Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-09-30 Thread Matt Freitag
Pedro,

Please also keep in mind that the Juniper EX4500 is an end of life product.
Soon you won't be able to get Juniper to support you. That's why there are
so many for so cheap on eBay.

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.it.mtu.edu/

On Fri, Sep 30, 2016 at 4:06 PM, Saku Ytti  wrote:

> On 30 September 2016 at 22:42, Pedro  wrote:
>
> Hey Pedro,
>
> > I have some idea to put switch before bgp router in order to terminate isp
> > 10G uplinks on switch, not router. Main reason is that could be some kind of
> > 1st level of defence against ddos, second reason, less important, save cost
> > of router ports, do many port mirrors.
>
> I don't understand your rationale, unless your router is software box,
> but as it has 10G interface, probably not.
> Your router should be able to limit packets in HW, likely with better
> counter and filtering options than cheap switch.
>
> --
>   ++ytti
>


Re: nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-09-30 Thread Saku Ytti
On 30 September 2016 at 22:42, Pedro  wrote:

Hey Pedro,

> I have some idea to put switch before bgp router in order to terminate isp
> 10G uplinks on switch, not router. Main reason is that could be some kind of
> 1st level of defence against ddos, second reason, less important, save cost
> of router ports, do many port mirrors.

I don't understand your rationale, unless your router is software box,
but as it has 10G interface, probably not.
Your router should be able to limit packets in HW, likely with better
counter and filtering options than cheap switch.

-- 
  ++ytti


nexus N3K-C3064PQ vs juniper ex4500 in order to protect against ddos

2016-09-30 Thread Pedro


Hello,

I have some idea to put switch before bgp router in order to terminate
isp 10G uplinks on switch, not router. Main reason is that could be some
kind of 1st level of defence against ddos, second reason, less
important, save cost of router ports, do many port mirrors.

I think about N3K-C3064PQ or Juniper ex4500 because they are quite
cheap and there are a lot of them on eBay.

I would like to try to use some features on the nexus or juniper:

-  limit udp, icmp, bum packets (bandwidth, pps) at ingress tagged port or
vlan
-  create counters: passed and dropped packets, best way to get these
counters via snmp oid, send snmp traps, syslog etc in order to monitor
or even as an action shut down port
-  port mirror from many ports/vlans to multiple ports (other anti ddos
solutions)
-  limited bgp but with flowspec to communicate with other anti ddos
devices

I'm also wondering how the features above impact the cpu/whole switch. Can
there be some performance degradation, or are all of these features done in
hardware, at wire speed? Which model will be better to do this?

Thanks for any advice,
Pedro




Re: ARIN legacy block transfer process

2016-09-30 Thread Matthew Kaufman
But only the recipient must put them under an RSA in order to have them
registered. The source need not have an RSA or LRSA for their legacy
blocks, at least as I understand it.

I'd also suggest that having a broker is useful, because the few well-known
ones that exist are well-versed in the process by now, for all types of
sources and destinations.

Matthew Kaufman

On Fri, Sep 30, 2016 at 12:08 PM William Herrin  wrote:

> On Fri, Sep 30, 2016 at 1:34 PM, Bryan Fields 
> wrote:
> > On 9/30/16 1:22 PM, William Herrin wrote:
> >> Note that you can't sell the block as an "owned asset" and have ARIN
> >> recognize the change. ARIN does not recognize ownership of IP address
> >> blocks, they only recognize registration and authorized agents.
> >
> > This would seem to be in violation of what the NSF has said about this space.
> > I thought ARIN was slapped hard once before about this very thing?
>
> To the best of my knowledge, that's not the case. Every relevant court
> case has ended one of two ways:
>
> 1. The addresses were revoked after the POC was (correctly) determined
> not to currently represent the (defunct) registrant.
> 2. The registrant consented to place the addresses under an ARIN RSA
> without a judicial ruling. (e.g. Microsoft/Nortel)
>
> Regards,
> Bill Herrin
>
>
> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Owner, Dirtside Systems . Web: 
>


Re: ARIN legacy block transfer process

2016-09-30 Thread William Herrin
On Fri, Sep 30, 2016 at 1:34 PM, Bryan Fields  wrote:
> On 9/30/16 1:22 PM, William Herrin wrote:
>> Note that you can't sell the block as an "owned asset" and have ARIN
>> recognize the change. ARIN does not recognize ownership of IP address
>> blocks, they only recognize registration and authorized agents.
>
> This would seem to be in violation of what the NSF has said about this space.
> I thought ARIN was slapped hard once before about this very thing?

To the best of my knowledge, that's not the case. Every relevant court
case has ended one of two ways:

1. The addresses were revoked after the POC was (correctly) determined
not to currently represent the (defunct) registrant.
2. The registrant consented to place the addresses under an ARIN RSA
without a judicial ruling. (e.g. Microsoft/Nortel)

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 


Re: ARIN legacy block transfer process

2016-09-30 Thread William Herrin
On Fri, Sep 30, 2016 at 1:47 PM, Enno Rey  wrote:
> Note also there's voices recommending not to sign an RSA for legacy space (in 
> certain situations, at least), see 
> http://ipv4marketgroup.com/dont-sign-an-rsa-during-your-82-ipv4-transfer/.

Hi Enno,

The article says:

"Never sign an RSA as part of bringing your registry entry up to date,
unless you are in the process of a transfer for an IPv4 sale"

I agree with that statement. But, the situation here *IS* a transfer
for an IPv4 sale. If you want to do the transfer, the originating
registration has to be under a registration services agreement (RSA).
As a legacy registrant, the LRSA is slightly more advantageous than
the regular RSA.

If the legacy registrant is actually in Europe, you might get away
with bypassing ARIN. I wouldn't try it if they aren't.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 


Weekly Routing Table Report

2016-09-30 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet
Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG,
SAFNOG, SdNOG, BJNOG, CaribNOG and the RIPE Routing WG.

Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith .

Routing Table Report   04:00 +10GMT Sat 01 Oct, 2016

Report Website: http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary

BGP routing table entries examined: 612615
Prefixes after maximum aggregation (per Origin AS): 220315
Deaggregation factor: 2.78
Unique aggregates announced (without unneeded subnets): 298785
Total ASes present in the Internet Routing Table: 54938
Prefixes per ASN: 11.15
Origin-only ASes present in the Internet Routing Table: 36401
Origin ASes announcing only one prefix: 15384
Transit ASes present in the Internet Routing Table: 6509
Transit-only ASes present in the Internet Routing Table: 168
Average AS path length visible in the Internet Routing Table: 4.3
Max AS path length visible: 54
Max AS path prepend of ASN (55644): 51
Prefixes from unregistered ASNs in the Routing Table: 62
Unregistered ASNs in the Routing Table: 16
Number of 32-bit ASNs allocated by the RIRs: 15608
Number of 32-bit ASNs visible in the Routing Table: 12028
Prefixes from 32-bit ASNs in the Routing Table: 48261
Number of bogon 32-bit ASNs visible in the Routing Table: 151
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 333
Number of addresses announced to Internet: 2829857764
Equivalent to 168 /8s, 172 /16s and 51 /24s
Percentage of available address space announced: 76.4
Percentage of allocated address space announced: 76.4
Percentage of available address space allocated: 100.0
Percentage of address space in use by end-sites: 98.3
Total number of prefixes smaller than registry allocations: 199109

APNIC Region Analysis Summary

Prefixes being announced by APNIC Region ASes: 156521
Total APNIC prefixes after maximum aggregation: 42983
APNIC Deaggregation factor: 3.64
Prefixes being announced from the APNIC address blocks: 170242
Unique aggregates announced from the APNIC address blocks: 69342
APNIC Region origin ASes present in the Internet Routing Table: 5193
APNIC Prefixes per ASN: 32.78
APNIC Region origin ASes announcing only one prefix: 1146
APNIC Region transit ASes present in the Internet Routing Table: 943
Average APNIC Region AS path length visible: 4.4
Max APNIC Region AS path length visible: 54
Number of APNIC region 32-bit ASNs visible in the Routing Table: 2395
Number of APNIC addresses announced to Internet: 760195012
Equivalent to 45 /8s, 79 /16s and 167 /24s
APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
(pre-ERX allocations)  23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 63488-64098, 64297-64395, 131072-137529
APNIC Address Blocks   1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,
                       49/8,  58/8,  59/8,  60/8,  61/8, 101/8, 103/8,
                       106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8,
                       116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8,
                       123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8,
                       163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8,
                       203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8,
                       222/8, 223/8,

ARIN Region Analysis Summary

Prefixes being announced by ARIN Region ASes: 184711
Total ARIN prefixes after maximum aggregation: 89553
ARIN Deaggregation factor: 2.06
Prefixes being announced from the ARIN address blocks: 190560
Unique aggregates announced from the ARIN address blocks: 88497
ARIN Region origin ASes present in the Internet Routing Table: 16181
ARIN Prefixes per ASN: 11.78

Re: ARIN legacy block transfer process

2016-09-30 Thread Enno Rey
Hi,

On Fri, Sep 30, 2016 at 10:26:36AM -0700, Seth Mattinen wrote:
> On 9/30/16 09:49, Bryan Fields wrote:
> > I'm trying to find a place on ARIN's website where this is addressed, but
> > coming up short.  I'm not the seller or buyer in this, but basically someone
> > has a legacy block allocated by Postel and wants to sell the block as it's an
> > owned asset.
> >
> > What's the process to get ARIN to move the admin/ownership of this?  Do they
> > only need to see a valid asset purchase agreement?  There is no legacy RSA for
> > this.
> 
> 
> It'll have to go under RSA to stay with ARIN.
> 
> Or you can do a transfer to RIPE.

carefully note the "or".
If you first move it under ARIN's jurisdiction (by signing an RSA) and *then* 
transfer it to RIPE, it won't be "legacy" any more in the course of the 2nd 
step and RIPE's 2-yr holding period comes into play (=> it can't be transferred 
during that time).

Note also there's voices recommending not to sign an RSA for legacy space (in 
certain situations, at least), see 
http://ipv4marketgroup.com/dont-sign-an-rsa-during-your-82-ipv4-transfer/.

best

Enno

> 
> ~Seth

-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Handelsregister Mannheim: HRB 337135
Geschaeftsfuehrer: Enno Rey

===
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
===


Re: ARIN legacy block transfer process

2016-09-30 Thread Jim Mercer
On Fri, Sep 30, 2016 at 01:22:19PM -0400, William Herrin wrote:
> 1. Buyer gets approved by ARIN for a specified transfer in the amount
> to be purchased. Signs RSA.
> 2. Legacy registrant (seller) signs the LRSA, proves identity and
> authority to ARIN, places legacy block under the LRSA.

i don't recall having to sign an LRSA, but they certainly do need proof that
you are the entity that holds the block.

> 3. Buyer requests specified transfer from ARIN, seller authorizes it.
> 4. ARIN transfers registration to buyer, now under the RSA.

if you are a legacy holder, and you want a dead simple way to sell off your
rights to blocks, register for the STLS, and get your blocks added to the
list.
https://www.arin.net/public/secure/downloads/index.xhtml
(at the bottom)

this is also a good place to go if you want to buy rights to a block.

you can also solicit offers to buy from anyone on the list.

works well, and less dodgy-ness, since everyone on the list has been
vetted (to some degree) by ARIN.

--jim


-- 
Jim Mercer     Reptilian Research      j...@reptiles.org     +1 416 410-5633

Life should not be a journey to the grave with the intention of
arriving safely in a pretty and well preserved body, but rather
to skid in broadside in a cloud of smoke, thoroughly used up,
totally worn out, and loudly proclaiming "Wow! What a Ride!"
 -- Hunter S. Thompson


Re: ARIN legacy block transfer process

2016-09-30 Thread Bryan Fields
On 9/30/16 1:22 PM, William Herrin wrote:
> Note that you can't sell the block as an "owned asset" and have ARIN
> recognize the change. ARIN does not recognize ownership of IP address
> blocks, they only recognize registration and authorized agents.

This would seem to be in violation of what the NSF has said about this space.
I thought ARIN was slapped hard once before about this very thing?

Thanks,
-- 
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net


Re: ARIN legacy block transfer process

2016-09-30 Thread Seth Mattinen

On 9/30/16 09:49, Bryan Fields wrote:

> I'm trying to find a place on ARIN's website where this is addressed, but
> coming up short.  I'm not the seller or buyer in this, but basically someone
> has a legacy block allocated by Postel and wants to sell the block as it's an
> owned asset.
>
> What's the process to get ARIN to move the admin/ownership of this?  Do they
> only need to see a valid asset purchase agreement?  There is no legacy RSA for
> this.



It'll have to go under RSA to stay with ARIN.

Or you can do a transfer to RIPE.

~Seth


Re: ARIN legacy block transfer process

2016-09-30 Thread William Herrin
On Fri, Sep 30, 2016 at 12:49 PM, Bryan Fields  wrote:
> I'm trying to find a place on ARIN's website where this is addressed, but
> coming up short.  I'm not the seller or buyer in this, but basically someone
> has a legacy block allocated by Postel and wants to sell the block as it's an
> owned asset.
>
> What's the process to get ARIN to move the admin/ownership of this?

Hi Bryan,

If this is entirely within the ARIN region, the process is this:

1. Buyer gets approved by ARIN for a specified transfer in the amount
to be purchased. Signs RSA.
2. Legacy registrant (seller) signs the LRSA, proves identity and
authority to ARIN, places legacy block under the LRSA.
3. Buyer requests specified transfer from ARIN, seller authorizes it.
4. ARIN transfers registration to buyer, now under the RSA.


Note that you can't sell the block as an "owned asset" and have ARIN
recognize the change. ARIN does not recognize ownership of IP address
blocks, they only recognize registration and authorized agents.

Note that if the legacy block's registration is defective, you're in
for some trouble. Defects include a defunct organization where an
individual who is not the registrant has maintained the block.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 


Re: ARIN legacy block transfer process

2016-09-30 Thread Jared Mauch
I would review this:

https://ripe72.ripe.net/presentations/65-160524.ripe-transfer.pdf

- Jared

> On Sep 30, 2016, at 12:49 PM, Bryan Fields  wrote:
> 
> I'm trying to find a place on ARIN's website where this is addressed, but
> coming up short.  I'm not the seller or buyer in this, but basically someone
> has a legacy block allocated by Postel and wants to sell the block as it's an
> owned asset.
> 
> What's the process to get ARIN to move the admin/ownership of this?  Do they
> only need to see a valid asset purchase agreement?  There is no legacy RSA for
> this.
> 
> I'm thinking of referring both parties to an experienced broker as well.
> 
> Does anyone have current process experience with this?
> -- 
> Bryan Fields
> 
> 727-409-1194 - Voice
> http://bryanfields.net



ARIN legacy block transfer process

2016-09-30 Thread Bryan Fields
I'm trying to find a place on ARIN's website where this is addressed, but
coming up short.  I'm not the seller or buyer in this, but basically someone
has a legacy block allocated by Postel and wants to sell the block as it's an
owned asset.

What's the process to get ARIN to move the admin/ownership of this?  Do they
only need to see a valid asset purchase agreement?  There is no legacy RSA for
this.

I'm thinking of referring both parties to an experienced broker as well.

Does anyone have current process experience with this?
-- 
Bryan Fields

727-409-1194 - Voice
http://bryanfields.net