Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Roland Dobbins

On Jul 1, 2014, at 7:03 AM, Skeeve Stevens wrote:

> Roland, what methods are the easiest/cheapest way to deal with this?  

Ensure you have visibility into your traffic southbound of the NAT - flow 
telemetry generally works best for this, and there are plenty of open-source 
solutions around which allow folks to get up and running quickly.

Then deploy either S/RTBH or flowspec on the aggregation routers southbound of 
the NAT.  This makes it easy to squelch compromised/abusive hosts.

It might also be worth considering sticking some Web proxies (transparent ones 
clustered via WCCPv2, if available) southbound of the NAT, as well; while the 
bandwidth savings may be a wash due to dynamic content, SSL, etc. (all highly 
variable based upon user behavior), TCP sessions for Web requests from hosts 
southbound of the NAT will terminate on the proxies, which provide a good point 
to perform filtering on an as-needed basis.

--
Roland Dobbins  // 

   Equo ne credite, Teucri.

  -- Laocoön
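
Added example, not code from the thread or from any collector or router vendor: the kind of check the flow telemetry above feeds, run over constructed NetFlow-style records for three subscriber hosts southbound of the NAT. It profiles each source by new-flow rate, share of SYN-only (embryonic) flows and destination fan-out, flags the hosts that would fill the NAT's state table, and emits the /32 host routes an S/RTBH trigger or flowspec rule would then act on. The record layout and the thresholds are assumptions to be tuned against a real traffic baseline.

```python
"""Spotting subscriber hosts that will chew up a CGN's state table, from flow
telemetry collected southbound (subscriber side) of the NAT.

Added example; not code from the thread or from any collector/router vendor.
The flow records are constructed sample data in a NetFlow-like shape, and the
thresholds are assumptions that would be tuned against a real traffic baseline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # subscriber (pre-NAT) address
    dst: str        # destination on the far side of the NAT
    dport: int
    proto: str      # "tcp" or "udp"
    packets: int
    tcp_flags: str  # cumulative flags seen in the flow, "" for UDP


def build_sample_flows():
    """Constructed 60-second export: one normal subscriber, two abusive ones."""
    flows = []
    # Normal subscriber: a few dozen connections to a handful of sites, mostly
    # completing the handshake (SYN, PSH and ACK all seen).
    for i in range(40):
        flags = "S" if i < 5 else "SPA"
        flows.append(Flow("100.64.0.10", f"198.51.100.{i % 4 + 1}", 443, "tcp", 20, flags))
    # Botted host SYN-flooding one victim: thousands of single-packet,
    # SYN-only flows, each of which costs the NAT a state-table entry.
    for _ in range(6000):
        flows.append(Flow("100.64.0.20", "192.0.2.7", 80, "tcp", 1, "S"))
    # Scanning host: one SYN to each of 1500 distinct destinations.
    for i in range(1500):
        flows.append(Flow("100.64.0.30", f"198.18.{i // 254}.{i % 254 + 1}", 22, "tcp", 1, "S"))
    return flows


def profile_hosts(flows, window_seconds):
    """Per source address: new-flow rate, share of SYN-only flows, fan-out."""
    raw = defaultdict(lambda: {"flows": 0, "syn_only": 0, "dsts": set()})
    for f in flows:
        entry = raw[f.src]
        entry["flows"] += 1
        entry["dsts"].add(f.dst)
        if f.proto == "tcp" and f.tcp_flags == "S":   # embryonic: SYN, never an ACK
            entry["syn_only"] += 1
    return {
        src: {
            "flows": e["flows"],
            "new_flows_per_sec": e["flows"] / window_seconds,
            "syn_only_ratio": e["syn_only"] / e["flows"],
            "distinct_dsts": len(e["dsts"]),
        }
        for src, e in raw.items()
    }


def find_state_table_abusers(flows, window_seconds=60, min_flows=100,
                             max_new_flows_per_sec=50.0, max_syn_only_ratio=0.8,
                             max_distinct_dsts=500):
    """Return {src: [reasons]} for hosts exceeding any of the assumed thresholds."""
    abusers = {}
    for src, p in profile_hosts(flows, window_seconds).items():
        if p["flows"] < min_flows:          # too little traffic to judge
            continue
        reasons = []
        if p["new_flows_per_sec"] > max_new_flows_per_sec:
            reasons.append("flow-rate")
        if p["syn_only_ratio"] > max_syn_only_ratio:
            reasons.append("syn-only")
        if p["distinct_dsts"] > max_distinct_dsts:
            reasons.append("fan-out")
        if reasons:
            abusers[src] = reasons
    return abusers


def rtbh_host_routes(abusers):
    """/32 routes to hand to the S/RTBH trigger router (or a flowspec rule
    generator); the trigger mechanism itself is outside this example."""
    return sorted(f"{src}/32" for src in abusers)


if __name__ == "__main__":
    found = find_state_table_abusers(build_sample_flows())
    for src, why in found.items():
        print(f"{src}: {', '.join(why)}")
    print("blackhole candidates:", rtbh_host_routes(found))
```

Running it reports 100.64.0.20 (flow-rate, syn-only) and 100.64.0.30 (syn-only, fan-out) as blackhole candidates; the normal subscriber never reaches the minimum flow count and is not scored at all, which is the property you want before anything is wired to an automatic trigger.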



Re: Erroneous Leap Second Introduced at 2014-06-30 23:59:59 UTC

2014-06-30 Thread Majdi S. Abbas
On Mon, Jun 30, 2014 at 05:33:52PM -0700, Tim Heckman wrote:
> I just was alerted to one of the systems I managed having a time skew
> greater than 100ms from NTP sources. Upon further investigation it
> seemed that the time was off by almost exactly 1 second.
> 
> Looking back over our NTP monitoring, it would appear that this system
> had a large time adjust at approximately 00:00 UTC:

Okay.  Do you have any logging configured (peerstats, etc?) for
ntpd?

> A few of our systems did alert early this morning, indicating they
> were going to be receiving a leap second today. However, I was unable
> to determine the exact cause for NTP believing a leap second should be
> added. And after some time a few of the systems were no longer
> indicating that a leap second would be introduced.

This can happen if a server is either passing along a leap
notification that it received, or is configured to use a leapseconds
file that is incorrect.

> This specific system is hosted in AWS US-WEST-2C and uses the
> 0.amazon.pool.ntp.org pool.

0 is just one server in the pool (whichever you draw by 
rotation); is this the only server you have configured?

--msa
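
Added example, not code from the thread or from the ntp project: a check of the second cause Majdi names, a wrong leapseconds file. It parses the IERS/NIST leap-seconds.list format that ntpd reads through its leapfile directive and answers the questions an operator would ask on a day like 2014-06-30: is the file expired, what TAI-UTC offset does it put in effect, and does it actually schedule a leap second at the end of the current month (the event the leap-indicator bits announce)? The inline file and its expiry date are constructed values in the real format, not the real file.

```python
"""Sanity-checking the leap-seconds file an ntpd instance is pointed at.

Added example, not code from the thread or from the ntp project. It reads the
IERS/NIST leap-seconds.list format ntpd consumes via its 'leapfile' directive:
'#' lines are comments, '#$' is the last-update time, '#@' the expiry time, and
data lines are '<NTP seconds since 1900-01-01 UTC> <TAI-UTC offset>'. The file
below is a constructed, abbreviated sample in that format, not the real file.
"""
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

# Constructed sample: three entries and an expiry of 28 Dec 2015.
SAMPLE_LEAP_FILE = """\
#   constructed sample in leap-seconds.list format (abbreviated)
#$  3645216000
#@  3660249600
2272060800  10  # 1 Jan 1972
3550089600  35  # 1 Jul 2012
3644697600  36  # 1 Jul 2015
"""


def ntp_to_datetime(ntp_seconds):
    """NTP timestamps count seconds from 1900-01-01, not the Unix epoch."""
    return NTP_EPOCH + timedelta(seconds=int(ntp_seconds))


def parse_leap_file(text):
    """Return (expiry, [(effective_from, tai_minus_utc), ...]) sorted by time."""
    expiry, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#@"):
            expiry = ntp_to_datetime(line[2:].split()[0])
        elif line.startswith("#"):
            continue
        else:
            fields = line.split()
            entries.append((ntp_to_datetime(fields[0]), int(fields[1])))
    if expiry is None:
        raise ValueError("leap file has no '#@' expiry line")
    if not entries:
        raise ValueError("leap file has no leap entries")
    return expiry, sorted(entries)


def _utc(now):
    if now.tzinfo is None:
        raise ValueError("pass a timezone-aware datetime")
    return now.astimezone(timezone.utc)


def is_expired(text, now):
    """ntpd ignores an expired file; an operator should treat it as stale."""
    expiry, _ = parse_leap_file(text)
    return _utc(now) >= expiry


def tai_minus_utc(text, now):
    """TAI-UTC offset in effect at 'now' according to the file."""
    _, entries = parse_leap_file(text)
    now = _utc(now)
    offset = None
    for effective_from, value in entries:
        if effective_from <= now:
            offset = value
    if offset is None:
        raise ValueError("date precedes the first entry in the file")
    return offset


def leap_pending(text, now):
    """True if the file schedules a leap second at the end of the current UTC
    month, which is the event ntpd's leap-indicator bits would announce."""
    _, entries = parse_leap_file(text)
    now = _utc(now)
    year, month = (now.year + 1, 1) if now.month == 12 else (now.year, now.month + 1)
    next_month = datetime(year, month, 1, tzinfo=timezone.utc)
    return any(effective_from == next_month for effective_from, _ in entries)


if __name__ == "__main__":
    when = datetime(2014, 6, 30, 12, 0, tzinfo=timezone.utc)
    print("expired:", is_expired(SAMPLE_LEAP_FILE, when))
    print("TAI-UTC:", tai_minus_utc(SAMPLE_LEAP_FILE, when))
    print("leap at end of month:", leap_pending(SAMPLE_LEAP_FILE, when))
```

Against this file, 2014-06-30 yields no pending leap and an offset of 35, so a server announcing one that day is either relaying a bogus upstream notification or reading a different, wrong file; a year later the same check returns True for the genuine 2015-07-01 insertion.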


Erroneous Leap Second Introduced at 2014-06-30 23:59:59 UTC

2014-06-30 Thread Tim Heckman
Hey Everyone,

I just was alerted to one of the systems I managed having a time skew
greater than 100ms from NTP sources. Upon further investigation it
seemed that the time was off by almost exactly 1 second.

Looking back over our NTP monitoring, it would appear that this system
had a large time adjust at approximately 00:00 UTC:

- http://puu.sh/9Rs6O/a514ad7c97.png (times are in Pacific in these
graphs, sorry about that)

A few of our systems did alert early this morning, indicating they
were going to be receiving a leap second today. However, I was unable
to determine the exact cause for NTP believing a leap second should be
added. And after some time a few of the systems were no longer
indicating that a leap second would be introduced.

This specific system is hosted in AWS US-WEST-2C and uses the
0.amazon.pool.ntp.org pool.

Has anyone else seen any erroneous leap seconds being added to their system?

Cheers!
-Tim Heckman


Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Owen DeLong
Greenfield or not, unless you can expect that 100% of the users have never
had internet access anywhere else before, you may be up against expectations
you are not meeting with NAT444.

Owen

On Jun 30, 2014, at 17:28 , Skeeve Stevens wrote:

> Great advice Stepan.
> 
> Re user support.  It is a greenfield environment so we're in the position
> to say 'this is how it is and what you get'.
> 
> Re usage profile. No idea what to expect from users as there is nothing to
> measure.  I've actually not designed a NAT444 solution for residential
> profiles before so never had to worry about what they did.
> 
> 
> 
> ...Skeeve
> 
> *Skeeve Stevens - *eintellego Networks Pty Ltd
> ske...@eintellegonetworks.com ; www.eintellegonetworks.com
> 
> Phone: 1300 239 038; Cell +61 (0)414 753 383 ; skype://skeeve
> 
> facebook.com/eintellegonetworks ;  
> linkedin.com/in/skeeve
> 
> experts360: https://expert360.com/profile/d54a9
> 
> twitter.com/theispguy ; blog: www.theispguy.com
> 
> 
> The Experts Who The Experts Call
> Juniper - Cisco - Cloud - Consulting - IPv4 Brokering
> 
> 
> On Mon, Jun 30, 2014 at 10:06 PM, Stepan Kucherenko wrote:
> 
>> On 30.06.2014 14:12, Roland Dobbins wrote:
>>> I've seen huge problems from compromised machines completely killing
>>> NATs from the southbound side.
>> 
>> It depends on CGN solution used. Some of them will just block new
>> translations for that user after reaching the limit, and that's it.
>> 
>> 
>> On 30.06.2014 09:59, Skeeve Stevens wrote:
>>> I am after a LSN/CGN/NAT444 solution to put about 1000 Residential
>>> profile NBN speeds (fastest 100/40) services behind.
>> 
>>> I am looking at a Cisco ASR1001/2, pfSense and am willing to consider
>>> other options, including open source. Obviously the cheaper the
>>> better.
>> 
>> ASR1k NAT is known to be problematic (nat overload specifically); I don't
>> know if they fixed it yet. I recommend checking this with the vendor first.
>> 
>> New Juniper MS-MIC/MS-MPC multiservices cards can be used but
>> feature-parity with MS-DPC isn't there yet. For example, you can have a
>> working CGN with most bells and whistles, but you can't use IDS. You can
>> (probably) use deterministic nat with max ports/sessions per user, but
>> sometimes it's not enough. Again, ask the vendor for
>> details/roadmaps/solutions.
>> 
>> Both those options aren't really cheap though.
>> 
>> Cheaper would be something like Mikrotik but I wouldn't touch that sh*t
>> with a ten-foot pole. It might work but you'll pay for that with your
>> sanity and sleep hours.
>> 
>> Speaking of cheap and open-source, I know several relatively large
>> implementations using Linux boxes. One Linux NAT box can chew on at
>> least 1Gb/s of traffic, or even more with a careful selection of
>> hardware and even more careful tuning, and you can load-balance between
>> them, but it's much more effort and it isn't robust enough (which is the
>> reason why they all migrate to better solutions later).
>> 
>> 
>> BTW, I agree that you should speak in PPS and bandwidth instead of
>> number of users, those are much better as a metric.
>> 
>> 
>>> This solution is for v4 only, and needs to consider the profile of the
>>> typical residential users.  Any pitfalls would be helpful to know -
>>> as in what will and, more importantly, won't work - or any
>>> work-arounds which may work.
>> 
>> Try to pair a user IP with a public IP; that way you'll work around most
>> websites/games/applications expecting a user's publicly visible IP to be the
>> same for all connections.
>> 
>> Start with a selected few active customers and check how many connections
>> they use with different NAT settings. Double/triple that. Then do the
>> math of how many ports/IPs you need per X users; don't just guess it.
>> Then try to limit it and see if anything breaks.
>> 
>> By working with them you can also work around some of the problems you
>> didn't think about before. Seriously. Fix it before you roll it out.
>> 
>> What anyone implementing CGN should expect is complaints from users for
>> any number of reasons, like their IPSEC or L2TP tunnel stopped working,
>> or some application behaves strangely and so on. Prepare your
>> techsupport for that.
>> 
>>> This solution is not designed to be long lasting (maybe 6-9
>>> months)... it is to get the solution going for up to 1000 users, and
>>> once it reaches that point then funds will be freed up to roll out a
>>> more robust, carrier-grade and long term solution (which will include
>>> v6). So no criticism on not doing v6 straight up please.
>> 
>> Heh. Nothing lasts longer than temporary solutions. You should implement
>> it like you're going to live with it for years (probably true) or you'll
>> create yourself a huge PITA very soon.
>> 
>> 
>> 
>> 



Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Owen DeLong
With enough horsepower, iptables+Linux is adequate for this, depending on your
requirements.

I would want to put as little money as possible behind CGN in favor of moving as
much as possible towards IPv6 instead.

Owen

On Jun 29, 2014, at 22:59 , Skeeve Stevens wrote:

> Hi all,
> 
> I am sure this is something that a reasonable number of people would have
> done on this list.
> 
> I am after a LSN/CGN/NAT444 solution to put about 1000 Residential profile
> NBN speeds (fastest 100/40) services behind.
> 
> I am looking at a Cisco ASR1001/2, pfSense and am willing to consider other
> options, including open source. Obviously the cheaper the better.
> 
> This solution is for v4 only, and needs to consider the profile of the
> typical residential users.  Any pitfalls would be helpful to know - as in
> what will and, more importantly, won't work - or any work-arounds which
> may work.
> 
> This solution is not designed to be long lasting (maybe 6-9 months)... it
> is to get the solution going for up to 1000 users, and once it reaches that
> point then funds will be freed up to roll out a more robust, carrier-grade
> and long term solution (which will include v6). So no criticism on not
> doing v6 straight up please.
> 
> Happy for feedback off-list of any solutions that people have found work
> well...
> 
> Note, I am in Australia so any vendors which aren't easily accessible down
> here, won't be useful.
> 
> 
> ...Skeeve
> 



Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Skeeve Stevens
Great advice Stepan.

Re user support.  It is a greenfield environment so we're in the position
to say 'this is how it is and what you get'.

Re usage profile. No idea what to expect from users as there is nothing to
measure.  I've actually not designed a NAT444 solution for residential
profiles before so never had to worry about what they did.



...Skeeve



On Mon, Jun 30, 2014 at 10:06 PM, Stepan Kucherenko wrote:

> On 30.06.2014 14:12, Roland Dobbins wrote:
> > I've seen huge problems from compromised machines completely killing
> > NATs from the southbound side.
>
> It depends on CGN solution used. Some of them will just block new
> translations for that user after reaching the limit, and that's it.
>
>
> On 30.06.2014 09:59, Skeeve Stevens wrote:
> > I am after a LSN/CGN/NAT444 solution to put about 1000 Residential
> > profile NBN speeds (fastest 100/40) services behind.
>
> > I am looking at a Cisco ASR1001/2, pfSense and am willing to consider
> > other options, including open source. Obviously the cheaper the
> > better.
>
> ASR1k NAT is known to be problematic (nat overload specifically); I don't
> know if they fixed it yet. I recommend checking this with the vendor first.
>
> New Juniper MS-MIC/MS-MPC multiservices cards can be used but
> feature-parity with MS-DPC isn't there yet. For example, you can have a
> working CGN with most bells and whistles, but you can't use IDS. You can
> (probably) use deterministic nat with max ports/sessions per user, but
> sometimes it's not enough. Again, ask the vendor for
> details/roadmaps/solutions.
>
> Both those options aren't really cheap though.
>
> Cheaper would be something like Mikrotik but I wouldn't touch that sh*t
> with a ten-foot pole. It might work but you'll pay for that with your
> sanity and sleep hours.
>
> Speaking of cheap and open-source, I know several relatively large
> implementations using Linux boxes. One Linux NAT box can chew on at
> least 1Gb/s of traffic, or even more with a careful selection of
> hardware and even more careful tuning, and you can load-balance between
> them, but it's much more effort and it isn't robust enough (which is the
> reason why they all migrate to better solutions later).
>
>
> BTW, I agree that you should speak in PPS and bandwidth instead of
> number of users, those are much better as a metric.
>
>
> > This solution is for v4 only, and needs to consider the profile of the
> > typical residential users.  Any pitfalls would be helpful to know -
> > as in what will and, more importantly, won't work - or any
> > work-arounds which may work.
>
> Try to pair a user IP with a public IP; that way you'll work around most
> websites/games/applications expecting a user's publicly visible IP to be the
> same for all connections.
>
> Start with a selected few active customers and check how many connections
> they use with different NAT settings. Double/triple that. Then do the
> math of how many ports/IPs you need per X users; don't just guess it.
> Then try to limit it and see if anything breaks.
>
> By working with them you can also work around some of the problems you
> didn't think about before. Seriously. Fix it before you roll it out.
>
> What anyone implementing CGN should expect is complaints from users for
> any number of reasons, like their IPSEC or L2TP tunnel stopped working,
> or some application behaves strangely and so on. Prepare your
> techsupport for that.
>
> > This solution is not designed to be long lasting (maybe 6-9
> > months)... it is to get the solution going for up to 1000 users, and
> > once it reaches that point then funds will be freed up to roll out a
> > more robust, carrier-grade and long term solution (which will include
> > v6). So no criticism on not doing v6 straight up please.
>
> Heh. Nothing lasts longer than temporary solutions. You should implement
> it like you're going to live with it for years (probably true) or you'll
> create yourself a huge PITA very soon.
>
>
>
>
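
Added example, not code from the thread or from any CGN vendor: the sizing procedure Stepan gives above (measure peak sessions per customer, double or triple it, then work out ports and public IPs per X users) carried through as arithmetic, together with his advice to pair each user with a single public IP, done here as deterministic NAT with fixed power-of-two port blocks. The measured session count, the 100.64.0.0/22 subscriber range, the 203.0.113.0/26 pool and the block scheme are constructed assumptions, not any vendor's implementation.

```python
"""Turning the measure-then-size advice into arithmetic, plus the 'pair each
user with one public IP' mapping (deterministic NAT with fixed port blocks).

Added example; not code from the thread or from any CGN vendor. The measured
session counts, prefixes and block scheme (contiguous power-of-two port blocks,
one public IP per subscriber) are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass

FIRST_NAT_PORT = 1024                    # leave the well-known ports alone
USABLE_PORTS_PER_IP = 65535 - FIRST_NAT_PORT + 1


@dataclass(frozen=True)
class PortBudget:
    ports_per_subscriber: int       # block size each subscriber is allotted
    subscribers_per_public_ip: int
    public_ips_needed: int


def size_port_budget(measured_peak_sessions, safety_factor, subscribers):
    """Measured peak concurrent sessions per subscriber, times a 2x/3x safety
    factor, rounded up to a power-of-two block; then public IPs for N users."""
    if measured_peak_sessions < 1 or safety_factor < 1 or subscribers < 1:
        raise ValueError("inputs must be positive")
    needed = measured_peak_sessions * safety_factor
    block = 1
    while block < needed:
        block *= 2
    per_ip = USABLE_PORTS_PER_IP // block
    if per_ip == 0:
        raise ValueError("one subscriber would need more ports than one public IP has")
    ips = -(-subscribers // per_ip)     # ceiling division
    return PortBudget(block, per_ip, ips)


def deterministic_mapping(subscriber_prefix, public_pool, ports_per_subscriber):
    """Map every subscriber address to exactly one public IP and a fixed,
    non-overlapping port block. Returns {subscriber: (public_ip, lo, hi)}.

    Because the mapping is a pure function of the subscriber address, an abuse
    report carrying (public IP, port, time) resolves to a subscriber without
    per-session logging."""
    subscribers = list(ipaddress.ip_network(subscriber_prefix).hosts())
    publics = list(ipaddress.ip_network(public_pool))   # NAT pools use every address
    per_ip = USABLE_PORTS_PER_IP // ports_per_subscriber
    if per_ip == 0:
        raise ValueError("port block larger than one public IP")
    if len(subscribers) > per_ip * len(publics):
        raise ValueError(
            f"pool {public_pool} fits {per_ip * len(publics)} subscribers, "
            f"{subscriber_prefix} has {len(subscribers)}")
    mapping = {}
    for idx, sub in enumerate(subscribers):
        public_ip = publics[idx // per_ip]
        lo = FIRST_NAT_PORT + (idx % per_ip) * ports_per_subscriber
        mapping[str(sub)] = (str(public_ip), lo, lo + ports_per_subscriber - 1)
    return mapping


def blocks_are_disjoint(mapping):
    """Check that no two subscribers' port blocks overlap on the same public IP."""
    by_ip = {}
    for public_ip, lo, hi in mapping.values():
        by_ip.setdefault(public_ip, []).append((lo, hi))
    for ranges in by_ip.values():
        ranges.sort()
        for (_, prev_hi), (lo, _) in zip(ranges, ranges[1:]):
            if lo <= prev_hi:
                return False
    return True


if __name__ == "__main__":
    budget = size_port_budget(measured_peak_sessions=600, safety_factor=3, subscribers=1000)
    print(budget)
    table = deterministic_mapping("100.64.0.0/22", "203.0.113.0/26",
                                  budget.ports_per_subscriber)
    print("100.64.0.32 ->", table["100.64.0.32"], "disjoint:", blocks_are_disjoint(table))
```

With a measured peak of 600 sessions tripled, each subscriber gets a 2048-port block, 31 subscribers share one public IP and 1000 subscribers need 33 addresses; the mapping then puts 100.64.0.32 on 203.0.113.1 ports 1024-3071, and blocks_are_disjoint confirms no two subscribers can collide on a (public IP, port) pair. The cost of the fixed block is visible in the numbers too: a subscriber who genuinely needs more than 2048 concurrent sessions is cut off rather than borrowing from a neighbour, which is the "then try to limit it and see if anything breaks" step.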


Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Skeeve Stevens
Hi Valdis,

Re 1.. completely understand.  The environment is such that we will openly
state what does and doesn't work.  It is a captive environment and the
users don't have a choice who they use.  Think large university dorm (about
600) for part of the customer base.

Re 2.. The larger design is already approved and budgeted for... this is a
proof-of-concept cheap solution to see if the uptake happens as expected.
I agree with you that we should just build it the right way the first
time, but the people paying want to do it this way.  And in the end, I am
just the designer; if they leave it in place, it is not really my concern,
they have my advice.


...Skeeve



On Mon, Jun 30, 2014 at 11:40 PM,  wrote:

> On Mon, 30 Jun 2014 15:59:47 +1000, Skeeve Stevens said:
>
> > I am after a LSN/CGN/NAT444 solution to put about 1000 Residential profile
> > NBN speeds (fastest 100/40) services behind.
>
> > This solution is for v4 only, and needs to consider the profile of the
> > typical residential users.  Any pitfalls would be helpful to know - as in
> > what will and, more importantly, won't work - or any work-arounds which
> > may work.
>
> Pitfall 1:  Make sure you have enough support desk to handle calls from
> everybody who's doing something that doesn't play nice with CGN/NAT444.
> And remember that unless "screw you, find another provider" is an acceptable
> response to a customer, those calls are going to be major resource sinks to
> resolve to the customer's satisfaction...
>
> Pitfall 2: These sort of short-term solutions often end up still in
> use well after their sell-by date.  If you're planning to deploy a
> new solution in 6 months, maybe throwing resources at a short-term fix
> is counterproductive and the resources should go towards making the current
> solution hold together and deploying the long-term solution...
>


Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Skeeve Stevens
Roland, what methods are the easiest/cheapest way to deal with this?


...Skeeve



On Mon, Jun 30, 2014 at 8:12 PM, Roland Dobbins  wrote:

>
> On Jun 30, 2014, at 4:53 PM, Tony Wicks  wrote:
>
> > From experience (we ran out of IPv4 a long time ago in the APNIC region)
> > this is not needed,
>
> I've seen huge problems from compromised machines completely killing NATs
> from the southbound side.
>
> > what is needed however is session timeouts.
>
> This can help, but it isn't a solution to the botted/abusive machine
> problem.  They'll just keep right on pumping out packets and establishing
> new sessions, 'crowding out' legitimate users and filling up the
> state-table, maxing the CPU.  Embryonic connection limits and all that
> stuff aren't enough, either.
>
>
>


Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Skeeve Stevens
Roland, as always you remind me of the important things to remember.


...Skeeve



On Mon, Jun 30, 2014 at 5:48 PM, Roland Dobbins  wrote:

>
> On Jun 30, 2014, at 1:37 PM, Robert Drake  wrote:
>
> > Total PPS or bandwidth is the number you need rather than number of
> > customers.
>
> Also, be sure you have S/RTBH or some other mechanism southbound of the
> NAT for dealing with compromised/abusive hosts which can chew up the
> state-table with SYN-floods and the like.
>
>
>


Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Skeeve Stevens
Hi Rob,

Interesting insights.  I hadn't thought of an older 6500/7600... certainly
might be worth considering if I want to stay Cisco.

Yes, PPS is the key, but I thought someone might have some comments on the
metrics/pps I'd expect with that kind of user profile and speeds.

It doesn't need to not have v6, I'm just not using it at the moment.

The timeframes are my numbers based on the proof of concept for the larger
business model/design - which is modular as such.


...Skeeve



On Mon, Jun 30, 2014 at 4:37 PM, Robert Drake  wrote:

>
> On 6/30/2014 1:59 AM, Skeeve Stevens wrote:
>
>> Hi all,
>>
>> I am sure this is something that a reasonable number of people would have
>> done on this list.
>>
>> I am after a LSN/CGN/NAT444 solution to put about 1000 Residential profile
>> NBN speeds (fastest 100/40) services behind.
>>
>> I am looking at a Cisco ASR1001/2, pfSense and am willing to consider other
>> options, including open source. Obviously the cheaper the better.
>>
>
> Total PPS or bandwidth is the number you need rather than number of
> customers.  Assuming 1Gbps aggregation then almost anything will work for
> your requirements and support NAT.  Obviously if you have a large number of
> 100Mbps customers then 1Gbps wouldn't cut it for aggregation.
>
> Based on your looking at the ASR I would guess you're somewhere around
> 1Gbps, maybe 2Gbps.  If you're closer to 1Gbps and want to stay with a 1RU
> solution then I would advise checking out the ASA5512 which is much cheaper
> than an ASR.
>
> If you want to go ultra cheap but scalable to 4Gbps you could use a Cisco
> 6500/sup2/FWSM (all used.. probably totals less than $1000USD, but I don't
> know how much it is in Australia).  That would let you replace parts later
> to move to SUP720/ASASM for around 16Gbps throughput.
>
> FWIW, I doubt you'll find a NAT platform with no IPv6 support, so you can
> start your IPv6 work now if need be.  Older stuff like the FWSM won't
> support things like DS-Lite though, so if you plan to go v6-only in your
> backbone then that's something to think about.
>
>
>> This solution is for v4 only, and needs to consider the profile of the
>> typical residential users.  Any pitfalls would be helpful to know - as in
>> what will and, more importantly, won't work - or any work-arounds which
>> may work.
>>
>> This solution is not designed to be long lasting (maybe 6-9 months)... it
>> is to get the solution going for up to 1000 users, and once it reaches that
>> point then funds will be freed up to roll out a more robust, carrier-grade
>> and long term solution (which will include v6). So no criticism on not
>> doing v6 straight up please.
>>
> Be wary if someone thinks this is going to last 6-9 months.  That's less
> than a funding cycle for a company and longer than an outage. That means
> the boss is pulling the number out of his ass and it could last anywhere
> from 30 days to 10 years depending on any number of factors.
>
>
>
>> Happy for feedback off-list of any solutions that people have found work
>> well...
>>
>> Note, I am in Australia so any vendors which aren't easily accessible down
>> here, won't be useful.
>>
>>
>> ...Skeeve
>>
>>
>>
>


Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Mark Andrews

In message <96782.1404135...@turing-police.cc.vt.edu>, valdis.kletni...@vt.edu 
writes:
> 
> On Mon, 30 Jun 2014 15:59:47 +1000, Skeeve Stevens said:
> 
> > I am after a LSN/CGN/NAT444 solution to put about 1000 Residential profile
> > NBN speeds (fastest 100/40) services behind.
> 
> > This solution is for v4 only, and needs to consider the profile of the
> > typical residential users.  Any pitfalls would be helpful to know - as in
> > what will and, more importantly, won't work - or any work-arounds which
> > may work.
> 
> Pitfall 1:  Make sure you have enough support desk to handle calls from
> everybody who's doing something that doesn't play nice with CGN/NAT444.
> And remember that unless "screw you, find another provider" is an acceptable
> response to a customer, those calls are going to be major resource sinks to
> resolve to the customer's satisfaction...

And this is where the entire industry worldwide is to blame.  CGN,
DS-Lite, NAT64 are designed as end-of-transition products, not
start-of-transition products.  They are designed around getting to a
legacy IPv4 network.  CGN, DS-Lite, and NAT64 all reduce functionality
that is normally available on wired networks.

Just because there was not a fixed date, like 1/1/2000, for when it
would be too late didn't mean that there wasn't a problem coming
or that plain dual stack shouldn't have been ubiquitous before then.

As a consumer I don't want to be forced to lose functionality because
the industry as a whole was too f!@$!#!@ short-sighted to do what
was best for the consumer well enough in advance so that everyone
could sort out the teething issues.  Networks work because *everybody*
can speak the same protocol.  I don't care which transport protocol
I use.  I do care if I can't continue to do something because people
were too slow to react.

> Pitfall 2: These sort of short-term solutions often end up still in
> use well after their sell-by date.  If you're planning to deploy a
> new solution in 6 months, maybe throwing resources at a short-term fix
> is counterproductive and the resources should go towards making the current
> solution hold together and deploying the long-term solution...
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


RE: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Tony Wicks
I run ASR1k6's ESP40/RP2 with 10-15k BNG clients on each running full CGNAT.
Translations peak at about 250k per 10K users. The ESP40 can handle 2M
translations, so there is plenty of room to run them up to 32k users without
having to be concerned (64k in an emergency). I have been running this
configuration for 2+ years in production and never had any issue with
getting anywhere near close to having a performance issue. Now incoming DDoS
attacks are another matter; they are a lot more common and damaging with the
CGNAT as you need to remove the destination IP from your nat pool for the
duration.

If you were doing your CGNAT on an older 72xx or similar CPU based box, well
then all bets are off, I would expect available NAT table resource to be
very easy to exhaust.



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Roland Dobbins
Sent: Monday, 30 June 2014 10:12 p.m.
To: nanog@nanog.org list
Subject: Re: Cheap LSN/CGN/NAT444 Solution


On Jun 30, 2014, at 4:53 PM, Tony Wicks  wrote:

> From experience (we ran out of IPv4 a long time ago in the APNIC region)
this is not needed,

I've seen huge problems from compromised machines completely killing NATs
from the southbound side.

> what is needed however is session timeouts. 

This can help, but it isn't a solution to the botted/abusive machine
problem.  They'll just keep right on pumping out packets and establishing
new sessions, 'crowding out' legitimate users and filling up the
state-table, maxing the CPU.  Embryonic connection limits and all that stuff
aren't enough, either.

--



Re: Comcast Business Internet Options

2014-06-30 Thread rw...@ropeguru.com

I have a cable based business in my residence.

There is no SLA with the standard business class service. However, I 
have typically seen about a 4 hour response time during the week for a 
tech and never any longer than the next day.


As far as install fees and such, the only way to get it waived, as 
others have mentioned, is a 3 year contract. Lower fee for 2 year 
contract and full install fee for 1 year contract. Good deal with the 
Visa Card as I have never heard of that being offered before.


You get the same "up to" BS as residential and if you want static IPs 
with that, be prepared for a required $12.95 equipment rental fee on 
top of the monthly price, static IP price, and tax.


Robert


On Mon, 30 Jun 2014 15:49:50 -0400, Phil Gardner wrote:
> Damn, interesting. Though for my needs, I'm more interested in the
> response time for service than all out speed.
>
> I'd also be surprised if they offer that in my state.
>
> On 06/30/2014 02:37 PM, Will Dean wrote:
>> Phil,
>>
>> Comcast does have a residential fiber tier that leverages their metro
>> ethernet network. https://www.comcast.com/505



Re: Comcast Business Internet Options

2014-06-30 Thread rdrake
On 06/30/2014 03:49 PM, Phil Gardner wrote:
> Damn, interesting. Though for my needs, I'm more interested in the
> response time for service than all out speed.
>
> I'd also be surprised if they offer that in my state.
>
Where are you located?  Usually you can get an okay DSL connection as a
backup and that would be better than most of the SLAs from big
companies*.  Alternatively you could get a wifi or USB LTE dongle for a
secondary connection.  Of course that may not be available in your area,
but I've gotten LTE in surprising places.
 
* The problem with the SLAs being that they won't restore your service
in 3 days, they'll just credit you the full price of your dinky
circuit.  The good news is if your inside wiring is clean then you
probably won't have too many outages on cable.  Ask your neighbors if
their Internet is reliable.





Re: Comcast Business Internet Options

2014-06-30 Thread Phil Gardner
Damn, interesting. Though for my needs, I'm more interested in the 
response time for service than all out speed.


I'd also be surprised if they offer that in my state.


On 06/30/2014 02:37 PM, Will Dean wrote:
> Phil,
>
> Comcast does have a residential fiber tier that leverages their metro
> ethernet network. https://www.comcast.com/505
>
> http://www.speedtest.net/result/3595673618.png
>
> - Will

> Brandon Galbraith wrote, June 30, 2014 at 1:33 PM:
>> I've worked with Comcast Business on <10 installations for clients,
>> and the only time I was able to get installation charge concessions
>> was on a long-term agreement (3 years minimum). This is in an area
>> where they have active competition with an ILEC.
>>
>> brandon
>
> Phil Gardner wrote, June 30, 2014 at 9:45 AM:
>> Hi all -
>>
>> Probably like a lot of people on the list, I depend on my home
>> internet connection for many things including my primary job, and the
>> numerous side projects I work on.
>>
>> I'd really appreciate a connection that would have a shorter
>> response time if something were to go wrong. Unfortunately, I just
>> moved and now I'm out of the service area of my previous provider, who
>> was actually able to compete with Comcast (FTTH). Now I'm stuck with
>> one option.
>>
>> I really don't plan on spending more than a year where I currently am,
>> so I don't want to be locked into a contract for more than a year,
>> especially with Comcast's crap termination fee (75% of the remainder
>> on the contract).
>>
>> I called and talked to a sales rep, who was just a kid, and an
>> arrogant one at that. He knew of the monopoly for a decent internet
>> connection in my area, so I had little bargaining power.
>>
>> The offer he gave me was: minimum 2 year contract, with a $99
>> installation fee, and his "supervisor" "approved" a $300 Visa giftcard
>> if I agreed to this. The other option is a 1 year contract, with a
>> $199 installation fee, with no giftcard. This is for the 50Mbit
>> option, and he didn't seem to care about my counter offer to bump it
>> up to 75Mbit if he waived the install fee.
>>
>> Come on...$199 to plug in a modem. The address already had Comcast
>> before I got there...
>>
>> Is there anyone out there that has ideas about how to waive or lower
>> that installation fee while only having a 1 year contract?




--
_
Phil Gardner
PGP Key ID 0xFECC890C
OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538


Re: Comcast Business Internet Options

2014-06-30 Thread Will Dean

Phil,


Comcast does have a residential fiber tier that leverages their metro 
ethernet network. https://www.comcast.com/505


http://www.speedtest.net/result/3595673618.png

- Will

Brandon Galbraith 
June 30, 2014 at 1:33 PM

I've worked with Comcast Business on <10 installations for clients,
and the only time I was able to get installation charge concessions
was on a long-term agreement (3 years minimum). This is in an area
where they have active competition with an ILEC.

brandon
Phil Gardner 
June 30, 2014 at 9:45 AM
Hi all -

Probably like a lot of people on the list, I depend on my home 
internet connection for many things including my primary job, and the 
numerous side projects I work on.


I'd really appreciate a connection that would have a shorter
response time if something were to go wrong. Unfortunately, I just 
moved and now I'm out of the service area of my previous provider, who 
was actually able to compete with Comcast (FTTH). Now I'm stuck with 
one option.


I really don't plan on spending more than a year where I currently am, 
so I don't want to be locked into a contract for more than a year,
especially with Comcast's crap termination fee (75% of the remainder 
on the contract).


I called and talked to a sales rep, who was just a kid, and an 
arrogant one at that. He knew of the monopoly for a decent internet 
connection in my area, so I had little bargaining power.


The offer he gave me was: minimum 2 year contract, with a $99 
installation fee, and his "supervisor" "approved" a $300 Visa giftcard 
if I agreed to this. The other option is a 1 year contract, with a 
$199 installation fee, with no giftcard. This is for the 50Mbit 
option, and he didn't seem to care about my counter offer to bump it 
up to 75Mbit if he waived the install fee.


Come on...$199 to plug in a modem. The address already had Comcast 
before I got there...


Is there anyone out there that has ideas about how to waive or lower 
that installation fee while only having a 1 year contract?




Re: Comcast Business Internet Options

2014-06-30 Thread Brandon Galbraith
On Mon, Jun 30, 2014 at 8:45 AM, Phil Gardner  wrote:
> Is there anyone out there that has ideas about how to waive or lower that
> installation fee while only having a 1 year contract?

I've worked with Comcast Business on <10 installations for clients,
and the only time I was able to get installation charge concessions
was on a long-term agreement (3 years minimum). This is in an area
where they have active competition with an ILEC.

brandon


Re: Next steps in extortion case - ideas?

2014-06-30 Thread Charles N Wyble
Sue him for slander? 

Contact the US DOJ and request extortion charges be filed? I mean if someone 
was committing a crime against me, I'd certainly be in contact with law 
enforcement to have charges filed and a warrant out for arrest. 

You shouldn't have called him. He has certainly changed his phone number. He 
also now most likely has your personal phone number. 

Contact law enforcement. That's what you should have done instead of calling him.
I'd also consult your attorney. Ironically enough, the person you contacted
could potentially try and turn the tables on you. Did you record the telephone 
conversation? 

On June 28, 2014 9:32:15 AM CDT, Markus  wrote:
>Hi list,
>
>nothing operational here, but there are many smart minds on this list
>and people working for telcos, ISPs and law enforcement agencies, so
>maybe you are willing to give me some advice in the following case:
>
>There's an individual out there on the web that has been blackmailing
>hundreds of people and companies in a specific area of business for
>years. His scheme is: 1. Contact the alleged "debtor" via e-mail and
>inform him about an existing debt claim by a third party. 2. Offer the
>debtor a deadline to pay the debt and warn the debtor if he shouldn't
>pay he'll be prosecuted and his case will be "made public". 3. Once the
>deadline has elapsed, he'll publish completely false information made
>out of thin air on the web, in particular Facebook, Twitter, a blog, a
>website, including pictures of the debtor and serious accusations like
>"This debtor is a child molester" or "This debtor is part of the mafia"
>and other crazy stuff that you can usually only see in movies. All of
>course with real names, company information (if applicable) and
>basically everything he can find out about the debtor. 4. Then, the
>individual hopes that the debtor will be intimidated because the debtor
>is afraid of the false information about him, which will show up on
>Google etc., and will finally pay to get this false information removed
>from the web.
>
>In all cases the published "background information" about the debtors
>is false, made out of thin air, and over the top. Just the names and
>pictures are correct. Intentional slander in order to get the debtor to
>pay. If any of the published information was true, then every 2nd
>debtor would be a child molester and every other debtor part of the mafia.
>
>That individual is hiding his real identity really well, obviously, and
>he knows what he's doing. Domain hosted in Russia, taking good care his
>IP address won't show up in the mail headers, using false names and
>identities, phone numbers registered through some DID provider who
>doesn't collect personal information about the DID owner etc.
>
>I am one of the accused and had lots of false information about myself
>and my company published by him. This is why I started to have an
>interest to track his real identity down. I took 2 days out of my life
>and researched high and low and finally found his personal phone number
>along with a name, a picture of him and several possible addresses (in
>the US).
>
>I cannot be sure that the name, picture and addresses are correct, but
>I called him on his personal phone number and after having spoken with
>him before under his false identity, I can confirm that it's the same
>person (the voice is the same). He was quite surprised to say the least.
>
>In case it matters, according to a LRN lookup the number belongs to
>Omnipoint Communications, which is part of T-Mobile USA, I think.
>
>My idea is to somehow confirm his identity and confirm my research by
>matching the voice of the false identity (available from a message he
>left on my voicemail and also from his voicemail intro) to the real
>person. I'm thinking about hiring a private investigator in the US (I'm
>in Germany) to drive up to the addresses I can provide the PI with and
>find the person that matches the voice / maybe even the picture. The PI
>then must document the outcome in a way that it can be used in court.
>I'm wanting to go the PI route because it will be the fastest way to
>possibly gather evidence, I assume, as opposed to commissioning a
>lawyer who will then in turn contact law enforcement etc.
>
>Unfortunately I do not have the authority to access the personal data
>of the person that pays the monthly bill for the phone number that I
>called him on, otherwise that would be the fastest way I suppose. I spent
>money for some pay-sites that do some reverse phone lookup and stuff like
>that, and although the information was helpful, I cannot be sure that
>it's accurate.
>
>My goal is to confirm his real identity/name and address in order to
>start a lawsuit and have a lawyer, or maybe even law enforcement,
>investigate this case and ultimately, put an end to his slander
>activities, not just for my case but for all hundreds before me and
>those which are to com

Re: Next steps in extortion case - ideas?

2014-06-30 Thread Bill Merriam
On Sat, 28 Jun 2014 16:32:15 +0200
Markus  wrote:

> Hi list,
> 
> nothing operational here, but there are many smart minds on this list 
> and people working for telcos, ISPs and law enforcement agencies, so 
> maybe you are willing to give me some advice in the following case:
> 
> There's an individual out there on the web that has been blackmailing 
> hundreds of people and companies in a specific area of business for 
> years. His scheme is: 1. Contact the alleged "debtor" via e-mail and 
> inform him about an existing debt claim by a third party. 2. Offer
> the debtor a deadline to pay the debt and warn the debtor if he
> shouldn't pay he'll be prosecuted and his case will be "made public".
> 3. Once the deadline has elapsed, he'll publish completely false
> information made out of thin air on the web, in particular Facebook,
> Twitter, a blog, a website, including pictures of the debtor and
> serious accusations like "This debtor is a child molester" or "This
> debtor is part of the mafia" and other crazy stuff that you can
> usually only see in movies. All of course with real names, company
> information (if applicable) and basically everything he can find out
> about the debtor. 4. Then, the individual hopes that the debtor will
> be intimidated because the debtor is afraid of the false information
> about him, which will show up on Google etc., and will finally pay to
> get this false information removed from the web.
> 
> In all cases the published "background information" about the debtors
> is false, made out of thin air, and over the top. Just the names and 
> pictures are correct. Intentional slander in order to get the debtor
> to pay. If any of the published information was true, then every 2nd
> debtor would be a child molester and every other debtor part of the
> mafia.
> 
> That individual is hiding his real identity really well, obviously,
> and he knows what he's doing. Domain hosted in Russia, taking good
> care his IP address won't show up in the mail headers, using false
> names and identities, phone numbers registered through some DID
> provider who doesn't collect personal information about the DID owner
> etc.
> 
> I am one of the accused and had lots of false information about
> myself and my company published by him. This is why I started to have
> an interest to track his real identity down. I took 2 days out of my
> life and researched high and low and finally found his personal phone
> number along with a name, a picture of him and several possible
> addresses (in the US).
> 
> I cannot be sure that the name, picture and addresses are correct,
> but I called him on his personal phone number and after having spoken
> with him before under his false identity, I can confirm that it's the
> same person (the voice is the same). He was quite surprised to say
> the least.
> 
> In case it matters, according to a LRN lookup the number belongs to 
> Omnipoint Communications, which is part of T-Mobile USA, I think.
> 
> My idea is to somehow confirm his identity and confirm my research by 
> matching the voice of the false identity (available from a message he 
> left on my voicemail and also from his voicemail intro) to the real 
> person. I'm thinking about hiring a private investigator in the US
> (I'm in Germany) to drive up to the addresses I can provide the PI
> with and find the person that matches the voice / maybe even the
> picture. The PI then must document the outcome in a way that it can
> be used in court. I'm wanting to go the PI route because it will be
> the fastest way to possibly gather evidence, I assume, as opposed to
> commissioning a lawyer who will then in turn contact law enforcement
> etc.
> 
> Unfortunately I do not have the authority to access the personal data
> of the person that pays the monthly bill for the phone number that I
> called him on, otherwise that would be the fastest way I suppose. I
> spent money for some pay-sites that do some reverse phone lookup and
> stuff like that, and although the information was helpful, I cannot
> be sure that it's accurate.
> 
> My goal is to confirm his real identity/name and address in order to 
> start a lawsuit and have a lawyer, or maybe even law enforcement, 
> investigate this case and ultimately, put an end to his slander 
> activities, not just for my case but for all hundreds before me and 
> those which are to come in the future.
> 
> Do you think the PI route makes sense? Any other recommendations?
> Your feedback in general?
> 
> Thanks and sorry for so much text. :)
> Markus
> 

Try contacting Brian Krebs.

http://krebsonsecurity.com/2014/06/2014-the-year-extortion-went-mainstream/

Also it seems like if you have a industry association you should get
them to notify members and help with a response.

Bill


Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Stepan Kucherenko
On 30.06.2014 14:12, Roland Dobbins wrote:
> I've seen huge problems from compromised machines completely killing
> NATs from the southbound side.

It depends on the CGN solution used. Some of them will just block new
translations for that user after reaching the limit, and that's it.


On 30.06.2014 09:59, Skeeve Stevens wrote:
> I am after a LSN/CGN/NAT444 solution to put about 1000 Residential
> profile NBN speeds (fastest 100/40) services behind.

> I am looking at a Cisco ASR1001/2, pfSense and am willing to consider
> other options, including open source Obviously the cheaper the
> better.

ASR1k NAT is known to be problematic (nat overload specifically), don't
know if they fixed it yet. I recommend checking this with the vendor first.

New Juniper MS-MIC/MS-MPC multiservices cards can be used but
feature-parity with MS-DPC isn't there yet. For example, you can have a
working CGN with most bells and whistles, but you can't use IDS. You can
(probably) use deterministic nat with max ports/sessions per user, but
sometimes it's not enough. Again, ask the vendor for
details/roadmaps/solutions.

Both those options aren't really cheap though.

Cheaper would be something like Mikrotik but I wouldn't touch that sh*t
with a ten-foot pole. It might work but you'll pay for that with your
sanity and sleep hours.

Speaking of cheap and open-source, I know several relatively large
implementations using Linux boxes. One Linux NAT box can chew on at
least 1Gb/s of traffic, or even more with a careful selection of
hardware and even more careful tuning, and you can load-balance between
them, but it's much more effort and it isn't robust enough (which is the
reason why they all migrate to better solutions later).


BTW, I agree that you should speak in PPS and bandwidth instead of
number of users, those are much better as a metric.


> This solution is for v4 only, and needs to consider the profile of the
> typical residential users.  Any pitfalls would be helpful to know -
> as in what will and, more importantly, won't work - or any
> work-arounds which may work.

Try to pair a user IP with a public IP, that way you'll work around most
websites/games/applications expecting publicly visible user IP to be the
same for all connections.

Start with a selected few active customers, check how many connections
they use with different NAT settings. Double/triple that. Then do the
math of how many ports/IPs you need per X users, don't just guess it.
Then try to limit it and see if anything breaks.

By working with them you can also work around some of the problems you
didn't think about before. Seriously. Fix it before you roll it out.

What anyone implementing CGN should expect is complaints from users for
any number of reasons, like their IPSEC or L2TP tunnel stopped working,
or some application behaves strangely and so on. Prepare your
techsupport for that.

> This solution is not designed to be long lasting (maybe 6-9
> months)... it is to get the solution going for up to 1000 users, and
> once it reaches that point then funds will be freed up to roll out a
> more robust, carrier-grade and long term solution (which will include
> v6). So no criticism on not doing v6 straight up please.

Heh. Nothing lasts longer than temporary solutions. You should implement
it like you're going to live with it for years (probably true) or you'll
create yourself a huge PITA very soon.
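The port-budget arithmetic from the procedure above as a worked example (added here, not code from the thread; the subscriber peaks, the 1024-65535 port range, the 64-port block granularity and the one-block-per-subscriber pairing are constructed assumptions):

```python
"""CGN port budget from measured subscriber peaks.

Added example, not code from the NANOG thread. It follows the procedure
above: measure peak concurrent translations for a few active subscribers,
double or triple that, then compute how many ports and public IPs N
subscribers need instead of guessing, and see who would hit the limit.
Every number below is a constructed assumption.
"""
import math
from dataclasses import dataclass

# Constructed sample: peak concurrent translations seen per trial subscriber.
SAMPLE_PEAKS = {
    "sub-001": 310, "sub-002": 1450, "sub-003": 220, "sub-004": 890,
    "sub-005": 2700, "sub-006": 140, "sub-007": 520, "sub-008": 1100,
}

# Assumed CGN behaviour: ports 1024-65535 of each public IP are handed out
# in fixed blocks that are multiples of 64, one block per subscriber, so
# every subscriber stays paired with a single public IP.
USABLE_PORTS_PER_IP = 65535 - 1024 + 1   # 64512
BLOCK_GRANULARITY = 64


@dataclass(frozen=True)
class Plan:
    block_size: int          # ports reserved for each subscriber
    subscribers_per_ip: int  # how many blocks fit in one public IP
    public_ips: int          # pool size for the requested subscriber count
    capped: tuple            # sample subscribers whose peak exceeds the block


def port_block(peaks, headroom=3.0, percentile=1.0):
    """Size the per-subscriber block from measured peaks.

    percentile=1.0 sizes for the heaviest subscriber (nobody is limited);
    a lower percentile accepts capping the top users so that one outlier
    does not dictate the size of the whole public pool.
    """
    values = sorted(peaks.values())
    idx = max(0, min(len(values) - 1, math.ceil(percentile * len(values)) - 1))
    raw = math.ceil(values[idx] * headroom)
    return math.ceil(raw / BLOCK_GRANULARITY) * BLOCK_GRANULARITY


def plan(total_subscribers, peaks, headroom=3.0, percentile=1.0):
    """Turn a block size into a public IP requirement plus the list of
    sample subscribers who would be refused new translations (an RFC 6888
    style per-subscriber limit) at that block size."""
    block = port_block(peaks, headroom, percentile)
    per_ip = USABLE_PORTS_PER_IP // block
    if per_ip == 0:
        raise ValueError("block exceeds one public IP's usable port range")
    ips = math.ceil(total_subscribers / per_ip)
    capped = tuple(s for s, p in peaks.items() if p > block)
    return Plan(block, per_ip, ips, capped)


if __name__ == "__main__":
    for label, kw in (("size for the heaviest user", {}),
                      ("2x headroom on the 75th percentile",
                       {"headroom": 2.0, "percentile": 0.75})):
        p = plan(1000, SAMPLE_PEAKS, **kw)
        print(f"{label}: {p.block_size} ports/subscriber, "
              f"{p.subscribers_per_ip} subscribers/IP, {p.public_ips} public IPs "
              f"for 1000 subscribers, capped: {p.capped or 'none'}")
```

Sizing for the single heaviest trial user costs 143 public IPs for 1000 subscribers, while sizing on the 75th percentile with 2x headroom needs 36 but would cap that one user; the second is the trade-off to test with real customers before rollout.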





Comcast Business Internet Options

2014-06-30 Thread Phil Gardner

Hi all -

Probably like a lot of people on the list, I depend on my home internet 
connection for many things including my primary job, and the numerous 
side projects I work on.


I'd really appreciate a connection that would have a shorter response
time if something were to go wrong. Unfortunately, I just moved and now 
I'm out of the service area of my previous provider, who was actually 
able to compete with Comcast (FTTH). Now I'm stuck with one option.


I really don't plan on spending more than a year where I currently am, 
so I don't want to be locked into a contract for more than a year,
especially with Comcast's crap termination fee (75% of the remainder on 
the contract).


I called and talked to a sales rep, who was just a kid, and an arrogant 
one at that. He knew of the monopoly for a decent internet connection in 
my area, so I had little bargaining power.


The offer he gave me was: minimum 2 year contract, with a $99 
installation fee, and his "supervisor" "approved" a $300 Visa giftcard 
if I agreed to this. The other option is a 1 year contract, with a $199 
installation fee, with no giftcard. This is for the 50Mbit option, and 
he didn't seem to care about my counter offer to bump it up to 75Mbit if 
he waived the install fee.


Come on...$199 to plug in a modem. The address already had Comcast 
before I got there...


Is there anyone out there that has ideas about how to waive or lower 
that installation fee while only having a 1 year contract?


--
_
Phil Gardner
PGP Key ID 0xFECC890C
OTR Fingerprint 6707E9B8 BD6062D3 5010FE8B 36D614E3 D2F80538


Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Valdis . Kletnieks
On Mon, 30 Jun 2014 15:59:47 +1000, Skeeve Stevens said:

> I am after a LSN/CGN/NAT444 solution to put about 1000 Residential profile
> NBN speeds (fastest 100/40) services behind.

> This solution is for v4 only, and needs to consider the profile of the
> typical residential users.  Any pitfalls would be helpful to know - as in
> what will and, more importantly, won't work - or any work-arounds which
> may work.

Pitfall 1:  Make sure you have enough support desk to handle calls from
everybody who's doing something that doesn't play nice with CGN/NAT444.
And remember that unless "screw you, find another provider" is an acceptable
response to a customer, those calls are going to be major resource sinks to
resolve to the customer's satisfaction...

Pitfall 2: These sorts of short-term solutions often end up still in
use well after their sell-by date.  If you're planning to deploy a
new solution in 6 months, maybe throwing resources at a short-term fix
is counterproductive and the resources should go towards making the current
solution hold together and deploying the long-term solution...




Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Roland Dobbins

On Jun 30, 2014, at 8:19 PM, Simon Perreault  wrote:

> Oh, actually I think I get it. You're trying to sell something.

Yes, you've found me out - I'm 'selling' S/RTBH, which is built-in 
functionality of routers and layer-3 switches made by companies which don't 
employ me.



--
Roland Dobbins  // 

   Equo ne credite, Teucri.

  -- Laocoön



Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Simon Perreault

On 2014-06-30 09:05, Roland Dobbins wrote:

> On Jun 30, 2014, at 7:42 PM, Simon Perreault  wrote:
>
>> Why? Cause that (per-subscriber limits on ports and memory) is exactly what we
>> recommend in RFC 6888...
>
> I can't tell you how many times I've received frantic 4AM calls about NATted
> wireless networks going down due to this sort of thing.  It's a real problem.

If you're saying "NAT is bad", then sure, ok, but that's besides the point.

Otherwise, then I don't know what your point is.

Oh, actually I think I get it. You're trying to sell something.

> Also, there are horizontal behaviors which are undesirable, as well.

Yeah, and let's not forget the diagonal ones either.

Simon


Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Roland Dobbins

On Jun 30, 2014, at 7:42 PM, Simon Perreault  wrote:

> Why? Cause that (per-subscriber limits on ports and memory) is exactly what 
> we recommend in RFC 6888...



I can't tell you how many times I've received frantic 4AM calls about NATted 
wireless networks going down due to this sort of thing.  It's a real problem.

Also, there are horizontal behaviors which are undesirable, as well.

--
Roland Dobbins  // 

   Equo ne credite, Teucri.

  -- Laocoön



Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Simon Perreault

On 2014-06-30 06:12, Roland Dobbins wrote:

>> what is needed however is session timeouts.
>
> This can help, but it isn't a solution to the botted/abusive machine problem.
> They'll just keep right on pumping out packets and establishing new sessions,
> 'crowding out' legitimate users and filling up the state-table, maxing the CPU.
> Embryonic connection limits and all that stuff aren't enough, either.


Why? Cause that (per-subscriber limits on ports and memory) is exactly 
what we recommend in RFC 6888...


Simon


Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Roland Dobbins

On Jun 30, 2014, at 4:53 PM, Tony Wicks  wrote:

> From experience (we ran out of IPv4 a long time ago in the APNIC region) this 
> is not needed,

I've seen huge problems from compromised machines completely killing NATs from 
the southbound side.

> what is needed however is session timeouts. 

This can help, but it isn't a solution to the botted/abusive machine problem.  
They'll just keep right on pumping out packets and establishing new sessions, 
'crowding out' legitimate users and filling up the state-table, maxing the CPU. 
 Embryonic connection limits and all that stuff aren't enough, either.

--
Roland Dobbins  // 

   Equo ne credite, Teucri.

  -- Laocoön



RE: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Tony Wicks
From experience (we ran out of IPv4 a long time ago in the APNIC region)
this is not needed, what is needed however is session timeouts. Xbox and
PlayStation are the most sensitive to session timeouts. 

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Roland Dobbins
Sent: Monday, 30 June 2014 7:48 p.m.
To: nanog@nanog.org list
Subject: Re: Cheap LSN/CGN/NAT444 Solution


On Jun 30, 2014, at 1:37 PM, Robert Drake  wrote:

> Total PPS or bandwidth is the number you need rather than number of
> customers.

Also, be sure you have S/RTBH or some other mechanism southbound of the NAT
for dealing with compromised/abusive hosts which can chew up the state-table
with SYN-floods and the like.

--
Roland Dobbins  // 

   Equo ne credite, Teucri.

  -- Laocoön




Re: MACsec SFP

2014-06-30 Thread Saku Ytti
On (2014-06-30 17:21 +0930), Glen Turner wrote:

> What you really want isn’t DHCP-like, but simple AND-mask OR-set register 
> handling. You’d provide your customers with the magic numbers.
> 
> interface …
>  gbic-register [if REGISTER AND-MASK VALUE]… [set REGISTER AND-MASK OR-VALUE]…
>  gbic-register …
> 
> Assuming that the GBIC programming doesn’t change PHY requirements you are 
> done.

It could be a lot more user-friendly with syntactic sugar for strings, IP
addresses etc.
So you'd know you'll push the crypto key string to register N1 and the crypto
integer (implying which algo to use) to register N2, so you'd get something like:

gbic-register N1 string "supahsecret"
gbic-register N2 int 4

Far more user-friendly.

-- 
  ++ytti


Re: MACsec SFP

2014-06-30 Thread Glen Turner

On 30 Jun 2014, at 3:47 pm, Saku Ytti  wrote:

> On (2014-06-30 13:28 +0930), Glen Turner wrote:
> 
>> After the SFF Committee specifies the registers the operating system vendors 
>> or vendors of devices would then add commands to support to toggle the I2C 
>> needed to program those registers with MACsec keys, etc.
> 
> This is what I tried to tackle; this creates a chicken/egg scenario: no one is
> buying the optic, because you can't program it from your router, and you can't
> program it in your router, as no one is using the optic and the vendor won't put
> development hours on it.
> If instead there were a standardized (DHCP option like) system to code an
> arbitrary value to an arbitrary location, you could code the feature without the
> router understanding what it is; after a while, syntactic sugar might be added
> for convenience.

What you really want isn’t DHCP-like, but simple AND-mask OR-set register 
handling. You’d provide your customers with the magic numbers.

interface …
 gbic-register [if REGISTER AND-MASK VALUE]… [set REGISTER AND-MASK OR-VALUE]…
 gbic-register …

Assuming that the GBIC programming doesn’t change PHY requirements you are done.

-- 
 Glen Turner 



Re: Cheap LSN/CGN/NAT444 Solution

2014-06-30 Thread Roland Dobbins

On Jun 30, 2014, at 1:37 PM, Robert Drake  wrote:

> Total PPS or bandwidth is the number you need rather than number of customers.

Also, be sure you have S/RTBH or some other mechanism southbound of the NAT for 
dealing with compromised/abusive hosts which can chew up the state-table with 
SYN-floods and the like.

--
Roland Dobbins  // 

   Equo ne credite, Teucri.

  -- Laocoön
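A defender-side illustration of the flow-telemetry check Roland recommends southbound of the NAT (added example, not code from the thread or any vendor tool; the record layout, the flow lines and the thresholds are constructed assumptions):

```python
"""Flow-telemetry triage for hosts that chew up a CGN state table.

Added example, not code from the NANOG thread or any vendor tool. It
implements the check described above: flow records collected southbound
of the NAT are scored per inside source so that compromised hosts
churning SYN-only sessions can be reviewed and then squelched with
S/RTBH or flowspec. The record layout, the flows and the thresholds
are all constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed flow export. Fields, one record per line:
# epoch_seconds,src,dst,proto,sport,dport,tcp_flags_seen,packets
SAMPLE_FLOWS = """\
1404086400,10.0.0.5,93.184.216.34,6,51000,443,SPA,42
1404086401,10.0.0.5,93.184.216.34,6,51001,443,SPA,17
1404086402,10.0.0.5,198.51.100.7,17,40000,53,,2
1404086405,10.0.0.5,203.0.113.10,6,51002,80,SPAF,31
1404086400,10.0.0.9,203.0.113.1,6,1025,80,S,1
1404086400,10.0.0.9,203.0.113.2,6,1026,80,S,1
1404086400,10.0.0.9,203.0.113.3,6,1027,80,S,1
1404086401,10.0.0.9,203.0.113.4,6,1028,80,S,1
1404086401,10.0.0.9,203.0.113.5,6,1029,80,S,1
1404086401,10.0.0.9,203.0.113.6,6,1030,80,S,1
1404086402,10.0.0.9,203.0.113.7,6,1031,80,S,1
1404086402,10.0.0.9,203.0.113.8,6,1032,80,S,1
1404086403,10.0.0.22,198.51.100.20,6,60000,5060,SPA,900
"""


@dataclass
class SourceStats:
    flows: int = 0                          # new translations this source asked for
    syn_only: int = 0                       # TCP flows with SYN but never an ACK
    dsts: set = field(default_factory=set)  # distinct (dst, dport) pairs


def parse_flows(text):
    """Parse the constructed CSV export into tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, sport, dport, flags, pkts = line.split(",")
        records.append((int(ts), src, dst, int(proto), int(sport),
                        int(dport), flags, int(pkts)))
    return records


def score_sources(records, window_start, window_len=60):
    """Aggregate per inside source over one window of flow records."""
    stats = defaultdict(SourceStats)
    for ts, src, dst, proto, _sport, dport, flags, _pkts in records:
        if not window_start <= ts < window_start + window_len:
            continue
        s = stats[src]
        s.flows += 1
        s.dsts.add((dst, dport))
        if proto == 6 and "S" in flags and "A" not in flags:
            s.syn_only += 1
    return stats


def candidates(stats, max_new_flows=1000, min_flows=5, syn_only_ratio=0.8):
    """Return {src: reason} for hosts an operator should review before
    adding them to the S/RTBH or flowspec list. Thresholds are placeholders;
    real ones come from your own baseline of subscriber behaviour."""
    out = {}
    for src, s in stats.items():
        if s.flows >= max_new_flows:
            out[src] = f"{s.flows} new flows in one window"
        elif s.flows >= min_flows and s.syn_only / s.flows >= syn_only_ratio:
            out[src] = (f"{s.syn_only}/{s.flows} flows are SYN-only, "
                        f"spread over {len(s.dsts)} destinations")
    return out


if __name__ == "__main__":
    stats = score_sources(parse_flows(SAMPLE_FLOWS), window_start=1404086400)
    for src, reason in candidates(stats).items():
        print(f"review {src}: {reason}")
```

The heavy SIP host (10.0.0.22) is not flagged because one large completed flow costs the translation table nothing, while the host with eight SYN-only flows to eight destinations is exactly the session-churn pattern a plain bandwidth counter would miss.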