Hi Fredy, Everyone,
I realised my previous reply was sent encrypted, sorry about the noise. Here is the clear content:
Taking back on a wider point of view again, I think temporary and localised/more specific BGP announcements aren't such a bad idea, but I'm the awful example and I can reach most of the content in .ch through the peering locations around my network.
That's also valid for the content I host, or almost, because I'm not yet at the point where I can tweak my announcements to all the bigger players in .ch, for instance to that very cooperative cable operator, because they still won't peer with these tiny networks. So I'm already out of that pack of users.
And furthermore, I also heard that transit is becoming cheaper than peering, with some LIRs/ISPs getting it from, let's say, HE and Cogent, even if they are based in .ch. I see this becoming a blocking point if we don't remind the local LIRs/ISPs that, for user experience, we should try to keep traffic local if possible.
Maybe we should ask the big hosting locations in .ch to get free x-connects for the peering ports?
Will
On 01 Oct 2016, at 22:15, Jeroen Massar jeroen@massar.ch wrote:
On 2016-10-01 20:24, Patrick Albrecht wrote:
> Hi
> I'm an employee of a well-known e-commerce site here in Switzerland and I would like to share some thoughts from my side, if that's okay for all. I hope I understood well enough what you plan. Otherwise just ignore what I just wrote :)
>> Given that e-commerce sites such as digitec.ch are presumably making 99.9% of their revenue within Switzerland, their prefix doesn't need to be reachable from all over the world.
> That's correct, the /customer/ doesn't normally need to reach the website from outside Switzerland. But there are many 3rd-party providers for newsletters, monitoring etc. and distributors that need to be able to resolve digitec.ch outside of Switzerland, for example.
"resolve" implies DNS.
Peering is about BGP.
> (because their servers are not located in Switzerland) Mostly it's dispensable if they can't reach the website or an FTP server for some minutes, but if they can't access the page for days the e-commerce site will have issues with orders, product availability, newsletter shipping etc. Also some 3rd-party scripts may use a DNS lookup and would fail then.
You need to see that 'limited announce of prefix' would only happen in the case of a DDoS, this, so that local sites / direct peers can reach it, but it is 'dead' over transit, thus cutting off most DDoS traffic that comes from strange countries (not .ch).
As for those external companies, if you are worried about them failing: peer directly with them, set up a VPN, or move your stuff more local where you have control.
Also, do realize that providing Swiss customer data to a foreign entity might break various privacy regulations.... do ask your legal team and of course inform your customers.
> There's also a possibility that the employees reach the internet via a proxy outside of Switzerland (due to an enterprise policy), so they wouldn't be able to access their site and couldn't work at all.
That is a weird "enterprise policy". Doing business that way opens you up to all kinds of fun international laws concerning your business.
Also note that you can of course always announce to trusted peers that are not in Switzerland...
The major point is "trusted peers". Ones that will clean up their attacking hosts the moment you notify them.
> Of course if the site isn't available at all it's not a good experience for the customer and they may order their article on another online shop, but if the website is online and doesn't work properly that's not an optimal solution either.
Better test it out today what happens when your site gets DDoSsed to bits, as the script kiddies have access to the same botnet now that Krebs got sent after him... (see other mail).
> Additionally to the fact that more and more e-commerce websites use DDoS protection services like Akamai or Cloudflare, only about half host their website on servers in Switzerland.
You might want to reconsider your hosting location ;)
Also, if you are paying those kinds of companies: prepare to dig deep in your pockets for DDoS protection... we are going to have a fun X-mas this year...
Greets, Jeroen
swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
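The "limited announce of prefix" Jeroen describes (keep the prefix reachable via direct peers and trusted peers, drop it from transit while under DDoS) can be written as per-neighbor BGP export policy. The BIRD 2 configuration below is an added example, not from this thread or any of its participants; the ASNs, neighbor addresses and prefix are placeholder values, and DDOS_MODE is an assumed operator-controlled switch.

```bird
# Added example: export policy that keeps a prefix reachable via IXP and
# trusted peers at all times, but lets it be withdrawn from transit during a
# DDoS. All ASNs, addresses and the prefix are placeholder values.

define OUR_AS     = 64496;           # placeholder local ASN
define OUR_PREFIX = 192.0.2.0/24;    # placeholder hosted prefix
define DDOS_MODE  = false;           # assumed operator switch; true while under attack

# Originate the prefix locally (more-specifics live in the IGP).
protocol static originate {
    ipv4;
    route OUR_PREFIX unreachable;
}

# Direct peers (local IXP members and trusted peers abroad) always get it.
filter export_to_peer {
    if net = OUR_PREFIX then accept;
    reject;
}

# Transit only gets it while DDOS_MODE is off. With it on, the prefix is
# "dead" over transit, so attack traffic arriving via transit is cut off
# while peers keep a path.
filter export_to_transit {
    if DDOS_MODE then reject;
    if net = OUR_PREFIX then accept;
    reject;
}

template bgp peer_template {
    local as OUR_AS;
    ipv4 { import all; export filter export_to_peer; };   # import policy out of scope here
}

protocol bgp ixp_peer from peer_template {
    neighbor 198.51.100.1 as 64497;     # placeholder local IXP peer
}

protocol bgp trusted_peer_abroad from peer_template {
    neighbor 198.51.100.2 as 64499;     # placeholder trusted peer outside .ch
}

protocol bgp transit_upstream {
    local as OUR_AS;
    neighbor 203.0.113.1 as 64498;      # placeholder transit provider
    ipv4 { import all; export filter export_to_transit; };
}
```

Set DDOS_MODE to true and run `birdc configure` to withdraw the prefix from transit while peers continue to receive it; set it back to false and reload to restore full reachability.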