Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Christopher Morrow
On Mon, Jan 24, 2011 at 11:52 PM, Roland Dobbins wrote: > > On Jan 25, 2011, at 11:35 AM, Christopher Morrow wrote: > >> thinking of using DNS is tempting > > > The main arguments I see against it are: > > 1.      Circular dependencies. in the end though... if you depend upon something off-box to

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread sthaug
> > IPv6 is classless; routers cannot blindly make that assumption for > > "performance optimization". > > > Blindly, no. However, it's not impractical to implement fast path switching that handles things on /64s and pushes anything that requires something else to the slow path. Any vendor

RE: DSL options in NYC for OOB access

2011-01-24 Thread Ryan Finnesey
Hi Andy We use Wireless (at&t) on a custom APN for this, has worked great. Cheers Ryan -Original Message- From: Andy Ashley [mailto:li...@nexus6.co.za] Sent: Monday, January 24, 2011 5:04 PM To: nanog@nanog.org Subject: DSL options in NYC for OOB access Hi, Im looking for a little ad

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Roland Dobbins
On Jan 25, 2011, at 11:35 AM, Christopher Morrow wrote: > thinking of using DNS is tempting The main arguments I see against it are: 1. Circular dependencies. 2. The generally creaky, fragile, brittle, non-scalable state of the overall DNS infrastructure in general. Routing and DN

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Christopher Morrow
On Mon, Jan 24, 2011 at 11:27 PM, Steven Bellovin wrote: > > On Jan 24, 2011, at 10:31 30PM, Christopher Morrow wrote: >> it's not the best example, but I know that at UUNET there were plenty >> of examples of the in-addr tree not really following the BGP path. >> > The other essential point is t

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Steven Bellovin
On Jan 24, 2011, at 10:31 30PM, Christopher Morrow wrote: > On Mon, Jan 24, 2011 at 9:02 PM, Joe Abley wrote: >> >> On 2011-01-24, at 20:24, Danny McPherson wrote: >> >>> >>> Beginning to wonder why, with work like DANE and certificates in DNS >>> in the IETF, we need an RPKI and new hierarc

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Christopher Morrow
On Mon, Jan 24, 2011 at 9:02 PM, Joe Abley wrote: > > On 2011-01-24, at 20:24, Danny McPherson wrote: > >> >> Beginning to wonder why, with work like DANE and certificates in DNS >> in the IETF, we need an RPKI  and new hierarchical shared dependency >> system at all and can't just place ROAs in

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Danny McPherson
On Jan 24, 2011, at 9:21 PM, Richard Barnes wrote: > The more you have to invent, though, the more this sounds like a > bike-shed discussion. > s/DNSSEC/X.509/g > s/delegating reverse "prefix" zone/signing RPKI delegation certificate/g The difference is that we don't have an operational RPKI syst

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Randy Bush
>> the folk who sign dns zones are not even in the same building as the >> folk who deal with address space. > I think the idea is to effectuate de-siloing in this space to the > point that the DNS folks would make the appropriate delegations to the > addressing folks, who would then proceed to cre

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Roland Dobbins
On Jan 25, 2011, at 9:31 AM, Randy Bush wrote: > the folk who sign dns zones are not even in the same building as the folk who > deal with address space. I think the idea is to effectuate de-siloing in this space to the point that the DNS folks would make the appropriate delegations to the ad

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Roland Dobbins
On Jan 25, 2011, at 9:24 AM, Danny McPherson wrote: > So, are you suggesting the RPKI isn't going to rely on DNS at all? In terms of organic, real-time route validation performed by routers - which it is assumed is an ultimate goal of rPKI, at some point in the future - one should hope this

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Randy Bush
> Right, I've heard the circular dependency arguments. So, are you > suggesting the RPKI isn't going to rely on DNS at all? correct. it need not. > I'm of the belief RPKI should NOT be on the critical path, but instead > focus on Internet number resource certification - are you suggesting > oth

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Danny McPherson
On Jan 24, 2011, at 9:14 PM, Randy Bush wrote: > > you want certificates etc? or did you plan to reuse dns keys? I suspect the former, reusing much of the SIDR machinery perhaps, although > if the former, then all you are discussing is changing the transport to > make routing security rel

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Richard Barnes
On Mon, Jan 24, 2011 at 9:16 PM, Danny McPherson wrote: > > On Jan 24, 2011, at 9:02 PM, Joe Abley wrote: >> >> In this case the DNS delegations go directly from RIR to C; there's no >> opportunity for A or B to sign intermediate zones, and hence no opportunity >> for them to indicate the legiti

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Richard Barnes
It's in-band only in the sense of delivery. The worst that a corruption of the underlying network can do to you is deny you updates; it can't convince you that a route validates when it shouldn't. And even denying updates to your RPKI cache isn't that bad, since the update process doesn't really
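An added example, not code from this thread or from any RPKI validator, showing the check Richard is talking about: once a router holds a set of validated ROA payloads (prefix, maxLength, origin AS), origin validation is a pure local comparison per RFC 6811, so a corrupted transport can at most leave the cache stale. The ROA set and the routes below are constructed for illustration; AS 0 handling follows RFC 7607.

```python
# Added example (not from the thread): RFC 6811 BGP origin validation
# over a small constructed set of validated ROA payloads.
import ipaddress

# Constructed ROA payloads, as a router would receive them from its cache:
# (prefix, maxLength, origin ASN). Documentation prefixes and private ASNs.
ROAS = [
    ("192.0.2.0/24", 24, 64496),      # exact /24 only
    ("198.51.100.0/24", 26, 64497),   # /24 down to /26 allowed
    ("2001:db8::/32", 48, 64496),     # /32 down to /48 allowed
]

VALID, INVALID, NOTFOUND = "valid", "invalid", "notfound"


def covering_roas(roas, route):
    """Return the ROAs whose prefix covers the announced route (same address
    family, route is equal to or more specific than the ROA prefix)."""
    net = ipaddress.ip_network(route, strict=True)
    found = []
    for prefix, max_length, asn in roas:
        roa_net = ipaddress.ip_network(prefix, strict=True)
        if roa_net.version == net.version and net.subnet_of(roa_net):
            found.append((roa_net, max_length, asn))
    return found


def validate_origin(roas, route, origin_asn):
    """RFC 6811 origin validation state for one (route, origin AS) pair:
    NotFound when no ROA covers the route; Valid when at least one covering
    ROA names this origin AS and the route is no longer than its maxLength;
    Invalid otherwise. An origin of AS 0 is never valid (RFC 7607)."""
    net = ipaddress.ip_network(route, strict=True)
    covering = covering_roas(roas, route)
    if not covering:
        return NOTFOUND
    if origin_asn == 0:
        return INVALID
    for _roa_net, max_length, asn in covering:
        if asn == origin_asn and net.prefixlen <= max_length:
            return VALID
    return INVALID


def classify_table(roas, routes):
    """Run validation over a list of (route, origin_asn) announcements and
    return {route: state}, the view an operator would check before
    deciding to drop or depref Invalid routes."""
    return {route: validate_origin(roas, route, asn) for route, asn in routes}


if __name__ == "__main__":
    # Constructed announcements: one legitimate, one too-specific hijack,
    # one wrong-origin hijack, one with no ROA at all.
    announcements = [
        ("192.0.2.0/24", 64496),
        ("192.0.2.0/25", 64496),
        ("192.0.2.0/24", 64500),
        ("203.0.113.0/24", 64496),
    ]
    for route, state in classify_table(ROAS, announcements).items():
        print(f"{route:18} {state}")
```

Note that the route "192.0.2.0/25" is Invalid even though its origin AS matches: the ROA's maxLength is 24, so a more-specific announcement from the right AS is still rejected, which is the point of setting maxLength no looser than you announce.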

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Danny McPherson
On Jan 24, 2011, at 9:02 PM, Joe Abley wrote: > > In this case the DNS delegations go directly from RIR to C; there's no > opportunity for A or B to sign intermediate zones, and hence no opportunity > for them to indicate the legitimacy of the allocation. > > As a thought experiment, how would

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Randy Bush
> I just don't like the notion of deploying a brand new system you want certificates etc? or did you plan to reuse dns keys? if the former, then all you are discussing is changing the transport to make routing security rely on dns and dns security. not a really great plan. if the latter, then

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Roland Dobbins
On Jan 25, 2011, at 8:59 AM, Danny McPherson wrote: > I just don't like the notion of deploying a brand new system with data that > at the end of the day is going to look an awful lot like the existing > in-addr.arpa delegation system that's deployed, and introduce new > hierarchical shared de

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Joe Abley
On 2011-01-24, at 20:59, Danny McPherson wrote: > On Jan 24, 2011, at 8:48 PM, Randy Bush wrote: > >>> And now that DNSSEC is deployed >> >> and you are not sharing what you are smoking > > root and .arpa are signed, well on the way, particularly relative > to RPKI. > > Incremental cost of s

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Joe Abley
On 2011-01-24, at 20:24, Danny McPherson wrote: > > Beginning to wonder why, with work like DANE and certificates in DNS > in the IETF, we need an RPKI and new hierarchical shared dependency > system at all and can't just place ROAs in in-addr.arpa zone files that are > DNSSEC-enabled. In

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Danny McPherson
On Jan 24, 2011, at 8:48 PM, Randy Bush wrote: >> And now that DNSSEC is deployed > > and you are not sharing what you are smoking root and .arpa are signed, well on the way, particularly relative to RPKI. Incremental cost of signing in-addr.arpa using a deployed DNS system as opposed to con

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Randy Bush
> And now that DNSSEC is deployed and you are not sharing what you are smoking > and DANE is happening see above randy

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Danny McPherson
On Jan 24, 2011, at 8:32 PM, Randy Bush wrote: > let's wind the wayback machine to 1998 > >http://tools.ietf.org/html/draft-bates-bgp4-nlri-orig-verif-00 Yep, read that way back when it was posted initially, and again a short while back, makes good sense, methinks. And now that DNSSEC is

Re: IPv6: numbering of point-to-point-links

2011-01-24 Thread Randy Bush
>> https://datatracker.ietf.org/doc/draft-ietf-6man-prefixlen-p2p/ > All of the (mostly religious) arguments about /64 versus any > smaller subnets aside, I'm curious about why one would choose > /126 over /127 for P-to-P links? see above randy

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Randy Bush
> Beginning to wonder why, with work like DANE and certificates in DNS > in the IETF, we need an RPKI and new hierarchical shared dependency > system at all and can't just place ROAs in in-addr.arpa zone files > that are DNSSEC-enabled. let's wind the wayback machine to 1998 http://tools.ietf

Re: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Danny McPherson
On Jan 24, 2011, at 7:16 PM, Randy Bush wrote: > > i understand fearing holding others' private keys and critical data. no > blame there. > > > but out of curiosity, how reality based are arin's general liability > fears? in the last few years, how many times has arin been a named > defendan

Re: IPv6: numbering of point-to-point-links

2011-01-24 Thread Owen DeLong
On Jan 24, 2011, at 4:22 PM, Crist Clark wrote: >> RFC 3627 Actually makes it pretty clear. It's IPv6 think where the subnet-router anycast address is the prefix followed by all zeros. So, while IPv6 does not reserve the all-ones address, the all-zeroes address is still reserved. Owen

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread Owen DeLong
On Jan 24, 2011, at 4:10 PM, Ricky Beam wrote: > On Mon, 24 Jan 2011 15:53:32 -0500, Ray Soucy wrote: >> Every time I see this question it's usually related to a fundamental >> misunderstanding of IPv6 and the attempt to apply v4 logic to v6. > > Not exactly. If it's a point-to-point link, then

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread Mark Andrews
In message , "Ricky Beam" writes: > On Mon, 24 Jan 2011 15:53:32 -0500, Ray Soucy wrote: > > Every time I see this question it's usually related to a fundamental > > misunderstanding of IPv6 and the attempt to apply v4 logic to v6. > > Not exactly. If it's a point-to-point link, then there are *

Re: IPv6: numbering of point-to-point-links

2011-01-24 Thread Crist Clark
>>> On 1/24/2011 at 5:18 AM, wrote: > On Mon, Jan 24, 2011 at 02:10:48PM +0100, Marco Hogewoning wrote: >> > While reading up on IPv6, I've seen numerous places that subnets are now >> > all /64. >> > >> > I have even read that subnets defined as /127 are considered harmful. >> >> RFC3627, with

Re: Fwd: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread Randy Bush
thanks john. your consideration to the ops community is appreciated. > ARIN continues its preparations for offering production-grade resource > certification services for Internet number resources in the region. > ARIN recognizes the importance of Internet number resource > certification in the r

Re: DSL options in NYC for OOB access

2011-01-24 Thread Seth Mattinen
On 1/24/2011 15:22, Nathan Eisenberg wrote: >> You can get a CLEAR WiMAX fixed modem with static IP address for $50 >> (USD) monthly, or less if you opt for the low-bandwidth plan. > > I wouldn't dare rely on something of that nature for a lifeline connection. > I'd spring for the extra $30/mo.

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread Ricky Beam
On Mon, 24 Jan 2011 15:53:32 -0500, Ray Soucy wrote: Every time I see this question it's usually related to a fundamental misunderstanding of IPv6 and the attempt to apply v4 logic to v6. Not exactly. If it's a point-to-point link, then there are *TWO* machines on it -- one at each end; ther

Re: DSL options in NYC for OOB access

2011-01-24 Thread Joe Abley
On 2011-01-24, at 18:22, Nathan Eisenberg wrote: >> You can get a CLEAR WiMAX fixed modem with static IP address for $50 >> (USD) monthly, or less if you opt for the low-bandwidth plan. > > I wouldn't dare rely on something of that nature for a lifeline connection. > I'd spring for the extra $

bestpath as-path multipath-relax

2011-01-24 Thread Zaid Ali
I am looking for some operational feedback of this undocumented feature, bgp bestpath as-path multipath-relax, for IOS. If you are using this for outbound load balancing I would like to hear your experiences. Also if you are running it across edges. Thanks, Zaid

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread Douglas Otis
On 1/24/11 11:04 AM, bmann...@vacation.karoshi.com wrote: well... you are correct - he did say shorter. me - i'd holler for my good friends Fred and Radia (helped w/ the old vitalink mess) on the best way to manage an arp storm and/or cam table of a /64 of MAC addresses. :) It was hard enoug

RE: DSL options in NYC for OOB access

2011-01-24 Thread Nathan Eisenberg
> You can get a CLEAR WiMAX fixed modem with static IP address for $50 > (USD) monthly, or less if you opt for the low-bandwidth plan. I wouldn't dare rely on something of that nature for a lifeline connection. I'd spring for the extra $30/mo. It's expensive, but there ain't nothin' like a phy

Re: DSL options in NYC for OOB access

2011-01-24 Thread Charles N Wyble
On 01/24/2011 02:54 PM, Adam Rothschild wrote: > On 2011-01-24-17:04:25, Andy Ashley wrote: >> Im looking for a little advice about DSL circuits in New York, >> specifically at 111 8th Ave [...] > > You can get a CLEAR WiMAX fixed modem with static

The Conficker Working Group Lessons Learned Document

2011-01-24 Thread freed0
http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/LessonsLearned http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf The Conficker Working Group Lessons Learned Document Starting in late 2008, and continuing through June of 2010

Re: DSL options in NYC for OOB access

2011-01-24 Thread Adam Rothschild
On 2011-01-24-17:04:25, Andy Ashley wrote: > Im looking for a little advice about DSL circuits in New York, > specifically at 111 8th Ave [...] You can get a CLEAR WiMAX fixed modem with static IP address for $50 (USD) monthly, or less if you opt for the low-bandwidth plan. Unscientific testing

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread Michael Loftis
On Mon, Jan 24, 2011 at 1:53 PM, Ray Soucy wrote: > Many cite concerns of potential DoS attacks by doing sweeps of IPv6 > networks.  I don't think this will be a common or wide-spread problem. >  The general feeling is that there is simply too much address space > for it to be done in any reasona

DSL options in NYC for OOB access

2011-01-24 Thread Andy Ashley
Hi, I'm looking for a little advice about DSL circuits in New York, specifically at 111 8th Ave. Going to locate a console server there for out-of-band serial management. The router will need connectivity for remote telnet/ssh access from the NOC. Looking for a low speed (and low cost) DSL line

Re: IPv6: numbering of point-to-point-links

2011-01-24 Thread Skeeve Stevens
Doh, I meant the /80 of 1C for interconnects. ::zz::1C::1 and :F in a /112 ...Skeeve -- Skeeve Stevens, CEO eintellego Pty Ltd - The Networking Specialists ske...@eintellego.net / www.eintellego.net Phone: 1300 753 383, Fax: (+612) 8572 9954 Cell +61 (0

Re: IPv6: numbering of point-to-point-links

2011-01-24 Thread Ray Soucy
The only advantage of a 126-bit prefix is if you're using it to take advantage of the short address, and keep all your point-to-point networks in the same address space so that you can easily identify them. This is really only personal preference for network engineers who may not want to be depend

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread Ray Soucy
Every time I see this question it's usually related to a fundamental misunderstanding of IPv6 and the attempt to apply v4 logic to v6. That said, any size prefix will likely work and is even permitted by the RFC. You do run the risk of encountering applications that assume a 64-bit prefix length,

Fwd: [arin-announce] ARIN Resource Certification Update

2011-01-24 Thread John Curran
Copy to NANOG for those who aren't on ARIN lists but may be interested in this info. FYI. /John Begin forwarded message: From: John Curran <jcur...@arin.net> Date: January 24, 2011 2:58:52 PM EST To: "arin-annou...@arin.net" <arin-annou...@arin.net>

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread bmanning
well... you are correct - he did say shorter. me - i'd holler for my good friends Fred and Radia (helped w/ the old vitalink mess) on the best way to manage an arp storm and/or cam table of a /64 of MAC addresses. :) It was hard enough to manage a "lan"/single broadcast domain that was global

Re: Verizon local CFA sanity check

2011-01-24 Thread Christopher Pilkington
On Jan 24, 2011, at 13:37, "Matthew S. Crocker" wrote: > Wouldn't you map the DS1 to the M13 mux that is connected to the STS1 on the > OC? I didn't think Verizon did DS1 level xconnects directly into SONET. It's a Flashwave 4100, I'm told it has an integrated DS1 mux. (It's not on the prem her

Re: Verizon local CFA sanity check

2011-01-24 Thread Matthew S. Crocker
Wouldn't you map the DS1 to the M13 mux that is connected to the STS1 on the OC? I didn't think Verizon did DS1 level xconnects directly into SONET. - Original Message - > From: "Christopher Pilkington" > To: nanog@nanog.org > Sent: Monday, January 24, 2011 1:25:46 PM > Subject: Veri

Verizon local CFA sanity check

2011-01-24 Thread Christopher Pilkington
I'm writing a LOA/CFA doc for some DS1s to be delivered to us on a Verizon private OC12 ring, and I'm getting conflicting info (including from multiple people within Verizon) on how to address individual DS1s. For STS/DS3s, it's pretty obvious, just the STS number, i.e. /OC12/// Anyone know for c

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread Carlos Martinez-Cagnazzo
Doing a little introspection, I found myself realizing that one of the most bothersome aspects of the /64 boundary (for me, just speaking for myself here) is exactly that, the tendency to the hardcoding of boundaries. C. On Mon, Jan 24, 2011 at 12:26 PM, Phil Regnauld wrote: > bmann...@vacation

Future of the IPv6 CPE survey on RIPE Labs - Your Input Needed

2011-01-24 Thread Mirjam Kuehne
[apologies for duplicates] Hello, Based on new information we received since the last publication, we updated the IPv6 CPE matrix: http://labs.ripe.net/Members/mirjam/ipv6-cpe-survey-updated-january-2011 In order to make this information more useful for a large user base, we are preparing a

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread Phil Regnauld
bmann...@vacation.karoshi.com (bmanning) writes: > as a test case, i built a small home network out of /120. works just fine. > my home network has been native IPv6 for about 5 years now, using a /96 and > IVI. > > some thoughts. disable RD/RA/ND. > none of the DHCPv6 code works

Re: IPv6: numbering of point-to-point-links

2011-01-24 Thread Jack Bates
On 1/24/2011 7:18 AM, bmann...@vacation.karoshi.com wrote: this results in -very- sparse matrix allocation - which is fine, as long as you believe that you'll never run out/make mistakes. personally, i've used /126 for the past 12 years w/o any problems. There isn't an increased mistake risk

Re: IPv6: numbering of point-to-point-links

2011-01-24 Thread Skeeve Stevens
Lasse, We use /112's – last chazwazza being 65k addresses… Requires little effort in remembering the ranges…. With one end being :1 and the other :F This leaves more than enough addresses for HSRP/VRRP and all the other things like it. Also means we can introduce addressing on the link for di

RE: IPv6: numbering of point-to-point-links

2011-01-24 Thread Ronald Bonica
Lasse, draft-ietf-6man-prefixlen-p2p-01 provides some insights. Ron > -Original Message- > From: Lasse Jarlskov [mailto:l...@telenor.dk] > Sent: Monday, January 24, 2011 7:49 AM > To: nanog@nanog.org > Subject: IPv6: numbering of point-to-point-links >

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread bmanning
as a test case, i built a small home network out of /120. works just fine. my home network has been native IPv6 for about 5 years now, using a /96 and IVI. some thoughts. disable RD/RA/ND. none of the DHCPv6 code works like DHCP, so I re-wrote client and

Re: IPv6: numbering of point-to-point-links

2011-01-24 Thread bmanning
On Mon, Jan 24, 2011 at 02:10:48PM +0100, Marco Hogewoning wrote: > > While reading up on IPv6, I've seen numerous places that subnets are now > > all /64. > > > > I have even read that subnets defined as /127 are considered harmful. > > RFC3627, with a lot of discussion in the IETF on this. See

Re: IPv6: numbering of point-to-point-links

2011-01-24 Thread Grzegorz Janoszka
On 24-01-11 13:59, Carlos Friacas wrote: > Using /126s or /127s (or even /120s) is a result of going with the v4 > mindset of conservation. Not only, there are some other advantages of using /126's, like reducing the number of ND requests on the link and the size of neighbor tables. -- Grzegorz Jano

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread Chris Nicholls
On Monday, 24 January 2011 at K:59:59 -0200, Carlos Martinez-Cagnazzo wrote: > I am particularly wondering about possible NDP breakage. +1 We allocate /64 per PtP but only configure /127 for NDP and security concerns, I figure we can always change the mask if the space is set aside from the get go

Re: IPv6: numbering of point-to-point-links

2011-01-24 Thread Marco Hogewoning
> While reading up on IPv6, I've seen numerous places that subnets are now > all /64. > > I have even read that subnets defined as /127 are considered harmful. RFC3627, with a lot of discussion in the IETF on this. See also https://datatracker.ietf.org/doc/draft-ietf-6man-prefixlen-p2p/ > Howev

Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread Carlos Martinez-Cagnazzo
The subject says it all... anyone with experience with a setup like this ? I am particularly wondering about possible NDP breakage. cheers! Carlos -- -- = Carlos M. Martinez-Cagnazzo http://www.labs.lacnic.net =

Re: IPv6: numbering of point-to-point-links

2011-01-24 Thread Carlos Friacas
Hi Lasse, We use /64s. ::1 for one end, ::2 for the second end. Using /126s or /127s (or even /120s) is a result of going with the v4 mindset of conservation. With a /32 you have 65536 /48s, and then 65536 /64s. Guess you only need 1 /48 for all the p-to-p links, no? Regards, Carlos (portu
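An added example, not code from any poster in this thread, that works through the three positions above: Carlos's ::1/::2 on a /64, Skeeve's :1/:F on a /112, and Owen's point (RFC 3627 / RFC 4291) that the all-zeros interface identifier of every prefix is the Subnet-Router anycast address, which is what makes a /127 awkward and a /126 workable. It also reports the address count per link, which is the neighbor-table surface Grzegorz mentions. Prefixes and host offsets are constructed for illustration.

```python
# Added example (not from the thread): what each point-to-point prefix
# length leaves for router addresses once the Subnet-Router anycast
# address (RFC 4291: <prefix>::0, the all-zeros interface identifier) is
# kept off the link ends, and how many addresses the link exposes to ND.
import ipaddress


def link_summary(prefix: str) -> dict:
    """Describe a point-to-point prefix: total addresses (the space a
    neighbor can ask the router to resolve), the reserved Subnet-Router
    anycast address, and whether two routers still fit after reserving it."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    total = net.num_addresses
    anycast = net.network_address          # <prefix>::0 is reserved
    usable = total - 1
    return {
        "prefix": str(net),
        "addresses": total,
        "anycast": str(anycast),
        "usable": usable,
        "two_routers_fit": usable >= 2,
    }


def endpoint_pair(prefix: str, low: int = 1, high: int = 2):
    """Pick the two link-end addresses at host offsets `low` and `high`
    (the ::1/::2 convention by default; 1 and 0xF gives Skeeve's :1/:F).
    Refuses offset 0, duplicate offsets, and offsets outside the prefix,
    so a /127 with the default offsets is rejected rather than silently
    handing one router the anycast address."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if low == 0 or high == 0:
        raise ValueError("offset 0 is the Subnet-Router anycast address")
    if low == high:
        raise ValueError("both ends would receive the same address")
    base = int(net.network_address)
    last = int(net[-1])                     # highest address in the prefix
    ends = []
    for offset in (low, high):
        addr = ipaddress.IPv6Address(base + offset)
        if int(addr) > last:
            raise ValueError(f"{addr} lies outside {net}")
        ends.append(addr)
    return tuple(ends)


if __name__ == "__main__":
    # Constructed documentation prefixes for the lengths debated above.
    for p in ("2001:db8:0:1::/64", "2001:db8:0:1:0:0:1c::/112",
              "2001:db8:0:1::/126", "2001:db8:0:1::/127"):
        s = link_summary(p)
        print(f"{s['prefix']:30} addresses={s['addresses']:<22} "
              f"usable={s['usable']:<22} two_routers_fit={s['two_routers_fit']}")
    print(endpoint_pair("2001:db8:0:1:0:0:1c::/112", 1, 0xF))
```

With the default offsets a /126 yields ::1 and ::2 with ::3 to spare for VRRP-style addresses, while a /127 raises, which is the RFC 3627 objection in one line; the /64 row shows the 2^64 addresses a neighbor-cache exhaustion attempt has to work with compared with four on a /126.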

IPv6: numbering of point-to-point-links

2011-01-24 Thread Lasse Jarlskov
Hi all. While reading up on IPv6, I've seen numerous places that subnets are now all /64. I have even read that subnets defined as /127 are considered harmful. However while implementing IPv6 in our network, I've encountered several of our peering partners using /127 or /126 for point-to-p