Re: Cablevision's company line on IPv6 to the home

2011-05-30 Thread Christopher Morrow
On Sat, May 28, 2011 at 4:21 PM, Greg Ihnen  wrote:
> I just got off the phone with a level 1 tech support guy about an issue with 
> my parents Cablevision/Optimum Online service and decided to ask the fellow 
> if there's any official company news about IPv6 being in the works. His 
> comments

comments from techsupport aside.. the cablevision folks did have 2-3
folks at ARIN in ... San Juan (I think?) who were very interested and
dedicated to pushing v6 to their consumer population. I think they (as
well as every other consumer provider) have a lot of challenges in the
last-mile architecture/etc, but they do seem dedicated to solving
things for users.

I think the gentleman I ended up chatting with from CV was commenting
on PPML as well at the time... I'm sure a quick perusal of that list
would get you his POC info for queries... which are more likely to get
useful answers than nanog posts will.

-chris



Re: Cablevision's company line on IPv6 to the home

2011-05-30 Thread Greg Ihnen
On May 30, 2011, at 8:56 PM, Bob Snyder wrote:

> On Sat, May 28, 2011 at 4:21 PM, Greg Ihnen  wrote:
>> I just got off the phone with a level 1 tech support guy about an issue with 
>> my parents Cablevision/Optimum Online service and decided to ask the fellow 
>> if there's any official company news about IPv6 being in the works. His 
>> comments were that there is a test coming up (he was referring to World IPv6 
>> Day), though he admitted that Cablevision is choosing not to participate in 
>> the "test" because they want to wait to see that IPv6 actually works without 
>> problems before they turn it on. He said it with a tone that seemed to 
>> express that the World IPv6 Day "test" is an irresponsible diversion. I 
>> politely and without any noticeable condescension (I believe) told him 
>> "that's what I expected" and bid him adieu.
>> 
>> It's neat how they're going to skip that irresponsible testing phase and 
>> just turn it on one day and it's going to work perfectly.
> 
> Because when I want to know details of future major architectural
> changes to a network, I usually ask a level 1 tech support guy since
> he's the one most likely to know, right?

Should I answer that? No, that was sarcasm. Nice touch.

See my post where I address the fact that I wanted to know what the company's 
official public position is, as you said, the "script". In that post I mention 
I qualified the fact that the fellow was level 1 for obvious reasons. I wasn't 
trying to say he had technical insight. The official script does possibly say 
something about the company's desire/willingness/urgency/felt need to deploy 
IPv6. Does hearing that there's fast and furious work going on in the NOC to 
bring IPv6 capability mean it will be rolled out to the customer in short 
order? I'd say the answer to that is "who knows".

It's not an apples to apples comparison with Cablevision's territory but down 
in my neck of the woods where I live the guys who work the telco's switch in 
town have been telling me for years that the "banda ancha" (broadband) gear is 
all installed as is the fiber back to the capital and they're just waiting for 
the bureaucratic "OK" to turn it on. They've cut grooves in the town's 
"perimetral" (perimeter) road and ran fiber in the road ringing the town. That 
was almost two years ago. Sure seems like broadband could be just around the 
corner right? And the years drag on, no broadband. Sometimes the company's 
official public stance (from like... um... the level 1 guys) is highly 
indicative of what's coming.

I'm surprised that all ISPs aren't trying to glom onto IPv6 the way so many 
companies now feel the need to claim to be "green" just because you don't want 
to be the last one in your market place not claiming to be "green".

Then again, maybe you're just trolling. For trolling I like a Rapala lure 
(negative buoyancy) or live bait with a weight.

Here in the jungle they take an empty jug, tie a line on it and put a big hook 
on the end with some kind of meat or fish and throw them out in the river and 
let them float down river with the current, mostly for the big catfish. It's the 
lazy man's trolling.

Greg

> He'll know it's being rolled out when they create a script for him to
> follow. One that'll likely say something like "For IPv6 problems,
> immediately escalate to someone we've actually trained in IPv6."
> 
> Bob
> 




Re: Cablevision's company line on IPv6 to the home

2011-05-30 Thread Bob Snyder
On Sat, May 28, 2011 at 4:21 PM, Greg Ihnen  wrote:
> I just got off the phone with a level 1 tech support guy about an issue with 
> my parents Cablevision/Optimum Online service and decided to ask the fellow 
> if there's any official company news about IPv6 being in the works. His 
> comments were that there is a test coming up (he was referring to World IPv6 
> Day), though he admitted that Cablevision is choosing not to participate in 
> the "test" because they want to wait to see that IPv6 actually works without 
> problems before they turn it on. He said it with a tone that seemed to 
> express that the World IPv6 Day "test" is an irresponsible diversion. I 
> politely and without any noticeable condescension (I believe) told him 
> "that's what I expected" and bid him adieu.
>
> It's neat how they're going to skip that irresponsible testing phase and just 
> turn it on one day and it's going to work perfectly.

Because when I want to know details of future major architectural
changes to a network, I usually ask a level 1 tech support guy since
he's the one most likely to know, right?

He'll know it's being rolled out when they create a script for him to
follow. One that'll likely say something like "For IPv6 problems,
immediately escalate to someone we've actually trained in IPv6."

Bob



[NANOG-announce] Lightning talks open for NANOG 52

2011-05-30 Thread David Meyer
Submit yours now!

Look forward to seeing you in Denver.

Dave

(for the NANOG PC)




Re: Verisign Internet Defence Network

2011-05-30 Thread Joel Jaeggli
Normally when mitigation is put in place, they advertise a more specific 
prefix from AS26415, scrub the traffic and hand it back to you over a GRE 
tunnel...

Obviously some design consideration goes into having services in prefixes 
you're willing to de-agg in such a fashion... I'd also recommend advertising 
the more specific out your own ingress paths before they pull your route, 
otherwise the churn while various ASes grind through their longer backup routes 
takes a while.

On May 30, 2011, at 7:43 AM, Rubens Kuhl wrote:

>> claims made by the product descriptions seem suspect to me.
>> 
>> it claims to be "Carrier-agnostic and ISP-neutral", yet "When an event is
>> detected, Verisign will work with the customer to redirect Internet traffic
>> destined for the protected service to a Verisign Internet Defense Network
>> site."
>> 
>> anyone here have any comments on how this works, and how effective it will be
>> vs. dealing directly with your upstream providers and getting them to assist
>> in shutting down the attack?
> 
> Anyone willing to announce your IP blocks under attack, receive the
> traffic and then tunnel the non-attack traffic back to you can provide
> such services without cooperation from your upstreams. I don't know
> the details about this particular provider, such as if they announce
> your blocks from your or their ASN, if they use more specifics,
> communities or are simply very well connected, but as BGP on the DFZ
> goes, it can work.
> 
> You might need to get your upstreams to not filter announcements from
> your IP block they receive, because that would prevent mitigation for
> attack traffic from inside your upstream AS.
> 
> (RPKI could also be a future challenge for such service, but one could
> previously sign ROAs to be used in an attack response)
> 
> Rubens
> 




RE: Verisign Internet Defence Network

2011-05-30 Thread Stefan Fouant
> -Original Message-
> From: Jim Mercer [mailto:j...@reptiles.org]
> Sent: Monday, May 30, 2011 10:26 AM
> To: nanog@nanog.org
> Subject: Verisign Internet Defence Network
> 
> it claims to be "Carrier-agnostic and ISP-neutral", yet "When an event is
> detected, Verisign will work with the customer to redirect Internet traffic
> destined for the protected service to a Verisign Internet Defense Network
> site."
> 
> anyone here have any comments on how this works, and how effective it will be
> vs. dealing directly with your upstream providers and getting them to assist
> in shutting down the attack?

It's really very simple.  Verisign advertises your netblock to the Internet
as a whole while at the same time you cease to advertise your route to your
ISPs.  Traffic gets redirected into VIDN scrubbing center where the bad
traffic is removed.  The resulting clean traffic is sent via GRE tunnel back
to customer CPE router.

Regarding how effective it will be vs. getting your upstream to assist
really depends on how many upstream providers you have and what their
capabilities are.  Certainly dealing with one company (Verisign) is going to
be a lot easier than dealing with many upstream providers which are likely
to not have uniform offerings and services.  Most providers that are going
to be willing to assist you are only going to null-route traffic towards the
destination netblock thereby completing the DoS attack.  Those that do have
mitigation offerings are going to charge you for it, and then again, it's
not a uniform offering across all your upstream providers.

I personally think the "cloud-based" approach offered by Verisign makes a
whole heckuva lot more sense than trying to deal with heterogeneous
offerings from many disparate providers, much less having to open tickets
with each provider, having to deal with typical response times, etc.  In my
experience, reducing the number of cogs usually results in dramatically
lower mitigation times, which is certainly the end goal in dealing with
these types of attacks.

Stefan Fouant
JNCIE-M #513, JNCIE-ER #70, JNCI
GPG Key ID: 0xB4C956EC




HP 42U Cabinet - Caster fitting instructions?

2011-05-30 Thread Robert Lusby

Hello,

My apologies for the off topic message. Mentioned previously, we have an 
HP Server Cabinet (42U 10842 G2), that was stripped down to the 
bare-bones chassis.


I can't for the life of me figure how the caster wheels are meant to 
be attached. We have two bolts for each caster, but what seems like only 
one fitting point for each.


I have the installation instructions for the cabinet, but I believe it 
comes shipped with the casters attached as it makes no reference to how 
to fit these.


Any help on how these attach from someone with a similar cabinet, 
perhaps even a picture, would be much appreciated!


Rob



Re: Verisign Internet Defence Network

2011-05-30 Thread Rubens Kuhl
> claims made by the product descriptions seem suspect to me.
>
> it claims to be "Carrier-agnostic and ISP-neutral", yet "When an event is
> detected, Verisign will work with the customer to redirect Internet traffic
> destined for the protected service to a Verisign Internet Defense Network
> site."
>
> anyone here have any comments on how this works, and how effective it will be
> vs. dealing directly with your upstream providers and getting them to assist
> in shutting down the attack?

Anyone willing to announce your IP blocks under attack, receive the
traffic and then tunnel the non-attack traffic back to you can provide
such services without cooperation from your upstreams. I don't know
the details about this particular provider, such as if they announce
your blocks from your or their ASN, if they use more specifics,
communities or are simply very well connected, but as BGP on the DFZ
goes, it can work.

You might need to get your upstreams to not filter announcements from
your IP block they receive, because that would prevent mitigation for
attack traffic from inside your upstream AS.

(RPKI could also be a future challenge for such service, but one could
previously sign ROAs to be used in an attack response)

Rubens
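
The RPKI point in the message above can be checked mechanically. The following is an added example, not part of the original thread or any provider's tooling: it implements RFC 6811 route origin validation and shows how a scrubbing provider's more-specific announcement is classified with and without a ROA signed in advance. AS26415 is the origin AS mentioned elsewhere in the thread; the customer ASN 64500, the 2001:db8::/32 prefixes and the ROA contents are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # covering prefix signed by the address holder
    max_length: int  # longest prefix length this ROA authorizes
    asn: int         # AS authorized to originate the prefix

CUSTOMER_ASN = 64500  # constructed (documentation ASN)
SCRUB_ASN = 26415     # origin AS named in the thread

def validate(route, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    net = ipaddress.ip_network(route)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue  # this ROA does not cover the announced route
        covered = True
        # AS0 ROAs never match; otherwise origin and length must both fit.
        if roa.asn != 0 and roa.asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

# Constructed ROA sets: day-to-day state, and state prepared for mitigation.
ROAS_NORMAL = [ROA("2001:db8::/32", 32, CUSTOMER_ASN)]
ROAS_PREPARED = ROAS_NORMAL + [ROA("2001:db8::/32", 48, SCRUB_ASN)]

def mitigation_outcomes():
    """Classify the announcements that appear during a traffic diversion."""
    more_specific = "2001:db8:1::/48"
    return {
        "customer /32, normal ROAs": validate("2001:db8::/32", CUSTOMER_ASN, ROAS_NORMAL),
        "scrubber /48, normal ROAs": validate(more_specific, SCRUB_ASN, ROAS_NORMAL),
        "scrubber /48, prepared ROAs": validate(more_specific, SCRUB_ASN, ROAS_PREPARED),
        # The customer's own more-specific also needs a ROA of its own:
        "customer /48, prepared ROAs": validate(more_specific, CUSTOMER_ASN, ROAS_PREPARED),
    }

if __name__ == "__main__":
    for case, state in mitigation_outcomes().items():
        print(f"{case}: {state}")
```

Networks that drop "invalid" routes would discard the scrubber's more-specific in the second case, so the ROA has to exist before the attack; the fourth case shows the same applies if the customer wants to originate the more-specific itself.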



Verisign Internet Defence Network

2011-05-30 Thread Jim Mercer

Heyo,

So, I asked to look into the viability and usefulness of the "Verisign
Internet Defence Network" service.

I don't claim to be any kind of expert in DDoS mitigation, but some of the
claims made by the product descriptions seem suspect to me.

it claims to be "Carrier-agnostic and ISP-neutral", yet "When an event is
detected, Verisign will work with the customer to redirect Internet traffic
destined for the protected service to a Verisign Internet Defense Network
site."

anyone here have any comments on how this works, and how effective it will be
vs. dealing directly with your upstream providers and getting them to assist
in shutting down the attack?

-- 
Jim Mercer    j...@reptiles.org    +1 416 410-5633
You are more likely to be arrested as a terrorist than you are to be
blown up by one. -- Dianora