On Tue, Jun 30, 2015 at 03:32:42PM -0700, Ca By wrote:
> It is NTT that would have mitigated this issue if they deployed and
> enforced rpki, right?
No, NTT deploying RPKI would not have helped in yesterday's issue.
But, RPKI could've made a difference in today's Bangladesh leak, even if
RPKI val
On Tue, Jun 30, 2015 at 05:40:03PM -0500, Jared Mauch wrote:
> We have been pushing large configurations to devices. You can check my
> slides from the London IEPG meeting.
These are the slides: http://iepg.org/2014-03-02-ietf89/ietf89_iepg_jmauch.pdf
> When 96% of your config is prefix filters
On Wed, Jul 01, 2015 at 09:36:34AM +0900, Randy Bush wrote:
> > - when not using the RTR protocol but generating prefix-list
> > filters based on RPKI data, the devices might not support
> > sufficient entries.
>
> because the rpki generated acls are bigger and heavier than those i
On Wed, Jul 01, 2015 at 11:19:45AM -0400, David H wrote:
> I was wondering if anyone can recommend a software (preferable), or
> hardware-based router with an API, that supports BGP with tags on
> advertised routes? I want to use it for a RTBH feed [ ... ]
Did you look at BIRD? It is one of the m
On Sat, Aug 01, 2015 at 10:24:10AM +0200, Jérôme Nicolle wrote:
> Just saw something surprising : 11/8 just came live from AS23352
> (ServerCentral)
> http://lg.ring.nlnog.net/prefix_detail/lg01/ipv4?q=11.0.0.0 .
>
> ARIN's registry didn't change :
>
> Net Range 11.0.0.0 - 11.255.255.255
> CID
On Sat, Aug 01, 2015 at 08:15:11PM +0700, Roland Dobbins wrote:
> On 1 Aug 2015, at 17:11, Job Snijders wrote:
>
> >I reached out to ServerCentral network engineering to ask.
>
> ServerCentral say it's legit, and that they have the appropriate
> documentation
On Thu, Aug 06, 2015 at 11:09:13AM +0100, Tom Hill wrote:
> On 04/08/15 07:29, Peng Xiao (penxiao) wrote:
> > Cisco has open sourced one part of their BGP monitoring system - YABGP
> > And hosted source code on GitHub. https://github.com/smartbgp/yabgp
> > Documentation: http://yabgp.readthedocs.or
On Mon, Aug 10, 2015 at 04:38:40PM +0300, Pavel Odintsov wrote:
> We have some open source software for this task
> https://github.com/FastVPSEestiOu/fastnetmon :) Feel free to ask me
> any questions off list.
I can attest that fastnetmon is a great tool for dealing with high pps
or high bandwidth
Hi,
On Tue, Aug 11, 2015 at 01:21:09PM -0500, Colton Conor wrote:
> We have an enterprise that has a headquarter office with redundant fiber
> connections, its own ASN, its own /22 IP block from ARIN.
> [ ... ]
>
> If you were to do this with Juniper or Cisco gear what would you have at
> each lo
Hi,
> The alternative is to expect "networks" with 100s or 1000s of locations to
> burn 100s or 1000s of ASNs. Which I think is a bit silly. Hence my question
> about possibly changing the rules.
I see no issue with that, we have an ASN pool of roughly 4294967280 ASNs. There
is no shortage. Al
://nanog.org/sites/default/files/wed.general.peeringdb.accuracy.snijders.14.pdf
Kind regards,
Job
On May 23, 2013, at 12:28 PM, Job Snijders wrote:
> Dear fellow networkers,
>
> I need your help!
>
> For the good of PeeringDB I am researching the accuracy of the current
> Pe
On Jul 26, 2013, at 3:09 PM, Grzegorz Janoszka wrote:
> On 26-07-13 14:59, NetSecGuy wrote:
>> BGPMon.net has alerted me to /32 hijacks. Does anyone have thoughts on
>> what this might be and if it's malicious or misconfiguration?
>> My first thought is leaked null routes. Is this even worth
On Mon, Sep 23, 2013 at 11:28:58PM +1000, Geoff Huston wrote:
> On 23/09/2013, at 8:01 PM, Nick Hilliard wrote:
>
> > I look forward to the day when we have proper 32 bit BGP community
> > support and ASN32s finally become usable on nontrivial networks.
> >
>
> Is there some reference that des
Dear all,
I am unsure what we as networkers have done in the past, but I am sure
we've done our fair share of atonement and don't have to keep using
RANCID.
Some might say "it took ages to get rancid to do kinda what we want!",
but not all software ages well. One might work in environments whe
On Fri, Oct 25, 2013 at 12:59:48PM +0100, Matthew Newton wrote:
> I'll try and post the script (250 lines) somewhere if anyone's
> interested.
It is almost always good to open source your tools, for others to learn
and benefit from! :-)
Kind regards,
Job
On Wed, Nov 06, 2013 at 10:51:08PM +, J.J. Mc Kenna wrote:
> Comcast to XO due to Comcast's TATA peering issue.
>
> Ongoing.
I'd love to see verifiable public data to back up that claim.
Kind regards,
Job
Dear Sebastian,
On Sat, Jan 25, 2014 at 02:56:16PM +0100, Sebastian Spies wrote:
> So here's the thing: IXPs usually implement N:M filtering based on
> standard community strings. As standard BGP communities support only 4
> bytes, this only works for IXPs with 2-byte ASNs and peers with 2-byte
>
On Sat, Jan 25, 2014 at 10:04:30AM -0500, Bryan Socha wrote:
> I have over 100,000 servers located in routing diverse datacenters
> with 4byte ASN numbers and have not had 1 problem or complaint related
> to the ASN for not able to communicate with the datacenter. The first
> 1 did make me really
y the CPE. I've been using it to multi-home my house and
it works
fine. I'm multihoming my IPv6 /48 over a v6-only DSL and a v4-only FTTH
connection.
More information about LISP can be found here: http://www.lisp4.net/
Kind regards,
Job Snijders
Dear All,
On 8 Apr 2011, at 19:34, Lori Jakab wrote:
> On 04/08/2011 06:39 PM, Owen DeLong wrote:
>> LISP can also be a good option. Comes with slightly more overhead in terms of
>> encapsulation/etc. than the GRE tunnels I use and has limited (if any)
>> functionality
>> for IPv4 (which GRE su
Dear Christina,
On 11 Apr 2011, at 16:49, Christina Klam wrote:
> One of our ISP is planning to do a LISP deployment. (1) Does anyone know if
> Sprint uses LISP? (2) Does anyone know of any good guides/documentation of
> LISP?
I cannot answer question 1.
But I do work for an ISP that's roll
On Mon, Dec 30, 2024 at 05:39:45PM -0300, Rubens Kuhl wrote:
> Thanks for the info. One of the users of ARIN FTP is the IRR
> community; I suggest looking at
> https://github.com/irr-net/irr-net.github.io to update the irr.net
> entry for ARIN with that specification.
https://github.com/irr-net/ir
On Thu, Jan 30, 2025 at 07:53:47AM -0700, michael brooks - ESC via NANOG wrote:
> If we received no notification, can we assume we are part of the
> 70.83%?
Only a single provider was affected, they are aware. You (and everyone
else) are part of the 70.83%.
Kind regards,
Job
On Thu, Jan 30, 2025 at 04:03:58PM +0100, Simon Leinen wrote:
> > It is interesting that the 'trigger event' happened two days ago,
> > but it is only just now that it became quite tangible! It seems this
> > anomaly could've been alerted for earlier on.
>
> Can you elaborate how? (Looking for ove
Dear all,
I analysed the alert, here is my assessment.
If I recall correctly, Packetvis uses multiple data sources (different
versions of validator implementations) and alerts on anomalies spotted
by more than a single data source.
Most RPKI Validator implementations limit the maximum allowable
etwork reliability by
strengthening the security and integrity of the global Internet routing
system. I'm excited to see what the coming year will bring!
Kind regards,
Job Snijders
Data sources:
RPKI Views - http://rpkiviews.org/
https://dango.attn.jp/rpkidata/2023/12/31/rpki-20231231T235150Z.tgz
https://dango.attn.jp/rpkidata/2024/12/31/rpki-20241231T235251Z.tgz
Dear Justin,
On Mon, Feb 08, 2021 at 03:14:47PM -0500, Justin Wilson (Lists) wrote:
> It acts like the IP block was blacklisted at some point and got on
> some bad lists but I don’t want to limit myself to that theory.
> I have opened up a ticket with ARIN asking for any guidance. Has
> anyone ran
On Mon, Feb 08, 2021 at 04:02:14PM -0500, Justin Wilson (Lists) wrote:
> I enabled 134.195.47.1 on one of our routers.
Cool! I noticed the following: from many NLNOG RING nodes I can reach
that IP address, but not from 195.66.134.42:
deepmedia01.ring.nlnog.net:~$ mtr -z -w -r 134.195.47.1
On Tue, Feb 16, 2021 at 01:37:35PM -0600, John Kristoff wrote:
> I'd like to start a thread about the most famous and widespread Internet
> operational issues, outages or implementation incompatibilities you
> have seen.
>
> Which examples would make up your top three?
This was a fantastic outage
Dear Hank,
On Sat, Feb 20, 2021 at 07:37:08PM +0200, Hank Nussbacher wrote:
> Is there a place where one can examine RPKI invalid logs for a specific date
> & time
I have set up a publicly accessible archiver instance in Dallas, and one
in Amsterdam which capture and archive data every 20 minute
Dear John,
Thank you for extending the deadline with another 6 months. Obviously 6
months amidst a global pandemic would never be enough time. :-)
Both John Sweeting [1] and myself [2] assert there are tens of thousands
of objects for which the relationship between the object's existence and
the
Dear Jakob, group,
On Wed, Apr 21, 2021 at 08:59:06PM +, Jakob Heitz (jheitz) via NANOG wrote:
> Ben's blog details an experiment in which he advertises routes and then
> withdraws them, but some of them remain stuck for days.
>
> I'd like to get to the bottom of this problem.
I think there
On Wed, Apr 21, 2021 at 09:22:57PM +, Jakob Heitz (jheitz) wrote:
> I'd like to get some data on what actually happened in the real cases
> and analyze it.
>
> [snip]
>
> TCP zero window is possible, but many other things could
> cause it too.
Indeed. There could be a number of reasons that c
On Thu, Apr 22, 2021 at 02:29:31PM +0300, Alexandre Snarskii wrote:
> 9002. Hit by Juniper PR1562090, route stuck in DeletePending..
> Workaround applied, sessions with 6939 restarted, route is gone.
Thank you for the details and clearing the issue.
Kind regards,
Job
Hi Robert, NANOG,
On Mon, Apr 26, 2021 at 09:29:27AM -0400, Robert Blayzor via NANOG wrote:
> According to Cloudflare's isbgpsafeyet.com, Cogent has been considered "safe"
> and is filtering invalids.
>
> But I have found that to be untrue (mostly). It appears that some days they
> filter IPv4, so
Dear Ruben, all,
On Tue, Apr 27, 2021 at 10:18:32PM -0300, Rubens Kuhl wrote:
> TC IRR, an IRR operator focused on Brazilian networks, just changed to
> IRRd 4.2. The new version allowed TC to deploy RPKI validation
> (thanks NTT for sponsoring that development) and expose HTTPS
> endpoints for W
On Mon, May 24, 2021 at 02:04:32PM -0400, Luca Salvatore wrote:
> Curious if anyone is aware of other Tier1s deprecating support for RADB?
Rather than deprecating RADB, I think the industry would be better off
if either RADB or the Tier1s (in their local caching layer) deploy IRR
database software
Dear Rubens,
On Mon, Aug 09, 2021 at 08:41:48AM -0300, Rubens Kuhl wrote:
> From a Cogent support ticket:
>> Please see the attached LOA.
>>
>> Regarding the RPKI ROA, for now, we don't create ROA for our prefixes
>> nor for prefixes that we assign to our customers and we don't plan to
>> do it.
Hi Bryan,
On Thu, 16 Sep 2021 at 19:53, Bryan Holloway wrote:
> Hey all ... looking for a Fastly (54113) peering contact that might be
> able to get me in touch with the right folks to do stuff.
I’ll follow up with you off-list.
Kind regards,
Job
Dear Lee,
*ring ring* - "IRR/RPKI helpdesk how may I help you today?" :-)
On Fri, Oct 22, 2021 at 08:25:10AM -0500, Lee Fawkes wrote:
> I have a couple of questions about best practices for Internet Routing
> Registries. I'm able to find lots of documentation about *how* to do
> things, but not a
Hi everyone, goedenmiddag Marco!
On Fri, Oct 22, 2021 at 01:40:42PM +0200, Marco Davids via NANOG wrote:
> We currently live in times where is actually fun to go IPv6-only. In my
> case, as in: running a FreeBSD kernel compiled without the IPv4-stack.
Indeed, this is fun experimentation. Shaking
On Mon, Oct 25, 2021 at 04:20:28PM -0400, Jared Mauch wrote:
> Some of the other CDNs do have IPv6 on the authorities and
> should work without issues.
>
> eg:
>
> dig -6 +trace www.akamai.com.
Yes of course :-)
dig -6 +trace www.fastly.com.
Kind regards,
Job
Dear Edvinas,
On Mon, Oct 25, 2021 at 11:49:09PM +0300, Edvinas Kairys wrote:
> We're thinking of enabling BGP ROA, because more and more ISPs are using
> strict RPKI mode.
>
> Does enabling Hosted Mode (where it doesn't requires any additional
> configuration on client end) on RPKI could for som
On Tue, Oct 26, 2021 at 04:58:20PM -0700, Randy Bush wrote:
> i run a FORT RPKI relying party instance. i am looking for some
> visibility into its operation.
>
> is it up: both ways, fetching and serving routers?
>
> from what CAs has it pulled, how recently and frequently with
> what suc
On Fri, Oct 29, 2021 at 01:20:33AM +0400, Musa Stephen Honlue wrote:
> Personally I recommend dropping them invalids.
100%
> However, you could set local preferences as follows:
> - Valids routes get the highest local pref
> - unknown routes get a medium local pref
> - Invalids routes get the lo
Hi Anurag,
Circular dependencies definitely are a thing to keep in mind when designing
IRR and RPKI pipelines!
In the case of IRR: It is quite rare to query the RIR IRR services
directly. Instead, the common practise is that utilities such as bgpq3,
peval, and bgpq4 query “IRRd” (https://IRRd.net
Hi all,
On Fri, 17 Dec 2021 at 19:50, Adrian Perrig wrote:
> other proposed approaches such as RPKI that only protects a route’s origin
> first AS, or BGPsec that requires widespread adoption and significant
> infrastructure upgrades.
>
For both RPKI-based BGP Route Origin Validation and RPKI-
Hi Allen,
Yes, it can be this quiet. It’s good news, it means the thing is mostly
working :-)
I wish everyone a happy and calm 2022!
Kind regards,
Job
On Mon, 3 Jan 2022 at 20:47, Allen McKinley Kitchen (gmail) <
allenmckinleykitc...@gmail.com> wrote:
> Or has NANOG also succumbed to a signed
On Mon, Mar 28, 2022 at 12:33:05PM +, Drew Weaver wrote:
> Is anyone else seeing this route destined for Twitter in the US being
> directed through 8359 announced by 8342?
>
> 104.244.42.0/24
>
> Just curious, replies off list welcome.
Seems visible in a handful of places:
$ w3m -dump
'htt
On Wed, Mar 30, 2022 at 01:29:25PM +, Drew Weaver wrote:
> Ex 45.176.191.0/24 3356 3549 11172 270150
>
> RPKI ROA entry for 45.176.191.0/24-24
> Origin-AS: 265621
>
> Two questions:
>
> First, are you also seeing this on this specific route?
It is visible in a few places, but the 61% sc
Hi all,
It's super official now: no more software bugs in networking gear.
Sorry it took so long to document what the best current practise is!
Kind regards,
Job / Chris / Remco
- Forwarded message from rfc-edi...@rfc-editor.org -
Date: Fri, 1 Apr 2022 10:17:37 -0700 (PDT)
From: rfc-ed
Dear all,
On Sat, Apr 02, 2022 at 09:09:58PM +, John Curran wrote:
> As previously reported here, ARIN will be shutting down the
> ARIN-NONAUTH IRR database on Monday, 4 April 2022 at 12:00 PM ET.
>
> It is quite likely that some network operators will see different
> route processing as a re
Dear Jon, others,
On Mon, Apr 04, 2022 at 05:48:42PM -0400, Jon Lewis wrote:
> On Mon, 4 Apr 2022, Kenneth Finnegan wrote:
> > While I agree that it might be politically entertaining to let this
> > one blow up as a demonstration of how ARIN conducts business, this
> > list of networks includes to
On Mon, Apr 04, 2022 at 06:35:31PM -0400, Jon Lewis wrote:
> On Tue, 5 Apr 2022, Job Snijders wrote:
> > > Are others jumping ship or planning to from ALTDB (no offense intended,
> > > and
> > > grateful for the service you've provided) and other non-auth
Hi Dan!
You highlight a common pitfall in IRR-based prefix filter generation.
On Mon, Apr 11, 2022 at 09:56:59AM -0700, Dan Mahoney (Gushi) wrote:
> [snip]
> as-set: AS-PEERS
> descr: Peer AS Numbers
> members:AS132251,AS132561,AS132516
> source: APNIC
>
> as-set
Hi Shawn,
On Wed, Apr 20, 2022 at 01:14:29PM -1000, Shawn wrote:
> What is the best practice (or peoples preferred methods) to
> update/correct/maintain geolocation data?
> Do most people start with description field info in route/route6 objects?
>
> [snip]
>
> Maybe I am not using the magic word
Hi!
In current versions I think enabling “soft-reconfiguration-inbound always”
(also described at
https://bgpfilterguide.nlnog.net/guides/reject_invalids/#cisco-ios-xr )
should be enough.
Make sure to enable it on every EBGP peer you apply ROV to, or just all
EBGP peers.
This knob slightly incre
On Wed, May 11, 2022 at 01:22:32PM -0600, Grant Taylor via NANOG wrote:
> On 5/11/22 10:53 AM, Job Snijders via NANOG wrote:
> > This knob slightly increases your own memory consumption, but makes your
> > router more “neighbourly”! :-)
>
> I question how accurate &
Hi,
I recommend taking a look at
https://github.com/nttgin/BGPalerter
https://www.lacnic.net/innovaportal/file/4489/1/bgpalerter_lacnic33.pdf
It offers a great blend of BGP and RPKI ROA monitoring
Kind regards,
Job
On Wed, 15 Jun 2022 at 16:45, Mehmet Akcin wrote:
> Hi there
>
> What are th
Hi Randy,
On Sun, 19 Jun 2022 at 23:07, Randy Bush wrote:
> >> It will also take much less RAM if you turn RPKI validation off.
> >
> > oh dear ghod. do i need to turn the dancing donkeys off too?
> >
> > "Make each program do one thing well. To do a new job, build afresh
> > rather than compli
On Fri, Aug 05, 2022 at 11:16:03AM -0400, Justin Wilson (Lists) wrote:
> What's the availability of two byte asns look like? Anyone able to
> obtain one recently?
Yes, at $work we obtained one recently (without hassle, thank you ARIN
hostmasters!).
So, I recommend to follow normal procedure and j
Dear Siyuan, others,
Thank you for the elaborate write-up and the log snippets. You
contributed a comprehensive overview of what transpired from a
publicly-visible perspective, what steps led up to the strike.
I want to jump in on one small point which I often see as a point of
confusion in our i
On Tue, Aug 23, 2022 at 05:18:42PM +, Compton, Rich A wrote:
> I was under the impression that ASPA could prevent route leaks as well
> as path spoofing. This "BGP Route Security Cycling to the Future!"
> presentation from NANOG seems to indicate this is the case:
> https://youtu.be/0Fi2ghCnXi
Hi Douglas, group,
On Tue, Aug 23, 2022 at 03:03:31PM -0300, Douglas Fischer wrote:
> I was thinking a little about this case...
>
> I'm almost certain that this case cited by Siyuan would have been
> avoided if there was a cross-check between the items contained in the
> AS-SET objects (and othe
Heya,
On Wed, Aug 24, 2022 at 09:17:03AM +0200, Claudio Jeker wrote:
> On Tue, Aug 23, 2022 at 08:07:29PM +0200, Job Snijders via NANOG wrote:
> > In this sense, ASPA (just by itself) suffers the same challenge as
> > RPKI ROA-based Origin Validation: the input (the BGP AS_PATH)
Dear Hugo,
On Tue, Aug 30, 2022 at 12:34:41PM -0700, Hugo Slabbert wrote:
> Google folks:
>
> I see historical reference to needing to use the Google Peering Portal (
> http://peering.google.com) if you need to provide Google with geofeed info
> for GeoIP info on network blocks, ref
> https://mai
On Tue, Aug 30, 2022 at 01:28:18PM -0700, Hugo Slabbert wrote:
> @Job:
>
> Thanks! I was aware of the RIPE whois option, but the relevant resources
> for us are in ARIN. I wasn't aware of the RPSL *remark* option for
> providing that. We should be able to give that a bash.
Hmmm, there might be
Dear Mark,
I’ll follow up off-list.
Kind regards,
Job
On Fri, 16 Sep 2022 at 20:06, Mark Spring wrote:
> In short, I am having issues with a couple of our subnets not being able
> to traverse a fastly peer which I don't manage, it is upstream from me. I
> need to get this resolved as it is ca
Dear all,
I'd like to ask help from the EBGP hivemind: the shiny new BGP looking
glass at https://lg.ring.nlnog.net/ supports displaying text strings
mapped from BGP community values (both simple and large communities).
Mapping BGP Community values to simple English human-readable text
phrases ca
Hi Dustin, others,
Sure thing! Someone from the Fastly peering team will follow up with you
off-list.
Information about peering with Fastly: https://www.peeringdb.com/asn/54113
and https://www.fastly.com/peering/
Kind regards,
Job
On Fri, 30 Sep 2022 at 14:39, Dustin Brooks wrote:
> Can som
Dear 孙乐童,
On Mon, Nov 07, 2022 at 08:40:57PM +0800, 孙乐童 wrote:
> We learned from Cloudflare's https://isbgpsafeyet.com/ that some ASes
> have deployed RPKI Origin Validation (ROV). However, we downloaded BGP
> collection data from RouteViews and RipeRis platforms and found that
> some ROV-ASes can
Hi all,
It appears PacketVis correctly identified an issue.
AFRINIC's self-signed root AfriNIC.cer [1] points via its SIA to
'afrinic-ca.cer' [2] which in turn references a RPKI Manifest named
'K1eJenypZMPIt_e92qek2jSpj4A.mft'.
The K1eJenypZMPIt_e92qek2jSpj4A Manifest lists 499 Certificate
Autho
Hi all,
On Wed, Dec 07, 2022 at 08:24:54PM -0800, Ryan Hamel wrote:
> AS3356 has been announcing 2000::/12 for about 3 hours now, an aggregate
> covering over 23K prefixes (just over 25%) of the IPv6 DFZ.
A few months ago I wrote: "Frequently Asked Questions about 2000::/12
and related routing er
The Internet delivers when we need it the most! :-)
https://is2000slash12announcedagain.com/
Props to Ben Cartwright-Cox
On Sat, Dec 17, 2022 at 04:58:18PM -0800, Randy Bush wrote:
> https://www.rfc-archive.org/getrfc?rfc=9092
>
> and note that massimo has a collio toolset
>
> https://github.com/massimocandela/geofeed-finder
Rpki-client (version 8.2 and higher) supports authenticating signed
Geofeed data a
Dear all,
With 2023 at our doorstep, I'd like to share some perspective on how
RPKI evolved in the year 2022.
Impact on the Global Internet Routing System
Decision makers might wonder: is investing time and resources worth it?
What is the effectivenes
Dear John,
On Tue, Jan 03, 2023 at 08:57:47PM +, John Curran wrote:
> NANOGers -
>
> FYI - ARIN Online now has FIDO2/Passkey as an option for two-factor
> authentication (2FA) - this is a noted priority for some
> organizations.
Thank you for sharing this wonderful news! I tried the new shin
Heya NANOG,
I thought this email conversation might be of interest to the group:
https://mailarchive.ietf.org/arch/msg/sidrops/RdbccLbXEHUrmmdIS5K9GOdJFXA/
Kind regards,
Job
- Forwarded message from Job Snijders -
Date: Fri, 19 May 2023 20:54:26 +0200
From: Job Snijders
To: sidr
Dear John, ARIN, NANOG,
On Mon, Aug 07, 2023 at 06:24:09PM +, John Curran wrote:
> We have made some fairly significant changes for those customers using
> ARIN Online for routing security administration – see attached message
> for specifics.
Yes, significant changes! I very much appreciate
Dear Mark,
Thank you for sharing all the details in your previous email. For
brevity I'm snipping most of your reply.
On Tue, Aug 08, 2023 at 03:59:19PM +, Mark Kosters wrote:
> Job Snijders wrote:
>
> > Would it not be advantageous to create at a minimum the 256 of the
>
On Fri, 11 Aug 2023 at 17:54, Graham Johnston via NANOG
wrote:
> I've been busy over the last few days trying to clean up IRR information
> for our subnets and issue ROAs for our address space. Invariably I came
> across stale entries in various IRR databases. They aren't really hurting
> me, but
On Fri, Sep 01, 2023 at 11:54:57AM +0100, Nick Hilliard wrote:
> it's not really. If the receiving BGP stack understands the attribute,
> then it should be parsed as default, i.e. carefully. Unfortunately,
> junos slipped up on this and didn't validate the input correctly,
> which is a parsing bug
Dear all,
Two weeks ago AFRINIC was placed under receivership by the Supreme Court
of Mauritius. This event prompted me to rethink the RPKI trust model and
associated risk surface.
The RPKI technology was designed to be versatile and flexible to
accommodate a myriad of real-world deployment scena
Dear Matthew,
See below
On Tue, 26 Sep 2023 at 20:49, Matthew Petach wrote:
>
> Job,
>
> This looks fantastic, thank you!
>
> For my edification and clarification, the reason you don't need a
>
> deny 2000::/3
>
> or
>
> deny 0::/0
>
> at the bottom of the ARIN list of allows is that every file
Dear all,
Please see the below announcement, I think this is really good news!
RPKI-based filtering at large databases and mirror services like RADB
really helps take the sting out of potentially harmful RPKI-invalid IRR
route objects. This will positively impact operators who use bgpq3, irrpt,
o
Dear Martin,
On Wed, Oct 11, 2023 at 10:01:53AM +0200, Martin Pels wrote:
> I think this is important work.
Thanks!
> As you indicated in your mail you have spent quite some time compiling
> the constraints files in the appendix. Keeping them up to date
> requires tracking allocations and policy
On Thu, 19 Oct 2023 at 11:46, Owen DeLong via NANOG wrote:
> A question for network operators out there that implement ROV…
>
> Is anyone rejecting RPKI unknown routes at this time?
>
> I know that it’s popular to reject RPKI invalid (a ROA exists, but doesn’t
> match the route), but I’m wonderin
On Thu, 19 Oct 2023 at 11:56, Owen DeLong wrote:
>
> On Thu, 19 Oct 2023 at 11:46, Owen DeLong via NANOG
> wrote:
>
>> A question for network operators out there that implement ROV…
>>
>> Is anyone rejecting RPKI unknown routes at this time?
>>
>> I know that it’s popular to reject RPKI invalid
On Thu, 19 Oct 2023 at 12:12, Aftab Siddiqui
wrote:
> A quick check to my routing table suggests that I have 206700
> preferred routes (v4/v6) to notfound (unknown) destinations. So yeah I
> don't think anyone can afford to do this right now.
>
I don’t think anyone can afford to ever do this, r
On Sun, 22 Oct 2023 at 17:42, Amir Herzberg wrote:
> Bill, thanks! You explained the issue much better than me. Yes, the
> problem is that, in my example, the operator was allocated 1.2.4/22 but
> the attacker is announcing 1.2.0/20, which is larger than the allocation,
> so the operator cannot
On Sun, 22 Oct 2023 at 18:10, William Herrin wrote:
> Then someone comes along and advertises a portion of the RIR space
> larger than any allocation. Since your subnet is intentionally absent
> from the Internet, that larger route draws the packets allowing a
> hijack of your address space.
>
>
On Sun, 22 Oct 2023 at 19:35, Owen DeLong wrote:
> Actually, Job, the 1.2.0/20 would be the longest prefix announced for
> 1.2.4/24 and 1.2.7/24 in this case. It’s a rather clever end-run. The /20
> won’t match the more specific as0 ROAs, so it gets accepted. The /24s
> either aren’t advertised o
On Sun, 22 Oct 2023 at 20:33, Tom Beecher wrote:
> Basically, I guess, it means that the AS 0 solution shouldn't be used, at
>> least not usually.
>>
>
> It's like everything else. Understand what the tools do and what they
> don't do, and use them appropriately.
>
A primary risk for an IXP is
On Tue, Oct 24, 2023 at 05:28:31PM -0700, Owen DeLong wrote:
> Yes, but we weren’t talking about an IXP here.
> We’re talking about an ISP.
Sure, perhaps you were
I intended to submit an example where a resource holder constructively
uses a ROA designating AS 0 as purported originator, actually h
Dear Amir,
On Fri, Nov 10, 2023 at 06:02:48PM -0500, Amir Herzberg wrote:
> We will present our new work, titled: `BGP-iSec: Improved Security of
> Internet Routing Against Post-ROV Attacks', in NDSS'24.
>
> If you're interested in security of Internet routing (BGP), and want a
> copy, see URL be
Dear NANOG,
It appears the WHOIS service at whois.radb.net is now filtering out
RPKI-invalid IRR route/route6 objects for common expansion queries!
This really is exciting and excellent news. I'll elaborate a bit on what
this exactly means.
Example ROA & IRR object
Take
Dear all,
Happy new year everyone! Having just closed chapter 2023 - let's look
back at the previous year.
In this memo I'll share some RPKI statistics, summarize highlights from
the IETF Standards Development process, and reflect on emerging trends.
Year to Year Growth of the distributed RPKI
On Tue, Jan 30, 2024 at 07:28:01PM +0300, Frank Habicht wrote:
> I believe that the entry of
> route: 0.0.0.0/32
>
> does not serve any good purpose?
I don't think so either, I've created an issue to prevent that in future
releases of IRRd v4: https://github.com/irrdnet/irrd/issues/906
Dear all,
At NANOG 90, Merit presented on their IRRd v4 deployment. At the
microphone Geoff Huston raised a comment which I interpreted as:
"Can an exception be made for my research prefixes?"
There are two sides to this:
INSERTING RPKI-invalid route/route6 objects
=
On Mon, Feb 12, 2024 at 04:07:52PM -0500, Geoff Huston wrote:
> > On 12 Feb 2024, at 3:14 pm, Job Snijders via NANOG wrote:
> > At NANOG 90, Merit presented on their IRRd v4 deployment. At the
> > microphone Geoff Huston raised a comment which I interpreted as:
> >
>