http://tools.ietf.org - Down
Is it just me? http://www.downforeveryoneorjustme.com/tools.ietf.org doesn't seem to think so.

Mark.
Re: Console Server Recommendation
On (2012-01-30 11:08 -0500), Ray Soucy wrote:

> What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade.

This is very very common thread, replaying couple times a year in various lists, with to my cursory look no new information between iterations.

I'd be more curious if people listed what do they think good console server should have, and if or not given model has them.

For me, required features are
- multiplexed connect to console port, console port should never, ever be busy, blocking. You don't want to find your most competent people blocked from accessing console, because 1st line is in lunch keeping the port busy.
- console port output always buffered persistently (if devices crashes and burns, at least you have post-network-reachability logs puked in console stored, good for troubleshooting)
- IP address mappable to a console port. So that accessing device normally is 'ssh router' and via OOB 'ssh router.oob' no need to train people

Nice to have
- Configuration import/export as ascii, from single place, so configuration backups are easy
- DC PSU support, redundantly
- No moving parts
- TACACS+ support
- 3G support with IPSEC tunneling
- Some clean and well designed webUI

I also have to ask, why do we even need these? Why do we still get new gear with RS232 console only? Why only Cisco Nexus7k and SUP2T have seen the light? Dedicated management-plane separated from control-plane, so regardless of control-plane status, you can connect over ethernet to management-plane and copy images to control-plane, reset control-plane, check logs etc.

Ethernet port is lot cheaper than RS232 port, so OOB gear would be cheaper. RS232 console on control-plane is ridiculously useless, you cannot copy images over it (even if supported, images are several hundreds megabytes). It is completely dependent on control-plane working which is very poor requirement for OOB.

When 50bucks intel desktop mobo has proper OOB, why does not every router and switch have?

--
++ytti
Re: Console Server Recommendation
On 31/01/2012 09:11, Saku Ytti wrote:

> For me, required features are

This is part of the problem here. You want a terminal server which was designed for console access. Most of the terminal servers on the market are by-products of the modem dialin era and their development function was aimed at a different market. Consequently, they are better at stuff like modem dialin and stuff like that rather than console management.

The problem is that there isn't a large market for console servers designed specifically for management console access, and there are a pile of incumbents in the existing market place.

I like feature list you posted, btw. If there were any console servers out there with these features, I would buy a bunch of them.

> RS232 console on control-plane is ridiculously useless, you cannot copy images over it (even if supported, images are several hundreds megabytes). It is completely dependent on control-plane working which is very poor requirement for OOB.

Yeah, indeed. And most of us have been stuck in the "omfg, the router is crashing and I'm in a hotel 2000km away, with crap OOB access, FML" situation more than once.

Nick
Re: Console Server Recommendation
On (2012-01-31 10:01 +), Nick Hilliard wrote:

> I like feature list you posted, btw. If there were any console servers out there with these features, I would buy a bunch of them.

I think OpenGear supports all of them (according to co-worker who tested them recently), but not 100% sure particularly of 3G with IPSEC (I couldn't use it anyhow, as I'd need DMVPN, so Cisco CPE) and clean and well designed UI is too subjectively defined requirement.

--
++ytti
Re: Please help our simple bgp
On 31.01.2012 04:06, Joel Maslak wrote:

> There are several ways to handle this is, if you have at least two /24s of space. Let's say you just have two /24s, both part of the same /23. [...]

Sad to see that deaggregation is still propagated to handle this issue. As a matter of fact deaggregation pollutes the global BGP table with more than 40% of rubbish, mainly caused by this silly type of traffic engineering. See the weekly routing table report or the CIDR report:

Analysis Summary
BGP routing table entries examined: 394446
Prefixes after maximum aggregation: 169250
Deaggregation factor: 2.33
Unique aggregates announced to Internet: 191523

There are many smarter ways to manage unbalanced links. See my slides presented on various occasions (page 31 to 48) which describes the disadvantages and collateral damage of deaggregation:

http://www.swinog.ch/meetings/swinog23/p/03_BGP-traffic-engineering-considerations-v0.2.pdf

HTH,

--
Fredy Künzler
Init7 / AS13030
Re: http://tools.ietf.org - Down
Up from here (.ch)

Sébastien

On 31.01.2012 10:02, Mark Tinka wrote:
> Is it just me? http://www.downforeveryoneorjustme.com/tools.ietf.org doesn't seem to think so.
>
> Mark.
Re: http://tools.ietf.org - Down
Fine for me, .au

Matt.

On 31/01/2012 9:59 PM, Sébastien Riccio wrote:
> Up from here (.ch)
>
> Sébastien
>
> On 31.01.2012 10:02, Mark Tinka wrote:
>> Is it just me? http://www.downforeveryoneorjustme.com/tools.ietf.org doesn't seem to think so.
>>
>> Mark.
Re: http://tools.ietf.org - Down
There was some discussion of this on tools-disc...@tools.ietf.org. There was a temporary issue that I believe has been resolved.

--Richard

On Tue, Jan 31, 2012 at 11:59 AM, Matt Taylor m...@mt.au.com wrote:
> Fine for me, .au
>
> Matt.
>
> On 31/01/2012 9:59 PM, Sébastien Riccio wrote:
>> Up from here (.ch)
>>
>> Sébastien
>>
>> On 31.01.2012 10:02, Mark Tinka wrote:
>>> Is it just me? http://www.downforeveryoneorjustme.com/tools.ietf.org doesn't seem to think so.
>>>
>>> Mark.
Re: ARP is sourced from loopback address
We ran into a lot of quirkiness with Linux when we started rolling out Linux-based CPE with XORP as a routing engine.

I've thrown some sane defaults you might want to consider into a text file at:

http://soucy.org/xorp/xorp-1.7-pre/TUNING

Specifically, you prob. want option 2 instead of 1 for arp_ignore, otherwise you'll see funkiness with ARPs coming from the wrong IP in a multi-interface configuration.

8<
ARP_IGNORE values:
  0   - Reply for any local address.
  1   - Reply only if the target IP is configured on the receiving interface.
  2   - Like 1, but the source IP (sender's address) must belong to the same subnet as the target IP.
  3   - Reply only if the scope of the target IP is not the local host (e.g., that address is not used to communicate with other hosts).
  4-7 - Reserved.
  8   - Do not reply.
  >8  - Unknown value; accept request.
8<

Hope this helps,

On Mon, Jan 30, 2012 at 7:09 PM, William Herrin b...@herrin.us wrote:
> On Mon, Jan 30, 2012 at 6:24 PM, Joe Maimon jmai...@ttec.com wrote:
>> Golden. Thank you, William.
>
> Hi Joe,
>
> You're welcome.
>
> The flip side of Linux's arp funkiness is that you can get it to do some nifty stuff. For example, a /32 ethernet looks more or less like this:
>
> ifconfig lo:1 198.51.100.1 netmask 255.255.255.255
> ifconfig eth1 192.168.0.1 netmask 255.255.255.252
> ip route add 198.51.100.44/32 dev eth1 src 198.51.100.1
> arptables --out-interface eth1 -j mangle -s 192.168.0.1 --mangle-ip-s 198.51.100.1
>
> The implicit proxy arp takes care of the rest with the machine hanging off the interface thinking that it's part of a /24.
>
> This sort of thing is how I'm using all 17 of the IP addresses in my Cox /28. :-)
>
> Regards,
> Bill Herrin
>
> --
> William D. Herrin her...@dirtside.com b...@herrin.us
> 3005 Crane Dr. .. Web: http://bill.herrin.us/
> Falls Church, VA 22042-3004

--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
Re: MD5 considered harmful
My thoughts are that you should filter traffic routed directly to your BGP speaking devices, traffic routing through an edge device and to an edge device are treated differently. BGP session protection using a MD5 password by itself is not securing the control plane, but it is a component of an overall secure edge posture. For example, md5 protection, plus edge filtering policies, plus ttl security, plus ., make for a more secure edge.

Also, it does not matter how many attempts compromising a BGP session occurs, it only takes one, so why not nail it down.

Mike

On Tue, Jan 31, 2012 at 12:39 AM, Keegan Holley keegan.hol...@sungard.com wrote:
> I suppose so but BFD certainly has a lot more moving parts than adding MDF checksums to an existing control packet. I'm not saying everyone should turn it on or off for that matter. I just don't see what the big deal is. Most of the shops I've seen have it on because of some long forgotten engineering standard.
>
> 2012/1/30 John Kristoff j...@cymru.com:
>> On Fri, 27 Jan 2012 15:52:41 -0500 Patrick W. Gilmore patr...@ianai.net wrote:
>>> Unfortunately, Network Engineers are lazy, impatient, and frequently clueless as well.
>>
>> While the quantity of peering sessions I've had is far less than yours, once upon a time when I had tried to get MD5 on dozens of peering sessions I learned quite a bit about those engineers and those networks. I got to find out who couldn't do password management, who never heard of MD5 and who had been listening to Patrick. :-) All good input that inform what else I might want to do to protect myself from those networks or who I wouldn't mind having a business relationship with.
>>
>> John
Bid Software
Hi folks. I'm looking for an in-house solution for circuit bidding. Today, when we get a request for WAN services, transport, transit etc we have folks that email out to a list of contacts and ask them for a price. I've seen some pretty neat systems in the past where vendors can send us their quotes via a web portal or similar - hoping to find something rather simple for our own use. open source would be awesome. Basically, we would notify potential vendors of that A and Z end of the circuit and any particulars such as speed that are required. What are folks using today and your experiences? Thanks, Paul
Re: Please help our simple bgp
On Jan 30, 2012, at 9:27 PM, Ann Kwok wrote:

> Hello
>
> Our router is running simple bgp. one BGP router, two upstreams (each 100M from ISP A and ISP B)
>
> We are getting full feeds tables from them
>
> We discover the routes is going to ISP A only even the bandwidth 100M is full
>
> Can we set the weight to change to ISP B to use ISP B as preference routes?
>
> Can the following configuration work? What suggest to this weight no. too?
>
> neighbor 1.2.3.4 description ISP B
> neighbor 1.2.3.4 remote-as 111
> neighbor 1.2.3.4 weight 2000
>
> If this works, how is ISP B upstream connection is down? Can it still be failover to ISP A automatically?
>
> If it won't work, Do you have any suggestion?

Please implement an AS-PATH filter on your outbound to your upstreams blocking yourself from re-announcing their routes to them.

You can see many of these cases here:

http://puck.nether.net/bgp/leakinfo.cgi

eg:

41.217.236.0/24 852 3561 6453 15399 15399 15399 174 3491 33770 36997 37063 37113

15399 (Wananchi Online Limited) is leaking their upstream (Cogent) routes to TATA (6453)

- Jared
non-congested comcast peers?
Are there any providers that Comcast doesn't regularly run hot? Seems like no matter who I deliver through at some magical point in the evening they start spiking jitter and a little loss. Almost like everyone hits PLAY on netflix at the same time. -shac
Re: ARP is sourced from loopback address
That's still a different part of the packet. Below is the source address in the ethernet header used to deliver the arp request itself. Inside the ARP payload there is also a field for source and destination mac. I couldn't get tcpdump to show it even with the -n and -vvv switches. Wireshark will show it though. You may be able to use -w and -s0 to save to a cap file and then look at arp in wireshark. There still seem to be no responses. You can try the tweaks suggested by others. I've sent traffic from a loopback before and I've never seen this problem though.

2012/1/30 Joe Maimon jmai...@ttec.com:
> Thanks for the reply. Yes, it does appear to have the correct mac.
>
> root@debian31:~# tcpdump -e -n -i eth1
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
> 12:54:17.882537 00:03:fd:03:38:08 > 00:0c:29:b8:2a:14, ethertype IPv4 (0x0800), length 114: 69.90.15.224 > 216.222.144.24: ICMP echo request, id 161, seq 4, length 80
> 12:54:18.084320 00:0c:29:b8:2a:14 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.76.1 tell 209.54.140.64, length 28
> 12:54:19.083580 00:0c:29:b8:2a:14 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.76.1 tell 209.54.140.64, length 28
> 12:54:19.838376 00:03:fd:03:38:08 > 00:0c:29:b8:2a:14, ethertype IPv4 (0x0800), length 407: 69.90.15.224.179 > 216.222.144.24.60714: Flags [P.], seq 4062306194:4062306547, ack 170308540, win 16365, length 353: BGP, length: 353
> 12:54:20.083649 00:0c:29:b8:2a:14 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.76.1 tell 209.54.140.64, length 28
> ^C
> root@debian31:~# ifconfig eth1
> eth1 Link encap:Ethernet HWaddr 00:0c:29:b8:2a:14
>      inet addr:192.168.76.16 Bcast:192.168.76.255 Mask:255.255.255.0
>
> Keegan Holley wrote:
>> Even though TCP dump doesn't show it the ARP packets should have a source mac address that is reachable on the link. I think the reply is unicast to that mac address regardless of the IP in the request. Otherwise the receiving station would have to do an arp request for the source IP in the packet before it replied, in order to reply that station would need to have the very mapping it just requested making the whole thing useless. I've never seen arp sourced from a non-local interface IP unless there was some sort of tunnel or bridging configured, but then again I don't spend my days staring at ARP packets so I could be missing something.
>>
>> 2012/1/30 Joe Maimon jmai...@ttec.com:
>>> Hey All,
>>>
>>> Anycast related. Is this normal behavior? What's the workaround? Why haven't I run into this before?
>>>
>>> 192.168.76.1 is a HSRP address on a ring of routers transiting a private non routed vlan to the service addresses hosted on systems that have independent management interfaces.
>>>
>>> Best,
>>> Joe
>>>
>>> root@debian31:~# ifconfig lo:0
>>> lo:0 Link encap:Local Loopback
>>>      inet addr:209.54.140.64 Mask:255.255.255.255
>>>      UP LOOPBACK RUNNING MTU:16436 Metric:1
>>> root@debian31:~# ip rule list
>>> 0: from all lookup local
>>> 32764: from 209.54.140.0/24 lookup pbr1-exit
>>> 32765: from 216.222.144.16/28 lookup pbr1-exit
>>> 32766: from all lookup main
>>> 32767: from all lookup default
>>> root@debian31:~# ip route list table pbr1-exit
>>> default via 192.168.76.1 dev eth1
>>> 192.168.34.0/24 dev eth1 scope link src 192.168.76.16
>>> 192.168.76.0/24 dev eth1 scope link src 192.168.76.16
>>> root@debian31:~# tcpdump -i eth1
>>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
>>> listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
>>> 11:08:09.053943 ARP, Request who-has 192.168.76.1 tell 209.54.140.64, length 28
>>> 11:08:10.035126 IP noc08rt08.noc08.chl.net > 209.54.140.64: ICMP echo request, id 517, seq 0, length 80
>>> 11:08:10.051276 ARP, Request who-has 192.168.76.1 tell 209.54.140.64, length 28
>>> 11:08:11.052548 ARP, Request who-has 192.168.76.1 tell 209.54.140.64, length 28
>>> 11:08:12.035964 IP noc08rt08.noc08.chl.net > 209.54.140.64: ICMP echo request, id 517, seq 1, length 80
>>> ^C
>>> root@debian31:~# ip neigh
>>> fe80::230:71ff:fe3b:6808 dev eth0 lladdr 00:30:71:3b:68:08 router STALE
>>> 192.168.76.1 dev eth1 FAILED
>>> 192.168.34.254 dev eth0 lladdr 00:11:93:04:7a:1b DELAY
>>> 192.168.34.48 dev eth0 lladdr 00:0c:29:fd:64:8a STALE
>>> root@debian31:~# uname -a
>>> Linux debian31 3.2.0-1-686-pae #1 SMP Tue Jan 24 06:09:30 UTC 2012 i686 GNU/Linux
>>> root@debian31:~# ping 192.168.76.1
>>> PING 192.168.76.1 (192.168.76.1) 56(84) bytes of data.
>>> 64 bytes from 192.168.76.1: icmp_req=1 ttl=255 time=2.95 ms
>>> ^C
>>> --- 192.168.76.1 ping statistics ---
>>> 1 packets transmitted, 1 received, 0% packet loss, time 0ms
>>> rtt min/avg/max/mdev = 2.952/2.952/2.952/0.000 ms
>>> root@debian31:~# ip neigh
>>> fe80::230:71ff:fe3b:6808 dev eth0 lladdr 00:30:71:3b:68:08 router STALE
>>> 192.168.76.1 dev eth1 lladdr
Microbursts on Ceragon IP-10G
Hello,

I have a Ceragon IP-10G to provide backhaul access for an LTE network. The client wants to have 50Mbps of throughput with an RTT of 50ms on a single TCP session. The problem are the packet drops due to microbursts due to tcp slow start come from a 1GE port and then they get dropped at the radio. I can burst about 60KB of data before experiencing packet loss.

Has anyone had a similar problem with this problem and found a solution?

PS: I already have a case open, it's just going kind of slow.

Thanks,
Abel.
Re: non-congested comcast peers?
Hi Shacolby

Can you share some mtr results to Netflix, Google, etc ? Curious to see how bad it is really.

On Tue, Jan 31, 2012 at 8:50 PM, Shacolby Jackson shaco...@bluejeans.com wrote:
> Are there any providers that Comcast doesn't regularly run hot? Seems like no matter who I deliver through at some magical point in the evening they start spiking jitter and a little loss. Almost like everyone hits PLAY on netflix at the same time.
>
> -shac

--
Anurag Bhatia
anuragbhatia.com
or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network!
Twitter: @anurag_bhatia https://twitter.com/#!/anurag_bhatia
Linkedin: http://linkedin.anuragbhatia.com
Re: MD5 considered harmful
From: harbor235 harbor...@gmail.com

> Also, It does not matter how many attempts compromising a BGP session occurs, it only takes one, so why not nail it down.

Because downtime is a security issue too, and MD5 is more likely to contribute to downtime (either via lost password, crypto load on CPU, or other) than the problem it purports to fix.

The goal of a network engineer is to move packets from A - B. The goal of a security engineer is to keep that from happening. A business needs to weigh the cost and benefit of any given approach, and MD5 BGP auth does not come out well in the of situations.

David Barak
Need Geek Rock? Try The Franchise: http://www.listentothefranchise.com
IPv6 BGP MIBs
Hi all, Can anyone point me to ongoing discussion about IPv6 BGP SNMP MIBs going on in the IETF? As I understand it RFC 4293 was somewhat abandoned by most vendors. Cisco has a new BGPV4-2 Mib but that still doesn't address all the needs. While I can try and push all my vendors to come up with a MIB that has parity with IPv4 I assume our standards bodies are working towards that goal as well. I can't seem to locate where these discussions are happening within the IETF...or if they even are. Any pointers or education for my ignorance is appreciated. Thanks all, --chip -- Just my $.02, your mileage may vary, batteries not included, etc
Re: Wireless Recommendations
On 1/30/12 12:46 , Jim Gonzalez wrote:
> Hi,
> I am looking for a Wireless bridge or Router that will support 600 wireless clients concurrently (mostly cell phones). I need it for a proof of concept.

an aruba controller and 8 dual radio aps.

> Thanks in advance
> Jim
Re: IPv6 BGP MIBs
On 31/01/2012 16:42, chip wrote:
> Can anyone point me to ongoing discussion about IPv6 BGP SNMP MIBs going on in the IETF? As I understand it RFC 4293 was somewhat abandoned by most vendors. Cisco has a new BGPV4-2 Mib but that still doesn't address all the needs. While I can try and push all my vendors to come up with a MIB that has parity with IPv4 I assume our standards bodies are working towards that goal as well. I can't seem to locate where these discussions are happening within the IETF...or if they even are. Any pointers or education for my ignorance is appreciated.

bgp4-mibv2: http://tools.ietf.org/html/draft-ietf-idr-bgp4-mibv2

Nick
Re: Wireless Recommendations
Hi,

I do not know all the details, but the high school I graduated from recently implemented an Aruba system. From what I hear, it has never worked as designed and the IT dept there says it's hard to manage. I was told the school got it since it was the cheapest.

-Grant

On Tue, Jan 31, 2012 at 10:45 AM, Joel jaeggli joe...@bogus.com wrote:
> On 1/30/12 12:46 , Jim Gonzalez wrote:
>> Hi,
>> I am looking for a Wireless bridge or Router that will support 600 wireless clients concurrently (mostly cell phones). I need it for a proof of concept.
>
> an aruba controller and 8 dual radio aps.
>
>> Thanks in advance
>> Jim
Re: IPv6 BGP MIBs
On 1/31/12 11:42 , chip wrote:
> Hi all,
>
> Can anyone point me to ongoing discussion about IPv6 BGP SNMP MIBs going on in the IETF? As I understand it RFC 4293 was somewhat abandoned by most vendors. Cisco has a new BGPV4-2 Mib but that still doesn't address all the needs. While I can try and push all my vendors to come up with a MIB that has parity with IPv4 I assume our standards bodies are working towards that goal as well. I can't seem to locate where these discussions are happening within the IETF...or if they even are. Any pointers or education for my ignorance is appreciated.

There's little-to-no ongoing discussion happening, but such as there is happens on the IDR working group list (https://datatracker.ietf.org/wg/idr/charter/).

The latest rev is draft-ietf-idr-bgp4-mibv2-12.txt and draft-ietf-idr-bgp4-mibv2-tc-mib-03.txt; both just expired again. Jeff's been refreshing them periodically to keep them active, but there have been no substantial changes since -09 (Feb 2009).

As I understand it, there are no known issues, it's just waiting on the chicken-and-egg problem of needing implementations to demonstrate that it's complete before publishing as an RFC, and vendors have been reluctant to implement it until it was actually a published RFC.

I strongly encourage anyone who enjoys monitoring their BGP infrastructure to pressure their vendors to implement the draft as it stands with the idea of finally getting this to standard level. At one point I had multiple vendors committed to doing so, and I think at least C and B still have it on their respective roadmaps for RSN.

-e
RE: Console Server Recommendation
> I like feature list you posted, btw. If there were any console servers out there with these features, I would buy a bunch of them.

Wouldn't a program such as conserver running on a linux box someplace potentially provide these (maybe with a little extra hackery)? We use that quite a bit. One interesting option is that it allows another person to also watch the console session. So, for example, I can give someone a console session while watching the progress of it.

http://conserver.com/

In other words, combining some software on a cheapo box someplace can give many of those features with just about any hardware console server.
Hijacked Network Ranges
Greetings all.

We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA.

The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us.

The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired.

Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation?

Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream.

--
Kelvin Williams
Sr. Service Delivery Engineer
Broadband Carrier Services
Altus Communications Group, Inc.

If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: MD5 considered harmful
Sounds like we want a well thought out plan in place in case there is a screw up with an org's lack of planning and management capabilities..

Mike

On Tue, Jan 31, 2012 at 12:56 PM, Nick Hilliard n...@foobar.org wrote:
> On 31/01/2012 16:40, David Barak wrote:
>> Because downtime is a security issue too, and MD5 is more likely to contribute to downtime (either via lost password, crypto load on CPU, or other) than the problem it purports to fix.
>>
>> The goal of a network engineer is to move packets from A - B. The goal of a security engineer is to keep that from happening. A business needs to weigh the cost and benefit of any given approach, and MD5 BGP auth does not come out well in the of situations.
>
> cpu load is negligible and is done in hardware on several platforms. Lost passwords can occur but if you have properly stored configuration backups, they shouldn't be a major problem. Also, they can be trivially decrypted from C/J configuration files.
>
> From my point of view, MD5 passwords serve two purposes:
>
> 1. they prevent intentional session hijacking at IXPs when IP addresses get re-used and new IP address assignees suddenly notice that some people haven't torn down their old BGP sessions to the previous users of the address
>
> 2. they can be used to convince security auditors that the network is secure and that they can now sod off and stop harassing me, kthxbai
>
> Other people may have other reasons for liking / not liking them.
>
> Nick
Re: Hijacked Network Ranges
Hi,

What is keeping you from advertising a more specific route (i.e /25's)?

-Grant

On Tue, Jan 31, 2012 at 12:00 PM, Kelvin Williams kwilli...@altuscgi.com wrote:
> Greetings all.
>
> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA.
>
> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us.
>
> The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired.
>
> Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation?
>
> Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream.
>
> --
> Kelvin Williams
> Sr. Service Delivery Engineer
> Broadband Carrier Services
> Altus Communications Group, Inc.
>
> If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: Hijacked Network Ranges
On Tue, 31 Jan 2012, Grant Ridder wrote:

> What is keeping you from advertising a more specific route (i.e /25's)?

Many providers filter out anything longer (smaller) than /24.

jms

> On Tue, Jan 31, 2012 at 12:00 PM, Kelvin Williams kwilli...@altuscgi.com wrote:
>> Greetings all.
>>
>> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA.
>>
>> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us.
>>
>> The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired.
>>
>> Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation?
>>
>> Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream.
>>
>> --
>> Kelvin Williams
>> Sr. Service Delivery Engineer
>> Broadband Carrier Services
>> Altus Communications Group, Inc.
>>
>> If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: Hijacked Network Ranges
Many/most transit providers filter prefixes longer than /24, so the effectiveness may be minimal. At the very least I'd advertise /24s yourself because if the forger is geographically further away, some local sites may still work. Better than nothing.

On Tue, Jan 31, 2012 at 11:19 AM, Grant Ridder shortdudey...@gmail.com wrote:
> Hi,
>
> What is keeping you from advertising a more specific route (i.e /25's)?
>
> -Grant
>
> On Tue, Jan 31, 2012 at 12:00 PM, Kelvin Williams kwilli...@altuscgi.com wrote:
>> Greetings all.
>>
>> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA.
>>
>> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us.
>>
>> The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired.
>>
>> Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation?
>>
>> Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream.
>>
>> --
>> Kelvin Williams
>> Sr. Service Delivery Engineer
>> Broadband Carrier Services
>> Altus Communications Group, Inc.
>>
>> If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: Hijacked Network Ranges
You can break your blocks into /24's or smaller and readvertise them to your upstreams. You can also modify local preference using community tags with most upstreams. If you have tier 1 peerings you may be able to get them to filter the bad routes if you can prove they were assigned to you by ARIN. There's no real way to get 100% of your traffic back until you get the other company to stop advertising your routes though. You may also get traction from the AS's directly connected to the problem AS. I'm not sure how quickly you can get the other AS's to act on your behalf. The short blocks and local pref should get some of your traffic back though.

2012/1/31 Kelvin Williams kwilli...@altuscgi.com
> Greetings all.
>
> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA.
>
> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us.
>
> The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired.
>
> Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation?
>
> Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream.
>
> --
> Kelvin Williams
> Sr. Service Delivery Engineer
> Broadband Carrier Services
> Altus Communications Group, Inc.
>
> If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: Hijacked Network Ranges
Upstream requirements.

Additionally, I don't believe it would do us any good. If they're announcing /24 now, why would they not announce a /25.

On Jan 31, 2012 1:19 PM, Grant Ridder shortdudey...@gmail.com wrote:
> Hi,
>
> What is keeping you from advertising a more specific route (i.e /25's)?
>
> -Grant
>
> On Tue, Jan 31, 2012 at 12:00 PM, Kelvin Williams kwilli...@altuscgi.com wrote:
>> Greetings all.
>>
>> We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA.
>>
>> The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us.
>>
>> The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired.
>>
>> Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation?
>>
>> Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream.
>>
>> --
>> Kelvin Williams
>> Sr. Service Delivery Engineer
>> Broadband Carrier Services
>> Altus Communications Group, Inc.
>>
>> If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: Console Server Recommendation
On 31/01/2012 17:27, George Bonser wrote: Wouldn't a program such as conserver running on a linux box someplace potentially provide these (maybe with a little extra hackery)? We use that quite a bit. One interesting option is that it allows another person to also watch the console session. So, for example, I can give someone a console session while watching the progress of it. yes, except that I would prefer to spend money on getting a pre-packaged solution rather than spending time customising boxes, dealing with customised upgrades, and so on. Fascinating and all as they are, console servers are a means to an end, and the less time I'm forced to spend trashing them into submission and maintaining them on an ongoing basis, the more time I have for productive work. Nick
Re: Hijacked Network Ranges
2012/1/31 Justin M. Streiner strei...@cluebyfour.org On Tue, 31 Jan 2012, Grant Ridder wrote: What is keeping you from advertising a more specific route (i.e /25's)? Many providers filter out anything longer (smaller) than /24. Some will accept it but not propagate it upstream. This may be useful in redirecting all the traffic from a large AS if you are directly connected. jms On Tue, Jan 31, 2012 at 12:00 PM, Kelvin Williams kwilli...@altuscgi.com wrote: Greetings all. We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us. The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream. -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: Hijacked Network Ranges
On Tue, Jan 31, 2012 at 10:19 AM, Grant Ridder shortdudey...@gmail.com wrote: Hi, What is keeping you from advertising a more specific route (i.e /25's)? Most large transits and NSPs filter out prefixes more specific than a /24. Conventionally, at least in my experience, /24's are the most-specific prefix you can use and expect that it will end up in most places. Some shops with limited router processing or table storage capacity will filter even more restrictively, so a bigger aggregate is worth announcing as well. Cheers, jof
Re: Hijacked Network Ranges
On Tue, Jan 31, 2012 at 10:00 AM, Kelvin Williams kwilli...@altuscgi.com wrote: We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. [ ...snip...] Ugh, what a hassle. I've been there, and it's really no fun. Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? Have you tried the contacts listed at PeeringDB for AS19181? Check out: as19181.peeringdb.com Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream. If you fail to get AS19181 to respond, you might consider contacting *their* upstreams and explaining the situation. Cheers, jof
RE: Hijacked Network Ranges
Shouldn't a forged LOA be justification to contact law enforcement? Chuck -Original Message- From: Kelvin Williams [mailto:kwilli...@altuscgi.com] Sent: Tuesday, January 31, 2012 1:01 PM To: nanog@nanog.org Subject: Hijacked Network Ranges Greetings all. We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us. The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream. -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: Hijacked Network Ranges
We are. On Tue, Jan 31, 2012 at 1:32 PM, Chuck Church chuckchu...@gmail.com wrote: Shouldn't a forged LOA be justification to contact law enforcement? Chuck -Original Message- From: Kelvin Williams [mailto:kwilli...@altuscgi.com] Sent: Tuesday, January 31, 2012 1:01 PM To: nanog@nanog.org Subject: Hijacked Network Ranges Greetings all. We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us. The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream. -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. Office - Direct: 404.682.2151 Office - Main: 404.682.2150 Mobile: 404.931.4888 Fax: 866.895.8557 If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: Route Management Best Practices
Thanks Mark, This helps and definitely shows I'm heading in the right direction. Thanks, On Tue, Jan 31, 2012 at 2:17 AM, Mark Tinka mti...@globaltransit.net wrote: On Tuesday, January 31, 2012 03:04:15 PM Joe Marr wrote: What do you use for reflectors, hardware(Cisco/Juniper) or software daemons(Quagga)? We operate 2x networks. One of them runs Cisco 7201 routers as route reflectors, while the other runs Juniper M120 routers. The large Juniper routers were due to particular BGP AFI's that Cisco IOS does not support (yet). I've been toying with the idea of using Quagga route servers to announce our prefixes to our edge routers and redistribute BGP announcements learned from downstream customers. You can certainly use any device in your network to originate your allocations. We just use the route reflectors because it is a natural fit, but you can use any device provided it would be as stable and independent as a route reflector. The last thing you want is a blackhole or a route going away because your backhaul failed or your customer DoS'ed your edge router :-). Only drawback is the lack of support for tagged static routes, so it looks like I'm going to have to use a network statement w/ route-map to set the attributes. There was a time when networks were run without prefix lists, BGP communities or even route maps. I'm too young to have ever experienced those times, but I always joke with a friend (from those times) about how good we have it today, and how hard life must have been for Internet engineers of old :-). If you have the opportunity, I'd advise against operating without these very useful tools. Has anyone tried this, or is it suicide? I'm sure there are several networks out there that are intimidated by additional BGP features such as communities, advanced routing policy, e.t.c. They do survive without having to deal with this, probably because their networks are small and the pain is better than trying something new. 
But I certainly wouldn't recommend it to anyone (except, as Randy would say, my competitors). Mark.
Re: Hijacked Network Ranges
Surely something is better than nothing. Advertise the /24's and the /25's, see what happens. At the least it's a step forwards until you get their routes filtered. Tony On 31 January 2012 18:22, Kelvin Williams kwilli...@altuscgi.com wrote: Upstream requirements. Additionally, I don't believe it would do us any good. If they're announcing /24 now, why would they not announce a /25. On Jan 31, 2012 1:19 PM, Grant Ridder shortdudey...@gmail.com wrote: Hi, What is keeping you from advertising a more specific route (i.e /25's)? -Grant On Tue, Jan 31, 2012 at 12:00 PM, Kelvin Williams kwilli...@altuscgi.com wrote: Greetings all. We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us. The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream. -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: Hijacked Network Ranges
I can routes are wrong for all /24 announcements. May be contacting Level3+Telia+AboveNet+Hurricane Electric since all these are upstream providers of AS29791 which is your upstream carrier? I guess they would be able to neutralize effect significantly by filtering those routes? On Wed, Feb 1, 2012 at 12:27 AM, Tony McCrory tony.mccr...@gmail.com wrote: Surely something is better than nothing. Advertise the /24's and the /25's, see what happens. At the least it's a step forwards until you get their routes filtered. Tony On 31 January 2012 18:22, Kelvin Williams kwilli...@altuscgi.com wrote: Upstream requirements. Additionally, I don't believe it would do us any good. If they're announcing /24 now, why would they not announce a /25. On Jan 31, 2012 1:19 PM, Grant Ridder shortdudey...@gmail.com wrote: Hi, What is keeping you from advertising a more specific route (i.e /25's)? -Grant On Tue, Jan 31, 2012 at 12:00 PM, Kelvin Williams kwilli...@altuscgi.com wrote: Greetings all. We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us. The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream. -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. 
If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow -- Anurag Bhatia anuragbhatia.com or simply - http://[2001:470:26:78f::5] if you are on IPv6 connected network! Twitter: @anurag_bhatia https://twitter.com/#!/anurag_bhatia Linkedin: http://linkedin.anuragbhatia.com
Re: Console Server Recommendation
On Jan 31, 2012, at 1:11 AM, Saku Ytti wrote: On (2012-01-30 11:08 -0500), Ray Soucy wrote: What are people using for console servers these days? We've historically used retired routers with ASYNC ports, but it's time for an upgrade. This is very very common thread, replaying couple times a year in various lists, with to my cursory look no new information between iterations. I'd be more curious if people listed what do they think good console server should have, and if or not given model has them. For me, required features are - multiplexed connect to console port, console port should never, ever be busy, blocking. You don't want to find your most competent people blocked from accessing console, because 1st line is in lunch keeping the port busy. +1 for conserver software as interface to existing terminal servers. It's a really awesome package with very nice capabilities built by operations folks for operations folks. It provides this ability and much more. - console port output always buffered persistently (if devices crashes and burns, at least you have post-network-reachability logs puked in console stored, good for troubleshooting) Conserver does this, too with the added advantage that the logs are stored on an independent box not likely affected by whatever caused the crash. - IP address mappable to a console port. So that accessing device normally is 'ssh router' and via OOB 'ssh router.oob' no need to train people How about normal is 'ssh device' and OOB is 'console device'? Conserver does that. Nice to have - Configuration import/export as ascii, from single place, so configuration backups are easy There are other tools that do this, such as rancid. I'm not sure I see significant advantage to integrating it. 
- DC PSU support, redundantly - No moving parts - TACACS+ support - 3G support with IPSEC tunneling - Some clean and well designed webUI These get more into the hardware actually connecting to the console port, so they obviously aren't addressed by conserver. I believe that the MRV stuff has the first three covered. The web UI, well, clean/well designed is in the eye of the beholder, I suppose. I'm not overly impressed with any of the webUIs I've seen on any of these products. The 3G with IPSEC is a nice thought. I haven't seen anyone do that yet. I also have to ask, why do we even need these? Why do we still get new gear with RS232 console only? Why only Cisco Nexus7k and SUP2T have seen the light? Dedicated management-plane separated from control-plane, so regardless of control-plane status, you can connect over ethernet to management-plane and copy images to control-plane, reset control-plane, check logs etc. Ethernet port is lot cheaper than RS232 port, so OOB gear would be cheaper. I think there are a few reasons. First, for all its failings, RS-232 is dirt-simple and extremely reliable without any configuration or external dependencies. Unless the box is a complete brick, the RS-232 console port probably works, or, at least works once the box is power-cycled. Ethernet, even ethernet on a dedicated management plane still depends on a lot of things outside of the ethernet chip. It needs configuration (whether DHCP or configuration file) and additional support hardware. Yes, much of this has become cheaper than UART/driver chipsets, but, cheaper doesn't necessarily mean more rock-solid reliable. RS232 console on control-plane is ridiculously useless, you cannot copy images over it (even if supported, images are several hundreds megabytes). It is completely dependant on control-plane working which is very poor requirement for OOB. I agree that RS232 on a management plane would be a better choice. 
Personally, I like the idea of having both RS232 and ethernet on dedicated management plane. The RS232 allows you to deal with failures on the ethernet and the ethernet provides support for image transfers, etc. When 50bucks intel desktop mobo has proper OOB, why does not every router and switch have? I will point out that the intel mobo OOB has not completely eliminated the need for IPKVM in the datacenter. YMMV. Owen
Re: Hijacked Network Ranges
If you both announce a /24, the BGP route selection process should begin to return some of the traffic to these prefixes back to your AS. Also, if you begin to advertise your prefixes as /24s and as a result, they try to advertise /25s, I would venture a guess that their /25s would get blocked entirely, effectively returning traffic to those prefixes to you. that would be best-case scenario until you can get someone at AS36111 to listen to you. Best of Luck to you Upstream requirements. Additionally, I don't believe it would do us any good. If they're announcing /24 now, why would they not announce a /25.
Re: using ULA for 'hidden' v6 devices?
Tim Chown t...@ecs.soton.ac.uk writes: On 26 Jan 2012, at 16:53, Owen DeLong wrote: On Jan 26, 2012, at 8:14 AM, Ray Soucy wrote: Does this mean we're also looking at residential allocations larger than a /64 as the norm? We certainly should be. I still think that /48s for residential is the right answer. My /48 is working quite nicely in my house. There seems to be a lot of discussion happening around a /60 or /56. I wouldn't assume a /48 for residential networks, or a static prefix. The big question is what constitutes an end site and do we want/need to have multiple classes of end site in the interests of conserving IPv6 space, or do we want to have only a single class in the interests of conserving technical person brain cells? Food for thought: There are approximately 7 billion people in the world right now. US billion, 10^9. If we defined an end site as an Internet provider access device that could allow subsidiary devices to connect downstream... AND Every human on the face of the earth was Avi Freedman or Vijay Gill and had ten cell phones that would act as APs, each of which with its own /48... THEN... We would be using between 2^36 and 2^37 end site allocations (70 billion). OR between a /11 and a /12 OR right around 0.03% of the space, assuming 100% utilization efficiency. If the goal in putting small chunks of space at residences is to conserve space in order to fit within the RIR's policies, then it is the policies that ought to change. Stewardship is not the same as parsimony. -r
RE: Hijacked Network Ranges - paging Cogent and GBLX/L3
Or roll it up hill: 33611 looks like they get transit from 19181, who's only upstream appears to be 12189. 12189 gets connectivity from 174 and 3549. 174 = Cogent 3549 = GBLX/L3 --Heather -Original Message- From: Kelvin Williams [mailto:kwilli...@altuscgi.com] Sent: Tuesday, January 31, 2012 1:01 PM To: nanog@nanog.org Subject: Hijacked Network Ranges Greetings all. We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us. The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream. -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: Hijacked Network Ranges - paging Cogent and GBLX/L3
To be honest I haven't had much success in convincing a tier 1 to modify someone else's routes on my behalf for whatever reason. I also have had limited success in getting them to do anything quickly. I'd first look to modify your advertisements as much as possible to mitigate the issue and then work with the other guys upstreams second. 2012/1/31 Schiller, Heather A heather.schil...@verizon.com: Or roll it up hill: 33611 looks like they get transit from 19181, who's only upstream appears to be 12189. 12189 gets connectivity from 174 and 3549. 174 = Cogent 3549 = GBLX/L3 --Heather -Original Message- From: Kelvin Williams [mailto:kwilli...@altuscgi.com] Sent: Tuesday, January 31, 2012 1:01 PM To: nanog@nanog.org Subject: Hijacked Network Ranges Greetings all. We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us. The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream. -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: MD5 considered harmful
On 1/31/12, Nick Hilliard n...@foobar.org wrote: On 31/01/2012 16:40, David Barak wrote: Because downtime is a security issue too, and MD5 is more likely to contribute to downtime (either via lost password, crypto load on CPU, or other) than the problem it purports to fix. The goal of a network engineer is to move packets from A - B. The goal of a security engineer is to keep that from happening. A business needs to weigh the cost and benefit of any given approach, and MD5 BGP auth does not come out well in the of situations. cpu load is negligible and is done in hardware on several platforms. Lost passwords can occur but if you have properly stored configuration backups, they shouldn't be a major problem. Also, they can be trivially decrypted from C/J configuration files. From my point of view, MD5 passwords serve two purposes: .. snip .. 2. they can be used to convince security auditors that the network is secure and that they can now sod off and stop harassing me, kthxbai +1 It isn't worth the time or effort trying to get an exception to their 'best practice'. Lee
Re: Route Management Best Practices
To elaborate slightly on what others have said in terms of protecting against leaks; it's a good idea to filter outbound in a conservative way such that you only send what you expect in terms of community values and/or prefixes and/or AS-paths. For instance, if something gets into your BGP that isn't tagged with one of your expected communities (e.g. applied where you inject your aggs), don't re-advertise it. If something has the right community, but not an expected AS-path (e.g. contains the AS of one of your transit providers), don't re-advertise. Implicitly deny all unexpected cases. Building that kind of restrictive logic will make you less likely to become a path for traffic you didn't expect (and might swamp you) and also you'll be a better citizen in general. Cheers, Tony On Tue, Jan 31, 2012 at 1:52 PM, Joe Marr jimmy.changa...@gmail.com wrote: Thanks Mark, This helps and definitely shows I'm heading in the right direction. Thanks, On Tue, Jan 31, 2012 at 2:17 AM, Mark Tinka mti...@globaltransit.net wrote: On Tuesday, January 31, 2012 03:04:15 PM Joe Marr wrote: What do you use for reflectors, hardware(Cisco/Juniper) or software daemons(Quagga)? We operate 2x networks. One of them runs Cisco 7201 routers as route reflectors, while the other runs Juniper M120 routers. The large Juniper routers were due to particular BGP AFI's that Cisco IOS does not support (yet). I've been toying with the idea of using Quagga route servers to announce our prefixes to our edge routers and redistribute BGP announcements learned from downstream customers. You can certainly use any device in your network to originate your allocations. We just use the route reflectors because it is a natural fit, but you can use any device provided it would be as stable and independent as a route reflector. The last thing you want is a blackhole or a route going away because your backhaul failed or your customer DoS'ed your edge router :-). 
Only drawback is the lack of support for tagged static routes, so it looks like I'm going to have to use a network statement w/ route-map to set the attributes. There was a time when networks were run without prefix lists, BGP communities or even route maps. I'm too young to have ever experienced those times, but I always joke with a friend (from those times) about how good we have it today, and how hard life must have been for Internet engineers of old :-). If you have the opportunity, I'd advise against operating without these very useful tools. Has anyone tried this, or is it suicide? I'm sure there are several networks out there that are intimidated by additional BGP features such as communities, advanced routing policy, e.t.c. They do survive without having to deal with this, probably because their networks are small and the pain is better than trying something new. But I certainly wouldn't recommend it to anyone (except, as Randy would say, my competitors). Mark.
RE: Hijacked Network Ranges - paging Cogent and GBLX/L3
Looks fixed now.. --heather -Original Message- From: Keegan Holley [mailto:keegan.hol...@sungard.com] Sent: Tuesday, January 31, 2012 2:50 PM To: Schiller, Heather A Cc: Kelvin Williams; nanog@nanog.org Subject: Re: Hijacked Network Ranges - paging Cogent and GBLX/L3 To be honest I haven't had much success in convincing a tier 1 to modify someone else's routes on my behalf for whatever reason. I also have had limited success in getting them to do anything quickly. I'd first look to modify your advertisements as much as possible to mitigate the issue and then work with the other guys upstreams second. 2012/1/31 Schiller, Heather A heather.schil...@verizon.com: Or roll it up hill: 33611 looks like they get transit from 19181, who's only upstream appears to be 12189. 12189 gets connectivity from 174 and 3549. 174 = Cogent 3549 = GBLX/L3 --Heather -Original Message- From: Kelvin Williams [mailto:kwilli...@altuscgi.com] Sent: Tuesday, January 31, 2012 1:01 PM To: nanog@nanog.org Subject: Hijacked Network Ranges Greetings all. We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us. The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream. -- Kelvin Williams Sr. 
Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
RE: Hijacked Network Ranges - paging Cogent and GBLX/L3
Sorry -- was looking at the wrong thing. Doh! --heather -Original Message- From: Schiller, Heather A Sent: Tuesday, January 31, 2012 3:05 PM To: 'Keegan Holley' Cc: Kelvin Williams; nanog@nanog.org Subject: RE: Hijacked Network Ranges - paging Cogent and GBLX/L3 Looks fixed now.. --heather -Original Message- From: Keegan Holley [mailto:keegan.hol...@sungard.com] Sent: Tuesday, January 31, 2012 2:50 PM To: Schiller, Heather A Cc: Kelvin Williams; nanog@nanog.org Subject: Re: Hijacked Network Ranges - paging Cogent and GBLX/L3 To be honest I haven't had much success in convincing a tier 1 to modify someone else's routes on my behalf for whatever reason. I also have had limited success in getting them to do anything quickly. I'd first look to modify your advertisements as much as possible to mitigate the issue and then work with the other guys upstreams second. 2012/1/31 Schiller, Heather A heather.schil...@verizon.com: Or roll it up hill: 33611 looks like they get transit from 19181, who's only upstream appears to be 12189. 12189 gets connectivity from 174 and 3549. 174 = Cogent 3549 = GBLX/L3 --Heather -Original Message- From: Kelvin Williams [mailto:kwilli...@altuscgi.com] Sent: Tuesday, January 31, 2012 1:01 PM To: nanog@nanog.org Subject: Hijacked Network Ranges Greetings all. We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us. The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired. 
Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream. -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
RE: Hijacked Network Ranges - paging Cogent and GBLX/L3
I would go at first by advertising your prefixes as a /24 as well, just randomly checked 2 different locations and the as-path to 11325 is shorter than to 33611 This seems to be the case for customers of Tiscali and L3, so this will probably get most of your traffic back to you... Regards, Ido -Original Message- From: Kelvin Williams [mailto:kwilli...@altuscgi.com] Sent: Tuesday, January 31, 2012 1:01 PM To: nanog@nanog.org Subject: Hijacked Network Ranges Greetings all. We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us. The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream. -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
RE: Hijacked Network Ranges - paging Cogent and GBLX/L3
Haven't really been following, but you've got a 50/50 shot for BGP on Cogent for us, but Level3 is shorter so would take precedence.
208.110.48.0/20   3356 29791 11325 i
                  174 1299 29791 11325 i
208.110.49.0      3356 12189 19181 33611 i
                  174 12189 19181 33611 i
-Original Message- From: Ido Szargel [mailto:i...@oasis-tech.net] Sent: Tuesday, January 31, 2012 3:06 PM To: Schiller, Heather A; Kelvin Williams; nanog@nanog.org Subject: RE: Hijacked Network Ranges - paging Cogent and GBLX/L3 I would go at first by advertising your prefixes as a /24 as well, just randomly checked 2 different locations and the as-path to 11325 is shorter than to 33611 This seems to be the case for customers of Tiscali and L3, so this will probably get most of your traffic back to you... Regards, Ido -Original Message- From: Kelvin Williams [mailto:kwilli...@altuscgi.com] Sent: Tuesday, January 31, 2012 1:01 PM To: nanog@nanog.org Subject: Hijacked Network Ranges Greetings all. We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us. The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream. -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. 
If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
RE: Hijacked Network Ranges - paging Cogent and GBLX/L3
You can take a closer look at the aspaths (lengths) to various global locations by looking at the following: http://bgptables.merit.edu/prefix.php?z=z=prefixcw=208.110.48.0/20view=allcount=1000 http://bgptables.merit.edu/prefix.php?z=z=prefixcw=63.246.112.0/20view=allcount=1000 http://bgptables.merit.edu/prefix.php?z=z=prefixcw=68.66.112.0/20view=allcount=1000 Hope that helps. -manish Message: 7 Date: Tue, 31 Jan 2012 22:06:03 +0200 From: Ido Szargel i...@oasis-tech.net To: Schiller, Heather A heather.schil...@verizon.com, Kelvin Williams kwilli...@altuscgi.com, nanog@nanog.org nanog@nanog.org Subject: RE: Hijacked Network Ranges - paging Cogent and GBLX/L3 Message-ID: 7A848D4888ADA94B8A46A17296740133B38D3E5473@DEXTER.oasis-tech.local Content-Type: text/plain; charset=us-ascii I would go at first by advertising your prefixes as a /24 as well, just randomly checked 2 different locations and the as-path to 11325 is shorter than to 33611 This seems to be the case for customers of Tiscali and L3, so this will probably get most of your traffic back to you... Regards, Ido -Original Message- From: Kelvin Williams [mailto:kwilli...@altuscgi.com] Sent: Tuesday, January 31, 2012 1:01 PM To: nanog@nanog.org Subject: Hijacked Network Ranges Greetings all. We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us. The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? 
Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream. -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: Route Management Best Practices
Thanks for the advice. Filtering and route manipulation hasn’t been a problem for me. I’m very careful to prevent leakage, etc. My current issue is scaling my management of our prefix announcements. Every time I add a new block, I need to modify all of my edge routers etc. I understand I can use IRR etc. to automate prefix-list deployments, but the blocks need to still be injected into the network? So my thought was to use a routeserver (quagga or a 7200) to do this. I’m looking to understand how others handle this. On Tue, Jan 31, 2012 at 2:59 PM, Tony Tauber ttau...@1-4-5.net wrote: To elaborate slightly on what others have said in terms of protecting against leaks; it's a good idea to filter outbound in a conservative way such that you only send what you expect in terms of community values and/or prefixes and/or AS-paths. For instance, if something gets into your BGP that isn't tagged with one of your expected communities (e.g. applied where you inject your aggs), don't re-advertise it. If something has the right community, but not an expected AS-path (e.g. contains the AS of one of your transit providers), don't re-advertise. Implicitly deny all unexpected cases. Building that kind of restrictive logic will be less likely to lead to you becoming a path for traffic you didn't expect (and might swamp you) and also you'll be a better citizen in general. Cheers, Tony On Tue, Jan 31, 2012 at 1:52 PM, Joe Marr jimmy.changa...@gmail.com wrote: Thanks Mark, This helps and definitely shows I'm heading in the right direction. Thanks, On Tue, Jan 31, 2012 at 2:17 AM, Mark Tinka mti...@globaltransit.net wrote: On Tuesday, January 31, 2012 03:04:15 PM Joe Marr wrote: What do you use for reflectors, hardware(Cisco/Juniper) or software daemons(Quagga)? We operate 2x networks. One of them runs Cisco 7201 routers as route reflectors, while the other runs Juniper M120 routers. The large Juniper routers were due to particular BGP AFI's that Cisco IOS does not support (yet). 
I've been toying with the idea of using Quagga route servers to announce our prefixes to our edge routers and redistribute BGP announcements learned from downstream customers. You can certainly use any device in your network to originate your allocations. We just use the route reflectors because it is a natural fit, but you can use any device provided it would be as stable and independent as a route reflector. The last thing you want is a blackhole or a route going away because your backhaul failed or your customer DoS'ed your edge router :-). Only drawback is the lack of support for tagged static routes, so it looks like I'm going to have to use a network statement w/ route-map to set the attributes. There was a time when networks were run without prefix lists, BGP communities or even route maps. I'm too young to have ever experienced those times, but I always joke with a friend (from those times) about how good we have it today, and how hard life must have been for Internet engineers of old :-). If you have the opportunity, I'd advise against operating without these very useful tools. Has anyone tried this, or is it suicide? I'm sure there are several networks out there that are intimidated by additional BGP features such as communities, advanced routing policy, e.t.c. They do survive without having to deal with this, probably because their networks are small and the pain is better than trying something new. But I certainly wouldn't recommend it to anyone (except, as Randy would say, my competitors). Mark.
Re: Hijacked Network Ranges
The interesting thing is that I'm not seeing any new hosts from those subnets in passive dns. It almost seems that their purpose for hijacking the space was to direct traffic to themselves, possibly for collecting login attempts. Andrew Fried andrew.fr...@gmail.com On 1/31/12 1:00 PM, Kelvin Williams wrote: Greetings all. We've been in a 12+ hour ordeal requesting that AS19181 (Cavecreek Internet Exchange) immediately filter out network blocks that are being advertised by ASAS33611 (SBJ Media, LLC) who provided to them a forged LOA. The routes for networks: 208.110.48.0/20, 63.246.112.0/20, and 68.66.112.0/20 are registered in various IRRs all as having an origin AS 11325 (ours), and are directly allocated to us. The malicious hijacking is being announced as /24s therefore making route selection pick them. Our customers and services have been impaired. Does anyone have any contacts for anyone at Cavecreek that would actually take a look at ARINs WHOIS, and IRRs so the networks can be restored and our services back in operation? Additionally, does anyone have any suggestion for mitigating in the interim? Since we can't announce as /25s and IRRs are apparently a pipe dream.
Re: US DOJ victim letter
+1 on only IP's on the list were our resolver dns servers for customers. Carlos Alcantar Race Communications / Race Team Member 101 Haskins Way, So. San Francisco, CA. 94080 Phone: +1 415 376 3314 / car...@race.com / http://www.race.com -Original Message- From: Matthew Crocker matt...@corp.crocker.com Date: Mon, 30 Jan 2012 10:56:10 -0500 To: Jack Bates jba...@brightok.net Cc: nanog@nanog.org nanog@nanog.org Subject: Re: US DOJ victim letter - Original Message - From: Jack Bates jba...@brightok.net To: Jon Lewis jle...@lewis.org Cc: nanog@nanog.org Sent: Monday, January 30, 2012 10:54:02 AM Subject: Re: US DOJ victim letter On 1/27/2012 2:23 PM, Jon Lewis wrote: It's definitely real, but seems like they're handling it as incompetently as possible. We got numerous copies to the same email address, the logins didn't work initially. The phone numbers given are of questionable utility. Virtually no useful information was provided. My attitude at this point is, ignore it until they provide some useful information. We finally got the hard copy. No customer IP listed, just our recursive resolvers, both for the customers as well as the ones that handle the MX servers. All that waiting and work for apparently nothing. I'm going to guess that my bind servers aren't malware infected (outside of being bind j/king). Same here, The hard copy came the other day with the access codes to download the IP list. Every IP on the list was for a resolving DNS server on our IP space. Total waste of time.
Re: US DOJ victim letter
On Fri, Jan 27, 2012 at 3:23 PM, Jon Lewis jle...@lewis.org wrote: On Fri, 27 Jan 2012, Bryan Horstmann-Allen wrote: Bit odd, if it's a phish. Even more odd if it's actually from the Fed. It's definitely real, but seems like they're handling it as incompetently as possible. Yep. That sounds about right. Man, I'm feeling left out. I kinda want one now. phil
Re: Route Optimization Software / Appliance
Hi. Just FYI, we have already launched a stable release. Feel free to contact me off-list if interested.
Re: US DOJ victim letter
I really enjoyed the fact that I called the number, on what I learned later was a Sample, and when I picked the option to speak with an agent I got "The mailbox is full" message. I feel safe... Ryan Pavely Director Research And Development Net Access Corporation http://www.nac.net/ On 01/31/2012 7:38 PM, Phil Dyer wrote: On Fri, Jan 27, 2012 at 3:23 PM, Jon Lewis jle...@lewis.org wrote: On Fri, 27 Jan 2012, Bryan Horstmann-Allen wrote: Bit odd, if it's a phish. Even more odd if it's actually from the Fed. It's definitely real, but seems like they're handling it as incompetently as possible. Yep. That sounds about right. Man, I'm feeling left out. I kinda want one now. phil
Fwd: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) We're still not out of the woods, announcing /24s and working with upper tier carriers to filter out our lists. However, I just got this response from Phoenix NAP and found it funny. The thief is a former customer, whom we terminated their agreement with. They then forged an LOA, submitted it to CWIE.net and Phoenix NAP and resumed using space above and beyond their terminated agreement. So now any request for assistance to stop our networks from being announced is now responded to with an instruction to contact the thief's lawyer. kw -- Forwarded message -- From: Kelvin Williams kwilli...@altuscgi.com Date: Tue, Jan 31, 2012 at 7:43 PM Subject: Re: [#135346] Unauthorized BGP Announcements To: n...@phoenixnap.com We'll be forwarding this to our peers in the industry--rather funny that Phoenix NAP would rather send us to the attorney of the people stealing our space than bothering to perform an ARIN WHOIS search, or querying any of the IRRs. Interesting... Very interesting... So, who all do you have there--spammers and child pornographers? Is this level of protection what you give to them all? On Tue, Jan 31, 2012 at 7:30 PM, Brandon S brand...@phoenixnap.com wrote: Hello, Thank you for your email. Please direct any further questions regarding this issue to the following contact. Bennet Kelley 100 Wilshire Blvd. Suite 950 Santa Monica, CA 90401 bkel...@internetlawcenter.net Telephone 310-452-0401 Facsimile 702-924-8740 -- Brandon S. NOC Services Technician ** We want to hear from you!** We care about the quality of our service. If you’ve received anything less than a prompt response or exceptional service or would like to share any feedback regarding your experience, please let us know by sending an email to management: supportfeedb...@phoenixnap.com -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. 
If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: Fwd: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
I think the correct term for this is bullet proof hosting. Now you know where to go. -Dan On Tue, 31 Jan 2012, Kelvin Williams wrote: I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) We're still not out of the woods, announcing /24s and working with upper tier carriers to filter out our lists. However, I just got this response from Phoenix NAP and found it funny. The thief is a former customer, whom we terminated their agreement with. They then forged an LOA, submitted it to CWIE.net and Phoenix NAP and resumed using space above and beyond their terminated agreement. So now any request for assistance to stop our networks from being announced is now responded to with an instruction to contact the thief's lawyer. kw -- Forwarded message -- From: Kelvin Williams kwilli...@altuscgi.com Date: Tue, Jan 31, 2012 at 7:43 PM Subject: Re: [#135346] Unauthorized BGP Announcements To: n...@phoenixnap.com We'll be forwarding this to our peers in the industry--rather funny that Phoenix NAP would rather send us to the attorney of the people stealing our space than bothering to perform an ARIN WHOIS search, or querying any of the IRRs. Interesting... Very interesting... So, who all do you have there--spammers and child pornographers? Is this level of protection what you give to them all? On Tue, Jan 31, 2012 at 7:30 PM, Brandon S brand...@phoenixnap.com wrote: Hello, Thank you for your email. Please direct any further questions regarding this issue to the following contact. Bennet Kelley 100 Wilshire Blvd. Suite 950 Santa Monica, CA 90401 bkel...@internetlawcenter.net Telephone 310-452-0401 Facsimile 702-924-8740 -- Brandon S. NOC Services Technician ** We want to hear from you!** We care about the quality of our service. 
If you’ve received anything less than a prompt response or exceptional service or would like to share any feedback regarding your experience, please let us know by sending an email to management: supportfeedb...@phoenixnap.com -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: Wireless Recommendations
Aruba AP 105. This version comes with a virtual controller that can manage 16 APs without the need of an additional controller. For high capacity areas I would go with Ruckus. -Mario Eirea On Jan 31, 2012, at 11:46 AM, Joel jaeggli joe...@bogus.com wrote: On 1/30/12 12:46 , Jim Gonzalez wrote: Hi, I am looking for a Wireless bridge or Router that will support 600 wireless clients concurrently (mostly cell phones). I need it for a proof of concept. an aruba controller and 8 dual radio aps. Thanks in advance Jim
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) In the dim past, I had a somewhat similar situation: - A largish (national telco of a small country) ISP started announcing address space a customer of theirs provided. Unfortunately, the address space wasn't the ISP's customer's to provide. - When the ISP was notified by both their RIR and the organization to which the address space was rightfully delegated, the ISP's response was: We have a contractual relationship with our customer to announce that space. We have neither a contractual relationship (in this context) with the RIR nor the RIR's customer. The RIR and/or the RIR's customer should resolve this issue with our customer. It was an eye-opening experience. Regards, -drc On Jan 31, 2012, at 4:49 PM, Kelvin Williams wrote: We're still not out of the woods, announcing /24s and working with upper tier carriers to filter out our lists. However, I just got this response from Phoenix NAP and found it funny. The thief is a former customer, whom we terminated their agreement with. They then forged an LOA, submitted it to CWIE.net and Phoenix NAP and resumed using space above and beyond their terminated agreement. So now any request for assistance to stop our networks from being announced is now responded to with an instruction to contact the thief's lawyer. kw -- Forwarded message -- From: Kelvin Williams kwilli...@altuscgi.com Date: Tue, Jan 31, 2012 at 7:43 PM Subject: Re: [#135346] Unauthorized BGP Announcements To: n...@phoenixnap.com We'll be forwarding this to our peers in the industry--rather funny that Phoenix NAP would rather send us to the attorney of the people stealing our space than bothering to perform an ARIN WHOIS search, or querying any of the IRRs. Interesting... Very interesting... So, who all do you have there--spammers and child pornographers? Is this level of protection what you give to them all? 
On Tue, Jan 31, 2012 at 7:30 PM, Brandon S brand...@phoenixnap.com wrote: Hello, Thank you for your email. Please direct any further questions regarding this issue to the following contact. Bennet Kelley 100 Wilshire Blvd. Suite 950 Santa Monica, CA 90401 bkel...@internetlawcenter.net Telephone 310-452-0401 Facsimile 702-924-8740 -- Brandon S. NOC Services Technician ** We want to hear from you!** We care about the quality of our service. If you’ve received anything less than a prompt response or exceptional service or would like to share any feedback regarding your experience, please let us know by sending an email to management: supportfeedb...@phoenixnap.com -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
Curious, What was the outcome of this? In any case, I'm hoping the major Tier-1s do the right thing and filter the rogue announcements, while allowing the OP's. Hopefully after enough pressure and dysfunction, they will give it up. On Tue, Jan 31, 2012 at 6:15 PM, David Conrad d...@virtualized.org wrote: I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) In the dim past, I had a somewhat similar situation: - A largish (national telco of a small country) ISP started announcing address space a customer of theirs provided. Unfortunately, the address space wasn't the ISP's customer's to provide. - When the ISP was notified by both their RIR and the organization to which the address space was rightfully delegated, the ISP's response was: We have a contractual relationship with our customer to announce that space. We have neither a contractual relationship (in this context) with the RIR nor the RIR's customer. The RIR and/or the RIR's customer should resolve this issue with our customer. It was an eye-opening experience. Regards, -drc On Jan 31, 2012, at 4:49 PM, Kelvin Williams wrote: We're still not out of the woods, announcing /24s and working with upper tier carriers to filter out our lists. However, I just got this response from Phoenix NAP and found it funny. The thief is a former customer, whom we terminated their agreement with. They then forged an LOA, submitted it to CWIE.net and Phoenix NAP and resumed using space above and beyond their terminated agreement. So now any request for assistance to stop our networks from being announced is now responded to with an instruction to contact the thief's lawyer. 
kw -- Forwarded message -- From: Kelvin Williams kwilli...@altuscgi.com Date: Tue, Jan 31, 2012 at 7:43 PM Subject: Re: [#135346] Unauthorized BGP Announcements To: n...@phoenixnap.com We'll be forwarding this to our peers in the industry--rather funny that Phoenix NAP would rather send us to the attorney of the people stealing our space than bothering to perform an ARIN WHOIS search, or querying any of the IRRs. Interesting... Very interesting... So, who all do you have there--spammers and child pornographers? Is this level of protection what you give to them all? On Tue, Jan 31, 2012 at 7:30 PM, Brandon S brand...@phoenixnap.com wrote: Hello, Thank you for your email. Please direct any further questions regarding this issue to the following contact. Bennet Kelley 100 Wilshire Blvd. Suite 950 Santa Monica, CA 90401 bkel...@internetlawcenter.net Telephone 310-452-0401 Facsimile 702-924-8740 -- Brandon S. NOC Services Technician ** We want to hear from you!** We care about the quality of our service. If you’ve received anything less than a prompt response or exceptional service or would like to share any feedback regarding your experience, please let us know by sending an email to management: supportfeedb...@phoenixnap.com -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
We started announcing /24s, combined with the shorter path it seems to be fine. Still jumping through hoops upstream. On Jan 31, 2012 8:26 PM, PC paul4...@gmail.com wrote: Curious, What was the outcome of this? In any case, I'm hoping the major Tier-1s do the right thing and filter the rogue announcements, while allowing the OP's. Hopefully after enough pressure and dysfunction, they will give it up. On Tue, Jan 31, 2012 at 6:15 PM, David Conrad d...@virtualized.org wrote: I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) In the dim past, I had a somewhat similar situation: - A largish (national telco of a small country) ISP started announcing address space a customer of theirs provided. Unfortunately, the address space wasn't the ISP's customer's to provide. - When the ISP was notified by both their RIR and the organization to which the address space was rightfully delegated, the ISP's response was: We have a contractual relationship with our customer to announce that space. We have neither a contractual relationship (in this context) with the RIR nor the RIR's customer. The RIR and/or the RIR's customer should resolve this issue with our customer. It was an eye-opening experience. Regards, -drc On Jan 31, 2012, at 4:49 PM, Kelvin Williams wrote: We're still not out of the woods, announcing /24s and working with upper tier carriers to filter out our lists. However, I just got this response from Phoenix NAP and found it funny. The thief is a former customer, whom we terminated their agreement with. They then forged an LOA, submitted it to CWIE.net and Phoenix NAP and resumed using space above and beyond their terminated agreement. So now any request for assistance to stop our networks from being announced is now responded to with an instruction to contact the thief's lawyer. 
kw -- Forwarded message -- From: Kelvin Williams kwilli...@altuscgi.com Date: Tue, Jan 31, 2012 at 7:43 PM Subject: Re: [#135346] Unauthorized BGP Announcements To: n...@phoenixnap.com We'll be forwarding this to our peers in the industry--rather funny that Phoenix NAP would rather send us to the attorney of the people stealing our space than bothering to perform an ARIN WHOIS search, or querying any of the IRRs. Interesting... Very interesting... So, who all do you have there--spammers and child pornographers? Is this level of protection what you give to them all? On Tue, Jan 31, 2012 at 7:30 PM, Brandon S brand...@phoenixnap.com wrote: Hello, Thank you for your email. Please direct any further questions regarding this issue to the following contact. Bennet Kelley 100 Wilshire Blvd. Suite 950 Santa Monica, CA 90401 bkel...@internetlawcenter.net Telephone 310-452-0401 Facsimile 702-924-8740 -- Brandon S. NOC Services Technician ** We want to hear from you!** We care about the quality of our service. If you’ve received anything less than a prompt response or exceptional service or would like to share any feedback regarding your experience, please let us know by sending an email to management: supportfeedb...@phoenixnap.com -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
RE: US DOJ victim letter
Folks, I received a DoJ Victim Notification letter yesterday, which was pretty amazing considering the fact that I don't run a network. My letter referenced United States v. Menachem Youlus. I suspect that the letters that you guys received referenced a different case. Do I have that right? Ron -Original Message- From: Phil Dyer [mailto:p...@cluestick.net] Sent: Tuesday, January 31, 2012 7:39 PM To: nanog@nanog.org Subject: Re: US DOJ victim letter On Fri, Jan 27, 2012 at 3:23 PM, Jon Lewis jle...@lewis.org wrote: On Fri, 27 Jan 2012, Bryan Horstmann-Allen wrote: Bit odd, if it's a phish. Even more odd if it's actually from the Fed. It's definitely real, but seems like they're handling it as incompetently as possible. Yep. That sounds about right. Man, I'm feeling left out. I kinda want one now. phil
Re: Hijacked Network Ranges
Another interesting thing that I noticed, is that AS33611 is not advertising any prefixes other than yours. Either they do not have any of their own (unlikely) or they are advertising their own legitimate prefixes from another AS however I doubt that is the case. It sounds like you were able to verify that this is indeed a malicious attack. If that is truly the case, I would certainly be in contact with your lawyers as this is certainly causing you financial loss and since it is easily verifiable, you would have a solid case I would think. I am no attorney but it seems like a no-brainer to me. So, it does look like you are finally announcing your prefixes as a /24 and that most traffic is again coming to your AS. That probably helped quite a bit right? Regards, John
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
In message 7b85f9d8-ba9e-4341-9242-5eb514895...@virtualized.org, David Conrad writes: I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) In the dim past, I had a somewhat similar situation: - A largish (national telco of a small country) ISP started announcing address space a customer of theirs provided. Unfortunately, the address space wasn't the ISP's customer's to provide. - When the ISP was notified by both their RIR and the organization to which the address space was rightfully delegated, the ISP's response was: We have a contractual relationship with our customer to announce that space. We have neither a contractual relationship (in this context) with the RIR nor the RIR's customer. The RIR and/or the RIR's customer should resolve this issue with our customer. It was an eye-opening experience. Regards, -drc And if I have a contract to commit murder that doesn't mean that it is right nor legal. A contract can't get you out of dealing with the law of the land and in most places in the world aiding and abetting is illegal. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: non-congested comcast peers?
Some datapoints based on ~500mb constant UDP telemetry data feed (total) spread across many different comcast endpoints. All Cogent - Comcast. Even though there's heavy forward error correction provisioned to accommodate 5-10% packet loss, it's hardly used. In fact, packet delivery is incredibly impressive to comcast. Loss is well below 0.01% and often involves another zero in there, too. It's one of the best consumer access networks I've seen and I give them a huge thumbs up for it. Needless to say, I can't back up the same stats against some other carriers (Verizon being the biggest offender, with their congestion being localized to the ATM/DSLAM level and sometimes very high based on my metrics and sampling). That's why the FEC is there. On Tue, Jan 31, 2012 at 8:20 AM, Shacolby Jackson shaco...@bluejeans.com wrote: Are there any providers that Comcast doesn't regularly run hot? Seems like no matter who I deliver through at some magical point in the evening they start spiking jitter and a little loss. Almost like everyone hits PLAY on netflix at the same time. -shac
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
On Jan 31, 2012, at 5:52 PM, Mark Andrews wrote: We have a contractual relationship with our customer to announce that space. We have neither a contractual relationship (in this context) with the RIR nor the RIR's customer. The RIR and/or the RIR's customer should resolve this issue with our customer. And if I have a contract to commit murder that doesn't mean that it is right nor legal. A contract can't get you out of dealing with the law of the land and in most place in the world aiding and abetting is illegal. You appear to be making a large number of assumptions on limited evidence. In the case I'm familiar with, I can assure you that no laws were being broken (even if all the parties were in the same country, which they weren't). However, this is getting off-topic and I don't want to hijack the thread. The issue of route hijacking is quite serious and it will be interesting to see how this all works out. Regards, -drc
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
On Jan 31, 2012, at 5:52 PM, Mark Andrews wrote: In message 7b85f9d8-ba9e-4341-9242-5eb514895...@virtualized.org, David Conrad writes: I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) In the dim past, I had a somewhat similar situation: - A largish (national telco of a small country) ISP started announcing address space a customer of theirs provided. Unfortunately, the address space wasn't the ISP's customer's to provide. - When the ISP was notified by both their RIR and the organization to which the address space was rightfully delegated, the ISP's response was: We have a contractual relationship with our customer to announce that space. We have neither a contractual relationship (in this context) with the RIR nor the RIR's customer. The RIR and/or the RIR's customer should resolve this issue with our customer. It was an eye-opening experience. Regards, -drc And if I have a contract to commit murder that doesn't mean that it is right nor legal. A contract can't get you out of dealing with the law of the land and in most places in the world aiding and abetting is illegal. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org Not to put a damper on things, but, is there actually any law that precludes use of integers as internet addresses contrary to the registration data contained in RIR databases? I can see how a case might be made for tortious interference, but I think it's quite nebulous and I believe a civil matter at best. IANAL, but, I actually wonder if there is any way to construe the behavior in question as criminal and if so, under what statute(s). Owen
Re: Megaupload.com seized
Steven Bellovin wrote: Note this from the NY Times article: The Megaupload case is unusual, said Orin S. Kerr, a law professor at George Washington University, in that federal prosecutors obtained the private e-mails of Megaupload's operators in an effort to show they were operating in bad faith. The government hopes to use their private words against them, Mr. Kerr said. This should scare the owners and operators of similar sites. (I base my rant on the assumption megaupload had outsourced their email to one of those enterprise level offerings, such as gmail or yahoo). If this isn't a convincing argument for using your own physical email servers (with encrypted filesystems and limited log keeping and what have you) and against outsourcing your email, then I don't know. I understand they can seize your servers and get your email that way if you were not smart enough to delete it and/or use encrypted filesystems. However it's much much harder to use email against you in preparation of a case when you run your own servers. Because they can't just quietly ask your email provider to hand over the data and forbid them to talk about it... Besides, running an email server is almost a trivial exercise for any marginally competent IT person. If you can set up a system such as megaupload you for sure can run your own, secure, email servers. If not ask someone competent enough to do it for you. Greetings, Jeroen -- Earthquake Magnitude: 4.8 Date: Tuesday, January 31, 2012 07:26:11 UTC Location: Fiji region Latitude: -21.9943; Longitude: -179.4848 Depth: 596.00 km
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
Internet number resource certification and origin validation sure would be nice here ;-) -danny On Jan 31, 2012, at 7:49 PM, Kelvin Williams wrote: I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) We're still not out of the woods, announcing /24s and working with upper tier carriers to filter out our lists. However, I just got this response from Phoenix NAP and found it funny. The thief is a former customer, whom we terminated their agreement with. They then forged an LOA, submitted it to CWIE.net and Phoenix NAP and resumed using space above and beyond their terminated agreement. So now any request for assistance to stop our networks from being announced is now responded to with an instruction to contact the thief's lawyer.
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
On Tue, Jan 31, 2012 at 6:03 PM, Owen DeLong o...@delong.com wrote: On Jan 31, 2012, at 5:52 PM, Mark Andrews wrote: In message 7b85f9d8-ba9e-4341-9242-5eb514895...@virtualized.org, David Conrad writes: I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) In the dim past, I had a somewhat similar situation: - A largish (national telco of a small country) ISP started announcing address space a customer of theirs provided. Unfortunately, the address space wasn't the ISP's customer's to provide. - When the ISP was notified by both their RIR and the organization to which the address space was rightfully delegated, the ISP's response was: We have a contractual relationship with our customer to announce that space. We have neither a contractual relationship (in this context) with the RIR nor the RIR's customer. The RIR and/or the RIR's customer should resolve this issue with our customer. It was an eye-opening experience. Regards, -drc And if I have a contract to commit murder that doesn't mean that it is right nor legal. A contract can't get you out of dealing with the law of the land and in most places in the world aiding and abetting is illegal. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org Not to put a damper on things, but, is there actually any law that precludes use of integers as internet addresses contrary to the registration data contained in RIR databases? I can see how a case might be made for tortious interference, but I think it's quite nebulous and I believe a civil matter at best. IANAL, but, I actually wonder if there is any way to construe the behavior in question as criminal and if so, under what statute(s). Owen An interesting thought experiment series: Imagine that instead of joe-random-small-ISP, this was Tier-1 ISP customer space being hijacked. Imagine that instead of Tier-1 customer, it was Tier-1 core services (www.company, etc).
Imagine that instead of Tier-1 core services, it was the blocks www.apple.com/iTunes or www.google.com lived in. Imagine that instead of www.google.com, it was www.whitehouse.gov At some point, I suspect that this gets service to get it fixed RIGHT NOW. At some point, the guys informing you it's RIGHT NOW show up with badges. The question is, when is it badges? It can be construed as a denial of service attack on the addresses' rightful owners. They will respond to any major government site being hijacked. Probably to Apple or Google. Likely to a Tier-1 ISP's internal infrastructure. That they probably won't to the current situation is a matter of failure of the system to scale, not that the ethics, morality, or legality of the situation are any different now than www.whitehouse.gov going poof. IMHO. -- -george william herbert george.herb...@gmail.com
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
On Wed, 01 Feb 2012 12:52:57 +1100, Mark Andrews said: - A largish (national telco of a small country) ISP started announcing national telco. oooh ka... And if I have a contract to commit murder that doesn't mean that it is right nor legal. A contract can't get you out of dealing with the law of the land and in most places in the world aiding and abetting is illegal. Vercotti: and one night Dinsdale walked in with a couple of big lads, one of whom was carrying a tactical nuclear missile. They said I'd bought one of their fruit machines and would I pay for it. Interviewer: How much did they want? Vercotti: Three quarters of a million pounds. Then they went out. Interviewer: Why didn't you call the police? Vercotti: Well I had noticed that the lad with the thermo-nuclear device was the Chief Constable for the area.
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
From nanog-bounces+bonomi=mail.r-bonomi@nanog.org Tue Jan 31 19:57:51 2012 To: David Conrad d...@virtualized.org From: Mark Andrews ma...@isc.org Subject: Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks) Date: Wed, 01 Feb 2012 12:52:57 +1100 Cc: nanog@nanog.org In message 7b85f9d8-ba9e-4341-9242-5eb514895...@virtualized.org, David Conrad writes: I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) In the dim past, I had a somewhat similar situation: - A largish (national telco of a small country) ISP started announcing address space a customer of theirs provided. Unfortunately, the address space wasn't the ISP's customer's to provide. - When the ISP was notified by both their RIR and the organization to which the address space was rightfully delegated, the ISP's response was: We have a contractual relationship with our customer to announce that space. We have neither a contractual relationship (in this context) with the RIR nor the RIR's customer. The RIR and/or the RIR's customer should resolve this issue with our customer. It was an eye-opening experience. Regards, -drc And if I have a contract to commit murder that doesn't mean that it is right nor legal. A contract can't get you out of dealing with the law of the land and in most places in the world aiding and abetting is illegal. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
Internet number resource certification and origin validation sure would be nice here ;-) this is arin address space. arin is the only rir which has not deployed and there is running code randy
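Added example, not part of any list member's message: the route origin validation that the posts above wish for, written to the RFC 6811 procedure, in which a route is valid, invalid or not-found against a set of validated ROA payloads. All prefixes and AS numbers are constructed (RFC 1918 space, documentation ASNs); the two ROA sets show why maxLength matters when the address holder announces /24 more-specifics, as the original poster describes doing.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Sequence, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: prefix, maxLength and authorized origin AS."""
    prefix: Network
    max_length: int
    asn: int


def origin_as(as_path: Sequence[Union[int, frozenset]]) -> Optional[int]:
    """Rightmost AS of the path. A path ending in an AS_SET (modelled here
    as a frozenset) has no usable origin. Simplification: an empty path is
    also treated as having no origin."""
    if not as_path or not isinstance(as_path[-1], int):
        return None
    return as_path[-1]


def validate(prefix: str, as_path, vrps: Iterable[VRP]) -> str:
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    origin = origin_as(as_path)
    covered = False
    for vrp in vrps:
        # A VRP covers the route when the route lies inside the VRP prefix.
        if vrp.prefix.version != route.version or not route.subnet_of(vrp.prefix):
            continue
        covered = True
        # A match needs the same origin AS and a length within maxLength;
        # an AS 0 payload authorizes nobody.
        if (origin is not None and vrp.asn != 0 and vrp.asn == origin
                and route.prefixlen <= vrp.max_length):
            return "valid"
    # Covered by at least one VRP but matched by none: invalid.
    return "invalid" if covered else "not-found"


# Constructed sample data: HOLDER is the registered holder's AS, OTHER is an
# AS with no authorization for the block.
HOLDER, OTHER = 64496, 64511
BLOCK = ipaddress.ip_network("10.20.0.0/22")
VRPS_LOOSE = [VRP(BLOCK, 24, HOLDER)]   # ROA permits /22 down to /24
VRPS_STRICT = [VRP(BLOCK, 22, HOLDER)]  # ROA permits the /22 only

ANNOUNCEMENTS = [
    ("10.20.0.0/22", [64500, HOLDER]),  # holder's aggregate
    ("10.20.0.0/22", [64501, OTHER]),   # same prefix, unauthorized origin
    ("10.20.1.0/24", [64500, HOLDER]),  # holder's defensive more-specific
    ("10.20.1.0/24", [64501, OTHER]),   # more-specific, unauthorized origin
    ("10.99.0.0/16", [64501, OTHER]),   # no ROA covers this prefix
]


def classify_all(vrps: Iterable[VRP]) -> list:
    vrps = list(vrps)
    return [validate(p, path, vrps) for p, path in ANNOUNCEMENTS]


if __name__ == "__main__":
    rows = zip(ANNOUNCEMENTS, classify_all(VRPS_LOOSE), classify_all(VRPS_STRICT))
    for (pfx, path), loose, strict in rows:
        print(f"{pfx:15} origin AS{path[-1]}  maxLen24={loose:9}  maxLen22={strict}")
```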
Re: US DOJ victim letter
Mine is showing United States v. Vladimir Tsastsin Carlos Alcantar Race Communications / Race Team Member 101 Haskins Way, So. San Francisco, CA. 94080 Phone: +1 415 376 3314 / car...@race.com / http://www.race.com -Original Message- From: Ronald Bonica rbon...@juniper.net Date: Tue, 31 Jan 2012 20:29:52 -0500 To: Phil Dyer p...@cluestick.net, nanog@nanog.org nanog@nanog.org Subject: RE: US DOJ victim letter Folks, I received a DoJ Victim Notification letter yesterday, which was pretty amazing considering the fact that I don't run a network. My letter referenced United States v. Menachem Youlus. I suspect that the letters that you guys received referenced a different case. Do I have that right? Ron -Original Message- From: Phil Dyer [mailto:p...@cluestick.net] Sent: Tuesday, January 31, 2012 7:39 PM To: nanog@nanog.org Subject: Re: US DOJ victim letter On Fri, Jan 27, 2012 at 3:23 PM, Jon Lewis jle...@lewis.org wrote: On Fri, 27 Jan 2012, Bryan Horstmann-Allen wrote: Bit odd, if it's a phish. Even more odd if it's actually from the Fed. It's definitely real, but seems like they're handling it as incompetently as possible. Yep. That sounds about right. Man, I'm feeling left out. I kinda want one now. phil
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
On Tue, Jan 31, 2012 at 7:15 PM, David Conrad d...@virtualized.org wrote: We have a contractual relationship with our customer to announce that space. We have neither a contractual relationship (in this context) with the RIR nor the RIR's customer. The RIR and/or the RIR's customer should resolve this issue with our customer. This is the point at which you really really want to turn the tables and get someone who desires to announce that very provider's own space approaching you, so you enter a contractual relationship with that party to do so, since (apparently) according to that provider you don't have an obligation to prevent this. And you have a nice letter from them to prove it to any upstreams, that resource issues are to be resolved with end users. If according to that provider those issues should be resolved between the RIR listed address space holder and the customer directly, (apparently), you are not to be involved in preventing a customer from hijacking their own assigned prefix. Because the same logic must apply to their very own address space; it is up to them and the RIR to resolve their issue with the elusive end user. But then you realize the only party that could ever approach you with a request to route them another provider's space would be one of those evil spammers It was an eye-opening experience. Regards, -drc -- -JH
Re: non-congested comcast peers?
On 1/31/12, Shacolby Jackson shaco...@bluejeans.com wrote: Are there any providers that Comcast doesn't regularly run hot? Seems like no matter who I deliver through at some magical point in the evening they start spiking jitter and a little loss. Almost like everyone hits PLAY on netflix at the same time. You could try Cogent, ATT, or Savvis, though they'll probably fill up now that I've mentioned it. Drive Slow (like a download going over Comcast-GBLX), Paul Wall
Re: [c-nsp] ASR opinions..
On Tuesday, January 31, 2012 06:38:10 AM Christopher J. Pilkington wrote: Does anyone have a link to a definitive document clearly showing FIB numbers for the ASR1001? I've got an email into our Cisco SE, but I don't think they're motivated to sell us a lower-end box. :-) On that link, Tables 1 and 3 contradict each other re: the ASR1001. However, I confirmed with our SE, and he says no way the ASR1001 supports anything more than 512,000 v4 entries and 128,000 v6 entries (which is Table 3). Maybe someone on the list from Cisco can help fix the documentation. Mark.
Arriving early...
Hi there all, I'm arriving on Friday evening -- was wondering who all might be around on Saturday? Anyone interested in doing something? Sightseeing, wandering around, etc? W -- Some people are like Slinkies..Not really good for anything but they still bring a smile to your face when you push them down the stairs.
RE: Hijacked Network Ranges
-Original Message- From: John Schneider Sent: Tuesday, January 31, 2012 5:34 PM To: Kelvin Williams Subject: Re: Hijacked Network Ranges Another interesting thing that I noticed, is that AS33611 is not advertising any prefixes other than yours. Either they do not have any of their own (unlikely) or they are advertising their own legitimate prefixes from another AS however I doubt that is the case. It sounds like you were able to verify that this is indeed a malicious attack. If I read the previous material correctly, it seems to have gone something like: Customer was initially a customer of Kelvin's firm and had the address assignments in question. Customer relationship with Kelvin's firm terminated and they contracted for service elsewhere but are apparently attempting to maintain the use of the address allocation(s) they received from Kelvin's firm. They apparently did this by misrepresenting the fact that they were entitled to use that address space. If that is the case, it isn't so much a malicious attack as it is just plain stealing the use of IP address space they aren't entitled to.
Re: Hijacked Network Ranges
On Tue, 31 Jan 2012 13:32:35 -0500, Chuck Church chuckchu...@gmail.com wrote: Shouldn't a forged LOA be justification to contact law enforcement? It is, but if you want anything done about it before the polar ice caps melt, you'll seek other paths as well. a) law enforcement doesn't understand the problem. and b) the law moves very slowly. --Ricky
Re: Arriving early...
Am a bit north of sd ... might make it down on Saturday. -- Sent from my Android phone with K-9 Mail. Please excuse my brevity. Warren Kumari war...@kumari.net wrote: Hi there all, I'm arriving on Friday evening -- was wondering who all might be around on Saturday? Anyone interested in doing something? Sightseeing, wandering around, etc? W -- Some people are like Slinkies..Not really good for anything but they still bring a smile to your face when you push them down the stairs.
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
On Tue, 31 Jan 2012, David Conrad wrote: In the dim past, I had a somewhat similar situation: - A largish (national telco of a small country) ISP started announcing address space a customer of theirs provided. Unfortunately, the address space wasn't the ISP's customer's to provide. - When the ISP was notified by both their RIR and the organization to which the address space was rightfully delegated, the ISP's response was: We have a contractual relationship with our customer to announce that space. We have neither a contractual relationship (in this context) with the RIR nor the RIR's customer. The RIR and/or the RIR's customer should resolve this issue with our customer. It was an eye-opening experience. Contracts are generally not a valid reason to be breaking laws. Antonio Querubin e-mail: t...@lavanauts.org xmpp: antonioqueru...@gmail.com
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
That may not be a bad idea. Have you gotten your company's lawyers involved? They may be able to get some sort of court action started and get things moving. They may also be able to compel the ISP's to act. 2012/1/31 Kelvin Williams kwilli...@altuscgi.com I hope none of you ever get hijacked by a spammer housed at Phoenix NAP. :) We're still not out of the woods, announcing /24s and working with upper tier carriers to filter out our lists. However, I just got this response from Phoenix NAP and found it funny. The thief is a former customer, whom we terminated their agreement with. They then forged an LOA, submitted it to CWIE.net and Phoenix NAP and resumed using space above and beyond their terminated agreement. So now any request for assistance to stop our networks from being announced is now responded to with an instruction to contact the thief's lawyer. kw -- Forwarded message -- From: Kelvin Williams kwilli...@altuscgi.com Date: Tue, Jan 31, 2012 at 7:43 PM Subject: Re: [#135346] Unauthorized BGP Announcements To: n...@phoenixnap.com We'll be forwarding this to our peers in the industry--rather funny that Phoenix NAP would rather send us to the attorney of the people stealing our space than bothering to perform an ARIN WHOIS search, or querying any of the IRRs. Interesting... Very interesting... So, who all do you have there--spammers and child pornographers? Is this level of protection what you give to them all? On Tue, Jan 31, 2012 at 7:30 PM, Brandon S brand...@phoenixnap.com wrote: Hello, Thank you for your email. Please direct any further questions regarding this issue to the following contact. Bennet Kelley 100 Wilshire Blvd. Suite 950 Santa Monica, CA 90401 bkel...@internetlawcenter.net Telephone 310-452-0401 Facsimile 702-924-8740 -- Brandon S. NOC Services Technician ** We want to hear from you!** We care about the quality of our service. 
If you’ve received anything less than a prompt response or exceptional service or would like to share any feedback regarding your experience, please let us know by sending an email to management: supportfeedb...@phoenixnap.com -- Kelvin Williams Sr. Service Delivery Engineer Broadband Carrier Services Altus Communications Group, Inc. If you only have a hammer, you tend to see every problem as a nail. -- Abraham Maslow
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
In message d73af1af-b75e-49b6-937a-5fbe770ad...@virtualized.org, David Conrad writes: On Jan 31, 2012, at 5:52 PM, Mark Andrews wrote: We have a contractual relationship with our customer to announce that space. We have neither a contractual relationship (in this context) with the RIR nor the RIR's customer. The RIR and/or the RIR's customer should resolve this issue with our customer. And if I have a contract to commit murder that doesn't mean that it is right nor legal. A contract can't get you out of dealing with the law of the land and in most places in the world aiding and abetting is illegal. You appear to be making a large number of assumptions on limited evidence. In the case I'm familiar with, I can assure you that no laws were being broken (even if all the parties were in the same country, which they weren't). However, this is getting off-topic and I don't want to hijack the thread. The issue of route hijacking is quite serious and it will be interesting to see how this all works out. And would sidr have helped. Regards, -drc -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Console Server Recommendation
On (2012-01-31 11:09 -0800), Owen DeLong wrote: - IP address mappable to a console port. So that accessing device normally is 'ssh router' and via OOB 'ssh router.oob' no need to train people How about normal is 'ssh device' and OOB is 'console device'? Home-baked systems are certainly good option to many, but for some of us it means we need to either hire worker to design, acquire, build and support them or consultant. And as you can find devices which support above requirements (opengear) TCO for us is simply just lower to buy one ready. 'console device' is what we do today, which is script someone needs to maintain (it picks up from DNS TXT records OOB and port where to connect). I prefer giving each port an IP and just use it via ssh (at least cyclades and opengear do this), if you are brave you could even setup same IP address for console and on-band loop, but I found that to be suboptimal, as you sometimes want to connect to OOB even when on-band is working. There are other tools that do this, such as rancid. I'm not sure I see significant advantage to integrating it. This was exactly for easy integration to rancid, if you cannot puke all config easily from one place, doing rancid module is lot more work. Few of the boxes I've seen, need to have some files hacked via linux cli and are PITA to backup. But as it was nice to have, it by no means is no show-stopper. I agree that RS232 on a management plane would be a better choice. Personally, I like the idea of having both RS232 and ethernet on dedicated management plane. The RS232 allows you to deal with failures on the ethernet and the ethernet provides support for image transfers, etc. You can get that from Nexus7k and Sup7. I wouldn't use the RS232 at all myself. Probably it's easier to sell this at day1 with RS232 port, as it is required in many RFPs and when everyone has migrated to ethernet OOB, phase-out RS232. So people please add to your 'nice to have' requirements in RFP, proper OOB :). 
(Can't tell how many times we've had to power-cycle CSCO or JNPR due to control-plane console not responding) I will point out that the intel mobo OOB has not completely eliminated the need for IPKVM in the datacenter. YMMV. This is bit drifting on the subject, but what are you missing specifically? You get VNC KVM, all the way from boot to bios, to GUI or CLI. You also get IDE redirection, to boot the remote box from your laptop CDROM. And you get API to automatically install factory fresh boxes without ever touching the boxes. -- ++ytti
Re: [#135346] Unauthorized BGP Announcements (follow up to Hijacked Networks)
On Wed, 1 Feb 2012, Mark Andrews wrote: And if I have a contract to commit murder that doesn't mean that it is right nor legal. A contract can't get you out of dealing with the law of the land and in most places in the world aiding and abetting is illegal. the topic at hand would appear to be more 'willful negligence' than 'aiding and abetting'. punitive damages could apply. -Dan