Re: ipv6 bogon / martian filter - simple

2010-06-15 Thread Jeroen Massar
On 2010-06-15 01:37, Brandon Applegate wrote:
> I mean really simple.  Like 2000::/3.  If it's not in there it's bogon,
> yes ?

At the current time and hopefully for the next 20 years at least yes ;)

> What I'm really asking, is for folks thoughts on using this - is it too
> restrictive ?

You should be fine for the lifetime of your job plus several other
years. Like any configuration you need to document it and the reasoning
behind it and if possible flag it in a way that people will re-examine
it in time.

google(ipv6 filter) if you want a set of filters which are tighter than
that and actually there is another keyword that you should be using:

RPSL

See RFC2622/2650 there are various tools that can provide you with
filters based on that data. Please also tell your
customers/peers/transits to use it, many already do and it is the proper
way to do filtering on your network.

As for routes that are not in the RPSL databases, make a local registry
with them and just feed your tools from it, kicking the folks to put
them in RPSL though is a better method ;)

Greets,
 Jeroen



Re: ipv6 bogon / martian filter - simple

2010-06-15 Thread Vesna Manojlovic

Hi Brandon,

On 6/15/10 9:02 AM, Jeroen Massar wrote:

> RPSL
>
> See RFC2622/2650 there are various tools that can provide you with
> filters based on that data. Please also tell your
> customers/peers/transits to use it, many already do and it is the proper
> way to do filtering on your network.

... and if you do want to learn about that, RIPE NCC has a "Routing 
Registry training course":


http://www.ripe.net/training/rr/outline.html

Participation in this hands-on workshop is limited to the LIRs 
(members of the RIPE NCC), but one of them could invite you as a guest; 
we also do presentations and workshops at conferences; and the material 
is free to download, and to re-use for educational purposes.



Regards,
Vesna
(RIPE NCC trainer)



Re: Monitoring Tool

2010-06-15 Thread Thorsten Dahm

Jens Link wrote:

> Thorsten Dahm  writes:
>
>> The usual suspects in the open source world would be nagios, cacti,
>> mrtg, netflow, ...
>
> There is no tool called netflow. ;-)

of course, the German guy has to complain again. :-)

cheers,
Thorsten



Re: Monitoring Tool

2010-06-15 Thread Joshua William Klubi
Who is the German guy



On Tue, Jun 15, 2010 at 9:01 AM, Thorsten Dahm  wrote:

> Jens Link wrote:
>
>> Thorsten Dahm  writes:
>>
>>> The usual suspects in the open source world would be nagios, cacti,
>>> mrtg, netflow, ...
>>>
>>
>> There is no tool called netflow. ;-)
>>
>
> of course, the German guy has to complain again. :-)
>
> cheers,
> Thorsten
>
>


RE: ipv6 bogon / martian filter - simple

2010-06-15 Thread George, Wes E IV [NTK]
This would be another alternative:
http://www.space.net/~gert/RIPE/ipv6-filters.html

Slightly more than 1 line, but the loose case would nuke a few more things than 
just filtering on 2000::/3 without requiring frequent updates. The strict case 
requires keeping after it for updates, and you'd probably be better off with 
Cymru.

Thanks,
Wes George

-----Original Message-----
From: Brandon Applegate [mailto:bran...@burn.net]
Sent: Monday, June 14, 2010 7:38 PM
To: nanog@nanog.org
Subject: ipv6 bogon / martian filter - simple

I mean really simple.  Like 2000::/3.  If it's not in there it's bogon,
yes ?

What I'm really asking, is for folks thoughts on using this - is it too
restrictive ?

How long until it's obsolete ?

Should be a really long time no ?

Again, just looking for some feedback either way.  Would be very nice to
have a single line ACL do this job.

--
Brandon Applegate - CCIE 10273
PGP Key fingerprint:
7407 DC86 AA7B A57F 62D1 A715 3C63 66A1 181E 6996
"SH1-0151.  This is the serial number, of our orbital gun."








networking podcasts

2010-06-15 Thread Oliver Gorwits

Hi folks,

Like probably many others on this list I have my couple of hours
commute each day, and tend to fill it with reading, or listening to
podcasts.

I've found the new PacketPushers podcast to be off to a pretty good
start (MPLS, DDoS, Trill, Interview Techniques, etc):

   http://packetpushers.net/

Are there any others, specifically on networking, that you know of?

regards,
oliver.
-- 
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services



RE: networking podcasts

2010-06-15 Thread Stefan Fouant
For you Juniper and Arbor wonks out there, you can find some decent podcasts
on iTunes...  I can't remember the name of the Juniper Podcast but you
should be able to find it on iTunes without much effort... I believe the
Arbor one is called "Security to the Core".

Stefan Fouant

-----Original Message-----
From: Oliver Gorwits [mailto:oliver.gorw...@oucs.ox.ac.uk] 
Sent: Tuesday, June 15, 2010 8:33 AM
To: nanog@nanog.org
Subject: networking podcasts


Hi folks,

Like probably many others on this list I have my couple of hours
commute each day, and tend to fill it with reading, or listening to
podcasts.

I've found the new PacketPushers podcast to be off to a pretty good
start (MPLS, DDoS, Trill, Interview Techniques, etc):

   http://packetpushers.net/

Are there any others, specifically on networking, that you know of?

regards,
oliver.
-- 
Oliver Gorwits, Network and Telecommunications Group,
Oxford University Computing Services





Re: networking podcasts

2010-06-15 Thread Andy Davidson

On 15 Jun 2010, at 14:37, Stefan Fouant wrote:

> For you Juniper and Arbor wonks out there, you can find some decent podcasts 
> on iTunes...  I can't remember the name of the Juniper Podcast but you should 
> be able to find it on iTunes without much effort... I believe the Arbor one 
> is called "Security to the Core".

There are quite a few Juniper ones[0], though they take the format of a 
tutorial rather than a discursive/magazine format though, which is OK, but not 
what I want when driving. :-)

There's a tool called 'Handbrake' for the Mac which can be used to re-encode 
the nanog (and other meeting) video downloads to a format suitable for the 
iPhone/iPod/iPad.  This is quite good for flights/trains.

Andy



[0] Example = 
http://itunes.apple.com/podcast/junos-as-a-switching-language/id292449024, some 
others are linked from the bottom of this page,


Re: Live streaming from NANOG49

2010-06-15 Thread T.J. Kniveton
I'm using a 24" iMac in full screen so the resolution is pretty decent. 
But I hadn't thought about the side benefit of watching what people are 
doing on their laptops, good entertainment value I suppose.


TJ

On 6/14/2010 4:34 PM, Matthew Petach wrote:

> On Mon, Jun 14, 2010 at 9:43 AM, T.J. Kniveton  wrote:
>
>> First off, thanks to the staffers who set up live streaming. I'm using HD
>> unicast, and the quality is great.
>>
>> That said, is it possible to have the camera zoom in to the presenter a bit?
>> The whole room is shown, and even on a 24" screen I still can't really see
>> the presenters very clearly, since there's some pixellation.
>
> Could just be your monitor.  On mine, I can see the laptop screens
> of the people in the back of the room.  Fun to watch what they're during
> the talks.  ^_^
>
> (I like the large view of room plus screens on side, myself)
>
> Matt
>
>> Thanks,
>>
>> TJ




RE: networking podcasts

2010-06-15 Thread Stefan Fouant
> -----Original Message-----
> From: Andy Davidson [mailto:a...@nosignal.org]
> Sent: Tuesday, June 15, 2010 10:38 AM
> To: nanog list
> Subject: Re: networking podcasts
> 
> There are quite a few Juniper ones[0], though they take the format of a
> tutorial rather than a discursive/magazine format though, which is OK, but
> not what I want when driving. :-)

No I'm not talking about the "JUNOS as a Switching/Security Language"
Podcasts - you are certainly right, those are more along the lines of
tutorials.  The ones I was referring to was a series called J-Net
Perspectives and they had decent coverage of topics like High Availability,
Multicast VPNs, and VPLS to name a few with the likes of Pedro Marques,
Lenny Giuliano, and some other Juniper notables.  See the URL below for the
iTunes links...

http://itunes.apple.com/us/podcast/j-net-perspectives/id279754930

Stefan Fouant




TWTC

2010-06-15 Thread Bill Blackford
Anyone on the list seeing issues with Time Warner on the West coast?



-- 
Bill Blackford
Network Engineer

Logged into reality and abusing my sudo privileges.



2010.06.15 NANOG49 day 1 notes, part 1

2010-06-15 Thread Matthew Petach
*heh*   OK, watching the web logs this morning while taking
notes, I saw a bunch of people trying to grab day 2 already.  ^_^;

So, given there seems to be some demand, I'm posting the
first half of today's notes at

http://kestrel3.netflight.com/2010.06.15-NANOG49-day2-part1.txt

Don't forget to fill out your survey!  I've forgotten twice now,
which isn't a good track record, so I'm pre-starting today's
survey ahead of time. ^_^;

Matt



Re: 2010.06.15 NANOG49 day 1 notes, part 1

2010-06-15 Thread jim deleskie
Thanks Matt!

-jim

On Tue, Jun 15, 2010 at 5:22 PM, Matthew Petach  wrote:
> *heh*   OK, watching the web logs this morning while taking
> notes, I saw a bunch of people trying to grab day 2 already.  ^_^;
>
> So, given there seems to be some demand, I'm posting the
> first half of today's notes at
>
> http://kestrel3.netflight.com/2010.06.15-NANOG49-day2-part1.txt
>
> Don't forget to fill out your survey!  I've forgotten twice now,
> which isn't a good track record, so I'm pre-starting today's
> survey ahead of time. ^_^;
>
> Matt
>
>



RE: TWTC

2010-06-15 Thread Mike Walter
Are you asking about TW Telecom or Time Warner Cable?  We have clients
in CA with TW Telecom with no issues at this time.

Mike Walter
Sr. Network Engineer
3z.net a PCD Company


-----Original Message-----
From: Bill Blackford [mailto:bblackf...@gmail.com] 
Sent: Tuesday, June 15, 2010 4:19 PM
To: nanog@nanog.org
Subject: TWTC

Anyone on the list seeing issues with Time Warner on the West coast?



-- 
Bill Blackford
Network Engineer

Logged into reality and abusing my sudo privileges.




2010.06.15 NANOG49 day 2 part 2 notes

2010-06-15 Thread Matthew Petach
Notes from the second half of today (post-lunchtime)
are now posted at

http://kestrel3.netflight.com/2010.06.15-NANOG49-day2-part2.txt

Many thanks to those who have been mailing back to correct my
errors.  I try to catch most of them, but at this speed, some still
creep in--though I'm still doing better than Google Voice does on
my voicemail messages.  :D
As corrections are sent, I update the files, so I've started putting
version information at the top.

Thanks!

Matt



Re: BGP Multihoming Partial vs. Full Routes

2010-06-15 Thread Anton Kapela

On Jun 14, 2010, at 12:08 PM, Fred Baker wrote:

> upstream, full routes are generally not as useful as one might expect. You're 
> at least as well off with default routes for your upstreams plus what we call 
> "Optimized Edge Routing", which allows you to identify (dynamically, for each 
> prefix/peer you care about) which of your various ISPs gives you a route that 
> *you* would prefer in terms of reachability and RTT. In the words of a 
> prominent hardware store in my region, "you can do it, we can help".

+1.

additionally, one could filter on reasonable RIR allocation 'boundaries' per 
/8, cutting the fib down substantially. Cisco and a host of others maintain 
such a list of ready-to-use examples here:

ftp://ftp-eng.cisco.com/cons/isp/security/Ingress-Prefix-Filter-Templates/

lastly,  one could do something far more crude (yet strangely effective), like 
so:

ip prefix-list longs permit 0.0.0.0/0 ge 23
ip prefix-list shorts permit 0.0.0.0/0 le 22

ip as-path access-list 10 permit (^_[0-9]+$|^_[0-9]+_[0-9]+$|^_[0-9]+_[0-9]+_[0-9]+$)

route-map provider-in permit 10
 match ip address prefix-list longs
 match as-path 10

route-map provider-in permit 20
 match ip address prefix-list shorts

...etc

-Tk
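
The effect of the crude filter in the message above, modelled in Python as an added example (not part of the original post): prefixes of /23 or longer are kept only when the AS path is one to three ASNs long, and /22 or shorter are always kept. The translation of the IOS `_` metacharacter, the implicit deny after sequence 20, and the sample routes are assumptions made for this illustration.

```python
import ipaddress
import re

# AS-path regex exactly as posted for "ip as-path access-list 10".
POSTED_REGEX = r"(^_[0-9]+$|^_[0-9]+_[0-9]+$|^_[0-9]+_[0-9]+_[0-9]+$)"

def ios_to_python(pattern):
    """Assumption: approximate the IOS '_' metacharacter (start or end of
    string, space, comma, braces, parentheses) with a Python group."""
    return pattern.replace("_", r"(?:^|$|[ ,{}()])")

AS_PATH_10 = re.compile(ios_to_python(POSTED_REGEX))

def provider_in(prefix, as_path):
    """Return the route-map sequence that permits the route, or None.
    Assumption: nothing follows sequence 20, so the implicit deny applies."""
    length = ipaddress.ip_network(prefix).prefixlen
    if length >= 23 and AS_PATH_10.search(as_path):  # longs + as-path 10
        return 10
    if length <= 22:                                 # shorts
        return 20
    return None

# Constructed sample routes (documentation/benchmark prefixes and ASNs).
SAMPLE_ROUTES = [
    ("198.18.0.0/15",    "64496 64497 64498 64499 64500"),
    ("192.0.2.0/24",     "64496"),
    ("198.51.100.0/24",  "64496 64497 64498"),
    ("203.0.113.0/24",   "64496 64497 64498 64499"),
    ("203.0.113.128/25", "64496 64497 64497 64497"),  # prepending counts as hops
]

def installed(routes):
    """Routes that survive the filter and would reach the FIB."""
    return [(p, a) for p, a in routes if provider_in(p, a) is not None]

if __name__ == "__main__":
    for prefix, path in SAMPLE_ROUTES:
        verdict = provider_in(prefix, path)
        print(f"{prefix:18} [{path}] ->", verdict if verdict else "denied")
```

Routes that fall to the implicit deny stay reachable only if a default route from the upstream covers them.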


Re: BGP Multihoming Partial vs. Full Routes

2010-06-15 Thread Jared Mauch
Most providers will give you just their on net prefixes. This is useful if 
multihomed but you do not really need full tables. 

Then you can default or similar for the rest of the net. 

Jared Mauch

On Jun 14, 2010, at 11:30 AM, James Smallacombe  wrote:

> 
> I know this topic must have been covered before, but I can find no search 
> tool for the NANOG archives.  I did google and reference Halabi's book as 
> well as Avi's howto, but I still don't feel I fully understand the pros and 
> cons of Full vs. Partial routes in a dual/multihomed network.
> 
> Cisco's position these days seems to be "you don't need to carry full views 
> unless you like tinkering with optimizing paths and such."
> 
> Tinkering isn't the issue.  Full reachability to servers on this network from 
> EVERYone, including both upstreams' customers, regardless of the status of 
> each upstream connection is.  Ditto in the event that one upstream has some 
> kind of core or regional router meltdown, which I've seen more than once.  I 
> see conflicting advice as to whether partial routes will suffice for this.
> 
> Helpful links and/or synopses appreciated.
> 
> James Smallacombe  PlantageNet, Inc. CEO and Janitor
> u...@3.am http://3.am