Re: BGP prefix filter list

2019-05-22 Thread Ross Tajvar
In that case shouldn't each company advertise a /21?

On Wed, May 22, 2019, 1:11 PM Sabri Berisha  wrote:

> Hi,
>
> One legitimate reason is the split of companies. In some cases, IP space
> needs to be divided up. For example, company A splits up in AA and AB, and
> has a /20. Company AA may advertise the /20, while the new AB may advertise
> the top or bottom /21. I know of at least one worldwide e-commerce company
> that is in that situation.
>
> Thanks,
>
> Sabri
>
>
> - On May 22, 2019, at 9:40 AM, Tom Beecher  wrote:
>
> There are sometimes legitimate reasons to have a covering aggregate with
> some more specific announcements. Certainly there's a lot of cleanup that
> many should do in this area, but it might not be the best approach to this
> issue.
>
> On Tue, May 21, 2019 at 5:30 AM Alejandro Acosta <
> alejandroacostaal...@gmail.com> wrote:
>
>>
>> On 5/20/19 7:26 PM, John Kristoff wrote:
>> > On Mon, 20 May 2019 23:09:02 +
>> > Seth Mattinen  wrote:
>> >
>> >> A good start would be killing any /24 announcement where a covering
>> >> aggregate exists.
>> > I wouldn't do this as a general rule.  If an attacker knows networks are
>> > 1) not pointing default, 2) dropping /24's, 3) not validating the
>> > aggregates, and 4) no actual legitimate aggregate exists, (all
>> > reasonable assumptions so far for many /24's), then they have a pretty
>> > good opportunity to capture that traffic.
>>
>>
>> +1 John
>>
>> Seth's approach could be an option _only_ if an aggregate exists for
>> the prefix && the origin AS is the same
>>
>>
>> > John
>>
>
>


Re: BGP prefix filter list

2019-05-22 Thread Sabri Berisha
Hi, 

One legitimate reason is the split of companies. In some cases, IP space needs 
to be divided up. For example, company A splits up in AA and AB, and has a /20. 
Company AA may advertise the /20, while the new AB may advertise the top or 
bottom /21. I know of at least one worldwide e-commerce company that is in that 
situation. 

Thanks, 

Sabri 

- On May 22, 2019, at 9:40 AM, Tom Beecher  wrote: 

> There are sometimes legitimate reasons to have a covering aggregate with some
> more specific announcements. Certainly there's a lot of cleanup that many
> should do in this area, but it might not be the best approach to this issue.

> On Tue, May 21, 2019 at 5:30 AM Alejandro Acosta
> <alejandroacostaal...@gmail.com> wrote:

>> On 5/20/19 7:26 PM, John Kristoff wrote:
>> > On Mon, 20 May 2019 23:09:02 +
>> > Seth Mattinen <se...@rollernet.us> wrote:

>> >> A good start would be killing any /24 announcement where a covering
>> >> aggregate exists.
>> > I wouldn't do this as a general rule. If an attacker knows networks are
>> > 1) not pointing default, 2) dropping /24's, 3) not validating the
>> > aggregates, and 4) no actual legitimate aggregate exists, (all
>> > reasonable assumptions so far for many /24's), then they have a pretty
>> > good opportunity to capture that traffic.

>> +1 John

>> Seth's approach could be an option _only_ if an aggregate exists for
>> the prefix && the origin AS is the same

>> > John


Re: BGP prefix filter list

2019-05-22 Thread Alejandro Acosta
Hello.., you are totally right, the first reason that came to my mind is 
traffic engineering but there are other reasons too.


On 5/22/19 12:40 PM, Tom Beecher wrote:
There are sometimes legitimate reasons to have a covering aggregate 
with some more specific announcements. Certainly there's a lot of 
cleanup that many should do in this area, but it might not be the best 
approach to this issue.


On Tue, May 21, 2019 at 5:30 AM Alejandro Acosta wrote:



On 5/20/19 7:26 PM, John Kristoff wrote:
> On Mon, 20 May 2019 23:09:02 +
> Seth Mattinen <se...@rollernet.us> wrote:
>
>> A good start would be killing any /24 announcement where a covering
>> aggregate exists.
> I wouldn't do this as a general rule.  If an attacker knows networks are
> 1) not pointing default, 2) dropping /24's, 3) not validating the
> aggregates, and 4) no actual legitimate aggregate exists, (all
> reasonable assumptions so far for many /24's), then they have a pretty
> good opportunity to capture that traffic.


+1 John

Seth's approach could be an option _only_ if an aggregate exists for
the prefix && the origin AS is the same


> John



Re: BGP prefix filter list

2019-05-22 Thread Tom Beecher
There are sometimes legitimate reasons to have a covering aggregate with
some more specific announcements. Certainly there's a lot of cleanup that
many should do in this area, but it might not be the best approach to this
issue.

On Tue, May 21, 2019 at 5:30 AM Alejandro Acosta <
alejandroacostaal...@gmail.com> wrote:

>
> On 5/20/19 7:26 PM, John Kristoff wrote:
> > On Mon, 20 May 2019 23:09:02 +
> > Seth Mattinen  wrote:
> >
> >> A good start would be killing any /24 announcement where a covering
> >> aggregate exists.
> > I wouldn't do this as a general rule.  If an attacker knows networks are
> > 1) not pointing default, 2) dropping /24's, 3) not validating the
> > aggregates, and 4) no actual legitimate aggregate exists, (all
> > reasonable assumptions so far for many /24's), then they have a pretty
> > good opportunity to capture that traffic.
>
>
> +1 John
>
> Seth's approach could be an option _only_ if an aggregate exists for
> the prefix && the origin AS is the same
>
>
> > John
>
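
The condition raised in the quoted replies above (treat a /24 as removable only when a covering aggregate exists and its origin AS is the same), as an added example that is not part of any poster's message. The route table, prefixes, ASNs and the function name are constructed for illustration.

```python
import ipaddress

# Constructed sample table of (prefix, origin ASN): private-use and
# documentation values only, none of them taken from the thread.
ROUTES = [
    ("10.20.0.0/20", 64500),   # covering aggregate
    ("10.20.3.0/24", 64500),   # more-specific, same origin as the /20
    ("10.20.5.0/24", 64502),   # more-specific, different origin than the /20
    ("10.20.8.0/21", 64501),   # split-company case: second origin holds a /21
    ("10.20.9.0/24", 64501),   # same origin as the /21, not as the /20
    ("192.0.2.0/24", 64503),   # no covering aggregate at all
]

def classify_more_specifics(routes, length=24):
    """Label each prefix of the given length by whether a filter could drop it."""
    table = [(ipaddress.ip_network(p), asn) for p, asn in routes]
    verdicts = {}
    for net, asn in table:
        if net.prefixlen != length:
            continue
        # Less-specific routes in the same address family that contain this prefix.
        covers = [(c, a) for c, a in table
                  if c.version == net.version
                  and c.prefixlen < net.prefixlen
                  and net.subnet_of(c)]
        if not covers:
            # Dropping it leaves no route for this space unless a default exists.
            verdicts[str(net)] = "keep: no covering aggregate"
        elif any(a == asn for _, a in covers):
            verdicts[str(net)] = "candidate: covered by same origin"
        else:
            # The aggregate belongs to another origin; dropping shifts traffic there.
            verdicts[str(net)] = "keep: cover has different origin"
    return verdicts

if __name__ == "__main__":
    for prefix, verdict in classify_more_specifics(ROUTES).items():
        print(f"{prefix:<16} {verdict}")
```

The linear scan over the table is fine for a sample like this; a full routing table would need a prefix trie for the cover lookup.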


Re: Doha dark fiber

2019-05-22 Thread Mehmet Akcin
yes. GBI http://www.gbiinc.com/

https://gbi.networkatlas.com/ (customized so you can view just their
network rest of cables are at www.infrapedia.com ) if you need an intro to
them, let me know

mehmet

On Wed, May 22, 2019 at 6:56 AM Pui Edylie  wrote:

> Anyone knows anyone has dark fiber in doha and has a pop in Singapore?
>
> Thank you.
>
> Regards
> Edy
>
>
>
> Sent from my Samsung Galaxy smartphone.
>


Doha dark fiber

2019-05-22 Thread Pui Edylie
Anyone knows anyone has dark fiber in doha and has a pop in Singapore?

Thank you.

Regards
Edy

Sent from my Samsung Galaxy smartphone.

Re: Free Program to take netflow

2019-05-22 Thread Mike Hammett
nProbe as well. I was just checking if the setup was made simpler. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Niels Bakker"  
To: nanog@nanog.org 
Sent: Wednesday, May 22, 2019 8:34:49 AM 
Subject: Re: Free Program to take netflow 

* na...@ics-il.net (Mike Hammett) [Wed 22 May 2019, 14:40 CEST]: 
>The last time I looked, Elastiflow didn't accept a BGP session to learn ASes. 
>Has that changed? 

You can put pmacct in between to alleviate this. 


-- Niels. 



Re: Free Program to take netflow

2019-05-22 Thread Niels Bakker

* na...@ics-il.net (Mike Hammett) [Wed 22 May 2019, 14:40 CEST]:

The last time I looked, Elastiflow didn't accept a BGP session to learn ASes. 
Has that changed?


You can put pmacct in between to alleviate this.


-- Niels.


Re: BGP prefix filter list

2019-05-22 Thread Blake Hudson

adamv0...@netconsultings.com wrote on 5/22/2019 3:23 AM:

From: NANOG  On Behalf Of Blake Hudson
Sent: Monday, May 20, 2019 4:35 PM

As I recall reading about one vendor's platform (the ASR9k
perhaps?) and its TCAM organization process, it stored /32 routes in a
dedicated area for faster lookups and did the same for /24 routes.


Yes that was true for the first generation (trident based) line-cards and is no 
longer the case anymore.

adam


Thanks Adam! For the life of me I could not remember where I read that 
information or what platform it applied to. I do recall it being a very 
transparent view into TCAM organization and I appreciated the insight. 
It was also a good reminder that it pays to understand your platform as 
I had previously (naively) thought that a 1M capacity FIB could hold 1M 
entries with any mask size, whether those be 1M /32 entries (a BRAS with 
1M PPP/BNG subscribers) or 1M /24 or bigger entries (a BGP edge router). 
This was obviously not the case on that platform.


Re: Free Program to take netflow

2019-05-22 Thread Jason Lixfeld
I loved using ElastiFlow, but we didn’t quite work out in the end.  Here’s my 
$0.02 -

- ElastiFlow setup is easy-ish.
- ELK setup is easy-ish.
- Scaling ELK is not easy unless you know what you’re doing.

If you’ve got enough flows that you need to scale ELK, you’re probably also 
using multiple flow exporters, at which point this[1] could bite you and if ELK 
scaling was hard for you, dealing with this might not be trivial until Rob 
decides how best to bake a fix into EF.

I learned ELK because I wanted to use EF, but I only learned enough about ELK 
to get me by.  Having to also learn about REDIS and having to learn more about 
ELK to make it work with REDIS and EF was a show stopper; I just didn’t have 
the time. 

[1] https://github.com/robcowart/elastiflow/issues/205

> On May 18, 2019, at 12:19 AM, Crist Clark  wrote:
> 
> Been loving Elastiflow. Way overkill for what you need, but it's
> actually pretty easy to setup.
> 
> https://github.com/robcowart/elastiflow
> 
> 
> On Fri, May 17, 2019 at 7:25 AM Dennis Burgess via NANOG
>  wrote:
>> 
>> I am looking for a free program to take netflow and output what the top 
>> traffic ASes to and from my AS are.   Something that we can look at every 
>> once in a while, and/or spin up and get data then shutdown..  Just have two 
>> ports need netflow from currently.
>> 
>> 
>> 
>> Thanks in advance.
>> 
>> 
>> 
>> 
>> 
>> Dennis Burgess, Mikrotik Certified Trainer
>> 
>> Author of "Learn RouterOS- Second Edition”
>> 
>> Link Technologies, Inc -- Mikrotik & WISP Support Services
>> 
>> Office: 314-735-0270  Website: http://www.linktechs.net
>> 
>> Create Wireless Coverage’s with www.towercoverage.com
>> 
>> 



Re: Free Program to take netflow

2019-05-22 Thread Mike Hammett
The last time I looked, Elastiflow didn't accept a BGP session to learn ASes. 
Has that changed? 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Crist Clark"  
To: "Dennis Burgess"  
Cc: nanog@nanog.org 
Sent: Friday, May 17, 2019 11:19:02 PM 
Subject: Re: Free Program to take netflow 

Been loving Elastiflow. Way overkill for what you need, but it's 
actually pretty easy to setup. 

https://github.com/robcowart/elastiflow 


On Fri, May 17, 2019 at 7:25 AM Dennis Burgess via NANOG 
 wrote: 
> 
> I am looking for a free program to take netflow and output what the top 
> traffic ASes to and from my AS are. Something that we can look at every once 
> in a while, and/or spin up and get data then shutdown.. Just have two ports 
> need netflow from currently. 
> 
> 
> 
> Thanks in advance. 
> 
> 
> 
> 
> 
> Dennis Burgess, Mikrotik Certified Trainer 
> 
> Author of "Learn RouterOS- Second Edition” 
> 
> Link Technologies, Inc -- Mikrotik & WISP Support Services 
> 
> Office: 314-735-0270 Website: http://www.linktechs.net 
> 
> Create Wireless Coverage’s with www.towercoverage.com 
> 
> 



Re: Free Program to take netflow

2019-05-22 Thread Alain Hebert

    +1 for Elastiflow

    But make sure to clear the indexes, as it wasn't included with the 
project, when we installed ours.


    Here's our solution that deletes them after 90 days.

- Crontab

0 12 * * * (cd /usr/local//scripts; ./corp>_elastiflow_prune.sh) > /dev/null 2>&1


- Content of the *_prune.sh for Linux

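#!/bin/csh -f

# Current time in epoch seconds, then the epoch 90 days earlier
set d_current=`date "+%s"`
set d_90=`expr ${d_current} - \( 90 \* 24 \* 60 \* 60 \)`
# Date suffix (YYYY.MM.DD) of the index to delete; -d @epoch needs GNU date
set idx=`date -d @${d_90} "+%Y.%m.%d"`

# Delete the index for that single day
curl -XDELETE "http://localhost:9200/elastiflow-${idx}"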

-
Alain Hebert    aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443

On 2019-05-18 00:19, Crist Clark wrote:

Been loving Elastiflow. Way overkill for what you need, but it's
actually pretty easy to setup.

https://github.com/robcowart/elastiflow


On Fri, May 17, 2019 at 7:25 AM Dennis Burgess via NANOG
 wrote:

I am looking for a free program to take netflow and output what the top traffic 
ASes to and from my AS are.   Something that we can look at every once in a 
while, and/or spin up and get data then shutdown..  Just have two ports need 
netflow from currently.



Thanks in advance.





Dennis Burgess, Mikrotik Certified Trainer

Author of "Learn RouterOS- Second Edition”

Link Technologies, Inc -- Mikrotik & WISP Support Services

Office: 314-735-0270  Website: http://www.linktechs.net

Create Wireless Coverage’s with www.towercoverage.com






RE: BGP prefix filter list

2019-05-22 Thread adamv0025
> From: NANOG  On Behalf Of Blake Hudson
> Sent: Monday, May 20, 2019 4:35 PM
> 
> As I recall reading about one vendor's platform (the ASR9k
> perhaps?) and its TCAM organization process, it stored /32 routes in a
> dedicated area for faster lookups and did the same for /24 routes.
>
Yes that was true for the first generation (trident based) line-cards and is no 
longer the case anymore. 

adam