[uknof] DDoS scrubbing - ballpark pricing figures

2016-08-17 Thread Paul Thornton

Hi folks,

I have been doing some work with a small ISP customer around sourcing 
off-net DDoS scrubbing to protect one of their downstream access 
customers.  I don't really have a feel for the ballpark pricing for this 
kind of service though.


We've been quoted around £20/meg/month[1] of scrubbed clean traffic for 
low hundreds of megabits/sec throughput.  That's for a service that is 
BGP signalled, i.e. it wouldn't be used normally - only if a route was 
announced / community set on a subnet etc.


To anyone who has this kind of service at these levels of throughput - 
Is this "about right" or is it way out?  I don't want people to break 
pricing NDAs etc., just get a feel for what this costs in the 
marketplace in general.


Thanks

Paul.

[1] - For the avoidance of doubt this is GBP 20 per megabit/second for a 
commit of a few hundred megabits/second 95th percentile per month of 
cleaned traffic coming across the connection between the upstream 
scrubbing provider and the downstream ISP being protected.  I.e. attack 
size isn't an issue, it's the actual throughput of clean traffic that 
matters.
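
Added example (not part of Paul's post): how a bill on the model in footnote [1] comes out, and how long cleaned traffic can burst before it moves the 95th percentile. The GBP 20 rate is from the post; the 200 Mbit/s commit, 5-minute sampling, nearest-rank percentile, charging above commit at the same rate, and the traffic figures are assumptions constructed for illustration.

```python
SAMPLES_PER_HOUR = 12  # assumption: one clean-traffic sample every 5 minutes


def rank_95(n):
    """1-based nearest-rank position of the 95th percentile among n samples."""
    return (95 * n + 99) // 100  # integer ceiling of 0.95 * n


def percentile_95(samples_mbps):
    """Sort the samples and discard the top 5%; the highest survivor is billed."""
    if not samples_mbps:
        raise ValueError("no samples")
    ordered = sorted(samples_mbps)
    return ordered[rank_95(len(ordered)) - 1]


def discarded_hours(n):
    """Hours of the busiest samples that the percentile ignores."""
    return (n - rank_95(n)) / SAMPLES_PER_HOUR


def monthly_charge(samples_mbps, commit_mbps, price_per_mbps):
    """Bill the larger of the commit and the measured 95th percentile.

    Assumption: usage above commit is charged at the same per-Mbit/s rate.
    Only cleaned traffic handed to the ISP is sampled, so attack size
    never appears in samples_mbps.
    """
    billable = max(commit_mbps, percentile_95(samples_mbps))
    return billable, billable * price_per_mbps


def constructed_month(burst_hours, base=50.0, burst=400.0, days=30):
    """Constructed data: flat base load plus one burst of clean traffic."""
    total = days * 24 * SAMPLES_PER_HOUR
    burst_samples = int(burst_hours * SAMPLES_PER_HOUR)
    return [burst] * burst_samples + [base] * (total - burst_samples)


if __name__ == "__main__":
    commit, price = 200, 20  # commit is assumed; GBP 20/Mbit/s is from the post
    n = len(constructed_month(0))
    print(f"{n} samples, busiest {discarded_hours(n):.0f} h ignored")
    for hours in (24, 36, 48):
        billable, charge = monthly_charge(constructed_month(hours), commit, price)
        print(f"{hours:>2} h at 400 Mbit/s clean -> bill {billable:.0f} Mbit/s = GBP {charge:.0f}")
```

With these assumptions the busiest 36 hours of a 30-day month are ignored, so a scrubbed event that pushes clean throughput above commit only raises the bill once it lasts longer than that.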





Re: [uknof] Tracking BT MCT progress for VDSL hardware

2016-08-17 Thread David Walters
On Wed, Aug 17, 2016 at 4:06 PM, Keith Mitchell  wrote:
>
> The solution at the time was that approval testing was spun out into an
> independent 3rd party, BABT (* British Approvals Board for
> Telecommunications). AFAICT it appeared to resolve the situation very
> well. I don't know exactly what BABT does now, but feels like a
> similar solution is called for these days...
>

As I understand it 3rd party testing is possible. BT don't require an MCT
pass, just SIN 498 compliance. As long as you can demonstrate that in the
event of an issue then you don't need to test with BT first. I'm just not
aware of anyone else offering a testing service.

Regards,
David


Re: [uknof] Tracking BT MCT progress for VDSL hardware

2016-08-17 Thread Keith Mitchell
I'm slightly astonished that we're in this situation in 2016. My old
fart memory goes back as far as the mid 1980s, when BT had just been
privatised out of the Post Office, and people were trying to move beyond
their 300/1200 acoustic coupler modems on phones hard-wired into the
wall. The approval bar was very high for what 3rd-party equipment
(even phone handsets !) could be connected to their new-fangled jack
sockets, and many similar accusations of test delays, expensive tests,
potential conflicts of interest, anti-competitiveness etc were being
bandied around.

The solution at the time was that approval testing was spun out into an
independent 3rd party, BABT (* British Approvals Board for
Telecommunications). AFAICT it appeared to resolve the situation very
well. I don't know exactly what BABT does now, but feels like a
similar solution is called for these days...

Keith


(*)
https://en.wikipedia.org/wiki/British_Approvals_Board_for_Telecommunications

On 08/17/2016 04:45 AM, Mike Jenkins wrote:
>> 
>> Is there any way to track which hardware and firmware versions
>> have been submitted to BT (or whoever does it on their behalf) for
>> Modem Conformance Testing? I can find the details of how the
>> process works but not which devices have been approved or submitted
>> and pending approval.
> 
> This process is an absolute nightmare at the moment. If one ISP 
> submits a modem/firmware/software combo to Openreach, then it's only 
> approved for that one ISP unless they specifically ask for it to be 
> public. It appears that most do not... In addition, a software 
> upgrade means that the whole approval process has to be repeated. 
> This is not conducive to getting bug/security fixes out to
> customers. With BT unwilling to provide the "BT Openreach" branded
> Huawei or ECT modems any more, this is just spiralling into a
> bureaucratic mess!
> 
> The team are responsive if you are a customer, but I'm not sure that 
> there's any way for an end user to get at this level of detail.

On 08/17/2016 05:16 AM, Steve Howes wrote:
> This is also worth a read
> 
> http://www.revk.uk/2016/08/pointless-tests-at-bt-martlesham.html



Re: [uknof] Tracking BT MCT progress for VDSL hardware

2016-08-17 Thread Neil J. McRae
Agreed Paul - watch this space.

Sent from my iPhone

On 17 Aug 2016, at 14:36, Paul Mansfield wrote:

On 17 Aug 2016 12:09, "Neil J. McRae" wrote:
>
> The goal is to make our services work as best as they can.
>

How will that goal translate to taking action in this case to make as many 
tested CPE hardware/firmware combinations public, so as to maximise the chances 
of end users having the best service from their available CPE hardware?


Re: [uknof] Tracking BT MCT progress for VDSL hardware

2016-08-17 Thread Paul Mansfield
On 17 Aug 2016 12:09, "Neil J. McRae"  wrote:
>
> The goal is to make our services work as best as they can.
>

How will that goal translate to taking action in this case to make as many
tested CPE hardware/firmware combinations public, so as to maximise the
chances of end users having the best service from their available CPE
hardware?


Re: [uknof] IOS XR tcpdump

2016-08-17 Thread Tom Hill

On 17/08/16 13:29, James Bensley wrote:
> One thing I forgot to mention is that as I'm sure you probably
> know already, come IOS-XR 6.1 on ASR9000's we should be able to use
> the Linux containers to run actual tcpdump on the boxes.

But not if you're running Typhoon. :)

-- 
Tom Hill
Network Manager

Bytemark Hosting
http://www.bytemark.co.uk/
tel. +44 1904 890 890



Re: [uknof] IOS XR tcpdump

2016-08-17 Thread James Bensley
On 17 August 2016 at 13:22, Job Snijders  wrote:
> On Wed, Aug 17, 2016 at 01:05:52PM +0100, James Bensley wrote:
>> Is it ever too late to revive a thread?
>>
>> Marty (and anyone else interested) there are packet capturing features
>> inside the NP added in IOS-XR 5.3.3. It works for pretty much all
>> inbound packet drops but only some outbound packet drops.
>>
>> These are some example notes I made;
>> https://null.53bits.co.uk/index.php?page=asr9000-np-packet-capture
>
> Thank you for sharing this!
>
> Kind regards,
>
> Job

One thing I forgot to mention is that as I'm sure you probably know
already, come IOS-XR 6.1 on ASR9000's we should be able to use the
Linux containers to run actual tcpdump on the boxes.

Cheers,
James.



Re: [uknof] IOS XR tcpdump

2016-08-17 Thread Job Snijders
On Wed, Aug 17, 2016 at 01:05:52PM +0100, James Bensley wrote:
> Is it ever too late to revive a thread?
> 
> Marty (and anyone else interested) there are packet capturing features
> inside the NP added in IOS-XR 5.3.3. It works for pretty much all
> inbound packet drops but only some outbound packet drops.
> 
> These are some example notes I made;
> https://null.53bits.co.uk/index.php?page=asr9000-np-packet-capture

Thank you for sharing this!

Kind regards,

Job



Re: [uknof] IOS XR tcpdump

2016-08-17 Thread James Bensley
On 10 July 2015 at 02:51, Marty Strong  wrote:
> Yay Cisco, lagging behind Juniper yet again!
>
> Thanks for the response.
>
> Regards,
> Marty Strong
> --
> CloudFlare - AS13335
> Network Engineer
> ma...@cloudflare.com
> +44 20 3514 6970 UK (Office)
> +44 7584 906 055 UK (Mobile)
> +1 888 993 5273 US (Office)
> smartflare (Skype)
>
> http://www.peeringdb.com/view.php?asn=13335
>
>> On 10 Jul 2015, at 04:17, James Bensley  wrote:
>>
>> On 30 June 2015 at 11:23, Marty Strong  wrote:
>>> Hey UKNOFers,
>>>
>>> Anybody know the Cisco IOS XR equivalent to "monitor traffic interface lo0" 
>>> on a Juniper?
>>>
>>> Searching around online I don’t see anything, and the Cisco documentation 
>>> is as lacking as some features in IOS /troll
>>
>> There isn't any such feature (as of yet) if you are talking about an
>> ASR9000 series device? If so then yeah, nothing yet. I am rather
>> shocked by this but I've been in contact with TAC over various issues
>> with IOS-XR and the ASR9K's and they have confirmed to me there is no
>> "proper" packet-capture feature yet.
>>
>> Even with Typhoon line cards and RSP440s. I would assume this feature
>> is perfectly possible and simply hasn't dropped yet, Cisco haven't
>> confirmed or denied that for me yet though.
>>
>> The best you can do is apply ACLs to the line card to check if a
>> packet that matches the ACL is either ingressing or egressing the PHY
>> or NP or FIA you assign the ACL to. This basically:
>> https://supportforums.cisco.com/document/122386/asr9000xr-how-capture-dropped-or-lost-packets
>>
>> Note before: that is a service affecting operation.
>>
>> You can run SPANs in IOS-XR if you have somewhere to SPAN a port to.
>>
>> Also you can use the interface "monitor" command, "monitor interface
>> xxx" which isn't great but sometimes anything is better than nothing.
>>
>> Cheers,
>> James,


Is it ever too late to revive a thread?

Marty (and anyone else interested) there are packet capturing features
inside the NP added in IOS-XR 5.3.3. It works for pretty much all
inbound packet drops but only some outbound packet drops.

These are some example notes I made;
https://null.53bits.co.uk/index.php?page=asr9000-np-packet-capture

Cheers,
James.



Re: [uknof] IX Cardiff call for CDN's

2016-08-17 Thread Martin Hannigan
On Wed, Aug 17, 2016 at 7:28 AM, Paul Webb wrote:
> Hi Martin,
>
> What scale would you need? I know what's available/possible better than any I 
> guess, and not all of it will be visible to you.
>
> Paul.


Scale == Cost.

It would be great to have a list available publicly of who is there so
we can analyze for ourselves. Adding the building and everyone present
in peeringDB is a great start as Job suggested.

Best,

-M<



Re: [uknof] IX Cardiff call for CDN's

2016-08-17 Thread Paul Webb
Hi Martin,

What scale would you need? I know what's available/possible better than any I 
guess, and not all of it will be visible to you.

Paul.

-Original Message-
From: Martin Hannigan [mailto:hanni...@gmail.com] 
Sent: 17 August 2016 12:22
To: Paul Webb 
Cc: uknof@lists.uknof.org.uk
Subject: Re: [uknof] IX Cardiff call for CDN's

Paul,

There doesn't appear to be a CDN scale competitive transit offering there. How 
do we solve for that? (Which is at least on the top of the list of detractors), 
If you can solve for one, you can probably solve for all. That doesn't remove 
all roadblocks, but it certainly removes a big one.

Thanks,

-M<




On Wed, Aug 17, 2016 at 5:09 AM, Paul Webb wrote:
> The IX Cardiff steering Group is interested in attracting CDN providers with 
> an offer of free hosting space and connectivity to the Cardiff IX.
>
> We recognize that there is a dearth of access network providers at IXCardiff 
> present, although commitments have been made to join by several, and so we're 
> trying to create incentives for them to join faster, and more local content 
> would help this.
>
> Any interest or enquiries please let me know and we can discuss offlist?
>
> Paul Webb
> CEO - Clearstream Technology Group
> Disclaimer: Views or opinions presented are solely those of the author and do 
> not necessarily represent those of Clearstream Technology Ltd or Clearstream 
> Technology Group Ltd (Clearstream). Confidentiality: This email and any 
> attached files are confidential and intended solely for the use of the 
> individual(s) to whom it is addressed. If you are not the intended recipient, 
> you have received this email in error and any use, dissemination, forwarding, 
> printing or copying of this email is strictly prohibited. If you have 
> received this email in error please contact the sender. Security: This e-mail 
> has been created in the knowledge that Internet e-mail is not a 100% secure 
> communications medium. We advise that you understand and observe this lack of 
> security when e-mailing us. Although this email and any attachments are 
> believed to be free of any virus or other defects which might affect any 
> computer or IT system into which they are received, no responsibility is 
> accepted by Clearstream or any of its associated companies for any loss or 
> damage arising in any way from the receipt or use thereof.
>


Re: [uknof] IX Cardiff call for CDN's

2016-08-17 Thread Martin Hannigan
Paul,

There doesn't appear to be a CDN scale competitive transit offering
there. How do we solve for that? (Which is at least on the top of the
list of detractors), If you can solve for one, you can probably solve
for all. That doesn't remove all roadblocks, but it certainly removes
a big one.

Thanks,

-M<




On Wed, Aug 17, 2016 at 5:09 AM, Paul Webb wrote:
> The IX Cardiff steering Group is interested in attracting CDN providers with 
> an offer of free hosting space and connectivity to the Cardiff IX.
>
> We recognize that there is a dearth of access network providers at IXCardiff 
> present, although commitments have been made to join by several, and so we're 
> trying to create incentives for them to join faster, and more local content 
> would help this.
>
> Any interest or enquiries please let me know and we can discuss offlist?
>
> Paul Webb
> CEO - Clearstream Technology Group
>



Re: [uknof] IX Cardiff call for CDN's

2016-08-17 Thread Paul Webb
That's an excellent question. There's more than one party supporting IXCardiff 
(doesn't always feel that way!) but I think there's interest in supporting any 
activities that will help drive IX participation. From Clearstream's 
perspective we sell hosting as our day job, but if a case to drive IX Cardiff 
exists...talk to us!

-Original Message-
From: uknof [mailto:uknof-boun...@lists.uknof.org.uk] On Behalf Of James Bensley
Sent: 17 August 2016 11:46
To: uknof@lists.uknof.org.uk
Subject: Re: [uknof] IX Cardiff call for CDN's

On 17 August 2016 at 10:09, Paul Webb  wrote:
> The IX Cardiff steering Group is interested in attracting CDN providers with 
> an offer of free hosting space and connectivity to the Cardiff IX.

Hi Paul,

Are you only offering free hosting space for CDN providers?

Kind regards,
James.



Re: [uknof] Tracking BT MCT progress for VDSL hardware

2016-08-17 Thread Neil J. McRae
The goal is to make our services work as best as they can.

Sent from my iPhone

On 17 Aug 2016, at 11:01, Phillip Baker wrote:

On Tuesday, 16 August 2016, Neil J. McRae wrote:

If you send me the details of what version and box I can take a look for you.

While it's obviously good of you to offer to help out here - for the life of me 
- I cannot understand why information required to be in compliance with BTs own 
rules (under penalty of disconnection) is (partially) treated like a secret. In 
the case of own branded hardware I can maybe - and only then, maybe - see that 
the information is of limited use to others, but IMO it should still be 
possible to verify that the kit and firmware you have been supplied is in 
compliance with BTs requirements.

It does not appear likely that this approach is helpful to end users (because 
yes, end users still want/need to buy their own equipment despite the trend in 
bundling in some so-so kit), CPs (who can't reliably determine certified kit 
for themselves or their end users), or even BT (who at the least create work 
for themselves fielding enquiries about whether such-and-such is certified and 
who run a greater risk having non-compliant kit connected because the process 
is unnecessarily opaque).

Likewise it seems odd to me that manufacturers (appear to?) have to go via a CP 
to get their own kit approved. Vendors (for it is they with the greatest 
interest in passing certification) submitting their own kit and firmware to BT, 
and any approved device/firmware list being public [1] seems the obvious route 
to take here, but it's possible there's something I (and, evidently, others) 
are missing about the overall reasoning here.

Phil

[1] though vendors would of course promote their efforts here, it should still 
be possible to independently verify their claims, and verify which is the 
latest certified firmware


Re: [uknof] IX Cardiff call for CDN's

2016-08-17 Thread James Bensley
On 17 August 2016 at 10:09, Paul Webb  wrote:
> The IX Cardiff steering Group is interested in attracting CDN providers with 
> an offer of free hosting space and connectivity to the Cardiff IX.

Hi Paul,

Are you only offering free hosting space for CDN providers?

Kind regards,
James.



Re: [uknof] IX Cardiff call for CDN's

2016-08-17 Thread Job Snijders
Dear Paul,

(disclaimer, I am a PeeringDB volunteer)

On Wed, Aug 17, 2016 at 09:09:01AM +, Paul Webb wrote:
> The IX Cardiff steering Group is interested in attracting CDN
> providers with an offer of free hosting space and connectivity to the
> Cardiff IX.
> 
> We recognize that there is a dearth of access network providers at
> IXCardiff present, although commitments have been made to join by
> several, and so we're trying to create incentives for them to join
> faster, and more local content would help this.

I see there are about 30 networks connected to IXCardiff [1] (which is
great), but it seems that this nucleus of interconnection potential
is poorly advertised in the PeeringDB database, only 5 networks have
indicated that they are present at IX Cardiff [2].

You might want to consider to promote the use of PeeringDB amongst the
IX Cardiff participants to signal the exchange's potential to a wider
audience.

[1]: https://www.linx.net/ix-cardiff/about/member-list?letter=all
[2]: https://peeringdb.com/ix/1016

Kind regards,

Job

> Paul Webb
> CEO - Clearstream Technology Group
> Disclaimer: Views or opinions presented are solely those of the author
> and do not necessarily represent those of Clearstream Technology Ltd
> or Clearstream Technology Group Ltd (Clearstream). Confidentiality:
> This email and any attached files are confidential and intended solely
> for the use of the individual(s) to whom it is addressed. If you are
> not the intended recipient, you have received this email in error and
> any use, dissemination, forwarding, printing or copying of this email
> is strictly prohibited. If you have received this email in error
> please contact the sender. Security: This e-mail has been created in
> the knowledge that Internet e-mail is not a 100% secure communications
> medium. We advise that you understand and observe this lack of
> security when e-mailing us. Although this email and any attachments
> are believed to be free of any virus or other defects which might
> affect any computer or IT system into which they are received, no
> responsibility is accepted by Clearstream or any of its associated
> companies for any loss or damage arising in any way from the receipt
> or use thereof.

ps. this footer is ridiculously long and useless!



Re: [uknof] Tracking BT MCT progress for VDSL hardware

2016-08-17 Thread Phillip Baker
On Tuesday, 16 August 2016, Neil J. McRae  wrote:

>
> If you send me the details of what version and box I can take a look for
> you.
>

While it's obviously good of you to offer to help out here - for the life
of me - I cannot understand why information required to be in compliance
with BTs own rules (under penalty of disconnection) is (partially) treated
like a secret. In the case of own branded hardware I can maybe - and only
then, maybe - see that the information is of limited use to others, but
IMO it should still be possible to verify that the kit and firmware you
have been supplied is in compliance with BTs requirements.

It does not appear likely that this approach is helpful to end users
(because yes, end users still want/need to buy their own equipment despite
the trend in bundling in some so-so kit), CPs (who can't reliably determine
certified kit for themselves or their end users), or even BT (who at the
least create work for themselves fielding enquiries about whether
such-and-such is certified and who run a greater risk having non-compliant
kit connected because the process is unnecessarily opaque).

Likewise it seems odd to me that manufacturers (appear to?) have to go via
a CP to get their own kit approved. Vendors (for it is they with the
greatest interest in passing certification) submitting their own kit and
firmware to BT, and any approved device/firmware list being public
[1] seems the obvious route to take here, but it's possible there's
something I (and, evidently, others) are missing about the
overall reasoning here.

Phil

[1] though vendors would of course promote their efforts here, it should
still be possible to independently verify their claims, and verify which is
the latest certified firmware


[uknof] IX Cardiff call for CDN's

2016-08-17 Thread Paul Webb
The IX Cardiff steering Group is interested in attracting CDN providers with an 
offer of free hosting space and connectivity to the Cardiff IX.

We recognize that there is a dearth of access network providers at IXCardiff 
present, although commitments have been made to join by several, and so we're 
trying to create incentives for them to join faster, and more local content 
would help this.

Any interest or enquiries please let me know and we can discuss offlist?

Paul Webb
CEO - Clearstream Technology Group



Re: [uknof] Tracking BT MCT progress for VDSL hardware

2016-08-17 Thread Mike Jenkins
> 
> Is there any way to track which hardware and firmware versions have been
> submitted to BT (or whoever does it on their behalf) for Modem Conformance
> Testing? I can find the details of how the process works but not which devices
> have been approved or submitted and pending approval.
> 

This process is an absolute nightmare at the moment.
If one ISP submits a modem/firmware/software combo to Openreach, then it's only 
approved for that one ISP unless they specifically ask for it to be public. It 
appears that most do not... In addition, a software upgrade means that the 
whole approval process has to be repeated. This is not conducive to getting 
bug/security fixes out to customers. With BT unwilling to provide the "BT 
Openreach" branded Huawei or ECT modems any more, this is just spiralling into 
a bureaucratic mess!

The team are responsive if you are a customer, but I'm not sure that there's 
any way for an end user to get at this level of detail. 

Neil - this is an area where your customer experience could be improved!

Cheers

Mike