RE: new(ish) ipv6 transition tech status on CPE

2018-10-11 Thread Philip Loenneker
Hi Tom,

CGNAT is the most supported by the technology available in pretty much every 
device. Even keeping an audit trail of IP/port mappings is relatively easy 
(look into deterministic NAT – it will save you a lot of headache). You can 
likely lab it up with gear you already have, unlike the newer transition 
technologies that we’ve been discussing.

However, from my experience, the customer impact of going through 2 layers of 
NAT (NAT44) causes a lot of unhappy customers. I enabled it on my home 
connection for a few weeks to see how it went, and I was surprised that a lot 
of things just worked… Youtube, Netflix, etc had no issues. But there were key 
things such as Facebook Messenger voice and video calls that broke, which 
caused my family to get rather upset with me. Console gaming is also a common 
area of problems. For these types of Internet services, the profit margin can 
get eaten up quickly by the helpdesk calls.

As a side note, from internal discussions here (ie speculation, no real 
evidence to back it up), home users are likely to be impacted far more than 
business users, due to the difference in usage.

Regards,
Philip

From: NANOG  On Behalf Of Tom Ammon
Sent: Friday, 12 October 2018 2:39 PM
To: NANOG 
Subject: Re: new(ish) ipv6 transition tech status on CPE


On Wed, Oct 10, 2018 at 3:08 PM Brock Tice <br...@bmwl.co> wrote:
On 10/09/2018 06:24 PM, Philip Loenneker wrote:
> I have asked several vendors we deal with about the newer technologies
> such as 464XLAT, and have had some responses indicating they will
> investigate internally, however we have not made much progress yet. One
> vendor suggested their device supports NAT46 and NAT64 so may support
> 464XLAT, but since it is incidental rather than an official feature, it
> may not support the full CLAT requirements. I have been meaning to do
> some tests but haven’t had a chance yet. It is also a higher price point
> than our current CPEs.
>
>
>
> I have spoken to people who have looked into options such as OpenWRT
> (which supports several of these technologies), however the R&D and
> ongoing support is a significant roadblock to overcome.
>

We looked into this somewhat intently ~6 months ago and had not much
luck from vendors. Barely on their radar if at all.

We used our own custom OpenWRT build on a few select, tested consumer
routers to do 464XLAT. In the end we went to dual-stack with CGN on
IPv4. I wrote up some documentation on how we did it on my blog, but in
the end I can't recommend the setup we used.

I would love RouterOS and (various mfgr) CPE support for 464XLAT, then I
would be ready to give it another shot.

It sounds like I am where you were 6 months ago. We've been looking at NAT64, 
MAP-T, potentially 464XLAT, and then dual stack with CGN on the v4 side. What 
did you experience with the dual-stack/CGN approach that keeps you from 
recommending it? Academically, that setup seems the least fraught with problems 
among all of the options.




--
-
Tom Ammon
M: (801) 784-2628
thomasam...@gmail.com
-
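
Philip's message above points to deterministic NAT as the way to keep a CGNAT audit trail manageable. The following is an added example, not part of any post in this thread and not any vendor's implementation: it shows why the mapping needs no per-flow log, since the subscriber behind a public IP and port can be recomputed from the pool configuration alone. The address pools (RFC 6598 shared space inside, a documentation prefix outside), the block size of 1008 ports and the names `DeterministicNat` and `attribute` are assumptions made for the illustration.

```python
import ipaddress

FIRST_PORT = 1024   # assumption: well-known ports are left unused
LAST_PORT = 65535


class DeterministicNat:
    """Algorithmic subscriber -> (public IP, port block) mapping."""

    def __init__(self, inside, outside, ports_per_subscriber):
        self.inside = ipaddress.ip_network(inside)
        self.outside = ipaddress.ip_network(outside)
        self.block = ports_per_subscriber
        # How many subscribers share one public address.
        self.per_ip = (LAST_PORT - FIRST_PORT + 1) // ports_per_subscriber
        if self.per_ip < 1:
            raise ValueError("port block larger than the usable port range")
        if self.per_ip * self.outside.num_addresses < self.inside.num_addresses:
            raise ValueError("outside pool too small for the inside pool")

    def forward(self, inside_ip):
        """Return (public IP, first port, last port) for a subscriber."""
        ip = ipaddress.ip_address(inside_ip)
        if ip not in self.inside:
            raise ValueError("address is not in the inside pool")
        index = int(ip) - int(self.inside.network_address)
        ip_idx, slot = divmod(index, self.per_ip)
        low = FIRST_PORT + slot * self.block
        return str(self.outside.network_address + ip_idx), low, low + self.block - 1

    def reverse(self, public_ip, port):
        """Return the subscriber that owns public_ip:port (the audit lookup)."""
        ip = ipaddress.ip_address(public_ip)
        if ip not in self.outside:
            raise ValueError("address is not in the outside pool")
        if not FIRST_PORT <= port <= LAST_PORT:
            raise ValueError("port is outside the translated range")
        slot = (port - FIRST_PORT) // self.block
        if slot >= self.per_ip:
            raise ValueError("port falls in the unassigned remainder")
        index = (int(ip) - int(self.outside.network_address)) * self.per_ip + slot
        if index >= self.inside.num_addresses:
            raise ValueError("port block is not assigned to any subscriber")
        return str(self.inside.network_address + index)


# Constructed pools: 1024 subscribers behind 16 public addresses.
NAT = DeterministicNat("100.64.0.0/22", "203.0.113.0/28", 1008)

# Constructed abuse-report lines: timestamp, then public "ip:port".
SAMPLE_REPORTS = [
    "2018-10-11T16:00:03Z 203.0.113.1:2500",
    "2018-10-11T16:02:41Z 203.0.113.15:65535",
]


def attribute(report_line, nat=NAT):
    """Map one report line to (timestamp, subscriber address)."""
    timestamp, endpoint = report_line.split()
    public_ip, port = endpoint.rsplit(":", 1)
    return timestamp, nat.reverse(public_ip, int(port))


if __name__ == "__main__":
    for line in SAMPLE_REPORTS:
        print(attribute(line))
```

Because the mapping is a pure function of the configuration, the configuration and its change history are the record to retain; a lookup against the wrong revision attributes traffic to the wrong subscriber.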


Re: new(ish) ipv6 transition tech status on CPE

2018-10-11 Thread Tom Ammon
On Wed, Oct 10, 2018 at 3:08 PM Brock Tice  wrote:

> On 10/09/2018 06:24 PM, Philip Loenneker wrote:
> > I have asked several vendors we deal with about the newer technologies
> > such as 464XLAT, and have had some responses indicating they will
> > investigate internally, however we have not made much progress yet. One
> > vendor suggested their device supports NAT46 and NAT64 so may support
> > 464XLAT, but since it is incidental rather than an official feature, it
> > may not support the full CLAT requirements. I have been meaning to do
> > some tests but haven’t had a chance yet. It is also a higher price point
> > than our current CPEs.
> >
> >
> >
> > I have spoken to people who have looked into options such as OpenWRT
> > (which supports several of these technologies), however the R&D and
> > ongoing support is a significant roadblock to overcome.
> >
>
> We looked into this somewhat intently ~6 months ago and had not much
> luck from vendors. Barely on their radar if at all.
>
> We used our own custom OpenWRT build on a few select, tested consumer
> routers to do 464XLAT. In the end we went to dual-stack with CGN on
> IPv4. I wrote up some documentation on how we did it on my blog, but in
> the end I can't recommend the setup we used.
>
> I would love RouterOS and (various mfgr) CPE support for 464XLAT, then I
> would be ready to give it another shot.
>

It sounds like I am where you were 6 months ago. We've been looking at
NAT64, MAP-T, potentially 464XLAT, and then dual stack with CGN on the v4
side. What did you experience with the dual-stack/CGN approach that keeps
you from recommending it? Academically, that setup seems the least fraught
with problems among all of the options.




-- 
-
Tom Ammon
M: (801) 784-2628
thomasam...@gmail.com
-


Re: Hurricane Michael: Communication Service Provider status

2018-10-11 Thread Sean Donelan

I haven't found power outage reports from other states yet.


My bad, DOE moved its reports to a different URL on its site. Here is the 
electric grid status for other states, along with some other status info I 
found.


Electric power outages as of October 11, 2018 at 4:00pm EDT

Statewide averages don't reflect severe damage in specific counties:

Alabama: 3% (87,706 customers)
Florida: 3.7% (389,639)
Georgia: 6.4% (268,461)
North Carolina: 9% (361,879)
South Carolina: 2.6% (117,221)

Utilities in the region report 30,000 personnel in position for restoration 
efforts.


The following sea ports are closed

Panama City, FL
Pensacola, FL
Wilmington, NC

Retail gas/fuel stations shut (lack of fuel, power or both)

Florida: 6.0% shut
Georgia: 2.6% shut
Alabama: 1.3% shut

Regional fuel stocks available: 28.1 million barrels

NOAA Weather Radio transmitter outages

Columbus, AL
Americus, GA
Macon, GA
Lafayette, LA
New Bern, NC
Beaufort, SC



Hurricane Michael: Communication Service Provider status

2018-10-11 Thread Sean Donelan



Electric power outages (percentage out of service)

Florida
  Bay County - 98%
  Calhoun County - 100%
  Franklin County - 97%
  Gadsden County - 100%
  Gulf County - 99%
  Holmes County - 99%
  Jackson County - 100%
  Leon County - 91%
  Wakulla County - 97%
  Washington County - 98%

I haven't found power outage reports from other states yet.


1 Public Safety Answering Point out of service
  Jackson County FL

15 Public Safety Answering Points re-routed

Counties with over 60% cell sites out of service

Florida
  Bay County - 78.3%
  Gulf County - 69.6%
  Holmes County - 74.1%
  Jackson County - 77.1%
  Liberty County - 88.9%
  Washington County - 69.2%

Georgia
  Schley County - 66.7%
  Webster County - 64.7%

Cable and Wireline subscribers reported out of service (likely more out of 
service than reported)


  Alabama - 14,855
  Florida - 185,841
  Georgia - 63,473

Radio and Television
   4 TV stations out of service
   30 FM stations out of service
   4 AM stations out of service




Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-10-11 Thread Chris Adams
Once upon a time, b...@theworld.com  said:
> But asking for photo id is a good thing for legitimate card holders,
> could reduce fraudulent in-person use of stolen cards.

Requiring an ID is also a violation of the merchant agreements, at least
for VISA and MasterCard (not sure about American Express), unless ID is
otherwise required by law (like for age-limited products).  I've walked
out of stores that required an ID.

-- 
Chris Adams 


Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-10-11 Thread bzs


On October 11, 2018 at 13:41 s...@ottie.org (Scott Christopher) wrote:
 > Robert Kisteleki wrote: 
 > 
 > > (this is probably OT now...)
 > > 
 > > > I'm pretty sure the "entire point" of inventing CVV was to prove you
 > > > physically have the card.
 > > 
 > > Except that it doesn't serve that purpose. Anyone who ever had your card
 > > in their hands (e.g. waiters) can just write that down and use it later
 > > hence defeating the purpose of "physically having the card". 
 > 
 > But waiters don't know your ZIP code which is the other thing needed for 
 > online verification (in the U.S.)

So be wary if they ask you for photo id which likely has your zip code!

But asking for photo id is a good thing for legitimate card holders,
could reduce fraudulent in-person use of stolen cards.

What a mess.

 > 3D Secure is good enough. It will probably be mandatory for payment 
 > processors sometime in the future. In the meantime, it just costs the 
 > industry less to cover fraud losses.
 > 
 > -- 
 > S.C.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-10-11 Thread bzs


On October 11, 2018 at 10:17 rob...@ripe.net (Robert Kisteleki) wrote:
 > (this is probably OT now...)
 > 
 > > I'm pretty sure the "entire point" of inventing CVV was to prove you
 > > physically have the card.
 > 
 > Except that it doesn't serve that purpose. Anyone who ever had your card
 > in their hands (e.g. waiters) can just write that down and use it later
 > hence defeating the purpose of "physically having the card". (Call me
 > paranoid but I usually use a black pen to make the numbers unreadable
 > because of this, after my card (both sides) has been photocopied a
 > number of times...)

What you're saying is they don't work as well as you might hope, not
that they don't serve that purpose.

If you snatched 5M credit card numbers and expiration dates but, as
required by contract, there were no CVVs in that db how well would
that work with sites which require a CVV for a transaction? Not well
at all. So there's a purpose.

Also, traditionally one's signature is on the back right next to that
CVV for a merchant to compare against which leaves forgery a mere
exercise in, well, forgery, since the example one has to reasonably
match is right there.

Which doesn't mean signatures don't work, it's just not much
protection against anyone who can reasonably forge a signature. But
many people can't or won't try, it discourages minor criminals like
your boyfriend using your card surreptitiously while you were sleeping.

They're also some reasonable evidence that the transaction was done in
person with the card in hand. I know some merchant contracts wouldn't
allow forgiveness (who eats the fraud) for charges w/o a signature
where their contract claims they only do in-person purchases which
gets them a lower rate.

There is a concern for merchant fraud also in all this, unfortunately
that's very tempting.

BUT IT'S ALL WORSE THAN THAT!

When I had a book of checks stolen (and reported) several turned up
used in major big box stores with information like driver's license
number, date of birth, etc neatly written on them tho none of that
info was mine.

I doubt they went to the trouble of counterfeiting a driver's license,
it's possible but this was small-time fraud.

My suspicion was they were in cahoots with the cashier, simplest
explanation, the cashier was a friend who probably got a cut.

So anything in the presumed chain of events can often be suborned.

 > This has always been an amusing topic. At the end of the day it's a
 > financial risk management call from the banks -- as long as they lose
 > less money on the current system than the cost of fraud, things will
 > not change. Of course, they try to push those costs onto others as much
 > as possible, but that doesn't change the bottom line.

I agree with this.

Quite a few years ago I was interviewed by a start-up manufacturer of
a big parallel "mini" to head their OS effort.

Something which came out in the conversation, which went on for hours!
(very pleasant tho), was that a major credit card company had pledged
in writing to buy $150M of their machines on day one of ship if they
could run a set of their anti-fraud algorithms quickly enough (their
spec) to be able to reject transactions in real time.

The company had done forensics and I think the estimate was if they
could have run those algorithms they would have saved them some big
number like $50K/hour in fraud. But they couldn't run them fast enough
to allow for reasonable transaction times.

And then ya sit around the bar thinking you know how this or that
startup is funded or why...that would not have been one of my guesses!

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


ARIN Elections close tomorrow – Friday 12 October at 18:00 eastern time!

2018-10-11 Thread John Curran
Folks -

If you are an ARIN Member and have not yet voted in this year’s ARIN 
elections, please do so now!

(To do so, log into ARIN Online and click on the “Vote Now” button; see 
additional details below)

Thanks!
/John

John Curran
President and CEO
ARIN

Begin forwarded message:

From: ARIN <i...@arin.net>
Subject: [arin-announce] Voting Now Open for the 2018 ARIN Board of Trustees, 
ARIN Advisory Council, and NRO NC Elections
Date: 4 October 2018 at 6:00:26 PM EDT
To: <arin-annou...@arin.net>


Cast your online ballot now in the 2018 ARIN Elections to fill two seats on the 
ARIN Board of Trustees, five seats on the ARIN Advisory Council, and one seat 
on the Number Resource Organization Number Council (NRO NC).

Eligible Voting Contacts from General Members in Good Standing as of the voter 
eligibility deadline of 20 August, may cast an online ballot now through 6:00 
PM EDT, Friday, 12 October. To vote, simply log in to ARIN Online and look for 
the “Vote Now” link on your dashboard.

To view candidate biographies, please view the ARIN Elections 2018 Voter Guide 
at:

https://www.arin.net/participate/elections/candidate_bios.pdf

To view or submit a Statement of Support, please click on the link below. 
Anyone, regardless of voter status, is eligible to submit a Statement of 
Support for a candidate.

https://www.bigpulse.com/p51139/

During the week of 8 October, all eligible Voting Contacts should be aware that 
an ARIN representative will be personally calling them as a gentle reminder to 
please vote and to answer any election-related questions they may have.

Participation in the election process is crucial, requires only minutes of a 
voter’s time, is done online, and is an important member responsibility. A 
single cast ballot provides eligible member organizations an opportunity to 
shape the future of ARIN, our community, and the Internet.

For questions about voting, or if you encounter an issue with the election 
system, please contact a member of the Member Services team immediately via 
email at memb...@arin.net or submit a question via 
ARIN Online and direct it to Meetings/Elections.

Regards,

Wendy Leedy
Member Engagement Coordinator
American Registry for Internet Numbers (ARIN)





Re: The root KSK roll has occurred

2018-10-11 Thread Aaron C. de Bruyn via NANOG
Well that explains the DNS weirdness I was seeing this morning.  I had
just made a significant network change and initially thought I screwed
something up.  After 10 minutes of halfhearted troubleshooting and
poking around my configs I began to suspect DNS issues.  Before I
could do more digging, it magically resolved itself.

-A
On Thu, Oct 11, 2018 at 9:44 AM Selphie Keller  wrote:
>
> Pretty awesome moment in history, confirmed my DNS resolvers are showing 
> 20326. Also, seeing the new key on public resolvers like cloudflare and 
> level3, google 8.8.8.8 and 8.8.4.4 still have 19036, likely cache.
>
>
>
> On Thu, 11 Oct 2018 at 10:07, Mehmet Akcin  wrote:
>>
>> Congratulations for rolling the root zone KSK.
>>
>> On Thu, Oct 11, 2018 at 9:01 AM Matt Larson  wrote:
>>>
>>> On behalf of the root zone management partners (ICANN and Verisign), I 
>>> would like to report that the root KSK rollover occurred at 1600 UTC today, 
>>> 11 October, with the publication of the root zone with serial number 
>>> 2018101100.
>>>
>>> For the 48 hours after the rollover, we will be monitoring several mailing 
>>> lists, including this one, so please reply here with any issues or concerns.
>>>
>>> Matt
>>> --
>>> Matt Larson, VP of Research
>>> ICANN Office of the CTO
>>>


Re: The root KSK roll has occurred

2018-10-11 Thread Bryce Wilson
I can also confirm that all of my internal DNS systems see the new key. I am 
very excited for the future of DNS especially with many public resolvers 
supporting DNSSEC and DNS over TLS.

Bryce Wilson, AS202313

> On Oct 11, 2018, at 9:42 AM, Selphie Keller  wrote:
> 
> Pretty awesome moment in history, confirmed my DNS resolvers are showing 
> 20326. Also, seeing the new key on public resolvers like cloudflare and 
> level3, google 8.8.8.8 and 8.8.4.4 still have 19036, likely cache.
> 
> 
> 
>> On Thu, 11 Oct 2018 at 10:07, Mehmet Akcin  wrote:
>> Congratulations for rolling the root zone KSK.
>> 
>>> On Thu, Oct 11, 2018 at 9:01 AM Matt Larson  wrote:
>>> On behalf of the root zone management partners (ICANN and Verisign), I 
>>> would like to report that the root KSK rollover occurred at 1600 UTC today, 
>>> 11 October, with the publication of the root zone with serial number 
>>> 2018101100.
>>> 
>>> For the 48 hours after the rollover, we will be monitoring several mailing 
>>> lists, including this one, so please reply here with any issues or concerns.
>>> 
>>> Matt
>>> --
>>> Matt Larson, VP of Research
>>> ICANN Office of the CTO
>>> 


Re: The root KSK roll has occurred

2018-10-11 Thread Selphie Keller
Pretty awesome moment in history, confirmed my DNS resolvers are showing
20326. Also, seeing the new key on public resolvers like cloudflare and
level3, google 8.8.8.8 and 8.8.4.4 still have 19036, likely cache.



On Thu, 11 Oct 2018 at 10:07, Mehmet Akcin  wrote:

> Congratulations for rolling the root zone KSK.
>
> On Thu, Oct 11, 2018 at 9:01 AM Matt Larson  wrote:
>
>> On behalf of the root zone management partners (ICANN and Verisign), I
>> would like to report that the root KSK rollover occurred at 1600 UTC today,
>> 11 October, with the publication of the root zone with serial number
>> 2018101100.
>>
>> For the 48 hours after the rollover, we will be monitoring several
>> mailing lists, including this one, so please reply here with any issues or
>> concerns.
>>
>> Matt
>> --
>> Matt Larson, VP of Research
>> ICANN Office of the CTO
>>
>>


Re: The root KSK roll has occurred

2018-10-11 Thread Mehmet Akcin
Congratulations for rolling the root zone KSK.

On Thu, Oct 11, 2018 at 9:01 AM Matt Larson  wrote:

> On behalf of the root zone management partners (ICANN and Verisign), I
> would like to report that the root KSK rollover occurred at 1600 UTC today,
> 11 October, with the publication of the root zone with serial number
> 2018101100.
>
> For the 48 hours after the rollover, we will be monitoring several mailing
> lists, including this one, so please reply here with any issues or concerns.
>
> Matt
> --
> Matt Larson, VP of Research
> ICANN Office of the CTO
>
>


The root KSK roll has occurred

2018-10-11 Thread Matt Larson
On behalf of the root zone management partners (ICANN and Verisign), I would 
like to report that the root KSK rollover occurred at 1600 UTC today, 11 
October, with the publication of the root zone with serial number 2018101100.

For the 48 hours after the rollover, we will be monitoring several mailing 
lists, including this one, so please reply here with any issues or concerns.

Matt
--
Matt Larson, VP of Research
ICANN Office of the CTO



Re: CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-10-11 Thread Scott Christopher
Robert Kisteleki wrote: 

> (this is probably OT now...)
> 
> > I'm pretty sure the "entire point" of inventing CVV was to prove you
> > physically have the card.
> 
> Except that it doesn't serve that purpose. Anyone who ever had your card
> in their hands (e.g. waiters) can just write that down and use it later
> hence defeating the purpose of "physically having the card". 

But waiters don't know your ZIP code which is the other thing needed for online 
verification (in the U.S.)

3D Secure is good enough. It will probably be mandatory for payment processors 
sometime in the future. In the meantime, it just costs the industry less to 
cover fraud losses.

-- 
S.C.


Re: Oct. 3, 2018 EAS Presidential Alert test

2018-10-11 Thread Tom Beecher
It's likely worth noting that this specific test was of IPAWS (Integrated
Public Alert and Warning System), a system designed to integrate the
Emergency Alert System, National Warning System, Wireless Emergency Alerts,
and NOAA Weather Alerts.

It's not intended to be cell phone only or replace anything; it's intended
to unify all the pre-existing methods together. This was just the first
time cell phones were included in a nationwide test.

On Wed, Oct 10, 2018 at 11:15 AM Naslund, Steve 
wrote:

> I agree 100% and also have noticed that severe weather systems tend to
> be more severe in rural areas due to either open spaces (the plains) or trees
> (forested areas) doing more damage.  I can tell you from living in the
> Midwest that the storms in Iowa and Nebraska are way worse than the ones
> that hit Chicago.  A weather guy I know told me it has something to do with
> convective heat rising from major cities which is why you rarely see
> tornados hitting downtown Chicago and New York.  I have noticed that for
> some reason local weather alerts seem to be more reliable than the national
> level tests on cellular.  Don't know if it has to do with sheer volume or
> what.  Also, like I said earlier in rural areas you are less likely to run
> into a bystander that knows what is going on.
>
> Steven Naslund
> Chicago IL
>
>
> >How quickly we forget.  Puerto Rico's catastrophe was only a year ago.
> >Per capita fatalities in rural areas are usually higher than cities after
> >a disaster.  Telecommunications are even more important in rural areas
> >because you have fewer disaster response resources than in cities.
> >Rural areas receive warnings later, have fewer emergency responders, fewer
> >advanced trauma hospitals. There are more neighbors helping neighbors in
> >cities, and more potential sources of help in densely populated areas.
> >
> >Telecommunication providers are less likely to spend money hardening
> >infrastructure in rural areas, because there is less business.  It's easy
> >to find alternative telecommunications in New York City. It's hard to find
> >backup telecommunications in Idaho.
> >
> >A nation-wide WEA and EAS system helps warn people in both cities and
> >rural areas. But they still depend on carriers and broadcasters. If there
> >are no backup batteries in cell towers, or backup transmitters for
> >broadcasters, you end up with communication blackouts like in Puerto Rico
> >for months.
>
>


CVV (was: Re: bloomberg on supermicro: sky is falling)

2018-10-11 Thread Robert Kisteleki
(this is probably OT now...)

> I'm pretty sure the "entire point" of inventing CVV was to prove you
> physically have the card.

Except that it doesn't serve that purpose. Anyone who ever had your card
in their hands (e.g. waiters) can just write that down and use it later
hence defeating the purpose of "physically having the card". (Call me
paranoid but I usually use a black pen to make the numbers unreadable
because of this, after my card (both sides) has been photocopied a
number of times...)

This has always been an amusing topic. At the end of the day it's a
financial risk management call from the banks -- as long as they lose
less money on the current system than the cost of fraud, things will
not change. Of course, they try to push those costs onto others as much
as possible, but that doesn't change the bottom line.

Robert