Re: att or sonic "residential" fiber service at a "nontraditional" residence.

2020-11-01 Thread Matt Corallo
Their site is confusing - they were historically (and still are, in most places) a DSL provider using AT&T for the last hop into the house. Over the past few years they’ve built out their own fiber network which currently has a much smaller footprint. Definitely by far the best residential inter

Telia Not Withdrawing v6 Routes

2020-11-15 Thread Matt Corallo
Has anyone else experienced issues where Telia won't withdraw (though will happily accept an overriding) prefixes for the past week, at least? eg 2620:6e:a003::/48 was a test prefix and should not now appear in any DFZ, has not been announced for a few days at least, but shows up in Telia's LG

Re: Telia Not Withdrawing v6 Routes

2020-11-15 Thread Matt Corallo
. Some years ago we experienced something similar (it was a router of TI Sparkle still advertising a prefix of us in Asia to their clients, that they were previously receiving from our former transit GTT – we were advertising it in Europe...). Le 16 nov. 2020 à 02:58, Matt Corallo a écrit : Has an

Re: Telia Not Withdrawing v6 Routes

2020-11-15 Thread Matt Corallo
One of the routing gears on the path don't like the large community inside > those routes maybe ? :) > By the way we currently see 2620:6e:a002::/48 at LINX LON1 from Choopa and > HE... > >> Le 16 nov. 2020 à 04:44, Matt Corallo a écrit : >> >> Yea, I did

Re: Telia Not Withdrawing v6 Routes

2020-11-16 Thread Matt Corallo
For those curious, Johan indicated on Twitter this was a JunOS bug. https://twitter.com/gustawsson/status/1328298914785730561 Matt > On Nov 15, 2020, at 23:13, Matt Corallo wrote: > > Maybe? Never been an issue before. In this case the route does have a depref > community on Tel

Re: Telia Not Withdrawing v6 Routes

2020-11-16 Thread Matt Corallo
e: - On Nov 15, 2020, at 5:58 PM, Matt Corallo na...@as397444.net wrote: Has anyone else experienced issues where Telia won't withdraw (though will happily accept an overriding) prefixes for the past week, at least? I have seen issues like this in a network that I operated. In that pa

Re: Parler

2021-01-13 Thread Matt Corallo
In case anyone thought Amazon was being particularly *careful* around their enforcement of Parler's ban...this is from today on parler's new host: $ dig parler.com ns ... parler.com. 300 IN NS ns4.epik.com. parler.com. 300 IN NS ns3.epik.com. .

Re: [External] Re: Parler

2021-01-13 Thread Matt Corallo
g Parler's registrar, but that would truly be a reach, since they aren't Parler's Web host. -- Hunter Fuller (they) Router Jockey VBH Annex B-5 +1 256 824 5331 Office of Information Technology The University of Alabama in Huntsville Network Engineering On Wed, Jan 13, 2021 at 5:4

Re: Parler

2021-01-13 Thread Matt Corallo
domain, so it’s not as comparable as I understood it to be. Matt > On Jan 14, 2021, at 00:10, William Herrin wrote: > > On Wed, Jan 13, 2021 at 9:02 PM Valdis Klētnieks > wrote: >> On Wed, 13 Jan 2021 18:41:55 -0500, Matt Corallo said: >>> parler.com.

Re: Parler

2021-01-13 Thread Matt Corallo
can avoid longer negative caching while they work on a real hosting deal. Matt > On Jan 14, 2021, at 00:29, William Herrin wrote: > > On Wed, Jan 13, 2021 at 9:22 PM Matt Corallo wrote: >> Sure, I just found it marginally comical that amazon, after making a big >> stink a

Akamai IP Block Issues

2021-03-30 Thread Matt Corallo
If anyone has a good contact at Akamai, please reach out off-list. We are getting Akamai Access Denied errors on eyeballs trying to schedule COVID-19 appointment slots like the below: Access Denied You don't have permission to access "http://www.walgreens.com/findcare/vaccination/covid-19/locati

Re: Abuse Contact Handling

2021-08-05 Thread Matt Corallo
There's a few old threads on this from last year or so, but while unmonitored abuse contacts are terrible, similarly, people have installed automated abuse contact spammer systems which is equally terrible. Thus, lots of the large hosting providers have deemed the cost of actually putting a human

Re: Abuse Contact Handling

2021-08-06 Thread Matt Corallo
> Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com > > From: "Matt Corallo" > To: "Mike Hammett" , "NANOG" > Sent: Thursday, August 5, 2021 3:44:43 PM > Subject: Re: A

Re: "Using Cloud Resources to Dramatically Improve Internet Routing"

2020-01-09 Thread Matt Corallo
lol no that’s even worse. “We put routing on the blockchain to make it secure and scalable the two things blockchains generally aren’t, now please buy our token “. > On Jan 9, 2020, at 11:28, Aistis Zenkevičius wrote: > > So, a bit like this then: https://noia.network/technology > > -Ais

Re: China’s Slow Transnational Network

2020-03-02 Thread Matt Corallo
It also gives local competitors a leg up by helping domestic apps perform better simply by being hosted domestically (or making foreign players host inside China). > On Mar 2, 2020, at 11:27, Ben Cannon wrote: > > > It’s the Government doing mandatory content filtering at the border. Their

Re: China’s Slow Transnational Network

2020-03-02 Thread Matt Corallo
tually doing it. > > Best, > Pengxiong Zhu > Department of Computer Science and Engineering > University of California, Riverside > > > On Mon, Mar 2, 2020 at 8:38 AM Matt Corallo <mailto:na...@as397444.net>> wrote: > > It also gives local competitors a leg up

Re: China’s Slow Transnational Network

2020-03-03 Thread Matt Corallo
Note, of course, further, that "the GFW" is not a single appliance, nor even a standard, common appliance. There are very different "GFWs" based on which link you're looking at, which telco it is, etc. Indeed, usually traffic to Hong Kong is affected much less by the GFW than other links (though st

Re: The Cost of Paid Peering with Chinese ISPs

2020-04-01 Thread Matt Corallo
No one suggested it isn’t censorship, you’re baiting here. Not deploying enough international capacity is absolutely a form of censorship deployed to great avail - if international sites load too slow, you can skimp on GF appliances! Matt > On Apr 1, 2020, at 12:26, Pengxiong Zhu wrote: > Many

Re: RPKI TAs

2020-08-03 Thread Matt Corallo
While I certainly agree with you, I have a certainly-naive question - what the difference is between ARIN and RIPE's T&C: Aug 3 19:07:15 rpki-validator rpki-client[16164]: The RIPE NCC Certification Repository is subject to Terms and Conditions Aug 3 19:07:15 rpki-validator rpki-client[16164]:

Network Policies Towards Software Supply Chain Compromise

2022-03-17 Thread Matt Corallo
Hi network operators, As RPKI validation continues to become increasingly broadly deployed (yay!), I wanted to highlight and ask what deployment policies are towards dependency validation and pinning of RPKI validation software. For example, routinator's dependency graph is somewhat large, and

Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.)

2022-05-11 Thread Matt Corallo
On 5/6/22 5:58 PM, Amir Herzberg wrote: Hi NANOGers, Questions: - Do you find zone enumeration a real concern? I have found that some people who are concerned about such things will have LetsEncrypt certs for many of the same hosts they were worried about - which of course makes the DNS zo

rsync CVE-2022-29154 and RPKI Validation

2022-09-08 Thread Matt Corallo
Has anyone done an analysis of the rsync CVE-2022-29154 (which "allows malicious remote servers to write arbitrary files inside the directories of connecting peers") and its potential impact on RPKI validators? It looks like both Debian [1] and Ubuntu [2] opted *not* to patch rsync in their rele

Re: rsync CVE-2022-29154 and RPKI Validation

2022-09-09 Thread Matt Corallo
On 9/9/22 2:36 AM, Vincent Bernat wrote: The attacker is still limited to the target directory. The attacker can send files that were excluded or not requested, but they still end up in the target directory. RPKI validators download stuff in a dedicated download directory Ah, okay, thanks,

Re: rsync CVE-2022-29154 and RPKI Validation

2022-09-09 Thread Matt Corallo
On 9/9/22 1:58 PM, Vincent Bernat wrote: On 2022-09-09 19:36, Matt Corallo wrote: The attacker is still limited to the target directory. The attacker can send files that were excluded or not requested, but they still end up in the target directory. RPKI validators download stuff in a

Re: the ipv4 vs ipv6 growth debate

2022-12-03 Thread Matt Corallo
It would be nice if IPvFoo showed the bytes and connection/request count. It's going to be a loonnggg time before we can do consumer internet browsing with no v4, until then it's about reducing cost of CGNAT with reduced packets/connections. For twitter, the main site is v4, yea, but abs.twimg.

Re: Yahoo Mail admin assistance

2022-12-14 Thread Matt Corallo
You might try the Mailop list at https://www.mailop.org/, they're definitely active over there. Matt On 12/14/22 11:54 AM, Sam Roche wrote: If someone from the Yahoo mail admin team is on the list, could you please reach out to me privately? We had an issue where our customer SMTP server was t

Re: A blatant podcast plug

2023-03-05 Thread Matt Corallo
On 3/5/23 12:34 PM, Dave Taht wrote: I rather enjoyed doing this podcast a few weeks ago, (and enjoy this podcast a lot, generally), and it talks to what I've been up to for the past year or so on fixing bufferbloat for ISPs. https://packetpushers.net/podcast/heavy-networking-666-improving-qu

Re: A blatant podcast plug

2023-03-06 Thread Matt Corallo
On 3/5/23 7:00 PM, Matt Corallo wrote: On 3/5/23 12:34 PM, Dave Taht wrote: I rather enjoyed doing this podcast a few weeks ago, (and enjoy this podcast a lot, generally), and it talks to what I've been up to for the past year or so on fixing bufferbloat for ISPs.

Re: ElastiFlow Getting Started?

2023-03-22 Thread Matt Corallo
Is this in relation to the old opensource archived ElastiFlow or the new proprietary one with only subscription options above a certain flow count? Presumably the subscription comes with some kind of support? I think the only option left for open source flow monitoring is the new free.fr-mainta

Re: Best Linux (or BSD) hosted BGP?

2023-05-03 Thread Matt Corallo
Lots of replies saying which of BIRD/exabgp/frr/quagga/openbgpd folks prefer, but they're all pretty good. Honestly for such a project they're all just as great, it comes down mostly to what you're used to config-wise. Used to big metal router configuration? You might find BIRD foreign. Used to

Re: New addresses for b.root-servers.net

2023-06-03 Thread Matt Corallo
On 6/1/23 3:57 PM, William Herrin wrote: Certainly we would appreciate other opinions about what the right length of a change-over time would be, especially from the operational communities that will be most impacted by this change. A server generation is about 3 years before it's obsolete a

Re: New addresses for b.root-servers.net

2023-06-03 Thread Matt Corallo
On 6/3/23 4:17 PM, William Herrin wrote: On Sat, Jun 3, 2023 at 12:46 PM Matt Corallo wrote: I assume RHEL would ship a root hints update during that time, but such things can slip through pretty easily as it's not a security update. Hi Matt, It *is* a security update. That's a r

Re: New addresses for b.root-servers.net

2023-06-17 Thread Matt Corallo
On 6/17/23 7:12 AM, Tom Beecher wrote: Bill- Don't say, "We'll keep it up for as long as we feel like it, but at least a year." That's crap. 30% of the root servers have been renumbered in the last 25 years. h : 2015 d: 2013 l : 2007 j : 2002 For these 4 cases, only a 6 month tran

Re: New addresses for b.root-servers.net

2023-06-17 Thread Matt Corallo
relies on no one intercepting or spoofing responses of some of your queries to a root server, it’s been game over for a long time. On Sat, Jun 17, 2023 at 10:29 AM Matt Corallo mailto:na...@as397444.net>> wrote: On 6/17/23 7:12 AM, Tom Beecher wrote: > Bill- >

Re: New addresses for b.root-servers.net

2023-06-18 Thread Matt Corallo
On 6/18/23 12:53 AM, Masataka Ohta wrote: Matt Corallo wrote: That's great in theory, and folks should be using DNSSEC [1], Wrong. Both in theory and practice, DNSSEC is not secure end to end Indeed, but (a) there's active work in the IETF to change that (DNSSEC stapling to

Re: New addresses for b.root-servers.net

2023-06-19 Thread Matt Corallo
On 6/19/23 2:08 AM, Masataka Ohta wrote: Matt Corallo wrote: Both in theory and practice, DNSSEC is not secure end to end Indeed, but (a) there's active work in the IETF to change that (DNSSEC stapling to TLS certs) TLS? What? As was demonstrated by diginotar, PKI i

Re: New addresses for b.root-servers.net

2023-06-20 Thread Matt Corallo
On 6/19/23 8:08 PM, Masataka Ohta wrote: Matt Corallo wrote: This is totally unrelated to the question at hand. There wasn't a question about whether a user relying on trusted authorities can maybe be whacked by said trusted authorities (though there's been a ton of work in this s

Re: New addresses for b.root-servers.net

2023-06-20 Thread Matt Corallo
On 6/20/23 10:20 PM, Masataka Ohta wrote: Matt Corallo wrote: So, let's recognize ISPs as trusted authorities and we are reasonably safe without excessive cost to support DNSSEC with all the untrustworthy hypes of HSMs and four-eyes principle. I think this list probably has a few t

Re: whois server

2023-07-13 Thread Matt Corallo
Loads for me and just has a "we're shutting down notice", copied below. But, like they say, modern whois knows where to look, no need to use anything else, I think as long as you're not stuck trying to use macOS or something else shipping weird ancient un-updated unix tools. Matt geektools.c

Re: Request for assistance with Verizon FIOS connection

2023-07-14 Thread Matt Corallo
I've always had good luck with https://consumercomplaints.fcc.gov/hc/en-us. This tends to result in a higher-level tech getting assigned to your ticket at least at larger providers. Depending on where you are, your local government may have a similar process (e.g. in NYC the city has a similar p

Re: Request for assistance with Verizon FIOS connection

2023-07-14 Thread Matt Corallo
le out the CPE.   -mel *From:* NANOG on behalf of Matt Corallo *Sent:* Friday, July 14, 2023 5:46 PM *To:* Neil Hanlon ; nanog@nanog.org *Subject:* Re: Request for assistance with Verizon FIOS connection I

Re: malware warning

2023-07-18 Thread Matt Corallo
I get quite a bit of spam that is a "reply" to old NANOG posts (some dating back a year or more). Seems to only happen on some specific threads, dunno why though. Definitely recommend using a nanog-specific alias and auto-spam-folder'ing anything to that alias that isn't CC nanog@nanog, that se

.com.au RRSIG Expired

2023-09-17 Thread Matt Corallo
Just in case anyone wonders why *.com.au isn't loading for their customers, the RRSIG covering .com.au/DS expired at 00:05:29 UTC (about 40 minutes ago now). Matt

Re: *.au RRSIG Expired

2023-09-17 Thread Matt Corallo
I believe same for name.au where `name` has a DS record. Same for net.au./DS, etc. Matt On 9/17/23 5:48 PM, Matt Corallo wrote: Just in case anyone wonders why *.com.au isn't loading for their customers, the RRSIG covering .com.au/DS expired at 00:05:29 UTC (about 40 minutes ago now). Matt

Re: constraining RPKI Trust Anchors

2023-09-26 Thread Matt Corallo
Thank you! This is awesome and very, very much needed work. RPKI has plugged some major security issues with the DFZ, but in exchange introduced substantial other ones. It sucks it took AFRINIC imploding to motivate more time fixing it, but I’m super glad you’re working on it! We should also c

Re: BGP prefix filter list

2019-05-30 Thread Matt Corallo
Required or not, I've seen a number of networks doing this. At some point "single global ASN" became a marketable pitch and folks realized they don't actually have to have a single Network to get it. Matt (Oops +nanog, sorry Mel + William) > On May 30, 2019, at 13:10, Mel Beckman wrote: > >

Re: Postmaster@

2019-06-16 Thread Matt Corallo
I presume you were contacting them due to their (apparently) bogus SPF parsing? Seems they recently broke something and email servers I've been sending from for 10 years without much configuration change recently started getting generic SPF-looking failure messages (I guess they don't properly pars

Re: Bgpmon alternatives?

2019-06-16 Thread Matt Corallo
There's also https://github.com/NLNOG/bgpalerter (which I believe they're trying to turn into a website frontend based on RIS, but I run it with patches for as_path regexes and it works pretty well). > On Jun 16, 2019, at 07:40, Michael Hallgren wrote: > > RIS Live API is a choice for this. >

Re: CloudFlare issues?

2019-07-06 Thread Matt Corallo
On my test net I take ROA_INVALIDs and convert them to unreachables with a low preference (ie so that any upstreams taking only the shorter path will be selected, but so that such packets will never be routed). Obviously this isn't a well-supported operation, but I'm curious what people think of s

Re: CloudFlare issues?

2019-07-06 Thread Matt Corallo
Oops, I mean with a script which removes such routes if there is an encompassing route which a different upstream takes, as obviously the more-specific would otherwise still win. Matt On 7/6/19 5:44 PM, Matt Corallo wrote: > On my test net I take ROA_INVALIDs and convert them to unreachab

Re: 44/8

2019-07-18 Thread Matt Corallo
I presume they'd be more than happy to if some HAM's were to file a lawsuit against ARIN (not entirely an un-serious suggestion), but, short that, what do they care if they cooperated in stealing some otherwise-unused IPs and giving them to Amazon? Matt > On Jul 18, 2019, at 23:44, William Wai

Re: CenturyLink/Level3 feedback

2019-07-23 Thread Matt Corallo
Two weeks? We're at two months and counting. Honestly about to walk away from the contract at this point, fees or no. Matt On 7/24/19 12:12 AM, Stephen Frost wrote: > Since there was a comment on this again, I figure I'll provide an update > ('just' the facts...)- it's now been two more weeks wit

Re: UK, NL, & Asia LTE Providers for Opengear Console Servers

2019-08-01 Thread Matt Corallo
When using a data-only Fi SIM (which are free if you have an account, just pay the bandwidth), they always just act as a T-Mobile US MVNO and route back through the US. Still, latency aside, I've found it incredibly reliable (plus in many countries you can pick from multiple networks). If you h

Re: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users

2019-09-18 Thread Matt Corallo
Because getting each ISP in the world to comply with NSA monitoring requests was too hard, instead they get to centralize the full list of every website everyone in the world visits on a single fleet of servers in Cloudflare's datacenters. This means we only need to compromise one person to

Re: Elad Cohen

2019-09-19 Thread Matt Corallo
Come on dude, you could just respond with the requested LoAs and purchase agreements and yet instead you threaten lawsuits. No one with half a brain even skimming this thread will conclude that you're innocent in this matter (a lapse in accuracy or two here and there by Mr Guilmette notwithstand

Re: This DNS over HTTP thing

2019-09-30 Thread Matt Corallo
It was mentioned in this (partially related) thread, with all the responses being the predictable “lol these folks in Silicon Valley need to lay off the drugs”. https://mailman.nanog.org/pipermail/nanog/2019-September/103059.html Matt > On Sep 30, 2019, at 19:25, Jay R. Ashworth wrote: > >

Re: This DNS over HTTP thing

2019-10-01 Thread Matt Corallo
I’m not sure that google has announced any plans to, but Firefox has announced plans to switch everyone to Cloudflare’s DNS. Hope none of y’all are running competing CDNs, cause they’re about to get real slow on Firefox. Matt > On Oct 1, 2019, at 12:38, Damian Menscher via NANOG wrote: > >

Automated Abuse Reports

2019-10-07 Thread Matt Corallo
How do people view the automated generation of abuse reports? I’ve seen lots of (understandable) moaning about large providers not handling abuse reports, and lots of (understandable) suggestions that ARIN test for the reachability of abuse contacts. On the flip side, I run a Tor exit node (as

Re: Cloudflare "Magic" IP Transit

2019-10-25 Thread Matt Corallo
You find it hypocritical that they host booter services? I find it hypocritical (and criminal, if anyone could prove it more than laughably strong correlation) that Cloudflare sales reps had such an impressive knowledge of when sites were getting DDoSed that they could show up to offer service b

Re: ECN

2019-11-13 Thread Matt Corallo
This sounds like a bug on Cloudflare’s end (cause trying to do anycast TCP is... out of spec to say the least), not a bug in ECN/ECMP. > On Nov 13, 2019, at 11:07, Toke Høiland-Jørgensen via NANOG > wrote: > > >> >> Hello >> >> I have a customer that believes my network has a ECN problem.

Re: ECN

2019-11-13 Thread Matt Corallo
Not ideal, sure, but if it’s only for the SYN (as you seem to indicate), splitting the flow shouldn’t have material performance degradation? > On Nov 13, 2019, at 11:51, Toke Høiland-Jørgensen wrote: > > > >> On 13 November 2019 17:20:18 CET, Matt Corallo wrote: >>

Re: Starting to Drop Invalids for Customers

2019-12-11 Thread Matt Corallo
Right, but you’re also taking a strong, cryptographically-authenticated system and making it sign non-authenticated data. Please don’t do that. If you want to add the data to RPKI, there should be a way to add the data to RPKI, not sign away control of your number resources to unauthenticated so

Re: Starting to Drop Invalids for Customers

2019-12-11 Thread Matt Corallo
Ah, right. Fair. I was responding, I suppose, to Rubens' original description, which was exactly this. On 12/11/19 5:08 PM, Christopher Morrow wrote: > On Wed, Dec 11, 2019 at 11:35 AM Matt Corallo wrote: >> >> Right, but you’re also taking a strong, cryptographically-auth

Re: Am I the only one who thinks this is disconcerting?

2023-11-13 Thread Matt Corallo
On 11/8/23 2:23 PM, Bryan Fields wrote: On 11/8/23 2:25 PM, o...@delong.com wrote: Seems irresponsible to me that a root-server (or other critical DNS provider) would engage in a peering war to the exclusion of workable DNS. I've brought this up before and the root servers are not really an IA

Re: Am I the only one who thinks this is disconcerting?

2023-11-13 Thread Matt Corallo
hijack Cogent's IP space? That would end in a lawsuit and potentially even more de-peering between them. Ryan Hamel ---- *From:* NANOG on behalf of Matt Corallo *Sent:* Monday, November 13, 20

Re: Am I the only one who thinks this is disconcerting?

2023-11-13 Thread Matt Corallo
On 11/13/23 12:57 PM, Matt Corallo wrote: I'd be very curious to see a lawsuit over an IP hijack that isn't interfering with the operation of any of Cogent's services and is restoring service to HE's customers. Doubly so if they prepend aggressively to avoid it being a pr

Re: Out-of-Bailiwick DNS?

2024-07-06 Thread Matt Corallo
On 7/6/24 8:06 PM, Robert McKay via NANOG wrote: On 2024-07-06 21:11, John Von Essen wrote: Ok…. now a rabbit hole. I looked at some vanity TLDs, and it appears the ALOT of big companies have their names as TLDs, but almost none of them are using it for anything. Why is that? Is it just a cop

Re: Current diameter of the Internet?

2024-07-20 Thread Matt Corallo
On 7/19/24 8:44 PM, joel jaeggli wrote: On 7/19/24 15:07, Sean Donelan wrote: What is the current estimated diameter of the Internet? Maximum (worst-case) RTT edge-to-edge? Most public latency data is now edge-to-cloud, not edge-to-edge. Cloud engineers have done a great job, and edge-to

Re: pgp keyservers

2024-07-21 Thread Matt Corallo
pgp.mit.edu has been sporadically available for me over the last while, but yea AFAIU sks-keyservers shut down after the DoS drama, as did most of the old servers in the pool. I believe keyserver.ubuntu.com generally works and doesn't strip all the signatures and whatnot off keys when they uplo

Re: Any ideas how long gmail cache DNS records ?

2024-08-12 Thread Matt Corallo
You might try posting this type of query to the mailop list at https://www.mailop.org/ There's at least one gmail person who responds every now and again over there. (keeping on-list since these kinds of queries come up every now and again and it's useful for folks to see the pointer) Matt On

Re: A plea to ignore abuse reports from "watchdogcyberdefense.com"

2024-11-05 Thread Matt Corallo
There are tons of networks out there that will automatically send an email to abuse records in whois based on fairly braindead criteria. Sadly, this has resulted in abuse contacts being increasingly useless since large hosting providers get such a flood of garbage that they can't actually look in

Re: EA Game IP Geolocation

2024-11-11 Thread Matt Corallo
It doesn't answer your specific question, but the usual suggestion is to start with the list of geoIP providers at http://thebrotherswisp.com/index.php/geo-and-vpn and see if any of them turn up the matching (wrong) values. On 11/9/24 4:36 PM, Claire Dubois wrote: Hi, We’ve recently received

Re: Implementing Decentralized RPKI with Blockchain Technology

2024-11-18 Thread Matt Corallo
On 11/18/24 5:11 AM, Niels Bakker wrote: * na...@as397444.net (Matt Corallo) [Sun 17 Nov 2024, 20:44 CET]: Apologies if it came across as insulting, indeed I wasn't spending my time reading IETF mailing lists in the early 2010s :). That said, the reality today is that RPKI trust anchor

Re: Implementing Decentralized RPKI with Blockchain Technology

2024-11-18 Thread Matt Corallo
Yep, that’s a great point, and IMO all the more reason to seek solutions that provide operators/other RIRs the ability to respond by giving them human timescales, rather than things being taken out overnight. > On Nov 18, 2024, at 13:39, Randy Bush wrote: > > i have not seen mention that a si

Re: Incorrect Reverse DNS in Verizon Fios NYC core router traceroute

2024-11-18 Thread Matt Corallo
Yea, FiOS has a lot of incorrect RDNS entries, you learn not to trust them. (I know, folks always point out that it could be the other side of a different connection on the same router, but I’d still call that a misconfiguration). Matt > On Sep 10, 2024, at 17:21, Neel Chauhan wrote: > Hi, >

Re: Implementing Decentralized RPKI with Blockchain Technology

2024-11-18 Thread Matt Corallo
> On Nov 18, 2024, at 04:18, Niels Bakker wrote: > > * na...@as397444.net (Matt Corallo) [Sun 17 Nov 2024, 20:41 CET]: >> Fair enough. I suppose I wasn't reading the right corner of the internet to >> find it. Either way there's basically no mitigations in p

Re: Implementing Decentralized RPKI with Blockchain Technology

2024-11-18 Thread Matt Corallo
> On Nov 18, 2024, at 00:02, Tom Beecher wrote: > > >> That said, the reality today is that RPKI trust anchors are perfectly >> capable of (through malice or cybersecurity incidents) AS0-routing as much >> IP space as they want, >> taking entire swaths of the internet offline for a day or mo

Re: Implementing Decentralized RPKI with Blockchain Technology

2024-11-13 Thread Matt Corallo
On 11/13/24 9:39 AM, Brandon Z. wrote: Hi there, Currently, due to political factors, some countries are not particularly proactive in deploying RPKI. Imagine if the RIR of a region were forced to revoke all IP resources of a particular country from RPKI, effectively isolating that country

Re: Implementing Decentralized RPKI with Blockchain Technology

2024-11-18 Thread Matt Corallo
> On Nov 18, 2024, at 08:04, Nick Hilliard wrote: > > Matt Corallo wrote on 18/11/2024 12:53: >> But, no, of course a RIR won’t ignore a court order, indeed that’d be >> nuts, but we could ensure that doing so takes some nontrivial (human) >> time during which

Re: Implementing Decentralized RPKI with Blockchain Technology

2024-11-17 Thread Matt Corallo
On 11/14/24 12:08 PM, Christopher Morrow wrote: On Wed, Nov 13, 2024 at 7:02 PM Matt Corallo wrote: Thanks for raising this topic. In all the rush to deploy RPKI I fear these issues are not talked about enough. you missed ~8yrs of hand wringing and such... so sad. Fair enough. I

Re: Implementing Decentralized RPKI with Blockchain Technology

2024-11-17 Thread Matt Corallo
On 11/13/24 10:45 PM, Seth David Schoen wrote: Matt Corallo writes: I see where you're going - blockchains are an audit log (eg Certificate Transparency) and cryptocurrencies generally use something expensive to perform anti-sybil to gate appending to the audit log, but allowing the la

Re: Implementing Decentralized RPKI with Blockchain Technology

2024-11-17 Thread Matt Corallo
On 11/14/24 2:29 PM, Tom Beecher wrote: In all the rush to deploy RPKI I fear these issues are not talked about enough. The first RPKI deployments started happening in the early 2010s, after many many years of being talked about. I'm sure you didn't mean it, but it's pretty insult

Re: Implementing Decentralized RPKI with Blockchain Technology

2025-01-20 Thread Matt Corallo
Apologies, I missed this email when it was sent. On 11/29/24 11:35 AM, Job Snijders via NANOG wrote: It does though. The constraining-rpki-trust-anchors mechanism effectively prohibits RIRs from issuing ROAs (with any Origin AS, including AS 0), if the ROA at hand violates the locally configure

Re: The Cost of Paid Peering with Chinese ISPs

2020-04-01 Thread Matt Corallo via NANOG
ote: > > On Wed, 01 Apr 2020 12:47:22 -0700, Matt Corallo said: > >> No one suggested it isn’t censorship, you’re baiting here. Not deploying >> enough international capacity is absolutely a form of censorship deployed to >> great avail - if international sites load

Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Matt Corallo via NANOG
I don’t really get the point of bothering, then. AWS takes about ~forever to respond to SES phishing reports, let alone hosting abuse, and other, cheaper, hosts/mailers (OVH etc come up all the time) don’t bother at all. Unless you want to automate “1 report = drop customer”, you’re saying that

Re: "Is BGP safe yet?" test

2020-04-21 Thread Matt Corallo via NANOG
That’s an interesting idea. I’m not sure that LACNIC would want to issue a ROA for RIPE IP space after RIPE issues an AS0 ROA, though. And you’d at least need some kind of time delay to give other RIRs and operators a chance to discuss the matter before allowing RIPE to issue the AS0 ROA, eg i

Re: "Is BGP safe yet?" test

2020-04-21 Thread Matt Corallo via NANOG
Right until RIPE finishes deploying AS0 ROAs for bogons, which I recall is moving forward :p. > On Apr 21, 2020, at 03:01, Mark Tinka wrote: > > > >> On 21/Apr/20 08:51, Matt Corallo via NANOG wrote: >> >> Instead of RIRs coordinating address space use by keep

Re: "Is BGP safe yet?" test

2020-04-21 Thread Matt Corallo via NANOG
Not sure how this helps? If RIPE (or a government official/court) decides the sanctions against Iranian LIRs prevents them from issuing number resources to said LIRs, they would just remove the delegation. They’d probably then issue an AS0 ROA to replace out given the “AS0 ROA for bogons” policy

Re: "Is BGP safe yet?" test

2020-04-21 Thread Matt Corallo via NANOG
ote: > > > > >> On Tue, Apr 21, 2020 at 1:10 PM Matt Corallo via NANOG >> wrote: >> That’s an interesting idea. I’m not sure that LACNIC would want to issue a >> ROA for RIPE IP space after RIPE issues an AS0 ROA, though. And you’d at >> least need some kind o

Re: Abuse Desks

2020-04-28 Thread Matt Corallo via NANOG
Please don't use this kind of crap to send automated "we received 3 login attempts on our SSH box..wa" emails. This is why folks don't have abuse contacts that are responsive to real issues anymore. Matt On 4/28/20 11:57 AM, Mike Hammett wrote: > I noticed over the weekend that a Fail2B

Re: Abuse Desks

2020-04-28 Thread Matt Corallo via NANOG
Hollis wrote: >>> On Tue, 28 Apr 2020, Matt Corallo via NANOG wrote: >>> Please don't use this kind of crap to send automated "we received 3 login >>> attempts on our SSH box..wa" emails. >>> This is why folks don't have abuse contacts

Re: Abuse Desks

2020-04-28 Thread Matt Corallo via NANOG
> >> On Tue, Apr 28, 2020 at 11:02:04PM -0700, Matt Corallo wrote: >> DDoS, hijacker, botnet C&C, compromised hosts, >> sufficiently-hard-to-deal-with phishing, etc are all things that carry >> real risk to services that are otherwise well-maintained (primarily in >&

Re: Abuse Desks

2020-04-29 Thread Matt Corallo via NANOG
s nigh useless, especially given most of the real crap out there comes from hosting providers like the above who don't have the bandwidth to respond. Matt On 4/29/20 7:55 AM, Rich Kulawiec wrote: > On Tue, Apr 28, 2020 at 12:40:12PM -0400, Matt Corallo via NANOG wrote: >> Please d

Re: Abuse Desks

2020-04-29 Thread Matt Corallo via NANOG
I think we all agree with this. The real question is...how do we build such a thing? The abuse process we have clearly doesn't work. Maybe it's the fault of the Big Providers (AWS/GCP/OVH/etc) who don't invest enough to have a robust abuse-processing system to actually deal with reports, maybe it

Re: Abuse Desks

2020-04-29 Thread Matt Corallo via NANOG
t. > You're just contributing to the noise. > > On Tue, Apr 28, 2020 at 9:40 AM Matt Corallo via NANOG > wrote: >> Please don't use this kind of crap to send automated "we received 3 login >> attempts on our SSH box..wa" emails. >> This

Re: Abuse Desks

2020-04-29 Thread Matt Corallo via NANOG
I don't think anyone in this thread meant to suggest that there is no reason to be concerned about such scans, as you point out they are occasionally compromised hosts and the like. The real question here is what is the cost of sending all that mail? The abuse system as it exists today is largel

Re: Abuse Desks

2020-04-29 Thread Matt Corallo via NANOG
4/29/20 7:00 PM, William Herrin wrote: > On Wed, Apr 29, 2020 at 3:36 PM Matt Corallo wrote: >> I do, in this case, have such a right, because I know exactly what is going >> on in my network, > > Hi Matt, > > If someone in your address space is knock-knocking on a stranger&#

Re: Abuse Desks

2020-04-29 Thread Matt Corallo via NANOG
act that those solutions often don't involve their abuse system should tell us something. Matt On 4/29/20 3:44 AM, Dan Hollis wrote: > On Tue, 28 Apr 2020, Matt Corallo wrote: >> Sadly dumb kids are plentiful. If you have to nag an abuse desk every time >> they sell a server