Re: Announcing Peering-LAN prefixes to customers

2019-01-16 Thread Job Snijders
On Wed, Jan 16, 2019 at 19:40 Christoffer Hansen wrote: > On 16/01/2019 15:55, John Kristoff wrote: > > In Randy's presentation there is the suggestion to develop an IX filter > > list. Nearly 20 years later that actually happened. > > > > > > > > This was

Re: BGP Experiment

2019-01-23 Thread Job Snijders
Dear Ben, all, I'm not sure this experiment should be canceled. On the public Internet we MUST assume BGP speakers are compliant with the BGP-4 protocol. Broken BGP-4 speakers are what they are: broken. They must be fixed, or the operator must accept the consequences. "Get a sandbox like every ot

Re: Verizon(AS701) announcing Comcast(AS7922) subnet 68.80.240.0/24

2019-01-28 Thread Job Snijders
Dear Courtney, (This suggestion does not address the immediate issue at hand) On Mon, Jan 28, 2019 at 06:47:29PM +, Smith, Courtney wrote: > Verizon (AS701) is currently originating 68.80.240.0/24. This is part > of 68.80.0.0/13 allocated to Comcast (AS7922). We have reached out to > Verizo

Re: [Community bleaching on edge] RTBH no_export

2019-02-06 Thread Job Snijders
Hi Adam, On Wed, Feb 06, 2019 at 01:53:48PM -, adamv0...@netconsultings.com wrote: > This "RTBH no_export" thread made me wonder what is the latest view on > BGP community bleaching at the edge (in/out). At NTT/AS 2914 we took a look at BGP community bleaching recently. We intend to deploy so

Re: Comcast - NTT seeing congestion in Chicago at 350 Cermak

2019-02-09 Thread Job Snijders
Hi, I'll follow up off list. Kind regards, Job On Sat, Feb 09, 2019 at 03:05:22AM +, Erik Sundberg wrote: > Comcast\NTT, > > I am seeing a bit of congestion between the NTT and Comcast connection in > Chicago. Can you guys take a look at this? > > > Normally this is a sub 10ms path, it

Re: AT&T/as7018 now drops invalid prefixes from peers

2019-02-11 Thread Job Snijders
Dear Jay, AT&T, On Mon, Feb 11, 2019 at 09:53:45AM -0500, Jay Borkenhagen wrote: > The AT&T/as7018 network is now dropping all RPKI-invalid route > announcements that we receive from our peers. Thanks for filtering us! :-) AT&T doing origin validation combined with the peerlock-style AS_PATH fil

Re: AT&T/as7018 now drops invalid prefixes from peers

2019-02-12 Thread Job Snijders
On Tue, Feb 12, 2019 at 3:06 PM Nick Hilliard wrote: > > Matthew Walster wrote on 12/02/2019 14:50: > > For initial deployment, this can seem attractive, but remember that one > > of the benefits an ROA gives is specifying the maximum prefix length. > > This means that someone can't hijack a /23 w

Analysing traffic in context of rejecting RPKI invalids using pmacct

2019-02-12 Thread Job Snijders
Dear all, Whether to deploy RPKI Origin Validation with an "invalid == reject" policy really is a business decision. One has to weigh the pros and cons: what are the direct and indirect costs of accepting misconfigurations or hijacks for my company? what is the cost of deploying RPKI? What is the

Re: AT&T/as7018 now drops invalid prefixes from peers

2019-02-12 Thread Job Snijders
On Tue, Feb 12, 2019 at 6:40 PM Owen DeLong wrote: > > To be clear, I don’t believe they are dropping all routes which don’t > validate (have no ROAs), only routes where the prefix matches an existing ROA > and the origin AS in the AS PATH does not match. Small addition: routes are not only rej

Re: AT&T/as7018 now drops invalid prefixes from peers

2019-02-12 Thread Job Snijders
On Tue, Feb 12, 2019 at 7:30 PM Matthew Walster wrote: > On Tue, 12 Feb 2019 at 16:05, Nick Hilliard wrote: >> Matthew Walster wrote on 12/02/2019 14:50: >> > For initial deployment, this can seem attractive, but remember that one >> > of the benefits an ROA gives is specifying the maximum prefix

Re: OT/venting: RIPE legal - please stop this madness!

2019-02-15 Thread Job Snijders
Dear Markus, I think you are better off taking a deep breath, perhaps removing some strongly worded sentences, and bring up the topic on one of the RIPE mailing lists: https://www.ripe.net/participate/mail/ripe-mailing-lists/ripe-list Kind regards, Job On Fri, Feb 15, 2019 at 9:47 Mel Beckman

Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Job Snijders
Keith, On Tue, Feb 26, 2019 at 6:00 AM Keith Medcalf wrote: > >https://twofactorauth.org/#domains gives a good view of the domain > >management landscape regarding 2FA. > > Seems to require the unfettered execution of third-party code ... > > Are you offering an indemnity in case that code is mal

Re: Best practices for BGP Communities

2019-03-05 Thread Job Snijders
On Sun, Mar 03, 2019 at 08:42:02PM -0500, Joshua Miller wrote: > A while back I read somewhere that transit providers shouldn't delete > communities unless the communities have a specific impact to their > network, but my google-fu is failing me and I can't find any sources. > > Is this still the

Re: Best practices for BGP Communities

2019-03-05 Thread Job Snijders
On Wed, Mar 6, 2019 at 8:32 Smith, Courtney wrote: > On 3/5/19, 6:04 PM, "NANOG on behalf of Job Snijders" > j...@instituut.net> wrote: > > On Sun, Mar 03, 2019 at 08:42:02PM -0500, Joshua Miller wrote: > > A while back I read somewhere that tra

Re: FB? / AS 200020 leak

2019-03-14 Thread Job Snijders
Hi, On Thu, Mar 14, 2019 at 02:04:39PM +, Jeroen Wunnink wrote: > The route-leak was something different that seems to have mainly hit > west-Europe between 16:52 UTC to 17:08 UTC. There’s a few people in > the *NOG communities still digging at the complete details of that > right now, but it

Re: IRR database for local usage

2017-03-01 Thread Job Snijders
On Wed, Mar 01, 2017 at 10:49:07AM +, Nagarjun Govindraj via NANOG wrote: > Is it possible to maintain an IRR database locally for querying route > objects from various RIR's and do a regular sync like what RPKI validator > does for ROA's. IRRExplorer's database is available as json blob, if yo

Re: google ipv6 routes via cogent

2017-03-03 Thread Job Snijders
On Fri, Mar 03, 2017 at 09:42:04AM -0500, Patrick W. Gilmore wrote: > On Mar 3, 2017, at 7:00 AM, Nick Hilliard wrote: > > Niels Bakker wrote: > >> As I explained in the rest of my email that you conveniently didn't > >> quote, it's so that you can selectively import routes from all your > >> prov

Re: IPv6 doc. prefix (2001:db8::/32) - APNIC object ?

2017-03-06 Thread Job Snijders
Hi, On Mon, Mar 6, 2017 at 4:55 PM, Brandon Applegate wrote: > Just did a whois on the documentation prefix and was surprised to see what > looks like a user object registered for it: > > % Information related to '2001:0DB8::/32AS132111' > > route6: 2001:0DB8::/32 > descr: FUTUR

Re: IPv6 doc. prefix (2001:db8::/32) - APNIC object ?

2017-03-06 Thread Job Snijders
Hi. On Mon, Mar 6, 2017 at 5:03 PM, Alarig Le Lay wrote: > On lun. 6 mars 10:55:18 2017, Brandon Applegate wrote: >> Just did a whois on the documentation prefix and was surprised to see what >> looks like a user object registered for it: >> >> % Information related to '2001:0DB8::/32AS132111'

Re: ARIN contact needed: something bad happens with legacy IPv4 block's reverse delegations

2017-03-17 Thread Job Snijders
171 also seems affected. Job On Fri, 17 Mar 2017 at 10:54, Stephane Bortzmeyer wrote: > On Fri, Mar 17, 2017 at 12:03:58PM +0300, > Eygene Ryabinkin wrote > a message of 71 lines which said: > > > Seems like the other /16 from 144.in-addr.arpa are affected too > > (at least). > > Also in 164

Re: AS9498 Bharti BGP hijacks

2017-04-01 Thread Job Snijders
Hi all, Perhaps another explanation is that these are router2router linknets between the involved parties, and all we are seeing is the effect of "redistribute connected". If this is the case, the word "hijack" might be somewhat strongly worded. Kind regards, Job On Sat, 1 Apr 2017 at 23:25, Tyle

Re: Facebook more specific via Level3 ?

2017-04-16 Thread Job Snijders
On Sun, Apr 16, 2017 at 04:20:20PM +0300, Max Tulyev wrote: > got the same from Kiev, Ukraine: > > dig fbcdn.com > fbcdn.com.300 IN A 31.13.74.1 > which is slow and routed through USA > > and > dig fbcdn.com @8.8.8.8 > fbcdn.com.299 IN A 31.13

Re: Amazon EU-West 1 trouble

2017-04-23 Thread Job Snijders
On Sun, Apr 23, 2017 at 12:52:08PM +0200, Baldur Norddahl wrote: > We are currently experiencing massive packet loss from Amazon EU-West 1. > This page http://ec2-reachability.amazonaws.com/ will show most of eu-west-1 > as down but actually it is packet loss of 90+ %. > > I have found that if I s

Re: ipv6 accepted & announcement size upto /48 or longer than /48 ?

2017-04-27 Thread Job Snijders
On Thu, Apr 27, 2017 at 09:30:48AM -0700, Seth Mattinen wrote: > On 4/27/17 06:47, root wrote: > > > > Am i right ? > > > > Policy for ipv4 accept and send upto /24 > > Policy for ipv6 accept and send upto /48 > > > > - > > > > I conf

Re: Financial services BGP hijack last week?

2017-05-02 Thread Job Snijders
On Tue, May 02, 2017 at 08:29:32AM +0100, Nikos Leontsinis wrote: > it only proves the need for wider RPKI adoption How can we actually encourage RPKI adoption? Kind regards, Job

Re: Need recommendation on an affordable internet edge router

2017-05-04 Thread Job Snijders
What have you compared so far yourself? Job On Thu, 4 May 2017 at 22:40, c b wrote: > We have a number of internet edge routers across several data centers > approaching EOL/EOS, and are budgeting for replacements. Like most > enterprises, we have been Cisco-centric in our routing/switching pla

Re: Templating/automating configuration

2017-06-06 Thread Job Snijders
Hi, Here are some extra pointers: https://youtube.com/watch?v=C7pkab8n7ys https://www.nanog.org/sites/default/files/dosdontsnetworkautomation.pdf https://github.com/coloclue/kees Kind regards, Job On Tue, 6 Jun 2017 at 13:49, Brian Knight wrote: > Because we had different sources of truth

Re: Templating/automating configuration

2017-06-14 Thread 'Job Snijders'
Hi Graham, The talk was given in context of motivating people to start with network automation and help them go from 'no automation' to a step further 'some automation'. On Wed, Jun 14, 2017 at 07:50:05PM +, Graham Johnston wrote: > Would you be able to provide any further insight into your

Re: Templating/automating configuration

2017-06-14 Thread Job Snijders
On Wed, Jun 14, 2017 at 09:35:59PM +0100, Nick Hilliard wrote: > Graham Johnston wrote: > > Would you be able to provide any further insight into your Don’t #5 – > > “Don’t agree to change management. Managers are rarely engineers and > > should not be making technical decisions. (nor should sales)

Re: Point 2 point IPs between ASes

2017-06-27 Thread Job Snijders
On Tue, 27 Jun 2017 at 22:29, Krunal Shah wrote: > Hello, > > What subnet mask you are people using for point to point IPs between two > ASes? Specially with IPv6, We have a transit provider who wants us to use > /64 which does not make sense for this purpose. isn’t it recommended to use > /127 a

Re: Point 2 point IPs between ASes

2017-06-29 Thread Job Snijders
On Wed, Jun 28, 2017 at 11:09:25PM +0200, Thomas Bellman wrote: > On 2017-06-28 17:03, William Herrin wrote: > > The common recommendations for IPv6 point to point interface numbering are: > > > > /64 > > /124 > > /126 > > /127 > > I thought the only allowed subnet prefix lengths for IPv6 were /6

RFC 8195 "Use of Large Communities"

2017-07-01 Thread Job Snijders
Dear all, RFC 8195 "Use of BGP Large Communities" was just now published: https://tools.ietf.org/html/rfc8195 RFC 8195 presents examples and inspiration for the operational application of Large Communities. The document suggests logical categories of Large Communities and demonstrates an

EdgeRouter Infinity as medium-sized "IXP Peering Router"?

2017-07-03 Thread Job Snijders
Dear NANOG, Some friends of mine are operating a nonprofit (on shoe string) and looking to connect some CDN caches to an IX fabric. A BGP speaking device is needed between the caches and the BGP peers connected to the fabric. The BGP speaker is needed to present the peers on the IX with a unified

Heads-up: RFC 8212 on default EBGP route handling behavior

2017-07-06 Thread Job Snijders
Dear NANOG, After a bit of tug-of-war common sense prevailed and RFC 8212 "External BGP (EBGP) Route Propagation Behavior without Policies" was published: https://tools.ietf.org/html/rfc8212 This industry has a long history of improving default behavior: DEC MOP is no longer enabled by default, t

Re: Contact at Orange?

2017-08-01 Thread Job Snijders
Hi Anne, You aren't very specific about what you are looking for. Orange has many business units and subsidiaries. Are you looking for sales contacts or investor relations? Kind regards, Job ps. Do you think it's possible to make your footer somewhat longer? It doesn't quite yet fill a 28" scre

Re: Multicom Hijacks: Do you peer with these turkeys (AS35916)?

2017-08-03 Thread Job Snijders
Dear Ronald, Thanks for your report, we'll investigate. Kind regards, Job

Re: Verizon 701 Route leak?

2017-08-28 Thread Job Snijders
On Mon, Aug 28, 2017 at 03:48:44PM +, someone wrote: > Damn you Google.. yup. I am not sure it is fair to say "damn you Google", because accidents happen (be it through human error or software defects). All of us have entered commands at some point and subsequently https://media.giphy.com/medi

Re: Cogent BCP-38

2017-08-29 Thread Job Snijders
On Tue, Aug 29, 2017 at 08:41:12AM -0400, Robert Blayzor wrote: > > On 29 August 2017 at 03:38, Robert Blayzor wrote: > > > >> Well not completely useless. BCP will still drop BOGONs at the edge > >> before they leak into your network. > > > > Assuming you don't use them in your own infra. And c

Re: Max Prefix Out, was Re: Verizon 701 Route leak?

2017-08-31 Thread Job Snijders
Dear Jörg, On Thu, Aug 31, 2017 at 12:50:58PM +0200, Jörg Kost wrote: > but isn't peer A prefix-out a synonym for peer B prefix-in, that will > lead to the same result, e.g. a BGP teardown? > > I just feel that this will add another factor, that people will not > use or abuse: neigh $x max-out in

Re: Validating possible BGP MITM attack

2017-08-31 Thread Job Snijders
Hi Andy, It smells like someone in 38478 or 131477 is using Noction or some other BGP "optimizer" that injects hijacks for the purpose of traffic engineering. :-( Kind regards, Job On Thu, 31 Aug 2017 at 19:38, Andy Litzinger wrote: > Hello, > we use BGPMon.net to monitor our BGP announcemen

BGP Optimizers (Was: Validating possible BGP MITM attack)

2017-08-31 Thread Job Snijders
Dear all, disclaimer: [ The following is targeted at the context where a BGP optimizer generates BGP announcements that are ordinarily not seen in the Default-Free Zone. The OP indicated they announce a /23, and were unpleasantly surprised to see two unauthorized announcements for

Re: Max Prefix Out, was Re: Verizon 701 Route leak?

2017-09-02 Thread Job Snijders
On Sat, 2 Sep 2017 at 05:41, Randy Bush wrote: > >>> i have 142 largish bgp customers, a large enough number that the number > >>> of prefixes i receive from them varies annoyingly. how do i reasonably > >>> automate setting of my outbound prefix limit? > >> > >> First, it seems you know the inb

Re: Max Prefix Out, was Re: Verizon 701 Route leak?

2017-09-02 Thread Job Snijders
On Sat, Sep 02, 2017 at 04:27:03PM +0900, Randy Bush wrote: > > I am not sure what the issue here is. If I can tell my peering > > partner a recommended maximum prefix value for them to set on their > > side, surely I can configure that same value on my side as the upper > > outbound limit. > > wh

Re: Max Prefix Out, was Re: Verizon 701 Route leak?

2017-09-02 Thread Job Snijders
On Sat, Sep 02, 2017 at 12:08:41PM -0400, Christopher Morrow wrote: > > I think you'll find that some of your peers will make an educated > > guess and set an inbound limit anyway. Actively requesting that no > > limit is applied may make one part of a fringe minority. > > This is a quick survey o

Re: IPv6 Loopback/Point-to-Point address allocation

2017-09-10 Thread Job Snijders
Hi, On Sun, Sep 10, 2017 at 11:53:20AM +0200, Enno Rey wrote: > On Sun, Sep 10, 2017 at 10:47:05AM +0100, Nick Hilliard wrote: > > Baldur Norddahl wrote: > > > Loopback interfaces should be configured as /128. How you allocate these > > > do > > > not matter. > > > > ..so long as there are inter

Re: Getting an RADB entry removed that was added by a previous peer

2017-09-13 Thread Job Snijders
On Wed, 13 Sep 2017 at 13:08, Matthew Huff wrote: > It appears that Reliance Globalcom (AS6157) added an RADB entry for our > prefix (129.77.0.0/16) when we were a peer of theirs years ago, and it > was never removed when we ended the relationship. We are ASN 14607. > > I've reached out to their

Re: Find carriers that peer in two IX's

2017-09-15 Thread Job Snijders
On Fri, Sep 15, 2017 at 11:25:10AM -0400, Dovid Bender wrote: > Does anyone know of a tool like PeeringDB where I can select two exchanges > say TELX 60 Hudson and then SIX (Seattle IX) and find all carriers that > have a presence in both locations? a bit hacky ;-) Vurt:~ job$ comm -1 -2 <(curl -

Re: IOS new versions and network load

2017-09-18 Thread Job Snijders
On Mon, Sep 18, 2017 at 12:48:45AM -0400, Christopher Morrow wrote: > On Sun, Sep 17, 2017 at 11:05 PM, JASON BOTHE wrote: > > My best experience with Apple has been directly peering with them. > > Definitely handles the update issue without putting strain on transit > > links. Apple is very well

Sideloading RFC 8212 on Junos

2017-09-19 Thread Job Snijders
Dear all, Adam Chappell created an interesting shim to improve the default behaviour related to EBGP Internet routing on Juniper Junos. https://twitter.com/packetsource/status/910219911150080007 SLAX script here: https://github.com/packetsource/rfc8212-junos Props to both Adam for creating the s

Re: Settle Free Peering - Default Route Abuse Monitoring

2017-09-24 Thread Job Snijders
Dear Raymond, On Sun, 24 Sep 2017 at 21:33, Raymond Beaudoin < raymond.beaud...@icarustech.com> wrote: > How is this monitored and tracked? Are ACLs applied to help enforce this > (seems to be limited at scale)? Flow export and alarming? Analytics and > anomalous behavior detection? Common profes

Re: Regex expression

2017-09-25 Thread Job Snijders
Hi Craig, You are probably best off by reaching out to the Juniper NSP mailing list at https://puck.nether.net/mailman/listinfo/juniper-nsp Kind regards, Job On Mon, Sep 25, 2017 at 3:31 PM, craig washington < craigwashingto...@hotmail.com> wrote: > Hello all, not sure if this is the right pla

Re: Peering at public exchange authentication

2017-09-29 Thread Job Snijders
Hi Craig, It may be simplest to use GTSM https://tools.ietf.org/html/rfc5082 Kind regards, Job On Fri, Sep 29, 2017 at 10:41 AM, craig washington wrote: > Hello all, > > > Wondering your views or common practices for using authentication via BGP at > public exchange locations. > > Just for ex

zayo / AS 6461 maximum prefix limit

2017-09-29 Thread Job Snijders
Hi all, It appears one of our fellow network operators ran into some issues earlier today, probably due to the turn-up of some new circuits for customers. In order to expedite the restoration I'm sharing the below information. I recommend any peering partners that saw BGP sessions go down with

Re: Long BGP AS paths

2017-09-30 Thread Job Snijders
On Sat, 30 Sep 2017 at 15:33, William Herrin wrote: > To the chucklehead who started announcing a 2200+ byte AS path yesterday > around 18:27 EDT, I beg of you: STOP. You've triggered a bug in Quagga > that's present in all versions released in the last decade. Your > announcement causes routers

Re: AS PATH limits

2017-10-13 Thread Job Snijders
Has anyone tried calling them? Kind regards, Job On Fri, 13 Oct 2017 at 23:03, Ken Chase wrote: > It is happening AGAIN. > > And of course it started on a friday aft 15 min before quittin' time in > EDT: > > Last time it was 186.177.184.0/23 0 174 262206 262206 262197 262197 > > *> 186.176.

Re: Gonna be a long day for anybody with CPE that does WPA2..

2017-10-16 Thread Job Snijders
Dear all, Website with logo: https://www.krackattacks.com/ Paper with background info: https://papers.mathyvanhoef.com/ccs2017.pdf Kind regards, Job

Re: AS-Path - ORF Draft

2017-10-22 Thread Job Snijders
Hi Mike, On Sun, 22 Oct 2017 at 20:45, Mike Hammett wrote: > https://tools.ietf.org/html/draft-ietf-idr-aspath-orf-13 > > Not knowing anything about the draft\RFC process (and not really wanting > to go beyond a 30k foot view), is this something with movement? Traction? > > This would have solve

Re: AS-Path - ORF Draft

2017-10-22 Thread Job Snijders
On Sun, Oct 22, 2017 at 05:37:52PM -0500, Mike Hammett wrote: > Network A was sending more routes into the route server than Network B > could handle. Network B would like Network A's routes filtered before > they even got to their router. > > Googling a bit I saw pages talking about saving CPU o

Re: AS-Path - ORF Draft

2017-10-22 Thread Job Snijders
Dear Baldur, On Mon, Oct 23, 2017 at 12:53:48AM +0200, Baldur Norddahl wrote: > I do not get why every BGP implementation kills the session at the > prefix limit. It appears that is making a bad situation worse. Routing > flaps creating lots of visible disturbance for end users. When the BGP > ses

Re: AS-Path - ORF Draft

2017-10-23 Thread Job Snijders
On Mon, Oct 23, 2017 at 08:35:42AM +0200, Job Snijders wrote: > > or it could compare each additional prefix received to already learned > > prefixes and decide to drop one to make room for the new one. For > > example you could drop the most specific routes before less s

Re: AS-Path - ORF Draft

2017-10-23 Thread Job Snijders
On Mon, Oct 23, 2017 at 07:53:03AM -0500, Mike Hammett wrote: > Should I assume that invigorating traction for a 17 year old draft is > rather difficult? John Heasley told me that a fundamental difficulty here is that not every implementation uses the same style/type of regular expressions. Unify

Re: AS-Path - ORF Draft

2017-10-23 Thread Job Snijders
On Mon, 23 Oct 2017 at 16:57, Mike Hammett wrote: > I was looking at using arouteserver to automate my prefix filter > generation. Excellent choice. I would happily recommend arouteserver to any internet exchange operator looking to modernize their route servers. I'll do a feature request ov

Re: AS-Path - ORF Draft

2017-10-23 Thread Job Snijders
On Mon, Oct 23, 2017 at 10:13:15AM -0500, Mike Hammett wrote: > > Great news! You can already do that in arouteserver: > > http://arouteserver.readthedocs.io/en/latest/CONFIG.html > > If you're using Bird. ;-) We're using OpenBGPd. I enjoy using both BIRD and OpenBGPD. Please look more closely.

Re: What's the point of prepend communities?

2017-10-26 Thread Job Snijders
Hi, In context of traffic engineering it may be that Network A (customer of Network B) observes that performance is suboptimal between Network B and Network C. If Network B offers some kind of “Prepend to Network C” BGP community, network A will be able to utilize all of network B except the piec

Re: Juniper MX80 strange dst MAC address behavior

2017-11-07 Thread Job Snijders
This smells like broken memory. I recommend to open a TAC/JTAC case. Kind regards, Job

Re: Issues with 4-octet BGP AS and Akamai?

2017-11-14 Thread Job Snijders
Hi, What prefix and ASN is this about? Are you sure you are advertising from an AS4 capable router? Do you see the expected 4-byte ASN as origin in an aggregator looking glass like http://lg.ring.nlnog.net/prefix_detail/lg01/ipv4?q=www.nlnog.net ? Kind regards, Job

Re: Issues with 4-octet BGP AS and Akamai?

2017-11-15 Thread Job Snijders
Hi James, On Wed, Nov 15, 2017 at 1:40 AM, james machado wrote: > I don't see a routing database object for your routes pointing to your > AS394666 /24's, I only see one for AS12 for the /23 and /24's. It is > possible (and probable) you are being filtered due to that. This is a really good ob

aggregate6 - a fast versatile prefix list compressor

2017-11-30 Thread Job Snijders
Dear NANOG, I re-implemented the venerable 'aggregate' tool (by Joe Abley & co) in python under the name of 'aggregate6'. The 'aggregate6' tool is faster and also has IPv6 support. https://github.com/job/aggregate6 Installation can be done through 'pip', or your operating system's package

Re: aggregate6 - a fast versatile prefix list compressor

2017-11-30 Thread Job Snijders
Someone suggested I should clarify what 'aggregate6' actually does :-) aggregate6 takes a list of IPv4 and/or IPv6 prefixes in conventional format, and performs two optimisations to attempt to reduce the length of the prefix list. The first optimisation is to remove any supplied prefixes which ar

Re: Arista Layer3

2017-11-30 Thread Job Snijders
On Thu, Nov 30, 2017 at 10:38:53PM +, Nick Hilliard wrote: > Jared Mauch wrote: > > Lots of folks also use MikroTik as well if the traffic is in the 1G > > range or so. > > mikrotik support for ipv6 is still dodgy: recursive next-hop is not > supported in bgp/ipv6: > > https://forum.mikrotik.

Re: aggregate6 - a fast versatile prefix list compressor

2017-12-01 Thread Job Snijders
On Fri, Dec 01, 2017 at 09:09:38PM +1100, Julien Goodwin wrote: > Will it catch cases like: > 10.0.0.0/24 10.0.1.0/24 10.0.2.0/23 -> 10.0.0.0/22 Yes it does! hanna:~ job$ echo 10.0.0.0/24 10.0.1.0/24 10.0.2.0/23 | aggregate6 10.0.0.0/22 hanna:~ job$ Kind regards, Job

Re: aggregate6 - a fast versatile prefix list compressor

2017-12-01 Thread Job Snijders
On Fri, Dec 01, 2017 at 12:35:13PM -0500, Aliaksei Sheshka wrote: > On Thu, Nov 30, 2017 at 3:07 PM, Job Snijders wrote: > > I re-implemented the venerable 'aggregate' tool (by Joe Abley & co) > > in python under the name of 'aggregate6'. The 'aggr

Re: Qrator Radar - Peerings

2017-12-06 Thread Job Snijders
On Wed, 6 Dec 2017 at 15:42, Mike Hammett wrote: > I haven't brought it up with them, no. I didn't think it was a mass issue > until last night. I wanted to check with other users before I went to them. > Maybe I should have done the opposite. Yes, you should’ve. The Qrator folks are good peop

Re: Static Routing 172.16.0.0/32

2017-12-08 Thread Job Snijders
Nothing wrong with using xxx.0 or xxx::0 in the context of a host route (/32 or /128).

Re: Static Routing 172.16.0.0/32

2017-12-08 Thread Job Snijders
On Fri, 8 Dec 2017 at 23:09, Christopher Morrow wrote: > On Fri, Dec 8, 2017 at 3:02 PM, Job Snijders wrote: > Nothing wrong with using xxx.0 or xxx::0 in the context of a host route >> (/32 or /128). >> > > note that in times past (perhaps even now marked historical

Re: Static Routing 172.16.0.0/32

2017-12-08 Thread Job Snijders
On Fri, Dec 8, 2017 at 10:44 PM, Ken Chase wrote: > why not use 192.0.2.0/24 addrs? > > lots of other ranges you could probably use safely. > >https://en.wikipedia.org/wiki/Reserved_IP_addresses > > Using .0 you're asking to exercise bugs and undefined implementation choices > of various tcp s

What to do about BGP Hijacks

2017-12-13 Thread Job Snijders
Some carriers view measures to improve routing security as a hindrance rather than as a safeguard to enable business. The BGP protocol itself has no inherent safety mechanisms, so the network operator has to ensure adequate layers of protection are implemented on the boundary between their own net

a new source for authoritative routing data: ARIN WHOIS

2017-12-19 Thread Job Snijders
Dear NANOG, I'd like to share an update on some routing security activities that ARIN, NTT Communications, YYCIX (Calgary Internet Exchange), the NLNOG Foundation, and the arouteserver project have been collaborating on. Quite some puzzle pieces were brought together! :) Traditionally, there are

Re: AS Numbers unused/sitting for long periods of time

2018-01-02 Thread Job Snijders
Dear James, On Tue, Jan 02, 2018 at 10:46:35PM +, James Breeden wrote: > Before I take this to the ARIN PPML, wanted to get NANOG's thoughts. > > I'm amazed at the number of AS numbers that are assigned, but not > actively being used. I'm not talking just like they are offline for a > week or

Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Job Snijders
On Thu, 4 Jan 2018 at 20:13, Filip Hruska wrote: > I have stumbled upon this site [1] which seems to offer /27 IPv4 leasing. > They also claim "All of our IPv4 address space can be used on any network > in any location." > > I thought that the smallest prefix size one could get routed globally is

Re: IRR AS-SET best practices - AS-SET Clash

2018-01-24 Thread Job Snijders
On Wed, Jan 24, 2018 at 02:23:48PM +, Nick Hilliard wrote: > Alain Hebert wrote: > > Any feedback on best practices and "other avenue" about IRR naming? > > Known problem - you're asking for trouble unless you filter IRRDB > queries by source: > > There isn't a global namespace for as-set nam

Re: IRR AS-SET best practices - AS-SET Clash

2018-01-27 Thread Job Snijders
On Sat, Jan 27, 2018 at 04:30:56PM -0500, Jared Mauch wrote: > On Wed, Jan 24, 2018 at 02:48:58PM +0000, Job Snijders wrote: > > --- thread hijack --- > > > > Coincidentally, I'm working to define something like "AS-SETs in > > RPKI". There ar

Re: IRR AS-SET best practices - AS-SET Clash

2018-01-27 Thread Job Snijders
On Sun, Jan 28, 2018 at 04:02:44AM +0100, Baldur Norddahl wrote: > The hierarchical as-set strategy has the problem that many fail to > parse it correctly. We use it at NL-IX with the result that their > portal believes we have no peers. That sounds like a simple bug in that specific portal. If yo

Re: Anyone from NTT on the list

2018-02-15 Thread Job Snijders
You can always try whispering my name three times facing West, but n...@ntt.net is a smoother running operation. Kind regards, Job

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-28 Thread Job Snijders
Dear all, Before the group takes on the pitchforks and torches and travels down to the hosting providers' headquarters - let's take a step back and look at the root of this issue: the memcached software has failed both the Internet community and its own memcached users. It is INSANE that memcache

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-02-28 Thread Job Snijders
On Tue, Feb 27, 2018 at 09:52:54PM +, Chip Marshall wrote: > On 2018-02-27, Ca By sent: > > Please do take a look at the cloudflare blog specifically as they > > name and shame OVH and Digital Ocean for being the primary sources > > of mega crap traffic > > > > https://blog.cloudflare.com/mem

Re: Peering with abusers...good or bad?

2018-03-02 Thread Job Snijders
On Sat, 3 Mar 2018 at 01:08, Bryan Holloway wrote: > > On 3/2/18 5:29 PM, Ca By wrote: > > On Fri, Mar 2, 2018 at 2:13 PM Matthew Petach > wrote: > > > >> On Tue, Feb 27, 2018 at 4:13 PM, Dan Hollis > >> wrote: > >>> OVH does not surprise me in the least. > >>> > >>> Maybe this is finally what i

Re: Peering with abusers...good or bad?

2018-03-02 Thread Job Snijders
On Sat, 3 Mar 2018 at 01:23, Baldur Norddahl wrote: > So I want to buy additional ports at each IX. The slowest speed they offer. > If I am lucky they have a free 100 Mbps. And then I just announce the > prefix I want to blackhole. Doesn't matter that the port overloads. I am > just going to null

Re: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Job Snijders
Dear Sean, On Tue, Mar 13, 2018 at 10:38:49AM -0700, Sean Pedersen wrote: > This is more or less the situation we're in. We contacted the customer > and they informed us the matter is in dispute with the RIR and that > their customer (the assignee) is in the process of resolving the > issue. We ha

Re: hijacking of 128.255.192.0/22

2018-03-20 Thread Job Snijders
On Tue, 20 Mar 2018 at 19:26, Ken Chase wrote: > A reason to de-aggregate down to /24s, to make hijacks more difficult/less > effective? Or perhaps something less costly for everyone: a reason for HE to implement prefix-based EBGP filters? At any given moment there appear to be roughly 5500 pr

Re: How are you configuring BFD timers?

2018-03-21 Thread Job Snijders
Silly question perhaps, but why would you do BFD on dark fiber? Kind regards, Job

Re: new diffserv code point LE PHB

2018-03-30 Thread Job Snijders
Dear Mikael, On Fri, Mar 30, 2018 at 12:27:52PM +0200, Mikael Abrahamsson wrote: > I would like to bring attention to the following IETF draft: > > https://tools.ietf.org/html/draft-ietf-tsvwg-le-phb-04 > > I believe this is well under way through the IETF process, and if someone > has strong op

IPv6 addressing plan spreadsheet issue

2018-04-01 Thread Job Snijders
Hi all, I made a list of the IPv6 addresses in my home LAN, but have trouble copy+pasting the list into a cloud spreadsheet. My address list is here: http://pete.meerval.net/~job/ How do other folks do this? Just administrate things in text files? Kind regards, Job

Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-02 Thread Job Snijders
On Mon, Apr 2, 2018 at 8:14 PM, Saku Ytti wrote: > If they are for redundancy, wouldn't it be preferable to route them to > different place to cover more fault scenarios. > > I would complain if they are routed to same place. Better start complaining then :-) Kind regards, Job

Re: IPv4 and IPv6 hijacking by AS 6

2018-04-12 Thread Job Snijders
On Thu, 12 Apr 2018 at 11:52, Matt Harris wrote: > On Thu, Apr 12, 2018 at 12:05 PM, wrote: > > > Have you tried their IRR entries? Bull appears to redirect to Atos now > > (site-wise). > > > > notify: ed.gie...@atos.net > > notify: charlie.mol...@atos.net > > changed:christophe.fra.

Re: IPv4 and IPv6 hijacking by AS 6

2018-04-13 Thread Job Snijders
Dear Jason, On Fri, Apr 13, 2018 at 02:17:47PM -0400, Jason S. Cash wrote: > Yes, ASN2 sees about 1-4 configuration related "rogue" announcements > per month. What is going on right now does not appear to be a small > misconfiguration. > > The only route we (University of Delaware) are annou

Re: Attacks on BGP Routing Ranges

2018-04-18 Thread Job Snijders
Hi, On Wed, 18 Apr 2018 at 11:39, Ryan Hamel wrote: > I wanted to poll everyone's thoughts on how to deal with attacks directly > on BGP peering ranges (/30's, /127's). > > I know that sending an RTBH for our side of the upstream routing range > does not resolve the issue, and it would actually m

Re: Are specific "route" objects in RIR databases needed?

2014-01-30 Thread Job Snijders
On Thu, Jan 30, 2014 at 06:51:59PM +0200, Martin T wrote: > for example there is a small company with /22 IPv4 allocation from > RIPE in European region. This company is dual-homed and would like to > announce 4x /24 prefixes to both ISPs. Both ISP's update their > prefix-lists automatically based

Re: While on the subject of IRR and route objects

2014-01-31 Thread Job Snijders
On Fri, Jan 31, 2014 at 08:58:06AM -0500, Alain Hebert wrote: > IRRToolset 5.0.1 (rtconfig really) finally gave out on a pretty > messy RPSL parse. > > After a few hours of research, it seems that its dead since 2009 :(. > > There is some effort at http://irrtoolset.isc.org to reboot

Re: While on the subject of IRR and route objects

2014-01-31 Thread Job Snijders
On Fri, Jan 31, 2014 at 11:32:17AM -0500, Alain Hebert wrote: > bgpq3 works great the as-set that was borking rtlookup generate a > ~183k long prefix list =D. I recommend using it like this, to enable aggregation where possible: bgpq3 -A Kind regards, Job
