swinog October 2019

swinog@lists.swinog.ch

11 participants
6 discussions

Switzerlandwide Internet problem
by Michele Capobianco 16 Jul '23

16 Jul '23

Hey all A friend just told me that Cybernet told him there is a Switzerlandwide Internet Problem. Does anybody know something? Cheers Michele -------- Online Consulting AG, Michele Capobianco, System Administrator, Weststrasse 38, CH-9500 Wil Phone +41 (0)71 913 31 31, Fax +41 (0)71 913 31 32 http://www.online.ch, michele.capobianco(a)online.ch<mailto:michele.capobianco@online.ch> --------

8 7

new project: DHCP Protect
by Pascal Gloor 31 Oct '19

31 Oct '19

Hi Community, I don’t know about you, but as an ISP we’ve always faced the problem of crazy DHCP clients (v4 and v6) flooding our servers. While at Quickline we have a DHCP server with anti-flood mechanisms it might not the case for everyone. This is why I wrote DHCP Protect. DHCP Protect works with the userspace API of Netfilter (iptables/ip6tables) and will treat each DHCP(v4/v6) packet and decide if it should be forwarded or not. Don’t worry, iptables can be configured in a way that if the program is not working, it will ACCEPT the packets by default. There are no packages available, but don’t be scared, it’s really simple to install and it will do all the systemd stuff for you! After make install it will already be running (you can also make uninstall which will delete everything and remove it from systemd). git clone https://git.home.spale.com/dhcp_protect.git cd dhcp_protect sudo apt-get install build-essential uthash-dev libnetfilter-queue-dev make all sudo make install That’s it. And then you need the iptables/ip6tables rule: iptables -A INPUT -p udp -m udp --dport 67 -j NFQUEUE --queue-num 67 --queue-bypass ip6tables -A INPUT -p udp -m udp --dport 547 -j NFQUEUE --queue-num 67 --queue-bypass (SAME queue number! the program can treat v4/v6 at the same time) The program will log to syslog when it blacklists. I’ve tested this with 10kpps and the CPU load of the program was about 4-6% on one core (AMD Ryzen 7 2700X). There’s also a flooding perl client in the repository to test the performance. It can do pseudo DHCPv4/DHCPv6, but since it’s pseudo, don’t use the perftest.pl again a real DHCP server. More information in the README -> https://git.home.spale.com/public/dhcp_protect I’d be glad on feedback! It is useful? what additional features would you like to see? Thanks for reading See you at Swing#36 Pascal

4 9

## SwiNOG #36 - November 14th - Agenda (preview) ##
by Simon Ryf 28 Oct '19

28 Oct '19

Dear SwiNOGers, the Agenda is almost complete and we’re (almost) ready for the 14th of November. Below is a preview for the agenda (in random order). You can also let us know what you expect or wish to hear by answering to the mailing list. The Speakers are also listening ;-) Please register now: https://register.swinog.ch/ 30min | AI in Networking | Jörg Ammon (Extreme Networks) AI is gaining momentum to solve problems that are difficult for humans as it requires analytics of huge amounts of data. This talk discusses attempts to apply similar methodology to problems in networking. 25min | The Future of Passive Multiplexing and Multiplexing Beyond 10G | Wouter van Diepen (Alturna Networks/Solid Optics) The Future of Passive Multiplexing and Multiplexing Beyond 10G. In the past, it was easy to change your optical network from 1G to 10G by simply changing the transceiver, but what if you want to do more than 10G? What if you want to go beyond 80km? What are your options and why is there no QSFP28-DWDM-ZR? These are the central questions in this presentation. We will cover the 3 “ingredients” of Multiplexing: The Fiber, the Passive Mux, and the Transceiver, and talk about the limitations and possibilities of multiple times 100G over one fiber pair. We will also cover the following topics: The challenges that arise due to attenuation and chromatic dispersion; Different types of Multiplexers - Cascaded TFF and AWG (including Gaussian Fit and Flat Top); ITU Grids such as DWDM and the new LWDM band (often used for 5G deployment); Modulation & Coherent 100G/200G/400G; How to use QSFP28 DWDM PAM4; and what is coming in 2020 - 400G DWDM QSFP-DD. At the end of this talk, you will understand the future of 100G multiplexing and how it can fit into your network. 30min | the complexity of hyper speed transceivers – let’s make it | Thomas Weible (Flexoptix GmbH) Thomas will describe in detail the structures inside optical transceivers. A Transmitter / Receiver Optical Sub Assembly (TOSA / ROSA) is no longer just a diode in a housing handling the light path to and fro to the fiber. The performance increases from 10G to 100G onwards to 400G - are not only giant steps in bandwidth there are matching leaps in manufacturing. How did the optical industry players around the globe make it possible to squeeze everything into the tiny form factors we see today? It is all about precision - a microscope with a calm and competent hand is no longer sufficient, now it is about; nano tolerances, testing, complex transceiver firmware and a shed load of money. This is the high precision optical mechanical engineering revolution which fuels the hyper growth of data centers and optical networking worldwide… If you face design issues with your current optical network design Thomas will give insights into the latest 40G to 400G transceiver developments (e.g. long distance 80km) which you can expect to see in the upcoming months. Hopefully this might save you some headaches. As a small „one more thing" Thomas will dive into the basics of how FEC compensates for errors caused by PAM4 modulation. 10min | RPKI, a piece of pie | Will van Gulik (Saitis - Nimag Networks / RomandIX) RPKI is something we hear about everywhere nowadays. Is it hard to deploy? 30min | A new approach to select SIEM Use Cases by avoiding events per second estimations | Pascal Imthurn (ISPIN AG) Did you ever experience the challenge to identify the adequate SIEM use cases to fulfil not only the compliance driven requirements but also the ability to have a high security detection coverage from day one? How can you ensure you will detect all attacks respectively you collect, and analysis all required events to identify anomalies? We will introduce a comprehensive approach to directly address the challenge of SIEM use case identification and selection. In addition, we explain the answer of the problem of having a high detection maturity from day one with still a price efficient strategy and the capability to scale easily. Moreover, we present a recommended solution method to respond to attacks immediately, focused to the origin of the attack and to be able to collect all relevant data for additional investigations. 10min | How to build a typical home network | Pascal Gloor (Quickline AG) beyond and above all expectations 30min | NBIP | Pim van Stam (Infomaniak Network SA) The director of NBIP would share the experience in seting up a multi-organization not for profit fundation to provide a DDoS mitigation and protection platform for national ISPs. 5min | Rheintal Internet Exchange | Thomas Fritz (Rheintal IX) Short introduction of the small Internet Exchange in the Rheintal region spread over FL, AT and CH. 30min | Weird and broken BGP on the Internet | Martin Winter (Hurricane Electric) The presentation gives a quick introduction to the RT-BGP tool (https://rt-bgp.he.net) and then we spend most of the time looking at issues seen with it. An example of few weird and broken BGP announcements as currently seen on the Internet by it are then discussed. 15min | Poor man's explanation why IPv6 is stalling in CH | Jean-Pierre Schwickerath (HILOTEC Engineering + Consulting AG) As a service provider for SME, we use on default ISP products for internet connectivity. The presentation will provide an overview of our experience with IPV6 on those products and where we believe improvements are (over)due. 20min | IP design and exploitation of Geneva city transport network | Gregoire Huet (TPG) How the IP network for 700 vehicles has been designed. From hardware constraints to BGP implementation and up to TICK monitoring and alerting. @Mobile IP, @BGP, @Linux, @Cisco, @NetModule, @Swisscom CNA, @SNMP, @TICK, @Grafana 15min | tbd/Cybersecurity | Levente Dobszay (Electrosuisse) tbd/Cybersecurity I like to thank you for our sponsors – without them we would have no SwiNOG !!! Extreme Networks ngworx Alturna Networks SWITCH Centurylink RIPE NCC Final agenda with Schedule will be published soon. Till then… Br Simon SwiNOG

1 0

Swisscom routing question / problem
by DUCHET Rémy 25 Oct '19

25 Oct '19

Hello, Can someone from Swisscom can contact me about a BGP routing issue ? Many thanks in advance. Rémy

1 0

A1/aon.at contact
by Jan-Philipp Benecke 25 Oct '19

25 Oct '19

Hey together, hoping there is someone from aon.at/A1 on list. We tried to reach out to you but your postmaster@ mailbox exceeded the quota ;) Can someone may contact me off-list ? Thanks a lot. Have a nice day, Jan-Philipp -- Jan-Philipp Benecke Deliverability Team Fon: +49 4402 97390-00 <tel:+49 4402 97390-00> E-Mail: jpb(a)cleverreach.com <mailto:jpb@cleverreach.com> Xing <https://www.xing.com/profile/JanPhilipp_Benecke/cv?sc_o> LinkedIn <https://www.linkedin.com/in/jan-philipp-benecke-b3058575/> *CleverReach GmbH & Co. KG HRA 4020 Oldenburg (Oldb.)* cleverreach.de <https://cleverreach.com/de/> CleverReach® <http://www.cleverreach.com/de/> CleverReach® <http://www.cleverreach.com/de/> Vertreten durch: CleverReach Verwaltungs GmbH, HRB 210079 Oldenburg (Oldb.) //CRASH Building | Schafjückenweg 2 | 26180 Rastede | Germany Geschäftsführung: Jens Klibingat & Sebastian Schwarz Aufsichtsrat: Rolf Hilchner & Heinz-Wilhelm Bogena PUSH/// <https://www.cleverreach.com/push/> CleverReach® <http://www.facebook.com/cleverreach> CleverReach @Instagram <https://www.instagram.com/cleverreach/> https://twitter.com/cleverreach <https://twitter.com/cleverreach> CleverReach @YouTube <https://www.youtube.com/user/cleverreach> Aktuell können Sie einige Informationen nicht sehen.Bitte aktivieren Sie externe Inhalte, um die Mail vollständig angezeigt zu bekommen oder klicken Sie hier. <https://app.mailtastic.de/api/li/0c3883f2-d7bc-4f1f-8d34-41da5b983637>

1 0

SBB partially reachable via IPv6
by Nico Schottelius 21 Oct '19

21 Oct '19

Hello everyone, if anyone from SBB reads the swinog ml: it's very cool that you added an AAAA record to sbb.ch. However it seems that only the HTTP, but not the HTTPS port is open via IPv6. Logs are attached below. Best regards from Glarus, Nico [20:31] diamond:~% curl -6 -I -v https://sbb.ch * Trying 2a00:4bc0:ffff:ffff::c296:f58e:443... * TCP_NODELAY set * Connected to sbb.ch (2a00:4bc0:ffff:ffff::c296:f58e) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: /etc/ssl/certs/ca-certificates.crt CApath: none * TLSv1.3 (OUT), TLS handshake, Client hello (1): ^C [20:33] diamond:~% curl -6 -I -v http://sbb.ch * Trying 2a00:4bc0:ffff:ffff::c296:f58e:80... * TCP_NODELAY set * Connected to sbb.ch (2a00:4bc0:ffff:ffff::c296:f58e) port 80 (#0) > HEAD / HTTP/1.1 > Host: sbb.ch > User-Agent: curl/7.66.0 > Accept: */* > * Mark bundle as not supporting multiuse < HTTP/1.1 301 Moved Permanently HTTP/1.1 301 Moved Permanently < Date: Sun, 20 Oct 2019 18:32:39 GMT Date: Sun, 20 Oct 2019 18:32:39 GMT < Server: Apache Server: Apache < Location: https://sbb.ch/ Location: https://sbb.ch/ < Content-Type: text/html; charset=iso-8859-1 Content-Type: text/html; charset=iso-8859-1 < * Connection #0 to host sbb.ch left intact -- Modern, affordable, Swiss Virtual Machines. Visit www.datacenterlight.ch

5 5

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

swinog October 2019