***: ziyourenxiang has joined #arpnetworks
up_the_irons: mercutio: still, i'm surprised the "engineer" hasn't heard of it from others; he must be new
mercutio: i dunno i don't have high expectations
i hardly expect "engineers" to understand mtu
i think the problem is that these days a lot of people do courses and cram study and forget huge amounts of stuff
up_the_irons: i would hope they would understand MTU... if not, what makes them even qualified for the job?
mercutio: ccna? :)
knowing subnet maths
up_the_irons: i guess i haven't looked at it that way... someone off the street, knowing nothing, gets CCNA, then gets a network engineer job? they still seem underqualified if they only got the CCNA
wow, don't visit #freenode-newyears
(i warned you)
-: up_the_irons wanders off
***: Guest49233 is now known as easymac
easymac is now known as Guest16064
mercutio: yeah you've been around a bit long
it changed :)
or you're lucky
and it's not like that over there so much
apparently ccna does cover mtu a bit
although it seems to suggest that routers do fragmentation
ant: i can't remember hearing about mtu in icnd1 or icnd2
oh..there it is
one more thing i forgot
mercutio: what's icnd?
oh another name for ccna?
ant: would you call yourself a network engineer?
tbh, i dunno how people are meant to learn the vast amounts of stuff that's relevant these days
i still don't know much about node.js etc
BryceBot: BAREMETAL!!!
mercutio: and apparently it's really big these days
-: mercutio wonders what made brycebot say that
ant: mercutio: icnd (interconnecting cisco networking devices) 1 and 2 are the courses which prepare for the ccna exam
mercutio: and i don't have a clue what "network engineer" would even mean
mercutio: heh
ant: btw. i think "node.js" triggers BryceBot
BryceBot: BAREMETAL!!!
mercutio: i was looking up systems engineer before
ant: node.js
BryceBot: BAREMETAL!!!
mercutio: apparently sys engineer > sys admin
i've always considered myself a sys admin
but apparently sys admin now means someone who looks at graphs
whereas systems engineer implements things
so i assume network engineer is someone who implements networks
i assume network technician is what they call someone that responds to trouble tickets
it all gets pretty confusing really
oh hmm, node.js isn't a baremetal thing though
BryceBot: BAREMETAL!!!
ant: well, there are some titles which are backed by certificates, like ccna/ccnp/rhce/..., so there one can assume some (minimal) knowledge. but apart from that i can call myself whatever i want
mercutio: ime ccna doesn't seem to mean anything
ccnp is slightly significant though
ant: yeah. you don't need to know much to get a ccna
mercutio: and vice versa
not having it doesn't really mean you don't know things
ant: and there are also "leaked" exam questions which you can learn by heart...
mercutio: some companies like juniper or cisco certifications though
even if they only use one of them
just like some places like university degrees in any field
i think it just proves you have a bit of commitment
ant: imo the icnd courses are also quite good to get some basic networking knowledge
ziyourenxiang: actually, according to corporate lore, that's just for HR to filter the CVs.
mercutio: heh
i must admit i don't have much experience in such areas
but from what i've heard most jobs gets heaps of applicants
and certifications like ccna are pretty common
but experience not so much
ziyourenxiang: CCIEs are supposed to be the prized ones.
ant: to become a ccie you actually need to know stuff and have the experience
GluffiS: ohh yes
CCIE exams are 'a bit' more complicated :D
***: Guest16064 is now known as easymac
easymac is now known as Guest48034
ant: mercutio: isn't it true for ipv4 that routers do fragmentation?
***: Guest48034 has quit IRC (Quit: leaving)
ant: mercutio: or did you mean that modern implementations use pmtu discovery and thus the routers don't have much to fragment?
-: ant is now reading http://stack.nil.com/ipcorner/IP_Fragmentation/
GluffiS: ip pmtu does not always work, and is not possible on udp
pmtud even
ant: according to the link i posted it depends on the application for udp
GluffiS: well, yes but the routers will never do it
robonerd: can someone here with js disabled in their browser check out www.coindev.org and tell me what the bottom left bitcoin donate button does?
ant: GluffiS: isn't pmtud always done by the host?
GluffiS: no
routers can do it also, to determine if fragmentation is needed
but I would not trust pmtud :D
mercutio: exactly
GluffiS: at least cisco routers have options for pmtud :D
better to keep track of your mtu :)
-: GluffiS normally builds small networks :D
mercutio: i'd like to see internet mtus go above 1.5k
ant: networks can't be too small to have mtu related problems..i remember having them at home
mercutio: yeh adsl and cable networks it's common with
dialup it was too
and vpns
mss clamping is well known now but it didn't used to be
GluffiS: tunneling over mpls networks is horrible :D
mercutio: mpls networks usually have jumbo frames or baby jumbo frames and so you're usually fine
over the internet is a different story
GluffiS: true...
my work is mainly off internet ;)
mercutio: are you doing mpls over the internet?
or do you have mpls connections provided by someone else?
i love it how this channel is off topic so much
but generally when people have an issue someone will pay attention to them, and even then it's not that often
GluffiS: mpls provided by someone else :D
mercutio: GluffiS: yeh so they'll have jumbo or baby jumbo frames on their network
and give you 1500 mtu, right?
GluffiS: well, my findings told me that somewhere around 1300 was the way to go for that system :)
mercutio: oh what
how lame :/
GluffiS: hehe :D
mercutio: l2tp over the internet is around there somewhere i think
using udp
ie the old l2tp not the new one
GluffiS: l2tp v3 is nice
mercutio: v2 is more common
GluffiS: probably, but v3 has nice qos options...
mercutio: huh
GluffiS: it can copy, at least on cisco, the dscp value from the original packet to the tunnelled packet :D
mercutio: well that's not a feature of l2tp but an implementation detail
GluffiS: probably :D
mercutio: openbsd is gaining l2tp support
but that's one of the areas that lags behind in open source / unix platforms.
GluffiS: i'm no network guru... mainly dabble around with networking, firewalls, voip and stuff
OpenBSD and networking is awesome :D
their vrf implementation is really nice
mercutio: mostly
they need better vrf support :/
haha
well i had a play with it
GluffiS: well, compare it to Linux :)
mercutio: heh yeah
i want to see openbgpd get more efficient
but i really like openbgpd
but for some reason cisco is way quicker at loading bgp tables
someone benchmarked it
and cisco was beating openbgpd on much lower end cpus
GluffiS: well, cisco does BGP for a living :D
mercutio: that was when used as route server
yeah
but cpu speed is way faster
so it should be possible to speed it up
GluffiS: yes, they will get there :D
mercutio: i believe that to be true
how far did you get with vrfs on openbsd btw?
i was struggling to get it working right with bgp
GluffiS: i did not do anything fancy, needed a lot of different networks for some firewall migration
mercutio: https://www.ams-ix.net/downloads/ams-ix-route-server-implementations-performance.pdf
this is what i saw about cisco being faster with converging than openbgpd
***: r0ni has joined #arpnetworks
GluffiS: ok
well, an ASR cisco box is expensive as hell :D
mercutio: it's still a slower cpu
GluffiS: yes
but they have spent a couple of millions in developing the software :D
mercutio: heh
well it still means it's possible to get more efficient
GluffiS: absolutely
mercutio: which is what counts really
GluffiS: you can never solve bad code with hardware
mercutio: like when people talk about making a faster web server
it's like static web pages go at line rate on modern hardware
with whatever server
heh yeah to a point
but yeah algorithms matter
but there are limits
on that note, intel have made zlib faster apparently
GluffiS: nice
mercutio: (by using more cpu instructions)
but for some reason no-one was trying to make zlib faster it seemed
even though it's damn common and bottlenecks easily
lbzip2/pbzip2 are actually faster than gzip on modern cpus
cos they parallelise
GluffiS: hehe yes... parallelising is crucial these days
mercutio: well with low compression values
that still compresses better than zlib
yeah
that's where openbsd needs to catch up :)
and get rid of their giant lock
i imagine some of what makes openbgpd slower is interacting with the kernel
GluffiS: openbsd has never been fast ;)
ziyourenxiang: fast, secure, cheap - choose two. :-)
GluffiS: it's usually just one :)
mercutio: heh
openbsd is pretty fast for UP stuff really
GluffiS: i actually had a beer with Theo De Raadt 10 years ago or so :D
mercutio: what was he like
GluffiS: well, regular nerd :) a bit nerdier than most
mercutio: he seems like he has the right attitude towards things in a way to me
GluffiS: yes
mercutio: unlike rms etc :/
yeah omg
GluffiS: stallman feels like more of a clown
mercutio: looking at openbsd hackathon photos makes me feel less geeky :/
GluffiS: hehe
mercutio: i've met rms heh
i didn't stick around though
he wasn't very interesting
GluffiS: there was a discussion regarding bugfixing on that event and Alan Cox asked why Theo did not use the built in debugger in GCC, 'It's too slow, it's faster to just read the 180mb of code, then you might find something else to fix'
mercutio: haha
i hated gcc's debugger when i first tried it
i ended up just using printf :/
GluffiS: hehe
mercutio: but then i used it for backtraces
GluffiS: haven't written C since school :P
mercutio: i haven't done much C recently
trying to get back into it
GluffiS: well, I fixed some kernel stuff ages ago when struggling with the nvidia drivers :D
mercutio: cool
GluffiS: never submitted the patch though
mercutio: i know how that is
i fixed s/pdif on audio driver on openbsd
err added s/pdif support
but never submitted anything
GluffiS: :D
mercutio: for cmi8738
i just wanted to be able to listen to music
GluffiS: this happened on a friday evening with a lot of cursing
mercutio: i ended up taking code from netbsd
iirc
and i was surprised i managed to do it :)
GluffiS: hehe
mercutio: hmm i added higher initcwnd support to openbsd before it was implemented too
but that was pretty easy
GluffiS: hehe
mercutio: and reduced the initial retransmit timeout
hmm i wonder if openbsd has decreased that yet
linux has now
for some reason people pay more attention to the initial window size thing, when both of them were proposed by google at around the same time
basically normally there's a 3 second timeout in retransmits in initial packets
and it can be safely decreased to 1 second these days
saving a couple of seconds
easy to reproduce with 5% packet loss
GluffiS: :D
mercutio: and the difference can be noticeable
it only matters when you have packet loss in the beginning of connections though
GluffiS: and no one really cares :D
mercutio: i dunno, dsl networks here had 5 to 15% packet loss for a while
that's how i got interested
i dunno how common it is
i imagine it's still common in places like india
and happens on some wifi connections at long distance
GluffiS: people with dlink wifi equipment are probably interested
must be the crappiest piece of network hardware I ever bought
mercutio: there's actually more stuff that can be improved for wireless networks
normal tcp/ip congestion control doesn't work that well with the variable latency variance of wifi
freebsd's got a new algorithm that's meant to work better in such situations but i haven't tested what it's like for wifi yet
CAIA Delay-Gradient (CDG) congestion control algorithm
GluffiS: as soon as I get some cabling to the other side of the house I will literally set my dlink AP on fire
mercutio: ahh this is it
that bad is it?
GluffiS: yes
mercutio: you've set it to 20 mhz already?
GluffiS: use it as bridge
mercutio: i bridge for my wifi too
GluffiS: cisco 1142 in the other end :D the dlink just dies and has to be restarted
mercutio: oh
you mean you have a bridge off it
GluffiS: it just stops forwarding packets
yes
mercutio: have you tried openwrt on it?
GluffiS: it cant :(
1360 DAP
mercutio: i had a d-link 504t adsl modem
everywhere says they're crap
was real stable on openwrt
GluffiS: just need a drill and some rj45 contacts :D
mercutio: one of the few adsl modems supported for adsl in openwrt
GluffiS: ok
mercutio: a bit old now though
the cpu can't keep up with adsl > 16 mbit
ziyourenxiang: you mean freebsd has such good coverage of wifi drivers that they dream up algorithms to optimize tcp/ip over wifi? :-)
GluffiS: i am thinking of getting me a dsl wic for my 1841 router :D
mercutio: ziy: it'll help a freebsd web server send to an end user on wifi too
ziyourenxiang: ah.
mercutio: i have no idea what freebsd is like for wifi
-: ziyourenxiang would love to run freebsd on his netbook.
mercutio: i only came across it cos i was wondering what was new in freebsd 10
but it's actually in freebsd 9.2 too
i'm using a tp-link wireless router with openwrt
but it's bridging rather than doing anything
just between wifi and ethernet
and my normal linux box runs the dhcp server etc
well in theory
i've actually stopped using wifi
-: GluffiS is happy with his 1142 AP, it can do 40mhz also :D
mercutio: 3g works well enough on my cellphone
20 mhz is often more stable than 40 mhz
depending on how crowded your area is
it seems pretty common to have wifi issues these days though
and i'd rather see everyone shift to 20 mhz
GluffiS: it's not crowded...
closest neighbour is 100m away
mercutio: oh you live rural ok
GluffiS: yes, crappy phone wires though, get 8mbit dsl only
mercutio: damn
can you get two adsl connections and bond them?
GluffiS: nope
mercutio: single line to the house?
is it adsl1 or adsl2+ at 8 mbit?
GluffiS: well, I guess I can get 12-18mbit on my line actually
2+
mercutio: ahh ok
12 mbit is ok
GluffiS: my ISP refuses to deliver vdsl :D
mercutio: how come?
GluffiS: they haven't upgraded the dslam yet
mercutio: you may not get much more downstream, but you'd get more upstream at least
ahh
here having vdsl available means fibre fed
GluffiS: ahh
mercutio: not having vdsl available means it could still be atm fed
and atm fed can mean congestion
GluffiS: fibre here is 10Mbps ethernet as slowest :D
mercutio: fibre to the dslam i mean
GluffiS: ahh
the dslam is fibre :D
mercutio: so having a vdsl capable exchange is good
well that's a good start
just they have no vdsl line cards?
-: GluffiS is in sweden, fibre is almost everywhere
mercutio: see if you can get some other people in the area to put in requests for vdsl
GluffiS: yes :D
mercutio: i'm in new zealand
GluffiS: hh
ziyourenxiang: mercutio, happy new year :-)
mercutio: a long long way way :/
haha
yes it's 2014 here :/
not that it makes any diff to me
i didn't even get drunk :/
sweden has good net speeds right?
GluffiS: yes
if you live in the city 100Mbps is not uncommon :d
mercutio: heh
is it gpon?
GluffiS: some ISP's even offer gig :D
nope, copper usually
mercutio: oh curious
is this like apartments?
GluffiS: but fibre is coming, mostly to new villas
yep
mercutio: apparently sweden is using something called AON
which i've never heard of
it may be dated though
GluffiS: don't think it's that widespread
mercutio: i think gpon is taking off
GluffiS: yes
mercutio: CAIA Delay-Gradient (CDG) congestion control algorithm
oops
http://www.swedentelecom.com/solutions/fttx-gpon/
looks like one isp is doing gpon at least
and that's curious, it came up in english :)
and they doing hardware nat
cool.
current routers are going to struggle with gigabit speeds
GluffiS: yes... biggest ISP is still Telia, TSIC :D
TSIC are tier1 :D
mercutio: i've heard of telia
GluffiS: they are huge
mercutio: so yeah they must be big
cos i don't hear much about sweden
but they're all blonde over there right?
ziyourenxiang: abba wasn't all blonde :-)
GluffiS: haha yes
they are doing stupid stuff like selling voip over adsl :)
mercutio: what's stupid about that?
GluffiS: which is interesting when you pay for POTS
mercutio: voip has some advantages over pots anyway
GluffiS: no
it hasn't
mercutio: yes, it does.
GluffiS: voip is crap :D
mercutio: can be crap
GluffiS: POTS always works
mercutio: i dunno my phone line been having issues :/
not mine
GluffiS: here it does
mercutio: my line been crackling
and i've had it somewhere else before
and my parents had it once
if your line crackles too bad it can go off hook randomly
and then you can't receive phone calls
the weird thing is my dsl is stable
GluffiS: well, when they tore down the phoneline with a woodcutting machine it went dead
***: ese has quit IRC (*.net *.split)
plett has quit IRC (*.net *.split)
GluffiS: else, it always works
mercutio: but yeah overall pots is still more reliable than voip
esp. with regards to power outages etc
GluffiS: even in power outages :D
mercutio: well as long as you plug in a legacy phone :/
GluffiS: voip over 3g is horrible :D
mercutio: in the dark
GluffiS: yes
mercutio: i've done voip over 3g
it was ok
GluffiS: it works...
modem over voip also kinda works
mercutio: it depends on the jitter of the provider
but i was doing it with 80 msec ping
GluffiS: :E
mercutio: on 3g
GluffiS: i would never pay for voip over adsl :D
mercutio: why not i used to do it
but i use an alternative voip provider
and it had cheaper phone calls
GluffiS: well, I still have to pay for copper
mercutio: now i seem to get good value out of cellphone :/
it used to be you could cut the cost of ringing cellphones down heaps here by using voip
GluffiS: ok
mercutio: but now can get 120 minutes or something
of mixed minutes from cellphone
we used to pay 79cents/minute for cellphone calls on land line
GluffiS: calling is ridiculously cheap here
mercutio: and my cellphone plan used to be 49 cents/minute to the same provider, and $1.40/minute to other networks
GluffiS: we got flatrate cellphone plans for like 25USD a month
mercutio: then voip providers were like 35 cents/minute or something
GluffiS: call anyone domestic :D
mercutio: i don't even know how much calling cellphones costs from landline here now
GluffiS: seems expensive :D
mercutio: it's 5c/min on voip and 10c/min on landline domestic as normal rate here
i didn't say it was cheap
we don't have other options though :/
businesses pay like 5c/min for local calls too
GluffiS: i think the difference between dsl only copper and dsl with pots copper is like 2USD a month
mercutio: but residential get free local calling
GluffiS: ahh
mercutio: here the difference is about $20/month i think
***: ese has joined #arpnetworks
plett has joined #arpnetworks
mercutio: which iz nd
is nzd
GluffiS: :D
mercutio: but often there's discount of $10/month if you have tolls through your isp
GluffiS: hehe
mercutio: so it ends up being $10/month difference or such
so even as backup it's not silly
GluffiS: sweden is really cheap for calling :D
mercutio: heh
how much do phone lines cost there?
it's $45 nzd here
i can probably work out conversion rate
you use SEK right?
GluffiS: i guess 20USD a mon
month
yes
mercutio: that's 237.57 SEK
GluffiS: hehe
mercutio: that's just for a phone line no internet
GluffiS: yeah, around 22NZD for just phone here
mercutio: i think the cheapest naked dsl are about $60
GluffiS: hehe
mercutio: and the cheapest DSL+POTS is about $70
to me, it's the phone line that's overcharged
rather than the internet
GluffiS: i think my colleague pays like 45NZD a month for 100Mbps fiber at his house :D
mercutio: cos the thing is for $19/month you can get cellphone prepay plan for 120 minutes of calling, 1gb of data, and unlimited text
GluffiS: well, time to go to new years party :D
hehe
mercutio: ok
hf
GluffiS: hf
mercutio: heh
***: heavysixer has joined #arpnetworks
ChanServ sets mode: +o heavysixer
m0unds: haha, that's one thing that benefits people living in geographically tiny places - cheap to deploy fast infrastructure
***: milki has quit IRC (Ping timeout: 272 seconds)
forgotten has joined #arpnetworks
forgotten: curious if anyone has a horrible experience attempting to use IPv6 and connections to freenode. Or any irc network for that matter.
god awful slow. barely usable. etc
m0unds: forgotten: openbsd?
forgotten: m0unds: yes.
m0unds: other people here have similar issues w/openbsd and ipv6 w/freenode
forgotten: gotcha
***: Hien_ has joined #arpnetworks
m0unds: forgotten: which IRC client?
forgotten: irssi
even just ping6 outs to google takes 1000ms for the first response tho
m0unds: whoa
***: milki has joined #arpnetworks
phlux: I'm doing it right now
No issues
***: ameise has joined #arpnetworks
m0unds: you could try using /set server_connect_timeout to 5min to see if that prevents you from timing out in irssi, but that sounds like something else is screwy if it's taking 1 sec to get a response from google
phlux: are you using openbsd?
phlux: Ah, no
FreeBSD
m0unds: same here, no problems either
(freebsd)
forgotten: digging thru irc logs that google finds
***: heavysixer has joined #arpnetworks
xiphias has joined #arpnetworks
forgotten: yeah right now i have like 50 to 75 percent packet loss on ipv6 :(. according to "mtr -6 www.google.com"
can't seem to find anything related on the web
***: staticsafe-znc has joined #arpnetworks
NiTeMaRe has joined #arpnetworks
heavysixer: anyone seen up_the_irons ?
toddf: never in person ;-)
***: lteo has quit IRC (Ping timeout: 245 seconds)
heavysixer: heh
***: lteo has joined #arpnetworks
forgotten: lteo: lol
***: NiTeMaRe has quit IRC (Ping timeout: 240 seconds)
twobithacker has joined #arpnetworks
m0unds: forgotten: are you using the default /64 or did you have your /48 set up?
***: xiphias has quit IRC (Ping timeout: 240 seconds)
xiphias has joined #arpnetworks
forgotten: m0unds: default /64
m0unds: hm
***: xiphias has quit IRC (Changing host)
xiphias has joined #arpnetworks
m0unds: do you see packet loss if you just ping6 or mtr -6 the gateway?
forgotten: yep i get same amount to the first hop of the gateway
when going to google
running it by itself instantly goes to 40%, between 40 and 50%
***: NiTeMaRe has joined #arpnetworks
staticsafe-znc has joined #arpnetworks
heavysixer has quit IRC (Quit: heavysixer)
m0unds: open a ticket - i had a similar issue last week; in my case, it was a config issue w/the redundant switch
***: forgotte1 has joined #arpnetworks
forgotte1: mtr is still showing 33% loss. But PF was blocking some icmp6 stuff. have that resolved.
this seems way more usable than before. i am able to type now at least lol
not seeing any ipv6 related blocks in PF. at all.
m0unds: do you still see packet loss if you temporarily disable pf?
***: NiTeMaRe has quit IRC (Ping timeout: 240 seconds)
NiTeMaRe has joined #arpnetworks
forgotte1: think i might have found something related
http://openbsd.7691.n7.nabble.com/4-8-current-tcpdump-pflog-unaligned-libpcap-packets-td170588.html
m0unds: and yes i have it disabled now. and am getting 60% loss to the Gateway address
1. 2607:f2f8:a768::1 65.5% 30 0.7 0.7 0.4 1.5 0.3
so now my link is probably unrelated after trying this
brycec: Well that's neat
I mtr google myself (from my Debian host) and part way through the second packet, the whole connection hangs for 6 seconds or so.
Did that twice in a row
fwiw forgotte1 I'm seeing packet loss sporadically, both to the gateway (55pkts, 1.7%) and to Google (70pkts 4.1%)
forgotte1: mine will somewhat hang occasionally too. which makes the loss spike higher
brycec: good to know. and that is from a debian vm ?
forgotten: my lag shows 8.02 in irssi. on the ipv6 con right now. heh
brycec: yep
forgotten: so it seems like an arp issue then. not an obsd issue.
brycec: I blame ARP's transit
-: brycec always plays the transit
forgotten: what host are you on?
brycec: kvr07
forgotten: im on kvr29
brycec: I still see more problems with Freenode than any other IRC network, so I always chalk it up to Freenode
forgotten: cept we are testing packet loss to google. and just the arp gateway lol
or i am
brycec: heh
The packet loss I'm seeing is highly intermittent
I restarted mtr, 100 packet, no loss forgotte1: same here
0.0% all the way to google since i restarted it brycec: and suddenly, loss
(through the whole chain) forgotte1: now seeing some loss
11%
yep
something is majorly screwy.
those damn ubuntu servers !
:P
brycec: hopefully I'll have time to re-setup smokeping today
***: heavysixer has joined #arpnetworks
lteo has joined #arpnetworks
robonerd: 1.93.25.234 is trying to hack me right now
brycec: China is trying to hack a server? Unbelievable!! I've never heard of such a thing ever in my whole life.
robonerd: my first intrusion attempt :)
i sent auth log to the noc of the registered an, confirmed sshd is configured to not allow root login, now i'm configuring pf. next i'll install fail2ban
-: brycec has never, ever received a response from CNNIC. Nor has it ever appeared to do any good.
robonerd: what's cnnic?
brycec: @wiki CNNIC
BryceBot: China Internet Network Information Center :: The China Internet Network Information Center (simplified Chinese: 中国互联网络信息中心; traditional Chinese: 中國互聯網絡信息中心; pinyin: Zhōngguó Hùlián Wǎngluò Xìnxī Zhōngxīn), or CNNIC, was founded as a non-profit organization on June 3, 1997. CNNIC is the administrative agency responsible for... http://en.wikipedia.org/wiki/China%20Internet%20Network%20Information%
robonerd: ah
if they don't shape up i'll just block their entire ip
block
brycec: Just block China. It's not like you want anything to do with them
And heck, it's only 4,940 CIDR blocks
robonerd: do you block all of china?
brycec: I'm confident that at this rate, fail2ban will take care of that for me
mercutio: robonerd: you can disable password auth
robonerd: mercutio and go to ssh key auth?
mercutio: robonerd: yeh
robonerd: yep, i'll be getting to that after fail2ban
it's good to run both right?
mercutio: i dunno about you, but i find encrypted key with unlocking it works best for me
if i use too many passwords i'll just be tempted to write them down, or cut and paste, or type the password into the wrong place.
i haven't typed any passwords into irc by accident yet though
robonerd: can't you make as many mistakes with a key file?
what if file gets corrupt or w/e
mercutio: i dunno, to my mind it makes sense to have an alpha numeric password for root
in case you need to get in via oob
but for normal user it only matters if you use sudo :/
robonerd: you kinda lost me with those last 2. catch me up?
mercutio: and from that perspective if anyone hacks your user account they can get root
so it makes more sense to me to just log in as root to do root things, and as a user to do user things.
and keep them segregated.
if the file gets corrupt?
files don't normally get corrupt. but in case you lose your hard-drive you can have your key in multiple places
and if it's encrypted then you just unlock it once.
robonerd: after i fail2ban_enable="Y" in rc.conf, then what? to enable fail2ban with pf, please
mercutio: i assume you need to reboot, if it's in rc.conf, but there may be some way to reread it
oh i lost you sorry i am losing myself :/
too much coffee
with a key file, you can encrypt or have it not encrypted
if you have a key file unencrypted you can just copy it to every host you connect from, and connect with no password at all
if you encrypt it you have to type an unlock passphrase on the key file to connect to a remote host
which is the same for all hosts you connect to with that key
but if you use something like ssh-agent, you can type that unlock passphrase once, and keep reconnecting to different hosts
brycec: <-- always surprised to learn people still use passwords for SSH auth
***: laotzi has joined #arpnetworks
CaZe has joined #arpnetworks
mnathani: brycec: I use keys, but what do you do when you are on a new machine, do you have to keep a copy of your key handy? Passwords are a lot more portable
brycec: mnathani: I'm not saying never-ever-ever-ever-use passwords. There is a time, albeit briefly, for their use. In-person, freshly setup, etc. My surprise comes from those who use passwords daily, as if they were perfectly secure, etc.
***: TheHiTCH_ has quit IRC ()
TheHiTCHO has joined #arpnetworks
brycec: Bryce's rules for basic security: Disable ssh login as root (or if you really must, key-only). If you can, disable password ssh altogether; if you cannot, at least setup two-factor. And yeah, you should probably have a passphrase on your key, and keep backup copies of your key in safe places, and while we're at it, use different keys for different machines/networks/etc.
mercutio: you only need your public key
which you can stick on a web site or such if need be
ie you can give your public key out freely and not worry about it. It's the private key you have to keep secure.
what i tend to do is set a bad password, then stick key on, then change to a better password
***: CaZe has quit IRC (Ping timeout: 245 seconds)
CaZe` has joined #arpnetworks
CaZe` is now known as CaZe
robonerd: can someone try to own my arp vps and see how the sec is?