Hi all
We have finally fixed our 2M upload issues on Chorus UFB accelerate plans.
Skip to the end of this email if you just want an example fix.
Along the way we established a couple of incorrect "facts". Some of which I
shared with this list.
These were:
1) DEI marked packets were being silently dropped on ingress from the
Chorus handover
2) Junos 12.3 fixed this issue
Recently I deemed that "fact" 1) was wrong and hence "fact" 2) was a bit
irrelevant.
Here's a crude diagram of our typical set-up:
<Chorus handover> <-> [1] <MX80> [2] <-> MPLS/VPLS over Backhaul fibre <->
[3] <PMR MPLS MX> [4] <-> [5] <PMR BNG>
Where the numbers in the square brackets are interfaces where I performed
some traffic stats.
I deemed that DEI=1 marked packets were still showing up at [1] and [3].
They were not showing up at interfaces [4] and [5]. This deemed my above
"facts" incorrect.
With Juniper CoS you classify on ingress and rewrite on egress. Once we
deemed that DEI marked packets were not being dropped at [1] and instead
were being dropped between [3] and [4] we can now rewrite these before
interface [4]. As we need to rewrite on egress we'll do this at point [2].
In our test case interface [2] is actually xe-1/2/0.388. And a simple fix
for the issue is under the class-of-service section implement:

    interfaces {
        xe-1/2/0 {
            unit 388 {
                rewrite-rules {
                    ieee-802.1ad {
                        ieee-802.1ad-dei-rewrite;
                        vlan-tag outer;
                    }
                }
            }
        }
    }
    rewrite-rules {
        ieee-802.1ad ieee-802.1ad-dei-rewrite {
            forwarding-class best-effort {
                loss-priority low code-point 0000;
                loss-priority high code-point 0000;
            }
        }
    }

The key is to use an ieee-802.1ad rewrite rule rather than an ieee-802.1
rule. The leftmost bit of the 4 bit code-point is the DEI bit. This is all
assuming that all traffic is classified as best-effort at interface [1] -
if that is not the case then re-write the DEI bit for your other queues as
well.
You only need to rewrite the outer vlan DEI bit.
This is tested on Junos 12.3R8.7 on a MX80.
Thanks to all involved in helping fix this - Steve K, Vance and Ivan
especially.
Cheers
Dave
Hi Nathan,
Happy to talk you through your application and help you out on this. I'm
the Spirent distributor for NZ.
Murray King
Sales Engineer
Nichecom
Delivery Address: 1 Lincoln Avenue, Tawa,Wellington
Postal Address: P.O. Box 56-045, Wellington
New Zealand
Phone: 64 4 2323233
Facsimile: 64 4 2323230
Mobile: 64 (0)21 379 192
murray(a)nichecom.co.nz
www.nichecom.co.nz
-----Original Message-----
From: nznog-request(a)list.waikato.ac.nz
To: nznog(a)list.waikato.ac.nz
Date: Sat, 26 Sep 2015 12:00:03 +1200
Subject: NZNOG Digest, Vol 153, Issue 20
Today's Topics:
1. Router testers (Nathan Ward)
----------------------------------------------------------------------
Message: 1
Date: Fri, 25 Sep 2015 14:37:09 +1200
From: Nathan Ward <nznog(a)daork.net>
To: nznog <NZNOG(a)list.waikato.ac.nz>
Subject: [nznog] Router testers
Message-ID: <8E1B60F1-712F-40E1-8BCE-E088051ACEFB(a)daork.net>
Content-Type: text/plain; charset=utf-8
Hi,
Does anyone have a line on router testers that are available for lease in NZ
(or Aus, I guess)? Either from a proper leasing company, or if you've got
one kicking around you don't need for a few weeks..
Something that does PPPoE, IPoE, maybe MPLS and BGP would be nice.
Ixia or Spirent or something.
--
Nathan Ward
Hi,
Does anyone have a line on router testers that are available for lease in NZ (or Aus, I guess)? Either from a proper leasing company, or if you’ve got one kicking around you don’t need for a few weeks..
Something that does PPPoE, IPoE, maybe MPLS and BGP would be nice.
Ixia or Spirent or something.
--
Nathan Ward
Hi all
We're hosting APRICOT 2016 - an Internet technical community conference -
in Auckland in February. (Details at https://2016.apricot.net)
NZNOG is a key supporter of the event so thank you for that, I am hoping
this request is (beer) sufficiently on topic for the list....
One of the things a local host gets to do is to propose a local/national
Keynote speaker for the event.
Do you have suggested speakers we could put into the mix?
One name that popped into my head is Steve Cotter who is shortly off to
head the European research network, after running REANNZ for a few years.
But this is an event aimed squarely at people like you, and so your ideas
would be incredibly helpful.
Grateful for your suggestions, ideally by the end of the week...
thanks!
Jordan
--
Jordan Carter
Chief Executive
*InternetNZ*
+64-495-2118 (office) | +64-21-442-649 (mob)
Email: jordan(a)internetnz.net.nz
Skype: jordancarter
Web: www.internetnz.nz
*A better world through a better Internet *
{from those archives}
10 years...??? blimey.
http://list.waikato.ac.nz/pipermail/nznog/2005-June/010239.html
Perhaps the way to go about it will end up being to legislate, that
you'll end up having to register your "NZ" IP address allocation with
the Intellectual Property Office - because they like the acronym IP too.
But, this of course will still ensure there is much humour to be had.
https://www.fyi.org.nz/request/1830-ip-address-range
On 20/09/15 01:00, nznog-request(a)list.waikato.ac.nz wrote:
>
> Today's Topics:
>
> 1. nz ip range (bigalownz)
> 2. Re: nz ip range (Jethro Carr)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 19 Sep 2015 23:35:28 +1200
> From: "bigalownz" <bigalownz(a)gmail.com>
> To: <nznog(a)list.waikato.ac.nz>
> Subject: [nznog] nz ip range
> Message-ID: <D7FB71253CD54F99B15C3EAE3FE397AD@SEANPC>
> Content-Type: text/plain; format=flowed; charset="iso-8859-1";
> reply-type=original
>
> im doing a little project and im looking for a script to get nz ip ranges
>
> i did a Google search and found this, but as you can see it was from 2005
> and out dated, the url doesn't work etc
> i need some help to update it
> thanks
>
> #!/usr/local/bin/php
> <?php
>
> $in_file = "ftp://ftp.apnic.net/pub/apnic/dbase/data/country-ipv4.lst";
> // $in_file = "country-ipv4.lst";
> $out_file = "nzipranges.txt";
>
> $handle_input = @fopen($in_file,"r") or die("Unable to open $in_file\n\n");
>
> $handle_output = fopen($out_file, "w");
>
> $now = date ("r");
>
> fwrite ($handle_output,"# Generated: $now\n\n");
>
> while (!feof($handle_input)) {
> $buffer = fgets($handle_input);
> if ( ereg ( "nz", $buffer) ) {
> // echo $buffer;
> $this_range = trim(preg_replace ( "#([\d\.]+) \- [\d\.]+ : [\d\.]+(\/\d+) .+#","$1$2", $buffer ));
> fwrite ($handle_output,"\n" . $this_range);
> }
> }
> fclose($handle_input);
>
> fwrite ($handle_output,"\n");
> fclose($handle_output);
>
>
> ?>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sat, 19 Sep 2015 23:49:35 +1200
> From: Jethro Carr <jethro.carr(a)jethrocarr.com>
> To: bigalownz <bigalownz(a)gmail.com>, nznog(a)list.waikato.ac.nz
> Subject: Re: [nznog] nz ip range
> Message-ID: <etPan.55fd4bcf.3d8a9f57.27d(a)kobol.local>
> Content-Type: text/plain; charset="utf-8"
>
> Hi bigalownz,
>
> I wrote a Puppet module that you can use to pull IP address lists from various registries. If you're using Puppet, it means you can get an array of all the IPs for a specific region (such as NZ) for use in configuration files or resources.
>
> https://github.com/jethrocarr/puppet-rirs
>
> If you're not using Puppet, the good news is that it's almost entirely Ruby, so you could take a look at the function and adapt it very quickly to be a standalone script.
>
> https://github.com/jethrocarr/puppet-rirs/blob/master/lib/puppet/parser/fun…
>
> regards,
> Jethro
>
>
> --
> Jethro Carr
> www.jethrocarr.com
>
> On 19 September 2015 at 23:34:33, bigalownz (bigalownz(a)gmail.com) wrote:
>> im doing a little project and im looking for a script to get nz ip ranges
>>
>> i did a Google search and found this, but as you can see it was from 2005
>> and out dated, the url doesn't work etc
>> i need some help to update it
>> thanks
>>
>> #!/usr/local/bin/php
>> <?php
>> $in_file = "ftp://ftp.apnic.net/pub/apnic/dbase/data/country-ipv4.lst";
>> // $in_file = "country-ipv4.lst";
>> $out_file = "nzipranges.txt";
>>
>> $handle_input = @fopen($in_file,"r") or die("Unable to open $in_file\n\n");
>>
>> $handle_output = fopen($out_file, "w");
>>
>> $now = date ("r");
>>
>> fwrite ($handle_output,"# Generated: $now\n\n");
>>
>> while (!feof($handle_input)) {
>> $buffer = fgets($handle_input);
>> if ( ereg ( "nz", $buffer) ) {
>> // echo $buffer;
>> $this_range = trim(preg_replace ( "#([\d\.]+) \- [\d\.]+ : [\d\.]+(\/\d+) .+#","$1$2", $buffer ));
>> fwrite ($handle_output,"\n" . $this_range);
>> }
>> }
>> fclose($handle_input);
>>
>> fwrite ($handle_output,"\n");
>> fclose($handle_output);
>>
>>
>> ?>
>>
im doing a little project and im looking for a script to get nz ip ranges
i did a Google search and found this, but as you can see it was from 2005
and out dated, the url doesn't work etc
i need some help to update it
thanks
#!/usr/local/bin/php
<?php
$in_file = "ftp://ftp.apnic.net/pub/apnic/dbase/data/country-ipv4.lst";
// $in_file = "country-ipv4.lst";
$out_file = "nzipranges.txt";
$handle_input = @fopen($in_file,"r") or die("Unable to open $in_file\n\n");
$handle_output = fopen($out_file, "w");
$now = date ("r");
fwrite ($handle_output,"# Generated: $now\n\n");
while (!feof($handle_input)) {
    $buffer = fgets($handle_input);
    if ( ereg ( "nz", $buffer) ) {
        // echo $buffer;
        $this_range = trim(preg_replace ( "#([\d\.]+) \- [\d\.]+ : [\d\.]+(\/\d+) .+#","$1$2", $buffer ));
        fwrite ($handle_output,"\n" . $this_range);
    }
}
fclose($handle_input);
fwrite ($handle_output,"\n");
fclose($handle_output);
?>
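
The kind of script asked for above, as an added example rather than code from the post or from puppet-rirs: it assumes the input is in the pipe-delimited "delegated" statistics layout the RIRs publish (registry|cc|type|start|value|date|status), and the sample lines are constructed. It matches the country field exactly instead of searching the whole line for "nz", and it splits address counts that are not a power of two into several CIDR blocks.

```python
import ipaddress

# Constructed sample in the RIR "delegated" statistics layout (not real data).
SAMPLE = """\
# constructed sample, not real registry data
2|apnic|20150919|5|19830613|20150918|+1200
apnic|*|ipv4|*|4|summary
apnic|NZ|ipv4|192.0.2.0|256|20050101|allocated
apnic|NZ|ipv4|198.51.100.0|768|20050101|assigned
apnic|AU|ipv4|203.0.113.0|256|20050101|allocated
apnic|NZ|ipv6|2001:db8::|32|20050101|allocated
apnic|NZ|asn|64496|1|20050101|allocated
"""


def country_ipv4_cidrs(text, country="NZ"):
    """Return the IPv4 CIDR blocks delegated to `country` as strings."""
    networks = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        fields = line.split("|")
        if len(fields) < 7:
            continue  # summary lines carry fewer fields
        cc, rtype, start, value, status = (
            fields[1], fields[2], fields[3], fields[4], fields[6])
        # Exact match on the country-code field; a substring search for
        # "nz" would also hit unrelated text elsewhere in the line.
        if cc.upper() != country.upper() or rtype != "ipv4":
            continue
        if status not in ("allocated", "assigned"):
            continue
        # For ipv4 records `value` is a count of addresses, which need not
        # be a power of two, so one record can become several CIDR blocks.
        first = ipaddress.IPv4Address(start)
        last = first + (int(value) - 1)
        networks.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent or overlapping blocks and return them sorted.
    return [str(net) for net in ipaddress.collapse_addresses(networks)]


if __name__ == "__main__":
    for cidr in country_ipv4_cidrs(SAMPLE):
        print(cidr)
```
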
Hello-
A long post follows that is adapted from some questions I received yesterday. These are some of my legal academic thoughts and not legal advice. My overall assessment of this very short one page TICSA Amendment Bill is that community must put energy into this process even if the Bill itself is insufficient and likely to be voted down. If it makes it past the first step there is a chance for proposing additions and changes in the form of Supplementary Order Papers and this is something to be optimistic about and contact your MPs about.
Even if the Bill fails at the first stage, there is the risk though that unless there is obvious energy put into it the whole issue reaches a state of entropy until some unforeseeable reactive event occurs where the law will finally get replaced or repealed. The Government will likely claim a lack of energy put into the Bill as evidence the status quo is acceptable, and who knows how many years it might be till the issue comes again on the Parliamentary floor for any kind of substantive change.
Is this toothless?
Yes, the Bill has no legal teeth in its own right in terms of statutory offences. On a personal level I must say I also think it is weak. There is no legal duty for the Minister/Director to follow the recommendations. For this it could be dismissed as ineffectual. However, the Bill would create added statutory powers and responsibilities that create avenues for legal challenge, such as a judicial review of an Agency decision. Even if such a judicial review is never actualised it can start to carry weight “in the shadow of the law”. It means the Agency can be pressed to its statutory responsibilities by some entity pointing to a legal basis for their claims. I also think there is potential for the Bill to widen existing judicial review avenues elsewhere in the legislation that were very limited, given the interaction of the TAB and the Minister/Director’s duties.
Consider Clause 2 of the Bill
“Any matter to be referred to the Minister requesting the Minister to exercise his or her discretion or recommend the prescribing of an additional area of specified security interest must first be referred to the Technical Advisory Board for analysis and recommendations. “
If a Minister fails to refer the matter to the TAB first with enough time and detail so the TAB can give actual considered analysis and recommendations, on its face there would be breach of the Minister’s statutory responsibilities. This would tap into well established legal common law norms about the duty to consult and what that means in practice by Ministers, and open the case to judicial review in a Court. If the issue was intrusive enough on network operators this could potentially receive remedies in the form of injunctions on the matter at hand and form precedent for the future. I am trying to think of an example where this would be worth it economically, or in defence of rights of a NetOp or their subscribers, it's not unforeseeable. A judicial review action could potentially be taken to seek an injunction on an area of security being decided while the TAB fully considers the issue. This could enforce a lag-time for compliance to allow network operators to react and plan ahead for impending decisions by the Minister.
Take for example s50 of the Act: http://www.legislation.govt.nz/act/public/2013/0091/latest/DLM5626115.html
This section is closely related to the process of the Director in identifying network security risks which is relevant to the Bill. s50 also gives a list of things the Director must consider. Failing to give consideration to a mandatory consideration is a well recognised ground of judicial review of exercises of statutory power. As you can gather from the list above in the Section, it's typically aimed at an enumerated list of more or less specific items.
On its own an action by an individual against a public figure for merely failing to consider mandatory considerations has only a formal/technical remedy and it would be an expensive and lengthy procedure for all involved. The Agency would then, usually, only have to correct the error in some token way - such as issuing a report saying “we have considered all the relevant matters, our opinion is unchanged” - and move forward. However, the existence of this action combined with a technical advisory board gives potential for a legal entity that can bring to light a bigger picture of systemic and formal breaches that would make great copy in the newspaper or an Ombudsman-like governmental complaint if not a court judgment.
Whichever of you may decide to sit on the Board (to be honest, not an entirely desirable role) would have the ability to oversee that mandatory consideration has been given on all of the grounds under s50. The Board could start issuing recommendations that align with the statutory duties and language, and force more compliance by the Agency, if it starts pointing out where this consideration hasn’t been given. This is at least one way a TAB could be applied to put the Agency on their toes like a real watchdog is supposed to.
Isn’t all this going to play out in secret anyways because NatSec? If the Agency doesn’t follow any recommendations this would be secret?
One issue I am interested in is use of the term “Security Interest” in the Bill and considering how much it maps onto the definition of “Security Risk” currently in the TICSA legislation, and whether this should change. The definition of security risk in the TICSA legislation is inclusive of the concept of national security but the term national security itself is not defined.
This question about whether all of the risks and all of the Agency's TICSA decisions/activities are to be legally treated as national security concerns is ultimately going to decide whether TICSA plays out before and in an open civil court as the norm or whether it will go into classified operations only where sufficient evidence is provided to the Courts to justify otherwise. I am strongly of the view this is a piece of regulation which only narrowly intersects with national security. Cloaking the daily and annual grind of bureaucracy and notification schemes and compliance in national security is a wrong approach and arguably just a very easy lawyerly way of keeping the Agency out of Court.
I will be writing more on this topic and releasing it in a proper text form, and am definitely planning on submitting something TICSA-related to Kiwicon.
Kind regards
___________
Beau Murrah
Ph: +64 27 375 7897
Email: bmurrah(a)icloud.com - PGP: https://keybase.io/airbridge
Enrolled Barrister and Solicitor of the High Court of New Zealand (NB: not a lawyer <https://www.lawsociety.org.nz/for-lawyers/joining-the-legal-profession/admi…>)
Hello everyone:
Following some useful feedback from an operator, we have made changes to
the zone and web scan practice statement. Modifications are around three
main areas
- Provide a web page associated to the server where the scan comes from.
Now http://zonescan.nzrs.net.nz will lead you to an information page
that explains what the scan is about
- Kind of data collected.
- Reference to where aggregated data from the zone scan is published,
using our new Internet Data Portal
We are always open to receive feedback and improve our communication and
processes. With the aggregated data available, you can find out the
state of the .nz name space.
The URL of the improved practice statement is
https://nzrs.net.nz/dns/zone-and-web-scanning
Kind Regards,
--
Sebastian Castro
Technical Research Manager
NZRS Ltd.
desk: +64 4 495 2337
mobile: +64 21 400535