[124307] in North American Network Operators' Group


RE: NANOG Digest, Vol 26, Issue 142

daemon@ATHENA.MIT.EDU (Stephen Tandy)
Tue Mar 30 09:09:29 2010

From: "Stephen Tandy" <stephen.tandy@trigenis.com>
Date: Tue, 30 Mar 2010 14:09:32 +0100
To: <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org



Sent from my Windows® phone.

-----Original Message-----
From: nanog-request@nanog.org <nanog-request@nanog.org>
Sent: 30 March 2010 13:00
To: nanog@nanog.org <nanog@nanog.org>
Subject: NANOG Digest, Vol 26, Issue 142

Send NANOG mailing list submissions to
	nanog@nanog.org

To subscribe or unsubscribe via the World Wide Web, visit
	https://mailman.nanog.org/mailman/listinfo/nanog
or, via email, send a message with subject or body 'help' to
	nanog-request@nanog.org

You can reach the person managing the list at
	nanog-owner@nanog.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of NANOG digest..."


Today's Topics:

   1. Re: DNSSEC deployment testing and awareness (Was: Re: IPv4
      ANYCAST setup) (Robert Kisteleki)
   2. Re: DNSSEC deployment testing and awareness (Was: Re: IPv4
      ANYCAST setup) (Phil Regnauld)
   3. Re: IPv4 ANYCAST setup (Jens Link)
   4. Re: IPv4 ANYCAST setup (bmanning@vacation.karoshi.com)
   5. Re: IPv4 ANYCAST setup (Tony Finch)
   6. Re: Useful URL for network operators (Valdis.Kletnieks@vt.edu)
   7. RE: Auto MDI/MDI-X + conference rooms + bored == loop
      (William Mullaney)

----------------------------------------------------------------------

Message: 1
Date: Tue, 30 Mar 2010 11:37:49 +0200
From: Robert Kisteleki <robert@ripe.net>
Subject: Re: DNSSEC deployment testing and awareness (Was: Re: IPv4
	ANYCAST setup)
To: nanog@nanog.org
Message-ID: <4BB1C66D.7000808@ripe.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

I must observe that these are not really the links you'd want to give your
end users to check out. Their audience is very different. While the article
on RIPE Labs comes close, they don't really answer the "does it work or does
it not?" question with a green/red light, and they don't provide a good
explanation to the audience Randy is referring to.

Robert


On 2010.03.30. 11:29, Phil Regnauld wrote:
> Randy Bush (randy) writes:
>>
>> i.e. what can we do to maximize the odds that the victim will quickly
>> find the perp, as opposed to calling our tech support lines?
>
> 	Ah yes, there was the second good reason for actually helping netops
> 	and security officers :)
>
> 	Tools:
>
> 	https://www.dns-oarc.net/oarc/services/replysizetest
>
> 	https://www.dnssec-deployment.org/wiki/index.php/Tools_and_Resources,
> 	under troubleshooting:
> 		http://labs.ripe.net/content/testing-your-resolver-dns-reply-size-issues
> 		http://secspider.cs.ucla.edu/
>
> 	Info sheets:
>
> 	http://www.afnic.fr/actu/nouvelles/240/l-afnic-invite-les-responsables-techniques-reseaux-a-se-preparer-a-la-signature-de-la-racine-dns-en-mai-2010
> 	(click English, top right)
>
> 	... plenty of links there too.
>
> 	Cheers,
> 	Phil
>



------------------------------

Message: 2
Date: Tue, 30 Mar 2010 11:52:27 +0200
From: Phil Regnauld <regnauld@nsrc.org>
Subject: Re: DNSSEC deployment testing and awareness (Was: Re: IPv4
	ANYCAST setup)
To: Robert Kisteleki <robert@ripe.net>
Cc: nanog@nanog.org
Message-ID: <20100330095226.GE24147@macbook.catpipe.net>
Content-Type: text/plain; charset=us-ascii

Robert Kisteleki (robert) writes:
> I must observe that these are not really the links you'd want to
> give your end users to check out. Their audience is very different.
> While the article on RIPE Labs comes close, they don't really answer
> the "does it work or does it not?" question with a green/red light,
> and they don't provide a good explanation to the audience Randy is
> referring to.

	Fair enough.  Some simple "check your DNS reply size test [what is this ?]"
	page ought to be set up, with a simple explanation.
	"checkmydns.org" is available.  If I get 5 minutes... :)





------------------------------

Message: 3
Date: Tue, 30 Mar 2010 11:58:16 +0200
From: Jens Link <lists@quux.de>
Subject: Re: IPv4 ANYCAST setup
To: nanog@nanog.org
Message-ID: <87mxxqb07b.fsf@bowmore.quux.de>
Content-Type: text/plain; charset=us-ascii

"Kevin Oberman" <oberman@es.net> writes:

> He said that if the protocols would not handle blocked 53/tcp, the
> protocols would have to be changed. Opening the port was simply not
> open to discussion.

Let me guess: They also completely blocked ICMP. I always tell these
customers to switch to IPv6 real fast and to turn off ICMPv6 to make
their networks really secure. ;-)

> I will say that these were at federal government facilities. I hope the
> commercial world is a bit more in touch with reality.

You can find clueless people everywhere.

Jens
-- 
-------------------------------------------------------------------------
| Foelderichstr. 40  | 13595 Berlin, Germany | +49-151-18721264         |
| http://www.quux.de | http://blog.quux.de   | jabber: jenslink@guug.de |
-------------------------------------------------------------------------




------------------------------

Message: 4
Date: Tue, 30 Mar 2010 10:05:27 +0000
From: bmanning@vacation.karoshi.com
Subject: Re: IPv4 ANYCAST setup
To: Randy Bush <randy@psg.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Message-ID: <20100330100527.GC30288@vacation.karoshi.com.>
Content-Type: text/plain; charset=us-ascii

On Tue, Mar 30, 2010 at 05:43:25PM +0900, Randy Bush wrote:
> >>> I have talked to multiple security officers (who are generally not
> >>> really knowledgeable on networks) who had 53/tcp blocked and none
> >>> have yet agreed to change it.
> >> patience.  when things really start to break, and the finger of fate
> >> points at them, clue may arise.
> > 36 days until all root servers have DNSSEC data, at which point large
> > replies become normal.
>
> are end user tools, i.e. a web click a button, available so they can
> test if they are behind a clueless security id10t?

	no - in part because using a browser to debug DNS involves
	a third app (and likely a third/fourth) platform.

	the nifty OARC testpoint is nearly worthless for real operations,
	since it's not located at/near a DNS authoritative source.  the
	K testpoint is good, I should prolly put back the one off B.


> is there good simple end user docco they are somewhat likely to find
> when things break for them?

	not yet.  in part because out of the few simple parts, many, many
	combinations of failure can occur.

	) MTU strictures:
		v6/v4 tunneling
		v6/v4 MTU
		clamping

	) Fragmentation
		UDP
	) Port blocking
	) Resolver Behaviour
		EDNS awareness


> i.e. what can we do to maximize the odds that the victim will quickly
> find the perp, as opposed to calling our tech support lines?

	that's a tough call.  as tech support staff, we are almost always
	an outside observer on the path btwn the victim and the perp.
	troubleshooting is going to be problematic.

>
> randy



------------------------------

Message: 5
Date: Tue, 30 Mar 2010 11:53:12 +0100
From: Tony Finch <dot@dotat.at>
Subject: Re: IPv4 ANYCAST setup
To: nanog@nanog.org
Message-ID:
	<alpine.LSU.2.00.1003301152280.1923@hermes-2.csi.cam.ac.uk>
Content-Type: TEXT/PLAIN; charset=US-ASCII

"Kevin Oberman" <oberman@es.net> writes:

> He said that if the protocols would not handle blocked 53/tcp, the
> protocols would have to be changed. Opening the port was simply not
> open to discussion.

Do they also believe that all DNS replies are less than 512 bytes? :-)

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
GERMAN BIGHT HUMBER: SOUTHWEST 5 TO 7. MODERATE OR ROUGH. SQUALLY SHOWERS.
MODERATE OR GOOD.

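The failure list in message 4 (MTU, fragmentation, port blocking, EDNS awareness) and Tony's 512-byte question in message 5 come down to one check: can the path to a resolver carry a DNSSEC-sized reply, either over UDP with EDNS0 or, once the reply is truncated, over 53/tcp? The Python below is an added example, not code from the digest or from any of its authors: it builds the EDNS0 query and classifies the outcome, and because it runs offline the replies it classifies are constructed with make_reply rather than captured from a real resolver.

```python
import struct
from typing import Optional

DNS_OPT, DNS_DNSKEY, CLASS_IN = 41, 48, 1

def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    labels = [lb for lb in name.rstrip(".").split(".") if lb]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def build_query(name: str, qtype: int = DNS_DNSKEY, txid: int = 0x1234,
                edns_size: Optional[int] = 4096) -> bytes:
    """Recursive query. With edns_size set, an OPT RR advertises that UDP payload
    size and sets DO, which is what lets a resolver hand back a >512-byte DNSSEC reply."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns_size:
        # OPT RR: root name, type 41, CLASS field = UDP payload size, TTL field = DO flag
        opt = b"\x00" + struct.pack("!HHIH", DNS_OPT, edns_size, 0x00008000, 0)
    return header + question + opt

def parse_header(msg: bytes) -> dict:
    txid, flags, _qd, an, _ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0xF, "ancount": an, "arcount": ar}

def make_reply(query: bytes, size: int, tc: bool = False) -> bytes:
    """Constructed reply for offline testing (not captured traffic): echoes the query
    id and question, optionally sets TC, and zero-pads to `size` bytes."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0200 if tc else 0)          # QR, RD, RA, optionally TC
    body = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + query[12:]
    return body.ljust(size, b"\x00")

def diagnose(query: bytes, udp_reply: Optional[bytes], tcp_reply: Optional[bytes]) -> str:
    """Map what came back over UDP and over the TCP retry to one failure class."""
    want = struct.unpack("!H", query[:2])[0]
    if udp_reply is None:
        return "udp-no-reply"      # 53/udp filtered, or the fragments of a large reply dropped
    h = parse_header(udp_reply)
    if h["id"] != want or not h["qr"]:
        return "udp-bad-reply"
    if h["tc"]:
        if tcp_reply is None:
            return "tcp-blocked"   # truncated over UDP and the TCP retry got nothing
        t = parse_header(tcp_reply)
        return "ok-via-tcp" if t["id"] == want and not t["tc"] else "tcp-bad-reply"
    return "ok-large-udp" if len(udp_reply) > 512 else "ok-small-udp"
```

Wired to real sockets, "tcp-blocked" is the 53/tcp case the thread complains about, while "udp-no-reply" for a large query that works with a small edns_size points at the MTU and fragmentation items on the list.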


------------------------------

Message: 6
Date: Tue, 30 Mar 2010 07:33:39 -0400
From: Valdis.Kletnieks@vt.edu
Subject: Re: Useful URL for network operators
To: Jim Mercer <jim@reptiles.org>
Cc: nanog@nanog.org
Message-ID: <1191.1269948819@localhost>
Content-Type: text/plain; charset="us-ascii"

On Tue, 30 Mar 2010 05:34:06 EDT, Jim Mercer said:
> Once again, please ignore Jim Mercer.
> He should do more homeworks too.

He's said similar about a number of people who have more operations clue than
he does.  I'd comment, except Woody Allen already did it better:

http://www.youtube.com/watch?v=9wWUc8BZgWE

>  a) I have never heard of Randy Bush

That's OK, I encoura.. oh nevermind, it's shooting fish in a barrel. ;)




-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
Url : http://mailman.nanog.org/mailman/nanog/attachments/20100330/dfea2bda/attachment-0001.pgp

------------------------------

Message: 7
Date: Tue, 30 Mar 2010 07:36:04 -0400
From: "William Mullaney" <wmullaney@annese.com>
Subject: RE: Auto MDI/MDI-X + conference rooms + bored == loop
To: "Chuck Anderson" <cra@WPI.EDU>, <nanog@nanog.org>
Message-ID:
	<CB659FEF50324640B503095DA13FA9F4F65373@COMM02.annese.local>
Content-Type: text/plain; charset="us-ascii"

We had a school district that had a large number of "dumb" switches in
each classroom hanging off real ones.  These would get looped when a
student or staff member plugged a patch cable into two ports on the end
switch, taking down large portions of the network.  It seems Cisco
3500's ignore a BPDU that comes in the same port it comes out.

We switched them to 3750's as part of other upgrades, which eliminated
the BPDU problem (3560's and 3550's also work correctly), RSTP, enabled
port fast, root guard, loop back detection, and storm control.  Then set
the switches to automatically come back in service from err-disable
after 60 seconds or so.

In every single test we did (looping off a dumb switch, looping two
ports on the 3750, looping between two 3750 in different stacks), there
was immediate blocking occurring that prevented any nonsense from
affecting the network.  Of course the little switches get taken out
along with anything connected, but that's really just an indicator of
the need for more drops from real switches.  Additionally, turning on
only one of the features at a time still shut down the port within a
second or so.

I don't really like BPDUGuard when rootguard is available, as I think
other devices should be able to participate in STP so long as they
aren't trying to reconverge the network by grabbing root or becoming a
transit between two building switches.  As for RSTP, it's on for every
switch we deploy unless there is some compelling reason not to do so.  I
have yet to find another switch that will not work even if it only
supports "old" STP.

-WT

-----Original Message-----
From: Chuck Anderson [mailto:cra@WPI.EDU]
Sent: Friday, March 26, 2010 6:09 PM
To: nanog@nanog.org
Subject: Auto MDI/MDI-X + conference rooms + bored == loop

Anyone have suggestions on Ethernet LAN loop-prevention?  With the
advent of Auto MDI/MDI-X ports on switches, it seems way too easy to
accidentally or maliciously create loops between network jacks.  We
have bored or inattentive people plugging in patch cords between
adjacent network jacks.  STP for loop-prevention isn't working so well
for us.

STP "edge" or "portfast" or "faststart" modes are required for
end-station ports (with normal STP, DHCP often times out after the 30+
seconds it takes to go into Forwarding state).  Since the "edge" STP
mode goes into Forwarding state immediately, there is a period when
loops will form, causing havoc with upstream gear until STP blocks the
port (if it ever does, see below).

"Desktop" switches.  You know, those 4 or 5 port Gigabit Ethernet
switches.  Apparently, many of them don't do any kind of STP at all.
Recommendations on ones that do STP?

RSTP: is it any better than traditional STP in regards to "edge" ports
and blocking before a loop gets out of hand?  Or perhaps blocking for
5-10 seconds before going into Forwarding state, hopefully preventing
loops before they happen but also allowing DHCP clients to get an
address without timeouts?  Recommendations on "Desktop" switches that
do RSTP?

Thanks for your suggestions/discussion.

-- 
- Chuck (354 Days until IPv4 depletion: http://ipv4depletion.com/)




------------------------------

_______________________________________________
NANOG mailing list
NANOG@nanog.org
https://mailman.nanog.org/mailman/listinfo/nanog

End of NANOG Digest, Vol 26, Issue 142
**************************************


