Re: Rate of growth on IPv6 not fast enough?
> > > > > I'm just saying it's one valid > > security issue with using any sort of globally unique IP address (v4 > > or v6), in that analyzing a bunch of traffic from a particular > > netblock would allow one to build a topology map. It's easier with > > IPv6 since you can presume most if not all addresses are on /64s out > > of a /48 (so look to the fourth quad for the "subnet ID"). > > I understand and totally agree. > > Obviously if someone is super concerned with revealing this sort of > > info there are other things besides NAT they can do, such as using a > > proxy server(s) for various internet applications, transparent > > proxies, etc. But it is a valid security concern for some. > > Could not agree more which is why I stated that there are other ways of > accomplishing the "hiding internal topology" using other methodologies. > NAT/PAT has caused me many headaches which is why I am so opposed to using > it. > > Also, is that your real name? ;-) > No, but this list is great for buying and selling clue. In today's market, clue is equivalent to gold. :)
Re: Rate of growth on IPv6 not fast enough?
> But none of this does what NAT does for a big enterprise, which is > to *hide internal topology*. Yes, addressing the privacy concerns > that come from using lower-64-bits-derived-from-MAC-address is > required, but it is also necessary (for some organizations) to > make it impossible to tell that this host is on the same subnet as > that other host, as that would expose information like which host > you might want to attack in order to get access to the financial > or medical records, as well as whether or not the executive floor > is where these interesting website hits came from. > > Matthew Kaufman > Yeh that information leak is one reason I can think of for supporting > NAT for IPv6. One of the inherent security issues with unique > addresses I suppose.

What makes you think that not using NAT exposes internal topology?? I have many cases where either filtering at layer-2 or NAT'ing a /48 for itself (or proxy-arp for those that do not have kits that can NAT IP blocks as itself) does NOT expose internal topology. Get your filtering correctly setup, and there is no use for NAT/PAT in v6. NAT was designed with one purpose in mind: extending the life of v4... period! The so called security that most think NAT gives them is a side effect. NAT/PAT also breaks several protocols (PASV FTP, H.323, etc) and I for one will be happy to see it go. I think it's a mistake to include NAT in v6 because there are other methodologies of accomplishing all of the side effects that everyone is used to seeing NAT provide without having to actually translate IPs or ports. I for one (as well as a lot of other folks I know) am not/will not be using any kind of NAT moving forward.
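As an added illustration of the lower-64-bits-derived-from-MAC-address concern raised in this thread (example code written for this page, not from anyone posting above): a small Python audit that takes an inventory of IPv6 addresses, pulls out the subnet ID in the fourth hextet, and flags addresses whose interface identifier is a modified EUI-64 (the 0xfffe marker in the middle of the low 64 bits), recovering the embedded MAC so an operator can see which of their own hosts should be moved to privacy addresses or DHCPv6. The addresses in SAMPLE_ADDRESSES are constructed documentation addresses.

```python
import ipaddress

# Constructed sample inventory (not from the thread): two EUI-64 derived
# addresses and one statically / DHCPv6 assigned address.
SAMPLE_ADDRESSES = [
    "2001:db8:1:10:211:22ff:fe33:4455",   # EUI-64 from MAC 00:11:22:33:44:55
    "2001:db8:1:20:3e4a:92ff:fe1b:7c0d",  # EUI-64 from MAC 3c:4a:92:1b:7c:0d
    "2001:db8:1:10::53",                  # not EUI-64 (static or DHCPv6 style)
]


def interface_id(addr):
    """Lower 64 bits (the interface identifier) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def subnet_id(addr):
    """Fourth hextet: the subnet ID under a /48, as the thread describes."""
    return (int(ipaddress.IPv6Address(addr)) >> 64) & 0xFFFF


def is_eui64(addr):
    """True when bits 24-39 of the IID carry the 0xfffe marker that a
    modified EUI-64 inserts between the two halves of the MAC address."""
    return (interface_id(addr) >> 24) & 0xFFFF == 0xFFFE


def mac_from_eui64(addr):
    """Recover the MAC embedded in an EUI-64 IID, or None if there is none.
    The U/L bit (0x02 of the first octet) was flipped on the way in, so
    flip it back."""
    if not is_eui64(addr):
        return None
    iid = interface_id(addr)
    hi = (iid >> 40) & 0xFFFFFF      # first three MAC octets
    lo = iid & 0xFFFFFF              # last three MAC octets
    octets = [
        ((hi >> 16) & 0xFF) ^ 0x02,
        (hi >> 8) & 0xFF,
        hi & 0xFF,
        (lo >> 16) & 0xFF,
        (lo >> 8) & 0xFF,
        lo & 0xFF,
    ]
    return ":".join(f"{o:02x}" for o in octets)


def audit(addresses):
    """One record per address: subnet ID, whether the IID leaks a MAC, and which."""
    return [
        {
            "address": a,
            "subnet_id": subnet_id(a),
            "eui64": is_eui64(a),
            "mac": mac_from_eui64(a),
        }
        for a in addresses
    ]


if __name__ == "__main__":
    for rec in audit(SAMPLE_ADDRESSES):
        flag = f"MAC-derived ({rec['mac']})" if rec["eui64"] else "ok"
        print(f"{rec['address']:40} subnet 0x{rec['subnet_id']:04x}  {flag}")
```

Run over your own address inventory or neighbour-cache dumps, the `eui64` column is the list of hosts still exposing hardware addresses; the `subnet_id` column shows how much of the addressing plan is readable from the addresses alone, which is the point Matthew makes above.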
Re: small site multi-homing (related to: Small guys with BGP issues)
I think you're missing my point and did not read my post completely. First off, BGP was never mentioned in my post. By the time these 'dreamers' want to announce a /29 to multiple providers and have everyone accept them with this new light weight protocol you speak about, there will hopefully be no /29's (as in v4 host sub-nets) as I dream that IPv4 will be a forgotten protocol by the time BGP is replaced by this magical protocol that does not exist in any form as today. If I accept a /29 for the minority and pass that prefix along to the next provider, I have to accept it for the majority and pass them along to the next provider. And these 500 companies you speak about, the other blocks given back to would be hashed back out which WOULD still increase prefixes in the global table as they want to advertise their /29's. I agree that it would save v4 space right now for those who wouldn't announce the remainder /29's, but you're thinking short term as we all know that v4 space has out-welcomed its stay (thank you NAT). Yes, it will run parallel for 3, 5, maybe 7 years until enough folks get a clue and make the switch to v6, but in the end, v4 will go away. Having all that said, I am not knocking the 'dreamers' out there one bit. I encourage new ideas to help solve issues that we've discussed in this very thread. But at this point, there's more dreaming than solutions and revenue. And de-aggregation is one of the biggest problems with global routing today. Add v6 and the possibility of /48's being permitted into the global table, and most folks with a router from any vendor today couldn't support a full global table. I'll stop my rant at that, but again, I'm not knocking the dreamers. I'm just having to deal with more problems that don't have valid solutions today.
Clue

On Tue, Nov 3, 2009 at 12:21 PM, Dave Israel wrote: > > Clue Store wrote: > > Well you and the rest of these so called "dreamers" can help with the > > purchase of my new routers that don't exist yet to support you wanting to > > multi-home a /29 and have the rest of the Internet world hold all of > these > > said /29's in their tables. Most folks who get a /29's don't care how > they > > get to and from the internet, they just want to always be able to get > there. > > TE at that granular of a level is not needed. So in other words, you and > the > > rest of the world of these dreamers can keep dreaming, because I doubt > any > > sensible ISP would accept and pass along anyone announcing /29's and > > then there's V6, which I won't even get started on. Most ISP's are having > a > > hard time holding 300k ipv4 routes as of today, and you want to > de-aggregate > > even farther?? > > > > It's clear that you have some impatience with deaggregation, and with > cause. However, there are a few flaws in your position. The first is > that you contradicted yourself. If most folks who get a /29 don't care > how they get to and from the Internet, then there won't be a flood of > new /29s. It is the minority who do care how they get to and from the > Internet who will be adding routes. Currently, they are doing so by > getting more address space than they need assigned, so as to have a > block large enough to be heard. If 500 companies are currently > announcing /24s to be heard, but could be moved to /29s, then you still > have 500 route announcements. You just have a lot less waste. > > The second is that you said "BGP." Mike didn't say BGP. He said he was > dreaming of the future. That future could easily include a lightweight > multihoming protocol, something that informs interested parties of > presence on multiple networks, or allows for extremely fast > reconvergence, so that a second route need only join the routing table > when needed.
> And he's right; if I want to change my name to Joe, grab a > sixpack, build a rack in my kitchen, and pay two providers for service, > it isn't unreasonable to want an infrastructure that supports my > configuration. > > We shouldn't dismiss a dreamer's dream because it is hard, or we can't > do it right now with what we have. The desire to do what is not > currently possible is the source of innovation, and we shouldn't shoot > down innovation because it sounds hard and we don't like it. > > -Dave > > >
Re: small site multi-homing (related to: Small guys with BGP issues)
Well you and the rest of these so called "dreamers" can help with the purchase of my new routers that don't exist yet to support you wanting to multi-home a /29 and have the rest of the Internet world hold all of these said /29's in their tables. Most folks who get a /29's don't care how they get to and from the internet, they just want to always be able to get there. TE at that granular of a level is not needed. So in other words, you and the rest of the world of these dreamers can keep dreaming, because I doubt any sensible ISP would accept and pass along anyone announcing /29's and then there's V6, which I won't even get started on. Most ISP's are having a hard time holding 300k ipv4 routes as of today, and you want to de-aggregate even farther??

Clue

On Tue, Nov 3, 2009 at 10:11 AM, Mike wrote: > > Small-site multi-homing is one of the great inequities of the Internet > and one that can, and should, be solved. I envision an Internet of the > future where anyone with any mixture of any type of network connections can > achieve, automatically, provider independence and inbound/outbound load > sharing across disparate links. Gone is the built in hostage situation of > having to either use your provider assigned IP's (>99% of internet connected > sites today), or the quantum leap of being an AS with PI space (and the > associated technical baggage to configure and manage that beast). End users > should have the power to dictate their own routing policies and not suffer > thru 'damping', 'urpf', or other policies imposed on how or when their > packets come and go. So if you want to use 2 dsl lines and a CDMA modem, or > a satellite and a fiber, or 27 dial up modems and a T1, you should be able > to do that and the network should work with you to deliver your packets no > matter where 'you' connect or how.
> > What it's gonna take is new routing paradigms and new thinking about the > role of providers and users and a lowering of the barriers between these two > for more cooperation in the overall structure of the network. Just like > classful addressing giving way to cidr, I believe hierarchical routing will > give way to truly dynamic routing where all participants have equal > capabilities over their own domain with no one (or group) of 'providers' > having any more or less influence on global reachability for any 'users' who > choose to go their own way, and I expect that to be an easy (or even > default) choice in the future. > > You may say I'm a dreamer, but I'm not the only one. I hope some day > you'll join us, and the world will live as one. > > > > What is the issue here, that your DSL provider won't speak BGP with you >>> no matter how many times you've asked, so you're complaining to NANOG >>> about it because you don't have the ability or authority to change >>> providers? Please correct me if I'm reading this wrong, but the emails >>> so far haven't been very clear and this isn't making a lot of sense. >>> >>> > >
Re: ISP port blocking practice
> > > > Blocking port 25 is not, IMHO, a violation of Network Neutrality. I > explained why in a very long, probably boring, post. Your definition of > Network neutrality may differ. Which is fine, but doesn't make mine wrong. > > > > -- > TTFN, > patrick > > >

I agree with this. I would think that from an administrator's/engineer's perspective, it's more of being proactive to help protect the network, the end-user and help keep SLA's (keep from getting listed on an RBL because of a non-patched or virus-infected PC, not wasting network resources due to SPAM, trying to keep your own house clean, etc) more than it is an attack on Net Neutrality. But on the other hand, the end-user, customer, or whoever is having a port blocked, might wonder about the services they are buying and if it's time to jump ship to another provider if they aren't willing to work with the customer. I think that most providers are willing to work with the customer if ports such as SMTP need to be unblocked for whatever reason. If they aren't, then I would suggest finding another provider.

Clue
Re: IPv6 Deployment for the LAN
>Since the goal for this initial wave is to make IPv6 available to >those who request it or have a need for it, we feel it's acceptable >that there will need to be some user participation in enabling IPv6 >for a host.

To me, from a small ISP perspective, this is where the largest dilemma is: what 'vendor' is already deploying end user equipment that is ipv6 ready?? Then there's the 'delivering the customer' their ipv6 block (hopefully alongside their ipv4 block). Dual stack seems the way to go... To me, there's still a lot of wiggle room on how this should be deployed to the absolute edge. What's folks' experience in rolling this out to the customer ... be it DHCP or SLAAC?? Also from a BBA perspective??

On Sat, Oct 17, 2009 at 7:55 PM, Ray Soucy wrote: > Looking for general feedback on IPv6 deployment to the edge. > > As it turns out delivering IPv6 to the edge in an academic setting has > been a challenge. Common wisdom says to rely on SLAAC for IPv6 > addressing, and in a perfect world it would make sense. > > Given that historically we have relied on DHCP for a means of NAC and > host registration, like many academic institutions, the idea of > sweeping changes to accommodate IPv6 was just not going to happen in > the near future. > > The only solution that lets us expand our roll out IPv6 to the edge > without major changes to the production IPv4 network seems to point to > making use of DHCPv6, so the effort has been focused there. > > Our current IPv6 allocation schema provides for a 64-bit prefix for > each network. Unfortunately, this enables SLAAC; yes, you can > suppress the prefix advertisement, and set the M and O flags, but that > only prevents hosts that have proper implementations of IPv6 from > making use of SLAAC. The concern here is that older hosts with less > than OK implementations will still enable IPv6 without regard for the > stability and security concerns associated with IPv6.
> > Needless to say, the thought of being able to enable IPv6 on a > per-host basis is met with far less resistance than opening up the > floodgates and letting SLAAC take control. > > Ultimately, the best solution that I've been able to come up with is > to preserve the IPv6 allocation schema and reserve a 64-bit prefix for > each network, but for the initial deployment use an 80-bit one in its > place with the extra 16 bits given a value of 1. The advantages of > this: Guarantee that SLAAC will not be initiated for the prefix; > Allow for a migration path to 64-bit prefixes in the future; and, Make > it easy to identify a network that is making use of an 80-bit prefix > by setting the extra bits to a value of 1. > > This allows us to be fairly confident that extending IPv6 to edge > networks will not impact production services, and focus on DHCPv6 for > host configuration and address assignment. > > We have no problem using a 64-bit prefix and letting SLAAC take care > of addressing for certain networks where we actually manage the hosts, > so that has been included as an exception. All other networks, > however, will make use of DHCPv6 or manual configuration to receive > native IPv6. > > So far, this has proven to work well with testing of various hosts and > applications. > > Has anyone run into issues with applications in not using a 64-bit prefix? > > Of course, the other challenge here is proper DHCPv6 client > implementations for host operating systems. Linux, Windows Server > 2003 and later, Windows Vista, and Windows 7 all support DHCPv6. > Windows XP has a poor implementation of IPv6 but has the option of > using Dibbler or some other 3rd party DHCPv6 client. Mac OS X is a > challenge; it currently has no option for DHCPv6, though newer > releases provide for manual configuration of IPv6 addressing. > > Does anyone know if Apple has plans to release a DHCPv6 client for Mac OS > X?
> > Since the goal for this initial wave is to make IPv6 available to > those who request it or have a need for it, we feel it's acceptable > that there will need to be some user participation in enabling IPv6 > for a host. I think the hope is that more systems, like Windows 7, > will begin including mature DHCPv6 clients which are enabled when the > M flag for a router advertisement is set and perhaps make it the > default behavior. Is this likely to happen or am I being too > optimistic? > > Anyway, just thought I'd bounce it to NANOG and get some feedback. > > -- > > Ray Soucy > Communications Specialist > > +1 (207) 561-3526 > > Communications and Network Services > > University of Maine System > http://www.maine.edu/ > >
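The 80-bit prefix scheme Ray describes, worked through as added example code (written for this page, not taken from the University of Maine deployment or from anyone in the thread): reserve the /64 per network, carve the deployment /80 out of it with the extra 16 bits set to 1, check whether a given prefix would let a host run SLAAC, and recover the reserved /64 for the later migration. The prefixes used are constructed documentation addresses; the marker value 1 is the one Ray gives.

```python
import ipaddress

# The value Ray's scheme puts in the 16 bits between the /64 and the /80.
MARKER = 1


def reserved_64(prefix):
    """The allocation-schema prefix: must be exactly a /64 with no host bits set."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError(f"expected a /64 reservation, got /{net.prefixlen}")
    return net


def deployment_80(prefix, marker=MARKER):
    """Carve the initial-deployment /80 out of the reserved /64.
    Bits 64-79 of the address (bits 48-63 counted from the low end) get `marker`."""
    net = reserved_64(prefix)
    if not 0 <= marker <= 0xFFFF:
        raise ValueError("marker must fit in 16 bits")
    base = int(net.network_address) | (marker << 48)
    return ipaddress.IPv6Network((base, 80))


def slaac_eligible(prefix):
    """SLAAC only forms addresses for an on-link prefix of exactly 64 bits,
    which is why an /80 keeps even sloppy IPv6 stacks from autoconfiguring."""
    return ipaddress.IPv6Network(prefix).prefixlen == 64


def is_marked_80(prefix, marker=MARKER):
    """Identify a network that is on the interim /80 scheme by its marker bits."""
    net = ipaddress.IPv6Network(prefix)
    return net.prefixlen == 80 and ((int(net.network_address) >> 48) & 0xFFFF) == marker


def parent_64(prefix):
    """Migration path: the reserved /64 that a deployment /80 was carved from."""
    return ipaddress.IPv6Network(prefix).supernet(new_prefix=64)


def plan(reservations, marker=MARKER):
    """Map each reserved /64 to the /80 actually advertised during the first wave."""
    return {str(reserved_64(r)): str(deployment_80(r, marker)) for r in reservations}


if __name__ == "__main__":
    # Constructed reservations, one per edge network.
    for res, dep in plan(["2001:db8:1:10::/64", "2001:db8:1:20::/64"]).items():
        print(f"{res:22} -> {dep:24} slaac={slaac_eligible(dep)} "
              f"marked={is_marked_80(dep)} parent={parent_64(dep)}")
```

The `slaac_eligible` check is the whole reason for the scheme: the RA still carries the /80, but a host cannot append a 64-bit interface identifier to an 80-bit prefix, so only DHCPv6 or manual configuration produces an address. Moving a network later is `parent_64` plus a change of the advertised prefix length.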
OT: iPhone Problems
Mine's rebooted at least 3 times a day since the upgrade :( Whatever happened to quality control?

http://discussions.apple.com/thread.jspa?threadID=2152619&tstart=0
Re: Cogent leaking /32s?
Yes, I absolutely love the /24 filtering "everybody" does. Internet littering at its best. http://thyme.apnic.net/current/data-badpfx-nos

Clue

On Fri, Oct 2, 2009 at 10:36 AM, Mikael Abrahamsson wrote: > On Fri, 2 Oct 2009, ML wrote: > > I received an alert from Cyclops telling me a probe in AS513 had seen a /32 >> that I announce to Cogent for one of our BGP sessions. >> >> Did anyone else see this? >> > > Are you relying on the /24 filtering "everybody" does, or did you announce > it to them with NO-EXPORT set? > > -- > Mikael Abrahamsson email: swm...@swm.pp.se > >
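A minimal inbound prefix-length filter of the kind the /24 filtering remark above refers to, as an added Python example (written for this page, not anyone's production route policy). It also covers the /29 multi-homing argument earlier in this archive, since these are exactly the filters a /29 announcement falls to. Announcements longer than /24 for IPv4 or /48 for IPv6, or falling inside a small bogon list, are rejected with a reason; the sample announcements and the bogon list are constructed and deliberately short.

```python
import ipaddress

# Longest prefix accepted from a peer, per address family (common operator practice).
MAX_PREFIXLEN = {4: 24, 6: 48}

# Constructed bogon list: a couple of ranges nobody should hear from a peer.
BOGONS = [ipaddress.ip_network(b) for b in ("10.0.0.0/8", "192.168.0.0/16", "fc00::/7")]

# Constructed sample announcements from a peer session (not from the thread).
SAMPLE_ANNOUNCEMENTS = [
    "198.51.100.0/24",        # fine
    "198.51.100.64/29",       # the multi-homed /29 from the small-site thread
    "203.0.113.7/32",         # a leaked host route
    "2001:db8:1234::/48",     # fine
    "2001:db8:1234:5::/64",   # a v6 subnet that should never leave the site
    "10.0.0.0/8",             # RFC 1918, bogon
]


def evaluate(prefix, bogons=BOGONS, max_len=MAX_PREFIXLEN):
    """Return ('accept' | 'reject', reason) for one announced prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    for bogon in bogons:
        if net.version == bogon.version and net.subnet_of(bogon):
            return "reject", f"bogon (inside {bogon})"
    limit = max_len[net.version]
    if net.prefixlen > limit:
        return "reject", f"/{net.prefixlen} longer than /{limit}"
    return "accept", "ok"


def filter_announcements(prefixes, **kwargs):
    """Split a list of announcements into accepted and rejected (prefix, reason) pairs."""
    accepted, rejected = [], []
    for p in prefixes:
        verdict, reason = evaluate(p, **kwargs)
        (accepted if verdict == "accept" else rejected).append((p, reason))
    return accepted, rejected


def table_growth(prefixes, **kwargs):
    """How many routes this session would add to the table after filtering."""
    accepted, _ = filter_announcements(prefixes, **kwargs)
    return len(accepted)


if __name__ == "__main__":
    ok, dropped = filter_announcements(SAMPLE_ANNOUNCEMENTS)
    for p, why in ok:
        print(f"accept {p:24} {why}")
    for p, why in dropped:
        print(f"reject {p:24} {why}")
    print(f"{table_growth(SAMPLE_ANNOUNCEMENTS)} routes installed")
```

Note what the filter does not do: it says nothing about whether the /32 was tagged NO-EXPORT, which is Mikael's question above. The length limit is the backstop for the case where it was not, and the reason string is what you want in the log when a customer asks why their /29 is invisible.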
Re: OSPF vs IS-IS vs PrivateAS eBGP
> Am I alone in my view that BGP is _far_ more simple and > straight-forward than OSPF >that ospf has become exceedingly complex, and all that results thereof.

I couldn't agree more. Most of my staff are still under the impression in Cisco land that the "network 10.0.0.0 255.255.255.0" statement injects that network into OSPF, when it simply turns on OSPF for the interfaces that are in that network. I'm really glad to see that Cisco made this change in OSPFv3 for v6.

Clue

On Thu, Aug 20, 2009 at 6:52 PM, Randy Bush wrote: > > Am I alone in my view that BGP is _far_ more simple and > > straight-forward than OSPF > > this is a very telling statement in a number of ways. > > that ospf has become exceedingly complex, and all that results thereof. > > that both are known for their complexity. > > randy > >
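The point about the OSPF `network` statement, as an added worked example (written for this page, not a Cisco tool or anyone's config): on IOS the statement takes a wildcard mask (the inverse of a subnet mask, so 0.0.0.255 rather than 255.255.255.0) and selects the interfaces whose address matches; what gets advertised is each selected interface's own connected prefix at the interface's own mask, not the range in the statement. The interface inventory below is constructed.

```python
import ipaddress

# Constructed interface inventory (name -> interface address), not from the thread.
INTERFACES = {
    "Gi0/0": "10.0.0.1/24",
    "Gi0/1": "10.0.1.1/24",
    "Gi0/2": "192.0.2.1/30",
    "Lo0":   "10.255.255.1/32",
}


def wildcard_match(ip, network, wildcard):
    """IOS wildcard semantics: a 0 bit in the wildcard means 'must match',
    a 1 bit means 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


def ospf_enabled_interfaces(network, wildcard, interfaces=INTERFACES):
    """Interfaces that `network <network> <wildcard> area N` turns OSPF on for."""
    return sorted(
        name for name, addr in interfaces.items()
        if wildcard_match(addr.split("/")[0], network, wildcard)
    )


def advertised_prefixes(enabled, interfaces=INTERFACES):
    """What the router actually originates: the connected prefix of each enabled
    interface, at that interface's mask. The statement's range itself is never
    injected as a route."""
    return sorted(str(ipaddress.ip_interface(interfaces[n]).network) for n in enabled)


if __name__ == "__main__":
    for network, wildcard in (("10.0.0.0", "0.0.0.255"), ("10.0.0.0", "0.255.255.255")):
        enabled = ospf_enabled_interfaces(network, wildcard)
        print(f"network {network} {wildcard} area 0")
        print(f"  enables : {enabled}")
        print(f"  advertises: {advertised_prefixes(enabled)}")
```

The second statement in the usage makes the misconception visible: `network 10.0.0.0 0.255.255.255` does not advertise 10.0.0.0/8; it enables OSPF on three interfaces and advertises two /24s and a /32.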
Re: OSPF vs IS-IS vs PrivateAS eBGP
Thanks again for all of the replies on and off list. As I stated earlier, I did not think IGP was the protocol of choice for running to customers, I've just been to many different houses that do actually do this. 99% of all of our customer CPE is not managed by the customer, so that leaves it up to me to decide what to run to them. The only issue with using ebgp is getting enough of my staff that actually understand bgp to the point where they can deploy it themselves without having to get me involved on every install. I think I can make this pretty cookie-cutter config to start off and then work from there. We are moving to a new NOC so this network will get a fresh start (new 7513-sup720, few m10i's, and a dozen or so 7200vxr's). So my deployment strategy will be ebgp with multi-homed customers. I just had to poke the fire so I had some ammo for upper management when they ask why I decided to go ebgp. And yes Philip, I actually have many of those presentations saved on my drive as they were all for naught ;) Once again, thanks all for the replies.

Clue

On Thu, Aug 20, 2009 at 8:26 AM, Philip Smith wrote: > Clue Store said the following on 20/8/09 01:12 : > > > > I know this has been discussed probably many times on this list, but I > was > > looking for some specifics about what others are doing in the following > > situations. > > Discussed on list, presented in tutorials, how much more advice is > actually required? ;-) > > > I would like to run an IGP (currently OSPF) to our customers that are > > multi-homed > > Several have replied saying "don't ever do this". The I in IGP stands > for "interior" - which means "inside" your network, which does not mean > "outside" your network. For the latter, we have BGP - if BGP for some > reason seems too hard, check out the NANOG tutorials on the subject. > > Good luck! > > philip > -- >
Re: OSPF vs IS-IS vs PrivateAS eBGP
Thanks for all the replies so far. Just to clarify, I am in the small ISP/Hosted services business. I was fortunate to inherit the current setup of OSPF to the multi-homed customers. As I stated earlier, I would like to run an IGP; what I really meant was I would like to run a routing protocol that gives me most control as well as the customer and that scales. I am not dead set on running an IGP as IGP in my mind refers to MY internal gateways, and not my customers' gateways. eBGP with Private AS is what I would like to go with, but I have had some in the industry say this is not as good as running an IGP with the customer. However, I disagree, but from the looks, this really might just come down to whatever protocol I'm comfortable with and making sure that it is configured in the correct manner for my situation. As far as my internal connections, I think I will be migrating to IS-IS, but this is not the point of my message to the list, as I am more concerned about customer connections. Keep the opinions coming guys.

Clue

On Wed, Aug 19, 2009 at 12:01 PM, Nick Hilliard wrote: > On 19/08/2009 16:12, Clue Store wrote: > >> I would like to run an IGP (currently OSPF) to our customers that are >> multi-homed in a non-mpls environment. >> > > Unless you want your customers to have very substantial control over your > internal network, don't use an SPF IGP like ospf or is-is. You really want > to use BGP for this and private ASNs are fine - that's what they are there > for. > > Nick > >
Re: OSPF vs IS-IS vs PrivateAS eBGP
Sorry, not OSPFv3. IPv6 thoughts dancing in my head. OSPF-VRF as most of you probably interpret.

On Wed, Aug 19, 2009 at 10:12 AM, Clue Store wrote: > Hi All, > > I know this has been discussed probably many times on this list, but I was > looking for some specifics about what others are doing in the following > situations. > > I would like to run an IGP (currently OSPF) to our customers that are > multi-homed in a non-mpls environment. They are multi-homed with small > prefixes that are SWIPped from my ARIN allocations. OSPF has been flaky at > best under certain conditions and I am thinking of making the move to IS-IS. > I have also seen others going to private AS and running eBGP. This seems a > bit much, but if it works, I'd make the move to it as I like bgp the most > (all of the BGP knobs give me the warm and fuzzies :). > > I'd also like to see what folks are using in a MPLS network?? OSPFv3 or > IS-IS or right to MP-BGP and redist static from the CE to PE??? > > On and off list are welcome. I'll make a summary after I gather the info. > > Thanks, > Clue >
OSPF vs IS-IS vs PrivateAS eBGP
Hi All,

I know this has been discussed probably many times on this list, but I was looking for some specifics about what others are doing in the following situations. I would like to run an IGP (currently OSPF) to our customers that are multi-homed in a non-mpls environment. They are multi-homed with small prefixes that are SWIPped from my ARIN allocations. OSPF has been flaky at best under certain conditions and I am thinking of making the move to IS-IS. I have also seen others going to private AS and running eBGP. This seems a bit much, but if it works, I'd make the move to it as I like bgp the most (all of the BGP knobs give me the warm and fuzzies :). I'd also like to see what folks are using in a MPLS network?? OSPFv3 or IS-IS or right to MP-BGP and redist static from the CE to PE??? On and off list are welcome. I'll make a summary after I gather the info.

Thanks,
Clue
Akamai Support
Could someone from Akamai support unicast me off list please?? I have tried the usual support emails and numbers which usually have great response, but am having an issue getting someone to help me with a services problem. Sorry for the noise.

TIA
Max
Re: Geo Location and DNS
Thanks for the follow up. I admit I didn't search the archives ;) So this sux: there's really no way to fix this but contact as many geo location folks as possible and have them update. I can't even get to a lot of sites in the US because of this. UGH!!!

Max

On Fri, May 29, 2009 at 12:55 PM, Kaegler, Mike wrote: > We last went through this 30 days ago. > http://www.merit.edu/mail.archives/nanog/msg17619.html > -porkchop > > > On 5/29/09 1:50 PM, "Clue Store" wrote: > > > Hi All, > > I am having a hell of a time trying to figure out who it is I need to > > contact to get this fixed. I just got a new /21 allocation from ARIN and > am > > announcing it with no issues. I can ping anywhere and the planet can see > me. > > The issue I am having is that when I surf out on this new allocation, it > > sends me to sites as if I were in Canada. A google search is all things > > Canadian. Not that I have anything against Canadians, but I also cannot > surf > > to a lot of sites using various DNS servers (my own, 4.2.2.2, etc). Anyone > > have any clue where I can get this fixed?? > > > > > > TIA, > > Max > > > > -- > Michael Kaegler, TESSCO Technologies: Engineering, 410 229 1295 > Your wireless success, nothing less. http://www.tessco.com/ > >
Geo Location and DNS
Hi All,

I am having a hell of a time trying to figure out who it is I need to contact to get this fixed. I just got a new /21 allocation from ARIN and am announcing it with no issues. I can ping anywhere and the planet can see me. The issue I am having is that when I surf out on this new allocation, it sends me to sites as if I were in Canada. A google search is all things Canadian. Not that I have anything against Canadians, but I also cannot surf to a lot of sites using various DNS servers (my own, 4.2.2.2, etc). Anyone have any clue where I can get this fixed??

TIA,
Max