Re: Solutions for DoS DDoS

2012-12-10 Thread Vasile Borcan
Try the DDoS attack detection and mitigation software named WANGUARD
from http://www.andrisoft.com. It's not expensive and non-profit
organisations like you are granted a 30% discount. Install it on
a Linux server and you'll have DDoS attack detection in no time.
Since you're not a carrier the DDoS scrubbing feature won't be useful
to you, but the black hole routing probably will. You can also
configure it to send alerts to your upstream carrier or to your
attackers' ISPs.

On Thu, Dec 6, 2012 at 7:51 PM, Mike Gatti ekim.it...@gmail.com wrote:
 Hello Everyone,

 I'm assisting a non-profit organization to research solutions to secure their 
 network from DoS/DDoS attacks. So far we have gone the route of discussing 
 with their ISPs to see what solutions they have to offer, believing that the 
 carriers are better positioned to block the attack from the source.

 I wanted to get the list's thoughts on our approach going the carrier route 
 and/or hear about successful implementation of other solutions.

 Thanks,
 --
 Michael Gatti
 949.371.5474
 (UTC -8)







Re: Solutions for DoS DDoS

2012-12-10 Thread Ameen Pishdadi
Sounds like an advertisement to me 

Thanks,
Ameen Pishdadi


On Dec 10, 2012, at 7:22 AM, Vasile Borcan naitlu...@gmail.com wrote:

 Try the DDoS attack detection and mitigation software named WANGUARD
 from http://www.andrisoft.com. It's not expensive and non-profit
 organisations like you are granted a 30% discount. Install it on
 a Linux server and you'll have DDoS attack detection in no time.
 Since you're not a carrier the DDoS scrubbing feature won't be useful
 to you, but the black hole routing probably will. You can also
 configure it to send alerts to your upstream carrier or to your
 attackers' ISPs.
 
 On Thu, Dec 6, 2012 at 7:51 PM, Mike Gatti ekim.it...@gmail.com wrote:
 Hello Everyone,
 
  I'm assisting a non-profit organization to research solutions to secure 
  their network from DoS/DDoS attacks. So far we have gone the route of 
  discussing with their ISPs to see what solutions they have to offer, 
  believing that the carriers are better positioned to block the attack from 
  the source.
  
  I wanted to get the list's thoughts on our approach going the carrier route 
  and/or hear about successful implementation of other solutions.
 
 Thanks,
 --
 Michael Gatti
 949.371.5474
 (UTC -8)
 



Re: Solutions for DoS DDoS

2012-12-10 Thread Christopher Morrow
On Mon, Dec 10, 2012 at 9:33 AM, Ameen Pishdadi apishd...@gmail.com wrote:
 Sounds like an advertisement to me

In the end there are few actual options (in general):
  1) do it yourself
  2) have your carrier do it for you
  3) have a third party do it for you

There are cost and capability considerations with all of these, basically:
  1:
- you'll need more pipe - absorb all that can arrive, can you
handle an extra 100gbps of traffic? (or less, you could reasonably
build out for X gbps and just die under Y if the cost is unacceptably
large to absorb Y)
- more people-smarts - understand what is/isn't an attack,
understand peering, transit, costs, complexities, mitigation
techniques and costs involved.
- more equipment - mitigation gear (cisco guard, arbor tms, radware...etc)

  2:
  - monthly (most times) cost for 'insurance', imagine paying an
uplift on your current bandwidth costs, for mitigation services,
pre-prepared, so all you need to do is 'initiate mitigation' inside the
carrier's network.
  - people-cost in training to 'make the mitigation happen' (done
right at the carrier this is nothing more than a bgp update from
you...)

  3:
  - monthly (or one-time) cost, you may be able to initiate it
one-time and walk away, with the attendant costs in management of
ad hoc contracts/etc.
  - routing changes (do you control at least the /24 around the
resource you need to mitigate?)
  - tunneling complexity to return to you the 'clean' traffic
  - dns shenanigans for those ddos-mitigation folks who don't do
routing change, or prefer DNS ones.

pick what works for you... or your charity org.

-chris
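Option 1 above (do it yourself) and the "bgp update from you" in option 2 come down to the same two pieces: something that decides a host is under attack, and a trigger that announces that host's /32 to the upstream with the carrier's blackhole community (the same black hole routing the WANGUARD post mentions). The following is an added example, written for this page and not code from the thread or from any product named in it. It runs offline over constructed flow records. The ExaBGP-style command text, the next-hop 192.0.2.1, the 50,000 pps threshold, the protected prefix 203.0.113.0/24 and the sample flows are all assumptions; 65535:666 is the RFC 7999 BLACKHOLE community, but many carriers require their own community value, so check your upstream's RTBH documentation.

```python
"""
Added example: flow-based DDoS detection plus remote-triggered black hole
(RTBH) announcements.  Not from the thread; all names, values and sample
data are assumptions constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed tuning values; a real deployment derives these from baselines.
PPS_THRESHOLD = 50_000             # packets/second per destination that counts as an attack
WINDOW_SECONDS = 10.0              # export window the sample flows cover
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE; your carrier may require its own value
BLACKHOLE_NEXT_HOP = "192.0.2.1"   # assumed discard next-hop (RFC 5737 documentation range)


@dataclass(frozen=True)
class Flow:
    """One NetFlow/sFlow-style record (constructed layout, not a real export)."""
    src: str
    dst: str
    proto: int
    packets: int
    octets: int


def detect_targets(flows, protected_prefix, window=WINDOW_SECONDS,
                   pps_threshold=PPS_THRESHOLD):
    """Aggregate packets per destination inside protected_prefix.

    Returns {dst: (pps, distinct_sources)} for destinations at or above
    the threshold.  Destinations outside the prefix are ignored: the
    monitor only ever acts on address space we can legitimately blackhole.
    """
    net = ip_network(protected_prefix)
    packets = defaultdict(int)
    sources = defaultdict(set)
    for f in flows:
        if ip_address(f.dst) not in net:
            continue
        packets[f.dst] += f.packets
        sources[f.dst].add(f.src)
    return {
        dst: (count / window, len(sources[dst]))
        for dst, count in packets.items()
        if count / window >= pps_threshold
    }


def rtbh_route(victim, protected_prefix, action="announce",
               next_hop=BLACKHOLE_NEXT_HOP, community=BLACKHOLE_COMMUNITY):
    """Build the ExaBGP-style command (assumed syntax) for one host route.

    Refuses to build a route for an address outside protected_prefix so a
    bug in detection cannot make us advertise someone else's address.
    """
    ip = ip_address(victim)
    if ip not in ip_network(protected_prefix):
        raise ValueError(f"{victim} is not inside {protected_prefix}")
    if action not in ("announce", "withdraw"):
        raise ValueError(f"unknown action {action!r}")
    host_len = 32 if ip.version == 4 else 128
    return f"{action} route {ip}/{host_len} next-hop {next_hop} community [{community}]"


def plan_mitigation(flows, protected_prefix):
    """Run detection and return the announcements to hand to the trigger router."""
    targets = detect_targets(flows, protected_prefix)
    return [rtbh_route(dst, protected_prefix) for dst in sorted(targets)]


def sample_flows():
    """Constructed ten-second window: a 60-source UDP flood on one host,
    normal web traffic to a second host, and unrelated traffic outside the prefix."""
    flows = [Flow(f"198.51.100.{i}", "203.0.113.10", 17, 10_000, 12_000_000)
             for i in range(1, 61)]                                           # 600k pkts -> 60k pps
    flows.append(Flow("198.51.100.200", "203.0.113.20", 6, 3_000, 1_800_000))   # 300 pps, normal
    flows.append(Flow("198.51.100.201", "192.0.2.77", 6, 900_000, 57_600_000))  # outside prefix, ignored
    return flows


if __name__ == "__main__":
    for cmd in plan_mitigation(sample_flows(), "203.0.113.0/24"):
        print(cmd)
```

Blackholing finishes the attacker's job for the one victim address; what it buys you is that the rest of the prefix, and the pipe in front of it, survive. The membership check in rtbh_route is the part worth keeping whatever else you change: a trigger that can announce an address you do not hold is a way to take down someone else's host with a typo. Withdraw the route (action="withdraw") once the attack subsides.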



Re: gmail offline?

2012-12-10 Thread Peter Kristolaitis
I'm getting the same thing when I try to access the web interface, but 
SMTP & IMAP seem to be working fine at the moment.


- Peter


On 12/10/2012 11:56 AM, Philip Lavine wrote:

getting a 502 error





Re: gmail offline?

2012-12-10 Thread Andrew Latham
On Mon, Dec 10, 2012 at 11:56 AM, Philip Lavine source_ro...@yahoo.com wrote:
 getting a 502 error

Some network issues on a normal Monday morning.

-- 
~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~



Re: gmail offline?

2012-12-10 Thread Tom Beecher
Web interface for Gmail/GChat seems to be the culprit. My email and chat 
clients that don't use the web interface seem pretty unaffected.


It's Google. They'll straighten it out quick enough.

On 12/10/2012 12:00 PM, Peter Kristolaitis wrote:
I'm getting the same thing when I try to access the web interface, but 
SMTP & IMAP seem to be working fine at the moment.


- Peter


On 12/10/2012 11:56 AM, Philip Lavine wrote:

getting a 502 error





RE: gmail offline?

2012-12-10 Thread Blake Pfankuch
Just loaded for me, however quite a bit slower than normal.

-Original Message-
From: Peter Kristolaitis [mailto:alte...@alter3d.ca] 
Sent: Monday, December 10, 2012 10:00 AM
To: nanog@nanog.org
Subject: Re: gmail offline?

I'm getting the same thing when I try to access the web interface, but SMTP & 
IMAP seem to be working fine at the moment.

- Peter


On 12/10/2012 11:56 AM, Philip Lavine wrote:
 getting a 502 error





Re: gmail offline?

2012-12-10 Thread Andrew Latham
On Mon, Dec 10, 2012 at 12:00 PM, Peter Kristolaitis alte...@alter3d.ca wrote:
 I'm getting the same thing when I try to access the web interface, but SMTP
 & IMAP seem to be working fine at the moment.

 - Peter

This email sent via the Web interface...  Trying to track down the issue now.

-- 
~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~



Re: gmail offline?

2012-12-10 Thread Grant Ridder
Not seeing any issues from a TWTC circuit in Milwaukee, Wi.

-Grant

On Mon, Dec 10, 2012 at 11:01 AM, Andrew Latham lath...@gmail.com wrote:

 On Mon, Dec 10, 2012 at 11:56 AM, Philip Lavine source_ro...@yahoo.com
 wrote:
  getting a 502 error

 Some network issues on a normal Monday morning.

 --
 ~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~




Re: gmail offline?

2012-12-10 Thread Hank Nussbacher

In Israel as well.

-Hank

On Mon, 10 Dec 2012, Andrew Latham wrote:


On Mon, Dec 10, 2012 at 11:56 AM, Philip Lavine source_ro...@yahoo.com wrote:

getting a 502 error


Some network issues on a normal Monday morning.

--
~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~





Re: gmail offline?

2012-12-10 Thread Grant Ridder
I stand corrected, the web interface just stopped working with a 502 error

Sent from my iPhone

On Dec 10, 2012, at 11:06 AM, Tom Beecher tbeec...@localnet.com wrote:

 Web interface for Gmail/GChat seems to be the culprit. My email and chat 
 clients that don't use the web interface seem pretty unaffected.
 
 It's Google. They'll straighten it out quick enough.
 
 On 12/10/2012 12:00 PM, Peter Kristolaitis wrote:
 I'm getting the same thing when I try to access the web interface, but SMTP 
 & IMAP seem to be working fine at the moment.
 
 - Peter
 
 
 On 12/10/2012 11:56 AM, Philip Lavine wrote:
 getting a 502 error
 
 



Re: gmail offline?

2012-12-10 Thread Derek Ivey
Seems to be working again.


On Mon, Dec 10, 2012 at 12:08 PM, Grant Ridder shortdudey...@gmail.comwrote:

 Not seeing any issues from a TWTC circuit in Milwaukee, Wi.

 -Grant

 On Mon, Dec 10, 2012 at 11:01 AM, Andrew Latham lath...@gmail.com wrote:

  On Mon, Dec 10, 2012 at 11:56 AM, Philip Lavine source_ro...@yahoo.com
  wrote:
   getting a 502 error
 
  Some network issues on a normal Monday morning.
 
  --
  ~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~
 
 



Re: gmail offline?

2012-12-10 Thread Jay Farrell
It's been up and down for at least the past 20 minutes. Amusingly some of
the isitdown sites are sporadic as a result of so many people checking to
see if gmail is down. I'm reading/sending this via the gmail web interface
now though.


On Mon, Dec 10, 2012 at 12:06 PM, Andrew Latham lath...@gmail.com wrote:

 On Mon, Dec 10, 2012 at 12:00 PM, Peter Kristolaitis alte...@alter3d.ca
 wrote:
  I'm getting the same thing when I try to access the web interface, but
 SMTP
  & IMAP seem to be working fine at the moment.
 
  - Peter

 This email sent via the Web interface...  Trying to track down the issue
 now.

 --
 ~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~




Re: gmail offline?

2012-12-10 Thread Tony McCrory
Reading this just fine from the UK on GMail web interface.


On 10 December 2012 17:18, Derek Ivey de...@derekivey.com wrote:

 Seems to be working again.


 On Mon, Dec 10, 2012 at 12:08 PM, Grant Ridder shortdudey...@gmail.com
 wrote:

  Not seeing any issues from a TWTC circuit in Milwaukee, Wi.
 
  -Grant
 
  On Mon, Dec 10, 2012 at 11:01 AM, Andrew Latham lath...@gmail.com
 wrote:
 
   On Mon, Dec 10, 2012 at 11:56 AM, Philip Lavine 
 source_ro...@yahoo.com
   wrote:
getting a 502 error
  
   Some network issues on a normal Monday morning.
  
   --
   ~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~
  
  
 



Re: gmail offline?

2012-12-10 Thread Sean Lazar
It seems like gmail web interface is working for some, but not others.

http://www.google.com/appsstatus

On 12/10/12 9:19 AM, Jay Farrell wrote:
 It's been up and down for at least the past 20 minutes. Amusingly some of
 the isitdown sites are sporadic as a result of so many people checking to
 see if gmail is down. I'm reading/sending this via the gmail web interface
 now though.


 On Mon, Dec 10, 2012 at 12:06 PM, Andrew Latham lath...@gmail.com wrote:

 On Mon, Dec 10, 2012 at 12:00 PM, Peter Kristolaitis alte...@alter3d.ca
 wrote:
 I'm getting the same thing when I try to access the web interface, but
 SMTP
  & IMAP seem to be working fine at the moment.

 - Peter
 This email sent via the Web interface...  Trying to track down the issue
 now.

 --
 ~ Andrew lathama Latham lath...@gmail.com http://lathama.net ~







RE: Why do some providers require IPv6 /64 PA space to have public whois?

2012-12-10 Thread Schiller, Heather A

Actually, requiring a public whois record is the way it always has been, that's 
only recently changed.   I think most folks would agree that, IPv4 /32 :: IPv6 
/128 as IPv4 /29 :: IPv6 /64  So, while you are right, that SWIPing a v4 /32 
has never been required, I think your analogy of a v6 /64 to a v4 /32 is off.  
The minimum assignment requiring a SWIP is also ensconced in RIR policy.  If 
you don't like it, may I suggest you propose policy to change it?

RIPE's policy:
 When an End User has a network using public address space this must be 
registered separately with the contact details of the End User. Where the End 
User is an individual rather than an organisation, the contact information of 
the service provider may be substituted for the End User's.

  Note the *may* -- ISPs aren't required to support it. 

More RIPE policy.. 
When an organisation holding an IPv6 address allocation makes IPv6 address 
assignments, it must register these assignments in the appropriate RIR database.

These registrations can either be made as individual assignments or by 
inserting an object with a status value of 'AGGREGATED-BY-LIR' where the 
assignment-size attribute contains the size of the individual assignments made 
to End Users. When more than a /48 is assigned to an organisation, it must be 
registered in the database as a separate object with status 'ASSIGNED'.

So they have to register it, and they get a choice about how they do it.. 
Your provider has chosen a way you don't like.  Talk to them about it, rather 
than complaining on NANOG? 


 It's pretty similar in the ARIN region.  In 2004, the ARIN community passed 
the residential customer privacy policy - specifically allowing ISPs to 
designate a record private.  Again, it's optional. 

https://www.arin.net/policy/nrpm.html


Min assignment swip
6.5.5.1. Reassignment information

Each static IPv6 assignment containing a /64 or more addresses shall be 
registered in the WHOIS directory via SWIP or a distributed service which meets 
the standards set forth in section 3.2. Reassignment registrations shall 
include each client's organizational information, except where specifically 
exempted by this policy.


IPv4
4.2.3.7.3.2. Residential Customer Privacy

To maintain the privacy of their residential customers, an organization with 
downstream residential customers holding /29 and larger blocks may substitute 
that organization's name for the customer's name, e.g. 'Private Customer - XYZ 
Network', and the customer's street address may read 'Private Residence'. Each 
private downstream residential reassignment must have accurate upstream Abuse 
and Technical POCs visible on the WHOIS directory record for that block. 

IPv6
6.5.5.3. Residential Subscribers
6.5.5.3.1. Residential Customer Privacy

To maintain the privacy of their residential customers, an organization with 
downstream residential customers holding /64 and larger blocks may substitute 
that organization's name for the customer's name, e.g. 'Private Customer - XYZ 
Network', and the customer's street address may read 'Private Residence'. Each 
private downstream residential reassignment must have accurate upstream Abuse 
and Technical POCs visible on the WHOIS record for that block.


--Heather


-Original Message-
From: Constantine A. Murenin [mailto:muren...@gmail.com] 
Sent: Saturday, December 08, 2012 12:46 AM
To: nanog@nanog.org
Subject: Why do some providers require IPv6 /64 PA space to have public whois?

Hello,

I personally don't understand this policy.  I've signed up with hetzner.de, and 
I'm trying to get IPv6; however, on the supplementary page where the 
complementary IPv6 /64 subnet can be requested (notice that it's not even a 
/48, and not even the second, routed, /64), after I change the selection from 
requesting one additional IPv4 address to requesting the IPv6 /64 subnet (they 
offer no other IPv6 options in that menu), they use DOM to remove the IP 
address justification field (Purpose of use), and instead statically show my 
name, physical street address (including the apartment number), email address 
and phone number, and ask to confirm that all of this information can be 
submitted to RIPE.

They offer no option of modifying any of this; they also offer no option of 
hiding the street address and showing it as Private Address instead; they 
also offer no option of providing contact information different from the 
contact details for the main profile or keeping a separate set of contact 
details in the main profile specifically for RIPE; they also offer no option of 
providing a RIPE handle instead (dunno if one can be registered with a Private 
Address address, showing only city/state/country and postal code; I do know 
that with ARIN and PA IPv4 subnets you can do Private Address in the Address 
field); they also don't let you submit the form unless you agree for the 
information shown to be passed along to RIPE for getting IPv6 connectivity 
(again, 

Re: Why do some providers require IPv6 /64 PA space to have public whois?

2012-12-10 Thread Doug Barton
On 12/10/2012 01:27 PM, Schiller, Heather A wrote:
 I think most folks would agree that, IPv4 /32 :: IPv6 /128 as IPv4 /29 :: 
 IPv6 /64

Quite the opposite in fact. In IPv6 a /64 is roughly equivalent to a /32
in IPv4. As in, it's the smallest possible assignment that will allow an
end-user host to function under normal circumstances.

SWIP or rwhois for a /64 seems excessive to me, FWIW.

Doug



Re: Why do some providers require IPv6 /64 PA space to have public whois?

2012-12-10 Thread Randy Bush
 IPv4 /32 :: IPv6 /128

i.e. a single host or gkw behind a nat.  kinda what i get from comcast
and twt now.

 IPv4 /29 :: IPv6 /64

i.e. i get a lan segment.

makes sense

 The minimum assignment requiring a swip is also ensconced in RIR
 policy.

i am sure that, if you dig deeply enough, a recipe for chocolate chip
cookies is ensconced in RIR policy.  the bookkeepers drank koolaid and
think they have become regulators.

does samantha know her mom is a wannabe lawyer?  :)

randy



Re: Why do some providers require IPv6 /64 PA space to have public whois?

2012-12-10 Thread Mark Andrews

In message 50c65c84.6080...@dougbarton.us, Doug Barton writes:
 On 12/10/2012 01:27 PM, Schiller, Heather A wrote:
  I think most folks would agree that, IPv4 /32 :: IPv6 /128 as IPv4 /29 :: IPv6 /64
 
 Quite the opposite in fact. In IPv6 a /64 is roughly equivalent to a /32
 in IPv4. As in, it's the smallest possible assignment that will allow an
 end-user host to function under normal circumstances.
 
 SWIP or rwhois for a /64 seems excessive to me, FWIW.
 
 Doug

Even SWIP for a /48 for a residential assignment is excessive.
SWIP for a /48 for a commercial assignment is reasonable

Note it is the type of assignment, not the size, which is determining
factor here.  A /64 commercial assignment should have a SWIP entry.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



facebook down

2012-12-10 Thread Joly MacFie
I know there's an outages list, but seriously!

It seems like a DNS prob?



--
---
Joly MacFie  218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
 http://pinstand.com - http://punkcast.com
 VP (Admin) - ISOC-NY - http://isoc-ny.org
--
-



Re: Why do some providers require IPv6 /64 PA space to have public whois?

2012-12-10 Thread Owen DeLong


Sent from my iPad

On Dec 10, 2012, at 2:04 PM, Doug Barton do...@dougbarton.us wrote:

 On 12/10/2012 01:27 PM, Schiller, Heather A wrote:
 I think most folks would agree that, IPv4 /32 :: IPv6 /128 as IPv4 /29 :: 
 IPv6 /64
 
 Quite the opposite in fact. In IPv6 a /64 is roughly equivalent to a /32
 in IPv4. As in, it's the smallest possible assignment that will allow an
 end-user host to function under normal circumstances.

No, you could be assigned a /128 and have it function for a single host. 
However, let's not start doing that as it's pretty brain-dead and the reality 
is that hardly anyone has a single host any more.

Heather has the corollaries correct.

 SWIP or rwhois for a /64 seems excessive to me, FWIW.

I'm not sure I disagree, but, I certainly don't feel strongly enough about it 
to submit a policy proposal. I will say that you are far more likely to get 
this changed by submitting a policy proposal than you are by complaining to 
NANOG about it.

Owen




RE: Why do some providers require IPv6 /64 PA space to have public whois?

2012-12-10 Thread Ian Smith
Quite the opposite in fact. In IPv6 a /64 is roughly equivalent to a /32 in 
IPv4. As in, it's the smallest possible assignment that will allow an end-user 
host to function under normal circumstances.

SWIP or rwhois for a /64 seems excessive to me, FWIW.

IPv4/32 is both a routing endpoint and a host.  IPv4 is a 32 bit combined 
routing and host space.

IPv6/64 is a routing endpoint and v6/128 is a host.   IPv6 is a 64 bit routing 
space and also a 64 bit host space for each routing space, not a 128 bit 
combined routing and host space.

Evidently, the whois requirement is for networks, not nodes, which makes sense 
when you think about how the entity that controls a /64 is assuming 
responsibility for 2^64 network nodes.



-Original Message-
From: Doug Barton [mailto:do...@dougbarton.us] 
Sent: Monday, December 10, 2012 5:05 PM
To: Schiller, Heather A
Cc: Constantine A. Murenin; nanog@nanog.org
Subject: Re: Why do some providers require IPv6 /64 PA space to have public 
whois?

On 12/10/2012 01:27 PM, Schiller, Heather A wrote:
 I think most folks would agree that, IPv4 /32 :: IPv6 /128 as IPv4 /29 
 :: IPv6 /64


Doug





Re: Why do some providers require IPv6 /64 PA space to have public whois?

2012-12-10 Thread Owen DeLong


Sent from my iPad

On Dec 10, 2012, at 3:02 PM, Mark Andrews ma...@isc.org wrote:

 
 In message 50c65c84.6080...@dougbarton.us, Doug Barton writes:
 On 12/10/2012 01:27 PM, Schiller, Heather A wrote:
  I think most folks would agree that, IPv4 /32 :: IPv6 /128 as IPv4 /29 :: IPv6 /64
 
 Quite the opposite in fact. In IPv6 a /64 is roughly equivalent to a /32
 in IPv4. As in, it's the smallest possible assignment that will allow an
 end-user host to function under normal circumstances.
 
 SWIP or rwhois for a /64 seems excessive to me, FWIW.
 
 Doug
 
 Even SWIP for a /48 for a residential assignment is excessive.
 SWIP for a /48 for a commercial assignment is reasonable
 

I disagree. SWIP for a /48 with the appropriate notations under residential 
customer privacy policy provides a good balance between the need for public 
accountability of resource utilization and privacy concerns for residential 
customer assignments.

Owen




RE: facebook down

2012-12-10 Thread Warren Bailey
In other news, productivity in the workplace hit an all time high. High Schools 
around the nation are reporting dozens of potential suicide threats, citing the 
inability to announce their current location. Millions of farms are unattended, 
which may lead to a widespread shortage of virtual corn and grapes.


From my Galaxy Note II, please excuse any mistakes.


 Original message 
From: Joly MacFie j...@punkcast.com
Date: 12/10/2012 3:09 PM (GMT-08:00)
To: North American Network Operators Group nanog@nanog.org
Subject: facebook down


I know there's an outages list, but seriously!

It seems like a DNS prob?



--
---
Joly MacFie  218 565 9365 Skype:punkcast
WWWhatsup NYC - http://wwwhatsup.com
 http://pinstand.com - http://punkcast.com
 VP (Admin) - ISOC-NY - http://isoc-ny.org
--
-




Re: facebook down

2012-12-10 Thread Yang Yu
I noticed Google Public DNS was returning SERVFAIL for www.facebook.com A
earlier, around 6pm EST; NS records were fine. Now the DNS problem is
solved but web still does not work.

On Mon, Dec 10, 2012 at 6:06 PM, Joly MacFie j...@punkcast.com wrote:

 I know there's an outages list, but seriously!

 It seems like a DNS prob?



 --
 ---
 Joly MacFie  218 565 9365 Skype:punkcast
 WWWhatsup NYC - http://wwwhatsup.com
  http://pinstand.com - http://punkcast.com
  VP (Admin) - ISOC-NY - http://isoc-ny.org
 --
 -




Re: Why do some providers require IPv6 /64 PA space to have public whois?

2012-12-10 Thread Owen DeLong

On Dec 10, 2012, at 2:53 PM, Ian Smith i.sm...@f5.com wrote:

 Quite the opposite in fact. In IPv6 a /64 is roughly equivalent to a /32 in 
 IPv4. As in, it's the smallest possible assignment that will allow an 
 end-user host to function under normal circumstances.
 
 SWIP or rwhois for a /64 seems excessive to me, FWIW.
 
 IPv4/32 is both a routing endpoint and a host.  IPv4 is a 32 bit combined 
 routing and host space.
 
 IPv6/64 is a routing endpoint and v6/128 is a host.   IPv6 is a 64 bit 
 routing space and also a 64 bit host space for each routing space, not a 128 
 bit combined routing and host space.
 

You can make a /128 a routing endpoint in IPv6 just like a /32 in IPv4 with all 
the same rules, restrictions, and limitations.

 Evidently, the whois requirement is for networks, not nodes, which makes 
 sense when you think about how the entity that controls a /64 is assuming 
 responsibility for 2^64 network nodes.

Correct (in the first part). In reality, nobody has 2^64 nodes, that's more 
than the square of the current host addressing available in all of IPv4. You'll 
never see a /64 full of hosts. For one thing, there's no concept for switching 
hardware that could handle that large of a MAC adjacency table, nor is there 
ever likely to be such.

Owen

 
 
 
 -Original Message-
 From: Doug Barton [mailto:do...@dougbarton.us] 
 Sent: Monday, December 10, 2012 5:05 PM
 To: Schiller, Heather A
 Cc: Constantine A. Murenin; nanog@nanog.org
 Subject: Re: Why do some providers require IPv6 /64 PA space to have public 
 whois?
 
 On 12/10/2012 01:27 PM, Schiller, Heather A wrote:
 I think most folks would agree that, IPv4 /32 :: IPv6 /128 as IPv4 /29 
 :: IPv6 /64
 
 
 Doug
 
 




Re: Why do some providers require IPv6 /64 PA space to have public whois?

2012-12-10 Thread Mark Andrews

In message 272782d1-8dea-4718-9429-8b0505dd3...@delong.com, Owen DeLong writes:
 
 
 Sent from my iPad
 
 On Dec 10, 2012, at 3:02 PM, Mark Andrews ma...@isc.org wrote:
 
 
  In message 50c65c84.6080...@dougbarton.us, Doug Barton writes:
  On 12/10/2012 01:27 PM, Schiller, Heather A wrote:
  I think most folks would agree that, IPv4 /32 :: IPv6 /128 as IPv4 /29 :: IPv6 /64
 
  Quite the opposite in fact. In IPv6 a /64 is roughly equivalent to a /32
  in IPv4. As in, it's the smallest possible assignment that will allow an
  end-user host to function under normal circumstances.
 
  SWIP or rwhois for a /64 seems excessive to me, FWIW.
 
  Doug
 
  Even SWIP for a /48 for a residential assignment is excessive.
  SWIP for a /48 for a commercial assignment is reasonable
 
 
 I disagree. SWIP for a /48 with the appropriate notations under residential
 customer privacy policy provides a good balance between the need for public
 accountability of resource utilization and privacy concerns for residential
 customer assignments.
 
 Owen

You don't SWIP each residential customer with IPv4.  You often SWIP blocks
of residential customers down to the pop level.
You often SWIP each commercial customer with IPv4.

To require a SWIP entry for each residential customer is bureaucracy
gone mad.  Additionally there is no technical need for this.  It
isn't needed for address accountability.  Residential customers
have historically been treated in bulk.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org



Re: Why do some providers require IPv6 /64 PA space to have public whois?

2012-12-10 Thread Constantine A. Murenin
On 8 December 2012 23:10, Owen DeLong o...@delong.com wrote:
 Frankly, the more I think about this, the less it's clear why someone
 like hetzner.de would actually want you to be using their native IPv6
 support, instead of the one provided by HE.net through their free
 tunnelbroker.net service.  HE has an open-peering policy (AFAIK);

 Yes, HE has a one-word peering policy… YES!

 However, that means that if hetzner peered IPv6 native with us, we
 would provide them every thing you get through tunnel broker still
 at no cost and without any limitations on bandwidth.

 We don't artificially limit the bandwidth on tunnel broker, but, each
 tunnel broker server has a single network interface that it hairpins
 the v4/v6 traffic on and the bandwidth is what it is. I don't expect
 that will be an issue any time soon, but for planning purposes, people
 should understand that tunnel broker is a where-is-as-is service on
 a best effort basis with no SLA.

 We do offer production grade tunnel services for a fee and people
 are welcome to contact me off-list for more information.

 which basically means that tunnelbroker.net traffic is free for
 hetzner.de, whereas for native IPv6 traffic they might have to be
 paying for transit costs, depending on the destination.  HE.net

 We would really rather see such traffic come native across our peering
 links as much as possible. It allows us to provide a higher quality
 of service.

Are you suggesting that it's an official/semi-official policy to allow
IPv6 peering clients to use HE.net as their default route for IPv6?
(To no surprise, that seems to contradict http://he.net/peering.html.)
 Because, essentially, if you allow settlement-free peering with IPv4,
and include tunnelbroker.net into it, then, indeed, a major hosting
provider, by having a poor native IPv6 support, can indirectly save a
few pennies by forcing some clients to instead use tunnelbroker.net
and thus bypass having to pay for any kind of IPv6 transit on behalf
of such clients, since any traffic requiring transit when native, will
qualify for peering once tunnelled.  I'm curious if anyone actually
does now, or has attempted in the past, any such traffic laundering
by design and on purpose. :-)  I guess in the end, the scenario is
more hypothetical and conspiracy-driven, since such attempts will
either never be statistically significant enough to be noticed, or
would be obvious enough to warrant some immediate manual intervention
against the misbehaving peer.

To HE's credit, I do recall hearing from someone that HE.net is nice
enough to not restrict other network operators to choose whether they
want to do settlement-free peering or transit, and is very flexible to
allow doing both at the same time (unlike AT&T, which explicitly
documents that they will never peer with anyone who buys transit from
them).

As an end user, I still don't understand how you can afford to carry
all that traffic globally between the POPs for free; but I'm not
complaining. :-)  I guess it's a great way to be spending most of your
marketing budget in house. :-)

You obviously have to justify the need for native connectivity; but,
honestly, for my situation (one value server in a given DC) I still
see it as a marketing talk that native IPv6 is somehow better than
tunnelled.  As an end user, I honestly think I have more flexibility
with the tunnelled service (and without any extra price).  And, as
people have pointed out, tunnelled service is usually as reliable as
the underlying connection; meaning, in the hosting setting there
should really be no problems with tunnels whatsoever.  On the other
hand, native IPv6 would be quite easy to get wrong; in fact, very easy
to get wrong, as I have personally learnt.

 probably wins, too; since being the place-to-go-for-IPv6 might make it
 easier for them to have more settlement-free peering with big transit
 providers such as AT&T (Bay-Area-wise, they still have IPv6 traffic
 going through their peering in Los Angeles).

 Being a popular IPv6 peer and having so many tunnel broker users has
 been a great success story for us, yes. However, in terms of how
 this affects our standing for peering, I think that the effect is the
 same regardless of whether we are passing the traffic from/to a peering
 link or a tunnel broker.

Yes; but I was referring to the free transit that you effectively
offer through the tunnel broker; such traffic would otherwise go to
AT&T through a transit provider, which may or may not be HE.

C.



Re: Why do some providers require IPv6 /64 PA space to have public whois?

2012-12-10 Thread Constantine A. Murenin
On 10 December 2012 16:07, Mark Andrews ma...@isc.org wrote:
 You don't SWIP each residential customer with IPv4.  You often SWIP blocks
 of residential customers down to the pop level.
 You often SWIP each commercial customer with IPv4.

 To require a SWIP entry for each residential customer is bureaucracy
 gone mad.  Additionally there is no technical need for this.  It
 isn't needed for address accountability.  Residential customers
 have historically been treated in bulk.

Yes, agreed; and note that in my specific case, we're not even talking
about the residential customer situation:  we're talking about
individual private servers (with IPv4) requiring basic IPv6
connectivity (in order to be dual stacked, no more).

I'm picky, and will not accept long and unabbreviatable addresses
(especially when I'm already paying for a unique and short 32-bit
IPv4 address).  Having my street address, apartment and phone numbers
appearing in a public whois is also hardly a pleasantry.

But for all I care (and I'm not a network engineer), I just need a
single IPv6 address or two; an abbreviatable /124 is all I'd need;
but, then, why not just issue a /48, since that's manageable and
easier anyways?

C.



Re: Why do some providers require IPv6 /64 PA space to have public whois?

2012-12-10 Thread Randy Bush
 You don't SWIP each residential customer with IPv4.

you don't swip anybody.  some folk swip each residential customer.

randy



Re: Why do some providers require IPv6 /64 PA space to have public whois?

2012-12-10 Thread Doug Barton

On 12/10/2012 03:14 PM, Owen DeLong wrote:


On Dec 10, 2012, at 2:04 PM, Doug Barton do...@dougbarton.us
wrote:


On 12/10/2012 01:27 PM, Schiller, Heather A wrote:

I think most folks would agree that, IPv4 /32 :: IPv6 /128 as
IPv4 /29 :: IPv6 /64


Quite the opposite in fact. In IPv6 a /64 is roughly equivalent to
a /32 in IPv4. As in, it's the smallest possible assignment that
will allow an end-user host to function under normal
circumstances.


No, you could be assigned a /128 and have it function for a single
host.


You saw how I very carefully phrased my statement to try to avoid this 
kind of ratholing, right? :)



However, let's not start doing that as it's pretty brain-dead
and the reality is that hardly anyone has a single host any more.

Heather has the corollaries correct.


You're entitled to your opinion of course, just don't be surprised when 
people disagree with you.



SWIP or rwhois for a /64 seems excessive to me, FWIW.


I'm not sure I disagree, but, I certainly don't feel strongly enough
about it to submit a policy proposal. I will say that you are far
more likely to get this changed by submitting a policy proposal than
you are by complaining to NANOG about it.


I certainly don't care enough about it to do that, I was just voicing an 
opinion.


Doug (personally I'd be happy just to have native IPv6 available)