Re: NANOG Digest, Vol 145, Issue 5

[Chris Orsman <chris () ctl-alt-del net>]

Hi,

First submission so be nice :-)

Ex. CenturyLink'er here so happy to share my knowledge of their network
based solution if anyone is interested.

Cheers

Chris

On Wed, 5 Feb 2020, 12:00 , <nanog-request () nanog org> wrote:

> Send NANOG mailing list submissions to
>         nanog () nanog org
>
> To subscribe or unsubscribe via the World Wide Web, visit
>         https://mailman.nanog.org/mailman/listinfo/nanog
> or, via email, send a message with subject or body 'help' to
>         nanog-request () nanog org
>
> You can reach the person managing the list at
>         nanog-owner () nanog org
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of NANOG digest..."
>
>
> Today's Topics:
>
>    1. Re: Recommended DDoS mitigation appliance? (Colton Conor)
>    2. RE: Recommended DDoS mitigation appliance? (Phil Lavin)
>    3. RE: Recommended DDoS mitigation appliance? (Kushal R.)
>    4. Re: Recommended DDoS mitigation appliance? (J. Hellenthal)
>    5. Re: Recommended DDoS mitigation appliance? (Colton Conor)
>    6. RE: Recommended DDoS mitigation appliance? (Phil Lavin)
>    7. Re: Jenkins amplification (Daryl)
>    8. Re: Jenkins amplification (Mike Meredith)
>    9. Re: EVPN multicast route (multi home case ) implementation /
>       deployment information (Andrey Kostin)
>   10. WTR: 1-2RU @ Equinix Ashburn (Jason Lixfeld)
>   11. Help with survey on enterprise network challenges?
>       (Joseph Severini)
>   12. Re: Jenkins amplification (Christopher Morrow)
>   13. Re: Has Anyone managed to get Delegated RPKI working with
>       ARIN (Cynthia Revström)
>   14. Re: Has Anyone managed to get Delegated RPKI working with
>       ARIN (Randy Bush)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Tue, 4 Feb 2020 07:40:18 -0600
> From: Colton Conor <colton.conor () gmail com>
> To: Javier Juan <javier.juan () gmail com>
> Cc: Rabbi Rob Thomas <robt () cymru com>, NANOG <nanog () nanog org>
> Subject: Re: Recommended DDoS mitigation appliance?
> Message-ID:
>         <
> CAMDdSzN0vhwK70Gd0EnNPRvP9QAfqoXZ_GUZiaVtgzcWgwN_GQ () mail gmail com>
> Content-Type: text/plain; charset="utf-8"
>
> Javier,
>
> So is Imperva similar to how Kentik operates? What was it priced liked?  I
> like the Kentik solution, but their per router per month pricing is too
> expensive even for a small network.
>
> On Mon, Feb 3, 2020 at 11:01 AM Javier Juan <javier.juan () gmail com> wrote:
>
> > Hi !
> >
> > I was looking around (a couple years ago) for mitigation appliances
> > (Riorey, Arbor, F5 and so on).... but the best and almost affordable
> > solution I found was Incapsula/Imperva.
> https://docs.imperva.com/bundle/cloud-application-security/page/introducing/network-ddos-monitoring.htm
> > Basically, You send your flows to Imperva on cloud for analysis. As soon
> > as they find DDoS attack , they activate mitigation. It´s some kind of
> > elegant-hybrid solution without on-premise appliances . Just check it
> out :)
> > Regards,
> >
> > JJ
> >
> >
> >
> > On Sun, Nov 17, 2019 at 11:20 PM Rabbi Rob Thomas <robt () cymru com>
> wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA256
> > >
> > >
> > > Hello, NANOG!
> > >
> > > I'm in the midst of rebuilding/upgrading our backbone and peering -
> > > sessions cheerfully accepted :) - and am curious what folks recommend
> > > in the DDoS mitigation appliance realm?  Ideally it would be capable
> > > of 10Gbps and circa 14Mpps rate of mitigation.  If you have a
> > > recommendation, I'd love to hear it and the reasons for it.  If you
> > > have an alternative to an appliance that has worked well for you
> > > (we're a mix of Cisco and Juniper), I'm all ears.
> > >
> > > Private responses are fine, and I'm happy to summarize back to the
> > > list if there is interest.
> > >
> > > Thank you!
> > > Rob.
> > > - --
> > > Rabbi Rob Thomas                                           Team Cymru
> > >    "It is easy to believe in freedom of speech for those with whom we
> > >     agree." - Leo McKern
> > > -----BEGIN PGP SIGNATURE-----
> > >
> > > iQIzBAEBCAAdFiEEDcVjavXj08cL/QwdQ+hhYvqF8o0FAl3Rx08ACgkQQ+hhYvqF
> > > 8o0snw/8CxTOujcodNh/huMXZaUNlMNoNRz3IoPqBiAP9BZomMz9xqlpDW/qvWBF
> > > xhoJ07C0O0mo5ilNjnPR308uifIBu6ylw02PshOCU06dV0afgtndxGg5AoG9npUV
> > > 7uCi2afWaf22dq5TwKLut8QPNNQJTRzndX88xJw9MzzoBTemxRtM7ft4H3UhJ0hv
> > > oKo83FCNZQt36I+GZA9GBJeXM+o0f5h0w6fhRqARzttf6brJZdXgROyIQ7jptGuZ
> > > N3Yrjk/8RM4XKMnYbtIwl8NS3c0nEGN3ndn+Bz7p2FE7QJrZKonk/o03dvr2kU0Y
> > > 7gUQliOOzV9EsptVGyLCVyDJSElvXTBaps0giEVZhdmEIDJPWvBc+93j1g7xbmti
> > > 27lT6+5qBmEN0oKJWxXgtw9/n1yX9vsc7tXlgYDoXGhIlszdB3baRao1tYEp8BBQ
> > > hTGAULRfHe94tRzvOOQUQIuhzNcK1Q4E2jU6kzBB1wJsBD4zuHk+QIJLSHBmmnka
> > > VNKlQ+5zP8dmSMBp6k4feqAtt3hy0Bj+34FbdQZYPutIe3VXHEjpWI3jI9vKjhtC
> > > g7U/9CQIjVUl2APn1IllArpUpETBlNq7dSeJNUN/4Xh+eHglUnEn/m2kFG5mizmP
> > > d0YvLEVe0/+WzDUz+y3KxDVP5tdJT1VM46FHIgeiB4KrWNGRPUo=
> > > =uuel
> > > -----END PGP SIGNATURE-----
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://mailman.nanog.org/pipermail/nanog/attachments/20200204/f146a39e/attachment-0001.html
> >
>
> ------------------------------
>
> Message: 2
> Date: Tue, 4 Feb 2020 13:50:07 +0000
> From: Phil Lavin <phil.lavin () cloudcall com>
> To: Colton Conor <colton.conor () gmail com>, Javier Juan
>         <javier.juan () gmail com>
> Cc: NANOG <nanog () nanog org>
> Subject: RE: Recommended DDoS mitigation appliance?
> Message-ID:
>         <
> DB6PR0301MB2533F880B73AEE1AA43C483089030 () DB6PR0301MB2533 eurprd03 prod outlook com
> >
>
> Content-Type: text/plain; charset="utf-8"
>
> > So is Imperva similar to how Kentik operates? What was it priced liked?
>
> It is a nice model as you don't need additional hardware or virtual
> appliances on-prem, which cuts down on the CAPEX cost. Like everyone else,
> they price the scrubbing based on your clean traffic levels. Price I have
> is circa $73,000 a year for 250mbit clean traffic and circa $94,000 a year
> for 500mbit clean traffic. Reasonably good value if you get attacked a lot
> - a very expensive insurance policy if not. Yearly pricing is broadly on
> par with Radware, Arbor and A10 (Verisign).
>
> ------------------------------
>
> Message: 3
> Date: Tue, 4 Feb 2020 19:27:13 +0530
> From: "Kushal R." <kushal.r () h4g co>
> To: Colton Conor <colton.conor () gmail com>, Javier Juan
>         <javier.juan () gmail com>, Phil Lavin <phil.lavin () cloudcall com>
> Cc: NANOG <nanog () nanog org>
> Subject: RE: Recommended DDoS mitigation appliance?
> Message-ID: <8dfb7e0c-f61b-45eb-bd75-f93a3ec92277@Spark>
> Content-Type: text/plain; charset="utf-8"
>
> If you are looking for remote scrubbing, I can high recommend DDoS-Guard (
> ddos-guard.com), they do not have any “limits” on the size or the number
> of attacks, the billing is simply based on the clean bandwidth. The highest
> they have mitigated for us is about 40G. You can either have it in an
> always on mode, with all incoming traffic coming via their 4 POPs (Los
> Angeles, Amsterdam, Hong Kong or Almaty) or you can use something like
> FastNetMon or DDoS-Guard’s own application that runs on any hardware and
> use eBGP to route the victim /24 over DDG’s network.
>
> --
>
> Kushal R. | Management
> Office: +1-8557374335 (Global) | +91-8080807931 (India)
>
> WhatsApp: +1-3104050010 (Global) | +91-9834801976 (India)
>
> host4geeks.com
> host4geeks.in
>
>
>
> On 4 Feb 2020, 7:22 PM +0530, Phil Lavin <phil.lavin () cloudcall com>,
> wrote:
> > > So is Imperva similar to how Kentik operates? What was it priced liked?
> >
> > It is a nice model as you don't need additional hardware or virtual
> appliances on-prem, which cuts down on the CAPEX cost. Like everyone else,
> they price the scrubbing based on your clean traffic levels. Price I have
> is circa $73,000 a year for 250mbit clean traffic and circa $94,000 a year
> for 500mbit clean traffic. Reasonably good value if you get attacked a lot
> - a very expensive insurance policy if not. Yearly pricing is broadly on
> par with Radware, Arbor and A10 (Verisign).
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://mailman.nanog.org/pipermail/nanog/attachments/20200204/021b4821/attachment-0001.html
> >
>
> ------------------------------
>
> Message: 4
> Date: Tue, 4 Feb 2020 08:04:30 -0600
> From: "J. Hellenthal" <jhellenthal () dataix net>
> To: Javier Juan <javier.juan () gmail com>
> Cc: Rabbi Rob Thomas <robt () cymru com>, nanog () nanog org
> Subject: Re: Recommended DDoS mitigation appliance?
> Message-ID: <654D5FD3-7D9D-423A-B2A9-817CC443A54E () dataix net>
> Content-Type: text/plain; charset="utf-8"
>
> Hopefully you would be sending those flows out a different circuit than
> the one that’s going to get swamped with a DDoS otherwise... it might just
> take a while to mitigate that ;-) depending on the type obviously.
>
> --
>  J. Hellenthal
>
> The fact that there's a highway to Hell but only a stairway to Heaven says
> a lot about anticipated traffic volume.
>
> > On Feb 3, 2020, at 11:01, Javier Juan <javier.juan () gmail com> wrote:
> >
> > 
> > Hi !
> >
> > I was looking around (a couple years ago) for mitigation appliances
> (Riorey, Arbor, F5 and so on).... but the best and almost affordable
> solution I found was Incapsula/Imperva.
> >
> https://docs.imperva.com/bundle/cloud-application-security/page/introducing/network-ddos-monitoring.htm
> > Basically, You send your flows to Imperva on cloud for analysis. As soon
> as they find DDoS attack , they activate mitigation. It´s some kind of
> elegant-hybrid solution without on-premise appliances . Just check it out :)
> > Regards,
> >
> > JJ
> >
> >
> >
> > > On Sun, Nov 17, 2019 at 11:20 PM Rabbi Rob Thomas <robt () cymru com>
> wrote:
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA256
> > >
> > >
> > > Hello, NANOG!
> > >
> > > I'm in the midst of rebuilding/upgrading our backbone and peering -
> > > sessions cheerfully accepted :) - and am curious what folks recommend
> > > in the DDoS mitigation appliance realm?  Ideally it would be capable
> > > of 10Gbps and circa 14Mpps rate of mitigation.  If you have a
> > > recommendation, I'd love to hear it and the reasons for it.  If you
> > > have an alternative to an appliance that has worked well for you
> > > (we're a mix of Cisco and Juniper), I'm all ears.
> > >
> > > Private responses are fine, and I'm happy to summarize back to the
> > > list if there is interest.
> > >
> > > Thank you!
> > > Rob.
> > > - --
> > > Rabbi Rob Thomas                                           Team Cymru
> > >    "It is easy to believe in freedom of speech for those with whom we
> > >     agree." - Leo McKern
> > > -----BEGIN PGP SIGNATURE-----
> > >
> > > iQIzBAEBCAAdFiEEDcVjavXj08cL/QwdQ+hhYvqF8o0FAl3Rx08ACgkQQ+hhYvqF
> > > 8o0snw/8CxTOujcodNh/huMXZaUNlMNoNRz3IoPqBiAP9BZomMz9xqlpDW/qvWBF
> > > xhoJ07C0O0mo5ilNjnPR308uifIBu6ylw02PshOCU06dV0afgtndxGg5AoG9npUV
> > > 7uCi2afWaf22dq5TwKLut8QPNNQJTRzndX88xJw9MzzoBTemxRtM7ft4H3UhJ0hv
> > > oKo83FCNZQt36I+GZA9GBJeXM+o0f5h0w6fhRqARzttf6brJZdXgROyIQ7jptGuZ
> > > N3Yrjk/8RM4XKMnYbtIwl8NS3c0nEGN3ndn+Bz7p2FE7QJrZKonk/o03dvr2kU0Y
> > > 7gUQliOOzV9EsptVGyLCVyDJSElvXTBaps0giEVZhdmEIDJPWvBc+93j1g7xbmti
> > > 27lT6+5qBmEN0oKJWxXgtw9/n1yX9vsc7tXlgYDoXGhIlszdB3baRao1tYEp8BBQ
> > > hTGAULRfHe94tRzvOOQUQIuhzNcK1Q4E2jU6kzBB1wJsBD4zuHk+QIJLSHBmmnka
> > > VNKlQ+5zP8dmSMBp6k4feqAtt3hy0Bj+34FbdQZYPutIe3VXHEjpWI3jI9vKjhtC
> > > g7U/9CQIjVUl2APn1IllArpUpETBlNq7dSeJNUN/4Xh+eHglUnEn/m2kFG5mizmP
> > > d0YvLEVe0/+WzDUz+y3KxDVP5tdJT1VM46FHIgeiB4KrWNGRPUo=
> > > =uuel
> > > -----END PGP SIGNATURE-----
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://mailman.nanog.org/pipermail/nanog/attachments/20200204/a0d80487/attachment-0001.html
> >
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: smime.p7s
> Type: application/pkcs7-signature
> Size: 3944 bytes
> Desc: not available
> URL: <
> http://mailman.nanog.org/pipermail/nanog/attachments/20200204/a0d80487/attachment-0001.bin
> >
>
> ------------------------------
>
> Message: 5
> Date: Tue, 4 Feb 2020 08:25:21 -0600
> From: Colton Conor <colton.conor () gmail com>
> To: Phil Lavin <phil.lavin () cloudcall com>
> Cc: Javier Juan <javier.juan () gmail com>, NANOG <nanog () nanog org>
> Subject: Re: Recommended DDoS mitigation appliance?
> Message-ID:
>         <
> CAMDdSzONkYYT4AeMGLm7iOHYPhZbB7NKbU_rSR+Y6_GAbAN+sw () mail gmail com>
> Content-Type: text/plain; charset="utf-8"
>
> Phil,
>
> This sounds like a different model to me. Kentik I think averages out
> around $500 per 10G per month. Kentik doesn't do any scrubbing however.
> Does anyone have guide to DDoS services? Seems like there is a wide array
> of pricing and technology options.
>
> On Tue, Feb 4, 2020 at 7:50 AM Phil Lavin <phil.lavin () cloudcall com>
> wrote:
>
> > > So is Imperva similar to how Kentik operates? What was it priced liked?
> >
> > It is a nice model as you don't need additional hardware or virtual
> > appliances on-prem, which cuts down on the CAPEX cost. Like everyone
> else,
> > they price the scrubbing based on your clean traffic levels. Price I have
> > is circa $73,000 a year for 250mbit clean traffic and circa $94,000 a
> year
> > for 500mbit clean traffic. Reasonably good value if you get attacked a
> lot
> > - a very expensive insurance policy if not. Yearly pricing is broadly on
> > par with Radware, Arbor and A10 (Verisign).
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://mailman.nanog.org/pipermail/nanog/attachments/20200204/64450404/attachment-0001.html
> >
>
> ------------------------------
>
> Message: 6
> Date: Tue, 4 Feb 2020 14:27:33 +0000
> From: Phil Lavin <phil.lavin () cloudcall com>
> To: Colton Conor <colton.conor () gmail com>
> Cc: Javier Juan <javier.juan () gmail com>, NANOG <nanog () nanog org>
> Subject: RE: Recommended DDoS mitigation appliance?
> Message-ID:
>         <
> DB6PR0301MB2533333514B0C540168E7B6189030 () DB6PR0301MB2533 eurprd03 prod outlook com
> >
>
> Content-Type: text/plain; charset="utf-8"
>
> > This sounds like a different model to me. Kentik I think averages out
> around $500 per 10G per month
>
> I was talking about Imperva
>
> ------------------------------
>
> Message: 7
> Date: Mon, 3 Feb 2020 13:39:10 -0600
> From: Daryl <lists@soldmydata.online>
> To: nanog () nanog org
> Subject: Re: Jenkins amplification
> Message-ID: <20200203133910.2dfb5f5c@mail>
> Content-Type: text/plain; charset=US-ASCII
>
> On Mon, 3 Feb 2020 10:55:35 -0800 (PST)
> Sabri Berisha <sabri () cluecentral net> wrote:
>
> > ----- On Feb 3, 2020, at 10:35 AM, Christopher Morrow
> > morrowc.lists () gmail com wrote:
> >
> > > On Mon, Feb 3, 2020 at 1:26 PM William Herrin <bill () herrin us>
> > > wrote:
> >
> > > > VPN.
> > >
> > > I love it when my home network gets full access to the corporate
> > > network!
> >
> > Most places I've worked at issue company controlled laptops with
> > company controlled VPN software which will disable all local access
> > and even disconnect if you dare to manually change the routing table
> > to access the printer in your home office.
> >
> > In fact, a too tightly controlled VPN contributed to a 7 figure loss
> > during an outage at a company which name shall not be mentioned.
> >
> > Your home network should have no access to the corp network. Your
> > company issued laptop should.
> >
> > Thanks,
> >
> > Sabri
>
> That's how our company operates. I went a step further and put all
> company issued equipment on it's own vlan at home.
>
>
> ------------------------------
>
> Message: 8
> Date: Tue, 4 Feb 2020 16:12:45 +0000
> From: Mike Meredith <mike.meredith () port ac uk>
> To: nanog () nanog org
> Subject: Re: Jenkins amplification
> Message-ID: <20200204161245.10aac79f () scrofula eps is port ac uk>
> Content-Type: text/plain; charset="utf-8"
>
> On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow
> <morrowc.lists () gmail com> may have written:
> > My experience, and granted it's fairly scoped, is that this sort of thing
> > works fine for a relatively small set of 'persons' and 'resources'.
>
> Seeing as managing this sort of thing is my primary job these days ...
>
> > it ends up being about the cross-product of #users * #resources.
>
> That's the interesting part of the job - coalescing rules in a way that
> minimises the security impact but maximises the decrease of complexity. If
> you don't, you get an explosion of complexity that results in a set of
> rules (I know of an equivalent organisation that has over 1,000 firewall
> rules) that becomes insanely complex to manage.
>
> > certainly a more holistic version of the story is correct.
> > the relatively flippant answer way-back-up-list of: "vpn"
>
> I think that "vpn" is the right answer - it's preferrable to publishing
> services to the entire world that only need to be used by empoyees. But
> it's not cheap or easy.
>
> --
> Mike Meredith, University of Portsmouth
> Hostmaster, Security, and Chief Systems Engineer
>
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: not available
> Type: application/pgp-signature
> Size: 488 bytes
> Desc: OpenPGP digital signature
> URL: <
> http://mailman.nanog.org/pipermail/nanog/attachments/20200204/51fff1b7/attachment-0001.sig
> >
>
> ------------------------------
>
> Message: 9
> Date: Tue, 04 Feb 2020 11:59:13 -0500
> From: Andrey Kostin <ankost () podolsk ru>
> To: "Mankamana Mishra (mankamis)" <mankamis () cisco com>
> Cc: nanog () nanog org
> Subject: Re: EVPN multicast route (multi home case ) implementation /
>         deployment information
> Message-ID: <af953fad372932f55b167921bd415962 () podolsk ru>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Hi Mankamana,
>
> For Juniper:
>
> Starting in Junos OS 18.4R1, devices with IGMP snooping enabled use
> selective multicast forwarding in a centrally routed EVPN-VXLAN network
> to replicate and forward multicast traffic. As before, IGMP snooping
> allows the leaf device to send multicast traffic only to the access
> interface with an interested receiver. But now, when IGMP snooping is
> enabled, the leaf device selectively sends multicast traffic to only the
> leaf devices in the core that have expressed an interest in that
> multicast group. In selective multicast forwarding, leaf devices always
> send multicast traffic to the spine device so that it can route
> inter-VLAN multicast traffic through its IRB interface.
>
>
> https://www.juniper.net/documentation/en_US/junos/topics/concept/evpn-selective-multicast-forwarding.html
>
> Kind regards,
> Andrey
>
> Mankamana Mishra (mankamis) via NANOG писал 2020-02-03 18:34:
> > Folks
> >
> > Wondering if there is any known implementation of EVPN multihome
> > multicast routes which are defined in
> >
> > https://tools.ietf.org/html/draft-ietf-bess-evpn-igmp-mld-proxy-04
> >
> > there is some change planned in NLRI , we want to make sure to have
> > solution which does work well with existing implementation.
> >
> > NOTE:  Discussion INVOLVES NOKIA, JUNIPER, CISCO, ARISTA ALREADY. SO
> > LOOKING FOR ANY OTHER VENDOR WHO HAVE IMPLEMENTATION.
> >
> > Mankamana
>
>
>
> ------------------------------
>
> Message: 10
> Date: Tue, 4 Feb 2020 12:10:00 -0500
> From: Jason Lixfeld <jason+nanog () lixfeld ca>
> To: NANOG mailing list <nanog () nanog org>
> Subject: WTR: 1-2RU @ Equinix Ashburn
> Message-ID: <7BC7D4A3-5691-45D8-9C27-D8A21CD0BDB4 () lixfeld ca>
> Content-Type: text/plain;       charset=utf-8
>
> Hi,
>
> I’m wondering if anyone is looking to subsidize their Equinix Ashburn colo
> costs by way of carving out 1-2 RU to a friendly for a low density
> networking application.  If so, I’d love to hear from you!
>
> Thanks in advance!
>
> ------------------------------
>
> Message: 11
> Date: Tue, 4 Feb 2020 13:04:19 -0500
> From: Joseph Severini <jseverin () andrew cmu edu>
> To: nanog () nanog org
> Subject: Help with survey on enterprise network challenges?
> Message-ID:
>         <CAGBamiMrvAk599A0_fAW=
> sdmxjOHR8MVe9j9yXmHq+r52PjZGQ () mail gmail com>
> Content-Type: text/plain; charset="UTF-8"
>
> Hi,
>
> My name is Joseph Severini, and I am a PhD student in the Computer
> Science Department at Carnegie Mellon University.
>
> I’m working on a research project to identify common operational
> challenges in modern enterprise computer networks. I’ve put together a
> survey to identify these challenges by analyzing some operational
> problems found in the Network Engineering Stack Exchange open-source
> dataset. You’ll be given a problem from the dataset and asked some
> questions about it.
>
> I would appreciate it if you would consider taking this survey, which
> can be found at the link below:
>
> http://cmu.ca1.qualtrics.com/jfe/form/SV_dm6i9znuPWlLDN3
>
> The survey should take ~15 minutes. Participation is voluntary, with
> no compensation, and all responses are anonymous. You must be at least
> 18 years old to complete the survey.
>
> Thanks,
> Joseph Severini
>
> PhD Student
> CMU Computer Science Department
>
>
> ------------------------------
>
> Message: 12
> Date: Tue, 4 Feb 2020 15:59:37 -0500
> From: Christopher Morrow <morrowc.lists () gmail com>
> To: Mike Meredith <mike.meredith () port ac uk>
> Cc: nanog list <nanog () nanog org>
> Subject: Re: Jenkins amplification
> Message-ID:
>         <CAL9jLaaiiLsOqShddYcdn_HYO0aeY+skF+XDefK3Uhvm+=
> A6cw () mail gmail com>
> Content-Type: text/plain; charset="UTF-8"
>
> On Tue, Feb 4, 2020 at 11:15 AM Mike Meredith <mike.meredith () port ac uk>
> wrote:
> > On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow
> > <morrowc.lists () gmail com> may have written:
> > > My experience, and granted it's fairly scoped, is that this sort of
> thing
> > > works fine for a relatively small set of 'persons' and 'resources'.
> >
> > Seeing as managing this sort of thing is my primary job these days ...
>
> <beer, you probably deserve one> :)
>
> > > it ends up being about the cross-product of #users * #resources.
> >
> > That's the interesting part of the job - coalescing rules in a way that
> > minimises the security impact but maximises the decrease of complexity.
> If
> > you don't, you get an explosion of complexity that results in a set of
> > rules (I know of an equivalent organisation that has over 1,000 firewall
> > rules) that becomes insanely complex to manage.
>
> I think the fact that it's hard to keep all of this going and to
> contain the natural spread of destruction (that it takes someone with
> a pretty singular foc us) makes my point.
>
> > > certainly a more holistic version of the story is correct.
> > > the relatively flippant answer way-back-up-list of: "vpn"
> >
> > I think that "vpn" is the right answer - it's preferrable to publishing
> > services to the entire world that only need to be used by empoyees. But
> > it's not cheap or easy.
>
> Weighing the cost/benefit is certainly each org's decision.
> having lived without vpn for a long while and under the regime of
> authen/author for users with proper token/etc access... I'd not want
> my internal network opened to the wilds of vpn users :( (I actively
> discourage this at work because there are vanishingly small reasons
> why a full network connection is really required by a user at this
> point).
>
> anyway, good luck!
>
>
> ------------------------------
>
> Message: 13
> Date: Wed, 5 Feb 2020 10:56:51 +0100
> From: Cynthia Revström <me () cynthia re>
> To: christopher () ve7alb ca
> Cc: NANOG list <nanog () nanog org>
> Subject: Re: Has Anyone managed to get Delegated RPKI working with
>         ARIN
> Message-ID:
>         <
> CAKw1M3PQTvB6zyJkn5eMdByJTSqXX4seUYFBduf-jQnLWSMJFw () mail gmail com>
> Content-Type: text/plain; charset="utf-8"
>
> (Re-sent as I forgot to include the ML the first time, oops)
> Hi Chris,
>
> I recently figured it out and posted it on the NLNetLabs RPKI mailing list.
> https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html
> I hope it helps :)
>
> - Cynthia
>
> On Wed, Jan 29, 2020 at 6:31 PM Christopher Munz-Michielin <
> christopher () ve7alb ca> wrote:
>
> > Hi Nanog,
> >
> > Posting here since my Google-fu is coming up short.  I'm trying to setup
> > delegated RPKI in ARIN using rpki.net's rpkid Python daemon and am
> > running into an issue submitting the identity file to ARIN's control
> panel.
> > The same file submitted to RIPE's  test environment at
> > https://localcert.ripe.net/#/rpki works without issue, while submitting
> > to ARIN results in "Invalid Identity.xml file."
> >
> > The guide I'm following is this one:
> https://github.com/dragonresearch/rpki.net/blob/master/doc/quickstart/xenial-ca.md
> > and I'm able to get as far as generating the identity file.
> >
> > Wondering if anyone has gone down this road before and has any helpful
> > hints to make this work?
> >
> > Cheers,
> > Chris
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: <
> http://mailman.nanog.org/pipermail/nanog/attachments/20200205/49b8cf46/attachment-0001.html
> >
>
> ------------------------------
>
> Message: 14
> Date: Wed, 05 Feb 2020 02:52:08 -0800
> From: Randy Bush <randy () psg com>
> To: "Cynthia Revström" <me () cynthia re>
> Cc: christopher () ve7alb ca,      NANOG list <nanog () nanog org>
> Subject: Re: Has Anyone managed to get Delegated RPKI working with
>         ARIN
> Message-ID: <m2o8ud71d3.wl-randy () psg com>
> Content-Type: text/plain; charset=US-ASCII
>
> > I recently figured it out and posted it on the NLNetLabs RPKI mailing
> list.
> > https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html
>
> nice.  thank you.
>
> randy
>
>
> End of NANOG Digest, Vol 145, Issue 5
> *************************************