Re: MX204 and MPC7E-MRATE EoL - REVOKED

2023-02-06 Thread Mark Tinka




On 1/28/23 09:29, Saku Ytti wrote:

> If I'd have to stab in the dark based on nothing, I'd imagine they
> forgot HMC is no longer shipping, and then panicked and EOLd all HMC
> boxes, until someone did more work, and gathered they probably can
> support a few HMC platforms with existing HMC parts they have.
> I would be very uneasy committing to HMC gear, unless I'd have a
> better understanding of what the problem was, and why it is no longer
> a problem. My concern would be, if they were wrong once to EOL all,
> then wrong again to revoke some EOL, can I trust them now to have HMC
> parts for any RMAs I have down the life expectancy. Not at all
> uncommon to run a box for a decade in SP network, and Juniper released
> all-new HMC gear, after Micron announced HMC EOL.


What I've been able to gather is that Micron indicated that they could 
support another "couple" of years of the MX204 and MPC7E. After that, 
it's all up in the air again.


Considering how popular the MX204 is, and just how much the MX304 does 
not offer the same value, it makes sense for Juniper to milk it while they can.


Personally, I'm okay with it. If they EoL the MX204 in some years from 
now, I have no problem running it until it's on its last legs. With the 
way things are going, we don't really have the same luxuries we used to 
when it comes to refresh cycles.


Mark.


Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

2023-02-06 Thread William Herrin
On Mon, Feb 6, 2023 at 7:40 PM Fernando Gont  wrote:
> On 7/2/23 00:05, William Herrin wrote:
> > On the one hand, sophisticated attackers already scatter attacks
> > between source addresses to evade protection software.
>
> Whereas in the IPv6 case , you normally have at least a /64 without
> restriction. You might have a /56 or /48 thanks to your ISP, or simply a
> /48 thanks to some free tunnelbroker provider...

That's not what's actually happening. What's happening is a mix of
your computer gets one address unless you bother to enable DHCP/PD, or
your CPE gets an IPv6 block and your computer does SLAAC and/or DHCP
to assign itself a single IPv6 address. A lot of the probing is coming
from hijacked computers, so they have the address they have.

Sophisticated attackers can do more with the address blocks they get
from their own service providers. But sophisticated attackers could
spin up VMs with stolen credit cards, hijack BGP and do all manner of
things with IPv4 and IPv6 too.


> > On the other hand, there are so many addresses in a /64 that an
> > attacker can literally use a fresh one for each and every probe he
> > sends. Without a process for advancing the /128 ban to a /64 ban (and
> > releasing it once activity stops), reactive firewalls are likely to
> > become less and less effective.
>
> Not just /128 to /64, but also e.g. /64 to /56 or possibly /48...

Maybe. But I suggest that in the absence of data about how such
attacks will evolve, it might be best to start with a version of a
defense that's easy to conceptualize and implement.

Risk is vulnerability times threat. You already understand the
vulnerability. Before expending much in the way of resources, you also
have to understand the threat.

Regards,
Bill Herrin


-- 
For hire. https://bill.herrin.us/resume/


Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

2023-02-06 Thread Fernando Gont

Hi, Bill,

Thanks for your feedback! In-line

On 7/2/23 00:05, William Herrin wrote:

> On Mon, Feb 6, 2023 at 6:43 PM Fernando Gont  wrote:
>
>> On 6/2/23 20:39, Owen DeLong wrote:
>>
>>> After all, they’re only collecting addresses to ban at the rate they’re
>>> actually being used to send packets.
>>
>> Yeah, but the whole point of banning is that the banned address is
>> actually used by an attacker subsequently,
>
> You both have valuable points here. Listen to each other.
>
> On the one hand, sophisticated attackers already scatter attacks
> between source addresses to evade protection software. Attackers who
> don't have control over their computer's IP address do not. This is
> not new and IPv6 does not really change that picture.

... although the ability to change IP addresses in IPv4 is rather 
limited -- e.g., if I want to do it at home, I could do a DHCP release 
and try to get a different lease, but that is not very practical -- and 
certainly not possible in, e.g., a cafe scenario.

Whereas in the IPv6 case, you normally have at least a /64 without 
restriction. You might have a /56 or /48 thanks to your ISP, or simply a 
/48 thanks to some free tunnelbroker provider...

> On the other hand, there are so many addresses in a /64 that an
> attacker can literally use a fresh one for each and every probe he
> sends. Without a process for advancing the /128 ban to a /64 ban (and
> releasing it once activity stops), reactive firewalls are likely to
> become less and less effective.

Not just /128 to /64, but also e.g. /64 to /56 or possibly /48...

Thanks!

Cheers,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494


Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

2023-02-06 Thread William Herrin
On Mon, Feb 6, 2023 at 6:43 PM Fernando Gont  wrote:
> On 6/2/23 20:39, Owen DeLong wrote:
> > After all, they’re only collecting addresses to ban at the rate they’re 
> > actually being used to send packets.
>
> Yeah, but the whole point of banning is that the banned address is
> actually used by an attacker subsequently,

You both have valuable points here. Listen to each other.

On the one hand, sophisticated attackers already scatter attacks
between source addresses to evade protection software. Attackers who
don't have control over their computer's IP address do not. This is
not new and IPv6 does not really change that picture.

On the other hand, there are so many addresses in a /64 that an
attacker can literally use a fresh one for each and every probe he
sends. Without a process for advancing the /128 ban to a /64 ban (and
releasing it once activity stops), reactive firewalls are likely to
become less and less effective.

Regards,
Bill Herrin

-- 
For hire. https://bill.herrin.us/resume/


Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

2023-02-06 Thread Fernando Gont

Hi, Owen,

On 6/2/23 20:39, Owen DeLong wrote:

> As long as they have a reasonable expiry process, it could work.

What, specifically? Banning /128s?

> After all, they’re only collecting addresses to ban at the rate they’re
> actually being used to send packets.

Yeah, but the whole point of banning is that the banned address is 
actually used by an attacker subsequently,

In other words, if:

1. The attacker employs one address for malicious purposes
2. You ban that address
3. The attacker changes his/her address and goes back to #1

... you'd be doing yourself a disservice by adding addresses to the 
ban-list. You just pay penalties for no actual gain.

> While that’s not a completely effective throttle, as long as your expiry
> process can keep up and your TTL doesn’t exceed your ring buffer size, it
> should be theoretically OK.

Memory is a limited resource. As soon as you consistently use memory 
(iptables rule slots) to store more and more rules/addresses you'll get no 
benefit from, the attacker is winning.


Thanks!

Regards,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: F242 FF0E A804 AF81 EB10 2F07 7CA1 321D 663B B494


Re: recaptcha

2023-02-06 Thread William Herrin
On Mon, Feb 6, 2023 at 5:53 PM Gary E. Miller  wrote:
> On Mon, 6 Feb 2023 15:53:02 -0800
> William Herrin  wrote:
> > Has anybody else noticed that when Google Recaptcha falls over to
> > presenting images, their data is of such poor quality that they've
> > misclassified at least one image in upwards of half the presentations,
> > rendering them unsolvable?
>
> Did you ever suspect that it is not a test that you are a human, but that
> you are training their AI?

That's how it used to work years ago. Now it just claims that you're
the one who is wrong.

Regards,
Bill Herrin


-- 
For hire. https://bill.herrin.us/resume/


Re: About emails impersonating Path Network

2023-02-06 Thread Martin Hannigan
Is widespread impact confirmed?

Unfortunate. Our ASN’s and location contacts in PDB have not received
anything from Path. I looked in search engines (quickly) and see nothing
negative re: your ASN. I found a reference as new to the platform at AMSIX
7/21 for AS 396998. Lack of mail security bits on most platforms are
flagged or quarantined AFAIK. These are typically called “Joe Jobs”.  I’d
save the LEA path for more important things (credibility).

Warm regards,

-M<




On Mon, Feb 6, 2023 at 3:39 PM Konrad Zemek  wrote:

> Hi Nanog,
>
> It looks like someone with an axe to grind against our company has decided
> to email every AS contact they could find on PeeringDB, impersonating us
> and sometimes spoofing our domains.
>
> We're aware of the emails and are sorry for the inconvenience. We've since
> added SPF records to the domains we own but don't use (the perps have since
> name-squatted some new ones). We're also actively working with law
> enforcement on the matter.
>
> Thanks
> Konrad Zemek
> CTO Path Network
> AS396998
>


Re: recaptcha

2023-02-06 Thread Gary E. Miller
Yo William!

On Mon, 6 Feb 2023 15:53:02 -0800
William Herrin  wrote:

> Has anybody else noticed that when Google Recaptcha falls over to
> presenting images, their data is of such poor quality that they've
> misclassified at least one image in upwards of half the presentations,
> rendering them unsolvable?

Did you ever suspect that it is not a test that you are a human, but that
you are training their AI?

RGDS
GARY
---
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com  Tel:+1 541 382 8588

Veritas liberabit vos. -- Quid est veritas?
"If you can't measure it, you can't improve it." - Lord Kelvin




recaptcha

2023-02-06 Thread William Herrin
Has anybody else noticed that when Google Recaptcha falls over to
presenting images, their data is of such poor quality that they've
misclassified at least one image in upwards of half the presentations,
rendering them unsolvable?

If y'all aren't going to maintain the service to a production
standard, you should retire it.

Regards,
Bill Herrin

-- 
For hire. https://bill.herrin.us/resume/


Re: (IETF I-D): Implications of IPv6 Addressing on Security Operations (Fwd: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt)

2023-02-06 Thread Owen DeLong via NANOG
As long as they have a reasonable expiry process, it could work. After all, 
they’re only collecting addresses to ban at the rate they’re actually being 
used to send packets.

While that’s not a completely effective throttle, as long as your expiry 
process can keep up and your TTL doesn’t exceed your ring buffer size, it 
should be theoretically OK.

Owen


> On Feb 5, 2023, at 02:44, Fernando Gont  wrote:
> 
> Hi, All,
> 
> Recently, I happened to participate in an IPv6 deployment meeting with some 
> large content provider, and said meeting included a discussion about how to 
> mitigate some attacks using block-lists. These folks argued that they ban 
> offending IPv6 addresses as /128s, following IPv4 practices.
> 
> So it seemed to me that some of the implications arising from the increased 
> IPv6 address space were non-obvious to them.  -- that has been the motivation 
> for the publication of this document.
> 
> * TXT: https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
> * HTML: 
> https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.html
> 
> Comments welcome!
> 
> P.S.: The document is targeted at the IETF opsec wg 
> (https://www.ietf.org/mailman/listinfo/opsec), but I'll be happy to discuss 
> it on this mailing-list, off-list, or at the opsec wg mailing-list...
> 
> Thanks!
> 
> Regards,
> Fernando
> 
> 
> 
> 
>  Forwarded Message 
> Subject: New Version Notification for draft-gont-opsec-ipv6-addressing-00.txt
> Date: Thu, 02 Feb 2023 19:48:40 -0800
> From: internet-dra...@ietf.org
> To: Fernando Gont , Guillermo Gont 
> 
> 
> 
> A new version of I-D, draft-gont-opsec-ipv6-addressing-00.txt
> has been successfully submitted by Fernando Gont and posted to the
> IETF repository.
> 
> Name: draft-gont-opsec-ipv6-addressing
> Revision: 00
> Title:Implications of IPv6 Addressing on Security Operations
> Document date:2023-02-02
> Group:Individual Submission
> Pages:8
> URL: https://www.ietf.org/archive/id/draft-gont-opsec-ipv6-addressing-00.txt
> Status: https://datatracker.ietf.org/doc/draft-gont-opsec-ipv6-addressing/
> Htmlized: 
> https://datatracker.ietf.org/doc/html/draft-gont-opsec-ipv6-addressing
> 
> 
> Abstract:
>   The increased address availability provided by IPv6 has concrete
>   implications on security operations.  This document discusses such
>   implications, and sheds some light on how existing security
>   operations techniques and procedures might need to be modified
>   accommodate the increased IPv6 address availability.
> 
> 
> 
> 
> The IETF Secretariat
> 
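The ban-list process discussed in this thread (Bill Herrin's advancing of a /128 ban to a /64 ban with release once activity stops, Fernando Gont's extension of that to /56 and /48 and his point that memory spent on rules the attacker never re-uses is pure loss, and Owen DeLong's expiry TTL and ring buffer), as an added example in Python. This is not code from the draft or from any of the posters; the escalation thresholds, TTL and table cap are assumed values, and the clock is injectable only so the behaviour can be checked offline.

```python
# Added example (not from the draft or the posters): a reactive block list that
# escalates a /128 ban to /64, /56 and /48 once enough distinct entries inside
# the parent have been banned, expires entries after a TTL, and caps its size so
# an address-hopping source cannot exhaust memory. All thresholds are assumed.
import ipaddress
import time
from collections import OrderedDict


class ReactiveBlockList:
    # Escalation ladder (assumed): (parent prefix length, number of distinct
    # banned entries one level down needed before the parent itself is banned).
    LADDER = [(64, 3), (56, 4), (48, 4)]

    def __init__(self, ttl=600, max_entries=10000, clock=time.monotonic):
        self.ttl = ttl
        self.max_entries = max_entries
        self.clock = clock              # injectable so tests can advance time
        # network -> expiry time; insertion order doubles as the ring buffer
        self.bans = OrderedDict()

    def _expire(self, now):
        """Drop entries whose TTL has passed (the expiry process)."""
        for net in [n for n, exp in self.bans.items() if exp <= now]:
            del self.bans[net]

    def _ban(self, net, now):
        """Ban net, move it to the back of the buffer, drop entries it covers."""
        self.bans.pop(net, None)
        self.bans[net] = now + self.ttl
        for other in list(self.bans):
            if other != net and other.version == net.version and other.subnet_of(net):
                del self.bans[other]    # e.g. the /128s inside a freshly banned /64
        while len(self.bans) > self.max_entries:
            self.bans.popitem(last=False)  # evict the oldest, ring-buffer style

    def is_blocked(self, ip):
        now = self.clock()
        self._expire(now)
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.bans)

    def report(self, ip):
        """Record an offending source address; return the network banned."""
        now = self.clock()
        self._expire(now)
        addr = ipaddress.ip_address(ip)
        if addr.version == 4:
            net = ipaddress.ip_network(f"{addr}/32")
            self._ban(net, now)
            return net
        banned = ipaddress.ip_network(f"{addr}/128")
        self._ban(banned, now)
        child_len = 128
        for plen, threshold in self.LADDER:
            parent = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
            # distinct active bans one level down that fall inside this parent
            children = [n for n in self.bans
                        if n.version == 6 and n.prefixlen == child_len
                        and n.subnet_of(parent)]
            if len(children) < threshold:
                break
            self._ban(parent, now)      # one rule now covers the whole parent
            banned, child_len = parent, plen
        return banned


if __name__ == "__main__":
    bl = ReactiveBlockList(ttl=60)
    # constructed sample: three probes from one /64 (documentation prefix)
    for host in ("::1", "::2", "::3"):
        print("banned", bl.report("2001:db8:1:1" + host))
    print("blocked:", bl.is_blocked("2001:db8:1:1::ffff"))
```

The escalation counts distinct active bans one level down, so a source burning through /128s inside one /64 costs the defender at most the threshold number of entries before a single /64 rule replaces them; the cap then bounds the table whatever the source can reach, which is the memory point above, at the price of evicting the oldest bans early. The IPv4 branch bans /32s only, the practice the draft's motivating example carried over to IPv6.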



Re: About emails impersonating Path Network

2023-02-06 Thread Michael Thomas
This seems like a perfect object lesson on why you should use DKIM and 
SPF and make sure the sending domain can set up a p=reject policy for 
DMARC.


Mike

On 2/6/23 10:25 AM, Konrad Zemek wrote:

> Hi Nanog,
>
> It looks like someone with an axe to grind against our company has decided to
> email every AS contact they could find on PeeringDB, impersonating us and
> sometimes spoofing our domains.
>
> We're aware of the emails and are sorry for the inconvenience. We've since
> added SPF records to the domains we own but don't use (the perps have since
> name-squatted some new ones). We're also actively working with law enforcement
> on the matter.
>
> Thanks
> Konrad Zemek
> CTO Path Network
> AS396998
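A check for the point Mike makes above, as an added example in Python that is not code from the thread or from Path Network: for a domain that sends no mail, the records that let receivers reject spoofs are an SPF record ending in -all and a DMARC record with p=reject. The checker parses those two records and reports what is missing or weak; the DNS answers are constructed inline (the domain names are placeholders) so it runs offline. DKIM is not checked because a domain that never sends has nothing to sign.

```python
# Added example (not from the thread or from Path Network): check whether a
# domain's SPF and DMARC records let receivers reject mail spoofing it. The
# DNS answers below are constructed placeholders so this runs offline.
FAKE_TXT = {
    "parked.example": ["v=spf1 -all"],
    "_dmarc.parked.example": [
        "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@parked.example"],
    "weak.example": ["v=spf1 include:_spf.mail.example ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
    "nothing.example": [],
}


def lookup_txt(name, zone=FAKE_TXT):
    """Stand-in for a DNS TXT query; swap in a real resolver to use it."""
    return zone.get(name.lower().rstrip("."), [])


def spf_all_qualifier(records):
    """Qualifier of the SPF 'all' mechanism: '-' fail, '~' softfail,
    '?' neutral, '+' pass. Returns '?' when no 'all' term exists (RFC 7208
    evaluates to neutral) and None when there is no single SPF record
    (none at all, or more than one, which is invalid). A redirect=
    modifier is not followed here."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    for term in spf[0].split()[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        if term.lstrip("+-~?").lower() == "all":
            return qualifier
    return "?"


def parse_dmarc(records):
    """DMARC tags as a dict (keys lower-cased), or None if no DMARC1 record."""
    dmarc = [r for r in records
             if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        return None
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(domain, zone=FAKE_TXT):
    """Return the weaknesses a spoofer could use; an empty list is locked down."""
    findings = []
    qualifier = spf_all_qualifier(lookup_txt(domain, zone))
    if qualifier is None:
        findings.append("SPF: no usable record, any host may claim to send for this domain")
    elif qualifier == "~":
        findings.append("SPF: ~all softfail, most receivers still deliver the message")
    elif qualifier in ("?", "+"):
        findings.append(f"SPF: {qualifier}all gives no protection")
    tags = parse_dmarc(lookup_txt(f"_dmarc.{domain}", zone))
    if tags is None:
        findings.append("DMARC: no record, receivers have no policy to reject spoofs")
    else:
        policy = tags.get("p", "none").lower()
        if policy != "reject":
            findings.append(f"DMARC: p={policy}, spoofed mail is not rejected")
        sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
        if sub_policy != "reject":
            findings.append(f"DMARC: sp={sub_policy}, subdomains are not protected")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC: pct={tags['pct']}, policy applies to only part of the mail")
    return findings


def locked_down(domain, zone=FAKE_TXT):
    return not assess(domain, zone)


if __name__ == "__main__":
    for name in FAKE_TXT:
        if not name.startswith("_dmarc."):
            print(name, "OK" if locked_down(name) else assess(name))
```

The two-record check is the whole story for a parked domain: -all tells SPF-checking receivers that no host is authorised, and p=reject tells DMARC-checking receivers to act on that instead of merely noting it. The newly squatted look-alike domains mentioned above are outside what any record on the real domains can fix.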


About emails impersonating Path Network

2023-02-06 Thread Konrad Zemek
Hi Nanog,

It looks like someone with an axe to grind against our company has decided to 
email every AS contact they could find on PeeringDB, impersonating us and 
sometimes spoofing our domains.

We're aware of the emails and are sorry for the inconvenience. We've since 
added SPF records to the domains we own but don't use (the perps have since 
name-squatted some new ones). We're also actively working with law enforcement 
on the matter.

Thanks
Konrad Zemek
CTO Path Network
AS396998


Widespread connectivity problems in the west, possibly Lumen

2023-02-06 Thread Mel Beckman
We are getting reports of widespread connectivity problems: VPN failures, email 
delivery failures, RingCentral VoIP dropped calls, and the inability to reach 
O365. Affected users are as far East as Las Cruces, NM. All failing 
destinations are so far in California-based data centers. 

So far a common thread appears to be Lumen connectivity, although we can’t 
verify this is exclusive to Lumen transit. However, the reachability problems 
don’t seem to be getting resolved by BGP routing, so multi homed customers are 
still using lumen, even if lumen has no apparent reachability. 

 -mel

Re: Can rr.ntt.net have a AAAA record please?

2023-02-06 Thread heasley
Mon, Feb 06, 2023 at 04:45:29PM +0100, Massimo Candela:
> Hi Willy,
> 
> On 05/02/2023 19:36, Willy Manga wrote:
> > Dear admin of rr.ntt.net ,
> > 
> > I'm not one of your customers, but can you please enable IPv6 on your 
> > routing registry?
> 
> This is fixed. Thanks for reporting it.

perhaps report issues directly next time?

https://lmgtfy.app/?q=internet+routing+registry+administrator


Re: Conduit Lease/IRU Pricing

2023-02-06 Thread James Jun
On Mon, Feb 06, 2023 at 06:57:27AM -0500, Fletcher Kittredge wrote:
> A big issue you don't mention is the easement, the legal right to place
> conduit. What does it mean to buy conduit if you don't have an easement on
> the property to use the conduit?

Typically, in large telecom installs like this (esp. for joint trench builds), 
the lead company obtains an Easement Agreement which allows "other 
telecommunications providers", "licensees" or "other designated agents" of the 
lead company to access and use the full enjoyment of the easement areas.  If 
you dig up registry of deeds for some large telecom joint trench builds (I can 
think of at least two examples), you'll find that these come pretty standard.

Further, conduit lease and license agreements of these sort for the buyer 
typically include Underlying Rights clause that also requires the trench system 
owner (the seller) to maintain underlying rights for the purchaser of rights to 
the conduit.  Seller is required to ensure that the buyer has proper legal 
rights to enter and make full enjoyment of the conduit capacity it purchased or 
otherwise licensed from the seller.

For constructions occurring outside of private property, the lead company is 
responsible for engaging local authorities owning the public right-of-way to 
propose the system installation in a multi-tenancy nature (i.e. the system 
meets and exceeds Dig Once and joint trench requirements set out by the 
municipality and so forth); as such, the right-of-way siting permits are 
developed to allow construction of the entire system and with the understanding 
of access by all users, in principle and procedures as provided under 
respective state laws.


James


Re: Can rr.ntt.net have a AAAA record please?

2023-02-06 Thread Massimo Candela

Hi Willy,

On 05/02/2023 19:36, Willy Manga wrote:

> Dear admin of rr.ntt.net,
>
> I'm not one of your customers, but can you please enable IPv6 on your
> routing registry?


This is fixed. Thanks for reporting it.

Ciao,
Massimo


Re: Spectrum (legacy TWC) Infrastructure - Contact Off List

2023-02-06 Thread Masataka Ohta

Mike Hammett wrote:

> In no way is what I said wrong. Incumbent operators (coax or copper
> pairs) screw things up constantly (whether technically or in the
> business side of things), prompting a sea of independent operators
> to overbuild them (or fill in where they haven't).

See below:

: https://en.wikipedia.org/wiki/Incumbent_local_exchange_carrier
: Various regional independents also held incumbent monopolies
: in their respective regions.

to know many independent operators are incumbent operators.

> I don't mean non-RBOC ILECs. I mean WISPs, regional fiber operators,

I'm afraid "non-RBOC" is a synonym of "independent".

Anyway, ILECs including both RBOCs and thousands of non-RBOC ones
should be the regional fiber operators, as I already wrote:

: Many ILECs enjoying regional monopoly should be 100+ years old:

: https://en.wikipedia.org/wiki/Independent_telephone_company
: By 1903 while the Bell system had 1,278,000 subscribers on
: 1,514 main exchanges, the independents, excluding non-profit
: rural cooperatives, claimed about 2 million subscribers on
: 6,150 exchanges.[1]
: The size ranged from small mom and pop companies run by a
: husband and wife team, to large independent companies,

: many of which should now be PON operators still enjoying regional
: monopoly.

> Bob from down the street that retired and built a fiber company to
> serve his small town. I mean companies with less than 10,000
> customers and are younger than 20 years. There are literally
> thousands of them in the US and they're only getting more formidable
> in the face of lousy incumbents.

See above:

: The size ranged from small mom and pop companies run by a
: husband and wife team

Thousands of Bobs from down the street retired and built telephone
companies, now recognized as non-RBOC ILECs, to serve their small
towns 100+ years ago.

Newly coming Bobs can survive as regional fiber operators
only in regions not served by ILECs as PON providers.

Masataka Ohta


Re: Spectrum (legacy TWC) Infrastructure - Contact Off List

2023-02-06 Thread Josh Luthman
Micro trenching...in suburban or rural deployments?

On Thu, Feb 2, 2023 at 7:59 PM Kevin Shymkiw  wrote:

> Clayton,
>
> Did you leverage things like micro trenching for this project?  I may be
> mislead, but I thought micro trenching these days has helped drive the cost
> of doing this down fairly significantly.
>
> Kevin
>
> On Thu, Feb 2, 2023 at 17:56 Clayton Zekelman  wrote:
>
>>
>> The cost is not low.  Trust me on that.  I've been involved in a pretty
>> massive suburban fibre deployment for the past decade... I expect we'll
>> make money sometime in the 2030's... in time for me to retire.
>>
>> At 12:13 PM 02/02/2023, Forrest Christian (List Account) wrote:
>>
>> The cost to build physical layer in much of the suburban and somewhat
>> rural US is low enough anymore that lots of smaller, independent, ISPs are
>> overbuilding the incumbent with fiber and taking a big chunk of their
>> customer base because they are local and care.  And making money while
>> doing it.
>>
>>
>> --
>>
>> Clayton Zekelman
>> Managed Network Systems Inc. (MNSi)
>> 3363 Tecumseh Rd. E
>> Windsor, Ontario
>> N8W 1H4
>>
>> tel. 519-985-8410
>> fax. 519-985-8409
>>
>


Re: Spectrum (legacy TWC) Infrastructure - Contact Off List (Patrick Garner)

2023-02-06 Thread Josh Luthman
Orange is so you can a) see it and b) orange = telecom

Blue = clean water
Green = sewer
Yellow = gas
Red = high voltage


On Fri, Feb 3, 2023 at 12:20 PM Keith Stokes  wrote:

> I think the bright orange is so you don't run over it with your lawn
> mower, especially since it's going to be there for 3 years.
>
> You'd think in the 3 years in the US South it would be grown over and
> buried itself. 
>
> --
> *From:* NANOG  on behalf of
> Patrick Garner 
> *Sent:* Friday, February 3, 2023 10:16 AM
> *To:* nanog@nanog.org 
> *Subject:* Re: Spectrum (legacy TWC) Infrastructure - Contact Off List
> (Patrick Garner)
>
> We have the same issue here in suburban Atlanta but with Comcast. The
> Comcast ped in my front yard has no cover... it's exposed to the elements.
> There's a bright orange cable running from there to my neighbor's house,
> it's been there for at least 3 years. At the least, it doesn't touch my
> property. There's other spots in my neighborhood where Comcast's bright
> orange coax just runs on the ground, along the road, in the gutter. Not
> saying AT&T is the greatest but at the very least their peds (they are so
> old they still say Bellsouth) have covers and they come within 3 days of
> install to bury DSL lines. I don't understand why Comcast has to choose the
> absolute ugliest bright orange cables to leave everywhere. If you're going
> to leave it, at least use a black cable.
>
> Yay duopoly!
> --
> Patrick Garner
> Owner
> Cherokee Communications LLC
> 404-406-9864
> patrick@cherokee.network
>


Re: Smaller than a /24 for BGP?

2023-02-06 Thread Masataka Ohta

Michael Bolton via NANOG wrote:

> We would benefit from advertising /25's but it hurts more
> than it helps.

That is, IPv6 really hurts.

> I'm in the alarm industry and they still haven't started adopting
> IPv6. If we allow /25 subnets, some industries will never change. In
> a sense, we have to “force” them to change.


FYI, WRT routing table bloat, IPv6, having a much longer minimum
allocation prefix than /24 (which forbids operators from cutting IPv6
prefixes longer than /24), that is, far beyond direct SRAM
lookup, and, worse, needing a longer TCAM word size (64 or 128
bits?) than IPv4, is, in the not so long run, a lot, lot worse
than IPv4.

Masataka Ohta


Re: Spectrum (legacy TWC) Infrastructure - Contact Off List

2023-02-06 Thread Mike Hammett
In no way is what I said wrong. Incumbent operators (coax or copper pairs) 
screw things up constantly (whether technically or in the business side of 
things), prompting a sea of independent operators to overbuild them (or fill in 
where they haven't). I was responding specifically to what Eric said, "I wish 
that the people running the networks at residential last mile operators with 
many hundreds of thousands up to dozens of millions of CPEs would push back 
against efforts from executives/management to participate in this race to the 
bottom of cost and network quality." 


I don't mean non-RBOC ILECs. I mean WISPs, regional fiber operators, Bob from 
down the street that retired and built a fiber company to serve his small town. 
I mean companies with less than 10,000 customers and are younger than 20 years. 
There are literally thousands of them in the US and they're only getting more 
formidable in the face of lousy incumbents. 


Oh, and I just noticed that spell check moved me away from condescension, 
rather than closer to it. Oops. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Masataka Ohta"  
To: nanog@nanog.org 
Sent: Monday, February 6, 2023 8:27:07 AM 
Subject: Re: Spectrum (legacy TWC) Infrastructure - Contact Off List 

Mike Hammett wrote: 

> Where did you think that condensation was going to get you in 
> this conversation? 

I was involved in this thread because of your totally wrong 
statement of: 

: I selfishly hope they don't because that's where independent 
: operators will succeed. ;-) 

First of all, "Spectrum (legacy TWC)" is not a small company. 

Moreover, as is stated in wikipedia that: 

> https://en.wikipedia.org/wiki/Incumbent_local_exchange_carrier 
> Various regional independents also held incumbent monopolies 
> in their respective regions. 

many independent operators keep succeeding for 100+ years 
not because they unreasonably cut maintenance cost but because 
they have achieved regional monopoly. 

Masataka Ohta 




Re: Spectrum (legacy TWC) Infrastructure - Contact Off List

2023-02-06 Thread Masataka Ohta

Mike Hammett wrote:

> Where did you think that condensation was going to get you in
> this conversation?


I was involved in this thread because of your totally wrong
statement of:

: I selfishly hope they don't because that's where independent
: operators will succeed. ;-)

First of all, "Spectrum (legacy TWC)" is not a small company.

Moreover, as is stated in wikipedia that:

>https://en.wikipedia.org/wiki/Incumbent_local_exchange_carrier
>Various regional independents also held incumbent monopolies
>in their respective regions.

many independent operators keep succeeding for 100+ years
not because they unreasonably cut maintenance cost but because
they have achieved regional monopoly.

Masataka Ohta



Re: Increasing problems with geolocation/IPv4 access

2023-02-06 Thread Tom Beecher
>
> One would also think that large OTT content providers which publish
> Android and IOS apps could
>

You said the magic word ; could.

It's the natural extension of MBA Math ; If you can pay for something 'as a
service' , it's going to be cheaper than paying people to develop it in
house. That 'service' is usually a reasonably high percentage of 'good
enough' so as not to really impact your revenue. For larger 'chunks' of
problems that could be a notable revenue hit , you'll allocate some
resources to work that out, but the smattering of instances here or there,
sorry Charlie.



On Sun, Feb 5, 2023 at 7:10 PM Eric Kuhnke  wrote:

> One would also think that large OTT content providers which publish
> Android and IOS apps could use the geolocation-permission data gathered
> from the device, telemetry reported to their own internal systems to gather
> their own independent data sets on where customers are geographically
> located, at least as coarse to a specific metro area.. And use that to
> clean up geolocation features where 3rd party IP geolocation datasets don't
> match reality.
>
> At the smallest scale of customer count: For instance if they have many
> dozens or hundreds of subscribers whose devices often sign in from the same
> /24 block, *and* in which that block is not known to be cellular
> carrier/MNO/MVNO IP space, *and* the devices' geolocation API data
> reports they're in a certain suburb of Portland. Or even if you have
> something like a smart TV in a house which has no geolocation ability/API
> exposed but many of the customers' *other* devices which *do* report
> geolocation API often sign in to the same account from the same
> residential-last-mile-provider dhcp pool /32 address.
>
> The amount of telemetry data collected off an android or ios devices these
> days by most consumer apps is quite comprehensive, and as we all known the
> average person is extremely likely to click "Yes/accept" on any
> software/interface modal popups, so the majority of the devices will not
> have geolocation blocked.  They already have whole teams of highly paid
> software developers working on the DRM-specific code in their video
> streaming apps, so clearly some use of that data is made already.
>
>
>
>
>
> On Sat, Feb 4, 2023 at 11:41 PM John van Oppen  wrote:
>
>> Honestly, the only way I’ve found to fix this is completely fill it with
>> subscribers off a BNG and give support a script about what to tell
>> customers.
>>
>>
>>
>> I’ve had folks literally get the wrong TV channels because we assign
>> unused blocks in Portland Oregon out of our parent large aggregates and the
>> geo folks have our whois address in the seattle area so give them seattle
>> channels. God forbid these OTT folks just design the product right and
>> use the verified billing zip code on the account or something else that
>> actually is authoritative.
>>
>>
>>
>> *From:* NANOG  *On Behalf Of *Josh
>> Luthman
>> *Sent:* Monday, January 23, 2023 1:09 PM
>> *To:* Jared Mauch 
>> *Cc:* nanog 
>> *Subject:* Re: Increasing problems with geolocation/IPv4 access
>>
>>
>>
>> Every block I've gotten I just went through TheBrothersWisp geo location
>> page and just had them fix their information.  This includes virgin and
>> re-issued blocks from ARIN.
>>
>>
>>
>> I've had a couple of random issues like Hulu thinking I'm a VPN, PSN
>> blocking a /24 because a /32 failed his password too many times, and
>> various streaming issues of which I tell customers to complain to the
>> streaming provider because all of the other ones work.
>>
>>
>>
>> On Fri, Jan 20, 2023 at 7:32 PM Jared Mauch 
>> wrote:
>>
>> I’ve been seeing an increasing problem with IP space not having the
>> ability to be used due to the behaviors of either geolocation or worse,
>> people blocking IP space after it’s been in-use for a period of time.
>>
>> Before I go back to someone at ARIN and say “your shiny unused 4.10 IP
>> space” is non-functional and am at a place where I need to
>> start/restart/respawn the timer, I have a few questions for people:
>>
>> 1) Do you see 23.138.114.0/24 in any feeds from a security provider that
>> say it can/should be blocked?  If so, I’d love to hear from you to track
>> this down.  Over the new year we had some local schools start to block this
>> IP space.
>>
>> 2) many companies have geolocation feeds and services that exist and pull
>> in data.  The reputable people are easy to find, there are those that are
>> problematic from time-to-time (I had a few customers leave Sling due to the
>> issues with that service).
>>
>> 3) Have you had similar issues?  How are you chasing all the issues?
>> We’ve seen things from everything works except uploading check images to
>> banks, to other financial service companies block the space our customers
>> are in.  If we move them to another range this solves the problem.
>>
>> 4) We do IPv6, these places aren’t IPv6 modern at all, so that’s no help.
>>
>> 5) IRR+geofeed are 

Re: Conduit Lease/IRU Pricing

2023-02-06 Thread Mike Hammett
I would imagine that comes down to the wording of the sale and what you're 
actually buying. Are you buying the underlying asset or are you in some 
long-term lease or IRU? 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 

- Original Message -

From: "Fletcher Kittredge"  
To: "James Jun"  
Cc: "Mike Hammett" , "NANOG"  
Sent: Monday, February 6, 2023 5:57:27 AM 
Subject: Re: Conduit Lease/IRU Pricing 




A big issue you don't mention is the easement, the legal right to place 
conduit. What does it mean to buy conduit if you don't have an easement on the 
property to use the conduit? 






On Sun, Feb 5, 2023 at 5:28 PM James Jun < james@towardex.com > wrote: 


On Sun, Feb 05, 2023 at 01:15:11PM -0600, Mike Hammett wrote: 
> I've been following your work on LinkedIn. Great stuff. 
> 
> 
> I'm actually in a situation where I am on both sides of the transaction. I've 
> got a network I built that I've been asked pricing on and interested in 
> growth opportunities. One of the opportunities I have for growth quoted me at 
> roughly the cost of construction (or at least what I would budget for it, 
> anyway) for a 20-year term with a reasonably annual maintenance fee. When I 
> saw that, I kinda figured that if I was going to spend that kind of money, 
> I'd choose a permanent cost as opposed to 20-year terms and the opportunity 
> to place however many conduits I wanted as opposed to just getting one. 
> 
> 

Thanks! 

Without getting into specifics of your potential project, I can only comment on 
what I've seen and can cite examples of. 

You mentioned 'opportunity to place however many conduits I wanted' -- are you 
talking about ability to pull your own innerducts inside an empty outer conduit 
you purchase, or are you talking about a joint trench partaking, where you have 
the opportunity to pay pro-rata share of trench construction to install as many 
conduits you want to have in the ground (subject to local authority approval 
of course)? 


If it is the latter (joint trench), this is very straight forward in the 
utility industry. It often goes like this: 

- Say it costs the lead company (company who is doing the project) a figurative 
(just for example of this conversation) cost of $1 million to install 500 feet 
of 24 - 4" conduits in a large boulevard. 
- Your company proposes to jump into the trench and you want 6 - 4" conduits 
for your own backbone. 
- The most common and simple cost for you is straight-up pro-rata share: 25% of 
the trench costs for 6 ducts out of 24, so you need to pay up $250K to get your 
6 - 4" conduits. 
- If the lead company is installing smaller pull box manholes for cable pulls, 
in most cases, you will have the right of transit to use those manholes so you 
can use the very conduits you own. 
- If the lead company is installing large underground vaults, don't be 
surprised if they don't let you in it -- they'll likely require you to pay 
additional costs to install your own separate manhole, where your 6 - 4" 
conduits will break off from the main trench, and lead into your own dedicated 
4'x4' manhole. If this is not possible (i.e. road is full, local authority 
couldn't permit it due to conflict & heavy congestion with other utility lines 
in the area), then the lead company may also charge you a reasonable manhole 
license fee for you to use their vaults beyond the basic right of transit 
('beyond' as in, if you need to install a splice case or slack coil, as opposed 
to your cable simply transiting thru the said manhole). For example, Empire 
City Subway (ECS) duct system run by Verizon in NYC charges a publicized rate 
of $314/year for each splice case in an ECS manhole. 


The legal definitions of what you're exactly getting for paying that $250K 
above is largely up to the lead company and the defined contract terms of the 
Joint Trench Agreement. I've seen following cases: (a) you outright own the 
title to those 6 - 4" conduits in perpetuity; (b) you don't own the title, but 
you get an IRU or lease of 99 years to those conduits; or (c) you only get 
short-medium (5-25 years) IRU, but then it would probably have to be at a lower 
price that is more commercially reasonable to both parties. 

Case (a) can be common in joint trench projects that are organized by local 
authorities (i.e. b/c municipality required the street dig to be a joint 
trench), and lead company has no interest in maintaining any manholes or 
conduits, beyond the bare minimum required for their own cable. In these 
situations, manholes (municipalities often call them 'joint manholes') become 
effectively unmanaged chaotic no-man's land, where nobody owns the manholes, 
much less maintain them. I've seen situations where municipality had to step in 
to fix a broken manhole cover/frame, because nobody in the joint trench would 
step in to take responsibility. 

Cases (b) and (c) are often done by larger telecom 

RE: Smaller than a /24 for BGP?

2023-02-06 Thread Michael Bolton via NANOG
I’m late to the conversation, but I would have to agree with most. Below a /24 
route advertisement shouldn’t happen.

I have a /24 that I would love to advertise as 2 /25’s, but the effects on 
everyone else are just too much. I take full routes from 4 providers, and I 
certainly don’t want to add over 100K. Carriers and enterprises have to pay a 
lot for our edge routers doing BGP and most don’t want to upgrade. We would 
benefit from advertising /25’s but it hurts more than it helps.

I’m in the alarm industry and they still haven’t started adopting IPv6. If we 
allow /25 subnets, some industries will never change. In a sense, we have to 
“force” them to change.

Mike



From: NANOG  On 
Behalf Of Mike Hammett
Sent: Thursday, January 26, 2023 8:52 AM
To: Chris 
Cc: nanog@nanog.org
Subject: Re: Smaller than a /24 for BGP?


Implementing v6 is important, but unrelated to allowing smaller v4 prefixes.

Not taking a position either way if smaller v4 prefixes is good or bad.


-
Mike Hammett
Intelligent Computing Solutions
Midwest Internet Exchange
The Brothers WISP

From: "Chris" <ch...@noskillz.com>
To: "Justin Wilson (Lists)" <li...@mtin.net>
Cc: nanog@nanog.org
Sent: Wednesday, January 25, 2023 2:24:29 PM
Subject: Re: Smaller than a /24 for BGP?
I would suggest that this is trying to solve the wrong problem.  To me this is 
pressure to migrate to v6, not alter routing rules.

Kind Regards,
Chris Haun

On Tue, Jan 24, 2023 at 12:21 PM Justin Wilson (Lists) 
<li...@mtin.net> wrote:
Have there been talks about the best practices to accept things smaller than a 
/24? I am seeing more and more scenarios where folks need to participate in BGP 
but they do not need a full /24 of space.  Seems wasteful.  I know this would 
bloat the routing table immensely.  I know of several folks who could split 
their /24 into /25s across a few regions and still have plenty of IP space.



Justin Wilson
j...@j2sw.com

—
https://blog.j2sw.com - Podcast and Blog
https://www.fd-ix.com

IMPORTANT NOTICE: This e-mail message is intended to be received only by 
persons entitled to receive the confidential information it may contain. E-mail 
messages to clients of Holmes Security Systems may contain information that is 
confidential and legally privileged. Please do not read, copy, forward, or 
store this message unless you are an intended recipient of it. If you have 
received this message in error, please forward it to the sender and delete it 
completely from your computer system.
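The policy most of this thread takes for granted, written out as an added example (not any participant's router configuration): inbound announcements longer than /24 for IPv4 or /48 for IPv6 are rejected, and the script then shows what that does to the "split my /24 into two /25s" plan. The peer announcements are constructed, the length limits are an assumption reflecting common practice rather than a standard, and the documentation prefixes are placeholders.

```python
"""Inbound eBGP prefix-length policy as commonly deployed: IPv4 longer
than /24 and IPv6 longer than /48 are rejected, as are very short
prefixes.  Added example for this thread, not anyone's router config;
the announcements below are constructed and the length limits are
assumptions reflecting common practice rather than any standard."""
import ipaddress

MAX_LEN = {4: 24, 6: 48}
MIN_LEN = {4: 8, 6: 16}      # assumption: drop default routes and bogon-length aggregates

# Constructed announcements from one peer: a /24 plus the two /25s it
# would like to steer traffic with, a /25 with no covering /24, and v6.
ANNOUNCED = [
    "192.0.2.0/24", "192.0.2.0/25", "192.0.2.128/25",
    "198.51.100.0/25",
    "2001:db8::/32", "2001:db8:1::/48", "2001:db8:1:2::/64",
    "0.0.0.0/0",
]


def evaluate(prefix):
    """Policy verdict for one announced prefix."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.prefixlen > MAX_LEN[net.version]:
        return "reject", f"longer than /{MAX_LEN[net.version]}"
    if net.prefixlen < MIN_LEN[net.version]:
        return "reject", f"shorter than /{MIN_LEN[net.version]}"
    return "accept", "within policy"


def apply_policy(announced):
    """Split announcements into (accepted, rejected) lists of (prefix, reason)."""
    accepted, rejected = [], []
    for p in announced:
        verdict, reason = evaluate(p)
        (accepted if verdict == "accept" else rejected).append((p, reason))
    return accepted, rejected


def covering_route(prefix, accepted):
    """Most specific accepted route that still covers prefix, or None."""
    net = ipaddress.ip_network(prefix, strict=False)
    best = None
    for p, _ in accepted:
        cand = ipaddress.ip_network(p, strict=False)
        if cand.version == net.version and net.subnet_of(cand):
            if best is None or cand.prefixlen > best.prefixlen:
                best = cand
    return str(best) if best else None


def reachability_after_filter(announced):
    """For each rejected prefix, the accepted route that still reaches it
    (None means this peer now has no path to it at all)."""
    accepted, rejected = apply_policy(announced)
    return {p: covering_route(p, accepted) for p, _ in rejected}


if __name__ == "__main__":
    for p, cover in reachability_after_filter(ANNOUNCED).items():
        print(f"{p:20} rejected; still reachable via {cover}")
```

The practical point is in the last function: the two /25s are dropped but traffic still arrives over the covering /24, so the split only changes traffic engineering, not reachability; the /25 with no covering /24 is simply unreachable from a filtering peer.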


Looking for PoCs of rootlayer.net in Amsterdam. - AS51447 and in upstream providers

2023-02-06 Thread irish.masms

Hello NANOG – longtime lurker, first time poster.

I am requesting some assistance today with stopping a pervasive malware 
campaign being sent via email from multiple open proxies in the 
following IP blocks:

45.137.20.0 - 45.137.23.255
185.222.56.0 - 185.222.59.255

This IP space is assigned to rootlayer.net in Amsterdam. - AS51447
% Abuse contact for 'AS51447' is 'compl...@rootlayer.net'

All email has contained some sort of malicious code: ransomware, 
trojans, info sealers, and other various malware (some known and some 
brand new/not detected yet). The email content is spoofing various 
legitimate companies and banks.


Since the beginning of the year when I became involved in a particular 
customer (elderly owner of a small business), we have been sending at 
least 5 complaints a day (one for each email) to compl...@rootlayer.net, 
all reporting has been ignored. The most recent spoof & malware email 
was received at 16:33 PST 5 Feb 2023.


Frankly, we have grown tired of filing abuse complaints into the black 
hole while an elderly gentleman is being targeted. I am not sure a 
contact at Rootlayer will be helpful at this point, but if someone has a 
contact it would be appreciated.


More importantly, anyone have a contact at their upstream providers that 
may be able to beat down these criminal activities and Rootlayer?

AS49981 - WorldStream B.V.
AS49453 - Global Layer B.V.

Any assistance would be greatly appreciated – thank you.


Stay safe,

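Before filing the next report, it is worth confirming where a message actually entered your mail path rather than trusting whatever Received: lines the sender wrote. The following is an added example, not the poster's tooling: it converts the two ranges listed above to CIDR, walks the Received: chain from your own trusted hops downward, and tests the connecting address against those ranges. The message, the hostnames, the trusted-host set and the address 45.137.22.10 are constructed; only the two ranges come from the post.

```python
"""Find the connecting IP recorded by your own MX and test it against the
ranges named in this post.  Added example, not a participant's tool; the
message, hostnames and the address 45.137.22.10 are constructed, the two
ranges are the ones listed above."""
import email
import ipaddress
import re

LISTED_RANGES = [
    "45.137.20.0 - 45.137.23.255",
    "185.222.56.0 - 185.222.59.255",
]

# Assumption: these are the only hosts whose Received: headers we trust.
TRUSTED_HOSTS = {"mail.example.net", "mx1.example.net"}

# Constructed message.  The bottom Received: line was written by the sender
# and claims a clean origin; only the lines added by our own hosts count.
SAMPLE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mail.example.net with ESMTPS id abc123
    for <owner@example.net>; Sun, 5 Feb 2023 16:33:02 -0800
Received: from smtp.bank.example (unknown [45.137.22.10])
    by mx1.example.net with ESMTP; Sun, 5 Feb 2023 16:33:01 -0800
Received: from webmail.bank.example ([198.51.100.20])
    by smtp.bank.example with SMTP; Sun, 5 Feb 2023 16:32:58 -0800
From: "Example Bank" <alerts@bank.example>
Subject: Your statement is attached

body
"""

IP_RE = re.compile(r"\[([0-9a-fA-F:.]+)\]")
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def ranges_to_networks(ranges):
    """'a - b' ranges to CIDR, as you would need them for an ACL or a filter."""
    nets = []
    for r in ranges:
        lo, hi = (ipaddress.ip_address(x.strip()) for x in r.split("-"))
        nets.extend(ipaddress.summarize_address_range(lo, hi))
    return nets


def parse_received(value):
    """(connecting IP, receiving host) from one Received: header value."""
    ip = IP_RE.search(value)
    by = BY_RE.search(value)
    return (ip.group(1) if ip else None, by.group(1).lower() if by else None)


def origin_ip(raw, trusted=TRUSTED_HOSTS):
    """Connecting IP seen by the last trusted hop, walking top (newest) down."""
    msg = email.message_from_string(raw)
    origin = None
    for value in msg.get_all("Received", []):
        ip, by = parse_received(value)
        if by in trusted and ip:
            origin = ip          # keep going: deeper trusted hops are closer to the source
        else:
            break                # first untrusted hop: everything below can be forged
    return origin


def matched_range(raw, nets=None, trusted=TRUSTED_HOSTS):
    """The listed network the message came from, or None."""
    nets = ranges_to_networks(LISTED_RANGES) if nets is None else nets
    ip = origin_ip(raw, trusted)
    if ip is None:
        return None
    addr = ipaddress.ip_address(ip)
    return next((str(n) for n in nets if addr in n), None)


if __name__ == "__main__":
    print("origin", origin_ip(SAMPLE), "listed in", matched_range(SAMPLE))
```

The walk stops at the first Received: line not written by one of your own hosts, so the forged line at the bottom pointing at 198.51.100.20 never influences the result; the same CIDR list from ranges_to_networks is what you would drop into an MTA or edge ACL while waiting on the abuse desk.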

Re: Conduit Lease/IRU Pricing

2023-02-06 Thread Fletcher Kittredge
A big issue you don't mention is the easement, the legal right to place
conduit. What does it mean to buy conduit if you don't have an easement on
the property to use the conduit?



On Sun, Feb 5, 2023 at 5:28 PM James Jun  wrote:

> On Sun, Feb 05, 2023 at 01:15:11PM -0600, Mike Hammett wrote:
> > I've been following your work on LinkedIn. Great stuff.
> >
> >
> > I'm actually in a situation where I am on both sides of the transaction.
> I've got a network I built that I've been asked pricing on and interested
> in growth opportunities. One of the opportunities I have for growth quoted
> me at roughly the cost of construction (or at least what I would budget for
> it, anyway) for a 20-year term with a reasonable annual maintenance fee.
> When I saw that, I kinda figured that if I was going to spend that kind of
> money, I'd choose a permanent cost as opposed to 20-year terms and the
> opportunity to place however many conduits I wanted as opposed to just
> getting one.
> >
> >
>
> Thanks!
>
> Without getting into specifics of your potential project, I can only
> comment on what I've seen and can cite examples of.
>
> You mentioned 'opportunity to place however many conduits I wanted' -- are
> you talking about ability to pull your own innerducts inside an empty outer
> conduit you purchase, or are you talking about a joint trench partaking,
> where you have the opportunity to pay pro-rata share of trench construction
> to install as many conduits you want to have in the ground (subject to
> local authority approval of course)?
>
>
> If it is the latter (joint trench), this is very straight forward in the
> utility industry.  It often goes like this:
>
> - Say it costs the lead company (company who is doing the project) a
> figurative (just for example of this conversation) cost of $1 million to
> install 500 feet of 24 - 4" conduits in a large boulevard.
> - Your company proposes to jump into the trench and you want 6 - 4"
> conduits for your own backbone.
> - The most common and simple cost for you is straight-up pro-rata share:
> 25% of the trench costs for 6 ducts out of 24, so you need to pay up $250K
> to get your 6 - 4" conduits.
> - If the lead company is installing smaller pull box manholes for cable
> pulls, in most cases, you will have the right of transit to use those
> manholes so you can use the very conduits you own.
> - If the lead company is installing large underground vaults, don't be
> surprised if they don't let you in it -- they'll likely require you to pay
> additional costs to install your own separate manhole, where your 6 - 4"
> conduits will break off from the main trench, and lead into your own
> dedicated 4'x4' manhole.  If this is not possible (i.e. road is full, local
> authority couldn't permit it due to conflict & heavy congestion with other
> utility lines in the area), then the lead company may also charge you a
> reasonable manhole license fee for you to use their vaults beyond the basic
> right of transit ('beyond' as in, if you need to install a splice case or
> slack coil, as opposed to your cable simply transiting thru the said
> manhole).  For example, Empire City Subway (ECS) duct system run by Verizon
> in NYC charges a publicized rate of $314/year for each splice case in an
> ECS manhole.
>
>
> The legal definitions of what you're exactly getting for paying that $250K
> above is largely up to the lead company and the defined contract terms of
> the Joint Trench Agreement.  I've seen following cases: (a) you outright
> own the title to those 6 - 4" conduits in perpetuity; (b) you don't own the
> title, but you get an IRU or lease of 99 years to those conduits; or (c)
> you only get short-medium (5-25 years) IRU, but then it would probably have
> to be at a lower price that is more commercially reasonable to both parties.
>
> Case (a) can be common in joint trench projects that are organized by
> local authorities (i.e. b/c municipality required the street dig to be a
> joint trench), and lead company has no interest in maintaining any manholes
> or conduits, beyond the bare minimum required for their own cable.  In
> these situations, manholes (municipalities often call them 'joint
> manholes') become effectively unmanaged chaotic no-man's land, where nobody
> owns the manholes, much less maintain them.  I've seen situations where
> municipality had to step in to fix a broken manhole cover/frame, because
> nobody in the joint trench would step in to take responsibility.
>
> Cases (b) and (c) are often done by larger telecom installations,
> where lead company is building a true joint-use infrastructure and would
> like to maintain it over long term.  These are usually part of large duct
> systems, and the lead company would typically take charge in maintaining
> the entirety of the trench and its manholes over their lifetime; as such,
> members of such joint trench systems will be separately charged maintenance
> fee as previously discussed.
>
>
> Outside