From snash at arbor.net Wed Sep 9 12:13:59 2015
From: snash at arbor.net (snash)
Date: Wed, 09 Sep 2015 10:13:59 +0000
Subject: [connect-wg] Programmatic way to answer, "Who is sending me this stuff?"
Message-ID:

If I receive some traffic at an IX peering router interface, I might want to know how I got it.
If it is a stream of bad traffic I might want to ask my upstream peer to help turn it off.

How do I find out who did send it to me?
If I capture a sample packet I could see the source MAC address. Now I have to identify who owns the device with that MAC.

Is there any guidance from the IX operators on how to do this?
I'm sure phone calls / emails to Ops teams are not cost effective for anyone.
A common programmatic method across IXes would suit my use-case admirably.

I'd like to hear from anybody who either has a method in an IX, or who would like a method to exist.

Regards
Steve

Steve Nash CEng MIET | Consultant Engineer EMEA
Arbor Networks
+44 7720 291359 (m)
http://www.arbornetworks.com/

From snash at arbor.net Wed Sep 9 12:19:44 2015
From: snash at arbor.net (snash)
Date: Wed, 09 Sep 2015 10:19:44 +0000
Subject: [connect-wg] Programmatic way to answer, "Who is sending me this stuff?"
Message-ID:

If I receive some traffic at an IX peering router interface, I might want to know how I got it.
If it is a stream of bad traffic I might want to ask my upstream peer to help turn it off.

How do I find out who did send it to me?
If I capture a sample packet I could see the source MAC address. Now I have to identify who owns the device with that MAC.

Is there any guidance from the IX operators on how to do this?
I'm sure phone calls to Ops teams are not cost effective or time efficient for anyone.
A common programmatic method across IXes would suit my use-case admirably.

I'd like to hear from anybody who either has a method in an IX, or who would like a method to exist.
Regards
Steve

Steve Nash CEng MIET | Consultant Engineer EMEA
Arbor Networks
+44 7720 291359 (m)
www.arbornetworks.com

From rob at lonap.net Wed Sep 9 13:21:01 2015
From: rob at lonap.net (Rob Lister)
Date: Wed, 9 Sep 2015 12:21:01 +0100
Subject: [connect-wg] Programmatic way to answer, "Who is sending me this stuff?"
In-Reply-To:
References:
Message-ID: <1938396906.20150909122101@lonap.net>

Hi Steve,

There have been moves to unify IXP data in JSON format to describe members at an IXP, and to a certain extent, VLANs and infrastructure.

https://ripe69.ripe.net/presentations/94-1411-ej-ixp-json-api.pdf

https://github.com/euro-ix/json-schemas

Many exchanges have already implemented this JSON schema.

Though the schema allows for MAC address, I am not sure how widely implemented this is yet. For example, while we implement the JSON schema, mac address doesn't show in there yet owing to limitations in the back-end database, though this is hopefully going to be addressed.

The only other reliable ways would be to use the ARP table at each IXP connection to map the MAC <-> Peering LAN IP and also ASN. (this can usually be collected via SNMP, for example, though if you are using route servers, may require more effort again.)

Combining this with sflow data is another possibility.

Rob

On Wed, Sep 09 at 11:19:44 AM, snash wrote:

> If I receive some traffic at an IX peering router interface, I might want to know how I got it.
> If it is a stream of bad traffic I might want to ask my upstream peer to help turn it off.
>
> How do I find out who did send it to me?
> If I capture a sample packet I could see the source MAC address. Now
> I have to identify who owns the device with that MAC.
>
> Is there any guidance from the IX operators on how to do this?
> I'm sure phone calls to Ops teams are not cost effective or time efficient for anyone.
> A common programmatic method across IXes would suit my use-case admirably.
>
> I'd like to hear from anybody who either has a method in an IX, or who would like a method to exist.

--
Rob Lister
rob at lonap.net
LONAP Ltd

From ripe-ml-2015 at ssd.axu.tm Thu Sep 10 12:20:18 2015
From: ripe-ml-2015 at ssd.axu.tm (Aleksi Suhonen)
Date: Thu, 10 Sep 2015 13:20:18 +0300
Subject: [connect-wg] Programmatic way to answer, "Who is sending me this stuff?"
In-Reply-To:
References:
Message-ID: <55F15962.50602@ssd.axu.tm>

Hello,

On 09/09/2015 01:13 PM, snash wrote:
> If I receive some traffic at an IX peering router interface, I might want
> to know how I got it.

> How do I find out who did send it to me?
> If I capture a sample packet I could see the source MAC address. Now I
> have to identify who owns the device with that MAC.

There is no unified method for doing what you want apart from the above that would work on all IXPs.

Some IXPs enforce a policy that their members have to use certain pre-determined MAC addresses. Here's an example: (scroll to bottom)

http://www.trex.fi/service/unicast.html

There are also some IXPs that use an SDN core where they are able to filter L2 traffic based on either IRR registered peering relationships or actual BGP negotiated routes. I remember seeing nice presentations about these at Euro-IX Fora, but I couldn't quickly find information about them in the wild.

Both of the above examples are rare and both have problems which hinder their real world adoption.

--
        Aleksi Suhonen

        () ascii ribbon campaign
        /\ support plain text e-mail

From snash at arbor.net Thu Sep 10 15:27:35 2015
From: snash at arbor.net (snash)
Date: Thu, 10 Sep 2015 13:27:35 +0000
Subject: [connect-wg] Programmatic way to answer, "Who is sending me this stuff?"
In-Reply-To: <55F15962.50602@ssd.axu.tm>
Message-ID:

Aleksi

Thank you for the TREX document.
It would certainly help traceback if all parties adopted locally administered MAC addresses like this.
I encourage all IX's to consider this as at least a recommendation to members.

Of course, the IX itself has visibility via its switches, but members do not see that information so easily. So this would be advice to members themselves for their own (mutual) benefit.

It certainly has less overhead than creating additional databases.

Regards
Steve

------ Original Message ------
From: "Aleksi Suhonen"
To: "snash"
Cc: connect-wg at ripe.net
Sent: 10/09/2015 11:20:18
Subject: Re: [connect-wg] Programmatic way to answer, "Who is sending me this stuff?"

>Hello,
>
>On 09/09/2015 01:13 PM, snash wrote:
>>If I receive some traffic at an IX peering router interface, I might
>>want
>>to know how I got it.
>
>>How do I find out who did send it to me?
>>If I capture a sample packet I could see the source MAC address. Now
>>I
>>have to identify who owns the device with that MAC.
>
>There is no unified method for doing what you want apart from the above
>that would work on all IXPs.
>
>Some IXPs enforce a policy that their members have to use certain
>pre-determined MAC addresses. Here's an example: (scroll to bottom)
>
>http://www.trex.fi/service/unicast.html
>
>There are also some IXPs that use an SDN core where they are able to
>filter L2 traffic based on either IRR registered peering relationships
>or actual BGP negotiated routes. I remember seeing nice presentations
>about these at Euro-IX Fora, but I couldn't quickly find information
>about them in the wild.
>
>Both of the above examples are rare and both have problems which hinder
>their real world adoption.
>
>-- Aleksi Suhonen
>
> () ascii ribbon campaign
> /\ support plain text e-mail

From jwbensley at gmail.com Thu Sep 10 21:51:15 2015
From: jwbensley at gmail.com (James Bensley)
Date: Thu, 10 Sep 2015 20:51:15 +0100
Subject: [connect-wg] Programmatic way to answer, "Who is sending me this stuff?"
In-Reply-To:
References:
Message-ID:

On 9 September 2015 at 11:13, snash wrote:
>
> If I receive some traffic at an IX peering router interface, I might want to know how I got it.
> If it is a stream of bad traffic I might want to ask my upstream peer to help turn it off.
>
> How do I find out who did send it to me?
> If I capture a sample packet I could see the source MAC address. Now I have to identify who owns the device with that MAC.

On my peering router I look at the "ARP table", it's a magical thing that lists layer 2 MAC addresses and the corresponding layer 3 IP address. Whilst not many IX's provide real time lists of member MACs (as members change hardware or ports on hardware, move links between IX edge devices etc) the IPs are usually (always?) manually assigned by the IX so they are fully known to which member they are in use by, at any given time. [1]

> Is there any guidance from the IX operators on how to do this?

As above, I've not seen an IX that doesn't distribute the IPs manually so by giving them the IP they can tell me straight away (if it isn't listed in the members portal, which at LINX for example, it is!). Another option is looking through peeringDB through the existing MySQL interface or new API in version 2 of the site.

> I'm sure phone calls / emails to Ops teams are not cost effective for anyone.

If I called an IXP I was present at and asked them to trace a MAC address through the MAC tables of their devices, and they couldn't, we have a much bigger problem than a bit of unwanted traffic. We have clowns running an IXP!

> A common programmatic method across IXes would suit my use-case admirably.
>
> I'd like to hear from anybody who either has a method in an IX, or who would like a method to exist.

I must be missing the point because this doesn't seem like a major issue, or am I spoilt in the UK and the IXPs here are just way better than everywhere else?
[2]

Cheers,
James,

[1] Any IX not limiting the number of MAC addresses per port (and doing ARP inspection if possible) is asking for trouble.

[2] When I say "way better", I mean being able to look at MAC tables and find a port that originates a MAC address, would be the minimum requirement to be better than "shit".

From mir at ripe.net Thu Sep 24 10:45:07 2015
From: mir at ripe.net (Mirjam Kuehne)
Date: Thu, 24 Sep 2015 10:45:07 +0200
Subject: [connect-wg] New on RIPE Labs: Looking at France-IX with RIPE Atlas and RIS
Message-ID: <5603B813.8070709@ripe.net>

Dear colleagues,

Please find a new article on RIPE Labs describing our recent collaborations with France-IX on collecting data plane and control plane Internet data with RIPE Atlas and the RIPE NCC's Routing Information Service (RIS):

https://labs.ripe.net/Members/emileaben/looking-at-france-ix-with-ripe-atlas-and-ris

Kind regards,
Mirjam Kuehne
RIPE NCC
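
The MAC-to-member lookup discussed in the "Who is sending me this stuff?" thread above (a member export in the Euro-IX JSON layout, with the peering router's ARP table as the fallback when the IXP does not publish MAC addresses), as an added example that is not code from any poster or IXP. The export field names are an assumption modelled on the Euro-IX member export and should be checked against the schema version in use; all addresses, ASNs and member names are constructed.

```python
import json
import re

# Constructed sample data (documentation IPs/ASNs); ARP_TABLE uses `ip neigh show` layout.
MEMBER_EXPORT = json.loads("""{"member_list": [
 {"asnum": 64496, "name": "Example Net A", "connection_list": [{"vlan_list": [
   {"ipv4": {"address": "192.0.2.10", "mac_addresses": ["02:00:00:00:64:96"]}}]}]},
 {"asnum": 64497, "name": "Example Net B", "connection_list": [{"vlan_list": [
   {"ipv4": {"address": "192.0.2.20"}}]}]}]}""")

ARP_TABLE = """\
192.0.2.10 dev eth1 lladdr 02:00:00:00:64:96 REACHABLE
192.0.2.20 dev eth1 lladdr 02:00:00:00:64:97 STALE
192.0.2.99 dev eth1 lladdr 02:00:00:00:99:99 STALE
"""

def norm_mac(mac):
    """Reduce aa:bb:.., AA-BB-.. or aabb.ccdd.eeff to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def index_members(export):
    """Build MAC -> member and peering-LAN IP -> member lookups."""
    by_mac, by_ip = {}, {}
    for m in export.get("member_list", []):
        who = (m["asnum"], m["name"])
        for conn in m.get("connection_list", []):
            for vlan in conn.get("vlan_list", []):
                for fam in ("ipv4", "ipv6"):
                    addr = vlan.get(fam) or {}
                    if "address" in addr:
                        by_ip[addr["address"]] = who
                    for mac in addr.get("mac_addresses", []):
                        by_mac[norm_mac(mac)] = who
    return by_mac, by_ip

def identify_sender(src_mac, export=MEMBER_EXPORT, arp_text=ARP_TABLE):
    """Return (asnum, name, method) for a source MAC, or None if unknown."""
    by_mac, by_ip = index_members(export)
    key = norm_mac(src_mac)
    if key in by_mac:                    # the IXP publishes this MAC
        return by_mac[key] + ("export-mac",)
    for line in arp_text.splitlines():   # fallback: MAC -> peering-LAN IP -> member
        f = line.split()
        if "lladdr" in f and norm_mac(f[f.index("lladdr") + 1]) == key and f[0] in by_ip:
            return by_ip[f[0]] + ("arp+export-ip",)
    return None
```

A `None` result means the MAC resolves to no published member, either because it is absent from the ARP table or because its peering-LAN address is not in the export; that is the case to raise with the IXP's operations team.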