Re: subrate SFP?
I got quite a few replies from sellers selling me cuSFP, insisting they work. So I'd like to clear this up.

For 10/100 to work in an SFP slot, the PHY in the host needs to be multirate. The exception is SGMII, which supposedly supports a magic mode where the SFP can ask it to send the same bit 10 times; the SFP can then discard 9/10 of the bits, remaining very dumb yet delivering a 100M client on a 1GE host. RGMII does not support this trick, and this trick does not bring you down to 10M. One box that we have right now which can't do any of this is the ME-4924.

There is absolutely no reason that you couldn't deliver a 'media converter' or '2 port switch' in an SFP casing, to get that one 10/100 port in every 4500-X or EX4550 port where you need to cater for some legacy. If my desire is odd (2 people have expressed off list that they want the same) this won't be built. But if this is somewhat common demand and a missing product, we can certainly get such an SFP built. Obviously this SFP would cost a bit more than a normal cuSFP, as it needs to do rudimentary buffering and packet dropping, and it needs to have a frame parser.

On 29 August 2013 23:38, joel jaeggli joe...@bogus.com wrote:
> On 8/29/13 6:08 AM, Saku Ytti wrote:
>> How do people deal with the situation where you need >=48 SFP/SFP+ ports, but you occasionally need one or two cu 10/100 ports?
>
> arista 7050s support 100 Mb/s on their copper sfp. I have leveraged that; if you can break out the 40Gb/s ports you have as many as 64 ports of 10Gb/s. there are other switches that I've seen do this but they're not common. My problem is mostly around PDU/CDU management, in racks that otherwise would be 10Gb/s only, and in general I've addressed it with dedicated switches that support many of these devices rather than just two.
>
>> For some reason it's becoming quite rare for an SFP port to natively support 10M and 100M rates. Technically the obvious solution to me would be a subrate SFP, which presents itself as 1GE to the host, offering 100M or 10M to the client.
>>
>> This would obviously break QoS at the host, as the host would still think it's 1GE and the SFP itself would need to drop+buffer. But for my applications it would be fine; the 10M or 100M ports are typically some MGMT access interfaces. I can't imagine such an SFP being complex or expensive, considering we have E1 over IP in an SFP, which includes control plane and forwarding plane inside the SFP form factor.
>>
>> Is this demand peculiar? Could I source such an SFP somewhere by showing there is demand? Putting 2 port switches or fibre converters with external PSU just to support a few ports seems dirty.

-- 
++ytti
Re: IP Fragmentation - Not reliable over the Internet?
Mark Andrews wrote:
> Ensure that the firewalls at both ends pass ICMP/ICMPv6 PTB. Only idiots block all ICMP/ICMPv6.

Yes, there are a lot of idiots in the world.

The worst idiots are the people who designed ICMPv6 [RFC2463] as:

    (e.2) a packet destined to an IPv6 multicast address (there are two exceptions to this rule: (1) the Packet Too Big Message - Section 3.2 - to allow Path MTU discovery to work for IPv6 multicast, and (2) the Parameter Problem Message, Code 2 - Section 3.4 - reporting an unrecognized IPv6 option that has the Option Type highest-order two bits set to 10), or

which makes it necessary, unless you are idiots, to filter ICMPv6 PTB against certain packets, including but not limited to multicast ones.

Masataka Ohta
Re: subrate SFP?
> There is absolutely no reason that you couldn't deliver 'media converter' or '2 port switch' in a SFP casing

Yes, similar devices exist:
http://www.rad.com/10/SFP-Format-TDM-Pseudowire-Gateway/10267/
so it probably just needs more demand.

brandon
Re: subrate SFP?
I actually emailed RAD, MethodE and Avago yesterday and pitched the idea. MiTOP is my exact justification why it should technically be feasible.

I guess it would be easier to pitch if there were a commitment to buy, but I don't personally need many units, just 1-2 here and there.

On 30 August 2013 11:56, Brandon Butterworth bran...@rd.bbc.co.uk wrote:
>> There is absolutely no reason that you couldn't deliver 'media converter' or '2 port switch' in a SFP casing
>
> Yes, similar devices exist
> http://www.rad.com/10/SFP-Format-TDM-Pseudowire-Gateway/10267/
> so it probably just needs more demand
>
> brandon

-- 
++ytti
Re: subrate SFP?
> I actually emailed RAD, MethodE and Avago yesterday and pitched the idea. MiTOP is my exact justification why it should technically be feasible.
>
> I guess it would be easier to pitch if there were a commitment to buy, but I don't personally need many units, just 1-2 here and there.

I doubt you'd want to pay MiTOP prices, though.

Steinar Haug, AS 2116
RE: subrate SFP?
> From: Saku Ytti [mailto:s...@ytti.fi]
>
> I got quite a few replies from sellers selling me cuSFP, insisting they work. So I'd like to clear this up.
>
> For 10/100 to work in an SFP slot, the PHY in the host needs to be multirate. The exception is SGMII, which supposedly supports a magic mode where the SFP can ask it to send the same bit 10 times; the SFP can then discard 9/10 of the bits, remaining very dumb yet delivering a 100M client on a 1GE host. RGMII does not support this trick, and this trick does not bring you down to 10M. One box that we have right now which can't do any of this is the ME-4924.
>
> There is absolutely no reason that you couldn't deliver a 'media converter' or '2 port switch' in an SFP casing, to get that one 10/100 port in every 4500-X or EX4550 port where you need to cater for some legacy. If my desire is odd (2 people have expressed off list that they want the same) this won't be built. But if this is somewhat common demand and a missing product, we can certainly get such an SFP built. Obviously this SFP would cost a bit more than a normal cuSFP, as it needs to do rudimentary buffering and packet dropping, and it needs to have a frame parser.

Considering that Dell and HP at least are shipping brand new hardware with IPMI/BMC/iLO/whatever management ports that can only speak 100mbit, when every other Ethernet interface in the box is at least gigabit, having a useful way to talk to that port without having to keep separate switching hardware around would be nice.

I'm not holding my breath, but you know, along with a pony, this would be nice.

Jamie
Re: IP Fragmentation - Not reliable over the Internet?
> In a study using the RIPE Atlas probes, we have used a heuristic to figure out where the fragments were dropped. And from the Atlas probes where IP fragments did not arrive, there is a high likelihood the problem is with the last hop to the Atlas probe.

i wonder if this is correlated with the high number of probes being behind nats.

randy
Re: Parsing Syslog and Acting on it, using other input too
Christopher Morrow morrowc.li...@gmail.com wrote:
> On Thu, Aug 29, 2013 at 10:50 AM, Don Wilder don.wil...@gmail.com wrote:
>> I wrote a script in Linux that watches for unauthorized login attempts and adds the ip address to the blocked list in my firewall. You might want to search sourceforge for a DYN Firewall and modify it from there.
>
> because fail2ban was too hard to install? or because you just wanted to test yourself?

Actually I did the same. I use ipset lists (generally with a timeout) and take a regex or two and a black/white list from a YAML file, and just take (possibly multiple) inputs from piping tail -F. I also store addresses for future reference (by the script or otherwise). This is quite maintainable, as I can look at a list of people who have attacked the mail server and compare it to web attacks. Each process is a different type of service (different config file) and probably a different ipset.

Due to ipset not actually doing anything until I make an iptables rule for it, I can run my script in a test mode (by default) and just see what happens (check its logs and the ipset list it generates).

I haven't found the need for this yet, but I can use cymru to look up how big their net is (see geocidr for an example of how to do this in perl) and use a hash:net ipset type and cover a whole net.

Basically what I'm saying is that doing it this way is quite expandable and isn't very hard, and I can do tons of stuff that fail2ban can't (I don't think - it's been a while since I looked).
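As an added illustration of the approach described in the post above (this is example code written for this page, not the poster's script, which is not on the page): a small Python watcher that reads syslog lines, matches them against per-service regexes, honours a whitelist, bans an address once it has hit a threshold inside a time window, and in test mode only records the ipset commands it would otherwise run. The config dictionary stands in for the YAML file; the set name ssh_bad, the 3-hits-in-10-minutes threshold, the regexes and the log lines are all constructed for the example.

```python
"""Syslog watcher feeding an ipset with timeouts (added example, not the poster's script)."""
import ipaddress
import re
import subprocess
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical per-service config, standing in for the YAML file described in the post.
# The set must exist first:           ipset create ssh_bad hash:ip timeout 3600
# and does nothing until referenced:  iptables -I INPUT -m set --match-set ssh_bad src -j DROP
SSH_CONFIG = {
    "ipset": "ssh_bad",
    "timeout": 3600,                  # seconds an entry lives in the set
    "threshold": 3,                   # hits from one address inside the window
    "window": timedelta(minutes=10),
    "whitelist": ["10.0.0.0/8", "192.0.2.10/32"],
    "patterns": [
        r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (?P<ip>[0-9A-Fa-f.:]+)",
        r"sshd\[\d+\]: Invalid user \S+ from (?P<ip>[0-9A-Fa-f.:]+)",
    ],
}

SYSLOG_TS = re.compile(r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) ")


def parse_ts(line: str, year: int = 2013):
    """Classic syslog stamps carry no year; one is supplied so the window arithmetic works."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")


class LogWatcher:
    def __init__(self, cfg, test_mode=True):
        self.cfg = cfg
        self.test_mode = test_mode
        self.patterns = [re.compile(p) for p in cfg["patterns"]]
        self.whitelist = [ipaddress.ip_network(n) for n in cfg["whitelist"]]
        self.hits = defaultdict(list)   # ip -> timestamps of recent matches
        self.banned = {}                # ip -> time of ban
        self.commands = []              # ipset commands run, or in test mode merely recorded

    def is_whitelisted(self, ip) -> bool:
        return any(ip in net for net in self.whitelist)

    def feed(self, line: str):
        """Process one log line; returns the address if this line triggered a ban, else None."""
        for pat in self.patterns:
            m = pat.search(line)
            if not m:
                continue
            try:
                ip = ipaddress.ip_address(m["ip"])   # never hand raw regex output to ipset
            except ValueError:
                return None
            if self.is_whitelisted(ip) or str(ip) in self.banned:
                return None
            ts = parse_ts(line) or datetime.now()
            recent = [t for t in self.hits[str(ip)] if t >= ts - self.cfg["window"]]
            recent.append(ts)
            self.hits[str(ip)] = recent
            if len(recent) >= self.cfg["threshold"]:
                self.ban(str(ip), ts)
                return str(ip)
            return None
        return None

    def ban(self, ip: str, ts):
        cmd = ["ipset", "-exist", "add", self.cfg["ipset"], ip, "timeout", str(self.cfg["timeout"])]
        self.commands.append(" ".join(cmd))
        self.banned[ip] = ts
        if not self.test_mode:
            subprocess.run(cmd, check=True)


# Constructed sample log: one attacker over threshold, one whitelisted host, one below threshold.
SAMPLE_LOG = """\
Aug 30 08:55:01 mx sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Aug 30 08:55:04 mx sshd[1234]: Failed password for invalid user admin from 198.51.100.7 port 50122 ssh2
Aug 30 08:55:09 mx sshd[1240]: Failed password for root from 192.0.2.10 port 41000 ssh2
Aug 30 08:55:10 mx sshd[1240]: Failed password for root from 192.0.2.10 port 41000 ssh2
Aug 30 08:55:11 mx sshd[1240]: Failed password for root from 192.0.2.10 port 41000 ssh2
Aug 30 08:55:12 mx sshd[1251]: Invalid user oracle from 198.51.100.7
Aug 30 09:30:00 mx sshd[1300]: Failed password for invalid user test from 203.0.113.5 port 2222 ssh2
Aug 30 09:31:00 mx sshd[1301]: Failed password for invalid user test from 203.0.113.5 port 2223 ssh2
"""


def run(lines, test_mode=True):
    """Feed lines to a watcher; returns (banned addresses in order, ipset commands)."""
    watcher = LogWatcher(SSH_CONFIG, test_mode=test_mode)
    banned = [ip for ip in (watcher.feed(l) for l in lines) if ip]
    return banned, watcher.commands


if __name__ == "__main__":
    # "tail -F /var/log/auth.log | python3 watcher.py -" reads live input; otherwise the sample is used.
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_LOG.splitlines()
    for cmd in run(source)[1]:
        print("test mode, would run:", cmd)
```

Passing test_mode=False makes ban() actually execute ipset; keeping the default True reproduces the "look at the list first" workflow from the post, since the set is harmless until an iptables rule references it.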
Re: IP Fragmentation - Not reliable over the Internet?
On 08/30/2013 01:58 PM, Randy Bush wrote:
>> In a study using the RIPE Atlas probes, we have used a heuristic to figure out where the fragments were dropped. And from the Atlas probes where IP fragments did not arrive, there is a high likelihood the problem is with the last hop to the Atlas probe.
>
> i wonder if this is correlated with the high number of probes being behind nats.

That would be a viable explanation, although we have not tried to fingerprint the probes to figure out if this was true. If we rerun the experiments in the future, we should spend more effort on identifying the router/middlebox that is giving the IP fragmentation problems (drops or blocking PMTUD ICMP).

-- Benno

-- 
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/
Re: Parsing Syslog and Acting on it, using other input too
On Fri, Aug 30, 2013 at 8:55 AM, Shawn Wilson ag4ve...@gmail.com wrote:
> Christopher Morrow morrowc.li...@gmail.com wrote:
>> On Thu, Aug 29, 2013 at 10:50 AM, Don Wilder don.wil...@gmail.com wrote:
>>> I wrote a script in Linux that watches for unauthorized login attempts and adds the ip address to the blocked list in my firewall. You might want to search sourceforge for a DYN Firewall and modify it from there.
>>
>> because fail2ban was too hard to install? or because you just wanted to test yourself?
>
> Actually I did the same. I use ipset lists (generally with a timeout) and take a regex or two and a black/white list from a YAML file, and just take (possibly multiple) inputs from piping tail -F. I also store addresses for future reference (by the script or otherwise). This is quite maintainable, as I can look at a list of people who have attacked the mail server and compare it to web attacks. Each process is a different type of service (different config file) and probably a different ipset.
>
> Due to ipset not actually doing anything until I make an iptables rule for it, I can run my script in a test mode (by default) and just see what happens (check its logs and the ipset list it generates).
>
> I haven't found the need for this yet, but I can use cymru to look up how big their net is (see geocidr for an example of how to do this in perl) and use a hash:net ipset type and cover a whole net.
>
> Basically what I'm saying is that doing it this way is quite expandable and isn't very hard, and I can do tons of stuff that fail2ban can't (I don't think - it's been a while since I looked).

you seem to be describing what fail2ban does... that and some grep of syslog for fail2ban messages.

If your solution works then great! :)
Re: Parsing Syslog and Acting on it, using other input too
Ah, it seems they do:
https://github.com/fail2ban/fail2ban/blob/master/config/action.d/iptables-ipset-proto6.conf

IDK enough about fail2ban to know whether I can assign a per proto or per log type config (I assume I can). In which case this does what my script does and then some. I would probably dump out an ipset save on exit and try to 'restore' on resume (which /I/ do), and I'm sure there's a way fail2ban can check a store of addresses and check what network a host belongs to (instead of just a host).

So, fail2ban is probably the way to go.

On Fri, Aug 30, 2013 at 10:00 AM, Christopher Morrow morrowc.li...@gmail.com wrote:
> On Fri, Aug 30, 2013 at 8:55 AM, Shawn Wilson ag4ve...@gmail.com wrote:
>> Christopher Morrow morrowc.li...@gmail.com wrote:
>>> On Thu, Aug 29, 2013 at 10:50 AM, Don Wilder don.wil...@gmail.com wrote:
>>>> I wrote a script in Linux that watches for unauthorized login attempts and adds the ip address to the blocked list in my firewall. You might want to search sourceforge for a DYN Firewall and modify it from there.
>>>
>>> because fail2ban was too hard to install? or because you just wanted to test yourself?
>>
>> Actually I did the same. I use ipset lists (generally with a timeout) and take a regex or two and a black/white list from a YAML file, and just take (possibly multiple) inputs from piping tail -F. I also store addresses for future reference (by the script or otherwise). This is quite maintainable, as I can look at a list of people who have attacked the mail server and compare it to web attacks. Each process is a different type of service (different config file) and probably a different ipset.
>>
>> Due to ipset not actually doing anything until I make an iptables rule for it, I can run my script in a test mode (by default) and just see what happens (check its logs and the ipset list it generates).
>>
>> I haven't found the need for this yet, but I can use cymru to look up how big their net is (see geocidr for an example of how to do this in perl) and use a hash:net ipset type and cover a whole net.
>>
>> Basically what I'm saying is that doing it this way is quite expandable and isn't very hard, and I can do tons of stuff that fail2ban can't (I don't think - it's been a while since I looked).
>
> you seem to be describing what fail2ban does... that and some grep of syslog for fail2ban messages.
>
> If your solution works then great! :)
Re: subrate SFP?
I think this is a great idea. Maybe not a huge market, but I would buy them instead of having to use dumb transceivers. It would be interesting to have some other smart SFP options too, like macsec for example...

Tim:

On Fri, Aug 30, 2013 at 5:00 AM, Saku Ytti s...@ytti.fi wrote:
> I actually emailed RAD, MethodE and Avago yesterday and pitched the idea. MiTOP is my exact justification why it should technically be feasible.
>
> I guess it would be easier to pitch if there were a commitment to buy, but I don't personally need many units, just 1-2 here and there.
>
> On 30 August 2013 11:56, Brandon Butterworth bran...@rd.bbc.co.uk wrote:
>>> There is absolutely no reason that you couldn't deliver 'media converter' or '2 port switch' in a SFP casing
>>
>> Yes, similar devices exist
>> http://www.rad.com/10/SFP-Format-TDM-Pseudowire-Gateway/10267/
>> so it probably just needs more demand
>>
>> brandon
>
> -- 
> ++ytti

-- 
Tim:
Google corporate network engineer
Hello, Is there a Google corporate network engineer here who can contact me off list please? It's regarding some issues with connectivity to the Google corporate network services and load balancing (not Google apps). Thanks! Ken
Weekly Routing Table Report
This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan.

The posting is sent to APOPS, NANOG, AfNOG, AusNOG, SANOG, PacNOG, LacNOG, TRNOG, CaribNOG and the RIPE Routing Working Group.

Daily listings are sent to bgp-st...@lists.apnic.net

For historical data, please see http://thyme.rand.apnic.net.

If you have any comments please contact Philip Smith pfsi...@gmail.com.

Routing Table Report   04:00 +10GMT Sat 31 Aug, 2013

Report Website:     http://thyme.rand.apnic.net
Detailed Analysis:  http://thyme.rand.apnic.net/current/

Analysis Summary
----------------

BGP routing table entries examined:                              465107
    Prefixes after maximum aggregation:                          187550
    Deaggregation factor:                                          2.48
    Unique aggregates announced to Internet:                     231015
Total ASes present in the Internet Routing Table:                 44850
    Prefixes per ASN:                                             10.37
Origin-only ASes present in the Internet Routing Table:           35058
Origin ASes announcing only one prefix:                           16251
Transit ASes present in the Internet Routing Table:                5917
Transit-only ASes present in the Internet Routing Table:            178
Average AS path length visible in the Internet Routing Table:       4.6
    Max AS path length visible:                                      29
    Max AS path prepend of ASN ( 36992)                              22
Prefixes from unregistered ASNs in the Routing Table:              5356
    Unregistered ASNs in the Routing Table:                        1757
Number of 32-bit ASNs allocated by the RIRs:                       4989
Number of 32-bit ASNs visible in the Routing Table:                3875
Prefixes from 32-bit ASNs in the Routing Table:                   11812
Special use prefixes present in the Routing Table:                    1
Prefixes being announced from unallocated address space:            352
Number of addresses announced to Internet:                   2638983692
    Equivalent to 157 /8s, 75 /16s and 178 /24s
Percentage of available address space announced:                   71.3
Percentage of allocated address space announced:                   71.3
Percentage of available address space allocated:                  100.0
Percentage of address space in use by end-sites:                   94.9
Total number of prefixes smaller than registry allocations:      162731

APNIC Region Analysis Summary
-----------------------------

Prefixes being announced by APNIC Region ASes:                   110153
    Total APNIC prefixes after maximum aggregation:               33429
    APNIC Deaggregation factor:                                    3.30
Prefixes being announced from the APNIC address blocks:          112046
    Unique aggregates announced from the APNIC address blocks:    46620
APNIC Region origin ASes present in the Internet Routing Table:    4873
    APNIC Prefixes per ASN:                                       22.99
APNIC Region origin ASes announcing only one prefix:               1230
APNIC Region transit ASes present in the Internet Routing Table:    828
Average APNIC Region AS path length visible:                        4.7
    Max APNIC Region AS path length visible:                         23
Number of APNIC region 32-bit ASNs visible in the Routing Table:    650
Number of APNIC addresses announced to Internet:              727650304
    Equivalent to 43 /8s, 95 /16s and 16 /24s
Percentage of available APNIC address space announced:             85.0

APNIC AS Blocks        4608-4864, 7467-7722, 9216-10239, 17408-18431
                       (pre-ERX allocations)
                       23552-24575, 37888-38911, 45056-46079, 55296-56319,
                       58368-59391, 131072-133119
APNIC Address Blocks     1/8,  14/8,  27/8,  36/8,  39/8,  42/8,  43/8,  49/8,
                        58/8,  59/8,  60/8,  61/8, 101/8, 103/8, 106/8, 110/8,
                       111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8,
                       119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8,
                       133/8, 150/8, 153/8, 163/8, 171/8, 175/8, 180/8, 182/8,
                       183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8,
                       221/8, 222/8, 223/8,

ARIN Region Analysis Summary
----------------------------

Prefixes being announced by ARIN Region ASes:                    161368
    Total ARIN prefixes after maximum aggregation:                80974
    ARIN Deaggregation factor:                                     1.99
Prefixes being announced from the ARIN address blocks:           161870
    Unique aggregates announced from the ARIN address blocks:     75307
ARIN Region origin ASes present in the Internet Routing Table:    15853
    ARIN Prefixes per ASN:                                        10.21
ARIN Region origin ASes
Re: looking for hostname geographic hint validation
On 08/27/2013 12:33 PM, Bradley Huffaker wrote:
> We are currently working on an algorithm that automatically detects geographic hints inside of hostnames. At this point we are seeking operators who can validate some of our inferences. Please contact me if you can validate one of the inferences below or can provide us with one we have missed.
>
> ###
> # Inferences
> ###
> iata        (International Air Transport Association airport code)
>             http://en.wikipedia.org/wiki/International_Air_Transport_Association_airport_code
> iaco        International Civil Aviation Organization airport code
>             http://en.wikipedia.org/wiki/International_Civil_Aviation_Organization_airport_code
> clli        COMMON LANGUAGE Location Identifier Code
>             http://en.wikipedia.org/wiki/CLLI
> city name   largest populated city with the given name
>             for example sandiego is San Diego, CA, US
>
> iata.yahoo.com

not in every case is iata helpful for yahoo. There is lax.yahoo.com and sjc.yahoo.com, but that's really only true for a few limited peering-points.

for non-US, most of the actual data centres have names related to the country. in US often more city related, but even that's a bit hairy with places like 'mud.yahoo.com'

peering points are still somewhat more random, may be city, country, or partner related ['the' is in london, for example]
Re: looking for hostname geographic hint validation
On Tue, Aug 27, 2013 at 1:35 PM, tabris tab...@tabris.net wrote:
> On 08/27/2013 12:33 PM, Bradley Huffaker wrote:
>> We are currently working on an algorithm that automatically detects geographic hints inside of hostnames. At this point we are seeking operators who can validate some of our inferences. Please contact me if you can validate one of the inferences below or can provide us with one we have missed.
>>
>> ###
>> # Inferences
>> ###
>> iata        (International Air Transport Association airport code)
>>             http://en.wikipedia.org/wiki/International_Air_Transport_Association_airport_code
>> iaco        International Civil Aviation Organization airport code
>>             http://en.wikipedia.org/wiki/International_Civil_Aviation_Organization_airport_code
>> clli        COMMON LANGUAGE Location Identifier Code
>>             http://en.wikipedia.org/wiki/CLLI
>> city name   largest populated city with the given name
>>             for example sandiego is San Diego, CA, US
>>
>> iata.yahoo.com
>
> not in every case is iata helpful for yahoo. There is lax.yahoo.com and sjc.yahoo.com, but that's really only true for a few limited peering-points.
>
> for non-US, most of the actual data centres have names related to the country. in US often more city related, but even that's a bit hairy with places like 'mud.yahoo.com'

Hey, MUD made sense at the time; it's the Mid US Datacenter. :P (now, good luck fitting that into any pattern scheme...)

> peering points are still somewhat more random, may be city, country, or partner related ['the' is in london, for example]

THE makes sense; everyone knows TeleHouse East.

I actually didn't even know about the IATA acronym until this thread, so I can honestly say it didn't enter into the naming discussions; I dare say there's a lot of other networks out there in a similar situation. Hitting 93% accuracy is actually pretty mindblowing from my perspective, given how random some of the naming choices are. ^_^;

Matt
Re: looking for hostname geographic hint validation
On Fri, Aug 30, 2013 at 02:45:09PM -0700, Matthew Petach wrote:
> Hitting 93% accuracy is actually pretty mindblowing from my perspective, given how random some of the naming choices are. ^_^;

This is the number of times we think we have an answer and it is wrong. It does not include the number of times we failed to find an answer that is there. Although we have plans to search for nonstandard names in the future, we currently do not look for them and so can't get them wrong.

-- 
the value of a world model is not how accurately it captures reality but how often it leads us to take appropriate action
Is the FBI's DNSSEC broken?
I don't claim to be a big DNSSEC expert, but this looks just plain wrong to me, and unbound agrees, turning it into a SERVFAIL.

Here's a lookup that succeeds, an A record for mail.ic.fbi.gov:

$ dig @ns1.fbi.gov mail.ic.fbi.gov a +dnssec

;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7222
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65235
;; QUESTION SECTION:
;mail.ic.fbi.gov.               IN      A

;; ANSWER SECTION:
mail.ic.fbi.gov.        600     IN      A       153.31.119.142
mail.ic.fbi.gov.        600     IN      RRSIG   A 7 4 600 20131124123847 20130826123847 32497 fbi.gov. dYs+1bPdO+8y3T5ij8qSn0BvTDv7X51wi++HV681rKzlK5SLKrZiGryV ow67iO30CWwztI3d5oCF7/6bEn3NetWq9IajeM19aorIdJMA6tAp1BQI EZMTcCsnInSIn2IRb3V2MXXOBx6r6wMt7ptNfp/Tro89h2K7q+Pgp0O2 WdU=

;; AUTHORITY SECTION:
fbi.gov.                600     IN      NS      ns3.fbi.gov.
fbi.gov.                600     IN      NS      ns5.fbi.gov.
fbi.gov.                600     IN      NS      ns4.fbi.gov.
fbi.gov.                600     IN      NS      ns2.fbi.gov.
fbi.gov.                600     IN      NS      ns1.fbi.gov.
fbi.gov.                600     IN      NS      ns6.fbi.gov.
fbi.gov.                600     IN      RRSIG   NS 7 2 600 20131124123847 20130826123847 32497 fbi.gov. l/AcT+Pmr/5yosWyvP3zbFIJE7f07F+AA8eh1X3qv8ulw9FbC0DhZfSo 1f5ctD6DIb613ButzKG01PdMzIknMroraOyGyRcAq27qYXzKRE0cTqhv UWz15jLa7N7YKYccR8Hmt6GY1DJitY41EwQP7Z2Fpac9yPTRnybc4mTS 4eY=

Here's a query for the same name, but for which it doesn't have:

$ dig @ns1.fbi.gov mail.ic.fbi.gov +dnssec

; <<>> DiG 9.8.3-P4 <<>> @ns1.fbi.gov mail.ic.fbi.gov +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41056
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 65235
;; QUESTION SECTION:
;mail.ic.fbi.gov.               IN

;; AUTHORITY SECTION:
fbi.gov.                600     IN      SOA     ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200 IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
fbi.gov.                600     IN      RRSIG   SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. QgsdhUT7AHic8tJv39br+994eoyJ4c8/SuQr35dRudceE/bYyZV26IPI 4qnR8Cy35WoepW12bhhhY0Ug26Qy81KWcWHYPw0Wa7g5Ig8Pw27l8gCV J7NDY6O5jTb4MMc9THTPKEvXjeX/YE4060HrbJXo1U93qhdILkGTvno7 3hA=

Shouldn't there be some more stuff there in the authority section, like an NSEC3 and RRSIG for mail.ic.fbi.gov? Am I missing something, or is it broken? The server says it's from Ultradns.

R's,
John
Re: Is the FBI's DNSSEC broken?
On Fri, Aug 30, 2013 at 10:27:36PM +, John Levine wrote:
> I don't claim to be a big DNSSEC expert, but this looks just plain wrong to me, and unbound agrees, turning it into a SERVFAIL.
>
> Here's a lookup that succeeds, an A record for mail.ic.fbi.gov:
>
> $ dig @ns1.fbi.gov mail.ic.fbi.gov a +dnssec
>
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7222
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 65235
> ;; QUESTION SECTION:
> ;mail.ic.fbi.gov.               IN      A
>
> ;; ANSWER SECTION:
> mail.ic.fbi.gov.        600     IN      A       153.31.119.142
> mail.ic.fbi.gov.        600     IN      RRSIG   A 7 4 600 20131124123847 20130826123847 32497 fbi.gov. dYs+1bPdO+8y3T5ij8qSn0BvTDv7X51wi++HV681rKzlK5SLKrZiGryV ow67iO30CWwztI3d5oCF7/6bEn3NetWq9IajeM19aorIdJMA6tAp1BQI EZMTcCsnInSIn2IRb3V2MXXOBx6r6wMt7ptNfp/Tro89h2K7q+Pgp0O2 WdU=
>
> ;; AUTHORITY SECTION:
> fbi.gov.                600     IN      NS      ns3.fbi.gov.
> fbi.gov.                600     IN      NS      ns5.fbi.gov.
> fbi.gov.                600     IN      NS      ns4.fbi.gov.
> fbi.gov.                600     IN      NS      ns2.fbi.gov.
> fbi.gov.                600     IN      NS      ns1.fbi.gov.
> fbi.gov.                600     IN      NS      ns6.fbi.gov.
> fbi.gov.                600     IN      RRSIG   NS 7 2 600 20131124123847 20130826123847 32497 fbi.gov. l/AcT+Pmr/5yosWyvP3zbFIJE7f07F+AA8eh1X3qv8ulw9FbC0DhZfSo 1f5ctD6DIb613ButzKG01PdMzIknMroraOyGyRcAq27qYXzKRE0cTqhv UWz15jLa7N7YKYccR8Hmt6GY1DJitY41EwQP7Z2Fpac9yPTRnybc4mTS 4eY=
>
> Here's a query for the same name, but for which it doesn't have:
>
> $ dig @ns1.fbi.gov mail.ic.fbi.gov +dnssec
>
> ; <<>> DiG 9.8.3-P4 <<>> @ns1.fbi.gov mail.ic.fbi.gov +dnssec
> ; (2 servers found)
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41056
> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
> ;; WARNING: recursion requested but not available
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 65235
> ;; QUESTION SECTION:
> ;mail.ic.fbi.gov.               IN
>
> ;; AUTHORITY SECTION:
> fbi.gov.                600     IN      SOA     ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200
> 95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200 IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
> fbi.gov.                600     IN      RRSIG   SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. QgsdhUT7AHic8tJv39br+994eoyJ4c8/SuQr35dRudceE/bYyZV26IPI 4qnR8Cy35WoepW12bhhhY0Ug26Qy81KWcWHYPw0Wa7g5Ig8Pw27l8gCV J7NDY6O5jTb4MMc9THTPKEvXjeX/YE4060HrbJXo1U93qhdILkGTvno7 3hA=
>
> Shouldn't there be some more stuff there in the authority section, like an NSEC3 and RRSIG for mail.ic.fbi.gov? Am I missing something, or is it broken? The server says it's from Ultradns.
>
> R's,
> John

Hi John;

I don't think you're alone on this! Ref this thread (an issue we ran into with accepting mail from ic.fbi.gov due to DNSSEC validation failure) from July [1]. Have done my best to get someone's attention to fix the issue, but so far no joy.

Ray

[1] https://lists.isc.org/pipermail/bind-users/2013-July/091140.html
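The NODATA response quoted in this thread can be checked mechanically rather than by eye. The following is an added example written for this page, not code from the thread, from unbound or from the name servers discussed: it implements the RFC 5155 NSEC3 owner-name hash (SHA-1 over the canonical wire-format name, with the salt and iteration count taken from the NSEC3 record itself, base32hex output) and a structural check of a NODATA proof, which per RFC 5155 section 8.5 needs an NSEC3 whose owner hash matches the query name, a type bitmap that does not list the query type, and an RRSIG covering that NSEC3 RRset. The authority section is transcribed from the response quoted above; the query type is not visible in the quoted output, so AAAA is assumed here purely for illustration, and the check does not verify signatures, only whether the records a validator needs are present.

```python
"""RFC 5155 NSEC3 hashing and a minimal NODATA-proof check (added example)."""
import base64
import hashlib

# RFC 5155 sec. 5 requires base32hex (0-9A-V); Python's b32encode emits RFC 4648 base32 (A-Z2-7).
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, terminated by the root label."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long: {label!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """IH(0) = SHA1(owner || salt); IH(k) = SHA1(IH(k-1) || salt); result is IH(iterations) in base32hex."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def check_nodata_proof(authority, qname: str, qtype: str) -> list:
    """Structural RFC 5155 sec. 8.5 NODATA check.

    `authority` is a list of (owner, rrtype, rdata) tuples; NSEC3 rdata carries
    salt/iterations/types, RRSIG rdata carries the type it covers. Returns a list of
    problems; an empty list means every record a validator needs is present."""
    problems = []
    nsec3s = [(owner, rd) for owner, rtype, rd in authority if rtype == "NSEC3"]
    covered = {rd["covers"] for _, rtype, rd in authority if rtype == "RRSIG"}
    if not nsec3s:
        return ["no NSEC3 record in the authority section"]
    matched = False
    for owner, rd in nsec3s:
        if nsec3_hash(qname, rd["salt"], rd["iterations"]) == owner.lower().split(".")[0]:
            matched = True
            if qtype in rd["types"]:
                problems.append(f"matching NSEC3 lists {qtype} in its type bitmap")
    if not matched:
        problems.append(f"no NSEC3 owner hash matches {qname}")
    if "NSEC3" not in covered:
        problems.append("no RRSIG covering the NSEC3 RRset")
    return problems


# Authority section transcribed from the quoted response: SOA, one NSEC3 (salt BBAB,
# 10 iterations, types A RRSIG) and an RRSIG over the SOA only.
FBI_AUTHORITY = [
    ("fbi.gov.", "SOA", {}),
    ("95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov.", "NSEC3",
     {"salt": "BBAB", "iterations": 10, "types": {"A", "RRSIG"}}),
    ("fbi.gov.", "RRSIG", {"covers": "SOA"}),
]

if __name__ == "__main__":
    # RFC 5155 Appendix A test vector: owner "example", salt aabbccdd, 12 iterations.
    print("H(example) =", nsec3_hash("example", "aabbccdd", 12))
    # Compare against the NSEC3 owner in the quoted response.
    print("H(mail.ic.fbi.gov) =", nsec3_hash("mail.ic.fbi.gov", "BBAB", 10))
    # Query type assumed; it is not visible in the quoted output.
    for problem in check_nodata_proof(FBI_AUTHORITY, "mail.ic.fbi.gov", "AAAA"):
        print("problem:", problem)
```

Running it prints the hash of the query name next to the NSEC3 owner from the response, so the reader can see for themselves whether the record is the matching one, and lists what a validator would still be missing from this authority section.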
The Cidr Report
This report has been generated at Fri Aug 30 21:13:28 2013 AEST.
The report analyses the BGP Routing Table of AS2.0 router and generates a report on aggregation potential within the table.

Check http://www.cidr-report.org for a current version of this report.

Recent Table History
        Date      Prefixes    CIDR Agg
        23-08-13    475628      270610
        24-08-13    476232      270671
        25-08-13    476677      270524
        26-08-13    476502      270544
        27-08-13    476404      272206
        28-08-13    479770      272778
        29-08-13    479591      271300
        30-08-13    479696      271126

AS Summary
         45021  Number of ASes in routing system
         18534  Number of ASes announcing only one prefix
          4172  Largest number of prefixes announced by an AS
                AS7029 : WINDSTREAM - Windstream Communications Inc
     117919968  Largest address span announced by an AS (/32s)
                AS4134 : CHINANET-BACKBONE No.31,Jin-rong Street

Aggregation Summary
The algorithm used in this report proposes aggregation only when there is a precise match using the AS path, so as to preserve traffic transit policies. Aggregation is also proposed across non-advertised address space ('holes').

 --- 30Aug13 ---
ASnum    NetsNow NetsAggr  NetGain   % Gain   Description

Table     479732   271245   208487    43.5%   All ASes

AS6389      3069       65     3004    97.9%   BELLSOUTH-NET-BLK - BellSouth.net Inc.
AS28573     3225      472     2753    85.4%   NET Serviços de Comunicação S.A.
AS17974     2667      259     2408    90.3%   TELKOMNET-AS2-AP PT Telekomunikasi Indonesia
AS7029      4172     2020     2152    51.6%   WINDSTREAM - Windstream Communications Inc
AS4766      2872      915     1957    68.1%   KIXS-AS-KR Korea Telecom
AS22773     2045      132     1913    93.5%   ASN-CXA-ALL-CCI-22773-RDC - Cox Communications Inc.
AS18566     2065      468     1597    77.3%   COVAD - Covad Communications Co.
AS10620     2615     1039     1576    60.3%   Telmex Colombia S.A.
AS3356      3244     1715     1529    47.1%   LEVEL3 Level 3 Communications
AS36998     1862      394     1468    78.8%   SDN-MOBITEL
AS4323      2970     1533     1437    48.4%   TWTC - tw telecom holdings, inc.
AS18881     1452       67     1385    95.4%   Global Village Telecom
AS2118      1368       53     1315    96.1%   RELCOM-AS OOO NPO Relcom
AS7303      1733      455     1278    73.7%   Telecom Argentina S.A.
AS4755      1766      585     1181    66.9%   TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
AS7552      1139       91     1048    92.0%   VIETEL-AS-AP Vietel Corporation
AS22561     1197      212      985    82.3%   DIGITAL-TELEPORT - Digital Teleport Inc.
AS1785      2006     1155      851    42.4%   AS-PAETEC-NET - PaeTec Communications, Inc.
AS11830      946      117      829    87.6%   Instituto Costarricense de Electricidad y Telecom.
AS18101      982      179      803    81.8%   RELIANCE-COMMUNICATIONS-IN Reliance Communications Ltd.DAKC MUMBAI
AS4808      1155      397      758    65.6%   CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network
AS7545      2066     1340      726    35.1%   TPG-INTERNET-AP TPG Telecom Limited
AS701       1523      801      722    47.4%   UUNET - MCI Communications Services, Inc. d/b/a Verizon Business
AS13977      854      140      714    83.6%   CTELCO - FAIRPOINT COMMUNICATIONS, INC.
AS8151      1290      587      703    54.5%   Uninet S.A. de C.V.
AS855        736       55      681    92.5%   CANET-ASN-4 - Bell Aliant Regional Communications, Inc.
AS6983      1153      484      669    58.0%   ITCDELTA - ITC^Deltacom
AS24560     1089      430      659    60.5%   AIRTELBROADBAND-AS-AP Bharti Airtel Ltd., Telemedia Services
AS17676      759      133      626    82.5%   GIGAINFRA Softbank BB Corp.
AS33363
BGP Update Report
BGP Update Report
Interval: 22-Aug-13 -to- 29-Aug-13 (7 days)
Observation Point: BGP Peering with AS131072

TOP 20 Unstable Origin AS
Rank  ASN       Upds     %   Upds/Pfx  AS-Name
 1 -  AS3593   61034  2.5%      256.4  -- FRONTIER-EPIX - Frontier Communications of America, Inc.
 2 -  AS27738  41907  1.7%       72.8  -- Ecuadortelecom S.A.
 3 -  AS8402   40274  1.7%       21.7  -- CORBINA-AS OJSC Vimpelcom
 4 -  AS9829   31450  1.3%       23.9  -- BSNL-NIB National Internet Backbone
 5 -  AS18403  31330  1.3%       53.1  -- FPT-AS-AP The Corporation for Financing Promoting Technology
 6 -  AS28573  28643  1.2%        8.7  -- NET Serviços de Comunicação S.A.
 7 -  AS55714  25129  1.0%       97.8  -- APNIC-FIBERLINK-PK Fiberlink Pvt.Ltd
 8 -  AS2118   22648  0.9%       16.5  -- RELCOM-AS OOO NPO Relcom
 9 -  AS9416   18951  0.8%      321.2  -- MULTIMEDIA-AS-AP Hoshin Multimedia Center Inc.
10 -  AS14287  18878  0.8%      349.6  -- TRIAD-TELECOM - Triad Telecom, Inc.
11 -  AS4538   17187  0.7%       31.5  -- ERX-CERNET-BKB China Education and Research Network Center
12 -  AS50710  16692  0.7%       69.5  -- EARTHLINK-AS EarthLink Ltd. Communications&Internet Services
13 -  AS4775   16377  0.7%      195.0  -- GLOBE-TELECOM-AS Globe Telecoms
14 -  AS9498   15148  0.6%       12.8  -- BBIL-AP BHARTI Airtel Ltd.
15 -  AS4755   14230  0.6%        8.1  -- TATACOMM-AS TATA Communications formerly VSNL is Leading ISP
16 -  AS647    12307  0.5%       83.7  -- DNIC-ASBLK-00616-00665 - DoD Network Information Center
17 -  AS10620  12255  0.5%        4.9  -- Telmex Colombia S.A.
18 -  AS38654  11671  0.5%     1945.2  -- INES-NETWORK INES Corporation.
19 -  AS7545   11591  0.5%        6.8  -- TPG-INTERNET-AP TPG Telecom Limited
20 -  AS15003  11434  0.5%       13.7  -- NOBIS-TECH - Nobis Technology Group, LLC

TOP 20 Unstable Origin AS (Updates per announced prefix)
Rank  ASN       Upds     %   Upds/Pfx  AS-Name
 1 -  AS37367   3547  0.1%     3547.0  -- CALLKEY
 2 -  AS6174    7031  0.3%     3515.5  -- SPRINTLINK8 - Sprint
 3 -  AS22335   3163  0.1%     3163.0  -- MREN - Metropolitan Research and Education Network
 4 -  AS42334   2667  0.1%     2667.0  -- BBP-AS Broadband Plus s.a.l.
 5 -  AS53008  10271  0.4%     2567.8  -- Pontal Cabo Ltda
 6 -  AS37425   4681  0.2%     2340.5  -- Somcable
 7 -  AS38654  11671  0.5%     1945.2  -- INES-NETWORK INES Corporation.
 8 -  AS19301   3843  0.2%     1921.5  -- CERIDIAN-TAX - CERIDIAN TAX SERVICE, INC
 9 -  AS33648   3747  0.2%     1249.0  -- ELEPHANT - ColoFlorida / Elephant Outlook
10 -  AS6629    9090  0.4%      909.0  -- NOAA-AS - NOAA
11 -  AS14758   4922  0.2%      820.3  -- SJILLC-ASN - Vision Communications
12 -  AS43884    776  0.0%      776.0  -- EG-CONSULTING-AS EG Information Consulting Ltd
13 -  AS48612   9723  0.4%      694.5  -- RTC-ORENBURG-AS CJSC Comstar-Regions
14 -  AS1880    4834  0.2%      604.2  -- STUPI Svensk Teleutveckling Produktinnovation, STUPI AB
15 -  AS44265   2235  0.1%      558.8  -- SMOLTELECOM-NET Smoltelecom Ltd
16 -  AS22688    988  0.0%      494.0  -- DOLGENCORP - Dollar General Corporation
17 -  AS16608   8133  0.3%      478.4  -- KENTEC - Kentec Communications, Inc.
18 -  AS57201    430  0.0%      430.0  -- EDF-AS Estonian Defence Forces
19 -  AS28698   1235  0.1%      411.7  -- UUNETZM-AS
20 -  AS19406   4395  0.2%      399.5  -- TWRS-MA - Towerstream I, Inc.

TOP 20 Unstable Prefixes
Rank  Prefix             Upds     %   Origin AS  -- AS Name
 1 -  199.224.95.0/24   12162  0.5%   AS3593     -- FRONTIER-EPIX - Frontier Communications of America, Inc.
 2 -  209.74.11.0/24    12160  0.5%   AS3593     -- FRONTIER-EPIX - Frontier Communications of America, Inc.
 3 -  199.224.82.0/24   12160  0.5%   AS3593     -- FRONTIER-EPIX - Frontier Communications of America, Inc.
 4 -  205.238.218.0/24  12159  0.5%   AS3593     -- FRONTIER-EPIX - Frontier Communications of America, Inc.
 5 -  199.224.78.0/24   12158  0.5%   AS3593     -- FRONTIER-EPIX - Frontier Communications of America, Inc.
 6 -  61.95.239.0/24    11838  0.5%   AS9498     -- BBIL-AP BHARTI Airtel Ltd.
 7 -  150.39.0.0/16     11666  0.5%   AS38654    -- INES-NETWORK INES Corporation.
 8 -  177.185.160.0/20  10256  0.4%   AS53008    -- Pontal Cabo Ltda
 9 -  92.246.207.0/24    9507  0.4%   AS48612    -- RTC-ORENBURG-AS CJSC Comstar-Regions
10 -  203.118.232.0/21   9399  0.4%   AS9416     -- MULTIMEDIA-AS-AP Hoshin Multimedia Center Inc.
11 -  203.118.224.0/21   9384  0.4%   AS9416     -- MULTIMEDIA-AS-AP Hoshin Multimedia Center Inc.
12 -  192.58.232.0/24    8998  0.3%   AS6629     -- NOAA-AS - NOAA
13 -  202.154.17.0/24    8768  0.3%   AS4434     -- ERX-RADNET1-AS PT Rahajasa Media Internet
14 -  194.219.56.0/24    8563  0.3%   AS1241     -- FORTHNET-GR
Re: Is the FBI's DNSSEC broken?
In message <20130830223510.ga10...@esri.com>, Ray Van Dolson writes:
> On Fri, Aug 30, 2013 at 10:27:36PM +, John Levine wrote:
>> I don't claim to be a big DNSSEC expert, but this looks just plain
>> wrong to me, and unbound agrees, turning it into a SERVFAIL.
>>
>> Here's a lookup that succeeds, an A record for mail.ic.fbi.gov:
>>
>> $ dig @ns1.fbi.gov mail.ic.fbi.gov a +dnssec
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7222
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 65235
>> ;; QUESTION SECTION:
>> ;mail.ic.fbi.gov.  IN A
>>
>> ;; ANSWER SECTION:
>> mail.ic.fbi.gov.  600 IN A 153.31.119.142
>> mail.ic.fbi.gov.  600 IN RRSIG A 7 4 600 20131124123847 20130826123847 32497 fbi.gov. dYs+1bPdO+8y3T5ij8qSn0BvTDv7X51wi++HV681rKzlK5SLKrZiG ryV ow67iO30CWwztI3d5oCF7/6bEn3NetWq9IajeM19aorIdJMA6tAp1BQI EZMTcCsnInSIn2IR b3V2MXXOBx6r6wMt7ptNfp/Tro89h2K7q+Pgp0O2 WdU=
>>
>> ;; AUTHORITY SECTION:
>> fbi.gov.  600 IN NS ns3.fbi.gov.
>> fbi.gov.  600 IN NS ns5.fbi.gov.
>> fbi.gov.  600 IN NS ns4.fbi.gov.
>> fbi.gov.  600 IN NS ns2.fbi.gov.
>> fbi.gov.  600 IN NS ns1.fbi.gov.
>> fbi.gov.  600 IN NS ns6.fbi.gov.
>> fbi.gov.  600 IN RRSIG NS 7 2 600 20131124123847 20130826123847 32497 fbi.gov. l/AcT+Pmr/5yosWyvP3zbFIJE7f07F+AA8eh1X3qv8ulw9FbC0Dh ZfSo 1f5ctD6DIb613ButzKG01PdMzIknMroraOyGyRcAq27qYXzKRE0cTqhv UWz15jLa7N7YKYc cR8Hmt6GY1DJitY41EwQP7Z2Fpac9yPTRnybc4mTS 4eY=
>>
>> Here's a query for the same name, but for which it doesn't have:
>>
>> $ dig @ns1.fbi.gov mail.ic.fbi.gov +dnssec
>>
>> ; <<>> DiG 9.8.3-P4 <<>> @ns1.fbi.gov mail.ic.fbi.gov +dnssec
>> ; (2 servers found)
>> ;; global options: +cmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41056
>> ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
>> ;; WARNING: recursion requested but not available
>>
>> ;; OPT PSEUDOSECTION:
>> ; EDNS: version: 0, flags: do; udp: 65235
>> ;; QUESTION SECTION:
>> ;mail.ic.fbi.gov.  IN
>>
>> ;; AUTHORITY SECTION:
>> fbi.gov.  600 IN SOA ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200
>> 95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov. 43200 IN NSEC3 1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG
>> fbi.gov.  600 IN RRSIG SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. QgsdhUT7AHic8tJv39br+994eoyJ4c8/SuQr35dRudceE/bYyZV 26IPI 4qnR8Cy35WoepW12bhhhY0Ug26Qy81KWcWHYPw0Wa7g5Ig8Pw27l8gCV J7NDY6O5jTb4MM c9THTPKEvXjeX/YE4060HrbJXo1U93qhdILkGTvno7 3hA=
>>
>> Shouldn't there be some more stuff there in the authority section, like
>> an NSEC3 and RRSIG for mail.ic.fbi.gov?

The NSEC3 is there and it is correct.  What is missing is the signature
for the NSEC3.

% nsec3hash BBAB 1 10 mail.ic.fbi.gov
95RIPFTKTJC9I7J8HDAIA7CM6L279FSR (salt=BBAB, hash=1, iterations=10)
%

Mark

>> Am I missing something, or is it broken?  The server says it's from
>> Ultradns.
>>
>> R's,
>> John
>
> Hi John;
>
> I don't think you're alone on this!  Ref this thread (an issue we ran
> into with accepting mail from ic.fbi.gov due to DNSSEC validation
> failure) from July[1].  Have done my best to get someone's attention to
> fix the issue, but so far no joy.
>
> Ray
>
> [1] https://lists.isc.org/pipermail/bind-users/2013-July/091140.html

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
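An added check of Mark's point (example code written for this digest, not from the thread, BIND or UltraDNS): it computes the RFC 5155 NSEC3 hash the way nsec3hash does, confirms that the NSEC3 owner in the quoted authority section matches mail.ic.fbi.gov, and reports that no RRSIG covers that NSEC3, which is why a validator fails. The records are transcribed from the dig output above with the signature blob abbreviated; the caller supplies the query type, since the quoted output does not show it.

```python
import base64
import hashlib

# Authority section of the NODATA response quoted above, transcribed by hand
# as (owner, type, rdata); constructed test data, signature blob abbreviated.
AUTHORITY = [
    ("fbi.gov.", "SOA",
     "ns1.fbi.gov. dns-admin.fbi.gov. 2013082601 7200 3600 2592000 43200"),
    ("95RIPFTKTJC9I7J8HDAIA7CM6L279FSR.fbi.gov.", "NSEC3",
     "1 0 10 BBAB 97S2G907NEFOJ79P721E4FEQ9LR3IT1S A RRSIG"),
    ("fbi.gov.", "RRSIG",
     "SOA 7 2 600 20131124123847 20130826123847 32497 fbi.gov. ..."),
]

# RFC 4648 section 7 base32hex alphabet, which NSEC3 owner names use.
_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567", "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_to_wire(name):
    """Canonical (lowercase) wire-format owner name, RFC 5155 section 5."""
    labels = [l.lower() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """SHA-1(name||salt), then `iterations` further rounds of SHA-1(digest||salt)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").rstrip("=").translate(_B32HEX)


def check_nodata_proof(qname, qtype, authority):
    """Is there an NSEC3 matching qname, does its type map omit qtype, is it signed?"""
    result = {"nsec3_matches": False, "type_absent": False, "nsec3_signed": False}
    for owner, rtype, rdata in authority:
        if rtype != "NSEC3":
            continue
        alg, _flags, iterations, salt, _next, *types = rdata.split()
        if alg != "1":                      # SHA-1 is the only defined NSEC3 hash
            continue
        salt = "" if salt == "-" else salt  # "-" in presentation format means no salt
        if owner.split(".")[0].upper() == nsec3_hash(qname, salt, int(iterations)):
            result["nsec3_matches"] = True
            result["type_absent"] = qtype.upper() not in {t.upper() for t in types}
            # A validator also needs an RRSIG covering NSEC3 at the same owner.
            result["nsec3_signed"] = any(
                o == owner and t == "RRSIG" and r.split()[0] == "NSEC3"
                for o, t, r in authority)
    return result
```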
Re: looking for hostname geographic hint validation
On Fri, Aug 30, 2013 at 3:25 PM, Bradley Huffaker <bhuff...@caida.org> wrote:
> On Fri, Aug 30, 2013 at 02:45:09PM -0700, Matthew Petach wrote:
>> Hitting 93% accuracy is actually pretty mindblowing from my perspective,
>> given how random some of the naming choices are. ^_^;
>
> This is the number of times we think we have an answer and it is wrong.

Ah, so that would include cases like thinking CH1 and CHE might be nearby,
rather than halfway around the planet, but wouldn't include things like MUD,
where there wouldn't even be a guess at an answer.

> It does not include the number of times we failed to find an answer that
> is there. Although we have plans to search for nonstandard names in the
> future, we currently do not look for them and so can't get them wrong.

Thanks for the clarification around the number--makes much more sense now. :)

Matt