I think the fundamental problem here is that these devices aren't good
network citizens in the first place. The odds of getting them to add
functionality to support a new protocol are even less likely than getting them
to not have open services externally IMHO.
Couldn't a lot of this be caught by proa
Regardless of whether or not people "should" do this, I think the horse has
already left the barn on this one. I don't see any way of getting people
who decided to filter all of APNIC to make changes. Most of them are
static configurations that they'll never look to update.
On Wed, Jun 22, 2016
Android does not have a complete IPv6 implementation and should not be IPv6
enabled. Please do your part and complain to Google that Android does not
support DHCPv6 for address assignment.
On Sat, Oct 3, 2015 at 9:52 PM, Baldur Norddahl
wrote:
> Hi
>
> I noticed that my Nexus 9 tablet did not h
Here is a quick starting point for filtering IPv6 on a Linux host system if
you don't feel comfortable opening up all ICMPv6 traffic:
http://soucy.org/tmp/v6firewall/ip6tables.txt
I haven't really re-visited it in a while, so if I'm forgetting something
let me know.
On Wed, Oct 7, 2015 at 9:13 A
"It depends on the network." is really the only answer.
It's the kind of thing that happens quietly and often can be transient in
nature (e.g. temporary "big stick" filters to deal with an active attack).
As far as the reason it happens to UDP:
UDP is a challenge because it's easy to leverage fo
I've actually never made it out to a NANOG conference, so I'm not sure. I
was just told this by peers who attended.
On Sat, Jun 20, 2015 at 5:31 PM, Randy Bush wrote:
> > I've never run Xirrus personally, but I think they were used for the
> > last NANOG conference.
>
> and how did that work ou
hat it's to be a minimum of 1000 users per building.
> That's 8,000 users. (8 buildings, not counting walkways and courtyards,
> admin, etc.)
> Does this qualify as high-density?
>
> On Sat, Jun 20, 2015 at 5:33 AM Ray Soucy wrote:
>
>> Well, I could certainly
L 33155
> Tel: 305 663 5518 x 232
>
> Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net
>
> ----------
>
> *From: *"Josh Luthman"
> *To: *"Faisal Imtiaz"
> *Cc: *"NANOG list" , "Ray Soucy"
> *Sent: *Frida
I know you don't want to hear this answer because of cost but I've had good
luck with Cisco for very high density (about 1,000 clients in a packed
auditorium actively using the network as they follow along with the
presenter).
The thing you need to watch out for with Ubiquiti is that they don't
su
s happy and never wanting to leave
> us: anycast.
>
> We have customers that are TV stations and stream 24x7x365 their content
> and they have watchers getting their streaming also 24x7x365 (like waiting
> rooms, airports) with no complaints or instability.
>
>
> Best regards,
>
There is already more than enough address space allocated for NAT, you
don't need to start using random prefixes that may or may not be needed for
other purposes in the future.
For all we know, tomorrow someone could write an RFC requesting an address
reserved for local anycast DNS and it could be
st is better used for
discovery services rather than services themselves.
On Wed, Jun 17, 2015 at 5:12 PM, Chuck Church wrote:
> Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ray Soucy
> Sent: Wednesday, June 17, 2015 3:14 PM
> To: Joe Ha
Anycast is generally not well-suited for stateful connectivity (e.g. most
things TCP). The use case for anycast is restricted to simple
challenge-response protocol design.
As such, you typically only see it leveraged for simple services (e.g. DNS,
NTP).
The reason for this, as you suspect, is yo
s almost certainly the intent of many of the posts here. so
> mission accomplished.
>
> fists have been pounded. conversation has been halted. well done.
>
> can we move on now?
>
> t
>
> On Fri, Jun 12, 2015 at 11:18 AM, James R Cutler <
> james.cut...@consult
The only thing I would add is that DHCPv6 is not just about "tracking"
clients. Yes there are ways to do so using SLAAC, but they are not pretty.
Giving too much weight to tracking being the reason for DHCPv6 is just as
bad as giving too much weight to tethering as the reason against it. It
skew
Well, most systems implemented DHCPv6 support a long time ago. Despite
other efforts to have Google support DHCPv6 for Android, nothing has
happened. There is nothing wrong with using NANOG to call out a major
vendor for this, even if they are a significant sponsor.
Just because you don't agree
That's really not the case at all.
You're just projecting your own views about not thinking DHCPv6 is valid
and making yourself and Lorenzo out to be some sort of victims of NANOG
and the ...
> university net nazis
Did you really just write that?
What we're arguing for here is choice, the e
I really wonder how people get into this field today. It has gotten
incredibly complex and I've been learning since before I was a teenager
(back when it was much more simple).
I'm 31 now, but I started getting into computers and specifically
networking at a very young age (elementary school). W
T
>
> On Wed, Jun 10, 2015, 21:30 Ray Soucy wrote:
>
>> I agree that some of the rhetoric should be toned down (go out for a beer
>> or something, guys ... I did).
>>
>> There is a difference between fiery debate with Lorenzo and a witch hunt,
>> and some of
I agree that some of the rhetoric should be toned down (go out for a beer
or something, guys ... I did).
There is a difference between fiery debate with Lorenzo and a witch hunt,
and some of this is starting to sound a bit personal. I shouldn't have
worded things the way I did, I went for the che
I've already written systems to do this kind of thing, but the logging
requirements quickly go through the roof for a non-trivial network;
especially in the case of temporary addressing now default on many
systems. That isn't so much the issue as operational consistency and
supportability.
The re
I don't really feel I was trying to take things out of context, but the
full quote would be:
"If there were consensus that delegating a prefix of sufficient size via
DHCPv6 PD of a sufficient size is an acceptable substitute for stateful
IPv6 addressing in the environments that currently insist on
pointing to see that this is the position of Google.
On Wed, Jun 10, 2015 at 10:58 AM, Lorenzo Colitti
wrote:
> On Wed, Jun 10, 2015 at 10:06 PM, Ray Soucy wrote:
>
>> Actually we do support DHCPv6-PD, but Android doesn't even support DHCPv6
>> let alone PD, so that's
The whole conversation is around 464XLAT on IPv6-only networks right?
We're going to be dual-stack for a while IMHO, and by the time we can get
away with IPv6 only for WiFi, 464 should no longer be relevant because
we'll have widespread IPv6 adoption by then.
Carriers can do IPv6 only because they
iability that the only option is to not use
IPv6. As I said, Android becomes a second class citizen on the network
under your model.
On Wed, Jun 10, 2015 at 8:21 AM, Lorenzo Colitti
wrote:
> On Wed, Jun 10, 2015 at 8:35 PM, Ray Soucy wrote:
>
>> In practice, your device will just not
So here is the thing.
You can try to use enhanced functionality which depends on multiple
addresses as justification for saying DHCPv6 is not supported.
In practice, your device will just not be supported.
As you pointed out, there isn't anything that forces adoption of IPv6 right
now.
If your
It really is too bad. They're literally the only major player not on board
but claim to champion IPv6.
There is a big difference between saying that something isn't supported and
the Android position that they will NOT support DHCPv6. To me, that's
something that shouldn't be a decision they get
P.S I went through HotLava Systems for the Intel-based SFP+ NICs to add to
those, http://hotlavasystems.com/ (not trying to plug; these are just hard
to find)
On Wed, May 20, 2015 at 9:08 AM, Ray Soucy wrote:
> You're right I dropped down to the v2 for pricing reasons:
>
>
You're right I dropped down to the v2 for pricing reasons:
- Supermicro SuperServer 5017R-MTRF
- 4x SATA
- 8x DDR3
- 400W Redundant
- Eight-Core Intel Xeon Processor E5-2640 v2 2.00GHz 20MB Cache (95W)
- 4 x SAMSUNG 2GB PC3-12800 DDR3-160
- 2 x 500GB SATA 6.0Gb/s 7200RPM - 3.5" - Western Digital R
How cheap is cheap and what performance numbers are you looking for?
About as cheap as you can get:
For about $3,000 you can build a Supermicro OEM system with an 8-core Xeon
E5 V3 and 4-port 10G Intel SFP+ NIC with 8G of RAM running VyOS. The pro
is that BGP convergence time will be good (bette
Sorry, I know I get long-winded. That's why I don't post as much as I used
to. ;-)
On Thu, Apr 23, 2015 at 10:09 AM, Jay Ashworth wrote:
> There's an op-ed piece in this posting, Ray. Do you want to write it, or
> should I?
>
> :-)
>
>
> On April 23, 20
It's amazing, really.
Netflix and YouTube now overtake BitTorrent and all other file sharing
peer-to-peer traffic combined, even on academic networks, by order(s) of
magnitude. The amount of peer-to-peer traffic is not even significant in
comparison. It might as well be IRC from our perspective.
XR and IOS and
still don't see support for it.
Does anyone have details on what platforms and releases from Cisco support
RFC 6939 "Option 79" so far? The only thing I can find online is reference
to the Cisco uBR7200 release 12.2(33)SCI, which doesn't really help me.
On M
It might be filtering the CRL or OCSP verification for the SSL
certificate. For GoDaddy I think this would be:
http://crl.godaddy.com/
http://ocsp.godaddy.com/
http://certificates.godaddy.com/
We ran into this when OS X changed how it handles SSL a few years
back, our captive portal was presenti
I did a test on my personal server of filtering every IP network assigned
to China for a few months and over 90% of SSH attempts and other noise just
went away. It was pretty remarkable.
Working for a public university I can't block China outright, but there are
times it has been tempting. :-)
T
ice provider networks.
>
> They use these Planet devices in every deployment I've taken a look at so far.
>
> Ammar
>
>> On 10 Feb 2015, at 6:42 pm, Ray Soucy wrote:
>>
>> Price and functionality-wise Planet MGSW-28240F and GSD-1020S look
>> pretty clo
TP-Link.
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
>
> - Original Message -
>
> From: "Ray Soucy"
> To: "NANOG"
> Sent: Tuesday, February 10, 2015 7:31:22 AM
> Subject: FTTx Activ
One thing I'm personally interested in is the growth of municipal FTTx
that's starting to happen around the US and possibly applying that
model to highly rural areas (e.g. 10 mile long town with no side
streets, existing utility poles, 250 or so homes) and doing a
realistic cost analysis of what th
An IPS doesn't have to be in line.
It can be something watching a tap and scripted to use something else
to block traffic (e.g. hardware filtering options on a router that can
handle it).
An IDS tied into an internal RTBH setup to leverage uRPF filtering in
hardware can be pretty effective at det
It all depends how much of the firewall functionality is implemented in CPU.
The biggest problem is that firewalls that implement functionality in
software usually saturate CPU when stressed (e.g. DOS) and routing
protocols start dropping.
I'm a strong believer in having a router that can do basi
Honestly, in a lot of cases you don't even need a device to support
packet capture as a feature to add it as a feature once it's
compromised. This is just FUD IMHO.
On Wed, Feb 4, 2015 at 7:24 AM, Paul Nash wrote:
>> I love the built-in remote packet captures,
>
> You, the NSA, and lots and lots
I have a small setup, Nexus 2 x 5596UP + 12 x 2248TP FEX, 2 x B22DELL,
2 x B22HP, 1 x C2248PQ-10GE.
Been using this setup since 2012, so it's getting a bit long in the
tooth. It's in an Active-Active setup because there wasn't much
guidance at the time on which way to go. There are some restrict
"For us, open source isn't just a business model; it's smart
engineering practice." -- Bruce Schneier
I hope I'm not the only one, but I think the NSA (and other state
actors) intentionally introducing systemic weaknesses or backdoors
into critical infrastructure is pretty ... reckless. I really
Yeah, most people ignore ZH. UBNT marketing hyped it up quite a bit,
and for a residential deployment it can work OK, but if you have any
kind of background in wireless you'll understand that it goes out the
window for a non-trivial deployment due to the requirement of all APs
sharing a channel.
Just curious. What kind of problems have you seen with the Ubiquiti solution?
I've had a few units in for testing a potential managed wireless for
rural libraries and so far they've been pretty rock solid for the
price. My biggest critique is that they don't support many features
and are fairly
> service provider (internet, TV, phone, whatever else they can
>> imagine)
>> install the optical term at the customer prem and whatever they want in
>> the colo
>> and XC the fiber to them on a flat per-subscriber strand fee basis that
>> applies to
>> all comers
centration (dragging L1
>> facilities
>> back to centralized locations where access providers can connect to large
>> numbers of customers), then access providers have to compete to deliver
>> what consumers actually want. They can't ignore the need for newer L2
>> technologies b
You're over-thinking it. Use the power company as a model and you'll
be close to the right path.
On Tue, Jul 22, 2014 at 4:05 PM, Eric Brunner-Williams
wrote:
> On 7/22/14 11:13 AM, Ray Soucy wrote:
>>
>> Municipal FTTH needs to be a regulated public utility (ideally
e layer 2 hand off being Ethernet regardless of the access technology
> used.
>
>
> Scott Helms
> Vice President of Technology
> ZCorum
> (678) 507-5000
> --------
> http://twitter.com/kscotthelms
>
>
IMHO the way to go here is to have the physical fiber plant separate.
FTTH is a big investment. Easy for a municipality to absorb, but not
attractive for a commercial ISP to do. A business will want to
realize an ROI much faster than the life of the fiber plant, and will
need assurance of having
Agree.
I'd go a step further and say that Dark Fiber as a Public Utility
(which is regulated to provide open access at published rates and
forbidden from providing its own lit service directly) is the only way
forward.
That said, I don't think it's a good idea to see the municipality
provide the
"In truth, however, market failures like these have never happened,
and nothing is broken that needs fixing."
Prefixing a statement with "in truth" doesn't actually make it true, Bob.
On Wed, Jul 16, 2014 at 10:50 AM, Fred Baker (fred) wrote:
> Relevant article by former FCC Chair
>
> http://ww
> My main gripe with Netflix is overly liberal bias.
Well that escalated quickly.
On Tue, Jul 15, 2014 at 8:17 AM, Graham Donaldson wrote:
> On 2014-07-15 12:11, manning wrote:
>
>> (youtube was
>> a grand, failed, experiment)
>>
>>
> It was? I stopped watching broadcast TV in about 2010, and
Thanks for this,
Have you posted this to the VyOS project forums? It would make a nice
addition to the wiki (*cough* I've been trying to find some help to
complete the VyOS user guide).
On Tue, May 13, 2014 at 5:10 AM, Naoto MATSUMOTO
wrote:
> Hi all!
>
>
> We wrote TIPS memo about the Basic I
/www.bcp38.info/index.php/HOWTO:CISCO:7200VXR
On Fri, Feb 28, 2014 at 9:04 AM, Jay Ashworth wrote:
> You mean, like Bcp38(.info)?
>
>
> On February 28, 2014 9:02:03 AM EST, Ray Soucy wrote:
>>
>> I'm wondering how many operators don't have systems in place to
>> qu
I'm wondering how many operators don't have systems in place to
quickly and efficiently filter problem host systems.
I see a lot of talk of ACL usage, but not much about uRPF and black
hole filtering.
There are a few white papers that are worth a read:
http://www.cisco.com/c/dam/en/us/products/co
We have had pretty good success in identifying offenders with simple
monitoring flow data for NTP flows destined for our address space with
packet counts higher than 100; we disable them and notify to correct
the configuration on the host. Granted we only service about 1,000
different customers.
y the
same place.
I haven't counted them all up, but I believe we have over 1,000 third-party
optics in use, so a fair enough sample size. Most of the optics that I've
replaced in the last year have had a "Cisco" label on them. ;-)
On Tue, Jan 7, 2014 at 9:58 AM, Ray Soucy wrote:
Use a standard protocol and redistribute between the two. OSPF is likely
the easiest way to go for this.
I like EIGRP, but I don't think I like it enough to try a non-Cisco
implementation of it. At least with OSPF you know that most of the bugs
have been worked out (hopefully).
On Wed, Jan 8, 2
nch of
> third party ones on Amazon and CDW but I'd love to get my hands on one
> that has the correct vendor code without going and trying them all.
>
>
> On 1/3/2014 7:48 AM, Ray Soucy wrote:
>
>> You actually buy brand-name SFP's? That's like buying the gol
inked below, I didn't see a mailing list, forum or
> very much documentation for it. Is there another site with this info? I'd
> love to test a few builds out but I never used Vyatta before.
>
>
>
> On 12/23/2013 10:18 AM, Ray Soucy wrote:
>
>> Many here might be
You actually buy brand-name SFP's? That's like buying the gold-plated HDMI
Monster Cable at Best Buy at markup ...
I just find the companies that the vendors contract to make their OEM
SFP's and buy direct. Same SFP from the same factory except one has a
Cisco sticker. ;-)
You can even get t
I think there needs to be some clarification on how these tools get used,
how often they're used, and if they're ever cleaned up when no longer part
of an active operation. Of course we'll never get that.
The amount of apologists with the attitude "this isn't a big deal, nothing
to see here, the
On a side note,
I've been involved with organizing the New England regional Collegiate
Cyber-Defense Competition for a while, and one of our "Red Team" members was
able to make a pretty convincing IOS rootkit using IOS TCL scripting to
mask configuration from the students. I don't think any students
Looking more at the actual leaked information it seems that if the NSA is
working with companies, it's not anything the companies are likely aware
of.
The common form of infection seems to be through software updates performed
by administrators (through the NSA hijacking web traffic). They are
imp
Even more outrageous than the domestic spying is the arrogance to think
that they can protect the details on backdoors into critical
infrastructure.
They may have basically created the framework for an Internet-wide kill
switch, that likely also affects every aspect of modern communication.
Since
> for i in /proc/sys/net/ipv4/conf/*/arp_announce; do echo 2 > $i;done
+1 setting arp_announce in Linux is essential if being used as a router
with more than one subnet.
I would also recommend setting arp_ignore. For Linux-based routers, I've
found the following settings to be optimal:
echo 1 >
On a side note, Q-in-Q support has been added to the recent 3.10 Linux
kernel, configured using the "ip" command. It will be popping up in
distributions "soon [tm]". Another interesting addition is IPv6 NAT
(transparent redirect, prefix translation, etc).
On Fri, Dec 27, 2013 at 8:18 PM, Baldur
It seems to be a pretty "hot button" issue, but I feel that modern hardware
is more than capable of pushing packets. The old wisdom of "only hardware
can do it efficiently" is starting to prove untrue. 10G might still be a
challenge (I haven't tested), but 1G is not even close to being an issue.
no
apt-get install ssh
apt-get install vlan
apt-get install bridge-utils
On Thu, Dec 26, 2013 at 8:27 PM, Ray Soucy wrote:
> The basic idea of RAMBOOT is typical in Embedded Linux development.
>
> Linux makes use of multi-stage boot process. One of the stages involves
> using an
Chipsets and drivers matter a lot in the 1G+ range.
I've had pretty good luck with the Intel stuff because they offload a lot
in hardware and make open drivers available to the community.
On Thu, Dec 26, 2013 at 7:48 PM, Olivier Cochard-Labbé
wrote:
> Le 26 déc. 2013 22:02, "Nick Cameo" a écri
I'm actually working with the VyOS project to try and
incorporate some of the RAMBOOT ideas into VyOS as an install option for
in-memory only.
If you make use of RAMBOOT I would love to hear about it. :-)
On Thu, Dec 26, 2013 at 4:22 PM, Nick Cameo wrote:
> Inline response exist,
>
You can build using commodity hardware and get pretty good results.
I've had really good luck with Supermicro whitebox hardware, and
Intel-based network cards. The "Hot Lava Systems" cards have a nice
selection for a decent price if you're looking for SFP and SFP+ cards that
use Intel chipsets.
Many here might be interested,
In response to Brocade not giving the community edition of Vyatta much
attention recently, some of the more active community members have created
a fork of the GPL code used in Vyatta.
It's called VyOS, and yesterday they released 1.0.
http://vyos.net/
I've been p
erTip257 wrote:
> Date: Mon, 25 Nov 2013 09:32:10 -0500
>> From: Ray Soucy
>> To: Rob Seastrom
>>
>> Cc: NANOG
>> Subject: Re: Meraki
>> Message-ID:
>> <
>> calftrnppbqlhrrdkmnt1nz8wi0k3b6kemt9tbgns-wfrhqs...@mail.gmail.com>
swapped out as a starting point.
I really hope the VyOS project can get off the ground. If any developers
familiar with maintaining Debian-based distributions are on-list, I know
the project is looking for people to help.
On Sun, Nov 24, 2013 at 8:33 PM, Rob Seastrom wrote:
>
> Ray So
FWIW, I picked up a UniFi 3-pack of APs and built up a controller VM using
Ubuntu Server LTS and the beta multi-site controller code over the past
week.
I'm very impressed so far, it doesn't have all the bells and whistles of
a Cisco setup, sure, but I'm pretty shocked at the level of functionality
I'm very interested in other user experiences with Ubiquiti for smaller
deployments vs. traditional Cisco APs and WLC. Especially for a collection
of rural areas. The price point and software controller are very
attractive.
Anyone running a centralized controller for a lot of remote sites?
On
http://en.wikipedia.org/wiki/Response_policy_zone
RPZ functionality has been widely adopted in the past few years. Also
known as "DNS Firewall".
On Tue, Nov 5, 2013 at 10:30 PM, Andrew Sullivan wrote:
> On Tue, Nov 05, 2013 at 07:57:59PM -0500, Phil Bedard wrote:
> >
> > I think every major r
Was the unplanned L3 DF maintenance that took place on Tuesday a frantic
removal of taps? :-)
On Wed, Oct 30, 2013 at 3:30 PM, Scott Weeks wrote:
> On Wed, Oct 30, 2013 at 1:46 PM, Jacque O'Lantern <
> jacque.olant...@yandex.com> wrote:
>
> >
> http://www.washingtonpost.com/world/national-secur
Don't usually poke NANOG for a second pair of eyes, but got hit with an
urgent need to get connectivity up on a small budget.
I've run into a situation where I require multiple DMVPN spokes to be
behind a single NAT IP (picture of things to come with CGN?)
The DMVPN endpoint works fine behind NAT
> 1. Must sell dark fiber to any purchaser.
> 2. Must sell dark fiber to all purchasers on equal terms.
> (There must be a published price list and there cannot be deviations
> from that price list. If the price list is modified, existing
> customers
> receive the
Late to the conversation, but I'll chime in that we established a
model in Maine that is working pretty well, at least for middle-mile
fiber.
When we started building out MaineREN (our RON) we decided that having
the University own the fiber would tie it up in political red tape.
So much so that i
7, 2012 at 4:51 PM, Matthew Palmer wrote:
> On Thu, Dec 06, 2012 at 08:58:10AM -0500, Ray Soucy wrote:
>> > net.ipv4.tcp_keepalive_intvl = 15
>> > net.ipv4.tcp_keepalive_probes = 3
>> > net.ipv4.tcp_keepalive_time = 90
>> > net.ipv4.tcp_fin_timeout = 30
This issue is really for connections that close properly and
without any issue.
The application closes the socket and doesn't care about it; but the
OS keeps it in the TIME_WAIT state as required by the RFC for TCP in
case data tries to be sent after the connection has closed (out of
order tra
> net.ipv4.tcp_keepalive_intvl = 15
> net.ipv4.tcp_keepalive_probes = 3
> net.ipv4.tcp_keepalive_time = 90
> net.ipv4.tcp_fin_timeout = 30
As discussed, those do not affect TCP_TIMEWAIT_LEN.
There is a lot of misinformation out there on this subject so please
don't just Google for 5 min. and chim
This tunes conntrack, not local TCP on the server itself.
On Wed, Dec 5, 2012 at 4:18 PM, Cyril Bouthors wrote:
> On 5 Dec 2012, r...@maine.edu wrote:
>
>> Where there is no way to change this through /proc
>
> 10:17PM lenovo:~% sudo sysctl -a |grep wait
> net.netfilter.nf_conntrack_tcp_timeout_f
It does require a fixed source address. The box is also a router and
firewall, so it has many IP addresses available to it.
On Wed, Dec 5, 2012 at 5:24 PM, William Herrin wrote:
> On Wed, Dec 5, 2012 at 5:01 PM, Mark Andrews wrote:
>> In message
>> ,
>> William Herrin writes:
>>> The thing is
There is an extra 7 on that number, it was 48194 (was sitting on a
different PC so I typed it instead of copy-paste).
On Wed, Dec 5, 2012 at 1:58 PM, William Herrin wrote:
> On Wed, Dec 5, 2012 at 12:09 PM, Ray Soucy wrote:
>> Like most web traffic, the majority of these connections
are could be re-written to round-robin through IP addresses
for outgoing requests, but trying to avoid that.
On Wed, Dec 5, 2012 at 1:58 PM, William Herrin wrote:
> On Wed, Dec 5, 2012 at 12:09 PM, Ray Soucy wrote:
>> Like most web traffic, the majority of these connections open an
This would be outgoing connections sourced from the IP of the proxy,
destined to whatever remote website (so 80 or 443) requested by the
user.
Essentially it's a modified Squid service that is used to filter HTTP
for CIPA compliance (required by the government) to keep children in
public schools
RFC 793 arbitrarily defines 2MSL (how long to hold a socket in
TIME_WAIT state before cleaning up) as 4 min.
Linux is a little more reasonable in this and has it baked into the
source as 60 seconds in "/usr/src/linux/include/net/tcp.h":
#define TCP_TIMEWAIT_LEN (60*HZ)
Where there is no way to ch
riable which makes it something the developer doesn't need to
worry about once the libraries are written.
On Thu, Nov 29, 2012 at 9:55 AM, William Herrin wrote:
> On Thu, Nov 29, 2012 at 9:01 AM, Ray Soucy wrote:
> > You should store IPv6 as a pair of 64-bit integers. While PHP
You should store IPv6 as a pair of 64-bit integers. While PHP lacks
the function set to do this on its own, it's not very difficult to do.
Here are a set of functions I wrote a while back to do just that
(though I admit I should spend some time to try and make it more
elegant and I'm not sure it'
If you run Tor, then you should probably accept that it might be used
for activity that you don't approve of or even is in violation of the
law.
I'm not saying Tor is good or bad, just that if you're using it you
probably know what you're getting into.
In order to catch someone in a criminal case
Quick note as many on-list may find this useful.
I've maintained a PHP class to connect to IOS devices over telnet and
parse the output into something useful for various internal tools for
a few years now. I've recently worked with the author of phpseclib to
create an SSH version of the library.
Or artificially high ...
On Tue, Nov 20, 2012 at 8:45 AM, Owen DeLong wrote:
> It is entirely possible that Google's numbers are artificially low for a
> number
> of reasons.
>
> Owen
>
> On Nov 20, 2012, at 5:31 AM, Aaron Toponce wrote:
>
>> On Tue, Nov 20, 2012 at 10:14:18AM +0100, Tomas Pode
The universal translator is still a few years out it seems.
Written that way it's borderline insulting. ;-)
2012/11/19 Jon Lewis :
> Pourquoi demandez-vous des questions NANOG que Wanadoo peut répondre?
>
> Hopefully google translate hasn't butchered that too badly.
>
>
> On Mon, 19 Nov 2012, Pie
2012 at 1:02 PM, Tim Chown wrote:
> What about
>
> http://tools.ietf.org/html/draft-ietf-dhc-dhcpv6-client-link-layer-addr-opt-03
>
> ?
>
> --
> Tim
>
> On 14 Nov 2012, at 17:46, Ray Soucy wrote:
>
> Saw yet another attempt at a solution pop up to try and
FWIW ISC DHCPd listens on raw sockets.
On Tue, Nov 6, 2012 at 11:12 AM, George Herbert
wrote:
> Oh, horrors, part of my infrastructure needs raw socket data?
>
> We should ban that, for security. Who needs those pesky switches anyways?
>
>
> George William Herbert
> Sent from my iPhone
>
> On No