Re: Spitballing IoT Security
> On Oct 25, 2016, at 3:49 AM, Aled Morris <al...@qix.co.uk> wrote:
>
> On 25 October 2016 at 09:37, Jean-Francois Mezei <jfmezei_na...@vaxination.ca> wrote:
>>
>> One way around this is for the pet feeder to initiate outbound
>> connection to a central server, and have the pet owner connect to that
>> server to ask the server to send a command to his pet feeder to feed the dog.
>>
>
> This is pretty common but, IMHO, the worst solution to this problem.
>
> It creates a dependence on a cloud service which is typically undocumented
> (what protocol do they use? where is the server located, China?); a
> centralised service is a security risk in its own right (crack one server,
> own all the pet feeders); and it is liable to disappear when the operator
> goes out of business, rendering all the products sold useless.
>
> A strength of IP is that it is fundamentally a peer-to-peer protocol,
> please don't break that. NAT broke it but IPv6 can fix it again.
>
> There's nothing wrong with accepting incoming connections if the device is
> secure. If your problem is security, fix that. Don't throw the baby out
> with the bath water.
>
> Aled

How about SDP?

SDP is most often implemented in a gateway in the network today but there is no reason it couldn't be implemented in each IoT device. With SDP inbound connections are not allowed until they are authenticated by another box.

A good quote from Gartner.

"Through the end of 2017, at least 10% of enterprise organizations (up from less than 1% today) will leverage software-defined perimeter (SDP) technology to isolate sensitive environments."

http://info.vidder.com/gartner-predicts-2016-security-solutions

This is the presentation on SDP from the 2015 Internet2 Tech Exchange.

http://meetings.internet2.edu/2015-technology-exchange/detail/10003978/

Videos explaining SDP.

https://www.vidder.com/product-videos/
https://www.vidder.com/wp-content/uploads/2016/09/rethinking-connectivity.mp4
https://www.vidder.com/wp-content/uploads/2016/09/spa.mp4

SDP info from another vendor.

https://www.cryptzone.com/forms/the-software-defined-perimeter-creating-an-invisible-infrastructure
http://www.infosecurityeurope.com/__novadocuments/90951?v=63570932772583
https://cloudsecurityalliance.org/group/software-defined-perimeter/
https://en.wikipedia.org/wiki/Software_Defined_Perimeter
https://cloudsecurityalliance.org/media/news/cloud-security-alliance-to-host-third-software-defined-perimeter-sdp-hackathon-top-prize-of-1-available/

"no one was able to circumvent even the first of the five SDP security controls layers (single packet authorization protocol), despite more than 5 billion packets being fired at the SDP."

https://www.vidder.com/resources/docs/CSA-Verizon-Vidder-Hackathon4-Reliability.pdf
http://www.networkworld.com/article/3053561/security/learning-about-sdp-via-google-beyondcorp.html
https://www.sdxcentral.com/articles/news/software-defined-perimeter-remains-undefeated-in-hackathon/2015/08/

---
Bruce Curtis                            bruce.cur...@ndsu.edu
Certified NetAnalyst II                 701-231-8527
North Dakota State University
Re: CDN Overload?
> n the customer has purchased. This could happen briefly as TCP
> adjusts to the capacity limitation, but in some situations this has persisted
> for days at a time. I'll list out a few situations as best as I can recall
> them. Some of these may even be merges of a couple situations. The point is
> to show the general issue and develop a better process for collecting what
> exactly is happening at the time and how to address it.
>
> One situation had approximately 45 megabit/s of capacity being used up by a
> customer that had a 1.5 megabit/s plan. All other traffic normally held
> itself within the 1.5 megabit/s, but this particular CDN sent excessively
> more for extended periods of time.
>
> An often occurrence has someone with a single digit megabit/s limitation
> consuming 2x - 3x more than their plan on the other side of the rate limiter.
>
> Last month on my own network I saw someone with 2x - 3x being consumed
> upstream and they had *190* connections downloading said data from Microsoft.
>
> The past week or two I've been hearing of people only having a single
> connection downloading at more than their plan rate.
>
>
> These situations effectively shut out all other Internet traffic to that
> customer or even portion of the network for low capacity NLOS areas. It's a
> DoS caused by downloads. What happened to the days of MS BITS and you didn't
> even notice the download happening? A lot of these guys think that the CDNs
> are just a pile of dicks looking to ruin everyone's day and I'm certain that
> there are at least a couple people at each CDN that aren't that way. ;-)
>
>
> Lots of rambling, sure. What do I need to have these guys collect as evidence
> of a problem and who should they send it to?
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
>
> Midwest Internet Exchange
>
> The Brothers WISP
>

---
Bruce Curtis                            bruce.cur...@ndsu.edu
Certified NetAnalyst II                 701-231-8527
North Dakota State University
Re: NAT firewall for IPv6?
> On Jul 5, 2016, at 9:33 AM, valdis.kletni...@vt.edu wrote:
>
> On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:
>
>> We're having problems where viruses are getting through Firefox, and we
>> think it's because our Palo Alto firewall is set to bypass filtering for
>> IPv6.
>
> Do you have any actual evidence (device logs, tcpdump, netflow, etc) that
> support that train of thought?
>
> Remember that your Palo Alto isn't stopping 100% of the icky stuff on the
> IPv4 side either - the sad truth is that most commercial security software
> is only able to identify and block between 30% and 70% of the crap that's
> out in the wild.

That is only the percentage that it identifies from what it can see. It most likely cannot see viruses in encrypted traffic.

"• A forecast that 70% of global Internet traffic will be encrypted in 2016, with many networks exceeding 80%"

https://www.sandvine.com/pr/2016/2/11/sandvine-70-of-global-internet-traffic-will-be-encrypted-in-2016.html

"In the fourth quarter of 2015 nearly 65 percent of all web connections that Dell observed were encrypted, leading to a lot more under-the-radar attacks, according to the company. Gartner has predicted that 50 percent of all network attacks will take advantage of SSL/TLS by 2017."

http://www.darkreading.com/attacks-breaches/when-encryption-becomes-the-enemys-best-friend/d/d-id/1324580

This article mentions how difficult it is for sandboxes to detect malware.

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-hot-knives-through-butter.pdf

This article mentions malware that changes its download image every 15 seconds.

http://www.darkreading.com/vulnerabilities---threats/cerber-strikes-with-office-365-zero-day-attacks/d/d-id/1326070?_mc=NL_DR_EDT_DR_weekly_20160630=NL_DR_EDT_DR_weekly_20160630=1d7f1b5bcdb24c469164471a423f746b=01e6838c279149a08e460cdbe3b8b54a=70982=1=21896

> There's also BYOD issues where a laptop comes in and infects
> all your systems from behind the firewall (as Marcus Ranum says: "Crunchy on
> the outside, soft and chewy inside").
>
> In any case, your first two actions should be to recover the password for the
> Palo Alto, and make sure it has updated pattern definitions in effect on both
> IPv4 and IPv6 connections.
>
> And your third should be to re-examine your vendor rules of engagement, to
> ensure your deliverables include things like passwords and update support
> so you're not stuck if your vendor goes belly up..
>

---
Bruce Curtis                            bruce.cur...@ndsu.edu
Certified NetAnalyst II                 701-231-8527
North Dakota State University
Re: IPv6 traffic percentages?
> On Jan 20, 2016, at 6:14 AM, nanog-...@mail.com wrote:
>
> Hello all,
>
> Would those with IPv6 deployments kindly share some statistics on their
> percentage of IPv6 traffic?
>
> Bonus points for sharing top IPv6 sources. Anything else than the usual
> suspects, Google/YouTube, Netflix and Facebook?
>
> Some public information I've found so far:
> - Comcast around 25% IPv6 traffic (
> http://www.lightreading.com/ethernet-ip/ip-protocols-software/facebook-ipv6-is-a-real-world-big-deal/a/d-id/718395
> )
> - Comcast has over 1 Tb/s (of mostly YouTube traffic) over IPv6 (
> http://corporate.comcast.com/comcast-voices/comcast-reaches-key-milestone-in-launch-of-ipv6-broadband-network
> )
> - Swisscom 26% IPv6 traffic, 60% YouTube (
> http://www.swinog.ch/meetings/swinog27/p/01_Martin_Gysi.pdf )
>
> I'd be very much interested in hearing from smaller ISPs, especially those
> having a very limited number of IPv4 addresses and/or running out.
>
>
> Thanks,
>
> Jared

This is some more public info. On this page click to sort on IPv6 deployment.

http://www.worldipv6launch.org/measurements/

About 40% of traffic inbound to our University is IPv6. I see several Universities on the list above at more than 60%.

There are more links to public info sites at the bottom of the page.

You can add Apple and Microsoft to the list of usual suspects, but for state in NAT boxes rather than traffic. With happy eyeballs devices query both IPv4 and IPv6 so end up creating state in the NAT box even if the client ultimately chooses IPv6 for the connection. We have lots of devices that like to check with Apple whenever they wake up and the staff here use Microsoft Exchange in the cloud which is available via IPv6.

I don't have any verified data but I have noticed a relation between

Scroll to the bottom of this page and you will see that my latency to Google via IPv6 dropped from 40 ms to 20 ms.

http://mcnet.cc.ndsu.nodak.edu/smokeping/?target=Internet.Google_IPv6

If I compare some days before and after the change I see a decrease in my peak NAT pool usage. However on other days I don't see a difference.

The theory is that after my latency dropped to 20 ms that should be less than the magical 25 ms for Apple devices to receive an answer via IPv6 so they don't even send out an IPv4 query.

https://www.ietf.org/mail-archive/web/v6ops/current/msg22455.html

This link mentions that Microsoft is already preferring IPv6 over IPv4 95% of the time when both are available.

http://labs.apnic.net/?p=657

I'm 30 ms away from Facebook so 95% of Microsoft clients would use IPv6 but for Apple devices it's a gamble. But it's not clear if 95% of Microsoft clients would only send an IPv6 SYN and not send an IPv4 SYN (saving NAT table size).

The top of our wish list would be for twitter and AWS to support IPv6, I think that those would make the biggest reduction in our NAT table size.

If you hover your mouse over the US on this page

http://6lab.cisco.com/stats/

it lists 47% for content. What that 47% means is explained here.

http://6lab.cisco.com/stats/information.php#content

It is fun to play with the type of regression on this page and project 730 days or so in the future.

https://www.vyncke.org/ipv6status/project.php

---
Bruce Curtis                            bruce.cur...@ndsu.edu
Certified NetAnalyst II                 701-231-8527
North Dakota State University
Re: Another Big day for IPv6 - 10% native penetration
This page is fun to play with. The 3rd order polynomial currently results in the most optimistic projection and 700 days in the future is enough for a good view of the results. The page is for the US.

https://www.vyncke.org/ipv6status/project.php?metric=q=us

> On Jan 2, 2016, at 9:35 AM, Tomas Podermanski <tpo...@cis.vutbr.cz> wrote:
>
> Hi,
>
> according to Google's statistics
> (https://www.google.com/intl/en/ipv6/statistics.html) on 31st December
> 2015 the IPv6 penetration reached 10% for the very first time. Just a
> little reminder. On 20th Nov 2012 the number was 1%. In December we also
> celebrated the 20th anniversary of IPv6 standardization - RFC 1883.
>
> I'm wondering when we reach another significant milestone - 50% :-)
>
> Tomas
>
>
> -------- Original Message --------
> Subject: Big day for IPv6 - 1% native penetration
> Date: Tue, 20 Nov 2012 10:14:18 +0100
> From: Tomas Podermanski <tpo...@cis.vutbr.cz>
> To: nanog@nanog.org
>
>
> Hi,
>
> It seems that today is a "big day" for IPv6. It is the very first
> time when native IPv6 on google statistics
> (http://www.google.com/intl/en/ipv6/statistics.html) reached 1%. Some
> might say it is tremendous success after 16 years of deploying IPv6 :-)
>
> T.
>

---
Bruce Curtis                            bruce.cur...@ndsu.edu
Certified NetAnalyst II                 701-231-8527
North Dakota State University
DNSSEC broken for login.microsoftonline.com
FYI our DNS requests to resolve login.microsoftonline.com are failing because of a DNSSEC error.

http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com

http://dnsviz.net/d/login.microsoftonline.com/dnssec/


[ns1 domain]$ drill -DT login.microsoftonline.com
Warning: No trusted keys were given. Will not be able to verify authenticity!
;; Domain: .
;; Signature ok but no chain to a trusted key or ds record
[S] . 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
. 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
[S] com. 86400 IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
;; Domain: com.
;; Signature ok but no chain to a trusted key or ds record
[S] com. 86400 IN DNSKEY 256 3 8 ;{id = 51797 (zsk), size = 1024b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[S] Existence denied: microsoftonline.com. DS
;; No ds record for delegation
;; Domain: microsoftonline.com.
;; No DNSKEY record found for microsoftonline.com.
;; No DS for login.microsoftonline.com.
;; No ds record for delegation
;; Domain: login.microsoftonline.com.
;; No DNSKEY record found for login.microsoftonline.com.
[U] No data found for: login.microsoftonline.com. type A
;;[S] self sig OK; [B] bogus; [T] trusted
[ns1 domain]$
[ns1 domain]$ drill -DT medicare.gov
Warning: No trusted keys were given. Will not be able to verify authenticity!
;; Domain: .
;; Signature ok but no chain to a trusted key or ds record
[S] . 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
[S] gov. 86400 IN DS 7698 8 1 6f109b46a80cea9613dc86d5a3e065520505aafe
gov. 86400 IN DS 7698 8 2 6bc949e638442ead0bdaf0935763c8d003760384ff15ebbd5ce86bb5559561f0
;; Domain: gov.
;; Signature ok but no chain to a trusted key or ds record
[S] gov. 86400 IN DNSKEY 256 3 8 ;{id = 13175 (zsk), size = 1024b}
gov. 86400 IN DNSKEY 257 3 8 ;{id = 7698 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: gov. 86400 IN DNSKEY 256 3 8 AQPCY4NZARQ0HDzGismy6sZdJ17o2+yzmZSkw6d9PeeJ8NCnw9atj4PGHO50LX1Hy0n4YimUcDEXHu+sI4MBaeTkHY3ilsC2kpWGGOFW2fkXn6XNvvPVRjwk04hDsEFphOXPPdoXWjXtQiTVYkFpgUbxJYo24/JxM5JuC4v0+qDmLQ== ;{id = 13175 (zsk), size = 1024b}
[S] medicare.gov. 3600 IN DS 16500 7 1 ea88786ecaa04e66322e4405b1c1a55e31485281
medicare.gov. 3600 IN DS 16500 7 2 43a0e12df89bb342c15229495cd2bc18dddce0d9fb315aeb5b06b0d849b9a3ee
;; Domain: medicare.gov.
;; Signature ok but no chain to a trusted key or ds record
[S] medicare.gov. 7200 IN DNSKEY 256 3 7 ;{id = 58988 (zsk), size = 1024b}
medicare.gov. 7200 IN DNSKEY 256 3 7 ;{id = 41714 (zsk), size = 1024b}
medicare.gov. 7200 IN DNSKEY 257 3 7 ;{id = 16500 (ksk), size = 2048b}
[S] medicare.gov. 20 IN A 23.213.71.152
;;[S] self sig OK; [B] bogus; [T] trusted

---
Bruce Curtis                            bruce.cur...@ndsu.edu
Certified NetAnalyst II                 701-231-8527
North Dakota State University
Re: DNSSEC broken for login.microsoftonline.com
> On Oct 27, 2015, at 12:35 PM, Tony Finch <d...@dotat.at> wrote:
>
> Bruce Curtis <bruce.cur...@ndsu.edu> wrote:
>>
>> FYI our DNS requests to resolve login.microsoftonline.com are failing
>> because of a DNSSEC error.
>
> There's no DS record for microsoftonline.com so you shouldn't have any
> DNSSEC problems with it - my servers can resolve it OK. DNSvis doesn't
> show any problems. The only thing which might cause trouble is the
> SERVFAIL responses to DNSKEY queries flagged by the Verisign DNSSEC
> debugger.

DNSvis did list 4 errors earlier.

4 recursive DNS servers here still fail to resolve login.microsoftonline.com.

I turned DNSSEC validation off on one and it then resolved correctly.

dnssec-validation no;

Thanks for the info. Our customers have reported that it does resolve at the Google public DNS servers also.

>> http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com
>>
>> http://dnsviz.net/d/login.microsoftonline.com/dnssec/
>
> Tony.
> --
> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
> Fitzroy, Sole: Cyclonic, mainly southwesterly, 5 to 7, occasionally gale 8 in
> west Fitzroy. Very rough or high, becoming rough in Sole. Rain or thundery
> showers. Moderate or poor, occasionally good.

---
Bruce Curtis                            bruce.cur...@ndsu.edu
Certified NetAnalyst II                 701-231-8527
North Dakota State University
Re: DNSSEC broken for login.microsoftonline.com
> On Oct 27, 2015, at 2:38 PM, Avdija Ahmedhodžić <avd...@link.ba> wrote:
>
> Also, ns2.bdm.microsoftonline.com is offline for about 12 hours

The problems started yesterday, more than 12 hours ago.

Thanks.

>
>> On 27 Oct 2015, at 18:35, Tony Finch <d...@dotat.at> wrote:
>>
>> Bruce Curtis <bruce.cur...@ndsu.edu> wrote:
>>>
>>> FYI our DNS requests to resolve login.microsoftonline.com are failing
>>> because of a DNSSEC error.
>>
>> There's no DS record for microsoftonline.com so you shouldn't have any
>> DNSSEC problems with it - my servers can resolve it OK. DNSvis doesn't
>> show any problems. The only thing which might cause trouble is the
>> SERVFAIL responses to DNSKEY queries flagged by the Verisign DNSSEC
>> debugger.
>>
>>> http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com
>>>
>>> http://dnsviz.net/d/login.microsoftonline.com/dnssec/
>>
>> Tony.
>> --
>> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
>> Fitzroy, Sole: Cyclonic, mainly southwesterly, 5 to 7, occasionally gale 8 in
>> west Fitzroy. Very rough or high, becoming rough in Sole. Rain or thundery
>> showers. Moderate or poor, occasionally good.
>

---
Bruce Curtis                            bruce.cur...@ndsu.edu
Certified NetAnalyst II                 701-231-8527
North Dakota State University
Re: DNSSEC broken for login.microsoftonline.com
> On Oct 27, 2015, at 3:37 PM, Bruce Curtis <bruce.cur...@ndsu.edu> wrote:
>
>
>> On Oct 27, 2015, at 12:35 PM, Tony Finch <d...@dotat.at> wrote:
>>
>> Bruce Curtis <bruce.cur...@ndsu.edu> wrote:
>>>
>>> FYI our DNS requests to resolve login.microsoftonline.com are failing
>>> because of a DNSSEC error.
>>
>> There's no DS record for microsoftonline.com so you shouldn't have any
>> DNSSEC problems with it - my servers can resolve it OK. DNSvis doesn't
>> show any problems. The only thing which might cause trouble is the
>> SERVFAIL responses to DNSKEY queries flagged by the Verisign DNSSEC
>> debugger.
>
>
> DNSvis did list 4 errors earlier.
>
> 4 recursive DNS servers here still fail to resolve login.microsoftonline.com.
>
> I turned DNSSEC validation off on one and it then resolved correctly.
>
> dnssec-validation no;
>
> Thanks for the info. Our customers have reported that it does resolve at
> the Google public DNS servers also.

Drill run on one of our name servers shows that the error is

Existence denied: microsoftonline.com


[ns1 domain]$ drill -k /tmp/rootkey -DT login.microsoftonline.com
;; Number of trusted keys: 2
;; Domain: .
[T] . 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
. 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
Checking if signing key is trusted:
New key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
Trusted key: . 143619 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
Key is now trusted!
Trusted key: . 143619 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
Trusted key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
Key is now trusted!
Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
[T] com. 86400 IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
;; Domain: com.
[T] com. 86400 IN DNSKEY 256 3 8 ;{id = 51797 (zsk), size = 1024b}
com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
[T] Existence denied: microsoftonline.com. DS
;; No ds record for delegation
;; Domain: microsoftonline.com.
;; No DNSKEY record found for microsoftonline.com.
;; No DS for login.microsoftonline.com.
;; No ds record for delegation
;; Domain: login.microsoftonline.com.
;; No DNSKEY record found for login.microsoftonline.com.
[U] No data found for: login.microsoftonline.com. type A
;;[S] self sig OK; [B] bogus; [T] trusted

>
>>> http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com
>>>
>>> http://dnsviz.net/d/login.microsoftonline.com/dnssec/
>>
>> Tony.
>> --
>> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
>> Fitzroy, Sole: Cyclonic, mainly southwesterly, 5 to 7, occasionally gale 8 in
>> west Fitzroy. Very rough or high, becoming rough in Sole. Rain or thundery
>> showers. Moderate or poor, occasionally good.
>
> ---
> Bruce Curtis                            bruce.cur...@ndsu.edu
> Certified NetAnalyst II                 701-231-8527
> North Dakota State University
>

---
Bruce Curtis                            bruce.cur...@ndsu.edu
Certified NetAnalyst II                 701-231-8527
North Dakota State University
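The `drill -k /tmp/rootkey` run above prints "Key is now trusted!" once a root DNSKEY matches the configured trust anchor, and annotates every key with its `id`, the RFC 4034 key tag. The following Python is an added example, not code from the thread or from drill. It reproduces those two checks offline from the root DNSKEY public keys printed in the drill output: it computes the key tag of the root ZSK and KSK, builds the SHA-256 DS digest of the KSK over the owner name and DNSKEY RDATA (RFC 4034 section 5.1.4), and compares it with the DS trust anchor that IANA publishes for root KSK-2010. That anchor value (DS 19036 8 2 49AAC11D...) is supplied by the example and does not appear in the thread; the function names and the `matches_trust_anchor` signature are the example's own.

```python
"""Root trust-anchor matching as a validating resolver (or `drill -k`) does it.

Added example, not code from the NANOG thread. The DNSKEY public keys are
copied from the drill output in the message above; the DS trust anchor is
IANA's published value for root KSK-2010, supplied here by the example.
"""
import base64
import hashlib
import struct

# Public-key fields (presentation-format base64) of the two root DNSKEYs drill printed.
# Flags 256 = ZSK, 257 = KSK; protocol is always 3; algorithm 8 = RSA/SHA-256.
ROOT_ZSK_B64 = "AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl"
ROOT_KSK_B64 = "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="

# IANA root trust anchor for KSK-2010 as a DS record: (key tag, algorithm, digest type, digest).
# Not from the thread; this is the value a resolver's root key file carries.
IANA_ROOT_ANCHOR = (19036, 8, 2, "49AAC11D7B6F6446702E54A1607371607A1A41855200FD2CE1CDDE32F24E8FB5")


def wire_name(name: str) -> bytes:
    """Owner name in DNS wire format, lowercased (canonical form used in DS digests)."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey_b64: str, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag, the `id =` value drill prints for each DNSKEY."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name wire format || DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return hasher(wire_name(owner) + rdata).hexdigest().upper()


def matches_trust_anchor(owner: str, flags: int, algorithm: int, pubkey_b64: str, anchor) -> bool:
    """True when this DNSKEY is the key a DS-style trust anchor designates.

    A validator only accepts the zone's DNSKEY RRset as trusted once one key in it
    passes this check; that is the point at which drill reports "Key is now trusted!".
    """
    anchor_tag, anchor_alg, anchor_digest_type, anchor_digest = anchor
    rdata = dnskey_rdata(flags, algorithm, pubkey_b64)
    return (algorithm == anchor_alg
            and key_tag(rdata) == anchor_tag
            and ds_digest(owner, rdata, anchor_digest_type) == anchor_digest.upper())


if __name__ == "__main__":
    zsk = dnskey_rdata(256, 8, ROOT_ZSK_B64)
    ksk = dnskey_rdata(257, 8, ROOT_KSK_B64)
    print("root ZSK key tag:", key_tag(zsk))
    print("root KSK key tag:", key_tag(ksk))
    print("KSK DS digest  :", ds_digest(".", ksk))
    print("KSK matches IANA anchor:", matches_trust_anchor(".", 257, 8, ROOT_KSK_B64, IANA_ROOT_ANCHOR))
    print("ZSK matches IANA anchor:", matches_trust_anchor(".", 256, 8, ROOT_ZSK_B64, IANA_ROOT_ANCHOR))
```

Only the KSK matches the anchor; the ZSK is marked `[T]` in the drill output because it is signed by the now-trusted KSK, not because it matches the DS. Further down the chain the same digest routine applied to the com. KSK (id 30909, whose public key drill does not print) is what turns the `[T] com. 86400 IN DS 30909 8 2 e2d3c916...` record into trust in com.'s DNSKEY RRset. The `[T] Existence denied: microsoftonline.com. DS` line is itself an authenticated answer: com. proves there is no DS, so the delegation is insecure, which is consistent with Tony's observation that there is no DS record for microsoftonline.com.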
Re: DNSSEC broken for login.microsoftonline.com
for com.nsatc.net.
;; No ds record for delegation
[B] ;; Error verifying denial of existence for name com.nsatc.net.NS: No DNSSEC signature(s)

> On Oct 27, 2015, at 4:59 PM, Bruce Curtis <bruce.cur...@ndsu.edu> wrote:
>
>
>> On Oct 27, 2015, at 3:37 PM, Bruce Curtis <bruce.cur...@ndsu.edu> wrote:
>>
>>
>>> On Oct 27, 2015, at 12:35 PM, Tony Finch <d...@dotat.at> wrote:
>>>
>>> Bruce Curtis <bruce.cur...@ndsu.edu> wrote:
>>>>
>>>> FYI our DNS requests to resolve login.microsoftonline.com are failing
>>>> because of a DNSSEC error.
>>>
>>> There's no DS record for microsoftonline.com so you shouldn't have any
>>> DNSSEC problems with it - my servers can resolve it OK. DNSvis doesn't
>>> show any problems. The only thing which might cause trouble is the
>>> SERVFAIL responses to DNSKEY queries flagged by the Verisign DNSSEC
>>> debugger.
>>
>>
>> DNSvis did list 4 errors earlier.
>>
>> 4 recursive DNS servers here still fail to resolve login.microsoftonline.com.
>>
>> I turned DNSSEC validation off on one and it then resolved correctly.
>>
>> dnssec-validation no;
>>
>> Thanks for the info. Our customers have reported that it does resolve at
>> the Google public DNS servers also.
>
>
> Drill run on one of our name servers shows that the error is
>
> Existence denied: microsoftonline.com
>
>
> [ns1 domain]$ drill -k /tmp/rootkey -DT login.microsoftonline.com
> ;; Number of trusted keys: 2
> ;; Domain: .
> [T] . 172800 IN DNSKEY 256 3 8 ;{id = 62530 (zsk), size = 1024b}
> . 172800 IN DNSKEY 257 3 8 ;{id = 19036 (ksk), size = 2048b}
> Checking if signing key is trusted:
> New key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
> Trusted key: . 143619 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
> Key is now trusted!
> Trusted key: . 143619 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
> Trusted key: . 172800 IN DNSKEY 256 3 8 AwEAAbgVvZmZibtBpha3AIykU0OY4gcCXTcskYJUxGsdmV/awfmKcHlSrjNMioSgy4sByj+HpcbsyrZVGPp+JBXzYwwuEF/6w1k7vKYTK6vMSqgVcgooNkfb5MaRF2y7MEpPxfStnfwu8knE24ExB0hYE1URxJ9CqB3zMSl/vicXYXXl ;{id = 62530 (zsk), size = 1024b}
> Key is now trusted!
> Trusted key: . 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b}
> [T] com. 86400 IN DS 30909 8 2 e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766
> ;; Domain: com.
> [T] com. 86400 IN DNSKEY 256 3 8 ;{id = 51797 (zsk), size = 1024b}
> com. 86400 IN DNSKEY 257 3 8 ;{id = 30909 (ksk), size = 2048b}
> [T] Existence denied: microsoftonline.com. DS
> ;; No ds record for delegation
> ;; Domain: microsoftonline.com.
> ;; No DNSKEY record found for microsoftonline.com.
> ;; No DS for login.microsoftonline.com.
> ;; No ds record for delegation
> ;; Domain: login.microsoftonline.com.
> ;; No DNSKEY record found for login.microsoftonline.com.
> [U] No data found for: login.microsoftonline.com. type A
> ;;[S] self sig OK; [B] bogus; [T] trusted
>
>
>>
>>> http://dnssec-debugger.verisignlabs.com/login.microsoftonline.com
>>>>
>>>> http://dnsviz.net/d/login.microsoftonline.com/dnssec/
>>>
>>> Tony.
>>> --
>>> f.anthony.n.finch <d...@dotat.at> http://dotat.at/
>>> Fitzroy, Sole: Cyclonic, mainly southwesterly, 5 to 7, occasionally gale 8
>>> in
>>> west Fitzroy. Very rough or high, becoming rough in Sole. Rain or thundery
>>> showers. Moderate or poor, occasionally good.
>>
>> ---
>> Bruce Curtis                            bruce.cur...@ndsu.edu
>> Certified NetAnalyst II                 701-231-8527
>> North Dakota State University
>>
>
> ---
> Bruce Curtis                            bruce.cur...@ndsu.edu
> Certified NetAnalyst II                 701-231-8527
> North Dakota State University
>

---
Bruce Curtis                            bruce.cur...@ndsu.edu
Certified NetAnalyst II                 701-231-8527
North Dakota State University
Re: Hotels/Airports with IPv6
On Jul 9, 2015, at 9:53 AM, Jared Mauch ja...@puck.nether.net wrote:

> It's my understanding that many captive portals have trouble with IPv6 traffic and this is a blocker for places. I'm wondering what people who deploy captive portals are doing with these things?
>
> https://tools.ietf.org/html/draft-wkumari-dhc-capport seems to be trying to document the method to signal to clients how to authenticate.
>
> I was having horrible luck with Boingo yesterday at RDU airport with their captive portal and deauthenticating me so just went to cellular data, so wondering if IPv4 doesn't work well what works for IPv6.
>
> Thanks,
>
> - Jared

We use the HotSpot feature on a Mikrotik box as a captive portal. It does not re-direct IPv6 web traffic but it does redirect all IPv4 DNS traffic to a DNS resolver that only answers with A records. Once a device has been authenticated IPv4 DNS traffic goes to a DNS server that will answer with records also.

---
Bruce Curtis                            bruce.cur...@ndsu.edu
Certified NetAnalyst II                 701-231-8527
North Dakota State University
Re: Android (lack of) support for DHCPv6
We have had IPv6 enabled on our campus network since 2008 (including wireless). We started with SLAAC and did some experimenting with DHCPv6 PD over wireless but haven't implemented DHCPv6 as a production service yet.

I thought that one thing that might push us towards DHCPv6 was desk VoIP phones since current desk IP phones depend on learning lots of special or extra info via DHCP. Assuming that desk IP phones don't become extinct (not a certainty) and assuming that many desk IP phones will continue to be based on Android it seems that my assumption that desk IP phones will want DHCPv6 might not be correct.

So what do the prognosticators think? Will the desk IP phone vendors just add DHCPv6 to their version of Android or will they switch to other means to learn the info they now learn via DHCPv4?

---
Bruce Curtis                            bruce.cur...@ndsu.edu
Certified NetAnalyst II                 701-231-8527
North Dakota State University
Re: Multiple vendors' IPv6 issues
> favorite vendor, Cisco.
>
> Why is it, Cisco, that I have to restart my IPv6 OSPF3 process on my ASA every time my Palo Alto firewall crashes and fails over, otherwise none of my VPN clients can connect via IPv6?
>
> Why do you hurt me so, IPv6? I just wanted to be friends, and now I just want to break up with you. Maybe we can try to be friends again when your vendors get their shit together.
>
> -David

---
Bruce Curtis                            bruce.cur...@ndsu.edu
Certified NetAnalyst II                 701-231-8527
North Dakota State University
Re: I don't need no stinking firewall!
On Jan 6, 2010, at 3:56 PM, Brian Johnson wrote:

> -----Original Message-----
> From: Brian Keefer [mailto:ch...@smtps.net]
> Sent: Wednesday, January 06, 2010 3:12 PM
> To: Brian Johnson
> Cc: NANOG list
> Subject: Re: I don't need no stinking firewall!
>
> SNIP
>
>> SNIP
>>
>> IMO you're better off making sure only the services you intend to provide
>> are listening, and that those services are hardened appropriately for
>> public exposure.
>
> OK. This is obvious to anyone with experience in these things. But I also
> believe in a layered approach. It never hurts to add more layers to prevent
> human error or even internal breaches as the different systems are under the
> control of different equipment (servers, routers, switches, security
> devices). It's like two supports holding up something without knowing if the
> other one is doing its job. Both need to pull the full weight in case the
> other fails.

I disagree. Never is pretty absolute. If that were true there would be no limit to the number of layers.

Realistically I have experienced the harm from having firewalls in the network path. I have witnessed too many video sessions that either couldn't be started or had the sessions dropped prematurely because of firewalls.

When the worms were infecting machines a couple of years ago our network was robust and stable and I identified and blocked infected machines quickly. Other universities shut down their residence halls or large portions of their network because their firewalls rolled over and died otherwise from all of the scanning from inside their network. I have talked to universities who consider the firewall the canary of the network world, it's the first box in the network to cease functioning when there is a problem.

Others have already mentioned the troubleshooting nightmares that firewalls generate, I would consider that a harm also.

---
Bruce Curtis                            bruce.cur...@ndsu.edu
Certified NetAnalyst II                 701-231-8527
North Dakota State University
Re: Another driver for v6?
On Oct 29, 2008, at 10:32 AM, Joe Maimon wrote:

> Mikael Abrahamsson wrote:
>
>> On Tue, 28 Oct 2008, Steven M. Bellovin wrote:
>>
>>> They claim they will deploy IPv6 in their worldwide enterprise network,
>>> do away with central based enterprise firewalls and do host-to-host
>>> IPv6+IPSEC, Active Directory based certificates for authentication.
>>
>> You know that windows 2000 was released with this functionality. It's
>> nothing new and it is not ipv6 specific.
>
> Who is using it precisely?

Microsoft, on 200,000 computers at the time of the paper below.

http://technet.microsoft.com/en-us/library/bb735174.aspx

We have a couple of departments using IPsec here and one more seriously looking at it. (Mainly a matter of finding time to test and implement.)

Plus there are at least a couple of other Universities.

http://members.microsoft.com/CustomerEvidence/Search/EvidenceDetails.aspx?EvidenceID=14258LanguageID=1

https://members.microsoft.com/customerevidence/search/EvidenceDetails.aspx?EvidenceID=14205LanguageID=1

And I see a City has been added to the list.

http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=400161

http://www.cu.ipv6tf.org/pdf/v6security_6Sense_Jan2006.pdf

---
Bruce Curtis                            [EMAIL PROTECTED]
Certified NetAnalyst II                 701-231-8527
North Dakota State University
Re: [Nanog] ATT VP: Internet to hit capacity by 2010
On Apr 22, 2008, at 9:15 AM, Marc Manthey wrote:

> On 22.04.2008 at 16:05 Bruce Curtis wrote:
>
>> p2p isn't the only way to deliver content overnight, content could also
>> be delivered via multicast overnight.
>>
>> http://www.intercast.com/Eng/Index.asp
>>
>> http://kazam.com/Eng/About/About.jsp
>
> hmm sorry i did not get it
>
> IMHO multicast is useless for VOD, correct?
>
> marc

Michael said the same thing, "Also note that IP multicast only works for live broadcast TV." and then mentioned that p2p could be used to download content during off-peak hours.

Kazam is a beta test that uses Intercast's technology to download content overnight to a user's PC via multicast.

My point was p2p isn't the only way to deliver content overnight, multicast could also be used to do that, and in fact at least one company is exploring that option. The example seemed to fit in well with the other examples in the thread that mentioned TiVo type devices recording content for later viewing on demand.

I agree that multicast can be used for live TV and others have mentioned the multicasting of the BBC and www.ostn.tv is another example of live multicasting. However since TiVo type devices today record broadcast content for later viewing on demand there could certainly be devices that record multicast content for later viewing on demand.

---
Bruce Curtis                            [EMAIL PROTECTED]
Certified NetAnalyst II                 701-231-8527
North Dakota State University

_______________________________________________
NANOG mailing list
NANOG@nanog.org
http://mailman.nanog.org/mailman/listinfo/nanog