Re: TLD .so Partial Outage?

2021-05-16 Thread sthaug
> I'm observing a near global outage of DNS services from d.nic.so. This > appears to be an AfriNIC anycast DNS service. From my vantage point in Oslo, Norway, d.nic.so works just fine using IPv6 but not IPv4. Steinar Haug, Nethelp consulting, sth...@nethelp.no

Re: ICMPv6 "too-big" packets ignored (filtered ?) by Cloudflare farms

2019-03-05 Thread sthaug
> Out of curiosity, which operating systems put anything useful (for use > in ECMP) into the flow label of IPv6 packets? At the moment, I only > have access to CentOS 6 and CentOS 7 machines, and both of them set the > flow label to zero for all traffic. FreeBSD 11.2-STABLE. Steinar Haug,

Re: AS205869, AS57166: Featured Hijacker of the Month, July, 2018

2018-07-24 Thread sthaug
>> Dead for me via: >> HE >> NTT >> COX > > Likewise here, via a bunch of other transits. I saw them from HE this morning > but they appear to have been withdrawn now. Also gone from HE from my vantage point in Oslo, Norway. Steinar Haug, Nethelp consulting, sth...@nethelp.no

Re: AS205869, AS57166: Featured Hijacker of the Month, July, 2018

2018-07-24 Thread sthaug
> I'd greatly appreciate it if readers of this post would help me to confirm > that the non-routing of the above block is both universal and complete... > as it is, at least, from where I am sitting... but at this point I have > nothing and nobody to rail against. (Or so I thought! But while

Re: Yet another Quadruple DNS?

2018-04-03 Thread sthaug
> > This also ignores the shift if every house in the world did its own > > recursion. TLD servers and auth servers all over the world would > > have to massively up their capacity to cope. > > With my TLD operator hat, I tend to say it is not a problem, we > already have a lot of extra capacity,

Re: IPv6 Unique Local Addresses

2018-03-02 Thread sthaug
> > ULA at inside and 1:1 to operator address in the edge is what I've > > been recommending to my enterprise customers since we started to offer > > IPv6 commercially. Fits their existing processes and protects me from > > creating tainted unusable addresses. > > Oh, please. NAT all over again?

Re: Waste will kill ipv6 too

2017-12-29 Thread sthaug
> > My wild guess is if we'd just waited a little bit longer to formalize > > IPng we'd've more seriously considered variable length addressing with > > a byte indicating how many octets in the address even if only 2 > > lengths were immediately implemented (4 and 16.) > > Actually, that got

Re: ccTLDs - Become a Registrar

2017-12-01 Thread sthaug
> > I am hoping to find what other TLD operators may have similar requirements. > > > > .br also has such requirements. OpenSRS reference chart has a good hint of > which ccTLDs have such requirements: > http://bit.ly/OpenSRS_TLD_Reference_Chart It might be advisable to verify the data. For

Re: Long BGP AS paths

2017-10-01 Thread sthaug
> Could you list which prefix(es) you saw were being announced with these > long AS paths? 186.177.184.0/23 - still being announced with 533 occurrences of 262197 in the AS path. Steinar Haug, Nethelp consulting, sth...@nethelp.no

Re: AS PATH limits

2017-09-30 Thread sthaug
> If you're on cogent, since 22:30 UTC yesterday or so this has been happening > (or happened). Still happening here. I count 562 prepends (563 * 262197) in the advertisement we receive from Cogent. I see no good reason why we should accept that many prepends. Steinar Haug, Nethelp consulting,

Re: IPv6 migration steps for mid-scale isp

2017-09-16 Thread sthaug
> Thank you all for your Ideas. AFAIK one of the main decisions for IPv6 > transition and deployment is the choice of IPv6 IGP. I read somewhere > that it's a good practice to use different IGP protocol for IPv6 and > IPv4. For example if IGP for IPv4 is IS-IS then use OSPFv3 for IPv6. > any

Re: IPv6 Loopback/Point-to-Point address allocation

2017-09-10 Thread sthaug
> > Null-routing may not be sufficient, if the edge/border router has a > > route to that /128; the (forwardable) /128 entry will win from the > > blackholed /64 FIB entry since it is more-specific. > > just thought about it a bit. > As mentioned (in other post) I was thinking of a specific use

Re: Long AS Path

2017-06-21 Thread sthaug
> > I see no valid reason for such long AS paths. Time to update filters > > here. I'm tempted to set the cutoff at 30 - can anybody see a good > > reason to permit longer AS paths? > > Well, as I mentioned in my Net Neutrality filing to the FCC, a TTL of 30 > is OK for intra-planet routing, but

Re: Long AS Path

2017-06-21 Thread sthaug
> Just wondering if anyone else saw this yesterday afternoon ? > > Jun 20 16:57:29:E:BGP: From Peer 38.X.X.X received Long AS_PATH= AS_SEQ(2) 174 12956 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456
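The long-AS_PATH messages in this listing (the run of 23456 in the log line quoted here, the 533 occurrences of 262197 counted in "Long BGP AS paths", and the 30-hop cutoff floated in "Long AS Path") all come down to one check: how long is the path, and how many times in a row does one ASN appear. The Python below is an added example, not code from the list or from any router vendor. The two sample paths are constructed from the figures quoted in those messages; the prepend limit of 10 is an assumed local policy value, and the 23456 note relies on RFC 6793 (AS_TRANS).

```python
"""AS_PATH sanity checks: total length and longest consecutive prepend run.

Added example for the long-AS_PATH messages in this archive; not code from
the list. The two sample paths are constructed from the figures quoted there.
"""

AS_TRANS = 23456  # RFC 6793: stand-in that a 2-byte-only BGP speaker writes for 4-byte ASNs

# 174 12956 followed by 22 copies of 23456, as in the quoted router log line
PATH_AS_TRANS = [174, 12956] + [AS_TRANS] * 22
# 533 occurrences of 262197, as counted in the "Long BGP AS paths" message
PATH_PREPEND_533 = [174] + [262197] * 533


def parse_as_path(text):
    """Parse a space-separated AS_SEQUENCE such as '174 12956 23456' into ints."""
    return [int(tok) for tok in text.split()]


def longest_prepend_run(path):
    """Return (asn, run) for the longest consecutive repetition of one ASN.

    Returns (None, 0) for an empty path. Only consecutive repeats count: the
    same ASN appearing twice with something in between is a loop, not a prepend.
    """
    best_asn, best_run = None, 0
    i = 0
    while i < len(path):
        j = i
        while j < len(path) and path[j] == path[i]:
            j += 1
        if j - i > best_run:
            best_asn, best_run = path[i], j - i
        i = j
    return best_asn, best_run


def has_as_trans(path):
    """True if AS_TRANS appears; the real 4-byte ASNs are then carried in AS4_PATH."""
    return AS_TRANS in path


def check_as_path(path, max_len=30, max_prepends=10):
    """Evaluate an AS_PATH against a total-length cutoff and a per-ASN prepend cutoff.

    Returns (accept, reasons). Both limits are policy knobs: max_len=30 is the
    cutoff floated in the "Long AS Path" thread, max_prepends=10 is an assumed
    local value. Either check alone rejects the 533-prepend path.
    """
    reasons = []
    if len(path) > max_len:
        reasons.append(f"length {len(path)} exceeds {max_len}")
    asn, run = longest_prepend_run(path)
    if run > max_prepends:
        reasons.append(f"AS{asn} prepended {run} times, limit {max_prepends}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name, path in (("AS_TRANS run", PATH_AS_TRANS), ("533 prepends", PATH_PREPEND_533)):
        accept, reasons = check_as_path(path)
        print(f"{name}: {'accept' if accept else 'reject'} {reasons}")
```

Counting consecutive repeats rather than total length is what separates a prepend storm from a genuinely long path; a total-length limit alone lets a path of 29 different ASNs through while a per-ASN limit catches a single peer prepending itself 20 times.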

Re: [SPAM] Re: OSPF vs ISIS - Which do you prefer & why?

2016-11-10 Thread sthaug
> > I think people were looking for specifics about the implementation > > deficits in the junos version which caused enough problems to justify > > the term "not getting it"? > > The only IS-IS implementation we struggle with is Quagga. > > For that, we run OSPFv2 and OSPFv3 on Quagga and

Re: OSPF vs ISIS - Which do you prefer & why?

2016-11-10 Thread sthaug
> Cisco is the only "real" IS-IS vendor. > > Juniper, Brocade, Arista, Avaya, etc you're not getting it. Any of the > whitebox hardware or real SDN capable solutions, you're going to be on OSPF. Maybe you need to tell us what the other companies aren't getting? We're using IS-IS on (mostly)

Re: OSPF vs ISIS - Which do you prefer & why?

2016-11-10 Thread sthaug
> I think you misunderstood his point: it's not the knobs, but the > vendors. Generally, when you're trying to integrate random crap into an > otherwise well-structured network, you'll find OSPF available, but very > rarely IS-IS. We never really want to talk IS-IS with random crap - in that

Re: Death of the Internet, Film at 11

2016-10-23 Thread sthaug
From Dyn's statement, http://hub.dyn.com/static/hub.dyn.com/dyn-blog/dyn-statement-on-10-21-2016-ddos-attack.html we have "After restoring service, Dyn experienced a second wave of attacks just before noon ET. This second wave was more global in nature (i.e. not limited to our East Coast

Re: Cost-effectivenesss of highly-accurate clocks for NTP

2016-05-16 Thread sthaug
> I was just thinking about this WAN jitter issue myself. I'm wondering how many > folks put NTP traffic in priority queues? At least for devices in your > managed IP ranges. Seems like that would improve jitter. Would like to > hear about others doing this successfully prior to suggesting it for

Re: sFlow vs netFlow/IPFIX

2016-02-29 Thread sthaug
> > That's interesting, given that most larger routers don't support 1:1. > > I find that strange, because if you're doing it in HW, doing hash > lookup for flow and adding packets and bytes to the counter is cheap. > It's expensive having lot of those flows, but incrementing their > packet and

Re: IX ARP Timeout

2016-01-27 Thread sthaug
> So I'm looking at the policies, recommended configurations, etc. of other > IXes. We try to model a lot of ourselves on what the Europeans do (even if we > come up short in some areas). I was reading through the AMS-IX guide.

Re: DHCPv6 PD & Routing Questions

2015-11-26 Thread sthaug
> > The DHCP relay could also have injected routes but that is a second > > class solution. > > DHCP relays *are* second class solutions :) Unfortunately they cannot > always be avoided in the semi-L2-environments like ISP access networks > often are. Each to his own, I guess. Some of us are

Re: IGP choice

2015-10-22 Thread sthaug
> > The differences between the two protocols are so small, that people > > really grasp at straws when 'proving' that one is better over the > > other. 'IS-IS doesn't work over IP, so its more secure'. 'IS-IS uses > > TLVs so new features are quicker to implement'. While these may be > > vaguely

Re: /27 the new /24

2015-10-04 Thread sthaug
> Keep in mind that IPv6 has IPSec VPN built into the protocol. It doesn't need > to be in the router. > > Unlike IPv4, where the IPSec VPN protocol is an add-on, optional service, > with IPv6 it's built into every device, because IPsec is a mandatory > component for IPv6, and therefore, the

Re: PMTUD for IPv4 Multicast - How?

2015-08-31 Thread sthaug
> > > At first, I thought this was a bug, but then learned that RFCs 1112, 1122 > > > and 1812 all specify that ICMP unreachables not be sent in response to > > > multicast packets. > > > > > I'm struggling to grok the rationale behind not sending unreachables in > > > response to multicast

Re: Current state / use of OSPF-TE

2015-04-29 Thread sthaug
What is the current state/use of OSPF-TE? Something you don't hear about much, for sure. Is this something that wasn't designed well, supported well, or was it just superseded by label based switching by the vast Telco market? I assume you mean RFC 3630 Traffic Engineering (TE) Extensions

Re: BGP Security Research Question

2014-11-04 Thread sthaug
In real life people use - bgp ttl security, md5 passwords, control plane protection of 179 port, inbound/outbound routes filters. So far this has been enough. These mechanisms do little or nothing to protect against unauthorized origination of routing information. There are plenty of examples

Re: BGP Security Research Question

2014-11-04 Thread sthaug
Let me disagree - Pakistan Youtube was possible only because their uplink provider did NOT implement inbound route filters. As always the weakest link is human factor - and no super-duper newest technology is ever to help here. Agreed, the uplink absolutely should have implemented prefix
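The two "BGP Security Research Question" messages above make the point that TTL security, MD5 and control-plane policing protect the session, not the content: only a check on who may originate which prefix stops an unauthorised origination. Route Origin Validation (RFC 6811) is the data-driven form of the inbound prefix filter the second message calls for. The Python below is an added example, not code from the list or from any RPKI software; the ROAs and announcements are constructed from documentation prefixes (RFC 5737, RFC 3849) and documentation ASNs (RFC 5398).

```python
"""Route Origin Validation (RFC 6811) against a set of ROAs.

Added example for the BGP-security messages above, not code from the list.
The ROAs and announcements are constructed from documentation prefixes and ASNs.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "192.0.2.0/24"
    max_length: int   # longest prefix the origin may announce under this ROA
    asn: int          # authorised origin; 0 means "nobody may originate this" (RFC 6483)


# Constructed ROA set, as a relying-party cache would hand it to the router
ROAS = (
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/24", 26, 64497),
    ROA("2001:db8:1::/48", 48, 64496),
    ROA("203.0.113.0/24", 24, 0),      # AS0 ROA: the holder does not want this routed at all
)


def _parse(prefix):
    return ipaddress.ip_network(prefix, strict=True)


def rov_state(announced_prefix, origin_asn, roas=ROAS):
    """Return 'valid', 'invalid' or 'notfound' for one announcement.

    RFC 6811 section 2: a ROA *covers* the route if the ROA prefix contains
    the announced prefix. No covering ROA -> NotFound. A covering ROA whose
    ASN matches the origin and whose maxLength >= the announced length ->
    Valid. Covering ROAs exist but none matches -> Invalid.
    """
    ann = _parse(announced_prefix)
    covering = []
    for roa in roas:
        net = _parse(roa.prefix)
        if net.version == ann.version and ann.subnet_of(net):
            covering.append(roa)
    if not covering:
        return "notfound"
    for roa in covering:
        if roa.asn == origin_asn and ann.prefixlen <= roa.max_length:
            return "valid"
    return "invalid"


def filter_announcements(announcements, roas=ROAS, reject=("invalid",)):
    """Drop announcements whose ROV state is in `reject`.

    Returns (accepted, dropped) as lists of (prefix, origin, state). Rejecting
    only 'invalid' is the usual starting policy: 'notfound' is still the
    common case for many prefixes, and dropping it breaks reachability.
    """
    accepted, dropped = [], []
    for prefix, origin in announcements:
        state = rov_state(prefix, origin, roas)
        (dropped if state in reject else accepted).append((prefix, origin, state))
    return accepted, dropped


if __name__ == "__main__":
    sample = [
        ("192.0.2.0/24", 64496),      # legitimate origin
        ("192.0.2.0/25", 64496),      # right origin, more specific than maxLength allows
        ("192.0.2.0/24", 64511),      # wrong origin: the kind of announcement the thread discusses
        ("198.51.100.64/26", 64497),  # allowed by maxLength 26
        ("203.0.113.0/24", 64499),    # AS0 ROA: always invalid
        ("2001:db8:1::/48", 64496),   # IPv6 valid
        ("2001:db8:2::/48", 64496),   # no ROA: notfound, accepted by default policy
    ]
    for prefix, origin, state in sum(filter_announcements(sample), []):
        print(f"{prefix:20} AS{origin:<6} {state}")
```

The maxLength check is what makes a more-specific hijack by the *right* origin AS (or a leaked more-specific) show up as invalid as well; without it the /25 above would pass.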

Re: Why is .gov only for US government agencies?

2014-10-19 Thread sthaug
Wondering if some of the long-time list members can shed some light on the question--why is the .gov top level domain only for use by US government agencies? Where do other world powers put their government agency domains? With the exception of the cctlds, shouldn't the top-level gtlds

Re: 192.250.24.0/22 (as 23034) not reachable from Verizon, tinet, global crossing, XO

2014-09-18 Thread sthaug
The 192.250.24 addresses have been reachable for several months in the current configuration with no reported issues. Since the 16th we have been hearing reports that destinations in that block are unavailable for some. Several looking glasses report network not in table. Visible

Re: Interesting problems with using IPv6

2014-09-07 Thread sthaug
There are decades of mailing lists archives at nanog and others that have the same thing -- 1) stressed out ops guy 2) buggy code (tac says need to load latest code as first step) 3) L2 mess -- most of those examples of epic failure are ipv4 related, but many are just ethernet fails. If

Re: Hurricane Electric packet loss

2014-07-22 Thread sthaug
We've been customers of Hurricane Electric for a number of years now and always been happy with their service. In recent months packet loss on some of their major routes has become a very common (every few days) occurrence. Without knowledge of their network I am unsure

Re: US patent 5473599

2014-05-06 Thread sthaug
So, then the only problem, perhaps, is that no one has apparently bothered to explicitly document that both VRRP and CARP use 00:00:5e:00:01:xx MAC addresses, and that the xx part comes from the Virtual Router IDentifier (VRID) in VRRP and virtual host ID (VHID) in CARP, providing a colliding

Re: IPv6 Security

2014-03-27 Thread sthaug
No, it is LESS robust, because the client identifier changes when the SOFTWARE changes. Around here, software changes MUCH more often than hardware. Heck, even a dual-boot scenario breaks the client identifier stability. Worse yet, DHCPv6 has created a scenario where a client's IPv4

Re: IPv6 Security

2014-03-27 Thread sthaug
DHCPv6 as defined in RFC 3315 does not offer client MAC address at all (thus making the job more difficult for a number of organizations). Yes it does… What do you think “Link Layer Address” (RFC 3315, Section 9.1 Type 3) is? From RFC-3315 Section 9.4, it seems pretty clear that is

Re: Filter NTP traffic by packet size?

2014-02-23 Thread sthaug
The business model seems clearer when offering filtering as a service to downstream networks, the effects are narrowly scoped, and members have control over the traffic they accept from the exchange, e.g. I don't want to accept NTP traffic to any destination that exceeds 1Gbit/s, or is

Re: random dns queries with random sources

2014-02-19 Thread sthaug
Premature send - I meant to add 'Or against the authoritative servers for 5kkx.com?' We've been seeing a spate of reflected (not amplified) DNS attacks against various authoritative servers in Europe for the past week or so, bounced through some type of consumer DSL broadband CPE with an

Re: random dns queries with random sources

2014-02-19 Thread sthaug
It has been ongoing for a week or so (but not constant). The domain names have a pattern but are comprised of components that appear to be randomly generated. The source IP addresses for the queries appear to be non duplicated and randomly generated. query logs are available for

Re: Experiences with IPv6 and Routing Efficiency

2014-01-18 Thread sthaug
Was just trying to get more info from large networks about whether some of the things that make theoretical logical sense actually work out in practice that way, e.g. whether fixed header size and the fewer headers required to decode to read an IPv6 packet (with respect to IPv4) really may

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-31 Thread sthaug
I think there needs to be some clarification on how these tools get used, how often they're used, and if they're ever cleaned up when no longer part of an active operation. Of course we'll never get that. Highly unlikely, I'd say. The amount of apologists with the attitude this isn't a big

Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-31 Thread sthaug
The best response I've seen to all this hype and I completely agree with Scott: Do ya think that you wouldn't also notice a drastic increase in outbound traffic to begin with? It's fun to watch all the hype and things like that, but to truly sit down and think about what it would actually

Re: Europe-to-US congestion and packet loss on he.net network, and their NOC@ won't even respond

2013-12-01 Thread sthaug
Using a 1/10th of a second interval is rather anti-social. I know we rate-limit ICMP traffic down, and such a short interval would be detected as attack traffic, and treated as such. ... For what it is worth, I used to think the same, until I saw several providers themselves suggest that

Re: common method to count traffic volume on IX

2013-09-19 Thread sthaug
But isn't this all just neo-colonialism? Establish a market in the colony, but ensure through restrictive trade practices that all trade routes lead back via the mother country. Or can I buy myself connectivity to AMS-IX Amsterdam when I'm present at the LINX Harare exchange? There are

Re: subrate SFP?

2013-08-30 Thread sthaug
I actually emailed RAD, MethodE and Avago yesterday and pitched the idea. MiTOP is my exact justification why it should technically be feasible. I guess it would be easier to pitch, if there would be commitment to buy, but I don't personally need many units, just 1-2 here and there. I

Re: Line cut in Mediterranean?

2013-03-27 Thread sthaug
Getting reports from a third party vendor that there's been a line cut in the Mediterranean that is affecting some Internet traffic. Anyone have any details? See the outages list: https://puck.nether.net/pipermail/outages/2013-March/005386.html Steinar Haug, Nethelp consulting,

Re: OOB core router connectivity wish list

2013-01-10 Thread sthaug
I don't think you can get ethernet and transport out-of-the-area in some places at a reasonable cost, so having serial-console I think is still a requirement. TDM is disappearing quickly in at least some parts of the world. We may not be quite there yet, but I think it's entirely reasonable to

Re: Big day for IPv6 - 1% native penetration

2012-11-26 Thread sthaug
Again, where're the compelling IPv6-only content/apps/services? To answer your rhetorical question, http://www.kame.net/ has a dancing kame. To my knowledge, that's the most compelling IPv6-only content. Don't forget http://loopsofzen.co.uk/ - that's definitely the most compelling

Re: Whats so difficult about ISSU

2012-11-10 Thread sthaug
as to whether ios/xe is rtc, you may want to see my preso at the last nanog. NANOG56? I only found RPKI Propagation by you. Direct URL would be appreciated. Look towards the end of the presentation and you'll find run to completion... Steinar Haug, Nethelp consulting, sth...@nethelp.no

Re: MTU issues s0.wp.com

2012-11-06 Thread sthaug
Is anyone else experiencing similar issues? Not from here (AS 2116, Norway). No problem getting up the web page, tcpdump shows MSS 1440. My traceroute shows they are employing a CDN for s0.wp.com, so not everyone might be affected. 7 asd2-rou-1022.NL.eurorings.net

Re: HSRP vs VRRP for IPv6 on IOS-XE - rekindling an old flame

2012-08-20 Thread sthaug
Yeah I see the disconnect. I'm assuming that what I see is what I get. Which means I'm going to stick with HSRP. If our AS team gives me any good feedback that I can share I will do so. Thanks Nick. XE: v4: HSRPv1, HSRPv2, VRRPv6: HSRPv2 Not particularly relevant to the

Re: Does anyone use anycast DHCP service?

2012-08-13 Thread sthaug
I think it would be far more reliable to simply have two independent DHCP servers with mutually exclusive address ranges, and have one system be secondary and delay its responses by 2s so it always loses when the primary is up and running well. Yes, you lose the ability for clients to get

Re: DDoS using port 0 and 53 (DNS)

2012-07-25 Thread sthaug
The port number of the Layer 4 connection cannot be determined without executing IP fragment reassembly in that case. Routers normally reassemble fragments they receive, if possible. No, routers normally do *not* reassemble fragments. This is typically done by hosts and firewalls. Steinar
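The exchange above is the whole story of "port 0" traffic in flow data: a router or flow exporter looks at one packet at a time, and only the first fragment of a datagram carries the UDP header, so the remaining fragments have no port to report. The Python below is an added example, not code from the list: it builds one UDP datagram, fragments it into three IPv4 fragments, and contrasts what a per-packet forwarder can read with what a reassembling host or firewall can. Addresses, ports and payload are constructed (RFC 5737 documentation prefixes); checksums are left zero.

```python
"""Why a router sees "port 0" on fragments while a host can see port 53.

Added example for the port-0/53 DDoS message above; not code from the list.
Constructed sample traffic using RFC 5737 addresses; IP/UDP checksums are 0.
"""
import ipaddress
import struct

IPV4_HDR = "!BBHHHBBH4s4s"   # ver/ihl, tos, total len, id, flags+offset, ttl, proto, csum, src, dst
UDP = 17


def ipv4_header(src, dst, proto, payload_len, ident, more_fragments, offset_bytes):
    """Build a 20-byte IPv4 header; the checksum is left 0 in this constructed sample."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_bytes // 8)   # bit 13 = MF
    return struct.pack(IPV4_HDR, 0x45, 0, 20 + payload_len, ident, flags_frag, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def fragment(src, dst, proto, ident, l4_bytes, chunk=16):
    """Split an L4 PDU into IPv4 fragments carrying `chunk` bytes each (a multiple of 8)."""
    if chunk % 8:
        raise ValueError("fragment data length must be a multiple of 8 bytes")
    frags = []
    for off in range(0, len(l4_bytes), chunk):
        piece = l4_bytes[off:off + chunk]
        mf = off + chunk < len(l4_bytes)
        frags.append(ipv4_header(src, dst, proto, len(piece), ident, mf, off) + piece)
    return frags


def parse_ipv4(pkt):
    f = struct.unpack(IPV4_HDR, pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    return {
        "src": str(ipaddress.IPv4Address(f[8])), "dst": str(ipaddress.IPv4Address(f[9])),
        "proto": f[6], "ident": f[3],
        "mf": bool(f[4] & 0x2000), "offset": (f[4] & 0x1FFF) * 8,
        "payload": pkt[ihl:f[2]],
    }


def flow_key(pkt):
    """What a router or flow exporter gets from one packet: (src, dst, proto, sport, dport).

    Only the first fragment carries the transport header. For the others the
    ports are unknown and are commonly exported as 0, which is where the
    "port 0" traffic discussed in the thread comes from.
    """
    ip = parse_ipv4(pkt)
    sport = dport = 0
    if ip["offset"] == 0 and ip["proto"] in (6, 17) and len(ip["payload"]) >= 4:
        sport, dport = struct.unpack("!HH", ip["payload"][:4])
    return ip["src"], ip["dst"], ip["proto"], sport, dport


def reassemble(frags):
    """What a host or stateful firewall does before it can see the ports at all.

    Fragments are matched on IP ID only here; a real stack also keys on
    src, dst and protocol, and times out incomplete datagrams.
    """
    parsed = sorted((parse_ipv4(p) for p in frags), key=lambda p: p["offset"])
    if len({p["ident"] for p in parsed}) != 1:
        raise ValueError("fragments from different datagrams")
    data, expected = bytearray(), 0
    for p in parsed:
        if p["offset"] != expected:
            raise ValueError(f"hole at offset {expected}")
        data += p["payload"]
        expected += len(p["payload"])
    if parsed[-1]["mf"]:
        raise ValueError("last fragment missing")
    return bytes(data)


def udp_ports(l4_bytes):
    return struct.unpack("!HH", l4_bytes[:4])


# Constructed sample: a 40-byte reply from port 53 to an ephemeral port, fragmented 3 ways
PAYLOAD = bytes(range(40))
UDP_PDU = struct.pack("!HHHH", 53, 40000, 8 + len(PAYLOAD), 0) + PAYLOAD
FRAGS = fragment("198.51.100.53", "192.0.2.10", UDP, 0x1234, UDP_PDU)

if __name__ == "__main__":
    for f in FRAGS:
        print("router sees:", flow_key(f))
    print("host sees after reassembly:", udp_ports(reassemble(FRAGS)))
```

A consequence for filtering: an ACL that matches "UDP source port 53" on a router only ever matches the first fragment of each amplified reply; the rest of the bytes pass (or are dropped) on a rule that can only see protocol and addresses.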

Re: HE.net BGP origin attribute rewriting

2012-05-31 Thread sthaug
I disagree. Origin is tremendously useful as a multi-AS weighting tool, and isn't the blunt hammer that AS_PATH is. If you think of AS_PATH as a blunt hammer, how would you describe localpref? We use AS_PATH in many cases *precisely* because we don't consider it to be a blunt hammer...

Re: [IPv6] Monitoring BGP IPv6 Sesions

2012-04-19 Thread sthaug
There's new mib support in new IOS's and ASR9k stuffs but there's still not feature parity with IPv4. It seems the current prevailing winds indicate less support for SNMP and more for NETCONF. So maybe we should all get cozy with XML rather than OIDs... shudder All I've seen of Netconf so

Re: Cheap Juniper Gear for Lab

2012-04-11 Thread sthaug
Anyway, not the best devices for an edge router that is for sure. Which is too bad... for very small DC edge applications, the J6350 was a pretty cool router in earlier versions of JunOS that didn't decide to re-engineer your network and transit for you. We have 3 J2320s in the lab, all

Re: Attack on the DNS ?

2012-03-31 Thread sthaug
Anyone seen signs of this attack actually occurring ? http://www.nytimes.com/2012/03/31/technology/with-advance-warning-bracing-for-attack-on-internet-by-anonymous.html?_r=1 From my vantage point in Oslo, Norway, there is no sign of any attack occurring. Steinar Haug, Nethelp consulting,

Re: Attack on the DNS ?

2012-03-31 Thread sthaug
We already have this type of attack in Bucharest/Romania since last Friday. The targets were IPs of some local webhosters, but at one moment we even saw IPs from Go Daddy. Tcpdump will show something like: 11:10:41.447079 IP target > open_resolver_ip.53: 80+ [1au] ANY? isc.org. (37)

Re: Common operational misconceptions

2012-02-16 Thread sthaug
If you want to know if your resolver talks IPv6 to the world and supports 4096 EDNS UDP messages the following query will tell you. dig edns-v6-ok.isc.org txt Similarly for IPv4. dig edns-v4-ok.isc.org txt Both PowerDNS recursor 3.3 and Nominum CNS 3.0.5

Re: subnet prefix length 64 breaks IPv6?

2012-01-07 Thread sthaug
Note: An IPv4 route requires only one TCAM entry. Because of the hardware compression scheme used for IPv6, an IPv6 route can take more than one TCAM entry, reducing the number of entries forwarded in hardware. For example, for IPv6 directly connected IP addresses, the

Re: subnet prefix length 64 breaks IPv6?

2011-12-28 Thread sthaug
On the other hand there's also the rule that IPv6 is classless and therefore routing on any prefix length must be supported, although for some implementations forwarding based on /64 is somewhat less efficient. Can you please name names for the somewhat less efficient part? I've seen this

Re: subnet prefix length 64 breaks IPv6?

2011-12-28 Thread sthaug
Most vendors have a TCAM that by default does IPv6 routing for netmasks <=64. They have a separate TCAM (which is usually limited in size) that does routing for masks >64 and <=128. Please provide references. I haven't seen any documentation of such an architecture myself. TCAMs are expensive

Re: subnet prefix length 64 breaks IPv6?

2011-12-28 Thread sthaug
Can you please name names for the somewhat less efficient part? I've seen this and similar claims several times, but the lack of specific information is rather astounding. Well, I do know if you look at the specs for most newer L3 switches, they will often say something like max IPv4

Re: subnet prefix length 64 breaks IPv6?

2011-12-28 Thread sthaug
If every route is nicely split at the 64-bit boundary, then it saves a step in matching the prefix. Admittedly a very inexpensive step. My point here is that IPv6 is still defined as longest prefix match, so unless you *know* that all prefixes are <= 64 bits, you still need the longer match.

Re: subnet prefix length 64 breaks IPv6?

2011-12-28 Thread sthaug
IPv6 CEF appears to be functioning normally for prefixes longer than 64-bit on my 720(s). I'm not seeing evidence of unexpected punting. The CPU utilization of the software process that would handle IPv6 being punted to software, IPv6 Input, is at a steady %0.00 average (with spikes up

Re: subnet prefix length 64 breaks IPv6?

2011-12-25 Thread sthaug
prefixes on the same link.  Choosing to make use of a 120-bit prefix (for example) will do nothing to protect against a rogue RA announcing its own 64-bit prefix with the A flag set. I could not find any A flag in the RA. Am I missing something? It's part of the Prefix Information

Re: subnet prefix length 64 breaks IPv6?

2011-12-23 Thread sthaug
I am not sure if this is the reason as this only applies to the link local IP address. One could still assign a global IPv6 address. So, why does basic IPv6 (ND process, etc) break if i use a netmask of say /120? As long as you assign addresses statically, IPv6 works just fine with a netmask

Re: Any tools to help network security

2011-12-21 Thread sthaug
We discover there are so many (source) ip not belonging to our network to go to outside. We can block it but don't know how to locate the source. Any tools can be easily found out. http://lmgtfy.com/?q=unicast+rpf Steinar Haug, Nethelp consulting, sth...@nethelp.no
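The answer above points at unicast RPF as the tool for the question asked (packets leaving with source addresses that are not yours). What uRPF actually decides is a FIB lookup on the *source* address, so its behaviour is easy to show in a few lines. The Python below is an added example, not code from the list or from any vendor; it models the strict and loose modes of RFC 3704 against a constructed FIB (RFC 5737 and 2001:db8::/32 prefixes, made-up interface names) and shows the two cases practitioners trip over: asymmetric routing under strict mode, and the default route under loose mode.

```python
"""Unicast RPF (RFC 3704) strict and loose mode against a small FIB.

Added example for the "Any tools to help network security" message above;
not code from the list or any vendor. FIB and interface names are constructed.
"""
import ipaddress


class Fib:
    """Longest-prefix-match table: prefix -> next-hop interfaces (ECMP allowed)."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

    def lookup(self, addr, allow_default=True):
        a = ipaddress.ip_address(addr)
        best_len, best = -1, []
        for net, ifc in self.routes:
            if net.version != a.version or a not in net:
                continue
            if net.prefixlen == 0 and not allow_default:
                continue
            if net.prefixlen > best_len:
                best_len, best = net.prefixlen, [ifc]
            elif net.prefixlen == best_len:
                best.append(ifc)
        return best


def urpf_pass(fib, src, in_ifc, mode="strict", allow_default=False):
    """True if a packet with source `src` arriving on `in_ifc` passes uRPF.

    strict: the best route back to src must point out of the interface the
            packet arrived on (single-homed customer and access ports).
    loose:  any route to src is enough (where routing may be asymmetric).
    allow_default: whether a default route counts as "a route". With it on,
            loose mode passes every source that is not explicitly unrouted,
            which is nearly everything; Cisco's allow-default keyword exists
            precisely because the default is to ignore the default route.
    """
    if mode not in ("strict", "loose"):
        raise ValueError(f"unknown uRPF mode {mode!r}")
    ifcs = fib.lookup(src, allow_default=allow_default)
    if not ifcs:
        return False
    return True if mode == "loose" else in_ifc in ifcs


def audit(fib, packets):
    """For (src, in_ifc) pairs, return {(src, in_ifc): (strict_pass, loose_pass)}."""
    return {(s, i): (urpf_pass(fib, s, i), urpf_pass(fib, s, i, mode="loose")) for s, i in packets}


# Constructed edge-router FIB
FIB = Fib([
    ("192.0.2.0/24", "ge-0/0/1"),      # customer A, single-homed
    ("198.51.100.0/24", "ge-0/0/2"),   # customer B, first link
    ("198.51.100.0/25", "ge-0/0/3"),   # customer B advertises a more specific over a second link
    ("2001:db8::/48", "ge-0/0/1"),     # customer A, IPv6
    ("0.0.0.0/0", "upstream"),
])

if __name__ == "__main__":
    sample = [
        ("192.0.2.9", "ge-0/0/1"),        # legitimate
        ("198.51.100.7", "ge-0/0/1"),     # customer A spoofing customer B's space
        ("203.0.113.5", "ge-0/0/1"),      # spoofing space we only reach via default
        ("198.51.100.20", "ge-0/0/2"),    # customer B, asymmetric: best route is the other link
        ("198.51.100.200", "ge-0/0/2"),   # customer B, symmetric
    ]
    for (src, ifc), (strict, loose) in audit(FIB, sample).items():
        print(f"{src:16} in {ifc}: strict={'pass' if strict else 'DROP'} loose={'pass' if loose else 'DROP'}")
```

The 198.51.100.20 case is why strict mode is an access-port feature: the customer is not spoofing, but the more specific over the other link makes strict mode drop a legitimate packet. Loose mode catches only sources with no route at all, which with a default route present means nothing unless the default is excluded.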

Re: Recent DNS attacks from China?

2011-11-30 Thread sthaug
I am wondering if anyone else is seeing a sudden increase in DNS attacks emanating from chinese IP addresses? Over the past 24 hours we've seen a sudden rash of chinese IPs attacking our DNS servers in the order of 5 to 10 million PPS for periods of 5 to 10 mins, repeated every 20 to 30

Re: Performance Issues - PTR Records

2011-11-07 Thread sthaug
The practice of filling out the reverse zone with fake PTR records started before there was widespread support for UPDATE/DNS. There isn't any need for this to be done anymore. Machines are capable of adding records for themselves. How do I setup this for DHCPv6-PD? Say, I delegate

Re: Microsoft deems all DigiNotar certificates untrustworthy, releases updates

2011-09-11 Thread sthaug
To pop up the stack a bit it's the fact that an organization willing to behave in that fashion was in my list of CA certs in the first place. Yes they're blackballed now, better late than never I suppose. What does that say about the potential for other CAs to behave in such a fashion? I'd

Re: IPv6 end user addressing

2011-08-11 Thread sthaug
And your average home user, whose WiFi network is an open network named linksys is going to do that how? Because the routers that come on pantries and refrigerators will probably be made by people smarter than the folks at Linksys? One could argue that routing and access control is even

Re: dynamic or static IPv6 prefixes to residential customers

2011-08-03 Thread sthaug
3) I think people do some of both. I think that if people can get static for the same price, they will choose static over dynamic. I think that some will even choose to use their dynamic to run tunnels where they can get static. You can get free static tunnels for IPv6

Re: dynamic or static IPv6 prefixes to residential customers

2011-08-03 Thread sthaug
Experience from IPv4 suggests otherwise. We (as an ISP) normally hand out dynamic IPv4 addresses to residential customers, and static IPv4 addresses to business customers. - We have plenty of business customers who *want* dynamic addresses, even if static is available as a standard

Re: dynamic or static IPv6 prefixes to residential customers

2011-08-03 Thread sthaug
- Dynamic address: Customer connects PC (defaults to DHCP) or router/ firewall with DHCP for the WAN interface plus NAT for the LAN side. Necessary configuration: Small to none. DHCP doesn't imply dynamic address. It implies customer doesn't have to configure an address him/herself.

Re: MX 80 advantages and shortcomings

2011-07-05 Thread sthaug
Can anyone enlighten me on the pros and cons of MX 80 platform There's been quite a bit of discussion about the MX80 on the juniper-nsp list, and I recommend asking on that list instead (if you don't find what you already need in the list archives). As a general rule, people are more likely to

Re: The stupidity of trying to fix DHCPv6

2011-06-16 Thread sthaug
Ethernet doesn't scale because of large amounts of broadcast traffic. We started to introduce multicast, and multicast-aware switches in IPv4; in IPv6 there is no broadcast traffic. We won't be able to scale networks up until we can turn off IPv4, In other words, probably not for another

Re: The stupidity of trying to fix DHCPv6

2011-06-16 Thread sthaug
Are you not using managed switches? Certainly. It takes me about 1 second to find exactly which device and which port a device is connected to. Once you know that; you have a pretty nice collection of statistics and log messages that usually tell you exactly what is wrong. Here is where

Re: The stupidity of trying to fix DHCPv6

2011-06-15 Thread sthaug
Ethernet is not designed for huge LANs. If you want that you need to make significant changes - http://www.cl.cam.ac.uk/~mas90/MOOSE/ Hm: Our object is to design a communication system which can grow smoothly to accommodate several buildings full of personal computers and the

Re: The stupidity of trying to fix DHCPv6

2011-06-10 Thread sthaug
DHCPv6 does not provide route information because this task is handled by RA in IPv6. Thankfully this silliness is in the process of being fixed, So where do I point out the stupidity of trying to fix this non-brokenness? Several large operators have said, repeatedly, that they want to

Re: The stupidity of trying to fix DHCPv6

2011-06-10 Thread sthaug
Several large operators have said, repeatedly, that they want to use DHCPv6 without RA. I disagree that this is stupid. I wonder if it's just a violation of rule #1: stop thinking legacy! If having a significant infrastructure that supports IPv4 DHCP is legacy, yes then you could argue

Re: Cogent IPv6

2011-06-09 Thread sthaug
You can actually use DHCPv6 to assign addresses to hosts dynamically on longer than /64 networks. However, you may have to go to some effort to add DHCPv6 support to those hosts first. Also, there is no prefix-length (or default router) option in DHCPv6, so you have to configure the

Re: New vyatta-nsp list

2011-05-25 Thread sthaug
nitpicking 1gige linerate: 1,9mpps 10gige linerate: 19mpps and intel is proud to achieve 1,6mpps at 2 10gige cards? I have seen higher values at pc hardware - but still not compareable to asics. If you're going to specify line rate pps, please get the figures right.

Re: rwhois website

2011-05-21 Thread sthaug
I am trying to use http://www.rwhois.net/rwhois/prwhois.html to check my rwhois server but it is not reachable now Do you know why the website is not in existing? and how can i check it As somebody else answered on Nanog a couple of weeks ago, rwhoisd is very old software that has had

Re: IPv6 Conventions

2011-05-19 Thread sthaug
No, the same Internet Protocol. I believe he meant different IP addresses No, that can't be, he would have said IP addresses. and I highly recommend doing so. If you do so, then you can move services around and name things independent of the actual host that they happen to be

Re: IPv6 Conventions

2011-05-18 Thread sthaug
1) Is there a general convention about addresses for DNS servers? NTP servers? dhcp servers? DNS server addresses should be short and easy to type, as already mentioned. 2) Are we tending to use different IPs for each service on a device? In many cases yes - because that makes it possible to

Re: Why does abuse handling take so long ?

2011-03-13 Thread sthaug
Why o why are isp's and hosters so ignorant in dealing with such issues and act like they do not care? they don't act like they do not care. they really *don't* care. no acting. Well now, I'd say this varies considerably. There are definitely ISPs that care and *do* work hard at reducing

Re: Real World NAT64 deployments

2011-03-03 Thread sthaug
6to4 is handy as a toy or for experimenting, but it relies on a loose network of generous volunteers who, while generous, are neither generous nor numerous enough to support production traffic. Any ISP that is delivering IPv6 to their clients would be insane to not run a 6to4 relay for

Re: Switch with 24x SFP PVLAN QinQ Layer 2

2011-03-02 Thread sthaug
Requirements are basically just 24/48 SFP ports, PVLAN and selective QinQ. Most devices that fit the requirements are Layer 3, which pushes the cost per port too high. ... The ME3600X might be a more appropriate Cisco solution than the ME6524. The ME3600X

Re: Switch with 10 Gig and GRE support in hardware.

2011-03-01 Thread sthaug
Juniper MX80 does all this. 1. It's not a switch (so don't expect switch pricing). 2. It doesn't offer 12 x 10GE ports. And I believe this has been mentioned earlier in the same thread... Steinar Haug, Nethelp consulting, sth...@nethelp.no

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread sthaug
Does anybody have anything neat to keep logs of what host gets what ipv6 address in an SLAAC environment? You'd have to correlate ND information in the router to some kind of record of who has what MAC address at any given time. With SLAAC the host doesn't get an IPv6 address, it takes
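The answer above splits the SLAAC logging problem in two: with SLAAC the host picks its own address, so the only authoritative record of who held what is the router's neighbour cache, correlated with whatever maps MACs to people or ports. Part of that correlation can be computed (a modified EUI-64 interface identifier encodes the MAC, RFC 4291 Appendix A) and part cannot (RFC 4941 temporary addresses carry no MAC). The Python below is an added example, not code from the list; the ND-cache snapshots and the MAC-to-port table are constructed, using the RFC 7042 documentation MAC range 00:00:5e:00:53:xx and 2001:db8::/32.

```python
"""Correlating SLAAC addresses with MACs: EUI-64 both ways, plus ND-cache lookup.

Added example for the "Mac OS X 10.7, still no DHCPv6" message above; not code
from the list. ND cache and MAC-to-owner table are constructed sample data.
"""
import ipaddress


def _mac_bytes(mac):
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    return b


def eui64_iid(mac):
    """Modified EUI-64 interface identifier: insert ff:fe in the middle, flip the U/L bit."""
    b = _mac_bytes(mac)
    iid = bytearray(b[:3] + b"\xff\xfe" + b[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def slaac_address(prefix, mac):
    """The address a host derives by SLAAC from a /64 prefix and its MAC, as a string."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC (RFC 4862) needs a 64-bit prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(eui64_iid(mac), "big")))


def mac_from_address(addr):
    """Inverse of slaac_address; None if the IID is not EUI-64 shaped.

    Temporary (RFC 4941) or otherwise random IIDs return None. A random IID
    happens to contain ff:fe in the right place with probability 2**-16, so
    treat a recovered MAC as a strong hint, not proof, and confirm it in the
    ND cache: the IID is also trivial for a host to forge.
    """
    iid = (int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    m = bytearray(iid[:3] + iid[5:])
    m[0] ^= 0x02
    return ":".join(f"{x:02x}" for x in m)


# Constructed ND-cache snapshots as polled from the router: (time, address, mac)
ND_CACHE = [
    ("2011-02-27T10:00", "2001:db8:1:0:200:5eff:fe00:5301", "00:00:5e:00:53:01"),   # EUI-64 host
    ("2011-02-27T10:00", "2001:db8:1:0:a1b2:c3d4:e5f6:789", "00:00:5e:00:53:02"),   # temporary address
    ("2011-02-27T12:00", "2001:db8:1:0:3c4d:5e6f:7081:92a3", "00:00:5e:00:53:02"),  # same host, new one
]
# Constructed MAC-to-owner map (switch MAC table, 802.1X, or a DHCPv4 lease file)
MAC_OWNER = {"00:00:5e:00:53:01": "sw1 port 12", "00:00:5e:00:53:02": "sw1 port 13"}


def who_had(addr, at_time, nd_cache=ND_CACHE, mac_owner=MAC_OWNER):
    """Best-effort answer to "who had this IPv6 address at time T?".

    Returns (mac, owner, method): 'eui64' when the MAC was read out of the
    address itself, 'nd-cache' when it came from the latest snapshot at or
    before at_time, (None, None, None) when neither works. Timestamps are ISO
    strings so they compare correctly as text.
    """
    target = str(ipaddress.IPv6Address(addr))
    mac = mac_from_address(target)
    if mac is not None:
        return mac, mac_owner.get(mac, "unknown MAC"), "eui64"
    hits = [(t, m) for t, a, m in nd_cache if str(ipaddress.IPv6Address(a)) == target and t <= at_time]
    if not hits:
        return None, None, None
    _, mac = max(hits)
    return mac, mac_owner.get(mac, "unknown MAC"), "nd-cache"


if __name__ == "__main__":
    print(slaac_address("2001:db8:1::/64", "00:00:5e:00:53:01"))
    for a in ("2001:db8:1::200:5eff:fe00:5301", "2001:db8:1::a1b2:c3d4:e5f6:789"):
        print(a, "->", who_had(a, "2011-02-27T10:30"))
```

The practical point is the polling interval: a temporary address that appears and disappears between two neighbour-cache snapshots is never attributable afterwards, which is what makes DHCPv6 (or SAVI-style binding on the switch) attractive where per-address accountability is a requirement.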

Re: Mac OS X 10.7, still no DHCPv6

2011-02-27 Thread sthaug
In fairness, said device can do the same sort of inspection of SLAAC traffic. It just looks at neighbor discovery messages instead of DHCP messages. http://tools.ietf.org/html/draft-ietf-savi-fcfs Any known (existing) or planned implementations of this? Steinar Haug, Nethelp consulting,

Re: IPv6 addressing for core network

2011-02-09 Thread sthaug
Is there a NANOG FAQ we can add this to? 1- Use Public Ipv6 with /122 and do not advertise to Internet 2- Use Public Ipv6 with /127 and do not advertise to Internet The all zeros address is the all routers anycast address so on most non-Cisco routers you can't use it, ruling out

Re: IPv6 addressing for core network

2011-02-09 Thread sthaug
A /127 mask is still the best way to handle real point-to-point links like SDH/SONET today, to avoid the ping-pong problem. Works fine with Cisco and Juniper, not tried with other vendors. I know it's immature, but I can't wait for some new hire at vendor C or vendor J to reread the

Re: IPv6 addressing for core network

2011-02-09 Thread sthaug
Global scope addresses on router-to-router interfaces are necessary today for traceroute to work. Some ISPs are *requiring* working traceroute (without MPLS hiding of intermediate hops) in RFPs to transit providers. If you can get router ICMP handling changed such that the ICMP packet

Re: IPv6 addressing for core network

2011-02-09 Thread sthaug
A /127 mask is still the best way to handle real point-to-point links like SDH/SONET today, to avoid the ping-pong problem. Works fine with Cisco and Juniper, not tried with other vendors. Can you elaborate on this? What's the ping-pong problem? This has been well covered in the
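Both /127 messages above refer to the ping-pong problem without spelling it out, and the reply here says it has been well covered elsewhere (RFC 6164 is the usual reference). The mechanism is short enough to simulate: on a link with no neighbour discovery (POS, SDH/SONET, ATM) a router that receives a packet for an address inside the connected prefix, but not its own, just forwards it onto the link; with a /64 the far end does the same and the packet bounces until Hop Limit runs out, whereas a /127 has no third address to bounce for. The Python below is an added example, not code from the list or any vendor; link prefixes are constructed from 2001:db8::/32.

```python
"""The /64 versus /127 "ping-pong" problem on a true point-to-point link, simulated.

Added example for the /127 messages above; not code from the list. The model
is a link without neighbour discovery, so a connected-route hit is always
forwarded onto the wire and nothing (NUD, ICMP redirect) ever stops it.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    name: str
    link_prefix: ipaddress.IPv6Network   # connected route of the p2p interface
    own: ipaddress.IPv6Address           # the interface address


def make_link(prefix, a_addr, b_addr):
    """Two routers sharing one p2p prefix. On a /127 the first address is also the
    subnet-router anycast address, which RFC 6164 requires to be disabled on such links."""
    net = ipaddress.IPv6Network(prefix)
    a, b = ipaddress.IPv6Address(a_addr), ipaddress.IPv6Address(b_addr)
    if a not in net or b not in net or a == b:
        raise ValueError("both addresses must be distinct and inside the link prefix")
    return Router("A", net, a), Router("B", net, b)


def forward_decision(router, dst):
    """'deliver' (ours), 'link' (connected prefix but not ours: onto the wire), or 'unreachable'."""
    if dst == router.own:
        return "deliver"
    if dst in router.link_prefix:
        return "link"
    return "unreachable"


def send(a, b, dst, hop_limit=64):
    """A packet for dst arrives at router a from elsewhere with the given Hop Limit.

    Returns (outcome, link_traversals). 'hop-limit-exceeded' is the ICMPv6
    Time Exceeded that eventually ends a ping-pong.
    """
    dst = ipaddress.IPv6Address(dst)
    current, other = a, b
    traversals = 0
    while True:
        decision = forward_decision(current, dst)
        if decision != "link":
            return decision, traversals
        hop_limit -= 1
        traversals += 1
        if hop_limit == 0:
            return "hop-limit-exceeded", traversals
        current, other = other, current


def wasted_traversals(prefix, a_addr, b_addr, dst, hop_limit=64):
    """Convenience wrapper: build the link and send one packet across it."""
    a, b = make_link(prefix, a_addr, b_addr)
    return send(a, b, dst, hop_limit)


if __name__ == "__main__":
    # Constructed links: a /64 and a /127 carved from 2001:db8::/32
    print("/64, unused address :", wasted_traversals("2001:db8:0:1::/64", "2001:db8:0:1::1",
                                                     "2001:db8:0:1::2", "2001:db8:0:1::ffff"))
    print("/127, unused address:", wasted_traversals("2001:db8:0:2::/127", "2001:db8:0:2::",
                                                     "2001:db8:0:2::1", "2001:db8:0:2::ffff"))
```

One packet aimed at an unused address inside a /64 p2p link costs 64 link traversals (255 if the sender set the maximum Hop Limit), which is why a scan of a core /64 is an amplification attack against the link as well as a nuisance. Where the link does run neighbour discovery (Ethernet), the failure mode is different, an exhausted ND cache, but the /127 remedy is the same.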

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-02-03 Thread sthaug
The subject says it all... anyone with experience with a setup like this ? Unicast addresses must be located in at least a /64 subnet. No doubt there are vendors which enforce this (perhaps even in the ASICs), so deviating from this rule will result in some lock-in. The Juniper and

Re: quietly....

2011-02-03 Thread sthaug
I'm perfectly happy with an IPv6 network that only has rational people on it while those who insist on NAT stay behind on IPv4. There's an inherent conflict between your wish here and the desire to bring IPv6 to the masses... Steinar Haug, Nethelp consulting, sth...@nethelp.no

Re: quietly....

2011-02-02 Thread sthaug
It's a bit of a shame that people who've gotten into networking in the last 10 to 15 years haven't studied or worked with anything more than IPv4. They've missed out on seeing a variety of different ways to solve the same types of problems and therefore been exposed to the various benefits

Re: [arin-announce] ARIN Resource Certification Update

2011-01-30 Thread sthaug
- Hosted solutions offer a low barrier entry to smaller organizations who simply cannot develop their own PKI infrastructure. This is the case where they also lack the organizational skills to properly manage the keys themselves, so, in most cases at least, they are *better off* with a

Re: Using IPv6 with prefixes shorter than a /64 on a LAN

2011-01-24 Thread sthaug
IPv6 is classless; routers cannot blindly make that assumption for performance optimization. Blindly, no. However, it's not impractical to implement fast path switching that handles things on /64s and push anything that requires something else to the slow path. Any vendor who was
