Re: Comcast IPv6 Trials
On Wed, 27 Jan 2010 17:50:22 EST, Steven Bellovin said:
> In all seriousness, will any attempt be made to select trial applicants based on (apparent) clue level and/or to receive feedback through channels other than the usual Tier 1 support?

Two comments:

1) People who manage to find out about the trial and apply probably have already done some self-selection on clue level. Big difference between Joe Sixpack and Joe IPV6-pack.

2) Even if some Joe Sixpacks manage to get into the test, that's good - because Comcast needs to know what the unclued masses need for support, etc.
Re: Strange Cisco 6503 problem
On Thu, 2010-01-28 at 18:36 -0500, Steven Bellovin wrote:
Actually, it's not at all surprising, but it depends on the UART or equivalent. and the dynamic characteristics of the power rails, to a certain extent. Sun kit is quite sensitive to this sort of thing.

Zonker has a good guide to what does what and what borks in his conserver pages: http://www.conserver.com/consoles/ as well as a bucketload of pinout info for console ports and console servers in general. The whole site is good reference for younger techies born in the USB age ;)

Gord
--
I'm giving up the sigs - I'm on patches and gum.
Weekly Routing Table Report
This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.apnic.net.

If you have any comments please contact Philip Smith p...@cisco.com.

Routing Table Report 04:00 +10GMT Sat 30 Jan, 2010

Report Website: http://thyme.apnic.net
Detailed Analysis: http://thyme.apnic.net/current/

Analysis Summary

BGP routing table entries examined: 310401
Prefixes after maximum aggregation: 143857
Deaggregation factor: 2.16
Unique aggregates announced to Internet: 152150
Total ASes present in the Internet Routing Table: 33195
Prefixes per ASN: 9.35
Origin-only ASes present in the Internet Routing Table: 28813
Origin ASes announcing only one prefix: 14071
Transit ASes present in the Internet Routing Table: 4382
Transit-only ASes present in the Internet Routing Table: 110
Average AS path length visible in the Internet Routing Table: 3.6
Max AS path length visible: 23
Max AS path prepend of ASN ( 9503) 21
Prefixes from unregistered ASNs in the Routing Table: 803
Unregistered ASNs in the Routing Table: 130
Number of 32-bit ASNs allocated by the RIRs: 409
Prefixes from 32-bit ASNs in the Routing Table: 367
Special use prefixes present in the Routing Table: 0
Prefixes being announced from unallocated address space: 208
Number of addresses announced to Internet: 2182859712
Equivalent to 130 /8s, 27 /16s and 203 /24s
Percentage of available address space announced: 58.9
Percentage of allocated address space announced: 66.1
Percentage of available address space allocated: 89.1
Percentage of address space in use by end-sites: 81.0
Total number of prefixes smaller than registry allocations: 149507

APNIC Region Analysis Summary

Prefixes being announced by APNIC Region ASes: 74994
Total APNIC prefixes after maximum aggregation: 25835
APNIC Deaggregation factor: 2.90
Prefixes being announced from the APNIC address blocks: 71687
Unique aggregates announced from the APNIC address blocks: 31510
APNIC Region origin ASes present in the Internet Routing Table: 3940
APNIC Prefixes per ASN: 18.19
APNIC Region origin ASes announcing only one prefix: 1084
APNIC Region transit ASes present in the Internet Routing Table: 623
Average APNIC Region AS path length visible: 3.6
Max APNIC Region AS path length visible: 23
Number of APNIC addresses announced to Internet: 490424864
Equivalent to 29 /8s, 59 /16s and 74 /24s
Percentage of available APNIC address space announced: 76.9

APNIC AS Blocks: 4608-4864, 7467-7722, 9216-10239, 17408-18431 (pre-ERX allocations) 23552-24575, 37888-38911, 45056-46079 55296-56319, 131072-132095
APNIC Address Blocks: 1/8, 27/8, 43/8, 58/8, 59/8, 60/8, 61/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8,

ARIN Region Analysis Summary

Prefixes being announced by ARIN Region ASes: 129648
Total ARIN prefixes after maximum aggregation: 67654
ARIN Deaggregation factor: 1.92
Prefixes being announced from the ARIN address blocks: 103715
Unique aggregates announced from the ARIN address blocks: 39327
ARIN Region origin ASes present in the Internet Routing Table: 13468
ARIN Prefixes per ASN: 7.70
ARIN Region origin ASes announcing only one prefix: 5204
ARIN Region transit ASes present in the Internet Routing Table: 1331
Average ARIN Region AS path length visible: 3.3
Max ARIN Region AS path length visible: 22
Number of ARIN addresses announced to Internet: 738182688
Equivalent to 43 /8s, 255 /16s and 198 /24s
Percentage of available ARIN address space announced:
Level 3 DC issues?
Anyone see any connectivity issues with Level-3 in the DC area? This issue is causing big latency problems that appeared to have taken out Bank of America's website.
Re: Level 3 DC issues?
I've got low latency TO 'Level3 Washington' - but I time out about three hops later. I'm coming from the Sprintlink.

On Jan 29, 2010, at 2:22 PM, John Palmer (NANOG Acct) wrote:
> Anyone see any connectivity issues with Level-3 in the DC area? This issue is causing big latency problems that appeared to have taken out Bank of America's website.
RE: Level 3 DC issues?
Looks like an internal problem to BoA. The redirect works, and I get an immediate reply. The https redirect page appears boinked. Even with a -k curl took over 30 seconds to get the page, and the browser would have timed out.

rob...@robert ~ $ curl -i -G www.bankofamerica.com
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 29 Jan 2010 19:25:08 GMT
Content-length: 122
Content-type: text/html
Location: https://www.bankofamerica.com/index.jsp
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

rob...@robert ~ $ curl -i -G www.bankofamerica.com
HTTP/1.1 301 Moved Permanently
Server: Sun-ONE-Web-Server/6.1
Date: Fri, 29 Jan 2010 19:25:28 GMT
Content-length: 122
Content-type: text/html
Location: https://www.bankofamerica.com/index.jsp
Connection: close

<HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
<BODY><H1>Moved Permanently</H1>
An error has occurred.
</BODY></HTML>

rob...@robert ~ $ curl -i -G https://www.bankofamerica.com/index.jsp
curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a bundle
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

rob...@robert ~ $ curl -k -i -G https://www.bankofamerica.com/index.jsp

Robert D. Scott rob...@ufl.edu
Senior Network Engineer 352-273-0113 Phone
CNS - Network Services 352-392-2061 CNS Phone Tree
University of Florida 352-392-9440 FAX
Florida Lambda Rail 352-294-3571 FLR NOC
Gainesville, FL 32611 321-663-0421 Cell

-----Original Message-----
From: John Palmer (NANOG Acct) [mailto:nan...@adns.net]
Sent: Friday, January 29, 2010 2:22 PM
To: NANOG list
Subject: Level 3 DC issues?

Anyone see any connectivity issues with Level-3 in the DC area? This issue is causing big latency problems that appeared to have taken out Bank of America's website.
Re: Level 3 DC issues?
John Palmer (NANOG Acct) wrote:
> Anyone see any connectivity issues with Level-3 in the DC area? This issue is causing big latency problems that appeared to have taken out Bank of America's website.

Los Angeles Downtown had a big power outage which affected quite a few DCs. Don't know if it's related though.
Re: Level 3 DC issues?
Looks like it may be a BoA issue. I also see their AS number peering to AS 701 (Verizon Business / UUNet) with a dead traceroute to BoA.

On Jan 29, 2010, at 2:22 PM, John Palmer (NANOG Acct) wrote:
> Anyone see any connectivity issues with Level-3 in the DC area? This issue is causing big latency problems that appeared to have taken out Bank of America's website.
BGP Update Report
BGP Update Report
Interval: 21-Jan-10 -to- 28-Jan-10 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank ASN       Upds     %  Upds/Pfx  AS-Name
 1 - AS2686   21921  2.1%    139.6 -- ATT Global Network Services - EMEA
 2 - AS18170  20829  2.0%    946.8 -- CHANGWON-AS-KR Changwon National University
 3 - AS7643   19874  1.9%     32.2 -- VNPT-AS-VN Vietnam Posts and Telecommunications (VNPT)
 4 - AS18106  18698  1.8%    271.0 -- VIEWQWEST-SG-AP Viewqwest Pte Ltd
 5 - AS5800   17908  1.7%     88.7 -- DNIC-ASBLK-05800-06055 - DoD Network Information Center
 6 - AS7303   12288  1.2%     18.3 -- Telecom Argentina S.A.
 7 - AS45408  11986  1.1%   5993.0 --
 8 - AS14420  11554  1.1%     37.5 -- CORPORACION NACIONAL DE TELECOMUNICACIONES CNT S.A.
 9 - AS37986  11383  1.1%    129.4 -- TULIP Tulip Telecom Ltd.
10 - AS4270    9020  0.9%   1804.0 -- Red de Interconexion Universitaria
11 - AS9829    7823  0.7%     20.7 -- BSNL-NIB National Internet Backbone
12 - AS4134    7407  0.7%      7.3 -- CHINANET-BACKBONE No.31,Jin-rong Street
13 - AS23577   7312  0.7%     12.6 -- ATM-MPLS-AS-KR Korea Telecom
14 - AS17964   7008  0.7%     44.1 -- DXTNET Beijing Dian-Xin-Tong Network Technologies Co., Ltd.
15 - AS14522   6725  0.6%     26.8 -- Satnet
16 - AS35805   6686  0.6%     17.3 -- UTG-AS United Telecom AS
17 - AS11139   5639  0.5%     20.1 -- CWRIN CW BARBADOS
18 - AS8151    5587  0.5%      7.8 -- Uninet S.A. de C.V.
19 - AS17974   5362  0.5%      7.7 -- TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
20 - AS1237    5350  0.5%     37.4 -- KREONET-AS-KR Korea Institute of Science and Technology Information

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank ASN       Upds     %  Upds/Pfx  AS-Name
 1 - AS45408  11986  1.1%   5993.0 --
 2 - AS5691    2436  0.2%   2436.0 -- MITRE-AS-5 - The MITRE Corporation
 3 - AS4270    9020  0.9%   1804.0 -- Red de Interconexion Universitaria
 4 - AS151     3951  0.4%    987.8 -- IND-NTC-AS - Hewlett-Packard Company
 5 - AS18170  20829  2.0%    946.8 -- CHANGWON-AS-KR Changwon National University
 6 - AS37020    795  0.1%    795.0 -- CELTEL-DRC
 7 - AS31055   2282  0.2%    760.7 -- CONSULTIX-AS Consultix GmbH
 8 - AS48672    630  0.1%    630.0 -- OKCIBANK-AS Commercial Bank GALS
 9 - AS8668    3981  0.4%    568.7 -- TELONE-AS TelOne Zimbabwe P/L
10 - AS23699   2259  0.2%    564.8 -- EZNET-AS-ID IP Teknologi Komunikasi, PT.
11 - AS6822    2780  0.3%    556.0 -- SUPERONLINE-AS SuperOnline autonomous system
12 - AS48359   1589  0.1%    529.7 -- HESABGAR-AS Hesabgar Pardaz Gharb Co. Private J.S.
13 - AS36451    493  0.1%    493.0 -- FUJI-BEDFORD - Fujifilm Microdisks U.S.A., Inc.
14 - AS43818    484  0.1%    484.0 -- MELLAT-AS bankmellat
15 - AS41492    478  0.1%    478.0 -- EXIMBANK-AS BANCA DE EXPORT IMPORT A ROMANIEI (EXIMBANK) S.A
16 - AS28878   2237  0.2%    447.4 -- SIGNET-AS Signet B.V.
17 - AS3475     385  0.0%    385.0 -- LANT-AFLOAT - Navy Network Information Center (NNIC)
18 - AS10445   2851  0.3%    356.4 -- HTG - Huntleigh Telcom
19 - AS11057    349  0.0%    349.0 -- WTHOMPSONCO - J. Walter Thompson
20 - AS20066    319  0.0%    319.0 -- MORRISTECH - Morris Technologies, Inc.

TOP 20 Unstable Prefixes
Rank Prefix              Upds     %  Origin AS -- AS Name
 1 - 170.210.56.0/22     8949  0.8%  AS4270  -- Red de Interconexion Universitaria
 2 - 114.70.96.0/24      5993  0.5%  AS45408 --
 3 - 114.70.97.0/24      5993  0.5%  AS45408 --
 4 - 203.162.118.128/    4970  0.4%  AS7643  -- VNPT-AS-VN Vietnam Posts and Telecommunications (VNPT)
 5 - 110.234.206.0/23    3749  0.3%  AS37986 -- TULIP Tulip Telecom Ltd.
 6 - 110.234.208.0/23    3749  0.3%  AS37986 -- TULIP Tulip Telecom Ltd.
 7 - 110.234.204.0/23    3749  0.3%  AS37986 -- TULIP Tulip Telecom Ltd.
 8 - 222.255.186.0/25    3123  0.3%  AS7643  -- VNPT-AS-VN Vietnam Posts and Telecommunications (VNPT)
11 - 192.12.120.0/24     2436  0.2%  AS5691  -- MITRE-AS-5 - The MITRE Corporation
12 - 62.168.199.0/24     2275  0.2%  AS31055 -- CONSULTIX-AS Consultix GmbH
13 - 202.177.223.0/24    2239  0.2%  AS17819 -- ASN-EQUINIX-AP Equinix Asia Pacific
14 - 143.138.107.0/24    2144  0.2%  AS747   -- TAEGU-AS - Headquarters, USAISC
15 - 203.246.0.0/24      1728  0.1%  AS18170 -- CHANGWON-AS-KR Changwon National University
16 - 59.22.142.0/24      1728  0.1%  AS18170 -- CHANGWON-AS-KR Changwon National University
17 - 203.246.23.0/24     1728  0.1%  AS18170 -- CHANGWON-AS-KR Changwon National University
18 - 59.22.138.0/23      1721  0.1%  AS18170 --
Re: Using /126 for IPv6 router links
On Wed, Jan 27, 2010 at 1:19 PM, Igor Gashinsky i...@gashinsky.net wrote:
> 1) ping-ponging of packets on Sonet/SDH links
> 2) ping sweep of death
> ...
> For most people, using /127's will be a lot operationally easier than maintain those crazy ACLs, but, like I said before, YMMV..

I'm in the /112 camp - it's not going to be much worse for attack 2, and I've been dealing with a lot of IPv4 operational issues where you need subnets with enough addresses for VRRP/HSRP/NSRP/etc, equipment management addresses for devices that aren't the main address, byte-aligned database entries, monitoring boxes of various sorts, extra NATs for applications nobody told you about when you set things up, splitting subnets into smaller contiguous subnets because of equipment limitations or vendor compatibility problems with IPSEC tunnels, etc.

And the other interesting address length proposal was 80 bits, typically imagined as 20 BCD digits, proposed by phone company types. 128 is better...

--
Thanks; Bill

Note that this isn't my regular email account - It's still experimental so far. And Google probably logs and indexes everything you send it.
Re: Level 3 DC issues?
On 01/29/2010 08:30 PM, Robert D. Scott wrote:
> Looks like an internal problem to BoA. The redirect works, and I get an immediate reply. The https redirect page appears boinked. Even with a -k curl took over 30 seconds to get the page, and the browser would have timed out.

Hi,

Just noticed this article, maybe BoA is also a target ?:

CIA, PayPal under bizarre SSL assault

The massive flood of requests is made over the websites' SSL, or secure-sockets layer, port, causing them to consume more resources than normal connections, according to researchers at Shadowserver Foundation, a volunteer security collective. The torrent started about a week ago and appears to be caused by recent changes made to a botnet known as Pushdo http://www.theregister.co.uk/2008/02/29/botnet_spam_deluge/.

http://www.theregister.co.uk/2010/01/29/strange_ssl_web_attack/
http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100129

Maybe that has something to do with this ?

Hope you have a nice weekend.

> rob...@robert ~ $ curl -i -G www.bankofamerica.com
> HTTP/1.1 301 Moved Permanently
> Server: Sun-ONE-Web-Server/6.1
> Date: Fri, 29 Jan 2010 19:25:08 GMT
> Content-length: 122
> Content-type: text/html
> Location: https://www.bankofamerica.com/index.jsp
> Connection: close
>
> <HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
> <BODY><H1>Moved Permanently</H1>
> An error has occurred.
> </BODY></HTML>
>
> rob...@robert ~ $ curl -i -G www.bankofamerica.com
> HTTP/1.1 301 Moved Permanently
> Server: Sun-ONE-Web-Server/6.1
> Date: Fri, 29 Jan 2010 19:25:28 GMT
> Content-length: 122
> Content-type: text/html
> Location: https://www.bankofamerica.com/index.jsp
> Connection: close
>
> <HTML><HEAD><TITLE>Moved Permanently</TITLE></HEAD>
> <BODY><H1>Moved Permanently</H1>
> An error has occurred.
> </BODY></HTML>
>
> rob...@robert ~ $ curl -i -G https://www.bankofamerica.com/index.jsp
> curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
> error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a bundle
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
> rob...@robert ~ $ curl -k -i -G https://www.bankofamerica.com/index.jsp
>
> Robert D. Scott rob...@ufl.edu
> Senior Network Engineer 352-273-0113 Phone
> CNS - Network Services 352-392-2061 CNS Phone Tree
> University of Florida 352-392-9440 FAX
> Florida Lambda Rail 352-294-3571 FLR NOC
> Gainesville, FL 32611 321-663-0421 Cell
>
> -----Original Message-----
> From: John Palmer (NANOG Acct) [mailto:nan...@adns.net]
> Sent: Friday, January 29, 2010 2:22 PM
> To: NANOG list
> Subject: Level 3 DC issues?
>
> Anyone see any connectivity issues with Level-3 in the DC area? This issue is causing big latency problems that appeared to have taken out Bank of America's website.
Apply Now for ARIN Meetings Fellowship to Attend ARIN XXV
ARIN is pleased to offer a Meetings Fellowship Program to bring new voices and ideas to public policy discussions. This call is for Fellows to attend ARIN XXV in Toronto, Canada 18-21 April 2010. If you are interested in participating in the program, submit your application by 19 February. The application, submission instructions, and a detailed description of the program can be found at: https://www.arin.net/participate/meetings/fellowship.html

One individual from each of the three sectors within ARIN's service region (Canada, the Caribbean and North Atlantic Islands, and the United States and Outlying Areas) will be selected. Fellows receive financial support to attend the Public Policy and Members Meeting, and ARIN Advisory Council representatives will serve as mentors to the fellows to help maximize their meeting experience.

Individuals selected for the fellowship receive:

* Free meeting registration https://www.arin.net/participate/meetings/ARIN-XXV/
* Round-trip economy class airfare to the meeting, booked directly by ARIN
* Hotel accommodations at the venue hotel, booked directly by ARIN
* A stipend to cover meals and incidental travel expenses.

Please contact i...@arin.net if you have any questions concerning the program and the application process.

Regards,

Cathy Aronson
ARIN Advisory Council
SSH brute force China and Linux: best practices
Hola Nanog:

So after many years of a hiatus from Linux, I recently dropped XP in favour of Fedora. Now that my happy windows blinders are off, I see alarming things. Ugly ssh brute force, DNS server IP spoofing with scans and typical script kiddie tactics. What are the new set of best practices for those running a NIX home computer? Yes I have a firewall and I do peruse my logs on a regular basis.

BTW: ever drop a malformed URL to alert an admin to something that sucks? w3.hp.com/execs/makes/too/much/money or www.yourbuddiesdomain.com/it/is/all/rfc/space/use/1918/when/referring/to/non/routable

Thanks,
BobbyMac
Re: Using /126 for IPv6 router links
Daniel Senie wrote:
> On Jan 26, 2010, at 9:54 AM, Joe Maimon wrote:
>> For me, the entire debate boils down to this question. What should the objective be, decades or centuries?
>
> If centuries, how many planets and moons will the address space cover? (If we as a species manage to spread beyond this world before we destroy it). Will separate /3's, or subdivisions of subsequent /3's, be the best approach to deploying a large-scale IPv6 network on Mars? (and yes, a bit of work would be required to make the round-trip times fall within TCP's windows).

If the useful life of ipv6 is as long as ipv4 we've been pretty successful. It is (or seems that way to me) likely that pressures other than address exhaustion will consign it to the history books.