Re: Certificates for DoT and DoH?

2022-02-28 Thread Bjørn Mork
John Todd  writes:

> To validate that the addresses were “ours” or at least under our
> control, there were still some hoops to jump through other than the
> standard validation of registry data. For example, we had to activate
> web servers and objects on our anycast network to answer specific
> queries during some of the check processes.
>
> TL;DR: Digicert is still the only player for v6 signing, and it will
> not be entirely hands-free to manage but also not overly difficult.

Thanks a lot!  This is incredibly useful.

Yes, we are sort of prepared for the web server hoops. Not trivial since
our addresses aren't normally reachable from the Internet, even if they
are public and advertised.  We are only providing AS internal DNS
resolver service. Dropping outside traffic is an easy way to add some
protection.  But that's just one more hoop.

The technical challenges are nothing anyway. Getting permission from
sourcing to buy something from a new partner will be far worse... So I
will go another round with our existing partners first.

Thanks again.



Bjørn


Re: Starlink terminals deployed in Ukraine

2022-02-28 Thread Ong Beng Hui

Curious, will that be with starlink ASN then ?

That throws geo detection via IP out right away.

On 3/1/2022 6:55 AM, Jay Hennigan wrote:
> https://www.cnbc.com/2022/02/28/ukraine-updates-starlink-satellite-dishes.html





Re: Certificates for DoT and DoH?

2022-02-28 Thread John Todd
On 28 Feb 2022, at 7:11, Bill Woodcock wrote:

>> On Feb 28, 2022, at 3:29 PM, Bjørn Mork  wrote:
>> Any recommendations for a CA with a published policy allowing an IP
>> address SAN (Subject Alternative Name)?
>> Both Quad9 got their certificate from DigiCert:
>>
>>Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 
>> 2020 CA1
>>Subject: C = US, ST = California, L = Berkeley, O = Quad9, CN = 
>> *.quad9.net
>>X509v3 Subject Alternative Name:
>>DNS:*.quad9.net, DNS:quad9.net, IP Address:9.9.9.9, IP 
>> Address:9.9.9.10, IP Address:9.9.9.11, IP Address:9.9.9.12, IP 
>> Address:9.9.9.13, IP Address:9.9.9.14, IP Address:9.9.9.15, IP 
>> Address:149.112.112.9, IP Address:149.112.112.10, IP Address:149.112.112.11, 
>> IP Address:149.112.112.12, IP Address:149.112.112.13, IP 
>> Address:149.112.112.14, IP Address:149.112.112.15, IP 
>> Address:149.112.112.112, IP Address:2620:FE:0:0:0:0:0:9, IP 
>> Address:2620:FE:0:0:0:0:0:10, IP Address:2620:FE:0:0:0:0:0:11, IP 
>> Address:2620:FE:0:0:0:0:0:12, IP Address:2620:FE:0:0:0:0:0:13, IP 
>> Address:2620:FE:0:0:0:0:0:14, IP Address:2620:FE:0:0:0:0:0:15, IP 
>> Address:2620:FE:0:0:0:0:0:FE, IP Address:2620:FE:0:0:0:0:FE:9, IP 
>> Address:2620:FE:0:0:0:0:FE:10, IP Address:2620:FE:0:0:0:0:FE:11, IP 
>> Address:2620:FE:0:0:0:0:FE:12, IP Address:2620:FE:0:0:0:0:FE:13, IP 
>> Address:2620:FE:0:0:0:0:FE:14, IP Address:2620:FE:0:0:0:0:FE:15
>>
>> Does this mean that DigiCert is the only alternative?
>
> I assume not, but we’d already used them for other things, and they didn’t 
> have a problem doing it, so we didn’t shop any further.

Update to Bill’s comments:

They were the only CA at that time who would include IPv6 addresses in the 
signature, so it actually was a simple decision but for a different reason. 
We’re happy with how it’s working with them. For a few niche cases like 
recursive DNS, v6 signing is required, and Digicert went out of their way to 
implement that v6 ability. Thanks to them for making it available to what is 
probably a very small group of potential customers - they deserve some credit 
for making the technical effort and product decision.

>> And do they really have this offer for ordinary users, or is this also some 
>> special
>> arrangement for big players only?
>
> No, we didn’t have to do anything special, to the best of my knowledge.

Nothing “special” meaning there is no custom business relationship, but it did 
take time and having a highly capable and persistent team here at Quad9 who 
could track the request through the process and get it done successfully, and 
for Digicert to work to create a process that wasn’t entirely customized. While 
I can’t speak for Digicert, I would suspect v6 address signing is still not 
entirely “off the shelf” or in the best case it is “barely off the shelf” for 
ordering on the website but it is a product they can reliably deliver if you 
talk to someone there.

>> That does make me wonder how they verify that I'm the rightful owner of
>> "sites, IP addresses, common names, etc.".  In particular, "etc" :-)
>> Or you could ask yourself if you trust a CA with such an offer...
[snip]

To validate that the addresses were “ours” or at least under our control, there 
were still some hoops to jump through other than the standard validation of 
registry data. For example, we had to activate web servers and objects on our 
anycast network to answer specific queries during some of the check processes.

TL;DR: Digicert is still the only player for v6 signing, and it will not be 
entirely hands-free to manage but also not overly difficult.

JT

--
John Todd - jt...@quad9.net
General Manager - Quad9 Recursive Resolver
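
[Editor's note, added example: the SAN dump quoted above shows why the
certificate matters for a resolver that clients reach by IP literal. The
code below is not from the thread, from Quad9 or from DigiCert; the SAN
tuples are constructed in the shape Python's ssl module returns and are
abbreviated from the list quoted in the message. It shows the client-side
rule (an IP target must equal an iPAddress SAN entry, after normalisation;
dNSName entries, wildcards and the CN do not cover it) and an
operator-side pre-deployment check that every anycast listener address is
actually in the certificate.]

```python
"""Match the IP address a DoT/DoH client dialled against a certificate's SAN.

Added example for the DoT/DoH certificate discussion; not code from the
thread, from Quad9 or from DigiCert.  A stub resolver configured with
9.9.9.9:853 has no hostname to check, so the reference identity is the IP
address itself and, per RFC 5280 / RFC 6125, it must equal an iPAddress SAN
entry.  dNSName entries, wildcards and the Subject CN never cover an IP
literal, which is why a CA willing to put IP addresses in the SAN is needed.
"""
import ipaddress
from typing import Iterable, Set, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
SanEntry = Tuple[str, str]

# Constructed sample in the shape Python's ssl module returns from
# SSLSocket.getpeercert()['subjectAltName'], abbreviated from the SAN list
# quoted in the thread.  Note the uppercase, uncompressed IPv6 text form.
SAMPLE_SAN: Tuple[SanEntry, ...] = (
    ("DNS", "*.quad9.net"),
    ("DNS", "quad9.net"),
    ("IP Address", "9.9.9.9"),
    ("IP Address", "149.112.112.112"),
    ("IP Address", "2620:FE:0:0:0:0:0:FE"),
    ("IP Address", "2620:FE:0:0:0:0:FE:9"),
)

# Constructed: the usual DNS-only certificate most CAs issue.  Fine for a DoH
# client that dials a hostname, useless for a client that dials 9.9.9.9.
SAMPLE_SAN_DNS_ONLY: Tuple[SanEntry, ...] = (
    ("DNS", "*.quad9.net"),
    ("DNS", "quad9.net"),
)


def ip_sans(san: Iterable[SanEntry]) -> Set[IPAddr]:
    """Collect the iPAddress SAN entries as normalised address objects.

    Parsing with ipaddress instead of keeping strings means that
    2620:FE:0:0:0:0:0:FE and 2620:fe::fe compare equal, as they must.
    """
    return {
        ipaddress.ip_address(value) for kind, value in san if kind == "IP Address"
    }


def ip_matches_cert(target: str, san: Iterable[SanEntry]) -> bool:
    """Return True if the literal IP `target` is covered by an iPAddress SAN.

    Only exact address equality counts.  A hostname target is rejected here:
    it falls under dNSName matching, a different rule set this helper does
    not implement.  Wildcards and the CN are deliberately never consulted.
    """
    try:
        wanted = ipaddress.ip_address(target)
    except ValueError:
        return False
    return wanted in ip_sans(san)


def uncovered_addresses(service_addrs: Iterable[str],
                        san: Iterable[SanEntry]) -> Set[IPAddr]:
    """Operator-side check before installing a certificate on a resolver.

    Returns the listener addresses (v4 and v6, any text form) that the SAN
    does not cover; an empty set means every address is safe to serve on.
    """
    return {ipaddress.ip_address(a) for a in service_addrs} - ip_sans(san)


if __name__ == "__main__":
    # Client view: dialled 2620:fe::fe, certificate lists it uncompressed.
    print(ip_matches_cert("2620:fe::fe", SAMPLE_SAN))            # True
    # Client view: a DNS-only cert can never satisfy an IP target.
    print(ip_matches_cert("9.9.9.9", SAMPLE_SAN_DNS_ONLY))       # False
    # Operator view: one planned listener is missing from the SAN.
    print(uncovered_addresses(["9.9.9.9", "9.9.9.10"], SAMPLE_SAN))
```

Recent Python versions (3.7 and later) perform this IP SAN match
themselves when `server_hostname` is set to the IP literal, since hostname
and IP checking is delegated to OpenSSL; the helpers above make the rule
explicit and give an operator the pre-issuance check that every anycast
address that will terminate DoT/DoH is in the request.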


Re: Starlink terminals deployed in Ukraine

2022-02-28 Thread Eric Kuhnke
As of right now >90% of the starlink satellites in orbit function in what
we would call a bent pipe topology, where a moving LEO satellite at any
given moment in time needs to be simultaneously in view of a starlink-run
earth station and the CPE.

They have been launching satellites with sat-to-sat laser links but such
architecture is by no means fully operational yet. It does appear to be the
intended architecture in the long term, to enable several hops of satellite
in between a CPE and a starlink-run earth station.

My best theory would be that this is using existing starlink earth stations
in Slovakia or Poland. They may have accelerated the commissioning of some
of the newest ones.





On Mon, 28 Feb 2022 at 16:36, Jay Hennigan  wrote:

> On 2/28/22 16:17, Michael Thomas wrote:
>
> > As a practical matter how does this help? You need to have base
> > stations/dishes, right? Can they be beefy ones that can pump out
> > gigabytes that would be capable of backfilling the load? Or would it
> > need to be multiple in parallel? Wouldn't that bandwidth be constrained
> > by the number of visible satellites in the constellation? I wonder if
> > they've ever even tested it with feeding into an internet facing router.
> > Could tables on the satellites explode?
>
> If there aren't fixed Internet-connected earth stations line-of-sight to
> the satellite that's serving the remote terminal, Starlink will relay
> satellite-to-satellite until a path to an Internet-connected earth
> station is in reach.
>
>  From the linked article:
>
> "Musk has previously stressed Starlink’s flexibility of Starlink in
> providing internet service. In September, Musk talked about how the
> company would use links between the satellites to create a network that
> could provide service even in countries that prohibit SpaceX from
> installing ground infrastructure for distribution.
>
> As for government regulators who want to block Starlink from using that
> capability, Musk had a simple answer.
>
> “They can shake their fist at the sky,” Musk said."
>
> --
> Jay Hennigan - j...@west.net
> Network Engineering - CCIE #7880
> 503 897-8550 - WB6RDV
>


Re: Starlink terminals deployed in Ukraine

2022-02-28 Thread Michael Thomas



On 2/28/22 4:29 PM, Karl Auer wrote:

> On Mon, 2022-02-28 at 16:17 -0800, Michael Thomas wrote:
>
>> As a practical matter how does this help? You need to have base
>> stations/dishes, right?
>
> Anyone with a dish and power can connect to the Internet. That's it.
>
> If a dish owner chooses to allow too many people to share their uplink,
> then they will run into capacity problems - the Starlink systems are
> designed more for households than towns.
>
> There are beefy uplinks, but they are Starlink's, not consumer-owned.
> Without them, Starlink would be an isolated network.
>
> Here in rural Oz I know quite a few people who are early adopters of
> Starlink and they have been very happy with it. Of course, as the
> network starts supporting millions instead of thousands, that may
> change. And I'm guessing the number of beefy uplinks will increase,
> though they would I imagine be placed in stable geopolitical areas.



That was my intuition. It might help strategic locations but won't be a 
panacea. And of course this could be the mother of all success disasters 
were there to be enough dishes.


Mike



Re: Starlink terminals deployed in Ukraine

2022-02-28 Thread Jay Hennigan

On 2/28/22 16:17, Michael Thomas wrote:

> As a practical matter how does this help? You need to have base 
> stations/dishes, right? Can they be beefy ones that can pump out 
> gigabytes that would be capable of backfilling the load? Or would it 
> need to be multiple in parallel? Wouldn't that bandwidth be constrained 
> by the number of visible satellites in the constellation? I wonder if 
> they've ever even tested it with feeding into an internet facing router. 
> Could tables on the satellites explode?


If there aren't fixed Internet-connected earth stations line-of-sight to 
the satellite that's serving the remote terminal, Starlink will relay 
satellite-to-satellite until a path to an Internet-connected earth 
station is in reach.


From the linked article:

"Musk has previously stressed Starlink’s flexibility of Starlink in 
providing internet service. In September, Musk talked about how the 
company would use links between the satellites to create a network that 
could provide service even in countries that prohibit SpaceX from 
installing ground infrastructure for distribution.


As for government regulators who want to block Starlink from using that 
capability, Musk had a simple answer.


“They can shake their fist at the sky,” Musk said."

--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV


Re: Starlink terminals deployed in Ukraine

2022-02-28 Thread Karl Auer
On Mon, 2022-02-28 at 16:17 -0800, Michael Thomas wrote:
> As a practical matter how does this help? You need to have base 
> stations/dishes, right?

Anyone with a dish and power can connect to the Internet. That's it.

If a dish owner chooses to allow too many people to share their uplink,
then they will run into capacity problems - the Starlink systems are
designed more for households than towns.

There are beefy uplinks, but they are Starlink's, not consumer-owned.
Without them, Starlink would be an isolated network. 

Here in rural Oz I know quite a few people who are early adopters of
Starlink and they have been very happy with it. Of course, as the
network starts supporting millions instead of thousands, that may
change. And I'm guessing the number of beefy uplinks will increase,
though they would I imagine be placed in stable geopolitical areas.

Regards, K.

-- 
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer

GPG fingerprint: 61A0 99A9 8823 3A75 871E 5D90 BADB B237 260C 9C58
Old fingerprint: 2561 E9EC D868 E73C 8AF1 49CF EE50 4B1D CCA1 5170





Re: Starlink terminals deployed in Ukraine

2022-02-28 Thread Michael Thomas



On 2/28/22 2:55 PM, Jay Hennigan wrote:
> https://www.cnbc.com/2022/02/28/ukraine-updates-starlink-satellite-dishes.html





As a practical matter how does this help? You need to have base 
stations/dishes, right? Can they be beefy ones that can pump out 
gigabytes that would be capable of backfilling the load? Or would it 
need to be multiple in parallel? Wouldn't that bandwidth be constrained 
by the number of visible satellites in the constellation? I wonder if 
they've ever even tested it with feeding into an internet facing router. 
Could tables on the satellites explode?


Mike



Re: New minimum speed for US broadband connections

2022-02-28 Thread Brian Johnson


> On Feb 28, 2022, at 4:44 PM, Josh Luthman  wrote:
> 
> That is North Dakota, not population centers.  Click the link.

> 
> You're basing fiber availability everywhere on living?  That's a poor excuse 
> for data.

I did. The numbers are related to population, not area. If you move outside of 
the major population centers, you get exponentially better service. I also 
checked several of the area codes I am very familiar with and they list 
wireless carriers over regional/local providers who provide a better and more 
robust service. Several of the details about the providers services are also 
flawed.

It looks more like a marketing site than a truth source.

> 
> >These numbers are crap and nobody should believe them.
> 
> Lol ok but we should believe nearly 100% from you because you lived in a 
> couple places?

I lived there and worked with nearly every regional provider in the state for 
over a decade. I know their networks and the network of the statewide coop 
that they own.

> 
> >but this is a problem that is more political than technical.
> 
> Strong disagreement here.  What makes you say this?

I’ve been doing SP network design for more than 20 years. If the LECs wanted to 
provide the service in these areas, they could have. They decided it was better 
to just milk the system, then prepare for the future.

> 
> On Mon, Feb 28, 2022, 5:04 PM Brian Johnson wrote:
> I said North Dakota, not population centers (they are where the legacy LECs 
> operate). I have lived and worked there for telecommunications Coops which 
> divide the land mass of the state. They had no issues providing the most 
> cutting edge service to extremely rural areas. What is the excuse of the 
> larger LECs? There are many regional Coops and CLECs starting to build out 
> these population centers now. These numbers are crap and nobody should 
> believe them.
> 
> I realize there are differences between rural and urban deployments, but this 
> is a problem that is more political than technical. In rural areas we are 
> more interested in getting things done, while in urban areas we appear to be 
> more interested in political wins.
> 
> 
>> On Feb 28, 2022, at 3:29 PM, Josh Luthman wrote:
>> 
>> According to the 477 data it's less than 50% (updated 11/1/2021 and I think 
>> the public 477 is 2 years? behind)  What makes you believe it's nearly 100%?
>> 
>> https://broadbandnow.com/North-Dakota 
>> On Mon, Feb 28, 2022 at 4:22 PM Brian Johnson wrote:
>> Given this premise (that it is too expensive to provide access to rural 
>> areas), can you explain why nearly 100% of North Dakota is serviced by FTTH 
>> solutions. The exceptions being the areas still run by the traditional LECs?
>> 
>> I’m not too sure this should be an urban/rural debate. 
>> 
>>> On Feb 28, 2022, at 2:53 PM, Josh Luthman wrote:
>>> 
>>> Ryan,
>>> 
>>> This discussion was in regards to urban areas.
>>> 
>>> Regarding your example, though, I expect you're in a hard to reach rural 
>>> area based on your description.  It looks like there are absolutely a 
>>> massive amount of trees, making it hard for fixed wireless.  Since it 
>>> sounds like your only option, which is better than no option at all, that's 
>>> probably why no wired solution has decided to build service there.  At 
>>> $50k/mile being a pretty modest cost, at $200/mo does that seem like a 
>>> viable business plan to you?
>>> 
>>> On Fri, Feb 25, 2022 at 11:25 PM Ryan Rawdon wrote:
>>> 
>>>> On Feb 16, 2022, at 4:46 PM, Michael Thomas wrote:
>>>>
>>>>
>>>>
>>>> On 2/16/22 1:36 PM, Josh Luthman wrote:
>>>>> What is the embarrassment?
>>>> That in the tech center of the world that we're so embarrassingly behind 
>>>> the times with broadband. I'm going to get fiber in the rural Sierra 
>>>> Nevada before Silicon Valley. In fact, I already have it, they just 
>>>> haven't installed the NID. 
>>>>
>>>> Mike
>>>>
>>>>
>>>>
>>> I will provide another specific example albeit not San Jose but similar 
>>> enough.  I am in  Loudoun County less than 25 minutes from Ashburn, VA.
>>> My best option is fixed wireless from All Points Broadband (hi Tim) which 
>>> is 15/3mbit/s costing $199/mo (they have cheaper, slower tiers available).  
>>> 
>>> Verizon FiOS serves a dense developer-built community less than 1 mile down 
>>> the street from me, but everyone else outside of the towns and 
>>> developer-built communities have almost zero options.
>>> 
>>> Similar to the San Jose examples, we are near some of the most dense 
>>> connectivity in the world.  Travel 20-30 minutes in certain directions from 
>>> Ashburn and you’re quickly seeing farms and limited connectivity.
>>> 
>>> Ryan
 
> 
> On Wed, Feb 16, 2022 at 4:28 PM Michael Thomas 

Starlink terminals deployed in Ukraine

2022-02-28 Thread Jay Hennigan

https://www.cnbc.com/2022/02/28/ukraine-updates-starlink-satellite-dishes.html

--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV


Re: New minimum speed for US broadband connections

2022-02-28 Thread Josh Luthman
That is North Dakota, not population centers.  Click the link.

You're basing fiber availability everywhere on living?  That's a poor
excuse for data.

>These numbers are crap and nobody should believe them.

Lol ok but we should believe nearly 100% from you because you lived in a
couple places?

>but this is a problem that is more political than technical.

Strong disagreement here.  What makes you say this?

On Mon, Feb 28, 2022, 5:04 PM Brian Johnson 
wrote:

> I said North Dakota, not population centers (they are where the legacy
> LECs operate). I have lived and worked there for telecommunications Coops
> which divide the land mass of the state. They had no issues providing the
> most cutting edge service to extremely rural areas. What is the excuse of
> the larger LECs? There are many regional Coops and CLECs starting to build
> out these population centers now. These numbers are crap and nobody should
> believe them.
>
> I realize there are differences between rural and urban deployments, but
> this is a problem that is more political than technical. In rural areas we
> are more interested in getting things done, while in urban areas we appear
> to be more interested in political wins.
>
>
> On Feb 28, 2022, at 3:29 PM, Josh Luthman 
> wrote:
>
> According to the 477 data it's less than 50% (updated 11/1/2021 and I
> think the public 477 is 2 years? behind)  What makes you believe it's
> nearly 100%?
>
> https://broadbandnow.com/North-Dakota
>
> On Mon, Feb 28, 2022 at 4:22 PM Brian Johnson 
> wrote:
>
>> Given this premise (that it is too expensive to provide access to rural
>> areas), can you explain why nearly 100% of North Dakota is serviced by FTTH
>> solutions. The exceptions being the areas still run by the traditional LECs?
>>
>> I’m not too sure this should be an urban/rural debate.
>>
>> On Feb 28, 2022, at 2:53 PM, Josh Luthman 
>> wrote:
>>
>> Ryan,
>>
>> This discussion was in regards to urban areas.
>>
>> Regarding your example, though, I expect you're in a hard to reach rural
>> area based on your description.  It looks like there are absolutely a
>> massive amount of trees, making it hard for fixed wireless.  Since it
>> sounds like your only option, which is better than no option at all, that's
>> probably why no wired solution has decided to build service there.  At
>> $50k/mile being a pretty modest cost, at $200/mo does that seem like a
>> viable business plan to you?
>>
>> On Fri, Feb 25, 2022 at 11:25 PM Ryan Rawdon  wrote:
>>
>>>
>>> On Feb 16, 2022, at 4:46 PM, Michael Thomas  wrote:
>>>
>>>
>>> On 2/16/22 1:36 PM, Josh Luthman wrote:
>>>
>>> What is the embarrassment?
>>>
>>> That in the tech center of the world that we're so embarrassingly behind
>>> the times with broadband. I'm going to get fiber in the rural Sierra Nevada
>>> before Silicon Valley. In fact, I already have it, they just haven't
>>> installed the NID.
>>>
>>> Mike
>>>
>>>
>>> I will provide another specific example albeit not San Jose but similar
>>> enough.  I am in  Loudoun County less than 25 minutes from Ashburn, VA.
>>>  My best option is fixed wireless from All Points Broadband (hi Tim) which
>>> is 15/3mbit/s costing $199/mo (they have cheaper, slower tiers available).
>>>
>>> Verizon FiOS serves a dense developer-built community less than 1 mile
>>> down the street from me, but everyone else outside of the towns and
>>> developer-built communities have almost zero options.
>>>
>>> Similar to the San Jose examples, we are near some of the most dense
>>> connectivity in the world.  Travel 20-30 minutes in certain directions from
>>> Ashburn and you’re quickly seeing farms and limited connectivity.
>>>
>>> Ryan
>>>
>>>
>>>
>>> On Wed, Feb 16, 2022 at 4:28 PM Michael Thomas  wrote:
>>>

>>>> On 2/16/22 1:13 PM, Josh Luthman wrote:
>>>>
>>>> I'll once again please ask for specific examples as I continue to see
>>>> the generic "it isn't in some parts of San Jose".
>>>>
>>>> On the note of the generic area of San Jose, I'm all but certain this
>>>> has a lot to do with California and its extraordinarily complicated and
>>>> near impossible accessibility to obtain CLEC status.  This makes
>>>> competition pretty much impossible and makes the costs of operating one
>>>> extraordinarily high.  I'm obviously not going to be one that claims that
>>>> government is good or bad, just pointing out a certain correlation which
>>>> could potentially be causation.
>>>>
>>>> Sonic has been installing fiber in San Francisco and other areas, but
>>>> they are really small. Comcast can't be bothered that I've ever heard. The
>>>> only other real alternative is things like Monkeybrains which is a WISP.
>>>> It's really an embarrassment.
>>>>
>>>> Mike
>>>>
>>>>
>>>> On Wed, Feb 16, 2022 at 12:52 PM Owen DeLong wrote:
>>>>
>>>>>
>>>>>
>>>>> On Feb 11, 2022, at 13:14 , Josh Luthman
>>>>> wrote:
>>>>>
>>>>> Because literally every case I've seen along these lines is someone
>>>>> complaining about the coax connection 

Re: EPL to Bangalore

2022-02-28 Thread Mehmet Akcin
Airtel or Tata, both can provide this.

On Mon, Feb 28, 2022 at 17:15 Mark Robinson  wrote:

> Hunting for E-Line;/EPL provider from Los  Angeles to Bangalore India.
> Anyone have recommendations?
>
>
> Thanks,
>
> Mark
>
-- 
Mehmet
+1-424-298-1903


EPL to Bangalore

2022-02-28 Thread Mark Robinson
Hunting for E-Line;/EPL provider from Los  Angeles to Bangalore India.
Anyone have recommendations?


Thanks,

Mark


Re: New minimum speed for US broadband connections

2022-02-28 Thread Brian Johnson
I said North Dakota, not population centers (they are where the legacy LECs 
operate). I have lived and worked there for telecommunications Coops which 
divide the land mass of the state. They had no issues providing the most 
cutting edge service to extremely rural areas. What is the excuse of the larger 
LECs? There are many regional Coops and CLECs starting to build out these 
population centers now. These numbers are crap and nobody should believe them.

I realize there are differences between rural and urban deployments, but this 
is a problem that is more political than technical. In rural areas we are more 
interested in getting things done, while in urban areas we appear to be more 
interested in political wins.


> On Feb 28, 2022, at 3:29 PM, Josh Luthman  wrote:
> 
> According to the 477 data it's less than 50% (updated 11/1/2021 and I think 
> the public 477 is 2 years? behind)  What makes you believe it's nearly 100%?
> 
> https://broadbandnow.com/North-Dakota 
> On Mon, Feb 28, 2022 at 4:22 PM Brian Johnson wrote:
> Given this premise (that it is too expensive to provide access to rural 
> areas), can you explain why nearly 100% of North Dakota is serviced by FTTH 
> solutions. The exceptions being the areas still run by the traditional LECs?
> 
> I’m not too sure this should be an urban/rural debate. 
> 
>> On Feb 28, 2022, at 2:53 PM, Josh Luthman wrote:
>> 
>> Ryan,
>> 
>> This discussion was in regards to urban areas.
>> 
>> Regarding your example, though, I expect you're in a hard to reach rural 
>> area based on your description.  It looks like there are absolutely a 
>> massive amount of trees, making it hard for fixed wireless.  Since it sounds 
>> like your only option, which is better than no option at all, that's 
>> probably why no wired solution has decided to build service there.  At 
>> $50k/mile being a pretty modest cost, at $200/mo does that seem like a 
>> viable business plan to you?
>> 
>> On Fri, Feb 25, 2022 at 11:25 PM Ryan Rawdon wrote:
>> 
>>> On Feb 16, 2022, at 4:46 PM, Michael Thomas wrote:
>>> 
>>> 
>>> 
>>> On 2/16/22 1:36 PM, Josh Luthman wrote:
>>>> What is the embarrassment?
>>> That in the tech center of the world that we're so embarrassingly behind 
>>> the times with broadband. I'm going to get fiber in the rural Sierra Nevada 
>>> before Silicon Valley. In fact, I already have it, they just haven't 
>>> installed the NID. 
>>> 
>>> Mike
>>> 
>>> 
>>> 
>> I will provide another specific example albeit not San Jose but similar 
>> enough.  I am in  Loudoun County less than 25 minutes from Ashburn, VA.
>> My best option is fixed wireless from All Points Broadband (hi Tim) which is 
>> 15/3mbit/s costing $199/mo (they have cheaper, slower tiers available).  
>> 
>> Verizon FiOS serves a dense developer-built community less than 1 mile down 
>> the street from me, but everyone else outside of the towns and 
>> developer-built communities have almost zero options.
>> 
>> Similar to the San Jose examples, we are near some of the most dense 
>> connectivity in the world.  Travel 20-30 minutes in certain directions from 
>> Ashburn and you’re quickly seeing farms and limited connectivity.
>> 
>> Ryan
>>> 
 
>>>> On Wed, Feb 16, 2022 at 4:28 PM Michael Thomas wrote:
>>>>
>>>>
>>>> On 2/16/22 1:13 PM, Josh Luthman wrote:
>>>>> I'll once again please ask for specific examples as I continue to see the 
>>>>> generic "it isn't in some parts of San Jose".
>>>>> 
>>>>> On the note of the generic area of San Jose, I'm all but certain this has 
>>>>> a lot to do with California and its extraordinarily complicated and near 
>>>>> impossible accessibility to obtain CLEC status.  This makes competition 
>>>>> pretty much impossible and makes the costs of operating one 
>>>>> extraordinarily high.  I'm obviously not going to be one that claims that 
>>>>> government is good or bad, just pointing out a certain correlation which 
>>>>> could potentially be causation.
>>>> Sonic has been installing fiber in San Francisco and other areas, but they 
>>>> are really small. Comcast can't be bothered that I've ever heard. The only 
>>>> other real alternative is things like Monkeybrains which is a WISP. It's 
>>>> really an embarrassment. 
>>>> 
>>>> Mike
>>>> 
>>>>> 
>>>>> On Wed, Feb 16, 2022 at 12:52 PM Owen DeLong wrote:
>>>>> 
>>>>> 
>>>>>> On Feb 11, 2022, at 13:14 , Josh Luthman wrote:
>>>>>> 
>>>>>> Because literally every case I've seen along these lines is someone 
>>>>>> complaining about the coax connection is "only 100 meg when I pay for 
>>>>>> 200 meg".  Comcast was the most hated company and yet they factually had 
>>>>>> better speeds (possibly in part to their subjectively terrible customer 

Re: New minimum speed for US broadband connections

2022-02-28 Thread Josh Luthman
According to the 477 data it's less than 50% (updated 11/1/2021 and I think
the public 477 is 2 years? behind)  What makes you believe it's nearly 100%?

https://broadbandnow.com/North-Dakota

On Mon, Feb 28, 2022 at 4:22 PM Brian Johnson 
wrote:

> Given this premise (that it is too expensive to provide access to rural
> areas), can you explain why nearly 100% of North Dakota is serviced by FTTH
> solutions. The exceptions being the areas still run by the traditional LECs?
>
> I’m not too sure this should be an urban/rural debate.
>
> On Feb 28, 2022, at 2:53 PM, Josh Luthman 
> wrote:
>
> Ryan,
>
> This discussion was in regards to urban areas.
>
> Regarding your example, though, I expect you're in a hard to reach rural
> area based on your description.  It looks like there are absolutely a
> massive amount of trees, making it hard for fixed wireless.  Since it
> sounds like your only option, which is better than no option at all, that's
> probably why no wired solution has decided to build service there.  At
> $50k/mile being a pretty modest cost, at $200/mo does that seem like a
> viable business plan to you?
>
> On Fri, Feb 25, 2022 at 11:25 PM Ryan Rawdon  wrote:
>
>>
>> On Feb 16, 2022, at 4:46 PM, Michael Thomas  wrote:
>>
>>
>> On 2/16/22 1:36 PM, Josh Luthman wrote:
>>
>> What is the embarrassment?
>>
>> That in the tech center of the world that we're so embarrassingly behind
>> the times with broadband. I'm going to get fiber in the rural Sierra Nevada
>> before Silicon Valley. In fact, I already have it, they just haven't
>> installed the NID.
>>
>> Mike
>>
>>
>> I will provide another specific example albeit not San Jose but similar
>> enough.  I am in  Loudoun County less than 25 minutes from Ashburn, VA.
>>  My best option is fixed wireless from All Points Broadband (hi Tim) which
>> is 15/3mbit/s costing $199/mo (they have cheaper, slower tiers available).
>>
>> Verizon FiOS serves a dense developer-built community less than 1 mile
>> down the street from me, but everyone else outside of the towns and
>> developer-built communities have almost zero options.
>>
>> Similar to the San Jose examples, we are near some of the most dense
>> connectivity in the world.  Travel 20-30 minutes in certain directions from
>> Ashburn and you’re quickly seeing farms and limited connectivity.
>>
>> Ryan
>>
>>
>>
>> On Wed, Feb 16, 2022 at 4:28 PM Michael Thomas  wrote:
>>
>>>
>>> On 2/16/22 1:13 PM, Josh Luthman wrote:
>>>
>>> I'll once again please ask for specific examples as I continue to see
>>> the generic "it isn't in some parts of San Jose".
>>>
>>> On the note of the generic area of San Jose, I'm all but certain this
>>> has a lot to do with California and its extraordinarily complicated and
>>> near impossible accessibility to obtain CLEC status.  This makes
>>> competition pretty much impossible and makes the costs of operating one
>>> extraordinarily high.  I'm obviously not going to be one that claims that
>>> government is good or bad, just pointing out a certain correlation which
>>> could potentially be causation.
>>>
>>> Sonic has been installing fiber in San Francisco and other areas, but
>>> they are really small. Comcast can't be bothered that I've ever heard. The
>>> only other real alternative is things like Monkeybrains which is a WISP.
>>> It's really an embarrassment.
>>>
>>> Mike
>>>
>>>
>>> On Wed, Feb 16, 2022 at 12:52 PM Owen DeLong  wrote:
>>>


>>>> On Feb 11, 2022, at 13:14 , Josh Luthman
>>>> wrote:
>>>>
>>>> Because literally every case I've seen along these lines is someone
>>>> complaining about the coax connection is "only 100 meg when I pay for 200
>>>> meg".  Comcast was the most hated company and yet they factually had better
>>>> speeds (possibly in part to their subjectively terrible customer service)
>>>> for years.
>>>>
>>>> >An apartment building could have cheap 1G fiber and the houses across
>>>> the street have no option but slow DSL.
>>>>
>>>> Where is this example?  Or is this strictly hypothetical?
>>>>
>>>>
>>>> There are literally dozens (if not thousands) of such examples in
>>>> silicon valley alone.
>>>>
>>>> I am not seeing any examples, anywhere, with accurate data, where it's
>>>> what most consider to be in town/urban and poor speeds.  The only one that
>>>> was close was Jared and I'm pretty sure when I saw the map I wouldn't
>>>> consider that in town (could be wrong) but again, there's gig fiber there
>>>> now.  I don't remember if he actually got his CLEC, or why that matters,
>>>> but there's fiber there now.
>>>>
>>>>
>>>> Pretty sure you would have a hard time calling San Jose “not in town”.
>>>> It’s literally #11 in the largest 200 cities in the US with a population of
>>>> 1,003,120 (954,940 in the 2010 census) and a population density of 5,642
>>>> people/sq. mile (compare to #4 Houston, TX at 3,632/Sq. Mi.).
>>>>
>>>> Similar conditions exist in parts of Los Angeles, #2 on the same list
>>>> at 3,985,516 (3,795,512 in 2010 

Re: New minimum speed for US broadband connections

2022-02-28 Thread Brian Johnson
Given this premise (that it is too expensive to provide access to rural areas), 
can you explain why nearly 100% of North Dakota is serviced by FTTH solutions, 
the exceptions being the areas still run by the traditional LECs?

I’m not too sure this should be an urban/rural debate. 

> On Feb 28, 2022, at 2:53 PM, Josh Luthman  wrote:
> 
> Ryan,
> 
> This discussion was in regards to urban areas.
> 
> Regarding your example, though, I expect you're in a hard to reach rural area 
> based on your description.  It looks like there are absolutely a massive 
> amount of trees, making it hard for fixed wireless.  Since it sounds like 
> your only option, which is better than no option at all, that's probably why 
> no wired solution has decided to build service there.  At $50k/mile being a 
> pretty modest cost, at $200/mo does that seem like a viable business plan to 
> you?
> 
> On Fri, Feb 25, 2022 at 11:25 PM Ryan Rawdon  wrote:
> 
>> On Feb 16, 2022, at 4:46 PM, Michael Thomas  wrote:
>> 
>> 
>> 
>> On 2/16/22 1:36 PM, Josh Luthman wrote:
>>> What is the embarrassment?
>> That in the tech center of the world that we're so embarrassingly behind the 
>> times with broadband. I'm going to get fiber in the rural Sierra Nevada 
>> before Silicon Valley. In fact, I already have it, they just haven't 
>> installed the NID. 
>> 
>> Mike
>> 
>> 
>> 
> I will provide another specific example albeit not San Jose but similar 
> enough.  I am in Loudoun County less than 25 minutes from Ashburn, VA.  My 
> best option is fixed wireless from All Points Broadband (hi Tim) which is 
> 15/3mbit/s costing $199/mo (they have cheaper, slower tiers available).  
> 
> Verizon FiOS serves a dense developer-built community less than 1 mile down 
> the street from me, but everyone else outside of the towns and 
> developer-built communities have almost zero options.
> 
> Similar to the San Jose examples, we are near some of the most dense 
> connectivity in the world.  Travel 20-30 minutes in certain directions from 
> Ashburn and you’re quickly seeing farms and limited connectivity.
> 
> Ryan
>> 
>>> 
>>> On Wed, Feb 16, 2022 at 4:28 PM Michael Thomas  wrote:
>>> 
>>> 
>>> On 2/16/22 1:13 PM, Josh Luthman wrote:
>>>> I'll once again please ask for specific examples as I continue to see the 
>>>> generic "it isn't in some parts of San Jose".
>>>> 
>>>> On the note of the generic area of San Jose, I'm all but certain this has 
>>>> a lot to do with California and its extraordinarily complicated and near 
>>>> impossible accessibility to obtain CLEC status.  This makes competition 
>>>> pretty much impossible and makes the costs of operating one 
>>>> extraordinarily high.  I'm obviously not going to be one that claims that 
>>>> government is good or bad, just pointing out a certain correlation which 
>>>> could potentially be causation.
>>> Sonic has been installing fiber in San Francisco and other areas, but they 
>>> are really small. Comcast can't be bothered that I've ever heard. The only 
>>> other real alternative is things like Monkeybrains which is a WISP. It's 
>>> really an embarrassment. 
>>> 
>>> Mike
>>> 
>>>> 
>>>> On Wed, Feb 16, 2022 at 12:52 PM Owen DeLong  wrote:
>>>> 
>>>> 
>>>>> On Feb 11, 2022, at 13:14 , Josh Luthman  wrote:
>>>>> 
>>>>> Because literally every case I've seen along these lines is someone 
>>>>> complaining about the coax connection is "only 100 meg when I pay for 200 
>>>>> meg".  Comcast was the most hated company and yet they factually had 
>>>>> better speeds (possibly in part to their subjectively terrible customer 
>>>>> service) for years.
>>>>> 
>>>>> >An apartment building could have cheap 1G fiber and the houses across 
>>>>> >the street have no option but slow DSL.
>>>>> 
>>>>> Where is this example?  Or is this strictly hypothetical?
>>>> 
>>>> There are literally dozens (if not thousands) of such examples in silicon 
>>>> valley alone.
>>>> 
>>>>> I am not seeing any examples, anywhere, with accurate data, where it's 
>>>>> what most consider to be in town/urban and poor speeds.  The only one 
>>>>> that was close was Jared and I'm pretty sure when I saw the map I 
>>>>> wouldn't consider that in town (could be wrong) but again, there's gig 
>>>>> fiber there now.  I don't remember if he actually got his CLEC, or why 
>>>>> that matters, but there's fiber there now.
>>>> 
>>>> Pretty sure you would have a hard time calling San Jose “not in town”. 
>>>> It’s literally #11 in the largest 200 cities in the US with a population 
>>>> of 1,003,120 (954,940 in the 2010 census) and a population density of 
>>>> 5,642 people/sq. mile (compare to #4 Houston, TX at 3,632/Sq. Mi.).
>>>> 
>>>> Similar conditions exist in parts of Los Angeles, #2 on the same list at 
>>>> 3,985,516 (3,795,512 in 2010 census) and 8,499/Sq. Mi.
>>>> 
>>>> I speak of 

Re: New minimum speed for US broadband connections

2022-02-28 Thread Josh Luthman
Ryan,

This discussion was in regards to urban areas.

Regarding your example, though, I expect you're in a hard to reach rural
area based on your description.  It looks like there are absolutely a
massive amount of trees, making it hard for fixed wireless.  Since it
sounds like your only option, which is better than no option at all, that's
probably why no wired solution has decided to build service there.  At
$50k/mile being a pretty modest cost, at $200/mo does that seem like a
viable business plan to you?

On Fri, Feb 25, 2022 at 11:25 PM Ryan Rawdon  wrote:

>
> On Feb 16, 2022, at 4:46 PM, Michael Thomas  wrote:
>
>
> On 2/16/22 1:36 PM, Josh Luthman wrote:
>
> What is the embarrassment?
>
> That in the tech center of the world that we're so embarrassingly behind
> the times with broadband. I'm going to get fiber in the rural Sierra Nevada
> before Silicon Valley. In fact, I already have it, they just haven't
> installed the NID.
>
> Mike
>
>
> I will provide another specific example albeit not San Jose but similar
> enough.  I am in Loudoun County less than 25 minutes from Ashburn, VA.
>  My best option is fixed wireless from All Points Broadband (hi Tim) which
> is 15/3mbit/s costing $199/mo (they have cheaper, slower tiers available).
>
> Verizon FiOS serves a dense developer-built community less than 1 mile
> down the street from me, but everyone else outside of the towns and
> developer-built communities have almost zero options.
>
> Similar to the San Jose examples, we are near some of the most dense
> connectivity in the world.  Travel 20-30 minutes in certain directions from
> Ashburn and you’re quickly seeing farms and limited connectivity.
>
> Ryan
>
>
> On Wed, Feb 16, 2022 at 4:28 PM Michael Thomas  wrote:
>
>>
>> On 2/16/22 1:13 PM, Josh Luthman wrote:
>>
>> I'll once again please ask for specific examples as I continue to see the
>> generic "it isn't in some parts of San Jose".
>>
>> On the note of the generic area of San Jose, I'm all but certain this has
>> a lot to do with California and its extraordinarily complicated and near
>> impossible accessibility to obtain CLEC status.  This makes competition
>> pretty much impossible and makes the costs of operating one extraordinarily
>> high.  I'm obviously not going to be one that claims that government is
>> good or bad, just pointing out a certain correlation which could
>> potentially be causation.
>>
>> Sonic has been installing fiber in San Francisco and other areas, but
>> they are really small. Comcast can't be bothered that I've ever heard. The
>> only other real alternative is things like Monkeybrains which is a WISP.
>> It's really an embarrassment.
>>
>> Mike
>>
>>
>> On Wed, Feb 16, 2022 at 12:52 PM Owen DeLong  wrote:
>>
>>>
>>>
>>> On Feb 11, 2022, at 13:14 , Josh Luthman 
>>> wrote:
>>>
>>> Because literally every case I've seen along these lines is someone
>>> complaining about the coax connection is "only 100 meg when I pay for 200
>>> meg".  Comcast was the most hated company and yet they factually had better
>>> speeds (possibly in part to their subjectively terrible customer service)
>>> for years.
>>>
>>> >An apartment building could have cheap 1G fiber and the houses across
>>> the street have no option but slow DSL.
>>>
>>> Where is this example?  Or is this strictly hypothetical?
>>>
>>>
>>> There are literally dozens (if not thousands) of such examples in
>>> silicon valley alone.
>>>
>>> I am not seeing any examples, anywhere, with accurate data, where it's
>>> what most consider to be in town/urban and poor speeds.  The only one that
>>> was close was Jared and I'm pretty sure when I saw the map I wouldn't
>>> consider that in town (could be wrong) but again, there's gig fiber there
>>> now.  I don't remember if he actually got his CLEC, or why that matters,
>>> but there's fiber there now.
>>>
>>>
>>> Pretty sure you would have a hard time calling San Jose “not in town”.
>>> It’s literally #11 in the largest 200 cities in the US with a population of
>>> 1,003,120 (954,940 in the 2010 census) and a population density of 5,642
>>> people/sq. mile (compare to #4 Houston, TX at 3,632/Sq. Mi.).
>>>
>>> Similar conditions exist in parts of Los Angeles, #2 on the same list at
>>> 3,985,516 (3,795,512 in 2010 census) and 8,499/Sq. Mi.
>>>
>>> I speak of California because it’s where I have the most information.
>>> I’m sure this situation exists in other states as well, but I don’t have
>>> actual data.
>>>
>>> The simple reality is that there are three sets of incentives that
>>> utilities tend to chase and neither of them provides for the mezzo-urban
>>> and sub-urban parts of America…
>>> 1. USF — Mostly supports rural deployments.
>>> 2. Extreme High Density — High-Rise apartments in dense arrays, Not
>>> areas of town houses, smaller apartment complexes, or single family
>>> dwellings.
>>> 3. Neighborhoods full of McMansions — Mostly built very recently and
>>> where the developers would literally pay the 

Re: Certificates for DoT and DoH?

2022-02-28 Thread Bjørn Mork
Bill Woodcock  writes:

>> Does this mean that DigiCert is the only alternative?
>
> I assume not, but we’d already used them for other things, and they
> didn’t have a problem doing it, so we didn’t shop any further.

Makes sense.  That's how I started as well.  But we are using Buypass,
and for some unknown reason they did have a problem doing it.


>> And do they really have this offer for ordinary users, or is this also some 
>> special
>> arrangement for big players only?
>
> No, we didn’t have to do anything special, to the best of my knowledge.

Good to know.  Thanks

>> That does make me wonder how they verify that I'm the rightful owner of
>> "sites, IP addresses, common names, etc.".  In particular, "etc" :-)
>> Or you could ask yourself if you trust a CA with such an offer...
>
> Yep.  DANE is the correct answer.  CAs are not.  But that’s been true
> for a very long time, and people are still trying to pretend that CAs
> know what’s what.


Agree 100%.

Now I'm going to ask another stupid question:  How would DANE work for
DoT/DoH?  Having TLSA records in in-addr.arpa and ip6.arpa?


Bjørn


Re: Certificates for DoT and DoH?

2022-02-28 Thread Bjørn Mork
David Guo  writes:

> You don't need a certificate for your IP address if your DoT and DoH
> use domains.

Sorry if I'm slow, but isn't that a chicken-and-egg problem?

We're going to provide this as an add-on to our standard ISP resolver
service.  Most clients will pick up the addresses from DHCP/DHCPv6.
Very few are configuring DNS resolvers manually, and those who do are
using other providers.  Like you :-)

> For certificates with IPv4 address, we use ZeroSSL / GoGetSSL, both
> are SubCA with Sectigo, which works fine.

Thanks.  That's interesting. I didn't know ZeroSSL offered this.  And
GoGetSSL has better docs than most.  

But we can't run a resolver service without IPv6 in 2022.  Did you ever
get any explanation of this restriction?  Shouldn't be much
harder/different to validate an IPv6 address if you can validate an IPv4
address.

> For IPv6 address, we used Digicert but it's too expensive, so we gave up ☹

Hard to claim it's too expensive if no one else thinks it's worth
offering a similar service...

> Our DoT/DoH service is https://dns.sb/

Nice.  Good to have more examples to look at.  


Bjørn


Re: Russian aligned ASNs?

2022-02-28 Thread richey goldberg
They have the skills and the ability to stop it but the people who report the 
traffic represent 0% of their revenue so they could care less.  It’s the same 
actors every single day.   Microsoft,  Amazon, Google, Phychz Networks, Digital 
Ocean, etc. that spew garbage from their networks.   For a while we would send 
abuse reports because management felt it would do nothing even though we told 
them it wouldn’t.   Out of all of the reports sent I only ever saw one 
response that wasn’t a canned response and it was from Microsoft that basically 
said “Yea, we know it’s an issue but they pay us and you don’t so block it 
yourself”.

Of course if it’s your customer that’s sending them crap traffic they will go 
nuclear if you don’t remove the offending traffic in .1337 seconds.

-richey


From: Mike Hammett 
Date: Monday, February 28, 2022 at 10:43 AM
To: richey goldberg 
Cc: North American Network Operators Group 
Subject: Re: Russian aligned ASNs?
So the providers most likely to have the skills and capabilities to automate 
abuse mitigation are the least likely to do anything about it, even when asked?




-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

From: "richey goldberg" 
To: "North American Network Operators Group" 
Sent: Thursday, February 24, 2022 9:16:13 PM
Subject: Re: Russian aligned ASNs?
I don’t think that refusing Russian ASNs will do much to stop any kind of 
attacks.   They are going to attack from botnets that are global so that’s not 
going to stop them.   If anything blocking Russian ASNs will stop the flow of 
information going into Russia. I think we’re better off doing what we can 
to take down any machines that are participating in attacks if they live on 
machines that are downstream from you.   One of the biggest issues I face in my 
daily tasks is getting other providers to take down machines.   I’m talking to 
you Microsoft, Amazon, Digital Ocean and the likes…..


-richey

From: NANOG  on behalf of 
William Allen Simpson 
Date: Thursday, February 24, 2022 at 7:41 PM
To: North American Network Operators Group 
Subject: Russian aligned ASNs?
There have been reports of DDoS and new targeted malware attacks.

There were questions in the media about cutting off the Internet.

Apparently some Russian government sites have already cut themselves
off, presumably to avoid counterattacks.

Would it improve Internet health to refuse Russian ASN announcements?

What is our community doing to assist Ukraine against these attacks?



RE: Certificates for DoT and DoH?

2022-02-28 Thread David Guo via NANOG
Hi Mork,

You don't need a certificate for your IP address if your DoT and DoH use 
domains.

For certificates with IPv4 address, we use ZeroSSL / GoGetSSL, both are SubCA 
with Sectigo, which works fine.

For IPv6 address, we used Digicert but it's too expensive, so we gave up ☹

Our DoT/DoH service is https://dns.sb/

Regards,

David

-Original Message-
From: NANOG  On Behalf Of Bjørn Mork
Sent: Monday, February 28, 2022 10:30 PM
To: nanog@nanog.org
Subject: Certificates for DoT and DoH?

Any recommendations for a CA with a published policy allowing an IP address SAN 
(Subject Alternative Name)?

Preferably someone using ACME with a simple RFC 8738 reference. Let's Encrypt 
had this in their TODO list for a while, but it was removed and the project was 
put on hold:
https://github.com/letsencrypt/boulder/pull/4920#issuecomment-832104881
https://community.letsencrypt.org/t/planned-rfc-8738-support-pulled/152057

And I've been unable to find any other CAs with RFC 8738 support either.
Most of them don't even bother documenting it as unsupported. All I've found is 
this answer from Buypass:
https://community.buypass.com/t/h7hm76w/buypass-support-for-rfc-8738

So what do people use for DoT and DoH?

I see that Google got a certificate from their own CA.  No surprise...

Version: 3 (0x2)
Serial Number:
9c:d9:a2:0f:fe:dd:2b:0a:12:00:00:00:00:03:6f:0b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
Validity
Not Before: Feb 17 11:34:59 2022 GMT
Not After : May 12 11:34:58 2022 GMT
Subject: CN = dns.google
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage: 
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier: 
A6:21:3C:08:17:99:1E:DE:2D:F5:EB:C8:90:C9:71:D2:E9:53:1D:EE
X509v3 Authority Key Identifier: 

keyid:8A:74:7F:AF:85:CD:EE:95:CD:3D:9C:D0:E2:46:14:F3:71:35:1D:27

Authority Information Access: 
OCSP - URI:http://ocsp.pki.goog/gts1c3
CA Issuers - URI:http://pki.goog/repo/certs/gts1c3.der

X509v3 Subject Alternative Name: 
DNS:dns.google, DNS:dns.google.com, DNS:*.dns.google.com, 
DNS:.google, DNS:dns64.dns.google, IP Address:8.8.8.8, IP Address:8.8.4.4, 
IP Address:2001:4860:4860:0:0:0:0:, IP Address:2001:4860:4860:0:0:0:0:8844, 
IP Address:2001:4860:4860:0:0:0:0:6464, IP Address:2001:4860:4860:0:0:0:0:64
X509v3 Certificate Policies: 
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.11129.2.5.3

X509v3 CRL Distribution Points: 

Full Name:
  URI:http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl

[cut]


But this is not an option for anyone else according to
https://pki.goog/faq/#faq-29 :

   How can I get a certificate from Google Trust Services? 

   At this time, the only way to get a certificate from Google Trust
   Services is via an Alphabet or Google product.


I guess it's easy to push for DoT and DoH when you can create rules like that.


Both Quad9 and Cloudflare got their certificates from DigiCert:

Version: 3 (0x2)
Serial Number:
05:45:06:fe:17:98:52:bb:fa:c1:a7:3d:cd:80:39:7b
Signature Algorithm: ecdsa-with-SHA384
Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 

Re: Russian aligned ASNs?

2022-02-28 Thread Mike Hammett
So the providers most likely to have the skills and capabilities to automate 
abuse mitigation are the least likely to do anything about it, even when asked? 

 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "richey goldberg"  
To: "North American Network Operators Group"  
Sent: Thursday, February 24, 2022 9:16:13 PM 
Subject: Re: Russian aligned ASNs? 



I don’t think that refusing Russian ASNs will do much to stop any kind of 
attacks. They are going to attack from botnets that are global so that’s not 
going to stop them. If anything blocking Russian ASNs will stop the flow of 
information going into Russia. I think we’re better off doing what we can to 
take down any machines that are participating in attacks if they live on 
machines that are downstream from you. One of the biggest issues I face in my 
daily tasks is getting other providers to take down machines. I’m talking to you 
Microsoft, Amazon, Digital Ocean and the likes….. 


-richey 


From: NANOG  on behalf of 
William Allen Simpson  
Date: Thursday, February 24, 2022 at 7:41 PM 
To: North American Network Operators Group  
Subject: Russian aligned ASNs? 

There have been reports of DDoS and new targeted malware attacks. 

There were questions in the media about cutting off the Internet. 

Apparently some Russian government sites have already cut themselves 
off, presumably to avoid counterattacks. 

Would it improve Internet health to refuse Russian ASN announcements? 

What is our community doing to assist Ukraine against these attacks? 


Re: Russian aligned ASNs?

2022-02-28 Thread Mike Hammett
*nods* Not only cleaning up the infections, but also implementing BCP 38 and 84 
to keep things you miss from leaking. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Seth David Schoen"  
To: "Joe Greco"  
Cc: "North American Network Operators Group"  
Sent: Thursday, February 24, 2022 7:59:08 PM 
Subject: Re: Russian aligned ASNs? 

I also imagine (without data) that most DoS attacks continue to be 
performed by botnets, using other people's connections, rather than 
directly by their ultimate perpetrators. So, the most effective and 
meaningful mitigation would be trying to clean up bots, and prevent 
ongoing bot infections, rather than cutting off suspected or actual 
perpetrators. 

I realize that's much easier said than done! 



Re: Get in touch with Cloudflare

2022-02-28 Thread J. Hellenthal via NANOG
There are a couple to a few that lurk here. Give it a few hours.

This list is a lot less volume than they have on the interim communications.

-- 

J. Hellenthal

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.






> On Feb 28, 2022, at 08:52, Oskar Borgqvist via NANOG  wrote:
> 
> Hi
> 
> We have tried to get hold of cloudflare because we have migrated from one ASN 
> to another.
> 
> We have tried with the contact information that is public (peeringdb). We 
> have been waiting for several weeks without a response.
> 
> Would have appreciated if anyone here could have helped us with this.
> 
> With kind regards,
> Oskar Borgqvist
> Bahnflow AB



Get in touch with Cloudflare

2022-02-28 Thread Oskar Borgqvist via NANOG
Hi

We have tried to get hold of cloudflare because we have migrated from one ASN 
to another.

We have tried with the contact information that is public (peeringdb). We have 
been waiting for several weeks without a response.

Would have appreciated if anyone here could have helped us with this.

With kind regards,
Oskar Borgqvist
Bahnflow AB


Re: Certificates for DoT and DoH?

2022-02-28 Thread Bill Woodcock


> On Feb 28, 2022, at 3:29 PM, Bjørn Mork  wrote:
> Any recommendations for a CA with a published policy allowing an IP
> address SAN (Subject Alternative Name)?
> Both Quad9 got their certificate from DigiCert:
> 
>Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 
> 2020 CA1
>Subject: C = US, ST = California, L = Berkeley, O = Quad9, CN = 
> *.quad9.net
>X509v3 Subject Alternative Name:
>DNS:*.quad9.net, DNS:quad9.net, IP Address:9.9.9.9, IP 
> Address:9.9.9.10, IP Address:9.9.9.11, IP Address:9.9.9.12, IP 
> Address:9.9.9.13, IP Address:9.9.9.14, IP Address:9.9.9.15, IP 
> Address:149.112.112.9, IP Address:149.112.112.10, IP Address:149.112.112.11, 
> IP Address:149.112.112.12, IP Address:149.112.112.13, IP 
> Address:149.112.112.14, IP Address:149.112.112.15, IP 
> Address:149.112.112.112, IP Address:2620:FE:0:0:0:0:0:9, IP 
> Address:2620:FE:0:0:0:0:0:10, IP Address:2620:FE:0:0:0:0:0:11, IP 
> Address:2620:FE:0:0:0:0:0:12, IP Address:2620:FE:0:0:0:0:0:13, IP 
> Address:2620:FE:0:0:0:0:0:14, IP Address:2620:FE:0:0:0:0:0:15, IP 
> Address:2620:FE:0:0:0:0:0:FE, IP Address:2620:FE:0:0:0:0:FE:9, IP 
> Address:2620:FE:0:0:0:0:FE:10, IP Address:2620:FE:0:0:0:0:FE:11, IP 
> Address:2620:FE:0:0:0:0:FE:12, IP Address:2620:FE:0:0:0:0:FE:13, IP 
> Address:2620:FE:0:0:0:0:FE:14, IP Address:2620:FE:0:0:0:0:FE:15
> 
> Does this mean that DigiCert is the only alternative?

I assume not, but we’d already used them for other things, and they didn’t have 
a problem doing it, so we didn’t shop any further.

> And do they really have this offer for ordinary users, or is this also some 
> special
> arrangement for big players only?

No, we didn’t have to do anything special, to the best of my knowledge.

> That does make me wonder how they verify that I'm the rightful owner of
> "sites, IP addresses, common names, etc.".  In particular, "etc" :-)
> Or you could ask yourself if you trust a CA with such an offer...

Yep.  DANE is the correct answer.  CAs are not.  But that’s been true for a 
very long time, and people are still trying to pretend that CAs know what’s 
what.

-Bill





Certificates for DoT and DoH?

2022-02-28 Thread Bjørn Mork
Any recommendations for a CA with a published policy allowing an IP
address SAN (Subject Alternative Name)?

Preferably someone using ACME with a simple RFC 8738 reference. Let's
Encrypt had this in their TODO list for a while, but it was removed and
the project was put on hold:
https://github.com/letsencrypt/boulder/pull/4920#issuecomment-832104881
https://community.letsencrypt.org/t/planned-rfc-8738-support-pulled/152057

And I've been unable to find any other CAs with RFC 8738 support either.
Most of them don't even bother documenting it as unsupported. All I've
found is this answer from Buypass:
https://community.buypass.com/t/h7hm76w/buypass-support-for-rfc-8738

So what do people use for DoT and DoH?

I see that Google got a certificate from their own CA.  No surprise...

Version: 3 (0x2)
Serial Number:
9c:d9:a2:0f:fe:dd:2b:0a:12:00:00:00:00:03:6f:0b
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
Validity
Not Before: Feb 17 11:34:59 2022 GMT
Not After : May 12 11:34:58 2022 GMT
Subject: CN = dns.google
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage: 
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier: 
A6:21:3C:08:17:99:1E:DE:2D:F5:EB:C8:90:C9:71:D2:E9:53:1D:EE
X509v3 Authority Key Identifier: 

keyid:8A:74:7F:AF:85:CD:EE:95:CD:3D:9C:D0:E2:46:14:F3:71:35:1D:27

Authority Information Access: 
OCSP - URI:http://ocsp.pki.goog/gts1c3
CA Issuers - URI:http://pki.goog/repo/certs/gts1c3.der

X509v3 Subject Alternative Name: 
DNS:dns.google, DNS:dns.google.com, DNS:*.dns.google.com, 
DNS:.google, DNS:dns64.dns.google, IP Address:8.8.8.8, IP Address:8.8.4.4, 
IP Address:2001:4860:4860:0:0:0:0:, IP Address:2001:4860:4860:0:0:0:0:8844, 
IP Address:2001:4860:4860:0:0:0:0:6464, IP Address:2001:4860:4860:0:0:0:0:64
X509v3 Certificate Policies: 
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.11129.2.5.3

X509v3 CRL Distribution Points: 

Full Name:
  URI:http://crls.pki.goog/gts1c3/zdATt0Ex_Fk.crl

[cut]


But this is not an option for anyone else according to
https://pki.goog/faq/#faq-29 :

   How can I get a certificate from Google Trust Services? 

   At this time, the only way to get a certificate from Google Trust
   Services is via an Alphabet or Google product.


I guess it's easy to push for DoT and DoH when you can create rules like
that.


Both Quad9 and Cloudflare got their certificates from DigiCert:

Version: 3 (0x2)
Serial Number:
05:45:06:fe:17:98:52:bb:fa:c1:a7:3d:cd:80:39:7b
Signature Algorithm: ecdsa-with-SHA384
Issuer: C = US, O = DigiCert Inc, CN = DigiCert TLS Hybrid ECC SHA384 
2020 CA1
Validity
Not Before: Jul 27 00:00:00 2021 GMT
Not After : Aug  4 23:59:59 2022 GMT
Subject: C = US, ST = California, L = Berkeley, O = Quad9, CN = 
*.quad9.net
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:7d:8b:d7:1d:03:85:0d:18:25:b3:34:1c:29:a1:
27:d4:ac:01:25:48:8a:a0:f1:ea:02:b9:d8:51:2c:
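
The check a client operator would want from the SAN lists quoted in this post: when a DoT or DoH resolver is reached by the IP literal handed out over DHCP, does the certificate carry an iPAddress SAN for exactly that address, given that a CN or dNSName entry does not count for an IP? This is an added Python example, not code from the post or from any CA or resolver operator named in it; it parses the SAN line in the `openssl x509 -text` form quoted above, and the sample SAN string is constructed.

```python
"""Does a certificate's Subject Alternative Name cover the resolver endpoint a
DoT/DoH client actually dialled?  Added example; it parses the SAN line as
printed by `openssl x509 -text`, the form quoted in the post above."""
import ipaddress

# Constructed sample SAN line in the openssl -text layout.  The entries mimic
# the style of the quoted Quad9 certificate but are made up for this example.
SAMPLE_SAN = (
    "DNS:*.quad9.net, DNS:quad9.net, IP Address:9.9.9.9, "
    "IP Address:149.112.112.112, IP Address:2620:FE:0:0:0:0:0:9"
)


def parse_san(san_text):
    """Split an openssl-style SAN line into DNS names and IP addresses."""
    dns_names, ip_addrs = [], []
    for item in san_text.split(","):
        item = item.strip()
        if item.startswith("DNS:"):
            dns_names.append(item[len("DNS:"):].lower().rstrip("."))
        elif item.startswith("IP Address:"):
            try:
                # ipaddress normalises "2620:FE:0:0:0:0:0:9" to 2620:fe::9, so
                # the textual form used in the cert does not affect matching.
                ip_addrs.append(ipaddress.ip_address(item[len("IP Address:"):]))
            except ValueError:
                # A malformed entry cannot grant coverage; skip it (fail closed).
                continue
    return dns_names, ip_addrs


def dns_name_matches(pattern, host):
    """RFC 6125-style match: a wildcard is accepted only as the whole left-most
    label and matches exactly one label."""
    if "*" not in pattern:
        return pattern == host
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail:
        return False
    labels = host.split(".")
    return len(labels) == len(tail.split(".")) + 1 and ".".join(labels[1:]) == tail


def san_covers(san_text, reference):
    """True if the SAN covers `reference`, a hostname or an IP literal.

    An IP literal (the DHCP-provided resolver case) must match an iPAddress
    entry; dNSName entries and the CN never satisfy it, so a certificate with
    only DNS names fails for a dialled IP even if that name resolves to it.
    """
    dns_names, ip_addrs = parse_san(san_text)
    try:
        addr = ipaddress.ip_address(reference.strip("[]"))
    except ValueError:
        host = reference.lower().rstrip(".")
        return any(dns_name_matches(p, host) for p in dns_names)
    return addr in ip_addrs


if __name__ == "__main__":
    for ref in ("9.9.9.9", "2620:fe::9", "9.9.9.10", "dns.quad9.net", "quad9.net"):
        print(ref, "->", san_covers(SAMPLE_SAN, ref))
```

Python's own `ssl` module performs the equivalent iPAddress matching on a live connection when `server_hostname` is the IP literal; the function above is for inspecting a certificate dump offline, not a replacement for the library check.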

Re: Russian aligned ASNs?

2022-02-28 Thread Denys Fedoryshchenko

AFAIK they don't do that just because they are not being droned.
When they were killed, it was just because cell towers were used by coordinators
and as a source of information.

Which once again reminds us that if telecom doesn't stay neutral as much as
possible, or worse, sides with one of the conflicting parties, they will
become a legitimate target.
To some extent, it resembles the situation with medics.


On 2022-02-25 23:33, Eric Kuhnke wrote:

The four LTE (3GPP rev-whatever) based networks in Afghanistan are all
still operational. Roshan, AWCC, MTN, Etisalat.

In .AF the line between ISP and MNO is very blurry since 98% of
internet using customers do not have fixed line service at home or
office and use a mobile network instead.

These have developed a great deal of institutional knowledge operating
in very difficult conditions. The major change now is that the Taliban
is no longer burning tower site cabinets/shelters.

On Fri, 25 Feb 2022 at 12:20, scott  wrote:


My friend just got a phone call.  Electricity, cell phones and
internet are all functional at this time.


--

Just imagine what it must be like trying to keep those IP networks
functional at a time like this.  Configuring routers while under
fire...
Those engineers should get some kind of award...

scott