Re: UUNET issues?
On Nov 4, 2006, at 7:45 PM, Randy Bush wrote:
Chris L. Morrow wrote:
Could you be any less descriptive of the problem you are seeing?
the internet is broken. anyone know why?

Did you ping it?

Mike
Re: UUNET issues?
On Nov 4, 2006, at 10:51 PM, Randy Bush wrote:
Could you be any less descriptive of the problem you are seeing?
the internet is broken. anyone know why?
Did you ping it?
is that what broke it?

Please. That's how you *know* it's broken.
Re: 3rd Party Cisco CWDM GBICs?
From: Aaron Thomas [EMAIL PROTECTED]
Date: Mon, 14 Feb 2005 11:52:46 -0800
To: 'nanog list' nanog@merit.edu
Subject: 3rd Party Cisco CWDM GBICs?

Hi List,

Cisco currently provides 8 lambdas for CWDM and we have a 10 lambda mux/de-mux system we want to make use of over a single fibre (5 data channels). The 1430 and 1450nm lambdas are dark and I was wondering if there are any 3rd party vendors out there that have produced Cisco compatible GBICs for these wavelengths. I have looked around and seen Finisar does make Cisco GBICs, but not in the 1430/1450 lambdas.

Any help appreciated

Aaron

You might want to try MRV Communications, www.mrv.com. I think they also make units for Cisco.

Mike
Re: The Cidr Report
From: Warren Kumari, Ph.D, CCIE# 9190 [EMAIL PROTECTED]
Date: Mon, 14 Feb 2005 10:14:38 -0500
To: nanog@merit.edu
Subject: Re: The Cidr Report

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Feb 13, 2005, at 2:31 AM, Christopher L. Morrow wrote:
On Sat, 12 Feb 2005, Alexander Koch wrote:
On Sat, 12 February 2005 14:58:42 +, Stephen J. Wilcox wrote:
From: Stephen J. Wilcox [EMAIL PROTECTED]
[...]
- would you agree that most of the poor deaggregating is not intentional ie that they're announcing their '16 class Cs' or historically had 2 /21s and

Think about someone putting in a Null0 route and re-exporting stuff unconditionally, now after he originates his /19 he is then adding a /24 here, and a /25 there. Lack of experience, when you suggest to them they should remove these announcements they are afraid to change it, not understanding the implications, etc.

Not to mention ppl using cisco and prefix lists, it is way too easy with cisco to say '/19 le 24', and then they use outbound prefix lists to their transit supplier (different, but related as I see it). Some transit ISPs use that a lot, and encourage the table growth.

There are some business reasons to de-aggregate. Look at some outages caused by 'routing problems' (someone leaked my /24's to their peers, peers, peer and my traffic got blackholed, because the public net only knows me as a /20) There are multiple reasons for deaggregation aside from 'dumb operator', some are even 'valid' if you look at them from the protection standpoint.

-Chris

That and the I have 1 circuit to $good_provider and 1 circuit to $bad_provider and the only way I can make them balance is to split my space in half and announce more specifics out through each provider argument. I have also often seen people do this without announcing the aggregate because some undefined bad thing will happen, usually justified with much hand-waving. The people who do this can usually not be reasoned with. It happens all the time...

Warren.
So, say I'm a provider that has received a /22 from UUNet (just for example Chris :-) ) and I now get another transit provider and announce the /22 there. So, I call UUNet and ask them to announce the /22 as a more specific because I don't want a de-facto asymmetric configuration. I *want* to get a /20 from ARIN but my usage doesn't justify it yet, so I have to ride the /22 for some time.

By the long string of anecdotal attacks in the string to date, listing most or all such providers as bad or uninformed, how do you separate out those providers who are legitimately interested in routing redundancy and not clue impaired? Do we just say too bad, routing table bloat is more important than your need for redundancy small guy!? I find it interesting that the general theme is one of we're smarter than they are because we aggregate more routes, as if clue were directly correlated to aggregated routing announcements.

Mike
--
Michael K. Smith
NoaNet
206.219.7116 (work)
866.662.6380 (NOC)
[EMAIL PROTECTED]
http://www.noanet.net
RE: Open-Source Network Management Tools
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

-----Original Message-----
From: Alexei Roudnev [mailto:[EMAIL PROTECTED]
Sent: Friday, September 17, 2004 12:53 AM
To: Michael Smith; [EMAIL PROTECTED]
Subject: Re: Open-Source Network Management Tools

I always tried to avoid any deal with SNMP TRAPS as most unreliable and inconvenient way of alerting (unfortunately, it can not be avoided totally). We use 'syslog' (syslog-ng + home written syslog analyzers + commercial soft, sometimes) when possible.

Unfortunately, SNMP TRAPS are what is available on the SONET transport side of the network. There is no useful data to be gotten from polling. In addition, the fact that TRAPS are proactive instead of reactive means I am immediately aware of network events whereas I might miss something with a poll. In addition, we have dry contact closures on these devices that TRAP only, no polling. Thankfully, the number of these events is small enough that syslog functions quite well. Syslog has not been up to the task of working with the sheer volume of TRAPS generated when there is a significant event on the optical network. Sometimes we see the notification but not the resolution, sometimes we see all but the last line of a TRAP message, and sometimes we get nothing.

Thanks,

Mike

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQUscOZzgx7Y34AxGEQK3oQCgg6bP3O4Pt5GyOPXsi+1tSvLrt2AAnjqs
BeYnYocvvNjP1RqqfH2dq+HT
=JrJP
-----END PGP SIGNATURE-----
RE: Open-Source Network Management Tools
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm looking for open-source alternatives for network management, such as Nagios or Big Brother. We are currently using WhatsUp Gold, and would like to move to something more flexible (and not running on a Windows platform). Something that has email/paging capabilities, and can process SNMP traps would be a plus for us as well. Recommendations? Thanks.

I'd like to expand the question by asking, what Open-Source applications do people use for SNMP Trap collecting and alarming? We're very happy with Nagios for polling, but we have a lot of optical components that send information via Traps that then needs to be culled, trimmed and analyzed.

Thanks,

Mike

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQUhq+Zzgx7Y34AxGEQJP6gCgh1KW5vvq2fRh4WBSik1Q7Ay31okAoIAh
ZKUgPFi9PZhDpOGIAXXOIY9W
=oD9A
-----END PGP SIGNATURE-----
RE: 802.17 RPR and L2 Ethernet interoperability (Ethernet over RPR)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Sam:

We're using the Cisco ML cards in the 15454's. The inbound port from the switch is just a .1Q trunk. The ML cards do the Q-in-Q encapsulation of all frames coming inbound, although this is just one configuration scenario that happened to work well for our application. These particular cards can take any frame up to 9000 bytes, so pre-encapsulated traffic types such as Q-in-Q or MPLS frames are no problem. We have not seen any issues with encapsulated types, but of course, your mileage may vary.

Mike

-----Original Message-----
From: Sam Stickland [mailto:[EMAIL PROTECTED]
Sent: Wednesday, July 07, 2004 3:28 AM
To: Michael Smith
Cc: [EMAIL PROTECTED]
Subject: RE: 802.17 RPR and L2 Ethernet interoperability (Ethernet over RPR)

Thanks for the reply. Pretty much everyone has told me that it's vendor specific, although the implementation mentioned below sounds nice. Any chance of naming that vendor?

One question about this, the Q-in-Q tunnelling would have to take place on the switch connected to the ring - what happens if the packet has already been placed in a dot1Q tunnel? I haven't really worked much with dot1Q tunneling - are there any known problems with extra tags? (aside from MTU issues, but I imagine most rings will support at least 9bytes)

Sam

On Tue, 6 Jul 2004, Michael Smith wrote:
Hello:

I think this is pretty provider-specific. However, we are doing this right now with a particular vendor using their flavor of RPR. The ring uses Q in Q tunneling in the core and all switches communicate directly to one another using .1Q encapsulated frames.

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, July 06, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: 802.17 RPR and L2 Ethernet interoperability (Ethernet over RPR)

Hi,

This is probably a fairly simple question, I'm probably just not quite grokking the layers involved here.

If I had the following setup:

Endstation A -- Switch A === RPR Ring === Switch B -- Endstation B

could there be a VLAN setup such that Endstations A and B are both in it, and can communicate as if they are on the same LAN segment? (And I mean natively. ie. not using an MPLS VPN). ie. Will the switches involved translate the different framing formats in use? Is this vendor dependent?

Sam

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQOwTjZzgx7Y34AxGEQITygCfVnf2TwHWTM2RKIOlwpWxv2CCop8AoMxK
tLDj65xi20rBuWtR6to8uMDq
=JWVZ
-----END PGP SIGNATURE-----
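Sam's question about what happens to a frame that is already carrying a dot1Q tag when the ring pushes another one, and the 9000-byte frame limit Mike quotes, come down to two mechanical checks: walking the tag stack until a non-VLAN EtherType is found, and verifying that one more 4-byte tag still fits inside the ring's maximum frame. The following parser is an added example written for this archive page, not code from the thread, Cisco, or any RPR vendor; the frames it builds are constructed, the 9000-byte limit is taken from Mike's message and assumed to apply to the whole frame, and 0x88A8 is the standard 802.1ad service-tag TPID.

```python
"""Parse stacked 802.1Q tags (Q-in-Q) and check ring MTU headroom.

Added example for the RPR thread; not code from the thread or any vendor.
Frames below are constructed. RING_MAX_FRAME is the 9000-byte figure quoted
in the thread, assumed here to cover the whole frame including tags.
"""
import struct

TPID_8021Q = 0x8100    # customer tag
TPID_8021AD = 0x88A8   # service-provider (outer) tag, 802.1ad
RING_MAX_FRAME = 9000  # assumption: largest frame the ring card accepts
TAG_LEN = 4


def parse_tags(frame: bytes):
    """Walk the tag stack.

    Returns (dst, src, [vlan ids outermost first], inner EtherType, payload offset).
    Raises ValueError on a truncated frame instead of reading past the end.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    off = 12
    vlans = []
    while True:
        if off + 2 > len(frame):
            raise ValueError("truncated frame: no EtherType after tag stack")
        (ethertype,) = struct.unpack("!H", frame[off:off + 2])
        if ethertype in (TPID_8021Q, TPID_8021AD):
            if off + TAG_LEN > len(frame):
                raise ValueError("truncated 802.1Q tag")
            (tci,) = struct.unpack("!H", frame[off + 2:off + 4])
            vlans.append(tci & 0x0FFF)      # low 12 bits of the TCI are the VID
            off += TAG_LEN
            continue
        return dst, src, vlans, ethertype, off + 2


def push_outer_tag(frame: bytes, svlan: int, tpid: int = TPID_8021AD) -> bytes:
    """Encapsulate a frame in a provider tag, as the ring ingress would.

    Refuses frames that would exceed RING_MAX_FRAME after the extra 4 bytes,
    which is the MTU failure mode Sam asks about.
    """
    tag = struct.pack("!HH", tpid, svlan & 0x0FFF)
    out = frame[:12] + tag + frame[12:]
    if len(out) > RING_MAX_FRAME:
        raise ValueError(f"frame of {len(out)} bytes exceeds ring maximum {RING_MAX_FRAME}")
    return out


def build_frame(vlans, ethertype: int, payload: bytes) -> bytes:
    """Construct a test frame with the given customer tags (constructed MACs)."""
    hdr = bytes.fromhex("0a1b2c3d4e5f") + bytes.fromhex("0a1b2c3d4e60")
    tags = b"".join(struct.pack("!HH", TPID_8021Q, v) for v in vlans)
    return hdr + tags + struct.pack("!H", ethertype) + payload


if __name__ == "__main__":
    single = build_frame([100], 0x0800, b"\x00" * 1500)       # plain .1Q trunk frame
    print(parse_tags(push_outer_tag(single, 200))[2])         # [200, 100]
    already = build_frame([300, 400], 0x8847, b"\x00" * 8976)  # pre-tunnelled MPLS frame
    try:
        push_outer_tag(already, 500)
    except ValueError as e:
        print(e)                                               # exceeds ring maximum
```

The parser stops at the first EtherType that is not a VLAN TPID, so a frame that arrives already double-tagged simply yields a three-entry VLAN list after the ring adds its own tag; the only hard limit is the frame size, which is why the second constructed frame, 8998 bytes before encapsulation, is rejected.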
RE: 802.17 RPR and L2 Ethernet interoperability (Ethernet over RPR)
Hello:

I think this is pretty provider-specific. However, we are doing this right now with a particular vendor using their flavor of RPR. The ring uses Q in Q tunneling in the core and all switches communicate directly to one another using .1Q encapsulated frames.

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, July 06, 2004 11:50 AM
To: [EMAIL PROTECTED]
Subject: 802.17 RPR and L2 Ethernet interoperability (Ethernet over RPR)

Hi,

This is probably a fairly simple question, I'm probably just not quite grokking the layers involved here.

If I had the following setup:

Endstation A -- Switch A === RPR Ring === Switch B -- Endstation B

could there be a VLAN setup such that Endstations A and B are both in it, and can communicate as if they are on the same LAN segment? (And I mean natively. ie. not using an MPLS VPN). ie. Will the switches involved translate the different framing formats in use? Is this vendor dependent?

Sam
RE: concern over public peering points [WAS: Peering point speed publicly available?]
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mikael Abrahamsson
Sent: Saturday, July 03, 2004 10:22 AM
To: [EMAIL PROTECTED]
Subject: Re: concern over public peering points [WAS: Peering point speed publicly available?]

On Sat, 3 Jul 2004, Laurence F. Sheldon, Jr. wrote:
Does the person that sweeps the floor do so for free? And supply the broom?

The marginal cost of half a rack being occupied by an IX switch in a multi-hundred-rack facility is negligible. Yes, it should carry a cost of a few hundred dollars per month in rent, and the depreciation of the equipment is also a factor, but all-in-all these costs are not high and if an IX point rakes in $200k a year that should well compensate for these costs.

--
Mikael Abrahamsson email: [EMAIL PROTECTED]

At the Seattle Internet Exchange, a, granted, smaller peering exchange, you have to account for the following costs (and, mind you, this list is not exhaustive).

1) 1 Rack
2) Space for the rack in a secure facility
3) AC for the equipment
4) Power for the equipment (including line and UPS)
5) Fiber and Copper runs to the facility for cross-connects
6) Terminations of (5)
7) O&M of space and gear
8) Layer 8 and 9 negotiation of (1) through (7) to keep costs down.

That's not a trivial set of expenses, particularly when there are limitations in place to recovering costs via non-cash methods, such as advertising the hosting of the exchange. Thankfully, there is some altruism on the behalf of several parties that allow the exchange to continue providing zero cost connections to participants. I hardly think the cost of their time and effort is marginal.

Mike
NoaNet
RE: OT: Looking for Ethernet/Optical Device
Hello Eric:

You can issue the following command in the 3550 series that takes care of that issue. However, your mileage may vary. :-)

no errdisable detect cause gbic-invalid

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Kuhnke
Sent: Tuesday, June 01, 2004 2:06 PM
To: [EMAIL PROTECTED]
Subject: Re: OT: Looking for Ethernet/Optical Device

Be warned that you can't use non-Cisco CWDM SFPs or GBICs in a cisco switch or router... There is a PROM code in the cisco-sold units that is identified by IOS. Plug in a non-cisco SFP/GBIC and it will shut down the port. (This was discussed about 9 months ago on nanog-l, it should be in the archives).

Does anyone actually buy the $3500 CWDM SFPs? That's a $3300 profit margin for Cisco...

Scott McGrath wrote:
Finisar also has CWDM optics in both the SFP and GBIC form factor and they are quite a bit less expensive than the Cisco solution and they do have a 16 lambda passive OADM as well as the 4 and 8 lambda models.

Scott C. McGrath

On Tue, 1 Jun 2004, Erik Haagsman wrote:
What you could try is use the Cisco CWDM-MUX-4 and its pluggable optics that can be fit into any GBIC 802.3z compliant slot. It's just an OADM with 4 or 8 wavelengths that delivers GigE to any box with pluggable GBICs provided you use the right optics and it's quite a bit cheaper than using ONS stuff. That said, CWDM doesn't get you much further than 80 kilometres, above that DWDM is your only option, and a hell of a lot more expensive.

Cheers,
--
---
Erik Haagsman
Network Architect
We Dare BV
tel: +31(0)10 7507008
fax: +31(0)10 7507005
http://www.we-dare.nl

On Tue, 2004-06-01 at 17:30, Michael Smith wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello All:

I'm wondering if anyone has seen a good and cheap(er) solution for providing multiple Gigabit Ethernet circuits over a single pair of fiber. I'm looking for a way to do CWDM or DWDM that's cheaper than putting in a Cisco 15454 or 15327.

I'm only going to be doing 2 GigE circuits between two switches, so I don't need to plan for future growth. If anyone knows of a magic box that will do the above I would love to hear about it.

Thanks,

Mike
- --
Michael K. Smith
NoaNet
206.219.7116 (work)
866.662.6380 (NOC)
[EMAIL PROTECTED]
http://www.noanet.net

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQLyiVJzgx7Y34AxGEQIDewCfR8JQG2jqbxsBopUE6u3FUnfiX3UAoODx
41QL7T1eyK1EQ4ZMnVJU+l2p
=hDVT
-----END PGP SIGNATURE-----
Best Common Practice - Listening to local routes from peers?
Hello:

We have a customer of a customer who is attempting to send traffic from IP space we control, through the Internet and back into us via one of our transit connections. I have filters in place that block all inbound traffic from the blocks I announce coming in over my transit and peering connections. This is breaking the downstream customer's ability to route from them, through UUNet, and back to me.

I'm curious what the Best Common Practice is for this type of scenario. I have always used this type of filtering as a way to bury source-spoofed traffic in a DDOS situation but I'm not sure if it's appropriate, generally speaking.

If other operators would like to reply directly to me I would be more than happy to summarize to the list.

Thank you for any assistance you can provide.

Michael Smith
[EMAIL PROTECTED]
RE: interesting article on Saudi Arabia's http filtering
For the record... I have first hand knowledge that KSA's filtering is not too effective. I'll abstain from the ethics/moral discussion.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vadim Antonov
Sent: Thursday, January 15, 2004 8:35 PM
To: Randy Bush
Cc: [EMAIL PROTECTED]
Subject: Re: interesting article on Saudi Arabia's http filtering

On Thu, 15 Jan 2004, Randy Bush wrote:
i was helping get the link up into kacst (their nsf equivalent) in ryadh back in '94, and a rather grownup friend there, Abdulaziz A. Al Muammar, who had his phd from the states and all that, explained it to me something like this way. yes, to a westerner, our ways of shielding our society seem silly, and sometimes even worse. but tell me, how do we liberalize and open the culture without becoming like the united states [0]? not an easy problem. considering the *highly* offensive material that arrives in my mailbox (and i do not mean clueless nanog ravings:-), my sympathy for abdulaziz increases monotonically.

Installing a whitelisting and challenge-response mail filter on my box reduced amount of spam to nearly zero. I mostly get spam through the e2e list nowadays.

The solution to high offensiveness is to grow up and stop behaving like the sight of some physiological function is going to kill us. It is offensive only because the offended party thinks that the world should be a sterile place, and instead of concluding that the sender of the offensive material is a tasteless moron and moving on decides to wage a war against human nature.

so perhaps we should ask, rather than ranting, how do we, the self-appointed ubergeeks of the net, think we can clean up our own back yards, before we start talking about how others maintain theirs?

Maybe we should stop whining when others refuse to accept mail from total unknowns without those unknowns making a small token effort to prove their willingness to hold a civilized conversation?

I certainly don't care what they want to read or see. Or send, for that matter. None of my business.

[0] - which, americans need to realize is, to much of the civilized world, the barbarian hordes, sodom, and gomorrah rolled into one

To much of the civilized world (and, besides Europe and Japan, no other places qualify, sorry) Americans look like neurotic prudes who have a peculiar hang-up on sex and deep inferiority complex compelling them to unceasingly seek affirmations of their superiority. Much of what goes for offensive in US won't get an eyebrow raised in Paris or Amsterdam. In fact, the more likely reaction would be how boringly lame.

As for the arabian friend who seeks to control what his compatriots are allowed to see, I'd say that his sensibilities are his own problem, and that if he wished to impose them on _me_ I'd tell him to mind his own business, possibly augmenting my message with appropriate degree of violence.

--vadim
RE: Pitfalls of announcing /24s
What about the /24's that many ISPs (especially tier 2-3) are assigning to multi-homed customers? What about an IX or critical infrastructure providers that may be issued a /24 from ARIN (Policy 2001-3)?

Although it may be rare that a large aggregate would become unreachable to a large network, doesn't the possibility exist that a customer with a /24 would become unreachable (to some) due to the aggregate dropping out even though the /24 should still be reachable? That scenario may not be very likely, but the question of asymmetric routing and one's ability to balance traffic become issues. Assigning a lower preference to /24's would be a lot friendlier than just throwing them away.

If I am way off base, I fully expect to be corrected (with volume). My flame retardant suit is in place.

Michael

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Rosenthal
Sent: Wednesday, October 15, 2003 4:47 PM
To: John Palmer
Cc: [EMAIL PROTECTED]
Subject: Re: Pitfalls of announcing /24s

http://info.us.bb.verio.net/routing.html#PeerFilter

That's how Verio does it, and I assume, that's how most people who filter by length do it as well.

--Phil

On Oct 15, 2003, at 4:40 PM, John Palmer wrote:
Good question. You know there are thousands of legacy /24's out there that were allocated by IANA as /24's. How can you aggregate them up if all you have is the /24? To those who filter out /24's - how is this done - just by the netmask size?

- Original Message -
From: Jean-Christophe Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 15, 2003 15:34
Subject: Pitfalls of announcing /24s

In current practice would there be serious jeopardy of portions of the internet not being able to reach this address space due to bgp filters or other restrictions? What is the smallest acceptable block of IPs that can be announced without adverse or unpredictable results? Verio would most likely be picking up these routes from us.

I don't want to cause a religious debate, but I am interested in what the industry consensus is. I'm just doing some research, any comments would be appreciated.

Thanks,
Jean-Christophe Smith

--Phil Rosenthal
ISPrime, Inc.
RE: Pitfalls of announcing /24s
Understood. But... networks filtering out the /24 announcement will always prefer the aggregate learned from the owner/issuer of the space. They'll be completely unaware that another route exists to the (/24) network. If the customer's link to the provider that assigned the space goes down, those filtering /24's will still send the traffic to the 'owner' of the space (right?). What if the issuer of the /24 is filtering incoming /24 advertisements (Verio)? Will they learn the route to the other ISP or blackhole traffic destined for their own customer?

I keep hoping that I am missing something here. If not, I sure hope more folks don't adopt Verio's filtering techniques. (I know that a VERY low AS # issues /24's out of a /8)

-----Original Message-----
From: Phil Rosenthal [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 15, 2003 5:42 PM
To: H. Michael Smith, Jr.
Cc: [EMAIL PROTECTED]; 'John Palmer'
Subject: Re: Pitfalls of announcing /24s

On Oct 15, 2003, at 5:24 PM, H. Michael Smith, Jr. wrote:
What about the /24's that many ISPs (especially tier 2-3) are assigning to multi-homed customers? What about an IX or critical infrastructure providers that may be issued a /24 from ARIN (Policy 2001-3)?

As long as it's provider assigned, and your provider announces the supernet that the /24 is from, it will still work. If you announce PI space out of the old class A space in /24's, many networks won't be able to reach you.
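The reachability question in the two messages above (a /24 filtered on prefix length, leaving only the aggregate and therefore only the assigning provider's path) can be worked through with a small longest-match model. The code below is an added example for this archive page, not code from the thread, Verio, or any router vendor. The only filter rule it takes from the thread is the quoted Verio policy for the traditional Class A space (0/1: accept /22 and shorter); the /24 limit for all other space, the provider names and the 64.100.0.0/20 aggregate with its 64.100.5.0/24 customer assignment are constructed assumptions.

```python
"""Prefix-length filtering versus longest-match forwarding.

Added example for the "Pitfalls of announcing /24s" thread; not code from
the thread or any vendor. FILTER_RULES encodes the Verio rule quoted in the
thread for 0/1; the /24 limit elsewhere and all prefixes/providers are
constructed assumptions.
"""
from ipaddress import ip_address, ip_network

# (covering range, longest prefix length accepted inside it); first match wins
FILTER_RULES = [
    (ip_network("0.0.0.0/1"), 22),   # quoted Verio rule for the old Class A space
    (ip_network("0.0.0.0/0"), 24),   # assumption for everything else
]

AGGREGATE = "64.100.0.0/20"     # constructed: Provider A's allocation
CUSTOMER_24 = "64.100.5.0/24"   # constructed: the multihomed customer's assignment
PROBE = "64.100.5.10"           # constructed: a host inside the customer's /24


def accepted(prefix) -> bool:
    """Return True if a prefix-length filter with FILTER_RULES would keep the announcement."""
    net = ip_network(prefix)
    for covering, max_len in FILTER_RULES:
        if net.subnet_of(covering):
            return net.prefixlen <= max_len
    return False


def build_rib(announcements, apply_filter: bool):
    """announcements: iterable of (prefix, next_hop). Returns {IPv4Network: next_hop}."""
    rib = {}
    for prefix, next_hop in announcements:
        net = ip_network(prefix)
        if apply_filter and not accepted(net):
            continue                      # dropped at the border by the length filter
        rib.setdefault(net, next_hop)     # first announcement for a prefix wins here
    return rib


def lookup(rib, dst: str):
    """Longest-prefix match; None when nothing in the table covers dst."""
    addr = ip_address(dst)
    best = None
    for net, next_hop in rib.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def reachability(aggregate_up: bool, apply_filter: bool):
    """Where does a filtering (or non-filtering) network send traffic for the customer?"""
    anns = [(CUSTOMER_24, "provider-B")]          # the customer's second transit
    if aggregate_up:
        anns.append((AGGREGATE, "provider-A"))     # the assigning provider's aggregate
    return lookup(build_rib(anns, apply_filter), PROBE)


if __name__ == "__main__":
    for agg_up, filt in [(True, False), (True, True), (False, True)]:
        print(f"aggregate_up={agg_up} filter={filt} -> {reachability(agg_up, filt)}")
```

Without the filter the /24 wins on length and traffic goes to provider-B; with the filter the same network only has the /20 and forwards to provider-A regardless of whether provider-A's link to the customer is up, which is the situation Michael describes; and if the aggregate is withdrawn as well, the filtering network has no route at all. The model deliberately keeps the first announcement per prefix rather than running BGP best-path selection, since prefix length alone decides the outcome here.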
RE: Pitfalls of announcing /24s
Even if they understand it, why should they accept it? If an ISP assigns an address block, runs BGP with the customer, promotes multi-homing, shouldn't they make a reasonable effort to make it work? Unless I am missing something, I am having a big problem with an ISP assigning a /24 to a multi-homed customer and not accepting /24 routes.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Caban
Sent: Wednesday, October 15, 2003 5:44 PM
To: Jean-Christophe Smith
Cc: NANOG
Subject: RE: Pitfalls of announcing /24s

I will say most probably yes. I have seen this problem(?) on many small business customers. The hard part is trying to explain that to them.

-William

On Wed, 2003-10-15 at 17:16, Jean-Christophe Smith wrote:
I noticed the verio filter policy, in relation to inbound:
- In the traditional Class A space (i.e., 0/1), we accept /22 and shorter.

If I want to announce a /24 in the 64.x.x.x space (traditional Class A space) am I going to have a problem with other networks that have peer filters similar to Verio's?

Thanks,
Jean-Christophe Smith

--
William Caban [EMAIL PROTECTED]
RE: Pitfalls of announcing /24s
This is a part of the problem. I realize that large ISPs are probably against micro-assignments so that they can continue to use address space to treat customers as indentured servants. I guess they can skip Chicago and just filter out any micro-assignments that ARIN may one day issue.

My biggest gripe on this topic is about ISPs that assign /24's to multi-homed customers, but filter out /24's received from peers. Verio (the example of the day) accepts /24's (that they likely assigned) from customers but filters these out from others. Are they expecting their peers not to filter these /24's or do they really care? I suppose if their peers adopt filtering policies such as theirs, they can just tell their customers We accept your /24, but the other guy is filtering it out

Michael

-----Original Message-----
From: Andrew Dul [mailto:[EMAIL PROTECTED]
Sent: Wednesday, October 15, 2003 11:35 PM
To: Forrest; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: Pitfalls of announcing /24s

Forrest,

Even if ARIN passes this policy that will not make any provider change their filtering policy. It is true that many providers do use the ARIN allocation sizes to create their filtering rules but the two are not inherently linked. Any ASN can choose to filter on whatever rule set they choose.

Andrew

At 04:38 PM 10/15/2003 -0500, Forrest wrote:
This is just one of the many reasons why we need ARIN proposal 2002-3 to be approved. So that small networks that wish to multihome don't have issues with networks filtering out their /24 along with all the other garbage /24's that are announced.

http://www.arin.net/policy/2002_3.html

If you support 2002-3 I urge you to get on the ARIN Public Policy Mailing List (PPML) and voice your opinion.

http://www.arin.net/mailing_lists/index.html

Forrest

-----Original Message-----
From: H. Michael Smith, Jr. [SMTP:[EMAIL PROTECTED]
Sent: Wednesday, October 15, 2003 4:24 PM
To: 'Phil Rosenthal'; 'John Palmer'
Cc: [EMAIL PROTECTED]
Subject: RE: Pitfalls of announcing /24s

What about the /24's that many ISPs (especially tier 2-3) are assigning to multi-homed customers? What about an IX or critical infrastructure providers that may be issued a /24 from ARIN (Policy 2001-3)?

Although it may be rare that a large aggregate would become unreachable to a large network, doesn't the possibility exist that a customer with a /24 would become unreachable (to some) due to the aggregate dropping out even though the /24 should still be reachable? That scenario may not be very likely, but the question of asymmetric routing and one's ability to balance traffic become issues. Assigning a lower preference to /24's would be a lot friendlier than just throwing them away.

If I am way off base, I fully expect to be corrected (with volume). My flame retardant suit is in place.

Michael

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Phil Rosenthal
Sent: Wednesday, October 15, 2003 4:47 PM
To: John Palmer
Cc: [EMAIL PROTECTED]
Subject: Re: Pitfalls of announcing /24s

http://info.us.bb.verio.net/routing.html#PeerFilter

That's how Verio does it, and I assume, that's how most people who filter by length do it as well.

--Phil

On Oct 15, 2003, at 4:40 PM, John Palmer wrote:
Good question. You know there are thousands of legacy /24's out there that were allocated by IANA as /24's. How can you aggregate them up if all you have is the /24? To those who filter out /24's - how is this done - just by the netmask size?

- Original Message -
From: Jean-Christophe Smith [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, October 15, 2003 15:34
Subject: Pitfalls of announcing /24s

In current practice would there be serious jeopardy of portions of the internet not being able to reach this address space due to bgp filters or other restrictions? What is the smallest acceptable block of IPs that can be announced without adverse or unpredictable results? Verio would most likely be picking up these routes from us.

I don't want to cause a religious debate, but I am interested in what the industry consensus is. I'm just doing some research, any comments would be appreciated.

Thanks,
Jean-Christophe Smith

--Phil Rosenthal
ISPrime, Inc.
Dynamic Internet Maps based on BGP table / AS_PATH
Hello All,

A few months ago someone posted a URL to a tool that maps the Internet from the perspective of any (inputted) AS Number. Could someone send this URL (on- or off-list)? I've searched the archives, but I cannot find it.

Thanks,
Michael
RE: AS announcement question (easy)
If the old provider is advertising the prefix based on your advertisement to them (you're running BGP), then their advertisement should cease shortly after your link to them goes down. Likewise, the new provider would only propagate the advertisement after you advertise it to them.

Michael

H. Michael Smith, Jr.
Network Services and Security Manager
Clark Atlanta University

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mike Donahue
Sent: Monday, August 04, 2003 2:22 PM
To: '[EMAIL PROTECTED]'
Subject: AS announcement question (easy)

Hi, sorry for this low-level question, but at least I'm not posting in html. :)

My company owns a class C, and we're switching ISPs. The new provider is telling us that they can start announcing, without us having to tell the old provider to stop announcing. I.e., a 2-3 day period where both are announcing our class C. This conflicts with my extremely (admittedly) limited knowledge. Can someone let me know if this is OK/not OK?

Thanks in advance,
Mike

Michael Donahue
WATG
(949) 574-8500 x261
RE: Where is the edge of the Internet? Re: no ip forged-source-address
One of my clients is currently a victim of an over-zealous ISP recklessly trying to implement rpf. One (of two) ISPs are trying to monitor my customer's circuit by watching the serial interface (IP address) of the cpe (customer owned and controlled) router (IP address is from ISP's block). Due to the fact that this customer has a T1 to one ISP and a DS-3 to another ISP, the return path of this monitoring traffic is sent via the 2nd ISP's link. This 2nd ISP (DS-3) is dropping the packets because they are being sourced from the serial interface (IP address of 1st ISP).

Advertised routes != valid source addresses, is this not obvious? I can think of MANY examples of different sets of prefixes being advertised across different links, while the routing decision for outbound packets does not consider what routes are being advertised.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:owner-nanog;merit.edu] On Behalf Of alok
Sent: Thursday, November 07, 2002 3:00 PM
To: Majdi S. Abbas; [EMAIL PROTECTED]
Subject: Re: Where is the edge of the Internet? Re: no ip forged-source-address

On Fri, Nov 08, 2002 at 01:01:33AM +0530, alok wrote:
there was a comment from chris saying...never possible to know what networks a bgp customer uplinks via you which is very true.. ..so i assume u mean non-bgp customers? loose or strict, rpf will not work for asymmetrically connected bgp neighbouring AS

How does loose not work in this scenario? If it's not in the global tables -at all-, it's not reachable, and might as well be discarded.

--

the scenario is this...

a BGP customer uplinks network a.b.c.d via me, but advertises it via some place else (some other network he peers with) and some other bgp peer/router to bring that traffic back into his AS... this can also happen mainly due to BGP metrics blah blah

now, essentially a.b.c.d can be anything...and he need not tell me what he uplinks from me, all he tells me are the networks he downlinks via me so as to tell me what routemaps to put with acls for bgp advertisements from him.. in fact people tend to use this very often (also a way of providing link failure etc by multihoming) ..and they have the choice to uplink anything from anywhere and downlink it from another location...they certainly dont need to tell you what they uplink..as far as i know...

now the point is that if you use loose rpf here what are u filtering on? you dont even know what he is uplinking to you... i assume the subject is still DDoS attacks...using spoofed ips... now when u dont know what he is uplinking from ur networks, how do u even know what to block? if u say loose simply means check if the entry for the network is there in the routing table..then the entire internet is there in the routing table...(thanks to bgp) so it certainly won't work on bgp based edges

the other point u made about not reachable...well not reachable from where? from a ospf running node which uses 0.0.0.0 ? a lot of ones own networks etc may not be reachable from there i guess...as they are covered in default routes... for a bgp running router...all valid internet addresses are reachable, for an ospf router all is reachable either via 0.0.0.0, and if u remove default any, it doesnt even know what the customer networks are. so a lot isnt reachable i think

as was rightly defined...the edge is the place where the end user/host gets onto the net...
RE: no ip forged-source-address
A fundamental effect of spoofing addresses from your local subnet is that when the packets reach their target, the source addresses are meaningful. I realize that the traceability of these packets has already been mentioned, but I want to point out the profound difference between a DDoS attack with meaningful vs. meaningless source addresses.

-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-nanog;merit.edu] On Behalf Of Hank Nussbacher
Sent: Wednesday, October 30, 2002 2:27 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: no ip forged-source-address

On Wed, 30 Oct 2002 [EMAIL PROTECTED] wrote:

If every router in the world did this I could still use spoofed IP addresses and DDOS someone. My little program could determine what subnet I am on, check what other hosts are alive on the subnet and then when it decides to attack, it would use some neighbor's IP. The subnet I am on is a /24 and there very well may be a few dozen hosts. I could be real sneaky and alter my IP randomly to be any of my neighbors for every packet I send out. Traceback would get me instantly back to the offending subnet but then it would take a bit of digging on the network admin to track me down and applying RPF checking won't help. RPF checking can only go so far. You would need RPF checking down to the host level and I haven't heard anyone discuss that yet.

-Hank

Hi,

I've been following the discussion on DDoS attacks over the last few weeks and our network has also recently been the target of a sustained DDoS attack. I'm not alone in believing that source address filters are the simplest way to prevent the types of DDoS traffic that we have all been seeing with increasing regularity. Reading the comments on this list has led me to believe that there is a lot of inertia involved in applying what appears to me as very simple filters.
As with the smurf attacks a few years ago, best practice documents and RFC's don't appear to be effective. I realise that configuring and applying a source address filter is trivial, but not enough network admins seem to be taking the time to lock this down. If the equipment had sensible defaults (with the option to bypass them if required), then perhaps this would be less of an issue.

Therefore, would it be a reasonable suggestion to ask router vendors to put source address filtering in as an option[1] on the interface and then move it to being the default setting[2] after a period of time? This appeared to have some success with reducing the number of networks that forwarded broadcast packets (as with no ip directed-broadcast).

Just my $0.02,

Richard Morrell
edNET

[1] For example, an IOS config might be:

interface fastethernet 1/0
no ip forged-source-address

[2] Network admins would still have the option of turning it off, but this would have to be explicitly configured.
RE: no ip forged-source-address
If you go back to the thread, you'll see that I was responding to the idea that using src-addr verification would not prevent someone from spoofing addresses on his own subnet. Others pointed out that while this might hide the true offender, it would still make the DoS attack easier to mitigate because the src addresses would indicate the network from which the attack originated (if not the actual hosts). Some folks didn't seem to appreciate the value here, therefore I asserted that there is a specific difference between packets with virtually random src addrs, and packets that passed through src-addr filters. The first set are not traceable and their src addresses generally useless, while the 2nd set have src addresses that can be used to trace to at least the attack's source network.

As for your confusion, I am not sure that I can help with that. :-)

-Original Message-
From: Christopher L. Morrow [mailto:chris;UU.NET]
Sent: Thursday, October 31, 2002 1:21 AM
To: H. Michael Smith, Jr.
Cc: 'Hank Nussbacher'; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: no ip forged-source-address

On Wed, 30 Oct 2002, H. Michael Smith, Jr. wrote:

A fundamental effect of spoofing addresses from your local subnet is that when the packets reach their target, the source addresses are meaningful. I realize that the traceability of these packets has already been mentioned, but I want to point out the profound difference between a DDoS attack with meaningful vs. meaningless source addresses.

I'm confused.. it's still a DoS attack, eh??
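Richard Morrell's proposed per-interface source filter and the "meaningful vs. meaningless source addresses" argument in the reply above can be shown together. The block below is an added example, not code from the thread: it models a BCP38-style access-layer rule (a customer port may only source packets from the prefix assigned to it), runs Hank's "spoof my neighbours and anything else" traffic through it, and then shows what the victim can infer from the surviving source addresses. The interface names, the customer prefixes and the spoofed source list are constructed; the /24 granularity used for the victim's view is an illustration, not a property of any real filter.

```python
"""Access-layer source-address filtering and what it leaves for traceback.

Added example, not code from the thread. Interface names, customer prefixes
and the spoofed packet sources are all constructed.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

IPNet = ipaddress.IPv4Network
IPAddr = ipaddress.IPv4Address

# Constructed access-layer table: customer-facing interface -> the only
# prefix that may appear as a source address on that interface.
INGRESS_ALLOW: Dict[str, IPNet] = {
    "Fa1/0": IPNet("192.0.2.0/24"),
    "Fa1/1": IPNet("198.51.100.0/24"),
}


def ingress_permitted(allow_table: Dict[str, IPNet], in_iface: str, src: str) -> bool:
    """BCP38-style check: the source must lie inside the prefix assigned to
    the ingress interface. An interface with no assignment passes nothing."""
    net = allow_table.get(in_iface)
    return net is not None and IPAddr(src) in net


def apply_ingress_filter(allow_table: Dict[str, IPNet], in_iface: str,
                         sources: Iterable[str]) -> List[str]:
    """Return the subset of packet sources the filter lets out of the port."""
    return [s for s in sources if ingress_permitted(allow_table, in_iface, s)]


def origin_networks(sources: Iterable[str], prefixlen: int = 24) -> Set[IPNet]:
    """The victim's view: which /24s (constructed granularity) the surviving
    source addresses claim to come from."""
    return {IPNet(f"{s}/{prefixlen}", strict=False) for s in sources}


# Constructed attack traffic from one host behind Fa1/0 (192.0.2.0/24):
# neighbours on its own /24 plus addresses picked from anywhere.
SPOOFED_SOURCES = [
    "192.0.2.17", "192.0.2.44", "192.0.2.201",   # neighbours on own subnet
    "203.0.113.5", "10.9.8.7", "198.51.100.9",   # unrelated address space
    "172.16.3.3", "192.0.2.99",
]


def demo():
    """Compare what reaches the victim with and without the edge filter."""
    unfiltered = origin_networks(SPOOFED_SOURCES)
    survivors = apply_ingress_filter(INGRESS_ALLOW, "Fa1/0", SPOOFED_SOURCES)
    filtered = origin_networks(survivors)
    return {
        "unfiltered_networks": sorted(str(n) for n in unfiltered),
        "survivors": survivors,
        "filtered_networks": sorted(str(n) for n in filtered),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Without the filter the victim sees five unrelated /24s and has nothing to hand to anyone; with it, every surviving packet carries an address inside 192.0.2.0/24, which is exactly the "trace to at least the attack's source network" property argued for above. The filter does not identify the host (Hank's point stands), but it turns the address field from noise into a pointer at one customer port.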
RE: ICANN Targets DDoS Attacks
Source address verification at access layer and rate limiting icmp would be fine starts.

-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-nanog;merit.edu] On Behalf Of fingers
Sent: Tuesday, October 29, 2002 1:12 AM
To: [EMAIL PROTECTED]
Subject: Re: ICANN Targets DDoS Attacks

Meanwhile, U.S. government security officials are discussing the possibility of creating new regulations that would require federal agencies to buy Internet service only from ISPs that have DDoS protection on their networks, according to people familiar with the situation. Such a decision could place economic pressure on the other ISPs to follow suit, thereby improving Internet security.

just how would an isp stamp themselves with the DDoS protected rubber stamp? I'm just curious as to what the next sales person is going to request as a product/service they're going to want to charge customers for. best practices like filtering != DDoS protection imho
RE: ICANN Targets DDoS Attacks
Agreed 100%, but Gov't (being run by lawyers) is well accustomed to defining what the meaning of 'is' is. If they dictate that ISPs employ DDoS Protection, they will define what DDoS Protection means 'for the purposes of this policy'.

-Original Message-
From: fingers [mailto:fingers;fingers.co.za]
Sent: Tuesday, October 29, 2002 10:04 AM
To: H. Michael Smith, Jr.
Cc: [EMAIL PROTECTED]
Subject: RE: ICANN Targets DDoS Attacks

Source address verification at access layer and rate limiting icmp would be fine starts.

these are best practices and not DDoS Protection imho
RE: ICANN Targets DDoS Attacks
If we take Marc Sachs' presentation at face-value, the Gov't is asking us to provide such definitions (as well as anything else we can do to help).

-Original Message-
From: [EMAIL PROTECTED] [mailto:owner-nanog;merit.edu] On Behalf Of bob
Sent: Tuesday, October 29, 2002 10:26 AM
To: fingers
Cc: H. Michael Smith, Jr.; [EMAIL PROTECTED]
Subject: Re: ICANN Targets DDoS Attacks

I would point out that if we were to define it and provide the definition to the proper authorities, it would go a long way towards getting a definition that makes sense. I, (and many others here I would imagine) can help get the definition to the right ears if ya'll come up with it.

iii

fingers wrote:

Agreed 100%, but Gov't (being run by lawyers) is well accustomed to defining what the meaning of 'is' is. If they dictate that ISPs employ DDoS Protection, they will define what DDoS Protection means 'for the purposes of this policy'.

ah ok the point I was trying to make is, there are steps that can be taken to mitigate/reduce the effects of DDoS. I do not believe there is any complete way to protect against a DDoS. perhaps I'm just being pedantic. perhaps the clarity you mention would be a good thing for other areas too :)
Re: Draft of Rep. Berman's bill authorizes anti-P2P hacking
On 7/24/02 11:31 AM, Adam Rothschild [EMAIL PROTECTED] wrote:

On 2002-07-24-14:10:00, James Thomason [EMAIL PROTECTED] wrote: If this legislation is passed, they certainly will earn Null0 on mine.

Unless, of course, the RIAA, MPAA, and friends carry out their cracking through throw-away dial and DSL accounts, like they purportedly use now to troll for copyright offenders, and send automated nasty-grams to their upstream providers. Carrying out their cracking from a uniform netblock or AS, which we could all identify and filter, would be too easy. They're flagrant, but they're not stupid.

The Business Software Alliance appears to be using this technique to flush out people distributing their Members' software via Gnutella and others. I have received the obligatory nasty-gram advising me as the owner of an IP (not taking into account the IP has been allocated and then assigned to consecutive downstream providers) that I could be held liable for the actions of this particular user.

Mike