Re: Firewalls in service provider environments

2012-02-08 Thread Matthew Reath
 On Tue, Feb 7, 2012 at 4:35 PM, Matthew Reath m...@mattreath.com wrote:

  One of my customers has a list like that. They can't understand why
  one in every hundred or so TCP connections on port 443 fails.
 
  Hint: you forgot access-list 102 permit tcp any any established
  after access-list 102 deny   ip host 255.255.255.255 any. The
  destination port in one direction is the source port in the other and
  many of those are dynamic source ports picked by Windows. Unless you
  restrict that filter to just packets attempting to initiate a new
  connection, you're shooting yourself in the foot.

 Yeah, agreed.  The only place this gets applied is inbound on the interface
 facing an upstream provider. ACLs ingress from end customers are much
 different. In theory this could cause issues with externally initiated
 traffic that uses, let's say,  as its random source port.


 If you apply the ACL you showed as an inbound ACL on your provider facing
 interfaces, you will be breaking any connections that exit your network
 with source ports from your list of bad ports.  For example, you connect
 out from x.x.x.x: to y.y.y.y:80, then the response packets coming back
 into your network will be from y.y.y.y:80 to x.x.x.x: and will be
 dropped by your ACL.

 This seems to be a common mistake, and is often missed because it manifests
 as one-in-thousands failures of TCP connections.  People tend to just try a
 second time and it works and never investigate why they had one random
 failure.


Good point. Adding in an established entry, although it may open you up to
TCP/SYN sort of packets, is a better trade-off than affecting customer
traffic.

-Matt




Re: Firewalls in service provider environments

2012-02-08 Thread Matthew Reath
 On Wed, Feb 8, 2012 at 9:25 AM, Matthew Reath m...@mattreath.com wrote:

 Good point. Adding in an established entry, although it may open you up to
 TCP/SYN sort of packets, is a better trade-off than affecting customer
 traffic.

 'established' is explicitly NOT 'syn' ...
 maybe you meant 'ack flood' ? (or rst flood? or  but certainly not
 syn flood)


If I had an 'established' entry on an inbound ACL to filter traffic coming
from my upstream provider, wouldn't SYN ACK (2nd step in the handshake)
packets be allowed to pass the ACL because of this?

But I see your point: a connection initiation from external sources with
just the SYN flag set would not be allowed.  However, if a session is
initiated internally, the returning SYN ACK from the external server would
be allowed, as would ACK and data packets with ACK set.
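The two exchanges above (return packets dropped by a "bad port" deny list, and what the 'established' keyword does and does not let through) as a small Python model. This is an added example, not code from the thread; the entries, the BAD_PORTS values and the packets are constructed, and the model assumes the IOS rule that 'established' matches only packets with the ACK or RST bit set.

```python
from dataclasses import dataclass

# Sample "bad" destination ports, constructed for this example only.
BAD_PORTS = (135, 139, 445, 1433)

@dataclass(frozen=True)
class Packet:
    src_port: int
    dst_port: int
    syn: bool = False
    ack: bool = False
    rst: bool = False

def ace_matches(ace: dict, pkt: Packet) -> bool:
    """One 'tcp any any' access-list entry. The IOS 'established' keyword
    matches only packets with the ACK or RST bit set (never a bare SYN)."""
    if ace.get("established") and not (pkt.ack or pkt.rst):
        return False
    return "dst_port" not in ace or pkt.dst_port == ace["dst_port"]

def evaluate(acl: list, pkt: Packet) -> str:
    """First matching entry wins; the implicit deny sits at the end."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace["action"]
    return "deny"

def inbound_acl(with_established: bool) -> list:
    """Provider-facing inbound ACL: bad-port denies then 'permit ip any any',
    optionally with 'permit tcp any any established' ahead of the denies."""
    acl = [{"action": "permit", "established": True}] if with_established else []
    acl += [{"action": "deny", "dst_port": p} for p in BAD_PORTS]
    return acl + [{"action": "permit"}]

def demo() -> dict:
    # Reply to a connection a customer opened from ephemeral port 1433
    # (x.x.x.x:1433 -> y.y.y.y:80): the reply's *destination* port is 1433.
    reply = Packet(src_port=80, dst_port=1433, ack=True)
    # Outside host opening a new connection to port 445: SYN only.
    new_conn = Packet(src_port=50000, dst_port=445, syn=True)
    # Bare ACK to port 445 from outside: the trade-off the reply points out.
    bare_ack = Packet(src_port=50000, dst_port=445, ack=True)
    return {
        "reply_without_established": evaluate(inbound_acl(False), reply),
        "reply_with_established": evaluate(inbound_acl(True), reply),
        "new_conn_with_established": evaluate(inbound_acl(True), new_conn),
        "bare_ack_with_established": evaluate(inbound_acl(True), bare_ack),
    }
```

The one-in-a-hundred failure is the first key: whenever the customer's ephemeral source port lands on a listed port, the reply is denied, while the 'established' entry lets it through but still denies a new inbound SYN to that port.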






Firewalls in service provider environments

2012-02-07 Thread Matthew Reath
All,

Looking for some recommendations on firewall placement in service provider
environments.  I'm of the school of thought that in my SP network I do as
little firewalling/packet filtering as possible. As in none: leave that to
my end users, or offer a managed firewall solution where, if a customer
signs up for the extra service, I put him in a VRF or VLAN that is behind
a firewall and manage that solution for them. Otherwise I'd prefer not to
have a firewall inline in my service provider network for all customer
traffic to go through. I can accomplish filtering of known bad ports on my
edge routers either facing my customers or upstream providers.

What is the group's thought on this?

-Matt

--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath




Re: Question about prefix list

2012-02-03 Thread Matthew Reath
 Ann,
 the commas notwithstanding, the le/ge operands as applicable to
 prefix-lists simply mean less-than-or-equal-to or greater-than-or-equal-to
 wrt netmasks in CIDR speak.

 In your prefix-list below, the le operand means
 allow the following ranges:

 /22, /23, /24; deny all else.
 For the /21
 it means allow /21 through /24.

 Anything without an operand means an exact match (permit/deny).

 Homework for you:

 What do the following do:

 1) ip prefix-list foo deny 0.0.0.0/0 le 32
 2) ip prefix-list foo permit 0.0.0.0/0 le 32

 Understand the above and you will understand how operands work in
 prefix-lists.
 ./Randy


 --- On Wed, 2/1/12, Ann Kwok annkwo...@gmail.com wrote:

 From: Ann Kwok annkwo...@gmail.com
 Subject: Question about prefix list
 To: nanog@nanog.org
 Date: Wednesday, February 1, 2012, 6:32 AM
 Hi

 I read this prefix list.

 Can I know why there is le 24 after the network block in /22
 and /21?

 Why doesn't it have le 24 after /24?

 I also saw another prefix list before. They use le 32
 instead of le 24.

 What is the difference?

 ip prefix-list prefix-filter-as100 seq 10 permit
 202,168.136.0/22 le 24
 ip prefix-list prefix-filter-as100 seq 20 permit
 202,22.92.0/22 le 24
 ip prefix-list prefix-filter-as100 seq 30 permit
 202,21.148.0/22 le 24
 ip prefix-list prefix-filter-as100 seq 40 permit
 203,178.88.0/21 le 24
 ip prefix-list prefix-filter-as100 seq 50 permit
 178.88.74.0/24

 Thank you so much




Here is how I look at prefix lists …

Let's say I have the following:
ip prefix-list EXAMPLE permit 202.21.148.0/22 le 24

What this essentially means is: match any prefix that matches the first 22
bits of 202.21.148.0 and has a prefix length less than or equal to /24.

The third octet (148) is 10010100 in binary; the /22 boundary falls at
100101|00. So we would match anything that has the same bits set before
the divider, i.e. the /22 mark.

Matching prefixes would be:
202.21.148.0/22
202.21.148.0/23
202.21.150.0/23
202.21.148.0/24
202.21.149.0/24
202.21.150.0/24
202.21.151.0/24

Hope that makes sense.

--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath
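Matt's bit-matching walk-through and Randy's le/ge homework, as an added Python example (not code from the thread). It implements prefix-list matching with the standard ipaddress module; the two-entry list is taken from Ann's prefix-list earlier in the thread, and first-match-wins with an implicit deny at the end is assumed Cisco semantics.

```python
import ipaddress

def parse_entry(entry: str):
    """'202.21.148.0/22 le 24' -> (network, ge, le); no operand = exact length."""
    parts = entry.split()
    net = ipaddress.ip_network(parts[0], strict=False)
    ge = le = net.prefixlen
    for key, val in zip(parts[1::2], parts[2::2]):
        if key == "ge":
            ge = int(val)
        elif key == "le":
            le = int(val)
    return net, ge, le

def entry_matches(entry: str, candidate: str) -> bool:
    """Cisco semantics: the candidate's first <len> bits equal the entry's
    network bits, and the candidate's own length lies within [ge, le]."""
    net, ge, le = parse_entry(entry)
    cand = ipaddress.ip_network(candidate, strict=False)
    if cand.version != net.version or not ge <= cand.prefixlen <= le:
        return False
    return cand.network_address in net

def covered_prefixes(entry: str) -> list:
    """Enumerate every prefix one entry matches (only sane for small ranges)."""
    net, ge, le = parse_entry(entry)
    return [str(sub)
            for length in range(max(ge, net.prefixlen), le + 1)
            for sub in net.subnets(new_prefix=length)
            if entry_matches(entry, str(sub))]

def prefix_list_action(entries: list, candidate: str) -> str:
    """First matching 'permit|deny network [ge N] [le M]' line wins; an
    unmatched prefix hits the implicit deny at the end of the list."""
    for line in entries:
        action, _, rest = line.partition(" ")
        if entry_matches(rest, candidate):
            return action
    return "deny"

# Two lines from Ann's prefix-list in the thread; the other /22 entries
# behave the same way as the first one.
PREFIX_FILTER_AS100 = [
    "permit 202.21.148.0/22 le 24",
    "permit 178.88.74.0/24",
]
```

covered_prefixes("202.21.148.0/22 le 24") returns exactly the seven prefixes listed above, and "0.0.0.0/0 le 32" matches every IPv4 prefix, which is why Randy's homework entries deny or permit everything.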




Re: Please help our simple bgp

2012-02-03 Thread Matthew Reath
 Hello

 Our router is running simple BGP: one BGP router, two upstreams (each 100M,
 from ISP A and ISP B).
 We are getting full feed tables from them.

 We discovered the routes are going to ISP A only, even when the 100M
 bandwidth is full.

 Can we set the weight to change to ISP B, to use ISP B as the preferred
 route?

 Can the following configuration work?
 What do you suggest for this weight number too?

  neighbor 1.2.3.4 description ISP B
  neighbor 1.2.3.4 remote-as 111
  neighbor 1.2.3.4 weight 2000

 If this works, what happens if the ISP B upstream connection is down?

 Can it still fail over to ISP A automatically?

 If it won't work, Do you have any suggestion?

 Thank you for your help


Ann,

I've done this for a few customers that have requested it. Some engineers
complain that advertising /24 routes dilutes the Internet routing tables,
which is true in some regards.  However, this does work in many situations
to balance things out.

Check out my blog post that walks through this procedure:
http://mattreath.com/2012/01/29/bgp-load-balancing/

-Matt


--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath




Problem with AOL through XO

2011-07-30 Thread Matthew Reath
I'm wondering if anyone else is having issues with their customers
accessing AOL related sites including Engadget. We have two upstream
providers, Charter and TW, both of which peer with XO. If traffic goes out
Charter to AOL sites it gets blackholed in XO.  If it goes out TW the
sites load fine.

Any thoughts?

-Matt




Re: Resilient streaming protocols

2011-06-11 Thread Matthew Reath

 There is a RTP FEC extension...

 Pete

 On May 29, 2011, at 12:40 AM, Aria Stewart wrote:

 Anyone have any interest in a forward-error-corrected streaming protocol
 suitable for multicast, possibly both audio and video?

 Good for when there's some packet loss.

 
 Aria Stewart



I believe Cisco had/has a solution called VQE:
http://www.cisco.com/en/US/prod/collateral/video/ps7191/ps7127/product_data_sheet0900aecd806c0bfb.html.

It works by having a free software (LGPL or GPL) VQE client on the STB or
PC device that queues and requests missing packets.

--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath




Re: Question about migrating to IPv6 with multiple upstreams.

2011-06-11 Thread Matthew Reath

 I have an interesting situation at a business that I am working on. We
 currently have the office set up with redundant connections for their
 mission critical servers and such, and also have a (cheap) cable modem for
 general browsing on client machines.

 The interesting part is that the client machines need to access some
 customer networks via the main redundant network, so we have a firewall
 set up to route those connections via the redundant connections, and
 everything else via the cheaper, faster cable modem. NAT is used on both
 outbound connections.

 With IPv6, we are having some trouble coming up with a way to do this.
 Since there is no NAT, does anyone have any ideas as to how this could be
 accomplished?

 In a nutshell: how do you have 2 upstream connections, and choose between
 them based on outbound destination?

 thanks,
 -Randy



Standard IP routing: the default gateway of the network can decide, based
on a route entry, whether to send it to the cable modem or to the
firewall.


--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath




RE: Question about migrating to IPv6 with multiple upstreams.

2011-06-11 Thread Matthew Reath
 -Original Message-
 From: Matthew Reath [mailto:m...@mattreath.com]
 Sent: June-11-11 11:22 PM
 To: Randy Carpenter
 Cc: nanog@nanog.org
 Subject: Re: Question about migrating to IPv6 with multiple upstreams.

 Standard IP routing, the default gateway of the network can decide based
 on a route entry whether to send it to the cable modem or send it to the
 firewall.

 If the source block is not routed via both connections it won't work without
 NAT.  I had this same problem trying to use my ISP's native v6 over PPPoE
 and maintain a tunnel as backup since it was still pretty flaky as they were
 testing it at the time ... no way a residential ISP is going to route 3rd
 party blocks for all their customers, and no chance the tunnel provider was
 going to route the block my ISP assigned me either ... with no NAT66 in
 Tomato/ddWRT/etc it was 100% impossible to have multiple connections ...



I guess I'm a little confused on the setup. You have a firewall with a
connection to a local LAN, another connection to customer network(s), and
a third connection to the Internet via cable modem?

You have NAT set up to NAT your local LAN out to the Internet and to the
customer network? A customer network device would use the outside IP on
the customer network connection to communicate with devices in the local
LAN?

I think it makes more sense to me now.

--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath




RE: Question about migrating to IPv6 with multiple upstreams.

2011-06-11 Thread Matthew Reath
 -Original Message-
 From: Matthew Reath [mailto:m...@mattreath.com]
 Sent: June-11-11 11:22 PM
 To: Randy Carpenter
 Cc: nanog@nanog.org
 Subject: Re: Question about migrating to IPv6 with multiple upstreams.

 Standard IP routing, the default gateway of the network can decide based
 on a route entry whether to send it to the cable modem or send it to the
 firewall.

 If the source block is not routed via both connections it won't work without
 NAT.  I had this same problem trying to use my ISP's native v6 over PPPoE
 and maintain a tunnel as backup since it was still pretty flaky as they were
 testing it at the time ... no way a residential ISP is going to route 3rd
 party blocks for all their customers, and no chance the tunnel provider was
 going to route the block my ISP assigned me either ... with no NAT66 in
 Tomato/ddWRT/etc it was 100% impossible to have multiple connections ...



Are you able to create ip6ip tunnels from your firewall/router to each
customer?

--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath




Re: The stupidity of trying to fix DHCPv6

2011-06-10 Thread Matthew Reath

 This is different types of networks and network users and also different
 operational, administrative, and security domains.

 I am also getting frustrated with the endless discussions that could be
 immediately shortened by tinkering with DHCP to add one or two
 additional options -- a minimal cost process.  Why is the argument not
 about business needs instead of technical purity?


I'd have to agree with this, although from a technical standpoint RA Guard
would be a plausible solution to the rogue RA problem. However, the bigger
issue seems to be the mixing of what used to be managed by different
groups. Now you have IP transport folks implementing parameters sent to
client machines or routers. Less than ideal, probably.

What are the current options for a company to disable RA messages,
implement RA Guard, and force clients/routers to use DHCPv6 or static
assignment for IPv6 addresses? I believe ignoring the M and O bits would
break the standard, though - but what if they never get sent?

I know on Cisco you can suppress the RA, but I'm not sure if you can force
most clients to make DHCPv6 requests instead of listening for RAs.


--
Matt Reath
CCIE #27316 (SP)
m...@mattreath.com | http://mattreath.com
Twitter: http://twitter.com/mpreath