Re: residential/smb internet access in 2019 - help?
On Tue, Mar 26, 2019 at 11:29 PM Ross Tajvar wrote:
> But most likely you're just out of luck.

it's really amazing that this is still the case, with our effectively internet based economy now.
residential/smb internet access in 2019 - help?
folks, I've been away from nanog for a long time - and away from the ISP world for longer.

Looking at a house in a new area, at copper splice box out front, bellsouth fiber markers as well (yes, that's usually just passing by. but it's there). Owners since '82 said the telephone company was AT&T - but the New AT&T apparently no longer offers phone or internet service there. This is located in a semi-rural area between Ocala and Gainesville Florida (Micanopy, specifically).

I knew the state of residential service was in sorry shape - but from what I'm reading, it seems to be worse than I'd thought possible.

Anyone have any suggestions for service options? I'm cool with dark fiber, if it comes down to that (and can be priced sanely and terminated somewhere useful), but it seems like there -should- still be CLEC/DLECs or just plain resellers in business who still have access to resources that are in the ground. My business operates from home - so obviously quality service is a priority, and I'm willing to pay for it within reason. Business plans are certainly an option as well.

I've confirmed with all of the known players via their front channels - att, windstream, centurylink, frontier, cox/comcast/spectre. Via backchannels I've confirmed that cox has fiber in the ground 1.4 miles away - straight shot down a dirt road (same one with the BS fiber markers). I have a lead on a couple of tower shots - but there's a big (for florida) ridge between us, and I might have to build 3-400ft to hit anything (speculatively).

Anyone have local area or other knowledge that might be helpful? I'd hate to miss out on this house - it's a lot of things we love - but cell or sat only for internet access just isn't going to fly.

thanks guys.

...david
Re: Dyn DDoS this AM?
On Fri, Oct 21, 2016 at 6:21 PM, David Birdsong wrote:
> I'd love to hear how others are handling the overhead of managing two dns providers. Every time we brainstorm on it, we see it as blackhole of eng effort WRT to keeping them in sync and then waiting for TTLs to cut an entire delegation over.

with the usual caveats - and I don't have any projects that currently need this but have in the past - pretty much every major dns provider allows you to ship them a full zone in some form or fashion. The effort to pull and ship a zone should be fairly minimal in and of itself.

mixing your public zone providers in your authoritative NS records is also easy - and, depending on your registrar of choice, should be easy to manage changing those (including having non-public mirrors maintained that you can switch to..). setting TTLs that make sense for a design that supports change is also easy.

the real developmental and architectural challenges are around what to do if the APIs you use to talk to your "primary" disappear and you need to consume them (creating new host entries, updating loadbalancer pools, whatever. we all have different and sometimes very diverse use cases for dns.).

one approach - as randy suggested - is to switch to a purely hidden and self managed primary - which might mean running your own API stack in front of it to control whatever you need to control and change. this doesn't need to be a "real" dns server in today's world - the days of BIND style zone transfers are generally long gone anyway when you hit these scales and levels of intra complexity. then your zone-replication components that ship zone updates to your various external providers are shipping from the same place. at least in that case it's fully within your control - but dev time and complexity definitely comes into play.

if your infra can survive internally without dns change control for the extent of an outage, that could be much easier to manage.
anyway, random and incomplete thoughts - time ran out, work calls. ...david
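An added example, not part of the thread above and not any provider's or registrar's own tooling: the "pull a zone from each provider and check they agree" step, plus the TTL-budget check that decides whether a cutover will actually be fast. It assumes each provider can hand back its copy of the zone in master-file form (AXFR or an export API). The two zone dumps, the provider hostnames and the addresses are constructed for the example.

```python
"""Zone drift check across two DNS providers.

Added example (not from the original thread). The two zone dumps below are
constructed; provider names and IPs are placeholders from documentation
address space. Assumes each provider can hand back its copy of the zone in
master-file form (via AXFR or an export API), which is all this needs.
"""

# Constructed dump from the "primary" provider (what we intend to serve).
PRIMARY_ZONE = """\
$ORIGIN example.com.
$TTL 300
@      IN SOA ns1.provider-a.example. hostmaster.example.com. 2016102101 3600 600 1209600 300
@      IN NS  ns1.provider-a.example.
@      IN NS  ns1.provider-b.example.
www 60 IN A   192.0.2.10
api 60 IN A   192.0.2.20
mail 86400 IN A 192.0.2.30   ; long TTL: slow to move in an emergency
"""

# Constructed dump from the "mirror" provider: api.example.com is stale and
# www.example.com has drifted to a longer TTL. SOA serials differ by design.
MIRROR_ZONE = """\
$ORIGIN example.com.
$TTL 300
@      IN SOA ns1.provider-b.example. hostmaster.example.com. 2016101900 3600 600 1209600 300
@      IN NS  ns1.provider-a.example.
@      IN NS  ns1.provider-b.example.
www 300 IN A  192.0.2.10
api 60  IN A  192.0.2.21
mail 86400 IN A 192.0.2.30
"""


def parse_zone(text, origin="."):
    """Parse a simple master-file dump into a set of (owner, ttl, type, rdata).

    Handles $ORIGIN, $TTL, comments, optional TTL and class fields, and
    relative owner names. Rdata is kept verbatim (relative names inside rdata
    are not expanded), which is enough for a drift check on absolute data.
    """
    default_ttl = 3600
    records = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        parts = line.split()
        owner = parts.pop(0)
        ttl = default_ttl
        if parts and parts[0].isdigit():
            ttl = int(parts.pop(0))
        if parts and parts[0].upper() == "IN":
            parts.pop(0)
        rtype = parts.pop(0).upper()
        rdata = " ".join(parts)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.add((owner.lower(), ttl, rtype, rdata))
    return records


def diff_zones(primary, mirror):
    """Compare two record sets, ignoring SOA (each provider owns its serial).

    Returns (missing_from_mirror, extra_in_mirror, ttl_drift): the first two
    are lists of (owner, type, rdata); ttl_drift is a list of
    ((owner, type, rdata), primary_ttl, mirror_ttl).
    """
    def index(records):
        return {(o, t, r): ttl for (o, ttl, t, r) in records if t != "SOA"}

    p, m = index(primary), index(mirror)
    missing = sorted(k for k in p if k not in m)
    extra = sorted(k for k in m if k not in p)
    drift = sorted((k, p[k], m[k]) for k in p if k in m and p[k] != m[k])
    return missing, extra, drift


def over_budget(records, budget_seconds):
    """Records whose TTL exceeds the time you are willing to wait for a change
    to propagate during a provider cutover, longest TTL first."""
    return sorted((r for r in records if r[1] > budget_seconds),
                  key=lambda r: -r[1])


if __name__ == "__main__":
    primary = parse_zone(PRIMARY_ZONE)
    mirror = parse_zone(MIRROR_ZONE)
    missing, extra, drift = diff_zones(primary, mirror)
    for k in missing:
        print("MISSING on mirror:", *k)
    for k in extra:
        print("STALE on mirror:  ", *k)
    for k, p_ttl, m_ttl in drift:
        print(f"TTL DRIFT {k[0]} {k[1]}: primary={p_ttl} mirror={m_ttl}")
    for owner, ttl, rtype, rdata in over_budget(primary, 300):
        print(f"TTL {ttl}s on {owner} {rtype} exceeds 300s cutover budget")
```

Run against real dumps, a non-empty `missing`/`extra` list is the "out of sync" condition the thread worries about, and a non-empty `over_budget` list is the set of records that will keep the old provider's answer alive long after you move the delegation, regardless of how quickly the NS set changes.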
contact @ detroit pistons IT/network org?
by chance - anyone have a clueful contact at the detroit pistons who can help resolve an https MITM proxy problem? (likely a misconfigured watchguard.) trying to diagnose a proxy level certificate problem through a management level proxy is less than fun.
Re: ATT UVERSE Native IPv6, a HOWTO
On Mon, 2 Dec 2013, Owen DeLong wrote:
> Given that 10.7 is fairly ancient at this point

I know, right? 2.5 years old is -ancient- . o O ( sigh )

--
david raistrick  http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org  ascii ribbon campaign - stop html mail http://www.asciiribbon.org/
Re: roadrunner takes a really long excursion
On Thu, 11 Jul 2013, Randy Bush wrote:
> their xo peering. i guess the root cause is that roadrunner is poorly peered. are they not actually twt?

Nope. TWT vs TWC.
Re: huawei
On Thu, 13 Jun 2013, Phil Fagan wrote:
> I've always wondered about that... would you know that the Huawei is leaking data?

the puddle on the floor isn't a giveaway?
Re: What Should an Engineer Address when 'Selling' IPv6 to Executives?
On Wed, 6 Mar 2013, George Herbert wrote:
> The mindshare shift is happening, but the change won't snowball until IT admins - in bulk - really get it.

and keeping in mind that the bulk still don't get ipv4, either, (how many times a day do I explain to someone what a /xx is, and how you'd fill that out for just a single ip address... sigh), the snowball really won't happen until it Just Works(tm). impe and all that.
Re: What Should an Engineer Address when 'Selling' IPv6 to Executives?
On Tue, 5 Mar 2013, Patrick W. Gilmore wrote:
> Why not just have them read their own SEC filings. Nearly every company has something to the effect of this in their 10K:
>
> The potential exhaustion of the supply of unallocated IPv4 addresses and the inability of $COMPANY and other Internet users to successfully transition to IPv6 could harm our operations and the functioning of the Internet as a whole.

ours doesn't. at least not the may '12 AR
Re: NANOG 57 Notes (on location)
On Wed, 6 Feb 2013, Jay Ashworth wrote:
> ----- Original Message -----
> From: david raistrick dr...@icantclick.org
>> sure would be nice if the nanog meetings were a bit better announced... why do I always find out about the orlando ones during or after?
>
> I hadn't realized there was another one in Orlando, David; last Florida ones I knew about were Miami, and 10 in Tampa.

Yeah, my brain fart - ARIN XV was what I was thinking of (2005).
Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....
On Wed, 28 Nov 2012, Bjørn Mork wrote:
> Do you really want to run networking software written by someone incapable of setting up a test network? This doesn't have anything with tunnel brokers or native access to do at all.

So the software engineer should now -also- be responsible for, and capable of, recreating both the network as well as 3rd party systems that he/she has to code against?

again focusing on just our last title release - 20+ 3rd party interfaces run by 6 different companies. Is the software engineer really responsible for faking things like xbox live, PSN, facebook, twitter, google, etc on a test network?
Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....
On Wed, 28 Nov 2012, Jeroen Massar wrote:
> Not for faking it, but in the case you mention it is very obvious that the software engineer should be able to ask their network team to make sure that they can access those API's if only for testing...

You're assuming, now, that the network team either a) works for the same arm of the company as the development team, and therefore can apply pressure on them or b) has support to build v6 into the system already (so they have time and resources to support the dev team), or c) gives a foo at all. Not to mention the time the dev team will spend spinning its wheels.

Now, yes - if ipv6 support is a feature of the product they're building (and so driven and supported by management or marketing teams) then things could work as you suggest. But until such time as v6 support is something that they care about upstream...well. The 2 days of time you were budgeted to build the tool/feature/etc you're supposed to be working on isn't really going to include time to get v6 support in.

> your job, the least of which is to file a ticket for IPv6 support in the ticket tracking system so that one could state "I thought of it, company did not want it".

funnily enough that's -exactly- what I've been doing for the last 3 years. So, until it comes down from the top, the company doesn't want it.

...david (who is not a developer and is a network engineer, but not in this job)
Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....
On Wed, 28 Nov 2012, Bjørn Mork wrote:
> Maybe so. But do I _want_ to run that software? No. Anyway, I am not sure which programs that would be. The applications with open sockets on my laptop are currently:

I take it you're in the minority who don't play games, use mobile apps on your phone, use a dvr... or any SaaS applications accessible via the web, or indeed visit websites with shopping cart software, or CRM software, or blogs, or... the large majority of software that interfaces to v4 networks does so through libraries and frameworks that separate that part of the application stack from the part that the developer is building his code in.

So really and truly most software is written by developers who can barely plug and play their home networks, much less actually understand what dhcp means.
Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....
On Wed, 28 Nov 2012, Bjørn Mork wrote:
> Native IPv6 internet access has never been a requirement for developing IPv6 aware applications. That was a bad excuse even 10 years ago. Today it is just ridiculous.

I certainly never said that was the case. I built v6 test networks, and helped kernel devs build v6 support into firewall appliances 10 years ago. But it wasn't a feature that drove sales...

My argument is that a) typical developers don't develop microcode, kernel drivers, or protocols. But they DO build a lot of applications that sit on top of them. They build them because someone is paying them to do it. The folks that sign the checks ask for A B and C. And v6 isn't one of those things yet. Some day, maybe it will be. We're just not there yet. (yes. when we get there it's going to be too late. no argument.)

in the meantime there's still a ton of new and old stuff to build w/o v6 support from our internal or external vendors.

...david
Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....
On Tue, 27 Nov 2012, Jeroen Massar wrote:
> As for actually getting IPv6 at home or at work, there are so many ways to get that, thus not having it is a completely ridiculous excuse.

bull. explain using a tunnel broker to anyone who isn't a network engineer. oh, and then make that work inside a typical F500 corp network with restrictions on inbound and outbound ports, no admin user access to desktop machines, etc.

Until the orgs that support the developers find that v6 is a priority (through whatever means it happens - neteng/IT/etc pushing it up the chain or politics/marketing pushing it down the chain) and it's functional on the typical corp desktop, the typical corp application engineer is going to have no motivation (not to mention no time in his/her schedule to reengineer their platform) to support v6.

...david (who hasn't read the rest of the thread. but is it really any different than any other?)
Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....
On Wed, 28 Nov 2012, Mark Andrews wrote:
>> oh, and then make that work inside a typical F500 corp network with restrictions on inbound and outbound ports, no admin user access to desktop machines, etc.
>
> And if they are developing a product for the company there are procedures to get the changes needed to do the development.

...only if v6 support is on their development roadmap. For our latest released product, which had a 3 month timeline, there definitely would have been no software engineering support for building v6 support into a server framework that never had to support it before, nor 2 (or 3) client frameworks.

...david (who supports a bunch of software engineers for one of many arms of an F500 company)
Re: FYI Netflix is down
On Tue, 3 Jul 2012, Rodrick Brown wrote:
> face when implementing BCP today. I doubt Amazon gave much thought to multiple site outages and clients not being able to dynamically redeploy their engines because of inaccessibility from ELB.

Considering there's a grand total of -one- tool in the entire AWS toolkit that supports working across multiple regions at all sanely (that would be ec2-migrate-bundle, btw), I'd agree. Amazon has put nearly zero thought into multiple site outages or how their customer base could leverage the multiple sites (regions) operated by AWS.
Re: FYI Netflix is down
On Mon, 2 Jul 2012, Leo Bicknell wrote:
> I used to work with a guy who had a simple test for these things, and if I was a VP at Amazon, Netflix, or any other large company I would do the same. About once a month he would walk out on the

you mean like this? http://techblog.netflix.com/2011/07/netflix-simian-army.html
Re: FYI Netflix is down
On Mon, 2 Jul 2012, Leo Bicknell wrote:
>> http://techblog.netflix.com/2011/07/netflix-simian-army.html
>
> Yes, Netflix seems to get it, and I think their Simian Army is a great QA tool. However, it is not a complete testing system, I have never seen them talk about testing non-software components, and I hope they do that as well. As we saw in the previous Amazon outage, part of the problem was a circuit breaker configuration.

When the hardware is outsourced how would you propose testing the non-software components? They do simulate availability zone issues (and AZ is as close as you get to controlling which internal power/network/etc grid you're attached to). I suppose they could introduce artificial network latency/loss @ each instance - and could add testing around what happens when amazon's API disappears (as was the case friday). Beyond that... the rest of it is up to the hardware provider (Amazon, in this case).

..david (who also relies on outsourced hardware these days)
Re: FYI Netflix is down
On Mon, 2 Jul 2012, James Downs wrote:
> back-plane / control-plane was unable to cope with the requests. Netflix uses Amazon's ELB to balance the traffic and no back-plane meant they were unable to reconfigure it to route around the problem.

Someone needs to define back-plane/control-plane in this case. (and what wasn't working)

Amazon resources are controlled (from a consumer viewpoint) by API - that API is also used by amazon's internal toolkits that support ELB (and RDS..). Those (http accessed) API interfaces were unavailable for a good portion of the outages. I know nothing of the netflix side of it - but that's what -we- saw. (and that caused all us-east RDS instances in every AZ to appear offline..)
Re: Vixie warns: DNS Changer ‘blackouts’ inevitable
On Thu, 31 May 2012, cncr04s/Randy wrote:
> Exactly how much can it cost to serve up those requests... I mean for 9$ a month I have a cpu that handles 2000 *Recursive* Queries a second. 900 bux could net me *200,000* a second if not more. The government overspends on a lot of things.. they need some one who's got the experience to use a bunch of cheap servers for the resolvers and a box that hosts the IPs used and then distributes the query packets.

So you'd offer your expertise for $9 (or $900) a month 24/7? Since you imply server cost is the only cost in operating such a service..
Re: Reliable Cloud host ?
On Tue, 28 Feb 2012, Owen DeLong wrote:
> But they don't have to... They can simply use getaddrinfo()/getnameinfo() and let the OS libraries do it. The fact that some applications choose to use their own resolvers instead of system libraries is what is broken.

Not always true - firewall software, for example, generally requires IP addresses in their rules (ipfw, pfsense, iptables, at least a few years ago) and for validly sane reasons (even some of our best kernel guys were not crazy enough to change that for ipfw).

Proxy software that supports high connection rates and connection churn generally prefer to cache the IP address internally because OS resolvers and the caches they read from just can't keep up [except in specifically well designed systems - which proxy developers can't expect joe blow to know how to do]. A stress test tool I'm working with just had to be modified for exactly that reason (and because adding more caches in front of AWS semi-authoritative caches (due to split horizon) wouldn't solve anything. a short TTL is a short TTL is a short TTL).

Some of those proxy developers claim that within the chroot whatchamajiggy that their socket handling code runs they don't have access to the resolvers - so they have to store them at startup (see haproxy).

--
david raistrick  http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org  http://www.expita.com/nomime.html
Re: Programmers with network engineering skills
On Mon, 27 Feb 2012, Owen DeLong wrote:
> I think you're more likely to find a network engineer with (possibly limited) programming skills.

While I'll agree about the "more likely", if I needed a coder who had a firm grasp of networking I'd rather teach a good coder networking, than try to teach the art and magic of good development to a network guy.

I think it really comes down to which you need: a hardcore network engineer/architect who can hack up code, or a hardcore developer who has or can obtain enough of a grasp of networking fundamentals and specifics to build you the software you need him to develop. The ones who already know both ends extremely well are going to be -very- hard to find, but finding one who can learn enough of the other to accomplish what you need shouldn't be hard at all.

oh wait, that's an echo I hear isn't it.

...d (who is not exactly the former though I've played one for TV, and not at all the latter)
dns and software, was Re: Reliable Cloud host ?
On Mon, 27 Feb 2012, William Herrin wrote:
> In some cases this is because of carelessness: The application does a gethostbyname once when it starts, grabs the first IP address in the list and retains it indefinitely. The gethostbyname function doesn't even pass the TTL to the application. Ntpd is/used to be one of the notable offenders, continuing to poll the dead address for years after the server moved.

While yes it often is carelessness - it's been reported by hardcore development sorts that I trust that there is no standardized API to obtain the TTL... What needs to get fixed is get[hostbyname,addrinfo,etc] so programmers have better tools.
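An added example, not part of either "Reliable Cloud host ?" message above and not libc's, haproxy's or any proxy's own code: it shows where the TTL that getaddrinfo()/gethostbyname() throw away actually sits (in the answer section of the DNS response on the wire), and a small address cache that re-resolves when that TTL expires instead of pinning the first address for the life of the process. The response bytes, the name, the addresses and the injectable clock are constructed for the example; a real program would get the bytes from a resolver library or its own query, which this block does not do.

```python
"""Where the TTL actually is, and a cache that honours it.

Added example (not from the thread). getaddrinfo()/gethostbyname() return
addresses only; the TTL is in the DNS answer section on the wire, so a
program that wants it has to look at the response itself (or use a resolver
library that exposes it). The response bytes below are constructed by hand
for www.example.com with two A records and a 30 second TTL; the clock
injection exists only so expiry can be exercised without sleeping.
"""
import struct
import time


def read_name(msg, off):
    """Decode a (possibly compressed, RFC 1035 4.1.4) name at offset off.
    Returns (name, offset just past the name in the original position)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack_from("!H", msg, off)[0] & 0x3FFF
            hops += 1
            if hops > 16:                       # refuse pointer loops
                raise ValueError("pointer loop in name")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_answers(msg):
    """Return [(owner, ipv4, ttl)] for every A record in the answer section."""
    qdcount, ancount = struct.unpack_from("!HH", msg, 4)
    off = 12                                    # header is 12 bytes
    for _ in range(qdcount):                    # skip the question section
        _, off = read_name(msg, off)
        off += 4                                # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A / IN
            answers.append((owner, ".".join(str(b) for b in rdata), ttl))
    return answers


# Constructed response: id 0x1234, flags QR|RD|RA, 1 question, 2 answers.
# Answer owners are compression pointers (0xC00C) back to the question name.
QNAME = b"\x03www\x07example\x03com\x00"
RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)
    + QNAME + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes([192, 0, 2, 10])
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 30, 4) + bytes([192, 0, 2, 11])
)


class TtlCache:
    """Address cache that re-resolves once the smallest answer TTL has passed,
    instead of keeping the startup answer forever."""

    def __init__(self, resolve, clock=time.monotonic):
        self._resolve = resolve      # name -> [(owner, ip, ttl)]
        self._clock = clock
        self._entries = {}           # name -> (ips, expires_at)
        self.lookups = 0             # how many times we went to the resolver

    def addresses(self, name):
        entry = self._entries.get(name)
        now = self._clock()
        if entry is None or now >= entry[1]:
            answers = self._resolve(name)
            self.lookups += 1
            if not answers:
                raise LookupError(name)
            ttl = min(ttl for _, _, ttl in answers)   # shortest TTL wins
            entry = ([ip for _, ip, _ in answers], now + ttl)
            self._entries[name] = entry
        return entry[0]


def demo():
    """Drive the cache with a fake clock: two lookups inside the TTL hit the
    cache, the third (at 30s) goes back to the resolver."""
    clock = [0.0]
    cache = TtlCache(lambda name: parse_a_answers(RESPONSE), clock=lambda: clock[0])
    first = cache.addresses("www.example.com")
    clock[0] = 29.0
    cache.addresses("www.example.com")
    clock[0] = 30.0
    cache.addresses("www.example.com")
    return first, cache.lookups


if __name__ == "__main__":
    print(parse_a_answers(RESPONSE))
    print(demo())
```

The cache keys expiry off the smallest TTL in the answer set, which is what a resolver would do; a proxy that cached the list at startup and never re-read it is the failure mode both messages describe, and swapping its lookup for something shaped like `TtlCache.addresses` is the fix.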
Re: Reliable Cloud host ?
On Sun, 26 Feb 2012, Randy Carpenter wrote:
> I don't need that kind of HA, and understand that it is not going to be available. 15 minutes of downtime is fine. 6 hours is completely unacceptable, and it's false advertising to say you have a "Cloud" service, and then have the realization that you could have *indefinite* downtime.

Um. You and I apparently work in different clouds. In my world, the SLAs I have agreed to state, roughly, that uptime is not guaranteed, nor is data recoverability. They suggest that that sort of thing is -my- problem to engineer and architect around. I don't use Rackspace's cloud solution - but I haven't seen anything to suggest that they advertise their service any differently.

The cloud provides flexibility and rapid deployment at the expense of hands-on control and reliability (and SLAs).

Perhaps you forgot to read the SLA? Or you can show us where someone defines "Cloud" as highly available and without indefinite downtime?
Re: WW: Colo Vending Machine
On Sat, 18 Feb 2012, Pierre-Yves Maunier wrote:
> 6 - plastic cable clamps (don't know the exact english term for that but I mean this -- http://www.hellopro.fr/images/produit-2/9/3/8/serre-cables-261839.jpg)

also known as zip tie or plastic cable tie more generically
Re: time sink 42
On Thu, 16 Feb 2012, Randy Bush wrote:
> is there a trick? is there a (not expensive) different labeling machine or technique i should use?

the rhino pro labelers and labels have a split on the backer so they peel easy. oh, and they don't come off with heat exposure (some of them are even ok after a few years outdoors in florida) like the brother junk does. I think my megadeluxewithacase model cost about $100 from provantage... :)
Re: Wireless Recommendations
On Mon, 30 Jan 2012, Jonathan Lassoff wrote:
> That said, I'm not sure what you're trying to do here, but I think you'll be disappointed with any AP with 600 *active* stations associated to it. No AP can work around the congestive collapse of hundreds of stations all transmitting RTS frames at once.

unless, of course, that's the concept you are trying to prove...? :)
Re: Equinix Miami 1 condemnation
On Wed, 25 Jan 2012, Jay Ashworth wrote:
> Last week, we saw some traffic about the Lightfiber problems because EqM1 is apparently in a building that's been condemned by the city or county of Miami.

If I were to toss out a purely random semieducated guess - a lot of south florida datacenter buildings were pretty damaged by Ivan (and his friends, floyd, charlie, francis, and katrina) some years back. I'd venture to guess that they've managed to keep things running (or put it back together enough to keep things running) for a while and have been fighting the condemnation order for a number of years...and finally lost. Fun part about those is you usually have nearly zero time to gtfo, especially if you've fought it...

of course, my memory of that time is pretty fuzzy (but I did watch as the company that borged my employer at the time had to scramble massively to recover from having their gear destroyed, flooded, and otherwise put out of service by the storms, basically moving everything that was down south up to orlando). It definitely affected our ability to get paychecks - and for the next few months they were having to literally truck the only remaining check printer back and forth from S.Fl to Orlando every week to print checks.

. o O ( and I don't know where equinix's building was in south florida, either. but I know they never showed up on our radar when we were hunting for space with dark fiber back to the NAP to feed our southern customers their dose of WCQ...)

...david
Re: Recent DNS attacks from China?
On Wed, 30 Nov 2011, Leland Vandervort wrote:
> I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from chinese IP addresses? Over the past 24 hours we've seen a sudden rash of chinese IPs attacking our DNS servers in the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30 minutes. This anomalous traffic started roughly 24 hours ago, and while we've had occasions of anomalous chinese traffic, never anything of this type.

That might explain akamai.net hostnames not resolving intermittently since Tue Nov 29 20:20:02 2011 UTC... I don't run any authoritative or exposed caches at the moment, and the aka NXDOMAINs are the only thing we've been seeing dropouts on for the past ~48 hours, but we did see NXDOMAINs from a bunch of amazonaws hostnames over the holidays...
Re: Posting for network engineers and operators...
On Wed, 23 Nov 2011, Brian Stengel wrote:
> Apologies if this is not appropriate for this list... but I'm looking to hire network engineers for our project and would like to hear what job boards are best for network engineering types to view. I'm not a

IME, anyway, none of them. If you're targeting a specific locality, eng/ops groups, linkedin, and craigslist are probably a good start.

I don't believe that engineers looking for engineers is offtopic for nanog, either (though the rules may have changed over the years), though if you're open to a more global response, there is a nanog-jobs list, but it has had effectively zero traffic
Re: Arguing against using public IP space
On Tue, 15 Nov 2011, Joe Greco wrote:
>> Or perhaps a better argument would be that routers really ought to default to deny. :-)
>
> I'd be fine with that, but I can hear the screaming already.

er. you've forgotten "en; conf t; ip routing" to turn off the default "no ip routing" (or "no ip forwarding" is my memory, but my config archive says otherwise). so we had default to deny in routers for a long time
RE: Brighthouse Outage in Tampa, FL
On Thu, 8 Sep 2011, Dylan Bouterse wrote:
> Brighthouse in Orlando was not affected as far as I could tell, but I did hear of customers in Lakeland that were down. Pretty widespread outage.

Internally at brighthouse, Tampa (southwest florida) and Orlando (central florida) are pretty heavily detached from each other. There's now some call center, management, and engineering overlap but that only happened over the last few years. network and video delivery systems are still significantly divergent... (which is usually a good thing, since it means that when tampa breaks, orlando survives. ;)
Re: Enterprise Internet - Question
On Thu, 14 Jul 2011, Jeff Cartier wrote:
> - Does the idea of having local Internet at each site make more sense? If so why?

IME, costs for private backhaul circuits of any flavor are significantly higher than costs for plain internet access - so backhauling internet access (unless you have extremely restrictive access policies that you can actually enforce) through your WAN would/should cost through the nose. Routing only WAN traffic through the WAN reduces the size/scope/impact on those more expensive circuits. Probably at the expense of additional complexity, of course.
Re: (OT) Firearms Was: UN declares Internet access a human right
On Mon, 6 Jun 2011, Owen DeLong wrote:
> While your statement above sounds wonderfully utopian, the reality is that unless the citizens can take up arms against the government, the government can, over time, become criminal. A disarmed populace has no ability to protect itself from such a government.

urg. obNetops anyone? not sure nanog is really the place to arm bears and bare arms
Re: How do you put a TV station on the Mbone?
On Fri, 29 Apr 2011, Jay Ashworth wrote:
> I'd expect it to be fairly common at colleges; possibly in companies,

ok, colleges I can buy.

> Is it still this fragile in 2011?

It was in 2009, anyway.

> And you haven't written the O'Reilly book yet... why? :-)

Because it's not an experience I care to repeat. ;-) Today, I make video games. MUCH more fun! (who knew, content CAN be fun)
Re: Graph Utils (Open-Source)
On Fri, 18 Feb 2011, Max Pierson wrote:
> Hi List, Anyone out there using something other than rrdtool for creating graphs?? I have a project that will need a trend taken, and unfortunately rrdtool doesn't fit the bill. All of the scripting, data collection, database archival, etc will be custom written or is already done (with some hacks of course :). So really what i'm looking for is something along the

we use both gd (in php and in perl and in c++) and google's graphing magic in various places. http://code.google.com/apis/chart/
Re: My upstream ISP does not support IPv6
On Fri, 4 Feb 2011, david raistrick wrote:
> Amazon AWS - No. But I'm asking again, that's a few months old.

To follow up on this:

> We are investigating IP v6 but, unfortunately, have no plans that are available for sharing at present
Re: Looking for an IPv6 naysayer...
On Wed, 9 Feb 2011, Scott Helms wrote:
> For ISPs in this circumstance the choice will be CGNAT rather than IPv6 for a number of years because the cost is much lower and according to the vendors selling CGNAT solutions the impact to end users is (almost) unnoticeable.

Anyone care to define CGNAT? Google results for this are either unrelated or "CGNAT will save us" or "CGNAT doesn't count" - no rfcs, no explanations, nothing
Re: Looking for an IPv6 naysayer...
On Wed, 9 Feb 2011, Jens Link wrote:
> Scott Helms khe...@ispalliance.net writes:
>> IPv6 for some ISPs will be extraordinarily painful because of legacy layer 2 gear
> I don't feel sorry for them. We know that IPv6 is coming for how long? 15years? 10year? 5years? Well if you only read the mainstream media you
And at what point during that time did they have any vendor gear they could purchase that -would- support v6? At -best- during the last 5 years, but I'd put money on that even today they can't purchase gear with adequate v6 support.
Re: Looking for an IPv6 naysayer...
On Wed, 9 Feb 2011, Owen DeLong wrote:
>>> I don't feel sorry for them. We know that IPv6 is coming for how long? 15years? 10year? 5years? Well if you only read the mainstream media you
>> And at what point during that time did they have any vendor gear they could purchase that -would- support v6? At -best- during the last 5 years, but I'd put money on that even today they can't purchase gear with adequate v6 support.
> This is largely the result of the fact that they did not demand it from their vendors during that time.
I was purchasing for and building small SP networks during that time. Requiring v6 of our vendors would have meant we just never got anything, so we'd have never provided service. Come to think of it, maybe it -would- have been better for everyone involved (except those of us who just got paychecks and experience out of it) to just simply not do it - but we didn't know that at the time 15 years ago! Vendor C and J don't provide gear that fits into all network topologies (WISPs, MTU DSL, and smallish ADSL roll outs come to mind, certainly during the time period in question. Sure, they eventually bought products in those markets...but even still, I had sub 6 figure budgets to build with - I certainly had no leverage).
Re: quietly....
On Thu, 3 Feb 2011, Owen DeLong wrote:
>> Er. That's not news. That's been the state of the art for what, 15+ years or so now? SIP (because it's peer to peer) and P2P are really the only things that actually give a damn about it.
> Largely because we've been living with the tradeoff that we had to break the end-to-end model to temporarily compensate for an address shortage. Those of us that remember life before NAT would prefer not to bring this damage forward into an area of address abundance. In other words, yes, we gave up
Life before NAT, and firewalls (with or without SPI) on every PC and every CPI, also was life before mass consumption of internet access by the normal folks. And before extensive cellular and wifi networks for internet access. And before many of today's (common end user PC) security issues had been discovered.

Firewalls -destroy- the end to end model. You don't get inbound connectivity past the firewall unless a rule is explicitly created. That's no different than NAT requiring specific work to be done. Firewalls are not going away, if anything the continuing expansion of consumer users will create more and more breakage of the open-everything-connects-to-everything model, regardless of what the core engineering teams may want. Hell, even without CPE doing it, many residential ISPs (regardless of NAT) block inbound traffic to consumers.

The end-to-end model ended a long long time ago...maybe it will come back, but I rather doubt it. We'll continue to have users, who run client software, and providers, who run server software. And a mix in between, because the user end can CHOOSE to enable server functionality (with their feet, by choosing a new ISP, at their firewall and or NAT device, and by enabling server software).

NAT doesn't destroy end-to-end. It just makes it slightly more difficult. But no more difficult than turning on a firewall does. It doesn't break anything that isn't trying to announce itself - and imo, applications that want to announce themselves seem like a pretty big security hole.
Re: quietly....
> Everyone doesn't suddenly get owned because there isn't a external firewall. Modern OS's default to secure.
We clearly live and work in different worlds. Not to mention that we are not the average consumers anymore. We were, in the days before NAT (and SPI).
Re: quietly....
On Fri, 4 Feb 2011, Roland Perry wrote:
> But NAT does have the useful (I think) side effect that I don't have to renumber my network when I change upstream providers - whether that's once
But (what I keep being told) you should never have to renumber! Get PI space and insert magic here! sigh
RE: quietly....
On Thu, 3 Feb 2011, Brian Johnson wrote:
>> 1) To allow yourself to change or maintain multiple upstreams without renumbering.
> Not sure what you mean here. So having PI space can't accomplish this?
Using PI space means paying significantly more money per year than using PA space, particularly if you factor in the recommended subnet sizing and that your v6 address space requirements significantly increase over v4+NAT. Remember that we're not talking about ISPs and large enterprises who are used to shelling out artificially inflated $$ per year to use PI space. We're talking about telling folks who were happy using PA space (or who have PI space from before IANA) that they now have to rent addresses if they want to avoid internal renumbering.
>> 6) Because you have allocated a single address to a machine that later on actually represents n different actual network entities, and retrofitting them with their own unique IPv6 subnet presents a problem.
> Huh?
I understood that. I have a customer in my datacenter with 50 servers behind a firewall. (that customer could be an internal team at my enterprise, or a customer at a colo, or even a customer at the end of a telco circuit). I need to renumber. The coordination effort involved in renumbering @ the firewall, vs renumbering the -entirety- of the customer's internal subnets is significant.

One customer side example? Oracle RAC. With v4 and NAT, RAC would never have to know anything. With no NAT, I have to shut down RAC, shut down OCFS2, reconfigure the cluster filesystem (which is a nontrivial task with nontrivial risk), reconfigure RAC (which goes OK, other than that I have to reconfigure potentially a half dozen config files on every server that connects to it), restart ocfs, restart RAC. That's all new work, because I told my customer they cannot use NAT. And I have to do that with -every- customer.

With v4, I just helped the customer configure his firewall to support both the old and new addresses, changed external facing DNS, waited for all traffic to move over, removed the old addresses, and we were done.
Re: quietly....
On Thu, 3 Feb 2011, valdis.kletni...@vt.edu wrote:
> The only reason FTP works through a NAT is because the NAT has already been hacked up to further mangle the data stream to make up for the mangling it does.
Speaking of should-have-died-years-ago. FTP fits that category well. ;)
> I'm told that IPSEC through a NAT can be interesting too... And that's something I'm also told some corporations are interested in.
NAT traversal for ipsec was sorted out more than a few years ago with 3 or 4 different methods in play. I dropped out of that market about the time it came to light, but as an ipsec end user I haven't had NAT problems going back as far as 2006 for sure, possibly further. (the original problem was that only 1 user behind 1 IP could speak ipsec because it uses a specific protocol, not a port, that can only be 1-to-1. I'll leave it as an exercise for the reader to figure out how that was magicked around without requiring the NAT devices to do anything. and ssl doesn't count. :)
Re: And so it ends...
On Thu, 3 Feb 2011, Scott Helms wrote:
> My 2 cents, in the few cases that we've been involved with that dealt with reclaiming space the backbone providers have universally followed what is in
If that legacy block holder were, well, one of the legacy block holders, would you as a backbone provider reject IBM or ATT or HP or Apple, etc?
Re: quietly....
On Thu, 3 Feb 2011, valdis.kletni...@vt.edu wrote:
> Well, it's official - the original end-to-end design principal of the Internet is dead, deceased, and buried. Henceforth, there will be Clients, and there will be Servers, and all nodes will be permanently classified as one or the other, with no changing or intermixing of status allowed.
Er. That's not news. That's been the state of the art for what, 15+ years or so now? SIP (because it's peer to peer) and P2P are really the only things that actually give a damn about it. No one is going to check out their neighbor's website running on their neighbor's computer if the neighbor didn't make an effort to make their computer a server (by assigning DNS, running server software, etc) regardless of NAT etc etc.
Re: quietly....
On Wed, 2 Feb 2011, Jay Ashworth wrote:
> I, personally, have been waiting to hear what happens when network techs discover that they can't carry IP addresses around in their heads anymore. That sounds trivial, perhaps, but I don't think it will be.
Heh. My personal hope, anyway, is that it will motivate certain software engineers (and companies) who decide that DNS isn't worthwhile to support (for x y z or no reason) will never be able to remember the new addressing schemes, and find themselves having to use DNS...and thereby adding support to their code. In which case, bring it on! :)
Re: quietly....
On Wed, 2 Feb 2011, Jimmy Hess wrote:
> SOCKS5 can be used to forward any TCP based protocol, and most UDP protocols,
Because SOCKS didn't break things worse than NAT? Really?
Re: quietly....
On Tue, 1 Feb 2011, Cameron Byrne wrote:
>> Telling people "I'm right, you're wrong" over and over again leads to them going away and ignoring IPv6.
> +1 Somebody should probably get a blog instead of sending, *39 and counting*, emails to this list in one day.
It's a discussion list. We're having a discussion. Admittedly, Owen hasn't presented any solutions to my actual problems, but.. ;)

Owen said: "The solution to number 2 depends again on the circumstance. IPv6 offers a variety of tools for this problem, but, I have yet to see an environment where the other tools can't offer a better solution than NAT."

Which is a complete non-answer. NAT provides a nice solution - even with its problems - for small consumers and large enterprises, who have much higher percentages of devices that need (or even -require-) no inbound connectivity. Why should I (or my IT department) have to renumber the 5,000 desktop PCs in this office (a large percentage of which have static IP addresses due to the failings of dynamic DNS and software that won't support DNS (I'm looking at you, Unity.) just because we've changed providers? Why should we have to renumber devices at my mom's house just because she switched from cable to dsl?
Re: quietly....
On Wed, 2 Feb 2011, Iljitsch van Beijnum wrote:
> No, the point is that DNS resolvers in different places all use the same addresses. So at the cyber cafe 3003::3003 is the cyber cafe DNS but at the airport 3003::3003 is the airport DNS. (Or in both cases, if they don't run a DNS server, one operated by their ISP.)
Because no one has ever had a need to coexist with other DNS servers on the same subnet, right? After all, there should only ever be 1 authoritative source of information, and there's no way we would ever want to have an exception for that.

...david (who manages his own authoritative and recursive DNS servers that are used specifically for our group's purposes that have to coexist with IT-managed servers)
Re: quietly....
On Wed, 2 Feb 2011, Iljitsch van Beijnum wrote:
> IPv6 is what it is. There will be more tinkering but if you think there's enough
and yet it still isn't ready and standardly supported by OSes, routers, switches, software seems to me it's in the same mode it always has been.
> Because IPv4-style DHCP often breaks because the DHCP server points to
Really? Never had that happen if I didn't configure it to happen... (and yes, I've done some pretty deep dhcp setups over the years, particularly for WISP setups)
> the wrong router address and because NAT breaks end-to-end connectivity so severe workaround in applications become necessary. But you knew that.
On the NAT subject, I'll point out a recent change that I wasn't aware of, and a bit of history around it. It might help less people feel the need for NAT.

At least in ARIN territory, if you're multihomed, and you can show in-1-year use of 50% of a (v4) /24, you qualify for a PI v6 /48. Which means that a lot of the shops I've worked for over the years can get PI space where they couldn't before, and one of the heavy uses of NAT (renumbering sanity) disappears. (if you're singlehomed, 50% of /20..)

For the history, v6 was originally pushed as -NO ONE- (who isn't an LIR or RIR) -EVER- gets PI space, you should use insert-magic-of-the-week-here. That's changed. We can now get PI space, and we can use it. So those of you who were thinking of using NAT with v6, how does that affect your plans?
Re: quietly....
On Wed, 2 Feb 2011, Chris Owen wrote:
> On Feb 2, 2011, at 3:09 PM, david raistrick wrote:
>> At least in ARIN territory, if you're multihomed, and you can show in-1-year use of 50% of a (v4) /24, you qualify for a PI v6 /48.
> One of the things I find frustrating about this is the cost of the space. We're a very small shop and to add IPv6 addresses for testing now we're looking at paying another $2,200 a year ($1,700 in the first
Ooof. I didn't get that far - and hadn't realized the waiver was expired. That's a pretty significant barrier to entry. :(
Re: quietly....
On Tue, 1 Feb 2011, Iljitsch van Beijnum wrote:
> What's the point of switching to IPv6 if it repeats all the IPv4 mistakes only with bigger addresses? If you like NAT IPv4 is the place to be, it'll only get more and more.
It's arguments like this that have led to this moment. Instead of discussing how the next generation addressing scheme can support the needs of Internet consumers today and tomorrow we tell people "if you don't like it, use v4". Guess what? We're still using v4.

..david
Re: quietly....
On Tue, 1 Feb 2011, Dave Israel wrote:
> responsibility. If they want to use DHCPv6, or NAT, or Packet over Avian Carrier to achieve that, let them. If using them causes them problems, then they should not use them. It really isn't the community's place to force people not to use tools they find useful because we do not like them.
Not to mention that when you take tools -away- from people that solve an existing problem, you'll get a lot of pushback.
Re: quietly....
On Tue, 1 Feb 2011, Owen DeLong wrote:
> NAT solves exactly one problem. It provides a way to reduce address consumption to work around a shortage of addresses. It does not solve any other problem(s).
Sure it does. It obfuscates internal addressing. This wasn't the original goal, but it's a feature that some groups of users have come to require.
Re: Found: Who is responsible for no more IP addresses
On Thu, 27 Jan 2011, Jay Ashworth wrote:
> Fox didn't screw up, for a change, and Vint's quote appears in many other news sources. Apparently, I'm the only one on Nanog who knows about this new thing called The Google. :-)
Fox (in the linked article) didn't quote Vint. They said useful things like this (source: http://www.foxnews.com/scitech/2011/01/26/internet-run-ip-addresses-happens-anyones-guess/):

"It's the end of the web as we know it."

And this is -not- what the article said before:

"Web developers have compensated for this problem by creating IPv6 -- a system which recognizes 128-bit addresses as opposed to IPv4's 32-bit addresses."

Originally (an hour ago) it read something like "Web developers have compensated for this problem by creating IPv6 -- a system which uses 6 digit addresses instead of 4 digit addresses".

"But IPv6 isn't backwards-compatible with IPv4, meaning that it's not able to read most content that operates on an IPv4 system. At best, the user experience will be clunky and slow. At worst, instead of a webpage, all users will be able to view is a blank page."
Re: Found: Who is responsible for no more IP addresses
here's the original quote (which a friend had pasted to me): "Web developers have tried to compensate for this problem by creating IPv6 -- a system that recognizes six-digit IP addresses rather than four-digit ones."

On Thu, 27 Jan 2011, david raistrick wrote:
> On Thu, 27 Jan 2011, Jay Ashworth wrote:
>> Fox didn't screw up, for a change, and Vint's quote appears in many other news sources. Apparently, I'm the only one on Nanog who knows about this new thing called The Google. :-)
> Fox (in the linked article) didn't quote Vint. They said useful things like this (source: http://www.foxnews.com/scitech/2011/01/26/internet-run-ip-addresses-happens-anyones-guess/):
> "It's the end of the web as we know it."
> And this is -not- what the article said before:
> "Web developers have compensated for this problem by creating IPv6 -- a system which recognizes 128-bit addresses as opposed to IPv4's 32-bit addresses."
> Originally (an hour ago) it read something like "Web developers have compensated for this problem by creating IPv6 -- a system which uses 6 digit addresses instead of 4 digit addresses".
> "But IPv6 isn't backwards-compatible with IPv4, meaning that it's not able to read most content that operates on an IPv4 system. At best, the user experience will be clunky and slow. At worst, instead of a webpage, all users will be able to view is a blank page."
Re: Software DNS hghi availability and load balancer solution [SEC=UNCLASSIFIED]
On Wed, 19 Jan 2011, Wilkinson, Alex wrote:
> freebsd + varnish + carp (http://www.openbsd.org/faq/pf/carp.html)
two of the three won't work @ EC2 (for my purposes, no idea about the original poster - but he did ask about DNS based solutions so I suspect he's in a similar boat)
Re: Software DNS hghi availability and load balancer solution
On Tue, 18 Jan 2011, Jay Reitz wrote:
> gdnsd is very robust and fast and has an interface that a networking engineer won't mind. It comes with a geolocation plugin with health-check failover via HTTP. http://code.google.com/p/gdnsd/
Thanks Jay, that looks like a good option - I like single-focus-software for things like this. ;)
Re: Software DNS hghi availability and load balancer solution
On Tue, 18 Jan 2011, William Herrin wrote:
> Net result is that in some cases a user's long-running browser will indefinitely ignore the change you made to the DNS. I've seen such things persist for months.
Do you have any recent evidence to support this? The what-browsers-do-with-what world changes daily... and my understanding is that a lot of these things that used to be problems have been changed.
> For better or for worse, the way you -reliably- fail over a web server is with routing and middleboxes like a load balancer.
Alas, sometimes that's just not possible - try doing that @ EC2, for example (which is why I've recently been on the hunt for GSLB solutions that don't involve appliances...).
Re: Software DNS hghi availability and load balancer solution
On Tue, 18 Jan 2011, Rhys Rhaven wrote:
> Having hit these issues myself, I heavily recommend a real frontend proxy like nginx or varnish.
A frontend proxy (nginx, varnish, haproxy, or anything else) doesn't give you HA any more than any other loadbalancer solution does. You need a way to send traffic to another frontend server when the primary frontend server fails, or is overloaded, transparently.

The tools we have available these days to do this are VRRP-like solutions (which all of the appliances use) that use multicast, some amount of NAT and routing magic (which I've often not seen done sanely), or DNS solutions (better known as GSLB) that dynamically change the DNS responses depending on conditions (which could be source location, or could be server availability, or whatever).

Normally, VRRP would be the way to go. But these days multicast isn't supported everywhere (major example - Amazon EC2), leaving DNS...
Re: Software DNS hghi availability and load balancer solution
On Tue, 18 Jan 2011, Jack Bates wrote:
> On 1/18/2011 1:42 PM, david raistrick wrote:
>> Normally, VRRP would be the way to go. But these days multicast isn't supported everywhere (major example - Amazon EC2), leaving DNS...
> Many HA environments use both, and F5 is designed to do both, supporting DNS tricks (of which, you could possibly run host based monitoring and dynamic updates to accomplish), anycast routing, and vrrp-like DSR/NAT load balancing.
Agreed. But sometimes you can't do both. ;) Now if F5 would sell me an appliance that runs their GSLB code I could run @ EC2. ;)
Re: Software DNS hghi availability and load balancer solution
On 01/18/2011 09:42 AM, Sergey Voropaev wrote:
> Does anyone know software solutions (free is preferable) like as cisco GSS and F5 BIG-IP? The main point is that DNS-server (or dns server plugin) must be able to monitor server availability (for example by TCP connect) and from DNS-reply depends on it.
On Tue, 18 Jan 2011, Charles N Wyble wrote:
> Ha-proxy and linux virtual server are popular packages.
Neither of these do DNS. He asked about DNS based loadbalancing (also known as GSLB, among other things) software packages
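The DNS-side failover the thread keeps circling back to (the original question's "monitor server availability, for example by TCP connect, and make the DNS reply depend on it", and the GSLB description a couple of posts up: answers that change with server availability) reduces to a small decision function. What follows is an added example written for this page, not code from gdnsd, F5 BIG-IP, Cisco GSS or any other product named in the thread. The zone contents and the 192.0.2.x addresses are constructed sample values, and the probe is injectable so the selection logic can be exercised without a network.

```python
"""Minimal DNS-based failover (GSLB-style) record selection.

Added example, not from the thread or from any product named in it.
It keeps a list of backend A records per name, probes each backend with a
TCP connect, and answers a query with only the backends that passed.
"""
import socket
from typing import Callable, Dict, List, Tuple

Backend = Tuple[str, int]          # (address, health-check port)
Record = Tuple[str, int, str]      # (qname, ttl, address) - an A record


def tcp_probe(addr: str, port: int, timeout: float = 1.0) -> bool:
    """Health check by TCP connect, as the original question suggested."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def healthy_backends(backends: List[Backend],
                     probe: Callable[[str, int], bool] = tcp_probe) -> List[str]:
    """Addresses whose health-check port accepted a connection."""
    return [addr for addr, port in backends if probe(addr, port)]


def answer(qname: str, zone: Dict[str, List[Backend]],
           probe: Callable[[str, int], bool] = tcp_probe,
           ttl: int = 30) -> List[Record]:
    """Build the A records for qname from the currently healthy backends.

    If every backend fails its check, answer with all of them rather than
    an empty set: a resolver caching an empty answer is worse than a
    client that tries a dead host and moves on to the next address.
    """
    backends = zone.get(qname.rstrip(".").lower())
    if backends is None:
        return []                   # name not served here
    live = healthy_backends(backends, probe)
    if not live:
        live = [addr for addr, _ in backends]
    return [(qname, ttl, addr) for addr in live]


# Constructed sample zone: two web frontends, health-checked on port 80.
SAMPLE_ZONE: Dict[str, List[Backend]] = {
    "www.example.com": [("192.0.2.10", 80), ("192.0.2.11", 80)],
}


def demo() -> List[Record]:
    """Simulate backend 192.0.2.10 being down and answer a query for www."""
    down = {"192.0.2.10"}
    fake_probe = lambda addr, port: addr not in down   # constructed outcome
    return answer("www.example.com.", SAMPLE_ZONE, probe=fake_probe)


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

Keep the TTL short so resolvers re-ask often; that bounds how long a stale answer survives in resolver caches, though, as raised elsewhere in this thread, a long-running client or browser may hold on to an address for longer than the TTL says.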
Re: co-location and access to your server
On Wed, 12 Jan 2011, Jeroen van Aart wrote:
> What is considered normal with regards to access to your co-located server(s)? Especially when you're just co-locating one or a few servers.
For less than 1 rack, or specialty racks with lockable sections (1/2 or 1/3 or 1/4 racks with their own doors), I'd consider any physical access to simply be a plus. I wouldn't expect any at all. You're not paying for enough space to justify the costs involved in 24x7 independent access, and the risks to other customers' gear.

When you get a full rack+, or cage+, I'd expect unfettered 24x7 access since your gear should be separated and secured from other folks' gear.

Some specialty providers would be exceptions, of course (ie, I used to colo gear inside tv stations, satellite downlink stations, etc). Telecom colo (switch and network gear in a dedicated but shared space for providers providing service) would be an exception, of course.
Re: Is NAT can provide some kind of protection?
On Wed, 12 Jan 2011, Chris Adams wrote:
> Yes, they do. NAT requires a stateful firewall. Why is that so hard to understand?
Um. No. NAT requires stateful inspection (because NAT needs to maintain a state table), but does not require a stateful firewall. You can (and many CPE appliances do/did) have no firewall, or stateless firewall in front of NAT. All NAT does is give you an implied deny-all-inbound rule, but doesn't, in and of itself, prevent someone probing open (configured by you or the vendor) ports that are forwarded or on the device. Or from having unfettered inside access of 1 internal IP if you NAT all external ports to an internal IP.
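As an added illustration of the state-table point (example code written for this page, not anything from the thread or from any vendor's CPE): the toy NAT below keeps the translation table that NAT needs, applies static port forwards, and optionally a catch-all inside host of the "NAT all external ports to an internal IP" kind. Nothing in it is a firewall rule. An unsolicited packet is dropped only because no table entry or static rule says where to deliver it, and a forwarded port or catch-all host is reached as-is. All addresses (documentation ranges) and ports are constructed sample values.

```python
"""Toy NAT (port-translating) model: a translation table, not a firewall.

Added example, not from the thread. Addresses and ports are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Nat:
    public_ip: str
    # static rules: external port -> (inside ip, inside port)
    port_forwards: Dict[int, Tuple[str, int]] = field(default_factory=dict)
    # catch-all inside host for every external port with no other match
    dmz_host: Optional[str] = None
    # dynamic state: public port -> (inside ip, inside sport, proto)
    table: Dict[int, Tuple[str, int, str]] = field(default_factory=dict)
    next_port: int = 40000

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> outside: create or reuse the flow's translation entry."""
        key = (pkt.src, pkt.sport, pkt.proto)
        pub_port = next((p for p, e in self.table.items() if e == key), None)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
        return Packet(self.public_ip, pub_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: the translated packet, or None if there is
        nowhere to send it."""
        if pkt.dst != self.public_ip:
            return None
        # 1. Dynamic state from an earlier outbound flow. Note the entry is
        #    keyed only by public port: any remote host can hit it, because a
        #    table lookup is not a policy decision about who may connect.
        entry = self.table.get(pkt.dport)
        if entry and entry[2] == pkt.proto:
            ip, port, _ = entry
            return Packet(pkt.src, pkt.sport, ip, port, pkt.proto)
        # 2. Static port forward configured by the user or vendor.
        if pkt.dport in self.port_forwards:
            ip, port = self.port_forwards[pkt.dport]
            return Packet(pkt.src, pkt.sport, ip, port, pkt.proto)
        # 3. Catch-all inside host: every remaining port is exposed.
        if self.dmz_host:
            return Packet(pkt.src, pkt.sport, self.dmz_host, pkt.dport, pkt.proto)
        # 4. No state, no rule: the "implied deny-all-inbound" is simply the
        #    absence of a translation, not a filter.
        return None


def demo() -> Tuple[Packet, Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Walk one outbound flow, its reply, an unsolicited probe, and a probe
    to a forwarded port. Returns the four resulting packets."""
    nat = Nat("198.51.100.1", port_forwards={8080: ("10.0.0.20", 80)})
    out = nat.outbound(Packet("10.0.0.5", 51000, "203.0.113.9", 443))
    reply = nat.inbound(Packet("203.0.113.9", 443, "198.51.100.1", out.sport))
    probe = nat.inbound(Packet("203.0.113.77", 6000, "198.51.100.1", 22))
    fwd = nat.inbound(Packet("203.0.113.77", 6000, "198.51.100.1", 8080))
    return out, reply, probe, fwd


if __name__ == "__main__":
    for label, pkt in zip(("out", "reply", "probe", "forwarded"), demo()):
        print(label, pkt)
```

The security-relevant reading: the "deny" in case 4 is an accident of missing state, not a policy, so anything you forward (or every port, with a catch-all host) needs the same explicit filtering you would apply with no NAT in the path at all.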
Re: co-location and access to your server
On Wed, 12 Jan 2011, Jeroen van Aart wrote:
> I guess knowing who entered the building by means of a keycard and having cameras isn't considered enough to deter potential evil doers. I know it's not enough for places like equinix, but that's of a different caliber.
Paying for 1u of colo justifies a keycard for you, cameras and keycard hardware for the facility? you're paying what, 50-100$ a month, maybe less? you realize that low prices come at the cost of reduced services?
Re: Clearwire/Clear for branch office connectivity?
On Wed, 5 Jan 2011, tico wrote:
> Is anyone using Clearwire/Clear's wireless broadband offering for
Me too! I'd love to hear from anyone that's used it extensively. I haven't in a few years (I worked for someone who thought of themselves as a clearwire competitor), but we replaced a bunch of them that customers had, we installed a few of them with our own stickers on them, and we always kept one in the truck for those times we couldn't hit our own networks but we could hit theirs... the gear was generally solid - as long as you could get a good signal. inside datacenters, basements, and telco huts, though, were not places that good signal was often available
RE: potential new and different architectural approach to solve theComcast - L3 dispute
On Fri, 17 Dec 2010, George Bonser wrote:
> What if instead of the end users paying for Internet service, the content providers did. Sort of like broadcast TV where the broadcasters
Um. I'm a content provider. I pay a -lot- for internet service already. That's how my bits and bytes arrive in the tubes for those end users to receive...
RE: Facebook issue
We detected it about 3:40 eastern, and they just announced it on the status page: "We are currently investigating sitewide issues that will affect Facebook Platform. We apologize for any inconvenience and will post here with updates."

this should maybe be moved to outages@ though (depending on who you ask, of course)
Re: Pointer for documentation on actually delivering IPv6
On Mon, 6 Dec 2010, Owen DeLong wrote:
> Seriously, though, you're welcome to use fd00::/8 for exactly that purpose. The problem is that you (and hopefully it stays this way) won't have much luck finding a vendor that will provide the NAT for you to do it with.
[with my flame-retardant hat installed firmly] So what's the IPV6 solution for PCI compliance, where 1.3.8 requires the use of RFC1918 space? Admittedly, it's been a year or two since I last had to engineer around that particular set of rules...but it's life or death for a lot of folks.
Re: The scale of streaming video on the Internet.
On Thu, 2 Dec 2010, Jack Bates wrote:
> Watch the game live multicast. Missed the game? Watch it on demand. As things progress, we'll probably see more edge content delivery systems (like Akamai)
Have you ever actually been involved with really large scale multicast implementations? I take it that's a no. The -only- way that would work internet wide, and it defeats the purpose, is if your client side created a tunnel back to your multicast source network. Which would mean you're carrying your multicast data over anycast. If you, the multicast broadcaster, don't have extensive control of the -entire- end to end IP network, it will be significantly broken significant amounts of the time.

...david (former member of a team of engineers who built and maintained a 220,000 seat multicast video network)
Re: Facebook down!! Alert!
On Wed, 6 Oct 2010, Bret Clark wrote:
> I have to agree on this as well. I can understand when a service provider is
you've forgotten that facebook (and indeed twitter too) are service providers that provide business-critical services. just because you don't want to play facebook games doesn't make a facebook outage any less operationally relevant than, say, an akamai or limelight outage.
Re: Facebook down!! Alert!
On Wed, 6 Oct 2010, Greg Whynott wrote:
>> just because you don't want to play facebook games doesn't make a facebook outage any less operationally relevant than, say, an akamai or limelight outage.
> IMO which may be way off base, when akamai goes off the air, people lose potential sales/revenue. when facebook goes off the air, a greater number of companies become more efficient than those who suffer productivity loss.
so the majority defines operational now, huh? wow. nice to know that network service providers outnumber other companies these days... (of course, those service providers also make their money from facebook consumers)
Re: Facebook down!! Alert!
On Wed, 6 Oct 2010, Matt Baldwin wrote:
> I would imagine more businesses benefit from a FB outage in terms of a tick up in productivity versus businesses harmed by a FB outage, e.g.
Perhaps, then, we should instead be discussing the business benefits of blocking facebook so companies can regain productivity?
Re: Facebook down!! Alert!
On Wed, 6 Oct 2010, Andrew Kirch wrote:

> No, the majority does not define what operational means. Facebook is not a mission critical internet resource (such as a fiber cut, power

not a mission critical internet resource -to you-
Re: Facebook down!! Alert!
On Wed, 6 Oct 2010, david raistrick wrote:

> On Wed, 6 Oct 2010, Andrew Kirch wrote:
>
>> No, the majority does not define what operational means. Facebook is not a mission critical internet resource (such as a fiber cut, power
>
> not a mission critical internet resource -to you-

to be clear, I could give a damn about if we talk about this on nanog or not. (and I agree that outages is the right place to announce outages, and outage-discuss to discuss them).

my point is that facebook has moved beyond being a pure content provider, and (much like, say, google) provides both content AND service. I have dependencies on facebook's services (as do many many others who perhaps don't yet hire folks who even know what nanog is but someday will). without them, my teams can't work and my employer loses significant figures of revenue per day.

so facebook is very much operationally relevant for my network, and these mixed content/service providers will be more and more relevant as time goes on, and we as a community should figure out how to deal with their transition from pure content to perhaps some day pure service.
Re: Facebook Issues/Outage in Southeast?
Want to see something funnier: http://downrightnow.com/

Exactly the same as what you're seeing for facebook. Working icmp, broken http.

downforeveryoneorjustme.com is/was returning intermittent 500 errors, too.

fun day.

..d (twiddling his thumbs waiting to test newly built servers that require facebook)
Re: virtual switches
On Mon, 19 Jul 2010, Truman Boyes wrote:

>> Cisco has VSS (on 6500 class) and H3C has IRF; allowing you to virtualize 2 or more physical switches/routers in an active/active configuration
>
> Juniper also has Virtual Chassis support on the EX-series. The MX also supports active/active multi chassis-LAG. It works as you would expect,

I seem to recall that both of these implementations suffer from some significant limitations around how/what you can do with them, as well as HA options...though that's all I can remember from digging into it (enough to realize it wouldn't work for us) last year.

OTOH, Raptor's virtual chassis magic (while it has its own issues...) didn't have these problems. :)
Re: 100% want IPv6 - Was: New Linksys CPE, IPv6 ?
On Wed, 31 Mar 2010, Joel Jaeggli wrote:

> On 03/31/2010 08:52 PM, Patrick Giagnocavo wrote:
>
>> We have just (anecdotally, empirically) established earlier in this thread, that anything smaller than a mid-sized business, can't even *GET* IPv6 easily (at least in the USA); much less care about it.
>
> fwiw, the last time I was at a company that needed a prefix, we wrote up an addressing plan, applied, received an assignment, paid our money and were done. if a pool of public addresses are a resource you need to

But were you able to get transit that let you use the address space? I'm sure it's getting better, but as recently as 2 years ago it was near impossible to get for most areas (and most providers, and most colo facilities).
Re: YouTube AS36561 began announcing 1.0.0.0/8
On Fri, 12 Mar 2010, Joe Greco wrote:

> If 1.0.0.0/8 has been widely used as de-facto rfc1918 for many years, perhaps it is time to update rfc1918 to reflect this?

I seem to recall that the WIANA project decided to use 1.0.0.0/8 for the internal network within their meshAP project... http://www.wiana.org/faq.php

random data point from memory.
Re: FreeAxez raised flooring?
On Fri, 5 Mar 2010, Dorn Hetzel wrote:

> What is the purpose of raised flooring if it *doesn't* create a plenum?

...cabling? (though I think working under a floor to route cables vs overhead ladder is a pain..but mixing cabling AND air underfloor is much worse)

> On Fri, Mar 5, 2010 at 10:39 AM, Jason Gurtz jasongu...@npumail.com wrote:
>
>> How would cooling be done in this scenario? Open air (with intake/exhaust mixing) seems like a step backwards in terms of efficiency.

The usual methods of overhead (or possibly underfloor if you have enough height) distribution: Ductwork. :)

Feed cold air into your cold aisle, and depending on your density and ceiling height use a general hot air return that pulls from the top of the ceiling (likely the same way you're used to seeing it done for most raised floor installs) OR drop additional hot air returns right over your hot aisles. Further hot/cold separation is entirely possible, too, to support higher densities...

Personally I'm not a fan of using raised floor for a cold air plenum for reasons I'm not inclined to go into right now. :)
Re: Level 3 - legacy Wiltel/Looking Glass bandwidth
On Wed, 1 Jul 2009, Scott Howard wrote:

> We're looking at getting connectivity via Level 3 in a particular datacenter, but we're being told that it's legacy Wiltel/Looking Glass rather than true Level 3. Given that both of these acquisitions occurred years ago should I be worried, or is this legacy connectivity the same as L3 at any other datacenter?

As recently as a year ago, I had circuit issues in a L3 gateway facility (-not- an acquisition facility). It took 8 hours, and a VP level escalation to get resolved. The excuse that -every- tech save the last one gave? "we don't have access to some of the legacy [wiltel] equipment in the path, we can't diagnose further"

YMMV, etc etc etc. But full integration may still be far from complete...

[full disclosure: L3's purchase of Wiltel, then Telcove and Progress, destroyed my formerly reasonable opinion of L3 as they suddenly became the monopoly player in my town and were completely unable to deliver or maintain anything. later issues in L3's own Gateway facilities further enforced my low opinion of them]
Re: Why choose 120 volts?
On Tue, 26 May 2009, Joe Greco wrote:

>> http://www.cdw.com/shop/products/default.aspx?edc=1036852
>
> Great, you're the latest person to invent a way to present a 5-15R that offers something besides 120VAC. This is neither new nor novel, but it *is* dangerous and risky, and in no way solves the problem.

No, this does NOT present 208v at a 5-15R. Don't believe me, buy one and put a voltmeter across it.

I'll leave the FUD to others.
Re: Why choose 120 volts?
On Wed, 27 May 2009, Seth Mattinen wrote:

> Here's the L-G voltage off the 208v taps from an isolation transformer in a system with no neutral: http://ninjamonkey.us/not_120_volts.jpg Not 120, but 90 give or take.

90 is at the low end of the acceptable range for common household 110/120v service. Depending on how the phases are balanced in your facility, you may see that fluctuate up or down, of course.

If you measure hot to hot on the same PDU, do you get anywhere close to 208? I'm going to suspect either you're fairly out of balance, or you've got a good bit of voltage drop by the time it arrives

But since the consensus from those who haven't used this is that the device will present 208/240 at the 5-15 plug, I withdraw my suggestion and leave you to your own methods. (for the rest, test it yourself)

I also won't argue using ground for neutral, that's like arguing bonded vs unbonded panels.
Re: Why choose 120 volts?
On Wed, 27 May 2009, Joe Greco wrote:

> ... and move right on to outright misstatements?

No, statements based on personal experience. I -fully- expected to get 208v out of them, but in testing didn't. Perhaps the ten I ordered were unique. Or perhaps I don't know how to operate a VOM, or perhaps I'm full of sh!t.

I didn't expect this to generate such an uproar...but I forgot this is nanog. ;-)

.d
Re: Why choose 120 volts?
On Tue, 26 May 2009, Joe Greco wrote:

>> Once upon a time, Joe Greco jgr...@ns.sol.net said:
>>
>>> And I don't like not having anywhere to plug in my power screwdriver's recharger... I suppose I should see if I can find someplace that has
>>
>> Yes, but this doesn't imply that you have access to those other phases.
>
> It is easy enough to be delivered 208V single phase service in a data center environment.

Uh. 208v single phase is functionally the same as 240v single phase. You grab 1 hot, neutral off the ground, and you have a common 110v circuit. Even if you're 3 phase to your PDU, it's still single phase to the servers. (specialty gear excluded, but those generally plug direct to the circuit, not to a PDU).

This makes it very very easy to solve this problem, and I keep a few of these floating around at all of my datacenters, with big labels saying who they belong to. (ignoring the fact that for drill charging at least there's usually house power available, but crash carts need these...)

C14 (M) to 5-15 (F) adaptor cable: http://www.cdw.com/shop/products/default.aspx?edc=1036852

I also use them to run wall warts, etc, as needed.
Re: Network SLA
On Thu, 19 Feb 2009, Saqib Ilyas wrote:

> I am curious to know about any tools/techniques that a service provider uses to assess an SLA before signing it. That is to say, how does an administrator know if he/she can meet what he is promising.

IME, the administrators don't have anything to do with what is signed. The company chooses what SLAs to sign with customers (typically whatever the customer requests, possibly with various levels of pricing for different agreements), but the operational staff are not involved.

If you're lucky, you have this information before you build and can -try- to build to suit. But most times, the SLAs are signed after you've built, and everyone just crosses their fingers. IME.

..david
Re: What to do when your ISP off-shores tech support
On Sat, 27 Dec 2008, JF Mezei wrote:

> The problem with outsourced first level support is that they are totally disconnected from real time operations and wouldn't be aware of problems that network engineers are currently working on.

Not always true. Our outsourced support in India were also our first layer of network troubleshooting, and they monitored everything related to the products they supported. They were almost always the first to call the engineers (in .us and .ca) to alert them of issues.

It's all about /what/ you hire them to do.

...david
RE: Sprint v. Cogent, some clarity facts
On Wed, 5 Nov 2008, Church, Charles wrote:

> I didn't really care about this, but now I'm curious. Since their peering was a 'trial', I'm assuming it hasn't always been there. Prior to Sprint and Cogent peering directly with each other, how did they communicate? Why was that functionality broken after they started peering?

They purchased transit (through NTT I believe) for connectivity to sprint. They removed that, because their goal has been to be transit-free.
Re: Level 3 TPA routing today?
On Tue, 26 Aug 2008, David Hubbard wrote:

> Anyone seeing issues with Level 3 between anywhere and Tampa, particularly Atlanta and Dallas? We've

Internap just reported problems with L3 out of Miami:

> we are seeing latency, minor packet loss and path problems to a number of destinations and other PNAPs via our Level3 (AS3356) upstream connection in the MIA003 PNAP.
Re: [NANOG] Multihoming for small frys?
On Tue, 20 May 2008, Tony Varriale wrote:

> AFAIK, ARIN doesn't give out /22s anymore. It's a recent change in the past couple of years.

Still current:

> However, for multi-homed organizations, the minimum allocation size is a /22

http://www.arin.net/registration/guidelines/ipv4_initial_alloc.html

Now, if you're not multihomed you still have the /20 as the longest prefix.
Re: [NANOG] Multihoming for small frys?
On Tue, 20 May 2008, William Herrin wrote:

> The last I heard, the way to make this happen was: Find a service provider with IP blocks available in ARIN's set of /8's that permit

that part isn't required. Generally any /24 will do in my experience except for specific cases.

Other than that, you've got it about right.

___
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog
Re: rack power question
On Sat, 22 Mar 2008, Joe Greco wrote:

> Charging substantially less for rack space, even offset by higher costs for power, would encourage a lot of colo customers to spread the load around and not feel as obligated to maximize the use of space. That would in turn reduce the tendency for there to be excessive numbers of hot spots. I wonder if we're to the point yet where we should just charge for power and give the space away free

When I'm shopping for colo that's pretty much the way I look at it. Power determines space. I need 80,000W of power at the breaker, so I need 800sqftx15$ in facility A, and [EMAIL PROTECTED] in facility B. I can fit my 8 racks into either the 320sqft or into the 800. If I'm doing the 800, I'll probably spend a bit more up front and use 12 or 14 racks, to keep my density down. A bit more cost up front, but in the grand scheme of things 4 or 6 extra racks ($6 to 10,000$) don't directly hurt too much.

(80kW worth of power usually means you've got well north of $2M worth of hardware and software being stuffed into the space in my experience..but maybe that's because we're an Oracle shop. ;)

Of course, I suppose for those customers still doing super-low-density boxes (webhosting with lots and lots of desktops), I suppose that model wouldn't work as well.

ramble.

.d