Re: NANOG Mail Server Maintenance

2014-04-25 Thread Eric Oosting
As a reminder, this work will begin in approximately 6 hours.

-e


On Sat, Apr 19, 2014 at 12:55 PM, Larry J. Blunk  wrote:

>
> Greetings,
>   The NANOG Mail server will be transitioning to a
> new system next Saturday, April 26th.  The maintenance
> window for this transition will be from
> 10:00 - 10:30 UTC.  This will impact the main NANOG
> list and associated lists hosted on mailman.nanog.org.
> The addresses for the server will be changing, but they
> will remain within the same prefixes (50.31.151.64/28
> and 2001:1838:2001:8::/64).
>
>  Regards,
>Larry Blunk
>NANOG Communications Committee
>
>


NANOG 62 and a new tool for presentation submissions

2014-06-10 Thread Eric Oosting
Today we began an upgrade to the site/tool located at pc.nanog.org, known
as the pc tool, which is designed to allow the community to propose talks
for the next NANOG. The new site has some of the latest fads in web 2.0 web
design and buzzwords, for instance we've decided to use a programming
language with a silent "d" in the name. Don't worry, it's somewhere short of
having tag clouds.

We hope you like it. Or at least, we hope not too many of you despise it.

Please hold off on any talk submissions for a few days while we migrate the
data from the old tool to the new. The NANOG Program Committee will issue
the NANOG61 call for presentations shortly, marking the availability of the
new tool.

Thanks,
-e

-- 
Eric Oosting
Network Architect
eoost...@netuf.net | 404-941-6678


CGN fixed/hashed nat question

2013-01-21 Thread Eric Oosting
Let me start out by saying I'm allergic to CGN, but I got to ask the
question:

Some of the CGN providers are coming out with "fixed" nat solutions for
their IPv6 transition/IPv4 preservation technologies to reduce logging.
This appears to provide for a static mapping of outside ports/IPs to a
particular customer such that the service provider doesn't need to log
literally every session through the box.

At the last nanog, I seem to remember someone stepping up and discussing
the problems associated with just taking ports 1025 through 1025+X and
giving it to some customer and had brought up the idea of using a hash or
salt to map what would appear to be random ports to a customer in such a
way that you could reverse the port back to the customer later if need be.
For the life of me, I can't find anything on the internets about this
concept.

I had it in my head it was a lightning talk or something, but reviewing the
agenda doesn't ring any bells. Anyone know what I'm talking about and what
it's called?

-e


Re: CGN fixed/hashed nat question

2013-01-21 Thread Eric Oosting
On Mon, Jan 21, 2013 at 12:18 PM, Nick Hilliard  wrote:

> draft-donley-behave-deterministic-cgn
>

That's it. Or more specifically, the section of that draft that points to
https://tools.ietf.org/html/rfc6431#section-2.2

Thanks.

-e


Re: verizon fios bounced a legit private email of mine telling me it was spam and they would not allow it

2016-01-14 Thread Eric Oosting
On Thu, Jan 14, 2016 at 11:20 AM, Christopher Morrow <
morrowc.li...@gmail.com> wrote:

> '4 MILLION IP ADDRESSES!!!'
>

What is that, a /106?

-e


> On Wed, Jan 13, 2016 at 4:55 PM, Dan Hollis 
> wrote:
> > This is what's going on at verizon.
> >
> > http://www.spamhaus.org/news/article/726/
> >
> > -Dan
> >
> >
> > On Wed, 13 Jan 2016, Gordon Cook wrote:
> >
> >> Dear Nanog,
> >>
> >> Sorry to bother you. I am sitting here in shock. I have been a Verizon
> >> FiOS customer for about the past six years at least; I think maybe eight.
> >> Every now and then the Verizon server will bounce an email back and tell
> >> me that it’s busy or not functioning, but just now it bounced one back and
> >> I’m sorry I don’t have a screenshot of what it said, but it clearly said
> >> that it considered me to be a spammer. I may be a lot of things, but a
> >> spammer I am not. ;-) When I get an email bounced back, Apple OS X always
> >> volunteers to use the pair networks server and I always automatically take
> >> that choice, giving it never a second thought.
> >>
> >> It also reminded me that there was a limit on the amount of private emails
> >> a customer could send.
> >>
> >> And it said I needed to take the alleged spam and send it to
> >>
> >> spamdetector.upd...@verizon.net and, if I remember correctly, wait at
> >> least an hour and then try to send the message again.
> >>
> >> Stating very clearly that no human being would talk to me.
> >>
> >> What in God’s name is going on? Please, a year and a half or two years
> >> ago when a route to Ecuador was being filtered, a couple of NANOG folk knew
> >> whom to contact and the problem was fixed in record time. I am hoping
> >> that I will experience the same thing. I should not be a stranger to any
> >> old time Nanog-ers. But right now I’m feeling really paranoid!
> >>
> >
>


Re: RBL resource to check entire netblock

2016-02-18 Thread Eric Oosting
On Thu, Feb 18, 2016 at 12:46 PM, greg whynott 
wrote:

> Team NANOG,
>
> I will summarize once I get to looking at things.   This isn't an immediate
> need but with that said I expect to start on it next week.   I may not
> evaluate all of them but what I do try I will share.
>
> My next challenge is finding a router that will forward on 4 x 1 gig
> interfaces (2 inside 2 outside) for less than 30k...
>

Without knowing much about your requirements, I can say that the EdgeRouter
Pro from Ubiquiti doesn't suck, and is fantastic for the price. Cheap
enough to self-spare, and

-e


>
> -greg
>
>
>
> On Wed, Feb 17, 2016 at 1:32 PM, Roberto Alvarado 
> wrote:
>
> > You can try this script:
> >
> > https://github.com/DjinnS/check-rbl
> >
> >
> > -i,--ip The IP or subnet to check
> >
> > I’m using it to check my subnets
> >
> >
> > Roberto
> >
> >
> >
> >
> >
> > > On Feb 17, 2016, at 15:25, Bernd Spiess 
> wrote:
> > >
> > >> I find many sites where you can enter 1 IP to
> > >> do a check but they don't seem to accept subnets to check.
> > >
> > > Maybe this is a help?
> > > https://www.senderbase.org/
> > >
> > > Bernd
> >
> >
>
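
For the "check an entire subnet" problem in this thread, here is an added example (not the check-rbl script Roberto links, nor anything from the posters) of what such a sweep does under the hood: every address in a block is turned into the reversed-octet DNSBL name, the A-record answer is interpreted, and the listed addresses are collected. The Spamhaus ZEN zone and its 127.0.0.x return codes are real and documented; the stub resolver and the two "listed" addresses are constructed so the block runs offline.

```python
"""Sweep a netblock against a DNS-based blocklist (DNSBL).

Added example; not the check-rbl script from the thread. The resolver is
injected so the block runs offline against a constructed stub; pass
live_lookup (or your own resolver) for real use. IPv4 only: IPv6 DNSBLs use
a nibble-reversed format that this helper does not build.
"""
from ipaddress import IPv4Address, ip_network
import socket

# Return codes documented by Spamhaus for the ZEN zone (verify against current docs).
ZEN_CODES = {
    "127.0.0.2": "SBL",
    "127.0.0.3": "SBL CSS",
    "127.0.0.4": "XBL",
    "127.0.0.10": "PBL (ISP-maintained)",
    "127.0.0.11": "PBL (Spamhaus-maintained)",
}
MAX_SWEEP = 4096   # refuse to hammer a DNSBL with more than a /20 in one run (assumption)


def query_name(ip: str, zone: str) -> str:
    """203.0.113.5 + zen.spamhaus.org -> 5.113.0.203.zen.spamhaus.org"""
    octets = str(IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


def live_lookup(name: str):
    """Resolver for real use: the A record of the DNSBL name, or None if not listed."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:   # NXDOMAIN: not listed
        return None


def interpret(answer: str) -> str:
    """Turn a 127.x.x.x answer into a human-readable reason."""
    if answer.startswith("127.255.255."):
        # Spamhaus uses this range for errors (refused, open resolver, too many queries);
        # the result says nothing about the address being checked.
        return f"query refused or rate-limited ({answer}); result not usable"
    return ZEN_CODES.get(answer, f"listed ({answer})")


def check_netblock(cidr: str, zones, lookup=live_lookup):
    """Return {ip: [(zone, reason), ...]} for every address in `cidr` that is listed."""
    net = ip_network(cidr, strict=False)
    if net.num_addresses > MAX_SWEEP:
        raise ValueError(f"{cidr} has {net.num_addresses} addresses; split it into /20s or smaller")
    hits = {}
    for addr in net:
        for zone in zones:
            answer = lookup(query_name(str(addr), zone))
            if answer is not None:
                hits.setdefault(str(addr), []).append((zone, interpret(answer)))
    return hits


# Constructed stub standing in for DNS: two made-up listings inside TEST-NET-3.
STUB_ANSWERS = {
    "5.113.0.203.zen.spamhaus.org": "127.0.0.2",    # 203.0.113.5 "on the SBL" (constructed)
    "9.113.0.203.zen.spamhaus.org": "127.0.0.10",   # 203.0.113.9 "on the PBL" (constructed)
}


def stub_lookup(name: str):
    return STUB_ANSWERS.get(name)


if __name__ == "__main__":
    for ip, reasons in check_netblock("203.0.113.0/28", ["zen.spamhaus.org"], lookup=stub_lookup).items():
        print(ip, reasons)
```

Two practical notes: DNSBL operators rate-limit and may return error codes rather than NXDOMAIN when a sweep is too aggressive or comes through a public resolver, which is why `interpret` keeps those answers separate from real listings; and the cap on block size is there so a careless `/8` does not turn a reputation check into a flood of queries.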


Re: ARO Security

2015-05-18 Thread Eric Oosting
On Mon, May 18, 2015 at 12:30 PM, Nicholas Schmidt <
nicholas.schm...@controlgroup.com> wrote:

> I can't find a way to reach out to whoever manages ARO directly, so I figure
> it would be best to publish this to the list.
>

Nicholas,

It's normally a good idea to email any questions you have to
nanog-supp...@nanog.org. They should always get you an answer or point you
in the correct direction.

> We are a group of network operators who are failing at enforcing extremely
> basic security in our own applications.
>
> 1.) Retrieving an ARO password sends a plain text email of your current
> password. I'm sure this is minor as it's just ARO and none of us would ever
> re-use a password in more critical systems.
>

This is a known problem and I assure you NANOG is working with their vendor
to address it.


>
> 2.) The SSL cert for secretariat.nanog.org is invalid. It looks to be
> trying to use the wildcard for amsl.com


I'm curious what is going on, but I wonder if it doesn't have something to
do with the openssl command you've entered below.

When using firefox, chrome, or safari from my laptop and internet explorer
from within a VM, I'm being offered the *.nanog.org wildcard cert, not an
amsl.com cert. I checked a popular online ssl certificate checker and
similarly received the proper certificate.

Are you receiving a certificate error of some type in your browser? If so,
let's take the conversation off of nanog to spare the list.

-e


>
> $ openssl s_client -showcerts -connect secretariat.nanog.org:443
> CONNECTED(0003)
> depth=0 /OU=Domain Control Validated/CN=*.amsl.com
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 /OU=Domain Control Validated/CN=*.amsl.com
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 /OU=Domain Control Validated/CN=*.amsl.com
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:/OU=Domain Control Validated/CN=*.amsl.com
>    i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2
>
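
Eric's hunch that the openssl command line itself explains the discrepancy is worth making checkable. The following added example (not code from NANOG, its vendor, or the poster) parses the kind of s_client output pasted above, extracts the leaf certificate name and the verify errors, and applies a conservative RFC 6125 hostname-matching rule. Two facts it relies on: s_client releases before OpenSSL 1.1.1 sent no SNI unless given `-servername`, so a virtual-hosted server answers with its default certificate; and verify errors 20 and 21 mean no trust store was supplied (`-CAfile`/`-CApath`), not that the site's chain is bad. The sample text is the thread's own paste, reused as test input.

```python
"""Check whether the certificate openssl s_client reports matches the host name.

Added illustration built around the s_client output quoted in the thread (not
code from NANOG, its vendor, or the poster). It parses the leaf subject and the
`verify error` lines and applies a conservative RFC 6125 wildcard rule.
"""
import re

# Copied from the thread's paste so the example runs offline.
SAMPLE_OUTPUT = """\
CONNECTED(0003)
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.amsl.com
"""

DEPTH0_RE = re.compile(r"^depth=0 (?P<dn>.+)$", re.M)
VERIFY_RE = re.compile(r"^verify error:num=(?P<num>\d+):(?P<msg>.+)$", re.M)


def parse_s_client(output: str):
    """Return (leaf CN, {errnum: message}) from s_client's verification chatter.
    Handles the '/CN=x' form shown in the thread and the 'CN = x' form printed
    by newer OpenSSL releases."""
    m = DEPTH0_RE.search(output)
    if not m:
        raise ValueError("no depth=0 subject line found")
    cn = re.search(r"CN\s*=\s*([^/,]+)", m.group("dn"))
    if not cn:
        raise ValueError("leaf subject has no CN")
    errors = {int(e.group("num")): e.group("msg") for e in VERIFY_RE.finditer(output)}
    return cn.group(1).strip(), errors


def name_matches(hostname: str, pattern: str) -> bool:
    """RFC 6125 style comparison: case-insensitive; '*' is accepted only as the
    entire leftmost label, matches exactly one label, and needs at least two
    labels to its right (so '*.com' never matches). Hence *.nanog.org covers
    secretariat.nanog.org but not nanog.org or a.b.nanog.org."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def diagnose(output: str, hostname: str) -> dict:
    """Summarise what an s_client run says about `hostname` from a defender's view."""
    cn, errors = parse_s_client(output)
    result = {
        "leaf_cn": cn,
        "name_matches": name_matches(hostname, cn),
        # X509 verify codes 20/21: no trust store was given; says nothing about the site.
        "chain_unverified": bool({20, 21} & set(errors)),
    }
    if not result["name_matches"]:
        # Older s_client sends no SNI unless told to, so a virtual-hosted server
        # returns its default certificate: one way to see *.amsl.com here while
        # a browser (which always sends SNI) sees *.nanog.org.
        result["advice"] = f"retry with: openssl s_client -servername {hostname} -connect {hostname}:443"
    return result


if __name__ == "__main__":
    print(diagnose(SAMPLE_OUTPUT, "secretariat.nanog.org"))
```

The wildcard rule is deliberately stricter than what some older clients accepted: a `*` matches one label only, never `a.b.nanog.org`, and never the bare domain, which is the behaviour a browser applies before deciding whether to warn.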


nanog website down

2015-06-03 Thread Eric Oosting
This morning we suffered a hardware failure in our production environment.
The outage affected nanog mail and web services. While mail services have
recovered, web services are still down.

We apologize for the inconvenience.

-e


Re: nanog website down

2015-06-03 Thread Eric Oosting
At this time, we believe all services have been restored.

On Wed, Jun 3, 2015 at 11:16 AM, Eric Oosting 
wrote:

> This morning we suffered a hardware failure in our production environment.
> The outage affected nanog mail and web services. While mail services have
> recovered, web services are still down.
>
> We apologize for the inconvenience.
>
> -e
>


Re: AT&T UVERSE Native IPv6, a HOWTO

2013-12-02 Thread Eric Oosting
On Mon, Dec 2, 2013 at 11:11 PM, Rob Seastrom  wrote:

>
> "Ricky Beam"  writes:
>
> > On Fri, 29 Nov 2013 08:39:59 -0500, Rob Seastrom 
> wrote:
> >> So there really is no excuse on AT&T's part for the /60s on uverse
> 6rd...
> > ...
> > Handing out /56's like Pez is just wasting address space -- someone
> > *is*  paying for that space. Yes, it's waste; giving everyone 256
> > networks when  they're only ever likely to use one or two (or maybe
> > four), is  intentionally wasting space you could've assigned to
> > someone else. (or  **sold** to someone else :-)) IPv6 may be huge to
> > the power of huge, but  it's still finite. People like you are
> > repeating the same mistakes from  the early days of IPv4...
>
> There's finite, and then there's finite.  Please complete the
> following math assignment so as to calibrate your perceptions before
> leveling further allegations of profligate waste.
>

I know this is rhetorical, but my hobby is answering people's rhetorical
questions.


>
>Suppose that every mobile phone on the face of the planet was an "end
>site" in the classic sense and got a /48 (because miraculously,
>the mobile providers aren't being stingy).
>

Very well, I'll play your silly game.

48 bits remaining.


>
>Now give such a phone to every human on the face of the earth.
>

33 bits should do it. That gets us to nearly 9 billion people.

15 bits remaining.


>Unfortunately for our conservation efforts, every person with a
>cell phone is actually the cousin of either Avi Freedman or Vijay
>Gill, and consequently actually has FIVE cell phones on active
>plans at any given time.
>

5 is inconvenient. Let's give everyone 8 mobile phones, using 3 bits.

12 bits remaining.


>
>Assume 2:1 overprovisioning of address space because per Cameron
>Byrne's comments on ARIN 2013-2, the cellular equipment providers
>can't seem to figure out how to have N+1 or N+2 redundancy rather
>than 2N redundancy on Home Agent hardware.
>

1 bit for that.

11 bits remaining.

Now we're assigning space out of 2000::/3 for now ... let's keep the other
7/8ths of the IPv6 address block in reserve, using another 3 bits ...
leaving ... carry the one ... 8 bits.


>
> What percentage of the total available IPv6 space have we burned
> through in this scenario?  Show your work.
>

If we give every man, woman, and child on the face of the earth the
equivalent to (16) /48s each, we will have used 1/256th of the first
1/8th of the IPv6 address space.

Wolfram says there have been 110 billion Homo sapiens that have ever lived.
We need to give every person who has literally ever lived on planet Earth
their own /40 before we've used up 2000::/3 and need to move on to the
remaining 87.5% of the address space. (This is where someone will ding me
for the misuse of "literally" somehow with a pointer to the Oatmeal comic,
right?)

-e


>
> -r
>
>
>
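
The bit budget Eric walks through above, carried out as an added worked computation (not code from either poster): a small calculator that takes the per-site prefix length, the population, devices per person and an over-provisioning factor, subtracts the 3 bits that 2000::/3 already spends, and reports the fraction of the global-unicast block consumed. It generalises the thread's arithmetic, so the same function also answers the "110 billion people, what prefix each" question. The inputs in the test are the thread's own figures; "nearly 9 billion" is taken as 2^33, as Eric did.

```python
"""IPv6 bit-budget calculator for the /48-per-phone scenario in the thread.

Added worked computation; not code from the thread. Every site gets a
/site_prefix_len, so (site_prefix_len - 3) bits of prefix sit inside 2000::/3
to be divided between people, devices and over-provisioning; whatever is left
over is the power-of-two fraction of 2000::/3 that the plan consumes.
"""
from math import ceil, log2

GLOBAL_UNICAST_PREFIX_LEN = 3   # 2000::/3 is one eighth of the 128-bit space


def bits_for(count: int) -> int:
    """Smallest number of bits that can number `count` items (2**bits >= count)."""
    if count < 1:
        raise ValueError("count must be positive")
    return ceil(log2(count))


def address_budget(site_prefix_len: int, people: int, devices_per_person: int,
                   overprovision_factor: int = 1) -> dict:
    """How much of 2000::/3 (and of all IPv6 space) a plan consumes.

    Raises if the plan needs more prefix bits than a /site_prefix_len per site
    leaves inside 2000::/3, i.e. if it does not fit at all."""
    used_bits = (bits_for(people) + bits_for(devices_per_person)
                 + bits_for(overprovision_factor))
    spare_bits = site_prefix_len - GLOBAL_UNICAST_PREFIX_LEN - used_bits
    if spare_bits < 0:
        raise ValueError(f"plan needs {-spare_bits} more bits than a /{site_prefix_len} "
                         "per site leaves inside 2000::/3")
    return {
        "bits_used": used_bits,
        "spare_bits": spare_bits,
        "fraction_of_2000_3": 1 / 2 ** spare_bits,
        "fraction_of_all_space": 1 / 2 ** (spare_bits + GLOBAL_UNICAST_PREFIX_LEN),
    }


def max_prefix_per_person(people: int) -> int:
    """Shortest per-person prefix (smallest /N) that still fits everyone in 2000::/3."""
    return GLOBAL_UNICAST_PREFIX_LEN + bits_for(people)


if __name__ == "__main__":
    # The thread's numbers: /48 per phone, ~2^33 people, 5 phones each, 2:1 over-provisioning.
    print(address_budget(48, 2 ** 33, 5, 2))
    # 110 billion people who have ever lived: what prefix can each get out of 2000::/3?
    print("/%d per person" % max_prefix_per_person(110_000_000_000))
```

The calculator rounds each factor up to a power of two separately, exactly as the thread does (5 phones become 8), so its result is the conservative one an address plan would actually be built on; a plan that packs the factors together could use slightly less.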


Re: 844 INWATS prefix activated

2013-12-08 Thread Eric Oosting
How does team-cymru.org not have a bgp feed of these?


On Sun, Dec 8, 2013 at 1:57 AM, Jay Ashworth  wrote:

> Note, if you're the PBX guy somewhere, too, that the +1 844 toll free
> prefix
> was activated at 1200EST today.
>
> Cheers,
> -- jra
>
> --
> Make Election Day a federal holiday: http://wh.gov/lBm94  100k sigs by 12/14
>
> Jay R. Ashworth                  Baylink                       j...@baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates       http://baylink.pitas.com         2000 Land Rover DII
> St Petersburg FL USA               #natog                      +1 727 647 1274
>
>


Re: turning on comcast v6

2013-12-11 Thread Eric Oosting
On Wed, Dec 11, 2013 at 8:17 AM, Randy Bush  wrote:

> Randy Bush wrote:
> > http://comcast6.net/ tells me that the local cmts is v6 enabled.  my
> > modem, a cisco dpc3008, is in the supported products list.  so how do
> > i turn the sucker on?
> >
> > randy
>
> after a lot of messing about with the massive help of Chris Adams and
> John Brzozowski, problem solved.  see http://rtechblog.psg.com/


It brings a tear to my eye that it takes:

0) A long-standing and well-informed internet technologist;
1) specific, and potentially high end, CPE for the res;
2) specific and custom firmware, unsupported by CPE manufacturer ... or
anyone;
3) hand installing several additional packages;
4) hand editing config files;
5) sysctl kernel flags;
6) several shout outs to friends and coworkers for assistance (resources
many don't have access to);
7) oh, and probably hours and hours twiddling with it.

just to get IPv6 to work correctly.

Yea, that's TOTALLY reasonable.

-e


>
>
> randy
>
>


Re: turning on comcast v6

2013-12-11 Thread Eric Oosting
On Wed, Dec 11, 2013 at 10:40 AM, Randy Bush  wrote:

> > just to get IPv6 to work correctly.
>
> i would not have had this problem if i had not done the openwrt thing.
> the stock netgear would have been fine.  i brought this on myself
> because i wanted to also run things such as an openvpn server.
>
> i was documenting for the next to follow, not to whine.
>

To be clear, I wasn't accusing you of whining. And thanks for documenting
it for the next guy.

Stock netgear does PD and works out of the box? Didn't realize that.

-e


>
> randy
>


Re: turning on comcast v6

2013-12-20 Thread Eric Oosting
On Fri, Dec 20, 2013 at 5:16 PM, Matthew Huff  wrote:

> Owen,
>
> Have you ever worked in a corporate environment? Replacing equipment can
> be a 5-7 year window and has to be justified and budgeted. Replacing a
> piece of equipment because it's an incomplete IPv6 implementation (which
> has changed considerably as it has been deployed), isn't feasible.


Not to put words in Owen's mouth, but let me explain how I interpret what
he was saying: Vote with your feet.

It's simple ... maybe you can't replace everything in your network that
doesn't support IPv6 (I wish we all had that kind of discretionary
budget), but you can still base purchasing decisions on IPv6 support, and
by and large, that isn't happening. Enterprise purchasing just isn't driven
by IPv6 features ... if anything, it's a checkbox feature for vendors and
ignored by decision makers.

Until the enterprise says to the widget salesperson: "I'm not buying this
until and unless you truly commit to supporting IPv6" we're stuck where we
are.

We don't necessarily need you to replace everything in your network that
doesn't support it today; we need you to not put a single thing in your
network, new or used, that doesn't. Believe me, the vendors will get the
message and suddenly even the legacy stuff will start to be fixed. Remember
what a PITA it was to get Novell to support IPv4? They didn't do it until
they had to.

-e


>  There are a lot of things that have changed as IPv6 has been deployed
> such as DHCPv6 (not even talking about setting default GW via DHCP, but
> things such as DNS servers, DNS domain name, etc). Not all vendors
> especially ones in niche markets can update the firmwares that often, and
> certainly not unless they have a business justification.
>
>
>
> On Dec 20, 2013, at 4:07 PM, Owen DeLong  wrote:
>
> >
> > On Dec 20, 2013, at 12:50 PM, Matthew Huff  wrote:
> >
> >>
> >> On Dec 20, 2013, at 3:23 PM, Owen DeLong  wrote:
> >>
> >>>
> >>> On Dec 20, 2013, at 6:29 AM, Matthew Huff  wrote:
> >>>
>  With RA, what is the smallest interval failover will work? Compare
> that with NHRP such as HSRP, VRRP, etc with sub-second failover.
> >>>
> >>> RA and VRRP are not mutually exclusive. What you can’t have
> (currently) is routing information distributed by a DHCP server which may
> or may not actually know anything about the routing environment to which it
> is sending such information.
> >>>
>  In corporate networks most of the non-client systems will be
> statically addressed with privacy addresses turned off. This is for
> regulatory, audit, security and monitoring requirement. One of the many
> challenges of ipv6 in a corporate environment.
> >>>
> >>> There’s no problem doing this in IPv6. You can easily statically
> address a system and you can easily turn off privacy addresses. You can
> even do that and still get your default router via RA or you can statically
> configure the default router address.
> >>>
> >>> As such, can someone please explain what is the actual missing or
> problematic requirement for the corporate world?
> >>>
> >>> Owen
> >>
> >> Reality.
> >>
> >> Owen, not all OS and especially hardware appliances (dedicated NTP
> appliances, UPS cards, ILO), etc... will work with RA and static addresses.
> They just don't. Some OS's won't disable SLAAC unless you disable autoconf
> on the switch. When you
> >
> > Not all devices have working IPv6 stacks. OK, they’re broken, complain
> to the vendor and get them to fix their product or buy a working product
> from a different vendor.
> >
> >> do that, they lose the ability to pick up RA. Some will only work with
> link local gateway addresses, some will only work with link global gateway
> addresses. There is a lot of cruft out there in the enterprise world that
> claims IPv6
> >
> > Link Local gateway addresses are required functionality in IPv6. A
> device which requires a global gateway address is
> > broken. See above.
> >
> >> compatibility, but in the real world doesn't work consistently. Almost
> all can be made to work, but require custom configuration. Far too much
> work for many organizations to see value in deployment. In at least one IT
> department I know of, IPv6 is banned because the CIO read about one of the
> “advantages" of IPv6 is bringing back the p2p model of IP, and most
> corporate management has zero interest in having any p2p connectivity
> within their network.
> >
> > IPv4 didn’t work perfectly in the beginning either. Enterprises spent
> many years getting vendors to correct issues with their IPv4 products and
> we’re just starting that process with IPv6.
> >
> > I’m asking what’s broken in the protocol design since that’s what the
> IETF can attempt to fix.
> >
> >
> >> For our desktop environments (Windows 7 and RHEL6) we have two
> different configurations on the switches on separate VLANs using SLAAC with
> DHPCv6 and that works fine with RA announcing the NHRP. Other equipment,
> not so much.
> >
> > Sounds like you need to