Re: IoT security

2017-02-07 Thread Ray Soucy
I think the fundamental problem here is that these devices aren't good network citizens in the first place. The odds of getting them to add functionality to support a new protocol are even less likely than getting them to not have open services externally IMHO. Couldn't a lot of this be caught by

Re: IPv4 Legacy assignment frustration

2016-06-23 Thread Ray Soucy
Regardless of whether or not people "should" do this, I think the horse has already left the barn on this one. I don't see any way of getting people who decided to filter all of APNIC to make changes. Most of them are static configurations that they'll never look to update. On Wed, Jun 22, 2016

Re: Android and DHCPv6 again

2015-10-15 Thread Ray Soucy
Android does not have a complete IPv6 implementation and should not be IPv6 enabled. Please do your part and complain to Google that Android does not support DHCPv6 for address assignment. On Sat, Oct 3, 2015 at 9:52 PM, Baldur Norddahl wrote: > Hi > > I noticed that

Re: /27 the new /24

2015-10-07 Thread Ray Soucy
Here is a quick starting point for filtering IPv6 on a Linux host system if you don't feel comfortable opening up all ICMPv6 traffic: http://soucy.org/tmp/v6firewall/ip6tables.txt I haven't really re-visited it in a while, so if I'm forgetting something let me know. On Wed, Oct 7, 2015 at 9:13

Re: UDP clamped on service provider links

2015-07-27 Thread Ray Soucy
"It depends on the network" is really the only answer. It's the kind of thing that happens quietly and often can be transient in nature (e.g. temporary big stick filters to deal with an active attack). As far as the reason it happens to UDP: UDP is a challenge because it's easy to leverage for

Re: Whats' a good product for a high-density Wireless network setup?

2015-06-20 Thread Ray Soucy
users per building. That's 8,000 users. (8 buildings, not counting walkways and courtyards, admin, etc.) Does this qualify as high-density? On Sat, Jun 20, 2015 at 5:33 AM Ray Soucy r...@maine.edu wrote: Well, I could certainly be wrong, but it's news to me if UBNT started supporting DFS

Re: Whats' a good product for a high-density Wireless network setup?

2015-06-20 Thread Ray Soucy
I've actually never made it out to a NANOG conference, so I'm not sure. I was just told this by peers who attended. On Sat, Jun 20, 2015 at 5:31 PM, Randy Bush ra...@psg.com wrote: I've never run Xirrus personally, but I think they were used for the last NANOG conference. and how did that

Re: Whats' a good product for a high-density Wireless network setup?

2015-06-19 Thread Ray Soucy
I know you don't want to hear this answer because of cost but I've had good luck with Cisco for very high density (about 1,000 clients in a packed auditorium actively using the network as they follow along with the presenter). The thing you need to watch out for with Ubiquiti is that they don't

Re: Whats' a good product for a high-density Wireless network setup?

2015-06-19 Thread Ray Soucy
...@snappytelecom.net -- *From: *Josh Luthman j...@imaginenetworksllc.com *To: *Faisal Imtiaz fai...@snappytelecom.net *Cc: *NANOG list nanog@nanog.org, Ray Soucy r...@maine.edu *Sent: *Friday, June 19, 2015 9:16:37 PM *Subject: *Re: Whats' a good product for a high

Re: Anycast provider for SMTP?

2015-06-18 Thread Ray Soucy
24x7x365 their content and they have watchers getting their streaming also 24x7x365 (like waiting rooms, airports) with no complaints or instability. Best regards, Kurt Kraut 2015-06-17 16:13 GMT-03:00 Ray Soucy r...@maine.edu: Anycast is generally not well-suited for stateful connectivity

Re: Anycast provider for SMTP?

2015-06-17 Thread Ray Soucy
Anycast is generally not well-suited for stateful connectivity (e.g. most things TCP). The use case for anycast is restricted to simple challenge-response protocol design. As such, you typically only see it leveraged for simple services (e.g. DNS, NTP). The reason for this, as you suspect, is

Re: Anycast provider for SMTP?

2015-06-17 Thread Ray Soucy
is better used for discovery services rather than services themselves. On Wed, Jun 17, 2015 at 5:12 PM, Chuck Church chuckchu...@gmail.com wrote: Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ray Soucy Sent: Wednesday, June 17, 2015 3:14 PM To: Joe

Re: Is it safe to use 240.0.0.0/4

2015-06-17 Thread Ray Soucy
There is already more than enough address space allocated for NAT, you don't need to start using random prefixes that may or may not be needed for other purposes in the future. For all we know, tomorrow someone could write an RFC requesting an address reserved for local anycast DNS and it could

Re: Android (lack of) support for DHCPv6

2015-06-12 Thread Ray Soucy
. conversation has been halted. well done. can we move on now? t On Fri, Jun 12, 2015 at 11:18 AM, James R Cutler james.cut...@consultant.com wrote: Ray Soucy has given us an nice summary. It goes along with “please let me manage my business and don’t take away my tools just to satisfy

Re: Android (lack of) support for DHCPv6

2015-06-12 Thread Ray Soucy
The only thing I would add is that DHCPv6 is not just about tracking clients. Yes there are ways to do so using SLAAC, but they are not pretty. Giving too much weight to tracking being the reason for DHCPv6 is just as bad as giving too much weight to tethering as the reason against it. It skews

Re: eBay is looking for network heavies...

2015-06-11 Thread Ray Soucy
I really wonder how people get into this field today. It has gotten incredibly complex and I've been learning since before I was a teenager (back when it was much more simple). I'm 31 now, but I started getting into computers and specifically networking at a very young age (elementary school).

Re: Android (lack of) support for DHCPv6

2015-06-11 Thread Ray Soucy
That's really not the case at all. You're just projecting your own views about not thinking DHCPv6 is valid and making yourself and Lorenzo out to be some sort of victims of NANOG and the ... university net nazis Did you really just write that? What we're arguing for here is choice, the

Re: Android (lack of) support for DHCPv6

2015-06-11 Thread Ray Soucy
Well, most systems implemented DHCPv6 support a long time ago. Despite other efforts to have Google support DHCPv6 for Android, nothing has happened. There is nothing wrong with using NANOG to call out a major vendor for this, even if they are a significant sponsor. Just because you don't agree

Re: Android (lack of) support for DHCPv6

2015-06-10 Thread Ray Soucy
So here is the thing. You can try to use enhanced functionality which depends on multiple addresses as justification for saying DHCPv6 is not supported. In practice, your device will just not be supported. As you pointed out, there isn't anything that forces adoption of IPv6 right now. If your

Re: Android (lack of) support for DHCPv6

2015-06-10 Thread Ray Soucy
becomes a second class citizen on the network under your model. On Wed, Jun 10, 2015 at 8:21 AM, Lorenzo Colitti lore...@colitti.com wrote: On Wed, Jun 10, 2015 at 8:35 PM, Ray Soucy r...@maine.edu wrote: In practice, your device will just not be supported. As you pointed out, there isn't

Re: Android (lack of) support for DHCPv6

2015-06-10 Thread Ray Soucy
The whole conversation is around 464XLAT on IPv6-only networks right? We're going to be dual-stack for a while IMHO, and by the time we can get away with IPv6 only for WiFi, 464 should no longer be relevant because we'll have widespread IPv6 adoption by then. Carriers can do IPv6 only because

Re: Android (lack of) support for DHCPv6

2015-06-10 Thread Ray Soucy
I've already written systems to do this kind of thing, but the logging requirements quickly go through the roof for a non-trivial network; especially in the case of temporary addressing now default on many systems. That isn't so much the issue as operational consistency and supportability. The

Re: Android (lack of) support for DHCPv6

2015-06-10 Thread Ray Soucy
I don't really feel I was trying to take things out of context, but the full quote would be: If there were consensus that delegating a prefix of sufficient size via DHCPv6 PD of a sufficient size is an acceptable substitute for stateful IPv6 addressing in the environments that currently insist on

Re: Android (lack of) support for DHCPv6

2015-06-10 Thread Ray Soucy
I agree that some of the rhetoric should be toned down (go out for a beer or something, guys ... I did). There is a difference between fiery debate with Lorenzo and a witch hunt, and some of this is starting to sound a bit personal. I shouldn't have worded things the way I did, I went for the

Re: Android (lack of) support for DHCPv6

2015-06-10 Thread Ray Soucy
On Wed, Jun 10, 2015, 21:30 Ray Soucy r...@maine.edu wrote: I agree that some of the rhetoric should be toned down (go out for a beer or something, guys ... I did). There is a difference between fiery debate with Lorenzo and a witch hunt, and some of this is starting to sound a bit personal. I

Re: Android (lack of) support for DHCPv6

2015-06-10 Thread Ray Soucy
that this is the position of Google. On Wed, Jun 10, 2015 at 10:58 AM, Lorenzo Colitti lore...@colitti.com wrote: On Wed, Jun 10, 2015 at 10:06 PM, Ray Soucy r...@maine.edu wrote: Actually we do support DHCPv6-PD, but Android doesn't even support DHCPv6 let alone PD, so that's the discussion here

Re: Android (lack of) support for DHCPv6

2015-06-09 Thread Ray Soucy
It really is too bad. They're literally the only major player not on board but claim to champion IPv6. There is a big difference between saying that something isn't supported and the Android position that they will NOT support DHCPv6. To me, that's something that shouldn't be a decision they

Re: Low Cost 10G Router

2015-05-20 Thread Ray Soucy
You're right I dropped down to the v2 for pricing reasons: - Supermicro SuperServer 5017R-MTRF - 4x SATA - 8x DDR3 - 400W Redundant - Eight-Core Intel Xeon Processor E5-2640 v2 2.00GHz 20MB Cache (95W) - 4 x SAMSUNG 2GB PC3-12800 DDR3-160 - 2 x 500GB SATA 6.0Gb/s 7200RPM - 3.5 - Western Digital

Re: Low Cost 10G Router

2015-05-20 Thread Ray Soucy
P.S. I went through HotLava Systems for the Intel-based SFP+ NICs to add to those, http://hotlavasystems.com/ (not trying to plug; these are just hard to find) On Wed, May 20, 2015 at 9:08 AM, Ray Soucy r...@maine.edu wrote: You're right I dropped down to the v2 for pricing reasons

Re: Low Cost 10G Router

2015-05-19 Thread Ray Soucy
How cheap is cheap and what performance numbers are you looking for? About as cheap as you can get: For about $3,000 you can build a Supermicro OEM system with an 8-core Xeon E5 V3 and 4-port 10G Intel SFP+ NIC with 8G of RAM running VyOS. The pro is that BGP convergence time will be good

Re: symmetric vs. asymmetric [was: Verizon Policy Statement on Net Neutrality]

2015-04-23 Thread Ray Soucy
Sorry, I know I get long-winded. That's why I don't post as much as I used to. ;-) On Thu, Apr 23, 2015 at 10:09 AM, Jay Ashworth j...@baylink.com wrote: There's an op-ed piece in this posting, Ray. Do you want to write it, or should I? :-) On April 23, 2015 10:06:42 AM EDT, Ray Soucy r

Re: symmetric vs. asymmetric [was: Verizon Policy Statement on Net Neutrality]

2015-04-23 Thread Ray Soucy
It's amazing, really. Netflix and YouTube now overtake BitTorrent and all other file sharing peer-to-peer traffic combined, even on academic networks, by order(s) of magnitude. The amount of peer-to-peer traffic is not even significant in comparison. It might as well be IRC from our

Re: How are you doing DHCPv6 ?

2015-04-01 Thread Ray Soucy
details on what platforms and releases from Cisco support RFC 6939 Option 79 so far? The only thing I can find online is reference to the Cisco uBR7200 release 12.2(33)SCI, which doesn't really help me. On Mon, Jan 23, 2012 at 5:23 PM, Ray Soucy r...@maine.edu wrote: The requirement of the DUID

Re: Broken SSL cert caused by router?

2015-03-27 Thread Ray Soucy
It might be filtering the CRL or OCSP verification for the SSL certificate. For GoDaddy I think this would be: http://crl.godaddy.com/ http://ocsp.godaddy.com/ http://certificates.godaddy.com/ We ran into this when OS X changed how it handles SSL a few years back, our captive portal was

Re: Getting hit hard by CHINANET

2015-03-23 Thread Ray Soucy
I did a test on my personal server of filtering every IP network assigned to China for a few months and over 90% of SSH attempts and other noise just went away. It was pretty remarkable. Working for a public university I can't block China outright, but there are times it has been tempting. :-)

Re: FTTx Active-Ethernet Hardware

2015-02-10 Thread Ray Soucy
in the service provider networks. They use these Planet devices in every deployment I've taken a look at so far. Ammar On 10 Feb 2015, at 6:42 pm, Ray Soucy r...@maine.edu wrote: Price and functionality-wise Planet MGSW-28240F and GSD-1020S look pretty close to what I'm looking for. Anyone have

FTTx Active-Ethernet Hardware

2015-02-10 Thread Ray Soucy
One thing I'm personally interested in is the growth of municipal FTTx that's starting to happen around the US and possibly applying that model to highly rural areas (e.g. 10 mile long town with no side streets, existing utility poles, 250 or so homes) and doing a realistic cost analysis of what

Re: FTTx Active-Ethernet Hardware

2015-02-10 Thread Ray Soucy
. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com - Original Message - From: Ray Soucy r...@maine.edu To: NANOG nanog@nanog.org Sent: Tuesday, February 10, 2015 7:31:22 AM Subject: FTTx Active-Ethernet Hardware One thing I'm personally interested

Re: Checkpoint IPS

2015-02-06 Thread Ray Soucy
An IPS doesn't have to be in line. It can be something watching a tap and scripted to use something else to block traffic (e.g. hardware filtering options on a router that can handle it). An IDS tied into an internal RTBH setup to leverage uRPF filtering in hardware can be pretty effective at
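
The tap-fed IDS plus RTBH setup described above, as an added example that is not the poster's own tooling: an IDS alert feed is turned into blackhole route announcements with the guard rails an automated blackhole script needs. It assumes the route injector speaks ExaBGP's text API (the "announce route ... next-hop ... community [...]" syntax is an assumption to check against your ExaBGP version), that the next-hop is a discard address routed to Null0 on every edge, and that loose-mode uRPF on the edges then drops packets *from* the blackholed source in hardware as well as packets to it. The prefixes, community, addresses and alert lines are constructed.

```python
"""IDS alerts -> source-based RTBH announcements, with safety checks.

Added example. Assumptions: ExaBGP text-API syntax, a discard next-hop
routed to Null0 on all edges, loose uRPF on the edges, documentation
prefixes standing in for our own address space.
"""
import ipaddress
import re
import time

DISCARD_NEXT_HOP = "192.0.2.1"           # assumed: static route to Null0 on every edge
BLACKHOLE_COMMUNITY = "65535:666"        # RFC 7999 BLACKHOLE
PROTECTED = [ipaddress.ip_network(p)     # assumed: our space and infrastructure
             for p in ("192.0.2.0/24", "2001:db8::/32")]
HOST_LEN = {4: 32, 6: 128}
DEFAULT_TTL = 3600                       # seconds before the route is withdrawn


class Blackholer:
    def __init__(self, now=time.time):
        self.now = now
        self.active = {}                 # "prefix/len" -> expiry timestamp

    def _validate(self, text):
        net = ipaddress.ip_network(text, strict=False)
        # Never blackhole ourselves, even if an IDS rule fires on internal traffic.
        if any(p.version == net.version and (net.subnet_of(p) or p.subnet_of(net))
               for p in PROTECTED):
            raise ValueError("protected space: %s" % net)
        if net.is_loopback or net.is_multicast or net.is_unspecified or net.is_link_local:
            raise ValueError("not a routable unicast source: %s" % net)
        # Host routes only: a /24 from a noisy rule takes out innocent neighbours.
        if net.prefixlen != HOST_LEN[net.version]:
            raise ValueError("only host routes may be blackholed: %s" % net)
        return net

    def add(self, text, ttl=DEFAULT_TTL):
        """Return the announce command, or None if the route is already active
        (the expiry is refreshed either way)."""
        key = str(self._validate(text))
        fresh = key not in self.active
        self.active[key] = self.now() + ttl
        if not fresh:
            return None
        return "announce route %s next-hop %s community [%s]" % (
            key, DISCARD_NEXT_HOP, BLACKHOLE_COMMUNITY)

    def expire(self):
        """Withdraw routes whose TTL has passed; blackholes must not be forever."""
        cmds = []
        for key, exp in list(self.active.items()):
            if exp <= self.now():
                del self.active[key]
                cmds.append("withdraw route %s next-hop %s" % (key, DISCARD_NEXT_HOP))
        return cmds


ALERT = re.compile(r"src=(\S+)\s+dst=(\S+)")

# Constructed IDS alert lines: one repeat offender and one internal host.
SAMPLE_ALERTS = """\
2015-02-06T09:58:11Z ssh-bruteforce src=203.0.113.7 dst=192.0.2.22
2015-02-06T09:58:40Z ssh-bruteforce src=203.0.113.7 dst=192.0.2.23
2015-02-06T09:59:02Z ssh-bruteforce src=192.0.2.9 dst=192.0.2.22
"""


def process_alerts(lines, bh):
    """Feed alert lines to the blackholer; return (commands, skipped_count)."""
    cmds, skipped = [], 0
    for line in lines.splitlines():
        m = ALERT.search(line)
        if not m:
            continue
        try:
            cmd = bh.add(m.group(1))
        except ValueError:
            skipped += 1
            continue
        if cmd:
            cmds.append(cmd)
    return cmds, skipped


if __name__ == "__main__":
    bh = Blackholer()
    print(process_alerts(SAMPLE_ALERTS, bh))
```

The commands would be written to the ExaBGP process on stdin; the point of the example is the validation in `_validate` and the TTL in `expire`, which are what keep a scripted blackhole from turning a false positive into a self-inflicted outage.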

Re: Dynamic routing on firewalls.

2015-02-05 Thread Ray Soucy
It all depends how much of the firewall functionality is implemented in CPU. The biggest problem is that firewalls that implement functionality in software usually saturate CPU when stressed (e.g. DoS) and routing protocols start dropping. I'm a strong believer in having a router that can do

Re: Recommended wireless AP for 400 users office

2015-02-04 Thread Ray Soucy
Honestly, in a lot of cases you don't even need a device to support packet capture as a feature to add it as a feature once it's compromised. This is just FUD IMHO. On Wed, Feb 4, 2015 at 7:24 AM, Paul Nash p...@nashnetworks.ca wrote: I love the built-in remote packet captures, You, the NSA,

Re: Cisco Nexus

2015-02-03 Thread Ray Soucy
I have a small setup, Nexus 2 x 5596UP + 12 x 2248TP FEX, 2 x B22DELL, 2 x B22HP, 1 x C2248PQ-10GE. Been using this setup since 2012, so it's getting a bit long in the tooth. It's in an Active-Active setup because there wasn't much guidance at the time on which way to go. There are some

Re: Recommended wireless AP for 400 users office

2015-01-29 Thread Ray Soucy
Just curious. What kind of problems have you seen with the Ubiquiti solution? I've had a few units in for testing a potential managed wireless for rural libraries and so far they've been pretty rock solid for the price. My biggest critique is that they don't support many features and are fairly

Re: Recommended wireless AP for 400 users office

2015-01-29 Thread Ray Soucy
Yeah, most people ignore ZH. UBNT marketing hyped it up quite a bit, and for a residential deployment it can work OK, but if you have any kind of background in wireless you'll understand that it goes out the window for a non-trivial deployment due to the requirement of all APs sharing a channel.

Re: scaling linux-based router hardware recommendations

2015-01-29 Thread Ray Soucy
For us, open source isn't just a business model; it's smart engineering practice. -- Bruce Schneier I hope I'm not the only one, but I think the NSA (and other state actors) intentionally introducing systemic weaknesses or backdoors into critical infrastructure is pretty ... reckless. I really

Re: Muni Fiber and Politics

2014-07-22 Thread Ray Soucy
IMHO the way to go here is to have the physical fiber plant separate. FTTH is a big investment. Easy for a municipality to absorb, but not attractive for a commercial ISP to do. A business will want to realize an ROI much faster than the life of the fiber plant, and will need assurance of

Re: Muni Fiber and Politics

2014-07-22 Thread Ray Soucy
Helms Vice President of Technology ZCorum (678) 507-5000 http://twitter.com/kscotthelms On Tue, Jul 22, 2014 at 2:13 PM, Ray Soucy r...@maine.edu wrote: IMHO the way to go here is to have the physical fiber plant separate

Re: The case(s) for, and against, preemption (was Re: Muni Fiber and Politics)

2014-07-22 Thread Ray Soucy
You're over-thinking it. Use the power company as a model and you'll be close to the right path. On Tue, Jul 22, 2014 at 4:05 PM, Eric Brunner-Williams brun...@nic-naa.net wrote: On 7/22/14 11:13 AM, Ray Soucy wrote: Municipal FTTH needs to be a regulated public utility (ideally at a state

Re: Muni Fiber and Politics

2014-07-22 Thread Ray Soucy
Helms Vice President of Technology ZCorum (678) 507-5000 http://twitter.com/kscotthelms On Tue, Jul 22, 2014 at 2:13 PM, Ray Soucy r...@maine.edu wrote: IMHO the way to go here is to have the physical fiber plant

Re: Muni Fiber and Politics

2014-07-22 Thread Ray Soucy
the fiber to them on a flat per-subscriber strand fee basis that applies to all comers with a per-rack price for the colo space. So I think we are completely on the same page now. Owen On Jul 22, 2014, at 13:37 , Ray Soucy r...@maine.edu wrote: I was mentally where you were a few years ago

Re: Muni Fiber and Politics

2014-07-21 Thread Ray Soucy
Agree. I'd go a step further and say that Dark Fiber as a Public Utility (which is regulated to provide open access at published rates and forbidden from providing its own lit service directly) is the only way forward. That said, I don't think it's a good idea to see the municipality provide the

Re: Net Neutrality...

2014-07-17 Thread Ray Soucy
In truth, however, market failures like these have never happened, and nothing is broken that needs fixing. Prefixing a statement with in truth doesn't actually make it true, Bob. On Wed, Jul 16, 2014 at 10:50 AM, Fred Baker (fred) f...@cisco.com wrote: Relevant article by former FCC Chair

Re: FYI: Unbreakable VPN using Vyatta/VyOS -HOW TO-

2014-05-14 Thread Ray Soucy
Thanks for this, Have you posted this to the VyOS project forums? It would make a nice addition to the wiki (*cough* I've been trying to find some help to complete the VyOS user guide). On Tue, May 13, 2014 at 5:10 AM, Naoto MATSUMOTO n-matsum...@sakura.ad.jp wrote: Hi all! We wrote TIPS

Re: Managing ACL exceptions (was Re: Filter NTP traffic by packet size?)

2014-02-28 Thread Ray Soucy
I'm wondering how many operators don't have systems in place to quickly and efficiently filter problem host systems. I see a lot of talk of ACL usage, but not much about uRPF and black hole filtering. There are a few white papers that are worth a read:

Re: Managing ACL exceptions (was Re: Filter NTP traffic by packet size?)

2014-02-28 Thread Ray Soucy
/index.php/HOWTO:CISCO:7200VXR On Fri, Feb 28, 2014 at 9:04 AM, Jay Ashworth j...@baylink.com wrote: You mean, like Bcp38(.info)? On February 28, 2014 9:02:03 AM EST, Ray Soucy r...@maine.edu wrote: I'm wondering how many operators don't have systems in place to quickly and efficiently filter

Re: Filter NTP traffic by packet size?

2014-02-24 Thread Ray Soucy
We have had pretty good success in identifying offenders with simple monitoring flow data for NTP flows destined for our address space with packet counts higher than 100; we disable them and notify to correct the configuration on the host. Granted we only service about 1,000 different customers.
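
The flow-based check described above, as an added example that is not the poster's own monitoring code: it walks flow records, keeps UDP flows to port 123 that terminate inside our address space, and flags any with more than 100 packets. The records are a constructed nfdump-style CSV, the prefixes are documentation space standing in for "our address space", and the threshold is the one the post mentions. A legitimate NTP client polls at most once every 64 seconds, so a single flow with more than 100 packets inside a normal flow active-timeout is not a real client; it is a host being used as a reflector.

```python
"""Flag internal NTP hosts receiving abnormally large NTP flows.

Added example. Flow format, prefixes and threshold are constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict

OUR_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")]
PACKET_THRESHOLD = 100

# Constructed flows: start,proto,src,sport,dst,dport,packets,bytes
# Two abuse streams at one internal NTP server, one normal client poll,
# one large flow to a host outside our space, one TCP flow to ignore.
SAMPLE_FLOWS = """\
2014-02-24 10:00:01,UDP,203.0.113.9,44123,192.0.2.53,123,1532,115424
2014-02-24 10:00:02,UDP,198.51.100.77,123,192.0.2.53,123,2210,174590
2014-02-24 10:00:05,UDP,203.0.113.10,55123,192.0.2.120,123,8,608
2014-02-24 10:00:07,UDP,203.0.113.9,44123,198.51.100.1,123,4000,300000
2014-02-24 10:00:09,TCP,203.0.113.11,51000,192.0.2.53,123,400,40000
"""


def parse_flows(text):
    """Yield one dict per record; skip malformed lines rather than abort."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 8:
            continue
        ts, proto, src, sport, dst, dport, pkts, byts = row
        try:
            yield {"ts": ts, "proto": proto.upper(), "src": src, "sport": int(sport),
                   "dst": dst, "dport": int(dport), "packets": int(pkts),
                   "bytes": int(byts)}
        except ValueError:
            continue


def in_our_space(addr):
    a = ipaddress.ip_address(addr)
    return any(a in n for n in OUR_PREFIXES)   # mismatched versions compare False


def ntp_offenders(text, threshold=PACKET_THRESHOLD):
    """{internal_host: {"packets", "flows", "sources"}} for UDP/123 flows
    into our space whose packet count exceeds the threshold."""
    hits = defaultdict(lambda: {"packets": 0, "flows": 0, "sources": set()})
    for f in parse_flows(text):
        if f["proto"] != "UDP" or f["dport"] != 123:
            continue
        if f["packets"] <= threshold or not in_our_space(f["dst"]):
            continue
        h = hits[f["dst"]]
        h["packets"] += f["packets"]
        h["flows"] += 1
        h["sources"].add(f["src"])
    return dict(hits)


def report(hits):
    """Lines for the disable-and-notify ticket, worst host first."""
    return ["%s: %d packets in %d flows from %d sources (%s)" % (
                host, h["packets"], h["flows"], len(h["sources"]),
                ", ".join(sorted(h["sources"])))
            for host, h in sorted(hits.items(), key=lambda kv: -kv[1]["packets"])]


if __name__ == "__main__":
    for line in report(ntp_offenders(SAMPLE_FLOWS)):
        print(line)
```

Note the source port 123 on the second flow: a reflector being driven by another NTP server looks like server-to-server traffic, which is why the check keys on packet count rather than on source port.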

Re: EIGRP support !Cisco

2014-01-08 Thread Ray Soucy
Use a standard protocol and redistribute between the two. OSPF is likely the easiest way to go for this. I like EIGRP, but I don't think I like it enough to try a non-Cisco implementation of it. At least with OSPF you know that most of the bugs have been worked out (hopefully). On Wed, Jan 8,

Re: Open source hardware

2014-01-08 Thread Ray Soucy
haven't counted them all up, but I believe we have over 1,000 third-party optics in use, so a fair enough sample size. Most of the optics that I've replaced in the last year have had a Cisco label on them. ;-) On Tue, Jan 7, 2014 at 9:58 AM, Ray Soucy r...@maine.edu wrote: http://approvedoptics.com

Re: Vyatta to VyOS

2014-01-07 Thread Ray Soucy
a mailing list, forum or very much documentation for it. Is there another site with this info? I'd love to test a few builds out but I never used Vyatta before. On 12/23/2013 10:18 AM, Ray Soucy wrote: Many here might be interested, In response to Brocade not giving the community edition of Vyatta

Re: Open source hardware

2014-01-07 Thread Ray Soucy
. I see a bunch of third party ones on Amazon and CDW but I'd love to get my hands on one that has the correct vendor code without going and trying them all. On 1/3/2014 7:48 AM, Ray Soucy wrote: You actually buy brand-name SFP's? That's like buying the gold-plated HDMI Monster Cable at Best

Re: Open source hardware

2014-01-03 Thread Ray Soucy
You actually buy brand-name SFP's? That's like buying the gold-plated HDMI Monster Cable at Best Buy at markup ... I just find the companies that the vendors contract to make their OEM SFP's and buy direct. Same SFP from the same factory except one has a Cisco sticker. ;-) You can even get

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-31 Thread Ray Soucy
I think there needs to be some clarification on how these tools get used, how often they're used, and if they're ever cleaned up when no longer part of an active operation. Of course we'll never get that. The amount of apologists with the attitude this isn't a big deal, nothing to see here, the

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Ray Soucy
Even more outrageous than the domestic spying is the arrogance to think that they can protect the details on backdoors into critical infrastructure. They may have basically created the framework for an Internet-wide kill switch, that likely also affects every aspect of modern communication.

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Ray Soucy
Looking more at the actual leaked information it seems that if the NSA is working with companies, it's not anything the companies are likely aware of. The common form of infection seems to be through software updates performed by administrators (through the NSA hijacking web traffic). They are

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Ray Soucy
On a side note, I've been involved with organizing the New England regional Collegiate Cyber-Defense Competition for a while, and one of our Red Team members was able to make a pretty convincing IOS rootkit using IOS TCL scripting to mask configuration from the students. I don't think any students

Re: The Making of a Router

2013-12-29 Thread Ray Soucy
for i in /proc/sys/net/ipv4/conf/*/arp_announce; do echo 2 > $i;done +1 setting arp_announce in Linux is essential if being used as a router with more than one subnet. I would also recommend setting arp_ignore. For Linux-based routers, I've found the following settings to be optimal: echo 1

Re: The Making of a Router

2013-12-27 Thread Ray Soucy
, Ray Soucy r...@maine.edu wrote: The basic idea of RAMBOOT is typical in Embedded Linux development. Linux makes use of multi-stage boot process. One of the stages involves using an initial ramdisk (initrd) to provide a base root filesystem which can be used to locate and mount the system root

Re: The Making of a Router

2013-12-27 Thread Ray Soucy
It seems to be a pretty hot button issue, but I feel that modern hardware is more than capable of pushing packets. The old wisdom of only hardware can do it efficiently is starting to prove untrue. 10G might still be a challenge (I haven't tested), but 1G is not even close to being an issue.

Re: The Making of a Router

2013-12-27 Thread Ray Soucy
On a side note, Q-in-Q support has been added to the recent 3.10 Linux kernel, configured using the ip command. It will be popping up in distributions soon [tm]. Another interesting addition is IPv6 NAT (transparent redirect, prefix translation, etc). On Fri, Dec 27, 2013 at 8:18 PM, Baldur

Re: The Making of a Router

2013-12-26 Thread Ray Soucy
You can build using commodity hardware and get pretty good results. I've had really good luck with Supermicro whitebox hardware, and Intel-based network cards. The Hot Lava Systems cards have a nice selection for a decent price if you're looking for SFP and SFP+ cards that use Intel chipsets.

Re: The Making of a Router

2013-12-26 Thread Ray Soucy
Chipsets and drivers matter a lot in the 1G+ range. I've had pretty good luck with the Intel stuff because they offload a lot in hardware and make open drivers available to the community. On Thu, Dec 26, 2013 at 7:48 PM, Olivier Cochard-Labbé oliv...@cochard.me wrote: Le 26 déc. 2013 22:02,

Vyatta to VyOS

2013-12-23 Thread Ray Soucy
Many here might be interested, In response to Brocade not giving the community edition of Vyatta much attention recently, some of the more active community members have created a fork of the GPL code used in Vyatta. It's called VyOS, and yesterday they released 1.0. http://vyos.net/ I've been

Re: Meraki

2013-11-26 Thread Ray Soucy
Nov 2013 09:32:10 -0500 From: Ray Soucy r...@maine.edu To: Rob Seastrom r...@seastrom.com Cc: NANOG nanog@nanog.org Subject: Re: Meraki Message-ID: calftrnppbqlhrrdkmnt1nz8wi0k3b6kemt9tbgns-wfrhqs...@mail.gmail.com Content-Type: text/plain; charset=ISO-8859-1 It looks like

Re: Meraki

2013-11-25 Thread Ray Soucy
point. I really hope the VyOS project can get off the ground. If any developers familiar with maintaining Debian-based distributions are on-list, I know the project is looking for people to help. On Sun, Nov 24, 2013 at 8:33 PM, Rob Seastrom r...@seastrom.com wrote: Ray Soucy r

Re: Meraki

2013-11-22 Thread Ray Soucy
FWIW, I picked up a UniFi 3-pack of APs and built up a controller VM using Ubuntu Server LTS and the beta multi-site controller code over the past week. I'm very impressed so far, it doesn't have all the bells and whistles of Cisco setup, sure, but I'm pretty shocked at the level of functionality

Re: Meraki

2013-11-20 Thread Ray Soucy
I'm very interested in other user experiences with Ubiquiti for smaller deployments vs. traditional Cisco APs and WLC. Especially for a collection of rural areas. The price point and software controller are very attractive. Anyone running a centralized controller for a lot of remote sites? On

Re: DNS and nxdomain hijacking

2013-11-05 Thread Ray Soucy
http://en.wikipedia.org/wiki/Response_policy_zone RPZ functionality has been widely adopted in the past few years. Also known as DNS Firewall. On Tue, Nov 5, 2013 at 10:30 PM, Andrew Sullivan asulli...@dyn.com wrote: On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote: I think

Re: latest Snowden docs show NSA intercepts all Google and Yahoo DC-to-DC traffic

2013-10-31 Thread Ray Soucy
Was the unplanned L3 DF maintenance that took place on Tuesday a frantic removal of taps? :-) On Wed, Oct 30, 2013 at 3:30 PM, Scott Weeks sur...@mauigateway.com wrote: On Wed, Oct 30, 2013 at 1:46 PM, Jacque O'Lantern jacque.olant...@yandex.com wrote:

Cisco DMVPN Configuration Question

2013-08-16 Thread Ray Soucy
Don't usually poke NANOG for a second pair of eyes, but got hit with an urgent need to get connectivity up on a small budget. I've run into a situation where I require multiple DMVPN spokes to be behind a single NAT IP (picture of things to come with CGN?) The DMVPN endpoint works fine behind

Re: Muni fiber: L1 or L2?

2013-01-31 Thread Ray Soucy
Late to the conversation, but I'll chime in that we established a model in Maine that is working pretty well, at least for middle-mile fiber. When we started building out MaineREN (our RON) we decided that having the University own the fiber would tie it up in political red tape. So much so that

Re: Muni fiber: L1 or L2?

2013-01-31 Thread Ray Soucy
1. Must sell dark fiber to any purchaser. 2. Must sell dark fiber to all purchasers on equal terms. (There must be a published price list and there cannot be deviations from that price list. If the price list is modified, existing customers receive the new

Re: TCP time_wait and port exhaustion for servers

2012-12-07 Thread Ray Soucy
PM, Matthew Palmer mpal...@hezmatt.org wrote: On Thu, Dec 06, 2012 at 08:58:10AM -0500, Ray Soucy wrote: net.ipv4.tcp_keepalive_intvl = 15 net.ipv4.tcp_keepalive_probes = 3 net.ipv4.tcp_keepalive_time = 90 net.ipv4.tcp_fin_timeout = 30 As discussed, those do not affect TCP_TIMEWAIT_LEN

Re: TCP time_wait and port exhaustion for servers

2012-12-06 Thread Ray Soucy
It does require a fixed source address. The box is also a router and firewall, so it has many IP addresses available to it. On Wed, Dec 5, 2012 at 5:24 PM, William Herrin b...@herrin.us wrote: On Wed, Dec 5, 2012 at 5:01 PM, Mark Andrews ma...@isc.org wrote: In message

Re: TCP time_wait and port exhaustion for servers

2012-12-06 Thread Ray Soucy
This tunes conntrack, not local TCP on the server itself. On Wed, Dec 5, 2012 at 4:18 PM, Cyril Bouthors cy...@bouthors.org wrote: On 5 Dec 2012, r...@maine.edu wrote: Where there is no way to change this through /proc 10:17PM lenovo:~% sudo sysctl -a |grep wait

Re: TCP time_wait and port exhaustion for servers

2012-12-06 Thread Ray Soucy
net.ipv4.tcp_keepalive_intvl = 15 net.ipv4.tcp_keepalive_probes = 3 net.ipv4.tcp_keepalive_time = 90 net.ipv4.tcp_fin_timeout = 30 As discussed, those do not affect TCP_TIMEWAIT_LEN. There is a lot of misinformation out there on this subject so please don't just Google for 5 min. and chime

Re: TCP time_wait and port exhaustion for servers

2012-12-06 Thread Ray Soucy
This issue is for really for connections that close properly and without any issue. The application closes the socket and doesn't care about it; but the OS keeps it in the TIME_WAIT state as required by the RFC for TCP in case data tries to be sent after the connection has closed (out of order

TCP time_wait and port exhaustion for servers

2012-12-05 Thread Ray Soucy
RFC 793 arbitrarily defines 2MSL (how long to hold a socket in TIME_WAIT state before cleaning up) as 4 min. Linux is a little more reasonable in this and has it baked into the source as 60 seconds in /usr/src/linux/include/net/tcp.h: #define TCP_TIMEWAIT_LEN (60*HZ) Where there is no way to
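
The port-exhaustion arithmetic behind this thread, as an added example that is not the poster's code: with TCP_TIMEWAIT_LEN fixed at 60 seconds, an outbound proxy using one source address can only turn over (ephemeral ports / 60) new connections per second to any single remote ip:port before every port is parked in TIME_WAIT, and the keepalive and fin_timeout sysctls quoted later in the thread do not change that. The second half reads `ss -tan` output and reports how much of the ephemeral range each (local address, remote ip:port) pair has tied up. The `ss` lines and the default port range are constructed assumptions.

```python
"""TIME_WAIT capacity math and a reader for `ss -tan` output.

Added example. The port range default and the sample `ss` lines are
constructed; TCP_TIMEWAIT_LEN is the Linux compiled-in value.
"""
import re
from collections import Counter

TCP_TIMEWAIT_LEN = 60                    # seconds, include/net/tcp.h
DEFAULT_PORT_RANGE = (32768, 60999)      # assumed net.ipv4.ip_local_port_range


def ephemeral_ports(port_range=DEFAULT_PORT_RANGE):
    lo, hi = port_range
    return hi - lo + 1


def max_new_conn_rate(port_range=DEFAULT_PORT_RANGE, source_ips=1,
                      timewait=TCP_TIMEWAIT_LEN):
    """Sustained new connections per second to ONE remote ip:port before
    every ephemeral port on every source address is in TIME_WAIT.
    More source addresses (the thread's workaround) scale this linearly."""
    return ephemeral_ports(port_range) * source_ips / timewait


# `ss -tan`: State Recv-Q Send-Q Local:Port Peer:Port
SS_LINE = re.compile(r"^(\S+)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s*$")


def split_endpoint(ep):
    """'198.51.100.10:48194' or '[2001:db8::1]:443' -> (host, port)."""
    host, _, port = ep.rpartition(":")
    return host.strip("[]"), int(port)


def parse_ss(text):
    """Yield (state, (lhost, lport), (rhost, rport)); the header line does
    not match the pattern and is skipped."""
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if not m:
            continue
        yield m.group(1), split_endpoint(m.group(2)), split_endpoint(m.group(3))


def timewait_pressure(text, port_range=DEFAULT_PORT_RANGE):
    """{(local ip, 'remote:port'): (timewait_count, fraction_of_range)}.
    A fraction near 1.0 means the next connect() to that remote fails
    with EADDRNOTAVAIL."""
    counts = Counter()
    for state, (lhost, lport), (rhost, rport) in parse_ss(text):
        if state != "TIME-WAIT" or not port_range[0] <= lport <= port_range[1]:
            continue
        remote = ("[%s]:%d" if ":" in rhost else "%s:%d") % (rhost, rport)
        counts[(lhost, remote)] += 1
    total = ephemeral_ports(port_range)
    return {k: (n, n / total) for k, n in counts.items()}


# Constructed `ss -tan` sample: three TIME-WAIT sockets to one peer host
# on two ports, one established socket, one IPv6 TIME-WAIT socket.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port   Peer Address:Port
TIME-WAIT  0      0      198.51.100.10:48194  203.0.113.5:80
TIME-WAIT  0      0      198.51.100.10:48195  203.0.113.5:80
TIME-WAIT  0      0      198.51.100.10:48196  203.0.113.5:443
ESTAB      0      0      198.51.100.10:48197  203.0.113.5:80
TIME-WAIT  0      0      [2001:db8::10]:48198 [2001:db8:1::5]:443
"""


if __name__ == "__main__":
    print("%.0f conn/s per source address" % max_new_conn_rate())
    for key, (n, frac) in sorted(timewait_pressure(SAMPLE_SS).items()):
        print(key, n, "%.4f%%" % (100 * frac))
```

On a real proxy the interesting number is the per-remote count: TIME_WAIT entries against a popular site's single ip:443 exhaust the range long before the box-wide TIME_WAIT total looks alarming.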

Re: TCP time_wait and port exhaustion for servers

2012-12-05 Thread Ray Soucy
This would be outgoing connections sourced from the IP of the proxy, destined to whatever remote website (so 80 or 443) requested by the user. Essentially it's a modified Squid service that is used to filter HTTP for CIPA compliance (required by the government) to keep children in public schools

Re: TCP time_wait and port exhaustion for servers

2012-12-05 Thread Ray Soucy
through IP addresses for outgoing requests, but trying to avoid that. On Wed, Dec 5, 2012 at 1:58 PM, William Herrin b...@herrin.us wrote: On Wed, Dec 5, 2012 at 12:09 PM, Ray Soucy r...@maine.edu wrote: Like most web traffic, the majority of these connections open and close in under a second

Re: TCP time_wait and port exhaustion for servers

2012-12-05 Thread Ray Soucy
There is an extra 7 on that number, it was 48194 (was sitting on a different PC so I typed it instead of copy-paste). On Wed, Dec 5, 2012 at 1:58 PM, William Herrin b...@herrin.us wrote: On Wed, Dec 5, 2012 at 12:09 PM, Ray Soucy r...@maine.edu wrote: Like most web traffic, the majority

Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....

2012-11-30 Thread Ray Soucy
once the libraries are written. On Thu, Nov 29, 2012 at 9:55 AM, William Herrin b...@herrin.us wrote: On Thu, Nov 29, 2012 at 9:01 AM, Ray Soucy r...@maine.edu wrote: You should store IPv6 as a pair of 64-bit integers. While PHP lacks the function set to do this on its own, it's not very

Re: William was raided for running a Tor exit node. Please help if you can.

2012-11-29 Thread Ray Soucy
If you run Tor, then you should probably accept that it might be used for activity that you don't approve of or even is in violation of the law. I'm not saying Tor is good or bad, just that if you're using it you probably know what you're getting into. In order to catch someone in a criminal

Re: Programmers can't get IPv6 thus that is why they do not have IPv6 in their applications....

2012-11-29 Thread Ray Soucy
You should store IPv6 as a pair of 64-bit integers. While PHP lacks the function set to do this on its own, it's not very difficult to do. Here are a set of functions I wrote a while back to do just that (though I admit I should spend some time to try and make it more elegant and I'm not sure
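
The two-64-bit-integer representation described above, as an added example in Python rather than the poster's PHP functions: the split and join, the signed form a BIGINT column needs, and the comparisons that make a prefix match work on the stored pair (high word only for /64 and shorter, fixed high word plus a low-word range for longer prefixes). The `hosts` table and `addr_hi`/`addr_lo` column names in the generated SQL are assumptions.

```python
"""IPv6 as (hi, lo) 64-bit integers, with prefix matching on the pair.

Added example. Table and column names in the SQL text are assumed.
"""
import ipaddress
import struct

MASK64 = (1 << 64) - 1


def ipv6_to_pair(text):
    """'2001:db8::1' -> (0x20010db800000000, 0x1)"""
    return struct.unpack("!QQ", ipaddress.IPv6Address(text).packed)


def pair_to_ipv6(hi, lo):
    return str(ipaddress.IPv6Address(struct.pack("!QQ", hi, lo)))


def to_signed64(n):
    """Map an unsigned 64-bit value onto the signed range a BIGINT stores."""
    return n - (1 << 64) if n >= (1 << 63) else n


def from_signed64(n):
    return n + (1 << 64) if n < 0 else n


def prefix_bounds(cidr):
    """(prefixlen, hi_min, hi_max, lo_min, lo_max) for a prefix."""
    net = ipaddress.IPv6Network(cidr, strict=False)
    first, last = int(net.network_address), int(net.broadcast_address)
    return net.prefixlen, first >> 64, last >> 64, first & MASK64, last & MASK64


def in_prefix(hi, lo, cidr):
    """Prefix test using only integer comparisons on the stored pair."""
    plen, hi_min, hi_max, lo_min, lo_max = prefix_bounds(cidr)
    if plen <= 64:                       # low word is irrelevant
        return hi_min <= hi <= hi_max
    return hi == hi_min and lo_min <= lo <= lo_max


def prefix_query(cidr):
    """WHERE clause for the same test against signed BIGINT columns.
    A range that crosses the signed boundary (e.g. ::/0) cannot be expressed
    as one BETWEEN, so refuse it rather than silently match nothing."""
    plen, hi_min, hi_max, lo_min, lo_max = prefix_bounds(cidr)
    if plen <= 64:
        a, b = to_signed64(hi_min), to_signed64(hi_max)
        col = "addr_hi BETWEEN %d AND %d" % (a, b)
    else:
        a, b = to_signed64(lo_min), to_signed64(lo_max)
        col = "addr_hi = %d AND addr_lo BETWEEN %d AND %d" % (to_signed64(hi_min), a, b)
    if a > b:
        raise ValueError("range crosses the signed 64-bit boundary; split the query")
    return "SELECT * FROM hosts WHERE " + col


if __name__ == "__main__":
    hi, lo = ipv6_to_pair("2001:db8:0:1::5")
    print(hex(hi), hex(lo), in_prefix(hi, lo, "2001:db8::/32"))
    print(prefix_query("2001:db8::/32"))
```

Storing the high word signed means 2000::/3 addresses sort correctly, but anything from 8000::/1 lands in the negative range; the guard in `prefix_query` is there so a query spanning both halves fails loudly instead of returning an empty result.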

PHP library for IOS devices

2012-11-28 Thread Ray Soucy
Quick note as many on-list may find this useful. I've maintained a PHP class to connect to IOS devices over telnet and parse the output into something useful for various internal tools for a few years now. I've recently worked with the author of phpseclib to create an SSH version of the library.

Re: Big day for IPv6 - 1% native penetration

2012-11-20 Thread Ray Soucy
Or artificially high ... On Tue, Nov 20, 2012 at 8:45 AM, Owen DeLong o...@delong.com wrote: It is entirely possible that Google's numbers are artificially low for a number of reasons. Owen On Nov 20, 2012, at 5:31 AM, Aaron Toponce aaron.topo...@gmail.com wrote: On Tue, Nov 20, 2012 at

Re: Plages d'adresses IP Orange

2012-11-19 Thread Ray Soucy
The universal translator is still a few years out it seems. Written that way it's borderline insulting. ;-) 2012/11/19 Jon Lewis jle...@lewis.org: Pourquoi demandez-vous des questions NANOG que Wanadoo peut répondre? ["Why do you ask NANOG questions that Wanadoo can answer?"] Hopefully google translate hasn't butchered that too badly. On Mon, 19

DHCPv6 and MAC addresses

2012-11-14 Thread Ray Soucy
Saw yet another attempt at a solution pop up to try and deal with the lack of a MAC address in DHCPv6 messages. I've been giving this some thought about how this should be best accomplished without requiring that host implementations of DHCPv6 be modified. Taking advantage of the relay-agent
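
The relay-agent approach raised here, and the RFC 6939 Option 79 support asked about in the "How are you doing DHCPv6 ?" thread above, as an added example that is not the poster's code: a parser for a DHCPv6 Relay-Forward message that takes the client MAC from Option 79 (Client Link-Layer Address) when the relay inserted one and falls back to the DUID-LL/DUID-LLT in the embedded client message. The distinction matters for tracking: the DUID is whatever the client chose to send, while Option 79 is what the relay saw in the frame, so only the latter should be trusted, and only when it arrives from a relay you control. The sample message is constructed.

```python
"""Client MAC from a DHCPv6 Relay-Forward: Option 79 first, DUID second.

Added example. Message layout follows RFC 3315 (now 8415) and RFC 6939;
the sample message and its addresses are constructed.
"""
import struct

MSG_SOLICIT = 1
MSG_RELAY_FORW = 12
OPT_CLIENTID = 1
OPT_RELAY_MSG = 9
OPT_CLIENT_LINKLAYER_ADDR = 79          # RFC 6939
HWTYPE_ETHERNET = 1
DUID_LLT, DUID_LL = 1, 3


def parse_options(buf):
    """Yield (code, data) from a DHCPv6 option block; reject truncated TLVs."""
    off = 0
    while off < len(buf):
        if off + 4 > len(buf):
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, off)
        off += 4
        if off + length > len(buf):
            raise ValueError("option %d runs past end of message" % code)
        yield code, buf[off:off + length]
        off += length


def mac_from_duid(duid):
    """6-byte MAC embedded in a DUID-LLT or DUID-LL, else None."""
    if len(duid) < 4:
        return None
    duid_type, hwtype = struct.unpack_from("!HH", duid, 0)
    if hwtype != HWTYPE_ETHERNET:
        return None
    if duid_type == DUID_LLT and len(duid) == 14:    # type, hwtype, time, addr
        return duid[8:14]
    if duid_type == DUID_LL and len(duid) == 10:     # type, hwtype, addr
        return duid[4:10]
    return None


def client_mac(msg):
    """(mac_text, 'option79' | 'duid') for a Relay-Forward, or None."""
    if not msg or msg[0] != MSG_RELAY_FORW:
        raise ValueError("expected a Relay-Forward message")
    # Relay-Forward header: msg-type(1) hop-count(1) link-addr(16) peer-addr(16)
    opt79 = inner = None
    for code, data in parse_options(msg[34:]):
        if code == OPT_CLIENT_LINKLAYER_ADDR and len(data) == 8:
            if struct.unpack_from("!H", data, 0)[0] == HWTYPE_ETHERNET:
                opt79 = data[2:]
        elif code == OPT_RELAY_MSG:
            inner = data
    if opt79 is not None:
        return opt79.hex(":"), "option79"
    if not inner:
        return None
    if inner[0] == MSG_RELAY_FORW:                   # nested relay: recurse
        return client_mac(inner)
    # Client message: msg-type(1) transaction-id(3) then options
    for code, data in parse_options(inner[4:]):
        if code == OPT_CLIENTID:
            mac = mac_from_duid(data)
            if mac is not None:
                return mac.hex(":"), "duid"
    return None


def build_option(code, data):
    return struct.pack("!HH", code, len(data)) + data


def sample_relay_forward(with_option79=True):
    """Constructed message: a Solicit whose DUID-LL claims 00:11:22:33:44:55,
    relayed with (optionally) Option 79 reporting the MAC the relay actually
    saw on the wire, 66:77:88:99:aa:bb. The mismatch is deliberate."""
    duid = struct.pack("!HH", DUID_LL, HWTYPE_ETHERNET) + bytes.fromhex("001122334455")
    solicit = bytes([MSG_SOLICIT, 0x12, 0x34, 0x56]) + build_option(OPT_CLIENTID, duid)
    opts = build_option(OPT_RELAY_MSG, solicit)
    if with_option79:
        opts += build_option(OPT_CLIENT_LINKLAYER_ADDR,
                             struct.pack("!H", HWTYPE_ETHERNET) + bytes.fromhex("66778899aabb"))
    link_addr = bytes(16)                                           # unspecified
    peer_addr = bytes.fromhex("fe80000000000000021122fffe334455")   # client link-local
    return bytes([MSG_RELAY_FORW, 0]) + link_addr + peer_addr + opts


if __name__ == "__main__":
    print(client_mac(sample_relay_forward(True)))
    print(client_mac(sample_relay_forward(False)))
```

A server or log collector that only reads the DUID would record 00:11:22:33:44:55 for this client; the relay-observed value is 66:77:88:99:aa:bb, which is the one you want in an audit trail.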

Re: dhcpy6d - a MAC address aware DHCPv6 server

2012-11-14 Thread Ray Soucy
FWIW ISC DHCPd listens on raw sockets. On Tue, Nov 6, 2012 at 11:12 AM, George Herbert george.herb...@gmail.com wrote: Oh, horrors, part of my infrastructure needs raw socket data? We should ban that, for security. Who needs those pesky switches anyways? George William Herbert Sent from

Re: DHCPv6 and MAC addresses

2012-11-14 Thread Ray Soucy
at 1:02 PM, Tim Chown t...@ecs.soton.ac.uk wrote: What about http://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-client-link-layer-addr-opt-03 ? -- Tim On 14 Nov 2012, at 17:46, Ray Soucy r...@maine.edu wrote: Saw yet another attempt at a solution pop up to try and deal with the lack

Re: IP tunnel MTU

2012-10-29 Thread Ray Soucy
The core issue here is TCP MSS. PMTUD is a dynamic process for adjusting MSS, but requires that ICMP be permitted to negotiate the connection. The realistic alternative, in a world that filters all ICMP traffic, is to manually rewrite the MSS. In IOS this can be achieved via ip tcp adjust-mss
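
The MSS rewrite described above, as an added example that is not the poster's code and not the router's implementation: `mss_for_tunnel` is the arithmetic behind an adjust-mss value (GRE over IPv4 on a 1500-byte link gives 1436), and `clamp_mss` does to a SYN what the router does in the forwarding path: walk the TCP options, lower the MSS if it is above the limit, and recompute the checksum. Only the IPv4 pseudo-header is handled; the SYN, addresses and ports are constructed.

```python
"""Tunnel MSS arithmetic and in-flight MSS clamping on a TCP SYN.

Added example. Addresses, ports and the SYN itself are constructed;
the checksum is the RFC 793 one over an IPv4 pseudo-header.
"""
import struct

IPV4_HDR, IPV6_HDR, TCP_HDR = 20, 40, 20
TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
FLAG_SYN = 0x02


def mss_for_tunnel(link_mtu, encap_overhead, inner_ipv6=False):
    """Largest MSS such that segment + inner IP/TCP headers + encapsulation
    fits the underlying link MTU. GRE/IPv4 (20 outer IP + 4 GRE = 24) on a
    1500-byte link: 1500 - 24 - 20 - 20 = 1436."""
    inner_ip = IPV6_HDR if inner_ipv6 else IPV4_HDR
    return link_mtu - encap_overhead - inner_ip - TCP_HDR


def tcp_checksum(src, dst, segment):
    """Ones'-complement checksum over IPv4 pseudo-header + segment.
    Computed over a segment that already carries a correct checksum it
    returns 0, which is how the tests verify the rewrite."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src, dst, sport, dport, mss, seq=1):
    """Constructed 24-byte SYN: 20-byte header plus a 4-byte MSS option."""
    opts = struct.pack("!BBH", TCPOPT_MSS, 4, mss)
    doff = (TCP_HDR + len(opts)) // 4
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, doff << 4, FLAG_SYN,
                      65535, 0, 0)
    seg = bytearray(hdr + opts)
    struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)


def _walk_options(segment):
    """Yield (offset, kind, length) for each option; stop on EOL or malformed."""
    doff = (segment[12] >> 4) * 4
    i = TCP_HDR
    while i < doff:
        kind = segment[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff:
            return
        length = segment[i + 1]
        if length < 2 or i + length > doff:
            return                           # malformed: do not trust the rest
        yield i, kind, length
        i += length


def mss_of(segment):
    """MSS option value, or None if absent or the option list is malformed."""
    for off, kind, length in _walk_options(segment):
        if kind == TCPOPT_MSS and length == 4:
            return struct.unpack_from("!H", segment, off + 2)[0]
    return None


def clamp_mss(src, dst, segment, max_mss):
    """Return the segment with MSS lowered to max_mss if it was higher.
    Non-SYN segments and SYNs without a valid MSS option pass unchanged."""
    if not segment[13] & FLAG_SYN:
        return segment
    current = mss_of(segment)
    if current is None or current <= max_mss:
        return segment
    seg = bytearray(segment)
    for off, kind, length in _walk_options(seg):
        if kind == TCPOPT_MSS and length == 4:
            struct.pack_into("!H", seg, off + 2, max_mss)
            break
    struct.pack_into("!H", seg, 16, 0)
    struct.pack_into("!H", seg, 16, tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)


if __name__ == "__main__":
    src, dst = bytes([198, 51, 100, 10]), bytes([203, 0, 113, 5])
    syn = build_syn(src, dst, 48194, 443, 1460)
    print(mss_of(syn), mss_of(clamp_mss(src, dst, syn, mss_for_tunnel(1500, 24))))
```

Clamping only ever lowers the value: raising a peer's advertised MSS would let segments through that the peer cannot receive, which is exactly the black-hole this thread is about.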
