Re: IGP choice

2015-10-23 Thread Mark Tinka


On 23/Oct/15 23:02, Mikael Abrahamsson wrote:
 
>
> There is running code now for IETF HOMENET using Quagga that speaks
> IS-IS over IPv6 (using IP proto 124) if you want to, it's configurable
> per-interface.
>
> I do not know at this time what the status is for mainline Quagga
> IS-IS, but I've sent a question about it to Netdef about it

Thanks, Mikael.

Mark.


Re: IGP choice

2015-10-23 Thread Mikael Abrahamsson

On Fri, 23 Oct 2015, Pablo Lucena wrote:


>> A lot of carriers use ISIS in the core so they can make use of the
>> 'overload bit' with a 'set-overload-bit on-startup wait-for-bgp'.  Keeps
>> them from black holing traffic while BGP reconverges; when you have
>> millions of routes to converge it can take forever.  It's also a really
>> handy tool when you're troubleshooting or repairing a link, set the OL
>> bit, and traffic gracefully moves, then when you're done it gracefully
>> moves back.  You can do the same thing with the Metric, and Cost in OSPF,
>> just not quite as elegant.
>
> That feature is also present in OSPF. 'max metric router-lsa'.


This is not exactly the same thing as overload-bit set, but it can be 
argued that setting max-metric actually makes more sense than what the 
overload bit does.


The choice between IS-IS and OSPF depends more on soft than hard factors. 
OSPF support is more widespread amongst smaller equipment vendors, IS-IS 
is the traditional choice for large ISP core IGP, mostly due to the Cisco 
codebase for IS-IS happened to be more stable than OSPF around 1995, and 
that's when a lot of larger ISPs started running these protocols, and that 
stuck.


There is no right or wrong IGP to run, both protocols have their quirks 
and pro:s and con:s.


--
Mikael Abrahamsson    email: swm...@swm.pp.se
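
Added example, not part of the original thread: a small SPF model of why the IS-IS overload bit and OSPF max-metric are "not exactly the same thing". The topology, router names and costs are constructed, and the model simplifies both protocols (an overloaded router is never expanded for transit; a max-metric router advertises 0xFFFF on all of its links).

```python
import heapq

MAX_METRIC = 0xFFFF  # value OSPF advertises on transit links under max-metric

# Constructed topology: LINKS[a][b] is the metric router a advertises towards b.
# B is the router being taken out of service; E is single-homed behind B.
LINKS = {
    "A": {"B": 5, "D": 10},
    "B": {"A": 5, "C": 5, "E": 5},
    "C": {"B": 5, "D": 10},
    "D": {"A": 10, "C": 10},
    "E": {"B": 5},
}

def spf(links, source, overloaded=frozenset()):
    """Dijkstra. Routers in `overloaded` are reachable but never used for transit."""
    dist, prev = {source: 0}, {}
    heap, done = [(0, source)], set()
    while heap:
        d, node = heapq.heappop(heap)
        if node in done:
            continue
        done.add(node)
        if node in overloaded and node != source:
            continue  # overload bit: do not expand this router's links
        for nbr, cost in links[node].items():
            nd = d + cost
            if nbr not in dist or nd < dist[nbr]:
                dist[nbr], prev[nbr] = nd, node
                heapq.heappush(heap, (nd, nbr))
    return dist, prev

def path(prev, source, dest):
    """Walk predecessors back from dest; None if dest was not reached."""
    if dest != source and dest not in prev:
        return None
    hops = [dest]
    while hops[-1] != source:
        hops.append(prev[hops[-1]])
    return hops[::-1]

def with_max_metric(links, router):
    """Copy of links where `router` advertises MAX_METRIC on all its links."""
    out = {r: dict(n) for r, n in links.items()}
    out[router] = {nbr: MAX_METRIC for nbr in out[router]}
    return out

def compare(source="A", drained="B"):
    """Return {case: {dest: (cost, path)}} for the three ways of running B."""
    cases = {
        "baseline": (LINKS, frozenset()),
        "overload": (LINKS, frozenset({drained})),
        "max-metric": (with_max_metric(LINKS, drained), frozenset()),
    }
    results = {}
    for name, (links, ol) in cases.items():
        dist, prev = spf(links, source, ol)
        results[name] = {d: (dist.get(d), path(prev, source, d))
                         for d in ("B", "C", "E")}
    return results

if __name__ == "__main__":
    for name, r in compare().items():
        print(name, r)
```

In both drained cases transit traffic from A to C moves off B onto D, but only max-metric keeps E, which has no other path, reachable as a last resort.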


Re: IGP choice

2015-10-23 Thread Mikael Abrahamsson

On Fri, 23 Oct 2015, Mark Tinka wrote:

> I'm not really sure what the hold-up is, but I know Mikael, together
> with the good folks at netDEF (Martin and Alistair) are working hard on
> fixing these issues. While I have not had much time to provide them with
> feedback on their progress, it is high on my agenda - not to mention
> funding support for them will only help the cause.


There is running code now for IETF HOMENET using Quagga that speaks IS-IS 
over IPv6 (using IP proto 124) if you want to, it's configurable 
per-interface.


I do not know at this time what the status is for mainline Quagga IS-IS, 
but I've sent a question about it to Netdef about it




Re: IGP choice

2015-10-23 Thread Pablo Lucena
> A lot of carriers use ISIS in the core so they can make use of the
> 'overload bit' with a 'set-overload-bit on-startup wait-for-bgp'.  Keeps
> them from black holing traffic while BGP reconverges; when you have
> millions of routes to converge it can take forever.  It's also a really
> handy tool when you're troubleshooting or repairing a link, set the OL
> bit, and traffic gracefully moves, then when you're done it gracefully
> moves back.  You can do the same thing with the Metric, and Cost in OSPF,
> just not quite as elegant.
>

That feature is also present in OSPF. 'max metric router-lsa'.


RE: IGP choice

2015-10-23 Thread Jameson, Daniel
A lot of carriers use ISIS in the core so they can make use of the 'overload
bit' with a 'set-overload-bit on-startup wait-for-bgp'.  Keeps them from black
holing traffic while BGP reconverges; when you have millions of routes to
converge it can take forever.  It's also a really handy tool when you're
troubleshooting or repairing a link, set the OL bit, and traffic gracefully
moves, then when you're done it gracefully moves back.  You can do the same
thing with the Metric, and Cost in OSPF, just not quite as elegant.

Largely I think it's preference,  ISIS and OSPF tackle most of the same stuff 
just in different ways.

-D

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Matthew Petach
Sent: Friday, October 23, 2015 11:31 AM
To: marcel.durega...@yahoo.fr
Cc: nanog@nanog.org
Subject: Re: IGP choice

On Fri, Oct 23, 2015 at 1:41 AM, marcel.durega...@yahoo.fr 
 wrote:
> sorry for that, but the only one I've heard about switching his core 
> IGP is Yahoo. I've no precision, and it really interests me.
> I know that they had OSPF in the DC area, and ISIS in the core, and 
> decided to switch the core from ISIS to OSPF.

Wait, what?
*checks memory*
*checks routers*

Nope.  Definitely went the other way; OSPF -> IS-IS in the core.

> Why spend so much time/risk to switch from ISIS to OSPF, _in the core_, 
> a not so minor impact/task?
> So I could guess it's to maintain only one IGP and have standardized 
> config. But why OSPF against ISIS? What could be the drivers? People 
> skills (more people know OSPF than ISIS) --> operational reason?

I'm sorry you received the wrong information, the migration was from OSPF to 
IS-IS, not the other way around.

Thanks!

Matt


Re: Google IMAP (with k9mail)

2015-10-23 Thread Nikolay Shopik
It's OAuth they require now. Thunderbird bug
https://bugzilla.mozilla.org/show_bug.cgi?id=849540

On 23/10/2015 19:20, Jay Ashworth wrote:
> ----- Original Message -----
>> From: "Christopher Morrow" 
> 
>> Incoming settings
>> IMAP server: imap.gmail.com
>> Port: 993
>> Security type: SSL (always)
>>
>> Outgoing settings
>> SMTP server: smtp.gmail.com
>> Port: 465
>> Security type: SSL (always)
> 
> Hijack: to use k9mail with gmail IMAP, I have to enable "allow less secure 
> clients" in the gmail web UI, but neither the Gmail people nor the k9mail
> people seem to want to actually document which protocol is disliked or
> required.
> 
> Anyone have any actual facts on this point?
> 
> Cheers,
> -- jra
> 


Re: Google IMAP (with k9mail)

2015-10-23 Thread Suresh Ramasubramanian
Not protocols as much as less secure ssl ciphers is my guess 

--srs

> On 23-Oct-2015, at 9:50 PM, Jay Ashworth  wrote:
> 
> ----- Original Message -----
>> From: "Christopher Morrow" 
> 
>> Incoming settings
>> IMAP server: imap.gmail.com
>> Port: 993
>> Security type: SSL (always)
>> 
>> Outgoing settings
>> SMTP server: smtp.gmail.com
>> Port: 465
>> Security type: SSL (always)
> 
> Hijack: to use k9mail with gmail IMAP, I have to enable "allow less secure 
> clients" in the gmail web UI, but neither the Gmail people nor the k9mail
> people seem to want to actually document which protocol is disliked or
> required.
> 
> Anyone have any actual facts on this point?
> 
> Cheers,
> -- jra
> -- 
> Jay R. Ashworth  Baylink   
> j...@baylink.com
> Designer The Things I Think   RFC 2100
> Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: IGP choice

2015-10-23 Thread Matthew Petach
On Fri, Oct 23, 2015 at 1:41 AM, marcel.durega...@yahoo.fr
 wrote:
> sorry for that, but the only one I've heard about switching his core IGP is
> Yahoo. I've no precision, and it really interests me.
> I know that they had OSPF in the DC area, and ISIS in the core, and decided
> to switch the core from ISIS to OSPF.

Wait, what?
*checks memory*
*checks routers*

Nope.  Definitely went the other way; OSPF -> IS-IS in the core.

> Why spend so much time/risk to switch from ISIS to OSPF, _in the core_, a not
> so minor impact/task?
> So I could guess it's to maintain only one IGP and have standardized
> config. But why OSPF against ISIS? What could be the drivers? People skills
> (more people know OSPF than ISIS) --> operational reason?

I'm sorry you received the wrong information,
the migration was from OSPF to IS-IS, not
the other way around.

Thanks!

Matt


Re: IGP choice

2015-10-23 Thread Matthew Petach
On Thu, Oct 22, 2015 at 9:57 AM, marcel.durega...@yahoo.fr
 wrote:
> Hi everyone,
>
> Anybody from Yahoo to share experience on IGP choice?
> IS-IS vs OSPF, why did you switch from one to the other, for what reason?
> Same question could apply to other ISPs, I'd like to hear some international
> ISP/carriers design choice, please.
>
> Thanks in advance,
> Best regards,
> -Marcel

When we decided to go dual-stack many many years
ago, we faced the choice of either running OSPFv2
and OSPFv3 in parallel in the core, or just running
IS-IS.  Several of us on the team had experience
with IS-IS from previous jobs, so we decided to
shift over from OSPF to IS-IS to simplify the
environment by only needing a single IGP for
both address families.

Hope this helps answer your question.

Thanks!

Matt


Re: Google IMAP (with k9mail)

2015-10-23 Thread Jay Ashworth
----- Original Message -----
> From: "Christopher Morrow" 

> Incoming settings
> IMAP server: imap.gmail.com
> Port: 993
> Security type: SSL (always)
> 
> Outgoing settings
> SMTP server: smtp.gmail.com
> Port: 465
> Security type: SSL (always)

Hijack: to use k9mail with gmail IMAP, I have to enable "allow less secure 
clients" in the gmail web UI, but neither the Gmail people nor the k9mail
people seem to want to actually document which protocol is disliked or
required.

Anyone have any actual facts on this point?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: VPS in DC/VA on L3?

2015-10-23 Thread Jay Ashworth
----- Original Message -----
> From: "Christopher Morrow" 

> On Fri, Oct 23, 2015 at 11:02 AM, Jay Ashworth 
> wrote:
> > We need to do host-mode IPSEC out of AWS to a company in the DC/VA area that
> > is on L3; AWS apparently will only do network mode IPSEC, and they won't 
> > take
> > that, so we'll need to hop.
> 
> 'will only do network mode'  because the VM you run in aws can't
> do ipsec to your pix?

Pick your problem:

AWS's productized IPSEC VPC gateway won't do host-mode, or so I am told, and

Our customer won't do network mode, and

Our customer also won't accept IPSEC traffic that's been NATted, so we can't do
it from an AWS host cause EIPs are natted; there is, TTBOMK *no* way to get a
non-natted IP on an EC2/VPC host.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: TWC / XO Chicago?

2015-10-23 Thread Mikeal Clark
Thanks!

On Fri, Oct 23, 2015 at 1:59 AM, Krenn, Thomas A
 wrote:
> We're told by AT&T this started around 11:30 CT and by XO that it was 
> resolved around 22:00 CT. Seems a link between AS7018 and AS2828 was 
> saturated in Chicago.
>
> 
> Tom Krenn | Optum
> IT Network Services
>
> -----Original Message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Michael Clark
> Sent: Thursday, October 22, 2015 5:06 PM
> To: Gareth Tupper
> Cc: NANOG [nanog@nanog.org]
> Subject: Re: TWC / XO Chicago?
>
> Looks like XO is having an issue.  Anything I have that routes through them 
> in Chicago is dropping but I don't see anyone talking about it.
>
> Sent from my iPhone
>
>> On Oct 22, 2015, at 4:10 PM, Gareth Tupper  
>> wrote:
>>
>> With TWC /XO, or just in general?
>>
>> -----Original Message-----
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mikeal Clark
>> Sent: Thursday, October 22, 2015 12:44 PM
>> To: NANOG [nanog@nanog.org]
>> Subject: TWC / XO Chicago?
>>
>> Anyone know what is going on?


Re: VPS in DC/VA on L3?

2015-10-23 Thread Christopher Morrow
On Fri, Oct 23, 2015 at 11:02 AM, Jay Ashworth  wrote:
> We need to do host-mode IPSEC out of AWS to a company in the DC/VA area that
> is on L3; AWS apparently will only do network mode IPSEC, and they won't take
> that, so we'll need to hop.
>

'will only do network mode'  because the VM you run in aws can't
do ipsec to your pix?


VPS in DC/VA on L3?

2015-10-23 Thread Jay Ashworth
We need to do host-mode IPSEC out of AWS to a company in the DC/VA area that
is on L3; AWS apparently will only do network mode IPSEC, and they won't take
that, so we'll need to hop.

Anyone got a VPS provider in that area they like so we can set up the 
bank-shot?

Cheers,
-- jra

-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: PeeringDB survey results and Board election plan

2015-10-23 Thread Randy Bush
ghu save us from more committees


Re: IGP choice

2015-10-23 Thread Mark Tinka


On 23/Oct/15 11:00, marcel.durega...@yahoo.fr wrote:

> by having multiple areas, therefore ABR which deny routers and network
> LSA, you introduce summarization (ABR only send summary LSA, mean
> subnet info, not topology info) in your network.
> Thus you lose information and do not have a complete topology of
> your network. I guess MPLS/TE prefer to sit on top of a real topology?

Yes, summarization in the IGP has the potential to create blackholes
and/or loops.

This reminds me of:

http://tools.ietf.org/id/draft-swallow-mpls-aggregate-fec-01.txt

Mark.



Re: IGP choice

2015-10-23 Thread marcel.durega...@yahoo.fr
by having multiple areas, therefore ABR which deny routers and network 
LSA, you introduce summarization (ABR only send summary LSA, mean subnet 
info, not topology info) in your network.
Thus you lose information and do not have a complete topology of your 
network. I guess MPLS/TE prefer to sit on top of a real topology?




On 22.10.2015 23:22, Bill Blackford wrote:
> I don't have all the details because I don't fully understand it, but I've
> heard that if you're running an MPLS/RSVP core, you can only use a single
> OSPF area. This introduces a scalability ceiling.
>
> On Thu, Oct 22, 2015 at 12:35 PM, Dave Bell  wrote:
>> On 22 October 2015 at 19:41, Mark Tinka  wrote:
>>> The "everything must connect to Area 0" requirement of OSPF was limiting
>>> for me back in 2008.
>>
>> I'm unsure if this is a serious argument, but it's such a poor point
>> today. Everything has to be connected to a level 2 in IS-IS. If you
>> want a flat area 0 network in OSPF, go nuts. As long as you are
>> sensible about what you put in your IGP, both IS-IS and OSPF scale
>> very well.
>>
>> The differences between the two protocols are so small, that people
>> really grasp at straws when 'proving' that one is better over the
>> other. 'IS-IS doesn't work over IP, so it's more secure'. 'IS-IS uses
>> TLVs so new features are quicker to implement'. While these may be
>> vaguely valid arguments, they don't hold much water. If you don't
>> secure your routers to bad actors forming OSPF adjacencies with you,
>> you're doing something wrong. Who is running code that is so bleeding
>> edge that feature X might be available for IS-IS, but not OSPF?
>>
>> Choose whichever you and your operational team are most comfortable
>> with, and run with it.
>>
>> Regards,
>> Dave







Re: IGP choice

2015-10-23 Thread Saku Ytti
On 23 October 2015 at 11:54, Mark Tinka  wrote:

Hey,

> Well, on the basis that an attack is made easier if you are running
> IS-IS on a vulnerable interface, in theory, an attack would be highly
> difficult if a vulnerable interface were not running IS-IS to begin with.

Assuming that interface won't punt ISIS if ISIS is not configured,
unfortunately this assumption isn't true for all platforms.

-- 
  ++ytti


Re: IGP choice

2015-10-23 Thread Mark Tinka


On 23/Oct/15 10:48, Saku Ytti wrote:

> I believe this is because you need 802.3 (as opposed to EthernetII)
> and rudimentary CLNS implementation, both which are very annoying from
> programmer point of view.

I'm not really sure what the hold-up is, but I know Mikael, together
with the good folks at netDEF (Martin and Alistair) are working hard on
fixing these issues. While I have not had much time to provide them with
feedback on their progress, it is high on my agenda - not to mention
funding support for them will only help the cause.

> I hope ISIS would migrate to EthernetII and IP. From security point of
> view, people often state how it's better that it's not IP, but in
> reality, how many have verified the flip side of this proposal, how
> easy it is to protect yourself from ISIS attack from connected host?
> For some platforms the answer is, there is absolutely no way, and any
> connected host can bring you down with trivial amount of data.

Well, on the basis that an attack is made easier if you are running
IS-IS on a vulnerable interface, in theory, an attack would be highly
difficult if a vulnerable interface were not running IS-IS to begin with.

But I do not have any empirical data on any attempts to attack IS-IS,
successfully or otherwise. So your guess is as good as mine.

Mark.


Re: IGP choice

2015-10-23 Thread Saku Ytti
On 23 October 2015 at 08:31, Mark Tinka  wrote:

Hey,

> Quagga is an example of a case where IS-IS is seriously lagging behind
> OSPF to the point of not being useable at all.

I believe this is because you need 802.3 (as opposed to EthernetII)
and rudimentary CLNS implementation, both which are very annoying from
programmer point of view.
I hope ISIS would migrate to EthernetII and IP. From security point of
view, people often state how it's better that it's not IP, but in
reality, how many have verified the flip side of this proposal, how
easy it is to protect yourself from ISIS attack from connected host?
For some platforms the answer is, there is absolutely no way, and any
connected host can bring you down with trivial amount of data.

-- 
  ++ytti


Re: IGP choice

2015-10-23 Thread marcel.durega...@yahoo.fr
sorry for that, but the only one I've heard about switching his core IGP 
is Yahoo. I've no precision, and it really interests me.
I know that they had OSPF in the DC area, and ISIS in the core, and 
decided to switch the core from ISIS to OSPF.
Why spend so much time/risk to switch from ISIS to OSPF, _in the core_, a 
not so minor impact/task?
So I could guess it's to maintain only one IGP and have standardized 
config. But why OSPF against ISIS? What could be the drivers? People 
skills (more people know OSPF than ISIS) --> operational reason?



In my understanding of both protocols, from 3 year old documentation (2012):

OSPF is more or less limited to hundred routers in the backbone area. 
Yeah, ok, but back in 2005 I know some ISPs which ran 200 routers in the 
backbone area (only one area) w/o problem. What about today? Protocol 
design limitation or resources (memory+cpu) limitation? If resources 
only, as of today we can put also 1000 OSPF routers in one area...
Cisco recommends no more than 50 routers per area with OSPF. Is it a 
conservative value?

It also depends on the number of networks/router, of course.


ISIS is not. ISIS scales up to thousand routers in the same area.
Some docs say that ISIS converges faster due to fewer LSP traffic 
(compared to OSPF which generates more LSA traffic, therefore uses more 
CPU) and better timers. Timers can also be tuned with OSPF, so I do not 
see a real argument with better timers for ISIS (same story between HSRP 
versus VRRP with better timers for VRRP).


As your doc says (reason to choose ISIS):
better convergence, better security, simplicity.


-Marcel



On 22.10.2015 19:25, Niels Bakker wrote:
> * marcel.durega...@yahoo.fr (marcel.durega...@yahoo.fr) [Thu 22 Oct
> 2015, 18:57 CEST]:
>> Anybody from Yahoo to share experience on IGP choice ?
>
> What a weird way to limit your audience.  This is NANOG, not Yahoo.
>
> Otherwise, http://userpages.umbc.edu/~vijay/work/ppt/oi.pdf
>
>  -- Niels.