Re: To CCIEs and JNCIEs
> Please relay to your CCIE/JNCIE friends, I am giving out name@theccie.com and n...@jncie.com email accounts, anyone interested can contact me.

but who would want to deal with such slime?
2013.10.09 NANOG59 notes posted
Sorry, ARIN's been keeping me busy since the NANOG wrap-up, but finally took some time after the social tonight to finish posting all the rest of my notes, minus the IP Reputation notes, to http://nanog.cluepon.net/index.php/NANOG59 Another awesome NANOG, one of the best ones in a while; thanks again to everyone who helped make it a kick-ass conference! Matt
Baghdad internet access
Access to Baghdad (Iraq) via internet is not possible. Anyone seeing the same thing? Regards -Ray L.
Re: To CCIEs and JNCIEs
Seriously... Those cert monkeys think they know everything ;)

Stefan Fouant JNCIE-SEC, JNCIE-SP, JNCIE-ENT, JNCI m (703) 625-6243

On Oct 11, 2013, at 3:28 AM, Randy Bush ra...@psg.com wrote:
>> Please relay to your CCIE/JNCIE friends, I am giving out name@theccie.com and n...@jncie.com email accounts, anyone interested can contact me.
> but who would want to deal with such slime?
Re: Contact for free-mobile.fr
Hi,

They did, unfortunately I've been having one busy week. I should get around to pinging the person who replied to me today, and thank you if that person reads this email and to you as well. It's much appreciated.

Thanks,

On Fri, Oct 11, 2013 at 1:11 PM, Paul Rolland r...@witbe.net wrote:
> Hello Guillaume,
>
> Did you try to ping someone on FrNog ? People from Free are generally not showing up a lot, but considering what you describe, they'd most probably at least contact you privately...
>
> Paul
>
> On Thu, 10 Oct 2013 14:46:25 -0400 Guillaume Parent gpar...@gparent.org wrote:
>> Hi,
>>
>> I am getting unsolicited mail from what appears to be the mobile division of Free. postmaster is sleeping at his post even after a few different attempts. I normally wouldn't make a big deal of this except I am receiving potentially sensitive information of other customers straight into my inbox. If anyone could put me in touch with anything resembling a human being at Free, it'd be great. I can speak french so that's not an issue.
>>
>> Thanks, -gp
>
> --
> TelcoTV Awards 2011 - Witbe winner in Innovation in Test Measurement
> Paul Rolland, E-Mail : rol(at)witbe.net
> CTO - Witbe.net SA, Tel. +33 (0)1 47 67 77 77
> Les Collines de l'Arche, Fax. +33 (0)1 47 67 77 99
> F-92057 Paris La Defense, RIPE : PR12-RIPE
> LinkedIn : http://www.linkedin.com/in/paulrolland Skype: rollandpaul
>
> I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say 'Daddy, where were you when they took freedom of the press away from the Internet?' --Mike Godwin, Electronic Frontier Foundation
Policy-based routing is evil? Discuss.
I'm having a discussion with a small network in a part of the world where bandwidth is scarce and multiple DSL lines are often used for upstream links. The topic is policy-based routing, which is being described as load balancing where end-user traffic is assigned to a line according to source address.

In my opinion the main problems with this are:

- It's brittle, when a line fails, traffic doesn't re-route
- None of the usual debugging tools work properly
- Adding a new user is complicated because it has to be done in (at least) two places

But I'm having a distinct lack of success locating rants and diatribes or even well-reasoned articles supporting this opinion. Am I out to lunch?

-w
--
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: Policy-based routing is evil? Discuss.
On Oct 11, 2013, at 1:27 PM, William Waites wwai...@tardis.ed.ac.uk wrote:
> I'm having a discussion with a small network in a part of the world where bandwidth is scarce and multiple DSL lines are often used for upstream links. The topic is policy-based routing, which is being described as load balancing where end-user traffic is assigned to a line according to source address. In my opinion the main problems with this are:
> - It's brittle, when a line fails, traffic doesn't re-route
> - None of the usual debugging tools work properly

I think this all depends on how it's configured, and if you can monitor/detect failures. I've seen folks do things like this with a Linux box with multiple routing tables. If you have something validate the link is working, you can easily have it fail over. This is all depending on the admin to do it right.

> - Adding a new user is complicated because it has to be done in (at least) two places

This all depends on the tool set in use/available.

> But I'm having a distinct lack of success locating rants and diatribes or even well-reasoned articles supporting this opinion. Am I out to lunch?

No, but most people I've seen either
a) set it up, it works (or seems to) and cross their fingers and move to the next fire
b) try to over-engineer the crap out of it so it's got what they feel is 100% availability but isn't sustainable or maintainable by someone other than themselves.

The simple answer is: rfc1925 7.a 8 apply

- Jared
Re: Policy-based routing is evil? Discuss.
On Oct 12, 2013, at 12:27 AM, William Waites wwai...@tardis.ed.ac.uk wrote:
> But I'm having a distinct lack of success locating rants and diatribes or even well-reasoned articles supporting this opinion.

Possibly because it's so commonly known that PBR is generally a Very Bad Idea for the reasons you cite, and more, that nobody has felt the need to re-state the obvious? ;

> Am I out to lunch?

Not with regards to PBR, at least, IMHO. ; It's to be avoided if at all possible.

--- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Luck is the residue of opportunity and design. -- John Milton
Re: Policy-based routing is evil? Discuss.
On Oct 11, 2013, at 10:27 AM, William Waites wwai...@tardis.ed.ac.uk wrote:
> I'm having a discussion with a small network in a part of the world where bandwidth is scarce and multiple DSL lines are often used for upstream links. The topic is policy-based routing, which is being described as load balancing where end-user traffic is assigned to a line according to source address. In my opinion the main problems with this are:
> - It's brittle, when a line fails, traffic doesn't re-route

it's brittle

> - None of the usual debugging tools work properly
> - Adding a new user is complicated because it has to be done in (at least) two places

you take all the useful information that an IGP could be (or is) providing you, and then you ignore it and do something else.

> But I'm having a distinct lack of success locating rants and diatribes or even well-reasoned articles supporting this opinion. Am I out to lunch?

evil is not a synonym for ugly patch placed over a problem that could be handled better. If it's being used as an alternative to VRF, it isn't.

> -w
> --
> The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: Policy-based routing is evil? Discuss.
On 11/10/2013 19:41, joel jaeggli wrote:
> On Oct 11, 2013, at 10:27 AM, William Waites wwai...@tardis.ed.ac.uk wrote:
>> I'm having a discussion with a small network in a part of the world where bandwidth is scarce and multiple DSL lines are often used for upstream links. The topic is policy-based routing, which is being described as load balancing where end-user traffic is assigned to a line according to source address. In my opinion the main problems with this are:
>> - It's brittle, when a line fails, traffic doesn't re-route
>
> it's brittle
>
>> - None of the usual debugging tools work properly
>> - Adding a new user is complicated because it has to be done in (at least) two places
>
> you take all the useful information that an IGP could be (or is) providing you, and then you ignore it and do something else.

I like that phrase. ;-)

mh

>> But I'm having a distinct lack of success locating rants and diatribes or even well-reasoned articles supporting this opinion. Am I out to lunch?
>
> evil is not a synonym for ugly patch placed over a problem that could be handled better. If it's being used as an alternative to VRF, it isn't.
>
>> -w
>> --
>> The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: Policy-based routing is evil? Discuss.
On Fri, 11 Oct 2013 18:27:00 +0100 (BST) William Waites wwai...@tardis.ed.ac.uk wrote: I'm having a discussion with a small network in a part of the world where bandwidth is scarce and multiple DSL lines are often used for upstream links. The topic is policy-based routing, which is being described as load balancing where end-user traffic is assigned to a line according to source address. BGP is nothing if not policy-based routing, but I think I see your concern with an approach that essentially statically locks in a particular set of paths to links. Not knowing what if any routing is configured between the end points, perhaps just point out there are alternative means to achieve load balancing. Perhaps using LOCAL_PREF for some set of ASNs over one path or the other, or alternatively doing some sort of flow-based load balancing might be sufficient. John
Re: Policy-based routing is evil? Discuss.
On Fri, 11 Oct 2013 10:41:46 -0700, joel jaeggli joe...@bogus.com said:
> you take all the useful information that an IGP could be (or is) providing you, and then you ignore it and do something else.

Yes, that's another part of the conversation, encouraging the use of an IGP, which has been a source of trouble for them because of broken wireless bridges from a very commonly used vendor that randomly eat multicast packets, so it's not as straightforward as it should be.

> evil is not a synonym for ugly patch placed over a problem that could be handled better.

Ok, fair enough. My first experience with PBR was as a summer intern in the mid-1990s who inherited management of a large ATM network that had a big VPN-esque thing built entirely that way and with no documentation. It certainly felt evil at the time. ;)

-w
--
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: Policy-based routing is evil? Discuss.
On Fri, 11 Oct 2013, Jared Mauch wrote: I think this all depends on how it's configured, and if you can monitor/detect failures. I've seen folks do things like this with a Linux box with multiple routing tables. If you have something validate the link is working, you can easily have it fail over. This is all depending on the admin to do it right. I've done exactly this with Linux routers doing SNAT and multiple upstream connections (ip route and ip rule are the commands used to setup the multiple tables and rules to determine routing policy). Depending on the level of segregation needed, adding a new user can be as simple as plugging them into the appropriate network. Is it ideal? No. But when $ is the deciding factor between a real router with real upstream connections supporting BGP and a Linux router with DSL and cable and no routing protocol, policy routing with some intelligence to fail-over if a link fails (and go back when it recovers) can work acceptably. -- Jon Lewis, MCP :) | I route | therefore you are _ http://www.lewis.org/~jlewis/pgp for PGP public key_
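The multiple-table setup with failover and fail-back that this message describes, as an added example (not code from the poster or anyone else in the thread). Interface names, gateway addresses, table numbers and source prefixes are constructed; `plan` only prints the `ip rule` / `ip route` commands, and nothing is changed unless the script is run with `--apply` as root.

```shell
#!/bin/sh
# Source-based policy routing over two uplinks with health-checked failover.
# Constructed sample config, one uplink per line:
#   name  device  gateway  routing-table  source-prefix
UPLINKS='dsl1 ppp0 198.51.100.1 101 10.0.1.0/24
dsl2 ppp1 203.0.113.1 102 10.0.2.0/24'

# Health probe: ping the uplink's gateway out of its own device.
# Replace with a probe of a far-end target if the gateway answers
# even when the line behind it is dead.
link_up() {  # $1=device $2=gateway
    ping -c 2 -W 2 -I "$1" "$2" >/dev/null 2>&1 </dev/null
}

# Print the ip(8) commands that bring routing in line with link health.
# - A healthy uplink gets a default route in its own table and a rule
#   steering its source prefix there.
# - A failed uplink loses its rule, so its users fall through to the
#   main table, whose default points at the first healthy uplink.
# Re-running after recovery re-adds the rule (fail-back).
plan() {
    main_set=no
    while read -r name dev gw table src; do
        [ -n "$name" ] || continue
        prio=$((1000 + table))
        # Delete first so repeated runs never stack duplicate rules.
        echo "ip rule del from $src lookup $table priority $prio"
        if link_up "$dev" "$gw"; then
            echo "ip route replace default via $gw dev $dev table $table"
            echo "ip rule add from $src lookup $table priority $prio"
            if [ "$main_set" = no ]; then
                echo "ip route replace default via $gw dev $dev"
                main_set=yes
            fi
        fi
    done <<EOF
$UPLINKS
EOF
}

# Run the planned commands. A failed "rule del" only means the rule was
# already absent; any other failure is reported.
apply() {
    plan | while read -r cmd; do
        case $cmd in
            "ip rule del"*) $cmd 2>/dev/null || true ;;
            *) $cmd || echo "failed: $cmd" >&2 ;;
        esac
    done
}

# Typical use: run "--apply" from cron or a timer every minute.
if [ "${1:-}" = "--apply" ]; then
    apply
elif [ "${1:-}" = "--plan" ]; then
    plan
fi
```

Adding a user still touches only the address plan: a host placed in `10.0.1.0/24` follows `dsl1` while it is healthy and the main default otherwise.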
Re: Policy-based routing is evil? Discuss.
Most if not all IGPs can be configured to work without multicast. Now if you're talking IPv6 you may have some issues...

On 10/11/13 2:13 PM, William Waites wwai...@tardis.ed.ac.uk wrote:
> On Fri, 11 Oct 2013 10:41:46 -0700, joel jaeggli joe...@bogus.com said:
>> you take all the useful information that an IGP could be (or is) providing you, and then you ignore it and do something else.
>
> Yes, that's another part of the conversation, encouraging the use of an IGP, which has been a source of trouble for them because of broken wireless bridges from a very commonly used vendor that randomly eat multicast packets, so it's not as straightforward as it should be.
>
>> evil is not a synonym for ugly patch placed over a problem that could be handled better.
>
> Ok, fair enough. My first experience with PBR was as a summer intern in the mid-1990s who inherited management of a large ATM network that had a big VPN-esque thing built entirely that way and with no documentation. It certainly felt evil at the time. ;)
>
> -w
> --
> The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: Policy-based routing is evil? Discuss.
- Original Message - From: joel jaeggli joe...@bogus.com you take all the useful information that an IGP could be (or is) providing you, and then you ignore it and do something else. Well, I tell you what. My perception of where this was a good idea is the use case a recent client might have for it: Two consumer-grade uplinks (FiOS 150 and RR 100, specifically); primary application is callcenter, VoIP to a service provider Elsewhere. I would set it up so that all the VoIP and callcenter web traffic went over FiOS *until it failed*, and everything else went Road Runner *unless it failed*. This keeps the general traffic out of the hair of the latency/PPS sensitive traffic whenever possible. Is that not policy-based routing? Why is it bad? Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
Re: Policy-based routing is evil? Discuss.
On Fri, Oct 11, 2013 at 2:13 PM, William Waites wwai...@tardis.ed.ac.uk wrote: On Fri, 11 Oct 2013 10:41:46 -0700, joel jaeggli joe...@bogus.com said: evil is not a synonym for ugly patch placed over a problem that could be handled better. Ok, fair enough. My first experience with PBR was as a summer intern in the mid-1990s who inherited management of a large ATM network that had a big VPN-esque thing built entirely that way and with no documentation. It certainly felt evil at the time. ;) I think really PBR violates this: http://en.wikipedia.org/wiki/Principle_of_least_astonishment I see ISP folks MOSTLY avoid PBR, because it does weird things that NOC/ops folks just plain don't expect. I see Enterprise network folks fall back to PBR often, for reasons that they seem happy with... but man it makes things confusing :) -chris
Weekly Routing Table Report
This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG, TRNOG, CaribNOG and the RIPE Routing Working Group. Daily listings are sent to bgp-st...@lists.apnic.net For historical data, please see http://thyme.rand.apnic.net. If you have any comments please contact Philip Smith pfsi...@gmail.com.

Routing Table Report 04:00 +10GMT Sat 12 Oct, 2013

Report Website: http://thyme.rand.apnic.net
Detailed Analysis: http://thyme.rand.apnic.net/current/

Analysis Summary

BGP routing table entries examined: 469227
Prefixes after maximum aggregation: 189103
Deaggregation factor: 2.48
Unique aggregates announced to Internet: 232899
Total ASes present in the Internet Routing Table: 45163
Prefixes per ASN: 10.39
Origin-only ASes present in the Internet Routing Table: 35242
Origin ASes announcing only one prefix: 16260
Transit ASes present in the Internet Routing Table: 5915
Transit-only ASes present in the Internet Routing Table: 160
Average AS path length visible in the Internet Routing Table: 4.6
Max AS path length visible: 35
Max AS path prepend of ASN (59482): 25
Prefixes from unregistered ASNs in the Routing Table: 303
Unregistered ASNs in the Routing Table: 171
Number of 32-bit ASNs allocated by the RIRs: 5177
Number of 32-bit ASNs visible in the Routing Table: 4006
Prefixes from 32-bit ASNs in the Routing Table: 12413
Special use prefixes present in the Routing Table: 1
Prefixes being announced from unallocated address space: 714
Number of addresses announced to Internet: 2648115732
Equivalent to 157 /8s, 215 /16s and 10 /24s
Percentage of available address space announced: 71.5
Percentage of allocated address space announced: 71.5
Percentage of available address space allocated: 100.0
Percentage of address space in use by end-sites: 95.1
Total number of prefixes smaller than registry allocations: 164200

APNIC Region Analysis Summary

Prefixes being announced by APNIC Region ASes: 111390
Total APNIC prefixes after maximum aggregation: 33839
APNIC Deaggregation factor: 3.29
Prefixes being announced from the APNIC address blocks: 113461
Unique aggregates announced from the APNIC address blocks: 46844
APNIC Region origin ASes present in the Internet Routing Table: 4875
APNIC Prefixes per ASN: 23.27
APNIC Region origin ASes announcing only one prefix: 1222
APNIC Region transit ASes present in the Internet Routing Table: 830
Average APNIC Region AS path length visible: 4.6
Max APNIC Region AS path length visible: 28
Number of APNIC region 32-bit ASNs visible in the Routing Table: 710
Number of APNIC addresses announced to Internet: 728465152
Equivalent to 43 /8s, 107 /16s and 127 /24s
Percentage of available APNIC address space announced: 85.1

APNIC AS Blocks: 4608-4864, 7467-7722, 9216-10239, 17408-18431 (pre-ERX allocations) 23552-24575, 37888-38911, 45056-46079, 55296-56319, 58368-59391, 63488-63999, 131072-133631
APNIC Address Blocks: 1/8, 14/8, 27/8, 36/8, 39/8, 42/8, 43/8, 49/8, 58/8, 59/8, 60/8, 61/8, 101/8, 103/8, 106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8, 163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8,

ARIN Region Analysis Summary

Prefixes being announced by ARIN Region ASes: 163008
Total ARIN prefixes after maximum aggregation: 81421
ARIN Deaggregation factor: 2.00
Prefixes being announced from the ARIN address blocks: 163510
Unique aggregates announced from the ARIN address blocks: 76000
ARIN Region origin ASes present in the Internet Routing Table: 15898
ARIN Prefixes per ASN: 10.28
ARIN
Re: Policy-based routing is evil? Discuss.
I think they are referring to something like Cisco PBR, where you configure routing policy statically on each hop. Yes, it can be configured to fail over, etc, but inherently it is a management nightmare if you are configuring PBR on each device in your network. May as well move back to static routing on everything...

Used sparingly, I'd agree that it does have its uses. One use I can think of is to use PBR to direct traffic for testing a new circuit or path while not cutting everything over. That is, until it is sufficiently tested, and then everything would be cut over and the PBR removed...

On 10/11/13 2:33 PM, Jay Ashworth j...@baylink.com wrote:
> - Original Message -
> From: joel jaeggli joe...@bogus.com
>> you take all the useful information that an IGP could be (or is) providing you, and then you ignore it and do something else.
>
> Well, I tell you what. My perception of where this was a good idea is the use case a recent client might have for it: Two consumer-grade uplinks (FiOS 150 and RR 100, specifically); primary application is callcenter, VoIP to a service provider Elsewhere. I would set it up so that all the VoIP and callcenter web traffic went over FiOS *until it failed*, and everything else went Road Runner *unless it failed*. This keeps the general traffic out of the hair of the latency/PPS sensitive traffic whenever possible. Is that not policy-based routing? Why is it bad?
>
> Cheers, -- jra
> --
> Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://baylink.pitas.com 2000 Land Rover DII St Petersburg FL USA #natog +1 727 647 1274
RE: NANOG Digest, Vol 69, Issue 28
What is SDN at its essence ? Message: 9 Date: Fri, 11 Oct 2013 19:13:57 +0100 (BST) From: William Waites wwai...@tardis.ed.ac.uk To: joe...@bogus.com Cc: nanog@nanog.org Subject: Re: Policy-based routing is evil? Discuss. Message-ID: 20131011.191357.239591912.wwai...@tardis.ed.ac.uk Content-Type: text/plain; charset=us-ascii On Fri, 11 Oct 2013 10:41:46 -0700, joel jaeggli joe...@bogus.com said: you take all the useful information that an IGP could be (or is) providing you, and then you ignore it and do something else. Yes, that's another part of the conversation, encouraging the use of an IGP, which has been a source of trouble for them because of broken wireless bridges from a very commonly used vendor that randomly eat multicast packets, so it's not as straightforward as it should be. evil is not a synonym for ugly patch placed over a problem that could be handled better. Ok, fair enough. My first experience with PBR was as a summer intern in the mid-1990s who inherited management of a large ATM network that had a big VPN-esque thing built entirely that way and with no documentation. It certainly felt evil at the time. ;) -w -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: NANOG Digest, Vol 69, Issue 28
Centralized management / control plane. Kind of the reverse of widely dispersed per-node policy based routing. On 10/11/13 2:47 PM, Vytautas V Grigaliunas v...@fnal.gov wrote: What is SDN at its essence ? Message: 9 Date: Fri, 11 Oct 2013 19:13:57 +0100 (BST) From: William Waites wwai...@tardis.ed.ac.uk To: joe...@bogus.com Cc: nanog@nanog.org Subject: Re: Policy-based routing is evil? Discuss. Message-ID: 20131011.191357.239591912.wwai...@tardis.ed.ac.uk Content-Type: text/plain; charset=us-ascii On Fri, 11 Oct 2013 10:41:46 -0700, joel jaeggli joe...@bogus.com said: you take all the useful information that an IGP could be (or is) providing you, and then you ignore it and do something else. Yes, that's another part of the conversation, encouraging the use of an IGP, which has been a source of trouble for them because of broken wireless bridges from a very commonly used vendor that randomly eat multicast packets, so it's not as straightforward as it should be. evil is not a synonym for ugly patch placed over a problem that could be handled better. Ok, fair enough. My first experience with PBR was as a summer intern in the mid-1990s who inherited management of a large ATM network that had a big VPN-esque thing built entirely that way and with no documentation. It certainly felt evil at the time. ;) -w -- The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: To CCIEs and JNCIEs
On Fri, Oct 11, 2013 at 12:28 AM, Randy Bush ra...@psg.com wrote: but who would want to deal with such slime? I dunno, it looks pretty legit to me!! Domain Name.. theccie.com Creation Date 2013-09-28 Registration Date 2013-09-28 Expiry Date.. 2014-09-28 Organisation Name the ccie Organisation Address. later Organisation Address. Organisation Address. Organisation Address. singapore Organisation Address. 100850 Organisation Address. singapore Organisation Address. SINGAPORE Scott
Re: To CCIEs and JNCIEs
Hey,

No offense but this could potentially look like a phishing expedition to some people. I'm saying this regardless of whether you are legit or not, I did not do much research and am only giving you my honest impression.

Just saying, anyone could purchase a domain name and say they want to provide email as a gift, then scan through that email all day. Perhaps you're not trying to target people with certifications who may receive corporate email while they are in a high level position in official capacity, for everyone's sake.

But really, I don't have a CCIE ;) If you ever purchase CCNAAndStillGotAGreatJob.com, let me know. Make my username ThrewAwayMyMoneyOnly.

On Fri, Oct 11, 2013 at 4:03 PM, Guillaume Parent gpar...@gparent.org wrote:
> Hey,
>
> No offense but this could potentially look like a phishing expedition to some people. I'm saying this regardless of whether you are legit or not, I did not do much research and am only giving you my honest impression.
>
> Just saying, anyone could purchase a domain name and say they want to provide email as a gift, then scan through that email all day. Perhaps you're not trying to target people with certifications who may receive corporate email while they are in a high level position in official capacity, for everyone's sake.
>
> But really, I don't have a CCIE ;) If you ever purchase CCNAAndStillGotAGreatJob.com, let me know. Make my username ThrewAwayMyMoneyOnly.
>
> -Guillaume
>
> On Fri, Oct 11, 2013 at 3:45 PM, Scott Howard sc...@doc.net.au wrote:
>> On Fri, Oct 11, 2013 at 12:28 AM, Randy Bush ra...@psg.com wrote:
>>> but who would want to deal with such slime?
>>
>> I dunno, it looks pretty legit to me!!
>>
>> Domain Name.. theccie.com Creation Date 2013-09-28 Registration Date 2013-09-28 Expiry Date.. 2014-09-28 Organisation Name the ccie Organisation Address. later Organisation Address. Organisation Address. Organisation Address. singapore Organisation Address. 100850 Organisation Address. singapore Organisation Address. SINGAPORE
>>
>> Scott
Re: Policy-based routing is evil? Discuss.
On Oct 11, 2013, at 12:27 PM, William Waites wwai...@tardis.ed.ac.uk wrote:
> I'm having a discussion with a small network in a part of the world where bandwidth is scarce and multiple DSL lines are often used for upstream links. The topic is policy-based routing, which is being described as load balancing where end-user traffic is assigned to a line according to source address.

Doing this with actual routing, in a way that doesn't become fragile is hard. It is not impossible as Jared points out, but is non-trivial.

However there is a variant which is much less brittle, but is more annoying to configure with most tools. The idea is that the gateway box is a NAT, with an outbound IP on each of the two uplinks. The box can then make intelligent decisions about which provider to use based on layer 8+9 information.

I've seen this done multiple times where for instance there is high bandwidth satellite, and low bandwidth terrestrial services. Latency sensitive traffic (dns, ssh, etc) are sent over the low bandwidth terrestrial, while bulk downloads go over satellite. It's quite robust and useful in these situations.

Making open source boxes do this is possible, but quite annoying in my experience. I don't think it's possible to make a Cisco or Juniper do this sort of thing in any reasonable way. A number of manufacturers have developed custom solutions around this idea.

--
Leo Bicknell - bickn...@ufp.org - CCIE 3440 PGP keys at http://www.ufp.org/~bicknell/
Re: To CCIEs and JNCIEs
On Fri, 2013-10-11 at 12:45 -0700, Scott Howard wrote: I dunno, it looks pretty legit to me!! Domain Name.. theccie.com Creation Date 2013-09-28 Registration Date 2013-09-28 Expiry Date.. 2014-09-28 Organisation Name the ccie Organisation Address. later Organisation Address. Organisation Address. Organisation Address. singapore Organisation Address. 100850 Organisation Address. singapore Organisation Address. SINGAPORE With a business address of later and no other traceable info I would be wary. Like in Scarface, perhaps I am just paranoid. My paranoia has worked for me though. Richard
Re: Policy-based routing is evil? Discuss.
Hi all,

We use Linux for our edge routers which have multiple interfaces to different BGP peers. Policy based routing allows us to ensure that traffic originating from a particular external IP address on the router, goes out the matching network. We have also used it on client systems to force particular protocols out particular providers.

It's not that easy to do on Linux, as you need to make sure you have all the proper link routes in place and positioned properly in the rule chain, or you can really break things.

Stu

On 10/11/2013 11:35 AM, Christopher Morrow wrote:
> On Fri, Oct 11, 2013 at 2:13 PM, William Waites wwai...@tardis.ed.ac.uk wrote:
>> On Fri, 11 Oct 2013 10:41:46 -0700, joel jaeggli joe...@bogus.com said:
>>> evil is not a synonym for ugly patch placed over a problem that could be handled better.
>>
>> Ok, fair enough. My first experience with PBR was as a summer intern in the mid-1990s who inherited management of a large ATM network that had a big VPN-esque thing built entirely that way and with no documentation. It certainly felt evil at the time. ;)
>
> I think really PBR violates this: http://en.wikipedia.org/wiki/Principle_of_least_astonishment
>
> I see ISP folks MOSTLY avoid PBR, because it does weird things that NOC/ops folks just plain don't expect. I see Enterprise network folks fall back to PBR often, for reasons that they seem happy with... but man it makes things confusing :)
>
> -chris

--
Sometimes I lie awake at night and I ask, Is life a multiple choice test or is it a true or false test? ...Then a voice comes to me out of the dark and says, We hate to tell you this but life is a thousand word essay. -- Charles M. Schulz
The Cidr Report
This report has been generated at Fri Oct 11 21:15:04 2013 AEST.
The report analyses the BGP Routing Table of AS2.0 router
and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
    Date       Prefixes   CIDR Agg
    04-10-13   479970     272927
    05-10-13   480730     273310
    06-10-13   480899     273239
    07-10-13   480964     272845
    08-10-13   480570     273225
    09-10-13   481248     273313
    10-10-13   481423     273608
    11-10-13   481980     273866

AS Summary
        45317  Number of ASes in routing system
        18603  Number of ASes announcing only one prefix
         4182  Largest number of prefixes announced by an AS
               AS7029 : WINDSTREAM - Windstream Communications Inc
    118190016  Largest address span announced by an AS (/32s)
               AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

--- 11Oct13 ---
ASnum     NetsNow  NetsAggr  NetGain  % Gain  Description
Table      481513    273799   207714   43.1%  All ASes
AS6389       3060        62     2998   98.0%  BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS17974      2713       106     2607   96.1%  TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
AS28573      3395       939     2456   72.3%  NET Serviços de Comunicação S.A.
AS7029       4182      1860     2322   55.5%  WINDSTREAM - Windstream Communications Inc
AS4766       2944       954     1990   67.6%  KIXS-AS-KR Korea Telecom
AS18566      2066       572     1494   72.3%  MEGAPATH5-US - MegaPath Corporation
AS36998      1864       375     1489   79.9%  SDN-MOBITEL
AS4323       2966      1548     1418   47.8%  TWTC - tw telecom holdings, inc.
AS7303       1724       466     1258   73.0%  Telecom Argentina S.A.
AS1785       2020       811     1209   59.9%  AS-PAETEC-NET - PaeTec Communications, Inc.
AS4755       1779       580     1199   67.4%  TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS10620      2602      1413     1189   45.7%  Telmex Colombia S.A.
AS7552       1193       140     1053   88.3%  VIETEL-AS-AP Vietel Corporation
AS22561      1241       216     1025   82.6%  DIGITAL-TELEPORT - Digital Teleport Inc.
AS18881      1462       481      981   67.1%  Global Village Telecom
AS22773      2172      1304      868   40.0%  ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS7545       2091      1238      853   40.8%  TPG-INTERNET-AP TPG Telecom Limited
AS35908       904        87      817   90.4%  VPLSNET - Krypt Technologies
AS18101       981       180      801   81.7%  RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS4808       1191       403      788   66.2%  CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS11830       866       118      748   86.4%  Instituto Costarricense de Electricidad y Telecom.
AS8402       1808      1073      735   40.7%  CORBINA-AS OJSC Vimpelcom
AS701        1518       794      724   47.7%  UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
AS24560      1091       375      716   65.6%  AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS6983       1294       585      709   54.8%  ITCDELTA - ITC^Deltacom
AS8151       1344       636      708   52.7%  Uninet S.A. de C.V.
AS13977       852       145      707   83.0%  CTELCO - FAIRPOINT COMMUNICATIONS, INC.
AS6147        801       108      693   86.5%  Telefonica del Peru S.A.A.
AS855         733        55      678   92.5%  CANET-ASN-4 - Bell Aliant Regional Communications, Inc.
AS7738
BGP Update Report
BGP Update Report
Interval: 03-Oct-13 -to- 10-Oct-13 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN       Upds   %     Upds/Pfx  AS-Name
 1 -  AS36998   62516  3.0%    48.1 -- SDN-MOBITEL
 2 -  AS9829    40360  1.9%    23.7 -- BSNL-NIB National Internet Backbone
 3 -  AS8402    37741  1.8%    52.3 -- CORBINA-AS OJSC Vimpelcom
 4 -  AS13118   23815  1.1%   506.7 -- ASN-YARTELECOM OJSC Rostelecom
 5 -  AS10620   22477  1.1%    12.3 -- Telmex Colombia S.A.
 6 -  AS38547   21735  1.0%    58.4 -- WITRIBE-AS-AP WITRIBE PAKISTAN LIMITED
 7 -  AS7552    20213  1.0%    16.9 -- VIETEL-AS-AP Vietel Corporation
 8 -  AS8163    18688  0.9%    48.2 -- METROTEL REDES S.A.
 9 -  AS23966   16397  0.8%    48.8 -- LDN-AS-PK LINKdotNET Telecom Limited
10 -  AS4775    16320  0.8%   206.6 -- GLOBE-TELECOM-AS Globe Telecoms
11 -  AS55714   14203  0.7%    55.1 -- APNIC-FIBERLINK-PK Fiberlink Pvt.Ltd
12 -  AS17974   14092  0.7%     6.5 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
13 -  AS28573   13804  0.7%     8.1 -- NET Serviços de Comunicação S.A.
14 -  AS3816    12763  0.6%    31.8 -- COLOMBIA TELECOMUNICACIONES S.A. ESP
15 -  AS11976   11800  0.6%  5900.0 -- FIDN - Fidelity Communication International Inc.
16 -  AS9583    11504  0.6%     9.4 -- SIFY-AS-IN Sify Limited
17 -  AS19886   11503  0.6%  1437.9 -- BOFABROKERDEALERSVCS - Bank of America
18 -  AS27831   10248  0.5%    57.3 -- Colombia Móvil
19 -  AS48612    9627  0.5%   687.6 -- RTC-ORENBURG-AS CJSC Comstar-Regions
20 -  AS20473    9556  0.5%   183.8 -- AS-CHOOPA - Choopa, LLC

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN       Upds   %     Upds/Pfx  AS-Name
 1 -  AS11976   11800  0.6%  5900.0 -- FIDN - Fidelity Communication International Inc.
 2 -  AS19406    4528  0.2%  4528.0 -- TWRS-MA - Towerstream I, Inc.
 3 -  AS6174     6865  0.3%  3432.5 -- SPRINTLINK8 - Sprint
 4 -  AS37367    3313  0.2%  3313.0 -- CALLKEY
 5 -  AS16608    4998  0.2%  2499.0 -- KENTEC - Kentec Communications, Inc.
 6 -  AS32528    7184  0.3%  2394.7 -- ABBOTT Abbot Labs
 7 -  AS32244    7042  0.3%  1760.5 -- LIQUID-WEB-INC - Liquid Web, Inc.
 8 -  AS61714 0.1% 25.0 -- HOSTING-SOLUTION - Hosting Solution Ltd.
 9 -  AS6629     9182  0.4%  1530.3 -- NOAA-AS - NOAA
10 -  AS19886   11503  0.6%  1437.9 -- BOFABROKERDEALERSVCS - Bank of America
11 -  AS22592    1117  0.1%  1117.0 -- HBP - HBP, Inc.
12 -  AS29052    1061  0.1%  1061.0 -- LYCOS-AS INFORM P. LYKOS A.E
13 -  AS22688    1001  0.1%  1001.0 -- DOLGENCORP - Dollar General Corporation
14 -  AS32445    1880  0.1%   940.0 -- XHOP - XHOP LLC
15 -  AS45808     766  0.0%   766.0 -- UTP-MY Bandar Seri Iskandar
16 -  AS23295     703  0.0%   703.0 -- EA-01 - Extend America
17 -  AS7202     8414  0.4%   701.2 -- FAMU - Florida A M University
18 -  AS48612    9627  0.5%   687.6 -- RTC-ORENBURG-AS CJSC Comstar-Regions
19 -  AS58761    1166  0.1%   583.0 -- RECHARGEITNOW-AS-IN Online Recharge Services Pvt Ltd
20 -  AS47089    1163  0.1%   581.5 -- ROUTEMORE - Route More Solutions, LLC

TOP 20 Unstable Prefixes
Rank  Prefix             Upds   %     Origin AS -- AS Name
 1 -  109.161.64.0/20    23323  1.1%  AS13118 -- ASN-YARTELECOM OJSC Rostelecom
 2 -  92.246.207.0/24     9539  0.4%  AS48612 -- RTC-ORENBURG-AS CJSC Comstar-Regions
 3 -  108.61.128.0/18     9177  0.4%  AS20473 -- AS-CHOOPA - Choopa, LLC
 4 -  192.58.232.0/24     9172  0.4%  AS6629 -- NOAA-AS - NOAA
 6 -  120.28.62.0/24      7982  0.4%  AS4775 -- GLOBE-TELECOM-AS Globe Telecoms
 7 -  67.210.190.0/23     6294  0.3%  AS11976 -- FIDN - Fidelity Communication International Inc.
 8 -  67.210.188.0/23     5506  0.2%  AS11976 -- FIDN - Fidelity Communication International Inc.
 9 -  202.141.62.0/24     4985  0.2%  AS2697 -- ERX-ERNET-AS Education and Research Network
10 -  202.154.17.0/24     4852  0.2%  AS4434 -- ERX-RADNET1-AS PT Rahajasa Media Internet
11 -  69.38.178.0/24      4528  0.2%  AS19406 -- TWRS-MA - Towerstream I, Inc.
12 -  2.93.235.0/24       4456  0.2%  AS8402 -- CORBINA-AS OJSC Vimpelcom
13 -  168.223.200.0/22    4231  0.2%  AS7202 -- FAMU - Florida A M University
14 -  62.84.76.0/24       4147  0.2%  AS42334 -- BBP-AS Broadband Plus s.a.l.
15 -  168.223.206.0/23    4146  0.2%  AS7202 -- FAMU - Florida A M University
16 -  115.170.128.0/17    4062  0.2%  AS4847 -- CNIX-AP China Networks Inter-Exchange
17 -  206.105.75.0/24     3435  0.1%  AS6174 -- SPRINTLINK8 - Sprint
18 -  208.16.110.0/24     3430  0.1%  AS6174 -- SPRINTLINK8 - Sprint
19 -  41.75.40.0/21       3313  0.1%  AS37367 -- CALLKEY
20 -
Re: Policy-based routing is evil? Discuss.
On Fri, Oct 11, 2013 at 12:27 PM, William Waites wwai...@tardis.ed.ac.uk wrote:

> In my opinion the main problems with this are:
> - It's brittle, when a line fails, traffic doesn't re-route

Yes, but this is no worse than if you just had one single DSL link. Manual failover is a perfectly valid solution for very small networks where a less-than-enterprise-grade solution such as DSL is suitable. I'd be more concerned about the question of /have you implemented a proper firewall solution/ ?

> - None of the usual debugging tools work properly
> - Adding a new user is complicated because it has to be done in (at least) two places

Not necessarily. You might pick a /20 rfc1918 network, and then assign a /24 of source addresses out of the subnet to each link. Then you won't need to adjust two places, every time a device is added; just IP it appropriately, or set the appropriate DHCP reservation, or Best: subnet the local network based on choice of outgoing WAN link, and select the client's VLAN based on desired WAN link... Another alternative to PBR is to have an extra router for each DSL link, providing a default gateway;

> But I'm having a distinct lack of success locating rants and diatribes or even well-reasoned articles supporting this opinion.

There are plenty of downsides to PBR in various scenarios, but the PBR functionality on these devices doesn't exist just at the whim of the device manufacturer --- operators look for the functionality. It is perfectly valid and very good to use PBR, as long as you understand any limitations and drawbacks that apply to your specific situation. The main drawback is ease-of-maintenance challenges.

> -w

--
-JH
RE: Policy-based routing is evil? Discuss.
I'm having a discussion with a small network in a part of the world where bandwidth is scarce and multiple DSL lines are often used for upstream links. The topic is policy-based routing, which is being described as load balancing where end-user traffic is assigned to a line according to source address.

In my opinion the main problems with this are:

- It's brittle, when a line fails, traffic doesn't re-route
- None of the usual debugging tools work properly
- Adding a new user is complicated because it has to be done in (at least) two places

But I'm having a distinct lack of success locating rants and diatribes or even well-reasoned articles supporting this opinion.

Am I out to lunch?

-w

--
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
Re: Policy-based routing is evil? Discuss.
Phil Bedard wrote:

I'm having a discussion with a small network in a part of the world where bandwidth is scarce and multiple DSL lines are often used for upstream links. The topic is policy-based routing, which is being described as load balancing where end-user traffic is assigned to a line according to source address.

In my opinion the main problems with this are:

- It's brittle, when a line fails, traffic doesn't re-route
- None of the usual debugging tools work properly
- Adding a new user is complicated because it has to be done in (at least) two places

But I'm having a distinct lack of success locating rants and diatribes or even well-reasoned articles supporting this opinion.

Am I out to lunch?

No, but what better solution do we have to offer them?

There are dynamic load distribution features and products (think Cisco PfR, for example), but those are routinely lambasted as well.

- -- = bep
Re: To CCIEs and JNCIEs
Hey, I'm a security guy, I'm paid to be paranoid, the only question is whether I'm paranoid enough .. I don't need another EMail addy

Gary Baribault
Courriel: g...@baribault.net
GPG Key: 0x685430d1
Fingerprint: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

On 10/11/2013 04:51 PM, Richard Golodner wrote:

> On Fri, 2013-10-11 at 12:45 -0700, Scott Howard wrote:
> I dunno, it looks pretty legit to me!!
>
> Domain Name.. theccie.com
> Creation Date 2013-09-28
> Registration Date 2013-09-28
> Expiry Date.. 2014-09-28
> Organisation Name the ccie
> Organisation Address. later
> Organisation Address.
> Organisation Address.
> Organisation Address. singapore
> Organisation Address. 100850
> Organisation Address. singapore
> Organisation Address. SINGAPORE
>
> With a business address of later and no other traceable info I would be wary. Like in Scarface, perhaps I am just paranoid. My paranoia has worked for me though.
> Richard
Re: To CCIEs and JNCIEs
I'd hope that an IE would get this email for a vanity address on some blog.. I would hope..

On 10/11/13 4:07 PM, Gary Baribault g...@baribault.net wrote:

> Hey, I'm a security guy, I'm paid to be paranoid, the only question is whether I'm paranoid enough .. I don't need another EMail addy
>
> Gary Baribault
> Courriel: g...@baribault.net
> GPG Key: 0x685430d1
> Fingerprint: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
> On 10/11/2013 04:51 PM, Richard Golodner wrote:
> On Fri, 2013-10-11 at 12:45 -0700, Scott Howard wrote:
> I dunno, it looks pretty legit to me!!
>
> Domain Name.. theccie.com
> Creation Date 2013-09-28
> Registration Date 2013-09-28
> Expiry Date.. 2014-09-28
> Organisation Name the ccie
> Organisation Address. later
> Organisation Address.
> Organisation Address.
> Organisation Address. singapore
> Organisation Address. 100850
> Organisation Address. singapore
> Organisation Address. SINGAPORE
>
> With a business address of later and no other traceable info I would be wary. Like in Scarface, perhaps I am just paranoid. My paranoia has worked for me though.
> Richard
Re: To CCIEs and JNCIEs
I think I'll look to one up him and register theccar.com

On Oct 11, 2013, at 18:09, Gary Baribault g...@baribault.net wrote:

> Hey, I'm a security guy, I'm paid to be paranoid, the only question is whether I'm paranoid enough .. I don't need another EMail addy
>
> Gary Baribault
> Courriel: g...@baribault.net
> GPG Key: 0x685430d1
> Fingerprint: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
> On 10/11/2013 04:51 PM, Richard Golodner wrote:
> On Fri, 2013-10-11 at 12:45 -0700, Scott Howard wrote:
> I dunno, it looks pretty legit to me!!
>
> Domain Name.. theccie.com
> Creation Date 2013-09-28
> Registration Date 2013-09-28
> Expiry Date.. 2014-09-28
> Organisation Name the ccie
> Organisation Address. later
> Organisation Address.
> Organisation Address.
> Organisation Address. singapore
> Organisation Address. 100850
> Organisation Address. singapore
> Organisation Address. SINGAPORE
>
> With a business address of later and no other traceable info I would be wary. Like in Scarface, perhaps I am just paranoid. My paranoia has worked for me though.
> Richard
Re: To CCIEs and JNCIEs
On 10/11/2013 7:07 PM, Gary Baribault wrote:

> Hey, I'm a security guy, I'm paid to be paranoid, the only question is whether I'm paranoid enough .. I don't need another EMail addy
>
> Gary Baribault
> Courriel: g...@baribault.net
> GPG Key: 0x685430d1
> Fingerprint: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1

While your email contains a reference to a GPG key your email was not signed with it. Are you the real Gary Baribault? :)
Re: To CCIEs and JNCIEs
Well in case you're wondering how much the domain costs me, it costs me 1.99 for 1 year :-)

On Sat, Oct 12, 2013 at 7:26 AM, ML m...@kenweb.org wrote:

> On 10/11/2013 7:07 PM, Gary Baribault wrote:
> Hey, I'm a security guy, I'm paid to be paranoid, the only question is whether I'm paranoid enough .. I don't need another EMail addy
>
> Gary Baribault
> Courriel: g...@baribault.net
> GPG Key: 0x685430d1
> Fingerprint: 9E4D 1B7C CB9F 9239 11D9 71C3 6C35 C6B7 6854 30D1
>
> While your email contains a reference to a GPG key your email was not signed with it. Are you the real Gary Baribault? :)
Re: NANOG 59 - Monday presentations on YouTube
Really appreciated this video! Tracking amplification on Comcast as we speak!

On Thu, Oct 10, 2013 at 12:59 AM, Mikael Abrahamsson swm...@swm.pp.se wrote:

> On Wed, 9 Oct 2013, Niels Bakker wrote:
> * d...@temk.in (David Temkin) [Tue 08 Oct 2013, 23:43 CEST]:
> We're proud to announce that all of the recorded presentations from Monday at NANOG 59 in Phoenix have now been posted to Youtube.
> This is really neat.
>
> I agree, it's great! My only nit with it is that the aspect ratio seems to be wrong.
>
> --
> Mikael Abrahamsson email: swm...@swm.pp.se

--
Phil Fagan
Denver, CO
970-480-7618
Re: Policy-based routing is evil? Discuss.
As others have pointed out, PBR ...

* Is a fragile configuration. You're typically forcing next-hop without a [direct] failover option,
* Often incurs a penalty (hardware cycles, conflicting feature sets, or outright punting to software),
* Doesn't naturally load-balance (you pick the source ranges you route where)

However, there are few alternatives in some cases...

* If you are using some provider-owned IP space you often must route to that provider,
* There may be policies restricting what traffic (sources) can transit a given provider

There are few alternatives for the latter cases, unless you split the border across VRFs and assign routing policy on the VRF, which is a global decision across the VRF, and avoids PBR.

We're doing a little of both, so I clearly don't take sides :)

Jeff
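
The source-range scheme suggested earlier in this thread (one /20 of RFC 1918 space, a /24 of sources per DSL line) and the "forced next-hop without failover" objection, modelled as an added Python example that is not code from any poster. The 10.20.0.0/20 range, the link names and the fallback function are assumptions for illustration; the fallback goes beyond the thread by showing what a health-aware selection would do instead.

```python
import ipaddress

# Constructed sample: one RFC 1918 /20, one /24 of sources per DSL line.
LAN = ipaddress.ip_network("10.20.0.0/20")
LINKS = ["dsl0", "dsl1", "dsl2"]  # hypothetical uplink names


def build_policy(lan, links):
    """Pin the first len(links) /24s of the LAN to the links, in order."""
    subnets = lan.subnets(new_prefix=24)
    return {next(subnets): link for link in links}


def static_pbr(policy, src):
    """Plain PBR: the source address alone picks the line, up or down."""
    addr = ipaddress.ip_address(src)
    for net, link in policy.items():
        if addr in net:
            return link
    return None  # source is outside every policy range


def pbr_with_failover(policy, src, link_up):
    """Same lookup, but move the source to a surviving line if its own is down."""
    pinned = static_pbr(policy, src)
    if pinned is None:
        return None
    if link_up.get(pinned, False):
        return pinned
    alive = sorted(l for l in set(policy.values()) if link_up.get(l, False))
    if not alive:
        return None  # every line is down
    # Deterministic spread of the orphaned sources over the remaining lines.
    return alive[int(ipaddress.ip_address(src)) % len(alive)]


if __name__ == "__main__":
    policy = build_policy(LAN, LINKS)
    state = {"dsl0": True, "dsl1": False, "dsl2": True}  # dsl1 has failed
    for src in ("10.20.0.10", "10.20.1.57", "10.20.2.200"):
        print(src, "static:", static_pbr(policy, src),
              "failover:", pbr_with_failover(policy, src, state))
```

With dsl1 marked down, the static lookup still hands 10.20.1.57 to dsl1, which is the black-holing behaviour the thread calls brittle.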