Hi all,
Finally we have a mailing list (thnx to staff @RIPE-NCC) that we identified as one of the first next steps at BOF in Dublin RIPE meeting.
Please send emails to: bcop@ripe.net
This is the place, where we can discuss how to move forward with the Best Current Operational Practices work, how to maybe move it forward towards more official status, who is willing to participate and start the documents - but first of all - we agreed that we need to identify the topics of discussion.
First few that I heard were:
- source addr antispoofing operational practices
- peering good practices
- how to implement IPv6 at ISP (different network types and flavors)
- DNSsec how-to and practices
...
I would like to invite all to send suggestions so we can identify the topics - and then we can see later where we can start some effort and form groups that would start producing documentation.
Thank you all for participating at BOF, we are aiming for another BOF in Athens (this time with beer and chips in the room, as the BOF should be :) )
Cheers, Jan Zorz
On 16/06/2013, at 17.19, Jan Zorz - ISOC <zorz@isoc.org> wrote:
Hi all,
Finally we have a mailing list (thnx to staff @RIPE-NCC) that we identified as one of the first next steps at BOF in Dublin RIPE meeting.
Please send emails to: bcop@ripe.net
This is the place, where we can discuss how to move forward with the Best Current Operational Practices work, how to maybe move it forward towards more official status, who is willing to participate and start the documents - but first of all - we agreed that we need to identify the topics of discussion.
First few that I heard were:
- source addr antispoofing operational practices
- peering good practices
- how to implement IPv6 at ISP (different network types and flavors)
- DNSsec how-to and practices
...
I would like to invite all to send suggestions so we can identify the topics - and then we can see later where we can start some effort and form groups that would start producing documentation.
In no particular order, and based on stuff I do myself.
*) DNS in auth and recursive, I always suggest keeping them in two separate "servers" (might be VMs) to ensure not opening up auth server for recursion etc.
*) Perhaps best current practice documents that even present BGP policies in general, like the old book "Cisco ISP Essentials (Cisco Press Networking Technology)[Paperback]" from 2002 available in free and open format would be great for getting more secure and robust networking. Having examples in some popular variants would be great Juniper, Cisco, BIRD, OpenBGPD - I also myself used the cymru web site a lot for similar stuff, http://www.team-cymru.org/ReadingRoom/Templates/
*) a small subject I would like to see also is ICMP filtering. We want people to know that blocking all of ICMP is bad for them and the internet. It prevents PMTU from working and is required for a lot of testing.
So maybe some re-iteration of the ICMP and presenting also the pingable attribute in whois? (I don't use pingable myself yet, but perhaps receiving a nice BCOP doc would make me add some)
I wonder if testing is also part of this?
*) How to test your network performance, recommending some starting point for common testing inside networks, in my end of the world it seems to be iperf and smokeping that rules the land. I was pretty inspired by Jen Linkova at the RIPE65 meeting talking about creating stacked packet for testing MPLS
Best regards
Henrik
--
Henrik Lund Kramshøj, Follower of the Great Way of Unix
internet samurai cand.scient CISSP
hlk@kramse.org hlk@solidonetworks.com +45 2026 6000
http://solidonetworks.com/ Network Security is a business enabler
On 7/8/13 3:22 PM, Henrik Lund Kramshøj wrote:
In no particular order, and based on stuff I do myself.
*) DNS in auth and recursive, I always suggest keeping them in two separate "servers" (might be VMs) to ensure not opening up auth server for recursion etc.
Hi, This could be a great and useful document. I also heard that some operators also use different HW/OS platforms and different DNS server combinations (and anycast resolvers in their network) to minimize the probability that one vulnerability (OS or server) brings down all their resolvers. I think that this is also one of the good practices that could be useful to many.
*) Perhaps best current practice documents that even present BGP policies in general, like the old book "Cisco ISP Essentials (Cisco Press Networking Technology)[Paperback]" from 2002 available in free and open format would be great for getting more secure and robust networking. Having examples in some popular variants would be great Juniper, Cisco, BIRD, OpenBGPD - I also myself used the cymru web site a lot for similar stuff, http://www.team-cymru.org/ReadingRoom/Templates/
This is a good resource and should be included in a BCOP document about BGP practices in general.
*) a small subject I would like to see also is ICMP filtering. We want people to know that blocking all of ICMP is bad for them and the internet. It prevents PMTU from working and is required for a lot of testing.
With practical filter examples for different firewalls from different vendors? Agree :)
So maybe some re-iteration of the ICMP and presenting also the pingable attribute in whois? (I don't use pingable myself yet, but perhaps receiving a nice BCOP doc would make me add some)
Wow, nice suggestion.
I wonder if testing is also part of this?
*) How to test your network performance, recommending some starting point for common testing inside networks, in my end of the world it seems to be iperf and smokeping that rules the land. I was pretty inspired by Jen Linkova at the RIPE65 meeting talking about creating stacked packet for testing MPLS
That is a good topic, that should be documented - and also reminds me of another one - how to measure and understand the global visibility/performance of your network.
Many people don't entirely understand, that visibility from the Internet is an issue - they connect to upstreams, announce their resources and live happily ever after.
Nice, practical and clear document on how to measure their visibility from other parts of the world would also help many people.
Adding Job Snijders to cc: (not sure he's on the mailing list), Job would you be interested in adding some experience on this topic (or maybe even start a BCOP document?)?
Cheers, Jan Zorz
P.S: BCOP ml subscription link: https://www.ripe.net/mailman/listinfo/bcop
On 09/07/2013, at 13.01, Jan Zorz - ISOC <zorz@isoc.org> wrote:
On 7/8/13 3:22 PM, Henrik Lund Kramshøj wrote:
In no particular order, and based on stuff I do myself. ...
I wonder if testing is also part of this?
*) How to test your network performance, recommending some starting point for common testing inside networks, in my end of the world it seems to be iperf and smokeping that rules the land. I was pretty inspired by Jen Linkova at the RIPE65 meeting talking about creating stacked packet for testing MPLS
That is a good topic, that should be documented - and also reminds me of another one - how to measure and understand the global visibility/performance of your network.
Many people don't entirely understand, that visibility from the Internet is an issue - they connect to upstreams, announce their resources and live happily ever after.
Nice, practical and clear document on how to measure their visibility from other parts of the world would also help many people.
Adding Job Snijders to cc: (not sure he's on the mailing list), Job would you be interested in adding some experience on this topic (or maybe even start a BCOP document?)?
I am not sure it belongs here, would be nice to have a list of this though.
Off the top of my head, we use the following external resources to demonstrate visibility:
https://stat.ripe.net/ - with all the nice widgets for embedding etc.
Cyclops BGP http://cyclops.cs.ucla.edu/
BGPmon.net
http://routeviews.org/ and http://bgplay.routeviews.org/ - note bgplay is also integrated into RIPEstat
traceroute.org - I use this less now that http://RING.nlnog.org has expanded so nicely, but for non-ring-users
pingdom (has no IPv6, and it really is becoming a problem, where to monitor IPv6 services from outside?)
Best regards
Henrik
--
Henrik Lund Kramshøj, Follower of the Great Way of Unix
internet samurai cand.scient CISSP
hlk@kramse.org hlk@solidonetworks.com +45 2026 6000
http://solidonetworks.com/ Network Security is a business enabler
On Tue, 9 Jul 2013, Henrik Lund Kramshøj wrote:
pingdom (has no IPv6, and it really is becoming a problem, where to monitor IPv6 services from outside?)
http://www.v6sonar.com/ has some interesting capabilities, which may or may not fit what you need - anyway if there's something you need that it does not do - you can ping Chip - he's very very open to feedback.
--a
Best regards
Henrik
-- Henrik Lund Kramshøj, Follower of the Great Way of Unix internet samurai cand.scient CISSP hlk@kramse.org hlk@solidonetworks.com +45 2026 6000 http://solidonetworks.com/ Network Security is a business enabler
Hi,
I think BCOP regarding BGP configuration can be interesting for many companies especially covering topic about "community controlled policies/route-maps for BGP"
Regards.
/Alex
On 07/09/2013 05:17 PM, Andrew Yourtchenko wrote:
On Tue, 9 Jul 2013, Henrik Lund Kramshøj wrote:
pingdom (has no IPv6, and it really is becoming a problem, where to monitor IPv6 services from outside?)
http://www.v6sonar.com/ has some interesting capabilities, which may or may not fit what you need - anyway if there's something you need that it does not do - you can ping Chip - he's very very open to feedback.
--a
Best regards
Henrik
-- Henrik Lund Kramshøj, Follower of the Great Way of Unix internet samurai cand.scient CISSP hlk@kramse.org hlk@solidonetworks.com +45 2026 6000 http://solidonetworks.com/ Network Security is a business enabler
On 7/19/13 3:10 PM, Alex Saroyan wrote:
Hi,
I think BCOP regarding BGP configuration can be interesting for many companies especially covering topic about "community controlled policies/route-maps for BGP"
Hi, thnx for a great suggestion. Added to the list of identified topics: http://www.internetsociety.org/deploy360/about/bcop/topics/
One of the much needed documents that I heard of lately is also: "IPv6 basics and troubleshooting for helpdesks around the world"
It should be some sort of lowest-common-denominator document of common issues helpdesks around the world are encountering and used as a template to translate it and use it.
I see this as a next speed-bump in IPv6 deployment, as operations configures and tests the IPv6-everything, but then the company is afraid of "releasing it into the wild" because of fear of helpdesk not being able to cope with it.
Should I add it as one of the topics?
I submitted the lightning-talk and BOF proposal to RIPE PC for Athens meeting, hope to see you all there to move this process a step further towards some results.
Cheers, Jan
participants (4)
- Alex Saroyan
- Andrew Yourtchenko
- Henrik Lund Kramshøj
- Jan Zorz - ISOC