Hi,

First submission so be nice :-)

Ex. CenturyLink'er here so happy to share my knowledge of their network based solution if anyone is interested.

Cheers

Chris

On Wed, 5 Feb 2020, 12:00 , <nanog-request@nanog.org> wrote:
Send NANOG mailing list submissions to
        nanog@nanog.org

To subscribe or unsubscribe via the World Wide Web, visit
        https://mailman.nanog.org/mailman/listinfo/nanog
or, via email, send a message with subject or body 'help' to
        nanog-request@nanog.org

You can reach the person managing the list at
        nanog-owner@nanog.org

When replying, please edit your Subject line so it is more specific
than "Re: Contents of NANOG digest..."


Today's Topics:

   1. Re: Recommended DDoS mitigation appliance? (Colton Conor)
   2. RE: Recommended DDoS mitigation appliance? (Phil Lavin)
   3. RE: Recommended DDoS mitigation appliance? (Kushal R.)
   4. Re: Recommended DDoS mitigation appliance? (J. Hellenthal)
   5. Re: Recommended DDoS mitigation appliance? (Colton Conor)
   6. RE: Recommended DDoS mitigation appliance? (Phil Lavin)
   7. Re: Jenkins amplification (Daryl)
   8. Re: Jenkins amplification (Mike Meredith)
   9. Re: EVPN multicast route (multi home case ) implementation /
      deployment information (Andrey Kostin)
  10. WTR: 1-2RU @ Equinix Ashburn (Jason Lixfeld)
  11. Help with survey on enterprise network challenges?
      (Joseph Severini)
  12. Re: Jenkins amplification (Christopher Morrow)
  13. Re: Has Anyone managed to get Delegated RPKI working with
      ARIN (Cynthia Revström)
  14. Re: Has Anyone managed to get Delegated RPKI working with
      ARIN (Randy Bush)


----------------------------------------------------------------------

Message: 1
Date: Tue, 4 Feb 2020 07:40:18 -0600
From: Colton Conor <colton.conor@gmail.com>
To: Javier Juan <javier.juan@gmail.com>
Cc: Rabbi Rob Thomas <robt@cymru.com>, NANOG <nanog@nanog.org>
Subject: Re: Recommended DDoS mitigation appliance?
Message-ID:
        <CAMDdSzN0vhwK70Gd0EnNPRvP9QAfqoXZ_GUZiaVtgzcWgwN_GQ@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Javier,

So is Imperva similar to how Kentik operates? What was it priced liked?  I
like the Kentik solution, but their per router per month pricing is too
expensive even for a small network.

On Mon, Feb 3, 2020 at 11:01 AM Javier Juan <javier.juan@gmail.com> wrote:

> Hi !
>
> I was looking around (a couple years ago) for mitigation appliances
> (Riorey, Arbor, F5 and so on).... but the best and almost affordable
> solution I found was Incapsula/Imperva.
>
> https://docs.imperva.com/bundle/cloud-application-security/page/introducing/network-ddos-monitoring.htm
>
>
> Basically, You send your flows to Imperva on cloud for analysis. As soon
> as they find DDoS attack , they activate mitigation. It´s some kind of
> elegant-hybrid solution without on-premise appliances . Just check it out :)
>
> Regards,
>
> JJ
>
>
>
> On Sun, Nov 17, 2019 at 11:20 PM Rabbi Rob Thomas <robt@cymru.com> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>>
>> Hello, NANOG!
>>
>> I'm in the midst of rebuilding/upgrading our backbone and peering -
>> sessions cheerfully accepted :) - and am curious what folks recommend
>> in the DDoS mitigation appliance realm?  Ideally it would be capable
>> of 10Gbps and circa 14Mpps rate of mitigation.  If you have a
>> recommendation, I'd love to hear it and the reasons for it.  If you
>> have an alternative to an appliance that has worked well for you
>> (we're a mix of Cisco and Juniper), I'm all ears.
>>
>> Private responses are fine, and I'm happy to summarize back to the
>> list if there is interest.
>>
>> Thank you!
>> Rob.
>> - --
>> Rabbi Rob Thomas                                           Team Cymru
>>    "It is easy to believe in freedom of speech for those with whom we
>>     agree." - Leo McKern
>> -----BEGIN PGP SIGNATURE-----
>>
>> iQIzBAEBCAAdFiEEDcVjavXj08cL/QwdQ+hhYvqF8o0FAl3Rx08ACgkQQ+hhYvqF
>> 8o0snw/8CxTOujcodNh/huMXZaUNlMNoNRz3IoPqBiAP9BZomMz9xqlpDW/qvWBF
>> xhoJ07C0O0mo5ilNjnPR308uifIBu6ylw02PshOCU06dV0afgtndxGg5AoG9npUV
>> 7uCi2afWaf22dq5TwKLut8QPNNQJTRzndX88xJw9MzzoBTemxRtM7ft4H3UhJ0hv
>> oKo83FCNZQt36I+GZA9GBJeXM+o0f5h0w6fhRqARzttf6brJZdXgROyIQ7jptGuZ
>> N3Yrjk/8RM4XKMnYbtIwl8NS3c0nEGN3ndn+Bz7p2FE7QJrZKonk/o03dvr2kU0Y
>> 7gUQliOOzV9EsptVGyLCVyDJSElvXTBaps0giEVZhdmEIDJPWvBc+93j1g7xbmti
>> 27lT6+5qBmEN0oKJWxXgtw9/n1yX9vsc7tXlgYDoXGhIlszdB3baRao1tYEp8BBQ
>> hTGAULRfHe94tRzvOOQUQIuhzNcK1Q4E2jU6kzBB1wJsBD4zuHk+QIJLSHBmmnka
>> VNKlQ+5zP8dmSMBp6k4feqAtt3hy0Bj+34FbdQZYPutIe3VXHEjpWI3jI9vKjhtC
>> g7U/9CQIjVUl2APn1IllArpUpETBlNq7dSeJNUN/4Xh+eHglUnEn/m2kFG5mizmP
>> d0YvLEVe0/+WzDUz+y3KxDVP5tdJT1VM46FHIgeiB4KrWNGRPUo=
>> =uuel
>> -----END PGP SIGNATURE-----
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200204/f146a39e/attachment-0001.html>

------------------------------

Message: 2
Date: Tue, 4 Feb 2020 13:50:07 +0000
From: Phil Lavin <phil.lavin@cloudcall.com>
To: Colton Conor <colton.conor@gmail.com>, Javier Juan
        <javier.juan@gmail.com>
Cc: NANOG <nanog@nanog.org>
Subject: RE: Recommended DDoS mitigation appliance?
Message-ID:
        <DB6PR0301MB2533F880B73AEE1AA43C483089030@DB6PR0301MB2533.eurprd03.prod.outlook.com>

Content-Type: text/plain; charset="utf-8"

> So is Imperva similar to how Kentik operates? What was it priced liked?

It is a nice model as you don't need additional hardware or virtual appliances on-prem, which cuts down on the CAPEX cost. Like everyone else, they price the scrubbing based on your clean traffic levels. Price I have is circa $73,000 a year for 250mbit clean traffic and circa $94,000 a year for 500mbit clean traffic. Reasonably good value if you get attacked a lot - a very expensive insurance policy if not. Yearly pricing is broadly on par with Radware, Arbor and A10 (Verisign).

------------------------------

Message: 3
Date: Tue, 4 Feb 2020 19:27:13 +0530
From: "Kushal R." <kushal.r@h4g.co>
To: Colton Conor <colton.conor@gmail.com>, Javier Juan
        <javier.juan@gmail.com>, Phil Lavin <phil.lavin@cloudcall.com>
Cc: NANOG <nanog@nanog.org>
Subject: RE: Recommended DDoS mitigation appliance?
Message-ID: <8dfb7e0c-f61b-45eb-bd75-f93a3ec92277@Spark>
Content-Type: text/plain; charset="utf-8"

If you are looking for remote scrubbing, I can high recommend DDoS-Guard (ddos-guard.com), they do not have any “limits” on the size or the number of attacks, the billing is simply based on the clean bandwidth. The highest they have mitigated for us is about 40G. You can either have it in an always on mode, with all incoming traffic coming via their 4 POPs (Los Angeles, Amsterdam, Hong Kong or Almaty) or you can use something like FastNetMon or DDoS-Guard’s own application that runs on any hardware and use eBGP to route the victim /24 over DDG’s network.

--

Kushal R. | Management
Office: +1-8557374335 (Global) | +91-8080807931 (India)

WhatsApp: +1-3104050010 (Global) | +91-9834801976 (India)

host4geeks.com
host4geeks.in



On 4 Feb 2020, 7:22 PM +0530, Phil Lavin <phil.lavin@cloudcall.com>, wrote:
> > So is Imperva similar to how Kentik operates? What was it priced liked?
>
> It is a nice model as you don't need additional hardware or virtual appliances on-prem, which cuts down on the CAPEX cost. Like everyone else, they price the scrubbing based on your clean traffic levels. Price I have is circa $73,000 a year for 250mbit clean traffic and circa $94,000 a year for 500mbit clean traffic. Reasonably good value if you get attacked a lot - a very expensive insurance policy if not. Yearly pricing is broadly on par with Radware, Arbor and A10 (Verisign).
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200204/021b4821/attachment-0001.html>

------------------------------

Message: 4
Date: Tue, 4 Feb 2020 08:04:30 -0600
From: "J. Hellenthal" <jhellenthal@dataix.net>
To: Javier Juan <javier.juan@gmail.com>
Cc: Rabbi Rob Thomas <robt@cymru.com>, nanog@nanog.org
Subject: Re: Recommended DDoS mitigation appliance?
Message-ID: <654D5FD3-7D9D-423A-B2A9-817CC443A54E@dataix.net>
Content-Type: text/plain; charset="utf-8"

Hopefully you would be sending those flows out a different circuit than the one that’s going to get swamped with a DDoS otherwise... it might just take a while to mitigate that ;-) depending on the type obviously.

--
 J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume.

> On Feb 3, 2020, at 11:01, Javier Juan <javier.juan@gmail.com> wrote:
>
> 
> Hi !
>
> I was looking around (a couple years ago) for mitigation appliances (Riorey, Arbor, F5 and so on).... but the best and almost affordable solution I found was Incapsula/Imperva.
> https://docs.imperva.com/bundle/cloud-application-security/page/introducing/network-ddos-monitoring.htm
>
> Basically, You send your flows to Imperva on cloud for analysis. As soon as they find DDoS attack , they activate mitigation. It´s some kind of elegant-hybrid solution without on-premise appliances . Just check it out :)
>
> Regards,
>
> JJ
>
>
>
>> On Sun, Nov 17, 2019 at 11:20 PM Rabbi Rob Thomas <robt@cymru.com> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>>
>> Hello, NANOG!
>>
>> I'm in the midst of rebuilding/upgrading our backbone and peering -
>> sessions cheerfully accepted :) - and am curious what folks recommend
>> in the DDoS mitigation appliance realm?  Ideally it would be capable
>> of 10Gbps and circa 14Mpps rate of mitigation.  If you have a
>> recommendation, I'd love to hear it and the reasons for it.  If you
>> have an alternative to an appliance that has worked well for you
>> (we're a mix of Cisco and Juniper), I'm all ears.
>>
>> Private responses are fine, and I'm happy to summarize back to the
>> list if there is interest.
>>
>> Thank you!
>> Rob.
>> - --
>> Rabbi Rob Thomas                                           Team Cymru
>>    "It is easy to believe in freedom of speech for those with whom we
>>     agree." - Leo McKern
>> -----BEGIN PGP SIGNATURE-----
>>
>> iQIzBAEBCAAdFiEEDcVjavXj08cL/QwdQ+hhYvqF8o0FAl3Rx08ACgkQQ+hhYvqF
>> 8o0snw/8CxTOujcodNh/huMXZaUNlMNoNRz3IoPqBiAP9BZomMz9xqlpDW/qvWBF
>> xhoJ07C0O0mo5ilNjnPR308uifIBu6ylw02PshOCU06dV0afgtndxGg5AoG9npUV
>> 7uCi2afWaf22dq5TwKLut8QPNNQJTRzndX88xJw9MzzoBTemxRtM7ft4H3UhJ0hv
>> oKo83FCNZQt36I+GZA9GBJeXM+o0f5h0w6fhRqARzttf6brJZdXgROyIQ7jptGuZ
>> N3Yrjk/8RM4XKMnYbtIwl8NS3c0nEGN3ndn+Bz7p2FE7QJrZKonk/o03dvr2kU0Y
>> 7gUQliOOzV9EsptVGyLCVyDJSElvXTBaps0giEVZhdmEIDJPWvBc+93j1g7xbmti
>> 27lT6+5qBmEN0oKJWxXgtw9/n1yX9vsc7tXlgYDoXGhIlszdB3baRao1tYEp8BBQ
>> hTGAULRfHe94tRzvOOQUQIuhzNcK1Q4E2jU6kzBB1wJsBD4zuHk+QIJLSHBmmnka
>> VNKlQ+5zP8dmSMBp6k4feqAtt3hy0Bj+34FbdQZYPutIe3VXHEjpWI3jI9vKjhtC
>> g7U/9CQIjVUl2APn1IllArpUpETBlNq7dSeJNUN/4Xh+eHglUnEn/m2kFG5mizmP
>> d0YvLEVe0/+WzDUz+y3KxDVP5tdJT1VM46FHIgeiB4KrWNGRPUo=
>> =uuel
>> -----END PGP SIGNATURE-----
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200204/a0d80487/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3944 bytes
Desc: not available
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200204/a0d80487/attachment-0001.bin>

------------------------------

Message: 5
Date: Tue, 4 Feb 2020 08:25:21 -0600
From: Colton Conor <colton.conor@gmail.com>
To: Phil Lavin <phil.lavin@cloudcall.com>
Cc: Javier Juan <javier.juan@gmail.com>, NANOG <nanog@nanog.org>
Subject: Re: Recommended DDoS mitigation appliance?
Message-ID:
        <CAMDdSzONkYYT4AeMGLm7iOHYPhZbB7NKbU_rSR+Y6_GAbAN+sw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

Phil,

This sounds like a different model to me. Kentik I think averages out
around $500 per 10G per month. Kentik doesn't do any scrubbing however.
Does anyone have guide to DDoS services? Seems like there is a wide array
of pricing and technology options.

On Tue, Feb 4, 2020 at 7:50 AM Phil Lavin <phil.lavin@cloudcall.com> wrote:

> > So is Imperva similar to how Kentik operates? What was it priced liked?
>
> It is a nice model as you don't need additional hardware or virtual
> appliances on-prem, which cuts down on the CAPEX cost. Like everyone else,
> they price the scrubbing based on your clean traffic levels. Price I have
> is circa $73,000 a year for 250mbit clean traffic and circa $94,000 a year
> for 500mbit clean traffic. Reasonably good value if you get attacked a lot
> - a very expensive insurance policy if not. Yearly pricing is broadly on
> par with Radware, Arbor and A10 (Verisign).
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200204/64450404/attachment-0001.html>

------------------------------

Message: 6
Date: Tue, 4 Feb 2020 14:27:33 +0000
From: Phil Lavin <phil.lavin@cloudcall.com>
To: Colton Conor <colton.conor@gmail.com>
Cc: Javier Juan <javier.juan@gmail.com>, NANOG <nanog@nanog.org>
Subject: RE: Recommended DDoS mitigation appliance?
Message-ID:
        <DB6PR0301MB2533333514B0C540168E7B6189030@DB6PR0301MB2533.eurprd03.prod.outlook.com>

Content-Type: text/plain; charset="utf-8"

> This sounds like a different model to me. Kentik I think averages out around $500 per 10G per month

I was talking about Imperva

------------------------------

Message: 7
Date: Mon, 3 Feb 2020 13:39:10 -0600
From: Daryl <lists@soldmydata.online>
To: nanog@nanog.org
Subject: Re: Jenkins amplification
Message-ID: <20200203133910.2dfb5f5c@mail>
Content-Type: text/plain; charset=US-ASCII

On Mon, 3 Feb 2020 10:55:35 -0800 (PST)
Sabri Berisha <sabri@cluecentral.net> wrote:

> ----- On Feb 3, 2020, at 10:35 AM, Christopher Morrow
> morrowc.lists@gmail.com wrote:
>
> > On Mon, Feb 3, 2020 at 1:26 PM William Herrin <bill@herrin.us>
> > wrote: 
>
> >> VPN. 
> >
> > I love it when my home network gets full access to the corporate
> > network! 
>
> Most places I've worked at issue company controlled laptops with
> company controlled VPN software which will disable all local access
> and even disconnect if you dare to manually change the routing table
> to access the printer in your home office.
>
> In fact, a too tightly controlled VPN contributed to a 7 figure loss
> during an outage at a company which name shall not be mentioned.
>
> Your home network should have no access to the corp network. Your
> company issued laptop should.
>
> Thanks,
>
> Sabri

That's how our company operates. I went a step further and put all
company issued equipment on it's own vlan at home.


------------------------------

Message: 8
Date: Tue, 4 Feb 2020 16:12:45 +0000
From: Mike Meredith <mike.meredith@port.ac.uk>
To: nanog@nanog.org
Subject: Re: Jenkins amplification
Message-ID: <20200204161245.10aac79f@scrofula.eps.is.port.ac.uk>
Content-Type: text/plain; charset="utf-8"

On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow
<morrowc.lists@gmail.com> may have written:
> My experience, and granted it's fairly scoped, is that this sort of thing
> works fine for a relatively small set of 'persons' and 'resources'.

Seeing as managing this sort of thing is my primary job these days ...

> it ends up being about the cross-product of #users * #resources.

That's the interesting part of the job - coalescing rules in a way that
minimises the security impact but maximises the decrease of complexity. If
you don't, you get an explosion of complexity that results in a set of
rules (I know of an equivalent organisation that has over 1,000 firewall
rules) that becomes insanely complex to manage.

> certainly a more holistic version of the story is correct.
> the relatively flippant answer way-back-up-list of: "vpn"

I think that "vpn" is the right answer - it's preferrable to publishing
services to the entire world that only need to be used by empoyees. But
it's not cheap or easy.

--
Mike Meredith, University of Portsmouth
Hostmaster, Security, and Chief Systems Engineer

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200204/51fff1b7/attachment-0001.sig>

------------------------------

Message: 9
Date: Tue, 04 Feb 2020 11:59:13 -0500
From: Andrey Kostin <ankost@podolsk.ru>
To: "Mankamana Mishra (mankamis)" <mankamis@cisco.com>
Cc: nanog@nanog.org
Subject: Re: EVPN multicast route (multi home case ) implementation /
        deployment information
Message-ID: <af953fad372932f55b167921bd415962@podolsk.ru>
Content-Type: text/plain; charset=UTF-8; format=flowed

Hi Mankamana,

For Juniper:

Starting in Junos OS 18.4R1, devices with IGMP snooping enabled use
selective multicast forwarding in a centrally routed EVPN-VXLAN network
to replicate and forward multicast traffic. As before, IGMP snooping
allows the leaf device to send multicast traffic only to the access
interface with an interested receiver. But now, when IGMP snooping is
enabled, the leaf device selectively sends multicast traffic to only the
leaf devices in the core that have expressed an interest in that
multicast group. In selective multicast forwarding, leaf devices always
send multicast traffic to the spine device so that it can route
inter-VLAN multicast traffic through its IRB interface.

https://www.juniper.net/documentation/en_US/junos/topics/concept/evpn-selective-multicast-forwarding.html

Kind regards,
Andrey

Mankamana Mishra (mankamis) via NANOG писал 2020-02-03 18:34:
> Folks
>
> Wondering if there is any known implementation of EVPN multihome
> multicast routes which are defined in
>
> https://tools.ietf.org/html/draft-ietf-bess-evpn-igmp-mld-proxy-04
>
> there is some change planned in NLRI , we want to make sure to have
> solution which does work well with existing implementation.
>
> NOTE:  Discussion INVOLVES NOKIA, JUNIPER, CISCO, ARISTA ALREADY. SO
> LOOKING FOR ANY OTHER VENDOR WHO HAVE IMPLEMENTATION.
>
> Mankamana



------------------------------

Message: 10
Date: Tue, 4 Feb 2020 12:10:00 -0500
From: Jason Lixfeld <jason+nanog@lixfeld.ca>
To: NANOG mailing list <nanog@nanog.org>
Subject: WTR: 1-2RU @ Equinix Ashburn
Message-ID: <7BC7D4A3-5691-45D8-9C27-D8A21CD0BDB4@lixfeld.ca>
Content-Type: text/plain;       charset=utf-8

Hi,

I’m wondering if anyone is looking to subsidize their Equinix Ashburn colo costs by way of carving out 1-2 RU to a friendly for a low density networking application.  If so, I’d love to hear from you!

Thanks in advance!

------------------------------

Message: 11
Date: Tue, 4 Feb 2020 13:04:19 -0500
From: Joseph Severini <jseverin@andrew.cmu.edu>
To: nanog@nanog.org
Subject: Help with survey on enterprise network challenges?
Message-ID:
        <CAGBamiMrvAk599A0_fAW=sdmxjOHR8MVe9j9yXmHq+r52PjZGQ@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

Hi,

My name is Joseph Severini, and I am a PhD student in the Computer
Science Department at Carnegie Mellon University.

I’m working on a research project to identify common operational
challenges in modern enterprise computer networks. I’ve put together a
survey to identify these challenges by analyzing some operational
problems found in the Network Engineering Stack Exchange open-source
dataset. You’ll be given a problem from the dataset and asked some
questions about it.

I would appreciate it if you would consider taking this survey, which
can be found at the link below:

http://cmu.ca1.qualtrics.com/jfe/form/SV_dm6i9znuPWlLDN3

The survey should take ~15 minutes. Participation is voluntary, with
no compensation, and all responses are anonymous. You must be at least
18 years old to complete the survey.

Thanks,
Joseph Severini

PhD Student
CMU Computer Science Department


------------------------------

Message: 12
Date: Tue, 4 Feb 2020 15:59:37 -0500
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Mike Meredith <mike.meredith@port.ac.uk>
Cc: nanog list <nanog@nanog.org>
Subject: Re: Jenkins amplification
Message-ID:
        <CAL9jLaaiiLsOqShddYcdn_HYO0aeY+skF+XDefK3Uhvm+=A6cw@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"

On Tue, Feb 4, 2020 at 11:15 AM Mike Meredith <mike.meredith@port.ac.uk> wrote:
>
> On Mon, 3 Feb 2020 16:13:34 -0500, Christopher Morrow
> <morrowc.lists@gmail.com> may have written:
> > My experience, and granted it's fairly scoped, is that this sort of thing
> > works fine for a relatively small set of 'persons' and 'resources'.
>
> Seeing as managing this sort of thing is my primary job these days ...

<beer, you probably deserve one> :)

> > it ends up being about the cross-product of #users * #resources.
>
> That's the interesting part of the job - coalescing rules in a way that
> minimises the security impact but maximises the decrease of complexity. If
> you don't, you get an explosion of complexity that results in a set of
> rules (I know of an equivalent organisation that has over 1,000 firewall
> rules) that becomes insanely complex to manage.
>

I think the fact that it's hard to keep all of this going and to
contain the natural spread of destruction (that it takes someone with
a pretty singular foc us) makes my point.

> > certainly a more holistic version of the story is correct.
> > the relatively flippant answer way-back-up-list of: "vpn"
>
> I think that "vpn" is the right answer - it's preferrable to publishing
> services to the entire world that only need to be used by empoyees. But
> it's not cheap or easy.

Weighing the cost/benefit is certainly each org's decision.
having lived without vpn for a long while and under the regime of
authen/author for users with proper token/etc access... I'd not want
my internal network opened to the wilds of vpn users :( (I actively
discourage this at work because there are vanishingly small reasons
why a full network connection is really required by a user at this
point).

anyway, good luck!


------------------------------

Message: 13
Date: Wed, 5 Feb 2020 10:56:51 +0100
From: Cynthia Revström <me@cynthia.re>
To: christopher@ve7alb.ca
Cc: NANOG list <nanog@nanog.org>
Subject: Re: Has Anyone managed to get Delegated RPKI working with
        ARIN
Message-ID:
        <CAKw1M3PQTvB6zyJkn5eMdByJTSqXX4seUYFBduf-jQnLWSMJFw@mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

(Re-sent as I forgot to include the ML the first time, oops)
Hi Chris,

I recently figured it out and posted it on the NLNetLabs RPKI mailing list.
https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html
I hope it helps :)

- Cynthia

On Wed, Jan 29, 2020 at 6:31 PM Christopher Munz-Michielin <
christopher@ve7alb.ca> wrote:

> Hi Nanog,
>
> Posting here since my Google-fu is coming up short.  I'm trying to setup
> delegated RPKI in ARIN using rpki.net's rpkid Python daemon and am
> running into an issue submitting the identity file to ARIN's control panel.
> The same file submitted to RIPE's  test environment at
> https://localcert.ripe.net/#/rpki works without issue, while submitting
> to ARIN results in "Invalid Identity.xml file."
>
> The guide I'm following is this one:
> https://github.com/dragonresearch/rpki.net/blob/master/doc/quickstart/xenial-ca.md
> and I'm able to get as far as generating the identity file.
>
> Wondering if anyone has gone down this road before and has any helpful
> hints to make this work?
>
> Cheers,
> Chris
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20200205/49b8cf46/attachment-0001.html>

------------------------------

Message: 14
Date: Wed, 05 Feb 2020 02:52:08 -0800
From: Randy Bush <randy@psg.com>
To: "Cynthia Revström" <me@cynthia.re>
Cc: christopher@ve7alb.ca,      NANOG list <nanog@nanog.org>
Subject: Re: Has Anyone managed to get Delegated RPKI working with
        ARIN
Message-ID: <m2o8ud71d3.wl-randy@psg.com>
Content-Type: text/plain; charset=US-ASCII

> I recently figured it out and posted it on the NLNetLabs RPKI mailing list.
> https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html

nice.  thank you.

randy


End of NANOG Digest, Vol 145, Issue 5
*************************************