is nanog really in the spoofer report?

[scott via NANOG]

I just realized that many automatically put emails with the subject line 
of "Spoofer Report for NANOG" in the trash, so I changed it.


Is that for real or a spoof itself?  If it's real I know a buncha guys 
that will help. ;)


scott



On 7/8/2022 10:35 AM, scott wrote:



"> 19230  NANOG 2016-06-13   2022-06-07"

Wait...what?  :)

scott


On 7/8/2022 7:00 AM, CAIDA Spoofer Project wrote:

In response to feedback from operational security communities,
CAIDA's source address validation measurement project
(https://spoofer.caida.org) is automatically generating monthly
reports of ASes originating prefixes in BGP for systems from which
we received packets with a spoofed source address.
We are publishing these reports to network and security operations
lists in order to ensure this information reaches operational
contacts in these ASes.

This report summarises tests conducted within usa, can.

Inferred improvements during Jun 2022:
ASN    Name   Fixed-By
22898  ATLINK 2022-06-02
208563 LINUXGEMINI    2022-06-15
33696  NEXTARRAY-ASN-01   2022-06-23

Further information for the inferred remediation is available at:
https://spoofer.caida.org/remedy.php

Source Address Validation issues inferred during Jun 2022:
ASN    Name   First-Spoofed Last-Spoofed
5650   FRONTIER-FRTR 2016-02-22   2022-06-30
54825  PACKET    2016-04-15   2022-06-23
19230  NANOG 2016-06-13   2022-06-07
7029   WINDSTREAM    2016-06-21   2022-06-30
40285  NORTHLAND-CABLE   2016-07-17   2022-06-28
209    CENTURYLINK-US-LEGACY-QWEST   2016-08-16   2022-06-17
6128   CABLE-NET-1   2016-09-03   2022-06-02
27364  ACS-INTERNET  2016-09-27   2022-06-18
20412  CLARITY-TELECOM   2016-09-30   2022-06-30
271    BCNET 2016-10-24   2022-06-30
22898  ATLINK    2016-12-16   2022-06-28
1246   TLL-WEST  2017-04-20   2022-06-29
63296  AWBROADBAND   2017-09-01   2022-06-29
33452  RW    2018-09-19   2022-06-21
8047   GCI   2019-04-11   2022-06-13
21804  ACCESS-SK 2019-06-09   2022-06-18
53703  KWIKOM    2021-01-17   2022-06-30
398836 NP-NETWORKS   2021-03-12   2022-06-18
56207  Converge  2021-03-26   2022-06-06
212934 AS_POTVIN 2021-10-03   2022-06-28
394437 PSLIGHTWAVE   2021-12-02   2022-06-19
12119  ITV-3 2022-06-07   2022-06-14
59 WISC-MADISON  2022-06-14   2022-06-14
32645  PIVOT 2022-06-16   2022-06-16
397086 LAYER-HOST-HOUSTON    2022-06-16   2022-06-23
399486   2022-06-18   2022-06-18

Further information for these tests where we received spoofed
packets is available at:
https://spoofer.caida.org/recent_tests.php?country_include=usa,can_block=1 



Please send any feedback or suggestions to spoofer-i...@caida.org

Any admins for Yahoo mail here?

[Milt Aitken]

Big customer cannot exchange email with yahoo either way.

Error message is ambiguous.

No joy through the usual channels.

If there's a yahoo admin here, please contact me off list.

 

Thanks

Milt Aitken

Net2Atlanta

Re: Mystery MAC address

[JoeSox]

FOLLOWUP:

Looks like that MAC is our Sonicwall firewall and the packets are coming in
from upstream on a shared VLAN but not a shared subnet (not sure how this
is happening).
Our sonicwall shows one virus hit on one of the new 10.1.2.0
addresses (upstream subnet) seen today.
Thanks for all the responses. The upstream is investigating now.
--
Thank You,
Joe


On Fri, Jul 8, 2022 at 11:40 AM William Herrin  wrote:

> On Fri, Jul 8, 2022 at 9:22 AM JoeSox  wrote:
> > And it shows an unrecognized MAC address. This virtual machine is in a
> Nutanix environment.
> > I am trying to figure this out without bringing in paid outside help.
> Thanks in advance for any responses.
> > c2:ea:e4:c5:57:e6
> > is the MAC in question.
>
> Hi Joe,
>
> Any MAC address with the 2 bit set in the first byte (e.g. c2) is
> locally generated. Those are x2, x6, xA and xE. Typically this means a
> virtual machine but not always.
>
> Best bet: trace it through your switch. If you have managed switches,
> they know which port any given mac address came from. You can trace
> that back to the machine and then look at the virtual switch on the
> machine to figure out which VM.
>
> Incidentally, the 1 bit in the first byte means broadcast (1) or unicast
> (0).
>
> Regards,
> Bill Herrin
>
>
> --
> For hire. https://bill.herrin.us/resume/
>

Re: ICANN

[bzs]

You'd probably be 99.999% more successful in improving the state of
humanity by being more specific about what you are referring to.

Put another way you've probably reached "ICANN" by posting here, or as
well as you're likely to by any other means you're imagining.

On July 8, 2022 at 09:21 kmedc...@dessus.com (Keith Medcalf) wrote:
 > 
 > Does anyone have contact information (or address for service of legal
 > documents) for ICANN?  There web site does not appear to contain contact
 > information.
 > 
 > ICANN apparently promulgates a policy which requires clickage on spam
 > links in e-mail.  I intend to sue them for trillions of dollars for this
 > policy.
 > 
 > 
 > -- 
 > (CAUTION) You are advised that if you attack my person or property, you
 > will be put down in accordance with the provisions of section 34 & 35 of
 > the Criminal Code respectively.  If you are brandishing (or in
 > possession) of a weapon then lethal force will be applied to your person
 > in accordance with the law.  This means that your misadventures may end
 > in your death.  Consider yourself cautioned and govern your actions
 > appropriately.
 > 
 > 
 > 
 > 

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*

Re: Spoofer Report for NANOG for Jun 2022

[scott via NANOG]

"> 19230  NANOG 2016-06-13   2022-06-07"

Wait...what?  :)

scott


On 7/8/2022 7:00 AM, CAIDA Spoofer Project wrote:

In response to feedback from operational security communities,
CAIDA's source address validation measurement project
(https://spoofer.caida.org) is automatically generating monthly
reports of ASes originating prefixes in BGP for systems from which
we received packets with a spoofed source address.
We are publishing these reports to network and security operations
lists in order to ensure this information reaches operational
contacts in these ASes.

This report summarises tests conducted within usa, can.

Inferred improvements during Jun 2022:
ASNName   Fixed-By
22898  ATLINK 2022-06-02
208563 LINUXGEMINI2022-06-15
33696  NEXTARRAY-ASN-01   2022-06-23

Further information for the inferred remediation is available at:
https://spoofer.caida.org/remedy.php

Source Address Validation issues inferred during Jun 2022:
ASNName   First-Spoofed Last-Spoofed
5650   FRONTIER-FRTR 2016-02-22   2022-06-30
54825  PACKET2016-04-15   2022-06-23
19230  NANOG 2016-06-13   2022-06-07
7029   WINDSTREAM2016-06-21   2022-06-30
40285  NORTHLAND-CABLE   2016-07-17   2022-06-28
209CENTURYLINK-US-LEGACY-QWEST   2016-08-16   2022-06-17
6128   CABLE-NET-1   2016-09-03   2022-06-02
27364  ACS-INTERNET  2016-09-27   2022-06-18
20412  CLARITY-TELECOM   2016-09-30   2022-06-30
271BCNET 2016-10-24   2022-06-30
22898  ATLINK2016-12-16   2022-06-28
1246   TLL-WEST  2017-04-20   2022-06-29
63296  AWBROADBAND   2017-09-01   2022-06-29
33452  RW2018-09-19   2022-06-21
8047   GCI   2019-04-11   2022-06-13
21804  ACCESS-SK 2019-06-09   2022-06-18
53703  KWIKOM2021-01-17   2022-06-30
398836 NP-NETWORKS   2021-03-12   2022-06-18
56207  Converge  2021-03-26   2022-06-06
212934 AS_POTVIN 2021-10-03   2022-06-28
394437 PSLIGHTWAVE   2021-12-02   2022-06-19
12119  ITV-3 2022-06-07   2022-06-14
59 WISC-MADISON  2022-06-14   2022-06-14
32645  PIVOT 2022-06-16   2022-06-16
397086 LAYER-HOST-HOUSTON2022-06-16   2022-06-23
399486   2022-06-18   2022-06-18

Further information for these tests where we received spoofed
packets is available at:
https://spoofer.caida.org/recent_tests.php?country_include=usa,can_block=1

Please send any feedback or suggestions to spoofer-i...@caida.org

Re: Rogers Outage Canada

[Clayton Zekelman]

The E911 network in Ontario and Quebec is run by Bell Canada.

The PSAPs may have non-emergency lines that are provided by other carriers.


At 03:56 PM 08/07/2022, Andrew Paolucci via NANOG wrote:
I believe the call centers run by law enforcement and municipalities 
in the GTA are mostly homed on single providers, I know some Bell 
and Telus users in certain areas are still able to reach emergency services.



Regards,

Andrew Paolucci







--

Clayton Zekelman
Managed Network Systems Inc. (MNSi)
3363 Tecumseh Rd. E
Windsor, Ontario
N8W 1H4

tel. 519-985-8410
fax. 519-985-8409

Re: Rogers Outage Canada

[Andrew Paolucci via NANOG]

I believe the call centers run by law enforcement and municipalities in the GTA 
are mostly homed on single providers, I know some Bell and Telus users in 
certain areas are still able to reach emergency services.

Regards,

Andrew Paolucci

 Original Message 
On Jul. 8, 2022, 3:39 p.m., Clayton Zekelman wrote:

> Why not? If the SS7 is encapsulated in IP... (think SIGTRAN).
>
> At 03:30 PM 08/07/2022, jim deleskie wrote:
>
>> i cant see BGP taking out SS7.
>>
>> -jim
>
> --
>
> Clayton Zekelman
> Managed Network Systems Inc. (MNSi)
> 3363 Tecumseh Rd. E
> Windsor, Ontario
> N8W 1H4
>
> tel. 519-985-8410
> fax. 519-985-8409

Re: Rogers Outage Canada

[Clayton Zekelman]

Why not?  If the SS7 is encapsulated in IP... (think SIGTRAN).

At 03:30 PM 08/07/2022, jim deleskie wrote:

i cant see BGP taking out SS7.

-jim



--

Clayton Zekelman
Managed Network Systems Inc. (MNSi)
3363 Tecumseh Rd. E
Windsor, Ontario
N8W 1H4

tel. 519-985-8410
fax. 519-985-8409

Re: Rogers Outage Canada

[Pete Baldwin - TCC]

Seems like their external BGP peers are dead.  If their internal network 
is the same, and they carry M2PA etc, or use BGP/MPLS to carry SS7 
traffic, or their softswitches/STPs rely on BGP/MPLS in some way then 
SS7 might exist, but not be functional.


--
Pete Baldwin


On 2022-07-08 15:30, jim deleskie wrote:

i cant see BGP taking out SS7.

-jim

On Fri, Jul 8, 2022 at 2:45 PM Snowmobile2004 > wrote:


According to Cloudflare Radar
,
Rogers BGP announcements spiked massively to levels 536,777% higher
than normal (343,601 vs 64 normally) just minutes before the outage.
I would not be surprised if this happened to be the culprit.

Regards,
Josh Green

On Fri, Jul 8, 2022 at 2:19 PM Andrew Paolucci via NANOG
mailto:nanog@nanog.org>> wrote:

In the early hours of the morning around 2-3am my modem got hit
with a configuration update that caused a DHCP release that
wasn't renewed for about two hours, after rollback the
connection was fine for 3 hours before this network wide outage.


Maybe a failed night time update was attempted again during
office hours, I've heard daytime guys are still WFH and night
shift is in building.


I expect we'll never get a real explanation. Rogers is notorious
for withholding any type of helpful or technical information.


Sent from my inoperable Rogers Mobile via emergency eSIM.


Regards,

Andrew Paolucci
 Original Message 
On Jul. 8, 2022, 1:48 p.m., Jay Hennigan < j...@west.net
> wrote:


On 7/8/22 07:44, Robert DeVita wrote: > Does anyone have
information on a widespread Rogers outage in Canada. I >
have customers with multiple sites down. There's discussion
on the Outages mailing list. Seems widespread, affecting all
services, mobile, voice, Internet. No cause or ETR posted
yet. -- Jay Hennigan - j...@west.net 
Network Engineering - CCIE #7880 503 897-8550 - WB6RDV 




-- 
*Josh Green.*

Re: Rogers Outage Canada

[Eric Kuhnke]

I can't either, but the reality right now seems to be that 911 calls are
failing for anyone on a Rogers cellphone.

I have seen anecdotal reports that the mobile network is in a half broken
state that phones remain registered to, so a 911 call will attempt and then
fail.

This is unlike what would happen if you had a US/Canada cellphone with
battery power but no SIM card in it that would search for any available
network in RF range for a 911 call if needed.

On Fri, 8 Jul 2022 at 12:31, jim deleskie  wrote:

> i cant see BGP taking out SS7.
>
> -jim
>
> On Fri, Jul 8, 2022 at 2:45 PM Snowmobile2004 
> wrote:
>
>> According to Cloudflare Radar
>> , Rogers
>> BGP announcements spiked massively to levels 536,777% higher than normal
>> (343,601 vs 64 normally) just minutes before the outage. I would not be
>> surprised if this happened to be the culprit.
>>
>> Regards,
>> Josh Green
>>
>> On Fri, Jul 8, 2022 at 2:19 PM Andrew Paolucci via NANOG 
>> wrote:
>>
>>> In the early hours of the morning around 2-3am my modem got hit with a
>>> configuration update that caused a DHCP release that wasn't renewed for
>>> about two hours, after rollback the connection was fine for 3 hours before
>>> this network wide outage.
>>>
>>>
>>> Maybe a failed night time update was attempted again during office
>>> hours, I've heard daytime guys are still WFH and night shift is in building.
>>>
>>>
>>> I expect we'll never get a real explanation. Rogers is notorious for
>>> withholding any type of helpful or technical information.
>>>
>>>
>>> Sent from my inoperable Rogers Mobile via emergency eSIM.
>>>
>>>
>>> Regards,
>>>
>>> Andrew Paolucci
>>>  Original Message 
>>> On Jul. 8, 2022, 1:48 p.m., Jay Hennigan < j...@west.net> wrote:
>>>
>>>
>>> On 7/8/22 07:44, Robert DeVita wrote: > Does anyone have information on
>>> a widespread Rogers outage in Canada. I > have customers with multiple
>>> sites down. There's discussion on the Outages mailing list. Seems
>>> widespread, affecting all services, mobile, voice, Internet. No cause or
>>> ETR posted yet. -- Jay Hennigan - j...@west.net Network Engineering -
>>> CCIE #7880 503 897-8550 - WB6RDV
>>>
>>>
>>
>> --
>> *Josh Green.*
>>
>

Re: Rogers Outage Canada

[jim deleskie]

i cant see BGP taking out SS7.

-jim

On Fri, Jul 8, 2022 at 2:45 PM Snowmobile2004 
wrote:

> According to Cloudflare Radar
> , Rogers
> BGP announcements spiked massively to levels 536,777% higher than normal
> (343,601 vs 64 normally) just minutes before the outage. I would not be
> surprised if this happened to be the culprit.
>
> Regards,
> Josh Green
>
> On Fri, Jul 8, 2022 at 2:19 PM Andrew Paolucci via NANOG 
> wrote:
>
>> In the early hours of the morning around 2-3am my modem got hit with a
>> configuration update that caused a DHCP release that wasn't renewed for
>> about two hours, after rollback the connection was fine for 3 hours before
>> this network wide outage.
>>
>>
>> Maybe a failed night time update was attempted again during office hours,
>> I've heard daytime guys are still WFH and night shift is in building.
>>
>>
>> I expect we'll never get a real explanation. Rogers is notorious for
>> withholding any type of helpful or technical information.
>>
>>
>> Sent from my inoperable Rogers Mobile via emergency eSIM.
>>
>>
>> Regards,
>>
>> Andrew Paolucci
>>  Original Message 
>> On Jul. 8, 2022, 1:48 p.m., Jay Hennigan < j...@west.net> wrote:
>>
>>
>> On 7/8/22 07:44, Robert DeVita wrote: > Does anyone have information on a
>> widespread Rogers outage in Canada. I > have customers with multiple sites
>> down. There's discussion on the Outages mailing list. Seems widespread,
>> affecting all services, mobile, voice, Internet. No cause or ETR posted
>> yet. -- Jay Hennigan - j...@west.net Network Engineering - CCIE #7880 503
>> 897-8550 - WB6RDV
>>
>>
>
> --
> *Josh Green.*
>

Re: Rogers Outage Canada

[Eric Kuhnke]

Whatever they did, it has also taken out SS7/PSTN 911 services for many
millions of people.

https://www.cbc.ca/news/business/rogers-outage-cell-mobile-wifi-1.6514373

On Fri, 8 Jul 2022 at 11:44, Snowmobile2004  wrote:

> According to Cloudflare Radar
> , Rogers
> BGP announcements spiked massively to levels 536,777% higher than normal
> (343,601 vs 64 normally) just minutes before the outage. I would not be
> surprised if this happened to be the culprit.
>
> Regards,
> Josh Green
>
> On Fri, Jul 8, 2022 at 2:19 PM Andrew Paolucci via NANOG 
> wrote:
>
>> In the early hours of the morning around 2-3am my modem got hit with a
>> configuration update that caused a DHCP release that wasn't renewed for
>> about two hours, after rollback the connection was fine for 3 hours before
>> this network wide outage.
>>
>>
>> Maybe a failed night time update was attempted again during office hours,
>> I've heard daytime guys are still WFH and night shift is in building.
>>
>>
>> I expect we'll never get a real explanation. Rogers is notorious for
>> withholding any type of helpful or technical information.
>>
>>
>> Sent from my inoperable Rogers Mobile via emergency eSIM.
>>
>>
>> Regards,
>>
>> Andrew Paolucci
>>  Original Message 
>> On Jul. 8, 2022, 1:48 p.m., Jay Hennigan < j...@west.net> wrote:
>>
>>
>> On 7/8/22 07:44, Robert DeVita wrote: > Does anyone have information on a
>> widespread Rogers outage in Canada. I > have customers with multiple sites
>> down. There's discussion on the Outages mailing list. Seems widespread,
>> affecting all services, mobile, voice, Internet. No cause or ETR posted
>> yet. -- Jay Hennigan - j...@west.net Network Engineering - CCIE #7880 503
>> 897-8550 - WB6RDV
>>
>>
>
> --
> *Josh Green.*
>

Re: Rogers Outage Canada

[Snowmobile2004]

According to Cloudflare Radar
, Rogers
BGP announcements spiked massively to levels 536,777% higher than normal
(343,601 vs 64 normally) just minutes before the outage. I would not be
surprised if this happened to be the culprit.

Regards,
Josh Green

On Fri, Jul 8, 2022 at 2:19 PM Andrew Paolucci via NANOG 
wrote:

> In the early hours of the morning around 2-3am my modem got hit with a
> configuration update that caused a DHCP release that wasn't renewed for
> about two hours, after rollback the connection was fine for 3 hours before
> this network wide outage.
>
>
> Maybe a failed night time update was attempted again during office hours,
> I've heard daytime guys are still WFH and night shift is in building.
>
>
> I expect we'll never get a real explanation. Rogers is notorious for
> withholding any type of helpful or technical information.
>
>
> Sent from my inoperable Rogers Mobile via emergency eSIM.
>
>
> Regards,
>
> Andrew Paolucci
>  Original Message 
> On Jul. 8, 2022, 1:48 p.m., Jay Hennigan < j...@west.net> wrote:
>
>
> On 7/8/22 07:44, Robert DeVita wrote: > Does anyone have information on a
> widespread Rogers outage in Canada. I > have customers with multiple sites
> down. There's discussion on the Outages mailing list. Seems widespread,
> affecting all services, mobile, voice, Internet. No cause or ETR posted
> yet. -- Jay Hennigan - j...@west.net Network Engineering - CCIE #7880 503
> 897-8550 - WB6RDV
>
>

-- 
*Josh Green.*

Re: Mystery MAC address

[William Herrin]

On Fri, Jul 8, 2022 at 9:22 AM JoeSox  wrote:
> And it shows an unrecognized MAC address. This virtual machine is in a 
> Nutanix environment.
> I am trying to figure this out without bringing in paid outside help. Thanks 
> in advance for any responses.
> c2:ea:e4:c5:57:e6
> is the MAC in question.

Hi Joe,

Any MAC address with the 2 bit set in the first byte (e.g. c2) is
locally generated. Those are x2, x6, xA and xE. Typically this means a
virtual machine but not always.

Best bet: trace it through your switch. If you have managed switches,
they know which port any given mac address came from. You can trace
that back to the machine and then look at the virtual switch on the
machine to figure out which VM.

Incidentally, the 1 bit in the first byte means broadcast (1) or unicast (0).

Regards,
Bill Herrin


-- 
For hire. https://bill.herrin.us/resume/

Re: Rogers Outage Canada

[Andrew Paolucci via NANOG]

In the early hours of the morning around 2-3am my modem got hit with a 
configuration update that caused a DHCP release that wasn't renewed for about 
two hours, after rollback the connection was fine for 3 hours before this 
network wide outage.

Maybe a failed night time update was attempted again during office hours, I've 
heard daytime guys are still WFH and night shift is in building.

I expect we'll never get a real explanation. Rogers is notorious for 
withholding any type of helpful or technical information.

Sent from my inoperable Rogers Mobile via emergency eSIM.

Regards,

Andrew Paolucci
 Original Message 
On Jul. 8, 2022, 1:48 p.m., Jay Hennigan wrote:

> On 7/8/22 07:44, Robert DeVita wrote: > Does anyone have information on a 
> widespread Rogers outage in Canada. I > have customers with multiple sites 
> down. There's discussion on the Outages mailing list. Seems widespread, 
> affecting all services, mobile, voice, Internet. No cause or ETR posted yet. 
> -- Jay Hennigan - j...@west.net Network Engineering - CCIE #7880 503 897-8550 
> - WB6RDV

Re: Mystery MAC address

[Crist Clark]

The vendor code C0-EA-E4 looks like Sonicwall.

It’s not going unusual for a device take a global address on the device and
flip the local bit for some other use.

On Fri, Jul 8, 2022 at 10:13 AM Saku Ytti  wrote:

> Technically the right most is multicast bit, the 2nd right most is locally
> assigned, it doesn't imply randomisation, it is unknowable how it was
> assigned.
>
> On Fri, 8 Jul 2022 at 20:07, Brandon Svec via NANOG 
> wrote:
>
>> I think that is a randomized address. Look at the second character in a
>> MAC address, if it is a 2, 6, A, or E it is a randomized address.  Per
>> https://www.mist.com/get-to-know-mac-address-randomization-in-2020/
>> *Brandon Svec*
>>
>>
>>
>> On Fri, Jul 8, 2022 at 9:24 AM JoeSox  wrote:
>>
>>> Hello,
>>>
>>> I have something I have never seen before and was wondering if anyone in
>>> the community has seen something like this?
>>>
>>> So some active directory accounts are getting locked intermittently and
>>> I had to do some sniffing and I have an IP address showing up in a non-used
>>> subnet 10.1.2.x
>>> And it shows an unrecognized MAC address. This virtual machine is in a
>>> Nutanix environment.
>>>
>>> I am trying to figure this out without bringing in paid outside help.
>>> Thanks in advance for any responses.
>>> c2:ea:e4:c5:57:e6
>>> is the MAC in question. I don't fully understand this request. 10.1.2.18
>>> is the mystery ip that doesn't ping, 10.1.3.9 is the DC.
>>> AD Audit provides nonexistent machines making the requests and even
>>> blank.
>>> "User account 'Administrator' was locked from computer ''."
>>>
>>> [image: image.png]
>>>
>>> --
>>> Thank You,
>>> Joe
>>>
>>
>
> --
>   ++ytti
>

Re: ICANN

[Jay Hennigan]

On 7/8/22 08:24, Rubens Kuhl wrote:

If you believe in everything an email says, I have an island to sell
that you might be interested in.


I have a bridge for sale. This will be beneficial in reaching your 
newly-purchased island.


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV

Re: Rogers Outage Canada

[Jay Hennigan]

On 7/8/22 07:44, Robert DeVita wrote:
Does anyone have information on a widespread Rogers outage in Canada. I 
have customers with multiple sites down.


There's discussion on the Outages mailing list. Seems widespread, 
affecting all services, mobile, voice, Internet. No cause or ETR posted 
yet.


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV

Re: ICANN

[John Levine]

It appears that Keith Medcalf  said:
>
>Does anyone have contact information (or address for service of legal
>documents) for ICANN?  There web site does not appear to contain contact
>information.

If you really wish to send such a letter, I would send it by paper mail,
attn General Counsel.  Their address is on the web site.  But first ...

>ICANN apparently promulgates a policy which requires clickage on spam
>links in e-mail.  I intend to sue them for trillions of dollars for this
>policy.

Could you give us some hints about the legal theory under which you believe
they are liable?  ICANN is incorporated in California so only laws that apply
in the US matter.

R's,
John

Re: Mystery MAC address

[Saku Ytti]

Technically the right most is multicast bit, the 2nd right most is locally
assigned, it doesn't imply randomisation, it is unknowable how it was
assigned.

On Fri, 8 Jul 2022 at 20:07, Brandon Svec via NANOG  wrote:

> I think that is a randomized address. Look at the second character in a
> MAC address, if it is a 2, 6, A, or E it is a randomized address.  Per
> https://www.mist.com/get-to-know-mac-address-randomization-in-2020/
> *Brandon Svec*
>
>
>
> On Fri, Jul 8, 2022 at 9:24 AM JoeSox  wrote:
>
>> Hello,
>>
>> I have something I have never seen before and was wondering if anyone in
>> the community has seen something like this?
>>
>> So some active directory accounts are getting locked intermittently and I
>> had to do some sniffing and I have an IP address showing up in a non-used
>> subnet 10.1.2.x
>> And it shows an unrecognized MAC address. This virtual machine is in a
>> Nutanix environment.
>>
>> I am trying to figure this out without bringing in paid outside help.
>> Thanks in advance for any responses.
>> c2:ea:e4:c5:57:e6
>> is the MAC in question. I don't fully understand this request. 10.1.2.18
>> is the mystery ip that doesn't ping, 10.1.3.9 is the DC.
>> AD Audit provides nonexistent machines making the requests and even blank.
>> "User account 'Administrator' was locked from computer ''."
>>
>> [image: image.png]
>>
>> --
>> Thank You,
>> Joe
>>
>

-- 
  ++ytti

Re: Mystery MAC address

[Brandon Svec via NANOG]

I think that is a randomized address. Look at the second character in a MAC
address, if it is a 2, 6, A, or E it is a randomized address.  Per
https://www.mist.com/get-to-know-mac-address-randomization-in-2020/
*Brandon Svec*



On Fri, Jul 8, 2022 at 9:24 AM JoeSox  wrote:

> Hello,
>
> I have something I have never seen before and was wondering if anyone in
> the community has seen something like this?
>
> So some active directory accounts are getting locked intermittently and I
> had to do some sniffing and I have an IP address showing up in a non-used
> subnet 10.1.2.x
> And it shows an unrecognized MAC address. This virtual machine is in a
> Nutanix environment.
>
> I am trying to figure this out without bringing in paid outside help.
> Thanks in advance for any responses.
> c2:ea:e4:c5:57:e6
> is the MAC in question. I don't fully understand this request. 10.1.2.18
> is the mystery ip that doesn't ping, 10.1.3.9 is the DC.
> AD Audit provides nonexistent machines making the requests and even blank.
> "User account 'Administrator' was locked from computer ''."
>
> [image: image.png]
>
> --
> Thank You,
> Joe
>

Spoofer Report for NANOG for Jun 2022

[CAIDA Spoofer Project]

In response to feedback from operational security communities,
CAIDA's source address validation measurement project
(https://spoofer.caida.org) is automatically generating monthly
reports of ASes originating prefixes in BGP for systems from which
we received packets with a spoofed source address.
We are publishing these reports to network and security operations
lists in order to ensure this information reaches operational
contacts in these ASes.

This report summarises tests conducted within usa, can.

Inferred improvements during Jun 2022:
ASNName   Fixed-By
22898  ATLINK 2022-06-02
208563 LINUXGEMINI2022-06-15
33696  NEXTARRAY-ASN-01   2022-06-23

Further information for the inferred remediation is available at:
https://spoofer.caida.org/remedy.php

Source Address Validation issues inferred during Jun 2022:
ASNName   First-Spoofed Last-Spoofed
5650   FRONTIER-FRTR 2016-02-22   2022-06-30
54825  PACKET2016-04-15   2022-06-23
19230  NANOG 2016-06-13   2022-06-07
7029   WINDSTREAM2016-06-21   2022-06-30
40285  NORTHLAND-CABLE   2016-07-17   2022-06-28
209CENTURYLINK-US-LEGACY-QWEST   2016-08-16   2022-06-17
6128   CABLE-NET-1   2016-09-03   2022-06-02
27364  ACS-INTERNET  2016-09-27   2022-06-18
20412  CLARITY-TELECOM   2016-09-30   2022-06-30
271BCNET 2016-10-24   2022-06-30
22898  ATLINK2016-12-16   2022-06-28
1246   TLL-WEST  2017-04-20   2022-06-29
63296  AWBROADBAND   2017-09-01   2022-06-29
33452  RW2018-09-19   2022-06-21
8047   GCI   2019-04-11   2022-06-13
21804  ACCESS-SK 2019-06-09   2022-06-18
53703  KWIKOM2021-01-17   2022-06-30
398836 NP-NETWORKS   2021-03-12   2022-06-18
56207  Converge  2021-03-26   2022-06-06
212934 AS_POTVIN 2021-10-03   2022-06-28
394437 PSLIGHTWAVE   2021-12-02   2022-06-19
12119  ITV-3 2022-06-07   2022-06-14
59 WISC-MADISON  2022-06-14   2022-06-14
32645  PIVOT 2022-06-16   2022-06-16
397086 LAYER-HOST-HOUSTON2022-06-16   2022-06-23
399486   2022-06-18   2022-06-18

Further information for these tests where we received spoofed
packets is available at:
https://spoofer.caida.org/recent_tests.php?country_include=usa,can_block=1

Please send any feedback or suggestions to spoofer-i...@caida.org

Re: Mystery MAC address

[heasley]

Fri, Jul 08, 2022 at 12:43:49PM -0400, Christopher Morrow:
> mac addresses can be lies... and they can repeat... joy!
> 

eg; 
https://www.extremenetworks.com/extreme-networks-blog/wi-fi-mac-randomization-privacy-and-collateral-damage/

> On Fri, Jul 8, 2022 at 12:22 PM JoeSox  wrote:
> 
> > Hello,
> >
> > I have something I have never seen before and was wondering if anyone in
> > the community has seen something like this?
> >
> > So some active directory accounts are getting locked intermittently and I
> > had to do some sniffing and I have an IP address showing up in a non-used
> > subnet 10.1.2.x
> > And it shows an unrecognized MAC address. This virtual machine is in a
> > Nutanix environment.
> >
> > I am trying to figure this out without bringing in paid outside help.
> > Thanks in advance for any responses.
> > c2:ea:e4:c5:57:e6
> > is the MAC in question. I don't fully understand this request. 10.1.2.18
> > is the mystery ip that doesn't ping, 10.1.3.9 is the DC.
> > AD Audit provides nonexistent machines making the requests and even blank.
> > "User account 'Administrator' was locked from computer ''."
> >
> > [image: image.png]
> >
> > --
> > Thank You,
> > Joe
> >

Re: Mystery MAC address

[Christopher Morrow]

mac addresses can be lies... and they can repeat... joy!


On Fri, Jul 8, 2022 at 12:22 PM JoeSox  wrote:

> Hello,
>
> I have something I have never seen before and was wondering if anyone in
> the community has seen something like this?
>
> So some active directory accounts are getting locked intermittently and I
> had to do some sniffing and I have an IP address showing up in a non-used
> subnet 10.1.2.x
> And it shows an unrecognized MAC address. This virtual machine is in a
> Nutanix environment.
>
> I am trying to figure this out without bringing in paid outside help.
> Thanks in advance for any responses.
> c2:ea:e4:c5:57:e6
> is the MAC in question. I don't fully understand this request. 10.1.2.18
> is the mystery ip that doesn't ping, 10.1.3.9 is the DC.
> AD Audit provides nonexistent machines making the requests and even blank.
> "User account 'Administrator' was locked from computer ''."
>
> [image: image.png]
>
> --
> Thank You,
> Joe
>

Mystery MAC address

[JoeSox]

Hello,

I have something I have never seen before and was wondering if anyone in
the community has seen something like this?

So some active directory accounts are getting locked intermittently and I
had to do some sniffing and I have an IP address showing up in a non-used
subnet 10.1.2.x
And it shows an unrecognized MAC address. This virtual machine is in a
Nutanix environment.

I am trying to figure this out without bringing in paid outside help.
Thanks in advance for any responses.
c2:ea:e4:c5:57:e6
is the MAC in question. I don't fully understand this request. 10.1.2.18 is
the mystery ip that doesn't ping, 10.1.3.9 is the DC.
AD Audit provides nonexistent machines making the requests and even blank.
"User account 'Administrator' was locked from computer ''."

[image: image.png]

--
Thank You,
Joe

Re: ICANN

[David Conrad]

On Jul 8, 2022, at 8:21 AM, Keith Medcalf  wrote:
> Does anyone have contact information (or address for service of legal
> documents) for ICANN?

https://www.icann.org/locations? 

> There web site does not appear to contain contact
> information.

Sure it does.  If nothing else, at the bottom of that page, it points to the 
Global Support Center (a link to 
https://www.icann.org/resources/pages/customer-support-2015-06-22-en 
)

> ICANN apparently promulgates a policy which requires clickage on spam
> links in e-mail.

I’m guessing you’re talking about one or more of 
https://www.icann.org/resources/pages/contact-verification-2013-05-03-en 
, 
probably WDRP.   There is a FAQ on that: 
https://www.icann.org/resources/pages/faqs-f0-2012-02-25-en 
.

> I intend to sue them for trillions of dollars for this policy.

Have fun.

Regards,
-drc



signature.asc
Description: Message signed with OpenPGP

ICANN

[Sylvain Baya]

Dear NANOG-ers,

Hopefully, this email finds you in good health!

Please see my comments below, inline...

Le vendredi 8 juillet 2022, Rubens Kuhl  a écrit :

> If you believe in everything an email says, I have an island to sell
> that you might be interested in.
>
> That said, ICANN has a compliance department:
> https://www.icann.org/compliance/complaint
>
>
>
Hi Rubens,
Thanks for your email, brother.

...maybe he should start by the Ombudsman [1]?
__
[1]: Ombudsman - ICANN


Shalom,
--sb.



> Rubens
>
> On Fri, Jul 8, 2022 at 12:22 PM Keith Medcalf  wrote:
> >
> >
> > [...]
> >
>


-- 

Best Regards !
__
baya.sylvain[AT cmNOG DOT cm]|
Subscribe to Mailing List: 
__
#‎LASAINTEBIBLE‬|#‎Romains15‬:33«Que LE ‪#‎DIEU‬ de ‪#‎Paix‬ soit avec vous
tous! ‪#‎Amen‬!»
‪#‎MaPrière‬ est que tu naisses de nouveau. #Chrétiennement‬
«Comme une biche soupire après des courants d’eau, ainsi mon âme soupire
après TOI, ô DIEU!»(#Psaumes42:2)

Re: ICANN

[Rubens Kuhl]

If you believe in everything an email says, I have an island to sell
that you might be interested in.

That said, ICANN has a compliance department:
https://www.icann.org/compliance/complaint


Rubens

On Fri, Jul 8, 2022 at 12:22 PM Keith Medcalf  wrote:
>
>
> Does anyone have contact information (or address for service of legal
> documents) for ICANN?  There web site does not appear to contain contact
> information.
>
> ICANN apparently promulgates a policy which requires clickage on spam
> links in e-mail.  I intend to sue them for trillions of dollars for this
> policy.
>
>
> --
> (CAUTION) You are advised that if you attack my person or property, you
> will be put down in accordance with the provisions of section 34 & 35 of
> the Criminal Code respectively.  If you are brandishing (or in
> possession) of a weapon then lethal force will be applied to your person
> in accordance with the law.  This means that your misadventures may end
> in your death.  Consider yourself cautioned and govern your actions
> appropriately.
>
>
>
>

ICANN

[Keith Medcalf]

Does anyone have contact information (or address for service of legal
documents) for ICANN?  There web site does not appear to contain contact
information.

ICANN apparently promulgates a policy which requires clickage on spam
links in e-mail.  I intend to sue them for trillions of dollars for this
policy.


--
(CAUTION) You are advised that if you attack my person or property, you
will be put down in accordance with the provisions of section 34 & 35 of
the Criminal Code respectively.  If you are brandishing (or in
possession) of a weapon then lethal force will be applied to your person
in accordance with the law.  This means that your misadventures may end
in your death.  Consider yourself cautioned and govern your actions
appropriately.

EVPN-VXLAN Service Types

[Graham Johnston via NANOG]

Good day, NANOG.

I'm at the front end of an expected implementation of EVPN-VXLAN as the primary 
method to shift a network that is largely based on traditional Ethernet 
switching and spanning-tree to one that attempts to route traffic as often as 
possible, and where we want to separate the physical topology from the logical 
services. We are selecting EVPN-VXLAN as it seems to inherently provide for the 
Network Virtualization Overlay function, as well as routing since the entire 
underlay will be routed. As part of all the reading we are doing, and lab 
testing that is just about to commence, I'm trying to weigh the options around 
VLAN-based services and VLAN-aware bundle services. I know that the options 
aren't mutually exclusive, and that I can mix and match, at least I expect that 
this to be an option.

In case it matters, our implementation will initially involve VTEPs based on a 
mix of Juniper QFX5100, QFX5110, QFX5120, and EX4650 switches, as well as MX. 
Yes, I do recognize the RIOT capabilities that aren't present in the QFX5100.  
From a basic FIB standpoint, we do believe that we are well below the quote 
limits in terms of hosts, routes, etc. I do believe that we've effectively 
weighed the use of VXLAN over MPLS. We currently believe that our use cases 
don't require some of the more advanced features and control knobs available in 
MPLS. We are also pragmatic and are trying to use the equipment that we have. 
We believe that the Trident ASICs in our devices are likely better suited for 
VXLAN than MPLS, despite the glossy datasheets quoting support for various MPLS 
features. Feel free to comment on this.

For internal use, I can see the VLAN-aware bundles as advantageous to group all 
our own services together in a single MAC-VRF, treat ourselves as a tenant. I'm 
not clear yet if I should be concerned or not about each switch that is 
involved in this EVI having to populate all entries into FIB. Our own use cases 
are likely of a small enough scale that it wouldn't matter in comparison to the 
positive outcomes. As for customer use cases, I can't yet see an advantage to 
VLAN-aware bundles as our customers don't interact with multiple VLANs where 
those individual VLANs are terminating on individual VTEP ports. The customer 
use cases feel more like a traditional Q-in-Q type activity that has us 
treating them as single outer VLAN, and thus the VLAN-based service seems more 
appropriate. I'm flat out ignoring the middle ground option of VLAN-bundle 
service as I can't see anything that seems compelling compared to the other two.

I know there is bunch that I don't know here. Am I focusing on the right two 
choices of the three service types? Do organizations regularly use both two 
that I am focusing on? How do you decide between the two models when 
provisioning an EVI? What gotchas await me with the Juniper equipment, or the 
Trident ASICs, that just aren't spelled out in the documentation? Answers to 
these questions and anything else you have to offer is appreciated.

Thanks in advance,
Graham

Rogers Outage Canada

[Robert DeVita]

Does anyone have information on a widespread Rogers outage in Canada. I have 
customers with multiple sites down.

Thanks

Rob

[cid:image001.jpg@01D892AF.488E0A30]
Robert DeVita​​
CEO and Founder
t: (469) 581-2160
 |
m: (469) 441-8864
e: radev...@mejeticks.com
 |
w: mejeticks.com
a:
3100 Carlisle St
,
Dallas
,
75204
[cid:image002.png@01D892AF.488E0A30]
[cid:image003.png@01D892AF.488E0A30]
[cid:image004.png@01D892AF.488E0A30]