>> Do you remember the old BSD paradigm? ... "less is more"
> s/bsd/mies/ credit where due.
recant. it was well before mies. i was just raised by an architect,
and had uni roomies who were in the architecture school mies founded.
so my own narrow vision. sorry.
randy
computer
which took a large room when i was but a youth? and we have barely
avoided writing stacks in cobol; but we're close, assembler++.
randy
> MPLS was since day one proposed as enabler for services originally
> L3VPNs and RSVP-TE.
MPLS day one was mike o'dell wanting to move his city/city traffic
matrix from ATM to tag switching and open cascade's hold on tags.
randy
ime it takes to run valgrind a few dozen
times.
we're extracting ore with hammers and chisels, and then hammering it
into shiny objects rather than safe and securable network design and
construction tools.
apologies. i hope you did not read this far.
randy
>> The requirement from the E2E principle is that routers should be
>> dumb and hosts should be clever or the entire system does not
>> scale reliably.
>
> And yet in the PTT world, it was the other way around. Clever switching
> and dumb telephone boxes.
how did that work out for the ptts? :)
> Perhaps BGP Alerter is a solution for you:
> https://github.com/nttgin/BGPalerter
yes! very happy user here. i run it into the slack api.
randy
> If you don't use some kind of device to connect to Netflix, if you
> have a reasonably modern TV that supports a native Netflix app as
> well as IPv6, you'd be good to go.
think of the burden on the netflix customer support of HE's IPv6
tunnels.
randy
al. It also has a very stupid list price.
thanks,
-Randy
- On Jul 16, 2020, at 3:53 PM, Luke Guillory lguill...@reservetele.com
wrote:
> Yup, the same terrible ones that came with the QFX's and ACX's.
>
>
>
>
> -Original Message-
> From: NANOG On B
that you can actually
use their product. how can we resist?
randy
. They even have gotten an
RADB entry in place for it.
Does anyone have some tips on how to deal with this? I have a feeling that
dealing directly with the offending entity will not be very fruitful.
thanks,
-Randy
> I’m leaning toward DS-lite and NAT444
a great path. fork lift all cpe and cgn in the core. the vendors'
dream
randy
> OK Randy. How about a suggestion that is useful.
>>> I’m leaning toward DS-lite and NAT444
>> a great path. fork lift all cpe and cgn in the core. the vendors'
>> dream
$subject. map-e. ... the list is long. ds-lite is close to the bottom
of it, except if
i backup using arq on macos catalina. on two macs, i need maybe 3-4tb
max. google seems to be $100/mo for 20tb (big jump from $100/yr for
2tb). backblaze b2 looks more like $20/mo for 4tb ($0.005/gb/mo).
anyone else done a similar analysis?
randy
well, i was once given a tee shirt which said
"i may have helped build the information
superhighway, but i can not drive a car" :)
after work, a time which rarely occurs, we're all
end users. and if you're not concerned about
backup, ...
randy
> Just out of curiosity, do you folks encrypt the data prior to upload
> to the cloud
uh, ja
://www.apnic.net/community/security/resource-certification/
requires javascript!
not to mention the ARIN stupidity
as if we needed another exercise in bureaucrats making operations
painful. most operations of any size have internal departments
perfectly capable of doing that.
randy
> i kinda hacked with emacs and get
>
> rsync://rpki.ripe.net/ta/ripe-ncc-ta.cerpublic.key.info
>
>
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0URYSGqUz2myBsOzeW1jQ6NsxNvlLMyhWknvnl8NiBCs/T/S2XuNKQNZ+wBZxIgPPV2pFBFeQAvoH/WK83HwA26V2siwm/MY2nKZ+Olw+wlpzlZ1p3Ipj2eNcKrmit8BwBC8xImzuCGaV0
up of ripe.net, tls secured lookup, find a TAL
as defined in the RFCs, and fetch it via tls.
randy
i ignore the bumph,
i can connect to their web site dnssec, tls, ... and get a viable TAL
which meets RFC specs. that seems to me more than one can say for some
other RIRs.
randy
ng' it. and then
you will pay annual fees to some RIR.
randy
> https://tal.rpki.ripe.net/ripe-ncc.tal (preferred)
looks great visually. stuffed in a dragon validator, just for qa.
thanks!
randy
> We've also simplified our webpage:
> https://afrinic.net/rpki/tal
>
> And the URL to the TAL:
> https://rpki.afrinic.net/tal/afrinic.tal
thanks! wfm
randy
> To John and the others that have responded thanks for all the
> explanations. It makes things a lot clearer now.
ripe/ncc and isoc/manrs have some gl!tzich webinarz etc on all this
randy
s held at u oregon, on the side of the eugene
nanog in either 1999 or 2000. a few large isps, bbn folk, ... this was
where ops met crypto theorists and started s-bgp's evolution into the
separate threads of rpki, rov, and bgpsec.
randy
the RFO is making the rounds
http://seele.lamehost.it/~marco/blind/Network_Event_Formal_RFO_Multiple_Markets_19543671_19544042_30_August.pdf
it kinda explains the flowspec issue but completely ignores the stuck
routes, which imiho was the more damaging problem.
randy
creative engineers can conjecturbate for days on how some turtle in the
pond might write code what did not withdraw for a month, or other
delightful reasons CL might have had this really really bad behavior.
the point is that the actual symptoms and cause really really should be
in the RFO
randy
> we don't form disaster response plans by saying "well, we could think
> about what *could* happen for days, but we'll just wait for something
> to occur".
from an old talk of mine, if it was part of the “plan” it’s an “event,”
if it is not then it’s a “disaster.”
would folk familiar with the north american RIR and IRR registries be
kind enough to suggest how this might adapt? thanks.
A new version of I-D, draft-ymbk-opsawg-finding-geofeeds-02.txt
has been successfully submitted by Randy Bush and posted to the
IETF repository.
Name: draft-ymbk
y; geofeed file format was assumed.
i hope you noted that the rpki-based signing is entirely optional. i
certainly do not sign my geofeed files, and am not aware of any other
deployment of this tech which does.
randy
t exactly inetnum (e.g. comments instead of remarks
> field, different prefix format). Would the RIR provide converted
> inetnum objects or the users would be expected to handle this?
i currently fear a custom stub to do just this for consumers of north
american data.
randy
nada.
my personal guess is that radb might choose to adapt, similarly to
irrd's thoughts. but arin? ha ha.
so my guess is an open source simple shim to adapt the noam
snowflakiness. i.e. be able to consume arin nethandle and radb
comments.
but i am hoping that others might have brighter ideas.
randy
ed by a URL which will vary.
> ---> probably add clarification here that Geofeed MUST be the only
> value in this particular remarks field, nothing before/after it
between the MUST and the example, i do not see the wiggle room you
fear.
randy
i get 50 times as many emails bitching about cogent spam as i get cogent
spam. and my spam filter is trained to take care of the latter.
randy
uot;remarks".
comments appreciated
randy
servers give you the nearest enclosing object.
e.g., if i query for the ip address of psg.com, 147.28.0.62, i get the
encompassing inetnum: object.
ryuu.rg.net:/Users/randy> whois -h whois.ripe.net 147.28.0.62
inetnum:147.28.0.0 - 147.28.31.255
netname:RGNET-RSCH-14
quot; files, the data of record, are pretty incompatible, and we
could not add data to them anyway.
reverse dns delegations might be interesting except for the showstopper
issues i recently posted in another message.
that leaves whois and the rpsl-like data. unless i am missing
something.
< imagine snark here >
randy
> Would your arin approach of netrange work in all regions?
no. to the best of my knowledge, other regional registries and
independent irr registries use rpsl; i.e. inetnum: and remarks:.
randy
ect.
ryuu.rg.net:/Users/randy> whois -h whois.arin.net 192.169.0.0
NetRange: 192.169.0.0 - 192.169.1.255
CIDR: 192.169.0.0/23
NetName:PSG169
NetHandle: NET-192-169-0-0-1
Parent: NET192 (NET-192-0-0-0-0)
NetType:Direct Assi
> I'm still learning, but, It does seem interesting that the IP layer
> (v6) can now support vpn's without mpls.
as the packet payload is nekkid cleartext, where is the P in vpn?
> GRE, VXLAN or any other tunneling encap of the day.
> As long as next-hop could be resolved behind remote end
i was not aware that GRE, VXLAN (without CN103618596A), and other tunnel
encaps encrypted the payload. learn something new every day. thanks!
>>> I'm still learning, but, It does seem
perchance is RDAP implemented by all RIRs?
randy
> You might be on to something, but I'm unsure... are you suggesting that it's
> any less private over SRv6 than it was over MPLS ?
neither srv6, srmpls, mpls, gre, ... provide privacy. they all
transport the payload in nekkid cleartext.
Dance like no one's watching. Encrypt like everyone is.
o implementations, as
is the wont of the idr wg.
randy
> Privacy != encryption.
cleartext == privacy * 0
cleartext * complexity == privacy * 0
randy
this document,
> unless they have coin bearing customers who wish to see this feature
> implemented"
if i had meant to say that, i probably would have. no one on this
thread has called it anything other than a draft, so i am quite unsure
what your point is; and i will not put words in your mouth.
sadly, these years, vendors do not seem to care a lot about drafts,
rfcs, ... anything which sells.
randy
ve their own private address
> space and routing tables.
i think we wrote the paper on that :)
http://www.ieee-infocom.org/2003/papers/36_02.PDF
randy
$ubject changed as it is now where to put the pointer
[ we have email suggesting putting the geoloc pointer in dns, routing
databases, ... no one has suggested bgp yet, but i assume it is
coming ]
> I assume that someone (entity) publishes a geo-feed
> I assume that location of this feed (a
> a) Check if there is anything hindering the evolution of this draft to
> an RFC.
was i unclear?
>>>>> the draft passed wglc in 1948. it is awaiting two
>>>>> implementations, as is the wont of the idr wg.
randy
> Information can be in plaintext and private
Three can keep a secret, if two of them are dead. -- franklin
i know you truly believe the tunnel k00laid. the security
community does not.
randy
> One thing that is true: not all present or historical definitions
> (or acceptable uses) of the word "private" strictly imply or infer
> privacy.
newspeak -- 1984
> I already taught my SpamAssassin and then deleted them
:0
* ^From:.*@csvwebsupport.com
| /usr/bin/mail -s 'Screw You' dating.supp...@csvwebsupport.com < ~/screw-you.txt
james,
> I'm not sure what you're saying here, I never said MPLS VPNs are
> secure, only private. I hope others recognise that they are
> different concepts.
yes, privacy is one aspect of security. and, as mpls vns are not
private sans encryption, they are not secure.
randy
have folk looked at https://github.com/nttgin/BGPalerter
randy
> Does anyone have a quick answer as to what public data sources are
> used? I tried looking at the main github page for the project but I
> either missed it or it isn't there.
>
>> have folk looked at https://github.com/nttgin/BGPalerter
ripe/ncc bgp stream
so support IPv6.
ok, i gotta ask. has someone tested to see if they all produce the same
result given the same input? i do not mean to imply they do not. i
just have to wonder.
randy
81e3ad419
> job@bench $ aggregate-prefixes < dfz_ipv6 | md5
> 1193796d41cc47f32230da281e3ad419
great. thanks. glad to see folk thinking this way.
randy
> Is it fair to say that an NGFW *must* decrypt SSL traffic in order to
> fully categorize for IPS/IDS prevention?
well, not really. aside from damage, it will not 'protect' you against
more modern transports, such as quic, which were designed to keep the
net open.
randy
we all, in true nanog tradition, sure do talk a lot. but, to repeat,
i put my money where my mouth is. you should too.
https://www.tespok.co.ke/?page_id=14001
randy
again, do not be distracted by the rather obvious DoS on this list. our
administrative infra is being attacked. defend it by putting your money
where your mouth is.
https://www.tespok.co.ke/?page_id=14001
i did and will again.
randy
this amazing thread is so new, fresh, and enlightening. why has no one
brought these facts and ideas up before? just wow!
randy
to control inbound traffic, how do bgp optimizers decide how to tune
what they announce? sflow? exploration? ouija board?
randy
they are bad people. neither is the
case. it is what they see as their best business interest.
being from the pacific northwest, i have learned not to try to push
water uphill. so, until we can tilt the hill, it's probably best for
one's health if one gets over it.
randy
> Edicts never work. More carrot, less stick.
but the ipv6 stick has worked so well over the last 25 years
> I doubt many vendors were chomping at the bit to support CGNAT
definitely. they hate to sell big expensive boxes.
randy
not go away.
and dual stack does not scale, as it requires v4 space proportional to
deployed v6 space.
we are left to make the mess work for the users, while being excoriated
for not doing it quickly or well enough, and for trying to make ends
meet financially.
randy, trying to deal with the mess sin
> it's easy to be critical of design decisions with 25y of hindsight
there was a good number of senior implementors and ops who screamed
loudly at the time. to no avail.
randy
and 8+8, variable length, ... just didn't happen, eh?
the nice thing about revisionist history is that anybody can play.
randy
> I wasn't there at actual meetings at the time
but your opinion was?
> but I find the notion that operators were ignored pretty preposterous
> too
so did we, the ops who were there at the time
randy
> Just because I didn't attend IETF meetings doesn't mean that I didn't
> read drafts, etc. Lurkers are a thing and lurkers are allowed opinions
> too.
i missed the rfc where the chair of the v6 wg said the ops did not
understand the h ratio because we did not understand logarithms.
randy
more gl!tches, than ipv6.
and have you seen what's going on in the 6man wg?!?!
randy
Considering that the typical $5 pieces of bent metal list for ~$500 from most
vendors, can you imagine the price of fancy tool-less rack kits?
Brand new switch: $2,000
Rack kit: $2,000
-Randy
there being an equivalent official part.
The application is an ISP upgrading from Nx10G, where one of their fiber paths
is ~35km and the other is ~60km.
thanks,
-Randy
Looking at EDFA options... they are all ~1500nm as far as I can tell. Is there
a specific model you are talking about?
thanks,
-Randy
- On Sep 27, 2021, at 10:25 AM, Dan Murphy wrote:
>> Are you saying we could use normal QSFP28 LR4 or ER4 modules with an
>> amplifier
&g
tworks;
Karl Olson, Jack Wampler, Fan Shen, and Nolen Scaife
https://link.springer.com/content/pdf/10.1007%2F978-3-030-72582-2_22.pdf
the ietf did not give guidance to cpe vendors to protect toys inside
your LAN
randy
i cited
> I also thought 'homenet' (https://datatracker.ietf.org/wg/homenet) was
> supposed to have provided the guidance you seek here?
got a cite for the guidance?
randy
do folk use uRPF strict mode? i always worried about the multi-homed
customer sending packets out the other way which loop back to me; see
RFC 8704 §2.2
do vendors implement the complexity of 8704; and, if so, do operators
use it?
clue bat please
randy
> https://datatracker.ietf.org/doc/html/rfc6092
good stuff. thanks.
ems to be the modern conservative style for some years.
i sometimes wonder if it is worth the config pain.
randy
space doing?
[ and let's not descend into the rat-hole of dissing the IRR. i have
heard of this RPKI thing and might try it some day. ]
randy
---
ra...@psg.com
`gpg --locate-external-keys --auto-key-locate wkd ra...@psg.com`
signatures are back, thanks to dmarc header butchery
ing for the SIX to filter, though they do filtering.
my issue is
3130 --- SIX --- martha --- RIS
artemis runs off a RIS feed
martha is telling RIS MARTHA_3130 and artemis is saying that martha
is trying to hijack 3130's prefix.
i was hoping that, if 3130 said it is peering with martha, artemis would
get a clue and stfu
randy
hi ben,
a SIX peer's customer could be the feed to RIS
randy
>> a SIX peer's customer could be the feed to RIS
> Sure, but how do you describe the policy between your peer and their
> customer in your aut-num?! That's not a thing.
yup
these rat holes are a pita
randy
> Can someone explain to me, preferably in baby words, why so many providers
> view information like https://as37100.net/?bgp as secret/proprietary?
it shows we're important
ged, thanks sean; though to make the point that it was not
at all authenticated.
it has proved useful, though far from a panacea. but i fear that
scaling issues, lack of authentication, etc. discouraged work and
it is slowly fading.
randy
abha died 20 years ago today
my old DRL RP instances produce MRTG graphs etc of the CA
fetching side, though nothing on the rpki-rtr side.
randy
---
https://seclists.org/nanog/2021/Jun/259 and ggm's excellent
decoding thereof,
https://blog.apnic.net/2021/07/15/some-handy-roa-advice-from-randy-bush/
received this vuln notice four days before these children intend to
disclose. so you can guess how inclined to embargo.
randy
From: Koen van Hove
Subject: CVD: Vulnerabilities in RPKI Validators
To: ra...@psg.com, s...@hactrn.net
Cc: c...@ncsc.nl
Date: Wed, 27 Oct 2021 14:59:21 -0700
Dear
i would not be surprised if email to my previous addresses
...!uunet!m2xenix!randy
...!uunet!oresoft!randy
bounced, making it difficult for these kiddies to reach me.
https://en.wikipedia.org/wiki/Responsible_disclosure
randy
tric grid or other scada network? the
internet's openness and kindness has led them to think we can be abused
willy nilly.
we will remember their names.
randy
this specific thing I command because I
> control the assets"
this seems to be a reasonable use of rta and/or rsc.
randy, author of draft-ietf-sidrops-rpki-has-no-identity
as a measurement kinda person, i wonder if anyone has looked at how much
progress has been made on getting hard coded dependencies on D, E, 127,
... out of the firmware in all networked devices.
randy
these measurements would be great if there could be a full research-
style paper, with methodology artifacts, and reproducible results.
otherwise it disappears in the gossip stream of mailing lists.
randy
> You could transfer the resources to RIPE... :-)
been there. done that. 2016.
"A Happy Story of Inter-RIR Transfer of Legacy Blocks from ARIN to RIPE"
https://archive.psg.com/160524.ripe-transfer.pdf
randy
that definitively
> defines the fee structure for services provided for Ripe members ?
pretty simple, https://www.ripe.net/participate/member-support/payment
randy
> I can't imagine, as a percentage, a significant amount of voting ARIN
> members give a crap about what happens with legacy resources.
there are more legacy non-members than total members. wonder why?
randy
resource holders, members and
non-members; where members == signed a *RSA? thanks.
randy
vernance if they wish.
is arin going to a flat rate scheme from scaled while ripe is
contemplating going from flat to scaled? i would be the proverbial fly
on the wall if/when you and hans petter exchange lessons learned.
randy
may merge to form larger islands.
randy
without enabling
srv6 everywhere, only at the marking encaps or embed) points. nice for
partial and/or incremental deployment.
randy, with no dog in this fight
ecided to ping that site to
test liveness/access
but, heck, we don't publish a list of pingables. so we're gonna get
random behavior. and some days all the air molecules go to one corner
of the room.
randy