Zayo Contact
I have a customer with a fiber outage with some Zayo IPs, Zayo is advertising the /24, would love to have someone contact me from Zayo; as we need that advertisement turned off so we can get inbound through another provider until the fiber is fixed. :( Thanks, [DennisBurgessSignature] www.linktechs.net - 314-735-0270 x103 - dmburg...@linktechs.net
Re: BRAS suggestion
You can try Ericsson SSR or SE. On Fri, Aug 14, 2015 at 9:58 PM, Ahad Aboss a...@telcoinabox.com wrote: Julian If you have budget constraints, try getting 2 x ASR1004, else ASR1006 with dual RP would take care of your needs. Cheers Ahad Sent from my iPhone On 15 Aug 2015, at 1:06 am, Julian Eble juliane...@yahoo.com.br wrote: Hello Nanog, Our company are constantly growing and we're looking for a 30k+ subscribers BRAS, does the community have a suggestion? Thank you!
Re: Production-scale NAT64
On 26/Aug/15 17:16, valdis.kletni...@vt.edu wrote: So I'm guessing that 75% of the traffic flows with better latency than the 25% IPvhorse-n-buggy traffic? ;) Practically, when we've tested NAT64 at reasonable scale, it does not add any noticeable slow-down provided your hardware is decent and you're operating the forwarding plane within the limits supported by the vendor. Yes, I know this can quickly become a cost run-away problem, but for better or worse, that is what separates the wheat from the other thing... The point is you need a transition tech. solution if you are serious about providing a service to your customers. Assuming you don't is living in denial. Mark.
Re: Production-scale NAT64
On 26/Aug/15 18:42, valdis.kletni...@vt.edu wrote: Actually, the point is that if you're a content provider, there's a good chance that turning up IPv6 will result in happier eyeballs, which can probably be leveraged into a competitive advantage. And the more content providers do that, the smaller your transition problem becomes. I can't argue with you there. But the problem has to be attacked from all sides. We can't just sit back and hope for the best; that's already nearly 2x decades in the making... Mark.
Re: LTE
Ericsson SSR or SE. On Tue, Aug 25, 2015 at 5:38 PM, Bryan Ignatow br...@ignatow.org wrote: Nathan, I know someone. Contact me off list and I will get you and he connected. Bryan On Tue, Aug 25, 2015 at 4:33 PM Nathan Anderson nath...@fsr.com wrote: Is there anybody here who is fluent in LTE/3GPP networks and the standards that govern them? I'm not sure where else to look. I have a very specific question about UEs, UICCs, and the security negotiation (integrity ciphers) that occurs during attachment both on the AS and NAS layers, and so far I have not found our vendor to be very helpful. If there is somebody out there that knows something about this area, and is willing to chat with me about it, feel free to drop me a line off-list. Thanks much, -- Nathan Anderson First Step Internet, LLC nath...@fsr.com
Re: DDoS appliances reviews needed
hi ramy On 08/26/15 at 12:54pm, Aftab Siddiqui wrote: Anybody here has experienced a PoC for any anti DDoS appliance, or already using a anti DDoS appliance in production and able to share his user experience/review? only interested in appliance? why not scrubbing services? is it for own use (industry reviews before purchase) or some article/publication/research? see previous similar thread for some real world reviews by folks http://mailman.nanog.org/pipermail/nanog/2015-April/074410.html i think a benchmarking ddos lab would be fun to build and publish findings.. to test all the ddos appliances from those competitors willing to participate --- for your reviewing or collecting info from folks .. - what's your metrics that is important to you ? - what (ddos) problems are you trying to resolve ? - do you want to see the ddos attacks in progress and how you're being attacked http://ddos-mitigator.net/cgi-bin/IPtables-GUI.pl - do you want 100% automated ddos defense with zero false positives :-) my $0.02 ddos experiences n summary over the years, aka mitigation in production use ... usually, arp-based ddos attacks requires fixing your infrastructure, a ddos appliance may not help you usually, udp and icmp ddos attacks can only be resolved by the ISP or scrubbing centers - if you limit udp/icmp at your appliance, the damage is already done, since those packets used your bandwidth, cpu, memory, diskspace and your time spoof'd source addresses can only be resolved by having the ISP preventing outgoing spoofed address ( fix egress filters ) at their edge routers my requirement: all tcp-based ddos attacks must be tarpit'd ...
ddos attacks are now 1% of its peak a few years ago where firefox google.com wouldn't come up - you must be able to distinguish legit tcp traffic from ddos attacks which is ez if you build/install/configure the servers properly i want the attacking zombies and script kiddies to pay a penalty for attacking my customer's servers to sustain a 100,000 tcp packets attack requires lots of kernel memory ( 100,000 packets * 1500 byte/packet * 120 seconds ) for 2minute tcp timeouts there are 65,535 tcp they could be attacking ... imho, an ssh-based solution or apache-based solution would be useless ... add another 65,535 udp ports always keep your servers up to date ... patch your OS, apps, etc, etc volumetric attacks can only be resolved by (expensive) ddos scrubbers or installing your own geographically separated colo in usa, europe, asia like the scrubbers ... if you are high profile target, the ddos attackers probably has more bandwidth than you could afford and the ddos attacks will probably make the evening news magic pixie dust alvin # DDoS-Mitigator.net/Competitors # DDoS-Mitigator.net/InHouse-vs-Cloud # DDoS-Simulator.net #
Re: LTE
Sorry, wrong thread! On Wed, Aug 26, 2015 at 12:29 PM, Tomas Lynch tomas.ly...@gmail.com wrote: Ericsson SSR or SE. On Tue, Aug 25, 2015 at 5:38 PM, Bryan Ignatow br...@ignatow.org wrote: Nathan, I know someone. Contact me off list and I will get you and he connected. Bryan On Tue, Aug 25, 2015 at 4:33 PM Nathan Anderson nath...@fsr.com wrote: Is there anybody here who is fluent in LTE/3GPP networks and the standards that govern them? I'm not sure where else to look. I have a very specific question about UEs, UICCs, and the security negotiation (integrity ciphers) that occurs during attachment both on the AS and NAS layers, and so far I have not found our vendor to be very helpful. If there is somebody out there that knows something about this area, and is willing to chat with me about it, feel free to drop me a line off-list. Thanks much, -- Nathan Anderson First Step Internet, LLC nath...@fsr.com
Re: Production-scale NAT64
On Wed, 26 Aug 2015 17:59:24 +0200, Mark Tinka said: The point is you need a transition tech. solution if you are serious about providing a service to your customers. Assuming you don't is living in denial. Actually, the point is that if you're a content provider, there's a good chance that turning up IPv6 will result in happier eyeballs, which can probably be leveraged into a competitive advantage. And the more content providers do that, the smaller your transition problem becomes.
Re: Level(3) ex-twtelecom midwest packet loss (4323)
I have been seeing the same issues, but haven't heard anything back yet. It has improved in the last 30 minutes or so, see below. http://imgur.com/KVAzetA On Wed, Aug 26, 2015 at 4:34 PM, Ryan K. Brooks r...@hack.net wrote: Seeing packet loss on AS4323 since 2:30 Central time. NOC is unresponsive to phone and email. Anyone have an idea what's going on over there?
Re: Level(3) ex-twtelecom midwest packet loss (4323)
Seems to be impacting their entire network now. On 8/26/15 4:41 PM, Rafael Possamai wrote: I have been seeing the same issues, but haven't heard anything back yet. It has improved in the last 30 minutes or so, see below. http://imgur.com/KVAzetA On Wed, Aug 26, 2015 at 4:34 PM, Ryan K. Brooks r...@hack.net wrote: Seeing packet loss on AS4323 since 2:30 Central time. NOC is unresponsive to phone and email. Anyone have an idea what's going on over there?
Re: DDoS appliances reviews needed
On 08/26/2015 05:40 AM, Ramy Hashish wrote: Anybody here has experienced a PoC for any anti DDoS appliance, or already using a anti DDoS appliance in production and able to share his user experience/review? We need to collect good reviews from people whom got their hands dirty with the configuration/attack mitigation, real experience. Is this for publication? What are you paying for such reviews? Who is the audience?
Re: DDoS appliances reviews needed
Hi, Anybody here has experienced a PoC for any anti DDoS appliance, or already using a anti DDoS appliance in production and able to share his user experience/review? only interested in appliance? why not scrubbing services? is it for own use (industry reviews before purchase) or some article/publication/research? Best Wishes, Aftab A. Siddiqui
DDoS appliances reviews needed
Good day all, Anybody here has experienced a PoC for any anti DDoS appliance, or already using a anti DDoS appliance in production and able to share his user experience/review? We need to collect good reviews from people whom got their hands dirty with the configuration/attack mitigation, real experience. Thanks, Ramy
Re: Production-scale NAT64
On Thu, Aug 20, 2015 at 07:44:10AM -0600, Jawaid Shell2 wrote: Who out there is using production-scale NAT64? What solution are you using? Yes, I'm curious about this too. I'd like a solid list of providers to avoid.
Re: Production-scale NAT64
On 26/Aug/15 16:13, Izaac wrote: Yes, I'm curious about this too. I'd like a solid list of providers to avoid. NAT64 is opt-in. It will mostly be used for customers that can no longer obtain IPv4 addresses. Service providers do not like NAT64 anymore than you do, but there needs to be some way to bridge both protocols in the interim. What you should be more interested in is which service providers have deployed it at scale where it is not causing problems, as those are the ones you want to be connected to when the IPv4-hell hiteth the faneth! Mark.
Re: Production-scale NAT64
On 26/Aug/15 16:28, Ca By wrote: From largish deployment ... Another relevant metric, less than 25% of my mobile subscribers traffic require NAT64 translating. 75+% of bits flows through end-to-end IPv6 (thanks Google/Youtube, Facebook, Netflix, Yahoo, Linkedin and so on ...). And trust me, Cameron knows what he's on about... And just in case it's not obvious, fewer and fewer bits will need to hit the NAT64 gateways as more and more of the Internet turns up IPv6. And the beauty of it all, NAT64-based service providers don't have to decommission anything in the future; this is one of the key points around using NAT64 as transition tech. Mark.
Re: Production-scale NAT64
On 26/Aug/15 16:32, Jared Mauch wrote: This for me is an important note, because if your site only gives out an A address, it’s going to be slowed by the NAT process. I have noticed the IPv4 penalty getting worse with many locations. But you only need to hit the NAT64 gateway if you are IPv6-only. If you're dual-stacked, your route to an A record will not hit the NAT64 gateway. Mark.
Re: Production-scale NAT64
On Wed, 26 Aug 2015 07:28:08 -0700, Ca By said: Another relevant metric, less than 25% of my mobile subscribers traffic require NAT64 translating. 75+% of bits flows through end-to-end IPv6 (thanks Google/Youtube, Facebook, Netflix, Yahoo, Linkedin and so on ...). So I'm guessing that 75% of the traffic flows with better latency than the 25% IPvhorse-n-buggy traffic? ;)
Re: DDoS appliances reviews needed
Hello Aftab, Sure we are interested in scrubbing centers, and we will have an on premise appliance as well, but let's make the scope of this thread limited to the on premise appliances. If you want to discuss a certain scrubbing center subscription, let's have this chat offline. Thanks, Ramy On Wed, Aug 26, 2015 at 3:54 PM, Aftab Siddiqui aftab.siddi...@gmail.com wrote: Hi, Anybody here has experienced a PoC for any anti DDoS appliance, or already using a anti DDoS appliance in production and able to share his user experience/review? only interested in appliance? why not scrubbing services? is it for own use (industry reviews before purchase) or some article/publication/research? Best Wishes, Aftab A. Siddiqui
Re: Production-scale NAT64
On Wed, Aug 26, 2015 at 04:39:11PM +0200, Mark Tinka wrote: On 26/Aug/15 16:32, Jared Mauch wrote: This for me is an important note, because if your site only gives out an A address, it’s going to be slowed by the NAT process. I have noticed the IPv4 penalty getting worse with many locations. But you only need to hit the NAT64 gateway if you are IPv6-only. Sure... For DS, I could send IPv6 native and IPv4 via NAT. I suspect this is actually the most common home setup at this point. It's certainly the way mine looks. I have noticed that IPv4 feels slow on my t-mobile usa connected devices. This is only a problem when interacting with legacy players on the network, eg: financials, opensrs, airlines. I suspect this is a 64 CGN tax. Waiting to see my other devices/sims see IPv6 on them via VZ and ATT. If you're dual-stacked, your route to an A record will not hit the NAT64 gateway. Sure, but your v4 is likely to have issues regardless and face this penalty/tax. - Jared -- Jared Mauch | pgp key available via finger from ja...@puck.nether.net clue++; | http://puck.nether.net/~jared/ My statements are only mine.
Re: Level(3) ex-twtelecom midwest packet loss (4323)
Cleared up here in WI TW/Level3 COLO between 19:00 - 19:20 CST - 3235 Intertech Dr. Brookfield On Aug 26, 2015, at 16:44, Ryan K. Brooks r...@hack.net wrote: Seems to be impacting their entire network now. On 8/26/15 4:41 PM, Rafael Possamai wrote: I have been seeing the same issues, but haven't heard anything back yet. It has improved in the last 30 minutes or so, see below. http://imgur.com/KVAzetA On Wed, Aug 26, 2015 at 4:34 PM, Ryan K. Brooks r...@hack.net wrote: Seeing packet loss on AS4323 since 2:30 Central time. NOC is unresponsive to phone and email. Anyone have an idea what's going on over there? -- Jason Hellenthal JJH48-ARIN
Re: Level(3) ex-twtelecom midwest packet loss (4323)
We continue to see 10 to 20 percent packet loss crossing TW border and even between clients in the same region (e.g. LA and Santa Barbara). No news from the NOC yet. -mel From: NANOG nanog-boun...@nanog.org on behalf of Jason Hellenthal jhellent...@dataix.net Sent: Wednesday, August 26, 2015 5:33 PM To: nanog@nanog.org Subject: Re: Level(3) ex-twtelecom midwest packet loss (4323) Cleared up here in WI TW/Level3 COLO between 19:00 - 19:20 CST - 3235 Intertech Dr. Brookfield On Aug 26, 2015, at 16:44, Ryan K. Brooks r...@hack.net wrote: Seems to be impacting their entire network now. On 8/26/15 4:41 PM, Rafael Possamai wrote: I have been seeing the same issues, but haven't heard anything back yet. It has improved in the last 30 minutes or so, see below. http://imgur.com/KVAzetA On Wed, Aug 26, 2015 at 4:34 PM, Ryan K. Brooks r...@hack.net wrote: Seeing packet loss on AS4323 since 2:30 Central time. NOC is unresponsive to phone and email. Anyone have an idea what's going on over there? -- Jason Hellenthal JJH48-ARIN
Level(3) ex-twtelecom midwest packet loss (4323)
Seeing packet loss on AS4323 since 2:30 Central time. NOC is unresponsive to phone and email. Anyone have an idea what's going on over there?
Re: Production-scale NAT64
In message 20150827065346.58554...@echo.ms.redpill-linpro.com, Tore Anderson writes: Hi Mark, * Mark Tinka mark.ti...@seacom.mu In our deployment, we do not offer customers private IPv4 addresses. I suppose we can afford to do this because a) we still have lots of public IPv4, b) we are not a mobile carrier. So any of our customers with IPv4 will never hit the NAT64 gateway. When we do run out of public IPv4 addresses (and cannot get anymore from AFRINIC), all new customers will be assigned IPv6 addresses. Why wait until then? Any particular reason why you cannot already today provide IPv6 addresses to your [new] customers in parallel with IPv4? Tore Or why you are looking at NAT64 instead of DS-Lite, MAP-E, or MAP-T all of which are better solutions than NAT64. NAT64 + DNS64 which breaks DNSSEC. -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
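The DNS64 objection in the message above follows from how the AAAA answer is produced: the resolver embeds the IPv4 address of the A record in the NAT64 prefix (RFC 6052), so the answer never existed in the signed zone and no signature from that zone covers it. The sketch below is an added example, not part of the original thread; it generalizes to every RFC 6052 prefix length, and the `classify_answers` helper and the sample answers are constructed for illustration.

```python
import ipaddress

# RFC 6052 section 2.2: the only lengths a NAT64 prefix may have.
VALID_PREFIX_LENGTHS = (32, 40, 48, 56, 64, 96)
WELL_KNOWN_PREFIX = "64:ff9b::/96"
U_OCTET = 8  # bits 64..71 are reserved and stay zero


def synthesize(prefix, ipv4):
    """Embed an IPv4 address in a NAT64 prefix, as a DNS64 resolver does."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen not in VALID_PREFIX_LENGTHS:
        raise ValueError(f"/{net.prefixlen} is not an RFC 6052 prefix length")
    out = bytearray(net.network_address.packed[: net.prefixlen // 8])
    for octet in ipaddress.IPv4Address(ipv4).packed:
        if len(out) == U_OCTET:
            out.append(0)  # step over the reserved octet
        out.append(octet)
    out.extend(bytes(16 - len(out)))  # zero suffix
    return ipaddress.IPv6Address(bytes(out))


def extract(prefix, ipv6):
    """Return the embedded IPv4 address, or None if ipv6 is outside prefix."""
    net = ipaddress.IPv6Network(prefix)
    addr = ipaddress.IPv6Address(ipv6)
    if net.prefixlen not in VALID_PREFIX_LENGTHS or addr not in net:
        return None
    start = net.prefixlen // 8
    # The four IPv4 octets follow the prefix, skipping the reserved octet.
    positions = [i for i in range(start, 16) if i != U_OCTET][:4]
    return ipaddress.IPv4Address(bytes(addr.packed[i] for i in positions))


def classify_answers(aaaa_answers, nat64_prefixes):
    """Label each AAAA answer 'native' or 'synthesized' (hypothetical helper).

    A synthesized record is absent from the origin zone, so a validating
    client cannot find an RRSIG for it. The recovered IPv4 address tells the
    client which signed A RRset to validate instead.
    """
    results = []
    for answer in aaaa_answers:
        addr = ipaddress.IPv6Address(answer)
        embedded = None
        for prefix in nat64_prefixes:
            embedded = extract(prefix, addr)
            if embedded is not None:
                break
        kind = "synthesized" if embedded is not None else "native"
        results.append((addr, kind, embedded))
    return results


# Constructed sample: one native AAAA and one DNS64 answer for 192.0.2.33.
SAMPLE_ANSWERS = ["2001:db8:cafe::10", "64:ff9b::c000:221"]

if __name__ == "__main__":
    for addr, kind, embedded in classify_answers(SAMPLE_ANSWERS,
                                                 [WELL_KNOWN_PREFIX]):
        note = f" (validate the A RRset for {embedded})" if embedded else ""
        print(f"{addr}: {kind}{note}")
```

The NAT64 prefix list is an input here; a client on a real network has to learn it from its provider or from prefix discovery before it can tell synthesized answers apart.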
Re: DDoS appliances reviews needed
Thank you Alvin, I have just remembered that I wanted to reply to your previous input on Wanguard versus the other vendors in the market, I will reply this there. I can't get exactly what you are doing, do you have your own mitigation SW? If so I would like to know more about it. On Wed, Aug 26, 2015 at 8:53 PM, alvin nanog nano...@mail.ddos-mitigator.net wrote: hi ramy On 08/26/15 at 12:54pm, Aftab Siddiqui wrote: Anybody here has experienced a PoC for any anti DDoS appliance, or already using a anti DDoS appliance in production and able to share his user experience/review? only interested in appliance? why not scrubbing services? is it for own use (industry reviews before purchase) or some article/publication/research? see previous similar thread for some real world reviews by folks http://mailman.nanog.org/pipermail/nanog/2015-April/074410.html i think a benchmarking ddos lab would be fun to build and publish findings.. to test all the ddos appliances from those competitors willing to participate --- for your reviewing or collecting info from folks .. - what's your metrics that is important to you ? Our important metrics includes but not limited to the following: - Ability to mitigate all kinds of volumetric DDoS attacks. - Ability to mitigate application level attacks for at least HTTP, HTTPs, SMTP and DNS. - Time-to-detect and time-to-mitigate. - False positives. - Response time to the management plan. - Ability to sniff packets for further analysis with the support. - Granularity of detection thresholds. - Percentage of DDoS attack leakage. - Multitenancy (We are an ISP) - what (ddos) problems are you trying to resolve ? - Fast to detect/mitigate appliance, no problem to work inline.
- do you want to see the ddos attacks in progress and how you're being attacked http://ddos-mitigator.net/cgi-bin/IPtables-GUI.pl - do you want 100% automated ddos defense with zero false positives :-) my $0.02 ddos experiences n summary over the years, aka mitigation in production use ... my requirement: all tcp-based ddos attacks must be tarpit'd ... ddos attacks are now 1% of it's peak a few years ago where firefox google.com wouldn't come up - you must be able to distinguish legit tcp traffic from ddos attacks which is ez if you build/install/configure the servers properly Could you please give more details on this? i want the attacking zombies and script kiddies to pay a penalty for attacking my customer's servers Could you please give more details about how to tarpit?
Re: Production-scale NAT64
On 27/Aug/15 07:16, Mark Andrews wrote: Or why you are looking at NAT64 instead of DS-Lite, MAP-E, or MAP-T all of which are better solutions than NAT64. NAT64 + DNS64 which breaks DNSSEC. Because with NAT64/DNS64/464XLAT, there isn't any undo work after the dust settles. There is value in that. Mark.
Re: Experience on Wanguard for 'anti' DDOS solutions
On Thu, Aug 13, 2015 at 4:20 AM, alvin nanog nano...@mail.ddos-mitigator.net wrote: hi ramy On 08/12/15 at 05:28pm, Ramy Hashish wrote: Anybody here compared Wanguard's performance with the DDoS vendors in the market (Arbor, Radware, NSFocus, A10, RioRey, Staminus, F5 ..)? wouldn't the above comparison be kinda funky comparing software solutions with hardware appliances and/or cloud scrubbers ?? comparisons between vendors should be between sw solutions, or hw appliances vs other hw, or cloud vs other clouds wanguard should be compared with other sw options or vendors using sflow, netflow, jflow, etc etc http://www.andrisoft.com/software/wanguard http://bitbucket.org/tortoiselabs/ddosmon http://www.github.com/FastVPSEestiOu/fastnetmon http://nfdump.sourceforge.net http://nfsen.sourceforge.net wanguard - software solution using sflow http://www.andrisoft.com/software/wanguard arbor hardware/software solutions -- peakflow http://www.arbornetworks.com/products/peakflow radware -- hardware/software/cloud solutions -- defenseflow http://www.radware.com/products/attack-mitigation-service/ http://www.radware.com/Products/DefenseFlow/ nsfocus -- hardware/cloud solutions http://www.nsfocus.com/products/ A10 -- hardware solution http://www.a10network.com/products riorey --- hardware solution http://www.riorey.com/riorey-ddos-products staminus - hardware/cloud solutions http://www.staminus.net/shield # and to add to the ddos confusion .. akamai/prolexic --- hardware/cloud solution f5 hardware/cloud solutions http://www.f5.com/resources/white-papers/mitigating-ddos-attacks-with-f5-technology fortinet -- custom ASIC hardware and cloud solution http://www.fortinet.com/products/fortiddos/ddos-mitigation-appliances.html Let me disagree to some extent, we have contacted most of the above vendors, selling a HW doesn't necessarily mean they are HW based solution, most of them run their SW/algorithm on an x86 machine. Thanks, Ramy
Re: Production-scale NAT64
Hi Mark, * Mark Tinka mark.ti...@seacom.mu In our deployment, we do not offer customers private IPv4 addresses. I suppose we can afford to do this because a) we still have lots of public IPv4, b) we are not a mobile carrier. So any of our customers with IPv4 will never hit the NAT64 gateway. When we do run out of public IPv4 addresses (and cannot get anymore from AFRINIC), all new customers will be assigned IPv6 addresses. Why wait until then? Any particular reason why you cannot already today provide IPv6 addresses to your [new] customers in parallel with IPv4? Tore
Re: Production-scale NAT64
On 27/Aug/15 06:53, Tore Anderson wrote: Why wait until then? I didn't say that we're waiting :-)... Any particular reason why you cannot already today provide IPv6 addresses to your [new] customers in parallel with IPv4? As a standard delivery of service, all our customers (BGP- and non-BGP-based) are assigned IPv6 addresses by default. Point-to-point for the BGP-based customers, and point-to-point + onward LAN assignments for the non-BGP-based customers. We do (and configure) this regardless of whether customers have asked for it or not. In reality, 70% of the time it's like pulling teeth getting customers to configure their end of the IPv6 point-to-point address, much less turn-up an IPv6 BGP session. Reasons range from, We do not have a /32 IPv6 allocation yet, Our router does not support IPv6 yet, We shall get to it in time, we are busy with other things now, It is not important to us, We only have one interface in our whole network with IPv6, so let's forget about it for now, What is IPv6? Oh, that - no thanks, and so on and so on. 30% of the time, however, we are dealing with a switched-on customer that is happy to turn it up, and would even chase us for the same. We like these types of customers. You won't find a customer order or port in our network that does not have IPv6 enabled. It's just all about getting their side sorted out. And the team have been going out of their way to help them turn-up, e.g., recommending the minimum software they should upgrade to to support IPv6, helping them reach out to AFRINIC to apply for their /32 IPv6 allocation, helping them set things up on their end, nagging them weekly on when they will get their side up, e.t.c. It's never-ending work. Same thing goes for peering - we always ask peers to turn-up both IPv4 and IPv6 at the same time. For the majority of peers, once the IPv4 session is up, they disappear. But we keep nagging, and nagging and nagging, and many times we are successful in getting IPv6 going.
Sometimes, however, it's all falling on deaf ears. But it is good work, so we do not let up. All I was saying before is that when we can no longer hand out public IPv4 addresses to new customers in the future, those customers will require the NAT64 gateway to speak to IPv4-only resources. Hopefully, by the time that happens, the demand on the NAT64 gateways is as close to 0% as possible. Mark.
Re: Production-scale NAT64
On Wed, Aug 26, 2015 at 8:16 AM, valdis.kletni...@vt.edu wrote: On Wed, 26 Aug 2015 07:28:08 -0700, Ca By said: Another relevant metric, less than 25% of my mobile subscribers traffic require NAT64 translating. 75+% of bits flows through end-to-end IPv6 (thanks Google/Youtube, Facebook, Netflix, Yahoo, Linkedin and so on ...). So I'm guessing that 75% of the traffic flows with better latency than the 25% IPvhorse-n-buggy traffic? ;) Facebook says IPv6 is 20-40% faster http://www.internetsociety.org/deploy360/blog/2015/04/facebook-news-feeds-load-20-40-faster-over-ipv6/ Another way to look at it, IPv4 is 20-40% slower than IPv6.
Re: Production-scale NAT64
On 27/Aug/15 03:21, Jared Mauch wrote: Sure... For DS, I could send IPv6 native and IPv4 via NAT. I suspect this is actually the most common home setup at this point. It's certainly the way mine looks. I have noticed that IPv4 feels slow on my t-mobile usa connected devices. This is only a problem when interacting with legacy players on the network, eg: financials, opensrs, airlines. I suspect this is a 64 CGN tax. Waiting to see my other devices/sims see IPv6 on them via VZ and ATT. If your IPv4 is public, you should not feel slow. Of course, if your IPv4 is private, then yes, some NAT44 may happen somewhere along the path. Sure, but your v4 is likely to have issues regardless and face this penalty/tax. But that would be a function of NAT44 if you're on private IPv4, and have nothing to do with the NAT64. In our deployment, we do not offer customers private IPv4 addresses. I suppose we can afford to do this because a) we still have lots of public IPv4, b) we are not a mobile carrier. So any of our customers with IPv4 will never hit the NAT64 gateway. When we do run out of public IPv4 addresses (and cannot get anymore from AFRINIC), all new customers will be assigned IPv6 addresses. These will hit a NAT64 gateway if they want to talk to legacy resources on the Internet. Mark.