IPv6 filtering at network edge?
I'm tightening up some network-edge filters, and in the process of testing filtering with IPv6, I found that there is a lot of ICMP link-local (fe80::) to ff02:: activity at an IX. Is any of this necessary? I am wary of over-filtering that cuts down functionality and doesn't increase security. What of the IANA-reserved IPv6 addresses can be safely blocked on ingress/egress at the network edge?
Re: OpenNTPProject.org
On 2/17/14, 7:26 AM, George, Wes wrote:
> I'll note that this is less than 140 chars, and therefore fits nicely in a tweet. If you're on twitter, signal boost the PSA, please. My edited example: https://twitter.com/wesgeorge/status/435404354242478080
> Wes George
>
> On 2/16/14, 10:03 PM, Kate Gerry k...@quadranet.com wrote:
>> add these to your ntp.conf
>> restrict default kod nomodify notrap nopeer noquery
>> restrict -6 default kod nomodify notrap nopeer noquery

I seem to recall some issue with older Windows clients using peer for synchronization. Does not having nopeer contribute to DDoS amplification?
Re: OpenNTPProject.org
Just in case you run a legitimate open NTP server, this iptables stanza helps immensely:

## rate limit ntp
$IPTABLES -N NTP
$IPTABLES -N BLACKHOLE
$IPTABLES -A BLACKHOLE -m recent --set --name ntpv4blackhole --rsource
$IPTABLES -A BLACKHOLE -j DROP
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 20 --name ntpv4 --rsource -j BLACKHOLE
$IPTABLES -A NTP -m recent --update --seconds 5 --hitcount 2 --name ntpv4blackhole --rsource -j DROP
$IPTABLES -A NTP -m recent --set --name ntpv4 --rsource -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 123 -j NTP

I've found that blocking TCP destination NTP to client servers/networks blocks legitimate NTP synchronization for their clients. Although I wish they'd all just use my on-network NTP server, I can't assume they will. Does anyone have a list or source of pool and vendor (Apple/Microsoft/etc) servers so I can permit based on source before blocking based on destination port?
Re: OpenNTPProject.org
On 2/16/14, 11:29 AM, Pete Ashdown wrote:
> I've found that blocking TCP destination NTP to client servers/networks blocks legitimate NTP synchronization for their clients.

^TCP^UDP
Re: OpenNTPProject.org
On 2/16/14, 7:38 PM, Brian Rak wrote:
> Seriously, just fix your configuration. The part of NTP being abused is completely unrelated to actually synchronizing time. It's a management query, that has no real reason to be enabled remotely. You don't even need to resort to iptables for this, because NTPD has built in rate limiting (which isn't enabled for management queries, but those are trivial to disable).

Thanks for the tip, monitoring is off. I was under the impression that rate-limiting hadn't made it into a stable version of ntpd yet. Is that incorrect?
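As an added example for the two NTP posts above (not code from any poster or from the ntpd project), a POSIX shell audit that checks whether an ntp.conf carries the `restrict default` and `restrict -6 default` lines Kate Gerry quoted, the setting that disables the remote management queries Brian Rak describes; the sample configuration files are constructed here.

```shell
#!/bin/sh
# Audit an ntp.conf for the default-restrict hardening quoted in this thread:
#   restrict [-6] default kod nomodify notrap nopeer noquery
# Added example for this digest; not code from any poster or from the ntpd project.
WANT_FLAGS="kod nomodify notrap nopeer noquery"
# Print the flags on the first "restrict default" ($2 = 4) or "restrict -6 default"
# ($2 = 6) line of config file $1, with "#" comments stripped first.
restrict_flags() {
    awk -v fam="$2" '
        { sub(/#.*/, "") }
        $1 == "restrict" {
            if (fam == "6" && $2 == "-6" && $3 == "default") { s = 4 }
            else if (fam == "4" && $2 == "default") { s = 3 } else { next }
            out = ""
            for (i = s; i <= NF; i++) out = out (out == "" ? "" : " ") $i
            print out; exit
        }' "$1"
}
# Print the flags family $2 lacks. A missing restrict line is as permissive as
# an empty one (ntpd allows everything when no restriction is configured).
missing_flags() {
    _have=" $(restrict_flags "$1" "$2") "
    _missing=""
    for _f in $WANT_FLAGS; do
        case "$_have" in
            *" $_f "*) ;;
            *) _missing="$_missing${_missing:+ }$_f" ;;
        esac
    done
    printf '%s\n' "$_missing"
}
# Report both address families; exit 0 only when neither lacks a flag.
audit_ntp_conf() {
    _rc=0
    for _fam in 4 6; do
        _m=$(missing_flags "$1" "$_fam")
        if [ -n "$_m" ]; then printf 'IPv%s restrict default: missing %s\n' "$_fam" "$_m"; _rc=1
        else printf 'IPv%s restrict default: OK\n' "$_fam"; fi
    done
    return $_rc
}
# Constructed sample configs (not from any real host) for a stand-alone run.
WEAK_CONF=$(mktemp); GOOD_CONF=$(mktemp); trap 'rm -f "$WEAK_CONF" "$GOOD_CONF"' EXIT
printf '%s\n' 'server 0.pool.ntp.org iburst' \
    'restrict default kod nomodify   # no noquery: management queries still answered' > "$WEAK_CONF"
printf '%s\n' 'restrict default kod nomodify notrap nopeer noquery' \
    'restrict -6 default kod nomodify notrap nopeer noquery' 'restrict 127.0.0.1' > "$GOOD_CONF"
audit_ntp_conf "$WEAK_CONF" || true   # weak: reports the missing flags, status 1
audit_ntp_conf "$GOOD_CONF"           # hardened: both families OK
```

Point `audit_ntp_conf` at a real /etc/ntp.conf to get a per-family list of the flags still missing; a config with only the IPv4 line is reported as wide open on IPv6.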
Urgent, need bandwidth in Blue Springs, Missouri
I've got a customer's point-to-point 50M that has taken too long to install and is averaging 5M throughput. If someone can drop a solid 50-100M DIA in Blue Springs, Missouri, I'd like to hear from you. Email me directly. Thanks in advance.
Looking for US East Coast KVM Swap
I'm looking for a KVM guest swap on the US eastern coast for a tertiary DNS server. Must have a minimum of 1GB RAM, 4 CPUs, and be IPv6 capable. I am willing to swap the same here in Salt Lake City, Utah. Thanks in advance!
JunOS IPv6 announcements over IPv4 BGP
I've got a peer who wishes me to send my IPv6 announcements over IPv4 BGP. I'm running around in circles with JTAC trying to find out how to do this in JunOS. Does anyone have a snippet they can send me?
Re: JunOS IPv6 announcements over IPv4 BGP
It is just informational rather than real peering. Akamai CDN.

On 12/21/2012 12:45 PM, Jared Mauch wrote:
> On Dec 21, 2012, at 1:45 PM, Pete Ashdown wrote:
>> I've got a peer who wishes me to send my IPv6 announcements over IPv4 BGP. I'm running around in circles with JTAC trying to find out how to do this in JunOS. Does anyone have a snippet they can send me?
>
> I would say don't do this. You are likely to experience software defects that are unique to this configuration which IMHO is far less common than a peer per v4/v6 transport. It will also show they aren't doing any 'kinky' engineering to get you IPv6. While some folks may disagree, the ability to connect you to an edge device that does dual-stack will provide you better service.
>
> - Jared
Re: In Need of 10GbE Optics @AMS4
I don't have the quantity you need, but this reminded me that I'm in need of a reliable supplier of CWDM 40KM XFP 10GbE optics. Specifically 1310nm, but I'll need other wavelengths soon. These things seem to be manufactured by elves. I can't find a reliable supplier anywhere. Can anyone help?

On 11/17/12 2:20 PM, Brant I. Stevens wrote:
> Please forgive the cross-post, but figured this was the best way to reach my target audiences. I am onsite and in need of:
> - 8 10GbE Single-Mode SFP's.
> - 4 10GbE Single-Mode XFPs.
> If you have them available for sale, that would be great, but pointing us in the direction of where to obtain them in-country, quickly, would be very useful as well.
> Regards,
> - Brant
> aim:branto