Any validity to this claim? Fiber cable cut to St. John USVI.
https://www.reddit.com/r/TropicalWeather/comments/6zcr3y/this_is_a_message_from_st_john_us_virgin_islands/?st=j7flzzyx=28637fa3
Re: 2017 NANOG Elections General Information
Yep, I've been in this industry since.. '94 or so, and the absolute number one reason that I do not participate in NANOG is that even going back as far as I can remember it's been a good-old-boy's club. Yes, there are some very smart people that speak up, but I see time and time again the cliques and good-old-boys club mentality inherent in NANOG. And because of this, the thinking and mindset of NANOG in general will (in my opinion) never change. As you mention there is definitely a 'cool kids' or Ivory tower mentality. And I'm not sure that it really *can* be fixed and more welcoming of newer members without risking alienating the old guard. So for the most part I tease out the nuggets of wisdom I can, and ignore most of the mindless arguments that we have been over time and time again about. Ken On Sun, Sep 10, 2017 at 6:00 PM, Scott Weekswrote: > > --- br...@shout.net wrote: > From: Bryan Holloway > > Had I been a first-time attendee, I would've felt like a > high-school freshman being told who all the "cool seniors" > were. > > Frankly, it was awkward and off-putting. > --- > > Not only first time attendees, but also long time list > participants are made to feel that way; me included for > making comments about vendor spam or top posting. I note > that not only randy is doing what he says, but other old > schoolers are now gone (such as vixie, li and others) who > are folks that a person could learn a lot from. > > scott > > ps. I always shot peas at the "cool kids" table in the > lunch room in high school. From time-to-time I want > virtual peas to shoot now days... >;-) >
Re: 2017 NANOG Elections General Information
--- br...@shout.net wrote: From: Bryan HollowayHad I been a first-time attendee, I would've felt like a high-school freshman being told who all the "cool seniors" were. Frankly, it was awkward and off-putting. --- Not only first time attendees, but also long time list participants are made to feel that way; me included for making comments about vendor spam or top posting. I note that not only randy is doing what he says, but other old schoolers are now gone (such as vixie, li and others) who are folks that a person could learn a lot from. scott ps. I always shot peas at the "cool kids" table in the lunch room in high school. From time-to-time I want virtual peas to shoot now days... >;-)
Re: 2017 NANOG Elections General Information
This leads to a good point, and I think the point Randy was trying to make - the Board elections should not be a popularity contest, either in terms of who people like or who the best engineers are. It should *not* be focused on who has the most fun at the socials or the room parties. +1 ... and .. ... if I may expand candidly on this, I'd like to see a little less of an -- to use the term loosely -- "Old Boys Network" mentality at meetings. I point specifically to the opening talk at Bellevue where there were wackily photoshop'd pictures of NANOG star heavy-hitters. I consider myself a relative newcomer to the community, and I find the meetings invaluable, but I've been to enough of them to know who the folks pictured were. Had I been a first-time attendee, I would've felt like a high-school freshman being told who all the "cool seniors" were. Frankly, it was awkward and off-putting. Just my $0.02 worth. On Fri, Sep 8, 2017 at 2:28 AM Randy Bushwrote: my impression is that, in recent years, one has to be a white frat boy who is proud of being drunk. randy, who stopped attending
Re: IPv6 Loopback/Point-to-Point address allocation
> > Null-routing may not be sufficient, if the edge/border router has a > > route to that /128; the (forwardable) /128 entry will win from the > > blackholed /64 FIB entry since it is more-specific. > > just thought about it a bit. > As mentioned (in other post) I was thinking of a specific use case/setting, > but wouldn't a static null-route (of a blackholed /64) win over a /128 > learned from a RP anyway (given the better AD)? > Am I missing sth here? Longest prefix match wins. Steinar Haug, Nethelp consulting, sth...@nethelp.no
Re: IPv6 Loopback/Point-to-Point address allocation
Hi, On Sun, Sep 10, 2017 at 12:08:59PM +0200, Job Snijders wrote: > Hi, > > On Sun, Sep 10, 2017 at 11:53:20AM +0200, Enno Rey wrote: > > On Sun, Sep 10, 2017 at 10:47:05AM +0100, Nick Hilliard wrote: > > > Baldur Norddahl wrote: > > > > Loopback interfaces should be configured as /128. How you allocate > > > > these do > > > > not matter. > > > > > > ..so long as there are interface ACLs on your network edge which block > > > direct IP access to these IP addresses. > > > > or, maybe even more efficient, assign all loopbacks from a dedicated > > netblock which you null-route on the edge/your border devices. > > Null-routing may not be sufficient, if the edge/border router has a > route to that /128; the (forwardable) /128 entry will win from the > blackholed /64 FIB entry since it is more-specific. just thought about it a bit. As mentioned (in other post) I was thinking of a specific use case/setting, but wouldn't a static null-route (of a blackholed /64) win over a /128 learned from a RP anyway (given the better AD)? Am I missing sth here? thanks Enno Applying an ingress > interface ACL to each and every external facing interface will probably > work best in the most common deployment scenarios. > > For router-to-router linknets I recommend to configure a linknet that is > as small as possible and is supported by all sides: /127, /126, /120, > etc. Some vendors have put in effort to mitigate the problems related to > Neighbor Discovery Protocol cache exhaustion attacks, but the fact of > the matter is that on small subnets like a /127, /126 or /120 such > attacks simply are non-existent. > > Kind regards, > > Job -- Enno Rey ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 Handelsregister Mannheim: HRB 337135 Geschaeftsfuehrer: Matthias Luft, Enno Rey === Blog: www.insinuator.net || Conference: www.troopers.de Twitter: @Enno_Insinuator ===
Re: IPv6 Loopback/Point-to-Point address allocation
Hi, On Sun, Sep 10, 2017 at 12:08:59PM +0200, Job Snijders wrote: > Hi, > > On Sun, Sep 10, 2017 at 11:53:20AM +0200, Enno Rey wrote: > > On Sun, Sep 10, 2017 at 10:47:05AM +0100, Nick Hilliard wrote: > > > Baldur Norddahl wrote: > > > > Loopback interfaces should be configured as /128. How you allocate > > > > these do > > > > not matter. > > > > > > ..so long as there are interface ACLs on your network edge which block > > > direct IP access to these IP addresses. > > > > or, maybe even more efficient, assign all loopbacks from a dedicated > > netblock which you null-route on the edge/your border devices. > > Null-routing may not be sufficient, if the edge/border router has a > route to that /128 good point. I was coming from an Enterprise network perspective where - the border devices do not necessarily hold the/those 128(s) given there's a layer of stateful firewalls in between which creates an isolation boundary for routing protocols. - people do not necessarily fully trust the (outsourced) entities responsible for implementing the filters/ACLs. - this is hence a not-uncommon strategy to feel/be safer as for the (unwanted) global reachability of loopbacks, after the introduction of IPv6. best Enno ; the (forwardable) /128 entry will win from the > blackholed /64 FIB entry since it is more-specific. Applying an ingress > interface ACL to each and every external facing interface will probably > work best in the most common deployment scenarios. > > For router-to-router linknets I recommend to configure a linknet that is > as small as possible and is supported by all sides: /127, /126, /120, > etc. Some vendors have put in effort to mitigate the problems related to > Neighbor Discovery Protocol cache exhaustion attacks, but the fact of > the matter is that on small subnets like a /127, /126 or /120 such > attacks simply are non-existent. > > Kind regards, > > Job -- Enno Rey ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 Handelsregister Mannheim: HRB 337135 Geschaeftsfuehrer: Matthias Luft, Enno Rey === Blog: www.insinuator.net || Conference: www.troopers.de Twitter: @Enno_Insinuator ===
Re: IPv6 Loopback/Point-to-Point address allocation
Hi, On Sun, Sep 10, 2017 at 02:25:04PM +0300, Saku Ytti wrote: > On 10 September 2017 at 13:56, Thomas Bellmanwrote: > > > An alternative is to just have link-local addresses on your point-to- > > point links. At least on your internal links where you run your IGP. > > On external links, where you run eBGP or static routes, it's probably > > more trouble than it is worth, though, since link-local addresses can > > change if you replace the hardware, requiring a config change on the > > other end. (Also, I'm not sure all BGP implementations support using > > link-local addresses.) all BGP implementations I'm aware of do that (support LLAs), BUT at least Cisco's doesn't support using the same LLAs in multiple BGP sessions (e.g. on PE-CE links) which in turn ruins the potential benefits in many environments, see https://ripe72.ripe.net/presentations/122-ERNW_RIPE72_IPv6wg_RFC7404.pdf https://blog.apnic.net/2016/05/31/beauty-ipv6-link-local-addressing-not/ > > This is solvable problem. Vendors support 'bgp listen' or 'bgp allow' > to accept BGP session from specific CIDR range. Similarly you could > allow IPv6 on interface, with SADDR anywhere in link-local. Your own > end link-local stability you could guarantee by manually configuring > MAC address, instead of using BIA. I.e. customers would experience > stable DADDR, but we wouldn't care about customer's SADDR. > > However I don't think market would generally appreciate the > implications linklocal brings to traceroute, where least bad option > would be just to originate hop-limit exceeded from loop0, with no > visibility on actual interface. some might be willing to accept that, as a trade-off for other benefits operations-wise. best Enno -- Enno Rey ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 Handelsregister Mannheim: HRB 337135 Geschaeftsfuehrer: Matthias Luft, Enno Rey === Blog: www.insinuator.net || Conference: www.troopers.de Twitter: @Enno_Insinuator ===
Re: IPv6 Loopback/Point-to-Point address allocation
On 10 September 2017 at 13:56, Thomas Bellmanwrote: > An alternative is to just have link-local addresses on your point-to- > point links. At least on your internal links where you run your IGP. > On external links, where you run eBGP or static routes, it's probably > more trouble than it is worth, though, since link-local addresses can > change if you replace the hardware, requiring a config change on the > other end. (Also, I'm not sure all BGP implementations support using > link-local addresses.) This is solvable problem. Vendors support 'bgp listen' or 'bgp allow' to accept BGP session from specific CIDR range. Similarly you could allow IPv6 on interface, with SADDR anywhere in link-local. Your own end link-local stability you could guarantee by manually configuring MAC address, instead of using BIA. I.e. customers would experience stable DADDR, but we wouldn't care about customer's SADDR. However I don't think market would generally appreciate the implications linklocal brings to traceroute, where least bad option would be just to originate hop-limit exceeded from loop0, with no visibility on actual interface. -- ++ytti
Re: IPv6 Loopback/Point-to-Point address allocation
On 2017-09-10 00:09, Baldur Norddahl wrote: > You want to configure point to point interfaces as /127 or /126 even if you > allocate a full /64 for the link. This prevents an NDP exhaustion attack > with no downside. An alternative is to just have link-local addresses on your point-to- point links. At least on your internal links where you run your IGP. On external links, where you run eBGP or static routes, it's probably more trouble than it is worth, though, since link-local addresses can change if you replace the hardware, requiring a config change on the other end. (Also, I'm not sure all BGP implementations support using link-local addresses.) /Bellman signature.asc Description: OpenPGP digital signature
Re: IPv6 Loopback/Point-to-Point address allocation
Hi, On Sun, Sep 10, 2017 at 11:53:20AM +0200, Enno Rey wrote: > On Sun, Sep 10, 2017 at 10:47:05AM +0100, Nick Hilliard wrote: > > Baldur Norddahl wrote: > > > Loopback interfaces should be configured as /128. How you allocate these > > > do > > > not matter. > > > > ..so long as there are interface ACLs on your network edge which block > > direct IP access to these IP addresses. > > or, maybe even more efficient, assign all loopbacks from a dedicated > netblock which you null-route on the edge/your border devices. Null-routing may not be sufficient, if the edge/border router has a route to that /128; the (forwardable) /128 entry will win from the blackholed /64 FIB entry since it is more-specific. Applying an ingress interface ACL to each and every external facing interface will probably work best in the most common deployment scenarios. For router-to-router linknets I recommend to configure a linknet that is as small as possible and is supported by all sides: /127, /126, /120, etc. Some vendors have put in effort to mitigate the problems related to Neighbor Discovery Protocol cache exhaustion attacks, but the fact of the matter is that on small subnets like a /127, /126 or /120 such attacks simply are non-existent. Kind regards, Job
Re: IPv6 Loopback/Point-to-Point address allocation
Hi, On Sun, Sep 10, 2017 at 10:47:05AM +0100, Nick Hilliard wrote: > Baldur Norddahl wrote: > > Loopback interfaces should be configured as /128. How you allocate these do > > not matter. > > ..so long as there are interface ACLs on your network edge which block > direct IP access to these IP addresses. or, maybe even more efficient, assign all loopbacks from a dedicated netblock which you null-route on the edge/your border devices. best Enno -- Enno Rey ERNW GmbH - Carl-Bosch-Str. 4 - 69115 Heidelberg - www.ernw.de Tel. +49 6221 480390 - Fax 6221 419008 - Cell +49 173 6745902 Handelsregister Mannheim: HRB 337135 Geschaeftsfuehrer: Matthias Luft, Enno Rey === Blog: www.insinuator.net || Conference: www.troopers.de Twitter: @Enno_Insinuator ===
Re: IPv6 Loopback/Point-to-Point address allocation
Baldur Norddahl wrote: > Loopback interfaces should be configured as /128. How you allocate these do > not matter. ..so long as there are interface ACLs on your network edge which block direct IP access to these IP addresses. Nick