Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-28 Thread Mike Meredith
On 27 Feb 2019 13:07:09 -0500, "John Levine"  may have
written:
> The IETF one says that nobody used type 99, and some of the few
> implementations we saw were broken, so we deprecated it.

And just after I'd finished adding in all the SPF records too, so I had to
turn around and take all them out again immediately after.

-- 
Mike Meredith, University of Portsmouth
Hostmaster, Security, and Chief Systems Engineer
 




Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-28 Thread Mike Meredith
On Wed, 27 Feb 2019 19:59:49 -0800, Seth Mattinen  may
have written:
> We kind of have that with RP records. But does anyone do it?

I used to before various IPAM vendors claimed it was deprecated; I've still
got legacy code that queries for it (and the TXT equivalent) as well as the
new gooey IPAM thing.


-- 
Mike Meredith, University of Portsmouth
Chief Systems Engineer, Hostmaster, Security, and Timelord!
 




a quick survey about LLDP and similar

2019-02-28 Thread Pierfrancesco Caci


Hello,
having a bit of a debate in my team about turning on LLDP and/or CDP.
I would appreciate if you could spend a minute answering this
survey so I have some numbers to back up my reasoning, or to accept
defeat.

https://www.surveymonkey.com/r/TH3WCWP

Feel free to cross-post to other relevant lists. 

Thank you

Pf

-- 
Pierfrancesco Caci, ik5pvx


Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-28 Thread Måns Nilsson
Subject: Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking
Date: Wed, Feb 27, 2019 at 07:59:49PM -0800
Quoting Seth Mattinen (se...@rollernet.us):
> On 2/27/19 7:02 PM, b...@theworld.com wrote:
> > I have proposed many times to just move domain WHOIS data into a new
> > RRTYPE and let whoever owns the domain put in that whatever they want,
> > including (and perhaps most usefully for many) just a URL for further
> > detail.
> 
> 
> We kind of have that with RP records. But does anyone do it?

I do, as preserver of strange RRtypes people try to deprecate. 

dig @primary.se besserwisser.org AXFR | awk '\
    /^;/ {
        next;
    };
    /besserwisser.org/ {
        types[$4]++;
    };
    END {
        for ( RRTYPE in types ) {
            count++;
            printf "%s\t%d\n", RRTYPE, types[RRTYPE];
        };
        printf "Total:\t%d rrtypes in zone\n", count;
    };'

NS        5
          21
DNSKEY    3
SPF       1
A         28
NSEC      62
AFSDB     3
RP        1
MX        2
CNAME     9
SOA       2
RRSIG     147
TXT       6
SSHFP     14
SRV       20
DS        4
Total:    16 rrtypes in zone

(Yes, there's a bug there, but the end figure is correct.) 

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
TONY RANDALL!  Is YOUR life a PATIO of FUN??




Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-28 Thread Måns Nilsson
Subject: Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking
Date: Thu, Feb 28, 2019 at 08:47:19AM + 
Quoting Mike Meredith (mike.mered...@port.ac.uk):
> On 27 Feb 2019 13:07:09 -0500, "John Levine"  may have
> written:
> > The IETF one says that nobody used type 99, and some of the few
> > implementations we saw were broken, so we deprecated it.
> 
> And just after I'd finished adding in all the SPF records too, so I had to
> turn around and take all them out again immediately after.

You did not have to. I still have them in. (As well as TXT records that
almost look like them, but mostly are there to tickle parser bugs.)

I still get queries for SPF.  Obviously "TXT as RRtype for SPF data"
is a failure and needs to be re-deprecated. (No, I'm joking, but I wish I 
wasn't.) 

Type-squatting is bad for the Internet, and should be discouraged. And,
Carthago should be destroyed.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE   SA0XLR+46 705 989668
Yow!  Now I get to think about all the BAD THINGS I did to a BOWLING
BALL when I was in JUNIOR HIGH SCHOOL!




Re: a quick survey about LLDP and similar

2019-02-28 Thread Owen DeLong
The problem with your survey is that there’s no option to answer “it depends”.

Hard yes or no answers aren’t realistic to the questions you’re asking because the context, security parameters, sensitivity, and other parameters about the network all factor into a decision whether to run or not run such protocols.

There are some environments where the benefit and convenience is moderately high and the risk is extremely low. There are other environments where the benefit is relatively low, but the risks are significantly higher.

Owen


> On Feb 28, 2019, at 01:00 , Pierfrancesco Caci  wrote:
> 
> 
> Hello,
> having a bit of a debate in my team about turning on LLDP and/or CDP.
> I would appreciate if you could spend a minute answering this
> survey so I have some numbers to back up my reasoning, or to accept
> defeat.
> 
> https://www.surveymonkey.com/r/TH3WCWP
> 
> Feel free to cross-post to other relevant lists. 
> 
> Thank you
> 
> Pf
> 
> -- 
> Pierfrancesco Caci, ik5pvx



Re: a quick survey about LLDP and similar

2019-02-28 Thread Pierfrancesco Caci


Thank you both for the feedback.
I left out the "it depends" because it is more suited to a conversation
or email thread like this than to a quick survey. I'm aware of a few
reasons for which "it depends" and I'm learning a few more from the
feedback I'm getting.

Pf


> "Eddie" == Eddie Parra  writes:


Eddie> +1 on it depends.  IMO, I would prefer LLDP vs. a vendor proprietary
Eddie> discovery protocol.  Where you intend to run it in your network is a
Eddie> major factor for risk.

Eddie> Also, you forgot to add LLDP-MED to #5 (but it might not be relevant
Eddie> to your services).

Eddie> -Eddie



>> On Feb 28, 2019, at 1:27 AM, Owen DeLong  wrote:
>> 
>> The problem with your survey is that there’s no option to answer “it depends”.
>> 
>> Hard yes or no answers aren’t realistic to the questions you’re asking because the context, security parameters, sensitivity, and other parameters about the network all factor into a decision whether to run or not run such protocols.
>> 
>> There are some environments where the benefit and convenience is moderately high and the risk is extremely low. There are other environments where the benefit is relatively low, but the risks are significantly higher.
>> 
>> Owen
>> 
>> 
>>> On Feb 28, 2019, at 01:00 , Pierfrancesco Caci  wrote:
>>> 
>>> 
>>> Hello,
>>> having a bit of a debate in my team about turning on LLDP and/or CDP.
>>> I would appreciate if you could spend a minute answering this
>>> survey so I have some numbers to back up my reasoning, or to accept
>>> defeat.
>>> 
>>> https://www.surveymonkey.com/r/TH3WCWP
>>> 
>>> Feel free to cross-post to other relevant lists. 
>>> 
>>> Thank you
>>> 
>>> Pf
>>> 
>>> -- 
>>> Pierfrancesco Caci, ik5pvx
>> 


-- 
Pierfrancesco Caci, ik5pvx


Re: Question about ISP billing procedures

2019-02-28 Thread Alain Hebert

As per our village lawyer and accountant ...

Assuming 95th percentile billing, sampling every 5 minutes:

You'll need about 1.5 days' worth of 0 (~447 samples missing in a row) to bork the curve... and it goes both ways.

If you're 5Gbps committed on a 10Gbps and you burst 10Gbps for 1.6 days, you pay for 10Gbps for that month.

And yes, that includes the best effort to manage DDoS from both parts. We're capitalist, but no one is from big pharma =D.


-
Alain Hebert  aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net  Fax: 514-990-9443

On 2/28/19 12:16 AM, Ben Cannon wrote:

You have to zero it.

-Ben

On Feb 27, 2019, at 8:10 PM, Michael Gehrmann wrote:



From my provider days if you miss data you can't bill it or assume zero.

Mike


On Thu, 28 Feb 2019 at 15:06, Steve Meuse wrote:


I can say that missing samples weren’t back filled when we
billed. Never had any complaints.

-Steve

On Wed, Feb 27, 2019 at 10:31 PM Daniel Rohan <dro...@gmail.com> wrote:

Can anyone shed light on how ISPs handle missing samples when
calculating p95s for monthly billing cycles? Do they fill
null samples with zeros or leave them as null?

I’m working on a billing sanity tool and want to make sure to
cover my corner cases well.

Thanks!

Dan
-- 
Thanks, Dan






Re: Question about ISP billing procedures

2019-02-28 Thread Jared Mauch
Background: I used to own the code that was used to bill for a while...

> On Feb 27, 2019, at 11:10 PM, Michael Gehrmann  
> wrote:
> 
> From my provider days if you miss data you can't bill it or assume zero.


This was my experience as well.  I remember a router vendor bug where, if the 
traffic was low enough (idle), the counters would go backwards(!!), meaning 
there were issues with the samples stored.  I had to make a way to assume zero 
for missing samples as that wasn’t already in the codebase.  It wasn’t hard, 
but was not in the code at the time.

Make sure you store a zero value differently than a missed sample so you 
understand what that is/means.  I still have some PTSD from those days :-)

I recall people would come back and ask questions 3 months later, so keep all 
that stored data and poller logs so you can determine what happened.  Even 
writing about it, I have the log messages showing up in my brain that described 
routers that were behaving poorly.

- Jared
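The two posts above describe 95th-percentile billing on 5-minute samples: a burst of roughly 1.5 days is enough to move the billed figure, and a poller gap must be stored as something other than a zero reading. The script below is an added example, not Alain's or Jared's billing code, that works the arithmetic through on a constructed month: a nearest-rank p95 done in integer arithmetic, the number of samples a burst needs before it becomes the billed rate, and the three ways a gap in the poller data can be treated. The diurnal curve, the 30-day month, and the gap position are all made up for the example.

```python
"""95th-percentile billing on 5-minute samples, keeping a missed poller
sample (None) distinct from a genuine 0 bps reading.  Added example with a
constructed traffic curve; not any provider's billing code."""
import math
from typing import List, Optional, Sequence

Sample = Optional[float]                 # bps, or None when the poll failed

SAMPLE_INTERVAL_S = 300                          # poll every 5 minutes
SAMPLES_PER_DAY = 86_400 // SAMPLE_INTERVAL_S    # 288
SAMPLES_PER_MONTH = 30 * SAMPLES_PER_DAY         # 8640 for a 30-day month


def p95_rank(n: int) -> int:
    """1-based nearest rank of the 95th percentile among n sorted samples,
    ceil(0.95 * n) done in integers so no float rounding creeps into a bill."""
    return (95 * n + 99) // 100


def samples_to_raise_p95(n: int) -> int:
    """Number of samples that must sit at a rate for that rate to become the
    billed p95: everything above the rank plus the ranked sample itself.
    For 8640 samples this is 433, about 1.5 days of 5-minute polls."""
    return n - p95_rank(n) + 1


def p95(samples: Sequence[Sample], missing: str = "drop") -> float:
    """Billed rate for the month under one of three gap policies:
    "drop"  ignores missed samples and bills on what was actually seen;
    "zero"  treats a missed sample as 0 bps (never higher than "drop");
    "error" refuses to produce a figure for a month with gaps."""
    if missing == "drop":
        values = [float(v) for v in samples if v is not None]
    elif missing == "zero":
        values = [0.0 if v is None else float(v) for v in samples]
    elif missing == "error":
        if any(v is None for v in samples):
            raise ValueError("month has missed samples; refusing to bill")
        values = [float(v) for v in samples]
    else:
        raise ValueError(f"unknown missing-sample policy {missing!r}")
    if not values:
        raise ValueError("no usable samples in month")
    values.sort()
    return values[p95_rank(len(values)) - 1]


def flat_month_with_burst(commit_bps: float, burst_bps: float,
                          burst_samples: int) -> List[Sample]:
    """Constructed month: steady at commit_bps except for burst_samples polls
    at burst_bps (the 'burst 10G on a 5G commit' case from the thread)."""
    month: List[Sample] = [float(commit_bps)] * SAMPLES_PER_MONTH
    for i in range(min(burst_samples, SAMPLES_PER_MONTH)):
        month[i] = float(burst_bps)
    return month


def synthetic_month(peak_bps: float = 8e9, trough_bps: float = 2e9) -> List[Sample]:
    """Constructed diurnal curve for a 30-day month (not real traffic)."""
    mid = (peak_bps + trough_bps) / 2
    amp = (peak_bps - trough_bps) / 2
    return [mid - amp * math.cos(2 * math.pi * (i % SAMPLES_PER_DAY) / SAMPLES_PER_DAY)
            for i in range(SAMPLES_PER_MONTH)]


def with_gap(samples: Sequence[Sample], start: int, length: int) -> List[Sample]:
    """Copy of samples with `length` consecutive polls missing from `start`.
    The gap is stored as None, never 0: a zero is a measurement, a None is
    the absence of one, and the two must stay distinguishable in storage."""
    out = list(samples)
    end = min(start + length, len(out))
    for i in range(start, end):
        out[i] = None
    return out


def missing_count(samples: Sequence[Sample]) -> int:
    """How many polls in the month returned nothing."""
    return sum(1 for v in samples if v is None)


if __name__ == "__main__":
    n = SAMPLES_PER_MONTH
    print(f"{n} samples/month; {samples_to_raise_p95(n)} at a rate make it the p95")
    print("burst 1.6 days at 10G on 5G commit ->",
          p95(flat_month_with_burst(5e9, 10e9, int(1.6 * SAMPLES_PER_DAY))) / 1e9, "Gbps")
    month = with_gap(synthetic_month(), start=1000, length=447)
    for policy in ("drop", "zero"):
        print(f"{missing_count(month)} missed samples, policy={policy}: "
              f"{p95(month, policy) / 1e9:.3f} Gbps")
```

The "zero" policy can only move the billed figure down relative to "drop", because every filled-in zero lands at the bottom of the sort and pushes the 95th-percentile rank onto a lower real sample; that is why a billing-sanity tool needs to know which of the two the provider applies, and why the raw samples and poller logs are worth keeping for the disputes that arrive months later.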

Re: a detour DANE, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-28 Thread Bjørn Mork
Måns Nilsson  writes:

> NS        5
>           21
> DNSKEY    3
> SPF       1
> A         28
> NSEC      62
> AFSDB     3
> RP        1
> MX        2
> CNAME     9
> SOA       2
> RRSIG     147
> TXT       6
> SSHFP     14
> SRV       20
> DS        4
> Total:    16 rrtypes in zone

No TLSA records? 


Bjørn

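Måns's awk one-liner earlier in the thread tabulates the RR types in a zone transfer, and Bjørn's follow-up asks whether TLSA records are among them. The script below is an added example, not code from either post, that does both over a constructed `dig ... AXFR` transcript: it only counts lines that parse as a resource record (owner, numeric TTL, class, type, rdata), so comment and statistics lines are skipped rather than landing under a blank type name, and it lists the `_port._proto.host` owners that carry TLSA data. The zone name zone.example, the server primary.example, and every record in the sample are made up; the real besserwisser.org zone is not reproduced here.

```python
"""Tabulate RR types in `dig ... AXFR` presentation output and list the DANE
TLSA records it carries.  Added example over a constructed transfer; not the
real besserwisser.org zone and not the awk script from the thread."""
from collections import Counter
from typing import Iterator, List, NamedTuple, Tuple

# Constructed sample of `dig @primary.example zone.example AXFR` output.
# dig prints one record per line as: owner  TTL  class  type  rdata,
# with ';'-prefixed banner and statistics lines around them, and the SOA
# appears twice because an AXFR starts and ends with it.
SAMPLE_AXFR = """\
; <<>> DiG 9.11.3 <<>> @primary.example zone.example AXFR
;; global options: +cmd
zone.example.\t3600\tIN\tSOA\tns1.zone.example. hostmaster.zone.example. 2019022801 7200 900 1209600 3600
zone.example.\t3600\tIN\tNS\tns1.zone.example.
zone.example.\t3600\tIN\tNS\tns2.zone.example.
zone.example.\t3600\tIN\tMX\t10 mail.zone.example.
zone.example.\t3600\tIN\tTXT\t"v=spf1 mx -all"
zone.example.\t3600\tIN\tSPF\t"v=spf1 mx -all"
zone.example.\t3600\tIN\tRP\thostmaster.zone.example. contact.zone.example.
zone.example.\t3600\tIN\tRRSIG\tSOA 13 2 3600 20190328000000 20190228000000 12345 zone.example. MEUCIQDx
mail.zone.example.\t3600\tIN\tA\t192.0.2.25
mail.zone.example.\t3600\tIN\tSSHFP\t4 2 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
_25._tcp.mail.zone.example.\t3600\tIN\tTLSA\t3 1 1 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
www.zone.example.\t3600\tIN\tCNAME\tmail.zone.example.
zone.example.\t3600\tIN\tSOA\tns1.zone.example. hostmaster.zone.example. 2019022801 7200 900 1209600 3600
;; Query time: 12 msec
;; SERVER: 192.0.2.53#53(192.0.2.53)
;; XFR size: 13 records (messages 1, bytes 900)
"""


class Record(NamedTuple):
    owner: str
    ttl: int
    rrclass: str
    rrtype: str
    rdata: str


def parse_axfr(text: str) -> Iterator[Record]:
    """Yield one Record per resource-record line and skip everything else.

    A record line has at least four fields, a numeric TTL in field 2 and the
    class in field 3.  Lines that fail that test (banner, statistics, blanks,
    anything else that merely mentions the zone name) are skipped instead of
    being counted under whatever happens to sit in the fourth field."""
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        fields = line.split(None, 4)            # rdata may contain spaces
        if len(fields) < 4 or not fields[1].isdigit() or fields[2] != "IN":
            continue
        rdata = fields[4] if len(fields) == 5 else ""
        yield Record(fields[0], int(fields[1]), fields[2], fields[3], rdata)


def rrtype_counts(text: str) -> Counter:
    """Count records by type; expect SOA=2 for a complete transfer."""
    return Counter(rec.rrtype for rec in parse_axfr(text))


def tlsa_services(text: str) -> List[Tuple[str, str, int]]:
    """Return (host, protocol, port) for every TLSA record whose owner name
    has the _port._proto.host shape used for DANE."""
    out = []
    for rec in parse_axfr(text):
        if rec.rrtype != "TLSA":
            continue
        port_label, proto_label, host = rec.owner.split(".", 2)
        if not (port_label.startswith("_") and port_label[1:].isdigit()
                and proto_label.startswith("_")):
            continue                            # TLSA under an unexpected name
        out.append((host, proto_label[1:], int(port_label[1:])))
    return sorted(out)


def report(text: str) -> str:
    """Render the same table the awk one-liner prints, plus a TLSA summary."""
    counts = rrtype_counts(text)
    lines = [f"{rrtype}\t{n}" for rrtype, n in sorted(counts.items())]
    lines.append(f"Total:\t{len(counts)} rrtypes in zone")
    for host, proto, port in tlsa_services(text):
        lines.append(f"TLSA:\t{host} {proto}/{port}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AXFR))
```

To run it against a live zone, pipe `dig @server zone AXFR` into `report()`; the SOA count of 2 is a quick check that the transfer completed, and an empty `tlsa_services()` result on a zone that serves mail or HTTPS is the "No TLSA records?" observation made above.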

Re: A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-28 Thread Bill Woodcock


> On Feb 24, 2019, at 9:20 PM, Bill Woodcock  wrote:
> 
> 
> 
>> On Feb 24, 2019, at 7:41 PM, Montgomery, Douglas (Fed)  
>> wrote:
>> In the 3rd attack noted below, do we know if the CA that issued the DV CERTS 
>> does DNSSEC validation on its DNS challenge queries?
> 
> We know that neither Comodo nor Let's Encrypt were DNSSEC validating before 
> issuing certs.  The Let’s Encrypt guys at least seemed interested in learning 
> from their mistake.  Can’t say as much of Comodo.

Sorry, a correction:

Apparently Let’s Encrypt _does_ do a DNSSEC validation check, and presumably 
that’s why a Comodo cert was used to attack us.  It was my prior understanding 
that Let’s Encrypt certs had been used against DNSSEC-signed zones, but 
apparently that was not the case.

My apologies for my confusion.  Nonetheless, even with the DNSSEC validation, 
there’s a problem here that needs to be solved, on both the parts of the CAs 
involved and the registry/registrar chain.

-Bill


