Re: Frontier

2017-05-02 Thread Matt Hoppes
Someone did. Unfortunately, response time through Frontier's NOC seems to have 
gotten terrible since the acquisition of many Verizon properties. 

Whenever we have issues, it's the norm to wait two to four hours before we hear 
anything back, and often the NOC scrambles the information. 

50% of the time when we call in for ticket updates, the ticket has been closed 
or can't be found. Hang up, call back, and now it's found. 

And several times the ticket had been closed without confirming with the end 
user that the issue has actually been fixed. 

It's terrible.  

> On May 2, 2017, at 9:09 PM, Eric Dugas  wrote:
> 
> I hope someone contacted you off-list because their NOC's answer was 
> unacceptable.
> 
> Pretty sure it's a human error and not malicious but network operators have 
> to react quickly to this type of issue.
> 
> Several days? Even several hours is a ridiculous response time. Contact their 
> upstream providers and mention they (the upstream) are not doing their job by 
> filtering their customers' BGP announcements. Contact IXes (if they're 
> connected to any), peers, etc. Rinse and repeat.
> 
> Finally, threaten them with legal action by sending angry emails or calls to 
> senior ops/management/marketing/legal departments.
> 
> On May 2, 2017 17:14, "Matt Hoppes"  wrote:
> I need a network administrator from Frontier to contact me ASAP regarding BGP 
> advertisement of a block that needs to stop please.
> 
> We are down. Have been told it will be several days until restoration. And 
> Frontier is advertising our IPs so I can't even advertise them out a 
> different route.
> 
> The NOC had been completely unhelpful.
> 
> 570-707-3000
> mhop...@rivervalleyinternet.net
> 


Re: Frontier

2017-05-02 Thread Eric Dugas
I hope someone contacted you off-list because their NOC's answer
was unacceptable.

Pretty sure it's a human error and not malicious but network operators have
to react quickly to this type of issue.

Several days? Even several hours is a ridiculous response time. Contact
their upstream providers and mention they (the upstream) are not doing
their job by filtering their customers' BGP announcements. Contact IXes (if
they're connected to any), peers, etc. Rinse and repeat.

Finally, threaten them with legal action by sending angry emails or calls
to senior ops/management/marketing/legal departments.

On May 2, 2017 17:14, "Matt Hoppes" 
wrote:

I need a network administrator from Frontier to contact me ASAP regarding
BGP advertisement of a block that needs to stop please.

We are down. Have been told it will be several days until restoration. And
Frontier is advertising our IPs so I can't even advertise them out a
different route.

The NOC had been completely unhelpful.

570-707-3000
mhop...@rivervalleyinternet.net
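
The escalation path described above (origin first, then the upstreams and peers that are propagating the announcement) starts from knowing exactly who is originating the prefix and who is carrying it. The script below is an added example, not code from this thread: it takes route-collector style observations (constructed here; in practice they would come from a looking glass or a BGP monitoring feed) and, for every origin other than your own that announces your prefix or a more-specific of it, lists the prefixes and the ASes directly adjacent to that origin in the paths, which are the networks to escalate to. All ASNs are private-use values and all prefixes are RFC 5737 documentation space, chosen for illustration.

```python
"""Find who is announcing my prefix and who is propagating it.
Added example, not code from this thread.  All ASNs (private-use 65xxx range)
and prefixes (RFC 5737 documentation space) are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed observations in the form a route collector exposes:
# (prefix, AS_PATH as seen by the collector, rightmost element = origin).
OBSERVED = [
    ("192.0.2.0/23",    [65100, 65200, 65000]),          # my own announcement
    ("192.0.2.0/24",    [65100, 65300, 65001]),          # unexpected origin via AS65300
    ("192.0.2.0/24",    [65400, 65300, 65001, 65001]),   # same, with a prepend
    ("192.0.2.0/24",    [65500, 65001]),                 # AS65500 neighbours the origin
    ("198.51.100.0/24", [65100, 65600]),                 # unrelated prefix
]


def hijack_report(my_prefix, my_asn, observed):
    """Return {origin_asn: {"prefixes": [...], "adjacent_asns": [...],
    "more_specific": bool}} for every origin other than my_asn that announces
    my prefix or a more-specific of it.  adjacent_asns are the networks one hop
    away from the offending origin: its transit providers or peers that failed
    to filter the announcement."""
    mine = ipaddress.ip_network(my_prefix)
    prefixes = defaultdict(set)
    adjacent = defaultdict(set)
    for prefix, path in observed:
        net = ipaddress.ip_network(prefix)
        if net.version != mine.version or not net.subnet_of(mine) or not path:
            continue
        origin = path[-1]
        if origin == my_asn:
            continue
        prefixes[origin].add(prefix)
        # Skip prepends: the neighbour is the last AS in the path that is not the origin.
        upstream = next((asn for asn in reversed(path) if asn != origin), None)
        if upstream is not None:
            adjacent[origin].add(upstream)
    return {
        origin: {
            "prefixes": sorted(pfx, key=lambda s: ipaddress.ip_network(s)),
            "adjacent_asns": sorted(adjacent[origin]),
            "more_specific": any(ipaddress.ip_network(s).prefixlen > mine.prefixlen
                                 for s in pfx),
        }
        for origin, pfx in prefixes.items()
    }


if __name__ == "__main__":
    for origin, info in hijack_report("192.0.2.0/23", 65000, OBSERVED).items():
        print(f"AS{origin} announces {info['prefixes']} "
              f"(more specific than mine: {info['more_specific']}); "
              f"escalate to {info['adjacent_asns']}")
```

With the constructed input the report names AS65001 as the offending origin, flags that it is announcing a more-specific (a /24 inside the /23), and lists AS65300 and AS65500 as the neighbours to contact.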


Re: Financial services BGP hijack last week?

2017-05-02 Thread Randy Bush
> the use of rsync in RPKI is preventing a lot of large ISPs from
> implementing it (too difficult to provide redundancy with
> rsync).

uh, at least the DRL implementation supports caches feeding off of
caches in (if you are silly enough) an arbitrarily complex graph.

some years back, our research group actually used large clusters to
emulate large deployments with multi-level caching and found it quite
efficient.  see

   Olaf Maennel, Iain Phillips, Debbie Perouli, Randy Bush, Rob Austein,
   and Askar Jaboldinov, "Towards a Framework for Evaluating BGP
   Security," CSET'12, 5th Workshop on Cyber Security Experimentation
   and Test.
   https://www.usenix.org/system/files/conference/cset12/cset12-final19.pdf

randy


Re: Financial services BGP hijack last week?

2017-05-02 Thread Christopher Morrow
On Tue, May 2, 2017 at 11:21 AM, Compton, Rich A 
wrote:

> That's the million dollar question.  I think that there will be more
> adoption from the Internet at large when some big players adopt it.  Right
> now the use of rsync in RPKI is preventing a lot of large ISPs from
> implementing it (too difficult to provide redundancy with rsync). There is
>

how is it hard to provide redundancy with rsync?


Re: Financial services BGP hijack last week?

2017-05-02 Thread Randy Bush
>> it only proves the need for wider RPKI adoption
> How can we actually encourage RPKI adoption?

http://certification-stats.ripe.net/

tim, oleg, alex, ..., the ripe/ncc team, and the ripe community have
worked very hard to make it easy, and the numbers show their success.

lacnic even more so when looked at as a percentage (not shown at the
above url); i.e. they have approximately 25% coverage; also due to solid
policy, community, and technical work.

arin has made it very difficult for a large and important segment of
their membership, and the numbers show their negative success.

the other regions are asleep.

but the rpki is only part of the equation.  to be pedantic,

The RPKI is the X.509 based hierarchy [rfc 6481] which is congruent
with the internet IP address allocation administration, the IANA,
RIRs, ISPs, ...  It is the substrate on which the next two are
based.  It is currently deployed in all five administrative regions.

RPKI-based Origin Validation [rfc 6811] uses the RPKI data to allow
a router to verify that the autonomous system announcing an IP
address prefix is in fact authorized to do so.  This is not crypto
checked so can be violated.  But it should prevent the vast majority
of accidental 'hijackings' on the internet today, e.g. the famous
Pakistani accidental announcement of YouTube's address space.
RPKI-based origin validation is in shipping code from many vendors.

Path validation, a downstream technology just finishing
standardisation, uses the full crypto information of the RPKI to
make up for the embarrassing mistake that, like much of the internet,
BGP was designed with no thought to securing the BGP protocol itself
from being gamed/violated.  It allows a receiver of a BGP
announcement to formally cryptographically validate that the
originating autonomous system was truly authorized to announce the
IP address prefix, and that the systems through which the
announcement passed were indeed those which the sender/forwarder at
each hop intended.

one blocker for origin validation deployment today is lack of solid
testing of vendors' implementations; and one is known to be sorely
mis-implemented.

there is work to be done.  as stephane pointed out, if you want to be
overwhelmed with tweets or email, subscribe to the feed of mis-
originations at andree's http://bgpmon.net/.  as the sea level rises,
maybe we'll do more about this problem.

randy
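
The origin validation step described in the message above (RFC 6811) is small enough to show in full. The following is an added example, not code from this thread or from any vendor: it implements the Valid / Invalid / NotFound decision a router makes against a table of Validated ROA Payloads (VRPs), which in a real deployment it would receive from a validating cache over the RPKI-Router protocol (RFC 6810). The VRP table is constructed; in particular the entry for YouTube's 208.65.152.0/22 assumes a ROA that did not exist in 2008, purely so the Pakistan Telecom announcement of 208.65.153.0/24 from AS17557 can be run through the check.

```python
"""RPKI-based Origin Validation (RFC 6811).  Added example, not code from
this thread or from any vendor.  The VRP table is constructed (a router gets
it from a validating cache over RTR, RFC 6810); the YouTube entry assumes a
ROA that did not exist at the time of the 2008 incident."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: prefix, maximum length, authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


VRPS = [
    VRP("208.65.152.0/22", 22, 36561),   # assumed ROA: YouTube's block, AS36561, no more-specifics
    VRP("192.0.2.0/24", 24, 65000),      # documentation prefix, private-use ASN
    VRP("2001:db8::/32", 48, 65000),     # IPv6 ROA allowing announcements down to /48
]


def validate_origin(prefix, origin_asn, vrps):
    """Return 'valid', 'invalid' or 'not-found' for (prefix, origin_asn).

    origin_asn is None when the AS_PATH ends in an AS_SET: such a route has no
    single origin, so it can be Invalid or NotFound but never Valid.
    A route is covered when at least one VRP prefix contains it; it is valid
    when a covering VRP also matches the origin AS and its length does not
    exceed that VRP's maxLength; covered without a match is invalid."""
    net = ipaddress.ip_network(prefix)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if origin_asn == vrp.asn and net.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed routes as (prefix, origin AS), each chosen to show one outcome.
ROUTES = [
    ("208.65.152.0/22", 36561),   # valid
    ("208.65.153.0/24", 17557),   # invalid: wrong origin (the 2008 YouTube incident)
    ("208.65.153.0/24", 36561),   # invalid: right origin, but the /24 exceeds maxLength 22
    ("203.0.113.0/24", 64496),    # not-found: no covering ROA at all
    ("2001:db8:1::/48", 65000),   # valid
    ("192.0.2.0/24", None),       # invalid: AS_SET origin under a covering ROA
]


def classify(routes, vrps):
    """Validation state for every route, keyed by (prefix, origin)."""
    return {(p, a): validate_origin(p, a, vrps) for p, a in routes}


if __name__ == "__main__":
    for (p, a), state in classify(ROUTES, VRPS).items():
        print(f"{p:18} AS{a!s:6} -> {state}")
```

The third route is the one operators most often get wrong when creating ROAs: a ROA with maxLength equal to the prefix length makes every more-specific announced by the same AS Invalid, so deaggregating later requires updating the ROA first. Whether NotFound routes are accepted is local policy; with the coverage figures given in the message above, dropping NotFound would drop most of the table, which is why deployments start by rejecting only Invalid.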


Frontier

2017-05-02 Thread Matt Hoppes
I need a network administrator from Frontier to contact me ASAP regarding BGP 
advertisement of a block that needs to stop please. 

We are down. Have been told it will be several days until restoration. And 
Frontier is advertising our IPs so I can't even advertise them out a different 
route. 

The NOC had been completely unhelpful. 

570-707-3000
mhop...@rivervalleyinternet.net

Re: SD-WAN for enlightened

2017-05-02 Thread Stefan
As of this announcement:

http://investor.cisco.com/investor-relations/news-and-events/news/news-details/2017/Cisco-Announces-Intent-to-Acquire-Viptela/default.aspx

there will be one less than before :-)

Seriously - when I first learned about them, upon service inclusion of the
Viptela products into the VzB SD-WAN offering, they (Viptela -
http://blog.ipspace.net/2014/11/viptela-sen-hybrid-wan-connectivity.html)
looked very nice, already, as standalone products. And that was a few years
back.

***Stefan

On Tue, May 2, 2017 at 12:44 PM, Doug Marschke 
wrote:

> Too many to list.  I don’t know who is “winning” in market share right
> now, as I am sure each vendor tracks their wins differently.
>
> There are definitely a few making more noise than others.
>
> Doug Marschke
>
> CTO
>
>   www.sdnessentials.com
>
> JNCIE-SP #41, JNCIE-ENT #3
>
> 415-902-5702 (cell)
>
> 415-340-3112 (office)
>
>
>
> From: Colton Conor [mailto:colton.co...@gmail.com]
> Sent: Thursday, April 27, 2017 6:26 PM
> To: Doug Marschke 
> Cc: Kasper Adel ; NANOG list 
> Subject: Re: SD-WAN for enlightened
>
>
>
> So who are the big SD-WAN players out there?
>
>
>
> On Mon, Apr 17, 2017 at 10:31 AM, Doug Marschke wrote:
>
> Hello Kasper,
>
> I will do my best to answer your SD-WAN question, but as you mentioned it
> is a buzzword that has a bit of confusion in its definitions.  I would say
> that a SD-WAN solution should have the following elements:
>
> 1.) Ability to manage multiple WAN connections and choose the path based on
> user and machine criteria (the Hybrid WAN)
> 2.) A controller to manage the policies and operations of the SD-WAN devices
> 3.) Analytics on the network and application level
> 4.) A software overlay that abstracts and secures the underlying networks
>
> Currently there are a lot of solutions out there by many vendors.  Some do
> all of these and some a subset, so it makes the landscape a bit confusing.
> Lots of times vendors use SD-WAN when they are really just talking about
> Hybrid WAN (multiple connections) or WAN optimization.
>
>
>
>
>
> Doug Marschke
> CTO
> www.sdnessentials.com 
> JNCIE-SP #41, JNCIE-ENT #3
> 415-902-5702   (cell)
> 415-340-3112   (office)
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Kasper Adel
> Sent: Sunday, April 16, 2017 1:14 PM
> To: NANOG list <nanog@nanog.org>
> Subject: SD-WAN for enlightened
>
> Hi,
>
> I'm not sure if the buzzword SD-WAN is used to compensate for another
> buzzword that got over-utilized (SDN) or if it is a true 'new and improved'
> way of doing things that has some innovation in it.
>
> I heard different explanations from different vendors:
>
> 1) appliances (+ controller) placed in-line to put traffic in tunnels
> based on policy, with some DPI and traffic tagging... (to do
> performance/policy based routing) over an expensive link (MPLS) and a cheap
> one (broadband) with some 'firewall-like' filtering capabilities.
> 2) same as above, with a flavor of 'machine learning' to find a pattern
> for traffic to optimize utilization.
> 3) a controller that instantiates and tears down tunnels from 'classic
> routers' based on external policies and network based features to do
> performance based routing over an expensive link (MPLS) and a cheap one
> (broadband) with encryption.
>
> Is the above a decent high-level summary?
>
> Has anyone tried any of these solutions? Any general feedback?
>
> Cheers,
> Kim
>
>
>
>


RE: SD-WAN for enlightened

2017-05-02 Thread Doug Marschke
Too many to list.  I don’t know who is “winning” in market share right now, as 
I am sure each vendor tracks their wins differently.

 

There are definitely a few making more noise than others.

 

Doug Marschke

CTO

  www.sdnessentials.com

JNCIE-SP #41, JNCIE-ENT #3

415-902-5702 (cell)

415-340-3112 (office)

 

From: Colton Conor [mailto:colton.co...@gmail.com] 
Sent: Thursday, April 27, 2017 6:26 PM
To: Doug Marschke 
Cc: Kasper Adel ; NANOG list 
Subject: Re: SD-WAN for enlightened

 

So who are the big SD-WAN players out there? 

 

On Mon, Apr 17, 2017 at 10:31 AM, Doug Marschke <d...@sdnessentials.com> wrote:

Hello Kasper,

I will do my best to answer your SD-WAN question, but as you mentioned it is a 
buzzword that has a bit of confusion in its definitions.  I would say that a 
SD-WAN solution should have the following elements:

1.) Ability to manage multiple WAN connections and choose the path based on user 
and machine criteria (the Hybrid WAN)
2.) A controller to manage the policies and operations of the SD-WAN devices
3.) Analytics on the network and application level
4.) A software overlay that abstracts and secures the underlying networks

Currently there are a lot of solutions out there by many vendors.  Some do all 
of these and some a subset, so it makes the landscape a bit confusing.  Lots of 
times vendors use SD-WAN when they are really just talking about Hybrid WAN 
(multiple connections) or WAN optimization.





Doug Marschke
CTO
www.sdnessentials.com  
JNCIE-SP #41, JNCIE-ENT #3
415-902-5702   (cell)
415-340-3112   (office)


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Kasper Adel
Sent: Sunday, April 16, 2017 1:14 PM
To: NANOG list <nanog@nanog.org>
Subject: SD-WAN for enlightened

Hi,

I'm not sure if the buzzword SD-WAN is used to compensate for another buzzword 
that got over-utilized (SDN) or if it is a true 'new and improved'
way of doing things that has some innovation in it.

I heard different explanations from different vendors:

1) appliances (+ controller) placed in-line to put traffic in tunnels based on 
policy, with some DPI and traffic tagging... (to do performance/policy based 
routing) over an expensive link (MPLS) and a cheap one (broadband) with some 
'firewall-like' filtering capabilities.
2) same as above, with a flavor of 'machine learning' to find a pattern for 
traffic to optimize utilization.
3) a controller that instantiates and tears down tunnels from 'classic routers' 
based on external policies and network based features to do performance based 
routing over an expensive link (MPLS) and a cheap one
(broadband) with encryption.

Is the above a decent high-level summary?

Has anyone tried any of these solutions? Any general feedback?

Cheers,
Kim

 



Old Long Haul Versus New Long Haul Fiber

2017-05-02 Thread Rod Beck
I am curious how much of a performance gap exists between new long haul fiber 
and fiber laid during the Great Boom from 1998-2001. We are very close to 20 
years.


I assume there are two dimensions, namely bit carrying capacity of an 
individual wave and total bandwidth capacity of a fiber pair. I have been told 
and readily believe that fiber improvements do make a difference. But I have no 
sense of magnitudes. My impression is that the 1998-2001 fiber probably cannot 
handle above 100 gig waves and about 14 terabits per fiber pair at least on 
Trans-Atlantic cables.


- R.

www.crosslakefibre.ca

www.unitedcablecompany.com





Re: Financial services BGP hijack last week?

2017-05-02 Thread Mike Hammett
Lower cost router platforms don't have RPKI capability. Mikrotik claims that v7 
will... whenever that comes out. AFAIK, Ubiquiti doesn't support it either. 
Both have submitted and acknowledged feature requests for it. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Job Snijders"  
To: "Nikos Leontsinis"  
Cc: nanog@nanog.org 
Sent: Tuesday, May 2, 2017 7:27:29 AM 
Subject: Re: Financial services BGP hijack last week? 

On Tue, May 02, 2017 at 08:29:32AM +0100, Nikos Leontsinis wrote: 
> it only proves the need for wider RPKI adoption 

How can we actually encourage RPKI adoption? 

Kind regards, 

Job 



Re: Financial services BGP hijack last week?

2017-05-02 Thread Compton, Rich A
That's the million dollar question.  I think that there will be more
adoption from the Internet at large when some big players adopt it.  Right
now the use of rsync in RPKI is preventing a lot of large ISPs from
implementing it (too difficult to provide redundancy with rsync). There is
a protocol called RPKI Repository Delta Protocol (RRDP)
https://tools.ietf.org/html/draft-ietf-sidr-delta-protocol-08 which will
alleviate these concerns but it is still in draft.  I think once that
becomes an RFC we will see more adoption of RPKI.



Rich Compton  |  Principal Eng  |  314.596.2828
14810 Grasslands Dr, Englewood, CO 80112






On 5/2/17, 6:27 AM, "NANOG on behalf of Job Snijders"
 wrote:

>On Tue, May 02, 2017 at 08:29:32AM +0100, Nikos Leontsinis wrote:
>> it only proves the need for wider RPKI adoption
>
>How can we actually encourage RPKI adoption?
>
>Kind regards,
>
>Job



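The message above points at RRDP as the answer to the rsync redundancy problem. What follows is an added example, not code from this thread or from any relying-party implementation: the client side of that protocol in Python, with a tiny constructed publication point inline. A notification file names a session id, a serial, a full snapshot and one delta per serial, each with its SHA-256 hash; objects inside deltas are replaced or withdrawn only against the hash of the object the client already holds. Because every file is identified by URI plus hash, the files are static and can be served from any mirror or cache, and a tampered file, a missing delta or a session change is detected and handled by falling back to the snapshot. The URIs, session id and object payloads are constructed; the element shapes follow the draft cited in the message (later RFC 8182).

```python
"""RRDP client logic.  Added example, not code from this thread or from any
relying-party software; repository contents, URIs and session id are
constructed.  Element shapes follow draft-ietf-sidr-delta-protocol (RFC 8182)."""
import base64
import hashlib
import xml.etree.ElementTree as ET

RRDP_NS = "http://www.ripe.net/rpki/rrdp"
NS = "{" + RRDP_NS + "}"
SESSION = "9df4b597-af9e-4dca-bdda-719cce2c4e28"   # constructed session UUID
BASE = "https://rrdp.example.net/"                 # constructed RRDP server
REPO = "rsync://rpki.example.net/repo/"            # constructed object URIs

# Object store at serial 1 and at serial 2 (payloads are constructed stand-ins).
SERIAL1_OBJECTS = {REPO + "ca.cer": b"cert-v1", REPO + "roa1.roa": b"roa-1",
                   REPO + "old.roa": b"old"}
SERIAL2_OBJECTS = {REPO + "ca.cer": b"cert-v1", REPO + "roa1.roa": b"roa-1b",
                   REPO + "roa2.roa": b"roa-2"}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def b64(data):
    return base64.b64encode(data).decode()


def build_repo():
    """Publication point at serial 2: snapshot of the current state plus the
    delta that moves a serial-1 client forward.  Returns {uri: bytes}."""
    head = f'xmlns="{RRDP_NS}" version="1" session_id="{SESSION}"'
    snap = (f'<snapshot {head} serial="2">'
            + "".join(f'<publish uri="{u}">{b64(d)}</publish>'
                      for u, d in SERIAL2_OBJECTS.items())
            + "</snapshot>").encode()
    delta = (f'<delta {head} serial="2">'
             # replace / withdraw must carry the hash of the object being changed
             f'<publish uri="{REPO}roa1.roa" hash="{sha256(b"roa-1")}">{b64(b"roa-1b")}</publish>'
             f'<publish uri="{REPO}roa2.roa">{b64(b"roa-2")}</publish>'
             f'<withdraw uri="{REPO}old.roa" hash="{sha256(b"old")}"/>'
             "</delta>").encode()
    notif = (f'<notification {head} serial="2">'
             f'<snapshot uri="{BASE}snapshot.xml" hash="{sha256(snap)}"/>'
             f'<delta serial="2" uri="{BASE}delta2.xml" hash="{sha256(delta)}"/>'
             "</notification>").encode()
    return {BASE + "notification.xml": notif, BASE + "snapshot.xml": snap,
            BASE + "delta2.xml": delta}


class Client:
    """Relying-party side: keeps session, serial and the object set."""
    def __init__(self, session=None, serial=0, objects=None):
        self.session, self.serial, self.objects = session, serial, dict(objects or {})

    def _fetch_xml(self, fetch, uri, expected_hash, session, serial):
        data = fetch(uri)
        if sha256(data) != expected_hash:
            raise ValueError(f"hash mismatch for {uri}")
        root = ET.fromstring(data)
        if root.get("session_id") != session or int(root.get("serial")) != serial:
            raise ValueError(f"session/serial mismatch in {uri}")
        return root

    def _apply(self, root):
        """Apply <publish>/<withdraw>; the hash attribute pins the object the
        publisher expects us to hold, so a delta cannot hit the wrong state."""
        for el in root:
            uri, old = el.get("uri"), el.get("hash")
            current = self.objects.get(uri)
            if old is not None and (current is None or sha256(current) != old):
                raise ValueError(f"delta refers to an object we do not hold: {uri}")
            if el.tag == NS + "publish":
                self.objects[uri] = base64.b64decode(el.text or "")
            elif el.tag == NS + "withdraw":
                if old is None:
                    raise ValueError(f"withdraw without hash: {uri}")
                del self.objects[uri]

    def sync(self, fetch, notification_uri):
        """Returns 'none', 'delta' or 'snapshot': the update path taken."""
        n = ET.fromstring(fetch(notification_uri))
        session, serial = n.get("session_id"), int(n.get("serial"))
        if session == self.session and serial == self.serial:
            return "none"
        deltas = {int(d.get("serial")): d for d in n.iter(NS + "delta")}
        wanted = range(self.serial + 1, serial + 1)
        if session == self.session and serial > self.serial and all(s in deltas for s in wanted):
            saved = dict(self.objects)
            try:
                for s in wanted:
                    d = deltas[s]
                    self._apply(self._fetch_xml(fetch, d.get("uri"), d.get("hash"), session, s))
                self.serial = serial
                return "delta"
            except ValueError:
                self.objects = saved      # broken chain or tampered file: full resync
        snap = n.find(NS + "snapshot")
        root = self._fetch_xml(fetch, snap.get("uri"), snap.get("hash"), session, serial)
        self.objects = {}
        self._apply(root)
        self.session, self.serial = session, serial
        return "snapshot"


def demo():
    repo = build_repo()
    fetch = repo.__getitem__                  # stands in for an HTTPS GET
    notif = BASE + "notification.xml"
    fresh = Client()                          # never synced: must take the snapshot
    behind = Client(SESSION, 1, SERIAL1_OBJECTS)              # one serial behind
    corrupt = Client(SESSION, 1, {**SERIAL1_OBJECTS, REPO + "roa1.roa": b"tampered"})
    return {"fresh": fresh.sync(fetch, notif), "behind": behind.sync(fetch, notif),
            "corrupt": corrupt.sync(fetch, notif), "again": fresh.sync(fetch, notif),
            "consistent": fresh.objects == behind.objects == corrupt.objects == SERIAL2_OBJECTS}


if __name__ == "__main__":
    print(demo())
```

Running it shows three clients in three states (fresh, one serial behind, and behind with a locally corrupted object) all converging on the same serial-2 object set: the first and third through the snapshot, the second through the delta alone. That convergence through hash-pinned static files is the property that makes running several caches or mirrors straightforward.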

Re: Akamai contact

2017-05-02 Thread James Harr
Akamai contacted me off-list. Thanks!


--
James Harr
Lead Network Engineer
University of Nebraska at Omaha
402-554-4925 M:402-660-5466

From: NANOG  on behalf of James Harr 

Sent: Tuesday, May 2, 2017 8:38:26 AM
To: nanog@nanog.org
Subject: Akamai contact

Hi,


Can someone from Akamai contact me off-list?


We're having problems accessing a testing website served from the Akamai CDN 
during finals week.


--
James Harr
Lead Network Engineer
University of Nebraska at Omaha
402-554-4925 M:402-660-5466


Akamai contact

2017-05-02 Thread James Harr
Hi,


Can someone from Akamai contact me off-list?


We're having problems accessing a testing website served from the Akamai CDN 
during finals week.


--
James Harr
Lead Network Engineer
University of Nebraska at Omaha
402-554-4925 M:402-660-5466


Re: Financial services BGP hijack last week?

2017-05-02 Thread Job Snijders
On Tue, May 02, 2017 at 08:29:32AM +0100, Nikos Leontsinis wrote:
> it only proves the need for wider RPKI adoption

How can we actually encourage RPKI adoption?

Kind regards,

Job


Re: Financial services BGP hijack last week?

2017-05-02 Thread Stephane Bortzmeyer
On Tue, May 02, 2017 at 01:49:04AM -0400,
 valdis.kletni...@vt.edu  wrote 
 a message of 29 lines which said:

> I didn't see any mention of this here.

You should subscribe to @bgpstream on Twitter, and read the BGPmon blog
:-)

https://twitter.com/bgpstream

https://bgpmon.net/bgpstream-and-the-curious-case-of-as12389/ (five
days ago)


Need help from walmart.com NOC

2017-05-02 Thread Jason J. W. Williams
Hi,


We run an Internet filtering service for protecting kids and folks with 
addiction issues. As of a couple of days ago, walmart.com stopped responding to 
requests (connection is formed but no response) through our filtering servers. 
If anyone here from Walmart could contact me off list, that would be greatly 
appreciated.


Thank you in advance.


-J


Re: Financial services BGP hijack last week?

2017-05-02 Thread Scott Christopher
On Mon, May 1, 2017, at 10:49 PM, valdis.kletni...@vt.edu wrote:

> I didn't see any mention of this here.  Any comments?
> 
> [...]
> 
> https://arstechnica.com/security/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/

Governments mopping up signals and data isn't a new concept, and
certainly not unique to the Russian Federation.

Personally I'm more concerned about important people giving up passwords
so easily to spear-phishers...

-- 
 Regards,
  S


Re: Financial services BGP hijack last week?

2017-05-02 Thread Nikos Leontsinis
it only proves the need for wider RPKI adoption

On 2 May 2017 at 06:49,   wrote:
> I didn't see any mention of this here.  Any comments?
>
> "On Wednesday, large chunks of network traffic belonging to MasterCard, Visa,
> and more than two dozen other financial services companies were briefly routed
> through a Russian government-controlled telecom under unexplained 
> circumstances
> that renew lingering questions about the trust and reliability of some of the
> most sensitive Internet communications."
>
> https://arstechnica.com/security/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/


Re: Financial services BGP hijack last week?

2017-05-02 Thread Max Tulyev
Everyone knows. Nobody cares.

On 02.05.17 08:49, valdis.kletni...@vt.edu wrote:
> I didn't see any mention of this here.  Any comments?
> 
> "On Wednesday, large chunks of network traffic belonging to MasterCard, Visa,
> and more than two dozen other financial services companies were briefly routed
> through a Russian government-controlled telecom under unexplained 
> circumstances
> that renew lingering questions about the trust and reliability of some of the
> most sensitive Internet communications."
> 
> https://arstechnica.com/security/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/
>