<div dir="auto">Hi,<div dir="auto"><br></div><div dir="auto">First submission so be nice :-)</div><div dir="auto"><br></div><div dir="auto">Ex. CenturyLink'er here so happy to share my knowledge of their network based solution if anyone is interested.</div><div dir="auto"><br></div><div dir="auto">Cheers</div><div dir="auto"><br></div><div dir="auto">Chris</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, 5 Feb 2020, 12:00 , <<a href="mailto:nanog-request@nanog.org">nanog-request@nanog.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Send NANOG mailing list submissions to<br>
<a href="mailto:nanog@nanog.org" target="_blank" rel="noreferrer">nanog@nanog.org</a><br>
<br>
To subscribe or unsubscribe via the World Wide Web, visit<br>
<a href="https://mailman.nanog.org/mailman/listinfo/nanog" rel="noreferrer noreferrer" target="_blank">https://mailman.nanog.org/mailman/listinfo/nanog</a><br>
or, via email, send a message with subject or body 'help' to<br>
<a href="mailto:nanog-request@nanog.org" target="_blank" rel="noreferrer">nanog-request@nanog.org</a><br>
<br>
You can reach the person managing the list at<br>
<a href="mailto:nanog-owner@nanog.org" target="_blank" rel="noreferrer">nanog-owner@nanog.org</a><br>
<br>
When replying, please edit your Subject line so it is more specific<br>
than "Re: Contents of NANOG digest..."<br>
<br>
<br>
Today's Topics:<br>
<br>
1. Re: Recommended DDoS mitigation appliance? (Colton Conor)<br>
2. RE: Recommended DDoS mitigation appliance? (Phil Lavin)<br>
3. RE: Recommended DDoS mitigation appliance? (Kushal R.)<br>
4. Re: Recommended DDoS mitigation appliance? (J. Hellenthal)<br>
5. Re: Recommended DDoS mitigation appliance? (Colton Conor)<br>
6. RE: Recommended DDoS mitigation appliance? (Phil Lavin)<br>
7. Re: Jenkins amplification (Daryl)<br>
8. Re: Jenkins amplification (Mike Meredith)<br>
9. Re: EVPN multicast route (multi home case ) implementation /<br>
deployment information (Andrey Kostin)<br>
10. WTR: 1-2RU @ Equinix Ashburn (Jason Lixfeld)<br>
11. Help with survey on enterprise network challenges?<br>
(Joseph Severini)<br>
12. Re: Jenkins amplification (Christopher Morrow)<br>
13. Re: Has Anyone managed to get Delegated RPKI working with<br>
ARIN (Cynthia Revström)<br>
14. Re: Has Anyone managed to get Delegated RPKI working with<br>
ARIN (Randy Bush)<br>
<br>
<br>
----------------------------------------------------------------------<br>
<br>
Message: 1<br>
Date: Tue, 4 Feb 2020 07:40:18 -0600<br>
From: Colton Conor <<a href="mailto:colton.conor@gmail.com" target="_blank" rel="noreferrer">colton.conor@gmail.com</a>><br>
To: Javier Juan <<a href="mailto:javier.juan@gmail.com" target="_blank" rel="noreferrer">javier.juan@gmail.com</a>><br>
Cc: Rabbi Rob Thomas <<a href="mailto:robt@cymru.com" target="_blank" rel="noreferrer">robt@cymru.com</a>>, NANOG <<a href="mailto:nanog@nanog.org" target="_blank" rel="noreferrer">nanog@nanog.org</a>><br>
Subject: Re: Recommended DDoS mitigation appliance?<br>
Message-ID:<br>
<<a href="mailto:CAMDdSzN0vhwK70Gd0EnNPRvP9QAfqoXZ_GUZiaVtgzcWgwN_GQ@mail.gmail.com" target="_blank" rel="noreferrer">CAMDdSzN0vhwK70Gd0EnNPRvP9QAfqoXZ_GUZiaVtgzcWgwN_GQ@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Javier,<br>
<br>
So is Imperva similar to how Kentik operates? What was it priced liked? I<br>
like the Kentik solution, but their per router per month pricing is too<br>
expensive even for a small network.<br>
<br>
On Mon, Feb 3, 2020 at 11:01 AM Javier Juan <<a href="mailto:javier.juan@gmail.com" target="_blank" rel="noreferrer">javier.juan@gmail.com</a>> wrote:<br>
<br>
> Hi !<br>
><br>
> I was looking around (a couple years ago) for mitigation appliances<br>
> (Riorey, Arbor, F5 and so on).... but the best and almost affordable<br>
> solution I found was Incapsula/Imperva.<br>
><br>
> <a href="https://docs.imperva.com/bundle/cloud-application-security/page/introducing/network-ddos-monitoring.htm" rel="noreferrer noreferrer" target="_blank">https://docs.imperva.com/bundle/cloud-application-security/page/introducing/network-ddos-monitoring.htm</a><br>
><br>
><br>
> Basically, You send your flows to Imperva on cloud for analysis. As soon<br>
> as they find DDoS attack , they activate mitigation. It´s some kind of<br>
> elegant-hybrid solution without on-premise appliances . Just check it out :)<br>
><br>
> Regards,<br>
><br>
> JJ<br>
><br>
><br>
><br>
> On Sun, Nov 17, 2019 at 11:20 PM Rabbi Rob Thomas <<a href="mailto:robt@cymru.com" target="_blank" rel="noreferrer">robt@cymru.com</a>> wrote:<br>
><br>
>> -----BEGIN PGP SIGNED MESSAGE-----<br>
>> Hash: SHA256<br>
>><br>
>><br>
>> Hello, NANOG!<br>
>><br>
>> I'm in the midst of rebuilding/upgrading our backbone and peering -<br>
>> sessions cheerfully accepted :) - and am curious what folks recommend<br>
>> in the DDoS mitigation appliance realm? Ideally it would be capable<br>
>> of 10Gbps and circa 14Mpps rate of mitigation. If you have a<br>
>> recommendation, I'd love to hear it and the reasons for it. If you<br>
>> have an alternative to an appliance that has worked well for you<br>
>> (we're a mix of Cisco and Juniper), I'm all ears.<br>
>><br>
>> Private responses are fine, and I'm happy to summarize back to the<br>
>> list if there is interest.<br>
>><br>
>> Thank you!<br>
>> Rob.<br>
>> - --<br>
>> Rabbi Rob Thomas Team Cymru<br>
>> "It is easy to believe in freedom of speech for those with whom we<br>
>> agree." - Leo McKern<br>
>> -----BEGIN PGP SIGNATURE-----<br>
>><br>
>> iQIzBAEBCAAdFiEEDcVjavXj08cL/QwdQ+hhYvqF8o0FAl3Rx08ACgkQQ+hhYvqF<br>
>> 8o0snw/8CxTOujcodNh/huMXZaUNlMNoNRz3IoPqBiAP9BZomMz9xqlpDW/qvWBF<br>
>> xhoJ07C0O0mo5ilNjnPR308uifIBu6ylw02PshOCU06dV0afgtndxGg5AoG9npUV<br>
>> 7uCi2afWaf22dq5TwKLut8QPNNQJTRzndX88xJw9MzzoBTemxRtM7ft4H3UhJ0hv<br>
>> oKo83FCNZQt36I+GZA9GBJeXM+o0f5h0w6fhRqARzttf6brJZdXgROyIQ7jptGuZ<br>
>> N3Yrjk/8RM4XKMnYbtIwl8NS3c0nEGN3ndn+Bz7p2FE7QJrZKonk/o03dvr2kU0Y<br>
>> 7gUQliOOzV9EsptVGyLCVyDJSElvXTBaps0giEVZhdmEIDJPWvBc+93j1g7xbmti<br>
>> 27lT6+5qBmEN0oKJWxXgtw9/n1yX9vsc7tXlgYDoXGhIlszdB3baRao1tYEp8BBQ<br>
>> hTGAULRfHe94tRzvOOQUQIuhzNcK1Q4E2jU6kzBB1wJsBD4zuHk+QIJLSHBmmnka<br>
>> VNKlQ+5zP8dmSMBp6k4feqAtt3hy0Bj+34FbdQZYPutIe3VXHEjpWI3jI9vKjhtC<br>
>> g7U/9CQIjVUl2APn1IllArpUpETBlNq7dSeJNUN/4Xh+eHglUnEn/m2kFG5mizmP<br>
>> d0YvLEVe0/+WzDUz+y3KxDVP5tdJT1VM46FHIgeiB4KrWNGRPUo=<br>
>> =uuel<br>
>> -----END PGP SIGNATURE-----<br>
>><br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mailman.nanog.org/pipermail/nanog/attachments/20200204/f146a39e/attachment-0001.html" rel="noreferrer noreferrer" target="_blank">http://mailman.nanog.org/pipermail/nanog/attachments/20200204/f146a39e/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 2<br>
Date: Tue, 4 Feb 2020 13:50:07 +0000<br>
From: Phil Lavin <<a href="mailto:phil.lavin@cloudcall.com" target="_blank" rel="noreferrer">phil.lavin@cloudcall.com</a>><br>
To: Colton Conor <<a href="mailto:colton.conor@gmail.com" target="_blank" rel="noreferrer">colton.conor@gmail.com</a>>, Javier Juan<br>
<<a href="mailto:javier.juan@gmail.com" target="_blank" rel="noreferrer">javier.juan@gmail.com</a>><br>
Cc: NANOG <<a href="mailto:nanog@nanog.org" target="_blank" rel="noreferrer">nanog@nanog.org</a>><br>
Subject: RE: Recommended DDoS mitigation appliance?<br>
Message-ID:<br>
<<a href="mailto:DB6PR0301MB2533F880B73AEE1AA43C483089030@DB6PR0301MB2533.eurprd03.prod.outlook.com" target="_blank" rel="noreferrer">DB6PR0301MB2533F880B73AEE1AA43C483089030@DB6PR0301MB2533.eurprd03.prod.outlook.com</a>><br>
<br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
> So is Imperva similar to how Kentik operates? What was it priced liked?<br>
<br>
It is a nice model as you don't need additional hardware or virtual appliances on-prem, which cuts down on the CAPEX cost. Like everyone else, they price the scrubbing based on your clean traffic levels. Price I have is circa $73,000 a year for 250mbit clean traffic and circa $94,000 a year for 500mbit clean traffic. Reasonably good value if you get attacked a lot - a very expensive insurance policy if not. Yearly pricing is broadly on par with Radware, Arbor and A10 (Verisign).<br>
<br>
------------------------------<br>
<br>
Message: 3<br>
Date: Tue, 4 Feb 2020 19:27:13 +0530<br>
From: "Kushal R." <<a href="mailto:kushal.r@h4g.co" target="_blank" rel="noreferrer">kushal.r@h4g.co</a>><br>
To: Colton Conor <<a href="mailto:colton.conor@gmail.com" target="_blank" rel="noreferrer">colton.conor@gmail.com</a>>, Javier Juan<br>
<<a href="mailto:javier.juan@gmail.com" target="_blank" rel="noreferrer">javier.juan@gmail.com</a>>, Phil Lavin <<a href="mailto:phil.lavin@cloudcall.com" target="_blank" rel="noreferrer">phil.lavin@cloudcall.com</a>><br>
Cc: NANOG <<a href="mailto:nanog@nanog.org" target="_blank" rel="noreferrer">nanog@nanog.org</a>><br>
Subject: RE: Recommended DDoS mitigation appliance?<br>
Message-ID: <8dfb7e0c-f61b-45eb-bd75-f93a3ec92277@Spark><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
If you are looking for remote scrubbing, I can high recommend DDoS-Guard (<a href="http://ddos-guard.com" rel="noreferrer noreferrer" target="_blank">ddos-guard.com</a>), they do not have any “limits” on the size or the number of attacks, the billing is simply based on the clean bandwidth. The highest they have mitigated for us is about 40G. You can either have it in an always on mode, with all incoming traffic coming via their 4 POPs (Los Angeles, Amsterdam, Hong Kong or Almaty) or you can use something like FastNetMon or DDoS-Guard’s own application that runs on any hardware and use eBGP to route the victim /24 over DDG’s network.<br>
<br>
--<br>
<br>
Kushal R. | Management<br>
Office: +1-8557374335 (Global) | +91-8080807931 (India)<br>
<br>
WhatsApp: +1-3104050010 (Global) | +91-9834801976 (India)<br>
<br>
<a href="http://host4geeks.com" rel="noreferrer noreferrer" target="_blank">host4geeks.com</a><br>
<a href="http://host4geeks.in" rel="noreferrer noreferrer" target="_blank">host4geeks.in</a><br>
<br>
<br>
<br>
On 4 Feb 2020, 7:22 PM +0530, Phil Lavin <<a href="mailto:phil.lavin@cloudcall.com" target="_blank" rel="noreferrer">phil.lavin@cloudcall.com</a>>, wrote:<br>
> > So is Imperva similar to how Kentik operates? What was it priced liked?<br>
><br>
> It is a nice model as you don't need additional hardware or virtual appliances on-prem, which cuts down on the CAPEX cost. Like everyone else, they price the scrubbing based on your clean traffic levels. Price I have is circa $73,000 a year for 250mbit clean traffic and circa $94,000 a year for 500mbit clean traffic. Reasonably good value if you get attacked a lot - a very expensive insurance policy if not. Yearly pricing is broadly on par with Radware, Arbor and A10 (Verisign).<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mailman.nanog.org/pipermail/nanog/attachments/20200204/021b4821/attachment-0001.html" rel="noreferrer noreferrer" target="_blank">http://mailman.nanog.org/pipermail/nanog/attachments/20200204/021b4821/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 4<br>
Date: Tue, 4 Feb 2020 08:04:30 -0600<br>
From: "J. Hellenthal" <<a href="mailto:jhellenthal@dataix.net" target="_blank" rel="noreferrer">jhellenthal@dataix.net</a>><br>
To: Javier Juan <<a href="mailto:javier.juan@gmail.com" target="_blank" rel="noreferrer">javier.juan@gmail.com</a>><br>
Cc: Rabbi Rob Thomas <<a href="mailto:robt@cymru.com" target="_blank" rel="noreferrer">robt@cymru.com</a>>, <a href="mailto:nanog@nanog.org" target="_blank" rel="noreferrer">nanog@nanog.org</a><br>
Subject: Re: Recommended DDoS mitigation appliance?<br>
Message-ID: <<a href="mailto:654D5FD3-7D9D-423A-B2A9-817CC443A54E@dataix.net" target="_blank" rel="noreferrer">654D5FD3-7D9D-423A-B2A9-817CC443A54E@dataix.net</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Hopefully you would be sending those flows out a different circuit than the one that’s going to get swamped with a DDoS otherwise... it might just take a while to mitigate that ;-) depending on the type obviously.<br>
<br>
-- <br>
J. Hellenthal<br>
<br>
The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.<br>
<br>
> On Feb 3, 2020, at 11:01, Javier Juan <<a href="mailto:javier.juan@gmail.com" target="_blank" rel="noreferrer">javier.juan@gmail.com</a>> wrote:<br>
> <br>
> <br>
> Hi !<br>
> <br>
> I was looking around (a couple years ago) for mitigation appliances (Riorey, Arbor, F5 and so on).... but the best and almost affordable solution I found was Incapsula/Imperva.<br>
> <a href="https://docs.imperva.com/bundle/cloud-application-security/page/introducing/network-ddos-monitoring.htm" rel="noreferrer noreferrer" target="_blank">https://docs.imperva.com/bundle/cloud-application-security/page/introducing/network-ddos-monitoring.htm</a> <br>
> <br>
> Basically, You send your flows to Imperva on cloud for analysis. As soon as they find DDoS attack , they activate mitigation. It´s some kind of elegant-hybrid solution without on-premise appliances . Just check it out :)<br>
> <br>
> Regards,<br>
> <br>
> JJ<br>
> <br>
> <br>
> <br>
>> On Sun, Nov 17, 2019 at 11:20 PM Rabbi Rob Thomas <<a href="mailto:robt@cymru.com" target="_blank" rel="noreferrer">robt@cymru.com</a>> wrote:<br>
>> -----BEGIN PGP SIGNED MESSAGE-----<br>
>> Hash: SHA256<br>
>> <br>
>> <br>
>> Hello, NANOG!<br>
>> <br>
>> I'm in the midst of rebuilding/upgrading our backbone and peering -<br>
>> sessions cheerfully accepted :) - and am curious what folks recommend<br>
>> in the DDoS mitigation appliance realm? Ideally it would be capable<br>
>> of 10Gbps and circa 14Mpps rate of mitigation. If you have a<br>
>> recommendation, I'd love to hear it and the reasons for it. If you<br>
>> have an alternative to an appliance that has worked well for you<br>
>> (we're a mix of Cisco and Juniper), I'm all ears.<br>
>> <br>
>> Private responses are fine, and I'm happy to summarize back to the<br>
>> list if there is interest.<br>
>> <br>
>> Thank you!<br>
>> Rob.<br>
>> - -- <br>
>> Rabbi Rob Thomas Team Cymru<br>
>> "It is easy to believe in freedom of speech for those with whom we<br>
>> agree." - Leo McKern<br>
>> -----BEGIN PGP SIGNATURE-----<br>
>> <br>
>> iQIzBAEBCAAdFiEEDcVjavXj08cL/QwdQ+hhYvqF8o0FAl3Rx08ACgkQQ+hhYvqF<br>
>> 8o0snw/8CxTOujcodNh/huMXZaUNlMNoNRz3IoPqBiAP9BZomMz9xqlpDW/qvWBF<br>
>> xhoJ07C0O0mo5ilNjnPR308uifIBu6ylw02PshOCU06dV0afgtndxGg5AoG9npUV<br>
>> 7uCi2afWaf22dq5TwKLut8QPNNQJTRzndX88xJw9MzzoBTemxRtM7ft4H3UhJ0hv<br>
>> oKo83FCNZQt36I+GZA9GBJeXM+o0f5h0w6fhRqARzttf6brJZdXgROyIQ7jptGuZ<br>
>> N3Yrjk/8RM4XKMnYbtIwl8NS3c0nEGN3ndn+Bz7p2FE7QJrZKonk/o03dvr2kU0Y<br>
>> 7gUQliOOzV9EsptVGyLCVyDJSElvXTBaps0giEVZhdmEIDJPWvBc+93j1g7xbmti<br>
>> 27lT6+5qBmEN0oKJWxXgtw9/n1yX9vsc7tXlgYDoXGhIlszdB3baRao1tYEp8BBQ<br>
>> hTGAULRfHe94tRzvOOQUQIuhzNcK1Q4E2jU6kzBB1wJsBD4zuHk+QIJLSHBmmnka<br>
>> VNKlQ+5zP8dmSMBp6k4feqAtt3hy0Bj+34FbdQZYPutIe3VXHEjpWI3jI9vKjhtC<br>
>> g7U/9CQIjVUl2APn1IllArpUpETBlNq7dSeJNUN/4Xh+eHglUnEn/m2kFG5mizmP<br>
>> d0YvLEVe0/+WzDUz+y3KxDVP5tdJT1VM46FHIgeiB4KrWNGRPUo=<br>
>> =uuel<br>
>> -----END PGP SIGNATURE-----<br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mailman.nanog.org/pipermail/nanog/attachments/20200204/a0d80487/attachment-0001.html" rel="noreferrer noreferrer" target="_blank">http://mailman.nanog.org/pipermail/nanog/attachments/20200204/a0d80487/attachment-0001.html</a>><br>
-------------- next part --------------<br>
A non-text attachment was scrubbed...<br>
Name: smime.p7s<br>
Type: application/pkcs7-signature<br>
Size: 3944 bytes<br>
Desc: not available<br>
URL: <<a href="http://mailman.nanog.org/pipermail/nanog/attachments/20200204/a0d80487/attachment-0001.bin" rel="noreferrer noreferrer" target="_blank">http://mailman.nanog.org/pipermail/nanog/attachments/20200204/a0d80487/attachment-0001.bin</a>><br>
<br>
------------------------------<br>
<br>
Message: 5<br>
Date: Tue, 4 Feb 2020 08:25:21 -0600<br>
From: Colton Conor <<a href="mailto:colton.conor@gmail.com" target="_blank" rel="noreferrer">colton.conor@gmail.com</a>><br>
To: Phil Lavin <<a href="mailto:phil.lavin@cloudcall.com" target="_blank" rel="noreferrer">phil.lavin@cloudcall.com</a>><br>
Cc: Javier Juan <<a href="mailto:javier.juan@gmail.com" target="_blank" rel="noreferrer">javier.juan@gmail.com</a>>, NANOG <<a href="mailto:nanog@nanog.org" target="_blank" rel="noreferrer">nanog@nanog.org</a>><br>
Subject: Re: Recommended DDoS mitigation appliance?<br>
Message-ID:<br>
<<a href="mailto:CAMDdSzONkYYT4AeMGLm7iOHYPhZbB7NKbU_rSR%2BY6_GAbAN%2Bsw@mail.gmail.com" target="_blank" rel="noreferrer">CAMDdSzONkYYT4AeMGLm7iOHYPhZbB7NKbU_rSR+Y6_GAbAN+sw@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
Phil,<br>
<br>
This sounds like a different model to me. Kentik I think averages out<br>
around $500 per 10G per month. Kentik doesn't do any scrubbing however.<br>
Does anyone have guide to DDoS services? Seems like there is a wide array<br>
of pricing and technology options.<br>
<br>
On Tue, Feb 4, 2020 at 7:50 AM Phil Lavin <<a href="mailto:phil.lavin@cloudcall.com" target="_blank" rel="noreferrer">phil.lavin@cloudcall.com</a>> wrote:<br>
<br>
> > So is Imperva similar to how Kentik operates? What was it priced liked?<br>
><br>
> It is a nice model as you don't need additional hardware or virtual<br>
> appliances on-prem, which cuts down on the CAPEX cost. Like everyone else,<br>
> they price the scrubbing based on your clean traffic levels. Price I have<br>
> is circa $73,000 a year for 250mbit clean traffic and circa $94,000 a year<br>
> for 500mbit clean traffic. Reasonably good value if you get attacked a lot<br>
> - a very expensive insurance policy if not. Yearly pricing is broadly on<br>
> par with Radware, Arbor and A10 (Verisign).<br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mailman.nanog.org/pipermail/nanog/attachments/20200204/64450404/attachment-0001.html" rel="noreferrer noreferrer" target="_blank">http://mailman.nanog.org/pipermail/nanog/attachments/20200204/64450404/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 6<br>
Date: Tue, 4 Feb 2020 14:27:33 +0000<br>
From: Phil Lavin <<a href="mailto:phil.lavin@cloudcall.com" target="_blank" rel="noreferrer">phil.lavin@cloudcall.com</a>><br>
To: Colton Conor <<a href="mailto:colton.conor@gmail.com" target="_blank" rel="noreferrer">colton.conor@gmail.com</a>><br>
Cc: Javier Juan <<a href="mailto:javier.juan@gmail.com" target="_blank" rel="noreferrer">javier.juan@gmail.com</a>>, NANOG <<a href="mailto:nanog@nanog.org" target="_blank" rel="noreferrer">nanog@nanog.org</a>><br>
Subject: RE: Recommended DDoS mitigation appliance?<br>
Message-ID:<br>
<<a href="mailto:DB6PR0301MB2533333514B0C540168E7B6189030@DB6PR0301MB2533.eurprd03.prod.outlook.com" target="_blank" rel="noreferrer">DB6PR0301MB2533333514B0C540168E7B6189030@DB6PR0301MB2533.eurprd03.prod.outlook.com</a>><br>
<br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
> This sounds like a different model to me. Kentik I think averages out around $500 per 10G per month<br>
<br>
I was talking about Imperva<br>
<br>
------------------------------<br>
<br>
Message: 7<br>
Date: Mon, 3 Feb 2020 13:39:10 -0600<br>
From: Daryl <lists@soldmydata.online><br>
To: <a href="mailto:nanog@nanog.org" target="_blank" rel="noreferrer">nanog@nanog.org</a><br>
Subject: Re: Jenkins amplification<br>
Message-ID: <20200203133910.2dfb5f5c@mail><br>
Content-Type: text/plain; charset=US-ASCII<br>
<br>
On Mon, 3 Feb 2020 10:55:35 -0800 (PST)<br>
Sabri Berisha <<a href="mailto:sabri@cluecentral.net" target="_blank" rel="noreferrer">sabri@cluecentral.net</a>> wrote:<br>
<br>
> ----- On Feb 3, 2020, at 10:35 AM, Christopher Morrow<br>
> <a href="mailto:morrowc.lists@gmail.com" target="_blank" rel="noreferrer">morrowc.lists@gmail.com</a> wrote:<br>
> <br>
> > On Mon, Feb 3, 2020 at 1:26 PM William Herrin <<a href="mailto:bill@herrin.us" target="_blank" rel="noreferrer">bill@herrin.us</a>><br>
> > wrote: <br>
> <br>
> >> VPN. <br>
> > <br>
> > I love it when my home network gets full access to the corporate<br>
> > network! <br>
> <br>
> Most places I've worked at issue company controlled laptops with<br>
> company controlled VPN software which will disable all local access<br>
> and even disconnect if you dare to manually change the routing table<br>
> to access the printer in your home office.<br>
> <br>
> In fact, a too tightly controlled VPN contributed to a 7 figure loss<br>
> during an outage at a company which name shall not be mentioned.<br>
> <br>
> Your home network should have no access to the corp network. Your<br>
> company issued laptop should.<br>
> <br>
> Thanks,<br>
> <br>
> Sabri<br>
<br>
That's how our company operates. I went a step further and put all<br>
company issued equipment on it's own vlan at home.<br>
<br>
<br>
------------------------------<br>
<br>
Message: 8<br>
Date: Tue, 4 Feb 2020 16:12:45 +0000<br>
From: Mike Meredith <<a href="mailto:mike.meredith@port.ac.uk" target="_blank" rel="noreferrer">mike.meredith@port.ac.uk</a>><br>
To: <a href="mailto:nanog@nanog.org" target="_blank" rel="noreferrer">nanog@nanog.org</a><br>
Subject: Re: Jenkins amplification<br>
Message-ID: <<a href="mailto:20200204161245.10aac79f@scrofula.eps.is.port.ac.uk" target="_blank" rel="noreferrer">20200204161245.10aac79f@scrofula.eps.is.port.ac.uk</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow<br>
<<a href="mailto:morrowc.lists@gmail.com" target="_blank" rel="noreferrer">morrowc.lists@gmail.com</a>> may have written:<br>
> My experience, and granted it's fairly scoped, is that this sort of thing<br>
> works fine for a relatively small set of 'persons' and 'resources'.<br>
<br>
Seeing as managing this sort of thing is my primary job these days ...<br>
<br>
> it ends up being about the cross-product of #users * #resources.<br>
<br>
That's the interesting part of the job - coalescing rules in a way that<br>
minimises the security impact but maximises the decrease of complexity. If<br>
you don't, you get an explosion of complexity that results in a set of<br>
rules (I know of an equivalent organisation that has over 1,000 firewall<br>
rules) that becomes insanely complex to manage. <br>
<br>
> certainly a more holistic version of the story is correct.<br>
> the relatively flippant answer way-back-up-list of: "vpn"<br>
<br>
I think that "vpn" is the right answer - it's preferrable to publishing<br>
services to the entire world that only need to be used by empoyees. But<br>
it's not cheap or easy. <br>
<br>
-- <br>
Mike Meredith, University of Portsmouth<br>
Hostmaster, Security, and Chief Systems Engineer<br>
<br>
-------------- next part --------------<br>
A non-text attachment was scrubbed...<br>
Name: not available<br>
Type: application/pgp-signature<br>
Size: 488 bytes<br>
Desc: OpenPGP digital signature<br>
URL: <<a href="http://mailman.nanog.org/pipermail/nanog/attachments/20200204/51fff1b7/attachment-0001.sig" rel="noreferrer noreferrer" target="_blank">http://mailman.nanog.org/pipermail/nanog/attachments/20200204/51fff1b7/attachment-0001.sig</a>><br>
<br>
------------------------------<br>
<br>
Message: 9<br>
Date: Tue, 04 Feb 2020 11:59:13 -0500<br>
From: Andrey Kostin <<a href="mailto:ankost@podolsk.ru" target="_blank" rel="noreferrer">ankost@podolsk.ru</a>><br>
To: "Mankamana Mishra (mankamis)" <<a href="mailto:mankamis@cisco.com" target="_blank" rel="noreferrer">mankamis@cisco.com</a>><br>
Cc: <a href="mailto:nanog@nanog.org" target="_blank" rel="noreferrer">nanog@nanog.org</a><br>
Subject: Re: EVPN multicast route (multi home case ) implementation /<br>
deployment information<br>
Message-ID: <<a href="mailto:af953fad372932f55b167921bd415962@podolsk.ru" target="_blank" rel="noreferrer">af953fad372932f55b167921bd415962@podolsk.ru</a>><br>
Content-Type: text/plain; charset=UTF-8; format=flowed<br>
<br>
Hi Mankamana,<br>
<br>
For Juniper:<br>
<br>
Starting in Junos OS 18.4R1, devices with IGMP snooping enabled use <br>
selective multicast forwarding in a centrally routed EVPN-VXLAN network <br>
to replicate and forward multicast traffic. As before, IGMP snooping <br>
allows the leaf device to send multicast traffic only to the access <br>
interface with an interested receiver. But now, when IGMP snooping is <br>
enabled, the leaf device selectively sends multicast traffic to only the <br>
leaf devices in the core that have expressed an interest in that <br>
multicast group. In selective multicast forwarding, leaf devices always <br>
send multicast traffic to the spine device so that it can route <br>
inter-VLAN multicast traffic through its IRB interface.<br>
<br>
<a href="https://www.juniper.net/documentation/en_US/junos/topics/concept/evpn-selective-multicast-forwarding.html" rel="noreferrer noreferrer" target="_blank">https://www.juniper.net/documentation/en_US/junos/topics/concept/evpn-selective-multicast-forwarding.html</a><br>
<br>
Kind regards,<br>
Andrey<br>
<br>
Mankamana Mishra (mankamis) via NANOG писал 2020-02-03 18:34:<br>
> Folks<br>
> <br>
> Wondering if there is any known implementation of EVPN multihome<br>
> multicast routes which are defined in<br>
> <br>
> <a href="https://tools.ietf.org/html/draft-ietf-bess-evpn-igmp-mld-proxy-04" rel="noreferrer noreferrer" target="_blank">https://tools.ietf.org/html/draft-ietf-bess-evpn-igmp-mld-proxy-04</a><br>
> <br>
> there is some change planned in NLRI , we want to make sure to have<br>
> solution which does work well with existing implementation.<br>
> <br>
> NOTE: Discussion INVOLVES NOKIA, JUNIPER, CISCO, ARISTA ALREADY. SO<br>
> LOOKING FOR ANY OTHER VENDOR WHO HAVE IMPLEMENTATION.<br>
> <br>
> Mankamana<br>
<br>
<br>
<br>
------------------------------<br>
<br>
Message: 10<br>
Date: Tue, 4 Feb 2020 12:10:00 -0500<br>
From: Jason Lixfeld <<a href="mailto:jason%2Bnanog@lixfeld.ca" target="_blank" rel="noreferrer">jason+nanog@lixfeld.ca</a>><br>
To: NANOG mailing list <<a href="mailto:nanog@nanog.org" target="_blank" rel="noreferrer">nanog@nanog.org</a>><br>
Subject: WTR: 1-2RU @ Equinix Ashburn<br>
Message-ID: <<a href="mailto:7BC7D4A3-5691-45D8-9C27-D8A21CD0BDB4@lixfeld.ca" target="_blank" rel="noreferrer">7BC7D4A3-5691-45D8-9C27-D8A21CD0BDB4@lixfeld.ca</a>><br>
Content-Type: text/plain; charset=utf-8<br>
<br>
Hi,<br>
<br>
I’m wondering if anyone is looking to subsidize their Equinix Ashburn colo costs by way of carving out 1-2 RU to a friendly for a low density networking application. If so, I’d love to hear from you!<br>
<br>
Thanks in advance!<br>
<br>
------------------------------<br>
<br>
Message: 11<br>
Date: Tue, 4 Feb 2020 13:04:19 -0500<br>
From: Joseph Severini <<a href="mailto:jseverin@andrew.cmu.edu" target="_blank" rel="noreferrer">jseverin@andrew.cmu.edu</a>><br>
To: <a href="mailto:nanog@nanog.org" target="_blank" rel="noreferrer">nanog@nanog.org</a><br>
Subject: Help with survey on enterprise network challenges?<br>
Message-ID:<br>
<CAGBamiMrvAk599A0_fAW=<a href="mailto:sdmxjOHR8MVe9j9yXmHq%2Br52PjZGQ@mail.gmail.com" target="_blank" rel="noreferrer">sdmxjOHR8MVe9j9yXmHq+r52PjZGQ@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="UTF-8"<br>
<br>
Hi,<br>
<br>
My name is Joseph Severini, and I am a PhD student in the Computer<br>
Science Department at Carnegie Mellon University.<br>
<br>
I’m working on a research project to identify common operational<br>
challenges in modern enterprise computer networks. I’ve put together a<br>
survey to identify these challenges by analyzing some operational<br>
problems found in the Network Engineering Stack Exchange open-source<br>
dataset. You’ll be given a problem from the dataset and asked some<br>
questions about it.<br>
<br>
I would appreciate it if you would consider taking this survey, which<br>
can be found at the link below:<br>
<br>
<a href="http://cmu.ca1.qualtrics.com/jfe/form/SV_dm6i9znuPWlLDN3" rel="noreferrer noreferrer" target="_blank">http://cmu.ca1.qualtrics.com/jfe/form/SV_dm6i9znuPWlLDN3</a><br>
<br>
The survey should take ~15 minutes. Participation is voluntary, with<br>
no compensation, and all responses are anonymous. You must be at least<br>
18 years old to complete the survey.<br>
<br>
Thanks,<br>
Joseph Severini<br>
<br>
PhD Student<br>
CMU Computer Science Department<br>
<br>
<br>
------------------------------<br>
<br>
Message: 12<br>
Date: Tue, 4 Feb 2020 15:59:37 -0500<br>
From: Christopher Morrow <<a href="mailto:morrowc.lists@gmail.com" target="_blank" rel="noreferrer">morrowc.lists@gmail.com</a>><br>
To: Mike Meredith <<a href="mailto:mike.meredith@port.ac.uk" target="_blank" rel="noreferrer">mike.meredith@port.ac.uk</a>><br>
Cc: nanog list <<a href="mailto:nanog@nanog.org" target="_blank" rel="noreferrer">nanog@nanog.org</a>><br>
Subject: Re: Jenkins amplification<br>
Message-ID:<br>
<CAL9jLaaiiLsOqShddYcdn_HYO0aeY+skF+XDefK3Uhvm+=<a href="mailto:A6cw@mail.gmail.com" target="_blank" rel="noreferrer">A6cw@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="UTF-8"<br>
<br>
On Tue, Feb 4, 2020 at 11:15 AM Mike Meredith <<a href="mailto:mike.meredith@port.ac.uk" target="_blank" rel="noreferrer">mike.meredith@port.ac.uk</a>> wrote:<br>
><br>
> On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow<br>
> <<a href="mailto:morrowc.lists@gmail.com" target="_blank" rel="noreferrer">morrowc.lists@gmail.com</a>> may have written:<br>
> > My experience, and granted it's fairly scoped, is that this sort of thing<br>
> > works fine for a relatively small set of 'persons' and 'resources'.<br>
><br>
> Seeing as managing this sort of thing is my primary job these days ...<br>
<br>
<beer, you probably deserve one> :)<br>
<br>
> > it ends up being about the cross-product of #users * #resources.<br>
><br>
> That's the interesting part of the job - coalescing rules in a way that<br>
> minimises the security impact but maximises the decrease of complexity. If<br>
> you don't, you get an explosion of complexity that results in a set of<br>
> rules (I know of an equivalent organisation that has over 1,000 firewall<br>
> rules) that becomes insanely complex to manage.<br>
><br>
<br>
I think the fact that it's hard to keep all of this going and to<br>
contain the natural spread of destruction (that it takes someone with<br>
a pretty singular foc us) makes my point.<br>
<br>
> > certainly a more holistic version of the story is correct.<br>
> > the relatively flippant answer way-back-up-list of: "vpn"<br>
><br>
> I think that "vpn" is the right answer - it's preferrable to publishing<br>
> services to the entire world that only need to be used by empoyees. But<br>
> it's not cheap or easy.<br>
<br>
Weighing the cost/benefit is certainly each org's decision.<br>
having lived without vpn for a long while and under the regime of<br>
authen/author for users with proper token/etc access... I'd not want<br>
my internal network opened to the wilds of vpn users :( (I actively<br>
discourage this at work because there are vanishingly small reasons<br>
why a full network connection is really required by a user at this<br>
point).<br>
<br>
anyway, good luck!<br>
<br>
<br>
------------------------------<br>
<br>
Message: 13<br>
Date: Wed, 5 Feb 2020 10:56:51 +0100<br>
From: Cynthia Revström <<a href="mailto:me@cynthia.re" target="_blank" rel="noreferrer">me@cynthia.re</a>><br>
To: <a href="mailto:christopher@ve7alb.ca" target="_blank" rel="noreferrer">christopher@ve7alb.ca</a><br>
Cc: NANOG list <<a href="mailto:nanog@nanog.org" target="_blank" rel="noreferrer">nanog@nanog.org</a>><br>
Subject: Re: Has Anyone managed to get Delegated RPKI working with<br>
ARIN<br>
Message-ID:<br>
<<a href="mailto:CAKw1M3PQTvB6zyJkn5eMdByJTSqXX4seUYFBduf-jQnLWSMJFw@mail.gmail.com" target="_blank" rel="noreferrer">CAKw1M3PQTvB6zyJkn5eMdByJTSqXX4seUYFBduf-jQnLWSMJFw@mail.gmail.com</a>><br>
Content-Type: text/plain; charset="utf-8"<br>
<br>
(Re-sent as I forgot to include the ML the first time, oops)<br>
Hi Chris,<br>
<br>
I recently figured it out and posted it on the NLNetLabs RPKI mailing list.<br>
<a href="https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html" rel="noreferrer noreferrer" target="_blank">https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html</a><br>
I hope it helps :)<br>
<br>
- Cynthia<br>
<br>
On Wed, Jan 29, 2020 at 6:31 PM Christopher Munz-Michielin <<br>
<a href="mailto:christopher@ve7alb.ca" target="_blank" rel="noreferrer">christopher@ve7alb.ca</a>> wrote:<br>
<br>
> Hi Nanog,<br>
><br>
> Posting here since my Google-fu is coming up short. I'm trying to setup<br>
> delegated RPKI in ARIN using <a href="http://rpki.net" rel="noreferrer noreferrer" target="_blank">rpki.net</a>'s rpkid Python daemon and am<br>
> running into an issue submitting the identity file to ARIN's control panel.<br>
> The same file submitted to RIPE's test environment at<br>
> <a href="https://localcert.ripe.net/#/rpki" rel="noreferrer noreferrer" target="_blank">https://localcert.ripe.net/#/rpki</a> works without issue, while submitting<br>
> to ARIN results in "Invalid Identity.xml file."<br>
><br>
> The guide I'm following is this one:<br>
> <a href="https://github.com/dragonresearch/rpki.net/blob/master/doc/quickstart/xenial-ca.md" rel="noreferrer noreferrer" target="_blank">https://github.com/dragonresearch/rpki.net/blob/master/doc/quickstart/xenial-ca.md</a><br>
> and I'm able to get as far as generating the identity file.<br>
><br>
> Wondering if anyone has gone down this road before and has any helpful<br>
> hints to make this work?<br>
><br>
> Cheers,<br>
> Chris<br>
><br>
-------------- next part --------------<br>
An HTML attachment was scrubbed...<br>
URL: <<a href="http://mailman.nanog.org/pipermail/nanog/attachments/20200205/49b8cf46/attachment-0001.html" rel="noreferrer noreferrer" target="_blank">http://mailman.nanog.org/pipermail/nanog/attachments/20200205/49b8cf46/attachment-0001.html</a>><br>
<br>
------------------------------<br>
<br>
Message: 14<br>
Date: Wed, 05 Feb 2020 02:52:08 -0800<br>
From: Randy Bush <<a href="mailto:randy@psg.com" target="_blank" rel="noreferrer">randy@psg.com</a>><br>
To: "Cynthia Revström" <<a href="mailto:me@cynthia.re" target="_blank" rel="noreferrer">me@cynthia.re</a>><br>
Cc: <a href="mailto:christopher@ve7alb.ca" target="_blank" rel="noreferrer">christopher@ve7alb.ca</a>, NANOG list <<a href="mailto:nanog@nanog.org" target="_blank" rel="noreferrer">nanog@nanog.org</a>><br>
Subject: Re: Has Anyone managed to get Delegated RPKI working with<br>
ARIN<br>
Message-ID: <<a href="mailto:m2o8ud71d3.wl-randy@psg.com" target="_blank" rel="noreferrer">m2o8ud71d3.wl-randy@psg.com</a>><br>
Content-Type: text/plain; charset=US-ASCII<br>
<br>
> I recently figured it out and posted it on the NLNetLabs RPKI mailing list.<br>
> <a href="https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html" rel="noreferrer noreferrer" target="_blank">https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html</a><br>
<br>
nice. thank you.<br>
<br>
randy<br>
<br>
<br>
End of NANOG Digest, Vol 145, Issue 5<br>
*************************************<br>
</blockquote></div>