Learning about the internet
Hi, I was just reading about transatlantic cabling in some hopes that I would be able to find an answer as to why the latency between here in Greece and Los Angeles is roughly ~250ms. This seems to be a really common thing, although I'd like to understand why, and the articles on transatlantic cabling, as near as I can tell, indicate that I am getting screwed if anything (not enough information?) (from Los Angeles to my house):

    gw ~ # mtr --report-wide xxx.access.hol.gr
    Start: Mon Nov  3 13:04:02 2014
    HOST: gw                                      Loss%   Snt   Last   Avg  Best  Wrst StDev
      1.|-- 208.79.92.65                          10.0%    10    1.5   3.6   1.2  15.5   4.6
      2.|-- s7.lax.arpnetworks.com                 0.0%    10    0.8  10.9   0.8  54.2  20.7
      3.|-- vlan953.car2.LosAngeles1.Level3.net   30.0%    10   10.5  10.3  10.1  10.8   0.0
      4.|-- ae-27-27.edge6.LosAngeles1.Level3.net 30.0%    10   21.8  16.2   8.6  47.6  14.7
      5.|-- ae-4-90.edge1.LosAngeles6.Level3.net  80.0%    10    9.0   8.9   8.7   9.0   0.0
      6.|-- be3036.ccr21.lax04.atlas.cogentco.com 10.0%    10    1.7   2.1   1.4   4.3   0.7
      7.|-- be2076.mpd22.lax01.atlas.cogentco.com 10.0%    10    1.6   1.9   1.6   3.2   0.0
      8.|-- be2068.ccr22.iah01.atlas.cogentco.com  0.0%    10   37.7  37.7  37.3  39.0   0.3
      9.|-- be2173.ccr42.atl01.atlas.cogentco.com  0.0%    10   51.6  52.4  51.5  57.5   1.7
     10.|-- be2171.mpd22.dca01.atlas.cogentco.com  0.0%    10   62.6  62.7  62.4  63.3   0.0
     11.|-- be2112.ccr41.iad02.atlas.cogentco.com  0.0%    10  155.5 155.8 155.5 156.1   0.0
     12.|-- be2268.ccr42.par01.atlas.cogentco.com  0.0%    10  152.6 152.7 152.5 153.5   0.0
     13.|-- be2278.ccr42.fra03.atlas.cogentco.com  0.0%    10  155.3 155.4 155.1 155.5   0.0
     14.|-- be2229.ccr22.muc01.atlas.cogentco.com  0.0%    10  161.2 161.1 160.9 161.3   0.0
     15.|-- be2223.ccr21.vie01.atlas.cogentco.com  0.0%    10  164.9 165.1 164.9 165.2   0.0
     16.|-- be2046.ccr21.sof02.atlas.cogentco.com  0.0%    10  189.5 189.4 189.3 189.9   0.0
     17.|-- be2118.rcr11.ath01.atlas.cogentco.com  0.0%    10  197.5 197.6 197.4 197.7   0.0
     18.|-- 149.11.120.38                          0.0%    10  202.7 202.2 200.3 204.2   1.4
     19.|-- 62.38.97.113                          80.0%    10  208.5 209.8 208.5 211.1   1.7
     20.|-- gigaeth04-13.krs00.ar.hol.gr          60.0%    10  211.3 213.0 211.2 218.2   3.4
     21.|-- ???                                  100.0     10    0.0   0.0   0.0   0.0   0.0
     22.|-- .access.hol.gr                        40.0%    10  231.3 231.4 231.2 231.7   0.0
    gw ~ #

And to be more clear: I am hoping to learn about the complex trials that these packets are going through and how time is being lost, if the latency across the transatlantic cable is really capable of less than 60ms. Sure, over capacity (3.2Tbit/s, wow jeez) is one answer, but what are some other possibilities for loss of time?

Also, it seems with my VPN (OpenVPN) tunnel I get the most reliable connection (fewest drops) with:

    mssfix 576
    fragment 576

Although this could be a false positive, as it only *seems* to help with reliability since I changed it. Even then, but less often than before, I still experience drops, but I want to believe that's possibly due to my ISP at that point... but assuming my ISP was absolutely perfect and never a problem, what else is there to consider? Any and all insight is appreciated.

-Paige
Re: 4.2.2.2 4.2.2.21 High Packet Loss
On 10/25/14 02:03, Rafael Possamai wrote:
Those addresses are anycasted, so you would have to do a bit of research and figure out what part of their network is having any packet loss. Here is an alternative: http://www.opennicproject.org/

On Fri, Oct 24, 2014 at 11:05 AM, Emir Sosa emirs...@gmail.com wrote:
Anyone else experiencing high packet loss? Any word out there what's happening?
Regards, Emir Sosa emirs...@gmail.com

Are you familiar with mtr (my traceroute)? Try this:

    erratic@laptop ~ $ mtr -c 10 --report 4.2.2.1
    Start: Sun Oct 26 14:16:00 2014
    HOST: laptop              Loss%   Snt   Last   Avg  Best  Wrst StDev
      1.|-- 206.125.168.65     0.0%    10  235.6 240.5 235.2 281.3  14.3
      2.|-- 208.79.92.65       0.0%    10  241.7 249.3 235.8 295.8  17.2
      3.|-- 208.79.88.135      0.0%    10  245.1 237.2 234.7 245.1   3.1
      4.|-- 4.71.143.105       0.0%    10  244.4 294.9 243.6 369.4  51.6
      5.|-- 4.69.201.17        0.0%    10  245.4 245.8 244.3 248.2   0.9
      6.|-- 4.69.144.73        0.0%    10  243.5 249.2 243.3 296.9  16.7
      7.|-- 4.2.2.1            0.0%    10  245.4 245.3 244.3 249.3   1.4
    erratic@laptop ~ $

I was seeing quite a bit of loss on Level3 a minute ago in --ncurses.
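An added example, not part of either post above: a short Python script that reads mtr report output like the Greece/Los Angeles trace in the first post and the 4.2.2.1 trace in this one, and makes explicit the two things that are easy to misread in them. First, loss at an intermediate hop that later hops do not show (80% at hop 5, 100% at hop 21 in the first trace) is the router rate-limiting or deprioritising its own ICMP replies, not dropped traffic; only loss that reaches the destination is real. Second, mtr reports round trips, so the 93ms jump between Cogent's dca01 and iad02 (both Washington-area routers a few milliseconds apart) is the length of hop 11's reply path, not that link; the transatlantic crossing itself is cheap by comparison. The report text embedded below is constructed from a subset of the hops quoted in the first post; the fibre speed and the two distances are rough assumptions, not measurements.

```python
"""Parse `mtr --report` output, separate real loss from ICMP rate limiting,
find the largest RTT jump, and compare with the speed-of-light floor.
Added example; the sample report is constructed from hops quoted in the thread."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: light covers roughly 200 km per millisecond in glass fibre
# (refractive index about 1.5), so the RTT floor is 2 * km / 200.
FIBRE_KM_PER_MS = 200.0

# Hop lines look like: " 10.|-- host   0.0%    10   62.6  62.7  62.4  63.3   0.0"
HOP_RE = re.compile(
    r"^\s*(\d+)\.\|--\s+(\S+)\s+([\d.]+)%?\s+(\d+)"
    r"\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)\s*$"
)

# Constructed subset of the Greece <-> Los Angeles report (columns as mtr prints them).
SAMPLE_REPORT = """\
HOST: gw                                      Loss%   Snt   Last   Avg  Best  Wrst StDev
  1.|-- 208.79.92.65                          10.0%    10    1.5   3.6   1.2  15.5   4.6
  5.|-- ae-4-90.edge1.LosAngeles6.Level3.net  80.0%    10    9.0   8.9   8.7   9.0   0.0
 10.|-- be2171.mpd22.dca01.atlas.cogentco.com  0.0%    10   62.6  62.7  62.4  63.3   0.0
 11.|-- be2112.ccr41.iad02.atlas.cogentco.com  0.0%    10  155.5 155.8 155.5 156.1   0.0
 19.|-- 62.38.97.113                          80.0%    10  208.5 209.8 208.5 211.1   1.7
 21.|-- ???                                  100.0     10    0.0   0.0   0.0   0.0   0.0
 22.|-- xxx.access.hol.gr                     40.0%    10  231.3 231.4 231.2 231.7   0.0
"""


@dataclass
class Hop:
    num: int
    host: str
    loss: float   # percent of probes unanswered by this hop
    sent: int
    avg: float    # round-trip time to this hop, ms
    best: float
    worst: float


def parse_mtr(report: str) -> list[Hop]:
    """Keep only hop lines; the HOST banner and any Start: line are skipped."""
    hops = []
    for line in report.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        num, host, loss, sent, _last, avg, best, worst, _stdev = m.groups()
        hops.append(Hop(int(num), host, float(loss), int(sent),
                        float(avg), float(best), float(worst)))
    return hops


def classify_loss(hops: list[Hop]) -> dict[str, str]:
    """A hop that drops probes while some later hop answers better is still
    forwarding; only its own ICMP replies are missing. Loss at the final hop
    is the loss the user actually experiences."""
    verdicts = {}
    for i, hop in enumerate(hops[:-1]):
        if hop.loss == 0.0:
            continue
        downstream_min = min(h.loss for h in hops[i + 1:])
        verdicts[hop.host] = ("forwarding fine (ICMP replies deprioritised)"
                              if downstream_min < hop.loss else "real loss")
    last = hops[-1]
    verdicts[last.host] = "real loss at destination" if last.loss else "clean"
    return verdicts


def biggest_jump(hops: list[Hop]) -> tuple[str, str, float]:
    """Largest increase in average RTT between consecutive answering hops.
    Because mtr measures round trips, the jump may be on the reply path."""
    answering = [h for h in hops if h.loss < 100.0]
    best = None
    for a, b in zip(answering, answering[1:]):
        delta = round(b.avg - a.avg, 1)
        if best is None or delta > best[2]:
            best = (a.host, b.host, delta)
    return best


def fibre_floor_ms(path_km: float) -> float:
    """Physics-only RTT for a path of path_km; real cable routes are longer
    than great-circle distance and queueing comes on top."""
    return round(2 * path_km / FIBRE_KM_PER_MS, 1)


if __name__ == "__main__":
    hops = parse_mtr(SAMPLE_REPORT)
    for host, verdict in classify_loss(hops).items():
        print(f"{host:40} {verdict}")
    print("largest RTT jump:", biggest_jump(hops))
    # Assumed great-circle distances: New York-London ~5,600 km, LA-Athens ~11,000 km.
    print("fibre floor NYC-LON:", fibre_floor_ms(5600), "ms")
    print("fibre floor LAX-ATH:", fibre_floor_ms(11000), "ms")
```

Fed the full report from the first post, the script marks hops 1, 5, 19 and 21 as reply deprioritisation and only the 40% at the final hop as real; the 110ms floor for Los Angeles to Athens shows that roughly half of the observed 231ms is physics and the rest is routing, queueing and the return path.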
Re: Why is .gov only for US government agencies?
On 10/19/14 12:42, Donald Eastlake wrote:
Why is the Greek flag always flown at the Olympics as well as the Olympic and host nation flags? Why is Britain the only country allowed, under Universal Postal Union regulations, to have no national identification on its stamps used in international mail? Basically, if you are first, you tend to get extra privileges. Same with .gov for the US government.
Thanks, Donald
Donald E. Eastlake 3rd +1-508-333-2270 (cell) 155 Beaver Street, Milford, MA 01757 USA d3e...@gmail.com

On Sun, Oct 19, 2014 at 8:05 AM, Matthew Petach mpet...@netflight.com wrote:
Wondering if some of the long-time list members can shed some light on the question: why is the .gov top level domain only for use by US government agencies? Where do other world powers put their government agency domains? With the exception of the ccTLDs, shouldn't the top-level gTLDs be generically open to anyone regardless of borders? Would love to get any info about the history of the decision to make it US-only. Thanks! Matt

Do as we say, not as we do.
Re: IPv6 Default Allocation - What size allocation are you giving out
Makes more sense to hand out /48s imho. There's only a mere 65k /48s per /32 (or something like that), though.

On 10/09/14 12:29, Mark Andrews wrote:
In message 1aa6f1a9-d63b-4066-903d-0e8690c7c...@isi.edu, manning bill writes:
yes! by ALL means, hand out /48s. There is huge benefit to announcing all that dark space, esp. when virtually no one practices BCP-38, esp in IPv6 land.
/bill PO Box 12317 Marina del Rey, CA 90295 310.322.8102

and if everyone hands out /48's you just filter /48's. With a mix of /56 and /48 you need to filter at the /56 level. Given enterprises are getting /48's it will be simpler overall for everyone to get /48's.

On 8 October 2014 Wednesday, at 18:31, Mark Andrews ma...@isc.org wrote:
Give them a /48. This is IPv6 not IPv4. Take the IPv4 glasses off and put on the IPv6 glasses. Stop constraining your customers because you feel that it is a waste. It is not a waste. It will also reduce the number of exceptions you need to process and make overall administration easier.

As for only two subnets, I expect lots of equipment to request prefixes in the future, not just traditional routers. It will have discrete internal components which communicate using IPv6 and those components need to talk to each other and the world. In an IPv4 world they would be NAT'd. In an IPv6 world the router requests a prefix.
Mark

In message 495d0934da46854a9ca758393724d5906da...@ni-mail02.nii.ads, Erik Sundberg writes:
I am planning out our IPv6 deployment right now and I am trying to figure out our default allocation for customer LAN blocks. So what is everyone giving for a default LAN allocation for IPv6 customers? I guess the idea of handing a customer a /56 (256 /64s) or a /48 (65,536 /64s) just makes me cringe at the waste. Especially when you know 90% of customers will never have more than 2 or 3 subnets. As I see it the customer can always ask for more IPv6 space.

/64 /60 /56 /48

Small Customer? Medium Customer? Large Customer?

Thanks, Erik

CONFIDENTIALITY NOTICE: This e-mail transmission, and any documents, files or previous e-mail messages attached to it may contain confidential information that is legally privileged. If you are not the intended recipient, or a person responsible for delivering it to the intended recipient, you are hereby notified that any disclosure, copying, distribution or use of any of the information contained in or attached to this transmission is STRICTLY PROHIBITED. If you have received this transmission in error please notify the sender immediately by replying to this e-mail. You must destroy the original transmission and its attachments without reading or saving in any manner. Thank you.

Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
Re: Marriott wifi blocking
On 10/10/14 01:02, Naslund, Steve wrote: Yes, the BART case is different because we are talking about a public safety functionality. It really does not even matter who owns the repeaters. Let's say one of the carriers suddenly shuts down their very own cell sites to purposely deny public service.You can almost guarantee that an FCC enforcement action will result because carriers have a public safety responsibility. The state communications commission could even pull your license for that and the FCC could ultimately pull your spectrum licenses for using a public resource in a way not beneficial to the public. BART disrupting cell repeaters is tantamount to you doing anything to disrupt 911 service which is illegal whether you own the gear or not. I don't know what the exact rule currently is but I'm sure it would take someone like Homeland Security to shut down a cellular network for national security reasons. For example, interrupting a cellular bomb detonator or a coordinated terrorist attack. The legal concept of greater good comes into effect at that point. As a common carrier, I know I would not shut down anything that affects 911 service deliberately without either the proper notifications taking place or a federal court order in my hand (and it better be federal because those are the laws you are asking me to throw out here). The funny thing about cell service (or repeaters in this case) is that there isn't usually a mandate to provide coverage in any particular area but once you provide it you are on the hook to maintain it and not purposely disrupt it. Again, it is the intent in this case that matters. If BART had a maintenance problem or the equipment was damaged, they would be off the hook but they purposely interrupted the service to deny communications services to a group of users. Cell sites go down all the time for maintenance scheduled or otherwise but if you are doing it to purposely deny service, it's another story. Again, intent matters...a lot. 
I definitely see abuse of authority (not really a criminal act in itself, but not nice for sure) and for sure civil liability, not so much a 1st Amendment issue since the government is under no real obligation to give you the means to communicate (like repeaters). It's the 911 service disruption that is most criminal here. Steve However, that's not what was being discussed in the BART example. In this case, repeaters with unclear ownership operated by cellular providers were shut down by BART authorities to try and disrupt a protest. That's not active jamming, so most likely, not an FCC issue. There are other areas of concern, however, such as 1st amendment violations, abuse of authority, potential civil liability if anyone was unable to reach 911 in an expected manner, etc. Owen see if you can get tor browser to work... download it from torproject.org
netfilter/iptables synproxy; need help deciding
Hi, I guess syncookies wasn't enough and the SYNPROXY target is a relatively new addition to netfilter. If I remember correctly this has been a part of BSD PF for quite some time and is pretty easy to get up and working. I recently tried to set this up on one of my gateways, considering that it's just one less uncovered means for somebody to be a dick that I have to deal with in the future. But, after spending some time researching and asking on Freenode, I have been unable to determine whether or not it works, or even makes any sense. I'm starting to think it's a moot point.

pastie.org/private/gjsypxkpjs8kuev0tlbxrw#22 (iptables rules; plenty of things to pick at, but please try to focus on the subject of synproxy for the purpose of this e-mail.)

Based on the following table I want to say it's not working, because it seems to never change: http://pastie.org/private/xwct5opbb0aajcko2tnpw

More info on /proc/stat/synproxy: http://www.spinics.net/lists/netdev/msg264350.html

My only guess is that you can't do this at all with NAT because it relies on conntrack, or maybe it will only work with SNAT? I don't understand this well enough to say; are proper firewall rules really a science that needs to be understood that far in depth? Why is this not documented? This tutorial seems to indicate that you could use this with a NAT'd network: http://www.academia.edu/6773989/Homemade_DDoS_Protection_Using_IPTables_SYNPROXY

I really would like to come to some closure on this subject. Whether it needs to be done right or not done at all, I'm tired of it looming over me. I really want to believe I should do the very best to have all mitigation techniques already in place, but I'm having a hard time understanding why this is next to impossible to figure out if it's so important.

#netfilter on Freenode is next to no help, the mailing list seems to be unavailable, and the things people are saying about how I should just switch back to using pf seem like a drastic solution when people in #netfilter are so content (yet many of them have never heard of synproxy before.)

Any thoughts on this are appreciated, -Paige
Re: netfilter/iptables synproxy; need help deciding
On 10/08/14 18:06, Thijs Stuurman wrote:
I set up a bridge at home to filter traffic using iptables with synproxy. I tried to adjust the lines so that it would log hits, but that wouldn't work. It gave me a message to read dmesg for why it didn't work, but dmesg had no information in it. However, when I turned on the lines in my iptables configuration file (a bash script to load in the rules, basically) it did filter out a SYN attack, and the output of cat /proc/net/stat/synproxy showed syn_received go up. (see https://r00t-services.net/knowledgebase/14/Homemade-DDoS-Protection-Using-IPTables-SYNPROXY.html) A tcpdump on the bridge confirmed the packets coming in, and on my server behind it they didn't, so that worked, while I could still access the apache service perfectly fine. I haven't done any further testing, just got the setup to work late last night.

Kind regards / Vriendelijke groet, IS Group Thijs Stuurman
Powered by results. Wielingenstraat 8 | T +31 (0)299 476 185 1441 ZR Purmerend | F +31 (0)299 476 288 http://www.is.nl | KvK Hoorn 36049256
IS Group is ISO 9001:2008, ISO/IEC 27001:2005, ISO 20.000-1:2005, ISAE 3402 and PCI DSS certified.

-----Original message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On behalf of Paige Thompson
Sent: Wednesday, October 8, 2014 4:51 PM
To: Nanog
Subject: netfilter/iptables synproxy; need help deciding

Hi, I guess syncookies wasn't enough and the SYNPROXY target is a relatively new addition to netfilter. If I remember correctly this has been a part of BSD PF for quite some time and is pretty easy to get up and working. I recently tried to set this up on one of my gateways, considering that it's just one less uncovered means for somebody to be a dick that I have to deal with in the future. But, after spending some time researching and asking on Freenode, I have been unable to determine whether or not it works, or even makes any sense. I'm starting to think it's a moot point.

pastie.org/private/gjsypxkpjs8kuev0tlbxrw#22 (iptables rules; plenty of things to pick at, but please try to focus on the subject of synproxy for the purpose of this e-mail.)

Based on the following table I want to say it's not working, because it seems to never change: http://pastie.org/private/xwct5opbb0aajcko2tnpw

More info on /proc/stat/synproxy: http://www.spinics.net/lists/netdev/msg264350.html

My only guess is that you can't do this at all with NAT because it relies on conntrack, or maybe it will only work with SNAT? I don't understand this well enough to say; are proper firewall rules really a science that needs to be understood that far in depth? Why is this not documented? This tutorial seems to indicate that you could use this with a NAT'd network: http://www.academia.edu/6773989/Homemade_DDoS_Protection_Using_IPTables_SYNPROXY

I really would like to come to some closure on this subject. Whether it needs to be done right or not done at all, I'm tired of it looming over me. I really want to believe I should do the very best to have all mitigation techniques already in place, but I'm having a hard time understanding why this is next to impossible to figure out if it's so important.

#netfilter on Freenode is next to no help, the mailing list seems to be unavailable, and the things people are saying about how I should just switch back to using pf seem like a drastic solution when people in #netfilter are so content (yet many of them have never heard of synproxy before.)

Any thoughts on this are appreciated, -Paige

Yeah, I have no way to test for sure, but I can tell you this, which I forgot to mention: all of my services still work with these rules:

    -A PREROUTING -d 172.16.20.98/32 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack
    -A PREROUTING -d 172.16.40.98/32 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack
    -A PREROUTING -d 172.16.80.98/32 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack

None of my services worked with this rule:

    -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j CT --notrack

I sort of get it, but I totally don't get it. I'm not sure what traffic that second rule is matching (or if the -d even works in the raw table; maybe that's bunk too.) I don't think the first set are working, but I have no way to test it either.
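An added example, not Paige's or Thijs's ruleset: the three rules SYNPROXY needs for a TCP service on the gateway itself, in the shape the iptables-extensions(8) SYNPROXY section gives them, built and rendered from Python so the ordering and the reason for each piece stay visible, plus a reader for /proc/net/stat/synproxy so you can tell whether the target is doing anything. Two things this makes concrete for the rules above: -d is an ordinary match and works in the raw table like anywhere else, and a raw --notrack rule only does something useful when a filter-table SYNPROXY rule picks up the same traffic as UNTRACKED; a catch-all --notrack for every SYN, with no SYNPROXY rule behind it, simply leaves every new connection with no conntrack entry from its SYN, so any later rule that relies on conntrack state stops behaving as expected. The interface and port are placeholders; the stat sample is constructed. Protecting hosts behind the gateway (FORWARD chain, with or without DNAT) is outside what this example covers.

```python
"""Minimal SYNPROXY deployment for a TCP service on the gateway (INPUT chain)
and a reader for /proc/net/stat/synproxy. Added example; iface/port are
placeholders and SAMPLE_STAT is constructed, not real output."""
from __future__ import annotations

import shlex
import subprocess


def synproxy_rules(iface: str, port: int) -> list[list[str]]:
    """Commands in the order they must be applied.

    - tcp_loose=0: conntrack must not adopt a mid-stream ACK as a new
      connection, otherwise the INVALID/UNTRACKED match below never fires.
    - raw/PREROUTING --notrack on the SYN (`--syn` equals
      `--tcp-flags FIN,SYN,RST,ACK SYN`): no conntrack entry is created, so
      SYNPROXY answers the SYN with a cookie instead of the real service.
    - filter/INPUT SYNPROXY on INVALID,UNTRACKED: UNTRACKED is the SYN,
      INVALID is the client's final ACK (no state exists yet); a good cookie
      makes SYNPROXY open the real connection to the service.
    - drop whatever is still INVALID: bad cookies, stray ACKs.
    """
    dport = str(port)
    return [
        ["sysctl", "-w", "net.netfilter.nf_conntrack_tcp_loose=0"],
        ["sysctl", "-w", "net.ipv4.tcp_syncookies=1"],
        ["sysctl", "-w", "net.ipv4.tcp_timestamps=1"],
        ["iptables", "-t", "raw", "-A", "PREROUTING", "-i", iface,
         "-p", "tcp", "--dport", dport, "--syn", "-j", "CT", "--notrack"],
        ["iptables", "-A", "INPUT", "-i", iface, "-p", "tcp", "--dport", dport,
         "-m", "conntrack", "--ctstate", "INVALID,UNTRACKED",
         "-j", "SYNPROXY", "--sack-perm", "--timestamp",
         "--wscale", "7", "--mss", "1460"],
        ["iptables", "-A", "INPUT", "-i", iface, "-p", "tcp", "--dport", dport,
         "-m", "conntrack", "--ctstate", "INVALID", "-j", "DROP"],
    ]


def render(rules: list[list[str]]) -> str:
    """Shell-safe text of the rules, for review or for a boot script."""
    return "\n".join(shlex.join(argv) for argv in rules)


def apply(rules: list[list[str]]) -> None:
    """Run the rules as root; stops at the first command that fails."""
    for argv in rules:
        subprocess.run(argv, check=True)


# /proc/net/stat/synproxy: a header line, then one row of 32-bit hex
# counters per CPU. Constructed two-CPU sample.
SAMPLE_STAT = """\
entries\t\tsyn_received\tcookie_invalid\tcookie_valid\tcookie_retrans\tconn_reopened
00000000\t0000000a\t00000001\t00000009\t00000000\t00000000
00000000\t00000006\t00000000\t00000006\t00000000\t00000000
"""


def parse_synproxy_stat(text: str) -> dict[str, int]:
    """Sum each counter across all CPU rows."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    names = lines[0].split()
    totals = dict.fromkeys(names, 0)
    for row in lines[1:]:
        for name, value in zip(names, row.split()):
            totals[name] += int(value, 16)
    return totals


def read_synproxy_stat(path: str = "/proc/net/stat/synproxy") -> dict[str, int]:
    with open(path) as f:
        return parse_synproxy_stat(f.read())


def counters_moved(before: dict[str, int], after: dict[str, int]) -> dict[str, int]:
    """Deltas between two snapshots. If syn_received stays flat while SYNs hit
    the protected port, the raw rule is not matching them (wrong interface,
    address, or the SYNPROXY rule is missing so UNTRACKED never reaches it)."""
    return {k: after[k] - before[k] for k in before if after[k] != before[k]}


if __name__ == "__main__":
    print(render(synproxy_rules("eth0", 80)))
    print(parse_synproxy_stat(SAMPLE_STAT))
```

To check that it is live, snapshot read_synproxy_stat() on the gateway, send a burst of SYNs to the protected port from another host, snapshot again and look at counters_moved(): syn_received should rise by the number of SYNs sent and cookie_valid by the number of handshakes a real client completed.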
Re: netfilter/iptables synproxy; need help deciding
On 10/08/14 17:54, Roland Dobbins wrote:
On Oct 8, 2014, at 9:43 PM, Paige Thompson paigead...@gmail.com wrote:
Any thoughts on this are appreciated,
http://mailman.nanog.org/pipermail/nanog/2010-January/016747.html
https://app.box.com/s/e6hdt0iansu1sdb6m42t pp. 30-36.
-- Roland Dobbins rdobb...@arbor.net // http://www.arbornetworks.com
Equo ne credite, Teucri. -- Laocoön

Re pp. 30-36: I think I catch your drift (i.e. using Cisco NetFlow to detect a SYN flood?), but would you care to summarize just in case, because I am not this savvy but would like to understand. Also, in regards to Snort inline, I've been trying to figure out whether or not Snort/DAQ/NFQ (netfilter) is appropriate. I cannot get this to work, but it seems like on a gateway, for example where I have all of this iptables stuff, NFQ would be appropriate and would probably help with all of the false positives (3-way handshake and a couple of others) I see when trying to use the pcap driver (the only one that will work.)
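An added example, not taken from the slides Roland links: what a SYN flood looks like in flow telemetry and a check that flags it, answering the "NetFlow to detect a SYN flood?" question in general terms rather than for any one collector. A NetFlow v5/v9 exporter emits one record per unidirectional flow carrying the cumulative OR of the TCP flags it saw, so a flood of spoofed SYNs shows up as a pile of one-packet flows toward one destination port with SYN set and ACK never set, spread over many source addresses; a single aggressive scanner leaves similar half-open flows but from one source, which is why the check counts sources too. All flow records below are constructed and the thresholds are placeholders to be tuned against a baseline.

```python
"""Flag SYN-flood targets from NetFlow-style records: many half-open
(SYN, never ACK, one or two packets) flows to one dst:port from many
sources. Added example; all records are constructed."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass

TCP_FIN, TCP_SYN, TCP_RST, TCP_ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    flags: int     # cumulative TCP flags over the flow's life (NetFlow tcp_flags)
    packets: int


def is_half_open(flow: Flow) -> bool:
    """SYN seen, never an ACK, almost no packets: a handshake that never
    completed, which is what spoofed-source SYNs look like from the network."""
    return bool(flow.flags & TCP_SYN) and not flow.flags & TCP_ACK and flow.packets <= 2


def syn_flood_suspects(flows, min_flows=100, min_ratio=0.8, min_sources=50):
    """Group by (dst, dport); flag targets where most flows are half-open and
    they come from many distinct sources. Returns the busiest targets first."""
    total, half, sources = Counter(), Counter(), defaultdict(set)
    for f in flows:
        key = (f.dst, f.dport)
        total[key] += 1
        if is_half_open(f):
            half[key] += 1
            sources[key].add(f.src)
    suspects = []
    for key, n in total.items():
        ratio = half[key] / n
        if n >= min_flows and ratio >= min_ratio and len(sources[key]) >= min_sources:
            suspects.append({"target": key, "flows": n,
                             "half_open_ratio": round(ratio, 2),
                             "unique_sources": len(sources[key])})
    return sorted(suspects, key=lambda s: -s["flows"])


def constructed_flows() -> list[Flow]:
    """Normal sessions to two services plus a spoofed SYN flood against
    203.0.113.10:80. Addresses are documentation/test ranges, not real hosts."""
    flows = []
    for i in range(40):   # completed web sessions: SYN, ACK and FIN all seen
        flows.append(Flow(f"198.51.100.{i + 1}", "203.0.113.10", 80,
                          TCP_SYN | TCP_ACK | TCP_FIN, 12))
    for i in range(30):   # completed TLS sessions to another host
        flows.append(Flow(f"198.51.100.{i + 1}", "203.0.113.20", 443,
                          TCP_SYN | TCP_ACK | TCP_FIN, 20))
    for i in range(400):  # one-packet SYNs from 400 sources never seen before
        flows.append(Flow(f"10.0.{i // 256}.{i % 256}", "203.0.113.10", 80,
                          TCP_SYN, 1))
    return flows


if __name__ == "__main__":
    for suspect in syn_flood_suspects(constructed_flows()):
        print(suspect)
```

On the constructed set only 203.0.113.10:80 is flagged: 440 flows, 91% of them half-open, from 400 sources; the 30 completed sessions to 203.0.113.20:443 never qualify. In a real deployment the same grouping runs over a sliding window of exported flows and the min_flows threshold is set well above the target's normal new-connection rate.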
Re: YouTube CDN down?
yt is working for me: 2607:f2f8:a2c4::/48 / 206.125.168.64/28

On 09/30/14 00:22, Blair Trosper wrote:
Watching in dev tools, the CDN is returning the dreaded HTTP header 204 (No Content), even though the entire video is buffering. This reminds me of an outage a while back that only affected IPv6. I've confirmed with other users, and YouTube is dead to us from these networks:
- AS22645 (Texas Gigapop) - v4/v6
- AS19108 (Suddenlink) - v4
- AS40285 (Northland Cable) - v4/v6
- AS40244 (TurnKey) - v4/v6
It does seem to be regional. People in SC/NC who are presumably hitting the Charleston DC are unaffected.

On Mon, Sep 29, 2014 at 4:16 PM, Brandon Martin lists.na...@monmotha.net wrote:
On 09/29/2014 05:12 PM, Blair Trosper wrote:
Suddenly having an inability to play YouTube videos over IPv4 and IPv6 from multiple ASNs in multiple locations in the United States. Tried multiple operating systems and browsers... all have the same issue. (The very few that do play stall out, even though they're buffered.) Is this just me, or is there an issue afoot?
Seems to be working here over a HE.net IPv6 tunnel (Chicago endpoint). -- Brandon Martin
Internet in Venezuela
I have lots of questions, feel free to contact me privately if you have some time or interest in answering some of them. -Paige paigead...@gmail.com PGP: 0x0d5d2688 (keys.gnupg.net), also attached.
Re: 2002::/16 [6to4] abuse
On 2014-09-24 20:09, William Herrin wrote:
Hi David,
6to4 is a stateless tunnel network. The tunnel entry node advertises 2002::/16 into the native IPv6 network and relays received IPv6 packets inside an IPv4 packet. The tunnel exit node's IPv4 address is encoded in the 6to4 IPv6 destination address. No IPv6 addresses are changed in the transmission of the packet, so unless someone is incorrectly advertising more-specifics for 2002::/16, 2002:af2c:785::af2c:785 is the host that connected to your customer and that host is connected to af.2c.07.85, i.e. 175.44.7.133.
Going the other way (towards the native IPv6 network), 175.44.7.133 encapsulates the IPv6 packet into an IPv4 packet addressed to the standard anycast IPv4 address for a 6to4 exit node. This packet finds its way to the nearest 6to4 exit node on the IPv6 native network where it is decapsulated back to a plain IPv6 packet.
Repeating af2c:785 in the address is just like saying 10.11.10.11. Don't expect it to mean anything.
Regards, Bill Herrin

On Wed, Sep 24, 2014 at 12:42 PM, David Hubbard dhubb...@dino.hostasaurus.com wrote:
Curious if anyone can tell me, or point me to a link, on how 2002::/16 is actually implemented for 6to4? Strictly for curiosity. We had a customer ask about blocking spam from their wordpress blog that we host and the spammer was using 2002:af2c:785::af2c:785, which was the first time I'd seen wordpress spam coming from IPv6. Per RFC3964, I'm guessing the 175.44.120.5 is just a relay router, not surprisingly, on the China Net network and the spammer was native v6? I see that net advertised from 6939 (HE) and 1103 (SURFnet Netherlands) from the perspective of my feeds, so that just got me more confused.
Thanks, David

Was gonna say, if the customer is complaining that there is wordpress spam (in the apache logs) from an ipv6 address, then the customer probably has an ipv6 address that he/she doesn't know about. Most people don't even know about ip6tables vs iptables. Usually apache won't serve the request unless the request includes the hostname of the vhost to serve, unless it's all set up in /var/www/localhost or something. Getting back to wordpress, it kind of makes me wonder how that RBL service (kismet? I think it's called?) that they have is going to keep up with ipv6... there's a lot of them.
-- GPG: 0x0d5d2688 (keys.gnupg.net)
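An added example, not part of the thread: the decode Bill describes carried out in Python, cross-checked against the standard library's own 6to4 extraction, and then run over web-server log lines so a WordPress comment spammer arriving from a 6to4 address is tied back to the IPv4 endpoint it actually lives behind (and to the /48 that endpoint can source, which is the block you would drop rather than one interface address the spammer can change at will). The log lines are made up; only the spammer's address 2002:af2c:785::af2c:785 comes from the thread, and the decode reproduces Bill's 175.44.7.133.

```python
"""Decode 6to4 (2002::/16) addresses to the embedded IPv4 tunnel endpoint
and apply it to web-server log lines. Added example; SAMPLE_LOG is
constructed, the spammer's address is the one quoted in the thread."""
from __future__ import annotations

import ipaddress

SIXTOFOUR = ipaddress.IPv6Network("2002::/16")


def decode_6to4(addr: str) -> ipaddress.IPv4Address | None:
    """Bits 16-47 of a 2002::/16 address are the tunnel endpoint's IPv4
    address: 2002:af2c:0785:: -> af.2c.07.85 -> 175.44.7.133. Everything
    after the first 48 bits (here the repeated af2c:785) is the site's own
    choice and carries no routing meaning."""
    ip = ipaddress.IPv6Address(addr)
    if ip not in SIXTOFOUR:
        return None
    embedded = ipaddress.IPv4Address((int(ip) >> 80) & 0xFFFFFFFF)
    assert embedded == ip.sixtofour  # the stdlib performs the same extraction
    return embedded


def sixtofour_site(addr: str) -> ipaddress.IPv6Network | None:
    """The /48 that one endpoint can source: the block to drop in ip6tables
    when a host behind it is spamming you."""
    if decode_6to4(addr) is None:
        return None
    return ipaddress.IPv6Network(f"{addr}/48", strict=False)


# Constructed Apache combined-format lines, not real traffic.
SAMPLE_LOG = """\
2002:af2c:785::af2c:785 - - [24/Sep/2014:12:01:07 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
2001:db8::1 - - [24/Sep/2014:12:02:11 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Sep/2014:12:03:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "curl/7.38"
2002:c633:6409::1 - - [24/Sep/2014:12:04:42 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 - "-" "Mozilla/5.0"
"""


def comment_posters(log: str) -> dict[str, str]:
    """For each client that POSTed to wp-comments-post.php, the address to
    act on: the embedded IPv4 endpoint and its /48 for 6to4 clients, the
    client address itself otherwise."""
    result = {}
    for line in log.splitlines():
        if "POST /wp-comments-post.php" not in line:
            continue
        client = line.split(" ", 1)[0]
        ip = ipaddress.ip_address(client)
        if ip.version == 4:
            result[client] = f"v4 {ip}"
        elif (v4 := decode_6to4(client)) is not None:
            result[client] = f"6to4 endpoint {v4} (site {sixtofour_site(client)})"
        else:
            result[client] = f"native v6 {ip}"
    return result


if __name__ == "__main__":
    for client, verdict in comment_posters(SAMPLE_LOG).items():
        print(f"{client:28} {verdict}")
```

The GET from 2001:db8::1 is ignored because it never posted a comment; the two 6to4 posters resolve to 175.44.7.133 and 198.51.100.9 respectively, so a WHOIS or abuse report goes to the IPv4 endpoint's network, not to whoever is advertising 2002::/16 relays.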