Re: NG Firewalls & IPv6

2018-04-03 Thread Jima
Hey Joe, I don't know how next-gen they'd be considered, but I've had reasonably good luck with Cisco ASA (v9+), and to a lesser degree Juniper ScreenOS (v6.3+). Modern-ish ASA does v6-only pretty well; ScreenOS has more v4-dependent nuances, that I've found. I do like the NAT64 support in

Re: Are any of you starting to get AI robocalls?

2018-04-03 Thread Ethan O'Toole
do it, and the spoofing is nearly impossible to trace back to the origin, so those who do it can safely ignore other laws because they know they won't be caught. Forward to an 800, grab it from the ANI versus CID? - Ethan O'Toole

RE: CDN-provided caching platforms?

2018-04-03 Thread Aaron Gould
I'm wondering if/when Amazon Prime Video will have a CDN system to roll out to ISPs like OCA, FNA, GGC, etc. Anyone hear anything about Amazon Video or any other big names like that? - Aaron -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of

Re: Are any of you starting to get AI robocalls?

2018-04-03 Thread Ken Chase
And revenues won't be impacted because few have a cell for voice anymore. With increasing data reliability we can move to voip on phones and provider of choice who offer proper filtering and our own skill testing AI attendants (I'm thinking something along the lines of 'unladen swallow'.) /kc

RE: CDN-provided caching platforms?

2018-04-03 Thread Jose Gerardo Perales Soto
Ericsson UDN https://www.ericsson.com/en/tech-innovation/offerings/udn/service-providers Gerardo -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Russell Berg Sent: Monday, March 26, 2018 08:26 p.m. To: nanog@nanog.org Subject: CDN-provided caching

Re: Are any of you starting to get AI robocalls?

2018-04-03 Thread Jon Lewis
On Tue, 3 Apr 2018, Ken Chase wrote: All this boils my blood. I am not sure why/how spoofing ph#s is legal. I get sms mass spam too. Whether or not it's legal is irrelevant. It's trivial to do if your link to the PSTN is digital and you have a provider not filtering based on sent caller-id.

Re: Are any of you starting to get AI robocalls?

2018-04-03 Thread joel jaeggli
On 4/3/18 3:32 PM, William Herrin wrote: > Howdy. > > Have any of you started to get AI robocalls? I've had a couple of > calls recently where I get the connect silence of a predictive dialer > followed by a woman speaking with call center background noise. She > gives her name and asks how I'm

Re: Are any of you starting to get AI robocalls?

2018-04-03 Thread Ken Chase
Just throw a dial tree plan in front of getting ahold of you. "Press 1 to speak to a human." this foils most dialers which wait for a human to answer before they throw anyone (anything?) on the line. They may also have the AI get through the unpleasantries before they stick a human on it. Many

Are any of you starting to get AI robocalls?

2018-04-03 Thread William Herrin
Howdy. Have any of you started to get AI robocalls? I've had a couple of calls recently where I get the connect silence of a predictive dialer followed by a woman speaking with call center background noise. She gives her name and asks how I'm doing. The first time it happened it seemed off for

Re: Yet another Quadruple DNS?

2018-04-03 Thread Scott Weeks
--- bortzme...@nic.fr wrote: From: Stephane Bortzmeyer Rich Kulawiec wrote a message of 10 lines which said: > Watch what you wish for: you might get it. The number of > attack/abuse vectors (and the severity of their consequences for > security and

COX contact

2018-04-03 Thread Dennis Burgess
Can I get a network engineer from COX to give me a call or email me please :) I have a routing issue that I need taken a look at.. Dennis Burgess, Mikrotik Certified Trainer Author of "Learn RouterOS- Second Edition" Link Technologies, Inc -- Mikrotik & WISP Support Services Office:

Re: Why doesn't "Cloudflare 1.1.1.1" compress root answers?

2018-04-03 Thread Mehmet Akcin
I am sure they will after this ;) On Tue, Apr 3, 2018 at 4:00 PM, Bjørn Mork wrote: > At first I thought they had disabled compression: > > bjorn@miraculix:~$ dig . ns @1.1.1.1|grep SIZE > ;; MSG SIZE rcvd: 431 > bjorn@miraculix:~$ dig . ns @8.8.8.8|grep SIZE > ;; MSG SIZE

Why doesn't "Cloudflare 1.1.1.1" compress root answers?

2018-04-03 Thread Bjørn Mork
At first I thought they had disabled compression: bjorn@miraculix:~$ dig . ns @1.1.1.1|grep SIZE ;; MSG SIZE rcvd: 431 bjorn@miraculix:~$ dig . ns @8.8.8.8|grep SIZE ;; MSG SIZE rcvd: 239 bjorn@miraculix:~$ dig . ns @9.9.9.9|grep SIZE ;; MSG SIZE rcvd: 239 But then I noticed that they

Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-03 Thread David Hubbard
I'm finding it unreachable from at least one Level 3 router. I'm seeing behavior which makes me suspect 1.1.1.1/32 has been incorrectly defined as an interface IP on that device; one of our locations gets an immediate ping response for 1.1.1.1, and a traceroute of one hop, which is that first

Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-03 Thread Andrey Slastenov
Very interesting... I just heard about this problem today from one of my friends who supports one of the big SP networks (Russia). He got complaints from one of their peers. After a short investigation he found that they were blackholing 1.1.1.1. When I asked him about the reasons, he couldn’t explain because

Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-03 Thread Jeremy L. Gaddis
On 2018-04-03 (Tue) at 01:22 EDT, Tore Anderson wrote: > Any plans to support NSID and/or "hostname.bind" to allow clients to > identify which node is serving their requests? For example: FWIW: $ dig @1.0.0.1 id.server. CH TXT [...] ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp:

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT CPE

2018-04-03 Thread Stephen Satchell
On 04/02/2018 11:58 AM, Rhys Williams wrote: Yep, Because you should have been setting up your networks correctly in the first place. There's plenty of private space assigned, use it. Regards, Rhys Williams April 2, 2018 4:54 PM, "Simon Lockhart" wrote: and now suddenly

Network Info Anonymizer

2018-04-03 Thread Spencer Fraint via NANOG
Sharing network configuration files (e.g. to get help debugging) can be quite tricky because they contain sensitive information. At the same time, simply removing the sensitive information (e.g. removing or changing all IP addresses) removes important structure from the files, defeating the

Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-03 Thread Alejandra Moreno
Great article! Thanks for sharing :) On Mon, Apr 2, 2018 at 11:12 PM, Hank Nussbacher wrote: > On 03/04/2018 01:39, Matt Hoppes wrote: > > You might be interested in these links which compare the services: > https://medium.com/@nykolas.z/dns-resolvers-performance- >

Re: Cloudflare 1.1.1.1 public DNS different as path info for 1.0.0.1 and 1.1.1.1 london

2018-04-03 Thread George Skorup
1.1.1.1 not usable via Windstream peering in Chicago. # traceroute 1.1.1.1 traceroute to 1.1.1.1 (1.1.1.1), 30 hops max, 60 byte packets ...  3  be4.agr01.chcg02-il.us.windstream.net (40.136.99.22)  5.158 ms 5.116 ms  7.565 ms  4  ae13-0.cr01.chcg01-il.us.windstream.net (40.136.99.44)  4.673 ms 

Re: From Nov 2017...

2018-04-03 Thread J Crowe
That database could possibly be ingested and used locally. Traffic may not even be traversing to the database hosted by IBM. At least they are open about where they are getting the data that allows for blocking to certain FQDNs. On Mon, Apr 2, 2018 at 10:36 PM, Seth Mattinen

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT CPE

2018-04-03 Thread Rhys Williams
Yep, Because you should have been setting up your networks correctly in the first place. There's plenty of private space assigned, use it. Regards, Rhys Williams April 2, 2018 4:54 PM, "Simon Lockhart" wrote: > and now suddenly it's our responsibility to make significant

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT CPE

2018-04-03 Thread blakangel

Re: New DNS Service

2018-04-03 Thread Jason Hellenthal
Like a wildcard DNS entry ! -- The fact that there's a highway to Hell but only a stairway to Heaven says a lot about anticipated traffic volume. > On Apr 3, 2018, at 10:25, Lee wrote: > > It depends. If the web site is hosted on.. let's say cloudflare, > there could

Re: Yet another Quadruple DNS?

2018-04-03 Thread Paul Ebersman
ebersman> In the pipe dream category, it would be great to think that as ebersman> IoT becomes unavoidable, we'll get more boxes that do ebersman> auto-update. rsk> Watch what you wish for: you might get it. The number of rsk> attack/abuse vectors (and the severity of their consequences for rsk>

Re: New DNS Service

2018-04-03 Thread Lee
On 4/3/18, Rod Beck wrote: > And any consensus regarding the service? My layman question is how does this > provide privacy? You have to look for it & know what you're looking for: https://developers.cloudflare.com/1.1.1.1/dns-over-https/

Re: From Nov 2017...

2018-04-03 Thread Seth Mattinen
On 4/3/18 12:15 AM, Bill Woodcock wrote: Ok, sorry if I was being overly persnickety. My apologies. I’ve been spending too much time answering questions on “social media” and it’s making me antisocial. Commenting on social media is like having to write a dissertation perfectly with your

Re: Yet another Quadruple DNS?

2018-04-03 Thread Stephane Bortzmeyer
On Tue, Apr 03, 2018 at 10:54:34AM -0400, Rich Kulawiec wrote a message of 10 lines which said: > Watch what you wish for: you might get it. The number of > attack/abuse vectors (and the severity of their consequences for > security and privacy) involved in doing auto-update

Re: Yet another Quadruple DNS?

2018-04-03 Thread Rich Kulawiec
On Tue, Apr 03, 2018 at 08:21:02AM -0600, Paul Ebersman wrote: > In the pipe dream category, it would be great to think that as IoT > becomes unavoidable, we'll get more boxes that do auto-update. Watch what you wish for: you might get it. The number of attack/abuse vectors (and the severity of

Re: Yet another Quadruple DNS?

2018-04-03 Thread Paul Ebersman
ebersman> And EDNS client subnet mostly works. bortzmeyer> It is awful, privacy-wise, complicates the cache a lot and bortzmeyer> seriously decreases hit rate in cache (since the key to a bortzmeyer> cached resource is no longer type+name but bortzmeyer> type+name+source_address). I was trying

Re: New DNS Service

2018-04-03 Thread Andy Ringsmuth
On Apr 3, 2018, at 9:06 AM, Rod Beck wrote: > > And any consensus regarding the service? My layman question is how does this > provide privacy? The routers still need to know the IP address of the far end > point. I would assume that it would be easy to deduce

Re: New DNS Service

2018-04-03 Thread Rod Beck
And any consensus regarding the service? My layman question is how does this provide privacy? The routers still need to know the IP address of the far end point. I would assume that it would be easy to deduce the domain name from the IP address. - R. From:

Re: New DNS Service

2018-04-03 Thread Andy Ringsmuth
> On Apr 3, 2018, at 8:55 AM, Rod Beck wrote: > > https://techxplore.com/news/2018-04-dns-privacy.html > > > Not associated with Cloudflare in any way. > > > Regards, > > > Roderick. > Mildly interesting but very much old news. The new Cloudflare DNS has

New DNS Service

2018-04-03 Thread Rod Beck
https://techxplore.com/news/2018-04-dns-privacy.html Not associated with Cloudflare in any way. Regards, Roderick. Roderick Beck Director of Global Sales United Cable Company www.unitedcablecompany.com New York City & Budapest

Re: NG Firewalls & IPv6

2018-04-03 Thread Jean | ddostest.me via NANOG
If by NextGen you meant performance, then I recommend having a look at kipfw over Netmap driver on a FreeBSD 11 box. You buy a couple of Chelsio 40 Gbps or 100 Gbps NICs and you are in business. It was mentioned here in NANOG a couple of years ago. Very good stuff, but you will need to invest a

Re: Yet another Quadruple DNS?

2018-04-03 Thread sthaug
> > This also ignores the shift if every house in the world did its own > > recursion. TLD servers and auth servers all over the world would > > have to massively up their capacity to cope. > > With my TLD operator hat, I tend to say it is not a problem, we > already have a lot of extra capacity,

Re: Yet another Quadruple DNS?

2018-04-03 Thread Brian Kantor
On Tue, Apr 03, 2018 at 12:09:27PM +0200, Stephane Bortzmeyer wrote: > On Tue, Apr 03, 2018 at 03:01:19AM -0700, > Brian Kantor wrote > a message of 12 lines which said: > > > > That would be a terrible violation of network neutrality. I hope > > > that such ISP will go

Re: NG Firewalls & IPv6

2018-04-03 Thread Saku Ytti
Done Checkpoint, Netscreen, SRX, iptables, nftables IPv6 FW all with dynamic routing, but only under extreme duress, like I'm sure everyone who is forced to touch stateful firewalls. Send help. Seems to me this has mostly worked for over a decade, worked in context where stateful FW can be said to

Re: Yet another Quadruple DNS?

2018-04-03 Thread Stephane Bortzmeyer
On Tue, Apr 03, 2018 at 03:01:19AM -0700, Brian Kantor wrote a message of 12 lines which said: > > That would be a terrible violation of network neutrality. I hope > > that such ISP will go bankrupt. > > On the contrary: it will enable them to collect more usage > statistics

Re: Yet another Quadruple DNS?

2018-04-03 Thread Brian Kantor
On Tue, Apr 03, 2018 at 11:54:36AM +0200, Stephane Bortzmeyer wrote: > On Sun, Apr 01, 2018 at 02:03:41PM -0600, > Paul Ebersman wrote > > As long as ISPs don't actually disallow running of recursive servers > > That would be a terrible violation of network neutrality.

Re: Yet another Quadruple DNS?

2018-04-03 Thread Stephane Bortzmeyer
On Sun, Apr 01, 2018 at 02:03:41PM -0600, Paul Ebersman wrote a message of 38 lines which said: > And EDNS client subnet mostly works. It is awful, privacy-wise, complicates the cache a lot and seriously decreases hit rate in cache (since the key to a cached resource

Re: Yet another Quadruple DNS?

2018-04-03 Thread Stephane Bortzmeyer
On Sun, Apr 01, 2018 at 09:22:10AM -0700, Stephen Satchell wrote a message of 39 lines which said: > Recursive lookups take bandwidth and wall time. The closer you can > get your recursive DNS server to the core of the internet, the > faster the lookups. I think the exact

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT CPE

2018-04-03 Thread Youssef Bengelloun-Zahr
Still believe in santa ? ;-) Good luck with that. Best regards. 2018-04-03 8:37 GMT+02:00 Marty Strong via NANOG : > Orange France is known, they just didn’t tell us the exact reason. > > They said that if you contact them, they’ll provide you with an official >

Re: From Nov 2017...

2018-04-03 Thread Mathews, Robert
On 4/3/2018 3:15 AM, Bill Woodcock wrote: >> Since when is it an offense, to merely share a publicly available URL? >> >> More to the point of Privacy, you have shared some information here >> regarding Quad9 operations that may have been beneficial to some, or many. >> It has been of benefit

Re: From Nov 2017...

2018-04-03 Thread Bill Woodcock
> Since when is it an offense, to merely share a publicly available URL? > > More to the point of Privacy, you have shared some information here regarding > Quad9 operations that may have been beneficial to some, or many. It has been > of benefit to me, and thanks for sharing that which what

Re: From Nov 2017...

2018-04-03 Thread Robert Mathews (OSIA)
On 4/3/2018 2:37 AM, Bill Woodcock wrote: > What’s your point, though? Are you talking about Quad9, or about GCA? > > If you’re talking about Quad9, you’re misleading people by implying that the > quote you pulled from the Register piece pertains to Quad9, when it does not. > > If you’re

Re: From Nov 2017...

2018-04-03 Thread Bill Woodcock
> On Apr 2, 2018, at 11:28 PM, Robert Mathews (OSIA) wrote: > > On 4/3/2018 1:04 AM, Bill Woodcock wrote: >>> On Apr 2, 2018, at 7:24 PM, Robert Mathews (OSIA) >>> wrote: *Group Co-founded by City of London >>> Police promises 'no snooping on your

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT CPE

2018-04-03 Thread Marty Strong via NANOG
Orange France is known, they just didn’t tell us the exact reason. They said that if you contact them, they’ll provide you with an official explanation. Regards, Marty Strong -- Cloudflare - AS13335 Network Engineer ma...@cloudflare.com +44 7584 906 055

Re: From Nov 2017...

2018-04-03 Thread Robert Mathews (OSIA)
On 4/3/2018 1:04 AM, Bill Woodcock wrote: >> On Apr 2, 2018, at 7:24 PM, Robert Mathews (OSIA) >> wrote: *Group Co-founded by City of London >> Police promises 'no snooping on your requests’* > Note that this is _extremely_ misleading, since the group being > referred to here

Re: Cloudflare 1.1.1.1 public DNS broken w/ AT CPE

2018-04-03 Thread Paul Rolland (ポール・ロラン)
Hello, On Mon, 2 Apr 2018 16:26:13 +0100 Marty Strong via NANOG wrote: > So far we know about a few CPEs which answer for 1.1.1.1 themselves: > > - Pace 5268 > - Calix GigaCenter > - Various Cisco Wifi access points > > If you know of others please send them my way so we can