Re: Voice channels (FTTH, DOCSIS, VoLTE)

2016-11-20 Thread Marcin Cieslak
On Mon, 21 Nov 2016, Jean-Francois Mezei wrote:

> Would DOCSIS be the same as FTTH, with the cableco voice service riding
> inside the same DOCSIS bandwidth but with pre-allocated bandwidth, or do
> they allocate separate NTSC channels with a totally separate data pipe ?

DOCSIS has a possibility to provision unidirectional data flows with
certain quality of service characteristics. A pair of these is usually
dedicated to a casual Internet connection, another one can be used for
layer 2 telephony service, etc. Allocating a whole TV channel frequency
would be a big waste. Not even sure it would be possible with standard
DOCSIS.

Marcin Cieślak


Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-23 Thread Marcin Cieslak
On Fri, 23 Sep 2016, jim deleskie wrote:

> They were hosting him for free, and like insurance, I can assure you if you
> are consistently using a service, and not covering the costs of that
> service you won't be a client for long.  This is the basis for AUP/client
> contracts and have been going back to the days when we all offered only
> dialup internet.

Does being a victim of a DDoS constitute a breach of AUP?

Marcin Cieślak


Re: Fwd: [ PRIVACY Forum ] Critical bug threatens to bite mobile phones and networks

2016-07-19 Thread Marcin Cieslak
On Tue, 19 Jul 2016, Jay R. Ashworth wrote:

> Heap overflow bug in either a widely used ASN.1 library from Objective Systems,
> apparently popular with cell-radio industry people.  Not sure if this will
> leak over into NANOG land -- but neither are you, and that's most of my point.
> 
> DO *you* know if this library is used in your routers?  Can you find out?
> 
> How easily and quickly?

CERT/CC has published a list of contacted vendors:

http://www.kb.cert.org/vuls/byvendor?searchview=FIELD+Reference=790839=4

From the timeline:

https://github.com/programa-stic/security-advisories/tree/master/ObjSys/CVE-2016-5080#8-report-timeline

it is not clear if all vendors have been contacted.

Wonder how to grep for rtxMemHeapAlloc in the possibly encrypted
baseband module firmware.


Marcin
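
A minimal version of the check the message above wonders about, as an added example (not part of the original post or of any vendor tooling): it searches a firmware image for the symbol name and uses byte entropy to flag when a miss means nothing because the image looks encrypted or compressed. The window size, the entropy cutoff and both sample images are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter

NEEDLE = b"rtxMemHeapAlloc"  # symbol name quoted in the message above
WINDOW = 4096                # bytes per entropy window (assumed value)
HIGH_ENTROPY = 7.5           # bits/byte; assumed cutoff for encrypted/compressed data

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte, from 0.0 to 8.0."""
    total = len(block)
    return -sum(n / total * math.log2(n / total) for n in Counter(block).values())

def opaque_fraction(image: bytes) -> float:
    """Share of full windows that look encrypted or compressed."""
    blocks = [image[i:i + WINDOW] for i in range(0, len(image) - WINDOW + 1, WINDOW)]
    if not blocks:
        return 0.0
    return sum(shannon_entropy(b) > HIGH_ENTROPY for b in blocks) / len(blocks)

def scan_image(image: bytes) -> dict:
    """Locate NEEDLE and say how far a negative result can be trusted."""
    offsets, pos = [], image.find(NEEDLE)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(NEEDLE, pos + 1)
    opaque = opaque_fraction(image)
    if offsets:
        verdict = "present"
    elif opaque > 0.5:
        verdict = "inconclusive"  # mostly opaque: a plain byte search cannot see inside
    else:
        verdict = "not found"     # readable image; names may still be stripped
    return {"offsets": offsets, "opaque": opaque, "verdict": verdict}

def keystream(n: int) -> bytes:
    """Constructed stand-in for an encrypted image: SHA-256 in counter mode."""
    out = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return out[:n]

# Constructed sample images, not taken from any real device.
PLAIN = b"\x00" * 5000 + NEEDLE + b"\x00" + b"\xff" * 5000
ENCRYPTED = keystream(4 * WINDOW)

if __name__ == "__main__":
    for name, img in (("plain", PLAIN), ("encrypted", ENCRYPTED)):
        print(name, scan_image(img))
```

An "inconclusive" verdict means the image has to be decrypted or unpacked before any string search says anything about it.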


Re: IPv6 deployment excuses

2016-07-01 Thread Marcin Cieslak
On Fri, 1 Jul 2016, Mike Jones wrote:

> Hi,
> 
> I am in contact with a couple of network operators trying to prod them
> to deploy IPv6, I figured that 10 minutes to send a couple of emails
> was worth the effort to make them "see a customer demand" (now none of
> them can use the excuse that nobody has asked for it!), but the
> replies I got were less than impressive to say the least.

When I talked to one European residential cable provider ca. 2008
they used a similar argument. Fast forward to 2016 and
IPv6 (and dual stack lite) is *the* way they provide Internet access
these days. The reason is simple: their growth rate is way too high
to provide IPv4 to everyone at this point.

If the provider is still using the "see a customer demand" argument
this could mean their IPv4 demand may not be growing fast enough. 
Depending on the market they operate on this can be an indication that
their market growth rate may not be fast enough.

Maybe their customer demand for IP(v4) leaves something to be desired?
Or they sit on some almost empty /8s.

Marcin


Re: Southwest Airlines captive portal

2016-02-27 Thread Marcin Cieslak
On Sat, 27 Feb 2016, Constantine A. Murenin wrote:

> On 27 February 2016 at 10:26, Frank Bulk wrote:
> > Anyone from Southwest Airlines on this list?
> >
> > On a recent flight I discovered I couldn't complete payment through PayPal
> > because my web browsers properly noticed that the Southwest Airlines SSL
> > certificate that the captive portal was giving for PayPal didn't match up.
> > =)  I had to create an exception for PayPal just to complete payment.
> >
> > Frank
> 
> I think it is PayPal you should be contacting instead.
> 
> PayPal User Agreement requires that you maintain adequate security of
> your account credentials, and immediately notify PayPal that your
> password has been compromised.
> 
> https://www.paypal.com/webapps/mpp/ua/useragreement-full
> 
> > 1.6 Password Security and Keeping Your Email and Address Current. You are 
> > responsible for maintaining adequate security and control of any and all 
> > IDs, passwords, personal identification numbers (PINs), or any other codes 
> > that you use to access the Services.
> ...

in theory

I suspected I was almost mit'med once, I have notified them immediately
and got a standard blurb about keeping my anti virus software up to date...

Marcin


Re: OT: ID/RFC formatting

2016-01-25 Thread Marcin Cieslak
On Mon, 25 Jan 2016, Jay R. Ashworth wrote:

> I know we have to have a few people on here who've written technical RFCs 
> (as opposed to 1 April ones like my RFC 2100)...
> 
> Any tips on 1) how to do inline boldface and 2) what to do with ASCIIart 
> illustrations that are too wide for the page?
> 
> I'm using Stefan Santesson's nroffEdit (since I'm presently stuck on Windows),
> but it doesn't seem to like .B/.R or \fB / \fP for the former, and on the
> latter point, it's simply unclear how I should approach the thing (a
> four-column time-sequence diagram of a network transaction, similar to that
> of the four-point SIP call).

These days I think things are done with the help
of xml2rfc, I have used xxe Personal Edition with
the xxe-xml2rfc plugin, so no nroff needed really anymore.

Marcin


Re: Gmail spam filtering

2015-11-22 Thread Marcin Cieslak
On Sun, 22 Nov 2015, Grant Taylor via NANOG wrote:

> On 11/22/2015 12:36 PM, Jay R. Ashworth wrote:
> > I've just added an SPF for the domain.
> 
> While you are at it, consider adding DKIM too.
> 
> You might as well publish DMARC records if you have SPF and DKIM.

I do only DKIM and no SPF for my domain names and it mostly works with Gmail.

Marcin


Re: *tap tap* is this thing on?

2015-10-26 Thread Marcin Cieslak
On Mon, 26 Oct 2015, Josh Luthman wrote:

> > It's mailman - I believe there's a moderation switch to stop all messages
> > dead in their tracks for approval.  I've used it before, but don't remember
> > the exact name of the feature in the mailman admin UI.

http://mailman.nanog.org/mailman/admin/nanog/?VARHELP=general/emergency

Emergency moderation

> That would be a lot of work to keep up with, though...

Almost no real messages were sent for more than a day...

Marcin


Re: Does no one monitor the list on weekends?

2015-10-26 Thread Marcin Cieslak
On Mon, 26 Oct 2015, Jim Mercer wrote:

> On Sun, Oct 25, 2015 at 09:59:40PM -0400, Robert Webb wrote:
> > This spam is ridiculous!
> 
> it should be noted that it has been flowing all weekend, and nobody really
> complained or even commented on it until this morning.
> 
> so, yeah, maybe the list is on auto-pilot, which is totally understandable.
> 
> however, all the members seemed to be on auto-pilot as well.
> 
> (or maybe enjoying their weekend)

No real on-call, shift-work operators here any more :)


Re: The spam is real

2015-10-26 Thread Marcin Cieslak
On Sun, 25 Oct 2015, Josh Luthman wrote:

> Can we please get a filter for messages with the subject "Fw: new message"
> ???

I have this in my $HOME/.procmailrc:

:0:
* ^List-ID:.*nanog.nanog.org>
* ^Subject: Fw: new message
nanog-junk

355 pieces since I put this rule (only two or so missed).

Marcin


Re: cisco.com unavailable

2015-09-21 Thread Marcin Cieslak
On Mon, 21 Sep 2015, Murat Kaipov wrote:

> Hi folks!
> Is cisco.com unavailable or it is affected just for Rostelecom?

http://www.downforeveryoneorjustme.com/cisco.com

> It's just you. http://cisco.com is up.

~Marcin


Re: Microsoft blocking mail

2015-09-18 Thread Marcin Cieslak
On Fri, 18 Sep 2015, Tei wrote:

> On 18 September 2015 at 04:48, Keith Medcalf wrote:
> >
> > Being blocked is probably a good thing ...
> 
> 
> CGI forms that do the validation in the serverside are not up to
> modern expectations*.  You want to do validation clientside.

If you do client-side and no server-side, you have a huge security problem.

~Marcin


Re: Synful Knock questions...

2015-09-15 Thread Marcin Cieslak
On Tue, 15 Sep 2015, Jake Mertel wrote:

> Reading through the article @
> https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-_acis.html,
> I'm led to believe that the process(es) they overwrite are selected to
> cause no impact to the device. Relevant excerpt:
> 
> ###
> Malware Executable Code Placement
> 
> To prevent the size of the image from changing, the malware overwrites
> several legitimate IOS functions with its own executable code. The
> attackers will examine the current functionality of the router and
> determine functions that can be overwritten without causing issues on the
> router. Thus, the overwritten functions will vary upon deployment.
> ###
> 
> So, if the device in question isn't using OSPF, then the malware may
> overwrite the code for the OSPF process, allowing them to A) infect the
> device; B) cause no disruption to the operational state of the device
> (since, presumably, OSPF isn't going to be turned on); and C) keep the
> image firmware file size the same, preventing easy detection of the
> compromise.

That explains why on my home IOS router either IPsec works properly or 802.11,
but never both :)

~Marcin


Re: outlook.com outgoing blacklists?

2015-09-10 Thread Marcin Cieslak
On Thu, 10 Sep 2015, Todd K Grand wrote:

> The problem has been resolved.
> Thanks to everybody that contributed.

And the issue was...?

~Marcin


Re: Whois.net down?

2015-09-03 Thread Marcin Cieslak
On Thu, 3 Sep 2015, Brian Reichert wrote:

> On Thu, Sep 03, 2015 at 09:59:02PM +0700, David S. wrote:
> > Hi Brian,
> > 
> > I'm able to access https://whois.net, have you checked the nameserver of
> > numachi.com?
> > Does the other domain use the same authoritative DNS?
> 
> I can access the web page.  When I use the page for certain domains,
> sometimes, I successfully get results.
> 
> Other domains, such as NUMACHI.COM, I get the error I reported.
> 
> CLI-based versions of whois work just fine for all domains I'm
> concerned about; it's that web-based version that is selectively
> failing.

whois.net is some site operated by NTT/Verio, 
this domain tech contact seems to be:

Tech Name: Verio Hostmaster
Tech Organization:
Tech Street: 8005 S. Chester Street Suite 200
Tech City: Englewood
Tech State/Province: CO
Tech Postal Code: 80112
Tech Country: US
Tech Phone: +1.2142908620
Tech Phone Ext:
Tech Fax: +1.2147451877
Tech Fax Ext:
Tech Email: hostmas...@verio.net

although you might have better chance via Twitter
https://twitter.com/WhoisNet :(

~Marcin


Re: On Cisco gear, is it possible to retrieve communities associated with a received BGP route via SNMP?

2015-08-20 Thread Marcin Cieslak
On Thu, 20 Aug 2015, Jesse McGraw wrote:

> I'm looking through their MIB browser and I don't see anything about
> communities nor anything that sounds likely under bgp4PathAttrEntry
>
> Can anyone point me in the right direction?

Doesn't seem to be there. Can you check if they
end up as strings with bgp4PathAttrUnknown ?
Although those should be not understood
by this BGP4 speaker

~Marcin


Re: Data Center operations mail list?

2015-08-11 Thread Marcin Cieslak
On Tue, 11 Aug 2015, James Downs wrote:

 
> > On Aug 11, 2015, at 06:01, Rafael Possamai raf...@gav.ufsc.br wrote:
> >
> > style as nanog and registered the nadcog.org domain.
>
> Nad Cog?


datacenterops.org is still available *hint*hint*

~Marcin



Re: Hotels/Airports with IPv6

2015-07-09 Thread Marcin Cieslak
On Thu, 9 Jul 2015, Ca By wrote:

> On Thursday, July 9, 2015, Mel Beckman m...@beckman.org wrote:
>
> > I'm working on a large airport WiFi deployment right now. IPv6 is allowed
> > for in the future but not configured in the short term. With less than
> > 10,000 ephemeral users, we don't expect users to demand IPv6 until most
> > mobile devices and apps come ready to use IPv6 by default.
>
> 1. Users will never demand ipv6. They demand google and facebook. So that
> road goes nowhere

I wonder if the front desk ever understood and forwarded my complaints
about filtered ports (like 22) and other issues with NAT and firewalls.

How do we know what customers demand if they don't bother reporting
or are unable to produce a sophisticated report going beyond
"it does not work for me"?

What if Microsoft releases a portable IPv6-only game console one day?

~Marcin



Re: Flows with destination port 0 and TCP SYN flag set

2015-06-17 Thread Marcin Cieslak
On Wed, 17 Jun 2015, Maqbool Hashim wrote:

> It is always the same destination servers and in normal operations
> these source and destination hosts do have a bunch of legitimate flows
> between them.  I was leaning towards it being a reporting artifact,
> but it's interesting that there are a whole set of Ack Reset packets
> from the destination hosts with a source port of 0 also.

So the destination host is sending ACK+RST with the *source* port
set to zero, or the *destination* port?

> Does this not indicate that it probably isn't a reporting artifact?

I would just tcpdump on one of the source machines to find out.

~Marcin


Re: Multiple vendors' IPv6 issues

2015-05-27 Thread Marcin Cieslak
On Tue, 26 May 2015, David Sotnick wrote:

> Arista EOS code — and it only appears to affect Virtual Machines which are
> behind our RedHat Enterprise Virtualization cluster. None of the hundreds
> of VMware-connected hosts are affected. The symptom is basically the same
> as the Palo Alto bug. Neighbor table gets in some weird state where ND

Is VMWare contributing somehow to the problem?

Marcin


Re: Transparent hijacking of SMTP submission...

2014-11-29 Thread Marcin Cieslak
On Thu, 27 Nov 2014, joel jaeggli wrote:

> I don't see this in my home market, but I do see it in someone else's...
> I kind of expect this for port 25 but...
>
> J@mb-aye:~$telnet 147.28.0.81 587
> Trying 147.28.0.81...
> Connected to nagasaki.bogus.com.
> Escape character is '^]'.
> 220 nagasaki.bogus.com ESMTP Sendmail 8.14.9/8.14.9; Thu, 27 Nov 2014
> 19:17:44 GMT
> ehlo bogus.com
> 250-nagasaki.bogus.com Hello XXX.wa.comcast.net
> [XXX.XXX.XXX.XXX], pleased to meet you
> 250 ENHANCEDSTATUSCODES

Seen some anti-virus software (on Windows) doing this.
You might not be running Windows though. Some home
router with some security improvement ?

//Marcin


Re: Netalyzr Android: call for volunteers

2014-10-12 Thread Marcin Cieslak



On Sun, 5 Oct 2014, Srikanth Sundaresan wrote:

> If you're interested, you can download and run the app from
> Google Play [1].
>
> [1] https://play.google.com/store/apps/details?id=edu.berkeley.icsi.netalyzr.android&hl=en


For those few who use Android (Cyanogenmod)
and opt out of using Google services, is
a direct .apk download available somewhere?

If the app itself is open source, .apk
could be provided by the alternative
markets such as fdroid.org

//Marcin