Re: AS16512 Unauthorized Announcement by Lumen

[Alistair Mackenzie]

Austin,

This prefix isn't being announced by Lumen, it is merely in their IRR db.
This is quite different from your accusation of "unauthorized announcement".

Stale IRR entries are very common and usually cause no issue on their own.
These should be cleaned up to avoid any accidents but that doesn't always
happen.

On Tue, 17 Jan 2023 at 13:36, Austin Ayers, CoreTransit via NANOG <
nanog@nanog.org> wrote:

> Hello,
>
> My name is Austin and I work with Rackifi LLC dba CoreTransit. Our ASN is
> 16512.
>
> We were reassigned this ASN by ARIN.
>
> Level 3/CTL/Lumen currently has 66.223.233.0/24
>  being shown in the
> IRR directory for AS16512.
>
> https://irrexplorer.nlnog.net/asn/AS16512
>
> As we operate the AS16512 ASN, we respectfully ask Lumen to remove this
> from their IRR records as NewEdgeNetworks does not exist, as it was sold to
> EarthLink and then Windstream. We do not own the /17 the subnet is part of.
>
> Thank you,
> Austin Ayers
> Rackifi LLC dba CoreTransit
>

Re: Longest prepend( 255 times) as path found

[Alistair Mackenzie]

There are some generally accepted and useful filters found at
https://bgpfilterguide.nlnog.net/. There is one which covers excess
prepends.

On Thu, 25 Aug 2022 at 15:25, anonymous  wrote:

> Hey everyone,
>
> Too many hops found as below.
> Usually What shoud we do ? Should we filter it ?
>
> 91.246.12.0/24
>
>
>   AS path: 4788 9002 41313 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 I
>
>   AS path: 9930 9002 41313 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196
> 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 51196 I
>
> /noname
>

Re: akamai yesterday - what in the world was that

[Alistair Mackenzie]

Off-peak hours are on-peak somewhere else in the world.

On Sat, Jan 25, 2020 at 7:37 PM Darin Steffl 
wrote:

> Shouldn't game patches like this be released overnight during off-peak
> hours? Fortnite releases their updates around 3 or 4am when most ISP's
> networks are at their lowest utilization. It seems somewhat reckless to
> release such a large patch during awake hours.
>
> On Sat, Jan 25, 2020, 12:08 PM Brandon Jackson via NANOG 
> wrote:
>
>> "Call of Duty: Modern Warfare fragged our business VOIP: US ISP blames
>> outage on smash-hit video game rush
>> This is Windstream, going dark..."
>> https://www.theregister.co.uk/2020/01/23/windstream_fvoip_outage/
>>
>> Apparently not everyone came out unscathed.
>>
>> --
>> Brandon Jackson
>> bjack...@napshome.net
>>
>>
>> On Thu, Jan 23, 2020 at 10:14 AM Aaron Gould  wrote:
>>
>>> My gosh, what in the word was that coming out of my local Akamai aanp
>>> servers yesterday !?  starting at about 12:00 noon central time lasting
>>> several hours ?
>>>
>>>
>>>
>>> -Aaron
>>>
>>

Re: Any info on devices that are running eBGP on the Internet?

[Alistair Mackenzie]

LINX has the mac addresses of their LANs public.

https://portal.linx.net/members/list-ip-asn?columns=asn+mac_addresses+short_name+website==


On Thu, Nov 7, 2019 at 7:26 PM Owen DeLong  wrote:

> MAC Addresses may cross into fear of disclosure of private identifying
> information.
>
> All they really need is the OUI portion of the MAC addresses which is
> fairly anonymous in terms of identifying anyone specific, yet provides all
> the needed data.
>
> Owen
>
>
> On Nov 7, 2019, at 11:08 , Sabri Berisha  wrote:
>
> Hi,
>
> What you could consider is asking a few of the major internet exchanges if
> they'd be so kind to send you a list of MAC addresses seen on their LANs.
> Based on the MAC you can determine the manufacturer. If you have three or
> four big ones, you have a decent sample size as most larger networks are on
> multiple IXes anyway.
>
> If you do compile a list, I'm sure this list would be interested in the
> results :)
>
> Thanks,
>
> Sabri
>
>
> - On Nov 6, 2019, at 10:39 AM, Compton, Rich A <
> rich.comp...@charter.com> wrote:
>
> Hi, I am working with MANRS (https://www.manrs.org) on a tool for
> checking router configs for BGP security / spoofing prevention (e.g. uRPF)
>  https://github.com/manrs-tools/MANRS-validator
> We are wondering if there is any research on the percentages of different
> types of devices running BGP on the Internet.
> Something like:
> Cisco IOS 30%
> Junos 30%
> Mikrotik 20%
> etc…
> We are looking to focus our tool on the most prevalent types of devices
> doing BGP (and the most prevalent with BGP security/spoofing issues) so
> that we can have the greatest impact.  Does anyone have any information on
> this or know where I can obtain this information?  Thanks in advance!
>
>  -Rich
> The contents of this e-mail message and
> any attachments are intended solely for the
> addressee(s) and may contain confidential
> and/or legally privileged information. If you
> are not the intended recipient of this message
> or if this message has been addressed to you
> in error, please immediately alert the sender
> by reply e-mail and then delete this message
> and any attachments. If you are not the
> intended recipient, you are notified that
> any use, dissemination, distribution, copying,
> or storage of this message or any attachment
> is strictly prohibited.
>
>
>

Re: Vultr contact

[Alistair Mackenzie]

Have you tried choopa? They own and/or operate vultr.

On Fri, Sep 7, 2018 at 2:09 PM Mehmet Akcin  wrote:

> I got no response really. people were more like sharing their experience.
> i guess there isn't anyone.
>
> On Fri, Sep 7, 2018 at 7:03 AM Niels Bakker 
> wrote:
>
>> * meh...@akcin.net (Mehmet Akcin) [Fri 07 Sep 2018, 14:51 CEST]:
>> >I have been looking for a contact in Vultr for awhile now. Can
>> >anyone help me contact with them?
>> >
>> >(i need help beyond their sales/support channels)
>>
>> You posted the same thing on 29 August.  I suggest you look for
>> replies to that email.
>>
>>
>> -- Niels.
>>
>

Re: Cogent ops contact

[Alistair Mackenzie]

I've had no problem dealing with their noc on these sort of issues in the
past.

On 18 Jan 2018 10:54, "Youssef Bengelloun-Zahr"  wrote:

> Dear Nanog community,
>
> I have an issue with a client trying to reach an IP that has been
> blackholed on Cogent backbone for shady "security reasons".
>
> Can someone reach out in MP please ?
>
> Thank you.
>

Re: Geolocate data for allocated blocks

[Alistair Mackenzie]

Most places are using Maxmind for their GeoIP. You can ask them to update
the database here:
https://support.maxmind.com/geoip-data-correction-request/
It takes about a month in my experience to see results.

Make sure the data in whois is also up to date for your blocks.

On Tue, Dec 19, 2017 at 4:16 PM, JASON BOTHE  wrote:

>
>
> I am seeking assistance in getting nets I’ve allocated (several months
> ago) to an office in another RIR region to properly update its geolocate
> data. In this particular case, I have a net in use in India, but currently
> reflects Houston as its address although the allocation indicates
> otherwise. Any databases I should contact or other info is appreciated.
>
> Cheers!
>
> Jason
>
>
>

Re: euNetworks, DE-CIX

[Alistair Mackenzie]

Which location?

On 24 May 2017 at 09:49, Michael J McCafferty  wrote:

> Operators,
> We are a US hosting company, expanding in to Europe. In the US we
> use Level 3 and AIS (AS6130) and Cogent. We planned to use Level 3 and
> Cogent in EU as well, but our experience with Level 3 support has been less
> than stellar. I am looking for an Internet provider with whom we can
> receive full tables, announce our AS/IP space, RTBH, and get a 10G port.
> Prefer someone that will not have peering fights (we already have that with
> Cogent). I am interested in feedback from anyone with similar service with
> euNetworks in Europe (especially Germany).
> By extension, we will be moving some data through the DE-CIX.
>
> Any first-hand experience you might have to share is greatly
> appreciated, in public or private replies.
>
> Thank you very much!
> Mike
> 
> Michael J. McCafferty
> M5 Hosting
> http://www.m5hosting.com 
>
> Like us on Facebook for updates and photos:
> https://www.facebook.com/m5hosting 
> 
>
>

Re: backbones filtering unsanctioned sites

[Alistair Mackenzie]

Cogent confirmed on the phone that they are the ones who put the blackhole
in place. This is after they closed our ticket twice without response.

Purposely didn't mention a website in the ticket yet they asked on the
phone if it was regarding thepiratebay so they are very aware of this...

On 11 February 2017 at 15:18, Bryan Holloway <br...@shout.net> wrote:

> Yup, they do indeed. And for fun, I black-listed one of our IPs, and sure
> enough, the next-hop shows up as 10.255.255.255, and the communities are
> the same aside from what appear to be regional things.
>
> --
>
> BGP routing table entry for 66.253.214.90/32, version 638637516
> Paths: (1 available, best #1, table Default-IP-Routing-Table)
> Flag: 0x820
>   23473
> 10.255.255.255 (metric 10177050) from 154.54.66.21 (154.54.66.21)
>   Origin IGP, localpref 150, valid, internal, best
>   Community: 174:990 174:20912 174:21001 174:22013
>   Originator: 66.28.1.228, Cluster list: 154.54.66.21, 66.28.1.9
>
>
>
> On 2/10/17 1:49 PM, Alistair Mackenzie wrote:
>
>> Cogent also have a blackhole route-server that they will provide to you to
>> announce /32's for blackholing.
>>
>> The address for this is 66.28.1.228 which is the originator for the
>> 104.31.19.30/3 <http://104.31.19.30/32>2 and 104.31.18.30/32 routes.
>>
>>
>> On 10 February 2017 at 18:46, Jason Rokeach <ja...@rokeach.net> wrote:
>>
>> This looks pretty intentional to me.  From
>>> http://www.cogentco.com/en/network/looking-glass:
>>>
>>> BGP routing table entry for 104.31.18.30/32, version 611495773
>>> Paths: (1 available, best #1, table Default-IP-Routing-Table)
>>>   Local
>>> 10.255.255.255 (metric 10177050) from 154.54.66.21 (154.54.66.21)
>>>   Origin IGP, metric 0, localpref 150, valid, internal, best
>>>   Community: 174:990 174:20912 174:21001
>>>   Originator: 66.28.1.228, Cluster list: 154.54.66.21, 66.28.1.9
>>>
>>> BGP routing table entry for 104.31.19.30/32, version 611495772
>>> Paths: (1 available, best #1, table Default-IP-Routing-Table)
>>>   Local
>>> 10.255.255.255 (metric 10177050) from 154.54.66.21 (154.54.66.21)
>>>   Origin IGP, metric 0, localpref 150, valid, internal, best
>>>   Community: 174:990 174:20912 174:21001
>>>   Originator: 66.28.1.228, Cluster list: 154.54.66.21, 66.28.1.9
>>>
>>>
>>> Call it a "hunch" but I doubt 10.255.255.255 is a valid next-hop router.
>>>
>>> On Fri, Feb 10, 2017 at 1:39 PM, Mike Hammett <na...@ics-il.net> wrote:
>>>
>>> Have we determined that this is intentional vs. some screw up?
>>>>
>>>>
>>>>
>>>>
>>>> -
>>>> Mike Hammett
>>>> Intelligent Computing Solutions
>>>> http://www.ics-il.com
>>>>
>>>> Midwest-IX
>>>> http://www.midwest-ix.com
>>>>
>>>> - Original Message -
>>>>
>>>> From: "Brielle Bruns" <br...@2mbit.com>
>>>> To: nanog@nanog.org
>>>> Sent: Friday, February 10, 2017 12:28:53 PM
>>>> Subject: Re: backbones filtering unsanctioned sites
>>>>
>>>> On 2/9/17 9:18 PM, Ken Chase wrote:
>>>>
>>>>> https://torrentfreak.com/internet-backbone-provider-
>>>>>
>>>> cogent-blocks-pirate-bay-and-other-pirate-sites-170209/
>>>>
>>>>>
>>>>> /kc
>>>>>
>>>>>
>>>> Funny. Someone else got back:
>>>>
>>>> "Abuse cannot not provide you a list of websites that may be
>>>> encountering reduced visibility via Cogent"
>>>>
>>>> I almost wish I had a Cogent circuit just to bring this up with an
>>>> account rep. Almost.
>>>>
>>>> I'd very much so view this as a contractual violation on Cogent's part.
>>>>
>>>> Cogent keeps contacting me every year wanting to sell me service. This
>>>> will be a good one to bring up when they call me next time.
>>>>
>>>> --
>>>> Brielle Bruns
>>>> The Summit Open Source Development Group
>>>> http://www.sosdg.org / http://www.ahbl.org
>>>>
>>>>
>>>>
>>>

Re: backbones filtering unsanctioned sites

[Alistair Mackenzie]

Cogent also have a blackhole route-server that they will provide to you to
announce /32's for blackholing.

The address for this is 66.28.1.228 which is the originator for the
104.31.19.30/3 2 and 104.31.18.30/32 routes.

On 10 February 2017 at 18:46, Jason Rokeach  wrote:

> This looks pretty intentional to me.  From
> http://www.cogentco.com/en/network/looking-glass:
>
> BGP routing table entry for 104.31.18.30/32, version 611495773
> Paths: (1 available, best #1, table Default-IP-Routing-Table)
>   Local
> 10.255.255.255 (metric 10177050) from 154.54.66.21 (154.54.66.21)
>   Origin IGP, metric 0, localpref 150, valid, internal, best
>   Community: 174:990 174:20912 174:21001
>   Originator: 66.28.1.228, Cluster list: 154.54.66.21, 66.28.1.9
>
> BGP routing table entry for 104.31.19.30/32, version 611495772
> Paths: (1 available, best #1, table Default-IP-Routing-Table)
>   Local
> 10.255.255.255 (metric 10177050) from 154.54.66.21 (154.54.66.21)
>   Origin IGP, metric 0, localpref 150, valid, internal, best
>   Community: 174:990 174:20912 174:21001
>   Originator: 66.28.1.228, Cluster list: 154.54.66.21, 66.28.1.9
>
>
> Call it a "hunch" but I doubt 10.255.255.255 is a valid next-hop router.
>
> On Fri, Feb 10, 2017 at 1:39 PM, Mike Hammett  wrote:
>
> > Have we determined that this is intentional vs. some screw up?
> >
> >
> >
> >
> > -
> > Mike Hammett
> > Intelligent Computing Solutions
> > http://www.ics-il.com
> >
> > Midwest-IX
> > http://www.midwest-ix.com
> >
> > - Original Message -
> >
> > From: "Brielle Bruns" 
> > To: nanog@nanog.org
> > Sent: Friday, February 10, 2017 12:28:53 PM
> > Subject: Re: backbones filtering unsanctioned sites
> >
> > On 2/9/17 9:18 PM, Ken Chase wrote:
> > > https://torrentfreak.com/internet-backbone-provider-
> > cogent-blocks-pirate-bay-and-other-pirate-sites-170209/
> > >
> > > /kc
> > >
> >
> > Funny. Someone else got back:
> >
> > "Abuse cannot not provide you a list of websites that may be
> > encountering reduced visibility via Cogent"
> >
> > I almost wish I had a Cogent circuit just to bring this up with an
> > account rep. Almost.
> >
> > I'd very much so view this as a contractual violation on Cogent's part.
> >
> > Cogent keeps contacting me every year wanting to sell me service. This
> > will be a good one to bring up when they call me next time.
> >
> > --
> > Brielle Bruns
> > The Summit Open Source Development Group
> > http://www.sosdg.org / http://www.ahbl.org
> >
> >
>

IPv6 BGP prefix filters

[Alistair Mackenzie]

Hi,

So recently I've come across an issue with a large ISP announcing a /22 and
/25 of IPv6 space. We are currently filtering <28 and >48 which until now
has worked fine for us.

What are others using as their prefix filters in the DFZ?

Thanks,
Alistair

Re: Providing transit to unallocated networks

[Alistair Mackenzie]

Thanks for this, it shows as

apnic|ZZ|ipv4|103.***.***.0|1024|20160927|reserved||e-stats

I expect this still stands with it being reserved?


William, it's 100% an apnic range and shows no org and is registered
to the APNIC Hostmaster. This applies for both the ASN and the address
space.


On 28 September 2016 at 01:28, William Herrin <b...@herrin.us> wrote:

> On Tue, Sep 27, 2016 at 8:18 PM, Alistair Mackenzie <magics...@gmail.com> 
> wrote:
> > I've come across a network which seem to be getting transit yet both the
> > ASN and IP space is not allocated by the RIR.
>
> Hi Alistair,
>
> There is still unicast address space that isn't allocated by any RIR?
>
> Seriously though, check all your bases. Is not the space unallocated
> by all RIRs or just the one you expect to hold it?  If you have a
> transit provider that's not playing by the rules, contact their
> transit providers to complain and if you still don't get satisfaction,
> I'd name and shame the lot of them. Failure to filter bad actors is
> how prefix hijacking happens.
>
> Regards,
> Bill Herrin
>
>
>
> --
> William Herrin  her...@dirtside.com  b...@herrin.us
> Owner, Dirtside Systems . Web: <http://www.dirtside.com/>
>
>
On 28 September 2016 at 01:36, George Michaelson <g...@algebras.org> wrote:

> check if the block is in this file.
>
> http://labs.apnic.net/delegated-nro-extended
>
> If not, then the block is hijacked or being abused.
>
> the file format is a bit obscure: the ipv4 record is base-ip|hostcount
> but converting that to prefix length is pretty simple.
>
> -G
>
> On Wed, Sep 28, 2016 at 10:18 AM, Alistair Mackenzie
> <magics...@gmail.com> wrote:
> > Hi,
> >
> > I've come across a network which seem to be getting transit yet both the
> > ASN and IP space is not allocated by the RIR. It does appear at some
> point
> > that it was valid however this is no longer the case.
> >
> > The network is single homed and I tried asking the transit provider what
> > their policy was on this but got no answer.
> >
> > Has anyone seen anything like this? What has happened in the past with
> > things like this?
> >
> > Thanks,
> > Alistair
>

Providing transit to unallocated networks

[Alistair Mackenzie]

Hi,

I've come across a network which seem to be getting transit yet both the
ASN and IP space is not allocated by the RIR. It does appear at some point
that it was valid however this is no longer the case.

The network is single homed and I tried asking the transit provider what
their policy was on this but got no answer.

Has anyone seen anything like this? What has happened in the past with
things like this?

Thanks,
Alistair

Re: Netflix VPN detection - actual engineer needed

[Alistair Mackenzie]

+1

On 4 June 2016 at 01:35, Owen DeLong  wrote:

> I think the day that Netflix tells me to turn off IPv6 or doesn’t serve me
> content
> because one of my routes to the internet for IPv6 is via an HE tunnel (the
> other
> two are different tunnels, but all of my IPv4 also goes through tunnels)
> will be the
> day I tell Netflix that I will turn them off instead.
>
> Let’s face it folks, if we want to encourage Netflix to tell the content
> providers
> to give up the silly geo-shit, then we have to stop patronizing channels
> that do
> silly geo-shit.
>
> The only real impact is to vote with your $$$ and tell the companies you
> are
> unsubscribing from exactly why you are unsubscribing.
>
> So far, I haven’t run into an issue where I couldn’t get what I wanted to
> watch
> via a tunnel I was able to set up. When/If Netflix gets good enough to
> detect
> and block my tunnel, I’ll stop using Netflix and stop paying them. I’ll
> also
> make sure that they know why.
>
> I’m sure if they lose enough customers for this reason, they’ll choose to
> do something
> about it with their content providers. After all, the fewer subscribers
> Netflix has,
> the less they pay the content providers, too.
>
> Sure, nobody cares about my $10/month or whatever it’s up to these days,
> but if a
> few thousand of us start walking off and it starts to look like a trend,
> it can
> change things.
>
> Owen
>
> > On Jun 3, 2016, at 17:17 , Cryptographrix 
> wrote:
> >
> > Very true. Telling people to turn off IPv6 support through their customer
> > service portal is completely infuriating for those that can't get IPv6
> > through their ISP and need it.
> >
> >
> > On Fri, Jun 3, 2016 at 8:13 PM Spencer Ryan  wrote:
> >
> >> Yes but HE doesn't serve residential users directly. To a normal person
> HE
> >> is no different than NTT/GTT/Verizon/Sprint/Any other transit carrier.
> They
> >> may move the most v6 traffic, but Comcast is the largest ISP actually
> >> getting v6 to end users.
> >>
> >>
> >> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> >> *Arbor Networks*
> >> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> >> www.arbornetworks.com
> >>
> >> On Fri, Jun 3, 2016 at 8:07 PM, Cryptographrix <
> cryptograph...@gmail.com>
> >> wrote:
> >>
> >>> I don't remember the source, but I do remember that even with Comcast's
> >>> deployment, HE still represented the majority of IPv6 traffic in the
> US.
> >>>
> >>> Of course, it could just be a bunch of us heavy IPv6 users.
> >>>
> >>>
> >>>
> >>> On Fri, Jun 3, 2016 at 8:03 PM Spencer Ryan  wrote:
> >>>
>  Comcast is near 100% on their DOCSIS network (Busniess and
> residential).
>  That should be the largest single ISP for IPv6 for end users in the
> USA.
> 
> 
>  *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
>  *Arbor Networks*
>  +1.734.794.5033 (d) | +1.734.846.2053 (m)
>  www.arbornetworks.com
> 
>  On Fri, Jun 3, 2016 at 7:49 PM, Cryptographrix <
> cryptograph...@gmail.com
> > wrote:
> 
> > Depends - how many US users have native IPv6 through their ISPs?
> >
> > If I remember correctly (I can't find the source at the moment),
> HE.net
> > represents something like 70% of IPv6 traffic in the US.
> >
> > And yeah, not doing that - actually in the middle of an IPv6 project
> at
> > work at the moment that's a bit important to me.
> >
> >
> >
> >
> > On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
> > baldur.nordd...@gmail.com>
> > wrote:
> >
> >> Den 4. jun. 2016 01.26 skrev "Cryptographrix" <
> > cryptograph...@gmail.com>:
> >>>
> >>> The information I'm getting from Netflix support now is explicitly
> >> telling
> >>> me to turn off IPv6 - someone might want to stop them before they
> >>> completely kill US IPv6 adoption.
> >>
> >> Not allowing he.net tunnels is not killing ipv6. You just need need
> > native
> >> ipv6.
> >>
> >> On the other hand it would be nice if Netflix would try the other
> > protocol
> >> before blocking.
> >>
> >
> 
> 
> >>
>
>

Netflix IP Space

[Alistair Mackenzie]

Hi All,

Does anyone on either lists have a list of Netflix's IP space that they are
using for streams and "unblocker" detection?

We are doing policy based VPN and Netflix needs to be excluded from this to
work around their restrictions.

They are on AWS so not as easy as just finding their ASN...

Thanks,
Alistair

Re: Skype off line ??

[Alistair Mackenzie]

Seems fine on mobile in the UK for me too.
On 21 Sep 2015 18:36, "Paul Rolland (ポール・ロラン)"  wrote:

> Hello,
>
> On Mon, 21 Sep 2015 18:21:40 +0200
> Marco Paesani  wrote:
>
> > No solution 
> > http://heartbeat.skype.com/2015/09/skype_presence_issues.html
>
> Back for me (France): presence updated. Using Skype on Linux
>
> Paul
>

Re: IP's with jitter/packet loss and very far away

[Alistair Mackenzie]

Comcast?

On 18 September 2015 at 16:42, Dovid Bender  wrote:

> Hi,
>
> I am working on a presentation and looking to create samples of what a
> trace should not look like? Anyone have IP's that I can trace from the US
> or UK that will show
> 1) jitter
> 2) packet loss
> 3) very far away (perhaps an IP on a sat. link). Pref over 2000 ms
>
> TIA.
>
> Dovid
>

Re: BRAS sugestion

[Alistair Mackenzie]

I'm pretty sure this would get expensive for 30k+.

Perhaps try Walmart?

On 14 August 2015 at 17:01, Mike Lyon mike.l...@gmail.com wrote:

 Victoria's Secret
 On Aug 14, 2015 8:08 AM, Julian Eble juliane...@yahoo.com.br wrote:

  Hello Nanog,
  Our company are constantly growing and we're looking for a 30k+
  subscribers BRAS, does the community have a sugestion?
 
  Thank you!
 

Re: Yet Another BGP (Border Gateway Protocol) Python Implementation

[Alistair Mackenzie]

As our priority, we will do MPLS VPN, IPv6, *Flowspec* firstly. In the
future, we will consider multicast and EVPN.
Thanks.

On 7 August 2015 at 10:05, Pavel Odintsov pavel.odint...@gmail.com wrote:

 Hi!

 Thanks for your code! I have used ExaBGP for one year and will try your
 tool too!

 Do you have any plans about BGP Flow Spec?

 On Friday, August 7, 2015, Bjørn Mork bj...@mork.no wrote:

  Randy Bush ra...@psg.com javascript:; writes:
 
   perhaps dissing someone for their free code is even ruder than not
 doing
   ipv6 in 2015?  you don't have to use either.
 
  Definitely.  In any case, one advantage of open sourcing stuff is that
  you can always answer such comments with a simple
 
Patches welcome!
 
  which tends to silence critics :-)
 
 
  Bjørn
 


 --
 Sincerely yours, Pavel Odintsov

Re: GoDaddy : DoS :: Contact

[Alistair Mackenzie]

Source based black holing would work in this case providing it was done at
GoDaddy's edge.
On 3 Aug 2015 01:58, Mel Beckman m...@beckman.org wrote:

 Blackholing isn't what you want. That will still permit his source IP into
 your network, and only blackhole replies from your network, so the attack
 will still consume bandwidth. What you should request is a source IP ACL
 blocking that address at your upstream' border.

 BGP is no help in these situations, unless you use a BGP-based DDoS
 protection service.

  -mel beckman

 On Aug 2, 2015, at 5:17 PM, Jason LeBlanc jason.lebl...@infusionsoft.com
 mailto:jason.lebl...@infusionsoft.com wrote:

 Thanks Mel.  You are not being difficult, I meant DoS.  The network I
 inherited doesn't have BGP yet so I have asked our upstream to blackhole it
 and I emailed abuse neither have happened yet.  I do block it but that's
 after it hits our side.

 //Jason

 From: Mel Beckman m...@beckman.orgmailto:m...@beckman.org
 Date: Sunday, August 2, 2015 at 4:20 PM
 To: Jason LeBlanc jason.lebl...@infusionsoft.commailto:
 jason.lebl...@infusionsoft.com
 Cc: NANOG nanog@nanog.orgmailto:nanog@nanog.org
 Subject: Re: GoDaddy : DDoS :: Contact

 Not to be difficult, but how can it be a DDoS attack if it's coming from a
 single IP? Normally you would just block this IP at your borders or ask
 your upstreams to do so before it consumes your bandwidth. You still want
 to get GoDaddy to address the problem, of course, but you should do that
 via their ab...@godaddy.commailto:ab...@godaddy.com contact, or their
 abuse page at https://supportcenter.godaddy.com/AbuseReport/Index (submit
 via the malware button).

  -mel

 On Aug 2, 2015, at 12:59 PM, Jason LeBlanc jason.lebl...@infusionsoft.com
 mailto:jason.lebl...@infusionsoft.com wrote:

 My company is being DDoS'd by a single IP from a GoDaddy customer.

 I havent had success with the ab...@godaddy.commailto:ab...@godaddy.com
 email.  Was hoping someone
 that could help might be watching the list and could contact me off-list.


 //Jason

Re: Quakecon: Network Operations Center tour

[Alistair Mackenzie]

While increasing bandwidth to the endpoint isn't viable wouldn't increasing
the edge bandwidth out to the ISP be a start in the right direction?

I would assume this would a start to the problem if your attacks were
volumetric.

Once the bandwidth is there you can look at mitigation before it reaches
the endpoint, in this case the computers on the floor (assuming no NAT).
On 2 Aug 2015 16:51, Roland Dobbins rdobb...@arbor.net wrote:

 On 2 Aug 2015, at 22:44, Dave Pooser wrote:

 I wonder if that would be a reason for the relatively anemic 1Gb Internet

 pipe-- making sure that a DDoS couldn't push enough packets through to
 inconvenience the LAN party.


 While increasing bandwidth is not a viable DDoS defense tactic, decreasing
 it isn't one, either.

 ---
 Roland Dobbins rdobb...@arbor.net

Re: ISP in NYC

[Alistair Mackenzie]

Hibernia (5580) have good latency throughout Europe and are huge on AMS-IX.

Latency is around 18ms from Edinburgh to Amsterdam and 5ms from London via
their network.

Used them for transit and they gave me a circuit onto AMS-IX too which
could be worth you looking into.

Between the route servers and peers on the exchange I was getting ~210k
routes.
On 17 Jul 2015 08:22, Paul S. cont...@winterei.se wrote:

 Rather than a peer, it might be an okay idea to try out peering at NYIIX
 (and if the funds permit to get transport, AMS-IX/DE-CIX).

 You'll quickly find that peering is *very* useful in Europe, if you have
 any EU bound traffic at all.

 On 7/17/2015 午後 04:06, Colin Johnston wrote:

 good isp's / peers are in no particular order
 bt
 telstra ex psinet uk/eu

 colin

 Sent from my iPhone

  On 17 Jul 2015, at 07:52, Jared Geiger ja...@compuwizz.net wrote:

 HE uses Telia for Transit. So you won't gain much redundancy there. I
 would
 go with Cogent if you have lots of European customers and North American
 business customers. One not on your list is Level3. They would be strong
 in
 that blend too.

 You might also try joining a peering point. You'll gain a lot by just
 peering with the route servers.

  On Thu, Jul 16, 2015 at 6:34 AM, Dovid Bender do...@telecurve.com
 wrote:

 Hi,

 We are looking to peer with another ISP in NY. My options are:
 Telia
 Tata
 Cogent

 We currently have (and will keep):
 HE
 NTT
 TELX (They use NTT and HE and we are looking to replace them).

 We need an ISP that has a good peering/connectivity in Europe and Asia
 (Israel specific).

 Any advice on who to go with?

Re: NTP versions in production use?

[Alistair Mackenzie]

I’m currently running a scan of the internet and querying NTP versions.

I’ll publish the results of it on Github and mail them in here :)




On 12/07/2015 15:15, NANOG on behalf of Mike O'Connor 
nanog-boun...@nanog.org on behalf of m...@dojo.mi.org wrote:

:Thanks, and I'm kinda stunned that folks are running such ancient
:versions of NTP.

I suggest you get accustomed to being stunned.  

:https://support.ntp.org/bin/view/Dev/ReleaseTimeline
:
:4.2.0 was EOL'd in June of 2006, and we've fixed about 3,000 issues in
:the codebase since then.

4.2.0 may have been EOL'd in 2006, but it was still shipping as the
default in FreeBSD until 2009. 

Out of those 3000 issues, only a tiny fraction are security-related
that would apply to JunOS.  I expect that they backport security and
other fixes as necessary, until some bigger engineering effort and|or
headache calls for a forklift/mass upgrade of things.


-- 
 Michael J. O'Connor  m...@dojo.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
Fire me, boy! -The Human Bullet

Riot Games

[Alistair Mackenzie]

Hi,

Is there anyone on this list from Riot Games that can reach out to me?

I'm having some issues with customers reaching your network.

Thanks,
Alistair

Re: Hulu and HBO

[Alistair Mackenzie]

I know Netflix has caching boxes that the ISP can install. Perhaps Hulu and
HBO have or do the same thing?
On 17 May 2015 23:06, Mike Hammett na...@ics-il.net wrote:

 When I fire up their streams, they come from Level3 IPs. Can anyone
 confirm that Hulu and HBO come from Level 3 and not just someone that has
 the box I was talking to on Level3's network?




 -
 Mike Hammett
 Intelligent Computing Solutions
 http://www.ics-il.com



 Midwest Internet Exchange
 http://www.midwest-ix.com

Re: Route Optimization Products

[Alistair Mackenzie]

There is this but its old and not been updated in quote some time.

Never got around to playing with it.

https://github.com/kvogt/kyro

On 15 May 2015 at 17:26, Paul S. cont...@winterei.se wrote:

 Problem in this space is, none of the products offered are genuinely
 affordable.

 When your route optimization software costs more monthly than yet another
 link to yet another tier one provider... `-`


 On 5/16/2015 午前 12:27, Rafael Possamai wrote:

 Internap also has a product called MIRO, although I am not sure how it
 differs from FCP.

 On Fri, May 15, 2015 at 10:19 AM, Mike Hammett na...@ics-il.net wrote:

  What is out there for route optimization products? I can think of Noction
 (no inbound) or Internap FCP (old).



 -
 Mike Hammett
 Intelligent Computing Solutions
 http://www.ics-il.com



 Midwest Internet Exchange
 http://www.midwest-ix.com

Re: Input Regarding Cogent and NTT

[Alistair Mackenzie]

Don't be surprised if cogent contact you for even posting this.

They did it to me when I asked for hibernia.
On 5 Feb 2015 19:16, Mike Hammett na...@ics-il.net wrote:

 Working on it. ;-)

 Being an eyeball network, most of my traffic just goes to NetFlix, Akamai,
 LimeLight, FaceBook, Google, etc. anyway. Peer what you can peer, Cogent
 for customer routes, then grab a couple nicer carriers and call it a day.




 -
 Mike Hammett
 Intelligent Computing Solutions
 http://www.ics-il.com



 - Original Message -

 From: Patrick W. Gilmore patr...@ianai.net
 To: nanog@nanog.org
 Sent: Thursday, February 5, 2015 12:54:43 PM
 Subject: Re: Input Regarding Cogent and NTT

 By that logic, and giving you the benefit of the doubt that you follow
 your own advice, you have 15-20 upstreams?

 I've never tried that on a standard network with BGP as the only tool. See
 any interesting operational stuff with that many upstreams?

 Also, while many people knock Cogent, I would submit that many people have
 bad first-hand experiences with Cogent (including me).

 Every network has its bad days. Even the best companies screw customers
 from time-to-time. But the preponderance of evidence is a useful guidepost.
 Cogent is large, but does not have even half the customers NTT has. Do
 lots of people knock NTT? Given NTT's much larger number of customers,
 shouldn't that mean they have more knocks?

 If not, I submit the disparity is a useful datapoint when choosing a
 provider.

 --
 TTFN,
 patrick

 Composed on a virtual keyboard, please forgive typos.


  On Feb 5, 2015, at 12:29, Mike Hammett na...@ics-il.net wrote:
 
  A lot of people knock Cogent, but the best way to get to Cogent's
 customer's is probably through Cogent. Given that they do have a very large
 network, they're worth picking up even if you only use them for customer
 routes.
 
 
 
 
  -
  Mike Hammett
  Intelligent Computing Solutions
  http://www.ics-il.com
 
 
 
  - Original Message -
 
  From: Jack Stonebraker jack.stonebra...@mygrande.com
  To: nanog@nanog.org
  Sent: Thursday, February 5, 2015 11:24:59 AM
  Subject: Input Regarding Cogent and NTT
 
  My organization is currently shopping for some additional Transit
 Capacity to augment our existing interconnects. We've got around 8 distinct
 AS's that we're receiving transit routes from, followed by a handful of
 Public IX's and Private PNI's to AS's that warrant them. That said, the
 networks that are on our radar are Cogent and NTT. I've done some due
 diligence poking around on their Looking Glass, but I'd love to hear any
 user experiences from the community, both from a Layer 3 Perspective, as
 well as an Operational Perspective (Working with the businesses
 themselves). Feel free to contact me off-list and thanks in advance for
 your time.
 
  [cid:image002.jpg@01CFE2F3.A6F973D0]
 
 
  Jack Stonebraker | Sr. IP Network Engineer
  (512) 878-5627 | jack.stonebra...@mygrande.commailto:
 john.ho...@mygrande.com
  Grande Communications Networks
  401 Carlson Circle | San Marcos, Texas | 78666
 
 
 
 

Re: Hibernia/Atrato contacts

[Alistair Mackenzie]

Thanks for the information.

I've got a few contacts now and will be reaching out to them.
On 3 Dec 2014 02:13, Alistair Mackenzie magics...@gmail.com wrote:

 Hi,

 Does anyone have a contact for a sales/account manager at Hibernia/Atrato
 located in the UK timezone or even +1?

 Please contact me off list with the details.

 Thanks,
 Alistair

Hibernia/Atrato contacts

[Alistair Mackenzie]

Hi,

Does anyone have a contact for a sales/account manager at Hibernia/Atrato
located in the UK timezone or even +1?

Please contact me off list with the details.

Thanks,
Alistair

Re: TeliaSonera IC Contacts

[Alistair Mackenzie]

I'd be inclined to not buy from them if they are not replying to sales
emails.

You've got to ask what their NOC will be like once you are a customer...

On 29 November 2014 at 16:08, Sander Steffann san...@steffann.nl wrote:

 Hi,

  It's more of a have to buy from them as opposed to a want to buy from
 them. I'd much prefer NTT, but they are nowhere near where we are
 unfortunately.

 You were talking about Amsterdam, right? There are plenty of transits you
 can buy from.

 Cheers,
 Sander

Re: Anyone else having trouble reaching thepiratebay.se? AS39138

[Alistair Mackenzie]

All good from hibernia's network (AS5580).
On 26 Nov 2014 17:43, Javier J jav...@advancedmachines.us wrote:

 Name:   thepiratebay.se
 Address: 194.71.107.27

 Its reachable from some places and not others.

 Is it being filtered?

 Is it being hijacked?

 Email to them bounced from google apps.

 Are we now officially living in a police state?

 mtr dies at hop 2 for me:

 2. l100.nwrknj-vfttp-134.verizon-gni.net  ( 173.70.26.1 )

 Is verizon now censoring the internet for me?

Re: Anyone else having trouble reaching thepiratebay.se? AS39138

[Alistair Mackenzie]

They do some wacky routing with internal IP addresses and AS prepending to
make it seem like that they see hosted in Korea.

I have no idea why anyone would but they do.
On 26 Nov 2014 17:54, Ken Chase m...@sizone.org wrote:

 im hitting 30 hops tracing from one location, and 30 from some EC2s.
 another shows

  4. v638.core1.tor1.he.net
  5. 100ge1-2.core1.nyc4.he.net
  6. 100ge7-2.core1.lon2.he.net
  7. 100ge3-2.core1.ams1.he.net
  8. 100ge5-1.core1.fra1.he.net
  9. rrbone.dus.ecix.net
 10. te-2-1-800.bbr-dtm-01.de.infra.rrbone.net
 11. ???
 12. xe-3-2.r02.dsdfge01.de.bb.gin.ntt.net
 13. xe-0-1-0-20.r02.amstnl02.nl.bb.gin.ntt.net
 14. 129.250.9.50
 15. sl-bb21-ams-.sprintlink.net
 16. sl-crs2-lon-0-8-3-0.sprintlink.net
 17. sl-crs2-lon-.sprintlink.net
 18. sl-crs1-nyc-0-5-2-0.sprintlink.net
 19. 144.232.5.216
 20. 144.232.18.59
 21. 144.232.1.73
 22. 144.232.11.17
 23. 144.232.12.41
 24. 144.232.7.124
 25. sl-st20-sj-0-0-0.sprintlink.net
 26. sl-china6-192107-0.sprintlink.net
 27. 219.158.32.174
 28. 175.45.177.217
 29. ???

 with some 1/2 ping times by the end. that's quite the trip around the
 world,
 hitting nyc twice. (no hesprintlink peering?)

 /kc


 On Wed, Nov 26, 2014 at 12:41:07PM -0500, Javier J said:
   Name:   thepiratebay.se
   Address: 194.71.107.27
   
   Its reachable from some places and not others.
   
   Is it being filtered?
   
   Is it being hijacked?
   
   Email to them bounced from google apps.
   
   Are we now officially living in a police state?
   
   mtr dies at hop 2 for me:
   
   2. l100.nwrknj-vfttp-134.verizon-gni.net  ( 173.70.26.1 )
   
   Is verizon now censoring the internet for me?

 --
 Ken Chase - m...@sizone.org Toronto

Re: Equinix Virginia - Ethernet OOB suggestions

[Alistair Mackenzie]

Couldn't you put a router or VPN system on the single IP they are giving
you and use RFC1918 addressing space?

OOB doesn't normally justify a /24 let alone a /23.

On 10 November 2014 13:18, Ruairi Carroll ruairi.carr...@gmail.com wrote:

 Dear List,

 I've got an upcoming deployment in Equinix (DC10) and I'm struggling to
 find a provider who can give me a 100Mbit port (With a commit of about
 5-10Mbit) with a /23 or /24 of public space , for OOB purposes. We had
 hoped to use Equinixs services, however they're limiting us to a single
 public IP.

 I'm also open to other solutions - xDSL or similar, but emphasis is on
 cheap and on-net.

 Cheers
 /Ruairi

Re: peer1 contact?

[Alistair Mackenzie]

Just a heads up,

Gmail gave me a warning about this email too so that may be your problem.

On 10 October 2014 18:15, goe...@anime.net wrote:

 Can someone from peer1.net contact me?

 You are filtering your ab...@peer1.net mailbox.

 -Dan

Re: Marriott wifi blocking

[Alistair Mackenzie]

You could monitor it with something like airodump-ng and send deauth
packets if its not associated with your own BSSID(s)

On 3 October 2014 21:06, David Hubbard dhubb...@dino.hostasaurus.com
wrote:

 Saw this article:

 http://www.cnn.com/2014/10/03/travel/marriott-fcc-wi-fi-fine/

 The interesting part:

 'A federal investigation of the Gaylord Opryland Resort and
 Convention Center in Nashville found that Marriott employees
 had used containment features of a Wi-Fi monitoring system
 at the hotel to prevent people from accessing their own
 personal Wi-Fi networks.'

 I'm aware of how the illegal wifi blocking devices work, but
 any idea what legal hardware they were using to effectively
 keep their own wifi available but render everyone else's
 inaccessible?

 David