Re: Free(opensource) Ticketing solutions

2024-05-27 Thread John Stitt
We're using Zammad


John Stitt

Senior Network Engineer



From: NANOG  on behalf of 
Pascal Masha 
Sent: Monday, May 27, 2024 12:28 PM
To: nanog 
Subject: Free(opensource) Ticketing solutions

Hello,

Which free and good ticketing systems do you folks (for those who do) use?

Regards,
Paschal Masha





Re: who runs the root, Cogent-TATA peering dispute?

2024-05-19 Thread John Levine
It appears that Bryan Fields  said:
>Suppose the community wanted to change this or make a formal policy on root
>server hosting requirements.  Where would this be done?  Could a party submit
>a proposal to ICANN via the policy development process?  If not where should
>the community start this?

The Governance Working Group that David mentioned has been grinding
along for the better part of a decade. It's quite a difficult problem.
The existing roots are doing a decent job, and any more formal
arrangement runs the risk of politically motivated "improvements".

People are worried about what happens if a root goes rogue or
disappears but unless the rogue operator were Verisign, which is
utterly implausible, the result would be not much. These days a lot of
web caches have their own copies of the root that they get directly
from ICANN or Verisign. (See RFC 8806. It's really easy.) For everyone
else, most clients now make DNSSEC queries and the root's signatures
expire after two weeks.

I would be a lot more worried about the other scenario David hinted
at, a future iteration of the US government tells ICANN or Verisign to
do something to the root zone, e.g., delete Iran or Russia or point
their name servers at something else.

https://community.icann.org/pages/viewpage.action?pageId=120820189

R's,
John


Re: who runs the root, Cogent-TATA peering dispute?

2024-05-19 Thread John R. Levine

On Sun, 19 May 2024, David Conrad wrote:

>> They provide this to Verisign, the Root Zone Maintainer, who create the
>> root zone and distribute it to the root server operators.
>
> Technically, IANA provides database change requests to Verisign. The actual
> database is maintained by the Root Zone Maintainer (hence the name).


Good point.

In any event, I think we agree that none of IANA, ICANN, and/or Verisign 
has the authority to remove one of the root operators, no matter how much 
someone might dislike their peering policies.


R's,
John

PS: Perhaps the GWG will eventually come up with a way to do that but I'm 
not holding my breath. It's been six years since RSSAC 037 and 038.  I 
can't blame them for moving very slowly since it would be all too easy to 
come up with something worse than the current non-system


Re: who runs the root, Cogent-TATA peering dispute?

2024-05-17 Thread John R. Levine

On Fri, 17 May 2024, William Herrin wrote:

> That said, ICANN generates the root zone including the servers
> declared authoritative for the zone.

Nope.

> So they do have an ability to
> say: nope, you've crossed the line to any of the root operators.


Very very nope.

ICANN as the IANA Functions Operator maintains the database of TLD info. 
They provide this to Verisign, the Root Zone Maintainer, who create the 
root zone and distribute it to the root server operators.  Verisign does 
this under a contract with NTIA, one of the few bits of the Internet that 
is still under a US government contract:


https://www.ntia.gov/page/verisign-cooperative-agreement

Should ICANN attempt to mess with the distribution of the root zone, let 
us just say that the results would not be pretty.  There's a balance of 
terror here.  ICANN carefully never does anything that would make the root 
server operators say no, and the root server operators carefully avoid 
putting ICANN in a position where they might have to do that.


I'm not guessing here, I go to ICANN meetings and talk to these people.

R's,
John




Re: Cogent-TATA peering dispute?

2024-05-17 Thread John Levine
It appears that William Herrin  said:
>I don't understand why Cogent is allowed to operate one of the root
>servers. Doesn't ICANN do any kind of technical background check on
>companies when letting the contract?

You must be new here. There is no contract for running root servers
and never has been.

We can all have our own opinions about the various operators.

R's,
John

>
>For those who haven't been around long enough, this isn't Cogent's
>first depeering argument. Nor their second. And they're behaving
>unreasonably. I don't know any of the details -this time- but
>historically speaking Cogent is behaving badly -again- and you can
>take that to the bank.
>
>Regards,
>Bill Herrin
>
>
>
>-- 
>William Herrin
>b...@herrin.us
>https://bill.herrin.us/
>




Re: Mailing list SPF Failure

2024-05-16 Thread John R. Levine

I think a lot of us have nanog whitelisted or otherwise special cased.

Also, it's been pumping out list mail for decades and I expect has a close
to zero complaint rate so even without the SPF the IPs it sends from have
a good reputation.


On Thu, 16 May 2024, Scott Q. wrote:

> I'm surprised nobody noticed for close to 10 days. I was away
> from work and upon coming back I saw the little discussion there was,
> in my Spam folder.
>
> On Thursday, 16/05/2024 at 18:56 John R. Levine wrote:
>
>> On Thu, 16 May 2024, William Herrin wrote:
>>
>>> The message content (including the message headers) is theoretically
>>> not used for SPF validation. In practice, some SPF validators don't
>>> have direct access to the SMTP session so they rely on the SMTP
>>> session placing the envelope sender in the Return-path header.
>>
>> But that wasn't the problem here, the SPF record was just
>> gone.  Oops.
>>
>> I see that the SPF record is back and seems to have the correct addresses
>> so we can now return to our previously scheduled flamage.


Re: Should FCC look at SS7 vulnerabilities or BGP vulnerabilities

2024-05-16 Thread John Levine
It appears that Brandon Martin  said:
>I think the issue with their lack of effectiveness on spam calls is due 
>to the comparatively small number of players in the PSTN (speaking of 
>both classic TDM and modern IP voice-carrying and signaling networks) 
>world allowing lots of regulatory capture.

It's the opposite. SS7 was designed for a world with a handful of
large trustworthy telcos. But now that we have VoIP, it's a world of a
zillion sleazy little VoIP carriers stuffing junk into the network.
The real telcos have no desire to deliver spam calls. Everything is
bill and keep so they get no revenue and a lot of complaints.

Mike is right that STIR/SHAKEN is more complex than it needs to be but
even after it was widely deployed, the telcos had to argue with the
FCC to change the rules so they were allowed to drop spam calls which
only changed recently. That's why you see PROBABLE SPAM rather than
just not getting the call.

R's,
John


Re: Mailing list SPF Failure

2024-05-16 Thread John R. Levine

On Thu, 16 May 2024, William Herrin wrote:

> The message content (including the message headers) is theoretically
> not used for SPF validation. In practice, some SPF validators don't
> have direct access to the SMTP session so they rely on the SMTP
> session placing the envelope sender in the Return-path header.


But that wasn't the problem here, the SPF record was just gone.  Oops.

I see that the SPF record is back and seems to have the correct addresses so
we can now return to our previously scheduled flamage.


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: Mailing list SPF Failure

2024-05-16 Thread John Levine
It appears that Michael Thomas  said:
>On 5/16/24 8:11 AM, Peter Potvin via NANOG wrote:
>> Appears there’s no SPF record at all now for nanog.org, which is not
>> ideal…
>
>Since probably 99% of the mail from NANOG is through this list, it 
>hardly matters since SPF will always fail.

Sorry, but no. A mailing list puts its own envelope return address on
the message so with a reasonable SPF record, SPF will normally
succeed. (If the mail is subsequently forwarded SPF will fail, but
that's not unique to mailing lists.)

DKIM and DMARC do not get along with mailing lists, but SPF is OK, at
least as OK as SPF ever is.

tl;dr nanog needs to put back its SPF record. It'll make some systems
such as Gmail considerably more likely to accept the mail.

R's,
John
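
The point in the message above, that SPF is evaluated against the envelope return address the list applies and not the author's From: header, as an added example that is not part of the original thread. It implements only the `ip4`, `ip6` and `all` mechanisms; the `.example` domains, documentation-range addresses and the `ZONE` table are constructed stand-ins for DNS.

```python
import ipaddress

# Constructed data: .example names and documentation prefixes stand in for DNS.
ZONE = {
    "list.example": "v=spf1 ip4:192.0.2.0/28 ip6:2001:db8:25::/64 -all",
    "author.example": "v=spf1 ip4:198.51.100.25 -all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(client_ip, domain, zone):
    """Evaluate an SPF record using only the ip4, ip6 and all mechanisms."""
    record = zone.get(domain.lower())
    if record is None or record.split()[:1] != ["v=spf1"]:
        return "none"                      # no record published: nothing to assert
    addr = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name not in ("ip4", "ip6"):
            return "permerror"             # mechanism outside this example's subset
        net = ipaddress.ip_network(value, strict=False)
        if addr.version == net.version and addr in net:
            return QUALIFIERS[qualifier]
    return "neutral"                       # record ended without a match


def spf_domain(mail_from, helo):
    """SPF is keyed on the envelope sender; a null sender falls back to HELO."""
    if "@" in mail_from:
        return mail_from.rsplit("@", 1)[1]
    return helo


def evaluate(delivery, zone=ZONE):
    """Return (domain that was checked, SPF result) for one SMTP delivery."""
    domain = spf_domain(delivery["mail_from"], delivery["helo"])
    return domain, check_host(delivery["client_ip"], domain, zone)


# Constructed list delivery: the author's address stays in the From: header,
# the list puts its own bounce address in the envelope.
LIST_POST = {
    "client_ip": "192.0.2.5",
    "helo": "mail.list.example",
    "mail_from": "list-bounces@list.example",
    "header_from": "alice@author.example",
}
# The same message relayed onward by a recipient's forwarding host.
FORWARDED = dict(LIST_POST, client_ip="203.0.113.77", helo="fwd.relay.example")
# The zone as it looks while the list's record is missing.
ZONE_WITHOUT_LIST_RECORD = {k: v for k, v in ZONE.items() if k != "list.example"}


def header_from_result(delivery, zone=ZONE):
    """What a check would say if it wrongly used the From: header domain."""
    domain = delivery["header_from"].rsplit("@", 1)[1]
    return check_host(delivery["client_ip"], domain, zone)


if __name__ == "__main__":
    print("list post        ", evaluate(LIST_POST))
    print("forwarded        ", evaluate(FORWARDED))
    print("record missing   ", evaluate(LIST_POST, ZONE_WITHOUT_LIST_RECORD))
    print("From: header view", header_from_result(LIST_POST))
```
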


On consistency and 192.0.0.0/24

2024-05-13 Thread John Kristoff
As one to never let a good academic question go unasked... what is it
about 192.0.0.0/24 that is or isn't a bogon. This doesn't seem so
straightforward an answer to me, at least in theory.  Although in
practice it may already be decided whether one likes the answer or not.

192.0.0.0/24 was originally assigned to IANA for "protocol assignments"
in IETF RFC 5736, and later added to the list of reserved / special use
addresses in IETF RFC 6890 (aka BCP 153).   There is a corresponding
IPv6 block (2001::/23), but it has a significantly different history.

Team Cymru's bogon list includes the v4 prefix.  NLNOG's bogon
filtering guide does not.  When I asked Job about NLNOG's position he
said:

  "I was unsure what this prefix’s future plans would be and erred on
  the side of caution and didn’t include this prefix in the NLNOG bogon
  list recommendations."

The /24 as specified is not for "global" use, but some of the more
specific assignments are or can be.  See:
<https://www.iana.org/assignments/iana-ipv4-special-registry/iana-ipv4-special-registry.xhtml>.

From my cursory examination I can't find cases where the v4 prefix or
more specifics have been publicly announced to any significant degree.
This however is not the case for the IPv6 prefix (e.g., the AS112
project, Teredo).

Maybe you'd say the /24 should be filtered, but not the more specifics
that are deemed available for global use.  That might be reasonable,
except many reasonable people will filter small prefixes.

IANA's language may have put any "do not filter" camp in a relatively
weak position:

  "Address prefixes listed in the Special-Purpose Address Registry are
  not guaranteed routability in any particular local or global context."

I can't remember hearing anyone complaining about bogon-related
reachability problems with the aggregate IANA prefixes generally.  Is
there a strong case to make that ops should not bogon filter any
addresses in these prefixes?  At least with IPv4?  What about for IPv6?

John
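
The interaction described in the post above between a bogon list, the registry's per-entry "globally reachable" flag and a maximum-prefix-length filter, as an added example that is not part of the original post. The registry rows are transcribed from the IANA registry linked in the post; `LISTS_THE_24` and `OMITS_THE_24` are hypothetical policies that differ only in whether 192.0.0.0/24 is listed and do not reproduce any published bogon list.

```python
import ipaddress

# Entries under 192.0.0.0/24 as (prefix, name, globally_reachable), transcribed
# for this example from the IANA IPv4 Special-Purpose Address Registry; re-check
# the live registry before using them in a real filter.
REGISTRY = [
    ("192.0.0.0/24", "IETF Protocol Assignments", False),
    ("192.0.0.0/29", "IPv4 Service Continuity Prefix", False),
    ("192.0.0.8/32", "IPv4 dummy address", False),
    ("192.0.0.9/32", "Port Control Protocol Anycast", True),
    ("192.0.0.10/32", "TURN Anycast", True),
    ("192.0.0.170/32", "NAT64/DNS64 Discovery", False),
    ("192.0.0.171/32", "NAT64/DNS64 Discovery", False),
]
ENTRIES = [(ipaddress.ip_network(p), name, g) for p, name, g in REGISTRY]

# Hypothetical policies: one lists the /24 as a bogon, the other leaves it out.
LISTS_THE_24 = [ipaddress.ip_network("192.0.0.0/24")]
OMITS_THE_24 = []


def most_specific_entry(prefix):
    """Longest registry entry that covers the whole announced prefix, or None."""
    net = ipaddress.ip_network(prefix)
    covering = [e for e in ENTRIES if net.subnet_of(e[0])]
    return max(covering, key=lambda e: e[0].prefixlen, default=None)


def evaluate(prefix, bogons, max_prefixlen=24, honor_global_flag=False):
    """Return the import decision for one announced IPv4 prefix.

    bogons            networks rejected together with all their more-specifics
    max_prefixlen     longest prefix the operator accepts at all
    honor_global_flag exempt registry entries marked globally reachable
    """
    net = ipaddress.ip_network(prefix)
    entry = most_specific_entry(prefix)
    exempt = honor_global_flag and entry is not None and entry[2]
    if not exempt and any(net.subnet_of(b) for b in bogons):
        return "reject: bogon"
    if net.prefixlen > max_prefixlen:
        return "reject: too specific"
    return "accept"


if __name__ == "__main__":
    cases = [
        ("192.0.0.0/24", LISTS_THE_24, 24, False),
        ("192.0.0.0/24", OMITS_THE_24, 24, False),
        # Marked global in the registry, but still dropped by a /24 length limit.
        ("192.0.0.9/32", LISTS_THE_24, 24, True),
        ("192.0.0.9/32", LISTS_THE_24, 32, True),
        # Not marked global, so the exemption does not apply.
        ("192.0.0.8/32", LISTS_THE_24, 32, True),
    ]
    for prefix, bogons, max_len, honor in cases:
        entry = most_specific_entry(prefix)
        print(f"{prefix:16} le{max_len} honor={honor!s:5} "
              f"{entry[1] if entry else '-':32} "
              f"{evaluate(prefix, bogons, max_len, honor)}")
```
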


TIMELY - FINAL REMINDER - ARIN Email Template Retirement Scheduled for 3 June 2024

2024-05-13 Thread John Curran
NANOGers -

If you are still emailing SWIP requests to ARIN for reporting reallocations and 
reassignments, please contact the ARIN Helpdesk ASAP to move to a more
appropriate/secure technology.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers


Begin forwarded message:

Subject: [arin-announce] FINAL REMINDER - ARIN Email Template Retirement 
Scheduled for 3 June 2024
...
On 3 June 2024, ARIN will retire SWIP email templates for reporting 
reallocations and reassignments as described in the community Consultation 
conducted in November of 2023. After 3 June 2024, ARIN will not accept or 
respond to email templates.

We recognize this change is significant and have several alternative options 
for submitting reassignment information. To facilitate a smooth transition, we 
encourage users to explore ARIN’s Reg-RWS service, a secure and efficient means 
of interacting with ARIN’s database.

Those who do not need to automate reallocation and reassignment submissions may 
find it convenient to use ARIN Online to report this information to ARIN.

For organizations who are unable to utilize Reg-RWS or ARIN Online, or for 
those who prefer to continue composing reassignment information in email 
templates, ARIN has provided an open-source template processor that customers 
may run within their network. This software will allow users to convert email 
templates to REST calls compatible with Reg-RWS. This open-source template 
processor was released on GitHub on 1 November 2023, and is no longer 
maintained by ARIN post release. If you wish to use this product beyond its 
initial release, you will be able to fork the repository and maintain it as 
your needs require. To learn more, please visit: 
https://www.arin.net/resources/registry/reassignments/ostp/

If you have questions about this transition, or need assistance using Reg-RWS, 
please contact us by submitting an Ask ARIN ticket or chatting with us using 
ARIN Online, or calling the Registration Services Help Desk at +1.703.227.0660 
(Monday-Friday, 7:00 AM – 7:00 PM ET).

Regards,

John Sweeting
Chief Customer Officer
American Registry for Internet Numbers (ARIN)

---
REFERENCES:
ARIN Reg-RWS Service: https://www.arin.net/resources/manage/regrws/
Reporting Reassignments Using ARIN Online: 
https://www.arin.net/resources/registry/reassignments/#reporting-reassignments-using-arin-online



NOAA Space Weather Prediction Center issued a Severe (G4) Geomagnetic Storm Watch

2024-05-10 Thread John Curran

SWPC Issues Its First G4 Watch Since 2005 | NOAA / NWS Space Weather Prediction Center
https://www.swpc.noaa.gov/news/swpc-issues-its-first-g4-watch-2005

"Multiple CMEs erupted associated with flare activity from Region 3664 on 07-09 
May. These CMEs are expected to merge with potential arrival expected by early 
May 11 on the UTC day."

(Low but distinct possibility of effects to radio and transmission systems)

FYI,
/John

John Curran
President and CEO
American Registry for Internet Numbers



Apply Now for an ARIN Community Grant

2024-05-09 Thread John Sweeting
Hi NANOG’ers,

ARIN has announced the opening of applying for an ARIN grant. See below 
announcement.


Do you have a project that needs funding, is noncommercial in nature, and 
benefits the Internet community within the ARIN service region? Apply now for a 
2024 ARIN Community Grant.

The ARIN Community Grant Program provides financial grants in support of 
operational and research projects that improve the overall Internet industry 
and user environment, advancing ARIN’s mission and broadly benefiting the ARIN 
community within our region. Projects must fit into one or more of these four 
broad categories:

- Internet technical improvements that promote and facilitate the expansion, 
development, and growth of the infrastructure of the Internet consistent with 
the public interest
- Registry processes and technology improvements that help maintain a globally 
consistent and highly usable Internet number registry system
- Informational outreach that advances the Internet on topics such as, but not 
limited to, IPv6 deployment, Internet research, and Internet governance
- Research related to ARIN’s mission and operations

For 2024, the ARIN Board of Trustees has approved a total expenditure of up to 
US$60,000 for grants of varying amounts, from $1,000 to $20,000, and based on 
project need. We invite you to learn more about ARIN’s Community Grant Program 
and to find the link to the application form at: https://www.arin.net/grants.

The call for applications is open now through 7 June 2024. We encourage all 
applicants to clearly demonstrate how projects meet eligibility guidelines and 
selection criteria through the application form to improve chances of selection.

ARIN looks forward to funding important projects through the ARIN Community 
Grant Program in 2024.

Regards,

American Registry for Internet Numbers (ARIN)



RE: Roku Streaming Issues

2024-05-08 Thread John Stitt
I saw a lot of tickets yesterday afternoon/evening for issues with streaming 
services on roku devices, and downdetector also had a very large spike in user 
reports, but I haven’t seen any issues from our customers today. I haven’t seen 
any reports on the  puck.nether.net Outages mailing list related to it either.

We’re in southwest Kentucky, for what that’s worth.

John Stitt
HES Energynet



From: NANOG  On Behalf Of 
Corey Smith via NANOG
Sent: Tuesday, May 7, 2024 6:31 PM
To: nanog@nanog.org
Subject: Roku Streaming Issues

Is anyone else seeing issues with Streaming services on Roku?

Thanks

Corey  Smith
IT Manager | Information Technology
NCTC - North Central | www.nctc.com
872 Highway 52 Bypass East | Lafayette, Tennessee 37083
Office 615.666.2151| Mobile 615.388.6864
corey.sm...@nctc.com


Corey Smith
IT Manager
Information Technology
NCTC - North Central
872 Highway 52 Bypass East
Lafayette, Tennessee 37083
corey.sm...@nctcstaff.com<mailto:corey.sm...@nctcstaff.com>
Office 615-666-2151
Mobile 615-388-6864







OARC 43 - Call for Contribution

2024-04-23 Thread John Todd


The DNS-OARC Programme Committee is seeking contributions from the community.

This workshop will be a hybrid event.

Date - likely in the week of 23-27 September 2024, details will be confirmed 
later
Location - South America, exact location will be confirmed later
Time zone - approximately 09:00-17:00 UTC -5 (TBC)
Partnered/co-located with - related industry events, will be confirmed later

Submission requirements
Topic must be related to DNS
10 or 20 minutes (there will be additional 5 min of Q&A following each talk)
Will be broadcast live and recorded for future reference
Presentation slides will be publicly available before, during and after meeting

Acceptance Criteria
Proposal should be at a high technical level suitable to the audience
Submissions should include draft slides or at least detailed description of the 
proposed talk content
PC might require improvements to slides before and after talk acceptance

How to submit
Submission deadline: 2024-06-23 23:59 UTC
You will need to create an account in the Indico system
A Step-by-Step guide to submitting in Indico can be found here: 
<https://bit.ly/49GftMx>

Suggested Topics
All DNS-related subjects and discussion topics are welcome!

Here’s a non-exhaustive list of ideas:

Operations: Any operational gotchas, lessons learned from an outage, 
details/reasons for a recent outage (how to improve time to recovery, tooling), 
interoperability concerns and experience.
Deployment: DNS config management and release process.
Monitoring: Log ingestion pipeline, analytics infrastructure, anomaly detection.
Scaling: DNS performance management and metrics. Increasing DNS server 
efficiency
Security/Privacy: DNSSEC signing and validation, key storage, qname 
minimization, DoH/DoT/DoQ

Workshop Milestones
CFP submissions open in Indico: now
Deadline for Submissions: 2024-06-23 23:59 UTC
Preliminary list of contributions published: end of June 2024
Full agenda published: beginning of July 2024
Deadline for slides submission - no changes possible: 2024-09-12 23:59 UTC
Remote speaker rehearsal: will be confirmed later

Relevant Links
Registration page and details for presentation submission 
<https://www.dns-oarc.net/oarc43>
FAQ - Submitting a Proposal for the Workshop  <https://bit.ly/49GftMx>
Contact information (who to contact for what) 
<https://indico.dns-oarc.net/event/51/page/294-who-do-i-contact>
Guidelines for presentation slides <https://www.devconf.info/cz/speakerguide/>

Note: DNS-OARC provides registration fee waivers for the workshop to support 
those who are part of underrepresented groups to speak at and/or attend 
DNS-OARC. More details will be provided when registration opens.

If you have questions or concerns you can contact the Programme Committee:
https://www.dns-oarc.net/oarc/programme
via submissi...@dns-oarc.net

John Todd, for the DNS-OARC Programme Committee

For OARC 43 we are open to patronage and donations to fund the Workshop and 
associated events. Please contact spon...@dns-oarc.net if your organization is 
interested in becoming an OARC 43 patron.

(Please note that OARC is run on a non-profit basis, and is not in a position 
to reimburse expenses or time for speakers at its meetings.)



Re: Help with removing DNS shinkhole FP from Charter/Spectrum

2024-04-22 Thread John R. Levine

> I'm not sure where you saw that message, but I got this message via email
> after I submitted an unblock request with Spectrum Shield:
>
>   We have reviewed your request to unblock validin.com. This site was not
>   found to be blocked by Spectrum Shield and should be accessible from your
>   browser.

Sigh.

> I've cleaned up everything I could from that botched blocklist aggregation.
> However, there's no correction process for Spectrum's DNS sinkhole, and I'm
> not even sure that's how our domain got mixed up there. The support staff
> I've spoken with have denied the existence of DNS sinkholing at Spectrum,
> and demonstrated they lack the basic technical sophistication needed to
> understand the concept.


Yeah, that's the problem.  And given stuff like this link below, I 
wouldn't expect their legal department to be any better.  Clearly there is 
someone somewhere who is competent because their network mostly works, but 
damned if I know how to find them.


https://www.theverge.com/2022/7/29/23282522/charter-spectrum-customer-murder-forged-terms-of-service

R's,
John


Re: Help with removing DNS shinkhole FP from Charter/Spectrum

2024-04-22 Thread John R. Levine
> Bill is absolutely correct. The spammers lost their case because they
> were demonstrably spammers.

No, really they did not.  I read the decisions.  Have you?  Hint: under
CAN SPAM a great deal of spam is completely legal so it didn't matter.

> We’ve had accidental black hole cases with *US* providers that removed
> the block once they received a C&D. If they don’t have iron clad proof
> in hand. (More than just a few complaints and no traffic analysis), it’s
> just the least risky response.


I will believe that there are people that cave in response to threats like 
this, but again, there is no case law to support it.


R's,
John


Re: Help with removing DNS shinkhole FP from Charter/Spectrum

2024-04-22 Thread John R. Levine

On Mon, 22 Apr 2024, William Herrin wrote:

> Respectfully, you're mistaken. Look up "tortious interference."


I'm familiar with it.

But I am also familiar with many cases where spammers have sued network
operators claiming that they're falsely defamed, so the operator has to 
deliver their mail.  They have without exception lost.  If you can find 
actual cases where a court forced an operator to deliver a third party's 
traffic I would like to hear about it.*


43 USC 230(c)(A) provides extremely broad protection for "good faith" 
blocking, which means that a complaint would have to show that the 
blocking was malicious rather than merited or accidental.  In this case it 
seems probably accidental, but for all I know there might have been bad 
traffic to merit a block.


Here's one of the cases where a spammer lost:

https://jl.ly/Email/holomaxx.html
https://jl.ly/Email/holo4.html

And here's one where the judge rejected tortious interference:

https://jl.ly/Email/spamarrest.html


> My results going through the support front-door at large companies for
> oddball problems have been less than stellar. Has your experience
> truly been different?


No, it's terrible, and Spectrum is particularly bad.  I am now in month 
three of trying to get them to route a /24 to my host that belongs to one 
of my users, and their responses can be summarized as very complex 
exegeses of "duh?"


But bogus lawyer letters will just make things worse.

R's,
John

* - let's stay away for now from the Texas and Florida social network 
common carrier laws which are a whole other can of s*


Re: Help with removing DNS shinkhole FP from Charter/Spectrum

2024-04-22 Thread John Levine
It appears that William Herrin  said:
>On Sun, Apr 21, 2024 at 6:21 PM Validin Axon  wrote:
>> Looking for some help/advice. Spectrum is sinkholing my company's domain, 
>> validin[.]com, to 127.0.0.54.
>
>Howdy,
>
>If you can't reach a technical POC, use the legal one. Your lawyer can
>find the appropriate recipient and write a cease-and-desist letter for
>you. After that, it's -their- lawyer's problem to track down the
>correct technical people.

No, that is terrible advice.  In the immortal acronym of Laura Atkins, TWSD.

The only response to a letter like that is "we run our network to
serve our customers and manage it the way we think is best" and you
know what, they're right. It is absolutely legal to block traffic you
think is malicious, even if you are wrong, and there is case law.

Having said that, I suspect the least bad alternative if you can't
find an out of band contact is to get some of the Spectrum customers
who can't reach you to complain. They're customers, you aren't.

R's,
John


Anyone got a contact at OpenAI. They have a spider problem.

2024-04-10 Thread John Levine
As I think I have mentioned before, I have the world's lamest content farm
at https://www.web.sp.am/.  Click on a link or two and you'll get the idea.

Unfortunately, GPTBot has found it and has not gotten the idea. It has
fetched over 3 million pages today. Before someone tells me to fix my
robots.txt, this is a content farm so rather than being one web site
with 6,859,000,000 pages, it is 6,859,000,000 web sites each with one
page. Of those 3 million page fetches, 1.8 million were for robots.txt.

It's not like it's hard to figure out what's going on since the pages
all look nearly the same, and they're all on the same IP address with
the same wildcard SSL certificate.

Amazon's spider got stuck there a month or two ago but fortunately I was
able to find someone to pass the word and it stopped.  Got any contacts
at OpenAI?

R's,
John

PS: If you were wondering what they're using to train GPT-5, well, now you know.


RE: Netskrt - ISP-colo CDN

2024-04-04 Thread John Stitt
The website says they are part of the Streaming Video Technology Alliance.

I wonder if this is a prepackaged Open Cache box.

https://opencaching.svta.org/

We also don’t appear to have had any traffic from them.  Not much on the 
peeringdb for the USA ASN either.

BGP.tools shows they have upstreams with each ASN, and are on Ohio IX with 
AS53471, but not really any peers anywhere.  Looks like Cogent and Zayo for 
upstreams and only peer I see is AS1239 (Sprint Wireline (Cogent))

John Stitt

From: NANOG  On Behalf Of 
Aaron Gould
Sent: Thursday, April 4, 2024 4:36 PM
To: Eric Dugas 
Cc: nanog@nanog.org
Subject: Re: Netskrt - ISP-colo CDN


Thanks... they told me it was free.

-Aaron
On 4/4/2024 4:12 PM, Eric Dugas wrote:
That name rang a bell so I looked up my emails.

They contacted me last year, they were claiming to be "working with some of the 
major streaming brands, such as Amazon Prime Video, to improve the quality of 
both VOD and live streaming while also reducing the load on ISP networks such 
as your own.".

Based on my quick research, they have a few registered ASNs (their peeringdb
page: https://www.peeringdb.com/org/36226) with a few netblocks but I get 0
traffic from them (we're a sizable eyeball network). Their origin network might 
still not be ready but digging a little bit more, it seems they act as a 
third-party video caching solution and not as an origin CDN so in the end, 
they're really just trying to sell ISPs and other types of customers their 
caching solutions.

Eric

On Thu, Apr 4, 2024 at 4:00 PM Aaron Gould <aar...@gvtc.com> wrote:
Anyone out there using Netskrt CDN?  I mean, installed in your network
for content delivery to your customers.  I understand Netskrt provides
caching for some well known online video streaming services... just
wondering if there are any network operators that have worked with
Netskrt and deployed their caching servers in your networks and what
have you thought about it?  What Internet uplink savings are you seeing?

Netskrt - https://www.netskrt.io/


--
-Aaron

--

-Aaron




Re: Microsoft missing public DNS TXT entry for DKIM records (msn.com)

2024-04-04 Thread John Levine
It appears that Adam Brenner via NANOG  said:
>mail server. Our mail server checks if DKIM email headers are present 
>and if they are, tries to validate them. If the check fails, we reject 
>the message.

MSN's setup is broken but let me strongly reiterate the advice DON'T DO THAT.

If a DKIM signature isn't valid, you ignore it.  If you do anything else,
as you have just discovered, you will be sorry.

R's,
John


Re: SRI's Dan Lynch dies

2024-03-31 Thread John Stitt
I didn’t have the pleasure of meeting Mr. Lynch, but I thought I’d add that from
other sources I am told he was 82 years old.

https://www.nytimes.com/2024/03/31/technology/daniel-c-lynch-dead.html

Thank you for sharing the news to this list. I’m sure he is and will be greatly 
missed by those who knew him.  I’m thankful for all he did for computing and 
the Internet.

John Stitt

Sent from my pocket CRAY-1

On Mar 31, 2024, at 2:20 PM, Jay R. Ashworth  wrote:


From Lauren Weinstein @ PRIVACY Digest:

"""
Dan Lynch, one of the key people involved in building the Internet and
ARPANET before it, has died.

Dan was director of computing facilities at SRI International, where
ARPANET node #2 was located and he worked on development of TCP/IP, and
where the first packets were received from our site at UCLA node #1 to
SRI, and later at USC-ISI led the team that made the transition from the
original ARPANET NCP protocols to TCP/IP for the Internet. And much more.

Peace. -L
"""

He was well written up across the web, but here's a 2021 piece for those
who aren't as familiar with his background:

https://www.internethalloffame.org/2021/04/19/dan-lynchs-love-brilliant-complexity-fuels-early-internet-development-growth/

And his IHoF induction speech:

http://opentranscripts.org/transcript/dan-lynch-ihof-2019-speech/

I would note his age here, as obits usually do, but it seems unusually difficult
to learn.

Happy landings, Mr Lynch.

Cheers,
-- jra
--
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274




Re: Open source Netflow analysis for monitoring AS-to-AS traffic

2024-03-27 Thread John Stitt
I’m using Akvorado for netflow and I’m pretty happy with it. Seeing it 
recommended more frequently on Reddit and elsewhere lately too.


akvorado/akvorado: Flow collector, enricher and visualizer
<https://github.com/akvorado/akvorado>

John Stitt

Sent from my pocket CRAY-1

On Mar 26, 2024, at 7:05 PM, Brian Knight via NANOG  wrote:


What's presently the most commonly used open source toolset for monitoring 
AS-to-AS traffic?

I want to see with which ASes I am exchanging the most traffic across my 
transits and IX links. I want to look for opportunities to peer so I can better 
sell expansion of peering to upper management.

Our routers are mostly $VENDOR_C_XR so Netflow support is key.

In the past, I've used AS-Stats<https://github.com/manuelkasper/AS-Stats> for 
this purpose. However, it is particularly CPU and disk IO intensive. Also, it 
has not been actively maintained since 2017.

InfluxDB wants to sell 
me<https://www.influxdata.com/what-are-netflow-and-sflow/> on Telegraf + 
InfluxDB + Chronograf + Kapacitor, but I can't find any clear guide on what 
hardware I would need for that, never mind how to set up the software. It does 
appear to have an open source option, however.

pmacct seems to be good at gathering Netflow, but doesn't seem to analyze data. 
I don't see any concise howto guides for setting this up for my purpose, 
however.

I'm aware Kentik does this very well, but I have no budget at the moment, my 
testing window is longer than the 30 day trial, and we are not prepared to 
share our Netflow data with a third party.

Elastiflow<https://www.elastiflow.com/> appears to have been open 
source<https://github.com/robcowart/elastiflow?tab=readme-ov-file> at one time 
in the past, but no longer. Since it too appears to be hosted, I have the same 
objections as I do with Kentik above.

On-list and off-list replies are welcome.

Thanks,

-Brian






Re: AT&T ARIN Contact

2024-03-26 Thread John Sweeting
Hi John,

If you CC: hostmas...@arin.net on the email to ipadmin-b...@att.com, ARIN will 
reach out to them and if the entries are not removed in 7 days ARIN will remove 
them for you.

Thanks,
John S.
ARIN CCO

From: NANOG  on behalf of John 
Conley via NANOG 
Date: Tuesday, March 26, 2024 at 9:58 AM
To: nanog@nanog.org 
Subject: AT&T ARIN Contact
I have a few old netblocks that were allocated to my company back in the early 
2010s that our security vendor is requiring us to either secure or remove from 
being registered to us. I've been unable to reach anyone at 
ipadmin-b...@att.com, and the number listed isn't connected anymore.

Does anyone have some contact info at ATT/Bell for getting these records 
corrected?

John Conley - Covenant - Network Engineer - 423.463.3342




AT&T ARIN Contact

2024-03-26 Thread John Conley via NANOG
I have a few old netblocks that were allocated to my company back in the early 
2010s that our security vendor is requiring us to either secure or remove from 
being registered to us. I've been unable to reach anyone at 
ipadmin-b...@att.com, and the number listed isn't connected anymore.

Does anyone have some contact info at ATT/Bell for getting these records 
corrected?

John Conley - Covenant - Network Engineer - 423.463.3342




Who is security-research.org ?

2024-03-24 Thread John Levine
I noticed them in my DNS logs, trying to do AXFRs of random zones I host.  The
probes are coming from Hetzner, a low-cost German hosting provider with a
history of tolerating dodgy customer behavior.

Their website, which is hosted at Vultr, airily assures us it's nothing
personal, they scan everyone to make the Internet better, just filter us, but
if you insist, you can send objections to n...@m-d.net.

Any idea who they are?  I expect it's more likely that they're self-important
than evil, but still, sigh.

R's,
John


Re: registry for onmicrosoft[dot]com

2024-03-19 Thread John R. Levine
Maybe Microsoft allows your small domain as an exception?  In the mean time, 
use Gmail or another cloud provider to get your email.


It may be because I have a few mailing lists that keep the volume up 
enough to avoid falling off their radar.


It's kind of ironic that MS throws people's mail away since they send far 
more mail that recipients want to throw away than either of their large 
competitors.  I've set up special filters that send everything from MS to 
the spam trap if it's not on a static whitelist.


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: registry for onmicrosoft[dot]com

2024-03-19 Thread John R. Levine

Yep, just had another one.  Email to local election office silently
vanishes because it uses Office365 Cloud email.


I believe they're throwing your mail away, but it's not just because 
you're small.  Like I said, I'm just as small and my mail gets there OK.




Needed to use Gmail instead.


On Tue, 12 Mar 2024, John Levine wrote:

It appears that Sean Donelan  said:


Microsoft's corporate email systems appear to silently drop email from
small domains (like mine).


It can't be that simple -- I have some tiny domains and correspond with
Microsoft employees all the time.

R's,
John






Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: DNSSEC & WIldcards

2024-03-15 Thread John Levine
It appears that Niels Bakker  said:
>* nanog@nanog.org (Dennis Burgess via NANOG) [Fri 15 Mar 2024, 16:26 CET]:
>>So have *.app.linktechs.net that I have been trying to get to work, 
>>we have DNSSEC on this, and it's failing, but cannot for the life of 
>>me understand why.  I think it may have something to do with proving 
>>it exists as a wildcard, but any DNSSEC experts want to take a stab 
>>at it ?
>
>There are better mailing lists to ask this question (like 
>dns-operations at dns-oarc.net) but have you checked 
>https://dnsviz.net/d/www.app.linktechs.net/dnssec/ ?

I agree there are better places to ask, but here's a quick
diagnosis: your nameserver is returning the wrong answer.

What kind of server is it? Any modern nameserver should automatically
return the correct DNSSEC stuff for wildcard responses.

R's,
John


Re: registry for onmicrosoft[dot]com

2024-03-12 Thread John Levine
It appears that Sean Donelan  said:
>
>Microsoft's corporate email systems appear to silently drop email from 
>small domains (like mine). 

It can't be that simple -- I have some tiny domains and correspond with
Microsoft employees all the time.

R's,
John


Re: Best TAC Services from Equipment Vendors

2024-03-12 Thread Lyden, John C
> when a TAC engineer wanted to bounce our Voice VLAN SVI in the middle of an 
> *airport* production day. 
> I about turned over my desk trying to wrest the remote control session back 
> from him before he hit enter 
> on the shut. Since then, I have had to go through a not insignificant 
> evaluation period of TAC engineers 
> before I let them take control of a remote session, and it is now simply pure 
> instinct to log SSH sessions.

Picture it, Cisco TAC, on a troubleshooting call, runs 'no ip routing' and hits 
enter before our engineer could scream "NO" at 11:30AM on a core L3 on a 
college campus.

RCA afterwards:

1. "Always log all terminals (we prefer SecureCRT) from Windows bastion host to 
OneDrive or Google Drive" 
2. New CiscoTAC TACACS login created allowing Enable but Denying "configure" as 
a command. When you troubleshoot, you log in as CiscoTAC. 

The CiscoTAC tacacs profile description in Clearpass makes it clear why it's 
there. I left the curse words out.

-J

John C. Lyden
Associate Director, Network Operations
Division of Information Resources & Technology
Rowan University 



RE: Best TAC Services from Equipment Vendors

2024-03-09 Thread John van Oppen
That honestly is what my experience used to be but this has not been my 
observation recently, even when we as a large NSP provide all detail and 
literally ask about possible bugs.

From: NANOG  On Behalf Of Joel Esler
Sent: Thursday, March 7, 2024 11:46 AM
To: Pascal Masha 
Cc: nanog 
Subject: Re: Best TAC Services from Equipment Vendors

It may be a pain in the butt to get Cisco equipment, but their TAC is sublime.  
If something is critical enough, and you push hard enough, Cisco will move 
heaven and earth to solve your issue.



Re: Why are paper LOAs still used?

2024-02-26 Thread John Kristoff
On Mon, 26 Feb 2024 10:57:05 -0800
Seth Mattinen via NANOG  wrote:

> Why do companies still insist on, or deploy new systems that rely on 
> paper LOA for IP and ASN resources? How can this be considered more 
> trustworthy than RIR based IRR records?

For routing, some have been proposing that the RPKI.  There was some
discussion here a few months ago:

  <https://mailman.nanog.org/pipermail/nanog/2023-November/224035.html>

Shortly thereafter this blog post appeared:

  <https://mailman.nanog.org/pipermail/nanog/2023-November/224035.html>

> And I'm not even talking about old companies, I have a situation
> right now where a VPS provider I'm using will no longer use IRR and
> only accepts new paper LOAs. In the year 2024. I don't understand how
> anyone can go backwards like that.

Did you ask them why or can you name the provider?

John


Re: Any info on AT&T Wireless Outage?

2024-02-22 Thread John Councilman
From what I've read, they lost their database of SIM cards.  I could be
wrong of course.

On Thu, Feb 22, 2024 at 2:02 PM Dorn Hetzel  wrote:

> As widespread as it seemed to be, it feels like it would be quite a trick
> if it were a single piece of hardware.  Firmware load that ended badly, I
> wonder?
>
>
> On Thu, Feb 22, 2024 at 1:51 PM Leato, Gary via NANOG 
> wrote:
>
>> Do you have the ability to expand on this at all? Do you mean a hardware
>> failure of some kind IE router, optics, etc?
>>
>>
>>
>> *From:* NANOG  *On
>> Behalf Of *R. Leigh Hennig
>> *Sent:* Thursday, February 22, 2024 8:17 AM
>> *To:* Robert DeVita 
>> *Cc:* nanog@nanog.org
>> *Subject:* Re: Any info on AT&T Wireless Outage?
>>
>>
>>
>> Word around the campfire is that it’s a Cisco issue.
>>
>>
>>
>> On Feb 22, 2024, at 8:03 AM, Robert DeVita 
>> wrote:
>>
>>
>>
>> Reports have it starting at 4:30 a.m.. SOS on all phones..
>>
>


RE: Akamai AANP minimum traffic?

2024-02-22 Thread John Stitt
I can't speak with authority since I'm not with Akamai, but I requested a cache 
maybe a year or so ago. At the time I was told they were moving away from 
caching unless you were doing well over 100Gbps consistently, just due to the 
massive scale of their data not lending itself well to caching in smaller 
installs. Their cache hit percentages were getting lower all the time.

They were really pushing for doing PNI or hitting them over an IXP instead.

It's possible something has changed though, just wanted to throw my experience 
out in case it helps.  Can't hurt to reach out and make a request and see what 
they tell you directly. I got a response pretty quickly and they were nice 
about it.

John Stitt

-Original Message-
From: NANOG  On Behalf Of Tom 
Samplonius
Sent: Thursday, February 22, 2024 12:29 PM
To: NANOG 
Subject: Akamai AANP minimum traffic?


  Does anyone know what the minimum traffic is to qualify for an Akamai AANP 
cache?



Tom




Re: IPv6 uptake

2024-02-18 Thread John Levine
It appears that Nick Hilliard  said:
>full control of all modems and they're all relatively recent, properly 
>supported units, fully managed by the cable operator. If you start 
>adding poor quality cheap units into the mix, it can cause service problems.

The cablecos I've dealt with have a list of modems they let you use.
Since you have to give them the modem's serial number so they can
provision it from the head end, they can enforce it. Here's Spectrum's
and Comcast's list:

https://www.spectrum.net/support/internet/compliant-modems-charter-network

https://www.xfinity.com/support/devices/

>Cable modem rent is a political issue.

That too, but if you're somewhat technically competent, your own modem
and router is generally a better deal even if you have to replace the
modem every few years. You can get reasonable modems for $100 on eBay
or at big box closeouts, $150 to $200 otherwise.





Re: IPv6 mail The Reg does 240/4

2024-02-17 Thread John Levine
It appears that Michael Thomas  said:
>I kind of get the impression that once you get to aggregates at the 
>domain level like DKIM or SPF, addresses as a reputation vehicle don't 
>much figure into decision making.

It definitely does, since there are plenty of IPs that send only
malicious mail, or that shouldn't be sending mail at all. Every large
mail system uses Spamhaus' IP lists as part of their filtering
process. 

I hear that SPF is largely useless these days because most SPF records
include IP ranges for many mail providers, and a lot of those
providers do a poor job of keeping one customer from spoofing mail
from another. DKIM is still quite useful.

>K. But what happens under the hood at 
>major mailbox providers is maddeningly opaque so who really knows? It 
>would be nice if MAAWG published a best practices or something like that 
>to outline what is actually happening in live deployments.

Unfortunately, spammers can read just as well as we can so it's not
going to happen.

R's,
John


Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread John R. Levine

That it's possible to implement network security well without using
NAT does not contradict the claim that NAT enhances network security.


I think we're each overgeneralizing from our individual experience.

You can configure a V6 firewall to be default closed as easily as you can 
configure a NAT.  Once you start making exceptions, it depends on the 
nature of the exceptions, the way you tell the router about them (CLI, web 
crudware, whatever) and doubtless other stuff too.


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-16 Thread John Levine
It appears that William Herrin  said:
>Now suppose I have a firewall at 199.33.225.1 with an internal network
>of 192.168.55.0/24. Inside the network on 192.168.55.4 I have a switch
>that accepts telnet connections with a user/password of admin/admin.
>On the firewall, I program it to do NAT translation from
>192.168.55.0/24 to 199.33.225.1 when sending packets outbound, which
>also has the effect of disallowing inbound packets to 192.168.55.0/24
>which are not part of an established connection.

Or you set up port forwarding for some other device but you mistype the
internal address and forward it to the switch.  Or the switch helpfully
uses UPNP to do its own port forwarding and you forget to turn it off.

If you configure your firewall wrong, bad things will happen.  I have both
IPv6 and NAT IPv4 on my network here and I haven't found it particularly
hard to get the config correct for IPv6.

Normally the ISP will give you an IPv6 /56 or larger so you can have
multiple segments behind the router each with a /64 and different
policies for each segment.



Re: The Reg does 240/4

2024-02-16 Thread John Levine
It appears that Mike Hammett  said:
>
>" Does any IPv6 enabled ISP provide PTR records for mail servers?" 
>
>
>I think people will conflate doing so at ISP-scale and doing so at residential
>hobbyist scale (and everything in between). One would expect differences in
>outcomes of attempting PTR records in DIA vs. broadband.

Most consumer ISPs block port 25 so rDNS would be the least of your problems 
trying to run a home mail server.

>"How does Google handle mail from an IPv6 server?" 
>
>A few people have posted that it works for them, but unless it has changed 
>recently, per conversations on the mailop mailing list,
>Google does not treat IPv6 and IPv4 mail the same and that causes non-null 
>issues. 

As has been widely reported, Google has recently tightened up authentication 
requirements so
v4 and v6 are now pretty similar.

They won't accept v6 mail that isn't authenticated with SPF or DKIM
but honestly, if you can't figure out how to publish an SPF record you
shouldn't try to run a mail server.

R's,
John


Re: IPv6 uptake (was: The Reg does 240/4)

2024-02-15 Thread John Levine
It appears that Stephen Satchell  said:
>Several people in NANOG have opined that there are a number of mail 
>servers on the Internet operating with IPv6 addresses.  OK.  I have a 
>mail server, which has been on the Internet for decades.  On IPv4.
>
>For the last four years, every attempt to get a PTR record in ip6.arpa 
>from my ISP has been rejected, usually with a nasty dismissive.

I don't think you'll get much disagreement that AT&T is not a great ISP.

One straightforward workaround is to get an IPv6 tunnel from
Hurricane. It's free, it works, and they will delegate the rDNS
anywhere you want. My local ISP doesn't do IPv6 at all (they're a
rural phone company who of course say you are the only person who's
ever asked) so until they do, HE is a quite adequate option.

R's,
John


Re: mail and IPv6, not The Reg does 240/4

2024-02-14 Thread John Levine
It appears that Stephen Satchell  said:
>On 2/14/24 4:23 PM, Tom Samplonius wrote:
>> The best option is what is happening right now:  you can’t get new IPv4
>> addresses, so you have to either buy them, or use IPv6.  The free market
>>   is solving the problem right now.  Another solution isn’t needed.
>
>Really?  How many mail servers are up on IPv6?  How many legacy mail 
>clients can handle IPv6?  How many MTA software packages can handle IPv6 
>today "right out of the box" without specific configuration?

These days most of them.  The popular open source sendmail, postfix,
and exim all do.  The mail programs on my Android phone and iPad do.
Thunderbird does.

>Does any IPv6 enabled ISP provide PTR records for mail servers?

I'm not sure what you're asking. Every IPv6 mail server has rDNS since
otherwise nobody would accept its mail, same as IPv4.

>How does Google handle mail from an IPv6 server?

Assuming it's authenticated with SPF or DKIM, better than IPv4. All
the mail between Gmail and my system runs over IPv6.

A fair amount of mail from Hotmail/Outlook arrives over IPv6 as well
which is surprising since they don't publish  records for their
inbound mail.

R's,
John



Re: The Reg does 240/4

2024-02-14 Thread John Levine
It appears that William Herrin  said:
>On Wed, Feb 14, 2024 at 9:23 AM Owen DeLong via NANOG  wrote:
>> Think how many more sites could have IPv6 capability already if this wasted 
>> effort had been put into that, instead.
>
>"Zero-sum bias is a cognitive bias towards zero-sum thinking; 

Well, OK, think how many more sites could have IPv6 if people weren't
wasting time arguing about this nonsense.

R's,
John




Re: Ongoing ARIN consultation on Resource Public Key Infrastructure/BGP intelligence

2024-02-14 Thread John Curran

On Feb 14, 2024, at 2:09 PM, Randy Bush  wrote:

john,

Read the full text of the consultation at:
https://www.arin.net/participate/community/acsp/consultations/2024/2024-1/

please explain the need for bureaucrazy to do what RPKI CAs have been
doing since dirt was invented.

Randy -

I’d tend to agree with you, but ARIN already once attempted to rollout such
functionality – alas, with overly ambitious scope that not only provided
increased visibility after potentially affected routes but functionality that
also created default linkage to matching IRR objects – and thus created a real
potential for subtle operational impacts at the time of the rollout.
<https://mailman.nanog.org/pipermail/nanog/2023-August/222790.html>

Rather than have a repeat of that fiasco, we’re now moving ahead with changes
that have any potential for causing routing changes in a more deliberate and
consultative manner.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers




Ongoing ARIN consultation on Resource Public Key Infrastructure/BGP intelligence

2024-02-14 Thread John Curran
NANOGers -

ARIN would like to remind the community about the ongoing consultation on 
Resource Public Key Infrastructure/BGP intelligence. This consultation is 
slated to close on Thursday, 29 February. Please be sure to submit your 
comments to the arin-consult mailing list before then.

Read the full text of the consultation at: 
https://www.arin.net/participate/community/acsp/consultations/2024/2024-1/

As of 14 February 2024, we have received very few comments from the community 
regarding this consultation. We believe adding this feature would benefit many 
ARIN customers, and we are seeking input from our community for any additional 
information or capabilities that should be included in this proposed 
functionality development.

If you have feedback you’d like to share with ARIN, please provide it to the 
arin-consult mailing list via arin-cons...@arin.net. You may subscribe to this 
mailing list at https://lists.arin.net/mailman/listinfo/arin-consult. ARIN will 
use the feedback provided to determine how we move forward with improvements to 
our routing security services.

Thank you in advance for your participation in this community consultation.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers (ARIN)



Re: Anyone have contacts at the Amazon or OpenAI web spiders?

2024-02-14 Thread John Levine
It appears that Patrick Clochesy  said:
>Both robots respect robots.txt, of course they’re not going to answer.

The content farm is not one site with six billion pages, it's six billion
sites each with one page.  They check the robots.txt for each site they
visit but by then it's too late.

Most spiders can take the hint that they're all on the same IP.  But not
these two.

R's,
John

>
>On Feb 13, 2024, at 8:35 PM, John Levine  wrote:
>> 
>> One day I set up the world's lamest content farm. You can see it here:
>> 
>> https://www.web.sp.am/
>> 
>> While humans tend not to find its six billion pages very interesting,
>> some web spiders are entranced. In the past week or so, Amazon's
>> amazonbot has visited it 6 million times, and OpenAI's gptbot 2.6
>> million. (If you were wondering what they use to train ChatGPT, now
>> you know.) I don't care that googlebot comes by every 5 or 10 minutes,
>> but gptbot is every few seconds and amazon as fast as the server will
>> respond.
>> 
>> They both come from predictable IPs so I can set packet filters but
>> they're still hammering pretty hard. Each has a URL in the user agent
>> string, Amazon's page has an address to write to but OpenAI's doesn't.
>> I wrote to the Amazon address, no response.
>> 
>> If anyone has contacts at either I would appreciate it. A few years
>> ago the bingbot got trapped but fortunately I knew someone at
>> Microsoft who could pass the word. He reported back that while he
>> could not go into detail, there was a great deal of animated
>> conversation at the other end of the hall, and shortly after that it
>> stopped.
>> 
>> R's,
>> John
>




Re: Utilizing USG networks for internal purposes (Re: route: 0.0.0.0/32 in LEVEL3 IRR)

2024-02-14 Thread John Curran
Dave - 

You’d need to ask someone who speaks for the USG to address that question – and
that’s definitely not my job.

However, I will observe in the time since then, the DoD has taken to
occasionally publicly routing some of its address blocks, so the probability of
inadvertent routing impact has almost certainly increased.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers


> On Feb 14, 2024, at 1:25 AM, Dave Taht  wrote:
> 
> Excellent summary of the USG position as of 2019. It is, um, nearly 5
> years later, has any of these stuff evolved?
> 
> On Tue, Feb 13, 2024 at 9:58 PM John Curran  wrote:
>> 
>> On Jan 31, 2024, at 12:48 AM, Rubens Kuhl  wrote:
>> 
>> DoD's /8s are usually squatted by networks that run out of private IPv4 
>> space.
>> Even though it is very risky to steal resources from an organization
>> that can deploy a black helicopter or a nuclear warhead over you, for
>> some reason like it not appearing in the DFZ people seem to like it.
>> 
>> 
>> Folks -
>> 
>> A network that wants to be creative and utilize an address block that’s 
>> assigned to others
>> for their own internal purposes runs two distinct risks:
>> 
>> 1. An address block that’s not utilized today may easily become publicly 
>> routed tomorrow
>>(either by the original address holder or by their assignee/successor) 
>> and it is not possible
>>to reliably predict whether your customers will need access to the 
>> resources that end up
>>on that address space.
>> 
>> 2. If you should leak routes publicly for another's address space, there are 
>> organizations that
>>will object – and in the case US government networks, this can include 
>> some uncomfortable
>>conversations.  [1]
>> 
>> None of this suggests that one cannot configure their routers any way that 
>> they wish – just that
>> it’d be best if done with appropriate care and an upfront understanding of 
>> the risks involved.
>> 
>> Thanks!
>> /John
>> 
>> John Curran
>> President and CEO
>> American Registry for Internet Numbers
>> 
>> [1] 
>> https://pc.nanog.org/static/published/meetings/NANOG77/2108/20191028_Elverson_Your_As_Is_v1.pdf
>> pg 4.
>> 
> 
> 
> -- 
> 40 years of net history, a couple songs:
> https://www.youtube.com/watch?v=D9RGX6QFm5E
> Dave Täht CSO, LibreQos



Re: Anyone have contacts at the Amazon or OpenAI web spiders?

2024-02-14 Thread John R. Levine

If anyone has contacts at either I would appreciate it.



https://developer.amazon.com/support/amazonbot


Um, that is the site I mentioned in the line above the one you quoted. 
As I said, I wrote to the contact address, no reply.




probably returned as a result of searching "amazonbot" on your favourite
search engine.



Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Utilizing USG networks for internal purposes (Re: route: 0.0.0.0/32 in LEVEL3 IRR)

2024-02-13 Thread John Curran
On Jan 31, 2024, at 12:48 AM, Rubens Kuhl  wrote:

DoD's /8s are usually squatted by networks that run out of private IPv4 space.
Even though it is very risky to steal resources from an organization
that can deploy a black helicopter or a nuclear warhead over you, for
some reason like it not appearing in the DFZ people seem to like it.

Folks -

A network that wants to be creative and utilize an address block that’s
assigned to others for their own internal purposes runs two distinct risks:

1. An address block that’s not utilized today may easily become publicly routed
   tomorrow (either by the original address holder or by their
   assignee/successor) and it is not possible to reliably predict whether your
   customers will need access to the resources that end up on that address
   space.

2. If you should leak routes publicly for another's address space, there are
   organizations that will object – and in the case of US government networks,
   this can include some uncomfortable conversations.  [1]

None of this suggests that one cannot configure their routers any way that they
wish – just that it’d be best if done with appropriate care and an upfront
understanding of the risks involved.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers

[1] 
https://pc.nanog.org/static/published/meetings/NANOG77/2108/20191028_Elverson_Your_As_Is_v1.pdf
 pg 4.



Anyone have contacts at the Amazon or OpenAI web spiders?

2024-02-13 Thread John Levine
One day I set up the world's lamest content farm. You can see it here:

https://www.web.sp.am/

While humans tend not to find its six billion pages very interesting,
some web spiders are entranced. In the past week or so, Amazon's
amazonbot has visited it 6 million times, and OpenAI's gptbot 2.6
million. (If you were wondering what they use to train ChatGPT, now
you know.) I don't care that googlebot comes by every 5 or 10 minutes,
but gptbot is every few seconds and amazon as fast as the server will
respond.

They both come from predictable IPs so I can set packet filters but
they're still hammering pretty hard. Each has a URL in the user agent
string, Amazon's page has an address to write to but OpenAI's doesn't.
I wrote to the Amazon address, no response.

If anyone has contacts at either I would appreciate it. A few years
ago the bingbot got trapped but fortunately I knew someone at
Microsoft who could pass the word. He reported back that while he
could not go into detail, there was a great deal of animated
conversation at the other end of the hall, and shortly after that it
stopped.

R's,
John


Re: Enough of The Reg does 240/4

2024-02-13 Thread John Levine
It appears that Tom Beecher  said:
>> We aren't trying to have a debate on this. All we can do is present our
>> case, explain our reasons and hope that we can gain a consensus from the
>> community.
>
>Respectfully, if you're just putting your case out there and hoping that
>people come around to your position, it's never going to happen.

I think we have once again established that repeating a bad idea over
and over and over does not make it any less bad.

Let's argue about something else, OK?

R's,
John


Re: The Reg does 240/4

2024-02-13 Thread John Levine
It appears that Lyndon Nerenberg (VE7TFX/VE6BBM)  said:
>And what are they going to do when 240/4 runs out?

That will be a hundred years from now, so who cares?

R's,
John

PS: I know this because it will take 98 years of process before the
RIRs can start allocating it.





Re: IPv6 Test Pages for Fortune 500 and Top 100 web sites are back

2024-02-12 Thread John Lightfoot
Well that data is disappointing.

From: NANOG  on behalf of Owen 
DeLong via NANOG 
Date: Monday, February 12, 2024 at 5:03 PM
To: NANOG list 
Subject: IPv6 Test Pages for Fortune 500 and Top 100 web sites are back
Don’t know how much anyone will still care about these pages as there are lots 
of other sources of similar data these days.

However, I finally got around to fixing the two pages I maintain:

http://www.delong.com/ipv6_fortune500.html and
http://www.delong.com/ipv6_alexa500.html

In the case of Alexa, the page is no longer based on Alexa since Amazon 
discontinued that service and now uses the Majestic 1,000,000 as a source 
(grabs the first 500 entries from their list). This page was broken since 
Amazon discontinued the Alexa service.

The Fortune 500 site still uses the same datasource, but the script was 
crashing due to sites with borked SSL implementations which caused PERL to 
abort on an exception that I never figured out how to trap or ignore. As such, 
I’m now manually maintaining an exception list of such sites in the script and 
testing them is bypassed to prevent the script from crashing. Obviously, this 
is not ideal, but I found no better solution so far.

We now return you to your regularly scheduled NANOG chatter.

Owen





Know of any organization that uses SWIP email templates? (was: Fwd: [arin-announce] Email Template Retirement Scheduled for 3 June 2024)

2024-01-27 Thread John Curran
NANOGers -

Please note the following announcement from ARIN regarding retirement of 
email-based SWIP updates to the ARIN registry.

While we are presently providing transition assistance to several organizations 
identified by their use of this functionality in the recent past, it is 
possible that some organizations have little-used tools who may be unaware of 
this upcoming transition – hence this wider email distribution to make sure 
that the community is apprised of the retirement of SWIP email template 
processing at ARIN as of 3 June 2023.   See the attached announcement for 
information on the consultation that was held, the open source template 
processor we’ve made available and the REST-based alternative.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers


Begin forwarded message:

From: ARIN 
Subject: [arin-announce] Email Template Retirement Scheduled for 3 June 2024
Date: January 11, 2024 at 5:24:56 AM HST
To: "arin-annou...@arin.net" 

Effective 3 June 2024, ARIN will be retiring SWIP email templates for reporting 
reallocations and reassignments as described in the community Consultation 
conducted in November of 2023.

Staff conducted analysis of email template usage and determined that this 
change will impact less than 75 organizations, and we will be working with 
these customers directly to guide them through this transition.

We recognize that this presents a meaningful change for users, and ARIN has 
completed two major improvements to ease the impact prior to retiring the 
template processor:

- Published an open-source template processor through GitHub on 31 October 2023 
that can convert email templates to REST calls that can be received by Reg-RWS. 
This template processor is a self-contained product that customers may run 
within their network to process templates. This is meant as a stopgap solution 
and, once released, will not be maintained, or supported. If customers wish to 
use this product beyond its initial release, they will be able to fork the 
repository and maintain it as their needs require.
- Deployed updates to ARIN Online on 7 August 2023 to provide feature parity 
with the existing template processor for reassignments.

We will continue to engage with customers who use email templates to educate 
them on alternative options and assist with their direct transition to our 
Restful API, Reg-RWS.

If you have questions about this transition or need assistance, you can contact 
us by:

- submitting an Ask ARIN ticket or chat with us using your ARIN Online account, 
or
- contacting the Registration Services Help Desk by phone Monday through 
Friday, 7:00 AM to 7:00 PM ET at +1.703.227.0660

Regards,

American Registry for Internet Numbers (ARIN)

--
Resources:

Community Consultation: 
https://www.arin.net/participate/community/acsp/consultations/2023/2023-5/
Open-source Template Processor: 
https://www.arin.net/resources/registry/reassignments/ostp/
Reg-RWS Information: https://www.arin.net/resources/manage/regrws/


___
ARIN-Announce


Re: Diversity in threading, Diversity of MUAs (was Re: How threading works

2024-01-14 Thread John Levine
It appears that Peter Potvin via NANOG  
said:
>*audible sigh*
>
>Yet another useless thread added to my Gmail inbox because of a changed
>subject line.
>
>Can we please stop doing this for conversations that are about the same
>topic?

I don't think the rest of us are obliged to arrange our lives around one
mail provider's imperfect heuristics.

If I were you, I would call up Google and demand that they fix this bug.
What do they think you're paying for?  Oh, wait ...

R's,
John


Re: classic mail, was Vint Cerf Re: Backward Compatibility Re: IPv4 address block

2024-01-13 Thread John Levine
It appears that Randy Bush  said:
>> Some of us still use pine…
>
>i thought most pine users had moved to mutt

Some, but pine (now called alpine) is still actively maintained and
does some things better than mutt, particularly if you want to keep
track of multiple inboxes on different servers.

>randy, who uses wanderlust under emacs :)
>




Re: IPv4 address block

2024-01-07 Thread John Curran
On Jan 7, 2024, at 9:04 PM, Eric Kuhnke  wrote:

I might note that one of the qualified facilitators on the list recently "sold" 
me a block where the original entity which obtained it in the 1990s was still 
announcing it to all of their peers and transit after the wire transfer had 
been done, the ARIN process was done/ticket closed, and the block resided with 
my AS.

Interesting.  If you believe that the qualified facilitator failed in their 
duty to you (more specifically, if they did not live up to an aspect of the 
code of conduct –  
https://www.arin.net/resources/registry/transfers/facilitators/codeofconduct/) 
then please drop ARIN a message with the specifics to 
facilitator-supp...@arin.net

It took a significant amount of badgering the original block holder (an entity 
with which we had no pre-existing relationship or direct contacts into their 
engineering department) to get them to withdraw the announcement, which we did 
independently of the broker and quicker than they responded to us. So my 
message would be to do your own due diligence and investigation of IP space and 
don't trust what the "broker" tells you.

Absolutely - always a good idea.

Thanks for feedback!
/John

John Curran
President and CEO
American Registry for Internet Numbers







Re: IPv4 address block

2024-01-07 Thread John Curran
On Jan 7, 2024, at 7:46 PM, KARIM MEKKAOUI  wrote:

Hi Nanog Community

Any idea please on the best way to buy IPv4 blocs and what is the price?

Karim -

Many folks make use of a broker for the purpose of finding an IPv4 address 
block – ARIN refers to organizations that aid others with transfers of address 
blocks as “facilitators”.

As a result of community concerns regarding less than stellar performance of 
some ARIN-listed facilitators, we recently relaunched the ARIN facilitator 
program with significantly more robust legal, accountability and transparency 
requirements – 
https://www.arin.net/resources/registry/transfers/facilitators/#qualified-facilitator-requirements

This has resulted in a significant reduction in the number of organizations 
listed by ARIN as Qualified Facilitators, but there are plenty that meet the 
higher operational and customer satisfaction criteria and can be found here – 
https://www.arin.net/resources/registry/transfers/facilitators/qualifiedfacilitators/
  –  any of them should be able to do a credible job in helping you obtain an 
IPv4 address block from the marketplace.

Best wishes,
/John

John Curran
President and CEO
American Registry for Internet Numbers




Fellowships for ARIN 53

2024-01-06 Thread John Sweeting
NANOGers –

For those folks (e.g., yourself, friends, coworkers, ...) who are looking for 
an in-depth mentored introduction to
ARIN, please consider applying to participate in the ARIN 53 Fellowship 
Program! Details
attached below, and more online at https://www.arin.net/fellowships.

Thanks,
John S.



Re: What are these Google IPs hammering on my DNS server?

2023-12-04 Thread John R. Levine

On Mon, 4 Dec 2023, Damian Menscher wrote:

have more redundancy/capacity).  Based on these estimates, we haven't
treated mitigation of small attacks as a high priority.  If O(25Kpps)
attacks are causing real problems for the community, I'd appreciate that
feedback and some hints as to why your experience differs from the ISC BIND
load-tests.


Thanks for your note.

Here's my problem, which I freely admit puts me way out at the tail of the 
weird curve.  I run abuse.net which lets you look up abuse reporting 
addresses for domains.  If you look up, say, bt.co.uk or mail.bt.co.uk, 
it'll look the domain up in its internal database and tell you to send 
reports to ab...@bt.com.


I provide lookups via a web site and a whois server, but it occurred to me 
a while ago that it'd be much faster for everyone if I made a stunt DNS 
server that does the lookups and synthesizes the answers, e.g.:


$ dig mail.bt.co.uk.contacts.abuse.net txt

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;mail.bt.co.uk.contacts.abuse.net. IN   TXT

;; ANSWER SECTION:
mail.bt.co.uk.contacts.abuse.net. 43200 IN TXT  "ab...@bt.com"

The DNS server is a perl script I wrote a while ago that synthesizes 
answers on the fly.  It can't be a normal DNS server because the mapping 
from queries to responses is more complex than you can express with DNS 
wildcards, and if a domain isn't in the database it returns a default of 
abuse@.


I have two servers on two networks and normally it works fine until some 
nitwit does a query flood, probably looking up every domain in every 
message they see, or maybe an inept listwasher, and the two little perl 
scripts just can't keep up.


What I would like is if large public DNS systems like yours refused to 
look up anything in contacts.abuse.net, and I tell people that if they 
want to use the DNS lookup, use your own DNS cache, similar to what DNSBLs 
do.


I suppose I could try and do a split horizon hack on the parent server 
(abuse.net itself is on ordinary NSD servers) and say the NS for 
contacts.abuse.net is at 127.0.0.1, but as we've seen it's a challenge 
keeping track of all the places your queries can come from.


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: What are these Google IPs hammering on my DNS server?

2023-12-03 Thread John R. Levine

Just set TC=1 for those clients.  If you get queries over TCP then they were 
not spoofed.  If they are using DNS COOKIE (RFC 7873) you can send back 
BADCOOKIE to the initial (client cookie only) UDP request with your server 
cookie.  Identifying real DNS clients has been possible for years now.  It’s 
not hard.


I could do that but with the other clues I think it's unlikely they're 
spoofed and far more likely they're real traffic from clueless users.


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
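
The TC=1 suggestion quoted in this message, as an added example (not code from the thread or from the abuse.net server): it builds a header-plus-question reply with the truncation bit set, so a genuine resolver retries over TCP while a spoofed source never receives more bytes than the query contained. The function names and the sample query are constructed for illustration.

```python
import struct

FLAG_QR = 0x8000      # message is a response
FLAG_TC = 0x0200      # truncated: client should retry over TCP
FLAG_RD = 0x0100      # recursion desired, copied back from the query
OPCODE_MASK = 0x7800


def question_end(packet, offset=12):
    """Return the offset just past the first question (QNAME, QTYPE, QCLASS)."""
    while True:
        if offset >= len(packet):
            raise ValueError("truncated QNAME")
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0:
            # Compression pointers and reserved label types do not belong
            # in the question of a plain query; refuse rather than follow.
            raise ValueError("unexpected label type in query name")
        offset += 1 + length
    if offset + 4 > len(packet):
        raise ValueError("missing QTYPE/QCLASS")
    return offset + 4


def truncated_reply(query):
    """Build a TC=1 reply that echoes only the header and the question."""
    if len(query) < 12:
        raise ValueError("short header")
    qid, flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", query[:12])
    if flags & FLAG_QR:
        raise ValueError("not a query")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    end = question_end(query)
    reply_flags = FLAG_QR | FLAG_TC | (flags & (OPCODE_MASK | FLAG_RD))
    # No answer, authority or additional records (any EDNS OPT in the query
    # is dropped), so the reply is never larger than the query.
    header = struct.pack("!HHHHHH", qid, reply_flags, 1, 0, 0, 0)
    return header + query[12:end]


def build_query(qid, name, qtype=16):
    """Constructed sample query (default QTYPE 16 = TXT, QCLASS 1 = IN)."""
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    )
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    q = build_query(0x1234, "comcast.net.contacts.abuse.net")
    r = truncated_reply(q)
    print(len(q), len(r), hex(struct.unpack("!H", r[2:4])[0]))
```
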


RE: What are these Google IPs hammering on my DNS server?

2023-12-03 Thread John R. Levine

On Sun, 3 Dec 2023, Michael Hare wrote:

This is little consolation, but at AS3128, I see the same thing to our downstream at 
times, claiming to come from both 13335 and 15169 often simultaneously at the tune of 
25Kpps , "assuming it's not spoofed", which is pragmatically impossible to 
prove for me given our indirect relationships with these companies.  When I see these 
events, I typically also see a wide variety of country codes participating 
simultaneously.  Again, assuming it's not spoofed.  To me it just looks like effective 
harassment with 13335/15169 helping out.  I pine for the internet of the 1990s.


Assuming it's really Google and Cloudflare, it is probably not malicious, 
just very inept mail admins.


They assume that abuse.net is some sort of DNSBL so they configure their 
mail server to query it for every domain in every message they see, even 
though the results are useless.  I have never been able to get anyone who 
does this to stop.


It's not unlike the multirbl page at valli.org which proves the truism 
that any idiot can run a blacklist and many idiots do.  He included the 
abuse.net results and despite a warning right next to the results saying 
it's not a blacklist, I got a stream of outraged people insisting I was 
personally blocking their mail.  So I was finally able to get him to take 
it out by returning this custom result:


'Blacklisted.  To remove send $100 to x...@valli.org'

R's,
John


Recent events in GMT for us were the following, curious if you see the same
~ Nov 26 05:40
~ Nov 30 00:40
~ Nov 30 05:55

Application agnostic, on the low $ end for "fixes", if it's either do something 
or face an outage, I've found some utility in short term automated DSCP coloring on 
ingress paired with light touch policing as close to the end host as possible, which at 
least keeps things mostly working during times of conformance.  Cheap/fast and working 
... most of the time.  Definitely not great or complete at all, and a role I'd rather not 
play as an educational ISP/enterprise.

So what are most folks doing to survive crap like this?  Nothing/waiting it 
out?  Outsourcing DNS?  Scrubbing appliance?  Poormans stuff like I mention 
above?

-Michael


-Original Message-
From: NANOG  On
Behalf Of John R. Levine
Sent: Sunday, December 3, 2023 1:18 PM
To: Peter Potvin 
Cc: nanog@nanog.org
Subject: Re: What are these Google IPs hammering on my DNS server?


Did a bit of digging on Google's developer site and came across this:
https://developers.google.com/speed/public-dns/faq#locations_of_ip_address_ranges_google_public_dns_uses_to_send_queries


Looks like the IPs you mentioned belong to Google's public DNS resolver
based on that list on their site. They could also be spoofed though from a
DNS AMP attack, so keep that in mind.


Per my recent message, the replies are tiny so if it's an amplification
attack, it's a very incompetent one.  The queries are case randomized so I
guess it's really Google.  Sigh.

If anyone is wondering, I have a passive aggressive countermeasure against
some overqueriers that returns ten NS referral names, and then 25 random
IP addresses for each of those names, but I don't do that to Google.


Re: What are these Google IPs hammering on my DNS server?

2023-12-03 Thread John R. Levine

Did a bit of digging on Google's developer site and came across this:
https://developers.google.com/speed/public-dns/faq#locations_of_ip_address_ranges_google_public_dns_uses_to_send_queries

Looks like the IPs you mentioned belong to Google's public DNS resolver
based on that list on their site. They could also be spoofed though from a
DNS AMP attack, so keep that in mind.


Per my recent message, the replies are tiny so if it's an amplification 
attack, it's a very incompetent one.  The queries are case randomized so I 
guess it's really Google.  Sigh.


If anyone is wondering, I have a passive aggressive countermeasure against 
some overqueriers that returns ten NS referral names, and then 25 random 
IP addresses for each of those names, but I don't do that to Google.


R's,
John


--
*Accuris Technologies Ltd.*


On Sun, Dec 3, 2023 at 1:51 PM John Levine  wrote:


At contacts.abuse.net, I have a little stunt DNS server that provides
domain contact info, e.g.:

$ host -t txt comcast.net.contacts.abuse.net
comcast.net.contacts.abuse.net descriptive text "ab...@comcast.net"

$ host -t hinfo comcast.net.contacts.abuse.net
comcast.net.contacts.abuse.net host information "lookup" "comcast.net"

Every once in a while someone decides to look up every domain in the
world and DoS'es it until I update my packet filters. This week it's
been this set of IPs that belong to Google. I don't think they're
8.8.8.8. Any idea what they are? Random Google Cloud customers? A
secret DNS mapping project?


R's,
John





Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
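
The two clues this message leans on (tiny replies, case-randomized query names), worked through as an added example that is not from the thread: per source, it measures the reply-to-query byte ratio and the share of mixed-case names. The log format, the addresses (documentation ranges), the sizes other than the 108 and 109 byte replies, and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log (not real traffic): source, QNAME as received,
# query size in bytes, reply size in bytes.
SAMPLE_LOG = """\
192.0.2.10 cOmCaSt.NeT.cOnTaCtS.aBuSe.nEt 76 108
192.0.2.10 ExAmPle.oRG.CoNtacTs.AbUse.NET 76 109
192.0.2.10 maIL.bt.CO.uk.conTACTS.abuse.Net 78 108
192.0.2.10 EXAMPLE.com.contacts.ABUSE.net 76 108
198.51.100.7 comcast.net.contacts.abuse.net 76 108
198.51.100.7 example.org.contacts.abuse.net 76 109
198.51.100.7 example.com.contacts.abuse.net 76 108
"""


def is_mixed_case(qname):
    """True when the name carries both upper- and lower-case letters."""
    letters = [c for c in qname if c.isalpha()]
    return any(c.isupper() for c in letters) and any(c.islower() for c in letters)


def summarize(log_text):
    """Per source: query count, mixed-case fraction, byte amplification."""
    totals = defaultdict(lambda: {"queries": 0, "mixed": 0, "q_bytes": 0, "r_bytes": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue  # skip blank or malformed lines
        src, qname = fields[0], fields[1]
        q_bytes, r_bytes = int(fields[2]), int(fields[3])
        if q_bytes == 0:
            continue  # a zero-length query cannot be real; avoid dividing by it
        t = totals[src]
        t["queries"] += 1
        t["mixed"] += is_mixed_case(qname)
        t["q_bytes"] += q_bytes
        t["r_bytes"] += r_bytes
    return {
        src: {
            "queries": t["queries"],
            "mixed_fraction": t["mixed"] / t["queries"],
            "amplification": t["r_bytes"] / t["q_bytes"],
        }
        for src, t in totals.items()
    }


def assess(stats, min_queries=3, mixed_threshold=0.9, amp_threshold=2.0):
    """Turn the numbers into two flags. Thresholds are example assumptions."""
    verdicts = {}
    for src, s in stats.items():
        enough = s["queries"] >= min_queries
        verdicts[src] = {
            # Consistent with a resolver that randomizes query-name case;
            # a hint about the sender, not proof of it.
            "case_randomized": enough and s["mixed_fraction"] >= mixed_threshold,
            # A reply barely larger than the query gives a reflector little.
            "high_amplification": s["amplification"] >= amp_threshold,
        }
    return verdicts


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src, verdict in assess(stats).items():
        print(src, stats[src], verdict)
```
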


Re: What are these Google IPs hammering on my DNS server?

2023-12-03 Thread John R. Levine

They are probably spoofed IPs.  So those are the target IPs of a DDoS

What kind of amplification factor does your DNS server have?  I bet with the 
changes you’ve made, it’s super high.  People are looking for DNS servers like 
that.


On the contrary, the response packets are tiny.


$ host -t txt comcast.net.contacts.abuse.net
comcast.net.contacts.abuse.net descriptive text "ab...@comcast.net"

$ host -t hinfo comcast.net.contacts.abuse.net
comcast.net.contacts.abuse.net host information "lookup" "comcast.net"


Those reply packets are 108 and 109 bytes, no additional section, no 
DNSSEC, no nothing.


Any other ideas?  One clue is that the queries have random capitalization 
which would be consistent with them really coming from Google.



Every once in a while someone decides to look up every domain in the
world and DoS'es it until I update my packet filters. This week it's
been this set of IPs that belong to Google. I don't think they're
8.8.8.8. Any idea what they are? Random Google Cloud customers? A
secret DNS mapping project?



What are these Google IPs hammering on my DNS server?

2023-12-03 Thread John Levine
At contacts.abuse.net, I have a little stunt DNS server that provides domain 
contact info, e.g.:

$ host -t txt comcast.net.contacts.abuse.net
comcast.net.contacts.abuse.net descriptive text "ab...@comcast.net"

$ host -t hinfo comcast.net.contacts.abuse.net
comcast.net.contacts.abuse.net host information "lookup" "comcast.net"

Every once in a while someone decides to look up every domain in the
world and DoS'es it until I update my packet filters. This week it's
been this set of IPs that belong to Google. I don't think they're
8.8.8.8. Any idea what they are? Random Google Cloud customers? A
secret DNS mapping project?


R's,
John


Re: Advantages and disadvantages of legacy assets

2023-11-23 Thread John Curran
Gary -

It is unclear if/when such an outcome will occur, but the potential of such an 
endstate highlights the importance of being involved in governance activities 
of one (or more) of the community-based RIR organizations – as a preparatory 
measure should such a change occur in the future.

Note that there is a near-universal expectation of governments that forbearance 
of public regulation (due to industry self-regulation) is only warranted when 
the private alternative covers all of those engaged in similar business, so 
your expressed trajectory has a sound basis.

Best wishes (& Happy Holidays!),
/John

John Curran
President and CEO
American Registry for Internet Numbers


On Nov 22, 2023, at 10:02 PM, Gary Buhrmaster  wrote:

On Wed, Nov 22, 2023 at 8:14 PM William Herrin  wrote:

It still seems unwise, but not entirely insane.

I would expect that at some point in the future
that many/all of the major players will require
RIR validated routing information, and whether
that is due to regulation or best practices for
which the majors will not want to become liable
for ignoring (and "think of the children") is hard
to know.  In the end I suspect we are likely just
trying to discern when that date will be, not the
eventual end result ("not today" is not, really,
a valid target goal).



Re: Your Input Needed: Can ROA Replace LOA? – Short Survey (7 mins)

2023-11-16 Thread John Kristoff
On Thu, 16 Nov 2023 03:47:43 +
Christopher Hawker  wrote:

> Aftab Siddiqui is currently exploring the possibility of using Route
> Object Authorisations (ROAs) as a potential replacement to LOAs.
> Separate to this (and unknowing of Aftab's research), I had started a
> discussion on the RPKI Community guild on Discord
> (https://discord.gg/9jYcqpbdRE) discussing the usage of ROAs instead
> of LOAs.

There is similar work also being done in the NETSEC SIG in FIRST.org.
Aftab may be aware of that and possibly this is where it stems from.
Started by Carlos Friacas (fccn.pt) there is a blog post in the works
that begins by raising questions about when and whether to accept a LoA
as the primary means of agreeing to announce a prefix.  The answer is
not so cut and dry.  If anyone wants to comment on the draft before it
gets published, which should be imminently, let me know and I'll put
you in touch with Carlos and a draft.

John


DDOS scrubbing

2023-11-16 Thread john doe
Hi!

I could not find any recent thread on the list about ddos scrubbing
devices. We are looking into some kind of hybrid service with onprem
hardware and scrubbing centers. At the moment we are evaluating NSFocus and
Riorey, does the list have any experience with them?

Johan


Re: .US Harbors Prolific Malicious Link Shortening Service

2023-11-07 Thread John Levine
It appears that Eric Kuhnke  said:
>I've seen a US based ISP do its internal management network reverse DNS
>using '.us' as a suffix, where the hierarchy is like POP name, then
>city/airport code, then state (eg: CA, NJ, FL), then .us for geographical
>location of equipment in USA.

For a long time, .US had an odd geographic structure invented by Jon
Postel. Everything was ...us. There are also some
special cases, notably k12..us for K-12 schools in each state. One
could volunteer to be a local subregistrar and a fair number of us
still exist. If you have a use for a domain name in
watkins-glen.ny.us, just ask. In that era it was up to each
subregistrar what to charge, and most of us charged and still charge
nothing. Or check out my church's web site at unitarian.ithaca.ny.us.

In 2002 the US government contracted with Neustar to run .US and since
then it's been a lot like generic TLDs, with second level domains
rented for a yearly fee.  The old geographic names are still grandfathered
but the registry, now run by Godaddy, isn't delegating any new ones.

R's,
John


Re: .US Harbors Prolific Malicious Link Shortening Service

2023-11-04 Thread John McCormac
ntability for a top-level domain that is already overrun with
cybercrime activity."

What hope is there when registrars are actively aiding and abetting
criminal enterprises?

Are there any legitimate services running solely on .us domain names?

-Dan



--
**
John McCormac  *  e-mail: j...@hosterstats.com
MC2*  web: http://www.hosterstats.com/
22 Viewmount   *  Domain Registrations Statistics
Waterford  *  Domnomics - the business of domain names
Ireland*  https://amzn.to/2OPtEIO
IE *  Skype: hosterstats.com
**




Re: swedish dns zone enumerator

2023-11-02 Thread John McCormac

On 02/11/2023 05:15, Randy Bush wrote:

ya, right,  and at a whole bunch of other cctld servers

from a network called domaincrawler-hosting

It looks like a list based attempt to discover domain names registered 
in some small ccTLDs. The problem with some of the queries is that a few 
of the second level subdomains of those ccTLDs have just hundreds of 
registrations. Not sure if it is an DNSSEC based attack.


Unlike the gTLDs, available via the ICANN CZDS, most ccTLDs don't 
provide access to their zone files. Some of the queries are odd because 
it seems to be applying lists from Swedish or German language sources to 
small ccTLDs where the main languages of the countries are not Swedish 
or German. Some of those domain name strings don't exist in the gTLDs. A 
few of the examples don't exist in the .SE or .DE ccTLDs either.


The ccTLDs become more "unique" when the main language of their country 
is not English. As a ccTLD's market evolves, registrants will often 
decide to only register in their ccTLD rather than in .COM or other 
gTLDs. The percentage of these unique registrations, as opposed to 
registrations having an equivalent in the gTLDs, can be upwards of 15%. 
The percentage is also affected by economic conditions in the ccTLD's 
market and the price of a ccTLD registration compared to a .COM 
registration. The problems for a list based dns enumeration on these 
small ccTLDs are that there is a lot of them and they are small.


It might be an idea to contact Domaincrawler(.)com and ask what it is 
doing.


Regards...jmcc
--
**
John McCormac  *  e-mail: j...@hosterstats.com
MC2*  web: http://www.hosterstats.com/
22 Viewmount   *  Domain Registrations Statistics
Waterford  *  Domnomics - the business of domain names
Ireland*  https://amzn.to/2OPtEIO
IE *  Skype: hosterstats.com
**




Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-30 Thread John R. Levine

On Mon, 30 Oct 2023, Livingood, Jason wrote:

On 10/27/23, 19:01, "NANOG on behalf of Owen DeLong wrote:


If it’s such a reasonable default, why don’t any of the public resolvers (e.g. 
1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
DNS isn’t the right place to attack this, IMHO.


Are we sure that the filtering is done in the default view - I would suggest the 
user check to ensure they don't have a filtering service (e.g. parental 
controls/malware protection) turned on. In my **personal** opinion, the default 
view should have DNSSEC validation & no filtering; users can always optionally 
select additional protection services that might include DNS-based filtering as 
well as other mechanisms.


At Quad9 they are clear that 9.9.9.9 is filtered.  Cloudflare 1.1.1.1 is 
unfiltered, 1.1.1.2 filters malware, 1.1.1.3 malware and stuff unsuitable 
for children.


I have no idea whether Charter uses one of these, some other third party, 
or their own.  We must know someone there who could tell us.


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: Charter DNS servers returning malware filtered IP addresses

2023-10-29 Thread John Levine
It appears that   said:
>* Owen DeLong [Sat 28 Oct 2023, 01:00 CEST]:
>>If it’s such a reasonable default, why don’t any of the public 
>>resolvers (e.g. 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?
>
>It's generally a service that's offered for money. Quad9 definitely 
>offer it: https://www.quad9.net/service/threat-blocking

Not really for money.  Quad9, Cloudflare, and OpenDNS provide filtered DNS for 
free.

There are expensive versions for enterprise networks but there's
plenty of malware filtering DNS for users.

I'm with you about the purity argument. While it certainly would be
possible to use DNS filtering for political reasons (the "family
friendly" versions arguably do that), the amount of malware and phish
is a large and real threat.

By the way, don't miss Interisle's new report on the cybercrime
supply chain.  They (we, actually) found five million domains
used in crime, of which at least a million were registered only to do crime.

https://interisle.net/CybercrimeSupplyChain2023.html

R's,
John




Re: [EXTERNAL] DNS filtering in practice, Re: Charter DNS servers returning malware filtered IP addresses

2023-10-29 Thread John Levine
It appears that Michael Thomas  said:
>> If you're one of the small minority of retail users that knows enough
>> about the technology to pick your own resolver, go ahead.  But it's
>> a reasonable default to keep malware out of Grandma's iPad.
>
>How does this line up with DoH? Aren't they using hardwired resolver 
>addresses? I would hope they are not doing anything heroic.

Generally, no.  I believe that Chrome probes whatever resolver is configured
into the system and uses that if it does DoH or DoT.

At one point Firefox was going to send everything to their favorite
DoH resolver but they got a great deal of pushback from people who
pointed out that they had policies on their networks and they'd have
to ban Firefox.  Firefox responded with a lame hack
where you can tell your cache to respond to some name and if so
Firefox will use your resolver.

R's,
John


Re: [EXTERNAL] Charter DNS servers returning malware filtered IP addresses

2023-10-29 Thread John R. Levine

> If it’s such a reasonable default, why don’t any of the public resolvers (e.g. 
> 1.1.1.1, 8.8.8.8, 9.9.9.9, etc.) do so?


Oh my, you walked right into that one.

https://www.quad9.net/service/threat-blocking/

https://blog.cloudflare.com/introducing-1-1-1-1-for-families/

I'm also surprised nobody seems familiar with Vixie's Response Policy 
Zones, a widely supported way to put DNS filtering rules into your own DNS 
cache.


https://www.first.org/resources/papers/aa-dec2021/Protective-DNS-a-Boris-Slides.pdf


Regards,
John Levine, jo...@taugh.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly
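
An added illustration, not part of the thread or any poster's code: a small evaluator for the QNAME triggers of a Response Policy Zone, which also shows how a filtering cache can answer the Firefox canary name mentioned in the DoH message above. The zone contents are constructed samples; the canary name use-application-dns.net is not named in the thread and is supplied here, and the matcher is simplified to exact names plus wildcards within one zone.

```python
"""Evaluate QNAME triggers of a Response Policy Zone (RPZ).

All domain names and addresses in SAMPLE_ZONE are constructed, except the
Firefox canary name use-application-dns.net.
"""

# RPZ encodes its actions as CNAME targets; any other record is "local data".
SPECIAL_TARGETS = {
    ".": "NXDOMAIN",
    "*.": "NODATA",
    "rpz-passthru.": "PASSTHRU",
    "rpz-drop.": "DROP",
    "rpz-tcp-only.": "TCP-ONLY",
}

CANARY = "use-application-dns.net"

# Constructed policy zone; owner names are relative to the policy zone origin.
SAMPLE_ZONE = """
; block a constructed malware domain and everything beneath it
malware.example.test        CNAME   .
*.malware.example.test      CNAME   .
; exempt one host from the wildcard block above
ok.malware.example.test     CNAME   rpz-passthru.
; answer NODATA for a constructed tracker
tracker.example.test        CNAME   *.
; send a constructed phishing name to a local walled-garden address
phish.example.test          A       192.0.2.10
; canary: NXDOMAIN here tells Firefox not to enable DoH by default
use-application-dns.net     CNAME   .
"""


def normalize(name):
    """Lower-case a domain name and drop any trailing root dot."""
    return name.rstrip(".").lower()


def parse_rpz(text):
    """Return {trigger_name: (action, data)} from 'owner TYPE rdata' lines."""
    rules = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip zone-file comments
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("unsupported RPZ line: %r" % raw)
        owner, rtype, rdata = fields
        rtype = rtype.upper()
        if rtype == "CNAME" and rdata.lower() in SPECIAL_TARGETS:
            action = (SPECIAL_TARGETS[rdata.lower()], None)
        else:
            action = ("LOCAL-DATA", (rtype, rdata))
        rules[normalize(owner)] = action
    return rules


def evaluate(rules, qname):
    """Pick the policy for qname: exact trigger first, then the closest
    enclosing wildcard. '*.x' covers names below x, never x itself."""
    name = normalize(qname)
    if name in rules:
        return rules[name]
    labels = name.split(".")
    for i in range(1, len(labels)):
        wildcard = "*." + ".".join(labels[i:])
        if wildcard in rules:
            return rules[wildcard]
    return ("NO-MATCH", None)


def canary_disables_default_doh(rules):
    """Firefox leaves DoH-by-default off when the canary name gets an error
    rcode or an answer with no A/AAAA records."""
    action, _ = evaluate(rules, CANARY)
    return action in ("NXDOMAIN", "NODATA")


RULES = parse_rpz(SAMPLE_ZONE)

if __name__ == "__main__":
    for q in ("malware.example.test", "cdn.a.malware.example.test",
              "ok.malware.example.test", "tracker.example.test",
              "phish.example.test", "example.test", CANARY):
        print("%-30s %s" % (q, evaluate(RULES, q)))
    print("canary disables default DoH:", canary_disables_default_doh(RULES))
```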


Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses

2023-10-27 Thread John Levine
It appears that Bryan Fields  said:
>On 10/27/23 7:49 AM, John Levine wrote:
>> But for obvious good reasons,
>> the vast majority of their customers don't
>
>I'd argue that as a service provider deliberately messing with DNS is an 
>obvious bad thing.  They're there to deliver packets.

For a network feeding a data center, sure. For a network like
Charter's which is feeding unsophisticated nontechnical users, they
need all the messing they can get.

If you're one of the small minority of retail users that knows enough
about the technology to pick your own resolver, go ahead.  But it's
a reasonable default to keep malware out of Grandma's iPad.

R's,
John


Re: [EXTERNAL] Re: Charter DNS servers returning malware filtered IP addresses

2023-10-27 Thread John Levine
According to Bryan Fields :
>On 10/25/23 4:58 PM, Compton, Rich A wrote:
>> Charter uses threat intel from Akamai to block certain "malicious" domains.
>
>Does charter do this on signed domains too?

Of course.

If you want to run your own DNSSEC resolver and bypass their malware
protection, you are welcome to do so. But for obvious good reasons,
the vast majority of their customers don't.

R's,
John


Re: Charter DNS servers returning invalid IP addresses

2023-10-27 Thread John Levine
It appears that J. Hellenthal via NANOG  said:
>Maybe the site "has/had" a shopping cart infection at one point that has been 
>found and eradicated at one point ?

Virustotal reported it four days ago, which suggests that whatever was
wrong with it is still wrong with it.

The usual (correct) response to "whitelist us because your malware
report is wrong" is "no, because it's not."

R's,
John


Re: ARIN election statistics, eligible-to-vote ASNs/Org IDs vs. number of votes cast

2023-10-19 Thread John Curran

On Oct 19, 2023, at 5:25 PM, Eric Kuhnke  wrote:

> Does anyone have general statistics on:
>
> a) Number of eligible voting org IDs
>
> b) Percentage of eligible voting org IDs which actually cast ballots in 
> previous ARIN elections

That’s an interesting question to ask over here on nanog’s mailing list, but 
anyway here goes -

ARIN 2022 Election Results - 
https://www.arin.net/announcements/20221031_results/
ARIN 2021 Election Results - 
https://www.arin.net/announcements/2027_election/
ARIN 2020 Election Results - 
https://www.arin.net/announcements/20201103_election/

Each election result posting contains a summary at the bottom that includes 
metrics you seek - For example -
===
2020 Voter Statistics

 *   6,689 ARIN Members as of 8 September 2020
 *   5,684 ARIN eligible Voting Organizations* as of 8 September 2020
 *   ARIN Board of Trustees election: 490 voters on behalf of 603 unique 
ARIN Member organizations cast a ballot in the ARIN Board of Trustees election
 *   ARIN Advisory Council election: 485 voters on behalf of 595 unique 
ARIN Member organizations cast a ballot in the ARIN Advisory Council election

*ARIN Member in Good Standing with a properly registered Voting Contact linked 
to an ARIN Online account as of 8 September 2020.

===


Best wishes,
/John

John Curran
President and CEO
American Registry for Internet Numbers





Re: transit and peering costs projections

2023-10-15 Thread John Kristoff
On Sat, 14 Oct 2023 16:01:54 -0700
Dave Taht  wrote:

> This set of trendlines was very interesting. Unfortunately the data
> stops in 2015. Does anyone have more recent data?

This may be of interest:

  Peering Costs and Fees
  <https://arxiv.org/abs/2310.04651>

John


Re: ARIN whois contact abuse from ipv4depot aka Silicon Desert International Inc

2023-10-12 Thread John Stitt
Our organization has also received cold contact emails from this company, and 
their unsubscribe link doesn’t appear to have slowed them down.

They now hit my junk folder.

John Stitt
HES Energynet

On Oct 11, 2023, at 6:56 PM, Peter Potvin via NANOG  wrote:


> Definitely have received this same spam multiple times and so have a few others 
> I know. It's ridiculous that they resort to scraping public lists and DBs to 
> try and achieve what they're attempting to do.
>
> Regards,
> Peter Potvin | Executive Director
> --
> Accuris Technologies Ltd.
>
> On Wed, Oct 11, 2023 at 7:52 PM Eric Kuhnke <eric.kuh...@gmail.com> wrote:
>> Is anyone else receiving spam from this organization? Based on the contents of 
>> the cold solicitations they are sending us, and the addresses being sent to, 
>> they have scraped ARIN WHOIS data for noc and abuse POC contact info and recent 
>> ipv4 block transfers.
>>
>> It's trivially easy to block their entire domain at the mail server level, of 
>> course...







Re: ARIN Election

2023-10-03 Thread John Curran
Hello Nich!

On Oct 3, 2023, at 4:26 PM, Nicholas Warren  wrote:

> Does anyone know how many people will be elected from each category?

This year’s ARIN election will fill four (4) seats on the ARIN Board of 
Trustees and seven (7) seats on the ARIN Advisory Council.

> I don’t regularly keep up with everyone’s business. So, are any of candidates 
> overachievers or, well, underachievers?

I don’t know the scope of appropriate discussions on the nanog mailing list, 
but I would be remiss if I didn’t point out that there’s ARIN general-members 
mailing list where such discussion is actively encouraged –


All candidates for the Board and Advisory Council will be offered the ability 
to subscribe to the General Members Mailing 
List<https://lists.arin.net/mailman/listinfo/general-members> to answer 
questions from the voting community. If your organization is a General Member 
at ARIN and plans to vote this year, we encourage you to join the mailing list 
to stay up to date on ARIN Election activity. Candidates have also been offered 
the opportunity to present themselves to the general membership in a brief, 
pre-recorded speech during ARIN 52<https://www.arin.net/ARIN52/>, and those 
speeches will be made available online during the voting period.

I’ve attached the full ARIN Candidate Slate announcement below, for those 
interested in such matters.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers


===


Begin forwarded message:

From: ARIN 
Subject: [arin-announce] The 2023 Slate of Candidates for ARIN Elections
Date: September 12, 2023 at 4:38:42 PM EDT
To: "arin-annou...@arin.net" 

The 2023 ARIN Slate of Candidates has been amended to reflect that Rebecca 
Naughton has withdrawn as a candidate from the election for the Board of 
Trustees.
Candidates for ARIN Elections
ARIN Elections will be held online from 3:00 PM EDT on Thursday, 19 October 
2023 through 7:00 PM EDT on Friday, 27 October 2023. These elections will fill 
four seats on the Board of Trustees and seven seats on the Advisory Council. 
The Nomination Committee (NomCom) has put forward the following slates of 
candidates with classifications for the terms beginning 1 January 2024:
Board of Trustees Candidates:

  *   Dan Alexander (Well Qualified)
  *   Nancy Carter (Well Qualified)
  *   Jack Cathey (Qualified)
  *   Philip Duclos (Qualifications not Demonstrated)
  *   Andrew Dul (Qualified)
  *   Khaled Koubaa (Well Qualified)
  *   Tina Morris (Well Qualified)
  *   William Sylvester (Well Qualified)
  *   Christian Tacit (Well Qualified)
  *   David Zumwalt (Well Qualified)

Advisory Council Candidates:

  *   Douglas Camin (Well Qualified)
  *   Anthony Delacruz (Qualified)
  *   Matthew Gamble (Well Qualified)
  *   Elizabeth Goodson (Qualified)
  *   Dean Hardy (Qualifications not Demonstrated)
  *   Roy Hoover (Qualified)
  *   Rob Johnstone (Qualifications not Demonstrated)
  *   Dustin Moses (Qualified)
  *   Kaitlyn Pellak (Qualified)
  *   Leif Sawyer (Qualified)
  *   Daniel Schatte (Qualified)
  *   Ibrahim (Ibro) Seremet (Qualifications not Demonstrated)
  *   Jason Weil (Qualified)
  *   Matthew Wilder (Well Qualified)

A compilation of candidate biographies and questionnaire responses is available 
at:
https://www.arin.net/participate/oversight/elections/candidate_bios.pdf
Each candidate for the Board of Trustees and Advisory Council, listed above, 
has a classification next to their name. The candidates were classified by an 
independent third-party vendor firm based on the Nominee Classification Process 
in the NomCom Charter. Every nominee is put forward on the initial slate unless 
the third-party vendor firm classifies a nominee as “Unable to Qualify.” No 
nominees were classified as “Unable to Qualify” this year. Fourteen nominations 
were received for the Advisory Council and twelve were received for the Board; 
all are present on the Final Slate of Candidates except for one Board nominee 
who withdrew their candidacy.
You are encouraged to submit and view Statements of Support for the candidates 
at: https://www.arin-elections.net/. Please note that all Statements of Support 
are automatically held for moderation and will be posted, upon approval, within 
one business day. All submissions are subject to the Statements of Support 
Acceptable Use 
Policy<https://arin-elections.net/statements-of-support-acceptable-use-policy/>.
All candidates for the Board and Advisory Council will be offered the ability 
to subscribe to the General Members Mailing 
List<https://lists.arin.net/mailman/listinfo/general-members> to answer 
questions from the voting community. If your organization is a General Member 
at ARIN and plans to vote this year, we encourage you to join the mailing list 
to stay up to date on ARIN Election activity. Candidates have also been offered 
the opportunity to present themselves to the general membership in a brief, 
pre-re

Re: ARIN email address (was cogent spamming directly from ARIN records?)

2023-10-03 Thread John Curran

> On Oct 3, 2023, at 11:52 AM, Bryan Fields  wrote:
> 
> On 10/2/23 11:28 AM, Mel Beckman wrote:
>> I believe they got the contact information from ARIN
> 
> I'd suggest everyone use an alias unique to ARIN for your POC and/or public 
> email.  Makes it super simple to verify where it was sourced from.
> 
> (and yes I've got the same spam)

Bryan - 

You are absolutely correct - it is wise to use a unique email address if at all 
possible, and please report misuse to complia...@arin.net 
<mailto:complia...@arin.net>. 

It does make a difference, as abuse reports result in discussions with 
organizations regarding appropriate reeducation regimes for violating staff – 
and further implications if the pattern of abuse appears systemic as opposed to 
incidental. 

(It is not a perfect system, as it often needs periodic refreshment in some 
orgs due to inevitable turnover and miscreant creativity, but it does tamp down 
the worst of the abuse that would occur otherwise…)

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers



Re: cogent spamming directly from ARIN records?

2023-10-02 Thread John Sweeting
Mel, I will reply to you off list. Thanks.

On 10/2/23, 11:28 AM, "NANOG on behalf of Mel Beckman" <m...@beckman.org> wrote:


This morning I received an email from someone at Cogent asking about an ASN I 
administer. They didn’t give any details, but I assumed it might be related to 
some kind of network transport issue. I replied cordially, asking them what 
they needed. The person then replied with a blatant spam, advertising Cogent IP 
services, in violation of the U.S. CAN-SPAM Act’s prohibition against deceptive 
UCE.


I believe they got the contact information from ARIN, because the ARIN 
technical POC is the only place where my name and the ASN are connected. I 
believe this is a violation of Cogent’s contract with ARIN. Does anybody know 
how I can effectively report this to ARIN? If we can’t even police 
infrastructure providers for spamming, LIOAWKI.


-mel beckman



OARC 42 - Call for Contributions (co-located with NANOG 90)

2023-09-27 Thread John Todd
OARC 42 will be a two-day hybrid meeting and the dates are 8th and 9th 
February to be co-located with NANOG 90 in Charlotte, North Carolina, 
USA.


The Programme Committee is seeking contributions from the community.

All DNS-related subjects and suggestions for discussion topics are 
welcome. For inspiration, we provide a non-exhaustive list of ideas:

 - Operations: Any operational gotchas, lessons learned from an outage, 
details/reasons for a recent outage (how to improve TTR, tooling).
 - Deployment: DNS config management and release process.
 - Monitoring: Log ingestion pipeline, analytics infrastructure, anomaly 
detection.
 - Scaling: DNS performance management and metrics. Increasing DNS Server 
Efficiency.
 - Security/Privacy: DNSSEC signing and validation, key storage, rollovers, 
qname minimization, DoH/DoT.


The presentations can be either 10 or 20 minutes in length (plus 5 
minutes for Q&A). Proposals for in-person lightning presentations will 
be opened closer to the Workshop dates.


Workshop Milestones:

2023-09-07 Submissions open via Indico
2023-11-22 Deadline for submission (23:59 UTC)
2023-11-29 Preliminary list of contributions published
2023-12-13 Full agenda published
2024-01-10 Deadline for slideset submission and Rehearsal
2024-02-08 OARC 42 Workshop - Day1
2024-02-09 OARC 42 Workshop - Day2

The Registration page and details for presentation submission are 
published at:

<https://www.dns-oarc.net/oarc42>

To allow the Programme Committee to make objective assessments of 
submissions, so as to ensure the quality of the workshop, submissions 
SHOULD include slides. Draft slides are acceptable on submission. 
Example guidelines for presentation slides: 
https://www.grammarly.com/blog/presentation-tips/


Additional information for speakers of OARC 42
 - your talk will be broadcast live and recorded for future reference
 - your presentation slides will be available for delegates and others 
to download and refer to, before, during and after the meeting
 - remote speakers have mandatory rehearsal (Date and Time TBD). It 
would be very useful to have your slides (even if draft) ready for this


Note: DNS-OARC provides registration fee waivers for the workshop to 
support those who are part of underrepresented groups to speak at and/or 
attend DNS-OARC. More details will be provided when registration opens.


If you have questions or concerns you can contact the Programme 
Committee:

https://www.dns-oarc.net/oarc/programme
via submissi...@dns-oarc.net

OARC depends on sponsorship to fund its workshops and associated social 
events. Please contact spon...@dns-oarc.net if your organization is 
interested in becoming a sponsor.


(Please note that OARC is run on a non-profit basis, and is not in a 
position to reimburse expenses or time for speakers at its meetings.)


John Todd, for the DNS-OARC Programme Committee

--
John Todd - jt...@quad9.net
General Manager - Quad9 Recursive Resolver



Re: Contact at VuDu

2023-09-18 Thread John Stitt
I’ve been trying to reach someone at Vudu with the exact same problem. So far 
haven’t had any luck.

John Stitt
HES Energynet

Sent from my iPhone

> On Sep 18, 2023, at 2:45 PM, Brad Bendy  wrote:
> 
> Can anyone at VuDu contact me off list? Have issues with some new
> subnets we have and our end users cannot access the VuDu service with
> various error messages.
> 
> Thanks
> 


Re: AFRINIC placed in receivership

2023-09-15 Thread John Curran
That’s a legal question, and so should be answered by a lawyer of competent 
jurisdiction…   I am not such an individual, but I do understand that for 
parties that have a bona fide business interest with AFRINIC, it should be 
possible to contact the honorable receiver in order to obtain clarity on how 
any given matter will be handled. 

Hope this helps,
/John

John Curran
President and CEO
American Registry for Internet Numbers


> On Sep 15, 2023, at 11:39 AM, Collider  wrote:
> 
> Are amicus briefs a thing in the court governing AFRINIC's operations?
> 
> 
> Le 15 septembre 2023 15:27:33 UTC, John Curran  a écrit :
>> Noah - 
>> 
>> I have had serious concerns with the operational risk posed by AFRINIC’s 
>> lack of governance body and lack of CEO – and thus have provided updates to 
>> NANOG several times to keep the community informed – but now there is 
>> finally a clear path to resolution; a situation that I see as far better 
>> than the convolutions of the organization over the past year with zero 
>> progress. 
>> 
>> You indicate that there is a real concern with the appointment of a receiver 
>> for AFRINIC – despite the fact that the receiver is directed by the court to 
>> hold an election for a new board of directors within six months. 
>> 
>> (Prior to this appointment, there has been no progress in getting AFRINIC 
>> back to normal member-elected governance – while one might have expected the 
>> individual directors to work together to achieve this outcome, that did not 
>> occur.) 
>> 
>> Could you elaborate on the “real concern” that now exists so that operator 
>> community can better understand?   The receiver may not operate 
>> transparently with respect to the community, but does operate under court 
>> supervision and authority –  I concur that this isn’t the typical way that 
>> we’d like an RIR to operate, but it is quite reasonable stricture for an 
>> organization that remains inquorate for nearly a year.
>> 
>> Thanks,
>> /John
>> 
>> John Curran
>> President and CEO
>> American Registry for Internet Numbers
>> 
>>> On Sep 15, 2023, at 9:30 AM, Noah  wrote:
>>> 
>>> 
>>> 
>>> On Fri, 15 Sept 2023, 15:53 John Curran, <jcur...@arin.net> wrote:
>>>> Noah - 
>>>> 
>>>> Indeed, that was a less than ideal situation – but I will note that the 
>>>> technical advisor was sent away by the Receiver once the Receiver was 
>>>> apprised of his litigation against AFRINIC.
>>> 
>>> 
>>> John
>>> 
>>> It was not a less than ideal situation. Please don't take things lightly 
>>> here.
>>> 
>>> This issue of the so called Technical Advisor showing up with the Official 
>>> Receiver at AFRINIC offices is a real concern to us considering the lack of 
>>> transparency by the OR on the matter.
>>> 
>>> Noah
>>> 
>>>> 
>>>> Thanks,
>>>> /John
>>>> 
>>>> John Curran
>>>> President and CEO
>>>> American Registry for Internet Numbers
>>>> 
>>>>> On Sep 15, 2023, at 8:49 AM, Noah <n...@neo.co.tz> wrote:
>>>>> 
>>>>> 
>>>>> 
>>>>> On Fri, 15 Sept 2023, 15:06 John Curran, <jcur...@arin.net> wrote:
>>>>>> Indeed - AFRINIC has been going through quite a bit over the few months 
>>>>>> – including loss of their governing board – but the receiver appointment 
>>>>>> actually provides a fairly straightforward path towards resolution.
>>>>> 
>>>>> 
>>>>> John,
>>>>> 
>>>>> The receiver appointed showed up at AFRINIC offices with an IT contractor 
>>>>> who is a party directly involved in litigations against AFRINIC.
>>>>> 
>>>>> How is such an act a fairly straightforward path forward?
>>>>> 
>>>>> Noah
>>>> 
>> 
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.



Re: AFRINIC placed in receivership

2023-09-15 Thread John Curran
Noah -

I have had serious concerns with the operational risk posed by AFRINIC’s lack 
of governance body and lack of CEO – and thus have provided updates to NANOG 
several times to keep the community informed – but now there is finally a clear 
path to resolution; a situation that I see as far better than the convolutions 
of the organization over the past year with zero progress.

You indicate that there is a real concern with the appointment of a receiver 
for AFRINIC – despite the fact that the receiver is directed by the court to 
hold an election for a new board of directors within six months.

(Prior to this appointment, there has been no progress in getting AFRINIC back 
to normal member-elected governance – while one might have expected the 
individual directors to work together to achieve this outcome, that did not 
occur.)

Could you elaborate on the “real concern” that now exists so that operator 
community can better understand?   The receiver may not operate transparently 
with respect to the community, but does operate under court supervision and 
authority –  I concur that this isn’t the typical way that we’d like an RIR to 
operate, but it is quite reasonable stricture for an organization that remains 
inquorate for nearly a year.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers

On Sep 15, 2023, at 9:30 AM, Noah  wrote:

> On Fri, 15 Sept 2023, 15:53 John Curran, <jcur...@arin.net> wrote:
>> Noah -
>>
>> Indeed, that was a less than ideal situation – but I will note that the 
>> technical advisor was sent away by the Receiver once the Receiver was apprised 
>> of his litigation against AFRINIC.
>
> John
>
> It was not a less than ideal situation. Please don't take things lightly here.
>
> This issue of the so called Technical Advisor showing up with the Official 
> Receiver at AFRINIC offices is a real concern to us considering the lack of 
> transparency by the OR on the matter.
>
> Noah
>
>> Thanks,
>> /John
>>
>> John Curran
>> President and CEO
>> American Registry for Internet Numbers
>>
>>> On Sep 15, 2023, at 8:49 AM, Noah <n...@neo.co.tz> wrote:
>>>
>>> On Fri, 15 Sept 2023, 15:06 John Curran, <jcur...@arin.net> wrote:
>>>> Indeed - AFRINIC has been going through quite a bit over the few months – 
>>>> including loss of their governing board – but the receiver appointment actually 
>>>> provides a fairly straightforward path towards resolution.
>>>
>>> John,
>>>
>>> The receiver appointed showed up at AFRINIC offices with an IT contractor who 
>>> is a party directly involved in litigations against AFRINIC.
>>>
>>> How is such an act a fairly straightforward path forward?
>>>
>>> Noah




Re: AFRINIC placed in receivership

2023-09-15 Thread John Curran
Noah -

Indeed, that was a less than ideal situation – but I will note that the 
technical advisor was sent away by the Receiver once the Receiver was apprised 
of his litigation against AFRINIC.

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers

On Sep 15, 2023, at 8:49 AM, Noah  wrote:

> On Fri, 15 Sept 2023, 15:06 John Curran, <jcur...@arin.net> wrote:
>> Indeed - AFRINIC has been going through quite a bit over the few months – 
>> including loss of their governing board – but the receiver appointment actually 
>> provides a fairly straightforward path towards resolution.
>
> John,
>
> The receiver appointed showed up at AFRINIC offices with an IT contractor who 
> is a party directly involved in litigations against AFRINIC.
>
> How is such an act a fairly straightforward path forward?
>
> Noah



Re: AFRINIC placed in receivership

2023-09-15 Thread John Curran
Indeed - AFRINIC has been going through quite a bit over the few months – 
including loss of their governing board – but the receiver appointment actually 
provides a fairly straightforward path towards resolution.

See the NRO statement on this matter for specifics.

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers



NRO Statement on Appointment of an Official Receiver for AFRINIC | The Number 
Resource Organization
<https://www.nro.net/nro-statement-on-appointment-of-an-official-receiver-for-afrinic/>



On Sep 14, 2023, at 3:08 AM, Bryan Fields  wrote:

> On 9/13/23 9:27 PM, Bryan Fields wrote:
>> I think this qualifies as potentially operational.
>>
>> Afrinic placed in receivership, board elections to be held in six months:
>> https://archive.ph/jOFE4
>
> Looks like archive.ph is having problems.  This is the original article.
>
> https://www.capacitymedia.com/article/2c6pnx4ymt7sd5c493wg0/news/exclusive-afrinic-placed-in-receivership-board-elections-to-be-held-in-six-months
> --
> Bryan Fields
>
> 727-409-1194 - Voice
> http://bryanfields.net



Re: Spam from ARIN to POC addresses

2023-09-13 Thread John Curran

On Sep 12, 2023, at 5:56 PM, packetcat  wrote:

> At 14:01 and 14.46 EST I received two identical emails from 
> meeti...@arin-events.net with the subject “Join us for ARIN 52 in October”. One 
> was sent to the NOC POC address and one to the abuse POC address for my ASN.
>
> As far as I am aware, I never signed up for whatever that mailing list is and 
> if I did I wouldn’t subscribe to it on those addresses. Furthermore, I am not 
> seeing an unsubscribe button on either email. That makes both messages spam.
>
> Considering I’ve never received messages like those from ARIN on those 
> addresses, I’ll give ARIN the benefit of the doubt and say someone accidentally 
> imported the wrong list of emails into their MSP. I hope this is not the start 
> of a new pattern of behaviour because that would not be…good to put it mildly.

Thanks for raising this…   here’s how ARIN Meeting Invites are handled –

A series of announcements about registration and related reminders are sent to 
arin-announce and published on www.arin.net, including:
Registration Open – 12-16 weeks prior
Meeting Materials Available – 1 week prior
Meeting Open – Day 1

There are two direct email invitations:
Admin and Tech POCs within 100 – 150 miles of the meeting location – 45-30 days 
prior
Admin, Tech, and Voting Contacts for all Member organizations (Service and 
General) – “Per the VA nonstock corporation act - Formal notice (to membership) 
shall be no more than 60 days and no less than 10 days prior to the announced 
date of the special meeting.”
(Note that our registration system will dedupe so that contacts do not receive 
both of these emails.)

All ASN holders are now legal members of ARIN, and therefore by applicable law 
get notice of the meetings.

We could probably cut this list to just Admin and Voting by dropping Tech 
contacts, but you’d end up getting one via the Admin POC.
(If you want to suggest such a change - or any other change on how our meeting 
announcements are handled, then please
submit such to the ARIN Consultation and Suggestion Process -  
https://www.arin.net/participate/community/acsp/process/ )

Thanks!
/John

John Curran
President and CEO
American Registry for Internet Numbers








Re: Traffic being directed at random infrastructure with pornhub.com host header (?)

2023-09-13 Thread John Kristoff
On Wed, 13 Sep 2023 13:35:30 +
Drew Weaver  wrote:

> Has anyone else recently seen a spike of port 80 traffic being sent
> at seemingly random IP addresses that include the Pornhub host header?

Yes.  The source possible, hopefully being research or commercial
scanners perhaps?  I've seen a host from a US midwest EDU source
doing this. User agent string in that case was "Mozilla/5.0 quack/1.x"

It may be some sort of censorship measurement or perhaps even something
like this type of work:

  <https://www.usenix.org/conference/usenixsecurity21/presentation/bock>

John


Re: Guest Column: Kentik's Doug Madory, Last Call for Upcoming ISOC Course + More

2023-09-10 Thread John Springer
Inline

On Sat, Sep 9, 2023 at 09:51 Ryan Hamel  wrote:

> Martin and Tom,
>
> How is it a private marketing initiative exactly if the links go to
> stories on NANOG's website?
>

This seems deliberately obtuse. It is a private marketing initiative
exactly if the links go to private marketing stories on NANOG's website.

> Are you saying the very org that brings us together, is not allowed to spur
> discussion based on newsletter content and cannot provide us with updates
> and/or reminders about various things?
>

More deliberate and fairly unhelpful tongue in cheekery. A link to The
NANOG Mailing List Usage Guidelines was cited. That was helpful and
authoritative. If the marketing arm of NANOG wishes to change the
Guidelines, that will presumably take more formalities than some snarky
remarks.

>
> Y'all have been making a mountain out of a molehill.
>

Last I looked, NANOG members have been making mountains out of any handy
materials (or none at all) for several decades now. Folksy condescension is
no more welcome or constructive than it has ever been.

And FTR, Tom and Marty make most sense to me in this thread. So far.

Springer


> Ryan
>
> --
> *From:* Tom Beecher 
> *Sent:* Saturday, September 9, 2023 9:30:13 AM
> *To:* Martin Hannigan 
> *Cc:* Ryan Hamel ; nanog@nanog.org 
>
> *Subject:* Re: Guest Column: Kentik's Doug Madory, Last Call for Upcoming
> ISOC Course + More
>
> Caution: This is an external email and may be malicious. Please take care
> when clicking links or opening attachments.
>
> What network does Nanog-news operate?
>>
>> Marketing email doesn’t  belong on an operational list.  Even if its
>> NANOG marketing itself.  (Ack Kentik non involvement).
>>
>
> This is the right comment.
>
> The NANOG Mailing List Usage Guidelines  (
> https://www.nanog.org/resources/usage-guidelines/ ) are fairly clear
> about this.
>
> Posts to NANOG’s Mailing List should be focused on operational and
>> technical content only, as described by the NANOG Bylaws.
>> Using the NANOG Mailing List as a source for private marketing
>> initiatives, or product marketing of any kind, is prohibited.
>
>
> Sending this type of message to nanog@ is not appropriate, by our own
> rules. This issue will be raised at the next members meeting.
>
>
>
>
> On Fri, Sep 8, 2023 at 9:39 PM Martin Hannigan  wrote:
>
>>
>> What network does Nanog-news operate?
>>
>> Marketing email doesn’t belong on an operational list.  Even if it’s
>> NANOG marketing itself.  (Ack Kentik non involvement).
>>
>> Warm regards,
>>
>> -M<
>>
>>
>


Re: Guest Column: Kentik's Doug Madory, Last Call for Upcoming ISOC Course + More

2023-09-08 Thread John Gilmore
Ryan Hamel  wrote:
> For you to say, "my privacy has been sold", is simply not true.

I agree with you somewhat about tracking links.  They only spy on a
person when that person tries to follow them.  I do find it much less
useful to read mailing lists that include references to external
resources that I decline to access, because I don't want to follow
bugged links.

But the "web bugs" that I mentioned as a second default-on Mailchimp
tracking technology ARE specifically designed to be triggered any time a
recipient reads a message in an HTML-based web browser.

Back when postal mail was the default, senders had no idea whether the
recipient opened, read, or forwarded a letter, versus tossing it into
the fireplace as kindling.  Society carried forward that expectation
when postal mail was gradually replaced by electronic mail.  Ordinary
email senders don't know if you have read their message (unless they get
social clues from your subsequent actions, just as with paper mail).
Tracking was never part of the Internet email protocols; it was glued-on
by abusing HTML email features and making unique URLs sent to each
recipient, whose corresponding web server logs when they are accessed.

These email tracking technologies deliberately violate the social
expectation that reading a letter is a private act.  They produce
detailed records of the private, in-home or at-work activities of every
recipient.  They do all this covertly; you will not find a MailChimp
mailing list message plainly telling you, "If you want to safeguard your
privacy as an email reader, do not open these messages, because we have
filled them with spyware."  That would produce too many unsubscribes and
too much outrage.  Instead, a recipient has to be technically
sophisticated to even notice that it's happening.  (Many bulk email
senders also don't know that their emails have spyware quietly inserted
into them as they are distributed.  I have engaged on this topic with
many nonprofit CEOs and marketing executives, who really had no idea.)

Those detailed email-reading and link-clicking records are not just
accessible to the sender.  There's an agency problem.  They are kept and
stored and sold by the intermediary (MailChimp), both individually and
in bulk.  They are accessible to any government that wants to ask,
without a warrant, without probable cause, in bulk or individually,
since they are "third-party" records about you, like your banking
records or license-plate-reader records.  They are accessible to private
investigators via data brokers.  They are accessible to any business
that offers a sufficiently attractive deal to MailChimp -- places like
Google or Facebook who make billions of dollars a year from tracking
people to manipulate them with advertising.

And wouldn't you like to know just which emails your competitors'
engineers and executives are reading, and when, and where, and how many
times, and whether they forwarded the messages?  (I've often wanted the
Google Detective Agency, that I could merely pay to tell me what my wife
or my competitor or that rude guy who insulted me is searching for on
Google, what web pages they are looking at, what emails they are reading
or sending, and exactly where they are navigating in their car or on
their bike or on transit.  Google has all this information; why won't
they sell it to me?  They definitely sell it to the government, so why
not to me?  It's amazing to me that people treat Google like Santa Claus
giving them free gifts, when it's really like an NSA.gov that is
unencumbered by laws or oversight.  MailChimp isn't as bad as Google.
Its scope is smaller, but its defaults are deliberately bad, and it's
created quite a honeypot of trillions of records about billions of
people.  The point is that besides being a gross violation of the
personal privacy of the home and office, this data also has real
commercial value.

I suggest that as a technically aware organization, NANOG.org should not
be creating detailed spy dossiers on its members who read emails, and
then letting its subcontractor MailChimp sell or trade that info out
into the world.

John Gilmore


Re: Guest Column: Kentik's Doug Madory, Last Call for Upcoming ISOC Course + More

2023-09-08 Thread John Gilmore
It is totally possible to turn off the spyware in MailChimp.  You just
need to buy an actual commercial account rather than using their
"free" service.  To save $13 or $20 per month, you are instead selling
the privacy of every recipient of your emails.  See:

  https://mailchimp.com/help/enable-and-view-click-tracking/

  "Check the Track clicks box to enable click tracking, or uncheck the
  box to disable click tracking.  ...  Mailchimp will continue to
  redirect URLs for users with free account plans to protect against
  malicious links.  ...  When a paid user turns off click tracking,
  Mailchimp will continue to redirect their URLs until certain account
  activity thresholds are met."

Don't forget to turn off the spyware 1x1 pixel "web bugs" that
MailChimp inserts by default, too:

  https://mailchimp.com/help/about-open-tracking/

John
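
An added example, not part of the original post: a reader-side check for the two mechanisms described in the messages above (1x1 "web bug" images and per-recipient tagged links), run over one HTML mail before it is rendered. The sample message, the hosts in it and the 12-character token threshold are constructed assumptions.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

# Constructed sample message; hosts and tokens are made up for illustration.
SAMPLE = """\
From: news@list.example
To: reader@example.net
Subject: Newsletter
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Read the <a href="https://track.example/c?u=9f3ab27c51d04e6a&amp;id=77">column</a>.</p>
<p><a href="https://www.example.org/about">About us</a></p>
<img src="https://www.example.org/logo.png" width="200" height="60">
<img src="https://track.example/open.gif?u=9f3ab27c51d04e6a" width="1" height="1">
</body></html>
"""

def long_tokens(url, min_len=12):
    """Query values long enough to serve as a per-recipient identifier."""
    return [v for _, v in parse_qsl(urlsplit(url).query) if len(v) >= min_len]

class TrackerScan(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            if tiny or long_tokens(src):  # invisible image or tagged image URL
                self.findings.append(("web-bug", src))
        elif tag == "a" and long_tokens(a.get("href") or ""):
            self.findings.append(("tagged-link", a["href"]))

def scan_message(raw):
    """Return (kind, url) pairs for every text/html part of a raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    scan = TrackerScan()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scan.feed(part.get_content())
    return scan.findings

if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

The token-length test is a heuristic: it will also flag ordinary links that carry long query values, and it misses identifiers placed in the URL path.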


Re: it's mailman time again

2023-09-02 Thread John Levine
It appears that Aaron de Bruyn via NANOG  said:
>I donno Rich...a couple of decades ago I lost my Slashdot account because 
>someone was able to access it.
>I used the password in two places...Slashdot and all the blasted mailman 
>instances I was signed up with.

I can believe that your Slashdot account got hacked, but why do you
think that's because someone read a monthly mailing list reminder,
figured out how to connect that list to your Slashdot account, and
broke in? That's quite a stretch.

More likely some Slashdot subcontractor sold it*, or you logged in
from a device that was compromised somehow. Or maybe it was just brute
forced.

R's,
John

* - I use tagged email on all my subscriptions and it's amazing how
passwords leak from places like the Wall Street Journal and the
Economist who really should know better. On the other hand, the NY
Times and WaPo don't leak, so pick your subcontractors carefully.


Re: it's mailman time again

2023-09-02 Thread John Levine
It appears that Rich Kulawiec  said:
>On Fri, Sep 01, 2023 at 10:16:05AM -0700, Randy Bush wrote:
>> and i just have to wonder about sending passwords over the net in
>> cleartext in 2023.  really?
>
>This is a non-issue.

It's like changing your password, it sort of made sense in the 1980s
when networks meant coax Ethernets and bored students could sniff
passwords, and now it's cargo cult security. These days the only
sniffable shared media left is passwordless wifi and even there as you
note, mail all goes through TLS tunnels.



RE: Internet Exchange Visualization

2023-08-28 Thread John van Oppen
I've always been a little less harsh than what Jared mentions, but my theory is 
like within say 5-7 ms is probably reasonable as long as the endpoint is closer 
than the next major IX both are present on.   I don't really know what folks 
think they are getting by peering across the world. I think this might be 
one of those vanity peering type situations instead of any real technical 
justification.   I have a hard time understanding how it would not often make 
routing worse.

John

