Re: Gi Firewall for mobile subscribers

2019-04-10 Thread Mikael Abrahamsson
On Wed, 10 Apr 2019, Jan Chrillesen wrote: Also keep in mind that most GGSN/PGW will assign a /64 (and not a /128) All 3GPP devices assign /64 per bearer because that's what's in the 3GPP spec. I've been told 3GPP went to IETF and asked what to do, IETF said "assign /64 per device" and

Re: Facebook (account)

2019-04-10 Thread Constantine A. Murenin
#DeleteFacebook. On Tue, 9 Apr 2019 at 21:18, J. Hellenthal via NANOG wrote: > Delete fB account ... > > -- > J. Hellenthal > > The fact that there's a highway to Hell but only a stairway to Heaven says > a lot about anticipated traffic volume. > > > On Apr 9, 2019, at 21:05, Nathan Anderson

RE: Facebook (account)

2019-04-10 Thread Nathan Anderson
Matt Harris wrote: > On Apr 9, 2019, at 21:05, Nathan Anderson wrote: > > > a FB page that this account of hers was apparently the only admin for. > > Redundancy: it's not just a concept to be applied to devices and wiring. Preaching. To. The. Choir. :-) -- Nathan Anderson First Step

Re: residential/smb internet access in 2019 - help?

2019-04-10 Thread Fletcher Kittredge
I believe there is no Federal requirement that there be a Provider of Last Resort (POLR). State law might require it, but in at least some states it is possible to have areas without a POLR. At the national level the regulatory theory is that when there is sufficient competition in a market,

Re: Gi Firewall for mobile subscribers

2019-04-10 Thread Jan Chrillesen
On Tue, 09 Apr 2019, Amos Rosenboim wrote: > On the other hand, allowing only subscriber initiated traffic is mostly > achievable using ACLs on the mobile core facing routers, or is it with the > growing percentage of UDP traffic ? > > BTW – I don’t mention IPv4 traffic on the mobile

Re: Gi Firewall for mobile subscribers

2019-04-10 Thread Ross Tajvar
I agree with Owen that an always-on firewall which blocks all inbound traffic would be very frustrating to some users. I do understand your need as a provider to prevent expensive signaling operations. I think the suggestion of a toggle in a web portal to disable the firewall is a good compromise.

Re: residential/smb internet access in 2019 - help?

2019-04-10 Thread Brandon Martin
On 4/10/19 1:55 PM, Jeff Shultz wrote: It seems like _someone_ has to be the CLEC and "Carrier of Last Resort" for the area. Not that that means you are going to get the service you want. Where I live, you can get AT&T POTS from the ILEC of record. Sometimes it even works...when their cross

Re: Gi Firewall for mobile subscribers

2019-04-10 Thread Amos Rosenboim
Owen, Let me clarify a few points: 1. I am in favor of end to end connectivity and IPv6 can help restore this. 2. In the fixed broadband portion of the network this is the case. IPv6 is routed to the subscriber CPE. Firewall on the CPE is turned on by default, but can be turned off by the user.

Re: Gi Firewall for mobile subscribers

2019-04-10 Thread Owen DeLong
> We have an ongoing discussion about Gi firewall (adding a firewall between > the subscribers and the internet, allowing only subscriber initiated > connections), for the IPv6 traffic. > > > > The firewall is doing very little security, the ruleset is very basic, > allowing anything from

RE: Facebook (account)

2019-04-10 Thread Keith Medcalf
It would depend on whether FB is being paid to provide a service or not. However, if "your friend" is not paying FB to provide a service to them then there is really nought that you can do about it. Otherwise, the course of action to be taken will be specified in the contract which was

Re: residential/smb internet access in 2019 - help?

2019-04-10 Thread Jeff Shultz
On Tue, Mar 26, 2019 at 7:43 PM david raistrick wrote: > > folks, > > I've been away from nanog for a long time - and away from the ISP world for > longer. > > Looking at a house in a new area, at copper splice box out front, bellsouth > fiber markers as well (yes, that's usually just passing

Re: SNMP via proxy

2019-04-10 Thread Brant Ian Stevens
This might be what you're looking for... http://www.net-snmp.org/wiki/index.php/Snmpd_proxy -- Regards, Brant Ian Stevens bra...@branto.com Jared Mauch wrote on 4/10/19 12:50 PM: This is one of (many) reasons why a number of people

Re: SNMP via proxy

2019-04-10 Thread Jared Mauch
This is one of (many) reasons why a number of people have been converting to a streaming telemetry model of getting data out of devices. You can send it to a relay host and visualize in your favorite magic (eg: grafana w/ influx or some other storage). - Jared > On Apr 10, 2019, at 10:15 AM,

Re: SNMP via proxy

2019-04-10 Thread Dave Phelps
Some devices only accept IP addresses as destinations, or resolve a FQDN to an IP and that goes in the config. I add secondary IPs to servers for these functions. Then I can simply move the IP to a new host whenever the role moves. On Wed, Apr 10, 2019 at 9:13 AM Dovid Bender wrote: > Hi, > >

Re: Gi Firewall for mobile subscribers

2019-04-10 Thread Dovid Bender
I don't have v6 stats yet but it would be interesting to see. I did a tcpdump on one v6 IP and saw hundreds of requests to port 25. On Wed, Apr 10, 2019 at 10:43 AM Ca By wrote: > > > On Wed, Apr 10, 2019 at 7:06 AM Dovid Bender wrote: > >> I think the traffic Amos is referring to is random

Re: Gi Firewall for mobile subscribers

2019-04-10 Thread Ca By
On Wed, Apr 10, 2019 at 7:06 AM Dovid Bender wrote: > I think the traffic Amos is referring to is random traffic hitting the > devices causing them to "wake up". Everyone here knows a simple dump on > port 22 will show traffic. We have a /22 that gets an avg of 1-2 mbit of > random traffic

RE: SNMP via proxy

2019-04-10 Thread Phil Lavin
> Going forward I was thinking of setting up a few hosts whose job would be to > simply relay SNMP traffic. This way moving forward we could hard code several > IP's and bounce all traffic through one of these IP's. You can Source NAT your monitoring servers through a single IP/pool of IPs on a

Re: SNMP via proxy

2019-04-10 Thread Forrest Christian (List Account)
Cacti and Nagios generally poll via SNMP. This means the traffic is generally NAT'able. If I really needed multiple polling SNMP servers at the same address, I'd just throw them behind some sort of NAT device. On Wed, Apr 10, 2019 at 8:13 AM Dovid Bender wrote: > > Hi, > > A bit off topic.

SNMP via proxy

2019-04-10 Thread Dovid Bender
Hi, A bit off topic. One of my early mistakes in my 9-5 was hard coding the IP's of our SNMP box in all of our gear (networking equipment, Servers etc.). The box is at its limit and increasing its capacity will be nearly impossible. We mainly use Nagios and Cacti to monitor our network. Going

Re: Gi Firewall for mobile subscribers

2019-04-10 Thread Dovid Bender
I think the traffic Amos is referring to is random traffic hitting the devices causing them to "wake up". Everyone here knows a simple dump on port 22 will show traffic. We have a /22 that gets an avg of 1-2 mbit of random traffic (mainly 22 and 3389). On Wed, Apr 10, 2019 at 9:49 AM Ca By

Re: Gi Firewall for mobile subscribers

2019-04-10 Thread Ca By
On Wed, Apr 10, 2019 at 6:23 AM Amos Rosenboim wrote: > Hello NANOG, > > > > We are discussing internally and wanted to get more opinions and > especially more data on what are people actually doing. > > We are running an ISP network with about 150K fixed broadband users, > running dual stack

Gi Firewall for mobile subscribers

2019-04-10 Thread Amos Rosenboim
Hello NANOG, We are discussing internally and wanted to get more opinions and especially more data on what are people actually doing. We are running an ISP network with about 150K fixed broadband users, running dual stack (IPv4 behind CGNAT). On the ISP network IPv6 is simply routed, and is