Re: MPLS in the campus Network?

2016-10-21 Thread Youssef Ghorbal
> FWIW, if I had to solve the "college across buildings with common
> access control" problem I would create MPLS L3 VPN's, one subnet
> per building (where it is a VLAN inside of a building), with a
> "firewall in the cloud" somewhere to get between VLAN's with all
> of the policy in one place.
>
> No risk of the L2 across buildings mess, including broadcast and
> multicast issues at L2.  All tidy L3 routing.  Can use a real
> firewall between L3 VPN instances to get real policy tools (AV, URL
> Filtering, Malware detection, etc) rather than router ACL's.  Scales
> to huge sizes because it's all L3 based.

Until people start complaining that they can no longer auto-discover their
Time Capsule left in the other building whereas their colleagues in
the other building can, etc. All the fancy discovery protocols break
without L2 continuity!
Welcome to the campus network nightmare :)
For now, there is no perfect solution! Either you cope with L2 hell
or with user inconvenience (and yes, people tend to think that the campus
network is expected to work like their home network).

I've also stumbled upon some "Building Automation and Control
Networks" (BACnet/IP for instance) where each building has some
automata that all need to be in the same network segment.

> Combine with 802.1x port authentication and NAC, and in theory every
> L3 VPN could be in every building, with each port dynamically assigning
> the VLAN based on the user's login!  Imagine never manually configuring
> them again.  Write a script that makes all the colleges (20? 40? 60?)
> appear in every building all attached to their own MPLS VPN's, and
> then the NAC handles port assignment.

Here again, it's perfect until you start coping with old stuff, all the
fancy new Ethernet-capable "things" or scientific/industrial
equipment. The "802.1x what? It's plug'n play, man!" attitude.

(my experience is with research institutes/academy kind of campuses)

Youssef Ghorbal


Re: Announcement: Critical Internet Infrastructure WG is now open to public participation

2009-11-18 Thread Youssef Ghorbal
Off topic, but are you serious about the Admin Interface Link
(http://www.isotf.org/?page_value=13223) or is it just a joke?


On Wed, Nov 18, 2009 at 6:29 PM, Gadi Evron g...@linuxbox.org wrote:
> Simon Lockhart wrote:
>> On Wed Nov 18, 2009 at 07:08:31PM +0200, Gadi Evron wrote:
>>> ISOTF Critical Internet Infrastructure WG is now open to public
>>> participation.
>>
>> Sorry, who is ISOTF?
>>
>> I tried looking on the website, but the About ISOTF page is blank...
>>
>>         http://www.isotf.org/?page_value=0
>
> It's the blanket name we use to host meetings, publish papers, or give a
> home on the web for task forces of volunteers for global incident response
> and similar matters.
>
> We don't like the idea of formalizing it, and thus not much data is
> available on the official web page. Perhaps that needs to be fixed.
>
> Thanks for bringing it to our attention.
>
>         Gadi.
>
>> Simon
>
> --
> Gadi Evron,
> g...@linuxbox.org.
>
> Blog: http://gevron.livejournal.com/


Re: Where to buy Internet IP addresses

2009-05-07 Thread Youssef Ghorbal
On Mon, May 4, 2009 at 11:57 PM, char...@thewybles.com wrote:
> This has been a fascinating theoretical discussion.. how do existing providers
> hand out space?
>
> Hurricane Electric (via its tunnel service) hands out a /64 by default and a
> /48 is a click away.
>
> How do other providers handle it? I'm in the US and only have native v4
> connectivity :(
>
> Do the various traditional last mile providers (sprint/Verizon/att/patch etc)
> offer it for T1 and better? If they do then what do they hand out by
> default, what's available, at what price point and what's the upgrade path?
> Is it one click like HE?
>
> No provider I have talked to offers it for residential connectivity in the
> United States.
> What does free.fr do?

Free does 6rd and allocates a /64 per customer.
Here is a presentation on how they do this:
http://www.ripe.net/ripe/meetings/ripe-58/content/presentations/ipv6-free.pdf

> If there is this level of confusion and disagreement around addressing
> schemes then will it ever be offered to residences over traditional last mile
> loops?
>
> Sent via BlackBerry from T-Mobile
>
> -Original Message-
> From: Stephen Sprunk step...@sprunk.org
> Date: Mon, 04 May 2009 16:36:16
> To: Bill Stewart nonobvi...@gmail.com
> Cc: North American Noise and Off-topic Gripes na...@merit.edu; Joe
> Greco jgr...@ns.sol.net
> Subject: Re: Where to buy Internet IP addresses
>
> Bill Stewart wrote:
>> When I came back, I found this ugly EUI-64 thing instead, so not only was
>> autoconfiguration much uglier, but you needed a /56 instead of a /64 if you
>> were going to subnet.
>
> It's supposed to be a /48 per customer, on the assumption that 16 bits
> of subnet information is sufficient for virtually anyone; exceptions
> should be rare enough that they can be handled as special cases.
>
> The /56 monstrosity came about because a US cable company wanted to
> assign a prefix to every home they passed, regardless of whether it
> contained a customer, so that they'd never need to renumber anything
> ever again.  However, that would require they get more than the /32
> minimum allocation, and ARIN policy doesn't allow _potential_ customers
> as a justification for getting a larger allocation, so they had to
> shrink the per-customer prefix down to a /56 to fit them all into a
> single /32.  If all those assignments were to _real_ customers, they
> could have gotten a /24 and given each customer a /48 as expected.  And,
> after that, many folks who can't wrap their heads around the size of the
> IPv6 address space appear to be obsessed with doing the same in other
> cases where even that weak justification doesn't apply...
>
>> Does anybody know why anybody thought it was a good idea to put the extra
>> bits in the middle, or for IPv6 to adopt them?
>
> Why the switch from EUI-48 to EUI-64?  Someone in the IEEE got worried
> about running short of MAC (er, EUI-48) addresses at some point in the
> future, so they inserted 16 bits in the middle (after the OUI) to form
> an EUI-64 and are now discouraging new uses of EUI-48.  The IETF
> decided to follow the IEEE's guidance and switch IPv6 autoconfig from
> EUI-48 to EUI-64, but FireWire is the only significant user of EUI-64
> addresses to date; if you're using a link layer with EUI-48 addresses
> (e.g. Ethernet), an extra 16 bits (FFFE) get stuffed in the middle to
> transform it into the EUI-64 that IPv6 expects.
>
> S
>
> --
> Stephen Sprunk         God does not play dice.  --Albert Einstein
> CCIE #3723         God is an inveterate gambler, and He throws the
> K5SSS        dice at every possible opportunity. --Stephen Hawking
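As an added example (my own code, not from any poster in this thread): the EUI-48 to EUI-64 expansion the quoted message describes, carried one step further than the text does by also inverting the universal/local bit that RFC 4291's modified EUI-64 requires, plus the reverse check an operator can run over observed addresses to see whether an interface identifier embeds a hardware MAC (the reason EUI-64-derived addresses are usually replaced by privacy or random identifiers). The MAC and prefix values are constructed samples.

```python
import ipaddress

# Constructed sample values, not taken from the thread.
SAMPLE_MAC = "00:1b:21:3c:4d:5e"
SAMPLE_PREFIX = "2001:db8:1::/64"


def mac_to_modified_eui64(mac: str) -> str:
    """Expand a 48-bit MAC into the 64-bit IPv6 interface identifier (RFC 4291, Appendix A)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit EUI-48/MAC address")
    # The 16 bits 0xFFFE are inserted between the 24-bit OUI and the
    # 24-bit NIC-specific part, turning the EUI-48 into an EUI-64...
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    # ...and the universal/local bit (0x02 of the first octet) is inverted,
    # which is the "modified" in modified EUI-64.
    modified = bytes([eui64[0] ^ 0x02]) + eui64[1:]
    return ":".join(f"{modified[i]:02x}{modified[i + 1]:02x}" for i in range(0, 8, 2))


def slaac_address(prefix: str, mac: str) -> str:
    """Combine an advertised /64 prefix with the modified EUI-64 identifier as SLAAC does."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    iid = int(mac_to_modified_eui64(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def embedded_mac(addr: str):
    """Return the MAC embedded in an EUI-64-derived address, or None when the
    interface identifier lacks the ff:fe marker (privacy, random or manual IIDs)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    # Undo the universal/local bit inversion and drop the two inserted bytes.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


if __name__ == "__main__":
    print(mac_to_modified_eui64(SAMPLE_MAC))         # 021b:21ff:fe3c:4d5e
    print(slaac_address(SAMPLE_PREFIX, SAMPLE_MAC))  # 2001:db8:1:0:21b:21ff:fe3c:4d5e
    print(embedded_mac("2001:db8::1"))               # None
```

A hit from embedded_mac on a host's global address means its hardware address is visible to every peer it talks to; enabling privacy extensions (RFC 4941) or stable random identifiers (RFC 7217) removes that.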