Re: Dedicated Server and IP anycast provider recommendation

2018-08-07 Thread Philippe Bonvin via NANOG
We use http://packet.net/ for our anycast setup. Their pricing isn't cheap 
compared to Vultr, but it's worth a try.

If you commit long-term, you can get custom pricing.


From: NANOG  on behalf of Siyuan Miao 

Sent: Tuesday, August 7, 2018 16:29
To: anth...@fms.io
Cc: nanog@nanog.org
Subject: Re: Dedicated Server and IP anycast provider recommendation

I would recommend Vultr: you can bring your own IP addresses and set up a BGP
session using a VM.

Their BGP service is fully automated and provides well-documented BGP
communities for traffic engineering.

--
Siyuan Miao
Misaka Network, Inc | https://misaka.io

On Tue, Aug 7, 2018 at 10:06 PM Anthony Leto  wrote:

> Hi,
>
> I would check out NetActuate. They are pretty awesome when it comes to
> Anycast IPv4/IPv6 and they do custom VMs.
>
> Anthony Leto
>
> On 8/7/2018 2:51:59 PM, John Kristoff  wrote:
>
> Friends,
>
> For those that may have used or know of a service like this. I know
> some exist, but it doesn't seem to be that popular or widely advertised
> as a standard service.
>
> I'm interested in pointers to a hosting/network provider that leases
> dedicated servers and can provide an anycast IP address assignment to
> two or more US-diversely connected POPs, but with reasonably consistent
> routing (e.g. peering, transit). A customer-shared prefix is OK. I'm
> interested in pointers to networks that would provide the prefix and
> handle all the routing.
>
> If you represent a network and sales is part of your job, I don't mind
> an off list pointer to a web page describing such a service, but please,
> this is not an invitation for "call me to discuss needs and options"
> replies nor an opportunity to get me on your customer prospect list.
> You likely ensure I never do business with you if you do either of
> those things. :-)
>
> Thank you,
>
> John
>


[EDSI-Tech Sarl]
Philippe Bonvin, Directeur, Ing. MSc. in Computer Science, IPMA, eMBA
EDSI-Tech Sàrl
EPFL Innovation Park, Batiment C, 1015 Lausanne, Suisse | Téléphone: +41 (0) 21 
566 14 15, poste 99

Disclaimer:
This email is confidential and intended solely for the use of the individual to 
whom it is addressed. If you are not the intended recipient of this 
information, be advised that you have received this email in error and that any 
usage, disclosure, distribution, copying of the information or any part of it 
in any form whatsoever is strictly prohibited.
If you have received this email in error please notify the EDSI-Tech helpdesk 
by phone on +41 21 566 14 15 and then delete this e-mail.


Re: Build an anycast network on a shoestring

2016-12-13 Thread Philippe Bonvin via NANOG
I've also set up an anycast AS, based on the work of others, notably Nat Morris.

If you are looking for providers that are willing to peer with your VPS over 
BGP, you can check the IRR records of AS204248: whois -r AS204248
But you need to manually check for best routing paths, which can be a slow 
process.
Using the nlnog ring is a great help when dealing with routing issues on an 
anycast network.

I'm available if somebody needs help with that.

From: NANOG  on behalf of Hugo Slabbert 

Sent: Tuesday, December 13, 2016 00:31
To: Theodore Baschak
Cc: NANOG Operators' Group
Subject: Re: Build an anycast network on a shoestring

If you're doing ECMP w/i the DC, PMTUD does come to mind, though:

https://blog.cloudflare.com/path-mtu-discovery-in-practice/

--
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal

On Mon 2016-Dec-12 15:59:29 -0600, Theodore Baschak  
wrote:

>Wow thanks for sharing both of these.  Anycast can be "black magic"
>sometimes, and the more that is known about it by operators the better. I'm
>somewhat surprised that ECMP
>I've done a little poor-mans anycasting within a network by simply using
>OSPF and some /32's. Had IPv4 space not been at such a premium when I got
>into the game, I would have definitely attempted to get a larger block so
>that I could anycast a /24 of it. :-(
>
>
>Theodore Baschak - AS395089 - Hextet Systems
>https://ciscodude.net/ - https://hextet.systems/
>http://mbix.ca/
>
>
>On Mon, Dec 12, 2016 at 1:27 PM, chris  wrote:
>
>>  @natmorris did something similar 18 months to 2 years or so ago too
>>  video below from uknof 30 ..
>>
>> https://youtu.be/itEtjsauwFQ
>>
>>
>> Sent from Samsung Mobile on O2
>>  Original message From: Franck Martin via NANOG <
>> nanog@nanog.org> Date: 12/12/2016  18:39  (GMT+00:00) To: NANOG <
>> nanog@nanog.org> Subject: Build an anycast network on a shoestring
>> This is quite a nice write up by a colleague of mine:
>> https://www.linkedin.com/pulse/build-your-own-anycast-
>> network-9-steps-samir-jafferali
>>

[EDSI-Tech Sarl]
Philippe Bonvin, Directeur
EDSI-Tech Sàrl
EPFL Innovation Park, Batiment C, 1015 Lausanne, Suisse | Téléphone: +41 (0) 21 
566 14 15, ext. 99
Savoie Technolac, 17 Avenue du Lac Léman, 73375 Le Bourget-du-Lac, France | 
Téléphone: +33 (0)4 86 15 44 78, ext. 99



Re: OSPFv3 with IPSec between Cisco and Juniper gears

2016-11-10 Thread Philippe Bonvin via NANOG
Yes that was it... sorry for the noise.

Now the IPSec SA is up and the neighbors are stuck in ExStart state, but that's 
another story.


From: David Hubbard <dhubb...@dino.hostasaurus.com>
Sent: Thursday, November 10, 2016 22:02
To: Philippe Bonvin; nanog@nanog.org
Subject: Re: OSPFv3 with IPSec between Cisco and Juniper gears

Wouldn’t you want to use hexadecimal instead of ascii-text, since that would 
match what the Cisco is asking for?  I’m just throwing this out there, I’m not 
familiar with Juniper but their docs seem to suggest that using hex will cause 
it to ask for 40 hex chars.

David

On 11/10/16, 3:14 PM, "NANOG on behalf of Philippe Bonvin via NANOG" 
<nanog-boun...@nanog.org on behalf of nanog@nanog.org> wrote:

Hello folks,


Quick question about incompatibility between Cisco and Juniper gears.


Without IPSec, OSPFv3 is working as expected.

I'm trying to configure IPSec authentication of OSPFv3 between a Juniper 
SRX and a Cisco router but it seems that they didn't agree to a common key 
length.


Can you confirm that this is a well-known problem or give me the right 
configuration that I should use?


The error message on the juniper:

[edit security ipsec security-association ospfv3 manual direction 
bidirectional authentication key ascii-text]
  'ascii-text "..."'
Authentication key size must be 20 bytes

On the cisco side:

cisco(config-if)#ipv6 ospf authentication ipsec spi 256 sha1 0 ?
  Hex-string  SHA-1 key (40 chars)?



Here is an output of the config I'm using on the SRX side:



ipsec {
    security-association ospfv3 {
        mode transport;
        manual {
            direction bidirectional {
                protocol ah;
                spi 256;
                authentication {
                    algorithm hmac-sha1-96;
                    key ascii-text "..."; ## SECRET-DATA
                }
            }
        }
    }
}

interface ge-0/0/0.0 {
    ipsec-sa ospfv3;
}


Thanks for your help,
Philippe



[EDSI-Tech Sarl]<http://www.edsi-tech.com>
Philippe Bonvin, Directeur
EDSI-Tech Sàrl<http://www.edsi-tech.com>
EPFL Innovation Park, Batiment C, 1015 Lausanne, Suisse | Téléphone: +41 (0) 21 
566 14 15, ext. 99
Savoie Technolac, 17 Avenue du Lac Léman, 73375 Le Bourget-du-Lac, France | 
Téléphone: +33 (0)4 86 15 44 78, ext. 99
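
The key-size mismatch in this thread (the SRX asking for 20 bytes, the Cisco for 40 hex characters) is the same HMAC-SHA1 key in two encodings. The sketch below is an added example, not part of the original messages: it checks that both peers hold the same 20-byte key and renders one random key as hex for each side. The function names are hypothetical, the Junos `hexadecimal` keyword follows David's suggestion, and it assumes an ascii-text key is used byte-for-byte.

```python
import hmac
import re
import secrets

KEY_BYTES = 20  # HMAC-SHA1 key: "20 bytes" on the SRX, "40 chars" of hex on the Cisco


def key_bytes(value: str, encoding: str) -> bytes:
    """Decode a configured key ('ascii' or 'hex') and enforce the 20-byte size."""
    if encoding == "ascii":
        # Assumption: an ascii-text key is used byte-for-byte as the HMAC key.
        raw = value.encode("ascii")
    elif encoding == "hex":
        if not re.fullmatch(r"[0-9A-Fa-f]*", value) or len(value) % 2:
            raise ValueError("hex key must be an even number of hex digits")
        raw = bytes.fromhex(value)
    else:
        raise ValueError(f"unknown encoding {encoding!r}")
    if len(raw) != KEY_BYTES:
        raise ValueError(f"key is {len(raw)} bytes, both peers need {KEY_BYTES}")
    return raw


def peers_match(junos_value: str, junos_encoding: str, cisco_hex: str) -> bool:
    """True when the SRX key and the Cisco hex string are the same 20 bytes."""
    return hmac.compare_digest(key_bytes(junos_value, junos_encoding),
                               key_bytes(cisco_hex, "hex"))


def render(raw: bytes) -> dict:
    """Render one key as hex for both peers (SPI 256 and sha1 as in the thread)."""
    if len(raw) != KEY_BYTES:
        raise ValueError(f"key is {len(raw)} bytes, need {KEY_BYTES}")
    hex_key = raw.hex()
    return {
        "junos": f"key hexadecimal {hex_key};",
        "ios": f"ipv6 ospf authentication ipsec spi 256 sha1 0 {hex_key}",
    }


def new_key() -> bytes:
    """Random 20-byte key, stronger than a typed 20-character passphrase."""
    return secrets.token_bytes(KEY_BYTES)


if __name__ == "__main__":
    for line in render(new_key()).values():
        print(line)
```
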



OSPFv3 with IPSec between Cisco and Juniper gears

2016-11-10 Thread Philippe Bonvin via NANOG
Hello folks,


Quick question about incompatibility between Cisco and Juniper gears.


Without IPSec, OSPFv3 is working as expected.

I'm trying to configure IPSec authentication of OSPFv3 between a Juniper SRX 
and a Cisco router but it seems that they didn't agree to a common key length.


Can you confirm that this is a well-known problem or give me the right 
configuration that I should use?


The error message on the juniper:

[edit security ipsec security-association ospfv3 manual direction bidirectional 
authentication key ascii-text]
  'ascii-text "..."'
Authentication key size must be 20 bytes

On the cisco side:

cisco(config-if)#ipv6 ospf authentication ipsec spi 256 sha1 0 ?
  Hex-string  SHA-1 key (40 chars)?



Here is an output of the config I'm using on the SRX side:



ipsec {
    security-association ospfv3 {
        mode transport;
        manual {
            direction bidirectional {
                protocol ah;
                spi 256;
                authentication {
                    algorithm hmac-sha1-96;
                    key ascii-text "..."; ## SECRET-DATA
                }
            }
        }
    }
}

interface ge-0/0/0.0 {
    ipsec-sa ospfv3;
}


Thanks for your help,
Philippe


[EDSI-Tech Sarl]
Philippe Bonvin, Directeur
EDSI-Tech Sàrl
EPFL Innovation Park, Batiment C, 1015 Lausanne, Suisse | Téléphone: +41 (0) 21 
566 14 15, ext. 99
Savoie Technolac, 17 Avenue du Lac Léman, 73375 Le Bourget-du-Lac, France | 
Téléphone: +33 (0)4 86 15 44 78, ext. 99



Looking for VPS providers with BGP session

2015-12-07 Thread Philippe Bonvin via NANOG
Hello,


I'm looking for providers around the world who are able to provide VPS with a 
BGP session but it seems to be rather difficult to find. I have already found a 
few with WHT/bgp.he.net/google but a little help would be appreciated.


Does anyone have contacts or know people who can offer such services?

If yes, please contact me off list.


Our budget is quite low: around 50$/month/node +/- 50$ depending on the transit 
providers for a server with 1-2 CPU cores, 20 GB SSD or SAS and 1-2 GB RAM.


I'll be happy to share the provider list we use with anyone who needs it.


Thanks for your help,

Philippe

[EDSI-Tech Sarl]
Philippe Bonvin, Directeur
EDSI-Tech Sàrl
EPFL Innovation Park, Batiment C, 1015 Lausanne, Suisse | Téléphone: +41 (0) 21 
566 14 15
Savoie Technolac, 17 Avenue du Lac Léman, 73375 Le Bourget-du-Lac, France | 
Téléphone: +33 (0)4 86 15 44 78