Re: Level 3 problems in Miami?
It's also failing in reverse from the Level 3 LG...doing a traceroute from Miami to myself, this is the result:
 1 ae-1-51.edge4.Miami1.Level3.net (4.69.138.76) 0.591 ms 7.49 ms 0.540 ms
 2 TWC-level3-40G.Miami.Level3.net (4.68.62.182) 0.668 ms 0.680 ms 15.2 ms
 3 0.0.0.0 * * *
 4 0.0.0.0 * * *
 5 0.0.0.0 * * *
Looks like it can't get any further than the interconnect router between Level 3 and TWC...can someone from Level 3 reach out or look into this please?
On Thu, Feb 26, 2015 at 8:34 AM, Blair Trosper blair.tros...@gmail.com wrote:
Also seeing it after this one: po5.ar1.mia2.gblx.net (67.16.148.102)
On Thu, Feb 26, 2015 at 8:32 AM, Blair Trosper blair.tros...@gmail.com wrote:
Anyone else having massive trouble getting to endpoints beyond core routers in Miami on Level 3? I'm cut off (packets die) from Miami and Tampa after this specific router: po4-20g.ar1.mia2.gblx.net (67.16.134.218) If anyone from Level 3 could reach out, or if anyone knows what's going on and can say, I'd appreciate it. Thanks, Blair
Re: Level 3 problems in Miami?
Level 3 confirms, ticket is open.
On Thu, Feb 26, 2015 at 8:59 AM, Blair Trosper blair.tros...@gmail.com wrote:
It's also failing in reverse from the Level 3 LG...doing a traceroute from Miami to myself, this is the result:
 1 ae-1-51.edge4.Miami1.Level3.net (4.69.138.76) 0.591 ms 7.49 ms 0.540 ms
 2 TWC-level3-40G.Miami.Level3.net (4.68.62.182) 0.668 ms 0.680 ms 15.2 ms
 3 0.0.0.0 * * *
 4 0.0.0.0 * * *
 5 0.0.0.0 * * *
Looks like it can't get any further than the interconnect router between Level 3 and TWC...can someone from Level 3 reach out or look into this please?
On Thu, Feb 26, 2015 at 8:34 AM, Blair Trosper blair.tros...@gmail.com wrote:
Also seeing it after this one: po5.ar1.mia2.gblx.net (67.16.148.102)
On Thu, Feb 26, 2015 at 8:32 AM, Blair Trosper blair.tros...@gmail.com wrote:
Anyone else having massive trouble getting to endpoints beyond core routers in Miami on Level 3? I'm cut off (packets die) from Miami and Tampa after this specific router: po4-20g.ar1.mia2.gblx.net (67.16.134.218) If anyone from Level 3 could reach out, or if anyone knows what's going on and can say, I'd appreciate it. Thanks, Blair
Level 3 problems in Miami?
Anyone else having massive trouble getting to endpoints beyond core routers in Miami on Level 3? I'm cut off (packets die) from Miami and Tampa after this specific router: po4-20g.ar1.mia2.gblx.net (67.16.134.218) If anyone from Level 3 could reach out, or if anyone knows what's going on and can say, I'd appreciate it. Thanks, Blair
Re: AOL Postmaster
On Feb 25, 2015, at 5:54 PM, Suresh Ramasubramanian ops.li...@gmail.com wrote:
You think every accountant, realtor, coffee shop etc uses their own domain?
No. But they should not, and in many cases *cannot*, rely on aol or yahoo addresses. It would suck for them to have to change all their contact information, business cards, and so on - but a) they chose their email provider unwisely and that's the cost of relying on an inappropriate vendor and b) they don't really need to - inbound mail to those addresses is mostly fine, so they just need to get a second email address and gradually migrate their outbound usage to that.
Because the root cause of this issue is a long series of security mistakes by those providers, allowing 3rd parties to have access to users' (supposedly private) account information, the issue is specific to those providers, and there's no strong argument that other email providers are likely to make the same business choices.
Cheers, Steve
Re: Level 3 problems in Miami?
Also seeing it after this one: po5.ar1.mia2.gblx.net (67.16.148.102)
On Thu, Feb 26, 2015 at 8:32 AM, Blair Trosper blair.tros...@gmail.com wrote:
Anyone else having massive trouble getting to endpoints beyond core routers in Miami on Level 3? I'm cut off (packets die) from Miami and Tampa after this specific router: po4-20g.ar1.mia2.gblx.net (67.16.134.218) If anyone from Level 3 could reach out, or if anyone knows what's going on and can say, I'd appreciate it. Thanks, Blair
Re: OT: VPS with Routed IP space
Am 24.02.2015 um 23:59 schrieb Doug Barton: On 2/24/15 1:42 PM, Michael Helmeste wrote: ARP Networks: https://www.arpnetworks.com/vps Routed IP space (v4 and v6) as well as BGP peering. +1 for Arp, I'm a happy customer (no other affiliation). We are going to do this at datapath.io using AWS and others soon. We do some BGP peering on your behalf and expose some parameters to the VPS via API. Best regards, Sebastian
Re: v6 deagg
On 2/24/2015 6:35 PM, William Herrin wrote:
Anyway, I heard back from DRAGON's authors. Paraphrasing: An aggregate (e.g. 10.0.0.0/8) must be withdrawn if the aggregate's origin loses its direct route to the filterable disaggregate's origin (e.g. 10.2.3.0/24). The withdrawn aggregate is replaced with a synthesized set of announcements which fully cover the aggregate's address space excluding the unreachable disaggregate (e.g. 10.0.0.0/15, 10.2.0.0/23, 10.2.2.0/24, 10.2.4.0/22, 10.2.8.0/21, 10.2.16.0/20, etc.) When direct connectivity is restored, the aggregate is again announced and the synthetic announcements withdrawn.
This overcomes my objection. The aggregate's origin can reasonably be programmed to trigger on the nearby disaggregate's withdrawal. System-wide withdrawal of the aggregate route is a sufficient trigger to cancel filtering on the disaggregate which should then fully propagate. And the overall savings should still be substantial even with transient synthetics in the table.
I look forward to seeing how the authors address the many implications of this requirement. I'm not sold just yet but I am suitably impressed.
Regards, Bill Herrin
Yipee for huge amounts of automatic updates! I guess convergence latency is better than memory? So, how many /16 networks does a core network have which they hand out to customers that are multi-homed? What is the state of flux? Normally, we'd see the transition states of the more specific routes. Now we'll see multiple updates for each of those transition states (/24 removed so /16 is broken. Another /24 is removed so a /17 is broken, another /24 is removed so a /18 is broken). Provider X lost 50 multihomed customers spread across 20 aggregate networks. Process!
Aggregates normally cover unassigned space as well. Do we now have to define to the router which space is supposed to be used and which is not so it knows when to break apart an aggregate?
Removing a route don't come this way! is roughly the same as breaking the aggregate except for the extra processing time. It is likely that a node choosing between 2 aggregates would also be choosing the same between 2 more specific routes. Until convergence is done, it'd still route the wrong way in either case. One could stipulate that convergence might be slightly longer in this case due to update processing.
Routing might be contrary to desire in cases where more specific route is advertised one way only and then an aggregate is used as a fallback. While the node filtering the more specific route may consider the path the same so it filters, the next node is making a choice between aggregates and may choose to send the traffic the other way because it's less AS hops; but don't worry, the 256k line backup will do just fine!
Consider this simplistic model:
A--B
 \/
 C
C is a business or ISP with its own address space. It normally advertises an aggregate /20 to A and B. A and B local-pref C's routes because that's what transit providers do. C is under a DDOS attack. They issue a covering /24 to B and a /32 to B for blackhole service. B will propagate the /32 through its entire network because the hop is to a discard (nifty!), however, the /24 will be the same as the /20, so it is filtered out. We can change the local-pref (go communities) of the /24 and that will allow it to propagate to A. A will accept the /24, presumably because the /24 doesn't match the selected /20 chosen (because of local pref). However!
A--D---B
 \/
 C
D may or may not filter the /24 from B. It depends on their routing policy. A may only see the /20 from D and thus send all its DDOS traffic on to C due to local-pref. Sorry, C. Next time, please manually change your BGP so you no longer advertise an aggregate. Oh, and it will be simpler for you to change if you just do /24 networks from now on and don't bother with the aggregate headache.
SUMMARY: What is the cost if aggregates start being broken apart and not used because people want to ensure their traffic does what they want? What is the cost of all these aggregate networks being broken up because their more specific routes aren't there? What is the cost of managing which smaller networks are supposed to be there and which are just unassigned currently to prevent aggregate breakup?
Jack
P.S. I didn't delve completely into all the documents and so perhaps I misunderstood or missed something important. My concerns may be completely unjustified.
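The exchange above turns on two things: the synthesized set that replaces a withdrawn aggregate, and how many updates each further failure generates. The following is an added example, not code from the thread or from DRAGON's authors; the function names `synthesize_cover` and `update_churn` and the second failed prefix (10.2.9.0/24) are assumptions made for illustration.

```python
import ipaddress

def synthesize_cover(aggregate, unreachable):
    """Smallest prefix list covering `aggregate` minus every prefix in `unreachable`."""
    agg = ipaddress.ip_network(aggregate)
    holes = [ipaddress.ip_network(p) for p in unreachable]
    for hole in holes:
        if hole.version != agg.version or not hole.subnet_of(agg):
            raise ValueError(f"{hole} is not inside {agg}")

    def walk(net):
        if any(net.subnet_of(h) for h in holes):
            return []                      # entirely unreachable: announce nothing
        if not any(h.subnet_of(net) for h in holes):
            return [net]                   # untouched by any hole: one announcement
        low, high = net.subnets(prefixlen_diff=1)
        return walk(low) + walk(high)      # split in half, keep address order

    return walk(agg)

def update_churn(aggregate, failures):
    """For each successive failure, count (withdrawals, announcements) needed."""
    table = {ipaddress.ip_network(aggregate)}
    down, log = [], []
    for failed in failures:
        down.append(failed)
        new_table = set(synthesize_cover(aggregate, down))
        log.append((failed, len(table - new_table), len(new_table - table)))
        table = new_table
    return log

if __name__ == "__main__":
    # The thread's own case: 10.0.0.0/8 loses its route to 10.2.3.0/24.
    for net in synthesize_cover("10.0.0.0/8", ["10.2.3.0/24"]):
        print(net)
    # Constructed second failure, to show the per-event update count.
    for failed, withdrawn, announced in update_churn(
            "10.0.0.0/8", ["10.2.3.0/24", "10.2.9.0/24"]):
        print(f"{failed}: withdraw {withdrawn}, announce {announced}")
```

The first failure costs one announcement per bit of prefix-length difference between aggregate and disaggregate, which is the update volume the reply is asking about.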
protection.outlook.com SMTP support contact needed
I'm running into TLS interoperability problems with some of the SMTP servers under the inbound.protection.outlook.com domain. Are there any Outlook postmasters lurking here that could contact me off list to help debug this? Thanks, --lyndon
Re: protection.outlook.com SMTP support contact needed
I'm running into TLS interoperability problems with some of the SMTP servers under the inbound.protection.outlook.com domain. Are there any Outlook postmasters lurking here that could contact me off list to help debug this?
Maybe... But I'd check to see if you might be on a DNSBL first, just to be sure, as the Exchange Online Protection system doesn't advertise STARTTLS if your IP is blocked. What is the IP address that you are sending from? Otherwise, I would suggest having your recipient open a ticket with Customer Support for fastest resolution and traceability.
Aloha mai Nai`a. -- So this is how Liberty dies ... http://kapu.net/~mjwise/ To Thunderous Applause.
[OT] Looking for dhs / fbi contact
obviously off list, but who are we kidding ;) -- jamie rishaw // .com.arpa@j - reverse it. ish. I don't drink alcohol from that portion of the color spectrum. - Ron Swanson ( Nick Offerman ), Parks and Recreation
Re: OT: VPS with Routed IP space
On Feb 26, 2015, at 9:58 AM, Sebastian Spies s+mailinglisten.na...@sloc.de wrote: Am 24.02.2015 um 23:59 schrieb Doug Barton: On 2/24/15 1:42 PM, Michael Helmeste wrote: ARP Networks: https://www.arpnetworks.com/vps Routed IP space (v4 and v6) as well as BGP peering. +1 for Arp, I'm a happy customer (no other affiliation). We are going to do this at datapath.io using AWS and others soon. We do some BGP peering on your behalf and expose some parameters to the VPS via API. Since the requirement included IPv6, I’m not sure how you plan to use AWS. Owen
Re: [OT] Looking for dhs / fbi contact
On Feb 26, 2015, at 1:16 PM, jamie rishaw j...@arpa.com wrote: obviously off list, but who are we kidding ;) Uh, which? They’re unrelated agencies with completely different remits. -Bill
Re: OT: VPS with Routed IP space
Am 26.02.2015 um 22:14 schrieb Owen DeLong: On Feb 26, 2015, at 9:58 AM, Sebastian Spies s+mailinglisten.na...@sloc.de wrote: Am 24.02.2015 um 23:59 schrieb Doug Barton: On 2/24/15 1:42 PM, Michael Helmeste wrote: ARP Networks: https://www.arpnetworks.com/vps Routed IP space (v4 and v6) as well as BGP peering. +1 for Arp, I'm a happy customer (no other affiliation). We are going to do this at datapath.io using AWS and others soon. We do some BGP peering on your behalf and expose some parameters to the VPS via API. Since the requirement included IPv6, I’m not sure how you plan to use AWS. You are right. Sorry for the sloppiness. OT: There is no way to even let two instances communicate with each other in the same VPC subnet using a protocol other than IPv4, although they transport ethernet headers (no VXLAN). Our only solution was to use v6 load balancers that tunnel with our endpoint on the other side of direct connect.
Re: [OT] Looking for dhs / fbi contact
Jamie, have you tried calling the local FBI office? I’ve had good luck with this when someone was sending me death threats and wanted them to have some good leads if something happened to me. You know where to find me if you want to ask questions off-list. Also, DHS is a sprawling agency, so depending on what you are looking for, you need to be a bit more specific, there are certain crimes that fall under the ICE/CBP side of the house vs USSS which depending on the nature of interagency cooperation is the lead for financial crimes. (Long history of why, but this is why counterfeit bills are USSS vs FBI). I doubt this helps, but there’s also NCFTA which you can contact as well. - Jared On Feb 26, 2015, at 4:16 PM, jamie rishaw j...@arpa.com wrote: obviously off list, but who are we kidding ;) -- jamie rishaw // .com.arpa@j - reverse it. ish. I don't drink alcohol from that portion of the color spectrum. - Ron Swanson ( Nick Offerman ), Parks and Recreation
Re: [OT] Looking for dhs / fbi contact
Thanks for the off list reply. Oh, wait.. I was casting a wide net to fend off the you got something?ers but without addressing your question my query stands On Feb 26, 2015 3:43 PM, Bill Woodcock wo...@pch.net wrote: On Feb 26, 2015, at 1:16 PM, jamie rishaw j...@arpa.com wrote: obviously off list, but who are we kidding ;) Uh, which? They're unrelated agencies with completely different remits. -Bill
Re: [OT] Looking for dhs / fbi contact
They are in the phone book. Call them. Or walk into a field office near you. Don't bother nanog with such a generic / teasing question, it's incredibly annoying. No one is going to provide you with a contact of any seriousness with such a generic query. On February 26, 2015 5:41:52 PM CST, jamie rishaw j...@arpa.com wrote: Thanks for the off list reply. Oh, wait.. I was casting a wide net to fend off the you got something?ers but without addressing your question my query stands On Feb 26, 2015 3:43 PM, Bill Woodcock wo...@pch.net wrote: On Feb 26, 2015, at 1:16 PM, jamie rishaw j...@arpa.com wrote: obviously off list, but who are we kidding ;) Uh, which? They're unrelated agencies with completely different remits. -Bill -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Sub-optimal routing to Google via IPv6
I have noticed that since we deployed IPv6 a number of years ago, that our IPv6 routes to Google's V6-enabled sites (e.g. www.google.com and www.youtube.com) traverse the CONUS from Oakland (where our primary Level 3 ISP connection is) to Washington D.C., New York, and then onto Google's network in New York, where the packets presumably pass across Google's internal networks.
My traceroute [v0.71]
hivemind (::) Thu Feb 26 18:03:44 2015
Keys: Help Display mode Restart statistics Order of fields quit
Packets Pings
    Host                                    Loss%   Last    Avg   Best   Wrst  StDev
 1. 2620:79:0:::ff7d                         0.0%    0.4    0.4    0.4    0.4    0.0
 2. 2620:79:0:::fd                           0.0%    0.4    0.4    0.4    0.4    0.0
 3. 2620:79:0:::249                          0.0%    1.7    1.7    1.7    1.7    0.0
 4. ge-6-24.car1.Oakland1.Level3.net         0.0%  316.3  316.3  316.3  316.3    0.0
 5. vl-4043.edge1.SanJose1.Level3.net        0.0%    3.0    3.0    3.0    3.0    0.0
 6. vl-4045.edge5.LosAngeles.Level3.net      0.0%    9.3    9.3    9.3    9.3    0.0
 7. vl-4081.edge6.LosAngeles1.Level3.net     0.0%    9.2    9.2    9.2    9.2    0.0
 8. vl-4041.edge1.Washington1.Level3.net     0.0%  116.5  116.5  116.5  116.5    0.0
 9. vl-4080.edge2.Washington1.Level3.net     0.0%   75.0   75.0   75.0   75.0    0.0
10. vl-4068.edge2.Washington12.Level3.net    0.0%   75.5   75.5   75.5   75.5    0.0
11. vl-4047.car1.NewYork1.Level3.net         0.0%   76.5   76.5   76.5   76.5    0.0
12. vl-60.ear2.NewYork1.Level3.net           0.0%  110.2  110.2  110.2  110.2    0.0
13. Google-level3-30GB.NewYork1.Level3.net   0.0%   75.6   75.6   75.6   75.6    0.0
14. 2001:4860::1:0:3be                       0.0%   76.1   76.1   76.1   76.1    0.0
15. 2001:4860::8:0:4397                      0.0%   75.9   75.9   75.9   75.9    0.0
16. 2001:4860::8:0:5901                      0.0%   73.5   73.5   73.5   73.5    0.0
17. 2001:4860::8:0:7894                      0.0%   85.9   85.9   85.9   85.9    0.0
18. 2001:4860::8:0:79e5                      0.0%   92.9   92.9   92.9   92.9    0.0
19. 2001:4860::8:0:6117                      0.0%   73.5   73.5   73.5   73.5    0.0
20. 2001:4860::1:0:7ea                       0.0%   71.9   71.9   71.9   71.9    0.0
21. 2001:4860:0:1::691                       0.0%   72.1   72.1   72.1   72.1    0.0
22. ???
I haven't raised this issue with Level(3) yet, as I was wondering if this is really a Level(3) routing issue or a Google IPv6 routing issue? Thanks for any insights.
Regards, David Sotnick -- Pixar Emeryville, CA