Discussion:
Did Youtube not pay their domain bill?
(too old to reply)
s***@nethelp.no
2008-05-03 13:27:44 UTC
Permalink
Did Youtube not pay their domain bill?

% dig @a.gtld-servers.net. ns yotube.com

yotube.com. 2D IN NS ns1.parked.com.
yotube.com. 2D IN NS ns2.parked.com.

Steinar Haug, Nethelp consulting, ***@nethelp.no
Niels Bakker
2008-05-03 13:29:06 UTC
Permalink
Post by s***@nethelp.no
Did Youtube not pay their domain bill?
^^
^
Still early, Steinar?


-- Niels.

--
s***@nethelp.no
2008-05-03 13:35:45 UTC
Permalink
Post by Niels Bakker
Post by s***@nethelp.no
Did Youtube not pay their domain bill?
^^
^
Still early, Steinar?
You're right, clearly insufficient amounts of coffee here...

Steinar Haug, Nethelp consulting, ***@nethelp.no
Kipkemoi Kibiego
2008-05-03 13:33:01 UTC
Permalink
yotube.com != youtube.com
Post by s***@nethelp.no
Did Youtube not pay their domain bill?
yotube.com. 2D IN NS ns1.parked.com.
yotube.com. 2D IN NS ns2.parked.com.
_______________________________________________
NANOG mailing list
http://mailman.nanog.org/mailman/listinfo/nanog
----------------------------------------------
This message has been scanned for viruses and
dangerous content by Jambo MailScanner, and is
believed to be clean.
---------------------------------------------
"easy access to the world"
Eric Spaeth
2008-05-03 13:40:56 UTC
Permalink
Still down either way...

===================================================
; <<>> DiG 9.2.4 <<>> dns1.sjl.youtube.com @a.gtld-servers.net
; (2 servers found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22563
;; flags: qr rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;dns1.sjl.youtube.com. IN A

;; ADDITIONAL SECTION:
dns1.sjl.youtube.com. 172800 IN A 208.65.152.201
dns2.sjl.youtube.com. 172800 IN A 208.65.152.137
===================================================


===================================================
; <<>> DiG 9.2.4 <<>> www.youtube.com @208.65.152.201
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached

; <<>> DiG 9.2.4 <<>> www.youtube.com @208.65.152.137
; (1 server found)
;; global options: printcmd
;; connection timed out; no servers could be reached
===================================================
Post by Kipkemoi Kibiego
yotube.com != youtube.com
Post by s***@nethelp.no
Did Youtube not pay their domain bill?
yotube.com. 2D IN NS ns1.parked.com.
yotube.com. 2D IN NS ns2.parked.com.
_______________________________________________
NANOG mailing list
http://mailman.nanog.org/mailman/listinfo/nanog
----------------------------------------------
This message has been scanned for viruses and
dangerous content by Jambo MailScanner, and is
believed to be clean.
---------------------------------------------
"easy access to the world"
_______________________________________________
NANOG mailing list
http://mailman.nanog.org/mailman/listinfo/nanog
Randy Bush
2008-05-03 13:45:57 UTC
Permalink
Post by Eric Spaeth
dns1.sjl.youtube.com. 172800 IN A 208.65.152.201
dns2.sjl.youtube.com. 172800 IN A 208.65.152.137
2182 lesson again, probably. after all, microsoft/hotmail/... being
borked for a day can't happen to me!

randy
Brant I. Stevens
2008-05-03 13:50:16 UTC
Permalink
Maybe that block is anycasted?
Post by Randy Bush
Post by Eric Spaeth
dns1.sjl.youtube.com. 172800 IN A 208.65.152.201
dns2.sjl.youtube.com. 172800 IN A 208.65.152.137
2182 lesson again, probably. after all, microsoft/hotmail/... being
borked for a day can't happen to me!
randy
_______________________________________________
NANOG mailing list
http://mailman.nanog.org/mailman/listinfo/nanog
Eric Spaeth
2008-05-03 14:16:50 UTC
Permalink
If they were anycasted, shouldn't they be reachable from _somewhere_
? Those servers are dead from the 4 corners of the US that I have
resources to use for testing.
Post by Brant I. Stevens
Maybe that block is anycasted?
David Coulson
2008-05-03 14:25:42 UTC
Permalink
Depends - It doesn't help if the DNS server is dead, but the front-end
is still advertising the routes.

It came back to life for me a few moments ago (via Cogent) and it looks
like the routing did not change (there is a bunch of 10/8 stuff in the
traceroute).
Post by Eric Spaeth
If they were anycasted, shouldn't they be reachable from _somewhere_
? Those servers are dead from the 4 corners of the US that I have
resources to use for testing.
Marshall Eubanks
2008-05-03 15:03:00 UTC
Permalink
I received a report from a user at 9:46 EDT that they couldn't access
youtube, so at least some users
were affected.

Regards
Marshall
Post by David Coulson
Depends - It doesn't help if the DNS server is dead, but the front-end
is still advertising the routes.
It came back to life for me a few moments ago (via Cogent) and it looks
like the routing did not change (there is a bunch of 10/8 stuff in the
traceroute).
Post by Eric Spaeth
If they were anycasted, shouldn't they be reachable from _somewhere_
? Those servers are dead from the 4 corners of the US that I have
resources to use for testing.
_______________________________________________
NANOG mailing list
http://mailman.nanog.org/mailman/listinfo/nanog
s***@nethelp.no
2008-05-03 15:07:36 UTC
Permalink
Post by David Coulson
Depends - It doesn't help if the DNS server is dead, but the front-end
is still advertising the routes.
It came back to life for me a few moments ago (via Cogent) and it looks
like the routing did not change (there is a bunch of 10/8 stuff in the
traceroute).
Looks like it's back here. However, they clearly have more problems.
At the moment, the two name servers that the youtube.com domain is
delegated to,

dns1.sjl.youtube.com. 1H IN A 208.65.152.201
dns2.sjl.youtube.com. 1H IN A 208.65.152.137

reply ok. However, they reply that the youtube.com domain is served by

youtube.com. 1H IN NS dns1.sjl.youtube.com.
youtube.com. 1H IN NS dns2.sjl.youtube.com.
youtube.com. 1H IN NS dns3.sjl.youtube.com.
youtube.com. 1H IN NS sjl-ins2.sjl.youtube.com.

but reply with NXDOMAIN when asked for the A of sjl-ins2.sjl.youtube.com.

Steinar Haug, Nethelp consulting, ***@nethelp.no
Mike Lewinski
2008-05-03 17:27:41 UTC
Permalink
Post by David Coulson
Depends - It doesn't help if the DNS server is dead, but the front-end
is still advertising the routes.
Possibly a good argument for allowing the DNS servers to originate the
routes for them...? I've seen configuration where the routes were
injected based on link state via crossover cable, so at least if the
whole machine pukes the route is dropped. But if the resolver or OS
itself is just hung then yeah...

Mike
Kevin Blackham
2008-05-03 19:23:15 UTC
Permalink
We did that with our internally anycasted recursors at my former
network. A script withdraws the routes if bind isn't answering. Works
great.
Post by Mike Lewinski
Post by David Coulson
Depends - It doesn't help if the DNS server is dead, but the front-end
is still advertising the routes.
Possibly a good argument for allowing the DNS servers to originate the
routes for them...? I've seen configuration where the routes were
injected based on link state via crossover cable, so at least if the
whole machine pukes the route is dropped. But if the resolver or OS
itself is just hung then yeah...
Mike
_______________________________________________
NANOG mailing list
http://mailman.nanog.org/mailman/listinfo/nanog
Steve Gibbard
2008-05-03 22:10:56 UTC
Permalink
Post by Mike Lewinski
Post by David Coulson
Depends - It doesn't help if the DNS server is dead, but the front-end
is still advertising the routes.
Possibly a good argument for allowing the DNS servers to originate the
routes for them...? I've seen configuration where the routes were
Running Quagga or something similar on the anycasted server to announce
the routes is the standard way of setting up anycast. That way, if the
server fails completely, the route goes away.

A common improvement on that is to run a script on the server that checks
to make sure the name server process is running and responding correctly,
and kills BGP if it isn't. That covers cases where named has problems
that don't take down the whole server.

The first one depends heavily on the server, if it's going to fail,
failing the right way. If it loses power or stops all processes, the
route goes away and traffic gets redirected elsewhere. If named dies or
stops responding, you're stuck. The second method solves a lot of that
sort of problems, but there are still conceivable situations where the
server would get into a state of partial failure and be unable to withdraw
the route. Still, that's probably the best option. Another approach
would be to run the monitoring script and BGP process on a separate host
that would presumably be healthy even when the name server host is in
trouble. That approach has issues too, in that you lose the guarantee
that the route will go away if the name server box is turned off.

The right solution is to design the anycast servers to be as sure as
possible that the route will go away when you want it gone, but to have
multiple non-interdependent anycast clouds in the NS records for each
zone. If the local node in one cloud does fail improperly, something will
still be responding on the other cloud's IP address.

Note that any of these failure scenarios is still preferable to what you
get with unicast servers. With unicast, if the server has trouble, the
route always stays up, and the the traffic always ends up in a black hole.

-Steve
Paul Vixie
2008-05-04 16:19:53 UTC
Permalink
Post by Steve Gibbard
Post by Mike Lewinski
Post by David Coulson
Depends - It doesn't help if the DNS server is dead, but the front-end
is still advertising the routes.
Possibly a good argument for allowing the DNS servers to originate the
routes for them...? I've seen configuration where the routes were
Running Quagga or something similar on the anycasted server to announce
the routes is the standard way of setting up anycast. That way, if the
server fails completely, the route goes away.
that's what joe said to do in <http://www.isc.org/pubs/tn/isc-tn-2004-1.txt>.
Post by Steve Gibbard
A common improvement on that is to run a script on the server that checks
to make sure the name server process is running and responding correctly,
and kills BGP if it isn't. That covers cases where named has problems
that don't take down the whole server.
in ISC-TN-2004-1 [ibid], appendix D, joe suggests bringing up and down the
interface BIND listens on (which presumes that it's a dedicated loopback
like lo1 whose address is covered by a quagga route advertisement rule).

note that joe's example brings up the interface before starting the name
server program, and bringing it down if the name server program exits.
this presumes that the name server will start very quickly, and that while
running, it is healthy. since i've seen name server programs be unhealthy
while running, and/or take a long time to start, i'm now considering an
outboard shell script that runs some kind of DNS query and decides, based
on the result, whether to bring the dedicated loopback interface up or down.
Post by Steve Gibbard
...
The right solution is to design the anycast servers to be as sure as
possible that the route will go away when you want it gone, but to have
multiple non-interdependent anycast clouds in the NS records for each
zone. If the local node in one cloud does fail improperly, something will
still be responding on the other cloud's IP address.
the need for multiple independent anycast clouds is an RFC 2182 topic, but
joe's innovation both in ISC-TN-2004-1 and in his earlier ISC-TN-2003-1 (see
<http://www.isc.org/pubs/tn/isc-tn-2003-1.txt> is that if each anycast cluster
is really several servers, each using OSPF ECMP, then you can lose a server
and still have that cluster advertising the route upstream, and only when you
lose all servers in a cluster will that route be withdrawn.
Post by Steve Gibbard
Note that any of these failure scenarios is still preferable to what you
get with unicast servers. With unicast, if the server has trouble, the
route always stays up, and the the traffic always ends up in a black hole.
here, the real problem is the route staying up, which also blackholes anycast.
the only things DNS anycast universally buys you are DDoS resilience and
hot swap. anything else anycast can do (high availability, low avg. RTT, etc)
can also be engineered using a unicast design, though probably at higher TCO.
--
Paul Vixie
Deepak Jain
2008-05-05 04:32:35 UTC
Permalink
Post by Paul Vixie
note that joe's example brings up the interface before starting the name
server program, and bringing it down if the name server program exits.
this presumes that the name server will start very quickly, and that while
running, it is healthy. since i've seen name server programs be unhealthy
while running, and/or take a long time to start, i'm now considering an
outboard shell script that runs some kind of DNS query and decides, based
on the result, whether to bring the dedicated loopback interface up or down.
All deference to this model, we've all seen these kinds of problems with
name servers. We *can* be certain that bringing a loopback interface up
or down takes almost no time (with the implied effect to a speaker like
Quagga). There is *no* reason with a sufficiently deep name server depth
(depends on your load) that your monitoring script should *need* to
hurry to test this condition. Every 5-10 or even 15 minutes to see if
its eligible to bring up, more frequently to see if its eligible to take
down. This also reduces oscillation.

This means, bring up/kill off your name server in one cronjob
(automatically taking the interface down at the end or after a kill),
and monitor/talk to the interface in another (up function and sometimes
the down).

You'll be much happier.

Deepak Jain
AiNET
Steve Gibbard
2008-05-05 10:25:51 UTC
Permalink
Post by Paul Vixie
Post by Steve Gibbard
The right solution is to design the anycast servers to be as sure as
possible that the route will go away when you want it gone, but to have
multiple non-interdependent anycast clouds in the NS records for each
zone. If the local node in one cloud does fail improperly, something will
still be responding on the other cloud's IP address.
the need for multiple independent anycast clouds is an RFC 2182 topic, but
joe's innovation both in ISC-TN-2004-1 and in his earlier ISC-TN-2003-1 (see
<http://www.isc.org/pubs/tn/isc-tn-2003-1.txt> is that if each anycast cluster
is really several servers, each using OSPF ECMP, then you can lose a server
and still have that cluster advertising the route upstream, and only when you
lose all servers in a cluster will that route be withdrawn.
This is getting into minutia, but using multipath BGP will also accomplish
this without having to get the route from OSPF to BGP. This simplifies
things a bit, and makes it safer to have the servers and routers under
independent control.

But yes, Joe's ISC TechNote is an excellent document, and was a big help
in figuring out how to set this up a few years ago.

-Steve
Paul Vixie
2008-05-05 16:07:03 UTC
Permalink
Post by Steve Gibbard
... if each anycast cluster is really several servers, each using OSPF
ECMP, then you can lose a server and still have that cluster advertising
the route upstream, and only when you lose all servers in a cluster will
that route be withdrawn.
This is getting into minutia, but using multipath BGP will also accomplish
this without having to get the route from OSPF to BGP. This simplifies
things a bit, and makes it safer to have the servers and routers under
independent control.
i think the minutia is good, especially after a long weekend of layer 9
threads. my limited understanding of multipath bgp is that it's a global
config knob for routers, not a per peer knob, and that it has disasterous
consequences if the router is also carrying a full table and has many peers.
also, in OSPF, ECMP is not optional, even though most BSD-based software
routers don't implement it yet (since multipath routing is very new.) so,
we have been using OSPF for this, it just works out better. i dearly do
wish that something like a "service advertisement protocol" existed, that
did what OSPF ECMP did, without a router operator effectively giving every
customer the ability to inject other customer routes, or default routes.
in that sense, i agree with your "safer... independent control" assertion.
Post by Steve Gibbard
But yes, Joe's ISC TechNote is an excellent document, and was a big help
in figuring out how to set this up a few years ago.
and now for something completely different -- where in the interpipes could
a document like that have been published, vs. ISC's web site? the amount
of red tape and delay involved in Usenix or IETF or IEEE or ACM are vastly
more than most smart ops people are willing to put in. where is the light /
middle weight class, or is every organization or person who wants to publish
this kind of thing going to continue to have the exclusive and bad choice of
"blog it, or write an article for ;login:/ACM-Queue/Circle-ID, or write an
academic paper and wait ten months"? isn't this a job for... NANOG?
--
Paul Vixie
David Andersen
2008-05-05 17:16:29 UTC
Permalink
Post by Paul Vixie
Post by Steve Gibbard
But yes, Joe's ISC TechNote is an excellent document, and was a big help
in figuring out how to set this up a few years ago.
and now for something completely different -- where in the
interpipes could
a document like that have been published, vs. ISC's web site? the amount
of red tape and delay involved in Usenix or IETF or IEEE or ACM are vastly
more than most smart ops people are willing to put in. where is the light /
middle weight class, or is every organization or person who wants to publish
this kind of thing going to continue to have the exclusive and bad choice of
"blog it, or write an article for ;login:/ACM-Queue/Circle-ID, or write an
academic paper and wait ten months"? isn't this a job for... NANOG?
If you're asking seriously: arXiv.org is a pretty reasonable
candidate for less-formal but more-public publication of things like
Joe's TechNote.

It's taken off seriously in physics, but I don't know anyone who uses
it seriously for computer science stuff. Probably because our
conferences have much faster turnaround than most discipline's
journals do. But arXiv exists, it'll probably be around for a while,
and it provides a reasonable starting point for hosting and citing the
documents...

-Dave
Marshall Eubanks
2008-05-05 17:28:49 UTC
Permalink
Post by David Andersen
Post by Paul Vixie
Post by Steve Gibbard
But yes, Joe's ISC TechNote is an excellent document, and was a big help
in figuring out how to set this up a few years ago.
and now for something completely different -- where in the
interpipes could
a document like that have been published, vs. ISC's web site? the amount
of red tape and delay involved in Usenix or IETF or IEEE or ACM are vastly
more than most smart ops people are willing to put in. where is the light /
middle weight class, or is every organization or person who wants to publish
this kind of thing going to continue to have the exclusive and bad choice of
"blog it, or write an article for ;login:/ACM-Queue/Circle-ID, or write an
academic paper and wait ten months"? isn't this a job for... NANOG?
If you're asking seriously: arXiv.org is a pretty reasonable
candidate for less-formal but more-public publication of things like
Joe's TechNote.
It's taken off seriously in physics, but I don't know anyone who uses
it seriously for computer science stuff.
There are certain types of networking problems where arxiv gets decent
traffic; I get about 1 paper
per day on networking and cryptography.

At any rate, I would encourage people to use it and this seems like a
possible appropriate paper for it.

Regards
Marshall
Post by David Andersen
Probably because our
conferences have much faster turnaround than most discipline's
journals do. But arXiv exists, it'll probably be around for a while,
and it provides a reasonable starting point for hosting and citing the
documents...
-Dave
_______________________________________________
NANOG mailing list
http://mailman.nanog.org/mailman/listinfo/nanog
Chris Grundemann
2008-05-05 17:18:56 UTC
Permalink
Post by Paul Vixie
Post by Steve Gibbard
... if each anycast cluster is really several servers, each using OSPF
ECMP, then you can lose a server and still have that cluster advertising
the route upstream, and only when you lose all servers in a cluster will
that route be withdrawn.
This is getting into minutia, but using multipath BGP will also accomplish
this without having to get the route from OSPF to BGP. This simplifies
things a bit, and makes it safer to have the servers and routers under
independent control.
i think the minutia is good, especially after a long weekend of layer 9
threads. my limited understanding of multipath bgp is that it's a global
config knob for routers, not a per peer knob, and that it has disasterous
consequences if the router is also carrying a full table and has many peers.
I am not sure what routers specifically are being discussed here, but
in JunOS you can enable multipath on a global, group or single
neighbor level, possibly eliminating your concern...
Post by Paul Vixie
also, in OSPF, ECMP is not optional, even though most BSD-based software
routers don't implement it yet (since multipath routing is very new.) so,
we have been using OSPF for this, it just works out better. i dearly do
wish that something like a "service advertisement protocol" existed, that
did what OSPF ECMP did, without a router operator effectively giving every
customer the ability to inject other customer routes, or default routes.
in that sense, i agree with your "safer... independent control" assertion.
Post by Steve Gibbard
But yes, Joe's ISC TechNote is an excellent document, and was a big help
in figuring out how to set this up a few years ago.
and now for something completely different -- where in the interpipes could
a document like that have been published, vs. ISC's web site? the amount
of red tape and delay involved in Usenix or IETF or IEEE or ACM are vastly
more than most smart ops people are willing to put in. where is the light /
middle weight class, or is every organization or person who wants to publish
this kind of thing going to continue to have the exclusive and bad choice of
"blog it, or write an article for ;login:/ACM-Queue/Circle-ID, or write an
academic paper and wait ten months"? isn't this a job for... NANOG?
--
Paul Vixie
_______________________________________________
NANOG mailing list
http://mailman.nanog.org/mailman/listinfo/nanog
--
Chris Grundemann
www.linkedin.com/in/cgrundemann
Mr. James W. Laferriere
2008-05-05 17:01:07 UTC
Permalink
Hello All ,
...snip...
Post by Paul Vixie
Post by Steve Gibbard
But yes, Joe's ISC TechNote is an excellent document, and was a big help
in figuring out how to set this up a few years ago.
and now for something completely different -- where in the interpipes could
a document like that have been published, vs. ISC's web site? the amount
of red tape and delay involved in Usenix or IETF or IEEE or ACM are vastly
more than most smart ops people are willing to put in. where is the light /
middle weight class, or is every organization or person who wants to publish
this kind of thing going to continue to have the exclusive and bad choice of
"blog it, or write an article for ;login:/ACM-Queue/Circle-ID, or write an
academic paper and wait ten months"? isn't this a job for... NANOG?
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Hear , Hear ! I second the motion .
Sorry about the 1-2 line response , But I beleive it was needed .

Twyl , JimL
--
+------------------------------------------------------------------+
| James W. Laferriere | System Techniques | Give me VMS |
| Network&System Engineer | 2133 McCullam Ave | Give me Linux |
| ***@baby-dragons.com | Fairbanks, AK. 99701 | only on AXP |
+------------------------------------------------------------------+
Steven M. Bellovin
2008-05-05 17:59:20 UTC
Permalink
On 05 May 2008 16:07:03 +0000
Post by Paul Vixie
Post by Steve Gibbard
But yes, Joe's ISC TechNote is an excellent document, and was a big
help in figuring out how to set this up a few years ago.
and now for something completely different -- where in the interpipes
could a document like that have been published, vs. ISC's web site?
the amount of red tape and delay involved in Usenix or IETF or IEEE
or ACM are vastly more than most smart ops people are willing to put
in. where is the light / middle weight class, or is every
organization or person who wants to publish this kind of thing going
to continue to have the exclusive and bad choice of "blog it, or
write an article for ;login:/ACM-Queue/Circle-ID, or write an
academic paper and wait ten months"? isn't this a job for... NANOG?
I did some checking on this topic a few years ago. The consensus among
the people I talked to was that NANOG itself seemed to generate too
little that was publishable in a formal way to warrant a specific
mechanism.

A web site like arxiv is good for some stuff. But -- should there be a
link from nanog.org to operational content? Should nanog.org have
its own archive? Should there be a peer review process? If not, what
should the criteria be for an "official" note of the paper?

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Roland Dobbins
2008-05-05 18:19:36 UTC
Permalink
If not, what should the criteria be for an "official" note of the
paper?
Perhaps it's an oversimplification, but can't those who wish to
publish such information simply deliver their papers at a NANOG
meeting (after acceptance by the Program Committee, which acts as a
gate), and then the NANOG folks post the documents along with any
slides and the VoDs of their presentations, in the usual fashion?

-----------------------------------------------------------------------
Roland Dobbins <***@cisco.com> // +66.83.266.6344 mobile

History is a great teacher, but it also lies with impunity.

-- John Robb
Steven M. Bellovin
2008-05-05 18:38:07 UTC
Permalink
On Tue, 6 May 2008 01:19:36 +0700
Post by Roland Dobbins
If not, what should the criteria be for an "official" note of the
paper?
Perhaps it's an oversimplification, but can't those who wish to
publish such information simply deliver their papers at a NANOG
meeting (after acceptance by the Program Committee, which acts as a
gate), and then the NANOG folks post the documents along with any
slides and the VoDs of their presentations, in the usual fashion?
That's certainly one very good answer. Are there others?


--Steve Bellovin, http://www.cs.columbia.edu/~smb
Paul Vixie
2008-05-05 19:52:03 UTC
Permalink
Post by Steven M. Bellovin
If not, what should the criteria be for an "official" note of the paper?
Perhaps it's an oversimplification, but can't those who wish to publish
such information simply deliver their papers at a NANOG meeting (after
acceptance by the Program Committee, which acts as a gate), and then
the NANOG folks post the documents along with any slides and the VoDs
of their presentations, in the usual fashion?
That's certainly one very good answer. Are there others?
--Steve Bellovin, http://www.cs.columbia.edu/~smb
i think that's a good first tier, but there's still delay and congestion in
that path. delay, because nanog meetings only happen N times per year, so
an idea may have to wait months before it's widely circulated. congestion,
because nanog meetings are of fixed duration and there is, and has to be,
competition for the slots, to make the meeting interesting, keep quality high.

as a second tier, if a technote draft could be sent to nanog-pc at any time,
and the readable ones sent to nanog@ (at a maximum of one per week, so there
would still be some quality-control related congestion, and rate limiting),
and if the nanog-pc could then use mailing list feedback to judge whether the
technote deserved to be given a number and put on www.nanog.org somewhere, we
could be doing something really interesting with the expertise assembled here.
--
Paul Vixie
Roland Dobbins
2008-05-06 01:06:07 UTC
Permalink
Post by Paul Vixie
delay, because nanog meetings only happen N times per year, so
an idea may have to wait months before it's widely circulated.
congestion,
because nanog meetings are of fixed duration and there is, and has to be,
competition for the slots, to make the meeting interesting, keep quality high.
From one standpoint, these aren't necessarily unalloyed negatives, as
they act as a filter to keep the noise-level down, somewhat.

Are we convinced that there's a glut of useful technical/operational
information which folks have both the time and inclination to write
up, but which they don't due to the perceived lack of an appropriate
review/publication mechanism utilized by their intended audience?

-----------------------------------------------------------------------
Roland Dobbins <***@cisco.com> // +66.83.266.6344 mobile

History is a great teacher, but it also lies with impunity.

-- John Robb
Paul Vixie
2008-05-05 19:43:29 UTC
Permalink
Post by Steven M. Bellovin
...
A web site like arxiv is good for some stuff. But -- should there be a
link from nanog.org to operational content? Should nanog.org have
its own archive? Should there be a peer review process? If not, what
should the criteria be for an "official" note of the paper?
--Steve Bellovin, http://www.cs.columbia.edu/~smb
i wouldn't want to see a full academia-style peer review process, since that
problem is pretty well solved elsewhere, and we're not having that problem.

but a nanog-style peer review process, where the nanog-pc acts as the judge
of how a technote was received by the mailing list, might work. such that if
nanog-pc puts their stamp of approval on it, the connotation would be "more
than one set of eyes has been laid on this, and it's not totally worthless."

i say nanog-like because it's a new trail to blaze based on nanog's culture
which, while often hard to cope with, has some innovative, genuine strengths.
Stuart Henderson
2008-05-05 18:15:17 UTC
Permalink
Post by Paul Vixie
also, in OSPF, ECMP is not optional, even though most BSD-based software
routers don't implement it yet (since multipath routing is very new.)
Some readers might be interested to know the exception to "most" here;
the OpenBSD kernel has supported ECMP for the last couple of releases
(activated by setting a sysctl); in the most recent release ECMP support
was also added to ospfd.
Joe Abley
2008-05-06 02:03:30 UTC
Permalink
Perhaps what would make more sense here is Foundry (F5, etc.)
building
an anycast feature - anycast prefixes are withdrawn when a cluster
relying on that anycast prefix goes below a threshold.
I'm not sure exactly what feature is required, here. f5s of my
acquaintance are already very capable of making OSPF LSAs based on
virtual servers' pools being non-empty. Do it on more than one f5 in
the same area, and you're anycasting service availability with the
current feature set.
Can they do it with BGP for Internet anycast?
They run ZebOS for routing stuff, so I would say so, although I
haven't tried. In our application the covering supernets are
synthesised as aggregates based on the presence of the OSPF /32.
The general reason why people prefer to find alternative solutions
rather than use dedicated load-balancers are that the dedicated load-
balancers are hellishly more expensive than the $5 gigabit switch
you probably already have in your garage.
The dedicated load balancers also talk BGP (well, ones I've played
with), so that does away with the need for a BGP speaking router.
There is a certain keenness to keep the peering edge free of multi-
function boxes in some sandboxes I have played in.

I can't say I would be tremendously enthusiastic about the idea of
using an (say) f5 BigIP 6800 as a peering router (not that I've tried
and failed, or anything; for all I know it would work just fine). But
perhaps some of that religion has just rubbed off on me.


Joe
Nathan Ward
2008-05-06 00:50:08 UTC
Permalink
Post by Paul Vixie
i dearly do
wish that something like a "service advertisement protocol" existed, that
did what OSPF ECMP did, without a router operator effectively giving every
customer the ability to inject other customer routes, or default routes.
This stuff about customers and things sounds too hard.

Steve, have you actually had to do anycast without having control of
the routing hop in front of your service providing hosts, or is this
getting unnecessarily complicated? I'd imagine that the ability to
install routing equipment would be a pre-requisite for any anycast
service deployment..

Perhaps what would make more sense here is Foundry (F5, etc.) building
an anycast feature - anycast prefixes are withdrawn when a cluster
relying on that anycast prefix goes below a threshold. These load
balancing switches already do all this service health check stuff and
have done for years, so why are we re-inventing the wheel?

--
Nathan Ward

ps. I'm amused that your message that started with "i think the
minutia is good, especially after a long weekend of layer 9 threads."
ended with a paragraph of L9 :-)
Joe Abley
2008-05-06 01:21:13 UTC
Permalink
Post by Nathan Ward
Perhaps what would make more sense here is Foundry (F5, etc.) building
an anycast feature - anycast prefixes are withdrawn when a cluster
relying on that anycast prefix goes below a threshold.
I'm not sure exactly what feature is required, here. f5s of my
acquaintance are already very capable of making OSPF LSAs based on
virtual servers' pools being non-empty. Do it on more than one f5 in
the same area, and you're anycasting service availability with the
current feature set.

The general reason why people prefer to find alternative solutions
rather than use dedicated load-balancers are that the dedicated load-
balancers are hellishly more expensive than the $5 gigabit switch you
probably already have in your garage.


Joe
Nathan Ward
2008-05-06 01:49:39 UTC
Permalink
Perhaps what would make more sense here is Foundry (F5, etc.)
building
an anycast feature - anycast prefixes are withdrawn when a cluster
relying on that anycast prefix goes below a threshold.
I'm not sure exactly what feature is required, here. f5s of my
acquaintance are already very capable of making OSPF LSAs based on
virtual servers' pools being non-empty. Do it on more than one f5 in
the same area, and you're anycasting service availability with the
current feature set.
Can they do it with BGP for Internet anycast?
The general reason why people prefer to find alternative solutions
rather than use dedicated load-balancers are that the dedicated load-
balancers are hellishly more expensive than the $5 gigabit switch
you probably already have in your garage.
The dedicated load balancers also talk BGP (well, ones I've played
with), so that does away with the need for a BGP speaking router.

--
Nathan Ward
Nathan Ward
2008-05-06 01:24:35 UTC
Permalink
"Steve"? I assume you meant "Paul"....
No, Steve Gibbard referred to not having control of routers, Paul
referred to customers.

--
Nathan Ward
Steven M. Bellovin
2008-05-06 01:36:57 UTC
Permalink
On Tue, 6 May 2008 13:24:35 +1200
Post by Nathan Ward
"Steve"? I assume you meant "Paul"....
No, Steve Gibbard referred to not having control of routers, Paul
referred to customers.
Ah. As has often been noted, "Steve is a multicast address".


--Steve Bellovin, http://www.cs.columbia.edu/~smb
Steve Gibbard
2008-05-06 10:09:43 UTC
Permalink
Post by Nathan Ward
This stuff about customers and things sounds too hard.
Steve, have you actually had to do anycast without having control of
the routing hop in front of your service providing hosts, or is this
getting unnecessarily complicated? I'd imagine that the ability to
install routing equipment would be a pre-requisite for any anycast
service deployment..
Yes I have. Or rather, I've done the network infrastructure for anycast
services without having administrative control of the anycasted servers.
PCH's anycast platform hosts some blade servers for some other DNS
infrastructure operators (in addition to the name servers PCH operates
itself). Those operators operate their own servers. PCH operates the
routing infrastructure. There is filtering in place to limit the routing
announcements from the servers.

But also, most of the larger organizations I've worked for have had
separate systems and network engineering groups. In general, the network
groups haven't wanted to let the systems engineers configure the routers,
and the systems groups haven't wanted to let network engineers configure
the servers (with good reason). Filtering of routing announcements from
anycast servers would be useful in that environment too.


To address Paul's point about multipath BGP, I never saw Cisco's
implementation of it causing a problem even with full routing tables. I
haven't used any other implementations.

In the Cisco version (and at least for EBGP; I haven't looked at this with
IBGP), it only applies to otherwise identical AS paths. Multiple
directly-connected DNS servers sourcing the same announcement with the
same AS path and other BGP attributes get load balanced between. Paths
learned from different peers had different AS paths and do not get
balanced between. I suppose there probably is load balancing in cases
where there are multiple sessions with the same peer at the same exchange.
That's a relatively rare case in this implementation, and using hash based
rather than per-packet load balancing makes it not really matter.

-Steve

Randy Bush
2008-05-03 22:17:08 UTC
Permalink
Post by Eric Spaeth
If they were anycasted, shouldn't they be reachable from _somewhere_
not if routing problem with the prefix. anycasted prefixes have
analogous problem to that described in 2182. need at least two
separately routed prefixes or single method of failure.

randy
Brant I. Stevens
2008-05-03 13:53:35 UTC
Permalink
Never mind. I'll go back to bed now.
Post by Brant I. Stevens
Maybe that block is anycasted?
Post by Randy Bush
Post by Eric Spaeth
dns1.sjl.youtube.com. 172800 IN A 208.65.152.201
dns2.sjl.youtube.com. 172800 IN A 208.65.152.137
2182 lesson again, probably. after all, microsoft/hotmail/... being
borked for a day can't happen to me!
randy
_______________________________________________
NANOG mailing list
http://mailman.nanog.org/mailman/listinfo/nanog
_______________________________________________
NANOG mailing list
http://mailman.nanog.org/mailman/listinfo/nanog
Loading...