RE: Re: using expect to log into devices

2018-07-25 Thread Jamie Bowden
Jimmy Hess 
> 
> On Tue, Jul 24, 2018 at 9:55 PM, Scott Weeks wrote:
> >
> > --- valdis.kletni...@vt.edu wrote:
> > From: valdis.kletni...@vt.edu
> >
> > On Sun, 22 Jul 2018 00:43:35 +0200, Niels Bakker said:
> > > Fine as a personal exercise, of course.  The inability to download
> > > modules seems sadistic to me, though.
> >
> 
> Yeah... just download RANCID and check the command line options.
> Expect is mainly of historical interest,  and  the code already exists in
> several forms, so no need to completely re-invent the wheel (as a square)
> here.

In a follow up he stated that wasn't allowed either. 

> I call shenanigans about the avoidance of Perl modules.  No real-world system
> has such constraints.

As someone who administers systems with such constraints, allow me to say that 
you are incorrect in your assertion.

> Besides,  Expect itself is a module / extension of the Tcl language and
> requires the use of dynamically-loaded extension libraries for pattern
> matching and various functions, so using Expect would break the "No modules
> rule".

"No PERL modules" != "no dynamically linked binaries"

Jamie


RE: bloomberg on supermicro: sky is falling

2018-10-10 Thread Jamie Bowden
> From: NANOG  On Behalf Of Naslund, Steve
> Sent: Wednesday, October 10, 2018 1:06 PM


> If there was a waiver issued for your ATO, it would have had to have been
> issued by a department head or the OSD and approved by the DoD CIO after
> Director DISA provides a recommendation and it is mandatory that it be posted
> at https://gtg.csd.disa.mil.  Please see this DoD Instruction
> http://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/831001p.pdf
> (the waiver process is on page 23).  If it did not go through that process,
> then it is not approved no matter what anyone told you.  I know your opinion
> did not make it through that process.

That only applies to RMF systems where DSS is the AO on behalf of the DoD.  For 
anything that falls outside DSS purview you can do whatever the COTR for the 
Cog is willing to sign off on.  Even under RMF, MUSAs and isolated LANs have 
those requirements tailored out by default.  IWANS and UWANS that don't have 
connectivity to anything but themselves are also NA for the firewall 
requirements.  At present, contractor systems that don't connect to a USG 
network aren't required to implement any of the STIGs other than base OS.  I 
don't expect things to stay that way, but I haven't heard anything from DSS to 
indicate it'll be changing anytime in the near future.

It's less difficult than it first appears to get ATO from a technical 
standpoint (the paperwork hell IA is buried under is an entirely different 
story, but I'm not them and have no desire to be).

Jamie


RE: Re: Looking for help @ 60 Hudson

2017-11-15 Thread Jamie Bowden
>On Behalf Of Seth Mattinen
>
>On 11/13/17 12:49, Mike Hammett wrote:
>> Keep the humans out of the rack and you should be fine.
>> 
>> Where should I send the invoice?:-P  
>
>
>It's easy to keep a rack nice if you take the time. I've spent hours 
>removing and replacing cables in neatly dressed bundles because 
>equipment changes required a different length/type cable, but sometimes 
>that's what you gotta do to keep things neat and tidy.

Go that way really fast.  If something gets in your way, turn.

I want my two dollars.

-- 
Jamie Bowden


RE: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-02-02 Thread Jamie Bowden
Our classified networks aren't ever going to be connected to anything
but themselves either, and they need sane local addressing.  Some of
them are a single room with a few machines, some of them are entire
facilities with hundreds of machines, but none of them are going to be
talking to a router or anything upstream, as neither of those exist on
said networks.

Jamie

-Original Message-
From: Chuck Anderson [mailto:c...@wpi.edu] 
Sent: Tuesday, February 01, 2011 6:39 PM
To: nanog@nanog.org
Subject: Re: Using IPv6 with prefixes shorter than a /64 on a LAN

On Tue, Feb 01, 2011 at 03:14:57PM -0800, Owen DeLong wrote:
> On Feb 1, 2011, at 2:58 PM, Jack Bates wrote:
> > There are many cases where ULA is a perfect fit, and to work 
> > around it seems silly and reduces the full capabilities of IPv6. I 
> > fully expect to see protocols and networks within homes which will 
> > take full advantage of ULA. I also expect to see hosts which don't 
> > talk to the public internet directly and never need a GUA.
> > 
> I guess we can agree to disagree about this. I haven't seen one yet.

What would your recommended solution be then for disconnected 
networks?  Every home user and enterprise user requests GUA directly 
from their RIR/NIR/LIR at a cost of hundreds of dollars per year or 
more?




RE: out of band management gear

2014-02-24 Thread Jamie Bowden
> From: vinny_abe...@dell.com [mailto:vinny_abe...@dell.com]
> Just ran into that exact problem with Cisco Nexus 2232TM-E FEX's. They only
> do 10Gb/1Gb and won't step down to 100Mb. Couldn't connect some newer
> gear's Ethernet management ports to the management network as a result
> and have to get a different model FEX like the 2248TP-E just for that. The
> devices in question are current generation too and only support 100Mb for
> the management ports. My question was less about why the 2232TM-E's
> couldn't step down to 100Mb, but rather why in this day and age do we have
> something that doesn't do 1Gb, even on a management port?

It's not just you guys at Dell.  HP are still doing the same thing with iLO 
ports (for dedicated iLO ports anyway; shared ports (which are a whole new 
level of WTF were you thinking?) are normally 1Gb and will operate just fine at 
that connection rate).

Jamie


RE: We hit half-million: The Cidr Report

2014-04-30 Thread Jamie Bowden
> Behalf Of Jeff Kell

> Not to mention that PCI compliance requires you are RFC1918 (non-routed)
> at your endpoints, but I digress...

You're not funny.  And if you're not joking, you're wrong.  We just went over 
this on this very list two weeks ago. 

Jamie


RE: dynamic or static IPv6 prefixes to residential customers

2011-08-04 Thread Jamie Bowden
Oh please, you know practical, operational, and security concerns mean nothing 
next to the beauty and purity of the perfect network protocol design.

Jamie

-Original Message-
From: Jay Ashworth [mailto:j...@baylink.com] 
Sent: Tuesday, August 02, 2011 3:56 PM
To: NANOG
Subject: Re: dynamic or static IPv6 prefixes to residential customers

- Original Message -
> From: "james machado" 

> Complain about NAT all you want but NAT + RFC 1918 addressing in IPv4
> made things such as these much nicer in a home and business setting.

An argument I've been making right along.  Concern about what's happening
network-wise outside my edge router belongs to my edge router, *and no 
other device on my LAN* should be held hostage by problems there.

That's my best practice advice (to my clients, at least), and if IPv6
makes that impossible, well, then, things are gonna get messy, until someone
figures out a way around it, cause I'm sure I'm not the only person who 
views it that way...

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA  http://photo.imageinc.us +1 727 647 1274



RE: FTTH CPE landscape

2011-08-05 Thread Jamie Bowden
You don't have to use bridge mode for this (and the Actiontec router VZ 
supplies with FiOS is capable of doing bridge mode, but unless you jump through 
some fairly esoteric hoops, doing so breaks the guide and VOD, trust me on 
this...oh and you have to jump through them every time you reset the damn thing 
for any reason).  I set mine with my D-Link as the DMZ host and forward all 
traffic on all ports unimpeded to it, and it works; Poor Man's Bridge, but it 
works.

Jamie

-Original Message-
From: Jay Ashworth [mailto:j...@baylink.com] 
Sent: Thursday, August 04, 2011 5:08 PM
To: NANOG
Subject: Re: FTTH CPE landscape

- Original Message -
> From: "Owen DeLong" 

> On Aug 4, 2011, at 8:35 AM, Jay Ashworth wrote:
> 
> >> - Generic consumer grade NAT/Firewall
> >
> > Hobby horse: please make sure it support bridge mode? Those of us who
> > want to put our own routers on the wire will hate you otherwise.
> 
> Why? As long as it can be a transparent router, why would it need to
> be a bridge?

Ask a Verizon FiOS customer who wants to run IPv4 VPNs.

He didn't say IPv6 only, right?  

I have a couple of customers who can't get bridge mode on residence FiOS 
service, and therefore can't run their own routers to terminate IPsec.

Cheers,
-- jra



RE: IPv6 end user addressing

2011-08-11 Thread Jamie Bowden
Owen wrote:

> -Original Message-
> From: Owen DeLong [mailto:o...@delong.com]
> Sent: Wednesday, August 10, 2011 9:58 PM
> To: William Herrin
> Cc: nanog@nanog.org
> Subject: Re: IPv6 end user addressing
> 
> 
> On Aug 10, 2011, at 6:46 PM, William Herrin wrote:
> 
> >> On Wed, Aug 10, 2011 at 9:32 PM, Owen DeLong wrote:
> >>> Someday, I expect the pantry to have a barcode reader on it connected back
> >>> to a computer setup for the kitchen someday.  Most of us already use
> >>> barcode readers when we shop so it's not a big step to home use.
> >>
> >> Nah... That's short-term thinking. The future holds advanced pantries with
> >> RFID sensors that know what is in the pantry and when they were
> >> manufactured, what their expiration date is, etc.
> >
> > And since your can of creamed corn is globally addressable, the rest
> > of the world knows what's in your pantry too. ;)
> >
> 
> This definitely helps explain your misconceptions about NAT as a
> security tool.
> 
> Globally addressable != globally reachable.
> 
> Things can have global addresses without having global reachability. There are
> these tools called access control lists and routing policies. Perhaps you've
> heard of them. They can be quite useful.

And your average home user, whose WiFi network is an open network named
"linksys" is going to do that how?

Jamie



RE: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-20 Thread Jamie Bowden


> From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
> Sent: Tuesday, September 20, 2011 12:15 AM
> 
> On Tue, 20 Sep 2011 05:32:04 +0200, Randy Bush said:
> 
> > you left out one connection via a chevy full of hollerith cards and the
> > second a canoe full of 7 track tape in waterproof containers.
> 
> Does anybody actually *have* a functional 7 track drive?  I remember seeing a
> story on PBS (may have been a Nova episode) where they discussed the fact that
> NASA had literally thousands of 7 track tapes of telemetry data and no way to
> read them because their last 7 track drive had died, and IBM had no 7 track
> read/write heads left either...
> 
> (I admit we still have a rack of 9-track tapes in ez-loader seals in our tape
> library, though we got rid of our last IBM 3420 about a decade ago. I think
> most of them are tapes we've lost track of ownership info, and don't dare
> dispose of in case the owner turns up.. ;)

It's worse than that.  I spent a little time working at NASA LaRC, and
even if you had a functional drive, the tapes are mostly garbage (we had
tens of thousands of 9 track spools that had spent decades in rooms with
no temp or humidity controls).  No point in trying to read data from a
tape that's shedding the layer of magnetic material.  We were not
unique.

Jamie



RE: [outages] News item: Blackberry services down worldwide

2011-10-13 Thread Jamie Bowden
You are correct.  The BES uses PSKs to talk to RIM's servers, which then
uses them to talk to the devices over the carrier networks.  All of this
was in complete failure mode until sometime overnight when it appears to
have all started flowing again.  Someday either Google or Apple will get
off their rear ends and roll out an end to end encrypted service that
plugs into corporate email/calendar/workgroup services and we can all
gladly toss these horrid little devices in the recycle bins where they
belong.

Jamie

> -Original Message-
> From: Joe Abley [mailto:jab...@hopcount.ca]
> Sent: Wednesday, October 12, 2011 6:06 PM
> To: Phil Regnauld
> Cc: nanog@nanog.org
> Subject: Re: [outages] News item: Blackberry services down worldwide
> 
> 
> On 2011-10-12, at 18:02, Phil Regnauld wrote:
> 
> > Joe Abley (jabley) writes:
> >>
> >> On 2011-10-12, at 13:05, Leigh Porter wrote:
> >>
> >>> Email on my iPhone is working fine.. ;-)
> >>
> >> The blackberry message service is centralised with a lot of processing
> >> intelligence in the core. Messaging services that use the core as a simple
> >> transport and shift the processing intelligence to the edge have different,
> >> less-dramatic failure modes.
> >
> > This is not the case for corporate customers with dedicated servers,
> > AFAIU.
> 
> I'm no expert, but my understanding is that some/most/all traffic between
> handhelds and a BES, carried from the handheld device through a cellular
> network, still flows through RIM.
> 
> 
> Joe



RE: [outages] News item: Blackberry services down worldwide

2011-10-13 Thread Jamie Bowden


> -Original Message-
> From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
> Sent: Thursday, October 13, 2011 11:36 AM
> To: Jay Ashworth
> Cc: NANOG
> Subject: Re: [outages] News item: Blackberry services down worldwide
> 
> On Thu, Oct 13, 2011 at 11:13 AM, Jay Ashworth wrote:
> > - Original Message -
> >> From: "Jamie Bowden" 
> >
> >> Someday either Google or Apple will get off their rear ends and roll out
> >> an end to end encrypted service that plugs into corporate
> >> email/calendar/workgroup services and we can all gladly toss these horrid
> >> little devices in the recycle bins where they belong.
> >
> > I'm fairly sure K-9 does GPG, at least for the email
> 
> plus normal mail + k9 will do TLS on SMTP and IMAP... or they both do
> with my mail server just fine. (idevices seem to also do this well
> enough)
> 
> It's possible that the 'encryption' comment from Jamie is really about
> encrypting the actual device... which I believe Android[0] will do, I
> don't know if idevices do though.

As of 2.3[.x?] (can't remember if it's a sub release that intro'd this),
Android devices can be wholly encrypted, though I don't know if they are
by default. All these kludges are great on a small scale, but the BES
does end to end encryption for transmission, plugs into Exchange, Lotus,
Sametime, proxies internal http[s], and lets us manage policies and push
out software updates from a central management point.  When it works,
it's also scalable, which matters when you have thousands of devices to
manage.

Jamie





RE: Have they stopped teaching Defense in Depth?

2011-11-16 Thread Jamie Bowden

> -Original Message-
> From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
> Sent: Wednesday, November 16, 2011 9:02 AM
> To: Jay Ashworth
> Cc: NANOG
> Subject: Re: Have they stopped teaching Defense in Depth?
> 
> On Wed, 16 Nov 2011 08:36:21 EST, Jay Ashworth said:
> > - Original Message -
> > > From: "Jimmy Hess" 
> >
> > > Or, the attack is against a legitimate user's outbound connection, for
> > > example: a user behind the firewall connects to a web site, a
> > > vulnerability in their browser is exploited to install a trojan -- the
> > > trojan tunnels to the attacker over an outgoing port that is allowed on
> > > the firewall.
> >
> > Oh, certainly; I have lots of web browsers running on my servers.
> >
> > All The World Is Not A Workstation, guys.
> 
> Is there *anything* on the allegedly protected subnet that has a web browser
> running on it?  Maybe that laptop on the crash cart that you use for
> downloading firmware and installing it on storage appliances?  If it's a
> corporate-sized NAT, do you have any desktops that have network reachability
> to the servers (probably do - if the desktops can't reach the servers, the
> servers aren't useful are they?) and also have web browsers that go to the
> outside world?
> 
> I compromise an ad server someplace.  Bob over in Accounting visits the CPA
> forum on the accountants-r-us.com website looking for suggestions on how to
> handle a tax issue.  I now have control of Bob's workstation, and the
> question of whether your firewall does NAT or not just became totally moot.
> 
> Defense in depth doesn't mean building a second Maginot Line behind the first
> is a good idea - it means you *also* have a capable army that will stop a
> German invasion coming in via Belgium.

That's absurd, no one could get an army across that terrain...

Jamie




RE: Have they stopped teaching Defense in Depth?

2011-11-16 Thread Jamie Bowden


> -Original Message-
> From: Owen DeLong [mailto:o...@delong.com]
> Sent: Wednesday, November 16, 2011 11:11 AM
> To: William Herrin
> Cc: NANOG
> Subject: Re: Have they stopped teaching Defense in Depth?
> 
> 
> On Nov 15, 2011, at 2:01 PM, William Herrin wrote:
> 
> > On Tue, Nov 15, 2011 at 4:50 PM, Mark Andrews  wrote:
> >> If you want to use unroutable addresses then use a bastion host /
> >> proxy.  Don't expect to be able to open a TCP socket and have it
> >> connect to something on the outside.  Do it right or don't do it
> >> at all.
> >
> > Mark,
> >
> > What is a modern NAT but a bastion host proxy for which application
> > compatibility has been maximized?
> 
> It is a mechanism for header mutilation which creates additional costs
> in hardware (cost of routers), software (development of NAT traversal
> code in various applications, NAT software in some cases), security
> (NAT obfuscates audit trails and increases the difficulty and cost of
> event correlation, forensics, abuser identification, and attack source
> identification and mitigation, etc.).

How is that any different than a proxy server, really?  From the inside,
your apps are either NAT aware or proxy aware, but either way, you're
not directly exposed to the world and all your traffic comes from one
place as far as the world is concerned.  I live behind both (NAT at
home; all external traffic of any type (assuming it's even allowed) is
proxied at work), and both suck in different and exciting ways.

Jamie



RE: IPv6 prefixes longer then /64: are they possible in DOCSIS networks?

2011-11-30 Thread Jamie Bowden


> -Original Message-
> From: Jimmy Hess [mailto:mysi...@gmail.com]
> Sent: Wednesday, November 30, 2011 11:14 AM
> To: Ray Soucy
> Cc: NANOG
> Subject: Re: IPv6 prefixes longer then /64: are they possible in DOCSIS
> networks?
> 
> On Wed, Nov 30, 2011 at 8:48 AM, Ray Soucy  wrote:
> > Saying you can mitigate neighbor table exhaustion with a "simple ACL"
> > is misleading (and you're not the only one who has tried to make that
> > claim).
> 
> It's true, though, you can.
> But you can also mitigate neighbor table exhaustion by using a long prefix
> /126; you create an upper bound on the number of neighbor table entries that
> are possible, and that bound is less than your device's memory capacity for
> neighbor table entries.
> 
> This is a more reliable mitigation than an ACL;  it is also simpler and less
> likely for an operator mistake to render the mitigation useless, or cause
> other issues.
> 
> From a pure security POV,  it's easy to reject ACL mitigation in favor of
> inherent designed-in mitigation / non-vulnerability.
> 
> From a network design POV, there may still be reasons to prefer the ACL
> method.  They better be good reasons, such as a requirement for SLAAC on a
> large LAN.

Or maybe the IETF could, you know, decouple SLAAC from a particular
netmask and make the world a better place for all of us who aren't
backbone providers.  Do we have to recreate the mistakes from v4 all
over again?

Jamie
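To make the trade-off Jimmy describes concrete, here is an added example (written for this page, not code from the thread or from any vendor): a toy model of a bounded neighbor cache receiving packets swept across its on-link prefix, with the ACL approach and the long-prefix approach side by side. The prefixes, host addresses and cache capacity are constructed sample values, and FIFO eviction is an assumption of the model, not a description of any real router.

```python
import ipaddress
import random
from collections import OrderedDict


def possible_targets(prefix: str) -> int:
    """Upper bound on distinct on-link destinations (hence neighbor-cache
    entries) a prefix can ever produce: 2^(128 - prefix length)."""
    return ipaddress.ip_network(prefix).num_addresses


class NeighborCache:
    """Toy neighbor cache with a fixed capacity and FIFO eviction.

    Assumption: real implementations differ in eviction policy and in how
    INCOMPLETE entries are rate-limited; this model only shows the bound."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.entries = OrderedDict()  # insertion-ordered set of addresses
        self.evictions = 0

    def touch(self, addr) -> None:
        """A packet to addr arrives: cache it, evicting the oldest entry if full."""
        if addr in self.entries:
            return
        if len(self.entries) >= self.capacity:
            self.entries.popitem(last=False)
            self.evictions += 1
        self.entries[addr] = True


def simulate(prefix: str, legitimate, sweep_packets: int, capacity: int,
             acl=None, seed: int = 0):
    """Model a router whose on-link prefix is `prefix` receiving sweep_packets
    addressed to random hosts inside it.

    legitimate: addresses of the real hosts, cached before the sweep starts.
    acl: if given, the only addresses the router will resolve; packets to any
         other on-link destination are dropped before neighbor discovery.
    Returns (legitimate entries still cached afterwards, eviction count)."""
    rng = random.Random(seed)
    net = ipaddress.ip_network(prefix)
    cache = NeighborCache(capacity)
    legit = [ipaddress.ip_address(a) for a in legitimate]
    allowed = None if acl is None else {ipaddress.ip_address(a) for a in acl}
    for host in legit:
        cache.touch(host)  # steady state: real hosts already resolved
    for _ in range(sweep_packets):
        target = net[rng.randrange(net.num_addresses)]
        if allowed is not None and target not in allowed:
            continue
        cache.touch(target)
    retained = sum(1 for host in legit if host in cache.entries)
    return retained, cache.evictions


if __name__ == "__main__":
    hosts = ["2001:db8::1", "2001:db8::2"]  # constructed sample hosts
    print("/64, no ACL:", simulate("2001:db8::/64", hosts, 5000, 1000))
    print("/64 with ACL:", simulate("2001:db8::/64", hosts, 5000, 1000, acl=hosts))
    print("/126:", simulate("2001:db8::/126", ["2001:db8::1"], 5000, 1000))
```

On the bare /64 the sweep pushes the real hosts out of the cache; the ACL keeps them only as long as the ACL is correct, while the /126 cannot hold more than four entries whatever arrives.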



RE: why haven't ethernet connectors changed?

2012-12-21 Thread Jamie Bowden
> From: Warren Bailey [mailto:wbai...@satelliteintelligencegroup.com]


> I'm shocked there hasn't been a whisper of amphenol. As an rf guy, I
> vote all connectors move to sma or bnc. I can then justify the cost of
> a Walmart 10 foot cable for 25 dollars.. And if we gold plate them, we
> can charge a premium. ;)

Let's just use MTC thermocouple connectors everywhere and be done with it.

Jamie



RE: OOB core router connectivity wish list

2013-01-14 Thread Jamie Bowden
> From: Mikael Abrahamsson [mailto:swm...@swm.pp.se]
> On Sat, 12 Jan 2013, Matthew Petach wrote:
> 
> > Thank goodness ethernet never has problems with negotiation going awry,
> > and coming up with mismatched duplexes, and vendors never had to
> > implement "no negotiation-auto" in their configs because you couldn't
> > count on everyone's implementations working together just absolutely
> > perfectly the first time on bootup.  Yes, it sure is a good thing
> > ethernet never has issues like that which would cripple your ability to
> > get a box up and running at 2am.
> 
> Has this happened to you with equipment designed and manufactured the past
> 5 years?

This happened to me just last month.

Jamie



RE: Slashdot: UK ISP PlusNet Testing Carrier-Grade NAT Instead of IPv6

2013-01-22 Thread Jamie Bowden
> From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
> On Fri, 18 Jan 2013 09:03:31 -0500, William Herrin said:


> > On the technical side, enterprises have been doing large-scale NAT for
> > more than a decade now without any doomsday consequences. CGN is not
> > different.
> 
> Corporate enterprises have been pushing GPO to the desktop for more than a
> decade as well.  Feel free to try to push GPO to Joe Sixpack's PC, let me
> know how that works out for you.

We don't even do NAT here.  Our corporate parent has PI space that they've had 
since the Jurassic period of the internet and we mostly live on that (there are 
spots of 1918 addresses, but not for NAT purposes, think temporary networks in 
lab spaces).  Access to the internet at large is all via proxy, there is no 
direct way out.

Jamie



RE: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-02-20 Thread Jamie Bowden
> From: Warren Bailey [mailto:wbai...@satelliteintelligencegroup.com]


> If you are doing DS0 splitting on the DACS, you'll see that on the other end
> (it's not like channelized CAS ds1's or PRI's are difficult to look at now)
> assuming you have access to that. If the DACS is an issue, buy the DACS and
> lock it up. I was on a .mil project that used old school Coastcom DI III Mux
> with RLB cards and FXO/FXS cards, that DACS carried some pretty top notch
> traffic and the microwave network (licensed .gov band) brought it right back
> to the base that project was owned by. Security is expensive, because you
> cannot leverage a service provider model effectively around it. You can
> explain the billion dollars you spent on your global network of CRS-1's, but
> CRS-1's for a single application usually are difficult to swallow. I'm not
> saying that it isn't done EVER, I'm just saying there are ways to avoid your
> 1998 red hat box from rpc.statd exploitation - unplug aforementioned boxen
> from inter webs.

Our connections to various .mil and others are private ds1's with full on end 
to end crypto over them.  You can potentially kill our connections, but you're 
not snooping them or injecting traffic into them.

Jamie



RE: Comcast NOC Contact

2013-03-07 Thread Jamie Bowden
> From: Eugeniu Patrascu [mailto:eu...@imacandi.net]


> Comcast's customers send money to Comcast in order to receive whatever they
> want from other networks. With that money, Comcast should invest in
> infrastructure so that its network is not saturated anymore. Isn't this
> how ISPs work ? :)

In competitive markets, that's the theory.  That would require one to test 
with...

Jamie



RE: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-03-13 Thread Jamie Bowden
> From: Mike A [mailto:mi...@mikea.ath.cx]
> On Thu, Feb 21, 2013 at 04:41:42PM +, Warren Bailey wrote:
> > Not to mention, the KG units are dot government only.. For obvious
> reasons.


> Erm ... yes and no. Lots of defense contractors have one end of a secured
> circuit. Been there, installed-and-maintained them.

They don't belong to us, they're in a secured area inside a secured area (yes, 
I typed that twice on purpose), and they are regularly inspected by whichever 
bit of the fed loaned them to us.  It's in our facility only as long as the 
circuit it's servicing exists.

Jamie



RE: Network security on multiple levels (was Re: NYT covers China cyberthreat)

2013-03-13 Thread Jamie Bowden
> From: Shrdlu [mailto:shr...@deaddrop.org]
> On 3/12/2013 4:16 PM, Warren Bailey wrote:
> 
> > Contractors with facility clearances? I would find it hard to believe
> > dot gov would run secure circuits to a non secure facility. ;)
> 
> The word "Contractor" is usually used to refer to anyone that has a
> contract to do work with the government. Having spent nearly my entire
> working life in those situations, I can absolutely and completely
> guarantee that this type of circuit is common, that the types of phones
> referred to are commonplace in such an environment, and that I have used
> such phones in the course of a normal day.

STU / STE units are not KGs.  Different type of equipment.  Far less functional 
and single purpose.  

Jamie



RE: Open Resolver Problems

2013-03-26 Thread Jamie Bowden
> From: Jared Mauch [mailto:ja...@puck.nether.net]
> On Mar 25, 2013, at 2:04 PM, Jay Ashworth  wrote:
> > - Original Message -
> >> From: "Jared Mauch" 
> >
> >> Open resolvers pose a security threat.
> >
> > Could you clarify, here, Jared?
> >
> > Do "open DNS customer-resolver/recursive servers" *per se* cause a problem?
> >
> > Or is it merely "customer zone servers which are misconfigured to recurse",
> > as has always been problematic?
> >
> > That is: is this just a reminder we never closed the old hole, or
> > notification of some new and much nastier hole?
> 
> There have been some moderate size attacks recently that I won't go into
> detail here about.  The IPs that are on the website are certainly being
> used/abused.  A recent attack saw a 90% match rate against the "master list"
> here.  This means your open resolver is likely being used.

I'm just going to jump in here and ask what is probably a silly question, but 
let's suppose I just happen to have, or have access to, a botnet comprised of 
(tens of) millions of random hosts all over the internet, and I feel like 
destroying your DNS servers via DDoS; what's stopping me from just directly 
querying your servers continuously from said botnet until you melt?  Those 
machines send you traffic indirectly through open resolvers, or hit you 
directly, but either way, it's the same number of machines issuing the same 
number of queries, and you're no less inundated.  If your own servers rate 
limit to protect themselves, you're losing valid traffic, and if they don't, 
once you melt down, you're losing valid traffic...

Jamie
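Jared's point is that an open resolver shows up in these attacks whether or not its operator notices. As an added example (written for this page, not from the thread or the Open Resolver Project), here is resolver-side detection logic run over constructed query-log lines: it aggregates per client and flags clients for which the resolver is returning far more bytes than it receives. The log format with qsize/rsize fields is assumed for the example; the addresses are documentation ranges, not real hosts.

```python
import re
from collections import defaultdict

# Constructed sample log.  198.51.100.7 repeatedly receives large ANY answers;
# 192.0.2.10 makes ordinary A lookups.  One junk line tests the parser.
SAMPLE_LOG = """\
2013-03-26T10:00:01 client 198.51.100.7#4242 query: example.net IN ANY qsize=34 rsize=3100
2013-03-26T10:00:01 client 198.51.100.7#4242 query: example.net IN ANY qsize=34 rsize=3100
2013-03-26T10:00:01 client 198.51.100.7#4242 query: example.net IN ANY qsize=34 rsize=3100
2013-03-26T10:00:02 client 198.51.100.7#4242 query: example.net IN ANY qsize=34 rsize=3100
2013-03-26T10:00:02 client 198.51.100.7#4242 query: example.net IN ANY qsize=34 rsize=3100
2013-03-26T10:00:03 client 192.0.2.10#51023 query: www.example.com IN A qsize=33 rsize=65
2013-03-26T10:00:05 client 192.0.2.10#51024 query: mail.example.com IN A qsize=34 rsize=66
not a log line at all
"""

# Assumed log format: timestamp, client ip#port, qname, qtype, query/response sizes.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<ip>[0-9a-fA-F:.]+)#(?P<port>\d+) "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+) qsize=(?P<q>\d+) rsize=(?P<r>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ip": m["ip"], "qname": m["qname"], "qtype": m["qtype"],
            "qbytes": int(m["q"]), "rbytes": int(m["r"])}


def per_client_stats(log_text):
    """Aggregate query count, byte totals and ANY-query count per client address."""
    stats = defaultdict(lambda: {"queries": 0, "qbytes": 0, "rbytes": 0, "any": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["queries"] += 1
        s["qbytes"] += rec["qbytes"]
        s["rbytes"] += rec["rbytes"]
        if rec["qtype"] == "ANY":
            s["any"] += 1
    return stats


def suspicious_clients(log_text, min_queries=3, min_amplification=10.0):
    """Clients for which this resolver is doing repeated, heavily amplified work.

    The address reported is where the answers are being sent.  On an open
    resolver abused as a reflector that is the party being flooded, so it is
    the address to rate-limit or notify, not the originator of the traffic."""
    flagged = {}
    for ip, s in per_client_stats(log_text).items():
        amp = s["rbytes"] / s["qbytes"] if s["qbytes"] else 0.0
        if s["queries"] >= min_queries and amp >= min_amplification:
            flagged[ip] = {"queries": s["queries"],
                           "amplification": round(amp, 1),
                           "any_queries": s["any"]}
    return flagged


if __name__ == "__main__":
    for ip, info in suspicious_clients(SAMPLE_LOG).items():
        print(ip, info)
```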



RE: Open Resolver Problems

2013-04-02 Thread Jamie Bowden
> From: Dobbins, Roland [mailto:rdobb...@arbor.net]
> On Apr 2, 2013, at 7:53 AM, Mark Andrews wrote:


> >  Such lines are tantamount to extortion especially if the ISP supplies
> commercial grade lines.


> Patrick's talking about consumer broadband access.  Such AUP stipulations
> are quite common.


> This is in no way 'tantamount to extortion'.  Folks can either accept the AUP,
> or choose not to enter into a contract for the service in question under those
> conditions; there is no compulsion or coercion to do so.

And that would be a valid response if we actually lived in a place where I, or 
anyone else, had more than two choices, both offering roughly the same terms 
and pricing.  In my little corner of Fairfax Co, we have Cox or FiOS.  Across 
the Potomac in Montgomery, they can pick between Comcast and FiOS.  I hear that 
in other bits of the US, your cable and telco might be different, but other 
than the label, nothing else is.

Jamie



RE: RFC 1149

2013-04-03 Thread Jamie Bowden
> From: Jay Ashworth [mailto:j...@baylink.com]
> - Original Message -
> > From: "TJ" 

> > On Tue, Apr 2, 2013 at 3:41 PM, Owen DeLong 
> wrote:

> > > "Never underestimate the bandwidth of a 747 full of DLT cartridges."

> > XKCD is all over this: http://what-if.xkcd.com/31/
> > :)

> I have always wondered what kind of station wagon Andy had in mind; the
> SRT-8 Magnum didn't exist when he said that...

No, but the Caprice Classic wagon was very common at the time.

Jamie


RE: Data Center Installations

2013-05-02 Thread Jamie Bowden
> From: Warren Bailey [mailto:wbai...@satelliteintelligencegroup.com]
> 
> Do any of you have a "go to" resource for materials used in installations? Tie
> wraps, cable management, blahblahblah?
> 
> I have found several places, but I'm curious to know what the nanog ninjas
> have to say.

I use Graybar for the most part.  If it's something small or easy, MicroCenter 
probably has it, but when I need a couple thousand feet of 
cat[5|5e|6|whatever], a bag of 500 cable ties, a box RJ-48s, etc., it's 
straight to Graybar.  If it's not already on the shelf they can get it quick 
and their pricing is pretty good.

-- 
Jamie Bowden(ja...@photon.com)
Sr. Sys. Admin. (703) 243-6613 x3848
Photon Research Associates
1616 Fort Myer Drive, Suite 1000
Arlington, VA 22209



VZ FiOS DNS issues:

2012-01-22 Thread Jamie Bowden

Any Verizon techs around today?  I don't know why you can't pass DNS traffic 
this morning, but it's the second time in as many weeks that it has been an 
issue, and it's rather annoying (Google is the example, but the exact same 
failure happens using any destination, on VZ's own or any other public DNS 
servers; phone support is, of course, useless):

C:\Users\jamie>tracert -d 71.252.0.12

Tracing route to 71.252.0.12 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.2.254
  2    <1 ms    <1 ms    <1 ms  192.168.1.1
  3     8 ms     9 ms    13 ms  96.231.199.1
  4    14 ms     9 ms     9 ms  130.81.183.118
  5     9 ms     9 ms     9 ms  130.81.151.232
  6     9 ms     9 ms     *     130.81.20.19
  7    11 ms     9 ms     9 ms  71.252.0.12

Trace complete.

C:\Users\jamie>nslookup www.google.com 71.252.0.12
Server:  nsrest01.verizon.net
Address:  71.252.0.12

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to nsrest01.verizon.net timed-out

C:\Users\jamie>tracert -d 8.8.8.8

Tracing route to 8.8.8.8 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  192.168.2.254
  2    <1 ms    <1 ms    <1 ms  192.168.1.1
  3     7 ms     8 ms     9 ms  96.231.199.1
  4     8 ms     9 ms     8 ms  130.81.183.118
  5     9 ms    28 ms    10 ms  130.81.22.56
  6     8 ms     9 ms     9 ms  152.63.36.237
  7    20 ms    19 ms    19 ms  152.63.0.153
  8    21 ms    18 ms    18 ms  152.63.21.73
  9    41 ms    47 ms    49 ms  152.179.72.66
 10    17 ms    18 ms    19 ms  209.85.255.68
 11     *        *        *     Request timed out.
 12     *        *        *     Request timed out.
 13    22 ms    19 ms    19 ms  72.14.236.200
 14    20 ms    31 ms    18 ms  216.239.49.145
 15    18 ms    19 ms    19 ms  8.8.8.8

Trace complete.

C:\Users\jamie>nslookup www.google.com 8.8.8.8
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
DNS request timed out.
timeout was 2 seconds.
*** Request to google-public-dns-a.google.com timed-out

C:\Users\jamie>


RE: VZ FiOS DNS issues:

2012-01-23 Thread Jamie Bowden
I don't care for the Actiontec boxes either, but the STB program guides and 
other features don't work without it, so I have mine forward all IP traffic 
unmolested to my own as the DMZ host (thus the dual layer of [P|N]AT you see).  
It's just UDP/TCP 53 traffic that's not flowing for whatever reason; it's every 
device in the house (phones, tablets, computers, you name it), so I'm not 
inclined to attribute it to malware.  My neighbor was also seeing it (and like 
last time, it seems to have magically resolved itself after ~1.5h).  I'm just 
wondering what Verizon is DOING that they are screwing up their own DNS 
traffic.  If they were capturing my queries and sending them to their own 
servers (I actually have Google's public facing servers at the top of the list 
handed out by DHCP) that would be one thing (irritating to be sure, but they 
aren't, so it's not), but when I'm explicitly hitting a name server down the 
street in Reston that VZ run and it's failing the same way?  It makes me wonder.

Jamie

> -Original Message-
> From: Robert E. Seastrom [mailto:r...@seastrom.com]
> Sent: Monday, January 23, 2012 6:21 AM
> To: Christopher Morrow
> Cc: nanog group
> Subject: Re: VZ FiOS DNS issues:
> 
> 
> Christopher Morrow  writes:
> 
> > On Sun, Jan 22, 2012 at 11:29 AM, Brandon Kim
> >  wrote:
> >>
> >> I have FIOS and I have no issues. However I do know awhile back they
> had issues and I was affected by
> >> the outage
> >>
> >> Maybe it hasn't made its way to me yet
> >>
> >
> > there have been instances over the time i've been a fios customer
> that
> > 'upgrades' to devices in the field have caused this problem (last was
> > ~2wks ago? in the washington, dc area).
> >
> > Could be you are seeing this problem affecting you :(
> 
> I'm a FIOS customer (LATA 246 not 236 like Chris), and haven't had any
> issues with the network.  On the other hand, between my location and
> the fact that I'm on an old BPON build, perhaps the software upgrades
> haven't affected me.  To further complicate things, ever suspicious of
> ISP nameservers that don't do DNSSEC validation and monetize rcode 3,
> and not a fan of the Actiontec boxes that Verizon hands out I run my
> own caching nameserver (hand-built openbsd+pf on embedded hardware
> with latest bind or unbound and isc dhcpd).
> 
> Do things magically start working for you if you hard-code 8.8.8.8 or
> 4.2.2.1 or one of the other usual suspects?  That would seem to be a
> quick way of narrowing it down a bit.
> 
> -r
> 
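As an added illustration of the diagnosis in the two posts above (the ICMP path to the resolver works while port 53 times out), here is a small Python probe that is not part of the thread: it builds a raw RFC 1035 query, sends it to each resolver over UDP/53 and TCP/53 with the same 2-second timeout nslookup used, and reports a per-transport timeout separately from a parsed answer. The resolver addresses are the two from the thread; everything else is constructed for this example.

```python
import secrets
import socket
import struct
from typing import Dict, List, Optional

RESOLVERS = ["71.252.0.12", "8.8.8.8"]  # the two resolvers tried in the thread
TIMEOUT = 2.0                           # same per-query timeout nslookup reported

def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Encode a one-question DNS query: RFC 1035 header, QNAME labels, QTYPE, QCLASS=IN."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)  # unpredictable ID: a stray or spoofed reply is unlikely to match
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags RD=1, QDCOUNT=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a domain name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a two-byte pointer ends the name
            return off + 2
        off += 1 + length

def parse_response(msg: bytes) -> Dict:
    """Decode the header and collect A-record addresses from the answer section."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    out = {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
           "rcode": flags & 0x000F, "ancount": an, "addresses": []}
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = _skip_name(msg, off) + 4
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            out["addresses"].append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return out

def _check(query: bytes, reply: bytes) -> Dict:
    """Accept a reply only if its transaction ID matches the query we sent."""
    parsed = parse_response(reply)
    if parsed["id"] != struct.unpack("!H", query[:2])[0]:
        return {"ok": False, "reason": "transaction id mismatch"}
    return {"ok": parsed["rcode"] == 0, "rcode": parsed["rcode"], "addresses": parsed["addresses"]}

def udp_probe(server: str, name: str, timeout: float = TIMEOUT) -> Dict:
    """Send the query on UDP/53; a timeout here is what nslookup printed in the thread."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (server, 53))
            reply, _ = s.recvfrom(4096)
        except OSError as exc:  # socket.timeout is an OSError subclass
            return {"ok": False, "reason": type(exc).__name__}
    return _check(query, reply)

def _recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            raise OSError("connection closed early")
        buf += chunk
    return buf

def tcp_probe(server: str, name: str, timeout: float = TIMEOUT) -> Dict:
    """Same query on TCP/53 (two-byte length prefix); tells a UDP-only filter from a dead path."""
    query = build_query(name)
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", _recv_exact(s, 2))
            reply = _recv_exact(s, length)
    except OSError as exc:
        return {"ok": False, "reason": type(exc).__name__}
    return _check(query, reply)

def probe_all(servers: List[str], name: str = "www.google.com") -> Dict[str, Dict]:
    """Probe each resolver over both transports; the ICMP path (tracert) is checked separately."""
    return {srv: {"udp": udp_probe(srv, name), "tcp": tcp_probe(srv, name)} for srv in servers}

if __name__ == "__main__":
    for server, result in probe_all(RESOLVERS).items():
        print(server, result)
```

If UDP and TCP both time out to every resolver while the traceroute completes, port 53 is being dropped somewhere on the path rather than the resolver being down; a TCP answer with a UDP timeout points at UDP-specific filtering or loss.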




RE: Programmers with network engineering skills

2012-02-28 Thread Jamie Bowden

William Herrin [mailto:b...@herrin.us]
> On Mon, Feb 27, 2012 at 3:22 PM, Owen DeLong  wrote:
> > On Feb 27, 2012, at 12:02 PM, Brandt, Ralph wrote:
> >> Generalists are hard to come by these days.
> >
> > I think you're more likely to find a network engineer with (possibly
> limited)
> > programming skills.
> 
> I wish. For the past three months I've been trying to find a network
> engineer with a deep TCP/IP protocol understanding, network security
> expertise, some Linux experience, minor programming skill with sockets
> and a TS/SCI clearance.
> 
> The clearance is killing me. The two generalists didn't have a
> clearance and the cleared applicants are programmers or admins but
> never both.

Hey now...the time from zero to TS/SCI has gone from over half a decade to a 
mere quarter decade.  You can totally pay these guys to sit around doing drudge 
work while their skills atrophy in the interim.  Of course, if you need a poly 
on top, add some more time and stir continually while applying heat.

Jamie



RE: Verizon, FiOS, and CLEC/UNE orders (was AT&T diversity)

2012-03-22 Thread Jamie Bowden


> From: William Herrin [mailto:b...@herrin.us]
> On Thu, Mar 22, 2012 at 10:18 AM, Robert E. Seastrom 
> wrote:
> > Jimmy Hess  writes:
> >
> >> Seems like a waste for VZ not to reclaim it so it can be
> >> recycled/put to good use.
> >
> > To put some numbers with this statement (which I agree with btw):
> >
> > OSP cable is commonly available composed of 19 AWG, 22 AWG, 24 AWG,
> > and 26 AWG pairs.  19 and 26 are outliers; 19 is for low pair count
> > cables going extra long distances and 26 is only good for quite short
> > distances (CO/SLC to customer) but Superior Essex makes a 3000 pair
> > cable in #26 (22 and 24 max out at 900 and 1800 pair, at least on the
> > spec sheet I have handy).
> >
> > Most of the cable out there is 22 or 24.  Solid #22 and #24
> > (uninsulated) copper wire weighs 1.95 and 1.23 pounds per 1000 feet
> > respectively.  That's without the insulation, and only one wire, not
> > a pair.
> >
> > I found scrap pricing for "telco" (obviously the contaminant ratios
> > out there are different for different types of copper) at
> > $1.20/pound, which may or may not be current, but if you figure a
> > single pair of #24 is probably around 4 pounds per 1000 feet scrap
> > weight...  if an average loop is, say, 5000 feet, you can see where
> > there is substantial incentive to recycle all the 600 pair that you
> > have lying around.
> 
> Hi Robert,
> 
> That depends on the cost of recovering it. We're not talking about
> salvage operators pulling cable, we're talking about highly trained
> [sic] Verizon installers.
> 
> The last 4 pairs in use on that 3000 count cable will tend to linger a
> long, long time before you can go remove it. Mostly you'll recover
> short runs of low-count cable like the fifty-foot two and six pair
> cables from the street to the house: maybe $3 in scrap. How many
> dollars worth of time will the installer bill Verizon for recovering
> it?

If it means they're shutting down the CLECs in the process?  I suspect it's 
worth quite a bit of installer billable time...

Jamie



RE: Most energy efficient (home) setup

2012-04-16 Thread Jamie Bowden

> From: Joe Greco [mailto:jgr...@ns.sol.net]

> I'd have to say that that's been the experience here as well, ECC is
> great, yes, but it just doesn't seem to be something that is
> "absolutely
> vital" on an ongoing basis, as some of the other posters here have
> implied, to correct the constant bit errors that are(n't) showing up.
> 
> Maybe I'll get bored one of these days and find some devtools to stick
> on one of the Macs.

In all the years I've been playing with high end hardware, the best sample 
machine I have is an SGI Origin 200 that I had in production for over ten 
years, with the only downtime during that time being once to add more memory, 
once to replace a failed drive, once to move the rack and the occasional OS 
upgrade (I tended to skip a 6.5.x release or two between updates, and after 
6.5.30 there were of course no more).  That machine was down less than 24 hours 
cumulative for that entire period.  In that ten year span, I saw TWO ECC parity 
errors (both single bit correctable).  On any machine that saw regular ECC 
errors, it was a sign of failing hardware (usually, but not necessarily, the 
memory; there are other parts in there that have to carry that data too).

As much as I prefer ECC, it's not a show stopper for me if it's not there.

Jamie



RE: Commerical Backup Solutions

2012-05-18 Thread Jamie Bowden
BackupExec was a Seagate product Symantec bought prior to their purchase of 
Veritas.  I've been using NetBackup for over a decade now (originally in Irix 
and Solaris heavy environments, but these days on Windows and Linux for the 
most part). Symantec are a pain in the ass to deal with, but the core NetBackup 
functionality is still stable and reliable (and BackupExec has been brought 
into parity in many ways with NetBackup over the years, but still lacks some 
features and functions its bigger brother handles).  The master server role can 
be anywhere in your topology and the media server role is separated out and can 
exist across multiple hosts and locations.  Management can be done from any 
approved host running the management console software.  Tivoli and Legato are 
pretty similar in features, functionality, and expense, though I wouldn't 
wish Legato on anyone.

-- 
Jamie Bowden(ja...@photon.com)
Sr. Sys. Admin. (703) 243-6613 x3848
Photon Research Associates, Inc.
1616 Fort Myer Drive, Suite 1000
Arlington, VA 22209


> -Original Message-
> From: Josh Baird [mailto:joshba...@gmail.com]
> Sent: Thursday, May 17, 2012 8:02 PM
> To: Thomas York
> Cc: nanog@nanog.org
> Subject: Re: Commerical Backup Solutions
> 
> We have used Symantec's BackupExec (Veritas) in several locations but
> have standardized on IBM's Tivoli Storage Manager (TSM).  Not a fan of
> IBM, but it works, and it works well.  Be prepared to drop some
> serious coin, though.  We currently use it to do tape backups for over
> 800+ servers (Linux, AIX, Windows).
> 
> Josh
> 
> On Thu, May 17, 2012 at 7:08 PM, Thomas York 
> wrote:
> > We use Barracuda Yosemite backup with about 10 locations all over the
> > world, using disk to disk (single disks via esata and to SANs) and
> > disk to tape (both libraries and single drives). Very rarely do we have
> > issues. Barracuda support isn't as good as Yosemite's (Barracuda bought
> > them) but still not bad. Also, the site wide license is a steal! Get a
> > demo, it might fit the bill.
> >
> > --Thomas York
> > On May 17, 2012 6:59 PM, "Mike Lyon"  wrote:
> >
> >> We used Acronis and it was a nightmare as was their off-shored
> >> support model. Never again... Wouldn't touch them with a 10 foot pole.
> >>
> >> Switched to Iron Mountain LiveVault which backs everything up over
> >> the wire. It has basic reporting functions but not extremely granular.
> >> http://ironmountain.com/services/democenter/livevault/player.html
> >>
> >> Barracuda also seems to have a nice product. Though, i've never used
> >> it: http://www.barracudanetworks.com/ns/products/backup_overview.php
> >>
> >> -Mike
> >>
> >> On Thu, May 17, 2012 at 3:53 PM, Paul Stewart 
> >> wrote:
> >>
> >> > Hey folks.
> >> >
> >> > I'm hoping for some input from operational folks on backup
> >> > solutions for servers.  We are looking for a commercial backup
> >> > solution with a nice reporting dashboard etc.
> >> >
> >> > It must support full/incremental backups on Windows and various
> >> > flavors of Linux.  We would also be looking for bare metal
> >> > image/recovery abilities.
> >> >
> >> > To date, we've been fond of Acronis until we got the quote for it ..
> >> > Initially we would be looking at 50-80 servers and growing it up
> >> > from there to probably 150-200 boxes.  Some of these servers are
> >> > geographically dispersed.
> >> >
> >> > At the moment we have been using Bacula but it lacks bare metal
> >> > options and doesn't have any nice reporting options (Executive
> >> > Dashboard etc)
> >> >
> >> > Thanks for any input,
> >> >
> >> > Paul
> >> >
> >>
> >>
> >> --
> >> Mike Lyon
> >> 408-621-4826
> >> mike.l...@gmail.com
> >>
> >> http://www.linkedin.com/in/mlyon
> >>




RE: Current IPv6 state of US Mobile Phone Carriers

2012-05-23 Thread Jamie Bowden
> From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
> On Tue, May 22, 2012 at 10:07 PM, Randy Carpenter
>  wrote:
> >
> > Not only does Verizon *not* have IPv6 on their LTE network, they also
> > do *not* have IPv4, except for double-NATed rfc1918 crap that changes
> > your IP address every couple minutes. The only way to get a stable
> > connection is to pay them $500 to get a static public IP address.
> >
> 
> weird, I could swear someone in my office with a galaxy-nexus-on-vzw
> was able to browse some ipv6-only sites.


My Moto Droid RAZR is most definitely IPv6 over LTE.

Jamie



RE: EBAY and AMAZON

2012-06-12 Thread Jamie Bowden
Apologies for lack of attribution beyond the first level, but the previous 
poster removed that.

> From: Keith Medcalf [mailto:kmedc...@dessus.com]
> 
> > Windows security sucks.
> 
> The real problem with Windows is that there exist folks who believe
> that it is, or can be, secured.  They believe the six-colour glossy,
> the Gartner Reports, and other (manufacturers') propaganda.  As a
> consequence they do not act in a fashion which will keep them safe.

While MS may be a favorite whipping boy, let's not pretend that if the dominant 
OS were Apple or some flavor of *nix, things would be any better.  Those OS's 
are no more secure than a Windows box once you plug a few hundred million 
people into their consoles.

Jamie



RE: EBAY and AMAZON

2012-06-12 Thread Jamie Bowden
> From: Michael R. Wayne [mailto:wa...@staff.msen.com]


> On Tue, Jun 12, 2012 at 11:44:44AM +, Jamie Bowden wrote:

> > While MS may be a favorite whipping boy, let's not pretend that if
> > the dominant OS were Apple or some flavor of *nix, things would be any
> > better.

> There is an inherent advantage for anything based upon *BSD.  It
> was developed in an environment where in order to continue to operate
> it was required to defend itself against many users who wished to
> exploit the O/S. Windows, being designed for a single-user environment,
> made a number of design decisions which directly conflict with
> security.

I've been running FBSD since 1994, so I'm well aware of the development model, 
thanks.  The *BSDs and Linux have all had their share of holes in them and more 
still continue to be found.  The only thing saving them is lack of market 
share.  Apple's increasing market share is a nice demonstration of this at work.

As far as securing Windows, it can be done, and done well, but it requires 
policy enforcement at the hardware and personnel level, and that doesn't change 
no matter what OS you're running.  I have hardened Windows systems, and they 
are no more of a pain in the ass to use than the hardened *nix systems.  When DSS 
is done with them, all OS's suck to use.

Jamie



RE: Update from the NANOG Communications Committee regarding recent off-topic posts

2012-08-02 Thread Jamie Bowden
What's an order of magnitude between friends?

Very occasionally yours,

-- 
Jamie Bowden(ja...@photon.com)
Sr. Sys. Admin. (703) 243-6613 x3848
Photon Research Associates, Inc.
1616 Fort Myer Drive, Suite 1000
Arlington, VA 22209

> -Original Message-
> From: valdis.kletni...@vt.edu [mailto:valdis.kletni...@vt.edu]
> Sent: Thursday, August 02, 2012 4:56 PM
> To: Robert Drake
> Cc: nanog@nanog.org
> Subject: Re: Update from the NANOG Communications Committee regarding
> recent off-topic posts
> 
> On Thu, 02 Aug 2012 16:25:56 -0400, Robert Drake said:
> 
> > Percentages:  5804/54166=1% of posts from low contributors.
> 
> I suspect you fat-fingered something -  I get 10.7%, not 1%, for that
> calculation...




RE: Verizon's New Repair Method: Plastic Garbage Bags

2012-08-22 Thread Jamie Bowden
> From: Eric Wieling [mailto:ewiel...@nyigc.com]

> The garbage bags have been on that pole for at least 6+ months.
> 
> What will end up happening is what happens every time something like
> this happens.  We call in trouble tickets for months until we can get
> the issue labeled chronic, then we get a "Class 1 inspection", then
> they fix it.   One issue is that to get it labeled chronic there needs
> to be three tickets opened within a month.  VZ's temp fix often works
> long enough that we can't get enough tickets in within a month.

You don't have a hose?

Jamie



RE: Verizon IPv6 LTE

2012-09-21 Thread Jamie Bowden
> Justin M. Streiner 
> On Thu, 20 Sep 2012, TJ wrote:
> 
> > My understanding, and experience (albeit with Android), is that all
> > VZW LTE is IPv6-capable.
> >
> > I'd love to hear if Apple or VZW is at fault here, or if something
> > weird is happening ...
> 
> I don't know about Apple devices on VZW, but my Android phone
> definitely has IPv6 connectivity on VZW 4G LTE in Pittsburgh.

Same in the DC Metro area.  My RAZR is all v6 all the time on LTE.

Jamie



RE: guys != gender neutral

2012-09-28 Thread Jamie Bowden
> From: Otis L. Surratt, Jr. [mailto:o...@ocosa.com]

> As Owen mentioned saying "human" seems okay and true but then again,
> because it's not the norm it raises some question. (Internal thinking
> process, "Oh I'm a HUMAN, well I that is true" then your
> temperature gets back to normal) :)

Listen up you prehistoric screwheads...

Jamie


RE: Orange IP address ranges

2012-11-19 Thread Jamie Bowden
Actually, this is kind of an interesting aside.  Last time I checked, Canada 
counts as North America and large parts of Quebec are inhabited by folks who 
don't speak much, if any, English.  Having said that, I can't recall having 
seen any Quebecois posting in French here, but I find it hard to believe those 
folks don't have use for a list like this.

-- 
Jamie Bowden(ja...@photon.com)
Sr. Sys. Admin. (703) 243-6613 x3848
Photon Research Associates, Inc.
1616 Fort Myer Drive, Suite 1000
Arlington, VA 22209

> -Original Message-
> From: Pierre-Yves Maunier [mailto:na...@maunier.org]
> Sent: Monday, November 19, 2012 11:59 AM
> To: jipe foo
> Cc: NANOG list
> Subject: Re: Orange IP address ranges
> 
> Hi,
> 
> I think few people understand French on this list. You should try
> FRnOG.
> 
> Pierre-Yves Maunier
> 
> 
> On 19 November 2012 at 17:48, jipe foo  wrote:
> 
> > Hello all,
> >
> > Could someone from Orange (or elsewhere) give me more information on the
> > following address ranges:
> >
> > inetnum:        81.253.0.0 - 81.253.95.255
> > netname:        ORANGE-FRANCE-HSIAB
> > descr:          Orange France / Wanadoo service
> > country:        FR
> > admin-c:        AR10027-RIPE
> > tech-c:         ER1049-RIPE
> >
> > inetnum:        90.96.0.0 - 90.96.199.255
> > netname:        ORANGEFRANCE-WFP
> > descr:          Orange France - WFP
> > country:        FR
> > admin-c:        ER1049-RIPE
> > tech-c:         ER1049-RIPE
> >
> > Are these address ranges for mobiles, Livebox units, or shared WiFi
> > connections (at least for the second one)?
> >
> > Thanks in advance,
> >
> > --
> > J
> >
> 
> 
> 
> --
> Pierre-Yves Maunier



RE: Scotland ccTLD?

2014-09-16 Thread Jamie Bowden
> From: David Conrad

> Clearly the right answer here is either .SW or perhaps just .WH (since a
> whisky from a place other than Scotland is obviously just wrong ... :))

I believe the Irish monks who invented the stuff might beg to differ, but 
really, we're talking about an oil rich nation being repressed by a despotic 
monarchy, why the hell haven't we invaded already?

Jamie


RE: Linux: concerns over systemd adoption and Debian's decision to switch

2014-10-22 Thread Jamie Bowden
> From: Bryan Tong


> The final fact is that bash itself is a dirty language that developers hate
> and system administrators love.

Excuse me?  I've been administering systems for over twenty years now and I 
can't say that I've ever even once chosen to use bash over any alternative; no 
matter how much that alternative might suck, bash sucks more.  Your Linux 
addicts who've never used another flavor of Unix may be addicted to bash, but 
there's no helping some people.

Jamie


RE: Security over SONET/SDH

2013-06-24 Thread Jamie Bowden
> -Original Message-
> From: Scott Weeks [mailto:sur...@mauigateway.com]
>  joe...@bogus.com wrote: 
> From: joel jaeggli 
> 
> > That's why I'm trying to follow up on the original question.  Is
> > there something similar the global public can use to secure their
> > connections that is not government designed.  This is even more
> > important on microwave shots when security is desired.
> 
> :: plenty of standardized RF link-layers support strong encryption.
> 
> 
> 
> Ah, thanks.  That comment gave me the search terms I needed,
> but I keep seeing sentences like this "Due to the encryption
> employed in these products, they are export controlled items and
> are regulated by the Bureau of Industry and Security (BIS) of the
> U.S. Department of Commerce. They may not be exported or shipped
> for re-export to restricted countries..."  wheee! :-)

Actually, you CAN do that, but you have to apply for ITAR exceptions.  EXIM is 
complex and you really want a good legal team who are familiar with it hand 
holding you through it (and on extended retainer going forward...).

Jamie


RE: IPMI vulnerabilities

2013-07-02 Thread Jamie Bowden
> From: Jeroen Massar [mailto:jer...@massar.ch]
> On 2013-07-02 16:51 , Steven Bellovin wrote:
> > http://www.wired.com/threatlevel/2013/07/ipmi/
> >
> > Capsule summary: watch out!
> 
> Indeed! But it should be logical, as IPMI is supposed to be for OOB
> access right? :)
> 
> Anybody not putting them behind a properly restricted firewall and/or
> VLAN is asking for issues... typical IPMI boxes run outdated linux
> kernels, with nice outdated userspace and a whole lot of tools that one
> can not really restrict access to, thus it is quite silly to have that
> access open to the public.

That same reasoning has worked wonders at keeping SCADA systems off the public 
internet too.

Jamie



RE: subrate SFP?

2013-08-30 Thread Jamie Bowden
> From: Saku Ytti [mailto:s...@ytti.fi]


> I got quite a bit of replies from sellers selling me cuSFP, insisting they
> work.
> 
> So I'd like to clear up on this. For 10/100 to work on SFP slot, the PHY in
> the host needs to be multirate. Exception is SGMII which supposedly
> supports magic mode where SFP can ask it to send same bit 10 times, then
> SFP can discard 9/10 bits, to remain very dumb yet deliver 100M client on
> 1GE host.
> 
> RGMII does not support this trick and this trick does not bring you down to
> 10M. One box that we have right now, which can't do any of this is ME-4924.
> 
> There is absolutely no reason that you couldn't deliver 'media converter'
> or '2 port switch' in a SFP casing, to get that 1 10/100 port in every
> 4500-X or EX4550 port you need to cater some legacy. If my desire is odd (2
> people have expressed off list they want same) this won't be built. But if
> this is somewhat common demand and missing product, we can certainly get
> such SFP built.
> 
> Obviously this SFP would cost a bit more than normal cuSFP, as it needs to do
> rudimentary buffering, packet dropping and it needs to have frame parser.

Considering that Dell and HP at least are shipping brand new hardware with 
IPMI/BMC/iLO/whatever management ports that can only speak 100mbit when every 
other Ethernet interface in the box is at least gigabit, having a useful way to 
talk to that port without having to keep separate switching hardware around 
would be nice.  I'm not holding my breath, but you know, along with a pony, 
this would be nice.

Jamie


RE: Network configuration archiving

2013-10-28 Thread Jamie Bowden
> From: Ricky Beam [mailto:jfb...@gmail.com]
> On Fri, 25 Oct 2013 08:08:44 -0400, Michael Kehoe
>  wrote:
> > As far as I'm aware (someone please correct me if I'm wrong), but Cisco
> > is the only vendor that supports this.
> 
> Ascend did as well.  I used to backup the MAX-TNT's via snmp.

Made them easier to recover after they caught on fire?

Jamie



RE: turning on comcast v6

2013-12-20 Thread Jamie Bowden
> From: Owen DeLong [mailto:o...@delong.com]

> I'm almost afraid to ask about the phrase "add-default-route=yes" in the
> dhcp-client configuration. That seems wrong on the face of it since you
> should be getting your routing information from RA and not DHCP.

No, no, no, a thousand times no.  I'm sure RA is great for small SOHO networks 
and for ISPs as a means to hand out resources, but in a corporate environment, 
we hate you.  How many times do the IPv6 people have to hear that until DHCPv6 
reaches feature parity with DHCPv4, IPv6 is dead to enterprise networks?

Jamie



RE: turning on comcast v6

2013-12-20 Thread Jamie Bowden
> From: Lee Howard [mailto:l...@asgard.org]
> On 12/20/13 7:36 AM, "Jamie Bowden"  wrote:
> >> From: Owen DeLong [mailto:o...@delong.com]


> >> I'm almost afraid to ask about the phrase "add-default-route=yes" in the
> >> dhcp-client configuration. That seems wrong on the face of it since you
> >> should be getting your routing information from RA and not DHCP.

> >No, no, no, a thousand times no.  I'm sure RA is great for small SOHO
> >networks and for ISPs as a means to hand out resources, but in a
> >corporate environment, we hate you.  How many times do the IPv6 people
> >have to hear that until DHCPv6 reaches feature parity with DHCPv4, IPv6
> >is dead to enterprise networks?


> "Parity" isn't enough information; what features are missing?  RA is part
> of IPv6, but you don't have to use SLAAC.
> I'd say it's the DHC people who need to hear it, not the IPv6 people, but
> YMMV.

I have a question.  Why does DHCP hand out router, net mask, broadcast address, 
etc. in IPv4; why don't we all just use RIP and be done with it?

You don't have to like how enterprise networks are built, but you better 
acknowledge that they are their own animal that have their own needs and 
drivers, and telling them that the way their networks are built is wrong and 
they need to change their whole architecture, separation of service, security 
model, etc. to fit your idea of perfection isn't winning friends.  You are, 
however, influencing people.  Perhaps not in the manner you intended.

Jamie



RE: FBI tells the public to call their ISP for help

2007-06-15 Thread Jamie Bowden

 
That AD mumbo jumbo you blow off so blithely is HOW you get clients to
use WSUS instead of whichever random IP Microsoft is pointing at today
for updates.  It requires Group Policy settings, and unless you want to
force all your customers to make their machines part of an AD domain,
which most can't join even if they were willing since they're running
consumer machines with XP Home on them, you can't force them to use your
local server.

Jamie Bowden
-- 
"It was half way to Rivendell when the drugs began to take hold"
Hunter S Tolkien "Fear and Loathing in Barad Dur"
Iain Bowen <[EMAIL PROTECTED]>

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Jeroen Massar
Sent: Thursday, June 14, 2007 3:14 PM
To: Patrick W. Gilmore
Cc: nanog@nanog.org
Subject: Re: FBI tells the public to call their ISP for help

Patrick W. Gilmore wrote:
[...]
> That said, the majority of compromised computers do run some flavor of
> Redmond-Ware.  (One can argue about the underlying cause - market
> share, quality of software, virus writer's preference, whatever - but
> the fact still stands that most compromised computers run Windows.)  So
> getting a "windows update sandbox" would be very useful.

You want to have a look at:
http://technet.microsoft.com/en-us/wsus/

8<
Microsoft Windows Server Update Services

Microsoft Windows Server Update Services (WSUS) enables information
technology administrators to deploy the latest Microsoft product updates
to computers running the Windows operating system. By using WSUS,
administrators can fully manage the distribution of updates that are
released through Microsoft Update to computers in their network.
->8

Which is used in large organizations to deploy patches with ease.
Requires some AD mumbojumbo of course.

Really the information is out there, google knows, so can you :)

Greets,
 Jeroen



RE: The Choice: IPv4 Exhaustion or Transition to IPv6

2007-06-29 Thread Jamie Bowden


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Kevin Oberman
Sent: Thursday, June 28, 2007 1:15 PM
To: Stephen Wilcox
Cc: John Curran; nanog@nanog.org
Subject: Re: The Choice: IPv4 Exhaustion or Transition to IPv6 

> Date: Thu, 28 Jun 2007 17:42:47 +0100
> From: Stephen Wilcox <[EMAIL PROTECTED]>
> Sender: [EMAIL PROTECTED]
> 
> 
> Hi John,
>  I wasnt specifically thinking of reclamation of space, I was noting a
>  couple of things:
> 
> - that less than 50% of the v4 space is currently routed. scarcity
>   will presumably cause these non-routed blocks to be:
>  :- used and routed
>  :- reclaimed and reassigned
>  :- sold on

Some of it, but a large part of the "missing" space belongs to the US
Government, mostly the military. It is very much in use and is routed
carefully such that it does not show up in the public Internet. It might
be replaced with RFC1918 space, but I'm not sure that there is enough
1918 space to do the job as the address space needed is quite large.

Also, some is used where 1918 space certainly could be used, but I have
spoken with those responsible to ask them to move to 1918 space and the
answer is an unequivocal "NO", not now or ever. I don't understand this,
but I know it exists. One research lab has multiple /16s and several are
used by classified nets that lack any external connectivity.

While these are wasted, getting them back is essentially impossible.

---

Sorry for the horrid formatting, but LookOut is corp. standard.

As for your claim that these are wasted, I take issue with this.  I have
connectivity to several different classified networks, and all of them
are segregated, but they DO have gateways so that specific things can
pass between them.  There isn't enough 1918 space to reconcile the
number of .gov and contractor sites on these networks without hitting
collisions, and they can't be aggregated despite overlap (like I said at
the beginning, we have several coming in...) because they aren't all at
the same classification level (which is why they have strictly
controlled gateways between them).

Jamie Bowden
-- 
"It was half way to Rivendell when the drugs began to take hold"
Hunter S Tolkien "Fear and Loathing in Barad Dur"
Iain Bowen <[EMAIL PROTECTED]>


RE: just seen my first IPv6 network abuse scan, is this the startfor more?

2010-09-07 Thread Jamie Bowden
Forgive the top posting, but Lookout is the corporate standard.

Now, on to the topic at hand.  Why would you scan the address space in
the first place?  Wouldn't it be easier to compromise a known host and
look at the ARP table?  Or better yet, the router on the edge?  If it's
moving packets, something on the network has mapped the MAC address to
its IP at some point.

Jamie

-Original Message-
From: Dobbins, Roland [mailto:rdobb...@arbor.net] 
Sent: Friday, September 03, 2010 3:42 PM
To: NANOG list
Subject: Re: just seen my first IPv6 network abuse scan, is this the
startfor more?


On Sep 4, 2010, at 12:19 AM, Steven Bellovin wrote:

> See http://www.cs.columbia.edu/~smb/papers/v6worms.pdf

I've seen it and concur with regards to worms (which don't seem to be
very popular, right now, excepting the 'background radiation' of old
Code Red, Nimda, Blaster, Nachi, SQL Slammer, et. al. hosts).  I believe
that hinted scanning is still viable, and I'd argue that the experience
of the OP who kicked off this thread is an indication of same.

---
Roland Dobbins  // 

   Sell your computer and buy a guitar.








RE: Did Internet Founders Actually Anticipate Paid, PrioritizedTraffic?

2010-09-13 Thread Jamie Bowden
I was thinking more along the lines of the fact that I pay for access at home, 
my employer pays for access here at work, and Google, Apple, etc. pay for 
access (unless they've moved into the DFZ, which only happens when it's 
beneficial for all players that you're there).  Why should we pay extra for 
what we're already supposed to be getting?  If the ISPs can't deliver what 
we're already paying for, they're broken.

Jamie

-Original Message-
From: Julien Gormotte [mailto:jul...@gormotte.info] 
Sent: Monday, September 13, 2010 9:40 AM
To: Rodrick Brown
Cc: nanog@nanog.org
Subject: Re: Did Internet Founders Actually Anticipate Paid, PrioritizedTraffic?

On Mon, 13 Sep 2010 09:28:09 -0400, Rodrick Brown
 wrote:
> Its unrealistic to believe payment for priority access isn't going to
> happen this model is used for many other outlets today I'm not sure why
> so many are against it when it comes to net access. 

Because of net neutrality ?




RE: Active Directory requires Microsoft DNS?

2010-09-20 Thread Jamie Bowden
Our Corporate Overlords run DNS on a mixed environment of Windows and
Other (mostly other).  Back when we were still a small company, we moved
our DNS from BIND to Windows for ease of administration.  It CAN be
done, but it's a huge PITA since AD does things in DNS that aren't
standard (and in fact, violate it willfully and knowingly to make MS
Kerberos bits happy).  I had my Unix servers acting as secondary servers
to serve their clients off the AD primary servers, and that worked just
fine.  Windows Server 2003 and later are extremely stable and we've had
no issues with them taking over DNS duties (I've long since just pointed
all my Unix boxes at the Windows servers for DNS since the Windows
servers have been so stable and reliable).

Jamie

-Original Message-
From: Tom Mikelson [mailto:tmikel...@gmail.com] 
Sent: Monday, September 20, 2010 10:05 AM
To: nanog@nanog.org
Subject: Active Directory requires Microsoft DNS?

Presently our organization utilizes BIND for DNS services, with the
Networking team administering.  We are now being told by the Systems team
that they will be responsible for DNS services and that it will be changed
over to the Microsoft DNS service run on domain controllers.  The reason
given is that the Active Directory implementation requires the Microsoft
DNS service and dynamic DNS.  Not being a Microsoft administrator I do not
know the veracity of these claims.  Anyone out there had any experiences
with a situation like this?  I am a bit leery of changing something that
is already working.



RE: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP space (IPv6-MW)]

2009-02-06 Thread Jamie Bowden
Five things?  Really?  My DHCP server hands out the following things to
its clients:

Default Route
DNS Servers
Log host
Domain Name (or, in our case, the sub-domain for the office)
NIS Domain
NIS Servers
NTP Server
WINS Servers
SMTP Server
POP Server
NNTP Server
Domain suffix search orders.

All these useful and handy things that my Windows, Unix (Irix and
Solaris), Linux, and FreeBSD clients all need some portion of, in one
place where I configure and control it.

Static reservations are handled here as well and it ties into the DNS
servers to dynamically update forward and reverse as needed (which is
rare since even non static allocations don't tend to change).

Having to deal with configuration and control of this in multiple places
is only going to make the sysadmins of the world hate you.  I don't work
in an ISP anymore, and I haven't had to deal with BGP/OSPF in almost a
decade now other than for some minor internal routing, but you know
what?  I still have a network with several hundred hosts on it that have
to be managed, and DHCP makes life easy for a large chunk of it.

We're just one little piece of a larger pie.  Our Corporate Overlords
are eighty thousand users on seven continents with far more than a 1:1
end user to host ratio.

Jamie

-Original Message-
From: Iljitsch van Beijnum [mailto:iljit...@muada.com] 
Sent: Thursday, February 05, 2009 5:42 PM
To: Ricky Beam
Cc: NANOG list
Subject: Re: v6 & DSL / Cable modems [was: Private use of non-RFC1918 IP
space (IPv6-MW)]

On 5 feb 2009, at 22:44, Ricky Beam wrote:

>> A single /64 isn't enough for a home user, because their gateway is  
>> a router and needs a different prefix at both sides. Users may also  
>> want to subnet their own network. So they need at least something  
>> like a /60.

> Mr. van B, your comments would be laughable if they weren't so  
> absurdly horrific.

That doesn't change the fact that users would be quite constrained by  
only having a /64 for their internal network.

> I've lived quite productively behind a single IPv4 address for  
> nearly 15 years.

So you were already doing NAT in 1994? Then you were ahead of the curve.

> I've run 1000 user networks that only used one IPv4 address for all  
> of them.

But how is that relevant for the discussion at hand? Is your point  
that if 1000 users can share an IPv4 address, 1000 users should share  
an IPv6 address?

How would that make sense? Sharing addresses comes with significant  
downsides. (Like having to port map services running on hosts on the  
inside.) Sharing one address with 1000 active users comes with even  
more downsides. (There are applications that need more than 64 ports  
so the port number space becomes a limitation.) IPv6 was specifically  
designed to provide an enormous amount of address space, so accepting  
the limitation of using one address for a large number of users means  
foregoing a prime feature of IPv6--for no reason that I can see.

> Yet, in the new order, you're telling me I need 18 billion, billion  
> addresses to cover 2 laptops, a Wii, 3 tivos, a router, and an  
> access point?

The logic is like this.

1. You need more than one.

2. You don't want to change the number often (or at all)

3. What is a number that is so large that it will always be enough?

Answer: the size of a MAC address.

4. How large are MAC addresses?

Answer: we have technologies that have 64-bit MAC addresses. So we use  
64 bits to number subnets.

Now of course that seems wasteful, but those 128-bit addresses are  
carried in all packets anyway, and at least with 64-bit subnet sizes  
you get some use out of them because you know subnets are always large  
enough and you get to generate an address from a prefix through a  
function that gives you the same address without requiring anyone to  
remember that address, which is also useful.

Now if you want to argue that IPv6 should have had 48, 53 or 64 bit  
addresses, that's fine. But I have to warn you that that ship sailed  
almost 15 years ago. (My take: they should have been variable length.)

> This is the exact same bull as the /8 allocations in the early  
> days of IPv4.

Oh no. A /8 is only 16777216 addresses. A /48 for an end-user  
organization is 1208925819614629174706176 addresses.

Or, more relevant: a /8 is almost 0.5% of the IPv4 address space. A /48
is 0.0003% of the currently defined global unicast IPv6 address space.

> The idea of the "connected home" is still nowhere near *that*  
> connected;

It took us 15 years to get this far with IPv6. There is no IPv7 on the  
horizon currently, so even if we start that tomorrow we'll have to get  
by with IPv6 (and IPv4...) until about 2024. I'm pretty sure we'll be  
*that* connected by that time.

> no matter how many toys you have in your bathroom, it doesn't need
> a /96 of its own. (which is an entire IPv4 of its own.)

Like I explained, we count "0, 1, many" where the IPv6 definition of  
"many" happens to be 

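As an added worked example (not part of the thread), here is the /64 logic above carried out in Python: building a Modified EUI-64 interface identifier from a MAC address the way a SLAAC host does, checking whether a given address embeds a MAC that way, and counting the addresses in a /8 versus a /48. The MAC and prefix values are constructed sample data.

```python
"""Modified EUI-64 interface IDs (RFC 4291, Appendix A) and prefix sizes.

Added example for the thread above; the MAC and prefix below are
constructed sample values, not addresses from the discussion.
"""
import ipaddress


def eui64_interface_id(mac: str) -> int:
    """Return the 64-bit Modified EUI-64 interface ID for a 48-bit MAC.

    Split the MAC in two, insert 0xFFFE in the middle, and invert the
    universal/local bit (0x02 of the first octet).  The result is the
    "function that gives you the same address" Iljitsch refers to.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip the U/L bit
    return int.from_bytes(eui, "big")


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64 interface ID, as a SLAAC host
    without privacy extensions (RFC 4941) or stable opaque IDs (RFC 7217)
    would do."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 interface IDs require a 64-bit prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))


def is_eui64_derived(addr: str) -> bool:
    """True if the interface ID carries the 0xFFFE marker of an embedded MAC.

    Useful when auditing a subnet: such addresses are stable across
    prefixes and reveal the hardware vendor, which is why RFC 7217 style
    interface IDs are preferred on hosts that should not be trackable.
    """
    iid = int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)
    return iid.to_bytes(8, "big")[3:5] == b"\xff\xfe"


def addresses_in(prefixlen: int, version: int) -> int:
    """Number of addresses covered by a prefix of the given length."""
    total_bits = {4: 32, 6: 128}[version]
    if not 0 <= prefixlen <= total_bits:
        raise ValueError("prefix length out of range")
    return 1 << (total_bits - prefixlen)


if __name__ == "__main__":
    # Constructed sample values (documentation prefix and an arbitrary MAC).
    mac, prefix = "00:1b:21:ab:cd:ef", "2001:db8:1:2::/64"
    addr = slaac_address(prefix, mac)
    print(f"{mac} on {prefix} -> {addr}  (EUI-64 derived: {is_eui64_derived(str(addr))})")
    print(f"IPv4 /8  = {addresses_in(8, 4)} addresses")
    print(f"IPv6 /48 = {addresses_in(48, 6)} addresses")
```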
RE: World famous cabling disasters?

2009-02-11 Thread Jamie Bowden
The main telephone room in every commercial tower I've ever had the
displeasure of spending any time in was a disaster.  I love how the
circuits all use the same color wiring between the 100 pair 66 blocks
that were so covered in crud that just touching them would turn your
fingers black.

The closet(s) next to the elevator shafts on any given floor were more
of the same on a smaller scale.

It's not any particular RBOC, I've seen this same crap in Nynex, Bell
Atlantic, GTE, Bell South, and Pac Bell territory.  I have no doubt that
Southwest Bell, Ameritech and US West sucked just as badly.

You don't have to look far or go to exotic places to find this kind of
thing.  Telco 'techs' are their own special breed of people who will be
up against the wall come the day.

J

-Original Message-
From: Steve Church [mailto:na...@headcandy.org] 
Sent: Wednesday, February 11, 2009 9:08 AM
To: NANOG list
Subject: Re: World famous cabling disasters?

http://images.google.com/images?hl=en&safe=on&q=india+wiring&btnG=Search+Images

There are several results for overhead outdoor wiring that just completely
boggle the mind and inspire awe.  Those pictures are my inspiration
whenever I pull cable.

Steve



On Wed, Feb 11, 2009 at 5:18 AM, Bailey Stephen <
stephen.bai...@uk.fujitsu.com> wrote:

> That's quality engineering
>
> Great pic
>
> Stephen Bailey - Senior Lead Systems Engineer
> Network Operations - ISP & DSL
>
> FUJITSU
> Infinity House, Mallard Way, Crewe Business Park, Crewe, Cheshire, CW1 6ZQ
> Tel: +44 (0) 870 325 3457  or Internally: 7225 3457
> Fax: +44 (0) 870 325 3622  or Internally: 7225 3622
> E-mail: stephen.bai...@uk.fujitsu.com
> Web: http://services.fujitsu.com/
>
>
> Fujitsu Services Limited, Registered in England no 96056, Registered
> Office 22 Baker Street, London, W1U 3BW
>
> This e-mail is only for the use of its intended recipient.  Its contents
> are subject to a duty of confidence and may be privileged.  Fujitsu
> Services does not guarantee that this e-mail has not been intercepted
> and amended or that it is virus-free.
> -Original Message-
> From: Patrick W. Gilmore [mailto:patr...@ianai.net]
> Sent: 11 February 2009 03:30
> To: NANOG list
> Subject: Re: World famous cabling disasters?
>
> On Feb 10, 2009, at 10:16 PM, joe mcguckin wrote:
>
> > I'm looking for a couple of pictures of the worst cabling
> > infrastructure ever seem. One Wilshire meet me room comes to mind.
> > Anyone got any links to their photo albums, etc?
>
> I've always considered this the worst:
>
>
>
> Google shows lots of pictures, such as  p=1836>.
>
> --
> TTFN,
> patrick
>
>
>
>



RE: Outside plant protection, fiber cuts, interwebz down oh noes!

2009-04-13 Thread Jamie Bowden
You forgot the clip board.  Without the clip board, no one will believe
it.

J

-Original Message-
From: Andy Ringsmuth [mailto:andyr...@inebraska.com] 
Sent: Friday, April 10, 2009 1:52 PM
To: Daryl G. Jurbala
Cc: nanog@nanog.org
Subject: Re: Outside plant protection, fiber cuts, interwebz down oh
noes!


On Apr 10, 2009, at 12:37 PM, Daryl G. Jurbala wrote:

>>
>> 3) From what I understand it's not trivial to raise a manhole  
>> cover. Most likely can't be done by one person. Can they be locked?  
>> Or were the carriers simply relying on obscurity/barrier to entry?
>
>
> Your understanding is incorrect.  I'm an average sized guy and I can  
> pull a manhole cover with one hand on the right tool. It might take  
> 2 hands if it hasn't been opened recently and has lots of pebbles  
> and dirt jammed in around it.  It's like everything else: if you  
> know how to do it, and you have the right tool, it's simple.

Agreed.  Manhole covers are very simple to remove.  I don't even need  
any tools.  I've removed countless manhole covers to retrieve balls,  
frisbees, etc., with nothing more than my bare hands.  It's a pretty  
trivial task.

Think about it.  All anyone would need to do is pull up to the  
manhole, set a few orange cones around it, put on an orange vest and a  
hard hat, and crawl on in with your wire cutters and bolt cutter.   
Guaranteed NO ONE will even question it.


-Andy




RE: large organization nameservers sending icmp packets to dns servers.

2007-08-08 Thread Jamie Bowden

Forgive my broken formatting, but LookOut, it's Microsoft! is what we
use, period.

I have a question related to what you posted below, and it's a pretty
simple one:

How is answering a query on TCP/53 any MORE dangerous than answering it
on UDP/53?  Really.  I'd like to know how one of these security nitwits
justifies it.  It's the SAME piece of software answering the query
either way.

Jamie Bowden
-- 
"It was half way to Rivendell when the drugs began to take hold"
Hunter S Tolkien "Fear and Loathing in Barad Dur"
Iain Bowen <[EMAIL PROTECTED]>
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of
Steve Gibbard
Sent: Tuesday, August 07, 2007 6:10 PM
To: Nanog
Subject: Re: large organization nameservers sending icmp packets to dns
servers.


On Tue, 7 Aug 2007, Donald Stahl wrote:

> It has nothing to do with judging how one runs their network or any
> other such nonsense. The RFCs say TCP 53 is fine. If you don't want to
> follow the rules, fine, but have the temerity to admit that it is stupid.

I don't want to wade into this particular argument, which doesn't seem to
be going anywhere useful.  But I think the style of the argument causes
some problems that trickle into network operations, and should be
addressed.

The problem with this argument is that, while it may be entirely correct,
it's unlikely to convince the people who matter.  The people who matter
are the people who write the checks for the networks we work on.

Successful managers (and successful engineers) generally get pretty good
at doing cost benefit analyses.  Since there are many decisions where
there isn't one obvious answer, they learn instead to think in terms of
each choice providing some benefits and having some costs, and doing the
things where the benefits outweigh the costs.

In the firewall case, as Kevin said, there are probably people going to
the decision makers and talking about the importance of keeping things
closed up.  Every open firewall rule, they'll say, creates the potential
for an attack.  Any attack could cause down time, unauthorized sharing of
confidential data, loss of files people have spent the last several years
working on, and more.  Therefore, the cost of an open firewall rule could
potentially be millions of dollars.  The value of any service enabled by a
hole in the firewall had better be more than that.

Is this argument valid?  Maybe not.  But the money people who make the
decisions probably don't have the technical expertise to analyse it.
Even if they suspect that the case for the policy is overstated, they'll
associate some cost with ignoring the advice of their security people, as
they probably should.

So, what's somebody who objects to such an argument to do?

You could go to management and say, "the security people are wrong.  The
standard says we must open more ports.  To not do so would be wrong."
But you may not like the choice this presents management with.  On one
side, they've got you telling them to follow an arbitrary standard,
because not doing so would be wrong.  On the other side, they're being
told that taking your advice could cost millions of dollars.  Losing
millions of dollars as a result of a refusal to heed warnings would
probably get them fired, or worse.  Pointing at an arbitrary standard
after things had gone wrong probably wouldn't get them very far.

Alternatively, you too could start speaking their cost benefit language.
You could assail the security people's cost figures, although at that
point you'd be asking them to distrust other employees and they might
wonder if they should distrust you instead.  Or you could point out the
costs of leaving the port closed, or possible benefits of leaving it open.
If you can tell them that some fraction of their customers aren't able to
get to them because of the closed port, and that those would-be customers
represent some large amount of revenue, you'll show that there's actual
benefit to having the port open.  If that benefit is greater than the
potential loss they're being told about, you might actually win the
argument.  If you have some evidence to back up your numbers, you may have
more credibility, and be able to win the argument with lower numbers.

Or, you may find that you're not as right as you thought you were.  You
may find that what you were advocating doesn't seem to have any concrete
benefit, and that what the other side was saying has some merit.  That may
not happen in this case, but sooner or later you'll probably find one
where it does.

-Steve


RE: quietly....

2011-02-03 Thread Jamie Bowden
I don't mean to rain on your parade here...oh wait, yeah, I do actually.
I have an SGI Indigo (MIPS R3000/25 with 32MB RAM baby, it's a
screamer!) that still runs with no problems.  Show me an eighteen year
old router that's still up and running.  The Dell hardware we ran NT4
Server on for providing DHCP until I replaced it is still as functional
today as it was when it was purchased in 1998.  I have a five year old
Cisco doorstop.  Don't tell me routers are made of magic hardware that
is somehow immune to failure.

Jamie

-Original Message-
From: Jimmy Hess [mailto:mysi...@gmail.com] 
Sent: Wednesday, February 02, 2011 11:48 PM
To: Brandon Butterworth
Cc: nanog@nanog.org
Subject: Re: quietly

On Wed, Feb 2, 2011 at 7:10 PM, Brandon Butterworth
 wrote:
>
> Just need to add default route in there and make dhcpd do RA
> then the user can turn off RA on their routers and not care
> that DHCPv6 doesn't include default router.
>
Having a DHCP server generate RA messages kind of defeats the point of
having RA messages in the first place, resulting in loss of robustness,
and now a new mode of failure.

The point of having RA messages is they are simple, and integrated into
the routers, so there is not a separate server to fail (a "DHCP server")
to cause loss of connectivity, due to server appliances (computers) being
less reliable than routers.

With the RA integrated into the routers properly, clients can maintain
connectivity (and establish connectivity, provided DNS details were
obtained in the past), even if DHCP server(s) should fail.

--
-JH




RE: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-02-03 Thread Jamie Bowden
If you're on a DoD classified network that spans multiple facilities (as
a contractor we only get access to certain ones, and only certain hosts
are allowed to access them).  Self-contained networks are our problem.

Jamie

-Original Message-
From: TJ [mailto:trej...@gmail.com] 
Sent: Thursday, February 03, 2011 10:39 AM
To: NANOG
Subject: Re: Using IPv6 with prefixes shorter than a /64 on a LAN

On Wed, Feb 2, 2011 at 08:11, Jamie Bowden  wrote:

> Our classified networks aren't ever going to be connected to anything
> but themselves either, and they need sane local addressing.  Some of
> them are a single room with a few machines, some of them are entire
> facilities with hundreds of machines, but none of them are going to be
> talking to a router or anything upstream, as neither of those exist on
> said networks.
>

Correct me if I am wrong, but won't classified networks get their
addresses IAW the DoD IPv6 Addressing Plan (using globals)?
/TJ



RE: What's really needed is a routing slot market (was: Using IPv6 with prefixes shorter than a /64 on a LAN)

2011-02-07 Thread Jamie Bowden
It would help if we weren't shipping the routing equivalent of the pre-DNS
/etc/hosts all over the network (it's automated, but it's still the
equivalent).  There has to be a better way to handle routing information
than what's currently being done.  The old voice telephony guys built a
system that built SVCs on the fly from any phone in the world to any
other phone in the world; it (normally) took less than a second for it
to do it between any pair of phones under the NANPA, and only slightly
longer for international outside the US and Canada.  There have to be
things to be learned from there.

Jamie

-Original Message-
From: John Curran [mailto:jcur...@istaff.org] 
Sent: Sunday, February 06, 2011 11:00 AM
To: Mark Andrews
Cc: NANOG list
Subject: What's really needed is a routing slot market (was: Using IPv6
with prefixes shorter than a /64 on a LAN)

On Feb 5, 2011, at 9:40 PM, Mark Andrews wrote:

> What's really needed is to separate the routing slot market from the
> address allocation market.

Bingo! In fact, having an efficient market for obtaining routing of a
given prefix, combined with IPv6's vast identifier space, could actually
satisfy the primary goals that we hold for a long-term scalable address
architecture, and enable doing it in a highly distributed, automatable
fashion:

Aggregation would be encouraged, since use of non-aggregatable address
space would entail additional costs. These costs might be seen as minimal
for some organizations that desire addressing autonomy, but others might
decide treating their address space as portable and routable results in
higher cost than is desired. Decisions about changing prefixes with
ISPs can be made based on a rational tradeoff of costs, rather than in
a thicket of ISP and registry policies.

Conservation would actually be greatly improved, since address space
would only be sought after because of the need for additional unique
identifiers, rather than obtaining an address block of a given size
to warrant implied routability.  In light of IPv6's vast address
space, it actually would be possible to provide minimally-sized but
assured unique prefixes automatically via nearly any mechanism (i.e.
let your local user or trade association be a registry if they want).

With a significantly reduced policy framework, registration could be
fully automated, with issuance being as simple as assuring the right
level of verification of requester identity (you might even get rid
of this, if you can assure that ISPs obtain clear identity of clients
before serving them, but that would preclude any form of reputation
system based on IP address prefix such as we have in use today...)

Just think: the savings in storage costs alone (from the reduction in 
address policy-related email on all our mailing lists) could probably
fund the system. :-)

Oh well, one project at a time...
/John





RE: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million

2011-03-25 Thread Jamie Bowden
Does anyone really believe MS is this naïve? I have no doubt at all that some 
small bit of Nortel will be transferred to MS if that's what's required for the 
IPs in question to be moved in accordance with normal standards, practice, and 
policy.

Jamie

-Original Message-
From: Matthew Kaufman [mailto:matt...@matthew.at] 
Sent: Thursday, March 24, 2011 11:07 PM
To: Jimmy Hess
Cc: John Curran; NANOG list
Subject: Re: Nortel, in bankruptcy, sells IPv4 address block for $7.5 million

On 3/24/2011 7:59 PM, Jimmy Hess wrote:
>
> Because that's what IP addresses are.  Totally worthless unless community
> participants voluntarily route traffic for those IPs to the assignee.

Note that community participants can do this with or without ARIN having 
updated some entries in a database.

Would you de-peer with Microsoft (or turn down a transit contract from them)
just because they wanted to announce some Nortel address space?

Would ARIN really erase the Nortel entry and move these addresses to the 
free pool if Microsoft doesn't play along with one of the transfer policies?

Would you announce addresses someone had just obtained from ARIN that 
were already being announced by Microsoft?

Matthew Kaufman



RE: Had an idea - looking for a math buff to tell me if it's possible with today's technology.

2011-05-19 Thread Jamie Bowden
I know you're having fun with him, but I think what the original poster
had in mind was more like thinking of a file as just a string of
numbers.  Create an equation that generates that string of numbers, send
equation, regenerate string on other end.  Of course, if it was that
easy, someone would already have done it (or who knows, IBM might have
done this decades ago, put it on a virtual shelf in their IP closet, and
forgot about it...apparently they do that sort of thing all the time).
Compression is mathematically akin to cryptography, with the compressed
file being a huge seed with a standard algorithm (and a very weak one by
modern cryptography standards, sure, but imagine someone trying to
figure out a .zip file in the 50s).

Jamie

-Original Message-
From: Leo Bicknell [mailto:bickn...@ufp.org] 
Sent: Wednesday, May 18, 2011 5:03 PM
To: nanog
Subject: Re: Had an idea - looking for a math buff to tell me if it's
possible with today's technology.

In a message written on Wed, May 18, 2011 at 04:33:34PM -0400,
Christopher Morrow wrote:
> no no no.. it's simply, since the OP posited a math solution, md5.
> ship the size of file + hash, compute file on the other side. All
> files can be moved anywhere regardless of the size of the file in a
> single packet.
> 
> 
> The solution is left as an exercise for the reader.

Bah, you should include the solution, it's so trivial.

Generate all possible files and then do an index lookup on the MD5.
It's a little CPU heavy, but darn simple to code.

You can even stop when you get a match, which turns out to be a HUGE
optimization. :)

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/



High throughput switches...

2011-05-19 Thread Jamie Bowden
I'm looking for people's experiences with Voltaire switches in general
and the Vantage 6048 in particular.


We'd like to use a central switch and use 16 10g ports trunked via LACP
to two other switches and a SAN (to clarify, the central switch would
have three data channels, each one consisting of 16 trunked 10g ports,
the two downstream switches would have 10gb clients hanging off of them
and I'm not sure how the SAN is supposed to use 16 10g ports; they
haven't felt the need to give me specs on it, but for now I'm assuming
it either has a built in switch fabric that supports LACP or will have
another switch dedicated to it that can handle different L1 media).
Assuming we can bond that many channels (which I'm not sure about, but
none of the docs I've read on the IEEE protocol involved indicate a limit
on the number of ports that can be aggregated, and the manufacturer docs
don't mention it either), how realistic is the expectation of getting a
full 160gb throughput?  Are the switches in question up to the task?


This is a research project we're building for a customer, so I'm trying
to manage expectations, but this isn't the sort of thing I've personally
ever built before and I'm hoping someone here has done something close
enough and is willing to share experiences.


Thanks,


Jamie



RE: IPv6 day fun is beginning!

2011-06-08 Thread Jamie Bowden
Thanks to HE's tunnel broker service, I've got fully functional dual
stack at home (well, mostly, like most folks, VZ gives me a single
address and I live behind that with NATv4, but otherwise, I loves me
some FiOS) and yesterday went by for me without a hitch, including
accessing Facebook (I'd hear from the wife and kid really quickly if
they weren't working).  For a working tunnel, I put my DIR-825 as the
"DMZ" host behind the cheesy Actiontec router VZ requires, forward all
traffic with zero firewalling to it, and let the D-Link appliance handle
all my firewall needs (and it terminates my v6 tunnel obviously).  The
one thing I haven't quite figured out how to make it do (and maybe it's
just not capable) is use the /48 HE routes to me.  The box insists that
the internal interface be on the same subnet as the external, and it
hands out v6 addresses from that /64.

Jamie

-Original Message-
From: Jared Mauch [mailto:ja...@puck.nether.net] 
Sent: Tuesday, June 07, 2011 7:15 PM
To: Iljitsch van Beijnum
Cc: NANOG list
Subject: Re: IPv6 day fun is beginning!


On Jun 7, 2011, at 7:13 PM, Iljitsch van Beijnum wrote:

> www.facebook.com has  but doesn't load for me over IPv6, it does
for others though

If you go to www.v6.facebook.com it works, but it seems they have some
problem on their main site.  I am seeing some issues reaching them over
IPv6.

- Jared





RE: IPv6 day fun is beginning!

2011-06-08 Thread Jamie Bowden
If Verizon would offer v6 on FiOS, I'd already be there.  They don't, so
I've got a tunnel coming out of HE's Ashburn, VA POP.  As far as me
losing a day (or is it gaining?), blah...too early in the morning.  It
really is only Wednesday isn't it?

Jamie

-Original Message-
From: Jeroen Massar [mailto:jer...@unfix.org] 
Sent: Wednesday, June 08, 2011 7:52 AM
To: Jamie Bowden
Cc: NANOG list
Subject: Re: IPv6 day fun is beginning!

On 2011-Jun-08 13:40, Jamie Bowden wrote:
> Thanks to HE's tunnel broker service, I've got fully functional dual
> stack at home (well, mostly, like most folks, VZ gives me a single
> address and I live behind that with NATv4, but otherwise, I loves me
> some FiOS) and yesterday went by for me without a hitch, including

Yesterday was 7th of June, World IPv6 day is happening now (since 00:00
UTC 8th of June) and still on for another 12 hours or so ;)


But what you mention is something that has been seen a lot: people see
the mention of IPv6 day and suddenly want IPv6 (which is a good thing
btw and probably the most important thing) but instead of calling their
ISP and asking it from them they get a tunnel.

Getting IPv6 connectivity does not matter though as without IPv6 you'll
just reach the IPv4 version of the site like you did yesterday and most
likely tomorrow.


As for your magic that you had to do to get a protocol 41 tunnel up and
running, didn't HE.net have a PPTP trial for which they received a /15
or so from ARIN? Or did they actually not go on with it and are they now
using that /15 for other services instead?

Greets,
 Jeroen



RE: IPv6 day fun is beginning!

2011-06-08 Thread Jamie Bowden
The Actiontec is underpowered and if you put too many hosts behind it
will run out of memory for its NAT tables and your connectivity goes to
hell. My router is a D-Link not a Linksys.  When I last upgraded my home
router, the D-Links were plainly v6 capable; the Linksys may or may not
have been, but if so, it wasn't on the box and since my old router was
suffering from hardware problems, I wasn't really in the mood to go out
to Linksys' web site and dig around to hopefully find out.  That and
Cisco has irritated me with their abandonment issues.  My old Linksys
was still running draft N code and hadn't seen a firmware update in two
plus years.

Five minutes after getting the D-Link up and running, I did have my HE
tunnel though, which is nifty.  As far as the firewall goes, it is doing
SPI on both v4 and v6 with a default deny rule for all unrequested
traffic.

Jamie

-Original Message-
From: Harry Hoffman [mailto:hhoff...@ip-solutions.net] 
Sent: Wednesday, June 08, 2011 8:00 AM
To: Jamie Bowden; 'NANOG list'
Subject: RE: IPv6 day fun is beginning!

I have the same setup as you, except a Linux box that does the
firewalling.  The actiontec is pretty bad-ass, hardware-wise, and latest
firmware versions give you a bit more freedom.

Eth0 is the public addr and eth1 is the private addr. On eth1 I've got an
address from the routed /48 and then everything behind eth1 also gets
addrs in that /48.
(Maybe a firmware update is available for the Linksys? Or open/dd wrt).

One thing to note, if you're not doing ipv6 filtering at the router:
TCP/135 is open by default on a Windows 7 laptop here, so if you're not
filtering at the laptop then you're potentially allowing the world to
access that port.

Cheers,
Harry

-Original Message-
From: Jamie Bowden [mailto:ja...@photon.com] 
Sent: Wednesday, June 08, 2011 7:40 AM
To: NANOG list
Subject: RE: IPv6 day fun is beginning!

Thanks to HE's tunnel broker service, I've got fully functional dual
stack at home (well, mostly, like most folks, VZ gives me a single
address and I live behind that with NATv4, but otherwise, I loves me
some FiOS) and yesterday went by for me without a hitch, including
accessing Facebook (I'd hear from the wife and kid really quickly if
they weren't working).  For a working tunnel, I put my DIR-825 as the
"DMZ" host behind the cheesy Actiontec router VZ requires, forward all
traffic with zero firewalling to it, and let the D-Link appliance handle
all my firewall needs (and it terminates my v6 tunnel obviously).  The
one thing I haven't quite figured out how to make it do (and maybe it's
just not capable) is use the /48 HE routes to me.  The box insists that
the internal interface be on the same subnet as the external, and it
hands out v6 addresses from that /64.

Jamie

-Original Message-
From: Jared Mauch [mailto:ja...@puck.nether.net] 
Sent: Tuesday, June 07, 2011 7:15 PM
To: Iljitsch van Beijnum
Cc: NANOG list
Subject: Re: IPv6 day fun is beginning!


On Jun 7, 2011, at 7:13 PM, Iljitsch van Beijnum wrote:

> www.facebook.com has  but doesn't load for me over IPv6, it does for others though

If you go to www.v6.facebook.com it works, but it seems they have some
problem on their main site.  I am seeing some issues reaching them over
IPv6.

- Jared


RE: Re: Reminiscing our first internet connections (WAS) Re: akamai yesterday - what in the world was that

2020-01-27 Thread Jamie Bowden via NANOG
That was the other half of going to Extended Super Frame.  Lyle talked about 
AMI going away below, but didn't mention what replaced it (Binary 8bit Zero 
Substitution for the kids on the list).

I don't know about the other ILECs out there, but I don't know if Verizon will 
even provision a T1 anymore.  I know you can still get a PRI (that's how our 
phone systems interface with the PSTN), but if we needed a CT1 instead, I don't 
know that they'd be able (willing) to deliver it.  I know you can't get a BRI.  
We moved offices a few years ago and we basically lost the ability to use our 
STEs for anything but voice as we couldn't get BRIs delivered to the new space.

Speaking of ISDN, I had equipment that would support 56k ISDN, but never saw it 
provisioned (was that Switch56?  Or am I mixing up FR and ISDN?).  All of the 
ISDN circuits I dealt with were standard 2B+D (BRI), or 23B+D (PRI).  I think 
the oldest (and weirdest) piece of gear I personally worked on was a Gandalf 
ISDN router that was supporting a US Navy site to site connection.  Which makes 
me a newcomer to The Internet compared to a lot of people on this list, I'm 
sure.

-- 
Jamie Bowden (jamie.s.bow...@raytheon.com) (703) 842-3848
Sr Computer Network Technologist II
Raytheon Space and Airborne Systems
1100 Wilson Blvd., Suite 2000
Arlington, VA 22209

> -Original Message-
> From: NANOG  On Behalf Of Roy
> Sent: Monday, January 27, 2020 1:39 PM
> To: nanog@nanog.org
> Subject: [External] Re: Reminiscing our first internet connections (WAS) Re: 
> akamai yesterday -
> what in the world was that
> 
> 
> 
> Don't forget B8ZS which did away with the need for SF on copper data T1s
> 
> On 1/27/2020 10:43 AM, Lyle Giese wrote:
> >
> > 64k vs 56k was the result of changing T1 framing from SF to ESF.  SF
> > utilized AMI(Alt Mark Inversion) required for copper T1 lines between
> > Central Offices.  SF(Super Frame) robbed bits for signalling and
> > limited each voice channel to 56k.  Conversion to fiber between TELCO
> > offices allowed the conversion of SF to ESF, which dropped the AMI
> > requirement and the resultant bit robbing, allowing 64k throughput per
> > voice channel.
> >
> > In other words, the limitation was in the inter-office T1's and the
> > conversion of to fiber between TELCO offices cleared that hurdle.
> >
> > Lyle Giese
> >
> > LCR Computer Services, Inc.
> >
> >



RE: Re: FCC proposes higher speed goals (100/20 Mbps) for USF providers

2022-05-24 Thread Jamie Bowden via NANOG
As much as I hate giving C&P/Bell Atlantic/Verizon praise for anything ever, my 
1gb FIOS connection reliably delivers 900+mb/s in both directions any time I 
care to test it.  Generally, if I can’t fill the pipe it’s the other end’s lack 
of available bandwidth.

Thanks,
-- 
Jamie

From: NANOG  On Behalf Of 
David Bass
Sent: Tuesday, May 24, 2022 7:34 AM
To: Sean Donelan 
Cc: nanog@nanog.org
Subject: [External] Re: FCC proposes higher speed goals (100/20 Mbps) for USF 
providers

The real problem most users experience isn't that they have a gig, or even 
100Mb of available download bandwidth…it's that they infrequently are able to 
use that full bandwidth due to massive oversubscription.

The other issue is the minimal upload speed.  It’s fairly easy to consume the 
10Mb that you’re typically getting as a residential customer.  Even “business 
class” broadband service has a pretty poor upload bandwidth limit.  

We are a pretty high usage family, and 100/10 has been adequate, but there’s 
been times when we are pegged at the 10 Mb upload limit, and we start to see 
issues. 

I’d say 25/5 is a minimum for a single person. 

Would 1 gig be nice…yeah as long as the upload speed is dramatically increased 
as part of that.  We would rarely use it, but that would likely be sufficient 
for a long time.  I wouldn’t pay for the extra at this point though. 

On Mon, May 23, 2022 at 8:20 PM Sean Donelan  wrote:

Remember, this rulemaking is for 1.1 million locations with the "worst" 
return on investment. The end of the tail of the long tail.  Rural and 
tribal locations which aren't profitable to provide higher speed 
broadband.

These locations have very low customer density, and are difficult to serve.

After the Sandwich Isles Communications scandal, gold-plated proposals 
will be viewed with skepticism.  While a proposal may have a lower total 
cost of ownership over decades, the business case is the cheapest for 
the first 10 years of subsidies.  [massive over-simplification]

Historically, these projects have lacked timely completion (abandoned, 
incomplete), and had bad (overly optimistic?) budgeting.


RE: Fwd: Congrats to AS701

2022-06-16 Thread Jamie Bowden via NANOG
I had to log in to my FiOS provided CPE (Verizon Quantum Gateway) and enable 
IPv6.  It’s off by default.

This is what I see in Reston, VA:

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix  . : fios-router.home
   Description . . . . . . . . . . . : Intel(R) Ethernet Connection I217-LM
   Physical Address. . . . . . . . . : 6C-C2-17-EE-EE-6D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 
2600:4040:2b48:ce00:25e4:9527:2f2b:e571(Preferred)
   Temporary IPv6 Address. . . . . . : 
2600:4040:2b48:ce00:3411:b0a4:e9e7:e28f(Preferred)
   Link-local IPv6 Address . . . . . : fe80::25e4:9527:2f2b:e571%18(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.2.146(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, June 16, 2022 8:48:52 AM
   Lease Expires . . . . . . . . . . : Friday, June 17, 2022 8:48:51 AM
   Default Gateway . . . . . . . . . : fe80::4a5d:36ff:fecc:fe42%18
   192.168.2.254
   DHCP Server . . . . . . . . . . . : 192.168.2.254
   DHCPv6 IAID . . . . . . . . . . . : 57459223
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-23-20-9D-C9-6C-C2-17-EE-EE-6D
   DNS Servers . . . . . . . . . . . : 2600:4040:2b48:ce00::1
   192.168.2.254
   2600:4040:2b48:ce00::1
   NetBIOS over Tcpip. . . . . . . . : Enabled
   Connection-specific DNS Suffix Search List :
   fios-router.home

My Netgear router/WAP is set to autodetect IPv6 and sees it as passthrough.  
IPv4 is double NAT, but I have the v4 interface on the Netgear set to a static 
IP and the Verizon router is configured to treat that address as a DMZ and 
passes all traffic directly to it (theoretically unmolested).  I used to have 
it set to bridge mode for that port so it was only a single NAT, but every time 
the VZ supplied router rebooted, I’d have to manually go back and fix it, so I 
compromised and set it as a DMZ instead.

In the interest of not putting my house directly on the internet without 
protection, I do have all v6 traffic using the FiOS router’s firewall since I’m 
not convinced that the Netgear is properly firewalling that traffic due to the 
mode.

Thanks,
--
Jamie Bowden
Senior Computer Network Technologist II

O: +1 703.842.3848
C: +1 703.403.9745
jamie.s.bow...@raytheon.com<mailto:jamie.s.bow...@raytheon.com>
jamie.s.bow...@rtx.com<mailto:jamie.s.bow...@rtx.com>

Raytheon Intelligence & Space
Digital Technology
1100 Wilson Blvd.
Suite 2000
Arlington, VA 22209

RTX.com<https://www.rtx.com/> | 
LinkedIn<https://www.linkedin.com/company/raytheontechnologies> | 
Twitter<https://twitter.com/raytheontech> | 
Instagram<https://www.instagram.com/raytheontechnologies>

Upcoming PTO:

June 22, 2022
July 4-8, 2022

From: NANOG  On Behalf Of 
Christopher Morrow
Sent: Saturday, June 11, 2022 10:05 PM
To: nanog list 
Subject: [External] Fwd: Congrats to AS701


Looks like FIOS customers may be getting ipv6 deployed toward them, finally:

ifconfig snippet from local machine:
inet6 2600:4040:2001:2200:73d2:6bcc:1e6b:43a1  prefixlen 64  scopeid 0x0
inet6 2600:4040:2001:2200:e87:bf36:b6cb:6ce1  prefixlen 64  scopeid 0x0

ping attempt:
  64 bytes from bh-in-f106.1e100.net (2607:f8b0:4004:c09::6a): icmp_seq=1 ttl=59 time=8.71 ms

8ms from mclean, va to ashburn, va isn't wondrous, but at least it's ipv6 (and 
marginally faster than ipv4)

Congrats to the 701 folk for deploying more widely!
  (note: I don't know exactly when this started, nor how wide it really is, but 
progress here is welcomed by myself at least :) )
-chris


RE: Random shower thought: GBIC with LC connector...

2022-11-15 Thread Jamie Bowden via NANOG
Warren,

Do SFP+ modules count?

https://www.enetusa.com/455886-b21-enc
https://www.enetusa.com/455883-b21-enc

I have a pair of the multimode versions of this sitting on my desk as I type 
this.

Thanks,
--
Jamie Bowden
Senior Computer Network Technologist II


From: NANOG  On Behalf Of 
Warren Kumari
Sent: Tuesday, November 15, 2022 10:56 AM
To: North American Network Operators' Group 
Subject: [External] Random shower thought: GBIC with LC connector...

Hi there all,

While looking through my big box of random optics I suddenly realized that I'd 
never seen a GBIC with an LC connector, and I started wondering if anyone else 
had / if such a thing actually exists.

Yes, I realize that this would be a fairly niche device - if you arrived 
somewhere with a device that took GBICs and there was existing fiber with LC 
connectors you could just replace the patch cable or use an LC-SC convertor, 
but that doesn't really satisfy my curiosity.

A quick look through the GBIC MSA / SFF documentation implies that such a thing 
*could* probably exist (there is a defined value for the 'LC' connector), but I 
wasn't able to actually find any. It might not actually be compliant with the 
specs (the document I found only lists SC fiber or copper (coax with BNC, TNC 
or DB-9?!)), but that doesn't mean that no-one made them.

So, has anyone seen a regular (30mm/1.2") GBIC with LC connectors? And, if so, 
"pics or it didn't happen"... :-)

Obviously I don't have an actual use for this, it's just to satisfy my (OCD) 
curiosity...
W