Re: Linux router network cards

2020-10-25 Thread Vincent Bernat
❦ 24 October 2020 09:55 -06, Keith Medcalf: > And do not use an Intel CPU. > > Intel only has 4x PCIe lanes that are shared out into whatever > configuration they claim to have and are totally unsuitable for use in > a computer that actually has to be able to do high-speed I/O. That's likely t

Re: Trident3 vs Jericho2

2021-04-09 Thread Vincent Bernat
❦ 9 April 2021 17:20 +03, Saku Ytti: > If we'd change TCP sender to bandwidth estimation, and newly created window > space would be serialised at estimated receiver rate then we would need > dramatically less buffers. However this less aggressive TCP algorithm would > be outcompeted by new reno

Re: Juniper hardware recommendation

2021-05-07 Thread Vincent Bernat
❦ 7 May 2021 21:14 GMT, Adam Thompson: > * Skip the MX 2k/10k series – they don’t support SFP+ interfaces! > (“No 10G WDM for you!”) Also no 1G, you need a separate step-down > switch for that. I don’t know what SP Juniper thinks they’re targeting > with these. The 10k can take 10G SFP+ using

Re: Juniper hardware recommendation

2021-05-14 Thread Vincent Bernat
In addition to the QSA, note that 40G LR optics are using CWDM. You can therefore get 1270, 1290, 1310 and 1330 out of the optic. Not the favorite channels, but if that's OK for you, configure it as a 4x10G on the Juniper side. -- Make it clear before you make it faster. - The Element

Re: "Is BGP safe yet?" test

2020-04-22 Thread Vincent Bernat
❦ 22 April 2020 12:51 -04, Andrey Kostin: > BTW, has anybody yet thought/looked into extending RPKI-RTR protocol > for validation of prefixes received from peer-as to make ingress > filtering more dynamic and move away prefix filters from the routers? It could be used as is if the client impleme

Re: Arista Switches rebooting

2020-05-05 Thread Vincent Bernat
❦ 5 May 2020 09:09 +03, Saku Ytti: >> We found a bug on the 64 port x 100gig model that if you insert a quad >> twinax 10gig fanout cable in many of the ports it will trigger a reboot.I > > I've seen a similar issue in another vendor, where specific SFP > inserted would reload the linecard. This

Re: looking for operator validation for regexes that extract ASNs

2020-05-11 Thread Vincent Bernat
❦ 11 May 2020 20:03 +12, Matthew Luckie: > To support Internet topology analysis efforts, we have been working on > an algorithm to detect AS numbers inside hostnames (PTR records) for > router interfaces, and automatically build regular expressions > (regexes) to extract them. Hello Matthew, T

Re: RFC 5549 - IPv4 Routes with IPv6 next-hop - Does it really exists?

2020-07-29 Thread Vincent Bernat
Hello, This is implemented in FRR and will also be available in BIRD 2.0.8. Linux accepts IPv6 next-hop for IPv4 natively since 5.3 (no tunnels). This is the solution Cumulus is advocating to its users, so I suppose they have some real users behind that. Juniper also supports RFC 5549 but, from th

Re: RFC 5549 - IPv4 Routes with IPv6 next-hop - Does it really exists?

2020-07-29 Thread Vincent Bernat
❦ 29 July 2020 12:13 +03, Saku Ytti: >> This is the solution Cumulus is advocating to its users, so I suppose >> they have some real users behind that. Juniper also supports RFC 5549 >> but, from the documentation, the forwarding part is done using >> lightweight tunnels. > > I'm not sure if y

Re: [outages] Major Level3 (CenturyLink) Issues

2020-09-02 Thread Vincent Bernat
❦ 2 September 2020 10:15 +03, Saku Ytti: > RFC7313 might show us way to reduce amount of useless work. You might > want to add signal that initial convergence is done, you might want to > add signal that no installation or best path algo happens until all > route are loaded, this would massively

Re: [outages] Major Level3 (CenturyLink) Issues

2020-09-02 Thread Vincent Bernat
❦ 2 September 2020 16:35 +03, Saku Ytti: >> I am not buying it. No normal implementation of BGP stays online, >> replying to heart beat and accepting updates from ebgp peers, yet >> after 5 hours failed to process withdrawal from customers. > > I can imagine writing BGP implementation like this

Re: AS16509 Peering Contact

2020-09-18 Thread Vincent Bernat
❦ 18 September 2020 21:03 +03, Paschal Masha: > Any Techie from AS16509 (Amazon) in here that can help with a peering > request for Denver and LA Any2 IXs that was sent to peering@amazon for days > now without a response :) It takes some time to get an answer from Amazon, but they eventually ans

Re: Gaming Consoles and IPv4

2020-09-30 Thread Vincent Bernat
❦ 30 September 2020 09:45 -07, Owen DeLong: > Games want to go peer-to-peer. Not sure about that. To avoid cheaters, multiplayer games are likely to be mediated by a server running the same game engine to manage state of each player. -- Noise proves nothing. Often a hen who has merely laid an

Re: ROA mirror to IRR?

2021-10-26 Thread Vincent Bernat
❦ 26 October 2021 10:17 -10, Shawn: > Curious if any IRR databases are mirroring/importing ROA data - creating > route|6 objects from ROA? This is a feature of IRRd 4: https://irrd.readthedocs.io/en/stable/admins/rpki/ > IRR questions: > How do most large networks maintain (automate) their IRR

Re: SRv6 Capable NOS and Devices

2022-01-11 Thread Vincent Bernat
❦ 11 January 2022 09:16 -06, Colton Conor: > I know the SRv6 is a fairly new technology. I am wondering which > vendors and network operating systems fully support SRv6 today? Has > anyone deployed this new technology? Cisco on NCS devices have full support of SRv6 F1 (End, End.X, End.T, End.DX4

Re: 40G QSFP+ to 4 SFP+ on MX960

2022-02-24 Thread Vincent Bernat
❦ 25 February 2022 00:46 +03, Paschal Masha: > Has anyone managed to get the 40G QSFP+ to 4 SFP+ breakout cable to work on > the 2X40GE QSFPP Juniper MICs? > > Which commands did you use to channelize the port under the "chassis > fpc" mode to get it to channelize to 4x10g at least for one 40G

Re: dump of NOS config examples

2022-08-22 Thread Vincent Bernat
Here are some real world configurations: https://github.com/jerikan-network/cmdb/tree/generated-public/output (including IOS, JunOS and IOS-XR, but no NX-OS). On 2022-08-20 18:25, guardian.wheel9...@fastmail.com wrote: Hi, I am looking for a large dump of example, real but scrubbed, whatever,

Re: rsync CVE-2022-29154 and RPKI Validation

2022-09-08 Thread Vincent Bernat
On 2022-09-09 04:56, Matt Corallo wrote: Has anyone done an analysis of the rsync CVE-2022-29154 (which "allows malicious remote servers to write arbitrary files inside the directories of connecting peers") and its potential impact on RPKI validators? It looks like both Debian [1] and Ubuntu [2

Re: rsync CVE-2022-29154 and RPKI Validation

2022-09-09 Thread Vincent Bernat
On 2022-09-09 19:36, Matt Corallo wrote: The attacker is still limited to the target directory. The attacker can send files that were excluded or not requested, but they still end up in the target directory. RPKI validators download stuff in a dedicated download directory Ah, okay, thanks, i

Re: Akvorado Resource Requirements

2023-03-24 Thread Vincent Bernat
On 2023-03-24 15:01, Graham Johnston via NANOG wrote: For anyone running Akvorado, can you please comment on resource requirements. I'm most concerned with CPU and memory, with the assumption that resources are somewhat linear to flow rate, but also curious about disk usage secondarily. A VM

Re: NTP for ASBRs?

2019-05-08 Thread Vincent Bernat
❦ 8 May 2019 09:56 +02, Lars Prehn: > do you NTP sync your AS boundary routers? If so, what are incentives > for doing so? Are there incentives, e.g. security considerations, not > to do it? Ensure you have a firewall rule in place to prevent people from using your router for NTP amplification. NT

Re: MAP-E

2019-08-08 Thread Vincent Bernat
❦ 8 August 2019 16:18 -04, Lee Howard: > NAT64. IPv6-only to users. DNS resolver given in provisioning > information is a DNS64 server. When it does a lookup but there's no > , it invents one based on the A record (e.g., 2001:db8:64:: address>). The IPv6 prefix in the invented is actuall

Re: Request comment: list of IPs to block outbound

2019-10-13 Thread Vincent Bernat
❦ 14 October 2019 09:14 +03, Saku Ytti: >> I think you should seriously re-consider using rp_filter on a router. > > rp_filter is one of the most expensive features in modern routers, you > should only use it, if PPS performance is not important. If PPS > performance is important, ACL is much fa

Re: FRR as Route-Reflector & Scaling stats

2019-11-15 Thread Vincent Bernat
❦ 15 November 2019 09:33 +00, ERCIN TORUN: > Generally chipset is what limits the scale (e.g. trident2 is 128k ipv4 > lpm https://docs.cumulusnetworks.com/cumulus-linux/Layer-3/Routing/ ). > If you disable "zebra" daemon, FRR works only in control-plane then > you would most likely have a limita

Re: MTU

2016-07-22 Thread Vincent Bernat
❦ 22 July 2016 14:01 CEST, Baldur Norddahl: > Until now we have used the default of 1500 bytes. I now have a project where > we peer directly with another small ISP. However we need a backup so we > figured a GRE tunnel on a common IP transit carrier would work. We want to > avoid the trouble

Re: BCP38 deployment [ was Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey ]

2016-09-26 Thread Vincent Bernat
❦ 26 September 2016 09:14 CEST, valdis.kletni...@vt.edu: >> Linux: >> From /etc/sysctl.conf: >> >> # Uncomment the next two lines to enable Spoof protection (reverse-path >> # filter) >> # Turn on Source Address Verification in all interfaces to >> # prevent some spoofing attacks >> net.ipv4.

Re: External BGP Controller for L3 Switch BGP routing

2017-01-13 Thread Vincent Bernat
❦ 14 January 2017 05:24 GMT, Faisal Imtiaz: > A while back there was a discussion on how to do optimized (dynamic) > BGP routing on a L3 switch which is only capable of handing a subset > of BGP Routing table. > > Someone has pointed out that there was a project to do just that, and > had poste

Re: External BGP Controller for L3 Switch BGP routing

2017-01-16 Thread Vincent Bernat
❦ 16 January 2017 14:08 +0200, Saku Ytti: > I wonder if true whitelabel is possible, would some 'real' HW vendor, > of BRCM size, release HW docs openly? Then some integrator could start > selling the HW with BOM+10-20%, no support, no software at all. And > community could build the actual sof

Re: Open Souce Network Operating Systems

2018-05-04 Thread Vincent Bernat
❦ 3 May 2018 13:39 -0700, Andrey Khomyakov: > 1st is Linux inherently doesn't program the hardware. So if you install > Ubuntu on some Quanta switch, you still need a way to program the ASIC. > Cumulus Linux is open source with the exception of switchd, which is what > they use to take network

Re: Juniper BGP Convergence Time

2018-05-24 Thread Vincent Bernat
Hey! This feature is already enabled on MX with MPC cards. -- Make it right before you make it faster. - The Elements of Programming Style (Kernighan & Plauger) ――― Original Message ――― From: Adam Kajtar Sent: 23 May 2018 23:21 -0400 Subject: Re: Juniper BGP Convergence

Re: Juniper BGP Convergence Time

2018-05-24 Thread Vincent Bernat
❦ 24 May 2018 12:36 +0200, Olivier Benghozi: > I wonder if this convergence time issue wouldn't be a typical mission for > «BGP PIC Edge for MPLS Layer 3 VPNs». > But it would be necessary to migrate the DFZ to a VPN MPLS (and > configure composite nexthop and BGP PIC / «Provider Edge Link > P

Re: YANG daemeon for Linux

2018-07-28 Thread Vincent Bernat
❦ 27 July 2018 12:23 -0700, Karl Jørn: > Looking for an agent on Linux that will render YANG models, so I can > provision networking on Linux. Maybe looking at this one: http://yuma123.org/wiki/index.php/Yuma_netconfd_Manual -- Make sure your code "does nothing" gracefully. -

Re: [EXTERNAL] Re: RTBH no_export

2019-02-04 Thread Vincent Bernat
❦ 4 February 2019 09:01 +00, i3D.net - Martijn Schmidt: > Cogent does let you use RTBH, but on a separate BGP session to a > blackhole server. So it's a bit more hassle to set it up policy-wise, > because it deviates from the standard. Same story for "former > GlobalCrossing", now CenturyLink's

Re: Open source Netflow analysis for monitoring AS-to-AS traffic

2024-04-14 Thread Vincent Bernat
On 2024-03-27 09:09, Marinos Dimolianis wrote: My only "concern" was that it did not provide an API for consuming data externally. This is very high on my todo list, notably because I don't want to reimplement Grafana. The API already exists (the current web interface uses it) but it is not "

Re: Open source Netflow analysis for monitoring AS-to-AS traffic

2024-06-08 Thread Vincent Bernat
Without much information, I think this is more likely that you are running out of disk space. On 2024-06-05 23:15, Javier Gutierrez wrote: Hi everyone, I've been trying to get Akvorado to work on my environment but I keep getting the flows to stop collecting, it seems like the issue is related

Re: SHA1 collisions proven possisble

2017-02-24 Thread Vincent Bernat
❦ 23 February 2017 19:28 -0500, Jon Lewis: >>> cost! However this in no way invalidates SHA-1 or documents signed by >>> SHA-1. >> >> We negotiate a contract with terms favorable to you. You sign it (or more >> correctly, sign the SHA-1 hash of the document). >> >> I then take your signed copy,

Re: SHA1 collisions proven possisble

2017-02-24 Thread Vincent Bernat
❦ 23 February 2017 21:16 -0500, "Patrick W. Gilmore": > A couple things will make this slightly less useful for the attacker: > 1) How many people are not going to keep a copy? Once both docs are be > found to have the same hash, well, game over. But if a transaction is automated

Re: Templating/automating configuration

2017-06-06 Thread Vincent Bernat
❦ 6 June 2017 14:30 +0100, Oliver Elliott: > I echo Ansible. I'm using it with NAPALM and jinja2 templates to push and > verify config on switches. Why not use the builtin ability of ansible for most vendors? (genuine question) http://docs.ansible.com/ansible/list_of_network_modules.html

Re: WiFi - login page redirection not working

2017-11-30 Thread Vincent Bernat
❦ 30 November 2017 18:26 -0800, Owen DeLong: >> SSL requests are. For example, Google caches their 301 redirect >> from http://www.google.com to >> https://www.google.com which means clients >> that had access while that browser ps stays acti

Re: WiFi - login page redirection not working

2017-12-01 Thread Vincent Bernat
❦ 1 December 2017 15:02 +0300, Nikolay Shopik: >> DHCP and neighbor discovery can also provide the information of the >> login page: https://tools.ietf.org/html/rfc7710 > > I don't think it got support in any os. It's supported on Linux by Network Manager. -- All things that are, are with mo

Re: Carrier IRR Update Frequency

2018-01-01 Thread Vincent Bernat
❦ 1 January 2018 10:17 -0600, Mike Hammett: > Any idea how often Cogent, XO, and Level 3 update their prefix filters > from the IRRDBs? I got a recent answer from Cogent support stating they don't use IRR (at least for their customers). -- Consider well the proportions of things. It is bet

Re: MTU to CDN's

2018-01-09 Thread Vincent Bernat
❦ 8 January 2018 15:08 -0800, joel jaeggli: >> N00b here trying to understand why certain CDNs such as Cloudflare have >> issues where my MTU is low. For instance if I am using pptp and the MTU is >> at 1300 it won't work. If I increase to 1478 it may or may not work. > PMTUD has a lot of troub

Re: MTU to CDN's

2018-01-18 Thread Vincent Bernat
❦ 19 January 2018 08:53 +1000, George Michaelson: > if I was an ISP (I'm not) and a CDN came and said "we want to be inside > you" (ewww) why wouldn't I say "sure: let's jumbo" Most traffic would be with clients limited to at most 1500 bytes. -- Its name is Public Opinion. It is held in revere

Re: MTU to CDN's

2018-01-19 Thread Vincent Bernat
❦ 19 January 2018 08:07 -0600, Mike Hammett: > Wouldn't those situations be causing issues now, given the likelihood > that someone with a less than 1,500 byte MTU is communicating with you > now? Those situations are causing issues now. If you have a MTU less than 1500 bytes, it is likely som

Re: IPv4 and IPv6 hijacking by AS 6

2018-04-12 Thread Vincent Bernat
❦ 12 April 2018 13:51 -0500, Matt Harris: >> Have you tried their IRR entries? Bull appears to redirect to Atos now >> (site-wise). >> >> notify: ed.gie...@atos.net >> notify: charlie.mol...@atos.net >> changed:christophe.fra...@atos.net 20180117 #18:47:40Z >> > > I'm now in touch

Re: Upgrade Path Options from 6500 SUP720-3BXL for Edge Routing

2014-07-30 Thread Vincent Bernat
❦ 30 July 2014 09:53 +0200, Mark Tinka: > IOS XR on the CRS and ASR9000 is based on QNX, which suffers > from being only a 32-bit kernel. So even if the hardware > will ship with >4GB of RAM, the OS will only see 4GB (I have > 12GB in my CRS's and 8GB on my ASR9001's). What's the point

Re: [j-nsp] Viability of EX4300 in a primarily l3 environment?

2014-08-06 Thread Vincent Bernat
❦ 6 August 2014 20:54 +0900, "Paul S.": > Correct me if I'm wrong, but doesn't OSPF require the AFL license > anyway to be 'legitly' ran? OSPF does not need a feature license on those models (it is needed on EX2200). AFL is needed for BGP, IS-IS and MPLS. -- Use statement labels that mean some