off topic "Help"
Hello, I have a misconfigured Postfix installation that I inherited. Does anybody know of anyone who would consider reconfiguring/fixing it? It seems that all mail presented to it appears to be from "localhost"; when I reject unauthorized destinations, it rejects all mail. Thanks in advance. Bill Kruchas
Hello List, an easy Cisco question.
Hello, I am not a heads-down network guy, but I have set up a few firewalls and have got them to do what I wanted, "eventually", mostly through reading and trial and error.

I am struggling with this one. I think I know the answer, but I want to verify it with some experts.

We have a Cisco ASA 5505 with an internet connection with only one usable IP address (subnet 255.255.255.252). We/they have had a NAT set up for outgoing connections for some time, but I have been trying to get a new inbound connection going for terminal services to a specific host on TCP port 3389. I'm using ASDM, but checking the config file, it's building the correct static statement and access lists (I think, anyway). But it doesn't work, and doesn't give a real good definitive log message.

I was wondering if possibly the fact that NAT is using the one IP address precludes the static mapping from working. I've read several step-by-steps, and again had this working in several other places, but always with more IPs. If having just one IP isn't the issue, are there any other issues I should be looking for? I'd appreciate any insight you might share. Thanks in advance
RE: Hello List, an easy Cisco question.
Hello, we have NAT set up on our equipment, just a plain vanilla internet connection. Here is the pertinent section of the running config.

!
interface Ethernet0/2
 nameif Etherpoint
 security-level 0
 ip address outside-ip 255.255.255.252
 ospf cost 10
!
object-group service terminal-services tcp
 port-object eq 3389
access-list Inside_access_in extended permit icmp any any
access-list Inside_access_in extended permit ip 192.168.125.0 255.255.255.0 any
access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 MobileVPN 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 MobileVPN 255.255.255.0 inactive
access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 any inactive
access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.14.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.101.0 255.255.255.0
access-list Inside_nat0_outbound extended permit ip 192.168.125.0 255.255.255.0 192.168.253.0 255.255.255.0
access-list Haven_splitTunnelAcl_1 standard permit 192.168.125.0 255.255.255.0
access-list Etherpoint_access_in extended permit tcp host 192.168.125.8 eq 3389 any eq 3389
access-list Etherpoint_access_in extended permit tcp any eq 3389 host 192.168.125.8 eq 3389
access-list Etherpoint_access_in extended permit tcp any host 192.168.125.8 eq 3389
access-list Etherpoint_nat0_outbound extended permit ip host 192.168.125.8 host outside-ip
access-list Etherpoint_nat0_outbound extended permit ip host outside-ip host 192.168.125.8
ip local pool HavenVPN 192.168.253.1-192.168.253.254 mask 255.255.255.0
global (Etherpoint) 2 interface
nat (Inside) 0 access-list Inside_nat0_outbound
nat (Inside) 2 192.168.125.0 255.255.255.0
nat (Etherpoint) 0 access-list Etherpoint_nat0_outbound outside
static (Inside,Etherpoint) tcp interface 3389 192.168.125.8 3389 netmask 255.255.255.255
no threat-detection statistics tcp-intercept
access-group Inside_access_in in interface Inside
access-group Etherpoint_access_in in interface Etherpoint
route Etherpoint 0.0.0.0 0.0.0.0 204.186.102.187 1

Original Message
Subject: Re: Hello List, an easy Cisco question.
From: Dennis <daoden...@gmail.com>
Date: Mon, July 11, 2011 12:39 pm
To: b...@kruchas.com

On Mon, Jul 11, 2011 at 12:33 PM, <b...@kruchas.com> wrote:
> We have a cisco asa 5505, with an internet connection with only one useable ip address (subnet 255.255.255.252). We/they have had a nat setup for outgoing connections for some time, but I have been trying to

So your provider has your ASA behind a NAT, or there is a NAT inside,outside statement on your ASA? Some more pieces of the configuration would be helpful here too.

Thanks,
Dennis O.
RE: Hello List, an easy Cisco question.
Hello, I believe I have set up the appropriate access lists; I have even created them both ways in case I have the inside and outside reversed. The packet trace always drops through and hits the implicit rule, which is deny everything, no matter how I have the access list set up. I have tried it several ways and also included the NAT exclude statement, but the current config doesn't have that listed anymore, as I wanted to try to keep the config as clean as I can. If the exclude is needed I can certainly add it, but none of the examples used it.

Original Message
Subject: Re: Hello List, an easy Cisco question.
From: James Laszko <jam...@mythostech.com>
Date: Mon, July 11, 2011 1:02 pm
To: b...@kruchas.com

Have you set up the appropriate access rule along with the NAT? The packet trace button is useful in testing as well...

Regards,
James Laszko
Mythos Technology Inc
jam...@mythostech.com

- Original Message -
From: b...@kruchas.com [mailto:b...@kruchas.com]
Sent: Monday, July 11, 2011 12:33 PM
To: nanog <nanog@nanog.org>
Subject: Hello List, an easy Cisco question.
RE: Hello List, an easy Cisco question.
Thank you all. Here are some of the suggestions so far, all good. I will follow up on them and report back the final solution. Some reading for tonight (I already had it and skimmed through it, but I'll need to digest it better). I'm hoping that I'm not beating my head against the wall using NAT instead of PAT, and I'm not sure if PAT would be acceptable. Anyway, thanks again. Bill

**

Hey Bill,
I don't think you can do a static NAT translation on a NAT egress IP address. Have you considered using Port Address Translation instead?
Cheers,
Taylor

As per http://www.nanog.org/mailinglist/listfaqs/otherlists.php, since I don't see any responses to the list here, you'll probably get a more comprehensive reply from real Cisco experts at http://puck.nether.net/mailman/listinfo/cisco-nsp
I hope you get the problem solved! Whatever happens, do post back a reply to the list saying what solved the problem in the end.
Alex

Original Message
Subject: RE: Hello List, an easy Cisco question.
From: "Eric Tykwinski" <eric-l...@truenet.com>
Date: Mon, July 11, 2011 12:47 pm
To: <b...@kruchas.com>

Bill,
Sounds like you need to use Port Address Translation (PAT) instead of Network Address Translation (NAT). Here's a Cisco help file for it:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00804708b4.shtml
Sincerely,
Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300 F: 610-429-3222

-----Original Message-----
From: b...@kruchas.com [mailto:b...@kruchas.com]
Sent: Monday, July 11, 2011 3:34 PM
To: nanog
Subject: Hello List, an easy Cisco question.
Answer to: Hello List, an easy Cisco question.
Hello, and thanks for all the help. What the issue boiled down to: I was creating the access list just like the static command, which means I was using the source and destination ports when creating it. You just need the destination port, actually, because the firewall "catches" the packet on a different port and unencapsulates the packet and passes it through. The different port was causing the access list to reject the packet.

So this is what I had:

>access-list Etherpoint_access_in extended permit tcp any eq 5900 host outside-ip eq 5900

This is what worked :)

>access-list Etherpoint_access_in extended permit tcp any host outside-ip eq 5900

A complete example, for anyone who needs it, to route an external request to an internal host:

* access list to permit traffic in
access-list Etherpoint_access_in extended permit tcp any host outside-ip eq 5900
* static command to set up the relationship from the outside interface to the inside host
static (Inside,Etherpoint) tcp interface 5900 192.168.125.8 5900 netmask 255.255.255.255
* command to bind the access list to the outside interface
access-group Etherpoint_access_in in interface Etherpoint

Thanks again list
Bill Kruchas

Below is the full question and details.

*

Hello List, first let me say I'm not a heads-down network guy, but I have set up several Cisco firewalls, from PIXes and some 831s, and now I'm trying to get an ASA 5505 configured: version 7.2, and 5.2 on the ASDM. This has been in and working for some time, granting outbound access. There is only one external usable IP address, so everything is using PAT to get out (although whoever set it up set it up like a NAT with a global address pool). I have been trying to get an inbound static command to work, with no luck. First I wonder if I can do a static mapping for ingress on the same IP that is being used for PAT/NAT for egress. And if that is possible, why can't I get through? I'm pretty sure the static command is right, and I needed to add two ACLs (any to outside) (outside to inside) to get the packet trace in ASDM to let the packet into the inside host, but the translate still isn't passing the packet trace. Any insight would be greatly appreciated.

The log shows the port coming in as something different than what I expect: the 66.152.132.32/1064 should be 66.152.132.32/5900 (for VNC, which is the client I am testing with). These are the lines from the log:

>4 Jul 12 2011 11:27:13 106023 66.152.132.32 outside-ip Deny tcp src Etherpoint:66.152.132.32/1064 dst Inside:outside-ip/5900 by access-group "Etherpoint_access_in" [0x0, 0x0]
>4 Jul 12 2011 11:27:07 106023 66.152.132.32 outside-ip Deny tcp src Etherpoint:66.152.132.32/1064 dst Inside:outside-ip/5900 by access-group "Etherpoint_access_in" [0x0, 0x0]
>4 Jul 12 2011 11:27:04 106023 66.152.132.32 outside-ip Deny tcp src Etherpoint:66.152.132.32/1064 dst Inside:outside-ip/5900 by

These are the appropriate lines from the config:

>access-list Etherpoint_access_in extended permit tcp any eq 5900 host outside-ip eq 5900
>access-list Etherpoint_access_in extended permit tcp host outside-ip eq 5900 host 192.168.125.8 eq 5900
>global (Etherpoint) 2 interface
>nat (Inside) 0 access-list Inside_nat0_outbound
>nat (Inside) 2 192.168.125.0 255.255.255.0
>static (Inside,Etherpoint) tcp interface 5900 192.168.125.8 5900 netmask 255.255.255.255
>no threat-detection statistics tcp-intercept
>access-group Inside_access_in in interface Inside
>access-group Etherpoint_access_in in interface Etherpoint

Thanks In Advance
Bill Kruchas
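The fix Bill arrives at above, replayed in code. This is an added example, not code from the thread or from Cisco: a small Python evaluator for just the subset of ASA access-list syntax the thread uses (tcp, `any` or `host X`, an optional `eq PORT` after the source and after the destination) with first-match and implicit-deny semantics. It parses the 106023 log line from the post and runs it through the broken rule, the fixed rule, and a tighter variant that also pins the source address. The underlying reason the first rule can never match is that a TCP client picks an ephemeral source port (1064 in the log), so a rule demanding `eq 5900` on the source side filters out every real connection; the port a client connects *to* is the only one you know in advance. The 203.0.113.7 address in the restricted rule is an assumption standing in for an administrator's fixed address; exposing 5900 or 3389 to `any` on the internet is a decision to make deliberately, and the restricted form shows what the ACE looks like when you don't. The matching logic is this example's own simplification, not the ASA's engine.

```python
"""Toy evaluator for the ASA access-list lines discussed in this thread.

Added example, not from the original posts or from Cisco. It models only
the ACE syntax the thread uses (tcp, 'any' / 'host X', optional 'eq PORT'
after source and destination) and replays the logged packet against the
broken and the fixed rule. The log line and the ACEs are copied from the
thread; 203.0.113.7 is an assumed administrator address.
"""
import re
from typing import List, NamedTuple, Optional, Tuple


class Ace(NamedTuple):
    name: str
    src: str                 # 'any' or a single host address/name
    src_port: Optional[int]  # None means any source port
    dst: str
    dst_port: Optional[int]


class Packet(NamedTuple):
    src: str
    src_port: int
    dst: str
    dst_port: int


ACE_RE = re.compile(
    r"access-list (?P<name>\S+) extended permit tcp "
    r"(?P<src>any|host \S+)(?: eq (?P<sp>\d+))? "
    r"(?P<dst>any|host \S+)(?: eq (?P<dp>\d+))?$"
)

# Pulls the real source/destination out of a 106023 "Deny tcp src X:a/p dst Y:b/q" line.
LOG_RE = re.compile(r"src \S+:(?P<src>[\d.]+)/(?P<sp>\d+) dst \S+:(?P<dst>\S+)/(?P<dp>\d+)")


def _host(spec: str) -> str:
    """'any' stays 'any'; 'host X' becomes 'X'."""
    return "any" if spec == "any" else spec.split()[1]


def parse_ace(line: str) -> Ace:
    m = ACE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported ACE syntax: {line!r}")
    return Ace(m["name"], _host(m["src"]), int(m["sp"]) if m["sp"] else None,
               _host(m["dst"]), int(m["dp"]) if m["dp"] else None)


def packet_from_log(line: str) -> Packet:
    m = LOG_RE.search(line)
    if not m:
        raise ValueError(f"not a 106023-style deny line: {line!r}")
    return Packet(m["src"], int(m["sp"]), m["dst"], int(m["dp"]))


def matches(ace: Ace, pkt: Packet) -> bool:
    addr_ok = lambda spec, addr: spec == "any" or spec == addr
    port_ok = lambda spec, port: spec is None or spec == port
    return (addr_ok(ace.src, pkt.src) and port_ok(ace.src_port, pkt.src_port)
            and addr_ok(ace.dst, pkt.dst) and port_ok(ace.dst_port, pkt.dst_port))


def evaluate(aces: List[Ace], pkt: Packet) -> Tuple[str, Optional[Ace]]:
    """First matching ACE wins; nothing matching hits the implicit deny."""
    for ace in aces:
        if matches(ace, pkt):
            return "permit", ace
    return "deny", None


# Copied from the thread: the client's ephemeral source port is 1064, not 5900.
LOG_LINE = ('4 Jul 12 2011 11:27:13 106023 66.152.132.32 outside-ip Deny tcp src '
            'Etherpoint:66.152.132.32/1064 dst Inside:outside-ip/5900 by access-group '
            '"Etherpoint_access_in" [0x0, 0x0]')

BROKEN = ["access-list Etherpoint_access_in extended permit tcp any eq 5900 host outside-ip eq 5900"]
FIXED = ["access-list Etherpoint_access_in extended permit tcp any host outside-ip eq 5900"]
# Same fix, but only from one known administrator address (assumed value).
RESTRICTED = ["access-list Etherpoint_access_in extended permit tcp host 203.0.113.7 host outside-ip eq 5900"]


def verdict(acl_lines: List[str], log_line: str = LOG_LINE) -> str:
    action, _ = evaluate([parse_ace(l) for l in acl_lines], packet_from_log(log_line))
    return action


if __name__ == "__main__":
    for label, acl in (("broken", BROKEN), ("fixed", FIXED), ("restricted", RESTRICTED)):
        print(f"{label:10s} -> {verdict(acl)}")
```

`verdict(BROKEN)` reproduces the deny in the log, `verdict(FIXED)` permits the same packet, and `verdict(RESTRICTED)` denies it only because 66.152.132.32 is not the pinned source; a packet from the pinned address with any ephemeral source port is permitted.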
verizon.net abuse/support contacts?
I need to report something about an IP belonging to them: pool-.ny325.east.verizon.net I've looked at their website and the whois record...and sent email to [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED] Are these the right addresses? If someone works for verizon.net please let me know here or offline. Thanks a bunch! Bill
Re: Phoenix-IX Contact
> On Nov 10, 2020, at 5:05 PM, Kate Gerry wrote:
> I am running on a huge assumption here, but I think Phoenix-IX runs on donated infrastructure.

I believe that’s the case.

> I also wonder how the other Ninja-IX exchanges are running, I haven't heard anything about them, is there the same lack of communication? Or do those have a local staff?

I just asked the other PCH staff, and the last direct contact we had with Paul was in August of 2019. The last indirect contact was being cc’d on a work ticket that he originated in March of this year.

-Bill
Re: 10g residential CPE
> On Dec 25, 2020, at 9:16 PM, Mark Tinka wrote:
>> I have an RB4011 and while it does work very well for the price it is not really practical for the sort of people who don't reside on this list.
> Which says what about 10Gbps-in-the-home practicality?

Mark is right, you’re wrong. 10G home service is great. Everybody I know here in Paris has it. There’s just no particular reason to drop down to 1G for the EUR 10/month difference.

-Bill
Re: Show NOCs: OIG report: Should you charge extra for NOC tours?
> On Jan 7, 2021, at 7:31 PM, Christopher Morrow wrote:
> NOC tours seem like a very 1990's thing

Cough, cough *Terremark* cough, cough *disco lights* cough cough.

-Bill
Re: Parler
> On Jan 10, 2021, at 4:03 PM, sro...@ronan-online.com wrote:
> Another interesting angle here is that it was ruled the President couldn’t block people, because his Tweets were government communication.

Right, the _government_ can’t discriminate in which of its citizens it communicates with, and which it listens to.

> So has Twitter now blocked government communication?

Sure. No problem with that. An unregulated, non-monopoly, private party isn’t required to provide a forum for anyone, government or individual.

-Bill
Re: Parler
> On Jan 10, 2021, at 4:56 PM, Mark Seiden wrote:
>
> at the risk of providing more heat than light, trump violated the Presidential Records Act repeatedly by later taking down (aka destroying) his own unwise tweets. this repeated violation of law using twitter itself would have been enough for twitter to either restrict his using any mechanism for revision or deletion or even account termination for aup violations. i pointed this out to them 3.91 years ago.

Courtesy of someone who pays closer attention to all this than do I:

https://www.npr.org/2019/10/25/772325133/as-president-trump-tweets-and-deletes-the-historical-record-takes-shape

-Bill
Re: public open resolver list?
Are all y’all allergic to Wikipedia or something?

https://en.wikipedia.org/wiki/Public_recursive_name_server

-Bill
Re: Texas internet connectivity declining due to blackouts
> On Feb 17, 2021, at 7:41 PM, Sean Donelan wrote:
> Statistics suck, until you attempt to produce your own.

I don’t even know what word you replace “suck” with, when you’re doing it yourself. What’s suck cubed?

-Bill
Re: DoD IP Space
> On Apr 25, 2021, at 9:40 AM, Mel Beckman wrote:
> It’s a direct militarization of a civilian utility.

I think I’d characterize it, rather, as a possible privatization of public property. If someone builds a house in the middle of a public park, it’s not _what they’re doing in the house_ that concerns me.

-Bill
Re: TLD .so Partial Outage?
> On May 15, 2021, at 9:05 PM, Tom Daly wrote:
>
> Hello NANOG'ers!
>
> I'm observing a near global outage of DNS services from d.nic.so. This appears to be an AfriNIC anycast DNS service.
>
> Does anyone have contacts at AfriNIC for their DNS systems available?
>
> e.nic.so seems to be responding (hosted behind PCH, thanks Woody!).

Our staff contacted AfriNIC staff and got an acknowledgement that they were in the process of resolving it at the time.

-Bill
Re: shadowserver.org
> On Jun 28, 2021, at 5:19 AM, Scott Aldrich wrote:
>
> Anyone have an idea how to get HE/ShadowServer.org servers to stop attempting to penetrate the comcast drop at my house?
> Their website claims altruism.. but my logs don't support that claim.

I have no connection with Shadowserver, and no idea what you’re actually seeing or whether it represents a misconfiguration or bad idea on Shadowserver’s part or not. But as someone who frequently receives brief outraged emails from people who have discovered my insidious plot to infiltrate their recursive nameservers with packets from port 53, I find that sometimes if people use more words to explain what they’re seeing, they find that it isn’t what they at first thought it was.

So, using more words, what specifically are you observing, that leads you to believe that Shadowserver is attempting to penetrate your home network?

-Bill
Re: Anycast but for egress
> On Jul 27, 2021, at 10:54 AM, Vimal wrote:
>
> (Unsure if this is the right forum to ask this question

Sure, why not… There isn’t anywhere more appropriate, really.

> From what I understand, IP Anycast can be used to steer traffic into a server that's close to the client.

That’s the net effect, as it’s normally used. But anycast is really very simple, and has no concept of client/server… An IP address is assigned to multiple devices or processes, in locations which the routing topology views as diverse. In practice, that means that services are bound to a common shared address (an “anycast service address”) as those services are deployed on servers in different locations. The service address is advertised into the BGP routing infrastructure. Clients send packets to the service address, and the BGP routing infrastructure routes each packet on the shortest path to its destination, without knowing that there are multiple destinations.

> I am curious if anyone here has/encountered a setup where they use anycast IP on their gateways... to have a predictable egress IP for their traffic, regardless of where they are located?
>
> For example, a search engine crawler could in principle have the same IP advertised all over the world, but it looks like they don't... I wonder why?

I think you’re going to need to construct a clearer and more precise explanation of what you’re imagining, because my reading of these two lines is that they’re saying different things; I don’t see the connection between them that you see.

That said, a few reactions:

Anycast is often thought to _reduce_ predictability, since it offers multiple exclusive possible termination points for each packet, whereas unicast, multicast or broadcast would each have predictable outcomes by comparison: a specific node would receive the packet, a specific set of nodes would receive the packet, or all (in-scope broadcast domain) nodes would receive the packet.

If you’re asking whether it would make sense for border routers, which have access to full-table transit, to advertise that accessibility as an anycasted service, that’s what the special “default route” 0.0.0.0/0 is. Many people configure full-transit BGP routers to redistribute a 0.0.0.0/0 default route into their IGP, their internal routing protocol (albeit that may well be iBGP, nowadays) in order to accommodate routers which haven’t the resources to hold or use full routes.

A search engine crawler depends upon a unicast return path in order to establish a TCP session with the web sites it’s crawling, and see the return traffic from them. If a search engine crawler shared an anycast service address with other instances of itself in other locations, the outbound queries would head to web sites (which might be unicast or might be anycast, doesn’t matter), which would then try to reply. If the source address of the query is an anycast service address, the reply will go to the nearest instance of that shared address, rather than to the specific instance which originated the query. It’s for this reason that one normally assigns unique unicast addresses to network-facing interfaces which will originate packets, and anycast addresses to internal loopback interfaces, to which services are bound… The server can receive packets addressed to the anycast shared address, but will originate packets using its unique address.

Here’s a tutorial from twenty years ago (when this was all less than fifteen years old!) that explains in some detail… Things haven’t really changed since then:

https://www.pch.net/resources/Tutorials/anycast/Anycast-v10.pdf

-Bill
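The return-path argument in the post above, as an added example that is not part of the original message or of the linked tutorial. It is a small routing simulation in Python: a handful of routers with made-up link costs, a service address announced from two of them, and shortest-path forwarding that sends each packet to the nearest originator of its destination address without knowing there are several (the approximation of BGP the post describes). A crawler in one location opens a TCP session to a web site; the simulation checks whether the SYN/ACK lands back on the node that sent the SYN, first with the anycast service address as the source and then with that node's unique unicast address. Topology, node names and the 192.0.2.0/24 and 198.51.100.0/24 documentation addresses are all assumptions of this example.

```python
"""Added example (not from the post): why an anycast address must not be the
*source* of TCP sessions, shown on a constructed topology.

Routers are nodes, LINKS carries made-up costs, and ANNOUNCEMENTS maps an
address to the set of nodes originating it. Forwarding is shortest-path to
the nearest originator of the destination address; the network has no idea
that an address may be bound on several loopbacks.
"""
import heapq
from typing import Dict, Set

# Constructed topology: unordered pair of routers -> link cost
LINKS = {
    ("PAR", "LON"): 1, ("LON", "NYC"): 5, ("NYC", "SFO"): 4,
    ("SFO", "TYO"): 6, ("TYO", "SIN"): 3, ("SIN", "PAR"): 10,
}

ANYCAST = "192.0.2.53"       # service address bound on loopbacks in PAR and SFO
UNICAST_PAR = "198.51.100.1"  # unique address of the PAR instance's interface
UNICAST_SFO = "198.51.100.2"  # unique address of the SFO instance's interface
ANNOUNCEMENTS: Dict[str, Set[str]] = {
    ANYCAST: {"PAR", "SFO"},
    UNICAST_PAR: {"PAR"},
    UNICAST_SFO: {"SFO"},
}


def adjacency() -> Dict[str, Dict[str, int]]:
    adj: Dict[str, Dict[str, int]] = {}
    for (a, b), cost in LINKS.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def distances(src: str) -> Dict[str, int]:
    """Dijkstra from src; stands in for the IGP/BGP best-path computation."""
    adj = adjacency()
    dist = {src: 0}
    heap = [(0, src)]
    while heap:
        d, n = heapq.heappop(heap)
        if d > dist.get(n, float("inf")):
            continue
        for m, c in adj[n].items():
            nd = d + c
            if nd < dist.get(m, float("inf")):
                dist[m] = nd
                heapq.heappush(heap, (nd, m))
    return dist


def deliver(from_node: str, dst_addr: str) -> str:
    """Node on which a packet from from_node addressed to dst_addr lands:
    the nearest originator of that address. Unicast is the one-originator case."""
    dist = distances(from_node)
    return min(ANNOUNCEMENTS[dst_addr], key=lambda n: dist[n])


def tcp_session_survives(client_node: str, client_src_addr: str, server_node: str) -> bool:
    """client_node sends a SYN with source client_src_addr to a server on
    server_node. The SYN/ACK is addressed to client_src_addr; the handshake
    completes only if it lands on the node that actually sent the SYN."""
    return deliver(server_node, client_src_addr) == client_node


if __name__ == "__main__":
    # A crawler instance in PAR talks to a web site hosted in TYO.
    print("anycast source :", tcp_session_survives("PAR", ANYCAST, "TYO"))
    print("unicast source :", tcp_session_survives("PAR", UNICAST_PAR, "TYO"))
    # Inbound to the service address is fine from anywhere; each client gets
    # the instance the topology considers nearest.
    print("client in LON  ->", deliver("LON", ANYCAST))
    print("client in SIN  ->", deliver("SIN", ANYCAST))
```

With these costs, TYO's reply to the anycast address is routed to SFO (cost 6) rather than back to PAR (cost 13), so the PAR crawler's handshake never completes; the same session with PAR's unique unicast address as the source survives. Clients in LON and SIN reaching the service address land on PAR and SFO respectively, which is the inbound behaviour anycast is used for.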
Re: Anycast but for egress
> On Jul 27, 2021, at 6:15 PM, Vimal wrote:
>
> AWS Global Accelerator gives anycast IPs that's good for ingress, but my original question was about having predictable egress IPs.
>
> It looks like having a few EIPs/a contiguous network block is the way to go.

Yes. Predictable and unchanging (but each unique per location) static IP addresses is what you’re looking for.

It would be a huge convenience to others if you could specify a single contiguous CIDR block for others to “permit” in their access control lists, but alas that would be very difficult as well… Since BGP announcements generally need to be aggregated up to at least a /24 or a /48 (though people are less strict on the v6 side), each group of hosts numbered from the same block of that size would need to have internally contiguous convex routing, meaning that it would have to be interconnected by its own network (albeit that could be tunnels) and accept inbound traffic at any point on the surface of that network, backhauling it to the appropriate location.

So if you wanted to be able to identify a single CIDR block with eight locations in it, you’d either need to specify a /24 that was 97% wasted, and was fully internally interconnected (i.e. no efficiencies in localizing traffic), or you’d need to advertise eight /24s, which would aggregate up to a single /21, which was 99.6% wasted.

So, you can see why the combination of scarce IPv4 addresses, scarce BGP routing slots, and content routing tricks often don’t play well together.

-Bill
Re: Anycast but for egress
> On Jul 28, 2021, at 3:21 AM, Mark Tinka wrote:
> On 7/28/21 01:16, Daniel Corbe wrote:
>
>>> This is interesting... I wonder whether Anycast will still have some failure modes and break TCP connections if routing (configuration) were to change? I checked the PDF linked by Bill Woodcock... while the methodology is the same from 20y ago, would the data still be the same (order of magnitude)? :)
>
> We are Anycast'ing DNS (authoritative and recursive), NTP and TACACS+. All works well, across 11 or so countries.

I was about to say something about us having equal success over 105 or so countries, when I came to the realization that inviting quantitative comparisons of manhood with Mark is the very definition of folly. :-)

Anyway, yeah, the folks who were scared of anycast in the 1990s were running from shadows, not basing it on experience or data. In the real world, the number of stateful flows affected by route changes is dwarfed by those disrupted by other causes, and is immeasurably small. And when they do crop up on the radar, it’s almost always someone’s equal-cost-multi-path gone wrong, rather than an actual shift.

So, not an issue at all in the real world, just in the imaginations of folks who thought TCP was a complex thing reserved for the specific use-cases that they’d already conceived of in the 1980s. Took a while to get beyond their protestations, but here we are in the 21st century. Planck's principle holds. Science progresses one funeral at a time.

-Bill
Re: Newbie Questions: How-to monitor/control unauthorized uses of our IPs and DNS zones?
Ps/hardware, yes?

Yep. See “why you shouldn’t do that” above.

> 4. Does that mean I need a big Web Application Firewall (WAF)

Absolutely not. I have no idea what a Web Application Firewall is, but if it’s anything like it sounds like, I wouldn’t let one anywhere near anything I was responsible for securing.

> The thing is, no one should be able to use organization resources [IPs, FQDNs, and Web Services, for a start] for his/her own purpose without asking permission.

Sounds like you’re going to be writing a lot of shell scripts and cron jobs. Welcome to security. Remember to test your backups, that’s always the most important thing in any security regime.

-Bill
An update on the AfriNIC situation
As many of you are aware, AfriNIC is under legal attack by Heng Lu / “Cloud Innovation.” John Curran just posted an excellent summary of the current state of affairs here:

https://teamarin.net/2021/08/27/afrinic-and-the-stability-of-the-internet-number-registry-system/

If, like me, you feel like chipping in a little bit of money to help AfriNIC make payroll despite Heng having gotten their bank accounts frozen, some of the African ISP associations have put together a fund, which you can donate to here:

https://www.tespok.co.ke/?page_id=14001

It’s an unfortunate situation, but the African Internet community has really pulled together to defend themselves, and they’ve got a lot less resources than most of us do.

-Bill
Re: An update on the AfriNIC situation
> On Aug 27, 2021, at 11:49 PM, Baldur Norddahl wrote:
> Let's pretend that I am talking about a completely different case.
>
> A guy is profiting from leasing out addresses. This is clearly unfair as he lied to get them back then. However this means the addresses are actually in use _now_.

…by parties other than this hypothetical guy. Some of whom may have legitimate (conformant with current RIR allocation policy) uses, and others might not. And their conformance of use could be tested if the addresses were reclaimed to the RIR, and the actual users were to apply for them. At which point this hypothetical guy, who’s adding no value, but merely extracting an “ill gotten gain” from his prior fraud, will be disintermediated, and the legitimate users will be better-served, because they’ll have a direct relationship with their RIR, under their own name, at a lower cost.

> How is this so different from what many many other parties have done?

Well, I hope not _many_ other parties. I guess we’re not talking about “a completely different case” after all, then?

Bear in mind that this guy is in _no way_ part of the Internet ecosystem. He is _solely_ extracting rent by renting something he stole from us, back to us. If you’re saying, “Well, is that really so bad? This guy steals my car, but at least he’s willing to rent it back to me… doesn’t that happen all the time?” No, not so much.

> I think we all know some huge ISPs that got much larger blocks than strictly needed, and which now are profiting directly or indirectly.

…from their business as ISPs. They’re part of the Internet ecosystem, and even if they exaggerated their need to get addresses _early_, their use has been _conformant_ since whatever time the addresses were put into use.

> Yes I understand that the case is also about using blocks in a different region, but that too is something many others have done.

And whether that’s conformant or not depends upon the RIR policy, which is set differently in different regions. Take addresses from AfriNIC, and you need to be prepared to comply with AfriNIC policy.

-Bill
Re: An update on the AfriNIC situation
> On Aug 27, 2021, at 10:07 PM, Bryan Fields wrote:
> I’d expect that for a court to freeze assets of AFRINIC there must be a very strong argument.

You know what’s funny? There are a bunch of other people copying-and-pasting that same expectation on the AfriNIC and APNIC mailing lists, and they’re all beneficiaries of something called the “Larus Foundation.” So, if you’re not getting paid to copy and paste that, you might want to look into it:

https://www.larus.foundation

I hear it pays pretty well.

-Bill
Re: An update on the AfriNIC situation
> On Aug 28, 2021, at 12:48 AM, Baldur Norddahl wrote:
> just to point out it is not just one guy but a whole region doing business like that.

You’re saying a whole region consists of parties who don’t route IP traffic? If not, you’re making a false equivalency.

> In the RIPE region we had a run with many parties that created fake LIRs to get an extra /22 assignment.

That’s unfortunate, and I hope RIPE revokes any allocations which were made under false pretenses and are being currently used in ways that violate RIPE’s current policies. As AfriNIC does.

> Did they steal that any less than this guy?

I believe the blocks in question are:

154.80.0.0/12
45.192.0.0/12
156.224.0.0/11
154.192.0.0/11

So, yes, 6,144 times less.

> This guy is a small fish compared to the robbery done by so many others.

If you know of someone who’s fraudulently acquired _more_ than 6.3M IPv4 addresses, and is profiting from their being used in contravention of RIR policy, I very much encourage you to request that your RIR perform a compliance audit. Since, after all, that’s what the RIR’s job is.

-Bill
Re: SD-NAP (San Diego) Internet Exchange?
Last I knew it had pretty much devolved into intra-campus and local A/R&E interconnection, but our contacts here have retired as well.

-Bill

> On Feb 10, 2020, at 21:15, Matt Peterson wrote:
>
> Wondering if SD-NAP is still functional? PeeringDB entry looks pretty stale, haven't been able to reach any contact aware of the current status. Appreciate any help or direction on the status, thanks.
>
> --Matt
Re: Hi-Rise Building Fiber Suggestions
> On 2/25/20 6:32 PM, Norman Jester wrote:
> I’m in the process of choosing hardware for a 30 story building. If anyone has experience with this I’d appreciate any tips.
>
> There are two fiber pairs running up the building riser. I need to put a POE switch on each floor using this fiber.
>
> The idea is to cut the fiber at each floor and insert a switch and daisy chain the switches together using one pair, and using the other pair as the failover side of the ring going back to the source so if one device fails it doesn’t take the whole string down.
>
> The problem here is how many switches can be strung together and I would not try more than 3 to 5.

Yeah… I’d regenerate every five L2 devices as well. Which just means going up to L3 periodically.

Would it work for you to use the first pair for daisy-chaining switches on each floor that’s not a multiple of five, and then put the switches on the floors that are multiples of five into router mode, with a switch-group facing their own floor, but routed ports facing other floors? Then use the second pair as an “express” lane between the exit, floor 10, and floor 20, to keep L3 hop-counts down and provide some redundancy?

-Bill
Re: WIKI documentation Software?
> On Mar 14, 2020, at 7:05 AM, Brielle wrote:
> I personally like Dokuwiki a lot.

Dokuwiki is definitely my favorite as well. The UI is appropriate to the task, so you get work done quickly and without a lot of fuss.

-Bill
Re: CISA: Guidance on the Essential Critical Infrastructure Workforce
>> In France I must show a paper (not smartphone) printed permit, each sortie one different paper. The receiver of it (police) takes it in his/her gloved hands then s/he passes it back to me. I do not have gloves. I wished the receiver did not use the same gloves for each person who passes by and delivers that paper to him.
>
> Yep, couldn't believe it when my mate in Lyon told me the same thing this week.
> But I suppose this was to be expected, and is an idea that could potentially spread, worldwide.

I’ve been in Paris all week, and have gone out, on average, once a day. I pre-printed a stack of already-filled-out forms at the beginning of the week, so I’ve just checked the appropriate box each time I’ve gone out, no big deal. Seems quite reasonable to me. Gets people to at least give some conscious thought as to whether their reason for going out actually meets one of the listed criteria. And I haven’t actually been stopped any of the times I’ve gone out.

It’s early days yet, but Paris is handling this way, way better than I’d have expected. And a giant thumbs up to Free, who are keeping my 10G broadband flying along at an actual, measurable, 10G.

-Bill
Re: free collaborative tools for low BW and lossy connections
> On Mar 25, 2020, at 4:59 PM, Grant Taylor via NANOG wrote:
> UUCP doesn't even have the system-to-system (real time) requirement that NNTP has.

Brian Buhrow and I replaced a completely failing database-synchronization-over-Microsoft-Exchange system with UUCP across American President Lines and Neptune Orient Lines fleets, back in the mid-90s. UUCP worked perfectly (Exchange connections were failing ~90% of the time), was much faster (average sync time on each change reduced from about three minutes to a few seconds), and saved them several million dollars a year in satellite bandwidth costs.

UUCP kicks ass.

-Bill
Re: Command and Control Centres | COVID-19
I think that several businesses already have a BCP in place that includes work from home and a pre-built VPN infrastructure. I can't speak for business units I'm unfamiliar with, but for Engineering/Ops, this is status quo.

On Mon, Apr 6, 2020 at 7:52 AM Scott E. MacKenzie wrote:
> All,
>
> This question has arisen and I was wondering if I could request some feedback from the community. We operate a 24x7x365 Command and Control Centre that provides mission critical services (Security Operations, Network Operations, and Enterprise Management) as do many on this list.
>
> How many on the list have sent all personnel home using work from home practices and how many have opted to run skeleton crews while implementing tight social distancing restrictions? How many are operating status quo?
>
> We are trying to find a balanced position and I was wondering what is the community's position on this topic?
>
> Scott

--
Bill Blackford
Logged into reality and abusing my sudo privileges.
Re: dot-org TLD sale halted by ICANN
> On May 1, 2020, at 6:19 AM, Andy Ringsmuth wrote:
> https://www.theregister.co.uk/2020/05/01/icann_stops_dot_org_sale/
> I know this has been bantered about on the list in the past. Great (IMHO) to see this happen.

Yeah, this is an excellent result in the first-half of the fight. Now that we know who won’t be acting AGAINST non-profits, we need ICANN to run the competitive process again to find who will act FOR non-profits.

-Bill
Re: dot-org TLD sale halted by ICANN
> On May 1, 2020, at 1:56 PM, james jones wrote:
>
> I don't know if this is feasible, I would rather see the ORG TLD in the hands of a nonprofit. That is just a personal feeling. I don't know how practical that would be though.

That was, right up until the very last moment, a hard requirement in the 2002 criteria. Feverish eleventh-hour work by beltway lobbyists got that restriction removed, last time. It doesn’t need to be removed this time.

-Bill
Re: dot-org TLD sale halted by ICANN
> On May 1, 2020, at 1:19 PM, Lee wrote:
> On 5/1/20, Bill Woodcock wrote:
>>
>>> On May 1, 2020, at 6:19 AM, Andy Ringsmuth wrote:
>>> https://www.theregister.co.uk/2020/05/01/icann_stops_dot_org_sale/
>>> I know this has been bantered about on the list in the past. Great (IMHO) to see this happen.
>>
>> Yeah, this is an excellent result in the first-half of the fight. Now that we know who won’t be acting AGAINST non-profits, we need ICANN to run the competitive process again to find who will act FOR non-profits.
>
> Wasn't the price cap removal what started this mess in the first place?

Not exactly… The price cap removal was one facet of a more complicated insider/revolving-door deal which was used to set all this up… The change from a three-year renewal to a ten-year renewal, and the removal of the “non profit” purpose were two of the other dominoes which were set up contemporaneously with the price-cap removal. So what ultimately started this was an ethical void in the ICANN leadership which led them to think that they could get away with setting up an insider scam, then step outside to enrich themselves.

> Put the price cap back on for .org domains and then start the process for finding a new home for .org

That’s picking a second fight, when it can actually be used to our advantage… The next step is to re-run the established 2002 open competition with a solicitation for proposals. Last time around, there were eleven different proposals, some of them quite good. ISOC was in the middle of the pack, but got the nod despite no public-benefit commitment, because its board was largely overlapping with the ICANN board of the time and it was headquartered in the DC beltway. But the key here is that you want to provide as many opportunities for the proposers to differentiate themselves as possible. All of the existing problems can be fixed.
Allowing proposers to differentiate themselves by proposing specific solutions to these problems gives us, as the multistakeholder community, more information on which to judge them. ICANN has become so captured by a small handful of giant commercial registry services providers that the degree to which these problems can be solved in legally-binding ways has been pretty well obscured. But the law, if used right, is there to protect people, and can be used for good. If we can keep ICANN from falling back into its regulatory-capture coma long enough to get the second half of this process done, and calls for proposals, there will be lots of folks ready to submit them. Ethos is so very far from being qualified that I doubt they would try (after all, they just tried to spend $1.1bn to _circumvent_ being measured against any merit-based criteria, which tells you that it would have cost more than $1.1bn to get them to the point where they’d have been competitive), but there are plenty of other organizations that would throw their hat in the ring and come up with a proposal, and each of those proposals is an opportunity to show how the status-quo could be improved. The law gives us a lot of tools to lock such solutions in place and ensure that .ORG registrants are guaranteed the protections in ways that bribes, insiders, et cetera, can’t corrupt again. To the best of my knowledge, the strongest framework for that is a consumer utility cooperative. There’s more than 400 years of legal history in cooperative law, and the protections the law guarantees to members of cooperatives are far stronger than, for instance to the shareholders of stock corporations. Unlike a stock corporation, the board of directors cannot modify the Articles of a cooperative, only the members can. 
So if you lock the protections into the Articles of a cooperative whose membership consists of the more than ten million .ORG registrants, it would take a majority vote of those registrants to waive any of their protections. Which would simply never happen. There’s no incentive you could offer to six million .ORG registrants to allow you to take money from their pockets. Likewise, all of the profits of a cooperative (called “savings” in cooperative law) are guaranteed by law to be redistributed back to the members; they can’t be held on to, or spent for other purposes, or distributed to anyone else.

A few excerpts of note, to illustrate what can be done in a legally-binding framework, using the CCOR’s Articles of Incorporation as an example:

Article IV Purposes

B. This Corporation is organized exclusively for the mutual benefit of its members within the meaning of Section 501(c)(12) of the Internal Revenue Code, as amended (the “Code”). This Corporation shall not engage in any activity which is not permitted to be engaged in by a corporation exempt from federal income tax under Section 501(c)(12) of the Code.

C. The Cooperative
Re: An appeal for more bandwidth to the Internet Archive
> On 2020-05-13 11:00, Mark Delany wrote:
>> On 13May20, Denys Fedoryshchenko allegedly wrote:
>>> What about introducing some cache offloading, like CDN doing? (Google, Facebook, Netflix, Akamai, etc)
>>> Maybe some opensource communities can help as well
>> Surely someone has already thought thru the idea of a community CDN? Perhaps along the lines of pool.ntp.org? What became of that discussion?

Yes, Jeff Ubois and I have been discussing it with Brewster.

There was significant effort put into this some eighteen or twenty years ago, backed mostly by the New Zealand government… Called the “Internet Capacity Development Group.” It had a NOC and racks full of servers in a bunch of datacenters, mostly around the Pacific Rim, but in Amsterdam and Frankfurt as well, I think.

PCH put quite a lot of effort into supporting it, because it’s a win for ISPs and IXPs to have community caches with local or valuable content that they can peer with. There’s also a much higher hit-rate (and thus efficiency) to caching things the community actually cares about, rather than whatever random thing a startup is paying Akamai or Cloudflare or whatever to push, which may never get viewed at all.

It ran well enough for about ten years, but over the long term it was just too complex a project to survive at scale on community support alone. It was trending toward more and more of the hard costs being met by PCH’s donors, and less and less by the donors who were supporting the content publishers, which was the goal.

The newer conversation is centered around using DAFs to support it on behalf of non-profit content like the Archive, Wikipedia, etc., and that conversation seems to be gaining some traction. Unfortunately because there are now a smaller number of really wealthy people who need places to shove all their extra money. Not how I’d have liked to get here.

-Bill
Re: Did I miss a problem: FCC and CISA stress need for access during pandemic
> On May 27, 2020, at 3:40 AM, Sean Donelan wrote:
> I have not heard of any problems with access for ISP and communications workers in any U.S. state or locality during the pandemic.
> Did I miss a big problem requiring the FCC chairman and CISA Director send a letter?

That was one of the outcomes of the OECD recommendations to member governments on the Internet during the pandemic. As you may recall, I emailed you, and many other members of our community, on March 23, soliciting input for this document:

http://www.oecd.org/coronavirus/policy-responses/keeping-the-internet-up-and-running-in-times-of-crisis-4017c4c9/

The specific recommendation regarding prioritized access came from several of the people I mailed, and was of particular concern to global backbone operators. Whether you think that particular recommendation is a high priority or not, I’d chalk this up as a successful exercise of our community providing input to government and having government take it seriously and act upon it in the way that we requested them to. Exercising that channel periodically, to keep government thinking of that as normal, would be good. There’s no provable causality chain here, but it was a concern, we spoke, they listened, and the problem we were concerned with did not become an issue, so that’s a success.

If only we could do that with public health, we’d be in great shape.

-Bill
Re: Did I miss a problem: FCC and CISA stress need for access during pandemic
> On May 27, 2020, at 2:42 PM, Jared Mauch wrote:
> I have had problems with OSP construction ostensibly delayed by closed permitting agencies.

Several people have said this, now, both back to the NANOG list and to me privately, so I’ve conveyed that back. Having more specific anecdotes, or any statistics, that would help illustrate or quantify the issue, would make this easier.

-Bill
Re: Quality of the internet
> On Jun 18, 2020, at 2:28 PM, Saku Ytti wrote:
> No one needs strict priority queues anymore, which was absolutely needed at one point in time.

What time was that?

-Bill
Re: Does anyone actually like CenturyLink?
>> On Sun, Aug 30, 2020, 6:02 PM Ross Tajvar wrote:
>> Other than lack of options, why would anyone use them?
>>
> On Aug 30, 2020, at 6:41 PM, Töma Gavrichenkov wrote:
> Connectivity and latency (of Level3 which was acquired).

Yeah. What I think a lot of us liked was Global Crossing. When Global Crossing was sucked into L3, L3 managed to retain a fair bit of what was good about Global Crossing. Then L3 got sucked into CenturyLink, and CenturyLink managed to retain a fair bit of what was good about L3.

But. There’s still some inefficiency there. Aggregation isn’t the cleanest way to build a network.

-Bill
Re: Phoenix-IX Contact
> On Sep 14, 2020, at 9:31 PM, Kate Gerry wrote:
>
> Does anybody have a contact who works at Phoenix-IX? I have been attempting to reach somebody there for a while now without any luck.
>
> Attempts to reach out to peer...@phoenix-ix.net as well as Ninja-IX have been without any luck. We also tried reaching out to Paul Emmons via LinkedIn mail and never received a response.

Paul is the correct person.

-Bill
Re: Telecommunications network drafting software
> On Sep 2, 2021, at 9:14 AM, Etienne-Victor Depasquale via NANOG wrote:
> OmniGraffle seems to have some traction.

Yep, that’s what I’ve always used. If I need to really clean something up, I save it out of Omnigraffle as a PDF, and clean it up in Illustrator.

-Bill
Re: IPv6 woes - RFC
> On Sep 8, 2021, at 10:24 AM, Bjørn Mork wrote:
> The next thought was SMTP

I assume someone’s tried using MX record precedence to do this? record references with lower values than A record references, and see what happens? Anyone have any results to share there?

> and authoritative DNS servers.

If all currently-listed NS are dual-stack, I don’t know how much more would be gained by pruning them back to IPv6 only, from an actual-change-in-the-world perspective. Obviously it’s got to happen in the long run, will happen in the long run, and is the right thing to do, but I’m not sure that’s where our short-term tactical effort is going to have the most effect. If there are currently IPv4-only nameservers, deprecating those, dual-stacking them, or replacing them with IPv6-only is a good move.

> Running IPv6 only in a real production environment should be possible as long as you keep IPv4 on at least one of the servers.

Agreed, and in your internal environment you can go IPv6 only with NAT/gateway at the edge to reach legacy stuff on the outside. That helps get your people used to IPv6-only, and demonstrates the benefits of less configuration, less worrying about IP address availability, etc. If people don’t have a taste of how much easier it is, they don’t have a strong incentive to keep moving forward.

> But you don't have to look far before you hit snags like this:
> https://www.norid.no/en/om-domenenavn/regelverk-for-no/vedlegg-f/

Ugh. Policy from 2018. Has anyone reached out to them to get this fixed? .NO is one of the few ccTLDs we don’t have a relationship with. Looks like they’re using NetNod and Neustar.

-Bill
Re: 100GbE beyond 40km
Does this have to be Ethernet? You could look into line gear with coherent optics. IIRC, they have built-in chromatic dispersion compensation, and depending on the card, would include amplification.

On Fri, Sep 24, 2021 at 1:40 PM Randy Carpenter wrote:
>
> How is everyone accomplishing 100GbE at farther than 40km distances?
>
> Juniper is saying it can't be done with anything they offer, except for a single CFP-based line card that is EOL.
>
> There are QSFP "ZR" modules from third parties, but I am hesitant to try those without there being an equivalent official part.
>
> The application is an ISP upgrading from Nx10G, where one of their fiber paths is ~35km and the other is ~60km.
>
> thanks,
> -Randy

--
Bill Blackford
Logged into reality and abusing my sudo privileges.
Re: slack.com
We did not use an NTA, but we did flush our cache immediately once Slack had fixed their problem. I think that’s the right balance of carrot and stick.

-Bill

> On Oct 2, 2021, at 7:30 AM, Mark Tinka wrote:
>
> So, that wasn't fun, yesterday:
>
> https://lists.dns-oarc.net/pipermail/dns-operations/2021-September/021340.html
>
> We were also hit, given we run DNSSEC on our resolvers.
>
> Interesting some large open resolver operators use Negative TA's for this sort of thing. Not sure how this helps with the DNSSEC objective, but given the kind of pain mistakes like these can cause, I can see why they may lean on NTA's.
>
> Mark.
Re: facebook outage
They’re starting to pick themselves back up off the floor in the last two or three minutes. A few answers getting out. I imagine it’ll take a while before things stabilize, though.

-Bill
Re: facebook outage
> On Oct 4, 2021, at 11:10 PM, Bill Woodcock wrote:
>
> They’re starting to pick themselves back up off the floor in the last two or three minutes. A few answers getting out. I imagine it’ll take a while before things stabilize, though.

And we’re back:

WoodyNet-2:.ssh woody$ dig www.facebook.com @9.9.9.9

; <<>> DiG 9.10.6 <<>> www.facebook.com @9.9.9.9
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32839
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.facebook.com.              IN      A

;; ANSWER SECTION:
www.facebook.com.       3420    IN      CNAME   star-mini.c10r.facebook.com.
star-mini.c10r.facebook.com. 6  IN      A       157.240.19.35

;; Query time: 13 msec
;; SERVER: 9.9.9.9#53(9.9.9.9)
;; WHEN: Mon Oct 04 23:20:41 CEST 2021
;; MSG SIZE  rcvd: 90

-Bill
Re: facebook outage
> On Oct 4, 2021, at 11:21 PM, Bill Woodcock wrote:
>
>> On Oct 4, 2021, at 11:10 PM, Bill Woodcock wrote:
>>
>> They’re starting to pick themselves back up off the floor in the last two or three minutes. A few answers getting out. I imagine it’ll take a while before things stabilize, though.
>
> And we’re back:
>
> WoodyNet-2:.ssh woody$ dig www.facebook.com @9.9.9.9

So that was, what… 15:50 UTC to 21:05 UTC, more or less… five hours and fifteen minutes.

That’s a lot of hair burnt all the way to the scalp, and some third-degree burns beyond that.

Maybe they’ll get one or two independent secondary authoritatives, so this doesn’t happen again. :-)

-Bill
Re: facebook outage
> On Oct 4, 2021, at 11:50 PM, Ryan Brooks wrote:
> DNS was a victim in this outage, not the cause.

You are absolutely correct. However, people who don’t have this problem avoid having this problem by not putting all their DNS eggs in one basket. And then forgetting where they put the basket.

-Bill
Re: facebook outage
> On Oct 4, 2021, at 11:41 PM, Baldur Norddahl wrote:
>
> On Mon., 4 Oct. 2021 at 23.33, Bill Woodcock wrote:
>
>> On Oct 4, 2021, at 11:21 PM, Bill Woodcock wrote:
>>
>>> On Oct 4, 2021, at 11:10 PM, Bill Woodcock wrote:
>>>
>>> They’re starting to pick themselves back up off the floor in the last two or three minutes. A few answers getting out. I imagine it’ll take a while before things stabilize, though.
>>
>> And we’re back:
>>
>> WoodyNet-2:.ssh woody$ dig www.facebook.com @9.9.9.9
>
> So that was, what… 15:50 UTC to 21:05 UTC, more or less… five hours and fifteen minutes.
>
> That’s a lot of hair burnt all the way to the scalp, and some third-degree burns beyond that.
>
> Maybe they’ll get one or two independent secondary authoritatives, so this doesn’t happen again. :-)
>
> We have had dns back for a while here but the site is still down. Not counting this as over yet.

Yeah, fair enough. I went back and looked, and it looks like the BGP withdrawals were around 16:40 UTC? And as of 22:15 UTC, application-layer services still aren’t up. Which puts us at 6:35 thus far?

-Bill
Re: facebook outage
> On Oct 5, 2021, at 12:16 AM, Bill Woodcock wrote:
>
>> On Oct 4, 2021, at 11:41 PM, Baldur Norddahl wrote:
>>
>> On Mon., 4 Oct. 2021 at 23.33, Bill Woodcock wrote:
>>
>>> On Oct 4, 2021, at 11:21 PM, Bill Woodcock wrote:
>>>
>>>> On Oct 4, 2021, at 11:10 PM, Bill Woodcock wrote:
>>>>
>>>> They’re starting to pick themselves back up off the floor in the last two or three minutes. A few answers getting out. I imagine it’ll take a while before things stabilize, though.
>>>
>>> And we’re back:
>>>
>>> WoodyNet-2:.ssh woody$ dig www.facebook.com @9.9.9.9
>>
>> So that was, what… 15:50 UTC to 21:05 UTC, more or less… five hours and fifteen minutes.
>>
>> That’s a lot of hair burnt all the way to the scalp, and some third-degree burns beyond that.
>>
>> Maybe they’ll get one or two independent secondary authoritatives, so this doesn’t happen again. :-)
>>
>> We have had dns back for a while here but the site is still down. Not counting this as over yet.
>
> Yeah, fair enough. I went back and looked, and it looks like the BGP withdrawals were around 16:40 UTC? And as of 22:15 UTC, application-layer services still aren’t up. Which puts us at 6:35 thus far?

A. It’s past midnight here, and my brain is failing to convert between three timezones accurately. My apologies. I’ll stop typing until I’ve had some sleep. Good night.

-Bill
Re: facebook outage
Ok, I lied, I’m still awake. I got my first successful Facebook main page load at 23:13 UTC, for an overall duration of 8:33, or 513 minutes. Multiplied by three billion users, that’s 1.54 trillion person-minutes. That’s a tera-lapse! Have we had one of those before?

-Bill
Re: DNS pulling BGP routes?
> On Oct 7, 2021, at 6:25 PM, Jean St-Laurent via NANOG wrote:
>
> Nice document.
>
> In section 2.5 Routing, this is written:
>
> Distributing Authoritative Name Servers via Shared Unicast Addresses...
>
> organizations implementing these practices should always provide at least one authoritative server which is not a participant in any shared unicast mesh.

This was superstition, brought forward from 1992 by the folks who were yelling “damned kids get offa my lawn” at the time. There’s no reason to include a unicast address in an NS set in the 21st century, and plenty of reasons not to (since it’ll be very difficult to load-balance with the rest of the servers).

But one should NEVER NEVER depend on a single administrative or technical authority for all your NS records. That’s what shot Facebook in the foot, they were trying to do it all themselves, so when they shot themselves in the foot, they only had the one foot, and nothing left to stand on. Whereas other folks shoot themselves in the foot all the time, and nobody notices, because they paid attention to the spirit of RFC 2182.

-Bill
Re: DNS pulling BGP routes?
> On Oct 9, 2021, at 10:37 AM, Masataka Ohta wrote:
> It may be that facebook uses all the four name server IP addresses in each edge node. But, it effectively kills essential redundancy of DNS to have two or more name servers (at separate locations) and the natural consequence is, as you can see, mass disaster.

Yep. I think we even had a NANOG talk on exactly that specific topic a long time ago.

https://www.pch.net/resources/Papers/dns-service-architecture/dns-service-architecture-v10.pdf

-Bill
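The point made in the two posts above (never let one administrative or technical authority hold every NS record, and don't let all of a zone's name server addresses live in one routing domain) can be turned into a mechanical pre-flight check. The script below is an added example, not code from Bill, PCH, or any of the posters; the zone names, addresses and the prefix-to-ASN table are constructed placeholders (documentation ranges and private ASNs), and in practice the origin lookup would come from a routing table or an IP-to-ASN service rather than an embedded dict.

```python
import ipaddress

# Constructed example data (not real zones or networks): a zone whose NS set
# is served entirely from the zone owner's own names and network, and the same
# zone with an independent secondary added, in the spirit of RFC 2182.
SINGLE_AUTHORITY = {
    "a.ns.example.test": ["192.0.2.10", "2001:db8:1::10"],
    "b.ns.example.test": ["192.0.2.20", "2001:db8:1::20"],
    "c.ns.example.test": ["192.0.2.30", "2001:db8:1::30"],
    "d.ns.example.test": ["192.0.2.40", "2001:db8:1::40"],
}
WITH_SECONDARY = {
    "a.ns.example.test": ["192.0.2.10", "2001:db8:1::10"],
    "b.ns.example.test": ["192.0.2.20", "2001:db8:1::20"],
    "ns1.secondary-dns.example": ["198.51.100.5", "2001:db8:2::5"],
}

# Constructed prefix -> (origin ASN, operator) table (assumption: stands in
# for a routing-table or IP-to-ASN lookup so the check runs offline).
PREFIX_ORIGIN = {
    "192.0.2.0/24": (64500, "zone-owner"),
    "2001:db8:1::/48": (64500, "zone-owner"),
    "198.51.100.0/24": (64501, "secondary-dns-provider"),
    "2001:db8:2::/48": (64501, "secondary-dns-provider"),
}


def origin_of(addr):
    """Longest-prefix match of addr against PREFIX_ORIGIN."""
    ip = ipaddress.ip_address(addr)
    best_len, best = -1, (None, "unknown")
    for prefix, origin in PREFIX_ORIGIN.items():
        net = ipaddress.ip_network(prefix)
        if ip.version == net.version and ip in net and net.prefixlen > best_len:
            best_len, best = net.prefixlen, origin
    return best


def in_bailiwick(ns_name, zone):
    """True if the NS hostname lies inside the zone it serves."""
    n, z = ns_name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def assess_ns_set(zone, ns_records):
    """Return single-point-of-failure findings for a zone's NS set.

    ns_records maps each NS hostname to its list of addresses (A and AAAA).
    An empty list means the set has no single administrative or routing
    authority that can take every server down at once.
    """
    findings = []
    if len(ns_records) < 2:
        findings.append("fewer than two name servers")
    if all(in_bailiwick(name, zone) for name in ns_records):
        findings.append(
            "all NS names are inside %s: the zone and its server names share "
            "one administrative authority" % zone)
    asns, operators = set(), set()
    for addrs in ns_records.values():
        for addr in addrs:
            asn, operator = origin_of(addr)
            asns.add(asn)
            operators.add(operator)
    if len(asns) == 1:
        findings.append(
            "every NS address is originated by AS%s: one route withdrawal "
            "removes all of them" % next(iter(asns)))
    if len(operators) == 1:
        findings.append(
            "every NS is operated by %s: no independent secondary"
            % next(iter(operators)))
    return findings


if __name__ == "__main__":
    for label, ns in (("single authority", SINGLE_AUTHORITY),
                      ("with secondary", WITH_SECONDARY)):
        print(label + ":", assess_ns_set("example.test", ns) or ["ok"])
```

The in-bailiwick and single-ASN checks are deliberately separate: an organisation can spread servers across several of its own ASNs and still be one administrative authority, and a single provider can host names under your own domain, so both dimensions need an independent party before the set counts as redundant.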
PCH Peering Survey 2021
e,0,no,n]

For instance:

42 715 false true us true
42 3856 true true us true

We need the ASNs so we can avoid double-counting a single pair of peers when we hear from both of them, and so that when we hear about a relationship in responses from both peers we can see how closely the two responses match, an important check on the quality of the survey. As soon as we've collated the data, we will protect your privacy by discarding the raw data of the responses, and only final aggregate statistics will be published. We will never disclose any ASN or any information about any ASN.

If you’re peering with an MLPA route-server, you’re welcome to include just the route-server’s ASN, if that’s easiest, rather than trying to include each of the peer ASNs on the other side of the route-server. Either way is fine.

If all of your sessions have the same characteristics, you can just tell us what those characteristics are once, your own ASN once, and give us a simple list of your peer ASNs. If your number of peers is small enough to be pasted or typed into an email, rather than attached as a file, and that’s simpler, just go ahead and do that.

If you have written peering agreements that are covered by non-disclosure agreements, or if your organizational policy precludes disclosing your peers, but you’d still like to participate in the survey, please let us know, and we’ll work with whatever information you’re able to give us and try to ensure that your practices are statistically represented in our results.

If you're able to help us, please email me the data in whatever form you can. If you need a non-disclosure, we're happy to sign one.

Finally, if there are questions you’d like us to try to answer when we analyze the data, please suggest them, and if there are any additional questions you’d like us to include in future iterations of the survey, please let us know so that we can consider including them in the 2026 survey.
Please respond by replying to this email, by the middle of November, two weeks from now. Thank you for considering participating. We very much appreciate it, and we look forward to returning the results to the community.

-Bill Woodcock
Executive Director
Packet Clearing House
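The collation step the survey describes (collapse the two reports of one relationship onto a single AS pair, then compare them as a quality check) is small enough to show end to end. The script below is an added example, not PCH's survey tooling; the response lines are constructed, and the set of accepted boolean spellings is the example's own assumption since the survey's accepted forms are only partly visible above. It handles the one-row-per-relationship form only, not the shorthand where characteristics are stated once for a list of peers.

```python
from collections import defaultdict

# Constructed sample responses (not real survey data). Each line is one
# relationship as seen by the responding network: responder ASN, peer ASN,
# then the answers to the survey's per-session questions. AS42 and AS715
# both report on their shared relationship, so that pair must count once.
SAMPLE_RESPONSES = """\
# responder peer  (per-session answers, in the survey's column order)
42 715 false true us true
42 3856 true true us true
715 42 false true us true
3856 42 true true us false
64496 42 yes y dk 1
"""

# Accepted boolean spellings (assumption: the example's own list).
TRUE_WORDS = {"true", "1", "yes", "y"}
FALSE_WORDS = {"false", "0", "no", "n"}


def normalize(token):
    """Canonicalize a field so 'yes', 'y', '1' and 'true' compare equal."""
    t = token.strip().lower()
    if t in TRUE_WORDS:
        return "true"
    if t in FALSE_WORDS:
        return "false"
    return t


def parse_responses(text):
    """Parse whitespace- or comma-separated rows into (asn, peer, answers).

    Comment lines and blank lines are skipped; ASNs are range-checked so a
    typo cannot silently create a phantom network.
    """
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.replace(",", " ").split()
        if len(fields) < 2:
            raise ValueError("line %d: need responder and peer ASN" % lineno)
        asn, peer = int(fields[0]), int(fields[1])
        for a in (asn, peer):
            if not 0 < a < 2 ** 32:
                raise ValueError("line %d: ASN %d out of range" % (lineno, a))
        rows.append((asn, peer, tuple(normalize(f) for f in fields[2:])))
    return rows


def collate(rows):
    """Collapse rows onto unordered AS pairs and cross-check double reports."""
    by_pair = defaultdict(dict)  # (low_asn, high_asn) -> {reporter: answers}
    for asn, peer, answers in rows:
        by_pair[(min(asn, peer), max(asn, peer))][asn] = answers
    summary = {"rows": len(rows), "pairs": len(by_pair),
               "reported_by_both": 0, "consistent": 0, "mismatched": []}
    for pair, reports in by_pair.items():
        if len(reports) == 2:
            summary["reported_by_both"] += 1
            first, second = reports.values()
            if first == second:
                summary["consistent"] += 1
            else:
                summary["mismatched"].append(pair)
    return summary


if __name__ == "__main__":
    print(collate(parse_responses(SAMPLE_RESPONSES)))
```

On the constructed input the five rows collapse to three pairs; two pairs were reported from both sides, one of them with disagreeing answers, which is exactly the signal the survey uses to judge response quality.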
Re: PCH Peering Survey 2021
> On Oct 29, 2021, at 6:55 PM, Denis Fondras wrote:
> On Fri, Oct 29, 2021 at 01:47:37PM +0200, Bill Woodcock wrote:
>> If you’re peering with an MLPA route-server, you’re welcome to include just the route-server’s ASN, if that’s easiest, rather than trying to include each of the peer ASNs on the other side of the route-server. Either way is fine.
>
> I have an agreement with the RS owner (IXP) but not with each participant.
> Should the contractual relationship be true or false ?

Sorry, we should have been more clear about that… This is just whether a bilateral contract exists between the two peering ASes. We’re looking at multilateral agreements separately, because two ASes may peer directly in some locations and via multilateral route-servers elsewhere. So with that question we just want to know whether there’s a bilateral contract.

Thanks,

-Bill
Re: strange scam? email claiming to be from the fbi
> On Nov 13, 2021, at 5:02 PM, Glenn McGurrin via NANOG wrote:
>
> I had a bit of an odd one this morning

It’s this: https://www.engadget.com/fbi-email-server-hack-221052368.html

-Bill
25G SFP28 capable of rate-adaption down to 1G?
Hey, does anyone know of an SFP28 capable of rate-adapting down from 25G on the cage side down to 1G on the line side? Can be copper or fiber on the line side, I don’t care, my interest is in the chip inside.

Thanks,

-Bill
Re: 25G SFP28 capable of rate-adaption down to 1G?
> On Jan 31, 2022, at 8:02 PM, Randy Carpenter wrote:
>
> Are you talking about an SFP28 module that can link at 25Gb, but also 1Gb?
>
> We just put 1Gb SFPs in the SFP28 ports and they work fine. I have not seen a single module that does both, but admittedly, I have not looked too hard, as the 1Gb modules are so cheap.
>
> Or, are you talking about a module that presents as 25Gb to the switch, but 1Gb to the client device?

The latter. I remember there were two kinds of copper SFPs: cheap ones, which would talk 1G on both sides, and expensive ones which would talk 1G on the switch/router side, and 10M/100M/1G on the client side.

There seem to be similar kinds of copper SFP+, though I haven’t actually tested them:

https://www.discomp.eu/mikrotik-rj45-sfp-10-100-1000m-2-5g-5g-10g-metalicky-modul_d82667.html
https://datainterfaces.com/sfp-1000-rj45-10gbase-t-copper-sfp-transceiver-module-cisco-ready/
https://www.prolineoptions.com/dell-sfp-10g-t-de-pro-100-1000-1base-tx-sfp-plus-transceiver-copper-30m
https://www.blackbox.be/en-be/i/14164/SFP+,10-Gbps,RJ-45/
https://www.bestbuy.ca/en-ca/product/startech-hp-jl563a-compatible-sfp-module-10-100-1000-1-copper-transceiver-jl563a-st/14208481

Those seem like they might talk 10G on the switch/router side, and 10M/100M/1G/2.5G/5G/10G on the client side. Or it might be that they establish whatever link speed they can on the client side, and then try to signal the switch/router side to adapt to that rate; which seems possible but improbable. Or it might be that they accept whatever speed the switch/router side tells them it’s running at, and then only provide link at that rate on the client side; again, possible but seems improbable. I haven’t actually taken any of these into the lab to test them, anyway. And those are 10G on the switch/router side, and I’m curious whether anybody knows of one that goes 25G/10G/1G on the switch/router side, and 1G (specifically) on the client side.
I don’t actually want the SFP28, I just need to find a chip that does that in the size/power budget of an SFP, and it seemed like the easiest way to do that would be to find an SFP28 that did what I needed and bust it open to see what chip they were using. I’m sure you can guess why, given recent threads. :-) -Bill signature.asc Description: Message signed with OpenPGP
Re: ASN in use, but no whois data?
> On Feb 26, 2022, at 12:07 AM, Jeroen Massar via NANOG wrote:
>
>> On 20220225, at 23:45, Matt Harris wrote:
>>
>> Hey folks,
>> I'm looking at an ASN 394183 and I can't find any whois or other contact data.

Yeah, in the wake of our peering survey, we’ve been looking into this… A surprising number of ASNs responded to the survey, but then we ran into errors when we went to geo-code their response to a country using the whois. There are zombie ASes like this in ARIN and in the IANA not-yet-delegated pool, but not in the other four RIRs.

-Bill
Re: Certificates for DoT and DoH?
> On Feb 28, 2022, at 3:29 PM, Bjørn Mork wrote:
> Any recommendations for a CA with a published policy allowing an IP address SAN (Subject Alternative Name)?
> Both Quad9 got their certificate from DigiCert:
>
>    Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 2020 CA1
>    Subject: C = US, ST = California, L = Berkeley, O = Quad9, CN = *.quad9.net
>    X509v3 Subject Alternative Name:
>        DNS:*.quad9.net, DNS:quad9.net, IP Address:9.9.9.9, IP Address:9.9.9.10, IP Address:9.9.9.11, IP Address:9.9.9.12, IP Address:9.9.9.13, IP Address:9.9.9.14, IP Address:9.9.9.15, IP Address:149.112.112.9, IP Address:149.112.112.10, IP Address:149.112.112.11, IP Address:149.112.112.12, IP Address:149.112.112.13, IP Address:149.112.112.14, IP Address:149.112.112.15, IP Address:149.112.112.112, IP Address:2620:FE:0:0:0:0:0:9, IP Address:2620:FE:0:0:0:0:0:10, IP Address:2620:FE:0:0:0:0:0:11, IP Address:2620:FE:0:0:0:0:0:12, IP Address:2620:FE:0:0:0:0:0:13, IP Address:2620:FE:0:0:0:0:0:14, IP Address:2620:FE:0:0:0:0:0:15, IP Address:2620:FE:0:0:0:0:0:FE, IP Address:2620:FE:0:0:0:0:FE:9, IP Address:2620:FE:0:0:0:0:FE:10, IP Address:2620:FE:0:0:0:0:FE:11, IP Address:2620:FE:0:0:0:0:FE:12, IP Address:2620:FE:0:0:0:0:FE:13, IP Address:2620:FE:0:0:0:0:FE:14, IP Address:2620:FE:0:0:0:0:FE:15
>
> Does this mean that DigiCert is the only alternative?

I assume not, but we’d already used them for other things, and they didn’t have a problem doing it, so we didn’t shop any further.

> And do they really have this offer for ordinary users, or is this also some special arrangement for big players only?

No, we didn’t have to do anything special, to the best of my knowledge.

> That does make me wonder how they verify that I'm the rightful owner of "sites, IP addresses, common names, etc.". In particular, "etc" :-)
> Or you could ask yourself if you trust a CA with such an offer...

Yep. DANE is the correct answer. CAs are not.

But that’s been true for a very long time, and people are still trying to pretend that CAs know what’s what.

-Bill
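As an added example (written for this edit, not code from the thread, from Quad9 or from DigiCert), here is the check a DoT/DoH client has to make against a certificate like the one quoted above: the address or name the client dialled must be covered by the Subject Alternative Name extension, with IP literals compared against IP Address SANs as parsed addresses (the cert carries 2620:FE:0:0:0:0:0:9 uncompressed, and a client that compares strings against 2620:fe::9 fails), and with wildcards applying only to DNS names, never to IPs. The SAMPLE_PEERCERT dict is constructed here in the shape Python's ssl.SSLSocket.getpeercert() returns, populated with a subset of the SAN entries quoted above.

```python
"""Does a server certificate's SAN cover the address or name a DoT/DoH client
connected to?  Added example; not code from the thread or from Quad9.

SAMPLE_PEERCERT is constructed in the layout ssl.SSLSocket.getpeercert()
returns, using a subset of the SAN entries quoted in the thread."""

import ipaddress

# Constructed sample (layout from getpeercert(); values quoted in the thread).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "*.quad9.net"),),),
    "subjectAltName": (
        ("DNS", "*.quad9.net"),
        ("DNS", "quad9.net"),
        ("IP Address", "9.9.9.9"),
        ("IP Address", "149.112.112.112"),
        ("IP Address", "2620:FE:0:0:0:0:0:9"),
        ("IP Address", "2620:FE:0:0:0:0:FE:9"),
    ),
}


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, at most one leading '*' that
    covers exactly one label, and never a bare '*.tld'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_covers(peercert: dict, target: str) -> bool:
    """True if the certificate's SAN extension covers `target`.

    An IP literal is matched only against 'IP Address' SANs, as parsed
    addresses, so '2620:fe::9' equals the uncompressed form the CA wrote.
    A hostname is matched only against 'DNS' SANs.  commonName is ignored
    on purpose: modern clients look at the SAN extension alone."""
    sans = peercert.get("subjectAltName", ())
    try:
        target_ip = ipaddress.ip_address(target)
    except ValueError:
        target_ip = None

    if target_ip is not None:
        for kind, value in sans:
            if kind != "IP Address":
                continue
            try:
                if ipaddress.ip_address(value) == target_ip:
                    return True
            except ValueError:
                continue  # malformed SAN entry: skip it rather than match it
        return False

    return any(kind == "DNS" and _dns_name_matches(value, target)
               for kind, value in sans)


if __name__ == "__main__":
    for t in ("9.9.9.9", "2620:fe::9", "dns.quad9.net", "a.b.quad9.net", "9.9.9.8"):
        print(f"{t:>16}: {'covered' if san_covers(SAMPLE_PEERCERT, t) else 'NOT covered'}")
```

Python's own ssl module performs the IP-SAN match when the address is passed as server_hostname with check_hostname enabled (3.7 and later); the function above makes the rule explicit for certificates dumped with getpeercert(), and for auditing clients in stacks that still fall back to commonName.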
Re: Russia to disconnect from global Internet
>> According to Nexta (Belorussian media outlet: https://nexta.tv , https://en.wikipedia.org/wiki/Nexta ) Russia has begun active preparations to disconnection from the global Internet.
>>
>> No later than March 11, all servers and domains must be transferred to the Russian zone. In addition, detailed data on the network infrastructure of the sites is being collected.
>>
>> Source: https://twitter.com/nexta_tv/status/1500553480548892679

This is a complete misrepresentation of the Russian text. This is equivalent to Einstein. And apparently equally successful and quick.

This applies exclusively to Russian federal government networks, not ISPs or telecom operators. It’s just trying to get them to document and harmonize their practices in perfectly reasonable ways, and meet some minimum levels of security and “strategic autonomy,” as the EU is calling it. And everything it says has been the law since 2019 anyway.

If I were the administrator in charge of getting government agency IT folks to clean up their work, I’d sure as hell jump on this opportunity to remind them that they’re three years overdue, too.

-Bill
Re: Russia to disconnect from global Internet
> On Mar 7, 2022, at 9:02 AM, Stephane Bortzmeyer wrote:
>
> On Sun, Mar 06, 2022 at 11:49:54PM +0100, Bill Woodcock wrote a message of 62 lines which said:
>
>> This applies exclusively to Russian federal government networks, not ISPs or telecom operators. It’s just trying to get them to document and harmonize their practices in perfectly reasonable ways,
>
> And I assume that not *one* domain under .gov has name servers in foreign TLDs and not *one* Web site using .gov loads resources (fonts, stylesheets, code, etc) from a non-US service.
> And yet no one says that the USA are disconnecting from the Internet.

The “disconnecting from the Internet” propaganda meme is one of the most annoying US ones. They’ve been doing it at least since Hillary Clinton was Secretary of State, possibly earlier.

http://america.aljazeera.com/articles/2013/9/20/brazil-internet-dilmarousseffnsa.html

Iran was tarred with the same brush when they managed the diplomatic and logistic feat of building a _terrestrial_ cable all the way to Frankfurt.

-Bill
Re: Russia to disconnect from global Internet
No, that was the original source of the disinformation. I guess she didn’t actually read it, or didn’t understand it, and in any case, failed to fact-check. Ask Russian network operators or government IT folks, or a lawyer… there’s no ambiguity here.

-Bill

> On Mar 7, 2022, at 8:55 PM, Hank Nussbacher wrote:
>
> Bill Woodcock wrote:
>> This applies exclusively to Russian federal government networks, not ISPs or telecom operators.
>
> https://twitter.com/krisnova/status/1500590779047170048?s=12
> says otherwise.
>
> -Hank
The role of Internet governance in sanctions
I very much thank all of you who participated in this drafting effort, and I’m really happy that the document is out:

https://www.pch.net/resources/Papers/Multistakeholder-Imposition-of-Internet-Sanctions.pdf

Now we can focus on operationalization. Mailing list, web site, etc. are in the process of being set up.

The goal is to have a minimal, lightweight mechanism with BGP and RPZ feeds that networks can voluntarily subscribe to. 99% of the time, they’d be empty. Occasionally, when the Internet community believes that a military or propaganda agency is problematic enough to be worth sanctioning, IPs and domains would be added to the feed. The mechanism is exactly the same as is currently used for blackholing abuse IPs and domains, so doesn’t take anything new on the subscribing network’s side, just one more feed.

We’re anticipating that debate over what goes into the list will only happen very occasionally, and the discussion list will be quiet the rest of the time. A lot like NSP-Sec and Outages. And there’ll probably be a lot of overlap with those groups. All are welcome, look for an announcement in a few more days.

Thanks,

-Bill
Re: The role of Internet governance in sanctions
> On Mar 10, 2022, at 1:24 PM, Randy Bush wrote:
> while i abhor the russian invasion of the ukraine, and have put my money where my mouth is

(As an aside to others, our friends at the .UA ccTLD have recommended this as a useful place to donate: https://www.comebackalive.in.ua/donate It’s providing medical support to combatants.)

> i worry about the precedent of setting ourselves up as legislature, police, judge, and jury

We do this with spam, malware and phishing every day. The people who were trying to benefit from the campaigns are very unhappy about it, but everyone else seems pleased with the outcome or, if anything, wants it to be even more effective.

> ...and the long term effects of centralizing such authority.

This is the Internet… when we do it right, nothing that matters is centralized. There are dozens of spam, ddos, cp and malware BGP and RPZ feeds right now. Some are better-administered than others, but I wouldn’t call any of them an “authority,” nor do I worry about them becoming centralized. This is no different.

> who will we censor and ostracize next? a walt kelly cartoon comes to mind.

I view it more like their rowboat… A different name every time, but not often, never more than one, and never remarkable enough to warrant notice by the actors.

> otoh, i would likely close such meager services as i provide to russian use.

Indeed. And I suspect the judgment of many network operators will be similar. With a principled constraint that only military and propaganda networks will be included in the feed, I’m not too worried about this turning into fascism.

-Bill
Re: The role of Internet governance in sanctions
> On Mar 10, 2022, at 4:25 PM, Mel Beckman wrote:
> In my view, there is a core problematic statement in this document:
> I think it is a colossal mistake to weaponize the Internet. The potential for unintended consequences is huge.

It sounds like your problem statement and ours are the same. Pulling the plug on countries is inappropriate, because it has a lot of unintended consequences and harms people.

-Bill
Re: The role of Internet governance in sanctions
> On Mar 10, 2022, at 5:42 PM, Mel Beckman wrote:
> I don’t understand your comment. I don’t think our statements are the same at all.

Perhaps not. My goal is to minimize Internet disconnection. Maybe that’s not your goal. I was trying to give what you wrote the most generous possible interpretation.

> You, on the other hand, seem to be referring to — correct me if I’m wrong — sovereign countries pulling the plug on their Internet access.

Perhaps you’re misunderstanding, it’s difficult to tell. The current problem is “sovereign countries” disconnecting (or attempting to disconnect) other countries. That’s a lot of disconnection. That’s bad for people, and bad for business. I’m against that. It’s relatively simple.

> The proposal you signed doesn’t address that, that I can see.

Perhaps read it again, then, since that’s the only thing it talks about. Reducing the amount of disconnection from whole countries to as near zero as can be achieved in the presence of “sovereign countries.”

> Slow your roll. This is nowhere near ready for “operationalization”, as the several comments here objecting to the thing testifies.

Putting aside matters of fact... Because a couple of people objecting to a document they haven’t actually read means that the rest of the industry has to put up with national-level disconnection? I’m pretty sure that’s not how the Internet works. But, you seem pretty certain you understand how things work better than I do. Perhaps you can explain it to us.

-Bill
Re: Dropping support for the .ru top level domain
> On Mar 12, 2022, at 11:47 AM, Patrick Bryant wrote:
> Unlike Layer 3 disruptions, dropping or disrupting support for the .ru TLD can be accomplished without disrupting the Russian population's ability to access information and services in the West.

Quoting from https://www.pch.net/resources/Papers/Multistakeholder-Imposition-of-Internet-Sanctions.pdf :

Revocation of country-code Top Level Domains (ccTLDs)

Every ISO-3166 Alpha-2 two-letter abbreviation of a national name is reserved for the use of the Internet community of that nation as a “country-code Top Level Domain,” or “ccTLD.” This reservation is made expressly for the Internet community of the nation and not the government of the nation. Geographic, political, and sociocultural allocations of “internationalized” top-level domains (such as “.рф” to the Russian Federation, or “.укр” to Ukraine) are made in parallel with the ISO-3166 mechanism.

The primary users of any ccTLD are its civilian constituents, who may be distributed globally and may be united by linguistic or cultural identity rather than nationality or national identity. Removal of a ccTLD from the root zone of the domain name system (the sanction suggested by the letter) would make it very difficult for anyone, globally, within Russia or without, to contact users of the affected domains, a group that consists almost entirely of Russian-speaking civilians. At the same time, it would have relatively little effect upon Russian military networks, which are unlikely to rely upon DNS servers outside their own control.

We therefore conclude that the revocation, whether temporary or permanent, of a ccTLD is not an effective sanction because it disproportionately harms civilians; specifically, it is ineffective against any government that has taken cyber-defense preparatory measures to alleviate dependence upon foreign nameservers for domain name resolution.

In addition, any country against which this sanction was applied would likely immediately set up an “alternate root,” competing with the one administered by the Internet Assigned Numbers Authority, using any of a number of trivial means. If one country did so, others would likely follow suit, leading to an exodus from the consensus Internet that allows general interconnection.

It would break DNSSEC within .ru, and it would disrupt civilian communication within Russia. Not a good idea.

-Bill
What's a "normal" ratio of web sites to IP addresses...
…in a run-of-the-mill web hoster?

This is really a question specifically for folks with web-site-hosting businesses. If you had, say, ten million web site customers, each with their own unique domain name, how many IPv4 addresses would you think was a reasonable number to host those on?

HTTP name-based virtual-hosting means that you could, hypothetically, pile all ten million into a single IP address. At the other end of the spectrum, you could chew up ten million IPv4 addresses, giving a unique one to each customer. Presumably the actual practice lies somewhere in-between. But what ratio do people in that business think is reasonable? 10:1? 100:1? 1,000:1?

I’m happy to take private replies and summarize/anonymize back to the list, if people prefer.

Thanks!

-Bill
Re: What's a "normal" ratio of web sites to IP addresses...
> On Apr 1, 2022, at 12:15 AM, Bill Woodcock wrote:
> …in a run-of-the-mill web hoster?
> I’m happy to take private replies and summarize/anonymize back to the list, if people prefer.

I asked the same question on Twitter, and got quite a lot of answers in both places pretty quickly. Thus far, 23 answers, with an average of about 490,000 and a median of 1,500.

Obviously there are a lot of different factors that go into this, but the two that were cited most frequently were that users who want their own individual IP drive the number down, while large load-balancing/caching infrastructures drive the number up.

Thank you all very much. I appreciate the education, and I hope it’s useful to others as well!

-Bill
Re: ARIN ORG ID for non-ARIN region company
> On Oct 14, 2022, at 12:40 AM, George Toma wrote:
> Does anybody know if it possible to create ARIN ORG ID for non-ARIN region company?

I just forwarded this to an appropriate person at ARIN to give you an official answer.

-Bill
Re: Caribnog email list
Forwarded to the maintainers.

-Bill

> On Feb 4, 2023, at 6:44 PM, David Bass wrote:
>
> Anyone on here run it? The URL to sign up on the website doesn’t seem to work at the moment.
Re: SF union square area fiber
> On Apr 4, 2023, at 5:39 PM, Jared Mauch wrote:
> Can someone who is familiar with the fiber assets around the union square area in SF ping me off-list?

Heh. Somewhere, I have photos that Steve Feldman and I took while spelunking around under there trying to find fiber for the NANOG that was held there in 1997. We found a gas-chandelier maintenance department that people had just locked up and walked away from. Tools still spread out on workbenches, lamps half-rebuilt, everything. It was like electrification had hit one day during lunch-hour.

-Bill
Re: Reverse DNS for eyeballs?
> On Apr 21, 2023, at 11:38 AM, Forrest Christian (List Account) wrote:
> What's the current thinking around reverse DNS on IPs used by typical residential/ small business customers?
> I'm not talking about reverse dns for infrastructure/router IPs here, as I still feel those need to be kept up to date. This is just for the individual end user IPs.

I think it’s really useful… but as IPv4 becomes a thing of the past, it probably needs to be supplied dynamically by a plug-in to your nameserver, rather than in giant static tables.

-Bill
Re: Picking a RIR/obtaining an AS/resurrecting a legacy space
The ASN really isn’t a big deal. There’s no scarcity of them, you can get a 16-bit one by asking.

The legacy IPv4 space, well, if there’s a clear chain of custody to the current holder, and the current holder is responsive, they can use it or transfer it. But also, IPv4 space isn’t scarce… it just costs money, now, to buy.

If you’re in the US, just use ARIN. ARIN’s processes aren’t arcane, particularly compared with RIPE, and fees are predictable and relatively low.

-Bill

> On Jul 6, 2023, at 16:29, Dave Taht wrote:
>
> I have an old friend still holding onto some legacy IP space that he has not used in 30 years. The origin goes back to the early 90s, and originally through ARIN. In the relevant databases it is a /23, but actually a /22 - but the top 2 addresses are not registered or announced anywhere I can find. I do not mind losing those to the pool but getting the /23 up and running would help... and a /22 far more useful for our purposes. Sadly I also have a lovely 16 bit BGP AS number AS5768 still unused from my first company of that era but in the hands of an admin that has been unresponsive about either using it or giving it back for many years. Sentimentally I would like to find a way to get that back... but it is ok if that doesn't happen.
>
> Anyway, LibreQos would really like to obtain a BGP AS number from some RIR (or is there an unused BGP AS transfer market?) and have some real IPv4 addresses to vector some traffic through, in our testbeds initially, and perhaps later on as means to shape traffic for other services. Most of our market is outside the USA actually and I would be inclined to get that AS from the simplest AR to deal with, but my list of preferences is merely based on where we have installations rather than cost/contacts/customer service... and especially, "hassle". Honestly coping with figuring out the fee and registration schedules is just beyond me. I have heard ripe was easiest to deal with regarding legacy space. (?)
>
> Anyone out there that can help sort out this legacy space in a sane manner? We are subsisting on a tiny amount of donations/month presently, and the up front cost and yearly costs are quite a lot to make this step.
>
> Finding someone(s) to help us become real in this fashion, navigating the RIRs process, setting up bird or FRR for us (with a touch of anycast), would help, and help (at some price) moving forward, would be great. I have not got BGP running myself in over 25 years!
>
> --
> Podcast: https://www.linkedin.com/feed/update/urn:li:activity:7058793910227111937/
> Dave Täht CSO, LibreQos
Re: Internet Exchange Visualization
> On Aug 22, 2023, at 10:39, Thomas Beer wrote:
> to make an (intermediate) summary so far, it's 2023 and there are no tools available for BGP, ASN and IX interconnection visualization static or dynamic?!

No, that is not at all correct. People have tools that solve their actual needs. Do you have an actual need, or are you just blathering about how you’re smarter than the people who do it for a living?

> Nobody has a top-level understanding / awareness of the infrastructure topology and fixes "bottlenecks", route misconfiguration et al. on a peer - to - peer basis?!

Can you illuminate for us what precisely you’re trying to figure out? Right now it just looks like you’re mashing words you found together. And you’re doing it in public, on a mailing list with tens of thousands of people on it. People who are self-aware enough not to do that, and thus might consider it a breach of etiquette for you to do so.

-Bill
Re: well-known Anycast prefixes
> On Mar 19, 2019, at 10:12 AM, Fredy Kuenzler wrote:
>
> I wonder whether anyone has ever compiled a list of well-known Anycast prefixes.

I don’t know of one. It seems like a good idea. BGP-multi-hop might be a reasonable way to collect them. If others agree that it’s a good idea, and it’s not stepping on anyone’s toes, PCH would be happy to host/coordinate.

-Bill
Re: well-known Anycast prefixes
> On Mar 19, 2019, at 1:04 PM, Hansen, Christoffer wrote:
>
> something like this?
>
> https://github.com/netravnen/well-known-anycast-prefixes/blob/master/list.txt
>
> PR's and/or suggestions appreciated! (Can be turned into $lirDB friendly format->style RPSL)

Generally, static lists like that are difficult to maintain when they’re tracking multiple routes from multiple parties. Communities have been suggested, which works as long as they’re passed through to somewhere people can see. Between PCH, RIS, and Route-Views, most should be visible somewhere, but not all.

I think a combination of the two is probably most useful… people tag with a well-known community, then those get eBGP-multi-hopped to a common collector, and published as a clean machine-readable list.

-Bill
Re: well-known Anycast prefixes
> On Mar 19, 2019, at 1:11 PM, Grzegorz Janoszka wrote:
>
> On 2019-03-19 21:04, Hansen, Christoffer wrote:
>> https://github.com/netravnen/well-known-anycast-prefixes/blob/master/list.txt
>> PR's and/or suggestions appreciated! (Can be turned into $lirDB friendly format->style RPSL)
>
> Most DNS root servers are anycasted.

Right, yeah, I think he was just showing an example, since he had roughly a dozen, out of thousands.

-Bill
Re: well-known Anycast prefixes
> On Mar 19, 2019, at 1:55 PM, Frank Habicht wrote:
>
> Hi,
>
> On 19/03/2019 23:13, Bill Woodcock wrote:
>> Generally, static lists like that are difficult to maintain when they’re tracking multiple routes from multiple parties.
>
> agreed.
> and on the other extreme, communities are very much prone to abuse.
> I guess I could set any community on a number of prefixes (incl anycast) right now
>
> So, I think a (moderated) BGP feed of prefixes a'la bogon from a trusted {cymru[1], pch[2], ...} could be good [3].

Ok, so, just trying to flesh out the idea to something that can be usefully implemented…

1) People send an eBGP multi-hop feed of well-known-community routes to a collector, or send them over normal peering sessions to something that aggregates…
2) Because those are over BGP sessions, the counterparty is known, and can be asked for details or clarification by the “moderator,” or the sender could log in to an interface to add notes about the prefixes, as they would in the IXPdir or PeeringDB.
3) Known prefixes from known parties would be passed through in real-time, as they were withdrawn and restored.
4) New prefixes from known parties would be passed through in real-time if they weren’t unusual (large/overlapping something else/previously announced by other ASNs).
5) New prefixes from known parties would be “moderated” if they were unusual.
6) New prefixes from new parties would be “moderated” to establish that they were legit and that there was some documentation explaining what they were.
7) For anyone who really didn’t want to provide a community-tagged BGP feed, a manual submission process would exist.
8) Everything gets published as a real-time eBGP feed.
9) Everything gets published as HTTPS-downloadable JSON.
10) Everything gets published as a human-readable (and crawler-indexable) web page.

Does that sound about right?

-Bill
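An added example of the triage in steps 3 through 6 of the message above, written for this edit rather than taken from the thread or from any PCH or Cymru tool: it classifies one community-tagged submission as pass-through or moderation-required from its origin ASN and prefix. The ASNs (from the 64496-64511 documentation range), the prefixes, the known-parties table and the "large prefix" thresholds are all constructed assumptions, and "previously announced by other ASNs" is approximated as overlap with a prefix already accepted from a different party, which also catches a prefix that overlaps something else.

```python
"""Triage of community-tagged anycast prefix submissions (steps 3 to 6 above).

Added example for this edit; not code from the thread, PCH or any feed.
Every ASN, prefix and threshold below is a constructed assumption."""

import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed state: parties we already have a BGP session with (so the
# counterparty is known), and the prefixes each has had accepted before.
KNOWN_PARTIES: Set[int] = {64496, 64497}
ACCEPTED: Dict[int, Set[Network]] = {
    64496: {ipaddress.ip_network("192.0.2.0/24")},
    64497: {ipaddress.ip_network("2001:db8:10::/48")},
}

# Anything shorter than this is "large" for an anycast service prefix and
# gets a human look. The thresholds are an assumption, not from the thread.
MAX_PREFIXLEN_WITHOUT_REVIEW = {4: 22, 6: 44}


@dataclass
class Decision:
    prefix: Network
    origin_asn: int
    action: str                         # "pass" or "moderate"
    reasons: List[str] = field(default_factory=list)


def overlapping_other_party(prefix: Network, origin_asn: int) -> Optional[int]:
    """ASN of a *different* known party whose accepted prefix overlaps
    `prefix`, or None.  An identical prefix overlaps, so this also covers
    'previously announced by another ASN'."""
    for asn, nets in ACCEPTED.items():
        if asn == origin_asn:
            continue
        for net in nets:
            if net.version == prefix.version and net.overlaps(prefix):
                return asn
    return None


def triage(prefix_str: str, origin_asn: int) -> Decision:
    """Decide whether a submission is published in real time or held."""
    # strict=True rejects host bits set in the network address, the most
    # common garbage in a hand-typed submission (step 7's manual path).
    prefix = ipaddress.ip_network(prefix_str, strict=True)
    decision = Decision(prefix, origin_asn, "pass")

    # Step 6: a new party is always moderated until legitimacy and
    # documentation are established.
    if origin_asn not in KNOWN_PARTIES:
        decision.action = "moderate"
        decision.reasons.append("new party: establish legitimacy and documentation")
        return decision

    # Step 3: known prefix from a known party passes through (the real feed
    # would mirror its withdraw/restore live).
    if prefix in ACCEPTED[origin_asn]:
        return decision

    # Steps 4/5: a new prefix from a known party passes unless it is unusual.
    limit = MAX_PREFIXLEN_WITHOUT_REVIEW[prefix.version]
    if prefix.prefixlen < limit:
        decision.reasons.append(f"large: /{prefix.prefixlen} is shorter than /{limit}")
    other = overlapping_other_party(prefix, origin_asn)
    if other is not None:
        decision.reasons.append(f"overlaps a prefix already accepted from AS{other}")
    if decision.reasons:
        decision.action = "moderate"
    return decision


if __name__ == "__main__":
    # Constructed submissions exercising each branch.
    for p, asn in (("192.0.2.0/24", 64496), ("198.51.96.0/20", 64496),
                   ("2001:db8:10:5::/64", 64496), ("203.0.113.0/24", 64500)):
        d = triage(p, asn)
        print(f"AS{asn} {p}: {d.action} {d.reasons}")
```

Anything that lands in "moderate" would wait on the step 2 channel (a question to the counterparty, or a note added through the submitter interface) before reaching the eBGP, JSON and web outputs of steps 8 to 10.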
Re: well-known Anycast prefixes
I imagine that the “description” of each entry in the list should include a machine-readable field indicating the use.

There was a question about the use-case... I’m sure a lot of people in the ops community have their own reasons related to routing and filtering and so forth, but there’s also a huge demand for this kind of information, aggregated and sanity-checked, to support academic research at the graduate level. And the better we support those kids with real-world data, the more practical an education they receive, and the more ready they are to jump in to jobs we offer them in industry when they graduate. Supporting kids and networking graduate programs like that is a big part of our work, that tends not to be visible on the operations side. Academics downloaded routing-archive snapshots from us nearly 300 million times, last year, for example.

-Bill

> On Mar 21, 2019, at 09:52, Ross Tajvar wrote:
>
> Not all any-casted prefixes are DNS resolvers and not all DNS resolvers are anycasted. It sounds like you would be better served by a list of well-known DNS resolvers.
>
>> On Thu, Mar 21, 2019 at 12:35 PM Bryan Holloway wrote:
>>
>> On 3/21/19 10:59 AM, Frank Habicht wrote:
>>> Hi James,
>>>
>>> On 20/03/2019 21:05, James Shank wrote:
>>>> I'm not clear on the use cases, though. What are the imagined use cases?
>>>>
>>>> It might make sense to solve 'a method to request hot potato routing' as a separate problem. (Along the lines of Damian's point.)
>>>
>>> my personal reason/motivation is this:
>>> Years ago I noticed that my traffic to the "I" DNS root server was traversing 4 continents. That's from Tanzania, East Africa.
>>> Not having a local instance (back then), we naturally sent the traffic to an upstream. That upstream happens to be in that club of those who don't have transit providers (which probably doesn't really matter, but means a "global" network).
>>
>> /snip
>>
>>> Greetings,
>>> Frank
>>
>> I can think of another ...
>>
>> We rate-limit DNS from unknown quantities for reasons that should be obvious. We white-list traffic from known trusted (anycast) ones to prevent a DDoS attack from throttling legitimate queries. This would be a useful way to help auto-generate those ACLs.
Re: Amazon AS16509 peering... how long to wait?
😳🤣

Sent from my iPhone

> On Apr 7, 2019, at 17:40, Kieran Murphy wrote:
>
> Yeah, it takes a while.
>
> My peering request turned 1 year old on Friday.
> There was cake.
>
>> On Mon, 8 Apr 2019 at 08:36, Ross Tajvar wrote:
>> From what I've heard, their peering department is really behind on processing new peer turn-ups.
>>
>>> On Sun, Apr 7, 2019, 6:16 PM Mehmet Akcin wrote:
>>> I will connect you to right people offlist
>>>
>>> I am surprised its taking that long
>>>
>>> On Sun, Apr 7, 2019 at 16:41 John Von Essen wrote:
>>>> I applied for peering, received an email, setup the BGP session, waited about a month. Then 3 weeks ago my BGP session with Amazon came up, but with zero routes. I assume I am in some kind of test/waiting period, but after three weeks, I thought I would be getting routes by now. Emails to the peeringdb POC have not returned anything. Anyone here from AS16509, can this be bumped? We are AS17185, and peering is on DE-CIX NYC.
>>>>
>>>> Thanks
>>>> John
>>>
>>> --
>>> Mehmet
>>> +1-424-298-1903
Re: historical BGP announcements? (pre-1997)
> On May 6, 2019, at 12:47 PM, John Osmon wrote:
>
> I've got a need to look for some announcements from the mid 1990s.
> The oldest I've found at at the University of Oregon Route Views Project, but the earliest I can find there appears to be November of 1997.

That’s when PCH began archiving them (and subsequently turned that archive over to U of O). We weren’t aware of anyone publicly archiving transit routes prior to that.

-Bill
Re: historical BGP announcements? (pre-1997)
> On May 7, 2019, at 4:12 PM, william manning wrote:
>
> somewhere, I have a DVD of the Route Server logs from when we first turned up the NSF/NAPS (circa 1994) until the UO service came online.

Well, if you ever run across them again, I’m sure Brad and Steve and I would all be happy to publish them.

-Bill
Re: Puerto Rico Internet Exchange
.Org, .pr, and a couple of root letters should be on our Puerto Rico node already, along with several hundred other TLDs.

-Bill

> On Jul 6, 2019, at 17:00, Rubens Kuhl wrote:
>
> It would be interesting if ICANN, Verisign and Afilias were able to join the IX as well making the root and .com/.net/.org/.pr zones available even if the island is cut off from the globe. There is so much fixation in bits per second while IX'es are resiliency tools, more than bandwidth saving tools.
>
> Rubens
>
>> On Sat, Jul 6, 2019 at 6:19 PM Mehmet Akcin wrote:
>> Hey there, just a very brief update
>>
>> We are in the process of RE-launching Internet Exchange in San Juan, Puerto Rico in a few weeks. We've got multiple networks in San Juan agreed to join the IX in a common neutral point. If you are able to help with the project or interested in learning more about it, please contact me offlist. (especially if you are in Puerto rico)
>>
>> Once everything is operational and the website is set up, I hope to contact back and update once we've got mrtg, etc is operational.
>>
>> thank you
Re: Protecting 1Gb Ethernet From Lightning Strikes
> The correct answer is use fiber.
> Not sure I would bring an inter building link in copper onto an expensive core switch though.

Yeah.

> Don't know of anything in higher density than "one port”.

This on Amazon:

https://smile.amazon.com/Protector-Lightning-Suppressor-Protection-TP323/dp/B07P3XDXN3/ref=sr_1_6?keywords=apc+PNET1GB&qid=1565722471&s=gateway&sr=8-6

…but I haven’t used it, so can’t specifically recommend.

-Bill
Re: FCC Takes Steps to Enforce Quality Standards for Rural Broadband
> On Nov 1, 2019, at 12:37 AM, Jim wrote:
>
> On Thu, Oct 31, 2019 at 1:08 PM Jeff Shultz wrote:
>> What has most people (from anecdotal observation) concerned is that we are usually more than one or two carriers out from an IXP where the speed test server will be...
>
> It sounds like there would be some test method concerns there by having merely one performance-testing server.

IXPs are the only useful place to put bandwidth-test servers. Downstream from an IXP and you don’t measure the relevant portion of the path. Through an IXP, and you’re testing the combination of your own transit, and the irrelevant and coincidental transit of the bandwidth test server, not your own.

-Bill
Re: FCC Takes Steps to Enforce Quality Standards for Rural Broadband
> On Oct 31, 2019, at 6:42 PM, Sean Donelan wrote:
> There is just so much I want to make sarcastic comments about, but I worry about offending future potential employers (all of them).
> https://www.fcc.gov/document/fcc-takes-steps-enforce-quality-standards-rural-broadband-0

"The Bureaus required ETCs to perform speed and latency tests from the customer premises of an active subscriber to a remote test server located at or reached by passing through an FCC-designated Internet Exchange Point (IXP) and set a daily test period (requiring carriers to conduct tests between 6:00 p.m. and 12:00 a.m. local time) for such tests.”

Anybody have a reference for the “FCC-designated IXPs?” And what distinguishes them from the actual set of IXPs?

-Bill
Re: TCP and anycast (was Re: ECN)
> On Nov 14, 2019, at 7:39 AM, Anoop Ghanwani wrote:
> RFC 7094 (https://tools.ietf.org/html/rfc7094) describes the pitfalls & risks
> of using TCP with an anycast address. It recognizes that there are valid use
> cases for it, though.
> Specifically, section 3.1 says this:
> Most stateful transport protocols (e.g., TCP), without modification, do
> not understand the properties of anycast; hence, they will fail
> probabilistically, but possibly catastrophically, when using anycast
> addresses in the presence of "normal" routing dynamics.
> This can lead to a protocol working fine in, say, a test lab but not in
> the global Internet.
>
> On Thu, Nov 14, 2019 at 12:25 AM Matt Corallo wrote:
>> This sounds like a bug on Cloudflare’s end (cause trying to do anycast TCP
>> is... out of spec to say the least),

No. We have been doing anycast TCP for more than _thirty years_, most of that time on a global scale, without operational problems.

There were people who seemed gray-bearded at the time, who were scared of anycast because it used IP addresses _non uniquely_ and that wasn’t how they’d intended them to be used, and these kids these days, etc. What you’re seeing is residuum of their pronouncements on the matter, carrying over from the mid-1990s.

It’s very true that anycast can be misused and abused in a myriad of ways, leading to unexpected or unpleasant results, but no more so than other routing techniques. We and others have published on many or most of the potential issues and their solutions over the years. That RFC has never actually been a comprehensive source of information on the topic, and it contains a lot of scare-mongering.

-Bill
Re: Landing Stations used as datacenter
> On Nov 15, 2019, at 5:42 AM, Mehmet Akcin wrote:
> I can’t find a single cls that is a good peering spot

Correct. The optimum location for peering is at the center of population density and the center of economic transaction density, since that minimizes average cable lengths to users. I’ve never observed a cable landing site in the downtown core of a metro area.

-Bill
Re: 99% of HK internet traffic goes thru uni being fought over?
> On Nov 20, 2019, at 1:41 PM, b...@theworld.com wrote:
> Thanks everyone for the replies. My conclusion is that no one here
> knows whether HKIX handles 99% of internet traffic for HK or not.

That’s incorrect. I’m here, and I know that:

1) HKIX does not handle anywhere near 99% of Hong Kong’s Internet traffic.

2) Much of HKIX is in TKO anyway, rather than up at the CUHK campus.

3) CUHK isn’t the university where the protests are anyway, that’s Hong Kong Polytechnic.

4) CUHK is way up in the New Territories. HK Polytechnic is in Tsim Sha Tsui. TKO is way off in the east. These are all about as far apart as it’s possible to get in Hong Kong.

-Bill
Re: 99% of HK internet traffic goes thru uni being fought over?
Thank you for the authoritative answer. I think we can now consider the question closed.

-Bill

> On Nov 22, 2019, at 03:36, Che-Hoo CHENG wrote:
>
> Some clarifications:
>
> The 2 HKIX core sites (hosting the spine switches and the major leaf switches
> where most participants are connecting to) are located within CUHK campus.
> There are only 2 leaf switches of HKIX which are located at TKO area.
>
> CUHK Campus was heavily attacked by the Police before PolyU Campus was
> heavily attacked. There was fear that the attack would affect HKIX which,
> although not really handling 99% of HK Internet traffic, does carry up to
> 1.4Tbps of Internet traffic at peak.
>
> Che-Hoo
> no longer with HKIX
>
>> On Thu, Nov 21, 2019 at 9:14 AM Bill Woodcock wrote:
>>
>>> On Nov 20, 2019, at 1:41 PM, b...@theworld.com wrote:
>>> Thanks everyone for the replies. My conclusion is that no one here
>>> knows whether HKIX handles 99% of internet traffic for HK or not.
>>
>> That’s incorrect. I’m here, and I know that:
>>
>> 1) HKIX does not handle anywhere near 99% of Hong Kong’s Internet traffic.
>>
>> 2) Much of HKIX is in TKO anyway, rather than up at the CUHK campus.
>>
>> 3) CUHK isn’t the university where the protests are anyway, that’s Hong Kong
>> Polytechnic.
>>
>> 4) CUHK is way up in the New Territories. HK Polytechnic is in Tsim Sha
>> Tsui. TKO is way off in the east. These are all about as far apart as it’s
>> possible to get in Hong Kong.
>>
>> -Bill
Re: Disney+ Streaming
>> I think people are going to reject the idea that they need to subscribe
>> to a dozen streaming services at $10-$20/mo. each and will be driven
>> back the good old "single source" (piracy) they used to use before 1
>> (or perhaps 2) streaming services kept them happy enough to abandon
>> piracy.
>>
>> The content providers are going to piss in their bed again due to
>> greed. Again.
>
> This!
>
> At the beginning of this year, I dumped Prime Video because while I
> initially got it for "The Grand Tour", almost all the other content was
> not available in Africa.

I foresee a new business model: VPN / streaming bundle. Get all your streaming services bundled together, proxied and VPNd from their native regions.

-Bill
Re: ATT Mobile Outage San Juan, PR 8+ hours, 1 Million out.
> On May 4, 2016, at 4:37 PM, Javier J wrote:
>
> If there is a better mailing list please let me know.

outa...@outages.org

-Bill
Re: Netflix VPN detection - actual engineer needed
> On Jun 2, 2016, at 6:27 AM, Matthew Kaufman wrote:
>
> Every device in my house is blocked from Netflix this evening due to their
> new "VPN blocker". My house is on my own IP space, and the outside of the NAT
> that the family devices are on is 198.202.199.254, announced by AS 11994. A
> simple ping from Netflix HQ in Los Gatos to my house should show that I'm no
> farther away than Santa Cruz, CA as microwaves fly.
>
> Unfortunately, when one calls Netflix support to talk about this, the only
> response is to say "call your ISP and have them turn off the VPN software
> they've added to your account". And they absolutely refuse to escalate. Even
> if you tell them that you are essentially your own ISP.
>
> So... where's the Netflix network engineer on the list who all of us can send
> these issues to directly?
>
> Matthew Kaufman

Matthew, haven’t you told your ISP to stop using the dreaded 198 space? Everyone knows those are magic addresses that belong to NetGear! :-)

-Bill
Re: NANOG67 - Tipping point of community and sponsor bashing?
>>> On 6/15/16 05:37, Mike Hammett wrote:
>>> A non-profit donation-based IX that doesn't produce results
>>> could be screwing its "customers" over more than a MRC-based
>>> for-profit IX that does produce.
>>
>> On 15.06.2016 21:14, Seth Mattinen wrote:
>> An IX just needs to "produce" a layer 2 peering fabric. That's not a
>> tall order to get results from. Anything beyond that is extra fluff.
>> Some people want to pay more for the fluff, some don't.
>
> On Jun 15, 2016, at 6:36 PM, Arnold Nipper wrote:
> This is a *common* misunderstanding.
> The by far easiest part of running a successful IXP is the technical part.
> The more challenging is to build a community around it. And that's
> purely non technical and involves a lot of *social* networking and
> bringing people together.

There’s a difference between the cost and the product.

As regards the cost, Arnold is exactly right. Across the many hundreds of exchanges that we’ve worked with over the past 22 years, our observation has been that, at a rough average, most IXPs spend 45% of their first-year effort on location selection, 45% on governance definition and establishment, and 10% on technical decisions and implementation. But the total effort and the governance portion both increase drastically for those that choose to handle money; at a very, very rough average, about four-fold. In subsequent years, location selection generally drops away to near zero, except in cases like the JINX, and technical work dips for the first couple of years, and then spikes once every three years or so as switches are replaced and new configs are needed. Many exchanges have an annual in-person meeting where elections are conducted and policy changes ratified, so that typically becomes the largest ongoing expense, as Arnold implies.

As regards the product, no, Seth, the layer 2 peering fabric is merely a necessary precondition for producing bandwidth. The actual bandwidth production has other preconditions as well: peers physically connected to the peering switch fabric, BGP sessions established between the peers, routes advertised across those sessions, a reasonable matching of potential traffic sources and sinks available through those routes, and a set of customer behaviors that prefer those source/sink matchings. Only then does an IXP produce bandwidth.

So, the role of a salesperson or advocate or evangelist or tout can be a net beneficial one, if they do a good job of recruiting participants, making sure they follow through with peering, and encouraging the preference of locally-available content. WAIX was among the first IXPs to do this well, in my opinion.

-Bill
PCH peering survey 2016
agreements that are covered by non-disclosure agreements, or if your organizational policy precludes disclosing your peers, but you’d still like to participate in the survey, please let us know, and we’ll work with whatever information you’re able to give us and try to ensure that your practices are statistically represented in our results.

If you're able to help us, please email me the data in whatever form you can. If you need a non-disclosure, we're happy to sign one.

Finally, if there are any other questions you’d like to see answered in the future, please let us know so that we can consider addressing them in the 2021 survey. The question about IPv6 routing in this year’s survey is there because quite a few of the 2011 respondents asked us to include it this time.

Please respond by replying to this email, before the end of September.

Thank you for considering participating. We very much appreciate it, and we look forward to returning the results to the community.

-Bill Woodcock
Executive Director
Packet Clearing House
Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey
> On Sep 24, 2016, at 7:47 AM, John Levine wrote:
>
>>> Well...by anycast, I meant BGP anycast, spreading the "target"
>>> geographically to a dozen or more well connected/peered origins. At that
>>> point, your ~600G DDoS might only be around
>>
>> anycast and tcp? the heck you say! :)
>
> People who've tried it say it works fine.

It’s worked fine for 28 years, for me.

-Bill
Re: Two BGP peering sessions on single Comcast Fiber Connection?
It comes down to sizing your failure domain. Any single upstream Transit alone means the failure domain is the whole site (making assumptions about your topology). As mentioned earlier, any single point of failure doesn't reduce your failure footprint and gives little in terms of redundancy. Now if you point that second router to a second provider, now you've reduced the size of your failure domain to a single router/Transit, not the whole site.

-b

On Fri, Oct 14, 2016 at 10:34 AM, Paul S. wrote:
> +1, could not have said it better.
>
>
> On 10/15/2016 01:47 AM, Leo Bicknell wrote:
>
>> In a message written on Thu, Oct 13, 2016 at 05:48:18PM +, rar wrote:
>>
>>> The goal is to keep the single BGP router from being a single point of
>>> failure.
>>>
>> I don't really understand the failure analysis / uptime calculation.
>>
>> There is one router on the Comcast side, which is a single point of
>> failure.
>>
>> There is one circuit to your prem, which is a single point of failure.
>>
>> To connect two routers on your end you must terminate the circuit
>> in a switch, which is a single point of failure.
>>
>> And yet, in the face of all that somehow running two routers with
>> two BGP sessions on your end increases your uptime?
>>
>> The only way that would even remotely make sense is if the routers
>> in question were horribly broken / mismanaged so (had to be?) reboot(ed)
>> on a regular basis. However if uptime is so important using gear
>> with that property makes no sense!
>>
>> I'm pretty sure without actually doing the math that you'll be more
>> reliable with a single quality router (elimination of complexity),
>> and that if you really need maximum uptime that you had better get
>> a second circuit, on a diverse path, into a different router probably
>> from a different carrier.
>>
>>
>

--
Bill Blackford
Logged into reality and abusing my sudo privileges.
Re: Canadian Legacy Subnets & ARIN - Looking for feedback
> On Dec 9, 2016, at 8:32 AM, Alain Hebert wrote:
> We have 4-5 subnets which were erroneously assigned to our
> customers when ARIN took over all the NA smaller registries like UToronto.
> All the paperwork refers to US legalese, which we have some
> difficulties meshing with Canadian resources at our disposal.

I’ve referred this to the appropriate people at ARIN. You should receive a reply shortly.

-Bill
(with ARIN trustee hat on)