood
it's nice that we've proceeded to insult our colleagues.

many thanks to mr. petach for achieving the end of this thread.  thank
you all for participating.

On Wed, Jan 16, 2013 at 10:54 AM, Rich Kulawiec r...@gsp.org wrote:
 On Wed, Jan 16, 2013 at 10:07:40AM -0500, Todd Underwood wrote:
 no one seriously believes that the RIPE NCC (which is managed by all
 of its members) is primarily distinguished by their incompetence and
 negligence.

 Really?  Then why, pray tell, haven't they made it a practice to routinely
 (let's say, once a month) ask the people over at Spamhaus: Hey folks, do
 you see anything wonky in the space we manage? and then act
 immediately and decisively on what they get back for an answer?

 I don't want to speak for Spamhaus, but I suspect that they would be
 delighted to provide that response, particularly if it led to swift and
 effective action to make the problem(s) go away.  And while I don't
 always agree with their positions, I've *rarely* found mistakes in
 their research: they're thorough.  (So's Ron, by the way.)

 This isn't complicated.  This isn't expensive.  This doesn't require
 new technology or anything fancy.  It's basic due diligence.  Yet it
 clearly hasn't happened.  Why the hell not?

 We live in a time when abuse is epidemic.  It's costing us a fortune,
 and I don't just mean in financial terms, although certainly that's
 bad enough all by itself.  But it doesn't just magically fall out of
 the sky and land on our servers or routers, or at port 25 on our
 mail servers.   It comes from *somewhere*, and it does so on *somebody's*
 watch.  And when it does so on a chronic and systemic basis, surely
 it is reasonable to ask questions like Why, if we can so clearly see
 it arriving at our operation, can they not see it leaving theirs?
 or Why aren't people paying attention to the primary/most useful
 sources of information about their own operations?

 So it's (well past) time to stop giving people a pass for looking the
 other way or failing to look at all.  It's my, your, and everyone's
 professional responsibility to do everything we possibly can to prevent
 the networks, hosts, and resources we run from being part of the problem.
 So yeah: incompetence and negligence are the best words I can find
 to describe failure to do that.  What would you call it?

 ---rsk




Re: FYI Netflix is down

2012-07-02 Thread Todd Underwood
> Actually, it was a very complex power outage. I'm going to assume that what
> happened this weekend was similar to the event that happened at the same
> facility approximately two weeks ago (it's immaterial - the details are
> probably different, but it illustrates the complexity of a data center
> failure)
>
> Utility Power Failed
> First Backup Generator Failed (shut down due to a faulty fan)
> Second Backup Generator Failed (breaker coordination problem resulting in
> faulty trip of a breaker)
>
> In this case, it was clearly a cascading failure, although only limited in
> scope. The failure in this case, also clearly involved people. There was one
> material failure (the fan), but the system should have been resilient enough
> to deal with it. The system should also have been resilient enough to deal
> with the breaker coordination issue (which should not have occurred), but was
> not. Data centers are not commodities. There is a way to engineer these
> facilities to be much more resilient. Not everyone's business model supports
> it.

ok, i give in.  at some level of granularity everything is a cascading
failure (since molecules collide and the world is an infinite chain of
causation in which human free will is merely a myth /Spinoza)

of course, this use of 'cascading' is vacuous and not useful anymore
since it applies to nearly every failure, but i'll go along with it.

from the perspective of a datacenter power engineer, this was a
cascading failure of a few small number of components.

from the perspective of every datacenter customer:  this was a power failure.

from the perspective of people watching B-rate movies:  this was a
failure to implement and test a reliable system for streaming those
movies in the face of a power outage at one facility.

from the perspective of nanog mailing list readers:  this was an
interesting opportunity to speculate about failures about which we
have no data (as usual!).

can we all agree on those facts?

:-)

t



Re: FYI Netflix is down

2012-06-30 Thread Todd Underwood
On Jun 30, 2012 11:23 AM, Seth Mattinen se...@rollernet.us wrote:


> But haven't they all been cascading failures?

No.  They have not.  That's not what that term means.

'Cascading failure' has a fairly specific meaning that doesn't imply
resilience in the face of decomposition into smaller parts.  Cascading
failures can occur even when a system is decomposed into small parts, each
of which is apparently well run.

T


Re: FYI Netflix is down

2012-06-30 Thread Todd Underwood
This was not a cascading failure.  It was a simple power outage.

Cascading failures involve interdependencies among components.

T
On Jun 30, 2012 2:21 PM, Seth Mattinen se...@rollernet.us wrote:

 On 6/30/12 9:25 AM, Todd Underwood wrote:
 
  On Jun 30, 2012 11:23 AM, Seth Mattinen se...@rollernet.us
  mailto:se...@rollernet.us wrote:
 
 
  But haven't they all been cascading failures?
 
  No.  They have not.  That's not what that term means.
 
  'Cascading failure' has a fairly specific meaning that doesn't imply
  resilience in the face of decomposition into smaller parts.  Cascading
  failures can occur even when a system is decomposed into small parts,
  each of which is apparently well run.
 


 I honestly have no idea how to parse that since it doesn't jive with my
 practical view of a cascading failure.

 ~Seth




Re: FYI Netflix is down

2012-06-30 Thread Todd Underwood
scott,


>> This was not a cascading failure.  It was a simple power outage
>>
>> Cascading failures involve interdependencies among components.
>
> Not always.  Cascading failures can also occur when there is zero dependency
> between components.  The simplest form of this is where one environment
> fails over to another, but the target environment is not capable of handling
> the additional load and then fails itself as a result (in some form or
> other, but frequently different to the mode of the original failure).

indeed.  and that is an interdependency among components.  in
particular, it is a capacity interdependency.

> Whilst the Amazon outage might have been a simple power outage, it's
> likely that at least some of the website outages caused were a combination
> of not just the direct Amazon outage, but also the flow-on effect of their
> redundancy attempting (but failing) to kick in - potentially making the
> problem worse than just the Amazon outage caused.

i think you over-estimate these websites.  most of them simply have no
redundancy (and obviously have no tested, effective redundancy) and
were simply hoping that amazon didn't really go down that much.

hope is not the best strategy, as it turns out.

i suspect that randy is right though:  many of these businesses do not
promise perfect uptime and can survive these kinds of failures with
little loss to business or reputation.  twitter has branded its early
failures with a whale that not only didn't hurt it but helped endear
the service to millions.  when your service fits these criteria, why
would you bother doing the complicated systems and application
engineering necessary to actually have functional redundancy?

it simply isn't worth it.

t


   Scott



RIPE 65 Call for Presentations/Papers

2012-05-24 Thread Todd Underwood
Fellow North American network-interested-and-involved folks:  In
September, RIPE will be back in Amsterdam and we're interested in
presentations.  Please see the appended Call for Presentations and let
me/us know if you have an interesting idea for a presentation, panel,
birds-of-a-feather sessions or a tutorial.  thanks!




Call for Presentations: RIPE 65

A RIPE Meeting is an open event where Internet Service Providers,
network operators and other interested parties get together. Although
the meeting is mostly technical, it is also a chance for people to
meet and network with others in their field.

RIPE 65 will take place on 24-28 September 2012 in Amsterdam, Netherlands.

The RIPE Programme Committee (PC) is now seeking content proposals
from the RIPE community for the Plenary, BoF and tutorial sessions at
RIPE 65. The PC is looking for presentations covering topics of
network engineering and operations, including but not limited to:

- IPv6 deployment
- Managing IPv4 scarcity in operations
- Commercial transactions of IPv4 addresses
- Data center technologies
- Network and DNS operations
- Internet governance and regulatory practices
- Network and routing security
- Content delivery
- Internet peering and mobile data exchange


Submissions

Attendees of the RIPE meetings are quite sensitive to keeping
presentations non-commercial, and product marketing talks are strongly
discouraged. Repeated audience feedback shows that the most successful
talks focus on operational experience, research results, or case
studies. For example, presenters wishing to describe a commercial
solution should focus on the underlying technology and not attempt a
product demonstration.

Presenters who are proposing a panel or BoF are encouraged to include
speakers from several (perhaps even competing) companies and/or a
neutral facilitator.

In addition to presentations selected in advance for the Plenary, the
RIPE PC also offers several time slots for “lightning talks” which are
selected immediately before or during the conference.

The following requirements apply:

- Proposals for talks, BoFs and panels must be submitted for full
consideration no later than 1 July 2012, using the meeting submission
system at:

https://meetings.ripe.net/pc/

Proposals submitted after this date will be considered on a
space-available basis.

- Presenters should indicate how much time they will require (30
minutes for talks is a common maximum duration, although some talks
can be longer).

- Proposals for talks will only be considered by the PC if they
contain at least draft presentation slides (slides may be updated
later on). For BoFs and panels proposals must contain a clear
description as well as names of invited panelists/presenters.

- Due to potential technical issues, it is expected that most if not
all presenters/panelists will be physically present at the RIPE
meeting.

- Lightning talks should be submitted using the meeting submission
system. They must be short (10 minutes maximum) and often involve more
timely topics. They can be submitted at any time. The allocation of
lightning talk slots will be announced one day prior to the relevant
session.

If you have any questions or requests concerning content submissions,
please email pc [at] ripe [dot] net.

--

Todd Underwood
for the RIPE Program(me) Committee
toddun...@gmail.com



Re: AD and enforced password policies

2012-01-03 Thread Todd Underwood
http://www.diceware.com/

works well.  has plausible analysis of the entropy of the passphrases
created.  it's 100% prescriptive and deterministic so can be used for
large, unevenly skilled userbases.  the passphrases are easy to
remember and type for english speakers (and there are alternative
dictionaries).

and it wouldn't pass any of these silly requirements.

what people really need to be doing is deploying:
http://en.wikipedia.org/wiki/HOTP

there are free apps for android and iphone to generate sequences as a
2nd factor.

t

On Tue, Jan 3, 2012 at 8:09 AM, Greg Ihnen os10ru...@gmail.com wrote:

 On Jan 3, 2012, at 4:14 AM, Måns Nilsson wrote:

 Subject: RE: AD and enforced password policies Date: Mon, Jan 02, 2012 at 
 11:15:08PM + Quoting Blake T. Pfankuch (bl...@pfankuch.me):

 However I would say 365 day expiration is a little long, 3 months is about 
 the average in a non financial oriented network.

 If you force me to change a password every three months, I'm going
 to start doing g0ddw/\ssPOrd-01, ..-02, etc immediately. Net result,
 you lose.

 Let's face it, either the bad guys have LANMAN hashes/unsalted MD5 etc,
 and we're all doomed, or they will be lucky and guess. None of these
 attack modes will be mitigated by the 3-month scheme; success/fail as
 seen by the bad guys will be a lot quicker than three months. If they
 do not get lucky with john or rainbow tables, they'll move on.

 (Some scenarios still are affected by this, of course, but there is a
 lot to be done to stop bad things from happening like not getting your
 hashes stolen etc. On-line repeated login failures aren't going to work
 because you'll detect that, right? )

 Either way, expiring often is the first and most effective step at making
 the lusers hate you and will only bring the Post-It(tm) makers happy.

 If your password crypto is NSA KW-26 or similar, OTOH, just
 don the Navy blues and start swapping punchcards at  ZULU.
       (http://en.wikipedia.org/wiki/File:Kw-26.jpg)

 --
 Måns Nilsson     primary/secondary/besserwisser/machina
 MN-1334-RIPE                             +46 705 989668
 Life is a POPULARITY CONTEST!  I'm REFRESHINGLY CANDID!!


 A side issue is the people who use the same password at fuzzykittens.com as 
 they do at bankofamerica.com. Of course fuzzykittens doesn't need high 
 security for their password management and storage. After all, what's worth 
 stealing at fuzzykittens? All those passwords.  I use and recommend a 
 popular password manager, so I can have unique strong passwords without 
 making a religion out of it.

 Greg



Re: AD and enforced password policies

2012-01-03 Thread Todd Underwood
additionally, etrade in the states has had 2-factor authentication
(RSA token) for over 8 or 9 years now.

it's one reasonable reason to stay with them.

t

On Tue, Jan 3, 2012 at 10:52 PM, Randy Bush ra...@psg.com wrote:
 fwiw, citibank in the states uses normal passwording for personal
 accounts.  but citibank business uses two-factor with a password
 and a customized vasco digipass 270.

 randy




RIPE 64 Call for Presentations

2011-11-23 Thread Todd Underwood
Fellow builders, operators, analyzers and ponderers of networks,

I suspect that the following Call for Presentations may be a useful
reminder for some of you to begin working on presentations for RIPE 64
next Spring.

---

RIPE 64: Call for Presentations

RIPE 64 takes place on 16-20 April 2012 in Ljubljana, Slovenia.

The RIPE Programme Committee (PC) is now seeking content proposals from the
RIPE community for the Plenary, BoF and tutorial sessions at RIPE 64.
The PC seeks presentations covering topics of network engineering and
operations, including but not limited to:

• IPv6 deployment
• Managing IPv4 scarcity in operations
• Commercial transactions of IPv4 addresses
• Data centre technologies
• Network and DNS operations
• Internet governance and regulatory practices
• Network and routing security
• Content delivery
• Internet peering and mobile data exchange

Submissions

Attendees of the RIPE meetings are quite sensitive to keeping
presentations non-commercial, and product marketing talks are strongly
discouraged. Repeated audience feedback shows that the most successful
talks focus on operational experience, research results, or case
studies. For example, presenters wishing to describe a commercial
solution should focus on the underlying technology and not attempt a
product demonstration. Presenters who are proposing a panel or BOF are
encouraged to include speakers from several (perhaps even competing)
companies and/or a neutral facilitator.  Presenters should indicate
how much time they will require (30 minutes is a common maximum
duration, although some talks can be longer).

Proposals for presentations must be submitted for full consideration
no later than
*3 February* using the online topic submission system at:
http://meetings.ripe.net/pc/
Presentations submitted after this date will be considered on a
space-available basis.

In addition to presentations selected in advance for the plenary, the
RIPE PC also offers several timeslots for “lightning talks” which are
selected immediately before or during the conference.  Lightning talks
are short (10 mins maximum) and often involve more timely topics.
Lightning talks will be announced shortly before the conference.

If you are aware of a talk that might be interesting to the community,
please provide us with the details and we will approach the potential
speaker.

If you have any questions or requests concerning content submissions,
please email p...@ripe.net.

For more information about RIPE 64, including how to register, visit:
http://ripe64.ripe.net/


Kind regards,

todd underwood, for the RIPE Programme Committee
toddun...@gmail.com
p...@ripe.net



Re: Y'all know Google is offering public DNS services now?

2011-10-10 Thread Todd Underwood
not bad for CDNs anymore:

http://arstechnica.com/telecom/news/2011/08/opendns-and-google-working-with-cdns-on-dns-speedup.ars

t

On Mon, Oct 10, 2011 at 5:45 PM, Scott Howard sc...@doc.net.au wrote:
 This service has been discussed several times in the ~2 years since it was
 first released (including topics such as why it's bad for CDNs)

 The archives would be a good place to start...

  Scott.



 On Mon, Oct 10, 2011 at 2:12 PM, steve pirk [egrep] st...@pirk.com wrote:

 I saw this in a post from Travis Wise of Google yesterday. Pretty cool for
 those users who do not want to use their ISP's name servers, or just want to
 have dns resolve quickly from anywhere in the world. In either case, I think
 it is cool ;-]

 http://code.google.com/speed/public-dns/

 Here is the original post - Yes, this one is public... oops!
 https://plus.google.com/111937447827665620879/posts/27S6QB8j1Ry

 Nice easy numbers to remember too. 8.8.8.8 and 8.8.4.4

 --
 steve pirk
 yensid
 father... the sleeper has awakened... paul atreides - dune
 kexp.org member august '09





Re: F.ROOT-SERVERS.NET moved to Beijing?

2011-10-03 Thread Todd Underwood
 User Exercise:  What happens when you enable integrity checking in an
 application (e.g., 'dnssec-validation auto') and datapath manipulation
 persists?  Bonus points for analysis of implementation and deployment
 behaviors and resulting systemic effects.


i agree with danny here.

ignoring randy's (and others') off-topic comments about hypocrisy, this
situation is fundamentally a situation of bad (or different) network
policy being applied outside of its scope.  i would prefer that china
not censor the internet, sure.  but i really require that china not
censor *my* internet when i'm not in china.

t



Re: F.ROOT-SERVERS.NET moved to Beijing?

2011-10-02 Thread Todd Underwood
leo, all,

in the past, name servers that operated inside of china were subject
to arbitrary rewriting or blocking of their results by the Great
Firewall.

this is obviously bad for Chinese citizens but it's *dramatically*
worse for people outside of china who end up reaching a root server in
china by mistake, no?  people who ostensibly live free of this kind of
interference and censorship are now subject to it by mistake.

a previous time this happened renesys did a good write up on it.

http://www.renesys.com/blog/2010/06/two-strikes-i-root.shtml

i guess my questions now are:

1) how long was this happening?
2) can any root server operator who serves data inside of china verify
that the data that they serve have not been rewritten by the great
firewall?
3) does ISC (or Insert Root Operator Here) have a plan for
monitoring route distribution to ensure that this doesn't happen again
(without prompt detection and mitigation)?

i'm not really singling out ISC here--this is a serious problem for
anyone who chooses to operate a root server node on untrustworthy or
malicious network infrastructure (which is one appropriate way of
thinking of a rewriting firewall from the perspective of a root server
operator).

cheers,

t

On Sun, Oct 2, 2011 at 3:08 PM, Leo Bicknell bickn...@ufp.org wrote:
 In a message written on Sun, Oct 02, 2011 at 05:40:23PM +, Janne Snabb 
 wrote:
 I happened to notice the following at three separate sites around
 the US and one site in Europe:

 ISC has verified our PEK2 route was being leaked further than
 intended, and for the moment we have pulled the route until we can
 get confirmation from our partners that the problem has been resolved.
 Service should be back to normal, but if anyone is still having
 problems n...@isc.org will open a ticket.

 --
       Leo Bicknell - bickn...@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/




Re: F.ROOT-SERVERS.NET moved to Beijing?

2011-10-02 Thread Todd Underwood
valdis, all,

On Sun, Oct 2, 2011 at 6:02 PM,  valdis.kletni...@vt.edu wrote:
 On Sun, 02 Oct 2011 17:30:37 EDT, Todd Underwood said:

 2) can any root server operator who serves data inside of china verify
 that the data that they serve have not been rewritten by the great
 firewall?

 DNSSEC should help this issue dramatically.  This however could be problematic
 if the Chinese govt (or any repressive regime) decides to ban the use of
 technology that allows a user to identify when they're being repressed.

sure, but DNSSEC is still basically unused.


 3) does ISC (or Insert Root Operator Here) have a plan for
 monitoring route distribution to ensure that this doesn't happen again
 (without prompt detection and mitigation)?

 Leaked routes happen.  External monitors and looking glasses and filters and
 communities are all things we should probably be doing more of, in order to
 minimize routing bogosity.  But when all is said and done, there's no real way
 to have a dynamic routing protocol like BGP and at the same time *guarantee*
 that some chucklehead NOC monkey won't bollix things up.  At best, we'll be
 able to get to less than N brown-paper-bag moments per Tier-[12] per annum
 for some value of N.

yep.  this is a *great* argument *against* running critical
information services on known-malicious network infrastructure, right?

i.e.:  if you are sure you're going to be interfered with regularly
and you're positive you can't restrict the damage of that interference
narrowly to the people who were already suffering such interference,
perhaps you should choose to not locate your critical network
information resource on that network.

yes, i'm (again) suggesting that people take seriously not doing root
name service inside of china as long as the great firewall exists.

t



Re: [Nanog-futures] Moving Forward - What kind of NANOG do we want?

2010-07-03 Thread Todd Underwood
On Fri, Jul 2, 2010 at 11:37 PM, Jay Hennigan j...@west.net wrote:

 On 7/2/10 8:29 PM, Simon Lyall wrote:

  Unless people seriously intended for the organisation to have regular [1]
  meetings outside of North America (which I doubt) then it should retain
  the current general name and focus.
 
  [1] - At least 50% in Europe, Asia, ROW , not one every 5 years in
 Mexico.

 [1a] Mexico is part of North America so that doesn't count as outside.



no.  only citizens of the united states and canada consider mexico to be
part of north america.  mexicans consider north america to begin at the rio
bravo where the united states start.  they consider mexico to be either part
of mesoamerica or simply to be mexico.  mexicans refer to americans and
canadians as 'norteamericanos' explicitly identifying it as a difference.

the 'NAFTA' (north american free trade agreement) in english is simply the
'Tratado de Libre Comercio' (Free Trade Agreement) in spanish.

this is not to say that mexico can't be more included in nanog activities in
the future, but simply to point out this difference in perception.

please resume all other quibbling. :-)

t.



 --
 Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
 Impulse Internet Service  -  http://www.impulse.net/
 Your local telephone and internet company - 805 884-6323 - WB6RDV

 ___
 Nanog-futures mailing list
 Nanog-futures@nanog.org
 https://mailman.nanog.org/mailman/listinfo/nanog-futures



Re: Todd Underwood was a little late

2010-06-17 Thread Todd Underwood
jon, all,

i've received several questions about the context of this mail, so i
thought it would be worth posting to clear up the reference.

for those who missed it, i presented a lightning talk at nanog 49 in
san francisco yesterday on some very early conceptual work on a really
interesting strategy to dramatically extend the useful life of v4
prefixes.  the talk is linked from:
http://nanog.org/meetings/nanog49/agenda.php and i encourage people to
take a look at it.

if you like the general idea (Probabilistic Assignment of Prefixes:  a
System for Managing and Extending Address Resources is what some
people are starting to call it), i'd encourage you to take the
suggestion made at the mic by mark kosters, cto of arin, and work to
help refine the proposal and establish a useful policy framework
around its implementation.

work is needed especially in collision domain modeling and count of
resource implications for the operational overhead per prefix.
experience with high flow rate instrumentation is likely to be needed
in the near future as well.

i wanted to thank everyone for the kind words and suggestions after
the presentation and look forward to productively exploring this idea.

cheers,

todd underwood
toddun...@gmail.com



Re: Todd Underwood was a little late

2010-06-17 Thread Todd Underwood
christopher, all,



 ...nothing to see here, this is CGN's...


oh, i think this has several important advantages over carrier-grade
nat (which i believe to be mostly dead, anyway, no?  someone who knows
more can chime in with references to the contrary should this not be
the case).

firstly:  cgn puts reachability in the hands of a single organization.
 with the PAP System you have a set of distributed choices about
reachability:  different people can assess their different tolerance
to certain kinds of unreachability.

as i said in the presentation, the probability that there will be
positive operational overhead for a prefix is related to the count of
reuse within an association domain for a prefix ( p(Oop) = Cr(Ap) ).
We need to work out how to subdivide which parts of the internet
actually want to communicate directly with each other reliably and
make sure that they are within association domains.

in any case, i think this is more the subject of future work (and
possibly future nanog presentations) so i'll leave this here.

t.

(and stop trolling)
:-)



[NANOG-announce] change in roles on the program committee

2009-06-16 Thread Todd Underwood
today, at our lunchtime meeting, the nanog program committee selected a new
chair, david meyer of cisco and university of oregon, and a new vice-chair,
tom daly of dynamic network services.  please join me in congratulating them
in person if you're here at nanog.

for the past two years, ren provo has served as vice-chair of the program
committee, a role that was basically created specifically for her.  she has
been critical in the development of the program committee into the open,
active, and even somewhat-organized group that it is today.  i'm proud to
have worked with her on this project for the past two years and am extremely
grateful for everything she has done.

ren and i decided to resign our positions prior to the october meeting to
ensure a smooth transition. we will both continue to serve as members of the
program committee through the end of our current terms in october.  NANOG
has been getting better and better for the last several years.  we're
announcing locations much earlier and we're continuing to develop and
experiment with the content to make it more relevant and more interesting
for attendees.  credit for these efforts certainly go to members of the
steering and mailing list committees and to merit staff, but they also go to
the program committee.

the nanog program committee is full of some of the smartest, best people
that i've ever worked with.  it's a pleasure to be associated with them.
eight (8) of the slots on the program committee will be opening up this
october.  if you'd like to work with other interesting people to make the
nanog conference better, please consider submitting your name to be
considered for one of these slots.  the steering committee will announce
details, or you can come see almost any member of the PC for more
information.

again, congratulations to dave and tom.

cheers,

todd underwood, outgoing chair
for the program committee
spots opening up in october
___
NANOG-announce mailing list
nanog-annou...@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog-announce



[NANOG-announce] lightning talks open and hotel rate expiring

2009-05-29 Thread Todd Underwood
two quick reminders:

1) the nanog discount rate on the hotel is mostly (but not completely)
full and i believe it expires today.  if you're planning on coming to
nanog, please register for the conference and book a hotel room.  or
pay more for the privilege of both experiences.

https://nanog.merit.edu/registration/
http://nanog.org/meetings/nanog46/hotel.php

2)  lightning talk submissions are now open. lightning talks are short
(10 minutes), topical and timely.  and they are done at the last
minute (a feature which endears them to many of us).

lightning talks submitted by jun 8 will be voted on by the program
committee on our jun 9 call just prior to the start of nanog 46.
lightning talks will continue to be accepted through tuesday of the
conference, although the sooner you get your abstract in, the more
likely we will be to accept your talk.  several talks have already
been submitted so if you've got a good idea, now is the time to write
it up and get it in.

i'm very much looking forward to seeing all of you in philadelphia.

todd underwood, chair
nanog program committee




[NANOG-announce] NANOG 46 agenda announced; reduced rate registration expiring soon

2009-04-29 Thread Todd Underwood
Howdy,

An updated agenda for NANOG46 has been posted at:

http://nanog.org/meetings/nanog46/agenda.php

you might notice that this NANOG features:

   * Keynote by Paul Vixie on Internet Superbugs and the Art of War
   * A ton of useful tutorials including Dani Roisman's popular BGP
     Load Balancing, and new tutorials from Richard Steenbergen,
     Production v6 Network in 30 minutes or less and Martin Hannigan
     Network Capacity RFP
   * The popular Peering and Security tracks
   * New v6 operational content and experience
   * Lots of other great, operational presentations

So I would humbly suggest that you (collectively) register for NANOG46

( https://nanog.merit.edu/registration/ )

as quickly as possible.  Discounted registration ends in less than two
weeks (on May 10) so save yourself $75 and get registered.  You know
you're going to go, so just go already.

If you require an invitation or travel letter for visa purposes, please
send mail to nanog-supp...@nanog.org.

I would *strongly* suggest you reserve a hotel room if you have not
already.  At the last several NANOGs all available discounted rooms in
the room block have gone very quickly.

( http://nanog.org/meetings/nanog46/hotel.php )

Note that the program is now almost completely full (there are 2-3 slots
left that are saved for conditionally accepted talks that are already
in progress or any presentations dealing with late-breaking events,
but the event would have to be exceptionally significant and
interesting).  If you didn't submit for this NANOG conference, please
consider submitting a presentation for NANOG47. (http://pc.nanog.org)

Lightning talk submission will open on May 14.  Lightning talks are short
(10 minute maximum) presentations submitted immediately prior to
or during the conference.  Lightning talks are particularly appropriate
for material that is too short to fill a normal Plenary presentation slot
or too timely to have been submitted with sufficient anticipation.  Lightning
talks are also an opportunity for presenters to get early feedback on a
new or still-gestating idea.

The first round of Lightning talks will be selected on June 9 and will
be announced immediately prior to the start of the  conference.
Additional lightning talks will be selected during the conference.

Looking forward to seeing all of you in Philadelphia,


Todd Underwood, Chair
NANOG Program Committee




[NANOG-announce] NANOG 46 Call for Presentations

2009-02-24 Thread Todd Underwood
 Committee for
review. Until then authors should not submit their individual
presentations for the panel.

A panel may be up to 90 minutes long.

Lightning Talks
---

A lightning talk is a very short presentation or speech by any
attendee on any topic relevant to the NANOG audience. These are
limited to ten minutes; this will be strictly enforced.

If you have a topic that's timely, interesting, or even a
crackpot idea you want to share, we encourage you to consider
presenting it. Signups for lightning talks will be accepted
during the NANOG meeting.

Research Forum
--

Researchers are invited to present short (10-minute) summaries of
their work for operator feedback. Topics include routing, network
performance, statistical measurement and analysis, and protocol
development and implementation. Studies presented may be works in
progress. Researchers from academia, government, and industry are
encouraged to present.

Tutorials
-

Proposals are also invited for tutorial sessions from the
introductory through advanced level on all related topics,
including:

 - Disaster Recovery Planning
 - Troubleshooting BGP
 - Best Practices for Determining Traffic Matrices
 - Options for Blackhole and Discard Routing
 - BGP/MPLS Layer 3 VPNs
 - Peering business and engineering basics


BOFs


BOFs (Birds of a Feather sessions) are informal sessions on
topics which are of interest to a portion of the NANOG community.
BOFs may be held in the hallways, break-out areas or in an
unscheduled tutorial room by request submitted to
nano...@nanog.org at least 30 minutes in advance of desired use
with estimated duration notes.

A typical BOF session may include some structure or
presentations, but usually is focused on community discussion and
interaction.

Frequent BOF topics include:

 - R&D collaboration
 - Hot-topics in the media
 - Peering
 - ISP Security
 - Tools

The less structured nature of BOF sessions allows for the
greatest flexibility from a timing perspective.

Registration Fee Waivers
=

The meeting registration fee will be waived as follows:

 - General session talk:  one speaker
 - General session panel: one moderator and all panelists
 - Research forum talk:   one speaker
 - Track: one moderator
 - Tutorial:  one instructor

How to Present
==

The deadline for accepting abstracts and slides is 06 March 2009.
While the majority of speaking slots may be filled by that date,
a limited number of slots may be available after that date for
topics that are exceptionally timely, important, or critical to
the operations of the Internet.

The primary speaker, moderator, or author should submit
presentation information and an abstract on-line at:

   http://pc.nanog.org

Once you have done this, you will receive instructions for
submitting your draft slides. See Presentation Guidelines for
complete submission guidelines. All submissions must include:

 - Author's name(s)
 - Preferred contact email address
 - Submission category (General Session, Panel, Tutorial,
  Research Forum, or BOF)
 - Presentation title
 - Abstract
 - Slides (attachment or URL), in PDF (preferred) or Powerpoint
  format (Slides are optional for BOFs.)

You may instead submit the presentation information and draft
slides in email to nanog-supp...@nanog.org.

We look forward to reviewing your submission.

Todd Underwood, Chair
NANOG Program Committee




NANOG 45 Lightning Talks Open

2009-01-08 Thread Todd Underwood
On behalf of the rest of the NANOG Program Committee, I'm pleased to
announce that submissions for Lightning talks for NANOG 45 are open
at:

http://www.nanogpc.org/lightning/

Lightning talks are short presentations (no more than 10 minutes,
including questions) of topics that are either too short, too timely
or too preliminary to include on the general agenda.  In the past,
these have been some of the most popular presentations at NANOG, For
this upcoming conference in Santo Domingo, we have lightning talk
slots available on all three days.  The Program Committee will pick
the first three of these prior to the conference (by the end of next
week, in fact), so please get your submissions in by Wed, 14 January
for the best possible consideration.  We already have several
submissions, but would appreciate more, of course.

Rest assured, however, that we will continue accepting lightning talk
proposals (and voting on them) through the conference, as timeliness
is part of what makes lightning talks so great.  The sooner you
submit, though, the better your chance to present.

See all of you in Santo Domingo.

Todd Underwood
Chair, Program Committee, NANOG



[NANOG-announce] NANOG 45 Agenda Posted

2008-12-12 Thread Todd Underwood
On behalf of the NANOG Program Committee and Merit I'm pleased to
announce that an updated Agenda is available and posted at:

http://www.nanog.org/meetings/nanog45/agenda.php

We're excited about the quality of the agenda and we hope you are,
too.  I want to thank all of the members of the Program Committee who
worked hard to recruit, review and select the presentations and
tutorials that make up this program.  I also want to thank everyone
who submitted a proposal.  The quality and variety seemed very high
this time around.

Please note that there remain a very small number of slots open for
late-breaking or especially topical presentations, so if the Internet
melts down completely between now and January, feel free to submit a
presentation explaining what happened.

Lightning Talk slots will officially open after the first of the year.

If you have not already registered for the conference and reserved
your hotel room, now is a great time to do that.  See

http://nanog.org/meetings/nanog45/

and in particular

https://nanog.merit.edu/registration/

to get started.  Remember that Hotel expenses are fantastically low
this time, with rooms as cheap as $104 and cheap flights are still
available to the SDQ airport.  The overall cost of this NANOG should
be the same or lower as previous ones.  I mention this because I know
that many travel budgets are tight and I hope that this information
might be useful to your management.

I look forward to seeing all of you in Santo Domingo.

Todd Underwood
Chair, NANOG Program Committee
toddun...@gmail.com




NANOG 45 Preliminary Agenda and Conference Registration

2008-11-24 Thread Todd Underwood
NANOG 45 is fast approaching. Today we have a preliminary agenda to
announce that should assist people who need supplementary material for
travel justifications.  There are a number of presentation slots still
available.

The Program Committee will continue to accept presentations this week
(if you plan to submit something, Friday was the deadline, but we will
try to review presentations that arrive during the week this week).
Please contact me if you have a talk in progress and need information
on how to submit it, but in general:

  http://www.nanogpc.org/

Please note that conference registration is open and the early bird
discount expires in under two weeks:

  https://nanog.merit.edu/registration/

Hotel registration is open as well, although to get the discount rate
you may have to call the hotel.  They are working on the automated
registration issue and should have it resolved soon.  Be aware:  the
hotel is outrageously cheap for very nice rooms (part of what should
make your travel justification easier), so be sure to register soon.

Also, consider booking travel soon.  A number of airlines have
substantially discounted flights at the moment, but one never knows
when they might expire.

The following talks were submitted early and have already been
accepted by the Program Committee:



Tutorials:
==========
Introduction to LISP
 Dave Meyer, Cisco
 Dino Farinacci, Cisco

Small Network Operator - Lessons Learned
 Pete Templin, Nextlink

BGP 102: Scaling the Network
 Avi Freedman, Akamai

DNSSEC at Comcast
 Srini Avirneni, Comcast Cable

Accurate and Advanced Traceroute for Troubleshooting
 Richard Steenbergen

Peering 101
 William Norton and Kevin Oberman


Plenary Presentations:
======================
Tutorial on using the Malware Hash Registry
 Stephen Gill, Team Cymru

Practical Reverse Traceroute
 Ethan Katz-Bassett, University of Washington

DNSSEC at Comcast
 Srini Avirneni, Comcast Cable

BFD - Is it worth it and does it work in production networks?
 Tom Scholl, AT&T Labs

It's The End Of The World As We Know It (aka The New Internet Architecture)
 David Meyer, Cisco/Univ of Oregon

4-byte ASNs
 Greg Hankins, Force10 Networks




Birds of a Feather Sessions (BOFs):
===================================
ISP Security
 Danny McPherson, Arbor Networks
 Warren Kumari, Google

Peering
 (including welcome, peering personals, peering survey results
 contact [EMAIL PROTECTED] to present)
 Aaron Hughes, Cariden Technologies, LMCO, UnitedLayer


Research Forum:
===============

A Comparative Analysis of BGP Anomaly Detection and Robustness Algorithms
 Kotikapaludi Sriram, Patrick Gleichmann, and Doug Montgomery


100Gbps for NexGen Content Distribution Networks
 Martin Zirngibl, Alcatel-Lucent

I look forward to seeing all of you in Santo Domingo,

t.


--
--
Todd Underwood,
Chair, NANOG Program Committee
[EMAIL PROTECTED]



Re: Prefix Hijack Tool Comparison

2008-11-13 Thread Todd Underwood
hank, all,

On Thu, Nov 13, 2008 at 08:57:35PM +0200, Hank Nussbacher wrote:

> I use all 4 - BGPmon, RIPE, PHAS, and Watchmy.net.
>
> BGPMon kicks ass on all of them.  RIPE showed up 5-6 hours later.  PHAS and
> Watchmy were nowhere to be seen.

is that a bug or a feature?

this was a non-event in a tiny corner of the internet.  it's
interesting, but it's not operationally significant.  i would not
consider the fact that PHAS and Watchmy didn't alert any particular
criticism of them.  

but perhaps there was something else to which you were referring.

t.

-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation
[EMAIL PROTECTED]   http://www.renesys.com/blog



Re: Prefix Hijack Tool Comparison

2008-11-13 Thread Todd Underwood
alexander, all,

On Thu, Nov 13, 2008 at 07:56:26PM +, Alexander Harrowell wrote:
> It may be the North American NOG, but it's been said before that it
> functions as a GNOG, G for Global. I don't think Brazil is
> insignificant. I respect Todd's work greatly, but I think he's wrong
> on this point.

you misread me.

i did not say that brazil was insignificant. it's not.  it has some of
the fastest growing internet in latin america.  

i said that *this* hijacking took place in an insignificant corner of
the internet.  i mean this AS-map wise rather than geographically.
this hijacking didn't even spread beyond one or two ASes, one of whom
just happened to be a RIPE RIS peer.  

real hijackings leak into dozens or hundreds or thousands of ASNs.
they spread far and wide.  that's why people carry them out, when they
do.  this one was stopped in its tracks in a very small portion of one
corner of the AS graph.  

as such, i don't count it as a hijacking or leak of any great
significance and wouldn't want to alert anyone about it.  that's why i
recommend that prefix hijacking detection systems do thresholding of
peers to prevent a single, rogue, unrepresentative peer from reporting
a hijacking when none is really happening.  others may have a
different approach, but without thresholding prefix alert systems can
be noisy and more trouble than they are worth.

sorry if it appears that i was denigrating .br .  i was not.

t.

-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation
[EMAIL PROTECTED]   http://www.renesys.com/blog
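
The peer thresholding recommended in the message above, as an added example that is not part of the original post or of any tool named in the thread: an unexpected origin is reported only when enough distinct collector peers see it. The prefixes, AS numbers, peer names and the `min_peers` default are constructed for illustration.

```python
"""Peer-thresholded origin-change detection for monitored prefixes."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample data: documentation prefixes (RFC 5737) and ASNs (RFC 5398).
EXPECTED_ORIGINS = {
    ip_network("192.0.2.0/24"): {64500},
    ip_network("198.51.100.0/24"): {64501},
}

# Constructed (peer, prefix, AS path) observations, as a collector feed might yield.
OBSERVATIONS = (
    # Legitimate announcements seen by every peer.
    [(f"peer{i}", "192.0.2.0/24", [64496 + i % 3, 64500]) for i in range(10)]
    + [(f"peer{i}", "198.51.100.0/24", [64496 + i % 3, 64501]) for i in range(10)]
    # Unexpected origin seen by a single peer, repeated three times.
    + [("peer7", "192.0.2.0/24", [64499, 64511])] * 3
    # Unexpected origin on a more-specific prefix, seen by six peers.
    + [(f"peer{i}", "198.51.100.0/25", [64496 + i % 3, 64510]) for i in range(6)]
)


def covering_prefix(prefix, expected):
    """Return the monitored prefix equal to or covering `prefix`, or None."""
    for monitored in expected:
        if prefix.version == monitored.version and prefix.subnet_of(monitored):
            return monitored
    return None


def unexpected_origins(observations, expected):
    """Map (announced prefix, origin AS) to the set of peers that reported it."""
    seen = defaultdict(set)
    for peer, prefix_text, as_path in observations:
        if not as_path:
            continue  # no origin AS to compare against
        prefix = ip_network(prefix_text)
        monitored = covering_prefix(prefix, expected)
        if monitored is None:
            continue  # not a prefix we watch
        origin = as_path[-1]
        if origin not in expected[monitored]:
            # A set, so repeated updates from one peer count once.
            seen[(prefix, origin)].add(peer)
    return seen


def alerts(observations, expected, min_peers=3):
    """Return conflicts reported by at least `min_peers` distinct peers."""
    result = []
    conflicts = unexpected_origins(observations, expected)
    for (prefix, origin), peers in conflicts.items():
        if len(peers) >= min_peers:
            result.append(
                {"prefix": str(prefix), "origin": origin, "peers": len(peers)}
            )
    return sorted(result, key=lambda a: (-a["peers"], a["prefix"]))


if __name__ == "__main__":
    for threshold in (1, 3):
        print(f"min_peers={threshold}:")
        for alert in alerts(OBSERVATIONS, EXPECTED_ORIGINS, min_peers=threshold):
            print("  ", alert)
```

With `min_peers=1` the single-peer observation produces an alert; with the threshold at 3 only the origin change seen by six peers is reported.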



Re: Peering - Benefits?

2008-10-30 Thread Todd Underwood


On Thu, Oct 30, 2008 at 01:03:55PM +, HRH Sven Olaf Prinz von CyberBunker-Kamphuis MP wrote:

> (the amsix with their many outages and connected parties that rely
> primarily on its functionality is a prime example here)
>
> internet exchanges usually are some sort of hobby computer club, you
> cannot rely on them to actually -work-, but when they do work that's
> nice (always make sure you have enough paid capacity to cover for it
> when they do not work however!)

http://www.ams-ix.net/technical/stats/

certainly looks like over 500Gb/s of traffic across ams-ix.  that's a
big 'sort of hobby computer club'.  i wonder what all those hobbyists
are doing.

in all seriousness, the above post is ludicrous.  ams-ix runs one of
the most reliable exchange platforms on the planet due to an
incredible investment in optical switches and duplicate hardware.
it's expensive to run that way but the results have been incredible.

none of that is actually on-target for the original question about the
*value* (other than cost savings) of peering.

so far there have been some good values articulated and there may be
more (reach, latency, diversity of path, diversity of capacity,
control, flexibility, options, price negotiation) and some additional
costs have been mentioned (capex for peering routing, opex for the
peering itself + cross connects + switch fees + additional time spent
troubleshooting routing events). 

are there others?

> Confidential: Please be advised that the information contained in this
> email message, including all attached documents or files, is privileged
> and confidential and is intended only for the use of the individual or
> individuals addressed. Any other use, dissemination, distribution or
> copying of this communication is strictly prohibited.

i was not an individual addressed but the attached mail was sent to a
mailing list of 10k people.  HRH Sven Olaf is in violation of his own
policy about dissemination, distribution or copying.  

t.

--
_
todd underwood +1 603 643 9300 x101
renesys corporation
[EMAIL PROTECTED]   http://www.renesys.com/blog



vote now, please

2008-10-14 Thread Todd Underwood

apologies if this is off-topic, but the elections are really important
and many people on the list are not at the conference so i thought a
short reminder might be useful:

nanog is holding elections for steering committee members right now
and charter amendments right now.

more information:

http://nanog.org/governance/elections/2008elections/

go vote:

https://nanog.merit.edu/election/

if you can't remember your password:

https://nanog.merit.edu/registration/password.epl


this election matters.  the steering committee selects the program
committee and the mailing list committee.  they guide the selection of
conference locations.  they should be people with good judgement who
you respect.  

elections close at 1300PDT/1600EDT/2000UTC which is in approximately
two hours.  so vote right now!

canada is voting today too, so if you're canadian, vote here and then
vote there.  thanks :-)

t.

-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation
[EMAIL PROTECTED]   http://www.renesys.com/blog



lightning talks and the program committee

2008-10-11 Thread Todd Underwood
again wearing that chair of the nanog program committee hat

two quick reminders as many of us head towards LA for the conference:

1) there have been some excellent lightning talks submitted but there
are still more slots available than talks submitted.  if you have an
idea and can whip up an abstract by tomorrow and a talk by monday, you
still stand an excellent chance of getting to present at this nanog.
i've heard lots of good ideas that i have yet to see in lightning
talks.  so send 'em in!

http://www.nanogpc.org/lightning/ has the information on how to submit
talks.

2) many slots in the nanog program committee are opening up.  the
program committee is the group of 16 people responsible for
recruiting and selecting the entire set of talks/presentations/bofs
you see at nanog.  most of you are *positive* you could do a better
job than we have been doing.  of that i have no doubt.  so please
submit your name to be considered for a slot.  there is a certain
amount of work involved (about 4 conference calls per nanog and the
requirement to read/vote/comment on almost every submitted talk) but
the rewards in fame and infamy are well worth it.

more information is here:

http://www.nanog.org/governance/elections/2008elections/

you can nominate yourself or someone else by sending mail to:

[EMAIL PROTECTED]



looking forward to seeing many of you in LA tomorrow.

t.

-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation
[EMAIL PROTECTED]   http://www.renesys.com/blog



NANOG 45 Jan 25-28 in Santo Domingo, Dominican Republic

2008-10-07 Thread Todd Underwood
<hat org=NANOG Program Committee role=Chair>

NANOG45 will be held in the middle of the North American Winter in
beautiful Santo Domingo in the Dominican Republic on January 25-28.

 http://nanog.org/meetings/nanog45/

This is the first time that a NANOG has been held outside of the US or
Canada and everyone involved is excited about the opportunity.  It's
just like Toronto in February (which was actually fantastic) but it's
the Caribbean in January.  :-)

The Call for Presentations is already up:

 http://nanog.org/meetings/nanog45/callforpresent.php

Presentations can be submitted at http://www.nanogpc.org/ (please
ignore the references to NANOG44--we'll change those references over
to NANOG45 at the close of the NANOG44 conference).

If you have a good idea for a presentation but need some feedback or
some help developing it, please contact me and I'll be happy to either
work directly with you or find someone else on the program committee
to help you put together a presentation.

We have already received a number of early submissions for NANOG45 so
for the best chance to be accepted, please begin working on your
presentations now.

Thanks,

Todd Underwood
NANOG Program Committee Chair

</hat>

-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation
[EMAIL PROTECTED]   http://www.renesys.com/blog



Re: 198.32.64.12 -- Harmless mis-route or potential exploit?

2008-09-02 Thread Todd Underwood
dan,

(to follow up on david conrad's response)...

On Tue, Sep 02, 2008 at 04:31:40PM -0700, David Conrad wrote:
> On Sep 2, 2008, at 3:24 PM, Dan Mahoney, System Admin wrote:
>> While recently trying to debug a CEF issue, I found a good number of
>> packets in my debug cef drops output that were all directed at
>> 198.32.64.12 (which I see as being allocated to ep.net but
>> completely unused).
>
> As Steve Conte pointed out, that is the address that used to be used
> for l.root-servers.net.  l.root-servers.net was renumbered almost a
> year ago, with the announcement of the old address turned off about 6
> months ago.

there's some context on recent routing issues with this network
described at the renesys blog here:

http://www.renesys.com/blog/2008/06/securing_the_root_1.shtml

in short:  the prefix containing this network was advertised by people
other than iana for a time after iana stopped advertising it. 

checking our current data, that block is not currently routed by any
of our peers over the last month (i would assume ripe ris and
routeviews report similar data, but i did not check them).

t.

-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation    general manager babbledog
[EMAIL PROTECTED]   http://www.renesys.com/blog



[NANOG-announce] NANOG44 updated agenda, so register already

2008-07-30 Thread Todd Underwood
<hat org=NANOG program committee role=chair>

An updated agenda for NANOG44 has been posted at:

http://nanog.org/mtg-0810/agenda.html

you might notice that this NANOG features:

* Keynote by Vint Cerf of Google
* More tutorials than you can shake a stick at
* A panel of Internet Luminaries addressing the current
  addressing situation from a historical perspective
* A surfeit of IPv6 content (with some more likely before the
  event). 
* Lots of other great, operational presentations

So I would humbly suggest that you (collectively) register for NANOG44 

( https://nanog.merit.edu/registration/ )

as quickly as possible.  Discounted registration ends in less than two
weeks, so save yourself $75 and get registered.  You know you're going
to go, so just go already.  

I would *strongly* suggest you reserve a hotel room if you have not
already.  For the last several NANOGs all available discounted rooms in
the room block have gone very quickly.

( http://nanog.org/mtg-0810/hotel.html )

Note that the program is now effectively full (there are 2-3 slots
left that are saved for conditionally accepted talks that are already
in progress or any presentations dealing with late-breaking events,
but the event would have to be exceptionally significant and
interesting).  If you didn't submit for this NANOG conference, please
consider submitting a presentation for NANOG45.  

See y'all (that's yinz in Pittsburgh :-) in LA.

t.

</hat>

-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation    general manager babbledog
[EMAIL PROTECTED]   http://www.renesys.com/blog




[NANOG-announce] NANOG 44 Call For Presentations Posted

2008-06-11 Thread Todd Underwood

The Call for Presentations for NANOG 44, to be held in Los Angeles, CA
October 12 - 15 is posted:

http://www.nanog.org/mtg-0810/callforpresent.html

The deadline for submissions is July 7 (fast approaching) so please
post your abstracts at:

http://www.nanogpc.org/ 

where you will receive instructions on how to submit slideware.

If you have a good idea for a presentation but need some feedback or
some help developing it, please contact me and I'll be happy to either
work directly with you or find someone else on the program committee
to help you put together a presentation.

Note also that this conference is held just before the ARIN meeting in
LA and we are working on programming Wednesday morning to be of
special interest to the ARIN audience.  So any engineering or
operations talks that impact registry policies under consideration
would be most appreciated for that segment.  

The CFP lists a number of subjects we're interested in, but as previous
NANOG attendees know:  if it's on-topic on the mailing list and of
interest to network operators, we want it in the program.

Submissions have already started rolling in, so for the best chance to
have your talk accepted, please submit by the deadline above.

Thanks,

todd underwood
NANOG Program Committee Chair

-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation    general manager babbledog
[EMAIL PROTECTED]   http://www.renesys.com/blog




[NANOG-announce] NANOG43 survey for on-site and remote attendees

2008-06-03 Thread Todd Underwood

The survey for NANOG43 is currently available at:

http://www.surveymonkey.com/s.aspx?sm=cv7fRvxyfEFSR2ds8Tvm8w_3d_3d

the Program Committee and (speaking for them) Steering Committee of
NANOG desperately want to know what you think about this NANOG so that
we might use that feedback in the planning for future NANOGs.

so whether you are attending on-site or via the webcast, please take a
couple of minutes to fill out the survey.

thanks!

todd
NANOG PC chair

-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation    general manager babbledog
[EMAIL PROTECTED]   http://www.renesys.com/blog




[NANOG-announce] Program Committee Nominations

2008-05-27 Thread Todd Underwood

Attached are all of the current nominations to the nanog program
committee.  comments in support (or opposition) to any candidate can
be made to the nanog steering committee [EMAIL PROTECTED]

(if you submitted a nomination and you do not see it here, please
notify me immediately, resend it and we'll get it added).  thanks,

todd underwood
chair, nanog program committee


Nominated by David Conrad
- Nominee's name (if not you)
- Nominee's email address: [EMAIL PROTECTED]
- Reason why:

I was the co-founder and original program chair committee for APRICOT
for 3 years, been loosely involved with APRICOT since then.  Been
doing various jobs in network infrastructure since around 1983.  I'm
fairly well versed in network operations, at least from a non-router
jockey point of view.  Due to a change in my job responsibilities, I
have a bit of time that could be supported by my company (ICANN) to do
this sort of thing.


Nominated by Aaron Hughes
- Nominees name: Randy Epstein
- Nominees email: [EMAIL PROTECTED]
- Reason why:
For starters, take a look at his linkedin profile:
http://www.linkedin.com/profile?viewProfile=key=11803139
He has a hell of a lot of industry experience, a great
personality, is well known in the community and respected for his
decisions.  I believe Randy would make a fantastic addition to the PC.


Nominated by Michael K. Smith
- Nominee's name (if not you)
- Nominee's email address: [EMAIL PROTECTED]
- Reason why:
Strong desire to see NANOG continue to be relevant to the largest
group of people possible through a diverse and dynamic program
offering.
- I have a keen sense of irony
- I have a thick skin
- I've been attending NANOG since 1998
- I have a diverse networking background that includes at least one
thing at each of the OSI Extended Layers through 12.
- I would really enjoy giving back to a community that has given me
a lot over the years (seriously).


Nominated by jared mauch
- Nominees name: Mike Long
- Nominees email: [EMAIL PROTECTED]
- Reason why:
Mike is our top operations guy for our backbone and would be an
asset in providing critical reviews of presentations. I hope he
accepts this nomination!


Nominated by John G. Scudder
- Nominee's name: Ron Bonica
- Nominee's email: [EMAIL PROTECTED]
- Reasons why:
Ron has a long history with Internet operations, first as an operator
(Internet MCI, VBNS) and now as IETF Operations Area co-director.  I
think this would be a good opportunity to improve communications
between the operations community and the IETF.  Also, Ron is very easy
to get along with!


  - Nominator Kevin Epperson
  - Nominate Brian Deardorff
  - [EMAIL PROTECTED]
  - 720-888-1227
  - Brian has extensive experience working for ISPs going back to 1995
racking and stacking Portmasters.  He is currently a senior engineer
at Level 3 working on multiple products and technologies in the layer
2/3/4 space.  He would be a great addition to the program committee
bringing both technical expertise and outstanding industry knowledge
from an ISP point of view.  Please consider this nomination for Brian
to the NANOG PC.  Please contact me if you have any questions.


 - Your name:   Richard Steenbergen
 - Nominee's name (if not you):Tom Scholl
 - Nominee's email address:[EMAIL PROTECTED]
 - Reasons why you believe the nominee is qualified to serve on the Program 
Committee.
   Tom is very experienced in the operation of large scale networks,
and a frequent contributor to the NANOG program. His many years of
experience at SBC/AT&T would be an excellent replacement to the value
Ted Seely brought to the Program Committee with his experience from
Sprint.


- Nominee's name (if not you) - Celeste Anderson
- Nominee's email address - [EMAIL PROTECTED]
- Reasons why you believe the nominee is qualified to serve on the
  Program Committee

quoting bill woodcock: Celeste has been at the center of the
Southern-California academic networking scene for, I believe, twenty
years.  Which is about as long as there's been an Internet that
counts.  She ran the Los Angeles IXP since it was established in
1994/1995, and grew it very well, way beyond how it could have grown
if it had been done solely as an academic project.  She included all
kinds of commercial and governmental folks, roped in One Wilshire,
etc.  Very active in getting everybody there to peer, regardless of
many of them not having much of any language in common, since LA is
such a big hub for Asian traffic.  At the same time that she was doing
all the outward-facing IXP stuff, she was also equally active in Los
Nettos, the SoCal R&E network.  Lots of contacts within the research
community, the peering community, the network ops community, and the
R&E-specific-networking community.


-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation

[NANOG-announce] Lightning Talk submissions open for NANOG42

2008-05-21 Thread Todd Underwood
/me dons the NANOG PC Chair hat again

Lightning talk submissions for NANOG42 are now open:

http://nanogpc.org/lightning/

Lightning talks are short talks of interest to the audience in line
with the rest of the program.  They are strictly limited to 10 minutes
(including questions).  Lightning talks are selected by the program
committee during the conference but we will probably select the first
round of lightning talks just prior to the start of the conference.

Get your submissions in.

/me takes off the hat and wipes his brow

-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation    general manager babbledog
[EMAIL PROTECTED]   http://www.renesys.com/blog




[NANOG-announce] New socials for NANOG 42 Brooklyn -- Register

2008-05-21 Thread Todd Underwood
<hat org=NANOG group=program committee role=chair>

howdy,

NANOG42 will take place in brooklyn, NY in about a week and a half.
there are two new socials (you can read socials as free drinks and
snacks) that have been added to the agenda at 

http://nanog.org/mtg-0806/agenda.html

* equinix is sponsoring a social on tuesday evening:

   http://nanog.org/mtg-0806/invitation.html

* and our host, Telx is sponsoring an event on wednesday evening:

   http://nanog.org/mtg-0806/invitation2.html

both events are open to all nanog attendees.


if you have not yet registered for NANOG42, please do so now.  the
hotel rooms at good rates are all gone, but the registration numbers
indicate that many of you are waiting until the last minute to
register.  please take a minute to do so now so that we can have a
more accurate count of the number of expected attendees:

https://nanog.merit.edu/registration/


thanks,

todd

</hat>


-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation    general manager babbledog
[EMAIL PROTECTED]   http://www.renesys.com/blog




[NANOG-announce] Program Committee Vacancy Call for Volunteers Extension

2008-05-21 Thread Todd Underwood
. o O ( i'm thinking about just leaving this program committee chair
hat on)

the call for volunteers to the nanog program committee (originally
sent:

http://mailman.nanog.org/pipermail/nanog/2008-April/000153.html

) has been extended through the end of the weekend (to sunday, 25 may
2008).  there were some miscommunications among nominators and the
program committee that means that a number of nominations and
solicitations did not take place in a timely fashion.  i believe the
fair thing to do is to extend the time frame for several days to make
it possible for everyone who is interested in this seat to offer their
name.

so if you're interested, review the call for volunteers and submit
your name promptly, please.

thanks,

todd

-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation    general manager babbledog
[EMAIL PROTECTED]   http://www.renesys.com/blog




[NANOG] [NANOG-announce] NANOG43 in Brooklyn Registration Hotel -- Cheap rates going going ...

2008-04-26 Thread Todd Underwood
y'all,

just to remind everyone:

the discounted rate of registration for NANOG43 in Brooklyn expires
Tuesday, April 30.  after April 30, rates go up from $450 to $525.  so
if you want to save $75, please register now.

https://nanog.merit.edu/registration/

almost more importantly, cheap hotel rates are expiring may 14, but
they are only available on a first come basis.  they're running out.
so if you plan to attend the event, register for the hotel now:

http://nanog.org/mtg-0806/hotel.html

the agenda is basically final as well:

http://nanog.org/mtg-0806/agenda.html

the program committee will be accepting lightning talks for
late-breaking or shorter presentations, but those will be accepted
closer to the event (or at the event itself).

see you in brooklyn.

t.
(chair of the program committee)

-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation    general manager babbledog
[EMAIL PROTECTED]   http://www.renesys.com/blog


___
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog


Re: 40Gbit private peer

2007-08-02 Thread Todd Underwood


> we have brought up what we believe is the first private
> peer at 40G between two independent networks.

40G.  cool.

>   30 second input rate 77849000 bits/sec, 7236 packets/sec
>   30 second output rate 17464000 bits/sec, 5023 packets/sec

or 77Mb/s.  

hrm.  so confusing.  

i regularly do 80+Mb/s on 100 Mb/s full duplex links.  perhaps you
should have considered that technology for this application.  Or even
copper or fiber gigabit interfaces.

i think you'll find that both options are considerably cheaper for the
traffic that you have.  you may be able to use the remaining capex
spend on other gear inside of your network.

t.


-- 
_
todd underwood +1 603 643 9300 x101
renesys corporation    vp operations and professional svcs
[EMAIL PROTECTED]   http://www.renesys.com/blog/todd.shtml