Re: residential/smb internet access in 2019 - help?

2019-03-26 Thread david raistrick
On Tue, Mar 26, 2019 at 11:29 PM Ross Tajvar  wrote:


> But most likely you're just out of luck.
>

it's really amazing that this is still the case, with our effectively
internet based economy now.


residential/smb internet access in 2019 - help?

2019-03-26 Thread david raistrick
folks,

I've been away from nanog for a long time - and away from the ISP world for
longer.

Looking at a house in a new area, at copper splice box out front,
bellsouth fiber markers as well (yes, that's usually just passing by. but
it's there).  Owners since '82 said the telephone company was AT&T - but
the New AT&T apparently no longer offers phone or internet service there.

This is located in a semi-rural area between Ocala and Gainesville Florida
(Micanopy, specifically).

I knew the state of residential service was in sorry shape - but from what
I'm reading, it seems to be worse than I'd thought possible.

Anyone have any suggestions for service options?  I'm cool with dark fiber,
if it comes down to that (and can be priced sanely and terminated somewhere
useful), but it seems like there -should- still be CLEC/DLECs or just plain
resellers in business who still have access to resources that are in the
ground.

My business operates from home - so obviously quality service is a
priority, and I'm willing to pay for it within reason.  Business plans are
certainly an option as well.

I've confirmed with all of the known players via their front channels -
att, windstream, centurylink, frontier, cox/comcast/spectre.

Via backchannels I've confirmed that cox has fiber in the ground 1.4 miles
away - straight shot down a dirt road (same one with the BS fiber markers).
  I have a lead on a couple of tower shots - but there's a big (for
florida) ridge between us, and I might have to build 3-400ft to hit
anything (speculatively).

Anyone have local area or other knowledge that might be helpful?

I'd hate to miss out on this house - it's a lot of things we love - but
cell or sat only for internet access just isn't going to fly.


thanks guys.

...david


Re: Dyn DDoS this AM?

2016-10-21 Thread david raistrick
On Fri, Oct 21, 2016 at 6:21 PM, David Birdsong  wrote:

>
> I'd love to hear how others are handling the overhead of managing two dns
> providers. Every time we brainstorm on it, we see it as blackhole of eng
> effort WRT to keeping them in sync and then waiting for TTLs to cut an
> entire delegation over.
>


with the usual caveats - and I don't have any projects that currently need
this but have in the past - pretty much every major dns provider allows you
to ship them a full zone in some form or fashion.   The effort to pull and
ship a zone should be fairly minimal in and of itself.

mixing your public zone providers in your authoritative NS records is also
easy - and, depending on your registrar of choice, should be easy to manage
changing those (including having non-public mirrors maintained that you can
switch to..).   setting TTLs that make sense for a design that supports
change is also easy.

the real developmental and architectural challenges are around what to do
if the APIs you use to talk to your "primary" disappear and you need to
consume them (creating new host entries, updating loadbalancer pools,
whatever.  we all have different and sometimes very diverse use cases for
dns.).

one approach - as randy suggested - is to switch to a purely hidden and
self managed primary - which might mean running your own API stack in front
of it to control whatever you need to control and change.   this doesn't
need to be a "real" dns server in today's world - the days of BIND style
zone transfers are generally long gone anyway when you hit these scales and
levels of intra complexity.   then your zone-replication components that
ship zone updates to your various external providers are shipping from the
same place.

at least in that case it's fully within your control - but dev time and
complexity definitely comes into play.

if your infra can survive internally without dns change control for the
extent of an outage, that could be much easier to manage.

anyway, random and incomplete thoughts - time ran out, work calls.


...david
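
A drift check for the setup described in the message above (a self-managed hidden primary shipping the same zone to two providers), as an added example that is not part of the original post or of any provider's tooling. The one-record-per-line zone format, the rule that SOA is ignored, and every name under example.test, provider-a.test and provider-b.test are assumptions constructed for illustration.

```python
# Added example: compare each provider's copy of a zone with the hidden primary.
# Zone text uses a simplified "name ttl type rdata" line format (an assumption,
# not any provider's export format); all names and addresses are constructed.

NAME_TYPES = {"NS", "CNAME"}   # rdata is a hostname, so compare it case-insensitively
IGNORED_TYPES = {"SOA"}        # assumption: each provider serves its own SOA

PRIMARY = """\
example.test.      3600 SOA   hidden.example.test. hostmaster.example.test. 2016102101 7200 900 1209600 300
example.test.      3600 NS    ns1.provider-a.test.
example.test.      3600 NS    ns1.provider-b.test.
www.example.test.  60   A     192.0.2.10
www.example.test.  60   A     192.0.2.11
api.example.test.  60   CNAME lb.example.test.
lb.example.test.   60   A     192.0.2.20
"""
# Provider A is in sync (only letter case and its SOA differ).
PROVIDER_A = """\
example.test.      3600 SOA   ns1.provider-a.test. dns.provider-a.test. 41 7200 900 1209600 300
EXAMPLE.test.      3600 NS    NS1.Provider-A.test.
example.test.      3600 NS    ns1.provider-b.test.
www.example.test.  60   A     192.0.2.11
www.example.test.  60   A     192.0.2.10
api.example.test.  60   CNAME LB.example.test.
lb.example.test.   60   A     192.0.2.20
"""
# Provider B missed several updates.
PROVIDER_B = """\
example.test.      3600 SOA   ns1.provider-b.test. dns.provider-b.test. 77 7200 900 1209600 300
example.test.      3600 NS    ns1.provider-b.test.
www.example.test.  60   A     192.0.2.10
lb.example.test.   300  A     192.0.2.20
old.example.test.  60   A     192.0.2.99
"""
PROVIDERS = {"provider-a": "provider-a.test", "provider-b": "provider-b.test"}


def _norm(name):
    return name.lower().rstrip(".")


def parse_zone(text):
    """Return {(owner, type): {"ttl": int, "rdata": set}} from simplified zone lines."""
    rrsets = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or not parts[1].isdigit():
            raise ValueError(f"line {lineno}: expected 'name ttl type rdata'")
        owner, ttl, rtype, rdata = _norm(parts[0]), int(parts[1]), parts[2].upper(), parts[3]
        if rtype in NAME_TYPES:
            rdata = _norm(rdata)
        rrset = rrsets.setdefault((owner, rtype), {"ttl": ttl, "rdata": set()})
        rrset["ttl"] = min(rrset["ttl"], ttl)
        rrset["rdata"].add(rdata)
    return rrsets


def diff_zone(primary, replica):
    """List (kind, (owner, type)) differences of a provider's copy against the primary."""
    findings = []
    for key in sorted(set(primary) | set(replica)):
        if key[1] in IGNORED_TYPES:
            continue
        want, have = primary.get(key), replica.get(key)
        if have is None:
            findings.append(("missing", key))
        elif want is None:
            findings.append(("extra", key))
        elif want["rdata"] != have["rdata"]:
            findings.append(("rdata", key))
        elif want["ttl"] != have["ttl"]:
            findings.append(("ttl", key))
    return findings


def providers_missing_from_ns(zone, apex, provider_domains):
    """Return providers with no nameserver in the apex NS set of this zone copy."""
    ns_set = zone.get((_norm(apex), "NS"), {"rdata": set()})["rdata"]
    missing = []
    for provider, domain in sorted(provider_domains.items()):
        if not any(ns == domain or ns.endswith("." + domain) for ns in ns_set):
            missing.append(provider)
    return missing


def slow_to_change(zone, max_ttl):
    """Return RRsets whose TTL is longer than the cut-over time you plan for."""
    return sorted(key for key, rrset in zone.items()
                  if key[1] not in IGNORED_TYPES and rrset["ttl"] > max_ttl)


if __name__ == "__main__":
    primary = parse_zone(PRIMARY)
    for label, text in (("provider-a", PROVIDER_A), ("provider-b", PROVIDER_B)):
        copy = parse_zone(text)
        print(label, "drift:", diff_zone(primary, copy))
        print(label, "absent from its NS set:",
              providers_missing_from_ns(copy, "example.test.", PROVIDERS))
    print("TTL above 300s on the primary:", slow_to_change(primary, 300))
```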


contact @ detroit pistons IT/network org?

2016-09-29 Thread david raistrick
by chance -

anyone have a clueful contact at the detroit pistons who can help resolve
an https MITM proxy problem?  (likely a misconfigured watchguard.)

trying to diagnose a proxy level certificate problem through a management
level proxy is less than fun.


Re: ATT UVERSE Native IPv6, a HOWTO

2013-12-02 Thread david raistrick

On Mon, 2 Dec 2013, Owen DeLong wrote:


> Given that 10.7 is fairly ancient at this point


I know, right?  2.5 years old is -ancient-

. o O ( sigh )



--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org   ascii ribbon campaign - stop html mail
                       http://www.asciiribbon.org/






Re: roadrunner takes a really long excursion

2013-07-11 Thread david raistrick

On Thu, 11 Jul 2013, Randy Bush wrote:


> their xo peering.  i guess the root cause is that roadrunner is poorly
> peered.  are they not actually twt?


Nope.  TWT vs TWC.








Re: huawei

2013-06-13 Thread david raistrick

On Thu, 13 Jun 2013, Phil Fagan wrote:


> I've always wondered about that...would you know that the Huawei is
> leaking data?


the puddle on the floor isn't a giveaway?










Re: What Should an Engineer Address when 'Selling' IPv6 to Executives?

2013-03-06 Thread david raistrick

On Wed, 6 Mar 2013, George Herbert wrote:


> The mindshare shift is happening, but the change won't snowball until
> IT admins - in bulk - really get it.


and keeping in mind that the bulk still don't get ipv4, either, (how 
many times a day do I explain to someone what a /xx is, and how you'd fill 
that out for just a single ip address...sigh), the snowball really won't
happen until it Just Works(tm).  impe and all that.










Re: What Should an Engineer Address when 'Selling' IPv6 to Executives?

2013-03-05 Thread david raistrick

On Tue, 5 Mar 2013, Patrick W. Gilmore wrote:


> Why not just have them read their own SEC filings. Nearly every company has
> something to the effect of this in their 10K:
> The potential exhaustion of the supply of unallocated IPv4 addresses
> and the inability of $COMPANY and other Internet users to successfully
> transition to IPv6 could harm our operations and the functioning of
> the Internet as a whole.



ours doesn't. at least not the may '12 AR









Re: NANOG 57 Notes (on location)

2013-02-07 Thread david raistrick

On Wed, 6 Feb 2013, Jay Ashworth wrote:


> - Original Message -
> > From: david raistrick dr...@icantclick.org
>
> > sure would be nice if the nanog meetings were a bit better
> > announced...why do I always find out about the orlando ones during or
> > after?
>
> I hadn't realized there was another one in Orlando, David; last Florida
> ones I knew about were Miami, and 10 in Tampa.


Yeah, my brain fart - ARIN XV was what I was thinking of (2005).









Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....

2012-11-28 Thread david raistrick

On Wed, 28 Nov 2012, Bjørn Mork wrote:


> Do you really want to run networking software written by someone
> incapable of setting up a test network?  This doesn't have anything with
> tunnel brokers or native access to do at all.


So the software engineer should now -also- be responsible for, and capable 
of, recreating both the network as well as 3rd party systems that he/she 
has to code against?


again focusing on just our last title release - 20+ 3rd party interfaces 
run by 6 different companies.   Is the software engineer really 
responsible for faking things like xbox live, PSN, facebook, twitter, 
google, etc on a test network?








Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....

2012-11-28 Thread david raistrick

On Wed, 28 Nov 2012, Jeroen Massar wrote:


> Not for faking it, but in the case you mention it is very obvious that
> the software engineer should be able to ask their network team to make
> sure that they can access those API's if only for testing...


You're assuming, now, that the network team either a) works for the same 
arm of the company as the development team, and therefore can apply
pressure on them or b) has support to build v6 into the system already (so 
they have time and resources to support the dev team), or c) gives a foo 
at all.   Not to mention the time the dev team will spend spinning its 
wheels.


Now, yes - if ipv6 support is a feature of the product they're 
building (and so driven and supported by management or marketing teams) 
then things could work as you suggest.


But until such time as v6 support is something that they care about 
upstream...well.   The 2 days of time you were budgeted to build the 
tool/feature/etc you're supposed to be working on isn't really going to 
include time to get v6 support in.



> your job, the least of which is to file a ticket for IPv6 support in the
> ticket tracking system so that one could state I thought of it, company
> did not want it.


funnily enough that's -exactly- what I've been doing for the last 3 years. 
So, until it comes down from the top, the company doesn't want it.




...david (who is not a developer and is a network engineer, but not in 
this job)








Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....

2012-11-28 Thread david raistrick

On Wed, 28 Nov 2012, Bjørn Mork wrote:


> Maybe so.  But do I _want_ to run that software?  No.
>
> Anyway, I am not sure which programs that would be.  The applications
> with open sockets on my laptop are currently:


I take it you're in the minority who don't play games, use mobile apps on 
your phone, use a dvr...


or any SaaS applications accessible via the web, or indeed visit websites
with shopping cart software, or CRM software, or blogs, or



the large majority of software that interfaces to v4 networks does so
through libraries and frameworks that separate that part of the
application stack from the part that the developer is building his code 
in.   So really and truly most software is written by developers who can 
barely plug and play their home networks, much less actually understand 
what dhcp means.








Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....

2012-11-28 Thread david raistrick

On Wed, 28 Nov 2012, Bjørn Mork wrote:


> Native IPv6 internet access has never been a requirement for developing
> IPv6 aware applications.  That was a bad excuse even 10 years ago. Today
> it is just ridiculous.


I certainly never said that was the case.  I built v6 test networks, and 
helped kernel devs build v6 support into firewall appliances 10 years ago. 
But it wasn't a feature that drove sales...



My argument is that a) typical developers don't develop microcode, kernel 
drivers, or protocols.   But they DO build a lot of applications that sit 
on top of them.   They build them because someone is paying them to do it. 
The folks that sign the checks ask for A B and C.  And v6 isn't one of 
those things yet.


Some day, maybe it will be.   We're just not there yet.

(yes.  when we get there it's going to be too late.  no argument.)

in the meantime there's still a ton of new and old stuff to build w/o v6 
support from our internal or external vendors.


...david




Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....

2012-11-27 Thread david raistrick

On Tue, 27 Nov 2012, Jeroen Massar wrote:


> As for actually getting IPv6 at home or at work, there are so many ways
> to get that, thus not having it is a completely ridiculous excuse.


bull.  explain using a tunnel broker to anyone who isn't a network 
engineer.


oh, and then make that work inside a typical F500 corp network with 
restrictions on inbound and outbound ports, no admin user access to 
desktop machines, etc.



Until the orgs that support the developers find that v6 is a priority 
(through whatever means it happens - neteng/IT/etc pushing it up the chain 
or politics/marketing pushing it down the chain) and it's functional on 
the typical corp desktop, the typical corp application engineer is going 
to have no motivation (not to mention no time in his/her schedule to 
reengineer their platform) to support v6.



...david (who hasn't read the rest of the thread. but is it really any 
different than any other?)







Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....

2012-11-27 Thread david raistrick

On Wed, 28 Nov 2012, Mark Andrews wrote:


> > oh, and then make that work inside a typical F500 corp network with
> > restrictions on inbound and outbound ports, no admin user access to
> > desktop machines, etc.
>
> And if they are developing a product for the company there are
> procedures to get the changes needed to do the development.



...only if v6 support is on their development roadmap.

For our latest released product, which had a 3 month timeline, there 
definitely would have been no software engineering support for building v6 
support into a server framework that never had to support it before, nor 2 
(or 3) client frameworks.


...david (who supports a bunch of software engineers for one of many arms 
of an F500 company)









Re: FYI Netflix is down

2012-07-03 Thread david raistrick

On Tue, 3 Jul 2012, Rodrick Brown wrote:

> face when implementing BCP today. I doubt Amazon gave much thought to
> multiple site outages and clients not being able to dynamically redeploy
> their engines because of inaccessibility from ELB.


Considering there's a grand total of -one- tool in the entire AWS
toolkit that supports working across multiple regions at all sanely (that 
would be ec2-migrate-bundle, btw), I'd agree.   Amazon has put nearly zero 
thought into multiple site outages or how their customer base could 
leverage the multiple sites (regions) operated by AWS.




--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org



Re: FYI Netflix is down

2012-07-02 Thread david raistrick

On Mon, 2 Jul 2012, Leo Bicknell wrote:


> I used to work with a guy who had a simple test for these things,
> and if I was a VP at Amazon, Netflix, or any other large company I
> would do the same.  About once a month he would walk out on the


you mean like this?

http://techblog.netflix.com/2011/07/netflix-simian-army.html






Re: FYI Netflix is down

2012-07-02 Thread david raistrick

On Mon, 2 Jul 2012, Leo Bicknell wrote:


> > http://techblog.netflix.com/2011/07/netflix-simian-army.html
>
> Yes, Netflix seems to get it, and I think their Simian Army is a
> great QA tool.  However, it is not a complete testing system, I
> have never seen them talk about testing non-software components,
> and I hope they do that as well.  As we saw in the previous Amazon
> outage, part of the problem was a circuit breaker configuration.



When the hardware is outsourced how would you propose testing the 
non-software components?  They do simulate availability zone issues (and 
AZ is as close as you get to controlling which internal power/network/etc 
grid you're attached to).


I suppose they could introduce artificial network latency/loss @ each 
instance - and could add testing around what happens when amazon's API 
disappears (as was the case friday).


Beyond that...the rest of it is up to the hardware provider (Amazon, in
this case).


..david (who also relies on outsourced hardware these days)






Re: FYI Netflix is down

2012-07-02 Thread david raistrick

On Mon, 2 Jul 2012, James Downs wrote:


> back-plane / control-plane was unable to cope with the requests.  Netflix uses
> Amazon's ELB to balance the traffic and no back-plane meant they were unable to
> reconfigure it to route around the problem.


Someone needs to define back-plane/control-plane in this case. (and what 
wasn't working)


Amazon resources are controlled (from a consumer viewpoint) by API - that 
API is also used by amazon's internal toolkits that support ELB (and 
RDS..).   Those (http accessed) API interfaces were unavailable for a good 
portion of the outages.


I know nothing of the netflix side of it - but that's what -we- saw. (and 
that caused all us-east RDS instances in every AZ to appear offline..)







Re: Vixie warns: DNS Changer ‘blackouts’ inevitable

2012-05-31 Thread david raistrick

On Thu, 31 May 2012, cncr04s/Randy wrote:




> Exactly how much can it cost to serve up those requests... I mean for
> 9$ a month I have a cpu that handles 2000 *Recursive* Queries a
> second. 900 bux could net me *200,000* a second if not more.
> The government overspends on a lot of things.. they need some one who's
> got the experience to use a bunch of cheap servers for the resolvers
> and a box that hosts the IPs used and then distributes the query
> packets.



So you'd offer your expertise for $9 (or $900) a month 24/7?  Since you 
imply server cost is the only cost in operating such a service..







Re: Reliable Cloud host ?

2012-02-28 Thread david raistrick

On Tue, 28 Feb 2012, Owen DeLong wrote:


> But they don't have to... They can simply use getaddrinfo()/getnameinfo()
> and let the OS libraries do it. The fact that some applications choose to
> use their own resolvers instead of system libraries is what is broken.


Not always true - firewall software, for example, generally requires IP 
addresses in their rules (ipfw, pfsense, iptables, at least a few years 
ago) and for validly sane reasons (even some of our best kernel guys were 
not crazy enough to change that for ipfw).



Proxy software that supports high connection rates and connection churn 
generally prefer to cache the IP address internally because OS resolvers 
and the caches they read from just can't keep up [except in specifically
well designed systems - which proxy developers can't expect blow joe to
know how to do].  A stress test tool I'm working with just had to be
modified for exactly that reason (and because adding more caches in front
of AWS semiauthoritative caches (due to split horizon) wouldn't solve
anything.  a short TTL is a short TTL is a short TTL).


Some of those proxy developers claim that within the chrootwhatchamajiggy 
that their socket handling code runs they don't have access to the 
resolvers - so they have to store them at startup (see haproxy).




--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Programmers with network engineering skills

2012-02-27 Thread david raistrick

On Mon, 27 Feb 2012, Owen DeLong wrote:


> I think you're more likely to find a network engineer with (possibly limited)
> programming skills.


While I'll agree about the more likely, if I needed a coder who had a firm 
grasp of networking I'd rather teach a good coder networking, than try to 
teach the art and magic of good development to a network guy.


I think it really comes down to which you need: a hardcore network 
engineer/architect who can hack up code, or a hardcore developer who has 
or can obtain enough of a grasp of networking fundamentals and specifics
to build you the software you need him to develop.


The ones who already know both ends extremely well are going to be -very- hard to find, but 
finding one who can learn enough of the other to accomplish what you need 
shouldn't be hard at all.


oh wait, that's an echo I hear isn't it.


...d (who is not exactly the former though I've played one for TV, and not 
at all the latter)






dns and software, was Re: Reliable Cloud host ?

2012-02-27 Thread david raistrick

On Mon, 27 Feb 2012, William Herrin wrote:


> In some cases this is because of carelessness: The application does a
> gethostbyname once when it starts, grabs the first IP address in the
> list and retains it indefinitely. The gethostbyname function doesn't
> even pass the TTL to the application. Ntpd is/used to be one of the
> notable offenders, continuing to poll the dead address for years after
> the server moved.


While yes it often is carelessness - it's been reported by hardcore 
development sorts that I trust that there is no standardized API to obtain 
the TTL...  What needs to get fixed is get[hostbyname,addrinfo,etc] so 
programmers have better tools.




--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html
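
The TTL that gethostbyname drops is present in every DNS answer on the wire. The following added example (not part of the original message or of any resolver library) parses it from a constructed response and uses it to expire a cached address, so a moved server is picked up instead of being polled at its dead address; `TTLCache`, `sample_response` and the pool.example.test records are hypothetical names and constructed data.

```python
import struct
import time


def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label terminates the name
            return off + 1
        off += 1 + length


def parse_a_records(msg):
    """Return [(ipv4, ttl_seconds)] from the answer section of a DNS response."""
    try:
        _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!6H", msg, 0)
        off = 12
        for _ in range(qdcount):
            off = _skip_name(msg, off) + 4            # skip QTYPE and QCLASS
        records = []
        for _ in range(ancount):
            off = _skip_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
            off += 10
            rdata = msg[off:off + rdlen]
            if len(rdata) != rdlen:
                raise ValueError("truncated RDATA")
            if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
                records.append((".".join(str(b) for b in rdata), ttl))
            off += rdlen
        return records
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed DNS response") from exc


class TTLCache:
    """Keep resolved addresses only for as long as the record TTL allows."""

    def __init__(self, resolve, clock=time.monotonic, min_ttl=1, max_ttl=300):
        self.resolve = resolve      # callable: name -> [(ip, ttl)]
        self.clock = clock
        self.min_ttl = min_ttl      # floor, so a TTL of 0 does not cause a query storm
        self.max_ttl = max_ttl      # ceiling, so a huge TTL cannot pin an address
        self._entries = {}          # name -> (expiry, [ip, ...])

    def lookup(self, name):
        now = self.clock()
        entry = self._entries.get(name)
        if entry and now < entry[0]:
            return entry[1]
        records = self.resolve(name)
        if not records:
            self._entries.pop(name, None)
            return []
        ttl = max(self.min_ttl, min(min(t for _, t in records), self.max_ttl))
        addrs = [ip for ip, _ in records]
        self._entries[name] = (now + ttl, addrs)
        return addrs


def sample_response(addrs_ttls):
    """Constructed response for pool.example.test (sample data, not captured traffic)."""
    qname = b"\x04pool\x07example\x04test\x00"
    msg = struct.pack("!6H", 0x1234, 0x8180, 1, len(addrs_ttls), 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)
    for ip, ttl in addrs_ttls:
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)
        msg += bytes(int(part) for part in ip.split("."))
    return msg


def demo():
    """The server moves between lookups; return the addresses seen at t=0s, 29s, 31s."""
    now = [0.0]
    answers = iter([sample_response([("192.0.2.10", 30)]),
                    sample_response([("192.0.2.77", 30)])])
    cache = TTLCache(lambda name: parse_a_records(next(answers)), clock=lambda: now[0])
    seen = []
    for t in (0.0, 29.0, 31.0):
        now[0] = t
        seen.append(cache.lookup("pool.example.test"))
    return seen


if __name__ == "__main__":
    print(demo())
```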



Re: Reliable Cloud host ?

2012-02-26 Thread david raistrick

On Sun, 26 Feb 2012, Randy Carpenter wrote:

> I don't need that kind of HA, and understand that it is not going to be
> available. 15 minutes of downtime is fine. 6 hours is completely
> unacceptable, and it is false advertising to say you have a Cloud
> service, and then have the realization that you could have *indefinite*
> downtime.



Um.  You and I apparently work in different clouds.

In my world, the SLAs I have agreed to state, roughly, that uptime is not 
guaranteed, nor is data recoverability.  They suggest that that sort of 
thing is -my- problem to engineer and architect around.


I don't use Rackspace's cloud solution - but I haven't seen anything to 
suggest that they advertise their service any differently.


The cloud provides flexibility and rapid deployment at the expense of 
hands-on control and reliability (and SLAs).


Perhaps you forgot to read the SLA?  Or you can show us where someone 
defines Cloud as highly available and without indefinite downtime ?








Re: WW: Colo Vending Machine

2012-02-17 Thread david raistrick

On Sat, 18 Feb 2012, Pierre-Yves Maunier wrote:


> 6 - plastic cable clamps (don't know the exact english term for that but I
> mean this --
> http://www.hellopro.fr/images/produit-2/9/3/8/serre-cables-261839.jpg)


also known as zip tie or plastic cable tie more generically






Re: time sink 42

2012-02-16 Thread david raistrick

On Thu, 16 Feb 2012, Randy Bush wrote:


> is there a trick?  is there a (not expensive) different labeling machine
> or technique i should use?


the rhino pro labelers and labels have a split on the backer so they peel 
easy.  oh, and they don't come off with heat exposure (some of them are
even ok after a few years outdoors in florida) like the brother junk does.


I think my megadeluxewithacase model cost about $100 from provantage...

:)







Re: Wireless Recommendations

2012-01-30 Thread david raistrick

On Mon, 30 Jan 2012, Jonathan Lassoff wrote:



> That said, I'm not sure what you're trying to do here, but I think
> you'll be disappointed with any AP with 600 *active* stations
> associated to it. No AP can work around the congestive collapse of
> hundreds of stations all transmitting RTS frames at once.


unless, of course, that's the concept you are trying to prove...? :)







Re: Equinix Miami 1 condemnation

2012-01-25 Thread david raistrick


On Wed, 25 Jan 2012, Jay Ashworth wrote:


> Last week, we saw some traffic about the Lightfiber problems because EqM1
> is apparently in a building that's been condemned by the city or county
> of Miami.



If I were to toss out purely random semieducated guess - a lot of 
south florida datacenter buildings were pretty damaged by Ivan (and his 
friends, floyd, charlie, francis, and katrina) some years back.  I'd 
venture to guess that they've managed to keep things running (or put it 
back together enough to keep things running) for a while and have been 
fighting the condemnation order for a number of years...and finally lost. 
Fun part about those is you usually have nearly zero time to gtfo, 
especially if you've fought it...



of course, my memory of that time is pretty fuzzy (but I did watch as the 
company that borged my employer at the time had to scramble massively to
recover from having their gear destroyed, flooded, and otherwise put out
of service by the storms, basically moving everything that was down south
up to orlando).  It definitely affected our ability to get paychecks - and
for the next few months they were having to literally truck the only
remaining check printer back and forth from S.Fl to Orlando every week to 
print checks



. o O ( and I don't know where equinix's building was in south florida, 
either.  but I know they never showed up on our radar when we were hunting 
for space with dark fiber back to the NAP to feed our southern customers 
their dose of WCQ...)


...david






Re: Recent DNS attacks from China?

2011-11-30 Thread david raistrick

On Wed, 30 Nov 2011, Leland Vandervort wrote:


> I am wondering if anyone else is seeing a sudden increase in DNS attacks
> emanating from chinese IP addresses?  Over the past 24 hours we've seen a
> sudden rash of chinese IPs attacking our DNS servers in the order of 5 to 10
> million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes.
>
> This anomalous traffic started roughly 24 hours ago, and while we've had
> occasions of anomalous chinese traffic, never anything of this type.


That might explain akamai.net hostnames not resolving intermittently since 
Tue Nov 29 20:20:02 2011 UTC...


I don't run any authoritative or exposed caches at the moment, and the aka 
NXDOMAINs are the only thing we've been seeing dropouts on for the past 
~48 hours, but we did see NXDOMAINs from a bunch of amazonaws hostnames 
over the holidays...







Re: Posting for network engineers and operators...

2011-11-23 Thread david raistrick

On Wed, 23 Nov 2011, Brian Stengel wrote:


> Apologies if this is not appropriate for this list... but I'm looking to
> hire network engineers for our project and would like to hear what job
> boards are best for network engineering types to view.  I'm not a


IME, anyway, none of them.   If you're targeting a specific locality, 
eng/ops groups, linkedin, and craigslist are probably a good start.


I don't believe that engineers looking for engineers is offtopic for nanog,
either (though the rules may have changed over the years), though if 
you're open to a more global response.  there is a nanog-jobs list, but it 
has had effectively zero traffic







Re: Arguing against using public IP space

2011-11-15 Thread david raistrick

On Tue, 15 Nov 2011, Joe Greco wrote:


> Or perhaps a better argument would be that routers really ought to
> default to deny.  :-)  I'd be fine with that, but I can hear the
> screaming already.


er.  you've forgotten en; conf t; ip routing to turn off the default no 
ip routing (or no ip forwarding is my memory, but my config archive 
says otherwise)


so we had default to deny in routers for a long time






RE: Brighthouse Outage in Tampa, FL

2011-09-08 Thread david raistrick

On Thu, 8 Sep 2011, Dylan Bouterse wrote:


> Brighthouse in Orlando was not affected as far as I could tell, but I did hear
> of customers in Lakeland that were down. Pretty widespread outage.


Internally at brighthouse, Tampa (southwest florida) and Orlando (central 
florida) are pretty heavily detached from each other.  There's now some 
call center, management, and engineering overlap but that only happened 
over the last few years.  network and video delivery systems are still 
significantly divergent...  (which is usually a good thing, since it means 
that when tampa breaks, orlando survives. ;)









Re: Enterprise Internet - Question

2011-07-14 Thread david raistrick

On Thu, 14 Jul 2011, Jeff Cartier wrote:

> - Does the idea of having local Internet at each site make more sense?
> If so why?


IME, costs for private backhaul circuits of any flavor are significantly 
higher than costs for plain internet access - so backhauling internet 
access (unless you have extremely restrictive access policies that you can 
actually enforce) through your WAN would/should cost through the nose. 
Routing only WAN traffic through the WAN reduces the size/scope/impact on 
those more expensive circuits.  Probably at the expense of additional
complexity, of course.









Re: (OT) Firearms Was: UN declares Internet access a human right

2011-06-06 Thread david raistrick

On Mon, 6 Jun 2011, Owen DeLong wrote:

> While your statement above sounds wonderfully utopian, the reality is
> that unless the citizens can take up arms against the government, the
> government can, over time, become criminal. A disarmed populace has no
> ability to protect itself from such a government.


urg.  obNetops anyone?  not sure nanog is really the place to arm bears 
and bare arms








Re: How do you put a TV station on the Mbone?

2011-04-29 Thread david raistrick

On Fri, 29 Apr 2011, Jay Ashworth wrote:


I'd expect it to be fairly common at colleges; possibly in companies,


ok, colleges I can buy.


Is it still this fragile in 2011?


It was in 2009, anyway.


And you haven't written the O'Reilly book yet... why?  :-)


Because it's not an experience I care to repeat. ;-)

Today, I make video games.  MUCH more fun!  (who knew, content CAN be fun)


--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Graph Utils (Open-Source)

2011-02-18 Thread david raistrick

On Fri, 18 Feb 2011, Max Pierson wrote:


Hi List,

Anyone out there using something other than rrdtool for creating graphs?? I
have a project that will need a trend taken, and unfortunately rrdtool
doesn't fit the bill. All of the scripting, data collection,
database archival, etc will be custom written or is already done (with some
hacks of course :). So really what i'm looking for is something along the



we use both gd (in php and in perl and in c++) and google's graphing magic 
in various places. http://code.google.com/apis/chart/




--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: My upstream ISP does not support IPv6

2011-02-10 Thread david raistrick

On Fri, 4 Feb 2011, david raistrick wrote:


Amazon AWS - No.   But I'm asking again, that's a few months old.


To follow up on this:

We are investigating IP v6 but, unfortunately, have no plans that are 
available for sharing at present





--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Looking for an IPv6 naysayer...

2011-02-09 Thread david raistrick

On Wed, 9 Feb 2011, Scott Helms wrote:

For ISPs in this circumstance the choice will be CGNAT rather than IPv6 for a 
number of years because the cost is much lower and according to the vendors 
selling CGNAT solutions the impact to end users is (almost) unnoticeable.


Anyone care to define CGNAT?  Google results for this are either unrelated
or "CGNAT will save us" or "CGNAT doesn't count" - no rfcs, no
explanations, nothing




--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Looking for an IPv6 naysayer...

2011-02-09 Thread david raistrick

On Wed, 9 Feb 2011, Jens Link wrote:


Scott Helms khe...@ispalliance.net writes:


IPv6 for some ISPs will be extraordinarily painful because of legacy
layer 2 gear


I don't feel sorry for them. We know that IPv6 is coming for how long?
15years? 10year? 5years? Well if you only read the mainstream media you


And at what point during that time did they have any vendor gear they 
could purchase that -would- support v6?   At -best- during the last 5 
years, but I'd put money on that even today they can't purchase gear with 
adequate v6 support.







--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Looking for an IPv6 naysayer...

2011-02-09 Thread david raistrick

On Wed, 9 Feb 2011, Owen DeLong wrote:


I don't feel sorry for them. We know that IPv6 is coming for how long?
15years? 10year? 5years? Well if you only read the mainstream media you


And at what point during that time did they have any vendor gear they could 
purchase that -would- support v6?   At -best- during the last 5 years, but I'd 
put money on that even today they can't purchase gear with adequate v6 support.


This is largely the result of the fact that they did not demand it from their
vendors during that time.



I was purchasing for and building small SP networks during that time.

Requiring v6 of our vendors would have meant we just never got anything, 
so we'd have never provided service.   Come to think of it, maybe it
-would- have been better for everyone involved (except those of us who 
just got paychecks and experience out of it) to just simply not do it - 
but we didn't know that at the time 15 years ago!



Vendor C and J don't provide gear that fits into all network topologies 
(WISPs, MTU DSL, and smallish ADSL roll outs come to mind, certainly during
the time period in question.  Sure, they eventually bought products in 
those markets...but even still, I had sub 6 figure budgets to build with - 
I certainly had no leverage).




--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: quietly....

2011-02-04 Thread david raistrick

On Thu, 3 Feb 2011, Owen DeLong wrote:


  Er.  That's not news.  That's been the state of the art for
  what, 15+ years or so now?   SIP (because it's peer to peer) and
  P2P are really the only things that actually give a damn about
  it.

Largely because we've been living with the tradeoff that we had to break the
end-to-end model to temporarily compensate for an address shortage. Those of
us that remember life before NAT would prefer not to bring this damage
forward into an area of address abundance. In other words, yes, we gave up



Life before NAT, and firewalls (with or without SPI) on every PC and every 
CPE, also was life before mass consumption of internet access by the
normal folks.   And before extensive cellular and wifi networks for 
internet access.   And before many of today's (common end user PC) 
security issues had been discovered.



Firewalls -destroy- the end to end model.   You don't get inbound 
connectivity past the firewall unless a rule is explicitly created. 
That's no different than NAT requiring specific work to be done.


Firewalls are not going away, if anything the continuing expansion of 
consumer users will create more and more breakage of the 
open-everything-connects-to-everything model, regardless of what the core 
engineering teams may want.



Hell, even without CPE doing it, many residential ISPs (regardless of NAT) 
block inbound traffic to consumers.



The end-to-end model ended a long long time ago... maybe it will come
back, but I rather doubt it.



We'll continue to have users, who run client software, and providers, who 
run server software.   And a mix in between, because the user end can 
CHOOSE to enable server functionality (with their feet, by choosing a new 
ISP, at their firewall and or NAT device, and by enabling server 
software).



NAT doesn't destroy end-to-end.  It just makes it slightly more difficult. 
But no more difficult than turning on a firewall does.
It doesn't break anything that isn't trying to announce itself - and 
imo, applications that want to announce themselves seem like a 
pretty big security hole.




--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html


Re: quietly....

2011-02-04 Thread david raistrick



Everyone doesn't suddenly get owned because there isn't a external
firewall.  Modern OS's default to secure.



We clearly live and work in different worlds.   Not to mention that we 
are not the average consumers anymore.   We were, in the days before NAT 
(and SPI).



--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: quietly....

2011-02-04 Thread david raistrick

On Fri, 4 Feb 2011, Roland Perry wrote:


But NAT does have the useful (I think) side effect that I don't have to 
renumber my network when I change upstream providers - whether that's once


But (what I keep being told) you should never have to renumber!  Get PI 
space and insert magic here!


sigh

--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




RE: quietly....

2011-02-03 Thread david raistrick

On Thu, 3 Feb 2011, Brian Johnson wrote:


1) To allow yourself to change or maintain multiple upstreams without
renumbering.


Not sure what you mean here. So having PI space can't accomplish this?



Using PI space means paying significantly more money per year than using 
PA space, particularly if you factor in the recommended subnet sizing 
and that your v6 address space requirements significantly increase over
v4+NAT.


Remember that we're not talking about ISPs and large enterprises who are 
used to shelling out artificially inflated $$ per year to use PI space.


We're talking about telling folks who were happy using PA space (or 
who have PI space from before IANA) that they now have to rent addresses 
if they want to avoid internal renumbering.




6) Because you have allocated a single address to a machine that later
on actually represents n different actual network entities, and
retrofitting them with their own unique IPv6 subnet presents a problem.


Huh?


I understood that.

I have a customer in my datacenter with 50 servers behind a firewall. 
(that customer could be an internal team at my enterprise, or a customer 
at a colo, or even a customer at the end of a telco circuit).


I need to renumber.

The coordination effort involved in renumbering @ the firewall, vs 
renumbering the -entirety- of the customer's internal subnets is 
significant.


One customer side example?  Oracle RAC.  With v4 and NAT, RAC would never 
have to know anything.  With no NAT, I have to shut down RAC, shut down 
OCFS2, reconfigure the cluster filesystem (which is a nontrivial task with
nontrivial risk), reconfigure RAC (which goes OK, other than that I have to
reconfigure potentially a half dozen config files on every server that 
connects to it), restart ocfs, restart RAC


That's all new work, because I told my customer they cannot use NAT.

And I have to do that with -every- customer.

With v4, I just helped the customer configure his firewall to support both 
the old and new addresses, changed external facing DNS, waited for all 
traffic to move over, removed the old addresses, and we were done.






--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: quietly....

2011-02-03 Thread david raistrick

On Thu, 3 Feb 2011, valdis.kletni...@vt.edu wrote:

The only reason FTP works through a NAT is because the NAT has already 
been hacked up to further mangle the data stream to make up for the 
mangling it does.


Speaking of should-have-died-years-ago.  FTP fits that category well. ;)


I'm told that IPSEC through a NAT can be interesting too...  And that's
something I'm also told some corporations are interested in.


NAT traversal for ipsec was sorted out more than a few years ago with 3 or 
4 different methods in play.   I dropped out of that market about the time 
it came to light, but as a ipsec end user I haven't had NAT problems going 
back as far as 2006 for sure, possibly further.



(the original problem was that only 1 user behind 1 IP could speak ipsec 
because it uses a specific protocol, not a port, that can only be 1-to-1. 
I'll leave it as an exercise for the reader to figure out how that was magiced
around without requiring the NAT devices to do anything.  and ssl doesn't 
count. :)



--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: And so it ends...

2011-02-03 Thread david raistrick

On Thu, 3 Feb 2011, Scott Helms wrote:

My 2 cents, in the few cases that we've been involved with that dealt with 
reclaiming space the backbone providers have universally followed what is in


If that legacy block holder were, well, one of the legacy block holders, 
would you as a backbone provider reject IBM or ATT or HP or Apple, etc?



--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: quietly....

2011-02-03 Thread david raistrick

On Thu, 3 Feb 2011, valdis.kletni...@vt.edu wrote:

Well, it's official - the original end-to-end design principle of the
Internet is dead, deceased, and buried.  Henceforth, there will be 
Clients, and there will be Servers, and all nodes will be permanently 
classified as one or the other, with no changing or intermixing of 
status allowed.


Er.  That's not news.  That's been the state of the art for what, 15+ 
years or so now?   SIP (because it's peer to peer) and P2P are really the 
only things that actually give a damn about it.



No one is going to check out their neighbor's website running on their
neighbor's computer if the neighbor didn't make an effort to make their
computer a server (by assigning DNS, running server software, etc) 
regardless of NAT etc etc.








--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: quietly....

2011-02-03 Thread david raistrick

On Wed, 2 Feb 2011, Jay Ashworth wrote:


I, personally, have been waiting to hear what happens when network techs
discover that they can't carry IP addresses around in their heads anymore.

That sounds trivial, perhaps, but I don't think it will be.


Heh.

My personal hope, anyway, is that it will motivate certain software 
engineers (and companies) who decide that DNS isn't worthwhile to support 
(for x y z or no reason) will never be able to remember the new addressing 
schemes, and find themselves having to use DNS...and thereby adding 
support to their code.


In which case, bring it on!  :)



--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: quietly....

2011-02-03 Thread david raistrick

On Wed, 2 Feb 2011, Jimmy Hess wrote:

SOCKS5 can be used to forward any TCP based protocol, and most UDP 
protocols,


Because SOCKS didn't break things worse than NAT?  Really?


--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: quietly....

2011-02-02 Thread david raistrick

On Tue, 1 Feb 2011, Cameron Byrne wrote:


Telling people I'm right, you're wrong over and over again leads to
them going away and ignoring IPv6.



+1

Somebody should probably get a blog instead of sending, *39 and
counting*, emails to this list in one day.


It's a discussion list.  We're having a discussion.   Admittedly, Owen 
hasn't presented any solutions to my actual problems, but.. ;)



Owen said:

The solution to number 2 depends again on the circumstance. IPv6
offers a variety of tools for this problem, but, I have yet to see an
environment where the other tools can't offer a better solution than
NAT.


Which is a complete non-answer.  NAT provides a nice solution - even 
with its problems - for small consumers and large enterprises, who have
much higher percentages of devices that need (or even -require-) no 
inbound connectivity.


Why should I (or my IT department) have to renumber the 5,000 desktop PCs 
in this office (a large percentage of which have static IP addresses due 
to the failings of dynamic DNS and software that won't support DNS (I'm 
looking at you, Unity.)) just because we've changed providers?  Why should
we have to renumber devices at my mom's house just because she switched 
from cable to dsl?





--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: quietly....

2011-02-02 Thread david raistrick

On Wed, 2 Feb 2011, Iljitsch van Beijnum wrote:

No, the point is that DNS resolvers in different places all use the same 
addresses. So at the cyber cafe 3003::3003 is the cyber cafe DNS but at 
the airport 3003::3003 is the airport DNS. (Or in both cases, if they 
don't run a DNS server, one operated by their ISP.)


Because no one has ever had a need to coexist with other DNS servers on 
the same subnet, right?   After all, there should only ever be 1 
authoritative source of information, and there's no way we would ever want
to have an exception for that.



...david (who manages his own authoritative and recursive DNS servers that
are used specifically for our group's purposes that have to coexist with
IT-managed servers)



--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: quietly....

2011-02-02 Thread david raistrick

On Wed, 2 Feb 2011, Iljitsch van Beijnum wrote:

IPv6 is what it is. There will be more tinkering but if you think 
there's enough


and yet it still isn't ready and standardly supported by OSes, routers, 
switches, software...  seems to me it's in the same mode it always has
been.



Because IPv4-style DHCP often breaks because the DHCP server points to


Really?  Never had that happen if I didn't configure it to happen... (and 
yes, I've done some pretty deep dhcp setups over the years, particularly for
WISP setups)



the wrong router address and because NAT breaks end-to-end connectivity 
so severe workaround in applications become necessary. But you knew 
that.



On the NAT subject, I'll point out a recent change that I wasn't aware of, 
and a bit of history around it.   It might help less people feel the 
need for NAT.



At least in ARIN territory, if you're multihomed, and you can show 
in-1-year use of 50% of a (v4) /24, you qualify for a PI v6 /48.  Which
means that a lot of the shops I've worked for over the years can get PI 
space where they couldn't before, and one of the heavy uses of NAT 
(renumbering sanity) disappears.   (if you're singlehomed, 50% of /20..)



For the history, v6 was originally pushed as -NO ONE- (who isn't an LIR or 
RIR) -EVER- gets PI space, you should use insert-magic-of-the-week-here.



That's changed.  We can now get PI space, and we can use it.  So those
of you who were thinking of using NAT with v6, how does that affect your
plans?




--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: quietly....

2011-02-02 Thread david raistrick

On Wed, 2 Feb 2011, Chris Owen wrote:


On Feb 2, 2011, at 3:09 PM, david raistrick wrote:

At least in ARIN territory, if you're multihomed, and you can show 
in-1-year use of 50% of a (v4) /24, you qualify for a PI v6 /48.


One of the things I find frustrating about this is the cost of the 
space.  We're a very small shop and to add IPv6 addresses for testing 
now we're looking at paying another $2,200 a year ($1,700 in the first


Ooof.   I didn't get that far - and hadn't realized the waiver was 
expired.


That's a pretty significant barrier to entry. :(




--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: quietly....

2011-02-01 Thread david raistrick

On Tue, 1 Feb 2011, Iljitsch van Beijnum wrote:

What's the point of switching to IPv6 if it repeats all the IPv4 
mistakes only with bigger addresses?


If you like NAT IPv4 is the place to be, it'll only get more and more.


It's arguments like this that have led to this moment.  Instead of
discussing "how can the next generation addressing scheme support the
needs of Internet consumers today and tomorrow" we tell people "if you
don't like it, use v4"



Guess what?  We're still using v4.

..david


--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: quietly....

2011-02-01 Thread david raistrick

On Tue, 1 Feb 2011, Dave Israel wrote:

responsibility.  If they want to use DHCPv6, or NAT, or Packet over Avian 
Carrier to achieve that, let them.  If using them causes them problems, then 
they should not use them.  It really isn't the community's place to force 
people not to use tools they find useful because we do not like them.


Not to mention that when you take tools -away- from people that solve an 
existing problem, you'll get a lot of pushback.




--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: quietly....

2011-02-01 Thread david raistrick

On Tue, 1 Feb 2011, Owen DeLong wrote:


NAT solves exactly one problem. It provides a way to reduce address 
consumption to work around a shortage of addresses.


It does not solve any other problem(s).



Sure it does.

It obfuscates internal addressing.

This wasn't the original goal, but it's a feature that some groups of 
users have come to require.





--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Found: Who is responsible for no more IP addresses

2011-01-27 Thread david raistrick

On Thu, 27 Jan 2011, Jay Ashworth wrote:


Fox didn't screw up, for a change, and Vint's quote appears in many
other news sources.  Apparently, I'm the only one on Nanog who knows
about this new thing called The Google.  :-)


Fox (in the linked article) didn't quote Vint.


They said useful things like this:

source:
http://www.foxnews.com/scitech/2011/01/26/internet-run-ip-addresses-happens-anyones-guess/

It's the end of the web as we know it.

And this is -not- what the article said before:
Web developers have compensated for this problem by creating IPv6 -- a 
system which recognizes 128-bit addresses as opposed to IPv4's 32-bit 
addresses.


Originally (an hour ago) it read something like
Web developers have compensated for this problem by creating IPv6 -- a 
system which uses 6 digit addresses instead of 4 digit 
addresses



But IPv6 isn't backwards-compatible with IPv4, meaning that it's not able 
to read most content that operates on an IPv4 system. At best, the user 
experience will be clunky and slow. At worst, instead of a webpage, all 
users will be able to view is a blank page.




--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Found: Who is responsible for no more IP addresses

2011-01-27 Thread david raistrick



here's the original quote (which a friend had pasted to me):

Web developers have tried to compensate for this problem by creating IPv6 
-- a system that recognizes six-digit IP addresses rather than four-digit 
ones.





On Thu, 27 Jan 2011, david raistrick wrote:


On Thu, 27 Jan 2011, Jay Ashworth wrote:


Fox didn't screw up, for a change, and Vint's quote appears in many
other news sources.  Apparently, I'm the only one on Nanog who knows
about this new thing called The Google.  :-)


Fox (in the linked article) didn't quote Vint.


They said useful things like this:

source:
http://www.foxnews.com/scitech/2011/01/26/internet-run-ip-addresses-happens-anyones-guess/

It's the end of the web as we know it.

And this is -not- what the article said before:
Web developers have compensated for this problem by creating IPv6 -- a 
system which recognizes 128-bit addresses as opposed to IPv4's 32-bit 
addresses.


Originally (an hour ago) it read something like
Web developers have compensated for this problem by creating IPv6 -- a 
system which uses 6 digit addresses instead of 4 digit addresses



But IPv6 isn't backwards-compatible with IPv4, meaning that it's not able to 
read most content that operates on an IPv4 system. At best, the user 
experience will be clunky and slow. At worst, instead of a webpage, all users 
will be able to view is a blank page.




--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html






--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Software DNS hghi availability and load balancer solution [SEC=UNCLASSIFIED]

2011-01-21 Thread david raistrick

On Wed, 19 Jan 2011, Wilkinson, Alex wrote:


freebsd + varnish + carp (http://www.openbsd.org/faq/pf/carp.html)


two of the three won't work @ EC2 (for my purposes, no idea about the 
original poster - but he did ask about DNS based solutions so I suspect 
he's in a similar boat)



--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Software DNS hghi availability and load balancer solution

2011-01-21 Thread david raistrick

On Tue, 18 Jan 2011, Jay Reitz wrote:


gdnsd is very robust and fast and has an interface that a networking
engineer won't mind.  It comes with a geolocation plugin with
health-check failover via HTTP.

http://code.google.com/p/gdnsd/



Thanks Jay, that looks like a good option - I like single-focus-software 
for things like this. ;)



--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Software DNS hghi availability and load balancer solution

2011-01-18 Thread david raistrick

On Tue, 18 Jan 2011, William Herrin wrote:


Net result is that in some cases a user's long-running browser will
indefinitely ignore the change you made to the DNS. I've seen such
things persist for months.


Do you have any recent evidence to support this?  The 
what-browsers-do-with-what world changes daily... and my understanding 
is that a lot of these things that used to be problems have been changed.




For better or for worse, the way you -reliably- fail over a web server
is with routing and middleboxes like a load balancer.


Alas, sometimes that's just not possible - try doing that @ EC2, for 
example (which is why I've recently been on the hunt for GSLB solutions 
that don't involve appliances...).



--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Software DNS hghi availability and load balancer solution

2011-01-18 Thread david raistrick

On Tue, 18 Jan 2011, Rhys Rhaven wrote:


Having hit these issues myself, I heavily recommend a real frontend
proxy like nginx or varnish.


A frontend proxy (nginx, varnish, haproxy, or anything else) doesn't give
you HA any more than any other loadbalancer solution does.  You need a way 
to send traffic to another frontend server when the primary frontend 
server fails, or is overloaded, transparently.



The tools we have available these days to do this are VRRP-like solutions 
(which all of the appliances use) that use multicast, some amount of 
NAT and routing magic (which I've often not seen done sanely), or DNS 
solutions (better known as GSLB) that dynamically change the DNS responses
depending on conditions (which could be source location, or could be 
server availability, or whatever).


Normally, VRRP would be the way to go.   But these days multicast isn't 
supported everywhere (major example - Amazon EC2), leaving DNS...


--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Software DNS hghi availability and load balancer solution

2011-01-18 Thread david raistrick



On Tue, 18 Jan 2011, Jack Bates wrote:


On 1/18/2011 1:42 PM, david raistrick wrote:

Normally, VRRP would be the way to go.   But these days multicast isn't
supported everywhere (major example - Amazon EC2), leaving DNS...


Many HA environments use both, and F5 is designed to do both, supporting DNS 
tricks (of which, you could possibly run host based monitoring and dynamic 
updates to accomplish), anycast routing, and vrrp-like DSR/NAT load 
balancing.


Agreed.  But sometimes you can't do both. ;)   Now if F5 would sell me an 
appliance that runs their GSLB code I could run @ EC2. ;)







--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Software DNS hghi availability and load balancer solution

2011-01-18 Thread david raistrick



On 01/18/2011 09:42 AM, Sergey Voropaev wrote:

Does any one know software solutions (free is preferable) like as cisco GSS
and F5 BIG-IP? The main point is that DNS-server (or dns server plugin) must
be able to monitor server availability (for example by TCP connect) and from
DNS-reply depends on it.



On Tue, 18 Jan 2011, Charles N Wyble wrote:


Ha-proxy and linux virtual server are popular packages.


Neither of these do DNS.   He asked about DNS based loadbalancing (also 
known as GSLB, among other things) software packages




--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html
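
A sketch of the DNS-based load balancing (GSLB) behaviour asked about in this thread, as an added example that is not from any of the posters or from a named product: a TCP-connect health check drives which A records are returned, with rise/fall thresholds so one lost probe does not flap the answer. The class names, thresholds, the fail-open policy and all addresses are assumptions made for illustration.

```python
import socket
from dataclasses import dataclass, field
from typing import Callable, List, Tuple


def tcp_probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """Health check by plain TCP connect; True if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass
class Backend:
    address: str        # A record handed out to clients
    check_host: str     # where the health check connects (may differ from address)
    check_port: int
    healthy: bool = True
    streak: int = field(default=0, init=False)  # consecutive results contradicting `healthy`


@dataclass
class GslbPool:
    name: str
    backends: List[Backend]
    ttl: int = 30       # short TTL so resolvers re-ask soon after a change
    fall: int = 2       # consecutive failures before a backend is withdrawn
    rise: int = 2       # consecutive successes before it is returned again
    probe: Callable[[str, int], bool] = tcp_probe

    def run_checks(self) -> None:
        """One monitoring round; state only flips after `fall`/`rise` agreeing results."""
        for b in self.backends:
            ok = self.probe(b.check_host, b.check_port)
            if ok == b.healthy:
                b.streak = 0
                continue
            b.streak += 1
            if b.streak >= (self.rise if ok else self.fall):
                b.healthy, b.streak = ok, 0

    def answer(self) -> List[Tuple[str, int, str, str]]:
        """Records (name, ttl, type, address) for a query on this pool's name."""
        up = [b for b in self.backends if b.healthy]
        # Assumed policy: fail open. If every check fails, the monitor itself
        # may be the broken part, so return everything rather than nothing.
        chosen = up or self.backends
        return [(self.name, self.ttl, "A", b.address) for b in chosen]


def demo() -> List[List[str]]:
    """Constructed local test: one listening port, one closed port on loopback."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(16)
    live_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    dead_port = spare.getsockname()[1]
    spare.close()                      # nothing listens here any more

    pool = GslbPool("www.example.test.", [
        Backend("192.0.2.10", "127.0.0.1", live_port),
        Backend("192.0.2.20", "127.0.0.1", dead_port),
    ], probe=lambda h, p: tcp_probe(h, p, timeout=0.5))

    seen = []
    for _ in range(3):                 # second failed round withdraws 192.0.2.20
        pool.run_checks()
        seen.append([rec[3] for rec in pool.answer()])
    listener.close()
    return seen


if __name__ == "__main__":
    for round_no, addrs in enumerate(demo(), 1):
        print(round_no, addrs)
```

The short TTL only bounds how long well-behaved resolvers keep a withdrawn address; clients that pin addresses beyond the TTL, as raised elsewhere in the thread, are not helped by it.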




Re: co-location and access to your server

2011-01-12 Thread david raistrick

On Wed, 12 Jan 2011, Jeroen van Aart wrote:

What is considered normal with regards to access to your co-located 
server(s)? Especially when you're just co-locating one or a few servers.


For less than 1 rack, or specialty racks with lockable sections (1/2 or 
1/3 or 1/4 racks with their own doors), I'd consider any physical access 
to simply be a plus.  I wouldn't expect any at all.   You're not paying 
for enough space to justify the costs involved in 24x7 independent access,
and the risks to other customers' gear.



When you get a full rack+, or cage+, I'd expect unfettered 24x7 access 
since your gear should be separated and secured from other folks' gear.
Some specialty providers would be exceptions, of course (ie, I used to 
colo gear inside tv stations, satellite downlink stations, etc).



Telecom colo (switch and network gear in a dedicated but shared space for 
providers providing service) would be an exception, of course.



--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Is NAT can provide some kind of protection?

2011-01-12 Thread david raistrick

On Wed, 12 Jan 2011, Chris Adams wrote:


Yes, they do.  NAT requires a stateful firewall.  Why is that so hard to
understand?


Um.  No.  NAT requires stateful inspection (because NAT needs to maintain 
a state table), but does not require a stateful firewall.  You can (and 
many CPE appliances do/did) have no firewall, or stateless firewall in 
front of NAT.



All NAT does is give you an implied deny-all-inbound rule, but doesn't, in 
and of itself, prevent someone probing open (configured by you or the 
vendor) ports that are forwarded or on the device.   Or from having 
unfettered inside access of 1 internal IP if you NAT all external ports to 
an internal IP.





--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html
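
The distinction drawn in the post above, as an added example that is not part of the original message: a toy model of a NAPT gateway with no separate firewall, showing that the state table gives an implied deny-all-inbound while a port forward or an all-ports mapping to one inside host still exposes that host. The class, the function names and every address are constructed for illustration; the per-remote match on dynamic state is an assumption, since real devices differ on that.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

Inside = Tuple[str, int]              # (inside_ip, inside_port)
State = Tuple[str, int, str, int]     # inside_ip, inside_port, remote_ip, remote_port


@dataclass
class NatGateway:
    """Constructed model of a NAPT box with NO firewall rules in front of it."""
    public_ip: str
    # Static mappings configured by the admin or vendor: (proto, public_port) -> inside host
    port_forwards: Dict[Tuple[str, int], Inside] = field(default_factory=dict)
    # "NAT all external ports to an internal IP" (often labelled DMZ host on CPE)
    dmz_host: Optional[str] = None
    table: Dict[Tuple[str, int], State] = field(default_factory=dict, init=False)
    next_port: int = field(default=40000, init=False)

    def outbound(self, proto: str, inside_ip: str, inside_port: int,
                 remote_ip: str, remote_port: int) -> int:
        """Inside host opens a flow; the gateway records state and picks a public port."""
        public_port = self.next_port
        self.next_port += 1
        self.table[(proto, public_port)] = (inside_ip, inside_port, remote_ip, remote_port)
        return public_port

    def inbound(self, proto: str, remote_ip: str, remote_port: int,
                public_port: int) -> Optional[Inside]:
        """Where a packet from outside is delivered, or None if it is dropped."""
        state = self.table.get((proto, public_port))
        if state and state[2:] == (remote_ip, remote_port):
            return state[:2]                       # reply to a flow started inside
        forward = self.port_forwards.get((proto, public_port))
        if forward:
            return forward                         # configured hole: no state needed
        if self.dmz_host:
            return (self.dmz_host, public_port)    # everything else lands on one host
        return None                                # the implied deny-all-inbound


def exposed_ports(gw: NatGateway, proto: str, ports: Iterable[int],
                  prober: Tuple[str, int] = ("203.0.113.50", 55555)) -> Dict[int, Inside]:
    """Audit helper: ports where an unsolicited outside packet reaches an inside host."""
    reached = {}
    for port in ports:
        target = gw.inbound(proto, prober[0], prober[1], port)
        if target is not None:
            reached[port] = target
    return reached


def demo() -> Dict[str, Dict[int, Inside]]:
    ports = [22, 80, 443, 3389]
    plain = NatGateway("198.51.100.7")
    forwarded = NatGateway("198.51.100.7",
                           port_forwards={("tcp", 22): ("192.168.1.10", 22)})
    dmz = NatGateway("198.51.100.7", dmz_host="192.168.1.30")
    return {
        "plain NAT": exposed_ports(plain, "tcp", ports),
        "NAT + port forward": exposed_ports(forwarded, "tcp", ports),
        "NAT + all-ports mapping": exposed_ports(dmz, "tcp", ports),
    }


if __name__ == "__main__":
    for name, reached in demo().items():
        print(f"{name}: {reached or 'nothing reachable unsolicited'}")
```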




Re: co-location and access to your server

2011-01-12 Thread david raistrick

On Wed, 12 Jan 2011, Jeroen van Aart wrote:

I guess knowing who entered the building by means of a keycard and having 
cameras isn't considered enough to deter potential evil doers. I know it's 
not enough for places like equinix, but that's of a different caliber.


Paying for 1u of colo justifies a keycard for you, cameras and keycard
hardware for the facility?   you're paying what, 50-100$ a month, maybe 
less?   you realize that low prices comes at the cost of reduced services?




--
david raistrickhttp://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Clearwire/Clear for branch office connectivity?

2011-01-05 Thread david raistrick

On Wed, 5 Jan 2011, tico wrote:


Is anyone using Clearwire/Clear's wireless broadband offering for


Me too! I'd love to hear from anyone that's used it extensively.


I haven't in a few years (I worked for someone who thought of themselves 
as a clearwire competitor), but we replaced a bunch of them that customers 
had, we installed a few of them with our own stickers on them, and we 
always kept one in the truck for those times we couldn't hit our own 
networks but we could hit theirs...


the gear was generally solid - as long as you could get a good signal.

inside datacenters, basements, and telco huts, though, were not places 
that good signal was often available




--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




RE: potential new and different architectural approach to solve the Comcast - L3 dispute

2010-12-17 Thread david raistrick

On Fri, 17 Dec 2010, George Bonser wrote:

What if instead of the end users paying for Internet service, the 
content providers did.  Sort of like broadcast TV where the broadcasters


Um.

I'm a content provider.

I pay a -lot- for internet service already.   That's how my bits and bytes 
arrive in the tubes for those end users to receive...




--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




RE: Facebook issue

2010-12-16 Thread david raistrick



We detected it about 3:40 eastern, and they just announced it on the 
status page.


We are currently investigating sitewide issues that will affect Facebook 
Platform. We apologize for any inconvenience and will post here with 
updates.



this should maybe be moved to outages@ though (depending on who you ask, 
of course)



--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Pointer for documentation on actually delivering IPv6

2010-12-07 Thread david raistrick

On Mon, 6 Dec 2010, Owen DeLong wrote:

Seriously, though, you're welcome to use fd00::/8 for exactly that 
purpose. The problem is that you (and hopefully it stays this way) won't 
have much luck finding a vendor that will provide the NAT for you to do 
it with.


[with my flame-retardant hat installed firmly]

So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the 
use of RFC1918 space?  Admittedly, it's been a year or two since I last had 
to engineer around that particular set of rules...but it's life or death 
for a lot of folks.




--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: The scale of streaming video on the Internet.

2010-12-02 Thread david raistrick

On Thu, 2 Dec 2010, Jack Bates wrote:

Watch the game live multicast. Missed the game? Watch it on demand. As things 
progress, we'll probably see more edge content delivery systems (like Akamai)


Have you ever actually been involved with really large scale multicast 
implementations?   I take it that's a no.


The -only- way that would work internet wide, and it defeats the purpose, 
is if your client side created a tunnel back to your multicast source 
network.  Which would mean you're carrying your multicast data over 
anycast.


If you, the multicast broadcaster, don't have extensive control of the 
-entire- end to end IP network, it will be significantly broken 
significant amounts of the time.



...david (former member of a team of engineers who built and maintained a 
220,000 seat multicast video network)



--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Facebook down!! Alert!

2010-10-06 Thread david raistrick

On Wed, 6 Oct 2010, Bret Clark wrote:


I have to agree on this as well. I can understand when a service provider is



you've forgotten that facebook (and indeed twitter too) are service 
providers that provide business-critical services.


just because you don't want to play facebook games doesn't make a facebook 
outage any less operationally relevant than, say, an akamai or limelight 
outage.






--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Facebook down!! Alert!

2010-10-06 Thread david raistrick

On Wed, 6 Oct 2010, Greg Whynott wrote:




just because you don't want to play facebook games doesn't make a facebook
outage any less operationally relevant than, say, an akamai or limelight
outage.


IMO which may be way off base, when akamai goes off the air, people lose 
potential sales/revenue.  when facebook goes off the air, a greater 
number of companies become more efficient than those who suffer 
productivity loss.



so the majority defines operational now, huh?  wow. nice to know that 
network service providers outnumber other companies these days... (of 
course, those service providers also make their money from facebook 
consumers)



--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Facebook down!! Alert!

2010-10-06 Thread david raistrick

On Wed, 6 Oct 2010, Matt Baldwin wrote:


I would imagine more businesses benefit from a FB outage in terms of a
tick up in productivity versus businesses harmed by a FB outage, e.g.


Perhaps, then, we should instead be discussing the business benefits of 
blocking facebook so companies can regain productivity?




--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Facebook down!! Alert!

2010-10-06 Thread david raistrick

On Wed, 6 Oct 2010, Andrew Kirch wrote:


No, the majority does not define what operational means.  Facebook is
not a mission critical internet resource (such as a fiber cut, power


not a mission critical internet resource -to you-


--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Facebook down!! Alert!

2010-10-06 Thread david raistrick

On Wed, 6 Oct 2010, david raistrick wrote:


On Wed, 6 Oct 2010, Andrew Kirch wrote:


No, the majority does not define what operational means.  Facebook is
not a mission critical internet resource (such as a fiber cut, power


not a mission critical internet resource -to you-



to be clear, I could give a damn about if we talk about this on nanog or 
not. (and I agree that outages is the right place to announce outages, 
and outage-discuss to discuss them).



my point is that facebook has moved beyond being a pure content provider, 
and (much like, say, google) provide both content AND service.   I have 
dependencies on facebook's (as do many many others who perhaps don't yet 
hire folks who even know what nanog is but someday will) services. 
without them, my teams can't work and my employer loses significant 
figures of revenue per day.


so facebook is very much operationally relevant for my network, and that 
these mixed content/service providers will be more and more relevant as 
time goes on and we as a community should figure out how to deal with 
their transition from pure content to perhaps some day pure service.





--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Facebook Issues/Outage in Southeast?

2010-09-23 Thread david raistrick



Want to see something funnier:
http://downrightnow.com/

Exactly the same as what you're seeing for facebook. Working icmp, broken http.


downforeveryoneorjustme.com is/was returning intermittent 500 errors, too. 
fun day.



..d (twiddling his thumbs waiting to test newly built servers that require 
facebook)



--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: virtual switches

2010-07-18 Thread david raistrick

On Mon, 19 Jul 2010, Truman Boyes wrote:

Cisco has VSS (on 6500 class) and H3C has IRF;  allowing you to 
virtualize 2 or more physical switches/routers in an active/active 
configuration


Juniper also has Virtual Chassis support on the EX-series. The MX also 
supports active/active multi chassis-LAG. It works as you would expect,



I seem to recall that both of these implementations suffer from some 
significant limitations around how/what you can do with them, as well as 
HA options...though that's all I can remember from digging into it 
(enough to realize it wouldn't work for us) last year.


OTOH, Raptor's virtual chassis magic (while it has its own issues...) 
didn't have these problems. :)






--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: 100% want IPv6 - Was: New Linksys CPE, IPv6 ?

2010-04-01 Thread david raistrick

On Wed, 31 Mar 2010, Joel Jaeggli wrote:


On 03/31/2010 08:52 PM, Patrick Giagnocavo wrote:

We have just (anecdotally, empirically) established earlier in this
thread, that anything smaller than a mid-sized business, can't even
*GET* IPv6 easily (at least in the USA); much less care about it.


fwiw, the last time I was at a company that needed a prefix, we wrote
up an addressing plan, applied, received an assignment, paid our money
and were done. if a pool of public addresses are a resource you need to



But were you able to get transit that let you use the address space?

I'm sure it's getting better, but as recently as 2 years ago it was 
near impossible to get for most areas (and most providers, and most colo 
facilities).




--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: YouTube AS36561 began announcing 1.0.0.0/8

2010-03-12 Thread david raistrick

On Fri, 12 Mar 2010, Joe Greco wrote:


If 1.0.0.0/8 has been widely used as de-facto rfc1918 for many years,
perhaps it is time to update rfc1918 to reflect this?


I seem to recall that the WIANA project decided to use 1.0.0.0/8 for 
the internal network within their meshAP project...


http://www.wiana.org/faq.php

random data point from memory.


--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: FreeAxez raised flooring?

2010-03-05 Thread david raistrick

On Fri, 5 Mar 2010, Dorn Hetzel wrote:


What is the purpose of raised flooring if it *doesn't *create a plenum?


...cabling?  (though I think working under a floor to route cables vs 
overhead ladder is a pain..but mixing cabling AND air underfloor is much 
worse)




On Fri, Mar 5, 2010 at 10:39 AM, Jason Gurtz jasongu...@npumail.com wrote:



How would cooling be done in this scenario?  Open air (with intake/exhaust
mixing) seems like a step backwards in terms of efficiency.


The usual methods of overhead (or possibly underfloor if you have enough 
height) distribution:  Ductwork. :)


Feed cold air into your cold aisle, and depending on your density and 
ceiling height use a general hot air return that pulls from the top of the 
ceiling (likely the same way you're used to seeing it done for most raised 
floor installs) OR drop additional hot air returns right over your hot 
aisles.



Further hot/cold separation is entirely possible, too, to support higher 
densities...



Personally I'm not a fan of using raised floor for a cold air plenum for 
reasons I'm not inclined to go into right now. :)



--
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Level 3 - legacy Wiltel/Looking Glass bandwidth

2009-07-02 Thread david raistrick

On Wed, 1 Jul 2009, Scott Howard wrote:


We're looking at getting connectivity via Level 3 in a particular
datacenter, but we're being told that it's legacy Wiltel/Looking Glass
rather than true Level 3.

Given that both of these acquisitions occurred years ago should I be
worried, or is this legacy connectivity the same as L3 at any other
datacenter?



As recently as a year ago, I had circuit issues in a L3 gateway facility 
(-not- an acquisition facility).  It took 8 hours, and a VP level 
escalation to get resolved.  The excuse that -every- tech save the last 
one gave?  we don't have access to some of the legacy [wiltel] equipment 
in the path, we can't diagnose further


YMMV, etc etc etc.   But full integration may still be far from 
complete...


[full disclosure: L3's purchase of Wiltel, then Telcove and Progress, 
destroyed my formerly reasonable opinion of L3 as they suddenly became the 
monopoly player in my town and were completely unable to deliver or 
maintain anything. later issues in L3's own Gateway facilities further 
enforced my low opinion of them]



---
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Why choose 120 volts?

2009-05-27 Thread david raistrick

On Tue, 26 May 2009, Joe Greco wrote:


http://www.cdw.com/shop/products/default.aspx?edc=1036852



Great, you're the latest person to invent a way to present a 5-15R that
offers something besides 120VAC.  This is neither new nor novel, but it
*is* dangerous and risky, and in no way solves the problem.


No, this does NOT present 208v at a 5-15R.   Don't believe me, buy one and 
put a voltmeter across it.


I'll leave the FUD to others.

---
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Why choose 120 volts?

2009-05-27 Thread david raistrick

On Wed, 27 May 2009, Seth Mattinen wrote:

Here's the L-G voltage off the 208v taps from an isolation transformer in a 
system with no neutral: http://ninjamonkey.us/not_120_volts.jpg


Not 120, but 90 give or take.  90 is at the low end of the acceptable 
range for common household 110/120v service.


Depending on how the phases are balanced in your facility, you may see 
that fluctuate up or down, of course.  If you measure hot to hot on the 
same PDU, do you get anywhere close to 208?  I'm going to suspect either 
you're fairly out of balance, or you've got a good bit of voltage drop by 
the time it arrives



But since the consensus from those who haven't used this is that the 
device will present 208/240 at the 5-15 plug, I withdraw my suggestion and 
leave you to your own methods.   (for the rest, test it yourself)


I also won't argue using ground for neutral, that's like arguing bonded vs 
unbonded panels.




---
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Why choose 120 volts?

2009-05-27 Thread david raistrick

On Wed, 27 May 2009, Joe Greco wrote:


... and move right on to outright misstatements?


No, statements based on personal experience.  I -fully- expected to get 
208v out of them, but in testing didn't.


Perhaps the ten I ordered were unique.  Or perhaps I don't know how to 
operate a VOM, or perhaps I'm full of sh!t.


I didn't expect this to generate such an uproar...but I forgot this is 
nanog. ;-)


.d


---
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Why choose 120 volts?

2009-05-26 Thread david raistrick

On Tue, 26 May 2009, Joe Greco wrote:


Once upon a time, Joe Greco jgr...@ns.sol.net said:

And I don't like not having anywhere to plug in my power screwdriver's
recharger...  I suppose I should see if I can find someplace that has



Yes, but this doesn't imply that you have access to those other phases.
It is easy enough to be delivered 208V single phase service in a data
center environment.



Uh.  208v single phase is functionally the same as 240v single phase. 
You grab 1 hot, neutral off the ground, and you have a common 110v 
circuit.  Even if you're 3 phase to your PDU, it's still single phase to 
the servers. (specialty gear excluded, but those generally plug direct to 
the circuit, not to a PDU).


This makes it very very easy to solve this problem, and I keep a few of 
these floating around at all of my datacenters, with big labels saying who 
they belong to.  (ignoring the fact that for drill charging at least 
there's usually house power available, but crash carts need these...)



C14 (M) to 5-15 (F) adaptor cable:

http://www.cdw.com/shop/products/default.aspx?edc=1036852

I also use them to run wall warts, etc, as needed.



---
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: Network SLA

2009-02-19 Thread david raistrick

On Thu, 19 Feb 2009, Saqib Ilyas wrote:


I am curious to know about any tools/techniques that a service provider uses
to assess an SLA before signing it. That is to say, how does an
administrator know if he/she can meet what he is promising.


IME, the administrators don't have anything to do with what is signed. 
The company chooses what SLAs to sign with customers (typically whatever 
the customer requests, possibly with various levels of pricing for 
different agreements), but the operational staff are not involved.



If you're lucky, you have this information before you build and can -try- 
to build to suit.   But most times, the SLAs are signed after you've 
built, and everyone just crosses their fingers.


IME.

..david

---
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




Re: What to do when your ISP off-shores tech support

2008-12-26 Thread david raistrick

On Sat, 27 Dec 2008, JF Mezei wrote:


The problem with outsourced first level support is that they are totally
disconnected from real time operations and wouldn't be aware of problems
that network engineers are currently working on.


Not always true.  Our outsourced support in India were also our first 
layer of network troubleshooting, and they monitored everything related to 
the products they supported.  They were almost always the first to call 
the engineers (in .us and .ca) to alert them of issues.


It's all about /what/ you hire them to do.


...david

---
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org http://www.expita.com/nomime.html




RE: Sprint v. Cogent, some clarity facts

2008-11-05 Thread david raistrick

On Wed, 5 Nov 2008, Church, Charles wrote:


I didn't really care about this, but now I'm curious.  Since their
peering was a 'trial', I'm assuming it hasn't always been there.  Prior
to Sprint and Cogent peering directly with each other, how did they
communicate?  Why was that functionality broken after they started
peering?



They purchased transit (through NTT I believe) for connectivity to sprint.

They removed that, because their goal has been to be transit-free.




---
david raistrick        http://www.netmeister.org/news/learn2quote.html
[EMAIL PROTECTED] http://www.expita.com/nomime.html




Re: Level 3 TPA routing today?

2008-08-26 Thread david raistrick

On Tue, 26 Aug 2008, David Hubbard wrote:


Anyone seeing issues with Level 3 between anywhere
and Tampa, particularly Atlanta and Dallas?  We've



Internap just reported problems with L3 out of Miami:

we are seeing latency, minor packet loss and path problems to a
number of destinations and other PNAPs via our Level3 (AS3356) upstream
connection in the MIA003 PNAP. 




---
david raistrick        http://www.netmeister.org/news/learn2quote.html
[EMAIL PROTECTED] http://www.expita.com/nomime.html




Re: [NANOG] Multihoming for small frys?

2008-05-21 Thread david raistrick

On Tue, 20 May 2008, Tony Varriale wrote:


AFAIK, ARIN doesn't give out /22s anymore.


It's a recent change in the past couple of years.

Still current:

However, for multi-homed organizations, the minimum allocation size is a 
/22



http://www.arin.net/registration/guidelines/ipv4_initial_alloc.html


Now, if you're not multihomed you still have the /20 as the longest 
prefix.



---
david raistrick        http://www.netmeister.org/news/learn2quote.html
[EMAIL PROTECTED] http://www.expita.com/nomime.html




Re: [NANOG] Multihoming for small frys?

2008-05-20 Thread david raistrick
On Tue, 20 May 2008, William Herrin wrote:

 The last I heard, the way to make this happen was: Find a service
 provider with IP blocks available in ARIN's set of /8's that permit

that part isn't required.   Generally any /24 will do in my 
experience except for specific cases.

Other than that, you've got it about right.





---
david raistrick        http://www.netmeister.org/news/learn2quote.html
[EMAIL PROTECTED] http://www.expita.com/nomime.html


___
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog


Re: rack power question

2008-03-22 Thread david raistrick


On Sat, 22 Mar 2008, Joe Greco wrote:


Charging substantially less for rack space, even offset by higher costs for
power, would encourage a lot of colo customers to spread the load around
and not feel as obligated to maximize the use of space.  That would in turn
reduce the tendency for there to be excessive numbers of hot spots.


I wonder if we're to the point yet where we should just charge for power
and give the space away free

When I'm shopping for colo that's pretty much the way I look at it.  Power 
determines space.   I need 80,000W of power at the breaker, so I need 
800sqftx15$ in facility A, and [EMAIL PROTECTED] in facility B.


I can fit my 8 racks into either the 320sqft or into the 800.  If I'm 
doing the 800, I'll probably spend a bit more up front and use 12 or 14 
racks, to keep my density down.  A bit more cost up front, but in the 
grand scheme of things 4 or 6 extra racks ($6 to 10,000$) don't directly 
hurt too much. (80kW worth of power usually means you've got well north of 
$2M worth of hardware and software being stuffed into the space in my 
experience..but maybe that's because we're an Oracle shop. ;)




Of course, I suppose for those customers still doing super-low-density 
boxes (webhosting with lots and lots of desktops), I suppose that model 
wouldn't work as well.



ramble.

.d

---
david raistrick        http://www.netmeister.org/news/learn2quote.html
[EMAIL PROTECTED] http://www.expita.com/nomime.html