Re: Longest prepend( 255 times) as path found

2022-08-25 Thread Alejandro Acosta

Hello Alistair,

  Are you sure there is one about excess prepends? I just took a look 
and I did not find any.


  I found one about filtering long as-paths but not specifically about 
prepends.



Thanks,


Alejandro,


On 25/8/22 10:31 AM, Alistair Mackenzie wrote:
There are some generally accepted and useful filters found at 
https://bgpfilterguide.nlnog.net/. There is one which covers excess 
prepends.


On Thu, 25 Aug 2022 at 15:25, anonymous  wrote:

Hey everyone,

Too many hops found as below.
Usually, what should we do? Should we filter it?

91.246.12.0/24 


                      AS path: 4788 9002 41313 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 I

                      AS path: 9930 9002 41313 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 I

/noname
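The check Alistair points at (reject routes with an excessively long AS path or a long run of prepends) can be prototyped outside the router. The script below is an added example for this thread, not code from the thread or from bgpfilterguide.nlnog.net; the thresholds MAX_PATH_LEN and MAX_PREPENDS are assumptions chosen for illustration, and the first sample input reconstructs the path quoted above (three transit ASNs followed by AS51196 prepended 255 times).

```python
"""Flag BGP routes whose AS path is abnormally long or carries a run of prepends.

Added example for the "longest prepend" thread; not code from the thread or from
bgpfilterguide.nlnog.net. Thresholds are assumptions for illustration only.
"""
import re
from typing import Dict, List, Tuple

MAX_PATH_LEN = 50   # assumption: more AS hops than this is treated as abusive
MAX_PREPENDS = 10   # assumption: more consecutive repeats of one ASN is excessive


def parse_as_path(line: str) -> List[int]:
    """Return the AS numbers from a router 'AS path:' line.

    The trailing origin code that Junos-style output appends ('I', 'E', '?')
    is not a number and is left out of the result.
    """
    m = re.search(r"AS path:\s*([0-9][0-9 \n]*)", line)
    if m is None:
        raise ValueError("no 'AS path:' field in input")
    return [int(tok) for tok in m.group(1).split()]


def longest_prepend_run(path: List[int]) -> Tuple[int, int]:
    """Return (asn, run_length) for the longest run of one ASN repeated back to back."""
    best_asn, best_run = path[0], 0
    cur_asn, cur_run = None, 0
    for asn in path:
        if asn == cur_asn:
            cur_run += 1
        else:
            cur_asn, cur_run = asn, 1
        if cur_run > best_run:
            best_asn, best_run = cur_asn, cur_run
    return best_asn, best_run


def check_as_path(line: str) -> Dict[str, object]:
    """Summarise one 'AS path:' line and report which thresholds it exceeds."""
    path = parse_as_path(line)
    asn, run = longest_prepend_run(path)
    return {
        "hops": len(path),
        "distinct_asns": len(set(path)),
        "prepend_asn": asn,
        "prepend_run": run,
        "too_long": len(path) > MAX_PATH_LEN,
        "excess_prepend": run > MAX_PREPENDS,
    }


# Constructed inputs: the first mirrors the path quoted in the thread
# (3 transit ASNs, then AS51196 prepended 255 times); the second is a normal path.
SAMPLE_ABUSIVE = "AS path: 4788 9002 41313 " + " ".join(["51196"] * 255) + " I"
SAMPLE_NORMAL = "AS path: 9930 9002 41313 51196 51196 51196 I"

if __name__ == "__main__":
    for sample in (SAMPLE_ABUSIVE, SAMPLE_NORMAL):
        print(check_as_path(sample))
```

Run as-is it prints one summary per sample; the abusive path reports 258 hops with a 255-long run of AS51196 and trips both thresholds, the normal path (three prepends) trips neither. A real deployment would express the same two conditions as a route policy on the router rather than in Python.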


Hardware & Software IPv6 Only

2022-06-29 Thread Alejandro Acosta

Hello,

  Sorry for the noise. Hopefully this is a good place to ask.

  Is there any IPv6-only hardware you are aware of? And IPv6-only 
software too?


  If so, and you don't mind, you can contact me off-list.


Thanks,


Alejandro,



Re: FYI - 2FA to be come mandatory for ARIN Online? (was: Fwd: [arin-announce] Consultation on Requiring Two-Factor Authentication (2FA) for ARIN Online Accounts

2022-05-28 Thread Alejandro Acosta
Hello,
  I am not in the ARIN region but I have attended a few ARIN meetings.
  As a comment, I live in a country where mobile roaming does not exist;
therefore, when 2FA only works with SMS I cannot use the service. Having
said that, please consider at least one more way to perform 2FA, maybe sending
a code to the email address or something else.

My two cents,

Alejandro,
PS: If you have already thought about this, sorry for the noise.

On Tue, May 24, 2022, 2:29 PM John Curran  wrote:

> NANOGers -
>
> A consultation opened today on potentially requiring use of 2-factor
> authentication to login into ARIN Online – this would take place once SMS
> 2FA is deployed.   If you think that this is: a) a great idea, b) a bad
> idea, c) anything else, then feel free to subscribe to the arin-consult
> mailing list (open to all at
> http://lists.arin.net/mailman/listinfo/arin-consult) and provide your
> feedback.
>
> Best wishes,
> /John
>
> John Curran
> President and CEO
> American Registry for Internet Numbers
>
>
> Begin forwarded message:
>
> *From: *ARIN 
> *Subject: **[arin-announce] Consultation on Requiring Two-Factor
> Authentication (2FA) for ARIN Online Accounts*
> *Date: *24 May 2022 at 12:45:48 PM EDT
> *To: *"arin-annou...@arin.net" 
>
> **Background**
>
> In 2015, ARIN deployed a Time-Based One-Time password (TOTP)
> implementation of Two-Factor Authentication (2FA). Since the time of
> implementing that login security feature, 3.2 percent of ARIN Online users
> have opted to use 2FA with their accounts.
>
> Since October 2020, the ARIN Online system has been subject to a series of
> dictionary-based password guessing attacks. In March of 2021, we conducted
> ACSP Consultation 2021.2: Password Security for ARIN Online Accounts (
> https://www.arin.net/participate/community/acsp/consultations/2021/2021-2/)
> on proposed improvements to increase account security. This consultation
> resulted in an agreement to move forward with several improvements that
> have subsequently been deployed. However, we continue to see frequent
> attacks on our log-in systems, and ARIN staff continues to be heavily
> engaged in mitigating these attacks. Accounts not using 2FA are susceptible
> to these attacks. We recently updated the community on this topic during
> ARIN 49 held in Nashville and online in April. You can review this
> information from the ARIN 49 Meeting Report (
> https://www.arin.net/participate/meetings/ARIN49/) by looking for the
> presentation titled “Brute Force Login Attacks”.
>
> It is our intention to make 2FA mandatory for all existing and new ARIN
> Online accounts going forward. The security of ARIN Online accounts is
> paramount to the success of the registry, and we do not believe it is
> tenable to continue without making 2FA required for all ARIN Online
> accounts.
>
> We are currently developing a second method of 2FA use with ARIN Online to
> add to our long-deployed TOTP implementation. In the coming months, we will
> deploy a Short Message Service (SMS) 2FA implementation, thereby adding a
> second 2FA option for ARIN Online users. At that time, users will be able
> to choose between two types of 2FA – SMS and TOTP.   Adoption of TOTP 2FA
> has been limited in part due to perceived complexity, and the addition of
> SMS-based 2FA will provide a second option that is easier to use for many
> customers – and provide much more protection than the simple
> username-password condition of many ARIN Online user accounts today.  (ARIN
> also plans on adding support for a third 2FA option in the future – Fast
> Identity Online 2 (FIDO2) – in response to community suggestions, but we do
> not believe it is prudent to delay requiring 2FA on ARIN Online accounts
> until that third option becomes available.)
>
> **Requiring 2FA For ARIN Online Accounts**
>
> By requiring 2FA for ARIN Online accounts that control number resources,
> the ARIN community should see stronger security for the registry, reduced
> risk of account fraud attempts, and increased confidence in the integrity
> of their ARIN resources.
>
> ARIN intends to require 2FA for all ARIN Online accounts shortly after
> SMS-based 2FA authentication is generally available.  We are seeking
> confirmation from the ARIN community regarding this plan, and ask the
> following consultation question:
>
> ---
> Once SMS-based two-factor authentication (2FA) is available for ARIN
> Online, do you believe ARIN *should not* proceed with requiring 2FA
> authentication (SMS-based or TOTP) for all ARIN Online accounts?  If so,
> why?
> ---
>
> The feedback you provide during this consultation will help form our path
> forward to increasing the security of ARIN Online for all customers. Thank
> you for your participation in the ARIN Consultation and Suggestion Process.
> Please provide comments to arin-cons...@arin.net. You can subscribe to
> this mailing list at:
>
> http://lists.arin.net/mailman/listinfo/arin-consult
>
> This 
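The TOTP option ARIN describes is RFC 6238: an HMAC over the current 30-second time step, truncated to six digits. The block below is an added example of that mechanism and of how a server side verifies it; it is not ARIN's code and says nothing about how ARIN Online implements 2FA. The secret is the RFC 4226/6238 test-vector secret, not a real key, and the replay guard (remembering the last time step accepted per account) is an added design choice.

```python
"""RFC 6238 TOTP generation and verification with a small clock-skew window.

Added example for the 2FA discussion; not ARIN's code. DEMO_SECRET is the
RFC 4226/6238 test-vector secret, used here only so the output is checkable.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # typical authenticator-app code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Verifies submitted codes; one instance per account's shared secret."""

    def __init__(self, secret: bytes, window: int = 1,
                 digits: int = DIGITS, step: int = STEP_SECONDS):
        self.secret = secret
        self.window = window        # accept codes from +/- this many steps of clock skew
        self.digits = digits
        self.step = step
        self.last_step_used = -1    # replay guard: highest time step already accepted

    def verify(self, code: str, unix_time: int) -> bool:
        """True if `code` matches a time step within the skew window and was not used before."""
        now_step = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            step = now_step + delta
            if step <= self.last_step_used:
                continue            # that step's code was already consumed: treat as replay
            expected = hotp(self.secret, step, self.digits)
            # constant-time compare so response timing does not leak matching digits
            if hmac.compare_digest(expected, code):
                self.last_step_used = step
                return True
        return False


# Constructed demo secret: the ASCII RFC test-vector secret, not a real key.
DEMO_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    v = TotpVerifier(DEMO_SECRET)
    code = totp(DEMO_SECRET, 59)
    # The same code is accepted once, then rejected as a replay.
    print(code, v.verify(code, 59), v.verify(code, 59))
```

A password-guessing bot of the kind the announcement describes has to guess a fresh six-digit code per 30-second window on top of the password; the verifier's replay guard also means a code captured in transit cannot be reused inside its window. The one-step skew window is the usual compromise between tolerating client clock drift and widening the guessing surface.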

Re: New minimum speed for US broadband connections

2021-08-23 Thread Alejandro Acosta

Hello there,

  The other day I was in a place with very limited internet access 
and I recalled this thread. Sometimes speed is important, and many times 
the amount of data we transfer is too.


  I wonder (sorry if there is one and I'm not aware of it) whether there is 
some kind of data-per-month suggestion/definition: 1 GB, 10 GB, 50 GB, 100 GB?


  I mean, in the same way there is a minimum speed definition, there 
could also be a minimum "data per day/month" definition, am I right?



Thanks,


Alejandro,



On 27/5/21 8:29 PM, Sean Donelan wrote:


What should be the new minimum speed for "broadband" in the U.S.?


This is the list of past minimum broadband speed definitions by year

year  speed

1999  200 kbps in both directions (this was chosen as faster than 
dialup/ISDN speeds)

2000  200 kbps in at least one direction (changed because too many 
service providers had 128 kbps upload)

2010  4 Mbps down / 1 Mbps up

2015  25 Mbps down / 3 Mbps up (wired)
      5 Mbps down / 1 Mbps up (wireless)

2021  ??? / ??? (some Senators propose 100/100 Mbps)

Not only in major cities, but also rural areas

Note, the official broadband definition only means service providers 
can't advertise it as "broadband" or qualify for subsidies; not that 
they must deliver better service.




Re: Uganda Communications Commission shutdown order

2021-01-13 Thread Alejandro Acosta



On 13/1/21 4:05 PM, Sean Donelan wrote:


The Uganda Communications Commission has issued a shutdown order for 
the operation of all Internet gateways in Uganda beginning January 13, 
2021 until further notice.


I can't access the official Uganda Communications Commission website, 
but this appears to be a copy of the order


https://twitter.com/DougColtart/status/1349442878481846272/photo/1



So sad to read this. How is it possible to think this is good for 
anybody? OK, maybe for the very high politicians of the country, but 
no one else. No fewer than 44 million people negatively affected.



That's it.


Alejandro,






Re: RFC 5549 - IPv4 Routes with IPv6 next-hop - Does it really exists?

2020-07-29 Thread Alejandro Acosta

Long time ago I tried it out:

https://blog.acostasite.com/2013/02/publicar-prefijos-ipv4-sobre-una-sesion.html

https://blog.acostasite.com/2013/02/publicando-prefijos-ipv6-sobre-sesiones.html


I did not like it; difficult troubleshooting in case something goes wrong 
(however, I can understand it's a nice feature to have and it might be 
useful in some scenarios).



But you are right, I do not know much about networks doing it; I also 
would like to hear about it.



Alejandro,


On 7/29/20 1:51 AM, Douglas Fischer wrote:
Let's just skip all the arguing about the lack of IPv4, the need for IPv6, 
etc.


I must confess that I don't know all the RFCs.
I would like it, but I don't!

And today, I reached on https://tools.ietf.org/html/rfc5549

I knew that it was possible to transfer v4 routes over v6 BGP sessions, 
or v6 routes over v4 BGP sessions.
But I was surprised when I saw this YouTube video of the AMS-IX guys 
considering using a v6-only LAN and doing v6 next-hops for v4 routes.

https://www.youtube.com/watch?v=uJOtfiHDCMw

Well... I guess that idea didn't go to production.



But the questions are:
Is there any network that really implements RFC 5549?
Can anyone share some information about it?

--
Douglas Fernando Fischer
Engº de Controle e Automação


Re: 60 ms cross-continent

2020-06-21 Thread Alejandro Acosta



On 6/21/20 1:53 PM, Brett Frankenberger wrote:

On Sun, Jun 21, 2020 at 02:17:08PM -0300, Rubens Kuhl wrote:

On Sat, Jun 20, 2020 at 5:05 PM Marshall Eubanks 
wrote:


This was also pitched as one of the killer-apps for the SpaceX
Starlink satellite array, particularly for cross-Atlantic and
cross-Pacific trading.


https://blogs.cfainstitute.org/marketintegrity/2019/06/25/fspacex-is-opening-up-the-next-frontier-for-hft/

"Several commentators quickly caught onto the fact that an extremely
expensive network whose main selling point is long-distance,
low-latency coverage has a unique chance to fund its growth by
addressing the needs of a wealthy market that has a high willingness
to pay — high-frequency traders."



This is a nice plot for a movie, but not how HFT is really done. It's so
much easier to colocate on the same datacenter of the exchange and run
algorithms from there; while those algorithms need humans to guide their
strategy, the human thought process takes a couple of seconds anyways. So
the real HFTs keep using the defined strategy while the human controller
doesn't tell it otherwise.

For faster access to one exchange, yes, absolutely, colocate at the
exchange.  But there's more then one exchange.

As one example, many index futures trade in Chicago.  The stocks that
make up those indices mostly trade in New York.  There's money to be
made on the arbitrage, if your Chicago algorithms get faster
information from New York (and vice versa) than everyone else's
algorithms.

More expensive but shorter fiber routes have been build between NYC and
Chicago for this reason, as have a microwave paths (to get
speed-of-light in air rather than in glass).  There's competition to
have the microwave towers as close as possible to the data centers,
because the last mile is fiber so the longer your last mile, the less
valuable your network.

https://www.bloomberg.com/news/features/2019-03-08/the-gazillion-dollar-standoff-over-two-high-frequency-trading-towers



... and similar to this: 
https://www.extremetech.com/extreme/122989-1-5-billion-the-cost-of-cutting-london-toyko-latency-by-60ms





  -- Brett


Re: 60 ms cross-continent

2020-06-20 Thread Alejandro Acosta

Hello,

  Taking advantage of this thread, may I ask something? I have heard of 
"wireless fiber optic", something like an antenna with a laser pointing 
from one building to the other. Having said this, can I assume this link 
will have lower RTT than a laser through a fiber optic made of glass?



Thanks,


Alejandro,


On 6/20/20 1:11 PM, Dave Cohen wrote:
Doing some rough back of the napkin math, an ultra low-latency path 
from, say, the Westin to 1275 K in Seattle will be in the 59 ms range. 
This is considerably longer than the I-90 driving distance would 
suggest because:
- Best case optical distance is more like 5500 km, in part because the 
path actually will go Chicago-NJ-WDC and in part because a distance of 
5000 km by right-of-way will be more like 5500 km when you account for 
things like maintenance coils, in-building wiring, etc.
- You’ll need (at least) three OEO regens on that distance, since 
there’s no value in spending 5x to deploy an optical system that 
wouldn’t need to (like the ones that would manage that distance 
subsea). This is in addition to ~60 in-line amplification nodes, 
although that adds significantly less latency even in aggregate


Some of that is simply due to cost savings. In theory, you could 
probably spend a boatload of money to build a route that cuts off some 
of the distance inefficiency and gets you closer to 4500 km optical 
distance with minimal slack coil, and maybe no regens, so you get a 
real-world performance of 46 ms. But there are no algo trading sites 
of importance in DC, and for everybody else there’s not enough money 
in the difference between 46 and 59 ms for someone to go invest in 
that type of deployment.


Dave Cohen
craetd...@gmail.com


On Jun 20, 2020, at 12:44 PM, Tim Durack  wrote:


And of course in your more realistic example:

2742 miles = 4412 km ~ 44 ms optical rtt with no OEO in the path

On Sat, Jun 20, 2020 at 12:36 PM Tim Durack  wrote:


Speed of light in glass ~200 km/s

100 km rtt = 1ms

Coast-to-coast ~6000 km ~60ms

Tim:>

On Sat, Jun 20, 2020 at 12:27 PM William Herrin  wrote:

Howdy,

Why is latency between the east and west coasts so bad? Speed of light
accounts for about 15ms each direction for a 30ms round trip. Where
does the other 30ms come from and why haven't we gotten rid of it?

c = 186,282 miles/second
2742 miles from Seattle to Washington DC mainly driving I-90

2742/186282 ~= 0.015 seconds

Thanks,
Bill Herrin

-- 
William Herrin

b...@herrin.us 
https://bill.herrin.us/



-- 
Tim:>




--
Tim:>


Re: Partial vs Full tables

2020-06-09 Thread Alejandro Acosta

Hello,

  Some time ago we had a similar discussion on this list; at that 
moment I shared a small study we did in LACNIC, but we had it only in 
Spanish. Here is the version in English (BGP: To filter or not to filter 
by prefix size. That is the question):



https://.acostasite.com/2019/07/bgp-to-filter-or-not-to-filter-by.html



Alejandro,



On 6/4/20 11:00 PM, James Breeden wrote:
I have been doing a lot of research recently on operating networks 
with partial tables and a default to the rest of the world. Seems like 
an easy enough approach for regional networks where you have maybe 
only 1 upstream transit and some peering.


I come to NANOG to get feedback from others who may be doing this. We 
have 3 upstream transit providers and PNI and public peers in 2 
locations. It'd obviously be easy to transition to doing partial 
routes for just the peers, etc, but I'm not sure where to draw the 
line on the transit providers. I've thought of straight preferencing 
one over another. I've thought of using BGP filtering and community 
magic to basically allow Transit AS + 1 additional AS (Transit direct 
customer) as specific routes, with summarization to default for the 
rest. I'm sure there are other thoughts that I haven't had about this 
as well


And before I get asked why not just run full tables, I'm looking at 
regional approaches to being able to use smaller, less powerful 
routers (or even layer3 switches) to run some areas of the network 
where we can benefit from summarization and full tables are really 
overkill.



*James W. Breeden*

/Managing Partner/


*Arenal Group:* Arenal Consulting Group | Acilis Telecom | Pines Media

PO Box 1063 | Smithville, TX 78957

Email: ja...@arenalgroup.co  | office 
512.360. | www.arenalgroup.co 




Re: Route aggregation w/o AS-Sets

2020-04-13 Thread Alejandro Acosta
Hello Lars,

 As a comment, there is a draft that proposes to deprecate AS_SET:
https://datatracker.ietf.org/doc/draft-ietf-idr-deprecate-as-set-confed-set/?include_text=1


Alejandro,


On 4/11/20 7:09 AM, Lars Prehn wrote:
> Hi everyone,
>
> how exactly do you aggregate routes? When do you add the AS_SET
> attribute, when do you omit it? How does the latter interplay with RPKI?
>
> Best regards,
>
> Lars
>
>




Re: Internet services in Antarctica

2020-01-20 Thread Alejandro Acosta
Hello,

On 1/20/20 6:13 AM, Ask Bjørn Hansen wrote:
> Hi,
>
> I have a hobby project running DNS service to people looking for NTP public 
> servers. I noticed that the DNS servers apparently get ~5 thousand queries 
> per day from IPs that the GeoIP database we use claim are in in Antarctica. 
> It’s less than 0.0001% of the overall DNS queries, 


My apologies for my sideline question: where did you get the number of
the overall DNS queries? Or did you just say a random number into the air?


Thanks,

Alejandro,


> but it made me curious what it’d take to make the service work better there.
>
> I imagine the internet service is fragmented between the various stations 
> with each being best connected to a particular country? Does anyone have 
> contacts there that I could talk to?  I imagine (some of?) the stations would 
> have a local NTP service as part of their compute facilities.
>
>
> Ask
>




Re: Traffic ratio of an ISP

2019-06-19 Thread Alejandro Acosta
Hello,

  Many years ago I read somewhere that the ratio between inbound and
outbound traffic we used to see at that time was going to change in the
future; the reason they mentioned at that time was that the
applications would change their behavior, things like Dropbox, Gdrive
and others would consume upload traffic. I guess these hypotheses
remained in the past.

Alejandro,


On 6/19/19 11:05 AM, Prasun Dey wrote:
> Hello,
> Good morning.
> I’m a Ph.D. candidate from University of Central Florida. I have a
> query, I hope you can help me with it or at least point me to the
> right direction.
> I’ve seen from PeeringDB that every ISP reveals its traffic ratio as
> Heavy/ Mostly Inbound or Balanced or Heavy/ Mostly Outbound. 
> I’m wondering if there is any specific ratio numbers for them. In
> Norton’s Internet Peering Playbook or some other literary work, they
> mention the outbound:inbound traffic ratio as 1:1.2 to up to 1:3 for
> Balanced. But, I couldn’t find the other values.
> I’d really appreciate your help if you can please mention what
> Outbound:Inbound ratios that network admins use frequently to
> represent their traffic ratios for 
> 1. Heavy Inbound:
> 2. Mostly Inbound:
> 3. Mostly Outbound:
> 4. Heavy Outbound:
>
> Thank you.
> -
> Prasun
> -- 
> Sincerely,
> Prasun Kanti Dey,
> Ph.D. candidate,
> Dept. of Electrical and Computer Engineering,
> University of Central Florida.




Re: someone is using my AS number

2019-06-12 Thread Alejandro Acosta
Unfortunately RPKI is not useful in this case.

Question: What else could be done to prevent this?


Alejandro,



On 6/12/19 12:05 PM, Philip Lavine via NANOG wrote:
> What is the procedure to have another party to cease and desist in
> using my AS number?
>
> Thx




Re: BGP prefix filter list

2019-05-22 Thread Alejandro Acosta
Hello..., you are totally right; the first reason that came to my mind is 
traffic engineering, but there are other reasons too.


On 5/22/19 12:40 PM, Tom Beecher wrote:
There are sometimes legitimate reasons to have a covering aggregate 
with some more specific announcements. Certainly there's a lot of 
cleanup that many should do in this area, but it might not be the best 
approach to this issue.


On Tue, May 21, 2019 at 5:30 AM Alejandro Acosta  wrote:



On 5/20/19 7:26 PM, John Kristoff wrote:
> On Mon, 20 May 2019 23:09:02 +
> Seth Mattinen  wrote:
>
>> A good start would be killing any /24 announcement where a covering
>> aggregate exists.
> I wouldn't do this as a general rule.  If an attacker knows networks are
> 1) not pointing default, 2) dropping /24's, 3) not validating the
> aggregates, and 4) no actual legitimate aggregate exists, (all
> reasonable assumptions so far for many /24's), then they have a pretty
> good opportunity to capture that traffic.


+1 John

Seth's approach could be an option _only_ if the prefix has a covering
aggregate && the origin AS is the same


> John



Re: BGP prefix filter list

2019-05-21 Thread Alejandro Acosta



On 5/20/19 7:26 PM, John Kristoff wrote:

On Mon, 20 May 2019 23:09:02 +
Seth Mattinen  wrote:


A good start would be killing any /24 announcement where a covering
aggregate exists.

I wouldn't do this as a general rule.  If an attacker knows networks are
1) not pointing default, 2) dropping /24's, 3) not validating the
aggregates, and 4) no actual legitimate aggregate exists, (all
reasonable assumptions so far for many /24's), then they have a pretty
good opportunity to capture that traffic.



+1 John

Seth's approach could be an option _only_ if the prefix has a covering 
aggregate && the origin AS is the same




John


Re: BGP prefix filter list

2019-05-18 Thread Alejandro Acosta

Hello Amir,

On 5/18/19 1:08 PM, Amir Herzberg wrote:
This discussion is very interesting, I didn't know about this problem, 
it has implications to our work on routing security, thanks!


You're welcome..., since long ago I have wanted to expose our findings in 
English.





On Sat, May 18, 2019 at 11:37 AM Alejandro Acosta  wrote:



   If you learn, let's say, up to /22 (v4), and someone hijacks one /21,
you will learn the legitimate prefix and the hijacked prefix. Now, the
owner of the legitimate prefix wants to defend their routes by announcing
/23 or /24; of course those prefixes won't be learnt if they are filtered.


I wonder if this really is a consideration to avoid filtering small 
prefixes (e.g. /24):



My position is exactly the opposite.




- attackers are quite likely to  do sub-prefix hijacks (or say a 
specific /24), so I'm not sure this `hits' defenders more than it 
`hits' attackers



Yes, you are right, but anyhow -IMHO- this is still better than not 
learning small prefixes at all.



- I think we're talking only/mostly about small providers here, right? 
as larger providers probably will not have such problems of tables 
exceeding router resources. I expect such small providers normally 
connect thru several tier-2 or so providers... if these upper-tier 
providers get hijacked, the fact you've prevented this at the 
stub/multihome ISP may not help much - we showed how this happens with 
ROV in our NDSS paper on it:
https://www.ndss-symposium.org/ndss2017/ndss-2017-programme/are-we-there-yet-rpkis-deployment-and-security/




You are right here.

Thanks for the link, I will take a look.


Alejandro,




Amir Herzberg
Comcast professor for security innovation
Dept. of Computer Science and Engineering, University of Connecticut

Foundations of Cybersecurity: 
https://www.researchgate.net/project/Lecture-notes-on-Introduction-to-Cyber-Security


Homepage: https://sites.google.com/site/amirherzberg/home


Re: BGP prefix filter list

2019-05-18 Thread Alejandro Acosta

Hello,

   As a comment, after receiving several complaints and after looking at 
many cases, we evaluated what is better to cut the table size: filtering 
"big" networks or "small" networks.  Of course this is a difficult 
scenario and I guess there are mixed thoughts about this; however, we 
concluded that the people (networks) that are less affected are those who 
learn small network prefixes (such as /24, /23, /22, /21 in the v4 world).


  If you learn, let's say, up to /22 (v4), and someone hijacks one /21, 
you will learn the legitimate prefix and the hijacked prefix. Now, the 
owner of the legitimate prefix wants to defend their routes by announcing 
/23 or /24; of course those prefixes won't be learnt if they are filtered.


  We published this some time ago (sorry, in Spanish): 
http://w4.labs.lacnic.net/site/BGP-network-size-filters



That's it, my two cents.


Alejandro,



On 5/15/19 7:43 AM, Baldur Norddahl wrote:

Hello

This morning we apparently had a problem with our routers not handling 
the full table. So I am looking into culling the least useful prefixes 
from our tables. I can hardly be the first one to take on that kind of 
project, and I am wondering if there is a ready made prefix list or 
similar?


Or maybe we have a list of worst offenders? I am looking for ASN that 
announces a lot of unnecessary /24 prefixes and which happens to be 
far away from us? I would filter those to something like /20 and then 
just have a default route to catch all.


Thanks,

Baldur
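The three filtering rules discussed in this thread (cut everything longer than a given length; drop a /24 whenever a covering aggregate exists; drop it only when the aggregate comes from the same origin AS, as suggested in the later replies) can be compared on a small table to see which routes each one discards. The script below is an added example, not code from LACNIC's study or from any poster; the route table is constructed from private address space to model the hijack scenario described above (an owner whose /21 is hijacked and who answers with a /24 more-specific), plus a same-origin traffic-engineering /24, a customer /24 inside a provider's /22, and a lone /24 with no aggregate at all.

```python
"""Compare three ways of trimming more-specific prefixes from a BGP table.

Added example for the prefix-size filtering discussion; not code from LACNIC's
study or from any poster. The table is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    origin_as: int


def route(prefix: str, origin_as: int) -> Route:
    return Route(ipaddress.ip_network(prefix), origin_as)


# Constructed table (private space) modelling the thread's scenario:
# AS64500 owns 10.10.0.0/21; AS64666 hijacks that same /21; AS64500 answers with
# a /24 more-specific. AS64510 announces an aggregate plus a traffic-engineering
# /24; AS64530 is a customer inside AS64510's /22; AS64520 announces a lone /24
# with no covering aggregate at all.
TABLE = [
    route("10.10.0.0/21", 64500),
    route("10.10.0.0/21", 64666),
    route("10.10.0.0/24", 64500),
    route("10.20.0.0/22", 64510),
    route("10.20.1.0/24", 64510),
    route("10.20.2.0/24", 64530),
    route("10.30.5.0/24", 64520),
]


def covering_aggregates(r: Route, table: List[Route]) -> List[Route]:
    """Routes in the table that are strictly less specific than r and contain it."""
    return [a for a in table
            if a.prefix.prefixlen < r.prefix.prefixlen and r.prefix.subnet_of(a.prefix)]


def filter_max_length(table: List[Route], max_len: int) -> List[Route]:
    """Rule 1: drop anything longer than /max_len, whether or not an aggregate exists."""
    return [r for r in table if r.prefix.prefixlen <= max_len]


def filter_covered(table: List[Route], same_origin_only: bool, min_len: int = 24) -> List[Route]:
    """Rules 2 and 3: drop a /min_len-or-longer route when a covering aggregate exists.

    same_origin_only=False is "kill any /24 with a covering aggregate";
    same_origin_only=True drops it only when one of the aggregates has the same
    origin AS, so a more-specific from a different origin survives.
    """
    kept = []
    for r in table:
        if r.prefix.prefixlen < min_len:
            kept.append(r)
            continue
        aggs = covering_aggregates(r, table)
        if same_origin_only:
            aggs = [a for a in aggs if a.origin_as == r.origin_as]
        if not aggs:
            kept.append(r)
    return kept


def kept_prefixes(routes: List[Route]) -> List[str]:
    """Readable form of a filtered table, in table order."""
    return [f"{r.prefix} AS{r.origin_as}" for r in routes]


if __name__ == "__main__":
    print("max /22:          ", kept_prefixes(filter_max_length(TABLE, 22)))
    print("covered:          ", kept_prefixes(filter_covered(TABLE, same_origin_only=False)))
    print("covered, same AS: ", kept_prefixes(filter_covered(TABLE, same_origin_only=True)))
```

Under the plain max-length rule the owner's defensive 10.10.0.0/24 is dropped together with the lone 10.30.5.0/24 (reachable afterwards only via a default route), which is the point made above about who is hurt by length filters. The covering-aggregate rules keep the lone /24; the same-origin variant additionally keeps the customer's 10.20.2.0/24 because its aggregate has a different origin. Note that the defensive /24 is dropped by all three rules, since the owner's own /21 is still in the table next to the hijacked copy.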



Re: NTP question

2019-05-01 Thread Alejandro Acosta
Hello,

  As others have commented before, it looks like you need an outdoor antenna;
however, reading the specs, it says:


"The built in high sensitivity GPS receiver is able to lock multiple
satellites from within multiple buildings or from a window location*,
eliminating the requirement that an outdoor antenna be installed*."


Weird.


Alejandro,



El 1/5/19 a las 15:22, Mehmet Akcin escribió:
> hey there Nanog,
>
> I am trying to buy a GPS based NTP server like this one 
>
> https://timemachinescorp.com/product/gps-time-server-tm1000a/
>
> but I will be placing this inside a data center, do these need an
> actual view of a sky to be able to get signal or will they work fine
> inside a data center building? if you have any other hardware
> requirements to be able to provide stable time service for hundreds of
> customers, please let me know.
>
> mehmet
>
>


Re: RTBH no_export

2019-01-31 Thread Alejandro Acosta
One more thing: RFC7999 has category Informational.

El 31/1/19 a las 16:21, Theodore Baschak escribió:
>
>> On Jan 31, 2019, at 1:28 PM, Roel Parijs  wrote:
>>
>> For our BGP customers the problem is more complex. Our BGP customers
>> can send us the RTBH community, and we will drop the traffic at our
>> borders. Since we're only running a small network, we don't have the
>> capacity to deal with large attacks. If we would be able to forward
>> (and maybe alter it) this RTBH community towards our upstream
>> providers, the impact on our network would be limited. However, the
>> RFC states that an announcement tagged with the blackhole community
>> should get the no_advertise or no_export community.
>>
>> What is your opinion on this ?
>>
>
> In RFC7999 section 3.2 the first paragraph talks about what you're
> mentioning, NO_EXPORT and/or NO_ADVERTISE. It uses the word SHOULD.
> SHOULD has special meaning in RFCs; it's not MUST. It's also not MAY.
> RFC2119 talks about the way these words should be interpreted. 
>
> In the next paragraph it says that extreme caution should be used when
> "purposefully propagating IP prefixes tagged with the BLACKHOLE
> community outside the local routing domain, unless policy explicitly
> aims at doing just that."
>
> So if your local routing policy is to propagate those blackholes on to
> your upstreams (and its mutually agreed and they're configured to
> accept them), then it can be done. Nothing technical in the RFC
> stopping that. 
>
> Theo
>
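Theo's reading of RFC 7999 (NO_EXPORT/NO_ADVERTISE by default, propagation only where local policy explicitly aims at it and the upstream has agreed) can be written down as two policy functions: one applied when a customer's BLACKHOLE-tagged route is imported, one applied when deciding what goes to an upstream. The block below is an added example, not anyone's router configuration. The community values for BLACKHOLE (RFC 7999) and NO_EXPORT/NO_ADVERTISE (RFC 1997) are the well-known ones; the customer prefix lists, the upstream's own blackhole community, the discard next hop and the host-route-only restriction are constructed assumptions for the example.

```python
"""Policy model for RFC 7999 BLACKHOLE routes: customer import and upstream export.

Added example for the RTBH/NO_EXPORT discussion; not a real configuration.
Well-known community values are from RFC 7999 and RFC 1997; everything
about the customers and the upstream is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

Community = Tuple[int, int]
BLACKHOLE: Community = (65535, 666)       # RFC 7999 well-known BLACKHOLE
NO_EXPORT: Community = (65535, 65281)     # RFC 1997 NO_EXPORT (0xFFFFFF01)
NO_ADVERTISE: Community = (65535, 65282)  # RFC 1997 NO_ADVERTISE (0xFFFFFF02)

DISCARD_NEXT_HOP = "192.0.2.1"  # assumption: a next hop routed to discard on the borders


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    communities: Set[Community] = field(default_factory=set)
    next_hop: Optional[str] = None


@dataclass
class Customer:
    asn: int
    allowed_prefixes: Tuple[ipaddress.IPv4Network, ...]  # space this customer may blackhole
    may_propagate_upstream: bool = False  # explicit agreement to forward their RTBH upstream


@dataclass
class Upstream:
    asn: int
    accepts_blackhole: bool        # mutually agreed, per the thread
    blackhole_community: Community  # the upstream's own convention ("alter it" on the way out)


def make_route(prefix: str, *communities: Community) -> Route:
    return Route(ipaddress.ip_network(prefix), set(communities))


def make_customer(asn: int, prefixes: Tuple[str, ...], propagate: bool) -> Customer:
    return Customer(asn, tuple(ipaddress.ip_network(p) for p in prefixes), propagate)


def import_from_customer(r: Route, c: Customer) -> Optional[Route]:
    """Customer-facing RTBH policy: the route as installed, or None if rejected."""
    if BLACKHOLE not in r.communities:
        return r  # ordinary route, untouched by this policy
    # Assumption (common RTBH practice, not stated in the thread): host routes only.
    if r.prefix.prefixlen != 32:
        return None
    # Only the customer's own space may be blackholed.
    if not any(r.prefix.subnet_of(p) for p in c.allowed_prefixes):
        return None
    installed = Route(r.prefix, set(r.communities), next_hop=DISCARD_NEXT_HOP)
    # RFC 7999 section 3.2: SHOULD carry NO_EXPORT/NO_ADVERTISE unless policy
    # explicitly aims at propagating the blackhole beyond the local domain.
    if not c.may_propagate_upstream:
        installed.communities.add(NO_EXPORT)
    return installed


def export_to_upstream(r: Route, u: Upstream) -> Optional[Route]:
    """Upstream-facing policy: what (if anything) is announced for this route."""
    if NO_EXPORT in r.communities or NO_ADVERTISE in r.communities:
        return None
    if BLACKHOLE in r.communities:
        if not u.accepts_blackhole:
            return None  # no agreement with this upstream: never leak a blackhole
        out = Route(r.prefix, set(r.communities) - {BLACKHOLE}, r.next_hop)
        out.communities.add(u.blackhole_community)
        return out
    return r


if __name__ == "__main__":
    cust = make_customer(64500, ("10.10.0.0/21",), propagate=True)
    up = Upstream(64600, accepts_blackhole=True, blackhole_community=(64600, 666))
    installed = import_from_customer(make_route("10.10.1.5/32", BLACKHOLE), cust)
    print(installed, export_to_upstream(installed, up))
```

The two branches that matter for the question raised above are the `may_propagate_upstream` flag (without it the route is tagged NO_EXPORT and `export_to_upstream` refuses it) and the `accepts_blackhole` check on the upstream, which models Theo's "mutually agreed and configured to accept them" condition; the ownership and host-route checks keep a customer from blackholing addresses that are not theirs.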


Re: Should ISP block child pornography?

2018-12-07 Thread Alejandro Acosta
Agree


El 7/12/18 a las 06:14, Owen DeLong escribió:
> How is it that Interpol isn’t taking over/shutting down these domains
> in the DNS at the registry/registrar level?
>
> The GAC pushed hard for the provisions that allow them to do so and
> there’s a pretty clear (and quick) process for it.
>
> Owen
>
>
>> On Dec 6, 2018, at 22:06, Lotia, Pratik M  wrote:
>>
>> Hello all, was curious to know the community’s opinion on whether an
>> ISP should block domains hosting CPE (child pornography exploitation)
>> content? Interpol has a ‘worst-of’ list which contains such domains
>> and it wants ISPs to block it.
>> On one side we want the ISP to not do any kind of censorship or
>> inspection of customer traffic (customers are paying for pipes – not
>> for filtered pipes), on the other side morals/ethics come into play.
>> Keep in mind that if an ISP is blocking it would mean that it is also
>> logging the information (source IP) and law agencies might be wanting
>> access to it.
>>  
>> Wondering if any operator is actively doing it or has ever considered
>> doing it?
>>  
>> Thanks.
>>  
>>  
>> With Gratitude,
>> *Pratik Lotia*  
>>  
>> “Information is not knowledge.”
>> The contents of this e-mail message and 
>> any attachments are intended solely for the 
>> addressee(s) and may contain confidential 
>> and/or legally privileged information. If you
>> are not the intended recipient of this message
>> or if this message has been addressed to you 
>> in error, please immediately alert the sender
>> by reply e-mail and then delete this message 
>> and any attachments. If you are not the 
>> intended recipient, you are notified that 
>> any use, dissemination, distribution, copying,
>> or storage of this message or any attachment 
>> is strictly prohibited.
>



Re: Fwd: [cooperation-wg] Massive IP blockings in Russia

2018-04-19 Thread Alejandro Acosta
I guess this is already a big issue + this is going to be a problem for
people attending the FIFA World Cup using information from the cloud
(few people, no?)


Ale,



El 19/4/18 a las 1:36 p. m., Sandra Murphy escribió:
> Of possible interest to this group.  
>
> Forwarding at Alexander’s suggestion, who says he has already shared info in 
> the NANOG facebook group "(with updated prefixlist)".
>
> —Sandy
>
>> Begin forwarded message:
>>
>> From: Alexander Isavnin 
>> Subject: [cooperation-wg] Massive IP blockings in Russia
>> Date: April 17, 2018 at 1:36:33 PM EDT
>> To: cooperation...@ripe.net
>>
>> Dear colleagues!
>>
>> I’m not pleased to inform you that RosComNadzor, a Russian Communication 
>> supervisory body, has started blocking huge ranges of IPs belonging to 
>> different cloud infrastructures, mostly Amazon and Google Cloud.
>> Those ranges include: 13.52.0.0/14, 13.56.0.0/14, 18.184.0.0/15, 
>> 18.194.0.0/15, 18.196.0.0/15, 34.192.0.0/10, 34.240.0.0/13, 34.248.0.0/13, 
>> 35.156.0.0/14, 35.160.0.0/13, 35.176.0.0/15, 52.0.0.0/11, 52.192.0.0/11, 
>> 52.208.0.0/13, 52.28.0.0/15, 52.58.0.0/15, 54.144.0.0/12, 54.160.0.0/12, 
>> 54.228.0.0/15, 54.72.0.0/15, 54.88.0.0/16.
>>
>> Russian ISPs MUST fully block all traffic to such networks. The list is 
>> frequently updated and gets automatically propagated to ISP every once in a 
>> while, failure to block any address may result in 1500eur fine.  
>> The infrastructure listed above is being added to the blocklist under 
>> “counter-terrorist and counter-extremist” order of the General Prosecutor 
>> Office, #27-31-2015/Id4082-15, issued in 2015 and often used for blocking an 
>> arbitrary unwanted content.
>> The real reason for such blocking is an attempt to cut access to Telegram 
>> messenger, which refused to provide end-to-end encryption keys to the 
>> Federal Security Service (previously known as KGB). This is a case similar 
>> to San-Bernardino shooter’s, where the FBI was denied access to the 
>> shooter’s iPhone, but courts in Russia have made completely opposite 
>> decision.
>> Telegram’s infrastructure is being blocked by a different decision by 
>> RosKomNadzor, #2-1779/2018.
>> Cloud infrastructures are being blocked for massive proxy and VPN hosting 
>> used to dodge messenger blocking.
>>
>> It is said, that more Apple and Google networks may be blocked soon for apps 
>> updates and push notifications delivery for Telegram.  
>>
>> We hope to still have the global IP connectivity to keep you informed about 
>> how the situation develops.
>> Do not be surprised if some of your services placed in cloud infrastructures 
>> will miss Russian customers.
>>
>> You can monitor the number of IP addresses, domains and URLs to be blocked 
>> in Russia at the https://2018.schors.spb.ru/ page (run by the famous ENOG 
>> community member Phil Kulin).
>> Detailed information (also via API) is available at the 
>> https://reestr.rublacklist.net run by RosKomSvoboda civil society group.
>>
>> Kind regards,
>> Alexander Isavnin
>>
>> Sent via RIPE Forum -- https://www.ripe.net/participate/mail/forum



Re: hijacking of 128.255.192.0/22

2018-03-20 Thread Alejandro Acosta
Hello,

  Someone in Lacnog privately told me this:


aut-num:     AS263971
owner:       FaleMais Comunicações LTDA
responsible: Paulo Henrique Mem Pereira
owner-c:     LEVAL5
routing-c:   LEVAL5
abuse-c:     LEVAL5
created:     20150831
changed:     20150831
inetnum:     138.255.192.0/22
inetnum:     2804:28a0::/32
inetnum:     170.254.76.0/22

Regards, Alejandro,


El 20/3/18 a las 2:35 p. m., Jay Ford escribió:
> Something apparently in Brazil is hijacking 128.255.192.0/22, part of
> 128.255.0.0/16 which is held by the University of Iowa.  AS 263971 is
> announcing 128.255.192.0/22 which Hurricane Electric is accepting &
> propagating.  None of that has any authorization.
>
> I can't find any decent contact information for the originating
> entity, so I have reported it to ab...@he.net, but it'd be fabulous if
> some HE folks listening here could whack the hijacking faster than the
> abuse channels will get to it.  Also useful would be some functional
> contact for AS263971.
>
> Any help will be appreciated.
>
> 
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-f...@uiowa.edu, phone: 319-335-



Re: hijacking of 128.255.192.0/22

2018-03-20 Thread Alejandro Acosta
Hi Jay,

  Please note that there is a Lacnog mailing list; I will forward your
message. Not sure if it will work, but it is worth giving it a try.


Regards,

Alejandro,



El 20/3/18 a las 2:35 p. m., Jay Ford escribió:
> Something apparently in Brazil is hijacking 128.255.192.0/22, part of
> 128.255.0.0/16 which is held by the University of Iowa.  AS 263971 is
> announcing 128.255.192.0/22 which Hurricane Electric is accepting &
> propagating.  None of that has any authorization.
>
> I can't find any decent contact information for the originating
> entity, so I have reported it to ab...@he.net, but it'd be fabulous if
> some HE folks listening here could whack the hijacking faster than the
> abuse channels will get to it.  Also useful would be some functional
> contact for AS263971.
>
> Any help will be appreciated.
>
> 
> Jay Ford, Network Engineering Group, Information Technology Services
> University of Iowa, Iowa City, IA 52242
> email: jay-f...@uiowa.edu, phone: 319-335-



Re: Max Prefix Out, was Re: Verizon 701 Route leak?

2017-08-30 Thread Alejandro Acosta
What a terrific idea..., simple & useful


El 29/8/17 a las 1:41 p.m., Michael Still escribió:
> I agree a max-prefix outbound could potentially be useful and would
> hopefully not be too terribly difficult to implement for most vendors.
>
> Perhaps RFC4486 would need to be updated to reflect this as a
> possibility as well?
>
>
>
> On Mon, Aug 28, 2017 at 5:41 PM, Julien Goodwin  
> wrote:
>> On 28/08/17 18:34, Job Snijders wrote:
>>> Finally, it may be worthwhile exploring if we can standardize and
>>> promote maximum prefix limits applied on the the _sending_ side. This
>>> way you protect your neighbor (and the Internet at large) by
>>> self-destructing when you inadvertently announce more than what you'd
>>> expect to announce. BIRD has this functionality
>>> http://bird.network.cz/?get_doc=bird-3.html#proto-export-limit
>>> however I am not aware of other implementations. Feedback welcome!
>> Having just dug up the reference for some strange reason...
>>
>> Back at NANOG38 (2006) Tom Scholl mentioned in a talk on max prefix:
>> "Perhaps maximum-prefix outbound?
>> (Suggested by Eric Bell years ago)"
>> https://www.nanog.org/meetings/nanog38/presentations/scholl-maxpfx.pdf
>>
>> Notably Juniper does now have prefix-export-limit, but only for
>> readvertisement into IS-IS or OSPF:
>> https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/prefix-export-limit-edit-protocols-isis.html
>
>



Re: Google DNS --- Figuring out which DNS Cluster you are using

2017-08-23 Thread Alejandro Acosta
Excellent, thanks for sharing.


El 23/8/17 a las 4:09 p.m., Erik Sundberg escribió:
> I sent this out on the outage list, with a lots of good feedback sent to me. 
> So I figured it would be useful to share the information on nanog as well.
>
>
> A couple of months ago I had to troubleshoot a Google DNS issue with Google’s NOC. 
> Below is some helpful information on how to determine which DNS cluster you 
> are going to.
>
>
> Let’s remember that Google runs DNS anycast for DNS queries to 8.8.8.8 and 
> 8.8.4.4. Anycast routes your DNS queries to the closest DNS cluster based on 
> the best route / lowest metric to 8.8.8.8/8.8.4.4.   Google has deployed 
> multiple DNS clusters across the world and each DNS cluster has multiple 
> servers.
>
> So a DNS query in Chicago will go to a different DNS clusters than queries 
> from a device in Atlanta or New York.
>
>
> How to get a list of Google DNS clusters.
> dig -t TXT +short locations.publicdns.goog. @8.8.8.8
>
> How to print this list in a table format. Script from: 
> https://developers.google.com/speed/public-dns/faq
> ---
> #!/bin/bash
> IFS="\"$IFS"
> for LOC in $(dig -t TXT +short locations.publicdns.goog. @8.8.8.8)
> do
>   case $LOC in
> '') : ;;
> *.*|*:*) printf '%s ' ${LOC} ;;
> *) printf '%s\n' ${LOC} ;;
>   esac
> done
> ---
>
> Which will give you a list like below. This is all of the IP network’s that 
> google uses for their DNS Clusters and their associated locations.
>
> 74.125.18.0/26 iad
> 74.125.18.64/26 iad
> 74.125.18.128/26 syd
> 74.125.18.192/26 lhr
> 74.125.19.0/24 mrn
> 74.125.41.0/24 tpe
> 74.125.42.0/24 atl
> 74.125.44.0/24 mrn
> 74.125.45.0/24 tul
> 74.125.46.0/24 lpp
> 74.125.47.0/24 bru
> 74.125.72.0/24 cbf
> 74.125.73.0/24 bru
> 74.125.74.0/24 lpp
> 74.125.75.0/24 chs
> 74.125.76.0/24 cbf
> 74.125.77.0/24 chs
> 74.125.79.0/24 lpp
> 74.125.80.0/24 dls
> 74.125.81.0/24 dub
> 74.125.92.0/24 mrn
> 74.125.93.0/24 cbf
> 74.125.112.0/24 lpp
> 74.125.113.0/24 cbf
> 74.125.115.0/24 tul
> 74.125.176.0/24 mrn
> 74.125.177.0/24 atl
> 74.125.179.0/24 cbf
> 74.125.181.0/24 bru
> 74.125.182.0/24 cbf
> 74.125.183.0/24 cbf
> 74.125.184.0/24 chs
> 74.125.186.0/24 dls
> 74.125.187.0/24 dls
> 74.125.190.0/24 sin
> 74.125.191.0/24 tul
> 172.217.32.0/26 lhr
> 172.217.32.64/26 lhr
> 172.217.32.128/26 sin
> 172.217.33.0/26 syd
> 172.217.33.64/26 syd
> 172.217.33.128/26 fra
> 172.217.33.192/26 fra
> 172.217.34.0/26 fra
> 172.217.34.64/26 bom
> 172.217.34.192/26 bom
> 172.217.35.0/24 gru
> 172.217.36.0/24 atl
> 172.217.37.0/24 gru
> 173.194.90.0/24 cbf
> 173.194.91.0/24 scl
> 173.194.93.0/24 tpe
> 173.194.94.0/24 cbf
> 173.194.95.0/24 tul
> 173.194.97.0/24 chs
> 173.194.98.0/24 lpp
> 173.194.99.0/24 tul
> 173.194.100.0/24 mrn
> 173.194.101.0/24 tul
> 173.194.102.0/24 atl
> 173.194.103.0/24 cbf
> 173.194.168.0/26 nrt
> 173.194.168.64/26 nrt
> 173.194.168.128/26 nrt
> 173.194.168.192/26 iad
> 173.194.169.0/24 grq
> 173.194.170.0/24 grq
> 173.194.171.0/24 tpe
> 2404:6800:4000::/48 bom
> 2404:6800:4003::/48 sin
> 2404:6800:4006::/48 syd
> 2404:6800:4008::/48 tpe
> 2404:6800:400b::/48 nrt
> 2607:f8b0:4001::/48 cbf
> 2607:f8b0:4002::/48 atl
> 2607:f8b0:4003::/48 tul
> 2607:f8b0:4004::/48 iad
> 2607:f8b0:400c::/48 chs
> 2607:f8b0:400d::/48 mrn
> 2607:f8b0:400e::/48 dls
> 2800:3f0:4001::/48 gru
> 2800:3f0:4003::/48 scl
> 2a00:1450:4001::/48 fra
> 2a00:1450:4009::/48 lhr
> 2a00:1450:400b::/48 dub
> 2a00:1450:400c::/48 bru
> 2a00:1450:4010::/48 lpp
> 2a00:1450:4013::/48 grq
>
> There are
> IPv4 networks: 68
> IPv6 networks: 20
> DNS clusters identified by POP code: 20
>
> DNS Clusters identified by POP Code to City, State, or Country. Not all of 
> these are Google’s Core Datacenters, some of them are Edge Points of 
> Presences (POPs). https://peering.google.com/#/infrastructure and 
> https://www.google.com/about/datacenters/inside/locations/
>
> Most of these are airport codes; I did my best to get the location correct.
> iad  Washington, DC
> syd  Sydney, Australia
> lhr  London, UK
> mrn  Lenoir, NC
> tpe  Taiwan
> atl  Atlanta, GA
> tul  Tulsa, OK
> lpp  Finland
> bru  Brussels, Belgium
> cbf  Council Bluffs, IA
> chs  Charleston, SC
> dls  The Dalles, Oregon
> dub  Dublin, Ireland
> sin  Singapore
> fra  Frankfurt, Germany
> bom  Mumbai, India
> gru  Sao Paulo, Brazil
> scl  Santiago, Chile
> nrt  Tokyo, Japan
> grq  Groningen, Netherlands
>
>
>
> Which Google DNS Server Cluster am I using. I am testing this from Chicago, IL
>
> # dig o-o.myaddr.l.google.com -t txt +short @8.8.8.8
> "173.194.94.135" < above to get the cluster, Council Bluffs, IA
> "edns0-client-subnet 207.xxx.xxx.0/24"   
> Your Source IP Block
>
>
> Side note, the google dns servers will not respond to DNS queries to the 
> Cluster’s Member’s IP, 
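
The lookup Erik walks through above, as an added example in Python rather than the shell script from Google's FAQ (this is editor-supplied code, not from the thread or from Google). It tokenises the `locations.publicdns.goog` TXT answer the same way the shell script does (quotes and whitespace as separators, a token containing `.` or `:` is a prefix, the following bare token is its POP code), does a longest-prefix match of the resolver address returned by `o-o.myaddr.l.google.com` against that table, and pulls out the EDNS client subnet. Both `dig` outputs are constructed samples: the prefixes and POP codes are copied from the table above, the client subnet is TEST-NET-3, and the real TXT record is far longer.

```python
from __future__ import annotations
import ipaddress
import re

# Constructed sample of what `dig -t TXT +short locations.publicdns.goog. @8.8.8.8`
# prints: quoted "prefix pop" strings, several per line. Entries are copied from
# the table in the thread; the real record is much longer.
SAMPLE_LOCATIONS = """\
"74.125.18.0/26 iad" "74.125.18.64/26 iad" "74.125.18.128/26 syd" "74.125.18.192/26 lhr"
"173.194.94.0/24 cbf" "74.125.19.0/24 mrn" "2607:f8b0:4001::/48 cbf"
"2a00:1450:4009::/48 lhr" "172.217.34.64/26 bom"
"""

# Constructed sample of `dig o-o.myaddr.l.google.com -t txt +short @8.8.8.8`;
# the client subnet is TEST-NET-3, not a real one.
SAMPLE_MYADDR = """\
"173.194.94.135"
"edns0-client-subnet 203.0.113.0/24"
"""


def parse_locations(dig_output: str) -> list:
    """Tokenise exactly like the shell script in the thread: quotes and
    whitespace separate tokens, a token with '.' or ':' is a prefix, and the
    next bare token is the POP code that prefix belongs to."""
    table, pending = [], None
    for tok in re.split(r'["\s]+', dig_output):
        if not tok:
            continue
        if "." in tok or ":" in tok:
            if pending is not None:
                raise ValueError(f"prefix {pending} has no POP code")
            pending = ipaddress.ip_network(tok)
        elif pending is None:
            raise ValueError(f"POP code {tok!r} without a preceding prefix")
        else:
            table.append((pending, tok.lower()))
            pending = None
    if pending is not None:
        raise ValueError(f"prefix {pending} has no POP code")
    return table


def cluster_for(ip: str, table: list) -> str | None:
    """Longest-prefix match of a resolver address against the cluster table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, pop in table:
        if net.version == addr.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, pop)
    return best[1] if best else None


def which_cluster(myaddr_output: str, table: list) -> tuple:
    """Interpret the o-o.myaddr.l.google.com answer: the bare IP string is the
    cluster member that answered, the other string carries the EDNS client
    subnet. Returns (cluster POP code or None, client subnet or None)."""
    server = client_subnet = None
    for tok in re.findall(r'"([^"]*)"', myaddr_output):
        if tok.startswith("edns0-client-subnet "):
            client_subnet = tok.split(" ", 1)[1]
        else:
            server = tok
    return (cluster_for(server, table) if server else None, client_subnet)


def summarize(table: list) -> dict:
    """Counts of the kind Erik gives above: v4/v6 networks and distinct clusters."""
    v4 = sum(1 for net, _ in table if net.version == 4)
    return {"ipv4_networks": v4, "ipv6_networks": len(table) - v4,
            "clusters": sorted({pop for _, pop in table})}
```

To use it against live data, feed the two `dig` outputs in place of the constructed samples; the parser raises on a malformed record rather than silently pairing the wrong prefix with the wrong POP code.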

Looking for AS 263686 contact

2017-02-14 Thread Alejandro Acosta
Hello,

 If anybody from AS 263686 please contact me off-list.


Thanks,


Alejandro,



Google APIs Rate Limit - Was: Re: google search threshold

2016-02-29 Thread Alejandro Acosta
Hello,
  Something similar to this topic.
  The other day working with Google APIs (geolocation [1] ) I thought
that in order to promote a little bit IPv6, Google (and others) might do
something like:

  Google Maps Geocoding API Usage Limits

With IPv4:
2,500 free requests per day (from IPv4 clients)
10 requests per second (from IPv4 clients)

With IPv6
5,000 free requests per day (from ipv6 clients)
20 requests per second (from ipv6 clients)

  Summary: increase rate limit to v6 clients

Regards,

Alejandro,
[1]

El 2/29/2016 a las 11:23 AM, Philip Lavine via NANOG escribió:
> I have about 2000 users behind a single NAT. I have been looking at netflow, 
> URL filter logs, IDS logs, etc. The traffic seems to be legit. 
>
> I am going to move more users to IPv6 and divide some of the subnets into 
> different NATS and see if that alleviates the traffic load.
> Thanks for the advice.
> -Philip
>
>
>   From: Damian Menscher 
>  To: Philip Lavine  
> Cc: "nanog@nanog.org" 
>  Sent: Friday, February 26, 2016 6:05 PM
>  Subject: Re: google search threshold
>
> On Fri, Feb 26, 2016 at 3:01 PM, Philip Lavine via NANOG  
> wrote:
>
> Does anybody know what the threshold for google searches is before you get 
> the captcha?I  am trying to decide if I need to break up the overload NAT to 
> a pool.
>
>
> There isn't a threshold -- if you send automated searches from an IP, then it 
> gets blocked (for a while).
>
> So... this comes down to how much you trust your machines/users.  If you're a 
> company with managed systems, then you can have thousands of users share the 
> same IP without problems.  But if you're an ISP, you'll likely run into 
> problems much earlier (since users like their malware).
> Some tips:
>   - if you do NAT: try to partition users into pools so one abusive user
>     can't get all your external IPs blocked
>   - if you have a proxy: make sure it inserts the X-Forwarded-For header,
>     and is restricted to your own users
>   - if you're an ISP: IPv6 will allow each user to have their own /64,
>     which avoids shared-fate from abusive ones
>
> Damian (responsible for DDoS defense)
> --
> Damian Menscher :: Security Reliability Engineer :: Google :: AS15169
>
>   
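
A worked model of the three tips Damian gives, added here as an example; it is not Google's logic (the thread says there is no fixed threshold there) and not code from either poster. An abuse counter is keyed on the IPv4 address, on the /64 for IPv6, or on the address a trusted proxy appended to X-Forwarded-For, and the four constructed traffic scenarios show why that matters: one overloaded NAT address shares fate across all its users, partitioned NAT pools and per-subscriber /64s isolate the abuser, and a proxy that inserts X-Forwarded-For gets the abuser blocked rather than the proxy. The threshold, window, proxy range (TEST-NET-3) and all addresses are assumptions for the example.

```python
from __future__ import annotations
import ipaddress
from collections import defaultdict, deque

# Assumed values for the example only; the thread says the real system has no
# fixed threshold and simply reacts to automated query patterns.
THRESHOLD = 50        # requests per key inside the window before the key is blocked
WINDOW = 60.0         # seconds

# Constructed: addresses of the ISP's own proxy pool (TEST-NET-3); X-Forwarded-For
# is honoured only when the TCP peer is one of these.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.0/24")]


def client_key(src_ip: str, xff: str | None = None) -> str:
    """Bucket key for one 'client': the IPv4 address, or the IPv6 /64, of the
    real client. With a trusted proxy the rightmost X-Forwarded-For entry is the
    address the proxy itself appended; earlier entries are client-supplied and
    therefore forgeable."""
    src = ipaddress.ip_address(src_ip)
    if xff and any(src in net for net in TRUSTED_PROXIES):
        src = ipaddress.ip_address(xff.split(",")[-1].strip())
    if src.version == 6:
        return str(ipaddress.ip_network(f"{src}/64", strict=False))
    return str(src)


class AbuseCounter:
    """Sliding-window counter: a key is blocked once it exceeds the threshold
    within the window, and stays blocked for the rest of the run."""

    def __init__(self, threshold: int = THRESHOLD, window: float = WINDOW):
        self.threshold, self.window = threshold, window
        self.hits = defaultdict(deque)
        self.blocked = set()

    def record(self, key: str, ts: float) -> bool:
        q = self.hits[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()
        if len(q) > self.threshold:
            self.blocked.add(key)
        return key in self.blocked


def burst(src: str, n: int, xff: str | None = None, start: float = 0.0) -> list:
    """Constructed traffic: n requests from src, 100 ms apart."""
    return [(start + i * 0.1, src, xff) for i in range(n)]


def blocked_keys(requests: list) -> set:
    """Run a request list (ts, source IP, X-Forwarded-For) through the counter."""
    counter = AbuseCounter()
    for ts, src, xff in requests:
        counter.record(client_key(src, xff), ts)
    return counter.blocked


# Scenario 1: one overloaded NAT address, one abusive user -> everyone shares fate.
SINGLE_NAT = burst("198.51.100.1", 60) + burst("198.51.100.1", 5, start=30)
# Scenario 2: NAT partitioned into pools -> only the abuser's pool address is blocked.
SPLIT_NAT = burst("198.51.100.2", 60) + burst("198.51.100.3", 5, start=30)
# Scenario 3: IPv6 with a /64 per subscriber -> only the abuser's /64 is blocked.
PER_USER_V6 = burst("2001:db8:1:abcd::10", 60) + burst("2001:db8:1:1234::10", 5, start=30)
# Scenario 4: a trusted proxy inserting X-Forwarded-For -> keyed on the real client.
PROXIED = burst("203.0.113.10", 60, xff="10.1.1.5") + burst("203.0.113.10", 5, xff="10.1.1.6", start=30)
```

In scenario 1 the five innocent requests are counted against the same key as the abuser's sixty, which is the shared fate Damian describes; in the other three the innocent users keep a clean key. X-Forwarded-For from an address outside `TRUSTED_PROXIES` is ignored, since anyone can send that header.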



Re: Questions regarding equipment for a large LAN event

2015-12-07 Thread Alejandro Acosta
You have no IPv6 at all? This is a good starting point.

El 12/7/2015 a las 2:11 AM, Laurent Dumont escribió:
> Hi Nanog,
>
> This email might seem a bit strange but bear with me. I am a member of
> a student club in Montreal named "Lan ETS". Every year, we organize on
> the biggest LAN event in North-America. We have an amazing partnership
> with Cisco where they allow us to request a fair amount of equipment
> so that we can create the best experience for our players.
>
> This year, we are looking into some equipment that slightly out of our
> usual expertise. Usually, we target high-density stackable switches
> like a 3650/3750/3850 with 48 GigE and 4 SFP for our 10G core. We
> design our network around small "islands" of players all linked with
> each other through a 2x10G fiber network. Everyone is assigned a
> public address and we route everyone out through our core switch.
>
> We were looking at either the Nexus 7004 chassis or the ASR 9004/9006
> chassis for this year event. We would then use 48xGigE and 1x24 SFP+
> line cards. Our actual port requirements and somewhat flexible but we
> do need at least 4x10G Fiber ports. And at least 48 GigE ports for
> players or access switches.
>
> I'm also open to any suggestion within Cisco portfolio. Our needs are
> pretty standard and nothing extraordinary but we would like to use
> this opportunity in order to try new equipment and technologies that
> are usually only seem within ISP and large networks.
>
> I appreciate any input on the matter!
>
> Thank you
>



Re: bad announcement taxonomy

2015-11-18 Thread Alejandro Acosta
El 11/18/2015 a las 7:16 AM, Randy Bush escribió:
>>> how about re-origination?
>> +1 Mis-distribution. or may be Mis-redistribution
> you lost the part of the language which made clear that the *origin* has
> been changed.

mutant?

>
> randy



Re: DNSSEC and ISPs faking DNS responses

2015-11-12 Thread Alejandro Acosta
Hello,

El 11/13/2015 a las 12:20 AM, John Levine escribió:
> In article <56455885.8090...@vaxination.ca> you write:
>> The Québec government is wanting to pass a law that will force ISPs to
>> block and/or redirect certain sites it doesn't like.  (namely sites that
>> offer on-line gambling that compete against its own Loto Québec).
> Blocking is prettty easy, just don't return the result, or fake an
> NXDOMAIN.  For a signed domain, a DNSSEC client will see a SERVERFAIL
> instead, but they still won't get a result.
>
> Redirecting is much harder -- as others have explained there is a
> chain of signatures from the root to the desired record, and if the
> chain isn't intact, it's SERVERFAIL again.  Inserting a replacement
> record with a fake signature into the original chain is intended to be
> impossible.  (If you figure out how, CSIS would really like to talk to
> you.)  It is possible to configure an ISP's DNS caches to trust
> specific signatures for specific parts of the tree, but that is kludgy
> and fragile and is likely to break DNS for everyone.

I'm not a DNSSEC expert but I wonder what would be the behavior if the
ISP adds a specific trust anchor for the domain they wish to block?


>
> And anyway, it's pointless.  What they're saying is to take the
> gambling sites out of the phone book, but this is the Internet and
> there are a million other phone books available, outside of Quebec,
> such as Google's 8.8.8.8 located in the US, that people can configure
> their computers to use with a few mouse clicks.  Or you can run your
> own cache on your home network like I do, just run NSD or BIND on a
> linux laptop.
>
> They could insist that ISPs block the actual web traffic to the sites,
> by blocking IP ranges, but that is also a losing battle since it's
> trivial to circumvent with widely available free VPN software.  If
> they want to outlaw VPNs, they're outlawing telework, since VPNs is
> how remote workers connect to their employers' systems, and the
> software is identical.
>
> R's,
> John

Thanks,

Alejandro,



Re: Level3 Customer Center Down?

2015-11-11 Thread Alejandro Acosta
http://www.level3.com/en/customer-center/   also loaded for me.


El 11/11/2015 a las 10:02 AM, Mark Stevens escribió:
>
> Works for me but takes time to load. Running Chrome and Firefox.
>
> On 11/11/2015 9:25 AM, Matt Hoppes wrote:
>> Has anyone else experienced the Level3 Customer Center down for the
>> past 2 days?  All I get when I try to go there is:
>>
>> http://www.level3.com/en/customer-center/
>>
>> An HTTP error occurred while getting:
>>
>> http://www.level3.com/en/customer-center/
>>
>>
>> Tried in multiple browsers from multiple ISPs.
>>
>



Re: the fcc vs wifi lockdown issue

2015-10-16 Thread Alejandro Acosta
Quite interesting..., please keep us posted.
Good luck with this.

Regards,
Alejandro,

El 10/15/2015 a las 9:33 PM, Dave Taht escribió:
> I had hoped to have seen some discussion of what vint cerf, myself,
> linus torvalds, jim gettys, dave farber, and 260 others just cooked up
> as to solve the edge device, wifi, and iot security problems we face.
>
> Press release here:
>
> http://businesswire.com/news/home/20151014005564/en/Global-Internet-Experts-Reveal-Plan-Secure-Reliable
>
> Document as submitted to the fcc here:
>
> http://fqcodel.bufferbloat.net/~d/fcc_saner_software_practices.pdf
>
>
> Dave Täht
> http://www.bufferbloat.net/projects/bloat/wiki/Daves_Media_Guidance



Re: Android and DHCPv6 again

2015-10-07 Thread Alejandro Acosta
El 10/7/2015 a las 12:50 AM, Enno Rey escribió:
> Hi,
>
> On Tue, Oct 06, 2015 at 08:59:14PM -0430, Alejandro Acosta wrote:
>> Hello,
>>   This is a question I should test myself but anyhow I would like to
>> hear your comments.
>>   What happens (on the client side/Android maybe) if I advertise the DNS
>> information in the RA and I also enable the O bit?
> depends on the OS the client is running, see
> https://www.ernw.de/download/ERNW_Whitepaper_IPv6_RAs_RDNSS_DHCPv6_Conflicting_Parameters.pdf
>  &
> https://www.ernw.de/download/ERNW_RIPE70_IPv6_Behavior_Conflicting_Environments_v0_92_short.pdf

Thanks a lot. Great documents, nice job, congrats.

Alejandro,



Re: Android and DHCPv6 again

2015-10-06 Thread Alejandro Acosta
Hello,
  This is a question I should test myself but anyhow I would like to
hear your comments.
  What happens (on the client side/Android maybe) if I advertise the DNS
information in the RA and I also enable the O bit?

Thanks,

Alejandro,

El 10/6/2015 a las 8:39 PM, Bruce Horth escribió:
> Your device may be getting an address, but without a recursive DNS server
> it may be useless.
>
> If you're going to do SLAAC you'll also need to supply your client with a
> recursive DNS server. Android prefers RFC 6106. As you mentioned, Google
> has decided not to support DHCPv6 in Android. Unfortunately some router
> manufacturers are only now getting around to implementing RFC 6106.
>
>
>
>
> BH
>
> On Sat, Oct 3, 2015 at 9:52 PM, Baldur Norddahl 
> wrote:
>
>> Hi
>>
>> I noticed that my Nexus 9 tablet did not have any IPv6 although everything
>> else in my house is IPv6 enabled. Then I noticed that my Samsung S6 was
>> also without IPv6. Hmm.
>>
>> A little work with tcpdump and I got this:
>>
>> 03:27:15.978826 IP6 (hlim 255, next-header ICMPv6 (58) payload length: 120)
>> fe80::222:7ff:fe49:ffad > ip6-allnodes: [icmp6 sum ok] ICMP6, router
>> advertisement, length 120
>> hop limit 0, Flags [*managed*, other stateful], pref medium, router
>> lifetime 1800s, reachable time 0s, retrans time 0s
>>  source link-address option (1), length 8 (1): 00:22:07:49:ff:ad
>>  mtu option (5), length 8 (1):  1500
>>  prefix info option (3), length 32 (4): 2a00:7660:5c6::/64, Flags [onlink,
>> *auto*], valid time 7040s, pref. time 1800s
>>  unknown option (24), length 16 (2):
>>  0x:  3000  1b80 2a00 7660 05c6 
>>
>> So my CPE is actually doing DHCPv6 and some nice people at Google decided
>> that it will be better for me to be without IPv6 in that case :-(.
>>
>> But it also has the auto flag, so Android should be able to do SLAAC yes?
>>
>> My Macbook Pro currently has the following set of addresses:
>>
>> en0: flags=8863 mtu 1500
>> ether 3c:15:c2:ba:76:d4
>> inet6 fe80::3e15:c2ff:feba:76d4%en0 prefixlen 64 scopeid 0x4
>> inet 192.168.1.214 netmask 0xff00 broadcast 192.168.1.255
>> inet6 2a00:7660:5c6::3e15:c2ff:feba:76d4 prefixlen 64 autoconf
>> inet6 2a00:7660:5c6::b5a5:5839:ca0f:267e prefixlen 64 autoconf temporary
>> inet6 2a00:7660:5c6::899 prefixlen 64 dynamic
>> nd6 options=1
>> media: autoselect
>> status: active
>>
>> To me it seems that the Macbook has one SLAAC address, one privacy
>> extension address and one DHCPv6 managed address.
>>
>> In fact the CPE manufacturer is a little clever here. They gave me an easy
>> address that I can use to access my computer ("899") while still allowing
>> SLAAC and privacy extensions. If I want to open ports in my firewall I
>> could do that to the "899" address.
>>
>> But why is my Android devices without IPv6 in this setup?
>>
>> Regards,
>>
>> Baldur
>>
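
The Router Advertisement from Baldur's tcpdump output, decoded by an added example parser (editor-supplied code, not from the thread). It extracts the M and O flags, the prefix option with its A flag, the MTU, the RDNSS option (RFC 8106, which replaced the RFC 6106 Bruce mentions) and the option tcpdump prints as "unknown option (24)", which is the RFC 4191 Route Information option: its body decodes to 2a00:7660:5c6::/48 with a 7040 s lifetime, matching the valid lifetime in the dump. The RA bytes are constructed from the values in the dump with the checksum left at 0; `host_outcome` models only what this thread describes (a client that does SLAAC, never runs DHCPv6 and needs RDNSS for a resolver) and is not a statement about any particular Android release.

```python
from __future__ import annotations
import ipaddress
import struct

ND_ROUTER_ADVERT = 134
OPT_SRC_LLADDR = 1      # RFC 4861
OPT_PREFIX_INFO = 3     # RFC 4861
OPT_MTU = 5             # RFC 4861
OPT_ROUTE_INFO = 24     # RFC 4191 (the "unknown option (24)" in the tcpdump above)
OPT_RDNSS = 25          # RFC 8106 (formerly RFC 6106)


def parse_ra(icmp6: bytes) -> dict:
    """Decode an ICMPv6 Router Advertisement: header flags plus the options a
    host uses to choose between SLAAC, DHCPv6 and RA-supplied DNS."""
    if len(icmp6) < 16 or icmp6[0] != ND_ROUTER_ADVERT:
        raise ValueError("not a router advertisement")
    hop_limit, flags, lifetime, reachable, retrans = struct.unpack("!BBHII", icmp6[4:16])
    ra = {
        "hop_limit": hop_limit,
        "managed": bool(flags & 0x80),    # M: get addresses via DHCPv6
        "other": bool(flags & 0x40),      # O: get other config (DNS, ...) via DHCPv6
        "router_lifetime": lifetime, "reachable": reachable, "retrans": retrans,
        "lladdr": None, "mtu": None,
        "prefixes": [], "rdnss": [], "routes": [], "unknown": [],
    }
    off = 16
    while off < len(icmp6):
        if len(icmp6) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = icmp6[off], icmp6[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")   # RFC 4861: discard the packet
        size = olen * 8
        body = icmp6[off + 2:off + size]
        if len(body) != size - 2:
            raise ValueError("truncated option body")
        if otype == OPT_SRC_LLADDR and olen == 1:
            ra["lladdr"] = body[:6].hex(":")
        elif otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags, valid, preferred = struct.unpack("!BBII", body[:10])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[14:30])}/{plen}",
                "onlink": bool(pflags & 0x80),
                "autonomous": bool(pflags & 0x40),   # A: SLAAC permitted
                "valid": valid, "preferred": preferred,
            })
        elif otype == OPT_RDNSS and olen >= 3 and olen % 2 == 1:
            ra["rdnss"].append({
                "lifetime": struct.unpack("!I", body[2:6])[0],
                "servers": [str(ipaddress.IPv6Address(body[i:i + 16]))
                            for i in range(6, len(body), 16)],
            })
        elif otype == OPT_MTU and olen == 1:
            ra["mtu"] = struct.unpack("!I", body[2:6])[0]
        elif otype == OPT_ROUTE_INFO and olen in (1, 2, 3):
            plen, rlifetime = body[0], struct.unpack("!I", body[2:6])[0]
            prefix = ipaddress.IPv6Address(body[6:].ljust(16, b"\x00"))
            ra["routes"].append({"prefix": f"{prefix}/{plen}", "lifetime": rlifetime})
        else:
            ra["unknown"].append(otype)
        off += size
    return ra


def host_outcome(ra: dict) -> str:
    """Model the behaviour this thread describes for a host that does SLAAC but
    never runs DHCPv6: it needs an A-flagged prefix for an address and an RDNSS
    option for a resolver; the M and O flags on their own give it nothing."""
    if not any(p["autonomous"] for p in ra["prefixes"]):
        return "no address"
    if not ra["rdnss"]:
        return "address but no DNS"
    return "address and DNS"


def build_ra(managed: bool, other: bool, rdnss: list) -> bytes:
    """Constructed RA modelled on the tcpdump in the thread: hop limit 0, router
    lifetime 1800 s, MTU 1500, prefix 2a00:7660:5c6::/64 with L and A set, and
    the RFC 4191 Route Information option for 2a00:7660:5c6::/48 (7040 s).
    The checksum stays 0 because no IPv6 pseudo-header is available here."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    pkt = struct.pack("!BBHBBHII", ND_ROUTER_ADVERT, 0, 0, 0, flags, 1800, 0, 0)
    pkt += struct.pack("!BB6s", OPT_SRC_LLADDR, 1, bytes.fromhex("00220749ffad"))
    pkt += struct.pack("!BBHI", OPT_MTU, 1, 0, 1500)
    pkt += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, 0xC0, 7040, 1800, 0)
    pkt += ipaddress.IPv6Address("2a00:7660:5c6::").packed
    pkt += struct.pack("!BBBBI", OPT_ROUTE_INFO, 2, 48, 0, 7040)
    pkt += ipaddress.IPv6Address("2a00:7660:5c6::").packed[:8]
    if rdnss:
        pkt += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(rdnss), 0, 1800)
        for server in rdnss:
            pkt += ipaddress.IPv6Address(server).packed
    return pkt
```

Feed `parse_ra` the ICMPv6 payload of a captured RA (for example from a pcap) to see which of the three channels a CPE is actually offering: with M and O set but no RDNSS, the RA in the thread gives a non-DHCPv6 client an address and nothing else.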



Re: Skype off line ??

2015-09-21 Thread Alejandro Acosta
The same from Spain

El 9/21/2015 a las 6:00 AM, Pui Edylie escribió:
> Reporting the same from Singapore
>
> Sent from TypeMail
>
>
>
> On Sep 21, 2015, 18:27, at 18:27, Max Tulyev  wrote:
>> For me yes, it is down for several hours.
>>
>> BTW, is there any Jabber/XMPP client with similar usability?
>>
>> I need just scroll up to view all history and one click to join someone
>> to multiuser conference in fact.
>>
>> On 21.09.15 11:32, Marco Paesani wrote:
>>> Hi,
>>> do you have sone news about it ?
>>> Best regards,
>>>



Re: Measuring DNS Performance Graphing Logs

2015-08-08 Thread Alejandro Acosta
Hello Zayed,
  I noticed you have already received some answers regarding how to
integrate it to Cacti.
  Regarding the tools to measure DNS performance I usually use two:
resperf and dnsperf, both are from Nominum and can be found here:
https://nominum.com/measurement-tools/
  Some years ago I posted this in Spanish: 
http://blog.acostasite.com/2010/02/realizar-estudios-de-performance-sobre.html,
probably it can help you:

Regards,

Alejandro,



El 5/19/2015 a las 1:04 PM, Zayed Mahmud escribió:
 Hello!
 This is my first message to NANOG's mailing list. I hope someone can help
 me.

 I was wondering which tool(s) can I use to measure the performance of my 3
 DNS servers (1 primary, 1 secondary, 1 solely cacheDNS)? From the stats I
 would like to know if my DNS server is serving as it should be or if any of
 it's options are set inappropriately and others alike.

 I looked for a while but could not find any. Any help would be highly
 appreciated. I am running bind9 on UNIX platform.

 Question 2) I would also like to know how can I graph my DNS logs? And how
 can I integrate it to my CACTI server as well? I couldn't find any suitable
 plugin. Any suggestion?




Re: best practice for number of era que

2015-08-01 Thread Alejandro Acosta
A
El ago 1, 2015 12:05, marco da pieve mdapi...@gmail.com escribió:

 Hi Shane,
 for the boxes that are currently installed in the network, this is not a
 valid option (politically/commercially speaking).

 thanks,
 Marco

 On 1 August 2015 at 18:16, Shane Ronan sh...@ronan-online.com wrote:

  Have you considered a virtual route reflector rather than physical
  hardware?
  On Aug 1, 2015 11:39 AM, marco da pieve mdapi...@gmail.com wrote:
 
  Hi all,
  this is my first time asking for advice here and I hope not to bother
  you with this topic (if it has already been covered in the past, would
  you please point me to that discussion?).

  Anyway, I need to decide whether to go for a BGP topology with a single
  cluster of 3 Route Reflectors (to overcome a dual point of failure issue)
  or maybe two standalone clusters each with two RR (sacrificing half of
  the network in case two RR of the same cluster fail).

  To give you some input data:

  - 8000 actual VPNV4 prefixes
  - 180 BGP neighbors

  In case of the 3 RRs option, prefixes will become 24000 on the clients
  (24k received routes in total but 1/3 installed. No BGP multipath will be
  used). In this scenario, considering network growth up to doubling the
  current number of VPNV4 prefixes, I would end up having 16k actual vpnv4
  prefixes and 48k vpnv4 prefixes received by the clients, which is almost
  the limit for the HW used.

  In the case of two standalone clusters each with two RRs, BGP
  neighborships will be halved among the two clusters and vpnv4 prefixes
  too. In case of network growth up to doubling the number of prefixes, the
  clients will receive up to 24k vpnv4 prefixes and this is still far below
  the HW limits. Of course this option will not prevent a dual failure in
  the single cluster, and half of the network would end up in outage.

  My choice would be to go for the two clusters, assuming that each RR has
  supervisor/controlling card protection capabilities.

  However I'd like to have feedback on the pros and cons of the design
  itself, if any. I know that design is planned on the resources available,
  but just for discussing and abstracting from the HW, would there be any
  drawbacks in having an odd number of RR in the network? Is one of the two
  options a no-go choice? What was your experience?

  Thanks a lot for your time and patience to go through this email,

  M.
 
 


 --
 Marco Da Pieve


Re: Windows 10 Release

2015-07-29 Thread Alejandro Acosta
El 7/28/2015 a las 4:15 PM, Nick Olsen escribió:
 Anyone anxious to see what kind of traffic comes from Windows 10 releasing 
 tomorrow?
   
  Being a 3-4GB download. Each device is moving more data than any Apple 
 update ever did.

Wow, to download 3-4 GB in a developing country (like mine - Venezuela)
where there are still 512 kbps - 2 Mbps links for home users (and some
offices too) it will have a significant impact. I hope they are
considering this somehow. Imagine more than one Microsoft 10 in a
home.., it will never end :-)

   
  Wonder if they'll stage the release as apple appeared to have learned 
 after IOS7 hammered a bunch of networks. 
   
  Nick Olsen
 Network Operations  (855) FLSPEED  x106



Alejandro Acosta,


MaxMind contact

2015-06-02 Thread Alejandro Acosta
Hi there,
   Sorry for the noise.
   Is there anyone from MaxMind on here?
   I would appreciate it if anyone on, or off-list can provide any
contact details

Thanks in advance,

Alejandro Acosta,



Re: Dark Fiber in Latin America

2015-02-13 Thread Alejandro Acosta
Hi Beavis,
  Just in case, there is a Lacnog mailing list.., the URL:
https://mail.lacnic.net/mailman/listinfo/lacnog
  In case you don't get a response here you might want to try there.

Alejandro,


El 2/13/2015 a las 11:32 AM, Beavis escribió:
 All,

 I'm looking for some general information of a dark fiber provider in latin
 america countries namely Nicaragua and Costa Rica. Any info is greatly
 appreciated.

 Please contact me off list.


 thanks,
 -Beavis





Re: Akamai charges for IPv6 support?

2014-08-18 Thread Alejandro Acosta


El 8/18/2014 12:23 PM, Aaron Hopkins escribió:
 On Mon, 18 Aug 2014, Mehmet Akcin wrote:
 
 What did they say when you asked them(Akamai)?
 
 I quoted their response in my mail; sorry if that wasn't clear.  They
 offered to enable IPv6 service for a non-trivial monthly recurring fee,
 which they offered to send me a revised contract to include.

it's so sad to hear this in August 2014

 
 I would imagine ipv6 to be included in price not an additional fee.
 
 I was surprised to find that wasn't the case.
 
 -- Aaron


Intraway Contact

2014-07-01 Thread Alejandro Acosta
Hi there,
   Is there anyone from Intraway on here?
   I would appreciate it if anyone on, or off-list can provide any
contact details

Thanks,

Alejandro Acosta,




Re: Canada and IPv6

2014-06-19 Thread Alejandro Acosta
Not residential IPv6 connectivity but today I got this news:

http://www.ourmidland.com/prweb/cirrushosting-to-support-ipv-on-canadian-vps-and-cloud-hosting/article_4d28a39c-1c3f-5209-939b-10d8cf310564.html


El 6/18/2014 7:46 PM, Sadiq Saif escribió:
 On 6/18/2014 14:25, Lee Howard wrote:
 Canada is way behind, just 0.4% deployment.
 
 Any Canadian ISP folk in here want to shine a light on this dearth of
 residential IPv6 connectivity?
 
 Is there any progress being made on this front?
 


Re: Quad-A records in Network Solutions ?

2013-04-09 Thread Alejandro Acosta
Hi Carlos, list,
  Today I went to networksolutions.com and I remembered this
thread. I had to administer a domain name and I sadly found they have
done nothing in IPv6 during the last 12 months.

Regards,

Alejandro,

On 3/28/12, Carlos Martinez-Cagnazzo carlosm3...@gmail.com wrote:
 Hello all,

 I just received a heads-up from a friend telling me that Network
 Solutions is unable/unwilling to configure AAAA's for .com/.net domains.
 He works for a large media outlet who will be enabling IPv6 on their
 sites for World IPv6 Launch Day.

 I hope it's just a misunderstanding.  If it's not, I would love to know
 if there is a reason for this, and if they have a timeline for
 supporting AAAA's.

 It's ok to contact me privately.

 regards

 Carlos





Re: Tier 2 ingress filtering

2013-03-30 Thread Alejandro Acosta
Hi William,
  Thanks for your response, my comments below:

On 3/30/13, William Herrin b...@herrin.us wrote:
 On Fri, Mar 29, 2013 at 11:21 PM, Alejandro Acosta
 alejandroacostaal...@gmail.com wrote:
 On 3/29/13, Patrick na...@haller.ws wrote:
 On 2013-03-29 14:49, William Herrin wrote:
 I've long thought router vendors should introduce a configuration
 option to specify the IP address from which ICMP errors are emitted
 rather than taking the interface address from which the packet causing
 the error was received.

 Concur. An 'ip(v6)? icmp source-interface loop0' sure beats running 'ip
 unnumbered loop0' everywhere. ;)

 Why do you think it will be better? Can you explain?

 Hi Alejandro,

 Consider the alternatives:

 1. Provide a router configuration option (per router and/or per
 interface) to emit ICMP error messages from a specified IP address
 rather than the interface address.

I imagine that and it sounds terrific. I guess at least this option
should come disabled by default.


 2. At every border, kick packets without an Internet-legitimate source
 address up to the slow path for network address translation to a
 source address which is valid.

IMHO this can be achieved with the current behaviour.


 3. Design your network so that any router with at least one network
 interface whose IP address is not valid on the Internet has exactly
 the same MTU on every interface, and at least an MTU of 1500 on all of
 them, guaranteeing that the router will never emit a
 fragmentation-needed message. And do this consistently. Every time.

If you have PMTUD enabled you won't need this every time.



 4. Redesign TCP so it doesn't rely on ICMP destination unreachable
 messages to determine path MTU and get your new design deployed into
 every piece of software on the Internet.

You will have the same problem using only one output interface for
ICMP errors/messages. Of course, based on your comments, you mean you
will need to troubleshoot this interface only once.


 5. Accept that TCP will break unexpectedly due to lost
 fragmentation-needed messages, presenting as a particularly nasty and
 intermittent failure that's hard to track and harder to fix.

Same answer as in 3.



 Which do you find least offensive?

None of them is offensive. I think this could be a nice feature to
have, but I hope it's disabled by default.


 Regards,
 Bill Herrin

Thanks,

Regards,
Alejandro Acosta,




 --
 William D. Herrin  her...@dirtside.com  b...@herrin.us
 3005 Crane Dr. .. Web: http://bill.herrin.us/
 Falls Church, VA 22042-3004
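The failure mode Bill describes (a Fragmentation Needed message sourced from an RFC 1918 interface address being dropped by ingress filtering, so TCP black-holes) and his alternative 1 (sourcing the ICMP error from a configured public address) can be modelled in a few lines. The following Python simulation is an added illustration, not code from the thread or from any router vendor; the `source_loopback` knob is a hypothetical stand-in for the proposed 'icmp source-interface loop0' option, the addresses are constructed documentation ranges, and the bogon list is deliberately limited to RFC 1918 space for brevity.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed list of non-Internet-legitimate source ranges (RFC 1918 only,
# for brevity); a real ingress filter would use a fuller bogon list.
BOGONS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_bogon(addr: str) -> bool:
    """True if addr falls in a range an ingress filter would reject."""
    a = ip_address(addr)
    return any(a in n for n in BOGONS)


@dataclass
class Router:
    name: str
    ingress_addr: str                # address of the interface the packet arrives on
    egress_mtu: int                  # MTU of the link the packet would be forwarded onto
    loopback: Optional[str] = None   # public address used when source_loopback is set
    source_loopback: bool = False    # hypothetical 'icmp source-interface loop0' knob

    def icmp_source(self) -> str:
        """Address the router puts in the ICMP error it generates."""
        if self.source_loopback and self.loopback:
            return self.loopback
        return self.ingress_addr     # today's behaviour: the receiving interface


@dataclass
class Result:
    path_mtu: Optional[int]                                         # MTU the sender settles on, or None
    icmp_seen: List[Tuple[str, int]] = field(default_factory=list)  # (source, next-hop MTU)
    icmp_dropped: List[str] = field(default_factory=list)           # sources filtered out


def pmtud(path: List[Router], initial_size: int, border_filters_bogons: bool) -> Result:
    """Sender probes with DF-set packets of the current size; the first router
    whose egress MTU is too small answers with Fragmentation Needed.  The
    answer crosses a border whose ingress filter may drop it if its source
    is a bogon.  A dropped answer is a PMTU black hole: the sender keeps
    retransmitting the same size and never learns the smaller MTU."""
    size = initial_size
    res = Result(path_mtu=None)
    for _ in range(16):              # bound the number of probe rounds
        too_big = None
        for r in path:
            if size > r.egress_mtu:
                too_big = (r.icmp_source(), r.egress_mtu)
                break
        if too_big is None:
            res.path_mtu = size      # every hop forwarded the packet
            return res
        src, mtu = too_big
        if border_filters_bogons and is_bogon(src):
            res.icmp_dropped.append(src)
            return res               # black hole
        res.icmp_seen.append((src, mtu))
        size = mtu                   # sender shrinks to the advertised MTU and retries
    return res


def build_path(source_loopback: bool) -> List[Router]:
    """Constructed two-hop path: a public-addressed border router and an
    RFC 1918-numbered core router in front of a 1400-byte link."""
    return [
        Router("border", "203.0.113.1", 1500),
        Router("core", "10.1.1.1", 1400, loopback="198.51.100.1",
               source_loopback=source_loopback),
    ]


def scenarios() -> dict:
    return {
        # Alternative 5 in the thread: ICMP sourced from 10.1.1.1 is filtered.
        "interface_source_filtered": pmtud(build_path(False), 1500, True),
        # Alternative 1: same network, ICMP sourced from the public loopback.
        "loopback_source_filtered": pmtud(build_path(True), 1500, True),
        # No ingress filtering on the return path: either behaviour works.
        "interface_source_unfiltered": pmtud(build_path(False), 1500, False),
    }


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(f"{name}: path_mtu={r.path_mtu} icmp_seen={r.icmp_seen} "
              f"dropped={r.icmp_dropped}")
```

Running it shows the first scenario never converging (the sender's only evidence is a silent drop), while the loopback-sourced variant learns the 1400-byte path MTU after one probe. Alternative 3 in the thread corresponds to giving every router the same egress MTU, in which case the inner loop never produces a too-big message at all.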




Re: Tier 2 ingress filtering

2013-03-29 Thread Alejandro Acosta
Hi,

On 3/29/13, Patrick na...@haller.ws wrote:
 On 2013-03-29 14:49, William Herrin wrote:
 I've long thought router vendors should introduce a configuration
 option to specify the IP address from which ICMP errors are emitted
 rather than taking the interface address from which the packet causing
 the error was received.

 Concur. An 'ip(v6)? icmp source-interface loop0' sure beats running 'ip
 unnumbered loop0' everywhere. ;)

Why do you think it will be better? Can you explain?
So far I can only think of more difficult troubleshooting if this
idea/feature spreads.

I guess, based on the scenario where the output interface cannot reach
the Internet, it sounds like a practical solution; however, the output
interface is surely reachable inside the provider network.

Thanks,

Alejandro,






Re: Quad-A records in Network Solutions ?

2012-03-28 Thread Alejandro Acosta
Hi Carlos,
  You are right... I just logged in with my account and after I clicked
Edit DNS there is a dialog box which says:

Advanced Users:

To specify your IPv6 name server address (IPv6 glue record), e-mail us
the domain name, the host name of the name server(s), and their IPv6
address(es).


See you,

Alejandro,


On 3/28/12, Carlos Martinez-Cagnazzo carlosm3...@gmail.com wrote:
 Hello all,

 I just received a heads-up from a friend telling me that Network
 Solutions is unable/unwilling to configure AAAA's for .com/.net domains.
 He works for a large media outlet who will be enabling IPv6 on their
 sites for World IPv6 Launch Day.

 I hope it's just a misunderstanding.  If it's not, I would love to know
 if there is a reason for this, and if they have a timeline for
 supporting AAAA's.

 It's ok to contact me privately.

 regards

 Carlos





RE: SmartNet Alternatives

2011-02-12 Thread Alejandro Acosta
Right, it's a pretty good idea to look for other alternatives. A few years ago I
wouldn't have agreed; however, my feeling is that Cisco's competitors have grown a
lot.

AAA-,

-Original Message-
From: Ryan Finnesey
Sent:  12/02/2011 17:03:32
To: nanog@nanog.org
Cc: John Macleod
Subject:  RE: SmartNet Alternatives

This is one of the reasons we are starting to look at Juniper for a new network 
build.  It is my understanding we get software updates for life for free.
Cheers
Ryan


-Original Message-
From: Michael Loftis [mailto:mlof...@wgops.com] 
Sent: Friday, February 11, 2011 4:27 PM
To: John Macleod
Cc: nanog@nanog.org
Subject: Re: SmartNet Alternatives

Cisco is making noises that they'll eventually be restricting software access 
to ONLY those devices which have an active SmartNet contract associated to your 
CCO account.  I don't know where this currently stands, and it sure will be a 
huge pain in my rear if/when it happens.

On Fri, Feb 11, 2011 at 1:41 PM, John Macleod jmacl...@alentus.com wrote:
 Just interested in other people's experience with companies offering 
 alternatives to SmartNet?

 Pros/Cons/Tradeoffs?

 We currently have a mix of SmartNet and internal parts supply.

 John


 __
 John Macleod
 Alentus UK Limited
 Seymour House
 South Street
 Bromley
 BR1 1RH
  +44 (0)208 315 5800
  +44 (0)208 315 5801 fax
 alentus.co.uk  |  alentus.com

 Please consider the environment before printing this e-mail

 This e-mail (and/or any attachment) contains information, which is 
 confidential and intended solely for the attention and use of the named 
 addressee(s). If you are not the intended recipient you must not copy, 
 distribute or use it for any purpose or disclose the contents to any person. 
 If you have received this e-mail in error, please immediately notify the 
 sender. The information contained in this e-mail (and any attachments) is 
 supplied in good faith, but the sender shall not be under any liability in 
 damages or otherwise for any reliance that may be placed upon it by the 
 recipient, nor does it constitute a contract in any way. Any comments or 
 opinions expressed are those of the originator not of Alentus Corporation 
 unless otherwise expressly stated.