I have been recommending to many friends to check in daily at
http://irrexplorer.nlnog.net/ to make sure everything is healthy with their
prefixes ...
Today a colleague reported a problem with an AS58299 ad appearing in "their
prefixes".
I went to look and it was showing up on our ASNs too.
It took me
The route has already been removed!
Thanks!
On Wed, Nov 13, 2019 at 14:00, Douglas Fischer <
fischerdoug...@gmail.com> wrote:
> I have been recommending to many friends to check in daily at
> http://irrexplorer.nlnog.net/ to make sure everything is healthy with
>
On Thu, May 7, 2020 at 14:24, Douglas Fischer <
fischerdoug...@gmail.com>
Hello everyone
P.S .: I apologize, but I write for multiple email lists, precisely because
it is a topic that interests multiple regions.
P.S.2: The objective in this proposal is to make feasible the creation of
validation mechanisms for the creation of IRR Route / Route6 Objects,
without
Hey Tomas !
I would like to buy you a very large beer mug!
They are just another AS!
For example...
What gives them the theoretical right to not publish information on
PeeringDB like AS-SET, to allow their paid Peering partners to filter
their announced routes?
And I'm not talking
From time to time, in some IXP in the world, some issue on the forwarding plane
occurs.
When it occurs, this topic comes back.
The failures are not big enough to drop the BGP sessions between IXP
participants and route-servers.
But they are enough to harm traffic between participants.
And then the
I'm looking for some tool to work as a Command and Control of several remote
nodes.
The idea is to have many-many nodes of Virtual Machines running on every
ASN voluntarily to deploy some services spread everywhere we can.
Something like a Call-Home, that allows the headquarter to track
I think that the subject of the e-mail is very self-explanatory.
With some analysis of what is running over our network, ISP or ITP, we will
be able to see some TCP/UDP(mostly UDP) packets with source or
destination to port 0.
I can think of a genuine use of it.
(Maybe someone could help me see
Sorry!
sed 's/"I can think"/"I can't think"/g'
On Tue, Aug 25, 2020 at 09:16, Töma Gavrichenkov
wrote:
> Peace,
>
> On Tue, Aug 25, 2020, 2:14 PM Douglas Fischer
>
>> I can think of a genuine use of it.
>>
>
> I'm curious which one.
About this comparison between CAM-Table Timeout, and ARP-Table Timeout.
I tend to partially agree with you...
Ethernet is such a widely used protocol in several scenarios.
We need to consider the different needs of the type of communications.
For example:
I'm not a big fan of Mikrotik/RouterOS.
But
Well...
My idea with the initial mail was:
a) Check if there is anything hindering the evolution of this draft to an
RFC.
b) Bet on trying to make possible a thing that nowadays could be considered
impossible, like:
"How to enable the BFD capability on a route-server with 2000 BGP
Sessions
at doesn't like to be woken up at dawn will become
happy(at least by this reason).
On Thu, Sep 17, 2020 at 15:07, Saku Ytti wrote:
> On Thu, 17 Sep 2020 at 20:51, Douglas Fischer
> wrote:
>
> > Why should we spend CPU Cycles with 576K ARP Requests a day(2K
> par
We are looking for an open-source-based CGNAT solution.
Yep, I know that basic CGNAT can be done with iptables / nftables, or PF /
IPFILTER / IPFW.
But I only know Open Source CGNAT recipes with predefined public-ports <->
private IPs mapping.
Which brings two types of issues:
A - The need to
TL;DR.
There are several tools[1] to automate the creation of Prefix Filtering on
Internet Routing.
I want the opposite!
A tool to help me to create/alter/delete IRR Objects based on the
information of my Cone.
Sad history
---
For a long time, I have been creating some auxiliary scripts to do
We are creating some auxiliary to help on the deploy of our BGP Sessions.
Most of the information we are getting from Peering DB.
For Bilateral Sessions(over Private media, or over MPLA vlan), we use the
max-prefix defined on PeeringDB profile of the partner.
(And other information also, like
By Suggestion of a colleague I opened an issue about it on PeeringDB Github
https://github.com/peeringdb/peeringdb/issues/755
On Thu, Jun 25, 2020 at 11:59, Douglas Fischer <
fischerdoug...@gmail.com> wrote:
> We are creating some auxiliary to help on the deploy of our BGP
Just a complementary demonstration of a scenario where this "bgpfs2acl" is being
used.
https://youtu.be/8pNZJUHlRPk
On Tue, Jun 16, 2020 at 15:39, Douglas Fischer <
fischerdoug...@gmail.com> wrote:
> We were looking for some way to implement BGP Flowspec Filtering(just the
We were looking for some way to implement BGP Flowspec Filtering(just the
permit/deny basic) using L3 switches in an automated way.
Searching a bit we found https://github.com/ios-xr/bgpfs2acl
It is almost what we are looking for!
But it is focused on Cisco devices.
We even considered forking it to our
Let's just jump all the arguing about lack of IPv4, the need of IPv6, and
etc...
I must confess that I don't know all the RFCs.
I would like it, but I don't!
And today, I reached on https://tools.ietf.org/html/rfc5549
I knew that was possible to transfer v4 routes over v6 BGP sessions, or v6
The primary thing that you need to do is to create ROAs of your block
allowing only your ASN as Origin.
Second, as Siyuan and Justin mentioned, get in touch with Merit RADB.
They are great! If you do the full job right in the first e-mail,
presenting the allocation of the RIR and the transfer,
ting in case something goes wrong
> (however I can understand it's a nice feature to have and in might be
> useful in some scenarios).
>
>
> But you are right I do not know much about networks doing it, I also would
> like hear about it.
>
>
> Alejandro,
>
>
> On
I received some contacts in PVT...
And joining the recommendations of some of them, I will give a shot with
BSDRP+Napalm(with Ansible).
Let's see if it can scale as expected.
Thank you all.
On Wed, Nov 4, 2020 at 05:15, Douglas Fischer <
fischerdoug...@gmail.com> wrote:
I'm designing a tool for provisioning configurations for an ITP and his
Peers.
The idea is that based on that, all the configs to all the involved
components configurations to be deployed based on that source of data. I'm
Talking about Routers, BMP, SNMP tool(Ex.: Zabbix), etc...
But, once again,
I'm deploying some Linux based routers with BIRD as the routing daemon.
-> Yep, Bird is a specific requirement for this project.
But it is taking me too much time to adjust (and in the future keep it running
well) the basics like sysctl adjustments for routing and performance on
that, ssh/snmp and
I think most here know (way better than me) the concepts of DDoS, anomaly
detection, and reactions.
Some of the reactions that can be implemented to reduce the impact of an
attack are Remote-Triggered BlackHole and FlowSpec Filtering.
In theory, using FlowSpec would be possible to de source the
> On Feb 2, 2021, at 00:34, Douglas Fischer
> wrote:
>
>
> Or even know if already there is a solution to that and I'm trying to
> invent the wheel.
>
>
> Many flow telemetry export implementations on routers/layer3 switches
> report both passed & dropped traffic o
ver under any
> circumstances provide access to a 3rd party company to push a FlowSpec rule
> or trigger RTBH on my networks. No way. You would be handing over a
> nuclear trigger and saying "Please break me at my earliest inconvenience."
>
> On Tue, Feb 2, 2021 at 5:56 AM Dou
, and filtering and refiltering should be done on both
layers.
On Wed, Feb 3, 2021 at 02:43, Hank Nussbacher
wrote:
> On 02/02/2021 19:08, Douglas Fischer wrote:
>
> Well... That is a point of view!
> And I must respect that.
>
> Against this position, there are several compani
oon.
>
>
>
> -Rich Compton
>
>
>
> *From: *NANOG on
> behalf of Douglas Fischer
> *Date: *Tuesday, February 2, 2021 at 10:10 AM
> *To: *Tom Beecher
> *Cc: *NANOG list
> *Subject: *[EXTERNAL] Re: RTBH and Flowspec Measurements - Stop guessing
> when t
http://aka.ms/weboutlook>
> --
> *From:* NANOG on behalf of
> Douglas Fischer
> *Sent:* Wednesday, February 3, 2021 10:59
> *To:* Hank Nussbacher
> *CC:* NANOG
> *Subject:* Re: RTBH and Flowspec Measurements - Stop guessing when the
> attack will
Hello William!
An ARP Controller to compose a L2 Cluster solution seems a good idea for a
beginning...
(I would include ND)
I will try to think a bit on that...
Any suggestions are welcome.
On Thu, Jul 1, 2021 at 16:06, William Herrin
wrote:
> On Thu, Jul 1, 2021 at 11:05 AM Doug
:51, Masataka Ohta <
mo...@necom830.hpcl.titech.ac.jp> wrote:
> Douglas Fischer wrote:
>
> > I'm looking for solutions to deploy some type of selective high
> > availability and load balance based on the glue between Layer 2 and
> Layer 3
> > (ARP or ND).
>
I'm looking for solutions to deploy some type of selective high
availability and load balance based on the glue between Layer 2 and Layer 3
(ARP or ND).
And I'm coming here to ask help to avoid reinventing the wheel.
I know VRRP / Heartbeat, and their downside is the Active/Passive
For me, every day it becomes more evident the need to validate information
managed by the RIRs / NIRs / LIRs on separate information platforms.
A very simple example is PeeringDB itself, which requires confirmation of
correlation between the ASN whois contact and the account that is
registering
o that, I’ve done a very complete testing, for a customer, with a
> PS4 in a LAN with 464XLAT and everything worked fine. Unfortunately, as
> this was contracted by a customer, I can’t disclose all the test set, but
> believe me it worked. It is a deployment with 25.000.000 customers, using
> GPON, DSL a
Here goes a link to an excellent analysis of IPv6 and Playstation
This says a lot about why some prefer DualStack.
https://toreanderson.github.io/2021/02/23/ipv6-support-in-the-playstation-5.html
On Tue, Mar 2, 2021 at 07:59, Douglas Fischer <
fischerdoug...@gmail.com> es
The important message on Tore's post IS ALL ABOUT "Sony and Playstation are
doing IPv6 in the wrong way!".
On Mon, Apr 5, 2021 at 19:16, Douglas Fischer <
fischerdoug...@gmail.com> wrote:
> Jordi, If I sum the numbers of times "It is a deployment with 25.000.000
On Tue, Apr 6, 2021 at 04:32, JORDI PALET MARTINEZ via NANOG <
nanog@nanog.org> wrote:
>
>
> I don’t understand what you mean with the support folks, they just do
what their boss decides, like in any other technology deployment.
Well, Jordi... Do You know what is the important Body
hat time. What's the story?
>
> ----------
> *From:* NANOG
> on behalf of William Herrin
> *Sent:* Tuesday, March 16, 2021 1:01 AM
> *To:* Douglas Fischer
> *Cc:* NANOG
> *Subject:* Re: SFI/SBI/Transit - Dumping
>
> On Mon, Mar 15, 2021 at 11:35 A
them to make this work for selected purposes. Router-to-Router
> links, especially between higher-end routers seems to be one of those cases
> that it might be useful. It might be the case that Amazon is already
> doing this
>
>
> On Mon, Mar 8, 2021 at 12:07 PM Douglas Fis
Here in Brazil we had a similar issue...
The cause here was the lack of maintenance contract between the Firewall
Suppliers and the Government Department.
GeoIPBased Firewall Rule was deployed on the Public Health System in
Brazil, saying:
"To those servers, if IP is not from Brazil, drop!"
Hello all!
I'm going a bit deeper into the study of Peering Relationships...
And one of the possibilities that I'm trying to understand better on the
Peering Relationships on the Internet being considered dumping(economy).
The matter here is more on the economic and commercial aspects than on the
Based on the difficulties I have already experienced, I would bet on some
default route (or for example 2001::/16) statically placed on your FIB
pointing to an Upstream.
Or even the simple absence of the default route (::/0) pointing to null.
On Tue, Mar 2, 2021 at 11:21, Pirawat
r side.
>
> > On 25 Feb 2021, at 01:48, Douglas Fischer
> wrote:
> >
> >
> >
> > Is this pain you have lived or verified with first hand testing?
> >
> > Yep! A lot!
> >
> > LOL gamers can be pretty much insistent...
> > (haha.jpg
P.S.: Forking thread from CGNAT.
Hello Jordi!
Since our last heated talk about transitions methods(Rosario, 2018?), I
must recognize that the intolerance to other scenarios other than
dual-stack had reduced(mostly because of improvements on the applications
in general). I'm even considering the
The statement used on the survey "Are you aware that use of DPDK on a
processor core keeps utilization at 100% regardless of packet activity?"
can be easily distorted and badly used.
I sincerely do not agree with the approach of presuming and declaring "DPDK
spent too much power".
Mainly because
>
> Is this pain you have lived or verified with first hand testing?
>
>>
>> Yep! A lot!
LOL gamers can be pretty much insistent...
(haha.jpg + haha-crying.jpg)
And Specifically on SIP/Voip over the Internet, with deep analysis at all
the parts involved.
The most common issue is incoming Calls
I'm not sure if it Covers IRR.
But considering IRR is an extension of Whois...
Arin keeps the service of "whowas"
https://www.arin.net/reference/research/whowas/
I suggest you take a look there.
And also, some IRRs keeps an archive folder on the FTP.
ftp://ftp.radb.net/radb/dbase/archive/
https://pasteboard.co/JRHNVKw.png
On Mon, Mar 8, 2021 at 16:07, Douglas Fischer <
fischerdoug...@gmail.com> wrote:
> Has anybody seen that also?
>
> P.S.: I'm completely in favor of a complementary RFC assigning FUTURE USE
> exclusively to "Between
Has anybody seen that also?
P.S.: I'm completely in favor of a complementary RFC assigning FUTURE USE
exclusively to "Between Routers" Link Networks...
--
Douglas Fernando Fischer
Control and Automation Engineer
I'm very happy to see interest in DPDK and power consumption.
But IMHO, the questions do not cover the actual reality of DPDK.
That characteristic of "100% CPU" depends on several aspects, like:
- How old is the hardware on DPDK.
- What type of DPDK Instructions are made(Very Dynamic as
ed
> inside of it...
> > I'm not sure if it is the better solution for the scope of LOAs, but
> certainly is a valid discussion.
> >
> >
> > What is bubbling in my mind is the standard data model for each type of
> different attribute that can exist...
> >
I recommend you to take a look at DANOS.
https://danosproject.atlassian.net/wiki/spaces/DAN/pages/416153601/Carrier+Grade+NAT+CGNAT
- A very active open-source project.
- Sponsored by AT
- Uses Vyatta (and DPDK for good performance)
- The Routing Engine is based on FRR.
- Syntax sounds like
I believe that almost everyone in here knows that LOAs for Cross Connects
in Datacenters and Telecom Rooms can be a pain...
I don't know if I'm suggesting something that already exists.
Or even if I'm suggesting something that could be unpopular for some reason.
But every time I need to deal
different attribute that can exist...
Who will define that?
On Mon, Feb 22, 2021 at 12:26, Christopher Morrow <
morrowc.li...@gmail.com> wrote:
> On Mon, Feb 22, 2021 at 9:19 AM Douglas Fischer
> wrote:
> >
> > I believe that almost everyone in here knows t
What if PeeringDB would be the CA for the Facilities?
Supposedly this solves the CA problem of the "Colo Folks".
Would PeeringDB be interested in that?
On Mon, Feb 22, 2021 at 16:04, Christopher Morrow <
morrowc.li...@gmail.com> wrote:
> On Mon, Feb 22, 2021 at 1:39 PM Randy Bush
Does anybody else have problems with Cloudflare's RPKI Validator with
prefixes from LACNIC?
Customers were sending us some reports of issues with LACNIC's IPBlocks
using Cloudflare RPKI as source of validation.
A friend and I did some checks. And looks like that some issue is happening
on the
:47, Douglas Fischer <
fischerdoug...@gmail.com> wrote:
> Does anybody else have problems with Cloudflare's RPKI Validator with
> prefixes from LACNIC?
>
> Customers were sending us some reports of issues with LACNIC's IPBlocks
> using Cloudflare RPKI as source of validatio
Hello!
I also found a recent draft(expires November 2021) about using Route
Distinguisher as a Value on ORF.
https://datatracker.ietf.org/doc/draft-wang-idr-rd-orf/
On Wed, Aug 18, 2021 at 11:41, Humberto Galiza <
humbertogal...@gmail.com> wrote:
> Hi,
>
> Is anyone aware of any
ould have been
> to define a regex that is for the feature. I half suspect if people pushed
> on this these days, they'd want PCRE. :-)
>
> The RD-ORF work is part of some ongoing discussion about how to deal with
> VRF overwhelm (prefix-limit exceed).
>
> -- Jeff (IDR co-chair)
>
09:16, Jeffrey Haas
wrote:
>
>
> > On Aug 19, 2021, at 12:18 AM, Douglas Fischer
> wrote:
> >
> > I agree that without combining prefix-list and as-path, the
> effectiveness of ORF, considering its initial purpose, the pros and cons
> does not pay t
I begin my questioning by mentioning the recent moves towards
standardization of BGP Roles made formalized initially by RFC 9234, and
also by what is proposed with the ASPA that we should see soon.
And from what I can see, it makes a lot of sense to have an IRR
representation through AS-SET of
I was thinking a little about this case...
I'm almost certain that this case cited by Siyuan would have been avoided
if there was a cross-check between the items contained in the AS-SET
objects (and others such as the Route-Set), and the "member-of" attributes
of the referred objects.
I
I already had this idea, I even implemented it in the desperate time of the
512K "bug".
And with that I can tell you:
Do not do it! You will be bothered!
But if you want to go this way, what I can recommend is to try not to put
routes in the FIB that match your Default.
Talking about having a
Your research is remarkably interesting.
I intend to study it more closely in the coming days.
I just like to share a methodology that I came across to mitigate this type
of problem, and that I found very elegant.
It's not ideal, but it has very small implementation requirements.
Using
I imagine it's an ISP you are talking about, where the traffic is mostly
inbound.
Hire transit companies that have good traffic engineering community
policies.
- Selective prepending or selective no-export by:
-> Type of peer.
-> Geographic location of their routers.
-> ASN specific.
And then you
If your Upstream(Transit provider) prepends your routes without you asking
or authorizing it to do so, you should SERIOUSLY consider switching
providers!
In the other email I talked about traffic engineering BGP communities.
If those prepends were made from some community you were applying... OK,
I have recollection of something like embedded quality testing on youtube.
I don't remember if it was a speed test or a latency/jitter test.
I looked quickly to see if I could find it... But I couldn't find it.
On Wed, Dec 28, 2022 at 13:43, Mike Hammett
wrote:
> Does AS15169 have a
Good news!
Good perspectives for the future...
But this thread reminded me of RFC 3021 and Windows... Since December
2000.
https://social.technet.microsoft.com/Forums/en-US/6da37a2d-6884-4c3c-bdd5-1b8356edfced/windows-102019-non-compliant-with-rfc-3021-ipv4-31-subnet-mask?forum=winserverPN
Hello Abraham!
I believe your e-mail client (MUA) is splitting every message on a new
thread.
I'm not sure if it is happening with everyone, but using Gmail as MUA, it
isn't aggregating the mails on the same thread.
Could you please check the confs of your tool to avoid it?
Thanks in advance.
I do not like mikrotik, but I need to say that RouterOS does support /31.
All that you need to do, beyond set /31 at address for netmask, is check if
the other address is defined at the network address.
On Sat, Nov 19, 2022 15:58, Denis Fondras
wrote:
> Le Sat, Nov 19, 2022 at
At least when accessing here from Brazil, it gets stuck in the cloudflare
tool.
Anyone else with this problem?
[image: image.png]
--
Douglas Fernando Fischer
Control and Automation Engineer
I just did a new test.
It's working again.
Thanks!
On Fri, Jan 27, 2023 at 08:49, Douglas Fischer <
fischerdoug...@gmail.com> wrote:
> At least when accessing here from Brazil, it gets stuck in the cloudflare
> tool.
> Anyone else with this problem?
>
I also have this concern about Spoofing coming from Downstreams.
And after a lot of struggle I can say that using uRPF in strict mode per
interface doing FIB lookup is not a good idea!
And I feel sad to have to say that.
I've spent a lot of time wrestling with this issue, and the measurement
If the route can exist on a FIB, a ROA can exist for it.
So, there is no reason to not create the ROAs.
On Tue, Nov 1, 2022 at 11:12, Samuel Jackson
wrote:
> Hello,
> I am new to RPKI/ROA and still learning about RPKI. From all my reading on
> ARIN's documents I am not able to answer
We are implementing an interesting L3VPN scenario for distributed DFZ on
mid-size PEs.
And we believe that the RT Constrained Route Distribution, RFC4684, will be
ideal to solve the problems of operational levels for the intervention of
configurations between PEs and Route-Reflectors.
However,
Does any colleague have a suggestion for a tool with some kind of support
for managing the Telephone Numeric Address Space?
Maybe some plugin for PHPIPAM or NETBOX?
--
Douglas Fernando Fischer
Control and Automation Engineer
Replicating to public list the suggestions I've received on private:
- PHPIPAM > Administration > phpIPAM settings >Section:"Feature Settings"
and enable the PSTN module
- https://github.com/iDebugAll/phonebox_plugin
Thanks!
On Mon, Mar 27, 2023 at 16:16, Douglas Fi
Most of us have already used some BGP community policy to no-export some
routes to somewhere.
On the majority of IXPs, and most of the Transit Providers, the very common
community telling route-servers and routers "Please do no-export these
routes to that ASN" is:
-> 0:
So we could say that
ke Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> --
> *From: *"Tom Beecher via NANOG"
> *To: *"Douglas Fischer"
> *Cc: *"NANOG"
> *Sent:
80 matches