Re: IPv6 first hop security on a budget?

2017-11-10 Thread joel jaeggli
On 11/11/17 09:14, Fernando Gont wrote:
> On 05/05/2017 08:27 PM, Joel Whitehouse wrote:
>> What's a good budget option for switching a small lab or office ipv6
>> with RA Guard, DHCP6 snooping, and ICMP6 snooping?
>>
> 
> If you do deploy this, please take a look at the issues discussed in
> RFC7113. Similar stuff is likely to apply to DHCPv6 snooping et al.

experiences vary, if you're looking to experience them first hand, warts,
implementation details and all, juniper ex2300c, cisco 3560cx are both
small variants of both providers' lower-end layer2/3 switches and are
relatively inexpensive, fairly feature rich platforms.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960cx_3650cx/software/release/15-2_3_e/configuration/guide/b_1523e_consolidated_2960cx_3560cx_cg/b_consolidated_152ex_2960-X_cg_chapter_011.pdf

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/router-advertisement-guard-edit-fo.html

joel

> Thanks!
> 
> Best regards,
> 



Re: IPv6 first hop security on a budget?

2017-11-10 Thread Saku Ytti
Not suggesting there is no use case of RA Guard, DHCP6 Snooping, ICMP6
snooping, as I deployed IPv4 equivalent pretty much the day they were
available on 3560.

You might want to consider de-perimeterisation. Do you offer a way to
connect to the intranet from the Internet? If so, why not use the same
method in the office, and have equivalent 0 trust on office infra? An
additional benefit is OPEX reduction by not having users submit tickets
'X works from VPN but not from office' and vice versa.

On 6 May 2017 at 08:27, Joel Whitehouse wrote:
> What's a good budget option for switching a small lab or office ipv6 with RA
> Guard, DHCP6 snooping, and ICMP6 snooping?



-- 
  ++ytti


Re: IPv6 first hop security on a budget?

2017-11-10 Thread Fernando Gont
On 05/05/2017 08:27 PM, Joel Whitehouse wrote:
> What's a good budget option for switching a small lab or office ipv6
> with RA Guard, DHCP6 snooping, and ICMP6 snooping?
> 

If you do deploy this, please take a look at the issues discussed in
RFC7113. Similar stuff is likely to apply to DHCPv6 snooping et al.

Thanks!

Best regards,
-- 
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint:  31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492






95 Christopher Columbus

2017-11-10 Thread chris
Hello,

Just wondering if anyone on the list is an existing tenant at 95
Christopher Columbus Jersey City NJ which has equipment already and/or a
few RU of free rack space. We have a small project so renting a full cage
etc isn't really practical.

If you are in the building (real equipment not virtual presence via an NNI
or something like that) please ping me off list.

Thanks!
chris


Weekly Routing Table Report

2017-11-10 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG, CaribNOG
TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG, IRNOG and the RIPE Routing WG.

Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith.

Routing Table Report   04:00 +10GMT Sat 11 Nov, 2017

Report Website: http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary


BGP routing table entries examined: 668655
Prefixes after maximum aggregation (per Origin AS): 260785
Deaggregation factor: 2.56
Unique aggregates announced (without unneeded subnets): 323939
Total ASes present in the Internet Routing Table: 58967
Prefixes per ASN: 11.34
Origin-only ASes present in the Internet Routing Table: 50941
Origin ASes announcing only one prefix: 22406
Transit ASes present in the Internet Routing Table: 8026
Transit-only ASes present in the Internet Routing Table: 239
Average AS path length visible in the Internet Routing Table: 4.3
Max AS path length visible: 44
Max AS path prepend of ASN (55644): 41
Prefixes from unregistered ASNs in the Routing Table: 86
Number of instances of unregistered ASNs: 86
Number of 32-bit ASNs allocated by the RIRs: 20551
Number of 32-bit ASNs visible in the Routing Table: 16368
Prefixes from 32-bit ASNs in the Routing Table: 67078
Number of bogon 32-bit ASNs visible in the Routing Table: 31
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 376
Number of addresses announced to Internet: 2859891296
Equivalent to 170 /8s, 118 /16s and 122 /24s
Percentage of available address space announced: 77.2
Percentage of allocated address space announced: 77.2
Percentage of available address space allocated: 100.0
Percentage of address space in use by end-sites: 98.7
Total number of prefixes smaller than registry allocations: 220528

APNIC Region Analysis Summary

Prefixes being announced by APNIC Region ASes: 184517
Total APNIC prefixes after maximum aggregation: 52837
APNIC Deaggregation factor: 3.49
Prefixes being announced from the APNIC address blocks: 183573
Unique aggregates announced from the APNIC address blocks: 76274
APNIC Region origin ASes present in the Internet Routing Table: 8464
APNIC Prefixes per ASN: 21.69
APNIC Region origin ASes announcing only one prefix: 2363
APNIC Region transit ASes present in the Internet Routing Table: 1208
Average APNIC Region AS path length visible: 4.5
Max APNIC Region AS path length visible: 44
Number of APNIC region 32-bit ASNs visible in the Routing Table: 3326
Number of APNIC addresses announced to Internet: 766641376
Equivalent to 45 /8s, 178 /16s and 4 /24s
APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 63488-64098, 64297-64395, 131072-137529
APNIC Address Blocks   1/8, 14/8, 27/8, 36/8, 39/8, 42/8, 43/8,
                       49/8, 58/8, 59/8, 60/8, 61/8, 101/8, 103/8,
                       106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
                       116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
                       123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8,
                       163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8,
                       203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8,
                       222/8, 223/8,

ARIN Region Analysis Summary


Prefixes being announced by ARIN Region ASes: 200702
Total ARIN prefixes after maximum aggregation: 96754
ARIN Deaggregation factor: 2.07
Prefixes being announced from the ARIN address blocks: 202165
Unique aggregates announced from the ARIN address blocks: 94512
ARIN Region origin ASes present in the Internet Routing Table: 18011
ARIN Prefixes per ASN:

Weekend Reading - New Undersea Cable Systems

2017-11-10 Thread Rod Beck
Marea provides Trans-Atlantic connectivity via Virginia to Spain. Much needed
diversity given the dominance of NYC-London. Facebook and Microsoft were
principal backers.

https://www.digitaltrends.com/cool-tech/microsoft-facebook-marea-undersea-cable-complete/

Indigo links Singapore and Jakarta to Australia. Open cable design which involves
spectrum sharing and allows each consortium member to select a different DWDM
technology. Uses existing cable landing stations.

https://www.subpartners.net/indigo.html

Project to connect Indonesia, Singapore and Malaysia via an unrepeatered cable
system. Cities include Bantam, Singapore, Mersing, and Lumpur (Cyberjaya).
Non-consortium cable.

http://www.seacablex.com/

Wet cable to connect Toronto to Buffalo. Dark fiber pairs.

http://www.marketwired.com/press-release/crosslake-fibre-to-build-submarine-cable-connecting-long-island-to-wall-new-jersey-2237925.htm

New low latency, high capacity cable connecting Marseille to Singapore and HK.
Standard consortium model. Marseille/Singapore express route is 138
milliseconds.

http://www.aaeone.com/


Roderick Beck

Director of Global Sales

United Cable Company

www.unitedcablecompany.com

85 Király utca, 1077 Budapest

rod.b...@unitedcablecompany.com

36-30-859-5144

