Re: Regarding BGP offloading

2022-03-16 Thread Yang Yu
more details on the particular implementation
https://www.cs.princeton.edu/courses/archive/fall17/cos561/papers/espresso17.pdf

On Wed, Mar 16, 2022 at 6:14 PM Anurag Bhatia  wrote:
>
> Hello NANOG!
>
>
> I have seen limited talks about offloading of BGP as a whole into 
> containers/VMs etc. Take e.g this old Google blog post from 2017. Quoting 
> from that:
>
>> Second, we separate the logic and control of traffic management from the 
>> confines of individual router “boxes.” Rather than relying on thousands of 
>> individual routers to manage and learn from packet streams, we push the 
>> functionality to a distributed system that extracts the aggregate 
>> information. We leverage our large-scale computing infrastructure and 
>> signals from the application itself to learn how individual flows are 
>> performing, as determined by the end user’s perception of quality.
>
>
>
> If I am reading this correctly, it gives an impression of just BGP signalling 
> offload (to VMs/containers...). Is that understanding correct? Speaking from 
> network topology wise anyone here has an idea or could point to a resource on 
> how it is actually achieved? If the frontend device simply starts passing TCP 
> 179 requests to some backend server running say bird, frr etc, how will that 
> information be passed back to the forwarding plane? Are there more public 
> deployments of this sort of setup where BGP as a whole (that is sessions, 
> route calculation, policies, filtering etc) is offloaded to some x86 device 
> in the backend?
>
> Or am I just reading it wrong and it's actually smaller VM/containers with 
> full router functionality and BGP alone is not being offloaded? So the 
> logical L3 endpoint here is VMs? What sort of config the device sitting in 
> frontend would have at the interface level to achieve that?
>
>
>
> Appreciate your responses!
>
> Thanks.
>
> --
> Anurag Bhatia
> anuragbhatia.com


Re: Regarding BGP offloading

2022-03-16 Thread Yang Yu
One way to do it https://inog.net/files/iNOG14v_oliver_sourcerouting.pdf

On Wed, Mar 16, 2022 at 6:14 PM Anurag Bhatia  wrote:
>
> Hello NANOG!
>
>
> I have seen limited talks about offloading of BGP as a whole into 
> containers/VMs etc. Take e.g this old Google blog post from 2017. Quoting 
> from that:
>
>> Second, we separate the logic and control of traffic management from the 
>> confines of individual router “boxes.” Rather than relying on thousands of 
>> individual routers to manage and learn from packet streams, we push the 
>> functionality to a distributed system that extracts the aggregate 
>> information. We leverage our large-scale computing infrastructure and 
>> signals from the application itself to learn how individual flows are 
>> performing, as determined by the end user’s perception of quality.
>
>
>
> If I am reading this correctly, it gives an impression of just BGP signalling 
> offload (to VMs/containers...). Is that understanding correct? Speaking from 
> network topology wise anyone here has an idea or could point to a resource on 
> how it is actually achieved? If the frontend device simply starts passing TCP 
> 179 requests to some backend server running say bird, frr etc, how will that 
> information be passed back to the forwarding plane? Are there more public 
> deployments of this sort of setup where BGP as a whole (that is sessions, 
> route calculation, policies, filtering etc) is offloaded to some x86 device 
> in the backend?
>
> Or am I just reading it wrong and it's actually smaller VM/containers with 
> full router functionality and BGP alone is not being offloaded? So the 
> logical L3 endpoint here is VMs? What sort of config the device sitting in 
> frontend would have at the interface level to achieve that?
>
>
>
> Appreciate your responses!
>
> Thanks.
>
> --
> Anurag Bhatia
> anuragbhatia.com


Re: Do you care about "gray" failures? Can we (network academics) help? A 10-min survey

2021-07-09 Thread Yang Yu
On Thu, Jul 8, 2021 at 4:03 PM William Herrin  wrote:
>
> On Thu, Jul 8, 2021 at 5:31 AM Saku Ytti  wrote:
> > Network experiences gray failures all the time, and I almost never
> > care, unless a customer does.
>
> I would suggest that your customer does care, but as there is no
> simple test to demonstrate gray failures, your customer rarely makes
> it past first tier support to bring the issue to your attention and
> gives up trying. Indeed, name the networks with the worst reputations
> around here and many of them have those reputations because of a
> routine, uncorrected state of gray failure.

Networks originating/receiving the traffic tend to have more
incentives to resolve these issues, which might be not so rare

If you have connection/application level health metrics (e.g. TLS
handshake failures, TCP retransmits), identifying a problem exists is
not too difficult. Having health metrics associated with network paths
can greatly simplify repro. Then it's mostly troubleshooting datapath
issues on your favorite platform.

It takes quite some effort to figure out/collect relevant metrics and
present them in a usable way. Something like connections from PoP A to
destination ASN/prefix (via interface X) had TLS handshake failure
rate increased from 0.02% to 1% is a good starting point for
troubleshooting (may or may not be a network issue, the
origin/receiver probably wants to fix it regardless).

Things can get more complicated when traffic crosses network
boundaries with things you don't have visibility into (IX fabric,
remote peering, another network's optical systems, complicated setups
like stateful firewall / MC-LAG)
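
One way to turn per-connection health data into the per-path signal described in this message (TLS handshake failure rate by PoP, destination ASN and egress interface, compared against a baseline), as an added example that is not part of the original post. The record layout, PoP names, documentation-range ASNs, interface names and thresholds are all assumptions.

```python
import math
from collections import defaultdict


def make_records():
    """Constructed sample: (window, pop, dest_asn, egress_interface, handshake_ok)."""
    recs = []

    def add(window, pop, asn, ifc, total, failed):
        recs.extend((window, pop, asn, ifc, i >= failed) for i in range(total))

    # Path 1: failure rate goes from 0.02% to 1% (the case quoted in the message).
    add("baseline", "PoP-A", 64500, "et-0/0/1", 50000, 10)
    add("current", "PoP-A", 64500, "et-0/0/1", 50000, 500)
    # Path 2: same PoP and ASN over another interface, no real change.
    add("baseline", "PoP-A", 64500, "et-0/0/2", 50000, 10)
    add("current", "PoP-A", 64500, "et-0/0/2", 50000, 12)
    # Path 3: 5% failures, but only 40 connections, so it proves nothing yet.
    add("baseline", "PoP-B", 64501, "et-0/0/1", 40, 0)
    add("current", "PoP-B", 64501, "et-0/0/1", 40, 2)
    return recs


def aggregate(records):
    """Count [connections, failures] per path and per window."""
    counts = defaultdict(lambda: {"baseline": [0, 0], "current": [0, 0]})
    for window, pop, asn, ifc, ok in records:
        cell = counts[(pop, asn, ifc)][window]
        cell[0] += 1
        cell[1] += 0 if ok else 1
    return counts


def find_regressions(records, min_conns=1000, min_ratio=5.0, z_threshold=4.0):
    """Return [(path, baseline_rate, current_rate)] for paths that got worse.

    A path is reported only when both windows have enough connections, the
    rate rose by at least min_ratio, and a two-proportion z-test says the
    rise is unlikely to be sampling noise.
    """
    findings = []
    for path, c in sorted(aggregate(records).items()):
        (bn, bf), (cn, cf) = c["baseline"], c["current"]
        if bn < min_conns or cn < min_conns:
            continue  # too few samples to say anything about this path
        p_base, p_cur = bf / bn, cf / cn
        pooled = (bf + cf) / (bn + cn)
        se = math.sqrt(pooled * (1 - pooled) * (1 / bn + 1 / cn))
        z = (p_cur - p_base) / se if se else 0.0
        # Floor the baseline at one failure so a clean baseline cannot divide by zero.
        ratio = p_cur / max(p_base, 1 / bn)
        if z >= z_threshold and ratio >= min_ratio:
            findings.append((path, p_base, p_cur))
    return findings


if __name__ == "__main__":
    for (pop, asn, ifc), base, cur in find_regressions(make_records()):
        print(f"{pop} -> AS{asn} via {ifc}: {base:.2%} -> {cur:.2%}")
```
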


Re: BGP Graceful Restart

2021-04-16 Thread Yang Yu
On Fri, Apr 16, 2021 at 11:09 AM Graham Johnston
 wrote:
> Largely, I suspect that his point was that if you otherwise do the
> right things during maintenance that graceful-restart has the
> potential of being really problematic if things go wrong, and thus he
> was discouraging the use of it. Is there consensus as to whether
> graceful-restart has any place in a service provider network?

RFC4724 Graceful Restart is used to retain BGP routes where forwarding
plane is NOT disrupted. It can be useful for things that don't have
any alternative path to reduce exposure to control plane outages (e.g.
process restart).
Also sending End of Rib marker (not necessarily enabling GR) can be
helpful to troubleshoot BGP route collection (clear signal on
completion of initial convergence).

There is also LLGR https://tools.ietf.org/html/draft-ietf-idr-long-lived-gr-00


Re: Texas ERCOT power shortages (again) April 13

2021-04-13 Thread Yang Yu
On Tue, Apr 13, 2021 at 8:51 PM Sean Donelan  wrote:
>
>
> ERCOT ISO Texas has announced the end of today's emergency energy
> conservation appeal due to a shortage of generation capacity and higher
> than forecasted demand caused by a cold front.
>
> No this is not an old message. Yep, Texas is having power shortages again
> in mild April weather.

a watch that has been cancelled, not an emergency
http://www.ercot.com/services/comm/mkt_notices/opsmessages/2021/04

>
Apr 13 2021 19:22:55 CST
Physical Responsive Capability < 2500 MW: ERCOT has cancelled the
following notice: ERCOT is issuing a Watch due to Physical Responsive
Capability being below 2500 MW.
Watch
Cancelled


there was no supply shortage in day ahead market (not a generation
capacity shortage)
http://www.ercot.com/content/cdr/html/20210413_dam_spp

day-ahead forecast peak was ~2800 MW lower than current-day forecast,
as a result actual load exceeded current-day HSL (High Sustained
Limit). The  gap peaked 340MW at 4pm
http://www.ercot.com/content/cdr/html/loadForecastVsActualPreviousDay.html
https://imgur.com/a/6MW5qU4 (screenshot)

ancillary services (10 minute responsive reserve service, 30 minute
non-spin) were deployed to meet higher than forecast demand and worked
as expected

reserve never dropped under 2300MW which would have triggered an
emergency (EEA-1)

emergency response service (additional generation/load resources
reserved for emergencies) wasn't deployed
http://www.ercot.com/services/programs/load/eils


Re: Perhaps it's time to think about enhancements to the NANOG list...?

2021-03-22 Thread Yang Yu
> On 21/03/2021 16:00, nanog-requ...@nanog.org wrote:
> > Message: 13
> > Date: Sat, 20 Mar 2021 12:46:57 -0600
> > From: David Siegel 
> >[...]
> > The board has been thinking about enhancements to the NANOG list for a
> > couple of years now, with the goal of creating a modern interface that the
> > younger generation of engineers will be more comfortable using.

Is discontinuing youtube livestream and putting livestream behind
paywall also an attempt to make NANOG more comfortable for the younger
generation of engineers?


Re: Texas internet connectivity declining due to blackouts

2021-02-17 Thread Yang Yu
On Wed, Feb 17, 2021 at 10:46 AM John Sage  wrote:
> This article is an interesting description of Texas electricity pricing for
> one provider and for the market in general:
> https://www.dallasnews.com/business/energy/2021/02/16/electricity-retailer-griddys-unusual-plea-to-texas-customers-leave-now-before-you-get-a-big-bill/

That is far from the market in general.

Most people use a fixed rate plan (can easily find one without rebate
for <10c/kwh after taxes & fees). The customer would have to make an
explicit decision to pick a variable/market rate plan (excluded by
default on http://powertochoose.org/) with higher risk and cheaper
electricity when the wholesale price is low.

http://www.puc.texas.gov/consumer/facts/factsheets/elecfacts/Electricplans.pdf

>Changing Rate (Variable) Plans have rates per kWh that can vary according to a 
>method determined solely by the provider and may be dependent on market 
>changes and other exceptions beyond the provider's control
>Market Rate (Indexed) Plans have rates per kWh that can vary according to 
>pre-defined publicly available indices or information and other exceptions 
>beyond the provider's control


> The highest the price can go to is $9/kWh (which has only ever happened 
> 0.005% of the time.) Most of the time though, 96.9% to be exact, it is below 
> the Texas Average of 6.8¢/kWh
https://www.griddy.com/texas/learn-more#learn-pricing


Re: Texas internet connectivity declining due to blackouts

2021-02-16 Thread Yang Yu
On Tue, Feb 16, 2021 at 6:11 AM Rod Beck 
wrote:

> Anyone wants to provide some details on where the system has faltered? It
> is transmission? Or generation? Or just everything in general? 
>


You can find ERCOT Operations Messages:
http://www.ercot.com/services/comm/mkt_notices/opsmessages
From what I understand generation/transmission/distribution are all
affected to different degrees.

On Fuel Mix Report: 2021, wind was 25% by GWh for 2021 January, currently it
is ~9%

http://www.ercot.com/gridinfo/generation
http://www.ercot.com/content/cdr/html/real_time_system_conditions.html  (DC
Tie is a non-synchronous connection to other grids)


> Market Participants that own or operate facilities that are part of the
> Bulk Electric System, as defined in federal law, are subject to oversight
> by the Federal Energy Regulatory Commission (FERC), the North American
> Electric Reliability Corporation (NERC), and Texas Reliability Entity, Inc.
> (Texas RE).
http://www.ercot.com/mktrules/compliance

ERCOT is subject to (federal) NERC Reliability Standards, but not
interstate transmission regulations.
Only generation and retail electric providers are deregulated. Transmission
and distribution are not. Municipally owned utilities and electric coop in
ERCOT region are exempt from unbundling (from vertically integrated
monopoly).


Re: Texas internet connectivity declining due to blackouts

2021-02-15 Thread Yang Yu
On Mon, Feb 15, 2021 at 10:49 PM Sean Donelan  wrote:
> Strange the massive shortages and failures are only in one state.

sounds familiar, even connected to a much bigger grid
http://www.caiso.com/Documents/Final-Root-Cause-Analysis-Mid-August-2020-Extreme-Heat-Wave.pdf


handling DDoS to hosted CDN cache

2021-01-07 Thread Yang Yu
How often does your hosted CDN cache get DDoS'ed? I am curious how
these get handled (especially when it would cause upstream/backbone
congestion). Is this treated differently than DDoS to customers? Any
experience to share on working with CDNs to solve these issues?

Any CDN that provides good information/resources for mitigation (e.g.
drop A traffic, ratelimit B traffic to x pps)?

If the cache provides flowspec feed, how useful would it be?


Yang


Re: how would draft-ymbk-opsawg-finding-geofeeds work in noam

2020-09-12 Thread Yang Yu
> > Why not publish RFC8805 Geofeed directly in inetnum remarks section?
>
> for some flat fan out last kilometer providers that could be the
> inetnum: object from hell.  there are global providers which segment
> large prefixes over diverse areas.  etc.
>
> i doubt the rpsl providers would like multi-megabyte inetnum:s.  rpsl
> providers already throttle in defense.

I was thinking about geofeed on customer assignment objects for
networks that manage their own objects
(https://www.afrinic.net/press/214-creating-customer-assignments),
only 1 line of geofeed remark needed on each object (more objects
should be created if used in different locations).
But not all RIR have customer assignment objects (can't create
sub-assignment objects on ARIN direct assignment resources). HTTP feed
does make sense when customer assignment object is not an option.

> we are not expecting these lookups to be done frequently.  i agree that
> would hammer servers, both rpsl and geofeed.  do you have stronger words
> to suggest than
>
>5.  Operational Considerations
>...
>An entity fetching geofeed data through these mechanisms MUST NOT do
>frequent real-time look-ups to prevent load on RPSL servers.  And do
>not fetch at midnight, because everyone else may.
>
> i agree that we do not want the DDoS that is currently happening to RPKI
> publication servers.  perhaps explicit time limits, e.g daily?
I am more concerned about clients having to make large amount of HTTP
requests if this field gets widely used, maybe some clients can just
read input like RPKI VRP (https://rpki.cloudflare.com/rpki.json)
Client can try to keep track of geofeed URLs and only download the
file during iteration, despite the same file referenced by multiple
objects.

>
> > How to handle other stuff that might exist in remarks field? Or the
> > draft would explicitly require Geofeed to be in its own remarks field?
>
> the document tries to be explicit that it is the latter.  that is the
> intent of
>
>3.  inetnum: Class
>...
>the syntax of a Geofeed remarks: attribute which contains a URL of a
>geofeed file.  The format MUST be as in this example, "remarks:
>Geofeed " followed by a URL which will vary.  ---> probably add 
> clarification here that Geofeed MUST be the only value in this particular 
> remarks field, nothing before/after it
>
>inetnum: 192.0.2.0/24 # example
>remarks: Geofeed https://example.com/geofeed.csv
>
>Any particular inetnum: object MAY have, at most, one geofeed
>reference.
>
> is there more specific wording that would help clarify?
see above


Yang
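
The two client-side points raised in this message (a Geofeed reference must be the only content of its remarks: attribute, and a file referenced by many objects should be downloaded once), sketched as an added example that is not part of the original post or of the draft. The sample objects are constructed from documentation prefixes and example domains, and accepting only https URLs is a choice made in this example.

```python
import re
from collections import defaultdict

# Constructed RPSL-style objects; only the first two carry a well-formed reference.
SAMPLE_RPSL = """\
inetnum:        192.0.2.0/24
netname:        EXAMPLE-A
remarks:        Geofeed https://example.com/geofeed.csv

inetnum:        198.51.100.0/24
netname:        EXAMPLE-B
remarks:        customer assignment
remarks:        Geofeed https://example.com/geofeed.csv

inetnum:        203.0.113.0/24
netname:        EXAMPLE-C
remarks:        see Geofeed https://example.net/feed.csv for locations

inetnum:        203.0.113.128/25
netname:        EXAMPLE-D
remarks:        Geofeed https://example.org/a.csv
remarks:        Geofeed https://example.org/b.csv
"""

# Strict form: the whole remarks value is "Geofeed <URL>", nothing before or after.
GEOFEED_RE = re.compile(r"^Geofeed (https://\S+)$")


def parse_objects(text):
    """Split RPSL text into objects, each a list of (attribute, value) pairs."""
    objects, current = [], []
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t+" and current:
            # RPSL continuation line: append to the previous attribute's value.
            attr, value = current[-1]
            current[-1] = (attr, (value + " " + line[1:].strip()).strip())
            continue
        attr, sep, value = line.partition(":")
        if sep:
            current.append((attr.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects


def geofeed_url(obj):
    """Return (url or None, problems) for one inetnum/inet6num object."""
    urls, problems = [], []
    for attr, value in obj:
        if attr != "remarks":
            continue
        match = GEOFEED_RE.match(value)
        if match:
            urls.append(match.group(1))
        elif "geofeed" in value.lower():
            problems.append("Geofeed is not the only value in remarks: %r" % value)
    if len(urls) > 1:
        # The draft allows at most one geofeed reference per object.
        problems.append("more than one geofeed reference")
        return None, problems
    return (urls[0] if urls else None), problems


def plan_fetches(text):
    """Map each distinct geofeed URL to the prefixes that reference it.

    Returns (by_url, rejected); fetching each key of by_url once avoids one
    HTTP request per inetnum object.
    """
    by_url, rejected = defaultdict(list), {}
    for obj in parse_objects(text):
        prefix = next((v for a, v in obj if a in ("inetnum", "inet6num")), None)
        if prefix is None:
            continue
        url, problems = geofeed_url(obj)
        if problems:
            rejected[prefix] = problems
        if url:
            by_url[url].append(prefix)
    return dict(by_url), rejected


if __name__ == "__main__":
    fetches, rejected = plan_fetches(SAMPLE_RPSL)
    for url, prefixes in fetches.items():
        print("fetch once:", url, "for", prefixes)
    for prefix, problems in rejected.items():
        print("rejected:", prefix, problems)
```
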


Re: how would draft-ymbk-opsawg-finding-geofeeds work in noam

2020-09-12 Thread Yang Yu
On Fri, Sep 11, 2020 at 1:48 PM Randy Bush  wrote:
>
> would folk familiar with the north american RIR and IRR registries be
> kind enough to suggest how this might adapt?  thanks.
>

Hi Randy,

Why not publish RFC8805 Geofeed directly in inetnum remarks section?
Then there is no more need to host HTTP server. 1 HTTP request per
inetnum/inetnum6 object seems a bit tedious.

How to handle other stuff that might exist in remarks field? Or the
draft would explicitly require Geofeed to be in its own remarks field?

Specific to the north american RIR, NetHandle is in registry (not in
irr) and bulk access requires application
(https://www.arin.net/reference/research/bulkwhois/#accessing-bulk-whois-data),
download requires cookies and takes ~10 mins. imo this could be made
easier like https://ftp.ripe.net/ripe/dbase/split/ripe.db.inetnum.gz

NetHandle is not exactly inetnum (e.g. comments instead of remarks
field, different prefix format). Would the RIR provide converted
inetnum objects or the users would be expected to handle this?


Yang


Re: BGP route hijack by AS10990

2020-07-30 Thread Yang Yu
On Thu, Jul 30, 2020 at 9:37 AM Owen DeLong  wrote:
>
> Looks like the real question here is why doesn’t 7219 do a better job of 
> filtering what they accept.
>
> Has anyone reached out to them?

You mean 1299? 7219 and 10990 are the same entity.


Re: Is there any data on packet duplication?

2020-06-23 Thread Yang Yu
On Mon, Jun 22, 2020 at 5:30 PM Hal Murray
 wrote:
>
>
> How often do packets magically get duplicated within the network so that the
> target receives 2 copies?  That seems like something somebody at NANOG might
> have studied and given a talk on.
>
> Any suggestions for other places to look?


bugs like https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvn71311
where both hw forwarded and punted packet are sent to destination?


Re: Network card with relay in case of power failure

2020-06-17 Thread Yang Yu
something like 
https://www.chelsio.com/wp-content/uploads/2012/02/B420-021412.pdf
?

On Wed, Jun 17, 2020 at 1:16 PM Dovid Bender  wrote:
>
> Hi,
>
> I am sorry if this is off topic. I was once demoed a network device that had 
> two interfaces. The traffic would go through the device. If there was a power 
> cut or some other malfunction there would be a relay that would physically 
> bridge the two network interfaces so the traffic would flow as if it was just 
> a network cable. Is anyone aware of such a network card or device?
>
> TIA.
>
>


Re: Partial vs Full tables

2020-06-05 Thread Yang Yu
On Fri, Jun 5, 2020 at 10:39 AM William Herrin  wrote:
> Speak of which, did anyone ever implement FIB compression? I seem to
> remember the calculations looked really favorable for the leaf node
> use case (like James') where the router sits at the edge with a small
> number of more or less equivalent upstream transits. The FIB is the
> expensive memory. The RIB sits in the cheap part of the hardware.


fib optimize => using LPM table for LEM
https://www.arista.com/en/um-eos/eos-section-28-11-ipv4-commands#ww1173031

FIB compression => install only 1 entry into FIB for compressable
routes with shared nexthop
https://eos.arista.com/eos-4-21-3f/fib-compression/

The feature itself works as intended. version/platform/config
compatibility needs some considerations.


Re: How to manage Static IPs to customers

2020-05-08 Thread Yang Yu
On Fri, May 8, 2020 at 8:56 AM Michael Crapse  wrote:
>
> On our network(which isn't docsis, granted) we use PPPoE for all static IP 
> addresses, because it allows /32 ip address allocations for all home CPE 
> routers, upstream, the routers handle routing via ospf to change the path of 
> where that /32 public IP goes. It allows "zero touch" moving of a customer 
> from one PoP to another.

Portable long prefix makes geoip more challenging (e.g. /29s in a
single /24 used in different markets)
I am curious for static IP services, how often does the address come
from a local (PoP/metro) pool, and what the policy is for keeping the
same IP when service address moves.


Re: WIKI documentation Software?

2020-03-15 Thread Yang Yu
On Sat, Mar 14, 2020 at 7:07 AM Brielle  wrote:
>
> I personally like Dokuwiki a lot.
>
> From a usability standpoint, once you spend a few learning the interface, 
> it’s very simplistic and not overwhelming in features.  You can always add 
> extensions for stuff you need that isn’t there out of box.
>
> From a technical standpoint, it doesn’t need a database.  The entire 
> structure is text files, so it can be run on even a super small VM, and doing 
> backups is as easy as tarballing the data directory.
>
> It’s got support for LDAP for authentication too, which might be useful.

+1 for dokuwiki

easy to maintain, has enough features while not becoming distracting

only complaint is that it doesn't support markdown, but the syntax is
easy enough (much easier than MediaWiki imo)


Re: sflow -> aggregated aspath visualization?

2020-03-15 Thread Yang Yu


On Sat, Mar 14, 2020 at 12:33 PM Adam Thompson 
wrote:

> I’m looking for product recommendations:
>
>
>
> We’ve noticed that about 20% of our traffic here lately has decamped from
> the free (or, at least, flat-rate) connection to CANARIE (our R&E network)
> and its various connected content-delivery networks, and onto our
> commercial provider.
>
> While this is presumptively a legitimate shift, we’d like to better
> understand these changes when they occur, in a way that our executive can
> understand at a glance.
>
> We do have sFlow (et al.) going to an Arbor PeakFlow box for analysis, but
> it’s lacklustre at best at understanding changes like this.
>
> I want:
>
>- Top #n ASNs by traffic volume, per router/interface, stacked chart
>- Some way to visualize large jumps in that dataset, e.g. if
>Cloudflare ditched their CANARIE connection and now that traffic all goes
>commercial, I don’t know what sort of graphic would be useful, maybe a
>stacked polar chart so you could see when an AS jumped from one sector to
>another?  Even stacked bar charts could be useful.
>
>
I haven't used Kentik in production, but heard good things about it

https://techfieldday.com/video/the-kentik-experience-an-overview-demo-with-akshay-dhawale/
https://techfieldday.com/video/kentik-interconnection-and-metrics-from-kentik-for-service-provider-networks/



Just a reminder network devices might not export 100% samples/flows
correctly (sampling rate/export rate limitation, dropped packets on
ingress/egress, recirculated packet, policy routing actions, multiple
routing tables/vrf). The accuracy/availability of metadata in flow itself
(sFlow Extended Flow Data, sFlow input/output/source interface, IPFIX
information elements that are not directly extracted from packet lookup
header) might have limitations


Re: NANOG 78 Webcasts

2020-02-15 Thread Yang Yu
On Sat, Feb 15, 2020 at 3:04 PM Grant Taylor via NANOG  wrote:
> Live streams through YouTube are quite different than videos uploaded to
> YouTube.
>
> YouTube doesn't store the live stream for later playback.  A separate
> copy of the video must be uploaded.

youtube live stream can be played back at a later time
e.g. https://www.youtube.com/watch?v=GI-jIY_lFnM

If a session shouldn't be recorded, why not just pause the
stream/play a break video instead of making the entire day's recording
unavailable?


Re: NANOG 78 Webcasts

2020-02-15 Thread Yang Yu
On Sat, Feb 15, 2020 at 12:32 PM Chriztoffer Hansen
 wrote:
> Wish they would keep the Day 1, Day 2, Day 3 videos online until the
> edited talks have been published.
>
> https://www.youtube.com/playlist?list=PLO8DR5ZGla8jSzWlrWt_cz13LLAz44rHY

I asked NANOG several times to keep YouTube stream videos up until
edited videos are published (usually a week later), never got a
response on why they are not doing it.


Re: Wikipedia drops support for old Android smartphones; mandates TLSv1.2 to read

2020-01-06 Thread Yang Yu
On Tue, Dec 31, 2019 at 4:17 AM Keith Medcalf  wrote:
> I am curious -- what exactly are those "obvious reasons"?  (And for the 
> record HTTP *IS* being used, it is just being tunneled inside a TLS 
> connection).

For a popular site, it would be doing a disservice to its customers by
not using HTTPS, even for static content.

https://www.usenix.org/system/files/conference/foci15/foci15-paper-marczak.pdf


Re: Akamai/HollisterCo

2019-12-18 Thread Yang Yu
On Wed, Dec 18, 2019 at 1:57 PM Jared Mauch  wrote:
> I’ll give you these links:
>
> https://community.akamai.com/customers/s/article/Why-is-Akamai-Blocking-Me-Part-3-Partners-Performing-Web-Scraping-Activity?language=en_US
> https://www.akamai.com/us/en/clientrep-lookup/

Thanks Jared. Would be great if this returns v6 reputation as well.
Btw TTFB to v6ds.iplookup.akamai.com is 1 minute.


Re: Comcast storing WiFi passwords in cleartext?

2019-04-23 Thread Yang Yu
On Tue, Apr 23, 2019 at 4:48 PM Töma Gavrichenkov  wrote:

> Apparently there's a concern with customers that their seemingly
> private passphrases, entered in their own boxes, are being shared with
> the upstream ISP without an explicit customer consent, and are kept in
> the ISP database for an unspecified period of time. Is it there by
> design?

Not sure what the concern is here. Cable modem with builtin WiFi
(managed WiFi) is part of the service you signed up for and you are
free to use your own WiFi solutions. Chances are the CPE is rented
from ISP... Are you expecting the passphrase to get stored as a one
way hash?

Arris Touchstone has TR-069 connecting to ACS for configuration/management.

This platform is ridiculously insecure and the web interface
essentially does SNMP read/write over HTTP.
https://w00tsec.blogspot.com/2015/11/arris-cable-modem-has-backdoor-in.html


Re: Sflow billing or usage calculation software

2019-04-16 Thread Yang Yu
>On Tue, Apr 16, 2019 at 2:14 AM Nick Morrison  wrote:
>
> Actually the sflow standard is flexible, and there are many fields widely 
> available, including input interface and output interface, vlan/vxlan/mpls 
> headers, etc. The sending device just needs to support the fields.


Vendor support for sFlow extended data types seems to be very limited
and there are quite a few caveats on when the data is
missing/inaccurate.

RFC5472 Section 4.2 Using IPFIX for Billing (Reliability Limitations)
might be applicable to sFlow as well.
https://tools.ietf.org/html/rfc5472#section-4.2


Yang


Re: Announcing: "dumpsterfire", the mailing list for IoT security/privacy issues

2019-01-11 Thread Yang Yu
On Thu, Jan 10, 2019 at 8:23 AM Rich Kulawiec  wrote:
>
> The "dumpsterfire" mailing list is for the discussion of security and
> privacy issues related to the IoT (Internet of Things).  Arguably,
> the entire IoT *is* a security and privacy issue, but we'll get to that
> in good time.
>
> If you want to join, you can either use the list's web page:
>
> http://www.firemountain.net/mailman/listinfo/dumpsterfire
>
> or the list's subscription/unsubscription address:
>
> dumpsterfire-requ...@firemountain.net
>
> The list is public and so is its archive.

  * no HTTPS
  * archive is returning HTTP 403


Re: CenturyLink

2018-12-28 Thread Yang Yu
On Fri, Dec 28, 2018 at 12:05 AM Stephane Bortzmeyer  wrote:
> Is this problem also responsible for the 911 outage? If so, the
> post-mortem analysis is not useful only for CenturyLink customers but
> for everyone on the west coast.

Looks like most time.nist.gov servers (3 x NIST sites on AS49) are
single homed on CenturyLink, anyone noticed NTP issues yesterday?

https://tf.nist.gov/tf-cgi/servers.cgi


Re: historic SWIP (or rwhois) data?

2017-12-18 Thread Yang Yu
APNIC has whowas also
https://www.apnic.net/static/whowas-ui/

For RWhois, check with the organization operating rwhoisd? They might
have the information beyond RWhois.


Yang

On Mon, Dec 18, 2017 at 9:11 AM, Benoit Panizzon  wrote:
> Well @ RIPE it is quite simple to query historical data:
>
> https://www.ripe.net/manage-ips-and-asns/db/support/documentation/ripe-database-documentation/types-of-queries/16-12-historical-queries
>
> I don't know if other registries offer similar services.
>
> Kind regards
>
> -Benoît Panizzon-
> --
> I m p r o W a r e   A G - Head of Commerce Customers
> __
>
> Zurlindenstrasse 29    Tel  +41 61 826 93 00
> CH-4133 Pratteln       Fax  +41 61 826 93 01
> Switzerland            Web  http://www.imp.ch
> __


Re: Qrator Radar - Peerings

2017-12-05 Thread Yang Yu
Have you received a response from qrator? My guess is that they
dropped a BGP collector session that was advertising garbage
(modifying AS path to make non-connected ASNs appear connected).


>most ASNs left permanently on at 2017-03-11 21:00:00 were never connected
https://radar.qrator.net/as11537/peerings#startDate=2017-03-06=2017-03-15=left


Yang

On Tue, Dec 5, 2017 at 6:06 PM, Mike Hammett  wrote:
> Does anyone use this site much? Has something happened to reduce their 
> visibility?
>
> I've noticed multiple networks that had massive drops in peerings on or 
> around March 11, 2017. AS5650 went from 66 to 12. AS53828 went from 436 to 
> 19. PCH's AS3856 looking glass still reports adjacencies to both of those 
> ASes. AS3856 went from 183 adjacencies to 113 that same day (and didn't 
> bounce back). It seems rather unlikely that PCH would lose that much, given 
> that their goal is to collect route table information. Even more odd that 
> those two ASNs would also lose a ton of peers the same day.
>
> Thoughts?
>
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions
>
> Midwest Internet Exchange
>
> The Brothers WISP
>


Re: Multicom Hijacks: Do you peer with these turkeys (AS35916)?

2017-08-03 Thread Yang Yu
Also AS57166 (single upstream AS29632 NetAssist) is likely hijacking
10 ASNs, and AS43659 (currently inactive). Both with mnt-by:
D2INVEST-MNT.

http://bgp.he.net/AS57166#_peers


DATASTAR-MNT created 14 autnum and 31 route dummy objects in RIPE, on
resources that look abandoned (2 of them confirmed hijacking)

https://apps.db.ripe.net/search/query.html?searchtext=DATASTAR-MNT=mnt-by;mnt-domains;mnt-irt;mnt-lower;mnt-nfy;mnt-ref;mnt-routes=true=RIPE#resultsAnchor


Someone actually mentioned these back in Oct
https://mailman.nanog.org/pipermail/nanog/2016-October/088487.html


Re: Re: Autonomous system filtering?

2016-11-18 Thread Yang Yu
On Fri, Nov 18, 2016 at 1:39 PM,   wrote:

> Consider that when we were announcing the whole /22 everything was working 
> correctly, then suddenly some ASs stopped to accept our prefixes. That's why 
> we decided to split the network and announce prefixes with different AS. 
> Moreover the /23 announced by AS2876 spread correctly, even if the object 
> has been created at the same time as the other...


around 11/16 16:00UTC, 185.85.20.0/22's originating ASN changed from
AS28716 to AS207029

The route object for 185.85.20.0/22 had origin changed from AS28716 to
AS207029 at 2016-11-16T15:09:22Z but AS207029 was not in AS-RETELIT
(it is now 2016-11-18T14:34:44Z). So when AS28716's upstreams rebuilt
the inbound filter, 185.85.20.0/22 got dropped.

When AS28716's upstreams update the filter again, 185.85.22.0/23
should become visible. It looks like the route object for
185.85.20.0/22 has been deleted.

Is there a whowas service for routing registries?


Yang
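
The failure described in this message (a route object's origin changes to an ASN that is not yet a member of the as-set the upstreams build their inbound filter from), modelled as an added example that is not part of the original post. The as-set membership lists and the third snapshot are constructed, the filter is assumed to be an exact-match prefix list, and nested as-sets are recognised only by an "AS-" name prefix.

```python
import ipaddress


def expand_as_set(name, as_sets, _seen=None):
    """Recursively expand an as-set into its member ASNs (cycle-safe)."""
    seen = set() if _seen is None else _seen
    if name in seen:
        return set()
    seen.add(name)
    asns = set()
    for member in as_sets.get(name, ()):
        if member.upper().startswith("AS-"):
            asns |= expand_as_set(member, as_sets, seen)
        else:
            asns.add(member)
    return asns


def build_prefix_filter(as_set, as_sets, route_objects):
    """Prefixes an upstream would accept: route objects whose origin is in the as-set."""
    allowed = expand_as_set(as_set, as_sets)
    return {ipaddress.ip_network(prefix)
            for prefix, origin in route_objects if origin in allowed}


def origins_missing_from_as_set(as_set, as_sets, route_objects):
    """Pre-change check: route objects that the next filter rebuild will drop."""
    allowed = expand_as_set(as_set, as_sets)
    return [(prefix, origin) for prefix, origin in route_objects
            if origin not in allowed]


def timeline():
    """Replay three registry states and report whether the /22 passes the filter."""
    prefix = ipaddress.ip_network("185.85.20.0/22")
    snapshots = [
        ("route object origin AS28716",
         {"AS-RETELIT": ["AS28716"]},
         [("185.85.20.0/22", "AS28716")]),
        ("origin changed to AS207029, as-set unchanged",
         {"AS-RETELIT": ["AS28716"]},
         [("185.85.20.0/22", "AS207029")]),
        # Constructed: what a rebuild would give had the as-set been updated first.
        ("AS207029 added to AS-RETELIT",
         {"AS-RETELIT": ["AS28716", "AS207029"]},
         [("185.85.20.0/22", "AS207029")]),
    ]
    return [(label, prefix in build_prefix_filter("AS-RETELIT", sets, routes))
            for label, sets, routes in snapshots]


if __name__ == "__main__":
    for label, accepted in timeline():
        print(f"{label}: {'accepted' if accepted else 'dropped'}")
```
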


Re: How to find all of an ISP's ASNs

2016-10-25 Thread Yang Yu
as-set if they keep their routing registry updated?

something like this
http://bgp.he.net/irr/as-set/AS-RR-Res

Normally I use IRR Explorer, but somehow the return is empty
http://irrexplorer.nlnog.net/search/AS-RR-Res


Yang

On Tue, Oct 25, 2016 at 12:41 PM, Gary Baribault  wrote:
> Hi folks, how do I find all ASNs that belong to an ISP? I want to block
> access to my IoT cameras from the world other than the two local major ISPs
> (keeping last Friday in mind!)
>
> Gary B
>
>


Re: Dyn DDoS this AM?

2016-10-21 Thread Yang Yu
On Fri, Oct 21, 2016 at 11:45 AM, Patrick W. Gilmore  wrote:
> My guess is you should track anything to as33517.

And AS15135?


Re: Use of unique local IPv6 addressing rfc4193

2016-09-08 Thread Yang Yu
On Thu, Sep 8, 2016 at 7:17 PM, Ca By  wrote:
> NAT is bad

https://www.youtube.com/watch?v=v26BAlfWBm8


Akamai IPv6 contact needed

2016-07-25 Thread Yang Yu
Some servers are not serving content over IPv6 HTTPS. It fails in such
a way that most applications can't fall back to IPv4. tcp/443 is open
but RST as soon as client sends TLS 1.2 client hello. It has been this
way for 24+ hours.

>>>
$ telnet 2600:1404:18::17d7:fbc 443
Trying 2600:1404:18::17d7:fbc...
Connected to 2600:1404:18::17d7:fbc.
Escape character is '^]'.

Connection closed by foreign host

>
ncat -6 --ssl -v 2600:1404:18::17d7:fac 443
Ncat: Version 7.00SVN ( https://nmap.org/ncat )
Ncat: Input/output error.


>>>
www.apple.com.  681 IN  CNAME   www.apple.com.edgekey.net.
www.apple.com.edgekey.net. 11306 IN CNAME
www.apple.com.edgekey.net.globalredir.akadns.net.
www.apple.com.edgekey.net.globalredir.akadns.net. 1664 IN CNAME
e6858.dscc.akamaiedge.net.
e6858.dscc.akamaiedge.net. 5IN  2600:1404:18::17d7:fac
e6858.dscc.akamaiedge.net. 5IN  2600:1404:18::17d7:fbc

>
2600:1404:18::17d7:0/112 serves www.apple.com, download.microsoft.com etc.


>>> HTTP does work
$ wget http://www.apple.com
--2016-07-25 03:09:17--  http://www.apple.com/
Resolving www.apple.com (www.apple.com)... 2600:1404:18::17d7:fbc,
2600:1404:18::17d7:fac, 23.11.55.206
Connecting to www.apple.com
(www.apple.com)|2600:1404:18::17d7:fbc|:80... connected.
HTTP request sent, awaiting response... 200 OK

>>>
$ dig whoami.akamai.com +short
whoami.akamai.net.
72.183.81.39


Thanks.


Yang


Re: Mobile providers in the US for backup access

2016-04-20 Thread Yang Yu
On Wed, Apr 20, 2016 at 1:49 PM, Dovid Bender  wrote:
> Thank you everyone for your feedback. I also wanted to know if any
> providers offered unlimited 2g since in some cases they want to stream back
> some audio as well.

4gantennashop has T-Mobile business with LTE data and unlimited 2G afterwards


Re: Facebook & Traceroute

2016-03-10 Thread Yang Yu
On Thu, Mar 10, 2016 at 9:35 AM, Christopher Morrow
 wrote:

> unclear, that traceroute was from someplace I don't own the network for...
> from another place I do though...
>
>  5  ae0.dr07.ash2.tfbnw.net (31.13.26.233)  4 ms
> ae0.dr05.ash3.tfbnw.net (31.13.29.21)  4 ms ae0.dr08.ash2.tfbnw.net
> (31.13.26.235)  2 ms
>  6  * * *
>  7  * * *
>  8  * * *
>  9  edge-star-mini-shv-07-ash4.facebook.com (66.220.156.68)  3 ms  3 ms  2 ms
>
> same-ish results, no spoofed bits.

https://atlas.ripe.net/measurements/3612424/#!probes

I did an Atlas measurement of 500 probes, 104 probes (21%) had their
outside IP shown in traceroute. Some peers of AS32934 don't have
ingress filtering. It seems all prefixes advertised by Facebook are
ROA signed and valid tho.


Re: Southwest Airlines captive portal

2016-02-27 Thread Yang Yu
On Sat, Feb 27, 2016 at 5:40 PM, Rubens Kuhl  wrote:

> Since many commonly used web properties are moving to HSTS + HPKP + CT it
> will become increasingly difficult to balance performance and security in
> high latency connections, but when it comes to a payment gateway, that
> airline should probably turn off acceleration for paypal.com and 3-D Secure
> bank pages.


Paypal's certificate is not pinned in Chrome/Firefox. imo a hard error
is desirable in this kind of scenario.
https://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json?view=markup
https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning#New_sites_pinned_in_Firefox_32

FWIW Southwest uses Row 44 (GEE Media) for inflight wifi.
http://www.geemedia.com/products/connectivity


Sprint Wireless DNS server not resolving ietf.org

2016-02-26 Thread Yang Yu
ietf.org and its subdomains such as tools.ietf.org are not accessible
on Sprint 3G/LTE (DNS timeout). From what I gathered this is affecting
Sprint wireless customers nationwide. I created a DNS measurement on
ripe atlas and no signs of other carriers experiencing the same issue.

Emailed Sprint NOC and opened a ticket via support channel, got no
update. Is there someone from Sprint Wireless on this list?

DNS servers
68.28.169.132
68.28.168.132

Thanks.


Yang


Re: Softlayer / Blocking Cuba IP's ?

2016-02-20 Thread Yang Yu
On Fri, Feb 19, 2016 at 9:18 PM, Tony Wicks  wrote:
> I had a couple of VM's (personal mail/web hosting) with a provider who used 
> Softlayer for transit. About a month ago Softlayer (without any notice or 
> warning) blocked all outgoing port 25 at multiple datacentres for this 
> provider. It took the hosting provider half a day to work out what had 
> happened. Needless to say as much as I liked the company I had to move my 
> hosts elsewhere (they did refund me to their credit). It seems that someone 
> at Softlayer is extremely aggressive on their blocking policies to the point 
> of making their service unusable. I would highly recommend the community 
> votes with its wallet when it comes to these turkeys.
>

http://knowledgelayer.softlayer.com/content/outbound-email-port-25

The announcement supposedly came out sometime late last year.
"We offer a trusted third party email relay service from SendGrid for
those customers who need to be able to send outbound email from their
domains or applications."

It seems some indirect customers were not informed of it until it went
into effect on Feb 1, 2016. For me the monitoring service on port 25
stopped working.


Re: Equipment Supporting 2.5gbps and 5gbps

2016-01-28 Thread Yang Yu
On Thu, Jan 28, 2016 at 10:10 AM, Brandon Butterworth
 wrote:

> With 10G it's been the opposite, nobody was using copper so SFP+ is
> cheap. Only recently has copper 10G started to become common, a bit too
> late to be worth bothering with now and as there are no copper SFP+
> Having new servers switch to copper instead of sfp is a nuisance

 SFP+ Copper Twinax is another option for 10G to save on the transceivers


Re: Cisco CMTS SNMP OID's

2016-01-24 Thread Yang Yu
On Sun, Jan 24, 2016 at 1:06 PM, Lorell Hathcock  wrote:

> Signal to Noise per upstream channel

CISCO-CABLE-SPECTRUM-MIB::ccsUpSpecMgmtSNR
http://tools.cisco.com/Support/SNMP/do/BrowseOID.do?local=en=Translate=ccsUpSpecMgmtSNR

> Cable Modem counts of all kinds
> connected / online
> ranging
> offline

Not there if there are OIDs for `show cable modem docsis version summary`


Re: Looking for VPS providers with BGP session

2015-12-09 Thread Yang Yu
On Tue, Dec 8, 2015 at 8:52 PM, Yucong Sun  wrote:
> I recommend http://www.quadranet.com/ ! I have been a happy customer
> for almost two years,
>
> I have a single dedicated server over there,  running full BGP feed
> with them, It's a fairly extensive setup with multiple sessions,
> automatic null routing and all the communities tinkering! Their NOC is
> very friendly and very easy to work with!
>

I would avoid QuadraNet for VPS services. They refused to give me a
/48 (not even another /64). And it took a shout on WHT for them to
respond to my tickets opened months ago.


Yang


Time Warner Cable IPv6 help needed

2015-11-16 Thread Yang Yu
Last month after a service upgrade/reprovisioning I am no longer
getting an IPv6 prefix. Now all I see are RAs and never a response to
DHCPv6 solicit. I have tried different support channels but no luck
getting an answer.

From what I gathered IPv6 is available in my market and no known
outages. Can someone please ping me offline? Very much appreciated

Yang


Re: Route leaks from AS9498 (BHARTI Airtel)?

2015-11-06 Thread Yang Yu
On Fri, Nov 6, 2015 at 9:38 AM, Andrew Duey
 wrote:
> Is anyone else seeing their routes leaked from AS9498 (BHARTI Airtel) in
> India?
>
> According to bgpmon.net they started leaking our Level 3 provided IP space
> at 2015-11-06 05:52 UTC.  Oddly, they're not leaking our ARIN assigned IP
> blocks but our prefixes inside the 8.0.0.0/8 range they are (8.34.96.0/21
> and 8.33.2.0/24).
>

Yes I saw the same thing. Level 3 customer space inside 8.0.0.0/8 got
leaked by AS9498 through 174, 4323, 5580 and 12989.

I did get alerts from bgpmon but the event is not shown on
bgpstream.com. What are the criteria for listing on bgpstream.com?

Yang


Re: M$ no v6 or just me?

2015-07-14 Thread Yang Yu
On Wed, Jul 15, 2015 at 4:33 AM, Nicholas Warren
nwar...@barryelectric.com wrote:
> Surely Microsoft has IPv6 connectivity? Is there a problem with my dns, or is 
> Microsoft not available over v6?
>
> Thanks,
> Nich


probably not Google DNS filtering


test point 1

$ dig e10088.dspb.akamaiedge.net  @n0dspb.akamaiedge.net

;  DiG 9.10.2-P2  e10088.dspb.akamaiedge.net  @n0dspb.akamaiedge.net
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 51914
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;e10088.dspb.akamaiedge.net.IN  

;; AUTHORITY SECTION:
dspb.akamaiedge.net.1000IN  SOA n0dspb.akamaiedge.net.
hostmaster.akamai.com. 1436917052 1000 1000 1000 1800

;; Query time: 51 msec
;; SERVER: 96.7.248.137#53(96.7.248.137)
;; WHEN: Wed Jul 15 08:37:32 KST 2015
;; MSG SIZE  rcvd: 119



test point 2

$ dig e10088.dspb.akamaiedge.net  @n0dspb.akamaiedge.net

;  DiG 9.8.1-P1  e10088.dspb.akamaiedge.net  @n0dspb.akamaiedge.net
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 27887
;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;e10088.dspb.akamaiedge.net.IN  

;; ANSWER SECTION:
e10088.dspb.akamaiedge.net. 20  IN  2600:1408:10:18f::2768
e10088.dspb.akamaiedge.net. 20  IN  2600:1408:10:181::2768
e10088.dspb.akamaiedge.net. 20  IN  2600:1408:10:188::2768

;; Query time: 18 msec
;; SERVER: 88.221.81.193#53(88.221.81.193)
;; WHEN: Tue Jul 14 16:37:17 2015
;; MSG SIZE  rcvd: 128


I get different IPs for n0dspb.akamaiedge.net / n0dscb.akamaiedge.net
every time.

So it depends on source IP of the query and which akamai DNS server is
answering?


Re: Level3 routing issue US west coast?

2015-07-12 Thread Yang Yu
On Mon, Jul 13, 2015 at 4:14 AM, Jürgen Jaritsch j...@anexia.at wrote:
 One of the DDoS targets was PCCW and their ports were congested ... this was the 
 official explanation we got.

 Lots of discussion starts from here 

Can it be somehow related to the DDoS on Telegram (AS62041, AS59930)?
200Gbps SYN flood was what they said on twitter. I don't see 3491 as
an upstream for either ASN any more.
On a side note 3356 became upstream for 62041 about a week ago

http://www.inmediahk.net/files/imagecache/w456/column_images/113252.png
(the tweet has been deleted)


AS3549 Level3/GBLX carrying routing for 10.0.0.0/8

2013-07-20 Thread Yang Yu
It appears AS3549 is announcing 10.0.0.0/8. I noticed it from an
AS3549 customer.

From GBLX looking glass, ATL1

traceroute
Protocol [ip]: ip
Target IP address: 10.0.0.1
Source address:
Numeric display [n]: n
Timeout in seconds [3]: 1
Probe count [3]: 2
Minimum Time to Live [1]: 1
Maximum Time to Live [30]: 30
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to 10.0.0.1
VRF info: (vrf in name/id, vrf out name/id)
  1 te3-1-10G.par9.CTA1.GRU.gblx.net (67.16.142.26) 120 msec 124 msec
  2 122.5.125.189.static.impsat.net.br (189.125.5.122) 120 msec 120 msec
  3 10.0.0.1 [AS 262487] 124 msec 120 msec

Apparently the customer didn't have proper inbound filter..
Reply from 10.0.0.1: bytes=32 time=132ms TTL=61



Re: Network Engineering Stack Exchange site in Area51 (fwd)

2013-05-15 Thread Yang Yu
Now it's public :)

 The new Network Engineering Stack Exchange site is now open to the public!

 After just 8 days in private beta, we've already got 451 users who have
 asked 99 questions and written 258 answers. We're off to a good start, and
 it's time to unleash this baby on the public and see if it flies. (Sorry;
 mixed metaphor.)

 Tell all your friends, blog about it, tweet about it, and write the URL
 (http://networkengineering.stackexchange.com) in chalk on the sidewalk in
 front of your neighbor's house. Or paint. No, never mind, better use chalk.

 Most importantly, go to the site now and start earning reputation and
 badges! We'll see you there! Right now!

 http://networkengineering.stackexchange.com -- that is the URL again
 http://networkengineering.stackexchange.com -- it has not changed in the
 last 10 microseconds

 All the best,

 The Stack Exchange Team

On Tue, May 7, 2013 at 4:44 PM, Yang Yu yang.yu.l...@gmail.com wrote:
 Network Engineering Q&A site - Area 51 - Stack Exchange just started
 private beta.
 http://networkengineering.stackexchange.com/

 If anyone needs a private beta invitation, feel free to email me
 offlist. Thanks.

 On Tue, Apr 30, 2013 at 7:40 PM, Simon Lyall si...@darkmere.gen.nz wrote:

 The proposal currently needs just 13 more committers with 200+ SE points on
 any site...

 http://area51.stackexchange.com/proposals/52519/network-engineering

 The SE site proposal for 'network engineering' is so close to going into
 Beta. It's up to
 441 committers, and is currently 7th overall, (of 800+ proposals,) on the
 hottest proposal list.

 --
 Simon Lyall  |  Very Busy  |  Web: http://www.darkmere.gen.nz/
 To stay awake all night adds a day to your life - Stilgar | eMT.





Re: Network Engineering Stack Exchange site in Area51 (fwd)

2013-05-07 Thread Yang Yu
Network Engineering Q&A site - Area 51 - Stack Exchange just started
private beta.
http://networkengineering.stackexchange.com/

If anyone needs a private beta invitation, feel free to email me
offlist. Thanks.

On Tue, Apr 30, 2013 at 7:40 PM, Simon Lyall si...@darkmere.gen.nz wrote:

 The proposal currently needs just 13 more committers with 200+ SE points on
 any site...

 http://area51.stackexchange.com/proposals/52519/network-engineering

 The SE site proposal for 'network engineering' is so close to going into
 Beta. It's up to
 441 committers, and is currently 7th overall, (of 800+ proposals,) on the
 hottest proposal list.

 --
 Simon Lyall  |  Very Busy  |  Web: http://www.darkmere.gen.nz/
 To stay awake all night adds a day to your life - Stilgar | eMT.





Re: Google Public DNS Problems?

2013-05-01 Thread Yang Yu
It is very courteous to reply a SERVFAIL for requests being rate limited.

On Wed, May 1, 2013 at 1:17 PM, Andrew Fried andrew.fr...@gmail.com wrote:
 Your IPs may have been rate limited...

 Andy

 Andrew Fried
 andrew.fr...@gmail.com

 On 5/1/13 12:38 PM, Blair Trosper wrote:
 That's all well and good, but I certainly wouldn't expect nslookup
 gmail.com or for nslookup google.com to return SERVFAIL


 On Wed, May 1, 2013 at 9:34 AM, Joe Abley jab...@hopcount.ca wrote:


 On 2013-05-01, at 12:09, Blair Trosper blair.tros...@gmail.com wrote:

 Is anyone else seeing this?  From Santa Clara, CA, on Comcast
 Business...I'm getting SERVFAIL for any query I throw at 8.8.8.8 and
 8.8.4.4...

 Level 3's own public resolvers are fine for me, as are OpenDNS's
 resolvers.

 Google just turned on validation across the whole of 8.8.8.8 and 8.8.4.4.
 The expected behaviour in the case where a response does not validate is to
 return SERVFAIL to the client.

 You could check that the queries you are sending are not suffering from
 poor signing hygiene (e.g. use the handy-dandy dnsviz.net visualisation).

 If this is a repeatable, consistent problem even for unsigned zones (or
 for zones that you've verified are signed correctly) and especially if it's
 widespread you might want to call google on the nanog courtesy phone and
 have them look for collateral damage from their recent foray into 8.8.8.8
 validation.

 Raw output from dig/drill and traceroutes to 8.8.8.8/8.8.4.4 are highly
 recommended if you need to take this further.


 Joe




Re: IPv6 and HTTPS

2013-04-26 Thread Yang Yu
If the hosting provider can still charge for IPv4 addresses, why would
they support SNI or IPv6 SSL ;)

I have seen a CDN using certificates with tons of domain names in
subject alternative name. Old Symbian phones don't support SAN..


On Thu, Apr 25, 2013 at 10:32 PM, Jay Ashworth j...@baylink.com wrote:
 - Original Message -
 From: David Hubbard dhubb...@dino.hostasaurus.com

 The web server has to support it too, which means compiling
 apache with SNI support and there are of course plenty of
 hosts running old apache.

 Well, sure, but for the hoster, it's a direct benefit, not an externality;
 they have motive to fix it.

 Cheers,
 -- jra
 --
 Jay R. Ashworth  Baylink   
 j...@baylink.com
 Designer The Things I Think   RFC 2100
 Ashworth  Associates http://baylink.pitas.com 2000 Land Rover DII
 St Petersburg FL USA   #natog  +1 727 647 1274




AboveNet Atlanta to DC route

2013-04-22 Thread Yang Yu
From 21:15 EDT the RTT from ATL to IAD jumped from 15ms to 80ms. Is
there any maintenance going on?


 6  xe-1-0-0.mpr3.atl6.us.above.net (64.125.31.45)  22.813 ms  16.716 ms  16.679 ms
 7  xe-2-1-0.cr2.iah1.us.above.net (64.125.31.50)  91.618 ms  66.028 ms  66.042 ms
 8  xe-0-0-0.cr1.iah1.us.above.net (64.125.30.65)  66.036 ms  66.039 ms  66.015 ms
 9  xe-1-2-0.cr1.dfw2.us.above.net (64.125.26.129)  66.528 ms  66.542 ms  66.523 ms
10  xe-2-1-0.cr1.ord2.us.above.net (64.125.30.62)  72.045 ms  72.059 ms  72.058 ms
11  xe-3-0-0.cr1.lga5.us.above.net (64.125.24.37)  83.509 ms  83.520 ms  83.480 ms
12  xe-1-1-0.mpr3.phl2.us.above.net (64.125.31.33)  156.272 ms  121.225 ms  89.677 ms
13  xe-1-0-0.mpr4.phl2.us.above.net (64.125.31.30)  80.308 ms  80.003 ms  80.470 ms
14  xe-0-2-0.cr2.dca2.us.above.net (64.125.31.38)  79.252 ms  79.252 ms *
15  xe-1-0-1.er2.iad10.us.above.net (64.125.26.242)  111.178 ms  79.919 ms  80.016 ms
16  xe-1-0-1.er5.iad10.us.above.net (64.125.24.141)  79.647 ms  78.290 ms  78.253 ms

AboveNet LG

Router: mpr3.atl6.us.above.net
Command: show route protocol bgp table inet.0 64.125.24.141 terse

inet.0: 450455 destinations, 1696045 routes (450337 active, 104
holddown, 327 hidden)
Restart Complete
+ = Active Route, - = Last Active, * = Both

A DestinationP Prf   Metric 1   Metric 2  Next hopAS path
  64.125.24.140/30   B 170230 64.125.31.50I
 64.125.31.50
 B 170230 64.125.31.50I
 64.125.31.50



Re: Google incorrect IPv6 GeoIP

2013-04-15 Thread Yang Yu
Still getting redirected

Resolving www.google.com... 2607:f8b0:400c:c04::69, 74.125.26.104,
74.125.26.99, ...
Connecting to www.google.com|2607:f8b0:400c:c04::69|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: 
http://www.google.com.hk/url?sa=phl=zh-CNpref=hkredirectpval=yesq=http://www.google.com.hk/ust=1366057169806151usg=AFQjCNEQcW1Bg7ROZRYzpFJC-f99YXGF8Q
[following]
--2013-04-15 13:18:59--
http://www.google.com.hk/url?sa=phl=zh-CNpref=hkredirectpval=yesq=http://www.google.com.hk/ust=1366057169806151usg=AFQjCNEQcW1Bg7ROZRYzpFJC-f99YXGF8Q
Resolving www.google.com.hk... 2607:f8b0:400c:c04::69, 74.125.26.103,
74.125.26.106, ...



Re: Google incorrect IPv6 GeoIP

2013-04-12 Thread Yang Yu
DNS is actually working correctly I think.
1) The outputs are from Dreamhost Ashburn, but I saw the same result
over IPv6 at Dreamhost LAX. Different DNS servers.
2) ping and ping6 times are pretty much the same. I suppose they are
served by the same Google cluster/CDN.
3) No redirect over IPv4



$dig www.google.com 

;  DiG 9.7.3  www.google.com 
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 30269
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.IN  

;; ANSWER SECTION:
www.google.com. 209 IN  2607:f8b0:400c:c04::63

;; Query time: 0 msec
;; SERVER: 208.113.157.201#53(208.113.157.201)
;; WHEN: Fri Apr 12 20:25:24 2013
;; MSG SIZE  rcvd: 60




$ traceroute 2607:f8b0:400c:c04::63
traceroute to 2607:f8b0:400c:c04::63 (2607:f8b0:400c:c04::63), 30 hops
max, 80 byte packets

 4  2607:f298:5:0:208:113:156:1 (2607:f298:5:0:208:113:156:1)  0.175
ms  0.179 ms  0.156 ms
 5  2001:438:fffe::5c5 (2001:438:fffe::5c5)  0.197 ms  0.186 ms  0.183 ms
 6  2001:438:::407d:1882 (2001:438:::407d:1882)  0.233 ms
0.231 ms  0.361 ms
 7  2001:438:::407d:c52 (2001:438:::407d:c52)  0.309 ms  0.288
ms  0.288 ms
 8  2001:4860::1:0:9ff (2001:4860::1:0:9ff)  1.529 ms  1.533 ms  1.601 ms
 9  2001:4860::8:0:3cda (2001:4860::8:0:3cda)  2.177 ms  0.968 ms
2001:4860::8:0:3cd9 (2001:4860::8:0:3cd9)  1.381 ms
10  2001:4860::8:0:33b2 (2001:4860::8:0:33b2)  12.431 ms
2001:4860::8:0:33b3 (2001:4860::8:0:33b3)  44.297 ms
2001:4860::8:0:33b2 (2001:4860::8:0:33b2)  12.371 ms
11  2001:4860::2:0:33b1 (2001:4860::2:0:33b1)  12.406 ms
2001:4860::2:0:33b0 (2001:4860::2:0:33b0)  13.059 ms
2001:4860::2:0:33b1 (2001:4860::2:0:33b1)  12.343 ms
12  vh-in-x63.1e100.net (2607:f8b0:400c:c04::63)  12.872 ms  12.845 ms
 12.899 ms




$ dig www.google.com

;  DiG 9.7.3  www.google.com
;; global options: +cmd
;; Got answer:
;; -HEADER- opcode: QUERY, status: NOERROR, id: 63365
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com.IN  A

;; ANSWER SECTION:
www.google.com. 244 IN  A   74.125.26.99
www.google.com. 244 IN  A   74.125.26.105
www.google.com. 244 IN  A   74.125.26.104
www.google.com. 244 IN  A   74.125.26.147
www.google.com. 244 IN  A   74.125.26.106
www.google.com. 244 IN  A   74.125.26.103

;; Query time: 0 msec
;; SERVER: 208.113.157.201#53(208.113.157.201)
;; WHEN: Fri Apr 12 20:24:49 2013
;; MSG SIZE  rcvd: 128




wget -4 http://www.google.com
--2013-04-12 20:29:26--  http://www.google.com/
Resolving www.google.com... 74.125.26.103, 74.125.26.99, 74.125.26.104, ...
Connecting to www.google.com|74.125.26.103|:80... connected.
HTTP request sent, awaiting response... 200 OK



Yang

On Fri, Apr 12, 2013 at 9:48 PM, Scott Howard sc...@doc.net.au wrote:
 On Fri, Apr 12, 2013 at 5:58 PM, Christopher Morrow morrowc.li...@gmail.com
 wrote:

 no you don't... the dreamhost example used the google ARIN allocation
 2607::  this example uses the 2404 APNIC allocation.

 note that this may still be 'wrong', but .. it's a different wrong. :)


 But likely caused by exactly the same problem - with the distinction
 between between GeoIP of the DNS server and GeoIP of the client itself.

 (Keeping in mind that the DNS lookup could be occurring over IPv4,
 especially in the first example)

   Scott



Google incorrect IPv6 GeoIP

2013-04-11 Thread Yang Yu
For some reason Google redirects requests from Dreamhost's IPv6 block
2607:f298::/32 to google.com.hk

$ wget http://www.google.com
--2013-04-11 16:06:45--  http://www.google.com/
Resolving www.google.com... 2607:f8b0:400c:c01::93, 173.194.75.99,
173.194.75.147, ...
Connecting to www.google.com|2607:f8b0:400c:c01::93|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: 
http://www.google.com.hk/url?sa=phl=zh-CNpref=hkredirectpval=yesq=http://www.google.com.hk/ust=1365721636015681usg=AFQjCNEa0yI6UdIVf1tqLtCw3qrBC6Akww
[following]
--2013-04-11 16:06:46--
http://www.google.com.hk/url?sa=phl=zh-CNpref=hkredirectpval=yesq=http://www.google.com.hk/ust=1365721636015681usg=AFQjCNEa0yI6UdIVf1tqLtCw3qrBC6Akww
Resolving www.google.com.hk... 2607:f8b0:400c:c01::6a, 173.194.75.105,
173.194.75.99, ...
Connecting to www.google.com.hk|2607:f8b0:400c:c01::6a|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: http://www.google.com.hk/ [following]
--2013-04-11 16:06:46--  http://www.google.com.hk/
Reusing existing connection to www.google.com.hk:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “index.html”


The report IP problem form
(https://support.google.com/websearch/contact/ip?rd=1) does not think
IPv6 addresses are valid.

Can someone help with this issue?

Thanks.

Yang



Re: route for linx.net in Level3?

2013-04-03 Thread Yang Yu
I noticed it too this morning from an AS3549 customer. Level 3 LG shows
no route for 195.66.232.0/22 on North American sites.

On Wed, Apr 3, 2013 at 6:52 PM, John Kemp
k...@network-services.uoregon.edu wrote:

 Having trouble reaching route-views.linx.routeviews.org from AS3582.

 I'm assuming that some folks stopped carrying
 this particular linx.net address prefix
 as of this morning. ?!?

 $ whois -h whois.cymru.com  -v 195.66.241.146
 AS  | IP   | BGP Prefix  | CC | Registry |
 Allocated  | AS Name
 5459| 195.66.241.146   | 195.66.240.0/22 | GB | ripencc  |
 1997-12-01 | LINX-AS London Internet Exchange Ltd.

 $ dig +short 146.241.66.195.peer.asn.cymru.com TXT
 1299 2914 3257 10310 | 195.66.240.0/22 | GB | ripencc | 1997-12-01

 --
 John Kemp (k...@routeviews.org)
 RouteViews Engineer
 NOC: n...@routeviews.org
 MAIL: h...@routeviews.org
 WWW: http://www.routeviews.org




Re: Mikrotik visibility

2013-04-02 Thread Yang Yu
I am using Plixer Scrutinizer Flow Analyzer with RouterOS. It does
have a cool-looking web panel. But some interfaces (instance 0, instance
1 etc.) reported don't exactly match up with interfaces in RouterOS.
I haven't figured out what exactly those are.

Yang



Re: Time Warner Cable YouTube throttling

2013-03-07 Thread Yang Yu
Also if your upstream has Google Global Cache (or whatever it's
called), the results can be very different I suppose.


Does Google use different naming structure for IPv6 CDN? Maybe this
particular cache does not offer IPv6.

;; QUESTION SECTION:
;r3---sn-n2uxaxjvh-j5xe.c.youtube.com. IN A

;; ANSWER SECTION:
r3---sn-n2uxaxjvh-j5xe.c.youtube.com. 60 IN CNAME
r3.sn-n2uxaxjvh-j5xe.c.youtube.com.
r3.sn-n2uxaxjvh-j5xe.c.youtube.com. 1800 IN A   64.53.1.78



;; QUESTION SECTION:
;r3---sn-n2uxaxjvh-j5xe.c.youtube.com. IN 

;; ANSWER SECTION:
r3---sn-n2uxaxjvh-j5xe.c.youtube.com. 60 IN CNAME
r3.sn-n2uxaxjvh-j5xe.c.youtube.com.



Level3 peers with Google, I am curious why it hands the traffic off to XO.

 On Wed, Mar 6, 2013 at 10:46 PM, Mark Jeremy mej...@rit.edu wrote:

 traceroute to r19.sn-p5qlsm7d.c.youtube.com (208.117.251.184), 30 hops
 max,
 60 byte packets
  3  rit-rit1-pp-core1-vlan2811.rit.edu (129.21.8.42)  0.508 ms  0.497 ms
 0.484 ms
  4  te-7-2.car2.Buffalo1.Level3.net (4.59.214.21)  2.293 ms  2.294 ms
  2.282
 ms
  5  ae-4-4.ebr2.NewYork1.Level3.net (4.69.140.242)  10.332 ms  10.339 ms
 11.022 ms
  6  ae-72-72.csw2.NewYork1.Level3.net (4.69.148.38)  15.274 ms  10.212 ms
 ae-92-92.csw4.NewYork1.Level3.net (4.69.148.46)  10.204 ms
  7  ae-1-60.edge2.NewYork1.Level3.net (4.69.155.16)  10.202 ms
 ae-2-70.edge2.NewYork1.Level3.net (4.69.155.80)  10.174 ms  10.171 ms
  8  206.111.13.65.ptr.us.xo.net (206.111.13.65)  10.160 ms  10.345 ms
 10.336 ms
  9  207.88.14.185.ptr.us.xo.net (207.88.14.185)  18.555 ms  18.541 ms
 20.749 ms
 10  ae0d1.cir1.ashburn-va.us.xo.net (207.88.13.65)  16.241 ms  16.322 ms
 16.261 ms
 11  209.48.42.86 (209.48.42.86)  16.673 ms  64.114 ms  64.054 ms
 12  208.117.251.184 (208.117.251.184)  16.313 ms  16.306 ms  16.486 ms



Re: Microsoft Product Activation server reachability

2013-01-11 Thread Yang Yu
communication prohibited by filter is just an ICMP response code,
sadly Windows does not under it..
Type 3 (Destination unreachable)
Code 13 (Communication Administratively Prohibited - generated if a
router cannot forward a packet due to administrative filtering;)

ICMP echo request for this ip seems to be filtered by Microsoft. TCP
connection to port 80 is working fine.

tcping wpa.one.microsoft.com

Probing 94.245.126.107:80/tcp - Port is open - time=98.491ms


Yang

On Fri, Jan 11, 2013 at 2:01 AM, Nathan Anderson nath...@fsr.com wrote:

 So the ICMP message communication prohibited by filter must be a normal 
 response to ICMP ping through that gateway.

 Unfortunately, it's not completely fixed yet, but I'm guessing by this 
 measure of progress that they must be working on it.  I now get HTTP 403 in 
 response to any request I send to it.  Tried to reactive this copy of Windows 
 Server once more anyway, and now get Online activation cannot be completed 
 at this time. (Message number: 24579)  Before, it simply claimed I must not 
 have working internet connectivity.

 -- Nathan

 -Original Message-
 From: Scott Howard [mailto:sc...@doc.net.au]
 Sent: Thursday, January 10, 2013 10:55 PM
 To: Ben Carleton
 Cc: Nathan Anderson; nanog@nanog.org
 Subject: Re: Microsoft Product Activation server reachability

 Working now, tested from 3 hosts on different networks on both 80 and 443 :

 $ telnet wpa.one.microsoft.com 443
 Trying 94.245.126.107...
 Connected to wpa.one.microsoft.com.
 Escape character is '^]'.


   Scott



 On Fri, Jan 11, 2013 at 12:02 AM, Ben Carleton carle...@vanoc.net wrote:


 - Original Message -
  From: Nathan Anderson nath...@fsr.com
  To: nanog@nanog.org nanog@nanog.org
  Sent: Thursday, January 10, 2013 11:24:16 PM
  Subject: Microsoft Product Activation server reachability
 
  Anybody else having a problem reaching (what appears to be) the sole
  Microsoft Product Activation server (wpa.one.microsoft.com)?
 
  $ ping wpa.one.microsoft.com
  PING wpa.one.microsoft.com (94.245.126.107): 56 data bytes
  36 bytes from 213.199.189.41: Communication prohibited by filter
 
  I get this sourcing from our network, from ATT 3G, and from ye 
 residential
  DSL connection located in the greater Seattle area. They aren't 
 simply
  source-filtering. Either that or they are source-filtering for 
 0.0.0.0/0.
 
  This is apparently the only server/IP they have set up to respond 
 to these
  requests. wpa.one.microsoft.com resolves to that IP via every DNS 
 server
  I've tried (so no round-robin A records), Microsoft products that 
 need to
  activate over the internet only try to resolve that FQDN, and I've 
 looked
  for others without success (wpa.two.microsoft.com isn't valid, for 
 example).
 
  --
  Nathan Anderson
  First Step Internet, LLC
  nath...@fsr.com
 
 


 I am seeing the same from NYC metro. According to MS 
 (http://technet.microsoft.com/en-us/library/bb457159.aspx#ECAA), access to 
 that host on 80 and 443 is all that should be required to activate. (and 
 wpa.one.microsoft.com has no , go figure)

 [ben@razor ~]$ ping wpa.one.microsoft.com

 PING wpa.one.microsoft.com (94.245.126.107) 56(84) bytes of data.

 From 213.199.189.41 icmp_seq=2 Packet filtered
 ^C
 --- wpa.one.microsoft.com ping statistics ---
 6 packets transmitted, 0 received, +1 errors, 100% packet loss, time 
 5260ms

 [ben@razor ~]$ telnet wpa.one.microsoft.com 80
 Trying 94.245.126.107...
 ^C
 [ben@razor ~]$ telnet wpa.one.microsoft.com 443
 Trying 94.245.126.107...
 ^C

 -- Ben








Re: facebook down

2012-12-10 Thread Yang Yu
I noticed Google Public DNS was returning ServerFail for www.facebook.com A
earlier around 6pm EST ; , NS records were fine. Now DNS problem is
solved but web still does not work.

On Mon, Dec 10, 2012 at 6:06 PM, Joly MacFie j...@punkcast.com wrote:

 I know there's an outages list, but seriously!

 It seems like a DNS prob?



 --
 ---
 Joly MacFie  218 565 9365 Skype:punkcast
 WWWhatsup NYC - http://wwwhatsup.com
  http://pinstand.com - http://punkcast.com
  VP (Admin) - ISOC-NY - http://isoc-ny.org
 --
 -




Re: is CERNET part of the Internet?

2012-10-01 Thread Yang Yu
Most networks have some sort of firewall (hopefully...)

Isn't CERNET kind of similar to Internet2/NLR?
Members own their network
Free to join
Serve educationresearch community
Members encourage their users to use the free network instead of public
network when possible

Please correct me if I am wrong.


Yang

On Thu, Sep 27, 2012 at 5:23 AM, Eugen Leitl eu...@leitl.org wrote:


 I'm trying to figure out whether CERNET
 http://en.wikipedia.org/wiki/CERNET
 is part of the official Internet, or is behind the Great Firewall where
 access to individual networks on the public Internet must be explicitly
 granted. Anyone in the know?