Re: do not filter your customers

2012-02-23 Thread Anurag Bhatia
Haha!  Funny

(Sent from my mobile device)

Anurag Bhatia
http://anuragbhatia.com
On Feb 23, 2012 12:27 PM, "Randy Bush"  wrote:

> >> and things when further downhill from there, when telstra also did not
> >> filter what they announced to their peers, and the peers went over
> >> prefix limits and dropped bgp.
> > Oh! so protections worked!
>
> imiho, prefix count is too big a hammer.
>
> it would have been better if optus had irr-based filters in place on
> peerings with telstra.  then they would not have dropped the sessions
> and their customers could still reach telstra customers.
>
> of course, if telstra did not publish accurately in an irr instance,
> not much optus could do.
>
> randy
>
>


Re: Question regarding anycasting in CDN setup

2012-02-23 Thread Anurag Bhatia
Great explanation .

Thanks everyone

(Sent from my mobile device)

Anurag Bhatia
http://anuragbhatia.com
On Feb 9, 2012 1:37 AM, "Joe Provo"  wrote:

> On Thu, Feb 09, 2012 at 01:28:07AM +0530, Anurag Bhatia wrote:
> [snip]
> > I have never done such a setup, but I assume it works as you say. I wonder
> > how it finds a US based system from IP quickly (since it's a DNS server)?
>
>
> Drop "ip geolocation" or "internet geolocation" into Your Favorite
> Search Engine. Short answer is some folks just refer to databases
> published/generated by others, some folks use DNS guesses, and some
> folks measure packet arrival. And most often, there is a combination
> of methods used.
>
> --
> RSUC / GweepNet / Spunk / FnB / Usenix / SAGE / NewNOG
>
>


RE: Cisco CAT6500 IOS Simulator

2012-02-23 Thread Carlos Asensio
Hi Hammer,

Thanks for your answer. That was pretty much what I was thinking.

Thanks to all the offers I've received off-line :).

Best regards,
Carlos.

-Original Message-
From: -Hammer- [mailto:bhmc...@gmail.com] 
Sent: Wednesday, 22 February 2012 16:56
To: nanog@nanog.org
Subject: Re: Cisco CAT6500 IOS Simulator

NO.

There is no method. Go to Ebay and buy one. Sorry. Or if you are a big 
enough customer you can ask Cisco to mock up your solution in one of 
their labs.

-Hammer-

"I was a normal American nerd"
-Jack Herer



On 2/22/2012 9:48 AM, Hank Nussbacher wrote:
> On Wed, 22 Feb 2012, Carlos Asensio wrote:
>
> Not supported:
> http://www.gns3.net/hardware-emulated/
>
> -Hank
>
>> Hi John,
>>
>> Thanks for your answer but, as far as I know, with GNS3 we can't run 
>> a CAT6500 IOS.
>>
>> Any alternative?
>>
>> Cheers,
>> Carlos.
>>
>>
>> -Original Message-
>> From: John Kreno [mailto:john.kr...@gmail.com]
>> Sent: Wednesday, 22 February 2012 15:25
>> To: Carlos Asensio
>> Subject: Re: Cisco CAT6500 IOS Simulator
>>
>> Try GNS 3
>>
>>
>> On Wed, Feb 22, 2012 at 6:53 AM, Carlos Asensio  
>> wrote:
>>> Hi there,
>>>
>>> Anyone know a way to simulate a Cisco CAT6500 IOS?
>>>
>>> We're trying to deploy a lab of our production environment.
>>>
>>> Thanks in advance,
>>> Carlos.
>>
>>
>>
>>




Re: do not filter your customers

2012-02-23 Thread Christian de Larrinaga
not just the .au govt
C
On 23 Feb 2012, at 07:54, Jay Mitchell wrote:

> I'm laughing now, but it wasn't funny a couple of hours ago. Seems a lot of 
> the .au govt needs to learn some carrier diversity...
> 
> On 23/02/2012, at 4:41 PM, Randy Bush  wrote:
> 
>> don't filter your customers.  when they leak the world to you, it will
>> get you a lot of free press and your marketing department will love you.
>> 
>> just ask telstra.
>> 
>> randy
>> 
> 




Re: Customer Notification System.

2012-02-23 Thread Rich Kulawiec
On Wed, Feb 22, 2012 at 08:34:49AM -0800, JC Dill wrote:
> 99.999% of the time there is absolutely no benefit in the
> attachment.  But by pushing customers to open attachments to get the
> content we are encouraging them to be complacent about opening all
> attachments, and that's a great way to end up getting infected with
> malware.

Spurious attachments also (like HTML markup, another email worst practice
used only by (a) people who don't know any better and (b) spammers) chew
up bandwidth, which is sadly becoming an increasingly expensive commodity
for everyone using mobile devices.  They eat space in mail spools. They
require more resources to be scanned (whether for malware, dubious URLs,
exploits, or anything else).

---rsk



Re: Most energy efficient (home) setup

2012-02-23 Thread Lamar Owen
On Wednesday, February 22, 2012 04:13:47 PM Jeroen van Aart wrote:
> Any suggestions and ideas appreciated of course. :-)

www.aleutia.com

DC-powered everything, including a 12VDC LCD monitor.  We're getting one of 
their D2 Pro dual core Atoms (they have other options for more money) for a 
solar powered telescope controller, and the specs look good. 

There is a whole market segment out there for the 'Mini ITX' crowd with DC 
power, low power budgets, and reasonable processors.  Solid State drives have 
immensely.



Re: Cisco CAT6500 IOS Simulator

2012-02-23 Thread -Hammer-
I'm sure that virtualizing the sup would be possible. But having to come 
up with all the line cards would be a nightmare. I'd love for someone 
Internal to tell me I'm wrong but until we can get a 3560 or a 3750X on 
Dynamips I wouldn't push for a 6500 or a Nexus.


-Hammer-

"I was a normal American nerd"
-Jack Herer



On 2/23/2012 3:00 AM, Carlos Asensio wrote:

Re: Most energy efficient (home) setup

2012-02-23 Thread Leo Bicknell
In a message written on Wed, Feb 22, 2012 at 01:13:47PM -0800, Jeroen van Aart 
wrote:
> After reading a number of threads where people list their huge and 
> wasteful, but undoubtedly fun (and sometimes necessary?), home setups 
> complete with dedicated rooms and aircos I felt inclined to ask who has 
> attempted to make a really energy efficient setup?

I've spent a fair amount of time working on energy efficiency at home.
While I've had a rack at my house in the distant past, the cooling
and power bill have always made me work at down sizing.  Also, as
time went by I became more obsessed with quiet fans, or in particular
fanless designs.  I hate working in a room with fan noise.

As others have pointed out, there are options these days.  Finding
a competent home router isn't hard, there are plenty of consumer,
fanless devices that can be flashed with OpenWRT or DDWRT.  I've
also used a fanless ALIX PC running a unix OS, works great.  Apple
products like the Mini and Time Capsule are great off the shelf
options for low power and fanless.  Plenty of folks make low power
home theater or car PC's as well.

The area where I think work needs to be done is home file servers.
Most of the low power computer options assume you also want a
super-small case and a disk or two.  Many Atom motherboards only
have a pair of SATA ports, a rare couple have four ports.  There
seems to be this crazy assumption that if you need 5 disks you need
mondo processor, and it's just not true.  I need 5 disks for space,
but if the box can pump it out at 100Mbps I'm more than happy for
home use.  It idles 99.99% of the time.

I'd love a low powered motherboard with 6-8 SATA, and a case with
perhaps 6 hot swap bays but designed for a low powered, fanless
motherboard.  IX Systems's FreeNAS Mini is the closest I've seen,
but it tops out at 4 drives.

But what's really missing is storage management.  RAID5 (and similar)
require all drives to be online all the time.  I'd love an intelligent
file system that could spin down drives when not in use, and even for
many workloads spin up only a portion of the drives.  It's easy to
imagine a system with a small SSD and a pair of disks.  Reads spin one
disk.  Writes go to that disk and the SSD until there are enough, which
spins up the second drive and writes them out as a proper mirror.  In a
home file server, drive motors, by the time you have 4-6 drives, eat most of the
power.  CPU's speed step down nicely, drives don't.

The cloud is great for many things, but only if you have a local copy.
I don't mind serving a web site I push from home out of the cloud, if my
cloud provider dies I get another and push the same data.  It seems like
keeping that local copy safe, secure, and fed with electricity and
cooling takes way more energy (people and electricity) than it should.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/




Re: do not filter your customers

2012-02-23 Thread Christopher Morrow
On Thu, Feb 23, 2012 at 1:57 AM, Randy Bush  wrote:
>>> and things when further downhill from there, when telstra also did not
>>> filter what they announced to their peers, and the peers went over
>>> prefix limits and dropped bgp.
>> Oh! so protections worked!
>
> imiho, prefix count is too big a hammer.

sure. aspath-filter! :)

> it would have been better if optus had irr-based filters in place on
> peerings with telstra.  then they would not have dropped the sessions
> and their customers could still reach telstra customers.

really, both parties need/should-have filters, right?
both parties should have their 'irr data' up-to-date...
both parties should also filter outbound prefixes (so they don't leak
internals, or ...etc)

telstra seems to have ~8880 or so prefixes registered in IRRs (via
radb whois lookup)
optus has ~1217 or so prefixes registered in IRRs (again via the same
lookup to radb)

> of course, if telstra did not publish accurately in an irr instance,
> not much optus could do.

it's not clear how accurate the data is :( I do see one example that's
not telstra (and which I don't see through telstra from one host I
tested from)
  203.59.57.0/24

a REACH customer, supposedly, registered by REACH on the behalf of the
customer... the whole /16 there is allocated to the same entity not
REACH though, so that's a tad confusing.

-chris
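Chris's point above, that a per-prefix IRR filter would have dropped only the leaked routes where a max-prefix limit drops the whole session, worked through as an added example that is not code from anyone in the thread. The route objects, AS numbers and announcements are constructed samples (RFC 5737 documentation prefixes, private-use ASNs), and the peer's AS-SET, the max-prefix value and the function names are assumptions for illustration.

```python
"""IRR-based prefix filter versus a bare max-prefix limit.

Added example for this thread, not code from any poster.  The route objects,
AS numbers and announcements are constructed samples (RFC 5737 documentation
prefixes, private-use ASNs), not real RADB data.
"""
import ipaddress
import re

# Constructed stand-in for what an IRRd-style inverse query such as
#   whois -h whois.radb.net -- '-i origin AS64496'
# prints, trimmed to the attributes this filter uses.  Everything is inline
# so the example runs offline.
SAMPLE_IRR_OUTPUT = """\
route:      192.0.2.0/24
descr:      peer's customer block (constructed)
origin:     AS64496
source:     RADB

route:      198.51.100.0/24
descr:      peer's infrastructure block (constructed)
origin:     AS64496
source:     RADB

route:      203.0.113.0/24
descr:      registered to a third party (constructed)
origin:     AS64511
source:     RADB
"""

# Assumed: the AS numbers this peer is expected to originate (its expanded AS-SET).
PEER_AS_SET = {64496}

# Constructed routes received on the session, as (prefix, AS path).
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", [64496]),            # registered, origin matches
    ("198.51.100.0/24", [64496]),         # registered, origin matches
    ("192.0.2.0/25", [64496]),            # more specific than any route object
    ("203.0.113.0/24", [64496, 64511]),   # a third party's route leaked via the peer
    ("198.18.0.0/15", [64496, 64500]),    # nothing registered at all
]


def parse_route_objects(text):
    """Map each registered prefix to the set of origin ASNs in its route objects."""
    registered = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            m = re.match(r"^([\w-]+):\s*(.*)$", line)
            if m:
                attrs[m.group(1).lower()] = m.group(2).strip()
        if "route" in attrs and "origin" in attrs:
            prefix = ipaddress.ip_network(attrs["route"], strict=True)
            origin = int(re.sub(r"^AS", "", attrs["origin"].upper()))
            registered.setdefault(prefix, set()).add(origin)
    return registered


def evaluate_announcements(registered, peer_as_set, announcements, max_len=24):
    """Apply the IRR filter; return (accepted prefixes, [(prefix, reason), ...])."""
    accepted, rejected = [], []
    for prefix_str, as_path in announcements:
        prefix = ipaddress.ip_network(prefix_str, strict=True)
        origin = as_path[-1]  # rightmost ASN in the path is the origin
        if prefix.prefixlen > max_len:
            rejected.append((prefix_str, "more specific than /%d" % max_len))
        elif prefix not in registered:
            rejected.append((prefix_str, "no route object for this prefix"))
        elif origin not in registered[prefix]:
            rejected.append((prefix_str, "origin AS%d does not match route object" % origin))
        elif origin not in peer_as_set:
            rejected.append((prefix_str, "origin AS%d is not in the peer's AS-SET (leak)" % origin))
        else:
            accepted.append(prefix_str)
    return accepted, rejected


def compare_protections(registered, peer_as_set, announcements, max_prefix):
    """Contrast per-prefix IRR filtering with a session-wide max-prefix limit.

    A tripped limit tears the session down, so nothing stays reachable; an
    untripped limit lets every route through, leaks included.
    """
    accepted, rejected = evaluate_announcements(registered, peer_as_set, announcements)
    tripped = len(announcements) > max_prefix
    return {
        "irr_reachable": len(accepted),
        "irr_rejected": len(rejected),
        "limit_tripped": tripped,
        "limit_reachable": 0 if tripped else len(announcements),
    }


if __name__ == "__main__":
    reg = parse_route_objects(SAMPLE_IRR_OUTPUT)
    ok, bad = evaluate_announcements(reg, PEER_AS_SET, SAMPLE_ANNOUNCEMENTS)
    print("accepted:", ok)
    for prefix, why in bad:
        print("rejected: %-18s %s" % (prefix, why))
    # Assumed max-prefix of 4 on the session: the fifth (leaked) route trips it.
    print(compare_protections(reg, PEER_AS_SET, SAMPLE_ANNOUNCEMENTS, max_prefix=4))
```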



Re: Most energy efficient (home) setup

2012-02-23 Thread Andrew Wentzell
On Thu, Feb 23, 2012 at 10:29 AM, Leo Bicknell  wrote:
> I'd love a low powered motherboard with 6-8 SATA, and a case with
> perhaps 6 hot swap bays but designed for a low powered, fanless
> motherboard.  IX Systems's FreeNAS Mini is the closest I've seen,
> but it tops out at 4 drives.

Look at Supermicro's X7SPA-H. It's an Atom board with the ICH9R
chipset, and 6 on-board SATA ports.

That one has been out for a while, so there may be something newer
available now too.



automatic bgp route refresh

2012-02-23 Thread Joe Maimon

Hey All,

I would greatly appreciate it if somebody would point me to cisco 
release notes for the change I see in 15.1 where BGP neighbor route-map 
configurations happen in real time, without needing any clearing, soft 
or otherwise.


Seems like some have also noticed this behavior recently on some other 
trains.


Much obliged.

Best,

Joe





Re: IX in France

2012-02-23 Thread virendra rode
Brings up another question to mind, how many of you have peered using
partial route transit versus having direct peering relationship at the
exchange?

I've personally run into companies during peering meetings wanting to
sell you their peering relationship (access to their routes that they've
earned through their relationship) as opposed to you wanting to
establish direct peering relationship.

This way you don't bear port fees, no colocation cost, cost of IX
membership, etc.

I understand this is not true peering relationship, however it's an
interesting way to obtain exchange point routes and I understand this is
nothing new.

Just interested in learning about your experiences.


regards,
/virendra

On 02/21/2012 08:46 AM, Ido Szargel wrote:
> Hi All,
> 
>  
> 
> We are currently looking to connect to one of the IX's available in Paris,
> 
> It seems that there are 2 "major" players - FranceIX and Equinix FR, can
> anyone share their opinions about those?
> 
>  
> 
> Thanks,
> 
> Ido
> 
>  
> 



Re: colosolutions abuse contact?

2012-02-23 Thread Chris
If all else fails, contact the uplink. Unfortunately it gets more
response. Casually mention "I tried finding a contact but was
unable so I contacted you".



On 2/22/12, Carlos Kamtha  wrote:
> Hi,
>
> I'm hoping to get a hold of an abuse contact at colosolutions.com.
>
> Any help is greatly appreciated.
>
> If so, please contact me offlist.
>
> Cheers,
> Carlos.
>
>


-- 
--C

"The dumber people think you are, the more surprised they're going to
be when you kill them." - Sir William Clayton



Re: IX in France

2012-02-23 Thread Jared Mauch

On Feb 23, 2012, at 12:39 PM, virendra rode wrote:

> I understand this is not true peering relationship, however it's an
> interesting way to obtain exchange point routes and I understand this is
> nothing new.



I've found people who use the term 'peering' to mean something different than 
what I personally interpret it to mean.

eg: "We have peering with 4 carriers at our colocation facility where you can 
place gear"

Translation: We have blended IP transit from 4 carriers, or you can directly 
connect to them as needed.

I understand why they call it this, because "I configured peering with 
Level3/Cogent" on my router, etc.  The difference is in the policy.  What 
you're speaking of is someone selling transit, which is perfectly fine over 
various IXes, you generally are prohibited from 'selling next-hop', i.e.: you 
have to bear the cost on the IX port of the forwarding.



Buying transit isn't as dirty as people think it is, sometimes it's the right 
business decision.  If you connect to an IX for $4000/mo at gig-e, you might as 
well buy transit at $4/meg on that same port IMHO.  You're unlikely to be using 
the port at 100% anyways at the IX, so your cost-per-meg there needs to 
properly reflect your 95% or whatnot.

- Jared


Re: IX in France

2012-02-23 Thread Nick Hilliard
On 23/02/2012 18:00, Jared Mauch wrote:
> Buying transit isn't as dirty as people think it is, sometimes it's the
> right business decision.  If you connect to an IX for $4000/mo at gig-e,

Anyone prepared to pay $4000/m for a gig IX connection is making the wrong
business decision.

Nick




Re: IX in France

2012-02-23 Thread virendra rode
On 02/23/2012 10:00 AM, Jared Mauch wrote:
> 
> On Feb 23, 2012, at 12:39 PM, virendra rode wrote:
> 
>> I understand this is not true peering relationship, however it's an
>> interesting way to obtain exchange point routes and I understand this is
>> nothing new.
> 
> 
--
> 
> I've found people who use the term 'peering' to mean something different than 
> what I personally interpret it to mean.
> 
> eg: "We have peering with 4 carriers at our colocation facility where you can 
> place gear"
> 
> Translation: We have blended IP transit from 4 carriers, or you can directly 
> connect to them as needed.
> 
> I understand why they call it this, because "I configured peering with 
> Level3/Cogent" on my router, etc.  The difference is in the policy.  What 
> you're speaking of is someone selling transit, which is perfectly fine over 
> various IXes, you generally are prohibited from 'selling next-hop', i.e.: you 
> have to bear the cost on the IX port of the forwarding.
> 
> 
---
Correct, I meant to say private peering as opposed to settlement-free.


> 
> Buying transit isn't as dirty as people think it is, sometimes it's the right 
> business decision.  If you connect to an IX for $4000/mo at gig-e, you might 
> as well buy transit at $4/meg on that same port IMHO.  You're unlikely to be 
> using the port at 100% anyways at the IX, so your cost-per-meg there needs to 
> properly reflect your 95% or whatnot.
> 
> - Jared
--
I understand, I'm trying to factor in cost of peering (transport,
equipment, cross-connect, colocation, equipment cost) of buying transit
vs private peering.


regards,
/virendra




Re: Customer Notification System.

2012-02-23 Thread JC Dill

On 22/02/12 6:46 PM, James Wininger wrote:

Well we would not be sending the notification in an attachment, but there are 
times when it would be nice to send a list of circuit ids (exported from 
billing system as PDF) or some other exported doc to the notification.


Nice for WHO?  There is absolutely no need to export something as simple 
as a list of circuit IDs as a pdf.  Use plain text.  Ditto for the rest 
of your exported DOCs.


When there are exceptions, when you need to include an image (sparingly, 
not because marketing thought it was a good idea to bling up all your 
emails), or a table, send in HTML with plain text.  Don't make the 
recipient start up another program to open an attachment.


jc




Re: common time-management mistake: rack & stack

2012-02-23 Thread Lamar Owen
On Wednesday, February 22, 2012 03:37:57 PM Dan Golding wrote:
> I disagree. The best model is - gasp - engineering, a profession which
> many in "networking" claim to be a part of, but few actually are. In the
> engineering world (not CS, not development - think ME and EE), there is
> a strongly defined relationship between junior and senior engineers, and
> real mentorship. 

My degree is in EE, and I spent over a decade in the field as a 'broadcast 
engineer'. Now, a 'broadcast engineer' is not a PE, and is not currently 
licensed as such, although many of the best consulting broadcast engineers do 
take the extra step and expense to get the PE license; technically, in many 
states, you're not even supposed to use the word 'engineer' in your title 
without having a PE license.

By way of background, my specialty was phased array directional AM broadcast 
systems in the 5-50 kW range, doing 'technician' things like phasor rocking, 
transmitter retubing and retuning, monitor point and radial measurements, 
transmitter installation, and tower climbing, in addition to more mathematical 
and engineering sorts of things like initial coverage and protection studies 
for pattern/power changes, measured radial ground conductivity/dielectric 
constant curve fitting/prediction contour overlap studies and models, as well 
as keeping up with FCC regulations and such.   

I left broadcasting full-time in 2003 for an IT position, as a stress-reducer 
(and it worked.).  So I say this with some experience. 

Mentoring in broadcast is still practiced by associations like the Society of 
Broadcast Engineers and others.  These days, much of this sort of thing is 
online with websites like www.thebdr.net and mailing lists like those hosted by 
broadcast.net; in this regard the network ops community isn't too dissimilar 
from the broadcast community.

Now, while in the broadcast role I had the distinct honor of having three 
fantastic personal mentors, two of whom still stay in touch, and one who died 
twenty years ago, a few years after I got started in the field.  RIP W4QA.  He 
taught me more in half an hour about phased arrays and the way they worked in 
practice than ten hours of class time could have.  Likewise, I know some old 
hands here, even if I've not physically met them, whose opinions I trust, even 
if I don't agree with them. 

> The problem with "networking" is that TOO MANY skills
> are learned on the job (poorly), rather than folks coming in with solid
> fundamentals. 

This is not limited to networking. 

The parallels between broadcast engineering and IT/networking are a little too 
close for comfort, since there are more potential mentors with weak teaching 
skills and bad misconceptions that were valid 'back in the day' than there are 
who will teach practical, working, correct ways of doing things 'today' and why 
they are done the way they are done (which can involve some history, one of my 
favorite things). 

A mentor who will teach how to think about why you are doing what you are doing 
is priceless.  A mentor who will honestly go over the pros and cons of his or 
her favorite technique and admit that it isn't the single 'correct' way to do 
something, and a mentor who will teach you how to think sideways, especially 
when things are broken, are beyond priceless.  I especially like it when a 
mentor has told me 'now, this isn't necessarily the way I'd do it, and I'm not 
really fond of it, but you *can* do this to get this result if you need to do 
so...just don't ask me to fix it later.'

And the recent thread on common misconceptions has been priceless, in my book.  
Especially due to some of the respectful disagreements.

> I blame our higher education system for being ineffectual
> in this regard. Most of the "book learning" that you refer to is not
> true theory - it's a mix of vendor prescriptions and
> overgeneralizations. In "networking", you don't learn real theory until
> you're very senior - you learn practice, first. 

Vendor-specific certifications don't help much, either, really, in the 'why' 
department.

> They also lack real licensing, which
> is a separate problem. 

Now you've stirred the pot!  In the broadcast field, SBE offers some good 
things in the line of vendor-neutral certification; in the networking field 
there are some vendor-neutral avenues, such as BiCSI for general stuff and SANS 
for security stuff.

Having said that, and going back to the broadcast example, not too long ago you 
had to have an FCC 'First Phone' to even be qualified to read a transmitter's 
meters, and every broadcast licensee (holding the station's operating license, 
that is) had to employ 'operators' holding an active First Phone to keep an eye 
on the transmitter during all operating hours, with the First Phone of every 
operator posted at the site, and even the DJ's had to have a Third Class Permit 
to run the audio board, and periodic FCC inspections were frequent.  So that's 
the extreme situ

Re: IX in France

2012-02-23 Thread Christophe Lucas

On 21.02.2012 17:46, Ido Szargel wrote:

Hi All,



We are currently looking to connect to one of the IX's available in 
Paris,


It seems that there are 2 "major" players - FranceIX and Equinix FR, 
can

anyone share their opinions about those?



Thanks,

Ido


Hi,

My former employer is connected to France-IX. I have spent time in 
peering management and the service/connectivity is good.


My two cents.

Best regards,
--
Christophe Lucas
christo...@clucas.fr



RE: Customer Notification System.

2012-02-23 Thread Vinny_Abello
Paraphrasing someone else I would encourage my competitors to send 
notifications to their customers in PDF format.

:)

-Vinny

-Original Message-
From: JC Dill [mailto:jcdill.li...@gmail.com] 
Sent: Thursday, February 23, 2012 1:44 PM
To: NANOG list
Subject: Re: Customer Notification System.

On 22/02/12 6:46 PM, James Wininger wrote:
> Well we would not be sending the notification in an attachment, but there are 
> times when it would be nice to send a list of circuit ids (exported from 
> billing system as PDF) or some other exported doc to the notification.

Nice for WHO?  There is absolutely no need to export something as simple 
as a list of circuit IDs as a pdf.  Use plain text.  Ditto for the rest 
of your exported DOCs.

When there are exceptions, when you need to include an image (sparingly, 
not because marketing thought it was a good idea to bling up all your 
emails), or a table, send in HTML with plain text.  Don't make the 
recipient start up another program to open an attachment.

jc





Re: common time-management mistake: rack & stack

2012-02-23 Thread Leo Bicknell
In a message written on Wed, Feb 22, 2012 at 12:37:57PM -0800, Dan Golding 
wrote:
> I disagree. The best model is - gasp - engineering, a profession which
> many in "networking" claim to be a part of, but few actually are. In the
> engineering world (not CS, not development - think ME and EE), there is
> a strongly defined relationship between junior and senior engineers, and
> real mentorship. The problem with "networking" is that TOO MANY skills

Actually, the differences are deeper than you suggest, and it's why
the model you suggest won't work for networking, yet.  I think
there's a chance they may in the future, although it's not a given.

There are several aspects to licensing, but one of the most important
is that the applicant knows basic rules of the profession.  In most
cases these rules are codified into law, and can be tested in a
straightforward way.  An EE doesn't go around saying "run your circuits
at 80% unless you have a 100% duty breaker" because it's a good
idea, or they like it, or their vendor told them to.  They do that
because it's part of the National Electric Code which everyone
(including non-licensed folks) is _required by law_ to follow.

Networking does not have "codes".  There's nothing to test against.
If we wanted to apply a licensed engineer model to the networking
field the first thing that would need to be developed is a set of
comprehensive codes.  Anyone who's experienced PCI (as an example
of an IT attempt at something similar to a code) and also worked
with a more established one (NEC, NFPA, etc) knows that IT isn't
even in the same ballpark yet.  I won't go into the reasons here,
I think there are many and we could discuss that for hours.

But I actually think your analogy is more misplaced because the
names do not line up.  The networking equivalent of an EE or ME is
the "Network Architect".  EE's and ME's are designers in their
professions.  They write up blueprints and plans.  This is also
what network architects do.  Think a CCDA operating as a sales
engineer.  They draw up a design but never implement it.

Network Engineers are the trades people.  We come up with really
dumb names like Network Engineer 1, 2, 3 and 4.  In a real trade
these would be apprentice, journeyman, master, supervisor.  They
take the plans and turn it into something.  In a real trade
(electrician, plumber, hvac, etc) the supervisor interacts with the
apprentice, journeyman and master, who are all working on the same
team.  The subtasks are divided according to skill.

In IT, the Network Engineer 4 thinks he only needs to talk to the
Network Engineer 3.  Everyone else is "below him".  How many companies
have Network Engineer 1's that aren't allowed to even log into many
of their network devices, or call the engineer level 3's and 4's
on the phone?  This is absurd.  Some companies even put them in
different call centers siloed away from each other so they don't
even know who to call!  This is where I think we need more mentorship
and teamwork.  When a team of electricians shows up the apprentice
does a lot of the menial work, but is also allowed to do some of
the higher level work, under strict supervision.

I think, in a sense, we agree more than disagree.  There are established
models for engineering disciplines and IT would probably do better in
many ways if it were to fall in line.  Licensed folks working in
architecture and design.  Codes to standardize and provide quality
control and safety.  Apprenticed skilled trades to implement.  What
we're arguing over here is some minor semantics of how that structure
works in IT.

HOWEVER, I am not sure it completely works.  Here's why; some
colleges have C.S. in the Arts and Sciences college, and treat how
to program more like how to write a novel than how to build a bridge.
Others have it in the Engineering college, and treat it more like
building a bridge than writing a novel.  What seems to work is a
blend in the real world, treating most IT tasks like classical
engineering doesn't work out well, nor does treating it like writing
a book.  IT isn't governed by the same hard (physical) rules as
traditional engineering, but you also can't be freely creative and
expect to come up with something that works.

I personally would like to see the industry work on the "code"
problem, which would be necessary pre-work for licensing.  I'd also
like to see trade style mentoring.  I think those can proceed in
parallel.  I'm just personally prepared for the eventuality that
IT might never fit into as rigid a framework as EE or ME.

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/




RE: common time-management mistake: rack & stack

2012-02-23 Thread Holmes,David A
The problem with using engineering as a model is that computer science 
networking theory is based upon mathematical logic and formal mathematics (for 
instance Finite State Machines, Turing Machines), and operates on what are 
essentially robotic automatons running in real time. Engineering as I have 
experienced it, operates according to construction time frames using CSI 
specifications, preliminary design reviews, and various iterations of final 
design reviews involving engineering drawings and CSI-format specification 
documents where a 6 year start-to-finish time frame is not unusual. The number 
of PEs who can operate in real time is but a fraction of all PEs, and those who 
can plan a project with a 1 week time frame, and implement the project at 3 am 
in the morning is a yet smaller fraction (and don't even think about the 
number of PEs who can get a 3 am call and must fix a broken network ASAP).

Not everyone has the ability to grasp mathematical logic, even though they have 
been able to get an engineering degree.

Engineers have no peers in the ability to build bridges, skyscrapers, and other 
large construction projects, but this ability does not transfer to computer 
science, and computer networking.

-Original Message-
From: Lamar Owen [mailto:lo...@pari.edu]
Sent: Thursday, February 23, 2012 10:59 AM
To: nanog@nanog.org
Subject: Re: common time-management mistake: rack & stack

On Wednesday, February 22, 2012 03:37:57 PM Dan Golding wrote:
> I disagree. The best model is - gasp - engineering, a profession which
> many in "networking" claim to be a part of, but few actually are. In the
> engineering world (not CS, not development - think ME and EE), there is
> a strongly defined relationship between junior and senior engineers, and
> real mentorship.

My degree is in EE, and I spent over a decade in the field as a 'broadcast 
engineer'. Now, a 'broadcast engineer' is not a PE, and is not currently 
licensed as such, although many of the best consulting broadcast engineers do 
take the extra step and expense to get the PE license; technically, in many 
states, you're not even supposed to use the word 'engineer' in your title 
without having a PE license.

By way of background, my specialty was phased array directional AM broadcast 
systems in the 5-50KW range, doing 'technician' things like phasor rocking, 
transmitter retubing and retuning, monitor point and radial measurements, 
transmitter installation, and tower climbing, in addition to more mathematical 
and engineering sorts of things like initial coverage and protection studies 
for pattern/power changes, measured radial ground conductivity/dielectric 
constant curve fitting/prediction contour overlap studies and models, as well 
as keeping up with FCC regulations and such.

I left broadcasting full-time in 2003 for an IT position, as a stress-reducer 
(and it worked.).  So I say this with some experience.

Mentoring in broadcast is still practiced by associations like the Society of 
Broadcast Engineers and others.  These days, much of this sort of thing is 
online with websites like www.thebdr.net and mailing lists like those hosted by 
broadcast.net; in this regard the network ops community isn't too dissimilar 
from the broadcast community.

Now, while in the broadcast role I had the distinct honor of having three 
fantastic personal mentors, two of whom still stay in touch, and one who died 
twenty years ago, a few years after I got started in the field.  RIP W4QA.  He 
taught me more in half an hour about phased arrays and the way they worked in 
practice than ten hours of class time could have.  Likewise, I know some old 
hands here, even if I've not physically met them, whose opinions I trust, even 
if I don't agree with them.

> The problem with "networking" is that TOO MANY skills
> are learned on the job (poorly), rather than folks coming in with solid
> fundamentals.

This is not limited to networking.

The parallels between broadcast engineering and IT/networking are a little too 
close for comfort, since there are more potential mentors with weak teaching 
skills and bad misconceptions that were valid 'back in the day' than there are 
who will teach practical, working, correct ways of doing things 'today' and why 
they are done the way they are done (which can involve some history, one of my 
favorite things).

A mentor who will teach how to think about why you are doing what you are doing 
is priceless.  A mentor who will honestly go over the pros and cons of his or 
her favorite technique and admit that it isn't the single 'correct' way to do 
something, and a mentor who will teach you how to think sideways, especially 
when things are broken, are beyond priceless.  I especially like it when a 
mentor has told me 'now, this isn't necessarily the way I'd do it, and I'm not 
really fond of it, but you *can* do this to get this result if you need to do 
so...just don't ask me to fix it later.'

And the recent th

Re: common time-management mistake: rack & stack

2012-02-23 Thread isabel dias
1- what do you mean by "Licensed folks working in architecture and design"?
 
2- You wrote "IT isn't governed by the same hard (physical) rules as
traditional engineering, but you also can't be freely creative and
expect to come up with something that works." Bollocks!
As far as I'm aware you are not showing any creative work that requires 
copyright/authoring work. Unfortunately the great majority of us are "users" of 
the system. There are different levels of users, some more clever than others.
 
The one that looks for data sets in databases is in IT and so is into 
"scripting" and CShell.
 
The sponsor is the issue. He was tasked to do so! Have you ever been employed or 
been offered employment by someone that has a lower weight than you have?
The frameworks seem to be known more and more, and still some 
face unemployment whereas others are and will always be your sponsors - think 
about the director of your local post office  :-)
 
Have you ever thought the reason why you are doing what you are doing instead 
of signing a PO?
 
Whose business is this? Do you know why you are required to have at least 
three A levels? And at least two MSc/MA? Or even maybe a PhD? Where exactly are 
you based?

From: Leo Bicknell 
To: Dan Golding  
Cc: NANOG  
Sent: Thursday, February 23, 2012 7:35 PM
Subject: Re: common time-management mistake: rack & stack

In a message written on Wed, Feb 22, 2012 at 12:37:57PM -0800, Dan Golding 
wrote:
> I disagree. The best model is - gasp - engineering, a profession which
> many in "networking" claim to be a part of, but few actually are. In the
> engineering world (not CS, not development - think ME and EE), there is
> a strongly defined relationship between junior and senior engineers, and
> real mentorship. The problem with "networking" is that TOO MANY skills

Actually, the differences are deeper than you suggest, and it's why
the model you suggest won't work for networking, yet.  I think
there's a chance they may in the future, although it's not a given.

There are several aspects to licensing, but one of the most important
is that the applicant knows basic rules of the profession.  In most
cases these rules are codified into law, and can be tested in a
straightforward way.  An EE doesn't go around saying "run your circuits
at 80% unless you have a 100% duty breaker" because it's a good
idea, or they like it, or their vendor told them to.  They do that
because it's part of the National Electric Code which everyone
(including non-licensed folks) is _required by law_ to follow.

Networking does not have "codes".  There's nothing to test against.
If we wanted to apply a licensed engineer model to the networking
field the first thing that would need to be developed is a set of
comprehensive codes.  Anyone who's experienced PCI (as an example
of an IT attempt at something similar to a code) and also worked
with a more established one (NEC, NFPA, etc) knows that IT isn't
even in the same ballpark yet.  I won't go into the reasons here,
I think there are many and we could discuss that for hours.

But I actually think your analogy is more misplaced because the
names do not line up.  The networking equivalent of an EE or ME is
the "Network Architect".  EE's and ME's are designers in their
professions.  They write up blueprints and plans.  This is also
what network architects do.  Think a CCDA operating as a sales
engineer.  They draw up a design but never implement it.

Network Engineers are the trades people.  We come up with really
dumb names like Network Engineer 1, 2, 3 and 4.  In a real trade
these would be apprentice, journeyman, master, supervisor.  They
take the plans and turn it into something.  In a real trade
(electrician, plumber, hvac, etc) the supervisor interacts with the
apprentice, journeyman and master, who are all working on the same
team.  The subtasks are divided according to skill.

In IT, the Network Engineer 4 thinks he only needs to talk to the
Network Engineer 3.  Everyone else is "below him".  How many companies
have Network Engineer 1's that aren't allowed to even log into many
of their network devices, or call the engineer level 3's and 4's
on the phone?  This is absurd.  Some companies even put them in
different call centers siloed away from each other so they don't
even know who to call!  This is where I think we need more mentorship
and teamwork.  When a team of electricians shows up the apprentice
does a lot of the menial work, but is also allowed to do some of
the higher level work, under strict supervision.

I think, in a sense, we agree more than disagree.  There are established
models for engineering disciplines and IT would probably do better in
many ways if it were to fall in line.  Licensed folks working in
architecture and design.  Codes to standardize and provide quality
control and safety.  Apprenticed skilled trades to implement.  What
we're arguing over here is some minor seman

Network Traffic Collection

2012-02-23 Thread Maverick
Hello,

I am trying to collect traffic from a pcap file and store it in
a database, but I'm really confused about how to organize it. Should I organize
it on a connection basis, flow basis, or IP basis?

It might be an effort to write a customized traffic analysis tool like
Wireshark with only the required functionality. I would really appreciate
it if someone could give me direction on the right way of organizing the data,
because right now I only see individual packets and no way of putting
them in some order.

Best,
Ali



Re: Network Traffic Collection

2012-02-23 Thread Jeroen Massar
On 2012-02-23 21:11 , Maverick wrote:
> Hello,
> 
> I am trying to collect traffic from a pcap file and store it in
> a database, but I'm really confused about how to organize it. Should I organize
> it on a connection basis, flow basis, or IP basis?
> 
> It might be an effort to write a customized traffic analysis tool like
> Wireshark with only the required functionality. I would really appreciate
> it if someone could give me direction on the right way of organizing the data,
> because right now I only see individual packets and no way of putting
> them in some order.

Does this all not completely depend on what you actually want to do with
it? You might want to start there instead of the other way around.

Greets,
 Jeroen




Re: Network Traffic Collection

2012-02-23 Thread Maverick
I want to be able to see information like how much traffic an IP sends
over a period of time, what machines it talked to, etc. From this
perspective it should be IP based, but I would really like to know how
other people do it.

Best,
Ali

On Thu, Feb 23, 2012 at 3:14 PM, Jeroen Massar  wrote:
> On 2012-02-23 21:11 , Maverick wrote:
>> Hello,
>>
>> I am trying to collect traffic from a pcap file and store it in
>> a database, but I'm really confused about how to organize it. Should I organize
>> it on a connection basis, flow basis, or IP basis?
>>
>> It might be an effort to write a customized traffic analysis tool like
>> Wireshark with only the required functionality. I would really appreciate
>> it if someone could give me direction on the right way of organizing the data,
>> because right now I only see individual packets and no way of putting
>> them in some order.
>
> Does this all not completely depend on what you actually want to do with
> it? You might want to start there instead of the other way around.
>
> Greets,
>  Jeroen
>
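
The flow-keyed organisation the replies point at (the Netflow/argus style: aggregate per 5-tuple, then query per IP) as an added example, not code from any poster: it reads a classic pcap with only the standard library, folds packets into flows in SQLite, and answers the two questions asked above (bytes an IP sent in a time window, and who it talked to). The pcap bytes, addresses and timestamps are constructed for the example; only little-endian Ethernet pcap with IPv4 TCP/UDP is handled.

```python
import socket
import sqlite3
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17

def iter_pcap_records(data):
    """Yield (timestamp, frame_bytes) for each record of a classic pcap file."""
    magic, _vmaj, _vmin, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("only little-endian Ethernet pcap is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def parse_packet(frame):
    """Return (src, dst, proto, sport, dport, ip_total_len) for IPv4, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None                      # ARP, IPv6, ...: not handled in this example
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    sport = dport = 0                    # ports only meaningful for TCP/UDP
    l4 = 14 + ihl
    if proto in (PROTO_TCP, PROTO_UDP) and len(frame) >= l4 + 4:
        sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return src, dst, proto, sport, dport, total_len

def open_db():
    """In-memory SQLite store with one row per unidirectional 5-tuple flow."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE flows (src TEXT, dst TEXT, proto INTEGER, sport INTEGER,
        dport INTEGER, packets INTEGER, bytes INTEGER, first_ts REAL, last_ts REAL)""")
    return conn

def load_pcap_into_db(data, conn):
    """Aggregate packets into 5-tuple flows and insert them; returns the flow count."""
    flows = {}
    for ts, frame in iter_pcap_records(data):
        parsed = parse_packet(frame)
        if parsed is None:
            continue
        src, dst, proto, sport, dport, ip_len = parsed
        f = flows.setdefault((src, dst, proto, sport, dport),
                             {"pkts": 0, "bytes": 0, "first": ts, "last": ts})
        f["pkts"] += 1
        f["bytes"] += ip_len             # IP total length, i.e. without the Ethernet header
        f["last"] = max(f["last"], ts)
    conn.executemany("INSERT INTO flows VALUES (?,?,?,?,?,?,?,?,?)",
                     [(*k, v["pkts"], v["bytes"], v["first"], v["last"])
                      for k, v in flows.items()])
    conn.commit()
    return len(flows)

def bytes_sent_by(conn, ip, start_ts, end_ts):
    """Bytes sent by ip in flows that began within [start_ts, end_ts]."""
    row = conn.execute("SELECT COALESCE(SUM(bytes), 0) FROM flows "
                       "WHERE src = ? AND first_ts BETWEEN ? AND ?",
                       (ip, start_ts, end_ts)).fetchone()
    return row[0]

def peers_of(conn, ip):
    """Every address ip exchanged packets with, in either direction."""
    rows = conn.execute("SELECT dst FROM flows WHERE src = ? "
                        "UNION SELECT src FROM flows WHERE dst = ?", (ip, ip)).fetchall()
    return sorted(r[0] for r in rows)

# --- Constructed sample capture (not a real trace) ---------------------------
def build_frame(src, dst, proto, sport, dport, payload_len):
    """Ethernet/IPv4/TCP-or-UDP frame with zeroed MACs, checksums and payload."""
    l4_len = 20 if proto == PROTO_TCP else 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len + payload_len, 0, 0, 64,
                     proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (l4_len - 4)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4 + b"\x00" * payload_len

def build_pcap(records):
    """records: iterable of (ts_sec, frame); returns classic pcap bytes."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in records:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

SAMPLE_PCAP = build_pcap([
    (1330000000, build_frame("192.0.2.10", "198.51.100.5", PROTO_TCP, 40000, 80, 100)),
    (1330000001, build_frame("198.51.100.5", "192.0.2.10", PROTO_TCP, 80, 40000, 1400)),
    (1330000002, build_frame("192.0.2.10", "198.51.100.5", PROTO_TCP, 40000, 80, 100)),
    (1330000060, build_frame("192.0.2.10", "203.0.113.53", PROTO_UDP, 5353, 53, 40)),
])
```

Calling `load_pcap_into_db(SAMPLE_PCAP, open_db())` yields three flows; the same schema is what a per-IP report (bytes per window, peer list) is then built from, which is the IP-based view without discarding the connection detail.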



RE: Network Traffic Collection

2012-02-23 Thread Matlock, Kenneth L
Netflow + netflow collector.

Ken Matlock
Network Analyst
Systems and Technology Service Center
Sisters of Charity of Leavenworth Health System 
12600 W. Colfax, Suite A-500
Lakewood, CO 80215
 
303-467-4671
matlo...@exempla.org
 
-Original Message-
From: Maverick [mailto:myeaddr...@gmail.com] 
Sent: Thursday, February 23, 2012 1:19 PM
To: Jeroen Massar
Cc: nanog@nanog.org
Subject: Re: Network Traffic Collection

I want to be able to see information like how much traffic an IP sends over a 
period of time, what machines it talked to, etc. From this perspective it should 
be IP based, but I would really like to know how other people do it.

Best,
Ali

On Thu, Feb 23, 2012 at 3:14 PM, Jeroen Massar  wrote:
> On 2012-02-23 21:11 , Maverick wrote:
>> Hello,
>>
>> I am trying to collect traffic from a pcap file and store it in 
>> a database, but I'm really confused about how to organize it. Should I organize 
>> it on a connection basis, flow basis, or IP basis?
>>
>> It might be an effort to write a customized traffic analysis tool 
>> like Wireshark with only the required functionality. I would really 
>> appreciate it if someone could give me direction on the right way of 
>> organizing the data, because right now I only see individual packets 
>> and no way of putting them in some order.
>
> Does this all not completely depend on what you actually want to do 
> with it? You might want to start there instead of the other way around.
>
> Greets,
>  Jeroen
>





Re: Network Traffic Collection

2012-02-23 Thread Suresh Rajagopalan
On Thu, Feb 23, 2012 at 12:19 PM, Maverick  wrote:
> I want to be able to see information like how much traffic an IP sends
> over a period of time, what machines it talked to, etc. From this
> perspective it should be IP based, but I would really like to know how
> other people do it.
>


Run argus on a span port.

-Suresh



Re: Network Traffic Collection

2012-02-23 Thread Mike Lyon
Random thought, anyone ever used Splunk for this kind of thing?

-mike

Sent from my iPhone

On Feb 23, 2012, at 10:30, Suresh Rajagopalan  wrote:

> On Thu, Feb 23, 2012 at 12:19 PM, Maverick  wrote:
>> I want to be able to see information like how much traffic an IP sends
>> over a period of time, what machines it talked to, etc. From this
>> perspective it should be IP based, but I would really like to know how
>> other people do it.
>>
>
>
> Run argus on a span port.
>
> -Suresh
>



Re: do not filter your customers

2012-02-23 Thread virendra rode
Speaking of leaking the world, I remember one of our transit peers during
their nightly maintenance decided they needed people to talk to, so they
decided to share some love by passing ~ 350k routes causing a meltdown.

As a lesson learned, we included a combination of prefix-list &
maximum-prefix filters as part of our config script.

When the hard limit hits a certain percentage, we get alerted that the
neighbor is approaching the limit.


regards,
/virendra

On 02/22/2012 09:41 PM, Randy Bush wrote:
> don't filter your customers.  when they leak the world to you, it will
> get you a lot of free press and your marketing department will love you.
> 
> just ask telstra.
> 
> randy
> 
> 



Re: Network Traffic Collection

2012-02-23 Thread Jason Lixfeld
Splunk is an amazing tool and did an awesome thing and introduced a free 
license in 4.3.

I'm using it at two sites now and I'm loving it!

On 2012-02-23, at 3:34 PM, Mike Lyon wrote:

> Random thought, anyone ever used Splunk for this kind of thing?
> 
> -mike
> 
> Sent from my iPhone
> 
> On Feb 23, 2012, at 10:30, Suresh Rajagopalan  wrote:
> 
>> On Thu, Feb 23, 2012 at 12:19 PM, Maverick  wrote:
>>> I want to be able to see information like how much traffic an IP sends
>>> over a period of time, what machines it talked to, etc. From this
>>> perspective it should be IP based, but I would really like to know how
>>> other people do it.
>>> 
>> 
>> 
>> Run argus on a span port.
>> 
>> -Suresh
>> 
> 




Re: Network Traffic Collection

2012-02-23 Thread Jeroen Massar
On 2012-02-23 21:34 , Mike Lyon wrote:
> Random thought, anyone ever used Splunk for this kind of thing?

Various folks have, the problem of course comes down to processing
power, thus you'll need to throw a lot of hardware against it to be able
to process traffic in a decent network.

Check http://www.raffy.ch/ and http://pixlcloud.com/ etc for more
details about this.

Greets,
 Jeroen



Re: Network Traffic Collection

2012-02-23 Thread Mike Lyon
Run it with hadoop in EC2?

Sent from my iPhone

On Feb 23, 2012, at 10:52, Jeroen Massar  wrote:

> On 2012-02-23 21:34 , Mike Lyon wrote:
>> Random thought, anyone ever used Splunk for this kind of thing?
>
> Various folks have, the problem of course comes down to processing
> power, thus you'll need to throw a lot of hardware against it to be able
> to process traffic in a decent network.
>
> Check http://www.raffy.ch/ and http://pixlcloud.com/ etc for more
> details about this.
>
> Greets,
> Jeroen



Re: Most energy efficient (home) setup

2012-02-23 Thread Joe Greco
> I've spent a fair amount of time working on energy efficiency at home.
> While I've had a rack at my house in the distant past, the cooling
> and power bill have always made me work at down sizing.  Also, as
> time went by I became more obsessed with quiet fans, or in particular
> fanless designs.  I hate working in a room with fan noise.

So, good group to ask, probably...  anyone have suggestions for a low-
noise, low-power GigE switch in the 24-port range ... managed, with SFP?
That doesn't require constant rebooting?

I'm sure I'll get laughed at for saying we like the Dell 5324.  It's a
competent switch that we've had good luck with for half a decade.  The
RPS is noisy as heck, though, and overall consumption is something like
maybe 80 watts per switch (incl RPS).

> The area where I think work needs to be done is home file servers.
> Most of the low power computer options assume you also want a
> super-small case and a disk or two.  Many Atom motherboards only
> have a pair of SATA ports, a rare couple have four ports.  There
> seems to be this crazy assumption that if you need 5 disks you need
> mondo processor, and it's just not true.  I need 5 disks for space,
> but if the box can pump it out at 100Mbps I'm more than happy for
> home use.  It idles 99.99% of the time.
> 
> I'd love a low powered motherboard with 6-8 SATA, and a case with
> perhaps 6 hot swap bays but designed for a low powered, fanless
> motherboard.  IX Systems's FreeNAS Mini is the closest I've seen,
> but it tops out at 4 drives.
> 
> But what's really missing is storage management.  RAID5 (and similar)
> require all drives to be online all the time.  I'd love an intelligent
> file system that could spin down drives when not in use, and even for
> many workloads spin up only a portion of the drives.  It's easy to
> imagine a system with a small SSD and a pair of disks.  Reads spin one
> disk.  Writes go to that disk and the SSD until there are enough, which
> spins up the second drive and writes them out as a proper mirror.  In a
> home file server drive motors, by the time you have 4-6 drives, eat most of the
> power.  CPU's speed step down nicely, drives don't.

FreeNAS can cope with ATA idle spindowns.  You don't need to have all the
drives spun up all the time.  But it's a lot more dumb than it maybe could
be.  What do you consider a reasonable power budget to be?

> The cloud is great for many things, but only if you have a local copy.
> I don't mind serving a web site I push from home out of the cloud, if my
> cloud provider dies I get another and push the same data.  It seems like
> keeping that local copy safe, secure, and fed with electricity and
> cooling takes way more energy (people and electricity) than it should.

Quite frankly, and I'm going to get some flak for saying this I bet, I am
very disappointed at how poorly the Internet community and related vendors
have been at making useful software, hardware, and services that mere 
mortals can use that do not also marry them to some significant gotchas 
(or their own proprietary platforms and/or services). Part of the reason 
that people wish to outsource their problems is because it hasn't been
made easy to handle them yourself.

Look at e-mail service as just one example.  What the average user wants
is to be able to get and send e-mail.  Think of how much effort it is to
set up an e-mail system, with spam filtering, a web frontend, and all the
other little things.  I've been building e-mail services on the Internet
for more than a quarter of a century, and as far as I can tell, it has
not gotten easier - it's gotten worse.  Most people just concede defeat
without even trying at this point, point their domains at Gmail, and let
someone else handle it.

What about services like Flickr?  We've completely failed at providing
strategies for users to retain their pictures locally without putting
them at risk.  By that, I mean that Microsoft (for example) has made it 
nice and easy for users to pull their digital photos off their cameras, 
but has failed to impress upon users that their computers are not 
redundant or reliable, and then when a hard drive fails, years worth
of pictures vanish in a moment.  So that frustrates users, who then go
to services like Flickr, upload their content there, and their data lies
on a server somewhere, awaiting the day the business implodes, or gets
T-Mo Sidekick'ed, or whatever.

This frustrates me, seeing as how we've had so much time in which this
stuff could have been made significantly more usable and useful...

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.



Re: Network Traffic Collection

2012-02-23 Thread Justin M. Streiner

On Thu, 23 Feb 2012, Maverick wrote:

> I want to be able to see information like how much traffic an IP sends
> over a period of time, what machines it talked to, etc. From this
> perspective it should be IP based, but I would really like to know how
> other people do it.

Truth is that most people probably don't do it, beyond temporary, ad-hoc 
deployments, to solve a specific problem at a specific point in time. 
Traffic capture and analysis doesn't scale too well into multi-Gb/s 
service provider environments.

Netflow tools are an option if 'reasonably accurate' is good enough for 
your needs.

jms



Botnet Traffic

2012-02-23 Thread James Smith
Hello,

Can anyone on this list provide botnet network traffic for analysis, or Ip’s 
which have been infected.
-- 
Sincerely;


James Smith
CEO, CEH, Security Analyst
Email: ja...@smithwaysecurity.com
Phone: 1877-760-1953
Website: www.SmithwaySecurity.com




Re: Most energy efficient (home) setup

2012-02-23 Thread Lamar Owen
On Thursday, February 23, 2012 04:53:06 PM Joe Greco wrote:
> So, good group to ask, probably...  anyone have suggestions for a low-
> noise, low-power GigE switch in the 24-port range ... managed, with SFP?
> That doesn't require constant rebooting?

I can't comment to the rebooting, but a couple of years ago I looked at the 
Allied-Telesis AT-9000-28SP, which is a smack steeply priced (~$1,500) but has 
flexible optics and is managed.  And at ~35 watts is the lowest powered managed 
gigabit switch I was able to find for our solar powered telescopes.  The grant 
that was going to fund that fell through, so I'm still running the 90W+ 
Catalyst 2900XL with two 1000Base-X modules and 24 10/100 ports instead, but 
the AT unit looked pretty good as a pretty much direct replacement with extra 
bandwidth.



Re: Botnet Traffic

2012-02-23 Thread Darius Jahandarie
On Thu, Feb 23, 2012 at 17:17, James Smith  wrote:
> Can anyone on this list provide botnet network traffic for analysis, or Ip’s 
> which have been infected.

Have you considered contacting Team Cymru or Shadowserver? As far as I
know, they are the two major groups who collect this sort of
information on a non-local scale. I believe Team Cymru at least has
someone who follows NANOG..

The largest issue here is going to be trust -- it is highly unlikely
you're just going to get huge dumps of useful information, especially if
your intentions are for-profit.


Best of luck.

-- 
Darius Jahandarie



Re: Botnet Traffic

2012-02-23 Thread John Kristoff
On Thu, 23 Feb 2012 18:17:38 -0400
"James Smith"  wrote:

> Can anyone on this list provide botnet network traffic for analysis,
> or Ip’s which have been infected.

Hi James,

Normally few people are going to be unwilling to provide such a thing,
at least for live or recently active botnets to the general public.  In
essence, few people like to spread that sort of dirty laundry around to
anyone who comes asking in a public forum.

However, there is some public data available in various locations.  For
instance, the Dragon Research Group (DRG) provides some public data it
sees on the well known HTTP, VNC and SSH ports.  The SSH report is
primarily compiled from random SSH brute force spreading worms.

  

Note, I'm one of the DRG volunteers.

You can browse around the SANS ISC reports and get an idea of what they
see from various hosts and networks too.

  

I'm not involved with that organization.

Lenny Zeltser has a page detailing where you might get some sample
malware to research:

  

There are likely many other sources of info if you dig around,
but you may be better off asking in another forum where security,
rather than networking is the major theme.  Feel free to contact me off
list and I'll see if I can help introduce you to the appropriate venues.

John



Re: Botnet Traffic

2012-02-23 Thread James Smith

Thank you, this will be helpful.

-Original Message- 
From: Darius Jahandarie

Sent: Thursday, February 23, 2012 6:26 PM
To: James Smith
Cc: nanog@nanog.org
Subject: Re: Botnet Traffic

On Thu, Feb 23, 2012 at 17:17, James Smith wrote:
> Can anyone on this list provide botnet network traffic for analysis, or Ip’s 
> which have been infected.


Have you considered contacting Team Cymru or Shadowserver? As far as I
know, they are the two major groups who collect this sort of
information on a non-local scale. I believe Team Cymru at least has
someone who follows NANOG..

The largest issue here is going to be trust -- it is highly unlikely
you're just going to get huge dumps of useful information, especially if
your intentions are for-profit.


Best of luck.

--
Darius Jahandarie 





Re: Network Traffic Collection

2012-02-23 Thread Scott Weeks


--- myeaddr...@gmail.com wrote: --
From: Maverick 

>> It might be an effort to write a customized traffic analysis tool like
>> wireshark with only required functionality. I would really appreciate


I want to be able to see information like how much traffic an IP sends
over a period of time, what machines it talked to, etc. From this
perspective it should be IP based, but I would really like to know how
other people do it.
-


Wouldn't Wireshark provide this for you?  In particular, the "Conversations" 
tool under the "Statistics" drop down menu?  It adds data to the tool in 
real time.  If you want a graphical output the I/O graphs also under the
"Statistics" menu can graph all, or slices of the data in the main 
Wireshark output.

scott



RE: colosolutions abuse contact?

2012-02-23 Thread Ed S. Nuckols
I apologize for the late reply, we were having an email issue causing mail to 
be queued instead of delivered.  This appears to be irc (efnet channel drama 
related), but it has been tended to regardless.  For reference, my arin POC 
(which is attached to our IP space) also has my direct office number on it, and 
typically abuse@/support@ are checked rather often.  We are also listed at 
http://www.nls.net/noc/, which seems a rather handy tool (although I have no 
idea how up to date it's kept). 

Thanks much,

Ed Nuckols
Colo Solutions


-Original Message-
From: Chris [mailto:cal...@gmail.com] 
Sent: Thursday, February 23, 2012 12:45 PM
To: NANOG list
Subject: Re: colosolutions abuse contact?

If all else fails, contact the uplink. Unfortunately it gets more
response and casually mention "I tried finding a contact but was
unable so I contacted you"



On 2/22/12, Carlos Kamtha  wrote:
> Hi,
>
> I'm hoping to get a hold of an abuse contact at colosolutions.com.
>
> Any help is greatly appreciated.
>
> If so, please contact me offlist.
>
> Cheers,
> Carlos.
>
>


-- 
--C

"The dumber people think you are, the more surprised they're going to
be when you kill them." - Sir William Clayton




Re: Network Traffic Collection

2012-02-23 Thread Carlos Alcantar
Netflow / Sflow with one of the following software packages

http://www.plixer.com/products/netflow-sflow/scrutinizer-netflow-sflow.php
http://www.solarwinds.com/NetFlow
http://www.arbornetworks.com/

Or the handful of other open source options out there.



Carlos Alcantar
Race Communications / Race Team Member
101 Haskins Way, So. San Francisco, CA. 94080
Phone: +1 415 376 3314 / car...@race.com / http://www.race.com





-Original Message-
From: Maverick 
Date: Thu, 23 Feb 2012 15:19:24 -0500
To: Jeroen Massar 
Cc: "nanog@nanog.org" 
Subject: Re: Network Traffic Collection

I want to be able to see information like how much traffic an IP sends
over a period of time, what machines it talked to, etc. From this
perspective it should be IP based, but I would really like to know how
other people do it.

Best,
Ali

On Thu, Feb 23, 2012 at 3:14 PM, Jeroen Massar  wrote:
> On 2012-02-23 21:11 , Maverick wrote:
>> Hello,
>>
>> I am trying to collect traffic from a pcap file and store it in
>> a database, but I'm really confused about how to organize it. Should I organize
>> it on a connection basis, flow basis, or IP basis?
>>
>> It might be an effort to write a customized traffic analysis tool like
>> Wireshark with only the required functionality. I would really appreciate
>> it if someone could give me direction on the right way of organizing the data,
>> because right now I only see individual packets and no way of putting
>> them in some order.
>
> Does this all not completely depend on what you actually want to do with
> it? You might want to start there instead of the other way around.
>
> Greets,
>  Jeroen
>






Re: Network Traffic Collection

2012-02-23 Thread Peter Phaal
On Thu, Feb 23, 2012 at 1:59 PM, Justin M. Streiner
 wrote:
> On Thu, 23 Feb 2012, Maverick wrote:
>
>> I want to be able to see information like how much traffic an IP sends
>> over a period of time, what machines it talked to, etc. From this
>> perspective it should be IP based, but I would really like to know how
>> other people do it.
>
>
> Truth is that most people probably don't do it, beyond temporary, ad-hoc
> deployments, to solve a specific problem at a specific point in time.
> Traffic capture and analysis doesn't scale too well into multi-Gb/s service
> provider environments.
>
> Netflow tools are an option if 'reasonably accurate' is good enough for your
> needs.
>
> jms
>

For high speed switched Ethernet environments, consider using sFlow.

You can treat sFlow as remote packet capture and use Wireshark/tcpdump
for troubleshooting network traffic:

http://blog.sflow.com/2011/11/wireshark.html

Or use sFlow reporting tools to find IP sources, protocols etc.:

http://sflow.org/products/collectors.php

Which tool to choose depends on your requirements.



Re: Most energy efficient (home) setup

2012-02-23 Thread Randy Carpenter

I like the Juniper EX2200C switches. They are only 12-port, but have 2 SFPs. 
They are very low power, and have no fans.

However, I am still waiting (it has been several months) for them to send me 
the correct rack mount brackets (which are a separate purchase).


-Randy

--
| Randy Carpenter
| Vice President - IT Services
| Red Hat Certified Engineer
| First Network Group, Inc.
| (800)578-6381, Opt. 1


- Original Message -
> On Thursday, February 23, 2012 04:53:06 PM Joe Greco wrote:
> > So, good group to ask, probably...  anyone have suggestions for a
> > low-
> > noise, low-power GigE switch in the 24-port range ... managed, with
> > SFP?
> > That doesn't require constant rebooting?
> 
> I can't comment to the rebooting, but a couple of years ago I looked
> at the Allied-Telesis AT-9000-28SP, which is a smack steeply priced
> (~$1,500) but has flexible optics and is managed.  And at ~35 watts
> is the lowest powered managed gigabit switch I was able to find for
> our solar powered telescopes.  The grant that was going to fund that
> fell through, so I'm still running the 90W+ Catalyst 2900XL with two
> 1000Base-X modules and 24 10/100 ports instead, but the AT unit
> looked pretty good as a pretty much direct replacement with extra
> bandwidth.
> 
> 
> 



Re: Network Traffic Collection

2012-02-23 Thread Owen DeLong
PCAP is not well suited to what you describe. Most people use Sflow/Cflow/...
instead.

Owen

On Feb 23, 2012, at 12:19 PM, Maverick wrote:

> I want to be able to see information like how much traffic an ip send
> over a period of time, what machines it talked to etc from this
> perspective it should be IP based but I would really like to know how
> other people do it.
> 
> Best,
> Ali
> 
> On Thu, Feb 23, 2012 at 3:14 PM, Jeroen Massar  wrote:
>> On 2012-02-23 21:11 , Maverick wrote:
>>> Hello,
>>> 
>>> I am trying to collect traffic from a pcap file and store it in
>>> a database but really confused how to organize it. Should I organize
>>> it on connection basis/ flow basis or IP basis.
>>> 
>>> It might be an effort to write a customized traffic analysis tool like
>>> wireshark with only required functionality. I would really appreciate
>> if someone can give me direction on the right way of organizing the data
>>> because right now I only see individual packets and no way of putting
>>> them in some order.
>> 
>> Does this all not completely depend on what you actually want to do with
>> it? You might want to start there instead of the other way around.
>> 
>> Greets,
>>  Jeroen
>> 


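The question in this thread is how to organize captured traffic so you can answer "how much did this IP send over a period, and to whom", and the replies point at flow records (sFlow/NetFlow) rather than raw packets. The following is an added example, not code from any poster, showing the same roll-up done offline from raw Ethernet/IPv4 frames: packets are keyed into unidirectional 5-tuple flows, flows are rolled up to a per-host view, and bytes are bucketed by time. The frames at the bottom are constructed for the example, not taken from a real capture.

```python
"""Added example: roll raw Ethernet/IPv4 frames up into flows and per-host totals.
Sample frames below are constructed, not from a real pcap."""
import socket
import struct
from collections import defaultdict
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


@dataclass(frozen=True)
class FlowKey:
    """Unidirectional 5-tuple: the usual unit for flow-based storage."""
    src: str
    dst: str
    proto: int
    sport: int
    dport: int


def parse_frame(frame):
    """Return (FlowKey, ip_total_length) for an Ethernet/IPv4 frame, else None."""
    if len(frame) < 34:  # 14-byte Ethernet + 20-byte minimal IPv4 header
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None  # ARP, IPv6, etc. are ignored in this example
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]  # counts IP header + payload
    proto = ip[9]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport = dport = 0
    l4 = ip[ihl:]
    if proto in (PROTO_TCP, PROTO_UDP) and len(l4) >= 4:
        sport, dport = struct.unpack("!HH", l4[:4])
    return FlowKey(src, dst, proto, sport, dport), total_len


def aggregate_flows(records):
    """records: iterable of (timestamp, frame). Returns {FlowKey: stats dict}."""
    flows = {}
    for ts, frame in records:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        key, nbytes = parsed
        st = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": ts, "last": ts})
        st["packets"] += 1
        st["bytes"] += nbytes
        st["first"], st["last"] = min(st["first"], ts), max(st["last"], ts)
    return flows


def per_ip_summary(flows):
    """Per-host view: bytes sent, bytes received, and the set of peers talked to."""
    hosts = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "peers": set()})
    for key, st in flows.items():
        hosts[key.src]["bytes_out"] += st["bytes"]
        hosts[key.src]["peers"].add(key.dst)
        hosts[key.dst]["bytes_in"] += st["bytes"]
        hosts[key.dst]["peers"].add(key.src)
    return dict(hosts)


def bytes_sent_per_bucket(records, bucket_seconds=60):
    """{(src_ip, bucket_start): bytes}: the 'how much did X send, and when' view."""
    series = defaultdict(int)
    for ts, frame in records:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        key, nbytes = parsed
        series[(key.src, int(ts) - int(ts) % bucket_seconds)] += nbytes
    return dict(series)


def build_frame(src, dst, proto, sport, dport, payload_len):
    """Construct a minimal Ethernet/IPv4/{TCP,UDP} frame for the sample data."""
    l4_hdr_len = 20 if proto == PROTO_TCP else 8
    total_len = 20 + l4_hdr_len + payload_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    l4 = struct.pack("!HH", sport, dport) + b"\x00" * (l4_hdr_len - 4)
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + l4 + b"\x00" * payload_len


# Constructed sample "capture": one short web exchange, then a DNS query 90 s later.
SAMPLE_RECORDS = [
    (1000.0, build_frame("10.0.0.5", "192.0.2.10", PROTO_TCP, 40000, 80, 500)),
    (1001.0, build_frame("192.0.2.10", "10.0.0.5", PROTO_TCP, 80, 40000, 1400)),
    (1002.0, build_frame("10.0.0.5", "192.0.2.10", PROTO_TCP, 40000, 80, 60)),
    (1090.0, build_frame("10.0.0.5", "192.0.2.53", PROTO_UDP, 53000, 53, 40)),
]

if __name__ == "__main__":
    flows = aggregate_flows(SAMPLE_RECORDS)
    print(per_ip_summary(flows))
    print(bytes_sent_per_bucket(SAMPLE_RECORDS))
```

Storing the flow records (the `FlowKey` plus packets, bytes, first and last seen) is what scales; the per-IP and per-bucket views are cheap derivations from them, which is why the flow basis is the usual choice over raw packets or a per-IP table.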


Re: do not filter your customers

2012-02-23 Thread Danny McPherson

On Feb 23, 2012, at 1:44 AM, Randy Bush wrote:

> a customer leaked a full table to smellstra, and they had not filtered.
> hence the $subject.

Ahh, this is I think the customer "leak" problem I'm trying to illustrate 
that an RPKI/BGPSEC-enabled world alone (as currently prescribed) 
does NOT protect against.  

If it can happen by accident, it can certainly serve as smoke screen or
enable an actual targeted attack quite nicely by those so compelled.

> and things went further downhill from there, when telstra also did not
> filter what they announced to their peers, and the peers went over
> prefix limits and dropped bgp.

Prefix limits are rather binary and indiscriminate, indeed.

-danny



Re: do not filter your customers

2012-02-23 Thread Randy Bush
>> a customer leaked a full table to smellstra, and they had not filtered.
>> hence the $subject.
> 
> Ahh, this is I think the customer "leak" problem I'm trying to illustrate 
> that an RPKI/BGPSEC-enabled world alone (as currently prescribed) 
> does NOT protect against.  

the problem is that you have yet to rigorously define it and how to
unambiguously and rigorously detect it.  lack of that will prevent
anyone from helping you prevent it.

randy



Re: Cisco CAT6500 IOS Simulator

2012-02-23 Thread Bruce Pinsky
-Hammer- wrote:
> I'm sure that virtualizing the sup would be possible. But having to come up
> with all the line cards would be a nightmare. I'd love for someone Internal
> to tell me I'm wrong but until we can get a 3560 or a 3750X on Dynamips I
> wouldn't push for a 6500 or a Nexus.
> 

What functionality of the 6500 are you looking for?  If you want hardware
specifics like QoS queues and such, that is unlikely.  If you are looking
for platform independent things like spanning tree, port channels, layer 3
functionality, etc, there may be a solution forthcoming from Cisco.

-- 
bep




Re: do not filter your customers

2012-02-23 Thread Dobbins, Roland

On Feb 24, 2012, at 9:00 AM, Danny McPherson wrote:

> Prefix limits are rather binary and indiscriminate, indeed.

AS-PATH filters and max-length filters, OTOH, are not.

Also, it's important that network operators understand that flap-dampening has 
been iatrogenic for many years, now.

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton

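The thread contrasts a max-prefix limit, which tears down the whole session once a leak pushes the count over the threshold, with IRR-derived prefix-lists (with max-length) and AS-path filters, which reject only the routes that should not have been announced. The following is an added example, not configuration or code from any poster, that models both policies on one peering session and runs a constructed full-table leak through them. The ASNs (64500-64502, private-use range), the prefixes and the `EXPECTED_PREFIXES` table stand in for what you would actually generate from the peer's as-set and route objects.

```python
"""Added example: prefix-limit vs. per-route filtering of a peer's announcements.
All ASNs, prefixes and the expected-routes table are constructed stand-ins."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    as_path: str  # underscore-separated, leftmost ASN is the peer


# Stand-in for IRR route objects of the peer's customer cone, with the longest
# prefix length we accept under each (the "le" in a prefix-list entry).
EXPECTED_PREFIXES = {"203.0.113.0/24": 24, "198.51.100.0/22": 24}
# Stand-in for an AS-path filter built from the peer's as-set:
# path must start at the peer and contain only its customer cone.
AS_PATH_FILTER = re.compile(r"^64500(_6450[12])*$")
MAX_PREFIXES = 1000


def prefix_list_accepts(prefix, expected=EXPECTED_PREFIXES):
    """Accept a route if some expected prefix covers it and it is not too specific."""
    net = ipaddress.ip_network(prefix)
    for covering, maxlen in expected.items():
        cov = ipaddress.ip_network(covering)
        if net.version == cov.version and net.subnet_of(cov) and net.prefixlen <= maxlen:
            return True
    return False


def as_path_accepts(as_path, pattern=AS_PATH_FILTER):
    """Accept a route whose AS path matches the peer's expected-path regex."""
    return pattern.match(as_path) is not None


def apply_max_prefix(routes, limit=MAX_PREFIXES):
    """Prefix limit: once the count exceeds the limit the session is torn down,
    so nothing learned from this peer remains reachable."""
    return [] if len(routes) > limit else list(routes)


def apply_route_filters(routes):
    """Per-route policy: drop only what fails the prefix-list or AS-path check."""
    return [r for r in routes
            if prefix_list_accepts(r.prefix) and as_path_accepts(r.as_path)]


def sample_routes():
    """Constructed announcements: three from the peer's cone, plus a leaked
    full-table-like set of /24s heard from the peer with foreign ASNs in the path."""
    legit = [
        Route("203.0.113.0/24", "64500"),
        Route("198.51.100.0/23", "64500_64501"),
        Route("198.51.100.0/25", "64500_64502"),  # too specific: exceeds max-length
    ]
    leak_block = ipaddress.ip_network("100.64.0.0/10")
    leaked = [Route(str(net), "64500_64496_64497")
              for net in list(leak_block.subnets(new_prefix=24))[:1500]]
    return legit, leaked


if __name__ == "__main__":
    legit, leaked = sample_routes()
    announced = legit + leaked
    print("max-prefix keeps:", len(apply_max_prefix(announced)))
    print("route filters keep:", [r.prefix for r in apply_route_filters(announced)])
```

With the leak present, the prefix limit leaves zero routes (the session is down and the peer's own customers are unreachable), while the per-route policy still carries the two legitimate routes and drops the 1500 leaked ones plus the over-specific /25. The per-route policy is only as good as the IRR data it is built from, which is the caveat raised earlier in the thread.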



Re: do not filter your customers

2012-02-23 Thread Randy Bush
> Also, it's important that network operators understand that
> flap-dampening has been iatrogenic for many years, now.

well, ... 

https://datatracker.ietf.org/doc/draft-ymbk-rfd-usable/

randy