Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-18 Thread Suresh Ramasubramanian
It exists but not in bgp form  - http://www.spamhaus.org/drop/

Dont Route Or Peer

srs

On Wed, Sep 17, 2008 at 7:01 PM, Gadi Evron <[EMAIL PROTECTED]> wrote:
> On Wed, 17 Sep 2008, Skywing wrote:
>>
>> Putting things in the automated bogon feeds (e.g. Team Cymru) that are not
>> strictly bogons (unallocated addresses) is likely to very quickly erode
>> trust in those services, if that is what you are suggesting.
>
> We all want a "really really bad stuff" BGP feed for anyone who wants it,
> but the Internet is not ready for that.



Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-18 Thread Andy Davidson


On 17 Sep 2008, at 18:32, David Ulevitch wrote:

> At the end of the day, nobody is going to drop packets for amazon's
> IP space.

I have a customer that sells online, and is dropping stuff from ec2
today due to abuse.


Andy



Re: Procedure to Change Nameservers

2008-09-18 Thread Jo Rhett

On Sep 16, 2008, at 3:50 PM, Crist Clark wrote:

> I want to change the nameservers for a bunch of domains

Then ask the question on a list related to DNS.

--  
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness






RE: Procedure to Change Nameservers

2008-09-18 Thread Joe Blanchard
 

 
Typical answer from an uneducated DNS expert.

Jo Rhett's comments and experience are simplistic in nature
and useless at best.

Given that your SOA DNS is one, it would be quite simple to do so.
If the Domains in question are SOA'd at many different
sources, then I would say you have a bit of work in front of
you. You would have to contact each of the SOAs and change them.
If you're sourcing your own SOA, then it's simple. Contact me off
list and we can discuss the details.

Cheers,
-Joe Blanchard
 
 
> 
> > -Original Message-
> > From: Jo Rhett [mailto:[EMAIL PROTECTED]
> > Sent: Thursday, September 18, 2008 5:45 AM
> > To: Crist Clark
> > Cc: Nanog
> > Subject: Re: Procedure to Change Nameservers
> > 
> > On Sep 16, 2008, at 3:50 PM, Crist Clark wrote:
> > > I want to change the nameservers for a bunch of domains
> > 
> > Then ask the question on a list related to DNS.
> > 
> > --
> > Jo Rhett
> > Net Consonance : consonant endings by net philanthropy, open source 
> > and other randomness
> > 
> > 




Re: Mechanisms for a multi-homed host to pick the best router

2008-09-18 Thread Cayle Spandon
Hi Paul,

Thank you very much for the confirmation that the idea is sane and for the
pointers to the additional information.

-- Cayle

On Wed, Sep 17, 2008 at 11:49 PM, Paul Vixie <[EMAIL PROTECTED]> wrote:

> [EMAIL PROTECTED] ("Cayle Spandon") writes:
>
> > (My apologies, in advance, for the fact that this question is very long
> > winded.)
>
> np.
>
> > I have a server which is multi-homed to N routers as shown below:
> >
> >  +---+
> > R1---|   |
> >  |   |
> > R2---|   |
> > ...  | S |
> >  |   |
> > Rn---|   |
> >  +---+
> >
> > This server is a host; it is not a router in the sense that it will never
> > forward any packets (but it might run routing protocols as discussed
> below).
> >
> > Also, for the sake of simplicity in this discussion, let's say this
> server
> > only receives inbound TCP connections; it never initiates outbound TCP
> > connections.
> >
> > Finally, this server has a loopback address L. All traffic destined to
> the
> > server uses address L as the destination address. All N routers have a
> > static route to L and inject that route into their routing protocol
> > (possibly as part of an aggregate).
> >
> > Now, imagine the server receives an inbound connection from another host
> > whose address is A. Thus, the TCP SYN packet which S receives has source
> > address A and destination address L.
> ...
> > For all these reasons, I don't want to run BGP on the server.
>
> "too many moving parts."
>
> > Someone suggested an idea to me which seems almost too simple to work, but
> I
> > cannot find any good reason why it would not work.
> >
> > The idea is "the server simply sends all outbound traffic for the TCP
> > connection out over the same interface over which the most recent TCP
> > traffic for that connection was received".
> >
> > So, for example, if the server receives the SYN from router R3, it would
> > send the SYN ACK and all subsequent packets for the TCP connection over
> that
> > same interface R3.
> > ...
>
> right idea.  works great.  see the following:
>
> http://www.academ.com/nanog/feb1997/multihoming.html
> http://www.irbs.net/internet/nanog/9706/0232.html
> http://gatekeeper.dec.com/pub/misc/vixie/ifdefault/
>
> > ...
> > I can think of the following problems with this approach:
> >
> > (Problem 1) It only works for inbound TCP connections and not for
> outbound
> > TCP connections. For outbound TCP connections we would not know which
> router
> > to send the first SYN packet to.
>
> you said above you only needed inbound.  for outbound and udp: round robin.
>
> > ...
> > My question for the NANOG community are these:
> >
> > (Question 1) Can you think of any additional problems with this approach?
> > Specifically, I am interested in persistent failures in the absence of
> > topology changes.
>
> topology change frequency is in a different order of magnitude than the
> usual tcp session startup frequency, so unless you've got long running tcp
> sessions which won't restart on a connection reset, you've got no problem,
> and if you do have that kind of tcp session, you've already got problems.
>
> > (Question 2) Is there another mechanism for the server (a multi-homed
> host)
> > to pick a best router, short of running stub BGP? Are there any standards
> > for this?
>
> there are a bazillion patented and/or ubersecret ways to do this.  noone
> has
> ever demonstrated anything that works better than an undercommitted network
> with undercommitted connections to other undercommitted first-hop networks.
>
> > (Question 3) If the answer to question 2 is "no", is there any interest
> > in standardizing a protocol for a multi-homed host to pick a best
> > next-hop router? One could think of this is a host-to-router routing
> > protocol. One might call the existing routing protocols router-to-router
> > protocols (because I think we are abusing them by running them on
> > hosts). This is somewhat analogous to the multicast routing world where
> > we use different protocols for router-to-router multicast (PIM) versus
> > host-to-router (IGMP).
>
> sadly, this has been tried, but it always runs into least-cost routing
> issues
> whereby not only the predicted connection quality but also contract details
> like whether this is over or under the per-period minima and how many
> quatloos
> per kilosegment it will cost all have to get exchanged at high speed with
> low
> latency and good accuracy.  been there, did that, got no useful t-shirt
> even.
> --
> Paul Vixie
>
>
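The "send the reply out the interface the request came in on" rule discussed in the exchange above, as an added simulation; this is not code from the thread nor from the ifdefault work Paul links to. The uplink names R1..R3, the Packet record, the addresses and the flow-table layout are constructed. It also shows the two limits Cayle raises: a flow the host itself originates has no ingress to mirror (so it is spread round robin, as the reply suggests for outbound and UDP), and a flow pinned to an uplink that has since gone down has nowhere to go under the bare heuristic.

```python
"""Simulation of a multi-homed host that mirrors the ingress uplink.

Added example, not code from the thread.  R1..R3, the Packet record and all
addresses are constructed for illustration.
"""
from collections import namedtuple
from itertools import cycle

# A packet as seen by the server S: src/dst from the IP header, iface is the
# uplink (one per router R1..Rn) on which it arrived.
Packet = namedtuple("Packet", "src dst sport dport flags iface")


class IngressPinnedHost:
    """Host S with N uplinks.  Every inbound TCP packet re-pins its flow to
    the uplink it arrived on; S's own packets for that flow use the pin.
    Flows S originates have no ingress to mirror and are spread round robin
    (the reply's suggestion for outbound TCP and UDP)."""

    def __init__(self, ifaces):
        self.ifaces = list(ifaces)
        self.down = set()
        self.flows = {}            # (peer, local, peer_port, local_port) -> uplink
        self._rr = cycle(self.ifaces)

    def receive(self, pkt):
        """Record the ingress uplink.  The most recent packet wins, so when a
        topology change moves the peer's packets to another uplink, S follows."""
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        self.flows[key] = pkt.iface
        return key

    def link_down(self, iface):
        self.down.add(iface)

    def link_up(self, iface):
        self.down.discard(iface)

    def _round_robin(self):
        # Try each uplink once; skip the ones currently down.
        for _ in self.ifaces:
            iface = next(self._rr)
            if iface not in self.down:
                return iface
        return None

    def egress(self, peer, local, peer_port, local_port):
        """Uplink S should use for a packet to peer, or None when the pinned
        uplink is down: the bare heuristic has no fallback, which is the
        "connection dropped despite an alternative path" problem."""
        key = (peer, local, peer_port, local_port)
        iface = self.flows.get(key)
        if iface is None:
            iface = self._round_robin()
            if iface is not None:
                self.flows[key] = iface
            return iface
        return None if iface in self.down else iface
```

A real implementation would keep this table in the kernel's connection tracking rather than in user space, and would need a policy for the None case (re-pin to a live uplink, or let the connection die as the thread assumes).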


Re: Mechanisms for a multi-homed host to pick the best router

2008-09-18 Thread Cayle Spandon
Hi Laurence,

RE> why would you not send the reply out the same spigot you got the request
on?

Yes, that's exactly what I was trying to ask in the e-mail (in a much more
verbose way than you :-).

The problems I could think of are:

- It only works for inbound TCP connections.

- The TCP connections might be dropped after a topology change despite the
existence of an alternative path.

I was wondering if anyone else knows of any additional problems.

-- Cayle


Re: Atrivo/Intercage: Now Only 1 Upstream

2008-09-18 Thread Patrick W. Gilmore

On Sep 17, 2008, at 4:07 PM, David Ulevitch wrote:

> Patrick W. Gilmore wrote:
>> On Sep 17, 2008, at 1:32 PM, David Ulevitch wrote:
>>> At the end of the day, nobody is going to drop packets for
>>> amazon's IP space.
>> I'm afraid reality disagrees with you - there already are networks
>> doing it.
>>
>> Being big does not guarantee you ability to do Bad Things.
>
> I didn't imply that it did.

Actually, that is exactly what you did.

> But the ability to block without causing significant collateral
> damage becomes more and more difficult as IPs become less tied to
> the organization using them.

True (and rather obvious).  Here's another obviously true statement:
As more & more spam comes from a set of IP addresses, it becomes less
& less likely you should accept e-mail from that space.

> That said, you're right that people are doing it now.  Consensus
> from friends running their apps on EC2 is that you can't expect to
> be able to send any email from EC2 and hope for a high
> deliverability rate.

Not news to anyone who works on anti-spam or e-mail deliverability.
Perhaps the collateral damage will force Amazon to get things fixed
faster.

Or maybe not, but either way I don't see how you can blame someone for
not wanting to accept e-mail from EC2.


--
TTFN,
patrick




Seattle Peering

2008-09-18 Thread Paul Stewart
Hi folks...

We're working on some plans to peer in the Seattle area.  Choices so far
considered are SIX and PAIX Seattle pretty much

I was of the impression that if you get a port on one of these
exchanges, you can connect to the other one as well?  Just looking for
clarification from folks who are connected out there..;)  Any charges to
go between the exchanges or it just included?


Thanks,

Paul







"The information transmitted is intended only for the person or entity to which 
it is addressed and contains confidential and/or privileged material. If you 
received this in error, please contact the sender immediately and then destroy 
this transmission, including all attachments, without copying, distributing or 
disclosing same. Thank you."



Re: Seattle Peering

2008-09-18 Thread Michael K. Smith
Hello Paul:


On 9/18/08 8:01 AM, "Paul Stewart" <[EMAIL PROTECTED]> wrote:

> Hi folks...
> 
> We're working on some plans to peer in the Seattle area.  Choices so far
> considered are SIX and PAIX Seattle pretty much
> 
> I was of the impression that if you get a port on one of these
> exchanges, you can connect to the other one as well?  Just looking for
> clarification from folks who are connected out there..;)  Any charges to
> go between the exchanges or it just included?
> 
Speaking from the SIX side, there is no charge to connect to the fabric if
you supply the optics, and there is a one-time fiber cross connect charge of
$200.00 US.  The SIX and PAIX are directly connected and you can peer across
the fabric.  The SIX page is http://www.seattleix.net for more info or you
can email me directly.

I have no idea about charges related to PAIX.

Mike
SIX Tech Guy Hat On




Re: Mechanisms for a multi-homed host to pick the best router

2008-09-18 Thread Valdis . Kletnieks
On Wed, 17 Sep 2008 22:32:29 EDT, Cayle Spandon said:

> (Problem 2) If there is a topology change after the TCP connection has been
> established, the traffic might follow a sub-optimal path.

Another possibility is that the connection was originally established *during*
a link outage, so the initial part of the connection was done over a sub-optimal
path, and that the topology change puts it back to the normal better path...

A possible *bigger* issue is that "toss the reply packet back where the
original came from" makes traffic-engineering your outbound packets a lot more
challenging - you end up having to play announcement games upstream of your
N routers to engineer your *inbound* traffic so your outbound packets do what
you want.




RE: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-18 Thread Azinger, Marla
I use RWHOIS for proof of who we assign and allocate address space to.  I don't 
believe an LOA is any more valid or secure than my RWHOIS database that I keep 
and update on a daily basis.  In this case I find it a waste of time when 
people ask me for LOA's when they can verify the info on my RWHOIS site.  And I 
point these people to my RWHOIS site when they ask for LOA as opposed to 
wasting my time on creating paperwork. However, if you don't have something like 
that set up, then I do see the value in people asking for LOA and thus helping 
to ensure address space isn't getting hijacked.

My 2 cents
Marla Azinger
Frontier Communications

-Original Message-
From: Joe Greco [mailto:[EMAIL PROTECTED]
Sent: Wednesday, September 17, 2008 9:22 AM
To: Raoul Bhatia [IPAX]
Cc: nanog@nanog.org
Subject: Re: LoA (Letter of Authorization) for Prefix Filter Modification?

> Joe Greco wrote:
> > How do you verify the authenticity of anything?  This is a common
> > problem in the Real World, and is hardly limited to LoA's.
> >
> > How do you prove that what was on Pages 1 to (N-1) of an N page
> > contract contained the words you think they said?  I knew a guy,
> > back in the early days, who habitually changed the SLA's in his
> > contracts so that he could cancel a contract for virtually no reason
> > at all ... the folly of mailing around contracts as .doc files in
> > e-mail.  But even failing that, it's pretty trivial to reprint a
> > document, so where do you stop, do you use special paper, special
> > ink, watermarking of documents, initial each page, all of the above, etc?
>
> what about using a digital signation of e.g. a pdf version of a scan?

Try putting that up next to an apparently legitimate but actually subtly 
modified paper contract with signatures, in a court of law, and feel free to 
inform us of which one the court finds more compelling.

In an environment where there's an established history and standard procedures, 
they're typically going to prefer the familiar method.

In our world, if we were to have some sort of crypto-based way to have a 
netblock owner sign something like that, yeah, that'd be great, and it would 
mean that the community would generally be able to manage the issue without 
having to resort to faxed-around LoA's, etc., but we don't have that 
infrastructure, or even a common/widespread LoA system.  Sigh.

I'm not arguing that some sort of technical/crypto infrastructure for 
authorizing the advertisement of space shouldn't be developed, and in fact I 
think it should.  However, as an interim step, things like LoA's are much 
better than nothing at all, and worrying about the authenticity of an LoA is 
probably not worth the time and effort, given the way these things tend to work 
out.  If there's cause for concern, those who are receiving the LoA's will ramp 
up the paranoia.

... JG
--
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We 
call it the 'one bite at the apple' rule. Give me one chance [and] then I won't 
contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 
24 million small businesses in the US alone, that's way too many apples.




Re: LoA (Letter of Authorization) for Prefix Filter Modification?

2008-09-18 Thread Stephen Sprunk

Azinger, Marla wrote:

> I use RWHOIS for proof of who we assign and allocate address space to.  I don't 
> believe an LOA is any more valid or secure than my RWHOIS database that I keep 
> and update on a daily basis.  In this case I find it a waste of time when 
> people ask me for LOA's when they can verify the info on my RWHOIS site.  And I 
> point these people to my RWHOIS site when they ask for LOA as opposed to 
> wasting my time on creating paperwork. However, if you don't have something like 
> that set up, then I do see the value in people asking for LOA and thus helping 
> to ensure address space isn't getting hijacked.


How is _you_ showing information in an RWHOIS server that _you_ control 
in any way proving that the holder of an address block is authorizing 
_you_ to advertise it on their behalf?  It is not unreasonable for your 
upstreams to ask for some proof _from the holder_ rather than simply 
trusting you.  For all they know, you're just hijacking random address 
space and putting it in your RWHOIS server.


Would you be happy if some random Tier 1 started letting _their_ 
customers advertise _your_ address space, just because those customers 
had put up an RWHOIS server claiming it was theirs?


This is not about asking you for an LoA for your own address space, 
which any moron can follow in a reasonably trustworthy chain from ARIN 
to you.  It's about address space that is _not_ directly registered to 
the company trying to get a filter exception.


S



Re: Mechanisms for a multi-homed host to pick the best router

2008-09-18 Thread William Waites

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

>> So, for example, if the server receives the SYN from router R3, it would
>> send the SYN ACK and all subsequent packets for the TCP connection over that
>> same interface R3.
>> ...
>
> right idea.  works great.  see the following:
>
> http://www.academ.com/nanog/feb1997/multihoming.html
> http://www.irbs.net/internet/nanog/9706/0232.html
> http://gatekeeper.dec.com/pub/misc/vixie/ifdefault/



This approach is particularly useful for hosts with multiple IPv6 tunnels. Some
tunnel providers implement strict RPF, some don't. Where this is the case,
having multiple tunnels (cf multiple address ranges) is problematic. Of course
these days perhaps the IPv4 variant could be done with a stateful NAT.


Maybe a case could be made for IPv6 NAT (and site-local addresses?) in
this scenario...


- -w
- --
William Waites   <[EMAIL PROTECTED]>
http://www.irl.styx.org/  +49 30 8894 9942
CD70 0498 8AE4 36EA 1CD7  281C 427A 3F36 2130 E9F5

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (Darwin)

iEYEARECAAYFAkjSlsMACgkQQno/NiEw6fWEhACfcVGZ5qEbvESVCWxQibkm/jLp
wKsAn1lQWcMO+fk5ZV5V08narSfoC/gF
=tlbx
-END PGP SIGNATURE-



Re: Procedure to Change Nameservers

2008-09-18 Thread Jay R. Ashworth
- "Crist Clark" <[EMAIL PROTECTED]> wrote:
> I want to change the nameservers for a bunch of domains. Really,
> all I want to do is change the IP address, but it seems easier
> just to change both the name and IP to avoid any possibility of
> confusion. However, I am not "physically" moving the services.
> These are the same physical servers, just an additional IP address
> assigned to the appropriate interface. I want to do this the
> "right" way.

> Not really too bad. At least we don't have to send in host
> record templates anymore.

In fact, some registrars do require that they have the new zone nameserver
names and IP addresses registered, at least with themselves, and if it's a 
new zone, you may not be able to put them inside the zone on first setup;
Domain Discover just did this to me on a change, and I believe I've had the
latter happen to me as well: the automated system wanted to *validate* the
IP to name mapping in... um, DNS.

For a new domain.

Which wasn't up yet.



Cheers,
-- jra
-- 
Jay R. Ashworth   Baylink  [EMAIL PROTECTED]
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274

 Those who cast the vote decide nothing.
 Those who count the vote decide everything.
   -- (Josef Stalin)




Re: Procedure to Change Nameservers

2008-09-18 Thread Jay R. Ashworth
- [EMAIL PROTECTED] wrote:
> > Free sites that perform similar DNS configuration checks that I know
> of 
> > are:
> > 
> > http://dnssy.com
> > http://www.intodns.com
> 
> Just to add to the list:
> http://squish.net/dnscheck/

Wow.  Nice one.  All three added to wiki.outages.org.

Cheers,
-- jra
-- 
Jay R. Ashworth   Baylink  [EMAIL PROTECTED]
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com '87 e24
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274

 Those who cast the vote decide nothing.
 Those who count the vote decide everything.
   -- (Josef Stalin)




Re: Procedure to Change Nameservers

2008-09-18 Thread bmanning
On Thu, Sep 18, 2008 at 07:31:37PM -0400, Jay R. Ashworth wrote:
> - "Crist Clark" <[EMAIL PROTECTED]> wrote:
> > I want to change the nameservers for a bunch of domains. Really,
> > all I want to do is change the IP address, but it seems easier
> > just to change both the name and IP to avoid any possibility of
> > confusion. However, I am not "physically" moving the services.
> > These are the same physical servers, just an additional IP address
> > assigned to the appropriate interface. I want to do this the
> > "right" way.
> 
> > Not really too bad. At least we don't have to send in host
> > record templates anymore.
> 
> In fact, some registrars do require that they have the new zone nameserver
> names and IP addresses registered, at least with themselves, and if it's a 
> new zone, you may not be able to put them inside the zone on first setup;
> Domain Discover just did this to me on a change, and I believe I've had the
> latter happen to me as well: the automated system wanted to *validate* the
> IP to name mapping in... um, DNS.
> 
> For a new domain.
> 
> Which wasn't up yet.
> 
> 
> 
> Cheers,
> -- jra

well, wearing my oldschool hat, the service should be working on the 
authoritative servers -prior- to asking the parent to jump in - do some work - 
and send me a bill.  validation can work just fine w/ address literals.

--bill
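The two checks this sub-thread turns on, as an added example that is not code from bmanning's or Jay's posts: which of the new nameserver names sit inside the zone itself (the parent can only reach those through address literals, i.e. glue, until the delegation exists, which is the chicken-and-egg Jay hit), and whether a prospective server already answers for the zone authoritatively before the parent is asked to delegate. The zone name, nameserver names and the reply bytes are constructed; the query built here would normally be sent over UDP port 53 to each new server's address literal, which is left out so the block runs offline.

```python
"""Pre-delegation checks: in-bailiwick NS names and an AA answer.

Added example, not from the thread.  ZONE, NEW_NS and the reply bytes are
constructed so the checks can run without a network.
"""
import struct

QTYPE_NS = 2
QCLASS_IN = 1


def in_bailiwick(zone, ns_name):
    """True when ns_name is the zone itself or lies inside it."""
    z = zone.rstrip(".").lower()
    n = ns_name.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def glue_needed(zone, ns_names):
    """Nameserver names the parent cannot resolve without glue (address
    literals) until the zone itself is delegated and answering."""
    return sorted(n for n in ns_names if in_bailiwick(zone, n))


def encode_name(name):
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype=QTYPE_NS, txid=0x1234):
    """Wire-format query: id, flags with RD set, one question."""
    return (struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
            + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN))


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it).
    Pointer hops are bounded so a looping pointer cannot hang the check."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(msg):
    """Header flags plus the NS targets found in the answer section."""
    txid, flags, qd, an, _nscount, _arcount = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": txid, "qr": bool(flags & 0x8000),
            "aa": bool(flags & 0x0400), "rcode": flags & 0x000F, "ns": []}
    off = 12
    for _ in range(qd):                           # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_NS:
            info["ns"].append(decode_name(msg, off)[0])
        off += rdlen
    return info


def authoritative_for(msg, expected_ns):
    """True when the reply is AA, NOERROR and its NS RRset matches what we
    are about to hand the parent."""
    r = parse_response(msg)
    return (r["qr"] and r["aa"] and r["rcode"] == 0
            and sorted(n.lower() for n in r["ns"])
            == sorted(n.lower() for n in expected_ns))


def _rr(owner, rtype, rdata, ttl=3600):
    return owner + struct.pack("!HHIH", rtype, QCLASS_IN, ttl, len(rdata)) + rdata


# Constructed reply from the prospective new server: QR|AA, NOERROR, two NS
# records; the second owner name is a compression pointer to the question.
ZONE = "example.net."
NEW_NS = ["ns1.example.net.", "ns2.example.net."]
GOOD_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2, 0, 0)
              + encode_name(ZONE) + struct.pack("!HH", QTYPE_NS, QCLASS_IN)
              + _rr(encode_name(ZONE), QTYPE_NS, encode_name(NEW_NS[0]))
              + _rr(b"\xc0\x0c", QTYPE_NS, encode_name(NEW_NS[1])))
# Same bytes with AA cleared: a server that merely caches the zone.
LAME_REPLY = GOOD_REPLY[:2] + struct.pack("!H", 0x8000) + GOOD_REPLY[4:]
```

Run `glue_needed(ZONE, NEW_NS)` first to see which names must go to the registrar as address literals, then send `build_query(ZONE)` to each new server and pass the reply to `authoritative_for` before touching the delegation.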



Re: Mechanisms for a multi-homed host to pick the best router

2008-09-18 Thread Brighten Godfrey
> When the server sends TCP traffic for that same connection back to host A,
> it needs to pick one of the N routers, in other words, it needs to pick an
> outbound interface from its N interfaces.
>
> ...
> The problem is that some routers are "better" than other routers in the
> sense that they are closer to the final destination address A. (For example,
> each router could be connected to a different ISP.)
>
> One way for the server to pick the "optimal" downstream router, is to run
> "stub BGP" between the server and each of the routers.
>
> ...
> While this approach would certainly allow the server to pick the optimal
> downstream router in all cases, I would prefer not to run routing protocols
> on this server for a number of reasons:

It's probably good to keep in mind that this would be "optimal", not  
optimal.  As far as I know the best you would get is to minimize the  
number of AS hops, which is probably correlated with, but definitely  
not the same as, metrics you actually care about like latency.  All  
in all, running BGP does seem like an awful lot of work just to let  
you optimize for the wrong metric.


Here's another thought, though.  You don't need to run BGP to get the  
data that BGP will give you.  There exist approximate maps of the  
Internet at the router or AS level with IP prefixes attached.  It  
would be possible to periodically obtain one of these graphs, e.g.  
from CAIDA, and then run a shortest-paths algorithm on that graph to  
decide based on the destination IP address which router is best.  Not  
only does this let you avoid running BGP, it also saves memory since  
you need only one copy of the graph, rather than one copy for each of  
the N BGP sessions.  Of course, it's not real-time data, but if all  
you need is a good guess as to which of the outbound interfaces is  
best, it might be sufficient.


Does anyone actually do something like this in practice?  (I'm  
guessing no)


> Someone suggested an idea to me which seems almost too simple to work, but I
> cannot find any good reason why it would not work.
>
> The idea is "the server simply sends all outbound traffic for the TCP
> connection out over the same interface over which the most recent TCP
> traffic for that connection was received".


So the underlying idea here is that the source (or its ISP) has  
effectively done the work of picking a good path, and by replying on  
the same interface, you use the reverse of that path, which is also  
likely to be pretty good.


Some of the assumptions in that reasoning seem imperfect:

- There's a good chance the forward path (i.e. the one the source  
picked) isn't the best.
- Asymmetry, as you noted: Even if the forward path was the best, the  
reverse of it is not necessarily the best.
- A different asymmetry: Even if the forward was best and the reverse  
of it is best, the path followed by sending on the same interface is  
not necessarily the reverse of the forward path.


So I understand that this heuristic could perform pretty well in  
practice, and certainly better than sending on a random interface (in  
terms of latency, not traffic engineering).  But I can't see how it's  
the optimal strategy.


I think there are commercial products that solve this problem the  
"right" way, by automatically and dynamically monitoring path quality  
and availability, and selecting paths for you.  I think the Avaya  
Converged Network Analyzer is one.  I recall speaking with an  
operator from a major content provider who said that they use an  
intelligent route selection product similar to this for their  
outbound traffic.  I'd be personally interested to hear what other  
operators typically use.


~Brighten Godfrey
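The offline-map approach sketched above, as an added example that is neither Brighten's code nor a CAIDA dataset: a constructed AS-level adjacency list stands in for the downloaded graph, a prefix table gives the destination's origin AS by longest-prefix match, and a breadth-first search from each uplink's provider AS ranks the uplinks by AS-hop count, the metric the post notes is only a proxy for latency. The AS numbers, prefixes and the uplink-to-provider mapping are constructed; with a real map the per-uplink distance tables would be computed once per map refresh, not per packet.

```python
"""Choose an uplink by AS-hop distance on an offline AS-level graph.

Added example, not from the post.  AS_LINKS, PREFIX_ORIGIN and UPLINK_AS
are constructed stand-ins for a CAIDA-style topology and a prefix table.
"""
import ipaddress
from collections import deque

# Constructed undirected AS adjacency (private-use ASNs).
AS_LINKS = [
    (64500, 64501), (64500, 64502), (64501, 64510), (64502, 64511),
    (64510, 64520), (64511, 64520), (64511, 64530), (64520, 64540),
    (64511, 64540),
]
# Constructed prefix -> origin AS table; a more specific /25 has its own origin.
PREFIX_ORIGIN = {
    "198.51.100.0/24": 64540,
    "198.51.100.128/25": 64530,
    "203.0.113.0/24": 64510,
    "100.64.0.0/10": 64599,       # origin absent from the map: unreachable
}
# Constructed: server uplink -> the provider AS that router connects to.
UPLINK_AS = {"R1": 64501, "R2": 64502}


def build_graph(links):
    g = {}
    for a, b in links:
        g.setdefault(a, set()).add(b)
        g.setdefault(b, set()).add(a)
    return g


def origin_as(ip, table):
    """Longest-prefix match of ip against the table; None when no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for pfx, asn in table.items():
        net = ipaddress.ip_network(pfx)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return None if best is None else best[1]


def hop_counts_from(graph, src):
    """BFS: AS-hop distance from src to every AS reachable in the map."""
    dist = {src: 0}
    q = deque([src])
    while q:
        u = q.popleft()
        for v in graph.get(u, ()):
            if v not in dist:
                dist[v] = dist[u] + 1
                q.append(v)
    return dist


def best_uplink(ip, links=AS_LINKS, table=PREFIX_ORIGIN, uplinks=UPLINK_AS):
    """Uplink whose provider AS is fewest hops from ip's origin AS; ties
    break on uplink name; None when the destination is unknown or unreachable."""
    graph = build_graph(links)
    dst_as = origin_as(ip, table)
    if dst_as is None:
        return None
    ranked = []
    for iface, asn in uplinks.items():
        d = hop_counts_from(graph, asn).get(dst_as)
        if d is not None:
            ranked.append((d, iface))
    return min(ranked)[1] if ranked else None
```

The None results are the cases a deployment must handle explicitly: fall back to the ingress-mirroring or round-robin rule rather than drop the packet, since the map is both incomplete and stale by construction.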



Anyone have experience with Alcatel 9500MXC?

2008-09-18 Thread Tom Storey
Hi all.

I have several of these units deployed, they are all running fine, but I
am looking for information about them, specifically SNMP related.

Our Alcatel contacts have given us a collection of MIBs, from which I can't
really get anything useful out of the radios. Other than that they don't
seem too hell bent on providing much further help on this subject.

Hoping someone else on here might have experience with these units and can
share some information about how to get useful information out of them via
SNMP, like traffic and error counters, signal parameters, alarm status,
etc.

Cheers,
Tom




Re: Anyone have experience with Alcatel 9500MXC?

2008-09-18 Thread Colin Alston
Tom Storey wrote:
> Hi all.
> 
> I have several of these units deployed, they are all running fine, but I
> am looking for information about them, specifically SNMP related.
> 
> Our Alcatel contacts have given us a collection of MIBs, from which I can't
> really get anything useful out of the radios. Other than that they don't
> seem too hell bent on providing much further help on this subject.
> 
> Hoping someone else on here might have experience with these units and can
> share some information about how to get useful information out of them via
> SNMP, like traffic and error counters, signal parameters, alarm status,
> etc.

Excuse my ignorance (never touched such a device) but would doing an
snmpwalk over the device not help?

MIB's for traffic on interfaces should be fairly standard unless Alcatel
smoked their socks.