Re: Recent trouble with QUIC?

2015-09-26 Thread Mike Hale
OH SNAP!

On Fri, Sep 25, 2015 at 10:07 PM, Matthew Kaufman wrote:
>
>
> On 9/25/15 5:43 PM, Stephen Satchell wrote:
>>
>> On 09/25/2015 04:20 PM, Ca By wrote:
>>>
>>> RFO: Google unilaterally deployed a non-standard protocol to our
>>> production
>>> environment, driving up helpdesk calls x%
>>>
>>> After action: block udp 80/443 until production ready and standard
>>> ratified
>>> use deployed.
>>
>>
>> Let me be gentle about this.  Why were you allowing 80/udp and 443/udp in
>> the first place into your production environment?
>>
>
> Which ISP do you run that blocks UDP by default? I'm curious, so I can be
> sure I don't buy mislabeled "Internet" service from you.
>
> Matthew Kaufman



-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0


Re: Ear protection

2015-09-26 Thread Alan Buxey
Great summary of the thread


No-one using remote control robots with video feed etc for working in these 
environments then?  Plans to?  ;)

alan


Re: ARIN Region IPv4 Free Pool Reaches Zero

2015-09-26 Thread Randy Bush
> The IPv4 free pool for the ARIN region is now depleted

and the world goes on

randy


Re: Recent trouble with QUIC?

2015-09-26 Thread James Bensley
On 26 September 2015 at 08:20, Mike Hale wrote:
> OH SNAP!

Tiny Rick!!!


Re: ARIN Region IPv4 Free Pool Reaches Zero

2015-09-26 Thread John Curran

On Sep 26, 2015, at 5:11 AM, Randy Bush wrote:

>> The IPv4 free pool for the ARIN region is now depleted
>
> and the world goes on

Indeed.

…then again, the real traffic growth having already moved off of IPv4 to IPv6 
probably helps a bit -


FYI,
/John

John Curran
President and CEO
ARIN




Re: ARIN Region IPv4 Free Pool Reaches Zero

2015-09-26 Thread Seth Mattinen

On 9/24/15 09:59, William Astle wrote:
> On 2015-09-24 10:49, Dovid Bender wrote:
>> The issue now is convincing clients that they need it. The other issue
>> is many software vendors still don't support it.
>>
>> Regards,
>>
>> Dovid
>
> Actually, the issue now is convincing certain big providers to actually
> make IPv6 service available to their customers in data centres and the
> like across their *whole* networks rather than giving people the
> "there's no demand so we can't justify the cost" run around. (I'm
> looking at you AS701.)
>
> For that matter, it would also help if certain large end user providers
> would make IPv6 available rather than giving a standard "we have no
> information at this time" type response. (I'm looking at you, Shaw.)




What's worked for me is not signing or renewing or buying things that 
lack IPv6 support. I realize that may not always be possible but it does 
work better to require it from the sales side than as a technical 
problem to try and solve later.


~Seth


Re: Question re session hijacking in dual stack environments w/MacOS

2015-09-26 Thread Brandon Butterworth
> From: David Hubbard 
> Websites that require some type of authentication that is handled via
> session cookies have been booting our users out randomly with "your ip
> address has changed" type message.  This occurs when their Mac decides
> to switch between protocols because the site views it as a session
> hijacking attempt when Joe User with session ID xyz switches from
> 192.0.2.10 to 2001:db8::1:1:a or vice versa.
> 
> Has anyone run into this?

It's 1997 again? This used to be a common IPv4 problem for us as users
exited through a cluster of squid caches which could result in a
different address per request. Those sites eventually learnt after much
feedback not to assume IPv4 address continuity.

brandon


Re: Question re session hijacking in dual stack environments w/MacOS

2015-09-26 Thread Ca By
On Saturday, September 26, 2015, David Hubbard <dhubb...@dino.hostasaurus.com> wrote:

> Hey all, as we've slowly deployed IPv6 to our end users, it has begun to
> cause some issues for those on Macs specifically.  Apple apparently has
> an algorithm at some point in the network stack to decide whether IPv4
> or IPv6 is, perhaps, 'better' or 'faster' at any given point in time
> during an ongoing session.  This allows a computer talking to a dual
> stack remote website to flip flop between v4 and v6 as activity is
> conducted.
>
> Websites that require some type of authentication that is handled via
> session cookies have been booting our users out randomly with "your ip
> address has changed" type message.  This occurs when their Mac decides
> to switch between protocols because the site views it as a session
> hijacking attempt when Joe User with session ID xyz switches from
> 192.0.2.10 to 2001:db8::1:1:a or vice versa.
>
> Has anyone run into this?  Our users on other platforms don't seem to
> have this issue; Linux and MS desktops seem to just use v6 if it's
> available and v4 if not.
>
> Thanks,
>
> David
>


Info about Apple and their unique IPv6 selection process

 https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html


Re: Question re session hijacking in dual stack environments w/MacOS

2015-09-26 Thread Laszlo Hanyecz


On 2015-09-26 14:34, David Hubbard wrote:
> Websites that require some type of authentication that is handled via
> session cookies have been booting our users out randomly with "your ip
> address has changed" type message.  This occurs when their Mac decides
> to switch between protocols because the site views it as a session
> hijacking attempt when Joe User with session ID xyz switches from
> 192.0.2.10 to 2001:db8::1:1:a or vice versa.




This sounds like a really poor practice on the part of the website 
operators.  Users on wireless devices may be switching networks 
throughout the same session (wifi/LTE), or there could be a cluster of 
proxies, or short DHCP leases, or tor circuit changes, or privacy 
extensions, etc.  This is almost as bad as using GeoIP databases to 
authenticate.


-Laszlo




Re: Synful Knock questions...

2015-09-26 Thread Hank Nussbacher

At 11:42 25/09/2015 -0700, Jake Mertel wrote:
> Looks like Cisco's Talos just released a tool to scan your network for
> indications of the SYNful Knock malware. Details @
> http://talosintel.com/scanner/ .


More details here:
http://blogs.cisco.com/security/talos/synful-scanner

-Hank





--
Regards,

Jake Mertel
Ubiquity Hosting



Web: https://www.ubiquityhosting.com
Phone (direct): 1-480-478-1510
Mail: 5350 East High Street, Suite 300, Phoenix, AZ 85054


On Wed, Sep 16, 2015 at 7:33 AM, Stephen Fulton 
wrote:

> Follow-up to my own post, Fireeye has code on github:
>
> https://github.com/fireeye/synfulknock
>
>
> On 2015-09-16 10:27 AM, Stephen Fulton wrote:
>
>> Interesting, anyone have more details on how to construct the scan using
>> something like nmap?
>>
>> -- Stephen
>>
>> On 2015-09-16 9:20 AM, Royce Williams wrote:
>>
>>> HD Moore just posted the results of a full-Internet ZMap scan.  I didn't
>>> realize that it was remotely detectable.
>>>
>>> 79 hosts total in 19 countries.
>>>
>>> https://zmap.io/synful/
>>>
>>> Royce
>>>
>>>




Re: Recent trouble with QUIC?

2015-09-26 Thread Dovid Bender
I forgot who it was, but I think it was a uni network. As an ISP everything
should be allowed; as an end network you want to CYA.

Much like the hospital I was just at that had free wifi. Only ports 80 and 443
over TCP were allowed. That's when having SSH on 443 so you can proxy for alt
ports really helps.


--Original Message--
From: James Bensley
Sender: NANOG
To: NANOG Operators' Group
Subject: Re: Recent trouble with QUIC?
Sent: Sep 26, 2015 10:54

On 26 September 2015 at 08:20, Mike Hale wrote:
> OH SNAP!

Tiny Rick!!!

Regards,

Dovid


Re: Question re session hijacking in dual stack environments w/MacOS

2015-09-26 Thread Michael Brown
> Those sites eventually learnt after much feedback not to assume IPv4
> address continuity.

I could envision that those checks might now be relaxed to checking for
address continuity in the same /24 for instance.

But when you're seeing the same session being used from two wildly different 
places (in this case, IPv4 and IPv6) at the SAME TIME, that does seem rather 
suspicious in the absence of other information.

M.
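To make the problem Laszlo and Michael describe concrete (a site binding a session to one exact client address ejects dual-stack clients; a check relaxed to prefix continuity does not), here is an added example in Python. It is not code from the thread or from any site mentioned in it. The /24 comes from Michael's post; the /64 used for IPv6, the per-address-family binding, the function names and the constructed request sequence are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample traffic for one session ("xyz", the ID from David's
# post): a Mac flipping between the v4 and v6 addresses he quotes, then a
# v4 address in the same /24 (proxy cluster, DHCP renewal), then a v4
# address from an unrelated /24.
REQUESTS = [
    ("xyz", "192.0.2.10"),
    ("xyz", "2001:db8::1:1:a"),
    ("xyz", "192.0.2.10"),
    ("xyz", "192.0.2.99"),   # same /24 as the first v4 address
    ("xyz", "203.0.113.7"),  # different /24, same address family
]

V4_PREFIX = 24  # tolerance mentioned in the thread
V6_PREFIX = 64  # assumption: one SLAAC subnet covers privacy-extension churn


def naive_check(sessions, sid, ip_str):
    """The behaviour the thread complains about: bind the session to the
    first address seen and treat any change as a hijack.
    Returns True if the request is accepted."""
    bound = sessions.setdefault(sid, ip_str)
    return bound == ip_str


def prefix_of(ip_str):
    """Network prefix the site is willing to treat as 'the same place'."""
    ip = ipaddress.ip_address(ip_str)
    plen = V4_PREFIX if ip.version == 4 else V6_PREFIX
    return ipaddress.ip_network(f"{ip_str}/{plen}", strict=False)


def family_aware_check(sessions, sid, ip_str):
    """Bind each session to one prefix per address family. A switch
    between IPv4 and IPv6 is expected on dual-stack clients, so it is
    accepted; a change of prefix within the same family is flagged.
    Returns True if the request is accepted."""
    net = prefix_of(ip_str)
    bound = sessions.setdefault(sid, {})      # {4: prefix, 6: prefix}
    prev = bound.get(net.version)
    if prev is None:
        bound[net.version] = net
        return True
    return prev == net


def replay(check, requests):
    """Run a check over the request sequence with a fresh session table;
    returns one accept/reject decision per request."""
    sessions = {}
    return [check(sessions, sid, ip) for sid, ip in requests]


if __name__ == "__main__":
    print("naive:       ", replay(naive_check, REQUESTS))
    print("family-aware:", replay(family_aware_check, REQUESTS))
```

Replaying the sample sequence, the naive check rejects every protocol flip and the in-/24 address, which is exactly the "your ip address has changed" experience from the original post; the family-aware check accepts all of those and only flags the request from the unrelated /24. What a site does on a flag (re-authenticate, step up, or simply log) is a separate policy choice the thread does not settle.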


Re: Question re session hijacking in dual stack environments w/MacOS

2015-09-26 Thread Dovid Bender
What about users on CGNAT? I know ISPs in the Far East that only offer CGNAT
and it's pot luck how you go out.

--Original Message--
From: Michael Brown
Sender: NANOG
To: Brandon Butterworth
To: nanog@nanog.org
To: dhubb...@dino.hostasaurus.com
Subject: Re: Question re session hijacking in dual stack environments w/MacOS
Sent: Sep 26, 2015 23:19

> Those sites eventually learnt after much feedback not to assume IPv4
> address continuity.

I could envision that those checks might now be relaxed to checking for
address continuity in the same /24 for instance.

But when you're seeing the same session being used from two wildly different 
places (in this case, IPv4 and IPv6) at the SAME TIME, that does seem rather 
suspicious in the absence of other information.

M.

Regards,

Dovid

Re: Ear protection

2015-09-26 Thread Dovid Bender
No, but someone in Australia just bought the iPhone 6s via a robot.


--Original Message--
From: Alan Buxey
Sender: NANOG
To: Nick Hilliard
To: nanog@nanog.org
Subject: Re: Ear protection
Sent: Sep 26, 2015 04:21

Great summary of the thread


No-one using remote control robots with video feed etc for working in these 
environments then?  Plans to?  ;)

alan

Regards,

Dovid


Question re session hijacking in dual stack environments w/MacOS

2015-09-26 Thread David Hubbard
Hey all, as we've slowly deployed IPv6 to our end users, it has begun to
cause some issues for those on Macs specifically.  Apple apparently has
an algorithm at some point in the network stack to decide whether IPv4
or IPv6 is, perhaps, 'better' or 'faster' at any given point in time
during an ongoing session.  This allows a computer talking to a dual
stack remote website to flip flop between v4 and v6 as activity is
conducted.

Websites that require some type of authentication that is handled via
session cookies have been booting our users out randomly with "your ip
address has changed" type message.  This occurs when their Mac decides
to switch between protocols because the site views it as a session
hijacking attempt when Joe User with session ID xyz switches from
192.0.2.10 to 2001:db8::1:1:a or vice versa.

Has anyone run into this?  Our users on other platforms don't seem to
have this issue; Linux and MS desktops seem to just use v6 if it's
available and v4 if not.

Thanks,

David


Last Call for presentations and Draft programme for RIPE 71

2015-09-26 Thread Benno Overeinder
Colleagues,

A list of currently accepted RIPE 71 presentations is now published at:

https://ripe71.ripe.net/programme/

There are still a few slots remaining in the final RIPE 71 programme, and
the RIPE Programme Committee will accept new proposals until 11 October 2015.

This is our last call for you to submit your proposals.

You can find the CFP for RIPE 71 below, or at
https://ripe71.ripe.net/submit-topic/cfp/, for your proposals for
plenary session presentations, tutorials, workshops, BoFs (Birds of a
Feather sessions) and lightning talks.

Please also note that speakers do not receive any extra reduction or
funding towards the meeting fee at the RIPE Meetings.

Kind regards,

Benno Overeinder
RIPE PC Chair
https://www.ripe.net/participate/meetings/ripe-meetings/pc




Call for Presentations

A RIPE Meeting is an open event where Internet Service Providers,
network operators and other interested parties get together.  Although
the meeting is mostly technical, it is also a chance for people to meet
and network with others in their field.

RIPE 71 will take place from 16-20 November 2015 in Bucharest, Romania.

The RIPE Programme Committee (PC) is now seeking content proposals from
the RIPE community for the plenary sessions, BoFs (Birds of a Feather
sessions), panels, workshops, tutorials and lightning talks at RIPE 71.
See the full descriptions of the different presentation formats,
https://ripe71.ripe.net/submit-topic/presentation-formats/.

Proposals for plenary sessions, BoFs, panels, workshops and tutorials
must be submitted for full consideration no later than 11 October 2015.
Proposals submitted after this date will be considered depending
on the remaining available space in the programme.

The PC is looking for presentations covering topics of network
engineering and operations, including but not limited to:

- IPv6 deployment
- Managing IPv4 scarcity in operations
- Commercial transactions of IPv4 addresses
- Data centre technologies
- Network and DNS operations
- Internet governance and regulatory practices
- Network and routing security
- Content delivery
- Internet peering and mobile data exchange

Submissions

RIPE Meeting attendees are quite sensitive to keeping presentations
non-commercial, and product marketing talks are strongly discouraged.
Repeated audience feedback shows that the most successful talks focus on
operational experience, research results, or case studies.  For example,
presenters wishing to describe a commercial solution should focus on
the underlying technology and not attempt a product demonstration.

Presenters should indicate how much time they will require. In general,
the time allocated for the different presentation formats is as follows:

- Plenary presentations: 20-25 minutes presentation with
  5-10 minutes discussion
- Tutorials: up to two hours (Monday morning)
- Workshops: one hour (during evening sessions) to two hours
  (Monday morning)
- BoFs: approximately one hour
- Lightning talks: 10 minutes

The following general requirements apply:

- Proposals must be submitted using the meeting submission system,
  https://ripe71.ripe.net/submit-topic/submission-form/.

- Lightning talks should also be submitted using the meeting submission
  system (https://ripe71.ripe.net/submit-topic/submission-form/) and
  can be submitted any time up to and including the meeting week. The
  allocation of lightning talks will be announced on short notice---in
  some cases on the same day but often one day prior to the time slot
  allocated.

- Presenters who propose a panel or BoF are encouraged to include
  speakers from several (perhaps even competing) companies and/or a
  neutral facilitator.

- All presentation proposals will only be considered by the PC if they
  contain at least draft presentation slides (slides may be updated
  later on). For panels, proposals must contain a clear description, as
  well as the names of invited panellists, presenters and moderators.

- Due to potential technical issues, presenters/panellists should be
  physically present at the RIPE Meeting.

If you have any questions or requests concerning content submissions,
please email pc [at] ripe [dot] net.


-- 
Benno J. Overeinder
NLnet Labs
http://www.nlnetlabs.nl/