Re: NG Firewalls & IPv6

2018-04-03 Thread Jima
Hey Joe,

I don't know how next-gen they'd be considered, but I've had reasonably good 
luck with Cisco ASA (v9+), and to a lesser degree Juniper ScreenOS (v6.3+). 
Modern-ish ASA does v6-only pretty well; ScreenOS has more v4-dependent 
nuances, I've found.

I do like the NAT64 support in ASA (although it sadly doesn't support the 
Well-Known Prefix) -- no love in ScreenOS, as far as I've ever found.

- Jima

> On Apr 2, 2018, at 16:58, Joe Klein  wrote:
> 
> All,
> 
> At security and network tradeshows over the last 15 years, I have asked
> companies if their products supported "IPv6". They all claimed they did,
> but were unable to verify any successful installations. Later they told me
> it was on their "Roadmap" but were unable to provide an estimated year,
> because it was a trade secret.
> 
> Starting this last year at BlackHat US, I again visited every product
> booth, asking if their products supported dual-stack or IPv6 only
> operations. Receiving only the same unsupported answers, I decided to focus
> on one product category.
> 
> To the gurus of the NANOG community, what are your experiences with
> installing and managing Next Generation firewalls? Do they support IPv6
> only environments? Details? Stories?
> 
> If you prefer not to disparage those poor product companies, please contact
> me off the list.
> 
> Thanks,
> 
> Joe Klein
> 
> "inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
> PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8


Re: Are any of you starting to get AI robocalls?

2018-04-03 Thread Ethan O'Toole
> do it, and the spoofing is nearly impossible to trace back to the origin, so 
> those who do it can safely ignore other laws because they know they won't be 
> caught.


Forward to an 800, grab it from the ANI versus CID?

- Ethan O'Toole



RE: CDN-provided caching platforms?

2018-04-03 Thread Aaron Gould
I'm wondering if/when Amazon Prime Video will have a CDN system to roll out
to ISPs like OCA, FNA, GGC, etc.

Anyone hear anything about Amazon Video or any other big names like that?

- Aaron

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of
valdis.kletni...@vt.edu
Sent: Tuesday, March 27, 2018 10:23 AM
To: Russell Berg
Cc: nanog@nanog.org
Subject: Re: CDN-provided caching platforms?

On Tue, 27 Mar 2018 02:26:24 -, Russell Berg said:

> I was wondering if there are other CDN caching platforms out there we 
> should be researching/deploying?

Does traffic analysis show any other destinations that have enough traffic
that caching might help?




Re: Are any of you starting to get AI robocalls?

2018-04-03 Thread Ken Chase
And revenues won't be impacted because few have a cell for voice
anymore. With increasing data reliability we can move to VoIP
on phones and a provider of choice who offers proper filtering and our
own skill-testing AI attendants.

(I'm thinking something along the lines of 'unladen swallow'.)

/kc


On Tue, Apr 03, 2018 at 07:26:36PM -0400, Jon Lewis said:
  >On Tue, 3 Apr 2018, Ken Chase wrote:
  >
  >>All this boils my blood. I am not sure why/how spoofing ph#s is legal. I get
  >>sms mass spam too.
  >
  >Whether or not its legal is irrelevant.  It's trivial to do if your link
  >to the PSTN is digital and you have a provider not filtering based on sent
  >caller-id.  It's kind of the PSTN version of the Internet's BCP-38 issue.
  >All providers should be filtering based on "valid" caller-id...but so many
  >don't do it, and the spoofing is nearly impossible to trace back to the
  >origin, so those who do it can safely ignore other laws because they know
  >they won't be caught.
  >
  >--
  > Jon Lewis, MCP :)   |  I route
  > |  therefore you are
  >_ http://www.lewis.org/~jlewis/pgp for PGP public key_

-- 
Ken Chase - m...@sizone.org Guelph Canada



RE: CDN-provided caching platforms?

2018-04-03 Thread Jose Gerardo Perales Soto
Ericsson UDN

https://www.ericsson.com/en/tech-innovation/offerings/udn/service-providers

Gerardo

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Russell Berg
Sent: Monday, March 26, 2018 08:26 PM
To: nanog@nanog.org
Subject: CDN-provided caching platforms?

I work for a regional Midwestern US "Tier 2" ISP that provides both wholesale 
and enterprise Internet connectivity.  We have caching platforms in place from 
the likes of Akamai, Google, Netflix, and Facebook; I was wondering if there 
are other CDN caching platforms out there we should be researching/deploying? 
PM me if more appropriate...

TIA

Russ

Russell Berg
Chief Technology Officer
WIN / Airstream Communications (AS 11796)
P: 715-832-3726 | C: 715-579-8227
www.wins.net




NOTE: The information in this email is proprietary and confidential. This 
message is for the designated recipient only, if you are not the intended 
recipient, you should destroy it immediately. Any information in this message 
shall not be understood as given or endorsed by AXTEL, S.A.B. de C.V, its 
subsidiaries or their employees, unless expressly so stated. It is the 
responsibility of the recipient to ensure that this email is virus free, 
therefore neither AXTEL, S.A.B. de C.V, its subsidiaries nor their employees 
accept any responsibility.


Re: Are any of you starting to get AI robocalls?

2018-04-03 Thread Jon Lewis

On Tue, 3 Apr 2018, Ken Chase wrote:

> All this boils my blood. I am not sure why/how spoofing ph#s is legal. I get
> sms mass spam too.


Whether or not its legal is irrelevant.  It's trivial to do if your link 
to the PSTN is digital and you have a provider not filtering based on sent 
caller-id.  It's kind of the PSTN version of the Internet's BCP-38 issue. 
All providers should be filtering based on "valid" caller-id...but so many 
don't do it, and the spoofing is nearly impossible to trace back to the 
origin, so those who do it can safely ignore other laws because they know 
they won't be caught.


--
 Jon Lewis, MCP :)   |  I route
 |  therefore you are
_ http://www.lewis.org/~jlewis/pgp for PGP public key_


Re: Are any of you starting to get AI robocalls?

2018-04-03 Thread joel jaeggli


On 4/3/18 3:32 PM, William Herrin wrote:
> Howdy.
>
> Have any of you started to get AI robocalls? I've had a couple of
> calls recently where I get the connect silence of a predictive dialer
> followed by a woman speaking with call center background noise. She
> gives her name and asks how I'm doing. The first time it happened it
> seemed off for reasons I can't quite articulate, so I asked: "Are you
> a robot or a person?" She responded "yes" and then launched in to a
> sales pitch. The next time I asked, "where can I direct your call?"
> She responded "that's good" and launched in to her pitch.
They're more in the domain of artificially stupid but yes.

https://www.theverge.com/2018/1/1/16837814/robocall-spam-phone-call-increase-2017-ftc-report

The anti spoofing/spam app I have that screens calls to several DIDs I
have pointed at one phone reports a dozen or so calls per day.

I would generally assume that the current rate will hasten the demise of
the remaining pots services.
> Regards,
> Bill Herrin
>
>




Re: Are any of you starting to get AI robocalls?

2018-04-03 Thread Ken Chase
Just throw a dial tree plan in front of getting ahold of you. "Press 1 to
speak to a human." This foils most dialers which wait for a human to answer
before they throw anyone (anything?) on the line. They may also have the AI 
get through the unpleasantries before they stick a human on it.

Many VoIP providers offer a dial tree. I have a provider with a snazzy web 
drag-n-drop tree construction system, so you don't need to learn
m4/asterisk/linenoise, and it even directs SMSes to email for me. I've set it
up for my wife and myself (hit 1 for me, 2 for her) and I use it on all my
online ordering stuff because I know they'll be hacked sooner or later and my
info leaked into the wild for abuse.

I don't know how cell companies expect to be able to continue to offer any
voice services with the lack of enforcement against robodialing - I get calls in
the middle of the night (and have to leave my phone on for on-call from random
customers I don't know the ph# for). Even though I give my direct cell # out to
almost no one, I get 3-5 random calls a week. (I don't doubt that phone hacks are
uploading people's contact lists to the cloud for further infection/robodials,
as well as plain war-dial trawls.)

I have a spam contact with > 150 ph#s in it. (I need an app to share these and
subscribe to autoblock but haven't gotten a round tuit yet.) Worse, they're
spoofing real ph#s - I call back calls I didn't answer and they all claim they
didn't call me - because a robodialer spoofed a legit ph# to avoid mass filter
lists. (Beware ph#s that use your NXX - the human gut reaction is supposedly to
answer ph#s that look like your own, but it's likely a robodial.)

All this boils my blood. I am not sure why/how spoofing ph#s is legal. I get
sms mass spam too.

Too much control is left on the sending side; we need way better filtering tools
on the receiver. Soon enough however I hope to just be able to dispense with
voice communication and point customers at something else (even SMS would be
better). I'm not sure we're at the point you can enforce that without pissing
off customers, but we're close.

(I don't support capital punishment for much, but this might be one thing... :)

/kc


On Tue, Apr 03, 2018 at 06:32:19PM -0400, William Herrin said:
  >Howdy.
  >
  >Have any of you started to get AI robocalls? I've had a couple of
  >calls recently where I get the connect silence of a predictive dialer
  >followed by a woman speaking with call center background noise. She
  >gives her name and asks how I'm doing. The first time it happened it
  >seemed off for reasons I can't quite articulate, so I asked: "Are you
  >a robot or a person?" She responded "yes" and then launched in to a
  >sales pitch. The next time I asked, "where can I direct your call?"
  >She responded "that's good" and launched in to her pitch.
  >
  >Regards,
  >Bill Herrin
  >
  >
  >-- 
  >William Herrin  her...@dirtside.com  b...@herrin.us
  >Dirtside Systems . Web: 

--
Ken Chase - m...@sizone.org Guelph Canada


Are any of you starting to get AI robocalls?

2018-04-03 Thread William Herrin
Howdy.

Have any of you started to get AI robocalls? I've had a couple of
calls recently where I get the connect silence of a predictive dialer
followed by a woman speaking with call center background noise. She
gives her name and asks how I'm doing. The first time it happened it
seemed off for reasons I can't quite articulate, so I asked: "Are you
a robot or a person?" She responded "yes" and then launched in to a
sales pitch. The next time I asked, "where can I direct your call?"
She responded "that's good" and launched in to her pitch.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Yet another Quadruple DNS?

2018-04-03 Thread Scott Weeks


--- bortzme...@nic.fr wrote:
From: Stephane Bortzmeyer 

 Rich Kulawiec  wrote 
 a message of 10 lines which said:

> Watch what you wish for: you might get it.  The number of
> attack/abuse vectors (and the severity of their consequences for
> security and privacy) involved in doing auto-update may rival those
> involved in not doing auto-update.

Also, there is the risk of getting updates that will disable some
features, if there is a change in the commercial strategy of the
vendor.
All these risks are documented in RFC 8240, highly recommended
reading.
---


Regarding the HP example story, won't natural attrition fix this?  My 
stuff has been in storage for well over a year for various reasons and 
if I pull out my HP printer (which has non-HP cartridges) and it does 
this to me, I surely won't get another one.  I'm also sure I'd be the 
norm on this as it would anger other non-technical HP customers, as 
well.  (I was on the fence with HP anyway as they try to take over my 
equipment too much)

scott


ps. Who knows, I don't let my printer talk outside my network anyway, 
so maybe I didn't get the update.


COX contact

2018-04-03 Thread Dennis Burgess
Can I get a network engineer from COX to give me a call or email me please :)  
I have a routing issue that I need taken a look at.



Dennis Burgess, Mikrotik Certified Trainer
Author of "Learn RouterOS- Second Edition"
Link Technologies, Inc -- Mikrotik & WISP Support Services
Office: 314-735-0270  Website: 
http://www.linktechs.net
Create Wireless Coverages with www.towercoverage.com



Re: Why doesn't "Cloudflare 1.1.1.1" compress root answers?

2018-04-03 Thread Mehmet Akcin
I am sure they will after this ;)

On Tue, Apr 3, 2018 at 4:00 PM, Bjørn Mork  wrote:

> At first I thought they had disabled compression:
>
>  bjorn@miraculix:~$ dig . ns @1.1.1.1|grep SIZE
>  ;; MSG SIZE  rcvd: 431
>  bjorn@miraculix:~$ dig . ns @8.8.8.8|grep SIZE
>  ;; MSG SIZE  rcvd: 239
>  bjorn@miraculix:~$ dig . ns @9.9.9.9|grep SIZE
>  ;; MSG SIZE  rcvd: 239
>
>
> But then I noticed that they *do* compress other names:
>
>  bjorn@miraculix:~$ dig net ns @1.1.1.1|grep SIZE
>  ;; MSG SIZE  rcvd: 253
>  bjorn@miraculix:~$ dig net ns @8.8.8.8|grep SIZE
>  ;; MSG SIZE  rcvd: 253
>  bjorn@miraculix:~$ dig net ns @9.9.9.9|grep SIZE
>  ;; MSG SIZE  rcvd: 253
>
>
> Which just makes it even more confusing.  What's so special about root?
> Except for the obvious :-)
>
>
>
> Bjørn
>
>


Why doesn't "Cloudflare 1.1.1.1" compress root answers?

2018-04-03 Thread Bjørn Mork
At first I thought they had disabled compression:

 bjorn@miraculix:~$ dig . ns @1.1.1.1|grep SIZE
 ;; MSG SIZE  rcvd: 431
 bjorn@miraculix:~$ dig . ns @8.8.8.8|grep SIZE
 ;; MSG SIZE  rcvd: 239
 bjorn@miraculix:~$ dig . ns @9.9.9.9|grep SIZE
 ;; MSG SIZE  rcvd: 239


But then I noticed that they *do* compress other names:

 bjorn@miraculix:~$ dig net ns @1.1.1.1|grep SIZE
 ;; MSG SIZE  rcvd: 253
 bjorn@miraculix:~$ dig net ns @8.8.8.8|grep SIZE
 ;; MSG SIZE  rcvd: 253
 bjorn@miraculix:~$ dig net ns @9.9.9.9|grep SIZE
 ;; MSG SIZE  rcvd: 253


Which just makes it even more confusing.  What's so special about root?
Except for the obvious :-)



Bjørn



Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-03 Thread David Hubbard
I'm finding it unreachable from at least one Level 3 router.  I'm seeing 
behavior which makes me suspect 1.1.1.1/32 has been incorrectly defined as an 
interface IP on that device; one of our locations gets an immediate ping 
response for 1.1.1.1, and a traceroute of one hop, which is that first upstream 
hop.  1.0.0.1 is reachable like normal across several hops.

On 4/3/18, 1:36 PM, "NANOG on behalf of George Skorup" 
 wrote:

1.1.1.1 not usable via Windstream peering in Chicago.

# traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
...
  3  be4.agr01.chcg02-il.us.windstream.net (40.136.99.22)  5.158 ms  5.116 ms  7.565 ms
  4  ae13-0.cr01.chcg01-il.us.windstream.net (40.136.99.44)  4.673 ms  4.644 ms  4.600 ms
  5  et8-0-0-0.cr02.dlls01-tx.us.windstream.net (40.128.10.135) 27.136 ms  27.099 ms  27.053 ms
  6  xe0-2-3-0.cr02.dnvt01-co.us.windstream.net (40.136.97.125) 29.075 ms  28.381 ms  28.336 ms
  7  xe3-3-1-0.pe03.dums01-tx.us.windstream.net (173.189.57.195) 46.121 ms  46.193 ms  46.148 ms
  8  * * *
  9  * * *
10  * * *
11  * * *
12  * * *
13  *^C

# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=248 time=43.2 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=248 time=43.9 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=248 time=42.8 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 42.892/43.344/43.915/0.489 ms

# nslookup
 > server 1.1.1.1
Default server: 1.1.1.1
Address: 1.1.1.1#53
 > google.com
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached




Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-03 Thread Andrey Slastenov
Very interesting...

I just heard about this problem today from one of my friends who supports a 
big SP network (Russia). He got complaints from one of their peers. After a 
short investigation he found that they were blackholing 1.1.1.1. 
When I asked him about the reasons, he couldn't explain, because as he said "it 
was there from the Big Bang times".



BR, Andrey Slastenov

> On Apr 3, 2018, at 20:41, Jeremy L. Gaddis wrote:
> 
>> On 2018-04-03 (Tue) at 01:22 EDT, Tore Anderson wrote:
>> Any plans to support NSID and/or "hostname.bind" to allow clients to
>> identify which node is serving their requests? For example:
> 
> FWIW:
> 
>  $ dig @1.0.0.1 id.server. CH TXT
>  [...]
>  ;; OPT PSEUDOSECTION:
>  ; EDNS: version: 0, flags:; udp: 1536
>  ;; QUESTION SECTION:
>  ;id.server. CH  TXT
> 
>  ;; ANSWER SECTION:
>  id.server.  0   CH  TXT "dtw01"
>  [...]
> 
> 
> -- 
> Jeremy L. Gaddis
> 


Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-03 Thread Jeremy L. Gaddis
On 2018-04-03 (Tue) at 01:22 EDT, Tore Anderson wrote:
> Any plans to support NSID and/or "hostname.bind" to allow clients to
> identify which node is serving their requests? For example:

FWIW:

  $ dig @1.0.0.1 id.server. CH TXT
  [...]
  ;; OPT PSEUDOSECTION:
  ; EDNS: version: 0, flags:; udp: 1536
  ;; QUESTION SECTION:
  ;id.server. CH  TXT
  
  ;; ANSWER SECTION:
  id.server.  0   CH  TXT "dtw01"
  [...]


-- 
Jeremy L. Gaddis



Re: Cloudflare 1.1.1.1 public DNS broken w/ AT CPE

2018-04-03 Thread Stephen Satchell

On 04/02/2018 11:58 AM, Rhys Williams wrote:
> Yep, Because you should have been setting up your networks correctly in the 
> first place. There's plenty of private space assigned, use it.
>
> Regards,
>
> Rhys Williams
>
> April 2, 2018 4:54 PM, "Simon Lockhart"  wrote:
>
>> and now suddenly it's our responsibility to make significant changes to live
>> infrastructures just so they can continue to look clever with the IP address.


(ah, the top-posting)

We go by the guidance of our vendors, and in this case the vendors are 
the one who made inappropriate use of Net 1.  Many of them.  So to put 
the onus on just Mr. Lockhart is plainly inappropriate.


"Fixing the blame" is not going to take us very far.  We as a community 
need to "fix the problem" -- that road will lead to proper functioning 
of all of our networks.


Even the little ones.



Network Info Anonymizer

2018-04-03 Thread Spencer Fraint via NANOG
Sharing network configuration files (e.g. to get help debugging) can be
quite tricky because they contain sensitive information.  At the same time,
simply removing the sensitive information (e.g. removing or changing all IP
addresses) removes important structure from the files, defeating the
purpose of sharing.  We created Netconan to help.

Netconan is an open source Python tool that anonymizes sensitive network
information from text files, while preserving important structure.  For
example: it can take in router configuration files and remove passwords and
anonymize IP addresses, while preserving IP address relationships
(prefixes/subnets that matched before anonymization will still match after
anonymization).

Check it out on PyPI (https://pypi.python.org/pypi/netconan/) or GitHub (
https://github.com/intentionet/netconan) and let us know what you think!


Thanks,

Spencer
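Spencer's post describes the property that matters for sharing configs: anonymized addresses must still share prefixes exactly where the originals did. The following is an added illustration of that idea, not Netconan's own code; it assumes a Crypto-PAn-style construction (each output bit is the input bit XORed with a keyed pseudorandom bit derived from the preceding bits), and the DEMO_KEY, the addresses and the config line are constructed.

```python
"""Prefix-preserving IP anonymization (added example; not Netconan's code).

Assumed construction, Crypto-PAn style: output bit i is input bit i XOR a keyed
pseudorandom bit derived from input bits 0..i-1.  Two addresses that share their
first k bits therefore share exactly their first k bits after anonymization, so
prefixes/subnets that matched before still match after, while the key keeps the
mapping unguessable to anyone who does not hold it.
"""
import hashlib
import hmac
import ipaddress
import re

# Constructed demo key; a real deployment generates and protects its own.
DEMO_KEY = b"constructed-demo-key-not-for-production"

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _prf_bit(key: bytes, family_bits: int, prefix: str) -> int:
    """Keyed pseudorandom bit for one prefix; the family length domain-separates v4/v6."""
    msg = f"{family_bits}:{prefix}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 1


def anonymize_ip(addr, key: bytes = DEMO_KEY):
    """Map an IPv4/IPv6 address to a pseudonym with the same prefix structure."""
    ip = ipaddress.ip_address(addr)
    nbits = ip.max_prefixlen
    bits = format(int(ip), f"0{nbits}b")
    out = []
    for i, bit in enumerate(bits):
        # The flip decision sees only the bits before position i, never bit i
        # itself, which is what makes longest common prefixes survive intact.
        out.append(str(int(bit) ^ _prf_bit(key, nbits, bits[:i])))
    return ipaddress.ip_address(int("".join(out), 2))


def anonymize_network(net, key: bytes = DEMO_KEY):
    """Anonymize a prefix: pseudonymize its network address, keep its length."""
    network = ipaddress.ip_network(net, strict=False)
    anon_addr = anonymize_ip(network.network_address, key)
    return ipaddress.ip_network(f"{anon_addr}/{network.prefixlen}", strict=False)


def common_prefix_len(a, b) -> int:
    """Number of leading bits two same-family addresses share."""
    a, b = ipaddress.ip_address(a), ipaddress.ip_address(b)
    if a.version != b.version:
        raise ValueError("addresses must be the same IP version")
    diff = int(a) ^ int(b)
    return a.max_prefixlen - diff.bit_length()


def anonymize_line(line: str, key: bytes = DEMO_KEY) -> str:
    """Rewrite every dotted quad in a config line.

    Netmasks would be rewritten too; a real tool recognises them separately.
    """
    return IPV4_RE.sub(lambda m: str(anonymize_ip(m.group(0), key)), line)


def demo():
    """Show the property on constructed addresses and a constructed config line."""
    pairs = [("10.1.2.3", "10.1.9.9"), ("10.1.2.3", "192.168.0.1"),
             ("2001:db8::1", "2001:db8::2")]
    for x, y in pairs:
        ax, ay = anonymize_ip(x), anonymize_ip(y)
        print(f"{x} -> {ax}   {y} -> {ay}   shared bits: "
              f"{common_prefix_len(x, y)} before, {common_prefix_len(ax, ay)} after")
    print(anonymize_line("neighbor 10.1.2.3 remote-as 64512"))


if __name__ == "__main__":
    demo()
```

The same key must be used for every file in a bundle, otherwise addresses that appear in two configs stop matching each other.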


Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-03 Thread Alejandra Moreno
Great article!

Thanks for sharing :)


On Mon, Apr 2, 2018 at 11:12 PM, Hank Nussbacher 
wrote:

> On 03/04/2018 01:39, Matt Hoppes wrote:
>
> You might be interested in these links which compare the services:
> https://medium.com/@nykolas.z/dns-resolvers-performance-compared-cloudflare-x-google-x-quad9-x-opendns-149e803734e5
> https://webxtrakt.com/public-dns-performance
>
> -Hank
>
> > So in all this discussion, what I'm finding interesting is that
> > 8.8.8.8 is actually more hops away from me than either 9.9.9.9 or 1.1.1.1
> >
> > On 4/2/18 6:06 PM, Seth Mattinen wrote:
> >> On 4/2/18 14:58, Marty Strong via NANOG wrote:
> >>> Routing from ~150 locations, plenty of redundancy.
> >>>
> >>> https://www.cloudflare.com/network/
> >>
> >>
> >> I recommend 9.9.9.9 to people (if they must use a public resolver)
> >> because Quad9/PCH serves local markets of all sizes with anycast
> >> nodes and peering, not just "major markets". Since I'm not in a major
> >> market I want to support those who support the small markets that are
> >> overlooked by the big guys.
> >
>
>


Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-03 Thread George Skorup

1.1.1.1 not usable via Windstream peering in Chicago.

# traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
...
 3  be4.agr01.chcg02-il.us.windstream.net (40.136.99.22)  5.158 ms  5.116 ms  7.565 ms
 4  ae13-0.cr01.chcg01-il.us.windstream.net (40.136.99.44)  4.673 ms  4.644 ms  4.600 ms
 5  et8-0-0-0.cr02.dlls01-tx.us.windstream.net (40.128.10.135) 27.136 ms  27.099 ms  27.053 ms
 6  xe0-2-3-0.cr02.dnvt01-co.us.windstream.net (40.136.97.125) 29.075 ms  28.381 ms  28.336 ms
 7  xe3-3-1-0.pe03.dums01-tx.us.windstream.net (173.189.57.195) 46.121 ms  46.193 ms  46.148 ms

 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  *^C

# ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=248 time=43.2 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=248 time=43.9 ms
64 bytes from 1.1.1.1: icmp_seq=3 ttl=248 time=42.8 ms
^C
--- 1.1.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 42.892/43.344/43.915/0.489 ms

# nslookup
> server 1.1.1.1
Default server: 1.1.1.1
Address: 1.1.1.1#53
> google.com
;; connection timed out; trying next origin
;; connection timed out; no servers could be reached


Re: From Nov 2017...

2018-04-03 Thread J Crowe
That database could possibly be ingested and used locally. Traffic may not
even be traversing to the database hosted by IBM.

At least they are open about where they are getting the data that allows
for blocking to certain FQDNs.



On Mon, Apr 2, 2018 at 10:36 PM, Seth Mattinen  wrote:

> On 4/2/18 7:24 PM, Robert Mathews (OSIA) wrote:
>
>> To be clear.
>>
>> *DNS resolver 9.9.9.9 will check requests against IBM threat database*
>>
>
>
> To be clear on what? That an IBM database is queried, just like it says on
> their website? That doesn't mean they are recording who is making what
> requests.
>


Re: Cloudflare 1.1.1.1 public DNS broken w/ AT CPE

2018-04-03 Thread Rhys Williams
Yep, Because you should have been setting up your networks correctly in the 
first place. There's plenty of private space assigned, use it.

Regards,

Rhys Williams

April 2, 2018 4:54 PM, "Simon Lockhart"  wrote:
> and now suddenly it's our responsibility to make significant changes to live
> infrastructures just so they can continue to look clever with the IP address.


Re: Cloudflare 1.1.1.1 public DNS broken w/ AT CPE

2018-04-03 Thread blakangel


Re: New DNS Service

2018-04-03 Thread Jason Hellenthal
Like a wildcard DNS entry !

-- 

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.





> On Apr 3, 2018, at 10:25, Lee  wrote:
> 
> It depends.  If the web site is hosted on.. let's say cloudflare,
> there could be hundreds of names pointing to the same IP address.
> 
> Lee



Re: Yet another Quadruple DNS?

2018-04-03 Thread Paul Ebersman
ebersman> In the pipe dream category, it would be great to think that as
ebersman> IoT becomes unavoidable, we'll get more boxes that do
ebersman> auto-update.

rsk> Watch what you wish for: you might get it.  The number of
rsk> attack/abuse vectors (and the severity of their consequences for
rsk> security and privacy) involved in doing auto-update may rival those
rsk> involved in not doing auto-update.

I used to hate auto-update but after doing some large scale consumer
work, less than I used to. It's all "pick your poison". As Stephane
points out too, all sorts of issues patching vs not patching.

I'm thinking the "let's go to the movies" idea is looking better all the
time...


Re: New DNS Service

2018-04-03 Thread Lee
On 4/3/18, Rod Beck  wrote:
> And any consensus regarding the service? My layman question is how does this
> provide privacy?

You have to look for it & know what you're looking for:
https://developers.cloudflare.com/1.1.1.1/dns-over-https/
https://developers.cloudflare.com/1.1.1.1/dns-over-tls/

> The routers still need to know the IP address of the far
> end point. I would assume that it would be easy to deduce the domain name
> from the IP address.

It depends.  If the web site is hosted on.. let's say cloudflare,
there could be hundreds of names pointing to the same IP address.

Lee


Re: From Nov 2017...

2018-04-03 Thread Seth Mattinen

On 4/3/18 12:15 AM, Bill Woodcock wrote:
> Ok, sorry if I was being overly persnickety.  My apologies.  I’ve been spending 
> too much time answering questions on “social media” and it’s making me 
> antisocial.



Commenting on social media is like having to write a dissertation 
perfectly with your first draft in 5 seconds.


Re: Yet another Quadruple DNS?

2018-04-03 Thread Stephane Bortzmeyer
On Tue, Apr 03, 2018 at 10:54:34AM -0400,
 Rich Kulawiec  wrote 
 a message of 10 lines which said:

> Watch what you wish for: you might get it.  The number of
> attack/abuse vectors (and the severity of their consequences for
> security and privacy) involved in doing auto-update may rival those
> involved in not doing auto-update.

Also, there is the risk of getting updates that will disable some
features, if there is a change in the commercial strategy of the
vendor.
All these risks are documented in RFC 8240, highly recommended
reading.


Re: Yet another Quadruple DNS?

2018-04-03 Thread Rich Kulawiec
On Tue, Apr 03, 2018 at 08:21:02AM -0600, Paul Ebersman wrote:
> In the pipe dream category, it would be great to think that as IoT
> becomes unavoidable, we'll get more boxes that do auto-update. 

Watch what you wish for: you might get it.  The number of attack/abuse
vectors (and the severity of their consequences for security and privacy)
involved in doing auto-update may rival those involved in not doing
auto-update.

---rsk


Re: Yet another Quadruple DNS?

2018-04-03 Thread Paul Ebersman
ebersman> And EDNS client subnet mostly works.

bortzmeyer> It is awful, privacy-wise, complicates the cache a lot and
bortzmeyer> seriously decreases hit rate in cache (since the key to a
bortzmeyer> cached resource is no longer type+name but
bortzmeyer> type+name+source_address).

I was trying to be kind. Yes. It was a hack that solved a problem for a
particular pair of CDN and anycast resolver but tends to be a bad idea
for much of the world. But it's there and does sometimes improve CDN
performance. I seem to recall that quad9 has (or will shortly) different
IPs so you can choose if you want to have ECS in your queries or not.

bortzmeyer> It is not just an issue of knowledge and skills. Even if you
bortzmeyer> have both, you may lack time, and prefer a shrink-wrapped
bortzmeyer> solution. The future is in "boxes" which are both
bortzmeyer> ready-to-use (for the guy who lacks sysadmin skills, and/or
bortzmeyer> lacks time) and open (for the tinkerer). The Turris Omnia
bortzmeyer>  is a very good example.

Indeed. The vast majority of the world doesn't even know DNS exists,
much less wants to dive into all sorts of obscure settings. They want to
go to the local big-box electronics store and buy a "solution". And the
Turris box is a great solution but way more than most consumers will
spend. I have hopes the new Turris modular approach will mean a lower
price point so we have more of these and fewer cheap/crappy CPEs on the
internet.

In the pipe dream category, it would be great to think that as IoT
becomes unavoidable, we'll get more boxes that do auto-update. But I'm
not holding my breath...


Re: New DNS Service

2018-04-03 Thread Andy Ringsmuth
On Apr 3, 2018, at 9:06 AM, Rod Beck  wrote:
> 
> And any consensus regarding the service? My layman question is how does this 
> provide privacy? The routers still need to know the IP address of the far end 
> point. I would assume that it would be easy to deduce the domain name from 
> the IP address. 
> 
> - R. 
> 
> 
> From: Andy Ringsmuth 
> Sent: Tuesday, April 3, 2018 4:03 PM
> To: Rod Beck
> Cc: nanog@nanog.org
> Subject: Re: New DNS Service
>  
> 
> > On Apr 3, 2018, at 8:55 AM, Rod Beck  
> > wrote:
> > 
> > https://techxplore.com/news/2018-04-dns-privacy.html
> 
> DNS service announced, puts privacy first
> techxplore.com
> A new service that is offering privacy protection when you browse the web was 
> announced Sunday. The security company Cloudflare is delivering a consumer 
> DNS service called 1.1.1.1.
> 
> > 
> > 
> > Not associated with Cloudflare in any way.
> > 
> > 
> > Regards,
> > 
> > 
> > Roderick.
> > 
> 
> Mildly interesting but very much old news. The new Cloudflare DNS has been 
> discussed extensively right here on NANOG for the last few days.
> 
> 
> -Andy


A couple points, Rod:

1. I believe bottom posting is preferred here.

2. Well, yeah, it’s easy to go “backwards” with DNS/IP addresses. You can do it 
from any command line interface. That’s not the point here with Cloudflare’s 
DNS, or other publicly available DNS services. When you default to your ISP’s 
DNS servers, it’s easy for them to tie DNS requests to a particular customer 
(you) and monetize (share, sell, etc.) that information. What I believe 
Cloudflare is saying with their DNS service is “Hey, we won’t do that.”


-Andy

Re: New DNS Service

2018-04-03 Thread Rod Beck
And any consensus regarding the service? My layman question is how does this 
provide privacy? The routers still need to know the IP address of the far end 
point. I would assume that it would be easy to deduce the domain name from the 
IP address.


- R.



From: Andy Ringsmuth 
Sent: Tuesday, April 3, 2018 4:03 PM
To: Rod Beck
Cc: nanog@nanog.org
Subject: Re: New DNS Service


> On Apr 3, 2018, at 8:55 AM, Rod Beck  wrote:
>
> https://techxplore.com/news/2018-04-dns-privacy.html

DNS service announced, puts privacy first
techxplore.com
A new service that is offering privacy protection when you browse the web was 
announced Sunday. The security company Cloudflare is delivering a consumer DNS 
service called 1.1.1.1.


>
>
> Not associated with Cloudflare in any way.
>
>
> Regards,
>
>
> Roderick.
>

Mildly interesting but very much old news. The new Cloudflare DNS has been 
discussed extensively right here on NANOG for the last few days.


-Andy


Re: New DNS Service

2018-04-03 Thread Andy Ringsmuth

> On Apr 3, 2018, at 8:55 AM, Rod Beck  wrote:
> 
> https://techxplore.com/news/2018-04-dns-privacy.html
> 
> 
> Not associated with Cloudflare in any way.
> 
> 
> Regards,
> 
> 
> Roderick.
> 

Mildly interesting but very much old news. The new Cloudflare DNS has been 
discussed extensively right here on NANOG for the last few days.



Andy Ringsmuth
a...@newslink.com
News Link – Manager Technology, Travel & Facilities
2201 Winthrop Rd., Lincoln, NE 68502-4158
(402) 475-6397, (402) 304-0083 cellular



New DNS Service

2018-04-03 Thread Rod Beck
https://techxplore.com/news/2018-04-dns-privacy.html


Not associated with Cloudflare in any way.


Regards,


Roderick.


Roderick Beck

Director of Global Sales

United Cable Company

www.unitedcablecompany.com

New York City & Budapest

rod.b...@unitedcablecompany.com

36-30-859-5144




Re: NG Firewalls & IPv6

2018-04-03 Thread Jean | ddostest.me via NANOG
If by NextGen you mean performance, then I recommend having a look at 
kipfw over the Netmap driver on a FreeBSD 11 box. You buy a couple of 
Chelsio 40 Gbps or 100 Gbps NICs and you are in business.


It was mentioned here on NANOG a couple of years ago. Very good stuff, but 
you will need to invest a bit of time in writing your own scripts.


It's a kind of bridging firewall though, so you can't route through it IIRC.

If by NextGen you mean feature rich, then don't go this way. ;)

Jean

On 04/03/2018 06:16 AM, Saku Ytti wrote:

> Done Checkpoint, Netscreen, SRX , iptables, nftables IPv6 FW all with
> dynamic routing, but only under extreme duress, like I'm sure everyone
> who is forced to touch stateful firewalls. Send help.
>
> Seems to me this has mostly worked for over a decade, worked in context
> where stateful FW can be said to work at all. Of course like in every
> other context, IPv6 is second class citizen, so you're going to find
> more bugs, as fewer people are using the feature, there are fewer people
> doing bug scrubbing and fewer people bridging feature gaps. This isn't
> going to go away any time soon.
>
> On 3 April 2018 at 03:28, David Hubbard  wrote:
>
> > I’ve been doing dual stack through Fortinet products for many years without 
> > issue.  Well, no issue from a technical perspective.  Sometimes you have to dig 
> > for a bit to find the equivalent v6 CLI commands, and occasionally there’s GUI 
> > stuff missing that requires CLI where the v4 equivalent didn’t, but not a bad 
> > experience overall.  Does v6 VPNs great too.  Haven’t delved into dynamic 
> > routing protocols on them so can’t speak to that.  Happy to answer questions.
> >
> > David
> >
> > From: NANOG  on behalf of Joe Klein 
> > Sent: Monday, April 2, 2018 6:58:14 PM
> > To: NANOG list
> > Subject: NG Firewalls & IPv6
> >
> > All,
> >
> > At security and network tradeshows over the last 15 years, I have asked
> > companies if their products supported "IPv6". They all claimed they did,
> > but were unable to verify any successful installations. Later they told me
> > it was on their "Roadmap" but were unable to provide an estimated year,
> > because it was a trade secret.
> >
> > Starting this last year at BlackHat US, I again visited every product
> > booth, asking if their products supported dual-stack or IPv6 only
> > operations. Receiving only the same unsupported answers, I decided to focus
> > on one product category.
> >
> > To the gurus of the NANOG community, What are your experiences with
> > installing and managing Next Generations firewalls? Do they support IPv6
> > only environments? Details? Stories?
> >
> > If you prefer not to disparage those poor product companies, please contact
> > me off the list.
> >
> > Thanks,
> >
> > Joe Klein
> >
> > "inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
> > PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8






Re: Yet another Quadruple DNS?

2018-04-03 Thread sthaug
> > This also ignores the shift if every house in the world did its own
> > recursion. TLD servers and auth servers all over the world would
> > have to massively up their capacity to cope.
> 
> With my TLD operator hat, I tend to say it is not a problem, we
> already have a lot of extra capacity, to handle DDoS.
> 
> > As long as ISPs don't actually disallow running of recursive servers
> 
> That would be a terrible violation of network neutrality. I hope that
> such ISP will go bankrupt.

With my ISP hat on: I see no problem with this as long as the
resolver is not open to the Internet.

There is unfortunately plenty of home user equipment with an open
DNS proxy (probably also some resolvers). This *will* be misused.

Steinar Haug, Nethelp consulting, sth...@nethelp.no
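An added example (not code from the thread) of the check Steinar's warning calls for: probe a CPE from outside its network with a hand-built recursive DNS query and classify the reply. It assumes the target is not authoritative for the probe name, for which `example.com.` stands in as a placeholder; the `fake_reply` helper constructs replies so the classification logic can be exercised offline.

```python
"""Probe a host for an open DNS resolver using a hand-built RFC 1035 query.

Added example; not code from the NANOG thread. Assumptions: the target is not
authoritative for PROBE_NAME, so a positive answer with RA set means it
recursed for us; 'example.com.' is only a placeholder name.
"""
import random
import socket
import struct

PROBE_NAME = "example.com."   # assumption: not a zone the target is authoritative for
RD = 0x0100   # recursion desired
RA = 0x0080   # recursion available
QR = 0x8000   # response


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype=1, qclass=1, txid=None):
    """Return a DNS query (header + one question) with RD set."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def parse_header(msg):
    """Decode the 12-byte header into the fields the check needs."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "rcode": flags & 0x000F, "qdcount": qd, "ancount": an}


def classify(query, response):
    """Say what the response tells us about the responder's recursion policy."""
    if len(response) < 12:
        return "malformed"
    q, r = parse_header(query), parse_header(response)
    if r["id"] != q["id"] or not r["qr"]:
        return "not-a-response"
    if r["rcode"] == 5:
        return "refused"          # REFUSED: recursion denied to us, the desired outcome
    if r["ra"] and r["rcode"] == 0 and r["ancount"] > 0:
        return "open-resolver"    # it recursed for a stranger: usable for reflection
    if not r["ra"]:
        return "no-recursion"
    return "rcode-%d" % r["rcode"]


def probe(ip, qname=PROBE_NAME, timeout=2.0):
    """Send the query over UDP from outside the target's network and classify the reply."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (ip, 53))
        try:
            response, _ = s.recvfrom(4096)
        except socket.timeout:
            return "no-reply"
    return classify(query, response)


def fake_reply(query, ra=True, rcode=0, answer=True):
    """Constructed reply for offline testing: echoes the question and optionally
    appends one A record (192.0.2.1) via a compression pointer to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = QR | RD | (RA if ra else 0) | rcode
    ancount = 1 if answer else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]) if answer else b""
    return header + query[12:] + rr


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]))
```

Run it from a host outside the CPE's network against the CPE's public address: "open-resolver" means the box recursed for a stranger; "refused" or "no-reply" is what you want to see. A DNS proxy that just forwards to the ISP's resolver classifies as open-resolver too, since from the Internet's side that is exactly what it is. The probe only covers UDP port 53.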


Re: Yet another Quadruple DNS?

2018-04-03 Thread Brian Kantor
On Tue, Apr 03, 2018 at 12:09:27PM +0200, Stephane Bortzmeyer wrote:
> On Tue, Apr 03, 2018 at 03:01:19AM -0700,
>  Brian Kantor  wrote 
>  a message of 12 lines which said:
> 
> > > That would be a terrible violation of network neutrality. I hope
> > > that such ISP will go bankrupt.
> > 
> > On the contrary: it will enable them to collect more usage
> > statistics and from that sell more directed advertising.  They will
> > make MORE money off doing so.  And so they will.
> 
> Then, I'm going to stop reading NANOG and go to the movie
> instead. Because, in the movies, the bad guys lose.

Yes, I'm afraid that the situation is now like that of commercial
television - those who were the clients are now the product, and
the real paying customer is the advertisers.
- Brian



Re: NG Firewalls & IPv6

2018-04-03 Thread Saku Ytti
Done Checkpoint, Netscreen, SRX , iptables, nftables IPv6 FW all with
dynamic routing, but only under extreme duress, like I'm sure everyone
who is forced to touch stateful firewalls. Send help.

Seems to me this has mostly worked for over a decade, worked in context
where stateful FW can be said to work at all. Of course like in every
other context, IPv6 is second class citizen, so you're going to find
more bugs, as fewer people are using the feature, there are fewer people
doing bug scrubbing and fewer people bridging feature gaps. This isn't
going to go away any time soon.

On 3 April 2018 at 03:28, David Hubbard  wrote:
> I’ve been doing dual stack through Fortinet products for many years without 
> issue.  Well, no issue from a technical perspective.  Sometimes you have to 
> dig for a bit to find the equivalent v6 CLI commands, and occasionally 
> there’s GUI stuff missing that requires CLI where the v4 equivalent didn’t, 
> but not a bad experience overall.  Does v6 VPNs great too.  Haven’t delved 
> into dynamic routing protocols on them so can’t speak to that.  Happy to 
> answer questions.
>
> David
> 
> From: NANOG  on behalf of Joe Klein 
> 
> Sent: Monday, April 2, 2018 6:58:14 PM
> To: NANOG list
> Subject: NG Firewalls & IPv6
>
> All,
>
> At security and network tradeshows over the last 15 years, I have asked
> companies if their products supported "IPv6". They all claimed they did,
> but were unable to verify any successful installations. Later they told me
> it was on their "Roadmap" but were unable to provide an estimated year,
> because it was a trade secret.
>
> Starting this last year at BlackHat US, I again visited every product
> booth, asking if their products supported dual-stack or IPv6 only
> operations. Receiving only the same unsupported answers, I decided to focus
> on one product category.
>
> To the gurus of the NANOG community, What are your experiences with
> installing and managing Next Generations firewalls? Do they support IPv6
> only environments? Details? Stories?
>
> If you prefer not to disparage those poor product companies, please contact
> me off the list.
>
> Thanks,
>
> Joe Klein
>
> "inveniet viam, aut faciet" --- Seneca's Hercules Furens (Act II, Scene 1)
> PGP Fingerprint: 295E 2691 F377 C87D 2841 00C1 4174 FEDF 8ECF 0CC8



-- 
  ++ytti


Re: Yet another Quadruple DNS?

2018-04-03 Thread Stephane Bortzmeyer
On Tue, Apr 03, 2018 at 03:01:19AM -0700,
 Brian Kantor  wrote 
 a message of 12 lines which said:

> > That would be a terrible violation of network neutrality. I hope
> > that such ISP will go bankrupt.
> 
> On the contrary: it will enable them to collect more usage
> statistics and from that sell more directed advertising.  They will
> make MORE money off doing so.  And so they will.

Then, I'm going to stop reading NANOG and go to the movie
instead. Because, in the movies, the bad guys lose.



Re: Yet another Quadruple DNS?

2018-04-03 Thread Brian Kantor
On Tue, Apr 03, 2018 at 11:54:36AM +0200, Stephane Bortzmeyer wrote:
> On Sun, Apr 01, 2018 at 02:03:41PM -0600,
>  Paul Ebersman  wrote 
> > As long as ISPs don't actually disallow running of recursive servers
> 
> That would be a terrible violation of network neutrality. I hope that
> such ISP will go bankrupt.

On the contrary:  it will enable them to collect more usage statistics
and from that sell more directed advertising.  They will make MORE
money off doing so.  And so they will.
- Brian



Re: Yet another Quadruple DNS?

2018-04-03 Thread Stephane Bortzmeyer
On Sun, Apr 01, 2018 at 02:03:41PM -0600,
 Paul Ebersman  wrote 
 a message of 38 lines which said:

> And EDNS client subnet mostly works.

It is awful, privacy-wise, complicates the cache a lot and seriously
decreases hit rate in cache (since the key to a cached resource is no
longer type+name but type+name+source_address).

> And yes, running your own resolver is more private. So is running
> your own home linux server instead of antique consumer OSs on
> consumer grade gear and using VPNs. But how many folks can do that?

It is not just an issue of knowledge and skills. Even if you have
both, you may lack time, and prefer a shrink-wrapped solution. The
future is in "boxes" which are both ready-to-use (for the guy who
lacks sysadmin skills, and/or lacks time) and open (for the
tinkerer). The Turris Omnia is a very good example.

> This also ignores the shift if every house in the world did its own
> recursion. TLD servers and auth servers all over the world would
> have to massively up their capacity to cope.

With my TLD operator hat, I tend to say it is not a problem, we
already have a lot of extra capacity, to handle DDoS.

> As long as ISPs don't actually disallow running of recursive servers

That would be a terrible violation of network neutrality. I hope that
such ISP will go bankrupt.
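The cache-key point made above, as an added example that is not part of the post: a replay of constructed queries through a resolver cache keyed the classic way (name + type) and the ECS way (name + type + client prefix truncated to the scope the authoritative server returned). Names, scopes and client subnets are made up, TTL expiry is ignored, and every miss is assumed to be answered.

```python
"""Effect of EDNS Client Subnet on a resolver cache's key and hit rate.

Added example, not from the thread. Simplifications (assumptions): no TTL
expiry, every miss is answered, and the authoritative server's ECS scope per
name is fixed in SCOPE_FOR_NAME (24 = per-/24 answers, 0 = one answer for all).
"""
import ipaddress

# Constructed data: which names return subnet-dependent answers.
SCOPE_FOR_NAME = {"cdn.example.": 24, "news.example.": 24, "mail.example.": 0}


def cache_key(name, qtype, client_ip=None, scope_prefix=0):
    """Classic key is (name, type). With ECS, answers scoped to a prefix get that
    prefix appended, so clients in different /24s never share an entry."""
    if client_ip is None or scope_prefix == 0:
        return (name, qtype)
    net = ipaddress.ip_network(f"{client_ip}/{scope_prefix}", strict=False)
    return (name, qtype, str(net))


def simulate(queries, use_ecs):
    """Replay (name, qtype, client_ip) queries through an empty cache.
    Returns (hits, misses, entries_at_end)."""
    cache = set()
    hits = misses = 0
    for name, qtype, client_ip in queries:
        scope = SCOPE_FOR_NAME.get(name, 0) if use_ecs else 0
        key = cache_key(name, qtype, client_ip, scope)
        if key in cache:
            hits += 1
        else:
            misses += 1
            cache.add(key)
    return hits, misses, len(cache)


def hit_rate(queries, use_ecs):
    hits, misses, _ = simulate(queries, use_ecs)
    return hits / (hits + misses)


def sample_queries(n_subnets=10, repeats=2):
    """Constructed workload: clients in n_subnets distinct /24s, each asking
    every name `repeats` times."""
    names = list(SCOPE_FOR_NAME)
    return [(name, "A", f"10.{i}.0.1")
            for _ in range(repeats) for i in range(n_subnets) for name in names]


def subnets_seen(queries):
    """What an ECS-keyed cache retains: which client networks asked for which
    name. This is the privacy cost: the cache itself records who asked."""
    seen = {}
    for name, qtype, client_ip in queries:
        key = cache_key(name, qtype, client_ip, SCOPE_FOR_NAME.get(name, 0))
        if len(key) == 3:
            seen.setdefault(name, set()).add(key[2])
    return seen


if __name__ == "__main__":
    q = sample_queries()
    print("without ECS: hit rate %.2f, entries %d" % (hit_rate(q, False), simulate(q, False)[2]))
    print("with ECS:    hit rate %.2f, entries %d" % (hit_rate(q, True), simulate(q, True)[2]))
```

With ten client /24s and two names answered per /24, the hit rate drops from 0.95 to 0.65 and the cache holds seven times as many entries for the same workload; the effect grows with the number of distinct client prefixes a resolver serves.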



Re: Yet another Quadruple DNS?

2018-04-03 Thread Stephane Bortzmeyer
On Sun, Apr 01, 2018 at 09:22:10AM -0700,
 Stephen Satchell  wrote 
 a message of 39 lines which said:

> Recursive lookups take bandwidth and wall time.  The closer you can
> get your recursive DNS server to the core of the internet, the
> faster the lookups.

I think the exact opposite is true: many DNS requests hit the cache,
so the important factor is the latency between the end user and the
cache. So, local resolvers win.

> This is particularly true of mobile and satellite.

Yes, because they have awful latency, it is important to have a local
resolver.

> (I wonder if the Internet Systems Consortium has considered adding a
> cache-hit counter, or even a very coarse heat map (say, four 16-bit counters
> cycled every five minutes), to DNS entries, to figure out the best ones to
> drop?  It would increase the complexity of BIND, but the benefit for a BIND
> server serving a largish customer population could be significant.

Making the largest and richest services even faster and so increase
centralisation? It does not strike me as a good strategy.

> I've not personally measured the number of times a look-up could be
> satisfied from a cache in a production environment;

For instance, at my home:

% cache.stats()
[hit] => 276089296
[delete] => 5
[miss] => 423661208
[insert] => 18850452

> The main reason for *not* implementing recursion exclusively in CPE
> is that a recursive lookup is a complex operation, and I have my
> doubts if BIND or equivalent could be maintained properly in, say, a
> wireless access point (router) -- how would you update a hints
> table?

There is nothing DNS-specific here: routers/CPE with automatic updates
have existed for several years (I use the Turris Omnia). The hints file
is the *last* problem: most IP addresses of the root name servers
haven't changed for more than ten years.




Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-03 Thread Youssef Bengelloun-Zahr
Still believe in Santa? ;-)

Good luck with that.

Best regards.



2018-04-03 8:37 GMT+02:00 Marty Strong via NANOG :

> Orange France is known, they just didn’t tell us the exact reason.
>
> They said that if you contact them, they’ll provide you with an official
> explanation.
>
> Regards,
> Marty Strong
> --
> Cloudflare - AS13335
> Network Engineer
> ma...@cloudflare.com
> +44 7584 906 055
> smartflare (Skype)
>
> https://www.peeringdb.com/asn/13335
>
> > On 3 Apr 2018, at 07:22, Paul Rolland (ポール・ロラン)  wrote:
> >
> > Hello,
> >
> > On Mon, 2 Apr 2018 16:26:13 +0100
> > Marty Strong via NANOG  wrote:
> >
> >> So far we know about a few CPEs which answer for 1.1.1.1 themselves:
> >>
> >> - Pace 5268
> >> - Calix GigaCenter
> >> - Various Cisco Wifi access points
> >>
> >> If you know of others please send them my way so we can investigate.
> >
> > It seems that in France, Orange's Livebox is also using 1.1.1.1 in some
> > way...
> >
> > 215 [6:20] rol@riri:~> traceroute 1.1.1.1
> > traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
> > 1  * * *
> > 2  * * *
> > 3  * * *
> > 4  * * *
> >
> > 216 [6:20] rol@riri:~> ping 1.1.1.1
> > PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
> > 64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.371 ms
> > 64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.292 ms
> > ^C
> > --- 1.1.1.1 ping statistics ---
> > 2 packets transmitted, 2 received, 0% packet loss, time 1037ms
> > rtt min/avg/max/mdev = 0.292/0.331/0.371/0.043 ms
> >
> > 217 [6:20] rol@riri:~> traceroute 8.8.8.8
> > traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
> > 1  livebox.home (192.168.1.254)  0.268 ms  0.236 ms  0.263 ms
> > 2  * * *
> > 3  ae102-0.ncidf103.Puteaux.francetelecom.net (193.253.80.138)  1.724
> ms  1.733 ms  1.793 ms
> > ...
> >
> > That IP address is definitely full of magic...
> >
> > Paul
> >
> >
>
>


Re: From Nov 2017...

2018-04-03 Thread Mathews, Robert
On 4/3/2018 3:15 AM, Bill Woodcock wrote:

>> Since when is it an offense, to merely share a publicly available URL?
>>
>> More to the point of Privacy, you have shared some information here 
>> regarding Quad9 operations that may have been beneficial to some, or many.  
>> It has been of benefit to me, and thanks for sharing what you have.
> Ok, sorry if I was being overly persnickety.  My apologies.  I’ve been 
> spending too much time answering questions on “social media” and it’s making 
> me antisocial.
>
> -Bill


Bill:   No offense taken...  it is quite alright... and thank you, for
the information you had cared to share

All the best,
Robert.


Re: From Nov 2017...

2018-04-03 Thread Bill Woodcock
> Since when is it an offense, to merely share a publicly available URL?
> 
> More to the point of Privacy, you have shared some information here regarding 
> Quad9 operations that may have been beneficial to some, or many.  It has been 
> of benefit to me, and thanks for sharing what you have.

Ok, sorry if I was being overly persnickety.  My apologies.  I’ve been spending 
too much time answering questions on “social media” and it’s making me 
antisocial.

-Bill





Re: From Nov 2017...

2018-04-03 Thread Robert Mathews (OSIA)
On 4/3/2018 2:37 AM, Bill Woodcock wrote:

> What’s your point, though?  Are you talking about Quad9, or about GCA?
>
> If you’re talking about Quad9, you’re misleading people by implying that the 
> quote you pulled from the Register piece pertains to Quad9, when it does not.
>
> If you’re talking about GCA, you’re misleading people by implying that what 
> you’re saying about GCA somehow applies to Quad9.
>
> If you’re talking about Quad9, John Todd or I can address any questions.  If 
> you’re talking about GCA, that’s between you and them.
>
> -Bill


Bill and others:

The story from The Register was posted as it was...   the added words,
"to be clear" was intended to focus exchanges (if there was interest) in
relation to Privacy, The Register's reporting.  NOTHING more.  The fact
that you have somehow INTERPRETED here, that I have personally taken a
FOR, or AGAINST position to Quad9 operation, would be an error.  Since
when is it an offense, to merely share a publicly available URL?

More to the point of Privacy, you have shared some information here
regarding Quad9 operations that may have been beneficial to some, or
many.  It has been of benefit to me, and thanks for sharing what you have.


All the best.


Re: From Nov 2017...

2018-04-03 Thread Bill Woodcock


> On Apr 2, 2018, at 11:28 PM, Robert Mathews (OSIA)  wrote:
> 
> On 4/3/2018 1:04 AM, Bill Woodcock wrote:
>>> On Apr 2, 2018, at 7:24 PM, Robert Mathews (OSIA)
>>>  wrote: *Group Co-founded by City of London
>>> Police promises 'no snooping on your requests’*
>> Note that this is _extremely_ misleading, since the group being
>> referred to here is _not_ Quad9, but instead GCA, one of the many
>> donors that are supporting the Quad9 project. Quad9 doesn’t have any
>> association with the City of London Police, other than that they’re
>> among the many tens of millions of users in the general public.
> 
> 
> Bill:   As you will have noted, the post was a reflection of that which
> The Register had published, and at the URL that was provided.

What’s your point, though?  Are you talking about Quad9, or about GCA?

If you’re talking about Quad9, you’re misleading people by implying that the 
quote you pulled from the Register piece pertains to Quad9, when it does not.

If you’re talking about GCA, you’re misleading people by implying that what 
you’re saying about GCA somehow applies to Quad9.

If you’re talking about Quad9, John Todd or I can address any questions.  If 
you’re talking about GCA, that’s between you and them.

-Bill





Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-03 Thread Marty Strong via NANOG
Orange France is known, they just didn’t tell us the exact reason.

They said that if you contact them, they’ll provide you with an official 
explanation.

Regards,
Marty Strong
--
Cloudflare - AS13335
Network Engineer
ma...@cloudflare.com
+44 7584 906 055
smartflare (Skype)

https://www.peeringdb.com/asn/13335

> On 3 Apr 2018, at 07:22, Paul Rolland (ポール・ロラン)  wrote:
> 
> Hello,
> 
> On Mon, 2 Apr 2018 16:26:13 +0100
> Marty Strong via NANOG  wrote:
> 
>> So far we know about a few CPEs which answer for 1.1.1.1 themselves:
>> 
>> - Pace 5268
>> - Calix GigaCenter
>> - Various Cisco Wifi access points
>> 
>> If you know of others please send them my way so we can investigate. 
> 
> It seems that in France, Orange's Livebox is also using 1.1.1.1 in some
> way...
> 
> 215 [6:20] rol@riri:~> traceroute 1.1.1.1
> traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
> 1  * * *
> 2  * * *
> 3  * * *
> 4  * * *
> 
> 216 [6:20] rol@riri:~> ping 1.1.1.1
> PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
> 64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.371 ms
> 64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.292 ms
> ^C
> --- 1.1.1.1 ping statistics ---
> 2 packets transmitted, 2 received, 0% packet loss, time 1037ms
> rtt min/avg/max/mdev = 0.292/0.331/0.371/0.043 ms
> 
> 217 [6:20] rol@riri:~> traceroute 8.8.8.8
> traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
> 1  livebox.home (192.168.1.254)  0.268 ms  0.236 ms  0.263 ms
> 2  * * *
> 3  ae102-0.ncidf103.Puteaux.francetelecom.net (193.253.80.138)  1.724 ms  
> 1.733 ms  1.793 ms
> ...
> 
> That IP address is definitely full of magic...
> 
> Paul
> 
> 



Re: From Nov 2017...

2018-04-03 Thread Robert Mathews (OSIA)
On 4/3/2018 1:04 AM, Bill Woodcock wrote:
>> On Apr 2, 2018, at 7:24 PM, Robert Mathews (OSIA)
>>  wrote: *Group Co-founded by City of London
>> Police promises 'no snooping on your requests’* 
> Note that this is _extremely_ misleading, since the group being
> referred to here is _not_ Quad9, but instead GCA, one of the many
> donors that are supporting the Quad9 project. Quad9 doesn’t have any
> association with the City of London Police, other than that they’re
> among the many tens of millions of users in the general public.


Bill:   As you will have noted, the post was a reflection of that which
The Register had published, and at the URL that was provided.   Have
you, or others at Quad9, reached out to The Register to have the details
in their reporting corrected?

In focus, within the Cloudflare announcement, is the subject of
Privacy.  Subsequently, some on the list had also spoken of Privacy
needs in relation to DNS Ops.  It is solely for that reason that The
Register publication was shared.

> -Bill

All the best,
Robert.
-- 


Re: Cloudflare 1.1.1.1 public DNS broken w/ AT&T CPE

2018-04-03 Thread Paul Rolland (ポール・ロラン)
Hello,

On Mon, 2 Apr 2018 16:26:13 +0100
Marty Strong via NANOG  wrote:

> So far we know about a few CPEs which answer for 1.1.1.1 themselves:
> 
> - Pace 5268
> - Calix GigaCenter
> - Various Cisco Wifi access points
> 
> If you know of others please send them my way so we can investigate. 

It seems that in France, Orange's Livebox is also using 1.1.1.1 in some
way...

215 [6:20] rol@riri:~> traceroute 1.1.1.1
traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *

216 [6:20] rol@riri:~> ping 1.1.1.1
PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.371 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.292 ms
^C
--- 1.1.1.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1037ms
rtt min/avg/max/mdev = 0.292/0.331/0.371/0.043 ms

217 [6:20] rol@riri:~> traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  livebox.home (192.168.1.254)  0.268 ms  0.236 ms  0.263 ms
 2  * * *
 3  ae102-0.ncidf103.Puteaux.francetelecom.net (193.253.80.138)  1.724 ms  
1.733 ms  1.793 ms
...

That IP address is definitely full of magic...

Paul
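The diagnosis Paul's output supports, as an added example that is not from the thread: infer from the echo reply's TTL how many routers it crossed. A reply whose TTL still equals a common initial value (64, 128, 255) crossed none, so 1.1.1.1 is being answered by something on the LAN rather than by Cloudflare. The sample ping and traceroute text is copied from the post above; the initial-TTL set and the 1 ms RTT threshold are my assumptions. Caveat: a TTL of 64 could in principle be a host that started at 128 and crossed 64 routers, which is why the sub-millisecond RTT and the missing gateway hop are checked as well.

```python
"""Is 1.1.1.1 being answered by something on my LAN? Infer hop count from the
reply TTL and compare traceroutes, as in the diagnosis posted above.

Added example, not from the thread. Assumption: the responder started its reply
with one of COMMON_INITIAL_TTLS; a reply whose TTL still equals one of those
crossed zero routers, i.e. it came from an on-link device.
"""
import re

COMMON_INITIAL_TTLS = (64, 128, 255)
PING_REPLY = re.compile(r"ttl=(\d+)\s+time=([\d.]+)\s*ms")
TRACE_HOP1 = re.compile(r"^\s*1\s+(.+?)\s+[\d.]+ ms", re.M)

# Sample output copied from the post above (constructed test input here).
PING_1111 = """PING 1.1.1.1 (1.1.1.1) 56(84) bytes of data.
64 bytes from 1.1.1.1: icmp_seq=1 ttl=64 time=0.371 ms
64 bytes from 1.1.1.1: icmp_seq=2 ttl=64 time=0.292 ms
"""
TRACE_1111 = """traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
"""
TRACE_8888 = """traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  livebox.home (192.168.1.254)  0.268 ms  0.236 ms  0.263 ms
 2  * * *
 3  ae102-0.ncidf103.Puteaux.francetelecom.net (193.253.80.138)  1.724 ms  1.733 ms  1.793 ms
"""


def hops_from_ttl(observed):
    """Routers crossed = smallest common initial TTL >= observed, minus observed."""
    return min(t for t in COMMON_INITIAL_TTLS if t >= observed) - observed


def parse_ping(output):
    """[(ttl, rtt_ms), ...] for every echo reply in ping's output."""
    return [(int(ttl), float(rtt)) for ttl, rtt in PING_REPLY.findall(output)]


def first_hop(trace_output):
    """Name/address shown for traceroute hop 1, or None if it was '* * *'."""
    m = TRACE_HOP1.search(trace_output)
    return m.group(1) if m else None


def diagnose(ping_output, trace_target, trace_control):
    """Combine the signals: zero-hop replies, sub-millisecond RTT, and the
    target traceroute never showing the gateway that the control one does."""
    replies = parse_ping(ping_output)
    if not replies:
        return "no-reply"
    hops = max(hops_from_ttl(ttl) for ttl, _ in replies)
    fast = max(rtt for _, rtt in replies) < 1.0          # assumption: LAN-scale RTT
    gateway = first_hop(trace_control)
    crossed_gateway = gateway is not None and first_hop(trace_target) == gateway
    if hops == 0 and fast and not crossed_gateway:
        return "intercepted-on-link"
    return "remote (%d hops)" % hops


if __name__ == "__main__":
    print(diagnose(PING_1111, TRACE_1111, TRACE_8888))
```

Feed it the output of `ping 1.1.1.1`, `traceroute 1.1.1.1` and a control traceroute to an address known to leave the LAN; "intercepted-on-link" is the Livebox case in the post, where the CPE answers for 1.1.1.1 itself.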



