Re: de-peering for security sake

2016-01-17 Thread Valdis . Kletnieks
On Sun, 17 Jan 2016 19:39:52 -0500, b...@theworld.com said:
> How about if backed by an agreement with the 5 RIRs stating no new
> resource allocations or transfers etc unless a contract is signed and
> enforced? Or similar.

Then they'd just resort to hijacking address space.

Oh wait, they already do that and get away with it

(And a threat of withholding IP address space from long-haul providers isn't as
credible - they have much less need for publicly routed IP addresses than
either eyeball farms or content farms, so you'll have to find some other way to
motivate them to not accept a hijacked route announcement...)





St. Louis Region - SCIX Internet Exchange Meetup - Thursday January 21st

2016-01-17 Thread David Sandel
*WELCOME - SCIX-STL Internet Exchange Meetup!*

*Join us January 21st at the T-REX for a regional
design review for the SCIX-STL Internet Exchange point for the greater
St. Louis area.*

SCIX is working to provide a single peering fabric and peering services for
local service providers, data centers, and carrier hotels. SCIX will also
provide a second fabric for Smart City IoE, regional sensor networks,
advanced security services and high speed wireless networks.

Bill Woodcock from the Packet Clearing House, SCIX team
members and Sandel & Associates will be providing a full day presentation
regarding design, operation, governance and operational issues for
SCIX-STL. PCH has offered to provide SCIX-STL with switch gear to make this
a reality for the St. Louis area.

For more information and to get a ticket, check out Eventbrite


Thank you,
Dave Sandel


Re: de-peering for security sake

2016-01-17 Thread Dan Hollis

On Sun, 17 Jan 2016, Doug Barton wrote:
> On 1/17/2016 12:44 PM, b...@theworld.com wrote:
>> We need an effective forum with effective participation perhaps
>> eventually leading to signed contractual obligations agreed to by all
>> parties.
>
> Not gonna help. The same people who have no incentive to do the right thing
> now will still have no incentive to join the group you propose.
>
> I've said it before, and it's an unpopular option, but the only way that this
> will change is to make it more expensive to do the wrong thing than it is to
> do the right thing.


I think it can happen without lawsuits. look at RBLs and spamhaus. a bit 
sad that spamhaus has to exist in order to motivate operators to clean up 
their cesspools, but it does work to a certain extent.


-Dan


Re: de-peering for security sake

2016-01-17 Thread Ca By
On Sunday, January 17, 2016, Dan Hollis wrote:

> On Sun, 17 Jan 2016, b...@theworld.com wrote:
>
>> Sure, you have your hands on BGP etc, so what router commands (hammer)
>> can effect international policy (nail)?
>>
>> This is fundamentally a social and political issue and needs to be
>> dealt with on that level, not with changes in router configs.
>>
>
> bgp blackhole fed by rbl?
>
> at the very least, scavenger queue packets by rbl.
>
>
If you are not already scoring packets by reputation, you are at very least
behind what AWS is doing for volumetric ddos mitigation

Check out around minute 12 and 13

http://youtu.be/Ys0gG1koqJA

As stated earlier, ip packets are going the way of spam mail :(

> complacency / willful negligence needs to have a monetary cost.
>
> -Dan
>


Re: de-peering for security sake

2016-01-17 Thread Doug Barton

On 1/17/2016 12:44 PM, b...@theworld.com wrote:
> We need an effective forum with effective participation perhaps
> eventually leading to signed contractual obligations agreed to by all
> parties.


Not gonna help. The same people who have no incentive to do the right 
thing now will still have no incentive to join the group you propose.


I've said it before, and it's an unpopular option, but the only way that 
this will change is to make it more expensive to do the wrong thing than 
it is to do the right thing. That means lawsuits filed by companies that 
have been harmed as a result of those that are not doing the right 
thing. That will produce the incentives which will be recognized and 
understood by all layers of management, and result in real action for 
the better.


As nice as it would be if everyone were to do the right thing because 
it's the right thing, we already have ample evidence that won't happen. 
Time to stop pretending otherwise.


Doug



Re: de-peering for security sake

2016-01-17 Thread bzs

When all you have is a hammer the whole world looks like a nail.

That's what "de-peering for security sake" sounds like to me.

Sure, you have your hands on BGP etc, so what router commands (hammer)
can effect international policy (nail)?

This is fundamentally a social and political issue and needs to be
dealt with on that level, not with changes in router configs.

We need an effective forum with effective participation perhaps
eventually leading to signed contractual obligations agreed to by all
parties.

Perhaps way at the end of that process router commands can be used to
enforce agreed contracts and respond to adjudicated breaches, if and
when necessary.

Otherwise it's just rule by an angry mob. The internet has gotten way
too big and critical for that sort of approach.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: de-peering for security sake

2016-01-17 Thread Dan Hollis

On Sun, 17 Jan 2016, b...@theworld.com wrote:
> Sure, you have your hands on BGP etc, so what router commands (hammer)
> can effect international policy (nail)?
>
> This is fundamentally a social and political issue and needs to be
> dealt with on that level, not with changes in router configs.


bgp blackhole fed by rbl?

at the very least, scavenger queue packets by rbl.

complacency / willful negligence needs to have a monetary cost.

-Dan


Re: de-peering for security sake

2016-01-17 Thread bzs

On January 17, 2016 at 13:06 goe...@sasami.anime.net (Dan Hollis) wrote:
 > On Sun, 17 Jan 2016, b...@theworld.com wrote:
 > > Sure, you have your hands on BGP etc, so what router commands (hammer)
 > > can effect international policy (nail)?
 > >
 > > This is fundamentally a social and political issue and needs to be
 > > dealt with on that level, not with changes in router configs.
 > 
 > bgp blackhole fed by rbl?
 > 
 > at the very least, scavenger queue packets by rbl.
 > 
 > complacency / willful negligence needs to have a monetary cost.

How well is this approach working so far?

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: de-peering for security sake

2016-01-17 Thread bzs

On January 17, 2016 at 13:09 do...@dougbarton.us (Doug Barton) wrote:
 > On 1/17/2016 12:44 PM, b...@theworld.com wrote:
 > > We need an effective forum with effective participation perhaps
 > > eventually leading to signed contractual obligations agreed to by all
 > > parties.
 > 
 > Not gonna help. The same people who have no incentive to do the right 
 > thing now will still have no incentive to join the group you propose.

How about if backed by an agreement with the 5 RIRs stating no new
resource allocations or transfers etc unless a contract is signed and
enforced? Or similar.

Anyhow the point is that the same methods can be used, it's just that
if one uses a contractual obligation (or refusal to sign thereto) and
some process for adjudication at least it can take on the appearance
of transparent fair play and violation of rules everyone has agreed to
abide by rather than vigilantism.

 > 
 > I've said it before, and it's an unpopular option, but the only way that 
 > this will change is to make it more expensive to do the wrong thing than 
 > it is to do the right thing. That means lawsuits filed by companies that 
 > have been harmed as a result of those that are not doing the right 
 > thing. That will produce the incentives which will be recognized and 
 > understood by all layers of management, and result in real action for 
 > the better.

Lawsuits are just looking for some external authority (a court, of
what jurisdiction?) to do what should have been done within the
industry itself. So now we'd have a court, and a jury of bus drivers
and senior citizens, trying to figure out what the problem really is?

I thought a lot of this started over international problems. Ever
tried to get a court order or subpoena enforced in Lower Slobbovia?

(no, because there is no such place as Lower Slobbovia, but you can
fill in that blank I'm sure.)

 > As nice as it would be if everyone were to do the right thing because 
 > it's the right thing, we already have ample evidence that won't happen. 
 > Time to stop pretending otherwise.

Might have something to do with the unsophisticated way this is being
approached?

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


New Switches with Broadcom StrataDNX

2016-01-17 Thread Colton Conor
Does anyone know when the switching and router vendors will release their
new models with the Broadcom BCM88370 and BCM88670 chips? It looks like
these chips could be used as a carrier grade router and/or metro E device.

More information here: http://www.broadcom.com/press/release.php?id=s902223

and here:
http://www.nextplatform.com/2015/03/19/new-dune-chips-enable-heftier-switches/


Re: network issue on ec2 classic us-east-1??

2016-01-17 Thread Dovid Bender
Sorry for the delayed reply. It's been going on for about two weeks. The last 
few days have been ok but unless we know it's been fixed we will keep looking.

How has it been for you the last few days?


Regards,

Dovid

-Original Message-
From: Grant Ridder 
Date: Fri, 15 Jan 2016 14:02:06 
To: Neil Robst
Cc: do...@telecurve.com; NANOG; nanog@nanog.org
Subject: Re: network issue on ec2 classic us-east-1??

Gotcha, thanks for the info.
I am at 128 instances and counting in the last 8 hrs

-Grant

On Fri, Jan 15, 2016 at 1:58 PM, Neil Robst wrote:

> Hi Grant,
> We saw the first confirmed issue last week. So far only experienced 2
> confirmed - that last week and one this morning, but it's possible there
> have been others.
>
> Neil
>
> From: Grant Ridder
> Date: Friday, January 15, 2016 at 1:54 PM
> To: Neil Robst
> Cc: "do...@telecurve.com", NANOG, "nanog@nanog.org"
> Subject: Re: network issue on ec2 classic us-east-1??
>
>
> Neil / Dovid,
> How long ago did your issues start?  Symptoms are the same, but the issue
> for me started early this morning at an alarming rate.
>
> -Grant
>
>
> On Fri, Jan 15, 2016 at 1:45 PM, Neil Robst wrote:
>
> Hi David and Grant,
>
> We have been experiencing exactly the same issue also now whereby our
> instances randomly stop getting their DHCP reservation and then drop
> offline. A simple reboot in the AWS console usually sorts it but as yet we
> do not know the root cause.
>
> Regards,
> Neil
>
> On 1/15/16, 1:31 PM, "NANOG on behalf of Dovid Bender"
>  do...@telecurve.com> wrote:
>
> >Grant,
> >
> >We have been having issues for a few weeks now with instances that
> >randomly stop getting their IP from DHCP. Did you see any dhcp errors?
> >
> >
> >Regards,
> >
> >Dovid
> >
> >-Original Message-
> >From: Grant Ridder 
> >Sender: "NANOG"
> >Date: Fri, 15 Jan 2016 12:58:58
> >To: nanog@nanog.org
> >Subject: network issue on ec2 classic us-east-1??
> >
> >Hi,
> >
> >Over the last 6 hrs i have had over 100 instances in us-east-1 in EC2
> >Classic fail their instance health checks and a reboot via the console
> >solves them.  Logs on the host point to a loss of all network
> >connectivity.  Anyone else experiencing something like this?
> >
> >Reached out to AWS support and haven't gotten anywhere with that yet.
> >
> >-Grant



Sao Tome and Principe off net

2016-01-17 Thread Randy Bush
anyone know why Sao Tome and Principe fell off the net at 01:04?

https://stat.ripe.net/ST#tabId=routing

randy