Re: Howto for BGP black holing/null routing
On Tue, Feb 22, 2011 at 4:55 PM, Jack Carrozzo wrote:
> Maybe I read your question wrong, but null-routing things at your border is
> often not very useful if the traffic is flooding your transit links. Most
> transits publish their community lists - you just need to tag the prefix you
> want to blackhole with the right community.

This is certainly true. Although most "big transit networks" offer this feature today, there are some important differences in what some of them will and won't accept. Some will only learn /32s, some say they'll accept /30-/32 but nothing shorter, some will honor anything you send them. This may be undocumented. Some networks seem to have forgotten about this feature when implementing IPv6, even though it is offered for IPv4.

I don't see any value in not accepting a RTBH /24 but accepting a /30. I also don't know of any platform issues which would make deploying RTBH for IPv6 BGP customers any more difficult than doing so for IPv4.

--
Jeff S Wheeler
Sr Network Operator / Innovative Network Concepts
Re: Howto for BGP black holing/null routing
On Tue, 22 Feb 2011 16:42:28 -0500, David Hubbard wrote
> I was wondering if anyone has a howto floating around on the
> step by step setup of having an internal bgp peer for sending
> quick updates to border routers to null route sources of
> undesirable traffic? I've seen it discussed on nanog from
> time to time, typically suggesting using Zebra, but could
> not search up a link on a step by step.

Ultimately it depends on the transit provider. For example, some have you set up a separate BGP session with a black hole router. Any prefix sent will be blackholed network wide. Some, such as the case of Level3, they are looking for specific community tags on your primary BGP session.

So in a nutshell...let's blackhole a host:

    ip route x.x.x.x 255.255.255.255 null0 tag 255

Then set up a static-to-bgp with route-map to add community strings (for example 3356: for level3) to your routes with tag 255.

    route-map STATIC-TO-BGP permit 10
     match tag 255
     set community 3356:
     set origin igp

And in your BGP config:

    redistribute static route-map STATIC-TO-BGP

Now, for the case of level3, you're already set (just be sure to apply send-community on the neighbor). Now for a provider having a unique blackhole BGP session, you want a special route-map to filter prefixes going out that session:

    ip community-list BLACKHOLE seq 10 permit 3356:
    route-map BLACKHOLE permit 10
     match community BLACKHOLE

Now for the blackhole session:

    neighbor route-map out BLACKHOLE

It can get more complicated than this (for example, you've got more than one EBGP router) but this is just a simple case.

I hope it helps...

~Randy
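
Added example, not part of any message in this thread: a Python pre-flight check for the tagged null route Randy describes, combined with the per-upstream prefix-length differences Jeff describes. The upstream names, their acceptance ranges and the aggregates are constructed assumptions; only the `ip route ... null0 tag 255` form comes from the thread.

```python
import ipaddress

# Constructed sample data: documentation prefixes and hypothetical upstreams.
MY_AGGREGATES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")]

# Assumed policy table: (shortest, longest) blackhole prefix length each upstream
# learns per address family; None means no RTBH offered for that family.
PROVIDER_POLICY = {
    "transit-a": {4: (32, 32), 6: None},         # /32 only, IPv6 RTBH forgotten
    "transit-b": {4: (30, 32), 6: (128, 128)},   # /30-/32, nothing shorter
    "transit-c": {4: (0, 32), 6: (0, 128)},      # honors anything sent
}
BLACKHOLE_TAG = 255  # tag matched by the STATIC-TO-BGP route-map in the thread


def check_blackhole(prefix, provider):
    """Return the reasons an upstream would not act on this blackhole route."""
    net = ipaddress.ip_network(prefix, strict=True)  # rejects host bits set
    reasons = []
    # Only blackhole destinations we originate; anything else hits a third party.
    if not any(net.version == agg.version and net.subnet_of(agg)
               for agg in MY_AGGREGATES):
        reasons.append("prefix is not inside our own aggregates")
    limits = PROVIDER_POLICY[provider][net.version]
    if limits is None:
        reasons.append(f"{provider} offers no IPv{net.version} RTBH")
    elif not limits[0] <= net.prefixlen <= limits[1]:
        reasons.append(
            f"{provider} only learns /{limits[0]}-/{limits[1]}, got /{net.prefixlen}")
    return reasons


def static_route(prefix):
    """Render the tagged null route in the IPv4 form used in the thread."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        raise ValueError("the thread only shows the IPv4 static-route form")
    return f"ip route {net.network_address} {net.netmask} null0 tag {BLACKHOLE_TAG}"


def plan(prefix):
    """Per-upstream verdicts for one prefix; an empty list means it is learned."""
    return {name: check_blackhole(prefix, name) for name in PROVIDER_POLICY}


if __name__ == "__main__":
    for target in ("192.0.2.10/32", "192.0.2.8/30", "192.0.2.0/24", "2001:db8::1/128"):
        print(target, plan(target))
    print(static_route("192.0.2.10/32"))
```
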
Re: Howto for BGP black holing/null routing
Team Cymru has some really good examples on how to configure something similar (utilizing their BOGON feed).

http://www.team-cymru.org/Services/Bogons/bgp.html

Scroll down to "AUTOMATICALLY FILTERING BOGONS" for IOS, JUNOS, etc examples

On Tue, Feb 22, 2011 at 4:42 PM, David Hubbard <dhubb...@dino.hostasaurus.com> wrote:
> I was wondering if anyone has a howto floating around on the
> step by step setup of having an internal bgp peer for sending
> quick updates to border routers to null route sources of
> undesirable traffic? I've seen it discussed on nanog from
> time to time, typically suggesting using Zebra, but could
> not search up a link on a step by step.
>
> Thanks,
>
> David
Re: Christchurch New Zealand
On 22/02/11 10:38 PM, Joe Hamelin wrote:
> The other CERT: Community Emergency Response Team.
> https://www.citizencorps.gov/cert/about.shtm

+1 for CERT. I also think that taking a CERT class is a great way to re-evaluate your own network emergency procedures. You may find new ways to prepare for network disasters, and to triage damage when a network disaster occurs.

jc
Re: Contact for APEWS.org?
Steve Linford wrote:
> APEWS is one of the many fringe hobby DNSBLs run from kids bedrooms.

I don't deny APEWS is pretty much useless, though I disagree with the (perceived) condescending sentiment about hobby projects. Many successful enterprises sprung from hobby projects.

Greetings,
Jeroen

--
http://goldmark.org/jeff/stupid-disclaimers/
http://linuxmafia.com/~rick/faq/plural-of-virus.html
Re: Contact for APEWS.org?
On Thu, Feb 24, 2011 at 7:08 AM, Jeroen van Aart wrote:
> Steve Linford wrote:
>>
>> APEWS is one of the many fringe hobby DNSBLs run from kids bedrooms.
>
> I don't deny APEWS is pretty much useless, though I disagree with the
> (perceived) condescending sentiment about hobby projects. Many successful
> enterprises sprung from hobby projects.

So did spamhaus for quite a while. But this is specifically in the context of dnsbls. Where steve's mostly right.

--
Suresh Ramasubramanian (ops.li...@gmail.com)
Spam from *where*? Mars?
I saw in my mail logs tonight, a bounced spam from 'unknown[1.52.36.176]'

1/8? When did that happen?

(Yes, yes, I know; last year. Just never seen one before...)

Cheers,
-- jra
Re: Spam from *where*? Mars?
On Wed, 23 Feb 2011, Jay Ashworth wrote:
> 1/8? When did that happen?

For this block, end of january judging from the changed:-line below.

inetnum:  1.52.0.0 - 1.52.127.255
netname:  FPT-NET
country:  VN
descr:    IP range for FPT Broadband Service
descr:    48 Van Bao str,Ba Dinh Dist, Ha Noi
admin-c:  LPC5-AP
tech-c:   LPC5-AP
status:   ASSIGNED NON-PORTABLE
remarks:  For spamming matters, mail to ab...@fpt.vn
mnt-irt:  IRT-VNNIC-AP
mnt-by:   MAINT-VN-FPT
source:   APNIC
changed:  hm-chan...@vnnic.net.vn 20110124

--
Mikael Abrahamsson    email: swm...@swm.pp.se
Re: Spam from *where*? Mars?
On Thu, Feb 24, 2011 at 9:19 AM, Mikael Abrahamsson wrote:
> remarks: For spamming matters, mail to ab...@fpt.vn

aka /dev/null as far as I can see. Huge volumes of abuse from this range and from VNPT.

If any ops from there are around please email me offlist

--srs (postmaster for AS27477)

--
Suresh Ramasubramanian (ops.li...@gmail.com)
Re: Howto for BGP black holing/null routing
On 2/22/11 1:42 PM, David Hubbard wrote:
> I was wondering if anyone has a howto floating around on the
> step by step setup of having an internal bgp peer for sending
> quick updates to border routers to null route sources of
> undesirable traffic? I've seen it discussed on nanog from
> time to time, typically suggesting using Zebra, but could
> not search up a link on a step by step.
>
> Thanks,

I'd include:

https://tools.ietf.org/html/rfc5635

in your list of reading materials.

> David
Submarine cable sample?
Hi,

Was wondering where one in the SF Bay area might be able to borrow (or otherwise procure at a reasonable cost) a short - less than 1 meter - section of undersea fiber cable for a presentation I'll be giving in a few weeks.

Feel free to unicast your reply if you are in a position to assist.

Thanks,
-Chris
Re: ARIN and IPv6 Requests
(Yeah, high reply latency...)

Is Carrier V still filtering at sub-/32 on their IPv6 peerings? Last I was in a position to check, not even Apple's /45 was visible from inside AS701.

-C

On Feb 10, 2011, at 12:25 PM, Eric Clark wrote:

> Don't remember about the v4 part, but 3 years ago they issued me a /48,
> specifically for my first site and indicated that a block was reserved for
> additional sites. I can probably dig that up.
>
> Sent from my iPad
>
> On Feb 10, 2011, at 12:18 PM, Jason Iannone wrote:
>
>> It also looks like there isn't a policy for orgs with multiple
>> multihomed sites to get a /48 per site. Is there an exception policy
>> somewhere?
>>
>> On Thu, Feb 10, 2011 at 12:50 PM, wrote:
>>> Initial. Documenting IPv4 usage is in the request template.
>>>
>>> --
>>> Adam Webb
>>>
>>> From:
>>> "Nick Olsen"
>>> To:
>>>
>>> Date:
>>> 02/10/2011 01:45 PM
>>> Subject:
>>> re: ARIN and IPv6 Requests
>>>
>>> We requested our initial allocation without any such questions. Is this
>>> your initial or additional?
>>>
>>> Nick Olsen
>>> Network Operations
>>> (855) FLSPEED x106
>>>
>>> From: adw...@dstsystems.com
>>> Sent: Thursday, February 10, 2011 2:38 PM
>>> To: nanog@nanog.org
>>> Subject: ARIN and IPv6 Requests
>>>
>>> Why does ARIN require detailed usage of IPv4 space when requesting IPv6
>>> space? Seems completely irrelevant to me.
>>>
>>> --
>>> Adam Webb
>>> EN & ES Team
>>> desk: 816.737.9717
>>> cell: 916.949.1345
>>> ---
>>> The biggest secret of innovation is that anyone can do it.
>>> ---
>>>
>>> -
>>> Please consider the environment before printing this email and any
>>> attachments.
>>>
>>> This e-mail and any attachments are intended only for the
>>> individual or company to which it is addressed and may contain
>>> information which is privileged, confidential and prohibited from
>>> disclosure or unauthorized use under applicable law. If you are
>>> not the intended recipient of this e-mail, you are hereby notified
>>> that any use, dissemination, or copying of this e-mail or the
>>> information contained in this e-mail is strictly prohibited by the
>>> sender. If you have received this transmission in error, please
>>> return the material received to the sender and delete all copies
>>> from your system.
Re: ARIN and IPv6 Requests
On 2/23/11 10:10 PM, Chris Woodfield wrote:
> (Yeah, high reply latency...)
>
> Is Carrier V still filtering at sub-/32 on their IPv6 peerings? Last I was in
> a position to check, not even Apple's /45 was visible from inside AS701.

evidence says that they are now accepting longer prefixes.

> -C
>
> On Feb 10, 2011, at 12:25 PM, Eric Clark wrote:
>
>> Don't remember about the v4 part, but 3 years ago they issued me a /48,
>> specifically for my first site and indicated that a block was reserved for
>> additional sites. I can probably dig that up.
>>
>> Sent from my iPad
>>
>> On Feb 10, 2011, at 12:18 PM, Jason Iannone wrote:
>>
>>> It also looks like there isn't a policy for orgs with multiple
>>> multihomed sites to get a /48 per site. Is there an exception policy
>>> somewhere?
>>>
>>> On Thu, Feb 10, 2011 at 12:50 PM, wrote:
>>>> Initial. Documenting IPv4 usage is in the request template.
>>>>
>>>> --
>>>> Adam Webb
>>>>
>>>> From: "Nick Olsen"
>>>> To:
>>>> Date: 02/10/2011 01:45 PM
>>>> Subject: re: ARIN and IPv6 Requests
>>>>
>>>> We requested our initial allocation without any such questions. Is this
>>>> your initial or additional?
>>>>
>>>> Nick Olsen
>>>> Network Operations
>>>> (855) FLSPEED x106
>>>>
>>>> From: adw...@dstsystems.com
>>>> Sent: Thursday, February 10, 2011 2:38 PM
>>>> To: nanog@nanog.org
>>>> Subject: ARIN and IPv6 Requests
>>>>
>>>> Why does ARIN require detailed usage of IPv4 space when requesting IPv6
>>>> space? Seems completely irrelevant to me.
>>>>
>>>> --
>>>> Adam Webb
>>>> EN & ES Team
>>>> desk: 816.737.9717
>>>> cell: 916.949.1345
>>>> ---
>>>> The biggest secret of innovation is that anyone can do it.
>>>> ---
>>>>
>>>> -
>>>> Please consider the environment before printing this email and any
>>>> attachments.
>>>>
>>>> This e-mail and any attachments are intended only for the
>>>> individual or company to which it is addressed and may contain
>>>> information which is privileged, confidential and prohibited from
>>>> disclosure or unauthorized use under applicable law. If you are
>>>> not the intended recipient of this e-mail, you are hereby notified
>>>> that any use, dissemination, or copying of this e-mail or the
>>>> information contained in this e-mail is strictly prohibited by the
>>>> sender. If you have received this transmission in error, please
>>>> return the material received to the sender and delete all copies
>>>> from your system.
Re: My upstream ISP does support IPv6
On 11 Feb 11, at 19:24 , Matthew Petach wrote:
> On Fri, Feb 4, 2011 at 4:33 PM, Owen DeLong wrote:
>> I'll start..
>>
>> Hurricane Electric Happily and readily provided me IPv6 Transit on
>> request.
>> Layer42 Happily and readily provided me IPv6 Transit
>> on request.
>>
>> Owen
>
> I'll second that--I've had native v6 connectivity with Layer42 at home, with a
> secondary path via HE tunnelbroker via a secondary physical path for many,
> many moons, and have had no complaints.
> For those with smaller-sized connectivity needs, it's likely you'll have
> better
> success getting v6 connectivity from a tier-2 provider, as there's less
> non-v6-
> compliant hardware and software that needs to be taken into consideration.
> There's also likely to be some level of impedance mismatch between the
> upgrade priority for high-bandwidth-customer gear and low-bandwidth-customer
> gear at large-sized ISPs, which may relegate you to a slower deployment
> scheduled than if you bring the question up with your local tier 2 provider.
>
> Matt

Thirded.

Layer42.net : Dual-stack IPv6 and IPv4 at our cabinets in their new Mountain View (CA, USA) facility. Works well; basically no hassle getting it going. Having reverse DNS delegated was a breeze.

HE.net via Tunnelbroker.net : Bridging the connectivity gaps where my home/office ISPs do not yet offer IPv6. Very useful service.

UnitedLayer.com : apparently ready to provide IPv6 at our cabinets in their suite at 200 Paul (San Francisco, CA, USA) as soon as we install a suitable router. Can't yet speak from experience as to how well it works, but their network folks certainly know their IPv6.

jump.net.uk : dual-stack IPv6 and IPv4 at a VPS hosted by a customer of theirs in Telehouse North (London, England). Works well; no hassle.

Graham
(https://cernio.com/)
Re: ARIN and IPv6 Requests
I discussed this with Randy Whitney a few months ago. He informed me that they had been taking down to /48s for some time now.

Owen

On Feb 23, 2011, at 10:20 PM, Joel Jaeggli wrote:

> On 2/23/11 10:10 PM, Chris Woodfield wrote:
>> (Yeah, high reply latency...)
>>
>> Is Carrier V still filtering at sub-/32 on their IPv6 peerings? Last I was
>> in a position to check, not even Apple's /45 was visible from inside AS701.
>
> evidence says that they are now accepting longer prefixes.
>
>> -C
>>
>> On Feb 10, 2011, at 12:25 PM, Eric Clark wrote:
>>
>>> Don't remember about the v4 part, but 3 years ago they issued me a /48,
>>> specifically for my first site and indicated that a block was reserved for
>>> additional sites. I can probably dig that up.
>>>
>>> Sent from my iPad
>>>
>>> On Feb 10, 2011, at 12:18 PM, Jason Iannone wrote:
>>>
>>>> It also looks like there isn't a policy for orgs with multiple
>>>> multihomed sites to get a /48 per site. Is there an exception policy
>>>> somewhere?
>>>>
>>>> On Thu, Feb 10, 2011 at 12:50 PM, wrote:
>>>>> Initial. Documenting IPv4 usage is in the request template.
>>>>>
>>>>> --
>>>>> Adam Webb
>>>>>
>>>>> From:
>>>>> "Nick Olsen"
>>>>> To:
>>>>>
>>>>> Date:
>>>>> 02/10/2011 01:45 PM
>>>>> Subject:
>>>>> re: ARIN and IPv6 Requests
>>>>>
>>>>> We requested our initial allocation without any such questions. Is this
>>>>> your initial or additional?
>>>>>
>>>>> Nick Olsen
>>>>> Network Operations
>>>>> (855) FLSPEED x106
>>>>>
>>>>> From: adw...@dstsystems.com
>>>>> Sent: Thursday, February 10, 2011 2:38 PM
>>>>> To: nanog@nanog.org
>>>>> Subject: ARIN and IPv6 Requests
>>>>>
>>>>> Why does ARIN require detailed usage of IPv4 space when requesting IPv6
>>>>> space? Seems completely irrelevant to me.
>>>>>
>>>>> --
>>>>> Adam Webb
>>>>> EN & ES Team
>>>>> desk: 816.737.9717
>>>>> cell: 916.949.1345
>>>>> ---
>>>>> The biggest secret of innovation is that anyone can do it.
>>>>> ---
>>>>>
>>>>> -
>>>>> Please consider the environment before printing this email and any
>>>>> attachments.
>>>>>
>>>>> This e-mail and any attachments are intended only for the
>>>>> individual or company to which it is addressed and may contain
>>>>> information which is privileged, confidential and prohibited from
>>>>> disclosure or unauthorized use under applicable law. If you are
>>>>> not the intended recipient of this e-mail, you are hereby notified
>>>>> that any use, dissemination, or copying of this e-mail or the
>>>>> information contained in this e-mail is strictly prohibited by the
>>>>> sender. If you have received this transmission in error, please
>>>>> return the material received to the sender and delete all copies
>>>>> from your system.