Any validity to this claim? Fiber cable cut to St. John USVI.

2017-09-10 Thread Javier J
https://www.reddit.com/r/TropicalWeather/comments/6zcr3y/this_is_a_message_from_st_john_us_virgin_islands/?st=j7flzzyx=28637fa3


Re: 2017 NANOG Elections General Information

2017-09-10 Thread Ken Matlock
Yep, I've been in this industry since.. '94 or so, and the absolute number
one reason that I do not participate in NANOG is that even going back as
far as I can remember it's been a good-old-boy's club.

Yes, there are some very smart people that speak up, but I see time and
time again the cliques and good-old-boys club mentality inherent in NANOG.
And because of this, the thinking and mindset of NANOG in general will (in
my opinion) never change.

As you mention there is definitely a 'cool kids' or Ivory tower mentality.
And I'm not sure that it really *can* be fixed and more welcoming of newer
members without risking alienating the old guard. So for the most part I
tease out the nuggets of wisdom I can, and ignore most of the mindless
arguments that we have been over time and time again about.

Ken


On Sun, Sep 10, 2017 at 6:00 PM, Scott Weeks  wrote:

>
> --- br...@shout.net wrote:
> From: Bryan Holloway 
>
> Had I been a first-time attendee, I would've felt like a
> high-school freshman being told who all the "cool seniors"
> were.
>
> Frankly, it was awkward and off-putting.
> ---
>
> Not only first time attendees, but also long time list
> participants are made to feel that way; me included for
> making comments about vendor spam or top posting.  I note
> that not only randy is doing what he says, but other old
> schoolers are now gone (such as vixie, li and others) who
> are folks that a person could learn a lot from.
>
> scott
>
> ps.  I always shot peas at the "cool kids" table in the
> lunch room in high school.  From time-to-time I want
> virtual peas to shoot nowadays...  >;-)
>


Re: 2017 NANOG Elections General Information

2017-09-10 Thread Scott Weeks

--- br...@shout.net wrote:
From: Bryan Holloway 

Had I been a first-time attendee, I would've felt like a 
high-school freshman being told who all the "cool seniors" 
were.

Frankly, it was awkward and off-putting.
---

Not only first time attendees, but also long time list
participants are made to feel that way; me included for 
making comments about vendor spam or top posting.  I note 
that not only randy is doing what he says, but other old 
schoolers are now gone (such as vixie, li and others) who 
are folks that a person could learn a lot from.

scott

ps.  I always shot peas at the "cool kids" table in the 
lunch room in high school.  From time-to-time I want
virtual peas to shoot nowadays...  >;-)


Re: 2017 NANOG Elections General Information

2017-09-10 Thread Bryan Holloway



This leads to a good point, and I think the point Randy was trying to make
- the Board elections should not be a popularity contest, either in terms
of who people like or who the best engineers are. It should *not* be
focused on who has the most fun at the socials or the room parties.


+1 ... and ..

... if I may expand candidly on this, I'd like to see a little less of 
an -- to use the term loosely -- "Old Boys Network" mentality at meetings.


I point specifically to the opening talk at Bellevue where there were 
wackily photoshop'd pictures of NANOG star heavy-hitters.


I consider myself a relative newcomer to the community, and I find the 
meetings invaluable, but I've been to enough of them to know who the 
folks pictured were. Had I been a first-time attendee, I would've felt 
like a high-school freshman being told who all the "cool seniors" were.


Frankly, it was awkward and off-putting.

Just my $0.02 worth.



On Fri, Sep 8, 2017 at 2:28 AM Randy Bush  wrote:


my impression is that, in recent years, one has to be a white frat boy
who is proud of being drunk.

randy, who stopped attending



Re: IPv6 Loopback/Point-to-Point address allocation

2017-09-10 Thread sthaug
> > Null-routing may not be sufficient, if the edge/border router has a
> > route to that /128; the (forwardable) /128 entry will win from the
> > blackholed /64 FIB entry since it is more-specific.
> 
> just thought about it a bit.
> As mentioned (in other post) I was thinking of a specific use case/setting, 
> but wouldn't a static null-route (of a blackholed /64) win over a /128 
> learned from an RP anyway (given the better AD)?
> Am I missing sth here?

Longest prefix match wins.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
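The AD question above deserves a concrete illustration, so here is an added example (my own, not code from the thread) of how a router picks routes: administrative distance is only consulted when two sources offer the same prefix, while the forwarding lookup is a longest-prefix match over everything that got installed. The routing table below is constructed for the demonstration; the prefixes, the Null0 discard route and the OSPF distance of 110 are assumptions, not values from the thread.

```python
import ipaddress

# Constructed routing table (not from the thread):
# (prefix, administrative distance, source, next hop).
# The /64 is a static discard route covering the whole loopback block;
# the /128 is one router's loopback learned from the IGP (OSPF, AD 110
# on IOS-style platforms, assumed here).
ROUTES = [
    ("2001:db8:ffff::/64", 1, "static", "Null0"),
    ("2001:db8:ffff::1/128", 110, "ospf", "2001:db8:1::2"),
]


def build_rib(routes):
    """Per prefix, keep only the candidate with the lowest AD.

    This is the only point at which AD is consulted: it arbitrates between
    routes for the *same* prefix, never between a /64 and a /128.
    """
    best = {}
    for prefix, ad, source, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if net not in best or ad < best[net][0]:
            best[net] = (ad, source, nexthop)
    return best


def fib_lookup(rib, destination):
    """Longest prefix match across all installed prefixes.

    Returns (prefix, source, nexthop) or None. AD plays no role here.
    """
    dst = ipaddress.ip_address(destination)
    matches = [net for net in rib if dst in net]
    if not matches:
        return None
    longest = max(matches, key=lambda n: n.prefixlen)
    _ad, source, nexthop = rib[longest]
    return (str(longest), source, nexthop)


def is_discarded(rib, destination):
    """True only if the forwarding decision actually lands on the discard route."""
    hit = fib_lookup(rib, destination)
    return hit is not None and hit[2] == "Null0"


if __name__ == "__main__":
    rib = build_rib(ROUTES)
    # The loopback itself is reachable: the IGP /128 beats the static /64
    # regardless of the /64's better AD.
    print(fib_lookup(rib, "2001:db8:ffff::1"))      # /128 via ospf
    print(is_discarded(rib, "2001:db8:ffff::1"))     # False
    # Unused space inside the block is still blackholed.
    print(fib_lookup(rib, "2001:db8:ffff::abcd"))   # /64 -> Null0
    # AD does matter once the prefixes are equal: a static /128 to Null0
    # displaces the OSPF /128 in the RIB.
    rib2 = build_rib(ROUTES + [("2001:db8:ffff::1/128", 1, "static", "Null0")])
    print(fib_lookup(rib2, "2001:db8:ffff::1"))     # /128 -> Null0
```

The takeaway for the border device: a blackholed aggregate only protects the addresses within it that have no more-specific route, which is exactly why the ingress ACL recommended elsewhere in this thread is the more reliable control.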



Re: IPv6 Loopback/Point-to-Point address allocation

2017-09-10 Thread Enno Rey
Hi,

On Sun, Sep 10, 2017 at 12:08:59PM +0200, Job Snijders wrote:
> Hi,
> 
> On Sun, Sep 10, 2017 at 11:53:20AM +0200, Enno Rey wrote:
> > On Sun, Sep 10, 2017 at 10:47:05AM +0100, Nick Hilliard wrote:
> > > Baldur Norddahl wrote:
> > > > Loopback interfaces should be configured as /128. How you allocate these do
> > > > not matter.
> > > 
> > > ..so long as there are interface ACLs on your network edge which block
> > > direct IP access to these IP addresses.
> > 
> > or, maybe even more efficient, assign all loopbacks from a dedicated
> > netblock which you null-route on the edge/your border devices.
> 
> Null-routing may not be sufficient, if the edge/border router has a
> route to that /128; the (forwardable) /128 entry will win from the
> blackholed /64 FIB entry since it is more-specific.

just thought about it a bit.
As mentioned (in other post) I was thinking of a specific use case/setting, but 
wouldn't a static null-route (of a blackholed /64) win over a /128 learned from 
an RP anyway (given the better AD)?
Am I missing sth here?

thanks

Enno






> Applying an ingress
> interface ACL to each and every external facing interface will probably
> work best in the most common deployment scenarios.
> 
> For router-to-router linknets I recommend to configure a linknet that is
> as small as possible and is supported by all sides: /127, /126, /120,
> etc. Some vendors have put in effort to mitigate the problems related to
> Neighbor Discovery Protocol cache exhaustion attacks, but the fact of
> the matter is that on small subnets like a /127, /126 or /120 such
> attacks simply are non-existent. 
> 
> Kind regards,
> 
> Job

-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Commercial register Mannheim: HRB 337135
Managing directors: Matthias Luft, Enno Rey

===
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
===


Re: IPv6 Loopback/Point-to-Point address allocation

2017-09-10 Thread Enno Rey
Hi,

On Sun, Sep 10, 2017 at 12:08:59PM +0200, Job Snijders wrote:
> Hi,
> 
> On Sun, Sep 10, 2017 at 11:53:20AM +0200, Enno Rey wrote:
> > On Sun, Sep 10, 2017 at 10:47:05AM +0100, Nick Hilliard wrote:
> > > Baldur Norddahl wrote:
> > > > Loopback interfaces should be configured as /128. How you allocate these do
> > > > not matter.
> > > 
> > > ..so long as there are interface ACLs on your network edge which block
> > > direct IP access to these IP addresses.
> > 
> > or, maybe even more efficient, assign all loopbacks from a dedicated
> > netblock which you null-route on the edge/your border devices.
> 
> Null-routing may not be sufficient, if the edge/border router has a
> route to that /128

good point. 
I was coming from an Enterprise network perspective where
- the border devices do not necessarily hold the/those 128(s) given there's a 
layer of stateful firewalls in between which creates an isolation boundary for 
routing protocols.
- people do not necessarily fully trust the (outsourced) entities responsible 
for implementing the filters/ACLs.
- this is hence a not-uncommon strategy to feel/be safer as for the (unwanted) 
global reachability of loopbacks, after the introduction of IPv6.

best

Enno





> ; the (forwardable) /128 entry will win from the
> blackholed /64 FIB entry since it is more-specific. Applying an ingress
> interface ACL to each and every external facing interface will probably
> work best in the most common deployment scenarios.
> 
> For router-to-router linknets I recommend to configure a linknet that is
> as small as possible and is supported by all sides: /127, /126, /120,
> etc. Some vendors have put in effort to mitigate the problems related to
> Neighbor Discovery Protocol cache exhaustion attacks, but the fact of
> the matter is that on small subnets like a /127, /126 or /120 such
> attacks simply are non-existent. 
> 
> Kind regards,
> 
> Job

-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Commercial register Mannheim: HRB 337135
Managing directors: Matthias Luft, Enno Rey

===
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
===


Re: IPv6 Loopback/Point-to-Point address allocation

2017-09-10 Thread Enno Rey
Hi,

On Sun, Sep 10, 2017 at 02:25:04PM +0300, Saku Ytti wrote:
> On 10 September 2017 at 13:56, Thomas Bellman  wrote:
> 
> > An alternative is to just have link-local addresses on your point-to-
> > point links.  At least on your internal links where you run your IGP.
> > On external links, where you run eBGP or static routes, it's probably
> > more trouble than it is worth, though, since link-local addresses can
> > change if you replace the hardware, requiring a config change on the
> > other end.  (Also, I'm not sure all BGP implementations support using
> > link-local addresses.)

all BGP implementations I'm aware of do that (support LLAs), BUT at least 
Cisco's doesn't support using the same LLAs in multiple BGP sessions (e.g. on 
PE-CE links) which in turn ruins the potential benefits in many environments, 
see
https://ripe72.ripe.net/presentations/122-ERNW_RIPE72_IPv6wg_RFC7404.pdf
https://blog.apnic.net/2016/05/31/beauty-ipv6-link-local-addressing-not/

> 
> This is a solvable problem. Vendors support 'bgp listen' or 'bgp allow'
> to accept BGP session from specific CIDR range. Similarly you could
> allow IPv6 on interface, with SADDR anywhere in link-local. Your own
> end link-local stability you could guarantee by manually configuring
> MAC address, instead of using BIA. I.e. customers would experience
> stable DADDR, but we wouldn't care about customer's SADDR.
> 
> However I don't think market would generally appreciate the
> implications linklocal brings to traceroute, where least bad option
> would be just to originate hop-limit exceeded from loop0, with no
> visibility on actual interface.

some might be willing to accept that, as a trade-off for other benefits 
operations-wise.

best

Enno



-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Commercial register Mannheim: HRB 337135
Managing directors: Matthias Luft, Enno Rey

===
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
===


Re: IPv6 Loopback/Point-to-Point address allocation

2017-09-10 Thread Saku Ytti
On 10 September 2017 at 13:56, Thomas Bellman  wrote:

> An alternative is to just have link-local addresses on your point-to-
> point links.  At least on your internal links where you run your IGP.
> On external links, where you run eBGP or static routes, it's probably
> more trouble than it is worth, though, since link-local addresses can
> change if you replace the hardware, requiring a config change on the
> other end.  (Also, I'm not sure all BGP implementations support using
> link-local addresses.)

This is a solvable problem. Vendors support 'bgp listen' or 'bgp allow'
to accept BGP session from specific CIDR range. Similarly you could
allow IPv6 on interface, with SADDR anywhere in link-local. Your own
end link-local stability you could guarantee by manually configuring
MAC address, instead of using BIA. I.e. customers would experience
stable DADDR, but we wouldn't care about customer's SADDR.

However I don't think market would generally appreciate the
implications linklocal brings to traceroute, where least bad option
would be just to originate hop-limit exceeded from loop0, with no
visibility on actual interface.

-- 
  ++ytti
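To make Thomas's concern and Saku's fix tangible, here is an added example (not code from either post) that derives an interface's link-local address the way most stacks do by default: fe80::/64 plus a modified EUI-64 built from the interface MAC (RFC 4291, Appendix A). It shows why swapping a line card changes the address the far end has configured as its BGP neighbor, and why pinning the MAC in configuration keeps it stable. The MAC addresses are constructed for the example; that the router uses EUI-64 rather than a random or manually set interface identifier is an assumption.

```python
import ipaddress


def modified_eui64_link_local(mac):
    """Link-local address a router derives from a 48-bit MAC via modified EUI-64.

    Steps (RFC 4291, Appendix A): split the MAC in half, insert ff:fe in the
    middle, flip the universal/local bit of the first octet, prefix fe80::/64.
    """
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC like 00:1b:21:aa:bb:cc")
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui64[0] ^= 0x02  # invert the U/L bit
    groups = [f"{eui64[i] << 8 | eui64[i + 1]:x}" for i in range(0, 8, 2)]
    # Normalise through ipaddress so zero groups compress the standard way.
    return str(ipaddress.IPv6Address("fe80::" + ":".join(groups)))


def link_local_after_swap(burned_in_old, burned_in_new, configured_mac=None):
    """(before, after): the address the far end sees across a hardware swap.

    With only burned-in addresses (BIA) the link-local changes with the card;
    with a configured MAC it is derived from the pinned value both times.
    """
    before = modified_eui64_link_local(configured_mac or burned_in_old)
    after = modified_eui64_link_local(configured_mac or burned_in_new)
    return before, after


if __name__ == "__main__":
    # Constructed MACs: the original line card and its replacement.
    old_card, new_card = "00:1b:21:aa:bb:cc", "00:1b:21:dd:ee:ff"
    print(link_local_after_swap(old_card, new_card))
    # Same swap with a locally administered MAC pinned in configuration.
    print(link_local_after_swap(old_card, new_card, configured_mac="02:00:00:00:00:01"))
```

The first call returns two different fe80:: addresses, so a peer that configured the old one as its neighbor loses the session after the swap; the second returns the same address twice. The traceroute visibility point Saku raises is untouched by this: it is about which source address ICMP errors carry, not about session stability.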


Re: IPv6 Loopback/Point-to-Point address allocation

2017-09-10 Thread Thomas Bellman
On 2017-09-10 00:09, Baldur Norddahl wrote:

> You want to configure point to point interfaces as /127 or /126 even if you
> allocate a full /64 for the link. This prevents an NDP exhaustion attack
> with no downside.

An alternative is to just have link-local addresses on your point-to-
point links.  At least on your internal links where you run your IGP.
On external links, where you run eBGP or static routes, it's probably
more trouble than it is worth, though, since link-local addresses can
change if you replace the hardware, requiring a config change on the
other end.  (Also, I'm not sure all BGP implementations support using
link-local addresses.)


/Bellman





Re: IPv6 Loopback/Point-to-Point address allocation

2017-09-10 Thread Job Snijders
Hi,

On Sun, Sep 10, 2017 at 11:53:20AM +0200, Enno Rey wrote:
> On Sun, Sep 10, 2017 at 10:47:05AM +0100, Nick Hilliard wrote:
> > Baldur Norddahl wrote:
> > > Loopback interfaces should be configured as /128. How you allocate these do
> > > not matter.
> > 
> > ..so long as there are interface ACLs on your network edge which block
> > direct IP access to these IP addresses.
> 
> or, maybe even more efficient, assign all loopbacks from a dedicated
> netblock which you null-route on the edge/your border devices.

Null-routing may not be sufficient, if the edge/border router has a
route to that /128; the (forwardable) /128 entry will win from the
blackholed /64 FIB entry since it is more-specific. Applying an ingress
interface ACL to each and every external facing interface will probably
work best in the most common deployment scenarios.

For router-to-router linknets I recommend to configure a linknet that is
as small as possible and is supported by all sides: /127, /126, /120,
etc. Some vendors have put in effort to mitigate the problems related to
Neighbor Discovery Protocol cache exhaustion attacks, but the fact of
the matter is that on small subnets like a /127, /126 or /120 such
attacks simply are non-existent. 

Kind regards,

Job
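The two configuration rules this sub-thread converges on (loopbacks as /128, router-to-router linknets as /127, /126 or /120 rather than a full /64) are easy to check mechanically. The following is an added example of such an audit, my own code rather than anything from the thread: it parses a constructed IOS-style configuration snippet and flags interfaces that violate either rule. The snippet, the interface names and the heuristic that an interface whose description contains "link to" is a router-to-router link are all assumptions made for the example.

```python
import ipaddress
import re

# Constructed IOS-style configuration (illustrative, not from a real device).
SAMPLE_CONFIG = """\
interface Loopback0
 ipv6 address 2001:db8:ffff::1/128
!
interface Loopback1
 ipv6 address 2001:db8:ffff::2/64
!
interface GigabitEthernet0/0
 description core link to rtr2
 ipv6 address 2001:db8:1::1/127
!
interface GigabitEthernet0/1
 description core link to rtr3
 ipv6 address 2001:db8:1::3/64
!
interface GigabitEthernet0/2
 description customer access
 ipv6 address 2001:db8:2::1/64
"""

# Prefix lengths the thread considers acceptable for router-to-router links.
LINKNET_OK = {127, 126, 120}


def parse_interfaces(config):
    """Return {name: {"description": str, "addresses": [IPv6Interface]}}."""
    result = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            result[current] = {"description": "", "addresses": []}
            continue
        if current is None:
            continue
        m = re.match(r"^\s+description (.*)", line)
        if m:
            result[current]["description"] = m.group(1).strip()
        m = re.match(r"^\s+ipv6 address (\S+)", line)
        if m:
            result[current]["addresses"].append(ipaddress.IPv6Interface(m.group(1)))
    return result


def audit(config):
    """List (interface, problem) pairs for loopback and linknet sizing violations."""
    findings = []
    for name, data in parse_interfaces(config).items():
        is_loopback = name.lower().startswith("loopback")
        # Assumption for the example: descriptions name router links as "link to".
        is_linknet = "link to" in data["description"].lower()
        for addr in data["addresses"]:
            plen = addr.network.prefixlen
            if is_loopback and plen != 128:
                findings.append((name, f"loopback uses /{plen}, expected /128"))
            elif is_linknet and plen not in LINKNET_OK:
                findings.append(
                    (name, f"router-to-router link uses /{plen}, expected /127, /126 or /120")
                )
    return findings


if __name__ == "__main__":
    for interface, problem in audit(SAMPLE_CONFIG):
        print(f"{interface}: {problem}")
```

Run against the sample it reports Loopback1 and GigabitEthernet0/1; the customer-facing /64 is left alone because the linknet rule is about router-to-router links only. Extending the same loop to confirm that every external-facing interface carries the ingress ACL Job recommends is straightforward once the ACL name is known.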


Re: IPv6 Loopback/Point-to-Point address allocation

2017-09-10 Thread Enno Rey
Hi,

On Sun, Sep 10, 2017 at 10:47:05AM +0100, Nick Hilliard wrote:
> Baldur Norddahl wrote:
> > Loopback interfaces should be configured as /128. How you allocate these do
> > not matter.
> 
> ..so long as there are interface ACLs on your network edge which block
> direct IP access to these IP addresses.

or, maybe even more efficient, assign all loopbacks from a dedicated netblock 
which you null-route on the edge/your border devices.

best

Enno


-- 
Enno Rey

ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de
Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 

Commercial register Mannheim: HRB 337135
Managing directors: Matthias Luft, Enno Rey

===
Blog: www.insinuator.net || Conference: www.troopers.de
Twitter: @Enno_Insinuator
===


Re: IPv6 Loopback/Point-to-Point address allocation

2017-09-10 Thread Nick Hilliard
Baldur Norddahl wrote:
> Loopback interfaces should be configured as /128. How you allocate these do
> not matter.

..so long as there are interface ACLs on your network edge which block
direct IP access to these IP addresses.

Nick