From mspitzer at gmail.com Sat Nov 1 02:37:56 2008
From: mspitzer at gmail.com (Marc Spitzer)
Date: Sat, 1 Nov 2008 02:37:56 -0400
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To: <490BBCFD.20202@belovedarctos.com>
References: <512F3A48-3261-4C45-A8E6-8B863C3D9101@lesmuug.org> <8c50a3c30810311508t2ea88c6di1f210d2be086cb41@mail.gmail.com> <490BBCFD.20202@belovedarctos.com>
Message-ID: <8c50a3c30810312337r5e610170x65d1ef609361da88@mail.gmail.com>

On Fri, Oct 31, 2008 at 10:20 PM, Bjorn Nelson wrote:
> Marc Spitzer wrote:
>>
>> Interstates are federal roads, built during the cold war to help us kill the heathen commies by letting us move troops and such around after WWIII
>
> I never understood this, wouldn't it have been more efficient to build tracks? I am sure GM was involved.
>
> -Bjorn

Rails carry more, but only if you have trains, and it is easier to work around a nuked city with roads vs rails. Lots of people with shovels and dirt can do wonders for helping to rebuild and move tanks.

marc

--
Freedom is nothing but a chance to be better. Albert Camus

From carton at Ivy.NET Sat Nov 1 16:40:30 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Sat, 01 Nov 2008 16:40:30 -0400
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To: (Alex Pilosov's message of "Fri, 31 Oct 2008 15:15:04 -0400 (EDT)")
References:
Message-ID:

>>>>> "ap" == Alex Pilosov writes:

    ap> (As you might know, many toll roads are now built and operated
    ap> by commercial enterprises).

I used to work for a toll road IT contractor. First, most east coast toll roads are public, operated by ``authorities'' which create the jobs elected officials hand out to repay favors. This is something Bloomberg's complained about because the ``authorities'' are less manageable and accountable than other parts of the government.
Second, even if private, the road/bridge will be built by the same private contractors whether it's a free public road or a tolled privately-owned road. And whether public or private they come with a mediocre non-agile maintenance workforce attached to the road owners---limited capability, lot of mostly-idle, well-painted, washed, pristine-looking machinery, existing mostly to give the owners control over what they own, not to do significant construction or repair which is usually contracted out. It's arguably better to have a smaller number of different road owners so you end up with only one such workforce.

Private roads are a financial instrument. They're used for raising capital outside the normal government bond market. It works in one of two ways:

* government leases an existing road/bridge for 99 years in exchange for a big up-front payment: the usual privatization game through which third-world governments have been disenfranchised by global capital.

* government negotiates with a private investment bank to get the capital for building the bridge. tolls from the road concession pay the interest on the loan, and the terms of the government's concession secure the loan. These particular Ozzies have their fingers in a lot of pies: http://en.wikipedia.org/wiki/Macquarie_Group

Toll roads are almost negligibly about ``maintenance.'' They're about getting loans to finance government deficit spending in the most savvy way possible, cost-wise or politics-wise. I think in general they are stupid when used this way because their main function seems to be to throw sand into the process of trying to honestly debate tax policy. But I like tolls used for traffic management, especially the highly-agile GPS/GPRS-based toll system the Germans use for truck traffic. This sort of toll openly has nothing to do with maintenance or raising capital---charging the toll is the end in itself.
From ike at lesmuug.org Sat Nov 1 18:06:41 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 1 Nov 2008 18:06:41 -0400
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To: <8c50a3c30810311508t2ea88c6di1f210d2be086cb41@mail.gmail.com>
References: <512F3A48-3261-4C45-A8E6-8B863C3D9101@lesmuug.org> <8c50a3c30810311508t2ea88c6di1f210d2be086cb41@mail.gmail.com>
Message-ID: <88517111-4674-4281-B464-C343384D1202@lesmuug.org>

On Oct 31, 2008, at 6:08 PM, Marc Spitzer wrote:
> On Fri, Oct 31, 2008 at 4:08 PM, Isaac Levy wrote:
>> Hi Alex,
>>
>> On Oct 31, 2008, at 3:15 PM, Alex Pilosov wrote:
>>
>>> On Fri, 31 Oct 2008, Isaac Levy wrote:
>>>> I would argue that to continue to compete and grow internationally, American businesses desperately need increased bandwidth all around- especially at the datacenter. I argue that carriers need to be supported in, as well as held accountable for, planning upgrade cycles.
>>> We all held them accountable, with our wallets. It's called 'free market'.
>>
>> I'm no economist, but didn't the raw free market, and Friedman-style economics, just wholly collapse?
>
> not even close, check out the Weimar republic or whatever they are calling Rhodesia now for economic collapse.

I said Friedman-style economics- as in Milton Friedman- not market capitalism itself!

>>>> Seriously- I feel this may be a critical moment to be thinking the notion of US Government regulation or involvement in internet infrastructure. Fundamental concepts and principles, not just technical implementation details.
>>> I hope not.
>>
>> Well, at least the Obama campaign seems serious about getting government more involved...
>
> this is a good thing???? EVER?????

As I stated in a different post, I believe Government regulation is not evil. We may simply disagree on this.
>> So like it or not, (and from my post, I'm terribly uneasy about either Obama or McCain taking this on), it will be on the table in some way soon enough.
>>
>>>> "If Obama Appoints a Tech Czar . . ." By Garrett M. Graff
>>>> http://www.washingtonian.com/blogarticles/people/capitalcomment/8378.html
>>>> "Names kicking around Silicon Valley and the tech community as CTO candidates include Google's Vint Cerf, one of the founders of the Internet, Microsoft's Steve Ballmer, Amazon's Jeff Bezos, eBay founder Pierre Omidyar, and Lotus pioneer Mitch Kapor."
>>> Wankers. Except for Kapor.
>>
>> Perhaps- but I don't even think Kapor is really in a position to serve as a public servant in this way.
>
> looking back on the drug Czar, it will raise my taxes and make my life more difficult. Gov likes problems, fixing them could shut down whole branches of the fed and/or local gov. Why would a career bureaucrat cut his own throat like that, and why would the people next to him let him cut theirs as well?

I don't really know how to respond to this Marc. I see your points, but this becomes a purely political conversation, and on this list, I'm only interested in engaging politics with regard to how it affects technology, the internet, and ultimately, UNIX- so I'd like to drop this.

Best,
.ike

From ike at lesmuug.org Sat Nov 1 18:11:21 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 1 Nov 2008 18:11:21 -0400
Subject: [nycbug-talk] Why is DSL-Cable asynchronous?
Message-ID: <6700C37B-3636-4172-94D0-0CF70A3FCD24@lesmuug.org>

Hi All,

A simple question which I've never been able to answer for years:

Why is consumer dsl or cable asynchronous? Does it have something to do with how the physical layer technology functions?

I don't want hypothesis, I'm dying to get a real answer.

To me, this seems to undermine the core nature of what the internet is about- end to end connectivity.
I can understand speed limitations in the design of DSL/cable, I can even understand the half-duplex nature of DSL lines- but the asynchronous part baffles me.

--
If this is perhaps the wrong list to ask this, any suggestions or urls would be more than welcome.

Best,
.ike

From ike at lesmuug.org Sat Nov 1 18:14:02 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 1 Nov 2008 18:14:02 -0400
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To:
References:
Message-ID: <605F3107-0EEB-402A-BB94-26414CEE62AD@lesmuug.org>

Charles and Alex,

On Oct 31, 2008, at 8:13 PM, Alex Pilosov wrote:
> On Fri, 31 Oct 2008, Charles Sprickman wrote:
>
>> Nice.
>>
>> I've not followed the ups and downs of ISP dramas in a long time, but my gut feeling, even before reading the Renesys blog, was "oh, sprint still sells internets?". Personally, I think this hurts Sprint the most. My gut feeling is that they are something of a has-been in this market.
> It's complicated. Despite being a "has-been", sprint maintains the "we will not peer with you" reputation, and is the "hardest to establish settlement-free peering" carrier. As a result, many people end up using only Sprint for transit (or, "the only transit we will admit to having"), so they *can* get other peering (it's a bit complicated - basically, if your transit is an existing peer, you won't get peering), in effect, helping Sprint maintain this status.
>
>> One thing that really has me wondering, and again, this is probably an Alex question, is an odd situation I ran into a few years back... I was toying around with two providers - L3 and HE. I primarily wanted HE as backup, since L3 was not really soaking us and they generally have their shit together outside of the management/sales/install realms. No matter how much I prepended our HE announcement, I just could not squash the inbound traffic.
>> Apparently HE buys transit from Cogent and there are a TON of people that shove all outbound traffic down a Cogent link if they have one. This is not that much of a surprise (the volume of traffic was
> *snicker* Yes, cogent is the "transit we use for outbound but we won't admit to it".
>
> The answer, of course, is not prepending it, but setting community flags telling HE to not announce this route to cogent, or to depreference your route while announcing to cogent, or some such. I don't know the community list for HE.
>
>> though), but the thing that puzzled me when I ran a bunch of stuff through flow-tools was that I was seeing traffic from 1239 (Sprint) coming in through HE via Cogent. I'm still puzzled as to what that was about - from my view, it looked like Sprint jamming traffic down Cogent rather than L3 (I'm certain Sprint and L3 peer).
> It's complicated without looking at more details. You can't say where it *really* came from. What *could* be easily happening is that someone (X) only uses Sprint for inbound - so you see them behind Sprint. However, X uses everyone else for outbound (including Cogent), who will obviously send it toward HE (paying customer).

This thread is mind-blowingly interesting to me.

This thread, and Miles' earlier email about 'hot potato' routing, makes me ask perhaps a stupid question:

Why is routing not synchronous? Why is sending more expensive than receiving packets- from a transit perspective?

Rocket-
.ike

From mspitzer at gmail.com Sat Nov 1 18:29:58 2008
From: mspitzer at gmail.com (Marc Spitzer)
Date: Sat, 1 Nov 2008 18:29:58 -0400
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To: <605F3107-0EEB-402A-BB94-26414CEE62AD@lesmuug.org>
References: <605F3107-0EEB-402A-BB94-26414CEE62AD@lesmuug.org>
Message-ID: <8c50a3c30811011529t2aa8bf4ay6692ded49cb70ed0@mail.gmail.com>

On Sat, Nov 1, 2008 at 6:14 PM, Isaac Levy wrote:
> Charles and Alex,
>
> On Oct 31, 2008, at 8:13 PM, Alex Pilosov wrote:
>
>> On Fri, 31 Oct 2008, Charles Sprickman wrote:
>>
>>> Nice.
>>>
>>> I've not followed the ups and downs of ISP dramas in a long time, but my gut feeling, even before reading the Renesys blog, was "oh, sprint still sells internets?". Personally, I think this hurts Sprint the most. My gut feeling is that they are something of a has-been in this market.
>> It's complicated. Despite being a "has-been", sprint maintains the "we will not peer with you" reputation, and is the "hardest to establish settlement-free peering" carrier. As a result, many people end up using only Sprint for transit (or, "the only transit we will admit to having"), so they *can* get other peering (it's a bit complicated - basically, if your transit is an existing peer, you won't get peering), in effect, helping Sprint maintain this status.
>>
>>> One thing that really has me wondering, and again, this is probably an Alex question, is an odd situation I ran into a few years back... I was toying around with two providers - L3 and HE. I primarily wanted HE as backup, since L3 was not really soaking us and they generally have their shit together outside of the management/sales/install realms. No matter how much I prepended our HE announcement, I just could not squash the inbound traffic. Apparently HE buys transit from Cogent and there are a TON of people that shove all outbound traffic down a Cogent link if they have one.
>>> This is not that much of a surprise (the volume of traffic was
>> *snicker* Yes, cogent is the "transit we use for outbound but we won't admit to it".
>>
>> The answer, of course, is not prepending it, but setting community flags telling HE to not announce this route to cogent, or to depreference your route while announcing to cogent, or some such. I don't know the community list for HE.
>>
>>> though), but the thing that puzzled me when I ran a bunch of stuff through flow-tools was that I was seeing traffic from 1239 (Sprint) coming in through HE via Cogent. I'm still puzzled as to what that was about - from my view, it looked like Sprint jamming traffic down Cogent rather than L3 (I'm certain Sprint and L3 peer).
>> It's complicated without looking at more details. You can't say where it *really* came from. What *could* be easily happening is that someone (X) only uses Sprint for inbound - so you see them behind Sprint. However, X uses everyone else for outbound (including Cogent), who will obviously send it toward HE (paying customer).
>
> This thread is mind-blowingly interesting to me.
>
> This thread, and Miles' earlier email about 'hot potato' routing, makes me ask perhaps a stupid question:
>
> Why is routing not synchronous? Why is sending more expensive than receiving packets- from a transit perspective?

Could you expand on what you mean by synchronous?

marc

>
> Rocket-
> .ike
>
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

--
Freedom is nothing but a chance to be better. Albert Camus

From mspitzer at gmail.com Sat Nov 1 18:27:28 2008
From: mspitzer at gmail.com (Marc Spitzer)
Date: Sat, 1 Nov 2008 18:27:28 -0400
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To: <88517111-4674-4281-B464-C343384D1202@lesmuug.org>
References: <512F3A48-3261-4C45-A8E6-8B863C3D9101@lesmuug.org> <8c50a3c30810311508t2ea88c6di1f210d2be086cb41@mail.gmail.com> <88517111-4674-4281-B464-C343384D1202@lesmuug.org>
Message-ID: <8c50a3c30811011527i340879d7u75ca021b1a5e487@mail.gmail.com>

On Sat, Nov 1, 2008 at 6:06 PM, Isaac Levy wrote:
>
> On Oct 31, 2008, at 6:08 PM, Marc Spitzer wrote:
>
>> On Fri, Oct 31, 2008 at 4:08 PM, Isaac Levy wrote:
>>>
>>> Hi Alex,
>>>
>>> On Oct 31, 2008, at 3:15 PM, Alex Pilosov wrote:
>>>
>>>> On Fri, 31 Oct 2008, Isaac Levy wrote:
>>>>>
>>>>> I would argue that to continue to compete and grow internationally, American businesses desperately need increased bandwidth all around- especially at the datacenter. I argue that carriers need to be supported in, as well as held accountable for, planning upgrade cycles.
>>>>
>>>> We all held them accountable, with our wallets. It's called 'free market'.
>>>
>>> I'm no economist, but didn't the raw free market, and Friedman-style economics, just wholly collapse?
>>
>> not even close, check out the Weimar republic or whatever they are calling Rhodesia now for economic collapse.
>
> I said Friedman-style economics- as in Milton Friedman- not market capitalism itself!

Reread what you wrote:

ike> I'm no economist, but didn't the raw free market, and Friedman-style
ike> economics, just wholly collapse?

I said no because people still, world over, have faith in the dollar. Since the currency is still believed to be valuable and stable the collapse has not happened. When people start buying all the trade goods they can and hoarding them then you have a problem. When you need to renegotiate your pay each morning and after lunch to take into account inflation, and get paid at lunch time and end of day, then you have a problem.
>>>>> Seriously- I feel this may be a critical moment to be thinking the notion of US Government regulation or involvement in internet infrastructure. Fundamental concepts and principles, not just technical implementation details.
>>>>
>>>> I hope not.
>>>
>>> Well, at least the Obama campaign seems serious about getting government more involved...
>>
>> this is a good thing???? EVER?????
>
> As I stated in a different post, I believe Government regulation is not evil. We may simply disagree on this.

I never said evil, I said never good. Unfortunately it is necessary some times.

>>> So like it or not, (and from my post, I'm terribly uneasy about either Obama or McCain taking this on), it will be on the table in some way soon enough.
>>>
>>>>> "If Obama Appoints a Tech Czar . . ." By Garrett M. Graff
>>>>> http://www.washingtonian.com/blogarticles/people/capitalcomment/8378.html
>>>>> "Names kicking around Silicon Valley and the tech community as CTO candidates include Google's Vint Cerf, one of the founders of the Internet, Microsoft's Steve Ballmer, Amazon's Jeff Bezos, eBay founder Pierre Omidyar, and Lotus pioneer Mitch Kapor."
>>>>
>>>> Wankers. Except for Kapor.
>>>
>>> Perhaps- but I don't even think Kapor is really in a position to serve as a public servant in this way.
>>
>> looking back on the drug Czar, it will raise my taxes and make my life more difficult. Gov likes problems, fixing them could shut down whole branches of the fed and/or local gov. Why would a career bureaucrat cut his own throat like that, and why would the people next to him let him cut theirs as well?
>
> I don't really know how to respond to this Marc.
> I see your points, but this becomes a purely political conversation, and on this list, I'm only interested in engaging politics with regard to how it affects technology, the internet, and ultimately, UNIX- so I'd like to drop this.

Think Palladium chip on your motherboard, sorry freebsd is not an approved os. I can go on but will show rare, for me anyway, restraint.

enjoy the weekend,

marc

>
> Best,
> .ike
>

--
Freedom is nothing but a chance to be better. Albert Camus

From alex at pilosoft.com Sat Nov 1 18:33:50 2008
From: alex at pilosoft.com (Alex Pilosov)
Date: Sat, 1 Nov 2008 18:33:50 -0400 (EDT)
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To: <605F3107-0EEB-402A-BB94-26414CEE62AD@lesmuug.org>
Message-ID:

On Sat, 1 Nov 2008, Isaac Levy wrote:

> This thread, and Miles' earlier email about 'hot potato' routing, makes me ask perhaps a stupid question:
>
> Why is routing not synchronous? Why is sending more expensive than receiving packets- from a transit perspective?

You meant 'why is it not symmetric'. It's not supposed to be. Just look how BGP works - each AS "announces" a set of networks, and determines from a set of available AS-PATHs (based on some policy, involving "money" or as-path-distance), where the outgoing packet will go. If a packet is going from AS A to AS B, the set of AS-PATHs and associated policies will be very different and unlikely to be symmetric vs packets going from AS A to AS B.

There's no such thing as 'sending vs receiving' - in any TCP conversations, packets always flow both ways. What you mean, and what is being sort-of-used-as-justification-of-higher-expense-for-eyeball-network is the fact that

a) Almost everyone uses "hot potato" routing - that means, you get it out of your network as soon as you can to pass it off to peer/transit/etc.
Assuming you have multiple points of interconnection with it, for example, if Pilosoft had nationwide network and connection to AT&T in San Jose and NY, and I have a packet from NYC customer going to AT&T, I *should* still hand it to AT&T in NY, regardless of where it is going to end up. [1]

In fact, hot potato is the *preferred* way - since you don't know how your peer/transit network works, you should optimize *your* path, and let *them* worry how to carry it inside their network.

b) As result, assuming AT&T customer is downloading something hosted on my network, AT&T will carry large packets with content on the path from NYC->SJC, and I would carry ACKs SJC->NYC. Since ACKs are much smaller, the load on their network will be more than mine.

[1] There's such a thing as "MED" (multiple exit discriminators) to avoid "hot potato" routing, but it has potential to fuck things up more - so it is rarely used except in situations where your peers *require* you to obey the MEDs

From ike at lesmuug.org Sat Nov 1 18:49:16 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 1 Nov 2008 18:49:16 -0400
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To:
References:
Message-ID:

On Nov 1, 2008, at 6:29 PM, Marc Spitzer wrote:
>>
>> This thread, and Miles' earlier email about 'hot potato' routing, makes me ask perhaps a stupid question:
>>
>> Why is routing not synchronous? Why is sending more expensive than receiving packets- from a transit perspective?
>
> Could you expand on what you mean by synchronous?
>
> marc

Alex corrected me below, symmetric, and answered my question,

On Nov 1, 2008, at 6:33 PM, Alex Pilosov wrote:
> On Sat, 1 Nov 2008, Isaac Levy wrote:
>
>> This thread, and Miles' earlier email about 'hot potato' routing, makes me ask perhaps a stupid question:
>>
>> Why is routing not synchronous? Why is sending more expensive than receiving packets- from a transit perspective?
> You meant 'why is it not symmetric'. It's not supposed to be. Just look how BGP works - each AS "announces" a set of networks, and determines from a set of available AS-PATHs (based on some policy, involving "money" or as-path-distance), where the outgoing packet will go. If a packet is going from AS A to AS B, the set of AS-PATHs and associated policies will be very different and unlikely to be symmetric vs packets going from AS A to AS B.
>
> There's no such thing as 'sending vs receiving' - in any TCP conversations, packets always flow both ways. What you mean, and what is being sort-of-used-as-justification-of-higher-expense-for-eyeball-network is the fact that
>
> a) Almost everyone uses "hot potato" routing - that means, you get it out of your network as soon as you can to pass it off to peer/transit/etc. Assuming you have multiple points of interconnection with it, for example, if Pilosoft had nationwide network and connection to AT&T in San Jose and NY, and I have a packet from NYC customer going to AT&T, I *should* still hand it to AT&T in NY, regardless of where it is going to end up. [1]
>
> In fact, hot potato is the *preferred* way - since you don't know how your peer/transit network works, you should optimize *your* path, and let *them* worry how to carry it inside their network.
>
> b) As result, assuming AT&T customer is downloading something hosted on my network, AT&T will carry large packets with content on the path from NYC->SJC, and I would carry ACKs SJC->NYC. Since ACKs are much smaller, the load on their network will be more than mine.
>
> [1] There's such a thing as "MED" (multiple exit discriminators) to avoid "hot potato" routing, but it has potential to fuck things up more - so it is rarely used except in situations where your peers *require* you to obey the MEDs

Wow- I get it. Excellent explanation.
Alex: I guess it seems I don't understand BGP use as much as I should. Can you point me to any urls/books/whatever about BGP that I could check out?

Rocket-
.ike

From carton at Ivy.NET Sat Nov 1 19:08:14 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Sat, 01 Nov 2008 19:08:14 -0400
Subject: [nycbug-talk] Why is DSL-Cable asynchronous?
In-Reply-To: <6700C37B-3636-4172-94D0-0CF70A3FCD24@lesmuug.org> (Isaac Levy's message of "Sat, 1 Nov 2008 18:11:21 -0400")
References: <6700C37B-3636-4172-94D0-0CF70A3FCD24@lesmuug.org>
Message-ID:

>>>>> "il" == Isaac Levy writes:

    il> Why is consumer dsl or cable asynchronous?

for cable, WCDMA/cdma2000/gprs, and maybe FiOS, it is actually more expensive to move bits upstream at L1. The problem is that you must share a band among the many endpoints who'd like to send upstream, and there's overhead to coordinating this.

There are two general approaches. One is straight AlohaNet, or optimisations like ``slotted aloha'' which will get you only 30 - 40% link usefulness in the pure mathematical model. (compared to downstream, which has a single transmitter and thus always 100% link use.) Half-duplex ethernet can do better than this because of collision detection---it's able to listen while transmitting---which radio cannot do, nor can networks with a large diameter measured in bits: [physical size] / (c * bit-time)

The other approach, which all three in fact use, is to do aloha on a thin reservation channel to schedule who may talk on a separate fat upstream channel. This trick in combination with ``ranging'' lets the fat channel fill with high efficiency even though the reservation channel has to stay mostly-quiet. The fat upstream can thus be about as efficient as downstream.

However I expect there might be other problems for cellular which cable/FiOS don't have related to band reuse, because cellular does not have the filters cable/FiOS have to block the signal, and has endpoints in 2 or 3 dimensions instead of 1 dimension.
I haven't fully thought it through but the downstream antennas are of higher-quality, of known 3D location, and are aimed into the ground, and can be coordinated with each other using GPS while upstream antennas are omni and coordinated in time with ranging only and exist in two (or three) unknown dimensions.

anyway...The problem for this thin/fat trick is, the relative sizes of the reservation channel and the fat channel depend on the size of the upstream packets you're sending. There's only a gain if your data packets are much larger than a reservation packet. so, honestly, bittorrenting's upstream is less expensive per kilobit to the L1 than a leech's stream of ACK's.

The ``unsolicited grant'' I spoke of earlier for cable VoIP is a stateful, recurring reservation that doesn't need to be discussed on the reservation channel. The downside is, if you get an unsolicited grant and don't use it, then space is wasted on the fat channel. The tremendous upsides are: (1) efficient reservation for tiny packets, (2) no latency to obtain the reservation. The same trick works for WiMAX CIR. I'm not sure if the 802.11 QoS uses it or not---802.11 is a bit different since it has a small diameter.

Unsolicited grant is analogous to how circuit-switched celfone voice calls are done upstream, except on cable it's generalized into a type of QoS for IP so it can be used with a regular UDP application stack instead of quaint cumbersome TDM stacks.

for DSL I expect it's all fucking layer 10 market-forces baloney as I discussed earlier. I doubt there's anything expensive about upstream at L1.

From lego at therac25.net Sat Nov 1 19:23:04 2008
From: lego at therac25.net (Andy Michaels)
Date: Sat, 1 Nov 2008 19:23:04 -0400
Subject: [nycbug-talk] Why is DSL-Cable asynchronous?
In-Reply-To: <47f344f40811011614q54051ec5l98a510ba3fd94e90@mail.gmail.com>
References: <6700C37B-3636-4172-94D0-0CF70A3FCD24@lesmuug.org> <47f344f40811011614q54051ec5l98a510ba3fd94e90@mail.gmail.com>
Message-ID: <47f344f40811011623i3a0b89d2i5292e154d202dd30@mail.gmail.com>

On Sat, Nov 1, 2008 at 7:14 PM, Andy Michaels wrote:
> I was thinking about this the other day. I'm not sure why, but it's common thinking that the "A" in ADSL stands for asynchronous. the "A" stands for asymmetric, as opposed to "S" for symmetric. Asymmetric, as in downstream and upstream line rates are not the same. You are certainly able to purchase SDSL, but it'll cost a fortune. Is that what you were asking, or were you asking, "why is it asymmetric?"
>
> http://en.wikipedia.org/wiki/Adsl
>
> kind regards,
>
> -Andy

Hey Jackass, don't top-post.

From mspitzer at gmail.com Sat Nov 1 19:06:28 2008
From: mspitzer at gmail.com (Marc Spitzer)
Date: Sat, 1 Nov 2008 19:06:28 -0400
Subject: [nycbug-talk] shmoocon is selling tickets for 2009
Message-ID: <8c50a3c30811011606t1a70a903j4464b13900867557@mail.gmail.com>

https://www.shmoocon.org/cart/

see you there

marc

--
Freedom is nothing but a chance to be better. Albert Camus

From lego at therac25.net Sat Nov 1 19:14:38 2008
From: lego at therac25.net (Andy Michaels)
Date: Sat, 1 Nov 2008 19:14:38 -0400
Subject: [nycbug-talk] Why is DSL-Cable asynchronous?
In-Reply-To: <6700C37B-3636-4172-94D0-0CF70A3FCD24@lesmuug.org>
References: <6700C37B-3636-4172-94D0-0CF70A3FCD24@lesmuug.org>
Message-ID: <47f344f40811011614q54051ec5l98a510ba3fd94e90@mail.gmail.com>

I was thinking about this the other day. I'm not sure why, but it's common thinking that the "A" in ADSL stands for asynchronous. the "A" stands for asymmetric, as opposed to "S" for symmetric. Asymmetric, as in downstream and upstream line rates are not the same. You are certainly able to purchase SDSL, but it'll cost a fortune.
Is that what you were asking, or were you asking, "why is it asymmetric?"

http://en.wikipedia.org/wiki/Adsl

kind regards,

-Andy

On Sat, Nov 1, 2008 at 6:11 PM, Isaac Levy wrote:
> Hi All,
>
> A simple question which I've never been able to answer for years:
>
> Why is consumer dsl or cable asynchronous? Does it have something to do with how the physical layer technology functions?
>
> I don't want hypothesis, I'm dying to get a real answer.
>
> To me, this seems to undermine the core nature of what the internet is about- end to end connectivity.
>
> I can understand speed limitations in the design of DSL/cable, I can even understand the half-duplex nature of DSL lines- but the asynchronous part baffles me.
>
> --
> If this is perhaps the wrong list to ask this, any suggestions or urls would be more than welcome.
>
> Best,
> .ike
>

From ike at lesmuug.org Sat Nov 1 19:53:14 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 1 Nov 2008 19:53:14 -0400
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To:
References:
Message-ID: <3345B09B-28AA-4020-91AA-599D5B6A52CC@lesmuug.org>

Yo Miles,

On Oct 31, 2008, at 5:57 PM, Miles Nordin wrote:
>>>>>> "il" == Isaac Levy writes:
>
>     il> Cogent. What's their deal?
>
> The idea comes from ``hot potato'' routing. You should ask more of an insider but I don't have the impression they're incompetent.

Thanks for the usual detailed insight.

>     il> I need the coming fiber *like yesterday*.
>
> This is where Alex and I will disagree. I think we need neutrality badly, and I think that current ideas of neutrality don't even touch the relevant part and are so narrow they should be implemented as an obvious matter of course, and what we actually need goes WAY further than the discussion.

This is where I believe I'm on Miles' side.
Alex, (and Marc), I respect your views, but I like the idea of future
Government involvement and proactive regulation of network businesses.

I'm simply getting sick of this unregulated wild-west network/tech
environment.

However, not only was the recent 'net neutrality debate' so terribly
misguided, but it was embarrassing and irrelevant. The current state of
the US Govt. on technical/network matters has been juvenile- and
dangerous. It's been enough to make many folks want to run from *any*
Govt. regulation. But the only place to retreat to, is the unregulated
market.

--

If I think of how I'd like to see telcos regulated, it's all for these
objectives:

Technology gets faster/cheaper at an expected pace, why doesn't internet
connectivity get faster/cheaper at the same pace? As a 'colo consumer',
and effectively an end-user of the internet, this is what I expect from
the net. Jokes and cynicism aside- when I see networks get saturated,
good things are happening- big picture.

- Promote the advancement of networking technology
  - increasing network speed/quality/reliability (trying to keep up with
    Moore's law, with computing machinery)
- Promote transparency of infrastructure
  - give users more control of their service (even if this simply means
    clearly stated policies) - from QoS to packet inspection, L2-L7
    (clear communication to customers what they get, what they don't)
- Keep ISP's blind to users data, just focus on throughput
  - end QoS abuses (e.g. VPN's requiring 'business' class service,
    logging/selling DNS record metrics to marketing/anyone; preferring
    particular packets over others based on content, protocol, etc...)
- Promote synchronous network connectivity everywhere
- Let expanded application/use of the internet define network need

--

Here's some different ways *how* I'd like to see those objectives met
(but different from my list of wants above, this is just thinking out
loud):

- Legislate Separation of Content from Infrastructure businesses
- Incentivize QoS honesty
  - encourage pricing models based on speed/quality metrics
  - provide incentives to discourage asynchronous connectivity
- Get the state more involved with transparently, publicly, regulating
  Telcos as a Natural Monopoly
- Penalize ISP's for inaccurate service claims
  - most consumer pipes are 60-80% sold speed
  - most colo pipes (I've experienced) are 70-90% sold speed
- Incentivize measurable infrastructure improvements
  - reduce barriers to network upgrades

--

But outside of legislation, social changes can have an impact:

- Hold carriers accountable for their actions
- Make SLA's stick, all the way through the chain
- Demand honesty and sane transparency from network providers
- Help people realize the costs of the internet, discouraging 'the
  internet is free' (cost) mentality
- Provide services people care about and respect, and from my
  experience people tend to respect these services

The greater impact of these changes is often hard to measure.

Note to Alex: from my experience- these are things you already do.

>
>
> It's nearly possible, and scalable, to deliver television over the
> public Internet. Currently I think there may be some big gaps in the
> free software toolkit, and there may be some
> robustness/security/control-plane-DoS problems since it involves
> letting untrusted parties create state on router control planes, but
> it's already very advanced and I think is quite close.
>
> Also I don't think multicast will be safe without QoS to prevent
> multicast from filling your entire pipe, otherwise you could routinely
> (albeit temporarily) DoS yourself off the Internet by subscribing to
> too much.

Ha- interesting- I'd never really thought of multicast used on the
internet this way. Are you talking about some kind of end-user controls
which affect multicast traffic filtering up the ISP chain?

And how do the big backbone providers, who have to run all of that
multicast, (it has to flow somewhere, right?), how do they get
compensated to maintain network load?

A url answer would suffice since I'm totally out of the loop on this
one...

>
>
> Currently cable companies are switching all their fiber to IP. They
> will deliver television to the set-top boxes over multicast IP. but
> they'll probably not let these IP packets leak out of their DRMbox.
> They might. They will DEFINITELY reserve the right to be multicast
> sources for themselves so they can sell your eyeballs to others, and
> keep your choices of TV stations tied to your choice of ISP.

Yuck. This is exactly the kind of Content+Infrastructure nightmare I
loathe.

In a sane world, I think Cable companies could make a fine business out
of simply selling content from their respective endpoint on the
internet- and use the net like everyone else. Hell, their budgets make
their respective endpoint eclipse the network capabilities of a typical
home user- without mucking about with the greater network at all.

But understatedly, they are monsters regarding fair competition- and
indeed they are not trying to play this way.

>
>
> Neutrality means, if television is ready to move onto Internet
> technology, then FORCE it onto the public Internet itself not just
> Internet-technology, rather than letting last mile monopolies keep a
> unicast moat around it.
> The ability of any person to broadcast a live
> television station, using the same amount of his own resources no
> matter how many people are watching it, is so stunningly disruptive it
> warrants the same type of zealous government support as the original
> invention of television itself.
>
>
> Next, I think VoIP can currently work well over networks like
> Speakeasy's that implement simple priority-based QoS in both
> directions on the DSL link, and do it at ASIC level or ATM level or
> whatever the fuck they do, the point being that you can't do it
> yourself. VoIP also works well over cable company networks, but
> implementing the QoS for the upstream direction requires a DOCSIS
> feature called ``unsolicited grant''. It's possible with better DSL
> modems to do your own QoS on upstream, but for downstream speakeasy
> has you by the balls---there is no way you can put the VoIP traffic
> headed toward you in front of your bittorrenting, because you've no
> control over what's headed at you. The best you can do is leave some
> of the pipe unused and try to use TCP congestion control to leave gaps
> between packets, but this wastes speed and will work like crap
> compared to what Speakeasy can arrange with control of L2. On cable
> or FiOS or anything else without a specific bandwidth and with a
> reservation-based broadcast upstream, QoS *cannot work at all*, in
> either direction, without cooperation of L2.
>
> If you're a Teliax or a Junction Networks (or Vonage), your customers
> will get much shittier service than if they buy the proprietary VoIP
> from speakeasy or time-warner. The ATM QoS and unsolicited grant
> features these ISP's are using aren't exposed to the user, nor
> available to bits received from random sites on the Internet. It's
> all walled-garden bullshit.
> They start with the VoIP the rest of us
> are using, then add a layer of wallpaper so we don't realize it's
> VoIP, and then quietly finish the job with proper QoS analogous to
> what banks and big corporations run over their WANs. That last step
> needs to be cracked open by neutrality legislation. It's about giving
> end users full control over their own Internet access, and not
> allowing ISP's to tie other services to your Internet service by
> deliberately crippling their own technology.
>
> I think Alex will favour a system he says the british are using which
> splits monopolies vertically. He says they have no ILEC. There is
> one company that owns all the copper, but they don't provide telephone
> service too, just copper. Everyone is a CLEC.

Well, this model starts screwing with my simple Separation of Content
and Infrastructure spiel- as it puts the IP layer in as a sort of
content layer.

I can see why (hypothetically) this would be beneficial to Alex, I see
him as constantly being stuck in-between massive telco battles upstream,
and customers downstream.

>
>
> It sounds harder to cheat that system, but the modern networks are
> cable and fiber, and both of these have L2 that natively accepts IP.
> For cable, TV is moving onto multicast IP. For FiOS, AIUI (maybe
> wrong) there's no longer a TDM bandwidth reservation per house. In
> both cases the L2 is operating at building/neighborhood-level, not
> house-level, so unless you intend to convince all your neighbors to
> switch to a certain CLEC at once I don't see how it's going to work
> because the houses in your neighborhood/building are already part of
> an IP broadcast domain.
>
> anyway in general I think the CLEC idea is a failure and is what led
> to the Cogent/L3 or Cogent/Sprint problem in the first place. Markets
> work like shit when shopping stops. Web surfers don't shop. They get
> come-on offers in the mail from Verizon and accept them.
> and the
> consequences of their (lack of) choice-making spill over to others.

Well, I agree with this sentiment- but I'm challenged to think of a
clear alternative.

Like the quote from that Krugman op-ed in my original post,
"I'm like a 19th-century farmer who had to ship his grain on the Union
Pacific, or not at all"

It's difficult to see a way out of the lack of bandwidth choices, (or
lack of choice based on the difficulty of acquiring/securing/providing
these lines).

>
>
> il> Vint Cerf, one of the
> il> founders of the Internet, Microsoft's Steve Ballmer,
> il> Amazon's Jeff Bezos, eBay founder Pierre Omidyar, and Lotus
> il> pioneer Mitch Kapor."
>
> wait those are McCain's choices or Obama's? seriously some of these
> old geezers hang onto some really strange ideas very tenaciously.
> Also in this field people accomplish things early in their careers,
> and if they keep trying to do technical work after they get older it
> ends up being really embarrassing shitty work. I don't know where to
> turn.

I'm disheartened by these names too.

Rocket-
.ike

From ike at lesmuug.org Sat Nov 1 20:06:43 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 1 Nov 2008 20:06:43 -0400
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To:
References:
Message-ID: <40FE5E3D-0D6B-45F0-8A63-7BBAC184A14A@lesmuug.org>

On Oct 31, 2008, at 10:07 PM, Alex Pilosov wrote:
> On Fri, 31 Oct 2008, Isaac Levy wrote:
>
>>>> My DSL (Speakeasy) gets quite slow for small periods of time since
>>>> yesterday. OpenBSD 4.4 release today is coming down *slowly*. My
>>>> home-office telecommute work day is sucking rocks. My neighbor
>>>> (Comcast Cable), reported less than 20k bandwidth for long
>>>> periods of time last night.
>>> Correlation does not imply causation.
>>
>> Er, it does imply, but your sentiment is correct if I modify-
>> correlation does not confirm causation.
> Correlation does not imply causation.
> http://en.wikipedia.org/wiki/Correlation_does_not_imply_causation
>
> I'm right, you are wrong, wikipedia says so.

*chortle* I stand corrected.

>
>
>>>> Admittedly unscientifically, from my endpoint --> traceroute to
>>>> known points in NYC, now go through mzima where they used to always
>>>> go through some level3 pipes- so I *believe* I'm not crazy to say
>>>> the Sprint/ Cogent de-peering affected my piddly DSL, (as it
>>>> reportedly seems to affect a lot more people).
>>> Yes, gamerz coming out from woodwork and "OMG IM PINGIN 10"
>> lol
> I missed mzima in the above sentence. That's where lulz is.

?

>
>
>> After years of (happily) paying ISP's, I see little change or
>> explanation from ISP's for why speeds/quality/reliability remains the
>> same.
> Disagree. People think that Interwebs is now a mission-critical
> service, and demand 100% availability. They are getting close to it
> now. Whereas, 5 years ago, it was quite different and people were not
> really expecting 100%.
>
>> I see old networking gear, and a massive multi-billion dollar
>> business maintaining a status quo which I'm not happy about.
> Point fingers, please.

Oh- let me clarify one thing in my tone and meaning: I'm DEFINITELY not
pointing fingers at you, Alex. I'm pointing them at the backbone telcos.

>
>
>> Examples:
>> ISP's getting into the CDN business: AT&T, XO, Internap, etc...
> Nothing wrong with that, it's where the money is. Means new builds
> for CDN etc.

Sure- but what about their network customers who are CDN's?

>
>
>> Network Providers focused on ringtones: Telewest, Sprint, AT&T
> That's where the money is.

Great- but did it make my network connectivity any faster, or heck- did
it make my mobile phone any more reliable?

>
>
>> Network Providers marry Media (Content) Businesses: AT&T, Qwest,
>> Verizon
> VZ doesn't have own content (AFAIK). Neither does Qwest. You probably
> meant to say "Time Warner" or "Comcast" (who owns both content and
> pipes).
Sure-

>
>
>> None of this free market has opened up the market for various content
>> businesses to use the internet, however my point here is that none
>> of it has made our providers re-invest significantly in their own
>> networks either.
> What data do you have that providers don't "re-invest significantly in
> their own networks", I'm dying to know.

DSL available to me in 2002: 768/6.0, around $100/mo
DSL available to me in 2008: 768/6.0, around $100/mo

Gear deployed/used by DSL company: nothing upgraded, (even squeezing
DSL through old lead pairs in my parts of Brooklyn).

Even with the newer DSL speeds (1.0/15.0), requiring a new card for the
circuit at the DSLAM, they won't deploy the new card until I pay for
the service- I can't just 'switch over' and start paying more... (the
monthly cost is nearly double anyhow).

In the last year, the card at the DSLAM burned out and was replaced,
with an identical unit- not the newer stuff.

This is a personal story from 1 guy, (me), but can you tell me things
are any different big picture?

-vs-

Rough Server specs in 2002:
1u server, 2gRAM (4 max), 4xSATA 250gb each, Hardware Raid5 PCI, dual
Gig nics, dual Xeon 1.5ghz range
about $3200

Rough Server specs in 2008:
1u server, 4gRAM (32 max), 4xSATA 1000gb each, Onboard Raid5, Dual Gig
nics which do altQ, dual Xeon Quad-Core procs 3.0ghz range
about $3000

--

The point here is that from my vantage point, computing machinery
available in the market is advancing- and internet connectivity is not
keeping pace.

I want this to change, and before that can happen, I feel it's important
to explore *why* it's not changing.

>
>
> As far as free market for content - I don't think there's been a
> better time. See all pr0n companies, none of them have any problems
> delivering their content to end user.

There's more to the net than pr0n, but from the numbers, not much I
guess.
>
>
>> I was thinking Sprint may have been going around rattling cages to
>> cut costs and make their next quarters numbers... Not a conspiracy,
>> but as the market is down...
> Doubt anyone in Sprint corporate even *knows* about sprint internet
> transit. It is such a tiny portion of their revenue, I doubt their
> finance people care.

Gotcha.

>
>
>> My point here, is that upgrading the networks seems to be happening
>> in big waves- instead of a more cumulative or calculated manner- and
>> therefore has pains.
> Explain what you mean by waves of upgrade, and how are they different
> from cumulative or calculated.

Big waves of upgrade: Re-Wire all of NYC with FIOS and light it all at
once (big expenditure all at once)

Cumulative upgrades: An example: At an old job of mine, if a production
server was taken offline, it was policy to drop more RAM into the box
when it was out of the rack- regardless of need. RAM was always
cheaper/better/etc... and the cost of taking a production box offline
was high. This can be applied to *many* small aspects of a tech
business, but the cost is the organization and management overhead of
paying attention to detail. I am willing to see this cost of managing
small details, and strategic planning, may not scale easily.

>
>
>> When I worked on the web-hosting ISP, we had a life-span for each
>> server accounted for in advance, and rough estimates on what the tech
>> (and service offerings) would be a couple of years down the road. It
>> worked out peachy- servers, storage, etc... all could cumulatively
>> grow and change as technology advanced.
> There's no lifespan of networking gear. It stays in service until it
> is unable to handle traffic passing through it. There's nothing wrong
> with that. If traffic is not increasing and there are no additional
> feature requirements, it'll stay.

Gotcha.
>
>
>>>> I would argue that to continue to compete and grow internationally,
>>>> American businesses desperately need increased bandwidth all
>>>> around- especially at the datacenter. I argue that carriers need to
>>>> be supported in, as well as held accountable for, planning upgrade
>>>> cycles.
>>> We all held them accountable, with our wallets. It's called 'free
>>> market'.
>>
>> I'm no economist, but didn't the raw free market, and Friedman-style
>> economics, just wholly collapse?
> I wouldn't quite put it like that just yet. We won't have whole
> picture until a year from now, at least.

Understood- we'll all see with time.

>
>
>> But if a company has a network application which drives their
>> business, and the network sucks/fails, it's out of their hands,
>> right? It becomes a surprise cost, and everyone down the chain is
>> affected by the big carriers decision making?
> Wrong. It means you didn't build *your* network right, didn't
> multihome properly. If the network is *so* critical to your business,
> you owe it to plan for your carrier's failures - just like you plan
> for your own equipment to fail.

I get your point from a carrier perspective-

I'm saying that on a smaller-scale than before, the functioning internet
is critical to businesses.

How does a small office of 5 people, deal with losing the internet for
a day? Or a building full of small offices?

>
>
>> I would argue that the US Govt. was far too immature with where
>> networks were going to even legislate, back then- and perhaps now?
> Sorta. Reed Hundt's FCC was actually fairly sensible and visionary.

Interesting- he's another name around the Obama campaign.

I see what you mean- it's not all been bad from the Fed- but the common
problem is trucks-and-tubes blunders, as these issues become more
mainstream.

>
>> What, no comment on "Separation of Content and Infrastructure"?
> I don't think there's a problem with it.
> If content merges with a network, nothing's wrong. It's when you get
> into the monopoly (or duopoly) situation, problems happen.

Yes- but aren't we talking in general about a monopoly here?

>
>
>>>> Who has internet backbone?
>>> I dunno. But I can has cheezburger.
>>
>> Oh- I guess that means you think content and infrastructure are the
>> same.
> No, I mean that this thread has not enough lulz. So here's a picture
> of a firewall:
> http://icanhascheezburger.files.wordpress.com/2008/10/funny-pictures-furwall-prevents-unauthorized-access.jpg

*sigh*/*chortle*

Rocket-
.ike

From ike at lesmuug.org Sat Nov 1 20:11:27 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 1 Nov 2008 20:11:27 -0400
Subject: [nycbug-talk] Why is DSL-Cable asynchronous?
In-Reply-To: <47f344f40811011623i3a0b89d2i5292e154d202dd30@mail.gmail.com>
References: <6700C37B-3636-4172-94D0-0CF70A3FCD24@lesmuug.org>
	<47f344f40811011614q54051ec5l98a510ba3fd94e90@mail.gmail.com>
	<47f344f40811011623i3a0b89d2i5292e154d202dd30@mail.gmail.com>
Message-ID:

On Nov 1, 2008, at 7:23 PM, Andy Michaels wrote:
>> kind regards,
>>
>> -Andy
>
> Hey Jackass, don't top-post.

lols

Rocket-
.ike

From alex at pilosoft.com Sat Nov 1 20:20:41 2008
From: alex at pilosoft.com (Alex Pilosov)
Date: Sat, 1 Nov 2008 20:20:41 -0400 (EDT)
Subject: [nycbug-talk] nyetwork neutrality, rehashed (was: some other crap)
In-Reply-To: <3345B09B-28AA-4020-91AA-599D5B6A52CC@lesmuug.org>
Message-ID:

On Sat, 1 Nov 2008, Isaac Levy wrote:

> > This is where Alex and I will disagree. I think we need neutrality
> > badly, and I think that current ideas of neutrality don't even touch
> > the relevant part and are so narrow they should be implemented as an
> > obvious matter of course, and what we actually need goes WAY further
> > than the discussion.
>
> This is where I believe I'm on Miles' side. Alex, (and Marc), I respect
> your views, but I like the idea of future Government involvement and
> proactive regulation of network businesses.
Crazy talk. Regulation is only necessary in case of monopolies. In every
other case, vote with your wallet. If no one provides service that you
want, start providing it.

Then again, you *may* be talking about regulation of the last mile
monopolies, in which case, I agree.

> Technology gets faster/cheaper at an expected pace, why doesn't internet
> connectivity get faster/cheaper at the same pace? As a 'colo consumer',
> and effectively an end-user of the internet, this is what I expect from
> the net. Jokes and cynicism aside- when I see networks get saturated,
> good things are happening- big picture.

Last mile is a monopoly, that's why. IP transit *is* getting very cheap
very fast - we went from 1000$/mbit about 8 years ago to 10-15$/mbit
today, and we'll go to mid-teens soon.

> - Promote the advancement of networking technology
> - Promote transparency of infrastructure
> - Keep ISP's blind to users data, just focus on throughput

In case of monopolies, yes, otherwise, hell no. I built my network, I
paid for it, keep your hands offa it.

I've gone through this exact debate some time ago on nycwireless, so
not to re-hash this, I'd like you to read this before posting.

http://www.mail-archive.com/nycwireless at lists.nycwireless.net/msg04878.html
http://www.mail-archive.com/nycwireless at lists.nycwireless.net/msg04891.html
http://www.mail-archive.com/nycwireless at lists.nycwireless.net/msg04916.html
http://www.mail-archive.com/nycwireless at lists.nycwireless.net/msg04889.html
http://www.mail-archive.com/nycwireless at lists.nycwireless.net/msg04904.html
(particularly last one)

> - Legislate Separation of Content from Infrastructure businesses

It is not a problem.

> - Incentivize QoS honesty
>   - encourage pricing models based on speed/quality metrics
>   - provide incentives to discourage asynchronous connectivity

Market already does this just fine, thanks.
> - Get the state more involved with transparently, publicly, regulating
>   Telcos as a Natural Monopoly

Yes, in case of monopoly.

> - Penalize ISP's for inaccurate service claims
>   - most consumer pipes are 60-80% sold speed
>   - most colo pipes (I've experienced) are 70-90% sold speed

OMG IM PINGIN 10. Where did you get this data? This looks like complete
and utter bullshit, spoken by a gamer who doesn't have any idea how
internet works, that it is not end-to-end, etc, etc etc. You know
better than that.

> - Incentivize measurable infrastructure improvements
>   - reduce barriers to network upgrades

Market already does it just fine.

> But outside of legislation, social changes can have an impact:
>
> - Hold carriers accountable for their actions
> - Make SLA's stick, all the way through the chain
> - Demand honesty and sane transparency from network providers

Except that most customers "can't handle the truth". Pilosoft has mostly
clued customers, yet I doubt many of them want or need or care about the
truth.

> - Help people realize the costs of the internet, discouraging 'the
>   internet is free' (cost) mentality

That'd help. Clearly, it'd get rid of tards who think "unlimited" means
dedicated as in "I can use 100% of my bandwidth 24x7 and not pay extra".
I'm very much in favor of carriers placing GB caps and charging per GB -
it is similar to abuse of dialup back in the day by staying connected
24x7. Unlimited does not mean dedicated.

> > It's nearly possible, and scalable, to deliver television over the
> > public Internet. Currently I think there may be some big gaps in the
> > free software toolkit, and there may be some
> > robustness/security/control-plane-DoS problems since it involves
> > letting untrusted parties create state on router control planes, but
> > it's already very advanced and I think is quite close.
> >
> > Also I don't think multicast will be safe without QoS to prevent
> > multicast from filling your entire pipe, otherwise you could routinely
> > (albeit temporarily) DoS yourself off the Internet by subscribing to
> > too much.
>
> Ha- interesting- I'd never really thought of multicast used on the
> internet this way. Are you talking about some kind of end-user controls
> which affect multicast traffic filtering up the ISP chain?

Multicast is like IPv6 in many ways. Chicken and egg, nobody really
cares enough to multicast-enable their network.

> And how do the big backbone providers, who have to run all of that
> multicast, (it has to flow somewhere, right?), how do they get
> compensated to maintain network load?

Same as every other traffic?

> > Currently cable companies are switching all their fiber to IP. They
> > will deliver television to the set-top boxes over multicast IP. but
> > they'll probably not let these IP packets leak out of their DRMbox.
> > They might. They will DEFINITELY reserve the right to be multicast
> > sources for themselves so they can sell your eyeballs to others, and
> > keep your choices of TV stations tied to your choice of ISP.
>
> Yuck. This is exactly the kind of Content+Infrastructure nightmare I
> loathe.

Why? Nothing's wrong with that. If you had a *choice* of your cable
carriers, that wouldn't be a problem.

> > If you're a Teliax or a Junction Networks (or Vonage), your customers
> > will get much shittier service than if they buy the proprietary VoIP
> > from speakeasy or time-warner. The ATM QoS and unsolicited grant
> > features these ISP's are using aren't exposed to the user, nor
> > available to bits received from random sites on the Internet. It's
> > all walled-garden bullshit. They start with the VoIP the rest of us
> > are using, then add a layer of wallpaper so we don't realize it's
> > VoIP, and then quietly finish the job with proper QoS analogous to
> > what banks and big corporations run over their WANs.
> > That last step
> > needs to be cracked open by neutrality legislation. It's about giving
> > end users full control over their own Internet access, and not
> > allowing ISP's to tie other services to your Internet service by
> > deliberately crippling their own technology.

(addressed in the emails linked above from nycwireless)

> > I think Alex will favour a system he says the british are using which
> > splits monopolies vertically. He says they have no ILEC. There is
> > one company that owns all the copper, but they don't provide telephone
> > service too, just copper. Everyone is a CLEC.
>
> Well, this model starts screwing with my simple Separation of Content
> and Infrastructure spiel- as it puts the IP layer in as a sort of
> content layer.
>
> I can see why (hypothetically) this would be beneficial to Alex, I see
> him as constantly being stuck in-between massive telco battles upstream,
> and customers downstream.

No, it's beneficial to consumers by letting *market* decide things.

-alex

From alex at pilosoft.com Sat Nov 1 20:32:38 2008
From: alex at pilosoft.com (Alex Pilosov)
Date: Sat, 1 Nov 2008 20:32:38 -0400 (EDT)
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To: <40FE5E3D-0D6B-45F0-8A63-7BBAC184A14A@lesmuug.org>
Message-ID:

On Sat, 1 Nov 2008, Isaac Levy wrote:

> >> After years of (happily) paying ISP's, I see little change or
> >> explanation from ISP's for why speeds/quality/reliability remains the
> >> same.
> > Disagree. People think that Interwebs is now a mission-critical
> > service, and demand 100% availability. They are getting close to it
> > now. Whereas, 5 years ago, it was quite different and people were not
> > really expecting 100%.
> >
> >> I see old networking gear, and a massive multi-billion dollar
> >> business maintaining a status quo which I'm not happy about.
> > Point fingers, please.
>
> Oh- let me clarify one thing in my tone and meaning: I'm DEFINITELY not
> pointing fingers at you, Alex. I'm pointing them at the backbone
> telcos.

I meant to say, "who do you think is not upgrading their network"? I'd
like to know so I can refute.

> >> Examples: ISP's getting into the CDN business: AT&T, XO, Internap,
> >> etc...
> > Nothing wrong with that, it's where the money is. Means new builds for
> > CDN etc.
>
> Sure- but what about their network customers who are CDN's?

So what, let the market decide. Contrary to what you think, the
carrier-CDNs are not anywhere as successful as dedicated-CDNs - mostly
because it's not their core business and they have no idea what to do.
Top 3 CDNs are still not "major carriers" and it's likely to stay that
way.

> >> Network Providers focused on ringtones: Telewest, Sprint, AT&T
> > That's where the money is.
>
> Great- but did it make my network connectivity any faster, or heck- did
> it make my mobile phone any more reliable?

No, but if stupid people want to pay for ringtones, why should carriers
refuse their money? I don't see your point.

> >> None of this free market has opened up the market for various content
> >> businesses to use the internet, however my point here is that none of
> >> it has made our providers re-invest significantly in their own
> >> networks either.
> > What data do you have that providers don't "re-invest significantly in
> > their own networks", I'm dying to know.
>
> DSL available to me in 2002: 768/6.0, around $100/mo
> DSL available to me in 2008: 768/6.0, around $100/mo

Last mile is something else, and it's a monopoly issue. That being said,
FIOS is changing this - and it is *serious* money for VZ. TWC also
moving, albeit slowly, going from 3 to 5 to 10 to 15Mbit...

> The point here is that from my vantage point, computing machinery
> available in the market is advancing- and internet connectivity is not
> keeping pace.
>
> I want this to change, and before that can happen, I feel it's important
> to explore *why* it's not changing.

Cause you don't pay enough. 50$/month doesn't cover 1000$/port linecards.
VZ's investment into FIOS is serious. And I'm kinda hoping it'd bankrupt
VZ. Unfortunately they have too many cash cows for this to happen :(

> >> My point here, is that upgrading the networks seems to be happening
> >> in big waves- instead of a more cumulative or calculated manner- and
> >> therefore has pains.
> > Explain what you mean by waves of upgrade, and how are they different
> > from cumulative or calculated.
>
> Big waves of upgrade: Re-Wire all of NYC with FIOS and light it all at
> once (big expenditure all at once)

Except that it isn't. FIOS thing will take many years.

> Cumulative upgrades: An example: At an old job of mine, if a production
> server was taken offline, it was policy to drop more RAM into the box
> when it was out of the rack- regardless of need. RAM was always
> cheaper/better/etc... and the cost of taking a production box offline
> was high. This can be applied to *many* small aspects of a tech
> business, but the cost is the organization and management overhead of
> paying attention to detail. I am willing to see this cost of managing
> small details, and strategic planning, may not scale easily.

Example, in case of HFC upgrade for example, it cannot be done
"cumulatively". Either plant is two-way ready, or it's not. If it's not,
you toss money and make it two-way.

> >> But if a company has a network application which drives their
> >> business, and the network sucks/fails, it's out of their hands,
> >> right? It becomes a surprise cost, and everyone down the chain is
> >> affected by the big carriers decision making?
> > Wrong. It means you didn't build *your* network right, didn't
> > multihome properly.
> > If the network is *so* critical to your business, you owe it to plan for your carrier's failures - just like you plan for your own equipment to fail.
> I get your point from a carrier perspective-
> I'm saying that on a smaller-scale than before, the functioning internet is critical to businesses.
> How does a small office of 5 people, deal with losing the internet for a day? Or a building full of small offices?

Pay more money for a reliable service. Your 50$/month DSL is not mission critical - and not intended to be. If internet is critical for your business, that means there's actual money riding on it, that means you should spend actual money to support your infrastructure. If this is mission critical, you *should* expect to pay more than grandma, for whom it isn't.

> >> What, no comment on "Separation of Content and Infrastructure"?
> > I don't think there's a problem with it. If content merges with a network, nothing's wrong. It's when you get into the monopoly (or duopoly) situation, problems happen.
> Yes- but aren't we talking in general about a monopoly here?

I wasn't necessarily.

-alex

From spork at bway.net Sat Nov 1 20:40:12 2008
From: spork at bway.net (Charles Sprickman)
Date: Sat, 1 Nov 2008 20:40:12 -0400 (EDT)
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To: <40FE5E3D-0D6B-45F0-8A63-7BBAC184A14A@lesmuug.org>
References: <40FE5E3D-0D6B-45F0-8A63-7BBAC184A14A@lesmuug.org>
Message-ID:

On Sat, 1 Nov 2008, Isaac Levy wrote:

> DSL available to me in 2002: 768/6.0, around $100/mo
> DSL available to me in 2008: 768/6.0, around $100/mo

Optonline Business cable with a /29 of static space, 4 hr. service, etc available to me: 30Mb/s down/5Mb/s up, around $75/month.

The world is full of tradeoffs. I live in western Jersey where people are excited that Palin may be president. There is no art, no culture, no coffee shops, no record stores.
There is fast internets (FiOS is on its way) and a giant WalMart.

You live in Brooklyn and have such perks as culture, food, and even the possibility of meeting like-minded people. You probably pay at least double what I pay in rent, but you get slow internets.

The giant apartment complex I live in is having a recession special though, $883/month for a 780 sq. ft. 1 bedroom apt. You can move out here and get fast internet and be "that weird guy". :)

> Gear deployed/used by DSL company: nothing upgraded, (even squeezing DSL through old lead pairs in my parts of Brooklyn).

You are likely using someone that uses Covad. Even after going bankrupt and getting rid of debt, they are still always broke.

> Even with the newer DSL speeds (1.0/15.0), requiring a new card for the circuit at the DSLAM, they won't deploy the new card until I pay for the service- I can't just 'switch over' and start paying more... (the monthly cost is nearly double anyhow).

Tell them (speakeasy) that's BS. Covad has a list of COs with the new (earthlink-financed) Samsung DSLAMs. It's either hot or not, but I guarantee you that one customer ordering service will not trigger the install of a whole new DSLAM (and thanks to covad's fucked-up engineering, another backhaul).

> In the last year, the card at the DSLAM burned out and was replaced, with an identical unit- not the newer stuff.

Want to hear another fun fact? Your DSLAM is made by Nokia, and has been EOL'd long, long ago. Covad has to stock their own spares since they are no longer made. They bought up the last cards a few years ago and when they burn through their stock... all gone. Again, this is part of why you don't have ADSL2+ - there are no such cards for the bulk of the DSLAMs covad has deployed.

In case you haven't noticed, I've got a bit of a love/hate thing with Covad. My Optonline stuff has not had any problems yet, but Covad is going on nearly two months of getting a line in here for backup purposes.
Their OSS cannot deal with the fact that the test equipment in my CO has been dead for the last two years and they cannot figure out how to override my "failed" loop test in the system so the order can proceed to the next step.

C

From ike at lesmuug.org Sat Nov 1 20:59:35 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 1 Nov 2008 20:59:35 -0400
Subject: [nycbug-talk] nyetwork neutrality, rehashed (was: some other crap)
In-Reply-To:
References:
Message-ID: <2D876571-595F-4103-B248-E0A5662DA4E3@lesmuug.org>

On Nov 1, 2008, at 8:20 PM, Alex Pilosov wrote:

> On Sat, 1 Nov 2008, Isaac Levy wrote:
>
>>> This is where Alex and I will disagree. I think we need neutrality badly, and I think that current ideas of neutrality don't even touch the relevant part and are so narrow they should be implemented as an obvious matter of course, and what we actually need goes WAY further than the discussion.
>>
>> This is where I believe I'm on Miles' side. Alex, (and Marc), I respect your views, but I like the idea of future Government involvement and proactive regulation of network businesses.
>
> Crazy talk. Regulation is only necessary in case of monopolies. In every other case, vote with your wallet. If no one provides service that you want, start providing it.
>
> Then again, you *may* be talking about regulation of the last mile monopolies, in which case, I agree.

Oh no- dude- we're on the same page here.

Example: I want 100mbps internet drop at my house from say, Pilosoft. My budget is, Maximum, $100/mo.

I'm sure Alex would gladly provide it, if his upstream was cheaper/faster/etc and if Verizon could drop the right line.

I mean, if you could get it for me, you'd sell it- right?

>> Technology gets faster/cheaper at an expected pace, why doesn't internet connectivity get faster/cheaper at the same pace? As a 'colo consumer', and effectively an end-user of the internet, this is what I expect from the net.
>> Jokes and cynicism aside- when I see networks get saturated, good things are happening- big picture.
>
> Last mile is a monopoly, that's why. IP transit *is* getting very cheap very fast - we went from 1000$/mbit about 8 years ago to 10-15$/mbit today, and we'll go to mid-teens soon.

Gah. So it is getting faster! Gee, I wish my DSL provider told me (and dropped my rates, or improved my speed a bit)!

(sidenote- can I run a patch cable from Williamsburg downtown to the Pilosoft NOC? Er, better, some fiber... I'll go dig in my closet for some... ;)

>> - Promote the advancement of networking technology
>> - Promote transparency of infrastructure
>> - Keep ISP's blind to users data, just focus on throughput
>
> In case of monopolies, yes, otherwise, hell no. I built my network, I paid for it, keep your hands offa it.

Huh? As an end user of a 'Layer 3' service, this still may suck for me. Why should I accept a 'Layer 3' company mucking with my packets?

> I went through this exact debate some time ago on nycwireless, so not to re-hash this, I'd like you to read this before posting.
>
> http://www.mail-archive.com/nycwireless at lists.nycwireless.net/msg04878.html
> http://www.mail-archive.com/nycwireless at lists.nycwireless.net/msg04891.html
> http://www.mail-archive.com/nycwireless at lists.nycwireless.net/msg04916.html
> http://www.mail-archive.com/nycwireless at lists.nycwireless.net/msg04889.html
> http://www.mail-archive.com/nycwireless at lists.nycwireless.net/msg04904.html
>
> (particularly last one)

Excellent- the last one is definitely a good read.

>> - Legislate Separation of Content from Infrastructure businesses
> It is not a problem.
>
>> - Incentivize QoS honesty
>> - encourage pricing models based on speed/quality metrics
>> - provide incentives to discourage asynchronous connectivity
> Market already does this just fine, thanks.
>> - Get the state more involved with transparently, publicly, regulating Telcos as a Natural Monopoly
> Yes, in case of monopoly.

I think we're on the same page with much of this Alex- you and I just sit in slightly different sides of internet usage, (you on the network, me on the servers/application)- and much of our vocabulary is out of sync.

>> - Penalize ISP's for inaccurate service claims
>> - most consumer pipes are 60-80% sold speed
>> - most colo pipes (I've experienced) are 70-90% sold speed
> OMG IM PINGIN 10.
>
> Where did you get this data? This looks like complete and utter bullshit, spoken by a gamer who doesn't have any idea how internet works, that it is not end-to-end, etc, etc etc. You know better than that.

No- I've never tested a pilosoft DSL line, but:

- Even 'speed-tests', from a given vendor, are always slower than the sold-as speed- even if the location is right on top of the CO
- with colo pipes, (as a cabinet and cage consumer- with IP/Net connectivity from the facility), It's hard to push more than 60mb on a 100mb pipe- even to servers a few cabinets away. Understandable, but worth mention.

I know how the internet works- I know how networks perform- I'm just fed up with all the soft-metrics.

>> - Incentivize measurable infrastructure improvements
>> - reduce barriers to network upgrades
> Market already does it just fine.
>
>> But outside of legislation, social changes can have an impact:
>>
>> - Hold carriers accountable for their actions
>> - Make SLA's stick, all the way through the chain
>> - Demand honesty and sane transparency from network providers
> Except that most customers "can't handle the truth". Pilosoft has mostly clued customers, yet I doubt many of them want or need or care about the truth.
>
>> - Help people realize the costs of the internet, discouraging 'the internet is free' (cost) mentality
> That'd help.
> Clearly, it'd get rid of tards who think "unlimited" means dedicated as in "I can use 100% of my bandwidth 24x7 and not pay extra". I'm very much in favor of carriers placing GB caps and charging per GB - it is similar to abuse of dialup back in the day by staying connected 24x7. Unlimited does not mean dedicated.

Well, from a reality perspective on the network side- I agree with you.

However, the market has gone to selling different expectations- and 24x7 network saturation is something I tend to find ways to regularly do... I think others on this list do too.

>>> It's nearly possible, and scalable, to deliver television over the public Internet. Currently I think there may be some big gaps in the free software toolkit, and there may be some robustness/security/control-plane-DoS problems since it involves letting untrusted parties create state on router control planes, but it's already very advanced and I think is quite close.
>>>
>>> Also I don't think multicast will be safe without QoS to prevent multicast from filling your entire pipe, otherwise you could routinely (albeit temporarily) DoS yourself off the Internet by subscribing to too much.
>>
>> Ha- interesting- I'd never really thought of multicast used on the internet this way. Are you talking about some kind of end-user controls which affect multicast traffic filtering up the ISP chain?
> Multicast is like IPv6 in many ways. Chicken and egg, nobody really cares enough to multicast-enable their network.
>
>> And how do the big backbone providers, who have to run all of that multicast, (it has to flow somewhere, right?), how do they get compensated to maintain network load?
> Same as every other traffic?

No- I meant that with regard to the Over-Subscribe problem, (effectively DDOS'ing yourself to oblivion), the multicast has to get filtered at some point- yet it *all* flows back up at the top?
>>> Currently cable companies are switching all their fiber to IP. They will deliver television to the set-top boxes over multicast IP. But they'll probably not let these IP packets leak out of their DRMbox. They might. They will DEFINITELY reserve the right to be multicast sources for themselves so they can sell your eyeballs to others, and keep your choices of TV stations tied to your choice of ISP.
>>
>> Yuck. This is exactly the kind of Content+Infrastructure nightmare I loathe.
> Why? Nothing's wrong with that. If you had a *choice* of your cable carriers, that wouldn't be a problem.

Are you joking? I'd need to change internet carriers if I wanted to watch a different TV show?

>>> If you're a Teliax or a Junction Networks (or Vonage), your customers will get much shittier service than if they buy the proprietary VoIP from speakeasy or time-warner. The ATM QoS and unsolicited grant features these ISP's are using aren't exposed to the user, nor available to bits received from random sites on the Internet. It's all walled-garden bullshit. They start with the VoIP the rest of us are using, then add a layer of wallpaper so we don't realize it's VoIP, and then quietly finish the job with proper QoS analogous to what banks and big corporations run over their WANs. That last step needs to be cracked open by neutrality legislation. It's about giving end users full control over their own Internet access, and not allowing ISP's to tie other services to your Internet service by deliberately crippling their own technology.
> (addressed in the emails linked above from nycwireless)
>
>>> I think Alex will favour a system he says the British are using which splits monopolies vertically. He says they have no ILEC. There is one company that owns all the copper, but they don't provide telephone service too, just copper. Everyone is a CLEC.
>> Well, this model starts screwing with my simple Separation of Content and Infrastructure spiel- as it puts the IP layer in as a sort of content layer.
>>
>> I can see why (hypothetically) this would be beneficial to Alex, I see him as constantly being stuck in-between massive telco battles upstream, and customers downstream.
> No, it's beneficial to consumers by letting *market* decide things.

Well, I guess we can just disagree here- not sure what else to say- except that in the last few months, much of the world is shaky about just letting the *market* decide anything.

Rocket-
.ike

From ike at lesmuug.org Sat Nov 1 21:10:32 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 1 Nov 2008 21:10:32 -0400
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To:
References: <40FE5E3D-0D6B-45F0-8A63-7BBAC184A14A@lesmuug.org>
Message-ID: <18800958-F4F1-4AC5-8D9D-8E13E1CD9592@lesmuug.org>

On Nov 1, 2008, at 8:40 PM, Charles Sprickman wrote:

> On Sat, 1 Nov 2008, Isaac Levy wrote:
>
>> DSL available to me in 2002: 768/6.0, around $100/mo
>> DSL available to me in 2008: 768/6.0, around $100/mo
>
> Optonline Business cable with a /29 of static space, 4 hr. service, etc available to me: 30Mb/s down/5Mb/s up, around $75/month.
>
> The world is full of tradeoffs. I live in western Jersey where people are excited that Palin may be president. There is no art, no culture, no coffee shops, no record stores. There is fast internets (FiOS is on its way) and a giant WalMart.
>
> You live in Brooklyn and have such perks as culture, food, and even the possibility of meeting like-minded people. You probably pay at least double what I pay in rent, but you get slow internets.

Nah- you and I live in the same place- this list ;P

> The giant apartment complex I live in is having a recession special though, $883/month for a 780 sq. ft. 1 bedroom apt.
> You can move out here and get fast internet and be "that weird guy". :)

But this opens the door to another problem I've been talking to ISP's about (as a colo customer),

If we have a world where 30mb/s down is becoming the norm for end users, why is bandwidth at the datacenter still so expensive?! I'm not comparing a DSL/Cable line to a solid pipe at a datacenter, but I am saying that people's expectations and uses of the internet are changing...

>> Gear deployed/used by DSL company: nothing upgraded, (even squeezing DSL through old lead pairs in my parts of Brooklyn).
>
> You are likely using someone that uses Covad. Even after going bankrupt and getting rid of debt, they are still always broke.
>
>> Even with the newer DSL speeds (1.0/15.0), requiring a new card for the circuit at the DSLAM, they won't deploy the new card until I pay for the service- I can't just 'switch over' and start paying more... (the monthly cost is nearly double anyhow).
>
> Tell them (speakeasy) that's BS.

I tried to- they said I'd need to put in an order and even have a new copper line run to my apt. Crazy, I thought...

> Covad has a list of COs with the new (earthlink-financed) Samsung DSLAMs. It's either hot or not, but I guarantee you that one customer ordering service will not trigger the install of a whole new DSLAM (and thanks to covad's fucked-up engineering, another backhaul).
>
>> In the last year, the card at the DSLAM burned out and was replaced, with an identical unit- not the newer stuff.
>
> Want to hear another fun fact? Your DSLAM is made by Nokia, and has been EOL'd long, long ago. Covad has to stock their own spares since they are no longer made. They bought up the last cards a few years ago and when they burn through their stock... all gone. Again, this is part of why you don't have ADSL2+ - there are no such cards for the bulk of the DSLAMs covad has deployed.

Oh joy.
> In case you haven't noticed, I've got a bit of a love/hate thing with Covad. My Optonline stuff has not had any problems yet, but Covad is going on nearly two months of getting a line in here for backup purposes. Their OSS cannot deal with the fact that the test equipment in my CO has been dead for the last two years and they cannot figure out how to override my "failed" loop test in the system so the order can proceed to the next step.
>
> C

Alex, is that the free market excellence you were speaking of? (I'm not trying to be rude- just playful- I know we all want faster/better/cheaper networks!)

Rocket-
.ike

From ike at lesmuug.org Sat Nov 1 20:16:15 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 1 Nov 2008 20:16:15 -0400
Subject: [nycbug-talk] Why is DSL-Cable asynchronous?
In-Reply-To:
References: <6700C37B-3636-4172-94D0-0CF70A3FCD24@lesmuug.org>
Message-ID: <07787F71-E98D-4ABC-87FA-CB1BEC59F82F@lesmuug.org>

On Nov 1, 2008, at 7:08 PM, Miles Nordin wrote:

>>>>>> "il" == Isaac Levy writes:
>
> il> Why is consumer dsl or cable asynchronous?
>
> for cable, WCDMA/cdma2000/gprs, and maybe FiOS, it is actually more expensive to move bits upstream at L1.

BINGO!

> The problem is that you must share a band among the many endpoints who'd like to send upstream, and there's overhead to coordinating this.

THAT is what I've been looking for. Now it's crystal clear to me.

Understanding the way the signaling is setup on the transport wire, and how it is different than the characteristics of say, ethernet, is the key to understanding this for me.

Thanks Miles, and everyone!

Rocket-
.ike

From alex at pilosoft.com Sat Nov 1 21:16:34 2008
From: alex at pilosoft.com (Alex Pilosov)
Date: Sat, 1 Nov 2008 21:16:34 -0400 (EDT)
Subject: [nycbug-talk] nyetwork neutrality, rehashed (was: some other crap)
In-Reply-To: <2D876571-595F-4103-B248-E0A5662DA4E3@lesmuug.org>
Message-ID:

On Sat, 1 Nov 2008, Isaac Levy wrote:

> > Crazy talk.
> > Regulation is only necessary in case of monopolies. In every other case, vote with your wallet. If no one provides service that you want, start providing it.
> >
> > Then again, you *may* be talking about regulation of the last mile monopolies, in which case, I agree.
>
> Oh no- dude- we're on the same page here.
>
> Example: I want 100mbps internet drop at my house from say, Pilosoft. My budget is, Maximum, $100/mo.
>
> I'm sure Alex would gladly provide it, if his upstream was cheaper/faster/etc and if Verizon could drop the right line.
>
> I mean, if you could get it for me, you'd sell it- right?

Yes, see above, regulation of last mile monopolies.

> > Last mile is a monopoly, that's why. IP transit *is* getting very cheap very fast - we went from 1000$/mbit about 8 years ago to 10-15$/mbit today, and we'll go to mid-teens soon.
>
> Gah. So it is getting faster! Gee, I wish my DSL provider told me (and dropped my rates, or improved my speed a bit)!
>
> (sidenote- can I run a patch cable from Williamsburg downtown to the Pilosoft NOC? Er, better, some fiber... I'll go dig in my closet for some... ;)

With that budget, no. However, if you want to get more people together, some opportunities like wireless stuff become possible, of course, not for 100$/month.

> >> - Promote the advancement of networking technology
> >> - Promote transparency of infrastructure
> >> - Keep ISP's blind to users data, just focus on throughput
> > In case of monopolies, yes, otherwise, hell no. I built my network, I paid for it, keep your hands offa it.
>
> Huh? As an end user of a 'Layer 3' service, this still may suck for me. Why should I accept a 'Layer 3' company mucking with my packets?

Why shouldn't you? It's their network, not yours. You don't own it, you are just a customer. If you don't like it, vote with your wallet and buy from someone else.
> No- I've never tested a pilosoft DSL line, but:
>
> - Even 'speed-tests', from a given vendor, are always slower than the sold-as speed- even if the location is right on top of the CO

Duh, because most speed-tests are

a) on some ghetto network so they don't pay much for free speedtests
b) java based and slow as hell
c) run by people who don't understand what tcp window size is either

The only meaningful speed test is downloading from your ISP's site. Everything else is 'best effort'.

> - with colo pipes, (as a cabinet and cage consumer- with IP/Net connectivity from the facility), It's hard to push more than 60mb on a 100mb pipe- even to servers a few cabinets away. Understandable, but worth mention.

I have to say, in the above case, it is definitely a problem between chair and keyboard. *you* need to track down what is the problem - is it insufficient buffers, tcp window size, duplex issues, etc, and not blame carrier. Just saying "omg im getting 60mbit" is silly.

> I know how the internet works- I know how networks perform- I'm just fed up with all the soft-metrics.

You are the one tossing them around. There are better ways to measure things, you should use them. (latency, packet loss, etc).

> >> - Help people realize the costs of the internet, discouraging 'the internet is free' (cost) mentality
> > That'd help. Clearly, it'd get rid of tards who think "unlimited" means dedicated as in "I can use 100% of my bandwidth 24x7 and not pay extra". I'm very much in favor of carriers placing GB caps and charging per GB - it is similar to abuse of dialup back in the day by staying connected 24x7. Unlimited does not mean dedicated.
>
> Well, from a reality perspective on the network side- I agree with you.
>
> However, the market has gone to selling different expectations- and 24x7 network saturation is something I tend to find ways to regularly do... I think others on this list do too.

Yes, exactly which is why I bring it up.
Smart customers should know better. But you (plural) don't. Yet you demand more knowledge about my networks - like that's gonna help you figure out what's TCP window size and what does it have to do with performance.

> >> And how do the big backbone providers, who have to run all of that multicast, (it has to flow somewhere, right?), how do they get compensated to maintain network load?
> > Same as every other traffic?
>
> No- I meant that with regard to the Over-Subscribe problem, (effectively DDOS'ing yourself to oblivion), the multicast has to get filtered at some point- yet it *all* flows back up at the top?

Why? I don't get it. The point of multicast is that it's sent only once at the top.

> >>> Currently cable companies are switching all their fiber to IP. They will deliver television to the set-top boxes over multicast IP. But they'll probably not let these IP packets leak out of their DRMbox. They might. They will DEFINITELY reserve the right to be multicast sources for themselves so they can sell your eyeballs to others, and keep your choices of TV stations tied to your choice of ISP.
> >>
> >> Yuck. This is exactly the kind of Content+Infrastructure nightmare I loathe.
> > Why? Nothing's wrong with that. If you had a *choice* of your cable carriers, that wouldn't be a problem.
>
> Are you joking? I'd need to change internet carriers if I wanted to watch a different TV show?

Yes, pretty much. If your carrier (say, time warner) bundles access to Springer with your interwebs access, and (say, cablevision) bundles access to Geraldo, what's wrong with that? You can watch anything *else* that you like from the interwebs, on the "best effort" packet delivery basis. Youtube seems to work just dandy here, after all.

-alex

From ike at lesmuug.org Sat Nov 1 20:21:56 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 1 Nov 2008 20:21:56 -0400
Subject: [nycbug-talk] Why is DSL-Cable asynchronous?
In-Reply-To:
References: <6700C37B-3636-4172-94D0-0CF70A3FCD24@lesmuug.org>
Message-ID: <852FFB77-5011-4BFF-A4C6-2F1CE5C4C67D@lesmuug.org>

On Nov 1, 2008, at 7:08 PM, Miles Nordin wrote:

> layer 10 market-forces baloney

Haha- I'd never put a layer 10 into the OSI model- I thought layers 8 and 0 were wild enough territory...

Rocket-
.ike

From alex at pilosoft.com Sat Nov 1 21:23:05 2008
From: alex at pilosoft.com (Alex Pilosov)
Date: Sat, 1 Nov 2008 21:23:05 -0400 (EDT)
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To: <18800958-F4F1-4AC5-8D9D-8E13E1CD9592@lesmuug.org>
Message-ID:

On Sat, 1 Nov 2008, Isaac Levy wrote:

> But this opens the door to another problem I've been talking to ISP's about (as a colo customer),
>
> If we have a world where 30mb/s down is becoming the norm for end users, why is bandwidth at the datacenter still so expensive?! I'm not comparing a DSL/Cable line to a solid pipe at a datacenter, but I am saying that people's expectations and uses of the internet are changing...

Yet you are doing just that. The 30mb/s bandwidth to end user is not expected to be used 24x7 - it is unlimited (for now) but not dedicated.

Your colo bandwidth *is* expected to be used 24x7 - in fact, you most likely pay based on 95th percentile, which results in paying only for what you use.

> Alex, is that the free market excellence you were speaking of? (I'm not trying to be rude- just playful- I know we all want faster/better/cheaper networks!)

Yes, just what I said - you don't pay enough for people to care. Free market at work.

Customers demand better and bigger things, but not interested in understanding economic realities, nor interested in paying more - instead I hear "cheaper", "government should mandate this". Guess what, someone's gonna have to pay for these upgrades - and it'll be you or your children in taxes, if you have it your way.
-alex

From ike at lesmuug.org Sat Nov 1 21:49:31 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 1 Nov 2008 21:49:31 -0400
Subject: [nycbug-talk] nyetwork neutrality, rehashed (was: some other crap)
In-Reply-To:
References:
Message-ID: <379446C0-432D-4345-A7AB-62722C0B44C1@lesmuug.org>

On Nov 1, 2008, at 9:16 PM, Alex Pilosov wrote:

> On Sat, 1 Nov 2008, Isaac Levy wrote:
>
>>> Crazy talk. Regulation is only necessary in case of monopolies. In every other case, vote with your wallet. If no one provides service that you want, start providing it.
>>>
>>> Then again, you *may* be talking about regulation of the last mile monopolies, in which case, I agree.
>>
>> Oh no- dude- we're on the same page here.
>>
>> Example: I want 100mbps internet drop at my house from say, Pilosoft. My budget is, Maximum, $100/mo.
>>
>> I'm sure Alex would gladly provide it, if his upstream was cheaper/faster/etc and if Verizon could drop the right line.
>>
>> I mean, if you could get it for me, you'd sell it- right?
> Yes, see above, regulation of last mile monopolies.

Great! Now here's the problem- as an end user of the internet, and a 'colo consumer', my only contact, the only people I pay and deal with at this scale, is 'layer 3' service providers...

So from my seat, aside from Legislation, what can a small business, or small fry like me, do to improve things?

>>> Last mile is a monopoly, that's why. IP transit *is* getting very cheap very fast - we went from 1000$/mbit about 8 years ago to 10-15$/mbit today, and we'll go to mid-teens soon.
>>
>> Gah. So it is getting faster! Gee, I wish my DSL provider told me (and dropped my rates, or improved my speed a bit)!
>>
>> (sidenote- can I run a patch cable from Williamsburg downtown to the Pilosoft NOC? Er, better, some fiber... I'll go dig in my closet for some... ;)
> With that budget, no.
> However, if you want to get more people together, some opportunities like wireless stuff become possible, of course, not for 100$/month.

Hrm... Interesting...

>>>> - Promote the advancement of networking technology
>>>> - Promote transparency of infrastructure
>>>> - Keep ISP's blind to users data, just focus on throughput
>>> In case of monopolies, yes, otherwise, hell no. I built my network, I paid for it, keep your hands offa it.
>>
>> Huh? As an end user of a 'Layer 3' service, this still may suck for me. Why should I accept a 'Layer 3' company mucking with my packets?
> Why shouldn't you? It's their network, not yours. You don't own it, you are just a customer. If you don't like it, vote with your wallet and buy from someone else.

Ok- but if I take that for my home/office internet, I have only a handful of options where I'm at: verizon, speakeasy, comcast, roadrunner, pilosoft, bway.net

I mean, realistically, what am I supposed to do- change my DSL every time I want to use my network connection in some way my ISP doesn't allow for?

>> No- I've never tested a pilosoft DSL line, but:
>>
>> - Even 'speed-tests', from a given vendor, are always slower than the sold-as speed- even if the location is right on top of the CO
> Duh, because most speed-tests are
>
> a) on some ghetto network so they don't pay much for free speedtests
> b) java based and slow as hell
> c) run by people who don't understand what tcp window size is either
>
> The only meaningful speed test is downloading from your ISP's site. Everything else is 'best effort'.

Right- and I'm saying that these speeds never meet advertised expectations. It's like buying a dozen eggs and 2 to 5 of them are consistently broken.

>> - with colo pipes, (as a cabinet and cage consumer- with IP/Net connectivity from the facility), It's hard to push more than 60mb on a 100mb pipe- even to servers a few cabinets away. Understandable, but worth mention.
> I have to say, in the above case, it is definitely a problem between chair and keyboard. *you* need to track down what is the problem - is it insufficient buffers, tcp window size, duplex issues, etc, and not blame carrier. Just saying "omg im getting 60mbit" is silly.

/sigh

Alex, next time I'm in the position to monopolize a network during a deployment, I promise I'll load up nettestd on some hosts and document a comprehensive test- just for you. Then I'll be fine if you explain to me what type of matter actually is between my chair and keyboard.

>> I know how the internet works- I know how networks perform- I'm just fed up with all the soft-metrics.
> You are the one tossing them around. There are better ways to measure things, you should use them. (latency, packet loss, etc).
>
>>>> - Help people realize the costs of the internet, discouraging 'the internet is free' (cost) mentality
>>> That'd help. Clearly, it'd get rid of tards who think "unlimited" means dedicated as in "I can use 100% of my bandwidth 24x7 and not pay extra". I'm very much in favor of carriers placing GB caps and charging per GB - it is similar to abuse of dialup back in the day by staying connected 24x7. Unlimited does not mean dedicated.
>>
>> Well, from a reality perspective on the network side- I agree with you.
>>
>> However, the market has gone to selling different expectations- and 24x7 network saturation is something I tend to find ways to regularly do... I think others on this list do too.
> Yes, exactly which is why I bring it up. Smart customers should know better. But you (plural) don't. Yet you demand more knowledge about my networks - like that's gonna help you figure out what's TCP window size and what does it have to do with performance.

Alex, you're talking to a list who understand things like TCP window size- but I'm not attacking you (personally or plurally) about stuff like that.
I'm talking more about things like blocked ports, QoS rules which affect the customer, whether or not the ISP will keep/sell any metrics/info about my line to 3rd parties, etc...

As a customer here, I don't want to know insane things about your network, do I? (just for people on list, I'm not a customer of Pilosoft but Alex is being a VERY good sport to go through this!)

>>>> And how do the big backbone providers, who have to run all of that multicast, (it has to flow somewhere, right?), how do they get compensated to maintain network load?
>>> Same as every other traffic?
>>
>> No- I meant that with regard to the Over-Subscribe problem, (effectively DDOS'ing yourself to oblivion), the multicast has to get filtered at some point- yet it *all* flows back up at the top?
> Why? I don't get it. The point of multicast is that it's sent only once at the top.

Right- but per Miles' post, if everybody is sending multicast, (let alone just the TV shows), that's a *lot* of data...

>>>>> Currently cable companies are switching all their fiber to IP. They will deliver television to the set-top boxes over multicast IP. but they'll probably not let these IP packets leak out of their DRMbox. They might. They will DEFINITELY reserve the right to be multicast sources for themselves so they can sell your eyeballs to others, and keep your choices of TV stations tied to your choice of ISP.
>>>>
>>>> Yuck. This is exactly the kind of Content+Infrastructure nightmare I loathe.
>>> Why? Nothing's wrong with that. If you had a *choice* of your cable carriers, that wouldn't be a problem.
>>
>> Are you joking? I'd need to change internet carriers if I wanted to watch a different TV show?
> Yes, pretty much. If your carrier (say, time warner) bundles access to Springer with your interwebs access, and (say, cablevision) bundles access to Geraldo, what's wrong with that?
> You can watch anything *else* that you like from the interwebs, on the "best effort" packet delivery basis. Youtube seems to work just dandy here, after all.

Dude- if I read you right, I think that's insane. It either presupposes that piracy is just the way to bypass this- (and that youtube is quality?), or you are saying that I change the wires coming into my apartment to watch a different show.

Neither of these ideas are sane to me, am I getting your meaning correctly?

Rocket-
.ike

From ike at lesmuug.org Sat Nov 1 21:57:36 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 1 Nov 2008 21:57:36 -0400
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To:
References:
Message-ID: <0A9BC898-95E7-487A-AACB-4158568C775D@lesmuug.org>

On Nov 1, 2008, at 9:23 PM, Alex Pilosov wrote:
> On Sat, 1 Nov 2008, Isaac Levy wrote:
>
>> But this opens the door to another problem I've been talking to ISP's about (as a colo customer),
>>
>> If we have a world where 30mb/s down is becoming the norm for end users, why is bandwidth at the datacenter still so expensive?! I'm not comparing a DSL/Cable line to a solid pipe at a datacenter, but I am saying that people's expectations and uses of the internet are changing...
> Yet you are doing just that. The 30mb/s bandwidth to end user is not expected to be used 24x7 - it is unlimited (for now) but not dedicated.
>
> Your colo bandwidth *is* expected to be used 24x7 - in fact, you most likely pay based on 95th percentile, which results in paying only for what you use.

OK, but what's the going rate for 30mbit transit for 'colo customers'? It surely isn't 10-15$/mbit?

>> Alex, is that the free market excellence you were speaking of? (I'm not trying to be rude- just playful- I know we all want faster/better/cheaper networks!)
> Yes, just what I said - you don't pay enough for people to care. Free market at work.
> Customers demand better and bigger things, but not interested in understanding economic realities,

I am interested in understanding economic realities!

> nor interested in paying more - instead I hear "cheaper", "government should mandate this". Guess what, someone's gonna have to pay for these upgrades - and it'll be you or your children in taxes, if you have it your way.
>
> -alex

I don't know man. I think you and I beat this thread nearly to death- and we could go on and not get so far. I will say, even though we don't agree on many points, I've got a lot to chew on for a while.

Rocket-
.ike

From alex at pilosoft.com Sat Nov 1 22:33:11 2008
From: alex at pilosoft.com (Alex Pilosov)
Date: Sat, 1 Nov 2008 22:33:11 -0400 (EDT)
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To: <0A9BC898-95E7-487A-AACB-4158568C775D@lesmuug.org>
Message-ID:

On Sat, 1 Nov 2008, Isaac Levy wrote:

> > On Sat, 1 Nov 2008, Isaac Levy wrote:
> >
> >> But this opens the door to another problem I've been talking to ISP's about (as a colo customer),
> >>
> >> If we have a world where 30mb/s down is becoming the norm for end users, why is bandwidth at the datacenter still so expensive?! I'm not comparing a DSL/Cable line to a solid pipe at a datacenter, but I am saying that people's expectations and uses of the internet are changing...
> > Yet you are doing just that. The 30mb/s bandwidth to end user is not expected to be used 24x7 - it is unlimited (for now) but not dedicated.
> >
> > Your colo bandwidth *is* expected to be used 24x7 - in fact, you most likely pay based on 95th percentile, which results in paying only for what you use.
>
> OK, but what's the going rate for 30mbit transit for 'colo customers'? It surely isn't 10-15$/mbit?

Sure is. Somewhere there or maybe slightly north from there.
-alex

From alex at pilosoft.com Sat Nov 1 22:50:23 2008
From: alex at pilosoft.com (Alex Pilosov)
Date: Sat, 1 Nov 2008 22:50:23 -0400 (EDT)
Subject: [nycbug-talk] nyetwork neutrality, rehashed (was: some other crap)
In-Reply-To: <379446C0-432D-4345-A7AB-62722C0B44C1@lesmuug.org>
Message-ID:

On Sat, 1 Nov 2008, Isaac Levy wrote:

> Now here's the problem- as an end user of the internet, and a 'colo consumer', my only contact, the only people I pay and deal with at this scale, is 'layer 3' service providers...
>
> So from my seat, aside from Legislation, what can a small business, or small fry like me, do to improve things?

As colo customer, you have very very very wide choice of providers, make it a smart one.

> >>> In case of monopolies, yes, otherwise, hell no. I built my network, I paid for it, keep your hands offa it.
> >>
> >> Huh? As an end user of a 'Layer 3' service, this still may suck for me. Why should I accept a 'Layer 3' company mucking with my packets?
> > Why shouldn't you? It's their network, not yours. You don't own it, you are just a customer. If you don't like it, vote with your wallet and buy from someone else.
>
> Ok- but if I take that for my home/office internet, I have only a handful of options where I'm at: verizon, speakeasy, comcast, roadrunner, pilosoft, bway.net

That's quite wide choice. There are a lot more companies like bway/pilosoft, look on dslreports for more.

> I mean, realistically, what am I supposed to do- change my DSL every time I want to use my network connection in some way my ISP doesn't allow for?

Yes.
> >> - Even 'speed-tests', from a given vendor, are always slower than the sold-as speed- even if the location is right on top of the CO
> > Duh, because most speed-tests are
> >
> > a) on some ghetto network so they don't pay much for free speedtests
> > b) java based and slow as hell
> > c) run by people who don't understand what tcp window size either
> >
> > The only meaningful speed test is downloading from your ISP's site. Everything else is 'best effort'.
>
> Right- and I'm saying that these speeds never meet advertised expectations. It's like buying a dozen eggs and 2 to 5 of them are consistently broken.

Which speeds? I'm saying tools you measure are broken, and the speeds are likely to be correct. It's like buying a dozen eggs and saying they are broken cause your egg-tester (made out of duct tape) says so.

> > I have to say, in the above case, it is definitely a problem between chair and keyboard. *you* need to track down what is the problem - is it insufficient buffers, tcp window size, duplex issues, etc, and not blame carrier. Just saying "omg im getting 60mbit" is silly.
>
> /sigh Alex, next time I'm in the position to monopolize a network during a deployment, I promise I'll load up nettestd on some hosts and document a comprehensive test- just for you.
>
> Then I'll be fine if you explain to me what type of matter actually is between my chair and keyboard.

You either measure it and prove it or don't post accusations that it's provider's fault, don't bring it up unless you can back it up.

> Alex, you're talking to a list who understand things like TCP window size- but I'm not attacking you (personally or plurally) about stuff like that.
>
> I'm talking more about things like blocked ports, QoS rules which affect the customer, whether or not the ISP will keep/sell any metrics/info about my line to 3rd parties, etc...

That all is fairly well known already, and documented. Particularly privacy policy is in your contract.
> >> No- I meant that with regard to the Over-Subscribe problem, (effectively DDOS'ing yourself to oblivion), the multicast has to get filtered at some point- yet it *all* flows back up at the top?
> > Why? I don't get it. The point of multicast is that it's sent only once at the top.
>
> Right- but per Miles' post, if everybody is sending multicast, (let alone just the TV shows), that's a *lot* of data...

But it's only sent ONCE.

> >> Are you joking? I'd need to change internet carriers if I wanted to watch a different TV show?
> > Yes, pretty much. If your carrier (say, time warner) bundles access to Springer with your interwebs access, and (say, cablevision) bundles access to Geraldo, what's wrong with that? You can watch anything *else* that you like from the interwebs, on the "best effort" packet delivery basis. Youtube seems to work just dandy here, after all.
>
> Dude- if I read you right, I think that's insane. It either presupposes that piracy is just the way to bypass this- (and that youtube is quality?), or you are saying that I change the wires coming into my apartment to watch a different show.

No, changing your carrier, not the wires. Wires are a natural monopoly. What flows on them shouldn't.

> Neither of these ideas are sane to me, am I getting your meaning correctly?

Something like that.

From carton at Ivy.NET Sat Nov 1 23:57:39 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Sat, 01 Nov 2008 23:57:39 -0400
Subject: [nycbug-talk] nyetwork neutrality, rehashed
In-Reply-To: (Alex Pilosov's message of "Sat, 1 Nov 2008 20:20:41 -0400 (EDT)")
References: <3345B09B-28AA-4020-91AA-599D5B6A52CC@lesmuug.org>
Message-ID:

>>>>> "ap" == Alex Pilosov writes:

    ap> http://www.mail-archive.com/nycwireless at lists.nycwireless.net/msg04904.html

QoS is only needed on the ends because the core network by convention does not fill.
There is not and probably never needs to be ``end-to-end QoS.'' For those cases when it does fill, it's within user expectation to have problems, like the old days when long distance carriers reported ``there are no lines available'' after a major televised earthquake made too many concerned relatives place calls at once.

Corporate WAN's built from private leased lines _do_ make end-to-end QoS a reality, today and routinely, but the technology faces a different task for that job than for the public Internet because a corporate WAN is a nationwide core network that has one-to-few last-miles spoking off each POP, so it's plausible and cost-effective to have core links that may fill before the last-mile links, while when this happens to an ISP it's a problem that should be fixed, and not by QoS.

I would like (and, in a rickety way, have rigged up for myself) a type of lastmile QoS that doesn't exist on these corporate WANs and would be hard to implement scalably, in ASIC, or across trust boundaries. It would:

 * let web browsing remain fast even while I'm bittorrenting
 * let me share Internet with neighbors without risking making my own Internet slow
 * divide bandwidth among the people inside my household evenly regardless of what they're doing

The type of QoS I imagine neutrality legislating would be much simpler and less capable than this. It'd be DiffServ-ish and based on CIR. Traffic can be Red, Green, or Black. There are three queues in the ASIC, and the ASIC always sends Green traffic (``CIR'') if it has some, then Red traffic (``best-effort''), and if there is no Green or Red traffic then it can send Black traffic (``violation''). If the ASIC has only two queues, it may drop Black traffic unconditionally without fucking up the overall system. On Red traffic the ASIC does RED (Random Early Detection, statistical packet dropping rather than FIFO to make TCP less bursty).
It'd be wonderful if it could do WFQ-RED, but i don't think that will be possible with line-rate ASIC's and is definitely impossible with L2 ASIC's.

Each packet is marked Red or Green or Black based on two checks:

 1. an L3 classifier. Customers specify a list of them. If a packet matches, it gets marked Green. Everything that doesn't match a classifier rule is Red.

 2. a rate-policer. If packets match the L3 rule, but are arriving more quickly than the rate you specify, they get marked Black.

This scheme is simple enough to work with Unsolicited Grant. Also the classifier and rate-policer can run on a separate box from the ASIC having 2 or 3 queues, so the ASIC that actually implements the priorities and does the stochastic dropping can be an L2 ASIC rather than L3, can be managed by a different company, does not need to speak reservation-protocol to the customer.

VoIP will of course be Green. You'll install rules on both ends of your last mile link when you set up the call legs. When you subscribe to receive a multicast flow (a television channel), you'll always add a classifier to turn it Green because multicast traffic can't be congestion-controlled like TCP (there is no closed loop) and often won't be retransmitted at all. The Black category gives you enough power to prevent subscribing to an unexpectedly high-traffic multicast stream from overwhelming your pipe.

It doesn't do the link-sharing things I dreamed of to the Red traffic, but it's enough to give non-ISP VoIP and IPTV companies competitively-fair access to customers of Speakeasy, Time Warner, Comcast, FiOS that are already using the kind of QoS I've just described to provide their ``triple play''. Since this type of QoS is already _working_, there's an existence proof that ADSLAM's and 6500's and broadcast L1's that these four companies have implemented on a national scale.
What's possibly missing is a reservation system for installing the filters that can work across a customer/ISP trust boundary, and desktop free software capable of ordering the reservations. Maybe there does exist such a protocol which is adequate (RSVP?), and I just don't understand it yet.

Here is one way to implement the reservation protocol. I hope it's not the way that Obama's team forces into legislative reality, but describing it proves that such a scheme is within reach.

The Upstream router looks at the DSCP the customer has put in his packets. It says either Red or Green. The upstream router does no policing, no step 2, and expects the customer to do this himself on the desktop. (not good enough IMHO, but a start.)

The Downstream router does flow-caching on packets received from the customer. Each cached flow also measures the rate of traffic received from the customer. The DSCP value the customer sent is cached along with the flow in the flow-forwarding hash table. The DSCP marked in Downstream customer-bound packets is ignored, and they're treated according to the DSCP stored in the flow cache. Downstream Green packets are policed to the measured rate of upstream packets in the same flow.

It's primitive. It's not adequate for IPTV. I think an explicit UDP reservation protocol is better. but I described something well within reach of current ASICs, sufficient for VoIP, requiring no nonexistent desktop software, and basically abuse-proof.

Whether something's a monopoly or not has become complicated, not a simple question of ``do they have competitors? more than one competitor? active shoppers?'' Talk to the same people espousing this simple view about their own plans for expansion and success in business, and they use words like ``horizontal and vertical integration,'' ``leverage,'' ``cannibalize.'' They're tying products together deliberately to smother customer choices and throw sand into the market's gears.
This isn't an accident or a byproduct, but rather their primary intent and method---their success is, _to their own view Mr. Triple Play,_ related primarily to how _much_ sand they can dream into existence and how sticky it makes the gears.

Market idealism is most thoroughly obsolete among the people who love, study, and succeed in markets. Causing markets to behave less ideally in your favour is what studying business is _about_ right now. It's too late to treat regulation as a response to an aberration. Maybe it used to be that, but not any more. Markets everywhere are saturated with regulation, and are not necessarily always impeded by it---the sophisticated markets all _depend_ on complicated regulation to function smoothly. This is the meaning of ``post-capitalist,'' and if there's one biggest-lesson from the present economic crisis, what the fuck else is it?!

From carton at Ivy.NET Sun Nov 2 01:45:52 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Sun, 02 Nov 2008 01:45:52 -0500
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To: Alex Pilosov's message of "Sat, 1 Nov 2008 20:32:38 -0400 (EDT)"
References: <40FE5E3D-0D6B-45F0-8A63-7BBAC184A14A@lesmuug.org> <18800958-F4F1-4AC5-8D9D-8E13E1CD9592@lesmuug.org> <379446C0-432D-4345-A7AB-62722C0B44C1@lesmuug.org> <2D876571-595F-4103-B248-E0A5662DA4E3@lesmuug.org>
Message-ID:

>>>>> "ap" == Alex Pilosov writes:
>>>>> "il" == Isaac Levy writes:

    ap> Pay more money for a reliable service.

for me $340/mo T1 loop was less reliable than $50/mo DSL loop, and *vastly* less reliable than one Verizon DSL + one Covad DSL. If you want reliability i think you need to get two of something because the business-class-enterprise claims seem to be a wooden cart full of baloney.
The extra cost seems more for service that's flexible:

 * bit-for-bit TDM service handed off as T1 on both ends---L2 exposed to the customer---that works well if you want to set up your own Cisco QoS, rather than handed off as L3 so QoS is hard and works shittily and inefficiently. also on T1 L2 Cisco can do weird things like split big packets and send small ones in the middle so small ones experience less jitter. you cannot do this with the L3 over ATM cheapo DSL stack.

 * symmetric service, if you are doing ``interesting'' things that require upstream rather than interweb downloading advertisements like grandma

The scheme is, design one package to capture almost all the customers, and compete for the pool vigorously. Make sure the package doesn't accommodate everyone so you don't ``cannibalize your higher-end products.'' soak whoever's left for whatever the market will bear.

    il> If we have a world where 30mb/s down [$75/mo] [...] why is
    il> bandwidth at the datacenter still so expensive?!

dunno, just gave one idea, gave some better ideas earlier, but at least high datacenter prices have nothing to do with the ``BINGO'' alohanet L1 stuff I spoke about which doesn't even apply to the ADSL/SDSL price difference much less prices for people without a last mile.

    ap> If your carrier (say, time warner) bundles
    ap> access to Springer with your interwebs access, and (say,
    ap> cablevision) bundles access to Geraldo, what's wrong with
    ap> that?

because we'll complain about something else later, and you'll say ``If you don't like Springer, then just watch Geraldo instead. He has competition.'' But we can't watch Geraldo without getting a new phone number. That's what it means, tying products together. using one monopoly to grab another.

but really I'm dreaming of busting television open, so that cable companies and TV stations are no longer gatekeepers of what gets a channel number on the dial and what doesn't.
The cable companies are terrified of Youtube, and anything else that might replace television. I expect their ultimate nightmare is being forced to give Internet players equal access to their customers' televisions, with the same QoS reservations and multicast efficiency they use to deliver ``bundled'' private TV to their DRMboxes.

When you talk about ``someone will have to pay for it,'' customers, taxpayers, someone, you're talking pay for implementation cost. This type of equal access is a threat to their business model, their ability to vertically integrate, their ability to _grow_ the ARPU they can squeeze from their territory. Compared to this threat I suspect they could give a shit about the added technical cost of securing QoS/mc interfaces for outsiders. They don't want their vertical tower sliced. It's not about cost at all---it fucks their whole business plan by opening television to competition. Right now they're gatekeepers. They keep TV off the Internet, and they keep the Internet off your television. They're the troll under the bridge. A fuck they could give about cost. It's more like, ``the LAST thing in which we'd dream of investing is something that gives our customers more choices, and thus gives us more competition.'' Yet multicast and QoS do just that.

Optimistic about ``markets'' you might imagine, ``if multicast and QoS are wanted, then the market will bring them about, because people will pay for them, and if people will pay then ISP's will build.'' no fucking way. it will not happen, not cable companies! Even when there's competition here, there is nothing like an open market or a free choice. There's a landscape, and they're manipulating it. We're entitled to some power to change the landscape, too.

    il> if everybody is sending multicast, (let alone just the TV
    il> shows), that's a *lot* of data...

not sure where the confusion comes from.
Multicast is strictly less data on each link that makes up the internet than it would take to accomplish the same amount of TV watching with unicast ``streaming''. You should probably just read about multicast.

The scalability downside to multicast is that it requires state on each intermediate router for each multicast flow passing through it. but there are a few tricks, and there are routers that are just Big. It's possible to flood all multicast near the core if necessary. Also the MPLS-VPN thing (the standards Speakeasy uses to implement their ``private WAN'' service) has some way that each VPN customer inside the MPLS can have as many flows as they like with a fixed amount of state on the MPLS core routers. I do not understand how this works nor understand MPLS in general, but the point is the existing, implemented standards are extremely ambitious and intend to handle Internet-scale multicast.

note that there are non-TV-like applications of multicast. There's a reliable-delivery standard where the multicast source gets NAK's from the destinations to unicast replacements for missed packets---one could imagine many uses for this, like whiteboards, distributed locking, Usenet-like file delivery. This one has some complexity that i don't understand to block ``NAK storms'' if there's an interruption high in the spanning tree.

The other different kinds amount to playing games with the destination group address, which are a scarce resource and there is a lot of bickering about how to assign them, but conceptually they could all be implemented with the same tools as the IPTV case if you burned through more group destination addresses. Among these there's many-to-many multicast where any subscriber to the multicast group is also inclined to source traffic to the group, like a multiplayer video game or a videoconference with split windows like the intro to the brady bunch.
There's source-specific multicast where the scope of the group destination address is the sender's IP, so you cannot do many-to-many any longer but you can allocate the group addresses yourself right on the source host without consulting anyone. And there is some complicated minimally-implemented DHCP-ish protocol for choosing group destination addresses.

From jonathan at kc8onw.net Sun Nov 2 14:00:22 2008
From: jonathan at kc8onw.net (Jonathan)
Date: Sun, 02 Nov 2008 14:00:22 -0500
Subject: [nycbug-talk] TCP tuning between FreeBSD and Vista
Message-ID: <490DF8C6.2010309@kc8onw.net>

OK I'm stuck :(

I've been playing with it for two days and I can't for the life of me get more than 7% utilization of a gigabit link between my laptop and my file server. I've gone through man tuning as well as a great deal of Google searching and here are the settings I've tried tweaking with their current values. My current testing is transmitting from FreeBSD to Vista so I've not messed with receive specific settings on BSD or the transmit specific on Vista.

FreeBSD
net.inet.tcp.rfc1323: 1
net.inet.tcp.sendspace: 1048576
net.inet.tcp.recvspace: 1048576
net.inet.tcp.delayed_ack: 1
net.inet.tcp.sendbuf_max: 262144

Vista
TCP Global Parameters
----------------------------------------------
Receive-Side Scaling State : enabled
Chimney Offload State : enabled
Receive Window Auto-Tuning Level : normal
Add-On Congestion Control Provider : ctcp
ECN Capability : disabled
RFC 1323 Timestamps : enabled

I even did a wireshark dump which looks fine other than the fact I can't get higher than 7%

Trimmed wireshark trace start follows

[SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=9
[SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=8
[ACK] Seq=1 Ack=1 Win=1049600 Len=0

The window stays at 1049600 for the remainder of the connection.
Am I missing something obvious or does anyone have any suggestions to try as I'm getting rather frustrated at this point.

Thanks,
Jonathan Stewart

From spork at bway.net Sun Nov 2 14:05:00 2008
From: spork at bway.net (Charles Sprickman)
Date: Sun, 2 Nov 2008 14:05:00 -0500 (EST)
Subject: [nycbug-talk] TCP tuning between FreeBSD and Vista
In-Reply-To: <490DF8C6.2010309@kc8onw.net>
References: <490DF8C6.2010309@kc8onw.net>
Message-ID:

On Sun, 2 Nov 2008, Jonathan wrote:

> OK I'm stuck :(
>
> I've been playing with it for two days and I can't for the life of me get more than 7% utilization of a gigabit link between my laptop and my file server. I've gone through man tuning as well as a great deal of Google searching and here are the settings I've tried tweaking with their current values. My current testing is transmitting from FreeBSD to Vista so I've not messed with receive specific settings on BSD or the transmit specific on Vista.

What version of FreeBSD? In 7.x, they enabled SCTP, which may or may not have any bearing on this.

Are other non-vista machines capable of getting closer to line rate?

Charles

> FreeBSD
> net.inet.tcp.rfc1323: 1
> net.inet.tcp.sendspace: 1048576
> net.inet.tcp.recvspace: 1048576
> net.inet.tcp.delayed_ack: 1
> net.inet.tcp.sendbuf_max: 262144
>
> Vista
> TCP Global Parameters
> ----------------------------------------------
> Receive-Side Scaling State : enabled
> Chimney Offload State : enabled
> Receive Window Auto-Tuning Level : normal
> Add-On Congestion Control Provider : ctcp
> ECN Capability : disabled
> RFC 1323 Timestamps : enabled
>
> I even did a wireshark dump which looks fine other than the fact I can't get higher than 7%
>
> Trimmed wireshark trace start follows
>
> [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=9
> [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=8
> [ACK] Seq=1 Ack=1 Win=1049600 Len=0
>
> The window stays at 1049600 for the remainder of the connection.
>
> Am I missing something obvious or does anyone have any suggestions to try as I'm getting rather frustrated at this point.
>
> Thanks,
> Jonathan Stewart

From ike at lesmuug.org Sun Nov 2 14:09:13 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sun, 2 Nov 2008 14:09:13 -0500
Subject: [nycbug-talk] TCP tuning between FreeBSD and Vista
In-Reply-To: <490DF8C6.2010309@kc8onw.net>
References: <490DF8C6.2010309@kc8onw.net>
Message-ID:

Word,

On Nov 2, 2008, at 2:00 PM, Jonathan wrote:

> OK I'm stuck :(
>
> I've been playing with it for two days and I can't for the life of me get more than 7% utilization of a gigabit link between my laptop and my file server. I've gone through man tuning as well as a great deal of Google searching and here are the settings I've tried tweaking with their current values. My current testing is transmitting from FreeBSD to Vista so I've not messed with receive specific settings on BSD or the transmit specific on Vista.
>
> FreeBSD
> net.inet.tcp.rfc1323: 1
> net.inet.tcp.sendspace: 1048576
> net.inet.tcp.recvspace: 1048576
> net.inet.tcp.delayed_ack: 1
> net.inet.tcp.sendbuf_max: 262144
>
> Vista
> TCP Global Parameters
> ----------------------------------------------
> Receive-Side Scaling State : enabled
> Chimney Offload State : enabled
> Receive Window Auto-Tuning Level : normal
> Add-On Congestion Control Provider : ctcp
> ECN Capability : disabled
> RFC 1323 Timestamps : enabled
>
> I even did a wireshark dump which looks fine other than the fact I can't get higher than 7%
>
> Trimmed wireshark trace start follows
>
> [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=9
> [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=8
> [ACK] Seq=1 Ack=1 Win=1049600 Len=0
>
> The window stays at 1049600 for the remainder of the connection.
>
> Am I missing something obvious or does anyone have any suggestions to try as I'm getting rather frustrated at this point.
>
> Thanks,
> Jonathan Stewart

Oh- Vista- no idea, but,

Not sure if this helps, but I've read through this before and remember it had WinXP/2000 tuning instructions in it:

http://www.psc.edu/networking/projects/tcptune/

Rocket-
.ike

From jonathan at kc8onw.net Sun Nov 2 14:11:29 2008
From: jonathan at kc8onw.net (Jonathan)
Date: Sun, 02 Nov 2008 14:11:29 -0500
Subject: [nycbug-talk] TCP tuning between FreeBSD and Vista
In-Reply-To:
References: <490DF8C6.2010309@kc8onw.net>
Message-ID: <490DFB61.3020101@kc8onw.net>

Charles Sprickman wrote:
> What version of FreeBSD? In 7.x, they enabled SCTP, which may or may not have any bearing on this.

7-Stable from not too long after 7-Release. Updating is an option but I don't think any relevant changes have been committed since I last updated.

> Are other non-vista machines capable of getting closer to line rate?

I haven't been able to get my hands on another machine to test with yet. Hopefully I'll have one I can test with tonight.

Jonathan Stewart

From alex at pilosoft.com Sun Nov 2 14:19:46 2008
From: alex at pilosoft.com (Alex Pilosov)
Date: Sun, 2 Nov 2008 14:19:46 -0500 (EST)
Subject: [nycbug-talk] TCP tuning between FreeBSD and Vista
In-Reply-To: <490DF8C6.2010309@kc8onw.net>
Message-ID:

On Sun, 2 Nov 2008, Jonathan wrote:

> I've been playing with it for two days and I can't for the life of me get more than 7% utilization of a gigabit link between my laptop and my file server. I've gone through man tuning as well as a great deal of Google searching and here are the settings I've tried tweaking with their current values. My current testing is transmitting from FreeBSD to Vista so I've not messed with receive specific settings on BSD or the transmit specific on Vista.

99% chance that either
a) you have a duplex issue (check netstat -i)
b) it's not gigabit.
-alex

From jonathan at kc8onw.net Sun Nov 2 14:43:54 2008
From: jonathan at kc8onw.net (Jonathan)
Date: Sun, 02 Nov 2008 14:43:54 -0500
Subject: [nycbug-talk] TCP tuning between FreeBSD and Vista
In-Reply-To:
References:
Message-ID: <490E02FA.4070900@kc8onw.net>

Alex Pilosov wrote:
> On Sun, 2 Nov 2008, Jonathan wrote:
>
>> I've been playing with it for two days and I can't for the life of me
>> get more than 7% utilization of a gigabit link between my laptop and my
>> file server. I've gone through man tuning as well as a great deal of
>> Google searching and here are the settings I've tried tweaking with
>> their current values. My current testing is transmitting from FreeBSD
>> to Vista so I've not messed with receive specific settings on BSD or the
>> transmit specific on Vista.
> 99% chance that either
> a) you have a duplex issue (check netstat -i)
> b) it's not gigabit.

Back to back gigabit with both interfaces autodetecting at 1Gbit full duplex and no errors showing in netstat, no lost packets in the wireshark trace either.

I did just find this though which is interesting:

http://www-didc.lbl.gov/TCP-tuning/Windows-Vista.html

"""There is no way to adjust the default TCP buffer in Vista, which is 64 KB. Also, the Windows Vista autotuning algorithm is not used unless the RTT is greater than 1 ms, so single stream TCP will be throttled on a LAN by this small default TCP buffer. """

With the systems back to back (no switch even) the RTT is much less than 1ms which makes me think Vista is using a default unscaled TCP window if this is correct and given that when I force autotuning to disabled I get the exact same throughput seems rather likely to be correct :(

[a bit later]

I tried adding a switch to the link but as I expected it didn't add enough latency or make any other difference in the transmit rate.
Jonathan Stewart

From jonathan at kc8onw.net Sun Nov 2 14:46:00 2008
From: jonathan at kc8onw.net (Jonathan)
Date: Sun, 02 Nov 2008 14:46:00 -0500
Subject: [nycbug-talk] TCP tuning between FreeBSD and Vista
In-Reply-To:
References: <490DF8C6.2010309@kc8onw.net>
Message-ID: <490E0378.6060109@kc8onw.net>

Isaac Levy wrote:
> Oh- Vista- no idea, but,
>
> Not sure if this helps, but I've read through this before and remember
> it had WinXP/2000 tuning instructions in it:
>
> http://www.psc.edu/networking/projects/tcptune/

Most of that is not relevant to Vista as it has an autotuning TCP stack like FreeBSD now and it ignores some of those settings completely. I did come across that before and it was a good resource though so thanks for the suggestion anyway.

Jonathan

From chsnyder at gmail.com Sun Nov 2 20:09:20 2008
From: chsnyder at gmail.com (csnyder)
Date: Sun, 2 Nov 2008 20:09:20 -0500
Subject: [nycbug-talk] Cogent and Sprint - a signal of things getting Oldschool?
In-Reply-To:
References: <40FE5E3D-0D6B-45F0-8A63-7BBAC184A14A@lesmuug.org> <18800958-F4F1-4AC5-8D9D-8E13E1CD9592@lesmuug.org> <379446C0-432D-4345-A7AB-62722C0B44C1@lesmuug.org> <2D876571-595F-4103-B248-E0A5662DA4E3@lesmuug.org>
Message-ID:

Guys, thanks for this thread, very informative.

Isaac Levy wrote:
> Big waves of upgrade: Re-Wire all of NYC with FIOS and light it all at once (big expenditure all at once)

And by all-at-once you mean between now and 2017 when the rollout is complete. Guess which end of that Brooklyn is on? It took over 20 years to finally install cable tv across all five boroughs.

http://query.nytimes.com/gst/fullpage.html?res=9B0DE4D61438F934A1575AC0A961948260

Miles Nordin wrote:
> note that there are non-TV-like applications of multicast.

Stock tickers. Weather radar. Traffic cameras. Large scale lighting or HVAC systems. MMORPG world state. ... or any other one-to-many stream of information, obviously. Not just high-bandwidth, but also low-bandwidth+many listeners.
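Jonathan's trace and the LBL note quoted above both point at the receive window as the suspect. As an added check (example code, not from anyone in the thread), the block below parses the trimmed handshake he posted, recovers the 16-bit on-wire window field behind Wireshark's scaled display, and computes the throughput a fixed receive window permits at a given RTT. The handshake lines are copied from the post as sample input; the 64 KB figure is the Vista default the LBL page quotes, and a 1 Gbit/s link is assumed. Run as a script it shows that a 64 KiB window at a 0.2 ms LAN RTT still permits the whole link and at 1 ms about half of it, so a 7% ceiling needs a cause other than window size, which matches the MMCSS finding later in the thread.

```python
import re

# Trimmed Wireshark handshake as posted in the thread, copied here as
# constructed sample input (FreeBSD is the initiator, Vista the responder).
HANDSHAKE = """\
[SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=9
[SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1460 WS=8
[ACK] Seq=1 Ack=1 Win=1049600 Len=0
"""

GIGABIT_BPS = 1_000_000_000  # assumed link speed


def _field(line, name):
    """Extract an integer 'Name=123' field from one Wireshark summary line."""
    m = re.search(rf"\b{name}=(\d+)", line)
    return int(m.group(1)) if m else None


def parse_handshake(text):
    """Pull window-scale shifts and window fields out of the three handshake
    lines. Window fields carried in SYN and SYN-ACK are never scaled
    (RFC 1323), so only later segments use the negotiated shift."""
    syn, synack, first_ack = [l for l in text.splitlines() if l.strip()][:3]
    return {
        "initiator_shift": _field(syn, "WS"),
        "responder_shift": _field(synack, "WS"),
        "initiator_syn_win": _field(syn, "Win"),
        "responder_syn_win": _field(synack, "Win"),
        "initiator_ack_win": _field(first_ack, "Win"),
    }


def raw_window_field(displayed_window, shift):
    """Wireshark shows the scaled window; recover the 16-bit on-wire field
    and reject a value that cannot have come from the negotiated shift."""
    raw = displayed_window >> shift
    if raw << shift != displayed_window or raw > 0xFFFF:
        raise ValueError("window not consistent with the negotiated shift")
    return raw


def window_ceiling_bps(window_bytes, rtt_s):
    """A sender can have at most one receive window in flight per RTT."""
    return window_bytes * 8 / rtt_s


def window_limited_utilization(window_bytes, rtt_s, link_bps=GIGABIT_BPS):
    """Fraction of the link a fixed window permits (capped at 1.0)."""
    return min(1.0, window_ceiling_bps(window_bytes, rtt_s) / link_bps)


def rtt_for_utilization(window_bytes, utilization, link_bps=GIGABIT_BPS):
    """RTT at which a fixed window alone would cap the link at this fraction."""
    return window_bytes * 8 / (utilization * link_bps)


if __name__ == "__main__":
    hs = parse_handshake(HANDSHAKE)
    shift = hs["initiator_shift"]
    print("initiator on-wire window field after handshake:",
          raw_window_field(hs["initiator_ack_win"], shift), "<<", shift)
    # The LBL page quoted in the thread: Vista keeps a 64 KB window when
    # RTT < 1 ms. Check what that window alone would allow on a LAN.
    for rtt_ms in (0.2, 1.0, 5.0):
        util = window_limited_utilization(64 * 1024, rtt_ms / 1000)
        print(f"64 KiB window, RTT {rtt_ms} ms: at most {util:.0%} of gigabit")
    print("RTT needed for a 64 KiB window alone to cap at 7%:",
          f"{rtt_for_utilization(64 * 1024, 0.07) * 1000:.1f} ms")
```

The same functions apply to any capture: take the scaled window the receiver advertises in steady state, the measured RTT, and compare the ceiling to the rate actually observed before touching sysctls on either end.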
From skreuzer at exit2shell.com Mon Nov 3 09:07:49 2008
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Mon, 3 Nov 2008 09:07:49 -0500
Subject: [nycbug-talk] TCP tuning between FreeBSD and Vista
In-Reply-To:
References:
Message-ID:

On Nov 2, 2008, at 2:19 PM, Alex Pilosov wrote:
> On Sun, 2 Nov 2008, Jonathan wrote:
>
>> I've been playing with it for two days and I can't for the life of me
>> get more than 7% utilization of a gigabit link between my laptop and my
>> file server. I've gone through man tuning as well as a great deal of
>> Google searching and here are the settings I've tried tweaking with
>> their current values. My current testing is transmitting from FreeBSD
>> to Vista so I've not messed with receive specific settings on BSD or the
>> transmit specific on Vista.
> 99% chance that either
> a) you have a duplex issue (check netstat -i)
> b) it's not gigabit.

At work we were recently testing some new network equipment and out of every piece of equipment we tested, only one of them managed to deliver on the full capacity of the link. When the interface was brought up, it would negotiate at the full speed, but we would usually only get 50% utilization on average.

Another reason might be the method you are using to do your tests. Since you said this was a file server, are you just copying a file from Vista to FreeBSD? If so, you'll also have to look to see if the hard drive is the bottleneck (Chances are that it is). If this is your testing methodology, I would take a look at using something like tcppref.

Another possibility is that the controller your hard drive is connected to shares the same PCI bus that you have your NIC in and they are sharing interrupts. If at all possible, it's usually better to not share.
SK

From jonathan at kc8onw.net Mon Nov 3 10:47:05 2008
From: jonathan at kc8onw.net (Jonathan)
Date: Mon, 03 Nov 2008 10:47:05 -0500
Subject: [nycbug-talk] TCP tuning between FreeBSD and Vista [SOLVED]
In-Reply-To:
References:
Message-ID: <490F1CF9.6080009@kc8onw.net>

First off *many* thanks to all that made suggestions and tried to help. I hate it when I miss the obvious :(

I finally found out that I hit 98% between the two machines when using ttcp *when my media player is stopped or closed*. I remember reading about network issues when playing music many months ago when I was first learning about Vista but for some reason I either never noticed the issue before or never triggered it.

More details can be found here http://blogs.zdnet.com/Ou/?p=711 and here http://blogs.technet.com/markrussinovich/archive/2007/08/27/1833290.aspx

Although I saw references to being able to change MMCSS settings in Vista SP1 I never actually saw anything on where to make the changes so I simply disabled MMCSS completely as seen here http://courtneymalone.com/2007/08/28/a-note-on-vista-network-speed/

Thanks again to all that helped and I am once again glad I run BSD on my server and don't have to deal with this crap there,

Jonathan Stewart

From skreuzer at exit2shell.com Mon Nov 3 10:51:21 2008
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Mon, 3 Nov 2008 10:51:21 -0500
Subject: [nycbug-talk] DCBSDCon 2009 Call for Papers
References: <20081103005815.GW21806@dixongroup.net>
Message-ID: <389C4BE9-277C-4A5B-B798-F8F1BB06C416@exit2shell.com>

Sorry for top posting, but I saw this on the freebsd-advocacy mailing list and I figured DC is close enough to NY to pass this along. Hopefully some of you will respond to the call for papers.
I would love to see some NYCBUG folks invade DC

SK

Begin forwarded message:

> From: Jason Dixon
> Date: November 2, 2008 7:58:15 PM EST
> To: freebsd-advocacy at freebsd.org
> Subject: DCBSDCon 2009 Call for Papers
>
> The DCBSDCon conference has opened up a Call for Papers for the 2009
> event. Speakers are welcome to submit any topic of interest, although
> security themes are preferred. This conference leads up to the very
> popular ShmooCon hacker convention in Washington, D.C. where BSD
> developers and users are always in attendance.
>
> Main Website: http://www.dcbsdcon.org/
> Call For Papers: http://www.dcbsdcon.org/cfp.html
>
> Hope to see you there!
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/
> _______________________________________________
> freebsd-advocacy at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-advocacy
> To unsubscribe, send any mail to "freebsd-advocacy-unsubscribe at freebsd.org"

From matt at atopia.net Tue Nov 4 11:28:22 2008
From: matt at atopia.net (Matt Juszczak)
Date: Tue, 4 Nov 2008 11:28:22 -0500 (EST)
Subject: [nycbug-talk] Statistical Monitoring
Message-ID: <20081104112555.U81533@mercury.atopia.net>

Hi all,

What do all of you use for monitoring now-n-days? In the past I've used a combination of Nagios and Cacti, but I've setup Nagios on a new setup, and while investigating Cacti (via SNMP) I also began investigating Ganglia.

What do all of you prefer - push methods or pull methods for statistics gathering and graphing? It seems using Cacti with SNMP would work nicely, but also using Ganglia to push the data to a centralized gmond (which I've also done in the past) works well, too.

Thoughts?
From max at neuropunks.org Tue Nov 4 11:41:02 2008
From: max at neuropunks.org (Max Gribov)
Date: Tue, 04 Nov 2008 11:41:02 -0500
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <20081104112555.U81533@mercury.atopia.net>
References: <20081104112555.U81533@mercury.atopia.net>
Message-ID: <49107B1E.4070606@neuropunks.org>

Matt Juszczak wrote:
> Hi all,
>
> What do all of you use for monitoring now-n-days? In the past I've used a
> combination of Nagios and Cacti, but I've setup Nagios on a new setup, and
> while investigating Cacti (via SNMP) I also began investigating Ganglia.
>
>
I like symon (http://www.xs4all.nl/~wpd/symon/) - it's a server/client push set up, so you can aggregate and graph in one place, it should be in ports

I also like vnstat for cumulative traffic stats. There's also mailstat.pl for postfix, and something very similar for BIND

hope this helps..

> What do all of you prefer - push methods or pull methods for statistics
> gathering and graphing? It seems using Cacti with SNMP would work nicely,
> but also using Ganglia to push the data to a centralized gmond (which
> I've also done in the past) works well, too.
>
> Thoughts?
>

From pete at nomadlogic.org Tue Nov 4 11:42:22 2008
From: pete at nomadlogic.org (pete)
Date: Tue, 04 Nov 2008 11:42:22 -0500
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <20081104112555.U81533@mercury.atopia.net>
References: <20081104112555.U81533@mercury.atopia.net>
Message-ID: <1acbaffb199c20f07c31a826bddbc982@nomadlogic.org>

On Tue, 4 Nov 2008 11:28:22 -0500 (EST), Matt Juszczak wrote:
> Hi all,
>
> What do all of you use for monitoring now-n-days? In the past I've used a
> combination of Nagios and Cacti, but I've setup Nagios on a new setup, and
> while investigating Cacti (via SNMP) I also began investigating Ganglia.
>
> What do all of you prefer - push methods or pull methods for statistics
> gathering and graphing? It seems using Cacti with SNMP would work nicely,
> but also using Ganglia to push the data to a centralized gmond (which
> I've also done in the past) works well, too.
>
> Thoughts?
>

while i would not say that nagios is the best thing out there - i was actually quite happy with nagios v3 after moving off of v1 and v2. you can relay alerts from one nagios installation to another (i.e. forward alerts from one DC/office to your NOC) which was helpful for us. it's pretty easy to write custom alerts if you need to (we usually let our middleware developers write alerts in their language of choice perl/python/ruby/etc.) if their code that has to be monitored is not snmp friendly.

cacti is pretty nice for trending i have found, and it seems quite flexible too. the stock php snmp agent is crap for anything more than a couple network nodes - but they do have a compiled C poller as well. the UI is great for management types too i have found.

we did look into Zenoss as well - but we had a lot of time and effort invested in our existing nagios alerts so we did not go that route. having said that, it does look like it could be a nice package combining trending and alerts: http://www.zenoss.com/

HTH,
-pete

--
Pete Wright
pete at nomadlogic.org
310.869.9459

From skreuzer at exit2shell.com Tue Nov 4 11:59:25 2008
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Tue, 4 Nov 2008 11:59:25 -0500
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <20081104112555.U81533@mercury.atopia.net>
References: <20081104112555.U81533@mercury.atopia.net>
Message-ID: <22CFDD18-73C9-4732-9BD6-545808E35921@exit2shell.com>

On Nov 4, 2008, at 11:28 AM, Matt Juszczak wrote:
> Hi all,
>
> What do all of you use for monitoring now-n-days?
> In the past I've used a
> combination of Nagios and Cacti, but I've setup Nagios on a new setup, and
> while investigating Cacti (via SNMP) I also began investigating Ganglia.
>
> What do all of you prefer - push methods or pull methods for statistics
> gathering and graphing? It seems using Cacti with SNMP would work nicely,
> but also using Ganglia to push the data to a centralized gmond (which
> I've also done in the past) works well, too.

I used Ganglia at a previous job and for the most part found it to be a nice way to quickly poll several thousand hosts.

In addition to having it report on things like cpu and memory usage, it was integrated into one of our internally developed applications which allowed us to retrieve statistics specific to that application in a more efficient manner.

Previously all the statistics were being exported by a tiny built in web server and then having a script make http get requests to each server. It did not scale too well.

My only complaint with ganglia is that after running it for a while, it would stop responding to requests and require the service to be restarted.

Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From bonsaime at gmail.com Tue Nov 4 12:39:26 2008
From: bonsaime at gmail.com (Jesse Callaway)
Date: Tue, 4 Nov 2008 12:39:26 -0500
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <20081104112555.U81533@mercury.atopia.net>
References: <20081104112555.U81533@mercury.atopia.net>
Message-ID:

On Tue, Nov 4, 2008 at 11:28 AM, Matt Juszczak wrote:
> Hi all,
>
> What do all of you use for monitoring now-n-days? In the past I've used a
> combination of Nagios and Cacti, but I've setup Nagios on a new setup, and
> while investigating Cacti (via SNMP) I also began investigating Ganglia.
>
> What do all of you prefer - push methods or pull methods for statistics
> gathering and graphing?
> It seems using Cacti with SNMP would work nicely,
> but also using Ganglia to push the data to a centralized gmond (which
> I've also done in the past) works well, too.
>
> Thoughts?
>

I'm running Nagios + pnp4nagios which takes the extra data that the nagios service checks picks up and makes RRD/Cacti graphs out of them. I did this to reduce the amount of polling which can skew results, and soaks up resources for those times when you really need the graphs. Also it's all wrapped up in one place to maintain.

I'm scared of SNMP security-wise, but that may be because I don't know enough about it.

Pull methods have the advantage of allowing for failover/redundant monitoring servers. Push methods can be easier on the firewall.

-jesse

From george at ceetonetechnology.com Tue Nov 4 13:32:21 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 04 Nov 2008 13:32:21 -0500
Subject: [nycbug-talk] OT - cloud computing
Message-ID: <49109535.5050405@ceetonetechnology.com>

This is from one of the network theory blogs I follow. . . pretty funny:

http://intelfusion.net/wordpress/?p=441

g

From matt at atopia.net Tue Nov 4 15:00:23 2008
From: matt at atopia.net (Matt Juszczak)
Date: Tue, 4 Nov 2008 15:00:23 -0500 (EST)
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <49107B1E.4070606@neuropunks.org>
References: <20081104112555.U81533@mercury.atopia.net> <49107B1E.4070606@neuropunks.org>
Message-ID: <20081104145812.U49065@mercury.atopia.net>

> I like symon (http://www.xs4all.nl/~wpd/symon/) - it's a server/client
> push set up, so you can aggregate and graph in one place, it should be
> in ports

So you code the pushing of the statistics and it graphs it?
It's light-weight, which I like, but the problem is that our router and firewall only allow us to gather info via snmp, so I was hoping for something that could support both retrieving information via SNMP, and also accepting information "pushed" to it. Does such a thing exist, or should I use symon and just setup mrtg for the load balancer and firewall?

From matt at atopia.net Tue Nov 4 15:04:17 2008
From: matt at atopia.net (Matt Juszczak)
Date: Tue, 4 Nov 2008 15:04:17 -0500 (EST)
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <1acbaffb199c20f07c31a826bddbc982@nomadlogic.org>
References: <20081104112555.U81533@mercury.atopia.net> <1acbaffb199c20f07c31a826bddbc982@nomadlogic.org>
Message-ID: <20081104150043.A49065@mercury.atopia.net>

> while i would not say that nagios is the best thing out there - i was
> actually quite happy with nagios v3 after moving off of v1 and v2. you can
> relay alerts from one nagios installation to another (i.e. forward alerts
> from one DC/office to your NOC) which was helpful for us. it's pretty easy
> to write custom alerts if you need to (we usually let our middleware
> developers write alerts in their language of choice perl/python/ruby/etc.)
> if their code that has to be monitored is not snmp friendly.

I believe there are two different types of monitoring: one for alerts (pulling real-time statistics and alerting based on those statistics), and one to calculate things over time (storing statistics for graphing, etc.). Correct me if I'm wrong, but I feel like some people use one without the other, and vice versa. I already have nagios setup (it's pulling data mostly by connecting via TCP/IP, and for local checks it's (for now) polling via check_by_ssh). I'd eventually like to replace the check_by_ssh checks with SNMP for disk usage, CPU, etc.

> cacti is pretty nice for trending i have found, and it seems quite flexible
> too.
> the stock php snmp agent is crap for anything more than a couple
> network nodes - but they do have a compiled C poller as well. the UI is
> great for management types too i have found.

Cacti is really only for polling via SNMP though, am I correct? And it's a pull system only, right?

> we did look into Zenoss as well - but we had alot of time and effort
> invested in our existing nagios alerts so we did not go that route. having
> said that, it does look like it could be a nice package combining trending
> and alerts:

Ah, I see =) The answer I was looking for before! But I've already setup nagios, so at this point, I'm looking for something to use for trending only.

From matt at atopia.net Tue Nov 4 15:05:31 2008
From: matt at atopia.net (Matt Juszczak)
Date: Tue, 4 Nov 2008 15:05:31 -0500 (EST)
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <22CFDD18-73C9-4732-9BD6-545808E35921@exit2shell.com>
References: <20081104112555.U81533@mercury.atopia.net> <22CFDD18-73C9-4732-9BD6-545808E35921@exit2shell.com>
Message-ID: <20081104150428.O49065@mercury.atopia.net>

> I used Ganglia at a previous job and for the most part found it to be a
> nice way to quickly poll several thousand hosts.
>
> In addition to having it report on things like cpu and memory usage, it
> was integrated into one of our internally developed applications which
> allowed us to retrieve statistics specific to that application in a more
> efficient manner.
>
> Previously all the statistics were being exported by a tiny built in web
> server and then having a script make http get requests to each server.
> It did not scale too well.
>
> My only complaint with ganglia is that after running it for a while, it
> would stop responding to requests and require the service to be
> restarted.

Your experience with Ganglia has been simply as a push agent, correct? You can collect statistics via any method you choose and just push to gmond?
I don't believe ganglia has a "pull" method where it can combine querying snmp as well, does it?

From matt at atopia.net Tue Nov 4 15:09:17 2008
From: matt at atopia.net (Matt Juszczak)
Date: Tue, 4 Nov 2008 15:09:17 -0500 (EST)
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To:
References: <20081104112555.U81533@mercury.atopia.net>
Message-ID: <20081104150608.K49065@mercury.atopia.net>

> I'm running Nagios + pnp4nagios which takes the extra data that the
> nagios service checks picks up and makes RRD/Cacti graphs out of them.
> I did this to reduce the amount of polling which can skew results, and
> soaks up resources for those times when you really need the graphs.
> Also it's all wrapped up in one place to maintain.

Sounds cool, but I'm running a lot of my checks via check_by_ssh, so when things get bogged down, I tend to get a lot of "plugin timeout". Technically, I could switch these to SNMP checks, and/or passive checks, which would help a lot, but there are many things I want to graph that I don't want to alert on -- such as each webserver's input/output on the NIC, I/O on hard disk, etc. Would I just create these as checks inside nagios but just never set a critical or warning level for them? Or is it better to use something different since there are so many checks that I don't want to monitor for alerts?

From matt at atopia.net Tue Nov 4 15:20:04 2008
From: matt at atopia.net (Matt Juszczak)
Date: Tue, 4 Nov 2008 15:20:04 -0500 (EST)
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <20081104150608.K49065@mercury.atopia.net>
References: <20081104112555.U81533@mercury.atopia.net> <20081104150608.K49065@mercury.atopia.net>
Message-ID: <20081104151938.C67188@mercury.atopia.net>

> Sounds cool, but I'm running a lot of my checks via check_by_ssh, so when
> things get bogged down, I tend to get a lot of "plugin timeout".
> Technically, I could switch these to SNMP checks, and/or passive checks,
> which would help a lot, but there are many things I want to graph that I
> don't want to alert on -- such as each webserver's input/output on the
> NIC, I/O on hard disk, etc. Would I just create these as checks inside
> nagios but just never set a critical or warning level for them? Or is it
> better to use something different since there are so many checks that I
> don't want to monitor for alerts?

I should say that I'm looking for something that would allow monitoring cross platform of both linux and bsd boxes.

From riegersteve at gmail.com Tue Nov 4 15:24:21 2008
From: riegersteve at gmail.com (Steve Rieger)
Date: Tue, 04 Nov 2008 12:24:21 -0800
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <20081104151938.C67188@mercury.atopia.net>
References: <20081104112555.U81533@mercury.atopia.net> <20081104150608.K49065@mercury.atopia.net> <20081104151938.C67188@mercury.atopia.net>
Message-ID: <4910AF75.20108@gmail.com>

Matt Juszczak wrote:
> I should say that I'm looking for something that would allow monitoring
> cross platform of both linux and bsd boxes.

i use zabbix,

From skreuzer at exit2shell.com Tue Nov 4 15:35:27 2008
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Tue, 4 Nov 2008 15:35:27 -0500
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <20081104150608.K49065@mercury.atopia.net>
References: <20081104112555.U81533@mercury.atopia.net> <20081104150608.K49065@mercury.atopia.net>
Message-ID: <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com>

On Nov 4, 2008, at 3:09 PM, Matt Juszczak wrote:
>> I'm running Nagios + pnp4nagios which takes the extra data that the
>> nagios service checks picks up and makes RRD/Cacti graphs out of them.
>> I did this to reduce the amount of polling which can skew results, and
>> soaks up resources for those times when you really need the graphs.
>> Also it's all wrapped up in one place to maintain.
>
> Sounds cool, but I'm running a lot of my checks via check_by_ssh, so when
> things get bogged down, I tend to get a lot of "plugin timeout".
> Technically, I could switch these to SNMP checks, and/or passive checks,
> which would help a lot, but there are many things I want to graph that I
> don't want to alert on -- such as each webserver's input/output on the
> NIC, I/O on hard disk, etc. Would I just create these as checks inside
> nagios but just never set a critical or warning level for them? Or is it
> better to use something different since there are so many checks that I
> don't want to monitor for alerts?

Personally, I think it is very bad form to try to do what you want to do with nagios. People always try to make nagios into something it isn't and the results are usually poorly implemented and difficult to support. I have seen people try to turn nagios into a replacement for cron, a tool to isolate system faults and god knows what else. Its core strength is checking the state of a host or service and alerting you if that host or service is not in a "good" state.

If you need graphing, look at a "heavy" application like cacti, or roll your own with rrdtool and whatever scripting language you prefer.

Keep your nagios configuration simple and clean. They are complex enough that you don't need to add another layer of complexity on top of them.
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From matt at atopia.net Tue Nov 4 15:38:17 2008
From: matt at atopia.net (Matt Juszczak)
Date: Tue, 4 Nov 2008 15:38:17 -0500 (EST)
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com>
References: <20081104112555.U81533@mercury.atopia.net> <20081104150608.K49065@mercury.atopia.net> <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com>
Message-ID: <20081104153705.Y78714@mercury.atopia.net>

> If you need graphing, look at a "heavy" application like cacti, or roll
> your own with rrdtool and whatever scripting language you prefer.

Cacti is great, but does it allow the polling of information other than via SNMP?

> Keep your nagios configuration simple and clean. They are complex enough
> that you don't need to add another layer of complexity on top of them.

I agree. The system used for alerts should be completely different than the system used for graphing, especially since you probably want to poll the graphing data more often than you do the alert data.

From skreuzer at exit2shell.com Tue Nov 4 15:39:44 2008
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Tue, 4 Nov 2008 15:39:44 -0500
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <20081104153705.Y78714@mercury.atopia.net>
References: <20081104112555.U81533@mercury.atopia.net> <20081104150608.K49065@mercury.atopia.net> <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com> <20081104153705.Y78714@mercury.atopia.net>
Message-ID: <639192FD-7C32-4FEC-98C3-ABAD3D37D26F@exit2shell.com>

On Nov 4, 2008, at 3:38 PM, Matt Juszczak wrote:
>> If you need graphing, look at a "heavy" application like cacti, or
>> roll your own with rrdtool and whatever scripting language you
>> prefer.
>
> Cacti is great, but does it allow the polling of information other
> than via SNMP?
>

yup

http://www.cacti.net/downloads/docs/html/making_scripts_work_with_cacti.html

>
>
>> Keep your nagios configuration simple and clean. They are complex enough
>> that you don't need to add another layer of complexity on top of them.
>
> I agree. The system used for alerts should be completely different
> than the system used for graphing, especially since you probably
> want to poll the graphing data more often than you do the alert data.

Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From matt at atopia.net Tue Nov 4 15:49:47 2008
From: matt at atopia.net (Matt Juszczak)
Date: Tue, 4 Nov 2008 15:49:47 -0500 (EST)
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <639192FD-7C32-4FEC-98C3-ABAD3D37D26F@exit2shell.com>
References: <20081104112555.U81533@mercury.atopia.net> <20081104150608.K49065@mercury.atopia.net> <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com> <20081104153705.Y78714@mercury.atopia.net> <639192FD-7C32-4FEC-98C3-ABAD3D37D26F@exit2shell.com>
Message-ID: <20081104154643.J85044@mercury.atopia.net>

> yup
>
> http://www.cacti.net/downloads/docs/html/making_scripts_work_with_cacti.html

And do you recommend using cacti with that or something more simple like ganglia?
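Jesse's unease about SNMP and Matt's router and firewall that can only be polled over SNMP both come up above. The concrete risk is that SNMPv1 and v2c authenticate with a community string sent in cleartext, so anyone who can sniff the path between the Cacti poller and the device can read it and replay it, and a read-write community then gives them configuration access. The block below is an added example (not from the thread, Cacti or net-snmp): it audits a net-snmp snmpd.conf for v1/v2c community directives and for SNMPv3 users admitted at a security level below priv. The configuration it runs over is constructed to show the weak settings beside a hardened SNMPv3 user; the directive syntax follows snmpd.conf(5).

```python
# Constructed net-snmp snmpd.conf: common weak settings next to a hardened
# SNMPv3 user. Sample input for the audit below, not a config from any host
# in the thread.
SAMPLE_SNMPD_CONF = """\
# weak: v1/v2c community strings cross the wire in cleartext
rocommunity public
rwcommunity private 10.0.0.0/8
com2sec monitoring default s3cr3t

# hardened: SNMPv3 user, authentication plus encryption, read-only
createUser cactipoll SHA "long-auth-passphrase" AES "long-priv-passphrase"
rouser cactipoll priv
"""

DEFAULT_COMMUNITIES = {"public", "private"}
COMMUNITY_DIRECTIVES = {"rocommunity", "rwcommunity", "rocommunity6", "rwcommunity6"}


def _community_finding(lineno, directive, community, source):
    """Grade one v1/v2c community directive; more than the baseline reason
    makes it high severity."""
    reasons = ["v1/v2c community string (cleartext, replayable)"]
    if community.lower() in DEFAULT_COMMUNITIES:
        reasons.append("default community name")
    if directive.startswith("rw"):
        reasons.append("write access")
    if source == "default":
        reasons.append("accepts any source address")
    severity = "high" if len(reasons) > 1 else "medium"
    return (lineno, severity, f"{directive}: " + "; ".join(reasons))


def audit_snmpd_conf(text):
    """Return (line, severity, message) for each risky directive in the file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if len(tokens) < 2:
            continue
        directive = tokens[0].lower()
        if directive in COMMUNITY_DIRECTIVES:
            # rocommunity COMMUNITY [SOURCE] [OID | -V VIEW]; a leading '-'
            # means the optional SOURCE was omitted, so any address is accepted
            community = tokens[1]
            source = tokens[2] if len(tokens) > 2 and not tokens[2].startswith("-") else "default"
            findings.append(_community_finding(lineno, directive, community, source))
        elif directive == "com2sec":
            # com2sec SECNAME SOURCE COMMUNITY
            source = tokens[2] if len(tokens) > 2 else "default"
            community = tokens[3] if len(tokens) > 3 else ""
            findings.append(_community_finding(lineno, directive, community, source))
        elif directive in ("rouser", "rwuser"):
            # rouser USER [noauth|auth|priv]; net-snmp defaults to auth, which
            # authenticates but still sends the payload unencrypted
            level = tokens[2].lower() if len(tokens) > 2 else "auth"
            if level != "priv":
                findings.append((lineno, "medium",
                                 f"{directive} {tokens[1]}: security level {level}, require priv"))
    return findings


if __name__ == "__main__":
    for lineno, severity, message in audit_snmpd_conf(SAMPLE_SNMPD_CONF):
        print(f"line {lineno} [{severity}] {message}")
```

Against the sample it reports the three community lines and accepts the SNMPv3 user; on a real device the same check is worth running before handing a poller a read-write community just so a graph can be drawn.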
From skreuzer at exit2shell.com Tue Nov 4 16:03:20 2008
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Tue, 4 Nov 2008 16:03:20 -0500
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <20081104154643.J85044@mercury.atopia.net>
References: <20081104112555.U81533@mercury.atopia.net> <20081104150608.K49065@mercury.atopia.net> <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com> <20081104153705.Y78714@mercury.atopia.net> <639192FD-7C32-4FEC-98C3-ABAD3D37D26F@exit2shell.com> <20081104154643.J85044@mercury.atopia.net>
Message-ID: <1A5D7D0E-A7FE-4F4F-A9E8-3F4F75AE3420@exit2shell.com>

On Nov 4, 2008, at 3:49 PM, Matt Juszczak wrote:
>> yup
>>
>> http://www.cacti.net/downloads/docs/html/making_scripts_work_with_cacti.html
>
> And do you recommend using cacti with that or something more simple
> like ganglia?

Cacti will be the quickest and easiest solution to deploy if you need to collect and graph meaningful statistics today.

Once you get ganglia up and running, all it will do is provide you with statistics and it will be up to you to figure out a way to collect and store them and then do something meaningful with them.
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From matt at atopia.net Tue Nov 4 16:08:25 2008
From: matt at atopia.net (Matt Juszczak)
Date: Tue, 4 Nov 2008 16:08:25 -0500 (EST)
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <1A5D7D0E-A7FE-4F4F-A9E8-3F4F75AE3420@exit2shell.com>
References: <20081104112555.U81533@mercury.atopia.net> <20081104150608.K49065@mercury.atopia.net> <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com> <20081104153705.Y78714@mercury.atopia.net> <639192FD-7C32-4FEC-98C3-ABAD3D37D26F@exit2shell.com> <20081104154643.J85044@mercury.atopia.net> <1A5D7D0E-A7FE-4F4F-A9E8-3F4F75AE3420@exit2shell.com>
Message-ID: <20081104160736.Y3454@mercury.atopia.net>

> Once you get ganglia up and running, all it will do is provide you
> with statistics and it will be up to you to figure out a way to
> collect and store them and then do something meaningful with them.

So ganglia is just a means of collecting and storing information? It doesn't handle graphing, etc.? Forgive these questions - I've used cacti a lot in the past, but never in a place where we didn't need SNMP-only data. So I'm looking at other alternatives.
From skreuzer at exit2shell.com Tue Nov 4 16:33:01 2008
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Tue, 4 Nov 2008 16:33:01 -0500
Subject: [nycbug-talk] Statistical Monitoring
In-Reply-To: <20081104160736.Y3454@mercury.atopia.net>
References: <20081104112555.U81533@mercury.atopia.net> <20081104150608.K49065@mercury.atopia.net> <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com> <20081104153705.Y78714@mercury.atopia.net> <639192FD-7C32-4FEC-98C3-ABAD3D37D26F@exit2shell.com> <20081104154643.J85044@mercury.atopia.net> <1A5D7D0E-A7FE-4F4F-A9E8-3F4F75AE3420@exit2shell.com> <20081104160736.Y3454@mercury.atopia.net>
Message-ID:

On Nov 4, 2008, at 4:08 PM, Matt Juszczak wrote:
>> Once you get ganglia up and running, all it will do is provide you
>> with statistics and it will be up to you to figure out a way to
>> collect and store them and then do something meaningful with them.
>
> So ganglia is just a means of collecting and storing information?
> It doesn't handle graphing, etc.? Forgive these questions - I've
> used cacti a lot in the past, but never in a place where we didn't
> need SNMP-only data. So I'm looking at other alternatives.

gmond collects statistics from the host. You'll need a client application to actually collect those statistics from the host and archive them somewhere. After that, you will need to somehow create graphs from that data.

However, there is an application called "Ganglia Web Frontend" which seems to be a cacti like application for ganglia. I have never used it, but maybe that will be worth looking into.
Steven Kreuzer http://www.exit2shell.com/~skreuzer From spork at bway.net Tue Nov 4 17:05:10 2008 From: spork at bway.net (Charles Sprickman) Date: Tue, 4 Nov 2008 17:05:10 -0500 (EST) Subject: [nycbug-talk] Statistical Monitoring In-Reply-To: References: <20081104112555.U81533@mercury.atopia.net> Message-ID: On Tue, 4 Nov 2008, Jesse Callaway wrote: > On Tue, Nov 4, 2008 at 11:28 AM, Matt Juszczak wrote: >> Hi all, >> >> What do all of you use for monitoring now-n-days? In the past I've used a >> combination of Nagios and Cacti, but I've setup Nagios on a new setup, and >> while investigating Cacti (via SNMP) I also began investigating Ganglia. >> >> What do all of you prefer - push methods or pull methods for statistics >> gathering and graphing? It seems using Cacti with SNMP would work nicely, >> but also using Ganglia to push the data to a centralized gmond (which >> I've also done in the past) works well, too. >> >> Thoughts? >> _______________________________________________ >> talk mailing list >> talk at lists.nycbug.org >> http://lists.nycbug.org/mailman/listinfo/talk >> > > I'm running Nagios + pnp4nagios which takes the extra data that the > nagios service checks picks up and makes RRD/Cacti graphs out of them. I'll just second this. I looked at zenoss and liked the graphing, but I already had Nagios, so I upgraded to the latest and added pnp4nagios to the mix. It works extremely well and produces really nice graphs. They look pretty, and they are also on my weekly/monthly checklist - I review cpu usage and other trends to see if anything looks odd long-term. I'm very happy with this mix. Charles > I did this to reduce the amount of polling which can skew results, and > soaks up resources for those times when you really need the graphs. > Also it's all wrapped up in one place to maintain. > I'm scared of SNMP security-wise, but that may be because I don't know > enough about it. 
> Pull methods have the advantage of allowing for failover/redundant > monitoring servers. Push methods can be easier on the firewall. > > -jesse > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > From skreuzer at exit2shell.com Tue Nov 4 15:27:45 2008 From: skreuzer at exit2shell.com (Steven Kreuzer) Date: Tue, 4 Nov 2008 15:27:45 -0500 Subject: [nycbug-talk] Statistical Monitoring In-Reply-To: <20081104150428.O49065@mercury.atopia.net> References: <20081104112555.U81533@mercury.atopia.net> <22CFDD18-73C9-4732-9BD6-545808E35921@exit2shell.com> <20081104150428.O49065@mercury.atopia.net> Message-ID: <21FDB990-A09A-4081-BF42-56658A123F39@exit2shell.com> On Nov 4, 2008, at 3:05 PM, Matt Juszczak wrote: >> I used Ganglia at a previous job and for the most part found it to >> be a nice way to quickly poll several thousand hosts. >> >> In addition to having it report on things like cpu and memory >> usage, it was integrated into one of our internally developed >> applications which allowed us to retrieve statistics specific to >> that application in a more efficient manner. >> >> Previously all the statistics were being exported by a tiny built >> in web server and then having a script make http get requests to >> each server. It did not scale too well. >> >> My only complaint with ganglia is that after running it for a >> while, it would stop responding to requests and require the service >> to be restarted. > > Your experience with Ganglia has been simply as a push agent, > correct? You can collect statistics via any method you choose and > just push to gmond? I don't believe ganglia has a "pull" method > where it can combine querying snmp as well, does it? We had each server running gmond, collecting information from the host and ganglia aware applications. 
gmond makes this information available by listening on a multicast channel and everyone once and a while a central server would poll this channel and archive the XML that every server responded with. Its a pull method, but you only have to make one request to retrieve statistics from every machine in that broadcast domain as opposed to querying each and every host. Steven Kreuzer http://www.exit2shell.com/~skreuzer From matt at atopia.net Tue Nov 4 16:43:29 2008 From: matt at atopia.net (matt at atopia.net) Date: Tue, 4 Nov 2008 21:43:29 +0000 Subject: [nycbug-talk] Statistical Monitoring Message-ID: <1330777268-1225835008-cardhu_decombobulator_blackberry.rim.net-2110745368-@bxe191.bisx.prod.on.blackberry> So technically, you can use ganglia to collect statistics to push to cacti? ------Original Message------ From: Steven Kreuzer Sender: talk-bounces at lists.nycbug.org To: talk at lists.nycbug.org List Subject: Re: [nycbug-talk] Statistical Monitoring Sent: Nov 4, 2008 16:33 On Nov 4, 2008, at 4:08 PM, Matt Juszczak wrote: >> Once you get ganglia up and running, all it will do is provide you >> with statistics and >> it will be up to you to figure out a way to collect and store them >> and >> then do something >> meaningful with them. > > So ganglia is just a means of collecting and storing information? > It doesn't handle graphing ,etc.? Forgive these questions - I've > used cacti a lot in the past, but never in a place where we didn't > need SNMP-only data. So I'm looking at other alternatives. gmond collects statistics from the host. You'll need a client application to actually collect those statistics from the host and archive them somewhere. After that, after that, you will need to somehow create graphs from that data. However, there is an application called "Ganglia Web Frontend" which seems to be a cacti like application for ganglia. I have never used it, but maybe that will be worth looking into. 
Steven Kreuzer http://www.exit2shell.com/~skreuzer _______________________________________________ talk mailing list talk at lists.nycbug.org http://lists.nycbug.org/mailman/listinfo/talk From matt at atopia.net Wed Nov 5 11:03:51 2008 From: matt at atopia.net (Matt Juszczak) Date: Wed, 5 Nov 2008 11:03:51 -0500 (EST) Subject: [nycbug-talk] Statistical Monitoring In-Reply-To: References: <20081104112555.U81533@mercury.atopia.net> <20081104150608.K49065@mercury.atopia.net> <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com> <20081104153705.Y78714@mercury.atopia.net> <639192FD-7C32-4FEC-98C3-ABAD3D37D26F@exit2shell.com> <20081104154643.J85044@mercury.atopia.net> <1A5D7D0E-A7FE-4F4F-A9E8-3F4F75AE3420@exit2shell.com> <20081104160736.Y3454@mercury.atopia.net> Message-ID: <20081105105930.Y86221@mercury.atopia.net> >>> Once you get ganglia up and running, all it will do is provide you >>> with statistics and it will be up to you to figure out a way to >>> collect and store them and then do something meaningful with them. The problem I have is I want TONS of graphs. I want to graph our load balancer, our firewall, our CPU usage for specific processes across servers (apache, memcache, mysql, etc.), memory usage (free/available), mysql statistics (threads running, queries running, long running queries, average query time, seconds behind master, etc.), and much much more. If I have all of these statistics being reported (and graphed), then is this something that reliably, a pull method can perform well? I've used SNMP a lot to gather basic statistics, but I doubt I'd be able to get SNMP to broadcast what the current queries per second are on the local MySQL server easily (I know its possible - there's an SNMP module for MySQL, but I doubt its trivial). Wouldn't something like this be better as a script running on ALL servers to gather the statistics and push those statistics to a centralized daemon of sorts running on the server? 
But since I also need to graph things that are snmp-based (for instance, our load balancer information can only be obtained via snmp), my thoughts are that using cacti is most likely the best option, but I'd have to use the custom-graph-with-scripts option more often. Or, like I asked, perhaps using ganglia to push the statistics, and then running a script on the cacti server to convert the ganglia data into graphs? From pete at nomadlogic.org Wed Nov 5 11:22:48 2008 From: pete at nomadlogic.org (pete) Date: Wed, 05 Nov 2008 11:22:48 -0500 Subject: [nycbug-talk] Statistical Monitoring In-Reply-To: <20081105105930.Y86221@mercury.atopia.net> References: <20081104112555.U81533@mercury.atopia.net> <20081104150608.K49065@mercury.atopia.net> <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com> <20081104153705.Y78714@mercury.atopia.net> <639192FD-7C32-4FEC-98C3-ABAD3D37D26F@exit2shell.com> <20081104154643.J85044@mercury.atopia.net> <1A5D7D0E-A7FE-4F4F-A9E8-3F4F75AE3420@exit2shell.com> <20081104160736.Y3454@mercury.atopia.net> <20081105105930.Y86221@mercury.atopia.net> Message-ID: <05b4be319281067825bebb42de8717ea@nomadlogic.org> On Wed, 5 Nov 2008 11:03:51 -0500 (EST), Matt Juszczak wrote: >>>> Once you get ganglia up and running, all it will do is provide you >>>> with statistics and it will be up to you to figure out a way to >>>> collect and store them and then do something meaningful with them. > > The problem I have is I want TONS of graphs. I want to graph our load > balancer, our firewall, our CPU usage for specific processes across > servers (apache, memcache, mysql, etc.), memory usage (free/available), > mysql statistics (threads running, queries running, long running queries, > average query time, seconds behind master, etc.), and much much more. If > I have all of these statistics being reported (and graphed), then is this > something that reliably, a pull method can perform well? 
I've used SNMP a > lot to gather basic statistics, but I doubt I'd be able to get SNMP to > broadcast what the current queries per second are on the local MySQL > server easily (I know its possible - there's an SNMP module for MySQL, but > I doubt its trivial). Wouldn't something like this be better as a script > running on ALL servers to gather the statistics and push those statistics > to a centralized daemon of sorts running on the server? > heck i'd look at it from the other perspective. running a dedicated snmpd on your server is going to be much more light weight than running a home grown script written in an interpreted lang like perl or python. in my personal experience monitoring lots of gear ranging from switches/routers to load balancers and servers i find that SNMP is the way to go. it is quite light weight and it's the only way you are gonna be able to have consistent counters b/w switches and servers (for monitoring network traffic for example). > But since I also need to graph things that are snmp-based (for instance, > our load balancer information can only be obtained via snmp), my thoughts > are that using cacti is most likely the best option, but I'd have to use > the custom-graph-with-scripts option more often. Or, like I asked, > perhaps using ganglia to push the statistics, and then running a script on > the cacti server to convert the ganglia data into graphs? there is nothing to say that you cant write your own OID that lives on your servers that runs a script - say something showing how many active MySQL connections you have active at a given time. that'll still be more light weight than running a perl/python daemon that you write since you can use the SNMP protocol to execute these queries. you can still get the customization you want - but gain the consistency of just using SNMP across all your network devices as well which i think is a huge win long term support wise. 
i've also found that %80 of the info that I am interested in is already available easily via stock snmp configs - process counts, memory info, network counters, cpu load, users logged in etc... just my two bits though.. -pete -- Pete Wright pete at nomadlogic.org 310.869.9459 From matt at atopia.net Wed Nov 5 11:26:54 2008 From: matt at atopia.net (Matt Juszczak) Date: Wed, 5 Nov 2008 11:26:54 -0500 (EST) Subject: [nycbug-talk] Statistical Monitoring In-Reply-To: <05b4be319281067825bebb42de8717ea@nomadlogic.org> References: <20081104112555.U81533@mercury.atopia.net> <20081104150608.K49065@mercury.atopia.net> <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com> <20081104153705.Y78714@mercury.atopia.net> <639192FD-7C32-4FEC-98C3-ABAD3D37D26F@exit2shell.com> <20081104154643.J85044@mercury.atopia.net> <1A5D7D0E-A7FE-4F4F-A9E8-3F4F75AE3420@exit2shell.com> <20081104160736.Y3454@mercury.atopia.net> <20081105105930.Y86221@mercury.atopia.net> <05b4be319281067825bebb42de8717ea@nomadlogic.org> Message-ID: <20081105112524.A3710@mercury.atopia.net> > i've also found that %80 of the info that I am interested in is already > available easily via stock snmp configs - process counts, memory info, > network counters, cpu load, users logged in etc... Do you have an example of such SNMP configs? I've used SNMP for simple monitoring of network traffic, etc., but never to the point of needing to get as much info as I really need now. Also, if SNMP really is that great of a solution, why was ganglia/symon/etc created in the first place? 
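An added example (not from any list member) of the kind of snmpd.conf pete is describing, answering Matt's question above and Jesse's SNMP security worry in one file: a net-snmp agent (the FreeBSD port, not the base bsnmpd) with the "proc" directives and a custom extension OID, showing the loose stock setting beside a tightened one. The bind address, passphrases, community string, poller address, and the /usr/local/sbin/mysql_conns.sh script are all placeholders and assumptions, not taken from the thread.

```conf
# net-snmp snmpd.conf: added example, not a list member's config.
# Assumes net-snmp from ports and a local script (hypothetical)
# /usr/local/sbin/mysql_conns.sh that prints the current MySQL connection count.

### Loose stock setting (what "just make the graphs work" usually ends up as)
# Cleartext v2c community, answered for any source address, whole tree readable.
# rocommunity public

### Tightened equivalent
# Listen only on the management interface (placeholder address).
agentAddress udp:192.0.2.10:161

# SNMPv3 user with authentication and privacy. createUser is normally kept in
# the persistent store (/var/net-snmp/snmpd.conf) so the passphrases are not
# left in the main config; it is shown inline here for completeness.
createUser monitor SHA "AUTH_PASSPHRASE_PLACEHOLDER" AES "PRIV_PASSPHRASE_PLACEHOLDER"

# Read-only, authPriv required, confined to a named view.
rouser monitor priv -V sysview

# Expose only the subtrees the graphs actually need:
view sysview included .1.3.6.1.2.1.1        # system
view sysview included .1.3.6.1.2.1.2        # interfaces (ifTable counters)
view sysview included .1.3.6.1.2.1.25       # host resources (cpu, mem, procs)
view sysview included .1.3.6.1.4.1.2021     # UCD-SNMP-MIB (proc table, load)
view sysview included .1.3.6.1.4.1.8072.1.3.2  # NET-SNMP-EXTEND-MIB output

# If an older v2c poller must stay, scope it to the monitoring host and the
# same view instead of a global "public".
rocommunity MONITORING_COMMUNITY_PLACEHOLDER 192.0.2.20 -V sysview

# The stock "proc" directives: proc NAME [MAX [MIN]]. prErrorFlag in
# UCD-SNMP-MIB goes to 1 when the running count falls outside the range.
proc mysqld 1 1
proc httpd 500 1

# Custom metric over SNMP instead of a home-grown push daemon: "extend" runs
# the script on demand and publishes its first output line as
#   NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."mysqlconns"
extend mysqlconns /usr/local/sbin/mysql_conns.sh
```

Verify from the monitoring host with snmpwalk -v3 -u monitor -l authPriv -a SHA -A AUTH_PASSPHRASE_PLACEHOLDER -x AES -X PRIV_PASSPHRASE_PLACEHOLDER 192.0.2.10 NET-SNMP-EXTEND-MIB::nsExtendObjects; a walk with -v2c and a guessed community should return nothing.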
From pete at nomadlogic.org Wed Nov 5 11:37:42 2008 From: pete at nomadlogic.org (pete) Date: Wed, 05 Nov 2008 11:37:42 -0500 Subject: [nycbug-talk] Statistical Monitoring In-Reply-To: <20081105112524.A3710@mercury.atopia.net> References: <20081104112555.U81533@mercury.atopia.net> <20081104150608.K49065@mercury.atopia.net> <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com> <20081104153705.Y78714@mercury.atopia.net> <639192FD-7C32-4FEC-98C3-ABAD3D37D26F@exit2shell.com> <20081104154643.J85044@mercury.atopia.net> <1A5D7D0E-A7FE-4F4F-A9E8-3F4F75AE3420@exit2shell.com> <20081104160736.Y3454@mercury.atopia.net> <20081105105930.Y86221@mercury.atopia.net> <05b4be319281067825bebb42de8717ea@nomadlogic.org> <20081105112524.A3710@mercury.atopia.net> Message-ID: On Wed, 5 Nov 2008 11:26:54 -0500 (EST), Matt Juszczak wrote: >> i've also found that %80 of the info that I am interested in is already >> available easily via stock snmp configs - process counts, memory info, >> network counters, cpu load, users logged in etc... > > Do you have an example of such SNMP configs? I've used SNMP for simple > monitoring of network traffic, etc., but never to the point of needing to > get as much info as I really need now. > don't have time to do a tutorial for you now, but there is alot of good doc out there. the O'Reilly book is pretty good too. as a hint you may want to read a stock snmpd.conf on a BSD box and check out the "proc" directives....but really reading the docs is the best place to start. > Also, if SNMP really is that great of a solution, why was > ganglia/symon/etc created in the first place? > lol - you'd have to ask the developers that one :) what i can say about SNMP is that for better or worse it pretty much is an industry standard for polling information from devices regardless of the platform you are on. 
-pete -- Pete Wright pete at nomadlogic.org 310.869.9459 From bonsaime at gmail.com Wed Nov 5 16:52:22 2008 From: bonsaime at gmail.com (Jesse Callaway) Date: Wed, 5 Nov 2008 16:52:22 -0500 Subject: [nycbug-talk] Statistical Monitoring In-Reply-To: <20081105105930.Y86221@mercury.atopia.net> References: <20081104112555.U81533@mercury.atopia.net> <20081104150608.K49065@mercury.atopia.net> <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com> <20081104153705.Y78714@mercury.atopia.net> <639192FD-7C32-4FEC-98C3-ABAD3D37D26F@exit2shell.com> <20081104154643.J85044@mercury.atopia.net> <1A5D7D0E-A7FE-4F4F-A9E8-3F4F75AE3420@exit2shell.com> <20081104160736.Y3454@mercury.atopia.net> <20081105105930.Y86221@mercury.atopia.net> Message-ID: On Wed, Nov 5, 2008 at 11:03 AM, Matt Juszczak wrote: >>>> Once you get ganglia up and running, all it will do is provide you >>>> with statistics and it will be up to you to figure out a way to >>>> collect and store them and then do something meaningful with them. > > The problem I have is I want TONS of graphs. I want to graph our load > balancer, our firewall, our CPU usage for specific processes across > servers (apache, memcache, mysql, etc.), memory usage (free/available), > mysql statistics (threads running, queries running, long running queries, > average query time, seconds behind master, etc.), and much much more. If > I have all of these statistics being reported (and graphed), then is this > something that reliably, a pull method can perform well? I've used SNMP a > lot to gather basic statistics, but I doubt I'd be able to get SNMP to > broadcast what the current queries per second are on the local MySQL > server easily (I know its possible - there's an SNMP module for MySQL, but > I doubt its trivial). Wouldn't something like this be better as a script > running on ALL servers to gather the statistics and push those statistics > to a centralized daemon of sorts running on the server? 
> > But since I also need to graph things that are snmp-based (for instance, > our load balancer information can only be obtained via snmp), my thoughts > are that using cacti is most likely the best option, but I'd have to use > the custom-graph-with-scripts option more often. Or, like I asked, > perhaps using ganglia to push the statistics, and then running a script on > the cacti server to convert the ganglia data into graphs? > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > Most systems let you mix up SNMP and whatever the heck else you can get some numbers out of. I don't think Cacti is limited to data from SNMP at all. And I know that Nagios is not. With Nagios you can push you can pull you can wait for data to come in. You can freak if the data does not come in... there's lots of options. Although it was mostly built to send you alerts if something doesn't look right to it, you can extend it to give you nice trend graphs. I graph a bunch of MySQL information with it (Uptime_since_flush_status, Last_query_cost, Connections, Slow_queries, Open_tables, Questions, Threads_running, Innodb_row_lock_time_avg) using the pnp4nagios plugin. Looking back I should have done Nagios and Cacti separately. Just monitor a few things with Nagios to determine if a critical service is UP or DOWN. If you want to get real simple, check out sysmon. George loves it, but for some reason he's not piping up about it. It's good for this. For all the pretty graphs use Cacti and a plugin to layout the graphs in a nice way. -jesse From tekronis at gmail.com Wed Nov 5 23:29:39 2008 From: tekronis at gmail.com (H. G.) 
Date: Wed, 5 Nov 2008 23:29:39 -0500 Subject: [nycbug-talk] Statistical Monitoring In-Reply-To: <20081105105930.Y86221@mercury.atopia.net> References: <20081104112555.U81533@mercury.atopia.net> <20081104150608.K49065@mercury.atopia.net> <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com> <20081104153705.Y78714@mercury.atopia.net> <639192FD-7C32-4FEC-98C3-ABAD3D37D26F@exit2shell.com> <20081104154643.J85044@mercury.atopia.net> <1A5D7D0E-A7FE-4F4F-A9E8-3F4F75AE3420@exit2shell.com> <20081104160736.Y3454@mercury.atopia.net> <20081105105930.Y86221@mercury.atopia.net> Message-ID: <60131f920811052029s1570cc3cy9ca0d2bd8947ce15@mail.gmail.com> On Wed, Nov 5, 2008 at 11:03 AM, Matt Juszczak wrote: > >>> Once you get ganglia up and running, all it will do is provide you > >>> with statistics and it will be up to you to figure out a way to > >>> collect and store them and then do something meaningful with them. > > The problem I have is I want TONS of graphs. I want to graph our load > balancer, our firewall, our CPU usage for specific processes across > servers (apache, memcache, mysql, etc.), memory usage (free/available), > mysql statistics (threads running, queries running, long running queries, > average query time, seconds behind master, etc.), and much much more. If > I have all of these statistics being reported (and graphed), then is this > something that reliably, a pull method can perform well? I've used SNMP a > lot to gather basic statistics, but I doubt I'd be able to get SNMP to > broadcast what the current queries per second are on the local MySQL > server easily (I know its possible - there's an SNMP module for MySQL, but > I doubt its trivial). Wouldn't something like this be better as a script > running on ALL servers to gather the statistics and push those statistics > to a centralized daemon of sorts running on the server? 
> > But since I also need to graph things that are snmp-based (for instance, > our load balancer information can only be obtained via snmp), my thoughts > are that using cacti is most likely the best option, but I'd have to use > the custom-graph-with-scripts option more often. Or, like I asked, > perhaps using ganglia to push the statistics, and then running a script on > the cacti server to convert the ganglia data into graphs? > _______________________________________________ > talk mailing list > talk at lists.nycbug.org > http://lists.nycbug.org/mailman/listinfo/talk > Two recommendations, one that I've tried and one that I haven't: Zabbix, (http://www.zabbix.com), which is the former, and Munin ( http://munin.projects.linpro.no/), which is the latter. -------------- next part -------------- An HTML attachment was scrubbed... URL: From chsnyder at gmail.com Thu Nov 6 13:00:02 2008 From: chsnyder at gmail.com (csnyder) Date: Thu, 6 Nov 2008 13:00:02 -0500 Subject: [nycbug-talk] Statistical Monitoring In-Reply-To: <60131f920811052029s1570cc3cy9ca0d2bd8947ce15@mail.gmail.com> References: <20081104112555.U81533@mercury.atopia.net> <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com> <20081104153705.Y78714@mercury.atopia.net> <639192FD-7C32-4FEC-98C3-ABAD3D37D26F@exit2shell.com> <20081104154643.J85044@mercury.atopia.net> <1A5D7D0E-A7FE-4F4F-A9E8-3F4F75AE3420@exit2shell.com> <20081104160736.Y3454@mercury.atopia.net> <20081105105930.Y86221@mercury.atopia.net> <60131f920811052029s1570cc3cy9ca0d2bd8947ce15@mail.gmail.com> Message-ID: On Wed, Nov 5, 2008 at 11:29 PM, H. G. wrote: > > Zabbix, (http://www.zabbix.com), which is the former, and Munin > (http://munin.projects.linpro.no/), which is the latter. > Munin is the first monitoring package I've tried that just works, with very little config. (I'm still scarred by Nagios config experiences.) 
But having to constantly type munin (everything is munin-this and munin-that) is annoying, and looking at the complexity of the code scared me off. I'm rolling my own very simple system using RRDTool. That said, if I had hundreds of boxes to monitor and wanted to be able to dive deep into as many arcane metrics as possible, I would definitely turn to munin as the path of least effort. From matt at atopia.net Thu Nov 6 13:34:38 2008 From: matt at atopia.net (Matt Juszczak) Date: Thu, 6 Nov 2008 13:34:38 -0500 (EST) Subject: [nycbug-talk] Statistical Monitoring In-Reply-To: References: <20081104112555.U81533@mercury.atopia.net> <5E24C5C9-B2A5-4F3D-AA1A-BEE3117A7BFC@exit2shell.com> <20081104153705.Y78714@mercury.atopia.net> <639192FD-7C32-4FEC-98C3-ABAD3D37D26F@exit2shell.com> <20081104154643.J85044@mercury.atopia.net> <1A5D7D0E-A7FE-4F4F-A9E8-3F4F75AE3420@exit2shell.com> <20081104160736.Y3454@mercury.atopia.net> <20081105105930.Y86221@mercury.atopia.net> <60131f920811052029s1570cc3cy9ca0d2bd8947ce15@mail.gmail.com> Message-ID: <20081106133418.O48696@mercury.atopia.net> > That said, if I had hundreds of boxes to monitor and wanted to be able > to dive deep into as many arcane metrics as possible, I would > definitely turn to munin as the path of least effort. What do you consider "monitoring". Like I said, I have nagios to alert us, but it isn't good at collecting and graphic long term statistics. 
From matt at atopia.net Thu Nov 6 13:49:34 2008 From: matt at atopia.net (Matt Juszczak) Date: Thu, 6 Nov 2008 13:49:34 -0500 (EST) Subject: [nycbug-talk] Statistical Monitoring In-Reply-To: References: <20081104112555.U81533@mercury.atopia.net> <20081104154643.J85044@mercury.atopia.net> <1A5D7D0E-A7FE-4F4F-A9E8-3F4F75AE3420@exit2shell.com> <20081104160736.Y3454@mercury.atopia.net> <20081105105930.Y86221@mercury.atopia.net> <60131f920811052029s1570cc3cy9ca0d2bd8947ce15@mail.gmail.com> <20081106133418.O48696@mercury.atopia.net> Message-ID: <20081106134800.I59727@mercury.atopia.net> > Although that's a pretty damning indictment of munin since all the > graphs seem to be blank. Oh well, keep looking, Matt. I think I'm leaning towards cacti and nagios. From chsnyder at gmail.com Thu Nov 6 13:45:59 2008 From: chsnyder at gmail.com (csnyder) Date: Thu, 6 Nov 2008 13:45:59 -0500 Subject: [nycbug-talk] Statistical Monitoring In-Reply-To: References: <20081104112555.U81533@mercury.atopia.net> <20081104154643.J85044@mercury.atopia.net> <1A5D7D0E-A7FE-4F4F-A9E8-3F4F75AE3420@exit2shell.com> <20081104160736.Y3454@mercury.atopia.net> <20081105105930.Y86221@mercury.atopia.net> <60131f920811052029s1570cc3cy9ca0d2bd8947ce15@mail.gmail.com> <20081106133418.O48696@mercury.atopia.net> Message-ID: On Thu, Nov 6, 2008 at 1:44 PM, csnyder wrote: > On Thu, Nov 6, 2008 at 1:34 PM, Matt Juszczak wrote: >>> That said, if I had hundreds of boxes to monitor and wanted to be able >>> to dive deep into as many arcane metrics as possible, I would >>> definitely turn to munin as the path of least effort. >> >> What do you consider "monitoring". Like I said, I have nagios to alert us, >> but it isn't good at collecting and graphic long term statistics. >> > > Munin author maintains a public example installation here: > http://munin.ping.uio.no/ > Although that's a pretty damning indictment of munin since all the graphs seem to be blank. Oh well, keep looking, Matt. 
From chsnyder at gmail.com Thu Nov 6 13:44:40 2008 From: chsnyder at gmail.com (csnyder) Date: Thu, 6 Nov 2008 13:44:40 -0500 Subject: [nycbug-talk] Statistical Monitoring In-Reply-To: <20081106133418.O48696@mercury.atopia.net> References: <20081104112555.U81533@mercury.atopia.net> <639192FD-7C32-4FEC-98C3-ABAD3D37D26F@exit2shell.com> <20081104154643.J85044@mercury.atopia.net> <1A5D7D0E-A7FE-4F4F-A9E8-3F4F75AE3420@exit2shell.com> <20081104160736.Y3454@mercury.atopia.net> <20081105105930.Y86221@mercury.atopia.net> <60131f920811052029s1570cc3cy9ca0d2bd8947ce15@mail.gmail.com> <20081106133418.O48696@mercury.atopia.net> Message-ID: On Thu, Nov 6, 2008 at 1:34 PM, Matt Juszczak wrote: >> That said, if I had hundreds of boxes to monitor and wanted to be able >> to dive deep into as many arcane metrics as possible, I would >> definitely turn to munin as the path of least effort. > > What do you consider "monitoring". Like I said, I have nagios to alert us, > but it isn't good at collecting and graphic long term statistics. > Munin author maintains a public example installation here: http://munin.ping.uio.no/ From nikolai at fetissov.org Thu Nov 6 15:36:51 2008 From: nikolai at fetissov.org (nikolai) Date: Thu, 6 Nov 2008 15:36:51 -0500 (EST) Subject: [nycbug-talk] November 2008 meeting audio Message-ID: <5f54185875575257aded7408c84591ff.squirrel@www.geekisp.com> Folks, Audio of yesterday's presentation is available at http://www.fetissov.org/public/nycbug/ -- Nikolai From matt at atopia.net Fri Nov 7 12:35:48 2008 From: matt at atopia.net (Matt Juszczak) Date: Fri, 7 Nov 2008 12:35:48 -0500 (EST) Subject: [nycbug-talk] Yup, I did it: chown -R .... Message-ID: New rule to myself: NEVER FORCE YOURSELF to work when you're under the weather. I've felt horrible for a few days now, and it shows. I meant to chown -R root:users /some/directory but ended up doing it to the root. I ctrl-c'd about 2 seconds later but damage was already done. 
Luckily, I have a few other boxes and I compared them to this one with a custom script and was able to get the group back to where it was, but I'm afraid I set files that shouldn't be owned by root to being owned by root. At this point, I'm just wondering if I'm missing anything, or if there is a program out there that will run through your user:group/permissions settings (of course on system files only) verifying they are set correctly compared to the base install or something. Any suggestions? From nycbug at cyth.net Fri Nov 7 12:58:16 2008 From: nycbug at cyth.net (Ray Lai) Date: Fri, 7 Nov 2008 12:58:16 -0500 Subject: [nycbug-talk] Yup, I did it: chown -R .... In-Reply-To: References: Message-ID: <7765c0380811070958u2035f3bbq306dd0cd1a33e690@mail.gmail.com> On Fri, Nov 7, 2008 at 12:35 PM, Matt Juszczak wrote: > At this point, I'm just wondering if I'm missing anything, or if there is > a program out there that will run through your user:group/permissions > settings (of course on system files only) verifying they are set correctly > compared to the base install or something. mtree(8) From drulavigne at sympatico.ca Fri Nov 7 12:58:24 2008 From: drulavigne at sympatico.ca (Dru Lavigne) Date: Fri, 07 Nov 2008 17:58:24 +0000 Subject: [nycbug-talk] Yup, I did it: chown -R .... In-Reply-To: Message-ID: >I've felt horrible for a few days now, and it shows. I meant to chown -R >root:users /some/directory but ended up doing it to the root. I ctrl-c'd >about 2 seconds later but damage was already done. > >Luckily, I have a few other boxes and I compared them to this one with a >custom script and was able to get the group back to where it was, but I'm >afraid I set files that shouldn't be owned by root to being owned by root. 
> >At this point, I'm just wondering if I'm missing anything, or if there is >a program out there that will run through your user:group/permissions >settings (of course on system files only) verifying they are set correctly >compared to the base install or something. Assuming /some/directory came with the system, mtree is your friend. Page 88 of BSD Hacks gives an example of recreating var as follows: mtree -deU -f /etc/mtree/BSD.var.dist -p /var Cheers, Dru From freebsd-listen at fabiankeil.de Fri Nov 7 12:56:28 2008 From: freebsd-listen at fabiankeil.de (Fabian Keil) Date: Fri, 7 Nov 2008 18:56:28 +0100 Subject: [nycbug-talk] Yup, I did it: chown -R .... In-Reply-To: References: Message-ID: <20081107185628.7ba7d959@fabiankeil.de> Matt Juszczak wrote: > I've felt horrible for a few days now, and it shows. I meant to chown -R > root:users /some/directory but ended up doing it to the root. I ctrl-c'd > about 2 seconds later but damage was already done. > > Luckily, I have a few other boxes and I compared them to this one with a > custom script and was able to get the group back to where it was, but I'm > afraid I set files that shouldn't be owned by root to being owned by root. > > At this point, I'm just wondering if I'm missing anything, or if there is > a program out there that will run through your user:group/permissions > settings (of course on system files only) verifying they are set correctly > compared to the base install or something. mtree(8). Fabian From matt at atopia.net Fri Nov 7 13:12:00 2008 From: matt at atopia.net (Matt Juszczak) Date: Fri, 7 Nov 2008 13:12:00 -0500 (EST) Subject: [nycbug-talk] Yup, I did it: chown -R .... In-Reply-To: References: Message-ID: > Assuming /some/directory came with the system, mtree is your friend. 
Page 88 > of BSD Hacks gives an example of recreating var as follows: > > mtree -deU -f /etc/mtree/BSD.var.dist -p /var > > Cheers, > > Dru But is there anyway to do this without overwriting NEWER files that have been installed into /var (such as /var/db/mysql for mysql?) From matt at atopia.net Fri Nov 7 13:17:22 2008 From: matt at atopia.net (Matt Juszczak) Date: Fri, 7 Nov 2008 13:17:22 -0500 (EST) Subject: [nycbug-talk] Yup, I did it: chown -R .... In-Reply-To: References: Message-ID: > But is there anyway to do this without overwriting NEWER files that have been > installed into /var (such as /var/db/mysql for mysql?) Also, now I'm nervous to reboot the box. It all seems to be working fine, but I'm afraid certain files having incorrect permissions and/or group/user ownership could cause the box to stop rebooting. Technically, everything boots as root right? From matt at atopia.net Fri Nov 7 13:24:40 2008 From: matt at atopia.net (Matt Juszczak) Date: Fri, 7 Nov 2008 13:24:40 -0500 (EST) Subject: [nycbug-talk] Yup, I did it: chown -R .... In-Reply-To: References: Message-ID: > man mtree shows that mtree supports an exclude list. > > Unless /boot is the directory you mucked up, I don't think you'll have probs > rebooting. Of course, I would fix the permissions using mtree first :-) > > Dru Well, my permissions must be messed up somewhere because: pluto$ man mtree No manual entry for mtree pluto$ man ls No manual entry for ls Does it actually recreate the permissions or just compare them? Is there a way to use it to compare permissions without actually writing anything to disk/making changes? From matt at atopia.net Fri Nov 7 13:28:37 2008 From: matt at atopia.net (Matt Juszczak) Date: Fri, 7 Nov 2008 13:28:37 -0500 (EST) Subject: [nycbug-talk] Yup, I did it: chown -R .... 

> Use the online manpages then:
>
> http://www.freebsd.org/cgi/man.cgi?query=mtree&apropos=0&sektion=0&manpath=FreeBSD+7.0-RELEASE&format=html
>
> Dru

Cool, thanks!

From drulavigne at sympatico.ca Fri Nov 7 13:22:59 2008
From: drulavigne at sympatico.ca (Dru Lavigne)
Date: Fri, 07 Nov 2008 18:22:59 +0000
Subject: [nycbug-talk] Yup, I did it: chown -R ....

>But is there any way to do this without overwriting NEWER files that have
>been installed into /var (such as /var/db/mysql for mysql?)

man mtree shows that mtree supports an exclude list.

Unless /boot is the directory you mucked up, I don't think you'll have probs rebooting. Of course, I would fix the permissions using mtree first :-)

Dru

From matt at atopia.net Fri Nov 7 13:36:15 2008
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 7 Nov 2008 13:36:15 -0500 (EST)
Subject: [nycbug-talk] Yup, I did it: chown -R ....

>> http://www.freebsd.org/cgi/man.cgi?query=mtree&apropos=0&sektion=0&manpath=FreeBSD+7.0-RELEASE&format=html

So it looks like, technically, I can run:

mtree -c -d -i -n -k uname,gname,mode,nochange

for each directory, and then diff the output of that file with the original in /etc/mtree. Is this inefficient?

From drulavigne at sympatico.ca Fri Nov 7 13:27:31 2008
From: drulavigne at sympatico.ca (Dru Lavigne)
Date: Fri, 07 Nov 2008 18:27:31 +0000
Subject: [nycbug-talk] Yup, I did it: chown -R ....

>Well, my permissions must be messed up somewhere because:
>
>pluto$ man mtree
>No manual entry for mtree
>pluto$ man ls
>No manual entry for ls
>
>Does it actually recreate the permissions or just compare them? Is there a
>way to use it to compare permissions without actually writing anything to
>disk/making changes?

Use the online manpages then:

http://www.freebsd.org/cgi/man.cgi?query=mtree&apropos=0&sektion=0&manpath=FreeBSD+7.0-RELEASE&format=html

Dru

From matt at atopia.net Fri Nov 7 13:45:07 2008
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 7 Nov 2008 13:45:07 -0500 (EST)
Subject: [nycbug-talk] Yup, I did it: chown -R ....

OK, I ran:

# mtree -U -p / -f /etc/mtree/BSD.root.dist
# mtree -U -p /usr -f /etc/mtree/BSD.usr.dist
# mtree -U -p /usr/local -f /etc/mtree/BSD.local.dist
# mtree -U -p /usr/include -f /etc/mtree/BSD.include.dist
# mtree -U -p /var -f /etc/mtree/BSD.var.dist

And I've also run:

find / -group users | grep -v "/usr/home" | grep -v "/usr/backup" | grep -v "/var/mail" > /tmp/output

And it has found nothing (meaning nothing that should be owned by group "user" is still owned by group "user" on the server). But I'm still experiencing some issues:

i.e.:

pluto# man ls
No manual entry for ls

At this point, I'm thinking more and more it may be best to make buildworld && make installworld and also rebuild all my ports.

-Matt

From matt at atopia.net Fri Nov 7 13:50:55 2008
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 7 Nov 2008 13:50:55 -0500 (EST)
Subject: [nycbug-talk] Yup, I did it: chown -R ....

> But I'm still experiencing some issues:
>
> i.e.:
>
> pluto# man ls
> No manual entry for ls

Never mind. I'm an idiot. Ignore this. There is no man page for ls.

From matt at atopia.net Fri Nov 7 16:35:13 2008
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 7 Nov 2008 16:35:13 -0500 (EST)
Subject: [nycbug-talk] Yup, I did it: chown -R ....
In-Reply-To: <9333DB81-51FD-4CAB-B44E-0AC420F572F6@tridisha.com>
References: <9333DB81-51FD-4CAB-B44E-0AC420F572F6@tridisha.com>

At least it was production. Here's a shell script that should be tied into "su" or "sudo":

#!/bin/bash
[[ $SICK ]] && exit;

On Fri, 7 Nov 2008, Siobhan P.
Lynch wrote:
>
> I just did the same thing (well similar, I copied passwd, shadow, and group
> files to /etc on a solaris machine, and forgot to make sure the perms were
> correct) on a non-production machine... I also am sick (possible strep
> throat, my son now has Bronchitis, and we're both on Zithromax)
>
> Now I need to go down to the datacenter this weekend and bring it into
> single user mode to fix it...
>
> How fun.
>
> -Trish
>
>
> On Nov 7, 2008, at 12:35 PM, Matt Juszczak wrote:
>
>> New rule to myself: NEVER FORCE YOURSELF to work when you're under the
>> weather.
>>
>> I've felt horrible for a few days now, and it shows. I meant to chown -R
>> root:users /some/directory but ended up doing it to the root. I ctrl-c'd
>> about 2 seconds later but damage was already done.
>>
>> Luckily, I have a few other boxes and I compared them to this one with a
>> custom script and was able to get the group back to where it was, but I'm
>> afraid I set files that shouldn't be owned by root to being owned by root.
>>
>> At this point, I'm just wondering if I'm missing anything, or if there is
>> a program out there that will run through your user:group/permissions
>> settings (of course on system files only) verifying they are set correctly
>> compared to the base install or something.
>>
>> Any suggestions?
>> _______________________________________________
>> talk mailing list
>> talk at lists.nycbug.org
>> http://lists.nycbug.org/mailman/listinfo/talk

From matt at atopia.net Fri Nov 7 23:11:39 2008
From: matt at atopia.net (matt at atopia.net)
Date: Sat, 8 Nov 2008 04:11:39 +0000
Subject: [nycbug-talk] BSD admins: set for life or a domino set waiting to happen?
Message-ID: <1581305780-1226117859-cardhu_decombobulator_blackberry.rim.net-1804672121-@bxe191.bisx.prod.on.blackberry>

It seems like unix jobs are in high demand. While we all have a general understanding of TCP/IP and DNS etc.
Which are things unlikely to change, what's to stop someone from coming out with a replacement to unix that would make our skills immediately go to waste?

What's the future of people with skillsets like us? (my assumption is anyone on this list has at least an average and desirable understanding of unix, etc.). Will the market eventually get so diluted with unix people that it will no longer be in demand?

From mspitzer at gmail.com Sat Nov 8 00:38:46 2008
From: mspitzer at gmail.com (Marc Spitzer)
Date: Sat, 8 Nov 2008 00:38:46 -0500
Subject: [nycbug-talk] BSD admins: set for life or a domino set waiting to happen?
In-Reply-To: <1581305780-1226117859-cardhu_decombobulator_blackberry.rim.net-1804672121-@bxe191.bisx.prod.on.blackberry>
References: <1581305780-1226117859-cardhu_decombobulator_blackberry.rim.net-1804672121-@bxe191.bisx.prod.on.blackberry>
Message-ID: <8c50a3c30811072138q1c708b56l7685b9847a065d27@mail.gmail.com>

People or not particularly good people? They are different answers

Marc

On 11/7/08, matt at atopia.net wrote:
> It seems like unix jobs are in high demand. While we all have a general
> understanding of TCP/IP and DNS etc. Which are things unlikely to change,
> what's to stop someone from coming out with a replacement to unix that would
> make our skills immediately go to waste?
>
> What's the future of people with skillsets like us? (my assumption is anyone
> on this list has at least an average and desirable understanding of unix,
> etc.). Will the market eventually get so diluted with unix people that it
> will no longer be in demand?
>

--
Sent from my mobile device

Freedom is nothing but a chance to be better.
Albert Camus

From matt at atopia.net Sat Nov 8 00:39:57 2008
From: matt at atopia.net (matt at atopia.net)
Date: Sat, 8 Nov 2008 05:39:57 +0000
Subject: [nycbug-talk] BSD admins: set for life or a domino set waiting to happen?
Message-ID: <218309399-1226122787-cardhu_decombobulator_blackberry.rim.net-1113817094-@bxe191.bisx.prod.on.blackberry>

I'm not aware of the differences. Are there bad admins? What defines that?

------Original Message------
From: Marc Spitzer
To: matt at atopia.net
To: talk at lists.nycbug.org
Subject: Re: [nycbug-talk] BSD admins: set for life or a domino set waiting to happen?
Sent: Nov 8, 2008 00:38

People or not particularly good people? They are different answers

Marc

On 11/7/08, matt at atopia.net wrote:
> It seems like unix jobs are in high demand. While we all have a general
> understanding of TCP/IP and DNS etc. Which are things unlikely to change,
> what's to stop someone from coming out with a replacement to unix that would
> make our skills immediately go to waste?
>
> What's the future of people with skillsets like us? (my assumption is anyone
> on this list has at least an average and desirable understanding of unix,
> etc.). Will the market eventually get so diluted with unix people that it
> will no longer be in demand?
>

--
Sent from my mobile device

Freedom is nothing but a chance to be better.
Albert Camus

From akosela at andykosela.com Sat Nov 8 06:55:17 2008
From: akosela at andykosela.com (Andy Kosela)
Date: Sat, 8 Nov 2008 12:55:17 +0100
Subject: [nycbug-talk] BSD admins: set for life or a domino set waiting to happen?
In-Reply-To: <1581305780-1226117859-cardhu_decombobulator_blackberry.rim.net-1804672121-@bxe191.bisx.prod.on.blackberry>
References: <1581305780-1226117859-cardhu_decombobulator_blackberry.rim.net-1804672121-@bxe191.bisx.prod.on.blackberry>
Message-ID: <3cc535c80811080355l3eb505d5qf741a5ebee82163b@mail.gmail.com>

On Sat, Nov 8, 2008 at 5:11 AM, wrote:
> It seems like unix jobs are in high demand.

Maybe you are right, but from my perspective it seems the word Unix should really be termed Linux. When you search job websites it's mostly what you see. As I can agree that it's all Unix basically, and someone coming from Linux environment is looking at the world from a similar perspective as us, BSD people, I also realize and recognize the substantial differences between Linux and BSD worlds. On the more abstract level more similarities occur, but as you go deeper and deeper inside each system you see how much they are really different. Even from a sysadmin perspective maintaining each system is really not so similar (try to use dump(8) on mounted EXT3, where is my sockstat(1), etc.)

My point is that I see many Linux jobs, that's true, but very few for BSD sysadmins. Actually in recent years I see the decline of job offers for BSDs. Take a look at freebsd-jobs@ to see my point. There are some opportunities for kernel hackers as they can go try at Juniper, Cisco, Isilon and similar companies who develop network appliances using FreeBSD code, but try to find me some job offer for FreeBSD system administrator :) I will be the first to look at it :)

--
Andy Kosela
ora et labora

From lego at therac25.net Sat Nov 8 07:02:31 2008
From: lego at therac25.net (Andy Michaels)
Date: Sat, 8 Nov 2008 07:02:31 -0500
Subject: [nycbug-talk] BSD admins: set for life or a domino set waiting to happen?
In-Reply-To: <1581305780-1226117859-cardhu_decombobulator_blackberry.rim.net-1804672121-@bxe191.bisx.prod.on.blackberry>
References: <1581305780-1226117859-cardhu_decombobulator_blackberry.rim.net-1804672121-@bxe191.bisx.prod.on.blackberry>
Message-ID: <47f344f40811080402r79dafedetb47928b51a950141@mail.gmail.com>

On Fri, Nov 7, 2008 at 11:11 PM, wrote:
> It seems like unix jobs are in high demand. While we all have a general understanding of TCP/IP and DNS etc. Which are things unlikely to change, what's to stop
> someone from coming out with a replacement to unix that would make our skills immediately go to waste?

Wasn't Windows supposed to do that? (that's what recruiters have always told me) See how that's worked out?

> What's the future of people with skillsets like us? (my assumption is anyone on this list has at least an average and desirable understanding of unix, etc.).

as with any domain, you need to stay relevant. It's not so much about *what* you know specifically, but you should be able to learn, and have solid conceptual foundations.

> Will the market eventually get so diluted with unix people that it will no longer be in demand?

maybe, but not likely any time soon. I've tried hiring *nix folks and nearly all the people that responded to the job posts were from this list. Seriously.

*nix has a relatively high barrier to entry (time and skillwise). Therefore, people looking to add bulk to their resume are a little less likely to put effort into learning it. During the same hiring efforts I mentioned before, 99% of the respondents (literally hundreds) were MCSEs with absolutely no *nix experience or knowledge. I *specifically* asked for *nix skills.

At the worst, the market may become flooded with people with *nix on their resume, or who are "really interested in checking it out", but probably not with solid *nix people.

-Andy

From ike at lesmuug.org Sat Nov 8 15:35:49 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 8 Nov 2008 15:35:49 -0500
Subject: [nycbug-talk] wpa cracked
Message-ID: <9C1CFC6B-AC96-4C05-A193-E163B551BB65@lesmuug.org>

And more on the wireless arms race:

Migrate to WPA2, (until it gets cracked):
http://isc.sans.org/diary.html?storyid=5315

Rocket-
.ike

From george at ceetonetechnology.com Sat Nov 8 16:16:26 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Sat, 08 Nov 2008 16:16:26 -0500
Subject: [nycbug-talk] wpa cracked
In-Reply-To: <9C1CFC6B-AC96-4C05-A193-E163B551BB65@lesmuug.org>
References: <9C1CFC6B-AC96-4C05-A193-E163B551BB65@lesmuug.org>
Message-ID: <491601AA.8030601@ceetonetechnology.com>

Isaac Levy wrote:
> And more on the wireless arms race:
>
> Migrate to WPA2, (until it gets cracked):
> http://isc.sans.org/diary.html?storyid=5315
>

Yeah. . and don't use TKIP

George

From thomas at zaph.org Sat Nov 8 18:33:15 2008
From: thomas at zaph.org (N.J. Thomas)
Date: Sat, 8 Nov 2008 18:33:15 -0500
Subject: [nycbug-talk] passwordless sudo: yay or nay?
Message-ID: <20081108233315.GV66521@zaph.org>

I've noticed a trend in the past few years where a lot of Unix users (a group in which I clump BSD, Linux, and Mac OS X) are using passwordless sudo.

I've always thought this to be a security risk, if a local account with sudo access is compromised then the attackers have root access, so all my accounts that have blanket sudo access (i.e. "ALL=(ALL) ALL") need to enter a password.

What is the current thinking/best practice on how to setup sudo on PCs and personal Unix-based desktops? Is passwordless sudo okay in this context?

Thomas

From ike at lesmuug.org Sat Nov 8 19:28:56 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sat, 8 Nov 2008 19:28:56 -0500
Subject: [nycbug-talk] wpa cracked
In-Reply-To: <7765c0380811081425p7ecf4ac6mce8e68a58216dd47@mail.gmail.com>
References: <9C1CFC6B-AC96-4C05-A193-E163B551BB65@lesmuug.org> <491601AA.8030601@ceetonetechnology.com> <7765c0380811081425p7ecf4ac6mce8e68a58216dd47@mail.gmail.com>

On Nov 8, 2008, at 5:25 PM, Ray Lai wrote:
> On Sat, Nov 8, 2008 at 4:16 PM, George Rosamond
> wrote:
>> Isaac Levy wrote:
>>> And more on the wireless arms race:
>>>
>>> Migrate to WPA2, (until it gets cracked):
>>> http://isc.sans.org/diary.html?storyid=5315
>>>
>>
>> Yeah. . and don't use TKIP
>
> Or just use IPsec! =)
>
> -Ray-

For encrypted transport, sure- but what about for auth to the AP? Is there some sort of IPSEC-based solution I don't know of?

Rocket-
.ike

From dan at radiusim.com Sat Nov 8 19:46:56 2008
From: dan at radiusim.com (Dan Colish)
Date: Sat, 8 Nov 2008 19:46:56 -0500
Subject: [nycbug-talk] passwordless sudo: yay or nay?
In-Reply-To: <20081108233315.GV66521@zaph.org>
References: <20081108233315.GV66521@zaph.org>

On Sat, Nov 8, 2008 at 6:33 PM, N.J. Thomas wrote:
> I've noticed a trend in the past few years where a lot of Unix users (a group in which I clump BSD, Linux, and Mac OS X) are using passwordless sudo.
>
> I've always thought this to be a security risk, if a local account with sudo access is compromised then the attackers have root access, so all my accounts that have blanket sudo access (i.e. "ALL=(ALL) ALL") need to enter a password.
>
> What is the current thinking/best practice on how to setup sudo on PCs and personal Unix-based desktops? Is passwordless sudo okay in this context?
>
> Thomas

I don't want to speak for everyone, but I believe passwordless sudo is always a mistake. If a user needs to run something without tty, for example, it's better to correct permissions so that user can run the process properly.

From george at ceetonetechnology.com Sat Nov 8 20:03:46 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Sat, 08 Nov 2008 20:03:46 -0500
Subject: [nycbug-talk] passwordless sudo: yay or nay?
References: <20081108233315.GV66521@zaph.org>
Message-ID: <491636F2.3020006@ceetonetechnology.com>

Dan Colish wrote:
>
> On Sat, Nov 8, 2008 at 6:33 PM, N.J. Thomas
> wrote:
> I've noticed a trend in the past few years where a lot of Unix users (a
> group in which I clump BSD, Linux, and Mac OS X) are using passwordless
> sudo.
>
> I've always thought this to be a security risk, if a local account with
> sudo access is compromised then the attackers have root access, so all
> my accounts that have blanket sudo access (i.e. "ALL=(ALL) ALL") need to
> enter a password.
>
> What is the current thinking/best practice on how to setup sudo on PCs
> and personal Unix-based desktops? Is passwordless sudo okay in this
> context?
>
> Thomas
>
> I don't want to speak for everyone, but I believe passwordless sudo is
> always a mistake.
> If a user needs to run something without tty, for
> example, it's better to correct permissions so that user can run the
> process properly.

It really depends on the context, of course. I also use it with passwds, and use that as standard for any multi-user servers, but sometimes I just do it for that extra "you sure?"

Thomas: we won't tell anyone if you do that on your personal unix desktop. promise.

g

From george at ceetonetechnology.com Sat Nov 8 20:09:32 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Sat, 08 Nov 2008 20:09:32 -0500
Subject: [nycbug-talk] wpa cracked
References: <9C1CFC6B-AC96-4C05-A193-E163B551BB65@lesmuug.org> <491601AA.8030601@ceetonetechnology.com> <7765c0380811081425p7ecf4ac6mce8e68a58216dd47@mail.gmail.com>
Message-ID: <4916384C.9010204@ceetonetechnology.com>

Isaac Levy wrote:
> On Nov 8, 2008, at 5:25 PM, Ray Lai wrote:
>
>> On Sat, Nov 8, 2008 at 4:16 PM, George Rosamond
>> wrote:
>>> Isaac Levy wrote:
>>>> And more on the wireless arms race:
>>>>
>>>> Migrate to WPA2, (until it gets cracked):
>>>> http://isc.sans.org/diary.html?storyid=5315
>>>>
>>>
>>> Yeah. . and don't use TKIP
>>
>> Or just use IPsec! =)
>>
>> -Ray-
>
> For encrypted transport, sure- but what about for auth to the AP? Is
> there some sort of IPSEC-based solution I don't know of?
>

More importantly, "hey, ma, unclick TKIP and use AES instead on the router" is easier than "okay, ma, now let's find you an IPSec client. . ."

security<---->usability

Or Ray, do you do free wireless/IPSec support for other people's families too? ;-'

g

From mikel.king at olivent.com Sat Nov 8 20:44:30 2008
From: mikel.king at olivent.com (Mikel King)
Date: Sat, 8 Nov 2008 20:44:30 -0500
Subject: [nycbug-talk] passwordless sudo: yay or nay?
In-Reply-To: <20081108233315.GV66521@zaph.org>
References: <20081108233315.GV66521@zaph.org>

On Nov 8, 2008, at 6:33 PM, N.J.
Thomas wrote:
> I've noticed a trend in the past few years where a lot of Unix users
> (a
> group in which I clump BSD, Linux, and Mac OS X) are using
> passwordless
> sudo.
>
> I've always thought this to be a security risk, if a local account
> with
> sudo access is compromised then the attackers have root access, so all
> my accounts that have blanket sudo access (i.e. "ALL=(ALL) ALL")
> need to
> enter a password.
>
> What is the current thinking/best practice on how to setup sudo on PCs
> and personal Unix-based desktops? Is passwordless sudo okay in this
> context?
>
> Thomas

Thomas,

Yeah it's bad, real bad, and you should never ever ever do it. It will curl your hair, sour your milk, turn your beer into water and cause mold to grow on all of your bread. Oh and of course give you really bad breath.

But all that aside, there are a few instances when it is possibly acceptable.... I find it a good way to protect me from myself especially after spending 18 hours rebuilding a client's server and at 2 am when you just ran out of coffee just before you try to type rm -rf...

Cheers,
m

From okan at demirmen.com Sat Nov 8 21:01:54 2008
From: okan at demirmen.com (Okan Demirmen)
Date: Sat, 8 Nov 2008 21:01:54 -0500
Subject: [nycbug-talk] wpa cracked
References: <9C1CFC6B-AC96-4C05-A193-E163B551BB65@lesmuug.org> <491601AA.8030601@ceetonetechnology.com> <7765c0380811081425p7ecf4ac6mce8e68a58216dd47@mail.gmail.com>
Message-ID: <20081109020154.GA5198@clam.khaoz.org>

On Sat 2008.11.08 at 19:28 -0500, Isaac Levy wrote:
> On Nov 8, 2008, at 5:25 PM, Ray Lai wrote:
>
> > On Sat, Nov 8, 2008 at 4:16 PM, George Rosamond
> > wrote:
> >> Isaac Levy wrote:
> >>> And more on the wireless arms race:
> >>>
> >>> Migrate to WPA2, (until it gets cracked):
> >>> http://isc.sans.org/diary.html?storyid=5315
> >>>
> >>
> >> Yeah. . and don't use TKIP
> >
> > Or just use IPsec! =)
> >
> > -Ray-
>
> For encrypted transport, sure- but what about for auth to the AP?
> Is
> there some sort of IPSEC-based solution I don't know of?

since always. ipsec; i'll say it again so as to interest you to read about it.

From carton at Ivy.NET Sat Nov 8 21:02:17 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Sat, 08 Nov 2008 21:02:17 -0500
Subject: [nycbug-talk] wpa cracked
In-Reply-To: <4916384C.9010204@ceetonetechnology.com> (George Rosamond's message of "Sat, 08 Nov 2008 20:09:32 -0500")
References: <9C1CFC6B-AC96-4C05-A193-E163B551BB65@lesmuug.org> <491601AA.8030601@ceetonetechnology.com> <7765c0380811081425p7ecf4ac6mce8e68a58216dd47@mail.gmail.com> <4916384C.9010204@ceetonetechnology.com>

>>>>> "gr" == George Rosamond writes:

    gr> "hey, ma, unclick TKIP and use AES instead on the router"

It's worse x2.

1. AIUI, wireless chips include AES accelerators for WPA2 which are working at the ~20 - 50Mbit/s rates the chips push, drawing <5W, and extremely cheap, and fit into the network stack in a way that can handle high pps. IPsec accelerators for Cisco with ~20 - 50Mbit/s performance are more expensive, and accelerators built into Ethernet MAC chips do not exist. Accelerators that fit into the stack similarly smoothly close to the line card are only available in really high end stuff like 6500.

2. there are confusing L2/L3 DoS problems that L2 security may help with a little bit (though maybe not help very far with wireless)

I've never implemented WPA2 but what I worry about is MITM by impersonating the AP. Is that prevented somehow? can you even do CHAP with RADIUS? do people actually sign their AP certificates and load the CA certificate onto the clients?

With IPsec that I've seen (Cisco), the former is not possible, and the latter is routine/best-practice---you either use XAuth with Mutual Group Authentication, or else if you refuse to use Aggressive Mode then you use XAuth with certificate authentication, but just load the same certificate on all the clients and let them use different XAuth passwords.

not sure if that made sense---I can ramble longer if needed.

From george at ceetonetechnology.com Sat Nov 8 21:04:00 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Sat, 08 Nov 2008 21:04:00 -0500
Subject: [nycbug-talk] FreeBSD gmirror
Message-ID: <49164510.3090004@ceetonetechnology.com>

Wondering if anyone has used FreeBSD's geom gmirror for production purposes, and what their experiences are.

I'm not a fan of software raid, but decided to make the leap, and it's been pretty seamless in testing. I know sometimes there's issues with different manufacturer's drives (these are SATA) in one mirror, but it tested fine. I could almost call it a pleasant experience.

And no, I'm not running ZFS here. . .

Another related question, has anyone used geom-based UFS journaling with gmirror or on its own?

TIA.

g

From okan at demirmen.com Sat Nov 8 21:05:31 2008
From: okan at demirmen.com (Okan Demirmen)
Date: Sat, 8 Nov 2008 21:05:31 -0500
Subject: [nycbug-talk] wpa cracked
In-Reply-To: <4916384C.9010204@ceetonetechnology.com>
References: <9C1CFC6B-AC96-4C05-A193-E163B551BB65@lesmuug.org> <491601AA.8030601@ceetonetechnology.com> <7765c0380811081425p7ecf4ac6mce8e68a58216dd47@mail.gmail.com> <4916384C.9010204@ceetonetechnology.com>
Message-ID: <20081109020531.GC5198@clam.khaoz.org>

On Sat 2008.11.08 at 20:09 -0500, George Rosamond wrote:
> Isaac Levy wrote:
> > On Nov 8, 2008, at 5:25 PM, Ray Lai wrote:
> >
> >> On Sat, Nov 8, 2008 at 4:16 PM, George Rosamond
> >> wrote:
> >>> Isaac Levy wrote:
> >>>> And more on the wireless arms race:
> >>>>
> >>>> Migrate to WPA2, (until it gets cracked):
> >>>> http://isc.sans.org/diary.html?storyid=5315
> >>>>
> >>>
> >>> Yeah. . and don't use TKIP
> >>
> >> Or just use IPsec!
> >> =)
> >>
> >> -Ray-
> >
> > For encrypted transport, sure- but what about for auth to the AP? Is
> > there some sort of IPSEC-based solution I don't know of?
> >
>
> More importantly, "hey, ma, unclick TKIP and use AES instead on the
> router" is easier than "okay, ma, now let's find you an IPSec client. . ."
>
> security<---->usability
>
> Or Ray, do you do free wireless/IPSec support for other people's
> families too?

but that was not ike's question.

and yes, ray is available anytime for free clicky-clicky support.

From dan at langille.org Sun Nov 9 00:32:05 2008
From: dan at langille.org (Dan Langille)
Date: Sun, 9 Nov 2008 00:32:05 -0500
Subject: [nycbug-talk] FreeBSD gmirror
In-Reply-To: <49164510.3090004@ceetonetechnology.com>
References: <49164510.3090004@ceetonetechnology.com>
Message-ID: <346BC0E4-B040-48E0-80F1-801A18DDFF85@langille.org>

On Nov 8, 2008, at 9:04 PM, George Rosamond wrote:
> Wondering if anyone has used FreeBSD's geom gmirror for production
> purposes, and what their experiences are.

Production? Define please.

I'm using gmirror on my gateway at home, my development box at home, and soon my workstation at the office.

--
Dan Langille
http://langille.org/

From lavalamp at spiritual-machines.org Sun Nov 9 01:00:19 2008
From: lavalamp at spiritual-machines.org (Brian A. Seklecki)
Date: Sun, 9 Nov 2008 01:00:19 -0500 (EST)
Subject: [nycbug-talk] FreeBSD gmirror
In-Reply-To: <346BC0E4-B040-48E0-80F1-801A18DDFF85@langille.org>
References: <49164510.3090004@ceetonetechnology.com> <346BC0E4-B040-48E0-80F1-801A18DDFF85@langille.org>
Message-ID: <20081109005740.I87984@arbitor.digitalfreaks.org>

>> Wondering if anyone has used FreeBSD's geom gmirror for production

It's extremely stable. As far back as 5.3. See my nagios health check on nagiosexchange.org.

We use it on mission critical systems where budgets are tight. Of course, there are system-level and facility-level HA/Failover/DRP arrangements in addition to component level redundancy.

~BAS

From ike at lesmuug.org Sun Nov 9 01:06:20 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sun, 9 Nov 2008 01:06:20 -0500
Subject: [nycbug-talk] wpa cracked
In-Reply-To: <20081109020154.GA5198@clam.khaoz.org>
References: <9C1CFC6B-AC96-4C05-A193-E163B551BB65@lesmuug.org> <491601AA.8030601@ceetonetechnology.com> <7765c0380811081425p7ecf4ac6mce8e68a58216dd47@mail.gmail.com> <20081109020154.GA5198@clam.khaoz.org>
Message-ID: <4344E9DB-88CC-4A40-829F-9B086C128F22@lesmuug.org>

On Nov 8, 2008, at 9:01 PM, Okan Demirmen wrote:
> On Sat 2008.11.08 at 19:28 -0500, Isaac Levy wrote:
>> On Nov 8, 2008, at 5:25 PM, Ray Lai wrote:
>>
>>> On Sat, Nov 8, 2008 at 4:16 PM, George Rosamond
>>> wrote:
>>>> Isaac Levy wrote:
>>>>> And more on the wireless arms race:
>>>>>
>>>>> Migrate to WPA2, (until it gets cracked):
>>>>> http://isc.sans.org/diary.html?storyid=5315
>>>>>
>>>>
>>>> Yeah. . and don't use TKIP
>>>
>>> Or just use IPsec! =)
>>>
>>> -Ray-
>>
>> For encrypted transport, sure- but what about for auth to the AP? Is
>> there some sort of IPSEC-based solution I don't know of?
>
> since always. ipsec; i'll say it again so as to interest you to read
> about it.

OK- I understand the fundamentals of IPSEC- (hell, my name is ike after all :) I even use (and love) IPSEC tunnels, though setup and the various userland tools could be a wee bit more refined, (as with many crypto oriented tools, but I digress...)

--

Excuse my verbosity on these basics, I'm just trying to clarify:

What I'm asking here is this: What about Link Layer (WiFi Access/Auth) controls?

WPA, and WEP, were designed to allow link-access to an Access Point, (as well as an idea of transport encryption). Without Auth control at the link layer, we get:

- DOS problems (too many connected users)
- Too many unauthorized users simply connecting to the AP, malicious or not (connecting whether they get IP connectivity or not...)

(Live in NYC == feel this pain): Plenty of vendor-supplied 'user friendly' software on Windows machines tries to auto-connect to AP's, based on signal strength and IP connectivity- often as a default setting- so it's not like many users even know they are helping hose your AP. Heck- users banging away at the 'Internet Repair Wizard' thingie in an OSX machine can hammer an AP trying to get IP connectivity, after a link is established...

Scale the problem to a busy NYC neighborhood with cafes and apartment buildings, and voilà- hosed- with perhaps zero malicious or trespass intent.

--

So, again I ask- are there any IPSEC auth systems out there for wireless access points?

- If so, where are they in the *BSD world? (e.g. for use with decently supported wireless cards- 802.11foo and 5ghz 802.16bar)
- And if so, where are they in the commercial WiFi access point world? (big RADIUS based systems or small home units- I don't care- I can't find vendor gear after hitting the search engines...)
- And if so, what's it like to use in common practice? Are there any sane tools for managing the key distribution?

Rocket-
.ike

From ike at lesmuug.org Sun Nov 9 01:13:14 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sun, 9 Nov 2008 01:13:14 -0500
Subject: [nycbug-talk] wpa cracked
In-Reply-To: <4916384C.9010204@ceetonetechnology.com>
References: <9C1CFC6B-AC96-4C05-A193-E163B551BB65@lesmuug.org> <491601AA.8030601@ceetonetechnology.com> <7765c0380811081425p7ecf4ac6mce8e68a58216dd47@mail.gmail.com> <4916384C.9010204@ceetonetechnology.com>
Message-ID: <923936FB-BDAB-49BD-851A-64A4E5CE5913@lesmuug.org>

On Nov 8, 2008, at 8:09 PM, George Rosamond wrote:
> More importantly, "hey, ma, unclick TKIP and use AES instead on the
> router" is easier than "okay, ma, now let's find you an IPSec
> client. . ."

Heck- beyond ma's problem- regarding WiFi transport security, (IPSEC to trusted/wired networks), it's cheaper in many environments to drop Cat6 and end this malarkey, than to pay smart techs to muck about twiddling the switches... (these kinds of switches notoriously being buried in different vendor supplied AP hardware...)

>
>
> security<---->usability

Dead on.

Rocket-
.ike

From spork at bway.net Sun Nov 9 01:48:03 2008
From: spork at bway.net (Charles Sprickman)
Date: Sun, 9 Nov 2008 01:48:03 -0500 (EST)
Subject: [nycbug-talk] FreeBSD gmirror
In-Reply-To: <49164510.3090004@ceetonetechnology.com>
References: <49164510.3090004@ceetonetechnology.com>

On Sat, 8 Nov 2008, George Rosamond wrote:

> Wondering if anyone has used FreeBSD's geom gmirror for production
> purposes, and what their experiences are.

I've been running it on 2 production servers for some time. One is a fairly heavily used internal box (a kitchen sink type intranet/monitoring thing) and the other is a backup mxer + secondary DNS. One SATA, one scsi. I have had exactly zero problems with it.

I also have two boxes that will be in production soon running. One in fact because the crappy old Adaptec ZCR card makes its new, very expensive scsi drives only do async transfers - remove ZCR and the same SCSI controller does U160. Gmirror was the only reasonable solution.

Both long time production boxes with it have been tested pretty hard - Level3 was trying to rewire the row of cabinets we're in and screwed it up for 3 nights in a row, with a total of about 5 unexpected power losses. Every damn time the gmirror box came up with no manual intervention. The other box had a mainboard fry and a disk die. Again, no malarkey to deal with.

So far it's been more predictable/stable than most of the older Adaptec controllers I deal with. Performance seems fine to me, at least as good as a mid-level hardware RAID card.
> I'm not a fan of software raid, but decided to make the leap, and it's
> been pretty seamless in testing. I know sometimes there's issues with
> different manufacturer's drives (these are SATA) in one mirror, but it
> tested fine. I could almost call it a pleasant experience.

I like it because like the good old CCD stuff it is very simple and it just works. Not anything like vinum.

> And no, I'm not running ZFS here. . .
>
> Another related question, has anyone used geom-based UFS journaling with
> gmirror or on its own?

Try it and let us know. :)

I found too much conflicting info on the combo to try it.

Charles

> TIA.
>
> g
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
>

From ike at lesmuug.org Sun Nov 9 02:00:37 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sun, 9 Nov 2008 02:00:37 -0500
Subject: [nycbug-talk] FreeBSD gmirror
In-Reply-To: <346BC0E4-B040-48E0-80F1-801A18DDFF85@langille.org>
References: <49164510.3090004@ceetonetechnology.com> <346BC0E4-B040-48E0-80F1-801A18DDFF85@langille.org>
Message-ID: <67368DCC-6E91-48F4-A2CA-B2ED1B2DCDA1@lesmuug.org>

> On Nov 8, 2008, at 9:04 PM, George Rosamond wrote:
>
>> Wondering if anyone has used FreeBSD's geom gmirror for production
>> purposes, and what their experiences are.
>

Sortof- I ran into gmirror for a small emergency, where the disks were both failing on a box I'd never touched before and did not build to begin with.

Noteworthy: In my case, a rare case, I needed physical access to at the very least, unplug the failing drive, so I could see straight (I had to try booting the box on each drive until it came back up). In this instance, I would even hang before the filesystems were being loaded, so it was impossible to troubleshoot from a running system. The failure I was experiencing was intermittent on one drive, S.M.A.R.T didn't catch it even... But this scenario could have happened with hardware RAID, so...
Regardless, I was impressed that with a bit of quick reading, I could simply 'turn off' the Geom Mirror, modify the fstab, remove the bad drive- and voilà, the drive booted as a UFS drive like normal. *Very* cool- saved the day in fact. Client chose to get a second server for backups instead of making a new gmirror (tiny office).

I was simply impressed with how clear gmirror was to use, especially in a pinch.

On Nov 9, 2008, at 12:32 AM, Dan Langille wrote:
> Production? Define please.
>
> I'm using gmirror on my gateway at home, my development box at home,
> and soon my workstation at the office.

I think George is deploying internet-facing servers, (vs desktop use or something), just because I believe I know what he's up to with these boxes. Actually, because of physical proximity, production is a term I use mostly for servers- workstations/desktops have human contact, and therefore different expectations- (a user can push the button, etc...)
http://www.youtube.com/watch?v=8Yr-Pp4PFVA

It's not a bad question though, in the context of mirroring, physical access could play an important role with some RAID schemes- etc...

--
Ya know, without an ounce of sarcasm, I truly would love to hear the definition of 'Production' from others- (or hammer it out on list).

To me, Production tries to label a given software or hardware as proven not to:

- Not fail in ways which take food off my plate (at work)
- Not fail in ways which are unexpected
- Not fail in ways which make me cry (at home)
+ Be Reliable/Proven/Stable/Trusted software in an assumed or given context

Hard metrics aren't always part of Production criteria, (e.g. how many days uptime will it have? etc...)

Although some organizations I've been in have stiff/formal criteria for 'Production' systems, and I've even created this formal criteria, it's always based on context. Any good QA person will explain that context is critical to assessment...
Threat models, business models, usage patterns, and applied value- all affect the meaning of Production.

--
Wikipedia is a blank:
http://en.wikipedia.org/wiki/Production_(information_technology)

Rocket-
.ike

From nycbug at cyth.net Sat Nov 8 17:25:44 2008
From: nycbug at cyth.net (Ray Lai)
Date: Sat, 8 Nov 2008 17:25:44 -0500
Subject: [nycbug-talk] wpa cracked
In-Reply-To: <491601AA.8030601@ceetonetechnology.com>
References: <9C1CFC6B-AC96-4C05-A193-E163B551BB65@lesmuug.org> <491601AA.8030601@ceetonetechnology.com>
Message-ID: <7765c0380811081425p7ecf4ac6mce8e68a58216dd47@mail.gmail.com>

On Sat, Nov 8, 2008 at 4:16 PM, George Rosamond wrote:
> Isaac Levy wrote:
>> And more on the wireless arms race:
>>
>> Migrate to WPA2, (until it gets cracked):
>> http://isc.sans.org/diary.html?storyid=5315
>>
>
> Yeah. . and don't use TKIP

Or just use IPsec! =)

-Ray-

From ike at lesmuug.org Sun Nov 9 02:07:03 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Sun, 9 Nov 2008 02:07:03 -0500
Subject: [nycbug-talk] FreeBSD gmirror
References: <49164510.3090004@ceetonetechnology.com>

On Nov 9, 2008, at 1:48 AM, Charles Sprickman wrote:
> I like it because like the good old CCD stuff it is very simple and it
> just works. Not anything like vinum.

Ah- vinum :) Like IPFW in a world before PF, it rocked as hard as it could IMHO.

NYC*BUG should have some kind of 'Veteran Software (and why it was replaced/displaced/dissed)' meeting sometime, focusing on the ol' reliables...
Rocket-
.ike

From carton at Ivy.NET Sun Nov 9 02:27:44 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Sun, 09 Nov 2008 02:27:44 -0500
Subject: [nycbug-talk] wpa cracked
In-Reply-To: Isaac Levy's message of "Sun, 9 Nov 2008 01:06:20 -0500"
References: <9C1CFC6B-AC96-4C05-A193-E163B551BB65@lesmuug.org> <491601AA.8030601@ceetonetechnology.com> <7765c0380811081425p7ecf4ac6mce8e68a58216dd47@mail.gmail.com> <20081109020154.GA5198@clam.khaoz.org> <4344E9DB-88CC-4A40-829F-9B086C128F22@lesmuug.org> <4916384C.9010204@ceetonetechnology.com> <923936FB-BDAB-49BD-851A-64A4E5CE5913@lesmuug.org>

>>>>> "il" == Isaac Levy writes:

    il> - DOS problems

it's radio. encryption won't help with DoS. There is no such thing as admission control. Anyone can broadcast garbage on the band period. The only choice you can make is, what will you forward and what will you ignore?

    il> Plenty of vendor-supplied 'user friendly' softwares on windows
    il> machines try to auto-connect to AP's, based on signal strength
[...]
    il> cafes and apartment buildings, and voilà- hosed- with perhaps
    il> zero malicious or trespass intent.

I've seen some AP's that seem like they don't have the CPU power or NAT table size to handle normal bittorrent, so I don't doubt that you might have seen a problem with too many associations. but the answer is to get an AP that's not a piece of shit and doesn't crash. auth isn't needed for that.

    il> are there any IPSEC auth systems out there for wireless access
    il> points?

you just set up plain ipsec behind the AP. you can use cisco ipsec which works well, but costs a fair bit on ebay to get at 11g/11a speeds. It's complicated to configure but works well. or else try to use ipsec-tools racoon or openbsd isakmpd or whatever. all probably support XAuth, which is what you need to use ipsec with RADIUS. You also need the mode-config extension which they all support.
And you don't need nat-traversal, which AIUI is still a stupid patch on FreeBSD, and on all the BSD's it fails to do PMTU-D the way Cisco's does.

    il> drop Cat6 and end this malarkey,

It's not unusual for companies to run EAP and the wpa-ish L2 auth, 802-dot-somethingorother, even on wired jacks. logging into a jack with a username and password, or with an X.509 cert, is supported by both Mac and ExPee.

From mspitzer at gmail.com Sun Nov 9 16:50:48 2008
From: mspitzer at gmail.com (Marc Spitzer)
Date: Sun, 9 Nov 2008 16:50:48 -0500
Subject: [nycbug-talk] kvm breakout cable for a ibm x330 server
Message-ID: <8c50a3c30811091350i2c645f9eh16000c21f7168954@mail.gmail.com>

Hello,

does anyone have a breakout kvm cable for an IBM x330 server I could borrow for a couple of days? I am doing some volunteer work for bsdcertification and need to get into the server I am working on. Here are the details:

C2T Cable for IBM x330 x335 06P6210 06P4792

Thanks,

marc

--
Freedom is nothing but a chance to be better.
Albert Camus

From mspitzer at gmail.com Sun Nov 9 17:15:59 2008
From: mspitzer at gmail.com (Marc Spitzer)
Date: Sun, 9 Nov 2008 17:15:59 -0500
Subject: [nycbug-talk] FreeBSD gmirror
In-Reply-To: <67368DCC-6E91-48F4-A2CA-B2ED1B2DCDA1@lesmuug.org>
References: <49164510.3090004@ceetonetechnology.com> <346BC0E4-B040-48E0-80F1-801A18DDFF85@langille.org> <67368DCC-6E91-48F4-A2CA-B2ED1B2DCDA1@lesmuug.org>
Message-ID: <8c50a3c30811091415u671264b8ta8e5a0f6a87811f9@mail.gmail.com>

On Sun, Nov 9, 2008 at 2:00 AM, Isaac Levy wrote:
>
> On Nov 9, 2008, at 12:32 AM, Dan Langille wrote:
>
>> Production? Define please.
>>
>> I'm using gmirror on my gateway at home, my development box at home,
>> and soon my workstation at the office.
>
> I think George is deploying internet-facing servers, (vs desktop use
> or something), just because I believe I know what he's up to with
> these boxes. Actually, because of physical proximity, production is a
> term I use mostly for servers- workstations/desktops have human
> contact, and therefore different expectations- (a user can push the
> button, etc...)
> http://www.youtube.com/watch?v=8Yr-Pp4PFVA
>
> It's not a bad question though, in the context of mirroring, physical
> access could play an important role with some RAID schemes- etc...
>
> --
> Ya know, without an ounce of sarcasm, I truly would love to hear the
> definition of 'Production' from others- (or hammer it out on list).
>
> To me, Production tries to label a given software or hardware as
> proven not to:
>
> - Not fail in ways which take food off my plate (at work)
> - Not fail in ways which are unexpected
> - Not fail in ways which make me cry (at home)
> + Be Reliable/Proven/Stable/Trusted software in an assumed or given
> context
>
> Hard metrics aren't always part of Production criteria, (e.g. how many
> days uptime will it have? etc...)
>
> Although some organizations I've been in have stiff/formal criteria
> for 'Production' systems, and I've even created this formal criteria,
> it's always based on context. Any good QA person will explain that
> context is critical to assessment...
> Threat models, business models, usage patterns, and applied value- all
> affect the meaning of Production.

Production has nothing to do with hardware, conceptually anyway, it is all about services and providing them when you need them. This is really a system design/business process issue, how much redundancy do you want to buy. For example if you have only one disk in a computer it will fail and test your backup/DR policy. And if you have raid one disks your controller will fail and test your backup/DR policy, although this failure is less likely than the first.
This goes on and on until you say I have reached the point of diminishing returns and you stop spending money and accept the remaining risk.

Ah well it irks me when people talk about production hardware as there is no such thing.

marc

> --
> Wikipedia is a blank:
> http://en.wikipedia.org/wiki/Production_(information_technology)
>
> Rocket-
> .ike
>

--
Freedom is nothing but a chance to be better.
Albert Camus

From george at ceetonetechnology.com Mon Nov 10 13:23:42 2008
From: george at ceetonetechnology.com (George Rosamond)
Date: Mon, 10 Nov 2008 13:23:42 -0500
Subject: [nycbug-talk] FreeBSD gmirror
In-Reply-To: <346BC0E4-B040-48E0-80F1-801A18DDFF85@langille.org>
References: <49164510.3090004@ceetonetechnology.com> <346BC0E4-B040-48E0-80F1-801A18DDFF85@langille.org>
Message-ID: <49187C2E.7080809@ceetonetechnology.com>

Dan Langille wrote:
>
> On Nov 8, 2008, at 9:04 PM, George Rosamond wrote:
>
>> Wondering if anyone has used FreeBSD's geom gmirror for production
>> purposes, and what their experiences are.
>
> Production? Define please.
>

"Production" meaning for business . . . b to c or b to b. As opposed to personal use.

> I'm using gmirror on my gateway at home, my development box at home,
> and soon my workstation at the office.

Thanks.

g

From max at neuropunks.org Mon Nov 10 16:44:25 2008
From: max at neuropunks.org (Max Gribov)
Date: Mon, 10 Nov 2008 16:44:25 -0500
Subject: [nycbug-talk] icmp redirects from host A to host A
Message-ID: <4918AB39.6070304@neuropunks.org>

Hi all,
saw this today in dmesg on one of the freebsd servers i have:

icmp redirect from xx.xx.149.215: xx.xx.153.131 => xx.xx.153.131

is that just general brokenness, or is there a reason to do something like that?..
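The dmesg line Max quotes, checked the way RFC 1122 says a host should before honouring a redirect, as an added example that is not code from the thread: the sender must be the router currently used for that destination, and the new gateway must sit on the connected network the redirect came in on, which also keeps a redirect from ever moving a destination to another interface. The host's connected networks, routing table and sample log lines are constructed (RFC 5737 documentation addresses, not the thread's masked ones), and the FreeBSD sysctl names in the closing comment are net.inet.icmp.drop_redirect and net.inet.ip.redirect.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape of the dmesg line quoted in the thread:
#   icmp redirect from <sender>: <destination> => <new gateway>
LOG_RE = re.compile(
    r"icmp redirect from (?P<sender>[\d.]+): (?P<dst>[\d.]+) => (?P<gw>[\d.]+)"
)


@dataclass(frozen=True)
class Redirect:
    sender: ipaddress.IPv4Address       # router that sent the redirect
    destination: ipaddress.IPv4Address  # destination being redirected
    gateway: ipaddress.IPv4Address      # next hop we are asked to use


def parse_redirect(line: str) -> Optional[Redirect]:
    """Pull the three addresses out of a kernel log line, or return None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return Redirect(ipaddress.IPv4Address(m["sender"]),
                    ipaddress.IPv4Address(m["dst"]),
                    ipaddress.IPv4Address(m["gw"]))


# Constructed host view (RFC 5737 documentation ranges): two directly
# connected networks and a routing table mapping prefix -> next hop.
CONNECTED = [ipaddress.IPv4Network("192.0.2.0/24"),
             ipaddress.IPv4Network("203.0.113.0/24")]
ROUTES = {ipaddress.IPv4Network("0.0.0.0/0"): ipaddress.IPv4Address("192.0.2.1")}


def current_gateway(dst, routes=ROUTES):
    """Longest-prefix match: the next hop this host uses for dst today."""
    best = None
    for net, gw in routes.items():
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return None if best is None else best[1]


def on_link_network(addr, connected=CONNECTED):
    """The directly connected network containing addr, if any."""
    return next((net for net in connected if addr in net), None)


def check_redirect(r: Redirect, connected=CONNECTED, routes=ROUTES) -> List[str]:
    """Return the reasons to drop a redirect; an empty list means accept it.

    RFC 1122 3.2.2.2: discard unless the sender is the current first-hop
    gateway for the destination and the new gateway is on the connected
    network the redirect arrived on.
    """
    problems = []
    if current_gateway(r.destination, routes) != r.sender:
        problems.append("sender-not-current-gateway")
    sender_net = on_link_network(r.sender, connected)
    gateway_net = on_link_network(r.gateway, connected)
    if gateway_net is None:
        # A next hop we cannot reach directly is useless and suspicious.
        problems.append("gateway-not-on-link")
    elif sender_net is not None and gateway_net != sender_net:
        # A redirect must never move a destination to another interface.
        problems.append("gateway-changes-interface")
    if r.gateway == r.destination and gateway_net is None:
        # The thread's oddity: "to reach B, talk to B" for an off-link B.
        # There is no usable next hop to install, so nothing to do.
        problems.append("gateway-equals-offlink-destination")
    return problems


def triage(lines, connected=CONNECTED, routes=ROUTES) -> Dict[str, List[str]]:
    """Map every redirect log line to the list of problems found with it."""
    result = {}
    for line in lines:
        r = parse_redirect(line)
        if r is not None:
            result[line] = check_redirect(r, connected, routes)
    return result


# Constructed sample log lines in the same shape as the one in the thread.
SAMPLE_LINES = [
    # Legitimate: our router points us at a second router on the same LAN.
    "icmp redirect from 192.0.2.1: 198.51.100.7 => 192.0.2.2",
    # Same shape as the thread's oddity: gateway equals the destination.
    "icmp redirect from 192.0.2.1: 198.51.100.7 => 198.51.100.7",
    # Not from the router we actually use for that destination.
    "icmp redirect from 192.0.2.99: 198.51.100.7 => 192.0.2.99",
    # From our router, but the new gateway sits on the other interface.
    "icmp redirect from 192.0.2.1: 198.51.100.7 => 203.0.113.5",
]

if __name__ == "__main__":
    for line, problems in triage(SAMPLE_LINES).items():
        print(line, "->", ", ".join(problems) or "accept")
    # The kernel-side equivalent on FreeBSD is the sysctl pair
    # net.inet.icmp.drop_redirect=1 (ignore received redirects) and
    # net.inet.ip.redirect=0 (do not send them when forwarding).
```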
From bonsaime at gmail.com Mon Nov 10 19:46:58 2008
From: bonsaime at gmail.com (Jesse Callaway)
Date: Mon, 10 Nov 2008 19:46:58 -0500
Subject: [nycbug-talk] Fwd: icmp redirects from host A to host A
References: <4918AB39.6070304@neuropunks.org>

On Mon, Nov 10, 2008 at 4:44 PM, Max Gribov wrote:
> Hi all,
> saw this today in dmesg on one of the freebsd servers i have:
> icmp redirect from xx.xx.149.215: xx.xx.153.131 => xx.xx.153.131
>
> is that just general brokenness, or is there a reason to do something
> like that?..
>

I ain't no ICMP expert, but this looks like there's some crap going on.

from wikipedia ...
"RFC1122 states that redirects should only be sent by gateways and should not be sent by Internet hosts."

Even then... accepting routes over ICMP is probably not SOP for most router maintainers I would venture to guess. Something is likely broken. Are you on more than one subnet?

-jesse

From carton at Ivy.NET Mon Nov 10 23:56:43 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Mon, 10 Nov 2008 23:56:43 -0500
Subject: [nycbug-talk] Fwd: icmp redirects from host A to host A
In-Reply-To: (Jesse Callaway's message of "Mon, 10 Nov 2008 19:46:58 -0500")
References: <4918AB39.6070304@neuropunks.org>

>>>>> "jc" == Jesse Callaway writes:

    jc> Even then... accepting routes over ICMP is probably not SOP
    jc> for most router maintainers I would venture to
    jc> guess.

they're either accepted or ignored really quietly. There's nothing to configure except two sysctl knobs: send or not? and obey or not?
They're sent if, for example:

    .1    0.0.0.0/0   via
          1.2.3.0/24  via .2

    .2    0.0.0.0/0   via .1
          1.2.3.0/24  via

    .3    0.0.0.0/0   via .1

In this case, when .3 sends a packet to 1.2.3.4 via .1, then .1 will forward the packet out the same interface it was received albeit with the new destination MAC address, and will also send an ICMP redirect to .3 asking that further packets for 1.2.3.4 go directly to .2. .3 will install a route via .2 for a little while. The route times out, though, like ARP.

And this is very old and is actually implemented on BSD gateways and end-systems, though I don't know if it defaults to on or off.

You can argue about whether this is really a security problem or not. If the redirects were sanity-checked before accepting them such that they can never change a destination's outbound interface, I could see its being implemented with no added danger over arp spoofing. I'm not sure they are sanity-checked, though. I usually turn off accepting redirects with sysctl.

Max's redirect, though, seemed to have the same address in the destination and next-hop fields, so I don't know why it was generated, and that's why I didn't reply before.

From max at neuropunks.org Tue Nov 11 12:10:05 2008
From: max at neuropunks.org (Max Gribov)
Date: Tue, 11 Nov 2008 12:10:05 -0500
Subject: [nycbug-talk] Fwd: icmp redirects from host A to host A
References: <4918AB39.6070304@neuropunks.org>
Message-ID: <4919BC6D.9030103@neuropunks.org>

Miles Nordin wrote:
> Max's redirect, though, seemed to have the same address in the
> destination and next-hop fields, so I don't know why it was generated,
> and that's why I didn't reply before.
>
>

yea, sorry about the confusion - I know what icmp redirect does, but in this case a router on that host's network sent me a redirect saying "if you wanna reach bob, talk to bob" -- kinda silly, so either a misconfiguration or some sort of bizarre practice I've never seen before..

From matt at atopia.net Wed Nov 12 15:08:35 2008
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 12 Nov 2008 15:08:35 -0500 (EST)
Subject: [nycbug-talk] FreeBSD box rebooting itself

Problem started today @ 8:30 AM or so...

Nov 12 07:38:47 pluto sshd[73708]: error: PAM: authentication error for illegal user soandso from ipaddress
Nov 12 08:41:59 pluto syslogd: kernel boot file is /boot/kernel/kernel

So you can see this was a hard reboot since no "reboot" was issued or anything (and I got disk mount complaints later in dmesg):

WARNING: / was not properly dismounted
WARNING: /tmp was not properly dismounted
WARNING: /usr was not properly dismounted

Just happened again about 20 minutes ago.

My first guess is a hardware issue (power supply, etc.), but does anyone know of any other possibilities? I'm hoping this isn't some super hidden reboot root kit or something.

-MJ

From akosela at andykosela.com Wed Nov 12 15:49:16 2008
From: akosela at andykosela.com (Andy Kosela)
Date: Wed, 12 Nov 2008 21:49:16 +0100
Subject: [nycbug-talk] FreeBSD box rebooting itself
Message-ID: <3cc535c80811121249m404465b9mf0120e77785d46ec@mail.gmail.com>

On Wed, Nov 12, 2008 at 9:08 PM, Matt Juszczak wrote:
> Problem started today @ 8:30 AM or so...
>
> Nov 12 07:38:47 pluto sshd[73708]: error: PAM: authentication error for
> illegal user soandso from ipaddress

First, I would cut off those messages by employing some access rules to sshd(8) using pf(4), sshd_config(5) or even good ol' /etc/hosts.allow. Or better yet do it at your gateway firewall if you manage it. I try to never open sshd(8) to worldwide access. But I really doubt your reboots are caused by any issues with sshd(8) security.

--
Andy Kosela
ora et labora

From matt at atopia.net Wed Nov 12 15:57:18 2008
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 12 Nov 2008 15:57:18 -0500 (EST)
Subject: [nycbug-talk] FreeBSD box rebooting itself
In-Reply-To: <3cc535c80811121249m404465b9mf0120e77785d46ec@mail.gmail.com>
References: <3cc535c80811121249m404465b9mf0120e77785d46ec@mail.gmail.com>

> First, I would cut off those messages by employing some access rules
> to sshd(8) using pf(4), sshd_config(5) or even good ol'
> /etc/hosts.allow. Or better yet do it at your gateway firewall if you
> manage it. I try to never open sshd(8) to worldwide access. But I
> really doubt your reboots are caused by any issues with sshd(8)
> security.

To clarify, that user was valid, he just typed his password in wrong. I already have access rules in pf, etc. (and a lovely little shell script) to manage improper ssh access. I was simply putting that in there to show the previous timestamp'd entry before the kernel boot to show it was a hard boot.

-MJ

From skreuzer at exit2shell.com Wed Nov 12 16:11:20 2008
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Wed, 12 Nov 2008 16:11:20 -0500
Subject: [nycbug-talk] FreeBSD box rebooting itself
Message-ID: <463F3642-CF30-46F0-A80F-E0FB5E65E177@exit2shell.com>

On Nov 12, 2008, at 3:08 PM, Matt Juszczak wrote:
> Problem started today @ 8:30 AM or so...
>
> Nov 12 07:38:47 pluto sshd[73708]: error: PAM: authentication error
> for
> illegal user soandso from ipaddress
> Nov 12 08:41:59 pluto syslogd: kernel boot file is /boot/kernel/kernel
>
> So you can see this was a hard reboot since no "reboot" was issued or
> anything (and I got disk mount complaints later in dmesg):
>
> WARNING: / was not properly dismounted
> WARNING: /tmp was not properly dismounted
> WARNING: /usr was not properly dismounted
>
> Just happened again about 20 minutes ago.
>
> My first guess is a hardware issue (power supply, etc.), but does
> anyone
> know of any other possibilities? I'm hoping this isn't some super
> hidden
> reboot root kit or something.

If this machine has been well behaved in the past, chances are that you have a malfunctioning piece of hardware that is causing the kernel to panic. Once the kernel panics the machine will reboot itself.

If you recently did a kernel upgrade, I would check in the cvs tree to see if any of the drivers for your devices had changes made to them recently. If that's the case, it's possible a bug was introduced and you are hitting it.

I suggest you read Chapter 10 in the FreeBSD developers handbook.
http://www.freebsd.org/doc/en/books/developers-handbook/kerneldebug.html

Once you set up a dump device and get a dump of the kernel it will make diagnosing this issue much easier.

--
Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From skreuzer at exit2shell.com Thu Nov 13 14:28:17 2008
From: skreuzer at exit2shell.com (Steven Kreuzer)
Date: Thu, 13 Nov 2008 14:28:17 -0500
Subject: [nycbug-talk] More Macs mean higher IPv6 usage in US
Message-ID: <4CD025DE-FFBE-45FD-894F-BD94E7372C44@exit2shell.com>

Interesting Read:
http://tinyurl.com/6zma7k

Highlights from the Article:

"At the RIPE meeting in Dubai two weeks ago, Google presented results from a study about how IPv6-capable "ordinary users" are. And the results are surprising.
While an earlier study by Arbor Networks showed only 0.0026 percent of all traffic was IPv6 enabled, Google determined that world wide, 0.238 percent of their users' systems have IPv6 enabled and prefer to use IPv6 over IPv4 where possible."

"The top five IPv6-using countries (that generate significant traffic) are: Russia (0.76 percent), France (0.65 percent), Ukraine (0.64 percent), Norway (0.49 percent), and the US (0.45 percent). The notion that IPv6 is much further along in Asia is apparently a myth: China showed 0.24 percent IPv6-enabled users and Japan 0.15 percent."

"In the case of the US, the relatively high IPv6 penetration seems to be the result of Apple's market share being much higher there than elsewhere in the world. It turns out that no less than 52 percent of all IPv6 users have a Mac and use 6to4. Apparently, those users have an Airport Extreme Wi-Fi base station / home router, which has the 6to4 tunneling mechanism enabled."

Steven Kreuzer
http://www.exit2shell.com/~skreuzer

From ike at lesmuug.org Thu Nov 13 18:50:35 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Thu, 13 Nov 2008 18:50:35 -0500
Subject: [nycbug-talk] wpa cracked
References: <9C1CFC6B-AC96-4C05-A193-E163B551BB65@lesmuug.org> <491601AA.8030601@ceetonetechnology.com> <7765c0380811081425p7ecf4ac6mce8e68a58216dd47@mail.gmail.com>
Message-ID: <9B82E575-4EA6-4F53-B1BD-3DC937A0250E@lesmuug.org>

On Nov 13, 2008, at 5:23 PM, dingo wrote:
> On Sat, 8 Nov 2008 19:28:56 -0500, Isaac Levy wrote:
>> On Nov 8, 2008, at 5:25 PM, Ray Lai wrote:
>>
>>> On Sat, Nov 8, 2008 at 4:16 PM, George Rosamond
>>> wrote:
>>>> Isaac Levy wrote:
>>>>> And more on the wireless arms race:
>>>>>
>>>>> Migrate to WPA2, (until it gets cracked):
>>>>> http://isc.sans.org/diary.html?storyid=5315
>>>>>
>>>>
>>>> Yeah. . and don't use TKIP
>>>
>>> Or just use IPsec! =)
>>>
>>> -Ray-
>>
>> For encrypted transport, sure- but what about for auth to the AP?
>
> Are you F'in kidding me?! PFAUTH!
> sheesh

Sounds like you're getting closer to answering my question, but could you point me at PFAUTH information?

Google isn't doing much good...

Rocket-
.ike

From nycbug at cyth.net Thu Nov 13 20:47:11 2008
From: nycbug at cyth.net (Ray Lai)
Date: Thu, 13 Nov 2008 20:47:11 -0500
Subject: [nycbug-talk] wpa cracked
In-Reply-To: <9B82E575-4EA6-4F53-B1BD-3DC937A0250E@lesmuug.org>
References: <9C1CFC6B-AC96-4C05-A193-E163B551BB65@lesmuug.org> <491601AA.8030601@ceetonetechnology.com> <7765c0380811081425p7ecf4ac6mce8e68a58216dd47@mail.gmail.com> <9B82E575-4EA6-4F53-B1BD-3DC937A0250E@lesmuug.org>
Message-ID: <7765c0380811131747v51ef691frd6e0185400e38ab5@mail.gmail.com>

On Thu, Nov 13, 2008 at 6:50 PM, Isaac Levy wrote:
> On Nov 13, 2008, at 5:23 PM, dingo wrote:
>>
>> On Sat, 8 Nov 2008 19:28:56 -0500, Isaac Levy wrote:
>>>
>>> On Nov 8, 2008, at 5:25 PM, Ray Lai wrote:
>>>
>>>> On Sat, Nov 8, 2008 at 4:16 PM, George Rosamond
>>>> wrote:
>>>>>
>>>>> Isaac Levy wrote:
>>>>>>
>>>>>> And more on the wireless arms race:
>>>>>>
>>>>>> Migrate to WPA2, (until it gets cracked):
>>>>>> http://isc.sans.org/diary.html?storyid=5315
>>>>>>
>>>>>
>>>>> Yeah. . and don't use TKIP
>>>>
>>>> Or just use IPsec! =)
>>>>
>>>> -Ray-
>>>
>>> For encrypted transport, sure- but what about for auth to the AP?
>>
>> Are you F'in kidding me?! PFAUTH! sheesh
>
> Sounds like you're getting closer to answering my question, but could you
> point me at PFAUTH information?
>
> Google isn't doing much good...

I think he meant authpf.
-Ray-

From ike at lesmuug.org Thu Nov 13 21:40:23 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Thu, 13 Nov 2008 21:40:23 -0500
Subject: [nycbug-talk] wpa cracked
In-Reply-To: <7765c0380811131747v51ef691frd6e0185400e38ab5@mail.gmail.com>
References: <9C1CFC6B-AC96-4C05-A193-E163B551BB65@lesmuug.org> <491601AA.8030601@ceetonetechnology.com> <7765c0380811081425p7ecf4ac6mce8e68a58216dd47@mail.gmail.com> <9B82E575-4EA6-4F53-B1BD-3DC937A0250E@lesmuug.org> <7765c0380811131747v51ef691frd6e0185400e38ab5@mail.gmail.com>

On Nov 13, 2008, at 8:47 PM, Ray Lai wrote:
>>>>>>>
>>>>>>> http://isc.sans.org/diary.html?storyid=5315
>>>>>>>
>>>>>>
>>>>>> Yeah. . and don't use TKIP
>>>>>
>>>>> Or just use IPsec! =)
>>>>>
>>>>> -Ray-

ike asked,
>>>> For encrypted transport, sure- but what about for auth to the AP?

ray and dingo said something to the effect of:
> I think he meant authpf.

OK- very cool alternative to the ipsec setup, easier for sysadmins (people who use ssh a great deal anyhow), so this is good to know- but- it doesn't help with office or other deployments (where wireless users may not ever use ssh). I guess IPSEC behind the AP, (and deploying certs/passwords/etc

Thanks dingo and ray- learned a new tool here :)

--
However, the crux of my question was answered by Miles, and I can add one thing:

On Nov 9, 2008, at 2:27 AM, Miles Nordin wrote:
> it's radio. encryption won't help with DoS.

WiFi blocking wallpaper (ah-ha!):
http://www.newscientist.com/article/dn6240

> There is no such thing
> as admission control. Anyone can broadcast garbage on the band
> period. The only choice you can make is, what will you forward and
> what will you ignore?
>
> il> Plenty of vendor-supplied 'user friendly' softwares on windows
> il> machines try to auto-connect to AP's, based on signal strength
> [...]
> il> cafes and apartment buildings, and voilà- hosed- with perhaps
> il> zero malicious or trespass intent.
>
> I've seen some AP's that seem like they don't have the CPU power or
> NAT table size to handle normal bittorrent, so I don't doubt that you
> might have seen a problem with too many associations.

In-f'ing-deed I have!

> but the answer
> is to get an AP that's not a piece of shit and doesn't crash. auth
> isn't needed for that.

For this problem, true- but most AP's available simply don't cut it.

The only benefit of WPA, or WEP even- is perhaps a side-effect?: Upon 'bad' auth for association to the AP, most AP's seem to simply quit paying attention to the wireless client which is trying to connect- for a period of time (in seconds). With that, WPA can basically tarpit clients which are trying to auto connect repeatedly. It's all pretty ghetto with most AP gear, but as opposed to having open AP's (even with IPSEC or other behind them), it functionally stops AP association overload.

A real WiFi DDOS is a whole other matter, but I've dealt with this situation around town too many times to not say it's fairly common...

Rocket-
.ike

From matt at atopia.net Fri Nov 21 12:44:11 2008
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 21 Nov 2008 12:44:11 -0500 (EST)
Subject: [nycbug-talk] Desktop

I'm an avid FreeBSD user, and I used to use it on my desktop, but then I got so busy that I didn't have time to work on getting everything working each time I loaded it up, so I switched to Ubuntu for my desktop (servers still FreeBSD across the board).

In any event, I was running Ubuntu 7.10 fine, but 8.10 just came out and I think it's horrible - on my T42, fonts don't look right, it's slow, and I'm just not really happy.

This really does remind me of just how light weight I like things-- I remember running FreeBSD on my old T23 with xfce4 and loving it, but getting things like wifi working, etc. were a pain.

So, I'm curious -- what do all the BSD lovers here use on their desktops? I've seen PCBSD which looks nice.
Do many of you run Ubuntu or some other "work out of box" variant?

Just curious!

-Matt

From ike at lesmuug.org Fri Nov 21 13:13:45 2008
From: ike at lesmuug.org (Isaac Levy)
Date: Fri, 21 Nov 2008 13:13:45 -0500
Subject: [nycbug-talk] Desktop
Message-ID: <66F9EB79-4161-41E7-818F-06BDCF65175B@lesmuug.org>

On Nov 21, 2008, at 12:44 PM, Matt Juszczak wrote:
> I'm an avid FreeBSD user, and I used to use it on my desktop, but
> then I
> got so busy that I didn't have time to work on getting everything
> working
> each time I loaded it up, so I switched to Ubuntu for my desktop
> (servers
> still FreeBSD across the board).
>
> In any event, I was running Ubuntu 7.10 fine, but 8.10 just came out
> and I
> think it's horrible - on my T42, fonts don't look right, it's slow,
> and I'm
> just not really happy.
>
> This really does remind me of just how light weight I like things-- I
> remember running FreeBSD on my old T23 with xfce4 and loving it, but
> getting things like wifi working, etc. were a pain.
>
> So, I'm curious -- what do all the BSD lovers here use on their
> desktops?
> I've seen PCBSD which looks nice. Do many of you run Ubuntu or some
> other
> "work out of box" variant?
>
> Just curious!
>
> -Matt

As a server-junkie and long-time Mac user, (not zealot, just a user), and a user of OpenBSD on my tiny EEEPc, PC-BSD really looks appealing to me...

If you go that route, I'd love to hear how you feel after living with it for a while?!

Rocket-
.ike

From carton at Ivy.NET Fri Nov 21 16:08:59 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Fri, 21 Nov 2008 16:08:59 -0500
Subject: [nycbug-talk] Desktop
In-Reply-To: (Matt Juszczak's message of "Fri, 21 Nov 2008 12:44:11 -0500 (EST)")

>>>>> "mj" == Matt Juszczak writes:

    mj> what do all the BSD lovers here use on their desktops?

I use OpenBSD. The original reason was (1) a friend told me it works well on the X40, so I went out and bought an X40 and ran openbsd on it.
known-good combination. and (2) free wireless drivers providing basic functionality.

It fails both parts. for (1), it mostly works but if you do ANYthing to it while suspended, plug or unplug anything, including DC power, it'll panic or kill the X server. Also I tried to play audio on it, and it started skipping and clicking like the samplerate was wrong somehow. yeah, sure, S2RAM works, but on Linux you can get S2RAM supported by the manufacturer if you buy Acer One or EEE or whatever, and when you don't have S2RAM, Ubuntu can do software-only hibernation to the swap partition, so it's kind of , that's pretty good for 2004, so why don't you go back in time in your OpenBSD-powered time machine and pat yourselves on the back.

for (2), ``basic'' seems to omit any stable chip with 802.11a support. Their favorite, Ralink, doesn't make an 802.11a chip, and their Reyk-freeHAL-based atheros driver doesn't do 802.11a. Also they don't do WPA which seems to have shifted into the Basic category. and I can't get aircrack to work on it consistently. it halfway works I guess. I dunno what's wrong with it.

Honestly wireless is a fucking disaster everywhere though. I am betting the ar5k driver and the new mac80211 framework in Linux is going to school everyone in another 12 months, though. especially with OpenWRT driving them to do some real release engineering. there is some funded development of openwrt by La Fonera and others, and also I think there is a culture of backdoor NDA-breaking information-leaking between chip company insiders and Linux developers because of the new college students, the piraatengeneraation or whatever. I think BSD will always have shittier laptop wireless drivers because it can't run on a real AP: no JFFS2, no squashfs, no execute-in-place, no embedded targets for fashionable chips that people actually use like Atheros SoC or Marvell Orion.

What panned out stunningly well was the ports collection.
The /usr/ports on openbsd have zero knobs, so you can start things
building, walk away, expect to come back and find them working.
Gentoo/FreeBSD/pkgsrc has all those shitty dials that keep stopping your
builds until you fiddle them into a combination that works together.

This would be not so bad if the dials shipped with reasonable settings,
and those settings worked together---in that case, it'd be a superset of
OpenBSD or Ubuntu which comes with no dials. But they don't do this. You
find retarded things like someone disabled GIFs or MP3 support because of
patents with the reasoning ``people should be using oggs and anyway you
can always turn it back on again with the package option.'' Or A4 paper
is a compile-time option. Or else they pander to these fucking OCD
dinosaur retards who are like ``I like to run my machine as lean as
possible. I don't want all these extra packages pulled in. god, why is it
building X when X has NOTHING TO DO with Y. It's just slowing down my
build. That shit should be turned off, that's why I come here.'' so you
find all this broken missing shit, like maybe no manuals because Wilford
Brimley threw a tantrum when he found Java was a build-dependency of Vim
because it was needed by some other package that translated the man page
from XML into nroff/mandoc.

I don't give a shit how long or how much space it takes to build, only
how many times the build craps out, waiting for my attention, hurting my
brain digging through other people's broken spaghetti. Go ahead, build
Java, and use it to make the manuals. Just do it while I'm sleeping so I
can come back to a working system.

OpenBSD produced a working system an order of magnitude faster than
FreeBSD, pkgsrc, gentoo. mostly because of the lack of
pkgoptions/USEflags, though in Gentoo's case also because the BSD
existence of a base system breaks open the circular dependencies.
Anyway I'm just so over this gamer shit that thinks I want to spend a
month ``customizing'' my machine---I feel like these people piss where
they live and then go to Mac OS or Ubuntu or ``live CDs'' and other
panzyass purple-dinosaur distributions so they can escape themselves.


From akosela at andykosela.com Fri Nov 21 15:50:46 2008
From: akosela at andykosela.com (Andy Kosela)
Date: Fri, 21 Nov 2008 21:50:46 +0100
Subject: [nycbug-talk] Desktop
Message-ID: <3cc535c80811211250p1e89e8e9w84bd0890f47f6719@mail.gmail.com>

On Fri, Nov 21, 2008 at 6:44 PM, Matt Juszczak wrote:
> So, I'm curious -- what do all the BSD lovers here use on their desktops?
> I've seen PCBSD which looks nice. Do many of you run Ubuntu or some other
> "work out of box" variant?

Yes, PC-BSD might be a good choice for someone who wants a FreeBSD based
alternative to Ubuntu. Personally though, what I need from a desktop
machine is just a basic X server with a couple of rxvt's opened, that's
why I stick just to openbox and fbpanel. I like to configure everything
from a terminal anyway so I just use FreeBSD. On a general note, I don't
like GUIs at all.

--
Andy Kosela
ora et labora


From thomas at zaph.org Fri Nov 21 16:25:11 2008
From: thomas at zaph.org (N.J. Thomas)
Date: Fri, 21 Nov 2008 16:25:11 -0500
Subject: [nycbug-talk] Desktop
Message-ID: <20081121212511.GC64601@zaph.org>

* Matt Juszczak [2008-11-21 12:44:11+0000]:
> So, I'm curious -- what do all the BSD lovers here use on their
> desktops?

FreeBSD on my desktop, laptop, and work desktop. But apart from
installing the occasional package, I do very little on the desktop that
is OS-specific.
As long as I have my usual editor, shell, window manager and browser, I'd
probably never notice if I was running on some other BSD or Linux.

Thomas


From matt at atopia.net Fri Nov 21 17:37:54 2008
From: matt at atopia.net (Matt Juszczak)
Date: Fri, 21 Nov 2008 17:37:54 -0500 (EST)
Subject: [nycbug-talk] Desktop
In-Reply-To: <3cc535c80811211250p1e89e8e9w84bd0890f47f6719@mail.gmail.com>
References: <3cc535c80811211250p1e89e8e9w84bd0890f47f6719@mail.gmail.com>

> Yes, PC-BSD might be a good choice for someone who wants a FreeBSD
> based alternative to Ubuntu. Personally though, what I need from a
> desktop machine is just a basic X server with a couple of rxvt's
> opened, that's why I stick just to openbox and fbpanel. I like to
> configure everything from a terminal anyway so I just use FreeBSD. On
> a general note, I don't like GUIs at all.

I'm beginning to hate GUIs too. All the fonts and whatever that hurt my
eyes. Drives me crazy. But I do like how with Ubuntu, you can just plug
in a flash drive, etc., and it just works.


From jonathan at kc8onw.net Tue Nov 25 19:19:15 2008
From: jonathan at kc8onw.net (Jonathan)
Date: Tue, 25 Nov 2008 19:19:15 -0500
Subject: [nycbug-talk] Distributed ssh dictionary attacks
Message-ID: <492C9603.2000705@kc8onw.net>

Is anyone else seeing the usual ssh attacks go distributed? I'm seeing
failed usernames from a large variety of addresses going by in a slow
alphabetical list. I guess I will have to actually change ssh to an
alternate port to quiet the logs a bit :P Anyone have any other
suggestions or is that the best workaround these days?

Thanks,
Jonathan

A short section of the log, covers about 30 minutes...
error: PAM: authentication error for illegal user charleen from 71.117.126.102
error: PAM: authentication error for illegal user charleen from 89.96.172.100
error: PAM: authentication error for illegal user charleigh from 200.141.223.99
error: PAM: authentication error for illegal user charleigh from 211.154.254.89
error: PAM: authentication error for illegal user charleigh from 211.154.128.158
error: PAM: authentication error for illegal user charlene from 122.224.128.222
error: PAM: authentication error for illegal user charles from 194.224.118.61
error: PAM: authentication error for illegal user charles from 195.234.169.138
error: PAM: authentication error for illegal user charlie from 62.61.141.93
error: PAM: authentication error for illegal user charlie from 79.188.238.50
error: PAM: authentication error for illegal user charlize from 218.248.79.251


From dan at langille.org Tue Nov 25 21:38:28 2008
From: dan at langille.org (Dan Langille)
Date: Tue, 25 Nov 2008 21:38:28 -0500
Subject: [nycbug-talk] Distributed ssh dictionary attacks
In-Reply-To: <492C9603.2000705@kc8onw.net>
References: <492C9603.2000705@kc8onw.net>
Message-ID: <4DFA0375-B003-470E-8E2C-94C4C029920C@langille.org>

On Nov 25, 2008, at 7:19 PM, Jonathan wrote:

> Is anyone else seeing the usual ssh attacks go distributed? I'm seeing
> failed usernames from a large variety of addresses going by in a slow
> alphabetical list. I guess I will have to actually change ssh to an
> alternate port to quiet the logs a bit :P Anyone have any other
> suggestions or is that the best workaround these days?

Not me. That's my usual suggestion (alternative port number). That, or
restrict SSH to specific sources. Or both.
--
Dan Langille
http://langille.org/


From akosela at andykosela.com Wed Nov 26 07:40:51 2008
From: akosela at andykosela.com (Andy Kosela)
Date: Wed, 26 Nov 2008 13:40:51 +0100
Subject: [nycbug-talk] Distributed ssh dictionary attacks
In-Reply-To: <492C9603.2000705@kc8onw.net>
References: <492C9603.2000705@kc8onw.net>
Message-ID: <3cc535c80811260440k72acd243hb5f188d30206f18@mail.gmail.com>

On Wed, Nov 26, 2008 at 1:19 AM, Jonathan wrote:
> Is anyone else seeing the usual ssh attacks go distributed? I'm seeing
> failed usernames from a large variety of addresses going by in a slow
> alphabetical list. I guess I will have to actually change ssh to an
> alternate port to quiet the logs a bit :P Anyone have any other
> suggestions or is that the best workaround these days?

I think we discussed this not so long ago on this list. pf(4),
sshd_config(5) or hosts_options(5) are usually my options. Also I don't
think it's very reasonable to open sshd(8) to the whole world, just limit
it to specific IPs/networks. In the worst scenario you can even ignore
this type of message as I don't really think that they can be successful
if you follow strict guidelines on strong passwords and disable root ssh
access (which FreeBSD has as a default option). But of course it's best
to get rid of them.

--
Andy Kosela
ora et labora


From dan at radiusim.com Wed Nov 26 08:57:27 2008
From: dan at radiusim.com (Dan Colish)
Date: Wed, 26 Nov 2008 08:57:27 -0500
Subject: [nycbug-talk] Distributed ssh dictionary attacks
In-Reply-To: <3cc535c80811260440k72acd243hb5f188d30206f18@mail.gmail.com>
References: <492C9603.2000705@kc8onw.net> <3cc535c80811260440k72acd243hb5f188d30206f18@mail.gmail.com>

On Wed, Nov 26, 2008 at 7:40 AM, Andy Kosela wrote:
> On Wed, Nov 26, 2008 at 1:19 AM, Jonathan wrote:
> > Is anyone else seeing the usual ssh attacks go distributed? I'm seeing
> > failed usernames from a large variety of addresses going by in a slow
> > alphabetical list.
> > I guess I will have to actually change ssh to an
> > alternate port to quiet the logs a bit :P Anyone have any other
> > suggestions or is that the best workaround these days?
>
> I think we discussed this not so long ago on this list. pf(4),
> sshd_config(5) or hosts_options(5) are usually my options. Also I
> don't think it's very reasonable to open sshd(8) to the whole world,
> just limit it to specific IPs/networks. In the worst scenario you can
> even ignore this type of message as I don't really think that they
> can be successful if you follow strict guidelines on strong passwords
> and disable root ssh access (which FreeBSD has as a default option).
> But of course it's best to get rid of them.
>
> --
> Andy Kosela
> ora et labora

You should check out denyhosts. It will cut down on these attacks from a
single IP because it blocks IPs based on failed attempts. Just be sure to
set the limit so you don't lock yourself out one day.

--Dan


From thomas at zaph.org Wed Nov 26 11:05:30 2008
From: thomas at zaph.org (Thomas)
Date: Wed, 26 Nov 2008 11:05:30 -0500
Subject: [nycbug-talk] Distributed ssh dictionary attacks
In-Reply-To: <492C9603.2000705@kc8onw.net>
References: <492C9603.2000705@kc8onw.net>
Message-ID: <20081126160530.GA92844@zaph.org>

* Jonathan [2008-11-25 19:19:15+0000]:
> Is anyone else seeing the usual ssh attacks go distributed? I'm
> seeing failed usernames from a large variety of addresses going by in a
> slow alphabetical list.

Yup, logwatch(1) mailed me the same thing from my logs this morning.

This problem comes up fairly regularly here.
The usual suggestion is to do one or more of the following:

- change your ssh port number
- set "AllowUsers" to only let in certain users
- use an application-level script like DenyHosts to watch for stuff like
  this and block offending IPs
- use firewall-level filtering as found in pf, et al. to watch for stuff
  like this and block offending IPs
- do nothing

From what I have seen the most common option chosen by far is the last
one.

Thomas


From matt at atopia.net Wed Nov 26 11:12:06 2008
From: matt at atopia.net (Matt Juszczak)
Date: Wed, 26 Nov 2008 11:12:06 -0500 (EST)
Subject: [nycbug-talk] Off topic: Best way to mirror large ftp

I have about 3 TB of data I need to mirror off of an FTP box. Using
traditional methods, it would take me about 16+ days to get all of that
information.

I've looked at things like lftp, and a few other "scripts" out there, but
ideally I would love to find something that can:

1) Index the entire FTP
2) Split the downloads into multiple threads
3) Update the index at any time (the FTP server changes) and download the
   differences (yes, this may be an expensive operation I know)

Any suggestions? Off topic I know, but I've been struggling for some time
now on this issue and I'm hoping some of you fellow sysadmins have some
suggestions.

Thanks!

-Matt


From jonathan at kc8onw.net Wed Nov 26 11:48:26 2008
From: jonathan at kc8onw.net (Jonathan)
Date: Wed, 26 Nov 2008 11:48:26 -0500
Subject: [nycbug-talk] Distributed ssh dictionary attacks
References: <492C9603.2000705@kc8onw.net> <3cc535c80811260440k72acd243hb5f188d30206f18@mail.gmail.com>
Message-ID: <492D7DDA.40200@kc8onw.net>

Dan Colish wrote:
> On Wed, Nov 26, 2008 at 7:40 AM, Andy Kosela wrote:
>
> On Wed, Nov 26, 2008 at 1:19 AM, Jonathan wrote:
> > Is anyone else seeing the usual ssh attacks go distributed? I'm seeing
> > failed usernames from a large variety of addresses going by in a slow
> > alphabetical list.
> > I guess I will have to actually change ssh to an
> > alternate port to quiet the logs a bit :P Anyone have any other
> > suggestions or is that the best workaround these days?
>
> I think we discussed this not so long ago on this list. pf(4),
> sshd_config(5) or hosts_options(5) are usually my options. Also I
> don't think it's very reasonable to open sshd(8) to the whole world,
> just limit it to specific IPs/networks. In the worst scenario you can
> even ignore this type of message as I don't really think that they
> can be successful if you follow strict guidelines on strong passwords
> and disable root ssh access (which FreeBSD has as a default option).
> But of course it's best to get rid of them.
>
> You should check out denyhosts. It will cut down on these attacks from a
> single IP because it blocks IPs based on failed attempts. Just be sure
> to set the limit so you don't lock yourself out one day.

I would do that except the attack is highly distributed and very slow,
it's still trying usernames that start with "c". I'll probably just do
the alternate port option as I can never be sure what address I'll be
coming from and can't filter based on that.

Thanks for taking the time to reply,
Jonathan


From carton at Ivy.NET Wed Nov 26 14:09:50 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Wed, 26 Nov 2008 14:09:50 -0500
Subject: [nycbug-talk] Distributed ssh dictionary attacks
In-Reply-To: <3cc535c80811260440k72acd243hb5f188d30206f18@mail.gmail.com> (Andy Kosela's message of "Wed, 26 Nov 2008 13:40:51 +0100")
References: <492C9603.2000705@kc8onw.net> <3cc535c80811260440k72acd243hb5f188d30206f18@mail.gmail.com>

>>>>> "ak" == Andy Kosela writes:

    ak> I don't think it's very reasonable to open sshd(8) to the
    ak> whole world

what do you use to get into your machines then, GoToMyPeeCee.com?

jesus, of course it's reasonable.

I think we're muddling this with squishy secure-feeling bikeshed
discussion.
The point of PF and other blacklisting was to stop the attackers from
CPU-DoSing you with PFS key negotiations, not fear that one of the stolen
passwords in their database will actually work.

If you have the latter fear, I'd suggest:

(1) don't let users choose their own passwords. Make passwords with
    pwgen, and give users the option to ``generate new password'', but
    not to set it, and force generation of new ones a couple times a
    year. This does two things. First the passwords are good and hard
    to replicate with dictionaries. Second and maybe more importantly,
    it's less convenient for users to use your password on other sites,
    so it's vastly less likely your passwords will end up in the
    attacker's database. Users are so lazy, any crapass VBulletin site
    is functionally a phishing site because they feed the damn thing
    with the one password they use everywhere.

-or-

(2) use pubkey login only, no passwords.

-and-

(3) don't make the (1) stupid-user problem worse. If you ever store a
    PAP-like password in a database, hash it. And OpenID-ify all your
    web2.0 craplets so users can have their convenience without being
    unhygienic.

The reason this new attack has come up is probably that the PF
blacklists _were_ effective at protecting bad passwords underneath. If
you'd kept the two attacks separate in your head before, then this new
variant of it wouldn't cause you any new worry. well...provided you
acted on what was in your head. I don't do (1) or (2) or (3), so the new
attack does cause me some extra worry.

but...yeah...it's starting to look like ``ability to receive plaintext
email at an address confirmed earlier, and the good fortune to have it
arrive unsnooped'' may actually be MORE secure than ``knowledge of a
password negotiated earlier over an encrypted link.''
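Jonathan's log excerpt and Miles's distinction between the two threats (log noise and CPU burn from many connections versus a weak password actually falling) can be checked mechanically. The following is an added example, not code from anyone on the list: it parses lines in the shape Jonathan posted and shows why a per-address counter of the DenyHosts kind never fires against the distributed, alphabetical pattern he describes, while still catching the old single-source burst. The sample log lines and the per-IP threshold of 5 are constructed for the example (addresses are RFC 5737 documentation ranges, not the ones posted).

```python
import re
from collections import Counter

# sshd+PAM failure line as quoted in the thread ("illegal user" = account
# that does not exist on this host).  Any syslog prefix before it is ignored.
FAIL_RE = re.compile(
    r"authentication error for illegal user (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample modelled on Jonathan's excerpt: one attempt per source,
# usernames walking a dictionary in order.  Addresses are RFC 5737
# documentation ranges, not the ones posted to the list.
DISTRIBUTED_LOG = """\
Nov 25 18:50:01 gw sshd[4101]: error: PAM: authentication error for illegal user charleen from 192.0.2.10
Nov 25 18:52:17 gw sshd[4107]: error: PAM: authentication error for illegal user charleen from 198.51.100.7
Nov 25 18:55:40 gw sshd[4112]: error: PAM: authentication error for illegal user charleigh from 203.0.113.99
Nov 25 18:58:03 gw sshd[4118]: error: PAM: authentication error for illegal user charleigh from 192.0.2.77
Nov 25 19:01:22 gw sshd[4123]: error: PAM: authentication error for illegal user charlene from 198.51.100.200
Nov 25 19:04:55 gw sshd[4130]: error: PAM: authentication error for illegal user charles from 203.0.113.5
Nov 25 19:08:10 gw sshd[4135]: error: PAM: authentication error for illegal user charles from 192.0.2.150
Nov 25 19:11:49 gw sshd[4141]: error: PAM: authentication error for illegal user charlie from 198.51.100.33
Nov 25 19:15:02 gw sshd[4146]: error: PAM: authentication error for illegal user charlie from 203.0.113.250
Nov 25 19:18:31 gw sshd[4152]: error: PAM: authentication error for illegal user charlize from 192.0.2.201
"""

# Constructed contrast: the older single-source pattern that Dan Colish's
# DenyHosts suggestion is built for: one address, many attempts, no order.
SINGLE_SOURCE_LOG = "\n".join(
    f"Nov 25 19:30:{s:02d} gw sshd[{5000 + s}]: error: PAM: "
    f"authentication error for illegal user {u} from 203.0.113.1"
    for s, u in enumerate(["admin", "test", "oracle", "guest", "charles", "backup"])
)


def parse_failures(log_text):
    """Return [(user, ip), ...] for every matching line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            events.append((m.group("user"), m.group("ip")))
    return events


def per_source_counts(events):
    """Failures per source address: the only view a per-IP blocker has."""
    return Counter(ip for _, ip in events)


def blocked_by_per_ip_threshold(events, threshold):
    """Addresses a DenyHosts-style counter would block at this threshold."""
    return {ip for ip, n in per_source_counts(events).items() if n >= threshold}


def usernames_in_dictionary_order(events):
    """True when the tried usernames never go backwards alphabetically."""
    users = [u for u, _ in events]
    return all(a <= b for a, b in zip(users, users[1:]))


def classify(events, per_ip_threshold=5):
    """Summarise a window of failures and say which defence it defeats.

    per_ip_threshold is an assumed DenyHosts-style setting (constructed for
    this example).  The distributed verdict needs: enough attempts to judge,
    nearly every attempt from a fresh address, no address near the
    threshold, and usernames arriving in dictionary order.
    """
    counts = per_source_counts(events)
    n = len(events)
    summary = {
        "attempts": n,
        "sources": len(counts),
        "max_per_source": max(counts.values(), default=0),
        "alphabetical": usernames_in_dictionary_order(events),
    }
    if (n >= 5 and summary["sources"] >= 0.8 * n
            and summary["max_per_source"] < per_ip_threshold
            and summary["alphabetical"]):
        summary["verdict"] = ("distributed slow dictionary attack; "
                              "per-IP blocking will not trigger")
    elif summary["sources"] == 1 and n >= per_ip_threshold:
        summary["verdict"] = "single-source brute force; per-IP blocking works"
    else:
        summary["verdict"] = "inconclusive"
    return summary


if __name__ == "__main__":
    for name, log in (("distributed", DISTRIBUTED_LOG),
                      ("single-source", SINGLE_SOURCE_LOG)):
        ev = parse_failures(log)
        print(name, classify(ev),
              "would block:", sorted(blocked_by_per_ip_threshold(ev, 5)))
```

Run against a real `/var/log/auth.log` window, the summary is what tells you whether the "do nothing" option Thomas mentions is actually safe: a distributed verdict means the blocker is not protecting the passwords underneath, which is Miles's point.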
From carton at Ivy.NET Wed Nov 26 14:56:02 2008
From: carton at Ivy.NET (Miles Nordin)
Date: Wed, 26 Nov 2008 14:56:02 -0500
Subject: [nycbug-talk] Distributed ssh dictionary attacks
In-Reply-To: <3cc535c80811261127v2944e8edid14e1097516f481c@mail.gmail.com> (Andy Kosela's message of "Wed, 26 Nov 2008 20:27:59 +0100")
References: <492C9603.2000705@kc8onw.net> <3cc535c80811260440k72acd243hb5f188d30206f18@mail.gmail.com> <3cc535c80811261127v2944e8edid14e1097516f481c@mail.gmail.com>

>>>>> "ak" == Andy Kosela writes:

    ak> If this is not a server with hundreds of users coming from all
    ak> over the world that setup works very nicely

how about one user coming from all over the world: me?

I was trying to say, at least for me I expect access to my machines from
anywhere, so if it's not going to be through ssh then there will be some
kind of VPN or a chain of ssh's bouncing all over the place or some
stupid ad-hoc shit like ``first I VPN in, then i remote-desktop into the
Active Directory DNS server machine and then vnc over to the Mac
webserver, and from there i can ssh back out to anywhere because the NAT
address at that site is whitelisted. except, haha, this one time when
the UPS blew and .''

ssh is one of the simplest and strongest front doors there is, so why
not put it out rather than something else? I would guess it's probably
more bug-free and DoS-hardenable than an IKE daemon, except that
bot-herders probably aren't targeting IKE yet.

Unless you are saying that you can only maintain your machines from
certain physical locations, which does not seem reasonable to me.
From akosela at andykosela.com Wed Nov 26 14:27:59 2008
From: akosela at andykosela.com (Andy Kosela)
Date: Wed, 26 Nov 2008 20:27:59 +0100
Subject: [nycbug-talk] Distributed ssh dictionary attacks
References: <492C9603.2000705@kc8onw.net> <3cc535c80811260440k72acd243hb5f188d30206f18@mail.gmail.com>
Message-ID: <3cc535c80811261127v2944e8edid14e1097516f481c@mail.gmail.com>

On Wed, Nov 26, 2008 at 8:09 PM, Miles Nordin wrote:
>>>>>> "ak" == Andy Kosela writes:
>
>    ak> I don't think it's very reasonable to open sshd(8) to the
>    ak> whole world
>
> what do you use to get into your machines then

I just allow only specific IPs/networks. If this is not a server with
hundreds of users coming from all over the world that setup works very
nicely. Zero noise in the logs.

--
Andy Kosela
ora et labora


From matt at atopia.net Wed Nov 26 15:55:18 2008
From: matt at atopia.net (matt at atopia.net)
Date: Wed, 26 Nov 2008 20:55:18 +0000
Subject: [nycbug-talk] Off topic: Best way to mirror large ftp
Message-ID: <697199041-1227732923-cardhu_decombobulator_blackberry.rim.net-285532527-@bxe342.bisx.prod.on.blackberry>

Marc,

All of your suggestions are helpful, but we only have ftp access. I wish
I could use rsync. We have no shell access to the remote ftp.

Matt

------Original Message------
From: Marc Spitzer
To: Matt Juszczak
Cc: talk at lists.nycbug.org
Subject: Re: [nycbug-talk] Off topic: Best way to mirror large ftp
Sent: Nov 26, 2008 15:49

On Wed, Nov 26, 2008 at 11:12 AM, Matt Juszczak wrote:
> I have about 3 TB of data I need to mirror off of an FTP box. Using
> traditional methods, it would take me about 16+ days to get all of that
> information.
>
> I've looked at things like lftp, and a few other "scripts" out there, but
> ideally I would love to find something that can:
>
> 1) Index the entire FTP

mtree on server?
> 2) Split the downloads into multiple threads

how much bandwidth do you have to work with?

> 3) Update the index at any time (the FTP server changes) and download the
> differences (yes, this may be an expensive operation I know)

run mtree every so often on server?

> Any suggestions? Off topic I know, but I've been struggling for some time
> now on this issue and I'm hoping some of you fellow sysadmins have some
> suggestions.

run the following on the server:
1: run "find . -type d > dir_list"
2: run "find . -type f >file_list"

on client
3: download both files
4: cat dir_list |xargs -n 20 mkdir -p
5: split file_list -l "pick reasonable number"
6: run a bunch of shell scripts to do the fetch, one per output file from 5

.... or just run rsync and let it do its job.

marc

--
Freedom is nothing but a chance to be better. Albert Camus


From okan at demirmen.com Wed Nov 26 16:47:17 2008
From: okan at demirmen.com (Okan Demirmen)
Date: Wed, 26 Nov 2008 16:47:17 -0500
Subject: [nycbug-talk] Off topic: Best way to mirror large ftp
Message-ID: <20081126214717.GB10866@clam.khaoz.org>

On Wed 2008.11.26 at 11:12 -0500, Matt Juszczak wrote:
> I have about 3 TB of data I need to mirror off of an FTP box. Using
> traditional methods, it would take me about 16+ days to get all of that
> information.
>
> I've looked at things like lftp, and a few other "scripts" out there, but
> ideally I would love to find something that can:
>
> 1) Index the entire FTP
> 2) Split the downloads into multiple threads
> 3) Update the index at any time (the FTP server changes) and download the
> differences (yes, this may be an expensive operation I know)
>
> Any suggestions? Off topic I know, but I've been struggling for some time
> now on this issue and I'm hoping some of you fellow sysadmins have some
> suggestions.
mirror


From matt at atopia.net Wed Nov 26 17:08:29 2008
From: matt at atopia.net (matt at atopia.net)
Date: Wed, 26 Nov 2008 22:08:29 +0000
Subject: [nycbug-talk] Off topic: Best way to mirror large ftp
Message-ID: <395185148-1227737314-cardhu_decombobulator_blackberry.rim.net-1224833342-@bxe342.bisx.prod.on.blackberry>

I don't have access to the source box, just the destination box.

------Original Message------
From: Steve Rieger
To: matt at atopia.net
Cc: Marc Spitzer
Cc: talk at lists.nycbug.org
Subject: Re: [nycbug-talk] Off topic: Best way to mirror large ftp
Sent: Nov 26, 2008 16:45

matt at atopia.net wrote:
> Marc,
>
> All of your suggestions are helpful, but we only have ftp access. I wish
> I could use rsync. We have no shell access to the remote ftp.
>
> Matt

mput from the source server


From riegersteve at gmail.com Wed Nov 26 16:45:14 2008
From: riegersteve at gmail.com (Steve Rieger)
Date: Wed, 26 Nov 2008 13:45:14 -0800
Subject: [nycbug-talk] Off topic: Best way to mirror large ftp
In-Reply-To: <697199041-1227732923-cardhu_decombobulator_blackberry.rim.net-285532527-@bxe342.bisx.prod.on.blackberry>
References: <697199041-1227732923-cardhu_decombobulator_blackberry.rim.net-285532527-@bxe342.bisx.prod.on.blackberry>
Message-ID: <492DC36A.90001@gmail.com>

matt at atopia.net wrote:
> Marc,
>
> All of your suggestions are helpful, but we only have ftp access. I wish
> I could use rsync. We have no shell access to the remote ftp.
>
> Matt

mput from the source server


From matt at atopia.net Wed Nov 26 17:12:27 2008
From: matt at atopia.net (matt at atopia.net)
Date: Wed, 26 Nov 2008 22:12:27 +0000
Subject: [nycbug-talk] Off topic: Best way to mirror large ftp
Message-ID: <729428343-1227737551-cardhu_decombobulator_blackberry.rim.net-1046160806-@bxe342.bisx.prod.on.blackberry>

Wget supports ftp mirroring?
------Original Message------
From: Steve Rieger
To: matt at atopia.net
Cc: Marc Spitzer
Cc: talk at lists.nycbug.org
Subject: Re: [nycbug-talk] Off topic: Best way to mirror large ftp
Sent: Nov 26, 2008 17:09

matt at atopia.net wrote:
> I don't have access to the source box, just the destination box.

then from the dest server use wget


From riegersteve at gmail.com Wed Nov 26 17:15:45 2008
From: riegersteve at gmail.com (Steve Rieger)
Date: Wed, 26 Nov 2008 14:15:45 -0800
Subject: [nycbug-talk] Off topic: Best way to mirror large ftp
In-Reply-To: <729428343-1227737551-cardhu_decombobulator_blackberry.rim.net-1046160806-@bxe342.bisx.prod.on.blackberry>
References: <729428343-1227737551-cardhu_decombobulator_blackberry.rim.net-1046160806-@bxe342.bisx.prod.on.blackberry>
Message-ID: <492DCA91.4080208@gmail.com>

matt at atopia.net wrote:
> Wget supports ftp mirroring?

http://www.editcorp.com/Personal/Lars_Appel/wget/v1/wget_7.html


From riegersteve at gmail.com Wed Nov 26 17:14:14 2008
From: riegersteve at gmail.com (Steve Rieger)
Date: Wed, 26 Nov 2008 14:14:14 -0800
Subject: [nycbug-talk] Off topic: Best way to mirror large ftp
In-Reply-To: <729428343-1227737551-cardhu_decombobulator_blackberry.rim.net-1046160806-@bxe342.bisx.prod.on.blackberry>
References: <729428343-1227737551-cardhu_decombobulator_blackberry.rim.net-1046160806-@bxe342.bisx.prod.on.blackberry>
Message-ID: <492DCA36.4000604@gmail.com>

matt at atopia.net wrote:
> Wget supports ftp mirroring?
>

yes sir

easiest way is -m

wget --help will show you, it also supports retries, timeouts, and many
more options


From riegersteve at gmail.com Wed Nov 26 17:09:20 2008
From: riegersteve at gmail.com (Steve Rieger)
Date: Wed, 26 Nov 2008 14:09:20 -0800
Subject: [nycbug-talk] Off topic: Best way to mirror large ftp
In-Reply-To: <395185148-1227737314-cardhu_decombobulator_blackberry.rim.net-1224833342-@bxe342.bisx.prod.on.blackberry>
References: <395185148-1227737314-cardhu_decombobulator_blackberry.rim.net-1224833342-@bxe342.bisx.prod.on.blackberry>
Message-ID: <492DC910.9090806@gmail.com>

matt at atopia.net wrote:
> I don't have access to the source box, just the destination box.

then from the dest server use wget


From mspitzer at gmail.com Wed Nov 26 15:49:00 2008
From: mspitzer at gmail.com (Marc Spitzer)
Date: Wed, 26 Nov 2008 15:49:00 -0500
Subject: [nycbug-talk] Off topic: Best way to mirror large ftp
Message-ID: <8c50a3c30811261249h7611a68bx43a80e5fbbdaa6fe@mail.gmail.com>

On Wed, Nov 26, 2008 at 11:12 AM, Matt Juszczak wrote:
> I have about 3 TB of data I need to mirror off of an FTP box. Using
> traditional methods, it would take me about 16+ days to get all of that
> information.
>
> I've looked at things like lftp, and a few other "scripts" out there, but
> ideally I would love to find something that can:
>
> 1) Index the entire FTP

mtree on server?

> 2) Split the downloads into multiple threads

how much bandwidth do you have to work with?

> 3) Update the index at any time (the FTP server changes) and download the
> differences (yes, this may be an expensive operation I know)

run mtree every so often on server?

> Any suggestions? Off topic I know, but I've been struggling for some time
> now on this issue and I'm hoping some of you fellow sysadmins have some
> suggestions.

run the following on the server:
1: run "find . -type d > dir_list"
2: run "find . -type f >file_list"

on client
3: download both files
4: cat dir_list |xargs -n 20 mkdir -p
5: split file_list -l "pick reasonable number"
6: run a bunch of shell scripts to do the fetch, one per output file from 5

.... or just run rsync and let it do its job.

marc

--
Freedom is nothing but a chance to be better. Albert Camus


From bonsaime at gmail.com Wed Nov 26 23:14:04 2008
From: bonsaime at gmail.com (Jesse Callaway)
Date: Wed, 26 Nov 2008 23:14:04 -0500
Subject: [nycbug-talk] Off topic: Best way to mirror large ftp

On Wed, Nov 26, 2008 at 11:12 AM, Matt Juszczak wrote:
> I have about 3 TB of data I need to mirror off of an FTP box. Using
> traditional methods, it would take me about 16+ days to get all of that
> information.
>
> I've looked at things like lftp, and a few other "scripts" out there, but
> ideally I would love to find something that can:
>
> 1) Index the entire FTP
> 2) Split the downloads into multiple threads
> 3) Update the index at any time (the FTP server changes) and download the
> differences (yes, this may be an expensive operation I know)
>
> Any suggestions? Off topic I know, but I've been struggling for some time
> now on this issue and I'm hoping some of you fellow sysadmins have some
> suggestions.
>
> Thanks!
>
> -Matt

Really, lftp and ncftp are the only decent clients for this sort of
thing. If you use lftp make sure to tune the number of parallel threads
to something realistic, but greater than say 3. lftp is very fancy, and
is about as feature rich as wget, so you have to experiment with it to
make it run the way you mean it to.

ncftp works as well, but the number of knobs it has for checking
"sameness" of the remote vs local version of a file is much fewer. This
makes it slower, since you have to clobber if there's any doubt.
Both have some seriously cool batching options. If you use an ftp client
more than once a day there are really no other options. I use ncftp for
everyday, and lftp if I have to do heavy lifting.

So, I say stick with lftp. It's a pain at first because it can sometimes
hang or skip files, but keep working with it.

-jesse
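The bookkeeping behind Matt's three requirements (index the tree, fetch in parallel, re-index and fetch only the differences) and Marc's split-the-file-list procedure, as an added example that is not code from anyone on the list. It works from the client side only, since there is no shell on the remote box: the listing shape is a hypothetical stand-in for what ftplib's MLSD would return, the two listings are constructed inline, and the byte-balanced split is my generalisation of Marc's `split -l`, which balances line counts rather than bytes.

```python
import heapq


def build_index(listing):
    """listing: iterable of (path, size, mtime) -> {path: (size, mtime)}.

    Hypothetical input shape; a real run would fill it from ftplib's MLSD
    (or a parsed LIST) on the remote tree, since there is no shell there.
    """
    return {path: (int(size), str(mtime)) for path, size, mtime in listing}


def diff_index(old, new):
    """(to_fetch, to_delete): paths new or changed, and paths gone remotely."""
    to_fetch = sorted(p for p, meta in new.items() if old.get(p) != meta)
    to_delete = sorted(p for p in old if p not in new)
    return to_fetch, to_delete


def needed_dirs(paths):
    """Parent directories to mkdir -p before fetching (Marc's step 4)."""
    return sorted({p.rsplit("/", 1)[0] for p in paths if "/" in p})


def partition_by_size(index, paths, workers):
    """Split the fetch list across workers so each moves about the same
    number of bytes.  Marc's `split -l` gives equal *counts*; with 3 TB of
    mixed file sizes that can leave one worker holding all the big files.
    Greedy largest-first onto the least-loaded worker (LPT scheduling)."""
    heap = [(0, i, []) for i in range(workers)]       # (bytes, id, paths)
    heapq.heapify(heap)
    for p in sorted(paths, key=lambda q: index[q][0], reverse=True):
        load, i, bucket = heapq.heappop(heap)
        bucket.append(p)
        heapq.heappush(heap, (load + index[p][0], i, bucket))
    return [bucket for _, _, bucket in sorted(heap, key=lambda t: t[1])]


# Constructed listings standing in for two MLSD runs a day apart.
YESTERDAY = build_index([
    ("pub/a.iso", 700_000_000, "20081125120000"),
    ("pub/b.iso", 650_000_000, "20081125120000"),
    ("pub/docs/notes.txt", 2_000, "20081125120000"),
    ("pub/old.tgz", 50_000_000, "20081125120000"),
])
TODAY = build_index([
    ("pub/a.iso", 700_000_000, "20081125120000"),        # unchanged
    ("pub/b.iso", 655_000_000, "20081126090000"),        # grew
    ("pub/docs/notes.txt", 2_100, "20081126090000"),     # rewritten
    ("pub/new/c.iso", 300_000_000, "20081126090000"),    # new
])


def plan(old, new, workers):
    """Everything a driver needs: dirs to create, per-worker fetch lists,
    and what to remove locally so the mirror tracks the server."""
    to_fetch, to_delete = diff_index(old, new)
    return {
        "mkdir": needed_dirs(to_fetch),
        "workers": partition_by_size(new, to_fetch, workers),
        "delete": to_delete,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(plan(YESTERDAY, TODAY, 2), indent=2))
```

Each entry of `workers` is one fetch list in the sense of Marc's step 6; on the first run `old` is simply an empty dict and every file is fetched.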