>> slide 8 of http://archive.psg.com/970210.nanog.pdf
> In Randy's presentation
from the credit where due department: this was not my bright idea. the
presentation was from a get together of some large isp operators a few
weeks prior.
randy
there's an old saying, is-is is deployed in few networks, just some of
the world's largest ones. there might be a reason for that.
personally, i prefer emacs.
randy
> Next thing we know someone is going to start pumping up EIGRP.
>
>> there's an old saying, is-is is deployed in few networks, just some of
>> the world's largest ones. there might be a reason for that.
>>
>> personally, i prefer emacs.
idrp please
randy
encourage fixing of the hole.
given the number of bugs/vulns, are you comfortable that this is going
to scale well? and this is prudent when our primary responsibility is a
running internet?
just checkin'
randy
PS: if you think this, speak up so i can note to never hire or recommend
you.
ence in the latter.
while it is tragically true that someone will be willing to load mrs
schächter on the cattle car, it damned well ain't gonna be me.
randy
big vendors to give us a fix with
which to start the lab test cycle. bug reports to tac seem not to.
randy
> OK, Randy, you piqued my interest: what is a naggumite?
erik naggum, an early and strong proponent of being strict. you've been
around long enough you should remember erik.
> Many of us disagreed with Jon Postel from time to time, but he usually
> understood the alternative
.
and then there is ewd's famous quote about testing.
randy
> One more thing, RFC7999 has category Informational
and what exactly do you think that means. in ietf terms, it is a formal
spec which does not specify a protocol. it is still a formal spec.
randy
an update to skype will pop up and ask you
deny. you will have to deny repeatedly. there is no reason in the
world skype should have access to your icloud, contacts, ...
randy
> Y U USE SKYPE?
yep. some researchers are still stuck there for con calls. i hate it.
randy
>> yep. some researchers are still stuck there for con calls. i hate
>> it.
> welp, at least the nsa can keep track in real-time.
the nsa is not in the researchers' threat model. this is not that kind
of math.
randy
> Perhaps (issue created on 6 Dec 2017) relevant:
>
> https://answers.microsoft.com/en-us/skype/forum/skype_accountms-skype_privacyms/skype-suggests-people-from-my-contact-list-to/d8cc03ad-fa15-4de7-8d96-51510615cff4
perms for contact list is one thing. perms for icloud account is
another. this
ortunity
for advertisement.
randy
On Wed, 13 Feb 2019 15:06:17 -0800,
Hunter Fuller wrote:
> Was there meant to be a screenshot or some explanation of what would
> be denied here?
sorry
>> Was there meant to be a screenshot or some explanation of what would
>> be denied here?
>
> sorry
seems mailing list filters; so it was not my fault.
try https://archive.psg.com/skype.jpg
randy
> How does one distinguish "informational" and "action" of unknown
> communities?
the action ones are divisible by 3
you are in a twisty maze where there are no formally defined semantics,
only a #:# syntax. if there were general formal semantics, it could
have been put directly in bgp attrib
ute valid, and if not,
> will we recurse and look for another covering route that is valid?
daniele's pam paper and ripe preso laid it out pretty well
Daniele Iamartino, Cristel Pelsser, Randy Bush. "Measuring BGP Route
Origin Registration and Validation," PAM 2015.
h
> This is totally off-topic.
ya. none of us run oracle
e have
ourselves to blame; but blame does not move packets.
randy, who was in the danvers cabal for the /19 agreement
e from the loopback. and, for replies to get back to that
loopback, it needs to be in real global space.
randy
this pain-to-maintain list be distributed? how do i know
a copy is authentic, not an attack?
i am all for a single root of trust. it's just that i thought it was
the iana's job. but i am easily confused.
randy
i received an arin board electioneering "vote for me" today. i guess
now i have to go vote against them.
randy
25 years ago, jon postel died. we stand on the shoulders of jon and
others, a number of whom died in october. not a cheering month for
old timers.
randy
think of the folk making careers complicating dns, rpki, bgp, ...
randy
> For legacy resource holders it is a problem but then it’s a
> bureaucratic issue rather than technical and technology has a solution
> called SLURM.
has arin not made it easier, lowering the legal insanity, for legacy
holders to obtain services?
randy
>> has arin not made it easier, lowering the legal insanity, for legacy
>> holders to obtain services?
> Yes but they need to jump now if they want to take advantage of it, as
> I understand it.
arin has deep expertise in hurdles
randy
another tragic october death was that of abha ahuja, researcher,
operator, and amazing person, this day in 2001. worth a search.
jake's http://www.neebu.net/~khuon/abha/ is a start.
randy
> Believe it or not, Job, there are parts of the internet that exchange
> traffic and move packets that are not IXPs.
in fact, measurements had shown that the majority of inter-domain
traffic is over pnis
randy
another old dog doing a search wrote to tell me they really appreciated
that i still had some antique advice up. i had long forgotten this one.
but found it amusing and still more relevant than i might wish.
https://psg.com/emily.html
randy
> wish this was included with every subscription to internet services
>
you did not get it with your AOL CD? ask for a refund.
as a bonus, https://neal.fun/internet-artifacts/
randy
this day in 2007 dr jun-ichiro (itojun) hagino died. a gentle soul, an
engineer's engineer, the ipv6 samurai, iab member, and fiat 500 lover.
the v6 stack you're running could have descended from his netbsd one.
http://www.itojun.org/
randy
i have blocked a zone enumerator, though i guess they will be a
whack-a-mole
others have reported them as well
/home/randy> sudo tcpdump -pni vtnet0 -c 10 port 53 and net 193.235.141
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtnet0, link-type EN1
ya, right, and at a whole bunch of other cctld servers
from a network called domaincrawler-hosting
shall we smoke another?
/home/randy> sudo tcpdump -pni vtnet0 -c 500 port 53 and net 193.235.141
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vtn
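the tcpdump above only shows the filter being run; as an added example (not from the thread, and not what randy ran), here is the kind of logic one would put behind it to decide that a source is walking a zone rather than resolving names: many distinct qnames, almost all of them NS/NSEC-style queries, from one host or net. the log lines are constructed in tcpdump's dns summary format; the only detail taken from the thread is the 193.235.141.0/24 source net, the server address is rfc 5737 documentation space.

```python
"""Flag DNS sources that look like zone enumerators in tcpdump-style output.

Added example; the sample lines below are constructed, not captured.
"""
import ipaddress
import re
from collections import defaultdict

# tcpdump's default DNS query summary, e.g.
#   12:00:00.000001 IP 193.235.141.7.40001 > 192.0.2.53.53: 4701+ [1au] NS? zone01.example. (32)
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"(?P<id>\d+)\+?(?: \[[^\]]*\])? (?P<qtype>[A-Z0-9]+)\? (?P<qname>\S+) "
)

# query types a walker leans on; ordinary resolvers mostly ask A/AAAA/MX/TXT
WALK_TYPES = {"NS", "NSEC", "NSEC3", "ANY"}

# constructed sample: one host in the thread's net walking 12 names with NS
# queries, plus one ordinary client asking for a couple of records
SAMPLE_LINES = [
    f"12:00:00.{i:06d} IP 193.235.141.7.{40000 + i} > 192.0.2.53.53: "
    f"{4700 + i} NS? zone{i:02d}.example. (32)"
    for i in range(12)
] + [
    "12:00:05.000000 IP 203.0.113.5.53000 > 192.0.2.53.53: 1+ A? www.example. (30)",
    "12:00:06.000000 IP 203.0.113.5.53001 > 192.0.2.53.53: 2+ [1au] AAAA? www.example. (41)",
    "12:00:07.000000 IP 203.0.113.5.53002 > 192.0.2.53.53: 3+ MX? example. (26)",
]


def parse_queries(lines):
    """Yield (src_ip, qtype, qname) for each query line; ignore everything else."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["qtype"], m["qname"].lower()


def profile(lines):
    """Per-source counters: distinct names seen, walk-type queries, total queries."""
    prof = defaultdict(lambda: {"names": set(), "walk": 0, "total": 0})
    for src, qtype, qname in parse_queries(lines):
        p = prof[src]
        p["names"].add(qname)
        p["total"] += 1
        if qtype in WALK_TYPES:
            p["walk"] += 1
    return prof


def enumerators(lines, min_names=10, min_walk_ratio=0.5):
    """Return {src: (distinct_names, walk_ratio)} for sources that look like walkers.

    Both conditions must hold: a resolver asking NS for a handful of names is
    normal, and a client asking A for hundreds of names is just busy.
    """
    flagged = {}
    for src, p in profile(lines).items():
        ratio = p["walk"] / p["total"]
        if len(p["names"]) >= min_names and ratio >= min_walk_ratio:
            flagged[src] = (len(p["names"]), round(ratio, 2))
    return flagged


def block_rules(srcs, prefixlen=24):
    """Collapse flagged hosts to covering prefixes (the thread blocked a net,
    not a host) and return them as CIDR strings for whatever filter you use."""
    nets = {ipaddress.ip_network(f"{s}/{prefixlen}", strict=False) for s in srcs}
    return sorted(str(n) for n in nets)


if __name__ == "__main__":
    hits = enumerators(SAMPLE_LINES)
    for src, (names, ratio) in hits.items():
        print(f"{src}: {names} distinct names, {ratio:.0%} walk-type queries")
    print("block:", block_rules(hits))
```

feed it `tcpdump -l -pni vtnet0 port 53 | python3 walker.py` style input instead of the sample list and tune `min_names` to your zone size; on a cctld the interesting number is distinct names per source over a window, not packets per second.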
> I might be reading this wrong, but I don't think the point Randy was
> trying to make was 'NS queries are an attack', 'UDP packets are an
> attack' or 'IP packets are an attack' . I base this on the list of
> queries Randy decided to include as re
> We don't need to extend IPv4, we need to figure out why we are in this
> dual-stack mess, which was never intended, and how to get out of it.
it was intended. it was the original transition plan. like many things
about ipv6, it could have been a bit better thought out.
randy
been a bit better thought out.
>
> What was not intended though was the transition period to last for 30
> years and counting… If things go reasonably well we’re gonna be dual
> stack for another 20, at least.
like many things about ipv6, it could have been a bit better thought
out.
randy
tupidities (TLA, NLA, ...) pulled out of the spec. at iij, we
rolled ipv6 on the backbone in 1997.
randy
> I go into my cave to finish the todo list for the week, and I come out
> to see Mr. Chen :
> - Telling Randy Bush he should "read some history" on IPv6
> - Implying that Vint Cerf ever said anything about EzIP
>
> Fairly impressive sequence of self ownage.
but i
s the clue level is going down as well
as the temp.
randy
interesting side note:
when iij was deploying the v6 backbone in '97, commercial routers did
not support dual stack. so it was a parallel backbone built on netbsd
with the kame stack, which was developed in iij lab.
we remember itojun.
randy
ipv4 less palatable. In particular, any effect from a
> hard landing compared would have been ephemeral.
amen
randy
> Some of us still use pine…
i thought most pine users had moved to mutt
randy, who uses wanderlust under emacs :)
ed. i guess it has
been from the perspective of geologic time.
randy
> For taking care of referrals and delegations, ietf has started
> preliminary work. More info here -
>
> https://mailarchive.ietf.org/arch/msg/dd/srNtevzS-jrPzMxYv1nATCY5JkM/
dns is not complex enough that folk have assured careers. need to make
it more complex.
randy
john,
> Read the full text of the consultation at:
> https://www.arin.net/participate/community/acsp/consultations/2024/2024-1/
please explain the need for bureaucrazy to do what RPKI CAs have been
doing since dirt was invented.
randy
RR
> objects
whoops! i still code around another RIR doing that. vendors have a
long history of thinking they know best what operators should do. some
RIRs seem to have such hubris.
ok, i can see opening up discussion to reduce foot shooting risks.
sorry for skepticism.
randy
in space?”
> “How do I comment on an existing IETF document?”
>
perhaps the internet would benefit more from the inverse, a help desk at
the ietf for "what is internet operation and how does it actually work?"
randy
we definitely need more men's opinions on what women should want and do
randy
en.wikipedia.org/wiki/Ad_hominem
anne has been a constructive list participant for years
randy
> Amazon's spider got stuck there a month or two ago but fortunately I was
> able to find someone to pass the word and it stopped. Got any contacts
> at OpenAI?
why? you are doing a societal good by ensnaring them. dig a deeper
hole.
randy
> Wonderful news, this has now been fixed :)
> Thank you to Cogent for fixing this
indeed. otoh, i still can not resist https://www.kame.net/
randy
> (Low but distinct possibility of effects to radio and transmission
> systems)
no one will notice as we will all be outside looking at the aurora!
randy
> The minimum addressable on a LAN is a /64.
not really
randy
ttps://berthub.eu/articles/posts/cyber-security-pre-war-reality-check/
interesting
randy
> You could try publishing Geo loc data per RFC8805
> https://datatracker.ietf.org/doc/html/rfc8805
or, more specifically, 9092
randy
> There is always talk to the local politician route so it gets raised
> in the state legislature.
this is illinois/chicago. you slip them a $100 bill under your driver's
license
a bunch of us comcast soho folk, and monitoring gear, are seeing
v4 breakage in orygon and maybe washington but only for seattle
destinations. v6 works. johnb, is comcast going v6-only? :)
ryuu.rg.net:/Users/randy> ping r0.iad
PING r0.iad.rg.net (198.180.150.120): 56 data bytes
64 bytes f
kinda summary: comcast and cogent/sprint very helpful. likely
cause a misconfig in cogent norcal when trying to route around
a power outage in seattle.
fwiw, HE and IIJ IPv6 transit (tyvm) in seattle allowed us to keep
working through the outage.
randy
has charging for config changes a la
https://www.arelion.com/customer-excellence/customer-support/online-technical-change-pricing
become common while i was not looking? admittedly, i have not looked
for a long time.
randy
> https://datatracker.ietf.org/doc/html/rfc8805
https://datatracker.ietf.org/doc/html/rfc9092
will show you how to use 8805
randy
not to distract from everyone diagnosing someone else's problem, but ...
what foss dns monitoring tools do folk use to alert of
- imminent delegation expiry
- inconsistent service (lame, soa mismatches, ...)
- dnssec signing and timer issues
- etc.
randy
play
hak whacked me to add
http://dns.measurement-factory.com/tools/nagios-plugins/check_zone_rrsig_expiration.html
to my nagios deployment.
anyone have some known sick in various ways dns zones against which to
test?
randy
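as an added example (mine, not the measurement-factory plugin linked above and not something from the thread), here is the shape of two of the checks on randy's list written as nagios-style plugins: worst-case RRSIG expiry over a zone's signatures, and SOA serial agreement across its servers. it works on the presentation format `dig +dnssec` prints, so it can be tested against a "known sick" zone dump offline; the records below are constructed placeholders, not real zone data, and the serial table stands in for what a query loop over the NS set would return.

```python
"""Nagios-style checks for RRSIG expiry and SOA serial mismatch.

Added example. The RRSIG lines are constructed (signature field is a
placeholder); thresholds follow the usual warn/crit convention.
"""
from datetime import datetime, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # nagios plugin exit codes
TS = "%Y%m%d%H%M%S"  # RRSIG inception/expiration field format

# constructed dig output:
# owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig
SAMPLE_RRSIGS = """\
example.      3600 IN RRSIG SOA 13 1 3600 20240315000000 20240229000000 12345 example. c29tZXNpZw==
example.      3600 IN RRSIG NS  13 1 3600 20240301120000 20240215120000 12345 example. c29tZXNpZw==
www.example.   300 IN RRSIG A   13 2  300 20240320000000 20240305000000 12345 example. c29tZXNpZw==
"""


def _as_utc(t):
    """Accept a datetime or an RRSIG-style YYYYMMDDHHMMSS string; default now."""
    if t is None:
        return datetime.now(timezone.utc)
    if isinstance(t, str):
        return datetime.strptime(t, TS).replace(tzinfo=timezone.utc)
    return t


def parse_rrsig_expirations(text):
    """Return [(owner, covered_type, expiration)] for every RRSIG line in text."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 12 or f[3] != "RRSIG":
            continue  # not an RRSIG record; ignore comments, other RRs
        out.append((f[0], f[4], _as_utc(f[8])))
    return out


def check_rrsig_expiry(text, now=None, warn_days=7, crit_days=2):
    """Worst remaining lifetime across all RRSIGs -> (status, message).

    An already-expired signature is CRITICAL regardless of thresholds, since
    validating resolvers are returning SERVFAIL for that name right now.
    """
    sigs = parse_rrsig_expirations(text)
    if not sigs:
        return UNKNOWN, "no RRSIG records found"
    owner, covered, when = min(sigs, key=lambda s: s[2])
    days = (when - _as_utc(now)).total_seconds() / 86400
    msg = f"{owner} {covered} RRSIG expires {when:%Y-%m-%d %H:%M} UTC ({days:.1f} days)"
    if days < 0:
        return CRITICAL, "EXPIRED " + msg
    if days < crit_days:
        return CRITICAL, msg
    if days < warn_days:
        return WARNING, msg
    return OK, msg


def check_soa_serials(serials):
    """serials: {server: serial or None (no answer)} -> (status, message).

    A server that does not answer SOA for the zone is lame for it: CRITICAL.
    Servers that answer but disagree are usually a stalled transfer: WARNING.
    """
    dead = sorted(s for s, v in serials.items() if v is None)
    if dead:
        return CRITICAL, "no SOA from " + ", ".join(dead)
    distinct = set(serials.values())
    if len(distinct) > 1:
        detail = ", ".join(f"{s}={v}" for s, v in sorted(serials.items()))
        return WARNING, "SOA serial mismatch: " + detail
    return OK, f"all {len(serials)} servers at serial {distinct.pop()}"


if __name__ == "__main__":
    status, msg = check_rrsig_expiry(SAMPLE_RRSIGS, "20240228120000")
    print(["OK", "WARNING", "CRITICAL", "UNKNOWN"][status], msg)
    print(check_soa_serials({"a.ns.example.": 2024022801, "b.ns.example.": 2024022701}))
```

for the real thing, replace the sample text with `dig +dnssec +norec @server zone SOA` output per server and the serial dict with one SOA query per NS listed in the parent; the serial comparison deliberately does not do rfc 1982 arithmetic, because for this check "different" is all you need to know.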
are there any old keyservers still working? or only the new hipster
ones? i tried three and no love
hkps://pgp.mit.edu
hkps://pgp.uni-mainz.de
hkps://hkps.pool.sks-keyservers
randy
> I think the hipster thing to do now, though, is --auto-locate-key with
> the Web Key Distribution or the DNSSEC Key Distribution mechanism.
i have done wkd for a fair while. but some folk like to pull keyrings,
so i try to keep them updated.
randy
---
ra...@psg.com
`gpg --locate-ex
.gnupg/gpg.conf`. probably my fault.
randy
.pgpkeys.eu/sks-peers
yay! i chose randomly, and hkps://pgp.cyberbits.eu worked. thank you!
we have been very good at making pgp hard to use. we probably want to
not do that so much.
randy
> Git prefixes blobs with its own data. You're not going to break git with a
> SHA-1 binary collision.
http://www.metzdowd.com/pipermail/cryptography/2017-February/031623.html
> 1. Create a certificate C[ert] for a single domain you control with hash h(c).
> 2. Create a second certificate A[ttack] marked as a certificate
>authority such that h(C) = h(A).
> 3. Have a certificate authority sign cert C
> 4. Present the signature for A along with A for whatever nefarious
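the git point in the quoted text is worth seeing in bytes. as an added example (mine, not from the thread or from git), this computes the object id git assigns a blob, which is sha-1 over `"blob <length>\0"` plus the content rather than over the file alone. because sha-1 chains state block by block, a collision computed for the bare files does not carry over once that header is prepended; an attacker who wants colliding git objects has to compute the collision with the header in place. the sample contents are constructed; the two expected object ids are the well-known values git produces for the empty blob and for `hello world\n`.

```python
"""git blob object ids versus raw SHA-1 of the same bytes.

Added example, not git's own code. Only hashlib is used.
"""
import hashlib


def git_blob_oid(content: bytes) -> str:
    """Object id git stores a blob under: sha1("blob <len>\\0" + content)."""
    header = b"blob %d\x00" % len(content)
    return hashlib.sha1(header + content).hexdigest()


def raw_sha1(content: bytes) -> str:
    """What a file-level collision finder targets: sha1 over the bare content."""
    return hashlib.sha1(content).hexdigest()


def would_collide_in_git(a: bytes, b: bytes) -> bool:
    """True only if the git object ids match.

    Equal raw hashes are not sufficient: the header is hashed first, so the
    chaining value entering the first content block differs from the one the
    raw collision was built against (and differs again if the lengths differ).
    """
    return git_blob_oid(a) == git_blob_oid(b)


if __name__ == "__main__":
    for sample in (b"", b"hello world\n"):
        print(f"{sample!r}: git {git_blob_oid(sample)}  raw {raw_sha1(sample)}")
```

compare against `printf 'hello world\n' | git hash-object --stdin` on any box with git; the same header trick (`tree`, `commit`) applies to the other object types, which is why a forged blob also has to survive being referenced from a tree by its id.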
It would have been nice if Verizon had started issuing IPv6 while still
issuing IPv4 for an easy transition. The current situation is that you can't
get static IPv6 at all. I have been bugging them about this for many years.
thanks,
-Randy
- On Mar 8, 2017, at 12:16 PM, David Hu
the UDP
payload size was decreased, indicating that the server might be
attempting to send a payload that exceeds the path maximum
transmission unit (PMTU) size. (2001:500:12::d0d,
UDP_0_EDNS0_32768_4096)
randy
feed of mis-
originations at andree's http://bgpmon.net/. as the sea level rises,
maybe we'll do more about this problem.
randy
back, our research group actually used large clusters to
emulate large deployments with multi-level caching and found it quite
efficient. see
Olaf Maennel, Iain Phillips, Debbie Perouli, Randy Bush, Rob Austein,
and Askar Jaboldinov, "Towards a Framework for Evaluating BGP
Security,
so, it would be helpful if some core networks would either report the
details of an outage every week or so, or create a nice variety of
planned outages and describe the details.
randy
ch, turn off unnecessary services/options, rinse
repeat. and try to promote prudent use among friends, family, and
workplace.
randy
fyi, current opinion in the security community seems to be that win10 is
better secured than linuxes, bsds, ... see http://cyber-itl.org/; still
pretty sparse, but getting fleshed out.
randy
which does not
return s because the v6 connectivity over ntt bflets transport sucks
caterpillar snot.
it's a whacky world. as geoff said long ago, if there ever is real
money counting on v6 transport, these messes will straighten out.
randy
> Putting aside the question of their importance, there is a small number
> of ISPs that do not pay for transit. If you don't call them Tier 1, what
> do you call them? Transit Free Providers (TFPs)?
LFB, late for breakfast
> A report that all Cogent traffic got re-routed into Moscow. Looks
> innocent but happened right after UA blocked RU websites (e.g.,
> VKontakte, Yandex, etc)
a peering war between the martians and the venusians?
e one day.
to me, this was the dream of optical switching and gmpls (which is not
mpls)
randy
merely encapsulated
> inside a tunnel?
read "which is not mpls" a few more times. then maybe read a bit on
gmpls and optical switching. you may find
https://en.wikipedia.org/wiki/Generalized_Multi-Protocol_Label_Switching
a reasonable place to start.
randy
-suppose that an appropriate physical
> path that has sufficient available bandwidth/slots is already present?
not *a* physical path, but a swath of paths from which sufficient
capacity can be configured. sadly, gmpls over optical has not yet
defied the laws of physics.
randy
randy
attitudes left the building long ago. nanog has
become a trade show, for which this is normal behavior. i expect mail
"stop by our booth at nanog 42," and so forth.
randy
> Fun fact about letsencrypt certs, they expire after a month or so.
90 days
> How else would one maintain government control over free encryption
> certificates?
black helicopters
heir upstreams all
prefer customers, so they keep adding prepends in some vain hope.
randy
> I wouldn't use link-local in context of Inter-Domain Routing.
indeed
randy
> if you don't need SLAAC, do whatever makes sense for you. And never be
> greedy: give your end-users a /48
i say give them a /129 just to piss off a certain bigot :)
> Only if you sign the RSA and give up certain legal rights to your legacy
> blocks/property.
the word 'certain' is not apt given that the LRSA Ts&Cs may be
arbitrarily changed by ARIN
some years back, narita blocked 443 not 80, blocked 465 & 587 not 25,
etc. i actually found a clue receptacle and it was fixed some weeks
later.
i suspect the number of things they can do wrongly may be bounded but is
quite large.
randy
l them the price
for which you are willing to sell it.
randy
anyone can send $ubject? specifically 1ru & 2ru.
one needs a supermicro sales rep, and their email addy to get from
supermicro site, and i buy from a reseller.
thanks
randy
> https://miketabor.com/tools/A
> mike seems to have them on his site..
junk. there is a lot of junk vss out there on the intertubes.
randy
> I emailed supp...@supermicro.com When I needed them
RNA so far
k was for aybe 20 minutes.
almost no one over here noticed.
but the press, isoc, ... said "japan knocked off the internet." take
that as a calibration of the press, isoc, ...
randy
detection and repair?
this was an easily preventable ops failure. but what we will do is go
to idr and grow and invent 42 more hacks, kinda like ipv6 transition
mechanisms.
randy
i have 142 largish bgp customers, a large enough number that the number
of prefixes i receive from them varies annoyingly. how do i reasonably
automate setting of my outbound prefix limit?
randy
>>> i have 142 largish bgp customers, a large enough number that the number
>>> of prefixes i receive from them varies annoyingly. how do i reasonably
>>> automate setting of my outbound prefix limit?
>>
>> First, it seems you know the inbound so automating the outbound is simple
>> arithmetic.
>
hat same value on my side as the upper
> outbound limit.
which is why i do not tell peers a max count.
this stuff works for small isps, in the lab, ... but not at scale;
especially when you have isps as customers. i wish it did.
bgp at scale is rather dynamic. i suspect your $dayjob's irr filters
being exact help a bit.
randy