Re: Kudos to Rogers Wireless on IPv6 deployment

2016-10-01 Thread Mikael Abrahamsson

On Sat, 1 Oct 2016, Hugo Slabbert wrote:

> So, kudos, Rogers Wireless!


http://labs.apnic.net/cgi-bin/ccpagev6?c=CA

Sort on "samples".

Seems Telus and Rogers are the only top 10 with any double-digit % of IPv6 
users. Telus is at 65-70%; that's a really good number.


--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: Kudos to Rogers Wireless on IPv6 deployment

2016-10-01 Thread Lyndon Nerenberg

> On Oct 1, 2016, at 8:37 PM, Hugo Slabbert  wrote:
> 
> So, kudos, Rogers Wireless!

This has also been live on Rogers' Fido sub-brand for a while now.  
2605:8d80:484:: is live in Vancouver.

--lyndon



Kudos to Rogers Wireless on IPv6 deployment

2016-10-01 Thread Hugo Slabbert
So frequently on this list we hear people asking/begging their providers 
for IPv6 roadmaps or chastising them for the lack of same, that I thought 
it might be nice to actually give props to a provider actually moving the 
needle.


I was pleasantly surprised today to notice an IPv6 address on my Android 
smartphone on the Rogers Wireless LTE network.  I had to do a double-take 
and poke through test-ipv6.com to make sure something wasn't amiss, but 
there it was: honest-to-$deity dual stack service on a Canadian mobile 
provider, with a dual-stack resolver and everything! ;)


So, kudos, Rogers Wireless!

So that's Rogers on the wireless side (with Telus Mobility at last check 
being in early stages but not yet fully rolled out), and basically Rogers, 
Telus and a bunch of smaller or regional ISPs that have deployed IPv6 on 
residential and/or business wired service.  Shaw?  Bell?  (FYI Bell, your 
IPv6 Starter Kit linked from http://ipv6.bell.ca/ currently hits a 404.)


--
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal





Re: BCP38 adoption "incentives"?

2016-10-01 Thread Jay R. Ashworth
- Original Message -
> From: "Joe Klein" 

> What would it take to test for BCP38 for a specific AS?

There's a tester tool, which I believe I put a link to on the wiki.  One of 
the Cali tech universities; Berkeley?

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: Request for comment -- BCP38

2016-10-01 Thread Jay R. Ashworth
- Original Message -
> From: "Florian Weimer" 

> * Jason Iannone:

>> Are urpf and bcp38 interchangeable terms in this discussion?  It seems
>> impractical and operationally risky to implement two unique ways to dos
>> customers.  What are the lessons learned by operators doing static output
>> filters, strict urpf, or loose/feasible urpf?
> 
> Historically (in 1998, when RFC 2267 was released), BCP 38 was an
> egress filter applied at the AS boundary.

You meant ingress, no?

The control of the address space allocation resides with the upstream,
as must control of the filtering.

You *can* do BCP38 egress filtering on your network, but that filter
would *be in control of the Bad Guys* whom we're trying to kill off.

The filtering needs to be on the other side of the administrative
span of control fence.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: Request for comment -- BCP38

2016-10-01 Thread Jay R. Ashworth
- Original Message -
> From: "Hugo Slabbert" 

> This seems to have split into a few different sub-threads and had some
> cross-talk on which network is being described where (thanks in no small
> part to my flub on John's figures and target), but this seems to be exactly
> the kind of info folks are looking for but missing at
> http://www.bcp38.info.

I heartily encourage people to add content to the wiki for network types that
I'm insufficiently familiar with; cookbook entries are where I'd like to see
it end up.

If anyone wants to contribute please poke me or Alain for an account (keeping
a MediaWiki despammed is a fulltime job these days, if you allow user created
accounts, so we don't).  The address to poke at is moderator (at) bcp38.info

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: Request for comment -- BCP38

2016-10-01 Thread Jay R. Ashworth
- Original Message -
> From: "John Levine" 

>> If you have links from both ISP A and ISP B and decide to send traffic out
>> ISP A's link sourced from addresses ISP B allocated to you, ISP A *should*
>> drop that traffic on the floor.  There is no automated or scalable way for
>> ISP A to distinguish this "legitimate" use from spoofing; unless you
>> consider it scalable for ISP A to maintain thousands if not more
>> "exception" ACLs to uRPF and BCP38 egress filters to cover all of the cases
>> of customers X, Y, and Z sourcing traffic into ISP A's network using IPs
>> allocated to them by other ISPs?
> 
> I gather the usual customer response to this is "if you don't want our
> $50K/mo, I'm sure we can find another ISP who does."

Come on, John.  Anyone spending 50K a month belongs in PI space with BGP,
and they're a big enough customer for the ISPs to both put exception rules
in their ingress filters even if they're not.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274
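
Two points in this thread, that the BCP38 filter has to sit on the upstream's side of the administrative fence, and that a multihomed customer sourcing another ISP's addresses needs a per-customer exception rule, as an added illustration that is not code from the thread or from bcp38.info: a small Python model of an upstream's per-port ingress filter. Customer names, prefixes and packets are constructed and use the IETF documentation address ranges.

```python
import ipaddress

# Constructed model of an upstream's BCP38 (RFC 2827) ingress filter on its
# customer-facing ports. The upstream owns this table, which is the point made
# above: a customer, or a compromised host behind it, cannot widen its own
# permitted source set. Customer names, prefixes and packets are made up and
# use the IETF documentation address ranges.

# Prefixes this upstream (ISP A) allocated, keyed by customer port.
ALLOCATIONS = {
    "cust-x": ["192.0.2.0/24", "2001:db8:1::/48"],
    "cust-y": ["198.51.100.0/25"],
}

# Exception rules: prefixes a multihomed customer holds from another ISP
# (ISP B) and has arranged to source out of its ISP A link. Each entry is
# one of the per-customer ACLs the thread describes as an operational cost.
EXCEPTIONS = {
    "cust-y": ["203.0.113.0/26"],
}


def permitted_sources(customer):
    """Permitted source prefixes for one port; an unknown port gets none."""
    prefixes = ALLOCATIONS.get(customer, []) + EXCEPTIONS.get(customer, [])
    return [ipaddress.ip_network(p) for p in prefixes]


def ingress_permits(customer, src):
    """True if a packet arriving on this customer's port may carry src.

    Address-family mismatches (v4 source vs. v6 prefix) never match."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in permitted_sources(customer))


def apply_ingress_filter(customer, packets):
    """Split packets seen on one port into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if ingress_permits(customer, pkt["src"]) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic on cust-x's port: two legitimate packets, one spoofed
# from cust-y's block, and one spoofed from cust-y's ISP B prefix. The
# exception is per-port, so it does not help traffic arriving on cust-x.
SAMPLE_CUST_X = [
    {"src": "192.0.2.10", "dst": "198.51.100.200"},
    {"src": "2001:db8:1::1", "dst": "2001:db8:ffff::1"},
    {"src": "198.51.100.5", "dst": "203.0.113.250"},
    {"src": "203.0.113.7", "dst": "203.0.113.250"},
]

if __name__ == "__main__":
    fwd, drp = apply_ingress_filter("cust-x", SAMPLE_CUST_X)
    print(len(fwd), "forwarded,", len(drp), "dropped:", [p["src"] for p in drp])
```

The same check run on cust-y's port would pass 203.0.113.7, because that port carries the exception; on an unknown port everything is dropped.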


Re: Request for comment -- BCP38

2016-10-01 Thread Jay R. Ashworth
- Original Message -
> From: "Laszlo Hanyecz" 

>> If you have links from both ISP A and ISP B and decide to send traffic
>> out ISP A's link sourced from addresses ISP B allocated to you, ISP A
>> *should* drop that traffic on the floor.  There is no automated or
>> scalable way for ISP A to distinguish this "legitimate" use from
>> spoofing; unless you consider it scalable for ISP A to maintain
>> thousands if not more "exception" ACLs to uRPF and BCP38 egress
>> filters to cover all of the cases of customers X, Y, and Z sourcing
>> traffic into ISP A's network using IPs allocated to them by other ISPs?
> 
> This is a legitimate and interesting use case that is broken by BCP38.
> The effectiveness of BCP38 at reducing abuse is dubious, but the
> benefits of asymmetric routing are well understood.  Why should everyone
> have to go out of their way to break this.. it works fine if you just
> don't mess with it.

Let me see if I have your argument straight:

In order to enable an "interesting" use case that is used by maybe well under 
1% of end nodes not in PI address space, we should decide *not* to do 
something which makes it much easier to protect attack targets against
well over 75% of incoming attacks of ridiculous (>OC-12) bandwidth?

Is that what you're advocating?

No.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: Root Zone DNSSEC Operational Update -- ZSK length change

2016-10-01 Thread Mike

On 10/01/2016 06:36 AM, Wessels, Duane wrote:

> I'm pleased to announce that this change is now complete.  As of 13:34 UTC on 
> October 1, 2016 the root zone has been signed and published with a 2048-bit 
> ZSK.  Please contact myself or Verisign customer service 
> (i...@verisign-grs.com) if you observe any problems related to this change.
> 
> Duane W.

I emailed you but got a 'host not found' error. Does that count as a 
problem related to the change?


Lol



Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread James Jun
On Sat, Oct 01, 2016 at 06:17:42PM +0300, Saku Ytti wrote:
> On 1 October 2016 at 18:12, James Jun  wrote:
> 
> > We also want support contracts from our vendors.  EOL boxes get removed 
> > from support availability within a few years of the announcement.
> 
> Support, particularly software maintenance, is indeed the key deadline;
> after that you're on your own. For EX this would be 2019 or 2021
> depending on model; if that fits your amortisation times, then it's
> fine. You may get more out of it, but you can't build a business case on
> it.

Yup, exactly.  There are things to keep around from the used market for unimportant 
stuff (OOB etc.), but software maintenance support on a production box is key.

James


Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread Saku Ytti
On 1 October 2016 at 18:12, James Jun  wrote:

> We also want support contracts from our vendors.  EOL boxes get removed from 
> support availability within a few years of the announcement.

Support, particularly software maintenance, is indeed the key deadline;
after that you're on your own. For EX this would be 2019 or 2021
depending on model; if that fits your amortisation times, then it's
fine. You may get more out of it, but you can't build a business case on
it.

-- 
  ++ytti


Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread Josh Reynolds
Again, keep doing that :P

Be sure to eBay it for a reasonable price when you are done!

On Oct 1, 2016 10:12 AM, "James Jun"  wrote:

> On Sat, Oct 01, 2016 at 09:22:32AM -0500, Mike Hammett wrote:
> > Better power performance, newer features, higher capacities sure are all
> > great reasons to get newer hardware. EOL isn't. Don't too many of you adopt
> > that strategy, though. I still want my source of cheap EOL hardware. :-)
>
> We also want support contracts from our vendors.  EOL boxes get removed
> from support availability within a few years of the announcement.
>
> James
>


Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread James Jun
On Sat, Oct 01, 2016 at 09:22:32AM -0500, Mike Hammett wrote:
> Better power performance, newer features, higher capacities sure are all 
> great reasons to get newer hardware. EOL isn't. Don't too many of you adopt 
> that strategy, though. I still want my source of cheap EOL hardware. :-) 

We also want support contracts from our vendors.  EOL boxes get removed from 
support availability within a few years of the announcement.

James


Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread Mike Hammett
I like putting a switch in front so then I can run two routers behind and get a 
/29 from the upstream. I can then do router maintenance, upgrades, etc. without 
taking the circuit down. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Pedro"  
To: nanog@nanog.org 
Sent: Friday, September 30, 2016 2:42:37 PM 
Subject: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos 


Hello, 

I have some idea to put a switch before the bgp router in order to terminate 
isp 10G uplinks on the switch, not the router. The main reason is that it could be some 
kind of 1st level of defence against ddos; the second reason, less 
important, is to save the cost of router ports and do many port mirrors. 

I think about N3K-C3064PQ or Juniper ex4500 because they are quite 
cheap and there are a lot of them on eBay. 

I would like to try to use some features on the Nexus or Juniper: 

- limit udp, icmp, bum packets (bandwidth, pps) at an ingress tagged port or 
vlan 
- create counters: passed and dropped packets; the best way to get these 
counters is via snmp oid, sent snmp traps, syslog etc. in order to monitor, 
or even as an action shut down the port 
- port mirror from many ports/vlans to multiple ports (other anti-ddos 
solutions) 
- limited bgp but with flowspec to communicate with other anti-ddos 
devices 

I'm also wondering how these features impact the cpu/whole switch. Can 
there be some performance degradation, or are all of these features done in 
hardware, at wirespeed? Which model will be better to do this? 

Thanks for any advice, 
Pedro 

--- 
This message has been checked for viruses by Avast 
antivirus software. 
https://www.avast.com/antivirus 




Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread Mike Hammett
That sort of thing has never bothered me much. If the platform is so great, 
surely it'll last more than a few years. What's the MTBF on these things? 
Decades? 

Better power performance, newer features, higher capacities sure are all great 
reasons to get newer hardware. EOL isn't. Don't too many of you adopt that 
strategy, though. I still want my source of cheap EOL hardware. :-) 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Matt Freitag"  
To: "Saku Ytti"  
Cc: "nanog list"  
Sent: Friday, September 30, 2016 3:50:25 PM 
Subject: Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against 
ddos 

Pedro, 

Please also keep in mind that the Juniper EX4500 is an end of life product. 
Soon you won't be able to get Juniper to support you. That's why there are 
so many for so cheap on eBay. 

Matt Freitag 
Network Engineer I 
Information Technology 
Michigan Technological University 
(906) 487-3696 
https://www.mtu.edu/ 
https://www.it.mtu.edu/ 

On Fri, Sep 30, 2016 at 4:06 PM, Saku Ytti  wrote: 

> On 30 September 2016 at 22:42, Pedro  wrote: 
> 
> Hey Pedro, 
> 
> > I have some idea to put switch before bgp router in order to terminate isp 
> > 10G uplinks on switch, not router. Main reason is that could be some kind of 
> > 1st level of defence against ddos, second reason, less important, save cost 
> > of router ports, do many port mirrors. 
> 
> I don't understand your rationale, unless your router is software box, 
> but as it has 10G interface, probably not. 
> Your router should be able to limit packets in HW, likely with better 
> counter and filtering options than cheap switch. 
> 
> -- 
> ++ytti 
> 



Re: Root Zone DNSSEC Operational Update -- ZSK length change

2016-10-01 Thread Wessels, Duane
I'm pleased to announce that this change is now complete.  As of 13:34 UTC on 
October 1, 2016 the root zone has been signed and published with a 2048-bit 
ZSK.  Please contact myself or Verisign customer service 
(i...@verisign-grs.com) if you observe any problems related to this change.

Duane W.

> On Sep 29, 2016, at 11:15 AM, Wessels, Duane  wrote:
> 
> A quick update on this change: A 2048-bit ZSK has been pre-published in the 
> root zone as of September 20.  We are not aware of any issues related to the 
> appearance of the larger key.
> 
> In less than 48 hours we will begin publishing root zones signed with the 
> 2048-bit ZSK.  I will send another note once that has happened.  If you 
> observe any problems related to this change, please contact Verisign's 
> customer service at i...@verisign-grs.com.
> 
> Duane W.
> 
>> On Jul 28, 2016, at 3:37 PM, Wessels, Duane  wrote:
>> 
>> As you may know, Verisign, in its role as the Root Zone Maintainer
>> is also the operator of the root zone Zone Signing Key (ZSK).  Later
>> this year, we will increase the size of the ZSK from 1024-bits to
>> 2048-bits.
>> 
>> The root zone ZSK is normally rolled every calendar quarter, as per
>> our “DNSSEC Practice Statement for the Root Zone ZSK operator.”[1]
>> The ZSK public keys are signed at quarterly key signing ceremonies
>> by ICANN in its role as the IANA Functions Operator.
>> 
>> On September 20, 2016 the 2048-bit ZSK will be pre-published in the
>> root zone, following the standard ZSK rollover procedure.  We intend
>> to begin publishing root zones signed with the first 2048-bit ZSK
>> on October 1, 2016.
>> 
>> Some details of the ZSK size transition have recently been presented
>> at the DNS-OARC, NANOG, RIPE, ICANN, and IETF meetings.[2]  If you
>> have any questions or concerns, please feel free to contact us at
>> z...@verisign.com.
>> 
>> Please feel free to forward this message to anyone who might not have
>> seen it here.
>> 
>> [1] https://www.verisign.com/assets/dps-zsk-operator-1532.pdf
>> [2] 
>> https://ripe72.ripe.net/wp-content/uploads/presentations/168-verisign-zsk-change.pdf
>> 
> 
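
The check a resolver operator would run after Duane's announcement, as an added example that is not Verisign's or IANA's code: a Python decoder for DNSKEY records (wire RDATA, or the RDATA fields of the presentation form `dig DNSKEY .` prints) that reports whether a key is a ZSK or KSK and the size of its RSA modulus, which is the "ZSK length" being changed. The sample keys are constructed with synthetic moduli, not real root keys.

```python
import base64
import struct

# Added DNSKEY decoder (not Verisign's or IANA's code). Wire RDATA is
# flags (2 bytes), protocol (1), algorithm (1), public key. An RSA public
# key (RFC 3110) is: exponent length (1 byte, or 0x00 plus a 2-byte
# length), exponent, modulus. The modulus size is the "ZSK length".

RSA_ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512"}
FLAG_ZONE_KEY = 0x0100  # bit 7: the key signs zone data
FLAG_SEP = 0x0001       # bit 15: Secure Entry Point, i.e. a KSK


def parse_rsa_public_key(key):
    """Split an RFC 3110 RSA public key into (exponent, modulus_bytes)."""
    exp_len, off = key[0], 1
    if exp_len == 0:  # long form: two-byte exponent length follows
        exp_len, off = struct.unpack("!H", key[1:3])[0], 3
    exponent = int.from_bytes(key[off:off + exp_len], "big")
    return exponent, key[off + exp_len:]


def parse_dnskey(rdata):
    """Decode DNSKEY wire RDATA into a dict with the key role and RSA size."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if not flags & FLAG_ZONE_KEY:
        role = "not-a-zone-key"
    elif flags & FLAG_SEP:
        role = "KSK"
    else:
        role = "ZSK"
    info = {"flags": flags, "protocol": protocol, "algorithm": algorithm, "role": role}
    if algorithm in RSA_ALGORITHMS:
        exponent, modulus = parse_rsa_public_key(rdata[4:])
        info["exponent"] = exponent
        info["rsa_bits"] = int.from_bytes(modulus, "big").bit_length()
    return info


def parse_dnskey_text(rr):
    """Decode the RDATA fields dig prints: '<flags> <proto> <alg> <base64>'."""
    fields = rr.split()
    header = struct.pack("!HBB", int(fields[0]), int(fields[1]), int(fields[2]))
    return parse_dnskey(header + base64.b64decode("".join(fields[3:])))


def dnskey_to_text(rdata):
    """Inverse of parse_dnskey_text; used here to build presentation-form input."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    return f"{flags} {protocol} {algorithm} {base64.b64encode(rdata[4:]).decode()}"


def make_test_rdata(flags, algorithm, modulus_bits, long_exp_len=False):
    """Constructed DNSKEY RDATA with a synthetic modulus: NOT a real key."""
    exponent = (65537).to_bytes(3, "big")
    length = struct.pack("!xH", len(exponent)) if long_exp_len else bytes([len(exponent)])
    modulus = bytes([0x80]) + bytes([0x5A]) * (modulus_bits // 8 - 1)  # top bit set
    return struct.pack("!HBB", flags, 3, algorithm) + length + exponent + modulus
```

Flags 256 is a ZSK and 257 a KSK; the root uses algorithm 8 (RSASHA256), so a decoded root ZSK should now report rsa_bits of 2048.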





Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread Saku Ytti
On 1 October 2016 at 10:03, Pedro  wrote:
> We had situations where we lost all our bgp sessions, not only on the ports
> where the flood was coming in. Just cpu overloaded. I don't care about support too
> much; they are cheap enough to have a spare.

What is the device you're trying to protect? Perhaps it supports
reasonable CoPP features so that you can protect it directly on
itself. To do this CoPP on the neighbouring switch, you'd need a unique
policer for each and every BGP session and for ARP; your switch may not
support this, and it is a provisioning nightmare.

-- 
  ++ytti


Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-10-01 Thread Pedro


We had situations where we lost all our bgp sessions, not only on the
ports where the flood was coming in. Just cpu overloaded. I don't care about
support too much; they are cheap enough to have a spare. The soft is mature
with known bugs, so I assume that this risk is accepted. A bigger problem
for me is the technical details about the features which I described in my first
post. Most of these features I tested on the trident2 chipset extreme 670; it
works but with problems and some limits. Now I have to change vendor.
Really wondering what I can get from N3K-C3064PQ; it's also built on
trident2 AFAIK.

thanks for answers,
Pedro


On 2016-09-30 at 22:50, Matt Freitag wrote:

Pedro,

Please also keep in mind that the Juniper EX4500 is an end of life
product. Soon you won't be able to get Juniper to support you. That's
why there are so many for so cheap on eBay.

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696 
https://www.mtu.edu/
https://www.it.mtu.edu/


On Fri, Sep 30, 2016 at 4:06 PM, Saku Ytti <s...@ytti.fi> wrote:

On 30 September 2016 at 22:42, Pedro <piotr.1...@interia.pl> wrote:

Hey Pedro,

> I have some idea to put switch before bgp router in order to terminate isp
> 10G uplinks on switch, not router. Main reason is that could be some kind of
> 1st level of defence against ddos, second reason, less important, save cost
> of router ports, do many port mirrors.

I don't understand your rationale, unless your router is software box,
but as it has 10G interface, probably not.
Your router should be able to limit packets in HW, likely with better
counter and filtering options than cheap switch.

--
  ++ytti





---
This message has been checked for viruses by Avast 
antivirus software.
https://www.avast.com/antivirus