Re: Tier1 BGP filter generation data sources & frequency
Hello Jon,

On Mon, 24 May 2021, Jon Lewis wrote:
On Mon, 24 May 2021, Job Snijders via NANOG wrote:
On Mon, May 24, 2021 at 02:04:32PM -0400, Luca Salvatore wrote:

Curious if anyone is aware of other Tier1s deprecating support for RADB?

Rather than deprecating RADB, I think the industry would be better off if either RADB or the Tier1s (in their local caching layer) deploy IRR database software capable of RPKI Origin Validation ala RIPE-731.

I suspect the attitude is "why bother when we can just require that everyone use the IRR run by their RIR, rely on the RIR to not allow bogosity in their IRR, and keep using our existing software, just limiting the IRR sources from which it'll accept objects?"

While I am not a big player (or even a bump in the road) in this group I do find it rather odd that people & corporate entities allow (& sponsor) another grab at, imo, taking over the proper way we as players in this arena should be working WITH each other. The "just leave it to big brother" is just plain a cop out to laziness (agn imo). Sorry I'll say no more on the above as I'd just rant.

BTW...speaking of MANRS, if there's someone on-list who can help out with some questions, I'd appreciate the contact. For $work, I'd been talking to Kevin Meynell about our joining. It fell through the cracks and recently popped back up. Recent email to Kevin got no reply. The MANRS web site could use quite a bit of clarification (or maybe just toss it and start over).

To be honest the manrs site left me feeling rather blase', The place that interested me is the Implementation Guide. Which seems to be a compendium of the [RFC|BCP]'s of the Proper way to maintain records at and with the entity that dispenses the resource(s) being used.

Also, I'm curious how common it is for networks to build IRR-based prefix-list filters for all their peers (i.e. IX peers, where you have lots of peers)?

--
Jon Lewis, MCP :)     | I route
StackPath, Sr. Neteng | therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key _

Twyl, Back to silent mode. JimL

--
+---------------------------------------------------------------------+
| James W. Laferriere        | SystemTechniques     | Give me VMS     |
| Network & System Engineer  | 3237 Holden Road     | Give me Linux   |
| j...@system-techniques.com | Fairbanks, AK. 99709 | only on AXP     |
+---------------------------------------------------------------------+

Re: DANE of SMTP Survey
Hello Mark,

On Wed, 2 Jun 2021, Mark Tinka wrote:
On 6/2/21 11:07, Jeroen Massar via NANOG wrote:

As for solutions: better education, more improvements to the tools & making it easier. CDS records already help a lot. But we might also need to improve recovery mechanisms, as f-ups are made, and you don't want to be off this Internet thing for too long.

I think DNSSEC implementation needs to be made less scary for folk who are apprehensive, and broken down into two steps, where step 1 is most emphasized:

* Enable DNSSEC on your resolvers. Does not require you to sign your zones. Does not require you to read up on what it takes to sign and maintain your zones. Does not require you to worry and test for the next 60 days whether DNSSEC will break your e-mail delivery, e.t.c.:

    dnssec-enable yes;
    dnssec-validation auto;

Done! Two lines (BIND, in this case), and off you go.

Will this handle the case of self-signed only? And as Jeroen Massar mentioned the resignation of a certificate is a tad troublesome for both DNSSEC & DANE.

* Step 2 - take your time cluing up on getting your zone signed, and being part of the solution toward a more secure Internet. No pressure, at your pace.

Again, Will this handle the case of self-signed only?

Mark.

Tia, JimL

--
+---------------------------------------------------------------------+
| James W. Laferriere        | SystemTechniques     | Give me VMS     |
| Network & System Engineer  | 3237 Holden Road     | Give me Linux   |
| j...@system-techniques.com | Fairbanks, AK. 99709 | only on AXP     |
+---------------------------------------------------------------------+

Re: DANE of SMTP Survey
Hello Mr. Tinka & Mr. Andrews,

Please see below.

On Thu, 3 Jun 2021, Mark Tinka wrote:
On 6/3/21 00:25, babydr DBA James W. Laferriere wrote:

The Below is to keep thread of thought accurate ...

On Wed, 2 Jun 2021, Mark Tinka wrote:

* Step 2 - take your time cluing up on getting your zone signed, and being part of the solution toward a more secure Internet. No pressure, at your pace.

Again, Will this handle the case of self-signed only?

Not sure I understand your question, in both cases of recursion and authoritative.

The Signing of the 'Zone', Can the 'Zone' be signed by a self-signed key? Or MUST I (and others) rely on a external certificate authority? Mind you I notice in rfc6487 (note(s)) about self-signed certificates. So Maybe I am being a bit over worried about having to spend more money just to keep my 2 ip-ranges routing in light of the RPKI initiative(s). Which Mr. Andrews' response below answers quite succinctly,

On Thu, 3 Jun 2021, Mark Andrews wrote:

DANE works with self generated CERTs. The TLSA record provides the cryptographic link back to the DNSSEC root.

Thank You Mr. Andrews, Muchly. Is what I was hoping for.

Thank You Both. JimL

--
+---------------------------------------------------------------------+
| James W. Laferriere        | SystemTechniques     | Give me VMS     |
| Network & System Engineer  | 3237 Holden Road     | Give me Linux   |
| j...@system-techniques.com | Fairbanks, AK. 99709 | only on AXP     |
+---------------------------------------------------------------------+

aggregation tool that allows a bit of fuzz to aggregating ?
Hello All,

google foo isn't pulling up anything but drivel about ip aggregation in cisco and describing the word 'fuzz'.

I am looking for a tool such as 'aggregate', this one is written in c. Which has been a very good tool to me. I use this tool to aggregate ip addresses snagged out of various logs to insert into iptables filtering. Again the aforementioned tool has worked well.

But now I am seeing a new trick from some entities that are transmitting from every other ipv4 address such as (*) below. And the trusty (& crusty) ol'tool just doesn't allow for a bit of fuzz in its aggregation filter.

Hoping someone knows of such a tool and or may have patched the aggregate tool to accomplish such a task.

(*)
...
63.81.88.116/32
63.81.88.118/32
63.81.88.120/32
63.81.88.122/32
63.81.88.124/32
63.81.88.126/32
...

Tia, JimL

--
+---------------------------------------------------------------------+
| James W. Laferriere        | SystemTechniques     | Give me VMS     |
| Network & System Engineer  | 3237 Holden Road     | Give me Linux   |
| j...@system-techniques.com | Fairbanks, AK. 99709 | only on AXP     |
+---------------------------------------------------------------------+

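Added example, not part of the original post and not code from the 'aggregate' tool: one way to aggregate with "fuzz" is to accept a covering block once a chosen fraction of its addresses has been seen, which collapses the every-other-address pattern listed above. The names `fuzzy_aggregate`, `min_density` and `min_prefixlen` are assumptions introduced here, and the 192.0.2.x and 198.51.100.x entries are constructed sample data.

```python
import ipaddress

# The six 63.81.88.x entries are the ones listed in the post; the 192.0.2.x
# and 198.51.100.x entries are constructed (documentation ranges).
SAMPLE = [
    "63.81.88.116/32", "63.81.88.118/32", "63.81.88.120/32",
    "63.81.88.122/32", "63.81.88.124/32", "63.81.88.126/32",
    "192.0.2.10/32", "198.51.100.4/32", "198.51.100.5/32",
]


def fuzzy_aggregate(entries, min_density=0.5, min_prefixlen=24):
    """Aggregate one address family with a tolerance for gaps.

    A fuzzy block is emitted when at least `min_density` of its addresses
    were seen and it joins two or more exact entries, so a lone address is
    never widened. Fuzzy blocks never grow wider than `min_prefixlen`.
    Returns (blocks, extra); `extra` counts never-seen addresses covered.
    """
    # Exact, lossless aggregation first (what a classic aggregator does).
    exact = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(e, strict=False) for e in entries))

    def cover(block, inside):
        seen = sum(n.num_addresses for n in inside)
        if seen == block.num_addresses:
            return [block]                      # fully seen: no fuzz needed
        if len(inside) >= 2 and seen / block.num_addresses >= min_density:
            return [block]                      # dense enough: accept the gaps
        out = []
        for half in block.subnets(prefixlen_diff=1):
            part = [n for n in inside if n.subnet_of(half)]
            if part:
                out.extend(cover(half, part))
        return out

    # Group exact entries under the widest block we are willing to emit.
    roots = {}
    for n in exact:
        root = n if n.prefixlen <= min_prefixlen else n.supernet(new_prefix=min_prefixlen)
        roots.setdefault(root, []).append(n)

    blocks = []
    for root in sorted(roots):
        blocks.extend(cover(root, roots[root]))
    extra = sum(b.num_addresses for b in blocks) - sum(n.num_addresses for n in exact)
    return blocks, extra


if __name__ == "__main__":
    blocks, extra = fuzzy_aggregate(SAMPLE)
    for b in blocks:
        print(b)
    print(f"# {extra} never-seen addresses are covered as well")
```

The `extra` count is the over-blocking cost of the chosen density; with `min_density=1.0` the function reduces to exact aggregation.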
Anyone else experiencing phone line issues from west to east ?
Hello All,

Anyone else experiencing phone line issues from west to east? Just tried calling back east and not even an all lines are busy signal.

Tia, JimL

--
+---------------------------------------------------------------------+
| James W. Laferriere        | SystemTechniques     | Give me VMS     |
| Network & System Engineer  | 3237 Holden Road     | Give me Linux   |
| j...@system-techniques.com | Fairbanks, AK. 99709 | only on AXP     |
+---------------------------------------------------------------------+

Re: questions about ARIN ipv6 allocation
Hello Randy,

On Mon, 6 Dec 2021, Randy Bush wrote:

You could transfer the resources to RIPE... :-)

been there. done that. 2016. "A Happy Story of Inter-RIR Transfer of Legacy Blocks from ARIN to RIPE" https://archive.psg.com/160524.ripe-transfer.pdf

In your slides above you mentioned '... just pay ...', Most of the RIR's webpages (at least to me) are a warren of forward and backward references. Could you or any kind soul post a url that definitively defines the fee structure for services provided for Ripe members?

randy

Tia, JimL

--
+---------------------------------------------------------------------+
| James W. Laferriere        | SystemTechniques     | Give me VMS     |
| Network & System Engineer  | 3237 Holden Road     | Give me Linux   |
| j...@system-techniques.com | Fairbanks, AK. 99709 | only on AXP     |
+---------------------------------------------------------------------+

Re: 2749 routes AT RISK - Re: TIMELY/IMPORTANT - Approximately 40 hours until potentially significant routing changes (re: Retirement of ARIN Non-Authenticated IRR scheduled for 4 April 2022)
Hello Job,

On Tue, 5 Apr 2022, Job Snijders via NANOG wrote:

...snip...

I think there clearly is an industry-wide trend to move away from 'unsigned plain-text non-authoritative' datasets, towards better sources of truth such as the VRP data available through the RIR RPKI Trust Anchors. There are variances in how stakeholders implement this paradigm shift: some operators move towards wholesale ignorance of non-auth databases (like Tata); some operators use softer transition mechanisms (examples: what RIPE NCC did in lieu of RIPE-731, or how IRRd v4 in its default configuration magically makes RPKI-invalid IRR objects disappear).

I think all of us recognize a need to declaw "third party" IRR databases like RADB and ALTDB ("declawing" meaning that it is not desirable that anyone can just register *anything*); on the other hand our community also has to be cognizant about there being parts of the Internet which are not squatting on anyone's numbers *and* also are not contracted to a specific RIR.

Kind regards, Job

Your final paragraph hits directly on my situation, That is as soon as I can get my small network connected again via hardline connections again.

I am not a customer of ARIN except for one asn. I hold maintainership of a couple of pre-arin /24's. And until a (imo) reasonable contract with pre-arin holders can be created AND a reasonable fund disbursement calculation with HARD Set $ values assigned, I will not be an Arin customer except for my one little ASN. Which when I was assigned that resource was just $100/yr, Imo a reasonable cost. That cost has now only gone up 50%, Again somewhat reasonable cost, BUT that cost going UP is of concern to my meager financial status.

I am greatly exasperated that I am not hearing about Public versions of RPKI repositories in the vein of ALTDB. In other words a Publicly held and Volunteer based entity. Blast I wish I had the financial wherewithal to back such an enterprise. If I did it would remain totally volunteer & a not for profit & I'd really like it to be Voluntarily funded by the Community.

I ask the Community why someone or some entity IS not coming forward and doing so?

Sorry about the rambling.

Twyl, JimL

--
+---------------------------------------------------------------------+
| James W. Laferriere        | SystemTechniques     | Give me VMS     |
| Network & System Engineer  | 3237 Holden Road     | Give me Linux   |
| j...@system-techniques.com | Fairbanks, AK. 99709 | only on AXP     |
+---------------------------------------------------------------------+

Re: Fwd: Fw: HOST IRR Retirement
Hello Ross,

I do not see a host name or IP4or6 in the below.

Hth, JimL

On Mon, 11 Apr 2022, Ross Tajvar wrote:

I tried sending the below message from my work account, but it's not a nanog subscriber, so the email was rejected. If anyone doubts the authenticity, feel free to reach out to me at rtaj...@365datacenters.com.

--
*From:* Ross Tajvar
*Sent:* Monday, April 11, 2022 3:53 PM
*To:* nanog@nanog.org
*Subject:* HOST IRR Retirement

Hi all,

We (365 Datacenters) inherited the HOST IRR. We have removed all stale objects from it, and moved all valid objects to other IRRs. We will eventually (hopefully soon) turn it off altogether. Please, if you are mirroring it, stop doing that. If you maintain documentation that lists IRRs, please update it to reflect that HOST is no longer in use.

Thanks!

P.S. If anyone thinks I should also announce this somewhere else, please let me know.

*Ross Tajvar*
Network Engineer
Office: (571)-341-8899
Support: (866)-365-6246

--
+---------------------------------------------------------------------+
| James W. Laferriere        | SystemTechniques     | Give me VMS     |
| Network & System Engineer  | 3237 Holden Road     | Give me Linux   |
| j...@system-techniques.com | Fairbanks, AK. 99709 | only on AXP     |
+---------------------------------------------------------------------+

Re: FCC proposes higher speed goals (100/20 Mbps) for USF providers
Hello Jason & All,

On Thu, 26 May 2022, Livingood, Jason via NANOG wrote:

Latency is a limitation for things that are generally relatively low bandwidth (interactive audio, zoom, etc.). Higher bandwidth won't solve the latency problem

+1

You Mean something a little less than ...

                       My traceroute  [v0.94]
replaceme (192.168.253.147) -> Snipped        2022-05-26T13:06:34-0800
Keys:  Help   Display mode   Restart statistics   Order of fields   quit
                                  Packets                Pings
 Host                       Loss%  Snt  Drop  Rcv   Last    Avg   Best   Wrst  StDev
  1. ...Snip...
  2. AS???  192.168.251.1    0.0%   89     0   89    1.3    1.3    0.8    1.9    0.2
  3. AS???  10.5.5.227       1.1%   89     1   88  227.5  123.9   31.1  276.5   69.8
  4. AS???  10.5.5.185       2.2%   89     2   87   43.5   48.7   28.5   72.0   10.3
  5. AS???  10.5.21.241      1.1%   89     1   88   36.6   40.3   30.5   64.3    5.7
  6. AS???  10.128.88.234    2.2%   89     2   87   52.9   39.8   31.8   63.8    5.3
  7. AS???  10.128.128.125  10.1%   89     9   80   42.5   40.0   29.6   55.7    4.7
  8. AS???  10.128.118.217  72.7%   89    64   24   36.7   39.6   29.7   49.8    4.8
  9. AS???  10.128.0.166    31.5%   89    28   61   60.0   58.8   45.8   86.5    8.0
 10. AS???  10.128.0.170    85.2%   89    75   13  101.1   81.7   70.7  101.1    9.7
 ...snip...

Oh, Sorry you were talking about latency not Packet loss. While I do understand that icmp responses ARE Low priority the above still gives some useful info. IMO Packet losses like the above are far worse than latency, But as far as an eyeball network user's experience makes absolutely no difference.

IMO as we enter the 'post-gigabit era', an extra 1 Gbps to the home will matter less than 100 ms or 500 ms lower working latency (optimally sub-50 ms, if not sub-25 ms). The past is exclusively speed-focused -- the future will be Speed + working latency + reliability/resiliency + consistency of QoE + security/protection + WiFi LAN quality.

One more set of nits, "security/protection" by whose standard should this be taken from, Eyeball users, Eyeball network Operators, His upstreams, US Gov, Nato, ...? Where can each of those mentioned in the above have their input listened to & acted upon?

--
+---------------------------------------------------------------------+
| James W. Laferriere        | SystemTechniques     | Give me VMS     |
| Network & System Engineer  | 3237 Holden Road     | Give me Linux   |
| j...@system-techniques.com | Fairbanks, AK. 99709 | only on AXP     |
+---------------------------------------------------------------------+

Re: Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 December 2023)
On Tue, 13 Sep 2022, Randy Bush wrote:

We strongly encourage all legacy resource holders who have not yet signed an LRSA to cover their legacy resources to consult a competent lawyer before signing an LRSA

randy

I concur, And seconded.

Hth, JimL

--
+---------------------------------------------------------------------+
| James W. Laferriere        | SystemTechniques     | Give me VMS     |
| Network & System Engineer  | 3237 Holden Road     | Give me Linux   |
| j...@system-techniques.com | Fairbanks, AK. 99709 | only on AXP     |
+---------------------------------------------------------------------+

Re: Announcing N91 Monday Keynote + New on NANOG TV: "Community Deep Dive"
Hello Randy,

On Wed, 22 May 2024, Randy Bush wrote:

*Abstract: *Once upon a time it was unthinkable to have a company meaningfully more complicated than a local florist that didn't have a network engineer on staff, or at least retainer. Today the world is vastly different...

folk interested in this might find https://berthub.eu/articles/posts/cyber-security-pre-war-reality-check/ interesting

randy

I for one am still after a long read of the main article and the few reference url's he used ... Thank you For posting that re-enlightening article.

Tmx, JimL

--
+---------------------------------------------------------------------+
| James W. Laferriere        | SystemTechniques     | Give me VMS     |
| Network & System Engineer  | 3237 Holden Road     | Give me Linux   |
| j...@system-techniques.com | Fairbanks, AK. 99709 | only on AXP     |
+---------------------------------------------------------------------+

Re: Shaping the Future of ICP-2: Community Input Extended to December 2024
Hello John,

I notice an entry without definition within the first document.

"Anti-Capture: An RIR must maintain governance rules and controls to prevent itself from becoming captured."

Might be nice to either further explain this term "Captured" in the glossary or within the statement itself.

Hth, JimL

On Sat, 16 Nov 2024, John Curran wrote:

NANOGers -

In October 2023, the Number Resource Organization initiated a process to undertake a significant update to Internet Coordination Policy 2 (ICP-2); the policy which specifies the criteria for establishing new Regional Internet Registries (RIRs). The Address Supporting Organization Address Council (ASO AC) has been tasked with managing the revision process, emphasizing community engagement and transparency.

The ASO AC has drafted a document which outlines the principles for the proposed ICP-2 Version 2 policy, and this document is available online for review here - https://www.nro.net/policy/internet-coordination-policy-2/proposed-icp-2-version-2-principles/

The ASO AC is actively seeking feedback from the Internet number resource community and the broader internet community on these proposed principles. At this stage, comments are being solicited on the principles themselves, rather than specific amendments to the text of the document. This collaborative approach aims to refine the principles before drafting a revised version of ICP-2 for further stakeholder input.

To facilitate community engagement, there is a questionnaire seeking feedback that is available in multiple languages, including English, French, Spanish, and Portuguese. The questionnaire is designed to gather diverse perspectives and can be completed in approximately 7-10 minutes. Recognizing the importance of comprehensive community input, the deadline for input via the questionnaire has been extended to 6 December 2024.

If you have an interest in the governance principles that should be applicable to RIRs, and a moment available to provide input, please consider doing so. More details about the principles and questionnaire are available on the NRO website - https://www.nro.net/nro-announces-that-the-deadline-for-the-icp-2-questionnaire-has-been-extended-to-6-december-2024/

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers

--
+---------------------------------------------------------------------+
| James W. Laferriere        | SystemTechniques     | Give me VMS     |
| Network & System Engineer  | 3237 Holden Road     | Give me Linux   |
| j...@system-techniques.com | Fairbanks, AK. 99709 | only on AXP     |
+---------------------------------------------------------------------+

Re: US executive order forces all US government resources to be with ARIN/etc?
Hello, All ...

On Thu, 16 Jan 2025, William Herrin wrote:
On Thu, Jan 16, 2025 at 9:00 AM Ben Cartwright-Cox via NANOG wrote:

https://www.whitehouse.gov/briefing-room/presidential-actions/2025/01/16/executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/

(i) Within 90 days of the date of this order, FCEB agencies shall take steps to ensure that all of their assigned Internet number resources (Internet Protocol (IP) address blocks and Autonomous System Numbers) are covered by a Registration Services Agreement with the American Registry for Internet Numbers or another appropriate regional Internet registry.

I don't have numbers on hand for how much US Gov space is already with ARIN, but this seems like a pretty nice win for ARIN getting an order for the US Gov legacy space attached to them (mentioned by name), while other RIRs are available in that order, I don't imagine it's going to other RIRs :)

For clarity, FCEB stands for Federal CIVILIAN Executive Branch. So, this order excludes the military, probably the intelligence agencies, state and local governments, etc. And not everything operated for the Federal government is done on their IP addresses. This won't affect address space assigned to federal contractors.

In a nutshell, this means that the few non-military federal agencies still operating on "legacy" IPv4 addresses will now have to officially sign a contract with ARIN. And nothing more than that.

Regards, Bill Herrin

While it may be associated with only FCEB agencies. Seems like one more step toward a State sanctioned Monopoly. Which even in anyone's eyes ARIN is, Within the U.S.A. Region.

Toodles, JimL

--
+---------------------------------------------------------------------+
| James W. Laferriere        | SystemTechniques     | Give me VMS     |
| Network & System Engineer  | 3237 Holden Road     | Give me Linux   |
| j...@system-techniques.com | Fairbanks, AK. 99709 | only on AXP     |
+---------------------------------------------------------------------+