On Fri, 7 Feb 2014, Jay Ashworth wrote:
If I am a commercial customer of an eyeball ISP like Road Runner: *I am
entitled to expect that that ISP is technically capable of protecting
me from possible attack traffic from that other customer*, who's outside
my administrative span of control. If th
- Original Message -
> From: "Mikael Abrahamsson"
> On Fri, 7 Feb 2014, Jay Ashworth wrote:
> > In my not-at-all humble opinion, in an eyeball network, you almost
> > *never* want to make it easier for houses to talk to one another
> > directly; there isn't any "real" traffic there. Just
On Fri, 7 Feb 2014, Jay Ashworth wrote:
In my not-at-all humble opinion, in an eyeball network, you almost
*never* want to make it easier for houses to talk to one another
directly; there isn't any "real" traffic there. Just attack traffic.
But creating a solution where you can talk to anyon
- Original Message -
> From: "Frank Bulk"
> And then you need MACFF to overcome the split-horizon so that
> customers in the same subnet can talk to each other. =)
In my not-at-all humble opinion, in an eyeball network, you almost *never*
want to make it easier for houses to talk to one
And then you need MACFF to overcome the split-horizon so that customers in
the same subnet can talk to each other. =)
Frank
-Original Message-
From: Mark Tinka [mailto:mark.ti...@seacom.mu]
Sent: Thursday, February 06, 2014 8:09 AM
To: nanog@nanog.org
Subject: Re: SIP on FTTH systems
On
Based on your description, it sounds like the outage did not bring your BGP
session down, as such you were connected and advertising to the broken Service
Provider.
e.g. Cogent typically does multi-hop BGP, as such if there is a network outage
past the BGP router, you will experience the situation
On 2/6/2014 8:24 PM, Jay Ashworth wrote:
Mailing lists aren't *supposed* to set Reply-To, Larry; your mail client is
supposed to have a Reply To List command.
It does. And does not light up for most of the lists I am on (including
one I "own"). I am apparently not bright enough to notice wh
- Original Message -
> From: "Mark Milhollan"
> Generally speaking, you'll need at least 3 sources if you want
> stability.
My usual practice is to set up two in house servers, each of which
talks to:
time.windows.com
time.apple.com
and one of the NIST servers
0.us.pool.ntp.org
1.us.po
> -Original Message-
> From: Notify Me [mailto:notify.s...@gmail.com]
> Sent: Thursday, February 06, 2014 4:54 AM
> To: Aled Morris
> Cc: nanog@nanog.org; Martin Hotze
> Subject: Re: Need trusted NTP Sources
>
> Raspberries! Not common currency here either, but let's see!
While I would be
- Original Message -
> From: "Larry Sheldon"
> After all these years I still can not get used to the non-standard NANOG
> response to "reply". I wonder if there is a way for me to fix that.
Noo!!! Everybody!!! Don't reply to that!!!
:-)
Mailing lists aren't *supposed* to set Reply-
This doesn't address the full-mesh part, but this discussion suggests at
least four servers, but better to have five.
http://support.ntp.org/bin/view/Support/SelectingOffsiteNTPServers#Section_5
.3.3.
Frank
-Original Message-
From: Saku Ytti [mailto:s...@ytti.fi]
Sent: Thursday, February
Hi,
People on this list might also want to submit responses.
Regards,
Leo
From: dns-operations-boun...@mail.dns-oarc.net
[mailto:dns-operations-boun...@mail.dns-oarc.net] On Behalf Of Kim
Davies
Sent: Thursday, February 06, 2014 12:38 PM
To: DNS Operations
Subject: [dns-operations] Truste
Anyone have a contact for AT&T security? I have a Denial of service attack
going on for a customer with an AT&T Fiber Circuit. I called AT&T and they
gave me an 888 number which is some security contractor.
Justin
--
Justin Wilson
MTCNA CCNA MTCRE MTCWE - COMTRAIN
Aol & Yahoo IM: j2sw
htt
B) We have our own AS and IP space. I advertise them to both Cogent and
our other ISP. I use the local preference attribute to share the load
for incoming traffic between both ISPs. In the last 5 outages over the
last few years, this has happened twice. I'm waiting on the RFO so I can
further
Vlade,
When you say that "they still advertise your routes", do you mean:
A: That you were having them originate your routes, and they failed to stop
doing so when they had problems? Or...
B: That routes you were originating continued to be propagated by them,
even though your session with them
I use Cogent as well, no real issues other than I wouldn't single home to
them. Personally, I don't understand why someone would depend on a single
provider for connectivity however...
-Blake
On Thu, Feb 6, 2014 at 3:22 PM, Matthew Crocker wrote:
>
>
> IMHO Cogent bandwidth is fine so long as
+1 Same feeling here.
Sam Moats
On 2014-02-06 16:22, Matthew Crocker wrote:
IMHO Cogent bandwidth is fine so long as it isn’t your only
bandwidth. Good, Cheap, Fast, Pick any two.
--
Matthew S. Crocker
President
Crocker Communications, Inc.
PO BOX 710
Greenfield, MA 01302-0710
E: matt...@c
IMHO Cogent bandwidth is fine so long as it isn’t your only bandwidth. Good,
Cheap, Fast, Pick any two.
--
Matthew S. Crocker
President
Crocker Communications, Inc.
PO BOX 710
Greenfield, MA 01302-0710
E: matt...@crocker.com
P: (413) 746-2760
F: (413) 746-3704
W: http://www.crocker.com
On Feb 4, 2014, at 8:52 AM, William Herrin wrote:
> On Tue, Feb 4, 2014 at 11:23 AM, Jared Mauch wrote:
>> On Feb 4, 2014, at 11:04 AM, William Herrin wrote:
>>> If just three of the transit-free networks rewrote their peering
>>> contracts such that there was a $10k per day penalty for sendin
On Feb 5, 2014, at 2:46 AM, Saku Ytti wrote:
> If we keep thinking of this problem as a last-mile port problem, it won't be solved
> in the next 20 years. Because a lot of those ports really can't do RPF and even if
> they can do it, they are on autopilot and the next change is a market-forced
> fork-lift change
On Wed, Feb 5, 2014 at 11:52 PM, Jean-Francois Mezei <jfmezei_na...@vaxination.ca> wrote:
> Quick question:
>
> In the USA, do CLECs have access to homes served only by FTTH ? If so,
> how is it accomplished ?
>
>
In practice CLECs do not have access. The TR order of the last decade
mandated t
On Thursday, February 06, 2014 09:04:40 PM Mikael
Abrahamsson wrote:
> No, you don't. It works perfectly well without direct
> port-to-port communication, you just have to align L3
> configuration with this L2 behavior (which can be done
> in IPv6 but not in IPv4).
>
> IPv6 can be made to work w
On Thursday, February 06, 2014 07:41:34 PM Anders Löwinger
wrote:
> Ok, then you have not understood the problem with IPv6 in
> shared VLANs. You need to allow some communication
> between the user ports on L2, to get the IPv6 control
> protocol to work. You do this on IPv4 today, with proxy
> ar
On Thu, Feb 6, 2014 at 8:28 AM, jamie rishaw wrote:
> PCI DSS only requires that all clocks be synchronized; It doesn't
> /require/ "how".
>
If you read requirement 10.4 more carefully, you will find that it Does
require that time be synchronized from an INDUSTRY ACCEPTED external time sourc
On Thu, Feb 6, 2014 at 9:03 PM, Notify Me wrote:
> I'm trying to help a company I work for to pass an audit, and we've
> been told we need trusted NTP sources (RedHat doesn't cut it). Being
> located in Nigeria, Africa, I'm not very knowledgeable about trusted
> sources therein.
>
Obviously "trust
On Thu, 6 Feb 2014, Anders Löwinger wrote:
Ok, then you have not understood the problem with IPv6 in shared VLANs.
You need to allow some communication between the user ports on L2, to
get the IPv6 control protocol to work. You do this on IPv4 today, with
proxy arp etc. It's much more complex i
On 2014-02-06 15:08, Mark Tinka wrote:
You need a bunch of stuff, proxy ND, proxy DAD, DHCPv6 inspection
If you have a reasonably intelligent AN (like some of
today's Active-E devices), you can create so-called split
horizons on the same bridge domain (VLAN, really) where
customers will on
Food for thought:
- ASNs can be reused at different locations by IXPs, barring perhaps
certain business or administrative reasons. Ask Equinix.
- For IXPs that already have 16-bit ASNs for route servers, this saves
additional
allocations from RIRs and mitigates concerns for the IXP getting pote
On Thu, 6 Feb 2014, Notify Me wrote:
>According to the auditors, "trusted" means
>
>1. Universities or Research facilities (nuclear/atomic facilities,
>space research (such as NASA) etc.)
>2. Main country internet/telecom providers
>3. Government departments
>4. Satellites (using GPS module)
>
>Wh
FYI.
Mark.
--- Begin Message ---
The Southern Africa Network Operators Group (SAFNOG)
Johannesburg, South Africa 22 April - 23 April, 2014
http://www.safnog.org
CALL FOR PAPERS
===
The SAFNOG 2014 Programme Committee is now seeking contributions for
Presentations and Tutorials for S
> My questions are:
>
> - Will we be sacrificing quality if we spring for Cogent?
> (yesterday's Cogent/Verizon thread provided some cold chills for my spine)
Jehova!
Popcorn!
:-)
We used Cogent for some time. We dropped them, but not for poor quality (au
contraire) but for other m
On Thursday, February 06, 2014 06:38:23 PM Jean-Francois
Mezei wrote:
> When an incumbent already has PPPoE deployed for its DSL,
> putting FTTH on PPPoE makes it simpler.
And that is the practical issue I saw (and still see). A lot
of operators just continue with it because it is maturely
dep
On Thu, 6 Feb 2014, Jean-Francois Mezei wrote:
You do not want the incumbent/wholesaler to perform DHCP. This is a HUGE
headache. We have that in Canada for cable wholesale (TPIA). The
incumbent has to micromanage each ISPs IP blocks and carve subnets for
each CMTS (for cable).
You could hav
When I priced out providers 2 years ago for 500Mbps over 1 gig fiber
link the list from most expensive to least expensive was:
Verizon-->XO-->Cogent-->Lightpath
This is for Northern NJ. Abovenet and some of the other big providers
couldn't reach our Campus. Lightpath ate the cost of running Fi
On 14-02-06 08:06, Mark Tinka wrote:
> I'm just saying DHCP is better than PPPoE if you're
> greenfielding FTTH deployments today, and I'm not sure you
> entirely disagree.
When an incumbent already has PPPoE deployed for its DSL, putting FTTH
on PPPoE makes it simpler.
And PPPoE really simpl
On 2/6/14, 7:17 AM, Adam Greene wrote:
> Hi,
>
>
>
> We're a small ISP / datacenter with a Time Warner fiber-based DIA contract
> that is coming up for renewal.
>
>
>
> We're getting much better pricing offers from Cogent, and are finding out
> what Level 3 can do for us as well. Both prov
On (2014-02-06 07:24 -0800), Michael DeMan wrote:
> A) Run a local set of NTP servers - these are your 'trusted' servers, under
> your control, properly managed/secured, fully meshed, etc.
I'm not sure if full-mesh is best practice, the external clients should have
full view of as close to sourc
On Feb 6, 2014, at 11:22, Joshua Goldbard wrote:
>
> Cogent always has the cheapest rates
Objectively, provably false.
--
TTFN,
patrick
> but they also have the most peering disputes of any operator. I've seen
> intra-data center hops between cogent and Verizon take over 150ms.
>
> As with
Cogent always has the cheapest rates but they also have the most peering
disputes of any operator. I've seen intra-data center hops between cogent and
Verizon take over 150ms.
As with all things Internet, your mileage may vary. I would not put something
with a 5 9's uptime requirement on cogent
We have had Cogent over Verizon's Fiber for more than a few years now.
Cogent goes down once a year at minimum. They had 2 outages in a single
day a couple days ago in Northern NJ. One in the AM "..caused by a
power outage in a vendor data center where Cogent is collocated." They
went on to h
On Thursday, February 06, 2014 04:56:15 PM Mikael
Abrahamsson wrote:
> Yes, this is for hundreds of thousands of customers. Why
> do you need customer management? You document where a
> certain fiber goes to (what port), and then this port
> goes to a certain customer. That is the only customer
>
Hi Alexander,
I think you or your consultant may have an overly strict reading of the PCI
documents.
Looking at section 10.4 of PCI DSS 3.0, and from having gone through PCI a few
times...
If you have your PCI hosts directly going against ntp.org or similar, then you
are not in compliance.
My
Hi,
We're a small ISP / datacenter with a Time Warner fiber-based DIA contract
that is coming up for renewal.
We're getting much better pricing offers from Cogent, and are finding out
what Level 3 can do for us as well. Both providers will use Time Warner
fiber for last mile.
My questi
On 2/6/2014 9:02 AM, Nick Hilliard wrote:
On 06/02/2014 14:57, Larry Sheldon wrote:
http://support.ntp.org/bin/view/Servers/PublicTimeServer79
bear in mind that due to the vagaries of african peering weirdness, the
actual path from there to the OP's network could be over multiple satellite
After all these years I still can not get used to the non-standard NANOG
response to "reply". I wonder if there is a way for me to fix that locally.
On 2/6/2014 8:49 AM, Larry Sheldon wrote:
On 2/6/2014 4:43 AM, Nick Hilliard wrote:
On 06/02/2014 10:03, Notify Me wrote:
I'm trying to help a
It has been a while since I have done anything with NTP, but I would start
with ntp.org (which didn't exist when I WAS working with it) which I am led
to believe has the stuff that used to be at U. Delaware, like the public
servers lists:
http://support.ntp.org/bin/view/Servers/WebHome
Where
On Thu, 6 Feb 2014, Mark Tinka wrote:
On Thursday, February 06, 2014 04:17:42 PM Mikael
Abrahamsson wrote:
You don't need a BNG. You need an L3 switch as the first
hop the customer is talking to.
Fine for FTTB, but not for FTTH where you're serving tens-
to-hundreds-of-thousands of customers
On Thursday, February 06, 2014 04:17:42 PM Mikael
Abrahamsson wrote:
> You don't need a BNG. You need an L3 switch as the first
> hop the customer is talking to.
Fine for FTTB, but not for FTTH where you're serving tens-
to-hundreds-of-thousands of customers.
If your FTTH deployments are low sc
Once upon a time, Nick Hilliard said:
> So presuming that your company is using RH or Fedora or CentOS something,
> the auditors are claiming that Red Hat, Inc is trusted enough to provide a
> precompiled based operating system with no feasible means of proving its
> reliability, but that they're
PCI DSS only requires that all clocks be synchronized; It doesn't
/require/ "how".
If you have servers getting time from external sources (authenticated
always a plus) and peering with each other internally, then you comply
with PCI DSS 2.0 (3.0 has no changes to this that I'm aware of).
OTOH, I'
On Thu, 6 Feb 2014, Mark Tinka wrote:
Or do something bold, run L3 at the edge :)
BNG's are too big to be distributed that deeply, even in
distributed BNG designs. This would get costly.
You don't need a BNG. You need an L3 switch as the first hop the customer
is talking to.
Cheap switches t
On Thursday, February 06, 2014 03:51:51 PM Anders Löwinger
wrote:
> This is a deep hole, and basically does not work with
> IPv6.
>
> You need a bunch of stuff, proxy ND, proxy DAD, DHCPv6
> inspection, RA guard and more. One VLAN per customer and
> a separate multicast is much simpler.
If you
On Thursday, February 06, 2014 03:46:54 PM Mikael
Abrahamsson wrote:
> We're in violent agreement it seems.
Tend to agree.
> My only beef was
> that it seemed like you were implying this was something
> new.
In most of my travels, there is a healthy amount of
resistance toward DHCP from new (
On 2014-02-06 09:01, Mark Tinka wrote:
1. SVLAN N:1 model
The SVLAN (N:1) model is simple; just have a single VLAN for
each service (VLAN 10 for Internet/Unicast, VLAN 20 for
VoIP, VLAN 30 for IPTv/Multicast).
This is a deep hole, and basically does not work with IPv6.
You need a bun
On Thu, 6 Feb 2014, Mark Tinka wrote:
I'm just saying DHCP is better than PPPoE if you're greenfielding FTTH
deployments today, and I'm not sure you entirely disagree.
We're in violent agreement it seems. My only beef was that it seemed like
you were implying this was something new.
--
Mika
On Thursday, February 06, 2014 02:58:14 PM Mikael
Abrahamsson wrote:
> Why do you need to authenticate the customer? Doesn't your
> documentation system know the port/subscriber mapping?
> And why is this secure, instead of being tied to a
> physical connection the customer can now take the
> crede
Don't fight it.
It's clear that implementation on a per-packet basis of RFC4824 (datagrams
over Semaphore Flag Signaling System) would have prevented this entire
situation.
Refer to sections 3.3 and 3.4.
-j
On Mon, Feb 3, 2014 at 12:23 PM, Paul Ferguson
wrote:
>
>
> On 2/2/2014 2:17 PM, Cb B w
On Thu, 6 Feb 2014, Mark Tinka wrote:
End user authentication and management typically being done via PPPoE
because that was the best and most secure way to manage customer
connections (for some operators, still is).
Why do you need to authenticate the customer? Doesn't your documentation
syst
Raspberries! Not common currency here either, but let's see!
grateful for all the input and responses, this list is amazing as usual.
On Thu, Feb 6, 2014 at 1:41 PM, Aled Morris wrote:
> On 6 February 2014 12:30, Martin Hotze wrote:
>
>> > I'm trying to help a company I work for to pass an audit
On 06/02/2014 12:30, Martin Hotze wrote:
> here is a well done how-to:
> http://open.konspyre.org/blog/2012/10/18/raspberry-pi-time-server/
The OP had a question about standards compliance, not about something that
made technical sense and would deliver a superior service. The two things
aren't i
On Thursday, February 06, 2014 02:29:40 PM Mikael
Abrahamsson wrote:
> I disagree on that one as well. It might be in some
> markets, but it's not in all.
I keep using the word "typical", but not sure if you're
missing it.
Typical, not limited to, i.e., common, but not the only
option.
I'm b
On 6 February 2014 12:30, Martin Hotze wrote:
> > I'm trying to help a company I work for to pass an audit, and we've
> > been told we need trusted NTP sources (RedHat doesn't cut it). Being
> > located in Nigeria, Africa,
>
[...]
> So build your own stratum 1 server (maybe a second one with DC
> I'm trying to help a company I work for to pass an audit, and we've
> been told we need trusted NTP sources (RedHat doesn't cut it). Being
> located in Nigeria, Africa, I'm not very knowledgeable about trusted
> sources therein.
>
> Please can anyone help with sources that wouldn't mind letting
On Thu, 6 Feb 2014, Mark Tinka wrote:
The models I listed are typical to an operator that runs its own
infrastructure (including the FTTH last mile), and does not necessarily
wholesale out to other operators.
I disagree on that one as well. It might be in some markets, but it's not
in all.
On Thursday, February 06, 2014 02:15:57 PM Mikael
Abrahamsson wrote:
> There are more. There are models where each ISP gets its
> own customer vlan and L2 equipment do inspection of
> ARP/ND and does security filtering on L2/L3 using this
> information. There are also L3 networks where the
> traf
On Thu, 6 Feb 2014, Mark Tinka wrote:
There are, typically, three topology models for modern FTTH
(wireline, really) networks that a service provider could
deploy:
1. SVLAN N:1 model
2. CVLAN 1:1 model
3. Hybrid of both
There are more. There are models where each ISP g
GPS time sources are pretty cheap (< US$500) and easy to set up nowadays.
You could probably build your own for less than US$100:
http://www.satsignal.eu/ntp/Raspberry-Pi-NTP.html
Aled
On 6 February 2014 11:51, Notify Me wrote:
> According to the auditors, "trusted" means
>
> 1. Universities
On 06/02/2014 11:46, Notify Me wrote:
> We're a redhat shop, and we use redhat auth which by default uses redhat
> NTP sources. Sounds odd to me too. They claim this is what PCI DSS demands.
PCI DSS states:
> 10.4.3 Time settings are received from industry-accepted time sources.
The default RHE
According to the auditors, "trusted" means
1. Universities or Research facilities (nuclear/atomic facilities,
space research (such as NASA) etc.)
2. Main country internet/telecom providers
3. Government departments
4. Satellites (using GPS module)
Which is a bit of a tall order over here.
On Thu
We're a redhat shop, and we use redhat auth which by default uses redhat
NTP sources. Sounds odd to me too. They claim this is what PCI DSS demands.
On Feb 6, 2014 11:43 AM, "Nick Hilliard" wrote:
> On 06/02/2014 10:03, Notify Me wrote:
> > I'm trying to help a company I work for to pass an audi
On Thursday, February 06, 2014 11:56:45 AM
cdel.firsthand.net wrote:
> Time for users to consider splitting L2 services from IP
> ?
But consumer broadband is all about IP; the Layer 2 is
needed to transport that IP, and that's a network problem,
not a user one.
Mark.
On 06/02/2014 10:03, Notify Me wrote:
> I'm trying to help a company I work for to pass an audit, and we've
> been told we need trusted NTP sources (RedHat doesn't cut it).
So presuming that your company is using RH or Fedora or CentOS something,
the auditors are claiming that Red Hat, Inc is trus
www.pool.ntp.org
Original message
From: Notify Me
Date:
To: "nanog@nanog.org list" ,af...@afnog.org
Subject: Need trusted NTP Sources
Hi !
I'm trying to help a company I work for to pass an audit, and we've
been told we need trusted NTP sources (RedHat doesn't c
Hi !
I'm trying to help a company I work for to pass an audit, and we've
been told we need trusted NTP sources (RedHat doesn't cut it). Being
located in Nigeria, Africa, I'm not very knowledgeable about trusted
sources therein.
Please can anyone help with sources that wouldn't mind letting us syn
Time for users to consider splitting L2 services from IP ?
Christian de Larrinaga
> On 6 Feb 2014, at 08:01, Mark Tinka wrote:
>
> On Thursday, February 06, 2014 09:19:59 AM Måns Nilsson
> wrote:
>
>> Or, one could make sure everything has a globally unique
>> IP address and is using reason
On Thursday, February 06, 2014 09:19:59 AM Måns Nilsson
wrote:
> Or, one could make sure everything has a globally unique
> IP address and is using reasonably secured
> communications. The downside is that one then can't
> defend the existence of those empire-building
> middleboxes. It is not th