Re: validating reachability via an ISP

2018-03-28 Thread Frank Habicht
On 3/29/2018 2:22 AM, Andy Litzinger wrote:
> Hi all,
>   I have an enterprise network and do not provide transit. In one of our
> datacenters we have our own prefixes and rely on two ISPs as BGP neighbors
> to provide global reachability for our prefixes.  One is a large regional
> provider and the other is a large global provider.
> 
> Recently we took our link to the global provider offline to perform
> maintenance on our router.  Nearly immediately we were hit with alerts that
> our prefix was unreachable and BGPMon alerted that nearly 80 AS's noted our
> route had been withdrawn.  We were not unreachable from every AS, but we
> certainly were from some of the largest.
> 
> The root cause is that our prefix is not being adequately
> re-distributed globally by the regional ISP.  This is unexpected and we are
> working through this with them now.
> 
> My question is, how can I monitor global reachability for a prefix via this
> or any specific provider I use over time?  Are there various route-servers
> I can programmatically query for my prefix and get results that include AS
> paths? Then I could verify that an "acceptable" number of paths exist that
> include the AS of all the ISPs I rely upon.  And what would an
> "acceptable" number of alternate paths be?

If your global provider supports it, you could send your announcements with
a BGP community per RFC1998 telling them to not-prefer-so-much that
advertisement, "use it as a backup".

That would shift a lot of incoming traffic to the other link (regional
provider).
You'll still have the global provider link.
This is a smaller change towards taking the global provider offline, keeping
some fallback.

Frank


Re: Yet another Quadruple DNS?

2018-03-28 Thread David Ulevitch
On Wed, Mar 28, 2018 at 1:27 PM Aftab Siddiqui 
wrote:

> 1.1.1.0/24 and 1.0.0.0/24 both are APNIC's Lab Research Prefixes. APNIC,
> probably doing some more data gathering on 1.1.1.1 and doesn't want to be
> smashed with Gigs of traffic.


Doubtful. This is most assuredly going to be a commercial production
recursive DNS service. Matthew (CEO) has said as much on Twitter:
https://twitter.com/eastdakota/status/970214433598275584 and
https://twitter.com/eastdakota/status/970359846548549632

-David




> Transit is still quite expensive in Aus :)
>
> https://www.apnic.net/wp-content/uploads/prop-109/assets/prop-109-v001.txt
>
>
> On Thu, 29 Mar 2018 at 07:08 Bill Woodcock  wrote:
>
> >
> >
> > > On Mar 28, 2018, at 11:14 AM, Payam Poursaied  wrote:
> > >
> > > dig google.com @1.1.1.1
> > > Cloudflare?
> >
> > Yeah, Cloudflare did a deal with Geoff Huston to use it.  It’s reserved
> > for “experimental use."
> >
> > -Bill
> >
> > --
> Best Wishes,
>
> Aftab A. Siddiqui
>


Re: Québec Sales tax

2018-03-28 Thread Jean-Francois Mezei
On 2018-03-28 17:45, Alain Hebert wrote:
>      Same deal as Paypal and EBay.

Paypal and EBay have not worked feverishly to avoid a presence in
Canada. They have presence and already handle the taxes.

>      Netflix dropping their services in CDN/QC only serve  
> attempt at making yet another market grab.

Netflix has worked VERY hard  to avoid having a presence in Canada to
avoid not only taxation, but also regulation from CRTC in broadcasting,
having to contribute to various funds etc.

The danger here is that it may feel that losing its QC customers is
worth the price of maintaining the illusion it has no presence in Canada.

There is also a class action lawsuit for Netflix because it did not
follow the Québec Consumer protection law when it raised its rates a
year or two ago. Class action lawsuits can be very expensive.


And to bring this back to the network/ISP level: this is why it is very
important that ISPs remain "common carriers" who do not control or have
responsibility over content so that they don't get dragged into all
those issues.


>          ( And with all the hardware already deployed locally at the 
> many exchanges ... )

Netflix owns NO, NONE, NADA, ZERO hardware in Canada. It has no offices
in Canada.  Gifting the network appliances to ISPs means Netflix does
not own the hardware and thus maintains its "no presence here".


The second Netflix has physical presence here, the existing tax laws
kick in and Netflix must collect federal and provincial taxes.



validating reachability via an ISP

2018-03-28 Thread Andy Litzinger
Hi all,
  I have an enterprise network and do not provide transit. In one of our
datacenters we have our own prefixes and rely on two ISPs as BGP neighbors
to provide global reachability for our prefixes.  One is a large regional
provider and the other is a large global provider.

Recently we took our link to the global provider offline to perform
maintenance on our router.  Nearly immediately we were hit with alerts that
our prefix was unreachable and BGPMon alerted that nearly 80 AS's noted our
route had been withdrawn.  We were not unreachable from every AS, but we
certainly were from some of the largest.

The root cause is that our prefix is not being adequately
re-distributed globally by the regional ISP.  This is unexpected and we are
working through this with them now.

My question is, how can I monitor global reachability for a prefix via this
or any specific provider I use over time?  Are there various route-servers
I can programmatically query for my prefix and get results that include AS
paths? Then I could verify that an "acceptable" number of paths exist that
include the AS of all the ISPs I rely upon.  And what would an
"acceptable" number of alternate paths be?


thanks in advance,
  -andy
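One way to turn the monitoring question above into code, as an added example that is not from the thread: the script takes AS-path observations for a prefix (a constructed, simplified line format standing in for what a route-collector or looking-glass query would return; all ASNs are private/documentation-range placeholders), counts how many distinct vantage points reach the prefix through each upstream AS, and flags an upstream seen by fewer than a chosen threshold. The function names and the threshold policy are this example's assumptions, not anything the thread specifies.

```python
"""Count how many vantage points reach our prefix through each upstream AS.

Added example, not part of the original thread. Input is a constructed,
simplified line format "<collector_peer_asn> <prefix> <as_path...>" standing
in for what a route-collector or looking-glass query would return.
"""

# Constructed sample data. All ASNs are private/documentation-range
# placeholders: 65010 plays "our" AS, 65001 and 65002 our two upstreams.
SAMPLE_OBSERVATIONS = """\
64496 203.0.113.0/24 64496 65001 65010
64497 203.0.113.0/24 64497 64499 65001 65010
64498 203.0.113.0/24 64498 64500 65002 65010
64499 203.0.113.0/24 64499 65001 65010
64500 203.0.113.0/24 64500 65001 65010 65010
64501 198.51.100.0/24 64501 65002 65010
64502 203.0.113.0/24 64502 65003
"""

OUR_ASN = 65010
UPSTREAMS = {65001: "global provider", 65002: "regional provider"}


def parse_observations(text):
    """Yield (peer_asn, prefix, as_path) for each well-formed line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        peer_asn, prefix, *path = fields
        yield int(peer_asn), prefix, [int(asn) for asn in path]


def paths_via_upstream(observations, prefix, our_asn, upstreams):
    """Return {upstream_asn: number of distinct collector peers} whose path
    to `prefix` enters our AS through that upstream (the AS just before
    ours in the AS_PATH, after stripping any prepends of our own ASN).

    Paths whose origin is not our ASN are skipped here; in a real monitor
    they deserve their own alert, since they look like a leak or hijack.
    """
    peers_seen = {asn: set() for asn in upstreams}
    for peer_asn, obs_prefix, path in observations:
        if obs_prefix != prefix or not path or path[-1] != our_asn:
            continue
        trimmed = list(path)
        while trimmed and trimmed[-1] == our_asn:
            trimmed.pop()            # drop our own prepends
        if not trimmed:
            continue                 # collector peer is us; nothing learned
        neighbour = trimmed[-1]
        if neighbour in peers_seen:
            peers_seen[neighbour].add(peer_asn)
    return {asn: len(peers) for asn, peers in peers_seen.items()}


def check_reachability(text, prefix, our_asn, upstreams, minimum):
    """Return (ok, counts). ok is False when any upstream is seen by fewer
    than `minimum` vantage points. The threshold is a policy choice; a
    defensible one is a fraction of the count measured while every link is
    known healthy, so that a drop stands out rather than an absolute number.
    """
    counts = paths_via_upstream(parse_observations(text), prefix, our_asn, upstreams)
    return all(n >= minimum for n in counts.values()), counts


if __name__ == "__main__":
    ok, counts = check_reachability(SAMPLE_OBSERVATIONS, "203.0.113.0/24",
                                    OUR_ASN, UPSTREAMS, minimum=2)
    for asn, n in counts.items():
        print(f"AS{asn} ({UPSTREAMS[asn]}): seen by {n} vantage point(s)")
    print("OK" if ok else "WARNING: an upstream is under-represented")
```

On the constructed sample the regional provider is seen by only one vantage point, which is the pattern the original post describes; in practice the observations would come from many collectors rather than one list.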


Re: Yet another Quadruple DNS?

2018-03-28 Thread Izaac
On March 28, 2018 6:14:26 PM UTC, Payam Poursaied  wrote:
>dig google.com @1.1.1.1

Cute. I'm sure this engineering effort to centralize a distributed service will 
also go a long way to spur IPv6 adoption.

-- 
Izaac


Re: Québec Sales tax

2018-03-28 Thread Ken Chase
bell canada?

/kc

On Wed, Mar 28, 2018 at 05:45:26PM -0400, Alain Hebert said:
  >     Same deal as Paypal and EBay.
  >
  >     Netflix dropping their services in CDN/QC only serve 
  >attempt at making yet another market grab.
  >
  >
  >     At the end Netflix may just charge the Tax and funnel it to the
  >govt.  They'll still be making a bundle.
  >
  >         ( And with all the hardware already deployed locally at the
  >many exchanges ... )
  >
  >
  >     Now if we can only break that damn 1930's licensing scheme so that
  >we can gain access to more content...  Kinda annoyed that 
  >is hogging all the content with their vertical licensing agreements.
  >
  >-
  >Alain Hebertaheb...@pubnix.net
  >PubNIX Inc.
  >50 boul. St-Charles
  >P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
  >Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443
  >
  >On 03/27/18 18:21, Ken Chase wrote:
  >>If Netflix has no physical presence in Quebec, what the lever are they going
  >>to use to force this? A lawsuit in  in the
  >>US? What court is going to entertain a foreign jurisdiction's tax claim in
  >>their court? And how would that be then enforced?
  >>
  >>Canada has tried this before:
  >>
  >>https://www.ctvnews.ca/business/u-s-judge-puts-halt-to-canadian-court-order-for-google-to-delist-search-results-1.3663055
  >>
  >>Court file: https://scc-csc.lexum.com/scc-csc/scc-csc/en/item/16701/index.do
  >>
  >>I'm a big fan of Canada standing up for its sovereignty (I live here), but nice
  >>try.
  >>
  >>/kc
  >>
  >>
  >>On Tue, Mar 27, 2018 at 06:10:51PM -0400, Jean-Francois Mezei said:
  >>   >Not quite networking but probably relevant.
  >>   >
  >>   >The Canadian province of Québec just introduced a new budget with
  >>   >basically the intent to force foreign digital companies who sell
  >>   >services to Québecers to collect the local value added sales tax and
  >>   >remit those to the QC government.
  >>   >
  >>   >The goal is to capture tax from Netflix who has so far escaped taxation
  >>   >in Canada by having no legal/physical presence in Canada, no cache
  >>   >servers of its own etc. Netflix does not currently collect province
  >>   >information from customers (or any address info for that matter).
  >>   >
  >>   >They based many of their arguments on an OECD study (which ironically
  >>   >the Canadian federal government says is not completed yet (as excuse for
  >>   >not proceeding with similar tax).
  >>   >
  >>   >So foreign digital services will be required to require subscribers enter
  >>   >AND VALIDATE their address so that they have an accurate province field
  >>   >(validation remains to be finalized), and IF they sell more than $30,000
  >>   >to Québec residents, will be required to self register with QC
  >>   >government to collect local sales tax (and remit to QC government).
  >>   >
  >>   >The Québec budget expects that validation of address will be based on IP
  >>   >address geolocation or customers send paper bills to prove place of
  >>   >residence.
  >>   >
  >>   >(Although requiring full address/phone number and sending this to credit
  >>   >card network for authorization might constitute a better means to
  >>   >validate address).
  >>   >
  >>   >I suspect the big winners will be VPN services in the USA :-)
  >>   >
  >>   >Because many ISPs span multiple provinces, IP geolocation generally
  >>   >points to their HQ address, not necessarily the province of the
  >>   >subscriber. (This is especially true for DSL in bell Canada wholesale
  >>   >where currently a single point of connection between Bell and ISP allows
  >>   >full reach of all of its DSL territory in QC/ON. For Cable, ISPs require
  >>   >different IP pools for Rogers in Ontario and Vidéotron in Ontario (with
  >>   >a couple of exceptions where Vidéotron has service in a couple of
  >>   >Ontario towns). In Western Canada, things are harder as Shaw serves BC,
  >>   >AB, SASK and MB.
  >>
  >>--
  >>Ken Chase - m...@sizone.org Guelph Canada
  >>
  >

-- 
Ken Chase - m...@sizone.org Guelph Canada


Re: Québec Sales tax

2018-03-28 Thread Alain Hebert

    Same deal as Paypal and EBay.

    Netflix dropping their services in CDN/QC only serve  
attempt at making yet another market grab.



    At the end Netflix may just charge the Tax and funnel it to the 
govt.  They'll still be making a bundle.


        ( And with all the hardware already deployed locally at the 
many exchanges ... )



    Now if we can only break that damn 1930's licensing scheme so that 
we can gain access to more content...  Kinda annoyed that  
is hogging all the content with their vertical licensing agreements.


-
Alain Hebertaheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443

On 03/27/18 18:21, Ken Chase wrote:

If Netflix has no physical presence in Quebec, what the lever are they going
to use to force this? A lawsuit in  in the
US? What court is going to entertain a foreign jurisdiction's tax claim in
their court? And how would that be then enforced?

Canada has tried this before:

https://www.ctvnews.ca/business/u-s-judge-puts-halt-to-canadian-court-order-for-google-to-delist-search-results-1.3663055

Court file: https://scc-csc.lexum.com/scc-csc/scc-csc/en/item/16701/index.do

I'm a big fan of Canada standing up for its sovereignty (I live here), but nice
try.

/kc


On Tue, Mar 27, 2018 at 06:10:51PM -0400, Jean-Francois Mezei said:
   >Not quite networking but probably relevant.
   >
   >The Canadian province of Québec just introduced a new budget with
   >basically the intent to force foreign digital companies who sell
   >services to Québecers to collect the local value added sales tax and
   >remit those to the QC government.
   >
   >The goal is to capture tax from Netflix who has so far escaped taxation
   >in Canada by having no legal/physical presence in Canada, no cache
   >servers of its own etc. Netflix does not currently collect province
   >information from customers (or any address info for that matter).
   >
   >They based many of their arguments on an OECD study (which ironically
   >the Canadian federal government says is not completed yet (as excuse for
   >not proceeding with similar tax).
   >
   >So foreign digital services will be required to require subscribers enter
   >AND VALIDATE their address so that they have an accurate province field
   >(validation remains to be finalized), and IF they sell more than $30,000
   >to Québec residents, will be required to self register with QC
   >government to collect local sales tax (and remit to QC government).
   >
   >The Québec budget expects that validation of address will be based on IP
   >address geolocation or customers send paper bills to prove place of
   >residence.
   >
   >(Although requiring full address/phone number and sending this to credit
   >card network for authorization might constitute a better means to
   >validate address).
   >
   >I suspect the big winners will be VPN services in the USA :-)
   >
   >Because many ISPs span multiple provinces, IP geolocation generally
   >points to their HQ address, not necessarily the province of the
   >subscriber. (This is especially true for DSL in bell Canada wholesale
   >where currently a single point of connection between Bell and ISP allows
   >full reach of all of its DSL territory in QC/ON. For Cable, ISPs require
   >different IP pools for Rogers in Ontario and Vidéotron in Ontario (with
   >a couple of exceptions where Vidéotron has service in a couple of
   >Ontario towns). In Western Canada, things are harder as Shaw serves BC,
   >AB, SASK and MB.

--
Ken Chase - m...@sizone.org Guelph Canada





Re: Yet another Quadruple DNS?

2018-03-28 Thread Bill Woodcock


> On Mar 28, 2018, at 2:39 PM, David Ulevitch  wrote:
> 
> On Wed, Mar 28, 2018 at 1:27 PM Aftab Siddiqui  
> wrote:
> 1.1.1.0/24 and 1.0.0.0/24 both are APNIC's Lab Research Prefixes. APNIC,
> probably doing some more data gathering on 1.1.1.1 and doesn't want to be
> smashed with Gigs of traffic.
> 
> Doubtful. This is most assuredly going to be a commercial production 
> recursive DNS service. Matthew (CEO) has said as much on Twitter.

Yep, they’ve been trying to put something together in this space for several 
years.  Sounds like it may be close now.

I can’t say I envy them their task, as it will be very difficult for them to 
differentiate in that space, since they don’t have OpenDNS’s many years of 
experience and fine-tuning and security services, nor Google’s 
brand-recognition.  Verisign have had a reasonably good commercial offering in 
this space for years, and hardly anyone’s heard of it, for instance.  I believe 
even Neustar does.  And they’re all DNS specialists, rather than web-content 
specialists.

-Bill





Re: Yet another Quadruple DNS?

2018-03-28 Thread Jared Mauch
A reminder to go back and watch the awesome talk from Nanog 49 about this:

https://youtu.be/RBOPcLpQZ8w
https://www.nanog.org/meetings/nanog49/presentations/Monday/karir-1slash8.pdf

- Jared

> On Mar 28, 2018, at 4:25 PM, Aftab Siddiqui  wrote:
> 
> 1.1.1.0/24 and 1.0.0.0/24 both are APNIC's Lab Research Prefixes. APNIC,
> probably doing some more data gathering on 1.1.1.1 and doesn't want to be
> smashed with Gigs of traffic. Transit is still quite expensive in Aus :)
> 
> https://www.apnic.net/wp-content/uploads/prop-109/assets/prop-109-v001.txt
> 
> 
> On Thu, 29 Mar 2018 at 07:08 Bill Woodcock  wrote:
> 
>> 
>> 
>>> On Mar 28, 2018, at 11:14 AM, Payam Poursaied  wrote:
>>> 
>>> dig google.com @1.1.1.1
>>> Cloudflare?
>> 
>> Yeah, Cloudflare did a deal with Geoff Huston to use it.  It’s reserved
>> for “experimental use."
>> 
>>-Bill
>> 
>> --
> Best Wishes,
> 
> Aftab A. Siddiqui



Re: Yet another Quadruple DNS?

2018-03-28 Thread Aftab Siddiqui
1.1.1.0/24 and 1.0.0.0/24 both are APNIC's Lab Research Prefixes. APNIC,
probably doing some more data gathering on 1.1.1.1 and doesn't want to be
smashed with Gigs of traffic. Transit is still quite expensive in Aus :)

https://www.apnic.net/wp-content/uploads/prop-109/assets/prop-109-v001.txt


On Thu, 29 Mar 2018 at 07:08 Bill Woodcock  wrote:

>
>
> > On Mar 28, 2018, at 11:14 AM, Payam Poursaied  wrote:
> >
> > dig google.com @1.1.1.1
> > Cloudflare?
>
> Yeah, Cloudflare did a deal with Geoff Huston to use it.  It’s reserved
> for “experimental use."
>
> -Bill
>
> --
Best Wishes,

Aftab A. Siddiqui


Re: Yet another Quadruple DNS?

2018-03-28 Thread Christopher Morrow
On Wed, Mar 28, 2018 at 9:13 PM, Michael Crapse  wrote:

> Many providers filter out 1.1.1.1 because too many people use it in their
> examples/test code. I doubt that it's a usable IP/service.
>
>
Having previously globally announced 1.1.1.1 ... and some other of its
friends... not nearly enough people filter it.
We regularly saw ~10gbps+ of traffic to those prefixes.


> On 28 March 2018 at 12:14, Payam Poursaied  wrote:
>
> > dig google.com @1.1.1.1
> >
> >
> >
> > Cloudflare?
> >
> > Didn't find any news around it
> >
> >
>


Re: Yet another Quadruple DNS?

2018-03-28 Thread Jared Mauch


> On Mar 28, 2018, at 4:13 PM, Michael Crapse  wrote:
> 
> Many providers filter out 1.1.1.1 because too many people use it in their
> examples/test code. I doubt that it's a usable IP/service.


There’s at least one vendor *cough* cisco *cough* that has used it as
captive portal IP.

I’m not sure I would try to use it on a client machine because you don’t
know if you’ll reach the internet.

If you know you’re not on a closed network, you could use it instead of
the list of usual suspects, like 8.8.8.8 4.2.2.1 9.9.9.9 etc.

- Jared

Re: Yet another Quadruple DNS?

2018-03-28 Thread DaKnOb
Out of 1,000 RIPE Atlas Probes, only 34 report it as unreachable. Very good
latency from those who can reach it.

https://atlas.ripe.net/measurements/11859210/#!general 


Antonis 

> On 28 Mar 2018, at 23:13, Michael Crapse  wrote:
> 
> Many providers filter out 1.1.1.1 because too many people use it in their
> examples/test code. I doubt that it's a usable IP/service.
> 
> On 28 March 2018 at 12:14, Payam Poursaied  wrote:
> 
>> dig google.com @1.1.1.1
>> 
>> 
>> 
>> Cloudflare?
>> 
>> Didn't find any news around it
>> 
>> 



Re: Yet another Quadruple DNS?

2018-03-28 Thread Michael Crapse
Many providers filter out 1.1.1.1 because too many people use it in their
examples/test code. I doubt that it's a usable IP/service.

On 28 March 2018 at 12:14, Payam Poursaied  wrote:

> dig google.com @1.1.1.1
>
>
>
> Cloudflare?
>
> Didn't find any news around it
>
>


Re: Yet another Quadruple DNS?

2018-03-28 Thread Bill Woodcock


> On Mar 28, 2018, at 11:14 AM, Payam Poursaied  wrote:
> 
> dig google.com @1.1.1.1
> Cloudflare?

Yeah, Cloudflare did a deal with Geoff Huston to use it.  It’s reserved for 
“experimental use."

-Bill





Yet another Quadruple DNS?

2018-03-28 Thread Payam Poursaied
dig google.com @1.1.1.1

 

Cloudflare?

Didn't find any news around it



Firewall as a Service.

2018-03-28 Thread Daniel Corbe
Are there any vendors that have hardware firewalls and maintain their own 
Openstack nova/neutron driver set?

I’m looking for something that I can offer to my VPS customers as a 
self-managed service.   At the moment, I’m using the default firewall driver. 
Which is nothing but a wrapper for iptables; and while seamless, I can’t 
imagine it’s going to scale very well.   

I’m looking for something that has 10 gig client connectivity and either 100G 
or 40G uplinks.

-Daniel






Re: How are you configuring BFD timers?

2018-03-28 Thread Arie Vayner
Not directly related, but I wonder: how common is micro-BFD for detecting
bundle member failures?



On Thu, Mar 22, 2018 at 10:12 PM Måns Nilsson 
wrote:

>
>
> --On 22 mars 2018 23:45:16 +0200 Saku Ytti  wrote:
>
> > On 22 March 2018 at 22:41, Måns Nilsson 
> > wrote:
> >
> >> Subject: Re: How are you configuring BFD timers? Date: Wed, Mar 21, 2018
> >> at 04:24:47PM + Quoting Job Snijders (j...@instituut.net):
> >>> Silly question perhaps, but why would you do BFD on dark fiber?
> >>
> >> Because Ethernet lacks the PRDI that real WAN protocols have.
> >
> > Indeed, RFI on ethernet is a rather modern addition, turning 20 this year.
>
> (You just reminded me I've been doing some sort of WAN network ops for
> about 20 years.)
>
> That does indeed solve the problem for dark fibre, and those lucky WDM
> systems that actually reflect input status to output. Not always true, I'm
> afraid (just look at the Ethernet switch mid-span that Thomas Bellman wrote
> about; a fitting metaphor for all "ethernet-over-other.." models..).
> Ethernet still regards "no frames seen on the yellow coax" as an
> opportunity to send traffic rather than an error, if we're talking old
> things ;-).  BFD solves that, and it is worthwhile to have one setup
> regardless of technology, if possible.
>
> --
> Måns Nilsson primary/secondary/besserwisser/machina
> MN-1334-RIPE   SA0XLR+46 705 989668
> CHUBBY CHECKER just had a CHICKEN SANDWICH in downtown DULUTH!
>