Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-13 Thread Ronald F. Guilmette
In message <06570278-e1ad-4bb0-a9fc-11a77bed7...@arin.net>, 
John Curran  wrote:

>Even so, we at ARIN are in the midst of a Board-directed review of the RPKI
>legal framework to see if any improvements can be made vault/participate/meetings/reports/ARIN_43/PDF/PPM/curran_rpki.pdf>  – I will
>provide further updates once it is completed. 

This is an excellent presentation John, and I'm real glad to see that you
have done such a nice job on it and touched on all of the important points.

In particular, I'm glad that you clarified that if everyone is just doing
what they ought to be doing, i.e. following best practices, then even if
RPKI central and all of its sister satellites should all be simultaneously
hit by meteorites, then in theory at least, nobody should be any worse off
than they already are today.

And yes, I can't argue and won't argue that some folks aren't going to be
bozos and screw up their RPKI deployment, and then some of them -may-
possibly want to blame ARIN for -their- screw ups, but I continue to have
trouble envisioning how this would ever translate into a lawsuit that
wouldn't simply be laughed out of court in about five seconds if handled
properly.

Some arguably proximate historical analogs might be relevant here.

In the past, there have occasionally been problems when one or more of
the root name servers have been DDoSd or have otherwise had issues.
I don't recall anybody lining up to sue ICANN in those instances.

Spamhaus and other public anti-spam services publish their stuff to all
comers, without demanding indemnification.  Yes, they have been sued
from time to time, but none of that has ever resulted in any meaningful
damages, and if the company itself had just been more consistent in
obtaining sound legal advice, none of those events would even have been
all that bothersome.

So, what makes ARIN so special that it can't do what these others are doing
and just simply publish some information?  ARIN is in the State of Virginia
the last time I checked, and I do believe that the First Amendment still
applies in the State of Virginia, and indeed in all 50 states.  I mean it
isn't as if ARIN is going to go around yelling "Fire!" in a crowded theater
for God's sake!

So, you just slap a label on the whole bloody RPKI thing that says "Use at
your own risk" and that ought to do it, I think.  I understand that Steve
Ryan may not see it that way, but it's his job not to see it that way.
In practice, there is no need for -both- belt -and- suspenders.


Regards,
rfg


P.S.  Proactive failure testing (slide #15) is an excellent idea.  You could
and probably should fail the whole thing deliberately for 24 hours once a
year, just as a way of shaking the trees to see what idiots fall out.  It
would be like DNS Flag Day, on steroids.



Re: RPKI adoption

2019-08-13 Thread William Herrin
On Tue, Aug 13, 2019 at 9:51 PM Hank Nussbacher 
wrote:

> Just like to add kudos to John for being open and responsive on this list
> and other lists to numerous issues and questions in regards to ARIN.  Not
> many CEOs are willing or able to respond as you do.
>
> Thanks for your time and effort,
>

I'll second that despite my criticism.

Regards,
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-13 Thread William Herrin
On Tue, Aug 13, 2019 at 8:25 PM John Curran  wrote:
> On 13 Aug 2019, at 11:03 PM, William Herrin  wrote:
> I signed no legal agreement either to register my legacy addresses or to
> do a whois lookup to check someone else's addresses. Just sayin’.
>
> If you instead used a command line interface (e.g. "whois -h
> whois.arin.net …”),
> then you received output from ARIN’s Whois server along with notice of
> the applicable terms of service…

Hi John,

As I no longer live within or act from within one of the 2 states to have
passed UCITA, you'll find that notice difficult to enforce.


>  I would observe that continued use at that point has been held
> to indicate agreement on your part [ref: Register.com, Inc. v. Verio,
> Inc., 356 F.3d 393 (2d Cir. 2004)]

In which Verio admitted to the court that they knew they were abusing
Register's computers but figured Register's contract with ICANN gave them
the right. The court would have reached the same decision regardless of
Register's notice: You're abusing computers that aren't yours. Stop it.

Specht v. Netscape Communications Corp, on the other hand, found that,
"plaintiffs neither received reasonable notice of the existence of the
license terms nor manifested unambiguous assent" to the contract Netscape
offered for the use of their software at download-time, including assent to
settle disputes through arbitration.

I'll take any bet you care to offer that the latter precedent applies to
casual consumer use of ARIN's whois. I won't take any such bet when it
comes to the legal safety of redistributing ARIN's RPKI Trust Anchor
Locator in my software. And neither, apparently, do many of the folks who
would have to redistribute that TAL for ARIN's RPKI to be useful, as was
discussed here last September:
https://mailman.nanog.org/pipermail/nanog/2018-September/097161.html

Regards,
Bill Herrin


--
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: RPKI adoption

2019-08-13 Thread Hank Nussbacher

On 14/08/2019 06:24, John Curran wrote:


When you did that Whois look up at the ARIN website, you did agree to 
terms of use for the Whois service which contains indemnification 
provisions and are legally enforceable. 



If you instead used a command line interface (e.g. "whois -h 
whois.arin.net …”), then you received output 
from ARIN’s Whois server along with notice of the applicable terms of 
service…  I would observe that continued use at that point has been 
held to indicate agreement on your part [ref: Register.com, Inc. v. Verio, Inc., 356 F.3d 393 (2d Cir. 2004)]


Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers

Just like to add kudos to John for being open and responsive on this 
list and other lists to numerous issues and questions in regards to 
ARIN.  Not many CEOs are willing or able to respond as you do.


Thanks for your time and effort,

-Hank



Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Hank Nussbacher

On 13/08/2019 22:17, Ronald F. Guilmette wrote:

Just as an observer to your long resource theft postings:
- Do you attempt to contact directly the organization or person who have 
had their resource taken over?

- Do they care or are they apathetic?
- If the resource owner is no where to be found, why should we as a 
community care?  Report it on some webpage and call it "Internet 
Resources stolen", document every incident as you do via email, send a 
copy to the appropriate RIR and upstream ISP allowing the hijack in 
question to show that you did the appropriate effort and we can then 
move on.


Regards,
Hank


Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-13 Thread John Curran
On 13 Aug 2019, at 11:03 PM, William Herrin <b...@herrin.us> wrote:

On Tue, Aug 13, 2019 at 7:42 PM John Curran <jcur...@arin.net> wrote:
On 13 Aug 2019, at 9:28 PM, Ronald F. Guilmette <r...@tristatelogic.com> wrote:
The last time I looked, RPKI adoption was sitting at around a grand total
of 15% worldwide.  Ah yes, here it is...

  https://rpki-monitor.antd.nist.gov/

I've asked many people and many companies why adoption remains so low, and
why their own companies aren't doing RPKI.  I've gotten the usual assortment
of utterly lame excuses, but the one that I have had the hardest time
trying to counter is the one where a network engineer says to me "Well,
ya know, we were GOING to do that, but then ARIN... unlike the other four
regional authorities... demanded that we sign some silly thing indemnifying
them in case of something.

Interestingly enough, those same indemnification clauses are in the 
registration services agreement that they already signed but apparently they 
were not an issue at all when requesting IP address space or receiving a 
transfer.

I signed no legal agreement either to register my legacy addresses or to do a 
whois lookup to check someone else's addresses. Just sayin’.

Bill -

When you did that Whois look up at the ARIN website, you did agree to terms of 
use for the Whois service which contains indemnification provisions and are 
legally enforceable. 

If you instead used a command line interface (e.g. "whois -h 
whois.arin.net …”), then you received output from ARIN’s 
Whois server along with notice of the applicable terms of service…  I would 
observe that continued use at that point has been held to indicate agreement on 
your part [ref: Register.com, Inc. v. Verio, Inc., 356 
F.3d 393 (2d Cir. 2004)]

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers





Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-13 Thread William Herrin
On Tue, Aug 13, 2019 at 7:42 PM John Curran  wrote:

> On 13 Aug 2019, at 9:28 PM, Ronald F. Guilmette 
> wrote:
>
> The last time I looked, RPKI adoption was sitting at around a grand total
> of 15% worldwide.  Ah yes, here it is...
>
>   https://rpki-monitor.antd.nist.gov/
>
> I've asked many people and many companies why adoption remains so low, and
> why their own companies aren't doing RPKI.  I've gotten the usual
> assortment
> of utterly lame excuses, but the one that I have had the hardest time
> trying to counter is the one where a network engineer says to me "Well,
> ya know, we were GOING to do that, but then ARIN... unlike the other four
> regional authorities... demanded that we sign some silly thing indemnifying
> them in case of something.
>
>
> Interestingly enough, those same indemnification clauses are in the
> registration services agreement that they already signed but apparently
> they were not an issue at all when requesting IP address space or receiving
> a transfer.
>

I signed no legal agreement either to register my legacy addresses or to do
a whois lookup to check someone else's addresses. Just sayin'.

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-13 Thread John Curran
On 13 Aug 2019, at 9:28 PM, Ronald F. Guilmette <r...@tristatelogic.com> wrote:
...
The last time I looked, RPKI adoption was sitting at around a grand total
of 15% worldwide.  Ah yes, here it is...

  https://rpki-monitor.antd.nist.gov/

I've asked many people and many companies why adoption remains so low, and
why their own companies aren't doing RPKI.  I've gotten the usual assortment
of utterly lame excuses, but the one that I have had the hardest time
trying to counter is the one where a network engineer says to me "Well,
ya know, we were GOING to do that, but then ARIN... unlike the other four
regional authorities... demanded that we sign some silly thing indemnifying
them in case of something.

Interestingly enough, those same indemnification clauses are in the 
registration services agreement that they already signed but apparently they 
were not an issue at all when requesting IP address space or receiving a 
transfer.
You might want want to ask them why they are now a problem when they weren’t 
before (Also worth noting that many of these ISP's own contracts with their 
customers have rather similar indemnification clauses.)

Even so, we at ARIN are in the midst of a Board-directed review of the RPKI 
legal framework to see if any improvements can be made 

  – I will provide further updates once it is completed.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers



Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Ronald F. Guilmette
In message ,
Eric Kuhnke  wrote:

rfg>>   4)  Filing a "fraud request" with ARIN is a serious step and one that
rfg>could quite conceivably end up with the party filing such a formal
rfg>report being on the business end of lawsuit, just for having filed
rfg>such a report.
rfg>
>What makes you think that the sort of persons who would hijack a /17 sized
>piece of space, for spam generation purposes, would sue you over some
>formal submission you might make to ARIN, but would not already have sued
>you over your already exhaustively detailed posts to the public NANOG list?

Let me see if I understand this.  You don't have any argument with the
other three reasons I gave for sending my alert to the NANOG list, but you
-would- like to quibble with reason #4.  Have I understood you clearly?

Assuming so, let me answer your question with a question (or two).

Is my fear of the potential for lawsuits actually LESS reasonable than
ARIN's use of the same vague and non-specific bogeyman to thwart and
impede, on a global scale, the more widespread adoption of RPKI...
adoption which would, if it ever became universal, put an end to most
or all of these nefarious and malevolent IP block hanky panky games?

The last time I looked, RPKI adoption was sitting at around a grand total
of 15% worldwide.  Ah yes, here it is...

   https://rpki-monitor.antd.nist.gov/

I've asked many people and many companies why adoption remains so low, and
why their own companies aren't doing RPKI.  I've gotten the usual assortment
of utterly lame excuses, but the one that I have had the hardest time
trying to counter is the one where a network engineer says to me "Well,
ya know, we were GOING to do that, but then ARIN... unlike the other four
regional authorities... demanded that we sign some silly thing indemnifying
them in case of something.  We're not even sure what ``something''
actually is in this case, other than some demented lawsuit from some
deranged ``lone wolf'' individual, but since ARIN demanded that we sign
it, the thing had to go to -our- lawyers, and they took one look at it and
said, in effect, ``F that!  We are NOT going to accept any new potential
liability if we don't have to'', so that was the end of that."

As I have often said, if we all only did things that had been pre-cleared
as being ``utterly safe'' by our respective lawyers, then none of us would
ever even get out of bed in the morning.

Regardless of whether ARIN was in any way indemnified against such an event,
the Micfo guy elected to name ARIN in a lawsuit.  This is a matter of
public record.  It's ludicrous and laughable, obviously, but he apparently
sued ARIN when they wouldn't just roll over and allow him to continue to
play his ridiculous little fraud games.  Like I say, in this country, at
least (USA), you run the risk of getting sued if you even so much as get
out a bed in the morning.  BUT SO BLOODY WHAT?  Neither we as individuals
nor ARIN as an organization should cower in fear in our caves because of a
bogeyman that may never come to pass, or that may be totally inconsequential 
even if it does, as in the case of Mr. Micfo's joke of a lawsuit. 

So I put it to everyone here... Are ARIN policies and its over-hyped fear
of the vague bogeyman of lawsuits materially impeding the adoption of
RPKI, and if so, what should be done about this?

In the meantime, I decline to accept criticism of -my- perhaps misplaced
fears of lawsuits.  Mine have essentially no real world consequences.
ARIN's, on the other hand, appear to be keeping some finite non-zero
fraction of 85% of the world's route announcements unchecked, at least
for any meaningful sense of the word "checked".


Regards,
rfg
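
The two points Ron raises in this thread, that the bulk of route announcements are going "unchecked" while RPKI adoption is low, and (in his later reply to John's presentation) that an operator following best practice is no worse off if the RPKI repositories all disappear at once, both come down to how route origin validation (RFC 6811) treats its three validity states. The Python below is an added example written for this page, not code from any of the posters or from ARIN. The ROA set and the announcements are constructed from documentation prefixes and private-use AS numbers, and the accept/reject policy is the widely used "reject invalid only" one; those are the example's assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

@dataclass(frozen=True)
class ROA:
    """One Route Origin Authorization: prefix, maxLength, authorized origin AS."""
    prefix: str
    max_length: int
    asn: int

# Constructed sample ROA set (documentation prefixes, private-use ASNs).
# Illustration only; this is not real RPKI data.
SAMPLE_ROAS: List[ROA] = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("198.51.100.0/22", 24, 64497),
]

# Constructed BGP announcements as (prefix, origin AS) pairs.
SAMPLE_ROUTES: List[Tuple[str, int]] = [
    ("192.0.2.0/24", 64496),     # authorized origin
    ("192.0.2.0/24", 64500),     # wrong origin AS
    ("198.51.100.0/23", 64497),  # within maxLength 24
    ("198.51.100.0/25", 64497),  # more specific than maxLength allows
    ("203.0.113.0/24", 64498),   # no ROA covers this prefix
]

def rov_state(prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Classify an announcement per RFC 6811.

    valid      a covering ROA authorizes this origin AS at this prefix length
    invalid    at least one ROA covers the prefix, but none authorizes it
    not-found  no ROA covers the prefix at all
    """
    route = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() refuses to compare IPv4 with IPv6, so filter first.
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"

def accept_route(state: str) -> bool:
    """Best-practice policy: reject only 'invalid'.

    'not-found' is accepted exactly as every route was before RPKI existed,
    which is what makes an RPKI outage degrade to pre-RPKI behaviour.
    """
    return state != "invalid"

def evaluate_table(routes: Iterable[Tuple[str, int]],
                   roas: Iterable[ROA]) -> Dict[Tuple[str, int], Tuple[str, bool]]:
    """Return {(prefix, asn): (state, accepted)} for every announcement."""
    roas = list(roas)
    result = {}
    for prefix, asn in routes:
        state = rov_state(prefix, asn, roas)
        result[(prefix, asn)] = (state, accept_route(state))
    return result

def outage_regressions(routes: Iterable[Tuple[str, int]],
                       roas: Iterable[ROA]) -> List[Tuple[str, int]]:
    """Routes accepted with ROAs present but rejected once all ROAs are gone.

    Simulates the repositories becoming unreachable until every ROA has
    expired.  Under the reject-invalid-only policy this list is always empty:
    with no ROAs every route is 'not-found', and 'not-found' is accepted.
    """
    routes = list(routes)
    with_roas = evaluate_table(routes, roas)
    without_roas = evaluate_table(routes, [])
    return [r for r in routes if with_roas[r][1] and not without_roas[r][1]]

if __name__ == "__main__":
    for (prefix, asn), (state, ok) in evaluate_table(SAMPLE_ROUTES, SAMPLE_ROAS).items():
        print(f"{prefix:18} AS{asn:<6} {state:10} {'accept' if ok else 'reject'}")
    print("regressions during a total RPKI outage:",
          outage_regressions(SAMPLE_ROUTES, SAMPLE_ROAS))
```

Running the file prints the classification of each constructed announcement and then the (empty) list of routes that a total outage would newly reject. That empty list is the precise sense in which a validating operator is no worse off than a non-validating one when the infrastructure fails; the cost of the outage runs the other way, in that the two announcements flagged invalid with ROAs present go back to being accepted, which is also the situation for every prefix that has no ROA today.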


Re: Protecting 1Gb Ethernet From Lightning Strikes

2019-08-13 Thread Jared Mauch
I would try to isolate it with something like the RBFTC11 or similar if you 
can.  They’re great boxes, but as with all things lightning you usually can’t 
protect from everything.  I’ve had a lightning hit cause some major issues 
before at a tower site.

You do what you can and keep suitable spares at the ready.  You never know why 
there will be a failure.

- Jared

> On Aug 13, 2019, at 7:56 PM, Matthew Crocker  wrote:
> 
>  
> Could you use a transceiver for the 1000Base-T?  copper <-> fiber <-> copper 
> that will create an ‘air gap’ on the data circuit.   You still run the risk 
> of a lightning strike entering through the transceiver power.   You could 
> filter that through a -48VDC power supply, rectifier/inverter pair.
>  
>  
> From: NANOG  on behalf of Javier J 
> 
> Date: Tuesday, August 13, 2019 at 2:23 PM
> To: "nanog@nanog.org" 
> Subject: Protecting 1Gb Ethernet From Lightning Strikes
>  
> I'm working with a client site that has been hit twice, very close by 
> lightning.
>  
> I did lots of electrical work/upgrades/grounding but now I want to focus on 
> protecting Ethernet connections between core switching/other devices that 
> can't be migrated to fiber optic.
>  
> I was looking for surge protection devices for Ethernet but have never 
> shopped for anything like this before. Was wondering if anyone has deployed a 
> solution?
> They don't have a large presence on site (I have been moving all of their 
> core stuff to AWS) but they still have core networking / connectivity and PoE 
> cameras / APs around the property.
> Since migrating their onsite servers/infra to the cloud, now their 
> connectivity is even more important.
>  
> This is a small site, maybe about 200 switch ports, but I would only need to 
> protect maybe 12 core ones, but would be something I could use in the future 
> with larger deployments.
> it's just a 1Gbe network BTW.
>  
> Hope someone with more experience can help make hardware recommendations?
>  
> Thanks in advance.
>  
> - Javier



Re: Protecting 1Gb Ethernet From Lightning Strikes

2019-08-13 Thread Matthew Crocker

Could you use a transceiver for the 1000Base-T?  copper <-> fiber <-> copper 
that will create an ‘air gap’ on the data circuit.   You still run the risk of 
a lightning strike entering through the transceiver power.   You could filter 
that through a -48VDC power supply, rectifier/inverter pair.


From: NANOG  on behalf of Javier J 

Date: Tuesday, August 13, 2019 at 2:23 PM
To: "nanog@nanog.org" 
Subject: Protecting 1Gb Ethernet From Lightning Strikes

I'm working with a client site that has been hit twice, very close by 
lightning.

I did lots of electrical work/upgrades/grounding but now I want to focus on 
protecting Ethernet connections between core switching/other devices that can't 
be migrated to fiber optic.

I was looking for surge protection devices for Ethernet but have never shopped 
for anything like this before. Was wondering if anyone has deployed a solution?
They don't have a large presence on site (I have been moving all of their core 
stuff to AWS) but they still have core networking / connectivity and PoE 
cameras / APs around the property.
Since migrating their onsite servers/infra to the cloud, now their connectivity 
is even more important.

This is a small site, maybe about 200 switch ports, but I would only need to 
protect maybe 12 core ones, but would be something I could use in the future 
with larger deployments.
it's just a 1Gbe network BTW.

Hope someone with more experience can help make hardware recommendations?

Thanks in advance.

- Javier


Re: User Unknown (WAS: really amazon?)

2019-08-13 Thread Stephen Satchell
On 8/13/19 3:10 PM, Matthew Petach wrote:
> With a global company, there's no such thing
> as a local natural monopoly in play; how would
> you assign oversight to a global entity?  Which
> "public" would be the ones being protected?
> The city of Seattle, WA, where Amazon is
> headquartered?  The State of Washington?
> The United States, at a federal level?   What
> about the "public" that uses Amazon in all
> the other countries of the world?

Consider how radio, television, and telephony grew and became regulated.
(For a moment there, it felt like a discussion that I would have on the
CyberTelecomm mailing list.)  Each country would regulate the monopoly
in the manner best suited for that country.  Amazon would need to set up
divisions in each country, or union of countries such as the EU.

> There's no way to make a global entity a
> regulated public utility; we don't have an
> organization that has that level of oversight
> across country boundaries, unless you start
> thinking about entities that can enforce *treaties*
> between countries.

Actually, you'd be surprised to learn we already have infrastructure in
place to do exactly that.  The International Telecommunication Union is
a fine example of how this could be done.  Study up on it.  From my
experience in the telco and modem world, the individual countries have
working parties for each element.  The working parties develop Standards
(the initial cap is intentional) within each country.  The output from
the working parties in each country send their recommendations to a
government bureau -- in the United States, that would be a working party
associated with the State Department.  (For example, my work on in-band
modem control went through TIA/EIA TR-29, which then was passed on to
Study Group D, which went to the ITU.)

> And I'm not sure I'd want our Ambassadors
> being the ones at the table deciding how best
> to regulate Amazon.   :/

That's just the point.  The regulation would *not* be done by
ambassadors.  The treaties, rule, regulations, and procedures are
*already* in place to smooth the process through people that are not
political appointees.

Regulation of Amazon would probably be broken into parts: technical,
policy, management, auditing, perhaps more.  Policy would originate in
the USA with Congress, with help from the industry.  Other parts would
be parceled out to the people better (not necessarily the best) equipped
to do the job.

And that's my pair-o-pennies on the subject.  Other people may have
differing opinions.




Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Eric Kuhnke
>   4)  Filing a "fraud request" with ARIN is a serious step and one that
could quite conceivably end up with the party filing such a formal
report being on the business end of lawsuit, just for having filed
such a report.

What makes you think that the sort of persons who would hijack a /17 sized
piece of space, for spam generation purposes, would sue you over some
formal submission you might make to ARIN, but would not already have sued
you over your already exhaustively detailed posts to the public NANOG list?



On Tue, Aug 13, 2019 at 12:18 PM Ronald F. Guilmette 
wrote:

> In message ,
> John Curran  wrote:
>
> >On 9 Aug 2019, at 4:09 PM, Ronald F. Guilmette 
> wrote:
> >> ...
> >> Unfortunately, we cannot read too much into this change that was made
> >> to the block's public-facing WHOIS record.  Neither the new WHOIS info
> >> nor even the old WHOIS info can be used to reliably infer who or what
> >> is the legitimate registrant of the block at any point in time.  This
> >> is because ARIN, like all of the other Regional Internet Registries,
> >> allows registrants to put essentially any bovine excrement they desire
> >> into their public-facing WHOIS records.
> >
> >That is not the case – ARIN confirms the legal status of organizations
> >receiving number resources.
>
> This is NOT the message that I got from our recent discussion of the giant
> Micfo fraud on the ARIN Public Policy Mailing List.  When I raised
> questions about why various of the Micfo phoney baloney shell companies
> had blocks with WHOIS records saying they were located in states that
> they were obviously not located in, I believe that you said that once
> a block has been allocated, by ARIN, to some (properly vetted) entity,
> that after that point in time, the entity could -change- the relevant
> WHOIS record to say any bloody thing it wanted, and that such -changes-
> to ARIN WHOIS records are not vetted in any way.
>
> If I got the Wrong Impression from your prior statements, then by all
> means, please do correct me.  And then please do explain why several of
> the Micfo phony shell companies did in fact have WHOIS records for ARIN-
> issued IPv4 space that gave street addresses in states where none of these
> phony shell companies were actually registered to do business.
>
> >> (And, it should be noted, the
> >> man behind the recent large scale "Micfo" fraud apparently availed
> >> himself of this exact opportunity for subterfuge, in spades.)
> >
> >As previously noted on this list, such was only possible because of the
> >use of falsely notarized documents.
>
> I -do- understand that the fraudulent documents that were originally
> presented to you/ARIN provided information indicating that the phoney
> Micfo shell companies -did- actually exist in -some- state (Delaware?),
> and that ARIN -did- verify, to the best of its ability, that those
> companies -did- exist, legally speaking, in their originally declared
> home state(s).  But that fact is just skirting the real issue here,
> which is the question of whether or not ARIN even looks at -changes-
> that a registrant may make to the WHOIS records (e.g. for IPv4 blocks)
> -after- those blocks have been assigned.
>
> It appears from where I am sitting that ARIN does not do so.  And thus,
> I stand by my comment that a registrant -can- in fact put any bloody
> nonsense they want into their WHOIS records, at least as long as they
> do it via -changes- and not in the original/initial WHOIS records.
>
> >> Regardless, the available records suggest that there are only two likely
> >> possibilities in this case:
> >>
> >> {trimmed}
> >> 1) 216.179.128.0/17 was transferred in violation of ARIN policy.
> >>
> >> 2) The current WHOIS for 216.179.128.0/17 is simply fraudulent.
>
> >That is easy to address:  submit a fraud request, and it will be reviewed
> >and corrected if it was done fraudulently.
>
> I would do that, but for the following four things:
>
> 1)  ARIN is not the Internet Police and has no power to affect routing
> decisions of anybody.
>
> 2)  Getting the info out here, on the NANOG list, allows people to make
> up their own minds and to ignore the relevant route announcements
> and/or cease peering if they are persuaded that 216.179.128.0/17
> is likely a source of "undesirable" packets.
>
> 3)  An investigation by ARIN of 216.179.128.0/17 could take weeks or
> perhaps even months.  In contrast, packets, including bad ones,
> travel from one end of the planet to another in milliseconds.
> ARIN and its careful review processes are a sure and steady and
> reliable check on fraudulent behavior over the longer term.  But
> they will not do much to address the bad packets that may be
> flowing out of 216.179.128.0/17 this week, or even next.
>
> 4)  Filing a "fraud request" with ARIN is a serious step and one that
> could quite conceivably 

Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Marco Belmonte

For the record, there are just as many of us that appreciate your
  verbosity.

On 8/13/2019 12:35 PM, Ronald F. Guilmette wrote:

  In message 
Ross Tajvar  wrote:


Seems like submitting a fraud request to ARIN is more effective than
writing a novel and sending it to NANOG, and doesn't require the latter...

As noted in my immediately prior posting, ARIN's careful adjudication of
this or any other possible case of fraud could take weeks or even months.
And even if, after careful and thoughtful deliberation, ARIN concludes
that there is indeed something wrong here, ARIN has neither the power nor
the authority to tell anyone how to configure their routers, and thus,
any decision or conclusion made by ARIN, regarding this or any other case
of possible fraud, will have no immediate effect on the flow of bad packets.


Regards,
rfg


P.S.  I do apologize for my verbosity.  As the late Carl Sagan often said,
extraordinary claims require extraordinary evidence.  I made the extraordinary
claim, on this public mailing list, that -something- fraudulent had gone on
with respect to the 216.179.128.0/17 block which has resulted in the WHOIS
record for that bearing little or no relationship to actual reality.
Having made the claim, I felt a duty to explain and to provide the evidence,
not in 140 characters, but in detail.





Re: User Unknown (WAS: really amazon?)

2019-08-13 Thread Matthew Petach
On Fri, Aug 9, 2019 at 4:31 PM Stephen Satchell  wrote:

> On 8/9/19 4:03 PM, Matthew Petach wrote:
> > ...apparently Amazon has become a public utility
> > now?
> >
> > I look forward with bemusement to the PUC
> > tariff filings for AWS pricing.  ^_^;;
>
> [...]

>
> And it wouldn't be the PUC, as Amazon is a company national in scope.
> It would be something like the FCC.  Public Utility Commissions are at
> the local (usually county) or state level.
>

That was somewhat the point.
Public utilities make some amount
of sense when there's a local natural monopoly.

With a global company, there's no such thing
as a local natural monopoly in play; how would
you assign oversight to a global entity?  Which
"public" would be the ones being protected?
The city of Seattle, WA, where Amazon is
headquartered?  The State of Washington?
The United States, at a federal level?   What
about the "public" that uses Amazon in all
the other countries of the world?

There's no way to make a global entity a
regulated public utility; we don't have an
organization that has that level of oversight
across country boundaries, unless you start
thinking about entities that can enforce *treaties*
between countries.

And I'm not sure I'd want our Ambassadors
being the ones at the table deciding how best
to regulate Amazon.   :/


RE: Protecting 1Gb Ethernet From Lightning Strikes

2019-08-13 Thread Kevin McCormick
The university I worked at used ITW Linx surge arrestors for years, never had 
any issues.

https://www.itwlinx.com/products/surgegate-modular-communications-surge-protectors/cat6-75z

The model above will work with POE+, careful of their cheaper CAT5-POE and 
CAT6-POE models as they are not designed for POE+ and did not work well with 
Cisco POE.

Never had issues with the CAT6-75 model, worked perfect with Cisco equipment.

We also used the CAT6-LAN models where POE was not needed, as they clamp to 16v 
vs the 75v of the CAT6-75 model.

Thank you,

Kevin McCormick

From: NANOG  On Behalf Of Javier J
Sent: Tuesday, August 13, 2019 1:22 PM
To: nanog@nanog.org
Subject: Protecting 1Gb Ethernet From Lightning Strikes

I'm working with a client site that has been hit twice, very close by 
lightning.

I did lots of electrical work/upgrades/grounding but now I want to focus on 
protecting Ethernet connections between core switching/other devices that can't 
be migrated to fiber optic.

I was looking for surge protection devices for Ethernet but have never shopped 
for anything like this before. Was wondering if anyone has deployed a solution?
They don't have a large presence on site (I have been moving all of their core 
stuff to AWS) but they still have core networking / connectivity and PoE 
cameras / APs around the property.
Since migrating their onsite servers/infra to the cloud, now their connectivity 
is even more important.

This is a small site, maybe about 200 switch ports, but I would only need to 
protect maybe 12 core ones, but would be something I could use in the future 
with larger deployments.
it's just a 1Gbe network BTW.

Hope someone with more experience can help make hardware recommendations?

Thanks in advance.

- Javier


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Rich Kulawiec
On Mon, Aug 12, 2019 at 04:11:00PM -0400, Ross Tajvar wrote:
> Seems like submitting a fraud request to ARIN is more effective than
> writing a novel and sending it to NANOG, and doesn't require the latter...

But if he didn't fully document his assertion(s), then he would be faced
with a plethora of replies decrying the lack of substantiating evidence.
Better to lay the case out in detail so that everyone can see the work
and so that anyone who cares to can check it for themselves.

And -- given Ron's long history of thorough documentation -- there are
some of us who are willing to take his word for it and make operational
decisions based on what he reports, independent of what ARIN decides to
do or not do, or when it decides to do it.

---rsk


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Ronald F. Guilmette
In message 

Ross Tajvar  wrote:

>Seems like submitting a fraud request to ARIN is more effective than
>writing a novel and sending it to NANOG, and doesn't require the latter...

As noted in my immediately prior posting, ARIN's careful adjudication of
this or any other possible case of fraud could take weeks or even months.
And even if, after careful and thoughtful deliberation, ARIN concludes
that there is indeed something wrong here, ARIN has neither the power nor
the authority to tell anyone how to configure their routers, and thus,
any decision or conclusion made by ARIN, regarding this or any other case
of possible fraud, will have no immediate effect on the flow of bad packets.


Regards,
rfg


P.S.  I do apologize for my verbosity.  As the late Carl Sagan often said,
extraordinary claims require extraordinary evidence.  I made the extraordinary
claim, on this public mailing list, that -something- fraudulent had gone on
with respect to the 216.179.128.0/17 block which has resulted in the WHOIS
record for that bearing little or no relationship to actual reality.
Having made the claim, I felt a duty to explain and to provide the evidence,
not in 140 characters, but in detail.


Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17

2019-08-13 Thread Ronald F. Guilmette
In message , 
John Curran  wrote:

>On 9 Aug 2019, at 4:09 PM, Ronald F. Guilmette  wrote:
>> ...
>> Unfortunately, we cannot read too much into this change that was made
>> to the block's public-facing WHOIS record.  Neither the new WHOIS info
>> nor even the old WHOIS info can be used to reliably infer who or what
>> is the legitimate registrant of the block at any point in time.  This
>> is because ARIN, like all of the other Regional Internet Registries,
>> allows registrants to put essentially any bovine excrement they desire
>> into their public-facing WHOIS records.
>
>That is not the case – ARIN confirms the legal status of organizations
>receiving number resources. 

This is NOT the message that I got from our recent discussion of the giant
Micfo fraud on the ARIN Public Policy Mailing List.  When I raised
questions about why various of the Micfo phoney baloney shell companies
had blocks with WHOIS records saying they were located in states that
they were obviously not located in, I believe that you said that once
a block has been allocated, by ARIN, to some (properly vetted) entity,
that after that point in time, the entity could -change- the relevant
WHOIS record to say any bloody thing it wanted, and that such -changes-
to ARIN WHOIS records are not vetted in any way.

If I got the Wrong Impression from your prior statements, then by all
means, please do correct me.  And then please do explain why several of
the Micfo phony shell companies did in fact have WHOIS records for ARIN-
issued IPv4 space that gave street addresses in states where none of these
phony shell companies were actually registered to do business.

>> (And, it should be noted, the
>> man behind the recent large scale "Micfo" fraud apparently availed
>> himself of this exact opportunity for subterfuge, in spades.)
>
>As previously noted on this list, such was only possible because of the
>use of falsely notarized documents. 

I -do- understand that the fraudulent documents that were originally
presented to you/ARIN provided information indicating that the phoney
Micfo shell companies -did- actually exist in -some- state (Delaware?),
and that ARIN -did- verify, to the best of its ability, that those
companies -did- exist, legally speaking, in their originally declared
home state(s).  But that fact is just skirting the real issue here,
which is the question of whether or not ARIN even looks at -changes-
that a registrant may make to the WHOIS records (e.g. for IPv4 blocks)
-after- those blocks have been assigned.

It appears from where I am sitting that ARIN does not do so.  And thus,
I stand by my comment that a registrant -can- in fact put any bloody
nonsense they want into their WHOIS records, at least as long as they
do it via -changes- and not in the original/initial WHOIS records.

>> Regardless, the available records suggest that there are only two likely
>> possibilities in this case:
>>
>> {trimmed}
>> 1) 216.179.128.0/17 was transferred in violation of ARIN policy.
>>
>> 2) The current WHOIS for 216.179.128.0/17 is simply fraudulent.
 
>That is easy to address:  submit a fraud request, and it will be reviewed
>and corrected if it was done fraudulently.

I would do that, but for the following four things:

1)  ARIN is not the Internet Police and has no power to affect routing
decisions of anybody.

2)  Getting the info out here, on the NANOG list, allows people to make
up their own minds and to ignore the relevant route announcements
and/or cease peering if they are persuaded that 216.179.128.0/17
is likely a source of "undesirable" packets.

3)  An investigation by ARIN of 216.179.128.0/17 could take weeks or
perhaps even months.  In contrast, packets, including bad ones,
travel from one end of the planet to another in milliseconds.
ARIN and its careful review processes are a sure and steady and
reliable check on fraudulent behavior over the longer term.  But
they will not do much to address the bad packets that may be
flowing out of 216.179.128.0/17 this week, or even next.

4)  Filing a "fraud request" with ARIN is a serious step and one that
could quite conceivably end up with the party filing such a formal
report being on the business end of lawsuit, just for having filed
such a report.

Does ARIN indemnify the parties who file such reports against such
claims, as ARIN is currently asking ARIN-region networks to do for
ARIN if they want to avail themselves of the added security of RPKI?


Regards,
rfg


Re: Protecting 1Gb Ethernet From Lightning Strikes

2019-08-13 Thread Nate Burke

You will want to check out these.

https://mccowntech.wptstaging.space/product-category/surge-protectors/rack-mount-surge-protectors/

They are made to fit into the 1U APC Chassis PRM24.

We rely on them heavily in the WISP Market.  I've had equipment on a 
tower that was physically destroyed by lightening, and the Router Port 
on the other side of these arrestors was just fine.


On 8/13/2019 1:51 PM, Rob Pickering wrote:
On Tue, 13 Aug 2019 at 19:23, Javier J  wrote:


I'm working with a client site that has been hit twice, very close
by lightning.

I did lots of electrical work/upgrades/grounding but now I want to
focus on protecting Ethernet connections between core
switching/other devices that can't be migrated to fiber optic.

I was looking for surge protection devices for Ethernet but have
never shopped for anything like this before. Was wondering if
anyone has deployed a solution?
They don't have a large presence on site (I have been moving all
of their core stuff to AWS) but they still have core networking /
connectivity and PoE cameras / APs around the property.
Since migrating their onsite servers/infra to the cloud, now their
connectivity is even more important.


The correct answer is use fiber.

If you really, really can't then APC make a single port transient 
arrestor p/n PNET1GB.


I've used these in the past for a PoE phone in a wooden gatehouse hut 
right on the 100M max length with no power for active kit and they 
seem to work fine. I'm using one at the moment for a PoE access point 
in my garden shed. Not sure I would bring an inter building link in 
copper onto an expensive core switch though.


Don't know of anything in higher density than "one port".

--
Rob Pickering, r...@pickering.org 




Re: Protecting 1Gb Ethernet From Lightning Strikes

2019-08-13 Thread Bill Woodcock
> The correct answer is use fiber.
> Not sure I would bring an inter building link in copper onto an expensive 
> core switch though.

Yeah.

> Don't know of anything in higher density than "one port”.

This on Amazon:

https://smile.amazon.com/Protector-Lightning-Suppressor-Protection-TP323/dp/B07P3XDXN3/ref=sr_1_6?keywords=apc+PNET1GB=1565722471=gateway=8-6

…but I haven’t used it, so can’t specifically recommend.

-Bill





Re: Protecting 1Gb Ethernet From Lightning Strikes

2019-08-13 Thread Larry Smith
You might look at mccowntech.com,
they make surge suppressors geared toward
the wireless provider market which are pretty good.
(not associated, we just use their products).

-- 
Larry Smith
lesm...@ecsis.net

On Tue August 13 2019 13:22, Javier J wrote:
> I'm working with a client site that has been hit twice, very close by
> lightning.
>
> I did lots of electrical work/upgrades/grounding but now I want to focus on
> protecting Ethernet connections between core switching/other devices that
> can't be migrated to fiber optic.
>
> I was looking for surge protection devices for Ethernet but have never
> shopped for anything like this before. Was wondering if anyone has deployed
> a solution?
> They don't have a large presence on site (I have been moving all of their
> core stuff to AWS) but they still have core networking / connectivity and
> PoE cameras / APs around the property.
> Since migrating their onsite servers/infra to the cloud, now their
> connectivity is even more important.
>
> This is a small site, maybe about 200 switch ports, but I would only need
> to protect maybe 12 core ones. but would be something I could use in the
> future with larger deployments.
> it's just a 1Gbe network BTW.
>
> Hope someone with more experience can help make hardware recommendations?
>
> Thanks in advance.
>
> - Javier


Re: Protecting 1Gb Ethernet From Lightning Strikes

2019-08-13 Thread Blake Hudson
+1 on the Ubiquiti surge protectors specifically designed with PoE gear 
in mind (other brands like Cambium that are outdoor AP or camera 
oriented may work equally as well). I would also recommend continuing to 
isolate and protect as much as possible. For example, connecting your 
outdoor PoE cameras or APs to dedicated PoE switches that connect back 
to the core or aggregation switches via fiber. The PoE switches powering 
the outdoor gear could be connected to power on dedicated PDUs that are 
connected to dedicated circuits. I would imagine that PDUs that provide 
surge protection or on-line/line-interactive UPS units would be 
preferred over standby UPS units or PDUs that do not provide surge 
protection. Would also be nice to keep spare parts on-site or 
conveniently accessible, but not connected to power (e.g. focus on cold 
spares before focusing on hot spares).


--Blake

Warren Kumari wrote on 8/13/2019 1:32 PM:

This probably won't fully solve your problem, but I run a bunch of
Ubiquiti access points and similar -- I suffered a number of lightning
related outages, and then started using their TOUGHcable -
https://www.ui.com/accessories/toughcable/
(don't forget to also get the special jacks / ends). Since changing to
this I've had no more issues. You should also look at
https://www.ui.com/accessories/ethernet-surge-protector/ - I haven't
needed them, but...

W



On Tue, Aug 13, 2019 at 2:23 PM Javier J  wrote:

I'm working with a client site that has been hit twice, very close by 
lightning.

I did lots of electrical work/upgrades/grounding but now I want to focus on 
protecting Ethernet connections between core switching/other devices that can't 
be migrated to fiber optic.

I was looking for surge protection devices for Ethernet but have never shopped 
for anything like this before. Was wondering if anyone has deployed a solution?
They don't have a large presence on site (I have been moving all of their core 
stuff to AWS) but they still have core networking / connectivity and PoE 
cameras / APs around the property.
Since migrating their onsite servers/infra to the cloud, now their connectivity 
is even more important.

This is a small site, maybe about 200 switch ports, but I would only need to 
protect maybe 12 core ones. but would be something I could use in the future 
with larger deployments.
it's just a 1Gbe network BTW.

Hope someone with more experience can help make hardware recommendations?

Thanks in advance.

- Javier







Re: Protecting 1Gb Ethernet From Lightning Strikes

2019-08-13 Thread Rob Pickering
On Tue, 13 Aug 2019 at 19:23, Javier J  wrote:

> I'm working with a client site that has been hit twice, very close by
> lightning.
>
> I did lots of electrical work/upgrades/grounding but now I want to focus
> on protecting Ethernet connections between core switching/other devices
> that can't be migrated to fiber optic.
>
> I was looking for surge protection devices for Ethernet but have never
> shopped for anything like this before. Was wondering if anyone has deployed
> a solution?
> They don't have a large presence on site (I have been moving all of their
> core stuff to AWS) but they still have core networking / connectivity and
> PoE cameras / APs around the property.
> Since migrating their onsite servers/infra to the cloud, now their
> connectivity is even more important.
>

The correct answer is use fiber.

If you really, really can't then APC make a single port transient arrestor
p/n PNET1GB.

I've used these in the past for a PoE phone in a wooden gatehouse hut right
on the 100M max length with no power for active kit and they seem to work
fine. I'm using one at the moment for a PoE access point in my garden shed.
Not sure I would bring an inter building link in copper onto an expensive
core switch though.

Don't know of anything in higher density than "one port".

--
Rob Pickering, r...@pickering.org


Re: Protecting 1Gb Ethernet From Lightning Strikes

2019-08-13 Thread Warren Kumari
This probably won't fully solve your problem, but I run a bunch of
Ubiquiti access points and similar -- I suffered a number of lightning
related outages, and then started using their TOUGHcable -
https://www.ui.com/accessories/toughcable/
(don't forget to also get the special jacks / ends). Since changing to
this I've had no more issues. You should also look at
https://www.ui.com/accessories/ethernet-surge-protector/ - I haven't
needed them, but...

W



On Tue, Aug 13, 2019 at 2:23 PM Javier J  wrote:
>
> I'm working with a client site that has been hit twice, very close by 
> lightning.
>
> I did lots of electrical work/upgrades/grounding but now I want to focus on 
> protecting Ethernet connections between core switching/other devices that 
> can't be migrated to fiber optic.
>
> I was looking for surge protection devices for Ethernet but have never 
> shopped for anything like this before. Was wondering if anyone has deployed a 
> solution?
> They don't have a large presence on site (I have been moving all of their 
> core stuff to AWS) but they still have core networking / connectivity and PoE 
> cameras / APs around the property.
> Since migrating their onsite servers/infra to the cloud, now their 
> connectivity is even more important.
>
> This is a small site, maybe about 200 switch ports, but I would only need to 
> protect maybe 12 core ones. but would be something I could use in the future 
> with larger deployments.
> it's just a 1Gbe network BTW.
>
> Hope someone with more experience can help make hardware recommendations?
>
> Thanks in advance.
>
> - Javier



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf


Protecting 1Gb Ethernet From Lightning Strikes

2019-08-13 Thread Javier J
I'm working with a client site that has been hit twice, very close by
lightning.

I did lots of electrical work/upgrades/grounding but now I want to focus on
protecting Ethernet connections between core switching/other devices that
can't be migrated to fiber optic.

I was looking for surge protection devices for Ethernet but have never
shopped for anything like this before. Was wondering if anyone has deployed
a solution?
They don't have a large presence on site (I have been moving all of their
core stuff to AWS) but they still have core networking / connectivity and
PoE cameras / APs around the property.
Since migrating their onsite servers/infra to the cloud, now their
connectivity is even more important.

This is a small site, maybe about 200 switch ports, but I would only need
to protect maybe 12 core ones. but would be something I could use in the
future with larger deployments.
it's just a 1Gbe network BTW.

Hope someone with more experience can help make hardware recommendations?

Thanks in advance.

- Javier