Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Blair Trosper
Right, but I think we know what Netflix is implying when they say "proxy
unblocker" or "VPN" -- they mean people are deliberately going around
GeoIP.  In this case, I don't know anyone who uses TunnelBroker that way.
They're using it for V6.  That is to say, everyone I know with this issue
could simply solve it by disabling IPv6 (and TunnelBroker) -- meaning
they're already in the US (or $region) -- and the IPv6 detection on the
CDN/web is what's wrong.

I think I will go further here and say that the message sort of implies the
user is acting in bad faith, which may raise some animosity towards Netflix.

On Mon, Jun 6, 2016 at 8:25 PM, Spencer Ryan <sr...@arbor.net> wrote:

> The tunnelbroker service acts exactly like a VPN. It allows you, from any
> arbitrary location in the world with an IPv4 address, to bring traffic out
> via one of HE's 4 POP's, while completely masking your actual location.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Mon, Jun 6, 2016 at 11:22 PM, Blair Trosper <blair.tros...@gmail.com>
> wrote:
>
>> It should be pointed out that -- the SPECIFIC accusation from Netflix --
>> is
>> that people on TunnelBroker are on a VPN or proxy unblocker.
>>
>> The data does not bear that out.  Hash tag just saying.
>>
>> 
>>
>> On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam <jfb...@gmail.com> wrote:
>>
>> > On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews <ma...@isc.org> wrote:
>> >
>> >> What lie?  Truly who is lying here.  Not the end user.  Not HE.  There
>> is
>> >> no requirement to report physical location.
>> >>
>> >
>> > The general lie that is IP Geolocation. HE only has what I tell them
>> (100%
>> > unverified), and what MaxMind (et.al.) tell them (~95% unverified.)
>> They
>> > know my IPv4 endpoint address, but that doesn't give them a concrete
>> street
>> > address -- they're guessing in exactly the same way everyone else does.
>> And
>> > more to the point, HE doesn't share that information with anyone.
>> (whois is
>> > populated with your account information. they don't ask where your
>> tunnels
>> > are going.)
>> >
>> > Are they legally required to go to this level?
>> >>
>> >
>> > Possibly, but Netflix isn't going to push this. Win or Lose, they still
>> > lose distribution rights.
>> >
>> > Netflix (and their licensees) know people are using HE tunnels to get
>> >>> around region restrictions. Their hands are tied; they have to show
>> >>> they're doing something to limit this.
>> >>>
>> >>
>> >> No, they do not know.  The purpose of HE tunnels is to get IPv6
>> service.
>> >> The fact that the endpoints are in different countries some of the time
>> >> is incidental to that.
>> >>
>> >
>> > YES. THEY. DO. There have been entire COMPANIES doing this. (which is
>> > likely what sparked this level of response.) Neither HE nor Netflix are
>> > naming names, but a short walk through the more colorful parts of the
>> > internet should be enlightening.
>> >
>> > Garbage.  You have to establish the tunnel which requires registering
>> >> an account.  It also requires a machine at the other end.  Virtual
>> >> or physical they don't move around the world in a DDNS update. The
>> >> addresses associated with a tunnel don't change for the life of
>> >> that tunnel.
>> >>
>> >
>> > True. 'tho, you can list any nonsense address you want. They do nothing
>> to
>> > validate it. (Use my favorite BS address: Independence MT -- pop: zero.
>> > It's a dirt road across a mountain in the middle of absolutely nowhere.
>> > Google it!)
>> >
>> > The tunnel endpoint (your IPv4 address) is known only to HE, and not
>> > exposed to ANYONE. That's not going to EVER change. Once your tunnel has
>> > been set up, that address ("Client IPv4 Address") is not set in stone.
>> > People have dynamic addresses, and HE recognizes this, so there are
>> > numerous methods to change the tunnel endpoint address. (tunnel
>> > configuration page, update through an http(s) request, etc.) THUS, a
>> tunnel
>> > can move; it can be terminated anywhere, at anytime. Not only can one
>> > update the endpoint to a different address on the same box, but to a
>> > completely different box entirely.
>> >
>> > Furthermore, one account can have several tunnels through different
>> > servers that present addresses from different regions. Where I appear
>> to be
>> > in the world, thus, depends on which tunnel I have enabled. (and in
>> which
>> > countries HE has prefixes, which currently appears to be 4)
>> >
>>
>
>


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Blair Trosper
It should be pointed out that -- the SPECIFIC accusation from Netflix -- is
that people on TunnelBroker are on a VPN or proxy unblocker.

The data does not bear that out.  Hash tag just saying.



On Mon, Jun 6, 2016 at 7:53 PM, Ricky Beam  wrote:

> On Mon, 06 Jun 2016 19:41:14 -0400, Mark Andrews  wrote:
>
>> What lie?  Truly who is lying here.  Not the end user.  Not HE.  There is
>> no requirement to report physical location.
>>
>
> The general lie that is IP Geolocation. HE only has what I tell them (100%
> unverified), and what MaxMind (et.al.) tell them (~95% unverified.) They
> know my IPv4 endpoint address, but that doesn't give them a concrete street
> address -- they're guessing in exactly the same way everyone else does. And
> more to the point, HE doesn't share that information with anyone. (whois is
> populated with your account information. they don't ask where your tunnels
> are going.)
>
> Are they legally required to go to this level?
>>
>
> Possibly, but Netflix isn't going to push this. Win or Lose, they still
> lose distribution rights.
>
> Netflix (and their licensees) know people are using HE tunnels to get
>>> around region restrictions. Their hands are tied; they have to show
>>> they're doing something to limit this.
>>>
>>
>> No, they do not know.  The purpose of HE tunnels is to get IPv6 service.
>> The fact that the endpoints are in different countries some of the time
>> is incidental to that.
>>
>
> YES. THEY. DO. There have been entire COMPANIES doing this. (which is
> likely what sparked this level of response.) Neither HE nor Netflix are
> naming names, but a short walk through the more colorful parts of the
> internet should be enlightening.
>
> Garbage.  You have to establish the tunnel which requires registering
>> an account.  It also requires a machine at the other end.  Virtual
>> or physical they don't move around the world in a DDNS update. The
>> addresses associated with a tunnel don't change for the life of
>> that tunnel.
>>
>
> True. 'tho, you can list any nonsense address you want. They do nothing to
> validate it. (Use my favorite BS address: Independence MT -- pop: zero.
> It's a dirt road across a mountain in the middle of absolutely nowhere.
> Google it!)
>
> The tunnel endpoint (your IPv4 address) is known only to HE, and not
> exposed to ANYONE. That's not going to EVER change. Once your tunnel has
> been set up, that address ("Client IPv4 Address") is not set in stone.
> People have dynamic addresses, and HE recognizes this, so there are
> numerous methods to change the tunnel endpoint address. (tunnel
> configuration page, update through an http(s) request, etc.) THUS, a tunnel
> can move; it can be terminated anywhere, at anytime. Not only can one
> update the endpoint to a different address on the same box, but to a
> completely different box entirely.
>
> Furthermore, one account can have several tunnels through different
> servers that present addresses from different regions. Where I appear to be
> in the world, thus, depends on which tunnel I have enabled. (and in which
> countries HE has prefixes, which currently appears to be 4)
>


Re: Netflix VPN detection - actual engineer needed

2016-06-03 Thread Blair Trosper
...IF (and that's a big IF in the Bay Area at least) you can get the newest
modems.  Easier said than done.

On Fri, Jun 3, 2016 at 5:03 PM, Spencer Ryan  wrote:

> Comcast is near 100% on their DOCSIS network (Business and residential).
> That should be the largest single ISP for IPv6 for end users in the USA.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 7:49 PM, Cryptographrix 
> wrote:
>
> > Depends - how many US users have native IPv6 through their ISPs?
> >
> > If I remember correctly (I can't find the source at the moment), HE.net
> > represents something like 70% of IPv6 traffic in the US.
> >
> > And yeah, not doing that - actually in the middle of an IPv6 project at
> > work at the moment that's a bit important to me.
> >
> >
> >
> >
> > On Fri, Jun 3, 2016 at 7:45 PM Baldur Norddahl <
> baldur.nordd...@gmail.com>
> > wrote:
> >
> > > On 4 Jun 2016 at 01:26, "Cryptographrix" <cryptograph...@gmail.com> wrote:
> > > >
> > > > The information I'm getting from Netflix support now is explicitly
> > > telling
> > > > me to turn off IPv6 - someone might want to stop them before they
> > > > completely kill US IPv6 adoption.
> > >
> > > Not allowing he.net tunnels is not killing ipv6. You just need
> > native
> > > ipv6.
> > >
> > > On the other hand it would be nice if Netflix would try the other
> > protocol
> > > before blocking.
> > >
> >
>


Re: Netflix VPN detection - actual engineer needed

2016-06-03 Thread Blair Trosper
I dunno.  I could argue that I could -- to extend that idea -- let
literally ANYONE tunnel through my Comcast Business connection to appear to
be in the Bay Area.  How's that fundamentally different than a service like
TunnelBroker apart from economies of scale?

More than a few people I know are ready to dump Netflix for this.
Fortunately, where I live, Comcast Business has native dual stack...

On Fri, Jun 3, 2016 at 1:05 PM, Spencer Ryan <sr...@arbor.net> wrote:

> There is no way for Netflix to know the difference between you being in NY
> and using the tunnel, and you living in Hong Kong and using the tunnel.
>
>
> *Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
> *Arbor Networks*
> +1.734.794.5033 (d) | +1.734.846.2053 (m)
> www.arbornetworks.com
>
> On Fri, Jun 3, 2016 at 4:03 PM, Cryptographrix <cryptograph...@gmail.com>
> wrote:
>
>> Same, but until there's a real IPv6 presence in the US, it's really
>> annoying that they haven't come up with some fix for this.
>>
>> I have no plans to turn off IPv6 at home - I actually have many uses for
>> it, and as much as I dislike the controversy around it, think that adoption
>> needs to be prioritized, not penalized.
>>
>> Additionally, I think that discussing content provider control over
>> regional decisions isn't productive to the conversation, as they didn't
>> build the banhammer (wouldn't you want to control your own content if you
>> had made content specific to regional laws etc?).
>>
>> I.e. - not all shows need to have regional restrictions between New York
>> (where I live) and California (where my IPv6 /64 says I live).
>>
>> I'm able to watch House in any state in the U.S.? Great - ignore my
>> intra-US proxy connection.
>>
>> My Netflix account randomly tries to connect from Tokyo because I forgot
>> to shut off my work VPN? Fine, let me know and I'll turn *that* off.
>>
>>
>>
>>
>>
>>
>> On Fri, Jun 3, 2016 at 3:49 PM Spencer Ryan <sr...@arbor.net> wrote:
>>
>>> I don't blame them for blocking a (effectively) anonymous tunnel broker.
>>> I'm sure their content providers are forcing their hand.
>>> On Jun 3, 2016 3:46 PM, "Cryptographrix" <cryptograph...@gmail.com>
>>> wrote:
>>>
>>>> Netflix needs to figure out a fix for this until ISPs actually provide
>>>> IPv6
>>>> natively.
>>>>
>>>>
>>>>
>>>> On Fri, Jun 3, 2016 at 3:13 PM Blair Trosper <blair.tros...@gmail.com>
>>>> wrote:
>>>>
>>>> > Confirmed that Hurricane Electric's TunnelBroker is now blocked by
>>>> > Netflix.  Any nice people from Netflix perhaps want to take a
>>>> crack at
>>>> > this?
>>>> >
>>>> >
>>>> >
>>>> > On Thu, Jun 2, 2016 at 2:15 PM, <mike.hy...@gmail.com> wrote:
>>>> >
>>>> > > Had the same problem at my house, but it was caused by the IPv6
>>>> > connection
>>>> > > to HE.  Turned off V6 and the device worked.
>>>> > >
>>>> > >
>>>> > > --
>>>> > >
>>>> > > Sent with Airmail
>>>> > >
>>>> > > On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matt...@matthew.at
>>>> )
>>>> > > wrote:
>>>> > >
>>>> > > Every device in my house is blocked from Netflix this evening due to
>>>> > > their new "VPN blocker". My house is on my own IP space, and the
>>>> outside
>>>> > > of the NAT that the family devices are on is 198.202.199.254,
>>>> announced
>>>> > > by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house
>>>> > > should show that I'm no farther away than Santa Cruz, CA as
>>>> microwaves
>>>> > > fly.
>>>> > >
>>>> > > Unfortunately, when one calls Netflix support to talk about this,
>>>> the
>>>> > > only response is to say "call your ISP and have them turn off the
>>>> VPN
>>>> > > software they've added to your account". And they absolutely refuse
>>>> to
>>>> > > escalate. Even if you tell them that you are essentially your own
>>>> ISP.
>>>> > >
>>>> > > So... where's the Netflix network engineer on the list who all of
>>>> us can
>>>> > > send these issues to directly?
>>>> > >
>>>> > > Matthew Kaufman
>>>> > >
>>>> >
>>>>
>>>
>


Re: Netflix VPN detection - actual engineer needed

2016-06-03 Thread Blair Trosper
Confirmed that Hurricane Electric's TunnelBroker is now blocked by
Netflix.  Any nice people from Netflix perhaps want to take a crack at
this?



On Thu, Jun 2, 2016 at 2:15 PM,  wrote:

> Had the same problem at my house, but it was caused by the IPv6 connection
> to HE.  Turned off V6 and the device worked.
>
>
> --
>
> Sent with Airmail
>
> On June 1, 2016 at 10:29:03 PM, Matthew Kaufman (matt...@matthew.at)
> wrote:
>
> Every device in my house is blocked from Netflix this evening due to
> their new "VPN blocker". My house is on my own IP space, and the outside
> of the NAT that the family devices are on is 198.202.199.254, announced
> by AS 11994. A simple ping from Netflix HQ in Los Gatos to my house
> should show that I'm no farther away than Santa Cruz, CA as microwaves
> fly.
>
> Unfortunately, when one calls Netflix support to talk about this, the
> only response is to say "call your ISP and have them turn off the VPN
> software they've added to your account". And they absolutely refuse to
> escalate. Even if you tell them that you are essentially your own ISP.
>
> So... where's the Netflix network engineer on the list who all of us can
> send these issues to directly?
>
> Matthew Kaufman
>


Re: phone fun, was GeoIP database issues and the real world consequences

2016-04-26 Thread Blair Trosper
I would imagine for VOIP that's because all three are country code 1 :)

On Tue, Apr 26, 2016 at 7:50 PM, Ray Orsini  wrote:

> On our VOIP service we include US, Canada and Puerto Rico as "local"
> calling.
>
> Regards,
>
> Ray Orsini – CEO
> Orsini IT, LLC – Technology Consultants
> VOICE DATA  BANDWIDTH  SECURITY  SUPPORT
> P: 305.967.6756 x1009   E: r...@orsiniit.com   TF: 844.OIT.VOIP
> 7900 NW 155th Street, Suite 103, Miami Lakes, FL 33016
> http://www.orsiniit.com | View My Calendar | View/Pay Your Invoices | View
> Your Tickets
>
>
>
> -Original Message-
> From: NANOG [mailto:nanog-bounces+ray=orsiniit@nanog.org] On Behalf Of
> Larry Sheldon
> Sent: Tuesday, April 26, 2016 3:11 PM
> To: nanog@nanog.org
> Subject: Re: phone fun, was GeoIP database issues and the real world
> consequences
>
>
>
> On 4/20/2016 10:15, Owen DeLong wrote:
> >
> >> On Apr 20, 2016, at 7:59 AM, Jean-Francois Mezei
> >>  wrote:
> >>
> >> On 2016-04-20 10:52, Owen DeLong wrote:
> >>
> >>> For the most part, “long distance” calls within the US are a thing
> >>> of the past and at least one mobile carrier now treats US/CA/MX as a
> >>> single local calling area
> >>
> >>
> >> Is this a case of telcos having switched to IP trunks and can reach
> >> other carriers for "free"
> >>
> >> Or are wholesale long distance still billed between carriers but at
> >> prices so low that they can afford to offer "free" long distance at
> >> retail level ?
> >
> > I think it boiled down to a recognition that the costs of billing were
> > beginning to account for something like $0.99 of every $1 billed.
>
> I wonder if the costs of avoiding-preventing-investigating toll fraud finally
> grow to consume the profit in the product.
>
> I know that long ago there were things that I thought were insanely silly.
> A few examples:
>
> As an ordinary citizen I was amused and annoyed, in the case where a toll
> charge had been contested (and perforce refunded) there would often be
> several non-revenue calls to the protesting number asking whoever answered
> if they knew anybody in the called city, or if they knew who
> the called number belonged to.   (Proper answer in any case:  Who or
> what I know is none of your business.)  Often there would be calls to the
> called number (super irritating because the error was in the
> recording--later learned to be poor handwriting) asking the reciprocal
> questions except that often they had no idea that a call had been made.
>
> I was a Toll Transmissionman for a number of years back in the last ice age
> and one of the onerous tasks the supervisor had was "verifying the phone
> bill" which might be a stack as much as six inches tall.  The evening shift
> supervisor (or one of them in a large office, like Los Angeles 1 Telegraph,
> where I worked for a while) would go through the bill, line by line, page
> by
> page, looking at the called number and if he recognized it and placing a
> check mark next to it.  If he did not recognize it, he would search the
> many
> lists in the office to see it was shown, and adding a check mark if a list
> showed it for a likely sounding legal call.  If that didn't work he would
> probably have to call the number to see who answered (adding a wasted
> revenue-call path to the wreckage).  Most often it would turn out to be the
> home telephone number of a repair supervisor in West Sweatsock, Montana,
> who
> had been called because a somebody who protested the policy that the
> repairman going fishing meant some problem would not be addressed for
> several days.  So he put a check mark next to the number and moved on.
>
> Which meant the number would show up on the next month's bill.  And it
> would
> again not be recognized from memory.  And so forth and so on.
> Until eventually, after several months, the number would be recognized,
> check-marked without drama, and disappear forever from the bill.
>
> Lastly, in later years I was assigned to the Revenue Accounting
> organization (to write programs for printing telephone books) and came to
> realize that there were a LOT of people in RA working with a LOT of people
> in the Chief Special Agents organization using a LOT of computer time to
> analyze Toll records for fraud patterns.
>
> Oops, not quite lastly. Looking back at my Toll Plant days in the
> heyday
> of Captain Crunch--there were a lot of engineering hours redesigning Toll
> equipment, and plant hours modifying or replacing equipment to defeat the
> engineering efforts of the Blue Box Boys.
>
> --
> "Everybody is a genius.  But if you judge a fish by its ability to climb a
> tree, it will live its whole life believing that it is stupid."
>
> --Albert Einstein
>


Re: GeoIP database issues and the real world consequences

2016-04-11 Thread Blair Trosper
Has happened in Atlanta, too, due to (what I think) was a lookup on the
ASN's whois, which wasn't specific:
http://fusion.net/story/214995/find-my-phone-apps-lead-to-wrong-home/

On Mon, Apr 11, 2016 at 9:55 AM, Chris Boyd  wrote:

>
> Interesting article.
>
> http://fusion.net/story/287592/internet-mapping-glitch-kansas-farm/
>
> An hour’s drive from Wichita, Kansas, in a little town called Potwin,
> there is a 360-acre piece of land with a very big problem.
>
> The plot has been owned by the Vogelman family for more than a hundred
> years, though the current owner, Joyce Taylor née Vogelman, 82, now
> rents it out. The acreage is quiet and remote: a farm, a pasture, an old
> orchard, two barns, some hog shacks and a two-story house. It’s the kind
> of place you move to if you want to get away from it all. The nearest
> neighbor is a mile away, and the closest big town has just 13,000
> people. It is real, rural America; in fact, it’s a two-hour drive from
> the exact geographical center of the United States.
>
> But instead of being a place of respite, the people who live on Joyce
> Taylor’s land find themselves in a technological horror story.
>
>
> For the last decade, Taylor and her renters have been visited by all
> kinds of mysterious trouble. They’ve been accused of being identity
> thieves, spammers, scammers and fraudsters. They’ve gotten visited by
> FBI agents, federal marshals, IRS collectors, ambulances searching for
> suicidal veterans, and police officers searching for runaway children.
> They’ve found people scrounging around in their barn. The renters have
> been doxxed, their names and addresses posted on the internet by
> vigilantes. Once, someone left a broken toilet in the driveway as a
> strange, indefinite threat.
>
> --Chris
>


Re: Youtube CDN unreachable over IPv6

2015-11-08 Thread Blair Trosper
It was 2014-05-17 on this list, and went on to be handled at GGC, where
it's come up now and then.

On Fri, Nov 6, 2015 at 12:17 PM, Christopher Schmidt <crschm...@google.com>
wrote:

> Hi all,
>
> Thanks for the reports.
>
> To the best of our knowledge, this issue has been resolved at this
> time. If you are still having problems connecting to YouTube CDN
> nodes, please feel free to let me know, and I will investigate
> further.
>
> On Fri, Nov 6, 2015 at 12:48 PM, Blair Trosper <blair.tros...@gmail.com>
> wrote:
> > This was happening two weeks ago in the Bay Area as well.  It happens
> quite
> > a lot, actually...search for my old threads.  I gave up trying to get it
> > noticed.
>
> Blair,
>
> I'm not aware of a similar issue with IPv6 being unavailable while
> IPv4 is available recently.
>
> I did not see any threads with information in them with the name
> "Blair" attached in either the October archive
> (http://mailman.nanog.org/pipermail/nanog/2015-October/thread.html) or
> the September archive
> (http://mailman.nanog.org/pipermail/nanog/2015-September/thread.html)
> .
>
> If this issue is ongoing, I would be happy to look into this;
> otherwise, I don't believe there is any action I can take to assist at
> this time.
>
> All the best.
>
>
> >> * seth@dds.nl (Seth Mos) [Fri 06 Nov 2015, 09:00 CET]:
> >> >Dear Google,
> >> >
> >> >It appears that one of the Youtube CDN's (in Europe, NL) is not
> >> >reachable over IPv6 from AS 20844. Can someone get back to us on this,
> >> >the company can't access any of the videos currently, although the
> >> >mainpage loads fine (over IPv6).
> >> >
> >> >Kind regards,
> >> >
> >> >Seth
> >> >
> >> >telnet r6---sn-5hne6n76.googlevideo.com 443
> >> >Trying 2a00:1450:401c:4::b...
> >> >telnet: connect to address 2a00:1450:401c:4::b: Connection timed out
> >> >Trying 74.125.100.203...
> >> >Connected to r6.sn-5hne6n76.googlevideo.com (74.125.100.203).
> >> >Escape character is '^]'.
> >> >Connection closed by foreign host.
> >> >
> >> >telnet www.youtube.com 443
> >> >Trying 2a00:1450:4013:c01::5d...
> >> >Connected to youtube-ui.l.google.com (2a00:1450:4013:c01::5d).
> >> >Escape character is '^]'.
> >> >Connection closed by foreign host.
> >>
>
> --
> Christopher Schmidt
> YouTube Quality of Experience
>


Re: Youtube CDN unreachable over IPv6

2015-11-06 Thread Blair Trosper
This was happening two weeks ago in the Bay Area as well.  It happens quite
a lot, actually...search for my old threads.  I gave up trying to get it
noticed.

On Fri, Nov 6, 2015 at 8:35 AM, Thijs Stuurman  wrote:

> The problem is on Google's side. From AS15879:
>
> """
> [~]# telnet r7---sn-5hne6n7y.googlevideo.com 443
> Trying 2a00:1450:401c:8::c...
> telnet: connect to address 2a00:1450:401c:8::c: Connection timed out
> Trying 173.194.153.76...
> Connected to r7---sn-5hne6n7y.googlevideo.com.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> [~]# telnet r1---sn-5hne6n7z.googlevideo.com 443
> Trying 2a00:1450:401c:3::7...
> telnet: connect to address 2a00:1450:401c:3::7: Connection timed out
> Trying 74.125.8.55...
> Connected to r1---sn-5hne6n7z.googlevideo.com.
> Escape character is '^]'.
> Connection closed by foreign host.
>
> [~]# telnet rijksoverheid.nl 443
> Trying 2a00:d00:3:2::116...
> Connected to rijksoverheid.nl.
> Escape character is '^]'.
> ^]
> telnet> quit
> Connection closed.
> """
>
> Thijs Stuurman
> Infrastructure & Solutions
>
> IS (internedservices) Group
> Wielingenstraat 8 | 1441 ZR Purmerend | The Netherlands
> T: +31(0)299476185 | M: +31(0)624366778
> W: https://www.is.nl | L: http://nl.linkedin.com/in/thijsstuurman
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Niels Bakker
> Sent: Friday, November 6, 2015 3:14 PM
> To: nanog@nanog.org
> Subject: Re: Youtube CDN unreachable over IPv6
>
> It's not just you, I'm seeing the same thing from my home connection
> in AS3265.  I think this started happening not long ago when Google
> had an issue with one of their AMS-IX connections.
>
> % telnet -6 r7---sn-5hne6n7y.googlevideo.com 443
> Trying 2a00:1450:401c:8::c...
>
> I'm certain it's not AS3265 who is to blame here, an ISP I've had
> pretty much zero issues with over, IPv6 or otherwise, the many years
> I've been a customer.
>
>
> -- Niels.
>
> * seth@dds.nl (Seth Mos) [Fri 06 Nov 2015, 09:00 CET]:
> >Dear Google,
> >
> >It appears that one of the Youtube CDN's (in Europe, NL) is not
> >reachable over IPv6 from AS 20844. Can someone get back to us on this,
> >the company can't access any of the videos currently, although the
> >mainpage loads fine (over IPv6).
> >
> >Kind regards,
> >
> >Seth
> >
> >telnet r6---sn-5hne6n76.googlevideo.com 443
> >Trying 2a00:1450:401c:4::b...
> >telnet: connect to address 2a00:1450:401c:4::b: Connection timed out
> >Trying 74.125.100.203...
> >Connected to r6.sn-5hne6n76.googlevideo.com (74.125.100.203).
> >Escape character is '^]'.
> >Connection closed by foreign host.
> >
> >telnet www.youtube.com 443
> >Trying 2a00:1450:4013:c01::5d...
> >Connected to youtube-ui.l.google.com (2a00:1450:4013:c01::5d).
> >Escape character is '^]'.
> >Connection closed by foreign host.
>



Suddenlink: Texas panhandle

2015-08-19 Thread Blair Trosper
They apparently experienced massive fiber cuts last night and are still
100% down.  Anyone know anything about this?


Zayo/AboveNet

2015-08-10 Thread Blair Trosper
Anyone know why Zayo still hasn't renamed the BGP AS network names for all
the AboveNet ASNs?

Not to poke fun at Global Crossing, but they changed Level 3's AS name in
less time (which, if I recall, took over a year to happen...)

I don't see Zayo using the Above.net brand anywhere lately...honest
question.  I know small details like the name of your AS can slip through
the cracks in an acquisition THREE YEARS AGO http://www.zayo.com/abovenet,
but still...it's been a while...

http://bgp.he.net/AS6461


Re: Zayo/AboveNet

2015-08-10 Thread Blair Trosper
UUNet would have been 40% funnier.  (I rounded up from 39.975%)

On Mon, Aug 10, 2015 at 8:57 AM, Bill Woodcock wo...@pch.net wrote:


> > On Aug 10, 2015, at 8:45 AM, Blair Trosper blair.tros...@gmail.com
> wrote:
> >
> > Anyone know why Zayo still hasn't renamed the BGP AS network names for
> all
> > the AboveNet ASNs?
>
> They don’t want to disrupt their Alternet peering sessions.
>
> -Bill







Re: How long will it take to completely get rid of IPv4 or will it happen at all?

2015-06-27 Thread Blair Trosper
I agree with Tony, but at the same time, I also find myself having a hard
time rendering an opinion as to timeframe.  It'll probably be surprising,
but as someone who joined the Internet in the 1990s when IRC was still the
pinnacle of what we could do, it's hard to imagine v4 ever going away
completely.  Maybe a hold-over for legacy services a bit like AM or
shortwave radio?

Uncertain, but an intriguing thought experiment.

On Sat, Jun 27, 2015 at 1:02 PM, Tony Hain alh-i...@tndh.net wrote:

 Bob Evans wrote:
 
  Our fundamental issue is that an IPv4 address has no real value as
 networks
  still give them away, it's pennies in your pocket. Everything of use
 needs
 to
  have a cost to motivate for change. Establishing that now won't create
  change it will first create greater conservation. There will be a cost
 that will
  be reached before change takes place on a scale that matters.
 
  Networks set the false perception and customer expectation that address
  space is free and readily available. Networks with plenty, still land
 many
  customers today by handing over a class C to customer with less than 10
  servers and 5 people in an office.
 
  We have a greater supply for packets to travel than we do for addresses
  required to move packets. Do you know how many packets a single IP
  address can generate or utilize, if it was attached too The World's
 Fastest
  Internet in someplace like Canadaland or Sweden on init7's Fiber7 ?  No
  matter how large the pipe the answer is always, all of it. It's address
 space
  we should now place a price upon. Unlike, My Space's disappearance when
  Facebook arrived there is no quick jump to IPv6. There is no coordinated
  effort required that involves millions of people to change browser window
  content.
 
  But to answer your question...
 
  Everything that is handed over for free is perceived as having no value.
  Therefore, IPv4 has to cost much more than the cost to change to IPv6
 today.
  While the IPv6 addresses are free, it is expensive to change.
  Businesses spend lots of money on a free lunches. It's going to take at
 least
  the price of one good lunch per IP address per month to create the
  consideration for change. That's about $30 for 2 people in California.
  Offering a /48 of free IPv6 space to everyone on the planet didn't make
 it
  happen.
 
  There is no financial incentive to move to IPv6. In fact there is more
 reason
  not to change than to change. The new gear cost $$$ (lots of it
 didn't
  work well and required exploration to learn that),  IT people need hours
 to
  implement (schedules are full of day-to-day issues), networks keep
 growing
  with offerings that drop Internet costs and save everyone money, business
  as usual is productive on IPv4 (business doesn't have time for
 distraction),
  many of us get distracted by something more immediate and interesting
  than buying a new wi-fi router for the home.
 
  What will come first ?
  A) the earths future core rotation changes altering the ionosphere in
 such
 a
  way that we are all exposed to continuous x-rays that shorten our
 lifespan
   OR
  B) the last IPv4 computer running will be reconfigured to IPv6
 
  Thank You
  Bob Evans
  CTO
 

 Rewind the clock 20 years s/ipv4/sna/  s/ipv6/ipv4/   and/or
 rewind the clock 15 years s/ipv4/tdm/ s/ipv6/voip/
 and your rant is exactly what was coming out of enterprises and carriers at
 those times. The only thing more constant than change in this industry is
 the intransigence of the luddites that believe they are the masters of the
 universe and will refuse to move with the tide. Sometimes (like in the case
 of IPv4) they can build a strong seawall that will hold the tide back for a
 decade, but rest assured that the tide always wins.

 I have looked and can't find the references, but I distinctly remember
 Businessweek or Fortune magazine covers in the late 90's with phrases to the
 effect of 'SNA Forever' or 'SNA is for real business/IPv4 is an experimental
 toy'. I have also been in meetings with carriers and been told No end
 customer will ever fill a DS-3. Those are inter-city exchange circuits, and
 there isn't enough data in the world to fill one, having just told them we
 were connecting CERN to Cal-tech.

 To the point of the original question, look to history for some indication.
 While people in the late 90's were busy trying to figure out how to
 translate web pages to SNA terminals, within ~ 5 years, the noise was gone.
 I am sure you will still find pockets of legacy SNA in use, but nobody
 cares. Then look at the education system. Once you retire-out the tenured
 dinosaurs that are still teaching classful IPv4, followed by a generation
 of upstarts that never learned about those tiny 32-bit locators which could
 only possibly identify 1% of the connected devices they are aware of, it
 will die off. Until then, it will move to the backwaters where nobody
 cares.

 When you ignore the costs of 

Suddenlink RWHOIS = down

2015-06-01 Thread Blair Trosper
Can someone from Suddenlink contact me offlist (or just handle) for the
fact that your rwhois server is offline?

Found a referral to rwhois.suddenlink.net:4321.

connect: Connection refused


Re: AWS Elastic IP architecture

2015-05-31 Thread Blair Trosper
Disagree, and so does AWS.  IPv6 has a huge utility:  being a universal,
inter-region management network (a network that unites traffic between
regions on public and private netblocks).   Plus, at least the CDN and ELBs
should be dual-stack, since more and more ISPs are turning on IPv6.

On Sun, May 31, 2015 at 8:40 AM, Owen DeLong o...@delong.com wrote:

 I wasn’t being specific about VPC vs. Classic.

 The support for IPv6 in Classic is extremely limited and basically useless
 for 99+% of applications.

 I would argue that there is, therefore, effectively no meaningful support
 for IPv6 in AWS, period.

 What you describe below seems to me that it would only make the situation
 I described worse, not better in the VPC world.

 Owen

  On May 31, 2015, at 4:23 AM, Andras Toth diosbej...@gmail.com wrote:
 
  Congratulations for missing the point Matt, when I sent my email
  (which by the way went for moderation) there wasn't a discussion about
  Classic vs VPC yet. The discussion was no ipv6 in AWS which is not
  true as I mentioned in my previous email. I did not state it works
  everywhere, but it does work.
 
  In fact as Owen mentioned the following, I assumed he is talking about
  Classic because this statement is only true there. In VPC you can
  define your own IP subnets and it can overlap with other customers, so
  basically everyone can have their own 10.0.0.0/24 for example.
  They are known to be running multiple copies of RFC-1918 in disparate
  localities already. In terms of scale, modulo the nightmare that must
  make of their management network and the fragility of what happens
  when company A in datacenter A wants to talk to company A in
  datacenter B and they both have the same 10-NET addresses
 
  Andras
 
 
  On Sun, May 31, 2015 at 7:18 PM, Matt Palmer mpal...@hezmatt.org
 wrote:
  On Sun, May 31, 2015 at 01:38:05AM +1000, Andras Toth wrote:
  Perhaps if that energy which was spent on raging, instead was spent on
  a Google search, then all those words would've been unnecessary.
 
  Official documentation:
 
 http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-internet-facing-load-balancers.html#internet-facing-ip-addresses
 
  Congratulations, you've managed to find exactly the same info as Owen
  already covered:
 
  Load balancers in a VPC support IPv4 addresses only.
 
  and
 
  Load balancers in EC2-Classic support both IPv4 and IPv6 addresses.
 
  - Matt
 




Re: AWS Elastic IP architecture

2015-05-31 Thread Blair Trosper
AWS built their network first...before IPv6 popped, so you can appreciate
the huge task
they have of retrofitting all their products to support it.

I don't envy the task, but they have said publicly and privately that it's
a priority.  But it's
also a massive undertaking, and you can't expect them to snap their fingers
and turn it
out over a weekend, man...

The prize of being first cuts both ways when newer technologies at lower
network levels
start taking off and you don't have support built in to something
proprietary.

Would it be great if they had it faster?  Obviously yes.
Are they working on it as a priority?  Yes.
Can they go any faster?  Probably.
Are there other choices for cloud providers that are full dual stack if
this really is a
live or die issue for you?  Yes.

Access to dual-stack isn't a fundamental human right.  If you don't like
what AWS is doing,
then use someone else who has dualstack.

I don't get the outrage...and it's so irrational, that you've caused me to
actually *defend* AWS.

bt


On Sun, May 31, 2015 at 1:29 PM, Matthew Kaufman matt...@matthew.at wrote:

 Since your network has IPv6, I fail to see the issue.

 Nobody is anywhere near being able to go single-stack on IPv6, so AWS is
 just another network your customers will continue to reach over v4. So what?

 Heck, if v6 support from a cloud hosting company is so important, I see a
 great business opportunity in your future.

 Matthew Kaufman

 (Sent from my iPhone)

  On May 31, 2015, at 10:57 AM, Owen DeLong o...@delong.com wrote:
 
  Sigh…
 
  IPv6 has huge utility.
 
  AWS’ implementation of IPv6 is brain-dead and mostly useless for most
 applications.
 
  I think if you will review my track record over the last 5+ years, you
 will plainly see that I am fully aware of the utility and need for IPv6.
 
  http://lmgtfy.com/?q=owen+delong+ipv6
 
  My network (AS1734) is fully dual-stacked, unlike AWS.
 
  If AWS is so convinced of the utility of IPv6, why do they continue to
 refuse to do a real implementation that provides IPv6 capabilities to users
 of their current architecture.
 
  Currently, on AWS, the only IPv6 is via ELB for classic EC2 hosts. You
 cannot put a native IPv6 address on an AWS virtual server at all (EC2 or
 VPC). Unless your application is satisfied by running an IPv4-only web
 server which has an IPv6 VIP proxy in front of it with some extra headers
 added by the proxy to help you parse out the actual source address of the
 connection, then your application cannot use IPv6 on AWS.
 
  As such, I stand by my statement that there is effectively no meaningful
 support for IPv6 in AWS, period.
 
  AWS may disagree and think that ELB for classic EC2 is somehow
 meaningful, but their lack of other support for any of their modern
 architectures and the fact that they are in the process of phasing out
 classic EC2 makes me think that’s a pretty hard case to make.
 
  Owen
 
  On May 31, 2015, at 9:01 AM, Blair Trosper blair.tros...@gmail.com
 wrote:
 
  Disagree, and so does AWS.  IPv6 has a huge utility:  being a
 universal, inter-region management network (a network that unites traffic
 between regions on public and private netblocks).   Plus, at least the CDN
 and ELBs should be dual-stack, since more and more ISPs are turning on IPv6.
 
  On Sun, May 31, 2015 at 8:40 AM, Owen DeLong o...@delong.com wrote:
  I wasn’t being specific about VPC vs. Classic.
 
  The support for IPv6 in Classic is extremely limited and basically
 useless for 99+% of applications.
 
  I would argue that there is, therefore, effectively no meaningful
 support for IPv6 in AWS, period.
 
  What you describe below seems to me that it would only make the
 situation I described worse, not better in the VPC world.
 
  Owen
 
  On May 31, 2015, at 4:23 AM, Andras Toth diosbej...@gmail.com wrote:
 
  Congratulations for missing the point Matt, when I sent my email
  (which by the way went for moderation) there wasn't a discussion about
  Classic vs VPC yet. The discussion was no ipv6 in AWS which is not
  true as I mentioned in my previous email. I did not state it works
  everywhere, but it does work.
 
  In fact as Owen mentioned the following, I assumed he is talking about
  Classic because this statement is only true there. In VPC you can
  define your own IP subnets and it can overlap with other customers, so
  basically everyone can have their own 10.0.0.0/24 for example.
  They are known to be running multiple copies of RFC-1918 in disparate
  localities already. In terms of scale, modulo the nightmare that must
  make of their management network and the fragility of what happens
  when company A in datacenter A wants to talk to company A in
  datacenter B and they both have the same 10-NET addresses
 
  Andras
 
 
  On Sun, May 31, 2015 at 7:18 PM, Matt Palmer mpal...@hezmatt.org wrote

Re: AWS Elastic IP architecture

2015-05-30 Thread Blair Trosper
Only EC2 classic has dual stack anything.  VPC load balancers (and, indeed,
everything about VPC) is IPv4 only.

And EC2 classic is being phased out, so dualstack is sort of dying on AWS.
However, I do have some solid information that they're scrambling to
retrofit, but seeing
as how we know AWS operates internally (compartmentalizing information to
the point of paranoia), I reckon it will be another year or two before we
even see IPv6
support extend to CloudFront (their CDN) endpoints.

Don't hold your breath on seeing v6 inside VPC/EC2 anytime soon...is what I
was told.

On Sat, May 30, 2015 at 3:49 PM, Owen DeLong o...@delong.com wrote:

 
 
  Amazon doesn't even offer a v4/v6 LoadBalancer service right? (I had
  thought they did, but I guess I'm mis-remembering)

 They sort of do, but it’s utterly incompatible with all of their modern
 capabilities. You have to use some pretty antiquated VM provisioning and
 such to use it if I understood people correctly.


 Owen




-- 
Blair Trosper p.g.a.
S2 Entertainment Partners
Desk:  469-333-8008
Cell:  512-619-8133
Agent/Rep:  WME (Los Angeles, CA) - 310-248-2000
PR/Manager:  BORG (Dallas, TX) - 844-THE-BORG


Re: AWS Elastic IP architecture

2015-05-30 Thread Blair Trosper
Oh, and the only thing dual stack about EC2 Classic was ELBs (elastic load
balancers).  Instances had no means of IPv6 communication except via an
ELB.  That
is the FULL extent of IPv6 implementation on AWS at present...and most
people do not have EC2 classic.

On Sat, May 30, 2015 at 4:20 PM, Blair Trosper blair.tros...@gmail.com
wrote:

 Only EC2 classic has dual stack anything.  VPC load balancers (and,
 indeed, everything about VPC) is IPv4 only.

 And EC2 classic is being phased out, so dualstack is sort of dying on
 AWS.  However, I do have some solid information that they're scrambling to
 retrofit, but seeing
 as how we know AWS operates internally (compartmentalizing information to
 the point of paranoia), I reckon it will be another year or two before we
 even see IPv6
 support extend to CloudFront (their CDN) endpoints.

 Don't hold your breath on seeing v6 inside VPC/EC2 anytime soon...is what
 I was told.

 On Sat, May 30, 2015 at 3:49 PM, Owen DeLong o...@delong.com wrote:

 
 
  Amazon doesn't even offer a v4/v6 LoadBalancer service right? (I had
  thought they did, but I guess I'm mis-remembering)

 They sort of do, but it’s utterly incompatible with all of their modern
 capabilities. You have to use some pretty antiquated VM provisioning and
 such to use it if I understood people correctly.


 Owen





Re: looking glass software

2015-05-28 Thread Blair Trosper
You can always try Hurricane's:

http://lg.he.net

On Thu, May 28, 2015 at 2:24 PM, Youssef Bengelloun-Zahr yous...@720.fr
wrote:

 Hello,

 Anyone that would know of an LG that would work with recent Brocade gear ?

 Best regards.



  On 27 May 2015 at 20:48, Farhan Ali Khan far...@cyber.net.pk wrote:
 
  Hello Bogdan,
   have a look http://freecode.com/projects/lg/  it supports IOS,
  Junos but doesn't support IOS XR if you are comfortable with this one
  let me know I'll try to assist you  to modify the code.
  I never tried but I do believe with some modification same tool can
  also work with huawei , nortel any other CLIs as well
 
  Good Day
  Farhan Khan
 
  On 27/May/15 06:52, Bogdan wrote:
  hello
 
  what software do you use for looking glass. for cisco ios and ios-xr?
  i use the old cougar/version6.net for ios, but ios-xr is not supported.
  i came across https://github.com/tmshlvck/ulg/ but didn't install it yet.
  are there any other interesting lg's out there?
 
  That's the one we use, but we run it against IOS. Should also work for
  IOS XE.
 
  I think I've seen some folk use it for Junos as well.
 
  Mark.
 




-- 
Blair Trosper p.g.a.
S2 Entertainment Partners
Desk:  469-333-8008
Cell:  512-619-8133
Agent/Rep:  WME (Los Angeles, CA) - 310-248-2000
PR/Manager:  BORG (Dallas, TX) - 844-THE-BORG


Re: AWS Elastic IP architecture

2015-05-28 Thread Blair Trosper
I can tell you that EC2 Classic and VPC EIPs come from separate
netblocks...if that gives you any hints whatsoever.

There's no crossover between the two platforms in IP space.

On Thu, May 28, 2015 at 12:08 PM, Christopher Morrow 
morrowc.li...@gmail.com wrote:

 On Thu, May 28, 2015 at 11:44 AM, Luan Nguyen (CBU)
 luan.ngu...@dimensiondata.com wrote:
  What I am trying to get at is yeah, you still need the l2 extension
  encapsulation, but on top you need something for disaster recovery, machines
  mobility between data centers, sort of like Vshield Edge using NAT – you can

 probably what the vm mobilty looks like is a change in the L2 path,
 right? why make it anymore complicated than that? inside a single
 availability domain I would expect the L2 domain a vm sees doesn't
 change, even if the VM itself is moved from physical machine to
 physical machine.

 making it more complex at the vm level is probably a bunch of work
 that doesn't have to happen.

  change the NAT pool and update the DNS record, but the internal would remain

 that sounds like a bunch of work though, which I don't think is really
 necessary. I'm just a plumber, though so I don't actually know what
 anyone does with this stuff.

  the same no matter where you move it to. LISP seems like a simple
  solution…so as specific host route injection, which for enterprise shouldn’t

 lisp wasn't really finalized (still sort of isn't) when aws/ec2
 started going like gang busters. They might have changed technology
 under the hood, but it doesn't seem like they would have had to (not
 in a drastic 'change encap type' sort of way at least).

  be much of a problem, but DRaaS cloud provider, this could ballooning the
  routing table pretty quickly.

 how so? does the external and internal view from the vm have to be the
 same? do the public /32's have to be individually routed ? inside what
 scope at the datacenter?

  What does Google use? :)

 no idea, probably rabbits with different colored carrots?



Re: gmail security is a joke

2015-05-28 Thread Blair Trosper
Somewhat in the weeds here, but I still find it odd/curious that Google is
still using SHA-1 fingerprinted SSL certificates.

Weren't they making a big deal of pushing SHA-2 fingerprinted SSL certs a
while back?

On Wed, May 27, 2015 at 12:16 AM, Octavio Alvarez octalna...@alvarezp.org
wrote:

 On 05/26/2015 08:44 AM, Owen DeLong wrote:

 I think opt-out of password recovery choices on a line-item basis is
 not a bad concept.

 For example, I’d want to opt out of recovery with account creation
 date. If anyone knows the date my gmail account was created, they
 most certainly aren’t me.

 OTOH, recovery by receiving a token at a previously registered
 alternate email address seems relatively secure to me and I wouldn’t
 want to opt out of that.

 (( many more snipped ))


 I would definitely opt-out from any kind of secret questions that I
 couldn't type by myself.

 Many many sites still think this is a good idea.

 Best regards.




-- 
Blair Trosper p.g.a.
S2 Entertainment Partners
Desk:  469-333-8008
Cell:  512-619-8133
Agent/Rep:  WME (Los Angeles, CA) - 310-248-2000
PR/Manager:  BORG (Dallas, TX) - 844-THE-BORG


AWS Contact

2015-04-17 Thread Blair Trosper
Weird issues with console and various service...can someone contact me off
list?


Re: Fixing Google geolocation screwups

2015-04-07 Thread Blair Trosper
No, Google has their own internal system.  Doubt MaxMind will help out.

This discussion and others like it may lead you in the right direction:
https://productforums.google.com/forum/#!topic/websearch/fkyem9xUKOQ

On Tue, Apr 7, 2015 at 6:10 PM, Aaron C. de Bruyn aa...@heyaaron.com
wrote:

 You might try here: https://www.maxmind.com/en/correction

 -A

 On Tue, Apr 7, 2015 at 3:42 PM, Fred Hollis f...@web2objects.com wrote:
  Thanks for sending this to the list: We have the very same issue as well
  (both IPv4+IPv6). If someone knows the magic button to solve this, please
  contact me as well.
 
 
  On 08.04.2015 at 00:26 John Levine wrote:
 
  A friend of mine lives in Alabama and has business service from att.
  But Google thinks he's in France.  We've checked for various
  possibilities of VPNs and proxies and such, and it's pretty clear that
  the Goog's geolocation for addresses around 99.106.185.0/24 is screwed
  up.  Bing and other services correctly find him in Alabama.
 
  Poking around I see lots of advice about how to use Google's
  geolocation data, but nothing on how to update it.  Anyone
  know the secret?  TIA
 
  Regards,
  John Levine, jo...@iecc.com, Primary Perpetrator of The Internet for
  Dummies,
  Please consider the environment before reading this e-mail.
 http://jl.ly
 
 
 



Re: Fixing Google geolocation screwups

2015-04-07 Thread Blair Trosper
It wouldn't hurt to correct it with MaxMind (a great product), but you'd
probably have better results dealing with Google directly.   If you have
Google Apps, you've got support, and that would be one way to go about
getting it addressed.

On Tue, Apr 7, 2015 at 6:29 PM, Aaron C. de Bruyn aa...@heyaaron.com
wrote:

 I figure they all collaborate.  I updated one of our IPs with MaxMind
 and a few weeks later Google was fixed.

 Of course that could be because half the staff here carry tiny
 GPS-enabled Google location reporting devices in their pocket too...

 -A

 On Tue, Apr 7, 2015 at 4:17 PM, Blair Trosper blair.tros...@gmail.com
 wrote:
  No, Google has their own internal system.  Doubt MaxMind will help out.
 
  This discussion and others like it may lead you in the right direction:
  https://productforums.google.com/forum/#!topic/websearch/fkyem9xUKOQ
 
  On Tue, Apr 7, 2015 at 6:10 PM, Aaron C. de Bruyn aa...@heyaaron.com
  wrote:
 
  You might try here: https://www.maxmind.com/en/correction
 
  -A
 
  On Tue, Apr 7, 2015 at 3:42 PM, Fred Hollis f...@web2objects.com
 wrote:
   Thanks for sending this to the list: We have the very same issue as
 well
   (both IPv4+IPv6). If someone knows the magic button to solve this,
   please
   contact me as well.
  
  
   On 08.04.2015 at 00:26 John Levine wrote:
  
   A friend of mine lives in Alabama and has business service from att.
   But Google thinks he's in France.  We've checked for various
   possibilities of VPNs and proxies and such, and it's pretty clear
 that
   the Goog's geolocation for addresses around 99.106.185.0/24 is
 screwed
   up.  Bing and other services correctly find him in Alabama.
  
   Poking around I see lots of advice about how to use Google's
   geolocation data, but nothing on how to update it.  Anyone
   know the secret?  TIA
  
   Regards,
   John Levine, jo...@iecc.com, Primary Perpetrator of The Internet
 for
   Dummies,
   Please consider the environment before reading this e-mail.
   http://jl.ly
  
  
  
 
 



Re: Comodo

2015-03-20 Thread Blair Trosper
Seconded.  They were blocked two weeks ago on my many numbers after I filed
a complaint with the FTC here in the US...quite a fall from grace indeed.

On Thu, Mar 19, 2015 at 4:02 PM, Lyle Giese l...@lcrcomputer.net wrote:

 This is a one off message and I will not reply to any public posts. But
 it's gotten to the point that I am quite angry by the underhanded sales
 tactics by a company that I once considered reputable.

 I have available discounted SSL certificates via a small reseller account
 with SRSPlus.  I get a very good price via this service on Thawte's ssl
 certs.

 Comodo sales droids are now calling my customers to offer them discounted
 SSL certificate renewals.  However they are quoting them retail prices.  I
 am paying well under posted retail prices and generally sell them to my
 customers at about 50% of what Comodo is claiming to be a discounted price.

 Comodo is cold calling business owners that have no idea what a SSL cert
 is for a website and trying to sell them something they know nothing
 about.  My customers contact me for their website needs and I take it from
 there.  I bill them after I pay for the cert via my resellers discount
 program.

 Enough.  Just fair warning to rest of this list about this practice from
 Comodo.  End of subject from me.

 Lyle Giese
 LCR Computer Services, Inc.



Re: Level 3 problems in Miami?

2015-02-26 Thread Blair Trosper
It's also failing in reverse from the Level 3 LG...doing a traceroute from
Miami to myself, this is the result:

  1  ae-1-51.edge4.Miami1.Level3.net (4.69.138.76)0.591 ms  7.49 ms  0.540 ms
  2  TWC-level3-40G.Miami.Level3.net (4.68.62.182)0.668 ms  0.680 ms  15.2 ms
  3  0.0.0.0  * * *
  4  0.0.0.0  * * *
  5  0.0.0.0  * * *

Looks like it can't get any further than the interconnect router between
Level 3 and TWC...can someone from Level 3 reach out or look into this
please?

On Thu, Feb 26, 2015 at 8:34 AM, Blair Trosper blair.tros...@gmail.com
wrote:

 Also seeing it after this one:
 po5.ar1.mia2.gblx.net (67.16.148.102)

 On Thu, Feb 26, 2015 at 8:32 AM, Blair Trosper blair.tros...@gmail.com
 wrote:

 Anyone else having massive trouble getting to endpoints beyond core
 routers in Miami on Level 3?

 I'm cut off (packets die) from Miami and Tampa after this specific router:

 po4-20g.ar1.mia2.gblx.net (67.16.134.218)

 If anyone from Level 3 could reach out, or if anyone knows what's going
 on and can say, I'd appreciate it.

 Thanks,
 Blair





Re: Level 3 problems in Miami?

2015-02-26 Thread Blair Trosper
Level 3 confirms, ticket is open.

On Thu, Feb 26, 2015 at 8:59 AM, Blair Trosper blair.tros...@gmail.com
wrote:

 It's also failing in reverse from the Level 3 LG...doing a traceroute from
 Miami to myself, this is the result:

   1  ae-1-51.edge4.Miami1.Level3.net (4.69.138.76)0.591 ms  7.49 ms  0.540 ms
   2  TWC-level3-40G.Miami.Level3.net (4.68.62.182)0.668 ms  0.680 ms  15.2 ms
   3  0.0.0.0  * * *
   4  0.0.0.0  * * *
   5  0.0.0.0  * * *

 Looks like it can't get any further than the interconnect router between
 Level 3 and TWC...can someone from Level 3 reach out or look into this
 please?

 On Thu, Feb 26, 2015 at 8:34 AM, Blair Trosper blair.tros...@gmail.com
 wrote:

 Also seeing it after this one:
 po5.ar1.mia2.gblx.net (67.16.148.102)

 On Thu, Feb 26, 2015 at 8:32 AM, Blair Trosper blair.tros...@gmail.com
 wrote:

 Anyone else having massive trouble getting to endpoints beyond core
 routers in Miami on Level 3?

 I'm cut off (packets die) from Miami and Tampa after this specific
 router:

 po4-20g.ar1.mia2.gblx.net (67.16.134.218)

 If anyone from Level 3 could reach out, or if anyone knows what's going
 on and can say, I'd appreciate it.

 Thanks,
 Blair






Level 3 problems in Miami?

2015-02-26 Thread Blair Trosper
Anyone else having massive trouble getting to endpoints beyond core routers
in Miami on Level 3?

I'm cut off (packets die) from Miami and Tampa after this specific router:

po4-20g.ar1.mia2.gblx.net (67.16.134.218)

If anyone from Level 3 could reach out, or if anyone knows what's going on
and can say, I'd appreciate it.

Thanks,
Blair


Re: Level 3 problems in Miami?

2015-02-26 Thread Blair Trosper
Also seeing it after this one:
po5.ar1.mia2.gblx.net (67.16.148.102)

On Thu, Feb 26, 2015 at 8:32 AM, Blair Trosper blair.tros...@gmail.com
wrote:

 Anyone else having massive trouble getting to endpoints beyond core
 routers in Miami on Level 3?

 I'm cut off (packets die) from Miami and Tampa after this specific router:

 po4-20g.ar1.mia2.gblx.net (67.16.134.218)

 If anyone from Level 3 could reach out, or if anyone knows what's going on
 and can say, I'd appreciate it.

 Thanks,
 Blair



Re: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment

2015-02-24 Thread Blair Trosper
That's sort of what I meant to say.  I did not articulate it well.

The problem *with* AWS is that in VPC (or different regions), the internal
network space is unique to each region.  So, in theory, I could get
10.1.2.3 in two regions on two instances.  In VPC, you can also designate
your own subnets, which makes things a little more tough a la
interconnecting the disparate regions.

But, as you say, IPv6 would be an elegant solution to that problem...and
that's what I meant to articulate.  IPv6 as a region unification tool as
well as an Internet-facing protocol.

On Tue, Feb 24, 2015 at 12:27 PM, Luan Nguyen lngu...@opsource.net wrote:

 Shouldn't it be the other way around? Ipv6 as the unique universal
 external network and you can define your own IPv4 within your cloud context
 separate from the cloud provider network and from other customers. So if
 you have contexts in different region - you can interconnect using layer 3
 or layer 2 - through the cloud provider network...bring your own IPv4. If
 you need internet access, you'll get NATted. If you need connections to
 your branches/HQs...etc, build your own tunnel or use the cloud provider -
 which by the way gives you your own vrf so no need to worry about
 overlapping anything.
 No one heard of Dimension Data Cloud? :)

 On Tue, Feb 24, 2015 at 1:10 PM, Blair Trosper blair.tros...@gmail.com
 wrote:

 ADDENDUM:  They're taking into consideration my suggestion of using IPv6 as
 a universal internal network so that the different regions could be
 interconnected without having to give up the region-independent use of
 10.0.0.0/8, which I think would be an elegant solution.

 On Tue, Feb 24, 2015 at 12:08 PM, Blair Trosper blair.tros...@gmail.com
 wrote:

  I have an unimpeachable source at AWS that assures me they're working hard
  to deploy IPv6.  As it was explained to me, since AWS was sort of first to
  the table -- well before IPv6 popped, they had designed everything on the
  v4 only.  Granted, you can get an IPv6 ELB, but only in EC2 classic, which
  they're phasing out.
 
  But I'm assured they're rushing IPv6 deployment of CloudFront and other
  services as fast as they can.  I'm assured of this.
 
  But you also have to appreciate the hassle of retrofitting a cloud
  platform of that scale, so I do not envy the task that AWS is undertaking.
 
  On Tue, Feb 24, 2015 at 11:35 AM, Owen DeLong o...@delong.com wrote:
 
  Amazon is not the only public cloud.
 
  There are several public clouds that can support IPv6 directly.
 
  I have done some work for and believe these guys do a good job:
 
  Host Virtual (vr.org)
 
  In no particular order and I have no relationship with or loyalty or
  benefit associated with any of them. I neither endorse, nor decry any of
  the following:
 
  Linode
  SoftLayer
  RackSpace
 
  There are others that I am not recalling off the top of my head.
 
  Owen
 
   On Feb 23, 2015, at 07:52 , Ca By cb.li...@gmail.com wrote:
  
   On Mon, Feb 23, 2015 at 7:02 AM, Eric Germann ekgerm...@cctec.com
  wrote:
  
   Currently engaged on a project where they’re building out a VPC
   infrastructure for hosted applications.
  
   Users access apps in the VPC, not the other direction.
  
   The issue I'm trying to get around is the customers who need to connect
   have multiple overlapping RFC1918 space (including overlapping what was
   proposed for the VPC networks).  Finding a hole that is big enough and not
   in use by someone else is nearly impossible AND the customers could go
   through mergers which make them renumber even more in to overlapping 1918
   space.
  
   Initially, I was looking at doing something like (example IP’s):
  
  
   Customer A (172.28.0.0/24)  — NAT to 100.127.0.0/28 —— VPN to DC —— NAT from 100.64.0.0/18 ——  VPC Space (was 172.28.0.0/24)
  
   Classic overlapping subnets on both ends with allocations out of
   100.64.0.0/10 to NAT in both directions.  Each sees the other end in
   100.64 space, but the mappings can get tricky and hard to keep track of
   (especially if you’re not a network engineer).
  
  
   In spitballing, the boat hasn’t sailed too far to say “Why not use
   100.64/10 in the VPC?”
  
   Then, the customer would be allocated a /28 or larger (depending on needs)
   to NAT on their side and NAT it once.  After that, no more NAT for the VPC
   and it boils down to firewall rules.  Their device needs to NAT outbound
   before it fires it down the tunnel which pfSense and ASA’s appear to be
   able to do.
  
   I prototyped this up over the weekend with multiple VPC’s in multiple
   regions and it “appears” to work fine.
  
   From the operator community, what are the downsides?
  
   Customers are businesses on dedicated business services vs. consumer cable
   modems (although there are a few on business class cable).  Others are on
   MPLS and I’m hashing that out.
  
   The only one I can see is if the customer has a service
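
The addressing check behind Eric Germann's question in this thread (give each customer a /28 out of 100.64.0.0/10 to NAT into, then watch for customers whose provider already numbers their external interface from that space), as an added example that is not part of any message in the thread. The NAT pool 100.127.0.0/16, the branch names and the WAN addresses are constructed sample values, and the customer edge routing table is modelled here only to show where longest-prefix match sends VPC-bound traffic.

```python
import ipaddress as ip

# Only 100.64.0.0/10, 100.64.0.0/18 and the /28 per-customer size appear in
# the thread; the pool and the customers below are constructed sample values.
SHARED = ip.ip_network("100.64.0.0/10")      # RFC 6598 shared address space
VPC_NET = ip.ip_network("100.64.0.0/18")     # assumed VPC range
NAT_POOL = ip.ip_network("100.127.0.0/16")   # assumed pool for customer /28s

CUSTOMERS = {                                # name -> WAN interface (constructed)
    "branch-1": "100.127.0.6/29",            # ISP CGN range inside our NAT pool
    "branch-2": "198.51.100.10/30",          # ordinary public WAN address
    "branch-3": "100.64.12.34/22",           # ISP CGN range inside the VPC range
}


def allocate_nat_blocks(customers, pool=NAT_POOL, prefixlen=28):
    """Give each customer the first free /28 that does not overlap its WAN subnet."""
    free = list(pool.subnets(new_prefix=prefixlen))
    plan = {}
    for name, wan in customers.items():
        wan_net = ip.ip_interface(wan).network
        block = next(b for b in free if not b.overlaps(wan_net))
        free.remove(block)
        plan[name] = block
    return plan


def customer_routes(wan):
    """Routing table of the customer edge device in this design."""
    return [
        (ip.ip_network("0.0.0.0/0"), "wan"),       # default route to the ISP
        (ip.ip_interface(wan).network, "wan"),     # connected WAN subnet
        (VPC_NET, "tunnel"),                       # VPC range via the VPN
    ]


def lookup(routes, dst):
    """Longest-prefix match: next hop of the most specific covering route."""
    dst = ip.ip_address(dst)
    matches = [(net, hop) for net, hop in routes if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def audit(wan, nat_block):
    """Return the addressing conflicts for one customer as a list of strings."""
    findings = []
    iface = ip.ip_interface(wan)
    wan_net = iface.network
    if iface.ip in SHARED:
        findings.append(f"WAN address {iface.ip} is in {SHARED} (ISP uses CGN space)")
    if wan_net.overlaps(nat_block):
        findings.append(f"WAN subnet {wan_net} overlaps NAT block {nat_block}")
    if wan_net.overlaps(VPC_NET):
        # Two CIDR blocks that overlap are nested, so the overlap is the longer one.
        overlap = max(wan_net, VPC_NET, key=lambda n: n.prefixlen)
        probe = overlap.network_address + 1
        hop = lookup(customer_routes(wan), probe)
        findings.append(
            f"{overlap} is in both the WAN subnet and the VPC range; "
            f"{probe} leaves via {hop}"
        )
    return findings


if __name__ == "__main__":
    plan = allocate_nat_blocks(CUSTOMERS)
    for name, wan in CUSTOMERS.items():
        print(name, wan, "->", plan[name])
        for finding in audit(wan, plan[name]) or ["no conflicts"]:
            print("   ", finding)
```

For branch-3 the connected /22 is more specific than the /18 tunnel route, so VPC hosts inside that /22 are unreachable through the tunnel until the VPC range or the tunnel routes are adjusted.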

Re: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment

2015-02-24 Thread Blair Trosper
ADDENDUM:  They're taking into consideration my suggestion of using IPv6 as
a universal internal network so that the different regions could be
interconnected without having to give up the region-independent use of
10.0.0.0/8, which I think would be an elegant solution.

On Tue, Feb 24, 2015 at 12:08 PM, Blair Trosper blair.tros...@gmail.com
wrote:

 I have an unimpeachable source at AWS that assures me they're working hard
 to deploy IPv6.  As it was explained to me, since AWS was sort of first to
 the table -- well before IPv6 popped, they had designed everything on the
 v4 only.  Granted, you can get an IPv6 ELB, but only in EC2 classic, which
 they're phasing out.

 But I'm assured they're rushing IPv6 deployment of CloudFront and other
 services as fast as they can.  I'm assured of this.

 But you also have to appreciate the hassle of retrofitting a cloud
 platform of that scale, so I do not envy the task that AWS is undertaking.

 On Tue, Feb 24, 2015 at 11:35 AM, Owen DeLong o...@delong.com wrote:

 Amazon is not the only public cloud.

 There are several public clouds that can support IPv6 directly.

 I have done some work for and believe these guys do a good job:

 Host Virtual (vr.org)

 In no particular order and I have no relationship with or loyalty or
 benefit associated with any of them. I neither endorse, nor decry any of
 the following:

 Linode
 SoftLayer
 RackSpace

 There are others that I am not recalling off the top of my head.

 Owen

  On Feb 23, 2015, at 07:52 , Ca By cb.li...@gmail.com wrote:
 
  On Mon, Feb 23, 2015 at 7:02 AM, Eric Germann ekgerm...@cctec.com
 wrote:
 
  Currently engaged on a project where they’re building out a VPC
  infrastructure for hosted applications.
 
  Users access apps in the VPC, not the other direction.
 
  The issue I'm trying to get around is the customers who need to connect
  have multiple overlapping RFC1918 space (including overlapping what was
  proposed for the VPC networks).  Finding a hole that is big enough and not
  in use by someone else is nearly impossible AND the customers could go
  through mergers which make them renumber even more in to overlapping 1918
  space.
 
  Initially, I was looking at doing something like (example IP’s):
 
 
  Customer A (172.28.0.0/24)  — NAT to 100.127.0.0/28 —— VPN to DC
 ——
  NAT from 100.64.0.0/18 ——  VPC Space (was 172.28.0.0/24)
 
  Classic overlapping subnets on both ends with allocations out of
  100.64.0.0/10 to NAT in both directions.  Each sees the other end in
  100.64 space, but the mappings can get tricky and hard to keep track of
  (especially if you’re not a network engineer).
 
 
  In spitballing, the boat hasn’t sailed too far to say “Why not use
  100.64/10 in the VPC?”
 
  Then, the customer would be allocated a /28 or larger (depending on
 needs)
  to NAT on their side and NAT it once.  After that, no more NAT for the
 VPC
  and it boils down to firewall rules.  Their device needs to NAT
 outbound
  before it fires it down the tunnel which pfSense and ASA’s appear to be
  able to do.
 
  I prototyped this up over the weekend with multiple VPC’s in multiple
  regions and it “appears” to work fine.
 
  From the operator community, what are the downsides?
 
  Customers are businesses on dedicated business services vs. consumer
 cable
  modems (although there are a few on business class cable).  Others are
 on
  MPLS and I’m hashing that out.
 
  The only one I can see is if the customer has a service provider with
  their external interface in 100.64 space.  However, this approach would
  have a more specific in that space so it should fire it down the
 tunnel for
  their allocated customer block (/28) vs. their external side.
 
  Thoughts and thanks in advance.
 
  Eric
 
 
  Wouldn't it be nice if Amazon supported IPv6 in VPC?
 
  I have disqualified several projects from using the public cloud and
 put
  them in the on-premise private cloud  because Amazon is missing this
 key
  scaling feature -- ipv6.   It is odd that Amazon, a company with scale
  deeply in its DNA, fails so hard on IPv6.  I guess they have a lot of
  brittle technical debt they can't upgrade.
 
  I suggest you go with private cloud if possible.
 
  Or, you can double NAT non-unique IPv4 space.
 
  Regarding 100.64.0.0/10, despite what the RFCs may say, this space is
 just
  an augment of RFC1918 and i have already deployed it as such.
 
  CB





Re: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment

2015-02-24 Thread Blair Trosper
I have an unimpeachable source at AWS that assures me they're working hard
to deploy IPv6.  As it was explained to me, since AWS was sort of first to
the table -- well before IPv6 popped, they had designed everything on the
v4 only.  Granted, you can get an IPv6 ELB, but only in EC2 classic, which
they're phasing out.

But I'm assured they're rushing IPv6 deployment of CloudFront and other
services as fast as they can.  I'm assured of this.

But you also have to appreciate the hassle of retrofitting a cloud platform
of that scale, so I do not envy the task that AWS is undertaking.

On Tue, Feb 24, 2015 at 11:35 AM, Owen DeLong o...@delong.com wrote:

 Amazon is not the only public cloud.

 There are several public clouds that can support IPv6 directly.

 I have done some work for and believe these guys do a good job:

 Host Virtual (vr.org http://vr.org/)

 In no particular order and I have no relationship with or loyalty or
 benefit associated with any of them. I neither endorse, nor decry any of
 the following:

 Linode
 SoftLayer
 RackSpace

 There are others that I am not recalling off the top of my head.

 Owen

  On Feb 23, 2015, at 07:52 , Ca By cb.li...@gmail.com wrote:
 
  On Mon, Feb 23, 2015 at 7:02 AM, Eric Germann ekgerm...@cctec.com
 wrote:
 
  Currently engaged on a project where they’re building out a VPC
  infrastructure for hosted applications.
 
  Users access apps in the VPC, not the other direction.
 
  The issue I'm trying to get around is the customers who need to connect
  have multiple overlapping RFC1918 space (including overlapping what was
  proposed for the VPC networks).  Finding a hole that is big enough and
 not
  in use by someone else is nearly impossible AND the customers could go
  through mergers which make them renumber even more in to overlapping
 1918
  space.
 
  Initially, I was looking at doing something like (example IP’s):
 
 
  Customer A (172.28.0.0/24)  — NAT to 100.127.0.0/28 —— VPN to DC
 ——
  NAT from 100.64.0.0/18 ——  VPC Space (was 172.28.0.0/24)
 
  Classic overlapping subnets on both ends with allocations out of
  100.64.0.0/10 to NAT in both directions.  Each sees the other end in
  100.64 space, but the mappings can get tricky and hard to keep track of
  (especially if you’re not a network engineer).
 
 
  In spitballing, the boat hasn’t sailed too far to say “Why not use
  100.64/10 in the VPC?”
 
  Then, the customer would be allocated a /28 or larger (depending on
 needs)
  to NAT on their side and NAT it once.  After that, no more NAT for the
 VPC
  and it boils down to firewall rules.  Their device needs to NAT outbound
  before it fires it down the tunnel which pfSense and ASA’s appear to be
  able to do.
 
  I prototyped this up over the weekend with multiple VPC’s in multiple
  regions and it “appears” to work fine.
 
  From the operator community, what are the downsides?
 
  Customers are businesses on dedicated business services vs. consumer
 cable
  modems (although there are a few on business class cable).  Others are
 on
  MPLS and I’m hashing that out.
 
  The only one I can see is if the customer has a service provider with
  their external interface in 100.64 space.  However, this approach would
  have a more specific in that space so it should fire it down the tunnel
 for
  their allocated customer block (/28) vs. their external side.
 
  Thoughts and thanks in advance.
 
  Eric
 
 
  Wouldn't it be nice if Amazon supported IPv6 in VPC?
 
  I have disqualified several projects from using the public cloud and
 put
  them in the on-premise private cloud  because Amazon is missing this
 key
  scaling feature -- ipv6.   It is odd that Amazon, a company with scale
  deeply in its DNA, fails so hard on IPv6.  I guess they have a lot of
  brittle technical debt they can't upgrade.
 
  I suggest you go with private cloud if possible.
 
  Or, you can double NAT non-unique IPv4 space.
 
  Regarding 100.64.0.0/10, despite what the RFCs may say, this space is
 just
  an augment of RFC1918 and i have already deployed it as such.
 
  CB




Re: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC deployment

2015-02-23 Thread Blair Trosper
Might be ill-advised since AWS uses it themselves for their internal
networking.  Just traceroute to any API endpoint from an EC2/VPC resource
or instance.  :)

On Mon, Feb 23, 2015 at 2:43 PM, Måns Nilsson mansa...@besserwisser.org
wrote:

 Subject: Wisdom of using 100.64/10 (RFC6598) space in an Amazon VPC
 deployment Date: Mon, Feb 23, 2015 at 10:02:44AM -0500 Quoting Eric Germann
 (ekgerm...@cctec.com):
  Currently engaged on a project where they’re building out a VPC
 infrastructure for hosted applications.

 snip

  Thoughts and thanks in advance.

 using the wasted /10 for this is pretty much equal to using RFC1918 space.

 IPv6 was invented to do this right.

 --
 Måns Nilsson primary/secondary/besserwisser/machina
 MN-1334-RIPE +46 705 989668
 It's NO USE ... I've gone to CLUB MED!!
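
Added example, not part of any message in this thread: a Python sketch of the plan Eric Germann describes (VPC numbered in 100.64.0.0/18, one /28 per customer for source NAT), with the longest-prefix-match check behind his "more specific" remark about customers whose ISP link is itself in 100.64/10. The 100.127.0.0/16 customer pool, the WAN subnets and the gateway addresses are constructed for illustration.

```python
import ipaddress

# From the thread's example: the VPC is numbered out of 100.64.0.0/18.
VPC = ipaddress.ip_network("100.64.0.0/18")
# Assumption: customer NAT blocks come from this sub-pool; the thread's example
# block 100.127.0.0/28 is the first /28 inside it.
CUSTOMER_POOL = ipaddress.ip_network("100.127.0.0/16")


def allocate_nat_blocks(customers, pool=CUSTOMER_POOL, reserved=(VPC,), prefixlen=28):
    """Give each customer the next free /prefixlen in pool, skipping reserved space."""
    reserved = [ipaddress.ip_network(r) for r in reserved]
    free = pool.subnets(new_prefix=prefixlen)  # generator shared by all customers
    blocks = {}
    for name in customers:
        for block in free:
            if not any(block.overlaps(r) for r in reserved):
                blocks[name] = block
                break
        else:
            raise ValueError(f"{pool} exhausted before {name} got a block")
    return blocks


def edge_routes(wan_subnet, tunnel_prefixes):
    """Routing table of one customer edge device as (network, next_hop) pairs."""
    routes = [
        (ipaddress.ip_network("0.0.0.0/0"), "wan"),   # default route via the ISP
        (ipaddress.ip_network(wan_subnet), "wan"),    # connected WAN subnet
    ]
    routes += [(ipaddress.ip_network(p), "tunnel") for p in tunnel_prefixes]
    return routes


def lookup(routes, dst):
    """Longest-prefix match; the default route guarantees at least one hit."""
    addr = ipaddress.ip_address(dst)
    return max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)


def audit(wan_subnet, wan_gateway, tunnel_prefixes):
    """List the ways a WAN link numbered in 100.64/10 collides with the tunnel routes."""
    routes = edge_routes(wan_subnet, tunnel_prefixes)
    wan = ipaddress.ip_network(wan_subnet)
    problems = []
    # The tunnel route is more specific than the WAN subnet and covers the ISP gateway.
    if lookup(routes, wan_gateway)[1] != "wan":
        problems.append(f"ISP gateway {wan_gateway} is routed into the tunnel")
    # The connected WAN subnet is at least as specific as a tunnel prefix it sits
    # inside, so VPC hosts with those addresses are sent out the WAN side instead.
    for prefix in (ipaddress.ip_network(p) for p in tunnel_prefixes):
        if wan.subnet_of(prefix):
            problems.append(f"VPC addresses in {wan} are shadowed by the WAN route")
    return problems


if __name__ == "__main__":
    print(allocate_nat_blocks(["customer-a", "customer-b"]))
    # Constructed WAN links: (subnet handed out by the ISP, ISP gateway address).
    for wan, gw in [("100.80.4.0/22", "100.80.4.1"),
                    ("100.64.0.0/16", "100.64.0.1"),
                    ("100.64.12.0/24", "100.64.12.1")]:
        print(wan, audit(wan, gw, [str(VPC)]) or "no conflict")
```

The first WAN link is clean, the second sends the ISP gateway into the tunnel, and the third hides part of the VPC behind the connected route.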



Re: Level 3 issues in Miami/West Palm Beach

2015-01-13 Thread Blair Trosper
In this case, it appeared to be a customer's edge router, not a
core/backbone router...although those did seem to have rather high latency
(400ms and higher in some cases) and high packet loss (about 18-20%).

On Tue, Jan 13, 2015 at 7:54 PM, Stephen Satchell l...@satchell.net wrote:

 On 01/13/2015 03:18 PM, valdis.kletni...@vt.edu wrote:
  On Tue, 13 Jan 2015 16:52:49 -0600, Blair Trosper said:
  All packets traveling through customer edges and routers in
 Miami/Daytona
  seem to be incurring *extraordinary* latency (4+ seconds) all of a
 sudden.
 
  I'm impressed that the routers have sufficient buffer memory to do that.
 

 That is what buffer bloat is all about -- too much queue and too little
 circuit.



Level 3 issues in Miami/West Palm Beach

2015-01-13 Thread Blair Trosper
All packets traveling through customer edges and routers in Miami/Daytona
seem to be incurring *extraordinary* latency (4+ seconds) all of a sudden.

Can someone contact me off list so I can throw you some traceroutes?


AWS Contact

2014-10-30 Thread Blair Trosper
Could someone from AWS contact me off-list?


GApps admin = rogered

2014-10-09 Thread Blair Trosper
Just a heads up to our friends at Google Apps.

Despite the status page saying all is peachy:
http://www.google.com/appsstatus#hl=env=status

...the administration page for any Google Apps for domains is totally
rogered.  It's either an endless redirect loop or a deluge of errors.

I'd call for premium support, but I can't even see that.

Again, a friendly heads up and nudge that perhaps the status page should at
least be updated to reflect the fact that it's non-operational.


Re: [outages] GApps admin = rogered

2014-10-09 Thread Blair Trosper
Was not there at the time I sent the email.  I was thorough in checking.

100% sure.

On Thu, Oct 9, 2014 at 6:22 PM, Mitch Patterson mitpatter...@gmail.com
wrote:

 Shows an issue to me

 Time  Description
 10/9/14 7:11 PM
 We're investigating reports of an issue with Admin console. We will
 provide more information shortly.
 Users are seeing the Admin console refresh continuously on loading.

 On Thu, Oct 9, 2014 at 7:07 PM, Blair Trosper via Outages 
 outa...@outages.org wrote:

 Just a heads up to our friends at Google Apps.

 Despite the status page saying all is peachy:
 http://www.google.com/appsstatus#hl=env=status

 ...the administration page for any Google Apps for domains is totally
 rogered.  It's either an endless redirect loop or a deluge of errors.

 I'd call for premium support, but I can't even see that.

 Again, a friendly heads up and nudge that perhaps the status page should
 at least be updated to reflect the fact that it's non-operational.






YouTube CDN down?

2014-09-29 Thread Blair Trosper
Suddenly having an inability to play YouTube videos over IPv4 and IPv6 from
multiple ASNs in multiple locations in the United States.  Tried multiple
operating systems and browsers...all have the same issue.

(The very few that do play stall out, even though they're buffered.)

Is this just me, or is there an issue afoot?


Re: YouTube CDN down?

2014-09-29 Thread Blair Trosper
Watching in dev tools, the CDN is returning the dreaded HTTP header 204 (No
Content), even though the entire video is buffering.

This reminds me of an outage a while back that only affected IPv6.

I've confirmed with other users, and YouTube is dead to us from these
networks:
- AS22645 (Texas Gigapop) - v4/v6
- AS19108 (Suddenlink) - v4
- AS40285 (Northland Cable) - v4/v6
- AS40244 (TurnKey) - v4/v6

It does seem to be regional.  People in SC/NC who are presumably hitting
the Charleston DC are unaffected.

On Mon, Sep 29, 2014 at 4:16 PM, Brandon Martin lists.na...@monmotha.net
wrote:

 On 09/29/2014 05:12 PM, Blair Trosper wrote:

 Suddenly having an inability to play YouTube videos over IPv4 and IPv6
 from
 multiple ASNs in multiple locations in the United States.  Tried multiple
 operating systems and browsers...all have the same issue.

 (The very few that do play stall out, even though they're buffered.)

 Is this just me, or is there an issue afoot?


 Seems to be working here over a HE.net IPv6 tunnel (Chicago endpoint).

 --
 Brandon Martin



AWS Outage

2014-05-07 Thread Blair Trosper
Can someone from AWS contact me off-list?  You have an entire availability
zone completely offline at us-east-1 that hasn't been detected, and it's
been down for 20 minutes.


YouTube contact? (IPv6 streaming broken)

2014-05-01 Thread Blair Trosper
Can someone from YouTube/Google give me a shout off list?  The HTML5 player
is getting a 204 No Content error when it sends the stream request via
IPv6...but works fine on IPv4.

Confirmed from multiple locations in the US.


Re: YouTube contact? (IPv6 streaming broken)

2014-05-01 Thread Blair Trosper
Specifically:
- 2001:4860:400b:c01::64 returns a 204
- 2607:f8b0:4002:10::8 is about 50/50 between a 204 and 200


On Thu, May 1, 2014 at 3:55 PM, Blair Trosper blair.tros...@gmail.com wrote:

 Can someone from YouTube/Google give me a shout off list?  The HTML5
 player is getting a 204 No Content error when it sends the stream request
 via IPv6...but works fine on IPv4.

 Confirmed from multiple locations in the US.



Comcast transit problems?

2014-04-22 Thread Blair Trosper
I'm being inundated with reports from Comcast customers in various markets
about their inability to reach anything on AWS.  For example, we have a few
people in Atlanta that are all having this issue.

What's more, they're having weird issues reaching things like Twitter or
RingCentral (while other sites like Google and CNN work fine).

(RingCentral's support department apparently knows about this and is
telling their customers that use Comcast that they're aware of the issue
but don't know what's going on at the present time.)

Calls to the Comcast customer support just yield the everything's fine,
you're crazy response from the staff.

Can anyone from Comcast give me some help (or information) off list?

-bt


Re: Comcast transit problems?

2014-04-22 Thread Blair Trosper
At least it's not a Friday or a holiday.  :)


On Tue, Apr 22, 2014 at 9:19 AM, John Neiberger jneiber...@gmail.com wrote:

 Yep, that does seem to be the problem.

 John
 On Apr 22, 2014 8:17 AM, Joshua McDonald j...@2cold.net wrote:

 Not sure what the connectivity is between Comcast and AWS, but Level3
 is having issues in Atlanta.

 Sent from my iPhone

  On Apr 22, 2014, at 10:07, Blair Trosper blair.tros...@gmail.com
 wrote:
 
  I'm being inundated with reports from Comcast customers in various
 markets
  about their inability to reach anything on AWS.  For example, we have a
 few
  people in Atlanta that are all having this issue.
 
  What's more, they're having weird issues reaching things like Twitter or
  RingCentral (while other sites like Google and CNN work fine).
 
  (RingCentral's support department apparently knows about this and is
  telling their customers that use Comcast that they're aware of the issue
  but don't know what's going on at the present time.)
 
  Calls to the Comcast customer support just yield the everything's fine,
  you're crazy response from the staff.
 
  Can anyone from Comcast give me some help (or information) off list?
 
  -bt




Amazon network contact

2014-02-16 Thread Blair Trosper
Could someone from Amazon Web Services contact me off list?  You appear to
be having connectivity problems on the private network (10.0.0.0/8) at
US-EAST-1 between two or more zones, causing dozens of alarms and failures
over the last 2-3 hours...however, there is no notation on the status page
or any hint whatsoever of the problem.

(The alarms are coming from the instance checks on the instances...which is
the network...not the status checks...which would be the instance's health
inside the PVM virtualization.)


Re: gmail.com - 550 error for ipv6/PTR ?

2014-01-14 Thread Blair Trosper
FWIW I do know there was a MASSIVE failure last night around 0800 UTC with
Google's DNS system, and it caused their routing to not only go bat shit
insane, but also for the edge nodes that serve their content to return
largely 503 errors (service unavailable) for several hours.

It wasn't until a few hours ago that the BGP table stabilized.  It was a
horrific mess last night...not sure if perhaps there's still problems
unresolved from that same incident.


On Tue, Jan 14, 2014 at 7:51 PM, Ted Cooper
ml-nanog0903...@elcsplace.com wrote:

 On 15/01/14 10:06, Brandon Applegate wrote:
  Off-list replies are fine to minimize noise, and if there is an answer
  or any meaningful correlation I will reply on-list.  Thanks in advance
  for any info/feedback.

 I have been running into these a lot also and have so far concluded that
 it is an error within Google. The PTR/, SPF and DKIM are all matched
 up and tested as working. It is also occurring on domains using google apps
 to handle their email so it is platform wide. All of the emails are
 personal emails, but coming from multiple domains/senders.

 The exact same email will be rejected when sent to any google IPv6
 server for minutes/hours, but 3-4 hours later it will be accepted
 without error.

 The fact that it is being hard rejected is really quite annoying and
 generating a lot more support work.

 Unfortunately, my only fix at present is to turn off IPv6 delivery for
 all google hosted domains as I encounter them. It would be really nice
 if it was fixed.

 My theory is that they are failing PTR lookups.






Re: gmail.com - 550 error for ipv6/PTR ?

2014-01-14 Thread Blair Trosper
Possibly related, a lot of 503 errors are starting to show up in the
javascript served by Google inside Gmail...reminds me of the issue in the
early morning hours (US time)...very similar to what I'm starting to see on
the front end.  I've not had any IPv6 emails bounce, but I do have some
that are MIA from Google Apps.  They were sent from one GApps domain to
another, but they haven't materialized on the other end...but they also
haven't bounced back to me.

As a matter of curiosity, I also sent my personal Gmail account email over
v6, and it's doing the same thing...either it's delayed or it's going to
bounce.

The front-end of Gmail is starting to behave weirdly, as well, spitting out
bizarre errors like technical code:  undefined, and saying it wasn't able
to send a message, but the message going through.  There's a fair amount of
chatter about this on Twitter, so I know it's not just me.

It also thinks it's offline in one tab, when an account in another is
perfectly fine.  Maybe a DC somewhere is having trouble again?


On Tue, Jan 14, 2014 at 8:10 PM, Christopher Morrow morrowc.li...@gmail.com
 wrote:

 On Tue, Jan 14, 2014 at 8:51 PM, Ted Cooper
 ml-nanog0903...@elcsplace.com wrote:
  On 15/01/14 10:06, Brandon Applegate wrote:
  Off-list replies are fine to minimize noise, and if there is an answer
  or any meaningful correlation I will reply on-list.  Thanks in advance
  for any info/feedback.
 

 brandon, I didn't get your original... but could you ping me off-list
 and maybe I can get some data about what it is you're seeing? :)

  I have been running into these a lot also and have so far concluded that
  it is an error within Google. The PTR/, SPF and DKIM are all matched
  up and tested as working. It is also occurring on domains using google apps
  to handle their email so it is platform wide. All of the emails are
  personal emails, but coming from multiple domains/senders.
 
  The exact same email will be rejected when sent to any google IPv6
  server for minutes/hours, but 3-4 hours later it will be accepted
  without error.
 
  The fact that it is being hard rejected is really quite annoying and
  generating a lot more support work.
 
  Unfortunately, my only fix at present is to turn off IPv6 delivery for
  all google hosted domains as I encounter them. It would be really nice
  if it was fixed.
 
  My theory is that they are failing PTR lookups.
 
 
 




Google GCE

2014-01-13 Thread Blair Trosper
Can someone from GCE contact me off list?  Your service is a big pile of
503s from multiple locations and from multiple servers.

The console is inoperable and instances are unreachable.

I'm getting sent across the country to a VIP in LAX.  A friend in
California is getting a VIP in Hong Kong.

You're having issues but it doesn't seem to have been detected.


Amazon help

2014-01-07 Thread Blair Trosper
Can someone from AWS/Amazon netops contact me off-list for help with an issue?


Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Blair Trosper
I'm torn on this.  On one hand, it seems sinister.  On the other, it's not
only what the NSA is tasked with doing, but it's what you'd EXPECT them to
be doing in the role as the NSA.

I'm not saying it's right or wrong...it creeps me out a little,
though...but these are the kinds of things we have demanded that they do
(via our elected representatives).

More to the point, I really doubt the NSA has any interest whatsoever in my
Facebook or Twitter account.  It's probably a means to an end...a
transitory stop on their way to propagating more widely.  They need regular
folks to propagate, but in reality, they likely have zero interest in our
actual accounts at the end of the day.  I think of it a bit like a virus
with a slightly less hysterical outcome/plan.


On Mon, Dec 30, 2013 at 10:33 PM, Dobbins, Roland rdobb...@arbor.net wrote:


 On Dec 31, 2013, at 11:06 AM, [AP] NANOG na...@armoredpackets.com wrote:

  Then looking at things from the evil side though, if they owned the
 system which provides the signing then they could sign
  virtually anything they wish.

 Or if they owned *people* with the right level of access to do so, or if
 there were implementation bugs which could be utilized to bypass or obviate
 the signing . . .

 None of the alleged capabilities described in the purported documents is
 really standalone; they all rely upon other methods/mechanisms in order to
 provide the required foundation to accomplish their stated goals.

  I think we need to watch and listen/read over the coming weeks and
 months before we go assuming we have it figured out.

 This is the most pertinent and insightful comment made in this thread.

 ---
 Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com

   Luck is the residue of opportunity and design.

-- John Milton





Re: NSA able to compromise Cisco, Juniper, Huawei switches

2013-12-30 Thread Blair Trosper
To supplement and amend what I said:

These are the KINDS of things we want the NSA to do; however, the
institutional oversight necessary to make sure it's Constitutional,
warranted, and kept in bounds is woefully lacking (if any exists at all).
 Even FISA is unsatisfactory.

At any rate, I agree that the current disposition of the NSA (or, at least,
what's been leaking the last few months) is simply unacceptable and cannot
be allowed.  I say that last part from the perspective of a US citizen,
though I'd imagine most people of other nationalities would agree with me,
but probably for different reasons.


On Mon, Dec 30, 2013 at 11:08 PM, Jimmy Hess mysi...@gmail.com wrote:

 On Mon, Dec 30, 2013 at 10:41 PM, Blair Trosper 
 blair.tros...@gmail.com wrote:

 I'm torn on this.  On one hand, it seems sinister.  On the other, it's not
 only what the NSA is tasked with doing, but it's what you'd EXPECT them to
 be doing in the role as the NSA.

 [snip]

 The NSA's role is not supposed to include subterfuge and undermining the
 integrity or security of domestic enterprise infrastructure

 With any luck, we'll hopefully find absolutely nothing, or that it was
 targeted backdooring against specific targets only.

 And people have a need to know that the security agencies haven't left a
 trail of artificially inserted bugs and backdoors in common IT equipment
 providing critical infrastructures services,  and that the agencies haven't
 prepared a collection of instant-root 0days,  that are no more protected
 than the agencies' other poorly guarded secrets.

 There would be a risk that any 'backdoors' are ready to be exploited by
 other unintended nefarious actors!
 Because the NSA are apparently  great at prepping the flammables and
 setting fires,but  totally incapable of  keeping the fires contained,
 once they  (or someone else)  lights it.


 It is not the least bit necessary for the NSA itself to be a nefarious
 actor  exploiting things or even complicit;  for the mere presence of  any
 backdoor or surreptitious code to eventually have the potential for serious
 damage.

 It could well be a rogue ex-employee of the NSA, such as Snowden,  or
 others,  that happened to be aware of technical details, hackers, or
 members of a foreign nation state,  who will just happen to have the time
 and energy to track down open doors waiting for the taking,  AND  figure
 out how to abuse them  for evil purposes.


 There are enough potential 0day risks, without intentional ones,  waiting
 for bad guys to co-opt!

 --
 -JH



ipv6 and geolocation

2013-10-22 Thread Blair Trosper
Everyone loves IPv6, and it's a fantastic technology.  However, I've been
pondering a few quirks of v6, including the low priority of PTR, but I have
a question I want to throw out there:

Do you think IPv6 geolocation (GeoIP) will ever be viable?

If so, when do you think this will happen?  If not, what's the superseding
solution?  (The W3C location technology fails miserably for me 100% of the
time even on IPv4).

Two of the big four GeoIP providers don't even catalog IPv6, and the
other two's IPv6 database is unremarkable and usually only has the country.
 (Or, in my case, a block that's clearly in the United States is deemed as
simply (somewhere in) Asia.)

What I'm getting at is:  IPv6 geolocation is presently rather hopeless and
useless.

Eager to hear thoughts from my fellow network thinkers!

- Blair


Re: ipv6 and geolocation

2013-10-22 Thread Blair Trosper
I meant that PTR isn't a priority for ISPs.  A la Comcast's rollout of IPv6
lacks PTR, as does Google in general for v4 and v6 (even though they have
it internally).


On Tue, Oct 22, 2013 at 2:21 PM, Joe Abley jab...@hopcount.ca wrote:


 On 2013-10-22, at 15:16, Blair Trosper blair.tros...@gmail.com wrote:

  Everyone loves IPv6, and it's a fantastic technology.  However, I've been
  pondering a few quirks of v6, including the low priority of PTR,

 Not sure what that means, but...

  but I have a question I want to throw out there:
 
  Do you think IPv6 geolocation (GeoIP) will ever be viable?

 To me it seems like an easier problem to solve than IPv4. There's no
 historical assignment swamp. Subnets are of fixed size. Many/most
 organisations who receive a direct assignment will never need a second.

  If so, when do you think this will happen?

 As soon as enough people using geo-located services start doing so over v6.


 Joe




Re: comcast ipv6 PTR

2013-10-14 Thread Blair Trosper
That gets to the core of the original question.  I figured there must be a
reason for the conscious omission.  However, I've noticed also that Comcast
hasn't bothered to give PTR to their routers, either.

I think that's a horse of a different color.  Leaving out PTR on the last
hop for the residential customer?  Sure.

Leaving out v6 PTR on your core/backbone/edge routers?  Surely that's not
acceptable...


On Mon, Oct 14, 2013 at 9:47 PM, John Levine jo...@iecc.com wrote:

 Is there any reason other than email where clients might demand RDNS?

 There's a few other protocols that want rDNS on the servers.  IRC maybe.

 Doing rDNS on random hosts in IPv6 would be very hard.  Servers are
 configured with static addresses which you can put in the DNS and
 rDNS, but normal user machines do SLAAC where the low 64 bits of the
 address are quasi-random.  To get any sort of DNS you'd need for the
 routers to watch when new hosts come on line and somehow tell the
 relevant DNS servers what hosts need names.

 This would be a lot of work, so nobody does it.

 R's,
 John




google / massive problems

2013-10-09 Thread Blair Trosper
Can someone from Google Drive or Gmail contact me off-list?

The sign in services and applications are outright down trying to use them
in Chrome.  Trying to contact enterprise support via several numbers just
results in an immediate disconnect.

The App Status page shows no problem, but Twitter and Facebook are blowing
up with trouble reports, and I have tons of technical status codes to
share, but no one with whom to share them.

Thanks,
Blair


Re: google / massive problems

2013-10-09 Thread Blair Trosper
This is the delight I'm faced with, but seems to be affecting the latest
version of Chrome, both on Win7 and MacBook Pro (OS X 10.8.5)...again,
confined to Chrome (image attached).


Emails won't send, drafts won't save, and no apps will load without an
error.  Sign-in also fails with numeric code 5.

I'm in Dallas, but I've also tried over VPN from endpoints in Atlanta, New
York, Los Angeles, Seattle, Amsterdam, Singapore, and London with no change.


On Wed, Oct 9, 2013 at 11:25 AM, Jake Mertel j...@nobistech.net wrote:

 No issues from my site routing over AboveNet and using Google Apps for
 Business -- Drive and Gmail working as expected.


 On Wednesday, October 9, 2013, Blair Trosper wrote:

 Can someone from Google Drive or Gmail contact me off-list?

 The sign in services and applications are outright down trying to use them
 in Chrome.  Trying to contact enterprise support via several numbers just
 results in an immediate disconnect.

 The App Status page shows no problem, but Twitter and Facebook are blowing
 up with trouble reports, and I have tons of technical status codes to
 share, but no one with whom to share them.

 Thanks,
 Blair



 --


 --
 Regards,

 Jake Mertel
 Nobis Technology Group, LLC




 *Web: *http://www.nobistech.net
 *Phone: *1-480-212-1710
 *Mail:* 6930 East Chauncey Lane, Suite 150, Phoenix, AZ 85054




attachment: gdrive_chrome_win7.png

comcast ipv6 PTR

2013-10-09 Thread Blair Trosper
Does anyone know why (or can someone from Comcast explain why) there is no
PTR on their residential/business IPv6 addresses?


Re: comcast ipv6 PTR

2013-10-09 Thread Blair Trosper
That's essentially what I'm getting at.  If the v6 addresses/blocks are
allocated in a similar fashion to IPv4, where the octets are clearly named
by state and hsd1, then I don't see why they should lack PTR.

However, even if they're not assigned or delegated in that way, it'd be
helpful to have SOME form of PTR on there.

Otherwise, they'd be a lot like Google, leaving the traceroute and
end-point PTR left up to our imagination (even though it's available
internally to Google employees).  I understand why Google lacks PTR to some
extent with anycast and the mobility of their v4 addresses, but I suspect
that Comcast isn't doing anything that sophisticated.


On Wed, Oct 9, 2013 at 11:47 AM, Robert Webb rw...@ropeguru.com wrote:

 On Wed, 9 Oct 2013 11:41:50 -0500
  Chris Adams c...@cmadams.net wrote:

 Once upon a time, Blair Trosper blair.tros...@gmail.com said:

 Does anyone know why (or can someone from Comcast explain why) there is
 no
 PTR on their residential/business IPv6 addresses?


 I believe business customers (with a static assignment) can request
 reverse DNS entries.  Residential customers are not guaranteed a static
 assignment, so they can't get reverse set.

 --
 Chris Adams c...@cmadams.net


 But how would that differ from the IPv4 address space which has PTR
 records for all their IP's? Just the sheer number they would have to deal
 with in the IPv6 space?

 Robert




Re: comcast ipv6 PTR

2013-10-09 Thread Blair Trosper
True, but the location information, at least the state, is quasi-helpful.

You may be right about PTR being a mistake, but I guess my mind approaches
it from a practical, quasi-GeoIP approach.

IPv6 seems to be somewhat chaotic in that realm.  Plus, with web
applications and services, accurate GeoIP has implications for security.


On Wed, Oct 9, 2013 at 11:49 AM, Chris Adams c...@cmadams.net wrote:

 Once upon a time, Robert Webb rw...@ropeguru.com said:
  But how would that differ from the IPv4 address space which has PTR
  records for all their IP's? Just the sheer number they would have to
  deal with in the IPv6 space?

 Oh, are you looking for auto-generated reverse for every address?
 That's not going to happen for IPv6 (and it turns out that it wasn't
 really a good idea for IPv4).  There's no reason to have reverse DNS
 unless it has meaning, and 12-34-56-78.rev.domain.net isn't really all
 that useful.

 --
 Chris Adams c...@cmadams.net




Facebook over IPv6

2013-09-04 Thread Blair Trosper
Could someone @ Facebook kindly drop me a line?  Your site appears to be
riddled with problems on the IPv6 side (whereas it's demonstrably fine on
v4).

Much of the static JavaScript content being served off your IPv6 CDN is
corrupt, missing, or perhaps just outdated.  It's preventing the page from
doing anything but rendering...it has no interactivity.

It's been this way about 24 hours now.

Blair


google troubles?

2013-07-10 Thread Blair Trosper
Seeing lots of reports of people unable to get to many Google services.
 Seems to be affecting Comcast users disproportionately.  It's fine for me,
but a lot of my staff are basically out of luck...but according to the
Google Apps Status page, everything is fine.

It's anecdotal, but it would seem like there's an issue based on these
reports.

Oh, and this:
http://www.cnn.com/2013/07/10/tech/web/google-down/index.html

Anyone know what's up?  Fiber cut?  DC outages?

-- blair


google mail problems?

2013-06-26 Thread Blair Trosper
Our entire organization and three of my other accounts are getting this
pop-up when sending a message:

Oops... a server error occurred and your email was not sent. (#793)


But, as usual, everything is totally fine according to the GApps status
page:
http://www.google.com/appsstatus#hl=en&v=status&ts=1372272841152

-- 
Blair Trosper
Weather Data / Updraft Networks
blair.tros...@updraftnetworks.com blair.tros...@updraft.us
NOC:  512-666-0536


Google Public DNS Problems?

2013-05-01 Thread Blair Trosper
Is anyone else seeing this?  From Santa Clara, CA, on Comcast
Business...I'm getting SERVFAIL for any query I throw at 8.8.8.8 and
8.8.4.4...

Level 3's own public resolvers are fine for me, as are OpenDNS's resolvers.

Blair


Re: Google Public DNS Problems?

2013-05-01 Thread Blair Trosper
That's all well and good, but I certainly wouldn't expect nslookup
gmail.com or for nslookup google.com to return SERVFAIL


On Wed, May 1, 2013 at 9:34 AM, Joe Abley jab...@hopcount.ca wrote:


 On 2013-05-01, at 12:09, Blair Trosper blair.tros...@gmail.com wrote:

  Is anyone else seeing this?  From Santa Clara, CA, on Comcast
  Business...I'm getting SERVFAIL for any query I throw at 8.8.8.8 and
  8.8.4.4...
 
  Level 3's own public resolvers are fine for me, as are OpenDNS's
 resolvers.

 Google just turned on validation across the whole of 8.8.8.8 and 8.8.4.4.
 The expected behaviour in the case where a response does not validate is to
 return SERVFAIL to the client.

 You could check that the queries you are sending are not suffering from
 poor signing hygiene (e.g. use the handy-dandy dnsviz.net visualisation).

 If this is a repeatable, consistent problem even for unsigned zones (or
 for zones that you've verified are signed correctly) and especially if it's
 widespread you might want to call google on the nanog courtesy phone and
 have them look for collateral damage from their recent foray into 8.8.8.8
 validation.

 Raw output from dig/drill and traceroutes to 8.8.8.8/8.8.4.4 are highly
 recommended if you need to take this further.


 Joe


Re: Google Public DNS Problems?

2013-05-01 Thread Blair Trosper
Goes all the way up to the A root server before failing spectacularly.

Europa:~ blair$ dig +cd @8.8.8.8 google.com A

; <<>> DiG 9.8.3-P1 <<>> +cd @8.8.8.8 google.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47332
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;google.com. IN A

;; AUTHORITY SECTION:
. 467 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2013050100 1800
900 604800 86400

;; Query time: 46 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed May  1 10:05:46 2013
;; MSG SIZE  rcvd: 104


On Wed, May 1, 2013 at 9:58 AM, Casey Deccio ca...@deccio.net wrote:

 On Wed, May 1, 2013 at 9:38 AM, Blair Trosper blair.tros...@gmail.com
 wrote:
  That's all well and good, but I certainly wouldn't expect nslookup
  gmail.com or for nslookup google.com to return SERVFAIL
 

 If you set the CD (checking disabled) in the request, a response that
 would normally be SERVFAIL due to DNSSEC validation failure will
 return with the non-authenticated answer.  With dig the flag to add is
 +cd.  I don't know if there's an equivalent for nslookup.  For
 example:

 dig +cd @8.8.8.8 google.com

 Casey



Re: Google Public DNS Problems?

2013-05-01 Thread Blair Trosper
8.8.4.4 is now replying SERVFAIL whereas 8.8.8.8 is suddenly working fine
again...


On Wed, May 1, 2013 at 10:07 AM, Blair Trosper blair.tros...@gmail.com wrote:

 Goes all the way up to the A root server before failing spectacularly.

 Europa:~ blair$ dig +cd @8.8.8.8 google.com A

 ; <<>> DiG 9.8.3-P1 <<>> +cd @8.8.8.8 google.com A
 ; (1 server found)
 ;; global options: +cmd
 ;; Got answer:
 ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47332
 ;; flags: qr rd ra cd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

 ;; QUESTION SECTION:
 ;google.com. IN A

 ;; AUTHORITY SECTION:
 . 467 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2013050100 1800
 900 604800 86400

 ;; Query time: 46 msec
 ;; SERVER: 8.8.8.8#53(8.8.8.8)
 ;; WHEN: Wed May  1 10:05:46 2013
 ;; MSG SIZE  rcvd: 104


 On Wed, May 1, 2013 at 9:58 AM, Casey Deccio ca...@deccio.net wrote:

 On Wed, May 1, 2013 at 9:38 AM, Blair Trosper blair.tros...@gmail.com
 wrote:
  That's all well and good, but I certainly wouldn't expect nslookup
  gmail.com or for nslookup google.com to return SERVFAIL
 

 If you set the CD (checking disabled) in the request, a response that
 would normally be SERVFAIL due to DNSSEC validation failure will
 return with the non-authenticated answer.  With dig the flag to add is
 +cd.  I don't know if there's an equivalent for nslookup.  For
 example:

 dig +cd @8.8.8.8 google.com

 Casey





Re: Google Public DNS Problems?

2013-05-01 Thread Blair Trosper
Traceroute is getting the right place and 8.8.8.8 is working, though  :)


On Wed, May 1, 2013 at 11:23 AM, Jared Mauch ja...@puck.nether.net wrote:


 On May 1, 2013, at 1:39 PM, Tony Finch d...@dotat.at wrote:

  Blair Trosper blair.tros...@gmail.com wrote:
 
  Goes all the way up to the A root server before failing spectacularly.
 
  That is an extremely weird response. Are you sure your queries are not
  being intercepted by a middlebox? What happens if you use dig +vc ?
  Do you get a similar round-trip time when pinging 8.8.8.8 to the one
  reported by dig?

 Some places like Wayport/attwifi intercept all udp/53 traffic and direct
 it to their local server.  You won't notice this with a ping, but you will
 see it in the 0 or 1ms reply :)

 - Jared
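
The triage discussed in this thread (SERVFAIL from a validating resolver, retried with the CD bit as with dig +cd) can be sketched as follows. This is an added example, not code from any poster; the function names, the result labels and the sample headers are assumptions, with CD_REPLY built from the header fields in the dig output quoted above.

```python
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}
QR, RD, RA, CD = 0x8000, 0x0100, 0x0080, 0x0010  # header flag bits (RFC 1035, RFC 4035)

def build_query(name, qtype=1, cd=False, txid=0x1234):
    """Wire-format query with RD set; cd=True sets Checking Disabled, as dig +cd does."""
    header = struct.pack("!HHHHHH", txid, RD | (CD if cd else 0), 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN

def parse_header(msg):
    """Decode the 12-byte header into the fields dig prints on its HEADER and flags lines."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": txid, "qr": bool(flags & QR), "ra": bool(flags & RA),
            "cd": bool(flags & CD), "rcode": RCODES.get(rcode, str(rcode)),
            "answer": an, "authority": ns}

def triage(plain, with_cd):
    """Compare replies to the same question sent without and with the CD bit."""
    if plain["rcode"] != "SERVFAIL":
        return "no-failure"
    if not with_cd["cd"]:
        # RFC 4035 requires the server to copy CD from query to response.
        return "cd-not-echoed"
    if with_cd["rcode"] == "SERVFAIL":
        return "not-validation"     # fails even unvalidated: look at resolver or path
    return "validation-failure"     # answers only when validation is skipped

# Constructed sample headers. CD_REPLY mirrors the dig output in the thread
# (id 47332, flags qr rd ra cd, SERVFAIL, ANSWER 0, AUTHORITY 1); the others are made up.
PLAIN_REPLY = struct.pack("!HHHHHH", 47331, QR | RD | RA | 2, 1, 0, 0, 0)
CD_REPLY = struct.pack("!HHHHHH", 47332, QR | RD | RA | CD | 2, 1, 0, 1, 0)
CD_REPLY_OK = struct.pack("!HHHHHH", 47333, QR | RD | RA | CD | 0, 1, 1, 0, 0)

if __name__ == "__main__":
    print(build_query("google.com", cd=True).hex())
    print(triage(parse_header(PLAIN_REPLY), parse_header(CD_REPLY)))
```

A "not-validation" result matches the dig +cd output in the thread: the query still fails with checking disabled, so signing hygiene of the zone is not the explanation.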


Google public DNS flapping/non-functional

2013-03-28 Thread Blair Trosper
Could someone from Google contact me off list to discuss the public
resolvers?

I'm getting NXDOMAIN and then a proper response literally one second later.
 And from there it's just 20 GOTO 10...the resolver seems to be having a
psychotic episode, or...at the very least...an identity crisis.

Other public resolver services have no issue with this, but the problem
seems to be affected by anything I throw at either 8.8.8.8 or 8.8.4.4 to
resolve.

(The IPv6 public resolvers are doing the same thing, I should point out.)

I understand that those ingress addresses are any/multicast, so perhaps the
problem I'm having is confined to a single datacenter in my region...and
thus may not be affecting people outside of that DC.

Thanks,
Blair


Google Public DNS having issues.

2013-02-07 Thread Blair Trosper
...seems to be having trouble as reported by Systems Watch:
https://twitter.com/systemswatch/status/299572918936039424

Indeed, it's inaccessible to me from Minneapolis, Tampa, SJC, and
Seattle...both 8.8.8.8 and 8.8.4.4.

I know it's anycast, so I'm not sure which DCs are affected...

Blair



Comcast Business / Miami, FL

2013-01-07 Thread Blair Trosper
Can someone from Comcast contact me off list to help diagnose a business
class issue to do with the Comcast AS and peering to cloud services and
outrageously high latency confined to a few adjacent ASes?


Re: Cogent outage?

2012-12-06 Thread Blair Trosper
We've seen BGP resets on our servers in Tampa...with Cogent no longer being
the preferred route for outgoing traffic.  The preferred path from our DC
is now through Hurricane (AS6939).

Blair Trosper
Updraft Networks  LEARN (North Texas GigaPOP)

On Thu, Dec 6, 2012 at 3:09 PM, Michael Bubb michael.b...@gmail.com wrote:

 We got a notice from Internap a few hours ago:


 At approximately 12:10 EST Internap shut down the BGP session with Cogent
 as we were widespread packet loss issues through their network out of our
 New York (NYM) PNAP.

 We are contacting Cogent to see if they are aware of what the issue is. 


 They have not as yet updated this

 yrs

 Michael

 --
 Michael Bubb   +1.646.783.8769
 https://www.google.com/profiles/michael.bubb

 The first principle is that you must not fool yourself--and you are the
 easiest person to fool. - Richard Feynman

 All things are a flowing,
 Sage Heraclitus says;
 But a tawdry cheapness
 Shall reign throughout our days. - Pound



Re: Big day for IPv6 - 1% native penetration

2012-11-20 Thread Blair Trosper
I've found myself becoming a snob about IPv6.  I almost look down on
IPv4-only networks in the same way that I won't go see a film that isn't
projected on DLP unless my arm is twisted.  I'm a convert, and I'm glad to
see the adoption rate edging up.

However, I still scratch my head on why most major US ISPs *have* robust
IPv6 peering and infrastructure and are ready to go, but they have not
turned it on for their fiber/cable/DSL customers for reasons that are not
clear to me.

I keep pestering my home ISP about turning it on (since their network is
now 100% DOCSIS 3), but they just seem to think I'm making up words.  One
can hope, though.

Blair

On Tue, Nov 20, 2012 at 11:53 AM, TJ trej...@gmail.com wrote:

   On Tue, 20 Nov 2012 10:14:18 +0100
  Tomas Podermanski tpo...@cis.vutbr.cz wrote:
 
   It seems that today is a big day for IPv6. It is the very first
   time when native IPv6 on google statistics
   (http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some
   might say it is tremendous success after 16 years of deploying IPv6 :-)
  Funny enough, the peaks are indicating... week-ends !
  Do people use more google during the WE, or do they have more IPv6 @
 home ?


  Purely anecdotally, I can say: Yes.
 At least in my case I have native IPv6 at home and via my mobile devices,
 but not at my client sites.
 *Sidenote: That's why I am at those client sites, helping 'fix' that. ;)
 ...
 *


 /TJ



Google burp

2012-10-31 Thread Blair Trosper
I guess I'll be the one to ask...what's going on over at Google?  Service
interruptions and front-end errors all over the place across what appears
to be all services, though Gmail seems to have bounced back up.  Google's
service disruption is about to bring Twitter's service to its knees as
people complain and try to figure out what's going on.

Blair Trosper
Updraft Networks  The North Texas GigaPOP


Re: Google burp

2012-10-31 Thread Blair Trosper
I was editorializing the quantity of tweets about the Google outage more so
than the quality of service of Twitter.  :)  Apologies.

On Wed, Oct 31, 2012 at 5:01 PM, John Adams j...@retina.net wrote:

 Hey now, we're doing fine over here at Twitter. :P

 -j


 On Wed, Oct 31, 2012 at 2:55 PM, Blair Trosper 
 blair.tros...@updraftnetworks.com wrote:

 I guess I'll be the one to ask...what's going on over at Google?  Service
 interruptions and front-end errors all over the place across what appears
 to be all services, though Gmail seems to have bounced back up.  Google's
 service disruption is about to bring Twitter's service to its knees as
 people complain and try to figure out what's going on.

 Blair Trosper
 Updraft Networks  The North Texas GigaPOP





Google PTR?

2012-10-26 Thread Blair Trosper
I'm sure I'm bringing up a topic that's been brought up before, but I
figured I'd have a go.

Anyone from Google around that could answer to why there is no reverse
DNS/PTR with most Google IP addresses (from traceroute, etc)?

Alternatively, is there a server that can be utilized by the net operators
community to at least get an answer on some of the IPs?

It's very frustrating to contend with no PTR records in traces for
troubleshooting and the like.

Any information (off list or on) would be greatly appreciated.

Thanks,
Blair Trosper
Updraft Networks  North Texas GigaPOP


Re: The Department of Work and Pensions, UK has an entire /8

2012-09-18 Thread Blair Trosper
Not to mention Ford Motor Company has 19.0.0.0/8, and there are no
announcements for it whatsoever.

There are other /8s like it...lots of them early allocations.

Why ARIN doesn't revoke them is frankly baffling to me.

On Tue, Sep 18, 2012 at 10:27 PM, Randy Bush ra...@psg.com wrote:

  When IPv4 exhaustion pain reaches a sufficiently high level of pain;
  there is a significant chance people who will be convinced that any
  use of IPv4 which does not involve  announcing and  routing the address
  space on the internet is a Non-Use of IPv4 addresses,
 
  and that that particular point of view will prevail over the concept
  and convenience of being allowed to maintain unique registration for
  non-connected usage.
 
  And perception that those addresses are up for grabs, either for using
  on RFC1918 networks for NAT, or for insisting that internet registry
  allocations be recalled and those resources put towards use by
  connected networks..
 
  If you do have such an unconnected network, it may be prudent to have
  a connected network as well, and announce all your space anyways (just
  not route the addresses)

 this is the arin vigilante cultural view of the world.  luckily, the
 disease does not propagate sufficiently to cross oceans.

 randy




Re: above.net issues

2012-09-12 Thread Blair Trosper
I've been seeing it all day from inside AS19108...in direct connection
to a (huge frustration and) disruption of service from my end to
AWS/EC2.

On Tue, Sep 11, 2012 at 1:20 PM, Joe Williams williams@gmail.com wrote:
 Oops, this was intended for the outages list but I suppose this list works 
 too.



 --
 Name: Joseph A. Williams
 Email: williams@gmail.com


 On Tuesday, September 11, 2012 at 11:18 AM, Joe Williams wrote:

 Anyone experiencing packet loss on abovenet (to/from Ashburn)? We first got 
 a round of packet loss around 8:45 PDT and then again just a few minutes ago.

 Thanks.

 -Joe


 --
 Name: Joseph A. Williams
 Email: williams@gmail.com (mailto:williams@gmail.com)