RE: Suspicious IP reporting

but that's it. Do you not understand my issue? I thought that is the real problem with the online bullies in this thread. -- Thank You, Joe On Thu, Feb 4, 2021 at 5:01 PM Ryan Hamel mailto:administra...@rkhtech.org> > wrote: Joe, The underlying premise here is, “pick your b

RE: Suspicious IP reporting

Joe, The underlying premise here is, “pick your battles”. If you don’t want an IP address to access your device in anyway, setup a firewall and properly configure it to accept whitelisted traffic only, or just expose a VPN endpoint. The Internet is full of both good and bad actors that

RE: Verizon FiOS/Google Peering Issues in Northeast?

They’re saying it’s a fiber cut in Brooklyn. https://twitter.com/VerizonSupport/status/1354109889572982786 Would be interesting to see the RFO on this. Ryan From: NANOG On Behalf Of Robert Webb Sent: Tuesday, January 26, 2021 9:14 AM To: Brian Loveland Cc: North American Network

RE: Verizon FiOS/Google Peering Issues in Northeast?

Brian, It’s an overall Verizon issue, they say it’s a fiber cut in Brooklyn https://twitter.com/VerizonSupport/status/1354109889572982786?s=20, but that would be a single point of failure. Quite a discussion on the outages mailing list. Ryan From: NANOG On Behalf Of Brian Loveland

Re: Global Peer Exchange

That's Cogent for ya. Ryan On Mon, Nov 30, 2020, 10:14 AM Paul Emmons wrote: > > You take down a 10g connection and they bill each side $.2 a meg, 95th >> percintile billing. VLAN between the two sites. Both sites have to have a >> different AS number. So if you want to move 1g of data, 95th

Re: Telia Not Withdrawing v6 Routes

This same issue happened in Los Angeles a number of years ago, but for IPv4 and v6. They need to setup sane BGP timers, and/or advocate the use of BFD for BGP sessions both customer facing and internal. Ryan On Nov 15 2020, at 5:58 pm, Matt Corallo wrote: > Has anyone else experienced issues

Re: Asus wifi AP re-writing DNS packets

I'm curious to know why they would add such a thing, and how you got the iptables rules from the device. Do these Asus routers provide SSH directly into the shell? Ryan On Oct 28 2020, at 11:33 am, Anurag Bhatia wrote: > Hello, > > Wondering anyone from Asus here or anyone who could connect me

Re: cheap MPLS router recommendations

It can handle a few full tables, but the performance of an MX80/MX104 is nearly the same as the EX4200 switch. Ryan On Oct 16 2020, at 4:41 pm, Tony Wicks wrote: > Well, there is always the MX104 (if you want redundancy) or MX80 if you > don’t. That will give you 80gig wire speed just don’t

Re: Cogent Layer 2

Ytti wrote: > On Thu, 15 Oct 2020 at 10:28, Ryan Hamel wrote: > > > My experience with multiple carriers is that reroutes happen in under a > > minute but rarely happen, I also have redundant backup circuits to another > > datacenter, so no traffic is truly lost. If an out

Re: Cogent Layer 2

tocol udp; destination-port [ 3784 3785 4784 ]; source-prefix-list bgp_hosts; } then accept; } term deny_bfd { from { protocol udp; destination-port [ 3784 3785 4784 ]; } then discard; } Ryan On Oct 14 2020, at 11:29 pm, Saku Ytti wrote: > On Thu, 15 Oct 2020 at 09:11, Ryan Hamel (mailto

Re: Cogent Layer 2

Yep. Make sure you run BFD with your peering protocols, to catch outages very quickly. On Oct 14 2020, at 12:47 pm, Mike Hammett wrote: > I haven't heard any concerns with reliability, on-net performance (aside from > 2 gig flow limit) or other such things. Do they generally deliver well in >

Re: Cogent Layer 2

ce > of SDH with all the functionality of Ethernet. Very popular service. > Unfortunately, management replaced with Switched Ethernet, which many > customers distrusted because of potential overbooking issues. > > > From: Ryan Hamel > Sent: Wednesday, October 14, 2020 8

Re: Cogent Layer 2

gt; From: NANOG on > behalf of Ryan Hamel > Sent: Wednesday, October 14, 2020 7:54 PM > To: Mike Hammett > Cc: nanog@nanog.org > Subject: Re: Cogent Layer 2 > > > Mike, > > Layer 2 is fine once it works. > You will have to put up with whatever VLAN tags they

Re: Cogent Layer 2

Mike, Layer 2 is fine once it works. You will have to put up with whatever VLAN tags they pick, if you plan on having multiple virtual circuits on a 10G hub. They do like to see into the flows of traffic, as they only allow up to 2Gbits/flow, per there legacy infrastructure. If the circuit

Re: Hurricane Electric AS6939

You would get better peering from Equinix IX, which includes free HE IPv4 Peering + IPv6 Transit Ryan On Oct 13 2020, at 4:29 pm, Aaron Gould wrote: > Do y’all like HE for Internet uplink? I’m thinking about using them for > 100gig in Texas. It would be for my eyeballs ISP. We currently have

Re: Juniper configuration recommendations/BCP

There is linux happening in some devices. https://www.juniper.net/documentation/en_US/junos/topics/concept/evo-overview.html Ryan On Thu, Oct 8, 2020, 4:16 PM Matt Harris wrote: > Matt Harris​ > | Infrastructure Lead Engineer > 816‑256‑5446 > | Direct > Looking for something? > *Helpdesk

Re: BFD for routes learned trough Route-servers in IXPs

> "How can I check if my communication against the NextHop of the routes that I > learn from the route-servers are OK? If it is not OK, how can I remove it > from my FIB?" Install a route optimizer that constantly pings next hops, when the drop threshold is met, remove the routes. No one is

Re: Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)

FZ, they have SOME > responsibility to keep their software from accidentally breaking the internet. > > -Matt > > > On Sat, Aug 1, 2020 at 2:30 PM Ryan Hamel (mailto:r...@rkhtech.org)> wrote: > > Job, > > > > I disagree on the fact that it is not fair to

Re: Issue with Noction IRP default setting (Was: BGP route hijack by AS10990)

Job, I disagree on the fact that it is not fair to the BGP implementation ecosystem, to enforce a single piece of software to activate the no-export community by default, due to ignorance from the engineer(s) implementing the solution. It should be common sense that certain routes that should

Re: Curious Cloudflare DNS behavior

Hey Constantine, John came in with a technical issue. If you have nothing worthy to say about it specifically, it's best to keep quiet. Thanks! Ryan On May 30 2020, at 11:52 am, Constantine A. Murenin wrote: > When you're not paying for service, you're not the customer, you're the > product. >

Re: Contact at Ubiquiti Networks?

ion for spanning-tree protocols - Junos OS 15.1X53-D50 Root protection for spanning-tree protocols - Junos OS 15.1X53-D50 Ryan Hamel On May 26 2020, at 11:09 pm, Phil Lavin wrote: > > Even the big guys like Juniper fail at basic functionality. Our brand new > > MX204 fails to select the correct

Re: RIPE NCC Executive Board election

demonstrating a proof of concept with a couple of Linux VMs, showing off the client and router changes, and release it for the community to play around with. Actions speak louder than words. Just like RIPE votes, and listing your email address as spam. Have a good one. Ryan Hamel On May 13 2020, at 2

Re: Hi-Rise Building Fiber Suggestions

I do not recommend doing that, it's 30 members in a single stack. Mine was only two, directly connected to each other. Treat your control plane like your L2, don't extend it farther than necessary. Ryan On Feb 25 2020, at 9:00 pm, Tim Požár wrote: > > Also, Juniper switches will stack over

Re: Hi-Rise Building Fiber Suggestions

How would that work to solve Norman's problem? That sounds like a lot of money spending, and setup time, for nothing. Ryan On Feb 25 2020, at 8:21 pm, Bradley Burch wrote: > > Should consider DWDM or GPON and in those look at passive optical > technologies that can benefit the project. > > On

Re: Hi-Rise Building Fiber Suggestions

I'd say a pair of Juniper switches on each floor, with their virtual-chassis capability. Terminate the top/bottom floor of fiber 1 into switch 1, and the other into switch two. Create an LACP bond between each floors switches, tag the necessary VLANs, and put the VLAN SVIs onto the first pair

Re: Jenkins amplification

Jean, Do you have facts to support this claim? Signed, A happy pfSense user. On Mon, Feb 3, 2020, 12:42 PM Jean | ddostest.me via NANOG wrote: > Netgate bought Pfsense and they already started to destroy it. > > You should consider to switch to Opnsense. > > On 2020-02-03 14:34, Matt Harris

Re: Wikipedia drops support for old Android smartphones; mandates TLSv1.2 to read

Just let the old platforms ride off into the sunset as originally planned like the SSL implementations in older JRE installs, XP, etc. You shouldn't be holding onto the past. Ryan On Tue, Dec 31, 2019, 12:41 AM Constantine A. Murenin wrote: > On Tue, 31 Dec 2019 at 02:29, Matt Hoppes < >

Re: Holiday route leak

On Mon, Dec 30, 2019, 12:44 PM Job Snijders wrote: > Dear all, > > On Fri, Dec 27, 2019 at 04:06:24PM -0500, Christopher Morrow wrote: > > If there are AS46844 folk listening around their eggnog ... it'd be > > nice if you would stop leaking prefixes: https://imgur.com/a/Js0YvP2 > > > > this

PayPal - IP Address Blocked

Hey everyone, Can someone from PayPal who manages their IP ACLs to reach out to me, offlist? I have an IP address that is acting like its blocked but support is saying it's not. Thank you in advance for your time. Ryan Hamel

Re: Recommended DDoS mitigation appliance?

Rob, I am going to assume you want it to spit out 10G clean, what size dirty traffic are you expecting it to handle? Ryan On Nov 17 2019, at 2:18 pm, Rabbi Rob Thomas wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > > Hello, NANOG! > I'm in the midst of rebuilding/upgrading our

Re: new BGP hijack & visibility tool “BGPalerter”

Job, I appreciate the effort and the intent behind this project, but why should the community contribute to an open source project on GitHub that is mainly powered by a closed source binary? Ryan On Wed, Aug 14, 2019, 10:55 AM Job Snijders wrote: > Dear NANOG, > > Recently NTT investigated

Re: What can ISPs do better? Removing racism out of internet

> could network operators do anything to make these sites “not so easy” to be > found, reached, and used to end innocent lives? Nope. If they follow the word of the providers and services they use, there is no reason to terminate the service. CloudFlare terminating 8chan's service was a one

Re: Spam due to new ARIN allocation

> > Do it. I'd name and shame all of them. Ryan On Fri, Aug 2, 2019, 4:33 PM Tim Burke wrote: > >> We recently received a new ASN from ARIN - you know what that means... >> the sales vultures come out to play! >> >> So far, it has resulted in spam from Cogent (which is, of course, to be >>

RE: Performance metrics used in commercial BGP route optimizers

Nowhere near the number as an engineer fat fingering a route. There are ISPs that accept routes all the way to /32 or /128, for traffic engineering with ease, and/or RTBH. Ryan -Original Message- From: NANOG On Behalf Of Nick Hilliard Sent: Tuesday, July 16, 2019 11:04 AM To: Job

Re: Performance metrics used in commercial BGP route optimizers

The answers which you seek would be considered secret sauce to these vendors. But you can start at running MTRs through a VRF per carrier only containing a default route, and looking at the results. Ryan On Tue, Jul 16, 2019 at 6:11 AM -0700, "Dimeji Fayomi"

RE: Must have ISP Open Source & tools

Java as a dependency this day and age… -Ryan From: Jason Kuehl Sent: Monday, July 08, 2019 6:41 AM To: Mehmet Akcin Cc: Ryan Hamel ; Niels Bakker ; nanog@nanog.org Subject: Re: Must have ISP Open Source & tools We use https://cbackup.me/en/ over Rancid -- Sincerely, Jason W Kuehl Cell

RE: Must have ISP Open Source & tools

My List: Oxidized as a replacement for RANCID Telegraf + InfluxDB = Tons of Grafana Dashboards (Open Source Slack Alternative) Ansible or Python Knowledge with Paramiko or netmiko for network automation. BGP: FRRouting - Mimics Cisco CLI BIRD - Programming style config format. Exabgp - Mostly

RE: Sflow billing or usage calculation software

, that way intelligent routing changes can be made much quicker. -- Ryan Hamel Network Administrator ryan.ha...@quadranet.com | +1 (888) 578-2372 QuadraNet Enterprises, LLC. | Dedicated Servers, Colocation, Cloud From: NANOG On Behalf Of Tony C Sent: Friday, April 12, 2019 8:22 PM To: nanog@nanog.org

RE: VPS providers contacts

an exception on data it doesn’t know to expect, and rolling back the changes if it’s possible. -- Ryan Hamel Network Administrator ryan.ha...@quadranet.com | +1 (888) 578-2372 QuadraNet Enterprises, LLC. | Dedicated Servers, Colocation, Cloud

RE: Should ISP block child pornography?

When I receive a report, we follow our procedures with the Cyber Tip Line, and then immediately null route the IP address until the content is removed. From: NANOG On Behalf Of Suresh Ramasubramanian Sent: Thursday, December 06, 2018 10:49 PM To: Mark Seiden Cc: nanog@nanog.org Subject: Re:

RE: Switch with high ACL capacity

or /48 through the carrier that has the filters in place to ensure they get all the traffic. After post processing the spoofed traffic, it should leave you with flooding to take care of. -- Ryan Hamel Network Administrator ryan.ha...@quadranet.com | +1 (888) 578-2372 QuadraNet Enterprises, LLC

RE: Switch with high ACL capacity

this to swing /32's or /128's to said dedicated links so it won't affect your clients traffic. -- Ryan Hamel Network Administrator ryan.ha...@quadranet.com | +1 (888) 578-2372 QuadraNet Enterprises, LLC. | Dedicated Servers, Colocation, Cloud -Original Message- From: NANOG On Behalf Of Mike

RE: Brocade SLX Internet Edge

+1 SecureCRT in general, and don’t buy Brocade, I was happy when I got to pull out the last Foundry. -- Ryan Hamel Network Engineer ryan.ha...@quadranet.com<mailto:ryan.ha...@quadranet.com> | +1 (888) 578-2372 x201 QuadraNet Enterprises, LLC. | Dedicated Servers, Colocation, Cloud

RE: Brocade SLX Internet Edge

the Jericho chipset or some variant to get that kind of performance. In the end, your mileage may vary. -- Ryan Hamel Network Engineer ryan.ha...@quadranet.com | +1 (888) 578-2372 x201 QuadraNet Enterprises, LLC. | Dedicated Servers, Colocation, Cloud -Original Message- From: NANOG

RE: Oct. 3, 2018 EAS Presidential Alert test

Confirmed Verizon - Android - Los Angeles. -- Ryan Hamel Network Engineer ryan.ha...@quadranet.com | +1 (888) 578-2372 x201 QuadraNet Enterprises, LLC. | Dedicated Servers, Colocation, Cloud -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Milt Aitken Sent

RE: NANOG Security Track: Route Security

of knowledge? That's crazy. Ryan Hamel -Original Message- From: NANOG On Behalf Of Ryan Woolley Sent: Monday, October 01, 2018 11:48 AM To: NANOG Subject: Re: NANOG Security Track: Route Security On Mon, Oct 1, 2018 at 8:16 AM Netravnen wrote: > > On Mon, 1 Oct 2018 at 14:01, John Kr

RE: NANOG Security Track: Route Security

Just like how all the email threads on NANOG are archived, all talks should be archived as well. Ryan Hamel From: NANOG On Behalf Of Krassimir Tzvetanov Sent: Sunday, September 30, 2018 3:31 PM To: Sam Oduor Cc: NANOG mailing list Subject: Re: NANOG Security Track: Route Security Sam

RE: Console Servers

I just use a Raspberry Pi with USB to Serial adapters or old servers with PCI(-E) 8 port serial cards. They make it so easy to adapt to any environment, and it phones home to my conserver (https://www.conserver.com/) gateway. The total cost for hardware is less than $150. Ryan From: NANOG On

RE: automatic rtbh trigger using flow data

is going to offer such filtering services for free when DDoS mitigation is a cash cow. Ryan Hamel From: NANOG On Behalf Of Baldur Norddahl Sent: Sunday, September 02, 2018 1:42 AM To: nanog@nanog.org Subject: Re: automatic rtbh trigger using flow data This is not true. Some of our transits do RTBH

RE: automatic rtbh trigger using flow data

No ISP is in the business of filtering traffic unless the client pays the hefty fee since someone still has to tank the attack. I also don’t think there is destination prefix IP filtering in flowspec, which could seriously cause problems. From: NANOG On Behalf Of Baldur Norddahl Sent:

RE: automatic rtbh trigger using flow data

From experience, sflows are horribly inaccurate for DDoS detection, since the volume could disrupt the control plane and render the process useless, thus not giving data to the external system to act upon it. You can't get any better than mirroring your inbound transit, and sampling the output

RE: automatic rtbh trigger using flow data

Exactly Aaron. No provider will allow a customer to null route a source IP address. I could only assume that a null route on Michel's network is tanking the packets at their edge to 192.0.2.1 (discard/null0). -- Ryan Hamel Senior Support Engineer ryan.ha...@quadranet.com | +1 (888) 578-2372

RE: automatic rtbh trigger using flow data

There are software that combine your needs altogether. I'm sure there are others. WANGuard from Andrisoft (https://www.andrisoft.com/software/wanguard) Fastnetmon (https://fastnetmon.com/) From: NANOG On Behalf Of Aaron Gould Sent: Thursday, August 30, 2018 12:53 PM To: Nanog@nanog.org

RE: Web UI DHCP Option 82

no GUI but I'll second the Kea recommendation. At 09:36 AM 8/18/2018, Colton Conor wrote: >Mike, I am looking for the same thing. Does Mikrotik have the ability >to do what you are requesting? > >On Fri, Aug 17, 2018 at 5:11 PM Ryan Hamel ><<mailto:ryan.ha...@

RE: Web UI DHCP Option 82

Mike, Take a look into Kea from ISC. The config is JSON based, which allows for nearly any scripting language to make changes, or you can dig into how it works with MySQL for dynamic operation (https://kea.isc.org/wiki/HostReservationsHowTo). Ryan From: NANOG On Behalf Of Mike Hammett Sent:

RE: unwise filtering policy on abuse mailboxes

All, My colleague has already contacted their friend at Psychz when I received the first message. Not everyone has to be on the list to get the message relayed to them. Rich, shall we all drop your email? It would achieve the same effect, and make this email thread more productive. Ryan

RE: AS3266: BitCanal hijack factory, courtesy of Cogent, GTT, and Level3

Why would we need an RFC for Comic Sans? -Original Message- From: NANOG On Behalf Of Alain Hebert Sent: Wednesday, June 27, 2018 1:50 PM To: nanog@nanog.org Subject: Re: AS3266: BitCanal hijack factory, courtesy of Cogent, GTT, and Level3     I ain't friday, but: There is no RFC for

Intuit - IP Block - Connection Timed Out

. Thanks! -- Ryan Hamel ryan.ha...@quadranet.com | +1 (888) 578-2372 QuadraNet, Inc. | Dedicated Servers, Colocation, Cloud

Re: Attacks on BGP Routing Ranges

lve my issue? I am not sure how this would work. Thanks for your input! Ryan Hamel From: Saku Ytti <s...@ytti.fi> Sent: Wednesday, April 18, 2018 3:48 AM To: Ryan Hamel Cc: nanog@nanog.org Subject: Re: Attacks on BGP Routing Ranges Hey Ryan, I'm

Re: Attacks on BGP Routing Ranges

Job, Unfortunately, with my current situation, we have stopped exporting our prefixes with the tier-1 carrier and still use the outbound bandwidth. I highly doubt they will implement such a solution, but is something to keep in mind for the future. Thanks for the tip! Ryan Hamel

Attacks on BGP Routing Ranges

suggestions. Ryan Hamel

Re: Question about great firewall of China

On Mar 23 2018, at 12:28 am, Jean-Francois Mezei wrote: > > Asking in a sanity check context. > > As you may have heard, Bell Canada has gathered a group called Fairplay > Canada to force all ISPs in Canada to block web sites Fairplay has > decided infringe on

Re: Static Routing 172.16.0.0/32

> At some point, some chucklehead is going to look at that .0.0 and mentally > think /16, and things will go pear-shaped pretty quickly Same for a /12, which is RFC1918. Original message From: valdis.kletni...@vt.edu Date: 12/8/17 1:46 PM (GMT-08:00) To: Ryan

Re: Static Routing 172.16.0.0/32

). Original message From: William Herrin <b...@herrin.us> Date: 12/8/17 1:45 PM (GMT-08:00) To: Ryan Hamel <ryan.ha...@quadranet.com> Cc: nanog@nanog.org Subject: Re: Static Routing 172.16.0.0/32 On Fri, Dec 8, 2017 at 4:37 PM, Ryan Hamel <ryan.ha...@quadranet.com

Re: Static Routing 172.16.0.0/32

.us> Date: 12/8/17 1:34 PM (GMT-08:00) To: Ryan Hamel <ryan.ha...@quadranet.com> Cc: nanog@nanog.org Subject: Re: Static Routing 172.16.0.0/32 On Thu, Dec 7, 2017 at 10:13 PM, Ryan Hamel <ryan.ha...@quadranet.com<mailto:ryan.ha...@quadranet.com>> wrote: A colleague of mine has

Static Routing 172.16.0.0/32

, but something more feasible like a usable IP in a dedicated range (172.31.0.0/24 for example). I would to hear everyone's thoughts on this, as this the first IP address in an RFC1918 range. Thanks, -- Ryan Hamel ryan.ha...@quadranet.com | +1 (888) 578-2372 QuadraNet, Inc. | Dedicated Servers