Hi, first submission so be nice :-)

Ex-CenturyLink'er here, so happy to share my knowledge of their network-based solution if anyone is interested.

Cheers
Chris

On Wed, 5 Feb 2020, 12:00, <nanog-requ...@nanog.org> wrote:

> Send NANOG mailing list submissions to
> nanog@nanog.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://mailman.nanog.org/mailman/listinfo/nanog
> or, via email, send a message with subject or body 'help' to
> nanog-requ...@nanog.org
>
> You can reach the person managing the list at
> nanog-ow...@nanog.org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of NANOG digest..."
>
>
> Today's Topics:
>
> 1. Re: Recommended DDoS mitigation appliance? (Colton Conor)
> 2. RE: Recommended DDoS mitigation appliance? (Phil Lavin)
> 3. RE: Recommended DDoS mitigation appliance? (Kushal R.)
> 4. Re: Recommended DDoS mitigation appliance? (J. Hellenthal)
> 5. Re: Recommended DDoS mitigation appliance? (Colton Conor)
> 6. RE: Recommended DDoS mitigation appliance? (Phil Lavin)
> 7. Re: Jenkins amplification (Daryl)
> 8. Re: Jenkins amplification (Mike Meredith)
> 9. Re: EVPN multicast route (multi home case) implementation / deployment information (Andrey Kostin)
> 10. WTR: 1-2RU @ Equinix Ashburn (Jason Lixfeld)
> 11. Help with survey on enterprise network challenges? (Joseph Severini)
> 12. Re: Jenkins amplification (Christopher Morrow)
> 13. Re: Has Anyone managed to get Delegated RPKI working with ARIN (Cynthia Revström)
> 14. Re: Has Anyone managed to get Delegated RPKI working with ARIN (Randy Bush)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 4 Feb 2020 07:40:18 -0600
> From: Colton Conor <colton.co...@gmail.com>
> To: Javier Juan <javier.j...@gmail.com>
> Cc: Rabbi Rob Thomas <r...@cymru.com>, NANOG <nanog@nanog.org>
> Subject: Re: Recommended DDoS mitigation appliance?
> Message-ID: <camddszn0vhwk70gd0ennprvp9qafqoxz_guziavtgzcwgwn...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Javier,
>
> So is Imperva similar to how Kentik operates? What was it priced like? I like the Kentik solution, but their per-router, per-month pricing is too expensive even for a small network.
>
> On Mon, Feb 3, 2020 at 11:01 AM Javier Juan <javier.j...@gmail.com> wrote:
>
> > Hi!
> >
> > I was looking around (a couple of years ago) for mitigation appliances (Riorey, Arbor, F5 and so on)... but the best and almost affordable solution I found was Incapsula/Imperva.
> >
> > https://docs.imperva.com/bundle/cloud-application-security/page/introducing/network-ddos-monitoring.htm
> >
> > Basically, you send your flows to Imperva in the cloud for analysis. As soon as they find a DDoS attack, they activate mitigation. It's some kind of elegant hybrid solution without on-premise appliances. Just check it out :)
> >
> > Regards,
> >
> > JJ
> >
> > On Sun, Nov 17, 2019 at 11:20 PM Rabbi Rob Thomas <r...@cymru.com> wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA256
> >>
> >> Hello, NANOG!
> >>
> >> I'm in the midst of rebuilding/upgrading our backbone and peering - sessions cheerfully accepted :) - and am curious what folks recommend in the DDoS mitigation appliance realm? Ideally it would be capable of 10Gbps and circa 14Mpps rate of mitigation. If you have a recommendation, I'd love to hear it and the reasons for it. If you have an alternative to an appliance that has worked well for you (we're a mix of Cisco and Juniper), I'm all ears.
> >>
> >> Private responses are fine, and I'm happy to summarize back to the list if there is interest.
> >>
> >> Thank you!
> >> Rob.
> >> - --
> >> Rabbi Rob Thomas Team Cymru
> >> "It is easy to believe in freedom of speech for those with whom we agree." - Leo McKern
> >> -----BEGIN PGP SIGNATURE-----
> >>
> >> iQIzBAEBCAAdFiEEDcVjavXj08cL/QwdQ+hhYvqF8o0FAl3Rx08ACgkQQ+hhYvqF
> >> 8o0snw/8CxTOujcodNh/huMXZaUNlMNoNRz3IoPqBiAP9BZomMz9xqlpDW/qvWBF
> >> xhoJ07C0O0mo5ilNjnPR308uifIBu6ylw02PshOCU06dV0afgtndxGg5AoG9npUV
> >> 7uCi2afWaf22dq5TwKLut8QPNNQJTRzndX88xJw9MzzoBTemxRtM7ft4H3UhJ0hv
> >> oKo83FCNZQt36I+GZA9GBJeXM+o0f5h0w6fhRqARzttf6brJZdXgROyIQ7jptGuZ
> >> N3Yrjk/8RM4XKMnYbtIwl8NS3c0nEGN3ndn+Bz7p2FE7QJrZKonk/o03dvr2kU0Y
> >> 7gUQliOOzV9EsptVGyLCVyDJSElvXTBaps0giEVZhdmEIDJPWvBc+93j1g7xbmti
> >> 27lT6+5qBmEN0oKJWxXgtw9/n1yX9vsc7tXlgYDoXGhIlszdB3baRao1tYEp8BBQ
> >> hTGAULRfHe94tRzvOOQUQIuhzNcK1Q4E2jU6kzBB1wJsBD4zuHk+QIJLSHBmmnka
> >> VNKlQ+5zP8dmSMBp6k4feqAtt3hy0Bj+34FbdQZYPutIe3VXHEjpWI3jI9vKjhtC
> >> g7U/9CQIjVUl2APn1IllArpUpETBlNq7dSeJNUN/4Xh+eHglUnEn/m2kFG5mizmP
> >> d0YvLEVe0/+WzDUz+y3KxDVP5tdJT1VM46FHIgeiB4KrWNGRPUo=
> >> =uuel
> >> -----END PGP SIGNATURE-----
> >>
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200204/f146a39e/attachment-0001.html>
>
> ------------------------------
>
> Message: 2
> Date: Tue, 4 Feb 2020 13:50:07 +0000
> From: Phil Lavin <phil.la...@cloudcall.com>
> To: Colton Conor <colton.co...@gmail.com>, Javier Juan <javier.j...@gmail.com>
> Cc: NANOG <nanog@nanog.org>
> Subject: RE: Recommended DDoS mitigation appliance?
> Message-ID: <db6pr0301mb2533f880b73aee1aa43c483089...@db6pr0301mb2533.eurprd03.prod.outlook.com>
> Content-Type: text/plain; charset="utf-8"
>
> > So is Imperva similar to how Kentik operates? What was it priced like?
>
> It is a nice model as you don't need additional hardware or virtual appliances on-prem, which cuts down on the CAPEX cost. Like everyone else, they price the scrubbing based on your clean traffic levels. Price I have is circa $73,000 a year for 250mbit clean traffic and circa $94,000 a year for 500mbit clean traffic. Reasonably good value if you get attacked a lot - a very expensive insurance policy if not. Yearly pricing is broadly on par with Radware, Arbor and A10 (Verisign).
>
> ------------------------------
>
> Message: 3
> Date: Tue, 4 Feb 2020 19:27:13 +0530
> From: "Kushal R." <kusha...@h4g.co>
> To: Colton Conor <colton.co...@gmail.com>, Javier Juan <javier.j...@gmail.com>, Phil Lavin <phil.la...@cloudcall.com>
> Cc: NANOG <nanog@nanog.org>
> Subject: RE: Recommended DDoS mitigation appliance?
> Message-ID: <8dfb7e0c-f61b-45eb-bd75-f93a3ec92277@Spark>
> Content-Type: text/plain; charset="utf-8"
>
> If you are looking for remote scrubbing, I can highly recommend DDoS-Guard (ddos-guard.com); they do not have any "limits" on the size or the number of attacks, the billing is simply based on the clean bandwidth. The highest they have mitigated for us is about 40G. You can either have it in an always-on mode, with all incoming traffic coming via their 4 POPs (Los Angeles, Amsterdam, Hong Kong or Almaty), or you can use something like FastNetMon or DDoS-Guard's own application that runs on any hardware and use eBGP to route the victim /24 over DDG's network.
>
> --
>
> Kushal R. | Management
> Office: +1-8557374335 (Global) | +91-8080807931 (India)
>
> WhatsApp: +1-3104050010 (Global) | +91-9834801976 (India)
>
> host4geeks.com
> host4geeks.in
>
> On 4 Feb 2020, 7:22 PM +0530, Phil Lavin <phil.la...@cloudcall.com>, wrote:
>
> > > So is Imperva similar to how Kentik operates? What was it priced like?
> >
> > It is a nice model as you don't need additional hardware or virtual appliances on-prem, which cuts down on the CAPEX cost. Like everyone else, they price the scrubbing based on your clean traffic levels. Price I have is circa $73,000 a year for 250mbit clean traffic and circa $94,000 a year for 500mbit clean traffic. Reasonably good value if you get attacked a lot - a very expensive insurance policy if not. Yearly pricing is broadly on par with Radware, Arbor and A10 (Verisign).
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200204/021b4821/attachment-0001.html>
>
> ------------------------------
>
> Message: 4
> Date: Tue, 4 Feb 2020 08:04:30 -0600
> From: "J. Hellenthal" <jhellent...@dataix.net>
> To: Javier Juan <javier.j...@gmail.com>
> Cc: Rabbi Rob Thomas <r...@cymru.com>, nanog@nanog.org
> Subject: Re: Recommended DDoS mitigation appliance?
> Message-ID: <654d5fd3-7d9d-423a-b2a9-817cc443a...@dataix.net>
> Content-Type: text/plain; charset="utf-8"
>
> Hopefully you would be sending those flows out a different circuit than the one that's going to get swamped with a DDoS, otherwise... it might just take a while to mitigate that ;-) depending on the type, obviously.
>
> --
> J. Hellenthal
>
> The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.
>
> > On Feb 3, 2020, at 11:01, Javier Juan <javier.j...@gmail.com> wrote:
> >
> > Hi!
> >
> > I was looking around (a couple of years ago) for mitigation appliances (Riorey, Arbor, F5 and so on)... but the best and almost affordable solution I found was Incapsula/Imperva.
> >
> > https://docs.imperva.com/bundle/cloud-application-security/page/introducing/network-ddos-monitoring.htm
> >
> > Basically, you send your flows to Imperva in the cloud for analysis. As soon as they find a DDoS attack, they activate mitigation. It's some kind of elegant hybrid solution without on-premise appliances. Just check it out :)
> >
> > Regards,
> >
> > JJ
> >
> >> On Sun, Nov 17, 2019 at 11:20 PM Rabbi Rob Thomas <r...@cymru.com> wrote:
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA256
> >>
> >> Hello, NANOG!
> >>
> >> I'm in the midst of rebuilding/upgrading our backbone and peering - sessions cheerfully accepted :) - and am curious what folks recommend in the DDoS mitigation appliance realm? Ideally it would be capable of 10Gbps and circa 14Mpps rate of mitigation. If you have a recommendation, I'd love to hear it and the reasons for it. If you have an alternative to an appliance that has worked well for you (we're a mix of Cisco and Juniper), I'm all ears.
> >>
> >> Private responses are fine, and I'm happy to summarize back to the list if there is interest.
> >>
> >> Thank you!
> >> Rob.
> >> - --
> >> Rabbi Rob Thomas Team Cymru
> >> "It is easy to believe in freedom of speech for those with whom we agree." - Leo McKern
> >> -----BEGIN PGP SIGNATURE-----
> >>
> >> iQIzBAEBCAAdFiEEDcVjavXj08cL/QwdQ+hhYvqF8o0FAl3Rx08ACgkQQ+hhYvqF
> >> 8o0snw/8CxTOujcodNh/huMXZaUNlMNoNRz3IoPqBiAP9BZomMz9xqlpDW/qvWBF
> >> xhoJ07C0O0mo5ilNjnPR308uifIBu6ylw02PshOCU06dV0afgtndxGg5AoG9npUV
> >> 7uCi2afWaf22dq5TwKLut8QPNNQJTRzndX88xJw9MzzoBTemxRtM7ft4H3UhJ0hv
> >> oKo83FCNZQt36I+GZA9GBJeXM+o0f5h0w6fhRqARzttf6brJZdXgROyIQ7jptGuZ
> >> N3Yrjk/8RM4XKMnYbtIwl8NS3c0nEGN3ndn+Bz7p2FE7QJrZKonk/o03dvr2kU0Y
> >> 7gUQliOOzV9EsptVGyLCVyDJSElvXTBaps0giEVZhdmEIDJPWvBc+93j1g7xbmti
> >> 27lT6+5qBmEN0oKJWxXgtw9/n1yX9vsc7tXlgYDoXGhIlszdB3baRao1tYEp8BBQ
> >> hTGAULRfHe94tRzvOOQUQIuhzNcK1Q4E2jU6kzBB1wJsBD4zuHk+QIJLSHBmmnka
> >> VNKlQ+5zP8dmSMBp6k4feqAtt3hy0Bj+34FbdQZYPutIe3VXHEjpWI3jI9vKjhtC
> >> g7U/9CQIjVUl2APn1IllArpUpETBlNq7dSeJNUN/4Xh+eHglUnEn/m2kFG5mizmP
> >> d0YvLEVe0/+WzDUz+y3KxDVP5tdJT1VM46FHIgeiB4KrWNGRPUo=
> >> =uuel
> >> -----END PGP SIGNATURE-----
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200204/a0d80487/attachment-0001.html>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 3944 bytes
> Desc: not available
> URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200204/a0d80487/attachment-0001.bin>
>
> ------------------------------
>
> Message: 5
> Date: Tue, 4 Feb 2020 08:25:21 -0600
> From: Colton Conor <colton.co...@gmail.com>
> To: Phil Lavin <phil.la...@cloudcall.com>
> Cc: Javier Juan <javier.j...@gmail.com>, NANOG <nanog@nanog.org>
> Subject: Re: Recommended DDoS mitigation appliance?
> Message-ID: <camddszonkyyt4aemglm7iohyphzbb7nkbu_rsr+y6_gaban...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Phil,
>
> This sounds like a different model to me. Kentik I think averages out around $500 per 10G per month. Kentik doesn't do any scrubbing, however. Does anyone have a guide to DDoS services? Seems like there is a wide array of pricing and technology options.
>
> On Tue, Feb 4, 2020 at 7:50 AM Phil Lavin <phil.la...@cloudcall.com> wrote:
>
> > > So is Imperva similar to how Kentik operates? What was it priced like?
> >
> > It is a nice model as you don't need additional hardware or virtual appliances on-prem, which cuts down on the CAPEX cost. Like everyone else, they price the scrubbing based on your clean traffic levels. Price I have is circa $73,000 a year for 250mbit clean traffic and circa $94,000 a year for 500mbit clean traffic. Reasonably good value if you get attacked a lot - a very expensive insurance policy if not. Yearly pricing is broadly on par with Radware, Arbor and A10 (Verisign).
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200204/64450404/attachment-0001.html>
>
> ------------------------------
>
> Message: 6
> Date: Tue, 4 Feb 2020 14:27:33 +0000
> From: Phil Lavin <phil.la...@cloudcall.com>
> To: Colton Conor <colton.co...@gmail.com>
> Cc: Javier Juan <javier.j...@gmail.com>, NANOG <nanog@nanog.org>
> Subject: RE: Recommended DDoS mitigation appliance?
> Message-ID: <db6pr0301mb2533333514b0c540168e7b6189...@db6pr0301mb2533.eurprd03.prod.outlook.com>
> Content-Type: text/plain; charset="utf-8"
>
> > This sounds like a different model to me. Kentik I think averages out around $500 per 10G per month
>
> I was talking about Imperva
>
> ------------------------------
>
> Message: 7
> Date: Mon, 3 Feb 2020 13:39:10 -0600
> From: Daryl <lists@soldmydata.online>
> To: nanog@nanog.org
> Subject: Re: Jenkins amplification
> Message-ID: <20200203133910.2dfb5f5c@mail>
> Content-Type: text/plain; charset=US-ASCII
>
> On Mon, 3 Feb 2020 10:55:35 -0800 (PST)
> Sabri Berisha <sa...@cluecentral.net> wrote:
>
> > ----- On Feb 3, 2020, at 10:35 AM, Christopher Morrow morrowc.li...@gmail.com wrote:
> >
> > > On Mon, Feb 3, 2020 at 1:26 PM William Herrin <b...@herrin.us> wrote:
> >
> > >> VPN.
> > >
> > > I love it when my home network gets full access to the corporate network!
> >
> > Most places I've worked at issue company-controlled laptops with company-controlled VPN software which will disable all local access and even disconnect if you dare to manually change the routing table to access the printer in your home office.
> >
> > In fact, a too tightly controlled VPN contributed to a 7-figure loss during an outage at a company whose name shall not be mentioned.
> >
> > Your home network should have no access to the corp network. Your company-issued laptop should.
> >
> > Thanks,
> >
> > Sabri
>
> That's how our company operates. I went a step further and put all company-issued equipment on its own VLAN at home.
>
>
> ------------------------------
>
> Message: 8
> Date: Tue, 4 Feb 2020 16:12:45 +0000
> From: Mike Meredith <mike.mered...@port.ac.uk>
> To: nanog@nanog.org
> Subject: Re: Jenkins amplification
> Message-ID: <20200204161245.10aac...@scrofula.eps.is.port.ac.uk>
> Content-Type: text/plain; charset="utf-8"
>
> On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow <morrowc.li...@gmail.com> may have written:
> > My experience, and granted it's fairly scoped, is that this sort of thing works fine for a relatively small set of 'persons' and 'resources'.
>
> Seeing as managing this sort of thing is my primary job these days ...
>
> > it ends up being about the cross-product of #users * #resources.
>
> That's the interesting part of the job - coalescing rules in a way that minimises the security impact but maximises the decrease of complexity. If you don't, you get an explosion of complexity that results in a set of rules (I know of an equivalent organisation that has over 1,000 firewall rules) that becomes insanely complex to manage.
>
> > certainly a more holistic version of the story is correct.
> > the relatively flippant answer way-back-up-list of: "vpn"
>
> I think that "vpn" is the right answer - it's preferable to publishing services to the entire world that only need to be used by employees. But it's not cheap or easy.
>
> --
> Mike Meredith, University of Portsmouth
> Hostmaster, Security, and Chief Systems Engineer
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 488 bytes
> Desc: OpenPGP digital signature
> URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200204/51fff1b7/attachment-0001.sig>
>
> ------------------------------
>
> Message: 9
> Date: Tue, 04 Feb 2020 11:59:13 -0500
> From: Andrey Kostin <ank...@podolsk.ru>
> To: "Mankamana Mishra (mankamis)" <manka...@cisco.com>
> Cc: nanog@nanog.org
> Subject: Re: EVPN multicast route (multi home case) implementation / deployment information
> Message-ID: <af953fad372932f55b167921bd415...@podolsk.ru>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Hi Mankamana,
>
> For Juniper:
>
> Starting in Junos OS 18.4R1, devices with IGMP snooping enabled use selective multicast forwarding in a centrally routed EVPN-VXLAN network to replicate and forward multicast traffic. As before, IGMP snooping allows the leaf device to send multicast traffic only to the access interface with an interested receiver. But now, when IGMP snooping is enabled, the leaf device selectively sends multicast traffic to only the leaf devices in the core that have expressed an interest in that multicast group. In selective multicast forwarding, leaf devices always send multicast traffic to the spine device so that it can route inter-VLAN multicast traffic through its IRB interface.
>
> https://www.juniper.net/documentation/en_US/junos/topics/concept/evpn-selective-multicast-forwarding.html
>
> Kind regards,
> Andrey
>
> Mankamana Mishra (mankamis) via NANOG wrote 2020-02-03 18:34:
> > Folks
> >
> > Wondering if there is any known implementation of EVPN multihome multicast routes which are defined in
> >
> > https://tools.ietf.org/html/draft-ietf-bess-evpn-igmp-mld-proxy-04
> >
> > There is some change planned in the NLRI; we want to make sure to have a solution which does work well with existing implementations.
> >
> > NOTE: Discussion INVOLVES NOKIA, JUNIPER, CISCO, ARISTA ALREADY. SO LOOKING FOR ANY OTHER VENDOR WHO HAS AN IMPLEMENTATION.
> >
> > Mankamana
>
> ------------------------------
>
> Message: 10
> Date: Tue, 4 Feb 2020 12:10:00 -0500
> From: Jason Lixfeld <jason+na...@lixfeld.ca>
> To: NANOG mailing list <nanog@nanog.org>
> Subject: WTR: 1-2RU @ Equinix Ashburn
> Message-ID: <7bc7d4a3-5691-45d8-9c27-d8a21cd0b...@lixfeld.ca>
> Content-Type: text/plain; charset=utf-8
>
> Hi,
>
> I'm wondering if anyone is looking to subsidize their Equinix Ashburn colo costs by way of carving out 1-2 RU to a friendly for a low-density networking application. If so, I'd love to hear from you!
>
> Thanks in advance!
>
> ------------------------------
>
> Message: 11
> Date: Tue, 4 Feb 2020 13:04:19 -0500
> From: Joseph Severini <jseve...@andrew.cmu.edu>
> To: nanog@nanog.org
> Subject: Help with survey on enterprise network challenges?
> Message-ID: <CAGBamiMrvAk599A0_fAW=sdmxjohr8mve9j9yxmhq+r52pj...@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi,
>
> My name is Joseph Severini, and I am a PhD student in the Computer Science Department at Carnegie Mellon University.
>
> I'm working on a research project to identify common operational challenges in modern enterprise computer networks. I've put together a survey to identify these challenges by analyzing some operational problems found in the Network Engineering Stack Exchange open-source dataset. You'll be given a problem from the dataset and asked some questions about it.
>
> I would appreciate it if you would consider taking this survey, which can be found at the link below:
>
> http://cmu.ca1.qualtrics.com/jfe/form/SV_dm6i9znuPWlLDN3
>
> The survey should take ~15 minutes. Participation is voluntary, with no compensation, and all responses are anonymous. You must be at least 18 years old to complete the survey.
>
> Thanks,
> Joseph Severini
>
> PhD Student
> CMU Computer Science Department
>
>
> ------------------------------
>
> Message: 12
> Date: Tue, 4 Feb 2020 15:59:37 -0500
> From: Christopher Morrow <morrowc.li...@gmail.com>
> To: Mike Meredith <mike.mered...@port.ac.uk>
> Cc: nanog list <nanog@nanog.org>
> Subject: Re: Jenkins amplification
> Message-ID: <CAL9jLaaiiLsOqShddYcdn_HYO0aeY+skF+XDefK3Uhvm+=a...@mail.gmail.com>
> Content-Type: text/plain; charset="UTF-8"
>
> On Tue, Feb 4, 2020 at 11:15 AM Mike Meredith <mike.mered...@port.ac.uk> wrote:
> >
> > On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow <morrowc.li...@gmail.com> may have written:
> > > My experience, and granted it's fairly scoped, is that this sort of thing works fine for a relatively small set of 'persons' and 'resources'.
> >
> > Seeing as managing this sort of thing is my primary job these days ...
>
> <beer, you probably deserve one> :)
>
> > > it ends up being about the cross-product of #users * #resources.
> >
> > That's the interesting part of the job - coalescing rules in a way that minimises the security impact but maximises the decrease of complexity. If you don't, you get an explosion of complexity that results in a set of rules (I know of an equivalent organisation that has over 1,000 firewall rules) that becomes insanely complex to manage.
>
> I think the fact that it's hard to keep all of this going and to contain the natural spread of destruction (that it takes someone with a pretty singular focus) makes my point.
>
> > > certainly a more holistic version of the story is correct.
> > > the relatively flippant answer way-back-up-list of: "vpn"
> >
> > I think that "vpn" is the right answer - it's preferable to publishing services to the entire world that only need to be used by employees. But it's not cheap or easy.
>
> Weighing the cost/benefit is certainly each org's decision. Having lived without VPN for a long while and under the regime of authen/author for users with proper token/etc access... I'd not want my internal network opened to the wilds of VPN users :( (I actively discourage this at work because there are vanishingly small reasons why a full network connection is really required by a user at this point).
>
> anyway, good luck!
>
>
> ------------------------------
>
> Message: 13
> Date: Wed, 5 Feb 2020 10:56:51 +0100
> From: Cynthia Revström <m...@cynthia.re>
> To: christop...@ve7alb.ca
> Cc: NANOG list <nanog@nanog.org>
> Subject: Re: Has Anyone managed to get Delegated RPKI working with ARIN
> Message-ID: <cakw1m3pqtvb6zyjkn5emdbyjtsqxx4seuyfbduf-jqnlwsm...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> (Re-sent as I forgot to include the ML the first time, oops)
> Hi Chris,
>
> I recently figured it out and posted it on the NLNetLabs RPKI mailing list.
> https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html
> I hope it helps :)
>
> - Cynthia
>
> On Wed, Jan 29, 2020 at 6:31 PM Christopher Munz-Michielin <christop...@ve7alb.ca> wrote:
>
> > Hi Nanog,
> >
> > Posting here since my Google-fu is coming up short. I'm trying to set up delegated RPKI in ARIN using rpki.net's rpkid Python daemon and am running into an issue submitting the identity file to ARIN's control panel. The same file submitted to RIPE's test environment at https://localcert.ripe.net/#/rpki works without issue, while submitting to ARIN results in "Invalid Identity.xml file."
> >
> > The guide I'm following is this one:
> > https://github.com/dragonresearch/rpki.net/blob/master/doc/quickstart/xenial-ca.md
> > and I'm able to get as far as generating the identity file.
> >
> > Wondering if anyone has gone down this road before and has any helpful hints to make this work?
> >
> > Cheers,
> > Chris
>
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200205/49b8cf46/attachment-0001.html>
>
> ------------------------------
>
> Message: 14
> Date: Wed, 05 Feb 2020 02:52:08 -0800
> From: Randy Bush <ra...@psg.com>
> To: "Cynthia Revström" <m...@cynthia.re>
> Cc: christop...@ve7alb.ca, NANOG list <nanog@nanog.org>
> Subject: Re: Has Anyone managed to get Delegated RPKI working with ARIN
> Message-ID: <m2o8ud71d3.wl-ra...@psg.com>
> Content-Type: text/plain; charset=US-ASCII
>
> > I recently figured it out and posted it on the NLNetLabs RPKI mailing list.
> > https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html
>
> nice. thank you.
>
> randy
>
>
> End of NANOG Digest, Vol 145, Issue 5
> *************************************
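The "Jenkins amplification" sub-thread quoted above (Messages 8 and 12) turns on one engineering point: per-user, per-resource access rules grow as #users * #resources, and the job is to coalesce them without widening anyone's access. The example below is added here as an illustration of that point; it is not code from the digest or from any of the posters, and the user and resource names in it are constructed sample data. It groups users that hold exactly the same set of resources into one rule each, then re-expands the coalesced rules and diffs them against the original grants so that any over-grant or under-grant is caught before the rules go anywhere near a firewall.

```python
"""Coalesce explicit (user, resource) grants into group rules and prove the
result grants exactly the same access.  Added example, not from the thread;
all users and resources below are constructed sample data."""
from collections import defaultdict

# Constructed sample: the "cross-product" style rule set, one explicit
# grant per (user, resource) pair.
EXPLICIT_GRANTS = {
    ("alice", "jenkins"), ("alice", "gitlab"), ("alice", "wiki"),
    ("bob", "jenkins"), ("bob", "gitlab"), ("bob", "wiki"),
    ("carol", "jenkins"), ("carol", "gitlab"), ("carol", "wiki"),
    ("dave", "wiki"), ("dave", "payroll"),
    ("erin", "wiki"), ("erin", "payroll"),
    ("frank", "wiki"),
}


def coalesce(grants):
    """Return group rules as a list of (frozenset(users), frozenset(resources)).

    Users are merged into one rule only when their resource sets are identical,
    so a merged rule can never hand a user a resource it did not already have.
    """
    per_user = defaultdict(set)
    for user, resource in grants:
        per_user[user].add(resource)
    users_by_resource_set = defaultdict(set)
    for user, resources in per_user.items():
        users_by_resource_set[frozenset(resources)].add(user)
    return [(frozenset(users), resources)
            for resources, users in users_by_resource_set.items()]


def expand(rules):
    """Re-expand group rules into the explicit (user, resource) pairs they grant."""
    return {(user, resource)
            for users, resources in rules
            for user in users
            for resource in resources}


def check_equivalent(grants, rules):
    """Return (over_granted, under_granted); both are empty when rules == grants.

    over_granted: pairs the coalesced rules allow that were never granted.
    under_granted: granted pairs the coalesced rules fail to allow.
    """
    expanded = expand(rules)
    return expanded - set(grants), set(grants) - expanded


def summarize(grants):
    """Coalesce, verify, and report rule counts plus any access drift."""
    rules = coalesce(grants)
    over, under = check_equivalent(grants, rules)
    return {
        "explicit_rules": len(grants),
        "group_rules": len(rules),
        "over_granted": sorted(over),
        "under_granted": sorted(under),
    }


if __name__ == "__main__":
    for users, resources in coalesce(EXPLICIT_GRANTS):
        print(sorted(users), "->", sorted(resources))
    print(summarize(EXPLICIT_GRANTS))
```

On the sample data the 14 explicit grants collapse to 3 group rules with no drift in either direction. The grouping is deliberately conservative: merging only users with identical resource sets is the one coalescing step that is provably safe, and the `check_equivalent` diff is what you would run again after any further hand-merging (for instance a single "wiki for everyone" rule) to confirm the reduced set still grants exactly what the explicit set did.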