Re: de-peering for security sake

2015-12-24 Thread Suresh Ramasubramanian
Well, at least she's here rather than sprinkling eggnog and brandy flavoured 
pixie dust on our gear over the Christmas break.

--srs

> On 25-Dec-2015, at 9:08 AM, Owen DeLong  wrote:
> 
> Yes… Isn’t it impressive just how persistent the bad idea fairy can be?
> 
> Owen


Re: de-peering for security sake

2015-12-24 Thread Joel Jaeggli
While you have a great deal of control over what prefixes you choose to 
accept... You have very little control over your advertised prefixes once they 
exit your ASN. Maybe your transits offer communities to control their peer 
advertisements. In general assuming you're paying for the Internet cone, you 
have a vested interest in them propagating everywhere otherwise the party that 
is partitioned is you.

Sent from my iPhone

> On Dec 24, 2015, at 15:44, Colin Johnston  wrote:
> 
> see
> http://map.norsecorp.com
> 
> We really need to ask, if China and Russia for that matter will not take abuse 
> reports seriously, why allow them to network to the internet?
> 
> Colin
> 
> 


de-peering for security sake

2015-12-24 Thread Colin Johnston
see
http://map.norsecorp.com

We really need to ask, if China and Russia for that matter will not take abuse 
reports seriously, why allow them to network to the internet?

Colin



Re: de-peering for security sake

2015-12-24 Thread Valdis . Kletnieks
On Thu, 24 Dec 2015 23:44:10 +, Colin Johnston said:
> We really need to ask, if China and Russia for that matter will not take abuse
> reports seriously, why allow them to network to the internet?

Well, first off, it isn't like China or Russia are just one ASN.  You'd have
to de-peer a bunch of ASNs - and also eliminate any paid transit connections.

Note that even North Korea has managed to land at least a small presence on
the Internet.  Are you going to ban them too?

While we're banning countries, how about the country that's known for
widespread surveillance both foreign and domestic, has one of the strongest
cyber warfare arsenals around, and has been caught multiple times diverting and
backdooring routers sold to foreign countries?

Oh wait, that's the US. Maybe we better rethink this?

Obviously, there's a lot of organizations that think that being able to
communicate with China and Russia outweighs the security issues.  You are
of course welcome to make a list of all Russian and Chinese ASNs and block
their prefixes at your border.




Re: de-peering for security sake

2015-12-24 Thread Stephen Satchell

On 12/24/2015 04:50 PM, Daniel Corbe wrote:
> Let’s just cut off the entirety of the third world instead of having
> a tangible mitigation plan in place.


While you think you are making a snarky response, it would be handy for 
end users to be able to turn on and off access to other countries 
retail.  If *they* don't need access to certain third world countries, 
it would be their decision, not the operator's decision.


For example, here on my little network we have no need for connectivity 
to much of Asia, Africa, or India.  We do have need to talk to Europe, 
Australia, and some countries in South America.




announcement of freerouter

2015-12-24 Thread mate csaba

hi,
pleased to announce a stable release of freerouter.
this is a routing daemon that does packet handling itself
so it can do bridging, routing ipv4/ipv6 unicast/multicast,
mpls, vpls, evpn, mpls te, mldp, segment routing, and so on...
speaks a lot of routing protocols like rip, ospf, isis, eigrp, bgp, babel...
does a lot of tunneling like gre, ipip, ipsec, l2tp, geneve, vxlan, nvgre...
have a lot of built in servers like dns, http(s), smtp, pop3, telnet, 
tacacs, radius, ssh...
it can start external images which could be connected, so various lab 
topologies can be easily created.
our NREN uses it as primary full BGP RR for more than a year for about 
hundred routers.

here is the homepage: http://freerouter.nop.hu/
feel free to try it out and send suggestions/bug reports...:)
thanks in advance,
csaba mate
niif/hungarnet



Re: IPv4 shutdown in mobile

2015-12-24 Thread Mark Tinka


On 22/Dec/15 14:45, Ca By wrote:
>
> At least in mobile, the change to ipv6 has been quick and the pace is
> increasing -- not just on ipv6 deployment but also on ipv4 shutdown. I know
> many people liken ipv6 to "the boy who cried wolf", so be it, the
> data shows the ipv6 wolf is here.  Or perhaps in hindsight, we will see
> the right metaphor was "the tortoise and the hare" or "the little engine
> that could"... Or even better IPv4 is John Henry.  It was the best in its
> time, but times have changed.

Mobile in Africa has done nothing on IPv6. South East Asia was the same
last time I was there (2012).

It would be nice to hear about Europe, the Middle East, Latin America and
Canada as well, if anyone has any stories.

Mark.


Re: de-peering for security sake

2015-12-24 Thread Baldur Norddahl
I am afraid people are already doing this. Every time I bring a new IP
series into production, my users will complain that they are locked out
from sites including many government sites. This is because people will
load IP location lists into their firewall and drop packets at the border.
Of course they will not update said lists and load year old lists into
their firewalls.

So now my users can not access government sites because the IP ranges were
owned by a company in a different country two years ago.

Take a guess on how responsive site owners are when we complain about their
firewall. Most refuse to acknowledge they do any blocking and insist the
problem is at our end. That is if they respond at all.

Regards,

Baldur


On 25 December 2015 at 02:25, Stephen Satchell  wrote:

> On 12/24/2015 04:50 PM, Daniel Corbe wrote:
>
>> Let’s just cut off the entirety of the third world instead of having
>> a tangible mitigation plan in place.
>>
>
> While you think you are making a snarky response, it would be handy for
> end users to be able to turn on and off access to other countries retail.
> If *they* don't need access to certain third world countries, it would be
> their decision, not the operator's decision.
>
> For example, here on my little network we have no need for connectivity to
> much of Asia, Africa, or India.  We do have need to talk to Europe,
> Australia, and some countries in South America.
>
>

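Valdis's suggestion above (build a list of the prefixes you want gone and block them at your border) and Baldur's observation that such lists are loaded once and never refreshed can be shown together in a few lines of code. The block below is an added example, not code from anyone in this thread. It reads records in the RIR delegated-extended layout (registry|cc|type|start|value|date|status|id), which is the real format the registries publish, but every record in it is constructed: the country codes XA and XB, the documentation-range addresses and the dates are invented for illustration. The prefix-list output uses IOS-style syntax purely as an illustration of what the generated filter would look like; adapt it to whatever your border router speaks. A second, also constructed, snapshot moves one block from XA to XB, which is exactly the transfer case Baldur describes: a drop-list built from the old data keeps blocking the range after it has changed hands.

```python
"""Country prefix drop-list built from RIR delegated-extended records, plus
a staleness check showing what happens when the list is not refreshed.

Added example, not code from this thread.  The record layout is the real
RIR "delegated-extended" format (registry|cc|type|start|value|date|status|id),
but every record below is constructed: country codes XA/XB, addresses from
documentation ranges and dates are invented for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed snapshot from two years ago: 203.0.113.0/24 registered in XA.
OLD_SNAPSHOT = """\
apnic|XA|ipv4|203.0.113.0|256|20130301|assigned|x1
apnic|XA|ipv4|198.51.100.0|128|20120710|allocated|x2
ripencc|XB|ipv4|192.0.2.0|256|20110105|assigned|x3
ripencc|XB|ipv6|2001:db8::|32|20110105|allocated|x4
"""

# Constructed current snapshot: 203.0.113.0/24 was transferred to XB, so a
# drop-list built from OLD_SNAPSHOT still blocks XB users on that range.
NEW_SNAPSHOT = """\
apnic|XA|ipv4|198.51.100.0|128|20120710|allocated|x2
ripencc|XB|ipv4|203.0.113.0|256|20150601|assigned|x5
ripencc|XB|ipv4|192.0.2.0|256|20110105|assigned|x3
ripencc|XB|ipv6|2001:db8::|32|20110105|allocated|x4
"""


def parse_delegated(text):
    """Map country code -> list of networks.  Header, summary, available
    and reserved records are skipped; IPv4 'value' is an address count,
    IPv6 'value' is a prefix length."""
    table = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7:
            continue
        _registry, cc, kind, start, value, _date, status = fields[:7]
        if cc == "*" or status not in ("allocated", "assigned"):
            continue
        if kind == "ipv4":
            first = ipaddress.IPv4Address(start)
            last = first + int(value) - 1
            table[cc].extend(ipaddress.summarize_address_range(first, last))
        elif kind == "ipv6":
            table[cc].append(ipaddress.IPv6Network(f"{start}/{value}"))
    return table


def country_prefixes(table, cc):
    """Collapsed, sorted prefixes for one country, IPv4 first then IPv6."""
    nets = table.get(cc, [])
    v4 = ipaddress.collapse_addresses([n for n in nets if n.version == 4])
    v6 = ipaddress.collapse_addresses([n for n in nets if n.version == 6])
    return list(v4) + list(v6)


def render_prefix_list(name, prefixes):
    """IOS-style prefix-list that denies the given prefixes (and any
    more-specific) and permits everything else.  Syntax is illustrative;
    adapt to your platform."""
    lines = []
    families = ((4, "ip", "0.0.0.0/0 le 32"), (6, "ipv6", "::/0 le 128"))
    for version, keyword, anyroute in families:
        nets = [n for n in prefixes if n.version == version]
        if not nets:
            continue
        seq = 5
        for net in nets:
            lines.append(f"{keyword} prefix-list {name} seq {seq} "
                         f"deny {net} le {net.max_prefixlen}")
            seq += 5
        lines.append(f"{keyword} prefix-list {name} seq {seq} permit {anyroute}")
    return lines


def stale_blocks(old_table, new_table, cc):
    """Prefixes that a drop-list for `cc` built from old_table still covers,
    although current data registers them to a different country.
    Returns [(current_network, current_cc), ...]."""
    stale = []
    for net in country_prefixes(old_table, cc):
        for other_cc, nets in new_table.items():
            if other_cc == cc:
                continue
            for cur in nets:
                if cur.version == net.version and cur.overlaps(net):
                    stale.append((cur, other_cc))
    return stale


if __name__ == "__main__":
    old = parse_delegated(OLD_SNAPSHOT)
    new = parse_delegated(NEW_SNAPSHOT)
    print("\n".join(render_prefix_list("DROP-XA", country_prefixes(new, "XA"))))
    for net, owner in stale_blocks(old, new, "XA"):
        print(f"stale: {net} is now registered in {owner}; "
              f"a drop-list built from the old data still blocks it")
```

Two caveats the thread itself raises still apply to anything built this way: the country code in registry data is the registrant's, not necessarily where the addresses are used, and blocking by ASN rather than by country (Valdis's other suggestion) needs the BGP table as its source instead of the delegation files, which this example does not cover. Whatever the source, the stale_blocks check, or something like it, is the part that keeps someone else's users from being locked out of your site two years later.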

Re: de-peering for security sake

2015-12-24 Thread Owen DeLong

> On Dec 24, 2015, at 17:25 , Stephen Satchell  wrote:
> 
> On 12/24/2015 04:50 PM, Daniel Corbe wrote:
>> Let’s just cut off the entirety of the third world instead of having
>> a tangible mitigation plan in place.
> 
> While you think you are making a snarky response, it would be handy for end 
> users to be able to turn on and off access to other countries retail.  If 
> *they* don't need access to certain third world countries, it would be their 
> decision, not the operator's decision.
> 
> For example, here on my little network we have no need for connectivity to 
> much of Asia, Africa, or India.  We do have need to talk to Europe, 
> Australia, and some countries in South America.

Yes… Balkanization has been such a wonderful and useful strategy in the 
physical world, let’s bring it to cyberspace and we should be able to expect 
the same level of success…

Oh, wait, that wouldn’t be so good. Maybe this should be rethought.

One of the definitions of insanity is doing the same thing over and over again, 
expecting different results. This would seem to me to fit that particular 
definition.

Owen



Re: de-peering for security sake

2015-12-24 Thread Daniel Corbe
Let’s just cut off the entirety of the third world instead of having a tangible 
mitigation plan in place.

> On Dec 24, 2015, at 6:44 PM, Colin Johnston  wrote:
> 
> see
> http://map.norsecorp.com
> 
> We really need to ask, if China and Russia for that matter will not take abuse 
> reports seriously, why allow them to network to the internet?
> 
> Colin
> 



Re: de-peering for security sake

2015-12-24 Thread Suresh Ramasubramanian
Hmm, has anyone at all kept count of the number of times such a discussion has 
started up in just the last year, and how many more times in the past 16 or so 
years?

Mind you, back in say 2004, this discussion would have run to 50 or 60 emails 
at a bare minimum, in no time at all.

--srs

On 25-Dec-2015, at 6:55 AM, Stephen Satchell  wrote:

>> On 12/24/2015 04:50 PM, Daniel Corbe wrote:
>> Let’s just cut off the entirety of the third world instead of having
>> a tangible mitigation plan in place.
> 
> While you think you are making a snarky response, it would be handy for end 
> users to be able to turn on and off access to other countries retail.


Re: de-peering for security sake

2015-12-24 Thread Owen DeLong
Yes… Isn’t it impressive just how persistent the bad idea fairy can be?

Owen

> On Dec 24, 2015, at 19:25 , Suresh Ramasubramanian  
> wrote:
> 
> Hmm, has anyone at all kept count of the number of times such a discussion 
> has started up in just the last year, and how many more times in the past 16 
> or so years?
> 
> Mind you, back in say 2004, this discussion would have run to 50 or 60 emails 
> at a bare minimum, in no time at all.
> 
> --srs
> 
> On 25-Dec-2015, at 6:55 AM, Stephen Satchell  wrote:
> 
>>> On 12/24/2015 04:50 PM, Daniel Corbe wrote:
>>> Let’s just cut off the entirety of the third world instead of having
>>> a tangible mitigation plan in place.
>> 
>> While you think you are making a snarky response, it would be handy for end 
>> users to be able to turn on and off access to other countries retail.



Re: announcement of freerouter

2015-12-24 Thread Josh Reynolds
RouterOS is an existing product by MikroTik.
On Dec 24, 2015 9:46 PM, "mate csaba"  wrote:

> hi,
> pleased to announce a stable release of freerouter.
> this is a routing daemon that does packet handling itself
> so it can do bridging, routing ipv4/ipv6 unicast/multicast,
> mpls, vpls, evpn, mpls te, mldp, segment routing, and so on...
> speaks a lot of routing protocols like rip, ospf, isis, eigrp, bgp,
> babel...
> does a lot of tunneling like gre, ipip, ipsec, l2tp, geneve, vxlan,
> nvgre...
> have a lot of built in servers like dns, http(s), smtp, pop3, telnet,
> tacacs, radius, ssh...
> it can start external images which could be connected, so various lab
> topologies can be easily created.
> our NREN uses it as primary full BGP RR for more than a year for about
> hundred routers.
> here is the homepage: http://freerouter.nop.hu/
> feel free to try it out and send suggestions/bug reports...:)
> thanks in advance,
> csaba mate
> niif/hungarnet
>
>


Re: IPv4 shutdown in mobile

2015-12-24 Thread Mikael Abrahamsson

On Fri, 25 Dec 2015, Mark Tinka wrote:

> It would be nice to hear about Europe, the Middle East, Latin America and 
> Canada as well, if anyone has any stories.


I know of at least one mobile provider in each of Sweden, Finland and Germany 
that has IPv6 enabled for at least part of their device base.


Some have chosen IPv4v6 (providing dual stack) which means they can do 
this with Apple devices today, some are IPv6 only which means they're like 
T-Mobile waiting for the Apple App universe to come around to being IPv6 
only supporting.


North America is by far the leader in number of IPv6-enabled customers, as

https://www.stateoftheinternet.com/trends-visualizations-ipv6-adoption-ipv4-exhaustion-global-heat-map-network-country-growth-data.html#networks

shows. However, things are happening all across the world now... I 
wouldn't be surprised if we're already in the 100-300M IPv6 enabled 
devices range by now...


--
Mikael Abrahamsson    email: swm...@swm.pp.se


RE: Broadband Router Comparisons

2015-12-24 Thread Frank Bulk
+1.

Here's one managed option that non-Calix customers, such as WISPs, have found 
interesting: https://www.calix.com/systems/gigafamily-overview/GigaCenters.html

Frank

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Justin Wilson
Sent: Thursday, December 24, 2015 9:40 AM
To: nanog@nanog.org
Subject: Re: Broadband Router Comparisons

The trend is a managed router service.  This way the ISP can control the 
customer experience a little better.  It also gives the ISP a demarc point to 
test from, which is not as reliant on getting the customer involved. 

Mikrotik makes the hAP lite, which has a retail of $21.95:
http://www.balticnetworks.com/mikrotik-hap-lite-tc-2-4ghz-indoor-access-point-tower-case-built-in-1-5dbi-antenna.html
This is a *nix-based router you can cheaply deploy even if a customer 
doesn’t want a managed router.  I have clients who deploy this as a “modem” if 
the customer chooses their own router.  By doing this the ISP can run pings, 
traceroutes, see usage, and other useful tools from the customer side.

Once you figure on your average support call on troubleshooting a customer 
router $21.95 is a drop in the bucket. Having a place to test from the customer 
side is invaluable.  Tons of tricks you can do too.  Turn on the wireless and 
have the customer connect to it.  Block out all traffic except what the 
customer is using for tests (i.e. wireless) so you can see if there are devices 
hogging the pipe.  You can do frequency scans to see how bad 2.4 is.  You 
can get a dual band hAP router with AC.  It is more expensive so deploying one 
of those at every customer might not be feasible. 


Justin Wilson
j...@mtin.net

---
http://www.mtin.net Owner/CEO
xISP Solutions- Consulting – Data Centers - Bandwidth

http://www.midwest-ix.com  COO/Chairman

> On Dec 24, 2015, at 10:05 AM, Baldur Norddahl  
> wrote:
> 
> I have reasonable success with simply lending the customer a router. In
> most cases they will then buy it afterwards, because it turns out that
> their old router was indeed bad.
> 
> But you can not win them all. Sometimes it is the other equipment that is
> bad, or the customer is clueless. They might even be lying because everyone
> knows you have to pretend it is worse than it actually is to get the doctor
> to take you seriously. Also who here can honestly say you never pretended
> to power cycle your Windows 95 when asked by the support bot on the phone,
> while actually running Linux, because that is the only way to get passed on
> to second tier support?
> 
> Just last week I had a customer complaining his router was bad. I went out
> there and found it in the basement, on the floor, under a bed with a ton of
> crap on top. He said it was so much worse than his old internet, where he
> had the router in the center of the house in his living room. Not too
> surprisingly? He claimed the routers were located the same place until I
> turned up at his house and asked to see it...
> 
> I do not think you will have much success at pointing to a list of
> supposedly bad routers. The world is just too complex. A bad experience can
> be due to anything really. Most likely they are on 2,4 GHz and the spectrum
> is crowded. Combine with an old computer (or even brand new!) that has crap
> 2,4 GHz wifi - nothing a router can do about that. I demonstrate that it
> can work with my own computer and then advise the customer on what to buy.
> 
> Regards,
> 
> Baldur
> 





Re: Broadband Router Comparisons

2015-12-24 Thread Jason Baugher
Providing a managed service is the direction we're going. In our case,
since we're a Calix shop, we're using their GigaCenters, but I'm sure there
are other vendor options out there.

Early indications are that 95+% of our residential customers would rather
pay a nominal "maintenance" fee and use our managed router than purchase
their own. From our end, we get a little more revenue, we ensure our
customers aren't blaming us for problems caused by junk routers, and we
provide a level of service and support that the big guys can't even come
close to matching.

On Thu, Dec 24, 2015 at 9:40 AM, Justin Wilson  wrote:

> The trend is a managed router service.  This way the ISP can control the
> customer experience a little better.  It also gives the ISP a demarc point
> to test from, which is not as reliant on getting the customer involved.
>
> Mikrotik makes the hAP lite, which has a retail of $21.95:
> http://www.balticnetworks.com/mikrotik-hap-lite-tc-2-4ghz-indoor-access-point-tower-case-built-in-1-5dbi-antenna.html
> This is a *nix-based router you can cheaply deploy even if a customer
> doesn’t want a managed router.  I have clients who deploy this as a “modem”
> if the customer chooses their own router.  By doing this the ISP can run
> pings, traceroutes, see usage, and other useful tools from the customer
> side.
>
> Once you figure on your average support call on troubleshooting a customer
> router $21.95 is a drop in the bucket. Having a place to test from the
> customer side is invaluable.  Tons of tricks you can do too.  Turn on the
> wireless and have the customer connect to it.  Block out all traffic except
> what the customer is using for tests (i.e. wireless) so you can see if
> there are devices hogging the pipe.   You can do frequency scans to see how
> bad 2.4 is.  You can get a dual band hAP router with AC.  It is more
> expensive so deploying one of those at every customer might not be feasible.
>
>
> Justin Wilson
> j...@mtin.net
>
> ---
> http://www.mtin.net Owner/CEO
> xISP Solutions- Consulting – Data Centers - Bandwidth
>
> http://www.midwest-ix.com  COO/Chairman
>
> > On Dec 24, 2015, at 10:05 AM, Baldur Norddahl 
> wrote:
> >
> > I have reasonable success with simply lending the customer a router. In
> > most cases they will then buy it afterwards, because it turns out that
> > their old router was indeed bad.
> >
> > But you can not win them all. Sometimes it is the other equipment that is
> > bad, or the customer is clueless. They might even be lying because
> everyone
> > knows you have to pretend it is worse than it actually is to get the
> doctor
> > to take you seriously. Also who here can honestly say you never pretended
> > to power cycle your Windows 95 when asked by the support bot on the
> phone,
> > while actually running Linux, because that is the only way to get passed
> on
> > to second tier support?
> >
> > Just last week I had a customer complaining his router was bad. I went
> out
> > there and found it in the basement, on the floor, under a bed with a ton
> of
> > crap on top. He said it was so much worse than his old internet, where he
> > had the router in the center of the house in his living room. Not too
> > surprisingly? He claimed the routers were located the same place until I
> > turned up at his house and asked to see it...
> >
> > I do not think you will have much success at pointing to a list of
> > supposedly bad routers. The world is just too complex. A bad experience
> can
> > be due to anything really. Most likely they are on 2,4 GHz and the
> spectrum
> > is crowded. Combine with an old computer (or even brand new!) that has
> crap
> > 2,4 GHz wifi - nothing a router can do about that. I demonstrate that it
> > can work with my own computer and then advise the customer on what to
> buy.
> >
> > Regards,
> >
> > Baldur
> >
>
>


RE: Broadband Router Comparisons

2015-12-24 Thread Keith Medcalf
> to take you seriously. Also who here can honestly say you never pretended
> to power cycle your Windows 95 when asked by the support bot on the phone,
> while actually running Linux, because that is the only way to get passed
> on to second tier support?

I can honestly say that I have told support droids that I am rebooting 
"Windows" while actually running zOS.  Support droids have a definite problem 
with comprehending "No Transport" ...

I have even called to report a border router down on their network.  They 
complain and want to plug, unplug and reboot.  It isn't until 20 minutes later 
when the call volume exceeds the "geez there must be something wrong with our 
network" limit that someone actually bothers to look and see where the problem 
is really located.






Re: Broadband Router Comparisons

2015-12-24 Thread Rob Seastrom

> On Dec 23, 2015, at 10:38 PM, Lorell Hathcock  wrote:
> 
> That's a good troubleshooting technique when the customer is cooperative and 
> technically competent.

... and has ethernet on anything in the house, which is increasingly a bad 
thing to rely on.  Got an iPad, a smart phone, and a MacBook Air (any 
revision)?  Two of the three have substantially no support for hardwired 
Ethernet.  The third requires an external USB adaptor.  "Go out and buy this 
$24 gizmo so we can confirm that your $29 router/wireless device is indeed 
crap" is a hard thing to get most people to do.

-r




Re: Broadband Router Comparisons

2015-12-24 Thread Baldur Norddahl
I have reasonable success with simply lending the customer a router. In
most cases they will then buy it afterwards, because it turns out that
their old router was indeed bad.

But you can not win them all. Sometimes it is the other equipment that is
bad, or the customer is clueless. They might even be lying because everyone
knows you have to pretend it is worse than it actually is to get the doctor
to take you seriously. Also who here can honestly say you never pretended
to power cycle your Windows 95 when asked by the support bot on the phone,
while actually running Linux, because that is the only way to get passed on
to second tier support?

Just last week I had a customer complaining his router was bad. I went out
there and found it in the basement, on the floor, under a bed with a ton of
crap on top. He said it was so much worse than his old internet, where he
had the router in the center of the house in his living room. Not too
surprisingly? He claimed the routers were located the same place until I
turned up at his house and asked to see it...

I do not think you will have much success at pointing to a list of
supposedly bad routers. The world is just too complex. A bad experience can
be due to anything really. Most likely they are on 2,4 GHz and the spectrum
is crowded. Combine with an old computer (or even brand new!) that has crap
2,4 GHz wifi - nothing a router can do about that. I demonstrate that it
can work with my own computer and then advise the customer on what to buy.

Regards,

Baldur


Re: Broadband Router Comparisons

2015-12-24 Thread Justin Wilson
The trend is a managed router service.  This way the ISP can control the 
customer experience a little better.  It also gives the ISP a demarc point to 
test from, which is not as reliant on getting the customer involved. 

Mikrotik makes the hAP lite, which has a retail of $21.95:
http://www.balticnetworks.com/mikrotik-hap-lite-tc-2-4ghz-indoor-access-point-tower-case-built-in-1-5dbi-antenna.html
This is a *nix-based router you can cheaply deploy even if a customer 
doesn’t want a managed router.  I have clients who deploy this as a “modem” if 
the customer chooses their own router.  By doing this the ISP can run pings, 
traceroutes, see usage, and other useful tools from the customer side.

Once you figure on your average support call on troubleshooting a customer 
router $21.95 is a drop in the bucket. Having a place to test from the customer 
side is invaluable.  Tons of tricks you can do too.  Turn on the wireless and 
have the customer connect to it.  Block out all traffic except what the 
customer is using for tests (i.e. wireless) so you can see if there are devices 
hogging the pipe.  You can do frequency scans to see how bad 2.4 is.  You 
can get a dual band hAP router with AC.  It is more expensive so deploying one 
of those at every customer might not be feasible. 


Justin Wilson
j...@mtin.net

---
http://www.mtin.net Owner/CEO
xISP Solutions- Consulting – Data Centers - Bandwidth

http://www.midwest-ix.com  COO/Chairman

> On Dec 24, 2015, at 10:05 AM, Baldur Norddahl  
> wrote:
> 
> I have reasonable success with simply lending the customer a router. In
> most cases they will then buy it afterwards, because it turns out that
> their old router was indeed bad.
> 
> But you can not win them all. Sometimes it is the other equipment that is
> bad, or the customer is clueless. They might even be lying because everyone
> knows you have to pretend it is worse than it actually is to get the doctor
> to take you seriously. Also who here can honestly say you never pretended
> to power cycle your Windows 95 when asked by the support bot on the phone,
> while actually running Linux, because that is the only way to get passed on
> to second tier support?
> 
> Just last week I had a customer complaining his router was bad. I went out
> there and found it in the basement, on the floor, under a bed with a ton of
> crap on top. He said it was so much worse than his old internet, where he
> had the router in the center of the house in his living room. Not too
> surprisingly? He claimed the routers were located the same place until I
> turned up at his house and asked to see it...
> 
> I do not think you will have much success at pointing to a list of
> supposedly bad routers. The world is just too complex. A bad experience can
> be due to anything really. Most likely they are on 2,4 GHz and the spectrum
> is crowded. Combine with an old computer (or even brand new!) that has crap
> 2,4 GHz wifi - nothing a router can do about that. I demonstrate that it
> can work with my own computer and then advise the customer on what to buy.
> 
> Regards,
> 
> Baldur
>