mercutio: still, i'm surprised the "engineer" hasn't heard of it from others; he must be new i dunno i don't have high expectations i hardly expect "engineers" to understand mtu i think the problem is that these days a lot of people do courses and cram study and forget huge amounts of stuff i would hope they would understand MTU... if not, what makes them even qualified for the job? ccna? :) knowing subnet maths i guess i haven't looked at it that way... someone off the street, knowing nothing, gets CCNA, then gets a network engineer job? they still seem underqualified if they only got the CCNA wow, don't visit #freenode-newyears (i warned you) yeah you've been around a bit long it changed :) or you're lucky and it's not like that over there so much apparently ccna does cover mtu a bit although it seems to suggest that routers do fragmentation i can't remember hearing about mtu in icnd1 or icnd2 oh..there it is one more thing i forgot what's icnd? oh another name for ccna? ant: would you call yourself a network engineer? tbh, i dunno how people are meant to learn the vast amounts of stuff that's relevant these days i still don't know much about node.js etc BAREMETAL!!! and apparently it's really big these days mercutio: icnd (interconnecting cisco networking devices) 1 and 2 are the courses which prepare for the ccna exam mercutio: and i don't have a clue what "network engineer" would even mean heh btw. i think "node.js" triggers BryceBot BAREMETAL!!! i was looking up systems engineer before node.js BAREMETAL!!! apparently sys engineer > sys admin i've always considered myself a sys admin but apparently sys admin now means someone who looks at graphs whereas systems engineer implements things so i assume network engineer is someone who implements networks i assume network technician is what they call someone that responds to trouble tickets it all gets pretty confusing really oh hmm, node.js isn't a baremetal thing though BAREMETAL!!! 
well, there are some titles which are backed by certificates, like ccna/ccnp/rhce/..., so there one can assume some (minimal) knowledge. but apart from that i can call myself whatever i want ime ccna doesn't seem to mean anything ccnp is slightly significant though yeah. you don't need to know much to get a ccna and vice versa not having it doesn't really mean you don't know things and there are also "leaked" exam questions which you can learn by heart... some companies like juniper or cisco certifications though even if they only use one of them just like some places like university degrees in any field i think it just proves you have a bit of commitment imo the icnd courses are also quite good to get some basic networking knowledge actually, according to corporate lore, that's just for HR to filter the CVs. heh i must admit i don't have much experience in such areas but from what i've heard most jobs get heaps of applicants and certifications like ccna are pretty common but experience not so much CCIEs are supposed to be the prized ones. to become a ccie you actually need to know stuff and have the experience ohh yes CCIE exams are 'a bit' more complicated :D mercutio: isn't it true for ipv4 that routers do fragmentation? mercutio: or did you mean that modern implementations use pmtu discovery and thus the routers don't have much to fragment? ip pmtu does not always work, and is not possible on udp pmtud even according to the link i posted it depends on the application for udp well, yes but the routers will never do it can someone here with js disabled in their browser check out www.coindev.org and tell me what the bottom left bitcoin donate button does? GluffiS: isn't pmtud always done by the host? 
no routers can do it also, to determine if fragmentation is needed but I would not trust pmtud :D exactly at least cisco routers have options for pmtud :D better to keep track of your mtu :) i'd like to see internet mtus go above 1.5k networks can't be too small to have mtu related problems..i remember having them at home yeh adsl and cable networks it's common with dialup it was too and vpns mss clamping is well known now but it didn't used to be tunneling over mpls networks is horrible :D mpls networks usually have jumbo frames or baby jumbo frames and so you're usually fine over the internet is a different story true... my work is mainly off internet ;) are you doing mpls over the internet? or do you have mpls connections provided by someone else? i love it how this channel is off topic so much but generally when people have an issue someone will pay attention to them, and even then it's not that often mpls provided by someone else :D GluffiS: yeh so they'll have jumbo or baby jumbo frames on their network and give you 1500 mtu, right? well, my findings told me that somewhere around 1300 was the way to go for that system :) oh what how lame :/ hehe :D l2tp over the internet is around there somewhere i think using udp ie the old l2tp not the new one l2tp v3 is nice v2 is more common probably, but v3 has nice qos options... huh it can copy , at least on cisco, the dscp value from the original packet to the tunneled packet :D well that's not a feature of l2tp but an implementation detail probably :D openbsd is gaining l2tp support but that's one of the areas that lags behind in open source / unix platforms. i'm no network guru... 
mainly dabble around with networking, firewalls, voip and stuff OpenBSD and networking is awesome :D their vrf implementation is really nice mostly they need better vrf support :/ haha well i had a play with it well, compare it to Linux :) heh yeah i want to see openbgpd get more efficient but i really like openbgpd but for some reason cisco is way quicker at loading bgp tables someone benchmarked it and cisco was beating openbgpd on much lower end cpus well, cisco does BGP for a living :D that was when used as route server yeah but cpu speed is way faster so it should be possible to speed it up yes, they will get there :D i believe that to be true how far did you get with vrfs on openbsd btw? i was struggling to get it working right with bgp i did not do anything fancy , needed a lot of different networks for some firewall migration https://www.ams-ix.net/downloads/ams-ix-route-server-implementations-performance.pdf this is what i saw about cisco being faster with converging than openbgpd ok well, an ASR cisco box is expensive as hell :D it's still a slower cpu yes but they have spent a couple of millions in developing the software :D heh well it still means it's possible to get more efficient absolutely which is what counts really you can never solve bad code with hardware like when people talk about making a faster web server it's like static web pages go at line rate on modern hardware with whatever server heh yeah to a point but yeah algorithms matter but there are limits on that note, intel have made zlib faster apparently nice (by using more cpu instructions) but for some reason no-one was trying to make zlib faster it seemed even though it's damn common and bottlenecks easily lbzip2/pbzip2 are actually faster than gzip on modern cpus cos they parallelise hehe yes... 
parallelising is crucial these days well with low compression values that still compresses better than zlib yeah that's where openbsd needs to catch up :) and get rid of their giant lock i imagine some of what makes openbgpd slower is interacting with the kernel openbsd has never been fast ;) fast, secure, cheap - choose two. :-) it's usually just one :) heh openbsd is pretty fast for UP stuff really i actually had a beer with Theo de Raadt 10 years ago or so :D what was he like well, regular nerd :) a bit nerdier than most he seems like he has the right attitude towards things in a way to me yes unlike rms etc :/ yeah omg stallman feels like more of a clown looking at openbsd hackathon photos makes me feel less geeky :/ hehe i've met rms heh i didn't stick around though he wasn't very interesting there was a discussion regarding bugfixing on that event and Alan Cox asked why Theo did not use the built in debugger in GCC, 'It's too slow, it's faster to just read the 180mb of code, then you might find something else to fix' haha i hated gcc's debugger when i first tried it i ended up just using printf :/ hehe but then i used it for backtraces haven't written C since school :P i haven't done much C recently trying to get back into it well, I fixed some kernel stuff ages ago when struggling with the nvidia drivers :D cool never submitted the patch though i know how that is i fixed s/pdif on audio driver on openbsd err added s/pdif support but never submitted anything :D for cmi8738 i just wanted to be able to listen to music this happened on a friday evening with a lot of cursing i ended up taking code from netbsd iirc and i was surprised i managed to do it :) hehe hmm i added higher initcwnd support to openbsd before it was implemented too but that was pretty easy hehe and reduced the initial retransmit timeout hmm i wonder if openbsd has decreased that yet linux has now for some reason people pay more attention to the initial window size thing, when both of them 
were proposed by google at around the same time basically normally there's a 3 second timeout in retransmits in initial packets and it can be safely decreased to 1 second these days saving a couple of seconds easy to reproduce with 5% packet loss :D and the difference can be noticeable it only matters when you have packet loss in the beginning of connections though and no one really cares :D i dunno, dsl networks here had 5 to 15% packet loss for a while that's how i got interested i dunno how common it is i imagine it's still common in places like india and happens on some wifi connections at long distance people with dlink wifi equipment are probably interested must be the crappiest piece of network hardware I ever bought there's actually more stuff that can be improved for wireless networks normal tcp/ip congestion control doesn't work that well with the variable latency variance of wifi freebsd's got a new algorithm that's meant to work better in such situations but i haven't tested what it's like for wifi yet CAIA Delay-Gradient (CDG) congestion control algorithm as soon as I get some cabling to the other side of the house I will literally set my dlink AP on fire ahh this is it that bad is it? yes you've set it to 20 mhz already? use it as bridge i bridge for my wifi too cisco 1142 in the other end :D the dlink just dies and has to be restarted oh you mean you have a bridge off it it just stops forwarding packets yes have you tried openwrt on it? it can't :( 1360 DAP i had a d-link 504t adsl modem everywhere says they're crap was real stable on openwrt just need a drill and some rj45 contacts :D one of the few adsl modems supported for adsl in openwrt ok a bit old now though the cpu can't keep up with adsl > 16 mbit you mean freebsd has such good coverage of wifi drivers that they dream up algorithms to optimize tcp/ip over wifi? 
:-) i am thinking of getting me a dsl wic for my 1841 router :D ziy: it'll help a freebsd web server send to an end user on wifi too ah. i have no idea what freebsd is like for wifi i only came across it cos i was wondering what was new in freebsd 10 but it's actually in freebsd 9.2 too i'm using a tp-link wireless router with openwrt but it's bridging rather than doing anything just between wifi and ethernet and my normal linux box runs the dhcp server etc well in theory i've actually stopped using wifi 3g works well enough on my cellphone 20 mhz is often more stable than 40 mhz depending on how crowded your area is it seems pretty common to have wifi issues these days though and i'd rather see everyone shift to 20 mhz it's not crowded... closest neighbour is 100m away oh you live rural ok yes, crappy phone wires though, get 8mbit dsl only damn can you get two adsl connections and bond them? nope single line to the house? is it adsl1 or adsl2+ at 8 mbit? well, I guess I can get 12-18mbit on my line actually 2+ ahh ok 12 mbit is ok my ISP refuses to deliver vdsl :D how come? they haven't upgraded the dslam yet you may not get much more downstream, but you'd get more upstream at least ahh here having vdsl available means fibre fed ahh not having vdsl available means it could still be atm fed and atm fed can mean congestion fibre here is 10Mbps ethernet as slowest :D fibre to the dslam i mean ahh the dslam is fibre :D so having a vdsl capable exchange is good well that's a good start just they have no vdsl line cards? see if you can get some other people in the area to put in requests for vdsl yes :D i'm in new zealand hh mercutio, happy new year :-) a long long way way :/ haha yes it's 2014 here :/ not that it makes any diff to me i didn't even get drunk :/ sweden has good net speeds right? yes if you live in the city 100Mbps is not uncommon :d heh is it gpon? some ISPs even offer gig :D nope, copper usually oh curious is this like apartments? 
but fibre is coming, mostly to new villas yep apparently sweden is using something called AON which i've never heard of it may be dated though don't think it's that widespread i think gpon is taking off yes CAIA Delay-Gradient (CDG) congestion control algorithm oops http://www.swedentelecom.com/solutions/fttx-gpon/ looks like one isp is doing gpon at least and that's curious, it came up in english :) and they doing hardware nat cool. current routers are going to struggle with gigabit speeds yes... biggest ISP is still Telia, TSIC :D TSIC are tier1 :D i've heard of telia they are huge so yeah they must be big cos i don't hear much about sweden but they're all blonde over there right? abba wasn't all blonde :-) haha yes they are doing stupid stuff like selling voip over adsl :) what's stupid about that? which is interesting when you pay for POTS voip has some advantages over pots anyway no it hasn't yes, it does. voip is crap :D can be crap POTS always works i dunno my phone line been having issues :/ not mine here it does my line been crackling and i've had it somewhere else before and my parents had it once if your line crackles too bad it can go off hook randomly and then you can't receive phone calls the weird thing is my dsl is stable well, when they tore down the phoneline with a woodcutting machine it went dead else , it always works but yeah overall pots is still more reliable than voip esp. with regards to power outages etc even in power outages :D well as long as you plug in a legacy phone :/ voip over 3g is horrible :D in the dark yes i've done voip over 3g it was ok it works... 
modem over voip also kinda works it depends on the jitter of the provider but i was doing it with 80 msec ping :E on 3g i would never pay for voip over adsl :D why not i used to do it but i use an alternative voip provider and it had cheaper phone calls well, I still have to pay for copper now i seem to get good value out of cellphone :/ it used to be you could cut the cost of ringing cellphones down heaps here by using voip ok but now can get 120 minutes or something of mixed minutes from cellphone we used to pay 79cents/minute for cellphone calls on land line calling is ridiculously cheap here and my cellphone plan used to be 49 cents/minute to the same provider, and $1.40/minute to other networks we got flatrate cellphone plans for like 25USD a month then voip providers were like 35 cents/minute or something call anyone domestic :D i don't even know how much calling cellphones costs from landline here now seems expensive :D it's 5c/min on voip and 10c/min on landline domestic as normal rate here i didn't say it was cheap we don't have other options though :/ businesses pay like 5c/min for local calls too i think the difference between dsl only copper and dsl with pots copper is like 2USD a month but residential get free local calling ahh here the difference is about $20/month i think which iz nd is nzd :D but often there's discount of $10/month if you have tolls through your isp hehe so it ends up being $10/month difference or such so even as backup it's not silly sweden is really cheap for calling :D heh how much do phone lines cost there? it's $45 nzd here i can probably work out conversion rate you use SEK right? 
i guess 20USD a month yes that's 237.57 SEK hehe that's just for a phone line no internet yeah, around 22NZD for just phone here i think the cheapest naked dsl are about $60 hehe and the cheapest DSL+POTS is about $70 to me, it's the phone line that's overcharged rather than the internet i think my colleague pays like 45NZD a month for 100Mbps fiber at his house :D cos the thing is for $19/month you can get cellphone prepay plan for 120 minutes of calling, 1gb of data, and unlimited text well, time to go to new years party :D hehe ok hf hf heh haha, that's one thing that benefits people living in geographically tiny places - cheap to deploy fast infrastructure curious if anyone has a horrible experience attempting to use IPv6 and connections to freenode. Or any irc network for that matter. god awful slow. barely usable. etc forgotten: openbsd? m0unds: yes. other people here have similar issues w/openbsd and ipv6 w/freenode gotcha forgotten: which IRC client? irssi even just ping6 outs to google takes 1000ms for the first response tho whoa I'm doing it right now No issues you could try using /set server_connect_timeout to 5min to see if that prevents you from timing out in irssi, but that sounds like something else is screwy if it's taking 1 sec to get a response from google phlux: are you using openbsd? Ah, no FreeBSD same here, no problems either (freebsd) digging thru irc logs that google finds yeah right now i have like 50 to 75 percent packet loss on ipv6 :(. according to "mtr -6 www.google.com" can't seem to find anything related on the web anyone seen up_the_irons ? never in person ;-) heh lteo: lol forgotten: are you using the default /64 or did you have your /48 set up? m0unds: default /64 hm do you see packet loss if you just ping6 or mtr -6 the gateway? 
yep i get same amount to the first hop of the gateway when going to google running it by itself instantly goes to 40%, between 40 and 50% open a ticket - i had a similar issue last week; in my case, it was a config issue w/the redundant switch mtr is still showing 33% loss. But PF was blocking some icmp6 stuff. have that resolved. this seems way more usable than before. i am able to type now at least lol not seeing any ipv6 related blocks in PF. at all. do you still see packet loss if you temporarily disable pf? think i might have found something related http://openbsd.7691.n7.nabble.com/4-8-current-tcpdump-pflog-unaligned-libpcap-packets-td170588.html m0unds: and yes i have it disabled now. and am getting 60% loss to the Gateway address 1. 2607:f2f8:a768::1 65.5% 30 0.7 0.7 0.4 1.5 0.3 so now my link is probably unrelated after trying this Well that's neat I mtr google myself (from my Debian host) and part way through the second packet, the whole connection hangs for 6 seconds or so. Did that twice in a row fwiw forgotte1 I'm seeing packet loss sporadically, both to the gateway (55pkts, 1.7%) and to Google (70pkts 4.1%) mine will somewhat hang occasionally too. which makes the loss spike higher brycec: good to know. and that is from a debian vm ? my lag shows 8.02 in irssi. on the ipv6 con right now. heh yep so it seems like an arp issue then. not an obsd issue. I blame ARP's transit what host are you on? kvr07 im on kvr29 I still see more problems with Freenode than any other IRC network, so I always chalk it up to Freenode cept we are testing packet loss to google. and just the arp gateway lol or i am heh The packet loss I'm seeing is highly intermittent I restarted mtr, 100 packet, no loss same here 0.0% all the way to google since i restarted it and suddenly, loss (through the whole chain) now seeing some loss 11% yep something is majorly screwy. those damn ubuntu servers ! 
:P hopefully I'll have time to re-setup smokeping today 1.93.25.234 is trying to hack me right now China is trying to hack a server? Unbelievable!! I've never heard of such a thing ever in my whole life. my first intrusion attempt :) i sent auth log to the noc of the registered an, confirmed sshd is configured to not allow root login, now i'm configuring pf. next i'll install fail2ban what's cnnic? @wiki CNNIC China Internet Network Information Center :: The China Internet Network Information Center (simplified Chinese: 中国互联网络信息中心; traditional Chinese: 中國互聯網絡信息中心; pinyin: Zhōngguó Hùlián Wǎngluò Xìnxī Zhōngxīn), or CNNIC, was founded as a non-profit organization on June 3, 1997. CNNIC is the administrative agency responsible for... http://en.wikipedia.org/wiki/China%20Internet%20Network%20Information% ah if they don't shape up i'll just block their entire ip block Just block China. It's not like you want anything to do with them And heck, it's only 4,940 CIDR blocks do you block all of china? I'm confident that at this rate, fail2ban will take care of that for me robonerd: you can disable password auth mercutio and go to ssh key auth? robonerd: yeh yep, i'll be getting to that after fail2ban it's good to run both right? i dunno about you, but i find encrypted key with unlocking it works best for me if i use too many passwords i'll just be tempted to write them down, or cut and paste, or type the password into the wrong place. i haven't typed any passwords into irc by accident yet though can't you make as many mistakes with a key file? what if file gets corrupt or w/e i dunno, to my mind it makes sense to have an alphanumeric password for root in case you need to get in via oob but for normal user it only matters if you use sudo :/ you kinda lost me with those last 2. catch me up? and from that perspective if anyone hacks your user account they can get root so it makes more sense to me to just log in as root to do root things, and as a user to do user things. 
and keep them segregated. if the file gets corrupt? files don't normally get corrupt. but in case you lose your hard-drive you can have your key in multiple places and if it's encrypted then you just unlock it once. after i fail2ban_enable="Y" in rc.conf, then what? to enable fail2ban with pf, please i assume you need to reboot, if it's in rc.conf, but there may be some way to reread it oh i lost you sorry i am losing myself :/ too much coffee with a key file, you can encrypt or have it not encrypted if you have a key file unencrypted you can just copy it to every host you connect from, and connect with no password at all if you encrypt it you have to type an unlock passphrase on the key file to connect to a remote host which is the same for all hosts you connect to with that key but if you use something like ssh-agent, you can type that unlock passphrase once, and keep reconnecting to different hosts <-- always surprised to learn people still use passwords for SSH auth brycec: I use keys, but what do you do when you are on a new machine, do you have to keep a copy of your key handy? Passwords are a lot more portable mnathani: I'm not saying never-ever-ever-ever-use passwords. There is a time, albeit briefly, for their use. In-person, freshly setup, etc. My surprise comes from those who use passwords daily, as if they were perfectly secure, etc. Bryce's rules for basic security: Disable ssh login as root (or if you really must, key-only). If you can, disable password ssh altogether; if you cannot, at least setup two-factor. And yeah, you should probably have a passphrase on your key, and keep backup copies of your key in safe places, and while we're at it, use different keys for different machines/networks/etc. you only need your public key which you can stick on a web site or such if need be ie you can give your public key out freely and not worry about it. It's the private key you have to keep secure. 
what i tend to do is set a bad password, then stick key on, then change to a better password can someone try to own my arp vps and see how the sec is?