Re: How to track DNS resolution sources
Hi Nick and List Yes it's possible. The dud DNS response in some parts of the internet was the public IP address being used by their proxy server. I'm not sure what the proxy is, but it's a windows box. I was going to try to dig trace but by then the poisoning suddenly stopped happening. Any other ideas on how to deal with this ? What can I proactively do in case it happens again? On Thursday, 4 December 2014, Nicholas Oas nicholas@gmail.com wrote: Is it possible that your client site has a helpful firewall that is performing DNS doctoring? http://www.juniper.net/techpubs/en_US/junos12.1/topics/concept/dns-alg-nat-doctoring-overview.html The first time I encountered this neither myself nor my customer expected it. We upgraded the firewall and suddenly their external hostname resolution was coming back with internal IP addresses, as defined by the firewall's NAT table. Note this only really happens with NAT. If the spoofed records are internal its most likely something else. On Wed, Dec 3, 2014 at 11:22 AM, Notify Me notify.s...@gmail.com javascript:_e(%7B%7D,'cvml','notify.s...@gmail.com'); wrote: Hi! I hope I'm wording this correctly. I had a incident at a client site where a DNS record was being spoofed. How does one track down the IP address that's returning the false records ? What tool can one use? Thanks! -- Sent from MetroMail -- Sent from MetroMail
DWDM Documentation
Hi guys, we, a Berlin / Germany based carrier, are looking for a smart documentation (shelfs, connections, fibers) and visualization tool for our ADVA-based DWDM-enviroment. Do you have any suggestions or hints for me? We’re testing „cableScout“, the only one I found, next week but. Unfortunately it isn’t easy to get any information about such tools! :( Thanks in advance! Best regards, Theo Voss (AS25291)
ARIN's RPKI Relying agreement
Greetings: In the past few months, I've spoken with, or heard second hand, from a number of organizations that will not or cannot sign ARIN's RPKI Relying Agreement. Acceptance of this agreement is required in order to gain access to ARIN's Trust Anchor Locator (TAL). Given the size and number of these organizations that can't or wont accept the agreement makes me wonder if this is a show stopper that will prevent the adoption of this technology. I've created a quick survey to get an idea of the community's take on this agreement with the idea that if enough organizations indicate it is unacceptable, maybe we can get this agreement changed, or as with other regions, not explicitly required to use the TAL. https://docs.google.com/forms/d/10RLBBpL05n1c_H4unHitlsVqNM3rZI5aXAX8iSBc_Kk/viewform?usp=send_form Thank you.
Re: ARIN's RPKI Relying agreement
On Thu, 04 Dec 2014 09:57:05 -0500, Andrew Gallo said: In the past few months, I've spoken with, or heard second hand, from a number of organizations that will not or cannot sign ARIN's RPKI Relying Agreement. Do we have a handle on *why* organizations are having issues with the agreement? pgpk49N7oQqJO.pgp Description: PGP signature
Re: ARIN's RPKI Relying agreement
On Thu, Dec 4, 2014 at 10:04 AM, valdis.kletni...@vt.edu wrote: On Thu, 04 Dec 2014 09:57:05 -0500, Andrew Gallo said: In the past few months, I've spoken with, or heard second hand, from a number of organizations that will not or cannot sign ARIN's RPKI Relying Agreement. Do we have a handle on *why* organizations are having issues with the agreement? wes outlined some of his reasons here: https://www.nanog.org/sites/default/files/wednesday_george_adventuresinrpki_62.9.pdf michael sinatra did a reasonable coverage as well in a previous nanog meeting (I think?)
Re: ARIN's RPKI Relying agreement
On Thu, Dec 4, 2014 at 10:21 AM, Christopher Morrow morrowc.li...@gmail.com wrote: On Thu, Dec 4, 2014 at 10:04 AM, valdis.kletni...@vt.edu wrote: On Thu, 04 Dec 2014 09:57:05 -0500, Andrew Gallo said: In the past few months, I've spoken with, or heard second hand, from a number of organizations that will not or cannot sign ARIN's RPKI Relying Agreement. Do we have a handle on *why* organizations are having issues with the agreement? wes outlined some of his reasons here: https://www.nanog.org/sites/default/files/wednesday_george_adventuresinrpki_62.9.pdf michael sinatra did a reasonable coverage as well in a previous nanog meeting (I think?) also, john curran covers some of the legal indemnification stuff about here: https://www.youtube.com/watch?v=uGSo4uiYyAc#t=1868 in the video of the slide presentation above.
Re: ARIN's RPKI Relying agreement
Honestly, that's what I'm trying to figure out as well. In my informal conversations, what I got was that lawyers read the agreement, said 'no, we wont sign it' and then dropped it. If specific legal feedback isn't making it back to ARIN, then we need to start providing it, otherwise, the agreement will stand. On 12/4/2014 10:04 AM, valdis.kletni...@vt.edu wrote: On Thu, 04 Dec 2014 09:57:05 -0500, Andrew Gallo said: In the past few months, I've spoken with, or heard second hand, from a number of organizations that will not or cannot sign ARIN's RPKI Relying Agreement. Do we have a handle on *why* organizations are having issues with the agreement?
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 7:35 AM, Andrew Gallo akg1...@gmail.com wrote: In my informal conversations, what I got was that lawyers read the agreement, said 'no, we wont sign it' and then dropped it. If specific legal feedback isn't making it back to ARIN, then we need to start providing it, All the specific legal feedback I’ve heard is that this is a liability nightmare, and that everyone wants ARIN to take on all the liability, but nobody wants to pay for it. Are you hearing something more useful than that? -Bill signature.asc Description: Message signed with OpenPGP using GPGMail
Re: ARIN's RPKI Relying agreement
On Thu, Dec 4, 2014 at 7:51 AM, Bill Woodcock wo...@pch.net wrote: On Dec 4, 2014, at 7:35 AM, Andrew Gallo akg1...@gmail.com wrote: In my informal conversations, what I got was that lawyers read the agreement, said 'no, we wont sign it' and then dropped it. If specific legal feedback isn't making it back to ARIN, then we need to start providing it, All the specific legal feedback I’ve heard is that this is a liability nightmare, and that everyone wants ARIN to take on all the liability, but nobody wants to pay for it. Are you hearing something more useful than that? -Bill This is the same legal feedback most lawyers will give you about settlement free peering as well. CB
Anybody at Amazon AWS?
Anybody have a contact at Amazon AWS? I sent in a spam complaint, and got back the below response - while I give them kudos for actually, you know, responding, I'm pretty sure that we can all agree that sending the same canned message to email addresses scraped off websites is the very definition of spam, yet somehow the EC2 abuse team seems to consider it a perfectly acceptable explanation - I'd sure love to discuss this with someone with a clue at Amazon AWS --- Our customer has responded to your abuse report and provided the following information The below emails were sent individually to the recipient using a canned message. There is no automation or mass emailing at all. Our publisher representative personally visited each of the below websites, decided they were right for our service and emailed them individually. The emails are sent through gmail using a web interface to their API. Let me know if you require any additional information. Dwayne If you are satisfied with the above information, there is no need to respond to this notice. If you are not satisfied, please respond with a clear, succinct reason for dissatisfaction and what results you desire from our customer. We will make every reasonable attempt to work with you and our customer to resolve this matter. Thank you, The EC2 Abuse team --- Anne Anne P. Mitchell, Esq. CEO/President ISIPP SuretyMail Email Accreditation Certification Your mail system + SuretyMail accreditation = delivered to their inbox! http://www.SuretyMail.com/ http://www.SuretyMail.eu/ Author: Section 6 of the Federal CAN-SPAM Act of 2003 Member, California Bar Cyberspace Law Committee Ret. Professor of Law, Lincoln Law School of San Jose https://www.linkedin.com/in/annemitchell 303-731-2121 | amitch...@isipp.com | @AnnePMitchell | Facebook/AnnePMitchell
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 7:35 AM, Andrew Gallo akg1...@gmail.com wrote: In my informal conversations, what I got was that lawyers read the agreement, said 'no, we wont sign it' and then dropped it. If specific legal feedback isn't making it back to ARIN, then we need to start providing it, Hi Andrew, The short version is that the would-be consumers of the RPKI data want the data published in much the same way that whois data is published. Many of the organizations aren't even in the ARIN region. Virtually any formal contract ARIN is able to offer will be a non-starter for these folks. On Thu, Dec 4, 2014 at 10:51 AM, Bill Woodcock wo...@pch.net wrote: All the specific legal feedback I’ve heard is that this is a liability nightmare, and that everyone wants ARIN to take on all the liability, but nobody wants to pay for it. Are you hearing something more useful than that? Hi Bill, No, nothing more useful. I've seen a lot of hand waving, but I still have no clue how the publication of RPKI data places ARIN at a different risk than publication of whois data. I think if we could better understand that, we'd be better able assess what the next steps are. Do we beat down ARIN's door and insist they publish the data? Do we pursue the creation of some new organization to manage RPKI, one with intentionally shallow pockets, and ask ARIN to cede the function? Something else? I think we all need a better understanding of the alleged legal issue before we can zero in on what should come next. For sure ARIN's current solution, a contract few will sign, is unsatisfactory. Regards, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/ May I solve your unusual networking challenges?
Re: Anybody at Amazon AWS?
Wether the addresses were gleaned using specially trained hedgehogs or by people looking at the sites to target who they're going to SPAM, targeted UCE is still UCE. Apparently AWS doesn't grok that. At 11:15 AM 04/12/2014, Anne P. Mitchell, Esq. wrote: Anybody have a contact at Amazon AWS? I sent in a spam complaint, and got back the below response - while I give them kudos for actually, you know, responding, I'm pretty sure that we can all agree that sending the same canned message to email addresses scraped off websites is the very definition of spam, yet somehow the EC2 abuse team seems to consider it a perfectly acceptable explanation - I'd sure love to discuss this with someone with a clue at Amazon AWS --- Our customer has responded to your abuse report and provided the following information The below emails were sent individually to the recipient using a canned message. There is no automation or mass emailing at all. Our publisher representative personally visited each of the below websites, decided they were right for our service and emailed them individually. The emails are sent through gmail using a web interface to their API. Let me know if you require any additional information. Dwayne If you are satisfied with the above information, there is no need to respond to this notice. If you are not satisfied, please respond with a clear, succinct reason for dissatisfaction and what results you desire from our customer. We will make every reasonable attempt to work with you and our customer to resolve this matter. Thank you, The EC2 Abuse team --- Anne Anne P. Mitchell, Esq. CEO/President ISIPP SuretyMail Email Accreditation Certification Your mail system + SuretyMail accreditation = delivered to their inbox! http://www.SuretyMail.com/ http://www.SuretyMail.eu/ Author: Section 6 of the Federal CAN-SPAM Act of 2003 Member, California Bar Cyberspace Law Committee Ret. Professor of Law, Lincoln Law School of San Jose https://www.linkedin.com/in/annemitchell 303-731-2121 | amitch...@isipp.com | @AnnePMitchell | Facebook/AnnePMitchell --- Clayton Zekelman Managed Network Systems Inc. (MNSi) 3363 Tecumseh Rd. E Windsor, Ontario N8W 1H4 tel. 519-985-8410 fax. 519-985-8409
Re: ARIN's RPKI Relying agreement
- Original Message - From: Ca By cb.li...@gmail.com On Thu, Dec 4, 2014 at 7:51 AM, Bill Woodcock wo...@pch.net wrote: All the specific legal feedback I’ve heard is that this is a liability nightmare, and that everyone wants ARIN to take on all the liability, but nobody wants to pay for it. Are you hearing something more useful than that? This is the same legal feedback most lawyers will give you about settlement free peering as well. And this delightfully illustrates what IMG's Mark MacCormack is pleased to call the Terrible Truth About Lawyers, to wit: Lawyers believe that their job is to tell you what not to do. Their *actual job* is to tell where risks lie, so that you can make informed business decisions about which risks to take, and how to allow for them. If you as a businessman believe the lawyers' point of view, though, you will never accomplish anything. Cheers, -- jra -- Jay R. Ashworth Baylink j...@baylink.com Designer The Things I Think RFC 2100 Ashworth Associates http://www.bcp38.info 2000 Land Rover DII St Petersburg FL USA BCP38: Ask For It By Name! +1 727 647 1274
Re: ARIN's RPKI Relying agreement
On 12/4/2014 11:22 AM, William Herrin wrote: On Dec 4, 2014, at 7:35 AM, Andrew Gallo akg1...@gmail.com wrote: In my informal conversations, what I got was that lawyers read the agreement, said 'no, we wont sign it' and then dropped it. If specific legal feedback isn't making it back to ARIN, then we need to start providing it, Hi Andrew, The short version is that the would-be consumers of the RPKI data want the data published in much the same way that whois data is published. Many of the organizations aren't even in the ARIN region. Virtually any formal contract ARIN is able to offer will be a non-starter for these folks. Understood and good point. I've heard rumblings of setting up a non-ARIN TAL, though I wonder what the value is in separating RPKI from the registry. Wouldn't this put us in the same position we're in with routing registries (with respect to data quality)? On Thu, Dec 4, 2014 at 10:51 AM, Bill Woodcock wo...@pch.net wrote: All the specific legal feedback I’ve heard is that this is a liability nightmare, and that everyone wants ARIN to take on all the liability, but nobody wants to pay for it. Are you hearing something more useful than that? Hi Bill, No, nothing more useful. I've seen a lot of hand waving, but I still have no clue how the publication of RPKI data places ARIN at a different risk than publication of whois data. I think if we could better understand that, we'd be better able assess what the next steps are. Do we beat down ARIN's door and insist they publish the data? Do we pursue the creation of some new organization to manage RPKI, one with intentionally shallow pockets, and ask ARIN to cede the function? Something else? I think we all need a better understanding of the alleged legal issue before we can zero in on what should come next. For sure ARIN's current solution, a contract few will sign, is unsatisfactory. Regards, Bill Herrin -- William Herrin her...@dirtside.com b...@herrin.us Owner, Dirtside Systems . Web: http://www.dirtside.com/ May I solve your unusual networking challenges?
Re: ARIN's RPKI Relying agreement
On Thu, Dec 4, 2014 at 11:22 AM, William Herrin b...@herrin.us wrote: On Thu, Dec 4, 2014 at 10:51 AM, Bill Woodcock wo...@pch.net wrote: All the specific legal feedback I’ve heard is that this is a liability nightmare, and that everyone wants ARIN to take on all the liability, but nobody wants to pay for it. Are you hearing something more useful than that? snip No, nothing more useful. I've seen a lot of hand waving, but I still have no clue how the publication of RPKI data places ARIN at a different risk than publication of whois data. I think if we could better understand that, (oops, I assumed that the decision to have the rpa implemented in the way it is is due to 'arin counsel') Maybe it would be helpful for the ARIN Counsel to document in a more public way (than the RPA) what the concerns are and how that translates into 'different risk than the publication of whois data' ? we'd be better able assess what the next steps are. Do we beat down ARIN's door and insist they publish the data? Do we pursue the creation of some new organization to manage RPKI, one with intentionally shallow pockets, and ask ARIN to cede the function? Something else? I think we all need a better understanding of the alleged legal issue before we can zero in on what should come next. One of the complaints I've heard is that for out-of-region folk to get the TA details they need to sign the RPA, and potentially be bound by a contract that they can't be bound by anyway... so the process is looked upon as a bit 'foolish' or perhaps: over-reaching is the more polite term used. First though I think Bill's point about: How did we get into this mess? could someone walk us through the process/steps taken to get here? maybe we zigged when we ought to have zagged? -chris
Re: ARIN's RPKI Relying agreement
Hello, On 12/4/2014 2:33 PM, Andrew Gallo wrote: On 12/4/2014 11:22 AM, William Herrin wrote: Understood and good point. I've heard rumblings of setting up a non-ARIN TAL, though I wonder what the value is in separating RPKI from the registry. Wouldn't this put us in the same position we're in with routing registries (with respect to data quality)? Exactly the same. RPKI without the tie-in to the registration database is just another random database, like the dozens that are out there, bound to suffer from exactly the same problems current IRRs suffer. Disclaimer: I work for LACNIC, but in this case, if I was a beggar playing music at subway stations my opinion would be exactly the same. Cheers! Carlos
Re: ARIN's RPKI Relying agreement
Hello, On 12/4/2014 2:33 PM, Andrew Gallo wrote: On 12/4/2014 11:22 AM, William Herrin wrote: Understood and good point. I've heard rumblings of setting up a non-ARIN TAL, though I wonder what the value is in separating RPKI from the registry. Wouldn't this put us in the same position we're in with routing registries (with respect to data quality)? Exactly the same. RPKI without the tie-in to the registration database is just another random database, like the dozens that are out there, bound to suffer from exactly the same problems current IRRs suffer. Disclaimer: I work for LACNIC, but in this case, if I was a beggar playing music at subway stations my opinion would be exactly the same. Cheers! Carlos
Re: ARIN's RPKI Relying agreement
On 12/4/14, 10:35 AM, Andrew Gallo akg1...@gmail.com wrote: Honestly, that's what I'm trying to figure out as well. In my informal conversations, what I got was that lawyers read the agreement, said 'no, we wont sign it' and then dropped it. If specific legal feedback isn't making it back to ARIN, then we need to start providing it, otherwise, the agreement will stand. For my part, I have had discussions with ARIN's internal legal council and other staff about our specific concerns and how to address them, and intend to continue doing so, as I agree that this won't get solved if we just say unacceptable and drop the subject. That said, this is harder to manage because it doesn't fall into the existing ARIN policy development process, so the community doesn't have as direct of a voice on changes to the policies. I can't just submit a policy proposal to change how ARIN words its RPA, who is bound by it, and how ARIN provides RPKI services. Those are operational matters, implemented by the staff, governed by the board, who is informed by their legal council and staff. That is part of the reason why I brought some of the issues to the NANOG community, since interaction with ARIN board members and staff is what's necessary to make sure the concerns are addressed, and thus it benefits from wider discussion. I'll try to go through your survey as well. Thanks, Wes Anything below this line has been added by my company’s mail server, I have no control over it. --- This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 11:35 AM, Christopher Morrow morrowc.li...@gmail.com wrote: ... Maybe it would be helpful for the ARIN Counsel to document in a more public way (than the RPA) what the concerns are and how that translates into 'different risk than the publication of whois data' ? This is apparently being discussed on two different lists (PPML and NANOG) at the same time, so apologies for the cross-posting... The reason that the RIRs have disclaimer of warranty and indemnification clauses for RPKI services is actually quite simple: despite striving to deliver highly available RPKI services, you are supposed to be using best practices in use of the service, and this include recognizing that failures can occur and such should not result in operation impact (i.e. exactly the opposite of your “my routing decisions are affected and breakage happens” statement in your prior email.) Specifically, your RPKI deployment approach should be following known operational best practices for RPKI, such as those in RFC 7115 / BCP 185, Origin Validation Operation Based on the Resource Public Key Infrastructure (RPKI)” - “… Local policy using relative preference is suggested to manage the uncertainty associated with a system in early deployment; local policy can be applied to eliminate the threat of unreachability of prefixes due to ill-advised certification policies and/or incorrect certification data. “ Note that the claims that could ensue from an operator failing to follow best practices and then third-parties suffering an major operational outage is likely to be large and extremely protracted, with potential for endangering the registry itself due to the nature of litigation and its requirement to actually go to all the way to trial in order to be able to then introduce evidence and prove that the RPKI services were operating properly at the time of the event. If the RIRs did not seek indemnification for use of the RPKI services, then all of their other registry services could potentially be put at risk due to the need to defend errant litigation, even presuming perfect RPKI service delivery. Undertaking that risk to the other services that everyone else presently rely upon (Whois, reverse DNS) is not reasonable particularly during this time when the RPKI parties are supposed to be deploying via conservative routing preference practices. ARIN does make the expectations very clear and explicit in its agreements, and that is different from the other RIRs. Again, are the other RIR RPKI non-warranty and indemnification clauses equally problematic for you, or is the fact that they are implicitly bound address your concerns? This has come up before on the NANOG mailing list (see attached) but it was unclear if the outcome was an expectation that all RIRs should drop these clauses, or that ARIN should make agreement to them be implicit. Thanks! /John John Curran President and CEO ARIN === Begin forwarded message: Subject: Re: APNIC RPKI TAL agreement From: John Curran jcur...@arin.net Date: October 16, 2014 at 7:30:48 PM EDT Cc: Wes George wesley.geo...@twcable.com, Randy Bush ra...@psg.com, Geoff Huston g...@apnic.net To: Michael Sinatra mich...@burnttofu.net On Oct 16, 2014, at 3:19 PM, Michael Sinatra mich...@burnttofu.net wrote: Hi John: At NANOG 62, you mentioned that APNIC has a similar agreement as ARIN to use its trust-anchor locator (TAL), but that it is not a click-through agreement like ARIN's. I have searched using basic google-foo for this agreement, and have also looked on APNIC's certificate rsync server (which also has an HTTP interface) and I can't find it. Can you, or any other recipient of this message who is familiar with the APNIC agreement, point me in the right direction? Michael - Review http://www.apnic.net/services/manage-resources/digital-certificates/terms-and-conditions wherein there is a limitation of liability and requirement that a recipient of any digital certificate will indemnify APNIC against any and all claims by third parties for damages of any kind arising from the use of that certificate. (last two bullets) /John John Curran President and CEO ARIN ===
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 12:32 PM, George, Wes wesley.geo...@twcable.com wrote: Those are operational matters, implemented by the staff, governed by the board, who is informed by their legal council and staff. That is part of the reason why I brought some of the issues to the NANOG community, since interaction with ARIN board members and staff is what's necessary to make sure the concerns are addressed, and thus it benefits from wider discussion. Wes - I am happy to champion the change that you seek (i.e. will get it reviewed by legal and brought before the ARIN Board) but still need clarity on what change you wish to occur - A) Implicit binding to the indemnification/warrant disclaimer clauses (as done by the other RIRs) B) Removal of the indemnification warranty disclaimer clause I asked this directly during your NANOG presentation, but you did not respond either way. I also noted that your own business customer agreements have the same indemnification non-warranty clauses (as they are common in nearly all telecommunication and ISP service agreements) - are these now being dropped by TWC in agreements? Thanks! /John John Curran President and CEO ARIN
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 12:53 PM, John Curran jcur...@arin.net wrote: On Dec 4, 2014, at 12:32 PM, George, Wes wesley.geo...@twcable.com wrote: Those are operational matters, implemented by the staff, governed by the board, who is informed by their legal council and staff. That is part of the reason why I brought some of the issues to the NANOG community, since interaction with ARIN board members and staff is what's necessary to make sure the concerns are addressed, and thus it benefits from wider discussion. Wes - I am happy to champion the change that you seek (i.e. will get it reviewed by legal and brought before the ARIN Board) but still need clarity on what change you wish to occur - A) Implicit binding to the indemnification/warrant disclaimer clauses (as done by the other RIRs) B) Removal of the indemnification warranty disclaimer clause I asked this directly during your NANOG presentation, but you did not respond either way. I also noted that your own business customer agreements have the same indemnification non-warranty clauses (as they are common in nearly all telecommunication and ISP service agreements) - are these now being dropped by TWC in agreements? I recall a lengthly discussion about this at the NANOG meeting that occurred after the session. I think there is a very strong emotional thing here where we said to you (which you seem to have forgotten) that option B above would be helpful as it’s already covered by the general registration agreement (which was your assertion). Comparing what you do with Time Warner cable seems like pure hyperbole and an attempt as CEO to inflame community discussion at minimum. - Jared
Re: ARIN's RPKI Relying agreement
Bill Woodcock wo...@pch.net writes: On Dec 4, 2014, at 7:35 AM, Andrew Gallo akg1...@gmail.com wrote: In my informal conversations, what I got was that lawyers read the agreement, said 'no, we wont sign it' and then dropped it. If specific legal feedback isn't making it back to ARIN, then we need to start providing it, All the specific legal feedback Ive heard is that this is a liability nightmare, and that everyone wants ARIN to take on all the liability, but nobody wants to pay for it. Are you hearing something more useful than that? The way the RPA is worded, ARIN seems to be attempting to offload all the risk to its member organizations. Anything that ARIN does has some degree of risk associated with it. Twice a year we host parties where alcohol is served. That's a risky endeavor on all sorts of ways - at least we're typically taking buses to and from the event so we aren't driving. I have heard it asserted the board is unwilling for the organization to shoulder even that level of risk as part of providing RPKI. As a board member, can you speak to this? Whether this extreme level of risk aversity is a matter of mistaken priorities (putting the organization itself ahead of accomplishing the organization's mission) or a way of making sure that we stop wasting money on RPKI due to demonstrable non-uptake is left as an exercise to the reader. You can infer from the last statement that I would applaud cutting our losses on RPKI. The quote on slide 23 of Wes' deck about replacing complex stuff like email templates with simple, easy to understand public key crypto was mine. If you can't get people to play ball nicely with client filtering, IRR components, etc. where the bar to entry is low, who can _possibly_ say with a straight face that we can get people to embrace RPKI? To the usual suspects: sorry to call your kid ugly. Don't hate the messenger. -r
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 1:01 PM, Jared Mauch ja...@puck.nether.net wrote: I am happy to champion the change that you seek (i.e. will get it reviewed by legal and brought before the ARIN Board) but still need clarity on what change you wish to occur - A) Implicit binding to the indemnification/warrant disclaimer clauses (as done by the other RIRs) B) Removal of the indemnification warranty disclaimer clause I asked this directly during your NANOG presentation, but you did not respond either way. I also noted that your own business customer agreements have the same indemnification non-warranty clauses (as they are common in nearly all telecommunication and ISP service agreements) - are these now being dropped by TWC in agreements? I recall a lengthly discussion about this at the NANOG meeting that occurred after the session. I think there is a very strong emotional thing here where we said to you (which you seem to have forgotten) that option B above would be helpful as it’s already covered by the general registration agreement (which was your assertion). Several folks suggested making the RPKI indemnification tie back to the language in the existing RSA (it is not presently but instead done via separate language). However, when I asked Wes about that approach he did not know at the time if that would address TWC's particular concern (hence my reason for following up now via email) Comparing what you do with Time Warner cable seems like pure hyperbole and an attempt as CEO to inflame community discussion at minimum. Actually, it is to remind folks that such indemnification language is sought by most ISPs, despite their services being used in a mission critical mode by many customers and despite the ISPs efforts to make their services be highly reliable. (One can easily argue that best practices require multiple connections or service providers, but that is the same with best practices for RPKI use requiring proper preferences to issues with certification data...) /John John Curran President and CEO ARIN
Re: ARIN's RPKI Relying agreement
On Thu, Dec 4, 2014 at 7:51 AM, Bill Woodcock wo...@pch.net wrote: All the specific legal feedback I’ve heard is that this is a liability nightmare, and that everyone wants ARIN to take on all the liability, but nobody wants to pay for it. WG] Has there been any actual discussion about how much nobody would have to pay for ARIN (or another party) to fix the balance of liability and provide a proper SLA that led to no, I don't want to pay for that responses from those who are expressing the concern, or is this just conjecture on your part? I know that despite being fairly vocal on the matter, I've not been party to any such discussion, though I know that ARIN fees and what services they provide for those fees is an ongoing discussion in other forums. The problem with free services is that often you get what you pay for when it comes to support, warranty, etc. There are plenty of models where you take something free, say FOSS, and then pay someone (Red Hat, ISC) to support it in order to manage the risk associated with putting it in the middle of your business-critical system. It gives you some determinism about what happens when it breaks or you need a feature, and recourse when it goes pear-shaped. I think there's room for discussion around how much an SLA-backed RPKI service might be worth to its potential customers, given its ability to either protect or badly break global routing. On 12/4/14, 11:33 AM, Jay Ashworth j...@baylink.com wrote: Lawyers believe that their job is to tell you what not to do. Their *actual job* is to tell where risks lie, so that you can make informed business decisions about which risks to take, and how to allow for them WG] FWIW, I believe that my lawyers did their actual job. But as I said in my presentation, the combination of technical fragility and liability risk I incur if it breaks in a way that impacts my customers led me to decide that I'm not yet willing to bet my continued gainful employment on Route Origin Validation working well enough that the benefit of having it outweighs the risks. INAL, YMMV, void where prohibited, caveat lector, of course. Fixing the liability issues certainly removes one barrier to entry, but it's not the only one, and the technical issues are being worked in parallel. Wes George Anything below this line has been added by my company’s mail server, I have no control over it. --- This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.
Re: ARIN's RPKI Relying agreement
Comparing what you do with Time Warner cable seems like pure hyperbole and an attempt as CEO to inflame community discussion at minimum. Actually, it is to remind folks that such indemnification language is sought by most ISPs, despite their services being used in a mission critical mode by many customers and despite the ISPs efforts to make their services be highly reliable. (One can easily argue that best practices require multiple connections or service providers, but that is the same with best practices for RPKI use requiring proper preferences to issues with certification data...) /John John Curran President and CEO ARIN I think your question is fair if you are talking to the TWC CEO, but in this case you are not and it’s disingenuous to pretend otherwise (which you are attempting through your weak straw-man). If ARIN isn’t capable of running RPKI or performing its function, which perhaps we should infer from your talking points, perhaps we should all transfer our resources out of region and dissolve ARIN? I don’t think that would suit the community needs though. I (similar to Rob) have my own concerns about RPKI but do feel that this is an ARIN specific construct/wall that has been raised without action yet from ARIN. The fact that the meeting was 2 months ago and you have not acted/discussed with your counsel says everything I need to know about the situation, your personal motives and your personal desires for the outcomes. I hope it doesn’t represent your employer and that the ARIN Board brings it up with you. - Jared
Re: ARIN's RPKI Relying agreement
On 4 Dec 2014, at 18:53, John Curran jcur...@arin.net wrote: On Dec 4, 2014, at 12:32 PM, George, Wes wesley.geo...@twcable.com wrote: Those are operational matters, implemented by the staff, governed by the board, who is informed by their legal council and staff. That is part of the reason why I brought some of the issues to the NANOG community, since interaction with ARIN board members and staff is what's necessary to make sure the concerns are addressed, and thus it benefits from wider discussion. Wes - I am happy to champion the change that you seek (i.e. will get it reviewed by legal and brought before the ARIN Board) but still need clarity on what change you wish to occur - A) Implicit binding to the indemnification/warrant disclaimer clauses (as done by the other RIRs) Some details on this: The RIPE NCC offers an RPKI Validator toolset which includes the Trust Anchors for all the RIR repositories except the one for ARIN. On the download page, there is this statement: By setting up the RIPE NCC RPKI Validator, you confirm that you have read, understood and agree to the RIPE NCC Certification Repository Terms and Conditions. Download page: https://www.ripe.net/certification/tools-and-resources TC: http://www.ripe.net/lir-services/resource-management/certification/legal/ripe-ncc-certification-repository-terms-and-conditions There are instructions to get the ARIN TAL in the readme and UI of the RPKI Validator: - http://localcert.ripe.net:8088 - https://github.com/RIPE-NCC/rpki-validator/blob/master/rpki-validator-app/README.txt#L122 Cheers, Alex
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 10:17 AM, George, Wes wesley.geo...@twcable.com wrote: WG] Has there been any actual discussion about how much nobody would have to pay for ARIN (or another party) to fix the balance of liability and provide a proper SLA that led to no, I don't want to pay for that responses from those who are expressing the concern, or is this just conjecture on your part? I’ve asked a lot of people, “Would you be willing to pay ARIN for RPKI services,” and the answer has always been “no.” Until I get a “yes,” it’s hard to put a number (other than zero) on how the market values RPKI. So, asking how much more risk ARIN is willing to take on seems a little premature. The problem with free services is that often you get what you pay for when it comes to support, warranty, etc. Yep. -Bill signature.asc Description: Message signed with OpenPGP using GPGMail
Re: ARIN's RPKI Relying agreement
On 12/4/14, 1:13 PM, John Curran jcur...@arin.net wrote: I am happy to champion the change that you seek (i.e. will get it reviewed by legal and brought before the ARIN Board) but still need clarity on what change you wish to occur - A) Implicit binding to the indemnification/warrant disclaimer clauses (as done by the other RIRs) B) Removal of the indemnification warranty disclaimer clause I asked this directly during your NANOG presentation, but you did not respond either way. WG] I deferred because I am not a lawyer and am not empowered to speak anything more than my opinion on the matter. I believe that the more useful response to your question came during the ARIN members' meeting post-NANOG, where Rob Seastrom suggested at the mic that rather than a bunch of engineers and policy wonks playing armchair lawyer and guessing at what will make the actual lawyers happy, that we should organize a separate meeting involving: - the ARIN board - ARIN legal counsel and other relevant ARIN staff - legal representatives from as many of the operators and others expressing concern over this as appropriate, - along with a few of the technical folks to help deal with the interaction between the technical and the legal and use it to discuss the issues in order to come up with something better. (One can easily argue that best practices require multiple connections or service providers, but that is the same with best practices for RPKI use requiring proper preferences to issues with certification data...) WG] So how would I as an ARIN member go about getting a redundant RPKI provider? I'm uncomfortable being single-homed to ARIN since that seems contrary to best practices. Also: Most SPs provide an SLA to their customers that serves as a balance to contractual liability weasel words. Wes Anything below this line has been added by my company’s mail server, I have no control over it. --- This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 1:34 PM, Bill Woodcock wo...@pch.net wrote: On Dec 4, 2014, at 10:17 AM, George, Wes wesley.geo...@twcable.com wrote: WG] Has there been any actual discussion about how much nobody would have to pay for ARIN (or another party) to fix the balance of liability and provide a proper SLA that led to no, I don't want to pay for that responses from those who are expressing the concern, or is this just conjecture on your part? I’ve asked a lot of people, “Would you be willing to pay ARIN for RPKI services,” and the answer has always been “no.” Until I get a “yes,” it’s hard to put a number (other than zero) on how the market values RPKI. So, asking how much more risk ARIN is willing to take on seems a little premature. I suspect you would get a similar answer if you asked people Would you be willing to pay ARIN for whois services or would you be willing to pay ARIN for in-addr.arpa services. I've always been under the impression that the fees charged annually to my orgid were in part to cover the costs associated with running the registry, which by definition involves a certain amount of risk. Am I mistaken? -r
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 11:11 AM, Robert Seastrom r...@seastrom.com wrote: I suspect you would get a similar answer if you asked people Would you be willing to pay ARIN for whois services or would you be willing to pay ARIN for in-addr.arpa services”. Actually, since those are relatively inexpensive, I suspect there are plenty of people who’d be willing to cover those costs, if they needed to be paid separately. However... I've always been under the impression that the fees charged annually to my orgid were in part to cover the costs associated with running the registry, which by definition involves a certain amount of risk. …the RPKI costs are many orders of magnitude higher, and that’s before anyone sues us. So, the question is how much of your fees you want to see going toward RPKI, and how much of that you want to go toward trying to make it functional, versus mitigating the risk when it’s not. -Bill signature.asc Description: Message signed with OpenPGP using GPGMail
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 12:39 PM, John Curran jcur...@arin.net wrote: On Dec 4, 2014, at 11:35 AM, Christopher Morrow morrowc.li...@gmail.com wrote: Note that the claims that could ensue from an operator failing to follow best practices and then third-parties suffering an major operational outage is likely to be large Undertaking that risk to the other services that everyone else presently rely upon (Whois, reverse DNS) is not reasonable Which begs the question for me -- ARIN already operates services that operators rely upon. Why are they different? Does ARIN run no risk of litigation due to some perceived involvement of those services in someone's operational outage? Has there been litigation against ARIN tied to, for example, reverse DNS? Or the IRR? --Sandy signature.asc Description: Message signed with OpenPGP using GPGMail
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 1:19 PM, Jared Mauch ja...@puck.nether.net wrote: I (similar to Rob) have my own concerns about RPKI but do feel that this is an ARIN specific construct/wall that has been raised without action yet from ARIN. Jared - Please be specific - are you referring to the indemnification clauses (which are existing in other RIRs as well), the method of agreement, or not having ready access to the TAL, i.e. the click-accept access? The fact that the meeting was 2 months ago and you have not acted/discussed with your counsel says everything I need to know about the situation, your personal motives and your personal desires for the outcomes. I hope it doesn’t represent your employer and that the ARIN Board brings it up with you. Incorrect. Despite the lack of clarity, we started work on 27 October with both inside and external counsel regarding drafting some updates to the RPKI legal framework. This effort should be ready to be brought to the ARIN Board in January for their consideration, but it would be helpful to have more clarity on the concerns (i.e. is it access to the TAL, or the requirement for explicit agreement to terms and conditions, or the presence of indemnification/warrant-disclaimer language regardless of method of binding) At present, I am working on addressing the TAL access and the explicit agreement concerns that were raised during Wes's NANOG session. These are relatively straightforward to work with counsel and propose to the ARIN Board for their consideration. The issue of indemnification is far more challenging, and hence my reason for asking about the underlying need for such and how folks are handling its presence in other RIR RPKI terms and conditions. Thanks! /John John Curran President and CEO ARIN
Re: ARIN's RPKI Relying agreement
On Thu, 04 Dec 2014 11:17:34 -0800, Bill Woodcock said: the RPKI costs are many orders of magnitude higher Orders of magnitude? Seriously? I can buy it costs 2x or 3x. But an additional 2 or 3 zeros on the price? pgp_PXDy5bSuP.pgp Description: PGP signature
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 11:21 AM, valdis.kletni...@vt.edu wrote: On Thu, 04 Dec 2014 11:17:34 -0800, Bill Woodcock said: the RPKI costs are many orders of magnitude higher Orders of magnitude? Seriously? I can buy it costs 2x or 3x. But an additional 2 or 3 zeros on the price? Yep, that’s why all this is at issue. If it were cheap, and worked, like in-addr or whois, there wouldn’t be an issue, would there? -Bill signature.asc Description: Message signed with OpenPGP using GPGMail
Re: ARIN's RPKI Relying agreement
Am I correct in thinking that the SIDR work going on in the IETF takes the registries out of the real-time processing of route authentication/attestation? Is RPKI a stop-gap while we wait for full path validation? Should we be focusing our energies in that area? On Thu, Dec 4, 2014 at 2:19 PM, Sandra Murphy sa...@tislabs.com wrote: On Dec 4, 2014, at 12:39 PM, John Curran jcur...@arin.net wrote: On Dec 4, 2014, at 11:35 AM, Christopher Morrow morrowc.li...@gmail.com wrote: Note that the claims that could ensue from an operator failing to follow best practices and then third-parties suffering an major operational outage is likely to be large Undertaking that risk to the other services that everyone else presently rely upon (Whois, reverse DNS) is not reasonable Which begs the question for me -- ARIN already operates services that operators rely upon. Why are they different? Does ARIN run no risk of litigation due to some perceived involvement of those services in someone's operational outage? Has there been litigation against ARIN tied to, for example, reverse DNS? Or the IRR? --Sandy
Re: ARIN's RPKI Relying agreement
On 12/4/14, 1:34 PM, Bill Woodcock wo...@pch.net wrote: I’ve asked a lot of people, “Would you be willing to pay ARIN for RPKI services,” and the answer has always been “no.” Until I get a “yes,” it’s hard to put a number (other than zero) on how the market values RPKI. WG] well, if it wasn't clear from my previous message, you've gotten a yes, but it's a qualified yes, and the timeframe, as well as what I'm paying for, matters. We need to put some daylight between how the market values RPKI and whether RPKI is ready for wide-scale deployment and what the market expects from ARIN as a service provider for a critical piece of that system when it's in wide-scale deployment. You can see multiple folks expressing concern about other aspects of RPKI beyond ARIN's RPA and liability. Those problems have to be solved before we can have a real discussion about how the market values RPKI, because prior to that it's simply not ready for wide-scale deployment. Additionally, we have a catch-22 in that most of RPKI's benefit is not realized until there are enough prefixes signed and enough large networks validating signatures and dropping invalid announcements, which means the incentive for early adopters is hard to quantify. In other words, the benefits of deploying RPKI that we have to use to justify the costs, whether it's increased ARIN fees or the hardware, complexity, and headcount costs associated with deploying and maintaining it, cannot be realized yet. So, the only thing I know to do is to make sure that I'm working these issues in parallel so that we don't remove one barrier to entry only to crash into the next one. Thanks, Wes Anything below this line has been added by my company’s mail server, I have no control over it. --- This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 11:33 AM, Jared Mauch ja...@puck.nether.net wrote: the fact it’s taken 3 months to reach the board is of concern Jared, ARIN is now nine years in to applying thrust to this pig. The board does in fact revisit it with some frequency, since it’s expensive and the primary thing blocking other software development efforts, like ARIN Online functionality and so forth. It has not been ignored for the past three months, and it has not been ignored for the past nine years. The question of what to do about it, however, is no more likely to be resolved right now than it has been at any point in its painful history. Please focus on what we can do about it, rather than on the timeframe. John is doing his job. -Bill signature.asc Description: Message signed with OpenPGP using GPGMail
Re: ARIN's RPKI Relying agreement
On Thu, 04 Dec 2014 11:28:42 -0800, Bill Woodcock said: On Dec 4, 2014, at 11:21 AM, valdis.kletni...@vt.edu wrote: Orders of magnitude? Seriously? I can buy it costs 2x or 3x. But an additional 2 or 3 zeros on the price? Yep, thats why all this is at issue. If it were cheap, and worked, like in-addr or whois, there wouldn't be an issue, would there? So why does an RPKI request cost *500 times* as much as (say) a request to assign an address block? Why is it *that* much more expensive to handle? pgpXuhUzbI0BT.pgp Description: PGP signature
Re: ARIN's RPKI Relying agreement
On 12/4/14, 2:34 PM, Andrew Gallo akg1...@gmail.com wrote: Am I correct in thinking that the SIDR work going on in the IETF takes the registries out of the real-time processing of route authentication/attestation? WG] no, but they're at least discussing ways of making the dependencies less fragile and more scalable (e.g. Eliminating rsync). Is RPKI a stop-gap while we wait for full path validation? Should we be focusing our energies in that area? WG] Path Validation is a completely separate pig, one which may require significantly more thrust to achieve escape velocity when compared with Origin Validation. Origin Validation isn't a stop gap, as much as it is an incremental step that Path Validation builds on to provide more additional protection that Origin Validation alone cannot provide. They're intended to coexist, not replace. Thanks, Wes Anything below this line has been added by my company’s mail server, I have no control over it. --- This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.
RE: Cisco CCNA Training (Udemy Discounted Training)
Anybody got codes valid for December? On 14 Nov 2014 18:07, Wakefield, Thad M. twakefi...@stcloudstate.edu wrote: Since there was some interest in the Udemy CCNA training, I'll risk forwarding these additional discounts: Remember that this is ONLY for the month of NOVEMBER! *** CCNA Course is now $24 with coupon code: THANKS24 https://www.udemy.com/the-complete-ccna-200-120-course/?couponCode=THANKS24 *** ROUTING Course is now $14 with coupon code: THANKS14 https://www.udemy.com/routing-configuration-router-administration/?couponCode=THANKS14 *** SWITCHING Course is now $9 with coupon code: THANKS9 https://www.udemy.com/layer-2-switching-vlans/?couponCode=THANKS9 *** IPv4 Course is now $9 with coupon code: THANKS9 https://www.udemy.com/everything-you-need-to-know-about-ipv4-and-its-configuration/?couponCode=THANKS9 *** IPv6 Course is now $9 with coupon code: THANKS9 https://www.udemy.com/the_abcs_of_ipv6/?couponCode=THANKS9 *** VLANs Course is now $5 with coupon code: THANKS5 https://www.udemy.com/overview-of-vlans-access-list-nat-bonus-material/?couponCode=THANKS5 *** OSPF Course is now $14 with coupon code: THANKS14 https://www.udemy.com/ospf-breakdown/?couponCode=THANKS14 *** HEX Course is FREE *** use coupon code: THANKSFREE https://www.udemy.com/learn-how-to-do-hex-conversions-in-under-30-seconds/?couponCode=THANKSFREE
Re: ARIN's RPKI Relying agreement
On 12/4/14, 2:19 PM, Sandra Murphy sa...@tislabs.com wrote: Which begs the question for me -- ARIN already operates services that operators rely upon. Why are they different? Does ARIN run no risk of litigation due to some perceived involvement of those services in someone's operational outage? WG] I'm hard-pressed to come up with a case where packets stop flowing or flow to the wrong party because whois is down. *Maybe* you can make that case for reverse DNS since lots of anti-spam/anti-spoof relies on forward/reverse DNS agreement, but that doesn't affect routing. RPKI ups the ante considerably. I believe ARIN when they say that the liability risks are higher for this. Thanks, Wes Anything below this line has been added by my company’s mail server, I have no control over it. --- This E-mail and any of its attachments may contain Time Warner Cable proprietary information, which is privileged, confidential, or subject to copyright belonging to Time Warner Cable. This E-mail is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient of this E-mail, you are hereby notified that any dissemination, distribution, copying, or action taken in relation to the contents of and attachments to this E-mail is strictly prohibited and may be unlawful. If you have received this E-mail in error, please notify the sender immediately and permanently delete the original and any copy of this E-mail and any printout.
Re: Cisco CCNA Training (Udemy Discounted Training)
have some juniper but not cisco. On Thu, Dec 4, 2014 at 12:08 PM, Bacon Zombie baconzom...@gmail.com wrote: Anybody got codes valid for December? On 14 Nov 2014 18:07, Wakefield, Thad M. twakefi...@stcloudstate.edu wrote: Since there was some interest in the Udemy CCNA training, I'll risk forwarding these additional discounts: Remember that this is ONLY for the month of NOVEMBER! *** CCNA Course is now $24 with coupon code: THANKS24 https://www.udemy.com/the-complete-ccna-200-120-course/?couponCode=THANKS24 *** ROUTING Course is now $14 with coupon code: THANKS14 https://www.udemy.com/routing-configuration-router-administration/?couponCode=THANKS14 *** SWITCHING Course is now $9 with coupon code: THANKS9 https://www.udemy.com/layer-2-switching-vlans/?couponCode=THANKS9 *** IPv4 Course is now $9 with coupon code: THANKS9 https://www.udemy.com/everything-you-need-to-know-about-ipv4-and-its-configuration/?couponCode=THANKS9 *** IPv6 Course is now $9 with coupon code: THANKS9 https://www.udemy.com/the_abcs_of_ipv6/?couponCode=THANKS9 *** VLANs Course is now $5 with coupon code: THANKS5 https://www.udemy.com/overview-of-vlans-access-list-nat-bonus-material/?couponCode=THANKS5 *** OSPF Course is now $14 with coupon code: THANKS14 https://www.udemy.com/ospf-breakdown/?couponCode=THANKS14 *** HEX Course is FREE *** use coupon code: THANKSFREE https://www.udemy.com/learn-how-to-do-hex-conversions-in-under-30-seconds/?couponCode=THANKSFREE -- Eric Litvin President e...@lumaoptics.net Direct: (650)440-4382 Mobile:(*650)996-7270* Fax: (650) 618-1870
Re: Cisco CCNA Training (Udemy Discounted Training)
Share them anyway? Juniper's certs have enough demand as well :) On 12/5/2014 午前 05:13, Eric Litvin wrote: have some juniper but not cisco. On Thu, Dec 4, 2014 at 12:08 PM, Bacon Zombie baconzom...@gmail.com wrote: Anybody got codes valid for December? On 14 Nov 2014 18:07, Wakefield, Thad M. twakefi...@stcloudstate.edu wrote: Since there was some interest in the Udemy CCNA training, I'll risk forwarding these additional discounts: Remember that this is ONLY for the month of NOVEMBER! *** CCNA Course is now $24 with coupon code: THANKS24 https://www.udemy.com/the-complete-ccna-200-120-course/?couponCode=THANKS24 *** ROUTING Course is now $14 with coupon code: THANKS14 https://www.udemy.com/routing-configuration-router-administration/?couponCode=THANKS14 *** SWITCHING Course is now $9 with coupon code: THANKS9 https://www.udemy.com/layer-2-switching-vlans/?couponCode=THANKS9 *** IPv4 Course is now $9 with coupon code: THANKS9 https://www.udemy.com/everything-you-need-to-know-about-ipv4-and-its-configuration/?couponCode=THANKS9 *** IPv6 Course is now $9 with coupon code: THANKS9 https://www.udemy.com/the_abcs_of_ipv6/?couponCode=THANKS9 *** VLANs Course is now $5 with coupon code: THANKS5 https://www.udemy.com/overview-of-vlans-access-list-nat-bonus-material/?couponCode=THANKS5 *** OSPF Course is now $14 with coupon code: THANKS14 https://www.udemy.com/ospf-breakdown/?couponCode=THANKS14 *** HEX Course is FREE *** use coupon code: THANKSFREE https://www.udemy.com/learn-how-to-do-hex-conversions-in-under-30-seconds/?couponCode=THANKSFREE
RE: Anybody at Amazon AWS?
From: amitch...@isipp.com Subject: Anybody at Amazon AWS? Date: Thu, 4 Dec 2014 09:15:36 -0700 To: nanog@nanog.org Anybody have a contact at Amazon AWS? I sent in a spam complaint, and got back the below response - while I give them kudos for actually, you know, responding, I'm pretty sure that we can all agree that sending the same canned message to email addresses scraped off websites is the very definition of spam, yet somehow the EC2 abuse team seems to consider it a perfectly acceptable explanation - I'd sure love to discuss this with someone with a clue at Amazon AWS Did you try their abuse telephone? +1 (206) 266-2187? Once I needed I had proper services on that number. Anyway I am not sure if your contact will make a difference. As I see the case, honestly, it's you complaining against their customer, and Amazon is profiting from that customer. If you and only you are complaining I don't believe you will be heard. Anyway the customer assumed they sent UCE. But won't assume it was a SPAM. As I see the customer states that a e-mail was sent to an e-mail address you have published as contact e-mail address and therefore, they have contacted you. In a canned way, but if it was a personal e-mail offering you something you don't care about, would you fill an abuse report? Or just ignoring/declining the offer? If I right you a polite message right from my MUA and don't mention your name, treating you pretty much like a generic person I don't know, and offering my services, my curricula, or trying to show you a product I have created myself and believe it might be off your interest, it's certainly UCE but will you complain to my provider stating I was spamming you? Well if it's true tha the sender used gmail (you can check your e-mail headers), pasted your address on their MUA or webmail as a Bcc or something like that, and Gmail didn't block the outgoing message, and you (and maybe 2 or 3 other individuals) didn't like that, I don't think Amazon or Google will find it as abuse of services. Certainly it's not a good practice. Not something nice to do, or to receive. But is that an abuse? I don't think so. Specially of a minimum good practice is in place, just like a an opt-out mechanism or similar. Good luck with that phone call. You will find someone to talk to. But I'm not sure you will find someone to agree with you it's an abuse. --- Our customer has responded to your abuse report and provided the following information The below emails were sent individually to the recipient using a canned message. There is no automation or mass emailing at all. Our publisher representative personally visited each of the below websites, decided they were right for our service and emailed them individually. The emails are sent through gmail using a web interface to their API. Let me know if you require any additional information. Dwayne If you are satisfied with the above information, there is no need to respond to this notice. If you are not satisfied, please respond with a clear, succinct reason for dissatisfaction and what results you desire from our customer. We will make every reasonable attempt to work with you and our customer to resolve this matter. Thank you, The EC2 Abuse team --- Anne Anne P. Mitchell, Esq. CEO/President ISIPP SuretyMail Email Accreditation Certification Your mail system + SuretyMail accreditation = delivered to their inbox! http://www.SuretyMail.com/ http://www.SuretyMail.eu/ Author: Section 6 of the Federal CAN-SPAM Act of 2003 Member, California Bar Cyberspace Law Committee Ret. Professor of Law, Lincoln Law School of San Jose https://www.linkedin.com/in/annemitchell 303-731-2121 | amitch...@isipp.com | @AnnePMitchell | Facebook/AnnePMitchell
Re: ARIN's RPKI Relying agreement
This pig is less aerodynamic, and fewer people are pushing. In-addr DNS and whois are simple and well-understood protocols, with many programmer-years of software development behind them. The problem isn't the marginal cost of a single transaction, that might only be one or two orders of magnitude higher. The problem is the overhead cost of trying to force a poorly-architected system into a semblance of production-quality. If you want something that anyone can _actually rely upon_, that's a precursor to doing the incremental transactions. -Bill On Dec 4, 2014, at 11:49, valdis.kletni...@vt.edu valdis.kletni...@vt.edu wrote: On Thu, 04 Dec 2014 11:28:42 -0800, Bill Woodcock said: On Dec 4, 2014, at 11:21 AM, valdis.kletni...@vt.edu wrote: Orders of magnitude? Seriously? I can buy it costs 2x or 3x. But an additional 2 or 3 zeros on the price? Yep, thats why all this is at issue. If it were cheap, and worked, like in-addr or whois, there wouldn't be an issue, would there? So why does an RPKI request cost *500 times* as much as (say) a request to assign an address block? Why is it *that* much more expensive to handle?
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 2:41 PM, Bill Woodcock wo...@pch.net wrote: On Dec 4, 2014, at 11:33 AM, Jared Mauch ja...@puck.nether.net wrote: the fact it’s taken 3 months to reach the board is of concern Jared, ARIN is now nine years in to applying thrust to this pig. The board does in fact revisit it with some frequency, since it’s expensive and the primary thing blocking other software development efforts, like ARIN Online functionality and so forth. It has not been ignored for the past three months, and it has not been ignored for the past nine years. The question of what to do about it, however, is no more likely to be resolved right now than it has been at any point in its painful history. Please focus on what we can do about it, rather than on the timeframe. John is doing his job. Part of that is collecting the feedback, which it seemed was unheard as more than Wes was part of the discussion. If ARIN has given up on RPKI, it would be helpful if that message were communicated to the community. - Jared
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 2:33 PM, Jared Mauch ja...@puck.nether.net wrote: the fact it’s taken 3 months to reach the board is of concern to me for an issue that was raised (prior to the October meeting) by operators, andwhere you were an active part of the discussion afterwards in the back of the plenary room. Jared - We kicked off a project to address the concerns within two weeks of ARIN/NANOG, doing so despite not have any clear consensus that providing ready access to the TAL without a click-accept RPA and switching to an implicit service agreement would materially improve things. I guess we could have waited for consensus on indemnification (or no indemnification), but it's not clear whether any consensus will ever emerge on that issue. While you asked Wes, I certainly felt I was clear in telling you Yes that letting the existing RSA where you claimed also covered this would protect ARIN. If you have not discussed this with counsel since then, that feels to me like something that should have already occurred. Perhaps you are waiting until January though, I don’t know your thought process but it seems that a few months is enough time for it to occur (IMHO). Addressing these RPKI issues is important, but there is quite a bit of other activities going on at the same time. Furthermore, revisiting RPKI terms and conditions and the imputed risk definitely requires a face-to-face Board discussion, and January is the first one scheduled after the ARIM Baltimore meeting in October. The actions of ARIN here speak volumes to the contempt that we observe towards those desiring to do standards body work on RPKI. This concerns me in my role of obtaining ARIN resources. I also wonder what other ways that ARIN has displeasure in the members that it’s not publicly voicing or making apparent. Jared - Feel free to raise any concerns with the Board if you wish; many (like Bill Woodcock) are on the nanog list, but in any case they all have emails listed here - https://www.arin.net/about_us/bot.html I’m also willing to accept that I may be sleep deprived, grumpy and that everyone here has hit upon a nerve about the RPA which I see as unresolved. Agreed, and work is underway to address. At the last IETF meeting I raised the issue that if this (RPKI) goes poorly in its deployment, here we would just be turning it off if there was some catastrophic protocol or operational issue. People depend upon the internet to work and anything to reduce the reliability of it won’t be widely used. That's very true, but getting folks to invest time effort in internal, non-customer facing capabilities is very hard (and doubly so for things still in flux like RPKI.) If it were easy, we'll already have a community all of whom used some form of route filtering, either registry or IRR derived, and payoff from adding RPKI would be nominal... I am hoping that ARIN will be a partner in these activities vs what feels like feet dragging along the way. RPKI/SIDR may not be successful in the long term, but until that outcome is reached, we need ARIN to be part of the community and your leadership here is welcome and necessary. ARIN is very much part of the RPKI community, including participating in the IETF sidr activities, deploying both hosted and delegated RPKI support, etc. We're actively involved, but also attentive to details, particular when it comes to risk analysis. /John John Curran President and CEO ARIN
Re: DWDM Documentation
Replying offline to Theo. Schwer zu finden. Roy *Roy Hirst* | 425-556-5773 | 425-324-0941 cell XKL LLC | 12020 113th Ave NE, Suite 100 | Kirkland, WA 98034 | USA On 12/4/2014 5:21 AM, Theo Voss wrote: Hi guys, we, a Berlin / Germany based carrier, are looking for a smart documentation (shelfs, connections, fibers) and visualization tool for our ADVA-based DWDM-enviroment. Do you have any suggestions or hints for me? We’re testing „cableScout“, the only one I found, next week but. Unfortunately it isn’t easy to get any information about such tools! :( Thanks in advance! Best regards, Theo Voss (AS25291) The information contained in this e-mail message may be privileged, confidential and protected from disclosure. If you are not the intended recipient, any dissemination, distribution or copying is strictly prohibited. If you think that you have received this e-mail message in error, please e-mail the sender at the above e-mail address.
Re: determine relationship between the operators based on import and export statements in aut-num object?
Hi, thanks! I guess one of the most exhaustive and freely-available route-views data to analyze is from RIPE Routing Information Service project? For example if I would like to analyze a certain prefix announced by a certain AS for time period from 1.11.2014 to 30.11.2014, then I should download route-views data for this period(for rrc_id in {00..14}; do for d in {01..30}; do wget http://data.ris.ripe.net/rrc$rrc_id/2014.11/bview.201411$d.0800.gz; done; done) and anayze this with bgpdump(bgpdump -m bview* | grep -w 65133)? Other option would be to use one of the tools like RIPEstat BGPlay? thanks, Martin On 11/25/14, William Waites w...@styx.org wrote: On Tue, 25 Nov 2014 17:36:47 +0200, Martin T m4rtn...@gmail.com said: Last but not least, maybe there is altogether a more reliable way to understand the relationship between the operators than aut-num objects(often not updated) in RIR database? The first thing to do is look and see if the policy of, e.g. AS65133 is consistent with what you see there. I suspect you'll find a lot of mismatches but I don't know if that has been studied systematically, but it should be simple to do. Next, much more data intensive, is trawl through the route views data and see to what extent the actual updates seen are consistent with the RIR objects, and also see what (topological, not financial as Valdis points out) relationships they imply that are not present in the RIR database. -w
Re: ARIN's RPKI Relying agreement
On Dec 4, 2014, at 2:19 PM, Sandra Murphy sa...@tislabs.com wrote: ... Which begs the question for me -- ARIN already operates services that operators rely upon. Why are they different? Does ARIN run no risk of litigation due to some perceived involvement of those services in someone's operational outage? Sandra - From the discussion over on PPML... Parties are likely to use RPKI services such that (as someone put it recently) - routing decisions are affected and breakage happens” While such impacts could happen with whois, parties would have to create the linkages themselves, whereas with RPKI it is recognized that the system is designed to provide information for influencing of routing decisions (a major difference, and one that a judge could be made to recognize if some service provider has a prolonged outage due to their own self-inflicted Whois data wrangling into routing filters.) Given the nature of RPKI, it is clear that ARIN needs to engineer the service with full awareness of the potential risks (even though such risks are predominantly the result of parties using RPKI data without appropriate best practices.) We have no problem offering a highly- reliable service; the risk of concern stems from third-parties who suffer major damages and want to assert that it was the result of an ISP’s misusage of ARIN’s RPKI service or ARIN’s RPKI service itself, even if the underlying cause in truth was completely unrelated to ARIN’s RPKI services. Recognize that large harmed parties tend to litigate everyone, with the innocent parties extracting themselves only after lengthy battles, and such battles are very difficult when it comes to proving the proper state of technical service at a given point in time. I hope this helps in outlining some of the significant differences. /John John Curran President and CEO ARIN