Re: Attacks on BGP Routing Ranges

2018-04-18 Thread Roland Dobbins
On 18 Apr 2018, at 18:03, Ryan Hamel wrote: Could you explain how this can resolve my issue? I am not sure how this would work. You should have iACLs and GTSM enabled, as noted previously. Ideally, the link should come from an unadvertised range, or a range which is sunk to null0 at the

Re: Suggestion for Layer 3, all SFP+ switches

2018-04-18 Thread Colton Conor
What is your budget? I know on the low end many operators are using the Huawei S6720S-26Q-EI-24S-AC. You can get these new for $2500 to $3500, and they support all the features and port counts you requested. They also have a lifetime warranty that includes advanced replacement (10 days), TAC

RE: Suggestion for Layer 3, all SFP+ switches

2018-04-18 Thread Aaron Gould
look at these... * Juniper ACX5048 - I've deployed about ~50 of these over the last couple years and they are great boxes. I'm using them as mpls p/pe running L3VPN (v4 and tested 6vpe), L2VPN (manual martini l2circuits and bgp-ad rfc4762, I'll say that IOS XR asr9k has an occasional problem

Re: Is WHOIS going to go away?

2018-04-18 Thread Rubens Kuhl
On Wed, Apr 18, 2018 at 5:51 PM, Florian Weimer wrote: > * Filip Hruska: > > > On 04/14/2018 07:29 PM, Florian Weimer wrote: > >> * Filip Hruska: > >> > >>> EURID (.eu) WHOIS already works on a basis that no information about > the > >>> registrant is available via standard

Re: Is WHOIS going to go away?

2018-04-18 Thread Florian Weimer
* Filip Hruska: > On 04/14/2018 07:29 PM, Florian Weimer wrote: >> * Filip Hruska: >> >>> EURID (.eu) WHOIS already works on a basis that no information about the >>> registrant is available via standard WHOIS. >>> In order to get any useful information you have to go to >>>

RE: Suggestion for Layer 3, all SFP+ switches

2018-04-18 Thread Luke Guillory
Juniper ACX 5048 is what we use though you need to license 10g ports (ACX5K-L-1X10GE) and VPN (ACX5K-L-IPVPN) QFX does MPLS but I'm pretty sure it doesn't do VPLS. ns -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Brandon Martin Sent: Wednesday,

Re: Suggestion for Layer 3, all SFP+ switches

2018-04-18 Thread Hunter Fuller
Ruckus ICX switches do not do MPLS. They meet all the other requirements listed, but unfortunately MPLS was listed as the most important one. On Wed, Apr 18, 2018 at 3:01 PM Brandon Martin wrote: > On 04/18/2018 03:49 PM, Eric Litvin wrote: > > Brocade/arris is eager

Re: Suggestion for Layer 3, all SFP+ switches

2018-04-18 Thread Brandon Martin
On 04/18/2018 03:49 PM, Eric Litvin wrote: Brocade/arris is eager for business these days. They have a nice switch (10g ports with 40g stacking) that should meet your needs with very aggressive pricing. Does the Brocade/Foundry-lineage stuff that went to Arris actually do MPLS? I didn't

Re: Suggestion for Layer 3, all SFP+ switches

2018-04-18 Thread Eric Litvin
Brocade/arris is eager for business these days. They have a nice switch (10g ports with 40g stacking) that should meet your needs with very aggressive pricing. Eric Sent from my iPhone > On Apr 18, 2018, at 5:26 AM, Giuseppe Spanò - Datacast Srl > wrote: > > Hello, >

Re: Attacks on BGP Routing Ranges

2018-04-18 Thread William Herrin
On Wed, Apr 18, 2018 at 7:03 AM, Ryan Hamel wrote: > The attacks are definitely inbound on the border router interface. I have > tracked outbound attacks before and wish it was this simple, but it's not. > >> a) edge filter, on all edge interfaces ensure that only udp

Re: Attacks on BGP Routing Ranges

2018-04-18 Thread Saku Ytti
Hey, On 18 April 2018 at 14:03, Ryan Hamel wrote: >> a) edge filter, on all edge interfaces ensure that only udp traceroute, icmp >> are sent (policed) to infrastructure addresses > > While I can implement an edge filter to drop such traffic, it's impacting our >

ANRW 2018

2018-04-18 Thread Jared Mauch
I’m forwarding this on behalf of the ANRW Chairs. Some of this research has been quite interesting, and is on-topic to what NANOG folks are interested in. Here’s some more details about it: https://irtf.org/anrp You can find their slides and presentation videos online as well, with the most

Suggestion for Layer 3, all SFP+ switches

2018-04-18 Thread Giuseppe Spanò - Datacast Srl
Hello, we're looking for some L3 switches to be used as distribution devices. They should have all (at least 24) SFP+ ports 10G and at least a couple of upstream ports 40G capable, but what is most important, they should be able to run MPLS, EoMPLS and VPLS. Is there any device you would

Re: Attacks on BGP Routing Ranges

2018-04-18 Thread Jon Lewis
On Wed, 18 Apr 2018, Ryan Hamel wrote: c) do run BGP with GTSM, so you can drop BGP packets with lower TTL than 255 Could you explain how this can resolve my issue? I am not sure how this would work. If the issue is flooding to your interface IP, that's not a relevant countermeasure.

Re: Attacks on BGP Routing Ranges

2018-04-18 Thread Ryan Hamel
Saku, The attacks are definitely inbound on the border router interface. I have tracked outbound attacks before and wish it was this simple, but it's not. > a) edge filter, on all edge interfaces ensure that only udp traceroute, icmp > are sent (policed) to infrastructure addresses While I can

Re: Attacks on BGP Routing Ranges

2018-04-18 Thread Ryan Hamel
Job, Unfortunately, with my current situation, we have stopped exporting our prefixes with the tier-1 carrier and still use the outbound bandwidth. I highly doubt they will implement such a solution, but is something to keep in mind for the future. Thanks for the tip! Ryan Hamel

Re: Attacks on BGP Routing Ranges

2018-04-18 Thread Saku Ytti
Hey Ryan, I'm assuming edge link in your network facing another administrative domain. You'll have two scenarios 1) attack coming from your side 2) attack coming from far side You can easily stop 1, obviously. But for 2, you really need to have far-side who is cooperative and understanding of

Re: Attacks on BGP Routing Ranges

2018-04-18 Thread Job Snijders
Hi, On Wed, 18 Apr 2018 at 11:39, Ryan Hamel wrote: > I wanted to poll everyone's thoughts on how to deal with attacks directly > on BGP peering ranges (/30's, /127's). > > I know that sending an RTBH for our side of the upstream routing range > does not resolve the

Attacks on BGP Routing Ranges

2018-04-18 Thread Ryan Hamel
Hello, I wanted to poll everyone's thoughts on how to deal with attacks directly on BGP peering ranges (/30's, /127's). I know that sending an RTBH for our side of the upstream routing range does not resolve the issue, and it would actually make things worse by blackholing all inbound traffic