quantity, you get a low end american supermarket, a jillion false
choices of poor food.
randy
> When a cache loses connectivity, the entries from that cache
> are purged after a time interval. Default is 60 seconds
why not the poll interval for that cache server?
randy
tcpdump is your friend
ight better
be set to cache refresh interval than 60 secs.
randy
ge L2 networks. SMITH: Doctor, it hurts when I do this. DALE: Don't
do that.
> sFlow statistics isn't a luxury function. Neither is remote peering.
by 'remote peering' do you mean an exchange essentially selling transit?
randy
iagram at bottom of
https://www.seattleix.net/topology. this makes sense to me. extensions
to distant cities make less sense to me; but i am an old fogey.
randy
been unable
to refresh from that cache for a configurable timer value. The
default for that value is twice the polling period for that cache.
randy
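As an added illustration (not code from this thread or from any router vendor) of the timer being argued about above: a sketch of how an RTR client (RFC 6810) keeps a cache's VRPs after that cache stops answering, purging them only once the cache has gone longer than an expiry interval without a successful refresh, defaulting to twice that cache's polling period. The cache names, intervals, prefixes and ASNs are constructed for the example.

```python
# Added example, not from the thread: router-side RTR cache bookkeeping.
# Cache names, intervals, prefixes and ASNs are constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

VRP = Tuple[str, int, int]  # (prefix, max_length, origin_asn)


@dataclass
class Cache:
    name: str
    poll_interval: int                     # seconds between refresh attempts
    expire_interval: Optional[int] = None  # seconds after the last good refresh before its VRPs go
    vrps: FrozenSet[VRP] = frozenset()
    last_refresh: int = 0                  # timestamp of the last successful refresh
    reachable: bool = True

    def __post_init__(self) -> None:
        if self.expire_interval is None:
            # the default discussed in the thread: twice this cache's polling period
            self.expire_interval = 2 * self.poll_interval


class RtrClient:
    """Router-side view of one or more RPKI caches."""

    def __init__(self, caches: List[Cache]) -> None:
        self.caches = list(caches)

    def poll(self, now: int) -> None:
        """Refresh every reachable cache whose poll interval has elapsed.
        An unreachable cache keeps its old timestamp, so its data ages out rather than vanishing."""
        for c in self.caches:
            if c.reachable and now - c.last_refresh >= c.poll_interval:
                c.last_refresh = now

    def live_vrps(self, now: int) -> FrozenSet[VRP]:
        """Union of VRPs from every cache that refreshed within its expiry interval."""
        live = set()
        for c in self.caches:
            if now - c.last_refresh < c.expire_interval:
                live |= c.vrps
        return frozenset(live)

    def purged(self, now: int) -> List[str]:
        """Caches whose VRPs have been dropped because they went silent too long."""
        return [c.name for c in self.caches if now - c.last_refresh >= c.expire_interval]


def simulate_outage():
    """Constructed scenario: cache A stops answering at t=0 while B keeps working.
    Returns, per timestamp, how many VRPs the router still holds and which caches were purged."""
    a = Cache("A", poll_interval=60, vrps=frozenset({("192.0.2.0/24", 24, 64500)}))
    b = Cache("B", poll_interval=60, vrps=frozenset({("198.51.100.0/24", 24, 64501)}))
    client = RtrClient([a, b])
    a.reachable = False
    timeline = {}
    for now in (60, 119, 120, 180):
        client.poll(now)
        timeline[now] = (len(client.live_vrps(now)), client.purged(now))
    return timeline
```

The point of the 2x default is that a single missed poll (a reboot, a brief link flap) does not turn every route that cache covered into NotFound and back again; only a cache that misses two consecutive polls has its data withdrawn.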
are transported long distance".
>
> I believe this is still the case at a lot of ISPs. Not all, hopefully not
> even most, but I'm sure there are some.
you underestimate the extent of the dogged determination of circuitzilla
to hang on to the fiber with her/his fingernails.
randy
> In single cache scenarios, waiting for some time after the cache has
> disappeared is akin to standard BGP session keepalive protocols.
> However, several vendors have implemented protocol enhancements to
> immediately drop BGP sessions that have failed, rather than wait for the
> Hold timer to e
.
as the OP made pretty clear, it's not a matter of an abuse contact.
it is the service not acting as a law enforcement agency and asking
for a court order. most large service providers operate in that way.
randy
> They just lost all respect from here. Would someone from USA please
> report these guys to the feds? What they are doing is outright
> criminal.
hyperbole. it is not criminal. you just don't happen to like it.
>> Actually, as someone pointed out, it might well be conspiracy - which
>> is criminal.
> looking forward to the court case, if it's really important it'll
> happen shortly, right?
we don't need no flippin' court. we can lynch 'em right here.
>> They don't discriminate, anyone can be a customer
>> https://www.youtube.com/watch?v=T4GfoSZ_sDc
>
> Holy crap that girl was painful to listen to!
missed the girl. all i saw was prince and a fox 'news' woman. it was
pretty much like reading nanog.
randy
> great quote from the reporter "why do you need a court order to do the
> right thing?"
because i am not judge and jury. we leave that to network technicians.
randy
> This is silly. Anyone is of course allowed to deny service to parties
> involved in obvious criminal activity.
so block cloudflare from your network and go back to work already.
randy
t working out for you?
all that is happening is the subject that won't die is being a dos on
this list (yes, including this response)
randy
e that much difference whether it's a
YFRV or a SuperMicro. but i sure wish bird and quagga had solid is-is,
supported communities, ...
randy
hi. i would really appreciate a conversation with a routing geek in
12369. research measurements have raised some questions, and we would
love an inside clue. thanks.
randy
> hi. i would really appreciate a conversation with a routing geek in
> 12369. research measurements have raised some questions, and we would
> love an inside clue. thanks.
make that 12389, Rostelecom
randy
> They are moving offices.
> https://www.arin.net/announcements/2016/20160804.html
"All other customer support business systems (website, email, ARIN
Online, RESTful Provisioning, Whois, RDAP, IRR, RPKI repository, etc.)
will remain operational during the move."
oning, Whois, RDAP, IRR, RPKI repository, etc.)
> will remain operational during the move."
the op was reporting a problem with email-based irr updates
randy
my poor memory says that, some years back, someone announced or
mentioned an open tool which i, a small isp, could feed my netflow data
and bgp and ask if i should peer with X or build out or ...
anyone with a more precise memory than i?
randy
ices across continent/country?
i.e. are there inter-provider mpls vpn issues?
randy
anyone know if comcast residential filters 139/445?
randy
sigh. well that was some fun hours debugging; not.
thanks
randy
> The agency with actual authority in these matters (NTIA)
inappropriate use of present tense
with caution. if this space is strange to you, recommendations
of using a broker or lawyer who has trod the path are apt.
randy
october, the month of deep sadness, jon, abha, itojun, ...
anyone who relies on a single dns provider is just asking for stuff such
as this.
randy
> amen.
>> anyone who relies on a single dns provider is just asking for stuff
>> such as this.
part of the problem is that we think of it as attack surface when, in
fact, it usually has more than two dimensions.
randy
ome up with more clever schemes.
randy
> What does BCP38 have to do with this?
nothing technical, as these iot attacks are not spoofed.
think of it as a religion.
>>> What does BCP38 have to do with this?
>> nothing technical, as these iot attacks are not spoofed.
>> think of it as a religion.
> I'm going to save this e-mail forever!
no extra charge
we deploy it more than most. we talk about it less than most. and
every time something untoward happens on
> No. Anycast addresses are real IP addresses.
true.
> There isn't a "real" address to attack.
usually false. dns clusters have management interfaces. i suspect the
congestion pattern attacking them would be different than that of attack
on the anycast; but that i
> 0 - to get an idea of the vast scale of cgn deployment see philipp's
> preso of our imc paper from ripe 75
let's try again. how about ripe 73. specifically,
https://ripe73.ripe.net/archives/video/1244/
randy
actually, the one technical hack i liked the most so far was the
suggestion to put throttling into openwrt/lede, as they are used
for the base in much cpe.
randy
> read the IDR thread(1), the vendors in question actually self reported.
> I don't think 'shame' here is quite appropriate, but certainly owen's note
> about: "Hey, pls don't do this again" with the added: ""this is not a good
> path to continue" were noted by several folks on the IDR list.
lucki
the users' dilemma: do you buy a mac today, or wait six month hoping
they will fix X (for your particular X)?
the sysadmins' dilemma: do you install today's critical update or wait a
day until the next one is out before you reboot 50 servers?
On Thu, 03 Nov 2016 12:03:32 +0900, Royce Williams wrote:
> On Wed, Nov 2, 2016 at 6:47 PM, William Herrin wrote:
>> On Wed, Nov 2, 2016 at 10:39 PM, Randy Bush wrote:
>>> the sysadmins' dilemma: do you install today's critical update or
>>> wait a day until
>> https://blog.pinboard.in/2016/10/benjamin_button_reviews_the_new_macbook_pro/
>
> I'm going to wait for this one before buying. Looks like a much better
> option than what's on the table right now.
i loved that one!
while i did whine about patching, looking at logs makes me glad i do.
the time from patch to active attack is decreasing alarmingly.
randy
vi users prefer ospf
emacs users prefer is-is
randy
>> vi users prefer ospf
>> emacs users prefer is-is
> So that leaves EIGRP for the nano users?
teco
> Running multi-level IS-IS means you need to plan your L1/L2
> intersections
as painful as ospf
in a research rack with more than one router, i run is-is.
randy
i am running my own (why rent at silly costs) dpc3008 and wfm.
randy
> I just want to come back on behalf of Cisco on this. We just
> investigated this issue and the issue is not an ASIC bug, but a flag
> set wrong by SW.
damn! you just took all the fun out of lynching ieee. sheesh!
randy
this is called path poisoning. an italian friend used it in his phd
thesis. a few friends and i used it to detect use of default across
the internet.
but 42 people will scream "that's my AS!" of course, as it is your
prefix, that is ASinine :)
randy
e.
apologies. i should have been more explicit. both of the examples
were using path poisoning for routing research. it is not a technique
i would recommend in normal operations.
randy
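An added example (not from this thread or from either piece of research it mentions) of the mechanism behind path poisoning: the origin puts the target's ASN into its own AS_PATH, so the target's ordinary RFC 4271 loop detection discards the route while everyone else carries it on, and origin validation still sees the real origin at the rightmost position. The ASNs and the little topology are constructed.

```python
# Added example, not from the thread: AS_PATH poisoning and loop detection.
# ASNs are from the private range (RFC 6996) and the topology is constructed.
from typing import Dict, List, Sequence, Set, Tuple

ASPath = List[int]  # leftmost = most recent hop, rightmost = origin


def build_poisoned_path(origin: int, poisoned: Sequence[int]) -> ASPath:
    """Origin announces [origin, X, ..., origin]: X sees its own ASN in the path, nobody else does."""
    return [origin, *poisoned, origin]


def accepts(my_asn: int, as_path: ASPath) -> bool:
    """RFC 4271 section 9.1.2 loop detection: a route whose AS_PATH contains our ASN is discarded."""
    return my_asn not in as_path


def propagate(my_asn: int, as_path: ASPath) -> ASPath:
    """What a neighbour that accepted the route sends onward: it prepends its own ASN."""
    return [my_asn, *as_path]


def origin_as(as_path: ASPath) -> int:
    """Origin validation (RFC 6811) looks only at the rightmost AS, which poisoning leaves intact."""
    return as_path[-1]


def flood(origin: int, as_path: ASPath, adjacency: Dict[int, List[int]]) -> Set[int]:
    """Push the announcement across an AS graph; return the set of ASes that installed it.
    Every hop applies loop detection and then prepends itself before passing it on."""
    have = {origin}
    queue: List[Tuple[int, ASPath]] = [(origin, as_path)]
    while queue:
        sender, path = queue.pop(0)
        for nbr in adjacency.get(sender, ()):
            if nbr in have or not accepts(nbr, path):
                continue
            have.add(nbr)
            queue.append((nbr, propagate(nbr, path)))
    return have


# Constructed square topology: 64500 reaches 64520 via either 64510 or 64530.
ADJ = {
    64500: [64510, 64530],
    64510: [64500, 64520],
    64530: [64500, 64520],
    64520: [64510, 64530],
}


def who_has_route(poison: Sequence[int] = ()) -> Set[int]:
    """With no poison every AS learns the prefix; poisoning 64510 removes it and anything only it feeds."""
    return flood(64500, build_poisoned_path(64500, poison) if poison else [64500], ADJ)
```

Seen from the research side, the ASes that still reach you after you poison their upstream are the ones sending you traffic on a default route, which is what the measurement above was after. Seen from the operations side, many networks' prefix and AS-path filters (and some vendors' first-AS checks) will simply drop a path that looks like this, which is one reason it is not a production technique.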
>> "If it's a politically-generated thing I'll have to deal with at an
>> operational level, it's on topic."
> Hmm.. works for me.
and do not omit the amplification attack of endless rinse repeat of
self-righteous pontification of what people should and should not post
randy
viates the vendor
> "ownership" issue though...
i think this is where i say that i hope my competitors do this. it
is a recipe for a complex set of delicate dependencies and great fun
debugging.
randy
> I apparently wasn't very clear. In the layered approach to multiple
> vendors, you would (obviously) choose your layer definitions to avoid
> such delicate interdependence.
can you describe in useful detail your operational experience doing
this?
randy
other topology, including those
with rrs, is automation.
> As for 7206VXR with NPE-G1 or G2 cards, we have many sitting in a
> decommissioned state on shelves
i suspect there is a reason.
randy
[ where does one discuss IRR issues these days? ]
ryuu.psg.com:/Users/randy> whois -h whois.radb.net 98.128.244.0/24
route: 98.128.244.0/24
descr: RGNET-98-244
origin: AS3130
notify: r...@rg.net
mnt-by: MAINT-RGNET
changed:ra...@psg.com 20090411
source: RGNET
merit and i are in contact.
randy
do we have a central, updatable, registry of IRR instances and their
mirrorable URLs?
randy
> Merit maintains an updated list on the web.
> http://irr.net/docs/list.html
and thank you for helping me update RGNET's entry
randy
> On Tue, Feb 07, 2017 at 06:56:40AM -0500, William Herrin wrote:
>> Immaterial. The point is to catch vulnerable devices before they're
>> hacked.
you have a 30 second window there, maybe five minutes if you are lucky.
northerners who have never traveled pontificating about africa might, or
might not, be interested in
https://afrinic.net/blog/333-revealing-latency-clusters-in-africa
randy
> Ethiopia is significantly different and unique, in its own unusual
> way, because of the government monopoly telecom.
sadly, these are far from unique; not only in africa, but asia,
oceania, even alyc, ...
randy
once upon a time, when one received what had yet to be called spam, or
logs showed an attack, one wrote to the owner of the source ip to tell
them their system had been hacked. dunno about everyone else, but i
stopped doing that sometime in the '80s.
randy
> If you start with Excel, down Will It Scale Road, you will be sorry,
> so very sorry. Especially when it comes to v6.
emacs!
>>> Once upon a time, Randy Bush said:
>>>>> If you start with Excel, down Will It Scale Road, you will be sorry,
>>>>> so very sorry. Especially when it comes to v6.
>>>>
>>>> emacs!
>>>
>>> vim!
>>>
>>
>> ed!
>
> TECO!
cat
emacs!
>>> vim!
>> ed!
> TECO!
cat
>>> IBM 029.
>> Youngster. IBM 026.
> Infants! Hollerith (IBM Type 1). I still own it.
but i actually do use emacs
>> Does anyone have a contact and TMobiles Telco fraud department?
> ab...@t-mobile.com
rofl!
.
anyone been to this movie and care to divulge the plot?
thanks
randy
by virtue of the
> fact that you're using static IP addresses, because they're a headache
> for cable operators.
aha! makes sense.
i'll settle for dynamic. if i need static internally, i can always do
nat66 :)/2
i do not want to play how hard can we make ipv6 deployment; just want to
enable it on a five-segment office lan.
but i am beginning to see that there may be a reason i am having
problems getting past an account rep.
randy
job security for a thousand engineers who maximize
complexity.
randy
players
of note. i was mostly happy with a netgear into which i blew openwrt,
but the netgear was mediocre hardware.
randy
> People - please just stop the off topic chatter. It is ludicrous that a
> thread about bgp hijacks morphed into font discussions.
>
> Either contribute to the operational issue at hand by evaluating your terms
> & conditions (or abuse policies) and applying them to your operations, or
> remain s
> The IP NOC is unable to locate anyone because it’s Sunday
you can't be talking about ntt noc. ntt noc is aggressively responsive.
randy
n because it is usefully
implemented by many vendors.
randy
>> It's curious phenomena where we are very willing to ignore all the
>> data points that disagree with us, and accept the one data point that
>> agrees with us, even when admitted to be fabrication.
> Some people just always prefer to do the opposite of everyone else,
> and/or the obvious. I have
[y]our bgp sessions.
randy
.
thanks john for the one (so far) answer to my question instead of
telling me how to run my routers
what i see also looks like config as opposed to attack
---
follow-on question:
anyone using the timed key-chain stuff?
randy
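An added example (not from this thread, and not any vendor's keychain code) of what the timed key-chain question is about: overlapping accept and send lifetimes, the rollover pattern RFC 4808 describes for TCP-MD5 (RFC 2385). Because an RFC 2385 segment carries no key identifier, the receiver must try every key whose accept-lifetime is current, and the old key is kept acceptable for a while after it stops being sent so a peer that lags on the roll does not drop the session. The MAC here is HMAC-SHA256 over a constructed segment, standing in for the real RFC 2385 MD5 construction; the dates, key ids and secrets are made up, and the "highest key-id sends" tie-break is an assumption.

```python
# Added example, not from the thread: a timed keychain with overlapping lifetimes.
# Dates, key ids, secrets and the segment are constructed; the MAC is a stand-in.
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set


@dataclass(frozen=True)
class Key:
    key_id: int
    secret: bytes
    accept_start: datetime
    accept_end: datetime
    send_start: datetime
    send_end: datetime


def accept_keys(chain: List[Key], now: datetime) -> Set[int]:
    """Every key whose accept-lifetime covers `now` may authenticate incoming segments."""
    return {k.key_id for k in chain if k.accept_start <= now < k.accept_end}


def send_key(chain: List[Key], now: datetime) -> Optional[Key]:
    """Exactly one key signs outgoing segments: the highest key-id whose send-lifetime covers `now`
    (assumption: that is the tie-break most router keychain implementations use)."""
    active = [k for k in chain if k.send_start <= now < k.send_end]
    return max(active, key=lambda k: k.key_id) if active else None


def mac(secret: bytes, segment: bytes) -> bytes:
    # stand-in for the RFC 2385 keyed-MD5 over pseudo-header, TCP header and data
    return hmac.new(secret, segment, hashlib.sha256).digest()


def sign(chain: List[Key], now: datetime, segment: bytes) -> bytes:
    k = send_key(chain, now)
    if k is None:
        raise RuntimeError("no key in its send-lifetime; the session would go unauthenticated")
    return mac(k.secret, segment)


def verify(chain: List[Key], now: datetime, segment: bytes, tag: bytes) -> bool:
    """TCP-MD5 carries no key id, so try each accepted key with a constant-time compare."""
    accepted = accept_keys(chain, now)
    return any(hmac.compare_digest(mac(k.secret, segment), tag)
               for k in chain if k.key_id in accepted)


T0 = datetime(2017, 1, 1)
D = timedelta(days=1)
CHAIN = [
    # old key: sent for two days, still accepted for a third so a lagging peer keeps the session
    Key(1, b"old-shared-secret", T0, T0 + 3 * D, T0, T0 + 2 * D),
    # new key: accepted a day before it is sent, so a peer that rolls early is also fine
    Key(2, b"new-shared-secret", T0 + 1 * D, T0 + 10 * D, T0 + 2 * D, T0 + 10 * D),
]


def rollover_timeline(chain: List[Key] = CHAIN):
    """Which key sends, and which keys are accepted, at a few points through the roll."""
    return {
        day: (send_key(chain, T0 + day * D).key_id, sorted(accept_keys(chain, T0 + day * D)))
        for day in (0.5, 1.5, 2.5, 3.5)
    }


def verify_signed_at(day_signed: float, day_verified: float,
                     segment: bytes = b"constructed BGP KEEPALIVE") -> bool:
    """Does a segment signed on `day_signed` still verify on `day_verified`?"""
    tag = sign(CHAIN, T0 + day_signed * D, segment)
    return verify(CHAIN, T0 + day_verified * D, segment, tag)
```

The thing to check before relying on this on real gear is whether both ends agree on time (a keychain is only as good as the clocks it is compared against) and whether the platform really tries all accepted keys on receive rather than only the current send key.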
l-if-compromise. (and no, i do not want automated compromise
heuristics, a recipe for death).
>
> we need something that’s stable enough to last 5-7 years, which is
> very different from a HTTP transaction that may live only a few
> seconds.
something such as, or close to, rfc 4808?
randy
tigated by LPTS and not require the mpp/control plane filters to be
> involved.
>
> Basically, once you roll md5 you may be at risk for having rolled it
> to need a way to undo and that pathway may not be easy, with or
> without automation.
one or both of us needs to reread 4808
randy
moved on
to more lucrative endeavors.
randy
se.
i am focused on bgp, not the daily craptastic packet fling.
randy
the domains on which they rely.
randy
> Affected networks might soon (by the end of the year) lose the
> ability to talk to Cloudflare networks since they plan to deploy ROV.
and then they will clean up their messes
until then you can generate a lot of email if it amuses you
randy
.
what i would love to see/know is how apple tries to vet the macs made in
shenzhen.
randy
> To me this looks like a Chinese version of the NSA FIREWALK product.
so the good thing about the trade war with china is that it keeps
implant designers fully employed on both sides. they can't just buy
each other's implants; the tariffs would be too high.
randy
> Classified networks do not connect to other networks unless
> they are equally or higher classified.
that sentence makes no sense. if A can connect to B because B is more
highly classified than A, then B is connecting to a less classified
network A.
randy
> So I tend not to be in a big rush to look at those alerts, actually I
> think I turned them off which in that case was an option.
i turned them off long ago.
i did get a presidential alert in november '16. turned out to be a very
serious disaster.
randy
> You just need to fire any contractor that allows a server with
> sensitive data out to an unknown address on the Internet. Security
> 101.
'cept the goal is not unemployed contractors
do folk have experience with platforms where ifIndexes are not stable
across reboots etc? how do you deal with it? do some of those
platforms trap on change?
randy, who hates ifIndex changes
these hacks could have been done from any pwned core router. this is
just a desire to get footprint in prc.
randy
> I heard that OSPF is only famous in asia region...
> So that, please could you explain me
>
> 1. what is your backbone's IGP protocol?
emacs
ginations and route leaks every day. oh, wait.
randy
>>> They forgot to mention that it's technically possible to filter
>>> advertisements from their customer. Which apparently they were/are
>>> not really doing.
>>
>> luckily, CT is the only isp not doing good filtering, or we would be
>> having mis-originations and route leaks every day. oh, wait
be again.
and those mean, nasty, godless, commie, ... chinese have no worse
hygiene than 94.3% of the internet. non-chinese just love to get
hysterical and accusatory when some prc isp does what almost everyone
else is doing multiple times a day.
and focusing on china telecom is a red herring, because damned near
everyone leaks. and it is the everyone who has to change. doughnut,
hole.
randy
here is 'behind' 6453 en route 198.180.152.15, can you send
a trace, please?
thanks.
randy
thanks all. now i have too much data and not enough insight
randy
do you have rfd on? with what parms?
randy
> We plan to resume the experiments January 16th (next Wednesday), and
> have updated the experiment schedule [A] accordingly. As always, we
> welcome your feedback.
i did not realize that frr updates propagated so quickly. very cool.
randy
RR is undergoing a fairly rapid pace of development
that is impressive but irrelevant. the question is how soon the frr
users out on the internet will upgrade. there are a lot of studies on
this. it sure isn't on the order of a week.
randy
> It's because you see problems it causes, and do not see problems it
> solves ;)
>
>> Thanks for the update that dnssec STILL causes more real world problems
>> than it solves.
hmmm. has anyone set about to measure that?
randy
> Isn't the underlying assumption with non-plaintext that: "I know what
> will work better for you than you do"
as i said in the '90s, mime, a syntax for encoding incompatibility.
> (comic-sans, colors, contrasting...)
hey! if it will do magenta comic sans, i may have to recant! :)
randy
> Running a few exchange points in Africa since 2002, the news was that
> the exchange point LAN should not be visible anywhere on the Internet.
> It would be interesting to know that this wasn't the case in other parts
> of the world.
slide 8 of http://archive.psg.com/970210.nanog.pdf
> Do you use AS0 as origin on the RPKI objects for said exchange point
> LAN(s) to prevent route propagation?
but as0 does not exactly do that as it can be overridden by a different
roa for the same prefix. as0 is pretty useless.
randy
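An added example (not from this thread or from any validator) of the point about AS0: route origin validation per RFC 6811 over a small ROA set, showing that an AS0 ROA (RFC 6483) only makes a prefix Invalid while it is the sole covering ROA, and that a second ROA for the same prefix with a real origin makes that origin Valid again. The prefixes are documentation space and the ASNs private; everything is constructed.

```python
# Added example, not from the thread: RFC 6811 route origin validation and the AS0 case.
# Prefixes are documentation space, ASNs are private; all constructed.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ROA:
    prefix: str
    max_length: int
    asn: int  # 0 = "no AS may originate this" (RFC 6483 section 4)


def covers(roa: ROA, announced: str) -> bool:
    """A ROA covers an announcement when the announced prefix lies within the ROA prefix."""
    roa_net = ipaddress.ip_network(roa.prefix)
    ann_net = ipaddress.ip_network(announced)
    return roa_net.version == ann_net.version and ann_net.subnet_of(roa_net)


def rov(announced: str, origin_as: int, roas: List[ROA]) -> str:
    """Return NotFound, Valid or Invalid for (prefix, origin AS) per RFC 6811 section 2."""
    covering = [r for r in roas if covers(r, announced)]
    if not covering:
        return "NotFound"
    ann_len = ipaddress.ip_network(announced).prefixlen
    for r in covering:
        # an AS0 ROA can never match: no route is ever originated by AS 0,
        # so it only ever contributes "covered but not matched", i.e. Invalid
        if r.asn != 0 and r.asn == origin_as and ann_len <= r.max_length:
            return "Valid"
    return "Invalid"


def ixp_lan_demo() -> Dict[str, str]:
    """The case in the thread: an AS0 ROA for the exchange LAN, then a second ROA for the same prefix."""
    lan = "192.0.2.0/24"
    only_as0 = [ROA(lan, 24, 0)]
    with_override = only_as0 + [ROA(lan, 24, 64500)]
    return {
        "as0_only_any_origin": rov(lan, 64500, only_as0),
        "override_matching_origin": rov(lan, 64500, with_override),
        "override_other_origin": rov(lan, 64501, with_override),
        "override_longer_prefix": rov("192.0.2.0/25", 64500, with_override),
        "uncovered_prefix": rov("198.51.100.0/24", 64500, with_override),
    }
```

Which is the caveat from the reply above in code: whoever can get a ROA issued for that prefix (the holder of the covering resource certificate) can undo the AS0 ROA, so AS0 is a statement of intent by the address holder, not a lock that keeps a prefix off the table.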