Re: IPv6 Confusion
> Do you really want to keep state for hundreds of end user devices in
> your equipment?
>
> In my mind, IPv6 more than ever requires the customer to have their
> own L3 device (which you delegate a /56 to with DHCPv6-PD).
>
> Imagine the size of your TCAM needed with antispoofing ACLs and
> adjacencies when the customer has 100 active IPv6 addresses (remember
> that IPv6 enabled devices often have multiple IPv6 addresses, my
> windows machine regularly grabs 3 for instance).

we do not have to imagine. c & j have both demonstrated the nat scaling problem when prototyping for comcast. that is why the idea of a 'carrier grade' nat in the core has become many near-edge nats and ds-lite. it is sorely broken architecture.

randy
RE: IPv6 Confusion
On Thu, 19 Feb 2009, Frank Bulk wrote:

> I probably tied CPE to NAT together in my mind... if I peel NAT out from
> what these CPE are doing, perhaps a PPPoE/A environment is the only place
> a L3 CPE will be needed with IPv6 anymore. FTTH, BWA, RFC 1483/RBE, and
> cable modems can bridge at L2 and each customer host can have their own
> IPv6 address.

Do you really want to keep state for hundreds of end user devices in your equipment?

In my mind, IPv6 more than ever requires the customer to have their own L3 device (which you delegate a /56 to with DHCPv6-PD).

Imagine the size of your TCAM needed with antispoofing ACLs and adjacencies when the customer has 100 active IPv6 addresses (remember that IPv6 enabled devices often have multiple IPv6 addresses, my windows machine regularly grabs 3 for instance).

-- 
Mikael Abrahamsson    email: swm...@swm.pp.se
Re: IPv6 Confusion
Frank Bulk wrote:
> Considering that the only real IPv6-ready CPE at your favorite N.A.
> electronics store is Apple's AirPort, it seems to me that it will be
> several years before the majority (50% plus 1) of our respective customer
> bases has IPv6-ready or dual-stack equipment.

Actually, out of the box my newish Linksys WRT610N started sending RAs and provides IPv6 connectivity via 6to4. Came as a bit of a surprise when it stole traffic away from my existing IPv6 tunnel.

Couple of problems, though:
1) No switch to turn it off
2) No firewalling/filtering is done.

This makes it somewhat less than ideal, and worse than the original Apple Airport default configuration which at least had clear and obvious knobs to make it do the right thing even if they had a poor default setting.

Bob
RE: IPv6 Confusion
I probably tied CPE to NAT together in my mind... if I peel NAT out from what these CPE are doing, perhaps a PPPoE/A environment is the only place a L3 CPE will be needed with IPv6 anymore. FTTH, BWA, RFC 1483/RBE, and cable modems can bridge at L2 and each customer host can have their own IPv6 address.

Frank

-----Original Message-----
From: Jack Bates [mailto:jba...@brightok.net]
Sent: Thursday, February 19, 2009 7:42 AM
To: Frank Bulk
Cc: 'Brandon Galbraith'; nanog@nanog.org
Subject: Re: IPv6 Confusion

Frank Bulk wrote:
> Considering that the only real IPv6-ready CPE at your favorite N.A.
> electronics store is Apple's AirPort, it seems to me that it will be several
> years before the majority (50% plus 1) of our respective customer bases has
> IPv6-ready or dual-stack equipment.

On the other hand, a majority of the routers purchased are for wireless connectivity, followed quickly by the necessity for multiple computers sharing a common subnet. Security and firewalls are not something most end users attribute to routers, but instead to their host based solutions. As such, I have no problem with pointing out that they can have 4.3 billion squared devices sitting off a cheap switch; all sharing the same subnet. Of course, wireless peeps will either have to use wireless bridges or have supported routers. Really, the AirPort is pretty stable and functional as a wireless AP. Most say it's worth the extra $$$.

-Jack
Re: do I need to maintain with RADB?
On 19/02/2009 12:09, "Zaid Ali" wrote:

> Hi, need some advice here. Do I still need to maintain my objects (and pay)
> RADB? I use ARIN as source and all my route objects can be verified with a
> whois.

If you are happy using a RR which appears to only rely on a MAIL-FROM auth scheme then the ARIN RR is fine. If you'd like to have a stronger auth scheme available you might want to look at RADB.

Leo
Re: real hardware router VS linux router
On 2/19/09, mike wrote:
> Steve Bertrand wrote:
>> Ryan Harden wrote:
>>> While you could probably build a linux router that is just as fast as a
>>> real hardware router, you're always going to run into the moving pieces
>>> part of the equation.
>>
>> Not if you boot directly from USB key into memory with no disk drive.
>>
>> Steve
>
> I am sorry, but this is wrong. A USB Key is another 'PC Architecture' that
> DOES NOT WORK for network devices. There is NO positive mechanical force to
> keep that thing inserted, and the way a USB Key would hang off most devices
> with a USB port, would put it at very high risk for being accidentally
> bumped / disconnected. Secondly, there are still many many PC Architecture
> boxen that still do not boot correctly from USB.

I've used a hot glue gun to glue a USB key to the device/server/etc in question. Works very well against being bumped or accidentally dislodged.

-brandon

-- 
Brandon Galbraith
Voice: 630.400.6992
Email: brandon.galbra...@gmail.com
Re: real hardware router VS linux router
> Ryan Harden wrote:
>> While you could probably build a linux router that is just as fast as a
>> real hardware router, you're always going to run into the moving pieces
>> part of the equation.
>
> Not if you boot directly from USB key into memory with no disk drive.

You probably don't want a USB key. Too easy to knock off, etc. Though for a small enough USB key, like the Kingston microSD-to-USB adapters (like FCR-MRR+SDC) ... that'd probably be okay.

What we did for a few applications... FreeBSD 7.1R on a 4GB compact flash, the CF plugged into a CF-to-IDE converter. In our case we case modded a few Intel ISP 1100 1U servers to allow the CF to be inserted from the front. Great for VPN service (either server or client), load balancers, traffic shapers, or smallish routers.

    ad0: 3847MB at ata0-master PIO4

Designed to run with root as read-only-usually, with memory filesystems for /var and /tmp (logging to a remote syslog server and serial console seem to address most of the obvious complaints).

This only partially addresses the moving parts concerns, since the system is still dependent on fans. However, with a passive heatsink, at least the loss of a single fan isn't critical. And, geez, most of my switch gear has fans, so at what point do we draw the line? We had a 3Com SuperStack switch (~10 years old) that we didn't identify as the source of a nasty growly sound for probably half a decade. :-)

There have been numerous discussions about PC routers on NANOG and other lists in the past. Short form is, if you know what you're doing and the tradeoffs and benefits are acceptable, it can really rock. Otherwise, proceed with caution and do lots of reading.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again."
- Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: real hardware router VS linux router
Steve Bertrand wrote:
> Ryan Harden wrote:
>> While you could probably build a linux router that is just as fast as a
>> real hardware router, you're always going to run into the moving pieces
>> part of the equation.
>
> Not if you boot directly from USB key into memory with no disk drive.
>
> Steve

I am sorry, but this is wrong. A USB Key is another 'PC Architecture' that DOES NOT WORK for network devices. There is NO positive mechanical force to keep that thing inserted, and the way a USB Key would hang off most devices with a USB port, would put it at very high risk for being accidentally bumped / disconnected. Secondly, there are still many many PC Architecture boxen that still do not boot correctly from USB.
Re: do I need to maintain with RADB?
Most of all my providers use a route registry and if they don't I would question it. I am all for a route registry but can we adopt one or one of X registries, which I think is what is happening. For my ease of management I would like to use one and also pay (and budget) for one since it's the same information (or should be).

Zaid

----- Original Message -----
From: "Heather Schiller"
To: "Zaid Ali"
Cc: "Jon Lewis" , "NANOG list"
Sent: Thursday, February 19, 2009 3:21:13 PM GMT -08:00 US/Canada Pacific
Subject: Re: do I need to maintain with RADB?

No. Use of a routing registry is not required.. ARIN's, RADB's or otherwise.

You might want to check out this presentation: http://nanog.org/meetings/nanog44/abstracts.php?pt=ODg4Jm5hbm9nNDQ=&nm=nanog44

This is an entirely different statement from "Your globally unique IP's should be allocated to you in an RIR's database before someone routes them for you"

For example 207.76.0.0/14 is allocated to us, you can see it in ARIN's whois, but it is not registered in ARIN's IRRD, or any other.

As further proof - note that people publicly route resources that aren't registered in a "routing registry database" or even registered to them by an RIR at all: http://www.cidr-report.org/as2.0/#Bogons

I'm not saying this is a good thing.. I would like to see the system drastically improved and secured.. I'm just pointing out how things actually work today.

Check w/ your provider, but in most cases you will find that they don't use a route registry.

--Heather

Heather Schiller
Verizon Business
Customer Security
1.800.900.0241
IP Address Management
hel...@verizonbusiness.com

Jon Lewis wrote:
> On Thu, 19 Feb 2009, Zaid Ali wrote:
>
>> Hi, need some advice here. Do I still need to maintain my objects (and
>> pay) RADB? I use ARIN as source and all my route objects can be
>> verified with a whois.
>
> If your objects are all maintained via another routing registry (ARIN's,
> altdb, etc.) and you don't care to maintain objects with radb.ra.net,
> then you do not need to pay RADB maintenance fees.
>
> --
> Jon Lewis               | I route
> Senior Network Engineer | therefore you are
> Atlantic Net            |
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: real hardware router VS linux router
Ryan Harden wrote:
> While you could probably build a linux router that is just as fast as a
> real hardware router, you're always going to run into the moving pieces
> part of the equation.

Not if you boot directly from USB key into memory with no disk drive.

Steve
Re: do I need to maintain with RADB?
> No. Use of a routing registry is not required.
                                      ^ always

some wise upstreams require it. and it is a good idea to be in the irr. and there are free/open irr servers.

randy
Re: Appropriate list for Linux routers (was: real hardware router VS linux router)
On Thu, Feb 19, 2009, Brian Keefer wrote:
> If anyone would like to drop me a line off-list to point me in the
> right direction, I'd be very grateful. So far the most useful
> information I've found on the topic has been via this list.
>
> PS I'm talking specifically about Linux. The FreeBSD and OpenBSD
> crowd seem to have lists that provide this sort of thing already.

The people doing this commercially under Linux/FreeBSD, and have mods to do higher PPS in certain conditions, generally don't talk (much.)

A few FreeBSD developers are pushing forward with higher PPS improvements. If this is inline with what you want, then I suggest talking to them and seeing how they can help.

Migrating to a superior platform (where "superior" here is "does what I want better") isn't a -bad- idea. :)

Adrian
Re: do I need to maintain with RADB?
No. Use of a routing registry is not required.. ARIN's, RADB's or otherwise.

You might want to check out this presentation: http://nanog.org/meetings/nanog44/abstracts.php?pt=ODg4Jm5hbm9nNDQ=&nm=nanog44

This is an entirely different statement from "Your globally unique IP's should be allocated to you in an RIR's database before someone routes them for you"

For example 207.76.0.0/14 is allocated to us, you can see it in ARIN's whois, but it is not registered in ARIN's IRRD, or any other.

As further proof - note that people publicly route resources that aren't registered in a "routing registry database" or even registered to them by an RIR at all: http://www.cidr-report.org/as2.0/#Bogons

I'm not saying this is a good thing.. I would like to see the system drastically improved and secured.. I'm just pointing out how things actually work today.

Check w/ your provider, but in most cases you will find that they don't use a route registry.

--Heather

Heather Schiller
Verizon Business
Customer Security
1.800.900.0241
IP Address Management
hel...@verizonbusiness.com

Jon Lewis wrote:
> On Thu, 19 Feb 2009, Zaid Ali wrote:
>
>> Hi, need some advice here. Do I still need to maintain my objects (and
>> pay) RADB? I use ARIN as source and all my route objects can be
>> verified with a whois.
>
> If your objects are all maintained via another routing registry (ARIN's,
> altdb, etc.) and you don't care to maintain objects with radb.ra.net,
> then you do not need to pay RADB maintenance fees.
>
> --
> Jon Lewis               | I route
> Senior Network Engineer | therefore you are
> Atlantic Net            |
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Appropriate list for Linux routers (was: real hardware router VS linux router)
On Feb 19, 2009, at 12:30 PM, Bill Nash wrote:
> Having carped, I'm obligated to offer a solution: The technical discussion
> is certainly interesting to a small subset of NANOG participants, I'm sure
> (I do find it interesting, I promise), but I'm thinking this conversation
> is better elsewhere, like a beer & gear, or might I recommend forming some
> kind of nanog-shoptalk sub list? Is there one like it? Something for
> discussing the network substrata and not the weather a few layers up? I'm
> aware of stuff like c-nsp/j-nsp, but the Linux router crowd has its own
> niche and there's certainly a place for discussing them, I just don't
> think it's.. here.
>
> - billn

I would be interested in such a thing. I've tried approaching the Linux crowd for such information, but they seem more interested in writing patches to blink LEDs when Netfilter does something than talking about performance and scaling considerations.

If anyone would like to drop me a line off-list to point me in the right direction, I'd be very grateful. So far the most useful information I've found on the topic has been via this list.

PS I'm talking specifically about Linux. The FreeBSD and OpenBSD crowd seem to have lists that provide this sort of thing already.

-- 
bk
Re: lots of prepends
> The only ill effect is if set it too low we tested it a bit
> at 20-30 AS path length range figuring we shouldn't see *much*
> and it was staggering over time. The unfortunate thing more
> related to your question is that we found some AS's that were
> prepending 40-50 times to ALL their upstreams so with max-as set
> too low we had no routing to them at all!

aha! an idiot filter. this could be a feature, not a bug.

randy
Re: do I need to maintain with RADB?
Yes, but I wanted to get a feel from the community; and since I get a notification message from RADB to pay up, I wanted to get a feel from providers. I am happy to take my question off the list :)

Zaid

----- Original Message -----
From: "Bruce Robertson"
To: "Zaid Ali"
Cc: "NANOG list"
Sent: Thursday, February 19, 2009 2:19:42 PM GMT -08:00 US/Canada Pacific
Subject: Re: do I need to maintain with RADB?

But I pay for all that already, so it seems that using ARIN is a no-brainer.

Zaid Ali wrote:
> It's not entirely free since you have to pay an AS maintenance fee and if
> you are assigned a netblock directly then you pay maintenance on that also.
> I would rather maintain everything in one place rather than paying an extra
> $495 to RADB if my BGP peers can source it from ARIN.
>
> Zaid
>
> ----- Original Message -----
> From: "Bruce Robertson"
> To: "NANOG list"
> Sent: Thursday, February 19, 2009 2:07:31 PM GMT -08:00 US/Canada Pacific
> Subject: Re: do I need to maintain with RADB?
>
> Is the ARIN registry free, then?
>
> Jon Lewis wrote:
>> On Thu, 19 Feb 2009, Zaid Ali wrote:
>>
>>> Hi, need some advice here. Do I still need to maintain my objects (and
>>> pay) RADB? I use ARIN as source and all my route objects can be
>>> verified with a whois.
>>
>> If your objects are all maintained via another routing registry (ARIN's,
>> altdb, etc.) and you don't care to maintain objects with radb.ra.net,
>> then you do not need to pay RADB maintenance fees.
>>
>> --
>> Jon Lewis               | I route
>> Senior Network Engineer | therefore you are
>> Atlantic Net            |
>> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: lots of prepends
Hi all,

I am writing on behalf of AS8928. We have changed our BGP policy against AS 20912 to allow a maximum of 20 AS prepends. Our NOC will communicate this issue to the customer, and when I have some news on why this happened I will update the NANOG list.

Best Regards
Tomas Caslavsky
Principal IP engineer
Interoute CZECH
Nad Elektrarnou 1428/47
106 00 Praha 10
Prague
Czech Republic
Direct Phone: +420 225 352 675
Mobile Phone: +420 731 492 872
Email: tomas.caslav...@interoute.com

"the impossible we can do - miracles take a little longer!"
"/earth is 98% full... please delete anyone you can."

Paul Stewart wrote:
> The only ill effect is if set it too low we tested it a bit at 20-30 AS
> path length range figuring we shouldn't see *much* and it was staggering
> over time. The unfortunate thing more related to your question is that we
> found some AS's that were prepending 40-50 times to ALL their upstreams so
> with max-as set too low we had no routing to them at all!
>
> We've had it set to 100 for quite a while now and no side effects
>
> Paul
>
> -----Original Message-----
> From: Seth Mattinen [mailto:se...@rollernet.us]
> Sent: Thursday, February 19, 2009 4:50 PM
> To: nanog@nanog.org
> Subject: Re: lots of prepends
>
> Mikael Abrahamsson wrote:
>> Today 85.119.176.0/21 was announced by AS20912 with 177 prepends. I
>> noticed 20912 modulo 256 is 176. AS47868 modulo 256 is 252 which matches
>> this Monday's prepend-incident.
>>
>> So, what router OS will put 20912 into a byte and thus end up with 176
>> in something like "set as-path prepend last-as " ? It needs to be fixed.
>>
>> Has anyone noticed any ill effects with IOS and using "bgp max-as"? Will
>> it just drop any prefixes with long as-paths and no other ill
>> operational effects?
>
> No ill effects here, but I never saw the others before this one, and I'm
> only seeing it via 3561.
010308: Feb 19 13:08:13.455 PDT: %BGP-6-ASPATH: Long AS path 3561 3257 8928 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 received from 216.88.158.93: More than configured MAXAS-LIMIT ~Seth "The information transmitted is intended only for the person or entity to which it is addressed and contains confidential and/or privileged material. If you received this in error, please contact the sender immediately and then destroy this transmission, including all attachments, without copying, distributing or disclosing same. Thank you."
Re: Single fiber 10Gb/s X2 or Xenpak transceiver
2009/2/19, Andrey Slastenov :
> Hi Guys.
>
> Do you ever see single fiber 10Gb/s X2 or Xenpak transceiver? (I know about
> SFP, but never see X2 or Xenpak before)

-- 
Sent from my mobile

Jean
Re: do I need to maintain with RADB?
But I pay for all that already, so it seems that using ARIN is a no-brainer.

Zaid Ali wrote:
> It's not entirely free since you have to pay an AS maintenance fee and if
> you are assigned a netblock directly then you pay maintenance on that also.
> I would rather maintain everything in one place rather than paying an extra
> $495 to RADB if my BGP peers can source it from ARIN.
>
> Zaid
>
> ----- Original Message -----
> From: "Bruce Robertson"
> To: "NANOG list"
> Sent: Thursday, February 19, 2009 2:07:31 PM GMT -08:00 US/Canada Pacific
> Subject: Re: do I need to maintain with RADB?
>
> Is the ARIN registry free, then?
>
> Jon Lewis wrote:
>> On Thu, 19 Feb 2009, Zaid Ali wrote:
>>
>>> Hi, need some advice here. Do I still need to maintain my objects (and
>>> pay) RADB? I use ARIN as source and all my route objects can be
>>> verified with a whois.
>>
>> If your objects are all maintained via another routing registry (ARIN's,
>> altdb, etc.) and you don't care to maintain objects with radb.ra.net,
>> then you do not need to pay RADB maintenance fees.
>>
>> --
>> Jon Lewis               | I route
>> Senior Network Engineer | therefore you are
>> Atlantic Net            |
>> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: do I need to maintain with RADB?
It's not entirely free since you have to pay an AS maintenance fee and if you are assigned a netblock directly then you pay maintenance on that also. I would rather maintain everything in one place rather than paying an extra $495 to RADB if my BGP peers can source it from ARIN.

Zaid

----- Original Message -----
From: "Bruce Robertson"
To: "NANOG list"
Sent: Thursday, February 19, 2009 2:07:31 PM GMT -08:00 US/Canada Pacific
Subject: Re: do I need to maintain with RADB?

Is the ARIN registry free, then?

Jon Lewis wrote:
> On Thu, 19 Feb 2009, Zaid Ali wrote:
>
>> Hi, need some advice here. Do I still need to maintain my objects
>> (and pay) RADB? I use ARIN as source and all my route objects can be
>> verified with a whois.
>
> If your objects are all maintained via another routing registry
> (ARIN's, altdb, etc.) and you don't care to maintain objects with
> radb.ra.net, then you do not need to pay RADB maintenance fees.
>
> --
> Jon Lewis               | I route
> Senior Network Engineer | therefore you are
> Atlantic Net            |
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: do I need to maintain with RADB?
Is the ARIN registry free, then?

Jon Lewis wrote:
> On Thu, 19 Feb 2009, Zaid Ali wrote:
>
>> Hi, need some advice here. Do I still need to maintain my objects (and
>> pay) RADB? I use ARIN as source and all my route objects can be
>> verified with a whois.
>
> If your objects are all maintained via another routing registry (ARIN's,
> altdb, etc.) and you don't care to maintain objects with radb.ra.net,
> then you do not need to pay RADB maintenance fees.
>
> --
> Jon Lewis               | I route
> Senior Network Engineer | therefore you are
> Atlantic Net            |
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
RE: Network diagram software
Graphviz will do this. (www.graphviz.org)

The basic (dot) syntax for what you describe below is:

    digraph G {
        R1 -> VLAN100;
        R2 -> R1;
        SW1 -> VLAN100;
        SW2 -> R2;
        H1 -> SW1;
        H2 -> SW1;
        H3 -> SW2;
        H4 -> SW2;
    }

It'll output a GIF flowchart-style diagram with the nodes connected as described above. It's also good for visualizing BGP AS paths.

-----Original Message-----
From: Ross Vandegrift [mailto:r...@kallisti.us]
Sent: Wednesday, February 11, 2009 9:42 AM
To: Mathias Wolkert
Cc: nanog@nanog.org
Subject: Re: Network diagram software

On Wed, Feb 11, 2009 at 02:06:09PM +0100, Mathias Wolkert wrote:
> I'd like to know what software people are using to document networks.
> Visio is obvious but feels like a straight jacket to me.
> I liked netviz but it seems owned by CA and unsupported nowadays.
>
> What do you use?

I'd like to put a second request. I often want to very quickly mock-up a diagram that I'm going to use for myself or for internal purposes. Is there any application that takes some kind of *simple* description and produces a (possibly not so beautiful) picture?

For example, I might say something like:

    Router(rtr1) connects to vlan 100
    Router(rtr2) connects to Router(rtr1) via T1
    switch(sw1) connects to vlan100
    switch(sw2) connects to Router(rtr2)
    A few hosts connect to Switch(sw1)
    A few hosts connect to Switch(sw2)

-- 
Ross Vandegrift
r...@kallisti.us

"If the fight gets hot, the songs get hotter. If the going gets tough, the songs get tougher."
--Woody Guthrie
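As an added example (not code from this thread or from Graphviz), here is a small Python translator that takes description lines in exactly the form Ross gives above and emits dot for Graphviz; expanding "A few hosts" into two numbered hosts per line is my assumption, as is rendering "connects to" as an undirected graph rather than the digraph used in the reply.

```python
import re
from typing import List, Tuple

# Constructed input: Ross's description lines from the thread, verbatim.
DESCRIPTION = """\
Router(rtr1) connects to vlan 100
Router(rtr2) connects to Router(rtr1) via T1
switch(sw1) connects to vlan100
switch(sw2) connects to Router(rtr2)
A few hosts connect to Switch(sw1)
A few hosts connect to Switch(sw2)
"""

# "<src> connects to <dst> [via <link>]"; src and dst are parsed separately.
LINE_RE = re.compile(
    r"(?i)^(?P<src>.+?)\s+connects?\s+to\s+(?P<dst>.+?)(?:\s+via\s+(?P<via>\S+))?\s*$"
)
# Either "Kind(name)" (Router(rtr1), switch(sw1)) or "vlan 100" / "vlan100".
NODE_RE = re.compile(r"(?i)^(?:(?P<kind>\w+)\((?P<name>\w+)\)|vlan\s*(?P<vlan>\d+))$")


def node_name(token: str) -> str:
    """Map one endpoint token to a dot node identifier."""
    m = NODE_RE.match(token.strip())
    if not m:
        raise ValueError(f"unrecognised endpoint: {token!r}")
    if m.group("name"):
        return m.group("name")           # Router(rtr1) -> rtr1
    return f"VLAN{m.group('vlan')}"      # vlan 100 / vlan100 -> VLAN100


def parse_description(text: str, hosts_per_line: int = 2) -> List[Tuple[str, str, str]]:
    """Return (src, dst, link) edges. "A few hosts" becomes hosts_per_line fresh
    host nodes (h1, h2, ...); that expansion is an assumption of this example."""
    edges: List[Tuple[str, str, str]] = []
    next_host = 1
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"cannot parse line: {line!r}")
        dst = node_name(m.group("dst"))
        via = m.group("via") or ""
        if m.group("src").lower() == "a few hosts":
            srcs = [f"h{next_host + i}" for i in range(hosts_per_line)]
            next_host += hosts_per_line
        else:
            srcs = [node_name(m.group("src"))]
        edges.extend((s, dst, via) for s in srcs)
    return edges


def to_dot(edges: List[Tuple[str, str, str]], directed: bool = False) -> str:
    """Render edges as a dot graph. "connects to" is symmetric, so the default is
    an undirected graph; directed=True reproduces the digraph/-> style above."""
    kw, arrow = ("digraph", "->") if directed else ("graph", "--")
    out = [f"{kw} G {{"]
    for src, dst, via in edges:
        label = f' [label="{via}"]' if via else ""   # "via T1" becomes an edge label
        out.append(f"    {src} {arrow} {dst}{label};")
    out.append("}")
    return "\n".join(out)


if __name__ == "__main__":
    # Pipe the output into: dot -Tpng -o net.png
    print(to_dot(parse_description(DESCRIPTION)))
```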
RE: lots of prepends
The only ill effect is if set it too low we tested it a bit at 20-30 AS path length range figuring we shouldn't see *much* and it was staggering over time. The unfortunate thing more related to your question is that we found some AS's that were prepending 40-50 times to ALL their upstreams so with max-as set too low we had no routing to them at all! We've had it set to 100 for quite a while now and no side effects Paul -Original Message- From: Seth Mattinen [mailto:se...@rollernet.us] Sent: Thursday, February 19, 2009 4:50 PM To: nanog@nanog.org Subject: Re: lots of prepends Mikael Abrahamsson wrote: > > Today 85.119.176.0/21 was announced by AS20912 with 177 prepends. I > noticed 20912 modulo 256 is 176. AS47868 modulo 256 is 252 which matches > this mondays prepend-incident. > > So, what router OS will put 20912 into a byte and thus end up with 176 > in something like "set as-path prepend last-as " ? It > needs to be fixed. > > Has anyone noticed any ill effects with IOS and using "bgp max-as"? Will > it just drop any prefixes with long as-paths and no other ill > operational effects? > No ill effects here, but I never saw the others before this one, and I'm only seeing it via 3561. 010308: Feb 19 13:08:13.455 PDT: %BGP-6-ASPATH: Long AS path 3561 3257 8928 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 received from 216.88.158.93: More than configured MAXAS-LIMIT ~Seth "The information transmitted is intended only for the person or entity to which it is addressed and contains confidential and/or privileged material. 
If you received this in error, please contact the sender immediately and then destroy this transmission, including all attachments, without copying, distributing or disclosing same. Thank you."
Re: IPv6 Confusion
>> I can't think of a single working group chair/co-chair that's
>> ever presented at NANOG and asked for feedback.
> Were you at the last NANOG when I did everything but beg for feedback?

no i was not but leo's post was simple flatulence

randy
Re: lots of prepends
Mikael Abrahamsson wrote: > > Today 85.119.176.0/21 was announced by AS20912 with 177 prepends. I > noticed 20912 modulo 256 is 176. AS47868 modulo 256 is 252 which matches > this mondays prepend-incident. > > So, what router OS will put 20912 into a byte and thus end up with 176 > in something like "set as-path prepend last-as " ? It > needs to be fixed. > > Has anyone noticed any ill effects with IOS and using "bgp max-as"? Will > it just drop any prefixes with long as-paths and no other ill > operational effects? > No ill effects here, but I never saw the others before this one, and I'm only seeing it via 3561. 010308: Feb 19 13:08:13.455 PDT: %BGP-6-ASPATH: Long AS path 3561 3257 8928 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 received from 216.88.158.93: More than configured MAXAS-LIMIT ~Seth
[no subject]
protect users from victimisation by the likes of this: http://www.bleepingcomputer.com/forums/topic204619.html

For years (decades?) I've been DNS hijacking to cripple worm ridden machines associating with my wifi nodes etc. That only deals with a few threats. I'd like to feel confident in using blackhole routes to combat malware proliferation too. Any tools available to age out malware routes after a given period of time?

Robin David Hammond KB3IEN
n.y.c. ares
RE: lots of prepends
Just seen that here too: Feb 19 16:20:35: %BGP-6-ASPATH: Long AS path 8001 8928 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 20912 received from 207.99.64.25: More than configured MAXAS-LIMIT Our AS path limit is 100 which is way too high in my opinion but regardless I was trying to figure out any logic in this I can remember prepending one of our upstreams 4X at one point thinking that was a bit nuts thankfully we don't prepend anyone these days Paul -Original Message- From: Mikael Abrahamsson [mailto:swm...@swm.pp.se] Sent: Thursday, February 19, 2009 4:21 PM To: nanog@nanog.org Subject: lots of prepends Today 85.119.176.0/21 was announced by AS20912 with 177 prepends. I noticed 20912 modulo 256 is 176. AS47868 modulo 256 is 252 which matches this mondays prepend-incident. So, what router OS will put 20912 into a byte and thus end up with 176 in something like "set as-path prepend last-as " ? It needs to be fixed. Has anyone noticed any ill effects with IOS and using "bgp max-as"? Will it just drop any prefixes with long as-paths and no other ill operational effects? -- Mikael Abrahamssonemail: swm...@swm.pp.se "The information transmitted is intended only for the person or entity to which it is addressed and contains confidential and/or privileged material. If you received this in error, please contact the sender immediately and then destroy this transmission, including all attachments, without copying, distributing or disclosing same. Thank you."
lots of prepends
Today 85.119.176.0/21 was announced by AS20912 with 177 prepends. I noticed 20912 modulo 256 is 176. AS47868 modulo 256 is 252 which matches this Monday's prepend-incident.

So, what router OS will put 20912 into a byte and thus end up with 176 in something like "set as-path prepend last-as " ? It needs to be fixed.

Has anyone noticed any ill effects with IOS and using "bgp max-as"? Will it just drop any prefixes with long as-paths and no other ill operational effects?

-- 
Mikael Abrahamsson    email: swm...@swm.pp.se
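The byte-truncation observation and the max-as trade-off from this thread, as an added example that is not part of any post: a small Python triage over %BGP-6-ASPATH lines in the format Seth and Paul quoted, checking each path against Mikael's modulo-256 hypothesis and against a configured path-length limit. The log lines are constructed (only the message format and the 216.88.158.93 peer come from the thread), and treating 177 occurrences of the origin as 176 prepends plus the origin's own entry is my assumption, not something the thread states.

```python
import re
from typing import Dict, List, Optional

# IOS %BGP-6-ASPATH message as quoted in the thread: the AS_PATH is the run of
# numbers between "Long AS path" and "received from".
ASPATH_RE = re.compile(
    r"%BGP-6-ASPATH: Long AS path (?P<path>(?:\d+\s+)+)received from (?P<peer>[\d.]+)"
)


def build_log(prefix_path: List[int], origin: int, repeats: int, peer: str) -> str:
    """Construct a log line in the page's format (test data only)."""
    path = " ".join(str(a) for a in prefix_path + [origin] * repeats)
    return (f"010308: Feb 19 13:08:13.455 PDT: %BGP-6-ASPATH: Long AS path {path} "
            f"received from {peer}: More than configured MAXAS-LIMIT")


# Constructed samples: the first mirrors the 20912 incident (177 occurrences of the
# origin, as Mikael reported); the second is an ordinary 3x prepend on a private ASN.
SAMPLE_LOGS = [
    build_log([3561, 3257, 8928], 20912, 177, "216.88.158.93"),
    build_log([3561, 1299], 65001, 3, "216.88.158.93"),
]


def parse_aspath_log(line: str) -> Optional[Dict]:
    """Extract peer and AS_PATH from one log line, or None if it is not one."""
    m = ASPATH_RE.search(line)
    if not m:
        return None
    return {"peer": m.group("peer"), "path": [int(a) for a in m.group("path").split()]}


def origin_repeats(path: List[int]) -> int:
    """Consecutive occurrences of the origin AS at the tail (1 means no prepending)."""
    if not path:
        return 0
    n = 0
    for asn in reversed(path):
        if asn != path[-1]:
            break
        n += 1
    return n


def low_byte(asn: int) -> int:
    """What an implementation keeps if it stores the prepend count in one byte."""
    return asn & 0xFF            # 20912 -> 176, 47868 -> 252


def looks_byte_truncated(path: List[int]) -> bool:
    """Mikael's observation: 20912 % 256 == 176 and the prefix carried 177 copies.
    Assumption: 176 prepends plus the origin's own entry."""
    reps = origin_repeats(path)
    return reps > 1 and reps == low_byte(path[-1]) + 1


def exceeds_maxas(path: List[int], limit: int) -> bool:
    """The effect of an AS path length limit (IOS 'bgp maxas-limit'): the prefix
    is dropped when the path is longer than the limit."""
    return len(path) > limit


def triage(lines: List[str], maxas_limit: int = 100) -> List[Dict]:
    """Run the checks over log lines; non-matching lines are skipped."""
    out = []
    for line in lines:
        rec = parse_aspath_log(line)
        if rec is None:
            continue
        rec["repeats"] = origin_repeats(rec["path"])
        rec["byte_truncation_suspected"] = looks_byte_truncated(rec["path"])
        rec["dropped_by_maxas"] = exceeds_maxas(rec["path"], maxas_limit)
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in triage(SAMPLE_LOGS):
        print(rec["peer"], rec["path"][-1], rec["repeats"],
              rec["byte_truncation_suspected"], rec["dropped_by_maxas"])
```

Paul's caveat shows up directly in `exceeds_maxas`: a limit of 20-30 discards a legitimate 40-50x prepend, while 100 still catches this incident.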
Re: do I need to maintain with RADB?
Is there a good source to explain the whole RADB "system", and tools/processes people use to maintain routing policies/filters based on it? I'd like to both review and make sure my current understanding is accurate, and have a doc to send people to.

Thanks for any pointers!

--D

On Thu, Feb 19, 2009 at 12:17 PM, Jon Lewis wrote:
> On Thu, 19 Feb 2009, Zaid Ali wrote:
>
>> Hi, need some advice here. Do I still need to maintain my objects (and
>> pay) RADB? I use ARIN as source and all my route objects can be verified
>> with a whois.
>
> If your objects are all maintained via another routing registry (ARIN's,
> altdb, etc.) and you don't care to maintain objects with radb.ra.net, then
> you do not need to pay RADB maintenance fees.
>
> --
> Jon Lewis               | I route
> Senior Network Engineer | therefore you are
> Atlantic Net            |
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_

-- 
-- Darren Bolding -- -- dar...@bolding.org --
Re: IPv6 Confusion
>> this is a slight exaggeration. it took me less than five years to get
>> rid of NLAs, TLAs, ... wooo wooo!
>
> Those were put in at the insistence of the ops / routing community

complete and utter bs!

randy
Re: real hardware router VS linux router
On Thu, 19 Feb 2009 09:30:16 EST, Deric Kwok said:
> Hi All
>
> Actually, what is the different hardware router VS linux router?

I'm continually amazed by the number of people who manage to conflate two entirely different issues here. There's *TWO* axes here:

                 | PC-class hardware | routing-blade-architecture hardware
    -------------+-------------------+------------------------------------
    proprietary  |                   |
    -------------+-------------------+------------------------------------
    open-source  |                   |

Kinda like that. A Juniper box (which is a BSD running on something that's *not* PC-class hardware) is a prime example that it's not "hardware versus linux" - it's two separate questions.

1) Is PC-class gear "good enough"? Do you have the hardware interfaces needed, and the I/O backplanes? Or is something with more oomph needed?

2) Does the software running on the box support the feature set you need?
Re: real hardware router VS linux router
You know you're off track when..

What operational relevance does this conversation, or the similar ones that came before it, have? Are there a bunch in production contributing to the degradation of the best route between me and this video of cute kittens I'm trying to watch? Did something of this breed cause some Eastern Europe BGP flappy flappy this week? I've got BGP and OSPF speaking Linux machines under my care, but I don't think everyone wants to hear about them unless they're out of control like the cast of Lord of the Flies set loose in a supermarket.

Having carped, I'm obligated to offer a solution: The technical discussion is certainly interesting to a small subset of NANOG participants, I'm sure (I do find it interesting, I promise), but I'm thinking this conversation is better elsewhere, like a beer & gear, or might I recommend forming some kind of nanog-shoptalk sub list? Is there one like it? Something for discussing the network substrata and not the weather a few layers up? I'm aware of stuff like c-nsp/j-nsp, but the Linux router crowd has its own niche and there's certainly a place for discussing them, I just don't think it's.. here.

- billn
Re: do I need to maintain with RADB?
On Thu, 19 Feb 2009, Zaid Ali wrote:

> Hi, need some advice here. Do I still need to maintain my objects (and
> pay) RADB? I use ARIN as source and all my route objects can be verified
> with a whois.

If your objects are all maintained via another routing registry (ARIN's, altdb, etc.) and you don't care to maintain objects with radb.ra.net, then you do not need to pay RADB maintenance fees.

--
Jon Lewis                   | I route
Senior Network Engineer     | therefore you are
Atlantic Net                |
_ http://www.lewis.org/~jlewis/pgp for PGP public key_
Re: Network SLA
Saqib Ilyas wrote:
> Greetings
> I am curious to know about any tools/techniques that a service provider uses
> to assess an SLA before signing it. That is to say, how does an administrator
> know if he/she can meet what he is promising. Is it based on experience? Are
> there commonly used tools for this?
> Thanks and best regards

Not necessarily as a direct answer (I am pretty sure there'll be others on this list giving details in the area of specific tools and standards), but I think this may be a question (especially considering your end result concern: *signing* the SLA!) equally applicable to your legal department. In the environment we live in nowadays, the SLA could (should?!? ... unfortunately) be "refined" and (at the other end - i.e. receiving) "interpreted" by the lawyers, with possibly equal effects (mostly financial and as overall impact on the business) as the tools we (the technical people) would be using to measure latency, uptime, bandwidth, jitter, etc...

Stefan
Re: anyone else seeing very long AS paths?
We are working on a document for Cisco.com but in the interim here is the bug that will fix the issue of a Cisco IOS device sending an incorrectly formatted BGP update when, as a result of prepending, it goes over 255 AS hops.

Note: The Title and Release-note on bug toolkit may be a bit different as I just updated it to be more accurate.

Of all the scenarios I've looked at (thanks to those that responded offline) there wasn't a condition found where this could happen without AS path prepending being used.

Please respond offline or let's move the discussion over to cisco-nsp at this point.

CSCsx73770
Invalid BGP formatted update causes peer reset with AS prepending

Symptom:
A Cisco IOS device that receives a BGP update message and as a result of AS prepending needs to send an update downstream that would have over 255 AS hops will send an invalid formatted update. This update, when received by a downstream BGP speaker, triggers a NOTIFICATION back to the sender which results in the BGP session being reset.

Conditions:
This problem is seen when a Cisco IOS device receives a BGP update and, due to a combination of either inbound, outbound, or both AS prepending, it needs to send an update downstream that has more than 255 AS hops.

Workaround:
The workaround is to implement bgp maxas-limit X on the device that after prepending would need to send an update with over 255 AS hops. Since IOS limits the inbound prepending value to 10, the most that could be added is 11 AS hops (10 on ingress, 10 on egress, and 1 for normal eBGP AS hop addition). Therefore, a conservative value to configure would be 200 to prevent this condition.

Full support of Section 5.1.2 of RFC4271 is being tracked under CSCsx75937
Add BGP support of AS paths longer than 255 per Section 5.1.2 of RFC4271

Thanks to those that worked offline with us to verify the field results reported.
Rodney

On Tue, Feb 17, 2009 at 05:27:01PM -0500, Rodney Dunn wrote:
> If you want to take this offline send it unicast or we could
> move it to cisco-nsp.
>
> What scenarios are you seeing that appear broken other than
> when a notification is sent when a > 255 hop update is received?
> That's the one I'm working on right now.
>
> Rodney
>
> On Tue, Feb 17, 2009 at 05:31:49PM -0500, German Martinez wrote:
> > On Tue Feb 17, 2009, Rodney Dunn wrote:
> >
> > Hello Rodney,
> > It will be great if you can share with us your findings. It seems
> > like we are hitting different bugs in different platforms.
> >
> > Thanks
> > German
> >
> > > Ivan,
> > >
> > > It is confusing but from what I have tested you have it correct.
> > >
> > > The confusing part comes from multiple issues.
> > >
> > > a) The documentation about the default maxas limit being 75 appears to be
> > >    incorrect. I'll get that fixed.
> > >
> > > b) Prior to CSCee30718 there was a hard limit of 255. After that fix
> > >    AS sets of more than 255 should work.
> > >
> > > c) CSCeh13489 implemented the maxas command to mark it as invalid and
> > >    not send.
> > >
> > > There does appear to be an issue when you cross the 255 boundary
> > > and the next hop router sends a notification back.
> > >
> > > I've got it recreated in the lab and we are working to clearly understand
> > > why that is. I'll post an update once we have more.
> > >
> > > The way to prevent it is the upstream device that crosses the 255 boundary
> > > on sending needs to use the maxas limit command to keep it less than 255.
> > >
> > > It doesn't work on the device that receives the update with the AS path
> > > larger than 255.
> > >
> > > Rodney
> > >
> > > On Tue, Feb 17, 2009 at 08:58:48PM +0100, Ivan Pepelnjak wrote:
> > > > > We were dropping ALL prefixes and the eBGP session was still
> > > > > resetting.
> > > >
> > > > Upstream or downstream?
> > > >
> > > > > 1) "bgp maxas-limit 75" had no effect mitigating this problem
> > > > > on the IOS we were using. That is: it was previously verified
> > > > > to be working just fine to drop paths longer than 75, but
> > > > > once we started receiving paths > 255 then BGP started resetting.
> > > >
> > > > I was able to receive BGP paths longer than 255 on IOS release 12.2SRC. The
> > > > paths were generated by Quagga BGP daemon.
> > > >
> > > > 12.2SRC causes the downstream session to break when the installed AS-path
> > > > length is close to 255 and you use downstream AS-path prepending.
> > > >
> > > > In your case, I'm assuming you were hit with an older bug (probably at the
> > > > 128 AS-path length boundary). It would be very hard to generate just the
> > > > right AS-path length to unintentionally break your upstream EBGP session (as
> > > > I said before, it's a nice targeted attack if you know your downstream
> > > > topology).
> > > >
> > > > If your IOS is vulnerable to the older bugs that break inbound processing of
> > > > AS paths longer than 1
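The "lots of prepends" post asks how an ASN could turn into a prepend count of ASN modulo 256, and Rodney's bug description turns on an AS_PATH that crosses 255 hops. The Python below is an added illustration, not code from any poster or from Cisco: it encodes an AS_PATH using the one-octet segment length from RFC 4271 (splitting into a second segment past 255 hops, per section 5.1.2), models a non-splitting encoder so you can see why a downstream parser loses sync on a 300-hop path (the NOTIFICATION case), and runs a maxas-limit style check over a %BGP-6-ASPATH syslog line. The log line, the 192.0.2.1 peer address and every function name here are constructed for the example.

```python
"""Added illustration (not code from the NANOG thread): how the one-octet
AS_PATH segment length in RFC 4271 interacts with heavy prepending, plus a
maxas-limit style check run over a constructed %BGP-6-ASPATH syslog line."""
import re
import struct

AS_SEQUENCE = 2                      # RFC 4271 4.3 segment type
MAX_SEGMENT_ASES = 255               # segment length is a single octet
VALID_SEGMENT_TYPES = {1, 2, 3, 4}   # AS_SET, AS_SEQUENCE, CONFED_SEQUENCE, CONFED_SET


def encode_as_path(ases):
    """Encode 2-octet ASNs as AS_SEQUENCE segments, opening a new segment
    every 255 hops, which is what RFC 4271 section 5.1.2 requires."""
    out = bytearray()
    for i in range(0, len(ases), MAX_SEGMENT_ASES):
        chunk = ases[i:i + MAX_SEGMENT_ASES]
        out += struct.pack("!BB", AS_SEQUENCE, len(chunk))
        out += struct.pack("!%dH" % len(chunk), *chunk)
    return bytes(out)


def buggy_encode_single_segment(ases):
    """Model (constructed) of the defect the thread discusses: the hop count
    is written into one octet without splitting, so 300 hops yields a length
    byte of 44 and the receiver's parser loses sync with the attribute."""
    length_byte = len(ases) & 0xFF
    return struct.pack("!BB", AS_SEQUENCE, length_byte) + struct.pack("!%dH" % len(ases), *ases)


def decode_as_path(blob):
    """Parse AS_PATH segments into a flat ASN list; raise ValueError on
    anything a receiving speaker would answer with a NOTIFICATION."""
    ases, off = [], 0
    while off < len(blob):
        seg_type, seg_len = struct.unpack_from("!BB", blob, off)
        off += 2
        if seg_type not in VALID_SEGMENT_TYPES:
            raise ValueError("bad segment type %d at offset %d" % (seg_type, off - 2))
        if off + 2 * seg_len > len(blob):
            raise ValueError("truncated segment at offset %d" % (off - 2))
        ases += list(struct.unpack_from("!%dH" % seg_len, blob, off))
        off += 2 * seg_len
    return ases


def decodes_cleanly(blob):
    """True if the attribute parses without error."""
    try:
        decode_as_path(blob)
        return True
    except ValueError:
        return False


def prepend_count_if_truncated(asn):
    """Mikael's hypothesis: an ASN squeezed into one byte becomes a prepend
    count of asn mod 256 (20912 -> 176, 47868 -> 252)."""
    return asn & 0xFF


def would_overflow_after_prepend(hops, prepends):
    """Whether adding `prepends` to an inbound path of `hops` crosses the
    255-hop boundary that the bug description turns on."""
    return hops + prepends > MAX_SEGMENT_ASES


# Constructed sample in the shape of the IOS message quoted in the thread;
# 192.0.2.1 is a documentation address standing in for the real peer.
SAMPLE_LOG = ("Feb 19 16:20:35: %BGP-6-ASPATH: Long AS path 8001 8928 "
              + "20912 " * 110
              + "received from 192.0.2.1: More than configured MAXAS-LIMIT")

LOG_RE = re.compile(r"%BGP-6-ASPATH: Long AS path (?P<path>[\d ]+?) received from (?P<peer>[^:\s]+)")


def parse_aspath_log(line):
    """Pull the path and peer out of a %BGP-6-ASPATH line and summarise how
    much of the length is one AS repeating itself (i.e. prepending)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    path = [int(tok) for tok in m.group("path").split()]
    origin = path[-1]
    return {"peer": m.group("peer"), "path": path, "hops": len(path),
            "origin": origin, "origin_repeats": path.count(origin)}


def exceeds_maxas(path, limit):
    """The check `bgp maxas-limit` performs: flag paths longer than limit."""
    return len(path) > limit
```

Running `parse_aspath_log(SAMPLE_LOG)` reports 112 hops of which 110 are the origin AS repeating, and `exceeds_maxas` with the limit Paul mentions (100) is true while a limit of 200 passes it; `decodes_cleanly(buggy_encode_single_segment(path))` on a 300-hop path is false because the parser reads a bogus segment type out of the 45th ASN, which is the downstream NOTIFICATION Rodney describes.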
do I need to maintain with RADB?
Hi, need some advice here. Do I still need to maintain my objects (and pay) RADB? I use ARIN as source and all my route objects can be verified with a whois.

Thanks,
Zaid
Re: real hardware router VS linux router
On 2/19/2009 9:37 AM, Ryan Harden wrote:
> While you could probably build a linux router that is just as fast as a
> real hardware router, you're always going to run into the moving pieces
> part of the equation. In almost all scenarios, moving parts are more prone
> to failure than non-moving parts. Regardless of what you find out in your
> research, consider the above in your cost-benefit analysis.
>
> /Ryan
>
> Deric Kwok wrote:
>> Hi All
>> Actually, what is the different hardware router VS linux router? Have you
>> had experience to compare real router eg: cisco VS linux router? eg:
>> streaming speed... tcp / udp
>> Thank you for your information
>
> --
> Ryan M. Harden, BS, KC9IHX                 Office: 217-265-5192
> CITES - Network Engineering                Cell:   630-363-0365
> 2130 Digital Computer Lab                  Fax:    217-244-7089
> 1304 W. Springfield                        email:  harde...@illinois.edu
> Urbana, IL 61801
> University of Illinois at Urbana/Champaign
> University of Illinois - ICCN

SSDs remove the spindle from the equation.. otherwise they both have fans that do fail.
Re: real hardware router VS linux router
Ingo Flaschberger wrote:
>
> this platform can handle about
> 100.000pps and 400mbit 1500byte packets with freebsd
> http://lannerinc.com/Network_Application_Platforms/x86_Network_Appliance/1U_Network_Appliances/FW-7550
>
> hardware:
> 4x pci 32bit, 33mhz intel gbit
> 1gb cf-card
> 1gb ram
>
> with this hardware even more pps should be possible:
> http://www.axiomtek.de/network_appliances/network_appliances/smb_network_security_platform/na820.html
>
> hardware:
> 7x pcie (1lane each) connected network

A very quick test through a box much like the one in your latter link, running FBSD 7.1, Quagga, and many IPFW rules, to a machine that is not very busy:

receiver% netstat -h -w 1
            input        (Total)           output
   packets  errs      bytes    packets  errs      bytes colls
         1     0         60          1     0        170     0
         1     0         60          1     0        170     0
         1     0         60          1     0        170     0
         1     0         60          1     0        170     0
       47K     0        28M          1     0        170     0
      132K     0        77M          1     0        170     0
      133K     0        78M          1     0        170     0
      133K     0        78M          1     0        170     0
      131K     0        77M          1     0        170     0
      132K     0        77M          1     0        170     0
      132K     0        78M          1     0        170     0
      133K     0        78M          1     0        170     0

Steve
Re: more AS prepend antics?
--- nrauhau...@gmail.com wrote:
From: neal rauhauser

What in the world is someone doing with that many prepends? I'm trying to envision what would drive such a decision - small, regional player on one
---

Playing with the internet just to see what happens? ;-)

scott
RE: IPv6 Confusion
christopher.mor...@gmail.com wrote:
> >...
> > Yes people expect 1:1 functionality, but how many of them are
> > stepping up to
>
> how many vendors are implementing willy-nilly v4 feature requests for
> their enterprise/isp customers? does it not seem reasonable to look at
> each one and say: "Gosh, if you want a TE knob for v4, surely you'll
> want that in v6 'soon' yes?" (replace TE knob with ... us about every
> other knob requested actually). The argument that 'You have to ask
> for v6 knobs that exist in v4 else they won't happen' flies in the face
> of the argument that: "People don't want v4 or v6, they just want IP
> connectivity."

The reality is that people are telling the vendor 'I need X NOW, don't bother with slowing down to make IPv6 work while you are at it'. Since the list of X is never ending, nobody ever gets time to go back and add IPv6. If you expect IPv6 in your products, you have to put money on the table. Expecting that a vendor will do something that you are telling them not to by your procurement habits is really silly.

> This doesn't exactly follow for the IETF process, though it really
> ought to for a goodly number of things. If you are using something in
> v4, and it got added via the consensus process in the IETF, it's very
> likely that you will need like functionality in v6.

No, the ops community does not use everything that the IETF turns out. How many people still use SLIP, RIP, EGP, SMTP over X.25, IP over ARCNET, FDDI-mib, ...??? The IETF needs operational input about what is really useful, and that has to come from people that are running networks.

> DHCP and
> Multihoming are just 2 simple examples of this. I still can't see how:
> "but v6 has autoconf so you don't need dhcp!" is even attempted as an
> argument after 1996. Surely vendors of networking gear and consumer
> OS's realized before 1996 that things other than 'address and default
> route' are important to end stations?? I know these entities use other
> features in their enterprise networks...

There are vast differences in how enterprise networks are run today than they were 10 years ago, and in both cases they are different than how consumer networks are run. Again, this group is composed of professional network managers, and they want explicit knobs to manage things. Other environments don't care about those knobs and shouldn't be required to understand and tweak them. Both are valid and need to operate independently of the other.

> > the table with $$$ to make that happen... In the US, it is only the
> > DoD. In
> > the ISP space, most of it comes from Japan. If you are not finding
> > what you
>
> I thought EU also was spending on v6?

The EU talks a lot, but outside of the 6net/6diss projects has not really put much money behind it, that I am aware of. Even those efforts were more about documenting what was operationally possible at the time than they were about defining requirements.

Tony
RE: IPv6 Confusion
David Conrad wrote:
> Tony,
>
> On Feb 18, 2009, at 11:13 AM, Tony Hain wrote:
> > The bottom line is, if you want something to be defined in a way
> > that works for you, you have to participate in the definition.
>
> Well, yes. But there is an impedance mismatch here.

No argument.

> The IETF still seems to operate under the assumption that the folks
> who run the networks are the same folks who implement the code the
> network runs on top of. I figure this (mostly) stopped being the case
> (at least for the "production Internet") sometime in the mid-90s.
> Today, network operators and end users are the folks who are
> specifying requirements. Folks who go to IETFs are the ones who are
> trying to figure out the protocols to meet those requirements, or at
> least what they believe those requirements to be. Unfortunately,
> that's not what we have. We have network operators in their own
> little world, trying to keep the network running and protocol
> developers in their own little world, trying to come up with cool
> features that will make their protocols relevant, based on their own
> beliefs as to what is important or not. These two camps seem to
> intersect rarely.

Outside of a handful of people that make a point of it, there is almost no interaction.

> As such, it isn't particularly surprising when IETF protocol
> developers tell network operators who go to the IETF they aren't
> relevant. In the specific definition of protocol bits on the wire,
> network operators actually aren't that relevant. Network operators
> care about the functionality and multi-vendor interoperability,
> whether it is bit 8 in the second octet or bit 4 in the third octet
> that results in that functionality isn't a big concern (as long as
> everyone agrees). The network operators tell the vendors what sort of
> functionality they need, and the vendors go to the IETF to push their
> particular approach to address those requirements (or block another
> vendor's approach). This may be where Randy Bush derives his "IVTF"
> label.
>
> The problem is, since around the mid-90s, it seems we've taken it too
> far. The fact that the IETF has demonstrably ignored network operator
> input in stuff like DHCP or routing scalability means the IETF has
> developed protocols that don't meet network operator requirements.
> And because network operators can't be bothered to learn and argue the
> bit patterns, their ability to provide input into protocol definition
> is reduced to yelling from the sidelines or communicating via proxies
> with their own agendas.

Well, for a while there was a push to develop 'requirements' RFCs, but without participation from the ops community, these did little and were widely chastised as a waste of time. I personally disagree with that, as anytime you get more than a couple of people working on a problem you need to write down the expected outcome to keep everyone on track. In any case, there is a place to put high-level requirements into the system, it just needs to be exercised.

> Yes, there have been attempts to bridge the two camps, but I suspect
> the only way to really address this is a fundamental shift in the way
> the IETF does business, taking into account the fact that network
> operators and end users, by and large, are not the implementors of
> protocols and don't actually care how they are implemented, but rather
> the folks who define what the protocols need to do. I'll admit some
> skepticism that such a change is actually feasible.

It is easy to throw rocks and say that the other guy needs to change. Reality is that both sides need to move toward each other. There is nothing that says the ops community has to stay involved throughout the entire bit-positioning set of arguments, but if they don't engage at requirements definition time there is no hope that the outcome will be close to what they want.

Tony
RE: Network SLA
We use the BRIX active measurement instrumentation product to measure round-trip, jitter, and packet loss SLA conformity.

-----Original Message-----
From: Saqib Ilyas [mailto:msa...@gmail.com]
Sent: Thursday, February 19, 2009 7:50 AM
To: nanog@nanog.org
Subject: Network SLA

Greetings
I am curious to know about any tools/techniques that a service provider uses to assess an SLA before signing it. That is to say, how does an administrator know if he/she can meet what he is promising. Is it based on experience? Are there commonly used tools for this?
Thanks and best regards
--
Muhammad Saqib Ilyas
PhD Student, Computer Science and Engineering
Lahore University of Management Sciences
RE: Single fiber 10Gb/s X2 or Xenpak transceiver
Haven't seen one. With the huge heat sink and serialization circuitry on the X2, what advantage would a single strand connector bring? MRV may have one if anyone does, though.

-----Original Message-----
From: Andrey Slastenov [mailto:a.slaste...@gmail.com]
Sent: Thursday, February 19, 2009 1:06 AM
To: nanog@nanog.org
Subject: Single fiber 10Gb/s X2 or Xenpak transceiver

Hi Guys.
Do you ever see single fiber 10Gb/s X2 or Xenpak transceiver? (I know about SFP, but never see X2 or Xenpak before)
RE: IPv6 Confusion
Randy Bush wrote:
> > The fact that the *nog community stopped participating in the IETF has
> > resulted in the situation where functionality is missing, because nobody
> > stood up and did the work to make it happen.
>
> the ops gave up on the ietf because it did no good to participate. so
> the choice was spend the time accomplishing nothing or do something else
> with one's time.
>
> this is a slight exaggeration. it took me less than five years to get
> rid of NLAs, TLAs, ... wooo wooo!

Those were put in at the insistence of the ops / routing community as a way to constrain the routing table, by using the technology definition as a way to enforce a no-PI policy. The fact that it moved policy control from the RIRs to the IETF was later recognized as a problem, and moving it back was what took the time.

The 'give-up' attitude is now coming home as a set of definitions that are not meeting the operational needs. This is not a criticism of anyone, but the general global expectation of instant gratification is causing people to give up on long cycle issues that need active feedback to keep the system in check. Many in the *nog community criticize their management for having a long-range vision that only reaches to the end of the next quarter, and this is a case where the engineering side of the house is not looking far enough forward. If you don't give the vendors a couple of years notice that you require IPv6, don't expect it to be what you want. Then if you expect multiple vendors to implement something close to the same and the way you want it, you need to engage at the IETF to make sure the definition goes the right way.

Working group chairs are supposed to be facilitators for the work of the group, not dictators. If you are having a problem with a WG chair, inform the AD. If that doesn't help, inform the nomcom that the AD is not responsive. Giving up will only let the system run open-loop, and you should not be surprised when the outcome is not what you expect.

Tony
Re: Network SLA
On Thu, 19 Feb 2009, Saqib Ilyas wrote:

> I am curious to know about any tools/techniques that a service provider uses
> to assess an SLA before signing it. That is to say, how does an administrator
> know if he/she can meet what he is promising.

IME, the administrators don't have anything to do with what is signed. The "company" chooses what SLAs to sign with customers (typically whatever the customer requests, possibly with various levels of pricing for different agreements), but the operational staff are not involved.

If you're lucky, you have this information before you build and can -try- to build to suit. But most times, the SLAs are signed after you've built, and everyone just crosses their fingers. IME.

..david

---
david raistrick        http://www.netmeister.org/news/learn2quote.html
dr...@icantclick.org   http://www.expita.com/nomime.html
RE: Network SLA
Maybe the best way of addressing this is knowing exactly what we need to measure - if IP traffic, services or processes. If the timescale of a process (ie: MTTRs) and/or procedure, or just data and/or voice traffic from point A to B. Or just scoping the measurements as being the performance of the core network, or only related to usage based service. And that takes us to the TMN model and to the bottom-up approach starting w/ the FCAPS.

You have freeware, shareware and licensed tools, or most likely specific vendor-related tools linked only to one vendor or one type of equipment. I am sure you've heard of RRD/MRTG, just like a few others that normally sit on the bottom tier and have an upstream chain correlating the events. Most times the options are about suitability and what the software version is prepared to report on, so they are seen as more "suitable" to customers.

--- On Thu, 2/19/09, Andreas, Rich wrote:
> From: Andreas, Rich
> Subject: RE: Network SLA
> To: "Saqib Ilyas" , nanog@nanog.org
> Date: Thursday, February 19, 2009, 5:59 PM
>
> Availability cannot be calculated in advance. It typically is based on
> historical component failure information. Sound design ensures
> redundancy and eliminates single point of failure.
>
> As for the rest, CIR, Latency, Jitter, Loss . this can be tested
> prior to customer handover with any number of tools and protocols
> including IEEE 802.11ag/ah, ITU-T 1731, IETF RFC2544. Hand-helds are
> typically not cost effective.
>
> Rich Andreas
> Comcast Network Engineering
>
> -----Original Message-----
> From: Saqib Ilyas [mailto:msa...@gmail.com]
> Sent: Thursday, February 19, 2009 10:50 AM
> To: nanog@nanog.org
> Subject: Network SLA
>
> Greetings
> I am curious to know about any tools/techniques that a service provider uses
> to assess an SLA before signing it. That is to say, how does an
> administrator know if he/she can meet what he is promising. Is it based on
> experience? Are there commonly used tools for this?
> Thanks and best regards
> --
> Muhammad Saqib Ilyas
> PhD Student, Computer Science and Engineering
> Lahore University of Management Sciences
RE: single fiber 10Gb/s X2 or Xenpak transceiver
We just got in 4 of the X2's.

Vernon Leonard
Tarrant County IT

-----Original Message-----
From: Andrey Slastenov [mailto:a.slaste...@gmail.com]
Sent: Thursday, February 19, 2009 4:18 AM
To: nanog
Subject: single fiber 10Gb/s X2 or Xenpak transceiver

Hi Guys.
Do you ever see single fiber 10Gb/s X2 or Xenpak transceiver? (I know about SFP, but never see X2 or Xenpak before)
Re: IPv6 Confusion
On Thu, 19 Feb 2009, Christopher Morrow wrote:

>> That is not what the decision said. The point was that the DHCP WG was not
>> going to decide for you what was necessary or appropriate to carry forward.
>> Rather than add baggage that nobody actually uses, there is nothing until
>> someone says 'I need that'. Never mind that DHCP wasn't defined when the
>> IPng work started, and wasn't in widespread use yet when DHCPv6 was being
>> started ...
>
> and ipv4 didn't stop evolving when ipv6 started being
> designed/engineered/'architected'. If new use cases, or different business
> cases were evolved in the v4 world, it seems that those should have also
> trickled back into the v6 work. That does not seem to have been the case,
> multihoming is but one example of this.

Nobody will stop you from going to the RIR and arguing for a PI address space for IPv6. You will be able to use PI IPv6 addresses similarly to how you used PI IPv4.

> This doesn't exactly follow for the IETF process, though it really ought to
> for a goodly number of things. If you are using something in v4, and it got
> added via the consensus process in the IETF, it's very likely that you will
> need like functionality in v6. DHCP and Multihoming are just 2 simple
> examples of this. I still can't see how: "but v6 has autoconf so you don't
> need dhcp!" is even attempted as an argument after 1996. Surely vendors of
> networking gear and consumer OS's realized before 1996 that things other
> than 'address and default route' are important to end stations?? I know
> these entities use other features in their enterprise networks...

In IPv6 you have, next to static and DHCP, the additional option of autoconfiguration. Since autoconfiguration was developed earlier, it is assumed to be available in most IPv6 implementations. You can argue that DHCPv6 client support is a vital part of the IPv6 node requirements...

Janos Mohacsi
Network Engineer, Research Associate, Head of Network Planning and Projects
NIIF/HUNGARNET, HUNGARY
Key 70EF9882: DEC2 C685 1ED4 C95A 145F 4300 6F64 7B00 70EF 9882

>> the table with $$$ to make that happen... In the US, it is only the DoD. In
>> the ISP space, most of it comes from Japan. If you are not finding what you
>
> I thought EU also was spending on v6?
>
> -chris
Re: real hardware router VS linux router
this platform can handle about 100.000pps and 400mbit 1500byte packets with freebsd
http://lannerinc.com/Network_Application_Platforms/x86_Network_Appliance/1U_Network_Appliances/FW-7550

hardware:
4x pci 32bit, 33mhz intel gbit
1gb cf-card
1gb ram

with this hardware even more pps should be possible:
http://www.axiomtek.de/network_appliances/network_appliances/smb_network_security_platform/na820.html

hardware:
7x pcie (1lane each) connected network

add: freebsd-net mailing list people achieved nearly 1.000.000pps with servers (hp-servers)

I suggest using the freebsd os if quagga is the routing daemon, as quagga runs more stably there than on linux. I currently have 300 days uptime at my border routers (2x FW-7550); last week I had a peak of 230mbit/s, no problem to handle.

Kind regards,
ingo flaschberger
Re: real hardware router VS linux router
Patrick W. Gilmore wrote:
> On Feb 19, 2009, at 10:54 AM, Bill Blackford wrote:
>
>> In scaling upward. How would a linux router even if a kernel guru were
>> to tweak and compile an optimized build, compare to a 7600/RSP720CXL
>> or a Juniper PIC in ASIC? At some point packets/sec becomes a
>> limitation I would think.
>
> I've asked this before and been told you can get PCI cards with multiple
> GigE ports, or even build specialized PCI cards that look like PICs.
>
> So I congratulated them on re-inventing Juniper.

multiport network interfaces substantially predate the existence of asic based l3 forwarding. I can just barely remember what a router looked like in 1991, but our compaq and sun pedestal servers certainly had them. we have variously, and in use today, as standardized form factors in embedded network optimized pc platforms:

cpci (6u eurocard) - which is neither compact nor pci but I digress
pmc
xmc
atca
amc
standard pci-e
mini-pci-e

when we consider that a gen2.0 8x pci-e point-to-point link can carry ~32Gbits/s symmetric, the building blocks are certainly there for multiport interfaces, and 4xge or 2x10Gbe per slot interfaces are relatively de rigueur in pc based firewall/ips/network appliance platforms...
RE: Network SLA
Availability cannot be calculated in advance. It typically is based on historical component failure information. Sound design ensures redundancy and eliminates single point of failure.

As for the rest, CIR, Latency, Jitter, Loss . this can be tested prior to customer handover with any number of tools and protocols including IEEE 802.11ag/ah, ITU-T 1731, IETF RFC2544. Hand-helds are typically not cost effective.

Rich Andreas
Comcast Network Engineering

-----Original Message-----
From: Saqib Ilyas [mailto:msa...@gmail.com]
Sent: Thursday, February 19, 2009 10:50 AM
To: nanog@nanog.org
Subject: Network SLA

Greetings
I am curious to know about any tools/techniques that a service provider uses to assess an SLA before signing it. That is to say, how does an administrator know if he/she can meet what he is promising. Is it based on experience? Are there commonly used tools for this?
Thanks and best regards
--
Muhammad Saqib Ilyas
PhD Student, Computer Science and Engineering
Lahore University of Management Sciences
Re: IPv6 Confusion
On Wed, Feb 18, 2009 at 5:30 PM, Tony Hain wrote:
> Daniel Senie wrote:
>> >...
>> > No, the decision was to not blindly import all the excess crap from
>> IPv4. If
>> > anyone has a reason to have a DHCPv6 option, all they need to do is
>> specify
>> > it. The fact that the *nog community stopped participating in the
>> IETF has
>> > resulted in the situation where functionality is missing, because
>> nobody
>> > stood up and did the work to make it happen.
>>
>> Because clearly everything done in IPv4 space was crap, or should be
>> assumed to be crap. Therefore, everything that's been worked out and
>> made to function well in the last 25+ years in IPv4 space should be
>> tossed and re-engineered. OSI anyone?
>
> That is not what the decision said. The point was that the DHCP WG was not
> going to decide for you what was necessary or appropriate to carry forward.
> Rather than add baggage that nobody actually uses, there is nothing until
> someone says 'I need that'. Never mind that DHCP wasn't defined when the
> IPng work started, and wasn't in widespread use yet when DHCPv6 was being
> started ...

and ipv4 didn't stop evolving when ipv6 started being designed/engineered/'architected'. If new use cases, or different business cases were evolved in the v4 world, it seems that those should have also trickled back into the v6 work. That does not seem to have been the case, multihoming is but one example of this.

>> The point, which seems to elude many, is that rightly or wrongly there
>> is an assumption that going from IPv4 to IPv6 should not involve a step
>> back in time, not on security, not on central configuration capability,
>> not on the ability to multihome, and so forth. The rude awakening is
>> that the IPv6 evangelists insisting everyone should "get with the
>> program" failed to understand that the community at large would expect
>> equivalent or better functionality.
>
> Yes people expect 1:1 functionality, but how many of them are stepping up to

how many vendors are implementing willy-nilly v4 feature requests for their enterprise/isp customers? does it not seem reasonable to look at each one and say: "Gosh, if you want a TE knob for v4, surely you'll want that in v6 'soon' yes?" (replace TE knob with ... us about every other knob requested actually). The argument that 'You have to ask for v6 knobs that exist in v4 else they won't happen' flies in the face of the argument that: "People don't want v4 or v6, they just want IP connectivity."

This doesn't exactly follow for the IETF process, though it really ought to for a goodly number of things. If you are using something in v4, and it got added via the consensus process in the IETF, it's very likely that you will need like functionality in v6. DHCP and Multihoming are just 2 simple examples of this. I still can't see how: "but v6 has autoconf so you don't need dhcp!" is even attempted as an argument after 1996. Surely vendors of networking gear and consumer OS's realized before 1996 that things other than 'address and default route' are important to end stations?? I know these entities use other features in their enterprise networks...

> the table with $$$ to make that happen... In the US, it is only the DoD. In
> the ISP space, most of it comes from Japan. If you are not finding what you

I thought EU also was spending on v6?

-chris
RE: real hardware router VS linux router
> In scaling upward. How would a linux router even if a kernel guru were
> to tweak and compile an optimized build, compare to a 7600/RSP720CXL or
> a Juniper PIC in ASIC? At some point packets/sec becomes a limitation I
> would think.

Is anyone building linux/bsd-box add-on cards with off the shelf packet processors? Maybe something with the likes of http://www.netlogicmicro.com/ or whatever?
Re: real hardware router VS linux router
On Feb 19, 2009, at 10:54 AM, Bill Blackford wrote:
> In scaling upward. How would a linux router even if a kernel guru were
> to tweak and compile an optimized build, compare to a 7600/RSP720CXL or
> a Juniper PIC in ASIC? At some point packets/sec becomes a limitation I
> would think.

I've asked this before and been told you can get PCI cards with multiple GigE ports, or even build specialized PCI cards that look like PICs.

So I congratulated them on re-inventing Juniper.

--
TTFN,
patrick
Re: real hardware router VS linux router
Bill Blackford wrote:
> In scaling upward. How would a linux router even if a kernel guru were
> to tweak and compile an optimized build, compare to a 7600/RSP720CXL or
> a Juniper PIC in ASIC? At some point packets/sec becomes a limitation I
> would think.

It scales quite well, I'm sure, if you take about 12-16 servers, interconnect them at 256+ gigabit, build your own communication protocols between them. Hmmm. This is starting to sound like the Juniper layout prior to them having hardware. :)

-Jack
Re: IPv6 Confusion
On Feb 19, 2009, at 10:23 AM, Steven M. Bellovin wrote:
> On Thu, 19 Feb 2009 10:19:19 -0500 Leo Bicknell wrote:
>> In a message written on Thu, Feb 19, 2009 at 10:01:59AM -0500, Jared Mauch wrote:
>>> Would it be insane to have an IETF back-to-back with a NANOG?
>>
>> Probably, but it would be a good idea. :)
>>
>> I have no idea how the IETF agenda is set, but that may be part of
>> the trick. I suspect network operators care a lot about protocols
>> at lower layers in the stack, and less and less at higher levels
>> in the stack.
>>
>> SeND, DHCP, the RA stuff are all very important to us; some new
>> header field in HTTP or IMAP much less so. Since IETF is usually
>> 5 days, it would be nice if that lower level stuff could be adjacent
>> to NANOG.
>
> The IETF agenda isn't set that way -- not even close...
>
> The big problem I see is that after a week of IETF, I'm *completely*
> fried. It's also just a very long time to be away from my family.

I fully agree. There is no time at any IETF meeting (at least for me, FWIW) to go to other meetings.

Note that IETF agenda times are set out some time into the future to avoid conflicts with IEEE 802.1 and other bodies: http://www.ietf.org/meetings/0mtg-sites.txt

If you want to pick a date and make a proposal, send it to Ray Pelletier and / or the IAOC i...@ietf.org i...@ietf.org

Regards
Marshall

> --Steve Bellovin, http://www.cs.columbia.edu/~smb
RE: real hardware router VS linux router
In scaling upward. How would a linux router even if a kernel guru were to tweak and compile an optimized build, compare to a 7600/RSP720CXL or a Juniper PIC in ASIC? At some point packets/sec becomes a limitation I would think.

-b

-Original Message-
From: Ryan Harden [mailto:harde...@uiuc.edu]
Sent: Thursday, February 19, 2009 6:37 AM
To: Deric Kwok
Cc: nanog@nanog.org
Subject: Re: real hardware router VS linux router

While you could probably build a linux router that is just as fast as a real hardware router, you're always going to run into the moving pieces part of the equation. In almost all scenarios, moving parts are more prone to failure than non-moving parts.

Regardless of what you find out in your research, consider the above in your cost-benefit analysis.

/Ryan

Deric Kwok wrote:
> Hi All
>
> Actually, what is the different hardware router VS linux router?
>
> Have you had experience to compare real router eg: cisco VS linux router?
>
> eg: streaming speed... tcp / udp
>
> Thank you for your information

--
Ryan M. Harden, BS, KC9IHX Office: 217-265-5192
CITES - Network Engineering Cell: 630-363-0365
2130 Digital Computer Lab Fax: 217-244-7089
1304 W. Springfield email: harde...@illinois.edu
Urbana, IL 61801
University of Illinois at Urbana/Champaign
University of Illinois - ICCN
Network SLA
Greetings

I am curious to know about any tools/techniques that a service provider uses to assess an SLA before signing it. That is to say, how does an administrator know if he/she can meet what he is promising. Is it based on experience? Are there commonly used tools for this?

Thanks and best regards
--
Muhammad Saqib Ilyas
PhD Student, Computer Science and Engineering
Lahore University of Management Sciences
Re: real hardware router VS linux router
Ryan Harden wrote:
> While you could probably build a linux router that is just as fast as a
> real hardware router, you're always going to run into the moving pieces
> part of the equation. In almost all scenarios, moving parts are more
> prone to failure than non-moving parts.

It's quite possible to build Linux-based devices with few or no moving parts. Small embedded boards, and flash drives, are common and cheap; and for low-load situations it's possible to build a passively-cooled (i.e. no fans, so zero moving parts) system.

Higher-performance setups with a few moving parts (mainly fans) are still possible, but at some point you have to balance the time and effort of R&D and performance-tuning your system. If you save a few thousand dollars on hardware, but spend a few days tweaking everything, you may not come out ahead after all.

At least two vendors (Imagestream and Mikrotik) offer complete packages based on Linux; the latter also sells the software separately, for installation on your own hardware, and both offer support if you need it.

David Smith
MVN.net
Re: IPv6 Confusion
On Thu, 19 Feb 2009 10:19:19 -0500 Leo Bicknell wrote:
> In a message written on Thu, Feb 19, 2009 at 10:01:59AM -0500, Jared
> Mauch wrote:
>>
>> Would it be insane to have an IETF back-to-back with a NANOG?
>
> Probably, but it would be a good idea. :)
>
> I have no idea how the IETF agenda is set, but that may be part of
> the trick. I suspect network operators care a lot about protocols
> at lower layers in the stack, and less and less at higher levels
> in the stack.
>
> SeND, DHCP, the RA stuff are all very important to us; some new
> header field in HTTP or IMAP much less so. Since IETF is usually
> 5 days, it would be nice if that lower level stuff could be adjacent
> to NANOG.

The IETF agenda isn't set that way -- not even close...

The big problem I see is that after a week of IETF, I'm *completely* fried. It's also just a very long time to be away from my family.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: IPv6 Confusion
> Were you at the last NANOG when I did everything but beg for feedback?

Maybe I should have been more helpful. Here's the link:
http://www.nanog.org/meetings/nanog45/presentations/Wednesday/Murphy_light_sidr_N45.pdf

--Sandy
Re: IPv6 Confusion
In a message written on Thu, Feb 19, 2009 at 10:01:59AM -0500, Jared Mauch wrote:
>
> Would it be insane to have an IETF back-to-back with a NANOG?

Probably, but it would be a good idea. :)

I have no idea how the IETF agenda is set, but that may be part of the trick. I suspect network operators care a lot about protocols at lower layers in the stack, and less and less at higher levels in the stack.

SeND, DHCP, the RA stuff are all very important to us; some new header field in HTTP or IMAP much less so. Since IETF is usually 5 days, it would be nice if that lower level stuff could be adjacent to NANOG.

--
Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/
RE: IPv6 Confusion
Response inline.

-Original Message-
From: Carl Rosevear [mailto:carl.rosev...@demandmedia.com]
Sent: Tuesday, February 17, 2009 11:59 AM
To: nanog@nanog.org
Subject: IPv6 Confusion

> How does IPv6 addressing work?

RFC 2372 is a good starting point. With IPv6 we provide for every LAN network to be a /64. A good starting point would be counting your VLANs and trying to anticipate how many networks you will need (not how many hosts on said networks). Don't count any non-routed networks, as these can make use of ULA address space (the IPv6 equivalent to RFC 1918 space); for more info on ULA see RFC 4193.

If you assign a /64 to every LAN (as you should) then the rest is deciding how much address space you need for network identifiers (remember, since the host segment of each network is a /64 there is no need to define the number of hosts you will have on any given network). A /56 for example would provide you with 256 networks, which is more than enough for most mid-sized networks. If you need more, you could jump up to a /52, providing a 12 bit address space for network identifiers (or 4096) which is the same size as the 802.1Q VLAN ID field. This could be useful in tracking your IPv6 networks as you could essentially use those 12 bits to encode the hex value of the VLAN ID for any network you create (preventing address space conflicts). For very large organizations (multi-campus organizations for example) moving up to a /48 provides enough address space for 16 /52s, or 256 /56s (again, these are just examples, I like to keep the breaks 4 bits apart for readability, but you could use any mask in between). The point is you need to get away from the mindset of determining network sizes based on the number of hosts.

On a side note we do make use of /126 networks in the zero address space for link networks (router to router) as recommended by RFC 3627. The main reason for this is because a /64 for link networks (of which we have several) is very wasteful. Using the zero address space for these also provides us with the ability to have much shorter addresses for links using the :: notation; e.g. 2001:DB8::1.

With that said, I think most providers are giving out either /64s or /48s right now. IMHO a /48 is often wasteful, but it's not like the address space isn't there. If you're going to be using BGP for routing IPv6 (e.g. more than one provider) you'll want to have something larger than a /48 (/48 and /32 are the most common prefix sizes we see announced through BGP). Many ISPs will refuse to route anything smaller than a /32 though, so check with who you plan on getting service from first. If you don't have need for something that is a /48 or larger, you probably should just try to go through a single provider to assign you a prefix out of their space. Hurricane Electric (HE.net) offers free IPv6 tunnels with /64 or /48 prefix assignments. It might be a good option for you to play around with IPv6 before you go out and request a /32.

> I know it's been hashed and rehashed but several orgs I am associated
> with are about to ask for their allocations from ARIN and we are all
> realizing we don't really know how the network / subnet structure
> trickles down from the edge to the host. We really don't have a firm
> grasp of all of this as there seems to be multiple options regarding
> how many addresses should be assigned to a host, if the MAC address
> should be included in the address or if that is just for auto-
> configuration purposes or what the heck the deal is. There are a lot
> of clear statements out there and a lot that are clear as mud.
> Unfortunately, even when trying to analyze which RFC superseded
> another. Can I just subnet it all like IPv4 but with room to grow or
> is each host really going to need its own /84 or something? I can't
> see why hosts would need any more addresses than today but maybe I'm
> missing something because a lot of addressing models sure allow for a
> huge number of unique addresses per host.

You shouldn't make any network smaller than a /64; the exception is link networks as mentioned above, but even then there are purists who will say no to those and use /64s there as well. That's the entire point of having a 128-bit address space instead of a 64-bit address space. The intent was to do away with the need for NAT (which is costly and breaks the Internet).

Stateless Autoconfiguration (RFC 4862) is your friend; don't fight it. It will be some time before we see things like DHCPv6 snooping work its way into L2 security, but work is already in progress for protection against Router Advertisement (RA)... it's called RA Guard, and you can view the current draft of it here: http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01

On a side note, I always use ::1 for the gateway address, but there is no requirement for that. If you need to assign static IPs to hosts you can start using ::2 or even leave the first handful of ad
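The addressing plan described in the reply above, worked through as an added example (not code from the thread): a site prefix is split into /64 LANs whose network-identifier bits carry the 802.1Q VLAN ID verbatim, ::1 of each LAN is the gateway, and /126 link networks are carved out of the zero subnet. The 2001:db8::/52 and /56 site prefixes are constructed documentation-range values, and the check that a VLAN ID fits in the bits left over by a longer site prefix is added here beyond what the reply states.

```python
import ipaddress
from itertools import islice

# Constructed sample allocations from the 2001:db8::/32 documentation range,
# not real assignments. A /52 leaves 12 network-identifier bits, a /56 only 8.
SITE_PREFIX = ipaddress.IPv6Network("2001:db8::/52")
SMALL_PREFIX = ipaddress.IPv6Network("2001:db8:abcd:ff00::/56")

LAN_PREFIXLEN = 64    # every LAN is a /64; the host half is never sized by host count
LINK_PREFIXLEN = 126  # router-to-router links carved from the zero subnet


def network_id_bits(site):
    """Bits between the site prefix and /64 that identify individual LANs."""
    return LAN_PREFIXLEN - site.prefixlen


def subnet_count(site):
    """How many /64s the site prefix contains (256 for a /56, 4096 for a /52)."""
    return 1 << network_id_bits(site)


def vlan_fits(site, vlan_id):
    """True if the 802.1Q VLAN ID can be stored verbatim in the network bits."""
    return 1 <= vlan_id <= 4094 and vlan_id < subnet_count(site)


def vlan_subnet(site, vlan_id):
    """The /64 for a VLAN, with the VLAN ID encoded as the network identifier.

    With a /52 the 12 network bits match the 12-bit VLAN ID field exactly, so each
    VLAN maps to one /64 and two VLANs can never be given overlapping space. For a
    longer site prefix the VLAN ID must fit in the fewer remaining bits.
    """
    if not vlan_fits(site, vlan_id):
        raise ValueError(f"VLAN {vlan_id} does not fit in {network_id_bits(site)} "
                         f"network bits of {site}")
    base = int(site.network_address)
    shifted = vlan_id << (128 - LAN_PREFIXLEN)  # place the ID just above the /64 boundary
    return ipaddress.IPv6Network((base + shifted, LAN_PREFIXLEN))


def gateway(site, vlan_id):
    """::1 of the VLAN's /64, the convention the reply uses for the default gateway."""
    return vlan_subnet(site, vlan_id)[1]


def link_networks(site, count):
    """First `count` /126 link networks out of the site's zero /64.

    VLAN ID 0 is never valid, so the zero subnet is free for links, and addresses
    there compress to short forms such as 2001:db8::1.
    """
    zero_lan = ipaddress.IPv6Network((int(site.network_address), LAN_PREFIXLEN))
    return list(islice(zero_lan.subnets(new_prefix=LINK_PREFIXLEN), count))


def link_ends(link):
    """Router addresses on a /126: the two usable middle addresses, as strings."""
    return str(link[1]), str(link[2])


def build_plan(site, vlan_ids):
    """Map VLAN IDs to /64s and verify the result contains no overlapping prefixes."""
    plan = {vid: vlan_subnet(site, vid) for vid in vlan_ids}
    nets = list(plan.values())
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):  # cannot happen by construction; kept as a sanity check
                raise RuntimeError(f"{a} overlaps {b}")
    return plan


if __name__ == "__main__":
    for vid, net in build_plan(SITE_PREFIX, [1, 100, 4094]).items():
        print(f"VLAN {vid:4d} -> {net}  gateway {gateway(SITE_PREFIX, vid)}")
    for link in link_networks(SITE_PREFIX, 2):
        print(f"link {link} router ends {link_ends(link)}")
```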
Re: real hardware router VS linux router
Well, our operation uses linux everywhere and we have our own in house tiny embedded flavor with all the tools and things that make it suited for use in big and small boxes as many kinds of router and general packet flipping appliance. I have confidence built on long term, real world experience that says I can do this successfully, but the price I pay for it is the knowledge curve and having had to invent the 'right' mix of stuff, which includes compact flash based boot media, read-only filesystem, and minimal management (command line via ssh, you need to be an expert), as well as having had to select the right hardware (constraints include power on always, no dumb bios to stop the boot process, and other issues).

I would never ever recommend that anyone just 'use linux' for network appliances. It *can* do the job, but all the baggage of 'pc hardware' typically conspires to make for less than rock solid. Stuff like hard disks, which crash, malfunction, corrupt, and issues like - does the box power on when power is applied or does someone have to press a button? (You will note, most commercial hardware like routers and switches either don't have a power button, or simply default to being 'on' unless you take pains to flip buttons somewhere. But PCs typically have a power button you have to press to make it come on.) And there's other issues too - PC BIOSes also conspire to get in the way and stop the boot process. If they detect some sort of error, a key press, a missing disk, or many other excuses, they stop cold waiting for someone to 'press f1 to continue', or worse. Also most PC systems have single power supply units, which are of less sturdy construction and are more likely to burn out at some point than the more heavy duty commercial grade units you see in commercial router/switch equipment.

The difference then between linux and 'a hardware router' is that the manufacturer - cisco, juniper, whomever - has a large degree of control over the integration between their software and the hardware it runs on, and can dictate all of the things that make the product work like the boot process and its internal storage and whether there are sufficient fans and what kind of power supply(s) are present and whether there's a hardware watchdog (that works!) and the type of chips serving as the ethernet controllers (which dictates all kinds of things that the mnf considers 'features'). It's a long list.

To summarize, you can do many jobs with linux. How WELL you do them, however, is more of a function of how much experience and knowledge that you have. You can also do many jobs with commercial boxes, but how well you do that job can be expressed more in terms of selecting the right platform and plugging the right configuration lines into it, and both of these can easily be 'done well' in exchange for money (router vendor support team, etc).

Mike-

Deric Kwok wrote:
> Hi All
>
> Actually, what is the different hardware router VS linux router?
>
> Have you had experience to compare real router eg: cisco VS linux router?
>
> eg: streaming speed... tcp / udp
>
> Thank you for your information
Re: IPv6 Confusion
On Thu, Feb 19, 2009 at 09:56:35AM -0500, Sandy Murphy wrote:
> > I can't think of a single
> >> working group chair/co-chair that's ever presented at NANOG and asked
> >> for feedback.
>
> Were you at the last NANOG when I did everything but beg for feedback?

Would it be insane to have an IETF back-to-back with a NANOG?

- Jared

--
Jared Mauch | pgp key available via finger from ja...@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: IPv6 Confusion
> I can't think of a single
>> working group chair/co-chair that's ever presented at NANOG and asked
>> for feedback.

Were you at the last NANOG when I did everything but beg for feedback?

--Sandy
Re: real hardware router VS linux router
Imagestream is a very solid and mature solution. In order to head off the Holy War I am a Cisco guy too. It just depends on your budget and situation.

Justin

> From: Deric Kwok
> Date: Thu, 19 Feb 2009 09:30:16 -0500
> To:
> Subject: real hardware router VS linux router
>
> Hi All
>
> Actually, what is the different hardware router VS linux router?
>
> Have you had experience to compare real router eg: cisco VS linux router?
>
> eg: streaming speed... tcp / udp
>
> Thank you for your information
Re: real hardware router VS linux router
Deric Kwok wrote:
> Hi All
>
> Actually, what is the different hardware router VS linux router?
>
> Have you had experience to compare real router eg: cisco VS linux router?

Archives have discussed this at extreme length. The most interesting thing I saw come out of it was this:

http://data.guug.de/slides/lk2008/10G_preso_lk2008.pdf

See pictures describing the primary differences.
RE: real hardware router VS linux router
Not much really, besides your personal preference and the configurability of the device (while maintaining some semblance of sanity). There are some very nice custom linux based appliances out there, e.g. vyatta routers, which boast 10 times the throughput of Cisco (2800 series) routers; however it all comes down to what you want to do.

-Original Message-
From: Deric Kwok [mailto:deric.kwok2...@gmail.com]
Sent: Thursday, February 19, 2009 4:30 PM
To: nanog@nanog.org
Subject: real hardware router VS linux router

Hi All

Actually, what is the different hardware router VS linux router?

Have you had experience to compare real router eg: cisco VS linux router?

eg: streaming speed... tcp / udp

Thank you for your information
Re: real hardware router VS linux router
While you could probably build a linux router that is just as fast as a real hardware router, you're always going to run into the moving pieces part of the equation. In almost all scenarios, moving parts are more prone to failure than non-moving parts.

Regardless of what you find out in your research, consider the above in your cost-benefit analysis.

/Ryan

Deric Kwok wrote:
> Hi All
>
> Actually, what is the different hardware router VS linux router?
>
> Have you had experience to compare real router eg: cisco VS linux router?
>
> eg: streaming speed... tcp / udp
>
> Thank you for your information

--
Ryan M. Harden, BS, KC9IHX Office: 217-265-5192
CITES - Network Engineering Cell: 630-363-0365
2130 Digital Computer Lab Fax: 217-244-7089
1304 W. Springfield email: harde...@illinois.edu
Urbana, IL 61801
University of Illinois at Urbana/Champaign
University of Illinois - ICCN
real hardware router VS linux router
Hi All

Actually, what is the different hardware router VS linux router?

Have you had experience to compare real router eg: cisco VS linux router?

eg: streaming speed... tcp / udp

Thank you for your information
Re: IPv6 Confusion
On Wed, Feb 18, 2009 at 03:05:43PM -0600, Dale W. Carder wrote:
>
> On Feb 18, 2009, at 3:00 PM, Nathan Ward wrote:
>>
>> Is there something like this already that anyone knows of?
>
> http://tools.ietf.org/id/draft-chown-v6ops-rogue-ra-02.txt

There will be an update of this prior to March's IETF. If anyone has any comments please send them directly to me and we'll try to work them in.

Hopefully with this text as a 'why' and the RA Guard text as a 'how' we have some things to point vendors at. Though as some have pointed out RA Guard isn't applicable everywhere (just as SeND isn't too).

--
Tim
Re: IPv6 Confusion
Frank Bulk wrote:
> Considering that the only real IPv6-ready CPE at your favorite N.A.
> electronics store is Apple's AirPort, it seems to me that it will be
> several years before the majority (50% plus 1) of our respective
> customer bases has IPv6-ready or dual-stack equipment.

On the other hand, a majority of the routers purchased are for wireless connectivity, followed quickly by the necessity for multiple computers sharing a common subnet. Security and firewalls are not something most end users attribute to routers, but instead to their host based solutions. As such, I have no problem with pointing out that they can have 4.3 billion squared devices sitting off a cheap switch; all sharing the same subnet. Of course, wireless peeps will either have to use wireless bridges or have supported routers. Really, the AirPort is pretty stable and functional as a wireless AP. Most say it's worth the extra $$$.

-Jack
Re: IPv6 Confusion
Independent of this conversation, there has been some parallel interest in this problem area in the IETF. There is enough interest to suggest writing a draft defining additional options for DHCPv6 to allow "DHCPv6-only" operation. I'm writing as chair of the dhc WG to ask you, the operators who are asking for these extensions to DHCPv6, to provide clear technical requirements. What problem are you trying to solve and how do you want to solve it? Reply directly to me - no need for further congestion on this mailing list - and we can discuss those requirements. The deadline for draft publication prior to the upcoming IETF meeting in SF is March 3, so please respond soon. Thanks in advance... - Ralph
Re: IPv6 Confusion
> I think, for example, that Juniper is making a mistake by rolling v6
> capability into a license that also includes BGP and ISIS on some
> platforms. Cisco is guilty of this as well.
>
> I am not necessarily advocating that v6 must be a basic feature on every
> new box; but I don't think it is correct to force customers to buy a
> license that includes a lot of other bells and whistles just to get v6.
> It could be a separate cost.

I mean, surely the intellectual property has been developed now, are the vendors /still/ paying developers off for this? hasn't most of the money already been spent?
Re: IPv6 Confusion
On 19/02/2009 07:27, David Conrad wrote:
> those requirements to be. Unfortunately, that's not what we have. We
> have network operators in their own little world, trying to keep the
> network running and protocol developers in their own little world,
> trying to come up with cool features that will make their protocols
> relevant, based on their own beliefs as to what is important or not.
> These two camps seem to intersect rarely.

Naah, it's worse than that. It's an unholy triad of protocol developers, software developers and operators, each of which operates in their own playpen, and none of which actually communicate with anyone else.

While not wanting to stereotype things, some would say that the protocol developers think that the operators don't know crap about what's good for them, and that the three most important things in the world are correctness, committee approval and their own particular protocol.

On the other side are the operators, trying to build and maintain real world networks, and who when presented with the sort of trashy mess that we see with RA/DHCPv6, make decisions which makes sense for themselves at that particular time, even if it involves. Being human, they spend considerable amounts of time frothing at the mouth at whoever thought, for example, that RA was a good idea in the first place, or that DHCPv6 should lack a default-route option.

Stuck in the middle are the developers. The poor developers. Despised equally by both sides: on the one hand for butchering these beautiful, elegant protocols and churning out bug-ridden heaps of trash; on the other hand, for, well, butchering these bizarre, half-baked protocols and churning out bug-ridden heaps of trash. Life truly sucks for them.

Sorry, did someone say that we all work in the communications industry?

Nick
RE: IPv6 Confusion (back to technical conversation)
>>> I guess you don't use DHCP in IPv4 then.

>> No, you seem to think the failure mode is the same, and it is not.
>> Let's walk through this:
>> 1) 400 people get on the NANOG wireless network.
>> 2) Mr 31337 comes along and puts up a rogue DHCP server.
>> 3) All 400 people continue working just fine until their lease expires,
>> which is likely after the conference ends. The 10 people who came in
>> late get info from the rogue server, and troubleshooting ensues.

So a delayed failure makes it easier to troubleshoot? I'd rather know right away. Also - I'd rather not make the mistake in the first place ... but life isn't perfect.

>> Let's try with IPv6.
>> 1) 400 people get on the NANOG wireless network.
>> 2) Mr 31337 sends a rogue RA.
>> 3) 400 people instantly lose network access.
>> The 10 who come in late don't even bother to try and get on.
>> So, with DHCP handing out a default route we have 10/400 down, with
>> RA's we have 410/410 down. Bravo!

Right, so a timing difference is all you are talking about - and the malicious person would probably know his/her limitations, and therefore show up early. Same end result. Also - there are questions over what type of RA was sent (or, more correctly, what type of payload), the timing of the good RAs, etc. BUT, the point is taken - yes, rogue RAs are a problem and there is a solution being developed.

>> Let me clear up something from the start; this is not security. If
>> security is what you are after none of the solutions proffered so far
>> work. Rather this is robust network design. A working device
>> shouldn't run off and follow a new router in milliseconds like a lost
>> puppy looking for a treat.
>>
>> This actually offers a lot of protection from stupidity though. Ever
>> plug an IPv4 router into the wrong switch port accidentally? What
>> happened? Probably nothing; no one on the LAN used the port IP'ed in
>> the wrong subnet. They ignored it.
>>
>> Try that with an IPv6 router. About 10 ms after you plug into the
>> wrong port out goes an RA, the entire subnet ceases to function, and
>> your phone lights up like a christmas tree.

Right ... but you unplug it, NUD flushes and assuming you have your environment set right all is well in short order.

>> Let me repeat, none of these solutions are secure. The IPv4/DHCP
>> model is ROBUST, the RA/DHCPv6 model is NOT.

I would still disagree. More readily supporting multiple routers seems like a measure of robustness, to me anyway.

> Yup, understood.
> The point I am making is that the solution is still the same - filtering in
> ethernet devices.

YES!

> Perhaps there needs to be something written about detailed requirements for
> this so that people have something to point their switch/etc. vendors at when
> asking for compliance. I will write this up in the next day or two. I guess
> IETF is the right forum for publication of that.
>
> Is there something like this already that anyone knows of?

YES! http://tools.ietf.org/html/draft-ietf-v6ops-ra-guard-01

Push vendors for support, please. (For wireless, something like PSPF would work just fine AFAIK ... please correct me if I am wrong!)
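The "filtering in ethernet devices" that both posters agree on, as an added example written for this thread (not code from the thread or from the RA Guard draft): a minimal RA Guard policy that decodes ICMPv6 Router Advertisements from constructed sample frames and drops any RA that arrives on an untrusted access port, comes from a non-link-local source, is malformed, or announces a prefix the operator did not configure. The port names, the trusted uplink, the allowed prefix and the source addresses are assumptions.

```python
import ipaddress
import struct

ICMPV6_RA = 134          # ICMPv6 Router Advertisement type (RFC 4861)
OPT_PREFIX_INFO = 3      # Prefix Information option
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")

# Assumed policy for one access switch: only the uplink may carry RAs, and the
# legitimate router announces exactly one prefix. Names and prefixes are constructed.
TRUSTED_PORTS = {"ge-0/0/48"}
ALLOWED_PREFIXES = {ipaddress.IPv6Network("2001:db8:0:64::/64")}


def build_ra(router_lifetime, prefixes):
    """Constructed ICMPv6 RA payload (checksum left 0), used only to make sample frames."""
    msg = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # type, length (8-octet units), prefix length, L+A flags, valid, preferred, reserved
        msg += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                           2592000, 604800, 0) + net.network_address.packed
    return msg


def parse_ra(data):
    """Decode an RA header and its Prefix Information options; ValueError if malformed."""
    if len(data) < 16:
        raise ValueError("shorter than the 16-byte RA header")
    typ, _code, _csum, hop, _flags, lifetime, _reach, _retrans = struct.unpack(
        "!BBHBBHII", data[:16])
    if typ != ICMPV6_RA:
        raise ValueError(f"ICMPv6 type {typ} is not a Router Advertisement")
    prefixes, off = [], 16
    while off < len(data):
        if off + 2 > len(data):
            raise ValueError("truncated option header")
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")  # RFC 4861 says discard the packet
        end = off + olen * 8
        if end > len(data):
            raise ValueError("option runs past end of packet")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen = data[off + 2]
            prefixes.append(ipaddress.IPv6Network(
                (bytes(data[off + 16:off + 32]), plen), strict=False))
        off = end
    return {"hop_limit": hop, "router_lifetime": lifetime, "prefixes": prefixes}


def ra_guard(frame, trusted_ports=TRUSTED_PORTS, allowed=ALLOWED_PREFIXES):
    """Decide whether an RA seen on a switch port is forwarded or dropped, with a reason."""
    try:
        ra = parse_ra(frame["icmpv6"])
    except ValueError as err:
        return "drop", f"malformed RA on {frame['port']}: {err}"
    if frame["port"] not in trusted_ports:
        return "drop", f"RA on untrusted port {frame['port']} from {frame['src']}"
    src = ipaddress.IPv6Address(frame["src"])
    if src not in LINK_LOCAL:
        return "drop", f"RA from non-link-local source {src} on {frame['port']}"
    unexpected = [str(p) for p in ra["prefixes"] if p not in allowed]
    if unexpected:
        return "drop", f"RA on {frame['port']} advertises unexpected prefix {', '.join(unexpected)}"
    return "forward", f"RA on {frame['port']} from {src}, router lifetime {ra['router_lifetime']}s"


# Constructed sample frames: ingress port, IPv6 source, ICMPv6 payload.
SAMPLE_FRAMES = [
    {"port": "ge-0/0/48", "src": "fe80::1",
     "icmpv6": build_ra(1800, ["2001:db8:0:64::/64"])},                        # the real router
    {"port": "ge-0/0/7", "src": "fe80::1337",
     "icmpv6": build_ra(1800, ["2001:db8:dead::/64"])},                        # rogue on an access port
    {"port": "ge-0/0/48", "src": "2001:db8::5",
     "icmpv6": build_ra(1800, ["2001:db8:0:64::/64"])},                        # wrong source scope
    {"port": "ge-0/0/48", "src": "fe80::1",
     "icmpv6": build_ra(1800, ["2001:db8:0:64::/64", "2001:db8:bad::/64"])},   # extra prefix
    {"port": "ge-0/0/48", "src": "fe80::1",
     "icmpv6": build_ra(1800, ["2001:db8:0:64::/64"])[:20]},                   # truncated option
]


def audit(frames):
    """Run the policy over captured frames and return the (decision, reason) list."""
    return [ra_guard(f) for f in frames]


if __name__ == "__main__":
    for decision, reason in audit(SAMPLE_FRAMES):
        print(f"{decision:8s} {reason}")
```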
RE: IPv6 Confusion
Most service providers aren't in the business of maintaining their customer's home network, and if you have to place an ONT/DSL modem/cable modem at the customer premise, most of that gear operates at L2 with little L3 in the way (except perhaps if you place the PPPoA/E functionality on the DSL modem or service-provided broadband router).

Considering that the only real IPv6-ready CPE at your favorite N.A. electronics store is Apple's AirPort, it seems to me that it will be several years before the majority (50% plus 1) of our respective customer bases has IPv6-ready or dual-stack equipment.

Frank

-Original Message-
From: Brandon Galbraith [mailto:brandon.galbra...@gmail.com]
Sent: Tuesday, February 17, 2009 8:28 PM
To: Randy Bush
Cc: nanog@nanog.org
Subject: Re: IPv6 Confusion

Sounds like those consumer ISPs better get started on rolling out dual stacks to the CPE.

-brandon

--
Brandon Galbraith
Voice: 630.400.6992
Email: brandon.galbra...@gmail.com
RE: IPv6 Confusion
On Thu, 19 Feb 2009, Frank Bulk wrote:
> The really scary thing is that deploying carrier-grade NAT might be
> cheaper to the service provider than rolling IPv6 to its residential
> subscribers.

The really scary thing is that in areas where there are only two major ISPs, both might go for CGN and then you have no choice. The important thing is to have proper competition, that's the way innovation gets into the market.

On the other hand, I have little problem in seeing a future with different service offerings, one being "IPv4 only behind CGN" and another being "globally routable IPv4 address with 6to4 support" and a third being "globally routable IPv4 address with native IPv6 and a /56 (or /48)".

--
Mikael Abrahamsson email: swm...@swm.pp.se
RE: IPv6 Confusion
The really scary thing is that deploying carrier-grade NAT might be cheaper to the service provider than rolling IPv6 to its residential subscribers.

Frank

-Original Message-
From: Kevin Oberman [mailto:ober...@es.net]
Sent: Tuesday, February 17, 2009 3:30 PM
To: Owen DeLong
Cc: 'Carl Rosevear'; nanog@nanog.org
Subject: Re: IPv6 Confusion

The big iron folks are proposing something called "Carrier Grade NAT". This one REALLY frightens me, but I understand a couple of hardware manufacturers are planning on building such a monster. It might actually work, but the amount of state carried strikes me as an invitation to disaster.

There was a draft on CGN, but it expired last month. A copy is still available at:
http://smakd.potaroo.net/ietf/all-ids/draft-nishitani-cgn-00.txt

Also, a proposal for a different approach is at:
http://mice.cs.columbia.edu/getTechreport.php?techreportID=560 (PDF)

If you are really concerned about where we go when v4 address space is exhausted, I strongly urge you to look at all of these issues.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
single fiber 10Gb/s X2 or Xenpak transceiver
Hi Guys.

Do you ever see single fiber 10Gb/s X2 or Xenpak transceiver? (I know about SFP, but never see X2 or Xenpak before)