Re: DDOS solution recommendation

2015-01-12 Thread William F. Maton Sotomayor


On Mon, 12 Jan 2015, Mike Hammett wrote:


So the preferred alternative is to simply do nothing at all? That seems fair.


Not at all.  But it is your network and only you know which of the suggested 
approaches others have already run through are best for your environment.


But if you haven't yet done so, help the rest of us and deploy BCP38 too. :-)

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



- Original Message -

From: "Christopher Morrow" 
To: "Brandon Ross" 
Cc: "Mike Hammett" , "NANOG list" 
Sent: Monday, January 12, 2015 3:05:14 PM
Subject: Re: DDOS solution recommendation

On Mon, Jan 12, 2015 at 3:17 PM, Brandon Ross  wrote:

On Sun, 11 Jan 2015, Mike Hammett wrote:


I know that UDP can be spoofed, but it's not likely that the SSH, mail,
etc. login attempts, web page hits, etc. would be spoofed as they'd have to
know the response to be of any good.



Okay, so I'm curious. Are you saying that you do not automatically block
attackers until you can confirm a 3-way TCP handshake has been completed,
and therefore you aren't blocking sources that were spoofed? If so, how are
you protecting yourself against SYN attacks? If not, then you've made it
quite easy for attackers to deny any source they want.


this all seems like a fabulous conversation we're watching, but really
.. if someone wants to block large swaths of the intertubes on their
systems it's totally up to them, right? They can choose to not be
functional all they want, as near as I can tell... and arguing with
someone with this mentality isn't productive, especially after several
(10+? folk) have tried to show and tell some experience that would
lead to more cautious approaches.

If mike wants less packets, that's all cool... I'm not sure it's
actually solving anything, but sure, go right ahead, have fun.

-chris



wfms


Re: Multicast Internet Route table.

2014-09-02 Thread William F. Maton Sotomayor

On Tue, 2 Sep 2014, Jeff Tantsura wrote:


It is not the network devices per se, it is additional configuration,
security, MSDP peering, etc, i.e. OPEX

Business justification for such effort is not obvious, (most of multicast
deployments I have done in my previous life were because I loved the
technology, not because of business needs :))


Ditto, although business needs played a part as well. :)

wfms


Re: Multicast Internet Route table.

2014-09-02 Thread William F. Maton Sotomayor

On Tue, 2 Sep 2014, S, Somasundaram (Somasundaram) wrote:


Members
I have a few questions related to Multicast deployment in the internet today.


Inter-domain I am assuming.


1: Do all the ISPs provide Multicast Routing by default?


Probably not a majority, but it is found on research networks like 
Internet2, GEANT, etc and any of their member networks.



2:  Is there any placeholder where one can get to know the Multicast Internet 
Route table (usage, stability etc) just like Unicast Route table 
(http://bgpupdates.potaroo.net)?


One such place, long running:

https://nic.nrc.ca/bgp-mcast/bgp-active.html

There may be others on the networks mentioned above...

wfms


Re: Listing or google map of peering exchange

2014-07-09 Thread William F. Maton Sotomayor

On Wed, 9 Jul 2014, Paul Stewart wrote:


I've actually been working on a site like that for a while (with Google
Maps) - just never got around to putting it online.   Honestly I wasn't
sure if there was an interest in it :)


chop-chop! :)



Paul


On 2014-07-09, 2:18 PM, "Dennis Burgess"  wrote:


Looking for a good listing of US/Canada peering exchange, similar to
Torx in Toronto... Google map listing would be nice :)



Dennis Burgess, Mikrotik Certified Trainer Author of "Learn RouterOS-
Second Edition  "

Link Technologies, Inc -- Mikrotik & WISP Support Services

Office: 314-735-0270   Website:
http://www.linktechs.net   - Skype: linktechs


-- Create Wireless Coverages with www.towercoverage.com
  - 900Mhz - LTE - 3G - 3.65 - TV Whitespace


wfms


Re: Listing or google map of peering exchange

2014-07-09 Thread William F. Maton Sotomayor


On Wed, 9 Jul 2014, Dennis Burgess wrote:


Looking for a good listing of US/Canada peering exchange, similar to
Torx in Toronto... Google map listing would be nice :)


Telegeography may have this

or:

https://prefix.pch.net/applications/ixpdir/

wfms


Re: Canada and IPv6 (was: Ars Technica on IPv4 exhaustion)

2014-06-20 Thread William F. Maton Sotomayor


On Thu, 19 Jun 2014, jim deleskie wrote:


Those all sound like legit business questions.


Yup.  On the other hand, at the other end of the customer spectrum:

http://www.tbs-sct.gc.ca/it-ti/ipv6/ipv6tb-eng.asp


-jim


On Thu, Jun 19, 2014 at 2:45 PM, William F. Maton Sotomayor wrote:

On Wed, 18 Jun 2014, Sadiq Saif wrote:

On 6/18/2014 14:25, Lee Howard wrote:

Canada is way behind, just 0.4% deployment.


Any Canadian ISP folk in here want to shine a light on this dearth of
residential IPv6 connectivity?

Is there any progress being made on this front?


Teksavvy does it (tunnel I believe) if you ask.

Otherwise it's the usual:

- 'why do we need this?';
- 'It costs money to upgrade for something low-demand';
- 'What's the market?';
- 'I don't have time';
- 'Aw gee do I have to??'

wfms

wfms


Re: Canada and IPv6 (was: Ars Technica on IPv4 exhaustion)

2014-06-19 Thread William F. Maton Sotomayor

On Wed, 18 Jun 2014, Sadiq Saif wrote:


On 6/18/2014 14:25, Lee Howard wrote:

Canada is way behind, just 0.4% deployment.


Any Canadian ISP folk in here want to shine a light on this dearth of
residential IPv6 connectivity?

Is there any progress being made on this front?


Teksavvy does it (tunnel I believe) if you ask.

Otherwise it's the usual:

- 'why do we need this?';
- 'It costs money to upgrade for something low-demand';
- 'What's the market?';
- 'I don't have time';
- 'Aw gee do I have to??'

wfms


Re: Anternet

2014-05-06 Thread William F. Maton Sotomayor

On Tue, 6 May 2014, Dave Crocker wrote:


On 4/4/2014 11:32 PM, Andrew D Kirch wrote:

So, if there's more than 4 billion ants... what are they going to do?



get larger ants.


No, no.  The solution is far simpler than that, and would probably give a 
good example of real-world population control.  Just get an ant-eater.



(and the responses have now covered both pro forma responses.)

d/

--
Dave Crocker
Brandenburg InternetWorking
bbiw.net



wfms


Re: Recommendation on NTP appliances/devices

2014-04-04 Thread William F. Maton Sotomayor

On Thu, 3 Apr 2014, David Hubbard wrote:


Anyone have recommendations on NTP appliances; i.e. make, model, gps vs
cell, etc.?  Roof/outdoor/window access not available.  Would ideally
need to be able to handle bursts of up to a few thousand simultaneous
queries.  Needs IPv6 support.


For some diversity you could try:

- WWVB/CHU radio with a good indoor antenna into an appliance
- CDMA, which yes is based on GPS, but tied with Rb oscillator can carry
  over any reception outages (CDMA or GPS)
- Of course just set up an NTP server that peers to pool.ntp.org
  (but perhaps the least desirable)

I've seen good results using the Endrun CDMA units as well as the
WWVB units, both appliances and IPv6-enabled.  Symmetricom does this too.

wfms



Re: AlbertaIX - no longer a Cybera project?

2013-09-09 Thread William F. Maton Sotomayor

On Sat, 7 Sep 2013, Theo de Raadt wrote:


Mike Leber wrote:

Facility and parties willing, hopefully there will be a YYCIX switch in
Cybera.


Interesting idea, how the heck did I miss that.


Indeed, if multiple IX pops in any given locale makes sense, then it is 
worth pursuing - providing there is a benefactor willing to aid in the 
cross connect between the pops or an economic model enabling the IXP to do 
it itself.



In Canada, the other collision preventing exchanges from showing up is
the CANARIE content peering model, which by providing free content
access to schools and such takes many (young bandwidth hungry)
eyeballs out of the equation for IX development and growth:


This isn't a new idea actually.  It was first proposed on the CANARIE 
techs mailing list way back in mid-2000 I believe.  In any case it is a 
replication of the Internet2 CDS effort.  Not sure how well this has 
caught on, but since CANARIE are now charging user fees, it remains to be 
seen how far it goes.



Time for change?


There once was a proposal back in the day that CANARIE POPs should be 
co-located at either universities (offering a neutral venue for everyone) 
or at least with other IXPs... Oh, what IXPs?  The idea quickly evolved to 
CANARIE establishing some IXPs but this was very quickly shot down (IIRC) 
by the then CANARIE board as it was seen to be interference by CANARIE in 
municipal affairs - because back then municipal dark fibre builds were all 
the rage.  WHET those BTW?


In any case, I did persuade CANARIE to peer to at least one IXP in Canada 
to pick peering instead of doing a backhaul for all the peerings into the 
USA.  My little bit of contribution to the IXP cause.  However, given the 
science and academic population in CANARIE's network, I do know it is felt 
in some quarters to be of no real benefit to peer at IXPs.


wfms



Re: Vancouver IXP - VanTX - BCNet

2013-08-21 Thread William F. Maton Sotomayor

On Wed, 21 Aug 2013, bmann...@vacation.karoshi.com wrote:


IIRC, Albuquerque has NMIX which I think was setup as for-profit.  (John
Brown are you still here?)  Well over a decade ago now, my recollection is
fuzzy.  I don't recall the reasoning in choosing for-profit over
not-for-profit.


[NMIX couldn't pay its bills so it lost a lot of support/clients]


Ah thanks for that update.

You've reminded me of another point:  While it is admirable that CIRA (and 
probably other similar counterparts are watching) looking to establish 
IXPs, my anxiety lies with the future:  Given everything that's already 
been written, are any of these IXPs capable of becoming self-sustaining in 
the future?  It's a rhetorical question applicable to any starting IXP and 
requires an understanding of the local environment.


wfms



Re: Vancouver IXP - VanTX - BCNet

2013-08-21 Thread William F. Maton Sotomayor

On Wed, 21 Aug 2013, Randy Bush wrote:


and i would add carrier neutrality, i can haul fiber from anyone into
the exchange.  this is pretty critical in the exchanges where i have
played.


Facility neutrality especially.  If the IXP is inside a non-neutral DC, 
it and its peers are always under constant threat of being squeezed out or 
shutdown by any number of circumstances.  If the co-lo business were 
separate from the facility business, it may be a better environment since 
the IXP could convince the facility to host it, which the co-lo business 
could then be attracted to.  All depends on the circumstances and 
environment.


wfms



Re: Vancouver IXP - VanTX - BCNet

2013-08-21 Thread William F. Maton Sotomayor

On Wed, 21 Aug 2013, Clayton Zekelman wrote:

Just wondering aloud if an ISP that did have commercial interest could run a 
non-member driven exchange point successfully as long as they had pricing and 
policies that were similar to member driven exchange points.


Very interesting that you raise that.

IIRC, Albuquerque has NMIX which I think was setup as for-profit.  (John 
Brown are you still here?)  Well over a decade ago now, my recollection is 
fuzzy.  I don't recall the reasoning in choosing for-profit over 
not-for-profit.


As for ISPs doing it, there are clear examples in the wild today, but... 
Many buts.  That ISP would have to be quite benevolent.  In the long run.

New MGMT/owners and then...?

I have a facility in Windsor, Ontario that is well connected, has all the 
physical infrastructure necessary, the ability to provide relatively low cost 
local fibre loops, has an open policy towards other carriers providing 
transport loops, but alas, it wouldn't be perceived as "neutral".


The only reason why we (OttIX) followed the path of not-for-profit (and 
all that it comes with, from beloved loons to passionate supporters to the 
somewhat silent majority) was to give the community of interest (gawd what 
a PC-style phrase) assurance that the IXP would not be held hostage to a 
bottom-line or to the dictates of the single owner.  In other words, 
neutral.


(Now going for-profit could have been tempered with issuing one share per 
peer and having share-holders, etc, but we're starting to delve into 
philosophical viewpoints which in turn have consequences, advantages and 
disadvantages too numerous to get into here.)


Community of interest of course is the other magical ingredient that is 
necessary.  Not sure how many ISPs would want to peer in Windsor...


If I were looking strictly at bottomline and had the same cost option 
between connecting to an IX in Ottawa/Windsor as going to Toronto, I'd go 
to Toronto.  $dayjob was public sector:  We believed the more we peer 
with, the greater the benefit to public citizen (along being able to 
divide and conquer potential DDOS).  Of course there are those who don't 
subscribe to that notion... so what do I know?


But, do what we did, throw it out there and try it just to see if there's 
any interest Windsor.  Get the packets flowing, forget the paperwork and 
managerial super-structure for now.  Talk to CIRA, get them to listen to 
you, you listen to them.  OttIX started with a Paradyne DSLAM as switch 
core and many peers coming in on $40/month xDSL lines, just to see if 
there was a point.


That's one decade gone, already into another

wfms



Re: Vancouver IXP - VanTX - BCNet

2013-08-21 Thread William F. Maton Sotomayor

On Wed, 21 Aug 2013, Randy Bush wrote:


In Montreal, is anyone at the Peer1 exchange other than Peer1?

Peer1 exchanges are only open to Peer1 customers, I believe. At least,
that's how it worked in Toronto the last time I looked.


that is not an exchange.  most isps have switches in their transit
infrastructure.


+1

The Peer1 setups remind me very much of what Group Telecom (defunct 
Canadian backbone provider) did in the very late 90's and the very early 
part of the last decade.  They had them in nearly every city they had 
their facilities, but the GT IXPs never caught on ($$$ to get inside the 
facility and they played hard ball against incumbent access effectively 
making them closed unless direct GT customers.)


wfms



Re: Vancouver IXP - VanTX - BCNet

2013-08-21 Thread William F. Maton Sotomayor

On Tue, 20 Aug 2013, Jonathan Stewart wrote:


You named 2 IXPs, and only got one right. A year ago, there were two
active: TORIX in Toronto, and OTTIX in Ottawa.  Ottawa is too close to
Toronto to have an impact, so OTTIX has remained small.  Having only 2 open


That's not entirely accurate.

The fact is the Ottawa market - as well as the Eastern Ontario market - had 
a large number of very small ISPs in the area a decade ago.  So OttIX had 
many ISPs but little traffic.  After a major market consolidation (buyouts, 
mergers, etc) the number of peers declined quite a bit - but the traffic 
increased.


In the meantime, within the province of Ontario, LANX costs became 
effectively the same (to us) to go from one end of the city to the 
other as the cost to go between cities.  Even at the $dayjob, we took 
advantage of this and simply dragged another LANX over to TorIX.
Heck, even OttIX had a POP at 151 Front in Toronto which saw enormous 
growth.


So in that sense, OttIX achieved one of its primary objectives and that 
was to drive transit costs down in what is effectively a one-company town.



IXPs, 400 km apart in a country 5000 km wide is not good enough.


5000 km in length by 100 km in width, as most of the population lives within 
100 km of the Canada-US border, but yes, it's a big country.



Since then, QIX in Montreal has opened up from a research-only IXP, to a
neutral peering facility.  MBIX in Winnipeg has started, and YYCIX in
Calgary is up and running as well.  Vancouver is still lacking.


BCNet would beg to differ. :-)

There's also VicTX in Victoria run by BCNet.  (Granted, some might simply 
say those are nothing more than BCNet aggregation hubs - but judge 
for yourselves please.)



Currently, the aforementioned established big players are not at all
interested in our exchange, they don't talk to us.  Only exception is
Hurricane Electric, who recently joined, dropping wholesale bandwidth costs
in Winnipeg *dramatically*.


IXPs in Canada have been particularly effective in doing this, especially 
in Ottawa where in 2003 it was something like $550 per megabit/month.  One 
of the OttIX members (IGS) offered $200 and well, a number of OttIX peers 
went to town with that.  The rate grudgingly dropped to $333 by 2006 until 
$MGMT allowed me to break out in other places to leverage even lower 
pricing.  As of 2011 the best price I could get here was $90 but we 
already got out of Dodge by then.


All to say the effects of an IXP in a certain locale were positive for the 
end-consumers (ISPs mainly) of transit.



BTW, in Winnipeg we still have the problem of cross-continent traffic paths
to send data across the street.  Worst case is something like this:
Winnipeg--Chicago--Toronto--Vancouver--Calgary--Winnipeg. That's a 15,000
km round trip.  MBIX can help with that.


For a good view of the Canadian perspective on those and more, see:

http://www.ixmaps.ca/index.php

We've contributed a lot of traceroutes, ditto via $dayjob given the 
diverse footprint of the network (national research backbone - not 
CANARIE's though) just to see how our traffic runs about the country as 
well as outside.  Some surprises there.  (I think CIRA funded that one as 
well.)


wfms



Re: Big day for IPv6 - 1% native penetration

2012-11-20 Thread William F. Maton Sotomayor


APNIC labs have an interesting set of numbers on IPv6 uptake as well.

http://labs.apnic.net/measureipv6/

On Tue, 20 Nov 2012, Owen DeLong wrote:


It is entirely possible that Google's numbers are artificially low for a number
of reasons.

Owen

On Nov 20, 2012, at 5:31 AM, Aaron Toponce  wrote:


On Tue, Nov 20, 2012 at 10:14:18AM +0100, Tomas Podermanski wrote:

   It seems that today is a "big day" for IPv6. It is the very first
time when native IPv6 on google statistics
(http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some
might say it is tremendous success after 16 years of deploying IPv6 :-)


And given the rate on that graph, we'll hit 2% before year-end 2013.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o


wfms



Re: Plages d'adresses IP Orange

2012-11-19 Thread William F. Maton Sotomayor


It would be better if you contacted Orange directly.

On Mon, 19 Nov 2012, jipe foo wrote:


Hello everyone,

Could someone from Orange (or elsewhere) give me more information on the
following address ranges:

inetnum:81.253.0.0 - 81.253.95.255
netname:ORANGE-FRANCE-HSIAB
descr:  Orange France / Wanadoo service
country:FR
admin-c:AR10027-RIPE
tech-c: ER1049-RIPE

inetnum:90.96.0.0 - 90.96.199.255
netname:ORANGEFRANCE-WFP
descr:  Orange France - WFP
country:FR
admin-c:ER1049-RIPE
tech-c: ER1049-RIPE

Are these address ranges for mobiles, Livebox or shared WiFi connections
(at least for the second one)?

Thanks in advance,

--
J



wfms


RE: Internet routing table "completeness" monitoring?

2012-10-03 Thread William F. Maton Sotomayor

On Wed, 3 Oct 2012, Joseph Jackson wrote:


I have cacti graph the amount of prefixes announced and withdrawn from a BGP 
peer on each BGP router.


+1

Note that not all router OSs support fetching data like that via SNMP.

We use a custom-built thing internally that does this too, which we then 
tack on an alert threshold for.  So if a downstream peer sends us less 
than that, we get an alert.  Handy for those times when they call and ask 
us what we did to their network. :-)


Prior to that, we had a script which would login, munge the 'show ip bgp 
summary' table output, figure out the deltas and graph or report as 
needed on a particularly troublesome peer.


-Original Message-
From: ML [mailto:m...@kenweb.org]
Sent: Tuesday, October 02, 2012 11:43 PM
To: North American Networking and Offtopic Gripes List
Subject: Internet routing table "completeness" monitoring?

Has anyone put in place a method to identify if one of their BGP peers suddenly 
withdraws X% of their prefixes?

e.g. I should expect ~420k prefixes in a "complete"[1] routing table from a 
transit peer today.  If suddenly I'm only getting 390k prefixes I'd guess a major network 
was depeered or similar.

If so how are people doing this? SNMP MIB, screen scrape?



[1] Varying levels of completeness apply.


wfms
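An added example, not code from the thread, of the approach wfms describes: parse two 'show ip bgp summary' snapshots, work out the per-peer delta, and alert when a peer is down or sends fewer prefixes than the threshold you tacked on. The router output, neighbour addresses, AS numbers and prefix counts below are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed Cisco-style 'show ip bgp summary' snapshots (not real router output).
SNAPSHOT_T0 = """\
BGP router identifier 192.0.2.1, local AS number 64500
BGP table version is 500, main routing table version 500

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.10      4 64501   12345   12000      500    0    0 1w2d        420117
192.0.2.20      4 64502    9876    9800      500    0    0 3d04h       419880
192.0.2.30      4 64503     100     100      500    0    0 00:02:10    Idle
"""

SNAPSHOT_T1 = """\
BGP router identifier 192.0.2.1, local AS number 64500
BGP table version is 501, main routing table version 501

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.0.2.10      4 64501   12350   12004      501    0    0 1w2d        420120
192.0.2.20      4 64502    9900    9810      501    0    0 3d04h       390002
192.0.2.30      4 64503     102     101      501    0    0 00:05:10    Active
"""

# A neighbour row starts with an IPv4 or IPv6 address, then the BGP version
# column (always 4) and the remote AS number; banners and the header do not.
ROW_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}|[0-9A-Fa-f:]*:[0-9A-Fa-f:]*)\s+4\s+\d+\s")


def parse_bgp_summary(text: str) -> Dict[str, Optional[int]]:
    """Map neighbour -> prefixes received, or None when the session is not
    Established (the last column then carries a state such as Idle or Active)."""
    peers: Dict[str, Optional[int]] = {}
    for line in text.splitlines():
        if not ROW_RE.match(line):
            continue  # banner lines, column header, blank lines
        fields = line.split()
        last = fields[-1]
        peers[fields[0]] = int(last) if last.isdigit() else None
    return peers


def check_peers(current: Dict[str, Optional[int]],
                previous: Dict[str, Optional[int]],
                expected: Dict[str, int],
                min_percent: int = 95) -> List[Tuple[str, str]]:
    """Alert on peers that are down or sending fewer than min_percent of the
    prefix count we expect from them; report the delta versus the last run."""
    alerts: List[Tuple[str, str]] = []
    for nbr, count in current.items():
        if count is None:
            alerts.append((nbr, "session not established"))
            continue
        floor = expected.get(nbr, 0) * min_percent // 100  # integer maths, no rounding surprises
        if count < floor:
            prev = previous.get(nbr)
            delta = "" if prev is None else f" (was {prev}, delta {count - prev:+d})"
            alerts.append((nbr, f"{count} prefixes received, below threshold {floor}{delta}"))
    return alerts


# Per-peer expectation: roughly a full table from each transit, as in ML's question.
EXPECTED = {"192.0.2.10": 420000, "192.0.2.20": 420000}


def run_check() -> List[Tuple[str, str]]:
    """Compare the newer snapshot against the older one with the thresholds above."""
    return check_peers(parse_bgp_summary(SNAPSHOT_T1),
                       parse_bgp_summary(SNAPSHOT_T0), EXPECTED)


if __name__ == "__main__":
    for nbr, msg in run_check():
        print(f"ALERT {nbr}: {msg}")
```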



Re: RFC becomes Visio

2012-10-02 Thread William F. Maton Sotomayor

On Tue, 2 Oct 2012, Michael Hallgren wrote:


On Tuesday, 2 October 2012 at 23:25 +0200, Dan Luedtke wrote:

On Fri, 2012-09-28 at 19:31 +0100, Nick Hilliard wrote:

Here's a visio diagram you can send them:

http://www.foobar.org/~nick/bgp-network-diagram.vsd


Is there a .png version of it somewhere?
The whole thread made my day, I'm eager to see this diagram as well.
I don't have this MS Visio thingy you all use to set up your Avian
Carrier BGP sessions...


Don't use ``MS Visio thingy'', prefer TeX with metapost, PGF/TikZ (or
PSTRicks). The output is by far more beautiful, and maintaining the
document much more slim.


I still miss doing this stuff using gpic/groff. ;-)

wfms


Re: RFC becomes Visio

2012-09-28 Thread William F. Maton Sotomayor

On Fri, 28 Sep 2012, Joe Maimon wrote:

Just got told by a Lightpath person that in order to do BGP on a customer gig 
circuit to them they would need a visio diagram (of what I don't know).


Has anybody else seen this brain damage?


In my quaint little corner of the world, this was once fairly routine 
actually.  It seems to have been more popular amongst the enterprise crowd 
than anything else.




Joe



wfms



Re: The Cidr Report

2011-10-16 Thread William F. Maton Sotomayor

On Sun, 16 Oct 2011, Aftab Siddiqui wrote:


success.


what would help?


I guess rpki would help and a banner during every NOG/RIR meeting showing
top polluters.


A similar thing was done at a USENIX in Monterey over a decade ago.  The 
point behind that one was to drive home how bad it was for the attendees 
to use telnet to their boxes at the mothership.  Nothing like seeing 
people watch their passwords put up on two screens to teach them about 
SSH.


Granted, placing the CIDR report up on a screen may not have the same 
effect, but as NANOGs get video recorded, it's a lot harder to explain 
in the future why you were on that list.  Somehow the visual is more 
powerful than pretending an erased email doesn't make it into a web 
archive.



I seriously don't understand why an RIR can't send at least a notice to
those announcing bogus prefixes. A letter in RED mailed to the business
address would help.


May be a useful angle for the RIRs to pursue - but are RIRs in the routing 
police business?


wfms



Re: [routing-wg] BGP Update Report

2011-10-16 Thread William F. Maton Sotomayor

On Sat, 15 Oct 2011, Keegan Holley wrote:


+1

good to get a view from multiple sources even if they are automated.  Should
be easy enough to filter for those that do not want them.


Plus it's helped me in the past catch a very massive (well, OK, it was 
less than a hundred unaggregated routes run off into the Internet) leak, 
which forced me to learn about prefix-lists and such.  So for those that 
care enough about their own networks, it can be a catalyst to learning 
something new.




2011/10/15 William F. Maton Sotomayor 


On Sat, 15 Oct 2011, Lynda wrote:

 On 10/15/2011 4:26 AM, Geoff Huston wrote:



While I am at it, does anyone read this report, or is this weekly report
also just part of the spam load on this list?



I read both of them, and also the Weekly Routing Report. I will regret the
loss, and consider all three to be far more valuable than 90% of the traffic
on the list.



+1

The reports are also useful to do a double-check on changes I've made from
the perspective of others (even if they are automated tools).

wfms


wfms



Re: [routing-wg] BGP Update Report

2011-10-15 Thread William F. Maton Sotomayor

On Sat, 15 Oct 2011, Lynda wrote:


On 10/15/2011 4:26 AM, Geoff Huston wrote:
While I am at it, does anyone read this report, or is this weekly report 
also just part of the spam load on this list?


I read both of them, and also the Weekly Routing Report. I will regret the 
loss, and consider all three to be far more valuable than 90% of the traffic 
on the list.


+1

The reports are also useful to do a double-check on changes I've made 
from the perspective of others (even if they are automated tools).


wfms



Re: IPv6 words

2011-06-23 Thread William F. Maton Sotomayor


(Warning:  This email contains scenes of flashbacks)

On Thu, 23 Jun 2011, Jeroen van Aart wrote:

I am sure it has come up a number of times, but with IPv6 you can make up 
fancy addresses that are (almost) complete words or phrases. Making it almost 
as easy to remember as the resolved name.


It'd be nice in a weird geek sort of way (but totally impractical) to be able 
to request IPv6 blocks that have some sort of fancy name of your choice.


2001:db8:dead:beef::
dead:beef::
dead::beef


3fff:BAD::

Seriously though, I remember playing little games like this numbering 
Novell IPX network segments back in the 1990's.  After IP came on the 
network I think I was accused of polluting pristine IPX nets... then...


I'll stop now. ;-)

wfms



Re: BCP38 considerations in IPv6

2011-02-10 Thread William F. Maton Sotomayor

On Thu, 10 Feb 2011, Ryan Rawdon wrote:


What considerations should be made with respect to implementing egress
filtering based on source IPv6 addresses? Things like allowing traffic
sourced from fe80::/10 in said filters for on-link communication (for the
interface that the filter is applied to).  Is there anything else that
should be taken into account while implementing BCP38 egress filtering in
IPv6?


That's a consideration, and one other candidate which has already been 
welcomed to my black-hole server:  2001:DB8::/32.


I'll leave that as an exercise to everyone to see whose block that is. :-)

wfms
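An added example, not from the post, of the egress rule it discusses: source validation on a customer-facing interface that permits link-local (and unspecified) sources only towards on-link destinations, black-holes 2001:db8::/32, and drops any source outside the prefixes assigned to that interface. The assigned prefix 3fff:1::/48 and the sample packets are placeholders (3fff::/20 is the RFC 9637 documentation range).

```python
from ipaddress import IPv6Address, IPv6Network
from typing import List, Optional, Tuple

LINK_LOCAL = IPv6Network("fe80::/10")
LINK_SCOPE_MCAST = IPv6Network("ff02::/16")
GLOBAL_UNICAST = IPv6Network("2000::/3")
UNSPECIFIED = IPv6Address("::")

# Sources that must never leave a customer edge regardless of assignment.
# 2001:db8::/32 is the documentation prefix the post above black-holes.
BOGON_SOURCES = [IPv6Network("2001:db8::/32")]

# Hypothetical assignment for this interface (placeholder from the RFC 9637
# documentation range, constructed for the example).
ASSIGNED = [IPv6Network("3fff:1::/48")]


def egress_verdict(src: str, dst: str,
                   assigned: Optional[List[IPv6Network]] = None) -> Tuple[str, str]:
    """Decide whether a packet arriving from the customer side may be forwarded.
    Returns (verdict, reason)."""
    assigned = ASSIGNED if assigned is None else assigned
    s, d = IPv6Address(src), IPv6Address(dst)
    on_link_dst = d in LINK_LOCAL or d in LINK_SCOPE_MCAST
    # Link-local and unspecified sources are legitimate only for on-link
    # traffic: neighbour discovery, router solicitation/advertisement, DAD.
    if s == UNSPECIFIED or s in LINK_LOCAL:
        if on_link_dst:
            return "permit", "on-link source to on-link destination"
        return "deny", "link-local/unspecified source to off-link destination"
    if any(s in b for b in BOGON_SOURCES):
        return "deny", "documentation/bogon source"
    if s not in GLOBAL_UNICAST:
        return "deny", "source outside 2000::/3"
    if any(s in p for p in assigned):
        return "permit", "source within assigned prefix"
    return "deny", "source not assigned to this interface (possible spoof)"


# Constructed sample packets (source, destination); not captured traffic.
SAMPLE_PACKETS = [
    ("fe80::1", "ff02::2"),            # router solicitation: permit
    ("fe80::1", "3fff:2::1"),          # link-local source off-link: deny
    ("::", "ff02::1:ff00:1"),          # DAD neighbour solicitation: permit
    ("3fff:1:0:10::5", "3fff:2::1"),   # customer's own space: permit
    ("2001:db8::1", "3fff:2::1"),      # documentation prefix: deny
    ("3fff:2::1", "3fff:2::1"),        # somebody else's prefix: deny (spoof)
    ("1000::1", "3fff:2::1"),          # outside 2000::/3: deny
]


def filter_packets(packets=SAMPLE_PACKETS) -> List[Tuple[str, str, str]]:
    """Apply egress_verdict to each packet; returns (src, verdict, reason)."""
    return [(src,) + egress_verdict(src, dst) for src, dst in packets]


if __name__ == "__main__":
    for src, verdict, reason in filter_packets():
        print(f"{verdict:6} {src:16} {reason}")
```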



Re: IPv6 - a noobs prespective

2011-02-09 Thread William F. Maton Sotomayor

On Wed, 9 Feb 2011, Mike Lyon wrote:


With the recent allocation of the last existing IPv4 /8s (which now kind of
puts pressure on going v6), it would be wonderful if at the next couple of
NANOGs if there could be an IPv6 for dummies session or two :)


I think these could be pretty valuable in the light of the last of the 
allocations, and I would expect that even the RIRs through their outreach 
have done the same.


NANOG archives, especially of previous sessions (look for the Sunday 
tutorials) will help.




-Mike


On Wed, Feb 9, 2011 at 10:22 AM, Jack Bates  wrote:


On 2/9/2011 12:03 PM, William Herrin wrote:


The thing that terrifies me about deploying IPv6 is that apps
compatible with both are programmed to attempt IPv6 before IPv4. This
means my first not-quite-correct IPv6 deployments are going to break
my apps that are used to not having and therefore not trying IPv6. But
that's not the worst part... as the folks my customers interact with
over the next couple of years make their first not-quite-correct IPv6
deployments, my access to them is going to break again. And again. And
again. And I won't have the foggiest idea who's next until I get the
call that such-and-such isn't working right.



What scares me most is that every time I upgrade a router to support needed
hardware or some badly needed IPv6 feature, something else breaks. Sometimes
it's just the router crashes on a specific IPv6 command entered at CLI (C)
or as nasty as NSR constantly crashing the slave (J); the fixes generally
requiring me to upgrade again to the latest cutting edge releases which
everyone hates (where I'm sure I'll find MORE bugs).

The worst is when you're the first to find the bug(which I'm not even sure
how it's possible given how simplistic my configs are, isis multitopology,
iBGP, NSR, a few acls and route-maps/policies), it takes 3-6 months or so to
track it down, and then it's put only in the next upcoming release (not out
yet) and backported to the last release.


Jack (hates all routers equally, doesn't matter who makes it)



wfms



Re: NTP Server

2010-10-26 Thread William F. Maton Sotomayor

On Mon, 25 Oct 2010, Robert E. Seastrom wrote:


The folks at NRC in Canada will do cryptographically authenticated NTP
with you for an annual fee.  I have no idea if there is something


Robert,
Thanks for the shout.  NRC does do this, more info here:

http://www.nrc-cnrc.gc.ca/eng/services/inms/time-services/network-time.html

You can use the services as well for non-auth.

I should also point out to folks on this list that the NRC NTP servers 
have renumbered, but I still see quite a bit of traffic from what appears 
to be ISP infrastructure looking for the old addresses.


wfms



Re: ipv6 bogon / martian filter - simple

2010-06-14 Thread William F. Maton Sotomayor

On Mon, 14 Jun 2010, Brandon Applegate wrote:


I mean really simple.  Like 2000::/3.  If it's not in there it's bogon, yes ?


Been using that on the advanced networks side for ... OK, years.  Seems to 
work.  Kept unseemly bogons like 1000::/3 out, except for the 
deprecated 6bone pTLA, 3FFF::


What I'm really asking, is for folks thoughts on using this - is it too 
restrictive ?


For leaks of old 6bone space, which I haven't seen for a long while, 
probably not.  But filter against that, and maybe it will be fine.  It's 
all in the RIR allocations.



How long until it's obsolete ?

Should be a really long time no ?


Mmm...Last table entry in my table is: 2C0F:FE18::/32.  Maybe 2000::/4 
will do, but that might not last very long as an ACL, given the proximity 
of 2Cxx:: to 2FFF::


Again, just looking for some feedback either way.  Would be very nice to have 
a single line ACL do this job.


--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151.  This is the serial number, of our orbital gun."


wfms



Re: Large number of IPv6 bogons with spoofed ASpath

2010-06-12 Thread William F. Maton Sotomayor

On Sat, 12 Jun 2010, Andree Toonk wrote:


Hi List

Yesterday I noticed a large number of 'bogon' IPv6 announcements.
I think it was about a 100 different (IPv6) bogon prefixes [1] [2] being 
announced from what looks like a variety of origin ASNs.


I have seen 1000::/32 come in once and a while, but I've noticed that it's 
hard to catch from where this is coming from.  But I've not seen the 
others.


But it does point to the larger lesson that just because it is IPv6, it 
doesn't mean that prefix-filters (and other tools) aren't required like in 
IPv4.


wfms



Re: Network Naming Conventions

2010-03-13 Thread William F. Maton Sotomayor


Singers:

tenchi% ping elvis
elvis is alive
tenchi%

On Sat, 13 Mar 2010, aa...@wholesaleinternet.net wrote:


STD's



--Original Message--
From: Tim Sanderson
To: NANOG list
Subject: RE: Network Naming Conventions
Sent: Mar 13, 2010 12:12 PM

...Types of coffee and donuts

Tim

-Original Message-
From: James Bensley [mailto:jwbens...@gmail.com]
Sent: Saturday, March 13, 2010 12:27 PM
To: NANOG list
Subject: Re: Network Naming Conventions

On 13 March 2010 16:06, James Jones  wrote:

On my last network I named all the routers after simpsons characters.


We use ancient Greek gods.

--
Regards,
James ;)





Sent from my Verizon Wireless BlackBerry




wfms



Re: Speed Testing and Throughput testing

2009-11-03 Thread William F. Maton Sotomayor

On Tue, 3 Nov 2009, Jason Biel wrote:


Please take note with using iperf that you'll want to make sure the
appropriate TCP Window Size has been negotiated.  We recently did some
testing with systems that had decided to pick less than optimal window sizes
and in turn had to manually set the size within iperf options.


Indeed this is true.

Also, if you use one of the Internet2 network test web100-enabled servers, 
you can try testing through a web browser.  There are both NPAD and NDT 
distributed on different nodes, although each has its own slightly 
different tests.  It's also not a bad set of tools for support people 
wanting to troubleshoot bandwidth problems caused by duplex misconfigs.




Jason

On Tue, Nov 3, 2009 at 4:01 AM, Benoit VANNIER wrote:


Hello,

Iperf is pretty good at this ... It's free


Ben


-Original Message-
From: Mark Urbach [mailto:mark.urb...@pnpt.com]
Sent: Monday, 2 November 2009 22:57
To: nanog@nanog.org
Subject: Speed Testing and Throughput testing

Anyone have a good solution to get "accurate" speed results when testing at
10/100/1000 Ethernet speeds?

Do you have a server/software that customers can test to?



Thanks,
Mark Urbach
PinPoint Communications, Inc.
100 N. 12th St  Suite 500
Lincoln, NE 68508
402-438-6211  ext 1923  Office
402-660-7982  Cell
mark.urb...@pnpt.com






--
Jason Biel




wfms

Re: Unable to reach security.debian.org through an HurricaneElectric IPv6 pipe

2009-10-29 Thread William F. Maton Sotomayor

On Thu, 29 Oct 2009, Laurent CARON wrote:


I'm currently unable to reach security.debian.org
(2001:8d8:2:1:6564:a62:0:2) through IPv6.


Judging from the traceroute, it seems that Hurricane Electric and 
OneAndOne are peering, but perhaps there's a problem between Nerim and one 
of the other two?  My traceroutes reach wieck, but the Nerim sTLA 
(2001:7a8::/32) isn't in my routing tables.


Have you contacted Nerim NOC?

wfms



Re: SMS

2009-09-22 Thread William F. Maton Sotomayor

On Tue, 22 Sep 2009, Shane Ronan wrote:


How do I send out an email if the network is down?


I have had success using a GSM phone hooked up to the server via USB. 
(Bonus is that the server constantly 'charges' the phone).  An ugly set of 
scripts deals with taking emails and changing them into SMS messages which 
are then transmitted through that phone to another.




On Sep 22, 2009, at 11:52 AM, Alex Balashov wrote:


Shane Ronan wrote:

On that same note, can someone point me in the direction of an SMS gateway 
service? I would like to be able to send SMS messages from my monitoring 
systems, but I am unsure about how to go about it.

Appreciate the assistance.


Why not use an e-mail to SMS gateway from whichever carrier?

--
Alex Balashov - Principal
Evariste Systems
Web : http://www.evaristesys.com/
Tel : (+1) (678) 954-0670
Direct  : (+1) (678) 954-0671





wfms



Re: how to fix incorrect GeoIP data?

2009-05-01 Thread William F. Maton Sotomayor

On Fri, 1 May 2009, Christopher Morrow wrote:


On Fri, May 1, 2009 at 2:06 PM, Mikael Abrahamsson  wrote:

On Fri, 1 May 2009, Frank Bulk wrote:


What we need is a "master update" form where Akamai, Google, Maxmind,
hostip.info, Geobytes, ip2location, ipgeo, etc can be notified about
changes.


Perhaps we as the ISP community need to realise that we need to somehow
publish this data (town or something alike) via some kind of standardized
API?


hey lookie! dns TXT records!! :)


LOC records too. :-)

 dig @prisoner.iana.org hostname.as112.net any

;; QUESTION SECTION:
;hostname.as112.net.IN  ANY

;; ANSWER SECTION:
hostname.as112.net. 604800  IN  SOA as112.gigafed.net. dns.ryouko.imsb.nrc.ca. 1 604800 60 604800 604800
hostname.as112.net. 604800  IN  LOC 45 25 0.000 N 75 42 0.000 W 80.00m 1m 1m 10m


Helpful for folks like CAIDA too.

wfms
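Added example, not code from the message above: a parser that pulls the LOC record out of dig output like the answer section quoted above and converts its RFC 1876 presentation form (degrees, minutes, seconds, hemisphere, altitude and the three precision fields with their RFC defaults) into decimal degrees, which is what a geolocation consumer would actually want. The dig text embedded below is a constructed copy of that answer section.

```python
import re

# RFC 1876 presentation format: d1 [m1 [s1]] {N|S} d2 [m2 [s2]] {E|W} alt[m] [siz[m] [hp[m] [vp[m]]]]
LOC_RE = re.compile(
    r"^(\d+)(?:\s+(\d+))?(?:\s+(\d+(?:\.\d+)?))?\s+([NS])\s+"
    r"(\d+)(?:\s+(\d+))?(?:\s+(\d+(?:\.\d+)?))?\s+([EW])\s+"
    r"(-?\d+(?:\.\d+)?)m?"
    r"(?:\s+(\d+(?:\.\d+)?)m?)?(?:\s+(\d+(?:\.\d+)?)m?)?(?:\s+(\d+(?:\.\d+)?)m?)?\s*$"
)


def _dms(deg, minutes, seconds, hemi):
    """Degrees/minutes/seconds to signed decimal degrees (S and W negative)."""
    value = int(deg) + int(minutes or 0) / 60 + float(seconds or 0) / 3600
    return -value if hemi in "SW" else value


def parse_loc(rdata):
    """Parse one LOC rdata string; missing precision fields get RFC 1876 defaults."""
    m = LOC_RE.match(rdata.strip())
    if not m:
        raise ValueError(f"not an RFC 1876 LOC presentation string: {rdata!r}")
    g = m.groups()
    return {
        "lat": _dms(g[0], g[1], g[2], g[3]),
        "lon": _dms(g[4], g[5], g[6], g[7]),
        "alt_m": float(g[8]),
        "size_m": float(g[9]) if g[9] else 1.0,        # default 1 m
        "hp_m": float(g[10]) if g[10] else 10000.0,    # horizontal precision, default 10 km
        "vp_m": float(g[11]) if g[11] else 10.0,       # vertical precision, default 10 m
    }


def loc_records(dig_output):
    """Return (owner, parsed LOC) pairs found in dig's answer section text."""
    found = []
    for line in dig_output.splitlines():
        parts = line.split(None, 4)           # owner ttl class type rdata
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "LOC":
            found.append((parts[0], parse_loc(parts[4])))
    return found


# Constructed copy of the answer section shown in the message above.
SAMPLE_DIG = """;; ANSWER SECTION:
hostname.as112.net. 604800  IN  SOA as112.gigafed.net. dns.ryouko.imsb.nrc.ca. 1 604800 60 604800 604800
hostname.as112.net. 604800  IN  LOC 45 25 0.000 N 75 42 0.000 W 80.00m 1m 1m 10m
"""

if __name__ == "__main__":
    for owner, loc in loc_records(SAMPLE_DIG):
        print(owner, f"{loc['lat']:.4f}, {loc['lon']:.4f}", f"+/-{loc['hp_m']:.0f}m")
```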



Re: IPv6 Advertisements

2007-05-29 Thread William F. Maton Sotomayor


On Tue, 29 May 2007, David Conrad wrote:


Should've clarified: this was in the context of IPv4...

To be honest, I'm not sure what the appropriate equivalent would be in IPv6 
(/128 or /64?  Arguments can be made for both I suppose).


There have been discussions of this sort made over the years.  A good 
place to start would be the old (well, maybe not that old) 6Net site where 
there's a list of publications called 'Deliverables'.  The info is buried 
in other, but amongst other things it contains deployment scenarios as 
well as cookbooks documenting IPv6 designs and roll-outs, and what they 
learned from it all.  Lots to read, but good info nonetheless:


http://www.6net.org/publications/deliverables/



Rgds,
-drc

On May 29, 2007, at 9:34 AM, David Conrad wrote:

On May 29, 2007, at 8:23 AM, Donald Stahl wrote:

vixie had a fun discussion about anycast and dns... something about him
being sad/sorry about making everyone have to carry a /24 for f-root
everywhere.
Whether it's a /24 for f-root or a /20 doesn't really make a difference- 
it's a routing table entry either way- and why waste addresses.


I once suggested that due to the odd nature of the root name server 
addresses in the DNS protocol (namely, that they must be hardwired into 
every caching resolver out there and thus, are somewhat difficult to 
change), the IETF/IAB should designate a bunch of /32s as "root server 
addresses" as DNS protocol parameters.  ISPs could then explicitly permit 
those /32s.


However, the folks I mentioned this to (some root server operators) felt 
this would be inappropriate.


Rgds,
-drc





wfms


Re: IPv6 Advertisements

2007-05-29 Thread William F. Maton Sotomayor


On Tue, 29 May 2007, Donald Stahl wrote:


That said- ARIN is handing out /48's- should we be blocking validly
assigned networks?


your network might have to to protect its valuable routing slots. There
are places in the v4 world where /24's are not carried either. So, as Bill
said just cause you get an allocation doesn't mean you can assure
routability of it everywhere.
I understand the problems but I think there are clear cut cases where /48's 
make sense- a large scale anycast DNS provider would seem to be a good 
candidate for a /48 and I would hope it would get routed. Then again that 
might be the only sensible reason...


f-root does this on the IPv6 side:  2001:500::/48

Whether that's available everywhere on IPv6 networks is, as Bill 
pointed out, another question.


wfms