Re: DPDK and energy efficiency

2021-03-05 Thread Brian Knight via NANOG
On 2021-03-05 15:40, Eric Kuhnke wrote: For comparison purposes, I'm curious about the difference in wattage results between: a) Your R640 at 420W running DPDK b) The same R640 hardware temporarily booted from an Ubuntu server live USB, in which some common CPU stress and memory disk/IO

Re: DPDK and energy efficiency

2021-03-05 Thread Brian Knight via NANOG
On 2021-03-05 12:22, Etienne-Victor Depasquale wrote: Sure, here goes: https://www.surveymonkey.com/results/SM-BJ9FCT6K9/ Thanks for sharing these results. We run DPDK workloads (Cisco nee Viptela vEdge Cloud) on ESXI. Fwiw, a quick survey of a few of our Dell R640s running mostly vEdge

Re: Famous operational issues

2021-02-18 Thread Brian Knight via NANOG
On 2021-02-17 13:28, John Kristoff wrote: On Wed, 17 Feb 2021 14:07:54 -0500 John Curran wrote: I have no idea what outages were most memorable for others, but the Stanford transfer switch explosion in October 1996 resulted in much of the Internet in the Bay Area simply not being reachable

Re: Ingress filtering on transits, peers, and IX ports

2020-11-20 Thread Brian Knight via NANOG
As a final update to this thread, we started blocking spoofed and invalid traffic as of early Thursday morning Nov 19th. So far, knock on wood, no reports of issues from our customer base. In addition, I've been able to verify with the security research team's test tool that we are no longer

Re: Ingress filtering on transits, peers, and IX ports

2020-10-22 Thread Brian Knight via NANOG
Randy, thank you for the reminder to look also at what services (L4 ports) should be generally blocked. As I was implementing a similar rule for logging purposes, I discovered an oddity with $VENDOR_C_XR ACLs. I created the following: object-group port TCPUDP-BLOCKED eq 0 eq sunrpc eq

Re: Ingress filtering on transits, peers, and IX ports

2020-10-19 Thread Brian Knight via NANOG
ll.com.au/pfs/_media/workshops/05-bgp-bcp.pdf Regards. On Tue, Oct 13, 2020 at 19:52, Brian Knight via NANOG () wrote: Hi Mel, My understanding of uRPF is: * Strict mode will permit a packet only if there is a route for the source IP in the RIB, and that route points to the interfa

Re: Ingress filtering on transits, peers, and IX ports

2020-10-14 Thread Brian Knight via NANOG
CL. I think that's good for an enterprise network, but as an SP, I'm very hesitant to include this. Is this included in anyone else's transit / peer / IX ACL? Is there anything else that I'm not thinking of? Thanks, -Brian On 2020-10-14 09:25, Brian Knight via NANOG wrote: Hi Marcos, T

Re: Ingress filtering on transits, peers, and IX ports

2020-10-14 Thread Brian Knight via NANOG
o DoS a single /32 endpoint IP > being targeted, as in common online gaming disputes? > > What volume of pps or Mbps would appear as spurious traffic as a result of > this attack? > > On Tue, Oct 13, 2020 at 3:14 PM Brian Knight via NANOG > wrote: > >> We recently

Re: Ingress filtering on transits, peers, and IX ports

2020-10-14 Thread Brian Knight via NANOG
-bcp.pdf Regards. On Tue, Oct 13, 2020 at 19:52, Brian Knight via NANOG () wrote: Hi Mel, My understanding of uRPF is: * Strict mode will permit a packet only if there is a route for the source IP in the RIB, and that route points to the interface where the packet was received * Loose

Re: Ingress filtering on transits, peers, and IX ports

2020-10-13 Thread Brian Knight via NANOG
per: > > https://www.juniper.net/documentation/en_US/junos/topics/task/configuration/interfaces-configuring-unicast-rpf.html > > > -mel beckman > >> On Oct 13, 2020, at 3:15 PM, Brian Knight via NANOG wrote: > >> We recently received an email notice from a grou

Ingress filtering on transits, peers, and IX ports

2020-10-13 Thread Brian Knight via NANOG
We recently received an email notice from a group of security researchers who are looking at the feasibility of attacks using spoofed traffic. Their methodology, in broad strokes, was to send traffic to our DNS servers with a source IP that looked like it came from our network. Their attacks