NANOG is not a general purpose router help mailing list. Issues
discussed here are supposed to be relevant to the North American ISP
community.
Excuse? Configuring routers is not operational in North America? Have
you gone completely layer 2 over there?
Are you seriously going to sit there a
NANOG is not a general purpose router help mailing list. Issues discussed
here are supposed to be relevant to the North American ISP community.
Please take this question to a FreeBSD mailing list.
Thanks,
-Don
Is it possible to have 2 default routes?
Or how can I do redundancy when the
Do you really think that today's allocations are going to be in use
(unchanged) when people are building homes out of IPv6-addressed
nanobots, or when people are trying to firewall the fridge from the TV
remote, etc.?
I certainly hope not- but then again I never thought IPv4 would be around
thi
That's 281,474,976,710,656 /48 customer networks. It's 16
million times the number of class C's in the current IPv4
Internet. Am I just not thinking large or long term enough?
No, you are just counting wrong. When you are talking /48's
you are talking "number of bits of subnet hierarchy", n
The only place in which people have noted that there is a possibility
of running out of bits in the existing IPv6 addressing hierarchy
is when they look at a model where every residential customer gets
a /48. In that scenario there is a possibility that we might run out
in 50 to 100 years from no
So if /64 is "subnet" rather than "node" then the practice of placing one
and only one node per subnet is pretty wasteful.
The whole point here is flexibility. IEEE defined several standards for
globally unique identifiers including EUI-48/MAC-48 and EUI-64.
MAC-48 should last us til 2100, bu
doesn't more address space just give us more routes to handle?
No. It only makes more possible prefixes. Migrating to IPv6 while keeping
the current (IPv4) routing and current business relations, there would be
somewhat fewer routes:
bigger address space -> bigger chunks -> less need to increm
...but without a (public) reply. It has been suggested (both in the
follow-ups to the above and elsewhere) that there are people involved with
7018 that are frequent readers here; I'm really hoping one of them will take
pity on us and either reply here or communicate with me off-list.
We ar
I'll post some pictures when I get a chance.
http://www.neener.info/gallery/v/cagebrackets/
In case anyone cares- those are the brackets we made.
-Don
Then again, sometimes it requires a whole lot more dedication. In our case
the racks we inherited were installed wrong (no space between them for
vertical cable management). Getting our cabling organized meant welding our
own cable management brackets that we could bolt onto the front of the
Does anyone know if any good resources on best-practices at this sort
of thing? I'm pretty sure that others must've already figured out the
trickier stuff that I've thought about.
Most good cabling jobs require one thing- dedication.
If you are willing to put in the time and effort, you can d
agree that this isn't "ideal", however Cisco has always been very specific
about the h/w FIB & adjacency table sizes on the hardware in question.
I know that vendor bashing is a sport in this list, but
Can you please point out where I can find this information ...
The only place I found in
1. Cisco is still selling the 7600 with the Sup32 bundle (which is what
we bought) and saying you can take a full route table on it. I could
already do MPLS and IPv6 on this box. This is pretty new hardware.
Where are they saying that? The Sup32 sounded great until it became clear
that it
All things being equal (which they're usually not) you could use the ACK
response time of the TCP handshake if they've got TCP DNS resolution
available. Though again most don't for security reasons...
Then most are incredibly stupid.
Several anti-DoS utilities force unknown hosts to initiate a
You can, and this will work for a while. When it stops working
(which is not at all predictable) you're going to need a fairly
sizable IPv6 Internet so that you can continue to connect new
customers up, and unfortunately, that means we need to start
getting folks moving ahead of time since we d
This was a very curious experience. What they want to achieve is protecting
children from abuse. This is of course a laudable goal. But they think they
can do that by ridding the internet of images depicting said abuse. There are
pretty strong laws against that in the Netherlands*, but this wo
It is quite odd really that governments want to implement something to
prevent people from breaking a law. And some posts have been correct in
asking what's next? Automatic copyright/patent infringing filtering?
On that subject- we should probably change the language as well. Make it
so that p
I, for one, give up. No matter what you say I will never implement NAT, and
you may or may not implement it if people make boxes that support it. Clearly
...
This was supposed to be a private reply and was not meant to go to the
list. My apologies.
I will also refrain from further response
Sure, very easily, by using NAT between the subnets.
Have at it. Nothing like trying to reach 10.10.10.10 and having to put in
a dns entry pointing to 172.29.10.10, NAT'ing the address on your side to
their side and from their side back to your side, and adding the rules.
That's definitely si
A core but often neglected factor in IT security is KIS. NAT,
particularly in the form of PAT, is an order of magnitude simpler to
administer than a stateful firewall with one-to-one address mappings.
Why would a stateful firewall have one-to-one address mappings? I'm not
even sure what you me
Even people I have spoken that understand the difference between
firewalling/reachability and NATing are still in favour of NAT. The argument
basically goes "Yes, I understand that having a public address does not
necessarily mean being publicly reachable. But having a private address
means
The last time I renumbered, I found that quite a few people were not
honoring the TTLs I put in my DNS zone files. [...] Custom customer
zone files hosted elsewhere?
Do not forget that applications have their own caches, too, and they
typically ignore completely the DNS TTL. A typical Web brow
my favourite load balancer is OSPF ECMP, since there are no extra boxes,
just the routers and switches and hosts I'd have to have anyway.
quagga ospf6d works great, and currently lacks only a health check API.
Health checks are unfortunately the most important aspect of a LB for some
people.
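As an added example (not code from the thread or from quagga), the health check that ospf6d lacks can be bolted on from outside: a probe decides whether the node is healthy, and the service's /128 is added to or removed from `lo` so that ospf6d with `redistribute connected` (an assumed configuration) advertises or withdraws it. The consecutive-failure threshold keeps a single lost probe from flapping the route. The address and interface name are assumptions.

```python
"""External health check for an anycast node load-balanced by OSPF ECMP.

Added example, not from the thread or from quagga. Assumes Linux, quagga
ospf6d configured with `redistribute connected`, and the service bound to the
anycast address, so adding the /128 to `lo` advertises it and removing it
withdraws it. Address and interface below are assumptions.
"""
import socket
import subprocess

ANYCAST_ADDRESS = "2001:db8::53"   # assumed service address
ANYCAST_IFACE = "lo"               # assumed interface carrying the /128


class HealthState:
    """Announce on the first good probe; withdraw only after `fail_threshold`
    consecutive bad probes so one dropped probe does not flap the route."""

    def __init__(self, fail_threshold=3):
        self.fail_threshold = fail_threshold
        self.failures = 0
        self.announced = False

    def observe(self, healthy):
        """Feed one probe result; return 'announce', 'withdraw' or 'noop'."""
        if healthy:
            self.failures = 0
            if not self.announced:
                self.announced = True
                return "announce"
            return "noop"
        self.failures += 1
        if self.announced and self.failures >= self.fail_threshold:
            self.announced = False
            return "withdraw"
        return "noop"


def commands_for(action, address=ANYCAST_ADDRESS, iface=ANYCAST_IFACE):
    """The `ip` commands that make ospf6d (via redistribute connected) start or
    stop advertising the anycast /128."""
    if action == "announce":
        return [["ip", "-6", "addr", "add", f"{address}/128", "dev", iface]]
    if action == "withdraw":
        return [["ip", "-6", "addr", "del", f"{address}/128", "dev", iface]]
    return []


def tcp_probe(host, port, timeout=1.0):
    """A completed TCP handshake with the service counts as healthy. Probe the
    service itself, not just the host, so a dead daemon on a live box withdraws."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def step(state, healthy, address=ANYCAST_ADDRESS, iface=ANYCAST_IFACE, dry_run=True):
    """Apply one probe result: returns (action, commands); runs them unless dry_run."""
    action = state.observe(healthy)
    cmds = commands_for(action, address, iface)
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=True)
    return action, cmds


if __name__ == "__main__":
    import time
    state = HealthState(fail_threshold=3)
    while True:  # one probe per second; dry_run=True only prints decisions
        action, cmds = step(state, tcp_probe(ANYCAST_ADDRESS, 53), dry_run=True)
        if action != "noop":
            print(action, cmds)
        time.sleep(1)
```

Run it as root with `dry_run=False` once the printed decisions look right. Because ECMP hashes per flow, every announce or withdraw reshuffles some existing flows onto other nodes, which is why the threshold matters more here than with a dedicated load balancer that can drain connections.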
You write "when" rather than "if" - is ignoring reasonable TTLs
current practice?
Definitely. We've seen 15 minute TTLs regularly go 48 hours without updating
on Cox or Comcast's name servers. I believe the most I've seen was 8 days
(Cox).
I definitely meant "when" not if. And Cox is by no
[Update to earlier stats: The current v4 prefix/AS ratio is 8.7.
However, there are ~11k ASes only announcing a single v4 route, so that means
the other ~14k ASes are at a v4 ratio of 14.3. In contrast, the current v6
ratio is 1.1 and the deaggregate rate is 1.2%.]
This is more than a little
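An added example (not from the thread) of how the ratios quoted above can be computed from a table dump: given (prefix, origin AS) pairs, it reports the prefix/AS ratio, how many ASes announce a single route, the ratio for the remaining ASes, and a deaggregation rate, here defined (an assumption about the poster's metric) as the share of prefixes that are more-specifics of another prefix announced by the same origin. The table is constructed sample data using documentation prefixes and private-use ASNs.

```python
"""Prefix/AS ratio and deaggregation statistics from a (prefix, origin AS) list.

Added example; the input below is constructed sample data, not a real dump.
"""
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample table: documentation prefixes and private-use ASNs.
SAMPLE_TABLE = [
    ("192.0.2.0/24", 64496),
    ("198.51.100.0/24", 64497),
    ("198.51.100.0/25", 64497),   # more-specific of the /24, same origin: deaggregation
    ("203.0.113.0/24", 64498),
    ("203.0.113.0/25", 64499),    # more-specific with a different origin: not counted
    ("2001:db8::/32", 64496),
    ("2001:db8:1::/48", 64496),   # v6 deaggregation by the same origin
]


def parse_table(rows):
    """Turn (prefix string, ASN) rows into (ip_network, int) pairs; bad rows raise."""
    return [(ip_network(prefix, strict=True), int(asn)) for prefix, asn in rows]


def deaggregate_rate(routes):
    """Share of prefixes that are more-specifics of another prefix from the same origin.

    One reasonable definition of "deaggregation"; the thread does not say which
    definition the quoted 1.2% used.
    """
    by_as = defaultdict(list)
    for net, asn in routes:
        by_as[asn].append(net)
    deagg = 0
    for nets in by_as.values():
        for net in nets:
            if any(other.version == net.version and other != net and net.subnet_of(other)
                   for other in nets):
                deagg += 1
    return deagg / len(routes) if routes else 0.0


def ratio_stats(table, version):
    """Prefix/AS statistics for one address family (4 or 6)."""
    routes = [(net, asn) for net, asn in table if net.version == version]
    per_as = defaultdict(int)
    for _, asn in routes:
        per_as[asn] += 1
    single = sum(1 for count in per_as.values() if count == 1)
    multi_ases = len(per_as) - single
    multi_prefixes = sum(count for count in per_as.values() if count > 1)
    return {
        "prefixes": len(routes),
        "ases": len(per_as),
        "ratio": len(routes) / len(per_as) if per_as else 0.0,
        "single_route_ases": single,
        # Ratio for only the ASes announcing more than one prefix (the post's 14.3).
        "multi_ratio": multi_prefixes / multi_ases if multi_ases else 0.0,
        "deagg_rate": deaggregate_rate(routes),
    }


if __name__ == "__main__":
    table = parse_table(SAMPLE_TABLE)
    for family in (4, 6):
        print(f"v{family}:", ratio_stats(table, family))
```

Feed it the output of `show ip bgp` reduced to prefix and origin AS (the last ASN in the path) to reproduce the numbers for your own view; the ratio depends on the vantage point, since not every more-specific is visible everywhere.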
First of all, there's disagreement about the definition of "site", and some
folks hold the opinion that means physical location. Thus, if you have 100
sites, those folks would claim you have justified 100 /48s (or one /41).
Other folks, like me, disagree with that, but there are orgs out ther
Current policy allows for greater-than-/48 PI assignments if the org can
justify it. However, since we haven't told staff (via policy) what that
justification should look like, they are currently approving all requests and
several orgs have taken advantage of that.
I can't imagine what an end
I don't think ARIN is planning on giving out more less a /48 but more than
a /32- at least that was the impression I got. End sites get a /48- ISP's
get a /32 or larger- and that's it (I could certainly be wrong). As such,
deaggregation in the /48 block should not be an issue because no one wi
The upside is that in the block you're expected to accept /48s, nobody will
have a /32. The downside is that anyone who gets a larger-than-minimum sized
allocation/assignment can deaggregate down to that level.
I don't think ARIN is planning on giving out more less a /48 but more than
a /32-
and this means getting a good story in front of bean-counters about
expending opex/capex to do this transition work. Today the simplest answer
is: "if we expend Z dollars on new equipment, and A dollars on IT work we
will be able to capture X number of users for Y new service" or some
version of
I understand the problems but I think there are clear cut cases where
/48's make sense- a large scale anycast DNS provider would seem to be a
good candidate for a /48 and I would hope it would get routed. Then again
that might be the only sensible reason...
Don't give people an excuse to deagg
Strange. My rep always took pride in the fact that M- and T- series
devices have no overcommit at all.. Maybe things changed, we use no
quad-gig.
Many of Juniper's cards for the M7/M10 are oversubscribed- just look at
their PDFs on the subject:
http://www.juniper.net/products/modules/100044.p
choice? Layout here is such that I'd expect to use a single quad gigabit port
ethernet blade in each of a pair of M10i/M20 to achieve redundancy.
he said 'blade' to which I read '4 pics in a FPC'... maybe it's a
terminology thing? Neal?
The M10i doesn't have an FPC blade per se (it's built int
I don't know much about Juniper but I'm about to learn with a new job. If
I'm going to take full routes from a couple of upstreams and have a couple of
peers will the M10i (768M max) be enough or is the M20 (2048M max) a better
choice? Layout here is such that I'd expect to use a single quad g
On routers, you have your choice as of 12.2 (I believe). On the small
3550/3560 type MLS products only HSRP is offered.
Sorry- wasn't thinking.
Of course the "new" animal in town is GLBP which offers load sharing.
GLBP being completely Cisco proprietary unfortunately.
-Don
No, in fact those are very interesting as they're a stop-gap between 3750s
and 4500s at a good price per port. Are there any HSRP limitations on them?
Guess I need to do some more research, as those are pretty hot.
Hasn't Cisco said for years that HSRP should not be used in new
deployments and
A _much_ longer version of this was sent privately- but I had to take
public exception to the following comment:
I'm not surprised that when they are dealing with companies that delete
all evidence they might need or push as much red tape as possible, that
the LEA turns around and scrutinizes
You work so hard to defend people that exploit children? Interesting. We are
talking LEA here and not the latest in piracy law suits. The #1 request from
a LEA in my experience concerns child exploitation.
Working hard to defend privacy does not automatically equal protecting
people w
In my personal opinion, ISPs, vendors, and such should legally be held
responsible for their product's security and unconditionally be made to
repair any security holes. -- if a vendor or ISP maintains good security
practices, there will be nothing for them to fear from this.
What's really upset
It *is* a criminal offence under extensions to the original CMA1990 in the
Police and Justice Act 2006. The maximum penalty was also increased to two
years imprisonment.
I don't think this particular incident is enough to attract a custodial
sentence, but he will almost certainly end up with a
offers 5 minutes from curb to seat check-in service. The need exists but
it ain't gonna be filled anytime soon because the government prohibits
such things. The government mandates delays and multiple vetting
processes between the time you step on the curb and the time you sit in
your airplane se
Well, you're not likely to get it for the $8.95 that Godaddy charges.
Their abuse department does a remarkably good job, considering their
volume and margins.
Perhaps the message here is that you get what you pay for. For a rock
bottom price, you get rock bottom service. There are registrars
I know the head abuse guy at Godaddy. He is a reasonable person. He
turns off large numbers of domains but he is human and makes the
occasional mistake. The fact that everyone cites the same mistake
tells me that he doesn't make very many of them.
We cite this one because it was such an unbel
What are your thoughts on basic suggestions such as:
1. Allowing registrars to terminate domains based on abuse, rather than
just fake contact details.
I don't like this because it's impossible to define abuse clearly enough in
this context.
If a fictitious web-shop 'nice-but-dim.com' gets a
You got me there. I will add:
"You can NEVER make the Pirates go away" but;
"You can make sure they never enter your seas"
Enough analogies though. :)
The Flying Spaghetti Monster is not at all happy about this talk of
stopping pirates. He will likely smite you all with his noodly appendage.
You do realize this post is not about Microsoft or IE 0days, right?
I would prefer not to turn this into an OS flamefest, my only point is that
*this list* is not the proper venue to discuss this issue; nor the methods
that you suggest as a remedy, regardless of merit.
Again if the rest of
1) Expected to have above-average UNIX skills, above-average exposure to
DNS (understanding SOAs, must have familiarity with dig, etc.),
familiarity with HTTP (manual fetches/form queries, etc.), SSH and
...
and do not hire people who tout themselves as superior or "too proud to
work in a NO
Anyway, I have a friend who managed to get "Not A Janitor" on his
business card.
"Rear Admiral" was my favorite business card title if only because that
was also the caller ID on my phone (I managed the PBX at the time).
I've seen "Systems/Unix/DNS Ninja." At my current job I make breakf
Especially in rural areas (where physically reading meters sucks the most due
to long inter-house distances), you have no guarantee of good cellular coverage.
The electric company *can* however assume they have copper connectivity to
the meter by definition
Doesn't have to be copper- it co
I have a cage at an AT&T hosting facility in NY.
Every few weeks I end up with horrendous VPN problems to another site I
have on MCI's network in Maryland, as well as to a partners site, in the
same area, also on MCI.
mtr -s 800 to either site shows 10% packet loss on the hop from:
12.122.10
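An added example, not from the post, of reading `mtr --report` output the way this diagnosis needs: per-hop loss only points at a forwarding problem if it persists through every later hop to the destination; loss at one hop that disappears downstream is usually that router rate-limiting or deprioritizing its own ICMP replies. The two reports below are constructed sample data in mtr's report format, using documentation addresses.

```python
"""Classify per-hop loss in `mtr --report` output.

Added example; the reports below are constructed sample data, not the
poster's traces.
"""
import re

# One mtr report row: "  3.|-- 198.51.100.9   10.0%   50   8.2   8.4   7.9  12.1   0.8"
# Unresponsive hops print "???" and a loss column of "100.0" without the % sign.
ROW_RE = re.compile(
    r"^\s*(?P<hop>\d+)\.\|--\s+(?P<host>\S+)\s+(?P<loss>[\d.]+)%?\s+(?P<sent>\d+)"
    r"\s+(?P<last>[\d.]+)\s+(?P<avg>[\d.]+)\s+(?P<best>[\d.]+)\s+(?P<wrst>[\d.]+)"
    r"\s+(?P<stdev>[\d.]+)"
)

# Constructed: 10% loss appearing at hop 3 and persisting to the destination.
REPORT_PERSISTENT = """\
HOST: cage.example.net            Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1                  0.0%    50    0.4   0.5   0.3   0.9   0.1
  2.|-- 192.0.2.254                0.0%    50    1.1   1.2   1.0   1.8   0.2
  3.|-- 198.51.100.9              10.0%    50    8.2   8.4   7.9  12.1   0.8
  4.|-- 198.51.100.10             10.0%    50    9.0   9.1   8.8  13.0   0.7
  5.|-- 203.0.113.1               10.0%    50   12.3  12.5  12.0  15.2   0.6
"""

# Constructed: heavy loss at hops 2 and 3 that vanishes by the destination.
REPORT_RATE_LIMITED = """\
HOST: cage.example.net            Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 192.0.2.1                  0.0%    50    0.4   0.5   0.3   0.9   0.1
  2.|-- 192.0.2.254               40.0%    50    1.1   1.2   1.0   1.8   0.2
  3.|-- ???                       100.0    50    0.0   0.0   0.0   0.0   0.0
  4.|-- 203.0.113.1                0.0%    50   12.3  12.5  12.0  15.2   0.6
"""


def parse_mtr_report(text):
    """Return one dict per hop row; the header and unrecognised lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            hops.append({
                "hop": int(m["hop"]),
                "host": m["host"],
                "loss": float(m["loss"]),
                "sent": int(m["sent"]),
                "avg_ms": float(m["avg"]),
            })
    return hops


def loss_origin(hops, threshold=1.0):
    """First hop whose loss >= threshold is also seen on every later hop, destination
    included: where real forwarding loss starts. None if loss never persists to the
    end of the path."""
    for i, hop in enumerate(hops):
        if hop["loss"] >= threshold and all(h["loss"] >= threshold for h in hops[i:]):
            return hop["hop"]
    return None


def suspect_rate_limiting(hops, threshold=1.0):
    """Hops showing loss that is not carried through to the destination: most likely
    the router rate-limiting or deprioritising its own ICMP replies, which says
    nothing about loss for transit traffic."""
    origin = loss_origin(hops, threshold)
    cutoff = len(hops) if origin is None else next(
        i for i, h in enumerate(hops) if h["hop"] == origin)
    return [h["hop"] for h in hops[:cutoff] if h["loss"] >= threshold]


def summarize(text, threshold=1.0):
    """Parse a report and return the two verdicts together."""
    hops = parse_mtr_report(text)
    return {"hops": len(hops), "loss_origin": loss_origin(hops, threshold),
            "suspect_rate_limited": suspect_rate_limiting(hops, threshold)}


if __name__ == "__main__":
    print("persistent:", summarize(REPORT_PERSISTENT))
    print("rate-limited:", summarize(REPORT_RATE_LIMITED))
```

When opening a ticket with a carrier, the `loss_origin` hop is the one to quote, ideally with a report run in both directions, since the return path can differ from the forward one and the loss may actually live there.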
now pingable addresses are:
194.60.78.254
194.60.204.254
194.153.114.254
From one location, things die as soon as they hit AT&T, another location
things work perfectly.
I have a couple of networks off AT&T and I am not seeing these routes in
my tables. I do see them off other networks, howeve
throughout the US. In recent memory, I can think of two large colocation
centers that retain your ID. One is in Miami and one in New York (I don't
think I need to name names, most of you know to which I refer). All others
(including AT&T) have never asked to retain my ID.
I don't mind naming
So we're saying that a lawsuit is an intelligent method to force someone
else to correct something that you are simply using to avoid the irritation
of manually updating things yourself???
That seems to be the epitome of laziness vs. litigiousness.
I think the point is that people are trusting t
agreed, let's NOT do the v6 thing... do the 32-bit asn's give us more than
just 'more bits' ? :) (Sorry, I couldn't resist). So, yes, let's get
someone to start testing, I'd just caution on assigning the 32-bit asn's
for real-users, since much of the net might not be able to use them,
partial re
So, all of the current devices need to get upgraded before 'day one' of
32-bit ASN use... that'll be fun :) Why is RIPE passing out the 32-bit
ASN's now?
ARIN will begin passing out 32 bit ASN's to anyone who asks as of January
1, 2007. This is the same policy as RIPE so I don't see what the bi
At some point, it will become cheaper to just deploy IPv6 than to do the
things needed to get more IPv4 space.
What's this week's forecast for the event horizon, anyhow? It keeps moving
around
That's what I'd like to know. Is the DoD "deadline" going to motivate
anyone? When are we going t
Steve's 100% spot-on here. I don't have bogon filters at all and it
hasn't hurt me in the least. I think the notion that this is somehow
a good practice needs to be quashed.
Some people don't use condoms with hookers either. Just because they
haven't caught anything yet doesn't make it a sm
I've got a client looking to upgrade their edge routers and they want
to consider all of their options.
Right now we're looking at Cisco, Juniper and Foundry. I'd like to hear
what other people have to say about the vendors, their offerings and their
support. Do their products have particula
As for the LSA issue- rebooting would have fixed the problem, assuming it was
done by all nodes at the same time. All of the Link State tables would have
been rebuilt from scratch by the IMPs and the corrupt announcements would
have been gone.
Turns out this is actually mentioned on page 14 o
Anyway, I don't think that would have helped if you're talking about the
same incident I'm thinking of. There were application-level
retransmissions of (corrupted) packets, complete with building new bad
packets from bad data structures, all over the net
The problem is documented in RFC 789 I
My tests from 2 years ago showed the same thing, both /24s were behind
the same system in Exodus' NYC DC in Manhattan (IIRC). That is what
prompted me to move everything to the rcom partner side which uses eNom.
I don't know about a "partner" side but their premium service was always
run by Re
I submitted both spams to spamcop and the appropriate abuse addresses would
have been notified in both cases. I got no response from either of my
submissions. As for a "reason for ignoring" my complaint I really couldn't
say since, well they ignored me.
Did you ever send a complaint to [EMAI
It's pretty well-known that register.com has been a source of spam, and that
complaints to them have been ineffective.
Albert,
I don't know about Register.com's opinion but I dare say the statement
above isn't very helpful to me as an admin.
When you say "has been a source of spam" is there
5. AT&T (at least when I've dealt with them in their datacenters) does not
support BGP community strings for null routing (or any strings for that
matter :)
Lest anyone take me too seriously on that last point- AT&T hosting does
have community strings for certain features- unfortunately not fo