X's favor. and 25 years on, we are not changing
people's perceptions. it's only been a quarter of a century; have some
patience.
randy
iij joined in '97. and helped others who asked. but i'm from the rainy
pacific northwest (of the states). we don't try to push water uphill.
randy
elping others deploy as
opposed to screaming at them that they must do it asap, we might get
that first derivative up a wee bit. but i fear that, at this point,
patience is what is most useful.
randy
> it’s unclear if there’s been any systematic look-back or institutional
> learning coming out of the entire experience.
i am always impressed by optimism in the face of cold reality
> From the latest update it sounds like rolling power outages in Dallas as
> most places in Texas
https://www.texastribune.org/2011/02/08/texplainer-why-does-texas-have-its-own-power-grid/
actually, the 129/8 incident was as damaging as 7007, but folk tend not
to remember it; maybe because it was a bit embarrassing
and the baltimore tunnel is a gift that gave a few times
and the quake/mudslides off taiwan
the tohoku quake was also fun, in some sense of the word
but the list of re
> actually, the 129/8 incident
a friend pointed out that it was the 128/9 incident
> but folk tend not to remember it
qed, eh? :)
when employer had shipped 2xJ to london, had the circuits up, ...
the local office sat on their hands. for weeks. i finally was
pissed enough to throw my toolbag over my shoulder, get on a
plane, and fly over. i walked into the fancy office and said
"hi, i am randy, vp eng, here to hel
t model straight.
randy
ically not to be considered an identity service. this
permeated the design; e.g., organization names were specifically
forbidden in certificate CN, Subject Alternative Name, etc.
aside: of course a few rirs thought that *their* names should be in
their certs as exceptions. i remember the laughter.
the colo folks perhaps?) may already have incentives
> in places to use their RPKI goop for this function.
this would work only if the LOA is being sent to someone with whom my
contract is signed with a key validating through the same hierarchy, or
the credential was associated contractually. i do not think equinix
is up to this yet.
randy
o use rpki data to attest to ip
address ownership. the problem there is that the draft is a cool proof
of concept, but is not operationally easy to use.
randy
---
ra...@psg.com
`gpg --locate-external-keys --auto-key-locate wkd ra...@psg.com`
signatures are back, thanks to dmarc header mangling
> Really, does anyone here think that it is good form to send email with
> font size *SMALL*?
rofl!
randy
> you can sign over something which ways "the person identified by the
> following public key is to be permitted to ..."
you mean the fraudulent attacker who owned that INR seems to have signed
this request for a €1.000.000,49 wire transfer to their iban. a person
is not identified by that signatu
in that identity space.
but think about the dance that prudent folk do to accept pgp keys, and
pgp has fingerprints to make it a bit easier to do oob verification.
but that verification uses an external identity provider, e.g. passport
or whatever makes you comfortable. now infer what we would need
ation, and they had wiped out the entire
array. at that point they called me; so i missed the really creative
part.
[0] https://www.ibm.com/ibm/history/exhibits/storage/storage_2314.html
randy
the night again.
randy
the conjecturbation is only surpassed by the vitriol
> No, French Superheroes flew in from Le Café du Peintre near the
> Bastille in under 30 nanoseconds. However, it was still futile.
jingoism does not deter fires
e never have to stand in front of that
camera to explain a similar incident
a few things stood out: where backups are located, the ability to build
a lot of new servers and the supporting infra, ... but in a week or two
i hope he can tell us results of more analysis.
randy
> It surprises that important sites don't do mirroring.
depends on what you mean by 'mirroring.' think latency.
randy
ait for it to hit the spinning oxide
1,000km away. as i said, depends on what you mean by 'mirroring.' i
would not recommend raid, drbd, ... maybe periodic rsync, or an app
level sync designed for latency.
randy
> https://www.itc.sa/en/
mehmet, you actually answered rod's question. that is not allowed on
the nanog list. you need to start a 20 message thread excoriating him
for asking for actual operational help finding a circuit in a difficult
place.
what is this world coming to? sheesh
i do not find the volume or diversity on the nanog list problematic.
in fact, i suspect its diversity and openness are major factors in
it being the de facto global anything-ops list. perhaps we do not
need to fix that.
randy
> Agreed. Don't fix what isn't broken.
ryuu.rg.net:/Users/randy> whois oldnog.org
GeekTools Whois Proxy v5.0.6 Ready.
Checking access for 162.195.241.81... ok.
Checking server [whois.publicinterestregistry.net]
Results:
NOT FOUND
>>> Last
> ...not to mention that all mature networks are moving more towards GUI
> front ends for their automated network. As the complexity of a network
> increases, CLI access becomes considerably more risky.
>
> The idea that "real engineers use the CLI" is dinosaur thinking that will
> eventually lan
> I think you will find that most SMTP / anti-spam focused RBL tools
> give a very similar result for IP reputation on a per /24 block basis
got cites? this got me curious the other day.
randy
in 2010, the internet society made some videos on possible internet
futures ten years out, i.e. nowish. nothing spot on, but themes
can be seen for sure.
https://www.youtube.com/watch?v=PB4zfGwctGc
randy
> tl;dr - If I only have a /24 PI - is there any way to use this and not
> “chop it up / deagg” to use for ptp/loopbacks ?
i take real addresses out of the /24 for p2p
i take 1918 addresses for ibgp loopbacks
randy
; computer is also compromised isn't overly unrealistic.
by the same attacker? raises the bar a bit. it's just a second factor,
not a guarantee.
i am a fan of the google token and don't like having to carry a
different hw token for everyone who wants to hw 2fa me.
but i think $ub
The DACs with the metal release are definitely considerably more robust. They
are, however, sometimes more difficult to unlatch to remove, particularly in
scenarios with tightly-spaced ports.
thanks,
-Randy
- On Apr 23, 2021, at 12:45 PM, George Metz george.m...@gmail.com wrote:
>
d you refresh my memory, e.g. with the document, please? thanks.
randy
--
[0] which they are still trying to figure out how to use; bit isn't half
the internet in a similar pinch. :)
[1] since the dod probably did not get the space from arin, 'return' is
probably not a
anyone seeing roas in 11/8? i am not.
randy
pe community.
---
From: Randy Bush
Subject: Re: [anti-abuse-wg] AS8003 and U.S. Department of Defense routing
To: Brian Nisbet
Cc: Anti Abuse WG
Date: Tue, 27 Apr 2021 08:22:16 -0700
interesting wg to do routing security analysis.
as i really do not know the dod's or their proxy'
insight`
though i have been asking for years
:)
randy
all sorts of wild things can happen.
but there is no need for arin to formally test that last as each of
the RIRs has unintentionally done so at least once; sometimes for over
a day.
randy
confident that in the global context, not just within an isp,
there is negligible, well acceptable, oscillation?
randy
f the above
i am sure there are more things to do; and hope that wiser folk will
expand, comment, and correct.
randy
>> i am sure there are more things to do; and hope that wiser folk will
>> expand, comment, and correct.
>
> Stay far away from AS0...
one of 42 ways, invented by clever people, to shoot yourself in the foot
randy
> Finding vulnerabilities and how to exploit them to run malware
> in closed source code is nigh on impossible.
which explains why it never happens
randy
> I just noticed (although it appears to have come in version 13.0) that
> FreeBSD's "ping" app now defaults to IPv6, i.e., no need for ping6:
pola breakage. especially fun if you have tools which run on both sides
of the koolaid.
randy
> Well, for SLAAC you need a /64
this is not true
randy
On Mon, 19 Jul 2021 09:27:13 -0700,
Nathan Angelacos wrote:
>
> On Mon, 2021-07-19 at 08:51 -0700, Randy Bush wrote:
> > > Well, for SLAAC you need a /64
> >
> > this is not true
> >
> > randy
>
>
> That is cool! Can you point me to the
evpn, srv6, blah blah blah, we don't really see so much exciting at
layer two switching.
randy
> Very often the corrective and preventive actions appear to be
> different versions and wordings of 'dont make mistakes', in this case:
>
> - Reviewing and improving input safety checks for mapping components
> - Validate and strengthen the safety checks for the configuration
> deployment zoning
we, verio, did anycast tcp streaming (hour long) of the tony awards in
about '96. solid.
randy
https://www.businessinsider.com/russia-cuts-self-off-from-global-internet-tests-defenses-rbc-2021-7
says "Russia disconnected itself from the rest of the internet, a test
of its new defense from cyber warfare, report says"
did this show up in bgp? e.g. rv/ris?
randy
> Looks like it did show on news only.
:)
i wondered
w how to run your network better than you do.
perhaps if we figured out how to stop DoSsing abuse systems, they would
evolve back to being easier to use. though it is hard to wind back
defenses. so it goes.
randy
es not work
for me | must be used immediately if not sooner | ...} is that it
provides such a rich field for posting to nanog etc. and folk think of
new brilliant discussion points every day.
randy
> He'd be 78 today.
yes, being a year senior, he used to give me a hard time about his being
older and wiser. i think it was just his way of pulling rank :)
> Still miss him, he was a great mentor and human being.
indeed.
still at usc; cool! patience and perseverance.
randy
have you looked at the validation log report at the warning and error
levels? not pretty. not a very pleasing picture of the state of the
RPKI repos out there.
randy
```
4, 147.28.4.0/24, 147.28.5.0/24, 147.28.6.0/24, 147.28.7.0/24,
147.28.2.0/24, 147.28.3.0/24, 147.28.0.0/23, 45.132.188.0/24, 45.132.189.0/24,
45.132.190.0/24, 45.132.191.0/24})
```
i do not see how to get around this. clue bat please
randy
```
IPv4 Prefix|
| |
+---+
| |
| Autonomous System Number |
| |
`---'
```
randy
router and it reset bgp sessions. i
gather from heas that things are better these years.
i guess i really should have a go at doing it for arcos, but ...
> It's all open source, available at
> https://github.com/wolcomm/eos-prefix-list-agent
very cool.
randy
> Currently RPKI can only validate origin, not paths.
not exactly. you are speaking of route origin validation
RPKI
The RPKI is an X.509 based hierarchy [RFC 6481] which is congruent
with the internet IP address allocation administration, the IANA,
RIRs, ISPs, ... It is just a da
i can learn your bank
balance?
< / >
peeringdb has a mission, public exchange point documentation. please
don't get creepy.
randy
https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru
used to get dissidents, activists, and journos killed
at&t, comcast, ... zayo, please tell us you do not do this.
randy
lotta words. i put my money where my mouth was days ago. you should
too.
randy
FIBER
Module-Capability F_10G
Length 255
Length-Description
which i am swapping out for the delta 9020
so i am looking at something such as https://www.fs.com/products/30900.html
except i do not understand active/passive, AOC1M, etc
thanks in advance
randy
Old module says "10G_BASE_SX" so that is multimode fiber, which complicates
things a bit.
You can see about getting a single-mode handoff instead, or you may need the
QSFP-SFP+ adapter (or intermediary switch).
thanks,
-Randy
- On Jan 8, 2020, at 2:26 PM, Ben Cannon b...@6by7
/www.fs.com/products/72582.html
looks to be the simplest solution.
thank you all!
randy
> However, if you just need to use 10g of the 40g port, you can do it
> much cheaper and easier with just this part:
>
> https://www.fs.com/products/72582.html
we will test to be sure this appears as one port of a breakout
randy
>>> good golly, so glad everyone's enterprise is a hard candy version of same.
>>> no need for these remote workers, or discontiguous offices, or
>>> 'internet centric workforces'.
>>
>> VPN.
>
> I love it when my home network gets full access to the corporate network!
make things simpler and L2
> I recently figured it out and posted it on the NLNetLabs RPKI mailing list.
> https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html
nice. thank you.
randy
Feb 7 05:30:12 rpd[1752]: Prefix Send failed ! 103.148.40.0/24
bgp_rt_trace_too_big_message:1209 path attribute too big. Cannot build update.
anyone else seen this one? another kiddie?
randy
140076 140076 140076 140076 140076 140076
> ...
and so on
as140076 is Mir Internet Service in Dhaka
mikrotik prepend gl!tch?
randy
> I feel like I saw this once with large communities, but memory is a
> bit fuzzy.
yes, with this large an ops community, the clue distribution will likely
be long tailed :)
am i correct that the only option to drop a ubiquiti infinity into an
IS-IS LAN and have RPKI-based ROV too is FRR? if so, would someone
who has been to the movie care to share some clue off-list? thanks.
randy
> We use plenty of multi-mode, but only in the data centre, between our
> own kit, for racks within the same cage.
so you have to stock both single and multi? hmmm
randy
act...@nanog.org seems to no longer exist. how should i be whining
about the following?
From: Electric Forest Festival
Subject: Forest HQ Has Received Your Message: Re: Hi-Rise Building Fiber
Suggestions
To: ra...@psg.com
Date: Wed, 26 Feb 2020 16:15:25 +
Electric Forest 2020 will take p
ces whose sole purpose is to interconnect the two boxes,
and the optics are coded for different vendors. unbelievable.
randy
since we're at this layer, should i worry about going 3m with dacs at
low speed, i.e. 10g? may need to do runs to neighbor rack.
randy
this with some of the ISPs I work with. It was no
additional cost since the physical connections are already in place and
actually was highly recommended when first turning up the IX circuits.
-Randy
>> What is an "ebony phone"? (Google results for that phrase are mostly porn.)
>
> https://www.ebay.com/itm/1950S-WESTERN-ELECTRIC-EBONY-BLACK-ROTARY-DIAL-DESK-TELEPHONE-/333465026527
at least the swedes knew basic arithmetic
https://www.ebay.com/itm/C-Late-40s-early-50s-Vintage-Swedish-Rotary-D
Prefix Send failed ! 103.199.169.0/24 bgp_rt_trace_too_big_message:1209
path attribute too big. Cannot build update.
lovely
randy
it has "Places Tracking the Data" but needs "Places Tracking You"
considering the javascript i had to enable in the scratch vm i spun up
to read it, i suspect this would be on that list.
randy
ee gets too big, think about what happens when the
> multicast covers 3,000 people in 117 ASN's, with people from multiple
> ASN's joining and leaving every few seconds.
add to that it is the TV model in a VOD world. works for sports, maybe,
not for netflix
randy
> He's a network operator. From North America, on the North American Network
> Operators mailing list. Something you are not, so please stop spouting your
> drivel on a list that has nothing to do with you.
this is not how we should act under pressure
lost key engineers last year because they would not let them work
remotely. now the entire company is working remotely, and successfully.
randy
some of us still do uucp, over tcp and over pots. archaic, but still
the right tool for some tasks.
randy
ok, if IS-IS is kinda working on FRR, at least enough to get loopbacks
and external interfaces around a pop, i gotta ask.
anyone running a ubiquiti edgerouter infinity with frr, is-is, and four
or so full bgp feeds?
randy
0.0.0.0/0;
> }
> }
> then {
> count filter-incoming-anti-spoofing-counter;
> syslog;
> discard;
> }
> }
i think i will add those last prefixes to my filters. will shut some of
the mailing list noise down. :)
randy
> Just encode the router loopback IPv4 address in the system identifier bytes
> and call it a day.
i think asp wrote this up back in the early '90s. anyone have a cite?
randy
.
e.g. a nice query to ris or rv given the prefix, 103.148.41.0/24, and
the uct time, Apr 12 17:57:42.
randy
address 127.0.0.1/32;
address 192.168.254.10/32 {
primary;
}
}
family iso {
address 47.0001.1921.6825.4010.00;
}
}
}
some glorp omitted to protect the innocent
randy
> I’m using CAIDA’s bgpreader and this one looks like it might be an
> example of what you want.
>
> R|R|1586714402.00|routeviews|route-views.eqix|||2914|206.126.236.12|103.148.41.0/24|206.126.236.12|2914
> 58717 134371 134371 134371 134371 140076 140076 140076 140076 140076 140076
> 140076
origin AS to their malicious announcement.
randy
> there and RPKI creates a higher quality database for prefix origin
> information than what we have had.
essentially agree. my pedantic quibble is that i would like to
differentiate between the RPKI, which is a database, and ROV, which
uses it.
randy
ssed were indeed those which the sender/forwarder
at each hop intended.
currently, bgpsec still has no traction. there are other proposals in
the space, e.g. ASPA. but the point is that they USE the rpki, they are
not the rpki.
randy
> I think you just need to let scripts run in your browser for
> nanog.org.
sad. http://nanog.org used to be the brilliant example of a fully
featured web site sans javascript, flash, ...
randy
>> Another member of the illegal anonymous organization "The Spamhaus Project".
> wait, what?
be proud. i like spamhaus. solid, responsive, and responsible.
randy
> I tend to read email with EMACS/VM.
fwiw, i moved from VM to Wanderlust a dozen years ago; if i remember
aright, for better imap support. both have kill thread in current
messages. neither remembers the kill order for newly received msgs a
la nn et alia.
randy
well, but
commercial support lacking" market cornered.
thanks,
-Randy
- On May 18, 2020, at 5:43 PM, nanog wrote:
> Yep, run SwitchOS, prevents you from running things in software. 😊
> Dennis Burgess, Mikrotik Certified Trainer
> MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE, MTCSE, HE
< note that i am wearing arrcus hat >
> I'll be honest, none of our customers ever asked us to deploy RPKI and
> ROV. Will they benefit from it, sure? Is it about to become part of an
> RFP requirements document? Probably not.
we have rov in rfps received from paying customers
randy
chris at the ever fantastic six has done a stunning bit of work to let
six members see rpki/irr announcement issues
https://www.seattleix.net/rs-drops
randy
long at a swift pace.
thanks to a few vendor engineers who implemented as skunkworks,
to jay, you, and other large ops who have deployed, and to job
who has taken over waving the pom poms, i am rather optimistic.
randy
hink you are protected when you
are not.
my inner naggumite is starting to wonder if fail soft was a mistake.
randy
tic BGP routing information.
do you have measurement of that? i would be *really* interested.
randy