backbones filtering unsanctioned sites

2017-02-09 Thread Ken Chase
https://torrentfreak.com/internet-backbone-provider-cogent-blocks-pirate-bay-and-other-pirate-sites-170209/

/kc
-- 
Ken Chase - m...@sizone.org Guelph Canada



Re: Updating Geolocation of /24 within corporate /16

2017-02-09 Thread David Sotnick
Hi Tyler,

I have not yet tried this, but am doing so now, thanks!

-Dave

On Thu, Feb 9, 2017 at 6:27 PM, Tyler Conrad  wrote:

> Have you tried submitting a correction to some geolocation services
> directly yet? Maxmind is pretty heavily used.
>
> https://support.maxmind.com/correction-faq/submit-a-correction/how-do-i-submit-a-correction-to-geoip-data/
>
>
> On Thursday, February 9, 2017, David Sotnick wrote:
>
>> Hi NANOG,
>>
>> You have given good advice on updating IP Geolocation data in the past,
>> including visiting 'www.google.com' from a mobile device and selecting
>> "use exact location [from GPS]". This worked out well for us a few years
>> ago for a single IP which we were NATting out of in a new geographic
>> location.
>>
>> Now we are in a position where we have been assigned site-local /24 (out
>> of the corporation's larger /20 space) networks for a couple of locations
>> and I'm wondering how I go about updating IP Geolocation data to note
>> that two /24 networks are no longer at the Corporate HQ location.
>>
>> I understand that when users first start using these site-specific /24
>> networks, they will be lumped in with the larger /20 space as far as their
>> geolocation goes, but besides the Google/GPS method, is there a
>> cleaner/better way to do this? Do Geolocation services use SWIP data?
>> Should I have the /24s have separate SWIP data noting the geo location?
>> I'd love a place to be able to say: "This /24 is at this geoloc; this /24
>> is at this geoloc; and the corporate /20 remains where it always has
>> been."
>>
>> Many thanks for your insights in this matter,
>>
>> -Dave
>>
>


RE: IoT security

2017-02-09 Thread Keith Medcalf

On Tuesday, 7 February, 2017 06:59, Ray Soucy said:

> I think the fundamental problem here is that these devices aren't good
> network citizens in the first place.  The odds of getting them to add
> functionality to support a new protocol are even less likely than getting
> them to not have open services externally IMHO.
>
> Couldn't a lot of this be caught by proactive vulnerability scanning and
> working with customers to have an SPI firewall in place, or am I missing
> something?
>
> Historically residential ISP CPE options have been terrible.  If you could
> deliver something closer to user expectations you would likely see much
> more adoption and less desire to rip and replace.  Ideally a cloud-managed
> device so that the config wouldn't need to be rebuilt in the event of a
> hardware swap.

I do not permit "cloud managed" devices on my network unless the "cloud" also 
belongs to me and is located on my network (in other words, a good old 
fashioned server on my network run by me).  No ISP is permitted to put "cloud" 
or even remotely configured (by anyone who is not me) devices on my network.  
Such devices go on THEIR network not MY network.  If they malfunction or get 
hacked, the problem is THEIRS not MINE.

Such a policy ensures that I am entirely and exclusively responsible for the 
good behaviour of the equipment on MY network.  If I were to permit devices 
managed by NOT-ME on MY network, then I would not be responsible.  Therefore 
such filth should stay on NOT-MY network.

So the CPE equipment owned, managed and configured by the ISP is on the ISP 
network, not my network.  The demarc is the ethernet connection between the ISP 
network and MY network.  The ISP cannot configure nor touch anything on MY 
network, nor I on THEIRS.

As for "cloud" crap, anything that even mentions the word "cloud" on the box or 
glossy brochure gets an immediate 10,000,000 point penalty applied to ensure 
that it is forever off the consideration list.

If someone is opposed to this policy and cannot live with it, either a network 
carrier or ISP, product vendor or whatever, I really do not give a rat's butt.  
I will simply go do business with someone who has more sense.






Updating Geolocation of /24 within corporate /16

2017-02-09 Thread David Sotnick
Hi NANOG,

You have given good advice on updating IP Geolocation data in the past,
including visiting 'www.google.com' from a mobile device and selecting "use
exact location [from GPS]". This worked out well for us a few years ago for
a single IP which we were NATting out of in a new geographic location.

Now we are in a position where we have been assigned site-local /24 (out of
the corporation's larger /20 space) networks for a couple of locations and
I'm wondering how I go about updating IP Geolocation data to note that two
/24 networks are no longer at the Corporate HQ location.

I understand that when users first start using these site-specific /24
networks, they will be lumped in with the larger /20 space as far as their
geolocation goes, but besides the Google/GPS method, is there a
cleaner/better way to do this? Do Geolocation services use SWIP data?
Should I have the /24s have separate SWIP data noting the geo location? I'd
love a place to be able to say: "This /24 is at this geoloc; this /24 is at
this geoloc; and the corporate /20 remains where it always has been."

Many thanks for your insights in this matter,

-Dave
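One way to publish exactly the mapping Dave asks for ("this /24 is at this geoloc; the corporate /20 remains where it always has been") is a self-published geofeed: a CSV file, one prefix per row, in the format standardised in RFC 8805 (2020, so after this thread; it grew out of a Google draft). The script below is an added example and is not part of the original post or any poster's tooling: it renders such a feed, checks that every site prefix sits inside the corporate aggregate and that the country and region codes are well-formed, and resolves an address to its most-specific row so you can confirm the /20 row still covers everything the /24 rows do not. The aggregate 10.20.0.0/20, the two site /24s and the place names are placeholders, not the poster's real allocation.

```python
"""Self-published geofeed (RFC 8805 CSV) for site /24s carved from a corporate
aggregate. Added example with placeholder prefixes and places; not the poster's
real allocation or any provider's tooling."""
import csv
import io
import ipaddress
import re

# Placeholder corporate aggregate and site assignments (not real allocations).
CORPORATE_AGGREGATE = "10.20.0.0/20"
ENTRIES = [
    # (prefix, country ISO 3166-1 alpha-2, region ISO 3166-2, city, postal code)
    ("10.20.0.0/20", "US", "US-CA", "San Jose", ""),  # HQ: applies wherever no /24 row matches
    ("10.20.4.0/24", "US", "US-WA", "Seattle", ""),   # site A
    ("10.20.5.0/24", "CA", "CA-ON", "Toronto", ""),   # site B
]

_COUNTRY = re.compile(r"^[A-Z]{2}$")
_REGION = re.compile(r"^[A-Z]{2}-[A-Z0-9]{1,3}$")


def validate(entries, aggregate=CORPORATE_AGGREGATE):
    """Return a list of problems with the feed; an empty list means it is consistent."""
    problems = []
    agg = ipaddress.ip_network(aggregate)
    seen = set()
    for prefix, country, region, city, postal in entries:
        try:
            net = ipaddress.ip_network(prefix)  # strict: rejects host bits set or bad syntax
        except ValueError as exc:
            problems.append(f"{prefix}: {exc}")
            continue
        if net in seen:
            problems.append(f"{prefix}: listed twice")
        seen.add(net)
        if net.version != agg.version or not net.subnet_of(agg):
            problems.append(f"{prefix}: not within corporate aggregate {aggregate}")
        if not _COUNTRY.match(country):
            problems.append(f"{prefix}: country {country!r} is not an ISO 3166-1 alpha-2 code")
        if region and (not _REGION.match(region) or not region.startswith(country + "-")):
            problems.append(f"{prefix}: region {region!r} does not belong to country {country!r}")
    return problems


def render_geofeed(entries):
    """Serialise rows in RFC 8805 field order: prefix,country,region,city,postal."""
    buf = io.StringIO()
    buf.write("# Self-published geofeed (RFC 8805); most-specific prefix wins\n")
    csv.writer(buf, lineterminator="\n").writerows(entries)
    return buf.getvalue()


def lookup(entries, address):
    """Longest-prefix match: the row a feed consumer should apply to an address."""
    ip = ipaddress.ip_address(address)
    best = None
    for row in entries:
        net = ipaddress.ip_network(row[0])
        if ip in net and (best is None or net.prefixlen > ipaddress.ip_network(best[0]).prefixlen):
            best = row
    return best


if __name__ == "__main__":
    print(render_geofeed(ENTRIES))
    print("problems:", validate(ENTRIES) or "none")
    for addr in ("10.20.4.17", "10.20.9.1"):
        print(addr, "->", lookup(ENTRIES, addr)[3])
```

Consumers apply the most-specific row, so the /20 row keeps the HQ location for every address not listed under a site, and the file only needs editing when a site prefix is added or moved. The postal-code field is deliberately left empty. Serve the file over HTTPS at a stable URL; how each geolocation provider discovers feeds differs, so check each one's submission process.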


Re: IoT security

2017-02-09 Thread bzs

On February 9, 2017 at 12:04 r...@gsp.org (Rich Kulawiec) wrote:
 > On Wed, Feb 08, 2017 at 08:30:15AM -0800, Damian Menscher wrote:
 > > The devices are trivially compromised (just log in with the default root
 > > password).  So here's a modest proposal: log in as root and brick the
 > > device.
 > 
 > No.  It's never a good idea to respond to abuse with abuse.  Not only
 > is it unethical and probably illegal (IANAL, this is not legal advice)
 > but it won't take more than a day for someone to figure out that this
 > is happening and use some variety of misdirection to cause third parties
 > to target devices that aren't actually part of the problem.

Ok but what if you broke in and fixed their security w/o breaking the
user experience? Would a vendor, presented with a good demo, sign off
on that? If so isn't it just a mandatory patch?

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: GTT AS3257 router server

2017-02-09 Thread Adam Davenport

Clinton,

I'll give this a look on our side and ping you directly off-list. Thanks.

On 2/9/17 3:13 PM, Clinton Work wrote:

If anybody is reading the NANOG list from the GTT NOC, can you look at
your route-server with the BGP session flapping every couple of minutes.

route-server.as3257.net>show ip bgp sum

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
213.200.64.93   4  3257 68799843  331607000 00:00:50 Active


--
Clinton Work




Re: IoT security

2017-02-09 Thread clinton mielke
It probably doesn't account for those situations. In the case of security
products, it's also likely that multiple devices are hosting port 80

But it doesn't matter too much. Having this kind of data helps us
prioritize what devices have the biggest chunk of the infected pie.

On Feb 9, 2017 12:04 PM,  wrote:

> On Wed, 08 Feb 2017 22:19:01 -0800, clinton mielke said:
>
> > Yup! All the mapping I've done is over port 80. I'd have a lot more than I
> > currently have if I was looking at other ports, probably.
>
> Wow.  How does this work if more than one IoPT(*)
> device is in play in the home network, especially from different
> manufacturers?
>
> (*) Internet of Pwned Things.
>
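Port-80 mapping of the kind Clinton describes comes down to matching each public IP's HTTP response against per-model signatures and counting. The script below is an added example, not Clinton's tooling or anything from the thread: it classifies a handful of constructed HTTP responses (the device family names, banners and the 198.51.100.0/24 and 203.0.113.0/24 addresses are all hypothetical) and ranks families by how many public IPs they account for. It keys observations by public IP, which is exactly the limitation Valdis raises: behind a NAT only one device's port 80 is reachable, so a household with several devices is counted once, and responses that match no signature stay visible as their own bucket rather than being dropped.

```python
"""Rank IoT device families by counting per-public-IP port-80 responses against
banner signatures. Added example with constructed banners and addresses; not
Clinton's mapping tool or anything from the thread."""
import re
from collections import Counter

# Hypothetical signatures over the raw HTTP response (status line, headers,
# body). Family names and banners are constructed, not real vendor strings.
SIGNATURES = [
    ("example-dvr",    re.compile(rb"^Server:\s*ExampleDVR-httpd/", re.I | re.M)),
    ("example-cam",    re.compile(rb"<title>\s*ExampleCam Web Viewer", re.I)),
    ("example-router", re.compile(rb'^WWW-Authenticate:\s*Basic realm="ExampleRouter"', re.I | re.M)),
]

# Constructed observations keyed by public IP (RFC 5737 documentation space).
SAMPLE_OBSERVATIONS = {
    "198.51.100.7":  b"HTTP/1.1 200 OK\r\nServer: ExampleDVR-httpd/1.2\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "198.51.100.23": b"HTTP/1.1 401 Unauthorized\r\nServer: ExampleDVR-httpd/1.0\r\nWWW-Authenticate: Basic realm=\"DVR\"\r\n\r\n",
    "203.0.113.5":   b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html><head><title>ExampleCam Web Viewer</title></head></html>",
    "203.0.113.9":   b"HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"ExampleRouter\"\r\n\r\n",
    "203.0.113.77":  b"HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\n\r\n<html></html>",
}


def fingerprint(response: bytes) -> str:
    """First signature that matches the response, else 'unknown' (kept as its own bucket)."""
    for family, pattern in SIGNATURES:
        if pattern.search(response):
            return family
    return "unknown"


def tally(observations: dict) -> Counter:
    """One vote per public IP. Behind NAT only one device's port 80 is reachable
    per address, so a home with several devices is counted once."""
    return Counter(fingerprint(resp) for resp in observations.values())


def rank_families(observations: dict) -> list:
    """Families ordered by share of observed IPs: the prioritisation list."""
    return tally(observations).most_common()


if __name__ == "__main__":
    total = len(SAMPLE_OBSERVATIONS)
    for family, n in rank_families(SAMPLE_OBSERVATIONS):
        print(f"{family:16s} {n:3d}  {100 * n / total:5.1f}%")
```

Signatures are tried in list order, so put the most specific ones first; a device that sits behind a generic reverse proxy will land in the unknown bucket, and the size of that bucket is itself a signal that the signature list needs work.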


Re: IoT security

2017-02-09 Thread valdis . kletnieks
On Thu, 09 Feb 2017 14:54:26 -0500, William Herrin said:

> Is there some way an industry association could overcome this? Perhaps
> have some trivial way to assign each model of IoT device some kind of
> integer and have the device report the integer instead of its plain
> text manufacturer and hardware model number? Where the assigned
> integer is intentionally not published by the industry association
> though of course trivially determinable by anyone who owns one of the
> devices.

Or anybody who knows how to use the internet to look for reports of owners who
have issues.  All it takes is one smarter than the average bear user posting
"I've got a MobyWombat 3000 light bulb, and it keeps sending 1193432542 to some
server someplace"

> Wouldn't especially impair building a database of vulnerable
> devices but it would raise the bar for trying to turn the

If it doesn't *heavily* impair building a database of vulnerable devices,
it's not a solution to the problem under discussion.







GTT AS3257 router server

2017-02-09 Thread Clinton Work
If anybody is reading the NANOG list from the GTT NOC, can you look at
your route-server with the BGP session flapping every couple of minutes. 

route-server.as3257.net>show ip bgp sum

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
213.200.64.93   4  3257 68799843  331607000 00:00:50 Active


--
Clinton Work


Re: IoT security

2017-02-09 Thread valdis . kletnieks
On Wed, 08 Feb 2017 22:19:01 -0800, clinton mielke said:

> Yup! All the mapping I've done is over port 80. I'd have a lot more than I
> currently have if I was looking at other ports, probably.

Wow.  How does this work if more than one IoPT(*)
device is in play in the home network, especially from different manufacturers?

(*) Internet of Pwned Things.




350 East Main - Buffalo

2017-02-09 Thread Rod Beck
Looking for a customer list for this building.


Best,


Roderick.



Re: IoT security

2017-02-09 Thread William Herrin
On Thu, Feb 9, 2017 at 12:04 PM, Rich Kulawiec  wrote:
> On Wed, Feb 08, 2017 at 08:30:15AM -0800, Damian Menscher wrote:
>> The devices are trivially compromised (just log in with the default root
>> password).  So here's a modest proposal: log in as root and brick the
>> device.
>
> No.  It's never a good idea to respond to abuse with abuse.

Hi Rich,

On that we agree. Vigilantism is a non-starter.

> [regarding the tattler kill switch]
> 2. This will allow ISPs to build a database of which customers have
> which IOT devices.  This is an appalling invasion of privacy.

Is there some way an industry association could overcome this? Perhaps
have some trivial way to assign each model of IoT device some kind of
integer and have the device report the integer instead of its plain
text manufacturer and hardware model number? Where the assigned
integer is intentionally not published by the industry association
though of course trivially determinable by anyone who owns one of the
devices. Wouldn't especially impair building a database of vulnerable
devices but it would raise the bar for trying to turn the
self-reporting in to business intelligence. Particularly if industry
association rules forbid retaining a record of device self-reports on
pain of whatever.

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 


Re: IoT security

2017-02-09 Thread Rich Kulawiec
On Wed, Feb 08, 2017 at 08:30:15AM -0800, Damian Menscher wrote:
> The devices are trivially compromised (just log in with the default root
> password).  So here's a modest proposal: log in as root and brick the
> device.

No.  It's never a good idea to respond to abuse with abuse.  Not only
is it unethical and probably illegal (IANAL, this is not legal advice)
but it won't take more than a day for someone to figure out that this
is happening and use some variety of misdirection to cause third parties
to target devices that aren't actually part of the problem.

---rsk


Re: Bandwidth Savings (Keenan Singh)

2017-02-09 Thread Keenan Singh
Hi Ramy

I reached out to FB and they are looking for a min of 5G Traffic coming
from your AS to qualify for a Cache. Not sure how they came up with 5G as
normally everyone else would ask for 1G Traffic.

Can anyone else confirm? Maybe someone from FB is here and can clarify.

Keenan

On Feb 9, 2017 6:32 AM, "Ramy Hashish"  wrote:

Hello Luke and all,

I stumbled upon some news about Facebook edge network servers, does anybody
know anything about the caches the FB use and the ISPs can host? and is
Facebook a part of SVA alliance?

Thanks,

Ramy


Hi Luke,
>
> Regarding HTTPS Streaming and Netflix...
>
> Netflix announced in the spring of 2015 that it would move to HTTPS
> delivery by April of 2016.  At the time of that first announcement, some
> concluded Netflix might not be able to afford the capital investment
> required to enable HTTPS delivery.
>
> Given Netflix did not complete the HTTPS project by their first deadline,
> we believe they have been focused on other priorities such as their global
> expansion. So, given this history, it's not clear just when or if Netflix
> will make the move to majority HTTPS for delivery.  Furthermore, Netflix is
> under considerable pressure from investors to improve subscriber growth,
> revenue growth and profitability. The HTTPS project does not support any of
> these goals. In fact, Netflix reported net income is marginal and a move to
> full HTTPS delivery would likely consume all profits for the year.
>
> Along with the rest of the industry, we recognize the need for Open
> Caching systems to support HTTPS streaming from upstream content
> providers.  This is one of the reasons why we were a Founding Member, along
> with 16 other streaming companies, in the Streaming Video Alliance in the
> fall of 2014.  The SVA now includes almost 50 member companies from across
> the streaming ecosystem and around the world.  More importantly, the Open
> Caching Working Group has issued functional requirements, unanimously
> approved by SVA members, which include support for HTTPS streams.
>
> The SVA Board has invited Netflix to join the Alliance and, in doing so,
> endorse the Open Caching work underway. This would open up a path in the
> short run to ensure any open cache can continue to support Netflix content
> even if Netflix moves to HTTPS delivery. We expect to see Netflix become
> more active in the SVA soon given other major streaming providers, such as
> Hulu and Amazon, are joining now.
>
> In conclusion, the SVA has developed a solution for Open Cache support of
> HTTPS streaming and we expect all streaming providers, including Netflix,
> will align with the SVA's direction.
>
> http://www.streamingvideoalliance.org/
>
> Let me know if you have any more questions.
>
> Regards,
>
>
>
> Luke Guillory
> Network Operations Manager
>
> Tel:985.536.1212
> Fax:985.536.0300
> Email:  lguill...@reservetele.com
>
> Reserve Telecommunications
> 100 RTC Dr
> Reserve, LA 70084
>
> 
> _
>
> Disclaimer:
> The information transmitted, including attachments, is intended only for
> the person(s) or entity to which it is addressed and may contain
> confidential and/or privileged material which should not disseminate,
> distribute or be copied. Please notify Luke Guillory immediately by e-mail
> if you have received this e-mail by mistake and delete this e-mail from
> your system. E-mail transmission cannot be guaranteed to be secure or
> error-free as information could be intercepted, corrupted, lost, destroyed,
> arrive late or incomplete, or contain viruses. Luke Guillory therefore does
> not accept liability for any errors or omissions in the contents of this
> message, which arise as a result of e-mail transmission. .
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Keenan Singh
> Sent: Tuesday, January 10, 2017 10:09 PM
> To: nanog@nanog.org
> Subject: Bandwidth Savings
>
> Hi Guys
>
> We are an ISP in the Caribbean, and are faced with extremely high
> Bandwidth costs, compared to the US, we currently use Peer App for Caching
> however with most services now moving to HTTPS the cache is proving to be
> less and less effective. We are currently looking at any way we can save on
> Bandwidth or to be more Efficient with the Bandwidth we currently have. We
> do have a Layer 2 Circuit between the Island and Miami, I am seeing there
> are WAN Accelerators where they would put a Server on either end and sort
> of Compress and decompress the Traffic before it goes over the Layer 2, I
> have never used this before, has any one here used anything like this, what
> results would I be able to expect for ISP Traffic?
>
> If not any ideas on Bandwidth Savings, or being more Efficient with what
> we currently have.
>
> Many thanks for any Help
>
> Keenan
>
>


Re: Bandwidth Savings (Keenan Singh)

2017-02-09 Thread Ramy Hashish
Hello Luke and all,

I stumbled upon some news about Facebook edge network servers, does anybody
know anything about the caches the FB use and the ISPs can host? and is
Facebook a part of SVA alliance?

Thanks,

Ramy


Hi Luke,
>
> Regarding HTTPS Streaming and Netflix...
>
> Netflix announced in the spring of 2015 that it would move to HTTPS
> delivery by April of 2016.  At the time of that first announcement, some
> concluded Netflix might not be able to afford the capital investment
> required to enable HTTPS delivery.
>
> Given Netflix did not complete the HTTPS project by their first deadline,
> we believe they have been focused on other priorities such as their global
> expansion. So, given this history, it's not clear just when or if Netflix
> will make the move to majority HTTPS for delivery.  Furthermore, Netflix is
> under considerable pressure from investors to improve subscriber growth,
> revenue growth and profitability. The HTTPS project does not support any of
> these goals. In fact, Netflix reported net income is marginal and a move to
> full HTTPS delivery would likely consume all profits for the year.
>
> Along with the rest of the industry, we recognize the need for Open
> Caching systems to support HTTPS streaming from upstream content
> providers.  This is one of the reasons why we were a Founding Member, along
> with 16 other streaming companies, in the Streaming Video Alliance in the
> fall of 2014.  The SVA now includes almost 50 member companies from across
> the streaming ecosystem and around the world.  More importantly, the Open
> Caching Working Group has issued functional requirements, unanimously
> approved by SVA members, which include support for HTTPS streams.
>
> The SVA Board has invited Netflix to join the Alliance and, in doing so,
> endorse the Open Caching work underway. This would open up a path in the
> short run to ensure any open cache can continue to support Netflix content
> even if Netflix moves to HTTPS delivery. We expect to see Netflix become
> more active in the SVA soon given other major streaming providers, such as
> Hulu and Amazon, are joining now.
>
> In conclusion, the SVA has developed a solution for Open Cache support of
> HTTPS streaming and we expect all streaming providers, including Netflix,
> will align with the SVA's direction.
>
> http://www.streamingvideoalliance.org/
>
> Let me know if you have any more questions.
>
> Regards,
>
>
>
> Luke Guillory
> Network Operations Manager
>
> Tel:985.536.1212
> Fax:985.536.0300
> Email:  lguill...@reservetele.com
>
> Reserve Telecommunications
> 100 RTC Dr
> Reserve, LA 70084
>
> 
> _
>
> Disclaimer:
> The information transmitted, including attachments, is intended only for
> the person(s) or entity to which it is addressed and may contain
> confidential and/or privileged material which should not disseminate,
> distribute or be copied. Please notify Luke Guillory immediately by e-mail
> if you have received this e-mail by mistake and delete this e-mail from
> your system. E-mail transmission cannot be guaranteed to be secure or
> error-free as information could be intercepted, corrupted, lost, destroyed,
> arrive late or incomplete, or contain viruses. Luke Guillory therefore does
> not accept liability for any errors or omissions in the contents of this
> message, which arise as a result of e-mail transmission. .
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Keenan Singh
> Sent: Tuesday, January 10, 2017 10:09 PM
> To: nanog@nanog.org
> Subject: Bandwidth Savings
>
> Hi Guys
>
> We are an ISP in the Caribbean, and are faced with extremely high
> Bandwidth costs, compared to the US, we currently use Peer App for Caching
> however with most services now moving to HTTPS the cache is proving to be
> less and less effective. We are currently looking at any way we can save on
> Bandwidth or to be more Efficient with the Bandwidth we currently have. We
> do have a Layer 2 Circuit between the Island and Miami, I am seeing there
> are WAN Accelerators where they would put a Server on either end and sort
> of Compress and decompress the Traffic before it goes over the Layer 2, I
> have never used this before, has any one here used anything like this, what
> results would I be able to expect for ISP Traffic?
>
> If not any ideas on Bandwidth Savings, or being more Efficient with what
> we currently have.
>
> Many thanks for any Help
>
> Keenan
>
>