Re: Netflix VPN detection - actual engineer needed

On 5/Jun/16 23:18, Damian Menscher wrote: > This entire thread confuses me. Are there normal home users who are being > blocked from Netflix because their ISP forces them through a HE VPN? Or is > this massive thread just about a handful of geeks who think IPv6 is cool > and insist they be all

Re: Netflix VPN detection - actual engineer needed

On 6/Jun/16 00:18, Matt Freitag wrote: > While it is damaging negative publicity it also makes sense. HE's tunnel > service amounts to a free VPN that happens to provide IPv6. I would love > for someone from HE to jump in and explain better how their tunnel works, > why it's been blocked by Netf

Re: Netflix VPN detection - actual engineer needed

On 6/Jun/16 00:48, Damian Menscher wrote: > What *is* standard about them? My earliest training as a sysadmin taught > me that any time you switch away from a default setting, you're venturing > into the unknown. Your config is no longer well-tested; you may experience > strange errors; nobody

Re: Netflix VPN detection - actual engineer needed

On 6/Jun/16 01:45, Damian Menscher wrote: > > Who are these non-technical Netflix users who accidentally stumbled into > having a HE tunnel broker connection without their knowledge? I wasn't > aware this sort of thing could happen without user consent, and would like > to know if I'm wrong. O

Traffic engineering and peering for CDNs

Lately I have been putting in some effort to maximize our IX connections by trying to work with the top 5-ish list of ASNs that still send us traffic via a paid transit connection despite the fact that we are both present on the same IX(s). In one case I missed the fact that one ASN wasn't using

Re: Traffic engineering and peering for CDNs

On Mon, 6 Jun 2016, Graham Johnston wrote: What I am not understanding about the respective CDN's network wherein they don't send traffic to me through a consistent path? Is the content coming from widely different places and rather than transport it across their own network from a remote site

Monitoring system recommendation

Dear Nanog community We are currently planning to upgrade our monitoring system (Opsview) due to scalability issues and I was wondering what do you recommend for monitoring 5000 hosts and 35000 services. We would like to use a monitoring system that is compatible with the nagios plugin format, how

Re: Traffic engineering and peering for CDNs

Hello, > On Jun 6, 2016, at 7:36 AM, Graham Johnston wrote: > > Lately I have been putting in some effort to maximize our IX connections by > trying to work with the top 5-ish list of ASNs that still send us traffic via > a paid transit connection despite the fact that we are both present on t

Re: Netflix VPN detection - actual engineer needed

I have Hulu Plus and Amazon Prime. The only thing I would miss from Netflix is their Marvel original series. And I can live with that. I can't live without my IPv6 enabled home network and Internet connection since that's an essential part of my job. (I'm the IPv6 transition technical lead for a la

RE: Netflix VPN detection - actual engineer needed

Netflix IS acting in their user's best interest. In order to provide content that the user's want, the content providers have mandated that they do their due diligence to block out of region users including VPN and open tunnel access. As Hulu and Amazon prime become more popular and their contra

Re: Netflix VPN detection - actual engineer needed

As an addendum to this and what someone said earlier about the tunnels not being anonymous: From Netflix's perspective they are. Yes HE knows who controls which tunnel, but if Netflix went to HE and said "Tell me what user has x/48" HE would say "No". Thus, making them an effective anonymous VP

Re: Netflix VPN detection - actual engineer needed

Nonsense. That is hardly their only option as many others have pointed out. It's a deliberate and technically lazy choice to block 6in4 tunnels. Those are not even vaguely the same thing as a VPN. They've decided to break normal IPv6 support and do so in a way that does not even fall back to IPv4.

Re: Netflix VPN detection - actual engineer needed

On Sun, Jun 5, 2016, at 17:18, Matt Freitag wrote: > While it is damaging negative publicity it also makes sense. HE's tunnel > service amounts to a free VPN that happens to provide IPv6. I would love > for someone from HE to jump in and explain better how their tunnel works, > why it's been bloc

Re: Netflix VPN detection - actual engineer needed

On Fri, Jun 3, 2016, at 17:30, Naslund, Steve wrote: > > I guarantee you that Apple does not know where my Apple TV units or any > of my Sony TVs are because they are on hard Ethernet cables with WiFi > disabled so if they told the lawyers that, they lied. > I woud not be surprised if Apple wa

Vidéotron CPE bug

Any Vidéotron engineer listening? On your CPE there's a SIP ALG on TCP port 5060 that is causing issues to our clients with Cisco 79xx phones. I'm referring to the CPE that is used for business subscribers with static IP addresses. Please contact me for all the details. Thanks, Simon

Re: Netflix VPN detection - actual engineer needed

On Sun, Jun 5, 2016, at 18:45, Damian Menscher wrote: > > Another question: what benefit does one get from having a HE tunnel > broker > connection? Is it just geek points, or is there a practical benefit too? > I can access all my equipment at home remotely without having to resort to Port A

Re: Netflix VPN detection - actual engineer needed

On Sun, Jun 5, 2016, at 23:55, jim deleskie wrote: > Damian, I HIGHLY doubt regular folks are running into issues with this, I > suspect its not even geeks in general having issues, I suspect 80% plus of > those having issues spend most of their time complaining about something > related to v6 and

intra-AS messaging for route leak prevention

I am a co-author on a route-leak detection/mitigation/prevention draft in the IDR WG in the IETF: https://tools.ietf.org/html/draft-ietf-idr-route-leak-detection-mitigation-03 Based on private conversations with a few major ISPs, the following common practice for intra-AS messaging (using Commu

Re: Monitoring system recommendation

On Mon, Jun 6, 2016, at 09:18, Manuel Marín wrote: > Dear Nanog community > > We are currently planning to upgrade our monitoring system (Opsview) due > to > scalability issues and I was wondering what do you recommend for > monitoring > 5000 hosts and 35000 services. We would like to use a moni

Re: Netflix VPN detection - actual engineer needed

The whois information on the HE IPv6 address, does give the location. At least, it does on mine. On Mon, 6 Jun 2016 11:03:16 -0400 Spencer Ryan wrote: > As an addendum to this and what someone said earlier about the > tunnels not being anonymous: From Netflix's perspective they are. Yes > HE kn

Re: Netflix VPN detection - actual engineer needed

> They deserve all the bad publicity that comes with such a anti-customer decision and the blame for their implementation choices cannot be passed back to the content providers. Content Providers: Block VPN and tunnel services. Netflix: That really isn't the best way of doing this Content Provider

RE: Netflix VPN detection - actual engineer needed

Scott, You are being absurd. The number of Netflix customers using 6in4 tunnels has to be in the 0.0001% territory of their users. They would be committing business malpractice to risk their contracts with content providers to provide access to that negligent amount of users. It’s not laziness

Re: Netflix VPN detection - actual engineer needed

The SB6141, while fine for now, is only an 8 downstream channel device. If you are buying one now I would recommend a a 16 or 24 channel device. Alternatively, wait (lease) a few months and buy a DOCSIS 3.1 modem in retail when they come out. Jason Livingood Comcast On 6/3/16, 11:42 PM, "nanog

RE: Netflix VPN detection - actual engineer needed

On Mon, 6 Jun 2016, Matthew Huff wrote: You can argue about the content provides business model all you want, but Netflix has to do what they are doing. They aren't blocking IPv6 users, they are blocking users that are using VPNs and/or tunnels since their currently is no practical way of prov

Re: Netflix VPN detection - actual engineer needed

* Spencer Ryan > As an addendum to this and what someone said earlier about the > tunnels not being anonymous: From Netflix's perspective they are. Yes > HE knows who controls which tunnel, but if Netflix went to HE and > said "Tell me what user has x/48" HE would say "No". Thus, making > them

Re: Netflix VPN detection - actual engineer needed

On Sun, Jun 5, 2016 at 10:51 PM, Jon Lewis wrote: > On Sun, 5 Jun 2016, Owen DeLong wrote: > >> What is non-standard about an HE tunnel? It conforms to the relevant RFCs >> and >> is a very common configuration widely deployed to many thousands of >> locations >> around the internet. >> >> Itÿÿs n

Re: Netflix VPN detection - actual engineer needed

On 6/5/16, 7:11 PM, "NANOG on behalf of Christopher Morrow" wrote: >I dislike the IP folks as much as anyone, but :( flix has to make a >good-faith-effort or they'll lose content sources, I suspect. Perhaps so. And now that they are an original content creator as well, and making large investmen

Re: intra-AS messaging for route leak prevention

On Mon, Jun 06, 2016 at 11:41:52AM +, Sriram, Kotikalapudi (Fed) wrote: > I am a co-author on a route-leak detection/mitigation/prevention draft > in the IDR WG in the IETF: > https://tools.ietf.org/html/draft-ietf-idr-route-leak-detection-mitigation-03 > > > Question: Are there other mean

Re: Monitoring system recommendation

On Mon, Jun 6, 2016, at 09:18, Manuel Marín wrote: 5000 hosts and 35000 services. We would like to use a monitoring system that is compatible with the nagios plugin format, however we are not sure if systems like Icinga/Shinken/Op5 are the way to go. At that kind of scale, you need to take a s

Re: Netflix VPN detection - actual engineer needed

On 2016-06-06 15:21, Tore Anderson wrote: But Netflix shouldn't have any need to ask in the first place. Their customers need to log in to their own personal accounts in order to access any content, when they do Netflix can discover their addresses. Tore Hey there's an idea, how about they A

Re: Netflix VPN detection - actual engineer needed

> On Jun 6, 2016, at 8:21 AM, Tore Anderson wrote: > > * Spencer Ryan > >> As an addendum to this and what someone said earlier about the >> tunnels not being anonymous: From Netflix's perspective they are. Yes >> HE knows who controls which tunnel, but if Netflix went to HE and >> said "Tell m

Re: Netflix VPN detection - actual engineer needed

No need to speculate some details are available ... http://www.michaelgeist.ca/2015/04/nobodys-perfect-leaked-contract-reveals-sony-requires-netflix-to-geo-block-but-acknowledges-technology-is-imperfect/ And thats just for a single content provider ... On Mon, Jun 6, 2016 at 11:55 AM, Livingood, J

RE: Monitoring system recommendation

> We are currently planning to upgrade our monitoring system (Opsview) due > to scalability issues and I was wondering what do you recommend for > monitoring > 5000 hosts and 35000 services. We would like to use a monitoring system that Another consideration is check_mk. We use it in our shop. T

Re: Traffic engineering and peering for CDNs

Some rely on performance testing to the client's DNS resolver and if they're not using on-net ones, they'll be directed to use a different CDN node. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com - Or

Re: Netflix VPN detection - actual engineer needed

> On Jun 5, 2016, at 15:48 , Damian Menscher wrote: > > On Sun, Jun 5, 2016 at 2:59 PM, Owen DeLong > wrote: > > On Jun 5, 2016, at 14:18 , Damian Menscher > > wrote: > > On Fri, Jun 3, 2016 at 4:43 PM, Baldur Norddahl >

AW: Traffic engineering and peering for CDNs

Hi Graham! In addition to the other two comments, I´d like to add some topics: > Lately I have been putting in some effort to maximize our IX connections by > trying to work with the top 5-ish list of ASNs that still send us traffic via a paid > transit connection despite the fact that we are b

Re: Netflix VPN detection - actual engineer needed

On Mon, Jun 6, 2016, at 10:08, John Peach wrote: > The whois information on the HE IPv6 address, does give the location. > At least, it does on mine. > That's interesting. On mine it does not. It just shows HE's info. -- Mark Felder f...@feld.me

Re: Netflix VPN detection - actual engineer needed

> On Jun 5, 2016, at 16:45 , Damian Menscher wrote: > > On Sun, Jun 5, 2016 at 4:33 PM, Laszlo Hanyecz > wrote: > >> On 2016-06-05 22:48, Damian Menscher wrote: >> >>> >>> What *is* standard about them? My earliest training as a sysadmin taught >>> me that any ti

Re: Traffic engineering and peering for CDNs

as far as im aware ... a friend of mine on INEX in Ireland said most cdns use source ip of the DNS requests to determine which network to direct them to ... so if you use you have your own resolver on an ip address in your network range cdns can accurately determine what network the request is co

Re: Netflix VPN detection - actual engineer needed

On Mon, Jun 6, 2016, at 13:09, Brandon Jackson wrote: > Looking up your tunnels block in ARIN will only show HE's Info. > > Using HE's rwhois http://rwhois.he.net/whois.php > > Shows the information provided by the tunnel user at time of signup or as > modified in account settings. > Ahh, co

Re: Netflix VPN detection - actual engineer needed

Maybe HE's IPv6 tunnel packets could be flagged with a destination option (extension header field) that records the end-user's IPv4 tunnel endpoint so geolocation could be done in the "old fashioned" way on that address. Similar to the way that edns-client-subnet records the end user's address for

Re: Netflix VPN detection - actual engineer needed

It's obviously a nontrivial number otherwise why would Netflix block it? :) Aled Morris wrote: Maybe HE's IPv6 tunnel packets could be flagged with a destination option (extension header field) that records the end-user's IPv4 tunnel endpoint so geolocation could be done in the "old fashioned"

Re: Netflix VPN detection - actual engineer needed

On Mon, Jun 6, 2016 at 3:30 PM, Aled Morris wrote: > Maybe HE's IPv6 tunnel packets could be flagged with a destination option > (extension header field) that records the end-user's IPv4 tunnel endpoint > so geolocation could be done in the "old fashioned" way on that address. > > Similar to the

Re: Netflix VPN detection - actual engineer needed

On Mon, 06 Jun 2016 20:30:02 +0100, Aled Morris said: > Maybe HE's IPv6 tunnel packets could be flagged with a destination option > (extension header field) that records the end-user's IPv4 tunnel endpoint > so geolocation could be done in the "old fashioned" way on that address. > > Similar to the

Re: Netflix VPN detection - actual engineer needed

None of this is a problem with actual network engineering, HE's tunnels work fine. It goes in the category of political/economic/contractual , not "this is a technical problem we need to solve". The problem exists with business/contractual relationship Netflix has with its content providers, which

Re: ISP License in the USA?

These are the two I'm most familiar with: Lerman Senter, as Faisal mentioned: http://www.lermansenter.com/ Rini O'Neil: http://rinioneil.com/ --Eric

any way to deal with google's captcha for whole /21 v4?

Hello dear Nanog group, Any suggestions how to deal with Google captcha for whole /21 ipv4 newly acquired block? Every IP from the prefix getting blocked by Captcha which never resolves. Thanks in advance. — Dmitry Sherman Interhost Networks Ltd dmi...@interhost.net office: 972-74-7029881 mobile

Re: Netflix VPN detection - actual engineer needed

On 2016-06-06 19:39, Christopher Morrow wrote: ​Doing any sort of 'authentication' or 'authorization' on src-IP is just .. broken.​ This. Netflix is pretending to have a capability (geolocation by src ip) that doesn't exist and there is collateral damage from the application of their half

Re: Netflix VPN detection - actual engineer needed

Geolocation by IP is even funnier as an idea for those who have worked in network engineering for commercial, geostationary two-way satellite services... Some examples: 1. C-band teleport in Singapore with SingTel IPs, remote terminals in Afghanistan. 2. Ku-band teleport in Germany with IP space

Re: Netflix VPN detection - actual engineer needed

> 1. C-band teleport in Singapore with SingTel IPs, remote terminals in > Afghanistan. > > 2. Ku-band teleport in Germany with IP space in an Intelsat /20, remote > terminal on the roof of a US government diplomatic facility in > $DEVELOPING_COUNTRY > > 3. Teleports in Miami with IP space that lo

Re: Netflix VPN detection - actual engineer needed

In message , Eric Kuhnke writes: > None of this is a problem with actual network engineering, HE's tunnels > work fine. It goes in the category of political/economic/contractual , not > "this is a technical problem we need to solve". > > The problem exists with business/contractual relationship

Re: Netflix VPN detection - actual engineer needed

On Sun, 05 Jun 2016 19:35:27 -0400, Mark Andrews wrote: It is a attack on HE. HE also provides stable user -> address mappings so you can do fine grained geo location based on HE IPv6 addresses. They may be "fine grained", but they are still lies. One's tunnel can be terminated from *anywhe

Re: Netflix VPN detection - actual engineer needed

On Mon, 06 Jun 2016 11:08:13 -0400, John Peach wrote: The whois information on the HE IPv6 address, does give the location. At least, it does on mine. It lists the location of the user's registration -- which could very well be a lie as they do nothing at all to verify it. AND that has zero

Re: any way to deal with google's captcha for whole /21 v4?

This usually happens because we've detected abuse on your network. Please send me details off-list -- I think you may be an unusual case with the recent transfer of the IP-space. I'm especially curious who you acquired it from since they may have been using it for abuse, then sold it when it was

Re: Netflix VPN detection - actual engineer needed

On Mon, 06 Jun 2016 15:44:14 -0400, wrote: And if Netflix can't be bothered to consult rwhois for the ownership (which could be used for other use cases as well), they certainly aren't going to do *new* code as a one-off. Said by someone who's never written (r)whois parsers. There's no standar

Re: Netflix VPN detection - actual engineer needed

> And they could easily redirect HE IPv6 addresses to a IPv4 only > service. This would satify both the content providers and the > customers. It's not like there tunneled traffic is IPv6 only as > there has to be a IPv4 endpoint for the tunnel. > > You can't argue that HE is too small to do this

Re: Netflix VPN detection - actual engineer needed

While I think this may well be the reason for Netflix’s actions, do you have any evidence to back up this claim? Actual evidence vs. just a very good educated guess and speculation could prove very useful in this circumstance. Owen > On Jun 6, 2016, at 7:59 AM, Matthew Huff wrote: > > Netfli

Re: Netflix VPN detection - actual engineer needed

In message , "Ricky Beam" writes: > On Sun, 05 Jun 2016 19:35:27 -0400, Mark Andrews wrote: > > It is a attack on HE. HE also provides stable user -> address > > mappings so you can do fine grained geo location based on HE IPv6 > > addresses. > > They may be "fine grained", but they are still l

Re: Netflix VPN detection - actual engineer needed

> On Jun 6, 2016, at 9:01 AM, Laszlo Hanyecz wrote: > > > On 2016-06-06 15:21, Tore Anderson wrote: >> >> But Netflix shouldn't have any need to ask in the first place. Their >> customers need to log in to their own personal accounts in order to >> access any content, when they do Netflix can

Re: Netflix VPN detection - actual engineer needed

Search this email thread (there was a link to a document dump), or use google. Neither Netflix nor the content providers have been very shy about this. Now for the speculation part … I think it’s possible that Netflix has gone along with this because they want to expand into countries that have

Re: IPv6 is better than ipv4

On Thursday, June 2, 2016, Rubens Kuhl wrote: > On Thu, Jun 2, 2016 at 11:47 AM, Ca By > > wrote: > > > > > > https://blogs.akamai.com/2016/06/preparing-for-ipv6-only-mobile-networks-why-and-how.html > > > > Wherein akamai explains a detailed study showing ipv6 is "well > > over 10%" faster than

Re: Netflix VPN detection - actual engineer needed

On 6 June 2016 at 19:40, Owen DeLong wrote: > > The problem is that some users travel and they try to watch Netflix using > their home account in far away lands. > Interestingly, audible.com (the audio book people) actually warn you about this up front - they point out on their site that many ti

Re: Netflix VPN detection - actual engineer needed

> In other words, it's not just Netflix that has this problem... No, it's Netflix that has the problem. Audible actually gives a fuck about their customers.

Re: Netflix VPN detection - actual engineer needed

Holy fuck get on your meds. As someone who actually has to deal with 3 different (4 technically) content providers, their distribution agreements and requirements for distribution a the way through the network are absolutely asinine, but required if you want your eyeballs to receive their cont

Re: Netflix VPN detection - actual engineer needed

On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews wrote: What lie? Truly who is lying here. Not the end user. Not HE. There is no requirement to report physical location. The general lie that is IP Geolocation. HE only has what I tell them (100% unverified), and what MaxMind (et.al.) tell

Re: Netflix VPN detection - actual engineer needed

It should be pointed out that -- the SPECIFIC accusation from Netflix -- is that people on TunnelBroker are on a VPN or proxy unblocker. The data does not bear that out. Hash tag just saying. On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam wrote: > On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews

Re: Netflix VPN detection - actual engineer needed

The tunnelbroker service acts exactly like a VPN. It allows you, from any arbitrary location in the world with an IPv4 address, to bring traffic out via one of HE's 4 POP's, while completely masking your actual location. *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net *Arbor Netwo

Re: Netflix VPN detection - actual engineer needed

Right, but I think we know what Netflix is implying when they say "proxy unblocker" or "VPN" -- they mean people are deliberately going around GeoIP. In this case, I don't know anyone who uses TunnelBroker that way. They're using it for V6. That is to say, everyone I know with this issue could si

Re[2]: Netflix VPN detection - actual engineer needed

Yes. Just like any Internet connection, anywhere. The official place where my ISP provides my service is 14 miles from my house, and I use microwave between the two. Some of the things that are on that same port are 50 miles in the opposite direction. With a satellite uplink, I could make that

Re: intra-AS messaging for route leak prevention

On Mon, Jun 06, 2016 at 05:54:18PM +0200, Job Snijders wrote: > On Mon, Jun 06, 2016 at 11:41:52AM +, Sriram, Kotikalapudi (Fed) wrote: > > I am a co-author on a route-leak detection/mitigation/prevention draft > > in the IDR WG in the IETF: > > https://tools.ietf.org/html/draft-ietf-idr-route

Re: Monitoring system recommendation

On 6 June 2016 at 07:18, Manuel Marín wrote: > Dear Nanog community > > We are currently planning to upgrade our monitoring system (Opsview) due to > scalability issues and I was wondering what do you recommend for monitoring > 5000 hosts and 35000 services. We would like to use a monitoring syst

syslog server

Hi nanog community I need help !! What is the best syslog server (opensource)? Thanks for your help Regards. -- Max Velazquez |

Re: Monitoring system recommendation

I once worked for Zenoss and still suggest them. Zenoss supports NAGIOS plugins, and my $DAYJOB is at a Zenoss Partner who can help you achieve your goals. If you need some help with Zenoss feel free to contact me off list. Andrew On Monday, June 6, 2016, Manuel Marín wrote: > Dear Nanog commu

Re: Netflix VPN detection - actual engineer needed

> On Jun 6, 2016, at 6:44 PM, Harald Koch wrote: > > On 6 June 2016 at 19:40, Owen DeLong wrote: > >> >> The problem is that some users travel and they try to watch Netflix using >> their home account in far away lands. >> > > Interestingly, audible.com (the audio book people) actually warn

Re: Netflix VPN detection - actual engineer needed

I believe there are a lot more than 4. Owen > On Jun 6, 2016, at 8:25 PM, Spencer Ryan wrote: > > The tunnelbroker service acts exactly like a VPN. It allows you, from any > arbitrary location in the world with an IPv4 address, to bring traffic out > via one of HE's 4 POP's, while completely ma

Re: Netflix VPN detection - actual engineer needed

I’m sorry to say, Blair, that there are, in fact, many who do use HE tunnels for Geo Fence evasion. Sure, it doesn’t represent even a significant fraction of tunnel users, but they exist and they’ve been vocal, thus spoiling it for the rest of us. Owen > On Jun 6, 2016, at 8:27 PM, Blair Trosper

Re: syslog server

On Mon, 06 Jun 2016 14:59:51 -0600, Maximino Velazquez said: > What is the best syslog server (opensource)? Step 0: Define what "best" means in your environment. What features do you need? Routing to a central aggregation server over TLS? Powerful regex-based routing? Ingestion into a databas

Re: intra-AS messaging for route leak prevention

On 6/Jun/16 17:54, Job Snijders wrote: > There is the "human network" approach, where operators share information > with each other which be used to generate config to help block > "unlikely" announcements from eBGP neighbors. > > For instance AT&T and NTT agreed (through email) that there shoul

Re: Traffic engineering and peering for CDNs

On 6/Jun/16 20:03, Tom Smyth wrote: > as far as im aware ... a friend of mine on INEX in Ireland said most cdns > use source ip of the DNS requests to determine which network to direct them > to ... so if you use you have your own resolver on an ip address in your > network range cdns can accu

Re: IPv6 is better than ipv4

On 7/Jun/16 03:28, Ca By wrote: > > AWS / Cloudfront / Fastly - please have a look at how it is done. I think > Cloudflare already did this. CloudFlare already do. Mark.

Re: Monitoring system recommendation

Things to notice, as I prefer Zabbix over nagios (real database related, more functionalities) : - Zabbix actually is open source. You can buy support from them or from partners if you want - Zabbix can be distributed through central/proxies architecture to scale - nagios plugins can be adapted f