RE: RIR filtering & Level3
We're getting 231740 routes from Level(3) at this moment; hit me offline with some specific prefixes and I'd be happy to share what we see... ;)

Paul Stewart
Senior Network Administrator
Nexicom
5 King St. E., Millbrook, ON, L0A 1G0
Phone: 705-932-4127
Web: http://www.nexicom.net
Nexicom - Connected. Naturally.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Justin Shore
Sent: Wednesday, November 14, 2007 9:43 PM
To: nanog@merit.edu
Subject: RIR filtering & Level3
RIR filtering & Level3
Are any other L3 customers seeing the large number of /25 and smaller routes from L3? I'm seeing almost 2500 of these routes in 4/8, some but not as many in 8/8 and still more in L3's non-US allocations. Looking at the AS paths for a handful of those specific networks I only see them via our L3 connection and not via our other 2 upstreams. I'm seeing paths to the larger aggregate networks via our other upstreams of course; the Oregon and AT&T route servers see the same aggregates too.

To be more accurate we actually touch L3's acquisition from a year or so ago, Telcove (19094). All of the small routes are originating from L3 though (3356). Best I can tell L3 is aggregating before it advertises to a peer but not before it advertises to a customer. Or, on the other hand, perhaps L3 is advertising without aggregation to Telcove and Telcove is not aggregating before advertising to us.

So, that said, what is everyone else doing to perform sanity checks on their learned routes? Are a good many implementing RIR filtering and dropping everything smaller than a /24? L3 of course isn't the only source of these tiny routes but it's so obvious I saw it and wasn't even looking for it. This would explain why I'm getting so many more routes from L3 too. I'm getting 232k from AT&T, 233.5k from Cox and 244k from L3.

Thanks
Justin
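The sanity check the post asks about, written out as an added example rather than anything posted in the thread: it applies a per-family maximum prefix length (/24 for IPv4, the threshold Justin mentions) plus a martian list to each upstream's routes, and then does the comparison he did by hand, flagging more-specifics that only one upstream sends while every other upstream sends a covering aggregate. The route table below is constructed to mirror the symptom (a few /25 and /26 routes under 4/8 and 8/8 from one session only); the AS numbers on the AT&T and Cox paths and the customer AS 64500 are placeholders I chose, not anything stated in the post.

```python
"""Sanity checks on routes learned from transit.  Added example; the table is
constructed sample data, not a real dump, and the ATT/COX AS numbers are assumed."""
import ipaddress
from collections import defaultdict

# Longest prefix accepted from an upstream, per address family.
MAX_PREFIXLEN = {4: 24, 6: 48}

# Martians that should never arrive from an upstream (deliberately short list).
BOGONS = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample: upstream -> [(prefix, AS path)].  L3 (via Telcove 19094)
# leaks more-specifics of aggregates that all three upstreams carry.
SAMPLE_ROUTES = {
    "L3": [
        ("4.0.0.0/9", "19094 3356"),
        ("4.53.64.0/26", "19094 3356"),
        ("4.53.64.64/26", "19094 3356"),
        ("8.6.0.0/20", "19094 3356"),
        ("8.6.8.0/25", "19094 3356"),
        ("198.51.100.0/24", "19094 3356 64500"),
    ],
    "ATT": [("4.0.0.0/9", "7018 3356"), ("8.6.0.0/20", "7018 3356"),
            ("198.51.100.0/24", "7018 64500")],
    "COX": [("4.0.0.0/9", "22773 3356"), ("8.6.0.0/20", "22773 3356"),
            ("198.51.100.0/24", "22773 64500")],
}


def parse(routes):
    """(prefix, path) strings -> (network, [int ASN]).  strict=True makes a
    prefix with host bits set (a garbled dump line) raise instead of being
    silently rounded down to an aggregate."""
    return [(ipaddress.ip_network(p, strict=True), [int(a) for a in path.split()])
            for p, path in routes]


def reject_reason(net, max_len=MAX_PREFIXLEN):
    """None if the prefix passes the filter, otherwise a short reason string."""
    if net.prefixlen > max_len[net.version]:
        return "longer than /%d" % max_len[net.version]
    for bogon in BOGONS:
        if net.version == bogon.version and net.overlaps(bogon):
            return "bogon %s" % bogon
    return None


def check(prefix):
    """Convenience wrapper: filter verdict for a prefix given as a string."""
    return reject_reason(ipaddress.ip_network(prefix, strict=True))


def apply_filter(routes, max_len=MAX_PREFIXLEN):
    """Split one upstream's routes into accepted [(net, path)] and rejected [(net, why)]."""
    accepted, rejected = [], []
    for net, path in parse(routes):
        why = reject_reason(net, max_len)
        if why:
            rejected.append((net, why))
        else:
            accepted.append((net, path))
    return accepted, rejected


def summarize(tables, max_len=MAX_PREFIXLEN):
    """Per-upstream (accepted, rejected) counts, the kind of figure quoted in the post."""
    return {name: tuple(len(x) for x in apply_filter(r, max_len))
            for name, r in tables.items()}


def unaggregated_more_specifics(tables):
    """More-specifics that exactly one upstream sends while every other upstream
    sends a covering aggregate.  Returns {upstream: sorted [(specific, aggregate)]}."""
    prefixes = {name: {net for net, _ in parse(r)} for name, r in tables.items()}
    found = defaultdict(list)
    for name, nets in prefixes.items():
        others = [prefixes[o] for o in prefixes if o != name]
        if not others:
            continue
        common = set.intersection(*others)        # aggregates all other upstreams carry
        for net in nets:
            if any(net in o for o in others):
                continue                          # same exact prefix seen elsewhere: fine
            covers = [c for c in common
                      if c.version == net.version and c != net and c.supernet_of(net)]
            if covers:                            # closest covering aggregate wins
                found[name].append((net, max(covers, key=lambda c: c.prefixlen)))
        if name in found:
            found[name].sort()
    return dict(found)


if __name__ == "__main__":
    for name, routes in SAMPLE_ROUTES.items():
        accepted, rejected = apply_filter(routes)
        print("%s: %d accepted, %d rejected" % (name, len(accepted), len(rejected)))
        for net, why in rejected:
            print("   drop %s (%s)" % (net, why))
    for name, pairs in unaggregated_more_specifics(SAMPLE_ROUTES).items():
        for specific, agg in pairs:
            print("%s-only %s is covered by %s from the other upstreams" % (name, specific, agg))
```

The second check is the useful one for the situation in the post: a more-specific that only one session carries, with the aggregate present everywhere else, is exactly what a customer-facing announcement without aggregation looks like, and it is also the pattern a deliberate more-specific hijack leaves, so it is worth alerting on rather than just counting.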
Re: VLANs
On Wed, 14 Nov 2007, Rodney Joffe wrote:
> I have too many services to just want to use a T1 or two as sacrificial pipes, and I don't want to be messing around manually. I need to be able to have the transit providers effectively provide isolation for each subnet, so my idea is to advertise each service up a separate rate-limited VLAN. So if one service is DDoS'd, and its 100mb VLAN is hosed, the other 9 services still cope easily with each of their 100mb VLANs. Seems simple and logical to me, but I wasn't sure what I was missing.

The trick isn't the classification part, but needing multiple hardware queues.

If you have multiple hardware queues, it doesn't matter too much whether you use "virtual" things like MPLS, VLAN, DSCP, 802.1p, PVCs, etc. Most will work.

If you don't have multiple hardware queues, then it also doesn't matter too much whether you use "virtual" things like MPLS, VLANs, DSCP, 802.1p, PVCs, etc. Most will not work.

Providers use sacrificial physical interfaces, e.g. a T1, because some routers aren't very good at managing multiple queues on a single physical interface, and may not have multiple hardware queues on a single physical interface.
Re: VLANs
On Nov 13, 2007, at 11:16 AM, Christopher Morrow wrote:
> On 11/13/07, Rodney Joffe <[EMAIL PROTECTED]> wrote:
>> Are any of you operators utilizing VLANs to/with your transit providers in order to isolate traffic types or services, and/or to assist in traffic shaping before it hits your transit connections (isolating the effects of DDoS's)?
>
> There was once a customer at a past job that used a sacrificial T1 to do this... They'd just announce/next-hop the attacked thing to the T1 interface, apparently remembering that there was BHR community available (and config'd for them) was hard to do.
>
> Are you looking to save the traffic for a reason or would just junking it down a tiny pipe work? (send me only x bps don't squeeze out all of my pipe in the process, unless your vlan config also included bandwidth limits?)
>
> -Chris

I have too many services to just want to use a T1 or two as sacrificial pipes, and I don't want to be messing around manually. I need to be able to have the transit providers effectively provide isolation for each subnet, so my idea is to advertise each service up a separate rate-limited VLAN. So if one service is DDoS'd, and its 100mb VLAN is hosed, the other 9 services still cope easily with each of their 100mb VLANs. Seems simple and logical to me, but I wasn't sure what I was missing.
Re: US Provisioned GSM cards abroad... SSL Issues?
On Wed, 14 Nov 2007 09:05:32 -0800 "Mike Lyon" <[EMAIL PROTECTED]> wrote:
>
> Curious. Has anyone on the list here ever encountered issues while
> traveling in EMEA accessing SSL websites back in the states while
> using an ATT/Cingular GSM data card? We are seeing some issues with
> this and were curious to see if anyone else is seeing the same issue.
>
> Any insight would be appreciated.
>

Do you have a tcptraceroute? Might some "helpful", "transparent" proxy be getting in your way? (You don't say anything about what your issues are.)

--Steve Bellovin, http://www.cs.columbia.edu/~smb
US Provisioned GSM cards abroad... SSL Issues?
Curious. Has anyone on the list here ever encountered issues while traveling in EMEA accessing SSL websites back in the states while using an ATT/Cingular GSM data card? We are seeing some issues with this and were curious to see if anyone else is seeing the same issue. Any insight would be appreciated. Thank You, Mike Lyon
Re: FCC rules for backup power
Jared> and all this time I thought you just wanted to attend those meetings to see all of our bright faces and partake of the chocolate chip cookies :)

In all seriousness, it is very good to get involved in these meetings and stay on top of what is going on. Plus it helps the gubment types out on what is reality or what is doable versus going off on a wild tangent. Especially with recovery, understanding what the real vulnerabilities or exposures are, and of course planning response activities.

I can't thank many of you enough that have taken an active role in helping USG out over the last few years and also the insights that you've shared with many of us that have worked these issues in the past. So with that said, get involved and let your opinions be known. Also you have a great opportunity coming up with new elections about to take place to help shape or influence the way ahead, but you've got to get involved.

Another good link on current documents on national level response and preparedness can be found here: http://www.dhs.gov/xprepresp/publications/

Also recommend setting up the usual Google alerts on some keywords like: "cyber and homeland", "communications and homeland".

Lastly there is a great effort underway led by a bi-partisan Congressional Commission. See http://www.csis.org/tech/cyber/

Congressman & Chairman Langevin & Ranking Member McCaul are two good people to send letters to or communicate with related to many of these issues if you have concerns. Their office is real responsive to Cyber & Communication issues. They're the ones that set up the Congressional Cyber Commission. http://homeland.house.gov/about/subcommittees.asp?subcommittee=12

-Jerry

-----Original Message-----
From: Jared Mauch [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 13, 2007 04:44 PM
To: 'Mike Lyon'
Cc: 'Wayne E. Bouchard', 'Sean Donelan', nanog@merit.edu
Subject: Re: FCC rules for backup power

On Tue, Nov 13, 2007 at 01:15:53PM -0800, Mike Lyon wrote:
> What? The gov't putting their nose in where it shouldn't be? NEVER!

I must say, if you're a provider with US presence and you're not paying attention to the FCC, DHS (NCS, NCSD) and possibly that thing called NSTAC you may wake up one day and be amazed what is going on.

Take an example - Unregulated chemical industry becomes regulated under DHS. (One of the 17 sectors that the govvies track).

There's stuff to track that doesn't involve having a full time employee to associate with it, but some allocation of time is valuable. If you don't, who knows, you may have Senator Stevens setting policy that is relevant to you.

http://hsgac.senate.gov/
http://homeland.house.gov/

There's all sorts of interesting stuff in this space to track. What if your network traffic doubled tomorrow due to a pandemic outbreak and everyone starts telecommuting?

http://www.dhs.gov/xprevprot/programs/editorial_0760.shtm

Perhaps it's wrong, or maybe they're right? I think continuing to watch the activities in this space is going to be critical to our evolution as providers of these ip packets.

- Jared

ps. other stuff of interest:
www.it-scc.org (free)
www.pcis.org (us, ca)

--
Jared Mauch | pgp key available via finger from [EMAIL PROTECTED]
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: FCC rules for backup power
Sean Donelan wrote:
>
> On Tue, 13 Nov 2007, Wayne E. Bouchard wrote:
>> On Tue, Nov 13, 2007 at 03:07:03PM -0500, Sean Donelan wrote:
>
> Can you find the FCC proposed 24-hours of backup power at this CO after
> Hurricane Katrina?
>
> http://www.thecentraloffice.com/Katrina/lkctla.jpg

Obviously that CO didn't fork out enough for the "vertically integrated high availability, maximized throughput, horizontal latency free, managed distribution with 99.9% clusterfsck free with a track record to obtain operational multiples on the valuations of power" version.

http://tinyurl.com/2ogat8

J. Oquendo
SGFA (FW+VPN v4.1)
SGFE (FW+VPN v4.1)

"I hear much of people's calling out to punish the guilty, but very few are concerned to clear the innocent." Daniel Defoe

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xF684C42E