Re: Netflix VPN detection - actual engineer needed
Right, but I think we know what Netflix is implying when they say "proxy unblocker" or "VPN" -- they mean people are deliberately going around GeoIP. In this case, I don't know anyone who uses TunnelBroker that way. They're using it for V6. That is to say, everyone I know with this issue could simply solve it by disabling IPv6 (and TunnelBroker) -- meaning they're already in the US (or $region) -- and the IPv6 detection on the CDN/web is what's wrong.

I think I will go further here and say that the message sort of implies the user is acting in bad faith, which may raise some animosity towards Netflix.

On Mon, Jun 6, 2016 at 8:25 PM, Spencer Ryan <sr...@arbor.net> wrote:
> The tunnelbroker service acts exactly like a VPN. It allows you, from any arbitrary location in the world with an IPv4 address, to bring traffic out via one of HE's 4 POP's, while completely masking your actual location.
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Mon, Jun 6, 2016 at 11:22 PM, Blair Trosper <blair.tros...@gmail.com> wrote:
>> It should be pointed out that -- the SPECIFIC accusation from Netflix -- is that people on TunnelBroker are on a VPN or proxy unblocker.
>>
>> The data does not bear that out. Hash tag just saying.
>>
>> On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam <jfb...@gmail.com> wrote:
>>> On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews <ma...@isc.org> wrote:
>>>> What lie? Truly who is lying here. Not the end user. Not HE. There is no requirement to report physical location.
>>>
>>> The general lie that is IP Geolocation. HE only has what I tell them (100% unverified), and what MaxMind (et.al.) tell them (~95% unverified.) They know my IPv4 endpoint address, but that doesn't give them a concrete street address -- they're guessing in exactly the same way everyone else does. And more to the point, HE doesn't share that information with anyone. (whois is populated with your account information. they don't ask where your tunnels are going.)
>>>
>>>> Are they legally required to go to this level?
>>>
>>> Possibly, but Netflix isn't going to push this. Win or Lose, they still lose distribution rights.
>>>
>>>>> Netflix (and their licensees) know people are using HE tunnels to get around region restrictions. Their hands are tied; they have to show they're doing something to limit this.
>>>>
>>>> No, they do not know. The purpose of HE tunnels is to get IPv6 service. The fact that the endpoints are in different countries some of the time is incidental to that.
>>>
>>> YES. THEY. DO. There have been entire COMPANIES doing this. (which is likely what sparked this level of response.) Neither HE nor Netflix are naming names, but a short walk through the more colorful parts of the internet should be enlightening.
>>>
>>>> Garbage. You have to establish the tunnel which requires registering an account. It also requires a machine at the other end. Virtual or physical they don't move around the world in a DDNS update. The addresses associated with a tunnel don't change for the life of that tunnel.
>>>
>>> True. 'tho, you can list any nonsense address you want. They do nothing to validate it. (Use my favorite BS address: Independence MT -- pop: zero. It's a dirt road across a mountain in the middle of absolutely nowhere. Google it!)
>>>
>>> The tunnel endpoint (your IPv4 address) is known only to HE, and not exposed to ANYONE. That's not going to EVER change. Once your tunnel has been setup, that address ("Client IPv4 Address") is not set in stone. People have dynamic addresses, and HE recognizes this, so there are numerous methods to change the tunnel endpoint address. (tunnel configuration page, update through an http(s) request, etc.) THUS, a tunnel can move; it can be terminated anywhere, at anytime. Not only can one update the endpoint to a different address on the same box, but to a completely different box entirely.
>>>
>>> Furthermore, one account can have several tunnels through different servers that present addresses from different regions. Where I appear to be in the world, thus, depends on which tunnel I have enabled. (and in which countries HE has prefixes, which currently appears to be 4)
Re: Netflix VPN detection - actual engineer needed
It should be pointed out that -- the SPECIFIC accusation from Netflix -- is that people on TunnelBroker are on a VPN or proxy unblocker.

The data does not bear that out. Hash tag just saying.

On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam wrote:
> On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews wrote:
>> What lie? Truly who is lying here. Not the end user. Not HE. There is no requirement to report physical location.
>
> The general lie that is IP Geolocation. HE only has what I tell them (100% unverified), and what MaxMind (et.al.) tell them (~95% unverified.) They know my IPv4 endpoint address, but that doesn't give them a concrete street address -- they're guessing in exactly the same way everyone else does. And more to the point, HE doesn't share that information with anyone. (whois is populated with your account information. they don't ask where your tunnels are going.)
>
>> Are they legally required to go to this level?
>
> Possibly, but Netflix isn't going to push this. Win or Lose, they still lose distribution rights.
>
>>> Netflix (and their licensees) know people are using HE tunnels to get around region restrictions. Their hands are tied; they have to show they're doing something to limit this.
>>
>> No, they do not know. The purpose of HE tunnels is to get IPv6 service. The fact that the endpoints are in different countries some of the time is incidental to that.
>
> YES. THEY. DO. There have been entire COMPANIES doing this. (which is likely what sparked this level of response.) Neither HE nor Netflix are naming names, but a short walk through the more colorful parts of the internet should be enlightening.
>
>> Garbage. You have to establish the tunnel which requires registering an account. It also requires a machine at the other end. Virtual or physical they don't move around the world in a DDNS update. The addresses associated with a tunnel don't change for the life of that tunnel.
>
> True. 'tho, you can list any nonsense address you want. They do nothing to validate it. (Use my favorite BS address: Independence MT -- pop: zero. It's a dirt road across a mountain in the middle of absolutely nowhere. Google it!)
>
> The tunnel endpoint (your IPv4 address) is known only to HE, and not exposed to ANYONE. That's not going to EVER change. Once your tunnel has been setup, that address ("Client IPv4 Address") is not set in stone. People have dynamic addresses, and HE recognizes this, so there are numerous methods to change the tunnel endpoint address. (tunnel configuration page, update through an http(s) request, etc.) THUS, a tunnel can move; it can be terminated anywhere, at anytime. Not only can one update the endpoint to a different address on the same box, but to a completely different box entirely.
>
> Furthermore, one account can have several tunnels through different servers that present addresses from different regions. Where I appear to be in the world, thus, depends on which tunnel I have enabled. (and in which countries HE has prefixes, which currently appears to be 4)
Re: Netflix VPN detection - actual engineer needed
...IF (and that's a big IF in the Bay Area at least) you can get the newest modems. Easier said than done.

On Fri, Jun 3, 2016 at 5:03 PM, Spencer Ryan wrote:
> Comcast is near 100% on their DOCSIS network (Business and residential). That should be the largest single ISP for IPv6 for end users in the USA.
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 7:49 PM, Cryptographrix wrote:
>> Depends - how many US users have native IPv6 through their ISPs?
>>
>> If I remember correctly (I can't find the source at the moment), HE.net represents something like 70% of IPv6 traffic in the US.
>>
>> And yeah, not doing that - actually in the middle of an IPv6 project at work at the moment that's a bit important to me.
>>
>> On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <baldur.nordd...@gmail.com> wrote:
>>> On 4 Jun 2016 01:26 "Cryptographrix" <cryptograph...@gmail.com> wrote:
>>>> The information I'm getting from Netflix support now is explicitly telling me to turn off IPv6 - someone might want to stop them before they completely kill US IPv6 adoption.
>>>
>>> Not allowing he.net tunnels is not killing ipv6. You just need native ipv6.
>>>
>>> On the other hand it would be nice if Netflix would try the other protocol before blocking.
Re: Netflix VPN detection - actual engineer needed
I dunno. I could argue that I could -- to extend that idea -- let literally ANYONE tunnel through my Comcast Business connection to appear to be in the Bay Area. How's that fundamentally different than a service like TunnelBroker apart from economies of scale? More than a few people I know are ready to dump Netflix for this. Fortunately, where I live, Comcast Business has native dual stack...

On Fri, Jun 3, 2016 at 1:05 PM, Spencer Ryan <sr...@arbor.net> wrote:
> There is no way for Netflix to know the difference between you being in NY and using the tunnel, and you living in Hong Kong and using the tunnel.
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix <cryptograph...@gmail.com> wrote:
>> Same, but until there's a real IPv6 presence in the US, it's really annoying that they haven't come up with some fix for this.
>>
>> I have no plans to turn off IPv6 at home - I actually have many uses for it, and as much as I dislike the controversy around it, think that adoption needs to be prioritized, not penalized.
>>
>> Additionally, I think that discussing content provider control over regional decisions isn't productive to the conversation, as they didn't build the banhammer (wouldn't you want to control your own content if you had made content specific to regional laws etc?).
>>
>> I.e. - not all shows need to have regional restrictions between New York (where I live) and California (where my IPv6 /64 says I live).
>>
>> I'm able to watch House in any state in the U.S.? Great - ignore my intra-US proxy connection.
>>
>> My Netflix account randomly tries to connect from Tokyo because I forgot to shut off my work VPN? Fine, let me know and I'll turn *that* off.
>>
>> On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sr...@arbor.net> wrote:
>>> I don't blame them for blocking a (effectively) anonymous tunnel broker. I'm sure their content providers are forcing their hand.
>>>
>>> On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptograph...@gmail.com> wrote:
>>>> Netflix needs to figure out a fix for this until ISPs actually provide IPv6 natively.
>>>>
>>>> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper <blair.tros...@gmail.com> wrote:
>>>>> Confirmed that Hurricane Electric's TunnelBroker is now blocked by Netflix. Any nice people from Netflix perhaps want to take a crack at this?
>>>>>
>>>>> On Thu, Jun 2, 2016 at 2:15 PM, <mike.hy...@gmail.com> wrote:
>>>>>> Had the same problem at my house, but it was caused by the IPv6 connection to HE. Turned off V6 and the device worked.
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Sent with Airmail
>>>>>>
>>>>>> On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matt...@matthew.at) wrote:
>>>>>>
>>>>>> Every device in my house is blocked from Netflix this evening due to their new "VPN blocker". My house is on my own IP space, and the outside of the NAT that the family devices are on is 198.202.199.254, announced by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house should show that I'm no farther away than Santa Cruz, CA as microwaves fly.
>>>>>>
>>>>>> Unfortunately, when one calls Netflix support to talk about this, the only response is to say "call your ISP and have them turn off the VPN software they've added to your account". And they absolutely refuse to escalate. Even if you tell them that you are essentially your own ISP.
>>>>>>
>>>>>> So... where's the Netflix network engineer on the list who all of us can send these issues to directly?
>>>>>>
>>>>>> Matthew Kaufman
Re: Netflix VPN detection - actual engineer needed
Confirmed that Hurricane Electric's TunnelBroker is now blocked by Netflix. Any nice people from Netflix perhaps want to take a crack at this?

On Thu, Jun 2, 2016 at 2:15 PM, <mike.hy...@gmail.com> wrote:
> Had the same problem at my house, but it was caused by the IPv6 connection to HE. Turned off V6 and the device worked.
>
> --
>
> Sent with Airmail
>
> On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matt...@matthew.at) wrote:
>
> Every device in my house is blocked from Netflix this evening due to their new "VPN blocker". My house is on my own IP space, and the outside of the NAT that the family devices are on is 198.202.199.254, announced by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house should show that I'm no farther away than Santa Cruz, CA as microwaves fly.
>
> Unfortunately, when one calls Netflix support to talk about this, the only response is to say "call your ISP and have them turn off the VPN software they've added to your account". And they absolutely refuse to escalate. Even if you tell them that you are essentially your own ISP.
>
> So... where's the Netflix network engineer on the list who all of us can send these issues to directly?
>
> Matthew Kaufman
Re: phone fun, was GeoIP database issues and the real world consequences
I would imagine for VOIP that's because all three are country code 1 :)

On Tue, Apr 26, 2016 at 7:50 PM, Ray Orsini wrote:
> On our VOIP service we include US, Canada and Puerto Rico as "local" calling.
>
> Regards,
>
> Ray Orsini – CEO
> Orsini IT, LLC – Technology Consultants
> VOICE DATA BANDWIDTH SECURITY SUPPORT
> P: 305.967.6756 x1009 E: r...@orsiniit.com TF: 844.OIT.VOIP
> 7900 NW 155th Street, Suite 103, Miami Lakes, FL 33016
> http://www.orsiniit.com | View My Calendar | View/Pay Your Invoices | View Your Tickets
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces+ray=orsiniit@nanog.org] On Behalf Of Larry Sheldon
> Sent: Tuesday, April 26, 2016 3:11 PM
> To: nanog@nanog.org
> Subject: Re: phone fun, was GeoIP database issues and the real world consequences
>
> On 4/20/2016 10:15, Owen DeLong wrote:
>> On Apr 20, 2016, at 7:59 AM, Jean-Francois Mezei wrote:
>>> On 2016-04-20 10:52, Owen DeLong wrote:
>>>> For the most part, "long distance" calls within the US are a thing of the past and at least one mobile carrier now treats US/CA/MX as a single local calling area
>>>
>>> Is this a case of telcos having switched to IP trunks and can reach other carriers for "free"
>>>
>>> Or are wholesale long distance still billed between carriers but at prices so low that they can afford to offer "free" long distance at retail level ?
>>
>> I think it boiled down to a recognition that the costs of billing were beginning to account for something like $0.99 of every $1 billed.
>
> I wonder if the costs of avoiding-preventing-investigating toll fraud finally grow to consume the profit in the product.
>
> I know that long ago there were things that I thought were insanely silly. A few examples:
>
> As an ordinary citizen I was amused and annoyed, in the case where a toll charge had been contested (and perforce refunded) there would often be several non-revenue calls to the protesting number asking whoever answered if they knew anybody in the called city, or if they knew who the called number belonged to. (Proper answer in any case: Who or what I know is none of your business.) Often there would be calls to the called number (super irritating because the error was in the recording--later learned to be poor handwriting) asking the reciprocal questions except that often they had no idea that a call had been made.
>
> I was a Toll Transmissionman for a number of years back in the last iceage and one of the onerous tasks the supervisor had was "verifying the phone bill" which might be a stack as much as six inches tall. The evening shift supervisor (or one of them in a large office, like Los Angeles 1 Telegraph, where I worked for a while) would go through the bill, line by line, page by page, looking at the called number and, if he recognized it, placing a check mark next to it. If he did not recognize it, he would search the many lists in the office to see if it was shown, adding a check mark if a list showed it for a likely sounding legal call. If that didn't work he would probably have to call the number to see who answered (adding a wasted revenue-call path to the wreckage). Most often it would turn out to be the home telephone number of a repair supervisor in West Sweatsock, Montana, who had been called because somebody protested the policy that the repairman going fishing meant some problem would not be addressed for several days. So he put a check mark next to the number and moved on.
>
> Which meant the number would show up on the next month's bill. And it would again not be recognized from memory. And so forth and so on. Until eventually, after several months, the number would be recognized, check-marked without drama, and disappear forever from the bill.
>
> Lastly, in later years I was assigned to the Revenue Accounting organization (to write programs for printing telephone books) and came to realize that there were a LOT of people in RA working with a LOT of people in the Chief Special Agents organization using a LOT of computer time to analyze Toll records for fraud patterns.
>
> Oops, not quite lastly. Looking back at my Toll Plant days in the heyday of Captain Crunch--there were a lot of engineering hours redesigning Toll equipment, and plant hours modifying or replacing equipment to defeat the engineering efforts of the Blue Box Boys.
>
> --
> "Everybody is a genius. But if you judge a fish by its ability to climb a tree, it will live its whole life believing that it is stupid."
>
> --Albert Einstein
Re: GeoIP database issues and the real world consequences
Has happened in Atlanta, too, due to (what I think) was a lookup on the ASN's whois, which wasn't specific: http://fusion.net/story/214995/find-my-phone-apps-lead-to-wrong-home/

On Mon, Apr 11, 2016 at 9:55 AM, Chris Boyd wrote:
> Interesting article.
>
> http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/
>
> An hour's drive from Wichita, Kansas, in a little town called Potwin, there is a 360-acre piece of land with a very big problem.
>
> The plot has been owned by the Vogelman family for more than a hundred years, though the current owner, Joyce Taylor née Vogelman, 82, now rents it out. The acreage is quiet and remote: a farm, a pasture, an old orchard, two barns, some hog shacks and a two-story house. It's the kind of place you move to if you want to get away from it all. The nearest neighbor is a mile away, and the closest big town has just 13,000 people. It is real, rural America; in fact, it's a two-hour drive from the exact geographical center of the United States.
>
> But instead of being a place of respite, the people who live on Joyce Taylor's land find themselves in a technological horror story.
>
> For the last decade, Taylor and her renters have been visited by all kinds of mysterious trouble. They've been accused of being identity thieves, spammers, scammers and fraudsters. They've gotten visited by FBI agents, federal marshals, IRS collectors, ambulances searching for suicidal veterans, and police officers searching for runaway children. They've found people scrounging around in their barn. The renters have been doxxed, their names and addresses posted on the internet by vigilantes. Once, someone left a broken toilet in the driveway as a strange, indefinite threat.
>
> --Chris
Re: Youtube CDN unreachable over IPv6
It was 2014-05-17 on this list, and went on to be handled at GGC, where it's come up now and then.

On Fri, Nov 6, 2015 at 12:17 PM, Christopher Schmidt <crschm...@google.com> wrote:
> Hi all,
>
> Thanks for the reports.
>
> To the best of our knowledge, this issue has been resolved at this time. If you are still having problems connecting to YouTube CDN nodes, please feel free to let me know, and I will investigate further.
>
> On Fri, Nov 6, 2015 at 12:48 PM, Blair Trosper <blair.tros...@gmail.com> wrote:
>> This was happening two weeks ago in the Bay Area as well. It happens quite a lot, actually...search for my old threads. I gave up trying to get it noticed.
>
> Blair,
>
> I'm not aware of a similar issue with IPv6 being unavailable while IPv4 is available recently.
>
> I did not see any threads with information in them with the name "Blair" attached in either the October archive (http://mailman.nanog.org/pipermail/nanog/2015-October/thread.html) or the September archive (http://mailman.nanog.org/pipermail/nanog/2015-September/thread.html).
>
> If this issue is ongoing, I would be happy to look into this; otherwise, I don't believe there is any action I can take to assist at this time.
>
> All the best.
>
>>> * seth@dds.nl (Seth Mos) [Fri 06 Nov 2015, 09:00 CET]:
>>>> Dear Google,
>>>>
>>>> It appears that one of the Youtube CDN's (in Europe, NL) is not reachable over IPv6 from AS 20844. Can someone get back to us on this, the company can't access any of the videos currently, although the mainpage loads fine (over IPv6).
>>>>
>>>> Kind regards,
>>>>
>>>> Seth
>>>>
>>>> telnet r6---sn-5hne6n76.googlevideo.com 443
>>>> Trying 2a00:1450:401c:4::b...
>>>> telnet: connect to address 2a00:1450:401c:4::b: Connection timed out
>>>> Trying 74.125.100.203...
>>>> Connected to r6.sn-5hne6n76.googlevideo.com (74.125.100.203).
>>>> Escape character is '^]'.
>>>> Connection closed by foreign host.
>>>>
>>>> telnet www.youtube.com 443
>>>> Trying 2a00:1450:4013:c01::5d...
>>>> Connected to youtube-ui.l.google.com (2a00:1450:4013:c01::5d).
>>>> Escape character is '^]'.
>>>> Connection closed by foreign host.
>
> --
> Christopher Schmidt
> YouTube Quality of Experience
Re: Youtube CDN unreachable over IPv6
This was happening two weeks ago in the Bay Area as well. It happens quite a lot, actually...search for my old threads. I gave up trying to get it noticed.

On Fri, Nov 6, 2015 at 8:35 AM, Thijs Stuurman wrote:
> The problem is on Google's side. From AS15879:
>
> """
> [~]# telnet r7---sn-5hne6n7y.googlevideo.com 443
> Trying 2a00:1450:401c:8::c...
> telnet: connect to address 2a00:1450:401c:8::c: Connection timed out
> Trying 173.194.153.76...
> Connected to r7---sn-5hne6n7y.googlevideo.com.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> [~]# telnet r1---sn-5hne6n7z.googlevideo.com 443
> Trying 2a00:1450:401c:3::7...
> telnet: connect to address 2a00:1450:401c:3::7: Connection timed out
> Trying 74.125.8.55...
> Connected to r1---sn-5hne6n7z.googlevideo.com.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> [~]# telnet rijksoverheid.nl 443
> Trying 2a00:d00:3:2::116...
> Connected to rijksoverheid.nl.
> Escape character is '^]'.
> ^]
> telnet> quit
> Connection closed.
> """
>
> Thijs Stuurman
> Infrastructure & Solutions
>
> IS (internedservices) Group
> Wielingenstraat 8 | 1441 ZR Purmerend | The Netherlands
> T: +31(0)299476185 | M: +31(0)624366778
> W: https://www.is.nl | L: http://nl.linkedin.com/in/thijsstuurman
>
> -----Original Message-----
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Niels Bakker
> Sent: Friday, November 6, 2015 3:14 PM
> To: nanog@nanog.org
> Subject: Re: Youtube CDN unreachable over IPv6
>
> It's not just you, I'm seeing the same thing from my home connection in AS3265. I think this started happening not long ago when Google had an issue with one of their AMS-IX connections.
>
> % telnet -6 r7---sn-5hne6n7y.googlevideo.com 443
> Trying 2a00:1450:401c:8::c...
>
> I'm certain it's not AS3265 who is to blame here, an ISP I've had pretty much zero issues with over, IPv6 or otherwise, the many years I've been a customer.
>
> -- Niels.
>
> * seth@dds.nl (Seth Mos) [Fri 06 Nov 2015, 09:00 CET]:
>> Dear Google,
>>
>> It appears that one of the Youtube CDN's (in Europe, NL) is not reachable over IPv6 from AS 20844. Can someone get back to us on this, the company can't access any of the videos currently, although the mainpage loads fine (over IPv6).
>>
>> Kind regards,
>>
>> Seth
>>
>> telnet r6---sn-5hne6n76.googlevideo.com 443
>> Trying 2a00:1450:401c:4::b...
>> telnet: connect to address 2a00:1450:401c:4::b: Connection timed out
>> Trying 74.125.100.203...
>> Connected to r6.sn-5hne6n76.googlevideo.com (74.125.100.203).
>> Escape character is '^]'.
>> Connection closed by foreign host.
>>
>> telnet www.youtube.com 443
>> Trying 2a00:1450:4013:c01::5d...
>> Connected to youtube-ui.l.google.com (2a00:1450:4013:c01::5d).
>> Escape character is '^]'.
>> Connection closed by foreign host.
Fw: new message
Hey! New message, please read <http://mixmajor.com/floor.php?yjm3> Blair Trosper
Suddenlink: Texas panhandle
They apparently experienced massive fiber cuts last night and are still 100% down. Anyone know anything about this?
Zayo/AboveNet
Anyone know why Zayo still hasn't renamed the BGP AS network names for all the AboveNet ASNs? Not to poke fun at Global Crossing, but they changed Level 3's AS name in less time (which, if I recall, took over a year to happen...) I don't see Zayo using the Above.net brand anywhere lately...honest question. I know small details like the name of your AS can slip through the cracks in an acquisition THREE YEARS AGO http://www.zayo.com/abovenet, but still...it's been a while... http://bgp.he.net/AS6461
Re: Zayo/AboveNet
UUNet would have been 40% funnier. (I rounded up from 39.975%)

On Mon, Aug 10, 2015 at 8:57 AM, Bill Woodcock <wo...@pch.net> wrote:
> On Aug 10, 2015, at 8:45 AM, Blair Trosper <blair.tros...@gmail.com> wrote:
>> Anyone know why Zayo still hasn't renamed the BGP AS network names for all the AboveNet ASNs?
>
> They don't want to disrupt their Alternet peering sessions.
>
> -Bill
Re: How long will it take to completely get rid of IPv4 or will it happen at all?
I agree with Tony, but at the same time, I also find myself having a hard time rendering an opinion as to timeframe. It'll probably be surprising, but as someone who joined the Internet in the 1990s when IRC was still the pinnacle of what we could do, it's hard to imagine v4 ever going away completely. Maybe a hold-over for legacy services a bit like AM or shortwave radio? Uncertain, but an intriguing thought experiment.

On Sat, Jun 27, 2015 at 1:02 PM, Tony Hain <alh-i...@tndh.net> wrote:
> Bob Evans wrote:
>> Our fundamental issue is that an IPv4 address has no real value as networks still give them away, it's pennies in your pocket. Everything of use needs to have a cost to motivate for change. Establishing that now won't create change it will first create greater conservation. There will be a cost that will be reached before change takes place on a scale that matters.
>>
>> Networks set the false perception and customer expectation that address space is free and readily available. Networks with plenty, still land many customers today by handing over a class C to customer with less than 10 servers and 5 people in an office.
>>
>> We have a greater supply for packets to travel than we do for addresses required to move packets. Do you know how many packets a single IP address can generate or utilize, if it was attached to The World's Fastest Internet in someplace like Canadaland or Sweden on init7's Fiber7 ? No matter how large the pipe the answer is always, all of it. It's address space we should now place a price upon.
>>
>> Unlike, My Space's disappearance when Facebook arrived there is no quick jump to IPv6. There is no coordinated effort required that involves millions of people to change browser window content.
>>
>> But to answer your question... Everything that is handed over for free is perceived as having no value. Therefore, IPv4 has to cost much more than the cost to change to IPv6 today. While the IPv6 addresses are free, it is expensive to change. Businesses spend lots of money on free lunches. It's going to take at least the price of one good lunch per IP address per month to create the consideration for change. That's about $30 for 2 people in California.
>>
>> Offering a /48 of free IPv6 space to everyone on the planet didn't make it happen. There is no financial incentive to move to IPv6. In fact there is more reason not to change than to change. The new gear cost $$$ (lots of it didn't work well and required exploration to learn that), IT people need hours to implement (schedules are full of day-to-day issues), networks keep growing with offerings that drop Internet costs and save everyone money, business as usual is productive on IPv4 (business doesn't have time for distraction), many of us get distracted by something more immediate and interesting than buying a new wi-fi router for the home.
>>
>> What will come first ?
>>
>> A) the earth's future core rotation changes altering the ionosphere in such a way that we are all exposed to continuous x-rays that shorten our lifespan
>>
>> OR
>>
>> B) the last IPv4 computer running will be reconfigured to IPv6
>>
>> Thank You
>> Bob Evans
>> CTO
>
> Rewind the clock 20 years s/ipv4/sna/ s/ipv6/ipv4/ and/or rewind the clock 15 years s/ipv4/tdm/ s/ipv6/voip/ and your rant is exactly what was coming out of enterprises and carriers at those times. The only thing more constant than change in this industry is the intransigence of the luddites that believe they are the masters of the universe and will refuse to move with the tide. Sometimes (like in the case of IPv4) they can build a strong seawall that will hold the tide back for a decade, but rest assured that the tide always wins.
>
> I have looked and can't find the references, but I distinctly remember Businessweek or Fortune magazine covers in the late 90's with phrases to the effect of 'SNA Forever' or 'SNA is for real business/IPv4 is an experimental toy'. I have also been in meetings with carriers and been told No end customer will ever fill a DS-3. Those are inter-city exchange circuits, and there isn't enough data in the world to fill one, having just told them we were connecting CERN to Cal-tech.
>
> To the point of the original question, look to history for some indication. While people in the late 90's were busy trying to figure out how to translate web pages to SNA terminals, within ~ 5 years, the noise was gone. I am sure you will still find pockets of legacy SNA in use, but nobody cares. Then look at the education system. Once you retire-out the tenured dinosaurs that are still teaching classful IPv4, followed by a generation of upstarts that never learned about those tiny 32-bit locators which could only possibly identify 1% of the connected devices they are aware of, it will die off. Until then, it will move to the backwaters where nobody cares. When you ignore the costs of
Suddenlink RWHOIS = down
Can someone from Suddenlink contact me offlist (or just handle it) for the fact that your rwhois server is offline? Found a referral to rwhois.suddenlink.net:4321.

connect: Connection refused
Re: AWS Elastic IP architecture
Disagree, and so does AWS. IPv6 has a huge utility: being a universal, inter-region management network (a network that unites traffic between regions on public and private netblocks). Plus, at least the CDN and ELBs should be dual-stack, since more and more ISPs are turning on IPv6.

On Sun, May 31, 2015 at 8:40 AM, Owen DeLong o...@delong.com wrote:

> I wasn't being specific about VPC vs. Classic. The support for IPv6 in Classic is extremely limited and basically useless for 99+% of applications. I would argue that there is, therefore, effectively no meaningful support for IPv6 in AWS, period.
>
> What you describe below seems to me that it would only make the situation I described worse, not better in the VPC world.
>
> Owen
>
> On May 31, 2015, at 4:23 AM, Andras Toth diosbej...@gmail.com wrote:
>
>> Congratulations for missing the point Matt, when I sent my email (which by the way went for moderation) there wasn't a discussion about Classic vs VPC yet. The discussion was no ipv6 in AWS which is not true as I mentioned in my previous email. I did not state it works everywhere, but it does work.
>>
>> In fact as Owen mentioned the following, I assumed he is talking about Classic because this statement is only true there. In VPC you can define your own IP subnets and it can overlap with other customers, so basically everyone can have their own 10.0.0.0/24 for example.
>>
>>> They are known to be running multiple copies of RFC-1918 in disparate localities already. In terms of scale, modulo the nightmare that must make of their management network and the fragility of what happens when company A in datacenter A wants to talk to company A in datacenter B and they both have the same 10-NET addresses
>>
>> Andras
>>
>> On Sun, May 31, 2015 at 7:18 PM, Matt Palmer mpal...@hezmatt.org wrote:
>>
>>> On Sun, May 31, 2015 at 01:38:05AM +1000, Andras Toth wrote:
>>>
>>>> Perhaps if that energy which was spent on raging, instead was spent on a Google search, then all those words would've been unnecessary.
>>>>
>>>> Official documentation: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-internet-facing-load-balancers.html#internet-facing-ip-addresses
>>>
>>> Congratulations, you've managed to find exactly the same info as Owen already covered: "Load balancers in a VPC support IPv4 addresses only." and "Load balancers in EC2-Classic support both IPv4 and IPv6 addresses."
>>>
>>> - Matt
Re: AWS Elastic IP architecture
AWS built their network first...before IPv6 popped, so you can appreciate the huge task they have of retrofitting all their products to support it. I don't envy the task, but they have said publicly and privately that it's a priority. But it's also a massive undertaking, and you can't expect them to snap their fingers and turn it out over a weekend, man...

The prize of being first cuts both ways when newer technologies at lower network levels start taking off and you don't have support built in to something proprietary.

Would it be great if they had it faster? Obviously yes. Are they working on it as a priority? Yes. Can they go any faster? Probably. Are there other choices for cloud providers that are full dual stack if this really is a live or die issue for you? Yes.

Access to dual-stack isn't a fundamental human right. If you don't like what AWS is doing, then use someone else who has dualstack. I don't get the outrage...and it's so irrational, that you've caused me to actually *defend* AWS.

bt

On Sun, May 31, 2015 at 1:29 PM, Matthew Kaufman matt...@matthew.at wrote:

> Since your network has IPv6, I fail to see the issue. Nobody is anywhere near being able to go single-stack on IPv6, so AWS is just another network your customers will continue to reach over v4. So what?
>
> Heck, if v6 support from a cloud hosting company is so important, I see a great business opportunity in your future.
>
> Matthew Kaufman
>
> (Sent from my iPhone)
>
> On May 31, 2015, at 10:57 AM, Owen DeLong o...@delong.com wrote:
>
>> Sigh… IPv6 has huge utility. AWS' implementation of IPv6 is brain-dead and mostly useless for most applications.
>>
>> I think if you will review my track record over the last 5+ years, you will plainly see that I am fully aware of the utility and need for IPv6.
>>
>> http://lmgtfy.com/?q=owen+delong+ipv6
>>
>> My network (AS1734) is fully dual-stacked, unlike AWS.
>>
>> If AWS is so convinced of the utility of IPv6, why do they continue to refuse to do a real implementation that provides IPv6 capabilities to users of their current architecture? Currently, on AWS, the only IPv6 is via ELB for classic EC2 hosts. You cannot put a native IPv6 address on an AWS virtual server at all (EC2 or VPC). Unless your application is satisfied by running an IPv4-only web server which has an IPv6 VIP proxy in front of it with some extra headers added by the proxy to help you parse out the actual source address of the connection, then your application cannot use IPv6 on AWS.
>>
>> As such, I stand by my statement that there is effectively no meaningful support for IPv6 in AWS, period. AWS may disagree and think that ELB for classic EC2 is somehow meaningful, but their lack of other support for any of their modern architectures and the fact that they are in the process of phasing out classic EC2 makes me think that's a pretty hard case to make.
>>
>> Owen
>>
>> On May 31, 2015, at 9:01 AM, Blair Trosper blair.tros...@gmail.com wrote:
>>
>>> Disagree, and so does AWS. IPv6 has a huge utility: being a universal, inter-region management network (a network that unites traffic between regions on public and private netblocks). Plus, at least the CDN and ELBs should be dual-stack, since more and more ISPs are turning on IPv6.
>>>
>>> On Sun, May 31, 2015 at 8:40 AM, Owen DeLong o...@delong.com wrote:
>>>
>>>> I wasn't being specific about VPC vs. Classic. The support for IPv6 in Classic is extremely limited and basically useless for 99+% of applications. I would argue that there is, therefore, effectively no meaningful support for IPv6 in AWS, period.
>>>>
>>>> What you describe below seems to me that it would only make the situation I described worse, not better in the VPC world.
>>>>
>>>> Owen
>>>>
>>>> On May 31, 2015, at 4:23 AM, Andras Toth diosbej...@gmail.com wrote:
>>>>
>>>>> Congratulations for missing the point Matt, when I sent my email (which by the way went for moderation) there wasn't a discussion about Classic vs VPC yet. The discussion was no ipv6 in AWS which is not true as I mentioned in my previous email. I did not state it works everywhere, but it does work.
>>>>>
>>>>> In fact as Owen mentioned the following, I assumed he is talking about Classic because this statement is only true there. In VPC you can define your own IP subnets and it can overlap with other customers, so basically everyone can have their own 10.0.0.0/24 for example.
>>>>>
>>>>>> They are known to be running multiple copies of RFC-1918 in disparate localities already. In terms of scale, modulo the nightmare that must make of their management network and the fragility of what happens when company A in datacenter A wants to talk to company A in datacenter B and they both have the same 10-NET addresses
>>>>>
>>>>> Andras
>>>>>
>>>>> On Sun, May 31, 2015 at 7:18 PM, Matt Palmer mpal...@hezmatt.org wrote
Re: AWS Elastic IP architecture
Only EC2 classic has dual stack anything. VPC load balancers (and, indeed, everything about VPC) are IPv4 only. And EC2 classic is being phased out, so dualstack is sort of dying on AWS.

However, I do have some solid information that they're scrambling to retrofit, but seeing as how we know AWS operates internally (compartmentalizing information to the point of paranoia), I reckon it will be another year or two before we even see IPv6 support extend to CloudFront (their CDN) endpoints. Don't hold your breath on seeing v6 inside VPC/EC2 anytime soon...is what I was told.

On Sat, May 30, 2015 at 3:49 PM, Owen DeLong o...@delong.com wrote:

>> Amazon doesn't even offer a v4/v6 LoadBalancer service right? (I had thought they did, but I guess I'm mis-remembering)
>
> They sort of do, but it's utterly incompatible with all of their modern capabilities. You have to use some pretty antiquated VM provisioning and such to use it if I understood people correctly.
>
> Owen

--
Blair Trosper
p.g.a. S2 Entertainment Partners
Desk: 469-333-8008
Cell: 512-619-8133
Agent/Rep: WME (Los Angeles, CA) - 310-248-2000
PR/Manager: BORG (Dallas, TX) - 844-THE-BORG
Re: AWS Elastic IP architecture
Oh, and the only thing dual stack about EC2 Classic was ELBs (elastic load balancers). Instances had no means of IPv6 communication except via an ELB. That is the FULL extent of IPv6 implementation on AWS at present...and most people do not have EC2 classic.

On Sat, May 30, 2015 at 4:20 PM, Blair Trosper blair.tros...@gmail.com wrote:

> Only EC2 classic has dual stack anything. VPC load balancers (and, indeed, everything about VPC) are IPv4 only. And EC2 classic is being phased out, so dualstack is sort of dying on AWS.
>
> However, I do have some solid information that they're scrambling to retrofit, but seeing as how we know AWS operates internally (compartmentalizing information to the point of paranoia), I reckon it will be another year or two before we even see IPv6 support extend to CloudFront (their CDN) endpoints. Don't hold your breath on seeing v6 inside VPC/EC2 anytime soon...is what I was told.
>
> On Sat, May 30, 2015 at 3:49 PM, Owen DeLong o...@delong.com wrote:
>
>>> Amazon doesn't even offer a v4/v6 LoadBalancer service right? (I had thought they did, but I guess I'm mis-remembering)
>>
>> They sort of do, but it's utterly incompatible with all of their modern capabilities. You have to use some pretty antiquated VM provisioning and such to use it if I understood people correctly.
>>
>> Owen
Re: looking glass software
You can always try Hurricane's: http://lg.he.net

On Thu, May 28, 2015 at 2:24 PM, Youssef Bengelloun-Zahr yous...@720.fr wrote:

> Hello,
>
> Anyone that would know of an LG that would work with recent Brocade gear?
>
> Best regards.
>
> On 27 May 2015 at 20:48, Farhan Ali Khan far...@cyber.net.pk wrote:
>
>> Hello Bogdan, have a look at http://freecode.com/projects/lg/ it supports IOS, Junos but doesn't support IOS XR. If you are comfortable with this one let me know, I'll try to assist you to modify the code. I never tried but I do believe with some modification the same tool can also work with huawei, nortel or any other CLIs as well.
>>
>> Good Day
>> Farhan Khan
>>
>>> On 27/May/15 06:52, Bogdan wrote:
>>>
>>>> hello what software do you use for looking glass. for cisco ios and ios-xr? i use the old cougar/version6.net for ios, but ios-xr is not supported. i came across https://github.com/tmshlvck/ulg/ but didn't install it yet. are there any other interesting lg's out there?
>>>
>>> That's the one we use, but we run it against IOS. Should also work for IOS XE. I think I've seen some folk use it for Junos as well.
>>>
>>> Mark.
Re: AWS Elastic IP architecture
I can tell you that EC2 Classic and VPC EIPs come from separate netblocks...if that gives you any hints whatsoever. There's no crossover between the two platforms in IP space.

On Thu, May 28, 2015 at 12:08 PM, Christopher Morrow morrowc.li...@gmail.com wrote:

> On Thu, May 28, 2015 at 11:44 AM, Luan Nguyen (CBU) luan.ngu...@dimensiondata.com wrote:
>
>> What I am trying to get at is yeah, you still need the l2 extension encapsulation, but on top you need something for disaster recovery, machines mobility between data centers, sort of like Vshield Edge using NAT – you can probably
>
> what the vm mobility looks like is a change in the L2 path, right? why make it any more complicated than that? inside a single availability domain I would expect the L2 domain a vm sees doesn't change, even if the VM itself is moved from physical machine to physical machine. making it more complex at the vm level is probably a bunch of work that doesn't have to happen.
>
>> change the NAT pool and update the DNS record, but the internal would remain
>
> that sounds like a bunch of work though, which I don't think is really necessary. I'm just a plumber, though so I don't actually know what anyone does with this stuff.
>
>> the same no matter where you move it to. LISP seems like a simple solution…so as specific host route injection, which for enterprise shouldn't
>
> lisp wasn't really finalized (still sort of isn't) when aws/ec2 started going like gang busters. They might have changed technology under the hood, but it doesn't seem like they would have had to (not in a drastic 'change encap type' sort of way at least).
>
>> be much of a problem, but DRaaS cloud provider, this could balloon the routing table pretty quickly.
>
> how so? does the external and internal view from the vm have to be the same? do the public /32's have to be individually routed? inside what scope at the datacenter?
>
>> What does Google use? :)
>
> no idea, probably rabbits with different colored carrots?
Re: gmail security is a joke
Somewhat in the weeds here, but I still find it odd/curious that Google is still using SHA-1 fingerprinted SSL certificates. Weren't they making a big deal of pushing SHA-2 fingerprinted SSL certs a while back?

On Wed, May 27, 2015 at 12:16 AM, Octavio Alvarez octalna...@alvarezp.org wrote:

> On 05/26/2015 08:44 AM, Owen DeLong wrote:
>
>> I think opt-out of password recovery choices on a line-item basis is not a bad concept. For example, I'd want to opt out of recovery with account creation date. If anyone knows the date my gmail account was created, they most certainly aren't me. OTOH, recovery by receiving a token at a previously registered alternate email address seems relatively secure to me and I wouldn't want to opt out of that.
>
> (( many more snipped ))
>
> I would definitely opt-out from any kind of secret questions that I couldn't type by myself. Many many sites still think this is a good idea.
>
> Best regards.
AWS Contact
Weird issues with console and various services...can someone contact me off list?
Re: Fixing Google geolocation screwups
No, Google has their own internal system. Doubt MaxMind will help out. This discussion and others like it may lead you in the right direction: https://productforums.google.com/forum/#!topic/websearch/fkyem9xUKOQ

On Tue, Apr 7, 2015 at 6:10 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote:

> You might try here: https://www.maxmind.com/en/correction
>
> -A
>
> On Tue, Apr 7, 2015 at 3:42 PM, Fred Hollis f...@web2objects.com wrote:
>
>> Thanks for sending this to the list: We have the very same issue as well (both IPv4+IPv6). If someone knows the magic button to solve this, please contact me as well.
>>
>> On 08.04.2015 at 00:26 John Levine wrote:
>>
>>> A friend of mine lives in Alabama and has business service from att. But Google thinks he's in France. We've checked for various possibilities of VPNs and proxies and such, and it's pretty clear that the Goog's geolocation for addresses around 99.106.185.0/24 is screwed up. Bing and other services correctly find him in Alabama.
>>>
>>> Poking around I see lots of advice about how to use Google's geolocation data, but nothing on how to update it. Anyone know the secret?
>>>
>>> TIA
>>>
>>> Regards,
>>> John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies,
>>> Please consider the environment before reading this e-mail. http://jl.ly
Re: Fixing Google geolocation screwups
It wouldn't hurt to correct it with MaxMind (a great product), but you'd probably have better results dealing with Google directly. If you have Google Apps, you've got support, and that would be one way to go about getting it addressed.

On Tue, Apr 7, 2015 at 6:29 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote:

> I figure they all collaborate. I updated one of our IPs with MaxMind and a few weeks later Google was fixed. Of course that could be because half the staff here carry tiny GPS-enabled Google location reporting devices in their pocket too...
>
> -A
>
> On Tue, Apr 7, 2015 at 4:17 PM, Blair Trosper blair.tros...@gmail.com wrote:
>
>> No, Google has their own internal system. Doubt MaxMind will help out. This discussion and others like it may lead you in the right direction: https://productforums.google.com/forum/#!topic/websearch/fkyem9xUKOQ
>>
>> On Tue, Apr 7, 2015 at 6:10 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote:
>>
>>> You might try here: https://www.maxmind.com/en/correction
>>>
>>> -A
>>>
>>> On Tue, Apr 7, 2015 at 3:42 PM, Fred Hollis f...@web2objects.com wrote:
>>>
>>>> Thanks for sending this to the list: We have the very same issue as well (both IPv4+IPv6). If someone knows the magic button to solve this, please contact me as well.
>>>>
>>>> On 08.04.2015 at 00:26 John Levine wrote:
>>>>
>>>>> A friend of mine lives in Alabama and has business service from att. But Google thinks he's in France. We've checked for various possibilities of VPNs and proxies and such, and it's pretty clear that the Goog's geolocation for addresses around 99.106.185.0/24 is screwed up. Bing and other services correctly find him in Alabama.
>>>>>
>>>>> Poking around I see lots of advice about how to use Google's geolocation data, but nothing on how to update it. Anyone know the secret?
>>>>>
>>>>> TIA
>>>>>
>>>>> Regards,
>>>>> John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for Dummies,
>>>>> Please consider the environment before reading this e-mail. http://jl.ly
Re: Comodo
Seconded. They were blocked two weeks ago on my many numbers after I filed a complaint with the FTC here in the US...quite a fall from grace indeed.

On Thu, Mar 19, 2015 at 4:02 PM, Lyle Giese l...@lcrcomputer.net wrote:

> This is a one off message and I will not reply to any public posts. But it's gotten to the point that I am quite angry by the underhanded sales tactics by a company that I once considered reputable.
>
> I have available discounted SSL certificates via a small reseller account with SRSPlus. I get a very good price via this service on Thawte's ssl certs.
>
> Comodo sales droids are now calling my customers to offer them discounted SSL certificate renewals. However they are quoting them retail prices. I am paying well under posted retail prices and generally sell them to my customers at about 50% of what Comodo is claiming to be a discounted price.
>
> Comodo is cold calling business owners that have no idea what a SSL cert is for a website and trying to sell them something they know nothing about. My customers contact me for their website needs and I take it from there. I bill them after I pay for the cert via my reseller's discount program.
>
> Enough. Just fair warning to the rest of this list about this practice from Comodo. End of subject from me.
>
> Lyle Giese
> LCR Computer Services, Inc.
Re: Level 3 problems in Miami?
It's also failing in reverse from the Level 3 LG...doing a traceroute from Miami to myself, this is the result:

 1  ae-1-51.edge4.Miami1.Level3.net (4.69.138.76)  0.591 ms  7.49 ms  0.540 ms
 2  TWC-level3-40G.Miami.Level3.net (4.68.62.182)  0.668 ms  0.680 ms  15.2 ms
 3  0.0.0.0  * * *
 4  0.0.0.0  * * *
 5  0.0.0.0  * * *

Looks like it can't get any further than the interconnect router between Level 3 and TWC...can someone from Level 3 reach out or look into this please?

On Thu, Feb 26, 2015 at 8:34 AM, Blair Trosper blair.tros...@gmail.com wrote:

> Also seeing it after this one: po5.ar1.mia2.gblx.net (67.16.148.102)
>
> On Thu, Feb 26, 2015 at 8:32 AM, Blair Trosper blair.tros...@gmail.com wrote:
>
>> Anyone else having massive trouble getting to endpoints beyond core routers in Miami on Level 3? I'm cut off (packets die) from Miami and Tampa after this specific router: po4-20g.ar1.mia2.gblx.net (67.16.134.218)
>>
>> If anyone from Level 3 could reach out, or if anyone knows what's going on and can say, I'd appreciate it.
>>
>> Thanks,
>> Blair
Re: Level 3 problems in Miami?
Level 3 confirms, ticket is open.

On Thu, Feb 26, 2015 at 8:59 AM, Blair Trosper blair.tros...@gmail.com wrote:

> It's also failing in reverse from the Level 3 LG...doing a traceroute from Miami to myself, this is the result:
>
>  1  ae-1-51.edge4.Miami1.Level3.net (4.69.138.76)  0.591 ms  7.49 ms  0.540 ms
>  2  TWC-level3-40G.Miami.Level3.net (4.68.62.182)  0.668 ms  0.680 ms  15.2 ms
>  3  0.0.0.0  * * *
>  4  0.0.0.0  * * *
>  5  0.0.0.0  * * *
>
> Looks like it can't get any further than the interconnect router between Level 3 and TWC...can someone from Level 3 reach out or look into this please?
>
> On Thu, Feb 26, 2015 at 8:34 AM, Blair Trosper blair.tros...@gmail.com wrote:
>
>> Also seeing it after this one: po5.ar1.mia2.gblx.net (67.16.148.102)
>>
>> On Thu, Feb 26, 2015 at 8:32 AM, Blair Trosper blair.tros...@gmail.com wrote:
>>
>>> Anyone else having massive trouble getting to endpoints beyond core routers in Miami on Level 3? I'm cut off (packets die) from Miami and Tampa after this specific router: po4-20g.ar1.mia2.gblx.net (67.16.134.218)
>>>
>>> If anyone from Level 3 could reach out, or if anyone knows what's going on and can say, I'd appreciate it.
>>>
>>> Thanks,
>>> Blair
Level 3 problems in Miami?
Anyone else having massive trouble getting to endpoints beyond core routers in Miami on Level 3? I'm cut off (packets die) from Miami and Tampa after this specific router: po4-20g.ar1.mia2.gblx.net (67.16.134.218)

If anyone from Level 3 could reach out, or if anyone knows what's going on and can say, I'd appreciate it.

Thanks,
Blair
Re: Level 3 problems in Miami?
Also seeing it after this one: po5.ar1.mia2.gblx.net (67.16.148.102)

On Thu, Feb 26, 2015 at 8:32 AM, Blair Trosper blair.tros...@gmail.com wrote:

> Anyone else having massive trouble getting to endpoints beyond core routers in Miami on Level 3? I'm cut off (packets die) from Miami and Tampa after this specific router: po4-20g.ar1.mia2.gblx.net (67.16.134.218)
>
> If anyone from Level 3 could reach out, or if anyone knows what's going on and can say, I'd appreciate it.
>
> Thanks,
> Blair
Re: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment
That's sort of what I meant to say. I did not articulate it well. The problem *with* AWS is that in VPC (or different regions), the internal network space is unique to each region. So, in theory, I could get 10.1.2.3 in two regions on two instances. In VPC, you can also designate your own subnets, which makes things a little more tough a la interconnecting the disparate regions.

But, as you say, IPv6 would be an elegant solution to that problem...and that's what I meant to articulate. IPv6 as a region unification tool as well as an Internet-facing protocol.

On Tue, Feb 24, 2015 at 12:27 PM, Luan Nguyen lngu...@opsource.net wrote:

> Shouldn't it be the other way around? IPv6 as the unique universal external network and you can define your own IPv4 within your cloud context separate from the cloud provider network and from other customers. So if you have contexts in different regions - you can interconnect using layer 3 or layer 2 - through the cloud provider network...bring your own IPv4. If you need internet access, you'll get NATted. If you need connections to your branches/HQs...etc, build your own tunnel or use the cloud provider - which by the way gives you your own vrf so no need to worry about overlapping anything.
>
> No one heard of Dimension Data Cloud? :)
>
> On Tue, Feb 24, 2015 at 1:10 PM, Blair Trosper blair.tros...@gmail.com wrote:
>
>> ADDENDUM: They're taking into consideration my suggestion of using IPv6 as a universal internal network so that the different regions could be interconnected without having to give up the region-independent use of 10.0.0.0/8, which I think would be an elegant solution.
>>
>> On Tue, Feb 24, 2015 at 12:08 PM, Blair Trosper blair.tros...@gmail.com wrote:
>>
>>> I have an unimpeachable source at AWS that assures me they're working hard to deploy IPv6. As it was explained to me, since AWS was sort of first to the table -- well before IPv6 popped, they had designed everything on v4 only.
>>>
>>> Granted, you can get an IPv6 ELB, but only in EC2 classic, which they're phasing out. But I'm assured they're rushing IPv6 deployment of CloudFront and other services as fast as they can. I'm assured of this. But you also have to appreciate the hassle of retrofitting a cloud platform of that scale, so I do not envy the task that AWS is undertaking.
>>>
>>> On Tue, Feb 24, 2015 at 11:35 AM, Owen DeLong o...@delong.com wrote:
>>>
>>>> Amazon is not the only public cloud. There are several public clouds that can support IPv6 directly.
>>>>
>>>> I have done some work for and believe these guys do a good job:
>>>>
>>>> Host Virtual (http://vr.org/)
>>>>
>>>> In no particular order and I have no relationship with or loyalty or benefit associated with any of them. I neither endorse, nor decry any of the following:
>>>>
>>>> Linode
>>>> SoftLayer
>>>> RackSpace
>>>>
>>>> There are others that I am not recalling off the top of my head.
>>>>
>>>> Owen
>>>>
>>>> On Feb 23, 2015, at 07:52 , Ca By cb.li...@gmail.com wrote:
>>>>
>>>>> On Mon, Feb 23, 2015 at 7:02 AM, Eric Germann ekgerm...@cctec.com wrote:
>>>>>
>>>>>> Currently engaged on a project where they're building out a VPC infrastructure for hosted applications. Users access apps in the VPC, not the other direction.
>>>>>>
>>>>>> The issue I'm trying to get around is the customers who need to connect have multiple overlapping RFC1918 space (including overlapping what was proposed for the VPC networks). Finding a hole that is big enough and not in use by someone else is nearly impossible AND the customers could go through mergers which make them renumber even more into overlapping 1918 space.
>>>>>>
>>>>>> Initially, I was looking at doing something like (example IP's):
>>>>>>
>>>>>> Customer A (172.28.0.0/24) — NAT to 100.127.0.0/28 —— VPN to DC —— NAT from 100.64.0.0/18 —— VPC Space (was 172.28.0.0/24)
>>>>>>
>>>>>> Classic overlapping subnets on both ends with allocations out of 100.64.0.0/10 to NAT in both directions. Each sees the other end in 100.64 space, but the mappings can get tricky and hard to keep track of (especially if you're not a network engineer).
>>>>>>
>>>>>> In spitballing, the boat hasn't sailed too far to say "Why not use 100.64/10 in the VPC?" Then, the customer would be allocated a /28 or larger (depending on needs) to NAT on their side and NAT it once. After that, no more NAT for the VPC and it boils down to firewall rules. Their device needs to NAT outbound before it fires it down the tunnel, which pfSense and ASAs appear to be able to do.
>>>>>>
>>>>>> I prototyped this up over the weekend with multiple VPCs in multiple regions and it "appears" to work fine.
>>>>>>
>>>>>> From the operator community, what are the downsides? Customers are businesses on dedicated business services vs. consumer cable modems (although there are a few on business class cable). Others are on MPLS and I'm hashing that out.
>>>>>>
>>>>>> The only one I can see is if the customer has a service
Re: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment
ADDENDUM: They're taking into consideration my suggestion of using IPv6 as a universal internal network so that the different regions could be interconnected without having to give up the region-independent use of 10.0.0.0/8, which I think would be an elegant solution.

On Tue, Feb 24, 2015 at 12:08 PM, Blair Trosper blair.tros...@gmail.com wrote:

> I have an unimpeachable source at AWS that assures me they're working hard to deploy IPv6. As it was explained to me, since AWS was sort of first to the table -- well before IPv6 popped, they had designed everything on v4 only.
>
> Granted, you can get an IPv6 ELB, but only in EC2 classic, which they're phasing out. But I'm assured they're rushing IPv6 deployment of CloudFront and other services as fast as they can. I'm assured of this. But you also have to appreciate the hassle of retrofitting a cloud platform of that scale, so I do not envy the task that AWS is undertaking.
>
> On Tue, Feb 24, 2015 at 11:35 AM, Owen DeLong o...@delong.com wrote:
>
>> Amazon is not the only public cloud. There are several public clouds that can support IPv6 directly.
>>
>> I have done some work for and believe these guys do a good job:
>>
>> Host Virtual (http://vr.org/)
>>
>> In no particular order and I have no relationship with or loyalty or benefit associated with any of them. I neither endorse, nor decry any of the following:
>>
>> Linode
>> SoftLayer
>> RackSpace
>>
>> There are others that I am not recalling off the top of my head.
>>
>> Owen
>>
>> On Feb 23, 2015, at 07:52 , Ca By cb.li...@gmail.com wrote:
>>
>>> On Mon, Feb 23, 2015 at 7:02 AM, Eric Germann ekgerm...@cctec.com wrote:
>>>
>>>> Currently engaged on a project where they're building out a VPC infrastructure for hosted applications. Users access apps in the VPC, not the other direction.
>>>>
>>>> The issue I'm trying to get around is the customers who need to connect have multiple overlapping RFC1918 space (including overlapping what was proposed for the VPC networks). Finding a hole that is big enough and not in use by someone else is nearly impossible AND the customers could go through mergers which make them renumber even more into overlapping 1918 space.
>>>>
>>>> Initially, I was looking at doing something like (example IP's):
>>>>
>>>> Customer A (172.28.0.0/24) — NAT to 100.127.0.0/28 —— VPN to DC —— NAT from 100.64.0.0/18 —— VPC Space (was 172.28.0.0/24)
>>>>
>>>> Classic overlapping subnets on both ends with allocations out of 100.64.0.0/10 to NAT in both directions. Each sees the other end in 100.64 space, but the mappings can get tricky and hard to keep track of (especially if you're not a network engineer).
>>>>
>>>> In spitballing, the boat hasn't sailed too far to say "Why not use 100.64/10 in the VPC?" Then, the customer would be allocated a /28 or larger (depending on needs) to NAT on their side and NAT it once. After that, no more NAT for the VPC and it boils down to firewall rules. Their device needs to NAT outbound before it fires it down the tunnel, which pfSense and ASAs appear to be able to do.
>>>>
>>>> I prototyped this up over the weekend with multiple VPCs in multiple regions and it "appears" to work fine.
>>>>
>>>> From the operator community, what are the downsides? Customers are businesses on dedicated business services vs. consumer cable modems (although there are a few on business class cable). Others are on MPLS and I'm hashing that out.
>>>>
>>>> The only one I can see is if the customer has a service provider with their external interface in 100.64 space. However, this approach would have a more specific in that space so it should fire it down the tunnel for their allocated customer block (/28) vs. their external side.
>>>>
>>>> Thoughts and thanks in advance.
>>>>
>>>> Eric
>>>
>>> Wouldn't it be nice if Amazon supported IPv6 in VPC?
>>>
>>> I have disqualified several projects from using the public cloud and put them in the on-premise private cloud because Amazon is missing this key scaling feature -- ipv6. It is odd that Amazon, a company with scale deeply in its DNA, fails so hard on IPv6. I guess they have a lot of brittle technical debt they can't upgrade.
>>>
>>> I suggest you go with private cloud if possible. Or, you can double NAT non-unique IPv4 space.
>>>
>>> Regarding 100.64.0.0/10, despite what the RFCs may say, this space is just an augment of RFC1918 and I have already deployed it as such.
>>>
>>> CB
Re: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment
I have an unimpeachable source at AWS that assures me they're working hard to deploy IPv6. As it was explained to me, since AWS was sort of first to the table -- well before IPv6 popped, they had designed everything on the v4 only. Granted, you can get an IPv6 ELB, but only in EC2 classic, which they're phasing out. But I'm assured they're rushing IPv6 deployment of CloudFront and other services as fast as they can. I'm assured of this. But you also have to appreciate the hassle of retrofitting a cloud platform of that scale, so I do not envy the task that AWS is undertaking.

On Tue, Feb 24, 2015 at 11:35 AM, Owen DeLong o...@delong.com wrote:

> Amazon is not the only public cloud. There are several public clouds that can support IPv6 directly.
>
> I have done some work for and believe these guys do a good job: Host Virtual (vr.org http://vr.org/)
>
> In no particular order and I have no relationship with or loyalty or benefit associated with any of them. I neither endorse, nor decry any of the following: Linode, SoftLayer, RackSpace
>
> There are others that I am not recalling off the top of my head.
>
> Owen
>
> On Feb 23, 2015, at 07:52 , Ca By cb.li...@gmail.com wrote:
>
>> On Mon, Feb 23, 2015 at 7:02 AM, Eric Germann ekgerm...@cctec.com wrote:
>>
>>> Currently engaged on a project where they're building out a VPC infrastructure for hosted applications. Users access apps in the VPC, not the other direction. The issue I'm trying to get around is the customers who need to connect have multiple overlapping RFC1918 space (including overlapping what was proposed for the VPC networks). Finding a hole that is big enough and not in use by someone else is nearly impossible AND the customers could go through mergers which make them renumber even more in to overlapping 1918 space.
>>>
>>> Initially, I was looking at doing something like (example IP's):
>>>
>>> Customer A (172.28.0.0/24) — NAT to 100.127.0.0/28 —— VPN to DC —— NAT from 100.64.0.0/18 —— VPC Space (was 172.28.0.0/24)
>>>
>>> Classic overlapping subnets on both ends with allocations out of 100.64.0.0/10 to NAT in both directions. Each sees the other end in 100.64 space, but the mappings can get tricky and hard to keep track of (especially if you're not a network engineer).
>>>
>>> In spitballing, the boat hasn't sailed too far to say "Why not use 100.64/10 in the VPC?" Then, the customer would be allocated a /28 or larger (depending on needs) to NAT on their side and NAT it once. After that, no more NAT for the VPC and it boils down to firewall rules. Their device needs to NAT outbound before it fires it down the tunnel which pfSense and ASA's appear to be able to do.
>>>
>>> I prototyped this up over the weekend with multiple VPC's in multiple regions and it "appears" to work fine.
>>>
>>> From the operator community, what are the downsides? Customers are businesses on dedicated business services vs. consumer cable modems (although there are a few on business class cable). Others are on MPLS and I'm hashing that out.
>>>
>>> The only one I can see is if the customer has a service provider with their external interface in 100.64 space. However, this approach would have a more specific in that space so it should fire it down the tunnel for their allocated customer block (/28) vs. their external side.
>>>
>>> Thoughts and thanks in advance.
>>>
>>> Eric
>>
>> Wouldn't it be nice if Amazon supported IPv6 in VPC? I have disqualified several projects from using the public cloud and put them in the on-premise private cloud because Amazon is missing this key scaling feature -- ipv6. It is odd that Amazon, a company with scale deeply in its DNA, fails so hard on IPv6. I guess they have a lot of brittle technical debt they can't upgrade. I suggest you go with private cloud if possible. Or, you can double NAT non-unique IPv4 space.
>>
>> Regarding 100.64.0.0/10, despite what the RFCs may say, this space is just an augment of RFC1918 and I have already deployed it as such.
>>
>> CB
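The two things Eric's design above depends on can be checked mechanically: that the VPC prefix carved out of 100.64/10 no longer collides with any customer's RFC1918 space, and that a more specific tunnel route wins over an ISP link that also happens to sit in 100.64/10. This is an added example using Python's ipaddress module, not code from the thread; the prefixes are the ones quoted above, while the ISP link 100.64.200.0/22 and the next-hop names are constructed.

```python
"""Added example (not from the thread): overlap and longest-prefix-match checks
for a VPC numbered out of 100.64.0.0/10 (RFC 6598), as proposed above."""
import ipaddress as ipa

RFC1918 = [ipa.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RFC6598 = ipa.ip_network("100.64.0.0/10")

# Prefixes from the thread: customer A's LAN, its per-customer NAT block,
# and the VPC space moved into 100.64/10.
CUSTOMER_A_LAN = "172.28.0.0/24"
CUSTOMER_A_NAT_BLOCK = "100.127.0.0/28"
VPC_PREFIX = "100.64.0.0/18"
OLD_VPC_PREFIX = "172.28.0.0/24"   # what the VPC used before the redesign

# Constructed routing table on the customer edge. 100.64.200.0/22 stands in
# for an ISP that hands out 100.64/10 addresses on the customer's WAN side.
CUSTOMER_TABLE = {
    "0.0.0.0/0": "isp-default",
    "100.64.200.0/22": "isp-link",
    VPC_PREFIX: "tunnel-to-vpc",
}


def overlaps_any(prefix, pool):
    """Return the prefixes in `pool` that overlap `prefix` (empty list if none)."""
    net = ipa.ip_network(prefix)
    return [str(p) for p in pool if net.overlaps(p)]


def lpm(table, dst):
    """Longest-prefix match of `dst` against {prefix: next_hop}."""
    addr = ipa.ip_address(dst)
    best = None
    for prefix, next_hop in table.items():
        net = ipa.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def isp_link_collides(vpc_prefix, isp_link):
    """The downside Eric names: an ISP-side 100.64 link that overlaps the VPC
    block would lose traffic to the local link instead of the tunnel."""
    return ipa.ip_network(vpc_prefix).overlaps(ipa.ip_network(isp_link))


def allocate_customer_blocks(pool, prefixlen, count):
    """Carve `count` per-customer NAT blocks of size /prefixlen from `pool`."""
    subnets = ipa.ip_network(pool).subnets(new_prefix=prefixlen)
    return [str(n) for n, _ in zip(subnets, range(count))]


if __name__ == "__main__":
    print("old VPC vs customer A:", overlaps_any(OLD_VPC_PREFIX, [ipa.ip_network(CUSTOMER_A_LAN)]))
    print("new VPC vs RFC1918:", overlaps_any(VPC_PREFIX, RFC1918))
    print("VPC host 100.64.5.10 ->", lpm(CUSTOMER_TABLE, "100.64.5.10"))
    print("ISP gateway 100.64.200.1 ->", lpm(CUSTOMER_TABLE, "100.64.200.1"))
    print("collision?", isp_link_collides(VPC_PREFIX, "100.64.200.0/22"))
    print("NAT blocks:", allocate_customer_blocks("100.127.0.0/24", 28, 3))
```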
Re: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment
Might be ill-advised since AWS uses it themselves for their internal networking. Just traceroute to any API endpoint from an EC2/VPC resource or instance. :)

On Mon, Feb 23, 2015 at 2:43 PM, Måns Nilsson mansa...@besserwisser.org wrote:

> Subject: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment
> Date: Mon, Feb 23, 2015 at 10:02:44AM -0500
> Quoting Eric Germann (ekgerm...@cctec.com):
>
>> Currently engaged on a project where they're building out a VPC infrastructure for hosted applications.
>> snip
>> Thoughts and thanks in advance.
>
> using the wasted /10 for this is pretty much equal to using RFC1918 space. IPv6 was invented to do this right.
>
> -- Måns Nilsson primary/secondary/besserwisser/machina MN-1334-RIPE +46 705 989668
> It's NO USE ... I've gone to CLUB MED!!
Re: Level 3 issues in Miami/West Palm Beach
In this case, it appeared to be a customer's edge router, not a core/backbone router...although those did seem to have rather high latency (400ms and higher in some cases) and high packet loss (about 18-20%).

On Tue, Jan 13, 2015 at 7:54 PM, Stephen Satchell l...@satchell.net wrote:

> On 01/13/2015 03:18 PM, valdis.kletni...@vt.edu wrote:
>
>> On Tue, 13 Jan 2015 16:52:49 -0600, Blair Trosper said:
>>
>>> All packets traveling through customer edges and routers in Miami/Daytona seem to be incurring *extraordinary* latency (4+ seconds) all of a sudden.
>>
>> I'm impressed that the routers have sufficient buffer memory to do that.
>
> That is what buffer bloat is all about -- too much queue and too little circuit.
Level 3 issues in Miami/West Palm Beach
All packets traveling through customer edges and routers in Miami/Daytona seem to be incurring *extraordinary* latency (4+ seconds) all of a sudden. Can someone contact me off list so I can throw you some traceroutes?
AWS Contact
Could someone from AWS contact me off-list.
GApps admin = rogered
Just a heads up to our friends at Google Apps. Despite the status page saying all is peachy: http://www.google.com/appsstatus#hl=env=status ...the administration page for any Google Apps for domains is totally rogered. It's either an endless redirect loop or a deluge of errors. I'd call for premium support, but I can't even see that. Again, a friendly heads up and nudge that perhaps the status page should at least be updated to reflect the fact that it's non-operational.
Re: [outages] GApps admin = rogered
Was not there at the time I sent the email. I was thorough in checking. 100% sure.

On Thu, Oct 9, 2014 at 6:22 PM, Mitch Patterson mitpatter...@gmail.com wrote:

> Shows an issue to me
>
> Time / Description
> 10/9/14 7:11 PM We're investigating reports of an issue with Admin console. We will provide more information shortly. Users are seeing the Admin console refresh continuously on loading.
>
> On Thu, Oct 9, 2014 at 7:07 PM, Blair Trosper via Outages outa...@outages.org wrote:
>
>> Just a heads up to our friends at Google Apps. Despite the status page saying all is peachy: http://www.google.com/appsstatus#hl=env=status ...the administration page for any Google Apps for domains is totally rogered. It's either an endless redirect loop or a deluge of errors. I'd call for premium support, but I can't even see that. Again, a friendly heads up and nudge that perhaps the status page should at least be updated to reflect the fact that it's non-operational.
>>
>> ___
>> Outages mailing list outa...@outages.org https://puck.nether.net/mailman/listinfo/outages
YouTube CDN down?
Suddenly having an inability to play YouTube videos over IPv4 and IPv6 from multiple ASNs in multiple locations in the United States. Tried multiple operating systems and browsers...all have the same issue. (The very few that do play stall out, even though they're buffered.) Is this just me, or is there an issue afoot?
Re: YouTube CDN down?
Watching in dev tools, the CDN is returning the dreaded HTTP header 204 (No Content), even though the entire video is buffering. This reminds me of an outage a while back that only affected IPv6.

I've confirmed with other users, and YouTube is dead to us from these networks:

- AS22645 (Texas Gigapop) - v4/v6
- AS19108 (Suddenlink) - v4
- AS40285 (Northland Cable) - v4/v6
- AS40244 (TurnKey) - v4/v6

It does seem to be regional. People in SC/NC who are presumably hitting the Charleston DC are unaffected.

On Mon, Sep 29, 2014 at 4:16 PM, Brandon Martin lists.na...@monmotha.net wrote:

> On 09/29/2014 05:12 PM, Blair Trosper wrote:
>
>> Suddenly having an inability to play YouTube videos over IPv4 and IPv6 from multiple ASNs in multiple locations in the United States. Tried multiple operating systems and browsers...all have the same issue. (The very few that do play stall out, even though they're buffered.) Is this just me, or is there an issue afoot?
>
> Seems to be working here over a HE.net IPv6 tunnel (Chicago endpoint).
>
> -- Brandon Martin
AWS Outage
Can someone from AWS contact me off-list? You have an entire availability zone completely offline at us-east-1 that hasn't been detected, and it's been down for 20 minutes.
YouTube contact? (IPv6 streaming broken)
Can someone from YouTube/Google give me a shout off list? The HTML5 player is getting a 204 No Content error when it sends the stream request via IPv6...but works fine on IPv4. Confirmed from multiple locations in the US.
Re: YouTube contact? (IPv6 streaming broken)
Specifically:

- 2001:4860:400b:c01::64 returns a 204
- 2607:f8b0:4002:10::8 is about 50/50 between a 204 and 200

On Thu, May 1, 2014 at 3:55 PM, Blair Trosper blair.tros...@gmail.com wrote:

> Can someone from YouTube/Google give me a shout off list? The HTML5 player is getting a 204 No Content error when it sends the stream request via IPv6...but works fine on IPv4. Confirmed from multiple locations in the US.
Comcast transit problems?
I'm being inundated with reports from Comcast customers in various markets about their inability to reach anything on AWS. For example, we have a few people in Atlanta that are all having this issue. What's more, they're having weird issues reaching things like Twitter or RingCentral (while other sites like Google and CNN work fine). (RingCentral's support department apparently knows about this and is telling their customers that use Comcast that they're aware of the issue but don't know what's going on at the present time.) Calls to the Comcast customer support just yield the everything's fine, you're crazy response from the staff. Can anyone from Comcast give me some help (or information) off list? -bt
Re: Comcast transit problems?
At least it's not a Friday or a holiday. :)

On Tue, Apr 22, 2014 at 9:19 AM, John Neiberger jneiber...@gmail.com wrote:

> Yep, that does seem to be the problem.
>
> John
>
> On Apr 22, 2014 8:17 AM, Joshua McDonald j...@2cold.net wrote:
>
>> Not sure what the connectivity is between Comcast and AWS, but Level3 is having issues in Atlanta.
>>
>> Sent from my iPhone
>>
>> On Apr 22, 2014, at 10:07, Blair Trosper blair.tros...@gmail.com wrote:
>>
>>> I'm being inundated with reports from Comcast customers in various markets about their inability to reach anything on AWS. For example, we have a few people in Atlanta that are all having this issue. What's more, they're having weird issues reaching things like Twitter or RingCentral (while other sites like Google and CNN work fine). (RingCentral's support department apparently knows about this and is telling their customers that use Comcast that they're aware of the issue but don't know what's going on at the present time.) Calls to the Comcast customer support just yield the everything's fine, you're crazy response from the staff. Can anyone from Comcast give me some help (or information) off list?
>>>
>>> -bt
Amazon network contact
Could someone from Amazon Web Services contact me off list? You appear to be having connectivity problems on the private network (10.0.0.0/8) at US-EAST-1 between two or more zones, causing dozens of alarms and failures over the last 2-3 hours...however, there is no notation on the status page or any hint whatsoever of the problem. (The alarms are coming from the instance checks on the instances...which is the network...not the status checks...which would be the instance's health inside the PVM virtualization.)
Re: gmail.com - 550 error for ipv6/PTR ?
FWIW I do know there was a MASSIVE failure last night around 0800 UTC with Google's DNS system, and it caused their routing to not only go bat shit insane, but also for the edge nodes that serve their content to return largely 503 errors (service unavailable) for several hours. It wasn't until a few hours ago that the BGP table stabilized. It was a horrific mess last night...not sure if perhaps there's still problems unresolved from that same incident.

On Tue, Jan 14, 2014 at 7:51 PM, Ted Cooper ml-nanog0903...@elcsplace.com wrote:

> On 15/01/14 10:06, Brandon Applegate wrote:
>
>> Off-list replies are fine to minimize noise, and if there is an answer or any meaningful correlation I will reply on-list. Thanks in advance for any info/feedback.
>
> I have been running into these a lot also and have so far concluded that it is an error within Google. The PTR/, SPF and DKIM are all matched up and tested as working. It is also occurring on domains using google apps to handle their email so it is platform wide. All of the emails are personal emails, but coming from multiple domains/senders.
>
> The exact same email will be rejected when sent to any google IPv6 server for minutes/hours, but 3-4 hours later it will be accepted without error. The fact that it is being hard rejected is really quite annoying and generating a lot more support work.
>
> Unfortunately, my only fix at present is to turn off IPv6 delivery for all google hosted domains as I encounter them. It would be really nice if it was fixed.
>
> My theory is that they are failing PTR lookups.
Re: gmail.com - 550 error for ipv6/PTR ?
Possibly related, a lot of 503 errors are starting to show up in the javascript served by Google inside Gmail...reminds me of the issue in the early morning hours (US time)...very similar to what I'm starting to see on the front end.

I've not had any IPv6 emails bounce, but I do have some that are MIA from Google Apps. They were sent from one GApps domain to another, but they haven't materialized on the other end...but they also haven't bounced back to me. As a matter of curiosity, I also sent my personal Gmail account email over v6, and it's doing the same thing...either it's delayed or it's going to bounce.

The front-end of Gmail is starting to behave weirdly, as well, spitting out bizarre errors like technical code: undefined, and saying it wasn't able to send a message, but the message going through. There's a fair amount of chatter about this on Twitter, so I know it's not just me. It also thinks it's offline in one tab, when an account in another is perfectly fine.

Maybe a DC somewhere is having trouble again?

On Tue, Jan 14, 2014 at 8:10 PM, Christopher Morrow morrowc.li...@gmail.com wrote:

> On Tue, Jan 14, 2014 at 8:51 PM, Ted Cooper ml-nanog0903...@elcsplace.com wrote:
>
>> On 15/01/14 10:06, Brandon Applegate wrote:
>>
>>> Off-list replies are fine to minimize noise, and if there is an answer or any meaningful correlation I will reply on-list. Thanks in advance for any info/feedback.
>
> brandon, I didn't get your original... but could you ping me off-list and maybe I can get some data about what it is you're seeing? :)
>
>> I have been running into these a lot also and have so far concluded that it is an error within Google. The PTR/, SPF and DKIM are all matched up and tested as working. It is also occurring on domains using google apps to handle their email so it is platform wide. All of the emails are personal emails, but coming from multiple domains/senders.
>>
>> The exact same email will be rejected when sent to any google IPv6 server for minutes/hours, but 3-4 hours later it will be accepted without error. The fact that it is being hard rejected is really quite annoying and generating a lot more support work.
>>
>> Unfortunately, my only fix at present is to turn off IPv6 delivery for all google hosted domains as I encounter them. It would be really nice if it was fixed.
>>
>> My theory is that they are failing PTR lookups.
Google GCE
Can someone from GCE contact me off list? Your service is a big pile of 503s from multiple locations and from multiple servers. The console is inoperable and instances are unreachable. I'm getting sent across the country to a VIP in LAX. A friend in California is getting a VIP in Hong Kong. You're having issues but it doesn't seem to have been detected.
Amazon help
Can someone from AWS/Amazon netops contact me off-list for help with an issue?
Re: NSA able to compromise Cisco, Juniper, Huawei switches
I'm torn on this. On one hand, it seems sinister. On the other, it's not only what the NSA is tasked with doing, but it's what you'd EXPECT them to be doing in the role as the NSA. I'm not saying it's right or wrong...it creeps me out a little, though...but these are the kinds of things we have demanded that they do (via our elected representatives).

More to the point, I really doubt the NSA has any interest whatsoever in my Facebook or Twitter account. It's probably a means to an end...a transitory stop on their way to propagating more widely. They need regular folks to propagate, but in reality, they likely have zero interest in our actual accounts at the end of the day. I think of it a bit like a virus with a slightly less hysterical outcome/plan.

On Mon, Dec 30, 2013 at 10:33 PM, Dobbins, Roland rdobb...@arbor.net wrote:

> On Dec 31, 2013, at 11:06 AM, [AP] NANOG na...@armoredpackets.com wrote:
>
>> Then looking at things from the evil side though, if they owned the system which provides the signing then they could sign virtually anything they wish.
>
> Or if they owned *people* with the right level of access to do so, or if there were implementation bugs which could be utilized to bypass or obviate the signing . . .
>
> None of the alleged capabilities described in the purported documents is really standalone; they all rely upon other methods/mechanisms in order to provide the required foundation to accomplish their stated goals.
>
>> I think we need to watch and listen/read over the coming weeks and months before we go assuming we have it figured out.
>
> This is the most pertinent and insightful comment made in this thread.
>
> --- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
> Luck is the residue of opportunity and design. -- John Milton
Re: NSA able to compromise Cisco, Juniper, Huawei switches
To supplement and amend what I said: These are the KINDS of things we want the NSA to do; however, the institutional oversight necessary to make sure it's Constitutional, warranted, and kept in bounds is woefully lacking (if any exists at all). Even FISA is unsatisfactory.

At any rate, I agree that the current disposition of the NSA (or, at least, what's been leaking the last few months) is simply unacceptable and cannot be allowed. I say that last part from the perspective of a US citizen, though I'd imagine most people of other nationalities would agree with me, but probably for different reasons.

On Mon, Dec 30, 2013 at 11:08 PM, Jimmy Hess mysi...@gmail.com wrote:

> On Mon, Dec 30, 2013 at 10:41 PM, Blair Trosper blair.tros...@gmail.com wrote:
>
>> I'm torn on this. On one hand, it seems sinister. On the other, it's not only what the NSA is tasked with doing, but it's what you'd EXPECT them to be doing in the role as the NSA.
>
> [snip]
>
> The NSA's role is not supposed to include subterfuge and undermining the integrity or security of domestic enterprise infrastructure
>
> With any luck, we'll hopefully find absolutely nothing, or that it was targeted backdooring against specific targets only.
>
> And people have a need to know that the security agencies haven't left a trail of artificially inserted bugs and backdoors in common IT equipment providing critical infrastructures services, and that the agencies haven't prepared a collection of instant-root 0days, that are no more protected than the agencies' other poorly guarded secrets.
>
> There would be a risk that any 'backdoors' are ready to be exploited by other unintended nefarious actors! Because the NSA are apparently great at prepping the flammables and setting fires, but totally incapable of keeping the fires contained, once they (or someone else) lights it.
>
> It is not the least bit necessary for the NSA itself to be a nefarious actor exploiting things or even complicit; for the mere presence of any backdoor or surreptitious code to eventually have the potential for serious damage.
>
> It could well be a rogue ex-employee of the NSA, such as Snowden, or others, that happened to be aware of technical details, hackers, or members of a foreign nation state, who will just happen to have the time and energy to track down open doors waiting for the taking, AND figure out how to abuse them for evil purposes.
>
> There are enough potential 0day risks, without intentional ones, waiting for bad guys to co-opt!
>
> -- -JH
ipv6 and geolocation
Everyone loves IPv6, and it's a fantastic technology. However, I've been pondering a few quirks of v6, including the low priority of PTR, but I have a question I want to throw out there: Do you think IPv6 geolocation (GeoIP) will ever be viable? If so, when do you think this will happen? If not, what's the superseding solution? (The W3C location technology fails miserably for me 100% of the time even on IPv4).

Two of the big four GeoIP providers don't even catalog IPv6, and the other two's IPv6 database is unremarkable and usually only has the country. (Or, in my case, a block that's clearly in the United States is deemed as simply (somewhere in) Asia.)

What I'm getting at is: IPv6 geolocation is presently rather hopeless and useless.

Eager to hear thoughts from my fellow network thinkers!

- Blair
Re: ipv6 and geolocation
I meant that PTR isn't a priority for ISPs. A la Comcast's rollout of IPv6 lacks PTR, as does Google in general for v4 and v6 (even though they have it internally).

On Tue, Oct 22, 2013 at 2:21 PM, Joe Abley jab...@hopcount.ca wrote:

> On 2013-10-22, at 15:16, Blair Trosper blair.tros...@gmail.com wrote:
>
>> Everyone loves IPv6, and it's a fantastic technology. However, I've been pondering a few quirks of v6, including the low priority of PTR,
>
> Not sure what that means, but...
>
>> but I have a question I want to throw out there: Do you think IPv6 geolocation (GeoIP) will ever be viable?
>
> To me it seems like an easier problem to solve than IPv4. There's no historical assignment swamp. Subnets are of fixed size. Many/most organisations who receive a direct assignment will never need a second.
>
>> If so, when do you think this will happen?
>
> As soon as enough people using geo-located services start doing so over v6.
>
> Joe
Re: comcast ipv6 PTR
That gets to the core of the original question. I figured there must be a reason for the conscious omission. However, I've noticed also that Comcast hasn't bothered to give PTR to their routers, either. I think that's a horse of a different color. Leaving out PTR on the last hop for the residential customer? Sure. Leaving out v6 PTR on your core/backbone/edge routers? Surely that's not acceptable...

On Mon, Oct 14, 2013 at 9:47 PM, John Levine jo...@iecc.com wrote:

>> Is there any reason other than email where clients might demand RDNS?
>
> There's a few other protocols that want rDNS on the servers. IRC maybe.
>
> Doing rDNS on random hosts in IPv6 would be very hard. Servers are configured with static addresses which you can put in the DNS and rDNS, but normal user machines do SLAAC where the low 64 bits of the address are quasi-random. To get any sort of DNS you'd need for the routers to watch when new hosts come on line and somehow tell the relevant DNS servers what hosts need names. This would be a lot of work, so nobody does it.
>
> R's, John
google / massive problems
Can someone from Google Drive or Gmail contact me off-list? The sign in services and applications are outright down trying to use them in Chrome. Trying to contact enterprise support via several numbers just results in an immediate disconnect. The App Status page shows no problem, but Twitter and Facebook are blowing up with trouble reports, and I have tons of technical status codes to share, but no one with whom to share them. Thanks, Blair
Re: google / massive problems
This is the delight I'm faced with, but seems to be affecting the latest version of Chrome, both on Win7 and MacBook Pro (OS X 10.8.5)...again, confined to Chrome (image attached). Emails won't send, drafts won't save, and no apps will load without an error. Sign-in also fails with numeric code 5.

I'm in Dallas, but I've also tried over VPN from endpoints in Atlanta, New York, Los Angeles, Seattle, Amsterdam, Singapore, and London with no change.

On Wed, Oct 9, 2013 at 11:25 AM, Jake Mertel j...@nobistech.net wrote:

> No issues from my site routing over AboveNet and using Google Apps for Business -- Drive and Gmail working as expected.
>
> On Wednesday, October 9, 2013, Blair Trosper wrote:
>
>> Can someone from Google Drive or Gmail contact me off-list? The sign in services and applications are outright down trying to use them in Chrome. Trying to contact enterprise support via several numbers just results in an immediate disconnect. The App Status page shows no problem, but Twitter and Facebook are blowing up with trouble reports, and I have tons of technical status codes to share, but no one with whom to share them.
>>
>> Thanks,
>> Blair
>
> -- Regards, Jake Mertel
> Nobis Technology Group, LLC
> Web: http://www.nobistech.net
> Phone: 1-480-212-1710
> Mail: 6930 East Chauncey Lane, Suite 150, Phoenix, AZ 85054

attachment: gdrive_chrome_win7.png
comcast ipv6 PTR
Does anyone know why (or can someone from Comcast explain why) there is no PTR on their residential/business IPv6 addresses?
Re: comcast ipv6 PTR
That's essentially what I'm getting at. If the v6 addresses/blocks are allocated in a similar fashion to IPv4, where the octets are clearly named by state and hsd1, then I don't see why they should lack PTR. However, even if they're not assigned or delegated in that way, it'd be helpful to have SOME form of PTR on there. Otherwise, they'd be a lot like Google, leaving the traceroute and end-point PTR left up to our imagination (even though it's available internally to Google employees). I understand why Google lacks PTR to some extent with anycast and the mobility of their v4 addresses, but I suspect that Comcast isn't doing anything that sophisticated.

On Wed, Oct 9, 2013 at 11:47 AM, Robert Webb rw...@ropeguru.com wrote:

> On Wed, 9 Oct 2013 11:41:50 -0500 Chris Adams c...@cmadams.net wrote:
>
>> Once upon a time, Blair Trosper blair.tros...@gmail.com said:
>>
>>> Does anyone know why (or can someone from Comcast explain why) there is no PTR on their residential/business IPv6 addresses?
>>
>> I believe business customers (with a static assignment) can request reverse DNS entries. Residential customers are not guaranteed a static assignment, so they can't get reverse set.
>>
>> -- Chris Adams c...@cmadams.net
>
> But how would they differ from the IPv4 address space which has PTR records for all their IP's? Just the sheer number they would have to deal with in the IPv6 space?
>
> Robert
Re: comcast ipv6 PTR
True, but the location information, at least the state, is quasi-helpful. You may be right about PTR being a mistake, but I guess my mind approaches it from a practical, quasi-GeoIP approach. IPv6 seems to be somewhat chaotic in that realm. Plus, with web applications and services, accurate GeoIP has implications for security.

On Wed, Oct 9, 2013 at 11:49 AM, Chris Adams c...@cmadams.net wrote:

> Once upon a time, Robert Webb rw...@ropeguru.com said:
>
>> But how would they differ from the IPv4 address space which has PTR records for all their IP's? Just the sheer number they would have to deal with in the IPv6 space?
>
> Oh, are you looking for auto-generated reverse for every address? That's not going to happen for IPv6 (and it turns out that it wasn't really a good idea for IPv4). There's no reason to have reverse DNS unless it has meaning, and 12-34-56-78.rev.domain.net isn't really all that useful.
>
> -- Chris Adams c...@cmadams.net
Facebook over IPv6
Could someone @ Facebook kindly drop me a line? Your site appears to be riddled with problems on the IPv6 side (whereas it's demonstrably fine on v4). Much of the static JavaScript content being served off your IPv6 CDN is corrupt, missing, or perhaps just outdated. It's preventing the page from doing anything but rendering...it has no interactivity. It's been this way about 24 hours now. Blair
google troubles?
Seeing lots of reports of people unable to get to many Google services. Seems to be affecting Comcast users disproportionately. It's fine for me, but a lot of my staff are basically out of luck...but according to the Google Apps Status page, everything is fine. It's anecdotal, but it would seem like there's an issue based on these reports. Oh, and this: http://www.cnn.com/2013/07/10/tech/web/google-down/index.html Anyone know what's up? Fiber cut? DC outages? -- blair
google mail problems?
Our entire organization and three of my other accounts are getting this pop-up when sending a message:

Oops... a server error occurred and your email was not sent. (#793)

But, as usual, everything is totally fine according to the GApps status page: http://www.google.com/appsstatus#hl=env=statusts=1372272841152

--
Blair Trosper
Weather Data / Updraft Networks
blair.tros...@updraftnetworks.com
blair.tros...@updraft.us
NOC: 512-666-0536
Google Public DNS Problems?
Is anyone else seeing this? From Santa Clara, CA, on Comcast Business...I'm getting SERVFAIL for any query I throw at 8.8.8.8 and 8.8.4.4... Level 3's own public resolvers are fine for me, as are OpenDNS's resolvers. Blair
Re: Google Public DNS Problems?
That's all well and good, but I certainly wouldn't expect nslookup gmail.com or for nslookup google.com to return SERVFAIL

On Wed, May 1, 2013 at 9:34 AM, Joe Abley jab...@hopcount.ca wrote:

> On 2013-05-01, at 12:09, Blair Trosper blair.tros...@gmail.com wrote:
>
>> Is anyone else seeing this? From Santa Clara, CA, on Comcast Business...I'm getting SERVFAIL for any query I throw at 8.8.8.8 and 8.8.4.4... Level 3's own public resolvers are fine for me, as are OpenDNS's resolvers.
>
> Google just turned on validation across the whole of 8.8.8.8 and 8.8.4.4. The expected behaviour in the case where a response does not validate is to return SERVFAIL to the client.
>
> You could check that the queries you are sending are not suffering from poor signing hygiene (e.g. use the handy-dandy dnsviz.net visualisation).
>
> If this is a repeatable, consistent problem even for unsigned zones (or for zones that you've verified are signed correctly) and especially if it's widespread you might want to call google on the nanog courtesy phone and have them look for collateral damage from their recent foray into 8.8.8.8 validation. Raw output from dig/drill and traceroutes to 8.8.8.8/8.8.4.4 are highly recommended if you need to take this further.
>
> Joe
Re: Google Public DNS Problems?
Goes all the way up to the A root server before failing spectacularly.

Europa:~ blair$ dig +cd @8.8.8.8 google.com A

; DiG 9.8.3-P1 +cd @8.8.8.8 google.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: SERVFAIL, id: 47332
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN A

;; AUTHORITY SECTION:
. 467 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2013050100 1800 900 604800 86400

;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed May 1 10:05:46 2013
;; MSG SIZE rcvd: 104

On Wed, May 1, 2013 at 9:58 AM, Casey Deccio ca...@deccio.net wrote:

> On Wed, May 1, 2013 at 9:38 AM, Blair Trosper blair.tros...@gmail.com wrote:
>
>> That's all well and good, but I certainly wouldn't expect nslookup gmail.com or for nslookup google.com to return SERVFAIL
>
> If you set the CD (checking disabled) in the request, a response that would normally be SERVFAIL due to DNSSEC validation failure will return with the non-authenticated answer. With dig the flag to add is +cd. I don't know if there's an equivalent for nslookup.
>
> For example:
>
> dig +cd @8.8.8.8 google.com
>
> Casey
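The distinction Joe and Casey draw above (a validating resolver answers SERVFAIL on validation failure, but hands back the unvalidated data when the query carries the CD bit) lives in the 16-bit flags word of the DNS header. The following is an added example, not code from the thread: it builds the header `dig +cd` sends, and decodes a reply header constructed from the fields in the dig output above (id 47332, flags qr rd ra cd, status SERVFAIL) to tell a validation failure apart from a SERVFAIL that CD did not cure.

```python
"""Added example (not from the thread): DNS header flags as used by `dig +cd`.
Handles only the 12-byte header plus a one-question section (RFC 1035, RFC 4035)."""
import struct

# Header flag bits: QR (response), RD (recursion desired), RA (recursion
# available), AD (authentic data), CD (checking disabled).
QR, RD, RA, AD, CD = 1 << 15, 1 << 8, 1 << 7, 1 << 5, 1 << 4
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def make_header(txid, flags, qd=1, an=0, ns=0, ar=0):
    return struct.pack("!HHHHHH", txid, flags, qd, an, ns, ar)


def build_query(qname, qtype=1, txid=0x1234, checking_disabled=False):
    """Build a recursive query; checking_disabled=True is what `dig +cd` does."""
    flags = RD | (CD if checking_disabled else 0)
    return make_header(txid, flags) + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    """Decode the fields dig prints in its HEADER and flags lines."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {
        "id": txid,
        "qr": bool(flags & QR), "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": rcode, "status": RCODES.get(rcode, str(rcode)),
        "answer": an, "authority": ns,
    }


def classify(reply):
    """Interpret a reply the way the thread does: SERVFAIL without CD may be
    DNSSEC validation; SERVFAIL that persists with CD set is something else."""
    h = parse_header(reply)
    if h["status"] != "SERVFAIL":
        return h["status"]
    if not h["cd"]:
        return "SERVFAIL, CD clear: may be a DNSSEC validation failure; retry with CD set"
    return "SERVFAIL with CD set: not explained by validation; check the query path"


# Constructed reply header matching the dig output quoted in the thread:
# id 47332, flags qr rd ra cd, status SERVFAIL, 1 question, 1 authority record.
SERVFAIL_REPLY = make_header(47332, QR | RD | RA | CD | 2, qd=1, ns=1)

if __name__ == "__main__":
    print(build_query("google.com", checking_disabled=True).hex())
    print(parse_header(SERVFAIL_REPLY))
    print(classify(SERVFAIL_REPLY))
```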
Re: Google Public DNS Problems?
8.8.4.4 is now replying SERVFAIL whereas 8.8.8.8 is suddenly working fine again...

On Wed, May 1, 2013 at 10:07 AM, Blair Trosper blair.tros...@gmail.com wrote:

> Goes all the way up to the A root server before failing spectacularly.
>
> Europa:~ blair$ dig +cd @8.8.8.8 google.com A
>
> ; DiG 9.8.3-P1 +cd @8.8.8.8 google.com A
> ; (1 server found)
> ;; global options: +cmd
> ;; Got answer:
> ;; -HEADER- opcode: QUERY, status: SERVFAIL, id: 47332
> ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
>
> ;; QUESTION SECTION:
> ;google.com. IN A
>
> ;; AUTHORITY SECTION:
> . 467 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2013050100 1800 900 604800 86400
>
> ;; Query time: 46 msec
> ;; SERVER: 8.8.8.8#53(8.8.8.8)
> ;; WHEN: Wed May 1 10:05:46 2013
> ;; MSG SIZE rcvd: 104
>
> On Wed, May 1, 2013 at 9:58 AM, Casey Deccio ca...@deccio.net wrote:
>
>> On Wed, May 1, 2013 at 9:38 AM, Blair Trosper blair.tros...@gmail.com wrote:
>>
>>> That's all well and good, but I certainly wouldn't expect nslookup gmail.com or for nslookup google.com to return SERVFAIL
>>
>> If you set the CD (checking disabled) in the request, a response that would normally be SERVFAIL due to DNSSEC validation failure will return with the non-authenticated answer. With dig the flag to add is +cd. I don't know if there's an equivalent for nslookup.
>>
>> For example:
>>
>> dig +cd @8.8.8.8 google.com
>>
>> Casey
Re: Google Public DNS Problems?
Traceroute is getting the right place and 8.8.8.8 is working, though :)

On Wed, May 1, 2013 at 11:23 AM, Jared Mauch ja...@puck.nether.net wrote:

> On May 1, 2013, at 1:39 PM, Tony Finch d...@dotat.at wrote:
>
>> Blair Trosper blair.tros...@gmail.com wrote:
>>
>>> Goes all the way up to the A root server before failing spectacularly.
>>
>> That is an extremely weird response. Are you sure your queries are not being intercepted by a middlebox? What happens if you use dig +vc ? Do you get a similar round-trip time when pinging 8.8.8.8 to the one reported by dig?
>
> Some places like Wayport/attwifi intercept all udp/53 traffic and direct it to their local server. You won't notice this with a ping, but you will see it in the 0 or 1ms reply :)
>
> - Jared
Google public DNS flapping/non-functional
Could someone from Google contact me off list to discuss the public resolvers? I'm getting NXDOMAIN and then a proper response literally one second later. And from there it's just 20 GOTO 10...the resolver seems to be having a psychotic episode, or...at the very least...an identity crisis. Other public resolver services have no issue with this, but the problem seems to be affected by anything I throw at either 8.8.8.8 or 8.8.4.4 to resolve. (The IPv6 public resolvers are doing the same thing, I should point out.) I understand that those ingress addresses are any/multicast, so perhaps the problem I'm having is confined to a single datacenter in my region...and thus may not be affecting people outside of that DC.

Thanks,
Blair
Google Public DNS having issues.
...seems to be having trouble as reported by Systems Watch: https://twitter.com/systemswatch/status/299572918936039424

Indeed, it's inaccessible to me from Minneapolis, Tampa, SJC, and Seattle...both 8.8.8.8 and 8.8.4.4. I know it's anycast, so I'm not sure which DCs are affected...

Blair
Comcast Business / Miami, FL
Can someone from Comcast contact me off list to help diagnose a business class issue to do with the Comcast AS and peering to cloud services and outrageously high latency confined to a few adjacent ASes?
Re: Cogent outage?
We've seen BGP resets on our servers in Tampa...with Cogent no longer being the preferred route for outgoing traffic. The preferred path from our DC is now through Hurricane (AS6939).

Blair Trosper
Updraft Networks
LEARN (North Texas GigaPOP)

On Thu, Dec 6, 2012 at 3:09 PM, Michael Bubb <michael.b...@gmail.com> wrote:

We got a notice from Internap a few hours ago:

At approximately 12:10 EST Internap shut down the BGP session with Cogent as we were seeing widespread packet loss issues through their network out of our New York (NYM) PNAP. We are contacting Cogent to see if they are aware of what the issue is. They have not as yet updated this yrs

Michael

--
Michael Bubb
+1.646.783.8769
https://www.google.com/profiles/michael.bubb

The first principle is that you must not fool yourself--and you are the easiest person to fool. - Richard Feynman

All things are a flowing, Sage Heraclitus says; But a tawdry cheapness Shall reign throughout our days. - Pound
Re: Big day for IPv6 - 1% native penetration
I've found myself becoming a snob about IPv6. I almost look down on IPv4-only networks in the same way that I won't go see a film that isn't projected on DLP unless my arm is twisted. I'm a convert, and I'm glad to see the adoption rate edging up.

However, I still scratch my head on why most major US ISPs *have* robust IPv6 peering and infrastructure and are ready to go, but they have not turned it on for their fiber/cable/DSL customers for reasons that are not clear to me. I keep pestering my home ISP about turning it on (since their network is now 100% DOCSIS 3), but they just seem to think I'm making up words.

One can hope, though.

Blair

On Tue, Nov 20, 2012 at 11:53 AM, TJ <trej...@gmail.com> wrote:

On Tue, 20 Nov 2012 10:14:18 +0100 Tomas Podermanski <tpo...@cis.vutbr.cz> wrote:

It seems that today is a big day for IPv6. It is the very first time when native IPv6 on google statistics (http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some might say it is tremendous success after 16 years of deploying IPv6 :-)

Funny enough, the peaks are indicating... week-ends! Do people use more google during the WE, or do they have more IPv6 @ home?

Purely anecdotally, I can say: Yes. At least in my case I have native IPv6 at home and via my mobile devices, but not at my client sites.

*Sidenote: That's why I am at those client sites, helping 'fix' that. ;) ... *

/TJ
Google burp
I guess I'll be the one to ask...what's going on over at Google? Service interruptions and front-end errors all over the place across what appears to be all services, though Gmail seems to have bounced back up. Google's service disruption is about to bring Twitter's service to its knees as people complain and try to figure out what's going on.

Blair Trosper
Updraft Networks
The North Texas GigaPOP
Re: Google burp
I was editorializing the quantity of tweets about the Google outage more so than the quality of service of Twitter. :) Apologies.

On Wed, Oct 31, 2012 at 5:01 PM, John Adams <j...@retina.net> wrote:

Hey now, we're doing fine over here at Twitter. :P

-j

On Wed, Oct 31, 2012 at 2:55 PM, Blair Trosper <blair.tros...@updraftnetworks.com> wrote:

I guess I'll be the one to ask...what's going on over at Google? Service interruptions and front-end errors all over the place across what appears to be all services, though Gmail seems to have bounced back up. Google's service disruption is about to bring Twitter's service to its knees as people complain and try to figure out what's going on.

Blair Trosper
Updraft Networks
The North Texas GigaPOP
Google PTR?
I'm sure I'm bringing up a topic that's been brought up before, but I figured I'd have a go. Anyone from Google around that could answer why there is no reverse DNS/PTR with most Google IP addresses (from traceroute, etc)? Alternatively, is there a server that can be utilized by the net operators community to at least get an answer on some of the IPs? It's very frustrating to contend with no PTR records in traces for troubleshooting and the like.

Any information (off list or on) would be greatly appreciated.

Thanks,
Blair Trosper
Updraft Networks
North Texas GigaPOP
Re: The Department of Work and Pensions, UK has an entire /8
Not to mention Ford Motor Company has 19.0.0.0/8, and there are no announcements for it whatsoever. There are other /8s like it...lots of them early allocations. Why ARIN doesn't revoke them is frankly baffling to me.

On Tue, Sep 18, 2012 at 10:27 PM, Randy Bush <ra...@psg.com> wrote:

When IPv4 exhaustion pain reaches a sufficiently high level of pain; there is a significant chance people will be convinced that any use of IPv4 which does not involve announcing and routing the address space on the internet is a Non-Use of IPv4 addresses, and that that particular point of view will prevail over the concept and convenience of being allowed to maintain unique registration for non-connected usage. And perception that those addresses are up for grabs, either for using on RFC1918 networks for NAT, or for insisting that internet registry allocations be recalled and those resources put towards use by connected networks.. If you do have such an unconnected network, it may be prudent to have a connected network as well, and announce all your space anyways (just not route the addresses)

this is the arin vigilante cultural view of the world. luckily, the disease does not propagate sufficiently to cross oceans.

randy
Re: above.net issues
I've been seeing it all day from inside AS19108...in direct connection to a (huge frustration and) disruption of service from my end to AWS/EC2.

On Tue, Sep 11, 2012 at 1:20 PM, Joe Williams <williams@gmail.com> wrote:

Oops, this was intended for the outages list but I suppose this list works too.

--
Name: Joseph A. Williams
Email: williams@gmail.com

On Tuesday, September 11, 2012 at 11:18 AM, Joe Williams wrote:

Anyone experiencing packet loss on abovenet (to/from Ashburn)? We first got a round of packet loss around 8:45 PDT and then again just a few minutes ago.

Thanks.
-Joe

--
Name: Joseph A. Williams
Email: williams@gmail.com