Re: QFX5k question

2019-03-23 Thread Paul S.
QFX5100 as an L3 router + L2 switch performed well for us in the past, I 
don't see why it'd fall over under <1G of traffic now.


You should be good to go.

On 3/24/2019 04:41 AM, Mehmet Akcin wrote:

Hey there,

I am trying to get my hands on some QFX5000s and I have a rather quick 
question.


In the past, I often used MX + EX, where the MX did routing and I connected 
all uplinks/peering to it, and the EX did switching, with my servers 
connected to the EX.


With QFX, I am trying to see if I need the EX or not. More importantly 
(besides what the Juniper papers say), are there any known issues 
people run into for a small-scale deployment? (100 Mbps-1 Gbps range, 1 
rack, 20 servers)


My plan is to have the QFX do it all, but I am worried this is too 
much for the QFX. If you have relevant experience with this, feel free to 
let me know.


thanks in advance

mehmet





Re: RTBH no_export

2019-02-03 Thread Paul S.
+1, exactly what we did. I also recommend implementing 
per-upstream/region blackhole communities (so your users can choose who 
to blackhole as they see fit.)


Often, DDoS traffic comes from regions that do not intersect with 
legitimate traffic.


On 2/4/2019 03:15 AM, Tom Hill wrote:

On 31/01/2019 20:17, Nick Hilliard wrote:

you should implement a different community for upstream blackholing.
This should be stripped at your upstream links and replaced with the
provider's RTBH community.  Your provider will then handle export
restrictions as they see fit.


This works wonderfully, from past experience. :)
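An added example, not part of the thread or anyone's posted config: the community handling Nick and Paul describe, modelled in Python so the decisions can be exercised. AS64500 as the local AS, the 64500:666x signalling communities, the 65001:666 / 65002:666 provider RTBH communities and the 192.0.2.0/24 and 2001:db8::/32 customer blocks are all assumptions; Route, import_from_customer and export_to_upstream are names chosen for the example. It also carries the check a practitioner wants before honouring a blackhole request: host routes only, and only inside the customer's own allocation, so a customer cannot blackhole someone else's addresses through you.

```python
"""Added example (not from the thread): model of the community handling
Nick Hilliard and Paul describe, for an assumed AS64500 with two upstreams.
Customers tag routes with our internal blackhole communities; locally the
route is installed with a discard next-hop; at each upstream link our
communities are stripped and replaced with that provider's own RTBH
community. All community values and customer blocks are assumptions."""
from dataclasses import dataclass, field
import ipaddress

OUR_AS = 64500                                  # assumed local ASN
NO_EXPORT = "65535:65281"                       # well-known NO_EXPORT

BH_LOCAL = f"{OUR_AS}:666"                      # drop inside our network only
BH_ALL_UPSTREAMS = f"{OUR_AS}:6660"             # drop at every upstream
BH_PER_UPSTREAM = {                             # per-upstream choice (assumed)
    f"{OUR_AS}:6661": "upstream-a",
    f"{OUR_AS}:6662": "upstream-b",
}
PROVIDER_RTBH = {                               # each provider's published tag (assumed)
    "upstream-a": "65001:666",
    "upstream-b": "65002:666",
}
BLACKHOLE_COMMS = {BH_LOCAL, BH_ALL_UPSTREAMS, *BH_PER_UPSTREAM}


@dataclass
class Route:
    prefix: str
    communities: set = field(default_factory=set)
    next_hop: str = "customer"


def _within(net, blocks):
    """True if net lies inside one of the customer's assigned blocks."""
    for b in blocks:
        blk = ipaddress.ip_network(b)
        if blk.version == net.version and net.subnet_of(blk):
            return True
    return False


def import_from_customer(route, customer_blocks):
    """Return the route as installed on our edge, or None if rejected."""
    requested = route.communities & BLACKHOLE_COMMS
    if not requested:
        return route                            # ordinary route; prefix-list applies elsewhere
    net = ipaddress.ip_network(route.prefix)
    # Only host routes, and only for space the customer actually holds.
    if net.prefixlen != net.max_prefixlen or not _within(net, customer_blocks):
        return None
    comms = set(requested)
    if requested == {BH_LOCAL}:
        comms.add(NO_EXPORT)                    # must never leave our AS
    return Route(route.prefix, comms, next_hop="discard")


def export_to_upstream(route, upstream):
    """Build the announcement for one upstream, or None to withhold it."""
    if NO_EXPORT in route.communities:
        return None
    if route.next_hop == "discard":
        wanted = BH_ALL_UPSTREAMS in route.communities or any(
            BH_PER_UPSTREAM.get(c) == upstream for c in route.communities)
        if not wanted:
            return None                         # blackholed via a different upstream
        # Strip our signalling; the provider sees only its own RTBH community
        # and applies its own export restrictions from there.
        return Route(route.prefix, {PROVIDER_RTBH[upstream]}, next_hop="discard")
    kept = {c for c in route.communities if not c.startswith(f"{OUR_AS}:")}
    return Route(route.prefix, kept, route.next_hop)


if __name__ == "__main__":
    blocks = ["192.0.2.0/24", "2001:db8::/32"]  # constructed customer allocation
    r = import_from_customer(Route("192.0.2.7/32", {f"{OUR_AS}:6661"}), blocks)
    print("installed:", r)
    for up in PROVIDER_RTBH:
        print(up, "->", export_to_upstream(r, up))
```

In a real deployment the same logic lives in router policy: an import term that matches the signalling communities, checks the prefix against the customer's prefix-list and sets next-hop discard, and one export policy per upstream that deletes 64500:* and adds that provider's community. The model only makes the accept/withhold decisions explicit and testable.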





Re: BGP Experiment

2019-01-23 Thread Paul S.

Replying to throw in my support behind continuing the experiment as well.

Assurance that my gear will NOT fall over under adversarial situations 
is paramount, thank you for the research that you're doing to ensure that.


Ben, you may wish to re-evaluate how "rock solid" [1] your networking 
truly is if you're being taken down by random BGP updates.


As others have noted, the right target to be angry at is your equipment 
vendor.


[1]: https://packet.gg/

On 1/24/2019 02:19 AM, Italo Cunha wrote:

Ben, NANOG,

We have canceled this experiment permanently.

On Wed, Jan 23, 2019 at 12:00 PM Ben Cooper wrote:


Can you stop this?

You caused again a massive prefix spike/flap, and as the internet
is not centered around NA (shock horror!) a number of operators in
Asia and Australia got affected by your "experiment" and had no idea
what was happening or why.

Get a sandbox like every other researcher; as of now we have
blackholed and filtered your whole ASN, and have recommended others do
the same.





Looking for a contact with clue at Choopa/Reliablesite network engineering

2017-10-13 Thread Paul S.

Hi nanog,

Choopa/reliablesite is announcing our IP space, and despite repeated 
requests from us, they are refusing to withdraw the announcements.


Can someone with clue from this contact me? Does anyone know someone at 
Choopa neteng?


Their abuse desk has so far proved useless.



Re: How to secure link between switches in Layer2

2017-03-25 Thread Paul S.

What exactly does "limited trust" mean?

Are you worried they might sniff the data on the link, or?

If so, macsec is really your only remedy.

On 3/25/2017 07:00 PM, Pedro wrote:

Hello,

Sometimes I have a situation where I have to extend my layer 2 (access, 
trunk mode) network to third parties with limited trust. Sometimes 
it's L2 MPLS links from an ISP (1x or 2x), sometimes it's just a colocated 
switch. Mostly they are Juniper EX4200/4300 or Cisco 3750. Below 
I put my config, but maybe I missed something important? Or should I 
correct something?


Thanks for help


1.
If two p2p links: aggregation with LACP

2.
STP/RSTP in portfast mode on access ports
STP/RSTP without portfast mode on trunk ports
RSTP root guard

3.
On ports facing servers, in portfast mode, BPDU guard
spanning-tree root guard

4.
Max number of MAC addresses, e.g. 100
per port per VLAN max MAC addresses

5.
802.1Q with VLANs, but not VLAN 1

6.
Broadcast storm control for BUM packets: 10 pps


7.
Static IPs - no DHCP servers/clients in VLANs

8.
CPU monitoring with notification in, e.g., Zabbix

9.
CDP disabled (if Cisco)
DTP disabled (if Cisco)

10.
Eventually a policer per port or per VLAN.



thanks in advance,
Pedro
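Added example, not from the thread and not anyone's posted config: a small Python checker that reads Cisco IOS-style interface stanzas and reports which items from Pedro's list are missing on each port, treating trunks as links toward the third party and access ports as server-facing. SAMPLE_CONFIG is constructed for the example; the command spellings (spanning-tree bpduguard enable, switchport nonegotiate, storm-control broadcast level pps, no cdp enable, switchport port-security maximum) are the common IOS forms and are assumptions for any particular platform and release, and nothing here looks at the Juniper side.

```python
"""Added example (not from the thread): audit Cisco IOS-style interface
stanzas against the L2 hardening checklist posted above. The config text
is constructed for the example; command spellings are assumptions."""

# Constructed sample: one hardened third-party trunk, one server port,
# one trunk left at defaults.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 description third-party L2 link (hardened)
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
 switchport port-security maximum 100
 switchport port-security
 spanning-tree guard root
 storm-control broadcast level pps 10
 no cdp enable
!
interface GigabitEthernet1/0/2
 description server
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/3
 description second third-party link, still at defaults
 switchport mode trunk
 spanning-tree portfast trunk
!
"""


def parse_interfaces(config_text):
    """Map interface name -> list of its (stripped) config lines."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif not line.startswith(" "):
            current = None          # "!" or a global command ends the stanza
        elif current is not None:
            interfaces[current].append(line.strip())
    return interfaces


def audit_interface(lines, cdp_off_globally=False):
    """Return the list of checklist items missing on one interface."""
    def has(prefix):
        return any(l.startswith(prefix) for l in lines)

    findings = []
    if has("switchport mode trunk"):            # link toward the third party
        if has("spanning-tree portfast"):
            findings.append("portfast enabled on trunk")
        if not has("spanning-tree guard root"):
            findings.append("no root guard")
        if not has("switchport port-security maximum"):
            findings.append("no MAC address limit")
        if not has("storm-control broadcast"):
            findings.append("no broadcast storm control")
        if not (cdp_off_globally or has("no cdp enable")):
            findings.append("CDP enabled")
        if not has("switchport nonegotiate"):
            findings.append("DTP negotiation enabled")
        native = [l.split()[-1] for l in lines
                  if l.startswith("switchport trunk native vlan")]
        if not native or native[-1] == "1":
            findings.append("native VLAN is 1")
    elif has("switchport mode access"):         # port facing a server
        if not has("spanning-tree portfast"):
            findings.append("no portfast on access port")
        if not has("spanning-tree bpduguard enable"):
            findings.append("no BPDU guard")
        if not has("spanning-tree guard root"):
            findings.append("no root guard")
        if not has("switchport port-security"):
            findings.append("no port-security")
    return findings


def audit_config(config_text):
    """Audit every interface; returns {interface: [findings]}."""
    cdp_off = any(l.strip() == "no cdp run" for l in config_text.splitlines())
    return {name: audit_interface(lines, cdp_off)
            for name, lines in parse_interfaces(config_text).items()}


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "->", findings or "ok")
```

Run against a "show running-config" capture, the output is the list of ports that still need work; it deliberately flags a trunk that carries any form of portfast, since a third-party link is exactly where you want the switch to listen to BPDUs and let root guard act.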





Re: Two BGP peering sessions on single Comcast Fiber Connection?

2016-10-14 Thread Paul S.

+1, could not have said it better.

On 10/15/2016 01:47 AM, Leo Bicknell wrote:

In a message written on Thu, Oct 13, 2016 at 05:48:18PM, rar wrote:

The goal is to keep the single BGP router from being a single point of failure.

I don't really understand the failure analysis / uptime calculation.

There is one router on the Comcast side, which is a single point of
failure.

There is one circuit to your prem, which is a single point of failure.

To connect two routers on your end you must terminate the circuit
in a switch, which is a single point of failure.

And yet, in the face of all that somehow running two routers with
two BGP sessions on your end increases your uptime?

The only way that would even remotely make sense is if the routers
in question were horribly broken / mismanaged so (had to be?) reboot(ed)
on a regular basis.  However if uptime is so important using gear
with that property makes no sense!

I'm pretty sure without actually doing the math that you'll be more
reliable with a single quality router (elimination of complexity),
and that if you really need maximum uptime that you had better get
a second circuit, on a diverse path, into a different router probably
from a different carrier.





After a Korea Telecom / KT sales rep

2016-10-10 Thread Paul S.

Hi folks,

Looking for a Korea Telecom / KT sales rep for access into Korea *from* 
Hong Kong.


Leads so far have turned up empty over normal channels, anyone mind 
sharing their contacts?


Thanks!



Looking for a Seabone / Telecom Italia Sparkle rep

2016-07-04 Thread Paul S.

Hi guys,

Does anyone have any good Seabone / Telecom Italia Sparkle 
representatives whose contacts they don't mind passing along?


Looking for service in Asia, particularly Singapore and Hong Kong markets.

Having absolutely no luck with the standard sales channels, no one has 
gotten back to us. We've been trying for a while.


Thanks in advance!



Looking for a Singtel rep

2016-05-24 Thread Paul S.

Hi guys,

We're after a good Singapore Telecom (AS7473) sales rep. After some IP 
transit in the Singapore and Hong Kong markets.


Anyone have details that you wouldn't mind passing along?

Much appreciated!




Re: google search threshold

2016-02-29 Thread Paul S.
DO's SG range is allocated out of a single /64 (I think?) and Google 
basically asks for captcha on every single request over IPv6. :(


We're using it as a corporate vpn.

On 3/1/2016 01:49 AM, Keenan Tims wrote:

FWIW I have seen the captchas more often on IPv6 both from home and the office 
than when both networks were using a single shared IPv4; not sure if this is 
just related to chronology or a real effect. Once a month or so I seem to get 
them for a couple of days, then they go away.

No idea what's triggering it. It would be *really* helpful if Google could provide some useful 
technical details beyond a generic FAQ page. As it is I just get annoyed by it and have no way to 
troubleshoot or correct the constant false positives. How is Google detecting "robots"? 
My sense is that I tend to trigger the captcha thing when iterating similar search terms 
(particularly due to removal of the + operator and extremely poor "change my search terms 
because you think you know better than I do what I want to search for" behaviour). My search 
patterns haven't really changed since turning up IPv6 everywhere, so I have to think either the 
captcha trigger has gotten more aggressive, or somehow prefers to blacklist IPv6 users.

In any case, just going to IPv6 is definitely not a complete fix for this. It 
seems to be related to search behaviour and $blackbox_magic.

Keenan Tims
Stargate Connections

From: NANOG on behalf of Philip Lavine via NANOG
Sent: February 29, 2016 7:53 AM
To: Damian Menscher
Cc: nanog@nanog.org
Subject: Re: google search threshold

I have about 2000 users behind a single NAT. I have been looking at netflow, 
URL filter logs, IDS logs, etc. The traffic seems to be legit.

I am going to move more users to IPv6 and divide some of the subnets into 
different NATS and see if that alleviates the traffic load.
Thanks for the advice.
-Philip


From: Damian Menscher
To: Philip Lavine
Cc: nanog@nanog.org
Sent: Friday, February 26, 2016 6:05 PM
Subject: Re: google search threshold

On Fri, Feb 26, 2016 at 3:01 PM, Philip Lavine via NANOG wrote:

Does anybody know what the threshold for google searches is before you get the 
captcha? I am trying to decide if I need to break up the overload NAT to a pool.


There isn't a threshold -- if you send automated searches from an IP, then it 
gets blocked (for a while).

So... this comes down to how much you trust your machines/users.  If you're a 
company with managed systems, then you can have thousands of users share the 
same IP without problems.  But if you're an ISP, you'll likely run into 
problems much earlier (since users like their malware).
Some tips:
  - if you do NAT: try to partition users into pools so one abusive
    user can't get all your external IPs blocked
  - if you have a proxy: make sure it inserts the X-Forwarded-For header,
    and is restricted to your own users
  - if you're an ISP: IPv6 will allow each user to have their own /64,
    which avoids shared-fate from abusive ones

Damian (responsible for DDoS defense)
-- 
Damian Menscher :: Security Reliability Engineer :: Google :: AS15169






Re: Equipment Supporting 2.5gbps and 5gbps

2016-01-30 Thread Paul S.
>> I would kill for a 24-port 10GbE Juniper switch for ~$2,500. You 
can't even get a 24-port 1GbE for that.


EX4200s are abundant for much less on eBay (for the 24-port 1G requirement).

In the 10G space though, indeed, Juniper is expensive.

On 1/30/2016 05:03 PM, Jonas Bjork wrote:

Dear Mr. Carpenter,

Juniper is expensive. If you buy a new 48 x 10GbE/SFP+ fiber switch from an 
H3C-based vendor like Huawei, you get the whole unit for $10,000. All you need in 
addition to that are the lasers, and these will set you back a hundred bucks per 
port in case you select 1310nm SFP+ modules (SMF 80km duplex), rendering a 
total price of less than $300 per interface.

Best regards,

Jonas Bjork
ISP Senior Network Engineer



On 28 Jan 2016, at 19:35, Mike  wrote:




On 01/28/2016 10:29 AM, Randy Carpenter wrote:
I'd love to know what model Juniper you are getting for $102 per 10GbE port and 
where you are getting it. The lowest-end 10GbE switch is the EX4600, which 
lists at more like $850 per port. You can get higher-end ones with much larger 
port counts and get the cost/port down to about half that, but I can't imagine 
what you could be talking about for $102/port.

I would kill for a 24-port 10GbE Juniper switch for ~$2,500. You can't even get 
a 24-port 1GbE for that.

+1, me too!





Re: http://rtros.nop.hu/

2016-01-01 Thread Paul S.

I'm not sure if these URLs are supposed to resolve `-`

On 1/1/2016 05:51 PM, mate csaba wrote:



On 01/01/2016 09:40 AM, Randy Bush wrote:

opinions?

yep.  do not click on strange urls.


Never. And disable Flash! And activate the firewall.
this one http://fun.nop.hu/cisco-asa.jpg
or this one http://fun.nop.hu/firewall.png
in the following topology: http://fun.nop.hu/firewalls.png
cs





Re: Opinions on Cologix data centers?

2015-12-15 Thread Paul S.
I recommend them for everything other than the quality of their remote 
hands. They could do with some improvements in this department.


We have space at Cologix Dallas (within Infomart), and it's all fine. We 
run our own ASN too though, so no idea on the bandwidth side of things.


On 12/15/2015 06:12 AM, Oliver O'Boyle wrote:

I used/inherited them in Montreal after they bought out a series of colos.
The corporate management team is good and I would work with them again.
They saw themselves as partners and not just a vendor. The local DC
manager/team was honest and easy to work with and they were very
knowledgeable.

The quality of the facility and success of your projects depends in great
deal on what they bought and what stage they are at in upgrading it. In my
case, the original DC had some design issues they were battling with
related to the previous owner + unplanned growth that forced some poor
decisions. Cologix did, however, redesign everything and make some major
investments in the facility. We saw improvements come out every few months.

Oliver

On Mon, Dec 14, 2015 at 4:00 PM, David H  wrote:


Hello; was curious if anyone has opinions on Cologix?  Any aspect would be
of interest; management, financials, colo quality (power, a/c, etc).  The
specific facility I'm looking at is their Lakeland FL building which began
life under a company called Colo 5 that they purchased; it's only two years
old.  They seem to have been on a buying spree recently with other colo
buildings.

Thanks,

David








Re: Is RouteViews dead? Is there any alternatives?

2015-12-08 Thread Paul S.

RIPE stats also takes a feed similarly.

On 12/9/2015 01:24 AM, Kurt Kraut via NANOG wrote:

Hi,


For the past couple of months I've been attempting to add new Autonomous
Systems to the RouteViews project and got no response. Talking to other ASes
in my area, I wasn't able to find any new BGP operator that got a response
from them since July.

Is RouteViews dead? If the answer is yes, it is sad. It is the most used
resource about internet routing from multiple perspectives.

Is there any other similar project with which I could collaborate, providing the
point of view my routers have of the internet?


Best regards,


Kurt Kraut




Re: IPv6 Cogent vs Hurricane Electric

2015-12-04 Thread Paul S.
It is worth noting that HE indeed provides the full view, it's the other 
side that has an issue.


(Since HE isn't really a tier 1, their transit relationships with Telia 
and other carriers "save" them)


Cogent -> HE dies with unreachable on the first hop though, and that's 
an issue for Cogent customers.


On 12/5/2015 11:09 AM, Baldur Norddahl wrote:

On 5 December 2015 at 02:43, Randy Bush  wrote:


Or, if you feel that Cogent's stubborn insistence on partitioning the
global v6 internet

if A does not peer with B,
then for all A and B
they are evil partitioners?

can we lower the rhetoric?


They both lose on this. In fact anyone claiming tier 1 status loses here,
because this illustrates why you can never be single homed on a tier 1
network. These guys simply do not have the full internet.

Regards,

Baldur




Re: IPv6 Cogent vs Hurricane Electric

2015-12-04 Thread Paul S.

Whoops, spoke too soon.

While HE indeed seems to use the transits to reach Cogent, they only do 
this over v4.


IPv6 packets are indeed dropped on the first border. Sorry for the noise.

core1.fmt1.he.net> traceroute ipv6 2001:550:2:d::a:2 numeric
Target 2001:550:2:d::a:2

Hop Start   1
Hop End     30

Hop  Packet 1   Packet 2   Packet 3   Hostname
1    *          *          *          ?
2    *          *          *          ?
3    *          *          *          ?
4    *          *          *          ?
IP: Errno(8) Trace Route Failed, no response from target node.




On 12/5/2015 11:43 AM, Paul S. wrote:
It is worth noting that HE indeed provides the full view, it's the 
other side that has an issue.


(Since HE isn't really a tier 1, their transit relationships with 
Telia and other carriers "save" them)


Cogent -> HE dies with unreachable on the first hop though, and that's 
an issue for Cogent customers.


On 12/5/2015 11:09 AM, Baldur Norddahl wrote:

On 5 December 2015 at 02:43, Randy Bush <ra...@psg.com> wrote:


Or, if you feel that Cogent's stubborn insistence on partitioning the
global v6 internet

if A does not peer with B,
then for all A and B
they are evil partitioners?

can we lower the rhetoric?

They both lose on this. In fact anyone claiming tier 1 status loses 
here,

because this illustrates why you can never be single homed on a tier 1
network. These guys simply do not have the full internet.

Regards,

Baldur






Re: Opinions on Arista 7280?

2015-11-24 Thread Paul S.

Tom,

Could you expand further on this?

On 11/25/2015 07:29 AM, Tom Hill wrote:

And in relation to Brocade: I'd feel very uncomfortable throwing any
*new*  money at MLXe, CER or CES. Strategy for those families seems to
have fallen off of a cliff.




Can someone do something about this "Fw: New message" spam?

2015-10-26 Thread Paul S.

Hi,

Can someone from the moderator team take a look?

This has been going on for a while.


Re: Packetfront/Waystream gear

2015-10-15 Thread Paul S.
Their products seem to be named 'MPC' or 'ASR,' reminds me of J and C 
respectively.


Very unique way of naming things, I must say.

On 10/15/2015 06:08 AM, rdrake wrote:
Does anyone have experience running Packetfront hardware in a 
production network?  We've looked at a few and they seem to be pretty 
good but I want to know if they have downsides.


We're looking at them for edge switches now and thinking about if they 
can be site routers or switches (either a q-in-q vlan handoff to a 
ring or a separate L3 with routing protocols depending on how the site 
is accessed)


You can contact me offlist if you don't want to talk about it publicly.

Thanks,
Robert




Re: IPv6 Irony.

2015-10-13 Thread Paul S.
Anyone in a network administrator position struggling with IPv6 (and not 
willing to fix that out of their own initiative) has no business running 
any network.


You should hire better staff.

On 10/13/2015 06:56 PM, Max Tulyev wrote:

On our network, we had to spend several times more money on people than on hardware.

Customer support, especially network troubleshooting and so on...

So upgrading hardware and network admins is NOT sufficient for IPv6
adoption ;)

On 13.10.15 06:17, Ca By wrote:

On Monday, October 12, 2015, Donn Lasher  wrote:


Having just returned from NANOG65/ARIN36, and hearing about how far IPv6
has come.. I find my experience with  support today
Ironic.

Oh wait..

Hi, my name is Donn, and I’m speaking for… myself.

Irony is a cable provider, one of the largest, and earliest adopters of
IPv6, having ZERO IPv6 support available via phone, chat, or email. And
being pointed, by all of those contact methods, to a single website. A
static website. In 2015, when IPv4 is officially exhausted.

:sigh:




Tech support websites are long tail

Pragmatists are focused on getting ipv6 to the masses by default in
high traffic use cases.

Sighing about edge cases in the long tail  with ipv6 ... Not sure what you
expect.



CB





Re: Prefix hijacking by AS20115

2015-09-28 Thread Paul S.

+1, this is the only sensible advice here.

NSPs actually do seem to care about not letting things like these happen.

On 2015/09/29 01:24 PM, Hank Nussbacher wrote:

At 23:11 28/09/2015 -0400, Josh Luthman wrote:


Start announcing their prefixes?


Contact the upstreams of AS20115 - Cogent, Level3, HE and XO.

-Hank



Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On Sep 28, 2015 11:09 PM, "Seth Mattinen"  wrote:

> On 9/28/15 18:30, William Herrin wrote:
>
>> On Mon, Sep 28, 2015 at 9:01 PM, Seth Mattinen wrote:
>>
>>> I've got a problem where AS20115 continues to announce prefixes after BGP
>>> neighbors were shutdown. They claim it's a wedged BGP process but aren't
>>> in any hurry to fix it outside of a maintenance window.
>>
>> If they weren't lying to you, they'd fix it now. That's not the kind
>> of problem that waits.
>>
>> Thing is: they lied to you. Long ago they "helpfully" programmed their
>> router to announce your route regardless of whether you sent a route
>> to them. They want to wait for a maintenance window to remove that
>> configuration.
>>
>>> I'm at a loss of what else I can do. They admit the problem but won't take
>>> action saying it needs to wait for a maintenance window. Am I out of line
>>> insisting that's an unacceptable response to a problem that results in
>>> prefix/traffic hijacking?
>>
>> Try dropping the link entirely. If they still announce your addresses,
>> bring it back up but report it as emergency down, escalate, and call
>> back every 10 minutes until the junior tech understands that it's time
>> to call and wake up the guy who makes the decision to fix it now.
>
> I'm at the tail end here almost 8 hours later since the hijacking started.
> Their NOC is just blowing me off now and they're happy to continue the
> hijacking until it's convenient for them to have a maintenance window. And
> that's apparently the final decision.
>
> ~Seth






Re: DDOS Simulation

2015-07-28 Thread Paul S.
Seeing as the 'traditional' ways to launch big DDoS attacks are illegal, 
and you're after a 'legit' company to offer this...


Yeah, I don't think you'll get too far.

You'll either have to roll your own testsuite on a lan environment, or ...

On 29/7/2015 3:31 AM, Dovid Bender wrote:

We are looking for a company that can launch a DDOS attack against the
solutions we are testing. I don't want a proof of concept from the company
that will be offering DDOS protection since they can simulate an easy
attack and then mitigate. I want whom ever we go with to be able to handle
what ever is thrown at them.


On Mon, Jul 27, 2015 at 5:40 PM, lobna gouda lobna_go...@hotmail.com
wrote:


Hello David and Dan,

Are you going to perform the DDOS solution yourself, or are you looking
for a company to provide a solution for you? Some companies perform an
attack simulation for you before buying the product.


From: dro...@gmail.com
Date: Mon, 27 Jul 2015 09:31:21 -0700
Subject: Re: DDOS Simulation
To: do...@telecurve.com
CC: nanog@nanog.org
Looking for similar here.

-Dan

On Mon, Jul 27, 2015 at 8:32 AM, Dovid Bender do...@telecurve.com

wrote:

Hi All,

We are looking into a few different DDOS solutions for a client. We
need a LEGITIMATE company that can simulate some DDOS attacks (the generic +
specific to the client's business). Anyone have any recommendations?

Regards,

Dovid





Re: AW: AW: Prefix-Hijack by AS7514

2015-07-17 Thread Paul S.

I let IIJ know too, hopefully they'll filter it soon.

On 7/17/2015 03:30 PM, Jürgen Jaritsch wrote:

Hi,

we also sent them an e-mail, but their MX is not reachable for us :(


best regards

Jürgen Jaritsch
Head of Network & Infrastructure

ANEXIA Internetdienstleistungs GmbH

Phone: +43-5-0556-300
Fax: +43-5-0556-500

E-Mail: j...@anexia.at
Web: http://www.anexia.at

Address, head office Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
Managing Director: Alexander Windbichler
Commercial register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT ID: AT U63216601

-----Original Message-----
From: Seiichi Kawamura [mailto:kawamu...@mesh.ad.jp]
Sent: Friday, 17 July 2015 08:29
To: Jürgen Jaritsch j...@anexia.at; Hugo Slabbert hslabb...@stargate.ca
Cc: 'nanog@nanog.org' nanog@nanog.org
Subject: Re: AW: Prefix-Hijack by AS7514

I contacted 7514. They are aware.

-Seiichi

On 2015/07/17 15:23, Jürgen Jaritsch wrote:

We already informed AS2497 but I have no idea if they'll cooperate.


Best regards


Jürgen Jaritsch

-----Original Message-----
From: Hugo Slabbert [mailto:hslabb...@stargate.ca]
Sent: Friday, 17 July 2015 08:23
To: Jürgen Jaritsch j...@anexia.at
Cc: 'nanog@nanog.org' nanog@nanog.org
Subject: Re: Prefix-Hijack by AS7514

Seeing the same; a /19.

BGPMon reports an alert at 2015-07-17 05:29 (UTC) and that it's being
accepted by 2497.

--
Hugo Slabbert
Stargate Connections - AS19171

-Original Message-

Date: Fri, 17 Jul 2015 06:15:36 +
From: Jürgen Jaritsch j...@anexia.at
To: 'nanog@nanog.org' nanog@nanog.org
Subject: Prefix-Hijack by AS7514

Hi,

does anyone else see some prefix hijacks from AS7514? They started to announce 
some of our /24s.


Thanks & best regards

Jürgen Jaritsch





Re: ISP in NYC

2015-07-17 Thread Paul S.
Rather than a peer, it might be an okay idea to try out peering at NYIIX 
(and if the funds permit to get transport, AMS-IX/DE-CIX).


You'll quickly find that peering is *very* useful in Europe, if you have 
any EU bound traffic at all.


On 7/17/2015 04:06 PM, Colin Johnston wrote:

good isp's / peers are in no particular order
bt
telstra ex psinet uk/eu

colin

Sent from my iPhone


On 17 Jul 2015, at 07:52, Jared Geiger ja...@compuwizz.net wrote:

HE uses Telia for Transit. So you won't gain much redundancy there. I would
go with Cogent if you have lots of European customers and North American
business customers. One not on your list is Level3. They would be strong in
that blend too.

You might also try joining a peering point. You'll gain a lot by just
peering with the route servers.


On Thu, Jul 16, 2015 at 6:34 AM, Dovid Bender do...@telecurve.com wrote:

Hi,

We are looking to peer with another ISP in NY. My options are:
Telia
Tata
Cogent

We currently have (and will keep):
HE
NTT
TELX (They use NTT and HE and we are looking to replace them).

We need an ISP that has a good peering/connectivity in Europe and Asia
(Israel specific).

Any advice on who to go with?





Re: Route Optimization Products

2015-05-15 Thread Paul S.
Problem in this space is, none of the products offered are genuinely 
affordable.


When your route optimization software costs more monthly than yet 
another link to yet another tier one provider... `-`


On 5/16/2015 12:27 AM, Rafael Possamai wrote:

Internap also has a product called MIRO, although I am not sure how it
differs from FCP.

On Fri, May 15, 2015 at 10:19 AM, Mike Hammett na...@ics-il.net wrote:


What is out there for route optimization products? I can think of Noction
(no inbound) or Internap FCP (old).



-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com



Midwest Internet Exchange
http://www.midwest-ix.com






Recommended 10GE ISCSI SAN switch

2015-05-12 Thread Paul S.

Hi guys,

We're shortly going to be getting some 10G SANs, and I was wondering 
what people were using as SAN switches for 10G SANs.


It is my understanding that low buffer sizes make most 'normal' 10G 
ethernet switches unsuitable for the job.


We're pretty much an exclusive Juniper shop, but are not biased in any 
way -- best tool for the job is what I've been tasked with to find.


Keeping that in mind, how would something like a EX4550 fare in the 
role? Are there better devices in the same price range?


Thanks!


Re: BGP offloading (fixing legacy router BGP scalability issues)

2015-04-02 Thread Paul S.

Do you have data on '100% of the traffic' being bad?

I happen to have a large Chinese clientbase, and this is not the case on 
my network.


On 4/2/2015 04:35 PM, Colin Johnston wrote:

or ignore/block Russia and North Korea and China network blocks;
takes away 5% of network ranges for memory headroom, especially the large 
number of smaller China blocks.
Some may say this is harsh, but if the network contacts refuse to co-operate 
with abuse and 100% of the traffic is bad, then why not?

Colin



On 2 Apr 2015, at 07:59, Mark Tinka mark.ti...@seacom.mu wrote:



On 1/Apr/15 19:01, Frederik Kriewitz wrote:

We're wondering if anyone has experience with such a setup?

Cisco have a feature called BGP-SD (BGP Selective Download).

With BGP-SD, you can hold millions of entries in RAM, but decide what
gets downloaded into the FIB. By doing this, you can still export a full
BGP table to customers directly connected to your 6500, and only have a
0/0 + ::/0 (and some more customer routes) in the FIB to do forwarding
to a bigger box.

BGP-SD started shipping in IOS XE, but I now understand that the feature
is on anything running IOS 15.

This would be my recommendation.

Mark.




Re: BGP offloading (fixing legacy router BGP scalability issues)

2015-04-02 Thread Paul S.

163data is announced as Chinanet, a China Telecom brand.

Dropping 4134 (http://bgp.he.net/AS4134) globally will get my customers 
up at my doors with pitchforks fairly fast, I dunno about yours


Simply too big to do anything that drastic against.

On 4/2/2015 05:04 PM, Colin Johnston wrote:

On 2 Apr 2015, at 08:40, Paul S. cont...@winterei.se wrote:

Do you have data on '100% of the traffic' being bad?


as a example anything in 163data.com.cn is bad

Colin


I happen to have a large Chinese clientbase, and this is not the case on my 
network.

On 4/2/2015 04:35 PM, Colin Johnston wrote:

or ignore/block Russia and North Korea and China network blocks;
takes away 5% of network ranges for memory headroom, especially the large 
number of smaller China blocks.
Some may say this is harsh, but if the network contacts refuse to co-operate 
with abuse and 100% of the traffic is bad, then why not?

Colin



On 2 Apr 2015, at 07:59, Mark Tinka mark.ti...@seacom.mu wrote:



On 1/Apr/15 19:01, Frederik Kriewitz wrote:

We're wondering if anyone has experience with such a setup?

Cisco have a feature called BGP-SD (BGP Selective Download).

With BGP-SD, you can hold millions of entries in RAM, but decide what
gets downloaded into the FIB. By doing this, you can still export a full
BGP table to customers directly connected to your 6500, and only have a
0/0 + ::/0 (and some more customer routes) in the FIB to do forwarding
to a bigger box.

BGP-SD started shipping in IOS XE, but I now understand that the feature
is on anything running IOS 15.

This would be my recommendation.

Mark.




Re: BGP offloading (fixing legacy router BGP scalability issues)

2015-04-02 Thread Paul S.

David Barroso's (Spotify) SDN Internet Router [0] comes to mind.

0 - https://github.com/dbarrosop/sir

On 4/2/2015 07:47 PM, Baldur Norddahl wrote:

Filtering countries is a bad idea, but it is probably possible to create
filters so 99% of your actual traffic is handled by a relatively small
subset of global routes and the remaining 1% routed via a default route or
via a Linux box.

Anyone know of tools and methods to do this? How effective is it ( how many
routes is necessary to capture 99% of the traffic)?

Regards

Baldur
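Added example, not from the thread, covering both Mark's BGP-SD suggestion (decide what gets downloaded into the FIB) and Baldur's question (how many routes does 99% of the traffic need): a Python routine that attributes NetFlow-style byte counts to the longest-matching route, picks the heaviest routes until a target share is reached, and then pulls in the more-specifics of every chosen prefix, because keeping a covering route while dropping its more-specifics would forward their traffic to the covering route's next-hop instead of the one the full table has. ROUTES and FLOWS are constructed; longest_match, bytes_per_route and select_routes are names chosen for the example.

```python
"""Added example (not from the thread): given per-destination traffic
samples and the full table, find the smallest set of routes that carries a
target share of bytes, then add the more-specifics of every chosen prefix so
forwarding inside the chosen space matches the full table. Routes and flow
samples are constructed; the general method is what the text asks about."""
from collections import defaultdict
import ipaddress

# Constructed full table and NetFlow-like (dst, bytes) samples.
ROUTES = ["192.0.2.0/24", "192.0.2.0/25", "198.51.100.0/24",
          "198.51.100.128/25", "203.0.113.0/24", "100.64.0.0/10"]
FLOWS = [("192.0.2.10", 5000), ("192.0.2.200", 100), ("198.51.100.5", 3000),
         ("203.0.113.9", 50), ("100.64.1.1", 20)]


def longest_match(addr, nets):
    """Longest-prefix match of addr against nets (None if no route)."""
    a = ipaddress.ip_address(addr)
    best = None
    for n in nets:
        if a.version == n.version and a in n:
            if best is None or n.prefixlen > best.prefixlen:
                best = n
    return best


def bytes_per_route(flows, routes):
    """Attribute each flow's bytes to the route that would forward it."""
    nets = [ipaddress.ip_network(r) for r in routes]
    totals = defaultdict(int)
    for dst, nbytes in flows:
        n = longest_match(dst, nets)
        totals[str(n) if n else "default"] += nbytes
    return dict(totals)


def select_routes(flows, routes, coverage=0.99):
    """Return (sorted prefixes to keep in the FIB, share of bytes they carry)."""
    totals = bytes_per_route(flows, routes)
    grand = sum(totals.values())
    if grand == 0:
        return [], 0.0
    chosen, acc = set(), 0
    # Greedy: heaviest routes first until the target share is reached.
    for prefix, b in sorted(totals.items(), key=lambda kv: (-kv[1], kv[0])):
        if acc >= coverage * grand:
            break
        if prefix == "default":
            continue                # traffic with no route cannot be "installed"
        chosen.add(ipaddress.ip_network(prefix))
        acc += b
    # Keeping a covering route but dropping its more-specifics would send
    # their traffic to the covering route's next-hop; pull them in too.
    all_nets = [ipaddress.ip_network(r) for r in routes]
    for n in all_nets:
        if any(n != c and n.version == c.version and n.subnet_of(c)
               for c in list(chosen)):
            chosen.add(n)
    kept = sorted(str(n) for n in chosen)
    share = sum(totals.get(p, 0) for p in kept) / grand
    return kept, share


if __name__ == "__main__":
    kept, share = select_routes(FLOWS, ROUTES)
    print(f"{len(kept)} of {len(ROUTES)} routes carry {share:.2%} of bytes:")
    for p in kept:
        print(" ", p)
```

The output list is what you would feed to a BGP-SD route-map or an equivalent FIB-install filter, with 0/0 and ::/0 toward the bigger box catching the remaining share. Re-run it on fresh flow data regularly: the heavy set drifts, and a route that drops out of it still forwards, just via the default.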




Re: Getting hit hard by CHINANET

2015-03-23 Thread Paul S.

+1, I've had good luck with this as well.

My experiences pretty much mirror yours, NOC says no, had to ask my SE 
to take care of it.


Didn't have any issues after.

On 3/23/2015 11:55 PM, Ca By wrote:

On Sun, Mar 23, 2014 at 3:43 AM, Justin M. Streiner strei...@cluebyfour.org

wrote:
On Mon, 23 Mar 2015, Ca By wrote:

  Having your upstream apply a permanent udp bw policer, say 5 or 10x busy

hour baseline, works well for this.


Many upstreams will not do that, particularly on a permanent basis.  They
might do something temporarily to deal with an incident, but many of the
bigger carriers probably wouldn't want to leave that in place permanently.

jms


My Tier 1 upstreams are fine with it permanent. YMMV.  I did have to get
my account team involved, but from a technical perspective, a one line
policer (all UDP rate-limit to 10% of link speed) is not a technical
challenge, and the one-off config element is not overly burdensome.

Again, YMMV.  And, your frequency and impact of IPv4 UDP based attacks will
dictate your needs.

CB




Re: Getting hit hard by CHINANET

2015-03-18 Thread Paul S.

On 3/18/2015 02:44 PM, Mark Tinka wrote:



On 18/Mar/15 07:31, Paul S. wrote:
All 6 of my upstreams (Most of them tier 1s, except Internap which is 
a tier 3?) have cooperated just fine in blocking problematic IPs if 
needed in emergencies.


In the data plane for the link facing you, or through RTBH?

Mark.


Data plane.

PCCW on a separate project even offered to do specific filters like 
'drop all udp to port n targeting block x.' My subscription to them is 
normal internet transit.


Suppose I've been lucky, eh.


Re: Getting hit hard by CHINANET

2015-03-17 Thread Paul S.
All 6 of my upstreams (Most of them tier 1s, except Internap which is a 
tier 3?) have cooperated just fine in blocking problematic IPs if needed 
in emergencies.


I did not have to argue.

On 3/18/2015 02:26 PM, Mark Tinka wrote:



On 18/Mar/15 04:13, Roland Dobbins wrote:



Also, asking your upstreams/peers to block traffic sourced from this 
IP to your netblock(s) on their networks.


I'm actually curious how many transit providers would implement data 
plane filters on their side to block source traffic bound for their 
downstreams.


Personally, as a transit provider, I'm less inclined to filtering 
traffic in any way; impact to hardware e.t.c. notwithstanding...


Perhaps times are changing.

Mark.




Re: Input Regarding Cogent and NTT

2015-02-05 Thread Paul S.
As a current Cogent customer, my experience on the service side of 
things is similar.


Very responsive (I called on a Sunday and had someone with good enough 
clue + router access pick up instantly.)


NOC is competent, and my sales guys (I've had two so far) are not pushy 
at all. I don't have any real complaints.


I'd rate them higher than most of my other upstreams as far as NOC 
competency goes.


On 2/6/2015 03:00 AM, Christopher Rogers wrote:

NTT is awesome.  Extremely responsive, sales guys aren't pushy, noc is
great, and lots of NTT guys are here on nanog.

Cogent is not.  Their sales guys love to scrape whois records too, and
won't leave you the hell alone.

I've used both extensively, and now typically just avoid cogent.

-chris
On 05.02.2015 09:26, Jack Stonebraker 
jack.stonebra...@mygrande.com wrote:


My organization is currently shopping for some additional Transit Capacity
to augment our existing interconnects.  We've got around 8 distinct AS's
that we're receiving transit routes from, followed by a handful of Public
IX's and Private PNI's to AS's that warrant them.  That said, the networks
that are on our radar are Cogent and NTT.  I've done some due diligence
poking around on their Looking Glass, but I'd love to hear any user
experiences from the community, both from a Layer 3 Perspective, as well as
an Operational Perspective (Working with the businesses themselves).  Feel
free to contact me off-list and thanks in advance for your time.



Jack Stonebraker  | Sr. IP Network Engineer
(512) 878-5627  |  jack.stonebra...@mygrande.commailto:
john.ho...@mygrande.com
Grande  Communications  Networks
401 Carlson Circle  |  San Marcos, Texas  |  78666









Re: Verizon FiOS contact?

2015-02-03 Thread Paul S.
Isn't pnap a direct vz customer either way? I know it's in the DFW blend 
which we have, not sure about NY.


It shouldn't be out of their ability to complain.

On 2/4/2015 01:35 PM, Christopher Morrow wrote:

On Tue, Feb 3, 2015 at 11:02 PM, Charles Gagnon charl...@unixrealm.com wrote:

Anyone from VZ FiOS network on the list who would be interested in
discussing something.

We host in Equinix/NY4 and have internet provided by Internap. Several of
our users have been complaining of speed issues and our own speed tests
confirm severe bandwidth degradation  (we're talking 0.5Mbps download
speeds) but only for FiOS customers. From anywhere to Internap is fine.
 From FiOS to anywhere else is also fine. But there is a definite
reproducible issues from FiOS (tested in NYC, Westchester and NJ) to
Internap in NY4.

Internap informed us other customers are having issues from FiOS as well
but it seems they can't reach anyone at VZ who will engage on this. They
claim each user must file a repair request with VZ. We are encouraging our
users to do so but I'm not holding my breath.

guessing here, but I bet if someone from internap called the vz sales
folks and there'd be a solution in 30-90 days (standard install
interval).




Re: scaling linux-based router hardware recommendations

2015-01-28 Thread Paul S.

That's the problem though.

Everyone has presentations for the most part, very few actual tools that 
end users can just use exist.


On 1/28/2015 08:02 PM, Robert Bays wrote:

On Jan 27, 2015, at 8:31 AM, Jim Shankland na...@shankland.org wrote:

My expertise, such as it ever was, is a bit stale at this point, and my
figures might be a little off. But I think the general principle
applies: think about the minimum number of x86 instructions, and the
minimum number of main memory accesses, to inspect a packet header, do a
routing table lookup, and enqueue the packet on an outbound interface. I
can't see that ever getting reduced to the point where a generic server
can handle 40-byte packets at line rate (for that matter, line rate is
increasing a lot faster than speed of generic server these days).

Using DPDK it’s possible to do everything stated and achieve 10Gbps line rate 
at 64byte packets on multiple interfaces simultaneously.  Add ACLs to the test 
setup and you can reach significant portions of 10Gbps at 64byte packets and 
full line rate at 128bytes.

Check out Venky Venkatesan’s presentation at the last DPDK Summit for 
interesting information on pps/CPU cycles and some of the things that can be 
done to optimize forwarding in a generic processor environment.

http://www.slideshare.net/jstleger/6-dpdk-summit-2014-intel-presentation-venky-venkatesan






Re: scaling linux-based router hardware recommendations

2015-01-27 Thread Paul S.
Anyone aware of any dpdk enabled solutions in the software routing space 
that don't cost an arm and a leg?


vMX certainly does.

On 1/27/2015 04:33 PM, Pavel Odintsov wrote:

Hello!

Looks like somebody wants to build a Linux soft router!) Nice idea for
routing 10-30 GBps. I route about 5+ Gbps on a Xeon E5-2620v2 with 4
10GE Intel 82599 cards and Debian Wheezy 3.2 (but it's a really terrible
kernel; everyone should use modern kernels since 3.16 because of the buggy
Linux route cache). My current processor load on the server is about
15%, thus I can route about 15 GE on my Linux server.

Surely, you should deploy a backup server too in case the master server fails.

On Tue, Jan 27, 2015 at 1:53 AM, micah anderson mi...@riseup.net wrote:

Hi,

I know that specially programmed ASICs on dedicated hardware like Cisco,
Juniper, etc. are going to always outperform a general purpose server
running gnu/linux, *bsd... but I find the idea of trying to use
proprietary, NSA-backdoored devices difficult to accept, especially when
I don't have the budget for it.

I've noticed that even with a relatively modern system (supermicro with
a 4 core 1265LV2 CPU, with a 9MB cache, Intel E1G44HTBLK Server
adapters, and 16gig of ram, you still tend to get high percentage of
time working on softirqs on all the CPUs when pps reaches somewhere
around 60-70k, and the traffic approaching 600-900mbit/sec (during a
DDoS, such hardware cannot typically cope).

It seems like finding hardware more optimized for very high packet per
second counts would be a good thing to do. I just have no idea what is
out there that could meet these goals. I'm unsure if faster CPUs, or
more CPUs is really the problem, or networking cards, or just plain old
fashioned tuning.

Any ideas or suggestions would be welcome!
micah








Re: scaling linux-based router hardware recommendations

2015-01-26 Thread Paul S.
Like Mike mentioned, the feature list in RouterOS is nothing short of 
impressive -- problem is that pretty much everything in there is 
inherently buggy.


That and one hell of a painful syntax-schema to work with too.

On 1/27/2015 10:57 AM, Tony Wicks wrote:

And the solution to this issue is - http://routerboard.com/ or 
http://www.mikrotik.com/software# on x86 hardware, plus any basic layer2 
switch. Don't scoff until you have tried it, the price/performance is pretty 
staggering if you are in the sub 20gig space.
  
-Original Message-

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mike Hammett
Sent: Tuesday, 27 January 2015 2:44 p.m.
To: nanog@nanog.org
Subject: Re: scaling linux-based router hardware recommendations

Aren't most of the new whitebox\open source platforms based on switching and not routing? 
I'd assume that the cloud-scale data centers deploying this stuff still have 
more traditional big iron at their cores.

The small\medium sized ISP usually is left behind. They're not big enough to 
afford the big new hardware, but all of their users' NetFlix and porn and 
whatever else they do is chewing up bandwidth. For example, the small\medium 
ISPs are at the Nx10GigE stage now. The new hardware is expensive, the old 
hardware (besides being old) is likely in a huge chassis if you can get any 
sort of port density at all.

48 port GigE switches with a couple 10GigE can be had for $100. A minimum of 24 
port 10GigE switches (except for the occasional IBM switch ) is 30x to 40x 
times that. Routers (BGP, MPLS, etc.) with more than just a couple of 10GigEs 
are even more money, I'd assume.

I thought vMX was going to save the day, but its pricing for 10 gigs of 
traffic (licensed by throughput and standard\advanced licenses) is really about 
5x - 10x what I'd be willing to pay for it.

Haven't gotten a quote from AlcaLu yet.

Vyatta (last I checked, which was admittedly some time ago) doesn't have MPLS.

The FreeBSD world can bring zero software cost and a stable platform, but no 
MPLS.

Mikrotik brings most (though not all) of the features one would want... a good enough 
feature set, let's say... but is a non-stop flow of bugs. I don't think a week or two 
goes by where one of my friends doesn't submit some sort of reproducible bug to Mikrotik. 
They've also been looking into DPDK for 2.5 years now. hasn't shown up yet. 
I've used MT for 10 years and I'm always left wanting just a little more, but it may be 
the best balance between the features and performance I want and the ability to pay for 
it.




-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

- Original Message -

From: Mehmet Akcin meh...@akcin.net
To: micah anderson mi...@riseup.net
Cc: nanog@nanog.org
Sent: Monday, January 26, 2015 6:06:53 PM
Subject: Re: scaling linux-based router hardware recommendations

Cumulus Networks has some stuff,

http://www.bigswitch.com/sites/default/files/presentations/onug-baremetal-2014-final.pdf

Pretty decent presentation with more details you like.

Mehmet


On Jan 26, 2015, at 8:53 PM, micah anderson mi...@riseup.net wrote:


Hi,

I know that specially programmed ASICs on dedicated hardware like
Cisco, Juniper, etc. are going to always outperform a general purpose
server running gnu/linux, *bsd... but I find the idea of trying to use
proprietary, NSA-backdoored devices difficult to accept, especially
when I don't have the budget for it.

I've noticed that even with a relatively modern system (supermicro
with a 4 core 1265LV2 CPU, with a 9MB cache, Intel E1G44HTBLK Server
adapters, and 16gig of ram, you still tend to get high percentage of
time working on softirqs on all the CPUs when pps reaches somewhere
around 60-70k, and the traffic approaching 600-900mbit/sec (during a
DDoS, such hardware cannot typically cope).

It seems like finding hardware more optimized for very high packet per
second counts would be a good thing to do. I just have no idea what is
out there that could meet these goals. I'm unsure if faster CPUs, or
more CPUs is really the problem, or networking cards, or just plain
old fashioned tuning.

Any ideas or suggestions would be welcome!
micah





Re: DDOS solution recommendation

2015-01-11 Thread Paul S.

There's the Cisco xRV too, should be decent for playing around with.

On 1/12/2015 12:08 AM, Dave Bell wrote:

Maybe try the Cisco CSR1000v. In the trial mode it won't give you a
decent throughput, but should have all features enabled.

On 11 January 2015 at 15:02, Ammar Zuberi am...@fastreturn.net wrote:

I’m stuck trying to find a virtual router environment that I can play with 
flowspec on. We do have some Juniper routers, but they are in production and I 
don’t think I want to touch flowspec on them just yet.

Does anyone have any experience or any ideas here? Even openbgpd?


On Jan 11, 2015, at 6:58 PM, Roland Dobbins rdobb...@arbor.net wrote:


On 11 Jan 2015, at 20:52, Ca By wrote:


1. BCP38 protects your neighbor, do it.

It's to protect yourself, as well.  You should do it all the way down to the 
transit customer aggregation edge, all the way down to the IDC access layer, 
etc.


2.  Protect yourself by having your upstream police Police UDP to some
baseline you are comfortable with.

This will come back to haunt you, when the programmatically-generated attack 
traffic 'crowds out' the legitimate traffic and everything breaks.

You can only really do this for ntp.


3.  Have RTBH ready for some special case.

S/RTBH and/or flowspec are better (S/RTBH does D/RTBH, too).

---
Roland Dobbins rdobb...@arbor.net
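Two posts above bear on the same setting: Ca By's suggestion (in the "Getting hit hard by CHINANET" thread, and again as item 2 here) of a permanent upstream policer on all UDP at some fraction of link speed, and Roland's caveat that attack traffic then "crowds out" legitimate traffic. The following added example, which is not code from the thread or from any poster, puts numbers on that caveat with a single-rate token-bucket policer run over a constructed mix of legitimate and attack UDP packets. The link rate, the 10% policer, the packet sizes and the seeded random interleaving are all assumptions made for the illustration.

```python
"""Added example: token-bucket policer vs. a constructed UDP flood.

Constructed scenario (not from the thread): a 1 Gbit/s link whose
upstream polices all UDP to 10% (100 Mbit/s).  Legitimate UDP runs at
5000 pps; an attack adds 50000 pps.  Both classes use 1000-byte packets
so that what the policer does is purely proportional and not an
artefact of packet size.  The policer cannot tell the classes apart, so
legitimate packets are dropped at (nearly) the same rate as attack
packets once the offered load exceeds the policed rate.
"""
import random
from typing import Dict, List, Tuple

Packet = Tuple[float, str, int]  # (arrival time in seconds, class, size in bytes)


def police(packets: List[Packet], rate_bps: float, burst_bytes: float) -> Dict[str, Dict[str, int]]:
    """Single-rate token bucket: tokens refill at rate_bps/8 bytes per second
    up to burst_bytes; a packet is admitted only if enough tokens remain.
    Packets must be sorted by arrival time.  Returns per-class counters."""
    tokens = burst_bytes
    last = packets[0][0] if packets else 0.0
    stats: Dict[str, Dict[str, int]] = {}
    for ts, cls, size in packets:
        tokens = min(burst_bytes, tokens + (ts - last) * rate_bps / 8)
        last = ts
        counters = stats.setdefault(cls, {"passed": 0, "dropped": 0})
        if tokens >= size:
            tokens -= size
            counters["passed"] += 1
        else:
            counters["dropped"] += 1
    return stats


def build_traffic(seconds: int, legit_pps: int, attack_pps: int, seed: int = 1) -> List[Packet]:
    """Constructed traffic: per second, legit_pps legitimate and attack_pps
    attack packets of 1000 bytes each, spread evenly over the second in a
    seeded random interleaving (so the run is deterministic)."""
    rng = random.Random(seed)
    out: List[Packet] = []
    for sec in range(seconds):
        batch = [("legit", 1000)] * legit_pps + [("attack", 1000)] * attack_pps
        rng.shuffle(batch)
        n = len(batch)
        for i, (cls, size) in enumerate(batch):
            out.append((sec + i / n, cls, size))
    return out


def pass_ratio(stats: Dict[str, Dict[str, int]], cls: str) -> float:
    """Fraction of packets of one class that the policer admitted."""
    c = stats[cls]
    return c["passed"] / (c["passed"] + c["dropped"])


def compare(rate_bps: float = 100e6, burst_bytes: float = 125_000, seconds: int = 10) -> Dict[str, float]:
    """Run the policer without and with the attack and report pass ratios.
    Defaults: 100 Mbit/s (10% of a 1 Gbit/s link), 10 ms worth of burst."""
    clean = police(build_traffic(seconds, 5000, 0), rate_bps, burst_bytes)
    attacked = police(build_traffic(seconds, 5000, 50000), rate_bps, burst_bytes)
    return {
        "legit_pass_clean": pass_ratio(clean, "legit"),
        "legit_pass_attack": pass_ratio(attacked, "legit"),
        "attack_pass": pass_ratio(attacked, "attack"),
    }


if __name__ == "__main__":
    for name, ratio in compare().items():
        print(f"{name:>18}: {ratio:.3f}")
```

Without the attack, 40 Mbit/s of legitimate UDP fits comfortably under the 100 Mbit/s policer and nothing is dropped. With 400 Mbit/s of attack traffic added, the policer does cap what reaches you at 100 Mbit/s, but roughly four in five legitimate UDP packets are dropped along with four in five attack packets, which is exactly the failure mode Roland describes: the blanket policer protects the link, not the service.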




Re: DDOS solution recommendation

2015-01-10 Thread Paul S.
While it indeed is true that attacks up to 600 gbit/s (If OVH and 
CloudFlare's data is to be believed) have been known to happen in the 
wild, it's very unlikely that you need to mitigate anything close.


The average attack is usually around the 10g mark (That too barely) -- 
so even solutions that service up to 20g work alright.


Obviously, concerns are different if you're an enterprise that's a DDoS 
magnet -- but for general service providers selling 'protected 
services,' food for thought.


On 1/11/2015 12:48 PM, Damian Menscher wrote:

On Thu, Jan 8, 2015 at 9:01 AM, Manuel Marín m...@transtelco.net wrote:


I was wondering what you are using for DDOS protection in your networks. We
are currently evaluating different options (Arbor, Radware, NSFocus,
RioRey) and I would like to know if someone is using the cloud based
solutions/scrubbing centers like Imperva, Prolexic, etc and what are the
advantages/disadvantages of using a cloud base vs an on-premise solution.
It would be great if you can share your experience on this matter.


On-premise solutions are limited by your own bandwidth.  Attacks have been
publicly reported at 400Gbps, and are rumored to be even larger.  If you
don't have that much network to spare, then packet loss will occur upstream
of your mitigation.  Having a good relationship with your network
provider(s) can help here, of course.

If you go with a cloud-based solution, be wary of their SLA.  I've seen
some claim 100% uptime (not believable) but of course no refund/credits for
downtime.  Another provider only provides 20Gbps protection, then will
null-route the victim.

On Sat, Jan 10, 2015 at 4:19 PM, Charles N Wyble char...@thefnf.org wrote:


Also how are folks testing ddos protection? What lab gear,tools,methods
are you using to determine effectiveness of the mitigation.


Live-fire is the cheapest approach (just requires some creative trolling)
but if you want to control the off button, cloud VMs can be tailored to
your needs.  There are also legitimate companies that do network stress
testing.

Keep in mind that you need to test against a variety of attacks, against
all components in the critical path.  Attackers aren't particularly
methodical, but will still randomly discover any weaknesses you've
overlooked.

Damian




Re: DDOS solution recommendation

2015-01-10 Thread Paul S.

Very true.

Last year's Atrato outages in NY come to mind on this one.

On 1/11/2015 01:51 PM, Roland Dobbins wrote:

On Jan 11, 2015, at 11:37 AM, Paul S. cont...@winterei.se wrote:


Obviously, concerns are different if you're an enterprise that's a DDoS magnet 
-- but for general service providers selling 'protected services,' food for 
thought.

Actually, bystander traffic is all-too-often affected by these very large 
reflection/amplification attacks, because they fill up peering/transit links:

https://app.box.com/s/r7an1moswtc7ce58f8gg

[Full disclosure:  I work for a provider of IDMS solutions, but there's no 
vendor propaganda in the above-linked .pdf preso.]

--
Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

Do not trust the horse, Trojans.

  -- Laocoön





Re: DDOS solution recommendation

2015-01-10 Thread Paul S.
Seeing a lot of SSDP too, but attacks on scales that large have been 
rare (at least for us).


Have however seen a few 40+ ones, yeah.

I suppose it all comes down to how much you actually /need/ to stand up 
against. For enterprises that can't afford to go down, yeah... :(


On 1/11/2015 01:50 PM, Ammar Zuberi wrote:

I'd beg to differ on this one. The average attacks we're seeing are double 
that, around the 30-40g mark. Since NTP and SSDP amplification began, we've 
been seeing all kinds of large attacks.

Obviously, these can easily be blocked upstream to your network. Hibernia 
Networks blocks them for us.

Ammar


On 11 Jan 2015, at 8:37 am, Paul S. cont...@winterei.se wrote:

While it indeed is true that attacks up to 600 gbit/s (If OVH and CloudFlare's 
data is to be believed) have been known to happen in the wild, it's very 
unlikely that you need to mitigate anything close.

The average attack is usually around the 10g mark (That too barely) -- so even 
solutions that service up to 20g work alright.

Obviously, concerns are different if you're an enterprise that's a DDoS magnet 
-- but for general service providers selling 'protected services,' food for 
thought.


On 1/11/2015 12:48 PM, Damian Menscher wrote:

On Thu, Jan 8, 2015 at 9:01 AM, Manuel Marín m...@transtelco.net wrote:

I was wondering what you are using for DDOS protection in your networks. We
are currently evaluating different options (Arbor, Radware, NSFocus,
RioRey) and I would like to know if someone is using the cloud based
solutions/scrubbing centers like Imperva, Prolexic, etc and what are the
advantages/disadvantages of using a cloud base vs an on-premise solution.
It would be great if you can share your experience on this matter.

On-premise solutions are limited by your own bandwidth.  Attacks have been
publicly reported at 400Gbps, and are rumored to be even larger.  If you
don't have that much network to spare, then packet loss will occur upstream
of your mitigation.  Having a good relationship with your network
provider(s) can help here, of course.

If you go with a cloud-based solution, be wary of their SLA.  I've seen
some claim 100% uptime (not believable) but of course no refund/credits for
downtime.  Another provider only provides 20Gbps protection, then will
null-route the victim.


On Sat, Jan 10, 2015 at 4:19 PM, Charles N Wyble char...@thefnf.org wrote:

Also how are folks testing ddos protection? What lab gear,tools,methods
are you using to determine effectiveness of the mitigation.

Live-fire is the cheapest approach (just requires some creative trolling)
but if you want to control the off button, cloud VMs can be tailored to
your needs.  There are also legitimate companies that do network stress
testing.

Keep in mind that you need to test against a variety of attacks, against
all components in the critical path.  Attackers aren't particularly
methodical, but will still randomly discover any weaknesses you've
overlooked.

Damian




Re: ASN Domain for rDNS

2014-12-10 Thread Paul S.
Just been using the .net version of our company domain for 
router/interface IPs.


Also own the ASn.com/net and ASN.as though, primarily to not get 
squatted on.


On 12/10/2014 09:30 AM, Keefe John wrote:
I've been seeing more and more carriers(and even small ISPs) using 
as.net as their domain for rDNS on IP space.  What are the pros 
and cons for doing this versus using your primary business domain name?


Keefe John




Re: Carrier-grade DDoS Attack mitigation appliance

2014-12-10 Thread Paul S.
Tons of such companies exist; BlackLotus/Staminus/Prolexic/Voxility to 
name a few within the US.


Service provided is usually based on proprietary algorithms that may or 
may not do what you want it to do, though.


On 12/11/2014 10:39 AM, Javier J wrote:

What about DDOS protection as a service? Is that something that is being
offered by more than a few vendors? I know of only one that exists through
a friend.

They basically start advertising your bgp routes, filter out the junk, and
send the good traffic back to you.

On Wed, Dec 10, 2014 at 8:08 AM, James Braunegg james.braun...@micron21.com

wrote:
Dear All



We use a combination of NSFOCUS hardware (ADS, ADS-m and NTA along with
A10 Hardware)



All of which I highly recommend !



Kindest Regards


James Braunegg
P:  1300 769 972  |  M:  0488 997 207 |  D:  (03) 9751 7616
E:   james.braun...@micron21.commailto:james.braun...@micron21.com  |
ABN:  12 109 977 666
W:  www.micron21.com/ddos-protection
http://www.micron21.com/ddos-protection   T: @micron21


This message is intended for the addressee named above. It may contain
privileged or confidential information. If you are not the intended
recipient of this message you must not use, copy, distribute or disclose it
to anyone other than the addressee. If you have received this message in
error please return the message to the sender by replying to it and then
delete the message from your computer.



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Parrish, Luke
Sent: Wednesday, December 10, 2014 8:08 AM
To: J. Tozo
Cc: nanog
Subject: RE: Carrier-grade DDoS Attack mitigation appliance



Switch to Nemo.







-Original Message-

From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of J. Tozo

Sent: Monday, December 08, 2014 3:26 PM

Cc: nanog

Subject: Re: Carrier-grade DDoS Attack mitigation appliance



We are also evaluating another appliance to put in place of Arbor; their
support outside the USA is a joke.



On Mon, Dec 8, 2014 at 6:17 PM, Ammar Zuberi am...@fastreturn.net wrote:




Hi,
We're currently running the Arbor Peakflow SP with the TMS and it
works very well for us.
Best Regards,
Ammar Zuberi
FastReturn, Inc
Direct Line: +971 50 394 7299
Email: am...@fastreturn.net
This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are

addressed.


If you have received it by mistake, please let us know by e-mail reply
and delete it from your system; you may not copy this message or
disclose its contents to anyone. Please note that any views or
opinions presented in this email are solely those of the author and do
not necessarily represent those of the company. Finally, the recipient
should check this email and any attachments for the presence of
viruses. The company accepts no liability for any damage caused by any

virus transmitted by this email.


On Dec 8, 2014, at 10:53 PM, Tony McKay

tony.mc...@rittercommunications.com wrote:

Does anyone on list currently use Peakflow SP from Arbor with TMS,
and

is it truly a carrier grade DDoS detection and mitigation platform?
Anyone have any experience with Plixir?

Tony McKay
Dir. Of Network Operations
Office:  870.336.3449
Mobile:  870.243.0058
-The boundary to your comfort zone fades a little each time you
cross

it.  Raise your limits by pushing them.

This electronic mail transmission may contain confidential or
privileged

information. If you believe that you have received this message in
error, please notify the sender by reply transmission and delete the
message without copying or disclosing it.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Mohamed
Kamal
Sent: Sunday, December 07, 2014 2:10 PM
To: nanog
Subject: Carrier-grade DDoS Attack mitigation appliance
Has anyone tried any DDoS attack mitigation appliance rather than
Arbor

PeakFlow TMS? I need it to be carrier-grade in terms of capacity and
redundancy, and as far as I know, Arbor is the only product in the
market which offers a clean pipe volume of traffic, so if the DDoS
attack volume is, for example, 1Tbps, they will grant you for example
50Gbps of clean traffic.

Anyway, I'm open to other suggestions, and open-source products that
can

serve the same purpose; we have a network development team that can work on

this.


Thanks.
--
Mohamed Kamal
Core Network Sr. Engineer





--

Thanks,



Tozo





The information transmitted is intended only for the person or entity to
which it is addressed and may contain proprietary, confidential and/or
legally privileged material. Any review, retransmission, dissemination or
other use of, or taking of any action in reliance upon, this information by
persons or entities other than the intended recipient is prohibited. If you
received this in error, please contact the sender and delete the material

Re: Cisco CCNA Training (Udemy Discounted Training)

2014-12-04 Thread Paul S.

Share them anyway? Juniper's certs have enough demand as well :)

On 12/5/2014 05:13 AM, Eric Litvin wrote:

have some juniper but not cisco.

On Thu, Dec 4, 2014 at 12:08 PM, Bacon Zombie baconzom...@gmail.com wrote:


Anybody got codes valid for December?
On 14 Nov 2014 18:07, Wakefield, Thad M. twakefi...@stcloudstate.edu
wrote:


Since there was some interest in the Udemy CCNA training, I'll risk
forwarding these additional discounts:

Remember that this is ONLY for the month of NOVEMBER!
*** CCNA Course is now $24 with coupon code: THANKS24


https://www.udemy.com/the-complete-ccna-200-120-course/?couponCode=THANKS24

*** ROUTING Course is now $14 with coupon code: THANKS14



https://www.udemy.com/routing-configuration-router-administration/?couponCode=THANKS14

*** SWITCHING Course is now $9 with coupon code: THANKS9
https://www.udemy.com/layer-2-switching-vlans/?couponCode=THANKS9
*** IPv4 Course is now $9 with coupon code: THANKS9



https://www.udemy.com/everything-you-need-to-know-about-ipv4-and-its-configuration/?couponCode=THANKS9

*** IPv6 Course is now $9 with coupon code: THANKS9
https://www.udemy.com/the_abcs_of_ipv6/?couponCode=THANKS9
*** VLANs Course is now $5 with coupon code: THANKS5



https://www.udemy.com/overview-of-vlans-access-list-nat-bonus-material/?couponCode=THANKS5

*** OSPF Course is now $14 with coupon code: THANKS14
https://www.udemy.com/ospf-breakdown/?couponCode=THANKS14
*** HEX Course is FREE *** use coupon code: THANKSFREE



https://www.udemy.com/learn-how-to-do-hex-conversions-in-under-30-seconds/?couponCode=THANKSFREE









Re: Low-numbered ASes being hijacked? [Re: BGP Update Report]

2014-11-30 Thread Paul S.
Do these people never check what exactly they end up originating 
outbound due to a config change, if that's really the case?


On 11/30/2014 11:24 PM, Pierfrancesco Caci wrote:

Simon == Simon Leinen simon.lei...@switch.ch writes:

 Simon Some suspicious paths I'm seeing right now:

 Simon   133439 5
 Simon   197945 4

my bet is on someone using the syntax prepend asnX timesY on a router
that instead wants prepend asnX asnX
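Paul's question above ("do these people never check what exactly they end up originating") suggests a cheap pre-commit check: pull the path a looking glass shows for one of your own prefixes and verify that the segment your router added contains nothing but your own ASN. The following is an added example written for this thread, not code from any poster or router vendor. It parses the two path formats that appear on this page (a bare path with an asdot ASN such as "2.207", and Juniper's "AS path: ... I," line) and flags the "prepend asnX timesY" mistake Pierfrancesco describes, where the repeat count ends up in the path as a low-numbered origin. The ASNs in the sample paths are constructed after the pattern in Simon's list (133439 followed by 5); the route-server output itself is not reproduced.

```python
"""Added example: sanity-check the prepend segment of an observed AS_PATH.

Assumptions (constructed, not from the thread): you know your own ASN and
how many extra copies you intend to prepend, and you can obtain the
AS_PATH string for your prefix from a looking glass or route collector.
"""
from typing import List

ORIGIN_CODES = {"I", "E", "?"}  # Juniper/Cisco origin markers that end the path


def asdot_to_asplain(token: str) -> int:
    """Convert an asdot ASN such as '2.207' to asplain (2*65536+207 = 131279);
    plain decimal ASNs pass through unchanged."""
    if "." in token:
        high, low = token.split(".", 1)
        return int(high) * 65536 + int(low)
    return int(token)


def parse_as_path(text: str) -> List[int]:
    """Parse 'AS path: 4826 5580 2.207 51040 I, validation-state: ...' or a
    bare '3491 5580 2.207 51040 i' into asplain ASNs, nearest neighbour
    first and origin last.  Parsing stops at the origin code."""
    path: List[int] = []
    body = text.split("AS path:", 1)[-1]
    for tok in body.split():
        tok = tok.rstrip(",")
        if tok.upper() in ORIGIN_CODES:
            break
        path.append(asdot_to_asplain(tok))
    return path


def check_origin_prepend(path: List[int], origin_asn: int, prepends: int) -> List[str]:
    """Return a list of problems with the origin's prepend segment; an empty
    list means the path looks as intended.

    `prepends` is the number of extra copies the origin meant to add, so a
    correct path ends with origin_asn repeated (prepends + 1) times."""
    problems: List[str] = []
    if not path:
        return ["empty AS_PATH"]
    if path[-1] != origin_asn:
        problems.append(f"origin in path is AS{path[-1]}, expected AS{origin_asn}")
        # A tiny number sitting right behind our own ASN is the classic
        # 'prepend asnX timesY' typo: the repeat count became an ASN.
        if path[-1] <= 32 and len(path) >= 2 and path[-2] == origin_asn:
            problems.append(f"AS{path[-1]} looks like a repeat count entered as an ASN")
        return problems
    run = 0
    for asn in reversed(path):  # count the trailing run of our own ASN
        if asn != origin_asn:
            break
        run += 1
    if run != prepends + 1:
        problems.append(f"origin appears {run} times, expected {prepends + 1}")
    return problems


if __name__ == "__main__":
    # Constructed: what a route collector would show after the typo, and the
    # path the operator actually intended (AS133439 prepended 4 extra times).
    for p in ([701, 133439, 5], [701] + [133439] * 5, [701] + [133439] * 3):
        print(p, "->", check_origin_prepend(p, 133439, 4) or "OK")
```

Run against the path in Paul's Atrato output, parse_as_path turns "2.207" into 131279, which is the same ASN Tony's Juniper output shows in asplain, so the two views of the route can be compared directly. Running the check once after any change to an export policy, from a vantage point outside your own network, is what catches the count-as-ASN mistake before it sits in the global table for weeks.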





Re: Anyone else having trouble reaching thepiratebay.se? AS39138

2014-11-26 Thread Paul S.
No problem here in Los Angeles either, but seeing a lone route through 
Atrato only.


flags  destination        gateway  lpref  med  aspath                                    origin
*      194.71.107.0/24             100    0    3491 5580 39138 22351 2.207 51040         i
*      194.71.107.0/24             100    0    174 5580 39138 22351 2.207 51040          i



On 11/27/2014 11:24 AM, Tony Wicks wrote:

No problem here in New Zealand

tonyw@vrhost1-w show route 194.71.107.0/24

icore1-w.inet.0: 519451 destinations, 525214 routes (519437 active, 14
holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

194.71.107.0/24*[BGP/170] 10:25:44, MED 0, localpref 90
   AS path: 4826 5580 39138 22351 131279 51040 I,
validation-state: unverified
  to 175.45.102.9 via ae1.526

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Courtney Smith
Sent: Thursday, 27 November 2014 3:18 p.m.
To: Eric Tykwinski
Cc: nanog@nanog.org
Subject: Re: Anyone else having trouble reaching thepiratebay.se? AS39138

I just posted TATA as a single example.  This route is missing from multiple
networks.  I could not find the specific /24 on, Sprint(1239) ATT(7018) and
Centurylink either.

rvi...@route-server.ip.att.net show route 194.71.107.0/24

rvi...@route-server.ip.att.net





Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-20 Thread Paul S.

WANguard from andrisoft has worked well on this for us.

It supports flow telemetry and mirrored ports both (We use flows 
strictly), and does what it says it does.


No complaints.

On 11/21/2014 12:00 PM, Robert Duffy wrote:

I've been using NTOP for couple of years.  I'm mostly looking for something
that can quickly detect DDoS attacks in a datacenter environment.  Thanks
for the suggestions.  I'll check them out.

On Thu, Nov 20, 2014 at 6:50 PM, Tim Jackson jackson@gmail.com wrote:


I highly recommend pmacct and its in-memory tables. Lightweight, easy to
query and super fast.

You can also easily run multiple aggregates of traffic to find what you are
interested in, tag common interface types to easily filter traffic..

Or you can use pmacct to insert this into whatever database you want, AMQP
or MongoDB..

My current favorite is using an IMT table for DoS detection and another for
aggregates for interesting traffic types and querying this every X minutes
and inserting it into ElasticSearch. Kibana makes the most powerful netflow
dashboard ever.

--
Tim
On Nov 20, 2014 6:39 PM, Roland Dobbins rdobb...@arbor.net wrote:


On 21 Nov 2014, at 9:19, Robert Duffy wrote:

  What open-source NetFlow analysis tools would you recommend for quickly

detecting a DDoS attack?


I generally recommend that folks get started with something like
nfdump/nfsen or ntop.  There are other, more sophisticated tools out

there,

but these allow one to get up and running quickly, and to gain valuable
operational experience with which to evaluate more sophisticated tools,

if

they're needed.

---
Roland Dobbins rdobb...@arbor.net
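The thread asks for something that "can quickly detect DDoS attacks in a datacenter environment" from NetFlow, and the replies name tools (nfdump/nfsen, ntop, pmacct's in-memory tables, WANguard) without showing what the detection logic inside them amounts to. The following added example is not code from any of those projects or from the posters; it is the minimal per-destination aggregation and thresholding such a tool performs, run over a handful of constructed NetFlow-like records, with one extra step that names the amplification vector (NTP, SSDP and the like, which come up repeatedly on this page) when most of the traffic toward a target is UDP from a known reflector source port. The record layout, thresholds and addresses are all constructed.

```python
"""Added example: flow-record DDoS detection with vector attribution.

Constructed, not from the thread or from any flow tool: records resemble
what a NetFlow v5/v9 exporter delivers once decoded (one row per flow),
aggregated over a fixed export window.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List

# UDP source ports of common reflection/amplification vectors; the name is
# used only in the alert text.  Extend as needed.
REFLECTOR_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS", 19: "chargen"}


@dataclass(frozen=True)
class Flow:
    ts: float      # flow start, seconds
    src: str
    sport: int
    dst: str
    dport: int
    proto: int     # 6 = TCP, 17 = UDP
    packets: int
    octets: int


@dataclass
class Alert:
    dst: str
    pps: float
    bps: float
    vector: str    # e.g. "NTP amplification" or "unknown"


def detect(flows: Iterable[Flow], window_s: float,
           pps_threshold: float, bps_threshold: float) -> List[Alert]:
    """Aggregate flows per destination over one export window of window_s
    seconds and alert on any destination above either threshold.  The
    vector is attributed when a single reflector source port accounts for
    at least half of the bytes sent to that destination."""
    pkts: Dict[str, int] = defaultdict(int)
    octs: Dict[str, int] = defaultdict(int)
    udp_by_sport: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        pkts[f.dst] += f.packets
        octs[f.dst] += f.octets
        if f.proto == 17:
            udp_by_sport[f.dst][f.sport] += f.octets

    alerts: List[Alert] = []
    for dst, n in pkts.items():
        pps = n / window_s
        bps = octs[dst] * 8 / window_s
        if pps < pps_threshold and bps < bps_threshold:
            continue
        vector = "unknown"
        if udp_by_sport[dst]:
            sport, octets = max(udp_by_sport[dst].items(), key=lambda kv: kv[1])
            if sport in REFLECTOR_PORTS and octets / octs[dst] >= 0.5:
                vector = f"{REFLECTOR_PORTS[sport]} amplification"
        alerts.append(Alert(dst, pps, bps, vector))
    return sorted(alerts, key=lambda a: a.bps, reverse=True)


# Constructed one-minute sample: 203.0.113.10 receives NTP reflection
# (UDP source port 123, ~468-byte monlist responses from 20 reflectors);
# 203.0.113.20 carries ordinary HTTPS traffic.
SAMPLE_FLOWS: List[Flow] = [
    Flow(0, f"198.51.100.{i}", 123, "203.0.113.10", 40000 + i, 17, 60000, 60000 * 468)
    for i in range(1, 21)
] + [
    Flow(0, "192.0.2.5", 51000, "203.0.113.20", 443, 6, 3000, 3000 * 700),
    Flow(0, "192.0.2.6", 51001, "203.0.113.20", 443, 6, 2000, 2000 * 700),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS, window_s=60, pps_threshold=5000, bps_threshold=50e6):
        print(f"{a.dst}: {a.pps:.0f} pps, {a.bps / 1e6:.1f} Mbit/s, {a.vector}")
```

On the sample, only 203.0.113.10 trips the thresholds (20000 pps, about 75 Mbit/s) and is attributed to NTP amplification; the HTTPS host stays well below both. In a real deployment the thresholds would be per-prefix baselines rather than fixed numbers, and the attributed vector is what you would hand to an upstream when asking for a targeted filter (the "drop all udp to port n targeting block x" kind Paul mentions earlier) rather than a blanket UDP policer.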








Re: Route Science

2014-11-16 Thread Paul S.

There's another option called the Noction IRP.

I've been told that it's a cheaper FCP replacement.

On 11/17/2014 12:42 AM, Phil Bedard wrote:

Didn't Avaya completely drop the old Route Science line at this point?

Internap still sells their FCP appliance which does similar things and of
course Internap has their own MIRO system they have been using for
probably 15+ years now to optimize paths out of their own
datacenters/colos.  Like the fellow from Border6 mentioned you can get a
wealth of information out of the systems along with the path optimization.
  


Phil




On 11/16/14, 3:03 AM, Jimmy Hess mysi...@gmail.com wrote:


On Sat, Nov 15, 2014 at 4:44 PM, Clayton Zekelman clay...@mnsi.net
wrote:

I would also wonder if someone has more details about how useful and
good the Avaya/Routescience are in practice after significant time in
deployment in the real world on a large network,   were  they worth
whatever the price tag was  to get and maintain ?

Oh, and how about Border6 ?I  believe they have marketing language
claiming to be able to achieve some similar things,  in regards to
automatic path optimizations and rerouting.  :)



http://www.computerweekly.com/news/2240046663/Google-chooses-RouteScience
-Internet-technology

Yeah,  there are always great news stories.But media tends to
exaggerate things, and I think when it comes to enterprise products
it's strictly promotional.  When was the last time you heard a
followup news story on one of those sorts of things 1yr later about
BigCo dropped Vendor X product because they felt it's no longer
worth it,  the savings were less than expected and did not exceed the
cost of the product,  the actual thing fell short of marketing claims,
or didn't actually work out so well, etc, etc.



--
-JH




Re: Equinix Virginia - Ethernet OOB suggestions

2014-11-10 Thread Paul S.
I'd be doubtful if anyone will feel like offering a /23 with OOB as 
justification these days, sadly.


Good luck nonetheless.

On 11/10/2014 午後 11:00, Ruairi Carroll wrote:

Hey,

VPN setup is not really a viable option (for us) in this scenario.
Honestly, I'd prefer to just call it done already and have a VPN but due to
certain restraints, we have to go down this route.

/Ruairi

On 10 November 2014 14:38, Alistair Mackenzie magics...@gmail.com wrote:


Couldn't you put a router or VPN system on the single IP they are giving
you and use RFC1918 addressing space?

OOB doesn't normally justify a /24 let alone a /23.

On 10 November 2014 13:18, Ruairi Carroll ruairi.carr...@gmail.com
wrote:


Dear List,

I've got an upcoming deployment in Equinix (DC10) and I'm struggling to
find a provider who can give me a 100Mbit port (With a commit of about
5-10Mbit) with a /23 or /24 of public space , for OOB purposes. We had
hoped to use Equinixs services, however they're limiting us to a single
public IP.

I'm also open to other solutions - xDSL or similar, but emphasis is on
cheap and on-net.

Cheers
/Ruairi





Contact at internode / iiNet (AS4739)?

2014-11-10 Thread Paul S.

Hey,

If anyone from the routing / peering team of Internode / iiNet happens 
to frequent this list, could you reach me off-list?


I've been having routing problems with my peering session to you for a 
few months already, and haven't been able to get a response off the 
helpdesk.


Thanks, and sorry for the noise.


Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-09 Thread Paul S.

I've used the first one, and hacked on the second.

WANGuard, when deployed properly, works amazingly well.

ddosmon is only useful if you have netflow v5 flows (or sflow that can 
get converted to nfv5), but also works well when coupled with exabgp / 
openbgpd.


I added some per ip limiting / exemption features to it (which may or 
may not work, I no longer use it. We've moved to something in house) -- 
available on this fork (https://github.com/Wintereise/ddosmon-mod)


The atheme framework it's built on is fairly easy to extend as well.

But yeah, automated rtbh is really easy (and cheap!) to do these days.

On 11/9/2014 午前 11:56, srn.na...@prgmr.com wrote:

http://www.andrisoft.com/software/wanguard/ddos-mitigation-protection

https://bitbucket.org/tortoiselabs/ddosmon

https://github.com/FastVPSEestiOu/fastnetmon

I have no idea if any of them actually work.

On 11/08/2014 05:10 PM, Eric C. Miller wrote:

Today, we experienced (3) separate DDoS attacks from Eastern Asia, all generating 
> 2Gbps towards a single IP address in our network. All 3 attacks targeted 
different IP addresses with dst UDP 19, and the attacks lasted for about 5 minutes 
and stopped as fast as they started.

Does anyone have any suggestions for mitigating these type of attacks?

A couple of things that we've done already...

We set up BGP communities with our upstreams, and tested that RTBH can be set 
and it does work. However, by the time that we are able to trigger the black 
hole, the attack is almost always over.

For now, we've blocked UDP 19 incoming at our edge, so that if future, similar 
attacks occur, it doesn't affect our internal links.

What I think that I need is an IDS that can watch our edge traffic and 
automatically trigger a black hole advertisement for any internal IP beginning to 
receive > 100Mbps of traffic. A few searches are initially coming up dry...



Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115
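The automated trigger Eric asks for and Paul describes (NetFlow v5 in, RTBH announcement via ExaBGP out), as an added example that is not code from ddosmon, WANGuard or any other project named in the thread. The prefixes, addresses, sampling rate, flow records and the discard next-hop are constructed; the 100 Mbps threshold is the figure from the thread.

```python
"""Added example, not code from ddosmon, WANGuard or any project in the
thread: parse a NetFlow v5 datagram, aggregate bits per second per
destination, and emit ExaBGP API lines that blackhole local addresses
above a threshold.  All addresses, prefixes, flows and the next-hop below
are constructed or assumed."""
import ipaddress
import struct
from collections import defaultdict

# NetFlow v5 wire format (big-endian): 24-byte header, then 48-byte records.
NF5_HEADER = struct.Struct("!HHIIIIBBH")
NF5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")

OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]  # assumed: space we originate
RTBH_NEXT_HOP = "192.0.2.1"        # assumed: discard next-hop agreed with the upstream
THRESHOLD_BPS = 100_000_000        # 100 Mbps, the figure from the thread
BLACKHOLE = "65535:666"            # RFC 7999 well-known BLACKHOLE community


def parse_netflow_v5(datagram):
    """Return (sampling_rate, flows) for one NetFlow v5 datagram."""
    (version, count, _uptime, _secs, _nsecs, _seq, _etype, _eid,
     sampling) = NF5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram")
    rate = (sampling & 0x3FFF) or 1      # low 14 bits; 0 means unsampled
    flows = []
    for i in range(count):
        f = NF5_RECORD.unpack_from(datagram, NF5_HEADER.size + i * NF5_RECORD.size)
        flows.append({"src": str(ipaddress.ip_address(f[0])),
                      "dst": str(ipaddress.ip_address(f[1])),
                      "octets": f[6], "first_ms": f[7], "last_ms": f[8],
                      "dport": f[10], "proto": f[13]})
    return rate, flows


def bps_per_destination(rate, flows):
    """Scale sampled octets and turn them into bits/second per destination."""
    octets, first, last = defaultdict(int), {}, {}
    for f in flows:
        d = f["dst"]
        octets[d] += f["octets"] * rate
        first[d] = min(first.get(d, f["first_ms"]), f["first_ms"])
        last[d] = max(last.get(d, f["last_ms"]), f["last_ms"])
    # Floor the window at one second so a single short flow cannot divide by ~0.
    return {d: o * 8 / max((last[d] - first[d]) / 1000.0, 1.0)
            for d, o in octets.items()}


def rtbh_commands(rates):
    """ExaBGP API lines for local destinations above THRESHOLD_BPS.

    Only addresses inside OUR_PREFIXES are ever blackholed, so a flow
    record for someone else's space can never make us announce their /32.
    Withdrawal once the attack subsides ('withdraw route ...') is left to
    the operator's policy."""
    cmds = []
    for dst, bps in sorted(rates.items()):
        addr = ipaddress.ip_address(dst)
        if bps >= THRESHOLD_BPS and any(addr in p for p in OUR_PREFIXES):
            cmds.append(f"announce route {addr}/32 next-hop {RTBH_NEXT_HOP} "
                        f"community [{BLACKHOLE} no-export]")
    return cmds


def _record(src, dst, octets, first_ms, last_ms, dport, proto):
    """Pack one constructed v5 flow record (interfaces, ASNs, masks dummied)."""
    return NF5_RECORD.pack(int(ipaddress.ip_address(src)),
                           int(ipaddress.ip_address(dst)), 0, 1, 2,
                           max(octets // 1000, 1), octets, first_ms, last_ms,
                           0, dport, 0, 0, proto, 0, 0, 0, 24, 24, 0)


# Constructed datagram: 1:1000 sampling, a 10 s window, three UDP/19
# (chargen) reflection flows onto 192.0.2.10, a normal HTTPS flow to
# 192.0.2.20, and a large flow to 198.51.100.5 which is not our space.
SAMPLE_DATAGRAM = NF5_HEADER.pack(5, 5, 10_000, 1_415_491_200, 0, 1, 0, 0, 1000) + b"".join([
    _record("203.0.113.7", "192.0.2.10", 1_000_000, 0, 10_000, 19, 17),
    _record("203.0.113.8", "192.0.2.10", 1_000_000, 2_000, 9_000, 19, 17),
    _record("203.0.113.9", "192.0.2.10", 1_000_000, 500, 10_000, 19, 17),
    _record("203.0.113.20", "192.0.2.20", 50_000, 0, 10_000, 443, 6),
    _record("203.0.113.7", "198.51.100.5", 1_000_000, 0, 10_000, 19, 17),
])


if __name__ == "__main__":
    rate, flows = parse_netflow_v5(SAMPLE_DATAGRAM)
    for line in rtbh_commands(bps_per_destination(rate, flows)):
        print(line)   # feed to ExaBGP's API process / stdin
```

On the constructed datagram the victim aggregates to 2.4 Gbps and gets a single /32 announcement; the 800 Mbps flow to 198.51.100.5 is ignored because it is not in our space.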







Re: NTT high packet loss from US and BR to AU?

2014-10-22 Thread Paul S.

Does it actually persist to your destination?

Loss in transit paths is simply ICMP de-prioritization unless it's 
losing packets all the way to the last hop.


On 10/23/2014 午後 01:18, Javier J wrote:

Anyone else notice this?

Or is this an AWS issue in APAC that hasn't been reported yet?

AU-NY(aws)
18. xe-1.level3.lsanca03.us.bb.gin.n 72.0%

BR(aws)-AU(aws)
11. ae-9.r20.snjsca04.us.bb.gin.ntt.net 71.4%


NJ/NYC to AU(aws)
9. ae-9.r20.asbnva02.us.bb.gin.ntt.net 45.9% 772 10.1 16.4 9.2 94.4 13.3
10. ae-2.r21.lsanca03.us.bb.gin.ntt.net 40.5% 772 69.6 72.7 69.3 149.2 9.0




Re: IPv6 Default Allocation - What size allocation are you giving out

2014-10-09 Thread Paul S.

I've been using /36s per location, but hm -- great question.

How easy is it to get a larger allocation anyway? In RIPE, i.e: you just 
ask and get a /29 with no questions asked.


On 10/9/2014 午後 11:31, Faisal Imtiaz wrote:

Selection of a default prefix is easy.  Here are the steps.

4. Keeping in mind

 4.1 Prefixes longer than somewhere around /48 to /56 may be
 excluded from the global routing table

4.1a Prefix cutouts of any size (including /48) from inside your /32
or larger block may be excluded from the global routing table. Folks
who are multihomed and thus need to advertise their own block with BGP
should be referred to ARIN for a direct assignment. Folks who aren't
multihomed, well, until given evidence otherwise I claim there are no
single-homed entities who will use 65,000 LANs, let alone more.

=

This brings up another interesting question...

We operate two separate networks in two geographical locations (two ASNs); we 
have a single /32 allocation from ARIN.

Question:  Should we be asking ARIN for another /32 so that each network has 
its own /32, or should we break out the /32 into /36s and use these in each of 
the geographies?


Regards

Faisal Imtiaz
Snappy Internet & Telecom




Re: IPv6 Default Allocation - What size allocation are you giving out

2014-10-08 Thread Paul S.

I'm allocating /64s in /56 boundaries per customer.

Allows me to give the client more should they need it without fuss.

On 10/9/2014 午前 10:18, Erik Sundberg wrote:

I am planning out our IPv6 deployment right now and I am trying to figure out 
our default allocation for customer LAN blocks. So what is everyone giving for 
a default LAN allocation for IPv6 Customers.  I guess the idea of handing a 
customer /56 (256 /64s) or  a /48 (65,536 /64s) just makes me cringe at the 
waste. Especially when you know 90% of customers will never have more than 2 or 
3 subnets. As I see it the customer can always ask for more IPv6 Space.

/64
/60
/56
/48

Small Customer?
Medium Customer?
Large Customer?

Thanks

Erik







Re: cogent update suppression, and routing loops

2014-10-02 Thread Paul S.

First time I'm seeing it, and I've been a Cogent client for quite a while.

Have you tried getting in touch with their NOC yet? They're one of the 
most responsive in the industry.


On 10/3/2014 午前 01:03, ryanL wrote:

hi. relatively new cogent customer. is what i've stated in my subject line
kinda standard fare with them?

i've discovered that when i advertise a /24 from inside a larger /22 to XO,
(who peers with cogent), and then pull the /24 some time later, that cogent
holds onto the /24 and then bounces packets around in their network a bunch
of times for upwards of 8-10 minutes until they finally yank it. this
effectively blackholes traffic to my /24 for anyone that is using a path
thru cogent.

example: http://ryry.foursquare.com/image/0e0K1K0t0W2M

it's been a bit of a frustrating experience talking to their noc to
demonstrate it, but i'm able to duplicate it on demand. even pushing routes
using their communities to offload the circuit takes forever to propagate
even on their own looking-glasses.

thx

ryan




Re: Here comes iOS 8...

2014-09-17 Thread Paul S.

Later,

I think it requires 5.7G of free space on the device -- but the download 
is not that big.


On 9/18/2014 午前 11:04, JoeSox wrote:

Grant,
Do you have a reference? Someone just told me it is more around 5GB.

--
Later, Joe

On Wed, Sep 17, 2014 at 10:31 AM, Grant Ridder shortdudey...@gmail.com
wrote:


For those that are curious, it looks like the download is 1.1 gigs.

-Grant

On Wed, Sep 17, 2014 at 10:04 AM, Nick Olsen n...@flhsi.com wrote:


I've been waiting all morning.

  Expedited repair of a primary link to prepare for the traffic. Not that

it

didn't have multiple backups. But one doesn't trifle with IOS8 release
traffic.. If it's anything like IOS7 was..

  Nick Olsen
Network Operations  (855) FLSPEED  x106



  From: Zachary McGibbon zachary.mcgibbon+na...@gmail.com
Sent: Wednesday, September 17, 2014 12:59 PM
To: NANOG nanog@nanog.org
Subject: Here comes iOS 8...
So Apple is about to release iOS 8... Have you done anything special to
your network setup to accommodate the traffic flood ie traffic shaping
rules, cache servers, etc?

I heard that Apple Caching servers won't work with this update, so I'm
guessing it will be pushed through Akamai servers as is usually is.

- Zachary







Re: Dealing with abuse complaints to non-existent contacts

2014-08-10 Thread Paul S.
It would appear you've done your part in trying to reach out (and 
subsequently failed), so the next step to go is dropping all traffic 
from it.


Nothing wrong with trying to protect your own customer from people who 
cannot be bothered to do their own due diligence.


On 8/11/2014 午前 12:19, Gabriel Marais wrote:

Hi Nanog

I'm curious.

I have been receiving some major ssh brute-force attacks coming from random
hosts in the 116.8.0.0 - 116.11.255.255 network. I have sent a complaint to
the e-mail addresses obtained from a whois query on one of the IP Addresses.

My e-mail bounced back from both recipients. Once being rejected by filter
and the other because the e-mail address doesn't exist. I would have
thought that contact details are rather important to be up to date, or not?

Besides just blocking the IP range on my firewall, I was wondering what
others would do in this case?


Regards, Gabriel




Re: [j-nsp] Viability of EX4300 in a primarily l3 environment?

2014-08-06 Thread Paul S.
Correct me if I'm wrong, but doesn't OSPF require the AFL license anyway 
to be 'legitly' ran?


Price difference might be a lot smaller depending on that.

On 8/6/2014 午後 08:30, Yucong Sun wrote:

I used ex4200 to do exactly what you did before.  ex4200 releases are pretty
rock solid, feature extensive, although with lower arp entry limits.

Given the price difference maybe you can connect each l2 domain to its own
ex4200 and have them do ospf routing among themselves, which may give you
better failure tolerance compared to a single core.


On Wed, Aug 6, 2014 at 6:35 PM, Giuliano Cardozo Medalha 
giuli...@wztech.com.br wrote:


we are using ex4300 with the last release available

the setup is pretty simple using virtual chassis, lag, L3 and poe

it works pretty fine and we do not have any serious problems

sometimes the poe controller goes down but we have a case opened in jtac
to try to solve it

Sent from my iPhone


On 06/08/2014, at 07:15, Sebastian Wiesinger juniper-...@ml.karotte.org

wrote:

* Paul S. cont...@winterei.se [2014-08-02 05:18]:

Hi folks,

We're considering the EX4300 to run routing (l3) for a few
hypervisors of ours that are connected via l2.

Primarily interested due to the rather massive arp limit (64, 000)
on the switch, but we've been told (and searched for ourselves to
find out) that the 4300 platform has been plagued by random issues
since launch.

I don't have hands-on experience but I looked at the EX4300 platform
for a new deployment. If you look at the current release notes:



http://www.juniper.net/techpubs/en_US/junos13.2/information-products/topic-collections/ex-qfx-series/release-notes/ex-qfx-series-junos-release-notes-13.2X51-D25.pdf

There are a lot of (serious) bugs still getting fixed so I'm not sure
how mature this platform is. One big reason for that is probably
because EX4300 uses other chips than the rest of the 4xxx series
(Broadcom).

Regards

Sebastian

--
GPG Key: 0x93A0B9CE (F4F6 B1A3 866B 26E9 450A  9D82 58A2 D94A 93A0 B9CE)
'Are you Death?' ... IT'S THE SCYTHE, ISN'T IT? PEOPLE ALWAYS NOTICE THE

SCYTHE.

-- Terry Pratchett, The Fifth Elephant
___
juniper-nsp mailing list juniper-...@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp

___
juniper-nsp mailing list juniper-...@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


___
juniper-nsp mailing list juniper-...@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp




Re: [j-nsp] Viability of EX4300 in a primarily l3 environment?

2014-08-06 Thread Paul S.

On 8/6/2014 午後 09:13, Vincent Bernat wrote:

  ❦  6 August 2014 20:54 +0900, Paul S. cont...@winterei.se :


Correct me if I'm wrong, but doesn't OSPF require the AFL license
anyway to be 'legitly' ran?

OSPF does not need a feature license on those models (it is needed on
EX2200). AFL is needed for BGP, IS-IS and MPLS.


3300 too, apparently -- thanks for the correction.


Re: EBAY reachability issues

2014-07-31 Thread Paul S.
Appears to be loading just fine from here in Sg.
On Jul 31, 2014 11:21 PM, Mike A mi...@mikea.ath.cx wrote:

 On Thu, Jul 31, 2014 at 02:38:13PM +, Drew Weaver wrote:
  We've been seeing some issues with getting to Ebay this morning, only a
 very select few of their GSLB sites in DNS seem to be responding (to us at
 least)...
 
  Connecting to www.ebay.com|66.135.210.181|:80... connected.
  HTTP request sent, awaiting response... 200 OK
 
  Connecting to www.ebay.com|66.211.181.161|:80... connected.
  HTTP request sent, awaiting response...timed out
 
  Connecting to www.ebay.com|66.211.181.181|:80... connected.
  HTTP request sent, awaiting response...timed out
 
  Tried reaching out to them but can't contact anyone if anyone has a
 contact there please forward.

 isitdownrightnow.com says that ebay isn't answering and hasn't been for
 close to 14 hours.

 --
 Mike Andrews, W5EGO
 mi...@mikea.ath.cx
 Tired old sysadmin



Re: Verizon Public Policy on Netflix

2014-07-21 Thread Paul S.

When exactly did we sign up for a discrete math course `-`

On 7/21/2014 午後 09:31, Michael Conlen wrote:

On Jul 18, 2014, at 2:32 PM, Jay Ashworth j...@baylink.com wrote:


- Original Message -

From: Owen DeLong o...@delong.com
But the part that will really bend your mind is when you realize that
there is no such thing as THE Internet.

The Internet as the largest equivalence class in the reflexive, transitive, 
symmetric closure of the relationship 'can be reached by an IP packet from'
-- Seth Breidbart.

I happen to like this idea but since we are getting picky and equivalence 
classes are a mathematical structure 'can be reached by an IP packet from’ is 
not an equivalence relation. I will use ~ as the relation and say that x ~ y if 
x can be reached by an IP packet from y

In particular symmetry does not hold. a ~ b implies that a can be reached by b 
but it does not hold that b ~ a; either because of NAT or firewall or an 
asymmetric routing fault. It’s also true that transitivity does not hold, a ~ b 
and b ~ c does not imply that a ~ c for similar reasons.

Therefore, the hypothesis that ‘can be reached by an IP packet from’ partitions 
the set of computers into equivalence classes fails.

Perhaps if A is the set of computers then “The Internet” is the largest subset 
of AxA, say B subset AxA, such for (a, b) in B the three relations hold and the 
relation partitions B into a single equivalence class.

That really doesn’t have the same ring to it though does it.

—
Mike
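Mike's argument above, carried through on a small constructed reachability relation as an added example (mine, not part of the thread): the relation fails symmetry and transitivity, Breidbart's closure lumps every host into one class anyway, and the partition by mutual reachability is the one that is actually an equivalence relation. The hosts and the relation are constructed.

```python
"""Added example (mine, not from the thread): check whether a small
constructed 'can be reached by an IP packet from' relation is an
equivalence relation, then compare Breidbart's closure-based class with
the partition you get from mutual reachability."""


# Constructed hosts and relation.  (x, y) in REACH means x ~ y in Mike's
# notation: x can be reached by an IP packet from y.
HOSTS = ["a", "b", "c", "nat_client"]
REACH = {
    ("a", "b"), ("b", "a"),   # a and b reach each other
    ("b", "c"),               # b is reachable from c, but ("c", "b") is absent:
                              # an asymmetric routing fault drops b -> c
    ("a", "nat_client"),      # the NAT'd client can send to a, but
                              # ("nat_client", "a") is absent: nothing
                              # unsolicited reaches a host behind NAT
    # ("a", "c") is absent even though a ~ b and b ~ c: transitivity fails
}


def is_reflexive(rel, hosts):
    return all((h, h) in rel for h in hosts)


def is_symmetric(rel):
    return all((y, x) in rel for (x, y) in rel)


def is_transitive(rel):
    return all((x, z) in rel
               for (x, y) in rel for (y2, z) in rel if y == y2)


def is_equivalence(rel, hosts):
    return is_reflexive(rel, hosts) and is_symmetric(rel) and is_transitive(rel)


def transitive_closure(rel):
    """Smallest transitive relation containing rel (naive fixpoint)."""
    r = set(rel)
    while True:
        new = {(x, z) for (x, y) in r for (y2, z) in r if y == y2} - r
        if not new:
            return r
        r |= new


def rst_closure(rel, hosts):
    """Reflexive, symmetric, transitive closure: Breidbart's construction."""
    r = set(rel) | {(h, h) for h in hosts}
    r |= {(y, x) for (x, y) in r}
    return transitive_closure(r)


def classes(equiv, hosts):
    """Partition hosts by an equivalence relation given as a set of pairs."""
    out, seen = [], set()
    for h in hosts:
        if h not in seen:
            cls = frozenset(k for k in hosts if (h, k) in equiv)
            seen |= cls
            out.append(cls)
    return out


def mutual_classes(rel, hosts):
    """Partition by 'each can reach the other, possibly via relays'.
    Intersecting the transitive closure with its inverse is always an
    equivalence relation, unlike rel itself."""
    t = transitive_closure(set(rel) | {(h, h) for h in hosts})
    mutual = {(x, y) for (x, y) in t if (y, x) in t}
    return classes(mutual, hosts)


if __name__ == "__main__":
    print("reflexive:", is_reflexive(REACH, HOSTS),
          "symmetric:", is_symmetric(REACH),
          "transitive:", is_transitive(REACH))
    print("closure classes:", classes(rst_closure(REACH, HOSTS), HOSTS))
    print("mutual classes:", mutual_classes(REACH, HOSTS))
```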





Re: DDoS mitigation Equinix?

2014-07-20 Thread Paul S.
CF is willing to offer network drops over GRE / XCs too and filter 
everything apparently if the price is right.


It is a custom service, though.

On 7/20/2014 午後 11:32, Ameen Pishdadi wrote:

Equinix doesn't provide DDoS protection; CloudFlare is able to mitigate 
attacks by spreading out the traffic across 20-30 different pops which are 
mostly located at Equinix. CloudFlare is pretty much a cdn; people have been 
using cdns for years to mitigate DDoS, like Akamai. It wasn't really popular 
though because of how expensive cdns like Akamai were; btw they recently bought 
Prolexic. CloudFlare as far as I know does not sell DDoS protection service by 
any other means than their web proxy/cache service. Also their core business 
isn't DDoS protection, it's website optimization via cdn type setup.

Our company also uses Equinix and other carrier hotels to provide DDoS 
protection: we provide a connection to our network by cross connects or peering 
exchanges, 1 gig or 10 gig, and filter the DDoS before it leaves our network; 
this can be on full time or only when an attack is detected.
Other methods of filtered traffic delivery are gre VPN tunnels and the reverse 
proxy method. The difference between us / Prolexic vs CloudFlare is that the 
different delivery methods allow protection against attacks towards other 
services and protocols besides the http protocol/websites, and protection against 
entire networks versus an individual domain; it's just a different business 
model going after different market segments.



Sent from my iPhone


On Jul 19, 2014, at 2:44 AM, Abuse Contact stopabuseandrep...@gmail.com wrote:

Hi,
I've heard that using Equinix has its DDoS protection benefits like large
companies such as CloudFlare use them for DDoS mitigation, I don't get it,
how do they help with DDoS protection? You still get a 1Gbit from them or
whatever and also do you guys know around how much they'd cost?

Thanks!

Sent from my iPhone






Re: BGP Session

2014-07-19 Thread Paul S.
I believe you'll find that all of this gets a lot easier if you try to 
understand how layer 3 routing itself works instead of asking sporadic 
questions one at a time.


I recommend picking up a layer 3 routing book for the platform of your 
choice and going through the basics.


On 7/19/2014 午後 04:43, Abuse Contact wrote:

Hi,
Yeah, I need to turn on and off overtime, but I'm getting my own ASN very
soon so that shouldn't be a problem soon! :)
but how would I go about turning off a location at a certain time?


Thanks!


On Wed, Jul 16, 2014 at 5:50 PM, Jonathan Lassoff j...@thejof.com wrote:


Wow -- be careful playing with public eBGP sessions unless you know
what you're doing. It can affect the entire Internet.

Since you're just connecting to a single upstream ISP, you won't
qualify for a public AS number. So, you'll have to work with your
upstream ISP to agree on a private AS number you can use.
You will be setting up an eBGP session (which is a session between two
different AS numbers, as opposed to iBGP, wherein the AS numbers are
the same).

As for running BGP on a dedicated server, it'll depend on the OS in
use. Assuming Linux, take a look at Quagga, BIRD, and ExaBGP.
http://www.nongnu.org/quagga/
http://bird.network.cz/
https://code.google.com/p/exabgp/


It may be a *lot* easier for you to just have your upstream ISP
announce your IP space, and route it to your dedicated server, unless
you need the ability to turn it off and on over time.

Cheers,
jof

On Wed, Jul 16, 2014 at 1:05 AM, Abuse Contact
stopabuseandrep...@gmail.com wrote:

Hi,
So I just purchased a Dedicated server from this one company and I have a
/24 IPv4 block that I bought from a company on WebHostingTalk, but I am
clueless on how to setup the /24 IPv4 block using the BGP Session. I want
to set it up to run through their network as if it was one of their IPs,
etc. I keep seeing things like iBGP (which I think means like a inner
routing BGP) and eBGP (what I'm talking about??) but I have no idea how

to

set those up or which one I would need.

Any help would be appreciated.


Thanks!




Re: DDoS mitigation Equinix?

2014-07-19 Thread Paul S.
This is done by performing some sort of filtering / acling, be it 
proactive or reactive on the traffic before it's handed off to you.


How exactly EQX' solution is engineered is a question best left for 
their sales engineers or similar people to answer, though.


On 7/19/2014 午後 04:44, Abuse Contact wrote:

Hi,
I've heard that using Equinix has its DDoS protection benefits like large
companies such as CloudFlare use them for DDoS mitigation, I don't get it,
how do they help with DDoS protection? You still get a 1Gbit from them or
whatever and also do you guys know around how much they'd cost?

Thanks!




Re: Net Neutrality...

2014-07-18 Thread Paul S.

On 7/19/2014 午前 03:35, William Herrin wrote:

On Fri, Jul 18, 2014 at 2:05 PM, Rob Seastrom r...@seastrom.com wrote:

Michael Thomas m...@mtcc.com writes:

On 7/17/14, 2:15 PM, valdis.kletni...@vt.edu wrote:

/me makes popcorn and waits for 4K displays to drop under US$1K and
watch the network providers completely lose their shit

http://www.amazon.com/Seiki-SE39UY04-39-Inch-Ultra-120Hz/dp/B00DOPGO2G

$339!

I use it for doing dev. It's *fabulous*.

Refresh rate is limited to 30Hz with 4K

Bracing for my first seizure ever in 3...  2... 1...

Hi Rob,

An LED screen doesn't refresh the way a CRT does, right? The light
doesn't flash and fade, it stays constant until the next change. So
why would a 30 hz refresh rate make any difference at all for tasks
which update the screen less often than 30 times a second? Mike did
say he used it for doing software development.

Movies were shot at 24fps and TV shows at 30fps (60 interlaced), so
I'm not sure where the harm would be there either.

Regards,
Bill Herrin




For all intents and purposes, it actually does work fine -- yeah.

I've got a few friends who bought it, it seems to work fine.


Re: Inevitable death, was Re: Verizon Public Policy on Netflix

2014-07-14 Thread Paul S.

On 7/15/2014 午後 12:51, Brett Glass wrote:
But regardless of the financial arrangements, such a connection 
doesn't require an ASN or BGP. In fact, it doesn't even require a 
registered IP address at either end! A simple Ethernet connection (or 
a leased line of any kind, in fact; it could just as well be a virtual 
circuit) and a static route would work just fine.


--Brett Glass

At 09:35 PM 7/14/2014, Mike Lyon wrote:

So if Netflix was at 1850 Pearl, you wouldn't be able to peer with 
them anyways cuz u have no ASN?




Why would any content network (realistically) be interested in manually 
maintaining your prefixes in their routing table? BGP exists for a 
reason, you really should be using it.


The fact that you don't have an ASN means that automatically creating 
said static routes based on data from some IRRd is likely more trouble 
than it's likely to be worth as well.


Re: Verizon Public Policy on Netflix

2014-07-10 Thread Paul S.
Unless said tf2 server happens to be hosted within UU's own network, I'd 
imagine the blame would go to whichever party in the transit path 
refused to upgrade their commitments.


On 7/11/2014 午前 10:21, Jim Popovitch wrote:

On Thu, Jul 10, 2014 at 9:12 PM, Miles Fidelman
mfidel...@meetinghouse.net wrote:

Randy Bush wrote:

And, of course, one might ask why Netflix isn't ... making use of a
caching network like Akamai, as many other large traffic sources do
on a routine basis.

they do.  netflix rolls their own cache servers, installable in any
network



At the ISP's expense, including connectivity to a peering point. Most content
providers pay Akamai, Netflix wants ISPs to pay them. Hmmm

Now I write a check every month to both Verizon and Netflix - and clearly it
would be nice if some of that went to provisioning better service between
the two.  But I can as easily point to Netflix, as to Verizon, when it comes
to which dollar stream should be going to bigger (or more efficient) pipes.

I was going to sit on the sidelines but...

Take Netflix out of the equation and google things like tf2 verizon
fios or any other game.  Who do you point the finger at then?

-Jim P.




Re: Team Cymru / Spamhaus

2014-06-27 Thread Paul S.

+1, blanket banning is probably not the best way to go.

On 6/28/2014 午前 05:40, Jon Lewis wrote:

On Fri, 27 Jun 2014, Adam Greene wrote:

We're evaluating whether to add BGP feeds from these two sources in 
attempt

to minimize exposure to DoS.

The Team Cymru BOGON list (

http://www.team-cymru.org/Services/Bogons/bogon-bn-nonagg.txt or

http://www.team-cymru.org/Services/Bogons/bogon-bn-agg.txt


These really won't do anything to stop DoS attacks. Common DDoS attack 
traffic these days comes via reflection from non-spoofed sources 
replying to a spoofed public IP target.



http://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt


Same here. Whether or not it's worth null routing unallocated IP space 
may be debatable, but again, it's not going to help protect you from a 
typical real DDoS.


We're a little more leery about trying Spamhaus's BGPf service (DROP, 
EDROP

and BCL,

http://www.spamhaus.org/bgpf/


This is more about stopping spam from entering your network and 
stopping compromised hosts on your network from becoming active in 
botnets (by cutting off their command and control).


--
Jon Lewis, MCP :)           |  I route
                            |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key _________




Re: real-time traffic engineering/management solutions

2014-06-04 Thread Paul S.

Two 'established' options are,

0. Noction IRP (As mentioned)
1. Internap FCP

Everyone appears to either be using one of these, or have gone full custom.

On 6/4/2014 午後 10:52, Tassos Chatzithomaoglou wrote:

I'm having a look at real-time traffic engineering/management solutions that 
include visibility/analysis/control and offer the following basic 
characteristics:

1) take into account

   * links utilization/threshold/deviation
   * link price
   * packet delay/loss
   * physical/logical topology


2) and offer real-time automatic ingress/egress traffic adjustment using

   * netconf & bgp to change localpref/med/aspath/community attributes 
(mandatory)
   * SDN/Openflow/I2RS/PCEP technologies (optional)


3) considering only IP traffic (MPLS can be optional), especially on external 
links used for peering and transit by tier-1/2 providers.

Do you have any personal experience regarding the above features?

 From my personal search Cisco offers Quantum/WAE (inc MATE) which seem very 
limited in real-time functionality and Huawei offers RR+ which seems 
interesting but unknown to many people (and maybe not compatible with all 
vendor routers).

Any other idea or commercial option? Offline answers would be good too.


--
Tassos





Re: ipmi access

2014-06-02 Thread Paul S.

On 6/2/2014 午後 09:19, Andrew Latham wrote:

I use OpenVPN to access an Admin/sandboxed network with insecure portals,
wiki, and ipmi.
On Jun 2, 2014 7:13 AM, Randy Bush ra...@psg.com wrote:


so how to folk protect yet access ipmi?  it is pretty vulnerable, so 99%
of the time i want it blocked off.  but that other 1%, i want kvm
console, remote media, and dim sum.

currently, i just block the ip address chunk into which i put ipmi at
the border of the rack.  when i want access, i reconfig the acl.  bit of
a pita.

anyone care to share better idea(s)?  thanks.

randy



Depends.

On most ATEN chip based BMC boards from Supermicro, it includes a UI to 
iptables that works in the same way.


You could put it on a public net, allow your stuff and DROP 0.0.0.0/0.

But unless you have servers with those, I think the best way to go is 
putting them on internal IPs and then using some sort of a VPN.


Re: ipmi access

2014-06-02 Thread Paul S.

True, excellent point as well.

Multiple openvpn/ipsec entry points on an internal network is probably 
the best way to go.


On 6/2/2014 午後 09:33, Jeroen Massar wrote:

On 2014-06-02 14:23, Paul S. wrote:
[..]

On most ATEN chip based BMC boards from Supermicro, it includes a UI to
iptables that works in the same way.

You could put it on a public net, allow your stuff and DROP 0.0.0.0/0.

But unless you have servers with those, I think the best way to go is
putting them on internal IPs and then using some sort of a VPN.

While you are typing the iptables command, do a check of the software
versions, typically they are running a decade old kernel and a lot of
unpatched software that is exposed. You really do not want to run that
on the Interwebs, just the idea of any packet arriving to such a kernel
is scary.


Relevant good reads:
http://michael.stapelberg.de/Artikel/supermicro_ipmi_openvpn
https://plus.google.com/+TobiasDiedrich/posts/Bq44KkBT3vK

The first URL references 2.6.17, yes... *2.6.17* is the CURRENT version
of the kernel running on most IPMIs out there.

http://kernelnewbies.org/Linux_2_6_17 - Released 17 June, 2006

8 years... ouch, yeah, no way that is going to be attached to a public
network...

Thus please, don't shoot yourself in the foot with that and more
importantly don't shoot the rest of the Internet in the foot as they'll
receive the packets.


Note: the IPMI that Michael describes is on an unrouted VLAN, the access
to the OpenVPN port that he runs on the IPMI happens through SSH on a
jumpbox which is ACLd away.

Greets,
  Jeroen

   (who is still awaiting for Zeus4IPMI)






Re: level3 dia egress filtering?

2014-05-13 Thread Paul S.

You can't really have your cake, and eat it too.

If this is a deal breaker for anyone, getting it in writing within the 
contract should be the most basic of steps to undertake. Asking 
beforehand will also actually let you know who will and won't do this, 
thus avoiding surprises like these altogether.


Otherwise, as Mark mentioned, they're entirely within the contractual 
agreement.


On 5/13/2014 午後 10:51, Blake Dunlap wrote:

I would personally look at leaving Level 3 over that kind of response.
I consider it basic service to throw a 1 line acl on an interface
temporarily in exceptional circumstances. Transit guys can argue if
they wish, but it won't change my expectations as a customer.
Eventually I'll find a carrier that will offer reasonable service.

I know it's why I kept UUnet back in the day, and dropped all my other
providers at the time. Heck ATT even blackholed our traffic with a
static null, so we were broken even after depeering for several hours
until we could find someone who knew what a route was via their
support.

-Blake

On Tue, May 13, 2014 at 4:02 AM, Mark Tinka mark.ti...@seacom.mu wrote:

On Monday, May 12, 2014 11:58:20 PM Petter Bruland wrote:


We contacted Level3 a few weeks back, and were told that
they do not provide any filtering service. I've not been
able to confirm this from anyone else, besides the
Level3 customer service rep we spoke with.

We've received such requests from customers as well, and our
policy is we do not implement any kind of filtering, even
though it is restricted to just one customer.

If the customer is looking for DoS/DDoS Mitigation services,
that is something else that can be offered.

But as an ISP, filtering in the data plane that is not for
the protection of our core's control plane is not our deal.
It is not something I'd ask of my IP Transit provider, nor
support that they do.

Mark.




Re: Best practices IPv4/IPv6 BGP (dual stack)

2014-05-03 Thread Paul S.
As a precaution, you should always deny ipv6 unicast on v4 sessions, and
vice versa.


On 5/3/2014 午後 03:01, Eugeniu Patrascu wrote:

On Fri, May 2, 2014 at 10:44 PM, Deepak Jain dee...@ai.net wrote:


Between peering routers on a dual-stacked network, is it considered best
practices to have two BGP sessions (one for v4 and one for v6) between
them? Or is it better to put v4 in the v6 session or v6 in the v4 session?

According to docs, obviously all of these are supported and if both sides
are dual stacked, even the next-hops don't need to be overwritten.



I've done it separately. IPv4 with IPv4, IPv6 with IPv6. From my point of
view it's a cleaner configuration to have things decoupled completely:
management, debugging.



Is there any community-approach to best practices here? Any FIB weirdness
(e.g. IPv4 routes suddenly start sucking up IPv6 TCAM space, etc)  that
results with one solution over the other?



None that I've noticed.




Re: We hit half-million: The Cidr Report

2014-04-29 Thread Paul S.

There are many actually doing this, to be honest.

From the top of my head, in the greater Dallas area, 54540 comes to mind.

http://bgp.he.net/AS54540#_asinfo

For large ASNs like these, aggregation would really help the table size.

That said, working on reducing our own as well.

On 4/29/2014 10:29 PM, Kate Gerry wrote:

Already working on aggregating as much as I can. I was checking  my tables the 
other day and I think I saw another provider advertising their /18 as /24s, it 
made me sick.

--
Kate Gerry
Network Manager
k...@quadranet.com

1-888-5-QUADRA Ext 206 | www.QuadraNet.com
Dedicated Servers, Colocation, Cloud Services and more.
Datacenters in Los Angeles, Dallas and Miami.

Follow us on:

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Patrick W. Gilmore
Sent: Tuesday, April 29, 2014 9:23 AM
To: NANOG list
Subject: Re: We hit half-million: The Cidr Report


The remainder of the prefixes (45%) shares the same origin AS and the same path.
They could be TE prefixes, but as they are identical to their covering
aggregate it's hard to appreciate exactly what the engineering intent
may be. I could make a wild guess and call these 45% of more specifics
to be an act of senseless routing vandalism. ( :-) ) This number has been 
steady as a % for the past three years.

This could easily be TE, and a type of TE which would be trivially fixed.

Let's take a simple example of a network with a /22 and 4 POPs. They have the 
same transit provider(s) at all 4 POPs and a small backbone to connect them. 
Each POP gets a /24.

A not-ridiculous way to force their transit provider to carry bits instead of clogging 
their backbone while still ensuring redundancy would be to announce the /22 at all four 
POPs and the individual /24 at each individual POP. This creates four /24s and a covering 
/22 with exactly the same path, but still has use as TE.

Of course, it would be trivial for the network to clean up their act by attaching 
no-export to the /24s. But some people either do not know it exists, know how it works, 
or know BGP well enough to understand it would not harm them. Or maybe they are just 
lazy: What's 3 extra prefixes in half a million?

The answer to the last question is, frankly, nothing. But 3 prefixes for 30K ASNs is an 
ass-ton. (That's a technical term meaning lots & lots.)


This is a good time for a marketing effort. Let's see if we can get the table 
back under 500K. Everyone check your announcements. Are you announcing more 
specifics and a covering aggregate with the same path? Can you delete the more 
specific? Can you add no-export or another community to keep the more specifics 
from the global table?

If you are unsure, ask. I think it would be rather awesome if we saw a quick reversal in table 
growth and went back under 500K, even if it was short lived. ESPECIALLY if we can do it before we 
hit 512K prefixes. Would prove the community still cares about, well, the community, not just their 
own network. Because on the Internet, your network is part of the 
community, and things that harm the latter do harm the former, even if it is difficult 
for you to see sometimes.

Who will be the first to pull back a few prefixes?

--
TTFN,
patrick

On Apr 29, 2014, at 03:31 , Geoff Huston g...@apnic.net wrote:


On 29 Apr 2014, at 12:39 pm, valdis.kletni...@vt.edu wrote:


On Mon, 28 Apr 2014 21:59:43 -0400, Patrick W. Gilmore said:

On Apr 28, 2014, at 19:41, Chris Boyd cb...@gizmopartners.com wrote:
I'm in the middle of a physical move.  I promise I'll take the 3
deagg'd /24s out as soon as I can.

Do not laugh. If everyone who had 3 de-agg'ed prefixes fixed it, the
table would drop precipitously. We all have to do our part.

Do we have a handle on what percent of the de-aggrs are legitimate
attempts at TE, and what percent are just whoopsies that should be 
re-aggregated?


I made a shot at such a number in a presentation to NANOG in Feb this
year
(http://www.potaroo.net/presentations/2014-02-09-bgp2013.pdf)


If you assume that Traffic Engineering more specifics share a common
origin AS with the covering aggregate, then around 26% of more
specifics are TE advertisements. This number (as a percentage) has
grown by 5% over the past three years


If you assume that Hole Punching more specifics are more specifics
that use a different origin AS, then these account for 30% of the more 
specifics in today's routing table.
This number has fallen by 5% over the past three years.

The remainder of the prefixes (45%) shares the same origin AS and the same path.
They could be TE prefixes, but as they are identical to their covering
aggregate it's hard to appreciate exactly what the engineering intent
may be. I could make a wild guess and call these 45% of more specifics
to be an act of senseless routing vandalism. ( :-) ) This number has been 
steady as a % for the past three years.

Interestingly, it's the hole punching more specifics that are less
stable, and the 
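
The classification Geoff Huston's quoted analysis uses, and the cleanup Patrick asks for, as an added example in Python; it is not code from this thread or from the CIDR Report. Given a table of prefixes and the AS path each was seen with, it finds each more-specific's covering aggregate, labels it hole-punch (different origin AS), TE (same origin, different path) or redundant (same origin and same path), and lists the redundant ones as candidates for withdrawal or a no-export community. The sample table (RFC 5737 prefixes, RFC 5398 documentation AS numbers) and the function names are constructed for illustration. One caveat: this is a single vantage point's view, so a prefix that looks redundant here may still be doing TE as seen from another network.

```python
"""
Classify more-specific prefixes in a BGP table by how they relate to the
covering aggregate, using the three classes from the CIDR Report analysis
quoted in the thread. Added example with a constructed table.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# prefix -> AS path as seen from one vantage point; the origin AS is the last element
RouteTable = Dict[str, Tuple[int, ...]]

# Constructed: a /22 announced at four POPs plus one /24 per POP on the same
# path (Patrick's example), one TE more-specific, and one hole punch.
SAMPLE_TABLE: RouteTable = {
    "198.51.100.0/22": (64500, 64496),
    "198.51.100.0/24": (64500, 64496),
    "198.51.101.0/24": (64500, 64496),
    "198.51.102.0/24": (64500, 64496),
    "198.51.103.0/24": (64500, 64496),
    "192.0.0.0/22":    (64500, 64496),
    "192.0.2.0/24":    (64500, 64501, 64496),   # same origin, different path: TE
    "203.0.112.0/23":  (64500, 64496),
    "203.0.113.0/24":  (64500, 64496, 64497),   # customer AS punches a hole
}


def covering_aggregate(prefix: str, table: RouteTable) -> Optional[str]:
    """Longest prefix in `table` that is strictly shorter than `prefix` and
    contains it, or None when `prefix` is itself a top-level announcement."""
    net = ipaddress.ip_network(prefix)
    best_key, best_len = None, -1
    for candidate in table:
        cnet = ipaddress.ip_network(candidate)
        if cnet.version != net.version or cnet.prefixlen >= net.prefixlen:
            continue
        if net.subnet_of(cnet) and cnet.prefixlen > best_len:
            best_key, best_len = candidate, cnet.prefixlen
    return best_key


def classify(table: RouteTable) -> Dict[str, str]:
    """Label every prefix: 'aggregate' for top-level routes, otherwise
    'hole-punch', 'te' or 'redundant' relative to its covering aggregate."""
    labels = {}
    for prefix, path in table.items():
        agg = covering_aggregate(prefix, table)
        if agg is None:
            labels[prefix] = "aggregate"
            continue
        agg_path = table[agg]
        if path[-1] != agg_path[-1]:
            labels[prefix] = "hole-punch"      # different origin AS
        elif path != agg_path:
            labels[prefix] = "te"              # same origin, different path
        else:
            labels[prefix] = "redundant"       # identical to the aggregate
    return labels


def redundant_more_specifics(table: RouteTable) -> List[str]:
    """Prefixes that add nothing to the global table: same origin and same
    path as their covering aggregate. Withdraw them or tag them no-export."""
    return sorted(p for p, label in classify(table).items() if label == "redundant")


def summarize(table: RouteTable) -> Dict[str, float]:
    """Share of each class, as a percentage of all more-specifics."""
    labels = [l for l in classify(table).values() if l != "aggregate"]
    total = len(labels) or 1
    return {cls: round(100.0 * labels.count(cls) / total, 1)
            for cls in ("te", "hole-punch", "redundant")}


if __name__ == "__main__":
    for prefix, label in sorted(classify(SAMPLE_TABLE).items()):
        print(f"{prefix:18} {label}")
    print("withdraw or no-export:", redundant_more_specifics(SAMPLE_TABLE))
    print(summarize(SAMPLE_TABLE))
```

Feeding it a real table means collecting (prefix, AS path) pairs from a looking glass or a route collector dump; the classification itself is the same.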

Re: ARIN Enters Phase Four of the IPv4 Countdown Plan

2014-04-23 Thread Paul S.
Am I the only one who thinks this 'clench' is rather absurd, especially 
right after one company pretty much got 1/4th of all remaining address 
space when there's such an insane crunch looming?


Regardless of how large / important they are, that is.

If anything, this is just gonna make things more difficult for smaller 
companies while larger ones roam free.


On 4/23/2014 午後 11:04, John Curran wrote:

NANOGers -

ARIN's regional IPv4 free pool has reached the equivalent of one /8 of IPv4 space,
which means we are approaching runout of IPv4 space availability in this region.
(See attached announcement from ARIN regarding occurrence of this event)

There are some changes to processing of requests as we enter this final phase,
and obviously service providers ought to be thinking about IPv6-based services,
if not already in deployment.

FYI,
/John

John Curran
President and CEO
ARIN

Begin forwarded message:

From: ARIN i...@arin.net
Subject: [arin-announce] ARIN Enters Phase Four of the IPv4 Countdown Plan
Date: April 23, 2014 at 10:00:20 AM GMT-3
To: arin-annou...@arin.net

ARIN is down to its final /8 of available space in its inventory and has moved 
into Phase Four of its IPv4 Countdown Plan. All IPv4 requests are now subject 
to Countdown Plan processes, so please review the following details carefully.

All IPv4 requests will be processed on a First in, First out basis, and all 
requests of any size will be subject to team review, and requests for /15 or larger will 
require department director approval. ARIN's resource analysts will respond to tickets as 
they appear chronologically in the queue. Each ticket response is treated as an 
individual transaction, so the completion time of a single request may vary based on 
customer response times and the number of requests waiting in the queue. Because each 
correspondence will be processed in sequence, it is possible that response times may 
exceed our usual two-day turnaround.

The hold period for returned, reclaimed, and revoked blocks is now reduced to 
60 days. All returned, revoked, and reclaimed IPv4 address space will go back 
into the available pool when the 60 day period has expired. Staff will continue 
to check routing/filtering on space being reissued and will notify recipients 
if there are issues.

When a request is approved, the recipient will have 60 days to complete payment 
and/or an RSA. On the 61st day, the address space will be released back to the 
available pool if payment and RSA are not completed.

We encourage you to visit the IPv4 Countdown Phase Four page at:

https://www.arin.net/resources/request/countdown_phase4.html

ARIN may experience situations where it can no longer fulfill qualifying IPv4 
requests due to a lack of inventory of the desired block size. At that time, 
the requester may opt to accept the largest available block size or they may 
ask to be placed on the Waiting List for Unmet Requests. Full details about 
this process are available at:

https://www.arin.net/resources/request/waiting_list.html

Please contact hostmas...@arin.net or our Help Desk +1.703.227.0660 if you have 
questions about these procedural changes.

Regards,

Leslie Nobile
Director, Registration Services
American Registry for Internet Numbers (ARIN)
___
ARIN-Announce
You are receiving this message because you are subscribed to
the ARIN Announce Mailing List (arin-annou...@arin.net).
Unsubscribe or manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/arin-announce
Please contact i...@arin.net if you experience any issues.






Re: Serious bug in ubiquitous OpenSSL library: Heartbleed

2014-04-08 Thread Paul S.
If you built anything against the vulnerable library (esp static linked 
stuff), you'll need to rebuild those too.


On 4/8/2014 午後 09:18, David Hubbard wrote:

Don't forget to restart every daemon that was using the old library as
well, or just reboot.

-Original Message-
From: Peter Kristolaitis [mailto:alte...@alter3d.ca]
Sent: Tuesday, April 08, 2014 1:19 AM
To: nanog@nanog.org
Subject: Re: Serious bug in ubiquitous OpenSSL library: Heartbleed

Not just run the updates -- all private keys should be changed too, on
the assumption that they've been compromised already.  THAT is going to
be the crappy part of this.

- Pete


On 4/8/2014 1:13 AM, David Hubbard wrote:

RHEL and CentOS both have patches out as of a couple hours ago, so run
those updates!  CentOS' mirrors do not all have it yet, so if you are
updating, make sure you get the
1.0.1e-16.el6_5.7 version and not older.

David

-Original Message-
From: Paul Ferguson [mailto:fergdawgs...@mykolab.com]
Sent: Tuesday, April 08, 2014 1:07 AM
To: NANOG
Subject: Fwd: Serious bug in ubiquitous OpenSSL library: Heartbleed

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

I'm really surprised no one has mentioned this here yet...

FYI,

- - ferg



Begin forwarded message:


From: Rich Kulawiec r...@gsp.org
Subject: Serious bug in ubiquitous OpenSSL library: Heartbleed
Date: April 7, 2014 at 9:27:40 PM EDT

This reaches across many versions of Linux and BSD and, I'd presume,
into some versions of operating systems based on them.
OpenSSL is used in web servers, mail servers, VPNs, and many other
places.

Writeup: Heartbleed: Serious OpenSSL zero day vulnerability revealed
http://www.zdnet.com/heartbleed-serious-openssl-zero-day-vulnerability-revealed-728166/

   Technical details: Heartbleed Bug http://heartbleed.com/

OpenSSL versions affected (from link just above):
OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable
OpenSSL 1.0.1g is NOT vulnerable (released today, April 7, 2014)
OpenSSL 1.0.0 branch is NOT vulnerable
OpenSSL 0.9.8 branch is NOT vulnerable


- --
Paul Ferguson
VP Threat Intelligence, IID
PGP Public Key ID: 0x54DC85B2
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlNDg9gACgkQKJasdVTchbIrAAD9HzKaElH1Tk0oIomAOoSOvfJf
3Dvt4QB54os4/yewQQ8A/0dhFZ/YuEdA81dkNfR9KIf1ZF72CyslSPxPvkDcTz5e
=aAzE
-END PGP SIGNATURE-
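
Two checks for the cleanup steps the thread lists (the affected version range, restarting every daemon that still maps the old library, rebuilding statically linked programs), as an added example in Python; it is not code from the thread or from OpenSSL. The /proc/<pid>/maps text and the binary fragment are constructed; the process walk assumes a Linux host and needs root to read other users' maps. The caveat a practitioner would want: distributions backport fixes without changing the upstream version string (the CentOS build named above still calls itself 1.0.1e), so a version inside the range is a prompt to check the package release, not proof of vulnerability on its own.

```python
"""
Heartbleed follow-up checks: version-range test, detection of processes
still mapping a replaced libssl/libcrypto, and a scan for OpenSSL version
strings embedded in (statically linked) binaries. Added example.
"""
import os
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, str]   # (major, minor, fix, patch letter)

# Matches `openssl version` output and the OPENSSL_VERSION_TEXT string that
# statically linked programs carry inside the binary, e.g. "OpenSSL 1.0.1e 11 Feb 2013".
_VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: bytes) -> Optional[Version]:
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).decode()


def is_vulnerable(version: Version) -> bool:
    """CVE-2014-0160 affects OpenSSL 1.0.1 through 1.0.1f inclusive; 1.0.1g and
    the 1.0.0 / 0.9.8 branches are not affected (per the advisory quoted above).
    The patch letter compares lexically: '' < 'a' < ... < 'f' < 'g'.
    Distro backports (e.g. RHEL's 1.0.1e-16.el6_5.7) still report 1.0.1e, so a
    True here means "check the package release", not "exploitable"."""
    major, minor, fix, letter = version
    return (major, minor, fix) == (1, 0, 1) and letter <= "f"


def embedded_versions(blob: bytes) -> List[Version]:
    """Every OpenSSL version string found in a binary image; a statically linked
    program that embeds a vulnerable one must be rebuilt, not just restarted."""
    return [parse_version(m.group(0)) for m in _VERSION_RE.finditer(blob)]


def stale_openssl_mappings(maps_text: str) -> List[str]:
    """Paths of libssl/libcrypto objects that a /proc/<pid>/maps listing marks
    '(deleted)': the file was replaced on disk after the process mapped it, so
    the process is still executing the pre-update code."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue                                   # anonymous mapping, no path
        path = fields[5].strip()
        if not path.endswith(" (deleted)"):
            continue
        path = path[: -len(" (deleted)")]
        if os.path.basename(path).startswith(("libssl.so", "libcrypto.so")):
            stale.add(path)
    return sorted(stale)


def processes_needing_restart(proc_root: str = "/proc") -> List[Tuple[int, List[str]]]:
    """Walk /proc and return (pid, stale library paths) for every process that
    still maps a replaced OpenSSL library. Unreadable entries are skipped."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps"), encoding="utf-8",
                      errors="replace") as fh:
                stale = stale_openssl_mappings(fh.read())
        except OSError:
            continue
        if stale:
            hits.append((int(entry), stale))
    return hits


# Constructed sample: a daemon that mapped the old libssl/libcrypto before the
# update (both now "(deleted)"), plus a mapping that is current.
SAMPLE_MAPS = """\
7f1c2a000000-7f1c2a1c0000 r-xp 00000000 fd:01 1311803 /usr/lib64/libssl.so.1.0.1e (deleted)
7f1c2a1c0000-7f1c2a3c0000 ---p 001c0000 fd:01 1311803 /usr/lib64/libssl.so.1.0.1e (deleted)
7f1c2a400000-7f1c2a5f0000 r-xp 00000000 fd:01 1311790 /usr/lib64/libcrypto.so.1.0.1e (deleted)
7f1c2a600000-7f1c2a7a0000 r-xp 00000000 fd:01 1310722 /usr/lib64/libc-2.12.so
7f1c2a900000-7f1c2a921000 rw-p 00000000 00:00 0
"""

# Constructed: a fragment of a statically linked binary carrying the version text.
SAMPLE_STATIC_BINARY = (b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16
                        + b"OpenSSL 1.0.1e 11 Feb 2013\x00" + b"\x00" * 8)


if __name__ == "__main__":
    print("stale in sample:", stale_openssl_mappings(SAMPLE_MAPS))
    for v in embedded_versions(SAMPLE_STATIC_BINARY):
        print("embedded", v, "vulnerable range" if is_vulnerable(v) else "ok")
    for pid, libs in processes_needing_restart():
        print(f"pid {pid} still maps {', '.join(libs)}")
```

Run it as root after the package update: anything it lists still has the old code in memory regardless of what `openssl version` says, and the key rotation Pete mentions still has to happen separately.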


Re: A little silly for IPv6

2014-03-26 Thread Paul S.
Of course it is, you don't even need to think about logic to answer that 
one.


On 3/26/2014 午後 09:55, rw...@ropeguru.com wrote:

On Tue, 25 Mar 2014 23:28:04 -0500
 Larry Sheldon larryshel...@cox.net wrote:

According to the Ace of Spades HQ blog:


IPv6 would allow every atom on the surface of the earth to have its
own IP address, with enough spare to do Earth 100+ times.



--
Requiescas in pace o email   Two identifying characteristics
of System Administrators:
Ex turpi causa non oritur actio  Infallibility, and the ability to
learn from their mistakes.
  (Adapted from Stephen Pinker)



I want to see HIS source of how many atoms are actually on the earth. 
Somehow, I do not think anyone knows that answer. So his comparison 
is a joke.


Robert






Re: IPv6 isn't SMTP

2014-03-25 Thread Paul S.

On 3/26/2014 午後 12:31, Cutler James R wrote:

Wow, what a lot of NANOG traffic about IPv6 readiness for SMTP!

Please explain my misunderstanding on the following:

1.  IPv6 is a Routing Layer Protocol (with some associated helpers, like RA, 
ND, DHCP-PD, and the like).

2.  SMTP is an Application Layer Protocol, supposedly independent of Routing 
and lower layers of the protocol stack. Various communities have added 
connection initiation requirements that sometimes impinge upon layer 3 by 
requiring name/address correlations in DNS and none of which depend directly on 
technical aspects of layer 3 addressing. [ignoring obsolescent MTA 
implementations]

3.  Arguing about IPv6 in the context of requirements upon SMTP connections is 
playing that uncomfortable game with one’s own combat boots.  And not 
particularly productive.

I look forward to furthering my education.


James R. Cutler
james.cut...@consultant.com
PGP keys at http://pgp.mit.edu





+1, very well put.



Re: tools similar to stat.ripe.net?

2014-03-23 Thread Paul S.
I'd simply just recommend using the route views servers, you don't 
really need the graphical representation.


On 3/24/2014 午前 02:46, Damien Burke wrote:

Hello,

Are there any tools similar to the routing tab at stat.ripe.net?

To be more specific, I'm looking for the BGP route visibility feature.

-Damien





Re: Who uses ARIN's IRR?

2014-03-07 Thread Paul S.

On 3/8/2014 午前 01:07, Jason Lixfeld wrote:

I don't need to use it much, but when I do, it's an ever-increasing royal pain 
in the ass.

My current plight revolves around not being able to get full dumps of objects.  
Certain mandatory fields in objects are 'filtered' and/or replaced with dummy 
data.  This poses a problem because one can no longer simply cut and paste the 
output, change the necessary bits and fire it off to r...@arin.net for 
processing.  WhoisRWS doesn't seem to have hooks into the IRR database like 
RIPE seems to have gotten right.

So how do people tend to get around this?  Is there something that I'm missing 
or do people just throw their hands up and move their IRR data to RADB or 
something?


You'll likely have a lot more peace of mind by moving to RADB anyway, 
ARIN's IRR is way too inflexible for use -- at least in my opinion.




Re: DNS Resolving issues. So far related just to Cox. But could be larger.

2014-03-06 Thread Paul S.

OP is actually the owner of it as per ARIN whois data.

-- Paul

On 3/6/2014 午後 09:41, Nick Hilliard wrote:

On 06/03/2014 12:14, bmann...@vacation.karoshi.com wrote:

On Wed, Mar 05, 2014 at 07:52:10AM -0500, Rob Seastrom wrote:

to secondary nameservers.  Speaking of that...

;; ADDITIONAL SECTION:
ns1.nineplanetshosting.com. 172800 IN   A   199.73.57.122
ns2.nineplanetshosting.com. 172800 IN   A   199.73.57.122

I think OP ought to approach his hoster with a cluebat.  Not just on
the same subnet but the same address?  Really.

-r


haven't you heard about anycast??

rs probably has.  The owner of 199.73.57.122, probably not.

Nick








Re: DNS Resolving issues. So far related just to Cox. But could be larger.

2014-03-04 Thread Paul S.
For all it's worth, it might be Cox ignoring TTLs and enforcing their 
own update times instead.


Wait 24-48 hours, and it should probably fix it all up.

I'm not seeing anything majorly broken with your system except the SOA 
EXPIRE being ridiculously large.


On 3/5/2014 午後 01:40, Mark Keymer wrote:

Hi Everyone,

So I have a client who moved a domain, specifically periodforgood.com, 
to a new VPS with our company.


DNS has been updated and the TTL time is 4 hours so things should all 
be updated but something might still be wrong. Looking for help / 
confirmation that things look good. And better yet if someone from Cox 
and take a look.


Our client uses Cox for their home internet and sometimes the domain 
resolves and sometimes it does not. We found they have the following 
IPs in Cox's network that are being used to resolve domains.


68.105.28.11
68.105.28.12
68.105.29.12

After doing many nslookups via a remote session to their computer we 
found that the top 2 IPs never resolve the periodforgood.com domain 
and we found that the third one will about 20%-40% of the time resolve 
it.


We have gone to several DNS testing tools and all seems to be in 
order. If you dig or nslookup directly to the DNS servers that are 
used for the domain it seems to always respond.


I admit I might just be overlooking something myself and will feel 
dumb once someone points it out to me. But if you can point it out to 
me that would be great!


Also note that it looks like those DNS resolvers are blocked from 
outside lookups which is good. So maybe someone with some eyeballs 
inside or otherwise can help out?


Sincerely,
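
Two checks that follow from the DNS threads above (Nick Hilliard's point about both nameservers sitting on one address, and the oversized SOA EXPIRE noted in the reply), as an added example in Python that is not code from either post. It parses dig-style records, flags a delegation whose NS hosts all resolve to a single address or a single IPv4 /24, and checks the SOA timers against the ranges this example takes from RFC 1912 section 2.2 (refresh 1200 to 43200 s, expire 2 to 4 weeks, retry shorter than refresh) and RFC 2308 section 5 (negative-cache TTL of at most a day). The records are constructed for example.com with RFC 5737 addresses.

```python
"""
Delegation redundancy and SOA timer sanity checks over dig-style records.
Added example with constructed data.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str]                 # (severity "fail" | "warn" | "info", message)
Record = Tuple[str, str, List[str]]       # (owner, type, rdata tokens)

# Ranges as this example reads RFC 1912 s2.2 and RFC 2308 s5 (seconds).
REFRESH_RANGE = (1200, 43200)
EXPIRE_RANGE = (1209600, 2419200)
NEGATIVE_TTL_MAX = 86400

_RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(SOA|NS|AAAA|A)\s+(.+)$")


def parse_records(text: str) -> List[Record]:
    """Parse presentation-format lines (owner TTL IN TYPE RDATA); skip comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = _RR_RE.match(line)
        if m:
            records.append((m.group(1).lower(), m.group(3), m.group(4).split()))
    return records


def check_soa(rdata: List[str]) -> List[Finding]:
    """SOA RDATA is MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    refresh, retry, expire, minimum = (int(x) for x in rdata[3:7])
    findings = []
    if not REFRESH_RANGE[0] <= refresh <= REFRESH_RANGE[1]:
        findings.append(("warn", f"refresh {refresh}s outside {REFRESH_RANGE}"))
    if retry >= refresh:
        findings.append(("warn", f"retry {retry}s should be shorter than refresh {refresh}s"))
    if not EXPIRE_RANGE[0] <= expire <= EXPIRE_RANGE[1]:
        findings.append(("warn", f"expire {expire}s ({expire // 86400} days) outside {EXPIRE_RANGE}; "
                                 "secondaries keep answering that long after losing the primary"))
    if minimum > NEGATIVE_TTL_MAX:
        findings.append(("warn", f"negative-cache TTL {minimum}s exceeds one day"))
    return findings


def check_delegation(records: List[Record]) -> List[Finding]:
    """Do the NS hosts give real redundancy, or do they share one address
    (or one IPv4 /24, typically a single hosting failure domain)?"""
    ns_hosts = {r[2][0].lower() for r in records if r[1] == "NS"}
    addrs: Dict[str, Set[str]] = {}
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA") and owner in ns_hosts:
            addrs.setdefault(owner, set()).add(rdata[0])
    findings = []
    unresolved = ns_hosts - set(addrs)
    if unresolved:
        findings.append(("info", f"no address seen for {', '.join(sorted(unresolved))}"))
    all_addrs = set().union(*addrs.values()) if addrs else set()
    v4 = [a for a in all_addrs if ":" not in a]
    if len(ns_hosts) < 2:
        findings.append(("warn", "fewer than two NS records"))
    elif len(all_addrs) == 1:
        findings.append(("fail", f"all {len(ns_hosts)} nameservers resolve to "
                                 f"{next(iter(all_addrs))}; no redundancy"))
    else:
        nets = {str(ipaddress.ip_network(f"{a}/24", strict=False)) for a in v4}
        if len(v4) > 1 and len(nets) == 1:
            findings.append(("warn", f"all IPv4 nameserver addresses sit in {next(iter(nets))}"))
    return findings


def audit_zone(text: str) -> List[Finding]:
    records = parse_records(text)
    findings = check_delegation(records)
    for _, rtype, rdata in records:
        if rtype == "SOA":
            findings.extend(check_soa(rdata))
    return findings


# Constructed: two NS names behind one address, and a one-year EXPIRE.
SAMPLE_ZONE = """\
; constructed records, RFC 5737 addresses
example.com.          3600 IN SOA  ns1.example.com. hostmaster.example.com. 2014030401 14400 3600 31536000 3600
example.com.        172800 IN NS   ns1.example.com.
example.com.        172800 IN NS   ns2.example.com.
ns1.example.com.    172800 IN A    192.0.2.53
ns2.example.com.    172800 IN A    192.0.2.53
"""

if __name__ == "__main__":
    for sev, msg in audit_zone(SAMPLE_ZONE):
        print(f"[{sev}] {msg}")
```

The input is whatever `dig +noall +answer +additional` prints for the SOA, NS and glue records; the point of checking EXPIRE is that a secondary will serve whatever it last transferred for that long if the primary disappears or transfers break.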






Re: Managing IOS Configuration Snippets

2014-02-27 Thread Paul S.
Rancid with the git plugin can be used to attain pretty much the exact 
same thing a lot more easily, if you're after an existing implementation 
of it.


Cheers,

Paul

On 2/27/2014 午後 09:44, Harry Hoffman wrote:

Wow, this sounds fantastic! Have any code you can share?

Cheers,
Harry

On Feb 27, 2014 6:52 AM, Andrew Latham lath...@gmail.com wrote:

For a large install I set up a solution that might help. I utilized a
Mediawiki install and its API to create, update and pull the
configuration on many IOS devices. A wiki page for the host name was
dynamically created and the configuration was placed there daily or
hourly. This allowed support to review the configuration and advise
customers quicker. Additional hacks for updating the devices via the
wiki were used. The goal was transparency for the support team and the
side effect was wiki page history showing what day and what lines
changed.  As mentioned the answer to your question would likely make a
good article.

On Wed, Feb 26, 2014 at 3:22 PM, Ryan Shea ryans...@google.com wrote:

Howdy network operator cognoscenti,

I'd love to hear your creative and workable solutions for a way to track
in-line the configuration revisions you have on your cisco-like devices.
Let me clarify/frame:

You have a set of tested/approved configurations for your routers which use
IOS style configuration. These configurations of course are always refined
and updated. You break these pieces of configuration into logical sections,
for example a configuration file for NTP configuration, a file for control
plane filter and store these in some revision control system. Put aside for
the moment whether this is a reasonable way to comprehend deployed
configurations. What methods do some of you use to know which version of a
configuration you have deployed to a given router for auditing and update
purposes? Remarks are a convenient way to do this for ACLs - but I don't
have similar mechanics for top level configurations. About a decade ago I
thought I'd be super clever and encode versioning information into the snmp
location - but that is just awful and there is a much better way everyone
is using, right? Flexible commenting on other vendors/platforms make this a
bit easier.

Assume that this version encoding perfectly captures what is on the router
and that no person is monkeying with the config... version 77 of the
control plane filter is the same everywhere.



--
~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~






Re: congestion between Cogent and CenturyLink

2014-02-27 Thread Paul S.

+1, which semi-large eyeball does Cogent NOT have capacity problems to?

On 2/28/2014 午前 11:55, Suresh Ramasubramanian wrote:

With cogent? Now you will be asking us if the Pope is really Catholic :)
On 28-Feb-2014 7:43 AM, Aidan Scheller ai...@aodhandigital.com wrote:


Hello,



We send periodic 10-15Mbps bursts of traffic to a business partner and it
appears to transition from Cogent to Century Link in Atlanta. During the
day performance is normal and latency appears acceptable on a trace route.



12 ms 13 ms 12 ms te0-6-1-7.rcr21.msp01.atlas.cogentco.com [38.88.188.41]

26 ms 26 ms 27 ms be2410.ccr22.ord01.atlas.cogentco.com [154.54.7.229]

43 ms 44 ms 44 ms be2099.ccr22.atl01.atlas.cogentco.com [154.54.28.74]

44 ms 44 ms 44 ms be2051.ccr21.atl02.atlas.cogentco.com [154.54.0.162]

43 ms 42 ms 43 ms qwest.atl02.atlas.cogentco.com [154.54.13.30]

49 ms 49 ms 50 ms min-edge-10.inet.qwest.net [205.171.128.154]



But after hours latency spikes and throughput drops to less than 1Mbps.



te8-3.ccr01.msp01.atlas.cogentco.com (38.88.188.41) 4.603 ms

te0-0-0-19.mpd22.ord01.atlas.cogentco.com (154.54.1.230) 17.838 ms

be2099.ccr22.atl01.atlas.cogentco.com (154.54.28.74) 33.156 ms

be2051.ccr21.atl02.atlas.cogentco.com (154.54.0.162) 36.449 ms

qwest.atl02.atlas.cogentco.com (154.54.13.30) 89.583 ms

min-edge-10.inet.qwest.net (205.171.128.150) 89.806 ms



Century Link stated that Cogent is oversubscribing the link, and that
they've requested Cogent resolve the problem, but that action has yet to be
taken.  I've tried reaching out to Cogent but as we're not a direct
customer they wouldn't provide assistance.



Has anyone else seen similar issues?



Thanks,



Aidan






Re: out of band management gear

2014-02-21 Thread Paul S.

Lantronix is pretty solid if it doesn't have issues with your hardware.

I have a bunch of older Dell boxes where turning on virtual media makes 
them stall indefinitely on the boot prompt.


Though, for serial only stuff -- it should be pretty good.

On 2/22/2014 午前 12:39, Bryan Socha wrote:

We have both lantronix and opengear hardware and use the og brand almost
exclusively now.   Good price, extremely reliable.  We have about 200 of
them.
On Feb 21, 2014 9:41 AM, Hank Disuko gourmetci...@hotmail.com wrote:


Hi folks,
I wonder if anyone has good experiences to share with out-of-band hardware?
I'm looking for a good OOB hardware vendor.  I need to manage my
routers/switches/firewalls in a datacenter located overseas, and I'm
looking to setup a good serial console server via an OOB link.
I've been looking at Lantronix, OpenGear, Raritan...but they all seem to
have the same basic features.  I'm having trouble really differentiating
them.
I'm interested in analog modem, cellular options for my OOB link.  Or even
a secondary internet circuit either wired or wifi if the DC has that option
available.
Any good suggestions or experiences with a current OOB solution out there?
  What are you doing for your OOB management?
thanks, Hank





Re: OpenNTPProject.org

2014-02-17 Thread Paul S.

Better yet, why is your ntp server even reachable off net?

Providing a public clock service needs a lot more configuration effort 
than a simple, default one -- as just demonstrated.


(However, this is not to say that private servers should have management 
queries enabled.)


On 2/17/2014 9:03 AM, Kate Gerry wrote:

Just add these to your ntp.conf configuration then restart the service: (Works 
with all default installations that I've found)

restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery

--
Kate Gerry
Network Manager
k...@quadranet.com

1-888-5-QUADRA Ext 206 | www.QuadraNet.com
Dedicated Servers, Colocation, Cloud Services and more.
Datacenters in Los Angeles, Dallas and Miami.

Follow us on:


-Original Message-
From: Brian Rak [mailto:b...@gameservers.com]
Sent: Sunday, February 16, 2014 6:38 PM
To: Pete Ashdown; NANOG list
Subject: Re: OpenNTPProject.org

Seriously, just fix your configuration.  The part of NTP being abused is 
completely unrelated to actually synchronizing time.  It's a management query, 
that has no real reason to be enabled remotely. You don't even need to resort 
to iptables for this, because NTPD has built in rate limiting (which isn't 
enabled for management queries, but those are trivial to disable).

$ ntpdc -c monlist -n clock.xmission.com
remote address  port local address  count m ver code avgint
lstint
===
173.209.207.23342422 198.60.22.240   4727 3 3 0  0   0
24.155.184.100 45285 198.60.22.240 11 3 4 0  6   0
107.0.41.2 48625 198.60.22.240264 3 4 0  5   0
67.108.239.31  40642 198.60.22.240  77084 3 3 0  0   0
177.65.149.237 62212 198.60.22.240   1085 3 1 0  0   0
209.64.161.162 44786 198.60.22.240 19 3 4 0  7   0
103.7.36.3851618 198.60.22.240  4 3 3 0  8   0
173.209.207.21850616 198.60.22.240   4731 3 3 0  0   0
69.61.203.25   20766 198.60.22.240  16379 3 4 0  1   0
68.188.251.223   478 198.60.22.240  2 1 3 0  0   0
75.82.183.104123 198.60.22.240  1 3 4 0  0   0
63.64.124.129  52839 198.60.22.240 150867 3 4 0  0   0
65.201.33.150151 198.60.22.240393 3 2 0  3   0
124.228.119.10524687 198.60.22.240 31 3 3 0  4   0
64.191.150.130   319 198.60.22.2404494361 3 2 0  0   0
76.102.124.27123 198.60.22.240  2 3 4 0  0   0
72.235.200.183   123 198.60.22.240  1 3 4 0  0   0
50.73.42.121   10398 198.60.22.240 11 3 3  0 14   0
63.64.124.144  26984 198.60.22.2405823740 3 4 0  0   0
71.5.8.194 44699 198.60.22.240  3 3 4 0  0   0
143.112.64.21320 198.60.22.240182 1 3 0  6   0
72.235.19.125123 198.60.22.240  1 3 4 0  0   0
198.237.66.2   10471 198.60.22.240499 3 3 0  3   0
12.108.21.226357 198.60.22.240 10 1 3  0 14   0
174.47.116.250   463 198.60.22.240 24 3 4 0  5   0
72.1.71.73   738 198.60.22.240 19 3 3 0  8   0
67.136.57.101026 198.60.22.240243 3 3 0  5   0
64.199.163.5 306 198.60.22.240231 3 4 0  4   0
70.77.76.153   32188 198.60.22.240  1 3 4 0  0   0

There is no excuse to still be running a NTP server with monlist enabled.  Fix 
your configuration, and you don't need IPTables rules.



On 2/16/2014 1:29 PM, Pete Ashdown wrote:

Just in case you run a legitimate open NTP server, this iptable stanza
helps immensely:

## rate limit ntp
IPTABLES=/sbin/iptables        # path to the iptables binary
$IPTABLES -N NTP
$IPTABLES -N BLACKHOLE
# BLACKHOLE: remember the offending source, then drop
$IPTABLES -A BLACKHOLE -m recent --set --name ntpv4blackhole --rsource
$IPTABLES -A BLACKHOLE -j DROP
# NTP: a source seen 20 times in 5s goes to BLACKHOLE; a source already in the
# blackhole list is dropped; anything else is recorded and accepted
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name ntpv4 --rsource -j BLACKHOLE
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name ntpv4blackhole --rsource -j DROP
$IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP


I've found that blocking TCP destination NTP to client servers/networks
blocks legitimate NTP synchronization for their clients.   Although I
wish they'd all just use my on-network NTP server, I can't assume they
will.  Does anyone have a list or source of pool and vendor
(Apple/Microsoft/etc) servers so I can permit based on source before
blocking based on destination port?
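
A checker for the configuration point made above (Kate's restrict lines, Brian's "just fix your configuration"), as an added example in Python; it is not code from the thread or from ntp.org. It parses restrict statements out of ntp.conf text and reports whether the IPv4 and IPv6 defaults carry noquery (the flag that closes mode 6/7 queries such as monlist), which of the other hardening flags from the posted fix are missing, and which explicit restrict entries deliberately re-open queries to a non-loopback network. The two sample configurations are constructed. Assumptions: an unqualified restrict default is treated as covering both address families, so either that form or the separate -6 default line from the fix is accepted; where several default lines apply to one family, every one of them must carry a flag, which is a conservative choice here rather than a statement of how ntpd merges duplicate entries.

```python
"""
Audit ntp.conf restrict statements for remotely reachable management
queries (monlist and friends). Added example with constructed configs.
"""
import ipaddress
from typing import List, Set, Tuple

Finding = Tuple[str, str]      # (severity "fail" | "warn" | "info", message)

# Flag set from the fix posted in the thread. `noquery` closes mode 6/7
# (ntpq/ntpdc, including monlist); the rest harden the remaining paths.
RECOMMENDED = ("kod", "nomodify", "notrap", "nopeer", "noquery")


def parse_restrict(conf: str) -> List[dict]:
    """Each entry: family ("4", "6" or "both"), target ("default", "source",
    an address or a hostname), optional mask, and the set of flags."""
    entries = []
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        family = "both"
        if tokens[0] in ("-4", "-6"):
            family = tokens.pop(0)[1:]
            if not tokens:
                continue
        target = tokens.pop(0)
        mask = None
        if len(tokens) >= 2 and tokens[0] == "mask":
            mask, tokens = tokens[1], tokens[2:]
        if target not in ("default", "source"):
            try:
                family = str(ipaddress.ip_address(target).version)
            except ValueError:
                pass                                    # hostname: family unknown
        entries.append({"family": family, "target": target, "mask": mask, "flags": set(tokens)})
    return entries


def _queries_open(flags: Set[str]) -> bool:
    return "noquery" not in flags and "ignore" not in flags


def audit(conf: str) -> List[Finding]:
    entries = parse_restrict(conf)
    findings: List[Finding] = []
    for fam in ("4", "6"):
        defaults = [e for e in entries
                    if e["target"] == "default" and e["family"] in (fam, "both")]
        if not defaults:
            findings.append(("fail", f"IPv{fam}: no `restrict default` line; any source may query, modify and peer"))
            continue
        flags = set.intersection(*(e["flags"] for e in defaults))   # conservative merge
        if _queries_open(flags):
            findings.append(("fail", f"IPv{fam}: default restriction lacks `noquery`; monlist is reachable from anywhere"))
        missing = [f for f in RECOMMENDED if f not in flags and f != "noquery"]
        if missing and "ignore" not in flags:
            findings.append(("warn", f"IPv{fam}: default restriction missing {' '.join(missing)}"))
        if fam == "6" and not any(e["family"] == "6" for e in defaults):
            findings.append(("info", "IPv6 covered only by an unqualified `restrict default`; "
                                     "add `restrict -6 default` if the ntpd build needs it"))
    for e in entries:
        if e["target"] in ("default", "source") or not _queries_open(e["flags"]):
            continue
        spec = f"{e['target']}/{e['mask']}" if e["mask"] else e["target"]
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            findings.append(("info", f"{spec}: allows queries (hostname or unparsable mask; check by hand)"))
            continue
        if not net.is_loopback:
            findings.append(("info", f"{net}: explicitly allows mode 6/7 queries; confirm this network should see them"))
    return findings


def worst(findings: List[Finding]) -> str:
    for sev in ("fail", "warn", "info"):
        if any(f[0] == sev for f in findings):
            return sev
    return "ok"


# Constructed: a stock config with no default restriction at all.
OPEN_CONF = """
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict 127.0.0.1
restrict ::1
"""

# Constructed: the thread's fix applied, plus one jump host (RFC 5737 address)
# deliberately allowed to run ntpq against the server.
FIXED_CONF = """
driftfile /var/lib/ntp/drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.10 nomodify notrap nopeer
"""

if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("fixed", FIXED_CONF)):
        print(name, worst(audit(conf)))
        for sev, msg in audit(conf):
            print(f"  [{sev}] {msg}")
```

After changing the file, restart ntpd and confirm from an outside host that `ntpdc -c monlist <server>` now times out; the config check only says what the file asks for, not what the running daemon does.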










Re: news from Google

2009-12-03 Thread Paul S. R. Chisholm
On Thu, Dec 3, 2009 at 5:07 PM, Ken Chase m...@sizone.org wrote:
 We all know that google is leveraging cross-referenceable information from all
 of its services for its profit/advantage ...

 /kc
 --
 Ken Chase - k...@heavycomputing.ca - +1 416 897 6284 - Toronto CANADA
 Heavy Computing - Clued bandwidth, colocation and managed linux VPS @151 Front St. W.

Ken, this was addressed in the announcement:

http://code.google.com/speed/public-dns/privacy.html

We built Google Public DNS to make the web faster and to retain as
little information about usage as we could, while still being able to
detect and fix problems. Google Public DNS does not permanently store
personally identifiable information.

http://code.google.com/speed/public-dns/faq.html#account
http://code.google.com/speed/public-dns/faq.html#shared
http://code.google.com/speed/public-dns/faq.html#info

Is any of the information collected stored with my Google account?
No.
Does Google share the information it collects from the Google Public
DNS service with anyone else?
No.
Is information about my queries to Google Public DNS shared with other
Google properties, such as Search, Gmail, ads networks, etc.?
No.

Hope this helps.  --PSRC