g the update
> onwards. I’m not sure what came of this.
RFC 9324
and
https://archive.psg.com/220214.nanog-rov-no-rr.pdf
randy
PacketViz reports
Possible TA malfunction: 29.17% of the ROAs disappeared from ARIN.
Type: ta-malfunction
Severity: medium
Monitored: ASarin
When: 2025-01-30 10:40 UTC
randy
> For those using RPKI, there is now optional functionality in ARIN
> Online that allows for automatic syncing of IRR route objects to ROAs
thank you for making it optional and giving the op the choice
randy
r installations?
>
> one way to think of it is that each pizza box (customer facing ports)
> recognizes control plane messages (e.g. port 179) and "punts" them to
> the control plane box, aka routing engine.
fwiw, that is pretty much what line cards on a big-box fabric do, punt
to the RE.
randy
ions?
one way to think of it is that each pizza box (customer facing ports)
recognizes control plane messages (e.g. port 179) and "punts" them to
the control plane box, aka routing engine.
randy
ticularly saku among others if i remember
aright, helped a lot.
randy
> IMHO, this is exactly the thing NANOG is here for, helping others run
> BGP.
where does one go for is-is help? the mtu issue can be painful!!!
randy
to networkers since dirt was invented.
randy
used Starlink in remote areas while overlanding with zero
cellular and was able to make/receive calls and even standard SMS. VZW
by the way.
---
~Randy (K6RP)
i have not seen mention that a single validating roa wins over any number
of 'coerced' invalidating roas. this has implications in the space of
'saving' action(s) by an other rir, iana, an alternate registry, etc.
randy
ebug issues[0].
but, as i have gotten older and lazier, and as you say, route servers
have gotten quite reliable, i have come over to the route server side.
randy
[0] - https://datatracker.ietf.org/doc/draft-ietf-idr-rs-bfd/
they should give me transit for free
randy
> There is a memorial fund for his ISOC Service Award, to which
> interested people can contribute:
don't. the award is formally declared done.
randy
and today in 2007, itojun died. ipv6 samurai, researcher, netbsd, iab,
... a gentle soul and friend to many
randy
on this day in 2001, abha ahuja, computer scientist, routing geek, and
friend to many died.
a bit of cheer: tomorrow is rob blokzijl's birthday. october is not
all sad.
randy
>> what's an as-set?
> An IRR object that contains ASNs and other as-sets. Generally used to
> represent a network’s customer cone.
ahhh. cool. i was worried you meant {1,2,3}, which is pretty much
dead.
randy
> In some cases, you can identify customers of DDoS mitigation services
> by looking at as-sets published by these providers
what's an as-set?
randy
dr postel died this day in 1998. october is a bad month for internet
hero[ine]s
randy
> https://www.amazon.com/Console-Compatible-Windows-Switch-Router/dp/B08BCQ8LLR/
have that. and the one that goes from rj45m to db9f. it was the usb to
db9f for which i hungered. ordered the pink one from china; how could i
resist? :)
randy
> https://www.metabee.com/usb-type-c-to-rs-232-serial-db09-female-adapter-cable-with-100cm-round-black-cable.html
!
> Try B0CL4T6NN9 at Amazon
looks as close as i'm gonna get. a bit clunky and thick wires. but i
guess i am not in japan where smaller is more appreciated. thanks.
randy
Probably not much bulkier to just add a DB9-RJ45 adapter shell like this:
https://www.monoprice.com/product?p_id=1153
Then, you can just use your existing USB-C to RJ45 cable and have both options.
thanks,
-Randy
- On Sep 23, 2024, at 9:41 PM, Randy Bush ra...@psg.com wrote:
> i k
lunky keyspan to usb-a;
old, clunky, usb-a.
i want the equivalent usb-c ftdi (mac compat) to db9f *server* serial
console cable. 1-2m. integrated, slick, and sexy. magenta preferred,
of course :)
know any nice ones?
randy
.pgpkeys.eu/sks-peers
yay! i chose randomly, and hkps://pgp.cyberbits.eu worked. thank you!
we have been very good at making pgp hard to use. we probably want to
not do that so much.
randy
.gnupg/gpg.conf`. probably my fault.
randy
> I think the hipster thing to do now, though, is --auto-locate-key with
> the Web Key Distribution or the DNSSEC Key Distribution mechanism.
i have done wkd for a fair while. but some folk like to pull keyrings,
so i try to keep them updated.
randy
---
ra...@psg.com
`gpg --locate-ex
are there any old keyservers still working? or only the new hipster
ones? i tried three and no love
hkps://pgp.mit.edu
hkps://pgp.uni-mainz.de
hkps://hkps.pool.sks-keyservers
randy
play
hak whacked me to add
http://dns.measurement-factory.com/tools/nagios-plugins/check_zone_rrsig_expiration.html
to my nagios deployment.
anyone have some known sick in various ways dns zones against which to
test?
randy
not to distract from everyone diagnosing someone else's problem, but ...
what foss dns monitoring tools do folk use to alert of
- imminent delegation expiry
- inconsistent service (lame, soa mismatches, ...)
- dnssec signing and timer issues
- etc.
randy
> https://datatracker.ietf.org/doc/html/rfc8805
https://datatracker.ietf.org/doc/html/rfc9092
will show you how to use 8805
randy
has charging for config changes a la
https://www.arelion.com/customer-excellence/customer-support/online-technical-change-pricing
become common while i was not looking? admittedly, i have not looked
for a long time.
randy
kinda summary: comcast and cogent/sprint very helpful. likely
cause a misconfig in cogent norcal when trying to route around
a power outage in seattle.
fwiw, HE and IIJ IPv6 transit (tyvm) in seattle allowed us to keep
working through the outage.
randy
a bunch of us comcast soho folk, and monitoring gear, are seeing
v4 breakage in orygon and maybe washington but only for seattle
destinations. v6 works. johnb, is comcast going v6-only? :)
ryuu.rg.net:/Users/randy> ping r0.iad
PING r0.iad.rg.net (198.180.150.120): 56 data bytes
64 bytes f
> There is always talk to the local politician route so it gets raised
> in the state legislature.
this is illinois/chicago. you slip them a $100 bill under your drivers'
license
> You could try publishing Geo loc data per RFC8805
> https://datatracker.ietf.org/doc/html/rfc8805
or, more specifically, 9092
randy
ttps://berthub.eu/articles/posts/cyber-security-pre-war-reality-check/
interesting
randy
> The minimum addressable on a LAN is a /64.
not really
randy
> (Low but distinct possibility of effects to radio and transmission
> systems)
no one will notice as we will all be outside looking at the aurora!
randy
> Wonderful news, this has now been fixed :)
> Thank you to Cogent for fixing this
indeed. otoh, i still can not resist https://www.kame.net/
randy
> Amazon's spider got stuck there a month or two ago but fortunately I was
> able to find someone to pass the word and it stopped. Got any contacts
> at OpenAI?
why? you are doing a societal good by ensnaring them. dig a deeper
hole.
randy
en.wikipedia.org/wiki/Ad_hominem
anne has been a constructive list participant for years
randy
we definitely need more men's opinions on what women should want and do
randy
in space?”
> “How do I comment on an existing IETF document?”
>
perhaps the internet would benefit more from the inverse, a help desk at
the ietf for "what is internet operation and how does it actually work?"
randy
RR
> objects
whoops! i still code around another RIR doing that. vendors have a
long history of thinking they know best what operators should do. some
RIRs seem to have such hubris.
ok, i can see opening up discussion to reduce foot shooting risks.
sorry for skepticism.
randy
john,
> Read the full text of the consultation at:
> https://www.arin.net/participate/community/acsp/consultations/2024/2024-1/
please explain the need for bureaucrazy to do what RPKI CAs have been
doing since dirt was invented.
randy
> For taking care of referrals and delegations, ietf has started
> preliminary work. More info here -
>
> https://mailarchive.ietf.org/arch/msg/dd/srNtevzS-jrPzMxYv1nATCY5JkM/
dns is not complex enough that folk have assured careers. need to make
it more complex.
randy
ed. i guess it has
been from the perspective of geologic time.
randy
> Some of us still use pine…
i thought most pine users had moved to mutt
randy, who uses wanderlust under emacs :)
ipv4 less palatable. In particular, any effect from a
> hard landing compared would have been ephemeral.
amen
randy
interesting side note:
when iij was deploying the v6 backbone in '97, commercial routers did
not support dual stack. so it was a parallel backbone built on netbsd
with the kame stack, which was developed in iij lab.
we remember itojun.
randy
s the clue level is going down as well
as the temp.
randy
> I go into my cave to finish the todo list for the week, and I come out
> to see Mr. Chen :
> - Telling Randy Bush he should "read some history" on IPv6
> - Implying that Vint Cerf ever said anything about EzIP
>
> Fairly impressive sequence of self ownage.
but i
tupidities (TLA, NLA, ...) pulled out of the spec. at iij, we
rolled ipv6 on the backbone in 1997.
randy
been a bit better thought out.
>
> What was not intended though was the transition period to last for 30
> years and counting… If things go reasonably well we’re gonna be dual
> stack for another 20, at least.
like many things about ipv6, it could have been a bit better thought
out.
randy
> We don't need to extend IPv4, we need to figure out why we are in this
> dual-stack mess, which was never intended, and how to get out of it.
it was intended. it was the original transition plan. like many things
about ipv6, it could have been a bit better thought out.
randy
> I might be reading this wrong, but I don't think the point Randy was
> trying to make was 'NS queries are an attack', 'UDP packets are an
> attack' or 'IP packets are an attack' . I base this on the list of
> queries Randy decided to include as re
ya, right, and at a whole bunch of other cctld servers
from a network called domaincrawler-hosting
shall we smoke another?
/home/randy> sudo tcpdump -pni vtnet0 -c 500 port 53 and net 193.235.141
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtn
i have blocked a zone enumerator, though i guess they will be a
whack-a-mole
others have reported them as well
/home/randy> sudo tcpdump -pni vtnet0 -c 10 port 53 and net 193.235.141
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN1
this day in 2007 dr jun-ichiro (itojun) hagino died. a gentle soul, an
engineer's engineer, the ipv6 samurai, iab member, and fiat 500 lover.
the v6 stack you're running could have descended from his netbsd one.
http://www.itojun.org/
randy
> wish this was included with every subscription to internet services
>
you did not get it with your AOL CD? ask for a refund.
as a bonus, https://neal.fun/internet-artifacts/
randy
another old dog doing a search wrote to tell me they really appreciated
that i still had some antique advice up. i had long forgotten this one.
but found it amusing and still more relevant than i might wish.
https://psg.com/emily.html
randy
> Believe it or not, Job, there are parts of the internet that exchange
> traffic and move packets that are not IXPs.
in fact, measurements had shown that the majority of inter-domain
traffic is over pnis
randy
another tragic october death was that of abha ahuja, researcher,
operator, and amazing person, this day in 2001. worth a search.
jake's http://www.neebu.net/~khuon/abha/ is a start.
randy
>> has arin not made it easier, lowering the legal insanity, for legacy
>> holders to obtain services?
> Yes but they need to jump now if they want to take advantage of it, as
> I understand it.
arin has deep expertise in hurdles
randy
> For legacy resource holders it is a problem but then it’s a
> bureaucratic issue rather technical and technology has a solution
> called SLURM.
has arin not made it easier, lowering the legal insanity, for legacy
holders to obtain services?
randy
think of the folk making careers complicating dns, rpki, bgp, ...
randy
25 years ago, jon postel died. we stand on the shoulders of jon and
others, a number of whom died in october. not a cheering month for
old timers.
randy
i received an arin board electioneering "vote for me" today. i guess
now i have to go vote against them.
randy
this pain-to-maintain list be distributed? how do i know
a copy is authentic not an attack?
i am all for a single root of trust. it's just that i thought it was
the iana's job. but i am easily confused.
randy
e from the loopback. and, for replies to get back to that
loopback, it needs to be in real global space.
randy
e have
ourselves to blame; but blame does not move packets.
randy, who was in the danvers cabal for the /19 agreement
one *years* without
being complete. There are also currently some
breaking-the-entire-regional-network sorts of outages going on currently. I am
guessing what clued employees they still have are quite tied up.
-Randy
- On Sep 18, 2023, at 7:06 PM, JASON BOTHE via NANOG nanog@nanog.org wrot
perhaps this is not a nanog operational topic
i am going to be foolish and comment, as i have not seen this raised
if i am running a lag, i can not resist adding a bit of resilience by
having it spread across line cards.
surprise! line cards from vendor do not have uniform hashing
or rotating algorithms.
randy
s by default, too:
>
> https://mailchimp.com/help/about-open-tracking/
as usual, the problem is not technical. there is no need for mailchump
at all.
nanog management has made a very intentional decision to sell my
privacy. nanog has come a long way, not all of it good.
randy
> *READ MORE
> <https://www.google.com/url?q=https://nanog.us20.list-manage.com/track/click?u%3D4d708401d0e69d9dc73d1c204%26id%3Dd77e95d2fb%26e%3De429f79d5a&source=gmail&ust=1694187666719000&usg=AOvVaw3Cfz_DNu6fUMvOglI_i3nd>Last
can we please get URLs without all the invasive tracking?
randy
> Mail in transit is mostly TLS transport these days,
yep. mostly. opsec folk are not fond of 'mostly.'
> BUT mail in storage and idle state isn't always secured. I'm sure
> that most any of us could find a public s3 bucket with an mbox file on
> it if we cared to look.
sigh
randy
and i just have to wonder about sending passwords over the net in
cleartext in 2023. really?
randy
route origin validation.
randy
is a massive route leak not even mentioned when it is only ipv6?
the guess i heard was it looked like a classic config reorigination
disaster.
randy
w is one way to visualize ix connectivity, the op's
> question.
i guess the list does not like graphs. decline of net predicted; news
at eleven. if you care, unicast.
randy
raph below is one way to visualize ix connectivity, the op's question.
randy
> We are seeing some weird routing from them, and the AS2 they are
> attached to (University of Delaware) seems odd.
classic mikrotik prepend syntax confusion?
randy
i did not think i was special, and assumed everybody is getting them.
but i figured that if i kept one or three people from falling for the
trap it was worth the pollution.
randy
we can round off the rough edges where
they got caught.
randy
---
note that i use the first person plural
> the memo:
> https://web.archive.org/web/20230523204911/http://www.geektools.com/
404
```
% host whois.geektools.com
Host whois.geektools.com not found: 3(NXDOMAIN)
```
i guess i missed the memo :(
randy
let's get to the protein. where is the most reasonable parking near the
venue?
randy, who will soon start driving up from portland
it at recent RIPE and LACNIC conferences. Supposedly all of
> the big geolocation providers support it or are planning on supporting
> it.
we're working on a small update. see
https://datatracker.ietf.org/doc/draft-ymbk-opsawg-9092-update/
randy
thanks aftab
i remember a bit more. the hidden command was there to help debug CEF,
which was new at the time. the CEFlapods wanted a large blob of
prefixes to push the FIB. it kinda pushed the operational FIBs a bit
too far :)
randy
into /24s. took uunet
down, but not before it propagated.
does anyone have a useful cite?
randy
> some ASes may perform RPKI-invalid filtering only at partial
> interfaces (e.g., provider interfaces, customer interfaces, and peer
> interfaces).
i have heard it said that "my customer pays me to propagate their
announcement, so i do not apply rov. let my peers filter it."
randy
> It's super annoying, and somewhat terrifying to be banging on a rack
> containing a bunch of spinning rust, but all too often it's necessary
we just moved a rack's content from the westin to komo plaza [0] and
only had one questionable drive. terrifying is the right word.
> "small mounting shelf"
we use mounting shelves for all sorts of recalcitrant devices
randy
> I would say the absence of reverse DNS tells useful info to receiving
> MTAs - to preferably not accept.
yep
this company(s) is in the business of spam. they're just trying to
game nanog. discussing further a waste of pixels.
randy
>> I don't think any ISP would reject an IP that is on the Spamhaus
>> list.
> you, clearly, have been living under several rocks for a very long
> time.
we reject automagically on spamhaus, mail-abuse.org, and sorbs. really
appreciate their services.
randy
> RFC4364 ... I believe - Arccus has implemented it (Keyur to confirm)
i am not keyur and do not play one on the net, but ...
ucceeded.
and the ops community has paid an insane penalty ever since.
randy
>
> darn shame there is no general automatable mechanism for this
too many folk have written to ask. here is the clue by four
https://www.rfc-archive.org/getrfc?rfc=9092
and note that massimo has a collio toolset
https://github.com/massimocandela/geofeed-finder
randy