Cisco Crosswork Network Insights - or how to destroy a useful service

I have started to use Cisco Crosswork Network Insights which is the replacement for BGPmon and I am shocked at how Cisco has managed to destroy a useful tool. I have had a paid 50 prefix account since the day BGPmon became available and helped two clients implement a 500 prefix license over the past 4 years. None will be buying Cisco Crosswork Network Insights, based on my recommendation.

I really don’t know where to begin since there is so much to dislike in this new GUI. I will try to give you just a small taste but I suggest you request a 90 day trial license and try it out for yourself.

This was not designed by someone who deals with BGP hijacks or who manages a network. It was probably given to some GUI developer with a minimal understanding of what the users needed. How do I know this? Take for example the main configuration menu: https://crosswork.cisco.com/#/configuration with the first tab of “prefixes”. On that page there is *no* mention of which ASN the prefix is associated with. That of course was fundamental in the BGPmon menu: https://portal.bgpmon.net/myprefixes.php

Or take for example its “express configuration”, where you insert an ASN and it automatically finds all prefixes and creates a policy. But does it know the name of the ASN? Nope. Something again that was basic in BGPmon via: https://portal.bgpmon.net/myasn.php is non-existent in CNI.

Or how about the alarms one gets to an email? Want to see how that looks?

From: Crosswork Admin [mailto:admin@crosswork.cisco.com]
Sent: 15 May 2019 11:39
To: Hank Nussbacher <Hank@mail.iucc.ac.il>
Subject: CCNI Notification

Active alarm count 1 starting at 2019-05-15 08:34:42.960762315 +0000 UTC.
Please click on the link for each alarm below:
https://crosswork.cisco.com/#/alarm/ba7c5084-f05d-4c12-a17f-be9e815d6647

Compare that with what we used to get:

====================================================================
Possible Prefix Hijack (Code: 10)
====================================================================
Your prefix: 99.201.0.0/16:
Prefix Description: Kuku net
Update time: 2018-08-12 17:50 (UTC)
Detected by #peers: 140
Detected prefix: 99.201.131.0/24
Announced by: AS222246 (BGP hijacking Ltd)
Upstream AS: AS111111 (Clueless ISP allowing customer hijacking Ltd)
ASpath: 555555 444444 333333 111111 222246
Alert details: https://portal.bgpmon.net/alerts.php?details&alert_id=830521190
Mark as false alert: https://portal.bgpmon.net/fp.php?aid=830521190

That is just a small sampling. Maybe two years down the road, Cisco will speak to customers first before destroying a useful service.

Anyone else trying this out and feels the same or feels differently?

Disappointed,
Hank

Hi,

I recognise the issue you describe, and I'd like to share with you that we're going down another road. Nowadays, RIPE NCC offers a streaming API ("RIS Live") which has the data needed to analyse and correlate BGP UPDATES seen in the wild to business rules you as operator define.

NTT folks are working on https://github.com/nlnog/bgpalerter/ - which relies on "RIPE RIS Live", this software should become a competitive replacement to current BGP monitoring tools. Stay tuned, the software will be more useful in the course of the next few weeks.

Kind regards,

Job
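Added example, not part of the original post and not code from bgpalerter, BGPmon or RIPE NCC: a minimal sketch of correlating BGP UPDATEs against operator-defined rules and producing an alert with the fields of the BGPmon e-mail quoted at the top of the thread. The JSON field names are assumed to follow the RIS Live message shape, and the allowed origin AS64500, the peer addresses and the sample messages are constructed for illustration.

```python
import ipaddress
import json

# Operator rules: monitored prefix -> (description, allowed origin ASNs).
# Prefix and description come from the alert quoted in the thread; AS64500 is
# a documentation ASN assumed here, as the thread never names the real origin.
RULES = {ipaddress.ip_network("99.201.0.0/16"): ("Kuku net", {64500})}

def _upd(peer, path, prefix):
    """Build one constructed UPDATE in the assumed RIS Live JSON shape."""
    return json.dumps({"type": "ris_message", "data": {
        "type": "UPDATE", "peer": peer, "path": path,
        "announcements": [{"next_hop": peer, "prefixes": [prefix]}]}})

SAMPLE = [  # constructed messages, not captured traffic
    _upd("192.0.2.1", [555555, 444444, 333333, 111111, 222246], "99.201.131.0/24"),
    _upd("192.0.2.2", [65551, 111111, 222246], "99.201.131.0/24"),
    _upd("192.0.2.1", [555555, 64500], "99.201.0.0/16"),    # legitimate origin
    _upd("192.0.2.2", [65551, 222246], "198.51.100.0/24"),  # not monitored
]

def violations(msg, rules=RULES):
    """Yield (monitored, seen, bad_origins, upstream, path, peer) per rule break."""
    data = msg.get("data", {})
    path = data.get("path") or []
    if msg.get("type") != "ris_message" or data.get("type") != "UPDATE" or not path:
        return
    last = path[-1]
    # An AS_SET at the end of the path arrives as a list of ASNs.
    origins = set(last) if isinstance(last, list) else {last}
    upstream = path[-2] if len(path) > 1 else None
    for ann in data.get("announcements", []):
        for text in ann.get("prefixes", []):
            seen = ipaddress.ip_network(text, strict=False)
            for mine, (_descr, allowed) in rules.items():
                covered = seen.version == mine.version and seen.subnet_of(mine)
                if covered and not origins <= allowed:
                    bad = tuple(sorted(origins - allowed))
                    yield mine, seen, bad, upstream, [str(h) for h in path], data.get("peer")

def correlate(raw_messages, rules=RULES):
    """Merge per-peer sightings into one alert per (detected prefix, origin)."""
    alerts = {}
    for raw in raw_messages:
        for mine, seen, bad, upstream, path, peer in violations(json.loads(raw), rules):
            alert = alerts.setdefault((seen, bad), {
                "kind": "more-specific" if seen != mine else "origin-change",
                "monitored": mine, "description": rules[mine][0], "detected": seen,
                "origin": bad, "upstream": upstream, "as_path": path, "peers": set()})
            alert["peers"].add(peer)
    return list(alerts.values())

def render(a):
    """Format an alert with the fields of the BGPmon e-mail in the thread."""
    rows = [("Your prefix", a["monitored"]), ("Prefix Description", a["description"]),
            ("Detected by #peers", len(a["peers"])), ("Detected prefix", a["detected"]),
            ("Announced by", ", ".join(f"AS{n}" for n in a["origin"])),
            ("Upstream AS", f"AS{a['upstream']}"), ("ASpath", " ".join(a["as_path"]))]
    lines = [(label + ":").ljust(20) + str(value) for label, value in rows]
    return "\n".join([f"Possible Prefix Hijack ({a['kind']})"] + lines)

if __name__ == "__main__":
    for alert in correlate(SAMPLE):
        print(render(alert), end="\n\n")
```

The two sightings of 99.201.131.0/24 collapse into one alert with a peer count of 2; the alert keeps the AS path from the first peer that reported it.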

Hi Job, All,

It relies *exclusively* on "RIPE RIS Live", or does it also use other sources?

Regards,
Carlos

On Wed, May 15, 2019 at 11:37:57AM +0100, Carlos Friaças wrote:
> It relies *exclusively* on "RIPE RIS Live", or does it also use other sources?

The first useful version will rely exclusively on the "RIS Live" interface. In a later stage we can consider adding something like the NLNOG Looking Glass data source.

Kind regards,

Job

Thus spake Job Snijders (job@ntt.net) on Wed, May 15, 2019 at 12:16:06PM +0200:
> I recognise the issue you describe, and I'd like to share with you that we're going down another road. Nowadays, RIPE NCC offers a streaming API ("RIS Live") which has the data needed to analyse and correlate BGP UPDATES seen in the wild to business rules you as operator define.
>
> NTT folks are working on https://github.com/nlnog/bgpalerter/ - which relies on "RIPE RIS Live", this software should become a competitive replacement to current BGP monitoring tools. Stay tuned, the software will be more useful in the course of the next few weeks.

Similarly, one can integrate CAIDA's BGPStream Broker Service[1] into their own tools. Like bgpalerter above, working with open source or rolling your own tools is increasingly straightforward[2] due to these community projects.

Another viable project to keep an eye on is ARTEMIS[3] for monitoring.

Dale

[1] https://bgpstream.caida.org/data
[2] https://github.com/dwcarder/bgpwatch
[3] https://www.inspire.edu.gr/artemis/

Hello,

we would be happy to collaborate to deploy and extend the ARTEMIS open-source software tool for monitoring, detection and potential automated mitigation of prefix hijacks, available on GitHub at https://github.com/FORTH-ICS-INSPIRE/artemis . Current monitoring sources include RIS live, BGPStream (classic RV + RIS and beta BMP support) and ExaBGP APIs to local monitors.

You are most welcome to check out the code and test, provide feedback and/or integrate with existing custom tools you might use.

Best regards,
Vasileios

--
=======================================
Vasileios Kotronis
Postdoctoral Researcher, member of the INSPIRE Group
INSPIRE = INternet Security, Privacy, and Intelligence REsearch
Telecommunications and Networks Lab (TNL)
Foundation for Research and Technology - Hellas (FORTH)
Leoforos Plastira 100, Heraklion 70013, Greece
Tel: +302810391241
Office: G-060
e-mail : vkotronis@ics.forth.gr
url: http://inspire.edu.gr
=======================================

Hi,

Maybe you should contact https://www.isolario.it/ for integration?

Thanks,

--
Marcin Gondek / Drixter
http://fido.e-utp.net/
AS56662

Is BGPmon going away?

On Wed, May 15, 2019 at 11:52:16AM +0000, Mann, Jason via NANOG wrote:
> Is BGPmon going away?

Yes, see https://bgpmon.net/wp-content/uploads/2019/01/BGPMon.net-EOL-EOS-faq.pdf

Kind regards,

Job

Cisco ruins everything they touch.

-----
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com

I would like to point out another more straightforward ignorant UI design decision for this new service. The login screen assumes and requires all Cisco.com account usernames to be email addresses. Many are not, especially for folks like me who have had theirs for decades.

--
Douglas C. Stephens | Network Systems Analyst
Information Technology | Phone: (515) 294-6102
Ames Laboratory, US DOE | Email: stephend@ameslab.gov

participants (10): Carlos Friaças, Dale W. Carder, Douglas C. Stephens, Hank Nussbacher, hank@efes.iucc.ac.il, Job Snijders, Mann, Jason, Marcin Gondek, Mike Hammett, Vasileios Kotronis