Re: turning on comcast v6

2014-01-06 Thread Aled Morris
On 4 January 2014 06:06, Ricky Beam jfb...@gmail.com wrote:

 It'll **NEVER** be a default because it breaks too many clueless people's
 networks.  Just like, surprise, DHCP guard isn't on by default in any
 gear I'm aware of.


Spanning-tree portfast isn't on by default, and that breaks plenty of
clueless people's networks with client DHCP timeouts.  Just sayin'.


I appreciate the view that IPv6 was designed in a certain way, partly to
fix the problems and remove the kludges in IPv4; the reality is that IPv4
was wildly successful because it wasn't the proscriptive OSI.

Whilst I would prefer not to see the mistakes of IPv4 repeated (especially
NAT and RFC1918 addressing) trying to help people not shoot themselves in
the foot will simply retard deployment and maybe result in even worse
workarounds.

Come on people - Postel's Law applies, let's be liberal in what we accept
into the protocol design too.  If users want DHCP served default gateway,
fine.  Nobody's forcing you to enable it on your network if you don't want
to.

Aled


Re: turning on comcast v6

2014-01-06 Thread Leo Bicknell

On Jan 5, 2014, at 11:44 PM, valdis.kletni...@vt.edu wrote:

 If Joe Home User has a rogue device spewing RA's, he probably has a bigger
 problem than just not having RA Guard enabled.  He either has a badly
 misconfigured router (and one that's disobeying the mandate to not RA
 if you don't have an uplink), or he has a compromised malicious host.
 
 In either case, he's got bigger fish to fry.

"mandate" isn't the right description.

http://tools.ietf.org/html/rfc6059

There is a ~3 year old _proposed standard_ for the behavior you describe.

I have yet to see any compliant equipment at $LocalBigBox, but maybe I'm
not purchasing the right gear.

So yet again, the response I get to "RAs are fragile" is "deploy this
brand new band-aid that can't be purchased yet."

Can we just have DHCPv6, please?  How many dozens of technologies are we
going to invent to try and avoid putting a default route in DHCP?

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/


Re: turning on comcast v6

2014-01-06 Thread Valdis . Kletnieks
On Mon, 06 Jan 2014 09:44:32 -0600, Leo Bicknell said:

 "mandate" isn't the right description.

 http://tools.ietf.org/html/rfc6059

 There is a ~3 year old _proposed standard_ for the behavior you describe.

I'll make the case that if a router becomes unable to forward packets
because it has lost its uplink or connection to another subnet (so it's now
homed on only one subnet), that's a router-to-host transition.

RFC2461, sections 6.2.4 and 6.2.5 discuss the case of a router becoming
a host - and it includes "thou shalt cease blabbing the RAs after a
suitable amount of time".  And that's a heck of a lot older than 3 years.




10gbps peering subscriber switch recommendation

2014-01-06 Thread randal k
Good morning,
We're in the market to move our IX peering off of our core (too much
BGP/CPU :-/ ) and onto a dedicated switch.

Anybody have a recommendation on a switch that can do the following
without costing a fortune? I have scoured Cisco, and bang for the buck
is ... ASR9k (way over powered for handling zero-feature IX traffic),

3-8x 10gbps ports
64k routes minimum, preferably 128k
Must be able to speak BGP
Native/functional IPv6 would be sharp!
Basic QoS to police our ports

The prefix count seems to be the killer, as our exchange table is
getting pretty big (42k+ currently). I'm really tempted to build a
vyatta box or similar, but would rather do something off the shelf --
especially if it can be 1-2 gens old and cost effective.

I'm certain that this same situation is scratching many other folks as
exchanges become more important.

Thanks for your input in advance -- stay warm!
Randal



Re: 10gbps peering subscriber switch recommendation

2014-01-06 Thread Adrian Minta

Good morning,
We're in the market to move our IX peering off of our core (too much
BGP/CPU :-/ ) and onto a dedicated switch.



Brocade ICX 7750 Switch seems to satisfy all the requirements.

--
Best regards,
Adrian Minta





Re: 10gbps peering subscriber switch recommendation

2014-01-06 Thread Aled Morris
On 6 January 2014 17:57, randal k na...@data102.com wrote:

 Good morning,
 We're in the market to move our IX peering off of our core (too much
 BGP/CPU :-/ ) and onto a dedicated switch.

 Anybody have a recommendation on a switch that can do the following
 without costing a fortune? I have scoured Cisco, and bang for the buck
 is ... ASR9k (way over powered for handling zero-feature IX traffic),

 3-8x 10gbps ports
 64k routes minimum, preferably 128k
 Must be able to speak BGP
 Native/functional IPv6 would be sharp!
 Basic QoS to police our ports

 The prefix count seems to be the killer, as our exchange table is
 getting pretty big (42k+ currently). I'm really tempted to build a
 vyatta box or similar, but would rather do something off the shelf --
 especially if it can be 1-2 gens old and cost effective.


If you don't need to carry a full Internet table, the Cisco 4500-X has
plenty of features and the 32 port model can accommodate 256k IPv4 routes.
 It also does IPv6 in hardware (128k routes)

Aled


Re: 10gbps peering subscriber switch recommendation

2014-01-06 Thread Nick Hilliard
On 06/01/2014 18:12, Adrian Minta wrote:
 Brocade ICX 7750 Switch seems to satisfy all the requirements.

except qos (which needs switch port buffer space).  There are no cheap 10G
boxes on the market at the moment which have reasonable numbers of 10G
ports and reasonably sized buffers.  Plenty which have 2-4 10G ports with
reasonable buffers and lots more which have plenty of 10G ports with hardly
any buffer space.

Nick




Uverse Cleveland OH question

2014-01-06 Thread Jay Ashworth
If there's anyone with firsthand knowledge of that system, could you shoot
me a note off-list?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates http://baylink.pitas.com 2000 Land Rover DII
St Petersburg FL USA   #natog  +1 727 647 1274



Re: turning on comcast v6

2014-01-06 Thread Doug Barton

On 01/04/2014 05:42 AM, Baldur Norddahl wrote:

On Sat, Jan 4, 2014 at 2:12 AM, Doug Barton do...@dougbarton.us wrote:




If you did add default route to DHCPv6, what is then supposed to happen to
the other routes, that the client might discover?



You would configure the client not to do RS, and to ignore any RAs that it
receives. Simple.



If you are going to modify the client, you can use any method you like,


No, I can't, because the method I would like to use is not in the spec.


including having the client simply use fe80:: or prefix:: as default
gateway.

You want a secure way to configure the clients. That sounds more like
Secure NDP (SEND) than it sounds like DHCPv6 with default gateway.


Thank you for the textbook illustration of the "anything but DHCP!"
mindset I was referring to earlier.


Doug




Re: turning on comcast v6

2014-01-06 Thread Owen DeLong

On Jan 6, 2014, at 10:37 , Doug Barton do...@dougbarton.us wrote:

 On 01/04/2014 05:42 AM, Baldur Norddahl wrote:
 On Sat, Jan 4, 2014 at 2:12 AM, Doug Barton do...@dougbarton.us wrote:
 
 
 If you did add default route to DHCPv6, what is then supposed to happen to
 the other routes, that the client might discover?
 
 
 You would configure the client not to do RS, and to ignore any RAs that it
 receives. Simple.
 
 
 If you are going to modify the client, you can use any method you like,
 
 No, I can't, because the method I would like to use is not in the spec.

Doesn't have to be... You can create any local DHCPv6 extension you like. That 
_IS_ in the spec.

Owen




Re: 10gbps peering subscriber switch recommendation

2014-01-06 Thread Mark Tinka
On Monday, January 06, 2014 08:24:22 PM Nick Hilliard wrote:

 except qos (which needs switch port buffer space).  There
 are no cheap 10G boxes on the market at the moment which
 have reasonable numbers of 10G ports and reasonably
 sized buffers.  Plenty which have 2-4 10G ports with reasonable
 buffers and lots more which have plenty of 10G ports
 with hardly any buffer space.

FIB space requirements in a switch are also going to limit 
your options.

Also, many non-service provider switches don't do egress 
policing (they might do shaping, but then if the buffers are 
small...).

Mark.




IXP + government transparency report

2014-01-06 Thread Martin Hannigan
As well as being first to be open-ix certified, I think LINX hit a second
first that is as interesting;


https://www.linx.net/service/publicpeering/novafiles/nova-usgov-reports.html

Applause +LINX


Best,

-M


Re: IXP + government transparency report

2014-01-06 Thread Bill Woodcock

On Jan 6, 2014, at 11:52 AM, Martin Hannigan hanni...@gmail.com wrote:

 As well as being first to be open-ix certified, I think LINX hit a second
 first that is as interesting;
 
 
 https://www.linx.net/service/publicpeering/novafiles/nova-usgov-reports.html

…and is this function being conducted completely without dependencies inside 
the U.S.?

-Bill








Re: IXP + government transparency report

2014-01-06 Thread Martin Hannigan
On Mon, Jan 6, 2014 at 2:57 PM, Bill Woodcock wo...@pch.net wrote:


 On Jan 6, 2014, at 11:52 AM, Martin Hannigan hanni...@gmail.com wrote:

  As well as being first to be open-ix certified, I think LINX hit a second
  first that is as interesting;
 
 
 
 https://www.linx.net/service/publicpeering/novafiles/nova-usgov-reports.html

 …and is this function being conducted completely without dependencies
 inside the U.S.?



Bill,

 OIX certified organizations must provide an accurate and monthly report on
Government Information Requests and actions taken related to the requests.
You can see an example here http://xmission.com/transparency

With regards to Patriot 215 and FISA 701, there are recommendations for
warrant canaries. Obviously, much trickier.

I think the point is about leadership and taking small, but giant, steps. I
hope that everyone in the infrastructure follows this lead and does exactly
the same thing.


Best,

-M


Re: NANOG Digest, Vol 72, Issue 17

2014-01-06 Thread Ralph Droms (rdroms)
 Date: Mon, 6 Jan 2014 11:40:29 -0800
 From: Owen DeLong o...@delong.com
 To: Doug Barton do...@dougbarton.us
 Cc: nanog@nanog.org nanog@nanog.org
 Subject: Re: turning on comcast v6
 Message-ID: 741b5a5f-3d87-4ba2-9349-f5bb94a8b...@delong.com
 Content-Type: text/plain; charset=iso-8859-1
 
 
 [...]
 Doesn't have to be... You can create any local DHCPv6 extension you like. 
 That _IS_ in the spec.
 
 Owen

Well, not exactly.  The authors of RFC 3315, smarting (if I recall correctly) 
from the local options debacle in DHCPv4, didn't set aside any experimental 
option codes for DHCPv6.  Oops and mea culpa.

Having said that, I suppose I can't formally recommend that an implementor use 
an option code somewhere near the top of the range and implement a quick 
extension to a client and server for the default router option, which would 
result in some running code to point at.

But running code isn't enough.  The last time I took the default router option 
to the IETF, it died (in the 6man WG, again trusting to memory) for lack of 
support.  More or less the same thing more recently in the mif WG (more support 
in mif, but it was the wrong WG).  So, someone will have to do the hard work of 
shepherding and supporting the document through publication in the right WG.  I 
understand Nick Hilliard may be undertaking that effort; those interested in 
the new option might want to lend Nick a hand (apologies to Nick if I've got 
that wrong).

- Ralph




Re: 10gbps peering subscriber switch recommendation

2014-01-06 Thread Nitzan Tzelniker
A little bit overkill in terms of number of ports, but you can consider the
new Trident 2 switches Juniper EX-5100, Cisco Nexus 3100.
They have unified TCAM that can store 128K v4 routes.

Nitzan


On Mon, Jan 6, 2014 at 9:43 PM, Mark Tinka mark.ti...@seacom.mu wrote:

 On Monday, January 06, 2014 08:24:22 PM Nick Hilliard wrote:

  except qos (which needs switch port buffer space).  There
  are no cheap 10G boxes on the market at the moment which
  have reasonable numbers of 10G ports and reasonably
  sized buffers.  Plenty which have 2-4 10G ports with reasonable
  buffers and lots more which have plenty of 10G ports
  with hardly any buffer space.

 FIB space requirements in a switch are also going to limit
 your options.

 Also, many non-service provider switches don't do egress
 policing (they might do shaping, but then if the buffers are
 small...).

 Mark.



Re: turning on comcast v6

2014-01-06 Thread Ricky Beam

On Sat, 04 Jan 2014 14:03:21 -0500, Owen DeLong o...@delong.com wrote:
A router, yes. THE router, not unless the network is very stupidly put  
together.


Like every win7 and win8 machine on the planet?  (IPv6 is installed and  
enabled by default. Few places have IPv6 enabled on their LAN, so a single  
RA would, indeed, 0wn3z those machines instantly.)


I disagree. Unlike with DHCP guard, RA guard can make reasonable  
predictions in most cases. Switches with “uplink” ports designated, for  
example, could easily default to permitting RAs only from those ports.


One cannot **GUESS** the security for a network. You must either *know* or  
*not know* what's on a port.  What makes a port "uplink" (read:  
trusted)? The only way to know for sure, without creating surprises or  
exploitable holes, is make the ADMIN explicitly SET EACH PORT.  That's the  
way DHCP Guard works.  That's the way spanning-tree portfast, bpdu guard,  
root guard, etc., etc. works.  That's the way port security works.  And  
that's the way RA Guard WILL be done.




Re: turning on comcast v6

2014-01-06 Thread Owen DeLong

On Jan 6, 2014, at 12:57 , Ricky Beam jfb...@gmail.com wrote:

 On Sat, 04 Jan 2014 14:03:21 -0500, Owen DeLong o...@delong.com wrote:
 A router, yes. THE router, not unless the network is very stupidly put 
 together.
 
 Like every win7 and win8 machine on the planet?  (IPv6 is installed and 
 enabled by default. Few places have IPv6 enabled on their LAN, so a single RA 
 would, indeed, 0wn3z those machines instantly.)
 
The obvious solution to that is to install real IPv6 routers.

 I disagree. Unlike with DHCP guard, RA guard can make reasonable predictions 
 in most cases. Switches with “uplink” ports designated, for example, could 
 easily default to permitting RAs only from those ports.
 
 One cannot **GUESS** the security for a network. You must either *know* or 
 *not know* what's on a port.  What makes a port "uplink" (read: trusted)? 
 The only way to know for sure, without creating surprises or exploitable 
 holes, is make the ADMIN explicitly SET EACH PORT.  That's the way DHCP Guard 
 works.  That's the way spanning-tree portfast, bpdu guard, root guard, etc., 
 etc. works.  That's the way port security works.  And that's the way RA Guard 
 WILL be done.

The port isn't particularly trusted, but it is allowed to send RAs which are 
forwarded to the network by default.
Obviously a sane switch would allow this configuration to be changed. We're not 
talking about the security model for a network, we're talking about the default 
behavior of a switch.

Defaults are, inherently, guesses to some extent. Nonetheless, a switch must 
have some default behavior.

It seems to me that in the case of switches which have otherwise designated 
uplink ports, it is logical to make those ports default to RA allowed while 
defaulting to not allowing RAs from other ports by default.

Owen
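As an added illustration of the two defaults argued over above (Ricky's "admin explicitly sets each port" model and Owen's "designated uplink ports pass RAs by default" model), here is a small RA Guard policy simulator. It is example code written for this digest, not anything posted in the thread or taken from a vendor, and every port name, MAC address and IPv6 address in it is a constructed sample value.

```python
import struct
from typing import Dict, List, Set, Tuple

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
IPPROTO_FRAGMENT = 44
ICMPV6_ROUTER_ADVERT = 134
ICMPV6_NEIGHBOR_SOLICIT = 135
EXTENSION_HEADERS = {0, 43, 44, 60}  # hop-by-hop, routing, fragment, dest opts
ALL_NODES = bytes.fromhex("ff02" + "00" * 13 + "01")


def build_frame(src_mac: bytes, src_ip: bytes, icmp_type: int,
                fragment_header: bool = False) -> bytes:
    """Constructed Ethernet/IPv6/ICMPv6 frame (sample data, checksum left 0)."""
    icmp = struct.pack("!BBHBBHII", icmp_type, 0, 0, 64, 0, 1800, 0, 0)
    payload, next_header = icmp, IPPROTO_ICMPV6
    if fragment_header:  # RA placed behind a Fragment header (see RFC 7113)
        payload = struct.pack("!BBHI", IPPROTO_ICMPV6, 0, 0, 1) + icmp
        next_header = IPPROTO_FRAGMENT
    ipv6 = struct.pack("!IHBB", 0x60000000, len(payload), next_header, 255)
    eth = b"\x33\x33\x00\x00\x00\x01" + src_mac + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ipv6 + src_ip + ALL_NODES + payload


def classify(frame: bytes) -> str:
    """'ra', 'not_ra' or 'ambiguous' (an extension-header chain this guard does
    not parse; it is treated like an RA so the guard fails closed)."""
    if len(frame) < 55 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return "not_ra"
    next_header = frame[20]
    if next_header in EXTENSION_HEADERS:
        return "ambiguous"
    if next_header != IPPROTO_ICMPV6:
        return "not_ra"
    return "ra" if frame[54] == ICMPV6_ROUTER_ADVERT else "not_ra"


def ra_allowed(policy: str, port: str, explicit: Dict[str, bool],
               uplinks: Set[str]) -> bool:
    """'explicit': only per-port settings the admin made by hand count.
    'uplink-default': designated uplink ports also pass RAs when unset."""
    if port in explicit:
        return explicit[port]
    return policy == "uplink-default" and port in uplinks


def run_guard(policy: str, explicit: Dict[str, bool], uplinks: Set[str],
              traffic: List[Tuple[str, bytes]]) -> List[Tuple[str, str, str]]:
    """Decide forward/drop per (ingress_port, frame); non-RA traffic always
    forwards, RA and ambiguous frames only where ra_allowed() says so."""
    decisions = []
    for port, frame in traffic:
        kind = classify(frame)
        ok = kind == "not_ra" or ra_allowed(policy, port, explicit, uplinks)
        decisions.append((port, kind, "forward" if ok else "drop"))
    return decisions


def ll(n: int) -> bytes:  # constructed link-local address fe80::n
    return bytes.fromhex("fe80" + "00" * 13 + f"{n:02x}")


# Constructed sample traffic: real router on the uplink, misconfigured host
# on an access port, a harmless neighbor solicitation, an RA behind a fragment.
ROUTER = build_frame(bytes.fromhex("00005e000101"), ll(1), ICMPV6_ROUTER_ADVERT)
ROGUE = build_frame(bytes.fromhex("001122334455"), ll(2), ICMPV6_ROUTER_ADVERT)
NS = build_frame(bytes.fromhex("001122334466"), ll(3), ICMPV6_NEIGHBOR_SOLICIT)
HIDDEN = build_frame(bytes.fromhex("001122334477"), ll(4),
                     ICMPV6_ROUTER_ADVERT, fragment_header=True)
TRAFFIC = [("Gi0/1", ROUTER), ("Gi0/5", ROGUE), ("Gi0/6", NS), ("Gi0/7", HIDDEN)]

if __name__ == "__main__":
    for policy, explicit in (("explicit", {}), ("explicit", {"Gi0/1": True}),
                             ("uplink-default", {})):
        print(policy, explicit, run_guard(policy, explicit, {"Gi0/1"}, TRAFFIC))
```

Under the explicit model the legitimate router's RAs are also dropped until the admin marks Gi0/1, which is the cost Owen's default avoids; under either model the rogue RA and the fragment-hidden RA are dropped, and every drop is a detection event worth logging.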




Re: turning on comcast v6

2014-01-06 Thread Paul Ferguson

On 1/6/2014 1:08 PM, Owen DeLong wrote:

 The port isn't particularly trusted, but it is allowed to send RAs
 which are forwarded to the network by default. Obviously a sane
 switch would allow this configuration to be changed. We're not
 talking about the security model for a network, we're talking about
 the default behavior of a switch.
 
 Defaults are, inherently, guesses to some extent. Nonetheless, a
 switch must have some default behavior.
 
 It seems to me that in the case of switches which have otherwise
 designated uplink ports, it is logical to make those ports default
 to RA allowed while defaulting to not allowing RAs from other ports
 by default.

Some people do not want switches making IP address assignments. That's
all. :-)

- - ferg

- -- 
Paul Ferguson
PGP Public Key ID: 0x54DC85B2




Re: Comcast/Level3 issues

2014-01-06 Thread Paul WALL
Kevin,

Thank you for the info.  Can you say how many quarters or years until
Comcast is resolved?

I've seen references to that obscure whitepaper (co-authored,
ironically, by Patrick Gilmore) before on the broadbandreports forums,
by someone with a lot of knowledge on Comcast's network and internal
politics/peering discussions.  Do you know who the poster is?

https://encrypted.google.com/search?q=28619103+dslreports+site:www.dslreports.combiw=1000bih=1000

Drive Slow,
Paul WALL

On Sun, Jan 5, 2014 at 6:17 PM, McElearney, Kevin
kevin_mcelear...@cable.comcast.com wrote:
 FWIW, we work with each issue and try to fix them as best we can.  Several
 are underway.  Much of the “traffic shifting” is happening external to
 Comcast with very large traffic swings congesting AND uncongesting paths.
 The beauty of adaptive routing via CDN and text book “Creating Incentives
 to Peer” - feel free to google that...

 - Kevin

 On 1/5/14, 1:22 AM, Paul WALL pauldotw...@gmail.com wrote:

The people pushing this policy are not without a face and name.  They read
this mailing list, and attend our conferences.  You'll want to talk to
John
Schanz, Kevin McElearney, and Barry Tishgart.

Drive Slow (like a Comcast peering port),
Paul Wall


On Fri, Jan 3, 2014 at 10:55 AM, Scott Berkman sc...@sberkman.net wrote:

 Comcast having saturated links to other providers is a common and
 frequently discussed issue.  Here is one previous NANOG thread on the
topic:

 http://mailman.nanog.org/pipermail/nanog/2010-December/029251.html

 And a related article:
 http://www.dslreports.com/shownews/Claims-Resurface-Concerning-Congested-Comcast-TATA-Links-111818

 There are debates back and forth on the validity of the graphs from the
 NANOG post, but it is a fact that at that time Comcast was heavily
 pre-pending their Level BGP advertisements to force traffic over to
Tata,
 and many many people noticed congestion at those links in a variety of
 markets.

 I wish you luck, but my personal opinion is that your fastest resolution
 would be to move to another provider.  Comcast is a residential ISP that
 lives on extreme over-subscription and not actually being able to
deliver
 what customers believe they have. You'll notice a lot of recent news
about
 increased and more strict data caps for their subscribers, and that is
the
 only thing they will likely be doing to relieve these types of recurring
 issues.

   -Scott



 On 01/02/2014 11:18 PM, R W wrote:

 I'm seeing the same as well. Can anyone from Comcast/Level(3) reach out
 to me or provide comment. We're seeing heavy jitter and some packet
loss
 most noticeable in NYC area connections between Level(3) and Comcast.
 -Rob

  Date: Tue, 31 Dec 2013 09:45:00 -0800
 Subject: Comcast/Level3 issues
 From: dwh...@gmail.com
 To: nanog@nanog.org

 Looking for a networking contact at comcast and/or level3.  I've been
 having some slow speed issues with hitting some sites that's going
 through
 level3 and I think there might be some congestion.

 Doug









Re: turning on comcast v6

2014-01-06 Thread Owen DeLong

On Jan 6, 2014, at 13:22 , Paul Ferguson fergdawgs...@mykolab.com wrote:

 
 On 1/6/2014 1:08 PM, Owen DeLong wrote:
 
 The port isn't particularly trusted, but it is allowed to send RAs
 which are forwarded to the network by default. Obviously a sane
 switch would allow this configuration to be changed. We're not
 talking about the security model for a network, we're talking about
 the default behavior of a switch.
 
 Defaults are, inherently, guesses to some extent. Nonetheless, a
 switch must have some default behavior.
 
 It seems to me that in the case of switches which have otherwise
 designated uplink ports, it is logical to make those ports default
 to RA allowed while defaulting to not allowing RAs from other ports
 by default.
 
 Some people do not want switches making IP address assignments. That's
 all. :-)
 

Huh???

I don't think I said anything even remotely like that.

Owen




Re: 10gbps peering subscriber switch recommendation

2014-01-06 Thread Randy Bush
 A little bit overkill in terms of number of ports, but you can consider
 the new Trident 2 switches Juniper EX-5100, Cisco Nexus 3100.
 They have unified TCAM that can store 128K v4 routes.

the nice thing about buying bgp devices that can not hold a full table
is that you can expense them in the year of purchase as opposed to
amortizing them over 5 years or so.

randy



Re: Comcast/Level3 issues

2014-01-06 Thread McElearney, Kevin
“Paul”,

I don't read this list often, and rarely have seen a private message
reposted as you did, but at the risk of DFTT, give me some time to think
through a discussion topic for this list which touches on some of these
issues.

- Kevin

DISCLOSURE: On DSLR, I am ccneteng when I visit there.
http://www.dslreports.com/profile?find=ccneteng





Re: Open source hardware

2014-01-06 Thread TGLASSEY
Arnd - the German Government is most likely a partner meaning 
overloading the NSA is pointless if you could.


Todd

On 1/5/2014 1:15 AM, Arnd Vehling wrote:

Hi,

On 04.01.2014 21:07, Daniël W. Crompton wrote:

To my surprise I am seeing a theme fatalistic acceptance in this thread,


that's not really surprising. Then most people don't understand the 
implications this has.



A number have mentioned that if you are targeted there is little you can
do, and this is something that I agree with to a certain extent.


Here I agree too. But I think it should be possible to overload 
them by mass-creating fake data and honeypots. They don't have endless 
resources, especially when it comes to decrypting. So, if just 10% of 
the aware persons start firing up NSA honeypots, they get a 
resource problem and will fail at selecting targets.


// Arnd





--
-

Personal Email - Disclaimers Apply