Re: [Update] Re: New ISP to market, BCP 38, and new tactics
On Wednesday 04 February 2009 09:51:16 am Nathan Ward wrote:

> You get the same with OSPF - you run OSPFv2 and OSPFv3 in parallel.

Suffice it to say that some vendors are already implementing 'draft-ietf-ospf-af-alt-06.txt', which allows OSPFv3 to handle multiple address families, including IPv4. But this still runs over an IPv6 link.

I'd still recommend running IPv4 and IPv6 IGPs separately, unless the IGP integrates both protocols, as in the case of IS-IS.

Cheers,
Mark.
Re: [Update] Re: New ISP to market, BCP 38, and new tactics
On Wednesday 04 February 2009 10:10:02 am Steve Bertrand wrote:

> I'm not ready for MPLS (but I am interested in the theory of its purpose), so when I'm done what I'm doing now, I'll look at it.

Well, having a v6 core will prevent you from running MPLS, as a v6 control plane for MPLS is not yet implemented by the vendors today. A draft for this is already out, though - 'draft-manral-mpls-ldp-ipv6-02'.

Cheers,
Mark.
Re: [Update] Re: New ISP to market, BCP 38, and new tactics
On Feb 4, 2009, at 2:52 AM, Steve Bertrand wrote:

> http://tools.ietf.org/html/draft-kumari-blackhole-urpf-02

If I understand this correctly, there will be a route entered on each edge router for all sources that are participating in a DDoS attack. Is anyone worried about TCAM usage if one of their customers gets hit with a larger DDoS attack? Add in our IPv6 and v4 multicast tables chewing up more TCAM space and things get even more dicey!

For my part, I'd be worried if the overall IPv4 unicast route table got much larger than ~1 million entries because our hardware-based routers might run out of TCAM and bring the whole network to a screeching halt.
Re: [Update] Re: New ISP to market, BCP 38, and new tactics
On 7/02/2009, at 5:20 AM, Brad Fleming wrote:

> On Feb 4, 2009, at 2:52 AM, Steve Bertrand wrote:
>
>> http://tools.ietf.org/html/draft-kumari-blackhole-urpf-02
>
> If I understand this correctly, there will be a route entered on each edge router for all sources that are participating in a DDoS attack. Is anyone worried about TCAM usage if one of their customers gets hit with a larger DDoS attack? Add in our IPv6 and v4 multicast tables chewing up more TCAM space and things get even more dicey!
>
> For my part, I'd be worried if the overall IPv4 unicast route table got much larger than ~1 million entries because our hardware-based routers might run out of TCAM and bring the whole network to a screeching halt.

Or more than 256k routes on a SUP2, or 192k/239K routes on a SUP720.

We are at 285798 as of last CIDR report.

So, I guess you should be worried.. now :-)

--
Nathan Ward
Re: [Update] Re: New ISP to market, BCP 38, and new tactics
Steve Bertrand wrote:

> This entire discussion went off topic, in regards to bcp and filtering.
>
> Off-list, I had someone point out:
>
> http://tools.ietf.org/html/draft-kumari-blackhole-urpf-02
>
> ...which is EXACTLY in line with what my end goal was originally, and by reading it, I feel as if I was getting there free-hand. This document helps standardize things a bit, ..

This technique, and a whole lot more, may also be found in book form:

Router Security Strategies: Securing IP Network Traffic Planes
by Gregg Schudel and David J. Smith
Cisco Press, December 2007
ISBN 978-1-58705-336-8 (paperback)

Don't expect to get through it in one sitting; it's ~600+ pages ;-)

Michael
Re: [Update] Re: New ISP to market, BCP 38, and new tactics
On Tue, Feb 3, 2009 at 5:43 PM, Steve Bertrand st...@ibctech.ca wrote:

> What I was hoping for (even though I'm testing something that I know won't work) is that I can break something so I could push v4 traffic over a v6-only core. Is there _any_ way to do this (other than NAT/tunnel etc)?

If you can push v4 over it (other than through a NAT/tunnel/etc.), then it's not a v6-only core :-)

The real question is whether you're going to route natively in v4, or do a v4-in-v6 tunnel of some sort, or a v4-in-Layer2-in-v6 tunnel of some sort, or do NAT, or use MPLS as a Layer 2ish core. If you're doing MPLS, you'll need to figure out if you can run _it_ with purely v6 gear supporting it, or whether you'll need to run v4 to make all of your MPLS vendors happy, but that doesn't need to be publicly routable v4 carrying the entire Internet's routing tables on it; you can leave the Internet inside a large MPLS VPN if you want.

--
Thanks; Bill

Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
[Update] Re: New ISP to market, BCP 38, and new tactics
For all the kind folk who have been asking how my project is going, I'll summarize here.

- I've enabled strict uRPF filtering on all interfaces where I am certain what the source will be.

- I've implemented a mix of loose uRPF combined with ACLs on interfaces that I know have multi-homed clients.

- On all interfaces that run the risk of blocking traffic by accident, I've implemented strict inbound ACLs for known-bad (combined always with Team Cymru BGP-learnt bogons), and with logging counter ACLs for all other traffic. After a couple more days, I should be able to focus more strictly on these interfaces.

- I've made significant changes to my 'core', moving from static routes to an iBGP mesh over OSPF-learnt loopbacks. This will allow me to implement a couple of host-based routing daemon boxes for the easy insertion of sinkhole routes in the event of significantly bad behaviour. With my scripting knowledge, preparing a recommended sinkhole route for insertion, ready for admin approval, will be easy, and so will having the route removed automatically (or manually) if the attack has ceased. I like the idea of traffic flowing to a host-based machine to null as opposed to null'ing it on the router, as (from what I can tell) it will make it easier to track the flow of the problem ingress and egress.

- Currently (as I write), I'm migrating my entire core from IPv4 to IPv6. I've got the space, and I love to learn, so I'm just lab-ing it up now to see how things will flow with all iBGP v4 routes being advertised/routed over v6. The division of the v6 space still overwhelms me, so I guess I'll do what someone else stated in another thread if I mess this one up: go to ARIN for another 1000 /32's :) (no, I'll learn from my mistake, and be ready for the next one)

Cheers, and thanks!

Steve
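The scripted step Steve describes above (a recommended sinkhole route prepared for admin approval, withdrawn again once the attack stops), combined with the TCAM worry from Brad's and Nathan's replies, as an added Python example that is not from anyone in the thread. The flow records, the packet threshold, the entry budget and the discard next-hop 192.0.2.1 are all constructed assumptions; the collapse-to-/24 step is one way to stay inside a route-entry budget and is not something the thread prescribes.

```python
import ipaddress
from collections import Counter

# Constructed flow sample as (source, destination, packets): 192.0.2.10 is the
# victim, 198.51.100.5-7 and 203.0.113.9 flood it, 203.0.113.44 is a normal client.
FLOWS = [
    ("198.51.100.5", "192.0.2.10", 90000),
    ("198.51.100.6", "192.0.2.10", 85000),
    ("198.51.100.7", "192.0.2.10", 80000),
    ("203.0.113.9", "192.0.2.10", 70000),
    ("203.0.113.44", "192.0.2.10", 120),
    ("198.51.100.5", "192.0.2.11", 50),
]
PKT_THRESHOLD = 10000           # assumption: packets per interval that mark a source abusive
ENTRY_BUDGET = 2                # assumption: blackhole entries we allow in the edge FIB/TCAM
DISCARD_NEXT_HOP = "192.0.2.1"  # assumption: address every edge statically routes to Null0

def abusive_sources(flows, victim, threshold=PKT_THRESHOLD):
    """Sum packets per source toward the victim; keep the sources over threshold."""
    counts = Counter()
    for src, dst, pkts in flows:
        if dst == victim:
            counts[ipaddress.ip_network(src)] += pkts
    return {s: n for s, n in counts.items() if n >= threshold}

def fit_budget(sources, budget=ENTRY_BUDGET):
    """Collapse /32s into their /24, biggest group first, until the entry count fits.
    Coarser prefixes save TCAM but drop bystanders, hence the admin-approval step."""
    entries = set(sources)
    while len(entries) > budget:
        hosts = sorted(e for e in entries if e.prefixlen == 32)
        if not hosts:  # everything is already a /24: stop rather than go coarser
            break
        groups = Counter(h.supernet(new_prefix=24) for h in hosts)
        net = max(groups, key=groups.get)
        entries = {e for e in entries if not e.subnet_of(net)} | {net}
    return sorted(entries)

def reconcile(installed, wanted):
    """Diff injected routes against the recommendation: stale entries get withdrawn."""
    installed, wanted = {ipaddress.ip_network(p) for p in installed}, set(wanted)
    return {"announce": sorted(wanted - installed), "withdraw": sorted(installed - wanted)}

def recommend(flows, victim, installed=(), budget=ENTRY_BUDGET):
    wanted = fit_budget(abusive_sources(flows, victim), budget)
    plan = reconcile(installed, wanted)
    plan["next_hop"] = DISCARD_NEXT_HOP
    plan["within_budget"] = len(wanted) <= budget
    return plan
```

Calling `recommend(FLOWS, "192.0.2.10", installed=["203.0.113.200/32"])` yields an announce list of 198.51.100.0/24 and 203.0.113.9/32 and a withdraw list containing the stale 203.0.113.200/32; with `budget=1` the plan is flagged as not fitting, which is the point where an operator rather than the script decides.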
Re: [Update] Re: New ISP to market, BCP 38, and new tactics
On 4/02/2009, at 2:33 PM, Steve Bertrand wrote:

> - Currently, (as I write), I'm migrating my entire core from IPv4 to IPv6. I've got the space, and I love to learn, so I'm just lab-ing it up now to see how things will flow with all iBGP v4 routes being advertised/routed over v6.

Don't advertise v4 prefixes in v6 sessions, keep them separate. If you do, you have to do set next-hops with route maps and things, it's kind of nasty.

Better to just run a v4 BGP mesh and a v6 BGP mesh.

--
Nathan Ward
Re: [Update] Re: New ISP to market, BCP 38, and new tactics
Nathan Ward wrote:

> On 4/02/2009, at 2:33 PM, Steve Bertrand wrote:
>
>> - Currently, (as I write), I'm migrating my entire core from IPv4 to IPv6. I've got the space, and I love to learn, so I'm just lab-ing it up now to see how things will flow with all iBGP v4 routes being advertised/routed over v6.
>
> Don't advertise v4 prefixes in v6 sessions, keep them separate. If you do, you have to do set next-hops with route maps and things, it's kind of nasty.
>
> Better to just run a v4 BGP mesh and a v6 BGP mesh.

Ok. I've been having problems with this.

What I was hoping for (even though I'm testing something that I know won't work) is that I can break something so I could push v4 traffic over a v6-only core. Is there _any_ way to do this (other than NAT/tunnel etc)?

Steve
RE: [Update] Re: New ISP to market, BCP 38, and new tactics
Agreed. Keeping it separate works very well. Can be the same interface sure... but do it as a separate session.

...Skeeve

-Original Message-
From: Nathan Ward [mailto:na...@daork.net]
Sent: Wednesday, 4 February 2009 12:40 PM
To: nanog list
Subject: Re: [Update] Re: New ISP to market, BCP 38, and new tactics

On 4/02/2009, at 2:33 PM, Steve Bertrand wrote:

> - Currently, (as I write), I'm migrating my entire core from IPv4 to IPv6. I've got the space, and I love to learn, so I'm just lab-ing it up now to see how things will flow with all iBGP v4 routes being advertised/routed over v6.

Don't advertise v4 prefixes in v6 sessions, keep them separate. If you do, you have to do set next-hops with route maps and things, it's kind of nasty.

Better to just run a v4 BGP mesh and a v6 BGP mesh.

--
Nathan Ward
Re: [Update] Re: New ISP to market, BCP 38, and new tactics
On 4/02/2009, at 2:43 PM, Steve Bertrand wrote:

> Nathan Ward wrote:
>
>> On 4/02/2009, at 2:33 PM, Steve Bertrand wrote:
>>
>>> - Currently, (as I write), I'm migrating my entire core from IPv4 to IPv6. I've got the space, and I love to learn, so I'm just lab-ing it up now to see how things will flow with all iBGP v4 routes being advertised/routed over v6.
>>
>> Don't advertise v4 prefixes in v6 sessions, keep them separate. If you do, you have to do set next-hops with route maps and things, it's kind of nasty.
>>
>> Better to just run a v4 BGP mesh and a v6 BGP mesh.
>
> Ok. I've been having problems with this.
>
> What I was hoping for (even though I'm testing something that I know won't work) is that I can break something so I could push v4 traffic over a v6-only core. Is there _any_ way to do this (other than NAT/tunnel etc)?

MPLS - The MP is for Multi Protocol!

Otherwise, no, you don't get to use IPv6 addresses as next hops for IPv4 routes, which I think is what you're asking to do.

Run IPv4 and IPv6 in parallel, iBGP for v4, iBGP for v6. Same for eBGP to peers/customers. Running v4 and v6 in one BGP session is weird and is asking for confusion, IMHO.

You get the same with OSPF - you run OSPFv2 and OSPFv3 in parallel.

--
Nathan Ward
Re: [Update] Re: New ISP to market, BCP 38, and new tactics
Skeeve Stevens wrote:

> Agreed. Keeping it separate works very well. Can be the same interface sure... but do it as a separate session.

Yeah, that's what I thought, and that is exactly what I've been doing thus far. I was hoping to have a v6-only core, but in order to get the current project done, I'll have to stay with your (and Nathan's) recommendation.

I'm not ready for MPLS (but I am interested in the theory of its purpose), so when I'm done what I'm doing now, I'll look at it. At that time, if implemented, I'll be the most complex, smallest ISP in Canada ;)

This has been an awesome journey, and I've learnt an immense amount via all of the recommendations, reading and exercising.

Thanks guys,

Steve