Hi Guys, see below for current status from Nick Willis.
Thanks Tim,
You are right, we have been working on SDN/OpenFlow solutions for NZIX. In the last month we have finished a Proof of Concept of the SDN for NZIX based on NoviFlow hardware that looks at the following use cases.
* Enforce router hygiene
  * NZIX2 will block IGP, CDP, STP etc noise leaked by peers, by only allowing DIX Ethernet (Ethernet II) encapsulated frames and not LLC/SNAP frames
  * ARP, DHCP, PIM, ICMPv6 ND-RA etc broadcast and multicast messages will be blocked. We have an exception for ARP messages sourced from the exchange peering subnet and IPv6 ND (NB: IPv6 traffic is still not supported in this demo version)
* Implement IETF BCP38
  * Instead of relying on peers to implement BCP38, NZIX2 enforces it by only allowing traffic sourced from a prefix which has been registered on the NZIX2 portal to enter the exchange
* Reflection attack mitigation
  * switch ports are tied to prefixes and mac addresses so the exchange SDN switch will not accept traffic sourced from a prefix which is not supposed to be coming from this particular port, as registered on the NZIX2 portal
* Prevent capacity stealing
  * traffic is allowed on the exchange only if it's sourced/destined from/to a prefix that has been registered on the NZIX2 portal. This means that if a peer configures a static default route to an ISP that has the full internet routing table, his traffic destined to international prefixes will be dropped
The next step is a demonstration of this Proof of Concept version to interested parties in the technical community to get their feedback on the value of these features for network operators. The details of this demonstration are still being worked through.
While aggregated traffic reporting would be part of this, we do not have a release date yet for an SDN/OpenFlow based exchange. I will investigate whether we can release aggregated traffic reporting on the current exchanges earlier.
Regards
Nick Willis
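
The admission rules listed in the message above can be modelled as one per-frame decision. This is an added example, not part of the original message and not NZIX code; the peering subnet, MAC addresses, prefixes and all function names are constructed placeholders, and it covers only IPv4 and ARP (the message notes IPv6 is not supported in the demo).

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data standing in for the portal registrations.
PEERING_SUBNET = ipaddress.ip_network("192.0.2.0/24")
REGISTRY = {  # switch port -> (registered router MAC, registered prefixes)
    1: ("02:00:00:00:00:01", [ipaddress.ip_network("198.51.100.0/24")]),
    2: ("02:00:00:00:00:02", [ipaddress.ip_network("203.0.113.0/24")]),
}
ETH_IPV4, ETH_ARP = 0x0800, 0x0806

@dataclass
class Frame:
    port: int
    src_mac: str
    dst_mac: str
    ethertype: int  # a value below 0x0600 is an 802.3 length field (LLC/SNAP)
    src_ip: str = ""
    dst_ip: str = ""

def is_group_mac(mac):
    # Broadcast and multicast destinations have the low bit of octet 0 set.
    return int(mac.split(":")[0], 16) & 1 == 1

def in_any(ip, prefixes):
    return any(ipaddress.ip_address(ip) in p for p in prefixes)

def admit(f):
    """Return 'allow...' or 'drop: reason' for one ingress frame."""
    if f.ethertype < 0x0600:  # router hygiene: Ethernet II frames only
        return "drop: LLC/SNAP frame"
    entry = REGISTRY.get(f.port)
    if entry is None or entry[0] != f.src_mac.lower():
        return "drop: MAC not registered on this port"
    if f.ethertype == ETH_ARP:  # the one broadcast exception modelled here
        if in_any(f.src_ip, [PEERING_SUBNET]):
            return "allow: ARP from peering subnet"
        return "drop: ARP from outside peering subnet"
    if f.ethertype != ETH_IPV4 or is_group_mac(f.dst_mac):
        return "drop: broadcast/multicast or unsupported protocol"
    # BCP38 and reflection mitigation: source must be registered to THIS port.
    if not in_any(f.src_ip, entry[1]):
        return "drop: source prefix not registered on this port"
    # Capacity stealing: destination must be registered by some peer.
    # (Peering-LAN unicast such as BGP sessions is not modelled.)
    if not in_any(f.dst_ip, [p for _, ps in REGISTRY.values() for p in ps]):
        return "drop: destination prefix not registered"
    return "allow"
```
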