Re: Carrier Options in Bogota

2022-07-01 Thread Max Tulyev




01.07.22 16:47, nanoguser99 via NANOG wrote:

Nanog,

I need good connectivity to local eyeball networks there.  I've explored 
Cogent, Lumen, and a local called Telxius and results are all over the 
map.  Is there a provider that's 'well peered' with all the locals?  
Hoping this formats correctly but here's the results of ping tests on 
various looking glasses to prefixes of the various locals.


Local Carriers                          IP Prefix         Telxius     Lumen    Cogent
COLOMBIA TELECOMUNICACIONES S.A. ESP    152.200.0.0/14    22.025 ms   164 ms   115 ms
Telmex Colombia S.A. (Claro)            190.144.0.0/14    14.319 ms   63 ms    115 ms
Empresas Públicas de Medellín E.S.P.    201.220.30.0/23   94.264 ms   126 ms   102 ms
Movistar Colombia                       186.116.14.0/24   38.894 ms   193 ms   118 ms
ETB - Colombia                          186.154.0.0/16    5.340 ms    130 ms   2.21 ms
Columbus Networks Colombia              138.121.12.0/24   60.212 ms   99 ms    89.8 ms
Metrotel Colombia                       190.1.128.0/19    20.989 ms   148 ms   90.5 ms


Any advice?


If your service is critical to RTT and bandwidth - you only have to rent 
a DWDM channels to Bogota and build your own connectivity there.


Re: FCC proposes higher speed goals (100/20 Mbps) for USF providers

2022-05-24 Thread Max Tulyev
Do they help with a local government ("we do not need your cables, go 
away")?


23.05.22 21:56, Sean Donelan wrote:


Money, money, money.


On Mon, 23 May 2022, Aaron Wendel wrote:

The Fiber Broadband Association estimates that the average US 
household will need more than a gig within 5 years.  Why not just jump 
it to a gig or more?



On 5/23/2022 1:40 PM, Sean Donelan wrote:


https://www.fcc.gov/document/fcc-proposes-higher-speed-goals-small-rural-broadband-providers-0 

The Federal Communications Commission voted [May 19, 2022] to seek 
comment on a proposal to provide additional universal service support 
to certain rural carriers in exchange for increasing deployment to 
more locations at higher speeds. The proposal would make changes to 
the Alternative Connect America Cost Model (A-CAM) program, with the 
goal of achieving widespread deployment of faster 100/20 Mbps 
broadband service throughout the rural areas served by rural carriers 
currently receiving A-CAM support.









Re: Question re prevention of enumeration with DNSSEC (NSEC3, etc.)

2022-05-24 Thread Max Tulyev

11.05.22 15:31, Masataka Ohta wrote:

As I wrote:


But some spam actors
deliberately compared zone file editions to single out additions, and
then harass the owners of newly registered domains, both by e-mail and
phone.


If that is a serious concern, stop whois.


There are various ways, such as crawling the web, to enumerate
domain names.


Come on, web is dying! People are moving to mobile applications!
So more and more domains do not need any web site by design.


Re: Newbie x Cisco IOS-XR x ROV: BCP to not harassing peer(s)

2022-05-24 Thread Max Tulyev

15.05.22 00:19, Nick Hilliard wrote:
a malicious actor will spoof the origin AS.  The aim of RPKI to help 
stop mis-origination of prefixes, and the root cause of most of this is 
accidental.


To make a working hijack of the routed prefix (for sniffing traffic, 
DDoS or something similar), you have to announce a more specific 
prefix(es). It can be denied by RPKI.


If your signed RPKI prefix is still unannounced - yes, somebody can 
hijack it by forging the origin ASN - that's quite easy.
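
The two cases discussed in this message, as an added example that is not part of the original post: a small RFC 6811 route origin validation in Python, showing that a more-specific announcement is rejected while an announcement of the exact signed prefix with a forged origin still validates. The prefixes, AS numbers and the single ROA are constructed from documentation ranges.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class VRP:
    """Validated ROA Payload: prefix, maxLength and the authorized origin AS."""
    prefix: str
    max_length: int
    asn: int


def rov_state(prefix, as_path, vrps):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # only the rightmost AS of the path is checked
    covered = False
    for vrp in vrps:
        roa_net = ipaddress.ip_network(vrp.prefix)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue  # this VRP does not cover the route
        covered = True
        # A match needs the same origin AS and a length within maxLength.
        # AS 0 in a ROA never matches any route.
        if vrp.asn != 0 and vrp.asn == origin and route.prefixlen <= vrp.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


# Constructed sample data (documentation prefixes and AS numbers).
HOLDER, OTHER, TRANSIT = 64496, 64511, 64500
VRPS = [VRP("203.0.113.0/24", 24, HOLDER)]


def demo():
    return {
        # The holder's own announcement.
        "holder /24": rov_state("203.0.113.0/24", [TRANSIT, HOLDER], VRPS),
        # More-specific from another AS: wrong origin and too long.
        "more-specific, other origin":
            rov_state("203.0.113.0/25", [TRANSIT, OTHER], VRPS),
        # More-specific with the holder's AS appended: still longer than maxLength.
        "more-specific, forged origin":
            rov_state("203.0.113.0/25", [TRANSIT, OTHER, HOLDER], VRPS),
        # Exact prefix with the holder's AS appended: ROV cannot tell it apart.
        "exact /24, forged origin":
            rov_state("203.0.113.0/24", [TRANSIT, OTHER, HOLDER], VRPS),
        # Prefix with no covering ROA at all.
        "no ROA": rov_state("192.0.2.0/24", [TRANSIT, OTHER], VRPS),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:32s} {state}")
```

The "valid" result for the exact prefix with a forged origin is the case the message describes for a signed but unannounced prefix; origin validation alone does not flag it.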


Re: Russian aligned ASNs?

2022-02-25 Thread Max Tulyev
Better just apply EU sanctions to RIPE NCC. Wait for some time. And see 
all Russians are NATed to several Chinese IPs ;) No ASN, no BGP, no 
hijacks, no DDoSes...


25.02.22 02:40, William Allen Simpson wrote:

There have been reports of DDoS and new targeted malware attacks.

There were questions in the media about cutting off the Internet.

Apparently some Russian government sites have already cut themselves
off, presumably to avoid counterattacks.

Would it improve Internet health to refuse Russian ASN announcements?

What is our community doing to assist Ukraine against these attacks?



Re: SentryPeer: A distributed peer to peer list of bad IP addresses and phone numbers collected via a SIP Honeypot

2021-11-26 Thread Max Tulyev

Hi Gavin,

I thought to do something similar ;)

As I can see in the code, you count somebody as a bad actor just because 
of one UDP packet is received. It is a bad idea, because it is easy to 
spoof that packet and make a DoS against some good actor.


Right way: you have to simulate a SIP dialog with this actor, i.e. reply 
them something and wait for the reaction. If the reaction will be like 
in a normal SIP call processing - congratulations, you found a hacker! 
If not, like you sent them a packet they do not expect - it is a DoS and 
a spoofed packet.


24.11.21 23:19, Gavin Henry wrote:

Hi all,

I hope you don't mind the post, but thought this might be of use and
in the spirit of release early, release often I've done an alpha
release:

https://github.com/SentryPeer/SentryPeer

There's a presentation too if you'd like to watch/read where I hope to
go with this:

https://blog.tadsummit.com/2021/11/17/sentrypeer/

Working on the API and web UI next, then the p2p part of it. Feel free
to submit any feature requests or have a play :-)

Thanks for reading and any feedback is welcome!
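
One way to implement the check suggested in the reply above, as an added example that is not SentryPeer's code or part of the original posts: the honeypot answers a first request with a SIP digest challenge whose nonce is an HMAC over the source address, and records a source only when a later request from the same address returns that nonce. The class, realm, addresses and messages are constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets

REALM = "honeypot.example"  # placeholder realm
NONCE_TTL = 30              # seconds during which a challenge may be answered
NONCE_RE = re.compile(r'^Authorization:.*?\bnonce="([^"]+)"', re.I | re.M)


class SipHoneypot:
    """Records a source only after it has answered a challenge we sent to it."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)
        self.confirmed = set()  # source IPs proven able to receive our replies

    def _nonce(self, src, issued):
        # Stateless challenge: bound to source IP, source port and issue time.
        msg = f"{src[0]}|{src[1]}|{issued}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).hexdigest()[:32]
        return f"{issued}.{mac}"

    def _nonce_ok(self, src, nonce, now):
        try:
            issued = int(nonce.partition(".")[0])
        except ValueError:
            return False
        if not 0 <= now - issued <= NONCE_TTL:
            return False  # too old, or claims to be from the future
        expected = self._nonce(src, issued)
        return hmac.compare_digest(nonce.encode(), expected.encode())

    def handle(self, src, packet, now):
        """Process one UDP payload from src=(ip, port); returns the reply."""
        m = NONCE_RE.search(packet)
        if m and self._nonce_ok(src, m.group(1), now):
            # The sender saw our 401, so the source address is not spoofed.
            self.confirmed.add(src[0])
            return "SIP/2.0 403 Forbidden\r\n\r\n"
        # First contact or bad nonce: challenge, record nothing.
        return ("SIP/2.0 401 Unauthorized\r\n"
                f'WWW-Authenticate: Digest realm="{REALM}", '
                f'nonce="{self._nonce(src, now)}"\r\n\r\n')


def register(user, nonce=None):
    """Constructed minimal REGISTER, optionally answering a challenge."""
    lines = [f"REGISTER sip:{REALM} SIP/2.0",
             f"To: <sip:{user}@{REALM}>", "CSeq: 1 REGISTER"]
    if nonce:
        lines.append(f'Authorization: Digest username="{user}", '
                     f'realm="{REALM}", nonce="{nonce}", response="0"')
    return "\r\n".join(lines) + "\r\n\r\n"


def demo():
    hp = SipHoneypot(secret=b"constructed-test-key")
    bystander = ("192.0.2.10", 5060)   # address forged into spoofed packets
    scanner = ("198.51.100.7", 5071)   # host that really talks to us

    # Spoofed packets: the 401 goes to the bystander, nobody answers it,
    # and a guessed nonce does not verify.
    hp.handle(bystander, register("100"), now=1000)
    hp.handle(bystander, register("100", nonce="1000." + "0" * 32), now=1001)
    after_spoof = set(hp.confirmed)

    # Real scanner: receives the challenge and comes back with it.
    reply = hp.handle(scanner, register("100"), now=1000)
    nonce = re.search(r'nonce="([^"]+)"', reply).group(1)

    # A nonce issued to the scanner is useless from the bystander's address.
    hp.handle(bystander, register("100", nonce=nonce), now=1002)
    after_replay = set(hp.confirmed)

    final = hp.handle(scanner, register("100", nonce=nonce), now=1002)
    return after_spoof, after_replay, set(hp.confirmed), final.split("\r\n")[0]


if __name__ == "__main__":
    print(demo())
```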



Re: IPv6 and CDN's

2021-11-03 Thread Max Tulyev
Implementing IPv6 reduces costs for CGNAT. You will have (twice?) less 
traffic flow through CGNAT, so cheaper hardware and less IPv4 address 
space. Isn't it?


22.10.21 20:19, Mark Tinka wrote:



On 10/22/21 18:08, t...@pelican.org wrote:

I don't think it'll ever make money, but I think it will reduce 
costs.  CGNAT boxes cost money, operating them costs money, dealing 
with the support fallout from them costs money.  Especially in the 
residential space, where essentially if the customer calls you, ever, 
you just blew years' worth of margin.


The problem is accurately modelling cost reduction using native IPv6 in 
lieu of CG-NAT is hard when the folk that need convincing are the CFO's.


They are more used to "spend 1 to get 2". Convincing them to "save 2 by 
spending 1" - not as easy as one may think.


Mark.



Re: Global issues @ Telia - doing a "FB/hold my beer" move?

2021-10-07 Thread Max Tulyev
Really it depends on the problem source. BGP do not know either route 
really reachable or not. This time we was just lucky.


07.10.21 22:36, Ca By wrote:



On Thu, Oct 7, 2021 at 11:47 AM Max Tulyev <max...@netassist.ua> wrote:


We have 2 ports from Telia, one in Kiev (Ukraine) and one in New York
(USA). I have seen both ports simultaneously dropped traffic volume for
about one hour today.

It was not critical (for us), as traffic was shifted to another links,
and there was no unreachable destinations like BGP announces with
traffic blackholed. But looks strange.


Thats why it is called the bridging gap protocol

While Telia barfed, it bridged the gap.

See, bgp is not all bad. There are no bad routes, only bad days



07.10.21 21:23, Vincentz Petzholtz wrote:
 > Hi everyone,
 >
 > Looks like the season for outages is on. Does anyone has more
details regarding the issues at Telia? I didn't found any public
available information. They say it's over but this is clearly not
the case.
 >
 > Best regards,
 > Vincentz
 >



Re: Global issues @ Telia - doing a "FB/hold my beer" move?

2021-10-07 Thread Max Tulyev
We have 2 ports from Telia, one in Kiev (Ukraine) and one in New York 
(USA). I have seen both ports simultaneously dropped traffic volume for 
about one hour today.


It was not critical (for us), as traffic was shifted to another links, 
and there was no unreachable destinations like BGP announces with 
traffic blackholed. But looks strange.


07.10.21 21:23, Vincentz Petzholtz wrote:

Hi everyone,

Looks like the season for outages is on. Does anyone has more details regarding 
the issues at Telia? I didn't found any public available information. They say 
it's over but this is clearly not the case.

Best regards,
Vincentz



Re: [EXTERNAL] Re: dumb question: are any of the RIR's out of IPv4 addresses?

2021-02-19 Thread Max Tulyev

We can help, of course ;)

Mail me off-list for details. Or isn't it off-topic right here?

17.02.21 06:53, Mann, Jason via NANOG wrote:

Any recommendations for legitimate ip brokers?


From: NANOG on behalf of Michael Thomas
Sent: Tuesday, February 16, 2021 5:46 PM
To: Fred Baker
Cc: nanog@nanog.org
Subject: [EXTERNAL] Re: dumb question: are any of the RIR's out of IPv4 addresses?


On 2/16/21 4:18 PM, Fred Baker wrote:
You may find this article interesting: 
https://urldefense.com/v3/__https://blog.apnic.net/2019/12/13/keep-calm-and-carry-on-the-status-of-ipv4-address-allocation/__;!!GaaboA!999i8DMj5mceMG2R6J8wgZ29XjBhQvAJU3QMixqhvjqpQCsdAvcck6BpWKVqMw$ 
 





So aside from Afrinic, this is all being done on the gray market?
Wouldn't you expect that price to follow something like an exponential
curve as available addresses become more and more scarce and unavailable
for essentially any price?

Mike



Sent from my iPad


On Feb 16, 2021, at 3:07 PM, Michael Thomas  wrote:


Basically are there places that you can't get allocations? If so, 
what is happening?


Mike



Microsoft is hacking my Asterisk??? O_o

2020-11-03 Thread Max Tulyev

Hi All,

I have just seen a number of IPs trying to brute-force my VoIP server 
from Microsoft network. For example, 13.90.148.133, 20.55.203.249, 
40.76.244.210... Traceroute really goes to MSN. More than a half of all 
usual attempts to hack my Asterisk I got today, came from MSN.


What is happening? Am I missed something?


Netflix people?

2020-08-10 Thread Max Tulyev

Hi All,

is there anyone from Netflix?

We have a strange problem: our customers also customers of Netflix when 
connecting to Netflix sees 404 error. If they change IP to another ISP - 
everything works fine. The support can't solve it.


SaoPaolo to Frankfurt

2020-07-12 Thread Max Tulyev

Hi All!

Who can provide a VLAN from SaoPaolo to Frankfurt for remote IX.BR 
participation? Please contact me off-list.


I see there is only one undersea cable going directly from Brazil to 
Europe. Why?


Re: Quality of the internet

2020-06-18 Thread Max Tulyev

Hi,

in our region (CIS, eastern Europe) we still have issues
with overloaded international transport and bad quality of international 
channels from time to time (especially at the beginning of COVID19).


While Internet looks slow, but still usable, this case VoIP goes really bad.

Our regional specific is strong and very cheap internal (inside country) 
connectivity. So one of solution can be join local IXes by dedicated L2 
(DWDM) channels.


Ask me off-list if you want some help/solutions ;)


17.06.20 23:47, Dovid Bender wrote:

Hi,

My 9-5 is working for a VoIP provider. When we started in 2006 we had a 
lot of issues with the quality of the internet in eastern europe and 
central Asia. It was not rare for us to have to play around with routing 
to get the quality that we needed. In a review of tickets for the last 
two years it seems as if we barely do any of that these days. Rarely do 
we get a quality complaint that comes back to an issue where a carrier 
or ISP dropping or mangling packets. Has anyone else observed this as well?





Re: FCC proposes $10 Million fine for spoofed robocalls

2020-01-07 Thread Max Tulyev
Not only international call costs money (yes, it is extremely cheap SIP 
nowadays), but the time of call center operators costs money as well. And 
it is really not so cheap for the end customer (i.e. spammer), even in 
India.


20.12.19 19:56, Mark Milhollan wrote:

On Thu, 19 Dec 2019, Keith Medcalf wrote:

You should ALWAYS talk to the call center behind the robocaller.  The 
robocaller (the one playing the message) is relatively local and the 
cost of that call is minimal.  When you select to talk to the 
robocaller, that generates an international handoff to a call center 
in India.


Generally the call center phone number is also "local" even if the warm 
body is in some other country as that usually occurs via SIP.



/mark



Re: FCC proposes $10 Million fine for spoofed robocalls

2020-01-07 Thread Max Tulyev

I do that every time ;)

As the owner of telco, I even get small money for this call termination.

Also, we implemented immediate answer and voice menu option, it says 
"Welcome, press ... to reach ...!" and circles. So me (as the telco 
operator) receive the money for call termination, and real customer do 
not get a spam call. Looks like captcha in the Internet!


20.12.19 02:09, Keith Medcalf wrote:


This, of course, will do no good.  These so called "Robocalls" are exactly 
that.  They generate a random number to call and play the silly canned message.  If you 
press whatever the code is to talk to the idiots, they then hand off the call to a call 
center.

You should ALWAYS talk to the call center behind the robocaller.  The 
robocaller (the one playing the message) is relatively local and the cost of 
that call is minimal.  When you select to talk to the robocaller, that 
generates an international handoff to a call center in India.  This costs more 
money (it costs THEM more money).  The longer you can keep the bastards talking 
on the phone, the MORE it costs them.  It can also be quite entertaining and 
you can keep them on the line for HOURS with enough practice.

If you do this EVERY SINGLE TIME then in rather short order your telephone number will be fed back 
to the company doing the "robocalling" as a "bad target" and you will get no 
more robocalls (since there are only two or three companies in the whole world who run the front 
end for a whole shitload of scammers).

Conversely if you do not answer or hang up on the robo-message, you will be classified as 
an "excellent target" and you will get MORE calls.



Re: CloudFlare issues?

2019-06-24 Thread Max Tulyev

24.06.19 19:04, Matthew Walster wrote:



On Mon, 24 Jun 2019, 16:28 Max Tulyev, <max...@netassist.ua> wrote:


1. Why Cloudflare did not immediately announced all their address space
by /24s? This can put the service up instantly for almost all places


Probably RPKI and that being a really bad idea that takes a long time to 
configure across every device, especially when you're dealing with an 
anycast network.


Good idea is to prepare it and provisioning tools before ;)


2. Why almost all carriers did not filter the leak on their side, but
waited for "a better weather on Mars" for several hours?


Probably most did not notice immediately, or trusted their fellow large 
carrier peers to fix the matter faster than their own change control 
process would accept such a drastic change that had not been fully 
analysed and identified. The duration was actually quite low, on a human 
scale...


Did not notice a lot of calls "I can't access ..."? Really?
OK, then another question. Which time from that calls starts to "people 
who know BGP know about it" is good?


Re: Verizon Routing issue

2019-06-24 Thread Max Tulyev

24.06.19 17:44, Jared Mauch wrote:

1. Why Cloudflare did not immediately announced all their address space by 
/24s? This can put the service up instantly for almost all places.

They may not want to pollute the global routing table with these entries.  It 
has a cost for everyone.  If we all did this, the table would be a mess.


yes, it is. But it is a working, quick and temporary fix of the problem.


2. Why almost all carriers did not filter the leak on their side, but waited for "a 
better weather on Mars" for several hours?

There’s several major issues here

- Verizon accepted garbage from their customer
- Other networks accepted the garbage from Verizon (eg: Cogent)
- known best practices from over a decade ago are not applied


That's it.

We have several IXes connected, all of them had a correct aggregated 
route to CF. And there was one upstream distributed leaked more specifics.


I think 30min maximum is enough to find out a problem and filter out 
it's source on their side. Almost nobody did it. Why?


Re: CloudFlare issues?

2019-06-24 Thread Max Tulyev

Hi All,

here in Ukraine we got an impact as well!

Have two questions:

1. Why Cloudflare did not immediately announced all their address space 
by /24s? This can put the service up instantly for almost all places.


2. Why almost all carriers did not filter the leak on their side, but 
waited for "a better weather on Mars" for several hours?


24.06.19 13:55, Dmitry Sherman wrote:

Hello are there any issues with CloudFlare services now?

Dmitry Sherman
dmi...@interhost.net
Interhost Networks Ltd
Web: http://www.interhost.co.il
fb: https://www.facebook.com/InterhostIL
Office: (+972)-(0)74-7029881 Fax: (+972)-(0)53-7976157




Re: Webzilla

2019-03-17 Thread Max Tulyev
It's quite conveniently to have all botnets C in several known ASNs. 
More pain if it will be spread through thousands regular residential 
customers, like when use fast(double)flux or peertopeer technologies ;) 
Joke.


Really, there were a lot of cases all upstreams had disconnected some 
ASN for that type of activity. So it really works.


16.03.19 22:51, Ronald F. Guilmette wrote:

[[ My apologies to those of you who may see this twice.  I have posted the
message below also to the RIPE Anti-Abuse Working Group mailing list,
so any of you who are on that list also will see this twice.  But I
believe that it is relevant here also. ]]



Perhaps some folks here might be interested to read these two reports,
the first of which is a fresh news report published just a couple of
days ago, and the other one is a far more detailed investigative report
that was completed some time ago now.

https://www.buzzfeednews.com/article/kenbensinger/dossier-gubarev-russian-hackers-dnc

https://www.documentcloud.org/documents/5770258-Fti.html

Please share these links widely.

The detailed technical report makes it quite abundantly clear that
Webzilla, and all of its various tentacles... many of which even I didn't
know about until seeing this report... most probably qualifies as, and
has qualified as a "bullet proof hosting" operation for some considerable
time now.  As the report notes, the company has received over 400,000
complaints or reports of bad behavior, and it is not clear to me, from
reading the report, if anyone at the company even bothered to read any
more than a small handful of those.

I have two comments about this.

First, I am inclined to wonder aloud why anyone is even still peering
with any of the several ASNs mentioned in the report.  To me, the mere
fact that any of these ASNs still have connectivity represents a clear
and self-evident failure of "self policing" in and among the networks
that comprise the Internet.

Second, it has already been a well known fact, both to me and to many
others, for some years now, that Webzilla is by no means alone in the
category commonly referred to as "bullet proof hosters".  This fact
itself raises some obvious questions.

It is clear and apparent, not only from the report linked to above, but
from the continuous and years-long existence of -many- "bullet proof
hosters" on the Internet that there is no shortage of a market for the
services of such hosting companies.  The demand for "bullet proof"
services is clearly there, and it is not likely to go away any time
soon.  In addition to the criminal element, there are also various
mischievous governments, or their agents, that will always be more
than happy to pay premium prices for no-questions-asked connectivity.

So the question naturally arises:  Other than de-peering by other networks,
are there any other steps that can be taken to disincentivize networks
from participating in this "bullet proof" market and/or to incentivize
them to give a damn about their received network abuse complaints?

I have no answers for this question myself, but I felt that it was about
time that someone at least posed the question.

The industry generally, and especially in the RIPE region, has a clear
and evident problem that traditional "self policing" is not solving.
Worse yet, it is not even discussed much, and that is allowing it to
fester and worsen, over time.

It would be Good if there was some actual leadership on this issue, at
least from -some- quarter.  So far I have not noticed any such worth
mentioning.  And even looking out towards the future horizon, I don't
see any arriving any time soon.


Regards,
rfg



Re: IPv6 and forensic requests

2019-02-10 Thread Max Tulyev

Great, thank you!

Did you manage to whitelist APN at Apple so iOS devices can use it too?

10.02.19 20:06, JORDI PALET MARTINEZ wrote:

Well, if it is mobile, then definitively you should use /64 for every PDP 
context, and clearly is NAT64.

In this case, you don't need to take care about the CLAT part, just look at the 
/64 prefix for the logging.

Make sure to talk about stateful NAT64 ... otherwise you create lot of 
confusion.

You've some deployment hints at
https://datatracker.ietf.org/doc/draft-ietf-v6ops-nat64-deployment/

Also, google for some of my IPv6-only tutorials (last RIPE meeting, APNIC 
meeting, etc., there are even videos of them).

Regards,
Jordi
  
  


-Original Message-
From: NANOG on behalf of Max Tulyev
Date: Sunday, 10 February 2019, 16:30
CC: NANOG
Subject: Re: IPv6 and forensic requests

 Hello Jordi,
 
 thank you, I will take a look on Jool!
 
 Exactly CLAT was the issue.
 
 First, I thought to provide a /128 to every mobile, and then do a static

 6to4 to certain public IPv4. But it seems mobile need a /64, and it uses
 a lot of random IPv6 inside assigned /64, several addresses together at
 each time, CLAT uses the most of it (on Android). So direct translation
 6->public4 is impossible.
 
 10.02.19 15:51, JORDI PALET MARTINEZ wrote:

 > Do you really mean 6to4 or NAT64? Totally different things ...
 >
 > If that's the case, I will suggest you go for Jool instead of Tayga.
 >
 > Also, if you want the customers are able to use old IPv4 apps and
 > devices, NAT64 is not sufficient, you need also CLAT at the customer
 > premises (so they can run 464XLAT).
 >
 > Regards,
 > Jordi
 >
 > -Original Message-
 > From: NANOG on behalf of Max Tulyev
 > Date: Sunday, 10 February 2019, 14:26
 > To: NANOG
 > Subject: IPv6 and forensic requests
 >
 >  Hi All,
 >
 >  we are implementing IPv6 only infrastructure.
 >
 >  For IPv4 access, we using tayga for 6to4 translation and then CGN
 >  for NAT.
 >
 >  There is a number of ways for Linux based NAT to store information for
 >  future forensic requests (i.e. "who was it cracking that website?").
 >
 >  But what about 6to4 translators, as tayga? I believe there should be
 >  well-known patches or solutions. The aim is to have what /64 (not even
 >  /128) was translated to what IPv4 at the requested time.
 >
 >  Is there any?
 >
 > **
 > IPv4 is over
 > Are you ready for the new Internet ?
 > http://www.theipv6company.com
 > The IPv6 Company
 >
 > This electronic message contains information which may be privileged or
 > confidential. The information is intended to be for the exclusive use of the
 > individual(s) named above and further non-explicitly authorized disclosure,
 > copying, distribution or use of the contents of this information, even if
 > partially, including attached files, is strictly prohibited and will be
 > considered a criminal offense. If you are not the intended recipient be aware
 > that any disclosure, copying, distribution or use of the contents of this
 > information, even if partially, including attached files, is strictly
 > prohibited, will be considered a criminal offense, so you must reply to the
 > original sender to inform about this communication and delete it.
 










Re: IPv6 and forensic requests

2019-02-10 Thread Max Tulyev

Hello Jordi,

thank you, I will take a look on Jool!

Exactly CLAT was the issue.

First, I thought to provide a /128 to every mobile, and then do a static 
6to4 to certain public IPv4. But it seems mobile need a /64, and it uses 
a lot of random IPv6 inside assigned /64, several addresses together at 
each time, CLAT uses the most of it (on Android). So direct translation 
6->public4 is impossible.


10.02.19 15:51, JORDI PALET MARTINEZ wrote:

Do you really mean 6to4 or NAT64? Totally different things ...

If that's the case, I will suggest you go for Jool instead of Tayga.

Also, if you want the customers are able to use old IPv4 apps and devices, 
NAT64 is not sufficient, you need also CLAT at the customer premises (so they 
can run 464XLAT).

Regards,
Jordi
  
  


-Original Message-
From: NANOG on behalf of Max Tulyev
Date: Sunday, 10 February 2019, 14:26
To: NANOG
Subject: IPv6 and forensic requests

 Hi All,
 
 we are implementing IPv6 only infrastructure.
 
 For IPv4 access, we using tayga for 6to4 translation and then CGN for NAT.
 
 There is a number of ways for Linux based NAT to store information for

 future forensic requests (i.e. "who was it cracking that website?").
 
 But what about 6to4 translators, as tayga? I believe there should be

 well-known patches or solutions. The aim is to have what /64 (not even
 /128) was translated to what IPv4 at the requested time.
 
 Is there any?
 










IPv6 and forensic requests

2019-02-10 Thread Max Tulyev

Hi All,

we are implementing IPv6 only infrastructure.

For IPv4 access, we using tayga for 6to4 translation and then CGN for NAT.

There is a number of ways for Linux based NAT to store information for 
future forensic requests (i.e. "who was it cracking that website?").


But what about 6to4 translators, as tayga? I believe there should be 
well-known patches or solutions. The aim is to have what /64 (not even 
/128) was translated to what IPv4 at the requested time.


Is there any?
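
The lookup this thread asks for, as an added example that is not code from the posts or from tayga or Jool: with stateful NAT64 the public IPv4 address is shared, so a forensic request has to be answered from per-session records by IPv4 address, port, protocol and time, and the answer is reported as the subscriber's /64. The CSV log format and every record below are constructed for illustration and are not the format of any real translator.

```python
import csv
import io
import ipaddress
from datetime import datetime, timezone
from typing import NamedTuple

# Constructed session log, one translation per line:
# start,end,proto,src6,src6_port,pool4,pool4_port,dst4,dst4_port
SAMPLE_LOG = """\
2019-02-10T14:00:01+00:00,2019-02-10T14:02:30+00:00,tcp,2001:db8:a:1:5c2f:11ff:fe00:1,40001,192.0.2.1,6000,198.51.100.80,443
2019-02-10T14:00:05+00:00,2019-02-10T14:03:00+00:00,tcp,2001:db8:a:1:91e4:7b02:33c1:9d,51514,192.0.2.1,6001,198.51.100.80,443
2019-02-10T14:05:00+00:00,2019-02-10T14:20:00+00:00,tcp,2001:db8:b:2:d0c4:a1ff:fe77:42,40001,192.0.2.1,6000,198.51.100.80,443
2019-02-10T14:06:00+00:00,2019-02-10T14:06:10+00:00,udp,2001:db8:c:3::1f,5353,192.0.2.1,6000,198.51.100.53,53
"""


class Session(NamedTuple):
    start: datetime
    end: datetime
    proto: str
    prefix64: ipaddress.IPv6Network   # subscriber /64, not the full /128
    pool4: ipaddress.IPv4Address      # public IPv4 the session was mapped to
    pool4_port: int


def subscriber_prefix(addr6):
    """Collapse any address a handset picked inside its /64 to that /64."""
    return ipaddress.ip_network(f"{addr6}/64", strict=False)


def parse_sessions(text):
    sessions = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        start, end, proto, src6, _sport, pool4, pport, _dst4, _dport = row
        sessions.append(Session(
            datetime.fromisoformat(start), datetime.fromisoformat(end),
            proto.lower(), subscriber_prefix(src6),
            ipaddress.ip_address(pool4), int(pport)))
    return sessions


def who_was(sessions, pool4, port, proto, at):
    """Return the /64 prefixes that held pool4:port/proto at time `at`."""
    pool4 = ipaddress.ip_address(pool4)
    hits = {str(s.prefix64) for s in sessions
            if s.pool4 == pool4 and s.pool4_port == port
            and s.proto == proto.lower() and s.start <= at <= s.end}
    return sorted(hits)


def utc(hour, minute, second=0):
    """Timestamp on the constructed sample day, 2019-02-10, in UTC."""
    return datetime(2019, 2, 10, hour, minute, second, tzinfo=timezone.utc)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    # Same public address and port, different subscriber a few minutes later.
    print(who_was(sessions, "192.0.2.1", 6000, "tcp", utc(14, 1)))
    print(who_was(sessions, "192.0.2.1", 6000, "tcp", utc(14, 10)))
```

The two queries differ only in the timestamp and return different subscribers, so a request that lacks the source port or an accurate time cannot be answered from such records.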


Re: Dnssec still inoperable on the internet ?— was ARIN NS down?

2019-01-11 Thread Max Tulyev
It's because you see problems it causes, and do not see problems it
solves ;)

11.01.19 17:58, Ca By wrote:
> Thanks for the update that dnssec STILL causes more real world problems
> than it solves. 
> 
> .
> 
> That said, arin is a pro outfit. If they can screw it up, like nasa, so
> can you. Know your threats and deploy wisely
> 
> -- Forwarded message -
> From: John Curran <jcur...@istaff.org>
> Date: Fri, Jan 11, 2019 at 6:36 AM
> Subject: Re: ARIN NS down?
> To: Suresh Ramasubramanian
> CC: NANOG <nanog@nanog.org>
> 
> 
> Suresh -
> 
> We’re aware and working the problem.  It looks to me like expired
> RRSIG/DNSKEY’s for the zone, 
> so if you’re using a DNSSEC validating resolver (e.g. Google,
> Cloudflare, Cogent) then ARIN.NET 
> is unreachable.   ARIN’s engineering team is working on resolution now.
> 
> /John
> 
> John Curran
> President and CEO
> American Registry for Internet Numbers
> 
> 
>> On 11 Jan 2019, at 9:27 AM, Suresh Ramasubramanian
>> <ops.li...@gmail.com> wrote:
>>
>> couldn't get address for 'ns1.arin.net': not found
>> couldn't get address for 'ns2.arin.net': not found
>> couldn't get address for 'u.arin.net': not found
>> couldn't get address for 'ns3.arin.net': not found
>> dig: couldn't get address for 'ns1.arin.net':
>> no more
>>
>> srs@Sureshs-MacBook-Pro-2 19:56:18 <~> $ dig +trace +norec
>> whois.arin.net 
>>

Re: Facebook doesn't have a route to my ISP's (Cogeco) IPv6 space?

2018-12-20 Thread Max Tulyev
Well known problem.

You can use our tunnel broker connection (tb.netassist.ua) as a workaround.

17.12.18 22:01, Brian J. Murrell wrote:
> I've been trying to figure out why I can reach an IPv6 address at
> Facebook (2a03:2880:f012:3:face:b00c:0:1) through (only) one of my two
> Internet connections as well as via an HE IPv6 tunnel but not the other
> of my two ISP connections
> 
> At one point in time a traceroute was dying inside of he.net:
> 
>  Host                                 Loss%   Snt   Last   Avg  Best  Wrst StDev
>  1. 2001:1970:5261:d600::1             0.0%     7    2.1   1.3   0.7   2.9   0.8
>  2. 2001:1970:4000:82::1               0.0%     7   10.0  14.0   8.3  37.9  10.6
>  3. 2001:1970:0:1a6::1                16.7%     7   13.2 215.5  10.8 1031. 455.9
>  4. he.ip6.torontointernetxchange.net  0.0%     7   12.3  12.9  11.2  15.3   1.6
>  5. 100ge9-2.core2.chi1.he.net         0.0%     7   23.6  23.0  21.3  27.6   2.2
>  6. 100ge15-2.core1.chi1.he.net        0.0%     7   21.7  22.5  21.6  24.9   1.2
>  7. 100ge12-1.core1.atl1.he.net        0.0%     7   34.2  35.1  34.1  36.1   0.7
>  8. 100ge5-1.core1.tpa1.he.net         0.0%     7   49.1  46.6  44.8  49.1   1.5
>  9. 100ge12-1.core1.mia1.he.net        0.0%     7   51.6  54.5  50.5  73.3   8.3
> 10. ???
> 
> But I think it getting that far time was an anomaly and frankly it
> usually dies even before exiting my ISP's (Cogeco) network like this:
> 
>  Host                        Loss%   Snt   Last   Avg  Best  Wrst StDev
>  1. 2001:1970:5261:d600::1    0.0%    33    0.6   0.7   0.6   1.0   0.1
>  2. 2001:1970:4000:82::1      0.0%    33    8.2  10.8   8.1  40.5   5.6
>  3. 2001:1970:0:1a7::1       15.2%    33   23.4  20.1  16.5  23.4   1.5
>  4. 2001:1970:0:61::1        33.3%    33   16.8  17.6  14.5  25.9   2.5
>  5. 2001:1978:1300::10.0%    33   16.0  17.5  14.2  29.6   3.1
>  6. 2001:1978:203::450.0%    33   30.7  30.7  28.4  35.1   1.7
>  7. ???
> 
> When I asked the kind folks at he.net for some advice about the problem
> (i.e. in the first traceroute above) their diagnosis was that
> Facebook's IPv6 router(s) likely didn't have a route back to my Cogeco
> IPv6 address.
> 
> Trying to talk to my ISP (again, Cogeco) has been impossible.  One
> simply cannot reach the people who know more than how to reset your
> router and configure your e-mail.
> 
> I wonder how I could go any further with this to confirm the diagnosis
> that Facebook doesn't have a route to the Cogeco network's IPv6 address
> space given that I only have access to my end of the path.
> 
> Cheers,
> b.
> 


Re: Should ISP block child pornography?

2018-12-11 Thread Max Tulyev
Yes, in some countries (NOT in the US, AFAIK) a court can issue an order to
block an IP/domain/URL.

If the home operator of the criminal is blocking direct access - he has to
use TOR/VPN/... to avoid the blocking (or maybe you really believe he will just
stop trying to watch his lovely CP?)

If he uses TOR/VPN/... to avoid the blocking - the original home IP address
will be changed to the exit node of TOR/VPN - and we will lose any
chance to catch the criminal.

Is it clear?

11.12.18 21:06, John Lee wrote:
> It is my understanding that ISPs block IP addresses and domains under
> court order now for copyright violations, criminal activity which would
> include CP. They require a court order as they cannot ascertain if it is
> CP or not, that is a Law Enforcement decision. The US Supreme Court
> decision was just being nude is not lewd, also with aging software
> which can regress photos, LEOs in the US have to ascertain if this is CP
> or photo shopped. 
> 
> On Tue, Dec 11, 2018 at 12:54 PM Max Tulyev <max...@netassist.ua> wrote:
> 
> ...and you will see the TOR exit nodes instead of crime home IP if
> censorship is implemented.
> 
> 11.12.18 19:35, Aaron1 wrote:
> > ... The only thing I can think of is the idea that I’ve heard before is
> > the way to catch someone is to watch them while they are accessing, the
> > concept of honeypots comes to mind
> >
> > Aaron
> >
> > On Dec 11, 2018, at 10:43 AM, Larry Allen <mrallen1...@gmail.com> wrote:
> >
> >> I can't imagine a single rational argument against this. 
> >>
> >> On Tue, Dec 11, 2018, 10:56 William Anderson <ne...@well.com> wrote:
> >>
> >>     On Fri, 7 Dec 2018 at 06:08, Lotia, Pratik M
> >>     <pratik.lo...@charter.com> wrote:
> >>
> >>         Hello all, was curious to know the community’s opinion on
> >>         whether an ISP should block domains hosting CPE (child
> >>         pornography exploitation) content? Interpol has a ‘worst-of’
> >>         list which contains such domains and it wants ISPs to block it.
> >>
> >>
> >>     This already happens in the UK, and has done for years.
> >>
> >>     https://en.wikipedia.org/wiki/Child_abuse_image_content_list 
> >>
> >>
> >>     -n
> >>
> 


Re: Should ISP block child pornography?

2018-12-11 Thread Max Tulyev
...and you will see the TOR exit nodes instead of crime home IP if
censorship is implemented.

11.12.18 19:35, Aaron1 wrote:
> ... The only thing I can think of is the idea that I’ve heard before is
> the way to catch someone is to watch them while they are accessing, the
> concept of honeypots comes to mind
> 
> Aaron
> 
> On Dec 11, 2018, at 10:43 AM, Larry Allen wrote:
> 
>> I can't imagine a single rational argument against this. 
>>
>> On Tue, Dec 11, 2018, 10:56 William Anderson wrote:
>>
>> On Fri, 7 Dec 2018 at 06:08, Lotia, Pratik M
>> <pratik.lo...@charter.com> wrote:
>>
>> Hello all, was curious to know the community’s opinion on
>> whether an ISP should block domains hosting CPE (child
>> pornography exploitation) content? Interpol has a ‘worst-of’
>> list which contains such domains and it wants ISPs to block it.
>>
>>
>> This already happens in the UK, and has done for years.
>>
>> https://en.wikipedia.org/wiki/Child_abuse_image_content_list 
>>
>>
>> -n
>>


Re: Should ISP block child pornography?

2018-12-11 Thread Max Tulyev
Remember what I said... If the censorship system will be created FOR
ANY, ANY REASON - you will forget the initial reason very quickly.

11.12.18 19:34, Aaron1 wrote:
> Right... When would it ever be wrong to stop terrible internet activity
> such as this?!
> 
> Aaron
> 
> On Dec 11, 2018, at 10:43 AM, Larry Allen wrote:
> 
>> I can't imagine a single rational argument against this. 
>>
>> On Tue, Dec 11, 2018, 10:56 William Anderson wrote:
>>
>> On Fri, 7 Dec 2018 at 06:08, Lotia, Pratik M
>> <pratik.lo...@charter.com> wrote:
>>
>> Hello all, was curious to know the community’s opinion on
>> whether an ISP should block domains hosting CPE (child
>> pornography exploitation) content? Interpol has a ‘worst-of’
>> list which contains such domains and it wants ISPs to block it.
>>
>>
>> This already happens in the UK, and has done for years.
>>
>> https://en.wikipedia.org/wiki/Child_abuse_image_content_list 
>>
>>
>> -n
>>


Re: Should ISP block child pornography?

2018-12-08 Thread Max Tulyev
Because the USA does not have any block lists, for example ;)

08.12.18 22:29, Keith Medcalf wrote:
> 
>> They put IP of some government or critical (for example,
>> VISA/Mastercard processing) sites in their blocked 
>> domain - and those victim sites will be blocked. 
>> This trolling is very popular in Russia, for example.
> 
> This should be very popular everywhere in the free world -- explaining why it 
> is popular in Russia but not in non-free countries such as the United States 
> of America ...
> 
> ---
> The fact that there's a Highway to Hell but only a Stairway to Heaven says a 
> lot about anticipated traffic volume.
> 
> 
> 
> 


Re: Should ISP block child pornography?

2018-12-08 Thread Max Tulyev
Correct.

Also if you update IPs automatically by cron (and you have to automate
it, as the lists are only growing and growing) - blocked sites will troll the
censorship system.

They put the IPs of some government or critical (for example, VISA/Mastercard
processing) sites in their blocked domain - and those victim sites will
be blocked. This trolling is very popular in Russia, for example.

08.12.18 19:41, Hank Nussbacher wrote:
> On 07/12/2018 20:48, Max Tulyev wrote:
>> Yes, you may nullroute some IP with some site, but as collateral
>> damage you will block part of Cloudflare or Amazon, for example. So
>> you have to buy and install additional equipment and software to make it
>> a bit less painful. That's not so cheap; it has to be planned,
>> bought, installed and checked, and personnel have to be trained. After
>> that, your system will be capable of blocking some website for the ~90% of
>> your customers who will not proactively avoid the blocking. And for *NONE* of
>> those who will, as CP addicts, terrorists, black markets, gambling, porn and
>> others do.
> It is even more complex.  As you said, filtering by IP address causes
> collateral damage to multi-host sites.
> But there are sites that use primarily IPv6 addresses so you need to
> filter  not only IPv4 but IPv6 as well.
> Also, sites change their IP address after they find out they are
> blocked, so you need a cron job which checks the IP addresses every
> 10-15 minutes and updates the filters (if you are willing to accept
> collateral damage).
> 
> But when requested to block a FQDN, and filtering by IPv4 or IPv6 is not
> an option, again there are issues.
> 
> You filter/block in your central DNS server, but what about the user at
> home who is using 8.8.8.8 or 9.9.9.9?  Or the corporate link to some
> Fortune 500 company with their own DNS servers that bypass the ISP
> servers.  So now you are in a situation where you have to divert/capture
> *all* udp/53 and tcp/53 and pass it to some scrubbing server which will
> only block the requests to the forbidden FQDNs.   Oh but wait, what
> about DoH?
> 
> Governments that require ISPs to block "certain" sites have no clue what
> is required technologically to adhere to their demands.
> 
> -Hank
> 
> 
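
The failure mode described in this message and the quoted reply (a cron job that re-resolves blocked FQDNs over IPv4 and IPv6, and a blocked party answering with a victim's addresses) can be contained with a vetting step between the resolver and the filter. This is an added example, not code from the thread or from any ISP; the protected and shared-hosting prefixes, the churn threshold and the sample answers are constructed from documentation address space.

```python
"""Vetting step for an automated FQDN -> IP blocklist updater (added example)."""
import ipaddress
from dataclasses import dataclass, field

# All prefixes below are constructed placeholders (documentation address space).
PROTECTED = {
    "payment processing (hypothetical)": ["198.51.100.0/24", "2001:db8:beef::/48"],
    "own infrastructure (hypothetical)": ["192.0.2.0/25"],
}
SHARED_HOSTING = ["203.0.113.0/24", "2001:db8:cd00::/40"]  # CDN-like shared ranges
NON_ROUTABLE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
                "::1/128", "fc00::/7", "fe80::/10"]


@dataclass
class Decision:
    block: list = field(default_factory=list)  # addresses safe to filter as /32 or /128
    held: list = field(default_factory=list)   # (answer, reason) pairs for human review


def _first_match(addr, named_nets):
    """Return the label of the first prefix containing addr, or None."""
    for label, cidrs in named_nets.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if addr.version == net.version and addr in net:
                return label
    return None


def vet_answers(answers, previous, max_new=4):
    """Classify the A/AAAA answers resolved for one blocked FQDN.

    answers  -- address strings returned by the resolver in this cron run
    previous -- addresses already filtered for this FQDN in earlier runs
    max_new  -- more new addresses than this in one run is treated as churn
    """
    known = {ipaddress.ip_address(p) for p in previous}
    checks = [
        ({"non-routable": NON_ROUTABLE}, "non-routable answer"),
        (PROTECTED, "inside protected prefix"),
        ({"shared hosting": SHARED_HOSTING}, "shared range, collateral damage"),
    ]
    decision, fresh = Decision(), []
    for raw in answers:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            decision.held.append((raw, "unparseable answer"))
            continue
        for nets, reason in checks:
            label = _first_match(addr, nets)
            if label:
                decision.held.append((str(addr), f"{reason}: {label}"))
                break
        else:
            if addr in known:
                decision.block.append(str(addr))  # unchanged since the last run
            else:
                fresh.append(str(addr))
    if len(fresh) > max_new:
        # A burst of new addresses in one run is held back instead of installed.
        decision.held += [(a, "churn above threshold") for a in fresh]
    else:
        decision.block += fresh
    return decision


if __name__ == "__main__":
    # Constructed resolver answers for a hypothetical blocked FQDN.
    sample = ["192.0.2.200", "198.51.100.10", "2001:db8:beef::1", "203.0.113.7",
              "127.0.0.1", "192.0.2.201", "2001:db8:1::5", "not-an-ip"]
    result = vet_answers(sample, previous={"192.0.2.200"})
    print("block:", result.block)
    for answer, reason in result.held:
        print("held: ", answer, "->", reason)
```

Held answers are never installed automatically, so a poisoned zone costs operator time instead of taking a protected service offline.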


Re: Should ISP block child pornography?

2018-12-07 Thread Max Tulyev
Hi All,

we are fighting with censorship in our country. So I have something to say.

First, censorship is not just "switch off this website and that
webpage". No magic button exists. It is more complex, if you think of it
as a whole system.

Initially, networks were built without systems (hardware and software)
that can block something.

Yes, you may nullroute some IP with some site, but as collateral
damage you will block part of Cloudflare or Amazon, for example. So you
have to buy and install additional equipment and software to make it a bit
less painful. That's not so cheap; it has to be planned, bought,
installed and checked, and personnel have to be trained. After that, your
system will be capable of blocking some website for the ~90% of your customers
who will not proactively avoid the blocking. And for *NONE* of those who will,
as CP addicts, terrorists, black markets, gambling, porn and others do.

Yep. Now your network is capable of censoring something. You just made the
first step to hell. What's next? Some people send you some websites
to ban. This list with CP, Spamhaus DROP, some court orders, some
semi-legal copyright protectors' orders, some "we just want to block it"
requests... And some list positions become outdated from time to time,
so you need to clean it from time to time. Do not even expect that the people
who sent you the block request will send you an unblock request, of course.
Then, we have >6000 ISPs in our country - it is not possible to interact
with all of them directly.

So, you end up under a lot of papers, random interactions with random
people and an outdated and desynchronized blocking list. It will not work.

Next, government realizes there should be one centralized blocking list
and introduces it.

Ok. Now we have a censored Internet. THE SWITCH IS ON.

In a very short time the number of organizations that have permission to
insert something into the list dramatically increases. Corruption rises;
it becomes possible, and then becomes cheap, to put your competitor's
website into the list for some time. And of course, the primary target of
any censorship is the elections...

What about CP and porn addicts, gamblers, killers, terrorists? Surprise,
they are even more fine than at the beginning! Why? Because they learned
VPN and TOR and have to use them! Investigators end up with TOR and VPN exit
IP addresses from other countries instead of their home IPs.

Hey. It is a very, very bad and very, very dangerous game. Avoid it.
The goal of that game is to SWITCH ON that system FOR ANY REASON. CP, war,
gambling - any reason that will work. After the system is switched
on - in several months you will forget the initial reason. And will
wake up in another world.

07.12.18 08:06, Lotia, Pratik M wrote:
> Hello all, was curious to know the community’s opinion on whether an ISP
> should block domains hosting CPE (child pornography exploitation)
> content? Interpol has a ‘worst-of’ list which contains such domains and
> it wants ISPs to block it.
> 
> On one side we want the ISP to not do any kind of censorship or
> inspection of customer traffic (customers are paying for pipes – not for
> filtered pipes), on the other side morals/ethics come into play. Keep in
> mind that if an ISP is blocking it would mean that it is also logging
> the information (source IP) and law agencies might be wanting access to it.
> 
> 
> Wondering if any operator is actively doing it or has ever considered
> doing it?
> 
> Thanks.
> 
> With Gratitude,
> 
> Pratik Lotia
> 
> “Information is not knowledge.”


Re: Proving Gig Speed

2018-07-16 Thread Max Tulyev
Hi!

Here I have http://www.speedtest.net/result/7475546550 from my notebook
right now. It is i5-2540M CPU.

First of all, the NIC is much more important than the CPU. An Intel NIC can give
1Gbps easily, while Realtek or Broadcom will probably never give you more than
~300mbps.

Linux is several times faster than Windows on the same hardware config. Speedtest
is very dependent on the browser, so try different ones and find the best for
your configuration as well.

Sometimes you will need to tune TCP stack options to get >100mbps in
one TCP session.

Speedtest usually shows good results on download, but for some reason shows slow
upload speed. Nowadays it is better, but several years ago I couldn't get
more than 100mbps upload in the same configuration of notebook and network I
have now. Real uploads were at gig speeds.

But the best is to use IPERF to do measurements. It is really accurate.

16.07.18 20:58, Chris Gross wrote:
> I'm curious what people here have found as a good standard for providing 
> solid speedtest results to customers. All our techs have Dell laptops of 
> various models, but we always hit 100% CPU when doing a Ookla speedtest for a 
> server we have on site. So then if you have a customer paying for 600M or 
> 1000M symmetric, they get mad and demand you prove it's full speed. At that 
> point we have to roll out different people with JDSU's to test and prove it's 
> functional where a Ookla result would substitute fine if we didn't have 
> crummy laptops possibly. Even though from what I can see on some google 
> results, we exceed the standards several providers call for.
> 
> Most of these complaints come from the typical "power" internet user of 
> course that never actually uses more than 50M sustained paying for a 
> residential connection, so running a circuit test on each turn up is uncalled 
> for.
> 
> Anyone have any suggestions of the requirements (CPU/RAM/etc) for a laptop 
> that can actually do symmetric gig, a rugged small inexpensive device we can 
> roll with instead to prove, or any other weird solution involving ritual 
> sacrifice that isn't too offensive to the eyes?
> 


Re: AS3266: BitCanal hijack factory, courtesy of many connectivity providers

2018-06-26 Thread Max Tulyev
RPKI? BGPsec?

26.06.18 21:27, Mike Hammett wrote:
> Any solution to that? Yell at the IRRs more? 
> 
> 
> 
> 
> - 
> Mike Hammett 
> Intelligent Computing Solutions 
> http://www.ics-il.com 
> 
> Midwest-IX 
> http://www.midwest-ix.com 
> 
> - Original Message -
> 
> From: "Job Snijders"  
> To: "Simon Muyal"  
> Cc: nanog@nanog.org 
> Sent: Tuesday, June 26, 2018 1:23:55 PM 
> Subject: Re: AS3266: BitCanal hijack factory, courtesy of many connectivity 
> providers 
> 
> Dear Simon, 
> 
> On Tue, Jun 26, 2018 at 12:13:26PM -0600, Simon Muyal wrote: 
>> On the France-IX route servers, we are applying filters based on IRR 
>> DBs. I double checked the list https://pastebin.com/raw/Jw1my9Bb and 
>> these prefixes should be filtered if bitcanal starts announcing them. 
>> Currently, bitcanal/AS197426 is not announcing any prefix on our route 
>> servers: 
>>
>> https://lg.franceix.net/irr_found_for/RS1+RS2/ipv4?q=197426 
>> https://lg.franceix.net/irr_notfound_for/RS1+RS2/ipv4?q=197426 
> 
> I'm very happy FranceIX apply filters - however Bitcanal is known to 
> submit fabricated/falsified IRR information to databases like RADB and 
> RIPE. I've reported this multiple times over the years to IRR database 
> operators. 
> 
> In conclusion in the case of Bitcanal, most of your filtering is useless 
> (and so is mine). Participants like Bitcanal dilute the value of your 
> route servers and the IXP as a whole. 
> 
> Kind regards, 
> 
> Job 
> 
> 
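
Why an IRR-built filter passes a hijack once a falsified route object exists, while RPKI origin validation (RFC 6811) rejects it, shown as an added example that is not from the thread or from any operator's tooling. The prefixes, AS numbers, ROAs and route objects are constructed from documentation ranges.

```python
"""IRR-style prefix filter versus RPKI route origin validation (added example)."""
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str      # prefix the address holder authorised
    max_length: int  # longest announcement length the holder allows
    asn: int         # authorised origin AS


# Constructed data: documentation prefixes (RFC 5737, RFC 3849) and ASNs (RFC 5398).
VICTIM_AS, HIJACK_AS = 64496, 64511
ROAS = [
    ROA("203.0.113.0/24", 24, VICTIM_AS),
    ROA("2001:db8::/32", 48, VICTIM_AS),
]
# IRR route objects as (prefix, origin). The second entry models a falsified
# object registered by the hijacking network in a registry that does not
# verify address ownership.
IRR_ROUTE_OBJECTS = {
    ("203.0.113.0/24", VICTIM_AS),
    ("203.0.113.0/24", HIJACK_AS),
}


def irr_filter_accepts(prefix, origin_asn, route_objects=IRR_ROUTE_OBJECTS):
    """Accept an announcement if any registered route object matches it exactly."""
    return (str(ipaddress.ip_network(prefix)), origin_asn) in route_objects


def validate_origin(prefix, origin_asn, roas=ROAS):
    """RFC 6811 origin validation: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue  # this ROA does not cover the announced prefix
        covered = True
        # AS0 in a ROA never matches any origin.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    # Covered by at least one ROA but matched by none: wrong origin or too specific.
    return "invalid" if covered else "not-found"


def compare(announcements):
    """Return (prefix, origin, irr_accepts, rov_state) for each announcement."""
    return [(p, a, irr_filter_accepts(p, a), validate_origin(p, a))
            for p, a in announcements]


if __name__ == "__main__":
    for row in compare([
        ("203.0.113.0/24", VICTIM_AS),    # legitimate origin
        ("203.0.113.0/24", HIJACK_AS),    # origin backed only by the falsified IRR object
        ("203.0.113.128/25", HIJACK_AS),  # more specific than the ROA allows
        ("2001:db8:aa::/48", VICTIM_AS),  # within maxLength
        ("192.0.2.0/24", HIJACK_AS),      # no ROA published
    ]):
        print(row)
```

Origin validation checks only the origin AS and prefix length, not the AS path, which is the part BGPsec is meant to cover. Prefixes without a ROA come back `not-found`, so the protection applies only to address holders who publish ROAs.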


Re: BGP in a containers

2018-06-14 Thread Max Tulyev
bird is better than quagga!

(runs away) ;)

14.06.18 21:56, james jones wrote:
> I am working on a personal experiment and was wondering what is the best
> option for running BGP in a docker based container. I have seen a lot of blogs
> and docs referencing Quagga. I just want to make sure I am not overlooking
> any other options before I dive in. Any thoughts or suggestions?
> 
> -James
> 


Re: FW: Satelite Internet Provider

2018-06-07 Thread Max Tulyev
Uses Yamal 402 Russian (spy)service ;)

07.06.18 08:35, Itay Fisher wrote:
> Dear Edwin,
> 
> IO-SAT is a Vsat internet provider for both fixed and 
> maritime purposes.
> Please share with us what exactly do you need and the estimate capacity you 
> are looking for.
> 
> 
> Regards ,
> Itay Fisher
> www.io-sat.com
> 
> +972 537755134
> Phone.: +972 772201298
> email: it...@io-sat.com
> 
> 
> 
> iosat Support:
> Telephone:  +972-3-9784270
> Internal Extension: 550003
> Emergency Tel:  +44-19-23381108
> Email: supp...@io-sat.com
> 
> -- Forwarded message --
> From: Ing. Edwin Salazar via NANOG <nanog@nanog.org>
> Date: Mon, May 28, 2018 at 12:28 PM
> Subject: Satelite Internet Provider
> To: nanog@nanog.org
> 
> 
> Hi,
> 
> I would like to know if anyone knows any satellite internet provider for the 
> Galapagos Islands in Ecuador that I can contact?
> 
> Best regards,
> Edwin Salazar.
> 
> 


Re: SIP fax sending software?

2018-06-03 Thread Max Tulyev
Hi All,

Looking for similar, but other one.

Have Asterisk with E1 connection to PSTN (not VoIP). Is there some
software to let it work as a fax and modem?

30.05.18 23:13, John R. Levine wrote:
> Can anyone recommend software that sends faxes over SIP?  I have plenty
> of inbound fax to email services, but now and then I need to send a
> reply and it looks tacky to use one of the free web ones that put an ad
> on it.
> 
> I know that if I wanted to pay $15/mo there are lots of lovely services
> but we're taking about one fax a month, maybe, here.
> 
> Ideally it'd take a postscript or PDF or Word document and a phone
> number and fax it to that number.  I have Ubuntu, FreeBSD, and MacOS
> boxes.  Any suggestions?
> 
> Regards,
> John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for
> Dummies",
> Please consider the environment before reading this e-mail. https://jl.ly
> 


Re: Subsea availability

2018-05-22 Thread Max Tulyev
Maybe there is something similar, but with the sales contact for each
cable system? ;)

22.05.18 08:54, Reid Fishler wrote:
> Not to mention:
> https://www.cablemap.info/
> 
> Reid
> 
> 
> On Tue, May 22, 2018 at 1:46 AM james jones wrote:
> 
>> Not interactive but cool animation:
>>
>> https://www.youtube.com/watch?v=IlAJJI-qG2k
>>
>> On Tue, May 22, 2018 at 1:37 AM, Mehmet Akcin wrote:
>>
>>> yeah, I know and already reached out to my friends at Telegeography on how
>>> to make www.submarinecablemap.com interactive
>>>
>>> On Mon, May 21, 2018 at 10:35 PM, Martin Hepworth wrote:
>>>
>>>> I'll put this as a starter
>>>>
>>>> http://submarine-cable-map-2018.telegeography.com/
>>>>
>>>> There's probably better by now
>>>>
>>>> Martin
>>>>
>>>> On Tue, 22 May 2018 at 06:13, Mehmet Akcin wrote:
>>>>
>>>>> Hello there,
>>>>>
>>>>> I am working on a masters project idea to create an interactive map of the
>>>>> world’s subsea cables (cls to cla without local loops from cls to dc)
>>>>>
>>>>> I would like to know if anyone have worked with something like this in the
>>>>> past, and whether you think it would be cool to have a map where you can
>>>>> see subsea cable availability.
>>>>>
>>>>> I am also going to be at nanog denver to talk about this project with
>>>>> people. Let me know if you are available and interested in talking on ways
>>>>> to collaborate.
>>>>>
>>>>> I have few ideas on how to make this work with using ripe atlas probe like
>>>>> devices installed in strategic locations.
>>>>>
>>>>> Mehmet
>>>>>
>>>> --
>>>> --
>>>> Martin Hepworth, CISSP
>>>> Oxford, UK
>>>>
>>>
> 


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Max Tulyev
I did a lot. Centralized proprietary messenger with a lot of noise around.

Unlike, for example, clear p2p tox, a federated own jabber server, with
TOR to hide metadata.

15.05.18 19:36, John Levine wrote:
> In article <47acebac-7df1-0dbb-9584-27062a945...@netassist.ua> you write:
>> Really? Use extremely centralized closed source "solution"?
> 
> You might want to learn a little about Signal.
> 
> R's,
> John
> 
>>
>> LOL.
>>
>> 15.05.18 18:47, John Levine wrote:
>>> In article <240538927.8145.1526388210820.JavaMail.mhammett@ThunderFuck> you write:
>>>> Encrypted e-mail is so incredibly niche, this won't affect almost everyone.
>>>
>>> Bruce Schneier's blog entry on this arcane buglet ended by saying that
>>> if you care about encryption use Signal or WhatsApp.
> 


Re: Email security: PGP/GPG & S/MIME vulnerability drop imminent

2018-05-15 Thread Max Tulyev
Really? Use extremely centralized closed source "solution"?

LOL.

15.05.18 18:47, John Levine wrote:
> In article <240538927.8145.1526388210820.JavaMail.mhammett@ThunderFuck> you write:
>> Encrypted e-mail is so incredibly niche, this won't affect almost everyone. 
> 
> Bruce Schneier's blog entry on this arcane buglet ended by saying that
> if you care about encryption use Signal or WhatsApp.
> 
> R's,
> John
> 
> PS: I don't see any point in following up the discussion of HTML mail
> because it appears to have fallen through a wormhole from 15 years ago.
> 


Re: Question about great firewall of China

2018-03-25 Thread Max Tulyev
Hi,

even in China it is not possible to block content from people who
proactively want to reach it (VPN, TOR, etc). So terrorists, child
pornographers, drug dealers, copyright violators and other s*it are safe.

The only thing Internet censorship can really do is decrease the circle in
which information spreads. It will not reach 100%, but will reach, say, 5% of
the initially expected audience. This system can ONLY be used to change the MASS
MIND of people, i.e. POLITICAL CENSORSHIP.

Don't believe the bastards who say they protect you by censorship. The ONLY
thing they can really do with this system (not now of course, a bit later - look
at the history of the rise of the Russian censorship system, for example) is to
influence the mass mind, i.e. the results of elections. NOTHING ELSE.

24.03.18 01:34, Scott Weeks wrote:
> 
> 
> It looks like a "Great Firewall of Canada" is going up.
> They should look at the dismal record of how Australia
> implemented theirs (all the while knowing how easy it 
> is for the "criminals and terrorists" to bypass their 
> blocks).
> 
> https://en.wikipedia.org/wiki/Internet_censorship_in_Australia
>   
> But, it really isn't about the "criminals and terrorists" 
> is it?
> 
> The people in positions of power worldwide are feverishly 
> drooling over the ability to control what others can know, 
> while not blocking the information from themselves.  What 
> a sad, sad life those people live!  Sounds like the Dark 
> Ages.
> 
> scott
> 


Re: Free access to measurement network

2017-12-16 Thread Max Tulyev
So from my point of view, a better solution is to push some law that eases
access to the buildings for ISPs.

15.12.17 19:40, valdis.kletni...@vt.edu wrote:
> On Fri, 15 Dec 2017 07:47:42 -0500, Dovid Bender said:
>> What kind of internet are these devices on? With Net Neutrality gone here
>> in the US it would be a good way to measure certain services such as SIP to
>> see which ISP's if any are tampering with packets.
> 
> Given previous history, the answer will probably be "most of them".
> 
> "The results are not inspiring. More than 129 million people are limited to a
> single provider for broadband Internet access using the FCC definition of 25
> Mbps download and 3 Mbps upload. Out of those 129 million Americans, about 52
> million must obtain Internet access from a company that has violated network
> neutrality protections in the past and continues to undermine the policy 
> today.
> 
> In locations where subscribers have the benefit of limited competition, the
> situation isn't much better. Among the 146 million Americans with the ability
> to choose between two providers, 48 million Americans must choose between two
> companies that have a record of violating network neutrality."
> 
> https://muninetworks.org/content/177-million-americans-harmed-net-neutrality
> 


Re: USA local SIM card

2017-09-17 Thread Max Tulyev
Nice advertising, thank you! =)

But still have open some questions I asked before:

1. My phone is not LTE but 3G GSM/UMTS capable (all bands,
850/900/1700/1900/2100). Will it work? Is 3G coverage good enough in New
York and Orlando for VoIP calls (SIP, Viber, Skype)?

2. Is there public or private IP address? IPv6?

On 17.09.17 22:52, Jean-Francois Mezei wrote:
> On 2017-09-17 13:07, Max Tulyev wrote:
> 
> 
> AT&T's $45 prepaid plans and its more expensive sibling (I think $65)
> allow over 6GB of data at LTE speeds, and the rest is unlimited but at
> 2G speeds (I think).
> 
> 
> The AT&T plans at the $45 and higher levels allow data and voice
> roaming into Canada, as long as your usage in Canada represents less
> than 50% of total use.
> 
> The AT&T plan allows you to remove video throttling (the T-Mobile plan
> doesn't and has more severe net neutrality violations).
> 
> If you obtain a SIM card from eBay, there is a hard to find web access
> to set it up (normal AT&T web site forces you to buy a SIM card which
> AT&T won't deliver outside of USA).
> 
> https://www.att.com/prepaid/activations/#/activate.html
> 
> In my case, I chose AT&T because I tested T-Mobile a few years ago
> along the route taken and found too many areas without service,
> interestingly, one area where in 1998-1999, I had service with Omnipoint
> on a 1900 only phone (Fort Edward NY).
> 
> Note on T-Mobile: its coverage map expects you to be on postpaid plans
> which includes areas where you're allowed to roam on AT&T, but not
> necessarily if on prepaid, so hard to tell if you will really get
> service based on its maps.
> 
> Also note: AT&T on an iPhone gets to disable the "manual" search for
> available carriers, so you can't test in a town if T-Mobile would also
> be available. You can insert your own SIM card just to scan for networks
> and with roaming disabled, you won't incur any charges by home carrier.
> 
> 



Re: IPv6 migration steps for mid-scale isp

2017-09-17 Thread Max Tulyev
Hello,

from my point of view, the first question is: do you control the CPEs (can
you re-configure and re-flash them), or do users buy and own the CPEs themselves?

On 13.09.17 15:08, Fredrik Sallinen wrote:
> Hello,
> 
> Recently we have decided to start IPv6 migration in our network. We
> have ~1K BNGs and connecting our customers to network using PPPoE.
> I'd be interested in hearing from the technical community about their
> experiences and recommendations on this process. I'm wondering:
> 
> Shall I go for IPv6-only deployment or dual stack?
> Where to start with IPv6? (core, edge or ...)
> What are the best practices for ISPs?
> What are the costs and return on investment?
> How to identify address CPE and legacy application issues?
> 
> Fredrik
> 



USA local SIM card

2017-09-17 Thread Max Tulyev
Hi All,

sorry for possible off-topic, I really did not know where to ask this.

I'm going to visit USA for two weeks. I want to buy a local prepaid SIM
card mostly for IP access.

Is it possible in USA to buy a prepaid SIM as a visitor, without long
term contract?

I need a public (can be dynamic) IP address, NOT over NAT, and (or)
IPv6, if possible.

My phone is GSM UMTS 3G.

Expected traffic volume is about 10G.

Will use it in New York City and Orlando City, not in rural areas.

Good data roaming tariff in Canada will be a big advantage.

What can you advise?

Thank you!


Re: PCIe adapters supporting long distance 10GB fiber?

2017-06-20 Thread Max Tulyev
We use Intel NICs with SFP+ holes. They work well with long and short
range SFP+ modules, including CWDM/DWDM.

On 15.06.17 12:10, chiel wrote:
> Hello,
> 
> We are deploying more and more server based routers (based on BSD). We
> have now come to the point where we need to have 10GB uplinks on these
> devices and I prefer to plug in a long range 10GB fiber straight into
> the server without it going first into a router/switch from vendor x. It
> seems to me that all the 10GB PCIe cards only support either copper
> 10GBASE-T, short range 10GBASE-SR or the 10 Km 10GBASE-LR (but only very
> few). Are there any PCIe cards that support 10GBASE-ER and 10GBASE-ZR? I
> can't seem to find any.
> 
> Chiel
> 



Re: Financial services BGP hijack last week?

2017-05-02 Thread Max Tulyev
Everybody knows. Nobody cares.

On 02.05.17 08:49, valdis.kletni...@vt.edu wrote:
> I didn't see any mention of this here.  Any comments?
> 
> "On Wednesday, large chunks of network traffic belonging to MasterCard, Visa,
> and more than two dozen other financial services companies were briefly routed
> through a Russian government-controlled telecom under unexplained 
> circumstances
> that renew lingering questions about the trust and reliability of some of the
> most sensitive Internet communications."
> 
> https://arstechnica.com/security/2017/04/russian-controlled-telecom-hijacks-financial-services-internet-traffic/
> 



Re: ipv6 accepted & announcement size upto /48 or longer than /48 ?

2017-04-27 Thread Max Tulyev
Yes, but that's not a policy, that's a BCP.

On 27.04.17 16:47, root  wrote:
> Am i right ?
> 
> Policy for ipv4 accept and send upto /24
> Policy for ipv6 accept and send upto /48
> 



Re: Facebook more specific via Level3 ?

2017-04-16 Thread Max Tulyev
Hi,

got the same from Kiev, Ukraine:

dig fbcdn.com
fbcdn.com.  300 IN  A   31.13.74.1
which is slow and routed through USA

and
dig fbcdn.com @8.8.8.8
fbcdn.com.  299 IN  A   31.13.93.3
which is fast and routed through Germany

Same is for IPv6.

Are there any solutions without dirty hacks?

On 22.03.17 12:02, Radu-Adrian Feurdean wrote:
> Hi, the load-balancing definitely doesn't choose the *nearest* mirror.
> We are in France and unless we do dirty tricks, we *always* get directed
> to US sites (as far as LA), with horrible performance. Everything since
> end of December. As a consequence we let the dirty tricks in place
> (query facebook.com and fbcdn.com on 8.8.8.8 instead of regular
> recursive resolving) and we get directed to Frankfurt or Amsterdam
> (never London or Paris).
> 



Re: CGNAT

2017-04-07 Thread Max Tulyev
BTW, has anybody checked how implementing native IPv6 decreases the actual
load on CGNAT?


On 06.04.17 23:33, Aaron Gould wrote:
> Last year I evaluated Cisco ASR9006/VSM-500 and Juniper MX104/MS-MIC-16G in
> my lab.
> 
> I went with MX104/MS-MIC-16G.  I love it.
> 
> I deployed (2) MX104's.  Each MX104 has a single MX-MIC-16G card in it.  I
> integrated this CGNAT with MPLS L3VPN's for NAT Inside vrf and NAT outside
> vrf.  Both MX104's learn 0/0 route for outside and send a 0/0 route for
> inside to all the PE's that have DSLAMs connected to them.  So each PE with
> DSL connected to it learns default route towards 2 equal cost MX104's.  I
> could easily add a third MX104 to this modular architecture.
> 
> I have 7,000 DSL broadband customers behind it.  Peak time throughput is
> hitting up at 4 gbps... I see a little over 100,000 service flows
> (translations) at peak time
> 
> I think each MX104 MS-MIC-16G can handle about ~7 million translations and
> about 7 gbps of cgnat throughput... so I'm good.
> 
> I have a /25 for each MX104 outside public address pool (so /24 total for
> both MX104's)... pretty sweet how I use /24 for ~7,000 customers :) 
> 
> I'll freeze this probably for DSL and not put anything else behind it.  I
> want to leave well-enough alone.
> 
> If I move forward with CGNAT'ing Cable Modem (~6,000 more subscribers) I'll
> probably roll-out (2) more MX104's with a new vrf for that...
> 
> If I move forward with CGNAT'ing FTTH (~20,000 more subscribers) I'll
> probably roll-out (2) MX240/480/960 with MS-MPC... I feel I'd want/need
> something beefier for FTTH...
> 
> - Aaron
> 
> 
> 



Re: Passive Optical Network (PON)

2017-01-23 Thread Max Tulyev
Hi,

Using it in a rural area, it works. Much cheaper than ETTH.

On 21.01.17 18:44, Kenneth McRae wrote:
> Greeting all,
> 
> Is anyone out there using PON in a campus or facility environment?  I am 
> talking to a few vendors who are pushing PON as a replacement for edge 
> switching on the campus and in some cases, ToR switch in the DC.  Opinions on 
> this technology would be greatly appreciated.
> 
> Thanks,
> 
> Kenneth
> 



Re: Safe IPv4 Was: Re: premiumcolo.net IP address rental

2017-01-18 Thread Max Tulyev
Very strange. It was always open to all companies that need IP networks
that will be used in the RIPE region. Not to those having (any? main?
branch? legal address?) an office in the RIPE region.

And it is still possible to open a RIPE LIR for offshore companies like
BVI, Belize, Seychelles without any questions.

On 18.01.17 01:28, Martin Hannigan wrote:
> On Mon, Jan 9, 2017 at 2:34 PM, Robert Story  wrote:
> 
>> On Mon, 9 Jan 2017 13:40:23 -0500 Martin wrote:
>> MH> 2. Apply for and receive a last /22 from RIPE. EVERYONE can do this.
>>
>> Not quite everyone. You have to be a RIPE NCC member, which not everyone
>> can do.
>>
>> "Who can become a Local Internet Registry (LIR)/RIPE NCC member?
>>
>> Any organisation with a legally established office in the RIPE NCC
>> service region can become a member of the RIPE NCC."
>>
>> https://www.ripe.net/manage-ips-and-asns/resource-management/faq/faq-ipv4-address-space
>>
>>
>>
> 
> I'm not sure this applies to the situation we're discussing. For example, a
> US based corporation can apply and will receive an allocation of a /22 from
> the RIPE last /8. I believe they do become an LIR. That does not require an
> EU subsidiary or physical office. This is "good" for a variety of reasons
> including providing for need and rushing towards exhaustion. This isn't
> surreptitious. It is within policy.
> 
> 
> Best,
> 
> -M<
> 



Re: Measuring the quality of Internet access

2016-06-13 Thread Max Tulyev
All results will depend very much on the choice of target, as we can
understand. So that's the main point.

On 13.06.16 23:58, Collin Anderson wrote:
> 
> On Mon, Jun 13, 2016 at 4:18 PM, Max Tulyev <max...@netassist.ua> wrote:
> 
> But I can't figure out what SamKnows uses as the destination for tests?
> 
> 
> As I understand the destination differs per measurement partnership, but
> in at least the United States a substantial portion of the
> infrastructure is provided by Measurement Lab, as a virtualized host
> within the broader set of tools that the platform supports. 
> 
> M-Lab also provides resources to a number of other quality of service
> and experience measurement tools, such as NDT, BISmark and Neubot.
> CIRA's initiative, noted earlier, also uses M-Lab and NDT, as do a few
> regulators in Europe and elsewhere. 
> 
> Please always feel free to reach out, we are always eager to collaborate
> with network operators to use our tools and extend our platform –
> everything is open source and open access. 
> 
> Cordially,
> Collin
> -- 
> *Collin David Anderson*
> averysmallbird.com <http://averysmallbird.com> | @cda | Washington, D.C.



Re: Measuring the quality of Internet access

2016-06-13 Thread Max Tulyev
Well, that was MY question! =)

What who where (government/regulators) define as the quality?

On 13.06.16 23:38, valdis.kletni...@vt.edu wrote:
> On Mon, 13 Jun 2016 22:11:47 +0300, Max Tulyev said:
>> Is it possible in general to measure the quality of Internet access? And
>> if yes - how?
> 
> First, *define* "quality".  Raw bandwidth to a test server?  Raw bandwidth
> to a weighted average of the Alexa Top 100? Does RTT/bufferbloat count?
> What about RTT jitter?
> 



Re: Measuring the quality of Internet access

2016-06-13 Thread Max Tulyev
Sure, even host some ;)

But my question is about governmental initiatives/regulations about it, if any.

On 13.06.16 23:51, Marco Teixeira wrote:
> Are you aware of https://atlas.ripe.net/ ?
> 
> ---
> Sent from a device with a diminished keyboard.
> 
> On 13/06/2016, at 20:11, Max Tulyev <max...@netassist.ua> wrote:
> 
>> Hi All,
>>
>> I know there are many people from many countries.
>>
>> Do you know something about mandatory measurements of Internet access
>> quality from country telecom regulators? If yes, could you please share
>> that information with me?
>>
>> I found ETSI EG 202 057-4 standard
>> (http://www.etsi.org/deliver/etsi_eg/202000_202099/20205704/01.02.01_60/eg_20205704v010201p.pdf),
>> but in fact it is about measurements inside operator's network, not
>> Internet access itself.
>>
>> Is it possible in general to measure the quality of Internet access? And
>> if yes - how?



Re: Measuring the quality of Internet access

2016-06-13 Thread Max Tulyev
Thank you!

I got one more reply off-list - and again it is connected to SamKnows.

But I can't figure out what SamKnows uses as the destination for tests?

On 13.06.16 23:04, Eric Dugas wrote:
> CIRA (.CA) started a project one or two years ago: 
> https://cira.ca/build-better-internet/cira-internet-performance-test
> 
> CRTC (Canadian equivalent of the FCC) also conducted tests by sending test 
> boxes to volunteers: http://www.crtc.gc.ca/eng/internet/performance.htm and 
> https://www.measuringbroadbandcanada.com
> 
> Eric
> 
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Max Tulyev
> Sent: June 13, 2016 3:12 PM
> To: NANOG list <nanog@nanog.org>
> Subject: Measuring the quality of Internet access
> 
> Hi All,
> 
> I know there are many people from many countries.
> 
> Do you know something about mandatory measurements of Internet access quality 
> from country telecom regulators? If yes, could you please share that 
> information with me?
> 
> I found ETSI EG 202 057-4 standard
> (http://www.etsi.org/deliver/etsi_eg/202000_202099/20205704/01.02.01_60/eg_20205704v010201p.pdf),
> but in fact it is about measurements inside operator's network, not Internet 
> access itself.
> 
> Is it possible in general to measure the quality of Internet access? And if 
> yes - how?
> 



Measuring the quality of Internet access

2016-06-13 Thread Max Tulyev
Hi All,

I know there are many people from many countries.

Do you know something about mandatory measurements of Internet access
quality from country telecom regulators? If yes, could you please share
that information with me?

I found ETSI EG 202 057-4 standard
(http://www.etsi.org/deliver/etsi_eg/202000_202099/20205704/01.02.01_60/eg_20205704v010201p.pdf),
but in fact it is about measurements inside operator's network, not
Internet access itself.

Is it possible in general to measure the quality of Internet access? And
if yes - how?


Re: Question on peering strategies

2016-05-24 Thread Max Tulyev
I'm right here at RIPE 72 now, so I saw it of course ;)

The problem is not peering itself, but the more general problem of filtering
nets, and that was said in the presentation.

On 24.05.16 13:19, Jared Mauch wrote:
> 
>> On May 24, 2016, at 6:11 AM, Max Tulyev <max...@netassist.ua> wrote:
>>
>> If you dig into hijacking topic more, you will see that hijacks through
>> Tier1 is same or even more popular than through IXes.
> 
> You may not have a view into that you’re being hijacked and used to send
> SPAM for example:
> 
> https://ripe72.ripe.net/presentations/45-Invisible_Hijacking.pdf
> 
> Their space was hijacked and announced facing Yahoo.  I’m hoping that
> Yahoo is now feeding public route views services as a method to help
> with detection.  Same goes for Microsoft and Google and other e-mail
> providers.  Some sunlight here would help avoid similar localized hijacks.
> 
>> And if someone want to make me a transit offer for the price of DE-CIX
>> (I do not even ask the price of DTEL-IX peering ;) ) - please, contact
>> me off-list, I will be really happy.
> 
> Pricing obviously varies based on location and a few other criteria, but
> you should be shopping if this is a major part of your business.
> 
> - Jared
> 



Re: Question on peering strategies

2016-05-24 Thread Max Tulyev
If you dig into the hijacking topic more, you will see that hijacks through
Tier1s are as popular as, or even more popular than, those through IXes.

And if someone wants to make me a transit offer for the price of DE-CIX
(I do not even ask the price of DTEL-IX peering ;) ) - please, contact
me off-list, I will be really happy.

On 24.05.16 11:03, Jared Mauch wrote:
> 
>> On May 16, 2016, at 4:29 PM, Baldur Norddahl  
>> wrote:
>>
>> Router ports are expensive, so even if cross connects were free, you would
>> still use the public switch fabric until you reach a traffic level that
>> justifies a direct connection. The point of having a IX switch is that you
>> can connect to many others with just one single router port.
>>
> 
> 
> The cost of an IX can be quite expensive actually.  If you look at the RIPE
> presentations from this week, there are stealth routing hijacks that come from
> promiscuous peering as well as just the flat economics of connecting with a
> 10GE or 100GE interface and the cost per gigabit you assign to the IX port.
> These are flat rate ports, unlike transit that may offer you a price and
> commit rates that allow you to reach everyone vs those just at the IX.
> 
> I’m hoping I don’t get in trouble for sharing this, but this collaboration
> exists for Europe on peering costs which are normalized in euro cents per
> megabit.
> 
> https://docs.google.com/spreadsheets/d/18ztPX_ysWYqEhJlf2SKQQsTNRbkwoxPSfaC6ScEZAG8/edit#gid=0
> 
> - Jared
> 



Re: Question on peering strategies

2016-05-23 Thread Max Tulyev
Hi All,

I wonder why a "VLAN exchange" does not exist. Or do I just not know of any?

In my understanding it should be a switch, and people connected can
easily order a private VLAN between each other (or to private group)
through some kind of web interface.

That should be an easier and much less expensive way for private
interconnects than direct wires.

On 16.05.16 20:46, Reza Motamedi wrote:
> Dear Nanogers,
> 
> I have a question about common/best network interconnection practices.
> Assume that two networks (let's refer to them as AS-a and AS-b) are present
> in a colocation facility say Equinix LA. As many of you know, Equinix runs
> an IXP in LA as well. So AS-a and AS-b can interconnect
> 1) using private cross-connect
> 2) through the public IXP's switching fabric.
> Is it a common/good practice for the two networks to establish connections
> both through the IXP and also using a private cross-connect?
> 
> I was thinking considering the cost of cross-connects (my understanding is
> that the colocation provider charges the customers for each cross-connect
> in addition to the rent of the rack or cage or whatever), it would not be
> economically reasonable to have both. Although, if the cross-connect is the
> primary method of interconnection, and the IXP provides a router-server the
> public-peering over IXP would essentially be free. So it might make sense
> to assume that for the private cross-connect, there exists a back-up
> connection through the IXP. Anyway, I guess some discussion may give more
> insight about which one is more reasonable to assume and do.
> 
> Now my last question is that if the two connections exist (one private
> cross-connect and another back-up through the IXP), what are the chances
> that periodically launched traceroutes that pass the inter-AS connection in
> that colo see both types of connection in a week. I guess what I'm asking
> is how often back-up routes are taken? Can the networks do load balancing
> on the two connection and essentially use them as primary routes?
> 
> Best Regards
> Reza Motamedi (R.M)
> Graduate Research Fellow
> Oregon Network Research Group
> Computer and Information Science
> University of Oregon
> 



Re: Major IX bandwidth sharing

2016-04-21 Thread Max Tulyev
They fight with DDoS, so it means every month 95% traffic will be full 100G.

On 21.04.16 22:40, Pavel Odintsov wrote:
> If they could offer 95th percentile usage no more than commit they
> should pay only for it. But actually it depends on certain carrier and
> certain agreement conditions. 
> 
> On Thursday, 21 April 2016, Max Tulyev <max...@netassist.ua> wrote:
> 
> Hello,
> 
> I'm sure in this case they will pay for 100G every month, not for
> 10-20G ;)
> 
> On 21.04.16 20:25, Pavel Odintsov wrote:
> > Hello!
> >
> > If you want cheaper price just ask any TIER-1 provider for link with commit
> > 10ge and burst up to 100GE. It will be definitely cheaper and simpler than
> > your "magic" with IX cost reduction.
> >
> > On Thursday, 21 April 2016, Paras Jha <pa...@protrafsolutions.com> wrote:
> >
> >> Interesting to see how the idea is gaining traction
> >>
> >> On Thu, Apr 21, 2016 at 8:52 AM, Piotr Iwanejko <piotr.iwane...@gmail.com>
> >> wrote:
> >>
> >>> Hello Nanog-ers,
> >>>
> >>> We are looking for a company that has >=100G connectivity to major IX-es
> >>> (AMS-IX, DE-CIX preferred) with traffic asymmetry/heavy outgoing traffic,
> >>> willing to resell incoming fraction n*10G/1*100G IX-only IP transit.
> >>> Our company develops custom Anti-DDoS solution on PC platform (
> >>> http://www.slideshare.net/atendesoftware/100-mpps-on-pc) and we want to
> >>> collocate 1U scrubbing node.
> >>>
> >>> Please contact me off list for more details.
> >>>
> >>> Thank you.
> >>> --
> >>> Piotr Iwanejko
> >>
> >>
> >>
> >>
> >> --
> >> Regards,
> >> Paras
> >>
> >> President
> >> ProTraf Solutions, LLC
> >> Enterprise DDoS Mitigation
> >>
> >
> >
> 
> 
> 
> -- 
> Sincerely yours, Pavel Odintsov



Re: Major IX bandwidth sharing

2016-04-21 Thread Max Tulyev
Hello,

I'm sure in this case they will pay for 100G every month, not for 10-20G ;)

On 21.04.16 20:25, Pavel Odintsov wrote:
> Hello!
> 
> If you want cheaper price just ask any TIER-1 provider for link with commit
> 10ge and burst up to 100GE. It will be definitely cheaper and simpler than
> your "magic" with IX cost reduction.
> 
> On Thursday, 21 April 2016, Paras Jha  wrote:
> 
>> Interesting to see how the idea is gaining traction
>>
>> On Thu, Apr 21, 2016 at 8:52 AM, Piotr Iwanejko wrote:
>>
>>> Hello Nanog-ers,
>>>
>>> We are looking for a company that has >=100G connectivity to major IX-es
>>> (AMS-IX, DE-CIX preferred) with traffic asymmetry/heavy outgoing traffic,
>>> willing to resell incoming fraction n*10G/1*100G IX-only IP transit.
>>> Our company develops custom Anti-DDoS solution on PC platform (
>>> http://www.slideshare.net/atendesoftware/100-mpps-on-pc) and we want to
>>> collocate 1U scrubbing node.
>>>
>>> Please contact me off list for more details.
>>>
>>> Thank you.
>>> --
>>> Piotr Iwanejko
>>
>>
>>
>>
>> --
>> Regards,
>> Paras
>>
>> President
>> ProTraf Solutions, LLC
>> Enterprise DDoS Mitigation
>>
> 
> 



Re: Stop IPv6 Google traffic

2016-04-10 Thread Max Tulyev
That's the problem. Nobody wants to say which customer (IP) violates
which policy.

On 10.04.16 18:31, a.l.m.bu...@lboro.ac.uk wrote:
> give clients their own bigger blocks - or identify the clients violating
> policy (what the policy they are violating?) - you'll probably find the ones
> getting the captchas are the ones violating! ;-)



Re: Stop IPv6 Google traffic

2016-04-10 Thread Max Tulyev
That was another Google reply, but all /32 still affected. IPv4 is not
affected (at least no complaints), so...

On 10.04.16 17:36, Filip Hruska wrote:
> If I'm not mistaken, when there is some "abuse",
> Google typically shows captcha for the single IPs, not for whole
> provider, so only the customers who actually do something nefarious
> should get flagged.
> 
> Also, if you see captcha while using IPv6, switching to IPv4-only won't
> solve the problem because if there really is abuse, Google will flag the
> IPs regardless of IP protocol version.
> 
> 
> 
> On 04/10/2016 04:27 PM, Max Tulyev wrote:
>> The problem is IPv6-enabled customers complaints see captcha, and Google
>> NOC refuses to help solve it saying like find out some of your customer
>> violating some of our policy. As you can imagine, this is not possible.
>>
>> So, the working solutions is either correctly cut IPv6 to Google, or cut
>> all IPv6 (which I don't want to do).
>>
>> On 10.04.16 17:17, Mike Hammett wrote:
>>> I think the group wants to know what problem you're trying to solve.
>>> Obviously if you block something, there will be a timeout in getting
>>> to it.
>>>
>>> What is broken that you're trying to fix by blackholing them?
>>>
>>>
>>>
>>>
>>> -
>>> Mike Hammett
>>> Intelligent Computing Solutions
>>> http://www.ics-il.com
>>>
>>>
>>>
>>> Midwest Internet Exchange
>>> http://www.midwest-ix.com
>>>
>>>
>>> - Original Message -
>>>
>>> From: "Max Tulyev" <max...@netassist.ua>
>>> To: nanog@nanog.org
>>> Sent: Sunday, April 10, 2016 9:07:47 AM
>>> Subject: Re: Stop IPv6 Google traffic
>>>
>>> Customers see timeouts if I blackhole Google network. I looking for
>>> alternatives (other than stop providing IPv6 to customers at all).
>>>
>>> On 10.04.16 16:50, valdis.kletni...@vt.edu wrote:
>>>> On Sun, 10 Apr 2016 16:29:39 +0300, Max Tulyev said:
>>>>
>>>>> I need to stop IPv6 web traffic going from our customers to Google
>>>>> without touching all other IPv6 and without blackhole IPv6 Google
>>>>> network (this case my customers are complaining on long timeouts).
>>>>>
>>>>> What can you advice for that?
>>>>
>>>> Umm.. fix the reasons why they're seeing timeouts? :)
>>>>
>>>> Have you determined why the timeouts are happening?
>>>>
>>>
>>>
>>>
>>
> 



Re: Stop IPv6 Google traffic

2016-04-10 Thread Max Tulyev
Thank you! I think it is what I need now ;)

On 10.04.16 17:50, Niels Bakker wrote:
> You can add a reject route at your borders rather than nullroute.  That
> will cause ICMP Unreachables to be sent by your routers back to your
> customers so their applications will know immediately to retry using
> IPv4 rather than waiting for TCP timeouts.




Re: Stop IPv6 Google traffic

2016-04-10 Thread Max Tulyev
Everyone has a /56 or /48, depending on the type of service. Our whole /32
allocation is affected.

On 10.04.16 17:35, Chuck Anderson wrote:
> Assign your customers larger v6 prefixes so one customer's bad
> behavior doesn't affect the others?
> 
> On Sun, Apr 10, 2016 at 05:27:53PM +0300, Max Tulyev wrote:
>> The problem is IPv6-enabled customers complaints see captcha, and Google
>> NOC refuses to help solve it saying like find out some of your customer
>> violating some of our policy. As you can imagine, this is not possible.
>>
>> So, the working solutions is either correctly cut IPv6 to Google, or cut
>> all IPv6 (which I don't want to do).
>>
>> On 10.04.16 17:17, Mike Hammett wrote:
>>> I think the group wants to know what problem you're trying to solve. 
>>> Obviously if you block something, there will be a timeout in getting to it. 
>>>
>>> What is broken that you're trying to fix by blackholing them? 
>>>
>>>
>>>
>>>
>>> - 
>>> Mike Hammett 
>>> Intelligent Computing Solutions 
>>> http://www.ics-il.com 
>>>
>>>
>>>
>>> Midwest Internet Exchange 
>>> http://www.midwest-ix.com 
>>>
>>>
>>> - Original Message -
>>>
>>> From: "Max Tulyev" <max...@netassist.ua> 
>>> To: nanog@nanog.org 
>>> Sent: Sunday, April 10, 2016 9:07:47 AM 
>>> Subject: Re: Stop IPv6 Google traffic 
>>>
>>> Customers see timeouts if I blackhole Google network. I looking for 
>>> alternatives (other than stop providing IPv6 to customers at all). 
>>>
>>> On 10.04.16 16:50, valdis.kletni...@vt.edu wrote: 
>>>> On Sun, 10 Apr 2016 16:29:39 +0300, Max Tulyev said: 
>>>>
>>>>> I need to stop IPv6 web traffic going from our customers to Google 
>>>>> without touching all other IPv6 and without blackhole IPv6 Google 
>>>>> network (this case my customers are complaining on long timeouts). 
>>>>>
>>>>> What can you advice for that? 
>>>>
>>>> Umm.. fix the reasons why they're seeing timeouts? :) 
>>>>
>>>> Have you determined why the timeouts are happening? 
> 



Re: Stop IPv6 Google traffic

2016-04-10 Thread Max Tulyev
The problem is that IPv6-enabled customers complain that they see a captcha,
and the Google NOC refuses to help solve it, saying something like "find out
which of your customers is violating some of our policy". As you can imagine,
this is not possible.

So, the working solution is either to correctly cut IPv6 to Google, or to cut
all IPv6 (which I don't want to do).

On 10.04.16 17:17, Mike Hammett wrote:
> I think the group wants to know what problem you're trying to solve. 
> Obviously if you block something, there will be a timeout in getting to it. 
> 
> What is broken that you're trying to fix by blackholing them? 
> 
> 
> 
> 
> - 
> Mike Hammett 
> Intelligent Computing Solutions 
> http://www.ics-il.com 
> 
> 
> 
> Midwest Internet Exchange 
> http://www.midwest-ix.com 
> 
> 
> - Original Message -
> 
> From: "Max Tulyev" <max...@netassist.ua> 
> To: nanog@nanog.org 
> Sent: Sunday, April 10, 2016 9:07:47 AM 
> Subject: Re: Stop IPv6 Google traffic 
> 
> Customers see timeouts if I blackhole Google network. I looking for 
> alternatives (other than stop providing IPv6 to customers at all). 
> 
> On 10.04.16 16:50, valdis.kletni...@vt.edu wrote: 
>> On Sun, 10 Apr 2016 16:29:39 +0300, Max Tulyev said: 
>>
>>> I need to stop IPv6 web traffic going from our customers to Google 
>>> without touching all other IPv6 and without blackhole IPv6 Google 
>>> network (this case my customers are complaining on long timeouts). 
>>>
>>> What can you advice for that? 
>>
>> Umm.. fix the reasons why they're seeing timeouts? :) 
>>
>> Have you determined why the timeouts are happening? 
>>
> 
> 
> 



Re: Stop IPv6 Google traffic

2016-04-10 Thread Max Tulyev
Customers see timeouts if I blackhole the Google network. I am looking for
alternatives (other than to stop providing IPv6 to customers at all).

On 10.04.16 16:50, valdis.kletni...@vt.edu wrote:
> On Sun, 10 Apr 2016 16:29:39 +0300, Max Tulyev said:
> 
>> I need to stop IPv6 web traffic going from our customers to Google
>> without touching all other IPv6 and without blackhole IPv6 Google
>> network (this case my customers are complaining on long timeouts).
>>
>> What can you advice for that?
> 
> Umm.. fix the reasons why they're seeing timeouts? :)
> 
> Have you determined why the timeouts are happening?
> 



Stop IPv6 Google traffic

2016-04-10 Thread Max Tulyev
Hi All,

I need to stop IPv6 web traffic going from our customers to Google
without touching all other IPv6 and without blackholing the Google IPv6
network (in that case my customers complain about long timeouts).

What can you advise for that?


Re: Cogent & Google IPv6

2016-02-24 Thread Max Tulyev
If you are connected to the Internet ONLY through Cogent - there is no other
way. If you have other upstreams - Google should be reachable.

On 24.02.16 21:46, Matt Hoppes wrote:
> Correct me if I'm wrong, but if Cogent isn't peering with Google IPv6,
> shouldn't the traffic flow out to one of their peer points where another
> peer DOES peer with Google IPv6 and get you in?
> 
> Isn't that how the Internet is supposed to work?
> 
> 
> On 2/24/16 2:43 PM, Damien Burke wrote:
>> Not sure. I got the same thing today as well.
>>
>> Is this some kind of ipv6 war?
>>
>> -Original Message-
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ian Clark
>> Sent: Wednesday, February 24, 2016 10:25 AM
>> To: NANOG
>> Subject: Cogent & Google IPv6
>>
>> Anyone know what's actually going on here?  We received the following
>> information from the two of them, and this just started a week or so ago.
>>
>>
>> *From Cogent, the transit provider for a branch office of ours:*
>>
>> Dear Cogent Customer,
>>
>> Thank you for contacting Cogent Customer Support for information about
>> the Google IPv6 addresses you are unable to reach.
>>
>> Google uses transit providers to announce their IPv4 routes to Cogent.
>>
>> At this time however, Google has chosen not to announce their IPv6
>> routes to Cogent through transit providers.
>>
>> We apologize for any inconvenience this may cause you and will notify
>> you if there is an update to the situation.
>>
>>
>>
>> *From Google (re: Cogent):*
>>
>> Unfortunately it seems that your transit provider does not have IPv6
>> connectivity with Google. We suggest you ask your transit provider to
>> look for alternatives to interconnect with us.
>>
>> Google maintains an open interconnect policy for IPv6 and welcomes any
>> network to peer with us for access via IPv6 (and IPv4). For those
>> networks that aren't able, or chose not to peer with Google via IPv6,
>> they are able to reach us through any of a large number of transit
>> providers.
>>
>> For more information in how to peer directly with Google please visit
>> https://peering.google.com
>>
>>
>> -- 
>> Ian Clark
>> Lead Network Engineer
>> DreamHost
>>
> 



Re: Softlayer / Blocking Cuba IP's ?

2016-02-21 Thread Max Tulyev
Why is Crimea still not in the list?

On 20.02.16 02:57, frnk...@iname.com wrote:
> Official statement here: 
> https://knowledgelayer.softlayer.com/faq/softlayer-network-wide-ip-blocking
> 
> Frank
> 
> -Original Message-
> From: NANOG [mailto:nanog-bounces+frnkblk=iname@nanog.org] On Behalf Of 
> Faisal Imtiaz
> Sent: Friday, February 19, 2016 5:21 PM
> To: Carlos A. Carnero Delgado 
> Cc: nanog list 
> Subject: Re: Softlayer / Blocking Cuba IP's ?
> 
> Ola Carlos, 
> 
> I am very familiar with Govt. instituted restrictions, and yes, people always
> find ways to get around it. I cannot speak for the Cuban Gov. nor for the US
> Gov. as to what they decide to do and when.
> 
> What was/is irksome about Softlayer's decision is the following:-
> 
> 1) Unilateral implementation of a restricted policy without any notification.
> 
> 2) The broad stroke implementation of a Gov Policy that does not apply to the
> communication service they applied the policy to.
> 
> i.e. As much as we all dislike Dictatorial Behavior, and we fully recognize
> Softlayer is a Private Entity, who can exercise its right to act
> Dictatorially, Such behavior in the overall community (Internet) is frowned
> upon and (as it should) have a long term negative effect to business.
> 
> Saludos. 
> 
> Faisal Imtiaz 
> Snappy Internet & Telecom 
> 7266 SW 48 Street 
> Miami, FL 33155 
> Tel: 305 663 5518 x 232 
> 
> Help-desk: (305)663-5518 Option 2 or Email: supp...@snappytelecom.net 
> 
>> From: "Carlos A. Carnero Delgado" 
>> To: "Faisal Imtiaz" 
>> Cc: "nanog list" 
>> Sent: Friday, February 19, 2016 6:08:42 PM
>> Subject: Re: Softlayer / Blocking Cuba IP's ?
> 
>> Hi,
> 
>> (disclaimer: I'm Cuban national, living in Cuba, and a long time lurker in
>> this great list)
> 
>> 2016-02-19 15:27 GMT-05:00 Faisal Imtiaz < fai...@snappytelecom.net > :
> 
>>> Considering the fact that such a block was just put in place about a week
>>> ago ? Last time I checked, blocking any part of the world is not part of
>>> any legal requirements on any Global Service Provider ? other than a
>>> 'company policy' ?
> 
>> Being denied access to services, as a Cuban national, is something that we've
>> all experienced here and we (sadly) have come to accept it as a fact of life.
>> Sometimes we resort to proxies/VPNs in order to conceal our origin -- and by
>> a similar token, sometimes, our destination ;).
> 
>> However, there are a couple of things that have made me wonder how arbitrary
>> decisions can be. I think sometimes it just boils down to specific provider
>> policies that try to (maybe rightfully) cover their bottoms in the light of
>> the law. For instance, I can't hide the fact that I have access to Gmail; but
>> at the same time there are many Google properties and services that I can't.
>> There are many companies, global companies, that I can't access, and others
>> are open to us which are, paradoxically, completely based on the US and under
>> US law (won't name them publicly to avoid potential damage).
> 
>> Anyway, I'm going back to lurk mode. However, feel free to ask anything,
>> on- or offlist. And I thank you all for this wonderful resource.
>> Carlos.
> 
> 
> 



Re: Cogent <=> Google Peering issue

2016-02-17 Thread Max Tulyev
If my telepathy still works fine and I understood your question well -
then the answer is "NO, that is not a global well-known issue" ;)

On 17.02.16 18:15, Fred Hollis wrote:
> Anyone else aware of it?
> 



Re: algorithm used by (RIPE region) ISPs to generate automatic BGP prefix filters

2016-02-12 Thread Max Tulyev
Hi Martin,

well, not only as-set and route.

Assume that only the legitimate owner of an inetnum and aut-num, who has the
passwords for the mntner of those objects, can modify their RIPE DB objects
and create routes.

So to create a route object, you have to have access to the inetnum and
aut-num objects (these can have different passwords and owners in general).

Then you state in your aut-num the import from and export to some upstream.
To do that, you have to use your password, of course.

Then your upstream modifies its aut-num, stating import of your ASN from
you and export of your ASN to its upstream... and so on.

So it is possible to provide a full chain of trust inside the RIPE region
that way.

As-sets are only a way to make managing a lot of downstreams' ASNs easier.

Many ISPs use it; there is some software, like the one RETN made, to build
prefix lists for your downstreams automatically. And it works.

There are three problems: first, it is RIPE region specific only. You
can't do that with ARIN nets, for example. Second, it is RIPE-dependent.
So we depend on the RIPE DB when doing routing. In some cases it can do some
harm. Third, if someone steals or "recovers" the RIPE DB password for some
inetnum - he can easily do a hijack through a system that uses RIPE DB
filtering.

On 04.02.16 13:14, Martin T wrote:
> Hi,
> 
> am I correct that ISPs (in RIPE region), who update their BGP prefix
> filters automatically, ask their IP transit customer or peering
> partner to provide their "route"/"route6" object(s) or "as-set" object
> in order to find all the prefixes which they should accept? If the IP
> transit customer or peering partner provides an "as-set", then ISP
> needs to ensure that this "as-set" belongs to this IP transit customer
> or peering partner because there is no automatic authentication for
> this, i.e. anybody can create an "as-set" object to database with
> random "members" attributes? This is opposite to "route"/"route6"
> objects which follow a strict authentication scheme. In addition, in
> case of "as-set", an ISP needs to recursively find all the AS numbers
> from "members" attributes because "as-set" can include other
> "as-sets"? Quite a lot of question, but I would simply like to be sure
> that I understand this correctly.
> 
> 
> thanks,
> Martin
> 
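The filter-building procedure discussed in this exchange, as an added example that is not part of the original thread and is not any ISP's or RETN's software: it expands an as-set recursively (with loop protection), collects the route/route6 objects whose origin falls inside the set, and checks that the as-set shares a maintainer with the customer's aut-num. The RPSL objects are constructed sample data using documentation ASNs and prefixes, and the shared-maintainer rule is an assumed local policy, not a RIPE DB feature.

```python
import ipaddress

# Constructed RPSL objects (documentation ASNs and prefixes), not real RIPE DB data.
SAMPLE_DB = """\
aut-num:  AS64500
mnt-by:   CUST-MNT

as-set:   AS-CUSTOMER
members:  AS64500, AS-DOWNSTREAM
mnt-by:   CUST-MNT

as-set:   AS-DOWNSTREAM
members:  AS64501, AS-CUSTOMER
mnt-by:   DOWN-MNT

as-set:   AS-FORGED
members:  AS64500, AS64511
mnt-by:   OTHER-MNT

route:    192.0.2.0/24
origin:   AS64500

route:    198.51.100.0/24
origin:   AS64501

route6:   2001:db8::/32
origin:   AS64501

route:    203.0.113.0/24
origin:   AS64511
"""

def parse_rpsl(text):
    """Parse blank-line separated RPSL objects into (class, key, attrs) tuples."""
    objects = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        cls = next(iter(attrs))          # the first attribute names the class
        objects.append((cls, attrs[cls][0].upper(), attrs))
    return objects

def expand_as_set(objects, name, max_depth=10):
    """Resolve an as-set to ASNs; 'seen' stops loops between nested sets."""
    sets = {key: attrs for cls, key, attrs in objects if cls == "as-set"}
    asns, seen = set(), set()

    def walk(member, depth):
        member = member.upper()
        if member in seen or depth > max_depth:
            return
        seen.add(member)
        if member in sets:
            for line in sets[member].get("members", []):
                for m in line.split(","):
                    if m.strip():
                        walk(m.strip(), depth + 1)
        elif member.startswith("AS") and member[2:].isdigit():
            asns.add(member)
        # names that are neither a known set nor an ASN are ignored

    walk(name, 0)
    return asns

def build_prefix_filter(objects, as_set):
    """Prefixes of route/route6 objects whose origin is inside the as-set."""
    asns = expand_as_set(objects, as_set)
    nets = [ipaddress.ip_network(key.lower())
            for cls, key, attrs in objects
            if cls in ("route", "route6") and attrs["origin"][0].upper() in asns]
    return sorted(nets, key=lambda n: (n.version, n))

def as_set_owned_by(objects, as_set, customer_asn):
    """Assumed policy: as-set and customer's aut-num share a maintainer."""
    mnt = {(cls, key): {m.upper() for m in attrs.get("mnt-by", [])}
           for cls, key, attrs in objects}
    return bool(mnt.get(("as-set", as_set.upper()), set())
                & mnt.get(("aut-num", customer_asn.upper()), set()))

if __name__ == "__main__":
    db = parse_rpsl(SAMPLE_DB)
    for candidate in ("AS-CUSTOMER", "AS-FORGED"):
        ok = as_set_owned_by(db, candidate, "AS64500")
        print(candidate, "accepted" if ok else "rejected",
              [str(n) for n in build_prefix_filter(db, candidate)])
```

AS-FORGED shows why the ownership check comes first: without it the generated filter would admit 203.0.113.0/24, a prefix originated by an ASN the customer does not control.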



Re: Team Cymru BGP bogon status ???

2016-02-01 Thread Max Tulyev
Looks good for me too (Ukraine/Kiev).

But no IPv6, only IPv4. Is it a bug or a feature? ;)

On 31.01.16 19:23, Tom Storey wrote:
> Working just fine from Virgin Media.
> 
> On 31 January 2016 at 17:19, Daniel Corbe  wrote:
>>> On Jan 31, 2016, at 11:44 AM, Matthew Huff  wrote:
>>>
>>> Starting around 7:17 am EST, we lost our IPv4 & IPv6  BGP connections to 
>>> Cymru. We have two connections in both IPv4 and IPv6 on both of our two 
>>> routers. On each router one connection is stuck in active, the other 
>>> providing 0 prefixes. I can’t get to http://www.team-cymru.org from either 
>>> work or home. Anyone know what’s up?
>>
>> Their website appears to be down as well.  I’m guessing network outage?  
>> Maybe something more sinister?
>>
>>
> 



Re: RADb Outage?

2016-01-23 Thread Max Tulyev
People who do prefix filtering based on *DB may think twice...

On 23.01.16 07:42, Larry J. Blunk wrote:
> 
>    Service for the RADb whois protocol has now been restored.  We were experiencing
> extensive DDOS activity directed at the whois service host(s).
> 
>  Regards,
>Larry Blunk
>Merit
> 
> 



Re: Binge On! - get your umbrellas out, stuff's hitting the fan.

2016-01-10 Thread Max Tulyev
(chewing my pop-corn) Eh... I would like to have that kind of problems!

Here we sell residential 1Gbps for $5/mo with really unlimited traffic,
and have a lot of complaint calls if there is slightly less than 1Gbps
for those particular users.

THAT is how a highly competitive market works! ;)

On 09.01.16 16:06, Mike Hammett wrote:
> Valid points. 
> 
> The best solution for everybody is the solution most consumers are averse 
> to, which is usage based billing. Granted, many times the providers have shot 
> themselves in the foot by making the charges punitive instead of based on 
> cost plus margin. Reasonable $/gig for everybody! :-) 
> 
> 
> 
> 
> - 
> Mike Hammett 
> Intelligent Computing Solutions 
> http://www.ics-il.com 
> 
> 
> 
> Midwest Internet Exchange 
> http://www.midwest-ix.com 
> 
> 
> - Original Message -
> 
> From: "Alan Buxey"  
> To: "Mike Hammett"  
> Cc: "North American Network Operators' Group"  
> Sent: Saturday, January 9, 2016 4:38:58 AM 
> Subject: Re: Binge On! - get your umbrellas out, stuff's hitting the fan. 
> 
> You're assuming that people are only using phones with their SIM - those that 
> use a mifi dongle and thus view content on a tablet or laptop will notice 
> 
> We could rate limit traffic from YouTube to 1.5mbps and let the adaptive 
> streaming knock the stream to 480p but our users with 100mbit connections 
> might wonder why they cannot view 720p or 1080p - and why spicy they view 
> such content - its like putting back the web and online video services 5 
> years. Where does it stop? 320x240 ? 
> 
> Bulk data and background update processes are things that could possibly be 
> throttled - after all, that's pretty much what QoS does. Most of my phone 
> data is google play software updates and on woes phone ios and itunes store 
> updates - it doesn't matter if the update ticks along in the background. 
> Audio and video need to be good. 
> 
> alan 
> 



Re: de-peering for security sake

2015-12-25 Thread Max Tulyev
Come on, keep calm and wait a year: Russia and China will de-peer with
all the world for their security (AKA censorship) reasons! ;)

On 25.12.15 01:44, Colin Johnston wrote:
> see
> http://map.norsecorp.com
> 
> We really need to ask if China and Russia for that matter will not take abuse 
> reports seriously why allow them to network to the internet ?
> 
> Colin
> 
> 



Re: IPv6 Cogent vs Hurricane Electric

2015-12-06 Thread Max Tulyev
On 04.12.15 01:19, Baldur Norddahl wrote:
> On 1 December 2015 at 20:23, Max Tulyev <max...@netassist.ua> wrote:
>> I have to change at least one of my uplinks because of it, which one is
>> better to drop, HE or Cogent?
>>
> 
> Question: Why would you have to drop one of them? You have no problem if
> you have both.

Because of money, isn't it? I don't want to pay twice!

> Even in the case of a link failure to one of them, you will likely not see
> a big impact since everyone else also keeps multiple transits. You will
> only have trouble with people that are single homed Cogent or HE, in which
> case it is more them having a problem than you.

As I fully implement IPv6 on my net, I got a HUGE impact already. That's
the problem.

So as this is not a bug, but a long-time story - I realized that for me as a
customer, connectivity from both Hurricane Electric and Cogent is crap.
So people should avoid both, and buy for example from Level3 and NTT,
which do not have such a problem and do not sell me partial connectivity
without any warning before signing the contract.

I'm just an IP transit customer, and I don't give a something for those
wars over who is the real Tier1. I just want a working service for my money
instead of answering hundreds of calls from my subscribers!


IPv6 Cogent vs Hurricane Electric

2015-12-01 Thread Max Tulyev
Hi All,

we got an issue today that announces from Cogent don't reach Hurricane
Electric. HE support said that's a feature, not a bug.

So we have a split Internet again?

I have to change at least one of my uplinks because of it, which one is
better to drop, HE or Cogent?


Re: IPv6 Cogent vs Hurricane Electric

2015-12-01 Thread Max Tulyev
Just hit it for first time...

Are there any other similar splits in the IPv6 world?

On 01.12.15 21:33, Christopher Morrow wrote:
> hasn't this been the case for ~10 yrs now?
> 
> On Tue, Dec 1, 2015 at 2:23 PM, Max Tulyev <max...@netassist.ua> wrote:
>> Hi All,
>>
>> we got an issue today that announces from Cogent don't reach Hurricane
>> Electric. HE support said that's a feature, not a bug.
>>
>> So we have a split Internet again?
>>
>> I have to change at least one of my uplinks because of it, which one is
>> better to drop, HE or Cogent?
> 



Re: IPv6 Irony.

2015-10-13 Thread Max Tulyev
Well, especially our company hires admins already familiar with IPv6. But
yes, some of our friends' companies had to upgrade admins too.

On 13.10.15 13:22, Stephen Satchell wrote:
> On 10/13/2015 02:56 AM, Max Tulyev wrote:
>> So upgrade hardware and network admins are NOT sufficient for IPv6
>> adoption;)
> 
> Was that a typo?  Didn't you have to upgrade your network admins, too?
> <g,d>
> 



Re: IPv6 Irony.

2015-10-13 Thread Max Tulyev
On our network, we had to spend times more money on people than on hardware.

Customer support, especially network troubleshooting and so on...

So upgrade hardware and network admins are NOT sufficient for IPv6
adoption ;)

On 13.10.15 06:17, Ca By wrote:
> On Monday, October 12, 2015, Donn Lasher  wrote:
> 
>>
>> Having just returned from NANOG65/ARIN36, and hearing about how far IPv6
>> has come.. I find my experience with  support today
>> Ironic.
>>
>> Oh wait..
>>
>> Hi, my name is Donn, and I’m speaking for… myself.
>>
>> Irony is a cable provider, one of the largest, and earliest adopters of
>> IPv6, having ZERO IPv6 support available via phone, chat, or email. And
>> being pointed, by all of those contact methods, to a single website. A
>> static website. In 2015, when IPv4 is officially exhausted.
>>
>> :sigh:
>>
>>
>>
> Tech support websites are long tail
> 
> Pragmatists are focused on getting ipv6 to the masses by default in
> high traffic use cases.
> 
> Sighing about edge cases in the long tail  with ipv6 ... Not sure what you
> expect.
> 
>  outtages>
> 
> CB
> 



Re: AW: /27 the new /24

2015-10-03 Thread Max Tulyev
Which routers? DIR-300 with OpenWRT/Quagga? :)

I think all above-the-trash level routers support >1M routes, don't they?

On 02.10.15 17:45, Jürgen Jaritsch wrote:
> Hi,
> 
> this would at least help to get rid of many old routing engines around the 
> world :) ... or people would keep their "learn nothing smaller than /24" 
> filters in place. Also an option - but not for companies who act as an IP 
> transit provider.
> 
> 
> best regards
> 
> Jürgen Jaritsch
> Head of Network & Infrastructure
> 
> ANEXIA Internetdienstleistungs GmbH
> 
> Phone: +43-5-0556-300
> Fax: +43-5-0556-500
> 
> Email: jjarit...@anexia-it.com 
> Web: http://www.anexia-it.com 
> 
> Headquarters address, Klagenfurt: Feldkirchnerstraße 140, 9020 Klagenfurt
> Managing Director: Alexander Windbichler
> Company register: FN 289918a | Place of jurisdiction: Klagenfurt | VAT ID: AT U63216601
> 
> 
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Justin Wilson - 
> MTIN
> Sent: Friday, 02 October 2015 16:32
> To: NANOG
> Subject: /27 the new /24
> 
> I was in a discussion the other day and several Tier2 providers were talking 
> about the idea of adjusting their BGP filters to accept prefixes smaller than 
> a /24.  A few were saying they thought about going down to as small as a /27. 
>  This was mainly due to more networks coming online and not having even a /24 
> of IPv4 space.  The first argument against this is the potential bloat the 
> global routing table could have.  Many folks have worked hard for years to 
> summarize and such. Others were saying they would do a /26 or bigger.  
> 
> However, what do we do about the new networks which want to do BGP but only 
> can get small allocations from someone (either a RIR or one of their 
> upstreams)?
> 
> Just throwing that out there. Seems like an interesting discussion.
> 
> 
> Justin Wilson
> j...@mtin.net
> 
> ---
> http://www.mtin.net Owner/CEO
> xISP Solutions- Consulting – Data Centers - Bandwidth
> 
> http://www.midwest-ix.com  COO/Chairman
> Internet Exchange - Peering - Distributed Fabric
> 



Script for NAT timeout detection

2015-09-30 Thread Max Tulyev
Hello All,

I have some devices connected under NAT that is not under my control.

Is there some software/script to detect NAT session timeout to adjust
keepalives?

Thank you!


Re: Skype off line ??

2015-09-21 Thread Max Tulyev
For me yes, it is down for several hours.

BTW, is there any Jabber/XMPP client with similar usability?

I need just scroll up to view all history and one click to join someone
to multiuser conference in fact.

On 21.09.15 11:32, Marco Paesani wrote:
> Hi,
> do you have some news about it ?
> Best regards,
> 



Re: Skype off line ??

2015-09-21 Thread Max Tulyev
Google hangouts and jit.si are services, not a client of open protocol.

Feel the difference.

On 21.09.15 13:47, Murat Kaipov wrote:
> 
>  You can use Google Hangouts, but I don't know about multiuser conference.
> 
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Max Tulyev
> Sent: Monday, September 21, 2015 1:27 PM
> To: nanog@nanog.org
> Subject: Re: Skype off line ??
> 
> For me yes, it is down for several hours.
> 
> BTW, is there any Jabber/XMPP client with similar usability?
> 
> I need just scroll up to view all history and one click to join someone to 
> multiuser conference in fact.
> 
> On 21.09.15 11:32, Marco Paesani wrote:
>> Hi,
>> do you have some news about it ?
>> Best regards,
>>
> 
> 



Re: Skype off line ??

2015-09-21 Thread Max Tulyev
This is the question, yes.

But if it will be possible just to scroll up all the history stored by
client - it will be great! Everything I saw was history accessible
through tricky hidden (as user said) menu, not by "just scroll up in the
window".

On 21.09.15 14:21, zaph...@zaphods.net wrote:
> On 2015-09-21 12:58, Max Tulyev wrote:
>> Google hangouts and jit.si are services, not a client of open protocol.
>>
>> Feel the difference.
> 
> Well you can set a server wide default for Jabber/XMPP MUC chats at
> least with ejabberd.
> https://www.process-one.net/docs/ejabberd/guide_en.html#htoc50
> "history_size: Size
> A small history of the current discussion is sent to users when they
> enter the room. With this option you can define the number of history
> messages to keep and send to users joining the room. The value is an
> integer. Setting the value to 0 disables the history feature and, as a
> result, nothing is kept in memory. The default value is 20. This value
> is global and thus affects all rooms on the service."
> 
> That's not quite the same though as you get with Skype where i think the
> history gets synced in a bi-directional fashion.
> 
> kind regards,
> 
>  Stefan
> 
> 
>> On 21.09.15 13:47, Murat Kaipov wrote:
>>>
>>>  You can use Google Hangouts, but I don't know about multiuser
>>> conference.
>>>
>>> -Original Message-
>>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Max Tulyev
>>> Sent: Monday, September 21, 2015 1:27 PM
>>> To: nanog@nanog.org
>>> Subject: Re: Skype off line ??
>>>
>>> For me yes, it is down for several hours.
>>>
>>> BTW, is there any Jabber/XMPP client with similar usability?
>>>
>>> I need just scroll up to view all history and one click to join
>>> someone to multiuser conference in fact.
>>>
>>> On 21.09.15 11:32, Marco Paesani wrote:
>>>> Hi,
>>>> do you have some news about it ?
>>>> Best regards,
>>>>
>>>
>>>
> 
> 



Re: Transit Options in the UK?

2015-09-18 Thread Max Tulyev
It seems that sometimes, if you want a good uplink, you have to rent an L2
channel to another country for that ;) So that can be an option too.

On 17.09.15 23:49, Gary T. Giesen wrote:
> I have a customer who's trying to decide whether to renew their existing
> transit contract or not for a POP they have in the UK and wondering what's
> good for transit options out there.
> 
> Looking for:
> 
> - Good peering/reachability to other networks (I've already started perusing
> the LINX peer list)
> - Decent BGP community set (at a minimum RTBH and local pref, obviously the
> richer the better)
> - v6 support
> - Own the last mile a bonus
> 
> Can anyone offer any recommendations?
> 
> Cheers,
> 
> GTG
> 
> 



Re: Can't reach RIPE WHOIS via IPv6 ?

2015-09-10 Thread Max Tulyev
Same for me from 2a01:d0::/32

telnet whois.ripe.net whois
Trying 2001:67c:2e8:22::c100:687...
Connected to whois.ripe.net.
Escape character is '^]'.
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf

Seems like local routing issue, not global.

On 10.09.15 20:16, Niels Bakker wrote:
> * jo...@iecc.com (John Levine) [Thu 10 Sep 2015, 19:09 CEST]:
>> When I try to contact whois.ripe.net (2001:67c:2e8:22::c100:687) or
>> their REST server rest.db.ripe.net (2001:67c:2e8:22::c100:68e), it
>> times out.  Traceroutes from a couple of different places all seem to
>> loop in Amsterdam, IPv4 is fine.
>>
>> Am I special, or is it just broken?
> 
> WFM
> 
> % telnet whois.ripe.net whois
> Trying 2001:67c:2e8:22::c100:687...
> Connected to whois.ripe.net.
> 
> 
> -- Niels.
> 



Re: internet visualization

2015-09-08 Thread Max Tulyev
Really nice!

How can I do zoom in/zoom out?

On 06.09.15 03:15, Jared Mauch wrote:
> 
> OT: hit delete, or shameless plug disclaimer
> 
>   one of my colleagues just posted this visualization
> of the internet from the as_path view of 2914.  if you are on
> a mobile, you have to physically move your device around.
> 
>   http://as2914.net/
> 
>   If you love it, send Job your accolades.  If you hate it,
> see above disclaimer.  If in a country with a holiday on monday,
> enjoy it safely.
> 
>   - Jared
> 



Re: Peering + Transit Circuits

2015-08-19 Thread Max Tulyev
My solution is:

1. Don't care.
2. If some peer steals your transit, and it is a noticeable amount of
traffic causing some problems for you - investigate and terminate that peer.

On 18.08.15 15:29, Tim Durack wrote:
> Question: What is the preferred practice for separating peering and transit
> circuits?
> 
> 1. Terminate peering and transit on separate routers.
> 2. Terminate peering and transit circuits in separate VRFs.
> 3. QoS/QPPB (
> https://www.nanog.org/meetings/nanog42/presentations/DavidSmith-PeeringPolicyEnforcement.pdf
> )
> 4. Don't worry about peers stealing transit.
> 5. What is peering?
> 
> Your comments are appreciated.
 



Re: BGP Update Report

2015-07-25 Thread Max Tulyev
Unassigned ASN is used and even is in top of the list? WTF?!

On 25.07.15 01:00, cidr-rep...@potaroo.net wrote:

> Rank  ASN       Upds     %      Upds/Pfx   AS-Name
>  2 -  AS22059   140461   3.6%   70230.5    -- -Reserved AS-,ZZ



Re: United Airlines is Down (!) due to network connectivity problems

2015-07-08 Thread Max Tulyev
I noticed there are days when different nets that have no links with each
other become faulty. It magically happens. We usually stop all our
planned work on these days.

On 08.07.15 19:50, Matthew Huff wrote:
> Once is happenstance
> Twice is coincidence
> Three times is enemy action…
> 
> Serious, could all be just everyone having a bad day. On the other hand, the 
> WSJ has to deal with DOS/DDOS all the time, and usually if the NYSE has 
> issues, it’s normally on a Monday.
> 
> 
> 
> On Jul 8, 2015, at 12:36 PM, Paul Ferguson fergdawgs...@mykolab.com wrote:
>>
>> All completely coincidental networking issues, not related to anything
>> malicious.
>> 
>> - ferg
>> 
>> 
>> On 7/8/2015 9:26 AM, Matthew Huff wrote:
>>> 
>>> Hmmm,
>>>
>>> Wall Street Journal and NYSE both down….
>>>
>>> WSJ has a static page up…
>>>
>>> DDOS ???
>>>
>>>
>>>
>>> On Jul 8, 2015, at 10:51 AM, Patrick W. Gilmore
>>> patr...@ianai.net wrote:
>>>>
>>>>
>>>> Lifted as of 0920 EDT.
>>>>
>>>> http://www.foxnews.com/us/2015/07/08/united-airlines-flights-in-us-grounded-due-to-computer-issues/?intcmp=latestnews



 



Re: Youtube / IPv6 / Netherlands

2015-06-25 Thread Max Tulyev
Hi,

+1.

Our 2a01:d0::/32 is floating by Google's geo all around the world, it
was Iran, now it is Russia... and I can't do anything with it, and have
no human contact in Google for complaint.

On 25.06.15 15:33, Marco Davids wrote:
> Hi,
> 
> Would anyone from Google care to explain to me off-list why certain
> Youtube-content is blocked in the Netherlands while using IPv6 when it
> is working fine via IPv4?
> 
> Geolocation imperfections perhaps?
> 
> The IPv6-address is within 2a02:a47f:e000::/36
> (actually, it is: 2a02:a444:443b:0::::)
> 
> Thank you.
 
 



Re: Anycast provider for SMTP?

2015-06-15 Thread Max Tulyev
I see no major problems to use anycast for that.

The problem will be in the rare case when the particular routing chain from
client to one of your servers changes while a TCP stream is active.

SMTP has short connections. Even if it happens, it will look like just
a broken connection to the client, and it will shortly retry.

Am I missing something?

On 15.06.15 20:50, Joe Hamelin wrote:
> I have a mail system where there are two MX hosts, one in the US and one in
> Europe.  Both have a DNS MX record metric of 10 so a bastardized
> round-robin takes place.  This does not work so well when one site goes
> down.   My solution will be to place a load balancer in a hosting site
> (virtual, of course) and have it provide HA.  But what about HA for the
> LB?  At first glance anycasting would seem to be a great idea but there is
> a problem of broken sessions when routes change.
> 
> Have any of you seen something like this work in the wild?
> 
> 
> --
> Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474
 



Re: BGP in the Washngton Post

2015-06-01 Thread Max Tulyev
Is there *IN THEORY* any possibility to make BGP secure enough now?

Yes, RPKI protects from fat-fingered people, but does NOT protect from
people doing hijacks knowingly.

The global routing registry really can be the solution, but it
automatically gives one authority a power to cut off any network.
Imagine how fast it will be used for censorship.

On 01.06.15 16:24, William Herrin wrote:
> Interesting story about BGP and security in the Washington Post today:
> 
> http://www.washingtonpost.com/sf/business/2015/05/31/net-of-insecurity-part-2/
> 
> -Bill
 



Re: Low Cost 10G Router

2015-05-19 Thread Max Tulyev
Last config I touched: 2xIntel(R) Xeon(R) CPU E5-2650 0 @ 2.00GHz, 12
Gbit summary, 5% each core load.

On 19.05.15 21:06, Piotr Iwanejko wrote:
> Message written by Max Tulyev max...@netassist.ua on 19 May 2015, 
> at 19:58:
>> We are using softrouters based on Supermicro chassis, E5v3 cpu,
>> Linux/BIRD and Intel 10G NICs. And VERY happy.
> 
> Out of curiosity, how much traffic you pass over those softrouters?
> 
> Piotr
 



Re: Spamhaus BGP feed experiences?

2015-05-19 Thread Max Tulyev
How many false positives (i.e. blackholing traffic users want to reach)?

On 18.05.15 21:04, Marco d'Itri wrote:
> On May 17, Mike Lyon mike.l...@gmail.com wrote:
> 
>> Any ISPs out there (big or small) ever used the Spamhaus BGP feed to
>> prevent against botnet, spam, etc? If so, how has your experience been? Is
>> it worthwhile? Has it helped? On / off list responses are appreciated in
>> advance.
> We use Spamhaus DROP (not the BGP version: our software asks a human to 
> review each change).
> The benefits are not obvious since we do not have access customers, but 
> it will blackhole some networks you obviously do not want to talk to,
> and it has not caused any troubles either.
 



Re: Low Cost 10G Router

2015-05-19 Thread Max Tulyev
1.4Mpps now.

On 19.05.15 21:32, Oleg A. Arkhangelsky wrote:
 
 
> 19.05.2015, 21:26, Max Tulyev max...@netassist.ua:
>> Last config I touched: 2xIntel(R) Xeon(R) CPU E5-2650 0 @ 2.00GHz, 12
>> Gbit summary, 5% each core load.
> 
> And what PPS rate (in+out)?
> 
> --
> wbr, Oleg.
> 
> Anarchy is about taking complete responsibility for yourself.
>   Alan Moore.
 



Re: Low Cost 10G Router

2015-05-19 Thread Max Tulyev
We are using softrouters based on Supermicro chassis, E5v3 cpu,
Linux/BIRD and Intel 10G NICs. And VERY happy.

On 19.05.15 20:22, Colton Conor wrote:
> What options are available for a small, low cost router that has at least
> four 10G ports, and can handle full BGP routes? All that I know of are the
> Juniper MX80, and the Brocade CER line. What does Cisco and others have
> that compete with these two? Any other vendors besides Juniper, Brocade,
> and Cisco to look at?
 



Re: Peering and Network Cost

2015-04-21 Thread Max Tulyev
That's generally a good idea, but average TCP session speed depends not
only on your side of the connection, but on the other side as well.

On 18.04.15 07:58, Mark Tinka wrote:
 
 
> On 17/Apr/15 15:05, Max Tulyev wrote:
>> One more interesting thing.
>>
>> If you buy IP transit, mostly you are paying by exact bandwidth, per
>> megabit. If you buy IX peering port, you are paying for port. This means
>> Transit ports are overloaded or close to it, while IX ports usually
>> always have some extra free capacity.
>>
>> In practice, this mean if your customer download some file using IX way,
>> speed will be much higher than same file reachable by IP transit.
> 
> This depends entirely on how you run your network. If you run links hot,
> you can't guarantee anything (keeping in mind that your less congested
> exchange point ports does not mean other exchange point members are in
> the same position also).
> 
> We, for example, buy transit or peer with a minimum of 10Gbps port, with
> the ability to push traffic at line rate if needed. We do not allow
> ports to run hot (typically upgrading them anywhere from between 50% -
> 70% utilization). I appreciate that not everyone can be in this
> position, while others can be even more aggressive with their
> over-engineering, but this kind of information is hard to quantify
> reliably.
> 
> There is also backhaul from the interconnect point into the backbone to
> think about, but that follows a similar strategy.
> 
> Mark.
 
 


