Re: Companies using public IP space owned by others for internal routing

2017-12-17 Thread james machado
I had a vendor at $dayjob prior to my arrival who assigned all their
customers IP space based on the customer number. When I got there, the whole
internal network was assigned space from a company in the Middle East.
$dayjob didn't have the in-house knowledge to know what was going on, and as
they never worried about the Middle East it didn't affect their business.

On Sun, Dec 17, 2017 at 3:25 PM, Jens Link  wrote:

> Matt Hoppes  writes:
>
> > Had a previous employee or I discovered it on the network segment after
> > we had some weird routing issues and had to get that cleaned up. I don't
> > know why anyone would do that when there is tons of private IP space.
>
> Excuse 1: "We'll never connect to the internet!"
>
> Excuse 2: "It's only temporary!"
>
> Excuse 3: Typo (At some customer's customer I found a 192.!168 address which
>   was apparently a typo but in use for years, so nobody wanted
>   to change it.) I also know one company who is using (has
>   used?) 2001:8db::/48. I suggested to get v6 PI and properly
>   implement IPv6 but never heard from them again.
>
> Excuse 4: "We used the addresses from our training material." - I heard
>   this story some time ago: A large German government agency
>   wanted to implement IP(v4) and the people attended a course
>   about this new TCP/IP stuff at $Vendor. The training material
>   was prepared by a student who was using his university's /16 as
>   an example.
>
> BTW: Is the Cisco WLC 1.1.1.1 as default address for DHCP?
>
> Jens
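The audit that would have caught both situations in this thread (a vendor handing out somebody else's public space, and a "192.!168" style typo that parses as nothing at all) is a quick classification of every internal prefix. The following is an added example, not code from anyone on the thread: it checks each configured prefix against RFC 1918 and RFC 4193 space, flags reserved ranges that look private but are not (documentation, CGNAT, link-local), and reports anything else as public space that somebody else may legitimately be routing. The inventory list is constructed; `172.32.0.0/16` is there because it sits just outside `172.16.0.0/12` and is a common near-miss.

```python
import ipaddress

# Space you may use internally without owning it (RFC 1918, RFC 4193 ULA).
PRIVATE = [ipaddress.ip_network(p) for p in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

# Ranges that look "internal" but are reserved for another purpose.
RESERVED = {
    "loopback": ("127.0.0.0/8", "::1/128"),
    "link-local": ("169.254.0.0/16", "fe80::/10"),
    "shared/CGNAT (RFC 6598)": ("100.64.0.0/10",),
    "documentation": ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24",
                      "2001:db8::/32"),
}
RESERVED_NETS = [(name, ipaddress.ip_network(p))
                 for name, ps in RESERVED.items() for p in ps]


def classify_prefix(prefix):
    """Return (verdict, network). Verdict is one of
    'private', 'reserved: <why>', 'public' or 'invalid: <reason>'."""
    try:
        net = ipaddress.ip_network(prefix, strict=False)
    except ValueError as err:          # e.g. the "192.!168" typo from the thread
        return f"invalid: {err}", None
    if any(net.subnet_of(p) for p in PRIVATE if p.version == net.version):
        return "private", net
    for name, reserved in RESERVED_NETS:
        if reserved.version == net.version and net.subnet_of(reserved):
            return f"reserved: {name}", net
    return "public", net


def audit_internal_prefixes(prefixes):
    """Map each configured internal prefix to its verdict. Anything 'public'
    is address space that may belong to, and be routed by, someone else."""
    return {p: classify_prefix(p)[0] for p in prefixes}


if __name__ == "__main__":
    # Constructed inventory, including the two cases mentioned in the thread.
    inventory = ["10.1.0.0/16", "192.168.10.0/24", "192.!168.1.0/24",
                 "172.32.0.0/16", "2001:8db::/48", "fd12:3456:789a::/48",
                 "2001:db8:1::/48"]
    for prefix, verdict in audit_internal_prefixes(inventory).items():
        print(f"{prefix:22s} {verdict}")
```

Run it against the prefix list pulled from your IPAM or router configs; a "public" verdict on an internal prefix is exactly the situation the original poster walked into, and it will bite the first time the real owner's traffic matters to you.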


Re: Issues with 4-octet BGP AS and Akamai?

2017-11-14 Thread james machado
Greg,

I don't see a routing database object for your routes pointing to your
AS394666 /24s; I only see one for AS12 for the /23 and /24s. It is
possible (and probable) you are being filtered due to that.

james

route: 216.165.124.0/23
descr: NEW YORK UNIVERSITY (added by MAINT-AS6517)
origin: AS12
remarks: This route object was registered by
Global Cloud Xchange MAINT-AS6517
on behalf of their customer:
NEW YORK UNIVERSITY
notify: supp...@relianceglobalcom.com
mnt-by: MAINT-AS6517
changed: supp...@globalcloudxchange.com 20160506 #00:49:14Z
source: RADB

(125-127)
route: 216.165.127.0/24
descr: New York University Medical Center (maintained by NYU NOC)
origin: AS12
mnt-by: MAINT-AS12
changed: n...@nyu.edu 20121121 #16:23:31Z
source: RADB
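The check James did by hand above (is there a route object for the exact prefix, and does its origin match the AS that is announcing it?) is easy to script. The following is an added example, not code from the thread: it parses RPSL route objects into a prefix-to-origin map and grades each planned announcement. The sample objects are the two RADB entries quoted in this post, the planned announcements use the prefixes and AS394666 from the thread, and the function names are my own.

```python
import ipaddress

# Constructed sample: the two RADB route objects quoted in the post above.
SAMPLE_RPSL = """\
route: 216.165.124.0/23
descr: NEW YORK UNIVERSITY (added by MAINT-AS6517)
origin: AS12
mnt-by: MAINT-AS6517
source: RADB

route: 216.165.127.0/24
descr: New York University Medical Center (maintained by NYU NOC)
origin: AS12
mnt-by: MAINT-AS12
source: RADB
"""


def parse_route_objects(text):
    """Parse RPSL text into one {attribute: value} dict per object.
    Objects are separated by blank lines; a repeated attribute keeps the last
    value, which is all a route/origin lookup needs."""
    objects, current = [], {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            if current:
                objects.append(current)
                current = {}
            continue
        if ":" not in line:
            continue                       # tolerate continuation/garbage lines
        key, _, value = line.partition(":")
        current[key.strip().lower()] = value.strip()
    if current:
        objects.append(current)
    return [o for o in objects if "route" in o and "origin" in o]


def check_announcements(route_objects, announcements):
    """Grade each planned (prefix, origin) announcement:
      'ok'            exact route object exists with this origin
      'wrong-origin'  exact route object exists but names another AS
      'covered-only'  only a less-specific object exists (still likely filtered)
      'missing'       nothing registered at all"""
    exact = {}
    for obj in route_objects:
        net = ipaddress.ip_network(obj["route"], strict=False)
        exact.setdefault(net, set()).add(obj["origin"].upper())
    results = {}
    for prefix, origin in announcements:
        net = ipaddress.ip_network(prefix, strict=False)
        key = (prefix, origin.upper())
        if net in exact:
            results[key] = "ok" if origin.upper() in exact[net] else "wrong-origin"
        elif any(net.subnet_of(o) for o in exact if o.version == net.version):
            results[key] = "covered-only"
        else:
            results[key] = "missing"
    return results


if __name__ == "__main__":
    objs = parse_route_objects(SAMPLE_RPSL)
    planned = [("216.165.127.0/24", "AS394666"),
               ("216.165.124.0/24", "AS394666"),
               ("216.165.125.0/24", "AS12")]
    for (prefix, origin), status in check_announcements(objs, planned).items():
        print(f"{prefix:20s} {origin:10s} {status}")
```

Against live data you would feed it the output of `whois -h whois.radb.net` for your prefixes; a "wrong-origin" or "missing" result is the thing that gets a /24 dropped by anyone building filters from the IRR. Route objects are only half of it today, since many networks also validate against RPKI ROAs, which this script does not look at.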


Re: Issues with 4-octet BGP AS and Akamai?

2017-11-14 Thread james machado
Greg,

I have a 4-byte ASN and have not had any issues with reachability,
including the two websites you have linked.

James


Re: Internet access for security consultants - pen tests, attack traffic, bulk e-mail, etc.

2017-09-11 Thread james machado
On Mon, Sep 11, 2017 at 3:40 PM, Sean Pedersen 
wrote:

> We were recently approached by a company that does security consulting.
> Some
> of the functions they perform include discovery scans, penetration testing,
> bulk e-mail generation (phishing, malware, etc.), hosting fake botnets -
> basically, they'd be generating a lot of bad network traffic. Targeted at
> specific clients/customers, but still bad. As an ISP, this is new territory
> for us and there are some concerns about potential impact, abuse reports,
> reputation, authorization to perform such tests, etc.
>
> Does anyone have experience in this area that would be willing to offer
> advice?

From a customer point of view:

We have written agreements with our vendors on who they can and cannot
send this traffic from, where exactly it is coming from and what type of
traffic it will be. One reason our vendor does this is to not get on
blackhole/spam lists or cause their ISP issues, as well as having proof that
they are allowed to send specific traffic to specific addresses for a
specific time period. The test managers then know what to expect and can
head off abuse notifications after detection of the specific traffic. We
also use this traffic to test other vendors we might have, and only after
detection will we have whitelists or blacklists put in place as warranted.

I would expect the company in question to be able to provide documentation
that could track any specific traffic back to an engagement that has the
approval of their customer. If they have been around for a bit they should
have a track record and may have current IP space that could be vetted to
see what condition it is in. Are they leaving it or adding to it? If
they are leaving their current space then find out why.

James
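The agreement James describes (who may send, from where, to what, what kind of traffic, and for how long) is useful to the ISP's abuse desk only if it is machine-checkable. The following is an added example, not something from the thread: an engagement record in that shape and a triage routine that decides, for each abuse report, whether some signed engagement covers the source, destination, traffic kind and timestamp all at once. The engagement record, prefixes, dates and report lines are all constructed (documentation address space), and the field names are my own.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample engagement: the written agreement the post describes.
# Customer, prefixes and dates are hypothetical (documentation ranges).
ENGAGEMENTS = [
    {
        "id": "ENG-2017-09-A",
        "customer": "Example Corp",
        "sources": ["198.51.100.0/28"],                    # tester's scan hosts
        "targets": ["203.0.113.0/24", "2001:db8:100::/48"],  # customer's scope
        "kinds": {"scan", "web-exploit", "phish"},
        "start": "2017-09-11T00:00:00Z",
        "end": "2017-09-15T23:59:59Z",
    },
]


def _parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    nets = (ipaddress.ip_network(p) for p in prefixes)
    return any(ip in n for n in nets if n.version == ip.version)


def authorizing_engagement(src, dst, kind, when, engagements=ENGAGEMENTS):
    """Return the id of the engagement that authorizes this traffic, or None.
    All four conditions must hold at once: source in the agreed source list,
    destination in the agreed target list, kind in scope, timestamp in window."""
    when = _parse_ts(when) if isinstance(when, str) else when
    for eng in engagements:
        if (_in_any(src, eng["sources"]) and _in_any(dst, eng["targets"])
                and kind in eng["kinds"]
                and _parse_ts(eng["start"]) <= when <= _parse_ts(eng["end"])):
            return eng["id"]
    return None


def triage_abuse_reports(reports, engagements=ENGAGEMENTS):
    """Split abuse reports (src, dst, kind, time) into those covered by a signed
    engagement and those that need a real abuse-desk response."""
    covered, uncovered = [], []
    for rep in reports:
        eng = authorizing_engagement(*rep, engagements=engagements)
        (covered if eng else uncovered).append((rep, eng))
    return covered, uncovered


if __name__ == "__main__":
    # Constructed abuse reports as (source, destination, kind, UTC time).
    reports = [
        ("198.51.100.5", "203.0.113.20", "scan", "2017-09-12T10:00:00Z"),
        ("198.51.100.5", "203.0.113.20", "scan", "2017-09-20T10:00:00Z"),  # late
        ("198.51.100.5", "192.0.2.7", "scan", "2017-09-12T10:00:00Z"),     # off-scope
        ("198.51.100.99", "203.0.113.20", "scan", "2017-09-12T10:00:00Z"), # wrong src
        ("198.51.100.5", "203.0.113.20", "ddos", "2017-09-12T10:00:00Z"),  # wrong kind
    ]
    covered, uncovered = triage_abuse_reports(reports)
    for rep, eng in covered:
        print("covered by", eng, rep)
    for rep, _ in uncovered:
        print("NOT covered", rep)
```

The point of requiring every condition at once is that a tester who drifts off scope, off schedule or onto a new source address is treated exactly like an attacker until the agreement is amended, which is also what the customer's own detection team wants to see.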


Re: Domain renewals

2016-09-21 Thread james machado
So who would you quantify as secure and reliable? Who does not require
additional "services" besides registration or spend all their time trying
to upsell you?

james

On Wed, Sep 21, 2016 at 10:18 AM, Jim Mercer  wrote:

>
> cheap, secure, reliable
>
> pick two.
>
> --jim
>
> On Mon, Sep 19, 2016 at 12:19 PM, Jeff Jones 
> wrote:
> > Sorry if this is low level. But are people sick of registrars jacking up
> > prices? Who is the cheapest and most reliable? I have been using
> whois.com,
> > networksolutions.com and am looking for input on who is cheap, secure,
> > reliable registrar. Thanks for your input.
>


Re: IPv6 Deployment for Mobile Subscribers

2016-07-22 Thread james machado
Ricardo,

I know from previous discussions on this list that Android phones are
looking for DHCPD leases and not /128s or /64s. From what I remember
this is due to the current requirement for multiple IPv6 subnets for
various applications (VPNs among others) to function correctly. As a
result Google has disabled Android from receiving a DHCP lease as it wasn't
long enough.

If you look back about 6 months there are probably 100+ posts on the subject.

All I really know is that I cannot provide an IPv6 DHCP lease to an
Android phone and have it receive the address.


james

On Fri, Jul 22, 2016 at 1:54 AM, Ricardo Ferreira <
ricardofbferre...@gmail.com> wrote:

> Is there anyone here working in an ISP where IPv6 is deployed?
> We are starting to plan the roll-out of IPv6 to mobile subscribers (phones). I
> am interested in knowing the mask you use for the assignment; whether it
> is /64 or /128.
>
> In RFC 3177, it says:
> 3. Address Delegation Recommendations
>
>The IESG and the IAB recommend the allocations for the boundary
>between the public and the private topology to follow those general
>rules:
>
>   -  /48 in the general case, except for very large subscribers.
>   -  /64 when it is known that one and only one subnet is needed by
>  design.
>   -  /128 when it is absolutely known that one and only one device
>  is connecting.
>
> Basically a sole device will be connecting to the internet so I am
> wondering if this rule is followed.
>
> Cheers
>
> --
> Ricardo Ferreira
>


Re: Netflix banning HE tunnels

2016-06-08 Thread james machado
Fusion just did a story on this:
http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/



On Wed, Jun 8, 2016 at 3:10 PM, Spencer Ryan  wrote:

> The center of the US is maxmind's unknown location. Fill out the form and
> they'll correct it.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Wed, Jun 8, 2016 at 6:09 PM, Ricky Beam  wrote:
>
> > On Wed, 08 Jun 2016 17:24:48 -0400, Matthew Huff  wrote:
> >
> > What does https://www.maxmind.com/en/geoip-demo show for your IPv6
> >> prefix? If it is incorrect, try
> >> https://support.maxmind.com/geoip-data-correction-request/
> >>
> >>
> > HAH. Funny... 39.76,-98.5 for every HE address I enter. And it's not like
> > they haven't been registered for years. (that's the center of the US,
> btw.)
> >
>


TeamNANOG youtube video seeding

2016-05-10 Thread james machado
First, I am thrilled to see older NANOG meetings making it to YouTube.

Having said that, can the people putting up the files put the NANOG
meeting number in the title of the videos to make it easier to search
and determine relevance?

Thanks,
james


Re: Cogent BGP Woes

2015-10-15 Thread james machado
Justin,

What are you trying to do?  I had a similar situation as my rep got
the wrong product for BGP.  I actually cleaned it up by talking to
support and I had to fill out a second BGP questionnaire but it was
resolved and turned up in a couple of days.

James

On Thu, Oct 15, 2015 at 11:38 AM, Justin Wilson - MTIN  wrote:
> Have the rest of you been having as hard a time as I am having in turning up BGP 
> sessions with Cogent? They have made it a sales order nowadays instead of 
> support. I filled out the questionnaire on the support site over 3 weeks ago 
> and was directed to sales.  I am going on 3 weeks waiting on a session to be 
> turned up.
>
> Just wondering if I am alone.
>
>
> Justin Wilson
> j...@mtin.net
>
> ---
> http://www.mtin.net Owner/CEO
> xISP Solutions- Consulting – Data Centers - Bandwidth
>
> http://www.midwest-ix.com  COO/Chairman
> Internet Exchange - Peering - Distributed Fabric
>


Re: Branch Location Over The Internet

2015-08-11 Thread james machado
On Aug 11, 2015 11:22 AM, Colton Conor colton.co...@gmail.com wrote:

 We have an enterprise that has a headquarter office with redundant fiber
 connections, its own ASN, its own /22 IP block from ARIN, and a couple of
 gigabit internet connections from multiple providers. The office is taking
 full BGP routes from tier 1 providers using a Juniper MX80.

 They are establishing their first branch location, and need the branch
 location to be able to securely communicate back to headquarters, AND be
 able to use a /24 of  headquarters public IP addresses. Ideally the device
 at the HQ location would hand out public IP address using DHCP to the
other
 side of the tunnel at the branch location.

 We know that in an ideal world it would be wise to get layer 2 transport
 connections from HQ to the branch location, but lets assume that is not an
 option. Please don't flood this thread about how it could be an option
 because it's not at this time. This setup will be temporary and in service
 for the next year until we get fiber to the branch site.

 Let's assume at the branch location we can get a DOCSIS cable internet
 connection from an incumbent cable provider such as Comcast, and that
 provider will give us a couple static IP address. Assume as a backup, we
 have a PPPoE DSL connection from the ILEC such as Verizon who gives us a
 dynamic IP address.

 What solution could we put at the HQ site and the branch site to achieve
 this? Ideally we would want the solution to load balance between the
 connections based on the connections speeds, and failover if one is down.
 The cable connection will be much faster speed (probably 150Mbps down and
 10 Upload) compared to the DSL connection (10 download and 1 upload). If
we
 need more speed we can upgrade the cable modem to a higher package, but
for
 DSL that is the max speed so we might have to get multiple DSL lines. The
 cable solution could always be used as the primary, and the DSL connection
 could only be used as backup if that makes things easier.

 If you were to do this with Juniper or Cisco gear what would you have at
 each location? What technology would you use?


Colton,

The Cisco solution for this would be Cisco Intelligent WAN (IWAN) utilizing
ASRs and ISRs. IWAN utilizes a combination of DMVPN and PfR to make this
happen.

Another name I've heard but have no feedback on is Viptela.

 I know there is Pepewave and a couple of other software solutions that
 seem to have proprietary load balancing solutions developed, but I would
 prefer to use a common Cisco or Juniper solution if one exists.

 There will be 50 users at the branch office. There is only one branch
 location at this time, but they might expand to a couple more but under
10.

James


Re: Inexpensive software bgp router that supports route tags?

2015-07-01 Thread james machado
David,

check out exabgp https://github.com/Exa-Networks/exabgp

james

On Wed, Jul 1, 2015 at 8:19 AM, David H ispcoloh...@gmail.com wrote:
 Hi all, I was wondering if anyone can recommend a software (preferably), or
 hardware-based router with an API, that supports BGP with tags on
 advertised routes?  I want to use it for a RTBH feed and having it in
 software would make certain things easier to automate.  I tried
 Quagga/Zebra but it doesn't support tags.  I see Mikrotik hardware routers
 have an API, but I can't tell if the API supports adding BGP networks, so I
 need to investigate that further.  I can go hardware if I have to, with
 some ssh/expect scripts, but thought there may be other options that are
 easier.

 Thanks,

 David
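ExaBGP is driven by a "process" it spawns, reading one-line commands from that process's stdout, which makes a Python RTBH feed a few lines long. The following is an added example, not code from the thread or from the ExaBGP project: it builds the announce/withdraw lines for host routes tagged with the RFC 7999 BLACKHOLE community (communities are how RTBH routes are normally tagged), and refuses anything that is not a single host inside your own address space, so a bad input or a compromised automation account cannot null-route someone else's address through your upstreams. The owned prefixes, discard next-hops and community value are assumptions; substitute your own.

```python
import ipaddress
import sys

# RFC 7999 BLACKHOLE well-known community. Some transit providers require their
# own community instead, so it is a parameter below.
BLACKHOLE = "65535:666"

# Next-hop your routers map to a discard route (Null0). Hypothetical values.
DISCARD_NEXT_HOP = {4: "192.0.2.1", 6: "2001:db8::1"}

# Constructed allowlist: only hosts inside your own announced space may ever be
# blackholed by this feed.
OWNED_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8::/32")]


def _validate_victim(addr):
    """Return the /32 or /128 network for a single host inside OWNED_PREFIXES."""
    net = ipaddress.ip_network(addr)           # "203.0.113.5" -> 203.0.113.5/32
    if net.num_addresses != 1:
        raise ValueError(f"RTBH must be a host route, got {net}")
    if not any(net.subnet_of(o) for o in OWNED_PREFIXES if o.version == net.version):
        raise ValueError(f"{net} is not inside our own address space")
    return net


def is_valid_victim(addr):
    try:
        _validate_victim(addr)
        return True
    except ValueError:
        return False


def rtbh_command(action, victim, community=BLACKHOLE, next_hops=DISCARD_NEXT_HOP):
    """One line of ExaBGP's text API: announce or withdraw a host route carrying
    the blackhole community. Raises ValueError for anything out of policy."""
    if action not in ("announce", "withdraw"):
        raise ValueError("action must be announce or withdraw")
    net = _validate_victim(victim)
    return (f"{action} route {net.with_prefixlen} next-hop {next_hops[net.version]} "
            f"community [{community}]")


def emit(line, out=sys.stdout):
    """Write a command to ExaBGP; flushing matters, ExaBGP reads line by line."""
    out.write(line + "\n")
    out.flush()


if __name__ == "__main__":
    # When run as an ExaBGP process, these lines go straight to ExaBGP.
    emit(rtbh_command("announce", "203.0.113.45"))
    emit(rtbh_command("announce", "2001:db8:1::45"))
    emit(rtbh_command("withdraw", "203.0.113.45"))
```

On the ExaBGP side the configuration needs a `process` block that runs this script with the text encoder and a neighbor that is allowed to send the announced family; the upstream or your own border routers then match the community and set the next-hop to discard. Keep the allowlist check even if the only caller is a trusted script: the feed is, by design, a tool that can make addresses disappear.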


Re: ARIN just subdivided their last /17, /18, /19, /20, /21 and /22. Down to only /23s and /24s now. : ipv6

2015-06-30 Thread james machado
On Tue, Jun 30, 2015 at 1:43 PM, Ricky Beam jfb...@gmail.com wrote:
 On Tue, 30 Jun 2015 10:28:13 -0400, Justin M. Streiner
 strei...@cluebyfour.org wrote:

 There are still isolated pockets of devices out there speaking IPX,
 DECnet, Appletalk, etc


 Indeed. I'm one of them. (rarely) ... IPX managed print server. It speaks
 IP, but cannot be managed by IP. I'd throw it away, but it functions as a
 two port serial terminal server as well. (2 parallel, 2 serial)

 I don't have any true appletalk (or localtalk!) hardware anymore. But I know
 where there's a pallet of them. :-)

 I still have MCA token-ring cards for an RS/6000 (and the RS/6000.) I'm just
 waiting for the NCDOT to need one to recoup a wad of tax money.

 or their traffic passes through other devices that encapsulate and
 de-encapsulate it in IP to allow it to be transported.


 Ah, the internet in a box IPX-IP gateway device. God, how we hated
 those things. But some companies refused to install an IP stack, 'tho they'd
 install the IPX IP app suite. (late '90s)

But how much memory you could save if you only ran IPX.  Adding the IP
stack would take you below 500K and then you would have programs that
just wouldn't run.  QEMM could only do so much.


Re: Issues encountered with assigning .0 and .255 as usable addresses?

2012-10-23 Thread james machado
On Mon, Oct 22, 2012 at 6:49 PM, Justin Krejci jkre...@usinternet.com wrote:
 And since owen has not yet mentioned it, consider something that supports 
 having : in its address as well.

 Sort of tangentially related, I had a support rep for a vendor once tell me 
 that a 255 in the second or third octet was not valid for an ipv4 address. 
 Hard to troubleshoot a problem when I had to first explain how ip addressing 
 worked because the rep was so fixated on the 255 we were using on the 
 network. If any product really doesn't like 255 in any position then you 
 should consider yourself lucky to still be in business at all.

 Jimmy Hess mysi...@gmail.com wrote:
 On 10/22/12, Paul Zugnoni paul.zugn...@jivesoftware.com wrote:
 [snip]
 Any experience or recommendations? Besides replace the ISA proxy…. Since
 it's not mine to replace. Also curious whether there's an RFC recommending
 against the use of .0 or .255 addresses for this reason.

 ISA is old, and might not be supported anymore, unless you have an
 extended support contract.   If it's not supported anymore, then don't
 be surprised if it has breakage you will not be able to repair. I
 don't recommend upgrading to TMG, either:  although still supported,
 that was just discontinued.

 If ISA is refusing traffic to/from IPs ending in .0, then ISA is
 either broken, or misconfigured.
 Get a support case with the vendor, raise it as a critical issue --
 unable to pass traffic to critical infrastructure that ends with a
 .255 or .0  IP address,  demand that the vendor provide a resolution,
 And explain that changing the IP address of the remote server is not an 
 option.


 If the vendor can't or won't provide a resolution, then not only is
 the proxy server broken, but malfunctioning in a way that has an impact
 on network connectivity.

 I would consider its removal compulsory,  as you never know,  when a
 network resource, web site, e-mail server, etc. your org has a
 business  critical need to access,  or be accessed from;  may be
 placed on .255 or  .0

 --
 -JH


This was also discussed back in August in this thread:
http://mailman.nanog.org/pipermail/nanog/2012-August/051290.html

james



Re: Detection of Rogue Access Points

2012-10-18 Thread james machado
On Thu, Oct 18, 2012 at 7:00 AM, Jonathan Rogers quantumf...@gmail.com wrote:
 I like the idea of looking at the ARP table periodically, but this presents
 some possible issues for us. The edge routers at our remote sites are Cisco
 1841 devices, typically with either an MPLS T1 or a Public T1 (connected
 via an IAD owned by Centurylink; router to router, so dumb). Aside from
 manually logging in to those individual routers (all 140 or so of them) and
 checking them on a schedule, can anyone think of a good way to capture that
 information automatically? If I had to I could probably come up with a
 script to log in to them and scrape the info then process it but...eww.


Quite a few people have leveraged RANCID
(http://www.shrubbery.net/rancid/) for doing stuff like this.

It is made to pull configs from routers on a cycle and produces text
files that can be worked with. You can use the tools that are there
to pull specific information, such as ARP tables, and then process the
resultant files with your scripting language of choice. Check the
mailing list for examples of this kind of thing.


 Another possible option (although costly) is installing a Ruckus device at
 each location; we have a Ruckus infrastructure at our HDQ and it works
 great (almost too good, it's super sensitive) at picking up rogues. A
 Ruckus WAP could talk to our ZoneDirector appliance and do that for us at
 each site, I think, but it may be difficult to justify the cost.

 --JR


james
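Once RANCID (or any collector) is saving `show ip arp` output per site, the processing step James leaves to "your scripting language of choice" is a diff of today's table against yesterday's plus an OUI check. The following is an added example, not code from the thread or from RANCID: it parses Cisco IOS `show ip arp` text, ignores the router's own interface entries, and raises an alert for a new IP/MAC pair, a MAC that changed for an existing IP, or a MAC whose OUI is not on your hardware allowlist. Both ARP captures and the OUI allowlist are constructed (documentation addresses, made-up OUIs); replace the allowlist with the OUIs of the hardware you actually deploy.

```python
import re

# Constructed "show ip arp" output for one site on two consecutive collector runs.
ARP_YESTERDAY = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0011.2233.4401  ARPA   FastEthernet0/0
Internet  192.0.2.10             12   0011.2233.4410  ARPA   FastEthernet0/0
Internet  192.0.2.11              3   0011.2233.4411  ARPA   FastEthernet0/0
"""
ARP_TODAY = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0011.2233.4401  ARPA   FastEthernet0/0
Internet  192.0.2.10              7   0011.2233.4410  ARPA   FastEthernet0/0
Internet  192.0.2.11             40   c0c1.c0aa.bb01  ARPA   FastEthernet0/0
Internet  192.0.2.77              1   c0c1.c0aa.bb02  ARPA   FastEthernet0/0
"""

# Constructed allowlist of OUIs (first 24 bits) for the hardware you deploy.
KNOWN_OUIS = {"001122": "corporate desktop NIC (constructed)"}

ARP_RE = re.compile(
    r"^Internet\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(\S+)")


def parse_show_ip_arp(text):
    """Return {ip: (mac, interface)} for learned entries. Age '-' marks the
    router's own addresses, which are skipped; 'Incomplete' rows do not match."""
    table = {}
    for line in text.splitlines():
        m = ARP_RE.match(line)
        if m and m.group(2) != "-":
            ip, _age, mac, iface = m.groups()
            table[ip] = (mac.lower(), iface)
    return table


def oui(mac):
    """'0011.2233.4410' -> '001122'"""
    return mac.replace(".", "").replace(":", "").lower()[:6]


def diff_arp(old, new, known_ouis=KNOWN_OUIS):
    """Alerts for hosts that appeared, changed MAC, or carry an unknown OUI."""
    alerts = []
    for ip, (mac, iface) in sorted(new.items()):
        base = {"ip": ip, "mac": mac, "iface": iface}
        if ip not in old:
            alerts.append({**base, "reason": "new-host"})
        elif old[ip][0] != mac:
            alerts.append({**base, "reason": "mac-changed", "old_mac": old[ip][0]})
        if oui(mac) not in known_ouis:
            alerts.append({**base, "reason": "unknown-oui"})
    return alerts


if __name__ == "__main__":
    for a in diff_arp(parse_show_ip_arp(ARP_YESTERDAY), parse_show_ip_arp(ARP_TODAY)):
        print(a)
```

Two caveats a practitioner would want stated: an ARP table only shows hosts that talked to the router recently, so run the diff across several collections before deciding something is gone; and a consumer access point doing NAT hides its clients behind a single MAC, so what this catches is the AP's own MAC (with a consumer-vendor OUI) or an existing IP suddenly answering from a different MAC, not the wireless clients themselves.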



Re: Level 3 BGP Advertisements

2012-08-30 Thread james machado
On Thu, Aug 30, 2012 at 11:50 AM, Blake Hudson bl...@ispn.net wrote:
 Matt Addison wrote the following on 8/29/2012 6:08 PM:

 Sent from my mobile device, so please excuse any horrible misspellings.

 On Aug 29, 2012, at 18:30, james machado hvgeekwt...@gmail.com wrote:

 On Wed, Aug 29, 2012 at 1:55 PM, STARNES, CURTIS
 curtis.star...@granburyisd.org wrote:

 Sorry for the top post...

 Not necessarily a Level 3 problem but;

 We are announcing our /19 network as one block via BGP through ATT, not
 broken up into smaller announcements.
 Earlier in the year I started receiving complaints that some of our
 client systems were having problems connecting to different web sites.
 After much troubleshooting I noticed that in every instance the xlate in
 our Cisco ASA for the client's IP last octet was either a 0 or 255.
 Since I am announcing our network as a /19, the subnet mask is
 255.255.224.0, that would make our network address x.x.192.0 and the
 broadcast x.x.223.255.
 So somewhere the /24 boundary addresses were being dropped.

 Just curious if anyone else has seen this before.

 some OS's by M and others as well as some devices have IP stacks which
 will not send or receive unicast packets ending in 0 or 255.  have had
 cases where someone was doing subnets that included those in the DHCP
 scopes and the computers that received these addresses were black
 holes.

 james

 MSKB 281579 affects XP home and below. Good times anytime someone adds
 a .0 or .255 into an IP pool.

 It might be relevant to note that XP and below is simply respecting classful
 boundaries. This does not affect all .0 or .255 addresses, just class C
 addresses (192.0.0.0 through 223.255.255.255) that end with .0 or .255. If
 your IP range is 0.0.0.0 - 191.255.255.255 you are not affected (by this
 particular bug) by using .0 or .255 as the last octet unless the address is
 ALSO the last octet of the classful boundary for your subnet. In effect,
 these OS's simply enforce classful boundaries regardless of the subnet mask
 you have set. As the KB states, this bug affects supernets only. I'm not
 trying to defend MS (they can do that themselves), but your statement was
 misleading.

I can distinctly remember having the issue in 10/8 address space with
Win2k and WinXP


 We do, sometimes, use .0 and .255 addresses. Most clients work fine with
 them (including XP). However, I have personally seen a few networks where an
 administrator had blocked .0 and .255 addresses, causing problems for people
 on his network communicating to hosts that ended in .0 or .255. It has been
 years since I have seen an issue with a .0 or a .255 IP however. Given fears
 over IP shortages, even a couple percent of addresses wasted due to
 subnetting can be cause for adjusting network policy. I would not be
 surprised if folks who excluded .0 and .255 addresses from their assignable
 pools will re-evaluate that decision over the next few years.

 --Blake
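Blake's description of the KB (a classful stack treats the network and broadcast address of the old class C block as unusable, so only supernets are affected) is easy to turn into a list of addresses to keep out of a DHCP scope or NAT pool. The following is an added example, not code from the thread: given a prefix, it returns the host addresses that are valid under the configured mask but are the network or broadcast address of their classful block. It applies the same rule to class A and B blocks (a /15 out of 172.16.0.0/12, for instance, contains 172.17.0.0 and 172.16.255.255 as valid hosts); that generalization follows from the KB's "supernets only" wording as quoted here, and is my reading rather than something the thread states. The prefixes are documentation/private space chosen for illustration.

```python
import ipaddress


def classful_prefixlen(addr):
    """Pre-CIDR class of an IPv4 address: A (/8) below 128.0.0.0, B (/16)
    below 192.0.0.0, C (/24) below 224.0.0.0. None for class D/E."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return 8
    if first_octet < 192:
        return 16
    if first_octet < 224:
        return 24
    return None


def classful_risky_hosts(prefix):
    """Addresses inside `prefix` that are usable hosts under its mask but are
    the network or broadcast address of their old classful block. A stack that
    enforces classful boundaries regardless of mask treats these as unusable.
    Only supernets (mask shorter than the classful mask) have any."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version != 4:
        raise ValueError("IPv4 only")
    if net.prefixlen < 3:
        raise ValueError("prefix spans more than one address class")
    cls_len = classful_prefixlen(net.network_address)
    if cls_len is None or net.prefixlen >= cls_len:
        return []
    own_edges = (net.network_address, net.broadcast_address)
    risky = []
    for block in net.subnets(new_prefix=cls_len):
        for candidate in (block.network_address, block.broadcast_address):
            if candidate not in own_edges:      # those are unusable anyway
                risky.append(str(candidate))
    return risky


def wasted_fraction(prefix):
    """Share of usable host addresses you give up by excluding the risky ones."""
    net = ipaddress.ip_network(prefix, strict=False)
    usable = net.num_addresses - 2
    return len(classful_risky_hosts(prefix)) / usable if usable > 0 else 0.0


if __name__ == "__main__":
    for p in ("192.0.2.0/23", "192.0.2.0/24", "10.0.0.0/23", "172.16.0.0/15",
              "203.0.0.0/19"):
        hosts = classful_risky_hosts(p)
        print(f"{p:16s} {len(hosts):3d} risky  ({wasted_fraction(p):.2%})  {hosts[:4]}")
```

For the /19 in the original report that is 62 addresses out of 8190 usable, under one percent, which is the trade Blake describes: exclude them from pools while you still have to support such stacks, and put them back when you no longer do.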






Re: Level 3 BGP Advertisements

2012-08-29 Thread james machado
On Wed, Aug 29, 2012 at 1:55 PM, STARNES, CURTIS
curtis.star...@granburyisd.org wrote:
 Sorry for the top post...

 Not necessarily a Level 3 problem but;

 We are announcing our /19 network as one block via BGP through ATT, not 
 broken up into smaller announcements.
 Earlier in the year I started receiving complaints that some of our client 
 systems were having problems connecting to different web sites.
 After much troubleshooting I noticed that in every instance the xlate in our 
 Cisco ASA for the client's IP last octet was either a 0 or 255.
 Since I am announcing our network as a /19, the subnet mask is 255.255.224.0, 
 that would make our network address x.x.192.0 and the broadcast x.x.223.255.
 So somewhere the /24 boundary addresses were being dropped.

 Just curious if anyone else has seen this before.

some OS's by M and others as well as some devices have IP stacks which
will not send or receive unicast packets ending in 0 or 255.  have had
cases where someone was doing subnets that included those in the DHCP
scopes and the computers that received these addresses were black
holes.

james



Re: BGPttH. Neustar can do it, why can't we?

2012-08-06 Thread james machado
On Mon, Aug 6, 2012 at 3:55 PM, Owen DeLong o...@delong.com wrote:
 That's simply not true at all...

 Let's look at what it takes to configure BGP as I suggested...

 1. The ASN number of the two providers
 2. The ASN to be used for the local side
 3. The IP Address to use on the local end of each connection
 4. The IP Address to peer with on each connection
 5. The prefix(es) to be advertised.

 Of these 5, only items 2 and 5 have to come from the customer and the 
 customer needs to provide both of these to both ISPs anyway for them to 
 configure their side.

 It would be trivial for providers and CPE vendors to develop a standardized 
 API by which a router could retrieve all 5 pieces of information for a given 
 connection once that connection is plugged in to the router. It could 
 literally be as simple as:

 1.  Port gets address via SLAAC or DHCP
 2.  Port retrieves XML configuration document from 
 http://bgpconfig.local (or user-specified URL provided by ISP, or whatever)
  <XML>
    <PROVIDERASN>6939</PROVIDERASN>
    <LOCALASN>65512</LOCALASN>
    <PROVIDERIPv4>192.0.2.21/30</PROVIDERIPv4>
    <PROVIDERIPv6>2001:db8:1fea:93a9::1/64</PROVIDERIPv6>
    <LOCALIPv4>192.0.2.22/30</LOCALIPv4>
    <LOCALIPv6>2001:db8:1fea:93a9::2/64</LOCALIPv6>
    <PrefixInformation>
      <PrefixAccepted>203.0.113.0/24</PrefixAccepted>
      <PrefixAccepted>198.51.100.0/24</PrefixAccepted>
      <PrefixAnnounced>0.0.0.0/0</PrefixAnnounced>
    </PrefixInformation>
  </XML>

 (Yes, I realize that is a bit of an oversimplification of the XML syntax, but 
 you get the idea)

 3.  Router configures port and BGP session according to received 
 XML document, including
 appropriate prefix filters.

 4.  Router runs with that XML based configuration as long as 
 link-state and power remain.

 That would allow a zeroconf BGP-enabled router in relatively small hardware 
 accepting a default route that would work at least as well as today's 
 dual-NAT based boxes. Note that BGP is not redesigned or even altered to 
 achieve this. Since Linksys/DLink/Netgear/$EVERYONE already has web servers 
 and clients embedded in their gear, the XML parser (or JSON or whatever they 
 choose to use for standard encoding) would be pretty straight forward.


From an SMB perspective this is part of the problem.  Why pay for:

 1. An ASN
 2. 2 BGP connections
 3. PI space
 4. More expensive hardware (potentially and probably)

when I'm only going to get a default route?  I've added complexity to
my life, administrative and OPEX overhead when I'm getting no benefits
of BGP other than a default route.  I can get a default route from a
provider without adding complexity and overhead.

An SMB who does not have a staff on hand wants it cheap and to work.
Everything else is a potential expense they don't want to spend.  They
don't want to have to call either their support company or vendor
because the Internet is down; at most they want to pull the power on
the router and plug it back in and have it all work.  At best they
want to only know what that little black box with the blinky lights
is when someone packs it into a box because it's wasting power and now
the Internet is broken.

From an SMB who has a staff on hand it still may not be worth it if
they don't have someone who is BGP smart.  And truth to tell *you*
don't want more BGP idiots polluting the routing table either
intentionally or unintentionally.

Conversely if you do make BGP that available to SMBs and home users
(not necessarily a bad thing) the issues with routing table size have
to be dealt with.  Right now there are roughly 42K ASes with routes in
the routing table.  Add SMBs and home users and you're looking at
potentially millions of ASes with routes in the routing table.  Heck,
if you *only* double the ASes and associated routes many many routers
are going to crash and need replacement.


 Yes, the operator/provider has to do some additional configuration, but 
 speaking as a network operator, I know that this can be automated because the 
 management of BGP configurations, including the filters _IS_ that automated 
 where I work. If the provider is telling the router which prefixes to permit 
 announcement of through the configuration URL, then it's even more reliable, 
 right?

 Owen

 On Aug 6, 2012, at 15:05 , Scott Helms khe...@ispalliance.net wrote:

 Owen,

That's like saying if it were easy to fly we'd all be pilots, which isn't 
 true either.  BGP would need to be completely redesigned/replaced before it 
 could possibly be 
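The zeroconf scheme Owen sketches puts the prefix filter in a document the CPE fetches over the network, so the CPE-side parser is where the security of the whole idea lives. The following is an added example, not code from the thread or from any vendor: it parses a document in the shape Owen wrote (his element names, his documentation-range values) and validates every field before anything would be configured, rejecting bad ASNs, peer and local addresses that are not on one link, and accepted prefixes that are bogons or outside sane length bounds, so a tampered or mistaken document cannot turn a home router into a source of leaked or hijacked routes. The length bounds and bogon list are my assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the document sketched in the post above.
SAMPLE_DOC = """<XML>
  <PROVIDERASN>6939</PROVIDERASN>
  <LOCALASN>65512</LOCALASN>
  <PROVIDERIPv4>192.0.2.21/30</PROVIDERIPv4>
  <PROVIDERIPv6>2001:db8:1fea:93a9::1/64</PROVIDERIPv6>
  <LOCALIPv4>192.0.2.22/30</LOCALIPv4>
  <LOCALIPv6>2001:db8:1fea:93a9::2/64</LOCALIPv6>
  <PrefixInformation>
    <PrefixAccepted>203.0.113.0/24</PrefixAccepted>
    <PrefixAccepted>198.51.100.0/24</PrefixAccepted>
    <PrefixAnnounced>0.0.0.0/0</PrefixAnnounced>
  </PrefixInformation>
</XML>"""

# Assumed policy: (shortest, longest) prefix a CPE may be allowed to announce.
LENGTH_BOUNDS = {4: (8, 24), 6: (16, 48)}
# Space that must never be accepted from a customer (assumed minimal bogon list).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/3", "::/8", "fc00::/7", "fe80::/10", "ff00::/8")]


def _asn(text):
    asn = int((text or "").strip())
    if not 0 < asn < 2**32 or asn == 23456:      # 23456 is AS_TRANS, never real
        raise ValueError(f"bad ASN {text!r}")
    return asn


def _link(local_text, provider_text):
    """Both ends must be distinct addresses inside the same point-to-point net."""
    local = ipaddress.ip_interface((local_text or "").strip())
    prov = ipaddress.ip_interface((provider_text or "").strip())
    if local.network != prov.network or local.ip == prov.ip:
        raise ValueError(f"{local} and {prov} are not on one link")
    return str(local.ip), str(prov.ip)


def _accepted_prefix(text):
    net = ipaddress.ip_network((text or "").strip(), strict=True)
    lo, hi = LENGTH_BOUNDS[net.version]
    if not lo <= net.prefixlen <= hi:
        raise ValueError(f"refusing to accept {net}: prefix length out of bounds")
    if any(net.overlaps(b) for b in BOGONS if b.version == net.version):
        raise ValueError(f"refusing to accept {net}: bogon space")
    return net


def parse_bgp_config(doc):
    """Validate the provisioning document and return session parameters plus the
    export (customer -> provider) and import (provider -> customer) prefix lists."""
    root = ET.fromstring(doc)
    cfg = {"provider_asn": _asn(root.findtext("PROVIDERASN")),
           "local_asn": _asn(root.findtext("LOCALASN"))}
    for fam in ("IPv4", "IPv6"):
        local, peer = _link(root.findtext(f"LOCAL{fam}"), root.findtext(f"PROVIDER{fam}"))
        cfg[f"local_{fam.lower()}"], cfg[f"peer_{fam.lower()}"] = local, peer
    cfg["export"] = [_accepted_prefix(el.text)
                     for el in root.iterfind("PrefixInformation/PrefixAccepted")]
    cfg["import"] = [ipaddress.ip_network(el.text.strip(), strict=True)
                     for el in root.iterfind("PrefixInformation/PrefixAnnounced")]
    return cfg


def rejects(doc):
    """True if the document fails validation (for policy tests)."""
    try:
        parse_bgp_config(doc)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    cfg = parse_bgp_config(SAMPLE_DOC)
    print(f"peer AS{cfg['provider_asn']} at {cfg['peer_ipv4']} / {cfg['peer_ipv6']}")
    print("export only:", ", ".join(map(str, cfg["export"])))
    print("import:", ", ".join(map(str, cfg["import"])))
```

Two things this does not do and a deployment must: authenticate the document (a signature from the provider, or at least TLS to a pinned endpoint, since the URL is discovered from the link), and parse it with a hardened XML parser such as defusedxml rather than the standard library one shown here. Without the first, anyone who can answer the discovery request tells the CPE what to announce.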

Re: Shim6, was: Re: filtering /48 is going to be necessary

2012-03-15 Thread james machado
2012/3/14 Masataka Ohta mo...@necom830.hpcl.titech.ac.jp:
  stuff deleted 
 For high speed (fixed time) routed look up with 1M entries, SRAM is
 cheap at /24 and is fine at /32 but expensive and power consuming
 TCAM is required at /48.

 That's one reason why we should stay away from IPv6.

                                                Masataka Ohta


I found this bit of research from 2007 (
http://www.cise.ufl.edu/~wlu/papers/tcam.pdf ).  It seems to me there
are probably more ways to mix and match different types of ram to be
able to deal with this beast.

james



Re: [rt-users] External Auth using Active Directory 2008

2012-02-03 Thread james machado
I would use ldapsearch on that machine to make sure you can bind to
the AD server using the login credentials in your Site_Config.  Make
sure you are using the proper certificates to connect via the TLS you
have configured.  I've noticed that being one of the biggest problems
with ldap and Windows 2008 and 2008 R2 AD servers.

james



Re: [rt-users] External Auth using Active Directory 2008

2012-02-03 Thread james machado
My apologies - fat-fingered the email address.

james



Re: Windows UDP packet generator software?

2011-12-22 Thread james machado
D-ITG works very well:
http://www.grid.unina.it/software/ITG/index.php  You can create
reports of loss/jitter etc. Windows and QoS don't work, so don't try
setting QoS values as they will just be reset to 0 by the Windows
TCP/IP stack.

james
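If a full tool is more than you need, the core of a UDP generator with loss and jitter reporting fits in a short script. The following is an added example, not code from the thread or from D-ITG: it sends sequence-numbered, timestamped probes, collects them on a receiver, and reports loss and the RFC 3550 interarrival-jitter estimator. It attempts to set DSCP via `IP_TOS`, which, as the post notes, the Windows stack resets to 0; the `try` around it is so the generator still runs there. The packet layout, sizes and the loopback self-test are my own choices.

```python
import socket
import struct
import threading
import time

PKT = struct.Struct("!IQ")   # sequence number, send time in nanoseconds


def build_packet(seq, send_ns, payload_len=200):
    """Sequence-numbered probe; zero padding brings it to a realistic size."""
    header = PKT.pack(seq, send_ns)
    return header + b"\x00" * max(0, payload_len - len(header))


def parse_packet(data):
    return PKT.unpack_from(data)


def receiver(sock, count, timeout=2.0):
    """Collect (seq, send_ns, recv_ns) until `count` packets or timeout."""
    sock.settimeout(timeout)
    got = []
    deadline = time.monotonic() + timeout
    while len(got) < count and time.monotonic() < deadline:
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            break
        seq, send_ns = parse_packet(data)
        got.append((seq, send_ns, time.monotonic_ns()))
    return got


def summarize(samples, sent):
    """Loss from missing sequence numbers and RFC 3550 interarrival jitter:
    D = (R_j - S_j) - (R_i - S_i) for consecutive packets, J += (|D| - J) / 16."""
    seqs = {s for s, _, _ in samples}
    jitter = 0.0
    prev = None
    for _seq, send_ns, recv_ns in sorted(samples):
        if prev is not None:
            d = (recv_ns - send_ns) - (prev[1] - prev[0])
            jitter += (abs(d) - jitter) / 16
        prev = (send_ns, recv_ns)
    return {"sent": sent, "received": len(seqs), "lost": sent - len(seqs),
            "jitter_ms": jitter / 1e6}


def run_test(count=100, interval_s=0.002, dscp=46):
    """Self-test over the loopback: a receiver thread plus `count` probes sent
    `interval_s` apart, returning the summary. Point the sender elsewhere to
    test a real path."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:   # DSCP marking; silently ignored or reset on stacks that do not honour it
        tx.setsockopt(socket.IPPROTO_IP, socket.IP_TOS, dscp << 2)
    except OSError:
        pass
    result = []
    worker = threading.Thread(target=lambda: result.extend(receiver(rx, count)))
    worker.start()
    for seq in range(count):
        tx.sendto(build_packet(seq, time.monotonic_ns()), rx.getsockname())
        time.sleep(interval_s)
    worker.join()
    rx.close()
    tx.close()
    return summarize(result, count)


if __name__ == "__main__":
    print(run_test())
```

Sender and receiver here share one clock, which is why the transit-time difference is meaningful; between two hosts the estimator still works because it only uses differences of differences, so clock offset cancels, but clock drift does not, so keep test runs short.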



Re: flow generating tool

2011-09-27 Thread james machado
you might also try D-ITG  http://www.grid.unina.it/software/ITG/index.php

james



Re: IPv6 end user addressing

2011-08-10 Thread james machado
 It isn't hard to do some arithmetic and guess that if every household
 in the world had IPv6 connectivity from a relatively low-density
 service like the above example, we would still only burn through about
 3% of the IPv6 address space on end-users (nothing said about server
 farms, etc. here) but what does bother me is that the typical end-user
 today has one, single IP address; and now we will be issuing them 2^16
 subnets; yet it is not too hard to imagine a future where the global
 IPv6 address pool becomes constrained due to service-provider
 inefficiency.


What is the life expectancy of IPv6? It won't live forever and we
can't reasonably expect it to. I understand we don't want to run out of
addresses in the next 10-40 years but what about 100? 200? 300?

We will run out and our descendants will go through renumbering again.
The question becomes what is the life expectancy of IPv6 and does the
allocation plan make a reasonable attempt to run out of addresses
around the end of the expected life of IPv6.


 Jeff S Wheeler j...@inconcepts.biz
 Sr Network Operator  /  Innovative Network Concepts



james



Re: dynamic or static IPv6 prefixes to residential customers

2011-08-02 Thread james machado
 I don't understand why this is a problem if your ISP gives you a static 
 address.
 There are, of course, other sources of addresses available as well.
 Nobody has yet presented me a situation where I would prefer to use ULA over 
 GUA.

 while link-local is necessary it's also probably not sufficient.

 True.

 Owen

Let's look at some issues here.

1) It's unlikely that a normal household with 2.5 kids and a dog/cat
will be able to qualify for their own end user assignment from ARIN.

2) If their router goes down they lose network connectivity on the
same subnet due to losing their ISP assigned prefix.

3) If they are getting dynamic IPs from their ISP and it changes they
may or may not be able to print, connect to a share, things like that.

These 3 items make a case for everybody having a ULA. However, while
many of the technical bent will be able to manage multiple addresses, I
know how much tech support I'll be providing my parents with either an
IP address that goes away/changes or multiple IP addresses. I'll set
them up on a ULA so there is consistency.

Complain about NAT all you want, but NAT + RFC 1918 addressing in IPv4
made things such as these much nicer in a home and business setting.

james
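The reason ULA works for the "set my parents up on a stable prefix" case is that RFC 4193 makes the prefix pseudo-random, so two sites that later get connected (a VPN to the office, a merged network) do not collide the way two 192.168.1.0/24 sites do. The following is an added example, not code from the thread: it implements the Global ID algorithm from RFC 4193 section 3.2.2 (SHA-1 over a 64-bit NTP timestamp and an EUI-64, low 40 bits kept, under fd00::/8) and carves /64 subnets out of the resulting /48. The MAC address and timestamp in the self-test are constructed; in real use you pass the current time so the result is unpredictable.

```python
import hashlib
import ipaddress
import struct
import time

NTP_EPOCH_OFFSET = 2208988800   # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)


def eui64_from_mac(mac48):
    """EUI-64 from a 48-bit MAC (RFC 4291 appendix A): insert ff:fe in the
    middle and flip the universal/local bit of the first byte."""
    b = bytearray(mac48)
    if len(b) != 6:
        raise ValueError("need a 6-byte MAC address")
    b[0] ^= 0x02
    return bytes(b[:3]) + b"\xff\xfe" + bytes(b[3:])


def ula_prefix(mac48, unix_time=None):
    """RFC 4193 section 3.2.2: Global ID = low 40 bits of SHA-1(NTP64 || EUI-64);
    the site prefix is fd00::/8 with the Global ID in bits 8-47, a /48."""
    t = time.time() if unix_time is None else unix_time
    ntp_sec = (int(t) + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    ntp_frac = int((t - int(t)) * 2**32) & 0xFFFFFFFF
    ntp64 = struct.pack("!II", ntp_sec, ntp_frac)
    digest = hashlib.sha1(ntp64 + eui64_from_mac(mac48)).digest()
    global_id = int.from_bytes(digest[-5:], "big")        # least significant 40 bits
    prefix_int = (0xfd << 120) | (global_id << 80)         # L bit set: fd00::/8
    return ipaddress.IPv6Network((prefix_int, 48))


def ula_subnet(site_prefix, subnet_id):
    """A /64 inside the site's /48: the 16-bit subnet ID occupies bits 48-63."""
    if site_prefix.prefixlen != 48:
        raise ValueError("site prefix must be a /48")
    if not 0 <= subnet_id < 2**16:
        raise ValueError("subnet id must fit in 16 bits")
    base = int(site_prefix.network_address)
    return ipaddress.IPv6Network((base | (subnet_id << 64), 64))


if __name__ == "__main__":
    # Constructed inputs so the output is reproducible; use time.time() for real.
    mac = bytes.fromhex("001122334455")
    site = ula_prefix(mac, unix_time=1_500_000_000.5)
    print("site prefix :", site)
    for sid, name in ((0x0001, "wired"), (0x0002, "wifi"), (0x0010, "printers")):
        print(f"{name:9s}:", ula_subnet(site, sid))
```

Hand out the /64s alongside the ISP's global prefix (hosts will carry both); the ULA addresses are what you put in DNS, printer configs and share paths, and they survive the ISP prefix changing or the uplink being down.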



Re: dynamic or static IPv6 prefixes to residential customers

2011-08-02 Thread james machado
On Tue, Aug 2, 2011 at 3:28 PM, Joel Jaeggli joe...@bogus.com wrote:

 On Aug 2, 2011, at 2:42 PM, james machado wrote:

 Lets look at some issues here.

 1) it's unlikely that a normal household with 2.5 kids and a dog/cat
 will be able to qualify for their own end user assignment from ARIN.


 Interesting...

 I have a normal household.
 I lack 2.5 kids and have no dog or cat.

 I have my own ARIN assignment.

 Are you saying that the 2.5 kids and the dog/cat would disqualify them? I 
 can't
 find such a statement in ARIN policy.

 Are you saying that a household that multihomes is abnormal? Perhaps today,
 but, not necessarily so in the future.


 Yes I am saying a household that multihomes is abnormal and with
 today's and contracted monopolies I expect that to continue.  You are
 not a normal household in that 1) you multihome 2) you are willing to
 pay $1500+ US a year for your own AS, IP assignments

 while I don't disagree with the assertion that this is unrealistic the annual 
 fee is $100 per org-id for direct assignments.


Sorry, I was unclear - I was guessing $1500+ for AS number + IP assignments
but not counting ISP costs for a year. Looks like ARIN is charging
about $1250 per year for a new IPv6 assignment and the AS yearly cost
is rolled into that. Granted ISP costs will probably be in the
ballpark of $150 per month for 2 consumer grade connections and more
for business or better connections.

James



Re: dynamic or static IPv6 prefixes to residential customers

2011-08-02 Thread james machado
 I would argue that I am not an abnormal household by any definition other 
 than
 my internet access and that even by that definition, I am not particularly 
 abnormal
 where I live.


You're based out of San Jose; there might not be any other area like
that in the U.S. as far as connectivity and concentration of I.T.
savvy. There might be 10 cities in the U.S. with the same
infrastructure and availability as you have accessible. There are not
50. While not abnormal where you live, it is abnormal to the rest of
the country.


 There are many people I know of with much more expensive and elaborate
 internet connectivity to their houses than what I have within 30 miles of me.

 While I don't think I represent the typical residential ISP customer, I do 
 think that
 the typical customer will eventually learn what static addressing is and will 
 want
 it for a variety of reasons.

 Owen

Scott's user base is more typical than what you can find in your
neighborhood. I am sure some of the same users live within 30 miles
of you too, but you, I, Scott, or anybody else on this list cannot be
considered normal in this respect.

james