Re: Deploying IPv6 globally
At a previous company my pi assignment request included our overseas sites. the bulk of the assignment and the business unit making the request were based in north america. resulting request was for a /43.
joel
On May 31, 2011, at 8:36 AM, eric clark wrote:
Many North American based organizations operate with their ARIN issued BGP AS distributed globally. When I discussed obtaining IPv6 space from ARIN a few years ago, they told me to submit an individual request for each of my sites (and they'd issue a /48 or larger based on the site). This is the process I've been following, until now, for my North American sites...
My question is, has anyone started deploying ARIN IP space to their global offices? If so, how are you registering those sites with ARIN? Or did they tell you something else?
Thanks -C
RE: Deploying IPv6 globally
I have done this several times for NA orgs with global sites with ARIN and for EU orgs with global sites with RIPE. ARIN were fine, RIPE just excluded any non-RIPE governed locations from the calculation criteria, however they were granted on all counts.
John
From: Joel Jaeggli [joe...@bogus.com]
Sent: Tuesday, May 31, 2011 4:54 PM
To: eric clark
Cc: NANOG list
Subject: Re: Deploying IPv6 globally
At a previous company my pi assignment request included our overseas sites. the bulk of the assignment and the business unit making the request were based in north america. resulting request was for a /43.
joel
On May 31, 2011, at 8:36 AM, eric clark wrote:
Many North American based organizations operate with their ARIN issued BGP AS distributed globally. When I discussed obtaining IPv6 space from ARIN a few years ago, they told me to submit an individual request for each of my sites (and they'd issue a /48 or larger based on the site). This is the process I've been following, until now, for my North American sites...
My question is, has anyone started deploying ARIN IP space to their global offices? If so, how are you registering those sites with ARIN? Or did they tell you something else?
Thanks -C
Re: Deploying IPv6 globally
On May 31, 2011, at 8:36 AM, eric clark wrote:
Many North American based organizations operate with their ARIN issued BGP AS distributed globally. When I discussed obtaining IPv6 space from ARIN a few years ago, they told me to submit an individual request for each of my sites (and they'd issue a /48 or larger based on the site). This is the process I've been following, until now, for my North American sites...
My question is, has anyone started deploying ARIN IP space to their global offices? If so, how are you registering those sites with ARIN? Or did they tell you something else?
Thanks -C
Not a problem. As long as you are HQ in the ARIN region, you can obtain space from ARIN regardless of where you use it. You also have the option of getting the space from whatever RIR the particular infrastructure is located within.
Owen
RE: VeriSign Internet Defense Network
Let's not ignore the value of DNS with a short ttl time. It may not be as quick as a BGP adjustment, but serves to provide a buttressed front-end IP that can restore service instantly [faster than getting someone on the phone to coordinate the change, etc].
Disclaimer: We provide a service for our customers that does substantially this sort of DDOS mitigation.
DJ
Normally when mitigation is put in place, they advertise a more specific prefix from as26415, scrub the traffic and hand it back to you over a gre tunnel... Obviously some design consideration goes into having services in prefixes you're willing to de-agg in such a fashion... I'd also recommend advertising the more specific out your own ingress paths before they pull your route otherwise the churn while various ASes grind through their longer backup routes takes a while.
On May 30, 2011, at 7:43 AM, Rubens Kuhl wrote:
claims made by the product descriptions seem suspect to me. it claims to be Carrier-agnostic and ISP-neutral, yet When an event is detected, Verisign will work with the customer to redirect Internet traffic destined for the protected service to a Verisign Internet Defense Network site. anyone here have any comments on how this works, and how effective it will be vs. dealing directly with your upstream providers and getting them to assist in shutting down the attack?
Anyone willing to announce your IP blocks under attack, receive the traffic and then tunnel the non-attack traffic back to you can provide such services without cooperation from your upstreams. I don't know the details about this particular provider, such as if they announce your blocks from your or their ASN, if they use more specifics, communities or is simply very well connected, but as BGP on the DFZ goes, it can work. You might need to get your upstreams to not filter announcements from your IP block they receive, because that would prevent mitigation for attack traffic from inside your upstream AS.
(RPKI could also be a future challenge for such service, but one could previously sign ROAs to be used in an attack response)
Rubens
Re: VeriSign Internet Defense Network
On Tue, May 31, 2011 at 3:06 PM, Deepak Jain dee...@ai.net wrote:
Let's not ignore the value of DNS with a short ttl time. It may not be as quick as a BGP adjustment, but serves to provide a buttressed front-end IP that can restore service instantly [faster than getting someone on the phone to coordinate the change, etc].
Disclaimer: We provide a service for our customers that does substantially this sort of DDOS mitigation.
also, note that VerizonBusiness ddos-mitigation service was no-call-required, just send the right community on a configured session ... and 'cheap'.
-chris
Normally when mitigation is put in place, they advertise a more specific prefix from as26415, scrub the traffic and hand it back to you over a gre tunnel... Obviously some design consideration goes into having services in prefixes you're willing to de-agg in such a fashion... I'd also recommend advertising the more specific out your own ingress paths before they pull your route otherwise the churn while various ASes grind through their longer backup routes takes a while.
On May 30, 2011, at 7:43 AM, Rubens Kuhl wrote:
claims made by the product descriptions seem suspect to me. it claims to be Carrier-agnostic and ISP-neutral, yet When an event is detected, Verisign will work with the customer to redirect Internet traffic destined for the protected service to a Verisign Internet Defense Network site. anyone here have any comments on how this works, and how effective it will be vs. dealing directly with your upstream providers and getting them to assist in shutting down the attack?
Anyone willing to announce your IP blocks under attack, receive the traffic and then tunnel the non-attack traffic back to you can provide such services without cooperation from your upstreams. I don't know the details about this particular provider, such as if they announce your blocks from your or their ASN, if they use more specifics, communities or is simply very well connected, but as BGP on the DFZ goes, it can work. You might need to get your upstreams to not filter announcements from your IP block they receive, because that would prevent mitigation for attack traffic from inside your upstream AS.
(RPKI could also be a future challenge for such service, but one could previously sign ROAs to be used in an attack response)
Rubens
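Added example, not part of any message in this thread: the RPKI remark above, worked through with RFC 6811 route origin validation, showing that a mitigation more-specific is Invalid against an aggregate-only ROA and Valid once exact-length ROAs are pre-signed. The prefixes and the customer AS are constructed documentation values; AS26415 is the one named in the thread.

```python
import ipaddress
from typing import NamedTuple

class ROA(NamedTuple):
    prefix: str      # authorised covering prefix
    max_length: int  # longest prefix length the origin may announce
    asn: int         # authorised origin AS

def validate(route_prefix, origin_asn, roas):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix)
        if net.version != route.version or not route.subnet_of(net):
            continue  # this ROA does not cover the route
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: invalid.
    return "invalid" if covered else "not-found"

# Constructed sample data: documentation prefix and documentation ASN.
CUSTOMER_AS = 64500            # assumption: the protected network's AS
SCRUBBER_AS = 26415            # AS named in the thread
AGGREGATE = "2001:db8::/32"    # customer's normal announcement
SPECIFIC = "2001:db8:a::/48"   # more specific used during mitigation

ROAS_AGGREGATE_ONLY = [ROA(AGGREGATE, 32, CUSTOMER_AS)]
# Pre-signed for attack response: exact prefix and length only, so neither
# AS is authorised for anything beyond the one mitigation prefix.
ROAS_PRESIGNED = ROAS_AGGREGATE_ONLY + [
    ROA(SPECIFIC, 48, SCRUBBER_AS),
    ROA(SPECIFIC, 48, CUSTOMER_AS),
]

def scenario(roas):
    """Validation state of each announcement seen during a mitigation."""
    return {
        "aggregate_from_customer": validate(AGGREGATE, CUSTOMER_AS, roas),
        "specific_from_scrubber": validate(SPECIFIC, SCRUBBER_AS, roas),
        "specific_from_customer": validate(SPECIFIC, CUSTOMER_AS, roas),
    }

if __name__ == "__main__":
    for name, roas in (("aggregate only", ROAS_AGGREGATE_ONLY),
                       ("pre-signed", ROAS_PRESIGNED)):
        print(name, scenario(roas))
```

The customer's own more-specific is also Invalid in the aggregate-only case because of maxLength, which matters for the advice in the thread to advertise the more specific out your own ingress paths first.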
RE: VeriSign Internet Defense Network
-Original Message-
From: Deepak Jain [mailto:dee...@ai.net]
Sent: Tuesday, May 31, 2011 3:07 PM
Subject: RE: VeriSign Internet Defense Network
Let's not ignore the value of DNS with a short ttl time. It may not be as quick as a BGP adjustment, but serves to provide a buttressed front-end IP that can restore service instantly [faster than getting someone on the phone to coordinate the change, etc].
Heck, if it's good enough for fast-flux, it's good enough for me ;)
Stefan Fouant
JNCIE-M #513, JNCIE-ER #70, JNCI
GPG Key ID: 0xB4C956EC
RE: VeriSign Internet Defense Network
-Original Message-
From: Christopher Morrow [mailto:morrowc.li...@gmail.com]
Sent: Tuesday, May 31, 2011 3:31 PM
Subject: Re: VeriSign Internet Defense Network
also, note that VerizonBusiness ddos-mitigation service was no-call-required, just send the right community on a configured session ... and 'cheap'.
The downside to their approach is that it only works for sites you actually have connected to VzB's network. They could just as easily offer the service to off-net customers similar to what Verisign and Prolexic do, but for some reason we could never convince the marketing folks to do just that... Agreed though, it is super-easy to use and competitively priced.
Stefan Fouant
JNCIE-M #513, JNCIE-ER #70, JNCI
GPG Key ID: 0xB4C956EC
RE: Yahoo and IPv6
Going to http://help.yahoo.com/l/us/yahoo/ipv6/ and hitting Start IPv6 Test I get: Your system will continue to work for you on World IPv6 day. However, we found that your server only supports IPv4 at this time. You'll simply continue to use IPv4 to reach your favorite web sites.
Netalyzr (http://n3.netalyzr.icsi.berkeley.edu/analysis) finds no issues with my IPv6 status, but alerts me to the fact (since confirmed by switching to IE) that Google Chrome defaults to IPv4 rather than IPv6, and consequently a lot of the testing tools claim that my IPv6 is broken.
Toivo Voll
Network Administrator
Information Technology Communications
University of South Florida
-Original Message-
From: Brandon Ross [mailto:br...@pobox.com]
Sent: Monday, May 09, 2011 12:25
To: Arie Vayner
Cc: nanog@nanog.org
Subject: Re: Yahoo and IPv6
Even more disturbing than that is that when I run a test from here it says that I have broken v6. But I don't have broken v6 and test-v6.com proves it with a 10/10. This Yahoo tool doesn't seem to even give a hint as to what it thinks is broken.
Can anyone from Yahoo shed some light on what this tool is doing and how to get it to tell us what it thinks is broken?
-- Brandon Ross AIM: BrandonNRoss ICQ: 2269442 Skype: brandonross Yahoo: BrandonNRoss
Re: Verisign Internet Defence Network
At 10:25 30/05/2011 -0400, Jim Mercer wrote:
My knowledge is from 1.5 years ago when I compared Verisign, Prolexic, Akamai and others so things may have changed since then.
VeriSign claim that they are servicing their own network globally which has performed with zero down time over the last decade. Verisign have 2 offerings - one over BGP and the other over GRE/SSL VPNs. The BGP solution would be faster to turn on but will require more configuration set-up. Interestingly, their mitigation service is not 'always-on' (they sell their monitoring and mitigation services separately). On detection of an attack, they contact the customer and only once the customer acknowledges that they want their services redirected do they turn on the filtering.
My biggest gripe was their SLA - or lack of one. Back in Dec 2009 I forced them to start writing an SLA which they had not thought of, which back then showed an immaturity of service. Things might be different now. Verisign then took the view that the SLA should be based on *their* mitigation platform availability (our scrubbing center has 100% SLA) and not on the customer site availability (all great and wonderful that your scrubbing center is up and running - but my site is down). They were willing to give service credits if their scrubbing center was down but not if the customer site was down.
I found they had a well established customer portal and ample reporting facilities. Just make sure they have improved on their SLA before buying.
Regards, Hank
Heyo,
So, I asked to look into the viability and usefulness of the Verisign Internet Defence Network service. I don't claim to be any kind of expert in DDoS mitigation, but some of the claims made by the product descriptions seem suspect to me. it claims to be Carrier-agnostic and ISP-neutral, yet When an event is detected, Verisign will work with the customer to redirect Internet traffic destined for the protected service to a Verisign Internet Defense Network site.
anyone here have any comments on how this works, and how effective it will be vs. dealing directly with your upstream providers and getting them to assist in shutting down the attack?
-- Jim Mercer j...@reptiles.org +1 416 410-5633
You are more likely to be arrested as a terrorist than you are to be blown up by one. -- Dianora