Can I do this in EVPN? (Multihome to more different CEs)

2023-02-08 Thread Simon Lockhart
All,

I have a bit of a networking design challenge, and I think EVPN is the right
answer, but despite spending the last week reading loads of resources about
it, I can't quite get my head around one aspect.

I'm trying to genericise the design a bit here, but what I've got is...

I have multiple layer two broadcast domains that I need to link together 
over a layer 3 network. The broadcast domains consist of multiple switches
carrying multiple vlans spanning multiple locations (think of it like a 
customer campus network).

I need to interconnect with each broadcast domain in two different locations.
(so two PEs to two CEs), and link it back to a datacentre in another city.

In the simple case, using EVPN, I see that I can run active-standby 
multihoming, configuring one ESI for the customer campus network. If one of my
PEs fails, or one of the customer CEs fails, then EVPN will fail over to the
other link.

However, the failure scenario I need to deal with is if a layer two link fails
between two locations within the customer campus, the two halves of the now
split broadcast domain still need to be able to communicate with the 
datacentre (but do not need to be able to communicate with each other).

Every example I can see for EVPN shows multihoming to a single CE, and I 
can't find anywhere an example which deals with a "split" ES.

Is there a solution to this problem?

Many thanks in advance,

Simon


Re: Yondoo provided router, has "password" as admin pw, won't let us change it

2023-02-08 Thread Jason R. Rokeach via NANOG
It’s been a while, but attacks that take advantage of this are (or at least
in the past have been) real.

https://blog.sucuri.net/2014/09/website-security-compromised-website-used-to-hack-home-routers.html
https://www.digitaltrends.com/web/javascript-malware-mobile/

I recall when this stuff first started to come out, leaning on RG vendors to
fix their firmware to make their default passwords unpredictable based on
information readily available on the LAN. In this case we’re not even
talking about taking action this sophisticated… It seems to me that, having
a customer willing and ready to secure themselves, preventing them from
doing so is wildly inappropriate.

On Wed, Feb 8, 2023 at 7:57 PM, Eric Kuhnke  wrote:

> I agree, but if we start listing every massive security vulnerability that
> can be found on the intra-home LAN in consumer-grade routers and home
> electronics equipment, or things that people operate in their homes with
> the factory-default passwords, we'd be here all month in a thread with 300
> emails.
>
> I'm sure this ISP will realize what a silly thing they did if and when some
> sort of worm or trojan tries a set of default logins/passwords on whatever
> is the default gateway of the infected PC, and does something like rewrite
> the IPs entered for DNS servers to send peoples' web browsing to
> advertising for porn/casinos/scams, male anatomy enlargement services or
> something.
>
> On Wed, Feb 8, 2023 at 3:28 PM William Herrin  wrote:
>
> > On Wed, Feb 8, 2023 at 2:36 PM Eric Kuhnke  wrote:
> > > I would hope that this router's admin "password" interface is only
> > > accessible from the LAN side.
> > > This is bad, yes, but not utterly catastrophic.
> >
> > It means that any compromised device on the LAN can access the router
> > with whatever permissions the password grants. While there are
> > certainly worse security vulnerabilities, I'm reluctant to describe
> > this one as less than catastrophic. Where there's one grossly ignorant
> > security vulnerability there are usually hundreds.
> >
> > Regards,
> > Bill Herrin
> >
> > --
> > For hire. https://bill.herrin.us/resume/






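A concrete check for the LAN-side exposure this thread is about (Bill's point that any compromised LAN device can use the password, and Eric's suggestion to actually try connecting to the admin interface): the following is an added Python example, not code from any of the list posters or from any CPE vendor. It tries a short list of factory-default credentials against a gateway's HTTP admin page and reports which ones are accepted. It assumes the admin UI uses HTTP Basic authentication (401 on failure, 200 on success); many consumer CPEs use a form-based login instead, which this check does not cover. The embedded FakeRouter, its port and its credentials are constructed so the check runs offline and are not any real device's firmware.

```python
"""Check whether a LAN gateway's HTTP admin interface accepts factory-default
credentials.

Added example for this thread, not code from any vendor or list poster.
Assumption: the admin UI answers HTTP Basic authentication. The FakeRouter
below is a constructed stand-in so the check can be exercised offline.
"""
import base64
import http.server
import threading
import urllib.error
import urllib.request

# Credentials commonly shipped on consumer CPE; extend for a specific vendor.
DEFAULT_CREDS = [("admin", "password"), ("admin", "admin"), ("admin", "")]


def _basic_header(user, password):
    """Build the value of an HTTP Basic 'Authorization' header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def make_fake_router(user, password):
    """Return a handler class for a constructed router that accepts exactly
    one user:password pair over Basic auth (test stand-in, not real firmware)."""
    expected = _basic_header(user, password)

    class FakeRouter(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == expected:
                self.send_response(200)
                body = b"<html><title>Router Admin</title></html>"
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="router"')
                body = b"Unauthorized"
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # silence per-request logging
            pass

    return FakeRouter


def start_fake_router(user, password):
    """Start the constructed router on 127.0.0.1:<ephemeral>; returns (server, port)."""
    server = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), make_fake_router(user, password))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def try_login(host, port, user, password, path="/", timeout=3.0):
    """True if the admin page accepts user:password via Basic auth,
    False if it answers 401/403. Other errors (unreachable host, 5xx) propagate."""
    req = urllib.request.Request(
        f"http://{host}:{port}{path}",
        headers={"Authorization": _basic_header(user, password)})
    # Bypass any proxy from the environment: we want to talk to the gateway itself.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status == 200
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return False
        raise


def audit_gateway(host, port=80, creds=DEFAULT_CREDS, path="/"):
    """Return the list of default credential pairs the gateway accepts."""
    return [(u, p) for (u, p) in creds if try_login(host, port, u, p, path)]


if __name__ == "__main__":
    # Demo against the constructed stand-in. To check a device you own, call
    # audit_gateway() with the gateway's LAN address (e.g. 192.168.1.1) and port 80.
    server, port = start_fake_router("admin", "password")
    try:
        print("accepted default credentials:", audit_gateway("127.0.0.1", port))
    finally:
        server.shutdown()
        server.server_close()
```

Run it from a host on the LAN against the gateway's own address. A non-empty result is the condition the thread describes: anything on the LAN, including malware on an infected PC or a web page driving the browser, can log in with the same pair. The same function run from outside the WAN address answers Eric's second question (whether the interface listens to the world at all), which the offline stand-in cannot simulate.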


Re: Yondoo provided router, has "password" as admin pw, won't let us change it

2023-02-08 Thread Eric Kuhnke
I agree, but if we start listing every massive security vulnerability that
can be found on the intra-home LAN in consumer-grade routers and home
electronics equipment, or things that people operate in their homes with
the factory-default passwords, we'd be here all month in a thread with 300
emails.

I'm sure this ISP will realize what a silly thing they did if and when some
sort of worm or trojan tries a set of default logins/passwords on whatever
is the default gateway of the infected PC, and does something like rewrite
the IPs entered for DNS servers to send peoples' web browsing to
advertising for porn/casinos/scams, male anatomy enlargement services or
something.



On Wed, Feb 8, 2023 at 3:28 PM William Herrin  wrote:

> On Wed, Feb 8, 2023 at 2:36 PM Eric Kuhnke  wrote:
> > I would hope that this router's admin "password" interface is only
> accessible from the LAN side.
> > This is bad, yes, but not utterly catastrophic.
>
> It means that any compromised device on the LAN can access the router
> with whatever permissions the password grants. While there are
> certainly worse security vulnerabilities, I'm reluctant to describe
> this one as less than catastrophic. Where there's one grossly ignorant
> security vulnerability there are usually hundreds.
>
> Regards,
> Bill Herrin
>
>
> --
> For hire. https://bill.herrin.us/resume/
>


Re: Yondoo provided router, has "password" as admin pw, won't let us change it

2023-02-08 Thread William Herrin
On Wed, Feb 8, 2023 at 2:36 PM Eric Kuhnke  wrote:
> I would hope that this router's admin "password" interface is only accessible 
> from the LAN side.
> This is bad, yes, but not utterly catastrophic.

It means that any compromised device on the LAN can access the router
with whatever permissions the password grants. While there are
certainly worse security vulnerabilities, I'm reluctant to describe
this one as less than catastrophic. Where there's one grossly ignorant
security vulnerability there are usually hundreds.

Regards,
Bill Herrin


-- 
For hire. https://bill.herrin.us/resume/


Re: Yondoo provided router, has "password" as admin pw, won't let us change it

2023-02-08 Thread Eric Kuhnke
I would hope that this router's admin "password" interface is only
accessible from the LAN side. It's not listening to the world for a login
with "password", right?  Have you port scanned its WAN interface and tried
connecting to it to see what's listening?

This is bad, yes, but not utterly catastrophic. Generally in a situation
where somebody has physical access to a home
Netgear/Linksys/TP-Link/whatever type router, they could physically push
the factory reset button and gain access to its admin interface to
reconfigure it however they wanted anyways.

I think there's a value for discussion in nanog about how to provision and
set up residential last mile services that work right, but this isn't
exactly a wider spread network operational issue unless you've discovered
thousands of CPEs that can be accessed by "password" from the outside
Internet.





On Tue, Feb 7, 2023 at 6:18 AM TACACS Macaque via NANOG 
wrote:

> Hi,
>
> Long time lurker, first time poster. Sorry in advance if this is the wrong
> forum for something like this.
>
> My mom's ISP (Yondoo) seems to be providing DOCSIS 3.1 CPE (Customer
> Premises Equipment) with a built-in router, without providing the ability
> to change the admin password from "password" on it.
>
> [image: Screenshot 2023-02-03 at 9.49.15 PM.png]
>
> [image: Screenshot 2023-02-03 at 9.51.51 PM.png]
>
> Their customer service rep said that this is not only WAI, but also wanted
> to charge her $50 to have a tech come out and change it. Which is obviously
> less than ideal.
>
> That aside, this seems like a pretty egregious security standard which,
> from my understanding, can have fairly dire security implications... e.g.,
> DNS server settings can be pointed at whatever someone wants here.
>
> My mom is elderly and had already fallen victim to a call center scammer a
> couple years ago. They briefly took control over her laptop before she
> called for backup. So I'm just a little concerned that we have no control
> over changing this router's admin password — from “password” — in a pinch,
> without waiting for a truck roll && shelling out $50.
>
> I've sent her a DOCSIS 3.1 modem that doesn't have a router built-in, in
> hopes that they'll let us bring our own. She does have Google Wifi, but we
> can't even put their router into bridge mode. So she would be double NATed
> *and* have no control over changing the admin password on the first
> router.
>
> Anyone have any experience with Yondoo? I've tried reaching out to them on
> multiple fronts, but have yet to hear back from them on this. A tech is
> scheduled to come out tomorrow, so the plan is to beg (bribe?) them to let
> us use our own modem and then take it from there.
>
> Thanks,
> Todd
>


Re: Yondoo provided router, has "password" as admin pw, won't let us change it

2023-02-08 Thread Collider
The first router would still be vulnerable, and through it the second router.

On 8 February 2023 16:06:07 UTC, Josh Luthman  
wrote:
>What's the problem with double NAT?  I can't imagine an elderly mom trying
>to host Xbox games - which is 95% of the problem with double NAT these days
>(the other 5% being Ubiquiti bros having to access their Unifi router from
>anywhere).
>
>Your screenshots didn't come through, I suspect it's stripped via the
>mailing list, but there's no model number specified anywhere.
>
>NANOG really isn't the best place for this, but I don't know where else you
>would be able to go besides what you've already done:  Yondoo support.
>
>On Tue, Feb 7, 2023 at 9:17 AM TACACS Macaque via NANOG 
>wrote:
>
>> Hi,
>>
>> Long time lurker, first time poster. Sorry in advance if this is the wrong
>> forum for something like this.
>>
>> My mom's ISP (Yondoo) seems to be providing DOCSIS 3.1 CPE (Customer
>> Premises Equipment) with a built-in router, without providing the ability
>> to change the admin password from "password" on it.
>>
>> [image: Screenshot 2023-02-03 at 9.49.15 PM.png]
>>
>> [image: Screenshot 2023-02-03 at 9.51.51 PM.png]
>>
>> Their customer service rep said that this is not only WAI, but also wanted
>> to charge her $50 to have a tech come out and change it. Which is obviously
>> less than ideal.
>>
>> That aside, this seems like a pretty egregious security standard which,
>> from my understanding, can have fairly dire security implications... e.g.,
>> DNS server settings can be pointed at whatever someone wants here.
>>
>> My mom is elderly and had already fallen victim to a call center scammer a
>> couple years ago. They briefly took control over her laptop before she
>> called for backup. So I'm just a little concerned that we have no control
>> over changing this router's admin password — from “password” — in a pinch,
>> without waiting for a truck roll && shelling out $50.
>>
>> I've sent her a DOCSIS 3.1 modem that doesn't have a router built-in, in
>> hopes that they'll let us bring our own. She does have Google Wifi, but we
>> can't even put their router into bridge mode. So she would be double NATed
>> *and* have no control over changing the admin password on the first
>> router.
>>
>> Anyone have any experience with Yondoo? I've tried reaching out to them on
>> multiple fronts, but have yet to hear back from them on this. A tech is
>> scheduled to come out tomorrow, so the plan is to beg (bribe?) them to let
>> us use our own modem and then take it from there.
>>
>> Thanks,
>> Todd
>>

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: Yondoo provided router, has "password" as admin pw, won't let us change it

2023-02-08 Thread Josh Luthman
What's the problem with double NAT?  I can't imagine an elderly mom trying
to host Xbox games - which is 95% of the problem with double NAT these days
(the other 5% being Ubiquiti bros having to access their Unifi router from
anywhere).

Your screenshots didn't come through, I suspect it's stripped via the
mailing list, but there's no model number specified anywhere.

NANOG really isn't the best place for this, but I don't know where else you
would be able to go besides what you've already done:  Yondoo support.

On Tue, Feb 7, 2023 at 9:17 AM TACACS Macaque via NANOG 
wrote:

> Hi,
>
> Long time lurker, first time poster. Sorry in advance if this is the wrong
> forum for something like this.
>
> My mom's ISP (Yondoo) seems to be providing DOCSIS 3.1 CPE (Customer
> Premises Equipment) with a built-in router, without providing the ability
> to change the admin password from "password" on it.
>
> [image: Screenshot 2023-02-03 at 9.49.15 PM.png]
>
> [image: Screenshot 2023-02-03 at 9.51.51 PM.png]
>
> Their customer service rep said that this is not only WAI, but also wanted
> to charge her $50 to have a tech come out and change it. Which is obviously
> less than ideal.
>
> That aside, this seems like a pretty egregious security standard which,
> from my understanding, can have fairly dire security implications... e.g.,
> DNS server settings can be pointed at whatever someone wants here.
>
> My mom is elderly and had already fallen victim to a call center scammer a
> couple years ago. They briefly took control over her laptop before she
> called for backup. So I'm just a little concerned that we have no control
> over changing this router's admin password — from “password” — in a pinch,
> without waiting for a truck roll && shelling out $50.
>
> I've sent her a DOCSIS 3.1 modem that doesn't have a router built-in, in
> hopes that they'll let us bring our own. She does have Google Wifi, but we
> can't even put their router into bridge mode. So she would be double NATed
> *and* have no control over changing the admin password on the first
> router.
>
> Anyone have any experience with Yondoo? I've tried reaching out to them on
> multiple fronts, but have yet to hear back from them on this. A tech is
> scheduled to come out tomorrow, so the plan is to beg (bribe?) them to let
> us use our own modem and then take it from there.
>
> Thanks,
> Todd
>


Re: [EXTERNAL]INC000026031132 RE: Lima, Ohio Spectrum Hop/Node Having Severe Packet Loss

2023-02-08 Thread Austin Ayers via NANOG
Thank you,

The IP of his gateway is 65.29.110.132 - as you can see it's having horrible 
ping times to go a few city blocks (56ms) in addition to the horrid drops.

I believe several tickets have been opened for his address too, 1718 Leland 
Ave. Lima, OH 45805

Thank you!
-Austin

From: NOC.AUS.NATL.BBN 
Sent: Tuesday, February 7, 2023 5:03 PM
To: Austin Ayers ; nanog@nanog.org 
Cc: NOC.AUS.NATL.BBN 
Subject: [EXTERNAL]INC26031132 RE: Lima, Ohio Spectrum Hop/Node Having 
Severe Packet Loss

All

I opened INC26031132 for our CBO-CSC team to review

Thank you,

James Wynn | Network Engineer III  |  Austin NOC  866.248.7662 option 2 option 5

13620-A North FM 620, Suite 200 | Austin, TX  78717

From: Austin Ayers 
Sent: Tuesday, February 7, 2023 3:53 PM
To: nanog@nanog.org
Cc: NOC.AUS.NATL.BBN 
Subject: [EXTERNAL] Re: Lima, Ohio Spectrum Hop/Node Having Severe Packet Loss

[image attachments]

From: Austin Ayers
Sent: Tuesday, February 7, 2023 4:46 PM
To: nanog@nanog.org
Cc: noc.aus.natl@charter.com
Subject: Lima, Ohio Spectrum Hop/Node Having Severe Packet Loss

Hello all,

One of my NetOps engineers resides in Lima, Ohio and they are receiving 
terrible bufferbloat, packet loss, and random disconnects.

I have been pinging 24.33.160.213 (Lima, OH Spectrum/Charter Node) and it's 
rejecting a ton of packets. This has been going on for weeks.

Node having problems: lag-1.limaohid01h.netops.charter.com

NOC seems like they don't care, same with OSP in the field.

There is no reason why this hop (#13) should have up to 613ms ping times.

Thank you,

Austin

[image attachment]


Re: LINX is down?

2023-02-08 Thread Elmar K. Bins
dmi...@interhost.net (Dmitry Sherman) wrote:

> Hello any problems with Linx?

I've seen an "At Risk" notice this morning, about some emergency fibre testing.
Our equipment is not affected, but other locations might be.

If you're a member, https://portal.linx.net/member/maintenance/1670

HTH,
Elmar.


LINX is down?

2023-02-08 Thread Dmitry Sherman
Hello any problems with Linx?

Dmitry