Re: How to have open more than 65k concurrent connections?

2010-10-14 Thread Phil Regnauld
Jorge Amodio (jmamodio) writes:
> you have only 16-bits for port numbers.

65k port numbers != number of connections.

The number of open connections (if we're talking TCP) is
limited by the number of max file descriptors in the kernel
(fs.file_max).

See also:


http://www.network-builders.com/maximum-simultaneous-network-connections-t56317.html

You could have hundreds of thousands of connections to
the same (destination IP, destination port).

In practice, there are other limitations:

http://www.kegel.com/c10k.html is good reading, even though
it is a few years old.
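As an added illustration of the point made above (example code, not part of the original post): the script below opens a number of TCP connections to one and the same (destination IP, destination port) on loopback and shows that the kernel tells them apart by the full 4-tuple, so the 16-bit port space is not the ceiling on connection count. It also reads the process file-descriptor limit and, on Linux, the system-wide ceiling (the sysctl is written `fs.file-max`), which are the limits that actually bite first. Interface, host and count values are constructed for the demonstration.

```python
import resource
import socket
from typing import Optional, Tuple


def open_connections(n: int, host: str = "127.0.0.1") -> Tuple[int, int, int]:
    """Open n client connections to a single listening socket on loopback.

    Returns (distinct 4-tuples seen by the server, distinct destinations,
    soft RLIMIT_NOFILE).  Every connection shares the same destination
    (host, port); only the client's source port differs.  65k ports therefore
    bound how many connections ONE client address can open to ONE destination,
    not how many connections a server can hold.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind((host, 0))          # port 0: let the kernel pick a free port
    listener.listen(n)
    dst = listener.getsockname()

    clients, accepted = [], []
    try:
        for _ in range(n):
            clients.append(socket.create_connection(dst))
            conn, _peer = listener.accept()
            accepted.append(conn)
        # A connection is identified by (src ip, src port, dst ip, dst port).
        tuples = {s.getpeername() + s.getsockname() for s in accepted}
        destinations = {s.getsockname() for s in accepted}
    finally:
        for s in clients + accepted:
            s.close()
        listener.close()

    soft_fd_limit, _hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    return len(tuples), len(destinations), soft_fd_limit


def system_fd_ceiling(path: str = "/proc/sys/fs/file-max") -> Optional[int]:
    """Return the system-wide open-file ceiling (Linux fs.file-max), or None
    when it cannot be read (non-Linux host, restricted sandbox)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


if __name__ == "__main__":
    tuples, dests, fd_limit = open_connections(200)
    print(f"{tuples} connections to {dests} destination; per-process fd limit {fd_limit}")
    print(f"system-wide fs.file-max: {system_fd_ceiling()}")
```

Raise the count in `open_connections` towards your `ulimit -n` and the first failure you hit is `EMFILE`, not port exhaustion; that is the limit the thread is talking about.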




Re: Failover IPv6 with multiple PA prefixes (Was: IPv6 fc00::/7 — Unique local addresses)

2010-10-21 Thread Phil Regnauld
Jeroen Massar (jeroen) writes:
> 
> Now the problem with such a setup is the many locations where you
> actually are hardcoding the IP addresses/prefixes into: firewalls, DNS
> etc. That is the hard part to solve, especially when these services are
> managed by other parties.

And probably the reason why most won't deploy RA and multiple prefixes.
Hardcode and NAT, baby!



Re: flow analysis for juniper devices

2010-11-14 Thread Phil Regnauld
Mehmet Akcin (mehmet) writes:
> hey there
> 
> any recommendations on freeware flow analysis tool which can show the flow
> not only per prefix basis but also show asn and/or country/region as well?
> Juniper only.

Hi Mehmet,

As someone else answered, export v9 flows and then run something
like NFsen or Netflow Dashboard.

On that, Geo::IP will provide country/region info (for example):
http://search.cpan.org/~borisz/Geo-IP-1.38/lib/Geo/IP.pm

Cheers,
Phil



Re: vmware recover a 4.0 boot with a 4.1 cd

2011-01-05 Thread Phil Regnauld
Randy Bush (randy) writes:
> borked vmware boot, reset says no opsys found.  it's a 4.0 system.
> 
> can i do recovery (saving vmfs) using 4.1 cd, or must i use 4.0?

Yes, it will work for accessing the vmfs, at the very least.

Phil



Re: NIST IPv6 document

2011-01-05 Thread Phil Regnauld
Jeff Wheeler (jsw) writes:
> 
> IPv4) 

[...]

> Not good, but also does not affect any other interfaces on the router.

You're assuming that all routing devices have per-interface ARP tables. 

> IPv6)
>  Typically, this breaks not just on that interface, but on the entire
> router.  This is much worse than the v4/ARP situation.

Inverse assumption here.

Doesn't change much to the case scenario you've put forward
as a cause to the problem, but still wanted to point it out.

Cheers,
Phil



Re: NIST IPv6 document

2011-01-05 Thread Phil Regnauld
Jeff Wheeler (jsw) writes:
> are badly needed.  The largest current routing devices have room for
> about 100,000 ARP/NDP entries, which can be used up in a fraction of a
> second with a gigabit of malicious traffic flow.  What happens after
> that is the problem, and we need to tell our vendors what knobs we
> want so we can "choose our own failure mode" and limit damage to one
> interface/LAN.

Well there are *some* knobs:


http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-addrg_bsc_con.html#wp1369018

Not very smart, as it just controls how fast you run out of entries.

I haven't read all entries in this thread yet, but I wonder if
http://tools.ietf.org/html/draft-jiang-v6ops-nc-protection-01 has been
mentioned ?

Seems also that this topic has been brought up here a year ago give
or take a couple of weeks:

http://www.mail-archive.com/nanog@nanog.org/msg18841.html


Cheers,
Phil



Re: NIST IPv6 document

2011-01-06 Thread Phil Regnauld
Owen DeLong (owen) writes:
> 
> But, Jeff, if the router has a bunch of /24s attached to it and you scan
> them all, the problem is much larger than 250 arp entries.
> 
> I think that's what Phil was getting at.

And so did Joel.  If you've got a crapload of VLANs attached to a box,
and you're routing these for customers (say, virtual firewall instances),
you'll see this easily.

I do understand the argument that sweeping a /64 will mean more L3->L2
lookups for directly connected subnets than in v4, but the problem domain
remains the same, and I think it's been already explained here that there
are various strategies to mitigate this.

Additionally I believe the size of typical recommended IPv6 space will
probably discourage idle scanning, though this may change as the resources
available increase, as Joe G. pointed out.  If it does not, we'll have to
address it if the existing mitigation techniques aren't sufficient.

Phil



Re: Network Simulators

2011-01-17 Thread Phil Regnauld
Arturo Servin (arturo.servin) writes:
> 
> GNS3
> http://www.gns3.net/
> 
>   This is another network simulator, mainly for academic research.
> 
> NS-2
> http://www.isi.edu/nsnam/ns/
> 
>   And you can always setup some virtual machines with DNSs, hosts and 
> routers with open-source software.

Also to add:

http://warriors.eecs.umich.edu/viz_tools/nam.html (referenced from
ISI.edu/nsnam above), and the Java version, JAVIS

Also worth looking at:

http://www.csse.uwa.edu.au/cnet/ (more for pure network simulation, not
tied to any particular protocol).


And of course, as suggested above, just using a virtual network using
something like VirtualBox/KVM and some Linux/BSD boxes, and throw in
maybe Dynamips / Dynagen / GNS3 (http://www.gns3.net/) if you want to
simulate some IOS.

Finally something like Quagga/BIRD for the routing protocol part.


Cheers,
Phil



Re: adaptec 5405 wedged

2011-01-18 Thread Phil Regnauld


On 19/01/2011, at 00.23, Randy Bush  wrote:

> any adaptec bios-level fu out there?  if so, please see
> http://archive.psg.com/110119.adaptec.pdf
> 

Hi Randy,

Did you see this bit about transfer speed issues?


http://ask.adaptec.com/scripts/adaptec_tic.cfg/php.exe/enduser/std_adp.php?p_faqid=16913

For those customers that are unable to update, or have a Series 2 (2045, 2405, 
2405Q, 2805) or a low-port Series 5 (5405, 5405Z, 5445, 5805, 5805Z, 5085, 
5805Z, 5805ZQ) controller, the Western Digital WD20EADS and WD2002FYPS drives 
will need to be jumpered down to 1.5Gb/sec in order to function properly 
(please refer to the specific jumper settings provided below). 


Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread Phil Regnauld
bmann...@vacation.karoshi.com (bmanning) writes:
>  as a test case, i built a small home network out of  /120. works just fine.
> my home network has been native IPv6 for about 5 years now, using a /96 and 
> IVI.
> 
> some thoughts.  disable RD/RA/ND.
>   none of the DHCPv6 code works like DHCP, so I re-wrote
>   client and server code so that it does.
>   static address assignment is a good thing for services like 
> DNS/HTTP
>   secure dynamic update is your friend
> 
> summary - its not easy, vendors don't want to help.  but it can be done.

Right - /64 is an assumption that's hardcoded many places.

But it does work.




Re: [outages] News item: Blackberry services down worldwide

2011-10-12 Thread Phil Regnauld
Joe Abley (jabley) writes:
> 
> On 2011-10-12, at 13:05, Leigh Porter wrote:
> 
> > Email on my iPhone is working fine.. ;-)
> 
> The blackberry message service is centralised with a lot of processing 
> intelligence in the core. Messaging services that use the core as a simple 
> transport and shift the processing intelligence to the edge have different, 
> less-dramatic failure modes.

This is not the case for corporate customers with dedicated servers,
AFAIU.

P.



Re: [outages] News item: Blackberry services down worldwide

2011-10-12 Thread Phil Regnauld
Joe Abley (jabley) writes:
> 
> > This is not the case for corporate customers with dedicated servers,
> > AFAIU.
> 
> I'm no expert, but my understanding is that at some/most/all traffic between 
> handhelds and a BES, carried from the handheld device through a cellular 
> network, still flows through RIM.

Correct - they need to transit at some point through the RIM servers.


http://www.interworks.com/blogs/wlyles/2010/01/14/why-rim-outage-affects-users-corporate-bes

That's just wrong on so many levels.

Cheers,
Phil



Re: Please change Mailman back to NOT force the rewrite for Reply-to

2011-10-15 Thread Phil Regnauld
John Peach (john-nanog) writes:
> > Normally I'd have just made this point privately, and perhaps only on 
> > Futures, but since it seems to be a recent change, I'm doing the public 
> > service of pointing it out, while asking that it be adjusted back.
> 
> I don't see that; I have to specifically choose to reply to the list.
> Maybe someone, like me, sets their own reply-to to the list.

From the headers.

X-Mailman-Version: 2.1.14
Precedence: list
Reply-To: nanog@nanog.org
List-Id: North American Network Operators Group 

Mutt asks me, but other mailers might not.

Cheers,
Phil



Re: Please change Mailman back to NOT force the rewrite for Reply-to

2011-10-15 Thread Phil Regnauld
Patrick W. Gilmore (patrick) writes:
> 
> Yes, he said he set reply-to  himself.  Look at your own post, it has no such 
> header.

Glenn Sieb (ges) writes:
> 
> I think you missed John's last sentence, Phil...

*sigh* back to the coffee machine.

P.




Re: Dnssec and ptr records

2011-10-18 Thread Phil Regnauld
Eric J Esslinger (eesslinger) writes:
> Quick question for those who have researched things more closely. I have 
> signed all my forward zones and think I've crossed my I's and dotted my T's, 
> but one thing I'm not sure of...
> 
> Are we supposed to setup signing for reverse dns zones?

Hi Eric,

Let me reverse the question: why wouldn't you ?

Cheers,
Phil



Abha Ahuja, 2001

2011-10-19 Thread Phil Regnauld
Abha passed away 10 years ago today.

Time flies.



Re: Network Asset/Service Track/Management

2011-11-01 Thread Phil Regnauld
Payam Poursaied (me) writes:
> Hi all
> 
> I'm looking for a system to keep track of network assets and also periodic 
> services in each pop site. Currently we have
> about 500 pop-sites. In each site we have DSLAMs, Linecards and also some 
> passive equipments including terminals, racks
> and ..
> 
> Also each site may have some recurring fees/services. Something like transit 
> link, power, rental space and .
> 
> Could you please share your experience with me

Hi Payam,

Some of what you mention can be handled with Netdot 
(https://netdot.uoregon.edu).

There is built-in support for maintenance contract definitions, but some
customization might be required. The good part about netdot is that it
will automate some of the inventory management if it has SNMP access to
your devices. Asset mgmt support is rather good for Cisco equipment, but
would have to be tested for other vendors.

Cheers,
Phil



Re: Arguing against using public IP space

2011-11-13 Thread Phil Regnauld
William Herrin (bill) writes:
> If your machine is addressed with a globally routable IP, a trivial
> failure of your security apparatus leaves your machine addressable
> from any other host in the entire world which wishes to send it
> packets. In the parlance, it tends to "fail open." Machines using
> RFC1918 or RFC4193 space often have the opposite property: a failure
> of the security apparatus is prone to leave them unable to interact
> with the rest of the world at all. They tend to "fail closed."
> 
> Think of this way: Your firewall is a deadbolt and RFC1918 is the lock
> on the doorknob. The knob lock doesn't stop anyone from entering an
> unlatched window, opening the door from the inside and walking out
> with all your stuff. Yet when you forget to throw the deadbolt, it
> does stop an intruder from simply turning the knob and wandering in.
>

That's not exactly correct. NAT doesn't imply firewalling/filtering.
To illustrate this to customers, I've mounted attacks/scans on
hosts behind NAT devices, from the interconnect network immediately
outside: if you can point a route with the ext ip of the NAT device
as the next hop, it usually just forwards the packets...

Phil



Re: Arguing against using public IP space

2011-11-13 Thread Phil Regnauld
Doug Barton (dougb) writes:
> On 11/13/2011 13:27, Phil Regnauld wrote:
> > That's not exactly correct. NAT doesn't imply firewalling/filtering.
> > To illustrate this to customers, I've mounted attacks/scans on
> > hosts behind NAT devices, from the interconnect network immediately
> > outside: if you can point a route with the ext ip of the NAT device
> > as the next hop, it usually just forwards the packets...
> 
> Have you written this up anywhere? It would be absolutely awesome to be
> able to point the "NAT IS A SECURITY FEATURE!!!" crowd to an actual
> demonstration of why it isn't.

Nope, but I could do a quick tut on how to do this against a natd/pf/
iptables or IOS with IP overload.

Arguably in *most* cases your CPE or whatever is NATing is behind
some upstream device doing ingress filtering, so you still need to
be compromising a device fairly close to the target network.

P.




Re: Arguing against using public IP space

2011-11-13 Thread Phil Regnauld
Chuck Church (chuckchurch) writes:
> When you all say NAT, are you implying PAT as well?  1 to 1 NAT really
> provides no security.  But with PAT, different story.  Are there poor
> implementations of PAT that don't enforce an exact port/address match for
> the translation table?  If the translation table isn't at fault, are the
> 'helpers' that allow ftp to work passively to blame? 

PAT (overload) will have ports open listening for return traffic,
on the external IP that's being "overloaded".

What happens if you initiate traffic directed at the RFC1918
network itself, and send that to the MAC address of the NAT device ?

In many cases, it just works. That's how IP forwarding works, after
all :)

inside net ------------[NAT]------------{ext net}------------[attacker]
192.168.0.0/24     .254 | 1.2.3.4                             1.2.3.5

S:1.2.3.5   D:192.168.0.1   next hop: 1.2.3.4

Now, on the way back *out* from the inside net, traffic from
192.168.0.1 back to 1.2.3.4 might get translated - it depends if
what the NAT is programmed to do if it sees, say, a S/A packet
with no corresponding SYN, on its way out. It might just get
dropped.  UDP would in some cases get natted, but since you
know your destination port on 1.2.3.5, you know what to expect,
and you can build an asymmetric connection since you control the
attacking host.

Either way, you've still injected traffic into the inside net.

Etc...
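To make the point of this message concrete from the operator's side (added example, not Phil's code or a tutorial he wrote): the script below models the forwarding decision of a NAT box for the packet in the diagram, once with NAT alone and once with an ingress filter on the external interface. Interface names (`eth0` external, `eth1` internal) and the connection-tracking states are assumptions; the two `iptables` lines in the comments are the real equivalent syntax for the filtered policy. The detail worth noticing is the order of the rules: by the time the forwarding decision is made, a legitimate reply has already been de-NATed back to the inside address, so the state match has to come before the drop.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INSIDE_NET = "192.168.0.0/24"    # inside net from the diagram above
EXT_IF, INT_IF = "eth0", "eth1"  # assumed interface names on the NAT box


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet arrived on
    src: str
    dst: str
    state: str      # connection-tracking view of the packet: "NEW" or "ESTABLISHED"


@dataclass(frozen=True)
class Rule:
    action: str                      # "ACCEPT" or "DROP"
    in_iface: Optional[str] = None   # None = any interface
    dst_net: Optional[str] = None    # None = any destination
    state: Optional[str] = None      # None = any conntrack state

    def matches(self, pkt: Packet) -> bool:
        if self.in_iface is not None and self.in_iface != pkt.in_iface:
            return False
        if self.state is not None and self.state != pkt.state:
            return False
        if self.dst_net is not None and \
                ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        return True


def forward_decision(rules: List[Rule], pkt: Packet, default: str = "ACCEPT") -> str:
    """First-match walk of a FORWARD chain; default ACCEPT, as on many NAT-only boxes."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# Policy A: NAT only.  Source NAT on the way out is a translation step; it puts
# no rule in the forwarding path, so a packet addressed to the inside net that
# shows up on the external interface is simply routed, exactly as described.
NAT_ONLY: List[Rule] = []

# Policy B: the same box with an ingress filter on the external interface.
# iptables equivalent (assumed interface names):
#   iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#   iptables -A FORWARD -i eth0 -d 192.168.0.0/24 -j DROP
INGRESS_FILTERED: List[Rule] = [
    Rule("ACCEPT", state="ESTABLISHED"),                 # replies to flows the inside opened
    Rule("DROP", in_iface=EXT_IF, dst_net=INSIDE_NET),   # anything else aimed at the inside net
]

# The packet from the diagram: S:1.2.3.5 D:192.168.0.1, arriving on the external side.
INJECTED = Packet(EXT_IF, "1.2.3.5", "192.168.0.1", "NEW")
# A reply to a flow that 192.168.0.1 itself opened.  The destination has already
# been rewritten back to the inside address when FORWARD sees it.
RETURN_TRAFFIC = Packet(EXT_IF, "1.2.3.5", "192.168.0.1", "ESTABLISHED")
# Inside host opening a new flow towards the outside.
OUTBOUND = Packet(INT_IF, "192.168.0.1", "1.2.3.5", "NEW")


def evaluate_policies() -> dict:
    """Decision for each constructed packet under both policies."""
    return {
        "nat_only_injected": forward_decision(NAT_ONLY, INJECTED),
        "filtered_injected": forward_decision(INGRESS_FILTERED, INJECTED),
        "filtered_return": forward_decision(INGRESS_FILTERED, RETURN_TRAFFIC),
        "filtered_outbound": forward_decision(INGRESS_FILTERED, OUTBOUND),
    }


if __name__ == "__main__":
    for name, verdict in evaluate_policies().items():
        print(f"{name:20s} {verdict}")
```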




Re: Network device command line interfaces

2011-11-23 Thread Phil Regnauld
Jonathon Exley (Jonathon.Exley) writes:
> However vendors of low cost routers/switches/muxes

Hi Jonathon, have you ever tried to work with a Catalyst Express 500 ?
A good example of a fully functional IOS device, where the vendor went
out of their way to disable Telnet/SSH, and force one to run CLI
commands via a Web UI.  You can do everything, but even "vty 0 x"
and "transport input telnet" won't give access.

> seem to take a stab in the dark and produce some really nasty stuff.

Cisco isn't exactly low cost, but the point here is exactly that:
take away CLI and tools that make automation easier, so that customers
will feel compelled to buy the more expensive stuff if they want
the fancy stuff (which, in this case, is actually LESS fancy).

It's not incompetence, it's called crippleware, and it's a business
model :)

> Maybe the vendors need some sort
> of best practices guide for what manageability features their kit
> needs to support to make them acceptable to the market. Does anyone
> know if there is anything along these lines?  

Yes, don't buy the cheap stuff :)

Phil



Re: btw, the itu imploded

2012-12-16 Thread Phil Regnauld
On Sun, Dec 16, 2012 at 12:20:57PM -0800, Doug Barton wrote:
> 
> I'm certain that most of you have already noticed how cutting off the 
> Internet is now on page 1 of every country's list of "Things to do when 
> there is an uprising ..."

In Egypt, this may actually have led to the opposite of what the regime
in place expected. Not the best source, but to illustrate:


http://content.usatoday.com/communities/technologylive/post/2011/01/egyptian-protestors-ditch-tech-use-word-of-mouth-to-mobilize/1

It was argued that because there was no access to the net, and no
other way to find out what was really going on, Egyptian citizens
got off their couches and down into the street, which in some
cases got some people to take sides and join the protests.

Case of damned if you do, and damned if you don't, as far as
censorship goes.

Phil



Re: IP Address Management IPAM software for small ISP

2012-12-20 Thread Phil Regnauld
Thilo Bangert (thilo.bangert) writes:
> > Then in your provisioning tools, you'd request resource from specific pool
> > via restful API. Humans would never manually write RD/RT/IP/VLAN in the
> > tool or in the configs. And this type of system is vastly simpler than the
> > IPAMs I see listed, once you get rid of all the UI candy, it gets rather
> > easy problem to solve.
> 
> this is a pretty accurate description of our requirements, as well. off the 
> top of my head we'd also manage phone numbers, key ids, and key box ids, with 
> it, but that would almost be a minor detail. ;-)

I think many of these requirements would be met by Netdot...

Cheers,
Phil



Re: IP Address Management IPAM software for small ISP

2012-12-20 Thread Phil Regnauld
Saku Ytti (saku) writes:
> 
> If exactly what I want exist, of course I'd love to have it. But evaluating
> options, working with them until you realise it does not work for you might
> take more time to just build it in-house to fit your needs and integrate to
> your existing systems.

http://xkcd.com/927/

> I have same opinion for NMS also. Everything I see offered is terrible and
> do not even solve easy-to-solve problems correctly.

Right, that's what's great about Open Source :D

Phil



Re: IP Management Software

2011-12-16 Thread Phil Regnauld
Shahab Vahabzadeh (sh.vahabzadeh) writes:
> Hi everybody,
> Can anybody share his/her experience with IP Management software? Which I
> can use for managing near 100K IP Addresses?
> IPPlan is not good enough, I think it's covering all my needs and not fully
> flexible.
> If you have discussed this before here, please share the link with me.

Hi Shahab,

Look at the archives for NANOG - there are plenty of solutions.

You might want to look at:
- Netdot: https://osl.uoregon.edu/redmine/projects/netdot
- TIPP: http://tipp.tobez.org/

Cheers,
Phil





Re: incoming smtp from v6 addresses

2012-01-04 Thread Phil Regnauld
Randy Bush (randy) writes:
> 
> 7.8% is over ipv6 transport
> 
> but only 2% of outgoing deliveries are over ipv6.
> 
> what do other folk see?

What's your primary configuration ?  Hub, end user system ?

Care to share the methodology ? I can run some stats, but want
to be sure we're comparing the same thing :)

Cheers,
Phil



Re: incoming smtp from v6 addresses

2012-01-04 Thread Phil Regnauld

Received

# grep 'amavis' mail.log | grep Passed | wc -l

1411 (1189 if only counting CLEAN, post amavisd)

# grep 'amavis' mail.log | grep Passed | grep IPv6 | grep -v '::1' | wc -l

255 (253 if only counting CLEAN - so less spam in IPv6 :)

Sent

# grep 'postfix/smtp' mail.log | grep 'status=sent' | grep -v '127.0.0.1' | wc -l

1422

# grep 'postfix/smtp' mail.log | grep 'status=sent' | egrep '\[([a-f0-9]{0,4}:)+[a-f0-9]{0,4}\]' | wc -l

13 (filtered out a v6 IP that gets a copy of every mail)


18% incoming, .9% outgoing...
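The grep pipelines above answer Randy's question with the log shape of one particular server. As an added example (not Phil's script), the following does the same count in a way that is easier to compare across sites: it classifies the peer by parsing the bracketed address with the `ipaddress` module instead of grepping for the literal string "IPv6", drops loopback hops (the amavisd reinjection on ::1 / 127.0.0.1), and lets you exclude a host such as the one that "gets a copy of every mail". The log lines are constructed in the shape of amavisd `Passed` lines and Postfix `smtp` `status=sent` lines, using documentation address ranges.

```python
import ipaddress
import re
from typing import Dict, Iterable, Optional

# Constructed sample log (not from any real server).  Mixed v4/v6 peers, one
# loopback hop in each direction, one deferred delivery, one archive copy.
SAMPLE_LOG = """\
Jan  4 10:00:01 mx amavis[2101]: (02101-01) Passed CLEAN {RelayedInbound}, [2001:db8:1::10]:52011 [2001:db8:1::10] <a@example.net> -> <b@example.org>, Hits: -2.1
Jan  4 10:00:05 mx amavis[2101]: (02101-02) Passed SPAMMY {RelayedInbound}, [198.51.100.7]:41122 [198.51.100.7] <c@example.net> -> <b@example.org>, Hits: 6.3
Jan  4 10:00:09 mx amavis[2101]: (02101-03) Passed CLEAN {RelayedInbound}, [::1]:33040 [::1] <d@example.org> -> <b@example.org>, Hits: -1.0
Jan  4 10:00:12 mx amavis[2101]: (02101-04) Passed CLEAN {RelayedInbound}, [203.0.113.9]:60123 [203.0.113.9] <e@example.com> -> <b@example.org>, Hits: -0.4
Jan  4 10:01:00 mx postfix/smtp[2200]: 1A2B3C: to=<f@example.com>, relay=mx.example.com[203.0.113.25]:25, delay=0.9, dsn=2.0.0, status=sent (250 OK)
Jan  4 10:01:03 mx postfix/smtp[2201]: 1A2B3D: to=<g@example.net>, relay=mx6.example.net[2001:db8:2::25]:25, delay=1.4, dsn=2.0.0, status=sent (250 OK)
Jan  4 10:01:04 mx postfix/smtp[2202]: 1A2B3E: to=<h@example.org>, relay=127.0.0.1[127.0.0.1]:10024, delay=0.1, dsn=2.0.0, status=sent (250 OK)
Jan  4 10:01:07 mx postfix/smtp[2203]: 1A2B3F: to=<i@example.org>, relay=mx.example.org[192.0.2.44]:25, delay=2.0, dsn=4.4.1, status=deferred (connection timed out)
Jan  4 10:01:09 mx postfix/smtp[2204]: 1A2B40: to=<archive@example.org>, relay=archive.example.org[2001:db8:ff::1]:25, delay=0.3, dsn=2.0.0, status=sent (250 OK)
"""

# amavisd "Passed <verdict> {...}, [peer]:port ..." ; an optional "IPv6:" tag is tolerated.
AMAVIS = re.compile(
    r"amavis\[\d+\]: \(\S+\) Passed (?P<verdict>\w+) \{[^}]*\}, \[(?:IPv6:)?(?P<addr>[^\]]+)\]")
# Postfix smtp client line with the relay's bracketed address and status=sent.
POSTFIX_SENT = re.compile(
    r"postfix/smtp\[\d+\]: \w+: to=<[^>]*>, relay=[^\[,]*\[(?:IPv6:)?(?P<addr>[^\]]+)\]:\d+, .*\bstatus=sent\b")


def classify(addr_text: str, exclude: Iterable[str] = ()) -> Optional[int]:
    """Return 4 or 6 for a real peer, None for loopback, unparsable or excluded hosts."""
    try:
        addr = ipaddress.ip_address(addr_text)
    except ValueError:
        return None
    if addr.is_loopback or str(addr) in {str(ipaddress.ip_address(x)) for x in exclude}:
        return None
    return addr.version


def v6_share(lines: Iterable[str], exclude: Iterable[str] = ()) -> Dict[str, Dict[str, int]]:
    """Count received (amavisd Passed) and sent (Postfix status=sent) messages by IP version."""
    inbound = {"total": 0, "v6": 0, "clean": 0, "clean_v6": 0}
    outbound = {"total": 0, "v6": 0}
    for line in lines:
        m = AMAVIS.search(line)
        if m:
            ver = classify(m["addr"], exclude)
            if ver is None:
                continue
            inbound["total"] += 1
            inbound["v6"] += ver == 6
            if m["verdict"] == "CLEAN":
                inbound["clean"] += 1
                inbound["clean_v6"] += ver == 6
            continue
        m = POSTFIX_SENT.search(line)
        if m:
            ver = classify(m["addr"], exclude)
            if ver is None:
                continue
            outbound["total"] += 1
            outbound["v6"] += ver == 6
    return {"inbound": inbound, "outbound": outbound}


def percent(part: int, whole: int) -> float:
    return round(100.0 * part / whole, 1) if whole else 0.0


if __name__ == "__main__":
    stats = v6_share(SAMPLE_LOG.splitlines(), exclude=["2001:db8:ff::1"])
    i, o = stats["inbound"], stats["outbound"]
    print(f"{percent(i['v6'], i['total'])}% incoming, {percent(o['v6'], o['total'])}% outgoing")
```

Feed it `mail.log` with `v6_share(open("mail.log"), exclude=[...])`; the two percentages are the figures Randy asked to compare.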




Re: IP Management Software

2012-01-13 Thread Phil Regnauld
Josh Baird (joshbaird) writes:
> In that case, there aren't too many options.  I have used IPPLAN in
> the past, and I have found it difficult to use and manage.  Most of
> the other open source IPAM packages are now vaporware.

Like, TIPP or Netdot ?

http://tipp.tobez.org/
http://netdot.uoregon.edu/




Re: accessing multiple devices via a script

2012-01-15 Thread Phil Regnauld
Abdullah Al-Malki (a.almalki1402) writes:
> Hi fellows,
> I am supporting a big service provider and sometimes I face this problem.
> Sometimes I want to access my customer network and want to extract some
> verification output "show commands" from a large number of devices.
> 
> What kind of scripting solutions you guys are using this case.

Hi Abdullah,

rancid ?

http://www.shrubbery.net/rancid/

Cheers,
Phil



Re: 2012.02.06 NANOG54 monday morning session notes are up

2012-02-06 Thread Phil Regnauld
Matthew Petach (mpetach) writes:
> I posted my notes from this morning's session at
> 
> http://kestrel3.netflight.com/2012.02.06-nanog54-morning-session.txt
> 
> in case people find them to be useful.

For those of us not attending, this is invaluable. Thanks a lot
for this work, Matt.

Cheers,
Phil



Re: Common operational misconceptions

2012-02-16 Thread Phil Regnauld
Mario Eirea (meirea) writes:
> Something that makes me crawl out of my skin is when they refer to an access 
> point as "router". 

I have colleagues that work with radio and wireless, and they crawl out
of *their* skin when I call an access point an access point, and they tell
me it's a station :)




Re: Common operational misconceptions

2012-02-16 Thread Phil Regnauld
Mark Andrews (marka) writes:
> If you want to know if your resolver talks IPv6 to the world and
> supports 4096 EDNS UDP messages the following query will tell you.
> 
>   dig edns-v6-ok.isc.org txt
> 
> Similarly for IPv4.
> 
>   dig edns-v4-ok.isc.org txt
> 

9.8.1P1 on a dual stacked native v6 host: I'm seeing TC on both answers,
the difference is the TCP answer comes through on v4 but v6 gives SERVFAIL.

Don't see any v6 fragments (that'd be a problem since PF doesn't handle
them on this host).

P.




Re: Common operational misconceptions

2012-02-16 Thread Phil Regnauld
Borderline dns-ops, sorry folks! - but this is interesting
as we've been talking about ipv6 being operational, and this
is part of it...

Mark Andrews (marka) writes:
> 
> If you are seeing TC between the resolver and the server and the TCP query is 
> being answers then
> something in the path is intercepting the DNS queries.

TC is on the answer from the remote server to my resolver, so yeah, seems
like something is messing with the packets.

> > Don't see any v6 fragments (that'd be a problem since PF doesn't handle
> > them on this host).
> 
> You should see something like this on the wire.  The second query is to answer
> dig's query over TCP.

I'm not seeing fragments as you are.

Here's what I see:

14:40:20.955876 IP6 2001:2000:1080:d::2.64561 > 2001:4f8:0:2::8.53: 52841 TXT? edns-v6-ok.isc.org. (36)
14:40:21.141948 IP6 2001:4f8:0:2::8.53 > 2001:2000:1080:d::2.64561: 52841*-| 0/0/0 (36)
14:40:21.142259 IP6 2001:2000:1080:d::2.53262 > 2001:4f8:0:2::8.53: Flags [S], seq 1112939462, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2571957531 ecr 0], length 0
14:40:21.327895 IP6 2001:4f8:0:2::8.53 > 2001:2000:1080:d::2.53262: Flags [R.], seq 0, ack 1112939463, win 0, length 0

Cheers,
Phil
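The four tcpdump lines in that message show the pattern Mark describes: a 36-byte UDP answer with the TC bit set (tcpdump prints `|` after the query id), followed by the resolver's TCP retry to port 53 being answered with a RST. As an added example (not part of the thread), here is a small triage script that reads tcpdump text output and reports whether truncation was seen and what happened to the TCP follow-up, which is the quickest way to tell "EDNS/TCP blocked in the path" from "server genuinely busy". The capture embedded below is Phil's own four lines, joined back onto one line each; the verdict strings are my naming.

```python
import re
from typing import Dict, List

# Phil's capture from the message above, one record per line.
CAPTURE = """\
14:40:20.955876 IP6 2001:2000:1080:d::2.64561 > 2001:4f8:0:2::8.53: 52841 TXT? edns-v6-ok.isc.org. (36)
14:40:21.141948 IP6 2001:4f8:0:2::8.53 > 2001:2000:1080:d::2.64561: 52841*-| 0/0/0 (36)
14:40:21.142259 IP6 2001:2000:1080:d::2.53262 > 2001:4f8:0:2::8.53: Flags [S], seq 1112939462, win 65535, options [mss 1440,nop,wscale 6,sackOK,TS val 2571957531 ecr 0], length 0
14:40:21.327895 IP6 2001:4f8:0:2::8.53 > 2001:2000:1080:d::2.53262: Flags [R.], seq 0, ack 1112939463, win 0, length 0
"""

# "<ts> IP|IP6 <addr>.<port> > <addr>.<port>: <rest>"
LINE = re.compile(r"^(?P<ts>\S+) IP6? (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)$")
# DNS header as tcpdump prints it: query id followed by flag characters,
# where '*' = AA, '+' = RD, '-' = RA not set, '|' = TC (truncated).
DNS_HDR = re.compile(r"^(?P<id>\d+)(?P<flags>[*+\-|$]*)\s")
TCP_FLAGS = re.compile(r"^Flags \[(?P<flags>[^\]]*)\]")


def split_endpoint(endpoint: str):
    """'2001:4f8:0:2::8.53' -> ('2001:4f8:0:2::8', 53); the port is after the last dot."""
    addr, port = endpoint.rsplit(".", 1)
    return addr, int(port)


def diagnose(capture: str) -> Dict:
    truncated: Dict[int, str] = {}   # query id -> server that sent the TC answer
    tcp53: List[tuple] = []          # (server address, TCP flags) for segments on port 53
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        src, sport = split_endpoint(m["src"])
        dst, dport = split_endpoint(m["dst"])
        rest = m["rest"]
        t = TCP_FLAGS.match(rest)
        if t:
            if 53 in (sport, dport):
                tcp53.append((src if sport == 53 else dst, t["flags"]))
            continue
        d = DNS_HDR.match(rest)
        if d and sport == 53 and "|" in d["flags"]:
            truncated[int(d["id"])] = src

    servers = set(truncated.values())
    syn_sent = any(s in servers and f == "S" for s, f in tcp53)
    syn_ack = any(s in servers and "S" in f and "." in f for s, f in tcp53)
    reset = any(s in servers and "R" in f for s, f in tcp53)

    if truncated and reset:
        verdict = "udp-truncated-tcp-refused"      # TCP/53 actively reset: interception or a filter
    elif truncated and syn_sent and not syn_ack:
        verdict = "udp-truncated-tcp-unanswered"   # TCP/53 silently dropped
    elif truncated:
        verdict = "udp-truncated-tcp-ok"           # fallback worked; large-answer path is fine
    else:
        verdict = "no-truncation-seen"
    return {"truncated_ids": sorted(truncated), "verdict": verdict}


if __name__ == "__main__":
    print(diagnose(CAPTURE))
```

Run it on `tcpdump -n -l port 53` output; a 0/0/0 answer carrying TC is itself a hint that something on the path, rather than the authoritative server, produced the reply.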



Re: X.509 Certs For Personal Use

2012-02-18 Thread Phil Regnauld
toor (lists) writes:
> I use http://www.startssl.com/ for all my personal certificates. I have
> not had any issues with the validations (once you have an account you
> can validate a domain by sending an email to a predefined list of
> contact addresses) and the certificates are issued instantly.

"Your request is being held up for review by our personnel".

Up to 6 hours. Must be their definition of instant :)

Cheers,
Phil



Re: X.509 Certs For Personal Use

2012-02-18 Thread Phil Regnauld
John Peach (john-nanog) writes:
> > 
> > "Your request is being held up for review by our personnel".
> > 
> > Up to 6 hours. Must be their definition of instant :)
> 
> It's nice to see that they actually do random reviews, rather than just
> issuing everything requested. I use startssl and have not had anything
> held for review.

And I did get my account and cert shortly after. So they are quick.

On the other hand, I'm not sure I'd trust a cert where they
happen to be the ones generating the key and the CSR themselves.
Yes, it's free, but that doesn't mean I want to give up all forms
of security :)

Cheers,
Phil



Re: X.509 Certs For Personal Use

2012-02-18 Thread Phil Regnauld


On 18/02/2012, at 19.58, Christopher Morrow  wrote:

> 
>  (sorry, the blog's url is stupid and long)
> 
> use your own key materials and gen your own csr ... silly simple

Yep someone else pointed me to this off list. Very useful - thanks!

Cheers
Phil



Re: RANCID script for monitoring the routes received from peers.

2012-03-08 Thread Phil Regnauld
Ajay Kumar (joinajay1) writes:
> Hello,
> 
> We are running IX in India. Has someone written a script for monitoring the
> route announcements from peers? If yes, would you like to share the code with
> me. It can be done via one script under the framework of RANCID. I want to
> know the difference of routes, which have been added or removed.
> Thanks in advance.
> Regards,
> Ajay Kumar

Hi Ajay,

Are you running IOS, JunOS, something else ? You could do it
via Rancid, using *login scripts. But there are ways to do this using SNMP
and BGP mibs:

http://www.oidview.com/mibs/0/BGP4-MIB.html

http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2&mibName=CISCO-BGP4-MIB

Note that the network monitoring platform Observium has built-in
support for tracking BGP sessions.

Finally, another way to do this that could spare the CPU on
your routers if you run this often would be to setup a peer running
Quagga (or BIRD) on a Linux/BSD host and run the monitoring there.

Cheers,
Phil



Re: Questions about anycasting setup

2012-03-10 Thread Phil Regnauld
Steve Gibbard (scg) writes:
> I have no idea what Cisco equipment Elmar is using, but I wouldn't jump to 
> the conclusion that it can't withdraw routes when needed.

Wouldn't the dns bit of ip sla do most of what's needed on IOS ?


http://www.cisco.com/en/US/docs/ios/12_4/ip_sla/configuration/guide/hsdns.html

some interesting examples at 
www.cisco.com/web/CA/events/pdfs/CNSF2011-Automations_for_Monitoring_and_Troubleshooting_your_Cisco_IOS_Network-Dan_Jerome.pdf

(slide 29 and onwards)

Note: this is more of a question than an assertion,
I've used quagga/ospfd for DNS anycasting within ISPs, and a script
to monitor the nameserver response, but I'd love to hear what people are
doing that's not host based.



Re: $1.5 billion: The cost of cutting London-Tokyo latency by 60ms

2012-03-23 Thread Phil Regnauld
Vitkovsky, Adam (avitkovsky) writes:
> 
> Can't wait for the neutrino SFPs :)

You know the shipping cost on a 2 light year thick lead SFP ?




Re: airFiber

2012-03-29 Thread Phil Regnauld
Drew Weaver (drew.weaver) writes:
> I've read that it requires perfect line of sight, which makes it sometimes 
> tricky.
> 
> Thanks,
> -Drew

Define perfect line of sight ? How is this different from any other wireless
link and the associated Fresnel zone ?

http://en.wikipedia.org/wiki/Fresnel_zone

Even 100 Mbit/s wireless equipment (which ubqt also happens to make great
gear for, at 800 USD / link) will need unobstructed view of the remote
point - and it's not all or nothing, the performance will degrade.

Cheers,
Phil




Re: rpki vs. secure dns?

2012-04-28 Thread Phil Regnauld
Nick Hilliard (nick) writes:
> 
> Leaving aside technical matters, this is one of the more contentious
> political issues with RPKI.  RPKI is a tool which can be used to locally
> influence routing decisions, but allows centralised control of prefix
> authenticity.  If this central point is influenced to invalidate a specific
> prefix, then that will cause serious reachability problems for that prefix
> on the Internet.

To me that seems like the most obvious problem, but as Alex put it,
"Everyone has the ability to apply an override on data they do not trust,
or have a specific local policy for."

> It will be difficult for politicians / legislators / LEAs to look at a
> technology like this and not see its potential for implementing wide-area
> Internet blocking.

> For sure, the LEAs currently looking at it are extremely interested.

Or the ITU ? :)

Cheers,
Phil



Re: rpki vs. secure dns?

2012-04-28 Thread Phil Regnauld
Rubens Kuhl (rubensk) writes:
> > In case you feel a BGP announcement should not be "RPKI Invalid" but 
> > something else, you do what's described on slide 15-17:
> >
> > https://ripe64.ripe.net/presentations/77-RIPE64-Plenery-RPKI.pdf
> 
> The same currently happens with DNSSEC, doing what Comcast calls
> "negative trust anchors":
> http://tools.ietf.org/html/draft-livingood-negative-trust-anchors-01

Yes, NTAs were the comparison that came to my mind as well. Or even
in classic DNS, overriding with stubs. You will get bitten by a bogus/
flawed ROA, but you'll have the chance to mitigate it. Any kind of
centralized mechanism like this is subject to these risks, no matter
what the distribution mechanism is.



Re: rpki vs. secure dns?

2012-04-30 Thread Phil Regnauld
Brandon Butterworth (brandon) writes:
> 
> or you wait for the Elders of the Internet to visit with blessings
> http://www.youtube.com/watch?v=iDbyYGrswtg

Didn't randy just chime in ?



Re: pbx recco

2012-05-15 Thread Phil Regnauld
Wayne Wenthin (wayne.wenthin) writes:
> Randy,
> 
> Greets from 105/102!
> Now that I've said that I have had some luck with Trixbox.   His fun will
> be getting the Cisco phones talking sip and liking it.

Am running Trixbox (which wraps FreePBX) for 11 users, and using 7940s.

Has been working like a charm for the last 3 years.

Phil



Re: Whois data compromised?

2012-06-26 Thread Phil Regnauld
Eric Rosenberry (eric.rosenberry) writes:
> Not sure where this data got injected into the system (or who knows,
> perhaps it's a DNS injection attack or something), but this certainly is
> not right.  :-(
> 

http://slacksite.com/humour/whois.html



Re: DDI (DNS+DHCP+IPAM) Solutions

2012-06-26 Thread Phil Regnauld


On 26/06/2012, at 19.37, Eric Cables  wrote:

> Can anyone respond with their experience with DDI in an Enterprise
> environment?  Have the tools been useful/reliable?  What is the pricing
> model? Replies can be on, or off, list

Have you looked at netdot (netdot.uoregon.edu) ?

Cheers,
Phil 



Re: IMPLEMENTING A SOFTWARE BASED ROUTE SERVER

2012-09-19 Thread Phil Regnauld
Joseph M. Owino  (jpmuga) writes:
> Hi,
> 
> Hope you are all well. I work at an exchange point and was seeking any 
> assistance on how to implement a software based route server as currently we 
> are using a Cisco Router for that purpose. Any form of assistance will be 
> highly appreciated.

Hello Joseph,

You could do this in a number of ways, running Quagga or BIRD (or even
BGPD) on a Linux or BSD server.

Quagga documentation even has a chapter on this:

http://www.nongnu.org/quagga/docs/quagga.html#SEC115


I'm sure several people on this list have experience with this and will
contribute. Also, it might be worth sending this inquiry to the AfNOG list as well
(afnog.org).

Finally (plug) we have some resources that may be of interest to you here:

https://nsrc.org/route-bgp-ixp.html

Cheers,
Phil



Re: Semi-automated L3 interface DNS records

2012-10-18 Thread Phil Regnauld
Pedersen, Sean (Sean.Pedersen) writes:
> Does anyone out there have any experience with a script, tool or appliance 
> that would help manage the creation and maintenance of DNS records for Layer 
> 3 interfaces on routers and switches?

Hi Sean,

Part of Netdot's (Network Documentation Tool - netdot.uoregon.edu)
functionality is to produce automated DNS zone exports based on the
IPAM information it manages, including L3 devices and their interfaces.

> We'd like to move toward this practice to help with troubleshooting and IPAM, 
> but it's not feasible to do it manually. At a minimum, I was mulling over the 
> idea of writing a script that would poll a device via SNMP to obtain 
> interface information, parse it, compare the results to DNS, then generate a 
> report if it found a miss. It wouldn't be fully-automated, but it would be 
> better than doing that portion of the work manually. Cleaning up dead entries 
> would be another issue.

Writing the scripts isn't too difficult, but as you write, you still
need to detect dead entries, differentiate between an interface
disappearing because it was deprovisioned, and the sudden disappearance
of a large number of IFs due to a script failing (is 1 dead entry
acceptable ? 10 ? 1000 ?)

Cheers,
Phil
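As an added illustration of the reconciliation and the "how many dead entries is acceptable" question above (this is not Netdot's code nor the poster's script), here is a small Python reconciler. It assumes interface records are named <ifname>.<device>.net.example, that the zone is a minimal BIND-style text with A records only, and that the inventory list stands in for what an SNMP poll of ifDescr / ipAdEntAddr would return; the sample zone and inventory are constructed.

```python
"""Reconcile interface A records against a device inventory, with a brake on
mass deletions. Added example (not Netdot's code nor the poster's script).
Assumptions: the zone is a simple BIND-style text file holding only A records,
and interface records are named <ifname>.<device>.net.example. The inventory
below stands in for what an SNMP poll of ifDescr / ipAdEntAddr would return."""
import re
from dataclasses import dataclass

DOMAIN = "net.example"  # assumed zone for interface records


@dataclass(frozen=True)
class Iface:
    device: str
    ifname: str
    ip: str


def iface_fqdn(iface: Iface) -> str:
    """ge-0/0/0 on rtr1 -> ge-0-0-0.rtr1.net.example. ('/', ':' and '.' are
    not hostname characters, so they are folded to '-'; naming assumption)."""
    label = re.sub(r"[^a-z0-9-]", "-", iface.ifname.lower()).strip("-")
    return f"{label}.{iface.device.lower()}.{DOMAIN}."


def parse_zone(text: str) -> dict[str, str]:
    """Return {fqdn: ip} for the A records of a minimal zone file."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line or line.startswith("$"):  # skip $ORIGIN / $TTL directives
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[-2] == "A":
            name = fields[0]
            if not name.endswith("."):
                name = f"{name}.{DOMAIN}."
            records[name.lower()] = fields[-1]
    return records


def plan_changes(inventory, zone_records, max_deletes=10, max_delete_fraction=0.25):
    """Compute upserts and deletes; mark the plan unsafe when the number of
    deletions looks like a failed poll rather than real deprovisioning."""
    desired = {iface_fqdn(i): i.ip for i in inventory}
    upsert = {n: ip for n, ip in desired.items() if zone_records.get(n) != ip}
    delete = {n: ip for n, ip in zone_records.items() if n not in desired}
    total = len(zone_records)
    too_many = len(delete) > max_deletes or (
        total > 0 and len(delete) / total > max_delete_fraction
    )
    return {"upsert": upsert, "delete": delete, "safe": not too_many}


# Constructed sample data: four live interfaces plus one new one ...
INVENTORY = [
    Iface("rtr1", "lo0", "192.0.2.254"),
    Iface("rtr1", "ge-0/0/0", "192.0.2.1"),
    Iface("rtr1", "ge-0/0/1", "192.0.2.5"),
    Iface("sw1", "Vlan10", "192.0.2.9"),
    Iface("sw1", "Vlan20", "192.0.2.13"),  # not yet in DNS
]
# ... and a zone that still carries a decommissioned SVI.
ZONE = """
$ORIGIN net.example.
lo0.rtr1        IN A 192.0.2.254
ge-0-0-0.rtr1   IN A 192.0.2.1
ge-0-0-1.rtr1   IN A 192.0.2.5
vlan10.sw1      IN A 192.0.2.9
vlan99.sw1      IN A 192.0.2.17   ; removed last month, never cleaned up
"""

if __name__ == "__main__":
    # second run simulates a poll that came back empty (script failure)
    for inv in (INVENTORY, []):
        plan = plan_changes(inv, parse_zone(ZONE))
        print(f"safe={plan['safe']} upsert={plan['upsert']} delete={plan['delete']}")
```

The first run proposes one add and one delete and is marked safe; the second, with an empty inventory, wants to delete every record and is refused, which is the distinction between deprovisioning and a broken poll. The thresholds are policy: pick them per site.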



Re: Detection of Rogue Access Points

2012-10-18 Thread Phil Regnauld
Raymond Burkholder (ray) writes:
> 
> NetDisco knows how to scan networks for mac addresses, arp addresses, ip
> addresses, etc.  It keeps track of deltas.  It may have be able to email
> deltas or something similar.Or run a query against the database, as I
> seem to recall it seems to hold historical data.

Yes, NetDisco will do this, and it has a query interface for looking
up MAC <-> associations, and where they were last seen.

Netdot (netdot.uoregon.edu, just mentioned it in an earlier mail) also
offers this functionality, and stores the information in the database for
querying/searching.

Jonathan Rogers (quantumfoam) writes:
> I, uh...don't actually know how to do that. I've not done very much with
> SNMP other than working with power management devices. If someone could
> direct me to a good tutorial, that would be much appreciated.

It's probably easier to use one of the tools mentioned than to start
writing your own. To do that, you'd have to retrieve the L2 
forwarding table from switches, and the ARP tables from L3 devices.
You have to query all active devices regularly and build/update your DB
from that. There are tools such as SNMP::Info
http://search.cpan.org/~maxb/SNMP-Info-2.01 that make this easier,
but still some amount of coding would be required.

It's then a matter of querying the DB, and looking for the MAC addresses
of suspected rogue devices, if they keep on showing up (you will see many
one-timers that don't reappear, which also grows the DB significantly over
time).

Phil
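To make the "retrieve the L2 forwarding table and ARP tables, build a DB, look for MACs that keep showing up" procedure concrete, here is an added Python example. It is not NetDisco or Netdot code; the allowlist of known MACs and the "several MACs behind one access port" heuristic are the author's assumptions (the latter goes beyond what the post says: a port that is not an uplink yet carries several MACs is a classic sign of a NAT box or AP plugged in downstream). The walk output is constructed in the shape net-snmp's snmpwalk prints: BRIDGE-MIB::dot1dTpFdbPort is indexed by the MAC as six decimal octets, and IP-MIB::ipNetToMediaPhysAddress is indexed by ifIndex.ip and carries the MAC.

```python
"""Build a MAC sighting database from switch bridge tables and router ARP
caches, then flag persistent unknown MACs and access ports carrying several
MACs. Added example for the thread above; not NetDisco or Netdot code. The
allowlist and per-port MAC count are the author's heuristics, not anything
the post prescribes. Input lines are constructed snmpwalk output."""
import re
from collections import defaultdict

FDB_RE = re.compile(r"dot1dTpFdbPort\.((?:\d+\.){5}\d+) = INTEGER: (\d+)")
ARP_RE = re.compile(
    r"ipNetToMediaPhysAddress\.\d+\.(\d+\.\d+\.\d+\.\d+) = STRING: ([0-9a-fA-F:]+)"
)


def mac_from_decimal(index: str) -> str:
    """'0.17.34.51.68.85' -> '00:11:22:33:44:55'"""
    return ":".join(f"{int(o):02x}" for o in index.split("."))


def mac_from_hex(text: str) -> str:
    """net-snmp prints '0:11:22:33:44:55'; normalise to zero-padded lowercase."""
    return ":".join(f"{int(o, 16):02x}" for o in text.split(":"))


def parse_fdb(text: str):
    """Yield (mac, bridge_port) pairs from a dot1dTpFdbPort walk."""
    for m in FDB_RE.finditer(text):
        yield mac_from_decimal(m.group(1)), int(m.group(2))


def parse_arp(text: str) -> dict:
    """Return {mac: ip} from an ipNetToMediaPhysAddress walk."""
    return {mac_from_hex(m.group(2)): m.group(1) for m in ARP_RE.finditer(text)}


class SightingDB:
    def __init__(self):
        # mac -> list of (poll_id, switch, port, ip-or-None), oldest first
        self.seen = defaultdict(list)

    def record(self, poll_id: int, switch: str, fdb_walk: str, arp_walk: str):
        arp = parse_arp(arp_walk)
        for mac, port in parse_fdb(fdb_walk):
            self.seen[mac].append((poll_id, switch, port, arp.get(mac)))

    def persistent_unknown(self, known_macs: set, min_polls: int = 2) -> dict:
        """MACs outside the allowlist present in at least min_polls polls;
        one-off sightings are ignored, as the post suggests."""
        out = {}
        for mac, sightings in self.seen.items():
            polls = {s[0] for s in sightings}
            if mac not in known_macs and len(polls) >= min_polls:
                _, switch, port, ip = sightings[-1]
                out[mac] = {"polls": len(polls), "switch": switch, "port": port, "ip": ip}
        return out

    def crowded_ports(self, poll_id: int, uplinks: set, max_macs: int = 1) -> dict:
        """Access ports that showed more than max_macs MACs in one poll. An
        uplink looks like this legitimately, so those are excluded; anything
        else is a candidate NAT box / rogue AP (heuristic, an assumption)."""
        per_port = defaultdict(set)
        for mac, sightings in self.seen.items():
            for pid, switch, port, _ in sightings:
                if pid == poll_id and (switch, port) not in uplinks:
                    per_port[(switch, port)].add(mac)
        return {k: sorted(v) for k, v in per_port.items() if len(v) > max_macs}


# Constructed walks for two polls of switch sw1 (port 24 is its uplink).
FDB_POLL1 = """
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.85 = INTEGER: 3
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.86 = INTEGER: 24
BRIDGE-MIB::dot1dTpFdbPort.222.173.190.239.0.1 = INTEGER: 7
"""
FDB_POLL2 = FDB_POLL1 + """
BRIDGE-MIB::dot1dTpFdbPort.222.173.190.239.0.2 = INTEGER: 7
BRIDGE-MIB::dot1dTpFdbPort.0.17.34.51.68.99 = INTEGER: 5
"""
ARP_WALK = """
IP-MIB::ipNetToMediaPhysAddress.10.192.0.2.10 = STRING: 0:11:22:33:44:55
IP-MIB::ipNetToMediaPhysAddress.10.192.0.2.40 = STRING: de:ad:be:ef:0:1
"""
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:56"}


def run_demo() -> tuple:
    db = SightingDB()
    db.record(1, "sw1", FDB_POLL1, ARP_WALK)
    db.record(2, "sw1", FDB_POLL2, ARP_WALK)
    return db.persistent_unknown(KNOWN_MACS), db.crowded_ports(2, uplinks={("sw1", 24)})


if __name__ == "__main__":
    unknown, crowded = run_demo()
    print("persistent unknown MACs:", unknown)
    print("crowded access ports:", crowded)
```

In the sample, de:ad:be:ef:00:01 is reported because it was present in both polls and is not on the allowlist, with the ARP table giving its IP; the two devices that appeared only once are not. Port 7 is flagged because two MACs sit behind it in the second poll. Keep the per-poll sightings rather than just "last seen", or the DB cannot answer "is it still there".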



Re: Whats so difficult about ISSU

2012-11-11 Thread Phil Regnauld
Saku Ytti (saku) writes:
> 
> I've sometimes wondered why Linux is so common, and not FreeBSD.

Historical reasons and good timing.

> Is it easier to hire people if you use Linux?

As opposed to... ?

> Or is GPL not really problematic issue,
> as you can hide your intellectual property in binary kernel modules?

You can't. The GPL has provisions for that. Common mistake, several
lawsuits have shown.

As Randy pointed out, Juniper is FreeBSD inside, and NetApp uses
it as well (+ number of other vendors that don't advertise it because
they don't have to).

Phil



Re: Big day for IPv6 - 1% native penetration

2012-11-25 Thread Phil Regnauld
joel jaeggli (joelja) writes:
> On 11/24/12 8:29 PM, Dobbins, Roland wrote:
> >On Nov 25, 2012, at 10:09 AM, joel jaeggli wrote:
> >
> >>from goeff huston's data they have more v6 at home.
> >And not purposely, either - because it's enabled by default on recent client 
> >OSes.  My guess is that a non-trivial fraction of observed IPv6 traffic 
> >today is unintentional.
> In their defense, they don't know they have ipv4 connectivity either.

They don't know it's not real IPv4 either :)

But yeah, if Joe Random enables 6to4 on his Airport Express without
understanding what it means, it still translates to more IPv6 traffic
during evenings and weekend from residential connections.

It'd be interesting to come up with a metric to compare "inadvertently"
vs "on purpose" v6 traffic. Free.fr, for instance, enables v6 by default
on their 6th gen freebox (set top box). Is that inadvertent ? For whom ?

Phil



Fw: new message

2015-10-25 Thread Phil Regnauld
Hey!

 

New message, please read <http://arsios.de/each.php?8x>

 

Phil Regnauld



Re: IPAM

2010-04-26 Thread Phil Regnauld



On 26/04/2010, at 17.57, Bryan Fields  wrote:

> Is anyone running IPplan? http://iptrack.sourceforge.net/  I looked at it
> before, and at the time its support of V6 was lacking.  Is anyone running
> this in a SP environment with v6?
> 
> Any other OSS tools for this people are using?


Check out tipp:

http://tipp.tobez.org/

There was a discussion thread on this topic not long ago here.

Cheers,
Phil




Re: IPAM

2010-04-26 Thread Phil Regnauld
Michael Hertrick (mike.hertrick) writes:
> 
> I found netdot recently.  It's a work in progress, but is coming along.
>  IPAM (with v6 support) is just one component; it has a lot of other
> features and uses as well, too many to list here.  Just check out the
> web site:
> 
> http://netdot.uoregon.edu

I'm working on a FreeBSD port of this one, which should make it much
easier to install.

Cheers,
Phil




Re: [dns-operations] Desire to migrate back to BIND

2010-04-28 Thread Phil Regnauld
Had forgotten to answer the list...

On 28/04/2010, at 07.07, Steve Bertrand  wrote:

> What I ask of the members of the community, is if you can make a
> recommendation on a piece of software that can bridge the gap so
> that my
> colleagues can use the pointy-clicky method of making simple changes
> (eg: A/MX, add domain etc) while keeping in mind that budget
> considerations are crucial, and there will always be the potential for
> someone making changes to the zone files directly (namely me).

Hi Steve,

There is BIND-DLZ and MyDNS to look at but I think both work directly
using a bind db driver so no possibility of editing the zone "by hand"
(unless you hack some export/import script using the zone transfer
functionality).

My company developed something that works with both GUI and text zone
editing including versioning, but it's not open source unfortunately.
It can drive any auth. nameserver software, not just bind.

I'm sure there might be other solutions around that do this as well
(though I haven't found one yet ;)

Cheers,
Phil



Re: [dns-operations] Desire to migrate back to BIND

2010-04-28 Thread Phil Regnauld
Steve Bertrand (steve) writes:
> 
> Thanks for the recommendations...
> 
> What I'm most confused about, is how this ended up on this list ;)



Duh. I did a reply from my iPhone, and then reread the mail that
came in, saw your "what I ask from the community" and realized I'd
forgotten to copy the list.

Then I typed "n" instead of "d" and it completed to Nanog instead of
dns-operati...@lists.dns-oarc.net :)

Sorry for the noise :(




Re: wanted: your old NAT home router

2010-04-29 Thread Phil Regnauld
Lars Eggert (lars.eggert) writes:
> Hi,
> 
> for a measurement study done together with Markku Kojo's team at the 
> University of Helsinki, we're looking to collect as many different NAT home 
> routers as possible. If you have an old clunker lying around somewhere, 
> please contact me off-list. I'll cover shipping via DHL. Feel free to forward 
> this email as you see fit.
> 
> The boxes will find a permanent home at the University of Helsinki. Study 
> results will be published openly. The intent is that this collection become a 
> resource for the community to be shared for future studies. 
> 
> Caveat: The boxes should NAT between Ethernet interfaces - we don't have DSL 
> or cable access equipment in the lab setup at the moment.

What about getting someone to donate an old DSLAM ?  Wouldn't that help ?

Phil



Re: Internationalized domain names in the root

2010-05-08 Thread Phil Regnauld
Neil Harris (neil) writes:
> 
> To fix it, the .eg / .xn--4gbrim TLD registrar needs to contact the
> Mozilla Foundation in order to inform the Foundation of their
> official IDN name allocation policy, so that the native-script URL
> display can then be switched on for their domain.
> 
> See https://bugzilla.mozilla.org/show_bug.cgi?id=564213  and
> http://www.mozilla.org/projects/security/tld-idn-policy-list.html

Wow, talk about layer violation.

Is there a central place where various TLDs' IDN policies will
be maintained ?  I see a scalability issue if TLDs have to communicate
to every single application maintainer out there what their policy is.

Cheers,
Phil



Re: Config and scheduled event management software?

2010-05-18 Thread Phil Regnauld
George Bonser (gbonser) writes:
> Anyone have any recommendations of software for Configuration Management
> (change control for hardware, networks etc) and
> event scheduling?
> 
> We are using a hodgepodge of homegrown stuff and RT but are outgrowing
> it.
> 
> What's good? What sucks?

Hi George,

I gather you're already using Rancid ?

You should check out Netdot : https://netdot.uoregon.edu/

Cheers,
Phil



Re: Monitoring Tool

2010-06-14 Thread Phil Regnauld
Joshua William Klubi (joshua.klubi) writes:
> Hi
> I have been tasked to develop a good network for a Bank and i have also been
> tasked to get a good monitoring tool for the Bank's local network and
> Service providers network. i would like to ask the community
> to help recommend the best tool out there that can help me do this

Hi Joshua,

What kind of monitoring are we talking about ?  Network services,
performance, traffic, latency, ... ?

You might want to take a look at some popular Open Source tools, such as:

http://www.nagios.org/
http://www.zabbix.com/
http://www.hyperic.com/
http://www.opennms.org/wiki/Main_Page
http://www.cacti.net/
http://oss.oetiker.ch/smokeping/

... to get an idea of what's possible.

Cheers,
Phil



Re: Monitoring Tools

2010-08-19 Thread Phil Regnauld
jacob miller (mmzinyi) writes:
> Am looking for an opensource network monitoring tool with ability to create 
> different views for different users.
> 

Hi Jacob,

What kind of network monitoring ?  Bandwidth utilization, service
availability, RTT, statistics data collection, ... ?

There are tons of open source software tools out there:

Nagios (www.nagios.org)
Zabbix (www.zabbix.com)
OpenNMS (www.opennms.org)
ZenOSS (www.zenoss.com)
SmokePing (http://oss.oetiker.ch/smokeping/)
Cacti (www.cacti.net)
NetFlow Dashboard (http://trac.netflowdashboard.com/netflowdashboard/)
NFSen (http://nfsen.sourceforge.net/)


etc...

Depends on what you want to achieve!

Cheers,
Phil




Re: Monitoring Tools

2010-08-19 Thread Phil Regnauld
Nathan Eisenberg (nathan) writes:
> It hasn't really changed. Almost every monitoring package I've found
> where you want to monitor something like 'disk space free on /' requires
> a daemon of some sort on the host - whether that's SNMPD or their agent.

Anything else than SNMP is a hassle (IMHO).

I understand the idea of having a dedicated agent for some hosts -
Windows for instance, when querying the WMI - and often it's the only
way for a vendor to have a predictable, verified element in the greater
scheme (the network).

But in most cases, monitoring can be achieved by extending the SNMP MIB,
and using custom scripts that will report on mail queue size, in-house
application status, etc...

> FWIW, I have had their agent running on many, many servers over the
> years - it has never caused me a moment of heartache (for safety's sake,
> iptables restricts who can talk to the agent, which has its own control
> mechanism built in to define who it will talk to, and it runs as a
> restricted user, just in case).


While developing our own monitoring product, we've had to deal with
various constraints from the customer side, for instance pharmaceutical
companies where there was no way installing an agent on PLC machines would
pass internal audit, without having the entire system re-validated (we're
talking FDA-validated medication production here).


But often, SNMPD ships with or is available as an optional base
component (Windows, most UNIXes) and it's easier to convince the IT
suits.  Go figure.

Oh, and it avoided us having to install an agent on 1000+ servers :)

Cheers,
Phil



Re: Monitoring Tools

2010-08-19 Thread Phil Regnauld
Curtis Maurand (cmaurand) writes:
> > Oh, and it avoided us having to install an agent on 1000+ servers :)
> >
> But the configuration learning curve for SNMP is very steep indeed.

Doing network monitoring and not understanding SNMP is like,
umm, well I fail to come up with an analogy, but you get my drift.

:)

It's a bullet you'll have to bite at one point.



Re: Netflow Tool

2010-09-17 Thread Phil Regnauld


On 17/09/2010, at 21.06, Everton Marques  wrote:

> 
> nfdump with custom output.
> 
> Custom output format: -o fmt:..
> This is the most flexible format, as you can specify yourself what the output
> looks like. The output format is defined using element tags as well as plain
> ascii text.
> 
> http://nfdump.sourceforge.net/
> 
> Everton

And to complement that:

- nfsen
- netflow dashboard
- pmGraph

The first one relies on nfdump, and offers a nice drill down web based analysis 
tool with the nifty feature that it shows the nfdump commands to be run on the 
cli to obtain the data output used to represent the current interval.

Haven't tried the second one yet, but it uses postgresql to store samples. 
Might be easy to dump csv from that.  Beware though of table growth.

Pmgraph is developed by aptivate.org and I'm sure Chris Wilson will have 
something good to say about it :)

Sorry for no URLs, using big fingers on small iPhone.


Re: Active Directory requires Microsoft DNS?

2010-09-24 Thread Phil Regnauld
Darren Pilgrim (nanog) writes:
> Tom Mikelson wrote:
> >Presently our organization utilizes BIND for DNS services, with the
> >Networking team administering.  We are now being told by the Systems team
> >that they will be responsible for DNS services and that it will be changed
> >over to the Microsoft DNS service run on domain controllers.  The reason
> >given is that the Active Directory implementation requires the Microsoft DNS
> >service and dynamic DNS.
> 
> Bunk.  At work we have a network of ~1500 computers with over 600 of
> them running Windows.  Our nameservers are all BIND, which have
> dynamic DNS enabled for updates sent from our 2003 and 2008R2 DCs.
> The DCs have no problem creating, updating and deleting the various
> RR's they use to publish the domain.  The Systems team folks will
> see errors/warnings in the Windows logs because the Windows machines
> are unable to set up secure connections to the nameservers and due
> to an implementation difference between what BIND accepts and what
> Microsoft's OSes send; but in practice these seem to be little more
> than noise.

Agreed.  What about dynamic updates of the client ?  It's usually not
a problem in this direction (Windows client -> BIND DNS), but as you
say it won't be secure (GSS-TSIG).

Cheers,
Phil



Re: Dan Kaminsky

2009-08-05 Thread Phil Regnauld
Jorge Amodio (jmamodio) writes:
> 
> It may sound too futuristic and inspired from science fiction, but I never saw
> Captain Piccard typing a URL on the Enterprise.

That's ok, I've never seen the Enterprise at the airport.

> Sooner or later, we or the new generation of ietfers and nanogers, will need 
> to
> start thinking about a new naming paradigm and design the services and 
> protocols
> associated with it.
> 
> The key question is, when we start?

Let's see how far the SMTP replacement has come, and get some inspiration.
Heck, it's an application that only _uses_ the DNS, should be easy.

--
  "Hey kid, go scan a /48"



Re: DNS hardening, was Re: Dan Kaminsky

2009-08-05 Thread Phil Regnauld
bert hubert (bert.hubert) writes:
> 
> 5 is 'edns ping', but it was effectively blocked because people
> thought DNSSEC would be easier to do, or demanded that EDNS PING
> (http://edns-ping.org) would offer everything that DNSSEC offered.

I'm surprised you failed to mention http://dnscurve.org/crypto.html,
which is always brought up, but never seems to solve the problems
mentioned.




Re: Tinet

2009-08-13 Thread Phil Regnauld
Some hosting we have in Paris was hit by an outage between 0100 GMT and
0800 GMT which seemed to be related to a software upgrade at Tinet.  The
affected path was between Copenhagen (TDC) and Galacsys/AS28855, via
former Tiscali.

P.

Ryan Werber (RWerber) writes:
> We have transport and transit with them all through North America and
> currently we do not see any issues. Latency all across their network is
> within normal parameters.
> 
> Perhaps clarify where you are having issues?
> 
> Ryan Werber
> Epik Networks
> AS21513
> 
> -Original Message-
> From: Zbynek Pospichal [mailto:zby...@dialtelecom.cz] 
> Sent: Thursday, August 13, 2009 5:29 AM
> To: nanog@nanog.org
> Subject: Tinet
> 
> Hi,
> 
> anyone else who see routing problems (some sites unreachable, lags in
> traceroutes etc.) through Tinet (former Tiscali/AS3257)?
> 
> BR,
> Zbynek




Re: Is v6 as important as v4? Of course not [was: IPv6 internet broken, cogent/telia/hurricane not peering]

2009-10-14 Thread Phil Regnauld
Patrick W. Gilmore (patrick) writes:
> You really can't read, can you?
> 
> And I spoke to Martin about it personally.  If he's OK with it,
> perhaps you should clam down?

I know Randy to be a bit taciturn and hard to get through to sometimes,
but never of being a shellfish.

P.



Re: Simple Change Management Tracking

2009-10-26 Thread Phil Regnauld
Paul Stewart (pstewart) writes:
> Thanks very much..
> 
> We ran RT for a while but every time a new update came out on CentOS it broke 
> the installation (perl mods), making it a pain to keep running.

Hi Paul,

I'm maintaining RT installs on FreeBSD, Debian, CentOS/RHEL, and so far
haven't had any problems.

Have you considered using cpan2rpm for the myriad Perl modules required
by RT ?

Alternatively, there ARE RT36 / RT38 packages for Redhat dists:


http://download.fedora.redhat.com/pub/fedora/linux/releases/11/Everything/source/SRPMS/repoview/rt3.html

Cheers,
Phil



Re: Simple Change Management Tracking

2009-10-26 Thread Phil Regnauld
Dan Young (dyoung) writes:
> If you want Fedora-ish packages built for RHEL/CentOS, getting them
> from EPEL is a better choice:
> http://download.fedora.redhat.com/pub/epel/5/i386/repoview/rt3.html
> http://download.fedora.redhat.com/pub/epel/5/x86_64/repoview/rt3.html

Yes, EPEL is ok, but they're out of date.

> Oh, and my recommendation for something simpler would be:
> http://roundup.sourceforge.net/
> http://download.fedora.redhat.com/pub/epel/5/i386/repoview/roundup.html
> http://download.fedora.redhat.com/pub/epel/5/x86_64/repoview/roundup.html

That's another possibility -- but the original request (to stay somewhat
on topic) is to implement a Change Management Tracking, possibly with
Approval.

This is possible in RT using Scrips and custom keywords:
http://wiki.bestpractical.com/view/ApprovalCreation

Would roundup allow this ?

Cheers,
Phil






Re: OT: Remebering Abha Ahuja - 6 years

2007-10-21 Thread Phil Regnauld

Jim Popovitch (yahoo) writes:
> 
> If there can be weeks long discussions on 240/4 or ipv6,

240/4 and ipv6 are on topic. 

> why not at
> least a day or two of remembrances from everyone on what Abha did for
> the community as well as ways she might have helped you?

Because Abha would have hated that, and bitched that this is
a network operators group, and instead of having off-topic
discussions, we should be fixing our networks :)

P.



Re: monitoring tools

2007-10-30 Thread Phil Regnauld

Nesser, Phil (nesser) writes:
> 
> It has been a while since I have had to seriously think about 
> network/system/application monitoring and now I have got to look at it.  Can 
> anyone point me towards:
> 
> 1.  Serious documents on monitoring (i.e.  not vendor whitepapers)

Hi Phil,

There's lots of different papers out there -- define serious.
Is an online column comparing monitoring systems serious enough ?
What focus ?  Best practices ?  Agent vs SNMP based, etc...  Topics
are varied.

> 2.  Open Source Tools that you use or would recommend (I know the obvious 
> smokeping, mrtg, nagios).

That can be a long thread as well...
Nagios, OpenNMS, Zabbix, Hyperic, ZenOSS - for the application/
service/server/network monitoring, and Cacti, Smokeping, NFsen
for capacity/availability monitoring.

We used Nagios and co. until a few years ago, when we figured it
wouldn't scale for large networks.  Then we wrote our own :)

Cheers,
Phil


Re: [NANOG] Introducing latency for testing?

2008-05-02 Thread Phil Regnauld
Joel Jaeggli (joelja) writes:
> The freebsd dummynet driver is all about latency simulation...
> 
> http://www.scalabledesign.com/articles/dummynet.html
> 
> linux has a netem which can do the same thing
> 
> http://www.linux-foundation.org/en/Net:Netem

dummynet is significantly easier to set up, especially for
doing things like random packet reordering / packet loss (using the
'prob' rule of ipfw + delay property with pipes).

# pipe 42: fast link with a little delay; pipe 666: slow, high-latency link
ipfw pipe 42 config bw 1024Kbit/s delay 6ms
ipfw pipe 666 config bw 64Kbit/s delay 350ms

# 'prob' makes a rule match only that fraction of packets; the rest fall
# through to the next rule (all three share number 10, evaluated in order).
# Drop 5% of 1.2.3.4's packets, send 80% of A->B through the slow pipe and
# half of the remainder through the fast one -> loss plus reordering.
ipfw add 10 prob 0.05 deny ip from 1.2.3.4 to any
ipfw add 10 prob 0.8 pipe 666 ip from A to B
ipfw add 10 prob 0.5 pipe 42 ip from A to B

... and it runs.

___
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog


Re: OT: www.Amazon.com down?

2008-06-06 Thread Phil Regnauld
Adam Fields (nanog304985) writes:
> whois for yahoo.com and google.com yield similar results.

And microsoft as well maybe ?

MICROSOFT.COM.ARE.GODDAMN.PIGFUCKERS.NET.NS-NOT-IN-SERVICE.COM
MICROSOFT.COM.AND.MINDSUCK.BOTH.SUCK.HUGE.ONES.AT.EXEGETE.NET
MICROSOFT.COM

> I expect this means that DNS has been compromised somewhere.

No, you should just learn to read WHOIS output :)





Re: smstools and CDMA

2008-06-20 Thread Phil Regnauld
Douglas K. Rand (rand) writes:
> From the GSM point of view I live and work in the boondocks: Grand
> Forks, North Dakota. (OK, so there is a decent argument that the
> entire US is GSM boondocks.)
> 
> Anyway, I'm trying to figure out a way of sending and receiving text
> messages using a tool like smstools and a CDMA modem. 
> 
> I've found the MultiTech CDMA modem (MTCBA-C-N3-NAM) but I can't seem
> to find any success stories to go along with it.

(I gather you mean smstools.meinemullemaus.de)

Does it support the AT command set ?  But even if it did, I think
that the first question in the FAQ says it all regarding requirements,
but I may be wrong.

Alternatively, have you considered a Nokia handset with Gnokii ?

http://smstools.meinemullemaus.de/faq.html

1) What hardware do I need? You need a Computer with at least one serial
port. It does not matter how fast the CPU is and how much memory you
installed. An old 486DX processor with 32 MB memory is enough. You
also need at least one GSM modem with SMS command set according to the
european specifications GSM 07.05 (=ETSI TS 300 585) and GSM 03.38
(=ETSI TS 100 900).

When a vendor writes "SMS command set" without giving the specification
names, then the device typically supports a subset of this
specification. In this case you can surely send 7bit text messages and
you can probably receive them. But it's not certain whether status reports,
binary messages or unicode messages work.




Re: smstools and CDMA

2008-06-21 Thread Phil Regnauld
Douglas K. Rand (rand) writes:
> 
> Phil> Alternatively, have you considered a Nokia handset with Gnokii ?
> 
> No, not really. I was thinking that a "modem" would be a little more
> robust and easier to deal with in the rack than a handset would be. If
> I'm given a choice, I think I'd stay away from a handset, but I may
> not have a choice.  :)

Think about it: mobile handsets have built-in UPSes :)




Re: OS, Hardware, Network - Logging, Monitoring, and Alerting

2008-06-26 Thread Phil Regnauld
Rev. Jeffrey Paul (sneak) writes:
> 
> 1) Is SNMP the best way to do this?  Obviously some of the data (service
> checks) will need to be collected other ways.

SNMP, the vendor MIBs + SNMP extensions for monitoring hardware specifics
(PSU, etc...), and something like Nagios to do the TCP/network checks.

> 2) Is there any good solution that does both logging/trending of this
> data and also notification/monitoring/alerting?  I've used both Nagios
> and Cacti in the past, and, due to the number of individual things being
> monitored (3-5 items per OS instance, 5-10 items per physical server,
> 10-50 things per network device), setting them both up independently
> seems like a huge pain.  Also, I've never really liked Nagios that much.

Well, you could look at Zabbix, Hyperic, ZenOSS, OpenNMS and see if
they cut it better for you, but the trick with Nagios is to use
a DB and generate the include files automatically, then have some
other more user friendly tools to populate the DB.  Or use templates
extensively.

Then make sure your plugins output performance data for perf.data
monitoring, and use something like NagiosGraph
http://nagiosgraph.wiki.sourceforge.net/ or PNP4Nagios:

http://www.pnp4nagios.org/pnp/about#system_requirements
http://nagiosplug.sourceforge.net/developer-guidelines.html#AEN203
http://www.pnp4nagios.org/pnp/screenshots


> I recently entertained the idea of writing a CGI that output all of this
> information in a standard format (csv?), distributing and installing it, then
> collecting it periodically at a central location and doing all the
> rrd/notification myself, but then realized that this problem must've
> been solved a million times already.

Yes :)  But check out the above links, and with a bit of planning
and a small amount of coding/adapting existing components, it will
work out.

> There's got to be a better way.  What do you guys use?

We rewrote our own NMS from scratch :)

> (I'm not opposed to non-free solutions, provided they work better.)

We sell our solution, so I'm biased, but do check out the Nagios
route, it works well enough for small to medium, and larger installations
with careful planning (problem with Nagios is how to make it perform
with thousands of hosts).

Hth,
Phil
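On "make sure your plugins output performance data": the threshold range syntax and the perfdata field order come from the plugin developer guidelines linked above, and both are easy to get subtly wrong. This is an added Python example of a plugin core that implements them (not code from any existing plugin or from the linked pages); the 'mailq' reading it checks is a constructed value, where a real plugin would run mailq or read a MIB variable.

```python
"""Threshold ranges and performance-data output in the format the Nagios
plugin developer guidelines describe. Added example, not from any existing
plugin; the 'mailq' reading is constructed."""


def parse_range(spec: str):
    """Nagios range: '10' -> 0..10, '10:' -> 10..inf, '~:10' -> -inf..10,
    '10:20' -> 10..20. A leading '@' inverts: alert when INSIDE the range."""
    inside = spec.startswith("@")
    spec = spec[1:] if inside else spec
    if ":" in spec:
        lo_s, hi_s = spec.split(":", 1)
        lo = float("-inf") if lo_s == "~" else float(lo_s or 0)
        hi = float("inf") if hi_s == "" else float(hi_s)
    else:
        lo, hi = 0.0, float(spec)
    if lo > hi:
        raise ValueError(f"bad range {spec!r}: start exceeds end")
    return lo, hi, inside


def in_alert(value: float, spec: str) -> bool:
    """True when value should trigger the threshold given as spec."""
    lo, hi, inside = parse_range(spec)
    outside = value < lo or value > hi
    return not outside if inside else outside


EXIT = {"OK": 0, "WARNING": 1, "CRITICAL": 2}


def check(label, value, warn=None, crit=None, uom="", lo=None, hi=None):
    """Return (exit_code, output_line); perfdata follows the '|' as
    'label'=value[UOM];warn;crit;min;max so NagiosGraph/PNP can graph it."""
    if crit is not None and in_alert(value, crit):
        state = "CRITICAL"
    elif warn is not None and in_alert(value, warn):
        state = "WARNING"
    else:
        state = "OK"

    def fmt(x):
        return "" if x is None else str(x)

    perf = f"'{label}'={value}{uom};{fmt(warn)};{fmt(crit)};{fmt(lo)};{fmt(hi)}"
    return EXIT[state], f"{state} - {label} is {value}{uom} | {perf}"


if __name__ == "__main__":
    import sys
    # constructed reading; a real plugin would run `mailq` or poll a MIB value
    code, line = check("mailq", 150, warn="100", crit="500")
    print(line)
    sys.exit(code)
```

Note the two traps: "10:" and "~:10" alert on opposite sides, and "@10:20" alerts inside the range, which is what you want for "warn if the queue length is in the suspicious band" style checks. Exit code, not output text, is what Nagios acts on.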




Re: what problem are we solving? (was Re: ICANN opens up Pandora's Box of new TLDs)

2008-06-27 Thread Phil Regnauld
David Conrad (drc) writes:
>
> Other folks believe that anything that reduces the effective monopoly 
> VeriSign has (through .COM and .NET) would be a good thing.  This view 
> holds that by increasing the number of top-level domains, you increase the 
> opportunities for consumer (that is, domain registrant) choice, thereby 
> reducing the value of any single top-level domain.

The process ensures that too few new TLDs will be created for them to
be a threat to VeriSign, but enough of them will be created that it
will bring in lots of cash, not only from application fees and auctions,
but also because of the perceived rarity.

As business models go, it's a fine example of how to build demand
without really servicing the community.

> component of this management was explicitly stated as being the promotion 
> of competition.  While one might argue that creating new top-level domains 
> doesn't really promote competition given the cost of changing from one 
> domain name to another, realistically, I figure there aren't many other 
> ways in which additional opportunities for competition can be created.

Allowing anyone to register a TLD is one, but I do agree it's
not necessarily a trivial model.



Re: ICANN opens up Pandora's Box of new TLDs

2008-06-28 Thread Phil Regnauld
Owen DeLong (owen) writes:
>>
> Whether some choose to do that or not, I believe that the point is that:
>
> 1.Nobody is FORCING them to do so.

Trademark law is forcing you to - you have to make reasonable attempts
to actively defend your trademark.  Of course, no-one forces you
to trademark your name in the first place.  Not that I agree with the
practice, either.

Phil



Re: ICANN opens up Pandora's Box of new TLDs

2008-06-28 Thread Phil Regnauld
Jim Shankland (nanog) writes:
>
> Because it's Friday, I checked the last few weeks or so of logs from
> my personal mail server (located in the US), and broke the list of
> unique IP addresses rejected by zen.spamhaus.org up by registry:

... spam coming from US computers vs. spam coming from botnets which
are being rented by American spammers.  There is a distinction.
Don't think that legitimate American businesses aren't the only ones
who've outsourced.  A lot of people around the world running XP just
don't know that they're doing the outsourcing :)

P.



Re: ICANN opens up Pandora's Box of new TLDs

2008-06-28 Thread Phil Regnauld
Rich Kulawiec (rsk) writes:
> 
> Best practice is refuse all mail that comes from any host lacking rDNS,
> since that host doesn't meet the minimum requirements for a mail server.

No, that's utterly stupid.  You're excluding countries which have
poor infrastructure or clueless ISPs (usually legacy telco operators)
who can't be bothered to administrate IN-ADDR.ARPA delegations for
their customers.  It doesn't help, and only encourages people in
these countries to go for @{hotmail|yahoo|gmail}.  Millions of botnet
PCs have valid reverses.

> Yes, some of these also impact non-spamming but broken mail servers,
> however, this is usually the only way to get the attention of their
> operators and persuade them to effect repairs.

You're kidding, right ?  They don't give a rat's ass.

> Locally, .name, .info and .tv are permanently blacklisted, and I recommend
> this to others: they're all heavily spammer-infested.  .biz is not
> blacklisted at the moment, largely because it's been so badly ravaged
> that spammers *appear* to be abandoning it.

"Bomb the bridge, salt the earth" approach ?



Re: ICANN opens up Pandora's Box of new TLDs

2008-06-28 Thread Phil Regnauld
Roger Marquis (marquis) writes:
> I have to conclude that ICANN has failed, simply failed, and should be
> returned to the US government.  Perhaps the DHL would at least solicit for
> RFCs from the security community.

DHS ?  Otherwise, yes, you could ship ICANN back to the US gvt. with DHL,
but I don't think they'll give us our money back.




Re: ICANN opens up Pandora's Box of new TLDs

2008-06-28 Thread Phil Regnauld
Rich Kulawiec (rsk) writes:
> 
> I don't see a problem with not accepting mail from clueless ISPs or their
> customers.  The requirement for rDNS has been around for decades.
> Anyone who's not aware of it has no business running a mail server.

Requirement ?  What requirement ?  There's no requirement for
reverse DNS for email in any RFC.  Not that RFCs are ideal references
for mail operation in general.  Rejecting on missing or incorrectly
formatted HELO/EHLO is legitimate, as well as unknown sender or
recipient domain, as these are within the control of the sender,
or the sender's organisation.  Reverse DNS is not.  It's all subjective
of course.

> people to document the use of botnet PCs to send spam.  And of course
> That's why this particular measure doesn't work for them, but other
> best practices do, e.g., rejecting mail from known-dynamic/generic IP space
> or known-dynamic/generic namespace unless it's your own customer or is
> being submitted with authentication non-port 25

"known-dynamic" is very much up for debate.  Frankly, blacklisting
entire /16s because individual customer PCs have been hijacked is
absurd, but I guess collateral damage is acceptable.  Probably bounces
will be the next thing to disappear.

> > > Yes, some of these also impact non-spamming but broken mail servers,
> > > however, this is usually the only way to get the attention of their
> > > operators and persuade them to effect repairs.
> > 
> > You're kidding, right ?  They don't give a rat's ass.
> 
> Then they should not be troubled that their mail is being rejected.

The operators don't care.  The customers do.  The customers don't have
a choice, often.  So you're right, the operator is not troubled
that their customer's mail is being rejected.

> > "Bomb the bridge, salt the earth" approach ?
> 
> I'm not the one of the people who thought .info was a good idea (what,
> domains in other TLDs don't provide "information"?)  I'm not the one
> who decided to sell domains in that TLD to spammers by the tens of
> thousands, thus effectively devaluing it for everyone else.

Because .org and .com don't do that as well ?

> I suggest laying blame on the people who are responsible for the current
> state of affairs, not on the recipients of abuse.

I'm not laying blame here, just pointing out that rejecting mail
from IP addresses for which no PTR delegation exists is unwarranted,
but it's your system, so of course it's up to you.  Don't go preaching
it as a best practice, though.

Phil




Re: Mail Server best practices - was: Pandora's Box of new TLDs

2008-06-28 Thread Phil Regnauld
[EMAIL PROTECTED] (michael.dillon) writes:
> 
> 
> http://www.maawg.org/about/MAAWG_Sender_BCP/MAAWG_Senders_BCP_Combine.pdf

Thanks for the pointer.  I don't necessarily agree with all of it,
but it's definitely a good reference.

I just get irritated by actions that penalize end users who feel they
don't have other options other than just using some horrible webmail
service, because their operator/ISP is clueless.  I do make a
distinction.

> On page 5 they do recommend matching reverse DNS and in
> Appendix A they go on to state that RFC 1912 states that
> all hosts on the Internet should have a valid rDNS entry.

Indeed it does, but rejecting a mail based on a missing PTR
is still arbitrarily useless (and I'm speaking in terms of
volume of spam emanating from hosts with a missing PTR, vs
spam origination from hosts that do have a PTR).

> Perhaps the RFC series doesn't have as many gaps as we think.

For mail operations, we're half a galaxy away from "be conservative
in what you send, be liberal in what you accept".

> > absurd, but I guess colateral damage is acceptable.  
> 
> If collateral damage is acceptable, then how is this
> absurd?

Apologies, I was being sarcastic.

> Once you accept that it is better to reject
> good email than let bad email through, the game has
> changed. It may end up by destroying the business usefulness
> of the existing email architecture, but not without a
> push from someone who has a better mousetrap.

Yep.

> This is quite simply, wrong. It is warranted.

Not agreeing :)  But fair enough, any site is allowed to operate
mail the way it wants.

> > Don't go preaching
> > it as a best practice, though.
> 
> Too late, the MAAWG has already published this as a best practice
> for quite some time. If you don't follow the MAAWG best practices
> then you are not a serious email operator. If email is mission
> critical to your business, then you really should be an MAAWG
> member as well.

We work for several customers and operate large mail installations.
We implement quite a few requirements that are fairly strict, but
rejecting based on missing PTR is not one of them.
Neither is blacklisting entire TLDs for that matter, but I digress.
I still feel like a serious mail operator, just because I don't
conclude that I as the receiver should reject mail from a host with
a missing PTR, because the MAAWG *Senders* BCP says that hosts
should have a reverse.

Phil




Re: ICANN opens up Pandora's Box of new TLDs

2008-06-30 Thread Phil Regnauld
Matthew Petach (mpetach) writes:
> If they simply use "smtp" as the hostname, most of the
> current resolver libraries will append the local domain
> name, so that instead of reaching my A record for smtp,
> they'll end up trying to reach smtp.their.domain.

Actually, that's a good point -- although it will try first with
the domains specified in the search list first.

So I wouldn't worry too much about this kind of thing.

But considering the amount of flag waving and "Caution: Wet
Floor" signs ICANN placed when it rolled out something has
harmless as the IDN tests in the root, I'm surprised that they
haven't thought about all the non-FQDNs that will suddenly
resolve, including all the private TLDs that people use
internally.  It's bad practice, and isn't recommended anyway,
but I do expect it will cause many more fun (read: annoying)
calls to helpdesks of the sort "where did my mail go ?".
And mail won't be the only thing.

> Will operating system manufacturers release updated
> resolver libraries that no longer assume that single
> token names should have the local domain attached?

I know a lot of mail clients that won't accept to send
mail to [EMAIL PROTECTED], but they certainly will accept [EMAIL 
PROTECTED]
as the outgoing mail name.  Luckily, that will match the
search list as well first.

> Or should I always ensure that resolvers reach my
> domain explicitly by including the trailing "dot" in
> all uses, so that my email would be given out as
> "[EMAIL PROTECTED]" in the hopes that everyone would
> correctly remember to add the "." at the end when
> entering my email address into their mail clients?

A fair number will barf on this (for now).

> Or does the current resolver logic already handle
> these cases (check root, work your way down
> stopping at the first match found; if you run out
> of tokens in the string being resolved, append the
> local domain name to the string and start the process
> over)?

The other way around.  And if I ping 'dk', my resolver
stops after "catpipe.net" and my other private domain.
It doesn't try "dk.", even though dk. has an A record
associated with it.  I get NXDOMAIN.

> Simply looking to solidify my understanding of how
> these new names would resolve.

Not too many problems, I think, except for resolver
libraries that fail to find the name in the domains
listed in the search list, and continue to '.'.

It's not standard practice though.

Phil



Re: ICANN opens up Pandora's Box of new TLDs

2008-06-30 Thread Phil Regnauld
John Levine (johnl) writes:
> d) 280

# dig @f.root-servers.net axfr . | egrep 'IN[[:space:]]NS' | awk '{ print $1 }' 
| sort -u |wc -l

 281

(with . itself)




Re: ICANN opens up Pandora's Box of new TLDs

2008-06-30 Thread Phil Regnauld
David Conrad (drc) writes:
>
> 1) The new gTLD stuff hasn't gotten as far as the point where the testing 
> of IDN stuff started.

Mhh, ok :)

> 2) ICANN (or rather, the technical side of ICANN staff) has thought about 
> this and there is a 'technical evaluation' phase of the application 
> evaluation

Fair enough.

> 3) We've already run into the 'private TLD' thing: lots of global companies 
> (apparently) have internal domains organized on regional/continental 
> boundaries. When '.asia' was put into the root, the Internet did not break.
>
>>  The other way around.  And if I ping 'dk', my resolver
>>  stops after "catpipe.net" and my other private domain.
>>  It doesn't try "dk.", even though dk. has an A record
>>  associated with it.  I get NXDOMAIN.
>
> Your resolver appears to be broken.  Works for me:

dig doesn't use the resolver the same way other applications do.

Try "ping dk" vs "ping dk.", or "telnet dk" vs. telnet "dk."

Of course, depends on the OS -- but at least on a few BSDs (OS X, 
FreeBSD),
Linuxes (Debian, Ubuntu), it behaves the same way.




Re: ICANN opens up Pandora's Box of new TLDs

2008-06-30 Thread Phil Regnauld
Matthew Petach (mpetach) writes:
> 
> That was amusing.  Firefox very handily took me to a search
> results page listing results for the word "museum", none of
> which was the actual page in question.

... and Safari took me to www.museum.com.

> Thanks for all the pointers!  I guess I won't be suggesting the
> use of such TLDs as gmail and ymail as a way to shorten up
> email addresses for people, given the inconsistent behaviour
> of client resolvers.  ^_^;

This is not only about client resolvers, it's equally about
the individual applications and their choice of how to handle
a single-label domain name, or just domain names (FQDN or not)
in particular.  Most often you'll see that the regular expressions
used to parse what is considered to be a valid domain -- or even
the policy that decides whether a given name has a special meaning
or not -- will vary wildly.  Most of them are wrong, or don't
do the expected thing.



Re: ICANN opens up Pandora's Box of new TLDs

2008-07-01 Thread Phil Regnauld
Phil Regnauld (regnauld) writes:
> John Levine (johnl) writes:
> > d) 280
> 
> # dig @f.root-servers.net axfr . | egrep 'IN[[:space:]]NS' | awk '{ print $1 
> }' | sort -u |wc -l
> 
>  281

Interesting extract from a transcript of tICANN board meeting in Paris.
It doesn't say much about what was originally envisioned,
but sheds light on the considerations that were made.

http://isoc-ny.org/wiki/ICANN_-_Paris/Board_meeting

[It's in the first statement from Dave Wodelet:]

I just think it's important for the public record to make some
comments about adding new gTLDs to the root. While conceptually I
agree and see the benefit to the community with adding more TLDs
to the root, there are still some concerns about how scalable in
the long term this will be.

How many can we truly support? Well, from the best guess we have,
and I do stress the word "guess," somewhere around 5,000 or so TLDs
seem to be realistic.

But how high can we actually go? We really don't know.  There are
both technical and administrative issue limits to the scaling. And
it looks like the administrative issues may be more limiting than
the technical ones.

Certainly, what we do now administratively will certainly need to
change to support even the 5,000 or so that I mentioned earlier.
So how many will we have to support? Well, if we just look at the
number of place names, there seems to be somewhere between 5 and 6
million place names in the world. And if every one of these wanted
a TLD, that might not be possible.

And the 5 to 6 million place names doesn't include the number of
commercial TLDs businesses may want, and this 5 to 6 million doesn't
include the vanity names people may want as well, nor does this 5
to 6 million include what we may need in the future for names of
planets, planetary colonies, which may, indeed, happen within the
life of our Internet.

So I am a bit concerned about spending our TLD name inheritance for
future generations of Internet users. As we know, everything has
limits, like IPv4. We all know that has a limit, and that's why
we're looking at IPv6.



Re: Multiple DNS implementations vulnerable to cache poisoning

2008-07-10 Thread Phil Regnauld
Eric Davis (eric) writes:
> Anyone using Infoblox DNSOne?  They claimed to have fixed their BIND version
> but I still see issues with source ports staying the same.

Which version are you running of the OS ?




Re: SANS: DNS Bug Now Public?

2008-07-24 Thread Phil Regnauld
Joe Abley (jabley) writes:
>
> Having just seen some enterprise types spend time patching their 
> nameservers, it's also perhaps worth spelling out that "patch" in this case 
> might require more than upgrading resolver code -- it could also involve 
> reconfigurations, upgrades or replacements of NAT boxes too. If your NAT 
> reassigns source ports in a predictable fashion, then no amount of BIND9 
> patching is going to help.

Case in point, we've got customers running around in circles
screaming "we need to upgrade, please help us upgrade NOW",
but they have _3_ layers of routers and firewalls that are hardcoded to
only allow DNS queries from port 53.



Re: Password repository

2009-11-19 Thread Phil Regnauld
Jay Nakamura (zeusdadog) writes:
> Quick question, does anyone have software/combination of tools they
> recommend on centrally store various passwords securely?

Home built app with GELI (FreeBSD) encrypted disk image and automated
versioning of documents/secure stuff wih a VCS.  Works fine in a multi
user context, but only one user can access it at a time.



Re: DNS query analyzer

2009-12-01 Thread Phil Regnauld
Joseph Jackson (jjackson) writes:
> Hey List!
> 
> Anyone know of a tool that can take a pcap file from wireshark that was used 
> to collect dns queries and then spit out statistics about the queries such as 
> RTT and timeouts?

I don't know if DSC does this, but check it out:

http://dns.measurement-factory.com/tools/dsc/

Cheers,
Phil



Article on spammers and their infrastructure

2009-12-22 Thread Phil Regnauld
http://threatpost.com/en_us/blogs/attackers-buying-own-data-centers-botnets-spam-122109

It this something new ?  The article seems to mix various issues together.
And this would seem highly inefficient to me compared to traditional
botnets (renting your own rack for a botnet doesn't really make sense :)

Comments ?



Re: ip address management

2010-02-03 Thread Phil Regnauld
Andy Davidson (andy) writes:
> 
> It looks like the lack of ipv6 support in ipplan is partly due to
> the maintainer not wanting to support it, so we might be tempted to
> (if the license permits)

It's GPL...  So for away :)

Also, you might want to look at TIPP:

http://tipp.tobez.org/
http://github.com/tobez/tipp

2-clause BSD-style license.

Was developed for a large ISP.  IPv6 support is planned:

Future of TIPP

- import/export from/to CSV;
- IP availability checks (pinging);
- editing ranges of IP addresses at once;
- plugin architecture for better integration with the existing systems;
- IPv6 support;
- installation instructions;
- automated install script;
- fine-grained access control;
- an ability to define new classes;
- user documentation;
- API documentation;

Cheers,
Phil



Re: ip address management

2010-02-03 Thread Phil Regnauld
Phil Regnauld (regnauld) writes:
> 
> Future of TIPP
> 
> - import/export from/to CSV;
> - IP availability checks (pinging);
> - editing ranges of IP addresses at once;
> - plugin architecture for better integration with the existing systems;
> - IPv6 support;

Update: IPv6 is planned during february apparently, according to
the developer.



Re: ip address management

2010-02-03 Thread Phil Regnauld
Nick Hilliard (nick) writes:
> 
> There is a FAQ entry for ipv6 support in ipplan:
> 
> > One feature request that comes up from time to time is IPv6. Adding IPv6
> > support will require major effort but has such a limited audience.
> > Ironically the only people that ever requested IPv6 support are either
> > from Telcos, ISP?s or government departments, yet they are never
> > interested in contributing resources! I deam them parasites of the Open
> > Source world - leaching off the good will and effort of the Open Source
> > community, yet give nothing in return.

Shame.  And "deam" is "deem".

> q.v. http://iptrack.sourceforge.net/doku.php?id=faq
> 
> I guess we're all entitled to our opinions.

Yeah, sad.

> The data model used in ipplan is to enumerate all IP addresses in the
> working ranges.  This works fine for ipv4, but obviously breaks horribly
> for ipv6.  Political considerations aside, I suspect that this is at least
> some of the reason that ipplan doesn't support it.

It would indeed require a very large screen and lots of memory :)

Cheers,
Phil



Re: ip address management

2010-02-10 Thread Phil Regnauld
Mark Scholten (mark) writes:
> Hello,
> 
> I am also working on creating a IP address management tool (including
> changing rDNS), of course it should work with IPv4 and IPv6. If someone is
> interested in it, please mail me (so I know I have to inform him/her when I
> release it). If there are certain features that I should include and are not
> listed please also inform me about it (by email or via the forum on
> mscholten.eu).

Hi Mark,

Considering the number of existing projects that have been mentioned
in the last couple of weeks here, and those that haven't, wouldn't
it be a good idea to see if any of the existing ones can be adapted
or patches sent to the authors so that the required features are
integrated ?

Not trying to discourage you, and more choice is always good, but
it does tend to get confusing ;)

> Features I have now on my list:
> - Multi user support (admin - user level 3 - user level 2 - user level 1), a
> user can create users on lower levels to edit how IPs are assigned from
> their ranges to their customers (nice for companies with resellers!), of
> course you could also only create level 1 users.

Ideally you should consider some form of role based access control:

Create roles, assign users and groups to them, and give rights to the
roles.

> - Multi language support (with language files to translate)
> - Change rDNS (based on changing PTR records in a MySQL database that could
> be used by PowerDNS and a script will be provided to convert the MySQL
> database to Bind files)

... or dynamic updates.

> Current requirements (to host it, this is what I use to test it, other specs
> may also work):
> - To use the rDNS: PowerDNS or Bind nameservers
> - PHP5 (with MySQLi extension and pear packages Net_IPv4 and Net_IPv6)
> - MySQL 5
> - The option to create a cron if you want to convert the database to a Bind
> file
> 
> The planned release date for the first version is this month.

That's ambitious :)

I've designed and co-developed at least 2 platforms similar to the 
above,
and if you really insist on going this way, I think you should publish
some requirement specifications somewhere, and let others come with
comments.  Nanog is a good starting point, but since this touches on
DNS as well, I'm sure a dedicated project page would be more useful,
with possibly a wiki to update said specs.

Cheers,
Phil




Re: Ticket/Asset Managment system

2010-02-12 Thread Phil Regnauld
Brandon Grant (brandon) writes:
> I am currently evaluating my options for an open source trouble ticket
> management system that is based on assets (the trouble ticket is opened
> on a particular server, network element, etc.).

Hi Brandon,

Maybe RT (already mentioned) could do the trick -- it's a matter of
choosing how you will set up the system, i.e.: number of queues, custom
fields, etc...

Since it's ticket centric, it really doesn't matter how many servers
or assets you have.

> Also, I am hoping to
> find a tool that can tie in with SNMP software so I can have tickets
> auto-generated for certain types of SNMP traps or polling failures. 

That's not really dependent on the ticket system.  I've done this
with Trac and RT: it's more a matter of whether the NMS platform
allows triggers (arbitrary actions) to be tied to events, and also
in which cases.  It's trivial with Nagios to open tickets on down
or unreachable events.  You could even instrument the script to
update the ticket (never close a ticket automatically!) every time
a new event related to this equipment took place.

> 1.OTRS.org
> 
> 2.   GLIP-project.org

You mean http://www.glpi-project.org/ -- I've heard it should be quite
complicated to setup, but have no first hand experience myself.

Cheers,
Phil




  1   2   >