connectivity to bkbits.net?

connectivity to bkbits.net?

[Larry McVoy]

We've been having problems getting out to certain parts of the net for the
last few days, in particular, we can't get to sgi.com which is unusual.
If you are having problems getting to bkbits.net, let me know.  We have
a couple of machines at rackspace and I can push repos over there.

traceroute to sgi.com (128.167.58.40), 30 hops max, 38 byte packets
 1  bitmover (10.3.9.3)  0.535 ms  0.103 ms  0.100 ms
 2  cisco (192.132.92.1)  1.236 ms  1.175 ms  1.228 ms
 3  s9-1-1-6-0.ar2.SFO1.gblx.net (64.214.96.229)  3.080 ms  3.205 ms  2.982 ms
 4  64.215.195.189 (64.215.195.189)  3.052 ms  3.256 ms  3.114 ms
 5  64.211.147.86 (64.211.147.86)  4.592 ms  4.623 ms  4.468 ms
 6  so6-0-0-2488M.br2.PAO2.gblx.net (207.136.163.126)  4.586 ms  4.530 ms  4.701 ms
 7  p4-0.paix-bi1.bbnplanet.net (4.0.6.81)  4.627 ms  4.467 ms  4.427 ms
 8  p6-0.snjpca1-br1.bbnplanet.net (4.24.7.61)  5.179 ms  5.678 ms  5.215 ms
 9  p1-0.sjccolo-dbe1.bbnplanet.net (4.24.6.253)  5.431 ms  5.214 ms  5.235 ms
10  vlan40.sjccolo-isw03-rc1.bbnplanet.net (128.11.200.91)  5.326 ms  5.396 ms  5.464 ms
11  128.11.16.169 (128.11.16.169)  5.581 ms  5.470 ms  5.654 ms
12  *

Re: connectivity to bkbits.net?

[Kai Henningsen]

lm@bitmover.com (Larry McVoy)  wrote on 28.11.02 in <200211281625.gASGPo804227@work.bitmover.com>:

> We've been having problems getting out to certain parts of the net for the
> last few days, in particular, we can't get to sgi.com which is unusual.
> If you are having problems getting to bkbits.net, let me know.  We have
> a couple of machines at rackspace and I can push repos over there.
>
> traceroute to sgi.com (128.167.58.40), 30 hops max, 38 byte packets
>  1  bitmover (10.3.9.3)  0.535 ms  0.103 ms  0.100 ms
>  2  cisco (192.132.92.1)  1.236 ms  1.175 ms  1.228 ms
>  3  s9-1-1-6-0.ar2.SFO1.gblx.net (64.214.96.229)  3.080 ms  3.205 ms  2.982
> ms  4  64.215.195.189 (64.215.195.189)  3.052 ms  3.256 ms  3.114 ms
>  5  64.211.147.86 (64.211.147.86)  4.592 ms  4.623 ms  4.468 ms
>  6  so6-0-0-2488M.br2.PAO2.gblx.net (207.136.163.126)  4.586 ms  4.530 ms
> 4.701 ms  7  p4-0.paix-bi1.bbnplanet.net (4.0.6.81)  4.627 ms  4.467 ms
> 4.427 ms  8  p6-0.snjpca1-br1.bbnplanet.net (4.24.7.61)  5.179 ms  5.678 ms
> 5.215 ms  9  p1-0.sjccolo-dbe1.bbnplanet.net (4.24.6.253)  5.431 ms  5.214
> ms  5.235 ms 10  vlan40.sjccolo-isw03-rc1.bbnplanet.net (128.11.200.91)
> 5.326 ms  5.396 ms  5.464 ms 11  128.11.16.169 (128.11.16.169)  5.581 ms
> 5.470 ms  5.654 ms 12  *

>From two or three traceroutes, that problem seems to be at the SGI end. I  
can't get to them either (nothing after the same IP as for you, at hop  
#17, some place at Genuity), but you are practically next door.

MfG Kai

Re: connectivity to bkbits.net?

[Russell King]

On Thu, Nov 28, 2002 at 06:53:00PM +0200, Kai Henningsen wrote:
> >From two or three traceroutes, that problem seems to be at the SGI end. I  
> can't get to them either (nothing after the same IP as for you, at hop  
> #17, some place at Genuity), but you are practically next door.

Lesson #1 of firewalling: drop everything.
Lesson #2 of firewalling: only accept what you absolutely have to.

Try pointing a web browser at sgi.com port 80.  I _bet_ you get a
response.  The site is reachable, they just block UDP (and probably
a lot of other stuff.)

traceroute uses UDP, so if a site drops UDP (rather than blocking it)
it will appear as a black hole.

-- 
Russell King (rmk@arm.linux.org.uk)                The developer of ARM Linux
             http://www.arm.linux.org.uk/personal/aboutme.html

Re: connectivity to bkbits.net?

[Miquel van Smoorenburg]

In article <20021128211347.D27234@flint.arm.linux.org.uk>,
Russell King  <rmk@arm.linux.org.uk> wrote:
>On Thu, Nov 28, 2002 at 06:53:00PM +0200, Kai Henningsen wrote:
>> >From two or three traceroutes, that problem seems to be at the SGI end. I  
>> can't get to them either (nothing after the same IP as for you, at hop  
>> #17, some place at Genuity), but you are practically next door.
>
>Lesson #1 of firewalling: drop everything.
>Lesson #2 of firewalling: only accept what you absolutely have to.

Lesson#3 of firewalling: due to #1 and #2 most admins block
ICMP_UNREACH_NEEDFRAG as well (ICMP == ping == bad) breaking
path MTUd. http://alive.znep.com/~marcs/mtu/

Note that IPv6 has no fragmentation and pMTUd is mandatory.
Oh joy.

Mike.
-- 
They all laughed when I said I wanted to build a joke-telling machine.
Well, I showed them! Nobody's laughing *now*! -- acesteves@clix.pt

Re: connectivity to bkbits.net?

[Kai Henningsen]

miquels@cistron.nl (Miquel van Smoorenburg)  wrote on 28.11.02 in <as6aks$amj$1@ncc1701.cistron.net>:

> In article <20021128211347.D27234@flint.arm.linux.org.uk>,
> Russell King  <rmk@arm.linux.org.uk> wrote:
> >On Thu, Nov 28, 2002 at 06:53:00PM +0200, Kai Henningsen wrote:
> >> >From two or three traceroutes, that problem seems to be at the SGI end.
> >> >I
> >> can't get to them either (nothing after the same IP as for you, at hop
> >> #17, some place at Genuity), but you are practically next door.
> >
> >Lesson #1 of firewalling: drop everything.
> >Lesson #2 of firewalling: only accept what you absolutely have to.
>
> Lesson#3 of firewalling: due to #1 and #2 most admins block
> ICMP_UNREACH_NEEDFRAG as well (ICMP == ping == bad) breaking
> path MTUd. http://alive.znep.com/~marcs/mtu/

Lesson #4 of firewalling: a friendly firewall will (unless there are  
*specific* reasons to do otherwise) allow for ICMP_UNREACH_NEEDFRAG (and  
some similar things), ping, and traceroute. That's how I usually set them  
up. (ping == good)

MfG Kai