Re: Inexpensive software bgp router that supports route tags?

2015-07-01 Thread Israel G. Lugo
On 07/02/2015 04:23 AM, Israel G. Lugo wrote: > protocol static temp_block { > # DDOS mitigation, etc > route 203.0.113.17/32 blackhole; > } Didn't make it clear in my example, but you can obviously have multiple routes in a static instance: protocol static temp_block { route 203.0.113.17/

Re: Inexpensive software bgp router that supports route tags?

2015-07-01 Thread Israel G. Lugo
+1 for BIRD. Basically, what you want is to have several different static (blackhole) routes, and be able to differentiate them at BGP level, for marking with communities, etc. Correct? This is easy with BIRD. Just use separate instances of the "static" protocol, and filter using "proto" to disti

Re: REMINDER: LEAP SECOND

2015-07-01 Thread Mike Hammett
No, I'm surprised we know the kernels. They're a pretty closed company. All we can do is enter IPs for the client side and turn it on\off server side. Well, and broadcast\multicast\manycast. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exc

Re: REMINDER: LEAP SECOND

2015-07-01 Thread Harlan Stenn
Mike Hammett writes: > It looks to have only affected the CCR line and only those running the > NTP and not the SNTP package. Any idea what version of NTP or what their configuration looked like? H

Re: leap second outage

2015-07-01 Thread Harlan Stenn
Jimmy Hess writes: > On Wed, Jul 1, 2015 at 12:38 AM, Mikael Abrahamsson wrote: > > quickly. Either we should abolish the leap second or we should make leap > > second adjustments (back and forth) on a monthly basis to exercise the code > . > > See maybe there should some day be building cod

Re: leap second outage

2015-07-01 Thread Tim Raphael
No, it was a route leak by a colo provider (Axcelx) downstream. Regards, Tim Raphael > On 1 Jul 2015, at 11:37 am, Justin Paine via NANOG wrote: > > Any confirmation if the AWS outage was leap second-related? > > > Justin Paine > Head of Trust & Safety > CloudFlare Inc. > PGP Ke

RE: leap second outage

2015-07-01 Thread frnkblk
And just 12.5% of them required TLC. =) -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of frnk...@iname.com Sent: Wednesday, July 01, 2015 7:05 AM To: 'Stefan' Cc: nanog@nanog.org Subject: RE: leap second outage Yes, happened at 7 pm Central (0:oo UTC). From

Re: Inexpensive software bgp router that supports route tags?

2015-07-01 Thread Dan White
On 07/01/15 15:47 -0400, David H wrote: Sorry I wasn't clear on that. Traditionally on a hardware, e.g. cisco/brocade, router performing the RTBH role, I'd add blackhole routes by way of static routes with a particular tag; one tag for block this source, one tag for block this destination. Redi

Re: Inexpensive software bgp router that supports route tags?

2015-07-01 Thread David H
Sorry I wasn't clear on that. Traditionally on a hardware, e.g. cisco/brocade, router performing the RTBH role, I'd add blackhole routes by way of static routes with a particular tag; one tag for block this source, one tag for block this destination. Redistribute static would let route maps opera

Re: Inexpensive software bgp router that supports route tags?

2015-07-01 Thread David H
Thanks all; I'll check out ExaBGP and the software version of Mikrotik; didn't realize it wasn't tied to hardware. On Wed, Jul 1, 2015 at 11:19 AM, David H wrote: > Hi all, I was wondering if anyone can recommend a software (preferable), > or hardware-based router with an API, that supports BGP

Re: Inexpensive software bgp router that supports route tags?

2015-07-01 Thread Job Snijders
On Wed, Jul 01, 2015 at 11:19:45AM -0400, David H wrote: > I was wondering if anyone can recommend a software (preferable), or > hardware-based router with an API, that supports BGP with tags on > advertised routes? I want to use it for a RTBH feed [ ... ] Did you look at BIRD? It is one of the m

Re: REMINDER: LEAP SECOND

2015-07-01 Thread Mike Hammett
http://forum.mikrotik.com/viewtopic.php?f=2&t=98138#p488731 - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com - Original Message - From: "Rubens Kuhl" To: "Nanog" Sent: Wednesday, July 1, 2015 1:

Re: GRE performance over the Internet - DDoS cloud mitigation

2015-07-01 Thread Dennis B
Kenneth, That would also be my recommendation to this scenario. The only caveat would be to consider the risk in the service-policy dropping legit traffic because the policy. Often times, the PPS rates of a DDoS attack fill the policy queue up with malicious packets, sending the legit packets in

Re: Inexpensive software bgp router that supports route tags?

2015-07-01 Thread Pavel Odintsov
My voice for awesome ExaBGP too! On Wednesday, July 1, 2015, harbor235 wrote: > Quagga supports BGP communities, > > > > Mike > > On Wed, Jul 1, 2015 at 11:19 AM, David H > wrote: > > > Hi all, I was wondering if anyone can recommend a software (preferable), > or > > hardware-based router with

Re: Inexpensive software bgp router that supports route tags?

2015-07-01 Thread harbor235
Quagga supports BGP communities, Mike On Wed, Jul 1, 2015 at 11:19 AM, David H wrote: > Hi all, I was wondering if anyone can recommend a software (preferable), or > hardware-based router with an API, that supports BGP with tags on > advertised routes? I want to use it for a RTBH feed and ha

Re: Inexpensive software bgp router that supports route tags?

2015-07-01 Thread james machado
David, check out exabgp https://github.com/Exa-Networks/exabgp james On Wed, Jul 1, 2015 at 8:19 AM, David H wrote: > Hi all, I was wondering if anyone can recommend a software (preferable), or > hardware-based router with an API, that supports BGP with tags on > advertised routes? I want to u

Re: Inexpensive software bgp router that supports route tags?

2015-07-01 Thread Faisal Imtiaz
FYI, Mikrotik is software (ROS) you can run it on an x86 platform (physical or virtual machine). Not sure about the API and BGP, but they have extensive support for scripting. Additionally check the Mikrotik Forums for other user developed API/Interfaces... Regards. Faisal Imtiaz Snappy Interne

Re: in-cabinet PDU safety regs?

2015-07-01 Thread Ian Smith
If you are in the US, NFPA 70 article 645 may, or may not, apply. http://www.powercabling.com/documents/NEC645.pdf On Wed, Jul 1, 2015, 12:44 William Herrin wrote: > Hi Folks, > > Do you know of any regulations, standards or publications covering the > safe installation and use of the little 1U

Inexpensive software bgp router that supports route tags?

2015-07-01 Thread David H
Hi all, I was wondering if anyone can recommend a software (preferable), or hardware-based router with an API, that supports BGP with tags on advertised routes? I want to use it for a RTBH feed and having it in software would make certain things easier to automate. I tried Quagga/Zebra but it doe

Re: Route leak in Bangladesh

2015-07-01 Thread Mark Tinka
On 1/Jul/15 17:11, Nick Hilliard wrote: > > The source code is available on github.com/inex. Lots of IXPs use it in > production. Thanks, Nick. I'll have a bit of a sniff... Mark.

Re: REMINDER: LEAP SECOND

2015-07-01 Thread Rubens Kuhl
On Wed, Jul 1, 2015 at 3:17 PM, Chris Adams wrote: > Once upon a time, Mike Hammett said: > > v5 is 2.4, v6 3.3.5 > > Don't know why a 3.3.5 kernel would have deadlocked; don't think there > are any known issues that would cause that, unless there are Mikrotik > specific patches that caused the

Re: REMINDER: LEAP SECOND

2015-07-01 Thread Mike Hammett
The only v6 ones that are sure to have had the problem are based on tilera chips and one of two NTP packages available. *shrugs* - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com - Original Message -

Re: REMINDER: LEAP SECOND

2015-07-01 Thread Chris Adams
Once upon a time, Mike Hammett said: > v5 is 2.4, v6 3.3.5 Don't know why a 3.3.5 kernel would have deadlocked; don't think there are any known issues that would cause that, unless there are Mikrotik specific patches that caused the problem. I believe the bug from the 2008 leap second was prese

Re: Leap Second Folo/After Action

2015-07-01 Thread goemon
supposedly vulnerable devices sailed through without a peep. -Dan On Wed, 1 Jul 2015, Jay Ashworth wrote: Here's LWN's piece on the then-upcoming event from last week, presumably with comments trailing into today. http://lwn.net/Articles/648313/ How'd it go for everyone? Did the world end?

Re: Leap Second Folo/After Action

2015-07-01 Thread Scott Weeks
--- j...@baylink.com wrote: From: Jay Ashworth Here's LWN's piece on the then-upcoming event from last week, presumably with comments trailing into today. http://lwn.net/Articles/648313/ How'd it go for everyone? Did the world end? --- Not one

RE: [outages] CenturyLink fiber cut between Modesto, CA and San Jose, CA this AM.. Start time 4:26AM PST

2015-07-01 Thread Keith Medcalf
Have they asked No-Such-Agency? No-Such-Agency typically taps communication lines by "back-hoe accident" of some sort on the path they are interested in tapping. That way they can install a tap "over yonder" while the victim telecom is attempting to repair the original damage. I guess this t

Leap Second Folo/After Action

2015-07-01 Thread Jay Ashworth
Here's LWN's piece on the then-upcoming event from last week, presumably with comments trailing into today. http://lwn.net/Articles/648313/ How'd it go for everyone? Did the world end? Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer

Re: REMINDER: LEAP SECOND

2015-07-01 Thread Mike Hammett
v5 is 2.4, v6 3.3.5 - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com - Original Message - From: "Chris Adams" To: nanog@nanog.org Sent: Wednesday, July 1, 2015 9:39:09 AM Subject: Re: REMINDER:

in-cabinet PDU safety regs?

2015-07-01 Thread William Herrin
Hi Folks, Do you know of any regulations, standards or publications covering the safe installation and use of the little 1U and 2U PDUs in rack cabinets? My google fu is failing me. All I've found is OSHA 1926.403(i)(1)(i) (https://www.osha.gov/pls/oshaweb/owadisp.show_document?p_table=STANDARDS&p

Re: GRE performance over the Internet - DDoS cloud mitigation

2015-07-01 Thread Kenneth McRae
How stable can GRE transports and BGP sessions be when under load? I typically protect the BGP session by policing all traffic being delivered to the remote end except for BGP. Using this posture, my BGP sessions over GRE are stable; even under attack. Kenneth On Jun 30, 2015, at 01:37 PM,

Re: Route leak in Bangladesh

2015-07-01 Thread Nick Hilliard
On 01/07/2015 17:03, Joe Abley wrote: > The idea of configuring this stuff from the IRR is great in terms of > distributing the ops cycles in the right places, but it doesn't help with > verifying that the end result isn't insane, as I think you and Mike have > described on this list over the past

Re: Route leak in Bangladesh

2015-07-01 Thread Joe Abley
On 1 Jul 2015, at 11:03, Jared Mauch wrote: On Wed, Jul 01, 2015 at 03:54:16PM +0100, Nick Hilliard wrote: On 01/07/2015 15:51, Mark Tinka wrote: I found RPSL complicated a few years ago, and sort of put that on the back-burner. you probably want to ignore more rpsl constructs and depend

Re: Route leak in Bangladesh

2015-07-01 Thread Mike Hammett
That they do. Thanks for a great system, BTW! - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com - Original Message - From: "Nick Hilliard" To: "Mark Tinka" , "Jared Mauch" Cc: "North American Net

Re: Route leak in Bangladesh

2015-07-01 Thread Nick Hilliard
On 01/07/2015 16:02, Mark Tinka wrote: > Honestly, I'm ambivalent about using the IRR data for prefix-list > generation (even without RPSL), also because of how much junk there is > in there, and also how redundant some of it really is, e.g., someone > creating a /32 (IPv4) route object and yet we

Re: Route leak in Bangladesh

2015-07-01 Thread Mark Tinka
On 1/Jul/15 17:04, Nick Hilliard wrote: > Naah, trie compilation is simple, particularly with a line oriented > configuration like IOS (one of the worse offenders). Once the config is > syntax-checked, a regexp will split it out trivially and the binary form of > the data can be compiled. Even

Re: Route leak in Bangladesh

2015-07-01 Thread Nick Hilliard
On 01/07/2015 15:57, Mark Tinka wrote: > Remember some high-end Cisco routers only have 2MB of NVRAM. This could > get tested with a large prefix-list configuration. Junos may not have > much of a space issue since the configuration is stored on the compact > flash or HDD. Not at all. Even C6500

Re: Route leak in Bangladesh

2015-07-01 Thread Jared Mauch
On Wed, Jul 01, 2015 at 03:54:16PM +0100, Nick Hilliard wrote: > On 01/07/2015 15:51, Mark Tinka wrote: > > I found RPSL complicated a few years ago, and sort of put that on the > > back-burner. > > you probably want to ignore more rpsl constructs and depend solely on > as-sets, aut-nums and route

Re: Route leak in Bangladesh

2015-07-01 Thread Mark Tinka
On 1/Jul/15 16:54, Nick Hilliard wrote: > you probably want to ignore more rpsl constructs and depend solely on > as-sets, aut-nums and route/route6 objects. RPSL is not going to live up > to your expectations. Honestly, I'm ambivalent about using the IRR data for prefix-list generation (even w

Re: Route leak in Bangladesh

2015-07-01 Thread Mark Tinka
On 1/Jul/15 16:52, Nick Hilliard wrote: > This is a strange sort of thing really. There's no reason that a compiled > prefix list of 250k entries should take up much RAM in a trie structure; > there's no reason that a competently written parser shouldn't be able to > handle 20 megs of prefix lis

Re: Route leak in Bangladesh

2015-07-01 Thread Nick Hilliard
On 01/07/2015 15:51, Mark Tinka wrote: > I found RPSL complicated a few years ago, and sort of put that on the > back-burner. you probably want to ignore more rpsl constructs and depend solely on as-sets, aut-nums and route/route6 objects. RPSL is not going to live up to your expectations. Nick

Re: Route leak in Bangladesh

2015-07-01 Thread Nick Hilliard
On 01/07/2015 15:12, Jared Mauch wrote: > I would like to see others participate in the dialog with vendors > so we don't seem to be quite an outlier with "wow, you have really > large configs". The vendors haven't quite kept pace with the increase > in density proportional to the number of

Re: Route leak in Bangladesh

2015-07-01 Thread Mark Tinka
On 1/Jul/15 16:12, Jared Mauch wrote: > > I would like to see others participate in the dialog with vendors > so we don't seem to be quite an outlier with "wow, you have really > large configs". The vendors haven't quite kept pace with the increase > in density proportional to the number o

Re: REMINDER: LEAP SECOND

2015-07-01 Thread Chris Adams
Once upon a time, Rubens Kuhl said: > Not quite. Reported crashes included 6.27, so it's possible that some other > mitigating factor helped not to crash (like using SNTP instead of NTP, > although there seems to be people with crashes using SNTP or no SNTP/NTP at > all). These are running Linux

Re: REMINDER: LEAP SECOND

2015-07-01 Thread Rubens Kuhl
On Wed, Jul 1, 2015 at 11:15 AM, Michel Luczak wrote: > > I had problems with Leap Second with mikrotik in versions 6.29.1, 6.28, > 6.5 and other versions. > > > > Configured NTP Client in all of them. > > > > Anyone else had this problem? > > Apparently 6.27 was the safe version to have (no issu

Re: REMINDER: LEAP SECOND

2015-07-01 Thread Michel Luczak
> I had problems with Leap Second with mikrotik in versions 6.29.1, 6.28, 6.5 > and other versions. > > Configured NTP Client in all of them. > > Anyone else had this problem? Apparently 6.27 was the safe version to have (no issues on our CRS and CCR routers). Regards, Michel

Re: Route leak in Bangladesh

2015-07-01 Thread Jared Mauch
On Wed, Jul 01, 2015 at 08:25:06AM +0200, Mark Tinka wrote: > > > On 30/Jun/15 17:09, Job Snijders wrote: > > > > If you are a network providing transit to the leak originator mentioned > > in the above paragraph, I believe a prefix based filter could have made > > a big difference. > > And ther

Re: REMINDER: LEAP SECOND

2015-07-01 Thread Rubens Kuhl
On Wed, Jul 1, 2015 at 10:17 AM, Mike Hammett wrote: > It looks to have only affected the CCR line and only those running the NTP > and not the SNTP package. > > That's Mikrotik's position, but reports of some users contradict their version (both in the need for NTP and for only affecting CCR lin

Re: REMINDER: LEAP SECOND

2015-07-01 Thread Mike Hammett
It looks to have only affected the CCR line and only those running the NTP and not the SNTP package. - Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest Internet Exchange http://www.midwest-ix.com - Original Message - From: "Guilherme Ganascim"

Re: REMINDER: LEAP SECOND

2015-07-01 Thread Guilherme Ganascim
I had problems with Leap Second with mikrotik in versions 6.29.1, 6.28, 6.5 and other versions. Configured NTP Client in all of them. Anyone else had this problem? > On Jun 19, 2015, at 19:30, Baldur Norddahl wrote: > > On 19 June 2015 at 23:58, Harlan Stenn wrote: > >> Bad idea. >> >> Wh

Re: Sacramento Outage.

2015-07-01 Thread Brooks Bridges
I suspect most people here also sub the outages lists https://puck.nether.net/pipermail/outages/2015-June/007904.html Brooks Bridges On 6/30/2015 5:37 PM, Larry Sheldon wrote: Is it odd that there is no mention of this even here? http://www.wavebroadband.com/resources/outage/service.txt

Re: leap second outage

2015-07-01 Thread Justin Paine via NANOG
Any confirmation if the AWS outage was leap second-related? Justin Paine Head of Trust & Safety CloudFlare Inc. PGP KeyID: 57B6 0114 DE0B 314D On Tue, Jun 30, 2015 at 8:32 PM, Dovid Bender wrote: > I read that and that at midnight local time since that's when you have the > extra

Re: Sacramento Outage.

2015-07-01 Thread Duga
Was surprised too. http://www.usatoday.com/story/tech/2015/06/30/california-internet-outage/29521335/ > On 30 Jun 2015, at 19:37, Larry Sheldon wrote: > > > Is it odd that there is no mention of this even

Re: leap second outage

2015-07-01 Thread Jimmy Hess
On Wed, Jul 1, 2015 at 12:38 AM, Mikael Abrahamsson wrote: > quickly. Either we should abolish the leap second or we should make leap > second adjustments (back and forth) on a monthly basis to exercise the code. See maybe there should some day be building codes for commercially marketed sof

RE: leap second outage

2015-07-01 Thread frnkblk
Yes, happened at 7 pm Central (0:oo UTC). From: Stefan [mailto:netfort...@gmail.com] Sent: Tuesday, June 30, 2015 10:30 PM To: frnk...@iname.com Cc: nanog@nanog.org Subject: Re: leap second outage This was supposed to have happened @midnight UTC, right? Meaning that we are past that event

Re: leap second outage

2015-07-01 Thread Johnny Eriksson
Mikael Abrahamsson wrote: > This is similar to the jiffycounter wrapping, since this doesn't happen > that often, it's not commonly tested for. Good way is to start the jiffy > counter so it wraps after 10 minutes of uptime. That way you'll run into > any bugs quickly. Either we should abolish