
Mailing List Archive: NANOG: users

ISP best practices

 

 



source_route at yahoo

May 21, 2009, 6:38 AM

Post #1 of 33 (2303 views)
Permalink
ISP best practices

To all,

I am sure this has been asked 10 to the 1 millionth power times; however, maybe the rules have changed. I am looking to set up a really small ISP with a few /24's. I want to host DNS as well. Are there any whitepapers/howtos/best practices on setting up multihomed BGP and DNS with BIND so I don't blow up the Internet?

Thx

Philip


dwhite at olp

May 21, 2009, 6:44 AM

Post #2 of 33 (2243 views)
Permalink
Re: ISP best practices [In reply to]

Philip Lavine wrote:
> To all,
>
> I am sure this has been asked 10 to the 1 millionth power times; however, maybe the rules have changed. I am looking to set up a really small ISP with a few /24's. I want to host DNS as well. Are there any whitepapers/howtos/best practices on setting up multihomed BGP and DNS with BIND so I don't blow up the Internet?
>
> Thx
>
> Philip
>

Hiring a consultant to do your initial configuration is highly
recommended. We took this route when we originally configured BGP and it
allowed me to learn from and study a known 'good' configuration.

- Dan


steve at ibctech

May 21, 2009, 6:45 AM

Post #3 of 33 (2243 views)
Permalink
Re: ISP best practices [In reply to]

Philip Lavine wrote:
> To all,
>
> I am sure this has been asked 10 to the 1 millionth power times; however, maybe the rules have changed. I am looking to set up a really small ISP with a few /24's. I want to host DNS as well. Are there any whitepapers/howtos/best practices on setting up multihomed BGP and DNS with BIND so I don't blow up the Internet?

BCP 38:
- http://www.ietf.org/rfc/rfc3704.txt

ISP Essentials:
- http://www.ciscopress.com/bookstore/product.asp?isbn=1587050412

Securing IP Network Traffic Planes:
- http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365

- anything and everything regarding IPv6.

...would be a VERY good start (I've read Securing IP Traffic Planes
which is also a great reference, and am just finishing up ISP Essentials,
which is dated, but the principles still apply).

Steve
Attachments: smime.p7s (3.16 KB)


bradley.freeman at csirt

May 21, 2009, 6:48 AM

Post #4 of 33 (2243 views)
Permalink
RE: ISP best practices [In reply to]

In regards to DNS there is a great secure BIND template here
http://www.cymru.com/Documents/secure-bind-template.html which will help
stop your server from being an unneeded open resolver, or sending out root
hints which are used all the time to amplify DDOS attacks often without you
realising.

Bradley
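
The two behaviours this message warns about (answering recursive queries for anyone, and replying with a root-hints referral) can be told apart from the header of the reply a server gives to an outside client asking for a name it does not host. The following is an added example, not part of the original message or of the linked template; the function names are hypothetical and the sample replies are constructed.

```python
"""Classify a DNS server's reply to an off-net query for a foreign name."""
import struct

FLAG_AA = 0x0400       # authoritative answer
FLAG_RA = 0x0080       # recursion available
RCODE_REFUSED = 5


def build_query(name, qtype=1, txid=0x1234):
    """Minimal query with RD=1, class IN (qtype 1 = A, 2 = NS)."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in name.split(".") if part
    )
    return header + labels + b"\x00" + struct.pack("!2H", qtype, 1)


def classify_response(query, response):
    """Return (verdict, amplification) from the reply header and size.

    Assumes the query asked for a name the server is NOT authoritative
    for and was sent from an address outside the customer ranges.
    """
    if len(response) < 12:
        return ("malformed", 0.0)
    _txid, flags, _qd, an, ns, _ar = struct.unpack("!6H", response[:12])
    rcode = flags & 0x000F
    amplification = round(len(response) / len(query), 1)
    if rcode == RCODE_REFUSED:
        verdict = "refused"            # desired behaviour for outsiders
    elif flags & FLAG_AA:
        verdict = "authoritative"      # the server hosts this name after all
    elif flags & FLAG_RA and rcode == 0 and an > 0:
        verdict = "open-resolver"      # recursed on behalf of a stranger
    elif rcode == 0 and an == 0 and ns > 0:
        verdict = "upward-referral"    # handed out root hints instead
    else:
        verdict = "other"
    return (verdict, amplification)


def sample_response(flags, an, ns, ar, size, txid=0x1234):
    """Constructed reply: real header, zero padding standing in for records."""
    header = struct.pack("!6H", txid, flags, 1, an, ns, ar)
    return header + b"\x00" * (size - 12)


if __name__ == "__main__":
    q = build_query("example.com")
    # Constructed replies: REFUSED, a recursive answer, a root referral.
    for reply in (
        sample_response(0x8105, 0, 0, 0, 29),
        sample_response(0x8180, 1, 0, 0, 58),
        sample_response(0x8100, 0, 13, 13, 522),
    ):
        print(classify_response(q, reply))
```

The amplification figure is the reply size divided by the query size, which is what makes the referral case worth closing even though no recursion takes place.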




jlewis at lewis

May 21, 2009, 7:00 AM

Post #5 of 33 (2243 views)
Permalink
Re: ISP best practices [In reply to]

On Thu, 21 May 2009, Philip Lavine wrote:

> I am sure this has been asked 10 to the 1 millionth power times; however,
> maybe the rules have changed. I am looking to set up a really small ISP
> with a few /24's. I want to host DNS as well. Are there any
> whitepapers/howtos/best practices on setting up multihomed BGP and DNS
> with BIND so I don't blow up the Internet?

A few minutes with google would probably find sample BGP multihoming
configs. The big things to avoid are unnecessary deaggregation and
announcing routes received from one provider to the other.

i.e. If you have a /22 of IP space, you may use/see that as 4 /24's or a
larger number of smaller subnets, but where eBGP is concerned, you should
announce just the /22 route and keep your subnetting to yourself.

If you have competent providers, they won't accept routes from you that
they're not expecting, which will stop you from offering transit to them
by announcing routes received from your other provider. Still, it's
better to get your config done right than rely on your providers to ignore
what you shouldn't be advertising.

----------------------------------------------------------------------
Jon Lewis | I route
Senior Network Engineer | therefore you are
Atlantic Net |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________


bbc at misn

May 21, 2009, 7:10 AM

Post #6 of 33 (2243 views)
Permalink
Re: ISP best practices [In reply to]

This is the Nanog list . . .

How about some Nanog resources . . .

http://www.nanog.org/resources/tutorials/

And, yes, hiring a consultant is a good idea. But, being an informed
consumer is also a good idea. Read lots! Ask lots of questions!

Cheers!

bbc




rdobbins at arbor

May 21, 2009, 7:14 AM

Post #7 of 33 (2243 views)
Permalink
Re: ISP best practices [In reply to]

On May 21, 2009, at 8:45 PM, Steve Bertrand wrote:

> Securing IP Network Traffic Planes:
> - http://www.ciscopress.com/bookstore/product.asp?isbn=1587053365

I can't recommend this book enough - it's the current canonical
reference on opsec-related BCPs for network infrastructure, IMHO (full
disclosure: I was fortunate enough to have the opportunity to provide
some feedback to the authors as they worked on this tome, but have no
financial interest whatsoever in its publication or sales thereof).

-----------------------------------------------------------------------
Roland Dobbins <rdobbins[at]arbor.net> // <http://www.arbornetworks.com>

Unfortunately, inefficiency scales really well.

-- Kevin Lawton


lists at mtin

May 21, 2009, 7:19 AM

Post #8 of 33 (2246 views)
Permalink
Re: ISP best practices [In reply to]

The problem with ISP essentials is it was published in 2002. Same goes
for some of the other good Cisco books. A lot has changed in the ISP world
since. Sure it has good information but I wouldn't spend the $ for a new
copy. Find it on half.com or somewhere.

Justin





joelja at bogus

May 21, 2009, 7:20 AM

Post #9 of 33 (2244 views)
Permalink
Re: ISP best practices [In reply to]

The African Network Operators Group has quite a good set of workshop
materials for both ISP routing (including v6) and DNS (separate workshops).

Weeklong course materials for the routing track are here:

http://www.ws.afnog.org/afnog2009/sie/detail.html


Bryan Campbell wrote:
> This is the Nanog list . . .
>
> How about some Nanog resources . . .
>
> http://www.nanog.org/resources/tutorials/
>
> And, yes, hiring a consultant is a good idea. But, being an informed
> consumer is also a good idea. Read lots! Ask lots of questions!
>
> Cheers!
>
> bbc
>


steve at ibctech

May 21, 2009, 7:30 AM

Post #10 of 33 (2245 views)
Permalink
Re: ISP best practices [In reply to]

Jon Lewis wrote:

> Still, it's
> better to get your config done right than rely on your providers to
> ignore what you shouldn't be advertising.

I have to agree completely with Jon here.

As a small SP, it is prudent to do everything you can to be a good 'netizen.

Apply your outbound prefix lists *before* you turn up your BGP
session(s). You should also ensure that you have a good grasp on BCP 38
prior to connecting yourself. This should be done no matter who your
upstreams are, large or small.

There is nothing more frustrating than seeing RFC 1918, BOGON and/or
your own IP space coming back at you eating your bandwidth from your
upstreams, so ensure you are not responsible for doing it to them.

Steve
Attachments: smime.p7s (3.16 KB)
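
The outbound rules from Jon Lewis's and Steve's messages above (announce only the aggregate, never pass one provider's routes to the other, never leak RFC 1918 or bogon space, and apply BCP 38 to your own traffic) can be checked before a session is turned up. The following is an added example, not code from the thread; the /22 allocation, the candidate routes and the prefix-list name are constructed, and the bogon list is a short illustrative subset.

```python
"""Pre-flight audit of eBGP announcements and BCP 38 egress sources (IPv4)."""
import ipaddress

# Illustrative subset of non-routable space, not a complete bogon list.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Constructed sample: the space assumed to be allocated to this ISP.
ALLOCATIONS = [ipaddress.ip_network("203.0.112.0/22")]


def classify(prefix, allocations=ALLOCATIONS):
    """Return 'ok', 'deaggregated', 'bogon' or 'not-ours' for one prefix."""
    net = ipaddress.ip_network(prefix)
    if any(net.overlaps(b) for b in BOGONS):
        return "bogon"
    for alloc in allocations:
        if net == alloc:
            return "ok"
        # A more-specific of our own block: keep the subnetting internal.
        if net.version == alloc.version and net.subnet_of(alloc):
            return "deaggregated"
    # Anything else was learned from someone; announcing it offers transit.
    return "not-ours"


def audit(candidates, allocations=ALLOCATIONS):
    """Map each candidate announcement to its verdict."""
    return {p: classify(p, allocations) for p in candidates}


def prefix_list(name, allocations=ALLOCATIONS):
    """Render an exact-match outbound prefix-list in Cisco IOS syntax.

    Only the aggregates are permitted; everything else falls through to
    the implicit deny at the end of the list.
    """
    return [
        f"ip prefix-list {name} seq {5 * i} permit {alloc}"
        for i, alloc in enumerate(allocations, start=1)
    ]


def egress_source_ok(src, allocations=ALLOCATIONS):
    """BCP 38: only packets sourced from our own space may leave."""
    addr = ipaddress.ip_address(src)
    return any(addr in alloc for alloc in allocations)


if __name__ == "__main__":
    # Constructed candidates: the aggregate, one of its /24s, a private
    # block, and a route learned from the other upstream.
    routes = ["203.0.112.0/22", "203.0.113.0/24",
              "10.1.0.0/16", "198.51.100.0/24"]
    for prefix, verdict in audit(routes).items():
        print(f"{prefix:18} {verdict}")
    print("\n".join(prefix_list("OUT-UPSTREAM")))
```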


cmaurand at xyonet

May 21, 2009, 8:06 AM

Post #11 of 33 (2243 views)
Permalink
Re: ISP best practices [In reply to]

Check out www.powerdns.com as an alternative to bind. It's faster, more
secure, does IPV6 and easier to maintain.

Curtis



bclark at spectraaccess

May 21, 2009, 8:27 AM

Post #12 of 33 (2233 views)
Permalink
Re: ISP best practices [In reply to]

While BGP can become a rather complex protocol to implement as a network
grows, basic BGP peering between two providers isn't really that
complex...probably talking 10 config lines at most (excluding
bogon/filtering). The first thing you want to make sure is that your
upstream providers are implementing filtering, which most of the serious
providers do. That way all you can do is hurt yourself while keeping the
rest of us on the list here happy :).

It's best to get your own IP address space from ARIN if possible,
because if you use IP space from your upstream provider, it becomes a
nightmare to change over at a later date...IP renumbering is not fun!
That was the one mistake we made when we first started.

Personally I'm a fan of the "do it yourself" club...yeah you'll make
mistakes, but the hands-on approach is by far the best way to learn.

Bret




ben at hns

May 21, 2009, 8:29 AM

Post #13 of 33 (2233 views)
Permalink
Re: ISP best practices [In reply to]

I've deployed PowerDNS before, along with PowerAdmin
(https://www.poweradmin.org/trac/). Very easy to set up and manage.

Ben

For system or network support, please email support[at]hns.net

Curtis Maurand wrote:
>
> Check out www.powerdns.com as an alternative to bind. It's faster, more
> secure, does IPV6 and easier to maintain.
>
> Curtis


list-nanog2 at dragon

May 21, 2009, 8:47 AM

Post #14 of 33 (2230 views)
Permalink
Re: ISP best practices [In reply to]

cmaurand> Check out www.powerdns.com as an alternative to bind. It's
cmaurand> faster, more secure, does IPV6 and easier to maintain.

This is purely opinion.

BIND has warts, just as any large piece of code in widespread use and
with lots of features will have. However, that's also one of its
advantages. Lots of folks run it and know it and fix it when it breaks.

Works for root & gtld servers, must not totally suck.

BIND does ipV6, has since BIND8.

It is also fully DNSSEC compliant. Is powerdns yet?

Yes. Do check out all the alternatives for DNS. But if you're looking at
ipV6 support because you want to be able to support upcoming protocols,
make sure your DNS can do DNSSEC correctly too.


ben at hns

May 21, 2009, 8:59 AM

Post #15 of 33 (2230 views)
Permalink
Re: ISP best practices [In reply to]

If you want to go down the BIND route, I'd recommend using xname as a
frontend (http://source.xname.org/).

Paul E wrote:
> cmaurand> Check out www.powerdns.com as an alternative to bind. It's
> cmaurand> faster, more secure, does IPV6 and easier to maintain.
>
> This is purely opinion.
>
> BIND has warts, just as any large piece of code in widespread use and
> with lots of features will have. However, that's also one of its
> advantages. Lots of folks run it and know it and fix it when it breaks.
>
> Works for root & gtld servers, must not totally suck.
>
> BIND does ipV6, has since BIND8.
>
> It is also fully DNSSEC compliant. Is powerdns yet?
>
> Yes. Do check out all the alternatives for DNS. But if you're looking at
> ipV6 support because you want to be able to support upcoming protocols,
> make sure your DNS can do DNSSEC correctly too.
>
>
>
>


jabley at hopcount

May 21, 2009, 9:00 AM

Post #16 of 33 (2231 views)
Permalink
Re: ISP best practices [In reply to]

On 21-May-2009, at 11:06, Curtis Maurand wrote:

> Check out www.powerdns.com as an alternative to bind. It's faster,
> more secure, does IPV6 and easier to maintain.

I have heard lots of good things about PowerDNS, and I'm quite
prepared to believe that it's a natural choice for a DNS hosting
service where the database back-end makes for far simpler provisioning
and control than managing a pile of config files.

However, you're not necessarily doing anybody any favours in making
statements like "faster", "more secure" and "does IPv6". DNS servers
are complicated beasts, and simplistic comparisons are not useful for
much (it'd be trivial to give you examples where PowerDNS is slower
and less secure, for example, and BIND9 has done IPv6 for the better
part of a decade).


Joe


bmanning at vacation

May 21, 2009, 9:14 AM

Post #17 of 33 (2231 views)
Permalink
Re: ISP best practices [In reply to]

On Thu, May 21, 2009 at 12:00:58PM -0400, Joe Abley wrote:
>
> However, you're not necessarily doing anybody any favours in making
> statements like "faster", "more secure" and "does IPv6". DNS servers
> are complicated beasts, and simplistic comparisons are not useful for
> much (it'd be trivial to give you examples where PowerDNS is slower
> and less secure, for example, and BIND9 has done IPv6 for the better
> part of a decade).

...done IPv6 for the better part of a decade...

well yeah, for some very loose definition of "doing IPv6"....


> Joe


jabley at hopcount

May 21, 2009, 9:17 AM

Post #18 of 33 (2233 views)
Permalink
Re: ISP best practices [In reply to]

On 21-May-2009, at 12:14, bmanning[at]vacation.karoshi.com wrote:

> ...done IPv6 for the better part of a decade...
>
> well yeah, for some very loose definition of "doing IPv6"....

You no doubt have greater expectations than I in that regard :-)


Joe


cmaurand at xyonet

May 21, 2009, 12:09 PM

Post #19 of 33 (2226 views)
Permalink
Re: ISP best practices [In reply to]

You're correct on the blanket statement. Apologies.

--C

Joe Abley wrote:
>
> On 21-May-2009, at 11:06, Curtis Maurand wrote:
>
>> Check out www.powerdns.com as an alternative to bind. It's faster,
>> more secure, does IPV6 and easier to maintain.
>
> I have heard lots of good things about PowerDNS, and I'm quite
> prepared to believe that it's a natural choice for a DNS hosting
> service where the database back-end makes for far simpler provisioning
> and control than managing a pile of config files.
>
> However, you're not necessarily doing anybody any favours in making
> statements like "faster", "more secure" and "does IPv6". DNS servers
> are complicated beasts, and simplistic comparisons are not useful for
> much (it'd be trivial to give you examples where PowerDNS is slower
> and less secure, for example, and BIND9 has done IPv6 for the better
> part of a decade).
>
>
> Joe


sronan at fattoc

May 21, 2009, 1:38 PM

Post #20 of 33 (2212 views)
Permalink
Re: ISP best practices [In reply to]

I learned DNS initially by reading some great documents by Avi
Freedman, they are a little outdated, but still very relevant and
posted on his website @ http://www.freedman.net/




akennedy at cyberlinktech

May 21, 2009, 1:40 PM

Post #21 of 33 (2211 views)
Permalink
Re: ISP best practices [In reply to]

Bind is fully capable of IPv6. When combined with Webmin (www.webmin.com),
I'm not sure how much easier Bind can get. Webmin will also keep DNSSEC keys
up to date with changes, so long as you make those changes from within
Webmin. If you make changes in CLI, you can tell Webmin to rehash the keys
manually. It's as simple as clicking a GUI button.


On 5/21/09 11:06 AM, "Curtis Maurand" <cmaurand[at]xyonet.com> wrote:

>
> Check out www.powerdns.com as an alternative to bind. It's faster, more
> secure, does IPV6 and easier to maintain.
>
> Curtis

--
Adam Kennedy
Senior Network Administrator
Cyberlink Technologies, Inc.
Phone: 888-293-3693 x4352
Fax: 574-855-5761


sronan at fattoc

May 21, 2009, 1:41 PM

Post #22 of 33 (2212 views)
Permalink
Re: ISP best practices [In reply to]

Apologies, this should have said I learned BGP initially not DNS.

Sorry!!

On May 21, 2009, at 4:38 PM, Shane Ronan wrote:

> I learned DNS initially by reading some great documents by Avi
> Freedman, they are a little outdated, but still very relevant and
> posted on his website @ http://www.freedman.net/


jason at electronet

May 21, 2009, 1:48 PM

Post #23 of 33 (2213 views)
Permalink
RE: ISP best practices [In reply to]

> -----Original Message-----
> From: Adam Kennedy [mailto:akennedy[at]cyberlinktech.com]
> Sent: Thursday, May 21, 2009 4:41 PM
> To: NANOG
> Subject: Re: ISP best practices
>
> ...When combined with Webmin (www.webmin.com),

<shudder>


Jason A. Bertoch
Network Administrator
jason[at]electronet.net
Electronet Broadband Communications
3411 Capital Medical Blvd.
Tallahassee, FL 32308
(V) 850.222.0229 (F) 850.222.8771


lists at mtin

May 21, 2009, 1:58 PM

Post #24 of 33 (2211 views)
Permalink
Re: ISP best practices [In reply to]

We have several clients using Webmin. If you don't know command line,
Webmin is another tool to help you learn. You can have webmin do it and
then look at the config to learn.

Justin




sronan at fattoc

May 21, 2009, 2:07 PM

Post #25 of 33 (2211 views)
Permalink
Re: ISP best practices [In reply to]

I have to agree.

I've been working with BIND for over 10 years, and still use webmin to
help me keep things organized.


On May 21, 2009, at 4:58 PM, Justin Wilson - MTIN wrote:

>
> We have several clients using Webmin. If you don't know command line,
> Webmin is another tool to help you learn. You can have webmin do it and
> then look at the config to learn.
>
> Justin
