Re: Strange connectivity issue Frontier EVPL

2020-11-06 Thread will
I have similar Frontier NNI's out of One Wilshire, some 1gig some 10.

While I haven't seen the half-IP-reachable issue you describe I have spent
days and days chasing performance issues on them. I finally got gig 
line-rate capable iperf3 boxes at both ends and see distinct differences
in single-TCP stream performance vs running 3-4 streams, and the difference
disappears like clockwork at "unbusy hours" (1am-7am) every day.

After running hundreds of tests and adjusting my buffering and RED on both
ends of these circuits I just have come to the conclusion that they have
some LAGs somewhere "in the middle" that get busy during the day, and
they don't care if I have to run 4 TCP streams to max a 1gig circuit.

It makes browser-based speedtests look really bad but otherwise the 
circuits are usable. We're trying to replace the worst ones with 
wavelength services.

-Will Orton


On Fri, Nov 06, 2020 at 08:59:28AM -0800, Jay Hennigan wrote:
> We have a strange issue that defies logic. We have a NNI at our POP
> with Frontier serving as an aggregation circuit with different
> customers on different VLANs. It's working well to several
> customers.
> 
> Bringing up a new customer shows roughly half of the IP addresses
> unreachable across the link, as if there's some kind of
> load-balancing or hashing function that's mis-directing half of the
> traffic. It's consistent, if an address is reachable it's always
> reachable. If it's not reachable, it's never reachable. Everything
> ARPs fine.
> 
> The Frontier circuit is layer 2 so shouldn't care about IP
> addresses. Frontier tech shows no trouble. They changed the RAD
> device on-premise. We've triple-checked configurations, torn down
> and rebuilt subinterface, etc. with no joy.
> 
> Any suggestions?
> 
> -- 
> Jay Hennigan - j...@west.net
> Network Engineering - CCIE #7880
> 503 897-8550 - WB6RDV


So I've got this 2.5gig wave, what do I do with it?

2009-04-16 Thread will
Due to the vagaries of telecom pricing, I've ended up with a 2.5gig 
wavelength service between two locations when what I really wanted was a 
gig-e or two.

I'm really not sure if this is a "transparent" wave service or not... 
the carrier is using gear from Ciena to hand it off to us and they seem 
to be big on transparent waves, so maybe it is, but nobody seems to be 
able to say for sure.

So, how can I best make use of this beast in my ethernet-centered world? 

1- Since it doesn't cost me anything, I'm going to try to send a 
gigabit LX signal and see what happens. The handoff from the carrier to 
me seems to be a plain 1310 type of signal... Light goes on, light goes 
off, maybe the carrier's gear doesn't care that it's not modulating 
"fast enough" and I'll get lucky?

2- MRV's EM2009-GM2 card takes 2xGE and spits out a 2.5G signal
of some sort. However they won't guarantee me that it'll work when 
talking to the Ciena card the carrier is using. I should probably 
inquire about their return policy and go for it.
The SFPs they spec on the trunk side are the same as those for OC48,
so as long as my wave is transparent and not expecting OC48 framing I'm 
thinking this would work.

3- I can buy an OC48 box and mux some GE onto it with GFP/VCAT. 
Expensive and overcomplicated since I don't need anything but ethernet.


Anyone have some clue for me? I'm starting to wish we'd just jumped to 
10G waves since at least there it's clear how to interop with 10gig 
ethernet.


-Will Orton
w...@loopfree.net



Re: 1G/10G BaseT switch recommendation

2021-07-23 Thread Will Essary
We run all Juniper QFX in our DC and cannot be happier. Solid stuff.

-Will



From: NANOG on behalf of Matt Erculiani

Date: Thursday, July 22, 2021 at 15:34
To: Drew Weaver 
Cc: "nanog@nanog.org" 
Subject: Re: 1G/10G BaseT switch recommendation

The Juniper QFX 5120-48T has the 48x10G RJ45s you're looking for and has 
QSFP+/28 100G capable ports that can each be broken out into 4x25G (via DAC or 
MPO).

They can be licensed to add OSPF/BGP and their brand is ubiquitous enough that 
API support should be no problem on most management platforms.

I think you'll have a tougher time finding native SFP28 25G uplink ports for a 
10G switch as it's mostly seen as a server-facing port speed alternative 
alongside 10G, rather than an uplink for 10G; the oversubscription ratio 
between 48x10G and 4-6x25G is quite high when you account for at least 2N 
redundancy on the uplinks.

-Matt

On Thu, Jul 22, 2021 at 12:47 PM Drew Weaver <drew.wea...@thenap.com> wrote:
Hello everyone,

I’m looking for recommendations from the community on 48x10G RJ45/4-6 SFP28 
(uplink ports) switches that people actually like working with.

Features are VPC or non-vendor specific equivalent, L2/L3 BGP/OSPFv3, ACLs, 
functional CoPP and some sort of API to manage them. [the CLI would work, my 
lib can handle most Networking OS CLIs anyway]

My problem point is coming from the RJ45 requirement, most vendors have one 
switch that they sell that is RJ45 at 10G or at the most one in each line 
(enterprise/datacenter) and they seem to be almost an afterthought. [probably 
because SFP28 is better in every way if you are already using fiber at the 
endpoint] sadly, we are not.

I just want to make sure I am not excluding any vendors from my research.

I appreciate any suggestions or recommendations. Can even keep it off-list if 
you want.

Thanks,
-Drew





--
Matt Erculiani
ERCUL-ARIN


MAP-T Implementation

2022-11-28 Thread Will Duquette
Has anyone successfully deployed MAP-T?  We are in the process of testing
and have it working in our lab.  We are running into an issue where the
last half of the ipv4 prefix doesn't work.  I.E. x.x.x.0/24
assigned x.x.x.0-127 works, x.x.x.128-255 does not.   We are able to
manipulate our DHCP config to allow for the handing out of IPv4 IP's.   The
CPE gets an IPV6 address and IPv6 only works, anything trying to be routed
with an ipv4 address in the last half of the ipv4 prefix will not work.

-Will


Comcast route server not reflecting their reality

2019-09-10 Thread Will Orton
I'm seeing oddities when trying to traffic-engineer my way around an AS 
3356-to-7922 performance issue.

I buy transit from 3356 and announce my /19 to 3356. I set traffic engineering 
community 65000:7922 to suppress announcement of it from 3356 to 7922.
When I do that, at route-server.newyork.ny.ibone.comcast.net I see the AS-path 
for my /19 change from:
3356 
to:
2914 

which makes sense as I also have transit from 2914.

So that's great, 7922 should be routing to me via 2914 or, any path not via 
3356.
But then if I go to a customer location on 7922's network, and traceroute to my 
/19, it still goes via 7922 3356  !

Is 7922's looking glass no longer reflecting actual route selection in their 
network? Does Comcast do traffic engineering that is not otherwise reflected at 
their looking glass?

If I deaggregate my /19 and announce a /24 from it to 2914, I can draw the 
inbound traffic to me away from the 7922 3356 path. Which is not a real nice 
long-term solution...

-Will



Re: Comcast route server not reflecting their reality

2019-09-11 Thread Will Orton
On Tue, Sep 10, 2019 at 04:42:10PM +, Martijn Schmidt wrote:
> Hi Will,
> 
> Unlike AS2914 which purely interconnects with AS7922, it seems that AS3356 
> also has direct interconnections to the various Comcast subsidiary networks 
> which are hidden from the DFZ through no-export communities.. I figured this 
> out due to a routing leak which happened a few years ago: 
> https://dyn.com/blog/widespread-impact-caused-by-level-3-bgp-route-leak/
> 
> Give it a shot with the following list of communities - that should swing 
> your traffic away from the AS3356 links: 65000:7922 65000:7015 65000:7016 
> 65000:7725 65000:13367 65000:20214 65000:22909 65000:33287 65000:33490 
> 65000:33491 65000:33650 65000:33651 65000:33652 65000:33657 65000:33659 
> 65000:33660 65000:33662 65000:33667 65000:33668
> 
> Best regards,
> Martijn Schmidt

Thanks Martijn,
That's the info I was missing. I have found I can now 65000:XXX or even 
65001:XXX to 3356 with the Comcast regional network AS numbers and see the 
traffic jump to the 7922 network which has a different set of links to 3356, 
then I can further do 65001:7922 to get it off 3356 entirely if I need to.

And I can find the specific regional AS# by checking the aforementioned Comcast 
route views server so it can be applied to only problem areas.

I wish none of this was necessary but when you can't get >100mbit from a 
Comcast gigabit subscriber into 3356 then customers complain.

-Will


Re: NANOG67 - Tipping point of community and sponsor bashing?

2016-06-16 Thread Will Hargrave

On 15 Jun 2016, at 19:23, Sander Steffann wrote:


So here we are now... Where do we want to go?
I think IXPs have indeed become too much like ISPs, providing more 
services but also increasing complexity and cost. I prefer simple, 
scalable and cheap solutions!
I want to go to an IXP being a nice simple ethernet switch. Add some 
nice graphs and a route server, and we're done. Redundancy is a 
separate switch :)


(I spoke on this topic in the session - I regret insufficiently 
coherently, but I’ll try again)



Most of the major IXs in the European market operate in multiple 
datacentres. Why? Because it decreases the monopoly conferred upon one 
particular datacentre in a market which becomes the ‘go to’ 
location.


Dan Golding disagreed with me but I can certainly speak for LONAP where 
I feel our mission of “promoting efficient interconnection in the 
UK” is hugely enhanced by our ability to provide services in any of 
our current seven datacentres, across four different operators. London 
would not be the great city of interconnection it is without the east 
London cluster of DCs from different operators.


We have had a fair few single site IXs in London - e.g. the now defunct 
RBEIX, Sovex, Meriex. I don’t think it is a viable model for an IXP in 
a well-developed market.



Then there is another concern. What’s the plan for SIX if the Westin 
Building colo is sold to someone less benevolent and co-operative? I am 
really pleased their current arrangement seems to work well for SIX, its 
members and datacentre partners. I think our own members would be less 
comfortable with that level of risk.



Will


Re: NANOG67 - Tipping point of community and sponsor bashing?

2016-06-17 Thread Will Hargrave

On 17 Jun 2016, at 1:15, Daniel Golding wrote:

You said that LONAP's distributed strategy "kept datacenters honest" to use
your exact quote. That implied some sort of benefit for members in acting
as some sort of counterweight to (rapacious?) data center providers.


I rely primarily on information from our membership base who reaffirm 
their desire for a multi-site approach. They (and you) are the people 
with the data, as they are the people buying these services.


The origin of these designs was probably not out of a desire for 
diversity to promote competition, but actually because existing 
datacentres were full.
Nevertheless, a datacentre which is full, incompetently run, or too 
expensive all have something in common - to my members they are useless.



I made the point that distributed IX's don't really
impact power or space costs in data centers. I can provide actual data on
this, if you would like.


What about crossconnect prices?

It is interesting you have data that indicates that this policy could be 
futile, because the belief in this principle is almost axiomatic in 
our/my community.

Did we waste time and money spanning metros with IXs?


Inbound Call Issues

2018-08-17 Thread Will Duquette
Has anyone had issues reported over the last few weeks from customers with
inbound calls in the Northeast reporting the following:

1. Long call setup
2. No ring back or very delayed ring back (Post Dial Delay)
3. Delayed audio in calls.  Persons on each end maybe talking over each
other.
4. Multiple call logs showing up for a single call in logs.

We have been engaging multiple providers (CCI, Spectrum, Windstream and
Onvoy) and have been making some progress but are looking to see if anyone
else is experiencing the same issues.

Thanks,

-- 
Will Duquette

*Network Engineer II*GWI

*Office:*   207-602-1228
*Cell:*  207-590-2084
*Fax:*  207-282-5036
www.gwi.net


NCS5508 for Agg/Core/Peering router

2017-05-17 Thread Will Black
Is anyone using the NCS5508 as the role of a backbone Core / Aggregation / 
Peering router?  I understand these are generally different network models but 
we would be interested in hearing whether anyone is using these routers for all 
three roles.  We flattened our network during our last refresh and are trying 
to do more with less (who isn’t these days?), so we’re trying to determine 
whether the NCS5508 would fit the bill that’s currently being served by our 
ASR9K’s.  

We would also be interested in hearing general observations and thoughts about 
the NCS5508 for any role.

Thanks,

Will Black 





Re: 12 years ago today...

2010-10-18 Thread Will Hargrave
On 16/10/10 10:02, Warren Bailey wrote:

> While we are on the subject of "the godfathers of the Internet", when is a
> documentary coming out that tells the story? There was a really long
> documentary done on the BBS, surely someone (myself included) would find it
> interesting.

I can recommend "Where Wizards Stay Up Late" by Katie Hafner

http://www.amazon.com/Where-Wizards-Stay-Up-Late/dp/0684832674

A really good read IMHO.

Will



Re: ARIN recognizes Interop for return of more than 99% of 45/8 address block

2010-10-20 Thread Will Hargrave
On 20/10/10 17:47, Brielle Bruns wrote:

> Not to stir an already boiling over pot and all, but is there any kind of
> report or documentation on releasing of space from countries other then the
> North American region?

Really it's mainly US govt agencies, defence contractors, etc from the dawn of
the Internet who hold legacy class A space of this type. This space was pre-RIR
which means it was not assigned on the same (broadly similar) global policies
as the majority of address space in the modern era.

On that basis, there's nothing big for other regions to 'give up'. One
exception is the UK government with two /8s.

http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt
http://en.wikipedia.org/wiki/List_of_assigned_/8_IPv4_address_blocks



Re: IPv6 rDNS

2010-10-29 Thread Will Orton
We developed a web/mysql-based front-end that our noc uses for all DNS 
ops, so the NOC never touches zone files directly. So it was easy to 
just add a feature that provides additional syntax for ipv6 PTRs...

So for example in zone 
0.0.0.0.d.c.b.a.8.B.D.0.1.0.0.2.ip6.arpa

we can enter
:::0003   PTR  foo.com.

and it will reverse the nibbles/remove the ":"s and put in the "."s
and get generated into a zone file as needed:
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.c.b.a.8.B.D.0.1.0.0.2.ip6.arpa PTR 
foo.com.
(of course you can enter x.x.x.x... syntax too)

Having a front-end also lets you do all sorts of other sanity-checking 
with instant feedback to avoid choking up BIND, depending on the skill 
level of your target "DNS admin".

-Will

On Fri, Oct 29, 2010 at 06:06:32PM -0700, Jeroen van Aart wrote:
> Date: Fri, 29 Oct 2010 18:06:32 -0700
> From: Jeroen van Aart 
> To: NANOG list 
> Subject: IPv6 rDNS
> 
> I battled for a few hours getting IPv6 rDNS to work. The following tool 
> proved to be quite helpful:
> http://www.fpsn.net/?pg=tools&tool=ipv6-inaddr
> 
> Just in case anyone else would run into similar problems. It's not as 
> straightforward as IPv4 rDNS.
> 
> Greetings,
> Jeroen
> 
> -- 
> http://goldmark.org/jeff/stupid-disclaimers/
> http://linuxmafia.com/~rick/faq/plural-of-virus.html
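
The short-form PTR expansion described in the message above, with the kind of sanity check a front-end can run before anything reaches a zone file. This is an added example, not code from the thread or from the front-end it describes; the function names are hypothetical, and it assumes each ":"-separated group is zero-padded to four nibbles (an empty group meaning 0000) and that output is lower-cased.

```python
import ipaddress
import string

HEX = set(string.hexdigits)
SUFFIX = ".ip6.arpa"
# Zone taken from the message above (a /64 under the documentation prefix).
SAMPLE_ZONE = "0.0.0.0.d.c.b.a.8.B.D.0.1.0.0.2.ip6.arpa"


def _check_nibbles(labels, source):
    """Every label must be exactly one hex digit."""
    for label in labels:
        if len(label) != 1 or label not in HEX:
            raise ValueError(f"bad nibble {label!r} in {source!r}")


def zone_nibbles(zone):
    """Nibble labels of an ip6.arpa zone, in DNS (reversed) order."""
    z = zone.rstrip(".").lower()
    if not z.endswith(SUFFIX):
        raise ValueError(f"not an ip6.arpa zone: {zone!r}")
    labels = z[: -len(SUFFIX)].split(".")
    _check_nibbles(labels, zone)
    return labels


def host_nibbles(entry):
    """Host part of a record as nibble labels in DNS (reversed) order.

    Accepts the colon short form (':::0003') or dotted nibbles
    ('3.0.0.0...'), which are already in reversed order.
    """
    entry = entry.strip().lower()
    if ":" in entry:
        nibbles = []
        for group in entry.split(":"):
            if len(group) > 4 or any(c not in HEX for c in group):
                raise ValueError(f"bad group {group!r} in {entry!r}")
            # Assumption: pad each group to 4 nibbles, empty group = 0000.
            nibbles.extend(group.rjust(4, "0"))
        return nibbles[::-1]
    labels = entry.rstrip(".").split(".")
    _check_nibbles(labels, entry)
    return labels


def owner_name(entry, zone):
    """Return (fully qualified PTR owner name, IPv6Address) for an entry."""
    zone_part = zone_nibbles(zone)
    host_part = host_nibbles(entry)
    if len(host_part) + len(zone_part) != 32:
        raise ValueError(
            f"{entry!r} gives {len(host_part)} nibbles, zone needs "
            f"{32 - len(zone_part)}"
        )
    labels = host_part + zone_part
    name = ".".join(labels) + SUFFIX + "."
    # Cross-check against the standard library's own reverse-name logic.
    addr = ipaddress.IPv6Address(int("".join(reversed(labels)), 16))
    if addr.reverse_pointer + "." != name:
        raise ValueError(f"generated name does not match {addr}")
    return name, addr


if __name__ == "__main__":
    name, addr = owner_name(":::0003", SAMPLE_ZONE)
    print(f"{name} PTR foo.com.   ; {addr}")
```

Rejecting an entry whose nibble count does not fill the zone catches the common mistake of dropping or adding a group, which would otherwise produce a syntactically valid record for the wrong address.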



Re: RINA - scott whaps at the nanog hornets nest :-)

2010-11-07 Thread Will Hargrave

On 6 Nov 2010, at 20:29, Matthew Petach wrote:

>> There is no reason why we are still using 1500 byte MTUs at exchange points.
> Completely agree with you on that point.  I'd love to see Equinix, AMSIX, LINX,
> DECIX, and the rest of the large exchange points put out statements indicating
> their ability to transparently support jumbo frames through their fabrics, or at
> least indicate a roadmap and a timeline to when they think they'll be able to
> support jumbo frames throughout the switch fabrics.


At LONAP we've been able to support jumbo frames (at 9000+ depending on how you 
count it) for some years. We have been running large MTU p2p vlans for members 
for some time - L2TP handoff and so on. What we don't do is support >1500byte 
MTU on the shared peering vlan, and I don't see this changing anytime soon. 
There isn't demand; multiple vlans split your critical mass even if you are 
able to decide on a lowest common denominator above 1500.

I imagine the situation is similar for other exchanges (apart from Netnod as 
already mentioned).

I won't bother to further reiterate the contents of 
<20101106203616.gh1...@gerbil.cluepon.net>; others can just read Ras's post for 
a concise description. :-)

-- 
Will Hargrave
Technical Director
LONAP Ltd






Re: RINA - scott whaps at the nanog hornets nest :-)

2010-11-07 Thread Will Hargrave

On 7 Nov 2010, at 08:24, George Bonser wrote:

> It will happen on its own as more and more networks configure internally
> for larger frames and as more people migrate out of academia where 9000
> is the norm these days into industry.

I used to run a large academic network; there was a vanishingly small incidence 
of edge ports supporting >1500byte MTU. It's possibly even more tricky than the 
IX situation to support in an environment where you commonly have mixed devices 
at different speeds (most 100mbit devices will not support >1500) on a single 
L2, often under different administrative control.


Re: -48VDC supply for home lab?

2014-02-03 Thread Will Orton
I use:
http://www.mastechpowersupply.com/dc-power-supply/switching-power-supply/volteq-power-supply-hy5020ex-50v-20a-over-voltage-over-current-protection/prod_61.html

The output is changeable from positive to negative ground by moving the 
shorting bar to ground from the - output to the + side.

If you need to be able to charge a 48v battery plant you'd want the 60v version
instead, but it's more $. The 50v one works fine for benchtesting equipment,
at least.

-Will


On Mon, Feb 03, 2014 at 02:02:11PM -0700, Mark Leonard wrote:
> Date: Mon, 3 Feb 2014 14:02:11 -0700
> Subject: -48VDC supply for home lab?
> From: Mark Leonard 
> To: "North American Network Operators' Group" 
> 
> Greetings NANOG'ers!
> 
> I have a small home lab which I mostly use for learning and testing.  I'm
> likely to receive some gear that needs negative 48VDC (ie: positive
> ground).  Mains is a typical 120VAC, 60Hz.
> 
> Can anyone recommend a power supply, reasonably priced, to go from 120VAC
> down to -48VDC@10Amps?  Something that fits in a two post rack would be
> preferred, but not required.
> 
> Thanks,
> Mark



Re: Recommendation on NTP appliances/devices

2014-04-03 Thread Will Orton
On Thu, Apr 03, 2014 at 09:06:57PM -0700, George Herbert wrote:
> Sadly, right now that either means your own real clock, or WWV.  The
> cellphone time is (as far as I know, for the networks I saw data on) all
> coming off GPS.
> 
> Fortunately real clocks are coming way down in cost.


There are commercially available NTP servers with GPS + Rb oscillators... for 
NTP use you could basically let it sync up a couple days, disconnect the GPS 
and let it freerun. You'd still be within a millisecond of GPS even after a 
couple years most likely. Reconnect it to GPS for a couple days every 1-2 years 
to resync it. More fun and cheaper to build your own I'd bet, if you had the 
time.

With clocks/oscillators designed to provide hold-over for synchronous networks 
and microwave RF systems (parts per million or billion) the demands of NTP for 
general use in an IP network are pretty modest. You lose more accuracy in NTP 
stratum 1->2 across a (relatively) jittery WAN link than a cheap atomic clock 
does in a long time.

-Will



Cogent to Comcast IPv6 broken?

2014-04-18 Thread Will Orton
Cogent from various west coast USA locations seems to have trouble getting to 
some Comcast ipv6 addresses:

Cogent LG Los Angeles to www.comcast6.net
traceroute to 2001:558:fe16:7:69:252:216:215 (2001:558:fe16:7:69:252:216:215), 
30 hops max, 80 byte packets
 1  2001:550:1:317::1 (2001:550:1:317::1)  70.184 ms  70.181 ms
 2  * *
 3  * *
 4  2001:550:4::51 (2001:550:4::51)  15.013 ms  14.981 ms
 5  * *
 6  * *
[ ... ]


Cogent LG San Francisco ipv6 trace to www.comcast6.net
 traceroute to 2001:558:fe16:7:69:252:216:215 (2001:558:fe16:7:69:252:216:215), 
30 hops max, 80 byte packets
 1  2001:550:1:31f::1 (2001:550:1:31f::1)  0.367 ms  0.369 ms
 2  * *
 3  * *
 4  * *
[ ... ]

Cogent LG San Jose ipv6 ping to www.comcast6.net
PING 2001:558:fe16:7:69:252:216:215(2001:558:fe16:7:69:252:216:215) 56 data 
bytes

--- 2001:558:fe16:7:69:252:216:215 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 13999ms


Cogent LG San Jose ipv6 ping to speedtest.comcast.net (Los Angeles does same 
thing, but Kansas City works):
PING 2001:558:fe2a:3:69:241:64:6(2001:558:fe2a:3:69:241:64:6) 56 data bytes

--- 2001:558:fe2a:3:69:241:64:6 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 14000ms

from Los Angeles same thing, but from Cogent's LG Kansas City it works:
PING 2001:558:fe2a:3:69:241:64:6(2001:558:fe2a:3:69:241:64:6) 56 data bytes
64 bytes from 2001:558:fe2a:3:69:241:64:6: icmp_seq=1 ttl=55 time=35.6 ms
64 bytes from 2001:558:fe2a:3:69:241:64:6: icmp_seq=2 ttl=55 time=35.7 ms
64 bytes from 2001:558:fe2a:3:69:241:64:6: icmp_seq=3 ttl=55 time=35.6 ms
64 bytes from 2001:558:fe2a:3:69:241:64:6: icmp_seq=4 ttl=55 time=35.6 ms
64 bytes from 2001:558:fe2a:3:69:241:64:6: icmp_seq=5 ttl=55 time=35.6 ms

--- 2001:558:fe2a:3:69:241:64:6 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4043ms
rtt min/avg/max/mdev = 35.620/35.676/35.734/0.241 ms


This is similar to issues I see with a Cogent IPv6/BGP-enabled transit 
connection in Los Angeles to a random
Comcast customer address (that is otherwise up and reachable from HE.net, NTT, 
etc):

(from router with ipv6 BGP Cogent transit connection):
traceroute6 to 2601:7:1300:3d2::1 (2601:7:1300:3d2::1) from 2001:550:2:18::5:2, 
64 hops max, 12 byte packets
 1  2001:550:2:18::5:1 (2001:550:2:18::5:1)  1.903 ms  1.120 ms  10.771 ms
 2  * * *
 3  * 2001:550::57 (2001:550::57)  15.654 ms *
 MPLS Label=19852 CoS=2 TTL=255 S=0
 MPLS Label=19207 CoS=2 TTL=255 S=1
 4  * * *


I have Cogent ticket #HD005706297 on that but I'm being ignored.
I see similar things from Cogent IP6 transit out of San Jose.

Anyone at Cogent able to look at this? I basically blackhole big chunks of 
Comcast ipv6 on my network when I 
enable ipv6 to Cogent.


-Will



Re: No route to weather.gov

2014-06-11 Thread Will Dean

I also can't reach weather.gov.

traceroute to weather.gov (204.227.127.201), 64 hops max, 72 byte packets
 1  192.168.124.1 (192.168.124.1)  0.315 ms  0.140 ms  0.134 ms
 2  ge-2-2-0-32767-sur01.michiganave.dc.bad.comcast.net 
(50.202.87.153)  0.383 ms  0.359 ms  0.339 ms
 3  ae-19-0-ar04.whitemarsh.md.bad.comcast.net (68.85.114.133)  29.131 
ms  22.402 ms  3.160 ms

 4  * * *
 5  * * *

will$ telnet weather.gov 80
Trying 204.227.127.201...
telnet: connect to address 204.227.127.201: Operation timed out
telnet: Unable to connect to remote host

www.weather.gov has an A record for Akamai which is reachable.

will$ telnet www.weather.gov 80
Trying 23.3.108.190...
Connected to a895.g.akamai.net.
Escape character is '^]'.


-- Will


Re: Comcast Business Internet Options

2014-06-30 Thread Will Dean

Phil,


Comcast does have a residential fiber tier that leverages their metro 
ethernet network. https://www.comcast.com/505


http://www.speedtest.net/result/3595673618.png

- Will

Brandon Galbraith <mailto:brandon.galbra...@gmail.com>
June 30, 2014 at 1:33 PM

I've worked with Comcast Business on <10 installations for clients,
and the only time I was able to get installation charge concessions
was on a long-term agreement (3 years minimum). This is in an area
where they have active competition with an ILEC.

brandon
Phil Gardner <mailto:phil.gardne...@gmail.com>
June 30, 2014 at 9:45 AM
Hi all -

Probably like a lot of people on the list, I depend on my home 
internet connection for many things including my primary job, and the 
numerous side projects I work on.


I'd really appreciate a connection that would have a shorter 
response time if something were to go wrong. Unfortunately, I just 
moved and now I'm out of the service area of my previous provider, who 
was actually able to compete with Comcast (FTTH). Now I'm stuck with 
one option.


I really don't plan on spending more than a year where I currently am, 
so I don't want to be locked into a contract for more than a year, 
especially with Comcast's crap termination fee (75% of the remainder 
on the contract).


I called and talked to a sales rep, who was just a kid, and an 
arrogant one at that. He knew of the monopoly for a decent internet 
connection in my area, so I had little bargaining power.


The offer he gave me was: minimum 2 year contract, with a $99 
installation fee, and his "supervisor" "approved" a $300 Visa giftcard 
if I agreed to this. The other option is a 1 year contract, with a 
$199 installation fee, with no giftcard. This is for the 50Mbit 
option, and he didn't seem to care about my counter offer to bump it 
up to 75Mbit if he waived the install fee.


Come on...$199 to plug in a modem. The address already had Comcast 
before I got there...


Is there anyone out there that has ideas about how to waive or lower 
that installation fee while only having a 1 year contract?




Earthlink Contact - DNS cache poisoning

2011-09-24 Thread Will Dean
Anyone out there in Earthlink land? I am seeing what looks to be a cache 
poisoning attack on ns1.mindspring.com.

Sporadic of course so it takes a few queries to replicate. 

will$ dig www.google.com @207.69.188.185

; <<>> DiG 9.7.3 <<>> www.google.com @207.69.188.185
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26196
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.                IN      A

;; ANSWER SECTION:
www.google.com. 60  IN  A   64.27.117.179
www.google.com. 60  IN  A   69.25.212.24

;; AUTHORITY SECTION:
www.google.com. 65535   IN  NS  WSC2.JOMAX.NET.
www.google.com. 65535   IN  NS  WSC1.JOMAX.NET.

;; Query time: 88 msec
;; SERVER: 207.69.188.185#53(207.69.188.185)
;; WHEN: Sat Sep 24 20:25:40 2011
;; MSG SIZE  rcvd: 120


- Will


Re: Earthlink Contact - DNS cache poisoning

2011-09-24 Thread Will Dean

On Sep 24, 2011, at 9:07 PM, Christopher Morrow wrote:

> On Sat, Sep 24, 2011 at 8:51 PM, Jimmy Hess  wrote:
> I think actually.. earthlink uses barefruit? (or they did when ...
> kaminsky was off doing his destruction of the dns liars gangs...)
> Maybe the same backend is used though for the advertizer side?
> (barefruit provides the appliance, some third-party is the
> advertiser/website-host... same for paxfire?)
> 

Barefruit was just for returning a search engine result for a NXDOMAIN response.

It appears Earthlink is now using Paxfire to sniff and proxy a user's traffic to 
at least one popular website. Besides the obvious privacy implications, it 
introduces a nice captcha on Google.

- Will


Re: William was raided for running a Tor exit node. Please help if you can.

2012-11-29 Thread Will Hargrave

On 29 Nov 2012, at 20:53, George Herbert  wrote:

> The assertion being made here, that it's somehow illegal (or immoral,
> or scary) for there to be not-completely-traceable internet access in
> the US, is absurd.

The real issue here is *not* the legality of the act of providing a Tor exit 
node, or an open access point, or anything else. In sensible countries that is 
perfectly legal. The problem here is the reality of undergoing a criminal 
investigation. 

Think carefully about the impact of having everything in your life which runs 
an operating system taken away. Phones. Tablet. Laptop. Servers. All portable 
drives, data. If you rely on that hardware for your income (and who doesn't?) 
you're going to have to buy all of that again. And restore your data, if you 
are able. 


-- 
Will






Are people still building SONET networks from scratch?

2012-09-06 Thread Will Orton
We've run into an issue with a customer that has been confounding us for a few 
months as we try to design what they need.

The customer has a location in the relative middle of nowhere that they are 
trying to build a protected OC3 to. Ultimately, their traffic on it will be 
packet data (IP/ethernet, not channelized/voice). But they seem to be 
absolutely 100% set on the idea that they build with Cisco ONS boxes and that 
they run and control the D1-D12 bytes in order to manage protection switching 
on the OC3 (and have their DCC channel for management).

Since this is the middle of nowhere, we are having to piece it together from a 
few runs of dark fiber here and there and lit services from about 3 other 
providers to get from the desired point A to the desired point B. The issues 
we seem to be hitting are:

-We seem to be unable to find anyone who sells lit OC3 with D1-D12 
transparency for the client. Sometimes we can get D1-D3, but that's it.

-lit OC3/12/48 is ridiculously expensive compared to 1g ethernet waves or 10g 
waves (choice LAN/WAN ethernet or OC192)

10g waves are cheap enough that we have entertained the idea of buying them and 
putting OC-192/muxponders on the ends to provide the OC-3, but even then I'm 
having trouble finding boxes that will do D1-D12 transparency for client OC-3. 
Building the whole thing on dark fiber so that we could specify the exact 
equipment on every hop isn't going to happen, as the "protect" path is about 
1000 miles and the geography is such that we don't really have a market for all 
the other wasted capacity there would be on that path.

Having much more experience with ethernet/packet/MPLS setups, we are trying to 
get the client to admit that 1g/10g waves running ethernet with QoS would be as 
good as or better in terms of latency, jitter, and loss for their packet data. 
So far they will barely listen to the arguments. And then going the next leap 
and showing them that we could work towards <50ms protection switching with 
MPLS/BFD/etc packet-based protocols is another stretch.


Am I missing something here that my customer isn't, or is it the other way 
around? 

-Will



Re: Are people still building SONET networks from scratch?

2012-09-06 Thread Will Orton
On Thu, Sep 06, 2012 at 06:00:37PM +0100, Nick Hilliard wrote:
> Not sure if I see the problem here.  Show them the bill for an OC3 service,
> and then show them the bill for the equivalent ethernet service.  This
> usually works for me.  If they want to pay for OC3 when there's no
> compelling reason to, who are you to argue?
> 
> Nick
> 


Yes, of course the response is, "figure out how to make the OC3 cheaper". :) 
So we're rapidly approaching a response of "you've engineered yourself into 
a corner, take it or leave it".

I just can't see how to get OC3 D1-D12 tunneled through without doing it as 
a mix of OC-48 and dark fiber for the entire path and specifying lots of 
complicated boxes just to get those bytes through. That cost is an order of 
magnitude more than just buying OC3 from multiple carriers (who can't tunnel 
D1-D12), which is a magnitude more than buying mpls-based gig-e or gig-e 
wave.

I wasn't around (well, I was just a T1/DS3 customer) when all the OC3/12/48 
SONET networks were built 10-15 years ago. I suppose they were all built 
directly on the fiber (maybe with WDM but no layer1.5-2 muxing) and the 
provider was always the one who handled protection switching?

I've considered using J's PE-4CHOC3-CE-SFP (OC3 emulated SAToP), then I 
could do it all with gig-e underneath. Does anyone make a cheaper OC3 
circuit emulation module or box? Most likely the customer wouldn't believe 
such a thing is possible and we'd have to put something in the contract 
allowing them SLA credit if their OC3 suffers too many timing slips or 
something.


-Will



Re: Big Temporary Networks

2012-09-15 Thread Will Hargrave
On 13 Sep 2012, at 17:32, Tim Franklin  wrote:

>> You'll need a beefy NAT box.  Linux with Xeon CPU and 4GB RAM minimum.
> Or not.  The CCC presentation is showing *real* Internet for everyone, unless 
> I'm very much mistaken…

Absolutely. NAT is too fragile/expensive/non-performant for these setups. CGN 
boxes are too new to be economically borrowed/rented, maybe one day it will be 
possible, but for now we can still get the address space required (Timespan 
issues notwithstanding)


On 13 Sep 2012, at 21:03, Chris Boyd  wrote:

> If you know of an ISP in Central Texas that can deploy a 10Mbit plus 
> connection along with a /22 of v4 address space for a 1 day event, please let 
> me know. TWCable has been pretty easy to work with for special events, but 
> I'd be really surprised to see them be able to do that.

I suggest either getting a L2 circuit or else IPIP/GRE tunnel to somewhere with 
a functioning internet market. It is far preferable to tunnel than it is to 
have session state in the network.



I've been part of the team deploying networking to various leafy parts of the 
Netherlands (e.g. HAR2009), ex-soviet airbases (CCC Camp), a park in Milton 
Keynes, UK (EMF2012). With some thought and creative planning it is possible to 
bring in a useful uplink in the 300M-10G+ range. [I'm not sure I remember those 
DS3s and OC3s that other posters are talking about, something these days used 
only in developing countries i thought ;-)]


As a network engineer, these events are a great way to meet people with 
different experience, talk to eager young folk, do things in a different way 
and generally have a reset on your professional life. You might even get some 
sun too :-)


Inter-domain OTN, does it happen in the real world?

2012-10-23 Thread Will Orton
Reading about OTN networks, I see that "IrDI" is specified to handle the case 
where one OTN network needs to connect to another natively with OTN signals.

Is this done in the real world? Does OTN network operator A ever go to OTN 
network operator B and say, "I'd like to buy a OTU2 from city X to city Y on 
your long haul network (at buildings J and K where we can connect simply with 
short-distance SMF/1310 signals), and what TCM levels can you give me?"

I understand this in the case of lit 10GbE-WANPHY, LAN, and OC-192, but are OTU 
"lit" signals bought and sold wholesale this way too? Is there generally a 
price premium over the more normal client signals?

-Will Orton




Re: www.ipv6.facebook.com not loading

2012-10-25 Thread Will Lawton
www.v6.facebook.com was the official pre-www  record host. I recall a 
www.ipv6.facebook being added as a redirect because there seemed to be 
confusion around which one it was.

Regardless, to answer the original question, yes www.v6.facebook.com has been 
officially deprecated for almost 2 years now as it was only meant as a test 
platform for the inevitable www.facebook.com .

If you can not get to www.facebook on v6, please work with your ISP to find out 
why. When I left there, it was still a whitelisting design for known good 
networks, but I believe that was done away with after this year's ipv6 day.

-Will Lawton

On Oct 25, 2012, at 9:17, "Jima"  wrote:

> On 2012-10-25 07:18, Frank Bulk wrote:
>> Since Wednesday at 1:48 pm Central www.ipv6.facebook.com has not been
>> loading (though it's pingable).  Does anyone know if this has been
>> formally
>> deprecated?
> 
> As I recall, the primary IPv6-only FQDN was (and still is)
> www.v6.facebook.com .  I honestly never noticed that they added an 
> for www.ipv6.facebook.com .
> 
> Hardly scientific, but
> http://www.googlefight.com/index.php?lang=en_GB&word1=www.v6.facebook.com&word2=www.ipv6.facebook.com
> seems to support my memory to some degree.
> 
> Jima
> 
> 



Re: update

2014-09-24 Thread Will Yardley
On Thu, Sep 25, 2014 at 05:11:22AM +0200, Mikael Abrahamsson wrote:
> On Wed, 24 Sep 2014, Jim Popovitch wrote:
> 
> > I *did* read that, and it doesn't change anything about what I wrote. 
> > Debian didn't make those changes for you..  Debian has never set 
> > root's shell to bash, ever.  PEBKAC?
> 
> I can verify William's settings on my Debian system that was initially 
> installed back in 3.x days or so, probably around 2005 or thereabouts. My 
> root shell uses bash and /bin/sh points to bash.

I haven't administered many Debian / Ubuntu systems recently, but I did
during the days of hamm / slink / potato, and my recollection is that
the *default* /bin/sh in 2.x and 3.x was bash, though it was possible to
configure the system to use ash or something lighter weight instead.
Doubt I currently have access to any systems that old, but:

% cat /etc/debian_version 
5.0.4
% ls -al /bin/sh 
lrwxrwxrwx 1 root root 4 2009-03-05 16:58 /bin/sh -> bash*
% which dash 
dash not found

$ cat /etc/debian_version 
5.0.9
$ ls -al /bin/sh
lrwxrwxrwx 1 root root 4 2010-08-02 12:21 /bin/sh -> bash*

So, I think "never... ever" is maybe not quite correct.

w



Dial Up Solutions

2015-10-16 Thread Will Duquette
Does anyone have any suggestions on equipment for our ISP that is still
supporting dial up customers?

At the moment we are running 3Com Total Control 1000's but are running out
of spare parts as we have failures.  Given that this gear is so old trying
to source spare parts is proving to be difficult.

We do have access to a Cisco AS5200 but are looking for maybe a SIP based
solution that could possibly run on our VM farm?  Has anyone heard of
anything like that or does it even exist?

What kind of gear are you running if you still are supporting dial up
customers?

Thanks in advance

-- 
Will Duquette
GWI
Network Systems Engineer
www.gwi.net


Re: Small IX IP Blocks

2015-04-05 Thread Will Hargrave
On 5 Apr 2015, at 04:29, Paul Stewart  wrote:

> I worked for a provider until recently that happened to get an IP assignment
> at an IXP that was transitioning from /25 to /24.  It was painful chasing
> down peers to get them to change their netmask just so we could connect.
> This went on for several months dealing with the peering/network contacts of
> whom many of them didn't know the mask had changed in the first place.

If you had problems peering because other participants have the wrong netmask, 
the IXP is not being operated correctly. It’s such a very bad thing to have the 
incorrect netmask on interfaces (think, more-specifics, route leaks, etc) that 
the IXP should manage the netmask change process itself - in fact to the point 
of disconnecting networks who do not configure it correctly.

When we renumbered LONAP from /24 to /22, we had to change netblocks too. I 
can’t recall if we had any netmask problems too but it seems perfectly possible 
if lazy people just went %s/193.203.5/5.57.80/g. So we did check for that - 
it’s quite a simple task.

From an IXP user point of view, the change was easier for J users, but we built 
a config validator/renumbererer for C IOS users to help them out. (‘paste your 
config in this webform’ ‘examine the output’ sort of thing)


Will
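
An added example, not part of the original post and not LONAP's own validator: a minimal checker for the renumbering mistake described above, where a search-and-replace moves an IOS-style config to the new LAN but keeps the old /24 mask. It assumes the new peering LAN is 5.57.80.0/22 (inferred from the substitution and the "/24 to /22" in the post); the function name, finding codes and sample config are constructed for illustration.

```python
import ipaddress
import re

# Assumptions taken from the post: the old peering LAN was 193.203.5.0/24 and
# the new one is 5.57.80.0/22 (from the substitution and "/24 to /22").
OLD_LAN = ipaddress.ip_network("193.203.5.0/24")
NEW_LAN = ipaddress.ip_network("5.57.80.0/22")

IP_ADDRESS_RE = re.compile(r"^\s+ip address (\S+) (\S+)")
NEIGHBOR_RE = re.compile(r"^\s+neighbor (\d{1,3}(?:\.\d{1,3}){3})\s")

# Constructed sample: a config renumbered with a plain search-and-replace.
# The address moved to the new LAN but the mask is still the old /24, and one
# BGP neighbor was missed. AS numbers are from the documentation range.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description IXP peering LAN
 ip address 5.57.80.10 255.255.255.0
!
interface GigabitEthernet0/2
 ip address 192.0.2.1 255.255.255.0
!
router bgp 64496
 neighbor 5.57.80.1 remote-as 64497
 neighbor 193.203.5.2 remote-as 64498
"""


def check_config(text):
    """Return a list of (line_no, code, detail) findings, in file order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = IP_ADDRESS_RE.match(line)
        if m:
            try:
                iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            except ValueError:
                continue  # not a literal address/mask pair, nothing to check
            if iface.ip in OLD_LAN:
                findings.append((line_no, "OLD_LAN_ADDRESS",
                                 f"{iface.ip} is still in {OLD_LAN}"))
            elif (iface.ip in NEW_LAN
                  and iface.network.prefixlen != NEW_LAN.prefixlen):
                # With a /24 mask, peers elsewhere in the /22 look off-link.
                findings.append((line_no, "WRONG_NETMASK",
                                 f"{iface.ip} has mask {iface.netmask}, "
                                 f"expected {NEW_LAN.netmask}"))
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            try:
                peer = ipaddress.ip_address(m.group(1))
            except ValueError:
                continue
            if peer in OLD_LAN:
                findings.append((line_no, "OLD_LAN_NEIGHBOR",
                                 f"neighbor {peer} is still in {OLD_LAN}"))
    return findings


if __name__ == "__main__":
    for line_no, code, detail in check_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {code}: {detail}")
```
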

Re: Galaxy S6 is IPv6 on all US National Mobile carriers

2015-04-13 Thread Will Dean
Reddit started using CloudFlare late last year, so they should be able to 
serve content up over v6.


http://www.reddit.com/r/blog/comments/2ftv08/hell_its_about_time_reddit_now_supports_fullsite/ckcoww2

(http://www.redditblog.com/2014/09/hell-its-about-time-reddit-now-supports.html)

Christopher Morrow 
April 13, 2015 at 5:22 PM

good news! it's only really 3 places that need update, since reddit is
(still?) an amazon aws customer.
Ca By 
April 13, 2015 at 5:20 PM
Good news (that i have not personally verified) !

Verizon, T-Mobile, Sprint, and AT&T all launched the Samsung Galaxy S6 with
IPv6 on by default.

Given the growth and importance of mobile to Internet, it is great to see
this progress from the mobile carriers.

Just for those keeping score, of the top 10 Alexa website for the USA,
these major websites prefer IPv6 or prefer NAT44 / NAT64 from the mobile
networks

1. Google -- prefers IPv6
2. Facebook -- prefers IPv6
3. Youtube -- prefers IPv6
4. Amazon -- prefers NAT -- :(
5. Yahoo! -- prefers IPv6
6. Wikipedia -- prefers IPv6
7. Twitter -- prefers NAT -- :(
8. Ebay -- prefers NAT -- :(
9. Linkedin -- prefers IPv6
10. Reddit -- prefers NAT -- :(

Dear Amazon, Twitter, Ebay, and Reddit -- please consider this your
personal invitation to introduce IPv6 to your service.


Re: SEC webpages inaccessible due to Firefox blocking servers with weak DH ciphers

2015-07-19 Thread Will M.
Load balancers can also be used like this, while maintaining redundancy 
(assuming HA LB config). Terminate SSL/TLS on the LB and run plain-text 
to the application/appliance. As long as the load balancer is in an 
acceptable part of the network.


--Will

On 7/17/15 1:59 PM, Michael O Holstein wrote:

Yes, the config option in FF is global .. I'm sure it could be done with an 
extension though.

The 'el cheapo' solution that comes to mind is use a Raspberry Pi with dual 
ethernet (second via USB) and run Nginx on it .. secure out the front, insecure 
out the back. It'd cost you something like $50.

I'm surprised "SSL stupidifiers" aren't on sale for $9 at Aliexpress or DX.

-Mike


From: NANOG  on behalf of Alexander Maassen 

Sent: Friday, July 17, 2015 4:50 PM
To: nanog@nanog.org
Subject: Re: SEC webpages inaccessible due to Firefox blocking servers with 
weak DH ciphers

(Sorry Michael for the duplicate, forgot to press reply all :P)

No problem making the web more secure, but in such cases I think it would
have been better if you could set this behaviour per site, same as with
'invalid/self signed certs'. And in some cases, vendors use weak ciphers
because they also utilize less resources. Everyone who has a DRAC knows
about its sluggish performance.

Another drawback of the DRACs is, they are https only, and you cannot
turn this behaviour off. Guess for that the only options would be to make
your own interface and utilize the telnet/snmp interface. (Which is
probably less secure than SSLv3), or some form of SSLv3 <-> strong cipher
proxy.

And needing to replace hardware that works perfectly fine for the purposes
it's intended for just because a browser refuses to connect to it and
denies you the option to make exceptions sounds just like the well known
error 'Not enough money spent on hardware'

On Fri, July 17, 2015 9:14 pm, Michael O Holstein wrote:

making 99% of the web secure is better than keeping an old 1% working

A fine idea, unless for $reason your application is among the 1% ..

nevermind the arrogance of the "I'm sorry Dave" sort of attitude.

As an example .. we have a vendor who, in the current release (last 3
months) still requires "weak" ciphers in authentication responses. That
was mostly okay until another vendor (with more sense) wanted to auth
the same way but only permitted strong ciphers.

My $0.02

Michael Holstein
Cleveland State University





Re: common method to count traffic volume on IX

2013-09-19 Thread Will Hargrave

On 19 Sep 2013, at 12:32, Niels Bakker  wrote:

> I know you're a busy man so the tl;dr is that by encouraging local peering 
> more networks will start to peer, and by partnering with one or more local 
> carriers those new networks as well as established players in those markets 
> can connect to the home exchange point too, increasing value for all 
> connected parties.

But isn't this all just neo-colonialism? Establish a market in the colony, but 
ensure through restrictive trade practices that all trade routes lead back via 
the mother country. 

Or can I buy myself connectivity to AMS-IX Amsterdam when I'm present at the 
LINX Harare exchange?

Will


Re: BGP hijack from 23724 -> 4134 China?

2010-04-08 Thread Will Clayton
Do share!

On Thu, Apr 8, 2010 at 7:29 PM, Beavis  wrote:

> Is it possible for you to share that filter list you have for china?
> im getting bogged down by those ssh-bruts as well coming in from
> china.
>
>
> -B
>
> On Thu, Apr 8, 2010 at 2:36 PM, Brielle Bruns  wrote:
> > On 4/8/10 2:23 PM, Jay Hennigan wrote:
> >>
> >> We just got Cyclops alerts showing several of our prefixes sourced from
> >> AS23474 propagating through AS4134.  Anyone else?
> >>
> >> aut-num:  AS23724
> >> as-name:  CHINANET-IDC-BJ-AP
> >> descr:IDC, China Telecommunications Corporation
> >> country:  CN
> >>
> >> aut-num:  AS4134
> >> as-name:  CHINANET-BACKBONE
> >> descr:No.31,Jin-rong Street
> >> descr:Beijing
> >> descr:100032
> >> country:  CN
> >>
> >> --
> >> Jay Hennigan - CCIE #7880 - Network Engineering - j...@impulse.net
> >> Impulse Internet Service  -  http://www.impulse.net/
> >> Your local telephone and internet company - 805 884-6323 - WB6RDV
> >>
> >
> > I'm starting to wonder if someone is 'testing the waters' in China to see
> > what they can get away with. I hate to be like this, but there's a reason
> > why I have all of China filtered on my routers.
> >
> > Amazing how much SSH hammering, spam, and other nastiness went away within
> > minutes of the filtering going in place.
> >
> > There comes a point where 'accidental' and 'isolated incident' become "we no
> > care" and "spam not illegal".  And no, I'm not quoting that to mock, but
> > rather repeat exactly what admins in China send to me in response to abuse
> > reports and blocking in the AHBL.
> >
> > --
> > Brielle Bruns
> > The Summit Open Source Development Group
> > http://www.sosdg.org/ http://www.ahbl.org
> >
> >
>
>
>
> --
> ()  ascii ribbon campaign - against html e-mail
> /\  www.asciiribbon.org   - against proprietary attachments
>
>


Re: Surcharge for providing Internet routes?

2010-05-03 Thread Will Hargrave

On 3 May 2010, at 05:27, Matthew Petach wrote:
> In Asia, there is a popular, but incorrectly named product offering
> that many ISPs sell called "domestic transit" which they sell
> for price $X; for "full routes" you often pay $2X-$3X.  I grind my
> teeth every time I hear it, since "transit" doesn't mean "to select
> parts of the internet" in most people's eyes.  It's really a paid
> peering offering, but no matter how much I try to correct people,
> the habit of calling it "domestic transit" still persists.  :(


This is relatively common in Europe too - normally under the name 'partial 
transit'.

paid peering: [provider AS] + [provider's customers] 
partial transit: [provider AS] + [provider's customers] + [provider's peers]

Pricing is typically 5-20% of the cost of full routes, and will provide in the 
region of 40-120k routes.




Re: AW: Recommended 1Gb SFP for ~115km?

2010-08-10 Thread Will Hargrave

On 4 Aug 2010, at 17:58, Thomas Weible wrote:

> Cisco did a quite good job on implementing the DDM characteristics of the 
> optics. So why not to take a 32dB or even 41dB power budget SFP and make it 
> workable in the switch / router. Works like charm in some setups and you see 
> straight the actual line.


Sadly not the case here.

OP is using a 6506, and the majority of the 67xx linecards released (which are 
the decent gige linecards for 6500) don't even support DDM/DOM at all. Only the 
very latest hardware revisions do. Sigh.

Other vendors refuse to report light levels from optics they didn't supply. 
This is just a bad-faith way round the RFP/tender clauses we've all been 
including for the past 5 years prohibiting vendor locking optics. Shame on them.


Will





Re: Level 3 - "legacy" Wiltel/Looking Glass bandwidth

2009-07-02 Thread Will Orton
We have an old Wiltel DS3 homed from their Anaheim POP... all traffic that's 
not going to destinations on the old 7911 backbone seems to be backhauled to 
Level3 in San Jose before getting anywhere else, like so:

 1  (internal)
 2  (internal)
 3  (internal)
 4  anhmca1wcx1-atm10-0-0.wcg.net (64.200.142.169)  8.017 ms  8.596 ms  8.138 ms
 5  anhmca1wcx3-oc48.wcg.net (64.200.143.65)  9.325 ms  8.056 ms  9.485 ms
 6  64.200.249.122 (64.200.249.122)  79.108 ms  251.438 ms  222.596 ms
 7  64.200.249.142 (64.200.249.142)  16.357 ms  16.167 ms  17.004 ms
 8  te-3-2-70.car4.SanJose1.Level3.net (4.68.110.25)  12.568 ms  13.195 ms  13.384 ms

So they don't seem to interconnect 7911 and 3356 in Los Angeles. We complained 
about this a year ago and they basically said, "tough, you bought IP transit, 
we're giving you IP transit".

Anyway, so in the meantime we bought a new gig-e to 3356 in San Jose...


 1  (internal)
 2  (internal)
 3  (internal)
 4  (internal)
 5  ge-x-x.car4.SanJose1.Level3.net (4.71.x.x)  9.063 ms  7.780 ms  8.460 ms


So it almost looks like my gig-e in San Jose is off the same router they 
backhaul 7911/Anaheim via.

I wouldn't take a new connection to 7911 unless you're okay with this sort of 
thing. Performance has been fine other than the 5-10ms of extra latency, but 
the aesthetics bug me more than anything. If they communicated more about what 
they're doing on the 7911 net and what the PLAN is for transitioning things, 
I'd be happier. But it's been this way for years now so we're just 
disconnecting the old one, which is probably what they're waiting for everyone 
to do rather than really merge the networks.

-Will


On Wed, Jul 01, 2009 at 11:15:42PM -0700, Scott Howard wrote:
> Date: Wed, 1 Jul 2009 23:15:42 -0700
> Subject: Level 3 - "legacy" Wiltel/Looking Glass bandwidth
> From: Scott Howard 
> To: nanog@nanog.org
> 
> We're looking at getting connectivity via Level 3 in a particular
> datacenter, but we're being told that it's "legacy Wiltel/Looking Glass"
> rather than "true" Level 3.
> 
> Given that both of these acquisitions occurred years ago should I be
> worried, or is this "legacy" connectivity the same as L3 at any other
> datacenter?
> 
>   Scott.



Re: Opensource or Low Cost NMS for Server Hardware / Application Monitoring

2009-07-22 Thread Will Clayton

Eric Gauthier wrote:

Hello,

  
As for server / application / random other stuff (like printers and  
ups's and IP camera and the like), Zenoss is great -- its clean,  
simple, fast(ish), easy  and pretty -- the last one happens to be  
important for some folks (esp in the enterprise world...)



We've looked at ZenOSS but couldn't get it to model the network.
From what we can tell, it couldn't handle the full routing table
on our core routers (there are six).  If someone has successfully 
done this, can you contact me off list?


Eric :)


I like NMIS. Fast, scalable, flexible and really hackable. It doesn't 
take much time to get it up and running but selling others on it can be 
challenging. It works off of flat tab delimited text files making 
populating the node base pretty easy. There are plans for NMIS5 to use 
database connectivity for this which will be even more fun. There are 
external contributions that do everything from RANCID to Flash maps of 
your network. The home page is here:


http://sins.com.au/nmis/

But has since moved to sourceforge:

http://sourceforge.net/projects/nmis/files/

With the gang being here:

http://tech.groups.yahoo.com/group/nmis_users/

While not for everyone and not as popular or pretty as some of the 
others, it is a network monitoring system built by engineers for 
engineers. With a combination of SNMP data collection and ping/service 
tests, bandwidth utilization alerts, alert groups, thresholds etc. can 
be adjusted on a per-device basis and just a week of utilization can 
really help you identify points on the network that need to be cleaned up.


I guess my favorite part is the ability to write device interface 
descriptions to trigger actions in the Perl script since that data is 
collected via SNMP.


--
Will Clayton




Re: Trouble with the rtsp vlc feed?

2009-10-19 Thread Will Hargrave
Joe Maimon wrote:
> Anyone else having trouble with that?

Not had any luck on either the unicast or multicast RTSP feeds. Flash works
fine, though.




Re: Peering - Benefits?

2008-10-30 Thread Will Hargrave
HRH Sven Olaf Prinz von CyberBunker-Kamphuis MP wrote:

> as for "peering" agreements, just implement an open peering policy
> (doesn't necessarily have to take place over an ix, also applies to pieces
> of ethernet running from your network to others).
> 
> those basically are contracts that force anyone who has also signed one to
> peer with your network, whether they like you or not (saves the trouble
> when you are a content provider and others do not want to peer with you
> because they provide content too and you are a competing party etc).

It is not practice in this community for 'open peering policy' to mean 'must
peer with anyone'. You might still refuse to peer on the basis that the other
party is unreliable or run by idiots, and this is perfectly acceptable even
with an advertised open peering policy.

Nor does such a statement create any form of contract or obligation under any
law I am aware of, as such an indicative offer does not fulfill the
requirements to form a binding contract.


Any device which has REQUIRED e.g. participants in an IX to peer with others
has proved very unpopular in the industry.







Re: Peering - Benefits?

2008-10-30 Thread Will Hargrave
Paul Stewart wrote:

> We have multiple transit providers today and are already present on a couple
> of smaller peering exchanges with an open peering policy... our experience
> with them has been very positive.

As an IX operator I'm glad to hear it :-)

> The redundancy perspective is that you now have more paths to the same AS -
> and an assumption that the peering route will always be best (I know that's
> not always true).

Something to remember is that you are a network *operator* not a network
*purchaser*. If the peering route isn't working for you, pick up the phone and
talk to your peering partner. The whole point of being a network operator is
that you control who you connect with and take an active hand in fixing
problems! As others have stated, rich interconnection gives you greater
abilities in this area.

> We of course have enough transit in case of a peering outage - would never
> "put all our eggs into one basket" that it sounds like some others are

That attitude is quite 'old-school' - the idea that you can back up your
peering with transit often does not ring true in practice. You have less
visibility into your transit providers network than into your IXes networks,
and what information you do have is clouded by commercial concerns (read: sales
bullshit).

The traffic has to go somewhere, and if everyone in a metro area tries to send
to their transits it will just result in congestion within those networks -
even more likely when you consider the typical way they are built with ports
tiered off at layer2 from routers; traffic in the same metro area is likely to
simply hairpin up/down the router uplink.

Traffic between major transits within a metro area is also subject to
complicated commercial considerations which might mean the connectivity via
that route isn't so great.

> also, we are looking at a number of them in various parts of the world
> currently which adds another level of redundancy per se

Many metro areas have more than one IX fabric often with considerable numbers
of operators on both. At LONAP in London we have members with big ports
expressly for backing up their private interconnects as well as to back up
sessions at other IXes.

In (primarily) Europe, the Euro-ix website has some useful resources to help
people select IXes: e.g. https://www.euro-ix.net/member/m/peeringmatrix


Will



Re: Sprint v. Cogent, some clarity & facts

2008-11-03 Thread Will Hargrave
David Schwartz wrote:

> The ratio argument is nonsense. If your customers want to receive mostly,
> and receiving is expensive, they should pay you more to cover your higher
> costs in receiving traffic. If my customers mostly want to send, and sending
> is cheap, then I should pay less, since I want to do the cheap thing and you
> want to do the expensive thing.

If it costs one party to an SFI agreement more than the other (total cost,
including intangibles) this makes the agreement less attractive, perhaps to the
point of inequitability. Where one party profits more from the agreement than
another, there is less incentive for the interconnection to be settlement-free.

There is no father figure standing there saying 'Party A and Party B must SFI
regardless of cost' - that decision is up to the relevant commercial minds
within Party A and Party B to carry out the required analysis and negotiate as
required.


Will



Re: YouTube IP Hijacking

2008-02-24 Thread Will Hargrave


Sargun Dhillon wrote:


So, it seems that youtube's ip block has been hijacked by a more
specific prefix being advertised. This is a case of IP hijacking, not a
case of DNS poisoning, youtube engineers doing something stupid, etc.
For people that don't know: the router will try to get the most specific
prefix. This is by design, not by accident. 


You are making the assumption of malice when the more likely cause is 
one of accident on the part of probably stressed NOC staff at 17557.


They probably have that /24 going to a gateway walled garden box which 
replies with a site saying 'we have banned this', and that /24 route is 
leaking outside of their AS via PCCW due to dodgy filters/communities.


Will
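
An added example, not part of the original thread: the longest-prefix-match behaviour discussed above, together with a monitoring check that flags an announcement falling inside a prefix you originate but carrying a different origin AS. The prefixes (from the 198.18.0.0/15 benchmarking range) and AS numbers (documentation range) are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed data: AS64496 legitimately originates 198.18.0.0/22. A /24 inside
# it then shows up with a different origin, as a leaked blackhole route would.
EXPECTED_ORIGINS = {"198.18.0.0/22": 64496}
OBSERVED_ROUTES = [
    ("198.18.0.0/22", 64496),
    ("198.18.1.0/24", 64511),   # more-specific with an unexpected origin
    ("192.0.2.0/24", 64500),    # unrelated route
]


def longest_match(routes, destination):
    """Pick the route a router would use: the most specific covering prefix."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, origin in routes:
        net = ipaddress.ip_network(prefix)
        if dst.version == net.version and dst in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, origin)
    return best


def suspicious_announcements(expected, observed):
    """Flag observed routes inside an expected prefix with another origin AS.

    Returns (observed_prefix, observed_origin, covering_prefix, kind) tuples,
    where kind is "more-specific" or "same-prefix".
    """
    alerts = []
    for prefix, origin in observed:
        seen = ipaddress.ip_network(prefix)
        for own_prefix, own_origin in expected.items():
            own = ipaddress.ip_network(own_prefix)
            if seen.version != own.version or not seen.subnet_of(own):
                continue
            if origin != own_origin:
                kind = ("more-specific" if seen.prefixlen > own.prefixlen
                        else "same-prefix")
                alerts.append((str(seen), origin, str(own), kind))
    return alerts


if __name__ == "__main__":
    # Traffic to an address inside the /24 follows the unexpected origin,
    # while the rest of the /22 still reaches the legitimate one.
    for dst in ("198.18.1.10", "198.18.2.10"):
        net, origin = longest_match(OBSERVED_ROUTES, dst)
        print(f"{dst} -> {net} via AS{origin}")
    for alert in suspicious_announcements(EXPECTED_ORIGINS, OBSERVED_ROUTES):
        print("ALERT", alert)
```
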


Re: STP Visualization

2009-11-30 Thread Will Clayton
Graphviz?

On Mon, Nov 30, 2009 at 11:07 AM, Brian Feeny  wrote:

>
> Can anyone recommend a good tool for spanning tree visualization?  I am
> needing to get a good visual depiction of forwarding for many vlans, across
> 4 core switches.
> Two of them are CatOS, 2 are IOS, root is different for many of the vlans,
> lots of port costing in place, in other words it would take a while by hand.
>
> Thanks,
>
> Brian
>
>
>


Re: FTTH Active vs Passive

2009-12-01 Thread Will Clayton
Now just imagine that people inside the big firewall could tell you how they
engineered multi-gig FTTTVs.

At the risk of sounding like a politician I will actually state that the
physical/private interest topology of the fiber network in the United States
is incredibly prohibitive of the advances that you guys are talking about.
The big picture here is table scraps to equipment manufacturers no matter
how crowded the vendor meet is. There are pockets of isolated/niche success
and its great to see technology implemented in such ways, RFCs being
drafted, etc., but jeez guys, the real issue at stake here is how in the
hell we are all going to work past the bureaucratic constraints of our
arguably humble positions to transparently superimpose something that will
enable the masses to communicate and, at the same time, appease, for lack of
a better word, those who would capitalize on the sheer lack of unified
infrastructure. This post in itself obviates our incapacity to handle our
own infrastructure, and while I believe discussing this is of the utmost
importance I have to point out, first and foremost, that the highest
priority is a level playing field. I know at least some of you can really
understand that and I hope it drives some of your sleeping points home a bit
so you can wake up in the morning and get something right.

-Will

Ok I will never post here again. Gnight...

On Tue, Dec 1, 2009 at 5:11 PM, Randy Bush  wrote:

> > actually, the killer here is PMTU... there is almost no way to
> > effectively utilize the BW when the MTU is locked to 1500 bytes.
>
> and the reality, e.g. ntt b-flets, is often pppoe v4-only, which is
> lower.
>
> randy
>
>


Re: austin eats

2010-02-17 Thread Will Clayton
Maudi's on Lake Austin and Taco Deli are always on my menu. We just got some
Buffalo Wild Wings in town if you are into that. If you make it to NXNW get
the Calamari. If you wind up ordering pizza, shop local and get the best
pizza for the best price in town at Austin's Pizza.

On Wed, Feb 17, 2010 at 10:39 AM, Chris Boyd wrote:

>
> On Feb 17, 2010, at 10:33 AM, Mike Lyon wrote:
>
> > Don't forget the Salt Lick...
>
> BBQ lovers should go to House Park BBQ.  Most of the time the sign out
> front says "you don't need no teef to eat my meef"
> http://www.yelp.com/biz/house-park-bar-b-q-austin
> Cash only!
>
>
> If you want to make a short drive out to the east side of town and help
> your cardiologist make a boat payment or two, get the Don Juan breakfast
> taco from Juan in a Million.  This place was featured on "Man vs. Food" a
> while back.
> http://www.juaninamillion.com/
>
>
> If you get tired of Tex-Mex, there's a good interior Mexican place
> downtown.  Manuel's.
> http://www.manuels.com/
>
>
> Guinness fans should stop in at BD Riley's downtown.
> http://www.bdrileys.com/
>
>
> Most coffee shops, bars and restaurants have wifi hotspots since there's an
> active group of volunteers that helps install and maintain them.
>
> --Chris
>
>


Re: austin eats

2010-02-18 Thread Will Clayton
The fish tacos at Hang Town down Capital of Texas are awesome too.

On Wed, Feb 17, 2010 at 11:01 PM, Daniel Fox  wrote:

> Just ate at iron cactus on 6th and both the tilapia and spicy shrimp tacos
> are phenomenal! Margaritas are really good too... 90 plus tequilas to
> choose from...great staff
>
> Daniel Fox
> Smarsh Inc
>
> - Original Message -
> From: Chris Boyd 
> Sent: 17 February 2010 14:42
> To: North American Network Operators Group 
> Subject: Re: austin eats
>
>
> On Feb 17, 2010, at 2:04 PM, Will Clayton wrote:
>
> > Maudi's on Lake Austin and Taco Deli are always on my menu. We just got
> > some Buffalo Wild Wings in town if you are into that. If you make it to
> > NXNW get the Calamari. If you wind up ordering pizza, shop local and get the
> > best pizza for the best price in town at Austin's Pizza.
>
> Austin's is good, but HomeSlice on South Congress is better, and you can
> walk on down to Trophy's, Continental Club, or the garden at Guero's and
> take in a band.
>
> http://www.homeslicepizza.com/
>
> http://austin.citysearch.com/profile/10210801/austin_tx/trophy_s_bar_grill.html
> http://www.continentalclub.com/
> http://www.guerostacobar.com/
>
>


Re: austin eats

2010-02-18 Thread Will Clayton
Now that you mention it, Might Fine burgers are some of the best I've had in
town too.

On Wed, Feb 17, 2010 at 8:58 PM, Christopher Morrow  wrote:

> On Wed, Feb 17, 2010 at 9:07 PM, Christopher Morrow
>  wrote:
> > On Wed, Feb 17, 2010 at 6:23 PM, Randy Bush  wrote:
> >>> Most coffee shops, bars and restaurants have wifi hotspots since
> >>> there's an active group of volunteers that helps install and maintain
> >>> them.
> >>
> >> which raises the critical question, where is the nearest decent
> >> (i.e. not fourbucks) coffee to the venue?
> >
> > <
> http://maps.google.com/maps?near=500+E+4th+St,+Austin,+TX+78701&geocode=CdxL1XHf6o_tFXzOzQEdUJ8s-ikL4kgoprVEhjGsYasgZ_A1zQ&q=coffee+shop&f=l&sll=30.265406,-97.739289&sspn=0.004202,0.003578&ie=UTF8&z=15
> >
> >
> > lmgtfy.com ... (I'll ask a local as well, unless one pipes up first)
> >
>
> A local (and very good friend, buy her book: <
> http://www.notellbooks.org/harlot>
> book not about coffee, and the cover's a tad nsfwish... but it's art so...)
> says:
> "Ok, this is a few blocks away but it's quite fine-- mighty fine, even--
>
> http://www.halcyonaustin.com/
> 218 W 4th street"
>
> -Chris
>
>


Re: Need advise for a linux firewall

2010-03-11 Thread Will Clayton
MikroTik makes a pretty robust Linux-based firewall
appliance-on-a-usb-stick. It does a lot out of the box like BGP, VPN,
MPLS, QoS and all kinds of other crazy things you wouldn't expect to fit on
one gig of flash. It takes my HP about 10 seconds to load a full table.

My vote is for PFSense though. PF is a lot of fun itself and I have seen
awesome throughput with no load on very low end hardware.

On Thu, Mar 11, 2010 at 1:45 PM, Jim Miller  wrote:

> On Thu, Mar 11, 2010 at 11:56 PM, Abdul Nazeer wrote:
>
> > On 03/11/2010 11:22 AM, gordon b slater wrote:
> > > On Thu, 2010-03-11 at 11:00 -0500, Abdul Nazeer wrote:
> > >
> > >
> > >> iptables, but if anyone has any other suggestion, I'd love to hear it.
> > >>
> > > PFsense, (being freeBSD-based, comes  under your "other" category)
> > > It uses the OpenBSD-based pf firewall, with a web-based GUI for almost
> > > everything (except maybe console resets). works for me in  several
> > > locations, some `heavy and high`.
> > >
> > Looks interesting. Will give it a shot, thanks!
> >
> > For a very long time I used the following setup with great success:
> 1. Debian based linux for the firewall box.  With Debian you can do a very
> light setup.
> 2. FWBuilder to builder for the GUI front end.  It's been around for quite
> a long time now and has built in RCS for revision control.
> 3. Quagga for OSPF routing.. We only had about .. 4-5 firewalls but made a
> lot of internal routing changes and OSPF _really_ made things easy when we
> made changes
> 4. OpenVPN for after-hours access and off-site staff access.
>
> Anyway, just my $0.02
>
> --Jim
>


Re: Comcast Metro Ethernet

2010-03-12 Thread Will Clayton
Comcast's Metro-E products are pretty stable. The topology of those networks
is fault tolerant, with geographically diverse entry to the fabric for a
given premises usually available. The non-PtP connections you are
referring to would be called Direct Internet Access, or DIA, but might have
another name depending on the market.

I worked on some of the Metro-E early on in Houston and can say these
networks are composed of very high end hardware with only the most stable
firmware loaded, and taken care of by some of the most capable people in the
industry. The networks are monitored in real time for outages, and getting
very straightforward RFOs and ETAs never seems to be a problem.

There you go!

On Fri, Mar 12, 2010 at 10:33 AM, Jeffrey Negro wrote:

> We are currently in talks with Comcast with regards to their metro
> ethernet products in New Jersey and Illinois, for internet bandwidth
> not L2/PTP.  I'd like to hear opinions from others who have the
> service, in regards to uptime, support, and performance.  Thank you in
> advance!
>
> --
> Jeffrey Negro
>
>


Re: Can an IXP sell IP transit?

2024-11-07 Thread Will Hargrave
On 5 Nov 2024, at 16:56, Tom Beecher wrote:

>> Especially so if a few of the large content providers continue to pull
>> back from route servers and such.
> Content providers aren't leaving IXP's completely. They're still there,
> still paying monthly for ports and XCs. Still doing bilateral peering over
> the IX. There's no revenue hit to an IXP for a CDN to de-peer off the route
> servers.

Hi Tom,

I don’t really think your last statement is true.

UK, and London in particular, is quite a dynamic market. At LONAP we see plenty 
of networks connect and see an immediate “quick win” of traffic by connection 
to our route-servers, where adoption among the membership is something like 
85-90%.

If an operator decides to replace those RS sessions with an (often intractable)
portal to request bilateral sessions - or worse, email - that immediate traffic
benefit is lost. That can affect the value the IXP provides to its members.

Will


Re: Ear protection

2015-09-23 Thread Will van Gulik
I used molded 15dB earplugs from ACS that I also use for other environments
(music, etc).
They are way more comfortable (like, you forget them) but also more
expensive.

BTW I'm looking for a place to get new ones in Europe, if anyone has got
addresses.

Will van Gulik

On 23 Sep 2015, at 11:42, Dave Taht  wrote:

> On Wed, Sep 23, 2015 at 2:34 AM, Nick Hilliard  wrote:
>> What are people using for ear protection for datacenters these days?
> 
> Telecommuting, in my case.
> 
> had to say it! :0
> 
>> I'm
>> down to my last couple of corded 3M 1110:
>> 
>> http://www.shop3m.com/3m-corded-earplugs-hearing-conservation-1110.html
>> 
>> These work reasonably well in practice, with a rated nominal noise
>> reduction rate of 29dB.  Some people find them uncomfortable, but they work
>> well for me.
>> 
>> There are other ear plugs with rated NRR of up to 32-33dB.  Anyone have any
>> opinions on what brands work well for them?
>> 
>> Nick
> 
> 
> 
> -- 
> Dave Täht
> endo is a terrible disease: http://www.gofundme.com/SummerVsEndo



Stalled IX requests in Google peering

2024-03-04 Thread Will OBrien via NANOG
Since Google is abandoning RS routes, we worked on setting up IX peering
across the board.
All of those requests have been completed but one seems to be stalled out for a
couple of weeks now.
I put in a NOC ticket and got a tone-deaf response of ‘that’s another group and
the ticket is still in process’. The response time was decent at least!

Anyone I can ping at Google to tell me what’s up?


Thanks! 


