Re: "Tactical" /24 announcements

2021-08-17 Thread Tim Raphael
We do something similar - build the prefix lists externally (based on PeeringDB, IRR, RPKI data) and push them with config management on regular intervals. This sort of automated policy architecture is clearly becoming more common, and the drive (see: MANRS) is ever-increasing. I'd really like

Re: "Tactical" /24 announcements

2021-08-17 Thread Tim Raphael
I quite like this approach as well - for those that would like to do more complicated policy logic off-box, the RTR architecture very much lends itself to that. JNPR already has accessible APIs (JET-based / RPC) you can leverage to push configuration into the ephemeral database or be called on

Re: Australian Dark Fibre Providers - Sydney

2021-03-10 Thread Tim Raphael
Hi Scott, NextHop (https://www.nexthop.com.au/) is probably worth a look if you're looking for within the Sydney 2000 area or between Sydney metro DCs. Unicast me and I can do an intro if you like. - Tim On Thu, Mar 11, 2021 at 12:42 PM scott wrote: > > On 3/10/2021 3:37 PM, Rod Beck wrote: >

Re: Service Provider NetFlow Collectors

2019-01-02 Thread Tim Raphael
pushed everything to influx from flows, > you have to be a bit smarter with the layout, aggregations and continuous > queries. > (collect what you need) > > > >> On 02-01-19 13:08, Tim Raphael wrote: >> I would advise against InfluxDB in this case - flow data has a

Re: Service Provider NetFlow Collectors

2019-01-02 Thread Tim Raphael
This is correct, With a flow database you want to be able to say: “show me all HTTP traffic from subnet a.b.c.0/24” which requires you to either keep individual IPs or aggregate subnets. Combined with port and protocol data for both source and destination, the series count shoots way above

Re: Service Provider NetFlow Collectors

2019-01-02 Thread Tim Raphael
I would advise against InfluxDB in this case - flow data has a very high (and open) tag cardinality which is not suited to Influx (although their recently new index format has improved this). I’m currently pushing sFlow through Pmacct —> Kafka —> Clickhouse (columnar store) with a summing

Re: Non-profit IX vs. neutral for-profit IX

2018-12-20 Thread Tim Raphael
The other point to consider is that a NFP can justify more locations and offer services (such as extended reach) that don’t have the same profit margins or ROI as for-profits. This often leads to greater value to those with smaller networks and fewer customers allowing them to grow and expand

Re: Question about bird RS config with BGP Community support

2018-07-23 Thread Tim Raphael
As an operator of a large, established IXP I would also recommend this path. A lot of work had gone into the likes of IXPManager and arouteserver and they provide great value in providing secure configurations with added features such as action communities you are after. Cheers, Tim > On 24

Re: Proxying NetFlow traffic correctly

2017-06-06 Thread Tim Raphael
nProbe is what you want, it’s another product from NTop. http://www.ntop.org/products/netflow/nprobe/ - Tim > On 7 Jun 2017, at 7:43 am, Sami via NANOG wrote: > > Hello, > I have been searching for a solution that

Re: Recent NTP pool traffic increase

2016-12-20 Thread Tim Raphael
for less > trivial reasons. ;) > > > From: NANOG [nanog-boun...@nanog.org] On Behalf Of Tim Raphael > [raphael.timo...@gmail.com] > Sent: Tuesday, December 20, 2016 5:34 PM > To: Gary E. Miller > Cc: nanog@nanog.org > Subject: Re: Recent NTP pool traffic increa

Re: Recent NTP pool traffic increase

2016-12-20 Thread Tim Raphael
This was my thought actually, Apple does offer some time services as part of the OS but it’s becoming common with larger / more popular apps to provide some of these services internally. Look at the FB app for example, there are a lot of “system” things they do themselves due to the ability to

Re: automated site to site vpn recommendations

2016-06-29 Thread Tim Raphael
There is a downside to subscription pricing for the vendor: they don't get the instant cashflow they're used to. I know Cisco seems to be taking a tactic where only some product lines use subscriptions and the others are on a typical enterprise 3-5 year replacement cycle to provide Cisco with

Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Tim Raphael
The SIP ALG in the Juniper SRXs is definitely one of the best I’ve come across. I defaulted to turning it off based on my previous experiences with SIP ALGs and NAT however it became apparent that it actually worked really well and I ended up defaulting it to on. - Tim > On 6 May 2016, at

Re: Super Core Hardware suggestions

2015-08-07 Thread Tim Raphael
The Juniper PTX1000 is worth a look. http://www.juniper.net/us/en/products-services/routing/ptx-series/ptx1000/ Regards, Tim Raphael On 7 Aug 2015, at 10:10 am, Ben Cornish b...@overthewire.com.au wrote: Hey All We are looking for suggestions for a device to act as a super Core Device

Re: leap second outage

2015-07-01 Thread Tim Raphael
No, it was a route leak by a colo provider (Axcelx) downstream. Regards, Tim Raphael On 1 Jul 2015, at 11:37 am, Justin Paine via NANOG nanog@nanog.org wrote: Any confirmation if the AWS outage was leap second-related? Justin Paine Head of Trust Safety CloudFlare Inc

Re: Enterprise network as an ISP with a single huge customer

2015-06-12 Thread Tim Raphael
for the wrong reasons just so they can say that's what they're doing. Regards, Tim Raphael On 13 Jun 2015, at 10:48 am, Stepan Kucherenko t...@megagroup.ru wrote: 13.06.2015 05:35, Randy Bush wrote: i have seen a lot of this done with firewall devices and vlans. with vlans or mpls, you can make

Re: Rasberry pi - high density

2015-05-08 Thread Tim Raphael
to the chassis option. So yes, infeasible indeed. Regards, Tim Raphael On 9 May 2015, at 1:24 pm, char...@thefnf.org wrote: So I just crunched the numbers. How many pies could I cram in a rack? Check my numbers? 48U rack budget 6513 15U (48-15) = 33U remaining for pie 6513 max

Re: Multi-gigabit edge devices as CPE

2015-04-09 Thread Tim Raphael
L3VPN hand off is the only thing I can think of from the top of my head. But then, there would be no need to have a full table unless you had customers requesting a full table. It sounds like the OP is looking for one device to do multiple roles where two/three different device types and/or

Re: Multi-gigabit edge devices as CPE

2015-04-09 Thread Tim Raphael
for a decent reconvergence time. On 9 Apr 2015, at 10:42 pm, Daniel Rohan dro...@gmail.com wrote: On Thu, Apr 9, 2015 at 7:25 AM, Tim Raphael raphael.timo...@gmail.com mailto:raphael.timo...@gmail.com wrote: L3VPN hand off is the only thing I can think of from the top of my head

Re: Multi-gigabit edge devices as CPE

2015-04-09 Thread Tim Raphael
dave.t...@gmail.com wrote: On Wed, Apr 8, 2015 at 6:36 PM, Tim Raphael raphael.timo...@gmail.com wrote: Correct. But hopefully not far off now that there are x86 packages for simple MPLS operations. With a bit of luck an RSVP or LDP implementation isn't far behind. Just sitting around

Re: Multi-gigabit edge devices as CPE

2015-04-08 Thread Tim Raphael
VyOS is a community fork of Vyatta and is still being developed very actively and is pushing ahead with many new features! It's pretty stable too imo. http://vyos.net/wiki/Main_Page Regards, Tim Raphael On 9 Apr 2015, at 8:14 am, Faisal Imtiaz fai...@snappytelecom.net wrote: Mikrotik

Re: Multi-gigabit edge devices as CPE

2015-04-08 Thread Tim Raphael
Correct. But hopefully not far off now that there are x86 packages for simple MPLS operations. With a bit of luck an RSVP or LDP implementation isn't far behind. Regards, Tim Raphael On 9 Apr 2015, at 9:14 am, Josh Reynolds j...@spitwspots.com wrote: No MPLS though

Re: OT: VPS with Routed IP space

2015-02-24 Thread Tim Raphael
Same here, we do as well. But as per the OPs question: we will route additional space but you generally need a good reason for it. Regards, Tim Raphael On 25 Feb 2015, at 4:38 am, Jeff Fisher na...@techmonkeys.org wrote: On 02/24/2015 02:29 PM, Zachary Giles wrote: Partial thread jack

Re: Facebook outage?

2015-01-26 Thread Tim Raphael
And it appears to be back for me. - Tim On 27 Jan 2015, at 3:08 pm, Tim Raphael raphael.timo...@gmail.com wrote: Instagram used to use Amazon AWS before being purchased by Facebook. There has been a slow migration onto FB infrastructure, so yes, a mixture of addresses like that makes

Re: Facebook outage?

2015-01-26 Thread Tim Raphael
Instagram used to use Amazon AWS before being purchased by Facebook. There has been a slow migration onto FB infrastructure, so yes, a mixture of addresses like that makes sense. - Tim On 27 Jan 2015, at 2:58 pm, Christopher Morrow morrowc.li...@gmail.com wrote: On Tue, Jan 27, 2015 at

Re: Recommended L2 switches for a new IXP

2015-01-13 Thread Tim Raphael
Either way, you can do SDN and automation with most Juniper kit. On purchase of JCare you get free access to Junos Space - great for provisioning and management of an IXP. Regards, Tim Raphael On 14 Jan 2015, at 6:28 am, Eduardo Schoedler lis...@esds.com.br wrote: My mistake, it's

Re: The state of TACACS+

2014-12-29 Thread Tim Raphael
Making the TACACS+ server unavailable is fairly easy - a small LAN-based DDoS would do it, or a firewall rule change somewhere in the middle. Either would cause the router to fail over to its local account. - this is based on the fact that said attacker has some sort of access previously and

Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-08 Thread Tim Raphael
Check out Arbor Networks, they produce a range of DDoS scrubbing appliances that do pretty much what you want. Regards, Tim Raphael On 9 Nov 2014, at 9:10 am, Eric C. Miller e...@ericheather.com wrote: Today, we experienced (3) separate DDoS attacks from Eastern Asia, all generating

Re: IPv6 Default Allocation - What size allocation for Loopback Address

2014-10-11 Thread Tim Raphael
- this is the purpose of it. Any technology or design that requires this has got scaling issues and should not be used anyway. Regards, Tim Raphael On 11 Oct 2014, at 2:37 pm, Roland Dobbins rdobb...@arbor.net wrote: On Oct 11, 2014, at 1:33 PM, Faisal Imtiaz fai...@snappytelecom.net wrote