#arpnetworks 2015-09-02,Wed


Who | What | When
*** hazardous has quit IRC (Quit: Lost terminal) [02:38]
................................... (idle for 2h52mn)
ben2 has joined #arpnetworks
mercutio has quit IRC (Ping timeout: 250 seconds)
[05:30]
.................................................. (idle for 4h6mn)
<brycec> kellytk: Normally what you've described is resolved by set keep-state
(I tried looking at your pf.conf but it's been removed already)
*set keep state
i think
oh my bad, it's this:
block return
pass
That establishes the "keep state" for connections
(Overall my point is that the default pf.conf, at least in OpenBSD, has no problems)
[09:36]
......... (idle for 43mn)
<grody> fsck my cc company, gonna have to use bloody paypal mc instead
they got real assy after i bought things on play
[10:23]
........ (idle for 35mn)
<m0unds> bummer [10:58]
................... (idle for 1h34mn)
*** hive-mind has quit IRC (Ping timeout: 260 seconds) [12:32]
ben2 is now known as mercutio [12:42]
....... (idle for 33mn)
<kellytk> brycec: http://pastebin.com/6uGA28JM is my ruleset
FYI, it's for FBSD's port of pf
[13:15]
*** hive-mind has joined #arpnetworks [13:18]
<brycec> Well assuming it's similar enough to OpenBSD's, then yeah your block by default isn't helping ;P
(it's blocking everything including the return acks)
[13:20]
<m0unds> ime it's nearly the same as openbsd's pf [13:21]
<brycec> (same) [13:21]
<m0unds> i love pf [13:21]
<brycec> Differs when it comes to specifics like queueing [13:21]
<m0unds> yeah [13:21]
<brycec> but its common features are the same [13:21]
<m0unds> yup [13:21]
<brycec> like most languages with regional dialects :p [13:22]
<kellytk> bryce, which line?
"block log all"?
[13:23]
.... (idle for 15mn)
Is the traffic being blocked in http://pastebin.com/kzSv01i5 important? It looks like it's related to DNSSEC resolution but I'm not positive [13:38]
....... (idle for 31mn)
<brycec> You blocked the response from a DNS server. It happens to be a request for a DNSKEY record, but I don't think that's why it was blocked. It was blocked by rule 1, "block log all" [14:09]
<mercutio> heh [14:10]
<brycec> (you can confirm which active with "pfctl -sr" of course) [14:11]
<kellytk> brycec: What I would like to do is block all, and selectively pass [14:11]
<mercutio> udp is nasty [14:11]
<BryceBot> That's what she said!! [14:11]
<mercutio> well at least if you want to send out udp packets and get them back [14:11]
<brycec> Yeah, states and UDP... [14:11]
<kellytk> http://pastebin.com/afQv0gj5 is the output of pfctl -sr [14:12]
<mercutio> if you allow all responses from port 53, then people can target any udp ports on your host just by using a source port of 53
there's no direction with udp, ...
there are helpers, but they can have issues too
and i don't think pf supports any of those fancy helper things.
[14:12]
<brycec> (tftp-proxy...)
(siproxd...)
[14:13]
<mercutio> tftp-proxy is transparent isn't it? [14:13]
*** carvite has quit IRC (Ping timeout: 240 seconds) [14:13]
<mercutio> err i mean, you redirect the port to a local host
rather than inline
i suppose it makes no diff
anyway, if you use the same external recursive dns you can allow source/destination ip with all ports for udp
[14:13]
<kellytk> I'm not finding a way to flush Unbound's cache totally (http://unbound.net/documentation/unbound-control.html) Am I missing something? [14:16]
*** carvite has joined #arpnetworks [14:19]
<m0unds> reload Reload the server. This flushes the cache and reads the config
file fresh.
^
[14:20]
<kellytk> I just found that, thank you :-)
While running `host update.freebsd.org` the states are http://pastebin.com/bHVa3GDL
[14:22]
.... (idle for 15mn)
<staticsafe> unbound-control flush * [14:39]
<m0unds> or that
hahaha
[14:40]
<kellytk> staticsafe: Are you sure?
That gave odd output when I tried it
[14:41]
<staticsafe> root@lasciel:~# unbound-control flush *
ok
[14:42]
<kellytk> staticsafe: http://pastebin.com/BKvQCAMc [14:43]
<staticsafe> thats a shell interpretation problem [14:43]
<kellytk> I use tcsh [14:43]
<staticsafe> try quoting the whole thing [14:43]
<kellytk> What do you mean by whole thing? [14:44]
<staticsafe> "/usr/local/sbin/unbound-control flush *" [14:44]
<kellytk> /usr/local/sbin/unbound-control flush "*" worked [14:44]
<staticsafe> or that [14:44]
<kellytk> Thanks for the tip staticsafe [14:44]
<staticsafe> np [14:45]
<kellytk> So I'm back to the firewall not allowing name resolution [14:45]
<mercutio> i didn't realise reload flushes the cache on unbound
that's kind of sub-optimal
[14:46]
<brycec> that would not be valid :P staticsafe | "/usr/local/sbin/unbound-control flush *" [14:46]
<mercutio> i have found that reload tends to crash out though, so i've been doing restarts... [14:46]
<brycec> (Unless you have an executable named "unbound-control flush *" of course) [14:46]
<staticsafe> ah true [14:47]
<mercutio> which is also sub-optimal
that's with ubuntu trusty, i haven't checked to see if it's got better since then.
[14:47]
<kellytk> http://pastebin.com/1kZ66MPk is a summary of the ruleset problem I'm having [14:51]
I'm getting the impression /usr/local/sbin/unbound-control flush "*" doesn't actually flush. Results return immediately, whereas after a `service unbound restart` results take a moment
Something else interesting is `host google.com` returns with the firewall up, however `host update.freebsd.org` does not
[14:56]
*** carvite has quit IRC (Ping timeout: 246 seconds)
carvite has joined #arpnetworks
[15:03]
<staticsafe> possible you are dropping EDNS queries at the firewall
i would suggest adjusting your DNS rules
flush the cache, do queries for google.com and freebsd.org and check firewall log
[15:06]
<kellytk> staticsafe: Is http://pastebin.com/J3x6PgQA what you mean?
I recall having to add the last line in the past, but when I've looked for recent info on it I only found mailing lists, no docs
[15:07]
<staticsafe> edns0 (since glibc 2.6)
sets RES_USE_EDNSO in _res.options. This enables support for the DNS extensions described in RFC 2671.
that is on linux
[15:09]
<kellytk> Which man page? [15:09]
<staticsafe> man resolv.conf [15:09]
<kellytk> FreeBSD's resolv.conf man page doesn't include an explanation of the option unfortunately [15:11]
<staticsafe> its probably not a valid option then
the difference between google.com and freebsd.org is that freebsd.org is DNSSEC signed which requires EDNS queries to validate
[15:12]
<kellytk> Ok that's what I suspected. So is it likely that the pf ruleset is blocking DNSSEC, but not regular DNS? [15:14]
<staticsafe> its breaking EDNS in some way yes [15:15]
<BryceBot> That's what she said!! [15:15]
<staticsafe> kellytk: http://lists.freebsd.org/pipermail/freebsd-net/2007-May/014190.html [15:16]
<brycec> BryceBot: no [15:16]
<BryceBot> Oh, okay... I'm sorry. 'its breaking EDNS in some way yes' [15:16]
<kellytk> staticsafe: IPv6 isn't necessary for this, correct? [15:16]
<staticsafe> no
pf is dropping the fragments
[15:16]
<kellytk> pass out quick on $pub_if inet proto udp from $pub_if to any port $out_udp_services keep state > pass out quick on $pub_if inet proto udp from $pub_if to any port $out_udp_services keep state keep frag?
staticsafe: What are fragments?
http://www.dnssec-deployment.org/tag/udp-fragments/
[15:17]
Unbound has a edns-buffer-size configuration option to help, however is it correct to think that the better solution is to modify the pf ruleset to allow fragments?
staticsafe: Thoughts on using scrub fragment reassemble?
[15:30]
This is strange. Two identically configured FreeBSD boxes on my LAN, each having "scrub fragment reassemble" added to pf.conf, one can resolve update.freebsd.org and the other cannot [15:44]
<staticsafe> i do not know, i don't have experience with pf [15:53]
<kellytk> Which firewall do you use? [15:53]
Two identically configured boxes on the LAN (except for differing pf.conf), working pf.conf http://pastie.org/private/o6exhdd0wgyofhf0htcq and the broken pf.conf http://pastie.org/private/paf0wnaik0i49l2q0cxyyq
Ok this is odd, when I drop the firewall on the broken box and rerun `host update.freebsd.org`, it still returns "Host update.freebsd.org not found: 3(NXDOMAIN)"
[16:01]
<mnathani_> up_the_irons brycec mercutio : I emailed softlayer yesterday about the domain they hadn't registered. No response and it is still not registered. [16:03]
<mercutio> mnathani_: hahahaha [16:04]
<kellytk> Register it and redirect to a lolcats? [16:04]
<mercutio> well you've given them fair warning [16:04]
<brycec> brycec owns too many domains as is, and isn't feeling overly dickish today. [16:04]
<mercutio> direct it to ovh [16:04]
<brycec> lolol [16:04]
<mercutio> would be embarrassing for them [16:04]
<brycec> or worse, GoDaddy [16:04]
<mercutio> set the nameserver expiry times insanely long
and direct to goatse
i dunno it depends how much you want to stir :)
[16:05]
<mnathani_> I would rather they fix it [16:06]
<mercutio> yeah :) [16:06]
<mnathani_> as one of my clients is about to become a customer of theirs [16:06]
<BryceBot> That's what she said!! [16:06]
<mnathani_> BryceBot: nbo
BryceBot: no
[16:06]
<BryceBot> Oh, okay... I'm sorry. 'as one of my clients is about to become a customer of theirs' [16:06]
<mercutio> you could just register it and set the name registration to their name servers
you could register it, and say that you got no response and go public
and say you're willing to give it to them at cost
[16:06]
<mnathani_> I wouldnt want to risk a lawsuit [16:07]
<mercutio> but going public without registering it first would be irresponsible
i thought you were in canada for some reason
[16:07]
<mnathani_> I am in Canada
they have a datacenter here also
[16:07]
<mercutio> oh, i thought that protected you from US lawsuits for the most part.
at least frivolous ones.
apparently there's a big el nino thing happening soon
[16:08]
<mnathani_> close to Mexico? [16:12]
<mercutio> and july was the hottest recorded month on average around the world.
across huge areas afaik
across pacific ocean it seems
i'm trying to find something more moderate and balanced rather than alarming
not to much avail
http://www.thedailybeast.com/articles/2015/09/01/we-re-worse-off-than-ever-for-el-ni-o.html
this seems better than most
it's still a bit alarming though.
[16:12]
<staticsafe> kellytk: i use iptables for the most part [16:18]
<m0unds> i'd love to see some fear mongering about when we don't have el nino patterns [16:18]
<mercutio> there's the non el nino pattern too [16:19]
<m0unds> i know
but no fear mongering
[16:19]
<mercutio> hmm, apparently el nino may bring rain to california [16:19]
<m0unds> SW US enjoys el nino because it means we get rain
and it means we have fewer forest fires
[16:19]
<mercutio> heh
winter here hasn't been nearly as wet or stormy as last year.
[16:19]
<staticsafe> .w [16:20]
<m0unds> i wonder what would happen if someone registered that softlayer domain [16:20]
<staticsafe> hm what was the trigger [16:20]
<mercutio> @weather [16:20]
<BryceBot> mercutio: Fetching weather for your previous query (akl). [16:20]
<kellytk> staticsafe: A greater oddity has arisen. With firewalls disabled, one server correctly resolves `host update.freebsd.org` whereas the other server returns ";; connection timed out; no servers could be reached" [16:20]
<BryceBot> Auckland International, New Zealand: Mostly Cloudy ☁ 57°F (14°C), Humidity: 82%, Wind: From the West at 28 MPH -- For more details including the forecast and almanac, see http://www.wunderground.com/cgi-bin/findweather/getForecast?query=-37.00805664,174.79167175 or re-request this with: @weather -v [16:20]
<staticsafe> m0unds: i don't want to know enough to risk a lawsuit
well
[16:20]
<m0unds> staticsafe: lol [16:20]
<staticsafe> UDRP process maybe [16:20]
<mercutio> maybe brycebot can register it [16:21]
<m0unds> be a sport [16:21]
<staticsafe> eh even if somebody did, Softlayer has certainly enough money and lawyers to file a UDRP
which would be decided in their favour
[16:21]
<mercutio> "The selection and placement of stories on this page were determined automatically by a computer programme. "
does google news spell program as programme for other people too?
[16:21]
<m0unds> probably localization [16:22]
<mercutio> or is it trying to use US vs UK spelling. [16:22]
<m0unds> e.g. you're in a place where that might be normal [16:22]
<mercutio> here it's normal to call computer programs, programs.
but if you have an event or something you may have a programme
[16:22]
<m0unds> would you otherwise say UK english is pretty typical? [16:22]
<mercutio> yeah. [16:22]
<m0unds> ok [16:22]
<brycec> What's sorta weird is news.google.com shows "program" even though my language is en-UK
Perhaps because this is the "U.S. edition"
[16:22]
<mercutio> i don't even remember seeing that statement before. [16:23]
<m0unds> it says programme on news.google.co.uk
it says program on news.google.com w/en_us
[16:23]
<brycec> It has said it for a long time [16:23]
<staticsafe> brycec: maybe it is IP geo-locating you
:P
[16:24]
*** kellytk has left "WeeChat 1.0.1" [16:24]
<mercutio> i'm on www.google.co.nz with news tab [16:24]
<m0unds> it says program on co.nz
for me
[16:24]
<brycec> lol I switched edition to UK and now it's programme https://news.google.com/?edchanged=1&ned=uk&authuser=0 [16:24]
<m0unds> google is mysterious [16:24]
<mercutio> brycec: probably just didn't notice [16:24]
<m0unds> hahaha [16:24]
<mercutio> i don't usually scroll down all the way [16:24]
<brycec> And when I switch it to France edition, it's all in french, including programmae
*programme
[16:25]
<m0unds> m0unds waits for google to tell brycec to make up his mind
we can't profile you if we don't know where you are and what language you want
[16:25]
<mercutio> how do you switch editions
i tried appending &ned=us and it's still programme
[16:25]
<brycec> "But Google, I care about the world and speak multiple languages!"
mercutio: there's a drop-down for me
[16:25]
<m0unds> based on your search history, we can confirm you're a liar [16:26]
<brycec> https://dl.dropboxusercontent.com/u/3167967/screenshot_2015-09-02_16-23-29.png [16:26]
<m0unds> redirecting to pig latin edition [16:26]
<mercutio> oh that looks totally different
i don't even have the top stories on the left
ahh going to news.google.com is different
[16:26]
<brycec> And just for completeness https://dl.dropboxusercontent.com/u/3167967/screenshot_2015-09-02_16-24-39.png [16:27]
*** carvite has quit IRC (Ping timeout: 252 seconds) [16:27]
<mercutio> the american news is more disturbing
for some strange reason australia tells me about another china chemical explosion.
[16:28]
*** carvite has joined #arpnetworks [16:30]
<mercutio> i wonder how they decide what's important for different regions. [16:30]
<brycec> Australia? like the whole entire country at once, shouting it across the sea? :D [16:31]
<mercutio> australia google news edition
there's actually no china english edition
[16:31]
<brycec> Whatever, I liked my mental image better. [16:31]
<m0unds> australia just shouting about a chemical explosion
what would australia sound like?
[16:31]
<mercutio> not sure [16:33]
<brycec> @google site:youtube.com Australians shouting [16:34]
<BryceBot> 2,490 total results returned for 'site:youtube.com Australians shouting', here's 3
A century worth shouting about. 100 years of the Royal Australian ... (http://www.youtube.com/redirect?event=stream_redirect&q=http%3A%2F%2Fwww.insidehistory.com.au%2F2013%2F10%2Fa-century-worth-shouting-about%2F&usg=VVFYdiLaFnMweikWVjKABUmaEh4=) Oct 3, 2013 ... Lindsey Shaw, formerly a Senior Curator at the Australian National Maritime Museum, starts a series of four articles on the history of the Royal ...
Are you God? Crazy guy shouting on Australian Train - YouTube (http://www.youtube.com/watch?v=uq5DzvqJma0) Dec 19, 2013 ... Are you God? Crazy guy shouting on Australian Train. ... Are you God? Crazy guy shouting on Australian Train. MCARDLEPRODUCTIONS.
Construction Workers Shouting Catcalls Women Can Appreciate ... (http://www.youtube.com/redirect?event=stream_redirect&q=http%3A%2F%2Fwallstreetinsanity.com%2Fconstruction-workers-shouting-catcalls-women-can-appreciate-video%2F&usg=4V43l-ajdmbsmA1yXc9ZQTPShKc=) Mar 27, 2014 ... Snickers has released a new ad in Australia that has good intentions, ... The builders then shouted loud, empowering statements at the women ...
[16:34]
<m0unds> are you god video sounds like it might be a winner
m0unds loads
[16:34]
<staticsafe> well then [16:34]
<brycec> I am suitably amused.
Especially the part where they try and push him off/down
[16:35]
<m0unds> yeah
imagining him screaming about chemical explosions
[16:35]
<brycec> Needs more female voices shouting too though [16:35]
<mercutio> haha [16:36]
<staticsafe> Java based IPMIs make me sad [16:42]
<mercutio> the ipmi isn't java based
it's the kvm that is java
[16:56]
<staticsafe> yeah thats what I meant [16:56]
<mercutio> you can use ipmitool and serial console to get around it
and you can reboot etc with ipmitool too
but yeah java isn't even supported in chrome anymore :(
and it never really seemed that great.
[16:56]
....... (idle for 34mn)
*** mnathani_ has quit IRC (Read error: No route to host)
mnathani_ has joined #arpnetworks
[17:31]
..... (idle for 23mn)
<mercutio> https://www.snellman.net/blog/archive/2015-09-01-the-most-obsolete-infrastructure-money-could-buy/ [17:54]
*** kellytk has joined #arpnetworks [18:02]
<kellytk> I figured out the Unbound resolution issue. After removing the search domain, all became well. It's an imperfect solution as I made use of the search domain feature however [18:03]
....... (idle for 33mn)
Has anyone seen "Could not establish a chain of trust to keys for ntp.org. DNSKEY IN" in unbound.log? In the course of research it seems to be possibly related to pf ruleset + UDP fragmentation, however my pf ruleset should handle frags with its `scrub fragment reassemble` option, so I'm confused [18:36]
........ (idle for 39mn)
<gizmoguy> dnssec is probably going to occur over TCP
do you handle tcp fragmentation?
[19:15]
<BryceBot> That's what she said!! [19:15]
<kellytk> gizmoguy: http://pastie.org/private/imat8lhakzvxkt0fbytmla is my entire pf.conf
I don't believe I do
FWIW I'm using the FreeBSD pf port. Can you suggest any improvements to my ruleset?
[19:16]
<gizmoguy> you shouldn't really have to handle fragmentation differently [19:18]
<BryceBot> That's what she said!! [19:18]
<gizmoguy> also I can't say I've used pf before..
hold up
is ntp.org even signed?
no it's not
[19:18]
<kellytk> I don't know [19:20]
<gizmoguy> I would suspect that's why DNSSEC to ntp.org fails [19:21]
<kellytk> So that failure is normal? [19:21]
<gizmoguy> maybe? [19:22]
*** milki has quit IRC (Ping timeout: 256 seconds)
grody has quit IRC (Remote host closed the connection)
milki has joined #arpnetworks
grody has joined #arpnetworks
[19:22]
<m0unds> BryceBot: no [19:23]
<BryceBot> Oh, okay... I'm sorry. 'you shouldn't really have to handle fragmentation differently' [19:23]
<kellytk> What is the purpose of that bot BTW? [19:24]
<m0unds_> gross packet loss [19:24]
<gizmoguy> @last m0unds_ [19:24]
<BryceBot> gizmoguy, I last saw m0unds_ 4 sec ago saying in a channel: gross packet loss. [19:24]
<m0unds_> can't even stay connected to my VM via ipv6 [19:24]
<kellytk> Oh [19:24]
<gizmoguy> ipv6 is for losers [19:24]
<mike-burns> I've switched to IPv9. [19:25]
<kellytk> block log quick inet6 all [19:25]
<m0unds_> mike-burns: how is v9? do your pakkitz travel at least 15% faster than the speed of light? [19:25]
<gizmoguy> i run chimiak-enhanced-ipv4 [19:25]
<m0unds_> they arrive before they were transmitted [19:25]
<mike-burns> Yes but that makes them very loud. [19:25]
<gizmoguy> best ipv4
https://tools.ietf.org/html/draft-chimiak-enhanced-ipv4-00
[19:25]
<m0unds_> hahaha [19:25]
<gizmoguy> basically he removes some cruft from the ipv4 header and lets you use 64bit ipv4 addresses
for some reason it didn't take off
[19:26]
<m0unds_> funny
ah yes, NTT return path shittiness
just saw 50% packet loss at s3, then my session died
sweet
[19:26]
<mercutio> gizmoguy: that sounds like a good idea [19:34]
<m0unds_> mercutio: anything going on w/ipv6? [19:34]
<mercutio> m0unds: nothing diff from usual that i know about [19:34]
<m0unds_> i thought it was ntt being stupid, but i keep seeing packet loss at s3 incrementing, then my ssh session drops when it hits 50% [19:34]
<mercutio> wow
i'm seeing something funky
with ntt too hah
wtf
it's not even all ntt, ..
hmm and i trace again and it's fine
[19:35]
<m0unds_> yeah, it's fine right now [19:36]
<mercutio> yeah i was tracing to www.kame.net [19:36]
<m0unds_> give it a minute, it'll get weird again
it's getting worse now
[19:36]
<mercutio> oh it's going funky again [19:36]
<m0unds_> yeah
haha
[19:36]
<mercutio> and it hits japan ok
then it hits another router in japan and starts dropping
[19:36]
<m0unds_> me -> arp via ipv6 goes comcast -> he -> arp [19:37]
<mercutio> in both directions? [19:37]
<m0unds_> nah, outbound to arp only
return is ntt
outbound to arp is worse
ntt is just regular old flaky ntt
[19:37]
<mercutio> i'm not well situated for ipv6 test sites atm [19:37]
<m0unds_> it seems like it's just v6 that's acting up though, for sure [19:38]
<mercutio> vultr in sydney seems fine atm [19:38]
<m0unds_> because i'm still connected via v4 [19:38]
<mercutio> but i'll keep it going [19:38]
<m0unds_> and that goes level3, not ntt [19:38]
<mercutio> bah late hops on vult just screwed up
and of course there's no reverse lookups and 12 hops...
[19:38]
<m0unds_> hahaha [19:39]
*** grody has quit IRC (Remote host closed the connection) [19:39]
<m0unds_> just hit...75% loss and dropped [19:39]
*** grody has joined #arpnetworks [19:39]
<mercutio> toggling asn info isn't working
if you press z does it tell you asn's in mtr?
[19:40]
<m0unds_> negative, it's not doing it
used to
[19:40]
<mercutio> damnit [19:40]
<m0unds_> it's working on my vm [19:41]
<mercutio> maybe it only ever worked with ipv4 [19:41]
<m0unds_> what version of mtr are you? [19:41]
<mercutio> 0.86 [19:41]
<m0unds_> i have .86 on fbsd and .82 on deb
oh
[19:41]
<mercutio> on openbsd [19:41]
<m0unds_> hm [19:41]
<mercutio> and 0.85 on linux
neither are working
[19:41]
<m0unds_> it's working on freebsd but not debian on an rpi
weird
hahaha
[19:41]
<mercutio> it's showing loss from vultr in the same way
vultr mostly use ntt afaik
[19:41]
<m0unds_> oh, -z isn't a flag on .82 that's why [19:42]
<mercutio> 2402:7800
i'm pressing inside the app
hmm 2402:7800 is vocus
so vultr's screwing up on vocus
before hitting arp even
vultr is vocus in both directions
not ntt
although i'm not sure what 2001:504:13::210:136 is
it's probably coresite though
[19:42]
<m0unds_> coresite
yea
[19:45]
<mercutio> this is whack though
i'm mtr'ing in both directions, and one way is showing much more loss than the other
and my smokeping has been broken for 40 minutes too
wtf
40 minutes ago it got TERM signals
so i have no ipv4 smokepings to look at
but if i look at sydney's smokeping stuff to arp there was some loss a couple of hours ago
so there may be concurrent vocus and ntt issues
[19:45]
*** mhoran has quit IRC (Ping timeout: 256 seconds) [19:53]
mhoran has joined #arpnetworks
ChanServ sets mode: +o mhoran
[19:58]
<mercutio> i'm struggling to determine any consistent patterns [19:59]
*** KDE_Perry has quit IRC (Read error: Connection reset by peer)
KDE_Perry has joined #arpnetworks
[19:59]
<mercutio> it's only www.kame.net i saw the severe loss pattern too [20:03]
oh another bind crash vulnerability [20:09]
<m0unds_> yup
did coresite die?
looks like the route changed, outbound from me to arp changed from he to ntt, and return path is still ntt
lol, he's lg at one wilshire looks awful
[20:18]
<mercutio> awful to arp or awful in general? [20:24]
<m0unds_> awful in general [20:24]
<mercutio> hmm
yeah not sure what's happening tbh
[20:24]
<m0unds_> 800ms to me from lax @ coresite
hahaha
[20:24]
<mercutio> ouch [20:24]
<m0unds_> vs 35ms to me from equinix
pinging arpnetworks.com via coresite lg = 750ms
[20:25]
<mercutio> it seems a lot of disparate failures at once [20:26]
<m0unds_> yeah [20:26]
<mercutio> so i'm wondering what the connection is
it may be a fibre cut
there was fibre cut in san francisco the other day
maybe there were more
i think it's up to like 13 in the last year?
of reported cuts around there
[20:26]
<m0unds_> yea [20:27]
<mercutio> but they seem to cluster a bit [20:28]
<m0unds_> oh well, weird as hell
time for planetside
[20:28]
<mercutio> it does make me think i should setup better ipv6 monitoring though :) [20:28]
<m0unds_> yea, i have just long interval ping monitoring via uptimerobot [20:29]
*** brycec has quit IRC (Ping timeout: 244 seconds)
brycec has joined #arpnetworks
[20:34]
milki has quit IRC (Ping timeout: 256 seconds)
milki has joined #arpnetworks
[20:40]
.... (idle for 18mn)
<brycec> Am I the only one getting horribly network activity?
i worded that badly
oh a quick skim of the backlog is ffffffasfl;jksadjkladljkasdjkl;sdjkl;asjkl;asjkl;asasdfjkasdfjkasdf[
it hung again ^
I'll have to get more info, but looks like I haven't been alone
[20:59]
<up_the_irons> brycec: i liked your mental image better too [21:07]
<brycec> Thanks. When a country can work together as one voice, it's always great.
Now, wtf is up with my connection???. I have too much shit to get done to debug this stuff.
https://smokeping.cobryce.com/?target=ARP shows some nasty IPv6 latency and spikes since 5pm
(inside ARP)
And it's really fucking with my SSH session.
I feel so dirty, connected to my VPS over IPv4
but hopefully it's smoother
(Hm an mtr I've left running for awhile from my VPS to an ipv6 host shows 3% packet loss starting at the second hop 2001:504:13::1a, that would be the first hop beyond ARP.
Aw I had 30 days connected to this Freenode server too, lost due to the network issues I was seeing.
[21:08]
<milki> aha [21:15]
<up_the_irons> 2001:504:13::1a is an Any2 IX peer [21:15]
<brycec> At this very second, it's dropping packets for me
Just started flowing
dropping
flowing
(that was 45 seconds dropping)
dropping
flowing after 36 seconds
dropping
[21:16]
<m0unds_> brycec: mine was working via v4
v6 was terribad for a long while
[21:20]
<brycec> flowing
(I also dropped 2 packets to ARP's router :O)
[21:20]
<m0unds_> that's what it was doing for me too - it was bad when my v6 route was via he [21:21]
<brycec> (that was another 42 seconds of dropped packets) [21:21]
<m0unds_> but it seemed to change the last time i tracerouted and it was using ntt instead [21:21]
<brycec> dropping...
Wow
[21:21]
<m0unds_> the coresite he lg was hosed - 900ms to itself, 900ms to arp, 900ms to other stuff [21:21]
<brycec> This is... [21:21]
<BryceBot> That's what she said!! [21:21]
<brycec> flowing [21:22]
<m0unds_> hahaha [21:22]
<brycec> 52 seconds, and again 2 dropped @ ARP
dropping...
flowing, 52 seconds again
this is cray cray
looks like it drops every 90 seconds or so for about 52 seconds
[21:22]
(I should point out that HE is involved in all directions and destinations to which I have access - I can't mtr from a non-HE address besides ARP)
Well it's not the cleanest way to share two mtr's but it works :P Issue is that he.net->ntt.net handoff it looks like https://dl.dropboxusercontent.com/u/3167967/screenshot_2015-09-02_21-35-05.png
Dear up_the_irons please to be fixing upstream's issue, kthx
[21:35]
........... (idle for 53mn)
<mercutio> brycec: there were issues with just ntt in both directions too
and there were issues with vocus/any2ix
[22:31]
brycec: did it come right? [22:36]
<brycec> Still craptastic
Dropped up to a few seconds even
*a few seconds ago
And there it goes dropping again
flowing again
(but it's not worth flooding the channel, and I have better things to do.)
[22:44]
.... (idle for 18mn)
<mercutio> got an ip address can trace to to reproduce? [23:04]
<brycec> 2607:f2f8:a650::3 [23:05]
<mercutio> from arp i mean :) [23:05]
<brycec> 2001:470:4:2a5::feed:dead [23:05]
<mercutio> cool
that coresite hop having high pings suggests the router is under heavy cpu load
[23:05]
<brycec> I'm happy to say in the last 60 seconds, I've only dropped 1 packet in mtr.
Agreed.
(I figure it will sort itself out soon enough)
aka "eventually"
[23:06]
<mercutio> yeah i was thinking that a couple of hours ago
even across any2ix direct it does that
[23:07]
<brycec> knock on wood but it's looking more stable right now. [23:07]
<mercutio> i'm seeing around 0.7% loss [23:13]
<brycec> 11/500 packets dropped [23:14]
<mercutio> that's like 2% loss
i have 3 out of 519 dropped
[23:14]
<brycec> (% without context can be a bit hard to grasp. 50% of 2 packets vs 500 can indicate very different things :P) [23:18]
<mercutio> yeah
can be different if they're all dropped in a row etc too
[23:20]
<m0unds> sounds better [23:27]
<kellytk> Running Unbound, is there a reason why a fresh start up is often met with a random number of failures (0-~5) to resolve update.freebsd.org, but not google.com? I suspect the former being signed and the latter not has something to do with it [23:35]
*** hive-mind has quit IRC (Ping timeout: 246 seconds) [23:40]
