Any Zayo peeps on the list?

2020-04-13 Thread Mike Lyon
Howdy!

Any Zayo peeps on the list? Seeing some packet loss on your network and your 
NCC seems to be clueless.

Please shoot me an email offlist.

Thank You,
Mike

Re: Route aggregation w/o AS-Sets

2020-04-13 Thread Alejandro Acosta
Hello Lars,

 As a comment there is a draft that proposes to deprecate AS_SET  
https://datatracker.ietf.org/doc/draft-ietf-idr-deprecate-as-set-confed-set/?include_text=1


Alejandro,


On 4/11/20 7:09 AM, Lars Prehn wrote:
> Hi everyone,
>
> how exactly do you aggregate routes? When do you add the AS_SET
> attribute, when do you omit it? How does the latter interplay with RPKI?
>
> Best regards,
>
> Lars
>
>




Re: Route aggregation w/o AS-Sets

2020-04-13 Thread Christopher Morrow
Don't use as-sets step one.
Rpki does not understand how to express an as-sets' authorization.

Why do you want to do this?

On Mon, Apr 13, 2020, 13:34 Lars Prehn  wrote:

> Hi everyone,
>
> how exactly do you aggregate routes? When do you add the AS_SET
> attribute, when do you omit it? How does the latter interplay with RPKI?
>
> Best regards,
>
> Lars
>
>
>
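
Added example, not part of the original thread: route origin validation as specified in RFC 6811, showing why an aggregate whose path ends in an AS_SET can never come out valid. The ASNs, prefixes and VRPs are constructed documentation values, and the segment representation is an assumption of this sketch.

```python
"""RFC 6811 route origin validation for aggregates with and without AS_SET."""
import ipaddress
from typing import NamedTuple


class VRP(NamedTuple):
    """Validated ROA payload: prefix, maxLength and authorised origin AS."""
    prefix: str
    max_length: int
    asn: int


def origin_of(segments):
    """Return the route origin AS, or None when RFC 6811 says it is NONE.

    segments is a list of ("seq" | "set", [asn, ...]) tuples in path order.
    A final segment of type AS_SET gives origin NONE.
    """
    if not segments:
        return None
    kind, asns = segments[-1]
    if kind == "set" or not asns:
        return None
    return asns[-1]


def validate(prefix, segments, vrps):
    """Classify a route as 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    origin = origin_of(segments)
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True  # at least one VRP covers this route
        if (origin is not None and origin == vrp.asn
                and route.prefixlen <= vrp.max_length):
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed data: AS64496 aggregates two customer /25s into one /24 and has
# a ROA for the aggregate.
VRPS = [VRP("198.51.100.0/24", 24, 64496)]

# Aggregate announced with the contributing ASes kept in a trailing AS_SET.
WITH_AS_SET = [("seq", [64510, 64496]), ("set", [64500, 64501])]
# Same aggregate announced without AS_SET: the aggregator is the origin.
WITHOUT_AS_SET = [("seq", [64510, 64496])]

if __name__ == "__main__":
    print("with AS_SET:   ", validate("198.51.100.0/24", WITH_AS_SET, VRPS))
    print("without AS_SET:", validate("198.51.100.0/24", WITHOUT_AS_SET, VRPS))
    print("no ROA at all: ", validate("203.0.113.0/24", WITH_AS_SET, VRPS))
```

No ROA the aggregator could publish changes the first result, because a ROA names exactly one origin AS and the AS_SET route has none.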


Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Suresh Ramasubramanian
Handle it in a reasonable amount of time, and please prioritize phishing 
somewhere after the usual threat to life / child abuse type cases (which are, 
fortunately, comparatively rare).  Phishes put people at risk of losing their 
life savings, and especially with covid already threatening to make that 
happen, that’s something we must all work to prevent.

There are providers that are good at handling abuse and responding as well (if 
only with boilerplate text and an automated ticket closure email, that’s fine.. 
as long as the threat is addressed I wouldn’t even need a reply) while there 
are others that have substantial abuse automation but are slow to respond at 
times, while others have no significant abuse prevention AND are slow to 
respond.

If, for whatever reason, the abuse load on a network goes out of control then 
the network does get pressured by escalation in one form or the other. 
Corporate contacts in this individual’s case, could be reports to various 
upstreams in some other case.

--srs
From: Matt Corallo 
Date: Tuesday, 14 April 2020 at 12:41 AM
To: Suresh Ramasubramanian 
Cc: Tom Beecher , Kushal R. , Nanog 
, Rich Kulawiec 
Subject: Re: Constant Abuse Reports / Borderline Spamming from RiskIQ
I don’t really get the point of bothering, then. AWS takes about ~forever to 
respond to SES phishing reports, let alone hosting abuse, and other, cheaper, 
hosts/mailers (OVH etc come up all the time) don’t bother at all. Unless you 
want to automate “1 report = drop customer”, you’re saying that we should all 
stop hosting anything?


On Apr 13, 2020, at 11:50, Suresh Ramasubramanian  wrote:

RiskIQ reports phish URLs for large brands

The life cycle of a typical phish campaign is in hours but I guess people can 
live with 24. If you handle the complaint only after two business days, that’s 
closing the barn door after the horse has bolted and crossed a state line.

--srs

From: NANOG  on behalf of Tom Beecher 

Sent: Tuesday, April 14, 2020 12:11:18 AM
To: Kushal R. 
Cc: Nanog ; Rich Kulawiec 
Subject: Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

I would agree that Twitter is not a primary place for abuse reporting.

If they are reporting things via your correct abuse channel and you are indeed 
handling them within 48 business hours, then I would also agree this much extra 
spray and pray is excessive. However RiskIQ is known to be pretty responsible, 
so if they are doing this they likely feel like they are NOT getting 
appropriate responses from you and are resorting to scorched earth. Have you 
attempted to reach out to them and make sure they have the proper direct 
channel for abuse reporting?

On Mon, Apr 13, 2020 at 1:45 PM Kushal R. <kusha...@h4g.co> wrote:
All abuse reports that we receive are dealt with within 48 business hours. As far as 
that tweet is concerned, it’s pending for 16 days because they have been 
blocked from sending us any emails due to the sheer amount of emails they 
started sending and then our live support chats.

We send our abuse reports too, but we don’t spam them to every publicly 
available email address for an organisation, it isn’t difficult to look up the 
Abuse POC for an IP or network and just because you do not get a response in 24 
hours does not mean you forward the same report to 10 other email addresses. 
Similarly twitter isn’t a place to report abuse either.



On Apr 13, 2020 at 9:37 PM, <r...@gsp.org> wrote:

On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
> We understand these reports and deal with them as per our policies and
> timelines but this constant spamming by them from various channels is not
> appreciated.

Quoting from: https://twitter.com/RiskIQ_IRT/status/1249696689985740800
which is dated 9:15 AM 4/13/2020:

5 #phishing URLs on admin12.find-textbook[.]com were reported
to @Host4Geeks (Walnut, CA) from as far back as 16 days ago,
and they are all STILL active

16 days is unacceptable. If you can't do better than that -- MUCH
better -- then shut down your entire operation today as it's unworthy of
being any part of the Internet community.

---rsk


Re: attribution

2020-04-13 Thread Christopher Morrow
On Mon, Apr 13, 2020 at 7:38 PM Brandon Martin  wrote:
>
> On 4/13/20 4:31 PM, Randy Bush wrote:
> > it seems a lot of folk think prepending actually works.
>
> I mean, there's prepending and then there's prepending 50+ times...  Has
> the latter EVER been useful in any way, shape, or form?

for ~4 yrs or so there's been possible problems with as-paths longer
than ~50 (I think, i can't recall the exact vendor bug)
so, folk should have already been denying announcements with longer
than ~something-like-45 asn in the path.. right? :)

(yes, any prepend past ~10 is arguably not worth the time)


Re: attribution

2020-04-13 Thread Brandon Martin

On 4/13/20 4:31 PM, Randy Bush wrote:

it seems a lot of folk think prepending actually works.


I mean, there's prepending and then there's prepending 50+ times...  Has 
the latter EVER been useful in any way, shape, or form?

--
Brandon Martin


Re: attribution

2020-04-13 Thread Matthew Petach
Well, according to your router's error message, it *did* work...it ensured
you couldn't propagate that route update, thereby ensuring no traffic from
your neighbors would traverse the prepended path.

Of course, it's a bit of a degenerate case of "working"--but it *did* serve
to shift traffic away.  ^_^;;

Matt



On Mon, Apr 13, 2020, 13:33 Randy Bush  wrote:

> > I’m using CAIDA’s bgpreader and this one looks like it might be an
> > example of what you want.
> >
> > R|R|1586714402.00|routeviews|route-views.eqix|||2914|206.126.236.12|
> 103.148.41.0/24|206.126.236.12|2914
>  58717 134371 134371
> 134371 134371 140076 140076 140076 140076 140076 140076 140076 140076
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076
> 140076 140076 140076 140076 140076 140076|140076|2914:410 2914:1405
> 2914:2406 2914:3400||
>
> aut-num:AS140076
> as-name:MIS-AS-AP
> descr:  Mir Internet Service
> country:BD
> org:ORG-MIS3-AP
> admin-c:MISA2-AP
> tech-c: MISA2-AP
> mnt-by: APNIC-HM
> mnt-irt:IRT-MIS-BD
> mnt-routes: MAINT-MIS-BD
> mnt-lower:  MAINT-MIS-BD
> last-modified:  2020-01-31T06:35:38Z
> source: APNIC
>
> actually, an example of what none of us wants :)
>
> it seems a lot of folk think prepending actually works.
>
> thanks
>
>
>


Re: attribution

2020-04-13 Thread Mark Tinka



On 13/Apr/20 23:04, Bryan Holloway wrote:

>  
>
> Oh, it works ... just not for anything pragmatically useful.

In 2020, no less.

Can't recall the last time I used this feature, even if it's one we
offer for BGP communities we accept from customers.

Admittedly, I don't think any of them use it.

Mark.


Re: attribution

2020-04-13 Thread Bryan Holloway



On 4/13/20 10:31 PM, Randy Bush wrote:

I’m using CAIDA’s bgpreader and this one looks like it might be an
example of what you want.

R|R|1586714402.00|routeviews|route-views.eqix|||2914|206.126.236.12|103.148.41.0/24|206.126.236.12|2914
 58717 134371 134371 134371 134371 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076|140076|2914:410 
2914:1405 2914:2406 2914:3400||


aut-num:AS140076
as-name:MIS-AS-AP
descr:  Mir Internet Service
country:BD
org:ORG-MIS3-AP
admin-c:MISA2-AP
tech-c: MISA2-AP
mnt-by: APNIC-HM
mnt-irt:IRT-MIS-BD
mnt-routes: MAINT-MIS-BD
mnt-lower:  MAINT-MIS-BD
last-modified:  2020-01-31T06:35:38Z
source: APNIC

actually, an example of what none of us wants :)

it seems a lot of folk think prepending actually works.

thanks



Oh, it works ... just not for anything pragmatically useful.


Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread William Herrin
On Mon, Apr 13, 2020 at 10:45 AM Kushal R.  wrote:
> All abuse reports that we receive are dealt with within 48 business
> hours. As far as that tweet is concerned, it’s pending for 16 days
> because they have been blocked from sending us any emails

Hi Kushal,

I would venture a guess that's why they've escalated to calling you
out on Twitter.

Don't shoot the messenger. However irritating they may be, if they
reported a real problem (as it appears they did) it's strongly in your
interest to fix it.

Regards.
Bill Herrin


-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Dan Hollis

On Mon, 13 Apr 2020, Kushal R. wrote:
> As far as that tweet is concerned, it’s pending for 16 days because
> they have been blocked from sending us any emails due to the sheer
> amount of emails they started sending and then our live support chats.


This is not an acceptable answer.

-Dan


Re: attribution

2020-04-13 Thread Randy Bush
> I’m using CAIDA’s bgpreader and this one looks like it might be an
> example of what you want.
> 
> R|R|1586714402.00|routeviews|route-views.eqix|||2914|206.126.236.12|103.148.41.0/24|206.126.236.12|2914
>  58717 134371 134371 134371 134371 140076 140076 140076 140076 140076 140076 
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
> 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
> 140076 140076 140076 140076 140076 140076 140076 140076 
> 140076|140076|2914:410 2914:1405 2914:2406 2914:3400||

aut-num:AS140076
as-name:MIS-AS-AP
descr:  Mir Internet Service
country:BD
org:ORG-MIS3-AP
admin-c:MISA2-AP
tech-c: MISA2-AP
mnt-by: APNIC-HM
mnt-irt:IRT-MIS-BD
mnt-routes: MAINT-MIS-BD
mnt-lower:  MAINT-MIS-BD
last-modified:  2020-01-31T06:35:38Z
source: APNIC

actually, an example of what none of us wants :)

it seems a lot of folk think prepending actually works.

thanks



Re: attribution

2020-04-13 Thread Sandra Murphy
I’m using CAIDA’s bgpreader and this one looks like it might be an example of 
what you want.

R|R|1586714402.00|routeviews|route-views.eqix|||2914|206.126.236.12|103.148.41.0/24|206.126.236.12|2914
 58717 134371 134371 134371 134371 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 140076 
140076 140076 140076 140076 140076 140076 140076 140076 140076|140076|2914:410 
2914:1405 2914:2406 2914:3400||

—Sandy

> On Apr 13, 2020, at 3:17 PM, Randy Bush  wrote:
> 
> Apr 12 17:57:42 r0.iad rpd[1752]: Prefix Send failed ! 103.148.41.0/24 
> bgp_rt_trace_too_big_message:1209 path attribute too big. Cannot build update.
> 
> so some idiot is barfing out a ridiculous as_path.  dear lazynet, is
> there an easy way to get attribution for this stupidity?  i.e. the
> as_path.
> 
> e.g. a nice query to ris or rv given the prefix, 103.148.41.0/24, and
> the utc time, Apr 12 17:57:42.
> 
> randy
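
Added example, not part of the original thread: a parser for bgpreader elem lines like the one quoted above that reports who prepended, how many times, and whether the path exceeds a maximum length of the kind mentioned elsewhere in this thread. The field order, the limit of 50 and the sample record (built in the shape of the quoted one, with a repeat count chosen for the example) are assumptions.

```python
"""Flag excessive AS-path prepending in bgpreader elem records."""
from itertools import groupby

# Assumption: field order of bgpreader's pipe-delimited elem output, matching
# the 16-field record quoted in the thread (router and state fields empty).
FIELDS = ("rec_type", "elem_type", "time", "project", "collector", "router",
          "router_ip", "peer_asn", "peer_ip", "prefix", "next_hop",
          "as_path", "origin_asn", "communities", "old_state", "new_state")

MAX_PATH_LEN = 50  # assumption: local policy limit for accepted AS paths


def parse_elem(line):
    """Split one elem line into a dict; reject records of the wrong shape."""
    # Mail clients wrap long records, so collapse all whitespace first.
    parts = " ".join(line.split()).split("|")
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def analyse_path(as_path):
    """Return (hop_count, [(asn, repeats), ...]) for a space-separated path."""
    hops = as_path.split()
    if not hops:
        raise ValueError("empty AS path")
    for hop in hops:
        # AS_SET members are printed as {a,b}; only sequences are handled.
        if not hop.isdigit():
            raise ValueError(f"unsupported path element: {hop!r}")
    runs = [(int(asn), len(list(group))) for asn, group in groupby(hops)]
    return len(hops), runs


def review(line, max_len=MAX_PATH_LEN):
    """Summarise one record: the prepender, the count, and the verdict."""
    elem = parse_elem(line)
    length, runs = analyse_path(elem["as_path"])
    worst_asn, worst_run = max(runs, key=lambda run: run[1])
    return {
        "prefix": elem["prefix"],
        "origin": int(elem["origin_asn"]),
        "path_len": length,
        "distinct_path": [asn for asn, _ in runs],
        "top_prepender": worst_asn,
        "prepends": worst_run - 1,   # copies beyond the first
        "reject": length > max_len,
    }


# Constructed sample, wrapped across lines the way the mail archive shows it.
SAMPLE = ("R|R|1586714402.00|routeviews|route-views.eqix|||2914|"
          "206.126.236.12|103.148.41.0/24|206.126.236.12|2914\n 58717 "
          + "134371 " * 4 + "140076 " * 99 + "140076"
          + "|140076|2914:410 2914:1405\n2914:2406 2914:3400||")

if __name__ == "__main__":
    for key, value in review(SAMPLE).items():
        print(f"{key}: {value}")
```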



RE: IS-IS IPAM platform

2020-04-13 Thread Aaron Gould
Our atm network in san diego was the full base 16 hex for the 13 byte nsap 
prefix of all the atm switches in our 4-level PNNI cloud

This may be slightly off topic of ISIS practices though

But, yeah, we didn't encode any switch mgmt. ip into the nsap addressing as I 
recall... just the pnni peer groups had hex identities

-Aaron

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Bryan Holloway
Sent: Monday, April 13, 2020 12:46 PM
To: Randy Bush; Tom Beecher
Cc: Nanog
Subject: Re: IS-IS IPAM platform

I've always wondered about folks' opinions about one thing, though:

In y'all's opinion, do you prefer/recommend using base-10 digits or hex 
in your NSAP addresses? I like the former for readability, but the 
latter can (could) be better for automation. Maybe.

I got into a heated argument about this once with ATM back in the day, 
but my brain's too frazzled to remember the takeaways.


On 4/13/20 7:37 PM, Randy Bush wrote:
>> Just encode the router loopback IPv4 address in the system identifier bytes
>> and call it a day.
> 
> i think asp wrote this up back in the early '90s.  anyone have a cite?
> 
> randy
> 



Re: IS-IS IPAM platform

2020-04-13 Thread Randy Bush
> In y'all's opinion, do you prefer/recommend using base-10 digits or
> hex in your NSAP addresses?

it's the decimal representation of the octets

lo0 {
description "main loopback";
unit 0 {
family inet {
address 127.0.0.1/32;
address 192.168.254.10/32 {
primary;
}
}
family iso {
address 47.0001.1921.6825.4010.00;
}
}
}

some glorp omitted to protect the innocent

randy
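
Added example, not part of the original post: the loopback-to-system-ID encoding shown in the config above, its inverse, and an inventory audit for NETs that have drifted from the loopback or collide. The area prefix is taken from the quoted config; host names and inventory entries are constructed.

```python
"""Derive IS-IS NETs from loopback IPv4 addresses and audit an inventory."""
import ipaddress

AREA = "47.0001"   # area prefix as it appears in the quoted config
SELECTOR = "00"    # a NET carries selector 00


def ipv4_to_system_id(addr):
    """Zero-pad each octet to three digits, then regroup the 12 digits in fours."""
    octets = ipaddress.IPv4Address(addr).packed
    digits = "".join(f"{octet:03d}" for octet in octets)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def ipv4_to_net(addr, area=AREA):
    """Build the full NET: area, system ID, selector."""
    return f"{area}.{ipv4_to_system_id(addr)}.{SELECTOR}"


def system_id_of(net):
    """Return the three system-ID groups of a NET, validating its shape."""
    parts = net.split(".")
    if len(parts) < 5 or parts[-1] != SELECTOR:
        raise ValueError(f"not a NET with selector {SELECTOR}: {net!r}")
    return ".".join(parts[-4:-1])


def net_to_ipv4(net):
    """Recover the loopback address from a NET built with this scheme."""
    digits = system_id_of(net).replace(".", "")
    if len(digits) != 12 or not digits.isdigit():
        raise ValueError(f"system ID is not 12 decimal digits: {net!r}")
    octets = [int(digits[i:i + 3]) for i in range(0, 12, 3)]
    if max(octets) > 255:
        raise ValueError(f"system ID does not encode an IPv4 address: {net!r}")
    return str(ipaddress.IPv4Address(bytes(octets)))


def audit(inventory):
    """Report routers whose system ID mismatches the loopback or is reused."""
    findings, owners = [], {}
    for host, loopback, net in inventory:
        sysid = system_id_of(net)
        if sysid != ipv4_to_system_id(loopback):
            findings.append((host, "system ID does not match loopback"))
        if sysid in owners:
            findings.append((host, f"system ID duplicates {owners[sysid]}"))
        owners.setdefault(sysid, host)
    return findings


# Constructed inventory: (host, loopback, configured NET).
INVENTORY = [
    ("rtr-a", "192.168.254.10", "47.0001.1921.6825.4010.00"),
    ("rtr-b", "192.168.254.11", "47.0001.1921.6825.4011.00"),
    ("rtr-c", "192.168.254.12", "47.0001.1921.6825.4011.00"),  # copy-paste slip
]

if __name__ == "__main__":
    print(ipv4_to_net("192.168.254.10"))
    for host, problem in audit(INVENTORY):
        print(f"{host}: {problem}")
```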


attribution

2020-04-13 Thread Randy Bush
Apr 12 17:57:42 r0.iad rpd[1752]: Prefix Send failed ! 103.148.41.0/24 
bgp_rt_trace_too_big_message:1209 path attribute too big. Cannot build update.

so some idiot is barfing out a ridiculous as_path.  dear lazynet, is
there an easy way to get attribution for this stupidity?  i.e. the
as_path.

e.g. a nice query to ris or rv given the prefix, 103.148.41.0/24, and
the utc time, Apr 12 17:57:42.

randy


Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Matt Corallo via NANOG
I don’t really get the point of bothering, then. AWS takes about ~forever to 
respond to SES phishing reports, let alone hosting abuse, and other, cheaper, 
hosts/mailers (OVH etc come up all the time) don’t bother at all. Unless you 
want to automate “1 report = drop customer”, you’re saying that we should all 
stop hosting anything?

> On Apr 13, 2020, at 11:50, Suresh Ramasubramanian  wrote:
> 
> 
> RiskIQ reports phish URLs for large brands
> 
> The life cycle of a typical phish campaign is in hours but I guess people can 
> live with 24. If you handle the complaint only after two business days, 
> that’s closing the barn door after the horse has bolted and crossed a state 
> line.
> 
> --srs
> From: NANOG  on behalf of Tom Beecher 
> 
> Sent: Tuesday, April 14, 2020 12:11:18 AM
> To: Kushal R. 
> Cc: Nanog ; Rich Kulawiec 
> Subject: Re: Constant Abuse Reports / Borderline Spamming from RiskIQ
>  
> I would agree that Twitter is not a primary place for abuse reporting. 
> 
> If they are reporting things via your correct abuse channel and you are 
> indeed handling them within 48 business hours, then I would also agree this 
> much extra spray and pray is excessive. However RiskIQ is known to be pretty 
> responsible, so if they are doing this they likely feel like they are NOT 
> getting appropriate responses from you and are resorting to scorched earth. 
> Have you attempted to reach out to them and make sure they have the proper 
> direct channel for abuse reporting? 
> 
>> On Mon, Apr 13, 2020 at 1:45 PM Kushal R.  wrote:
>> All abuse reports that we receive are dealt with within 48 business hours. As far 
>> as that tweet is concerned, it’s pending for 16 days because they have been 
>> blocked from sending us any emails due to the sheer amount of emails they 
>> started sending and then our live support chats.
>> 
>> We send our abuse reports too, but we don’t spam them to every publicly 
>> available email address for an organisation, it isn’t difficult to look up 
>> the Abuse POC for an IP or network and just because you do not get a 
>> response in 24 hours does not mean you forward the same report to 10 other 
>> email addresses. Similarly twitter isn’t a place to report abuse either. 
>> 
>> 
>> On Apr 13, 2020 at 9:37 PM,  wrote:
>> 
>> On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
>> > We understand these reports and deal with them as per our policies and
>> > timelines but this constant spamming by them from various channels is not
>> > appreciated.
>>
>> Quoting from: https://twitter.com/RiskIQ_IRT/status/1249696689985740800
>> which is dated 9:15 AM 4/13/2020:
>>
>> 5 #phishing URLs on admin12.find-textbook[.]com were reported
>> to @Host4Geeks (Walnut, CA) from as far back as 16 days ago,
>> and they are all STILL active
>>
>> 16 days is unacceptable. If you can't do better than that -- MUCH
>> better -- then shut down your entire operation today as it's unworthy of
>> being any part of the Internet community.
>>
>> ---rsk


Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Suresh Ramasubramanian
RiskIQ reports phish URLs for large brands

The life cycle of a typical phish campaign is in hours but I guess people can 
live with 24. If you handle the complaint only after two business days, that’s 
closing the barn door after the horse has bolted and crossed a state line.

--srs

From: NANOG  on behalf of Tom Beecher 

Sent: Tuesday, April 14, 2020 12:11:18 AM
To: Kushal R. 
Cc: Nanog ; Rich Kulawiec 
Subject: Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

I would agree that Twitter is not a primary place for abuse reporting.

If they are reporting things via your correct abuse channel and you are indeed 
handling them within 48 business hours, then I would also agree this much extra 
spray and pray is excessive. However RiskIQ is known to be pretty responsible, 
so if they are doing this they likely feel like they are NOT getting 
appropriate responses from you and are resorting to scorched earth. Have you 
attempted to reach out to them and make sure they have the proper direct 
channel for abuse reporting?

On Mon, Apr 13, 2020 at 1:45 PM Kushal R. <kusha...@h4g.co> wrote:
All abuse reports that we receive are dealt with within 48 business hours. As far as 
that tweet is concerned, it’s pending for 16 days because they have been 
blocked from sending us any emails due to the sheer amount of emails they 
started sending and then our live support chats.

We send our abuse reports too, but we don’t spam them to every publicly 
available email address for an organisation, it isn’t difficult to look up the 
Abuse POC for an IP or network and just because you do not get a response in 24 
hours does not mean you forward the same report to 10 other email addresses. 
Similarly twitter isn’t a place to report abuse either.


On Apr 13, 2020 at 9:37 PM, <r...@gsp.org> wrote:

On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
> We understand these reports and deal with them as per our policies and
> timelines but this constant spamming by them from various channels is not
> appreciated.

Quoting from: https://twitter.com/RiskIQ_IRT/status/1249696689985740800
which is dated 9:15 AM 4/13/2020:

5 #phishing URLs on admin12.find-textbook[.]com were reported
to @Host4Geeks (Walnut, CA) from as far back as 16 days ago,
and they are all STILL active

16 days is unacceptable. If you can't do better than that -- MUCH
better -- then shut down your entire operation today as it's unworthy of
being any part of the Internet community.

---rsk


Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Tom Beecher
I would agree that Twitter is not a primary place for abuse reporting.

If they are reporting things via your correct abuse channel and you are
indeed handling them within 48 business hours, then I would also agree this
much extra spray and pray is excessive. However RiskIQ is known to be
pretty responsible, so if they are doing this they likely feel like they
are NOT getting appropriate responses from you and are resorting to
scorched earth. Have you attempted to reach out to them and make sure they
have the proper direct channel for abuse reporting?

On Mon, Apr 13, 2020 at 1:45 PM Kushal R.  wrote:

> All abuse reports that we receive are dealt with within 48 business hours. As
> far as that tweet is concerned, it’s pending for 16 days because they have
> been blocked from sending us any emails due to the sheer amount of emails
> they started sending and then our live support chats.
>
> We send our abuse reports too, but we don’t spam them to every publicly
> available email address for an organisation, it isn’t difficult to look up
> the Abuse POC for an IP or network and just because you do not get a
> response in 24 hours does not mean you forward the same report to 10 other
> email addresses. Similarly twitter isn’t a place to report abuse either.
>
>
> On Apr 13, 2020 at 9:37 PM, > wrote:
>
>
> On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
> > We understand these reports and deal with them as per our policies and
> > timelines but this constant spamming by them from various channels is not
> > appreciated.
>
> Quoting from: https://twitter.com/RiskIQ_IRT/status/1249696689985740800
> which is dated 9:15 AM 4/13/2020:
>
> 5 #phishing URLs on admin12.find-textbook[.]com were reported
> to @Host4Geeks (Walnut, CA) from as far back as 16 days ago,
> and they are all STILL active
>
> 16 days is unacceptable. If you can't do better than that -- MUCH
> better -- then shut down your entire operation today as it's unworthy of
> being any part of the Internet community.
>
> ---rsk
>
>
>


Re: IS-IS IPAM platform

2020-04-13 Thread Bryan Holloway

I've always wondered about folks' opinions about one thing, though:

In y'all's opinion, do you prefer/recommend using base-10 digits or hex 
in your NSAP addresses? I like the former for readability, but the 
latter can (could) be better for automation. Maybe.


I got into a heated argument about this once with ATM back in the day, 
but my brain's too frazzled to remember the takeaways.



On 4/13/20 7:37 PM, Randy Bush wrote:

Just encode the router loopback IPv4 address in the system identifier bytes
and call it a day.


i think asp wrote this up back in the early '90s.  anyone have a cite?

randy



Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Kushal R.
  
  

All abuse reports that we receive are dealt with within 48 business hours. As far 
as that tweet is concerned, it’s pending for 16 days because they have been 
blocked from sending us any emails due to the sheer amount of emails they 
started sending and then our live support chats.

We send our abuse reports too, but we don’t spam them to every publicly 
available email address for an organisation, it isn’t difficult to look up the 
Abuse POC for an IP or network and just because you do not get a response in 24 
hours does not mean you forward the same report to 10 other email addresses. 
Similarly twitter isn’t a place to report abuse either.
  

  
  

  
  
>   
> On Apr 13, 2020 at 9:37 PM, <r...@gsp.org> wrote:
>
> On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
> > We understand these reports and deal with them as per our policies and
> > timelines but this constant spamming by them from various channels is not
> > appreciated.
>
> Quoting from: https://twitter.com/RiskIQ_IRT/status/1249696689985740800
> which is dated 9:15 AM 4/13/2020:
>
> 5 #phishing URLs on admin12.find-textbook[.]com were reported
> to @Host4Geeks (Walnut, CA) from as far back as 16 days ago,
> and they are all STILL active
>
> 16 days is unacceptable. If you can't do better than that -- MUCH
> better -- then shut down your entire operation today as it's unworthy of
> being any part of the Internet community.
>
> ---rsk
>
>   
  
  
 

Re: AS27594 / UTSA contact?

2020-04-13 Thread Bryan Holloway

I'm good -- many thanks to those who reached out!


On 4/11/20 10:20 AM, Bryan Holloway wrote:
Howdy ... if anyone from University of Texas, San Antonio (AS27594) is 
lurking, could you please reach out to me off-list?


We have a mutual reachability problem through an IX in Dallas.

Thanks!


Re: IS-IS IPAM platform

2020-04-13 Thread Randy Bush
> Just encode the router loopback IPv4 address in the system identifier bytes
> and call it a day.

i think asp wrote this up back in the early '90s.  anyone have a cite?

randy


Re: IS-IS IPAM platform

2020-04-13 Thread Musa Stephen Honlue
+1,

No need to worry, just use your loopback address as the SystemID.

> On 13 Apr 2020, at 18:02, Tom Beecher  wrote:
> 
> My recommendation would be not to bother. :) 
> 
> Just encode the router loopback IPv4 address in the system identifier bytes 
> and call it a day. 
> 
> On Mon, Apr 13, 2020 at 9:55 AM JASON BOTHE via NANOG  > wrote:
> Does anyone have any recommendations for a database or IPAM platform that can 
> house IS-IS addressing?  Can’t seem to find anything out there. 
> 
> Thanks
> 
> J~



Route aggregation w/o AS-Sets

2020-04-13 Thread Lars Prehn

Hi everyone,

how exactly do you aggregate routes? When do you add the AS_SET 
attribute, when do you omit it? How does the latter interplay with RPKI?


Best regards,

Lars




Re: IS-IS IPAM platform

2020-04-13 Thread Bryan Holloway

+1

On 4/13/20 4:02 PM, Tom Beecher wrote:

My recommendation would be not to bother. :)

Just encode the router loopback IPv4 address in the system identifier 
bytes and call it a day.


On Mon, Apr 13, 2020 at 9:55 AM JASON BOTHE via NANOG > wrote:


Does anyone have any recommendations for a database or IPAM platform
that can house IS-IS addressing?  Can’t seem to find anything out
there.

Thanks

J~



Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Rich Kulawiec
On Mon, Apr 13, 2020 at 07:55:37PM +0530, Kushal R. wrote:
> We understand these reports and deal with them as per our policies and 
> timelines but this constant spamming by them from various channels is not 
> appreciated.


Quoting from: https://twitter.com/RiskIQ_IRT/status/1249696689985740800
which is dated 9:15 AM 4/13/2020:

5 #phishing URLs on admin12.find-textbook[.]com were reported
to @Host4Geeks (Walnut, CA) from as far back as 16 days ago,
and they are all STILL active

16 days is unacceptable.  If you can't do better than that -- MUCH
better -- then shut down your entire operation today as it's unworthy of
being any part of the Internet community.

---rsk


Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread William Herrin
On Mon, Apr 13, 2020 at 7:25 AM Kushal R.  wrote:
> The problem isn’t the abuse reports themselves but the way they send them. We 
> receive copies of the report, on our sales, billing, TECH-POCs and almost 
> everything other email address of ours that is available publicly. It doesn’t 
> end there, they even online on our website and start using our support live 
> chat and as recently as tomorrow they I see that they have now started using 
> Twitter (@riskiq_irt) to do the same.

Hi Kushal,

It seems like they've escalated to "name and shame." I notice that the
site they complained about on their Twitter feed on April 6 is still
alive on your infrastructure at 103.83.192.6 right now. Perhaps your
abuse management practices could be improved.

Regards,
Bill Herrin

-- 
William Herrin
b...@herrin.us
https://bill.herrin.us/


Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Josh Luthman
Speaking of spam, I just sent a message in and got auto responses from:
c...@rankleads.com
kundserv...@axofinans.se

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Mon, Apr 13, 2020 at 10:53 AM Denys Fedoryshchenko <
nuclear...@nuclearcat.com> wrote:

> On 2020-04-13 17:25, Kushal R. wrote:
> > From the past few months we have been receiving a constant stream of
> > abuse reports from a company that calls themselves RiskIQ
> > (RiskIQ.com).
> >
> > The problem isn’t the abuse reports themselves but the way they send
> > them. We receive copies of the report, on our sales, billing,
> > TECH-POCs and almost everything other email address of ours that is
> > available publicly. It doesn’t end there, they even online on our
> > website and start using our support live chat and as recently as
> > tomorrow they I see that they have now started using Twitter
> > (@riskiq_irt) to do the same.
> >
> > We understand these reports and deal with them as per our policies and
> > timelines but this constant spamming by them from various channels is
> > not appreciated.
> >
> > Does anyone have a similar experience with them?
>
> If the problem of abuse is legit and arises with enviable constancy, maybe
> it is time to take fundamental measures to combat abuse?
> I had to block port 25 by default on some operators and create a
> self-care web page for removing it,
>   with the requirement to read legal agreement where consequences are stated,
> if the client starts spamming.
> For those who are bruteforcing other people's servers / credentials,
> soft-throttling ACL had to be implemented.
> And as they wrote earlier, it’s better to kick out exceptionally bad
> customers than to destroy your reputation.
>


Hulu contact (ipadmin unresponsive)

2020-04-13 Thread Josh Luthman
I have customers on different parts of the network saying that Hulu doesn't
work.  They've all said other video services work (Amazon, Youtube,
Netflix, etc).  Same complaint from all of them - Hulu just doesn't start.

Can someone from Hulu provide some support for our mutual customer?

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Denys Fedoryshchenko

On 2020-04-13 17:25, Kushal R. wrote:

> From the past few months we have been receiving a constant stream of
> abuse reports from a company that calls themselves RiskIQ
> (RiskIQ.com).
>
> The problem isn’t the abuse reports themselves but the way they send
> them. We receive copies of the report, on our sales, billing,
> TECH-POCs and almost everything other email address of ours that is
> available publicly. It doesn’t end there, they even online on our
> website and start using our support live chat and as recently as
> tomorrow they I see that they have now started using Twitter
> (@riskiq_irt) to do the same.
>
> We understand these reports and deal with them as per our policies and
> timelines but this constant spamming by them from various channels is
> not appreciated.
>
> Does anyone have a similar experience with them?


If the problem of abuse is legit and arises with enviable constancy, maybe
it is time to take fundamental measures to combat abuse?
I had to block port 25 by default on some operators and create a
self-care web page for removing it,
with the requirement to read a legal agreement where the consequences are stated,
if the client starts spamming.
For those who are bruteforcing other people's servers / credentials,
soft-throttling ACL had to be implemented.
And as they wrote earlier, it’s better to kick out exceptionally bad
customers than to destroy your reputation.


Re: Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Suresh Ramasubramanian
RiskIQ is a known good player.  If there’s a stream of abuse reports maybe 
removing whatever customer it is might be a good idea?

I am not sure why they are sending out mail to every contact they can find 
though.  Are abuse tickets resolved in a timely manner?

From: NANOG 
Date: Monday, 13 April 2020 at 7:57 PM
To: NANOG list 
Subject: Constant Abuse Reports / Borderline Spamming from RiskIQ
From the past few months we have been receiving a constant stream of abuse 
reports from a company that calls themselves RiskIQ (RiskIQ.com).

The problem isn’t the abuse reports themselves but the way they send them. We 
receive copies of the report, on our sales, billing, TECH-POCs and almost 
everything other email address of ours that is available publicly. It doesn’t 
end there, they even online on our website and start using our support live 
chat and as recently as tomorrow they I see that they have now started using 
Twitter (@riskiq_irt) to do the same.

We understand these reports and deal with them as per our policies and 
timelines but this constant spamming by them from various channels is not 
appreciated.

Does anyone have a similar experience with them?


Constant Abuse Reports / Borderline Spamming from RiskIQ

2020-04-13 Thread Kushal R.
  
  

From the past few months we have been receiving a constant stream of abuse 
reports from a company that calls themselves RiskIQ (RiskIQ.com).

The problem isn’t the abuse reports themselves but the way they send them. We 
receive copies of the report, on our sales, billing, TECH-POCs and almost 
everything other email address of ours that is available publicly. It doesn’t 
end there, they even online on our website and start using our support live 
chat and as recently as tomorrow they I see that they have now started using 
Twitter (@riskiq_irt) to do the same.

We understand these reports and deal with them as per our policies and 
timelines but this constant spamming by them from various channels is not 
appreciated.

Does anyone have a similar experience with them?

Re: IS-IS IPAM platform

2020-04-13 Thread Tom Beecher
My recommendation would be not to bother. :)

Just encode the router loopback IPv4 address in the system identifier bytes
and call it a day.

On Mon, Apr 13, 2020 at 9:55 AM JASON BOTHE via NANOG 
wrote:

> Does anyone have any recommendations for a database or IPAM platform that
> can house IS-IS addressing?  Can’t seem to find anything out there.
>
> Thanks
>
> J~
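
The loopback-in-system-ID approach suggested in the reply above, as an added example that is not part of the original thread. It assumes the zero-padded decimal convention (the message does not say which encoding is meant), an area of 49.0001, and a constructed inventory of hostnames and documentation-range addresses.

```python
import ipaddress

def loopback_to_system_id(loopback: str) -> str:
    """Zero-pad each octet to 3 digits, then regroup the 12 digits as xxxx.xxxx.xxxx."""
    addr = ipaddress.IPv4Address(loopback)  # raises ValueError on malformed input
    digits = "".join(f"{octet:03d}" for octet in addr.packed)
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def system_id_to_loopback(system_id: str) -> str:
    """Inverse mapping: recover the loopback address from a padded-decimal system ID."""
    digits = system_id.replace(".", "")
    if len(digits) != 12 or not (digits.isascii() and digits.isdigit()):
        raise ValueError(f"not a padded-decimal system ID: {system_id!r}")
    octets = [str(int(digits[i:i + 3])) for i in range(0, 12, 3)]
    return str(ipaddress.IPv4Address(".".join(octets)))  # rejects octets > 255

def build_net(loopback: str, area: str = "49.0001") -> str:
    """Full NET: area, system ID, NSEL 00. The area value is an assumption."""
    return f"{area}.{loopback_to_system_id(loopback)}.00"

def audit(routers: dict, area: str = "49.0001") -> list:
    """Return (hostname, problem) pairs for NETs that do not match the
    loopback, or for loopbacks (and therefore system IDs) used twice."""
    problems, seen = [], {}
    for host, (loopback, configured_net) in sorted(routers.items()):
        expected = build_net(loopback, area)
        if configured_net != expected:
            problems.append((host, f"NET {configured_net} != expected {expected}"))
        if loopback in seen:
            problems.append((host, f"loopback {loopback} already used by {seen[loopback]}"))
        seen.setdefault(loopback, host)
    return problems

# Constructed inventory: hostname -> (loopback, NET found in the router config)
ROUTERS = {
    "core1": ("192.0.2.1", "49.0001.1920.0000.2001.00"),
    "core2": ("192.0.2.2", "49.0001.1920.0000.2001.00"),  # NET copied from core1
    "edge1": ("192.0.2.1", "49.0001.1920.0000.2001.00"),  # duplicate loopback
}

if __name__ == "__main__":
    for host, problem in audit(ROUTERS):
        print(f"{host}: {problem}")
```

Because the system ID is derived from the loopback, the existing IPv4 address plan is the only record that has to be kept, and the audit only has to compare the two.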


IS-IS IPAM platform

2020-04-13 Thread JASON BOTHE via NANOG
Does anyone have any recommendations for a database or IPAM platform that can 
house IS-IS addressing?  Can’t seem to find anything out there. 

Thanks

J~