Re: Youtube contact

2008-12-30 Thread Nathan
done.

On Tue, Dec 30, 2008 at 1:41 PM, Simon Allard
 wrote:
> Hi,
>
> Can someone from Youtube/Google please contact me off list, I have a strange 
> routing issue at the youtube->cogent border. Usual contact methods have 
> failed me.
>
> Thanks
>
> Regards
> Simon
>
>
>



-- 
Nathan Hickson
KI6RWZ
aim/y!: nullrouten
efnet: N2k



Re: Hardware capture platforms

2008-07-30 Thread nathan

On Tue, 29 Jul 2008, John A. Kilpatrick wrote:

We've deployed a bunch of taps in our network and now we need a platform on 
which to capture the data.  Our bandwidth is currently pretty low but I've 
got 8 links to tap, which means I need 16 ports.  Has anyone done any 
research on doing accurate packet capture with commodity hardware?


A hardware based capture card is the only way to get to any real 
throughput. Check out Endace cards, that will let you do line rate gig e 
or better and has native libpcap interface. You also may want to check out 
WildPackets cards.




<>

Nathan Stratton                CTO, BlinkMind, Inc.
nathan at robotics.net         nathan at blinkmind.com
http://www.robotics.net        http://www.blinkmind.com



Re: 1.0.0.0/8 route from MERIT ?

2010-03-02 Thread Nathan
I'm sorry my RR update was ... too late?  Did this cause a problem for  
someone?


 --N

(AS36561)

On Mar 2, 2010, at 7:28, Larry Blunk  wrote:



Christopher Morrow wrote:
On Tue, Mar 2, 2010 at 3:50 AM, Tomoya Yoshida   
wrote:



Thank you Geoff.

I asked because I could see 1/8 of merit AS237 but couldn't see
of origin AS36561 for those two in database.
Even if it's an experiment and short term, it's better to be registered
in right origin I think. # It could be guessed but...



which databases?

morr...@localhost:~$ whois -h rr.arin.net 1.2.3.0
% This is the ARIN Routing Registry.

% Note: this output has been filtered.

% Information related to '1.2.3.0/24AS36561'

route:  1.2.3.0/24
descr:  YouTube, Inc.
descr:  901 Cherry Ave
descr:  San Bruno, CA 94066
descr:  US
origin: AS36561
mnt-by: MNT-YOUTU
source: ARIN # Filtered


morr...@localhost:~$ whois -h rr.arin.net 1.1.1.0
% This is the ARIN Routing Registry.

% Note: this output has been filtered.

% Information related to '1.1.1.0/24AS36561'

route:  1.1.1.0/24
descr:  YouTube, Inc.
descr:  901 Cherry Ave
descr:  San Bruno, CA 94066
descr:  US
origin: AS36561
mnt-by: MNT-YOUTU
source: ARIN # Filtered

These ought to then get around to other IRR-ish-things when their
propagation times hit, yes?

-Chris




   I'm not positive that this is still the case, but I believe that
there can be quite a bit of latency in mirroring due to the
way RIPE database code (which ARIN uses) works.   The
last object(s) registered are not pushed to the mirror stream until
the next object(s) are registered.  I believe RIPE regularly pushes
a dummy object in order to keep its mirrors more regularly
synced.   I don't think that ARIN does this.   It's a bigger issue
for ARIN as their routing registry is updated less frequently
than the RIPE routing registry.

  According to our logs, the objects were not mirrored on
the RADB server until about 2.5 hours after Tomoya posted
his email (the objects were picked up from the ARIN
mirror at 05:37:42 -0500 (EST)  March 2).



--Larry






When RPKI comes, is it no problem??

  -tomoya


On Tue, 2 Mar 2010 19:17:45 +1100
Geoff Huston  wrote:

|Hi,
|
|As I noted in the previous note quoted below, APNIC are undertaking a second
|experiment with these two /24 routes originated by AS 36561. These two /24s
|appear to be the major attractors in the 1.0.0.0/8 space. YouTube have
|generously provided assistance for this second experiment, and we are very
|grateful for their help!
|
|  Geoff Huston
|  APNIC
|
|
|
|
|On 02/03/2010, at 6:59 PM, Tomoya Yoshida wrote:
|
|> Are these from youtube also?
|>
|> 1.1.1.0/24 *[BGP/170] 07:04:22, MED 0, localpref 100
|>  AS path: 2914 3356 36561 I
|> 1.2.3.0/24 *[BGP/170] 07:01:21, MED 0, localpref 100
|>  AS path: 2914 3356 36561 I
|>
|>  tomoya
|>
|>
|> On Thu, 25 Feb 2010 14:34:02 +1100
|> Geoff Huston  wrote:
|>
|> |
|> |On 25/02/2010, at 6:13 AM, Alex H. Ryu wrote:
|> |
|> |>
|> |> Today I jumped into one of our routers, and I found that 1.0.0.0/8 is
|> |> announced from AS237, which is MERIT.
|> |>
|> |>
|> |>     Network          Next Hop            Metric LocPrf Weight Path
|> |> *>  1.0.0.0/8        4.59.200.5               0     60      0 (65001 65105) 3356 7018 237 i
|> |>
|> |> Is this supposed to be?
|> |> I thought 1.0.0.0/8 is allocated to APNIC.
|> |
|> |Yes, this is supposed to be. This is one of a number of planned
|> |experiments in advertising all and selected parts of 1/8 in the coming
|> |weeks.
|> |
|> |Geoff Huston
|> |APNIC
|>
|> --
|> Tomoya Yoshida 
|>

--
Tomoya Yoshida 
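
The registry check discussed in this thread (is there a route object whose origin matches the AS seen in BGP?), as an added example that is not code from any poster: a Python script that parses the RPSL route objects quoted above and classifies the announcements quoted in the thread. The function names and result labels are assumptions, and the sample data is constructed from the thread's own whois and BGP output.

```python
import ipaddress
import re

# Constructed sample: the two route objects quoted in the thread
# (whois -h rr.arin.net), trimmed and concatenated into one string.
WHOIS_TEXT = """\
% This is the ARIN Routing Registry.
% Information related to '1.2.3.0/24AS36561'

route:  1.2.3.0/24
descr:  YouTube, Inc.
origin: AS36561
mnt-by: MNT-YOUTU
source: ARIN # Filtered

% Information related to '1.1.1.0/24AS36561'

route:  1.1.1.0/24
descr:  YouTube, Inc.
origin: AS36561
mnt-by: MNT-YOUTU
source: ARIN # Filtered
"""

# Constructed sample: (prefix, AS path) pairs as quoted in the thread.
OBSERVED = [
    ("1.1.1.0/24", "2914 3356 36561 I"),
    ("1.2.3.0/24", "2914 3356 36561 I"),
    ("1.0.0.0/8", "(65001 65105) 3356 7018 237 i"),
]


def parse_route_objects(text):
    """Return [(network, origin_asn)] for every IPv4 route object in text."""
    objects, current = [], {}
    for raw in text.splitlines() + [""]:       # trailing "" flushes the last object
        if raw.startswith("%"):                # server remarks
            continue
        line = raw.split("#", 1)[0].rstrip()   # drop RPSL end-of-line comments
        if not line:                           # blank line ends an object
            m = re.fullmatch(r"AS(\d+)", current.get("origin", ""), re.I)
            if "route" in current and m:
                objects.append((ipaddress.ip_network(current["route"]),
                                int(m.group(1))))
            current = {}
            continue
        if line[0] in " \t+":                  # continuation line, not needed here
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip().lower(), value.strip())
    return objects


def origin_from_path(as_path):
    """Origin AS is the last ASN in the path; confederation segments in
    parentheses and the trailing origin code (i, e, ?, I) are ignored."""
    path = re.sub(r"\([^)]*\)", " ", as_path)
    asns = [int(tok) for tok in path.split() if tok.isdigit()]
    if not asns:
        raise ValueError("no ASN in path: %r" % as_path)
    return asns[-1]


def check(prefix, origin, objects):
    """Classify one announcement against the registered route objects."""
    net = ipaddress.ip_network(prefix)
    covering = [(n, o) for n, o in objects
                if n.version == net.version and net.subnet_of(n)]
    if not covering:
        return "unregistered"       # no route object covers this prefix
    if any(n == net and o == origin for n, o in covering):
        return "exact"              # same prefix, same origin
    if any(o == origin for _, o in covering):
        return "covered"            # less-specific object, same origin
    return "origin-mismatch"        # registered, but to a different AS


def audit(observed, whois_text):
    """Return [(prefix, origin_asn, verdict)] for each observed route."""
    objects = parse_route_objects(whois_text)
    results = []
    for prefix, path in observed:
        origin = origin_from_path(path)
        results.append((prefix, origin, check(prefix, origin, objects)))
    return results


if __name__ == "__main__":
    for prefix, origin, verdict in audit(OBSERVED, WHOIS_TEXT):
        print("%-12s AS%-6d %s" % (prefix, origin, verdict))
```

A verdict of "unregistered" only reflects the registry copy that was queried; as the thread notes, a mirror can lag the source registry by hours.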














YouTube AS36561 began announcing 1.0.0.0/8

2010-03-11 Thread Nathan
Hello,

I'm hoping to alleviate the "what's going on!?" type messages here this time. :)

Here's an excerpt from the APNIC provided LOA I provided to a couple
networks, to carry a new announcement...

"To whom it may concern,

APNIC and YouTube are cooperating in a project to investigate the
properties of unwanted traffic that is being sent to specific
destinations in the address block of 1.0.0.0/8. This address block has
been recently allocated to APNIC from the IANA, and
APNIC and YouTube are wanting to undertake this investigation prior to
the commencement of ordinary allocations.
Accordingly, APNIC authorizes AS36351 to periodically advertise a
route for 1.0.0.0/8 from now until 21 March 2010, and
requests that AS36351's peers and upstreams accept this as a
legitimate routing advertisement."


In a continuation of last week's experiments... we are now announcing
1.0.0.0/8 instead of 1.1.1.0/24 and 1.2.3.0/24.

Cheers
,N (nat...@youtube.com - AS36561)



Re: YouTube AS36561 began announcing 1.0.0.0/8

2010-03-12 Thread Nathan
A trace-route reaches the Youtube border... so everything is ok.  The
routes are being ECMP'd to a set of capture hosts for the purpose of
spreading load, aggregating more disk-space for packets, providing
some form of redundancy for the experiment, etc. We're receiving about
175mbps of unsolicited noise.  I'll leave the remaining details to be
provided by the official report/article from Geoff and George.  It's
amazing how prolific 1.x traffic is.

,N



On Fri, Mar 12, 2010 at 12:53 AM, William Pitcock
 wrote:
> On Thu, 2010-03-11 at 22:52 -0800, Nathan wrote:
>> Hello,
>>
>> I'm hoping to alleviate the "what's going on!?" type messages here this 
>> time. :)
>>
>
> 
> Any IPs we can ping and get a response back from to verify everything is
> ok?  1.2.3.4 isn't pingable, for example. :(
> 
>
> William
>
>



Re: YouTube AS36561 began announcing 1.0.0.0/8

2010-03-12 Thread Nathan
We've never cared about ratios... it's futile!

Level3 is slow to update prefix lists this time.  I simply picked a
couple networks that respond to my emails. My laziness to call others
is why the route isn't visible there. :)


,N



On Fri, Mar 12, 2010 at 7:58 AM, Richard A Steenbergen  
wrote:
> On Fri, Mar 12, 2010 at 07:34:10AM -0500, Patrick W. Gilmore wrote:
>> Oh, I understand what's going on exactly.  YouTube is trying to
>> balance their ratios. :)
>
> That might explain why they're only announcing it behind Cogent. :)
>
> --
> Richard A Steenbergen        http://www.e-gerbil.net/ras
> GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
>
>



Re: YouTube AS36561 began announcing 1.0.0.0/8

2010-03-12 Thread Nathan
There are sizable chunks that are fairly quiet (un-interesting
numbers, luck of the draw, etc).  Given that it's mostly
mis-configurations, laziness, ignorance, or poor planning... I suspect
the worst ranges will need to be sacrificed, and the remaining 80-90%
of the space used for legitimate allocations.  Unfortunately, anyone
who accepts allocations in 1.x will need to be aware that they will
have a slightly lower quality address-space.  Accepting 1.1.1.0/24,
for example, will land you with a continuous 50mbps of junk...
seemingly forever... and a respectable chance that some percentage of
the net will never reach you, due to their own misconfigurations.

,N



On Fri, Mar 12, 2010 at 1:34 PM, Kevin Loch  wrote:
> Axel Morawietz wrote:
>>
>> Am 12.03.2010 17:03, schrieb Nathan:
>>>
>>> [...] It's
>>> amazing how prolific 1.x traffic is.
>>
>> one reason might also be, that at least T-Mobile Germany uses 1.2.3.*
>> for their proxies that deliver the content to mobile phones.
>> And I'm not sure what they are doing when they are going to receive this
>> route from external. ;)
>
> If 1.0.0.0/8 has been widely used as de-facto rfc1918 for many years,
> perhaps it is time to update rfc1918 to reflect this?
>
> - Kevin
>
>
>



Re: AARNet AS7575 announcing 1.0.0.0/24, 1.1.1.0/24 and 1.2.3.0/24 soon

2010-03-17 Thread Nathan
1.0.0.0/8 has been fun.  I won't steal George/Geoff's show by telling
all... but I will state that about 18% of the internet is still bogon
filtering (or using internally) 1.x...   I wouldn't want to be a poor
schlub getting assigned something from this space, personally.

We're going to announce 27.128.0.0/12 in the next 24 hours as well...
To see what backscatter is like in an uninteresting range.  I'll send
a separate clear message to the list about this too. :)

,N



On Wed, Mar 17, 2010 at 3:25 AM, Peter van Arkel  wrote:
> On Wed, 17 Mar 2010, Nathan Ward wrote:
>
>> route-views>sh ip bgp 1.0.0.0/8
>> BGP routing table entry for 1.0.0.0/8, version 600951180
>> Paths: (24 available, no best path)
>> Flag: 0x820
>>   Not advertised to any peer
>>   1239 174 36561
>>     144.228.241.130 (inaccessible) from 144.228.241.130 (144.228.241.130)
>>       Origin IGP, localpref 100, valid, external
>>
>> % whois -a AS36561 | grep -i name
>> OrgName:    YouTube, Inc.
>
> http://www.merit.edu/mail.archives/nanog/msg06402.html
>
> "Accordingly, APNIC authorizes AS36351 to periodically advertise a
> route for 1.0.0.0/8 from now until 21 March 2010, and
> requests that AS36351's peers and upstreams accept this as a
> legitimate routing advertisement."
>
> :-)
>
> --
> Peter van Arkel
>  T: +31 623988844                       | p.vanar...@gmail.com
>  RIPE: PvA63-RIPE                       | PGP: 0xA0991D6B
>
>



Re: Where do your 911 fees go and why does 911 fail

2020-12-30 Thread Nathan Stratton
On Wed, Dec 30, 2020 at 2:13 PM Sean Donelan  wrote:

> The folks on this list likely know where the central Tennessee backup
> tandem office is located. Although it's semi-public knowledge, I avoided
> mentioning its location until the immediate threat passed.  LATAs don't
> have much legal meaning anymore, but every LATA had at least two tandem
> offices.
>
> Nevertheless, the "cloud" still depends on physical infrastructure.
>
> I'm sure there will be several investigations by regulators why all
> the 911 PSAPs didn't fail-over to the backup tandem office. Of course,
> single-homed circuits physically connected to the Nashville CO wouldn't
> fail-over.
>

Amazing how much data is in LERG.

-Nathan


Re: 10 years from now... (was: internet futures)

2021-03-29 Thread Nathan Stratton
I mix Starlink and Comcast over two openvpn tunnels to my datacenter in
Ashburn.

><>
nathan stratton


On Mon, Mar 29, 2021 at 3:38 PM Matt Erculiani  wrote:

> I wouldn't be the least bit surprised if anyone out there was trying to
> mix their StarLink kit and existing broadband service to optimize
> performance and/or add redundancy though.
>
> The underlying technologies will change, but what people try to do with
> them will remain relatively unchanged.
>
> Back 20 years ago people were talking about their Frame Relay P2P
> services, now they talk about their Ethernet P2P services.
>
> -Matt
>
> On Mon, Mar 29, 2021 at 1:10 PM Aaron C. de Bruyn 
> wrote:
>
>> On Mon, Mar 29, 2021 at 11:39 AM Matt Erculiani 
>> wrote:
>>
>>> I think the best way to think about what 10 years from now will look
>>> like is to compare 10 years ago to the present:
>>> https://mailman.nanog.org/pipermail/nanog/2011-April/thread.html
>>>
>>
>> Multi-homing your DSL connection?
>> I can't wait to multi-home my 10x10 array of StarLink satellites in a few
>> years...
>>
>> -A
>>
>
>
> --
> Matt Erculiani
> ERCUL-ARIN
>


Re: A crazy idea

2021-07-19 Thread Nathan Angelacos
On Mon, 2021-07-19 at 08:51 -0700, Randy Bush wrote:
> > Well, for SLAAC you need a /64
> 
> this is not true
> 
> randy


That is cool!   Can you point me to the correct RFC please?



QVC.com Technical Contact

2021-07-29 Thread Nathan Gerencser
Looking for a contact, trying to clear up a reachability issue. Please reach 
out to me off-list.

Thanks,
Nathan Gerencser
MetaLINK Technologies


RE: Amazon Prime Video IP reputation

2021-08-23 Thread Nathan Gerencser
Geoguard takes care of Amazon and are usually responsive.

n...@geoguard.com

Nathan Gerencser, Network Engineer
MetaLINK Technologies

From: NANOG  On Behalf Of 
Josh Luthman
Sent: Monday, August 23, 2021 8:47 AM
To: Eric C. Miller 
Cc: nanog@nanog.org
Subject: Re: Amazon Prime Video IP reputation

I've had a couple calls over the weekend from customers that got blocked.  Was 
there any resolution to this or place to contact them?  TBW page is only a link 
to the forums.

Josh Luthman
24/7 Help Desk: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Wed, Aug 18, 2021 at 3:51 PM Eric C. Miller <e...@ericheather.com> wrote:
We found that ipqualityscore.com seems to match up 
with the CGNATs that we are having the most trouble with. They indicated a 1-3 
day turnaround in responding to mis-classifications. We might have to make a 
habit of calling them every 30 minutes until they do something.

From: NANOG <ericheather@nanog.org> On Behalf Of Joshua Stump
Sent: Wednesday, August 18, 2021 1:40 PM
To: nanog@nanog.org
Subject: RE: Amazon Prime Video IP reputation

I’m having the same with one of my valid IPv4 /21 right now. Amazon Prime, HBO 
Max, and Hulu confirmed. Just started within the last couple days.

Joshua Stump
Network Admin
Fourway.NET
800-733-0062

From: NANOG <nanog-bounces+jstump=fourway@nanog.org> On Behalf Of Eric C. Miller
Sent: Tuesday, August 17, 2021 7:31 PM
To: NANOG <nanog@nanog.org>
Subject: Amazon Prime Video IP reputation

Does anybody know which IP reputation service Amazon uses for Prime video? 
Within the last couple of hours several of our CGNAT publics are showing up as 
VPN or proxy when someone tries to watch Amazon video.

Any help would be appreciated!

Thank you!
Eric


RE: DiviNetworks

2020-02-06 Thread Nathan Babcock
So interesting thing about Divi.  I am a regional WISP operator and we did sign 
a deal with them and let them use our space.  One of the issues we developed 
while they were active on our network was all of our IP’s started being homed 
in the UK for google.  So anytime a customer would go to google or any google 
service, it would reroute us to the .uk version of the site.  This took about 6 
months to start happening, so we didn’t have any issues for that long letting 
them use our IP space.  After a day or so of us cutting them off it went away 
and never came back.  I have discussed this with them at length in email phone 
and in person at conferences.  They assured me that this wasn’t them, but when 
I turned it back on, the issue came back in under a week.  Turn them off…. Goes 
away.  So we removed their connection.  This was over a year ago, and I have 
been talking with them again about this but am significantly more cautious 
about moving forward if for nothing else the above reason alone.  Not to 
mention the other items Mike pointed out which are of the greatest concern.  

 

What they do is create a VPN connection on your edge router and utilize your IP 
space for Geo location IP services and allow their customers to use IP’s from 
all over the world to check their sites for compatibility/interoperability.  
That’s what they tell you.  I’ve not seen any indication to believe otherwise 
in my dealings with them which is why we are talking with them again.

 

From: NANOG  On Behalf Of 
Justin Wilson
Sent: Thursday, February 6, 2020 1:35 PM
To: Mike Fuller 
Cc: nanog@nanog.org
Subject: Re: DiviNetworks

 

They don’t lease your IP space is the thing.

 

 

Justin Wilson

li...@mtin.net  



—
https://j2sw.com - All things jsw (AS209109)
https://blog.j2sw.com - Podcast and Blog





On Feb 6, 2020, at 2:07 PM, Mike Fuller <m...@google.com> wrote:

 

I'd be very cautious about engaging with any company whose business model is to 
get a short-term lease of your IP-space.  Many companies use IP reputation 
data, and so you are essentially lending that reputation to a 3rd party, who 
may use it in ways you don't anticipate until the reputation is sufficiently 
damaged, and then return it to you and move on to another ISP.

Some organizations' response to unwanted traffic is simply to block large IP 
ranges or entire ASes, and not everyone is good about following-up and expiring 
such blocks in the future.  I realize your customers haven't ended-up on any 
spam/abuse blocklists, but that doesn't mean they won't be, or that their IP 
reputation hasn't already been affected in less obvious ways.  You should ask 
yourself if you are being sufficiently compensated for these risks as reputable 
IPv4 space is at a premium, so replacing the IPv4 space you lent out could get 
quite costly.

--
Mike Fuller :: Security Reliability Engineer :: Google :: AS15169

 

On Wed, Feb 5, 2020 at 12:15 PM Justin Wilson <li...@mtin.net> wrote:

Have several networks using them.  This he networks get paid, and no 
blacklists.  Contact me off list if you want more details



Justin Wilson
li...@mtin.net  


—
https://j2sw.com   - All things jsw (AS209109)
https://blog.j2sw.com   - Podcast and Blog

> On Feb 5, 2020, at 2:14 PM, Steve Saner wrote:
> 
> Has anyone here worked with DiviNetworks (https://divinetworks.com/) to 
> "sell" their unused bandwidth?
> 
> I'd be curious to hear any thoughts or experiences.
> 
> Steve
> 
> -- 
> --
> Steven Saner <ssa...@hubris.net>        Voice:  316-858-3000
> Director of Network Operations          Fax:  316-858-3001
> Hubris Communications                   http://www.hubris.net
>  
> 

 



Re: Quagga for production?

2020-02-23 Thread Nathan Brookfield
Hi Mate,

Yep on and off for about 15 years, very solid, very reliable.  I tend to use 
Bird this hmorning we rays for this task but Zebra and Quagga are rock solid.

Kindest Regards,

Nathan Brookfield (VK2NAB)
Simtronic Technologies Pty Ltd


On 23 Feb 2020, at 23:29, Dmitry Sherman  wrote:



Hello,

Anybody working with Quagga for production peering with multiple peers and 
dynamic eBGP/iBGP announcement?



Thanks.

Dmitry



Amazon Prime Video Contact

2020-05-27 Thread Nathan Gerencser
Anybody have a contact at Amazon that could help clear up an issue with an IP 
prefix being blocked from accessing the Prime Video service?

Thanks in advance.

Nathan Gerencser, Network Engineer
MetaLINK Technologies




Re: questions asked during network engineer interview

2020-07-21 Thread Nathan Stratton
On Mon, Jul 20, 2020 at 4:45 PM Sander Steffann  wrote:

> > I find there's a strong INVERSE correlation between the quantity of
> > certificates on an applicant's resume and their ability to do the
> > job.
>
> Never got a certificate, don't want one either :)
>

That's what I said about high school, my parents were not thrilled, but at
least for me, it worked out.

-Nathan


AT&T Wireless contact

2020-08-14 Thread Nathan Anderson
This is probably a long shot, but are there any AT&T Wireless engineers here, & 
one who wouldn't mind contacting me off-list?  I may be misinterpreting what 
I'm seeing, but I think you might have a small number of MMSC servers that are 
down...

-- Nathan


Re: An update on the AfriNIC situation

2021-08-30 Thread Nathan Angelacos
On Mon, 2021-08-30 at 16:08 -0700, Owen DeLong via NANOG wrote:
> 
> 
> 
> I am here doing what I am doing because I have ethics and morals.
> Because even though I often disagree with Lu, in this case, he
> happens to be right and AFRINIC must not be allowed to act so
> irresponsibly in this matter.
> 
> Owen
> 

Amen.  Sucks to be moral.  But at the end of the day, you have to go to
sleep and say I did what was moral. 

To me, that is NANOG.



Re: Open source mapping of US high voltage electrical grid

2022-01-16 Thread Nathan Stratton
Very cool, thanks, Eric.

><>
nathan stratton


On Sat, Jan 15, 2022 at 9:48 PM Eric Kuhnke  wrote:

> Possibly of interest for network operators who have inter-city circuits,
> where the underlying carrier is something on OPGW fiber in high voltage
> lines.
>
> These people seem to be making an effort at mapping out high voltage
> lines, hydroelectric dams, substations, etc.
>
> https://openinframap.org
>
>


Re: New minimum speed for US broadband connections

2022-02-11 Thread Nathan Angelacos
20 miles from Sacramento.

Mother-in-law has an ATT  DSLAM *at the end of her driveway*  on
the other side of the street.  ATT swears she can get internet. Until
she tries to sign up, and "oh no... wrong side of the street"

She is at 700Kbps over a WISP ... *after* she trimmed the trees to get
line of sight.

sigh.




Re: VPN recommendations?

2022-02-12 Thread Nathan Angelacos
On Sat, 2022-02-12 at 13:24 -0700, Grant Taylor via NANOG wrote:
> On 2/11/22 12:35 PM, William Herrin wrote:
> > The thing to understand is that IPSec has two modes: transport and 
> > tunnel. Transport is between exactly two IP addresses while tunnel 
> > expects a broader network to exist on at least one end.
> 
> That is (syntactically) correct.  However, it is possible to NAT many
> LAN IPs (say RFC 1918) to one single Internet IP (say from a SOHO
> ISP) 
> and use IPSec /Transport/ Mode to a single remote IP.  The IPSec sees
> exactly two IPs.
> 
> > "Tunnel" mode is what everyone actually uses
> 
> I may be enough of an outlier that I'm a statistical anomaly.  But
> I'm using IPSec /Transport/ Mode between my home router and my VPSs. 
> I have a tiny full mesh of IPSec /Transport/ Mode connections.
> 

+1 on *cough* enterprise networks.

> Using the aforementioned many-to-one NAT, my home LAN systems access
> the single globally routed IP of each of my VPSs without any problem.
> 

+1

> Aside:  I did have to tweak MTU for LAN traffic going out to the VPS
> IPs.

+1

> 
> So -1 for '"Tunnel" mode is what everyone actually uses', and +1 for 
> /Transport/ Mode 

+1


Re: CC: s to Non List Members (was Re: 202203080924.AYC Re: 202203071610.AYC Re: Making Use of 240/4 NetBlock)

2022-03-08 Thread Nathan Angelacos
On Tue, 2022-03-08 at 19:25 -0500, Tom Beecher wrote:
> 
> 
> The only way IPv6 will ever be ubiquitous is if there comes a time
> where there is some forcing event that requires it to be. 
> 
> Unless that occurs, people will continue to spend time and energy
> coming up with ways to squeeze the blood out of v4 that could have
> been used to get v6 going instead. I don't foresee anything changing
> for most of the rest of our careers, and possibly the next generation
> behind us. 


Exactly.   The only thing I see changing anything is when the MTU gets
low enough that you are sending more encapsulation headers than
payload.   When the effective MTU is 8, then... But by then I'll have a
1Tb link to my house... so who cares?!



Re: V6 still not supported

2022-03-18 Thread Nathan Angelacos
On Fri, 2022-03-18 at 13:17 -0700, Michael Thomas wrote:
> 
> > 
> We weren't part of the wars. What I saw was what eventually became ipv6
> and I remember talking to one of my coworkers about how hard he
> thought it would be to implement. He concurred that he didn't think it
> would be any big deal. One of our big issues is that we didn't have
> anybody to interop with, that and nobody was asking for it unlike v4
> features.

Classic Second System Effect, as described by Fred Brooks... in 1975. 
"The Mythical Man-Month" is a great book for remembering how we got
here.

https://en.wikipedia.org/wiki/Second-system_effect

But as all you have said, here we are.


Re: What say you, nanog re: Starlink vs 5G?

2022-06-24 Thread Nathan Stratton
I use Comcast Business for my primary at home, but it is so bad that I was
forced to get Starlink as backup. I am not in a city, but close enough that
there would be issues.

><>
nathan stratton


On Thu, Jun 23, 2022 at 9:47 PM John Levine  wrote:

> It appears that Eric Kuhnke  said:
> >Adding a terrestrial transmitter source mounted on towers and with CPEs
> >that stomps on the same frequencies as the last 20 years of existing two
> >way VSAT terminals throughout the US seems like a bad idea. Even if you
> >ignore the existence of Starlink, there's a myriad of low bandwidth but
> >critical SCADA systems out there and remote locations on ku-band two way
> >geostationary terminals right now.
>
> I think the original thought was that the satellite service would be used
> in
> rural areas and 5G in cities so there'd be geographic separation, but
> Starlink
> is selling service all over the place.
>
>


IPv6 on Lumen/CL

2022-08-29 Thread Nathan Anderson
We have a circuit on AS209 that was originally provisioned v4-only.  I'm now 
trying to get Lumen to turn v6 up on it.  How long does this typically take?  
I've had a configuration ticket open for nearly 3 biz days now with no movement 
(or even acknowledgement).  For anybody who has gone through this with them, is 
this unusual or nah?

When they do get around to it, what can I expect in terms of how they will 
prefer to set this up?  Separate BGP session running over v6 itself, or modify 
existing session to have it also carry v6 NLRIs?

Thanks,

-- Nathan


RE: iCloud/Apple Mail contact.

2022-09-15 Thread Nathan Anderson
Did you ever manage to find out who at Apple to speak to about getting things
added to or changed in this database?

 

Quite irritating how there is zero public-facing information about this.  Also,
an Apple employee authored RFC 6186, yet they don't implement it??

 

-- Nathan

 

From: NANOG [mailto:nanog-bounces+nathana=fsr@nanog.org] On Behalf Of Matt
Hohman
Sent: Wednesday, July 20, 2022 10:28 AM
To: nanog@nanog.org
Cc: Jonathan Dukes
Subject: iCloud/Apple Mail contact.

 

Hello,

 

Looking for an iCloud/Apple admin contact me off list. 

 

I’ve exhausted all the usual support channels on this one and some of the
responses have been quite comical.

 

Background:

Every time you setup an email account in Apple Mail it will check the domain
entered against a database of email server settings and conveniently autofill
those settings.

 

10 or so years ago we reached out to our business contact at Apple to setup
email server auto discovery for our domain, over the last decade our contact
has left and any attempts to reach Apple to get this info updated have been
fruitless. The autofilled info now points to a long dead email server.

 

 

Thanks,
Matt Hohman
Technical Director
New Heights Foundation



Re: FCC chairwoman: Fines alone aren't enough (Robocalls)

2022-10-04 Thread Nathan Angelacos
On Tue, 2022-10-04 at 08:05 -0600, Jawaid Bazyar wrote:
> Phone spam pretty much always involves the knowledge and involvement
> of the provider. There are no phone providers who don't know when one
> of their customers are making millions of robocalls.
> 
> International toll fraud also always involves the collusion of
> corrupt small country telephone monopolies.
> 
> So unlike email spam, where there are a million ways to send a
> million emails a minute without someone being aware, phone spam is
> definitively collisional. (Is that a word?)
> 

collusion:  

noun:
secret or illegal cooperation or conspiracy, especially in order to
cheat or deceive others.

Law:
illegal cooperation or conspiracy, especially between ostensible
opponents in a lawsuit.


Yup.  Having worked for a small VoIP provider, your comment is exactly
on point.


Re: jon postel

2022-10-16 Thread Nathan Angelacos
On Sun, 2022-10-16 at 13:23 -0700, Randy Bush wrote:
> it's been 24 years, and we still live in his shadow and stand on his
> shoulders.  we try not to stand on his toes.
> 
> randy

I got on the "interwebs" just before Al Gore invented the internet (no
political statement, just that is the way it was back then.)   15 3.5"
floppy disks, a 33Mhz 486, slackware, (and a really reliable USRobotics
modem.)

I found this thing called "RFC"... and Jim Postel was a man I really
wanted to meet.  

Thanks, Randy, for reminding me of the shoulders I stand on.


Re: jon postel

2022-10-16 Thread Nathan Angelacos


> 
> Early unix had a similar philosophical debate. Everything is a simple
> file (including most devices), make commands which do one thing and
> do it well so they can be connected together in new ways (an almost
> prescient view on the ubiquity of multi-cpu/core systems), when in
> doubt generalize and let the user specialize for their needs, don't
> try to guess everything your program will be used for.



Oh. you mean SaaS?  or WebSockets?  or REST? or :)

I remember an old guy I worked with.   We were decommissioning our
Prime for this new thing called "Novell 286"

He said "The computer industry is like the car industry in the 50's.  
We add more grille, more fenders, more wings.   But it is still a car."



Offline contact for MS Windows network stack dev? (Win10 IPv6 bug Q.)

2022-11-07 Thread Nathan Anderson
Not sure this is the best place to ask, but I'm not sure where else to go at 
this point...  I'm trying to find somebody on the Windows development team that 
might be able & willing to help me track down some info on a bizarre IPv6 bug 
I've been chasing in Win10 & its related fix.

I can confirm the bug in question was silently fixed somewhere in between 
10.0.18362.657 and 10.0.18362.693 and that it seems to be within the tcpip.sys 
component, but the release notes for KB4535996 make zero mention of it.  The 
fix has also seemingly never been backported to LTSC 2019.

Essentially the problem is that, in a dual-stack environment, if a DNS lookup 
returns both an A and an AAAA record, Windows will prefer to make a connection 
to the target host via v4, claiming that it chose to do so because it is 
"Prefer[ring] [the] Aoac Interface", as if the given network interface only 
supports Connected/Modern Standby for IPv4 and not v6.  Despite this, with the 
exact same drivers on the exact same host with the exact same hardware & 
network interfaces connected to the exact same LAN, the seemingly-fixed 
tcpip.sys no longer behaves this way.  (It actually even works on "buggy" 
tcpip.sys after a fresh reboot, but only for some undefined amount of time 
before it reverts to this behavior.  My theory is the codepath that is causing 
this is only *supposed* to be followed while the PC is *actually* asleep & not 
during normal operation, but some bit in memory is getting flipped when some 
event occurs, and the logic that is taking this particular bit into account is 
faulty.)

If anybody can put me in touch with somebody who can pull a changelog of 
tcpip.sys between those two versions, I'd really appreciate it!  I'm just 
trying to better understand the exact nature of the bug & the fix, since a 
NetTrace would implicate buggy network interface drivers, but that clearly 
can't be the whole story.  And I'd like to figure out if a workaround is 
available for still-supported Windows versions that do not incorporate the 
actual fix (e.g., some registry entry that will make Windows ignore the 
freaking AOAC support reported by the network interface driver...the NetTrace 
entry implies Windows is following RFC 6724 and that it is considering the IPv6 
destination to be "unreachable" [merely because of lack of AOAC support in the 
driver for IPv6?!], which is clearly not the case).

Thanks!

-- 
Nathan Anderson
First Step Internet, LLC
nath...@fsr.com



Re: New addresses for b.root-servers.net

2023-06-02 Thread Nathan Ward
On 2/06/2023 at 10:22:46 AM, Wes Hardaker  wrote:

>
> 2. I'll note that we are still serving DNS requests at the addresses that
> we switched away from in 2017 [1][2].  At that time we actually only
> promised 6 months and we've doubled that time length with our latest
> announced change.  But we do need a date after which we can turn off
> service to an address block if some reason demands it.
>

Hi Wes,

Seems to me that this could be heavily informed by historical data from
this earlier renumbering.

Do you have query rates over time for the old and new addresses since this
change in 2017?

Even if you end up with the same answer of 12mo, data supporting it may
give comfort to the community.

Maybe you make a call that once it’s at say 1% or 0.1% or something like
that, then it’s OK to turn off - and make a prediction for when that might
be based on the historical data.

--
Nathan Ward


Facebook (account)

2019-04-09 Thread Nathan Anderson
Fellow NetOps,

I realize this is an unorthodox / off-topic request, but I've been trying to 
help a friend out and don't know how to advise her next.

If there is someone from FB here who has connections to someone in account 
security and is willing to contact me off-list, I'd really appreciate it.  A 
friend had her FB account of many years hijacked and then held for ransom by a 
random dude.  When she asked FB to intercede, she appeared to have her account 
back for a short time (< 24 hrs) before FB themselves blocked the account, and 
that's where we are now.  It's been over 2 weeks and she has been going round 
and round with "CS" and getting nowhere...whoever these robots are keep 
repeating requests for her to send in ID, which she does, and then they repeat 
the request again and it just goes in a circle.  I have a feeling that I know 
what's going on behind-the-scenes, but we can't seem to get a living, breathing 
human over there who isn't just reading a script to actually listen to her.  
Seriously, what is the average person supposed to do under these circumstances?

If this was just the story of a lone FB account I'm not sure I would bother and 
I'd just tell her to get a new one.  But she runs a business (popular local 
coffee shop) with a FB page that this account of hers was apparently the only 
admin for.

Thanks in advance for any leads,

-- 
Nathan Anderson
First Step Internet, LLC
nath...@fsr.com



RE: Facebook (account)

2019-04-10 Thread Nathan Anderson
Matt Harris wrote:
 
> On Apr 9, 2019, at 21:05, Nathan Anderson  wrote:
>
> > a FB page that this account of hers was apparently the only admin for.
> 
> Redundancy: it's not just a concept to be applied to devices and wiring.   

Preaching. To. The. Choir. :-)

-- 
Nathan Anderson
First Step Internet, LLC
nath...@fsr.com



Re: 44/8

2019-07-23 Thread Nathan Brookfield
Yeah because v6 only is the answer plus you're assuming all of these clubs have 
routers and BGP and the money to get an allocation and ASN

On 23 Jul 2019, at 22:59, Naslund, Steve  wrote:

How about this?  If you guys think your organization (club, group of friends, 
neighborhood association, whatever...) got screwed over by the ARDC, then why 
not apply for your own v6 allocation.  You would then have complete control 
over its handling and never have to worry about it again.  If you are not sure 
how to get started, visit ARIN's website.  It is not that difficult or expensive 
and it would not be hard to justify.

Steven Naslund
Chicago IL

> And after 75 messages, nobody has asked the obvious question. When is ARDC 
> going to acquire IPv6 resources on our behalf? Instead being all worried 
> about legacy resources we're highly underutilizing.
> 
> Ham Radio is supposed to be about pushing the art forward. Let's do that.
> 
> -KC8QAY



Re: Russian government’s disconnection test

2019-11-01 Thread Nathan Angelacos


> 
> Got crickets, so now I have to respond to my own post on 
> what I just found out about it.  Is that like talking to 
> yourself? :)

Not when others are listening.

Thanks for the update.





Re: ATT Mobile Outage San Juan, PR 8+ hours, 1 Million out.

2016-05-05 Thread Nathan Schrenk
It looks like www.outages.org stopped being updated with outage data in
January 2013?

Nathan

On Wed, May 4, 2016 at 3:57 PM, Bill Woodcock  wrote:

>
> > On May 4, 2016, at 4:37 PM, Javier J  wrote:
> >
> > If there is a better mailing list please let me know.
>
> outa...@outages.org
>
> -Bill
>
>
>
>
>


SNMP "bridging"/proxy?

2016-05-20 Thread Nathan Anderson
'lo all,

Is anybody out there aware of a piece of software that can take data from an 
arbitrary source and then present it, using a MIB or set of OIDs of your 
choosing, as an SNMP-interrogatable device?

We have some CPE that supports SNMP, but considers it to be a 
mutually-exclusive "remote management" protocol such that if you use another 
supported method for deployment and provisioning (e.g., TR-069), you cannot 
have both that AND SNMP enabled simultaneously.  It's one or the other.

We currently monitor and graph some device stats for these CPE with Cacti, but 
we want to be able to provision using a TR-069 ACS.  The ACS can collect some 
of the same data we are graphing right now, but cannot present it in a fashion 
that is nearly as useful as the way Cacti/RRDtool does (not to mention the 
staff is already used to navigating Cacti).  We know what SQL database table 
the stats are being stored in by the ACS, though, so my thought was that there 
must be some way that we can have a host respond to SNMP gets and then have it 
turn around and collect the value to be returned from a database.  Basically, 
an ODBC -> SNMP proxy.  We'd then point Cacti at that IP instead of the 
individual CPEs.  But I can't seem to find anything like this.

Thanks,

-- Nathan


RE: SNMP "bridging"/proxy?

2016-05-20 Thread Nathan Anderson
Hey, thanks guys!  I had never really looked that deeply into Net-SNMP and had 
only ever installed it either to use as a client (snmpget/snmpwalk) or a basic 
agent w/ standard MIBs for the host it's running on, so I was unaware of its 
extensibility.  And it even looks like it ships with a Perl module.  That 
sounds like a perfect solution; thanks for pointing me in the right direction.

-- Nathan
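
Added example, not part of the thread: one way the database-backed SNMP responder discussed above can be written against Net-SNMP's `pass` extension interface. The table `cpe_stats`, its columns, the metric names, the script path and the OID subtree `.1.3.6.1.4.1.99999.1` are all assumptions, and an in-memory SQLite database with constructed rows stands in for the ACS database.

```python
"""Net-SNMP `pass` handler that answers GET/GETNEXT from a SQL table (added example).

snmpd.conf (path is hypothetical):  pass .1.3.6.1.4.1.99999.1 /usr/local/bin/acs_pass.py
snmpd then runs the script as `acs_pass.py -g OID` or `acs_pass.py -n OID` and expects
three lines back (OID, type, value), or no output at all when there is no such object.
"""
import sqlite3
import sys

BASE = (1, 3, 6, 1, 4, 1, 99999, 1)      # placeholder subtree, not a real assignment
# OID layout assumed here: BASE.<cpe_id>.<metric_no>
METRICS = {1: ("rx_bytes", "counter"),
           2: ("tx_bytes", "counter"),
           3: ("rssi_dbm", "integer")}


def open_demo_db():
    """Constructed stand-in for the ACS statistics table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cpe_stats (cpe_id INTEGER, metric TEXT, value INTEGER)")
    db.executemany("INSERT INTO cpe_stats VALUES (?, ?, ?)", [
        (101, "rx_bytes", 48213377), (101, "tx_bytes", 9120034), (101, "rssi_dbm", -61),
        (102, "rx_bytes", 733), (102, "tx_bytes", 512), (102, "rssi_dbm", -74),
    ])
    return db


def parse_oid(text):
    """Turn '.1.3.6' into (1, 3, 6); anything that is not purely numeric is rejected.

    The OID comes from whoever can reach the agent, so it is reduced to integers
    before it gets anywhere near a query.
    """
    parts = text.strip().lstrip(".").split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def fmt(oid):
    return "." + ".".join(str(arc) for arc in oid)


def lookup(db, oid):
    """Return [oid, type, value] for an exact instance OID, or None."""
    if len(oid) != len(BASE) + 2 or oid[:len(BASE)] != BASE:
        return None
    cpe_id, metric_no = oid[-2:]
    if metric_no not in METRICS:
        return None
    name, snmp_type = METRICS[metric_no]
    row = db.execute(
        "SELECT value FROM cpe_stats WHERE cpe_id = ? AND metric = ?",
        (cpe_id, name),                   # bound parameters, never string-built SQL
    ).fetchone()
    return None if row is None else [fmt(oid), snmp_type, str(row[0])]


def handle_get(db, oid_text):
    oid = parse_oid(oid_text)
    return (lookup(db, oid) if oid else None) or []


def handle_getnext(db, oid_text):
    """Return the first instance that sorts after the requested OID (drives snmpwalk)."""
    oid = parse_oid(oid_text)
    if oid is None:
        return []
    cpe_ids = [r[0] for r in
               db.execute("SELECT DISTINCT cpe_id FROM cpe_stats ORDER BY cpe_id")]
    for cpe_id in cpe_ids:
        for metric_no in sorted(METRICS):
            candidate = BASE + (cpe_id, metric_no)
            if candidate > oid:           # tuple comparison is OID lexicographic order
                hit = lookup(db, candidate)
                if hit:
                    return hit
    return []


def main(argv):
    db = open_demo_db()
    if len(argv) == 3 and argv[1] in ("-g", "-n"):
        handler = handle_get if argv[1] == "-g" else handle_getnext
        reply = handler(db, argv[2])
        if reply:                         # print nothing when the object does not exist
            print("\n".join(reply))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A poller such as Cacti would then be pointed at the host running snmpd rather than at each CPE, which is the arrangement the original question describes.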


RE: SNMP "bridging"/proxy?

2016-05-20 Thread Nathan Anderson
On Friday May 20, 2016 @ 21:45, Robert Drake  wrote:

> I would move away from this CPE vendor.

I'm not thrilled with it either, but at this moment in time, this is easier 
said than done for many unfortunately good and unavoidable reasons.  We will 
see how the future plays out, though.

> [...] Or possibly have cacti run the
> SQL query directly.  It looks like they have many general (non SNMP)
> templates that you could use to base it on.

Another interesting suggestion & possibility.  Thanks.

-- Nathan


Re: Oct. 3, 2018 EAS Presidential Alert test

2018-10-03 Thread Nathan Stratton
On Wed, Oct 3, 2018 at 4:18 PM  wrote:

> Iphone, vzw, silicon valley, rcvd.
>
> Interesting question though... I wonder if people on micro-cells and/or
> wifi calling don’t get the alerts. That would be extremely dumb and
> irresponsible of the cell phone carriers, so it's likely the case :)
>

Very possible, I have two phones on a AT&T micro-cells and both missed it.

-Nathan


RE: Youtube Outage

2018-10-16 Thread Nathan Brookfield
Australia too….

From: NANOG  On Behalf Of Oliver O'Boyle
Sent: Wednesday, October 17, 2018 1:08 PM
To: marshall.euba...@gmail.com
Cc: North American Network Operators' Group 
Subject: Re: Youtube Outage

Same in Montreal.

On Tue, Oct 16, 2018 at 9:52 PM Marshall Eubanks wrote:
Reports (and humor) are flooding twitter.
On Tue, Oct 16, 2018 at 9:44 PM Ross Tajvar wrote:
>
> You beat my email by seconds. Yes, it is widespread.
>
> On Tue, Oct 16, 2018 at 9:39 PM, Kenneth McRae via NANOG wrote:
>>
>> Is this widespread?
>
>


--
:o@>



Re: Current diameter of the Internet?

2024-07-20 Thread Nathan Angelacos
On Sat, 2024-07-20 at 00:58 -0500, Stas Bilder wrote:
> Pity we can’t ping Voyagers.
> 
> S.


ROTFL,   you actually had me pull out Star Trek - The Movie... Wow...
what a blast from 1979.

So yeah ... According to our media outlets, RTT of the internet is ...
um 3 days.


Re: Current diameter of the Internet?

2024-07-21 Thread Nathan Angelacos
On Sun, 2024-07-21 at 16:10 -0700, Michael Thomas wrote:
> On 7/21/24 4:05 PM, Josh Luthman wrote:
>
> > Mel,
> >
> > Voyager is using radio waves, which travel faster than the speed of
> > light (in a vacuum, too!).  But my point is more Earth to outside
> > the solar system is ~24 hours so where did circumnavigating the
> > globe get three days of latency?


I'm the one who said 3 days.  I was wrong.   Can we go with 1.833 days
RTT (22 hrs out, 22 hrs back)?

Sorry folks.


Re: Current diameter of the Internet?

2024-07-22 Thread Nathan Angelacos
On Mon, 2024-07-22 at 17:05 -0400, Sean Donelan wrote:
> 
> OMG, Not trying to solve Einstein's General Theory of Relativity.
> 
> Just trying to choose reasonable timeouts for my TCP packets 
> :-)


To quote someone I respect

I have a bridge loop here for you. :D


Re: Current diameter of the Internet?

2024-07-22 Thread Nathan Angelacos
On Mon, 2024-07-22 at 17:57 -0400, Josh Luthman wrote:
> Right, that's why I asked where the 3 days come from.
> 
> I found an India website and I'm located in Ohio.  That's pretty
> close to the opposite side of the world.  I'm assuming it's a
> terrestrial service.  My results are comparable to others in this
> thread, 200-280 ms on the higher end.

To be serious, from my experience Comcast  consumer internet in
Monterey CA to Eritrea / Burkina Faso (which is pretty crazy to get to)
was within that range.


Re: IANA IPv4 Recovered Address Space registry updated

2017-03-04 Thread Nathan Brookfield
https://www.iana.org/assignments/ipv4-recovered-address-space/

Nathan Brookfield
Chief Executive Officer

Simtronic Technologies Pty Ltd
http://www.simtronic.com.au

On 5 Mar 2017, at 11:29, Doug Barton wrote:

Paula,

Thank you for this update. Is there a convenient resource for viewing the delta?

Doug

On 03/01/2017 12:15 PM, Paula Wang wrote:
Hi,



An update has been made to the IANA IPv4 Recovered Address Space registry 
according to the Global Policy for Post Exhaustion IPv4 Allocation Mechanisms 
by the IANA 
(https://www.icann.org/resources/pages/allocation-ipv4-post-exhaustion-2012-05-08-en).



The list of allocations can be found at: 
https://www.iana.org/assignments/ipv4-recovered-address-space/



Kind regards,



Paula Wang

IANA Services Specialist

PTI




Re: Please run windows update now

2017-05-12 Thread Nathan Brookfield
Well it was patched by Microsoft on March 14th, just clearly people running 
large amounts of probably Windows XP have been owned.

Largely in Russia.

Nathan Brookfield
Chief Executive Officer

Simtronic Technologies Pty Ltd
http://www.simtronic.com.au

On 13 May 2017, at 14:47, Keith Medcalf  wrote:


The SMBv1 issue was disclosed a year or two ago and never patched.
Anyone who was paying attention would already have disabled SMBv1.

Thus is the danger and utter stupidity of "overloading" the function of service 
listeners with unassociated road-apples.  Wait until the bad guys figure out 
that you can access the same "services" via a connection to the DNS port (UDP 
and TCP 53) on windows machines ...

-- 
˙uʍop-ǝpısdn sı ɹoʇıuoɯ ɹnoʎ 'sıɥʇ pɐǝɹ uɐɔ noʎ ɟı


> -Original Message-
> From: NANOG [mailto:nanog-bounces+kmedcalf=dessus@nanog.org] On Behalf
> Of Karl Auer
> Sent: Friday, 12 May, 2017 18:58
> To: nanog@nanog.org
> Subject: Re: Please run windows update now
> 
>> On Fri, 2017-05-12 at 10:30 -0800, Royce Williams wrote:
>> - In parallel, consider investigating low-hanging fruit by OU
>> (workstations?) to disable SMBv1 entirely.
> 
> Kaspersky reckons the exploit applies to SMBv2 as well:
> 
> https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/
> 
> I thought it was a typo in para 2 and the table, but they emailed back
> saying nope, SMBv2 is (was) also broken. However, they also say (same
> page) that the MS patch released in March this year fixes it.
> 
> Assuming they are right, I wonder why Microsoft didn't mention SMBv2?
> 
> Regards, K.
> 
> --
> ~~~
> Karl Auer (ka...@biplane.com.au)
> http://www.biplane.com.au/kauer
> http://twitter.com/kauer389
> 
> GPG fingerprint: A52E F6B9 708B 51C4 85E6 1634 0571 ADF9 3C1C 6A3A
> Old fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> 






Re: Please run windows update now

2017-05-15 Thread Nathan Fink
I show MS17-010 as already superseded in SCCM

On Fri, May 12, 2017 at 1:44 PM, Josh Luthman 
wrote:

> MS17-010
> https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Fri, May 12, 2017 at 2:35 PM, JoeSox  wrote:
>
> > Thanks for the headsup but I would expect to see some references to the
> > patches that need to be installed to block the vulnerability (Sorry for
> > sounding like a jerk).
> > We all know to update systems ASAP.
> >
> > --
> > Later, Joe
> >
> > On Fri, May 12, 2017 at 10:35 AM, Ca By  wrote:
> >
> > > This looks like a major worm that is going global
> > >
> > > Please run windows update as soon as possible and spread the word
> > >
> > > It may be worth also closing down ports 445 / 139 / 3389
> > >
> > > http://www.npr.org/sections/thetwo-way/2017/05/12/528119808/large-cyber-attack-hits-englands-nhs-hospital-system-ransoms-demanded
> > >
> >
>


Re: Arista hardware health and environmental nagios plugin

2017-05-22 Thread Nathan Schrenk
Bas,

Arista EOS supports ENTITY-SENSOR-MIB and exposes temperature sensors, etc,
via that MIB so you should be able to use any NAGIOS plugins that can pull
ENTITY-SENSOR-MIB data for environmental monitoring. For example,
https://exchange.nagios.org/directory/Plugins/Hardware/Others/check_entPhySensorValue/details
I haven't used that specific NAGIOS plugin myself -- it just turned up when
I searched and looked like it would do the job.

To find the index of the temp sensor(s) you want to monitor (e.g. CPU, back
panel, front panel, etc) you can drop into a bash shell on your Arista
switches and run something like "snmptable localhost
ENTITY-MIB::entPhysicalTable" and look at the entPhysicalDescr column to
see the available sensors. The actual sensor values are provided in
ENTITY-SENSOR-MIB::entPhySensorTable.

The indices in entPhySensorTable are constructed by
adding entPhysicalContainedIn + entPhysicalParentRelPos. For example, on my
switch I see a sensor named "Back-panel temp sensor" with
entPhysicalContainedIn=116000 and entPhysicalParentRelPos=3 so the
index into the ENTITY-SENSOR-MIB::entPhySensorTable would be 116000+3 =
116003:

$ snmpwalk localhost ENTITY-SENSOR-MIB::entPhySensorTable |grep 16003
ENTITY-SENSOR-MIB::entPhySensorType.16003 = INTEGER: celsius(8)
ENTITY-SENSOR-MIB::entPhySensorScale.16003 = INTEGER: units(9)
ENTITY-SENSOR-MIB::entPhySensorPrecision.16003 = INTEGER: 1
ENTITY-SENSOR-MIB::entPhySensorValue.16003 = INTEGER: 326
ENTITY-SENSOR-MIB::entPhySensorOperStatus.16003 = INTEGER: ok(1)
ENTITY-SENSOR-MIB::entPhySensorUnitsDisplay.16003 = STRING: Celsius
ENTITY-SENSOR-MIB::entPhySensorValueTimeStamp.16003 = Timeticks: (1063007379) 123 days, 0:47:53.79
ENTITY-SENSOR-MIB::entPhySensorValueUpdateRate.16003 = Gauge32: 5000 milliseconds


The entPhySensorValue value of 326 means 32.6 degrees Celsius because
entSensorPrecision=1 (meaning entPhySensorValue equals "degrees C times
10").

Nathan


On Fri, May 19, 2017 at 1:08 PM, bas  wrote:

> Hello All,
>
> Does anyone have a ready to use nagios/icinga plugin for hardware health
> and temperature monitoring of arista devices that they are willing to
> share? (7050, 7280 and 7500)
>
> With google searches I can't find any available.
>
> Arista TAC replied: "nagios does snmp, so that should fit you needs"
>
> There is https://github.com/ncsa/nagios-plugins which should be able to be
> augmented to do the extra checks.
> And with pyeapi it shouldn't be rocket science either. (for a developer,
> which I am not)
>
> If I were to request our devops department to build it it would probably
> put in back of a very long queue.
>
> So if there is anyone out there that is willing to share it would be
> greatly appreciated.
>
> Thanks,
>
> Bas
>
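
Added example, not part of the thread and not an existing Nagios plugin: a check that parses `snmpwalk` text for ENTITY-SENSOR-MIB, applies the scale and precision conversion described in the message above, and maps the result to Nagios exit codes. The function names, thresholds and the second sensor in the sample are assumptions; the first sensor's values are the ones quoted in the message.

```python
"""Nagios-style temperature check over ENTITY-SENSOR-MIB snmpwalk text (added example)."""
import re
from decimal import Decimal

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3   # Nagios plugin exit codes

# Power-of-ten exponents for the EntitySensorDataScale prefixes handled here;
# any other prefix is reported as UNKNOWN rather than guessed.
SCALE_EXPONENT = {"micro": -6, "milli": -3, "units": 0, "kilo": 3, "mega": 6}

# Constructed sample: sensor 16003 uses the values from the message, 16004 is invented.
SAMPLE_WALK = """\
ENTITY-SENSOR-MIB::entPhySensorType.16003 = INTEGER: celsius(8)
ENTITY-SENSOR-MIB::entPhySensorScale.16003 = INTEGER: units(9)
ENTITY-SENSOR-MIB::entPhySensorPrecision.16003 = INTEGER: 1
ENTITY-SENSOR-MIB::entPhySensorValue.16003 = INTEGER: 326
ENTITY-SENSOR-MIB::entPhySensorOperStatus.16003 = INTEGER: ok(1)
ENTITY-SENSOR-MIB::entPhySensorType.16004 = INTEGER: celsius(8)
ENTITY-SENSOR-MIB::entPhySensorScale.16004 = INTEGER: units(9)
ENTITY-SENSOR-MIB::entPhySensorPrecision.16004 = INTEGER: 1
ENTITY-SENSOR-MIB::entPhySensorValue.16004 = INTEGER: 0
ENTITY-SENSOR-MIB::entPhySensorOperStatus.16004 = INTEGER: unavailable(2)
"""

_LINE = re.compile(r"^ENTITY-SENSOR-MIB::entPhySensor(\w+)\.(\d+) = [\w-]+: (.*)$")
_ENUM = re.compile(r"^([A-Za-z]+)\(\d+\)$")


def sensor_index(contained_in, parent_rel_pos):
    """Index into entPhySensorTable, built the way the message describes."""
    return contained_in + parent_rel_pos


def parse_walk(text):
    """Group snmpwalk lines into {index: {column: value}}."""
    sensors = {}
    for line in text.splitlines():
        match = _LINE.match(line.strip())
        if match:
            column, index, value = match.groups()
            sensors.setdefault(int(index), {})[column] = value.strip()
    return sensors


def enum_name(value):
    """'celsius(8)' -> 'celsius'; raises ValueError on anything else."""
    match = _ENUM.match(value)
    if not match:
        raise ValueError(f"not an enumerated value: {value!r}")
    return match.group(1)


def decode(sensor):
    """Real-world reading: raw value * 10^scale / 10^precision, kept exact as Decimal."""
    scale = enum_name(sensor["Scale"])
    if scale not in SCALE_EXPONENT:
        raise ValueError(f"unhandled scale {scale!r}")
    exponent = SCALE_EXPONENT[scale] - int(sensor["Precision"])
    return Decimal(int(sensor["Value"])).scaleb(exponent)


def check_temperature(sensors, index, warn, crit):
    """Return (exit_code, message). Anything that cannot be trusted is UNKNOWN."""
    sensor = sensors.get(index)
    if sensor is None:
        return UNKNOWN, f"UNKNOWN - no sensor with index {index}"
    try:
        if enum_name(sensor["OperStatus"]) != "ok":
            return UNKNOWN, f"UNKNOWN - sensor {index} status {sensor['OperStatus']}"
        if enum_name(sensor["Type"]) != "celsius":
            return UNKNOWN, f"UNKNOWN - sensor {index} is {sensor['Type']}, not celsius"
        temp = decode(sensor)
    except (KeyError, ValueError) as exc:
        return UNKNOWN, f"UNKNOWN - sensor {index} unreadable: {exc}"
    if temp >= crit:
        return CRITICAL, f"CRITICAL - {temp} C"
    if temp >= warn:
        return WARNING, f"WARNING - {temp} C"
    return OK, f"OK - {temp} C"


if __name__ == "__main__":
    code, message = check_temperature(parse_walk(SAMPLE_WALK), 16003, warn=45, crit=55)
    print(message)
    raise SystemExit(code)
```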


RE: USA local SIM card

2017-09-18 Thread Nathan Anderson
 like it 
would be a problem.  (This may not solve your Canada problem, though...you'd 
still likely have to work out a separate solution for any time spent up there.)

Hope this helps,

--
Nathan Anderson
First Step Internet, LLC
nath...@fsr.com

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Max Tulyev
Sent: Sunday, September 17, 2017 10:08 AM
To: nanog@nanog.org
Subject: USA local SIM card

Hi All,

sorry for possible off-topic, I really did not know where to ask this.

I'm going to visit USA for two weeks. I want to buy a local prepaid SIM
card mostly for IP access.

Is it possible in USA to buy a prepaid SIM as a visitor, without long
term contract?

I need a public (can be dynamic) IP address, NOT over NAT, and (or)
IPv6, if possible.

My phone is GSM UMTS 3G.

Expected traffic volume is about 10G.

Will use it in New York City and Orlando City, not in rural areas.

Good data roaming tariff in Canada will be a big advantage.

What can you advise?

Thank you!



Re: AS36040 Prefix Limits

2017-10-18 Thread Nathan Brookfield
Both sides should be filtering advertisements.

The IX may just filter by AS Path, which is fairly normal, but the originating AS 
or transiting AS should be filtering the prefixes they advertise as well.

Nathan Brookfield
Chief Executive Officer

Simtronic Technologies Pty Ltd
http://www.simtronic.com.au

On 19 Oct 2017, at 17:23, Andy Davidson wrote:

Hi, Mike

On 18/10/2017, 18:39, Mike Hammett wrote:

I am looking for someone that can speak authoritatively regarding AS36040's
ability to change their own prefix limits, prefix filtering, etc.
My current contact is advising the IX to do the filtering for them, which
is not something IXes should be doing.

Unless this is in conjunction with a multilateral peering session 
(“route-server”), when prefix-filtering is something that the IXP very much 
should be doing.

Andy



Re: Contacting AS6589 - "Beneficial Technologies"

2017-12-01 Thread Nathan Brookfield
The remainder of the advertisements being more /16’s from China. Seems very 
very bogus.

Nathan Brookfield
Chief Executive Officer

Simtronic Technologies Pty Ltd
http://www.simtronic.com.au

On 2 Dec 2017, at 02:27, Carlos M. Martinez wrote:

Hello all,

I’m trying to reach anyone at AS 6589, “Beneficial Technologies”. They are 
announcing large chunk of LACNIC unallocated space, as can be seen here: 
https://bgp.he.net/AS6589

Although I usually give people the benefit of doubt, in this case we are 
talking about 5 /16 prefixes. Talk about fat fingers.

Private email is ok.

Thanks

Carlos
LACNIC CTO


RE: do you use SPF TXT RRs? (RFC4408)

2010-10-04 Thread Nathan Eisenberg
> how many of you are using SPF records?  Do you have an opinion on their
> use/non use of?
 
We use SPF on most client domains.  On inbound filtering, we add no score for a 
lack of SPF record, and we reject mail if the SPF record hardfails.  We've seen 
it reduce domain-imposter spam.  It's not the ultimate spam fighting tool, but 
it does give you some control over your own domain for whoever will listen to 
it, which is handy.  The only 'DoS Mitigation'  I can think of is that the 
presence of a hardfail record would help keep your domain off the various DBLs. 
 You could call "getting a domain blacklisted" a denial of service, I suppose.

Nathan




Whois lookups (was: 2010.10.04 NANOG50 day 1 morning notes posted)

2010-10-04 Thread Nathan Eisenberg
http://kestrel3.netflight.com/2010.10.04-NANOG50-morning-notes.txt

"
Whois traffic has been going through the roof; they
added more proxies in front to support it.
Apparently, there's IP management packages that do
whois queries.  It would be good to find out who is
doing it, and talk to ARIN engineering, to find a better
way of handling it.
We can't keep up if so many machines on the internet
keep doing it like this.
Source addresses are all over, they're all over, not
sign of bots; could be a DLL or mac system startup
that's doing it.
Please, don't embed whois lookups in everyone's computers
like this!!
"

The only thing I know of is packages like fail2ban that perform WHOIS 
lookups when blocking IPs to generate abuse POC notification emails.  So more 
SSH bruteforce attacks = more whois lookups.

Nathan
 

> For those who might care, I've put version 1.0 of my notes from the morning
> session up at 
> http://kestrel3.netflight.com/2010.10.04-NANOG50-morning-notes.txt





RE: do you use SPF TXT RRs? (RFC4408)

2010-10-04 Thread Nathan Eisenberg
> If it passes SPF we remove a few points of the spam weight.

I would rethink this practice.  Many spammers publish SPF valid records these 
days precisely because of this.

Nathan 




RE: Facebook down!! Alert!

2010-10-06 Thread Nathan Eisenberg
> -Original Message-
> From: Guerra, Ruben [mailto:ruben.gue...@arrisi.com]
> Sent: Wednesday, October 06, 2010 1:47 PM
> To: nanog@nanog.org
> Subject: RE: Facebook down!! Alert!
> 
> Passes Andrew the shotgun... Please kill all FB threads with it. :)
> 
> The only thing I noticed being down last night is battle.net ;). Guess you
> know where my priorities are. Lol
> 
> -Rg

Minecraft.net keeps going down, maybe we should start a thread about that, too!

Nathan




RE: network name 101100010100110.net

2010-10-19 Thread Nathan Eisenberg
> I'm assuming we aren't making jokes here, but 3com.com was created in
> 1986:

I'm confused.  3com.com would not appear to be entirely numerical.  Or maybe 
someone spiked my coffee this morning.

Best Regards,
Nathan Eisenberg




RE: IPv4 sunset date set for 2019-12-31

2010-10-21 Thread Nathan Eisenberg
 
> Oooh. Did someone say IPv8?
> 

No god!   Not this again!

Nathan Eisenberg




RE: Optical Wireless

2010-10-22 Thread Nathan Eisenberg
> > I am looking for some vendors that make PtP optical wireless (laser)
> > gear. 
> 

Any reason you want an optical wavelength link, rather than a 23, 38, 60 or 
80Ghz Microwave link? 

Best Regards,
Nathan Eisenberg


RE: IPv6 fc00::/7 ??? Unique local addresses

2010-10-23 Thread Nathan Eisenberg
> Stateless autoconfig works very well, It would be just perfect if the
> network boundary was configurable (like say /64 if you really want it,
> or
> /80 -  /96 for the rest of us)

Why do you feel it's a poor decision to assign /64's to individual LANs?

Best Regards,
Nathan Eisenberg




RE: NSF.gov Unavailable

2010-10-27 Thread Nathan Eisenberg
> http://www.arlnow.com/2010/10/27/nsf-building-evacuated-in-ballston-after-apparent-lightning-strike/
> 
> lightning strike -> electrical fire
> 
>   -Dave

At the science foundation.  Nature has a sense of irony.




RE: IPv6 fc00::/7 - Unique local addresses

2010-11-01 Thread Nathan Eisenberg
> My guess is that the millions of residential users will be less and
> less enthused with (pure) PA each time they change service providers...

That claim seems to be unsupported by current experience.   Please elaborate.
 
Nathan




RE: RINA - scott whaps at the nanog hornets nest :-)

2010-11-08 Thread Nathan Eisenberg
> Been unexpectedly gone for the weekend, apologies for the delay.  Wow,
> can subjects get hijacked quickly here.  I think it happened within one or two
> emails.  It was just for weekend fun anyway...

So... You tossed a cow into a pool (that you knew was) filled with piranhas, 
waited a few days, and now you want to know where the cow went?

-Nathan


RE: RINA - scott whaps at the nanog hornets nest :-)

2010-11-09 Thread Nathan Eisenberg
> If you think peering points are the "middle" portion of the internet that all
> packets have to traverse, then this thread is beyond hope.
> 
> 
>   -- Niels.

Making sweeping generalizations at thin air is fun!

This statement could be easily true, just as it could be easily false.

Nathan




id.apple.com

2010-11-22 Thread Nathan Eisenberg
Would a mail-op from id.apple.com please contact me off-list?


RE: Static routes and reverse DNS with Cogeco

2010-11-30 Thread Nathan Eisenberg
> 1.  They absolutely refuse to delegate rDNS authority for a /24
> 2.  I was told they "do not do static routes" when I asked if I could have
> my /24 circuit converted to a /30 and have the remaining subnets routed to
> my end of /30.  Their suggested method is to put a router running proxy arp
> in front of my CMTS.
> 
> I am trying to escalate my case, but it looks like I am being forced into some
> kind of proxy-arp setup.

They won't speak BGP with you?




Re: Want to move to all 208V for server racks

2010-12-02 Thread Nathan Stratton

On Thu, 2 Dec 2010, Ricky Beam wrote:


On Thu, 02 Dec 2010 13:39:16 -0500, Kevin Day  wrote:
You can get breakers with GFIs built into them(called GFCIs), but they're 
favored less than putting them at the outlet. ...


I think they are now a violation of the NEC.  And they were delisted by UL 
years ago.  They pose a hazard as they will not react fast enough to prevent 
a fatal shock. (and the only ones I've ever seen were outlawed as the 
breaker itself was a fire hazard.)


They are

Bought some at Grainger the other day..

http://www.grainger.com/Grainger/wwg/search.shtml?searchQuery=GFCI+breaker&op=search&Ntt=GFCI+breaker&N=0&sst=subset

Home Depot also must have missed this:

http://www.homedepot.com/webapp/wcs/stores/servlet/Search?keyword=gfci+breaker&langId=-1&storeId=10051&catalogId=10053


<>

Nathan Stratton    CTO, BlinkMind, Inc.
nathan at robotics.net nathan at blinkmind.com
http://www.robotics.net    http://www.blinkmind.com



RE: "Unlimited" wireless data...

2010-12-03 Thread Nathan Eisenberg
> This came up in another thread yesterday or today, and I just got the
> solicitation mailer for Clearwire's WiMAX service in Tampa Bay, which they
> call "4G", though the ITU disagrees.
> 
> The AUP is here: http://www.clear.com/legal/aup

I cannot strongly enough discourage you from using their service.  My 
experience with them has been consistently awful - and given that they're 
headquartered in my area, that's unacceptable.  I'm informed that my experience 
is not at all unique - either to the Seattle area or to their service at large. 
 Their Wikipedia article tells you pretty much everything you need to know.

http://en.wikipedia.org/wiki/Clearwire

Their definition of unlimited tends to be "barely acceptable throughput levels, 
until you start streaming youtube/netflix or doing a long-running download or 
using bittorrent to seed files to your work PC and laptop or using your VPN to 
retrieve a document, in which case, we won't turn you off, we'll just silently 
jail you into a 32-128kbps bandwidth profile.   Also, have some poorly 
implemented NAT on our ludicrously underpowered CPEs!"

I also understand that they've been having financial difficulties, so they're 
unlikely to address the issues their customers are faced with.

If I were you, I would keep your backpack offline until another option is 
available.  You're not going to be able to use VOIP on their service, anyways.

Nathan
(Speaking as an individual - not as the company I work for.)


RE: U.S. officials deny technical takedown of WikiLeaks

2010-12-05 Thread Nathan Eisenberg
> Factoid: we outnumber the pigs by 1000 to 1.  Even if only 1% of us
> were
> to go out and shoot a pig, we would still outnumber them 10 to 1!  We
> *CAN* win -- wake up, people!
 
Dude.

As someone who was personally connected to this 
(http://www.komonews.com/news/local/78088192.html), and this, 
http://www.komonews.com/news/local/68320537.html I feel pretty justified in 
telling you to keep this 'shoot a pig' crap off the list.

Unbelievable.




RE: Cloud proof of failure - was:: wikileaks unreachable

2010-12-06 Thread Nathan Eisenberg
> The cloud is a failure. Too easy to get it down.
> I guess wikileaks returning to dedicated hosting proves that.
 
No, it just proves that organizational decisions are made by human beings that 
have values.  Whether or not those values are 'right' isn't the point - the 
point is that the technology isn't what failed here.

There are plenty of dedicated server hosts that would have shut off wikileaks 
under political pressure - and there are plenty of 'cloud' hosts who would have 
kept them up.  I don't think we can draw any pass/fail conclusions WRT cloud 
computing (defined here as virtualization-as-a-service) from the removal of 
Wikileaks from S3.

Nathan




RE: Cloud proof of failure - was:: wikileaks unreachable

2010-12-06 Thread Nathan Eisenberg
> In a cloud hosting environment, you typically don't know where your
> data and servers are, and thus you don't know what legal and political
> pressures they may be subject to. If that means that in practice you
> are subject to the combination of any pressure that can be applied to
> any one of the hosting centers maintained by your hosting provider,
> then "the cloud" indeed would seem pretty unattractive to anyone with
> politically or socially controversial content.

How is it more or less unattractive than having one's own servers in one's own 
office?  Lieberman and Co would simply have leaned on Mom's Best BGP (r) and 
Pop's Fastest Packets (r) instead of on Amazon, and the result would have been 
the same.

That's the catch with this here series of tubes - you don't control all of the 
tubes, even if you're Amazon, or Giant National ISP Co, or Massive National 
Fiber Plant Co.  The server infrastructure is the least interesting part of 
what happened to WikiLeaks.

Nathan




Re: Some truth about Comcast - WikiLeaks style

2010-12-15 Thread Nathan Angelacos

On 12/15/10 14:13, valdis.kletni...@vt.edu wrote:

On Wed, 15 Dec 2010 15:51:05 EST, Mikel Waxler said:


The reality is that most customers do not make uncapped connections. File
servers cap bandwidth per user and certain services, like gaming or
streaming media have a maximum rate. As long as the average data rate
allocated per customer is close to the usage then customers will not notice
the difference. Does it matter if it takes 10 seconds or 15 seconds to
download a 5 minute youtube clip?


The problem starts when that the choke point is congested enough that the
question isn't "10 seconds or 15", it's "4 mins 30 or 5 mins 30 for that 5
minute clip". Buffer underruns are incredibly annoying.


Or, from personal experience:

The movie stops because the buffer was exhausted, Netflix informs you 
"Your network connection has changed", shows a progress bar while it 
buffers /at a lower bitrate/.


Then you get to watch the rest of the movie like it was 1995.




RE: Some truth about Comcast - WikiLeaks style

2010-12-16 Thread Nathan Eisenberg
> All that said, the whole issue of 'local content' is going to continue to
> rage on for years to come.  Getting the content closer to the end user is
> going to be a key to reducing costs for the long-tail providers to homes and
> businesses.  Should it be incumbent on the CDNs to pay for colo at the
> headend?  That's a business decision that will entirely be driven by these
> ongoing disputes.

What I still don't understand is this (and please pardon my ignorance):

If the issue is the costs that long-tail providers must bear to transit content 
across their own network, and the solution is to move the content closer to the 
providers' customers, (why) is the content provider obligated to subsidize that?

If collocating equipment to the headend is truly the correct response (if it 
truly reduces the ISP's costs to provide access to that content, and truly 
results in a better customer experience), then surely the savings would cover 
the ISP's cost of collocating equipment at that ISP's own headends?  It seems 
reasonable to expect that a content provider come up with the equipment to be 
collocated, as well as bear the cost-burden of supporting that equipment, so 
there can't be a significant capex for the ISP...

The idea of buying colocation from a last-mile ISP to reduce that last-mile 
ISP's costs seems (at first glance) to be a hysterically unfair proposition - 
though it seems that incumbent ISPs may have great enough leverage to extract 
this revenue if they really want to.  Or am I off my rocker?

What is in the best interests of the customer?
 
Nathan




RE: Muni Fiber Last Mile - a contrary opinion

2010-12-23 Thread Nathan Eisenberg
> I'd be interested to see what comments nanogers have on this piece. I'm not
> well enough read to critically evaluate the guy's assertions.

I'm not familiar with a GPON system that provides gigabit to every subscriber 
under 'high congestion'.  I do know of FTTN systems that can provide a lot 
more than 10/50 service to the end user (VDSL2 or ethernet over coax).  What I 
really want to know is why 'Active Ethernet' didn't even make the chart...

I got a chuckle out of this:
"Provo County’s iProvo was hoping for 10,000 subscribers by July 2006 with the 
assumption that 75% of those customers would subscribe to lucrative triple play 
services, but the reality was 10,000 customers in late 2007 with only 17% of 
those customers subscribing to triple play"

A 75% upsell rate to triple play packages seems ludicrous.  I can't think of 
any industry that sees an upsell rate of 75% - can you (hell, I sold running 
shoes in high school, and the -target- upsell rate on 
shoestrings/socks/whatever-else was 15%).

Nathan


RE: Hotel Internet?

2010-12-24 Thread Nathan Eisenberg
> -Original Message-
> From: Ryan Finnesey [mailto:ryan.finne...@harrierinvestments.com]
> Sent: Friday, December 24, 2010 11:36 PM
> To: nanog@nanog.org
> Subject: Hotel Internet?
> 
> Is anyone within the group providing Internet access to Hotels?  It
> seems most of this market is controlled by Lodge Net.

Yep, my employer does.  And yes, yes it is.  Which is too bad.  Because their 
product is... crap.

(My personal opinion, and not that of my employer, who probably completely 
disagrees).




RE: Clearwire/Clear for branch office connectivity?

2011-01-05 Thread Nathan Eisenberg
> There
> appears to be zero interest in their business model to accommodate the
> enterprise.

In my own personal experience, there appears to be zero interest in their 
business model to accommodate the CUSTOMER.

They go on and on about how their frequency-space gives them a competitive 
advantage, but their network is unreliable and extremely traffic policed (try 
downloading something.  You MIGHT get close to the advertised speed for a few 
seconds, but you'll spend the next 2 hours browsing at the speed of mud when 
the traffic policer kicks in.  Do it too often, and it seems to stop 
de-limiting you altogether).  As far as I can tell, the issue isn't on the 
customer-leg, it's on their backhauls and core network.  Worse, their customer 
service is nonexistent, and their cancellation policy is a nightmare (so bad 
that there's a class action against them - not sure where it's at, haven't 
checked in a while).  

I have heard horror stories from their employees, their resellers, and fellow 
former customers.  They're filing/have filed for bankruptcy.  How many letters 
does it take to spell 'broken'?  If you have a POTS line at locations where you 
need a connection, find someone who will sell you dialup, or get 3G service 
from a cell carrier (careful - 4G Sprint service is provided by Clearwire).  
You will, sadly, be happier.

Nathan

(This is my own personal opinion based on my experiences and the experiences 
directly related to me by others.  It does not reflect solid fact or reality.  
My employer probably thinks my opinion is false - and it may well be.)




RE: Is NAT can provide some kind of protection?

2011-01-12 Thread Nathan Eisenberg
> And yet blaster type worms are less common now, and I still get the
> occasional reinfection reported where a computer shop installs XP pre-patch
> with a public IP. A simple stateful firewall or NAT router would stop that and
> allow them to finish patching the OS. There is always a new attack vector.
> 
> Jack

I'd argue that the above has everything to do with firewalling, and nothing to 
do with NAT.

Slightly OT: It boggles the mind a bit when I find desktop shops -not- using 
imaging.  I would think most people would prefer not to stare at OS install 
screens - and when you can blast out a fully patched XP image easily in sub-10 
minutes, the ROI is staggering.

Nathan




Re: Request Spamhaus contact

2011-01-17 Thread Nathan Stratton

On Mon, 17 Jan 2011, Jeffrey Lyon wrote:


Being a legitimate corporation means that we're accountable for
maintaining certain standards. Everyone assumes that because we
mitigate DDoS that we're no better than some offshore spam haven.


Will you please stop using "legitimate corporation" for what you guys are 
doing?



Nathan Stratton            CTO, BlinkMind, Inc.
nathan at robotics.net     nathan at blinkmind.com
http://www.robotics.net    http://www.blinkmind.com



RE: Request Spamhaus contact

2011-01-18 Thread Nathan Eisenberg
> It was blocked and I did verify it. A very small amount of our traffic
> comes in on PCCW and *they* were not honoring a tag that they've
> contractually agreed to honor. I can understand why it may be fun to
> make this look like a product of my own incompetence, and perhaps it
> is something I would have noticed if I wasn't busy responding to
> flames.
 
It may be a good policy going forward to do your own null-routes.  I realize 
that for a DDOS protection company, the ability to tag nullroutes upstream is 
handy, but you also need to nullroute the traffic on your own gear, or shut 
down the switch port.  Something that is completely independent of another 
organization, regardless of their contractual obligations to you.

If you were my employee, I would find the fact that you fat-fingered a 
nullroute to be highly concerning.  I would recommend that in addition to 
changing the way you do nullroutes, you also implement a change control policy 
which screens commands for approval before making configuration changes upon 
which your public declarations, and your reputation as a decent operator, rely.

Nathan Eisenberg




United Airlines Technical Contact

2011-01-19 Thread Nathan Charles
Does anybody have a technical contact for United Airlines?  I can't seem to
get in touch with any of the phone numbers or email addresses listed in
whois.

Regards,

Nathan Charles


RE: DSL options in NYC for OOB access

2011-01-24 Thread Nathan Eisenberg
> You can get a CLEAR WiMAX fixed modem with static IP address for $50
> (USD) monthly, or less if you opt for the low-bandwidth plan.

I wouldn't dare rely on something of that nature for a lifeline connection.  
I'd spring for the extra $30/mo.  It's expensive, but there ain't nothin' like 
a physical cable when it's 3AM on a Sunday.

Nathan




RE: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-25 Thread Nathan Eisenberg
> Even if every RIR gets to 3 /12s in 50 years, that's still only 15/512ths of
> the initial /3 delegated to unicast space by IETF. There are 6+ more /3s
> remaining in the IETF pool.

That's good news - we need to make sure we have a /3 for both the Moon and Mars 
colonies.  ;)

Nathan





RE: help needed - state of california needs a benchmark

2011-01-29 Thread Nathan Eisenberg
> We've learned to pick our fights, and this isn't one of them.
> 
> --
> Dan White

The most effective mechanism I've seen for explaining the problem is latency 
and VOIP.  Set up an artificially latency-ridden, high bandwidth connection, 
then connect to a PBX using a softphone.  One call is generally sufficient 
proof of the issue.

Ookla does offer another metric, at http://www.pingtest.net/, which provides 
some valuable additional information.  You can therefore infer an argument by 
speedtest.net:

Gov: Speedtest.net is an authoritative location for all testing.
Speedtest.net: Anyone can host our test application, so that is clearly false.

Gov: The only important factor in certification is bandwidth to speedtest.net.
Speedtest.net: We offer other connection quality tests that don't rely on 
bandwidth.

I often find that statements people make rely on half-truths gleaned from other 
people, and that generally, the fastest way to conclude an argument is to go to 
the source and extract the complete truth, and then present in contrast.  It is 
difficult to argue with your own source.  :-)

Nathan




RE: Connectivity status for Egypt

2011-01-31 Thread Nathan Eisenberg
> Here's an updated list:
> http://www.bgpmon.net/egypt-routes-jan31-2011.txt

Some decent opportunities for route aggregation in that list...


RE: AS numbers and multiple site best practices

2011-02-01 Thread Nathan Eisenberg
> I've had trouble finding any technical reason not to use it.  

What is important to you about having QA and Corporate use separate AS numbers? 
 Does using the same AS number result in a reduction of separation?

Nathan




RE: Gmail throttling?

2014-02-22 Thread Nathan Anderson
On Friday, February 21, 2014 4:59 PM, Eduardo A. Suárez 
<mailto:esua...@fcaglp.fcaglp.unlp.edu.ar> wrote:

> some of our users have forwarded the email to Gmail and Gmail now are
> complaining that this is bulk mail and delaying it.
> 
> We have SPF, DKIM, DMARC, even SRS to try these things do not happen :(

Have you double-checked your setup to make sure it is performing SRS correctly? 
 In my experience, Google is secretly blacklisting certain IPs for unknown, 
unpublished reasons, and implementing SRS seems to be a surefire workaround.

If you aren't on the secret blacklist, mail will still pass even if it fails 
SPF, but once you are on the blacklist, mail that fails SPF (either softfail or 
fail) will not be delivered.  If a user of yours is forwarding mail from your 
server to Gmail, the SPF check is not going to be against *your* SPF record, 
but against the original sender's SPF record, and so the check will fail (since 
the message looks like it is coming from you, and your MX won't be listed in 
the original sender's SPF record...thus, it will look like you are spoofing 
mail for the original sender).  Adding a valid SPF record to your domain and 
then implementing SRS on your mail server should ensure that all SPF checks 
pass, even for mail that your users are forwarding to Gmail.

I wrote a post detailing my experience and findings: 
http://www.brokenbitstream.com/gmail-spf-policy

-- 
Nathan Anderson
First Step Internet, LLC
nath...@fsr.com
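
The forwarding failure described in the message above, and the effect of SRS on it, as an added example (not part of the original post and not any mail server's own code). The domains, addresses, secret and day number are constructed, and the SRS0 rewriting is a simplified sketch of the published address layout, not an interoperable implementation.

```python
import base64
import hashlib
import hmac
import ipaddress

# Constructed SPF policies (example domains, documentation address ranges).
SPF_RECORDS = {
    "sender.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "forwarder.example": "v=spf1 ip4:198.51.100.25 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
B32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def check_spf(client_ip, mail_from):
    """Evaluate only the ip4 and all mechanisms of the MAIL FROM domain."""
    domain = mail_from.rsplit("@", 1)[1].lower()
    record = SPF_RECORDS.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if term == "all":
            return QUALIFIERS[qualifier]
        if term.startswith("ip4:") and ip in ipaddress.ip_network(term[4:], strict=False):
            return QUALIFIERS[qualifier]
    return "neutral"


def _timestamp(day):
    """Day counter modulo 1024, encoded as two base32 characters."""
    day %= 1024
    return B32[day >> 5] + B32[day & 31]


def _hash(secret, ts, domain, local):
    """Truncated HMAC binding timestamp, original domain and local part."""
    data = (ts + domain + local).lower().encode()
    digest = hmac.new(secret, data, hashlib.sha1).digest()
    return base64.b64encode(digest).decode()[:4]


def srs_forward(mail_from, forwarder_domain, secret, day):
    """Rewrite the envelope sender so SPF is checked against the forwarder."""
    local, domain = mail_from.rsplit("@", 1)
    ts = _timestamp(day)
    tag = _hash(secret, ts, domain, local)
    return f"SRS0={tag}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, secret, day, max_age=21):
    """Recover the original sender for a bounce; reject forged or stale tags."""
    local_part = address.rsplit("@", 1)[0]
    if not local_part.upper().startswith("SRS0="):
        raise ValueError("not an SRS0 address")
    fields = local_part[5:].split("=", 3)
    if len(fields) != 4 or len(fields[1]) != 2:
        raise ValueError("malformed SRS0 address")
    tag, ts, domain, local = fields
    if not hmac.compare_digest(tag, _hash(secret, ts, domain, local)):
        raise ValueError("hash mismatch")
    stamped = B32.index(ts[0].upper()) * 32 + B32.index(ts[1].upper())
    if (day - stamped) % 1024 > max_age:
        raise ValueError("timestamp expired")
    return f"{local}@{domain}"


def demo():
    secret = b"constructed-demo-secret"
    day = 16123                      # constructed "days since epoch" value
    original = "alice@sender.example"
    forwarder_ip = "198.51.100.25"   # the forwarding server, as Gmail sees it
    plain = check_spf(forwarder_ip, original)           # sender's policy applies
    rewritten = srs_forward(original, "forwarder.example", secret, day)
    with_srs = check_spf(forwarder_ip, rewritten)       # forwarder's policy applies
    bounce_to = srs_reverse(rewritten, secret, day + 3)
    return plain, with_srs, rewritten, bounce_to
```
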



Re: [[Infowarrior] - NSA Said to Have Used Heartbleed Bug for Years]

2014-04-14 Thread Nathan Angelacos

On 04/14/2014 07:14 PM, Michael Thomas wrote:


It's much, much worse than that. I can still read code plenty fine, but
bugs can be
extremely obscure, and triply so with convoluted security code where
people are
actively going after you to find problems in most inventive ways.
Openssl, etc,
probably need to be treated more like Mars Landers than the typical
github forkfest.



You mean this one? http://en.wikipedia.org/wiki/Mars_Climate_Orbiter

;)





SORBs Human

2011-06-15 Thread Nathan Eisenberg
Could a human being from SORBs please contact me off-list?  Your robot isn't 
functional, and you are listing one of our ARIN allocations as dynamic, when it 
is not.

(Yes, I know that 'no one uses' SORBs.  Customers don't care.)

Nathan




RE: Yup; the Internet is screwed up.

2011-06-22 Thread Nathan Eisenberg
> I agree, the whole use of the terms 'need' and 'want' in this conversation are
> ridiculous.  It's the Internet.  The entire thing isn't a 'need'.  It's not
> like life support or something that will cause loss of life if it isn't there.
> The only thing to even discuss here is 'want'.  Yes, consumers 'want'
> super-fast Internet, faster than any of us can comprehend right now.  1Tbps to
> the house, for everyone, for cheap!

Wait, the internet isn't a need?  Is this 1991?  Of course it's a need, as 
surely as heat or electricity are needs.

Without even trying, I can think of a dozen life-safety systems that rely 
solely on the internet for their functionality.

Nathan




RE: OT: Given what you know now, if you were 21 again...

2011-07-13 Thread Nathan Eisenberg
> > Given what you know now, if you were 21 and just starting into
> > networking / communications industry which areas of study or specialty
> > would you prioritize?
> 
> But in all seriousness, networking like I suppose most professions are not
> about knowing one thing and stopping. It's evolving rather rapidly so most
> thing you know now are irrelevant in decade or two. What you should learn is
> how to learn, how to attack problems and learn to love doing both.

Totally agree. 

IMHO, the truly challenging (and most important) skills aren't technical in 
nature.  They're things like the ability to work in, or especially lead, a team 
of people.  Things like building functional business processes that account for 
all the little details of operations, or professionally handling customers with 
utterly disparate cultural values (timeliness, the honoring of contractual 
obligations, etc).

So, I would put a strong initial emphasis on logic and critical thinking, as 
well as intercultural competence and basic business leadership/process 
engineering.  I'd also snap up any courses I could find on learning effectively 
or on using research tools.  Once you can learn effectively in a short period 
of time, and you know how to find the information you need to absorb, it 
becomes fairly trivial to acquire new technical (or otherwise) capacities.

In fact, the limiting factor starts to become your imagination - "what do you 
think you want to learn?", and the best way to combat this is to have a 
balanced life with a healthy dose of social interaction (read: women - later, 
family).  I've not yet met the person who won't burn out if they aren't 
distracted by non-virtual concerns on a regular basis.

Nathan Eisenberg



RE: [BULK] Re: SORBS contact

2011-07-30 Thread Nathan Eisenberg
> A valid and well put argument.  I don't know what we do with stuff to
> webmaster@ however I do know that it is possible that messages to it
> will go into the spamtrap system. (the spamtrap system has multiple
> entry points, and a mail going in does not guarantee a listing, but it
> is likely, especially if the message is repeated to multiple addresses
> and therefore is 'bulk'.)

Respectfully, I'm unconvinced that fewer than 10 recipients (sending to 
webmaster and cc'ing netops) constitutes sending in 'bulk'.  For instance, USPS 
requires 200 recipients for standard mail to classify such mail as 'bulk'[1].  
That number seems quite high to me, but then again, 2-10 seems quite low.

In the past, I've had a heck of a time getting blocks delisted from SORBs - 
even getting a PI assignment removed from the DUHL, which isn't even a list of 
abusive blocks, was tough.  Again respectfully, if so many operations people 
have a problem with the way SORBS operates, doesn't that represent a valid 
concern?  Operators constitute the bulk of your users, and they are, by and 
large, frustrated.  The fact that they are trying to reach out via other 
methods should tell you something - and it isn't that the operators are doing 
it wrong (and should therefore be punished).

Writing as a human, not as my employer,
Nathan Eisenberg
 
[1] - http://pe.usps.com/businessmail101/getstarted/bulkmail.htm




RE: FTTH CPE landscape

2011-08-04 Thread Nathan Eisenberg
> Why? As long as it can be a transparent router, why would it need to be
> a bridge?

Layer 2 CPE capability is a big deal, especially if you're doing unrouted 
multicast (see many TV/VoD over ethernet platforms for details).  But it's also 
nice for handing the customer a layer-2 service port like they're used to 
getting, if they want it that way.  The routing engine in CPE's is often simply 
not as capable as the bridging mechanism, so there's an end-user experience to 
consider.

It's also worth noting that this feature will probably become less important as 
IPv6 and DHCP6-PD becomes more widely deployed.  Until then, the extra routing 
in IPv4 starts to chew up some serious address space if you're rolling out 
thousands or more of the CPEs.  See most national ISP's CPE configuration if 
you think it's unusual to want to hand off services on a bridged interface- 
it's not, at all.

Nathan Eisenberg



RE: Prefix hijacking by Michael Lindsay via Internap

2011-08-21 Thread Nathan Eisenberg
> RIPE/ARIN/APNIC etc have zero actual authority over actual routing.

That is not a flaw in the system, it is a fundamental precept of it.  Their 
function (In Curran's words: "as the community has defined it") is as a 
registry of allocation data, not as some kind of authoritative regional route 
super-reflector.

> Yet another reason they aren't worth the money we flush down the toilet
> for them to do absolutely nothing.
 
It seems obvious to me that an internet without -some- kind of addressing 
registry will not function.  So you're being hyperbolic.

Hyperbole weakens any argument - it reveals that the proponent is not 
rationally considering the issue.  I suspect you are completely aware that the 
RIRs perform real functions, and that your real objection is that they don't 
operate at some arbitrary level of efficiency, or perform some additional role 
that you've predefined (but not shared in your argument).  Without a shared 
definition, it is impossible to have a constructive conversation (and I am 
assuming that you are on NANOG to be constructive, rather than to troll 
operators).

John Curran appears to be completely open to constructive suggestions, so if 
you have real and substantive input, why not contribute your intellect to the 
problem and talk to him?  Every organization has things they could be doing 
better, but as in physics, it often requires some new outside force to make it 
happen.

Nathan Eisenberg


Re: Route Optimization Software / Appliance

2011-08-23 Thread Nathan Stratton

On Mon, 22 Aug 2011, Babak Pasdar wrote:


Hello Group,

I was wondering if anyone could share their experience with any route 
optimization approaches, methodologies or platforms, either open source or 
commercial (Internap FCP), that can actively adjust BGP parameters based on 
latency and number of layer 3 hops to a network rather than AS hops.  We have 
upstreams all over the country and we would like to automate optimization to 
take the best egress path.


We were using Internap, but ended up writing our own so that we could look 
at a larger number of speakers. The technology is not that complicated, you 
basically take netflow data and send it to a host that has tunnels over 
each one of your BGP peers that you care about. It then uses a combination 
of traceroute and ping to collect its data that is then injected back to 
the router over BGP.



Nathan Stratton            CTO, BlinkMind, Inc.
nathan at robotics.net     nathan at blinkmind.com
http://www.robotics.net    http://www.blinkmind.com
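
An added sketch of the decision step in the loop described above, where probe results gathered through each upstream are turned into per-prefix egress choices to inject over BGP (example code, not the poster's software). The scoring weights, loss threshold, hysteresis margin, upstream names and probe samples are all assumptions constructed for illustration.

```python
from statistics import median

MAX_LOSS = 0.3        # assumption: ignore an upstream losing more than 30% of probes
HOP_WEIGHT_MS = 2.0   # assumption: each layer 3 hop counts like 2 ms of latency
MARGIN_MS = 5.0       # assumption: required improvement before moving a prefix

# Constructed probe samples: prefix -> upstream -> [(rtt_ms or None if lost, l3_hops)]
PROBES = {
    "203.0.113.0/24": {
        "upstream-a": [(42.0, 11), (44.5, 11), (41.2, 11), (None, 11)],
        "upstream-b": [(28.3, 9), (27.9, 9), (30.1, 9), (29.0, 9)],
    },
    "198.51.100.0/24": {
        "upstream-a": [(55.0, 12), (54.1, 12), (56.3, 12), (55.5, 12)],
        "upstream-b": [(53.9, 14), (54.4, 14), (None, 14), (None, 14)],
    },
    "192.0.2.0/24": {
        "upstream-a": [(30.0, 10), (30.0, 10), (30.0, 10)],
        "upstream-b": [(29.0, 10), (29.0, 10), (29.0, 10)],
    },
}
# Constructed view of which upstream each prefix currently leaves through.
CURRENT = {
    "203.0.113.0/24": "upstream-a",
    "198.51.100.0/24": "upstream-b",
    "192.0.2.0/24": "upstream-a",
}


def score(samples):
    """Lower is better; None means the path is too lossy to be considered."""
    rtts = [rtt for rtt, _ in samples if rtt is not None]
    loss = 1 - len(rtts) / len(samples)
    if not rtts or loss > MAX_LOSS:
        return None
    hops = median(h for _, h in samples)
    return median(rtts) + HOP_WEIGHT_MS * hops


def plan_overrides(probes, current):
    """Return {prefix: upstream} for prefixes that should change egress."""
    overrides = {}
    for prefix, by_upstream in probes.items():
        usable = {}
        for upstream, samples in by_upstream.items():
            value = score(samples)
            if value is not None:
                usable[upstream] = value
        if not usable:
            continue  # nothing measurable, leave normal BGP selection alone
        best = min(usable, key=usable.get)
        now = current.get(prefix)
        if now == best:
            continue
        now_score = usable.get(now)
        # Move if the current path is unusable, or the gain beats the margin
        # (the margin keeps small measurement noise from flapping routes).
        if now_score is None or now_score - usable[best] > MARGIN_MS:
            overrides[prefix] = best
    return overrides
```
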



RE: VRF/MPLS on Linux

2011-08-23 Thread Nathan Eisenberg
> Jared,
> Thank you for your reply.  The one issue I have is how can I label
> traffic to match a given table (i.e. ping VRF or snmp VRF).  I don't
> see any way this can be done with normal BSD sockets, finding a way to
> get my application to 'color' the traffic has been a little evasive.
> The developers I am working with are using Mule for their data
> collection.  I would really prefer to add an MPLS tag to mark the
> traffic, but I will investigate what I can do using the Linux routing
> features and 802.1q tags.
 
I don't know about Mule, but Zabbix has the concept of premise-based proxy 
servers which work around this issue, and it works quite well.  

Perhaps this issue can be solved at the application layer with some similar 
proxying methodology, rather than making this a very complicated routing issue?





RE: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-16 Thread Nathan Eisenberg
> > As an ISP, ARIN will not give you any space if you are new. You have
> > to already have an equivalent amount of space from another provider.
> 
> does arin *really* still have that amazing barrier to market entry?

Yes.  If you want PI space, you have to start off with PA space, utilize it, 
and then apply for PI space and an AS #, with contracts demonstrating your 
intention to multihome.  Then, you have to *migrate* off the PA space and 
surrender it back to the 'owner'.  You cannot get further PI allocations until 
you've done this.



RE: wet-behind-the-ears whippersnapper seeking advice on building a nationwide network

2011-09-16 Thread Nathan Eisenberg
> When I still worked in the ISP world, the startup I worked for started off
> with PA space, and then grew into PI space, and handed the PA space back to
> their upstreams as it was vacated.  I had no problems getting subsequent PI
> blocks because our documentation was in order.

The documentation isn't the pain.  The renumbering is, *especially* if you're 
running a service provider network:

'Dear dedicated server customer, we're taking away your IPs, please don't be 
angry with us even though it will cost you untold hours of work to hunt down 
all the tiny implications of renumbering.  Never mind the lost business it 
might cause if you miss something.'

'Dear internet access user who happens to run a bunch of IPSEC tunnels: Have 
fun fixing all your tunnels!  Don't worry, we'll figure out an off-hours time 
that works for everyone, and that makes all the pain go away, right?  You won't 
harbor any resentment, right?'

(Wow, that comes off more bitter than I expected...)

Oh well... Since new IPv4 allocations are fast approaching the same scarcity as 
unobtanium, I guess it's too late to worry about it now.  Anyways, apparently 
IPv6 fixes all of this, or something.

Nathan


