RE: IPv6 allocations, deaggregation, etc.

2009-12-23 Thread George Bonser
Apologies in advance for the top post.   

 

My initial idea was to use a /48, divide it up into /56 nets for each facility 
with /64 subnets within each facility.  We would announce a /48 to our transit 
providers that I would expect them to announce in turn to their peers and we 
would also announce the more specific /56 nets to the transit providers that I 
would expect them not to announce to their peers.  My current vlan requirements 
per facility would support such an addressing plan.  In order to make that 
work, we would need the same transit providers in each region as our locations 
are not meshed internally.  We don’t have dedicated connectivity from the US to 
the UK or China, for example.  Currently that is not a problem as far as 
connectivity is concerned as my US providers appear in Europe and my China 
provider appears in the US. BUT when I consider the possibilities of South 
America and Africa and finding a transit provider that has a robust presence 
everywhere, my choices are very limited.  I need to be multihomed and I need to 
be provider agnostic in my addressing.

 

Using that scheme above does create some potential performance issues. While my 
transit provider collects the traffic from a remote location and routes it to 
the more specific location in my network, if a provider in Europe, for example, 
sees only the /48 announced from the US, maybe they haul the traffic across an 
ocean to a point where they peer with my provider … who then must haul it back 
to Europe to the /56 corresponding to the destination because the original 
traffic source doesn’t see my /56 unless they are using the same transit 
provider I am.

 

Then based on earlier discussion on the list a while back, I was concerned that 
a /48 wasn’t even enough to get me connected to some nets that were apparently 
filtering smaller than a /48 but my mind is somewhat eased in that respect and 
I believe that a /48 announced from space where /48s are issued will be 
accepted by most people.

 

Then I was informed of ARIN 2009-5 which seems aimed at our situation; data 
centers widely separated by large geographical distances that are fairly 
autonomous and aren’t directly connected by dedicated links.  It now seems that 
we (and the rest of the Internet) might be better served if we get a RIPE AS 
and net block for our Europe operations, and APNIC AS and net block for our 
APAC operations and get a regional /48 that I can split into /56 nets for the 
various satellite facilities within that region as those satellite offices CAN 
be directly connected to the regional data center which would act as the 
regional communications hub.

 

There are probably 16 different ways to slice this but I would like to get it 
as close to “right” as possible to prevent us having to renumber later while at 
the same time not taking more space than we need.  A /48 per region seems like 
the right way to go at the present time.  So we would have a /48 for the US, a 
/48 for Asia (and possibly one /48 dedicated to China) and a /48 for Europe.  
Satellite facilities would collect a /56 (or two or three) out of that regional 
block for their local use.  Then I am free from being nailed to the same 
providers globally and have less chance of traffic crossing an ocean twice.

 

The probability of needing 200 /48s in the next several years is pretty slim 
and does not warrant our getting a /32 when currently three or four /48 nets 
will fill the requirements.

 

Thanks again for the input, Mick.

 

George

 

 

From: Mick O'Rourke [mailto:mkorou...@gmail.com] 
Sent: Tuesday, December 22, 2009 10:43 PM
To: Joel Jaeggli
Cc: George Bonser; nanog@nanog.org
Subject: Re: IPv6 allocations, deaggregation, etc.

 

Is the idea behind the /48 being looked at (keeping in mind a mixed IPv4/IPv6 
environment & http://www.ietf.org/rfc/rfc5375.txt page 8) to have a /64 per 
smaller branch or VLAN, larger campus /56, and advertise out the /48 for the 
region? My previous thinking and biggest thinking point is enterprise level 
address allocation policy, impacts to device loopbacks, voice vlans, operational 
simplification requirements for management and security layers etc. The feel 
overall has been towards needing to have a /32, a /56 per site (campus to small 
branch) and internally within the site /64 per VLAN. A /48 becomes too small, a 
/32 very much borderline. Is this a similar scenario for you? How are you 
justifying a /48 vs a /32? 
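
The two plans discussed in this message, worked through as an added example that is not part of the original thread: carving /56 and /64 blocks out of a /48, and a longest-prefix-match lookup showing why a network that only hears the covering /48 delivers traffic to the US first. The prefixes come from the 2001:db8::/32 documentation range, and the facility layout and next-hop labels are constructed for illustration.

```python
import ipaddress


def carve(parent, new_prefix, index):
    """Return the index-th subnet of length new_prefix inside parent."""
    if new_prefix < parent.prefixlen:
        raise ValueError("new prefix must not be shorter than the parent prefix")
    if not 0 <= index < 2 ** (new_prefix - parent.prefixlen):
        raise ValueError("index falls outside the parent block")
    base = int(parent.network_address)
    return ipaddress.IPv6Network((base + (index << (128 - new_prefix)), new_prefix))


def subnet_count(parent, new_prefix):
    """How many blocks of length new_prefix fit inside parent."""
    return 2 ** (new_prefix - parent.prefixlen)


def longest_match(rib, destination):
    """Pick the next hop of the most specific prefix covering destination.

    rib is a list of (IPv6Network, next_hop_label) pairs, standing in for
    the routes one particular network has accepted.
    """
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, next_hop in rib:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


# --- Plan 1: one global /48, a /56 per facility (constructed sample) ---------
ORG_48 = ipaddress.IPv6Network("2001:db8:1::/48")
US_DC = carve(ORG_48, 56, 0)            # 2001:db8:1::/56
UK_DC = carve(ORG_48, 56, 1)            # 2001:db8:1:100::/56
UK_VLAN_10 = carve(UK_DC, 64, 10)       # one /64 per VLAN inside the facility
UK_HOST = str(UK_VLAN_10.network_address + 0x25)

# A customer of the same transit provider hears the /48 and the /56s.
SAME_TRANSIT_VIEW = [(ORG_48, "us-pop"), (US_DC, "us-pop"), (UK_DC, "uk-pop")]
# Everyone else hears only the covering /48, announced from the US.
OTHER_NETWORK_VIEW = [(ORG_48, "us-pop")]

# --- Plan 2: a /48 per region, each announced where it lives -----------------
US_48 = ipaddress.IPv6Network("2001:db8:1::/48")
EU_48 = ipaddress.IPv6Network("2001:db8:2::/48")
EU_HOST = str(carve(carve(EU_48, 56, 1), 64, 10).network_address + 0x25)
REGIONAL_VIEW = [(US_48, "us-pop"), (EU_48, "eu-pop")]


if __name__ == "__main__":
    print("UK facility block:", UK_DC, "VLAN 10:", UK_VLAN_10)
    print("same transit  ->", longest_match(SAME_TRANSIT_VIEW, UK_HOST))
    print("other network ->", longest_match(OTHER_NETWORK_VIEW, UK_HOST))
    print("regional /48s ->", longest_match(REGIONAL_VIEW, EU_HOST))
    print("/56s per /48:", subnet_count(ORG_48, 56),
          " /64s per /56:", subnet_count(UK_DC, 64),
          " /48s per /32:", subnet_count(ipaddress.IPv6Network("2001:db8::/32"), 48))
```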



Experiences with Comcast Ethernet/Transit service

2009-12-23 Thread Brandon Galbraith
We're looking at using Comcast's (business) transit and private ethernet
services at several client locations and I wanted to see what experiences
others have had regarding this. Off-list replies are preferred.

Thanks,
-brandon

-- 
Brandon Galbraith
Mobile: 630.400.6992


Re: Experiences with Comcast Ethernet/Transit service

2009-12-23 Thread Sean Head
I just started looking into them as well. Mind if I ask for similar 
info? (maybe just keep the responses on list?)


-Sean

On 2009.12.23 01:10:39, Brandon Galbraith wrote:
> We're looking at using Comcast's (business) transit and private ethernet
> services at several client locations and I wanted to see what experiences
> others have had regarding this. Off-list replies are preferred.
>
> Thanks,
> -brandon






[NANOG] Report on internet business

2009-12-23 Thread Takashi Tome
Hi All

Morgan Stanley has released a very interesting report on internet business with 
some tips to net operators:

http://www.morganstanley.com/institutional/techresearch/mobile_internet_report122009.html

Regards

Takashi Tome
CPqD
www.cpqd.com.br  


IGMP and PIM protection

2009-12-23 Thread Glen Kent
Hi,

Any idea if folks use AH or ESP to protect IGMP/PIM packets? Wondering
that if they do, then how would snooping switches work?

Affably,
Kent



Re: Article on spammers and their infrastructure

2009-12-23 Thread Rich Kulawiec
On Wed, Dec 23, 2009 at 01:58:47AM -0500, Christopher Morrow wrote:
> no real argument, but... 'please provide some set of workable solutions'

The set of workable solutions at this point looks something like "null
routes, firewall rules, blacklist entries" -- in order to deny traffic
to and from such locales.

I agree just about entirely with Ferg: the policy angle is a dead end.
The organizations involved are either clueless or entirely focused on
other goals (e.g., profit) at the expense of sound policy.

---Rsk



Re: IGMP and PIM protection

2009-12-23 Thread Peter Hicks

Glen Kent wrote:
> Any idea if folks use AH or ESP to protect IGMP/PIM packets? Wondering
> that if they do, then how would snooping switches work?
  
Would encrypting multicast not fundamentally break the concept of 
multicast itself, unless you're encrypting multicast traffic over a 
backbone?



Peter





Re: IGMP and PIM protection

2009-12-23 Thread David Barak
Multicast encryption using GDOI works well, although I haven't seen that 
implemented on a LAN.  If you're trying to provide encryption for LAN listeners 
(more accurately to exclude some LAN listeners) you'll probably find more bang 
for the buck in implementing this on a per-application basis.  That leaves the 
IGMP request subject to eavesdropping, but the data itself flows over a secure 
channel.  If instead you want the IGMP itself to be encrypted, then you'll need 
all of the switches to participate in the security protocol, and I would 
imagine that there are far easier ways to provide secure connections.  I 
believe GDOI is esp-only.

Cisco's term for GDOI is GETVPN.

-David Barak

On Wed Dec 23rd, 2009 7:26 AM EST Peter Hicks wrote:

>Glen Kent wrote:
>> Any idea if folks use AH or ESP to protect IGMP/PIM packets? Wondering
>> that if they do, then how would snooping switches work?
>>   
>Would encrypting multicast not fundamentally break the concept of multicast 
>itself, unless you're encrypting multicast traffic over a backbone?
>
>
>Peter
>
>
>



  



Re: IGMP and PIM protection

2009-12-23 Thread Dobbins, Roland

On Dec 23, 2009, at 6:41 PM, Glen Kent wrote:

> Any idea if folks use AH or ESP to protect IGMP/PIM packets

What are you trying to 'protect' them against?

---
Roland Dobbins  // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken






Re: IGMP and PIM protection

2009-12-23 Thread Glen Kent
>>
>
> Would encrypting multicast not fundamentally break the concept of multicast
> itself, unless you're encrypting multicast traffic over a backbone?
>

No, I wasn't alluding to encrypting the multicast traffic. I was
thinking of using ESP-NULL (AH is optional) for the IGMP/PIM packets.

Affably,
Kent
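
What ESP with NULL encryption gives an IGMP report, as an added example that is not part of the original thread: the receiver holding the key rejects a modified report, while a snooping switch without the key can still read the group address but cannot authenticate it. The ICV algorithm (HMAC-SHA1-96), the key, SPI and group addresses are assumptions chosen for illustration; the outer IP header and anti-replay handling are left out.

```python
import hashlib
import hmac
import socket
import struct

IPPROTO_IGMP = 2          # IP protocol number carried in ESP's Next Header
ICV_LEN = 12              # HMAC-SHA1-96: SHA-1 HMAC truncated to 96 bits
ESP_HDR_LEN = 8           # SPI (4 bytes) + sequence number (4 bytes)


def inet_checksum(data):
    """16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def igmpv2_report(group):
    """Build an 8-byte IGMPv2 Membership Report (type 0x16) for group."""
    addr = socket.inet_aton(group)
    csum = inet_checksum(struct.pack("!BBH4s", 0x16, 0, 0, addr))
    return struct.pack("!BBH4s", 0x16, 0, csum, addr)


def esp_null_wrap(key, spi, seq, payload, next_header=IPPROTO_IGMP):
    """ESP with NULL encryption: cleartext payload plus an integrity check."""
    pad_len = -(len(payload) + 2) % 4               # align trailer to 4 bytes
    padding = bytes(range(1, pad_len + 1))          # default 1, 2, 3... padding
    body = (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, next_header]))
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def _split(packet):
    """Return (next_header, payload) from an ESP-NULL packet, or None."""
    if len(packet) < ESP_HDR_LEN + 2 + ICV_LEN:
        return None
    body = packet[:-ICV_LEN]
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - ESP_HDR_LEN - 2:
        return None
    return next_header, body[ESP_HDR_LEN:len(body) - 2 - pad_len]


def esp_null_verify(key, packet):
    """Receiver with the key: return (next_header, payload) only if ICV is valid."""
    if len(packet) < ESP_HDR_LEN + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    return _split(packet)


def snoop_without_key(packet):
    """Snooping switch with no key.

    Nothing in the packet says the payload is NULL-encrypted or how long the
    ICV is, so the switch has to assume both. It can then read the group, but
    it has no way to tell a genuine report from a modified one.
    """
    parsed = _split(packet)
    if parsed is None or parsed[0] != IPPROTO_IGMP:
        return None
    payload = parsed[1]
    if len(payload) != 8 or payload[0] != 0x16 or inet_checksum(payload) != 0:
        return None
    return socket.inet_ntoa(payload[4:8])


# Constructed sample values, not taken from the thread.
DEMO_KEY = b"constructed-demo-key"
DEMO_PACKET = esp_null_wrap(DEMO_KEY, 0x1000, 1, igmpv2_report("239.1.1.1"))
# Same packet with the report swapped in transit and the old ICV left in place.
MODIFIED_PACKET = DEMO_PACKET[:8] + igmpv2_report("239.1.1.2") + DEMO_PACKET[16:]

if __name__ == "__main__":
    print("receiver, genuine :", esp_null_verify(DEMO_KEY, DEMO_PACKET))
    print("receiver, modified:", esp_null_verify(DEMO_KEY, MODIFIED_PACKET))
    print("switch, genuine   :", snoop_without_key(DEMO_PACKET))
    print("switch, modified  :", snoop_without_key(MODIFIED_PACKET))
```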



Re: IGMP and PIM protection

2009-12-23 Thread Glen Kent
On Wed, Dec 23, 2009 at 7:46 PM, Dobbins, Roland  wrote:
>
> On Dec 23, 2009, at 6:41 PM, Glen Kent wrote:
>
>> Any idea if folks use AH or ESP to protect IGMP/PIM packets
>
> What are you trying to 'protect' them against?

Just integrity protection to ensure that my reports, etc. are not
mangled when I recv them. OR to make sure that I only receive
reports/leaves from the folks who are supposed to send them.

Please note that I am NOT interested in encrypting the control traffic.

Kent

>
> ---
> Roland Dobbins  // 
>
>    Injustice is relatively easy to bear; what stings is justice.
>
>                        -- H.L. Mencken
>
>
>
>
>



Re: IGMP and PIM protection

2009-12-23 Thread Dobbins, Roland

On Dec 23, 2009, at 9:19 PM, Glen Kent wrote:

> Just integrity protection to ensure that my reports, etc. are not mangled 
> when I recv them. OR to make sure that I only receive reports/leaves from the 
> folks who are supposed to send them.

I echo the previous respondent who noted that this is probably best done at the 
application layer, FWIW.

---
Roland Dobbins  // 

Injustice is relatively easy to bear; what stings is justice.

-- H.L. Mencken






Re: Article on spammers and their infrastructure

2009-12-23 Thread Joel Jaeggli


Rich Kulawiec wrote:
> On Wed, Dec 23, 2009 at 01:58:47AM -0500, Christopher Morrow wrote:
>> no real argument, but... 'please provide some set of workable
>> solutions'
> 
> The set of workable solutions at this point looks something like
> "null routes, firewall rules, blacklist entries" -- in order to deny
> traffic to and from such locales.
> 
> I agree just about entirely with Ferg: the policy angle is a dead
> end. The organizations involved are either clueless or entirely
> focused on other goals (e.g., profit) at the expense of sound policy.
> 

Gosh, there's no way I can create this public good, because someone
somewhere will use it in the commission of a crime notwithstanding all
the benefits it confers.

I'll just throw down props to Paul Samuelson since he's no longer with
us and leave it at that.

> ---Rsk
> 



Re: IGMP and PIM protection

2009-12-23 Thread Scott Morris
So we're looking to complicate things for the sake of complicating
them?  Using a predictable "security" doesn't exactly make things secure
does it?

On the links that you are running PIM or IGMP on, do you not have a
predictable set of clients and therefore problems?  Or are we trying to
protect against something I'm not thinking of?  ;)

Scott


Glen Kent wrote:
>> Would encrypting multicast not fundamentally break the concept of multicast
>> itself, unless you're encrypting multicast traffic over a backbone?
>>
>> 
>
> No, I wasn't alluding to encrypting the multicast traffic. I was
> thinking of using ESP-NULL (AH is optional) for the IGMP/PIM packets.
>
> Affably,
> Kent
>
>
>   



Re: IGMP and PIM protection

2009-12-23 Thread Scott Morris
But IGMP IS the control traffic with users.  And PIM IS the control
traffic between multicast routers.

?


Scott

Glen Kent wrote:
> On Wed, Dec 23, 2009 at 7:46 PM, Dobbins, Roland  wrote:
>   
>> On Dec 23, 2009, at 6:41 PM, Glen Kent wrote:
>>
>> 
>>> Any idea if folks use AH or ESP to protect IGMP/PIM packets
>>>   
>> What are you trying to 'protect' them against?
>> 
>
> Just integrity protection to ensure that my reports, etc. are not
> mangled when I recv them. OR to make sure that I only receive
> reports/leaves from the folks who are supposed to send them.
>
> Please note that I am NOT interested in encrypting the control traffic.
>
> Kent
>
>   
>> ---
>> Roland Dobbins  // 
>>
>>Injustice is relatively easy to bear; what stings is justice.
>>
>>-- H.L. Mencken
>>
>>
>>
>>
>>
>> 
>
>
>   



RE: IGMP and PIM protection

2009-12-23 Thread Stefan Fouant
> -Original Message-
> From: Scott Morris [mailto:s...@emanon.com]
> Sent: Wednesday, December 23, 2009 9:27 AM
> To: Glen Kent
> Cc: nanog@nanog.org
> Subject: Re: IGMP and PIM protection
> 
> But IGMP IS the control traffic with users.  And PIM IS the control
> traffic between multicast routers.

I think OP meant that he only wants an integrity check of the control
traffic, not confidentiality, hence the statement that he does not want to
encrypt the control traffic.

Stefan Fouant
www.shortestpathfirst.net
GPG Key ID: 0xB5E3803D




Re: FYI, new USG Cybersecurity Coordinator ...

2009-12-23 Thread andrew.wallace
On Wed, Dec 23, 2009 at 7:19 AM, Christopher Morrow
 wrote:
> (again, this seems really off topic, but)
>
> On Tue, Dec 22, 2009 at 7:33 PM, andrew.wallace
>  wrote:
>> though Gadi is Israeli and Marcus Sachs Pakistani and couldn't be
>
> marcus is pakistani?
>
>

"He was born in Lahore, Pakistan in 1959 and moved to Tallahassee,
Florida with his parents and younger brother in 1961." --Wikipedia.

http://en.wikipedia.org/wiki/Marcus_Sachs

To me it's amazing how deep into U.S. Intelligence and The White House
he's been allowed to go up until now.



Re: FYI, new USG Cybersecurity Coordinator ...

2009-12-23 Thread William Allen Simpson

andrew.wallace wrote:
> "He was born in Lahore, Pakistan in 1959 and moved to Tallahassee,
> Florida with his parents and younger brother in 1961." --Wikipedia.
>
> http://en.wikipedia.org/wiki/Marcus_Sachs

Just like many Americans.

> To me it's amazing how deep into U.S. Intelligence and The White House
> he's been allowed to go up until now.


   "... Georgia Institute of Technology in Atlanta, where he graduated in
   1981 with a Bachelor of Civil Engineering degree.

   "Commissioned as a Second Lieutenant of Engineers in the United States
   Army in 1981, he served over 20 years as an officer in the Army Corps of
   Engineers. He graduated from the United States Army Command and General
   Staff College, and holds a master's degree in Science and Technology
   Commercialization from the University of Texas and a master's degree in
   Computer Science from James Madison University."

An un-American mole, loyal to a country and a long-time US allied government
that he probably doesn't remember?

I'm wondering whether you're related to:

  http://en.wikipedia.org/wiki/George_Wallace




Re: FYI, new USG Cybersecurity Coordinator ...

2009-12-23 Thread Eric Brunner-Williams

+BIGINT

The real issues are (a) is this billet actually able to originate 
policy, (b) interpret existing policy, (c) at least find the RNC mail 
archive, (d) ...


Who the hell cares if the billet is filled by a Soviet Mole (tm) if the 
job is decoration?


Eric

On 12/23/09 12:42 PM, William Allen Simpson wrote:
> andrew.wallace wrote:
>> "He was born in Lahore, Pakistan in 1959 and moved to Tallahassee,
>> Florida with his parents and younger brother in 1961." --Wikipedia.
>>
>> http://en.wikipedia.org/wiki/Marcus_Sachs
>
> Just like many Americans.
>
>> To me it's amazing how deep into U.S. Intelligence and The White House
>> he's been allowed to go up until now.
>
>    "... Georgia Institute of Technology in Atlanta, where he graduated in
>    1981 with a Bachelor of Civil Engineering degree.
>
>    "Commissioned as a Second Lieutenant of Engineers in the United States
>    Army in 1981, he served over 20 years as an officer in the Army Corps of
>    Engineers. He graduated from the United States Army Command and General
>    Staff College, and holds a master's degree in Science and Technology
>    Commercialization from the University of Texas and a master's degree in
>    Computer Science from James Madison University."
>
> An un-American mole, loyal to a country and a long-time US allied government
> that he probably doesn't remember?
>
> I'm wondering whether you're related to:
>
>   http://en.wikipedia.org/wiki/George_Wallace









Re: Article on spammers and their infrastructure

2009-12-23 Thread J.D. Falk
On Dec 22, 2009, at 11:58 PM, Christopher Morrow wrote:

> On Wed, Dec 23, 2009 at 1:12 AM, Paul Ferguson  wrote:
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA1
>> 
>> Folks should not be so obtuse about these activities. It's almost blatantly
>> in-your-face, so to speak. These guys have no fear of retribution.
> 
> no real argument, but... 'please provide some set of workable solutions'
> 
> The ARIN meetings (at least) are open, please come and help guide
> policies. I'm sure RIPE also wouldn't mind a discussion, if there
> could be some positive policy outcome.

Rather than expecting anti-spam researchers to lobby at ARIN & RIPE meetings, 
perhaps ARIN & RIPE representatives could visit anti-spam meetings such as 
MAAWG to ask how they can help?

I'd be happy to make some introductions.

--
J.D. Falk 
Return Path Inc







looking for a contact at Orange

2009-12-23 Thread andrew young
If anyone has a contact at Orange or is from Orange, can you contact me 
off list. Need help with some issues originating from the EU.



--

Andrew Young
Webair Internet Development, Inc.
Phone: 1 866 WEBAIR 1  x143
http://www.webair.com
Shift hours: Tues-Friday 12PM-8PM, Sat 9AM-5PM



Re: Article on spammers and their infrastructure

2009-12-23 Thread O'Reirdan, Michael
JD

Great point, I am more than happy to have a couple of people from ARIN or
RIPE as guests at the next MAAWG in SFO or the subsequent one in Barcelona.

Mike


On 12/23/09 1:18 PM, "J.D. Falk"  wrote:

> On Dec 22, 2009, at 11:58 PM, Christopher Morrow wrote:
> 
>> > On Wed, Dec 23, 2009 at 1:12 AM, Paul Ferguson 
>> wrote:
>>> >> -BEGIN PGP SIGNED MESSAGE-
>>> >> Hash: SHA1
>>> >>
>>> >> Folks should not be so obtuse about these activities. It's almost
>>> blatantly
>>> >> in-your-face, so to speak. These guys have no fear of retribution.
>> >
>> > no real argument, but... 'please provide some set of workable solutions'
>> >
>> > The ARIN meetings (at least) are open, please come and help guide
>> > policies. I'm sure RIPE also wouldn't mind a discussion, if there
>> > could be some positive policy outcome.
> 
> Rather than expecting anti-spam researchers to lobby at ARIN & RIPE meetings,
> perhaps ARIN & RIPE representatives could visit anti-spam meetings such as
> MAAWG to ask how they can help?
> 
> I'd be happy to make some introductions.
> 
> --
> J.D. Falk 
> Return Path Inc
> 
> 
> 
> 
> 
> 



IPv6 Training

2009-12-23 Thread Marty Anstey
Greetings,

Just wondering if anyone has had any experience with IPv6 training courses.

A quick search turns up a few results on the subject, but it would be
handy to hear if anyone has any firsthand experiences or recommendations.
We're based in western Canada but don't mind traveling a bit, but
alternatively an online course would be acceptable as well.

-M





Re: IPv6 Training

2009-12-23 Thread Joel Esler
On Wed, Dec 23, 2009 at 12:00:28PM -0800, Marty Anstey wrote:
> Greetings,
> 
> Just wondering if anyone has had any experience with IPv6 training courses.
> 
> A quick search turns up a few results on the subject, but it would be
> handy to hear if anyone has any firsthand experiences or recommendations.
> We're based in western Canada but don't mind traveling a bit, but
> alternatively an online course would be acceptable as well.
> 
> -M
> 

SANS has a course that's pretty good, from what I hear.  I haven't taken it.



Revisiting the Aviation Safety vs. Networking discussion

2009-12-23 Thread Owen DeLong
Those that remember the discussion may find this article interesting:

http://abcnews.go.com/Health/wireStory?id=9394406

Owen




Re: IPv6 Training

2009-12-23 Thread Mike Leber


Marty Anstey wrote:
> Just wondering if anyone has had any experience with IPv6 training courses.
>
> A quick search turns up a few results on the subject, but it would be
> handy to hear if anyone has any firsthand experiences or recommendations.
> We're based in western Canada but don't mind traveling a bit, but
> alternatively an online course would be acceptable as well.


Once you have IPv6 connectivity established (either native IPv6 or via a 
tunnel from anybody, for example tunnelbroker.net or sixxs.net), if you 
want a self teaching procedural guide where you can set up and test 
various IPv6 services (HTTP, SMTP, reverse DNS, forward DNS, host record 
glue) then you might check out our free IPv6 certification service at:

http://ipv6.he.net/certification

It's a bit tongue in cheek and meant to be sort of like entertainment 
with education for engineers (for example the certification ranks are 
from "Newb" to "Sage").  By the time you are done, IPv6 
won't seem weird.  (In fact, you'll probably be thinking "that's it?!")

We are still adding tests and content as people suggest ideas, so if you
run through it and see a gap you'd like covered, let me know.

Alternatively, if you would like a free IPv6 Speaker/Trainer for your group 
of 30 or more people, Hurricane Electric will fly IPv6 Evangelist Owen 
DeLong to your meeting to present a tutorial on what you need to do to 
support IPv6 (for system administrators and network engineers), porting 
IPv4 programs to IPv6 (for software engineers), or another IPv6 topic 
you suggest.  If you are interested, email i...@he.net


Mike.



Re: IGMP and PIM protection

2009-12-23 Thread Anton Kapela
On Wed, Dec 23, 2009 at 10:24 AM, Stefan Fouant
 wrote:
> I think OP meant that he only wants an integrity check of the control
> traffic, not confidentiality, hence the statement that he does not want to
> encrypt the control traffic.

I read the OP to mean this, too.

Musing on the idea for a moment, it would surely be 'nice' to somehow
know that PIM v2 joins from some other network were, in fact, 'good'
or somehow well-formed, rate-limited, and/or somehow 'safe' to accept
& hold state for. However, it seems as if the OP isn't interested in
inter-domain "rp protection" -- and probably more interested in
authenticating more local igmp v2/3 joins for STB's and the like.

Glen, clarify?

-Tk



Re: [NANOG] Report on internet business

2009-12-23 Thread Scott Weeks

--- taka...@cpqd.com.br wrote:
From: "Takashi Tome" 

Morgan Stanley has released a very interesting report on internet business with 
some tips to net operators:

http://www.morganstanley.com/institutional/techresearch/mobile_internet_report122009.html
---


It must be purchased:

--
The Mobile Internet Report

To receive a printed copy of The Mobile Internet Report, please contact your 
Morgan Stanley Representative. To purchase a copy, please click here.
--

scott



Re: IPv6 Training

2009-12-23 Thread Owen DeLong

On Dec 23, 2009, at 12:00 PM, Marty Anstey wrote:

> Greetings,
> 
> Just wondering if anyone has had any experience with IPv6 training courses.
> 
> A quick search turns up a few results on the subject, but it would be
> handy to hear if anyone has any firsthand experiences or recommendations.
> We're based in western Canada but don't mind traveling a bit, but
> alternatively an online course would be acceptable as well.
> 
> -M
> 
> 

Depending on what you are looking for, check out tunnelbroker.net
and you can learn quite a bit there.

If you can be more specific about your needs, HE is actually actively
working to provide training in this area, and, we are the ISP with more
IPv6 experience than any other.

Owen




Re: [NANOG] Report on internet business

2009-12-23 Thread Richard Bennett
It's actually available for free on the World-Wide Internet at 
http://www.morganstanley.com/institutional/techresearch/pdfs/Mobile_Internet_Report_Key_Themes_Final.pdf, 
but you can purchase a paper copy if you'd rather. It's pretty slow 
going as it's mostly power points, some with lots and lots of words, but 
some of the graphs and insights are intriguing, esp. as they relate to 
the non-USA parts of the world.


The authors are pretty well convinced that the demand for more wireless 
spectrum will be handled by spectral efficiency improvements and 
deployment of more towers, they stress the importance of replacing 
copper with fiber and microwave in the middle mile, and don't think the 
telcos are doing the right things. There's a lot of discussion about how 
the wireless networks will handle voice and best-efforts at the same 
time which many will find troublesome, I suppose, but overall I'd give 
it 4 out of 5 stars.


RB

On 12/23/2009 3:01 PM, Scott Weeks wrote:
> --- taka...@cpqd.com.br wrote:
> From: "Takashi Tome"
>
> Morgan Stanley has released a very interesting report on internet business with 
> some tips to net operators:
>
> http://www.morganstanley.com/institutional/techresearch/mobile_internet_report122009.html
> ---
>
>
> It must be purchased:
>
> --
> The Mobile Internet Report
>
> To receive a printed copy of The Mobile Internet Report, please contact your 
> Morgan Stanley Representative. To purchase a copy, please click here.
> --
>
> scott

   





Re: IPv6 Training

2009-12-23 Thread Jim Burwell
On 12/23/2009 13:03, Mike Leber wrote:
>
> Marty Anstey wrote:
>> Just wondering if anyone has had any experience with IPv6 training
>> courses.
>>
>> A quick search turns up a few results on the subject, but it would be
>> handy to hear if anyone has any firsthand experiences or
>> recommendations.
>> We're based in western Canada but don't mind traveling a bit, but
>> alternatively an online course would be acceptable as well.
>
> Once you have IPv6 connectivity established (either native IPv6 or via
> a tunnel from anybody, for example tunnelbroker.net or sixxs.net), if
> you want a self teaching procedural guide where you can set up and test
> various IPv6 services (HTTP, SMTP, reverse DNS, forward DNS, host
> record glue) then you might check out our free IPv6 certification
> service at:
>
> http://ipv6.he.net/certification
>
> It's a bit tongue in cheek and meant to be sort of like entertainment
> with education for engineers (for example the certification ranks are
> from "Newb" to "Sage").  By the time you are done, IPv6
> won't seem weird.  (In fact, you'll probably be thinking "that's it?!")
>
Tongue in cheek?  You mean I'm not *really* a Sage?  :p :p

The tunnelbroker.net forum is also a good source of info/discussion
about IPv6.  It'd be nice if it was a bit more "active" though.





Re: IGMP and PIM protection

2009-12-23 Thread Glen Kent
>
> Musing on the idea for a moment, it would surely be 'nice' to somehow
> know that PIM v2 joins from some other network were, in fact, 'good'
> or somehow well-formed, rate-limited, and/or somehow 'safe' to accept
> & hold state for. However, it seems as if the OP isn't interested in
> inter-domain "rp protection" -- and probably more interested in
> authenticating more local igmp v2/3 joins for STB's and the like.

Yup, I was currently looking at the IGMP v2/v3 joins only.

Kent

>
> Glen, clarify?
>
> -Tk
>



Re: IGMP and PIM protection

2009-12-23 Thread Glen Kent
>
> I think OP meant that he only wants an integrity check of the control
> traffic, not confidentiality, hence the statement that he does not want to
> encrypt the control traffic.

Yes, that's correct.

Kent

>
> Stefan Fouant
> www.shortestpathfirst.net
> GPG Key ID: 0xB5E3803D
>
>



Re: [NANOG] Report on internet business

2009-12-23 Thread Jared Mauch

On Dec 23, 2009, at 6:11 PM, Richard Bennett wrote:

> The authors are pretty well convinced that the demand for more wireless 
> spectrum will be handled by spectral efficiency improvements and deployment 
> of more towers, they stress the importance of replacing copper with fiber and 
> microwave in the middle mile, and don't think the telcos are doing the right 
> things.

I know, watching my local incumbent they are not replacing damaged copper with 
fiber.  I think they must have warehouses of it someplace.  I can't imagine 
that it is good to replace buried copper w/copper during the wintertime.  If 
you're out doing it, might as well *actually* install fiber in the conduit.

(Unless it's about unions/job protection for the copper guys).

- Jared (not saying unions are bad, but when you operate two assets and have a 
different union for each, it can limit your potential significantly).


Re: [NANOG] Report on internet business

2009-12-23 Thread Scott Howard
On Wed, Dec 23, 2009 at 3:01 PM, Scott Weeks  wrote:

> It must be purchased:
>

Only if you want the dead-tree edition.  The others are linked below the
text you've quoted.

  Scott.


Re: [NANOG] Report on internet business

2009-12-23 Thread Richard Bennett

Maybe we need to pass some laws that ban copper wire outdoors.

On 12/23/2009 4:22 PM, Jared Mauch wrote:
> On Dec 23, 2009, at 6:11 PM, Richard Bennett wrote:
>
>> The authors are pretty well convinced that the demand for more wireless 
>> spectrum will be handled by spectral efficiency improvements and deployment of 
>> more towers, they stress the importance of replacing copper with fiber and 
>> microwave in the middle mile, and don't think the telcos are doing the right 
>> things.
>
> I know, watching my local incumbent they are not replacing damaged copper with 
> fiber.  I think they must have warehouses of it someplace.  I can't imagine 
> that it is good to replace buried copper w/copper during the wintertime.  If 
> you're out doing it, might as well *actually* install fiber in the conduit.
>
> (Unless it's about unions/job protection for the copper guys).
>
> - Jared (not saying unions are bad, but when you operate two assets and have a 
> different union for each, it can limit your potential significantly).





Re: UltraDNS Failure?

2009-12-23 Thread Shrdlu

Mark Pace wrote:
> Anyone else having problems resolving DNS from UltraDNS?
>
> I'm seeing this:
>
> $ dig www.ultradns.com @8.8.8.8


Yeah, they went belly up in the last 20 or so. Hard. Looks like it's 
hitting some of Amazon's Cloud stuff too. It seems west coast related, 
by the way.


--
Oh, mairzy doats and dozy doats and liddle lamzy divey
A kiddley divey too, wooden chu?
Three little fiddies in an iddy, bitty pooh,
Three little fiddies and a mama fiddy too...




Re: UltraDNS Failure?

2009-12-23 Thread Mark Pace

>> Anyone else having problems resolving DNS from UltraDNS?
>>
>> I'm seeing this:
>>
>> $ dig www.ultradns.com @8.8.8.8
>
> Yeah, they went belly up in the last 20 or so. Hard. Looks like it's
> hitting some of Amazon's Cloud stuff too. It seems west coast related,
> by the way.
>

On the west coast here.  They went at 4:44pm (Pacific).


pace



Re: UltraDNS Failure?

2009-12-23 Thread Mark Pace

>   
>>> Anyone else having problems resolving DNS from UltraDNS?
>>>
>>> I'm seeing this:
>>>
>>> $ dig www.ultradns.com @8.8.8.8
>>>   
>> Yeah, they went belly up in the last 20 or so. Hard. Looks like it's
>> hitting some of Amazon's Cloud stuff too. It seems west coast related,
>> by the way.
>>
>> 
> On the west coast here.  They went at 4:44pm (Pacific).
>
>   
Recovered at this point...


pace



Re: [NANOG] Report on internet business

2009-12-23 Thread Scott Weeks

--- sc...@doc.net.au wrote: --
From: Scott Howard 
On Wed, Dec 23, 2009 at 3:01 PM, Scott Weeks  wrote:

> It must be purchased:

Only if you want the dead-tree edition.  The others are linked below the
text you've quoted.
--


DOH! I blame it on Christmasits.  It's a bad disease I recently caught...  ;-)

Apologies for the confusion.  Have a great Christmas!
scott



Re: UltraDNS Failure?

2009-12-23 Thread Mark Pace
Clarification: www.ultradns.com is back.  There are still other problems
afoot, like amazon:

$ dig amazon.com @8.8.8.8

; <<>> DiG 9.6.0-P1 <<>> amazon.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 56390
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;amazon.com.  IN  A

;; Query time: 2042 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Dec 23 17:28:10 2009
;; MSG SIZE  rcvd: 28


On 12/23/2009 5:22 PM, Mark Pace wrote:
>>>> Anyone else having problems resolving DNS from UltraDNS?
>>>>
>>>> I'm seeing this:
>>>>
>>>> $ dig www.ultradns.com @8.8.8.8
>>>>
>>> Yeah, they went belly up in the last 20 or so. Hard. Looks like it's
>>> hitting some of Amazon's Cloud stuff too. It seems west coast related,
>>> by the way.
>>>
>>> 
>>>   
>> On the west coast here.  They went at 4:44pm (Pacific).
>>
>>   
>> 
> Recovered at this point...
>
>
> pace
>   


Re: UltraDNS Failure?

2009-12-23 Thread John Sage

Mark Pace wrote:
>>>> Anyone else having problems resolving DNS from UltraDNS?
>>>>
>>>> I'm seeing this:
>>>>
>>>> $ dig www.ultradns.com @8.8.8.8
>>>
>>> Yeah, they went belly up in the last 20 or so. Hard. Looks like it's
>>> hitting some of Amazon's Cloud stuff too. It seems west coast related,
>>> by the way.
>>
>> On the west coast here.  They went at 4:44pm (Pacific).
>
> Recovered at this point...


Not from Seattle WA via Comcast HSI:

js...@spunky:$ dig www.ultradns.com @8.8.8.8

; <<>> DiG 9.6.1-P2 <<>> www.ultradns.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 21733
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.ultradns.com.  IN  A

;; Query time: 65 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Dec 23 17:29:41 2009
;; MSG SIZE  rcvd: 34


Also images on my web site are not loading from s3.amazonaws.com


- John



Re: UltraDNS Failure?

2009-12-23 Thread Shrdlu
I'm still seeing the DNS servers at udns down, hard. Amazon's cloud will 
need a reboot when this is over. Dang, what the heck happened to all 
that anycast stuff?




Re: UltraDNS Failure?

2009-12-23 Thread Richard A Steenbergen
On Wed, Dec 23, 2009 at 05:38:21PM -0800, Shrdlu wrote:
> I'm still seeing the DNS servers at udns down, hard. Amazon's cloud will 
> need a reboot when this is over. Dang, what the heck happened to all 
> that anycast stuff?

We have some DNS providing type customers (not UltraDNS) receiving a few
million packets/sec of UDP/53 DoS traffic, starting at about the same
time as the UltraDNS problems. No clue if it's related, but it certainly
sounds suspicious. :)

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)



Re: UltraDNS Failure?

2009-12-23 Thread Stefan Fouant
There have been several DNS based DDoS observed throughout the day targeting 
Ultra as well as a few other companies.  They were first observed earlier in 
the morning on the East coast.

--Original Message--
From: Richard A Steenbergen
To: Shrdlu
Cc: Nanog
Subject: Re: UltraDNS Failure?
Sent: Dec 23, 2009 8:42 PM

On Wed, Dec 23, 2009 at 05:38:21PM -0800, Shrdlu wrote:
> I'm still seeing the DNS servers at udns down, hard. Amazon's cloud will 
> need a reboot when this is over. Dang, what the heck happened to all 
> that anycast stuff?

We have some DNS providing type customers (not UltraDNS) receiving a few
million packets/sec of UDP/53 DoS traffic, starting at about the same
time as the UltraDNS problems. No clue if it's related, but it certainly
sounds suspicious. :)

-- 
Richard A Steenbergen       http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)




Re: UltraDNS Failure?

2009-12-23 Thread Shrdlu

Richard A Steenbergen wrote:
> On Wed, Dec 23, 2009 at 05:38:21PM -0800, Shrdlu wrote:
>> I'm still seeing the DNS servers at udns down, hard. Amazon's cloud will
>> need a reboot when this is over. Dang, what the heck happened to all
>> that anycast stuff?
>
> We have some DNS providing type customers (not UltraDNS) receiving a few
> million packets/sec of UDP/53 DoS traffic, starting at about the same
> time as the UltraDNS problems. No clue if it's related, but it certainly
> sounds suspicious. :)


I saw close to a hundred hits on my local dns servers for one request, 
and they were mostly due to the crazy amazon cloud stuff. You looking at 
the packets?


--
Oh, mairzy doats and dozy doats and liddle lamzy divey
A kiddley divey too, wooden chu?
Three little fiddies in an iddy, bitty pooh,
Three little fiddies and a mama fiddy too...




Re: IPv6 Training

2009-12-23 Thread Martin Hannigan
Marty A.,

Not an endorsement, but Aaron Hughes ahug...@bind.com has been doing
training. I mention him because I'm aware that he has a track record,
has done some +NOG presos and is generally knowledgeable.

He's also the only person I'm aware of outside of Europe doing
training. Alternatively, I believe Jordi Palet Martinez is still an
excellent trainer as well. Jordi is easily found in your favorite
search engine. YMMV.

Best,

Marty

(Yes, deliberately posted to nanog. For archives)

-M<


On 12/23/09, Marty Anstey  wrote:
> Greetings,
>
> Just wondering if anyone has had any experience with IPv6 training courses.
>
> A quick search turns up a few results on the subject, but it would be
> handy to hear if anyone has any firsthand experiences or recommendations.
> We're based in western Canada but don't mind traveling a bit, but
> alternatively an online course would be acceptable as well.
>
> -M
>
>
>
>


-- 
Martin Hannigan   mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters and Occupants



Re: [NANOG] Roport on internet business

2009-12-23 Thread David Barak
>- Original Message 
>From: Jared Mauch 

>I know, watching my local incumbent they are not replacing damaged copper with 
>fiber.  I think they must have warehouses of it someplace.  I can't imagine 
>that it is good to replace buried copper w/copper during the wintertime.  If 
>you're out doing it, might as well *actually* install fiber in the conduit.

>(Unless it's about unions/job protection for the copper guys).

>- Jared (not saying unions are bad, but when you operate two assets and have a 
>different union for each, it can limit your potential significantly).


One of the very hard things about running a large, geographically distributed 
layer 0/1 organization is managing the various and sundry physical cables from 
point to point.  Replacing one bad span with a good span which is qualitatively 
different introduces a level of version control and management headache, and if 
done in a haphazard fashion can reduce the overall availability of the network.
I don't know who your incumbent is, but it's reasonable to assume that they 
have some strategy for cable plant management which includes overall technology 
refresh at some point, with like-for-like replacement until then.

Also, last I checked, the specs on "how to build a good layer 0/1 fiber 
infrastructure" were different than those for copper - because the capabilities 
are different, the network architecture has different optimizations available.

This doesn't mean that the provider shouldn't be moving toward a large-scale 
fiber rollout - far from it!  I just wanted to provide a reason why they might 
not want to do said rollout in a piecemeal fashion.

David Barak
Need Geek Rock? Try The Franchise: 
http://www.listentothefranchise.com


  



Re: Revisiting the Aviation Safety vs. Networking discussion

2009-12-23 Thread David Hiers
1.  I grew up at the local airport watching my CFII pop train an
endless stream of pilots.

2.  The checklist for my last production gear swap had over 400 steps
and 4 time/task gates (each with a rollback plan).  As I did each
sequence of steps, I called it out, and someone read their copy of the
checklist and checked it off.  An entire peanut gallery of rogues
watched the whole thing on livemeeting, waiting to pounce on the first
misstep or shortcut.

3.  We migrated an entire nationwide phone system in 6 hours and
nobody noticed anything.

4.  We met afterward in an after action review meeting that I
picked up in the Army.

I'm more persistent than smart, and I tell ya, if you prep well
enough, you can hand your checklist to a stoned intern and you'll have
no worries at all.


David




On Wed, Dec 23, 2009 at 12:48 PM, Owen DeLong  wrote:
> Those that remember the discussion may find this article interesting:
>
> http://abcnews.go.com/Health/wireStory?id=9394406
>
> Owen
>
>
>



Re: used hardware

2009-12-23 Thread Martin Hannigan
 www.subspacecom.com -- gear ++  Shows up @ NANOG, doesn't spam and clue.
Best,

-M<


On 12/18/09, Barrett Lyon  wrote:
> I buy a lot of gear from Peter Giberd at Townsend.  I have been
> working with him for a good 7 years.  It's budded into a friendship,
> good people there.
>
> -B
>
>
> http://www.townsendassets.com/
>
>
> On Dec 18, 2009, at 11:03 AM, Bill Lewis wrote:
>
>> http://www.networkhardware.com/ContactNHR/
>> Mostly Cisco, but I think they'll do Juniper.
>>
>> Bill
>>
>> --
>>
>> -Date: Fri, 18 Dec 2009 04:34:05 -0800
>> -From: Mehmet Akcin 
>> -Subject: used hardware..
>> -To: "nanog@nanog.org list" 
>> -Message-ID: <16e6d13c-ab9c-4ea5-8e73-59172dd28...@akcin.net>
>> -Content-Type: text/plain; charset=us-ascii
>> -Hello there..
>> -I am looking to sell and buy some used hardware, where is the best
>> place for this, other than ebay ?
>> -Mostly juniper stuff
>> -thanks in advance.
>> -Mehmet
>>
>
>
>


-- 
Martin Hannigan   mar...@theicelandguy.com
p: +16178216079
Power, Network, and Costs Consulting for Iceland Datacenters and Occupants