[168828] in North American Network Operators' Group
Re: BCP38 is hard, was TWC (AS11351) blocking all NTP?
daemon@ATHENA.MIT.EDU (Jared Mauch)
Wed Feb 5 11:15:46 2014
From: Jared Mauch <jared@puck.nether.net>
In-Reply-To: <20140205083507.GA20473@pob.ytti.fi>
Date: Wed, 5 Feb 2014 11:15:25 -0500
To: Saku Ytti <saku@ytti.fi>
Cc: nanog list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Feb 5, 2014, at 3:35 AM, Saku Ytti <saku@ytti.fi> wrote:
> If what you say was the actual reason, it could be solved by a logging ACL.
>
> We, the community, could produce tooling to automate this on a few popular
> platforms. It automatically builds the ACL, with a web interface for humans to classify
> the logged/unknown sources. When classified by a human as a legit source, it automatically
> creates a route object for it.
> Recreate the ACL from route objects, submit it to the router.
The problem is that many of these can compile to larger than the physical amount of space the router/LC has to handle it. I've done presentations to vendors about what percentage (in bytes and per line) of the configuration is of what component. 90%+ tends to be customer-specific prefix-list/set/filter lines.
These can easily reach many megabytes of configuration and tens or hundreds of thousands of lines. Asking someone to duplicate that to also have an ingress ACL of equivalent size, and *assuming* the router can handle that ACL and compile it properly, is a challenge to say the least.
> Repeat until the human operator is confident no further classification is needed,
> and ask the tool to swap log+permit for deny.
Similar to the above, doing the log permit, etc. is all dependent on the platform and what scale is feasible. On some devices you can't do things like log-input and capture the ingress MAC that originated the packet, as it's been stripped off before it gets to that part of the engine.
Similar to Randy's previous comments, I would like to see another operator who has actually implemented something, and is willing to share, talk about their efforts here. Right now, I've seen a lot of people say what others should do with "their" network, and limited data about what they have done to help solve this problem. It's harder than it seems, and even for those who invite regulation and other things, the technology isn't capable because it's not something folks "ask for".
> Probably takes like maybe 50h of development work.
Let me know how that goes. I've found estimates for this stuff can be off by as much as 10x or more once all the details are chased down. My wife has regularly been very patient with me when I say "10 minutes" and it's closer to 2+ hours. I know we can do better than what the state is today, but there's only so much that one network can do.
- Jared
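The following is an added example, not code from the thread or from either poster: it sketches the tooling Saku describes (derive a customer's ingress anti-spoofing ACL from route objects, first in a log+permit classification mode, then swapped to deny) and counts config lines per component to make Jared's size point concrete. The route objects are constructed sample data, not real IRR records, and the prefix-list/ACL naming, the Cisco-style syntax and the use of `log-input` as the classification catch-all are assumptions.

```python
"""Build a BCP38 ingress ACL for a customer from RPSL route objects.

Added example (not from the NANOG thread). Route objects below are
constructed sample data; ACL/prefix-list names and syntax are assumptions.
"""
import ipaddress
import re

# Constructed RPSL-style route objects (sample data, not real IRR output).
ROUTE_OBJECTS = """\
route:      192.0.2.0/24
origin:     AS64500
descr:      Example customer A

route:      198.51.100.0/25
origin:     AS64500

route:      203.0.113.0/24
origin:     AS64501
"""


def parse_route_objects(text):
    """Return {origin_asn: [IPv4Network, ...]} parsed from RPSL route objects."""
    prefixes = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            if ":" in line:
                key, value = line.split(":", 1)
                attrs[key.strip()] = value.strip()
        if "route" in attrs and "origin" in attrs:
            net = ipaddress.ip_network(attrs["route"], strict=True)
            prefixes.setdefault(attrs["origin"], []).append(net)
    return prefixes


def prefix_list_lines(asn, nets):
    """The eBGP inbound prefix-list an operator already carries per customer."""
    name = f"PL-{asn}"  # assumed naming convention
    return [f"ip prefix-list {name} seq {10 * (i + 1)} permit {n}"
            for i, n in enumerate(nets)]


def ingress_acl_lines(asn, nets, mode):
    """Equivalent ingress ACL built from the same route objects.

    mode == "log":  permit known sources, permit+log everything else
                    (classification phase; log-input is assumed available).
    mode == "deny": permit known sources, drop everything else (enforcement).
    """
    name = f"ACL-IN-{asn}"  # assumed naming convention
    lines = [f"ip access-list extended {name}"]
    for n in nets:
        lines.append(f" permit ip {n.network_address} {n.hostmask} any")
    if mode == "log":
        lines.append(" permit ip any any log-input")
    elif mode == "deny":
        lines.append(" deny ip any any")
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return lines


def config_size(prefixes, mode="deny"):
    """Lines and bytes per component, to show what the duplicate ACL costs."""
    pl, acl = [], []
    for asn, nets in prefixes.items():
        pl += prefix_list_lines(asn, nets)
        acl += ingress_acl_lines(asn, nets, mode)
    return {
        "prefix_list_lines": len(pl),
        "prefix_list_bytes": sum(len(l) + 1 for l in pl),
        "acl_lines": len(acl),
        "acl_bytes": sum(len(l) + 1 for l in acl),
    }


if __name__ == "__main__":
    parsed = parse_route_objects(ROUTE_OBJECTS)
    for asn, nets in parsed.items():
        print("\n".join(prefix_list_lines(asn, nets)))
        print("\n".join(ingress_acl_lines(asn, nets, "log")))
    print(config_size(parsed, "deny"))
```

Every route object costs one prefix-list line plus one ACL line, and each customer adds an ACL header and a catch-all, so the ingress ACL is never smaller than the prefix-list it mirrors; on a box whose ACL TCAM is sized for far less than its BGP policy, that is exactly the compile problem Jared describes.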