Re: "Tactical" /24 announcements

2021-08-17 Thread Tim Raphael
We do something similar - build the prefix lists externally (based on
PeeringDB, IRR, RPKI data) and push them with config management on regular
intervals.
This sort of automated policy architecture is clearly becoming more common,
and the drive (see: MANRS) is ever-increasing.
I'd really like some sort of dynamic, standard method to achieve this
off-box.

> It's all open source, available at
> https://github.com/wolcomm/eos-prefix-list-agent

Very neat indeed!

- Tim

On Wed, Aug 18, 2021 at 2:45 AM Randy Bush  wrote:

> for junos, i build the prefix list externally and push config.  sad to
> say, the code is so old ('90s) that it's pearl and uses `peval`.  i
> should fix but (copious spare time) == 0.
>
> originally i tried to also build and push for cisco ios classic, but it
> died in the push.  breathe on the router and it reset bgp sessions.  i
> gather from heas that things are better these years.
>
> i guess i really should have a go at doing it for arcos, but ...
>
> > It's all open source, available at
> > https://github.com/wolcomm/eos-prefix-list-agent
>
> very cool.
>
> randy
>


Re: "Tactical" /24 announcements

2021-08-17 Thread Tim Raphael
I quite like this approach as well - for those that would like to do more 
complicated policy logic off-box, the RTR architecture very much lends itself 
to that.

JNPR already has accessible APIs (JET-based / RPC) you can leverage to push 
configuration into the ephemeral database or be called on certain events (e.g. 
prefix learn). This, however, comes with the acceptance of quite a few other 
risks. RTR could be used to signal other prefix options which would potentially 
remove the risks of dealing with the ephemeral config construct for certain 
use-cases, e.g. complex peer prefix filtering. 

- Tim

> On 17 Aug 2021, at 16:24, Saku Ytti  wrote:
> 
> I share your confusion Randy. It seems like perhaps Jakob answered a
> slightly different question and his answer is roughly.
> 
> a) Use this as-set feature to ensure valid set of ASNs from given peer
> b) Validate prefix using RPKI (I'm assuming with rejecting unknowns
> and invalids)
> c) Don't punch in prefix-lists anywhere
> 
> Which in theory works, but in practice it does not, as RPKI validity
> cover is incomplete.
> 
> Somewhat related, when JNPR implemented RTR the architecture was
> planned so that the RTR implementation itself isn't tightly coupled to
> RPKI validity. It was planned day1 that customers could have multiple
> RTR setups feeding prefixes and the NOS side could use these for other
> purposes too. So technically JNPR is mostly missing CLI work to allow
> you to feed prefix-lists dynamically over RTR, instead of punching
> them in vendor-specific way in config.
> 
> I really hope JNPR does that work, I really like the appeal of doing
> things off-box and using the same protocol to talk to on-box. Also,
> give me gRPC/protobuf route policy API, so I can write my route-policy
> in a real programming language once for all my NOS.
> 
> 
>> On Mon, 16 Aug 2021 at 20:32, Randy Bush  wrote:
>> 
>> hi jakob,
>> 
>> i am confused between
>> 
>>> There is no expansion to prefix-set.
>> 
>> and your earlier
>> 
>>> We have introduced the scalable as-set into the XR route policy language.
>>> as-path-set does not scale well with 1000's of ASNs.
>>> Now, you don't need to expand AS-SET into prefix-set, just enter it 
>>> directly.
>> 
>> expanding AS-SET into prefix filters is exactly what we do.
>> 
>> ```
>> % peval -s RIPE AS-RG-SEA
>> ({198.180.153.0/24, 198.180.151.0/24, 147.28.8.0/24, 147.28.9.0/24, 
>> 147.28.10.0/24, 147.28.11.0/24, 147.28.12.0/24, 147.28.13.0/24, 
>> 147.28.14.0/24, 147.28.15.0/24, 147.28.4.0/24, 147.28.5.0/24, 147.28.6.0/24, 
>> 147.28.7.0/24, 147.28.2.0/24, 147.28.3.0/24, 147.28.0.0/23, 45.132.188.0/24, 
>> 45.132.189.0/24, 45.132.190.0/24, 45.132.191.0/24})
>> ```
>> 
>> i do not see how to get around this.  clue bat please
>> 
>> randy
> 
> 
> 
> -- 
>  ++ytti
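Tim's reply (prefix lists built off-box from IRR/RPKI data and pushed by config management) and Randy's peval expansion above describe the same off-box pipeline. As an added example, not code from the thread or from any tool it mentions, here is a Python sketch of that step: parse peval-style output, refuse entries a peer filter should never carry, and render a JunOS prefix-list. The sample prefixes are constructed from the quoted expansion with bad entries added; the /24 and /48 length limits and the entry cap are assumed local policy.

```python
"""Build a JunOS prefix-list from an IRR AS-SET expansion (peval-style output).

Added example: every prefix is validated before it can reach a router, so a bad
or empty expansion is refused rather than pushed as a peer filter.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple, Union

AnyNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample modelled on the peval output quoted in the thread: a subset of
# AS-RG-SEA plus one duplicate and several deliberately bad entries for the checks.
SAMPLE_PEVAL = """({198.180.153.0/24, 198.180.151.0/24, 147.28.8.0/24, 147.28.9.0/24,
147.28.10.0/24, 147.28.11.0/24, 147.28.0.0/23, 45.132.188.0/24, 198.180.153.0/24,
10.0.0.0/8, 198.180.153.0/25, 147.28.9.1/24, 0.0.0.0/0, junk})"""

# Assumed local policy: accept nothing more specific than a /24 (IPv4) or /48 (IPv6).
MAX_PREFIXLEN = {4: 24, 6: 48}


def parse_peval(text: str) -> List[str]:
    """Return the raw tokens inside peval's ({ ... }) wrapper, in order of appearance."""
    body = text.strip()
    if body.startswith("({") and body.endswith("})"):
        body = body[2:-2]
    return [tok for tok in re.split(r"[\s,]+", body) if tok]


def check_prefix(token: str) -> Tuple[Optional[AnyNetwork], Optional[str]]:
    """Return (network, None) for an acceptable prefix, or (None, reason) otherwise."""
    try:
        net = ipaddress.ip_network(token, strict=True)
    except ValueError:
        try:
            ipaddress.ip_network(token, strict=False)
        except ValueError:
            return None, "unparsable"
        return None, "host bits set"  # e.g. 147.28.9.1/24: a typo, not a route
    if net.prefixlen == 0:
        return None, "default route"  # never belongs in a peer's prefix-list
    if not net.is_global:
        return None, "non-global (private/bogon) space"
    if net.prefixlen > MAX_PREFIXLEN[net.version]:
        return None, f"longer than /{MAX_PREFIXLEN[net.version]}"
    return net, None


def build_prefix_list(text: str) -> Tuple[List[str], Dict[str, str]]:
    """Validate and de-duplicate an expansion: (accepted prefixes, {token: reason})."""
    accepted = set()
    rejected: Dict[str, str] = {}
    for tok in parse_peval(text):
        net, reason = check_prefix(tok)
        if net is None:
            rejected[tok] = reason or "rejected"
        else:
            accepted.add(net)
    ordered = sorted(accepted, key=lambda n: (n.version, n))
    return [str(n) for n in ordered], rejected


def render_junos(name: str, prefixes: List[str], max_entries: int = 50000) -> str:
    """Render set-style JunOS config that replaces the whole list in one commit.

    Refuses an empty list (pushing it would silently drop every route from the
    peer) and an implausibly large one (likely a runaway AS-SET expansion).
    """
    if not prefixes:
        raise ValueError(f"{name}: expansion is empty, refusing to render")
    if len(prefixes) > max_entries:
        raise ValueError(f"{name}: {len(prefixes)} entries exceeds limit {max_entries}")
    lines = [f"delete policy-options prefix-list {name}"]
    lines += [f"set policy-options prefix-list {name} {p}" for p in prefixes]
    return "\n".join(lines)


if __name__ == "__main__":
    good, bad = build_prefix_list(SAMPLE_PEVAL)
    for tok, why in bad.items():
        print(f"rejected {tok}: {why}")
    print(render_junos("AS-RG-SEA", good))
```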


Re: Australian Dark Fibre Providers - Sydney

2021-03-10 Thread Tim Raphael
Hi Scott,

NextHop (https://www.nexthop.com.au/) is probably worth a look if you're
looking for within the Sydney 2000 area or between Sydney metro DCs.
Unicast me and I can do an intro if you like.

- Tim

On Thu, Mar 11, 2021 at 12:42 PM scott  wrote:

>
> On 3/10/2021 3:37 PM, Rod Beck wrote:
>
> Anyone besides Superloop?
>
> ---
>
>
> Try over on AusNOG.
>
>
> scott
>


Re: Service Provider NetFlow Collectors

2019-01-02 Thread Tim Raphael
That’s a much better cardinality (AS based) but it’s not the general case. Even 
if you want per-prefix information I’d argue that Influx would still not handle 
the load (~700k ^ 2 cardinality). For limited tag-sets it would do the trick.

I never did attempt to push it to Influx with some foresight that it’d be 
suboptimal for my ultimate use cases. I wanted a solution that could handle a 
wide range of use cases without having to worry about limits on tag-sets.

I found Clickhouse able to do what I wanted in a performant way. 

- Tim

> On 2 Jan 2019, at 20:37, H I Baysal  wrote:
> 
> Hi Tim,
> 
> That absolutely depends on the amount of TAGs you use, and how you aggregate, 
> etc.
> I am collecting DSTAS, SRCAS, and DST AS per IP. And influx is not even 
> sweating a single drop
> 
> We have 4 Tbps of traffic during peak, and both pmacct and influxdb 
> are running very very smooth.
> 
> (With the mentioned aggregations I can see what a single customer costs with 
> Transit, Peering and IX (per IP even if needed) )
> And dst AS per port/description/ethernet name
> 
> From your mail i derive that you just pushed everything to influx from flows, 
> you have to be a bit smarter with the layout, aggregations and continuous 
> queries.
> (collect what you need)
> 
> 
> 
>> On 02-01-19 13:08, Tim Raphael wrote:
>> I would advise against InfluxDB in this case - flow data has a very high 
>> (and open) tag cardinality which is not suited to Influx (although their 
>> recently new index format has improved this).
>> 
>> I’m currently pushing sFlow through Pmacct —> Kafka —> Clickhouse (columnar 
>> store) with a summing merge tree database engine.
>> Clickhouse is very fast for queries across columns as well as aggregating 
>> down them (e.g. summing number of bytes).
>> 
>> For example this is the results of a query of nearly a year’s worth of 
>> MAC-to-MAC flows (7-tuple) queried for the last 7 days between two given 
>> sets of MACs:
>> 
>> 2016 rows in set. Elapsed: 0.208 sec. Processed 17.56 million rows, 1.03 GB 
>> (84.51 million rows/s., 4.97 GB/s.)
>> 
>> There is also a Grafana datasource plugin for Clickhouse :)
>> 
>> - Tim
>> 
>> 
>>> On 2 Jan 2019, at 7:50 pm, H I Baysal  wrote:
>>> 
>>> PMACCT (Works Awesome)
>>> push to influxdb ( Works awesome)
>>> 
>>> With some custom scripts to add/match interface descriptions. And you can 
>>> query whatever you want in grafana :D
>>> And grafana has a nice API for rendering a dashboardgraph 
>>> to a PNG and you can send this png to whatever chat/bot or mail you want.
>>> 
>>> And all for free with 99% of accuracy.
>>> 
>>> (Mucho gracias to Paulo :D )
>>> 
>>> 
>>>> On 01-01-19 05:56, Avi Freedman wrote:
>>>> We do have a minimum for commercial service that's more like $1500/mo but 
>>>> we are coming out with a free tier in Q1 with lower retention (among other 
>>>> deltas, but including fully slice and dice flow analytics +BGP that it 
>>>> sounded like Erik might be looking for).
>>>> 
>>>> Feel free to ping me if anyone would like to help us test the free tier in 
>>>> January.
>>>> 
>>>> Thanks,
>>>> 
>>>> Avi Freedman
>>>> CEO, Kentik
>>>> 
>>>>> Doesn't Kentik cost like $2000 a month minimum?
>>>>> 
>>>>> 
>>>>> On Mon, Dec 31, 2018 at 11:57 AM Matthew Crocker 
>>>>> 
>>>>> wrote:
>>>>> 
>>>>>>  +1 Kentik as well,  DDoS, RTBH, Netflow.  Cloud based so I don't have to
>>>>>> worry about it.
>>>>>> 
>>>>>> On 12/31/18, 11:37 AM, "NANOG on behalf of Bryan Holloway" <
>>>>>> nanog-boun...@nanog.org on behalf of br...@shout.net> wrote:
>>>>>> 
>>>>>> +1 Kentik ...
>>>>>> 
>>>>>> We've been using their DDoS/RTBH mitigation with good success.
>>>>>> 
>>>>>> 
>>>>>> On 12/31/18 3:52 AM, Eric Lindsjö wrote:
>>>>>> > Hi,
>>>>>> >
>>>>>> > We use kentik and we're very happy. Works great, tons of new features
>>>>>> > coming along all the time. Going to start looking into ddos detection
>>>>>> > and mitigation soon.

Re: Service Provider NetFlow Collectors

2019-01-02 Thread Tim Raphael
This is correct.

With a flow database you want to be able to say: “show me all HTTP traffic from 
subnet a.b.c.0/24” which requires you to either keep individual IPs or 
aggregate subnets. Combined with port and protocol data for both source and 
destination, the series count shoots way above 10M.

- Tim

> On 2 Jan 2019, at 20:20, Saku Ytti  wrote:
> 
> Hey Tim,
> 
>> I would advise against InfluxDB in this case - flow data has a very high 
>> (and open) tag cardinality which is not suited to Influx (although their 
>> recently new index format has improved this).
> 
> I'm not entirely sure I understand. Does this mean the permutations of
> tags are high, i.e. series count is high? If so, isn't this a general
> problem and advice against all TSDBs? If so, I fully agree, you
> couldn't/shouldn't make for example IP addresses your tags,
> potentially creating 2**32*2 series without any other tags; it's
> rather a non-sensical proposal in a TSDB.
> 
> Influx themselves comment that >10M series is likely infeasible. So
> you need unique tag combinations to be low millions at most.
> -- 
>  ++ytti


Re: Service Provider NetFlow Collectors

2019-01-02 Thread Tim Raphael
I would advise against InfluxDB in this case - flow data has a very high (and 
open) tag cardinality which is not suited to Influx (although their recently 
new index format has improved this).

I’m currently pushing sFlow through Pmacct —> Kafka —> Clickhouse (columnar 
store) with a summing merge tree database engine.
Clickhouse is very fast for queries across columns as well as aggregating down 
them (e.g. summing number of bytes).

For example this is the results of a query of nearly a year’s worth of 
MAC-to-MAC flows (7-tuple) queried for the last 7 days between two given sets 
of MACs:

2016 rows in set. Elapsed: 0.208 sec. Processed 17.56 million rows, 1.03 GB 
(84.51 million rows/s., 4.97 GB/s.)

There is also a Grafana datasource plugin for Clickhouse :)

- Tim


> On 2 Jan 2019, at 7:50 pm, H I Baysal  wrote:
> 
> PMACCT (Works Awesome)
> push to influxdb ( Works awesome)
> 
> With some custom scripts to add/match interface descriptions. And you can 
> query whatever you want in grafana :D
> And grafana has a nice API for rendering a dashboardgraph to a PNG and you 
> can send this png to whatever chat/bot or mail you want.
> 
> And all for free with 99% of accuracy.
> 
> (Mucho gracias to Paulo :D )
> 
> 
> On 01-01-19 05:56, Avi Freedman wrote:
>> We do have a minimum for commercial service that's more like $1500/mo but we 
>> are coming out with a free tier in Q1 with lower retention (among other 
>> deltas, but including fully slice and dice flow analytics +BGP that it 
>> sounded like Erik might be looking for).
>> 
>> Feel free to ping me if anyone would like to help us test the free tier in 
>> January.
>> 
>> Thanks,
>> 
>> Avi Freedman
>> CEO, Kentik
>> 
>>> Doesn't Kentik cost like $2000 a month minimum?
>>> 
>>> 
>>> On Mon, Dec 31, 2018 at 11:57 AM Matthew Crocker 
>>> wrote:
>>> 
>>>> +1 Kentik as well,  DDoS, RTBH, Netflow.  Cloud based so I don't have to
>>>> worry about it.
>>>> 
>>>> On 12/31/18, 11:37 AM, "NANOG on behalf of Bryan Holloway" <
>>>> nanog-boun...@nanog.org on behalf of br...@shout.net> wrote:
>>>> 
>>>> +1 Kentik ...
>>>> 
>>>> We've been using their DDoS/RTBH mitigation with good success.
>>>> 
>>>> 
>>>> On 12/31/18 3:52 AM, Eric Lindsjö wrote:
>>>> > Hi,
>>>> >
>>>> > We use kentik and we're very happy. Works great, tons of new features
>>>> > coming along all the time. Going to start looking into ddos detection
>>>> > and mitigation soon.
>>>> >
>>>> > Would recommend.
>>>> >
>>>> > Kind regards,
>>>> > Eric Lindsjö
>>>> >
>>>> >
>>>> > On 12/31/2018 04:29 AM, Erik Sundberg wrote:
>>>> >>
>>>> >> Hi Nanog….
>>>> >>
>>>> >> We are looking at replacing our Netflow collector. I am wondering what
>>>> >> other service providers are using to collect netflow data off their
>>>> >> Core and Edge Routers. Pros/Cons… What to watch out for, any info would
>>>> >> help.
>>>> >>
>>>> >> We are mainly looking to analyze the netflow data. Bonus if it does
>>>> >> ddos detection and mitigation.
>>>> >>
>>>> >> We are looking at
>>>> >>
>>>> >> ManageEngine Netflow Analyzer
>>>> >>
>>>> >> PRTG
>>>> >>
>>>> >> Plixer – Scrutinizer
>>>> >>
>>>> >> PeakFlow
>>>> >>
>>>> >> Kentik
>>>> >>
>>>> >> Solarwinds NTA
>>>> >>
>>>> >> Thanks in advance…
>>>> >>
>>>> >> Erik
>>>> >>
>>>> >>
>>>> >>
>>>> 
>>>> >



Re: Non-profit IX vs. neutral for-profit IX

2018-12-20 Thread Tim Raphael
The other point to consider is that an NFP can justify more locations and offer 
services (such as extended reach) that don’t have the same profit margins or 
ROI as for-profits.
This often leads to greater value to those with smaller networks and fewer 
customers, allowing them to grow and expand without increased aggregation or 
transit costs. This in turn leads to a richer array of providers and chips away 
at the monopolies in niche markets.

The NFP IXP I work for focuses on providing value to the broader community and 
the Internet as a whole - especially somewhere like Australia which has unique 
constraints.

Additionally, “Neutral” and For-Profit don’t always compute in my mind; there 
will always be commercial alliances that lead to not-total neutrality.
When an NFP is owned by its members there has to be 100% transparency in 
organisational decisions around member funds and resources, which ensures 
accountability and reliability.

- Tim


> On 21 Dec 2018, at 3:58 am, Brielle Bruns  wrote:
> 
> On 12/20/2018 12:51 PM, Aaron wrote:
>> Probably price.  Also perception of value.  If you're a for profit 
>> enterprise then they're paying for interconnection plus your bump.  If 
>> you're non-profit the perception is that there is a larger value because 
>> there's no bump.  Whether that's true or not, who knows but that's the 
>> perception I've heard.
> 
> Depending on the size of the non-profit, I'd almost compare it to how the 
> hospitals are here in Boise.
> 
> The non-profits are oversized, monopolistic, price gouging, etc.  Their care 
> can be pretty meh, esp since they bought up all the little independent 
> clinics (yay, ER pricing for a basic family clinic visit).
> 
> The for-profit smaller clinics and hospitals run a pretty tight ship, better 
> value for their money, service is very good, and compete with one another for 
> who has the best service.
> 
> People think they are getting 'better' because they are going to a place that 
> is supposed to be run to benefit people over profit, but alas, you'd be very 
> very wrong.
> -- 
> Brielle Bruns
> The Summit Open Source Development Group
> http://www.sosdg.org/ http://www.ahbl.org
> 




Re: Question about bird RS config with BGP Community support

2018-07-23 Thread Tim Raphael
As an operator of a large, established IXP I would also recommend this path. A 
lot of work has gone into the likes of IXPManager and arouteserver and they 
provide great value in providing secure configurations with added features such 
as the action communities you are after.

Cheers,

Tim

> On 24 Jul 2018, at 7:05 am, Job Snijders  wrote:
> 
>> On Mon, 23 Jul 2018 at 23:00, Anurag Bhatia  wrote:
>> 
>> We are running a small IX fabric (in Mumbai, India) and with multiple
>> route servers based on a bird. There has been a demand for support of BGP
>> communities from some of our members and I am trying to find a way to set
>> it up in the bird. Idea is to provide a community say 0:123 where tagged
>> routes with 0:123 do not reach AS123. I am new to the bird.
> 
> 
> I strongly recommend to either use “arouteserver” or “IXP manager” to
> generate the BIRD configuration files on your behalf, and not type it by
> hand.
> 
> Setting up a fully featured secure route server is a lot of work and
> research, I’d really recommend to leverage the work others have done in
> this problem space. I fear otherwise you may risk repeating mistakes that
> others already made.
> 
> https://arouteserver.readthedocs.io/en/latest/
> https://github.com/pierky/arouteserver
> https://www.ixpmanager.org/
> 
> And using these automated tools means less work for the IX operator.
> Turning up new peers is a breeze with both tools!
> 
> Kind regards,
> 
> Job
> 
>> 


Re: Proxying NetFlow traffic correctly

2017-06-06 Thread Tim Raphael
nProbe is what you want, it’s another product from NTop.

http://www.ntop.org/products/netflow/nprobe/ 


- Tim


> On 7 Jun 2017, at 7:43 am, Sami via NANOG  wrote:
> 
> Hello,
> I have been searching for a solution that collects/duplicates NetFlow traffic 
> properly for a while but i couldn't find any.
> Do you know any good unix alternative to ntopng, flowd, flow-tools?
> 
> nprobe of netflow seems to be the closest one to fit my needs but i want to 
> see if there are any other solution.
> 
> My goal is to centralize NetFlow traffic into a single machine and then proxy 
> some flows to other destinations for further analysis
> 
> Best Regards,
> Sami



Re: Recent NTP pool traffic increase

2016-12-20 Thread Tim Raphael
Exactly,

Also they’re across Android and iOS and getting parity of operations across 
those two OSs isn’t easy. 
Better to just embed what they need inside the app if it is specialised enough.

- Tim

> On 21 Dec. 2016, at 10:13 am, Emille Blanc <emi...@abccommunications.com> 
> wrote:
> 
> Perhaps the host OS' to which snapchat caters, don't all have a decent ntp 
> subsystem available?
> I have vague recollections of some other software (I'm sure we all know 
> which) implemented its own malloc layer for every system it ran on, for less 
> trivial reasons. ;)
> 
> 
> From: NANOG [nanog-boun...@nanog.org] On Behalf Of Tim Raphael 
> [raphael.timo...@gmail.com]
> Sent: Tuesday, December 20, 2016 5:34 PM
> To: Gary E. Miller
> Cc: nanog@nanog.org
> Subject: Re: Recent NTP pool traffic increase
> 
> This was my thought actually, Apple does offer some time services as part of 
> the OS but it’s becoming common with larger / more popular apps to provide 
> some of these services internally.
> Look at the FB app for example, there are a lot of “system” things they do 
> themselves due to the ability to control specifics. Users don’t want to have 
> to install a second “specialised app” for this either.
> 
> With regard to an ephemeral chat app requiring time sync, I can think of 
> quite a few use cases and mechanisms in the app that might require time 
> services.
> 
> - Tim
> 
> 
>> On 21 Dec. 2016, at 9:26 am, Gary E. Miller <g...@rellim.com> wrote:
>> 
>> Yo valdis.kletni...@vt.edu!
>> 
>> On Tue, 20 Dec 2016 20:20:48 -0500
>> valdis.kletni...@vt.edu wrote:
>> 
>>> On Tue, 20 Dec 2016 18:11:11 -0500, Peter Beckman said:
>>>> Mostly out of curiosity, what was the reason for the change in the
>>>> Snapchat code, and what plans does Snap have for whatever reason
>>>> the NTP change was put in place?
>>> 
>>> From other comments in the thread, it sounds like the app was simply
>>> linked against a broken version of a library
>> 
>> But why is a chat app doing NTP at all?  it should rely on the OS, or
>> a specialized app, to keep local time accurate.
>> 
>> RGDS
>> GARY
>> ---
>> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
>>  g...@rellim.com  Tel:+1 541 382 8588



Re: Recent NTP pool traffic increase

2016-12-20 Thread Tim Raphael
This was my thought actually, Apple does offer some time services as part of 
the OS but it’s becoming common with larger / more popular apps to provide some 
of these services internally.
Look at the FB app for example, there are a lot of “system” things they do 
themselves due to the ability to control specifics. Users don’t want to have to 
install a second “specialised app” for this either.

With regard to an ephemeral chat app requiring time sync, I can think of quite 
a few use cases and mechanisms in the app that might require time services.

- Tim


> On 21 Dec. 2016, at 9:26 am, Gary E. Miller  wrote:
> 
> Yo valdis.kletni...@vt.edu!
> 
> On Tue, 20 Dec 2016 20:20:48 -0500
> valdis.kletni...@vt.edu wrote:
> 
>> On Tue, 20 Dec 2016 18:11:11 -0500, Peter Beckman said:
>>> Mostly out of curiosity, what was the reason for the change in the
>>> Snapchat code, and what plans does Snap have for whatever reason
>>> the NTP change was put in place?  
>> 
>> From other comments in the thread, it sounds like the app was simply
>> linked against a broken version of a library
> 
> But why is a chat app doing NTP at all?  it should rely on the OS, or
> a specialized app, to keep local time accurate.
> 
> RGDS
> GARY
> ---
> Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
>   g...@rellim.com  Tel:+1 541 382 8588



Re: automated site to site vpn recommendations

2016-06-29 Thread Tim Raphael
There is a downside to subscription pricing for the vendor: they don't get the 
instant cashflow they're used to. I know Cisco seems to be taking a tactic 
where only some product lines use subscriptions and the others are on a typical 
enterprise 3-5 year replacement cycle to provide Cisco with the large cash 
injections upon upgrade.

Tim 

> On 30 Jun 2016, at 7:00 AM, Seth Mattinen  wrote:
> 
>> On 6/29/16 15:33, Eric Kuhnke wrote:
>> My biggest issue with Meraki is the fundamentally flawed business model,
>> biased in favor of vendor lock in and endlessly recurring payments to the
>> equipment vendor rather than the ISP or enterprise end user.
>> 
>> You should not have to pay a yearly subscription fee to keep your in-house
>> 802.11(abgn/ac) wifi access points operating. The very idea that the
>> equipment you purchased which worked flawlessly on day one will stop
>> working not because it's broken, or obsolete, but because your
>> *subscription* expired...
> 
> 
> I'm sure most hardware makers would love to lock in a revenue stream of "keep 
> me working" subscriptions if they could get away with it. From the company's 
> perspective what's not to love about that kind of guaranteed revenue?
> 
> I often wonder if Microsoft will someday make Office365 the only way to get 
> Office, which if you don't maintain a subscription your locally installed 
> copy of Word will cease to function.
> 
> ~Seth


Re: sub $500-750 CPE firewall for voip-centric application

2016-05-05 Thread Tim Raphael
The SIP ALG in the Juniper SRXs is definitely one of the best I’ve come across.

I defaulted to turning it off based on my previous experiences with SIP ALGs 
and NAT; however, it became apparent that it actually worked really well and I 
ended up defaulting it to on.

- Tim


> On 6 May 2016, at 3:37 AM, Andrew Kirch  wrote:
> 
> Both the Juniper SRX, and the Mikrotik will work.
> 
> The problem isn't firewalling, it's NAT.  NAT is evil.
> 
> Perhaps having enough IP Addresses would be a better solution?
> https://www.youtube.com/watch?v=v26BAlfWBm8
> 
> On Thu, May 5, 2016 at 3:09 PM, Matt Freitag  wrote:
> 
>> I'm a huge fan of Juniper's SRX line. I use all the features you point out
>> at home on my SRX210, although that product is end-of-life. A refurbished
>> SRX220 lists on Amazon for about $375, and a new one for $700. Naturally
>> support is extra, but I'm not sure how much.
>> 
>> I haven't used it myself but I have seen the packet capture in action.
>> It'll save any traffic you want right out to a pcap file too. I also like
>> "show security flow session" - shows you the source, destination, ports,
>> how long a session has been going, and number of packets and number of
>> bytes transferred.
>> 
>> Matt Freitag
>> Network Engineer I
>> Information Technology
>> Michigan Technological University
>> (906) 487-3696
>> http://www.mtu.edu/
>> http://www.it.mtu.edu/
>> 
>> 
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Ellermann
>> Sent: Thursday, May 5, 2016 2:51 PM
>> To: Mel Beckman 
>> Cc: nanog@nanog.org
>> Subject: RE: sub $500-750 CPE firewall for voip-centric application
>> 
>> You're exactly right, Mel. Dell has really turned the Sonicwall platform
>> around in the past few years. We dropped it a year or two before Dell took
>> them over. Back then Sonicwall was full of issues and lacked important
>> features that our enterprise customers required. If you have budget, Palo
>> Alto is something to look at as well, but don't overlook Sonicwall and
>> FortiGate.
>> 
>> 
>> Sincerely,
>> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>> 
>> E: nellerm...@broadaspect.com
>> P: 703-297-4639
>> F: 703-996-4443
>> 
>> 
>> 
>> -Original Message-
>> From: Mel Beckman [mailto:m...@beckman.org]
>> Sent: Thursday, May 05, 2016 2:49 PM
>> To: Nick Ellermann 
>> Cc: Ken Chase ; nanog@nanog.org
>> Subject: Re: sub $500-750 CPE firewall for voip-centric application
>> 
>> I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto
>> firewalls.  The best SMB devices are definitely SonicWall and Fortigate.
>> SonicWalls are easier to configure, but have fewer features. Fortigate has
>> many knobs and dials and a very powerful virtual router facility that can
>> do amazing things. The two vendors have equivalent support in my opinion,
>> although Fortigate tends to be more personal (Dell is big and you get
>> random techs).
>> 
>> Cisco ASA is overpriced and under-featured. Cisco-only shops like them,
>> but mostly I think because they're Cisco-only. PaloAlto is expensive for
>> what you get. Functionally they are on the same level as Fortigate, with a
>> slightly more elegant GUI. But Fortigate can be configured via a USB
>> cable, which is a huge advantage in the field. Legacy RS-232 serial ports
>> are error-prone and slow.
>> 
>> -mel
>> 
>>> On May 5, 2016, at 11:39 AM, Nick Ellermann 
>> wrote:
>>> 
>>> We have a lot of luck for smaller VOIP customers having all of their
>> services run through a FortiGate 60D, or higher models. 60D is our go to
>> solution for small enterprise. However, if we are the network carrier for
>> a particular customer and they have a voip deployment of more than about
>> 15 phones, then we deploy a dedicated voice edge gateway, which is more
>> about voice support and handset management than anything.  You do need to
>> disable a couple of things on the FortiGate such as SIP Session Helper and
>> ALG.  We never have voice termination, origination or call quality issues
>> because of the firewall.
>>> FortiGate has a lot of advanced features as well as fine tuning and
>> adjustment capabilities for the network engineering type and is still easy
>> enough for our entry level techs to support. Most of our customers have
>> heavy VPN requirements and FortiGates have great IPsec performance.  We
>> leverage a lot of the network security features and have built a
>> successful managed firewall service with good monitoring and analytics
>> using a third-party monitoring platform and Fortinet's FortiAnaylzer
>> platform.
>>> 

Re: Super Core Hardware suggestions

2015-08-07 Thread Tim Raphael
The Juniper PTX1000 is worth a look.

http://www.juniper.net/us/en/products-services/routing/ptx-series/ptx1000/

Regards,

Tim Raphael

> On 7 Aug 2015, at 10:10 am, Ben Cornish b...@overthewire.com.au wrote:
> 
> Hey All
> 
> We are looking for suggestions for a device to act as a super Core Device / 
> MPLS P router only.
> There seems to be plenty of Chassis based solutions out there that also cater 
> for a lot more.
> We ideally would like a 1RU or 2RU device - Handling MPLS / IGP only
> 
> * Ideally 16 to 48 ports of 10Gig - SFP
> 
> * Non-blocking line rate capable on all ports.
> 
> * MPLS / OSPF /BFD / ISIS / RSVP-TE capable.
> 
> * Deep buffers on the ports would also be nice
> 
> * With a possible option of 40Gig uplinks..
> 
> Thanks


Re: leap second outage

2015-07-01 Thread Tim Raphael
No, it was a route leak by a colo provider (Axcelx) downstream.

Regards,

Tim Raphael

> On 1 Jul 2015, at 11:37 am, Justin Paine via NANOG nanog@nanog.org wrote:
> 
> Any confirmation if the AWS outage was leap second-related?
> 
> 
> Justin Paine
> Head of Trust & Safety
> CloudFlare Inc.
> PGP KeyID: 57B6 0114 DE0B 314D
> 
> 
> On Tue, Jun 30, 2015 at 8:32 PM, Dovid Bender do...@telecurve.com wrote:
>> I read that and that at midnight local time since that's when you have the 
>> extra second. I know a large carrier in Israel is down. Waiting for conf. if 
>> it's leap second related.
>> 
>> --Original Message--
>> From: Stefan
>> Sender: NANOG
>> To: frnk...@iname.com
>> Cc: nanog@nanog.org
>> Subject: Re: leap second outage
>> Sent: Jun 30, 2015 23:30
>> 
>> This was supposed to have happened @midnight UTC, right? Meaning that we
>> are past that event. Under which scenarios should people be concerned about
>> midnight local time? Lots of confusing messages flying all over...
>> On Jun 30, 2015 10:13 PM, frnk...@iname.com wrote:
>> 
>>> We experienced our first leap second outage -- our SHE (super head end) is
>>> using (old) Motorola encoders and we lost those video channels.  They
>>> restarted all those encoders to restore service.
>>> 
>>> Frank
>> 
>> Regards,
>> 
>> Dovid


Re: Enterprise network as an ISP with a single huge customer

2015-06-12 Thread Tim Raphael
It will also depend greatly on the knowledge of the design team / person and 
the operations team. If the designer is ex-SP or has a strong knowledge of both 
SP and Enterprise then yes, a good design may result.

There are plenty of people out there that will use MPLS / multiple tables for 
the wrong reasons just so they can say that's what they're doing.

Regards,

Tim Raphael

 On 13 Jun 2015, at 10:48 am, Stepan Kucherenko t...@megagroup.ru wrote:
 
 13.06.2015 05:35, Randy Bush wrote:
 i have seen a lot of this done with firewall devices and vlans.  with
 vlans or mpls, you can make spaghetti without wires, one wheat and one
 semolina.
 
 oh absolutely. you can use many tools to lop off your fingers, my
 point was that things like mpls (or vlans) provide a nice other tool
 to use along with your firewalls and such.
 
 of course you ought not willy-nilly go crazy with this, but... imagine
 if the 'hr department' were in one contiguous 'VRF' which had a
 defined set of 2-3 exit points to control access through... while
 those willy 'engineers' could be stuck in their own ghetto/VRF and
 have a different set of 2-3 exit points to control.
 
 Expand your network over many locations and in large buildings and ...
 it can be attractive to run a 2547 network that the company is a
 'customer' of, or so I was thinking :)
 
 i have seen people successful with this with mpls and with vlans with
 non-mpls tunnel tech (e.g. ipsec for the paranoid).  i have seen them
 screw the pooch with both.
 
 randy
 
 You can compartmentalize your network in lots of ways. What I'd like to know 
 is what ways failed harder in other people's experience (or at least faster).
 
 I'm not sure doing it ISP style is better, but I think it has some benefits. 
 Then again, the opposite is true as well, less complexity means more 
 stability. Usually.


Re: Rasberry pi - high density

2015-05-08 Thread Tim Raphael
The problem is, I can get more processing power and RAM out of two 10RU blade 
chassis and only needing 64 10G ports...

32 x 256GB RAM per blade = 8.1TB
32 x 16 cores x 2.4GHz = 1,228GHz
(not based on current highest possible, just using reasonable specs)

Needing only 4 QFX5100s which will cost less than a populated 6513 and give 
lower latency. Power, cooling and cost would be lower too.

RPi = 900MHz and 1GB RAM. So to equal the two chassis, you'll need:

1228 / 0.9 = 1364 Pis for compute (main performance aspect of a super computer) 
meaning double the physical space required compared to the chassis option.

So yes, infeasible indeed.

Regards,

Tim Raphael

 On 9 May 2015, at 1:24 pm, char...@thefnf.org wrote:
 
 
 
 So I just crunched the numbers. How many pies could I cram in a rack?
 
 Check my numbers?
 
 48U rack budget
 6513 15U (48-15) = 33U remaining for pie
 6513 max of 576 copper ports
 
 Pi dimensions:
 
 3.37 l (5 front to back)
 2.21 w (6 wide)
 0.83 h
 25 per U (rounding down for Ethernet cable space etc) = 825 pi
 
 Cable management and heat would probably kill this before it ever reached 
 completion, but lol...
 
 
 


Re: Multi-gigabit edge devices as CPE

2015-04-09 Thread Tim Raphael
L3VPN hand off is the only thing I can think of from the top of my head. But 
then, there would be no need to have a full table unless you had customers 
requesting a full table.

It sounds like the OP is looking for one device to do multiple roles where 
two/three different device types and/or sizes would fit better.


 On 9 Apr 2015, at 10:18 pm, Dave Taht dave.t...@gmail.com wrote:
 
 So to return this to a more rational basis - why does an edge network
 need MPLS in the first place?



Re: Multi-gigabit edge devices as CPE

2015-04-09 Thread Tim Raphael
You’ll be looking at a Juniper MX or a Cisco ASR9K I think.

The MXs are targeted as being full-featured edge routers. An MX5 will take a 
full feed just fine and do all the *VPN you want.
If you’re talking about multiple full feeds then you’ll need an MX240 with one 
of the higher-power REs for a decent reconvergence time.


 On 9 Apr 2015, at 10:42 pm, Daniel Rohan dro...@gmail.com wrote:
 
 
 On Thu, Apr 9, 2015 at 7:25 AM, Tim Raphael raphael.timo...@gmail.com 
 wrote:
 L3VPN hand off is the only thing I can think of from the top of my head. But 
 then, there would be no need to have a full table unless you had customers 
 requesting a full table.
 
 
 I have one customer who needs an L3VPN for some shared private routes along 
 with a full table in inet.0. There are ways of accomplishing this creatively 
 but I'm looking for devices that can handle these types of requests that 
 permit us some level of sanity. 



Re: Multi-gigabit edge devices as CPE

2015-04-09 Thread Tim Raphael
I find this rather offensive as you clearly have no idea what I have 
contributed to the OSS community or more specifically to the VyOS project.

Among working, studying a masters degree and a little sleep to keep me sane, I 
already do what I can.

Tim

 On 9 Apr 2015, at 10:42 am, Dave Taht dave.t...@gmail.com wrote:
 
 On Wed, Apr 8, 2015 at 6:36 PM, Tim Raphael raphael.timo...@gmail.com 
 wrote:
 Correct. But hopefully not far off now that there are x86 packages for 
 simple MPLS operations. With a bit of luck an RSVP or LDP implementation 
 isn't far behind.
 
 Just sitting around whining and waiting for someone else to do the job
 is nowhere near as effective as chipping in and helping... or funding
 the efforts that exist.
 
 -- 
 Dave Täht
 Open Networking needs **Open Source Hardware**
 
 https://plus.google.com/u/0/107942175615993706558/posts/N8mZ5F5iSPU


Re: Multi-gigabit edge devices as CPE

2015-04-08 Thread Tim Raphael
VyOS is a community fork of Vyatta and is still being developed very actively 
and is pushing ahead with many new features! It's pretty stable too imo.

http://vyos.net/wiki/Main_Page

Regards,

Tim Raphael

 On 9 Apr 2015, at 8:14 am, Faisal Imtiaz fai...@snappytelecom.net wrote:
 
 Mikrotik for OS, and Hardware choice would be to use an X86 appliance (Lanner 
 Electronics, Axiomtek etc)
 You should be able to get a cost effective box that will meet your 
 performance requirements.
 As to feature set, while most of them are there you should do some testing to 
 see if feature set meets your requirements.
 
 Most folks often forget that Mikrotik is OS and they also make Hardware (a 
 variety of sizes for a variety of needs), and the OS can be deployed on 
 standard or custom hardware server or appliances.
 
 You can always go the 'Custom' Linux Route, using x86 boxes with your own 
 distro, too bad that Vyatta OS took a different route under Brocade..
 
 
 
 Faisal Imtiaz
 Snappy Internet & Telecom
 
 - Original Message -
 From: Daniel Rohan dro...@gmail.com
 To: NANOG nanog@nanog.org
 Sent: Wednesday, April 8, 2015 6:46:40 PM
 Subject: Multi-gigabit edge devices as CPE
 
 I work at a state REN and we are seeking a lead for a new edge device for
 on prem deployment at customer sites.
 
 We currently deploy two classes of routers-- a high end and a low end. Both
 the high end and the low end use some of the standard edge features:
 MPLS-TE, MBGP, flowspec, vrf, PIM, etc. We deliver full tables over these
 devices to the customers that need them.
 
 We recently finished a new ethernet procurement and have a large number of
 sites (~200) moving from 1Gbps in bandwidth to 1-10Gb in bandwidth. Our
 currently deployed low-end router can't handle these speeds and we can't
 afford to place our high end router at 200+ sites.
 
 So, we're looking for a middle tier router to deploy. Something with 2+
 SFP+ ports, software that can handle the aforementioned features, and
 something with an API that we can leverage for programmatic management.
 
 So far we've not found anything that checks all the boxes. Layer 3 switches
 seem like obvious choices, but lack some of the features and RIB/FIB we
 need at the edge. Other devices like the Juniper MX5/10 certainly meet the
 requirements, but are priced way beyond what we can afford.
 
 Any suggestions for devices we might have overlooked? Preferably in the
 less than 10K per unit price point. If such a magical device exists.
 
 -Dan
 


Re: Multi-gigabit edge devices as CPE

2015-04-08 Thread Tim Raphael
Correct. But hopefully not far off now that there are x86 packages for simple 
MPLS operations. With a bit of luck an RSVP or LDP implementation isn't far 
behind.

Regards,

Tim Raphael

 On 9 Apr 2015, at 9:14 am, Josh Reynolds j...@spitwspots.com wrote:
 
 No MPLS though, if that is a requirement.
 
 On 04/08/2015 05:11 PM, Tim Raphael wrote:
 VyOS is a community fork of Vyatta and is still being developed very 
 actively and is pushing ahead with many new features! It's pretty stable too 
 imo.
 
 http://vyos.net/wiki/Main_Page
 
 Regards,
 
 Tim Raphael
 
 On 9 Apr 2015, at 8:14 am, Faisal Imtiaz fai...@snappytelecom.net wrote:
 
 Mikrotik for OS, and Hardware choice would be to use an X86 appliance 
 (Lanner Electronics, Axiomtek etc)
 You should be able to get a cost effective box that will meet your 
 performance requirements.
 As to feature set, while most of them are there you should do some testing 
 to see if feature set meets your requirements.
 
 Most folks often forget that Mikrotik is OS and they also make Hardware (a 
 variety of sizes for a variety of needs), and the OS can be deployed on 
 standard or custom hardware server or appliances.
 
 You can always go the 'Custom' Linux Route, using x86 boxes with your own 
 distro, too bad that Vyatta OS took a different route under Brocade..
 
 
 
 Faisal Imtiaz
 Snappy Internet & Telecom
 
 - Original Message -
 From: Daniel Rohan dro...@gmail.com
 To: NANOG nanog@nanog.org
 Sent: Wednesday, April 8, 2015 6:46:40 PM
 Subject: Multi-gigabit edge devices as CPE
 
 I work at a state REN and we are seeking a lead for a new edge device for
 on prem deployment at customer sites.
 
 We currently deploy two classes of routers-- a high end and a low end. Both
 the high end and the low end use some of the standard edge features:
 MPLS-TE, MBGP, flowspec, vrf, PIM, etc. We deliver full tables over these
 devices to the customers that need them.
 
 We recently finished a new ethernet procurement and have a large number of
 sites (~200) moving from 1Gbps in bandwidth to 1-10Gb in bandwidth. Our
 currently deployed low-end router can't handle these speeds and we can't
 afford to place our high end router at 200+ sites.
 
 So, we're looking for a middle tier router to deploy. Something with 2+
 SFP+ ports, software that can handle the aforementioned features, and
 something with an API that we can leverage for programmatic management.
 
 So far we've not found anything that checks all the boxes. Layer 3 switches
 seem like obvious choices, but lack some of the features and RIB/FIB we
 need at the edge. Other devices like the Juniper MX5/10 certainly meet the
 requirements, but are priced way beyond what we can afford.
 
 Any suggestions for devices we might have overlooked? Preferably in the
 less than 10K per unit price point. If such a magical device exists.
 
 -Dan
 


Re: OT: VPS with Routed IP space

2015-02-24 Thread Tim Raphael
Same here, we do as well. But as per the OP's question: we will route additional 
space but you generally need a good reason for it.

Regards,

Tim Raphael

 On 25 Feb 2015, at 4:38 am, Jeff Fisher na...@techmonkeys.org wrote:
 
 On 02/24/2015 02:29 PM, Zachary Giles wrote:
 <Partial thread jack>
 How about VPS providers who will do BGP... Do they exist?
 </Partial thread jack>
 
 Hit and miss I find. We do it for the odd client and haven't really had any 
 issues.
 
 


Re: Facebook outage?

2015-01-26 Thread Tim Raphael
And it appears to be back for me.

- Tim


 On 27 Jan 2015, at 3:08 pm, Tim Raphael raphael.timo...@gmail.com wrote:
 
 Instagram used to use Amazon AWS before being purchased by Facebook.
 There has been a slow migration onto FB infrastructure, so yes, a mixture of 
 addresses like that makes sense.
 
 - Tim
 
 
 On 27 Jan 2015, at 2:58 pm, Christopher Morrow morrowc.li...@gmail.com 
 wrote:
 
 On Tue, Jan 27, 2015 at 1:56 AM, Jason Canady ja...@unlimitednet.us wrote:
 Instagram appears to be down as well, but that would make sense since they 
 are part of Facebook.
 
 
 $ dig +short facebook.com
 173.252.120.6
 
 NetRange:   173.252.64.0 - 173.252.127.255
 CIDR:   173.252.64.0/18
 NetName:FACEBOOK-INC
 
 
 but
 $ dig +short instagram.com
 54.209.14.128
 107.23.173.176
 54.175.77.206
 54.208.246.103
 107.23.166.70
 54.236.148.28
 54.209.197.196
 54.236.177.12
 
 
 those are amazon addresses... err, not sure the connection makes sense 
 though?
 
 -chris
 



Re: Facebook outage?

2015-01-26 Thread Tim Raphael
Instagram used to use Amazon AWS before being purchased by Facebook.
There has been a slow migration onto FB infrastructure, so yes, a mixture of 
addresses like that makes sense.

- Tim


 On 27 Jan 2015, at 2:58 pm, Christopher Morrow morrowc.li...@gmail.com 
 wrote:
 
 On Tue, Jan 27, 2015 at 1:56 AM, Jason Canady ja...@unlimitednet.us wrote:
 Instagram appears to be down as well, but that would make sense since they 
 are part of Facebook.
 
 
 $ dig +short facebook.com
 173.252.120.6
 
 NetRange:   173.252.64.0 - 173.252.127.255
 CIDR:   173.252.64.0/18
 NetName:FACEBOOK-INC
 
 
 but
 $ dig +short instagram.com
 54.209.14.128
 107.23.173.176
 54.175.77.206
 54.208.246.103
 107.23.166.70
 54.236.148.28
 54.209.197.196
 54.236.177.12
 
 
 those are amazon addresses... err, not sure the connection makes sense though?
 
 -chris



Re: Recommended L2 switches for a new IXP

2015-01-13 Thread Tim Raphael
Either way, you can do SDN and automation with most Juniper kit. On purchase 
of JCare you get free access to Junos Space - great for provisioning and 
management of an IXP.

Regards,

Tim Raphael

 On 14 Jan 2015, at 6:28 am, Eduardo Schoedler lis...@esds.com.br wrote:
 
 My mistake, it's the OCX1100.
 http://www.networkworld.com/article/2855056/sdn/juniper-unbundles-switch-hardware-software.html
 
 2015-01-13 20:10 GMT-02:00 Jeff Tantsura jeff.tants...@ericsson.com:
 
 What does it mean -  to be SDN ready?
 
 Cheers,
 Jeff
 
 
 
 
 -Original Message-
 From: Eduardo Schoedler lis...@esds.com.br
 Date: Tuesday, January 13, 2015 at 3:25 AM
 To: nanog@nanog.org nanog@nanog.org
 Subject: Re: Recommended L2 switches for a new IXP
 
 QFX5100 is SDN ready.
 
 --
 Eduardo Schoedler
 
 
 2015-01-13 6:29 GMT-02:00 Stepan Kucherenko t...@megagroup.ru:
 
 Is there any particular reason you prefer EX4600 over QFX5100 ? Not
 counting obvious differences like ports and upgrade options.
 
 It's the same chipset after all, and with all upgrades they have the
 same 10G density (with breakouts). Is that because you can have more 40G
 ports with EX4600 ?
 
 I'm still trying to find out if there are any noticeable software or
 feature differences.
 
 On 13.01.2015 09:01, Mark Tinka wrote:
 On Monday, January 12, 2015 11:41:20 PM Tony Wicks wrote:
 
 People seem to be avoiding recommending actual devices,
 well I would recommend the Juniper EX4600 -
 
 http://www.juniper.net/us/en/products-services/switching/
 ex-series/ex4600/
 
 They are affordable, highly scalable, stackable and run
 JunOS.
 
 We've been quite happy with the EX4550, but the EX4600 is
 good too, particularly if you're coming from its younger
 brother.
 
 Mark.
 
 
 
 --
 Eduardo Schoedler
 
 
 -- 
 Eduardo Schoedler


Re: The state of TACACS+

2014-12-29 Thread Tim Raphael
Making the TACACS+ server unavailable is fairly easy - a small LAN-based
DDoS would do it, or a firewall rule change somewhere in the middle. Either
would cause the router to fail over to its local account.

- this is based on the fact that said attacker has some sort of access
previously and wanted to elevate their privileges.

On Tue, Dec 30, 2014 at 2:38 AM, Michael Douglas michael.doug...@ieee.org
wrote:

 If someone has physical access to a Cisco router they can initiate a
 password recovery; tacacs vs local account doesn't matter at that point.

 On Mon, Dec 29, 2014 at 12:28 PM, Colton Conor colton.co...@gmail.com
 wrote:

  Glad to know you can make local access only work if TACACS+ isn't
  available. However, that still doesn't prevent the employee who knows the
  local username and password from unplugging the device from the network and
  then using the local password to get in. Still better than our current setup of
  having one default username and password that everyone knows.
 
 
 

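The escalation path discussed above (make the TACACS+ server unreachable, wait for the router to fall back to its local account, log in locally) leaves a recognisable trace in device logs: a server-unreachable event followed by a local-method login. The script below is an added example of that correlation and is not code from the thread; it assumes a constructed, hypothetical `aaa:` syslog line format (not any vendor's real message IDs) and treats every successful local-account login as worth an alert, distinguishing the fallback case from a local login made while central AAA was reachable.

```python
"""Flag local-account logins on network devices and record whether the
device's TACACS+ server was reachable at the time (added example)."""
from datetime import datetime
import re

# Constructed sample syslog lines in a hypothetical "aaa:" format; these are
# not a real vendor's message IDs. Timestamps are ISO 8601 without a zone.
SAMPLE_LOG = """\
2014-12-29T11:55:02 rtr1 aaa: login user=ops method=tacacs+ src=10.1.1.7 result=success
2014-12-29T12:01:03 rtr1 aaa: tacacs+ server 10.0.0.5 unreachable
2014-12-29T12:01:40 rtr1 aaa: login user=admin method=local src=10.1.1.7 result=success
2014-12-29T12:30:00 rtr1 aaa: tacacs+ server 10.0.0.5 reachable
2014-12-29T13:10:11 rtr1 aaa: login user=admin method=local src=10.1.1.9 result=success
2014-12-29T13:15:00 rtr2 aaa: login user=ops method=tacacs+ src=10.1.1.7 result=success
2014-12-29T13:20:00 rtr2 aaa: login user=admin method=local src=10.1.1.9 result=failure
"""

LOGIN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) aaa: login user=(?P<user>\S+) "
    r"method=(?P<method>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)
SERVER_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) aaa: tacacs\+ server (?P<server>\S+) "
    r"(?P<state>unreachable|reachable)$"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def find_local_logins(log_text):
    """Return one alert dict per successful login that used the local account.

    Each alert says whether the device had declared its TACACS+ server
    unreachable at that moment (the fallback case: expected, but an outage plus
    a local login is exactly the sequence worth a ticket) or whether TACACS+
    was reachable (local credentials used although central AAA was available,
    which should not happen at all).
    """
    outage_since = {}  # host -> time of the unreachable event still in effect
    alerts = []
    for line in log_text.splitlines():
        m = SERVER_RE.match(line)
        if m:
            host = m.group("host")
            if m.group("state") == "unreachable":
                # keep the first unreachable time if the server flaps
                outage_since.setdefault(host, parse_ts(m.group("ts")))
            else:
                outage_since.pop(host, None)
            continue
        m = LOGIN_RE.match(line)
        if not m or m.group("method") != "local" or m.group("result") != "success":
            continue
        host = m.group("host")
        ts = parse_ts(m.group("ts"))
        alert = {
            "time": m.group("ts"),
            "host": host,
            "user": m.group("user"),
            "src": m.group("src"),
        }
        if host in outage_since:
            alert["reason"] = "local_login_during_tacacs_outage"
            alert["outage_seconds"] = int((ts - outage_since[host]).total_seconds())
        else:
            alert["reason"] = "local_login_with_tacacs_reachable"
            alert["outage_seconds"] = None
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in find_local_logins(SAMPLE_LOG):
        print(alert)
```

The state is tracked per device, because a firewall change "somewhere in the middle" can cut one router off from the TACACS+ server while the others still reach it; a fleet-wide "server down" flag would miss that. Logs must of course be shipped off-box (and the TACACS+ accounting records compared against them) for this to be of use, since an attacker with local access can also clear the local buffer.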


Re: DDOS, IDS, RTBH, and Rate limiting

2014-11-08 Thread Tim Raphael
Check out Arbor Networks, they produce a range of DDoS scrubbing appliances 
that do pretty much what you want.

Regards,

Tim Raphael

 On 9 Nov 2014, at 9:10 am, Eric C. Miller e...@ericheather.com wrote:
 
 Today, we experienced (3) separate DDoS attacks from Eastern Asia, all 
 generating > 2Gbps towards a single IP address in our network. All 3 attacks 
 targeted different IP addresses with dst UDP 19, and the attacks lasted for 
 about 5 minutes and stopped as fast as they started.
 
 Does anyone have any suggestions for mitigating these type of attacks?
 
 A couple of things that we've done already...
 
 We set up BGP communities with our upstreams, and tested that RTBH can be set 
 and it does work. However, by the time that we are able to trigger the black 
 hole, the attack is almost always over.
 
 For now, we've blocked UDP 19 incoming at our edge, so that if future, 
 similar attacks occur, it doesn't affect our internal links.
 
 What I think that I need is an IDS that can watch our edge traffic and 
 automatically trigger a black hole advertisement for any internal IP 
 beginning to receive > 100Mbps of traffic. A few searches are initially 
 coming up dry...
 
 
 
 Eric Miller, CCNP
 Network Engineering Consultant
 (407) 257-5115
 
 
 

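What Eric describes (watch edge traffic, and once a destination inside the network starts receiving more than about 100 Mbps, automatically trigger the RTBH community already set up with the upstreams) can be prototyped from flow exports before buying an appliance. The script below is an added example, not code from the thread or from Arbor; it assumes a constructed flow-record tuple (real NetFlow/IPFIX records carry far more fields), RFC 5737 documentation addresses, the RFC 7999 BLACKHOLE well-known community 65535:666, and an ExaBGP-like announcement line whose exact syntax is an assumption to be replaced with whatever route injector is actually in use.

```python
"""Threshold-based RTBH trigger from flow records (added example; constructed
data, and an assumed announcement format rather than a specific daemon's API)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records: (unix_time, dst_ip, dst_port, proto, bytes).
# Hypothetical export shape; RFC 5737 documentation prefixes throughout.
SAMPLE_FLOWS = [
    (1000, "203.0.113.10", 19, 17, 150_000_000),
    (1010, "203.0.113.10", 19, 17, 400_000_000),
    (1020, "203.0.113.10", 19, 17, 600_000_000),
    (1030, "203.0.113.25", 443, 6, 20_000_000),
    (1040, "198.51.100.7", 19, 17, 900_000_000),  # not ours: must never trigger
]

OUR_PREFIXES = [ip_network("203.0.113.0/24")]  # only ever blackhole our own space
WINDOW_SECONDS = 60
THRESHOLD_MBPS = 100  # the per-destination rate floated in the thread
BLACKHOLE_NEXT_HOP = "192.0.2.1"  # discard next hop agreed with the upstream (constructed)
BLACKHOLE_COMMUNITY = "65535:666"  # RFC 7999 BLACKHOLE well-known community


def rate_per_dst(flows, now, window=WINDOW_SECONDS):
    """Mbps per destination over the `window` seconds ending at `now`."""
    totals = defaultdict(int)
    for ts, dst, _port, _proto, nbytes in flows:
        if now - window < ts <= now:
            totals[dst] += nbytes
    return {dst: nbytes * 8 / window / 1e6 for dst, nbytes in totals.items()}


def is_ours(dst):
    addr = ip_address(dst)
    return any(addr in prefix for prefix in OUR_PREFIXES)


def rtbh_candidates(flows, now, threshold=THRESHOLD_MBPS):
    """Destinations above the threshold that lie inside our own prefixes."""
    rates = rate_per_dst(flows, now)
    return sorted(dst for dst, mbps in rates.items() if mbps > threshold and is_ours(dst))


def blackhole_announcement(dst):
    """One /32 announcement tagged with the BLACKHOLE community.

    ExaBGP-like text style used for illustration only (assumed syntax); adapt
    to the route injector the upstream arrangement actually uses.
    """
    if not is_ours(dst):
        # A trigger that could announce arbitrary /32s is itself a hazard.
        raise ValueError(f"refusing to blackhole address outside our prefixes: {dst}")
    return f"announce route {dst}/32 next-hop {BLACKHOLE_NEXT_HOP} community [{BLACKHOLE_COMMUNITY}]"


if __name__ == "__main__":
    for dst in rtbh_candidates(SAMPLE_FLOWS, now=1060):
        print(blackhole_announcement(dst))
```

Two design points follow from the thread. The prefix guard is deliberate: an automated trigger that can announce any /32 it sees in a flow record is a self-inflicted outage waiting to happen, so the check sits in both the candidate selection and the announcement routine. The window and threshold trade off against Eric's "by the time we trigger, the attack is over": a shorter window reacts faster but is noisier, and a five-minute attack at 2 Gbps will be over before a five-minute average notices it, so the window should be shorter than the attacks being seen, with a withdrawal timer (not shown) to remove the route once the rate drops.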

Re: IPv6 Default Allocation - What size allocation for Loopback Address

2014-10-11 Thread Tim Raphael
From my research, various authorities have recommended that a single /64 be 
allocated to router loopbacks with /128s assigned on interfaces. This makes a 
lot of sense to me as (which has been said) there is no other *need* in the 
foreseeable future to have more than one IP on the loopback - this is the 
purpose of it. Any technology or design that requires this has got scaling 
issues and should not be used anyway.

Regards,

Tim Raphael

 On 11 Oct 2014, at 2:37 pm, Roland Dobbins rdobb...@arbor.net wrote:
 
 
 On Oct 11, 2014, at 1:33 PM, Faisal Imtiaz fai...@snappytelecom.net wrote:
 
 I am trying to understand what is sub-optimal about doing so...Waste of Ipv6 
 space ? or some other technical reason ?
 
 It's wasteful of address space, but more importantly, it turns your router 
 into a sinkhole.
 
 (is a /64 address being a 'sinkhole' the only reason?)
 
 That's a pretty big reason not to use /64s.
 
 --
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
 
   Equo ne credite, Teucri.
 
 -- Laocoön