Re: 7206 VXR NPE-G1 throughput
On Thursday, February 13, 2014 12:28:47 AM Vlade Ristevski wrote: My Cisco SE brought up an interesting alternative. This summer we're replacing our 6513 Sup720 with a pair of 6807 with redundant Sup 2Ts. It is where all our internal Fiber terminates and where internal routing happens. He said we can add extra memory and terminate our BGP sessions here and use that for our Internet connections. After thinking it over, I'd still rather have dedicated routers for our Internet access but I'm curious what you guys think about this suggestion. If you have the budget, run dedicated peering/upstream routers. Hierarchical separation of functions at the hardware level provides lots of flexibility in other areas as your network grows. If cash is not a constraint, go for it, I'd say. Mark.
Re: SIP on FTTH systems
On 2014-02-12 05:47, Frank Bulk wrote: In the scenario you're describing does each PC get its own /64 (or /56 or /48) directly from the service provider? Or are they in the same netblock? They are connected through a L2 switch directly to the access port. Mikael responded in another email, and verified that traffic will be exchanged through the default gateway even if the PCs are in the same home. If CPE is L3 capable it's not an issue. /Anders
Re: 7206 VXR NPE-G1 throughput
On Thursday, February 13, 2014 05:08:02 AM Mikael Abrahamsson wrote: A lot of people use SUP720-3BXL and RSP720-3CXL for full BGP table routing. This will work just fine until the IPv4 routing table reaches 800k entries or something (if you want to do IPv6 at the same time, you probably don't want to go over 800k IPv4 routes and 50k IPv6 routes to have a little bit of margin of the around 1M routes the XL sup can handle). Or route churn which quickly shows the inadequacies of the CPU in those control planes. An NPE-G1/G2 has a much quicker CPU. Mark.
Re: SIP on FTTH systems
On Thursday, February 13, 2014 11:37:54 AM Anders Löwinger wrote: They are connected through a L2 switch directly to the access port. Mikael responded in another email, and verified that traffic will be exchanged through the default gateway even if the PCs are in the same home. If CPE is L3 capable it's not an issue. Ideally, CPE would be Layer 3-capable. I can see situations where providers offer you only one port off their AN into your home. I can also see this further enhanced with permitting only one MAC address on that port. In such a case, an IP-capable CPE device is ideal. Mark.
ddos attack blog
Good write-up, includes name and shame for ATT Wireless, IIJ, OVH, DTAG and others http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack Standard plug for http://openntpproject.org/ and http://openresolverproject.org/ and bcp38, please fix/help. For those of you paying attention to the outage list, this is a pretty big deal that has had daily ramifications for some very big networks https://puck.nether.net/pipermail/outages/2014-February/date.html In general, I think UDP is doomed to be blocked and rate limited -- tragedy of the commons. But, it would be nice if folks would just fix the root of the issue so the rest of us don't have to go there... Regards, CB
Re: ddos attack blog
On Feb 13, 2014, at 12:06 PM, Cb B cb.li...@gmail.com wrote: Good write-up, includes name and shame for ATT Wireless, IIJ, OVH, DTAG and others http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack Standard plug for http://openntpproject.org/ and http://openresolverproject.org/ and bcp38, please fix/help. For those of you paying attention to the outage list, this is a pretty big deal that has had daily ramifications for some very big networks https://puck.nether.net/pipermail/outages/2014-February/date.html In general, I think UDP is doomed to be blocked and rate limited -- tragedy of the commons. But, it would be nice if folks would just fix the root of the issue so the rest of us don't have to go there... While I'm behind some of the inventory projects (so you can go ahead and fix.. let me know if you need/want the URLs to see data for your networks)... I must provide credit to those behind the Amplification Hell talk at NDSS. If you are at all interested in what is going on, you should attend or review the content. http://www.internetsociety.org/ndss2014/programme BCP-38 on your customers is going to be critical to prevent the abuse reaching your network. Please ask your vendors for it, and ask your providers to filter your network to prevent you originating this abuse. If you operate hosted VMs, servers, etc.. please make sure those netblocks are secured as well. You can easily check your network (as can the bad guys!) here: http://spoofer.cmand.org/ - Jared
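Jared's point about BCP38 on customer ports can be audited and enforced mechanically. The Python below is an added example, not code from this thread or from any of the projects linked above. It assumes a constructed set of prefixes assigned to one customer-facing port and a few constructed flow records in a made-up `src -> dst proto/port` text form; it flags ingress flows whose source address lies outside the assigned prefixes (the traffic BCP38 says should never leave that port) and renders the corresponding IOS-style ingress ACL (syntax assumed from common usage, not verified on hardware).

```python
import ipaddress

# Constructed example: the prefixes legitimately assigned to one customer port
CUSTOMER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "2001:db8:10::/48")]

# Constructed flow records as seen inbound from that customer port (not real data).
# Two of them carry source addresses the customer was never assigned.
SAMPLE_FLOWS = [
    "192.0.2.17 -> 203.0.113.5 udp/123",
    "198.51.100.9 -> 203.0.113.5 udp/123",
    "2001:db8:10::42 -> 2001:db8:ffff::1 udp/53",
    "2001:db8:99::1 -> 2001:db8:ffff::1 udp/53",
]


def parse_flow(line):
    """Parse the made-up 'src -> dst proto/port' record into (src, dst, proto)."""
    src, _, rest = line.partition(" -> ")
    dst, _, proto = rest.partition(" ")
    return (ipaddress.ip_address(src.strip()),
            ipaddress.ip_address(dst.strip()),
            proto.strip())


def is_permitted_source(src, prefixes):
    """True if src falls inside one of the prefixes assigned to this port."""
    return any(src in p for p in prefixes if p.version == src.version)


def classify_flows(lines, prefixes):
    """Return the source addresses (as strings) that BCP38 filtering would drop."""
    spoofed = []
    for line in lines:
        src, _dst, _proto = parse_flow(line)
        if not is_permitted_source(src, prefixes):
            spoofed.append(str(src))
    return spoofed


def generate_acl(prefixes, name="BCP38-CUSTOMER"):
    """Render an IOS-style ingress ACL (assumed syntax) permitting only the
    assigned prefixes as source and logging everything else."""
    v4 = [p for p in prefixes if p.version == 4]
    v6 = [p for p in prefixes if p.version == 6]
    lines = [f"ip access-list extended {name}"]
    # IOS v4 ACLs take a wildcard (host) mask rather than a prefix length
    lines += [f" permit ip {p.network_address} {p.hostmask} any" for p in v4]
    lines.append(" deny ip any any log")
    lines.append(f"ipv6 access-list {name}-V6")
    lines += [f" permit ipv6 {p} any" for p in v6]
    lines.append(" deny ipv6 any any log")
    return lines


if __name__ == "__main__":
    print("would be dropped by BCP38:", classify_flows(SAMPLE_FLOWS, CUSTOMER_PREFIXES))
    print("\n".join(generate_acl(CUSTOMER_PREFIXES)))
```

On single-homed customer ports, strict unicast RPF (`ip verify unicast source reachable-via rx` on IOS) achieves the same result without maintaining an ACL per port; the explicit ACL form is the fallback where the customer is multihomed and strict RPF would discard legitimate asymmetric traffic. The flow check is the audit side: run it over exported flows from a customer port to see whether spoofed sources are already getting through before they show up in somebody else's amplification report.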
Re: ddos attack blog
On 2/13/2014 9:06 AM, Cb B wrote: Good write-up, includes name and shame for ATT Wireless, IIJ, OVH, DTAG and others http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack Standard plug for http://openntpproject.org/ and http://openresolverproject.org/ and bcp38, please fix/help. For those of you paying attention to the outage list, this is a pretty big deal that has had daily ramifications for some very big networks https://puck.nether.net/pipermail/outages/2014-February/date.html In general, I think UDP is doomed to be blocked and rate limited -- tragedy of the commons. But, it would be nice if folks would just fix the root of the issue so the rest of us don't have to go there... The alternative is to get people to understand that anti-spoofing is good, and efforts to combat spoofing should be encouraged. - ferg -- Paul Ferguson VP Threat Intelligence, IID PGP Public Key ID: 0x54DC85B2
Re: 7206 VXR NPE-G1 throughput
Dan Brisson wrote the following on 2/12/2014 9:06 PM: My Cisco SE brought up an interesting alternative. This summer we're replacing our 6513 Sup720 with a pair of 6807 with redundant Sup 2Ts. It is where all our internal Fiber terminates and where internal routing happens. He said we can add extra memory and terminate our BGP sessions here and use that for our Internet connections. After thinking it over, I'd still rather have dedicated routers for our Internet access but I'm curious what you guys think about this suggestion. I think at the Internet edge, physical separation trumps logical unless you have no other choice. Personally, I would keep them separate. My .02, -dan A point to consider: Layer 3 infrastructure and the services that run on L3 devices (ssh, ntp, routing protocols, packet classification, monitoring, shaping, etc) have a much higher surface area for attack and bugs. They therefore (theoretically) require more frequent updates and encounter more problems. Do you want to disrupt your layer 2 infrastructure every time you update your L3 infrastructure? Do you want to expose your L2 infrastructure to the potential bugs in L3 and above code? Separate physical devices can create a more available network. Counterpoint: A router in front of a router adds an additional point of failure. If you're not gaining anything (features, redundancy, etc) by its introduction you're just wasting money and hurting your (potential) availability. If you provide a lot of L2 only services, or have a substantial amount of traffic that never leaves L2, I would recommend dividing your network by OSI layer. This allows you to easily have different update, security, warranty, etc policies for the different services your network provides.
If you are an ISP offering L3 only services or all traffic on your network hits L3, then a failure of any one layer will disrupt all communication; in this case, you may save time/money and increase availability by combining L2 and L3+ functions. --Blake
Tail-F NCS? (Or similar network configuration management.)
Looking for real-world experience with Tail-f NCS (or similar network configuration management.) Not looking for rancid, we have a homebrew config collection that works well. Looking for something significantly better than I can write myself. Not looking for sales either, I have people for that :-) On/off list is fine. -- Tim:
Wide BGP Communities update (-04) - input solicited
The authors of the Wide BGP Communities Internet-draft would like to solicit your feedback on the current version of the draft. The intended purpose of the feature is to provide for next-generation BGP communities. Why next-generation? A few motivations: - BGP Path Attribute code space is limited. We want to stop burning new code points for such features when the underlying "mark a route" behavior is the same. - Each time we add something with new encoding, we get deployment lag from needing new code to handle it. - While it's done the job for a number of years, existing communities force operators to go through a lot of convoluted policy to do anything from very common things to subtle things. The accompanying use case document will be updated soon, but not prior to the upcoming IETF. Most of our attention the last few weeks has been on getting the details of the encoding right. In recognition of a very common use case desired here, note Section 5. A wide community is being registered with no further semantics than "here's a list of AS numbers". This permits the desired AS4:AS4 semantic. -- Jeff - Forwarded message from internet-dra...@ietf.org - Date: Thu, 13 Feb 2014 12:55:54 -0800 From: internet-dra...@ietf.org To: i-d-annou...@ietf.org Subject: I-D Action: draft-raszuk-wide-bgp-communities-04.txt A New Internet-Draft is available from the on-line Internet-Drafts directories. Title : Wide BGP Communities Attribute Authors : Robert Raszuk Jeffrey Haas Andrew Lange Shane Amante Bruno Decraene Paul Jakma Richard A Steenbergen Filename: draft-raszuk-wide-bgp-communities-04.txt Pages : 24 Date: 2014-02-13 Abstract: Route tagging plays an important role in external BGP [RFC4271] relations, in communicating various routing policies between peers. It is also a very common best practice among operators to propagate various additional information about routes intra-domain.
The most common tool used today to attach various information about routes is through the use of BGP communities [RFC1997]. Such information is important to allow BGP speakers to perform some mutually agreed actions without the need to maintain a separate offline database for each tuple of prefix and associated set of action entries. This document defines a new encoding which will enhance and simplify what can be accomplished today with the use of BGP communities. The most important addition this specification makes over currently defined BGP communities is the ability to specify, carry as well as use for execution an operator's defined set of parameters. It also provides an extensible platform for any new community encoding needs in the future. The IETF datatracker status page for this draft is: https://datatracker.ietf.org/doc/draft-raszuk-wide-bgp-communities/ There's also a htmlized version available at: http://tools.ietf.org/html/draft-raszuk-wide-bgp-communities-04 A diff from the previous version is available at: http://www.ietf.org/rfcdiff?url2=draft-raszuk-wide-bgp-communities-04 Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org. Internet-Drafts are also available by anonymous FTP at: ftp://ftp.ietf.org/internet-drafts/ ___ I-D-Announce mailing list i-d-annou...@ietf.org https://www.ietf.org/mailman/listinfo/i-d-announce Internet-Draft directories: http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt - End forwarded message -
Question on Route-Set for Arin DB
So the Routing Database is something that I am just learning about and trying to find out if I need to create a Route-set or not. I just created my MNTNER ID and I also created the Route Objects for my two /24s that were given to me by my carriers. Do I need a route-set or aut-num object created? Still trying to get my head wrapped around the need for this. I read through this tutorial: http://www.nanog.org/meetings/nanog51/presentations/Sunday/NANOG51.Talk34.NANOG51%20IRR%20Tutorial.pdf and didn't get a really clear idea as to if I needed these. TIA, Joe
Re: ddos attack blog
On 02/13/2014 10:06 AM, Cb B wrote: Good write-up, includes name and shame for ATT Wireless, IIJ, OVH, DTAG and others http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack Standard plug for http://openntpproject.org/ and http://openresolverproject.org/ and bcp38, please fix/help. For those of you paying attention to the outage list, this is a pretty big deal that has had daily ramifications for some very big networks https://puck.nether.net/pipermail/outages/2014-February/date.html In general, I think UDP is doomed to be blocked and rate limited -- tragedy of the commons. But, it would be nice if folks would just fix the root of the issue so the rest of us don't have to go there... UDP won't be blocked. There are some vendors that have their own hidden protocol inside UDP packets to control and communicate with their devices. Thinking on it again, maybe blocking UDP isn't all that bad. Would force the vendors to not 'hide' their protocol. --John Regards, CB
internet peering conferences in Asia Pacific
Does anyone know what is the equivalent or similar conference / organization for Internet operators in Asia Pacific? Thanks, Krishnan
Re: Question on Route-Set for Arin DB
I am a newbie at it as well, having said that.. the short answer to your question is YES to aut-num and NO to route-set .. but the longer answer will always be based on how you are using the IRR If you are doing this for the most common, basic reason, that one of your upstreams is requiring it.. then you may have to ask them. (in most cases aut-num for your ASN and route object for your routes is needed at minimum) BTW, I am curious, if you did not create an aut-num object, what did you enter as origin: for your route objects ? Regards Faisal Imtiaz Snappy Internet Telecom 7266 SW 48 Street Miami, FL 33155 Tel: 305 663 5518 x 232 Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net - Original Message - From: Joseph Jenkins j...@breathe-underwater.com To: nanog@nanog.org Sent: Thursday, February 13, 2014 5:28:39 PM Subject: Question on Route-Set for Arin DB So the Routing Database is something that I am just learning about and trying to find out if I need to create a Route-set or not. I just created my MNTNER ID and I also created the Route Objects for my two /24s that were given to me by my carriers. Do I need a route-set or aut-num object created? Still trying to get my head wrapped around the need for this. I read through this tutorial: http://www.nanog.org/meetings/nanog51/presentations/Sunday/NANOG51.Talk34.NANOG51%20IRR%20Tutorial.pdf and didn't get a really clear idea as to if I needed these. TIA, Joe
Re: internet peering conferences in Asia Pacific
There is a group called PTC.. Pacific Telecommunications Council.. That's pretty much the biggest I can think of (lots of MSOs.. Operators, etc.) and it's in Hawaii every year. On 2/13/14, 11:25 AM, Krishnan Subramanian krishnan.subraman...@guavus.com wrote: Does anyone know what is the equivalent or similar conference / organization for Internet operators in Asia Pacific? Thanks, Krishnan
Re: internet peering conferences in Asia Pacific
Apricot Mehmet On Feb 13, 2014, at 11:25, Krishnan Subramanian krishnan.subraman...@guavus.com wrote: Does anyone know what is the equivalent or similar conference / organization for Internet operators in Asia Pacific? Thanks, Krishnan
Re: internet peering conferences in Asia Pacific
http://2014.apricot.net/ -R On 14/02/14 5:25 AM, Krishnan Subramanian krishnan.subraman...@guavus.com wrote: Does anyone know what is the equivalent or similar conference / organization for Internet operators in Asia Pacific? Thanks, Krishnan
Re: internet peering conferences in Asia Pacific
http://www.nznog.org/home http://www.ausnog.net/ http://www.sanog.org/ https://www.pacnog.org/ -- Geraint Jones Director of Systems Infrastructure Koding https://koding.com gera...@koding.com Phone (415) 653-0083 On 14/02/14 8:25 am, Krishnan Subramanian krishnan.subraman...@guavus.com wrote: Does anyone know what is the equivalent or similar conference / organization for Internet operators in Asia Pacific? Thanks, Krishnan
Re: internet peering conferences in Asia Pacific
APRICOT conference always has time slots of Peering Forum and Peering Cocktail for peering topic. JANOG meeting is held in Japan twice a year. http://www.janog.gr.jp/en/ Regards, Masataka MAWATARI * On Thu, 13 Feb 2014 23:40:15 + * Nurul Islam Roman nu...@apnic.net wrote: http://2014.apricot.net/ -R On 14/02/14 5:25 AM, Krishnan Subramanian krishnan.subraman...@guavus.com wrote: Does anyone know what is the equivalent or similar conference / organization for Internet operators in Asia Pacific? Thanks, Krishnan
Re: ddos attack blog
On Feb 13, 2014, at 1:47 PM, John jsch...@flowtools.net wrote: On 02/13/2014 10:06 AM, Cb B wrote: Good write-up, includes name and shame for ATT Wireless, IIJ, OVH, DTAG and others http://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack Standard plug for http://openntpproject.org/ and http://openresolverproject.org/ and bcp38, please fix/help. For those of you paying attention to the outage list, this is a pretty big deal that has had daily ramifications for some very big networks https://puck.nether.net/pipermail/outages/2014-February/date.html In general, I think UDP is doomed to be blocked and rate limited -- tragedy of the commons. But, it would be nice if folks would just fix the root of the issue so the rest of us don't have to go there... UDP won't be blocked. There are some vendors that have their own hidden protocol inside UDP packets to control and communicate with their devices. Thinking on it again, maybe blocking UDP isn't all that bad. Would force the vendors to not 'hide' their protocol. Be careful what you wish for. I know some people have just blocked all NTP to keep their servers from participating in attacks. This is common in places where they hand off a VM/host to a customer and no longer have access despite it being in their environment. I would actually like to ask for those folks to un-block NTP so there is proper data on the number of hosts for those researching this. The right thing to do is reconfigure them. I've seen a good trend line in NTP servers being fixed, and hope we will see more of that in the next few weeks. I've seen maybe 100-200 per-ASN reports handed out to network operators. If you want yours, please e-mail ntp-s...@puck.nether.net to obtain it. Put your ASN in the subject line and/or body. - Jared (and others like Patrick that presented on the project's behalf).
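Jared's advice above is to reconfigure NTP servers rather than block the protocol outright. As an added example, not from this thread or from any project, the following ntpd configuration fragment shows the permissive setting beside the hardened one. It assumes the `restrict` directive syntax of the reference ntpd implementation; the server names are placeholders.

```conf
# Permissive: an unrestricted default lets any source send mode-6/7
# control queries (including the monlist dump abused for amplification).
# restrict default

# Hardened: still answer ordinary time requests from anyone, but refuse
# mode-6/7 queries (noquery), configuration changes (nomodify), trap
# registration (notrap) and unsolicited peering (nopeer); kod asks
# aggressive clients to back off.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

# Local management access only from the host itself
restrict 127.0.0.1
restrict ::1

# Belt and braces: do not keep the monitor table at all, so there is
# nothing for monlist to return even if a query slips through.
disable monitor

# Upstream time sources (placeholder names, replace with your own)
server ntp1.example.net iburst
server ntp2.example.net iburst
```

After reloading ntpd, the openntpproject.org scan data Jared mentions is the independent check that the host no longer answers monlist from the outside; the per-ASN reports he offers give the same view for a whole network.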
Re: internet peering conferences in Asia Pacific
There is a group called PTC the T stands for telco. no internet peering
Re: Question on Route-Set for Arin DB
The origin stands alone; no aut-num needed in many cases. The way many providers use the IRR info is to take the adjacent ASN and do a reverse index lookup on the origin field. That is, for AS1234, what are all the route and route6 objects with that as an origin. If you need something more complicated, you can use an aut-num object to say that an as-set, route-set or combinations of these ought to be folded in when creating the filters. Tony On Thu, Feb 13, 2014 at 6:30 PM, Faisal Imtiaz fai...@snappytelecom.net wrote: I am a newbie at it as well, having said that.. the short answer to your question is YES to aut-num and NO to route-set .. but the longer answer will always be based on how you are using the IRR If you are doing this for the most common, basic reason, that one of your upstreams is requiring it.. then you may have to ask them. (in most cases aut-num for your ASN and route object for your routes is needed at minimum) BTW, I am curious, if you did not create an aut-num object, what did you enter as origin: for your route objects ? Regards Faisal Imtiaz Snappy Internet Telecom 7266 SW 48 Street Miami, FL 33155 Tel: 305 663 5518 x 232 Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net - Original Message - From: Joseph Jenkins j...@breathe-underwater.com To: nanog@nanog.org Sent: Thursday, February 13, 2014 5:28:39 PM Subject: Question on Route-Set for Arin DB So the Routing Database is something that I am just learning about and trying to find out if I need to create a Route-set or not. I just created my MNTNER ID and I also created the Route Objects for my two /24s that were given to me by my carriers. Do I need a route-set or aut-num object created? Still trying to get my head wrapped around the need for this. I read through this tutorial: http://www.nanog.org/meetings/nanog51/presentations/Sunday/NANOG51.Talk34.NANOG51%20IRR%20Tutorial.pdf and didn't get a really clear idea as to if I needed these. TIA, Joe
Re: internet peering conferences in Asia Pacific
Simmer. http://www.iixpeering.net/news/iix-leads-remote-peering-industry-at-ptc-14/ ... Sent from my T-Mobile 4G LTE Device Original message From: Randy Bush ra...@psg.com Date: 02/13/2014 5:34 PM (GMT-08:00) To: Warren Bailey wbai...@satelliteintelligencegroup.com Cc: Krishnan Subramanian krishnan.subraman...@guavus.com,nanog@nanog.org Subject: Re: internet peering conferences in Asia Pacific There is a group called PTC the T stands for telco. no internet peering
Re: internet peering conferences in Asia Pacific
https://www.ams-ix.net/events/19 In case more citation is required. I'd imagine the whole free trip to hawaii aspect brings in more folks than you'd expect. Sent from my T-Mobile 4G LTE Device Original message From: Randy Bush ra...@psg.com Date: 02/13/2014 5:34 PM (GMT-08:00) To: Warren Bailey wbai...@satelliteintelligencegroup.com Cc: Krishnan Subramanian krishnan.subraman...@guavus.com,nanog@nanog.org Subject: Re: internet peering conferences in Asia Pacific There is a group called PTC the T stands for telco. no internet peering
Re: internet peering conferences in Asia Pacific
http://www.iixpeering.net/news/iix-leads-remote-peering-industry-at-ptc-14/ ah yes, sales and marketing bumph. desperate for any venue. the point is, if you want to do internet peering in asia, the venues are apricot, sanog, aus/nz/.../nog, ripe (yes, asian peering coords go to ripe), etc. randy
Re: Question on Route-Set for Arin DB
The way many providers use the IRR info is to take the adjacent ASN and do a reverse index lookup on the origin field. That is, for AS1234, what are all the route and route6 objects with that as an origin. If you need something more complicated, you can use an aut-num object to say that an as-set, route-set or combinations of these ought to be folded in when creating the filters. fwiw, i build filters by running peval() over their as-set randy
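Tony's reverse lookup on the origin field and Randy's peval over an as-set are the two ways a provider turns IRR objects into a prefix filter. The Python below is an added example, not code from this thread, from peval or from any IRR toolchain. It assumes a constructed block of RPSL-style `route`, `route6` and `as-set` objects (not real IRR data), builds the origin index Tony describes, expands an as-set recursively the way peval would (with a guard against member loops, which do occur in real as-sets), and returns the prefixes a filter would permit. Hierarchical as-set names (`AS64500:AS-CUST`) are handled by treating anything that is not a bare `AS<number>` as a set.

```python
import re
from collections import defaultdict

# Constructed RPSL-style objects (not real IRR data); a blank line separates objects.
# AS-EXAMPLE and AS-EXAMPLE-CUST reference each other to exercise the loop guard.
SAMPLE_IRR = """\
route:      192.0.2.0/24
origin:     AS64500
mnt-by:     MAINT-EXAMPLE

route6:     2001:db8::/32
origin:     AS64500
mnt-by:     MAINT-EXAMPLE

route:      198.51.100.0/24
origin:     AS64501
mnt-by:     MAINT-EXAMPLE

route:      203.0.113.0/24
origin:     AS64502
mnt-by:     MAINT-OTHER

as-set:     AS-EXAMPLE
members:    AS64500, AS64501
members:    AS-EXAMPLE-CUST

as-set:     AS-EXAMPLE-CUST
members:    AS64501
members:    AS-EXAMPLE
"""

ASN_RE = re.compile(r"^AS\d+$", re.IGNORECASE)


def parse_objects(text):
    """Split RPSL text into (class, attrs) pairs; attrs maps key -> list of values."""
    objects = []
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs, first = defaultdict(list), None
        for line in block.splitlines():
            if ":" not in line:
                continue
            key, _, value = line.partition(":")
            key, value = key.strip().lower(), value.strip()
            first = first or key          # the first attribute names the object class
            attrs[key].append(value)
        if first:
            objects.append((first, attrs))
    return objects


def index_by_origin(objects):
    """Reverse index: origin ASN -> set of route/route6 prefixes (Tony's lookup)."""
    idx = defaultdict(set)
    for kind, attrs in objects:
        if kind in ("route", "route6"):
            for origin in attrs.get("origin", []):
                idx[origin.upper()].add(attrs[kind][0])
    return idx


def expand_as_set(name, objects, _seen=None):
    """Recursively expand an as-set into bare ASNs; _seen breaks member loops."""
    _seen = _seen if _seen is not None else set()
    name = name.upper()
    if name in _seen:
        return set()
    _seen.add(name)
    sets = {attrs["as-set"][0].upper(): attrs
            for kind, attrs in objects if kind == "as-set"}
    attrs = sets.get(name)
    if attrs is None:                     # unknown set: contributes nothing
        return set()
    asns = set()
    for members_line in attrs.get("members", []):
        for member in (m.strip().upper() for m in members_line.split(",") if m.strip()):
            if ASN_RE.match(member):
                asns.add(member)
            else:
                asns |= expand_as_set(member, objects, _seen)
    return asns


def prefixes_for_origin(asn, text):
    """Prefixes registered with this ASN as origin (the adjacent-ASN filter)."""
    return sorted(index_by_origin(parse_objects(text)).get(asn.upper(), set()))


def prefixes_for_as_set(name, text):
    """Prefixes for every ASN reachable from an as-set (the peval-style filter)."""
    objects = parse_objects(text)
    idx = index_by_origin(objects)
    return sorted(set().union(*(idx.get(a, set()) for a in expand_as_set(name, objects))))


if __name__ == "__main__":
    print("AS64500 originates:", prefixes_for_origin("AS64500", SAMPLE_IRR))
    print("AS-EXAMPLE expands to:", prefixes_for_as_set("AS-EXAMPLE", SAMPLE_IRR))
```

Against live IRR data the same two functions answer Joe's original question in practice: a route object with the correct `origin:` is enough for an upstream that filters by adjacent ASN, and an as-set only matters once a provider builds its filter by expanding one. Note that `AS64502`'s prefix is never returned for `AS-EXAMPLE`, which is the whole point: a prefix gets into the filter only through an ASN the set actually names.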
Re: internet peering conferences in Asia Pacific
On Thu, 13 Feb 2014, Warren Bailey wrote: There is a group called PTC.. Pacific Telecommunications Council.. That's pretty much the biggest I can think of (lots of MSOs.. Operators, etc.) and it's in Hawaii every year. Actually the conference moves around the Pacific. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: internet peering conferences in Asia Pacific
On Friday, February 14, 2014 01:35:03 AM Warren Bailey wrote: There is a group called PTC.. Pacific Telecommunications Council.. That's pretty much the biggest I can think of (lots of MSOs.. Operators, etc.) and it's in Hawaii every year. PTC is not your typical -NOG or -PF forum. It's very salesy in nature and revolves around operators scheduling meetings in hotel suites on an hourly basis to talk commercial matters, not necessarily peering and operations a la -NOGs and -PFs. If you've been to a Capacity Pick-Your-Region meeting, PTC is like that. Just bigger. The plenaries at PTC are poorly attended (IMHO), quite costly, and the content is not the kind you would find at NANOG, APRICOT, RIPE, APF, GPF, AfPIF, etc. Mark.
Re: ARIN Wants Your Feedback
the survey questions are highly biased toward arin's view of itself. just one example. you ask how well arin serves its members and customers. you do not ask how well it serves the internet community, the internet, or society in general. and that particular bias in viewpoint is at the core of arin's failure. randy
Re: ARIN Wants Your Feedback
I answered it truthfully, I clicked a lot of 1s. On Feb 13, 2014 10:21 PM, Randy Bush ra...@psg.com wrote: the survey questions are highly biased toward arin's view of itself. just one example. you ask how well arin serves its members and customers. you do not ask how well it serves the internet community, the internet, or society in general. and that particular bias in viewpoint is at the core of arin's failure. randy
Re: ARIN Wants Your Feedback
I answered it truthfully, I clicked a lot of 1s. i actually find day-to-day transactions with hostfolk ok. the org just has no vision of the internet. register, do not regulate. board, ceo, and AC seem to be dominated by itu wannabes. randy
Re: ARIN Wants Your Feedback
On Feb 13, 2014, at 10:39 PM, Randy Bush ra...@psg.com wrote: I answered it truthfully, I clicked a lot of 1s. i actually find day-to-day transactions with hostfolk ok. the org just has no vision of the internet. register, do not regulate. board, ceo, and AC seem to be dominated by itu wannabes. randy An interesting comment given that we currently do a lot more of the former and a lot less of the latter than what ARIN did when you were on the AC. Owen