[uknof] DDoS scrubbing - ballpark pricing figures
Hi folks,

I have been doing some work with a small ISP customer around sourcing off-net DDoS scrubbing to protect one of their downstream access customers. I don't really have a feel for the ballpark pricing for this kind of service though.

We've been quoted around £20/meg/month[1] of scrubbed clean traffic for low hundreds of megabits/sec throughput. That's for a service that is BGP signalled, ie: it wouldn't be used normally - only if a route was announced / community set on a subnet etc.

To anyone who has this kind of service at these levels of throughput - Is this "about right" or is it way out? I don't want people to break pricing NDAs etc., just get a feel for what this costs in the marketplace in general.

Thanks
Paul.

[1] - For the avoidance of doubt this is GBP 20 per megabit/second for a commit of a few hundred megabits/second 95th percentile per month of cleaned traffic coming across the connection between the upstream scrubbing provider and the downstream ISP being protected. Ie: attack size isn't an issue, it's the actual throughput of clean traffic that matters.
Re: [uknof] Tracking BT MCT progress for VDSL hardware
On Wed, Aug 17, 2016 at 4:06 PM, Keith Mitchell wrote:
>
> The solution at the time was that approval testing was spun out into an
> independent 3rd party, BABT (* British Approvals Board for
> Telecommunications). AFAICT it appeared to resolve the situation very
> well. I don't know exactly what BABT does now, but feels like a
> similar solution is called for these days...
>

As I understand it 3rd party testing is possible. BT don't require an MCT pass, just SIN 498 compliance. As long as you can demonstrate that in the event of an issue then you don't need to test with BT first.

I'm just not aware of anyone else offering a testing service.

Regards,
David
Re: [uknof] Tracking BT MCT progress for VDSL hardware
I'm slightly astonished that we're in this situation in 2016.

My old fart memory goes back as far as the mid 1980s, when BT had just been privatised out of the Post Office, and people were trying to move beyond their 300/1200 acoustic coupler modems on phones hard-wired into the wall. The approval bar was very high for what 3rd-party equipment (even phone handsets!) could be connected to their new-fangled jack sockets, and many similar accusations of test delays, expensive tests, potential conflicts of interest, anti-competitiveness etc were being bandied around.

The solution at the time was that approval testing was spun out into an independent 3rd party, BABT (* British Approvals Board for Telecommunications). AFAICT it appeared to resolve the situation very well. I don't know exactly what BABT does now, but feels like a similar solution is called for these days...

Keith

(*) https://en.wikipedia.org/wiki/British_Approvals_Board_for_Telecommunications

On 08/17/2016 04:45 AM, Mike Jenkins wrote:
>>
>> Is there any way to track which hardware and firmware versions
>> have been submitted to BT (or whoever does it on their behalf) for
>> Modem Conformance Testing? I can find the details of how the
>> process works but not which devices have been approved or submitted
>> and pending approval.
>
> This process is an absolute nightmare at the moment. If one ISP
> submits a modem/firmware/software combo to Openreach, then it's only
> approved for that one ISP unless they specifically ask for it to be
> public. It appears that most do not... In addition, a software
> upgrade means that the whole approval process has to be repeated.
> This is not conducive to getting bug/security fixes out to
> customers. With BT unwilling to provide the "BT Openreach" branded
> Huawei or ECT modems any more, this is just spiralling into a
> bureaucratic mess!
>
> The team are responsive if you are a customer, but I'm not sure that
> there's any way for an end user to get at this level of detail.

On 08/17/2016 05:16 AM, Steve Howes wrote:
> This is also worth a read
>
> http://www.revk.uk/2016/08/pointless-tests-at-bt-martlesham.html
Re: [uknof] Tracking BT MCT progress for VDSL hardware
Agreed Paul - watch this space.

Sent from my iPhone

On 17 Aug 2016, at 14:36, Paul Mansfield wrote:

On 17 Aug 2016 12:09, "Neil J. McRae" wrote:
>
> The goal is to make our services work as best as they can.
>

How will that goal translate to taking action in this case to make as many tested CPE hardware/firmware combinations public, so as to maximise the chances of end users having the best service from their available CPE hardware?
Re: [uknof] Tracking BT MCT progress for VDSL hardware
On 17 Aug 2016 12:09, "Neil J. McRae" wrote:
>
> The goal is to make our services work as best as they can.
>

How will that goal translate to taking action in this case to make as many tested CPE hardware/firmware combinations public, so as to maximise the chances of end users having the best service from their available CPE hardware?
Re: [uknof] IOS XR tcpdump
On 17/08/16 13:29, James Bensley wrote:
> One thing I forgot to mention is that as I'm sure you probably
> know already, come IOS-XR 6.1 on ASR9000's we should be able to use
> the Linux containers to run actual tcpdump on the boxes.

But not if you're running Typhoon. :)

--
Tom Hill
Network Manager
Bytemark Hosting
http://www.bytemark.co.uk/
tel. +44 1904 890 890
Re: [uknof] IOS XR tcpdump
On 17 August 2016 at 13:22, Job Snijders wrote:
> On Wed, Aug 17, 2016 at 01:05:52PM +0100, James Bensley wrote:
>> Is it ever too late to revive a thread?
>>
>> Marty (and anyone else interested) there are packet capturing features
>> inside the NP added in IOS-XR 5.3.3. It works for pretty much all
>> inbound packet drops but only some outbound packet drops.
>>
>> These are some example notes I made;
>> https://null.53bits.co.uk/index.php?page=asr9000-np-packet-capture
>
> Thank you for sharing this!
>
> Kind regards,
>
> Job

One thing I forgot to mention is that as I'm sure you probably know already, come IOS-XR 6.1 on ASR9000's we should be able to use the Linux containers to run actual tcpdump on the boxes.

Cheers,
James.
Re: [uknof] IOS XR tcpdump
On Wed, Aug 17, 2016 at 01:05:52PM +0100, James Bensley wrote:
> Is it ever too late to revive a thread?
>
> Marty (and anyone else interested) there are packet capturing features
> inside the NP added in IOS-XR 5.3.3. It works for pretty much all
> inbound packet drops but only some outbound packet drops.
>
> These are some example notes I made;
> https://null.53bits.co.uk/index.php?page=asr9000-np-packet-capture

Thank you for sharing this!

Kind regards,

Job
Re: [uknof] IOS XR tcpdump
On 10 July 2015 at 02:51, Marty Strong wrote:
> Yay Cisco, lagging behind Juniper yet again!
>
> Thanks for the response.
>
> Regards,
> Marty Strong
> --
> CloudFlare - AS13335
> Network Engineer
> ma...@cloudflare.com
> +44 20 3514 6970 UK (Office)
> +44 7584 906 055 UK (Mobile)
> +1 888 993 5273 US (Office)
> smartflare (Skype)
>
> http://www.peeringdb.com/view.php?asn=13335
>
>> On 10 Jul 2015, at 04:17, James Bensley wrote:
>>
>> On 30 June 2015 at 11:23, Marty Strong wrote:
>>> Hey UKNOFers,
>>>
>>> Anybody know the Cisco IOS XR equivalent to "monitor traffic interface lo0"
>>> on a Juniper?
>>>
>>> Searching around online I don’t see anything, and the Cisco documentation
>>> is as lacking as some features in IOS /troll
>>
>> There isn't any such feature (as of yet) if you are talking about an
>> ASR9000 series device? If so then yeah, nothing yet. I am rather
>> shocked by this but I've been in contact with TAC over various issues
>> with IOS-XR and the ASR9K's and they have confirmed to me there is no
>> "proper" packet-capture feature yet.
>>
>> Even with Typhoon line cards and RSP440s. I would assume this feature
>> is perfectly possible and simply hasn't dropped yet, Cisco haven't
>> confirmed or denied that for me yet though.
>>
>> The best you can do is apply ACLs to the line card to check if a
>> packet that matches the ACL is either ingressing or egressing the PHY
>> or NP or FIA you assign the ACL to. This basically:
>> https://supportforums.cisco.com/document/122386/asr9000xr-how-capture-dropped-or-lost-packets
>>
>> Note before: that is a service affecting operation.
>>
>> You can run SPANs in IOS-XR if you have somewhere to SPAN a port to.
>>
>> Also you can use the interface "monitor" command, "monitor interface
>> xxx" which isn't great but sometimes anything is better than nothing.
>>
>> Cheers,
>> James,

Is it ever too late to revive a thread?

Marty (and anyone else interested) there are packet capturing features inside the NP added in IOS-XR 5.3.3. It works for pretty much all inbound packet drops but only some outbound packet drops.

These are some example notes I made;
https://null.53bits.co.uk/index.php?page=asr9000-np-packet-capture

Cheers,
James.
Re: [uknof] IX Cardiff call for CDN's
On Wed, Aug 17, 2016 at 7:28 AM, Paul Webb wrote:
> Hi Martin,
>
> What scale would you need? I know what's available/possible better than any I
> guess, and not all of it will be visible to you.
>
> Paul.

Scale == Cost.

It would be great to have a list available publicly of who is there so we can analyze for ourselves. Adding the building and everyone present in peeringDB is a great start as Job suggested.

Best,
-M<
Re: [uknof] IX Cardiff call for CDN's
Hi Martin,

What scale would you need? I know what's available/possible better than any I guess, and not all of it will be visible to you.

Paul.

-Original Message-
From: Martin Hannigan [mailto:hanni...@gmail.com]
Sent: 17 August 2016 12:22
To: Paul Webb
Cc: uknof@lists.uknof.org.uk
Subject: Re: [uknof] IX Cardiff call for CDN's

Paul,

There doesn't appear to be a CDN scale competitive transit offering there. How do we solve for that? (Which is at least on the top of the list of detractors), If you can solve for one, you can probably solve for all. That doesn't remove all roadblocks, but it certainly removes a big one.

Thanks,
-M<

On Wed, Aug 17, 2016 at 5:09 AM, Paul Webb wrote:
> The IX Cardiff steering Group is interested in attracting CDN providers with
> an offer of free hosting space and connectivity to the Cardiff IX.
>
> We recognize that there is a dearth of access network providers at IXCardiff
> present, although commitments have been made to join by several, and so we're
> trying to create incentives for them to join faster, and more local content
> would help this.
>
> Any interest or enquiries please let me know and we can discuss offlist?
>
> Paul Webb
> CEO - Clearstream Technology Group
> Disclaimer: Views or opinions presented are solely those of the author and do
> not necessarily represent those of Clearstream Technology Ltd or Clearstream
> Technology Group Ltd (Clearstream). Confidentiality: This email and any
> attached files are confidential and intended solely for the use of the
> individual(s) to whom it is addressed. If you are not the intended recipient,
> you have received this email in error and any use, dissemination, forwarding,
> printing or copying of this email is strictly prohibited. If you have
> received this email in error please contact the sender. Security: This e-mail
> has been created in the knowledge that Internet e-mail is not a 100% secure
> communications medium. We advise that you understand and observe this lack of
> security when e-mailing us. Although this email and any attachments are
> believed to be free of any virus or other defects which might affect any
> computer or IT system into which they are received, no responsibility is
> accepted by Clearstream or any of its associated companies for any loss or
> damage arising in any way from the receipt or use thereof.
>
Re: [uknof] IX Cardiff call for CDN's
Paul,

There doesn't appear to be a CDN scale competitive transit offering there. How do we solve for that? (Which is at least on the top of the list of detractors), If you can solve for one, you can probably solve for all. That doesn't remove all roadblocks, but it certainly removes a big one.

Thanks,
-M<

On Wed, Aug 17, 2016 at 5:09 AM, Paul Webb wrote:
> The IX Cardiff steering Group is interested in attracting CDN providers with
> an offer of free hosting space and connectivity to the Cardiff IX.
>
> We recognize that there is a dearth of access network providers at IXCardiff
> present, although commitments have been made to join by several, and so we're
> trying to create incentives for them to join faster, and more local content
> would help this.
>
> Any interest or enquiries please let me know and we can discuss offlist?
>
> Paul Webb
> CEO - Clearstream Technology Group
Re: [uknof] IX Cardiff call for CDN's
That's an excellent question. There's more than one party supporting IXCardiff (doesn't always feel that way!) but I think there's interest in supporting any activities that will help drive IX participation.

From Clearstream's perspective we sell hosting as our day job, but if a case to drive IX Cardiff exists...talk to us!

-Original Message-
From: uknof [mailto:uknof-boun...@lists.uknof.org.uk] On Behalf Of James Bensley
Sent: 17 August 2016 11:46
To: uknof@lists.uknof.org.uk
Subject: Re: [uknof] IX Cardiff call for CDN's

On 17 August 2016 at 10:09, Paul Webb wrote:
> The IX Cardiff steering Group is interested in attracting CDN providers with
> an offer of free hosting space and connectivity to the Cardiff IX.

Hi Paul,

Are you only offering free hosting space for CDN providers?

Kind regards,
James.
Re: [uknof] Tracking BT MCT progress for VDSL hardware
The goal is to make our services work as best as they can.

Sent from my iPhone

On 17 Aug 2016, at 11:01, Phillip Baker wrote:

On Tuesday, 16 August 2016, Neil J. McRae wrote:

If you send me the details of what version and box I can take a look for you.

While it's obviously good of you to offer to help out here - for the life of me - I cannot understand why information required to be in compliance with BT's own rules (under penalty of disconnection) is (partially) treated like a secret.

In the case of own branded hardware I can maybe - and only then, maybe - see that the information is of limited use to others, but IMO it should still be possible to verify that the kit and firmware you have been supplied is in compliance with BT's requirements.

It does not appear likely that this approach is helpful to end users (because yes, end users still want/need to buy their own equipment despite the trend in bundling in some so-so kit), CPs (who can't reliably determine certified kit for themselves or their end users), or even BT (who at the least create work for themselves fielding enquiries about whether such-and-such is certified and who run a greater risk having non-compliant kit connected because the process is unnecessarily opaque).

Likewise it seems odd to me that manufacturers (appear to?) have to go via a CP to get their own kit approved.

Vendors (for it is they with the greatest interest in passing certification) submitting their own kit and firmware to BT, and any approved device/firmware list being public [1] seems the obvious route to take here, but it's possible there's something I (and, evidently, others) are missing about the overall reasoning here.

Phil

[1] though vendors would of course promote their efforts here, it should still be possible to independently verify their claims, and verify which is the latest certified firmware
Re: [uknof] IX Cardiff call for CDN's
On 17 August 2016 at 10:09, Paul Webb wrote:
> The IX Cardiff steering Group is interested in attracting CDN providers with
> an offer of free hosting space and connectivity to the Cardiff IX.

Hi Paul,

Are you only offering free hosting space for CDN providers?

Kind regards,
James.
Re: [uknof] IX Cardiff call for CDN's
Dear Paul,

(disclaimer, I am a PeeringDB volunteer)

On Wed, Aug 17, 2016 at 09:09:01AM +, Paul Webb wrote:
> The IX Cardiff steering Group is interested in attracting CDN
> providers with an offer of free hosting space and connectivity to the
> Cardiff IX.
>
> We recognize that there is a dearth of access network providers at
> IXCardiff present, although commitments have been made to join by
> several, and so we're trying to create incentives for them to join
> faster, and more local content would help this.

I see there are about 30 networks connected to IXCardiff [1] (which is great), but it seems that this nucleus of interconnection potential is poorly advertised in the PeeringDB database, only 5 networks have indicated that they are present at IX Cardiff [2].

You might want to consider to promote the use of PeeringDB amongst the IX Cardiff participants to signal the exchange's potential to a wider audience.

[1]: https://www.linx.net/ix-cardiff/about/member-list?letter=all
[2]: https://peeringdb.com/ix/1016

Kind regards,

Job

> Paul Webb
> CEO - Clearstream Technology Group
> Disclaimer: Views or opinions presented are solely those of the author
> and do not necessarily represent those of Clearstream Technology Ltd
> or Clearstream Technology Group Ltd (Clearstream). Confidentiality:
> This email and any attached files are confidential and intended solely
> for the use of the individual(s) to whom it is addressed. If you are
> not the intended recipient, you have received this email in error and
> any use, dissemination, forwarding, printing or copying of this email
> is strictly prohibited. If you have received this email in error
> please contact the sender. Security: This e-mail has been created in
> the knowledge that Internet e-mail is not a 100% secure communications
> medium. We advise that you understand and observe this lack of
> security when e-mailing us. Although this email and any attachments
> are believed to be free of any virus or other defects which might
> affect any computer or IT system into which they are received, no
> responsibility is accepted by Clearstream or any of its associated
> companies for any loss or damage arising in any way from the receipt
> or use thereof.

ps. this footer is ridiculously long and useless!
Re: [uknof] Tracking BT MCT progress for VDSL hardware
On Tuesday, 16 August 2016, Neil J. McRae wrote:
>
> If you send me the details of what version and box I can take a look for
> you.
>

While it's obviously good of you to offer to help out here - for the life of me - I cannot understand why information required to be in compliance with BT's own rules (under penalty of disconnection) is (partially) treated like a secret.

In the case of own branded hardware I can maybe - and only then, maybe - see that the information is of limited use to others, but IMO it should still be possible to verify that the kit and firmware you have been supplied is in compliance with BT's requirements.

It does not appear likely that this approach is helpful to end users (because yes, end users still want/need to buy their own equipment despite the trend in bundling in some so-so kit), CPs (who can't reliably determine certified kit for themselves or their end users), or even BT (who at the least create work for themselves fielding enquiries about whether such-and-such is certified and who run a greater risk having non-compliant kit connected because the process is unnecessarily opaque).

Likewise it seems odd to me that manufacturers (appear to?) have to go via a CP to get their own kit approved.

Vendors (for it is they with the greatest interest in passing certification) submitting their own kit and firmware to BT, and any approved device/firmware list being public [1] seems the obvious route to take here, but it's possible there's something I (and, evidently, others) are missing about the overall reasoning here.

Phil

[1] though vendors would of course promote their efforts here, it should still be possible to independently verify their claims, and verify which is the latest certified firmware
[uknof] IX Cardiff call for CDN's
The IX Cardiff steering Group is interested in attracting CDN providers with an offer of free hosting space and connectivity to the Cardiff IX.

We recognize that there is a dearth of access network providers at IXCardiff present, although commitments have been made to join by several, and so we're trying to create incentives for them to join faster, and more local content would help this.

Any interest or enquiries please let me know and we can discuss offlist?

Paul Webb
CEO - Clearstream Technology Group

Disclaimer: Views or opinions presented are solely those of the author and do not necessarily represent those of Clearstream Technology Ltd or Clearstream Technology Group Ltd (Clearstream). Confidentiality: This email and any attached files are confidential and intended solely for the use of the individual(s) to whom it is addressed. If you are not the intended recipient, you have received this email in error and any use, dissemination, forwarding, printing or copying of this email is strictly prohibited. If you have received this email in error please contact the sender. Security: This e-mail has been created in the knowledge that Internet e-mail is not a 100% secure communications medium. We advise that you understand and observe this lack of security when e-mailing us. Although this email and any attachments are believed to be free of any virus or other defects which might affect any computer or IT system into which they are received, no responsibility is accepted by Clearstream or any of its associated companies for any loss or damage arising in any way from the receipt or use thereof.
Re: [uknof] Tracking BT MCT progress for VDSL hardware
>
> Is there any way to track which hardware and firmware versions have been
> submitted to BT (or whoever does it on their behalf) for Modem Conformance
> Testing? I can find the details of how the process works but not which devices
> have been approved or submitted and pending approval.
>

This process is an absolute nightmare at the moment. If one ISP submits a modem/firmware/software combo to Openreach, then it's only approved for that one ISP unless they specifically ask for it to be public. It appears that most do not... In addition, a software upgrade means that the whole approval process has to be repeated. This is not conducive to getting bug/security fixes out to customers. With BT unwilling to provide the "BT Openreach" branded Huawei or ECT modems any more, this is just spiralling into a bureaucratic mess!

The team are responsive if you are a customer, but I'm not sure that there's any way for an end user to get at this level of detail.

Neil - this is an area where your customer experience could be improved!

Cheers
Mike