Re: Routing Insecurity (Re: BGP in the Washington Post)

2015-06-04 Thread Roland Dobbins


On 5 Jun 2015, at 10:56, David Mandelberg wrote:


Could you elaborate on your enumeration and DDoS concerns?


Crypto = more overhead.  Less priority to crypto plus DDoS = routing 
update issues.


One can infer peering relationships in a way not possible before.

What about bogus signatures?

---
Roland Dobbins 


Re: Routing Insecurity (Re: BGP in the Washington Post)

2015-06-04 Thread David Mandelberg
On 06/02/2015 10:04 PM, Ethan Katz-Bassett wrote:
> The same folks also followed up that workshop paper with a longer paper on
> the topic:
> https://www.cs.bu.edu/~goldbe/papers/sigRPKI.pdf

And a different set of folks (including me) are working on a different
mechanism to protect against attacks from on high. Any feedback would be
appreciated.

https://tools.ietf.org/html/draft-kent-sidr-suspenders-03

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/





Re: Routing Insecurity (Re: BGP in the Washington Post)

2015-06-04 Thread David Mandelberg
On 06/03/2015 04:27 AM, Roland Dobbins wrote:
> (not to mention the
> enumeration and enhanced DDoS impact of packeting routers doing crypto
> for their BGP sessions and which aren't protected via iACLs/GTSM).

Could you elaborate on your enumeration and DDoS concerns? If you're
concerned about the public finding out exactly how many routers you have
because you've published one BGPsec router key per router, you can
choose to use the same router key on multiple routers. If you're
concerned about all the crypto work overloading a router, the plan (as
far as I've heard) is for the routers to do the BGPsec crypto work in
the background as a low priority. I.e., incoming signed routes will
initially be treated like unsigned routes, and the BGPsec validation
will be kicked off in the background. Once the validation is complete,
then routing decisions can be made based on the BGPsec validity.

-- 
David Eric Mandelberg / dseomn
http://david.mandelberg.org/





Re: VPS + BGP session

2015-06-04 Thread William Herrin
On Thu, Jun 4, 2015 at 1:53 PM, Sadiq Saif  wrote:
> I am looking for providers that can provide me a VPS with a BGP session
> so I can announce my PI IP space (v4 + v6). I have looked at other
> threads on NANOG regarding this and already have sessions up with ARP
> Networks, Mythic Beasts, and Knightswarm. Host Virtual is unfortunately
> out of my budget.

Hi Sadiq,

I assume you found this:

http://mailman.nanog.org/pipermail/nanog/2015-February/073592.html

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Owner, Dirtside Systems . Web: 


Re: stacking pdu

2015-06-04 Thread shawn wilson
Well, I was kinda thinking this would turn out to be a dumb question / have
an obvious answer. Apparently not. But it seems I can't go buy a solution
either. I guess there isn't much of a market (though I am just talking
software - maybe someone could make an update :) ).


Re: stacking pdu

2015-06-04 Thread Matthew Petach
On Thu, Jun 4, 2015 at 2:52 PM, Rob Seastrom  wrote:
>
...
> MC on thereifixed.com or similar sites).

thereifixedit.com

iftfy.  ;P

Matt


Roof space, co-lo...

2015-06-04 Thread Barry Shein

A company has asked me if I could find anyone who could provide:

1. Roof space for a 1.2m dish
2. About 2U rackspace (i.e., not a whole rack minimum)
3. Modest (5-10mb) bandwidth.
4. Cabling between the rackspace and roof dish
5. Power

Prefer Boston/Cambridge area but would consider other venues.

I don't know a lot more about it but I think the key request here is
the roof space for the 1.2m dish and cabling to the boxes.

I don't know which way the dish must face or anything like that; if you
do this for a living I will put you in touch and you can work it out.

Respond to me: b...@theworld.com

(some of you were Bcc'd on this)

-- 
-Barry Shein

The World  | b...@theworld.com   | http://www.TheWorld.com
Purveyors to the Trade | Voice: 800-THE-WRLD| Dial-Up: US, PR, Canada
Software Tool & Die| Public Access Internet | SINCE 1989 *oo*


Re: NANOG 64 recordings

2015-06-04 Thread Pete Baldridge
On June 4, 2015 10:11:02 AM PDT, Victor Zakharyev  
wrote:
>Does anyone have videos from Google presentations on Telemetry?
>
>Thanks!
>
>Victor
>
>Thu, 4 Jun 2015 at 9:51, Jay Ashworth :
>
>> - Original Message -
>> > From: "Sadiq Saif" 
>>
>> > For those that missed them:
>> >
>https://www.youtube.com/playlist?list=PLO8DR5ZGla8ju3ftZv_S6L12jBkZKEJVZ
>>
>> Oh, outstanding.  Thanks.
>>
>> Cheers,
>> -- jra
>> --
>> Jay R. Ashworth  Baylink   j...@baylink.com
>> Designer The Things I Think   RFC 2100
>> Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
>> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274
>>

Can anyone comment on what was in the video that's been removed?  Is there 
somewhere else that it can be found?
-- 
Pete
Sent from mobile.


Re: AWS Elastic IP architecture

2015-06-04 Thread Pete Carah
On 06/04/2015 01:16 PM, Christopher Morrow wrote:
> On Thu, Jun 4, 2015 at 5:11 AM, Owen DeLong  wrote:
>> I’d argue that SSH is several thousand, not a few hundred. In any case, I 
>> suppose you can make the argument that only a few people are trying to 
>> access their home network resources remotely other than via some sort of 
>> proxy/rendezvous service. However, I would argue that such services exist 
>> solely to provide a workaround for the deficiencies in the network 
>> introduced by NAT. Get rid of the stupid NAT and you no longer need such 
>> services.
> This is an interesting argument/point, but if you remove the rendezvous
> service then how do you find the thing in your house? now the user has
> to manage DNS, or the service in question has to manage a dns entry
> for the customer, right?
A large part of my heartburn with this is the proliferation of
unidentified rendezvous services, with no hint of SLA or anything, that
are burned into things like door locks, thermostats, washing machines,
etc. etc.  (Also no hint of where, and even what country, has the
rendezvous in question...)

Once I've equipped my house with IoT devices, there will be a bunch
(hundred?) of outbound connections to different rendezvous services.
Nothing in the box or literature identifies the server(s) in question
either.  (And likely most of them don't even use https.)  You want your
door lock and thermostat to effectively publish when you are away for a
couple of weeks, onto someone else's unidentified server?  At least DNS
rendezvous allows endpoint security if the manufacturer even thinks
about that...

-- Pete




Re: stacking pdu

2015-06-04 Thread Joe Hamelin
This takes me back to the days of old with bread racks full of modems and
the mess of wall-warts and power-strips.

--
Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474

On Thu, Jun 4, 2015 at 2:52 PM, Rob Seastrom  wrote:

>
> William Herrin  writes:
>
> > Isn't it against the NEC and the fire code to stack power strips? We
> > all do it, but isn't it against code?
>
> Sorry to be late to the party (I plead vacation), but no, afaik it is
> not.  About as close as the NEC comes art 400.8 - you can't use
> flexible cord as a substitute for permanent wiring (think of some of
> the shenanigans you've seen with extension cords standing in for NM or
> MC on thereifixed.com or similar sites).
>
> Rack wiring is not "permanent", but I would not go so far as to claim
> it is subject to the "qualified personnel" rules (OSHA subpart S and
> NFPA 70E).  Datacenter workers who could pass a test on LOTO
> procedures and routinely utilize proper PPE (even gloves, safety
> glasses, and steel toe shoes) are the exception rather than the rule.
>
> As always, when someone asserts that "X is against code" whether in
> the form of a statement or a question, the proper response is
> "Citation, please!"
>
> -r
>
>


Re: AWS Elastic IP architecture

2015-06-04 Thread Mark Andrews

In message 
, Philip Dorr writes:
> On Thu, Jun 4, 2015 at 12:16 PM, Christopher Morrow
>  wrote:
> > On Thu, Jun 4, 2015 at 5:11 AM, Owen DeLong  wrote:
> >> I’d argue that SSH is several thousand, not a few hundred. In any case, I
> >> suppose you can make the argument that only a few people are trying to
> >> access their home network resources remotely other than via some sort of
> >> proxy/rendezvous service. However, I would argue that such services exist
> >> solely to provide a workaround for the deficiencies in the network
> >> introduced by NAT. Get rid of the stupid NAT and you no longer need such
> >> services.
> >
> > This is an interesting argument/point, but if you remove the rendezvous
> > service then how do you find the thing in your house? now the user has
> > to manage DNS, or the service in question has to manage a dns entry
> > for the customer, right?
> 
> You do not remove the locating service, what you remove is the remote
> proxy service.

And the DNS is the simplest location service.  Windows boxes and
Macs can register themselves in the DNS today using standardised
protocols.  This really isn't a hard thing to do.  All you need is
a fully qualified hostname, addresses and update credentials
(username/password (TSIG) or a public key pair (SIG(0))) and you can
update the address records using DNS UPDATE.  Windows uses GSS-TSIG
(Kerberos) to authenticate the UPDATE request.  In theory it could
also use plain TSIG and/or SIG(0).

What is hard is giving them a globally unique address today because
it doesn't exist for 99.9% of the devices connected in the world
due to the world having run out of IPv4 addresses about ~20 years
ago.  At the moment we are at ~1 address per household for IPv4.
We are heading into < 1 address per household for most of the
households in the world.

For a Mac you go to System Preferences -> Sharing -> Edit, tick "Use
dynamic global hostname", and add the hostname and TSIG credentials
(User/Password).  The Mac will save them.  The Mac will then update
the address records for itself as they change.

What has to happen is making this a regular part of setting up a
machine for the first time.  This requires other OS vendors adding
equivalent functionality to their OSes.

> For example with a webcam on IPv4, you would connect to website to
> download the video.  The camera would also connect to the website to
> upload the video.
> 
> On IPv6 the webcam would connect to the website to say that it is
> alive and what its IP is.  You would connect to the website and your
> computer would get the IP and directly connect to the webcam.  If
> there were multiple people connecting, you may even be able to use
> multicast.

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
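The TSIG-authenticated DNS UPDATE Mark describes, as an added example that is not from the thread or from any vendor's implementation: it builds the RFC 2136 UPDATE wire format (delete the old A/AAAA RRsets, add the current addresses) and signs it with a TSIG RR using HMAC-SHA256 per RFC 8945, with only the Python standard library. The zone, hostname and key are constructed values; actually sending the packet to the zone's primary, and the SIG(0) public-key alternative, are left out.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct
import time

def encode_name(name):
    """Uncompressed DNS wire format for a dotted name ("host.example.net.")."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

# Constructed demo key name and secret: not real credentials.
KEY_NAME = "host.example.net."
KEY_SECRET = base64.b64encode(b"constructed demo key, not a real one").decode()
ALG_WIRE = encode_name("hmac-sha256.")  # TSIG algorithm name, RFC 8945

def build_update(zone, hostname, ipv4, ipv6, ttl=300, msg_id=0x1234):
    """RFC 2136 UPDATE: wipe the old A/AAAA RRsets at hostname, then add the current ones."""
    rrs = []
    for rtype in (1, 28):  # A, AAAA; CLASS ANY + RDLENGTH 0 means "delete this RRset"
        rrs.append(encode_name(hostname) + struct.pack("!HHIH", rtype, 255, 0, 0))
    for rtype, addr in ((1, ipv4), (28, ipv6)):
        rdata = ipaddress.ip_address(addr).packed
        rrs.append(encode_name(hostname)
                   + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata)
    # Header: ID, flags with opcode 5 (UPDATE), ZOCOUNT=1, PRCOUNT=0, UPCOUNT, ADCOUNT=0
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, len(rrs), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", 6, 1)  # SOA, IN
    return header + zone_section + b"".join(rrs)

def tsig_variables(keyname, alg_wire, time_signed, fudge, error=0, other=b""):
    """The TSIG fields RFC 8945 section 4.3.3 folds into the HMAC after the message."""
    return (encode_name(keyname.lower()) + struct.pack("!HI", 255, 0) + alg_wire
            + time_signed.to_bytes(6, "big")
            + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(msg, keyname, secret_b64, time_signed=None, fudge=300):
    """Append a TSIG RR (type 250) whose MAC is HMAC-SHA256(msg + TSIG variables)."""
    if time_signed is None:
        time_signed = int(time.time())
    secret = base64.b64decode(secret_b64)
    mac = hmac.new(secret, msg + tsig_variables(keyname, ALG_WIRE, time_signed, fudge),
                   hashlib.sha256).digest()
    orig_id = struct.unpack("!H", msg[:2])[0]
    rdata = (ALG_WIRE + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", orig_id, 0, 0))
    tsig_rr = encode_name(keyname) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1  # TSIG goes in the additional section
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig_rr

def tsig_verify(signed, keyname, secret_b64, now=None):
    """Verify a signed request. Simplification: the TSIG RR is found by searching
    backwards for its owner name, relying on RFC 8945's rule that it is the last RR."""
    marker = encode_name(keyname) + struct.pack("!HHI", 250, 255, 0)
    pos = signed.rfind(marker)
    if pos < 0:
        return False
    rd_start = pos + len(marker) + 2
    rdlen = struct.unpack("!H", signed[pos + len(marker):rd_start])[0]
    rdata = signed[rd_start:]
    if len(rdata) != rdlen or not rdata:
        return False
    alg_end = rdata.index(b"\x00") + 1
    alg_wire = rdata[:alg_end]
    time_signed = int.from_bytes(rdata[alg_end:alg_end + 6], "big")
    fudge, mac_size = struct.unpack("!HH", rdata[alg_end + 6:alg_end + 10])
    mac = rdata[alg_end + 10:alg_end + 10 + mac_size]
    p = alg_end + 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", rdata[p:p + 6])
    other = rdata[p + 6:p + 6 + other_len]
    if now is None:
        now = int(time.time())
    if abs(now - time_signed) > fudge:  # outside the replay / clock-skew window
        return False
    # Rebuild what the signer MACed: original ID, ARCOUNT one lower, TSIG RR stripped.
    arcount = struct.unpack("!H", signed[10:12])[0] - 1
    unsigned = (struct.pack("!H", orig_id) + signed[2:10]
                + struct.pack("!H", arcount) + signed[12:pos])
    expected = hmac.new(base64.b64decode(secret_b64),
                        unsigned + tsig_variables(keyname, alg_wire, time_signed,
                                                  fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)

if __name__ == "__main__":
    msg = build_update("example.net.", KEY_NAME, "192.0.2.10", "2001:db8::10")
    signed = tsig_sign(msg, KEY_NAME, KEY_SECRET)
    print(len(msg), "byte UPDATE,", len(signed), "bytes with TSIG, verifies:",
          tsig_verify(signed, KEY_NAME, KEY_SECRET))
```

The verifier side is what a primary such as BIND does before applying the update: a stale time-signed, a tampered byte, or the wrong key each yield a rejected request rather than a changed zone.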


Re: stacking pdu

2015-06-04 Thread Rob Seastrom

William Herrin  writes:

> Isn't it against the NEC and the fire code to stack power strips? We
> all do it, but isn't it against code?

Sorry to be late to the party (I plead vacation), but no, afaik it is
not.  About as close as the NEC comes art 400.8 - you can't use
flexible cord as a substitute for permanent wiring (think of some of
the shenanigans you've seen with extension cords standing in for NM or
MC on thereifixed.com or similar sites).

Rack wiring is not "permanent", but I would not go so far as to claim
it is subject to the "qualified personnel" rules (OSHA subpart S and
NFPA 70E).  Datacenter workers who could pass a test on LOTO
procedures and routinely utilize proper PPE (even gloves, safety
glasses, and steel toe shoes) are the exception rather than the rule.

As always, when someone asserts that "X is against code" whether in
the form of a statement or a question, the proper response is
"Citation, please!"

-r



Re: AWS Elastic IP architecture

2015-06-04 Thread Philip Dorr
On Thu, Jun 4, 2015 at 12:16 PM, Christopher Morrow
 wrote:
> On Thu, Jun 4, 2015 at 5:11 AM, Owen DeLong  wrote:
>> I’d argue that SSH is several thousand, not a few hundred. In any case, I 
>> suppose you can make the argument that only a few people are trying to 
>> access their home network resources remotely other than via some sort of 
>> proxy/rendezvous service. However, I would argue that such services exist 
>> solely to provide a workaround for the deficiencies in the network 
>> introduced by NAT. Get rid of the stupid NAT and you no longer need such 
>> services.
>
> This is an interesting argument/point, but if you remove the rendezvous
> service then how do you find the thing in your house? now the user has
> to manage DNS, or the service in question has to manage a dns entry
> for the customer, right?

You do not remove the locating service, what you remove is the remote
proxy service.

For example with a webcam on IPv4, you would connect to website to
download the video.  The camera would also connect to the website to
upload the video.

On IPv6 the webcam would connect to the website to say that it is
alive and what its IP is.  You would connect to the website and your
computer would get the IP and directly connect to the webcam.  If
there were multiple people connecting, you may even be able to use
multicast.


Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation

2015-06-04 Thread Rafael Possamai
You could look into LXD for that type of deployment.

On Thu, Jun 4, 2015 at 12:55 PM, Pavel Odintsov 
wrote:

> Brilliant idea! But in Docker we could offer only sflow and sflow. Port
> mirror capture needs support from the kernel side. Will try shortly!
>
> On Thursday, June 4, 2015, Roberto Bertó  wrote:
>
> > What about we build a Docker?
> >
> > 2015-06-04 14:47 GMT-03:00 Alexander Maassen  > >:
> >
> > > It's a security tool. So ppl using it want to publicly hide the fact
> they
> > > use it in case you screw up and it contains leaks ;)
> > >
> > >  Original message 
> > > From: Pavel Odintsov >
> > > Date:
> > > To: Jim Popovitch >
> > > Cc: nanog@nanog.org 
> > > Subject: Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS
> > > mitigation
> > >
> > > Looks like many folks want to hide company emails ;) I'm a good guy and
> > > will not spam or offer something ;)))
> > >
> > > But I'm impressed by the amount of off-list requests. Really huge
> > > interest in the tool.
> > >
> > > On Thursday, June 4, 2015, Jim Popovitch  > > wrote:
> > >
> > > > There's a surprising amount of GMail (yes, including me) and new-ness
> > > > in this thread.Should I be impressed with the freshness or
> > > > concerned about astroturfing?   :-)
> > > >
> > > > Bah Humbug!
> > > >
> > > > -Jim P.
> > > >
> > >
> > >
> > > --
> > > Sincerely yours, Pavel Odintsov
> > >
> >
>
>
> --
> Sincerely yours, Pavel Odintsov
>


Re: Should I Reboot, and Why? (was Re: [RDD] No Play out on Cart Wall)

2015-06-04 Thread Rafael Possamai
I also reboot for kernel updates!

On Thu, Jun 4, 2015 at 11:57 AM, Jay Ashworth  wrote:

> - Original Message -
> > From: "Cowboy" 
>
> > On Sunday 31 May 2015 03:49:10 pm Graham Wilman wrote:
>
> > > after getting the play out working on clienta terminal for the past
> > > 6 days
> > > the decision was taken today to get clientb terminal working which
> > > it now partially is
> > > unfortunately once all 3 terminals the server.clienta and clientb
> > > were rebooted I could
> > > not get play out to work on clienta again
> >
> > Re-booted why ?
> > I've often said that rebooting a *nix machine is usually a bad idea.
>
> And, again, a good time to recap some of Good Sysadmin Practice:
>
> In the Windows world, it's often recommended that you reboot a machine that
> is acting -- as we say in support -- hincky.  That's because Windows is
> sufficiently complicated and fragile that things can get corrupt at
> runtime, and the simple fact you rebooted it can fix a problem.
>
> That's traditionally not been true in the *nix world; particularly on
> purpose-built single function servers, there simply isn't enough code
> running at once to allow for the sort of complicated, multiplicative
> complexity failures that you see in many Windows machines.
>
> But does that mean you should never reboot a Linux box, just because
> you usually don't *have* to, to fix your problem?
>
> No, it doesn't, and here's why:
>
> Some of the things you might change in your configuration can affect
> how things start *when* you boot up, and if you've adjusted one of them,
> the time to boot it and find out *is right now, when you've just made the
> change and it's fresh in your mind*, not 6 months from now at 3 in the
> morning, when you don't remember what you did.
>
> Well, I suppose you could look in your logbook.  Or check your ticketing
> system.  :-)
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth  Baylink   j...@baylink.com
> Designer The Things I Think   RFC 2100
> Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274
>


Re: AWS Elastic IP architecture

2015-06-04 Thread Christopher Morrow
On Thu, Jun 4, 2015 at 1:44 PM, Måns Nilsson  wrote:
> You have successfully demonstrated that users will need some locating
> service. More so with the cure-all IPv6; because remembering hex is hard
> for People(tm).

but it's not just hex. Even today you (if given a bare ipv4 address)
would need some naming/locating service I suspect. Folk can barely
remember their email address, nevermind the hostname of their
printer/etc for remote use.

Today we 'win' because there's some third-party aggregating 'your
device' and 'you' and connecting them together 'properly'.

> You have, however, not shown that all the possible ways of building a
> locating service that become available once the end-points are uniquely
> reachable (and thus, as long as we're OK with finding just the right host,
> identifiable) present an equal level of suckage.
>

sure, I wasn't really trying to accomplish that, just to point out
that: you still have to find me in the haystack! and 'well then put
dns records in your domain' isn't an answer for 99.99+% of users. Even
if Owen's swag of 'thousands' of users 'use ssh' is on target there
are ~100m users in the US on cable/dsl plant... (so with 10 ssh users
~.01%) that will basically never 'get it'.

> I believe that while the work indeed can be daunting for a sufficiently
> pessimal selection of users, the situation so improves (if we look at
> simplicity of protocol design and resulting fragility) when the end-points
> can ignore any middleboxes that the net result, measured as inconvenience
> imposed on a standard End User, will improve.

I bet we end up with the same rendezvous services though... perhaps we
won't have to worry about the 'printer' making a long-term (or even
periodic?) connection to that service, but I imagine there'll still be
some service complexity.

It may be better than the current situation, but that's still to be seen.


Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation

2015-06-04 Thread Pavel Odintsov
Brilliant idea! But in Docker we could offer only sflow and sflow. Port
mirror capture needs support from the kernel side. Will try shortly!

On Thursday, June 4, 2015, Roberto Bertó  wrote:

> What about we build a Docker?
>
> 2015-06-04 14:47 GMT-03:00 Alexander Maassen  >:
>
> > It's a security tool. So ppl using it want to publicly hide the fact they
> > use it in case you screw up and it contains leaks ;)
> >
> >  Original message 
> > From: Pavel Odintsov >
> > Date:
> > To: Jim Popovitch >
> > Cc: nanog@nanog.org 
> > Subject: Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS
> > mitigation
> >
> > Looks like many folks want to hide company emails ;) I'm a good guy and
> > will not spam or offer something ;)))
> >
> > But I'm impressed by the amount of off-list requests. Really huge interest
> > in the tool.
> >
> > On Thursday, June 4, 2015, Jim Popovitch  > wrote:
> >
> > > There's a surprising amount of GMail (yes, including me) and new-ness
> > > in this thread.Should I be impressed with the freshness or
> > > concerned about astroturfing?   :-)
> > >
> > > Bah Humbug!
> > >
> > > -Jim P.
> > >
> >
> >
> > --
> > Sincerely yours, Pavel Odintsov
> >
>


-- 
Sincerely yours, Pavel Odintsov


VPS + BGP session

2015-06-04 Thread Sadiq Saif
Hi,

I am looking for providers that can provide me a VPS with a BGP session
so I can announce my PI IP space (v4 + v6). I have looked at other
threads on NANOG regarding this and already have sessions up with ARP
Networks, Mythic Beasts, and Knightswarm. Host Virtual is unfortunately
out of my budget.

I am looking for providers in the east coast USA and Asia Pacific
regions at this time.

Any pointers are appreciated!

-- 
Sadiq Saif (AS393949)
https://staticsafe.ca


Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation

2015-06-04 Thread Roberto Bertó
What about we build a Docker?

2015-06-04 14:47 GMT-03:00 Alexander Maassen :

> It's a security tool. So ppl using it want to publicly hide the fact they
> use it in case you screw up and it contains leaks ;)
>
>  Original message 
> From: Pavel Odintsov 
> Date:
> To: Jim Popovitch 
> Cc: nanog@nanog.org
> Subject: Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS
> mitigation
>
> Looks like many folks want to hide company emails ;) I'm a good guy and will
> not spam or offer something ;)))
>
> But I'm impressed by the amount of off-list requests. Really huge interest
> in the tool.
>
> On Thursday, June 4, 2015, Jim Popovitch  wrote:
>
> > There's a surprising amount of GMail (yes, including me) and new-ness
> > in this thread.Should I be impressed with the freshness or
> > concerned about astroturfing?   :-)
> >
> > Bah Humbug!
> >
> > -Jim P.
> >
>
>
> --
> Sincerely yours, Pavel Odintsov
>


Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation

2015-06-04 Thread Alexander Maassen
It's a security tool. So ppl using it want to publicly hide the fact they use 
it in case you screw up and it contains leaks ;)

 Original message 
From: Pavel Odintsov  
Date:  
To: Jim Popovitch  
Cc: nanog@nanog.org 
Subject: Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation 
 
Looks like many folks want to hide company emails ;) I'm a good guy and will
not spam or offer something ;)))

But I'm impressed by the amount of off-list requests. Really huge interest
in the tool.

On Thursday, June 4, 2015, Jim Popovitch  wrote:

> There's a surprising amount of GMail (yes, including me) and new-ness
> in this thread.    Should I be impressed with the freshness or
> concerned about astroturfing?   :-)
>
> Bah Humbug!
>
> -Jim P.
>


-- 
Sincerely yours, Pavel Odintsov


Re: AWS Elastic IP architecture

2015-06-04 Thread Måns Nilsson
Subject: Re: AWS Elastic IP architecture Date: Thu, Jun 04, 2015 at 01:16:03PM 
-0400 Quoting Christopher Morrow (morrowc.li...@gmail.com):
> On Thu, Jun 4, 2015 at 5:11 AM, Owen DeLong  wrote:
> > I’d argue that SSH is several thousand, not a few hundred. In any case, I 
> > suppose you can make the argument that only a few people are trying to 
> > access their home network resources remotely other than via some sort of 
> > proxy/rendezvous service. However, I would argue that such services exist 
> > solely to provide a workaround for the deficiencies in the network 
> > introduced by NAT. Get rid of the stupid NAT and you no longer need such 
> > services.
> 
> This is an interesting argument/point, but if you remove the rendezvous
> service then how do you find the thing in your house? now the user has
> to manage DNS, or the service in question has to manage a dns entry
> for the customer, right?

Or something.
 
> you'll be moving the (some of the) pain from 'nat' to 'dns' (or more
> generally naming and identification). I think though that in a better
> world, a service related to the thing you want to prod from outside
> would manage this stuff for you.

Possibly. 

> It's important (I think) to not simplify the discussion as: "Oh, with
> ipv6 magic happens!" because there are still problems and design
> things to overcome even with unhindered end-to-end connectivity.

You have successfully demonstrated that users will need some locating
service. More so with the cure-all IPv6; because remembering hex is hard
for People(tm).

You have, however, not shown that all the possible ways of building a
locating service that become available once the end-points are uniquely
reachable (and thus, as long as we're OK with finding just the right host,
identifiable) present an equal level of suckage.

I believe that while the work indeed can be daunting for a sufficiently
pessimal selection of users, the situation so improves (if we look at
simplicity of protocol design and resulting fragility) when the end-points
can ignore any middleboxes that the net result, measured as inconvenience
imposed on a standard End User, will improve.

-- 
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE +46 705 989668
Why is everything made of Lycra Spandex?




Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation

2015-06-04 Thread Pavel Odintsov
Looks like many folks want to hide company emails ;) I'm a good guy and will
not spam or offer something ;)))

But I'm impressed by the amount of off-list requests. Really huge interest
in the tool.

On Thursday, June 4, 2015, Jim Popovitch  wrote:

> There's a surprising amount of GMail (yes, including me) and new-ness
> in this thread.Should I be impressed with the freshness or
> concerned about astroturfing?   :-)
>
> Bah Humbug!
>
> -Jim P.
>


-- 
Sincerely yours, Pavel Odintsov


Re: AWS Elastic IP architecture

2015-06-04 Thread Christopher Morrow
On Thu, Jun 4, 2015 at 5:11 AM, Owen DeLong  wrote:
> I’d argue that SSH is several thousand, not a few hundred. In any case, I 
> suppose you can make the argument that only a few people are trying to access 
> their home network resources remotely other than via some sort of 
> proxy/rendezvous service. However, I would argue that such services exist 
> solely to provide a workaround for the deficiencies in the network introduced 
> by NAT. Get rid of the stupid NAT and you no longer need such services.

This is an interesting argument/point, but if you remove the rendezvous
service then how do you find the thing in your house? now the user has
to manage DNS, or the service in question has to manage a dns entry
for the customer, right?

you'll be moving the (some of the) pain from 'nat' to 'dns' (or more
generally naming and identification). I think though that in a better
world, a service related to the thing you want to prod from outside
would manage this stuff for you.

It's important (I think) to not simplify the discussion as: "Oh, with
ipv6 magic happens!" because there are still problems and design
things to overcome even with unhindered end-to-end connectivity.


Re: NANOG 64 recordings

2015-06-04 Thread Victor Zakharyev
Does anyone have videos from Google presentations on Telemetry?

Thanks!

Victor

Thu, 4 Jun 2015 at 9:51, Jay Ashworth :

> - Original Message -
> > From: "Sadiq Saif" 
>
> > For those that missed them:
> > https://www.youtube.com/playlist?list=PLO8DR5ZGla8ju3ftZv_S6L12jBkZKEJVZ
>
> Oh, outstanding.  Thanks.
>
> Cheers,
> -- jra
> --
> Jay R. Ashworth  Baylink   j...@baylink.com
> Designer The Things I Think   RFC 2100
> Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
> St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274
>


Re: AWS Elastic IP architecture

2015-06-04 Thread Christopher Morrow
On Thu, Jun 4, 2015 at 5:16 AM, Owen DeLong  wrote:
>
>> On Jun 3, 2015, at 9:24 PM, Christopher Morrow  
>> wrote:
>
>> let's skip all NAT discussions on this topic from here on out, yes?
>
> Only if you can promise me 100% that the NAT in question will not break 
> anything.

:) people don't seem to be bothered today.


Should I Reboot, and Why? (was Re: [RDD] No Play out on Cart Wall)

2015-06-04 Thread Jay Ashworth
- Original Message -
> From: "Cowboy" 

> On Sunday 31 May 2015 03:49:10 pm Graham Wilman wrote:

> > after getting the play out working on clienta terminal for the past
> > 6 days
> > the decision was taken today to get clientb terminal working which
> > it now partially is
> > unfortunately once all 3 terminals the server.clienta and clientb
> > were rebooted I could
> > not get play out to work on clienta again
> 
> Re-booted why ?
> I've often said that rebooting a *nix machine is usually a bad idea.

And, again, a good time to recap some of Good Sysadmin Practice:

In the Windows world, it's often recommended that you reboot a machine that
is acting -- as we say in support -- hincky.  That's because Windows is
sufficiently complicated and fragile that things can get corrupt at
runtime, and the simple fact you rebooted it can fix a problem.

That's traditionally not been true in the *nix world; particularly on 
purpose-built single function servers, there simply isn't enough code
running at once to allow for the sort of complicated, multiplicative
complexity failures that you see in many Windows machines.

But does that mean you should never reboot a Linux box, just because
you usually don't *have* to, to fix your problem?

No, it doesn't, and here's why:

Some of the things you might change in your configuration can affect
how things start *when* you boot up, and if you've adjusted one of them,
the time to boot it and find out *is right now, when you've just made the
change and it's fresh in your mind*, not 6 months from now at 3 in the 
morning, when you don't remember what you did.

Well, I suppose you could look in your logbook.  Or check your ticketing
system.  :-)

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: Verizon FiOS outbound mail TLS problem - Superpages people here?

2015-06-04 Thread Blake Hudson
I have no relation, but as a mail server operator I can say that I
wouldn't be surprised if this is actually a TLS version mismatch or
intolerance problem. I would suggest ensuring that both ends support TLS
1.0, 1.1, and 1.2 and use version-tolerant TLS implementations. Next on
the short list would be not having compatible ciphers between the two
servers.


Either way, since the error was a 403 error, the expected behavior would
be to queue and retry in plain text. Sounds like a broken MTA
implementation or misconfiguration if the sending servers do not revert
to plain text.


--Blake

Jay Ashworth wrote on 6/4/2015 11:15 AM:

Anyone on the list who does outbound delivery for Verizon (which I think
is actually Superpages)?  A client has smart-hosted outbounds to *one*
of his customers bouncing suddenly with

   Deferred: 403 4.7.0 TLS handshake failed.

*My* inclination is to think that a cert expired somewhere, but his non-tech
contact there tells him that the tech people think things are ok.

I'm trying to get a mailer log fragment from them.

Cheers,
-- jra





Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation

2015-06-04 Thread Jim Popovitch
There's a surprising amount of GMail (yes, including me) and new-ness
in this thread.Should I be impressed with the freshness or
concerned about astroturfing?   :-)

Bah Humbug!

-Jim P.


Re: NANOG 64 recordings

2015-06-04 Thread Jay Ashworth
- Original Message -
> From: "Sadiq Saif" 

> For those that missed them:
> https://www.youtube.com/playlist?list=PLO8DR5ZGla8ju3ftZv_S6L12jBkZKEJVZ

Oh, outstanding.  Thanks.

Cheers,
-- jra
-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: FastNetMon 1.1.2 - open source solution for DoS/DDoS mitigation

2015-06-04 Thread Jahangir Hossain
Dear Pavel,

This is definitely an interesting project.
I already tested the previous version but due to some feature limitations I
could not continue, but I think this new version adds very important
features. Definitely I will trial the new version soon.



On Wed, Jun 3, 2015 at 2:16 AM, Pavel Odintsov wrote:

> Hello, Nanog!
>
> I'm very pleased to present my open source DoS/DDoS attack monitoring
> toolkit here!
>
> We have spent about 10 months on the development of FastNetMon and can
> present a huge feature list now! :)
>
> Stop! What is FastNetMon?
>
> It's a really very fast toolkit that can find an attacked host in your
> network and block it (or redirect it to a filtering appliance).
>
> This solution could save your network and your sleep :)
>
> Our site is located here: https://github.com/FastVPSEestiOu/fastnetmon
>
> We support the following engines for traffic capture:
> - Netflow (v5, v9 and IPFIX)
> - sFLOW v5
> - port mirror/SPAN (PF_RING and netmap supported)
>
> We also have deep integration with ExaBGP (huge thanks to Thomas
> Mangin) for triggering a blackhole on the core router or upstream.
>
> Since version 1.0 we have added support for the following features:
> - Ability to detect the most popular attack types: syn_flood, icmp_flood,
> udp_flood, ip_fragmentation_flood
> - Added support for Netmap on Linux (we have prepared a special driver
> for ixgbe users: https://github.com/pavel-odintsov/ixgbe-linux-netmap)
> and FreeBSD.
> - Added support for PF_RING ZC (very fast but needs a license from the ntop folks)
> - Added the ability to collect netflow v9/IPFIX data from multiple devices
> with different template sets
> - Basic support for IPv6 (we can receive netflow data over IPv6)
> - Added plugin support for capture engines
> - Added support for L2TP decapsulation (important for DDoS attack
> detection inside tunnels)
> - Added the ability to store attack details in Redis
> - Added Graphite/Grafana integration for traffic visualization
> - Added a systemd unit file
> - Added the ability to unblock a host after some timeout
> - Introduced support for moving averages for all counters
> - Added ExaBGP integration. We can announce the attacked host via BGP to
> the border router or uplink
> - Added many more details to the attack report
> - Added the ability to store the attack fingerprint in a file
>
> We have complete support for the following platforms:
> - Fedora 21
> - Debian 6, 7, 8
> - CentOS 6, 7
> - FreeBSD 9, 10, 11
> - DragonflyBSD 4
> - MacOS X 10.10
>
> From the network equipment side we have tested the solution with:
> - Cisco ASR
> - Juniper MX
> - Extreme Summit
> - ipt_NETFLOW Linux
>
> We have binary packages for these operating systems:
> - CentOS 6:
> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/CentOS6
> - CentOS 7:
> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/CentOS7
> - Fedora 21:
> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/packages/Fedora21
> - FreeBSD:
> https://github.com/FastVPSEestiOu/fastnetmon/tree/master/src/FreeBSD_port
>
> For any other operating system we recommend the automatic installer
> script:
> https://github.com/FastVPSEestiOu/fastnetmon/blob/master/docs/INSTALL.md
>
> Please join our mailing list or ask about anything here:
> https://groups.google.com/forum/#!forum/fastnetmon
>
> Thank you for your attention!
>
> --
> Sincerely yours, Pavel Odintsov
>



-- 
- Jahangir


Verizon FiOS outbound mail TLS problem - Superpages people here?

2015-06-04 Thread Jay Ashworth
Anyone on the list who does outbound delivery for Verizon (which I think
is actually Superpages)?  A client has smart-hosted outbounds to *one* 
of his customers bouncing suddenly with 

  Deferred: 403 4.7.0 TLS handshake failed.

*My* inclination is to think that a cert expired somewhere, but his non-tech
contact there tells him that the tech people think things are ok.

I'm trying to get a mailer log fragment from them.  

Cheers,
-- jra

-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: AWS Elastic IP architecture

2015-06-04 Thread Owen DeLong

> On Jun 3, 2015, at 9:24 PM, Christopher Morrow wrote:
> 
> On Wed, Jun 3, 2015 at 7:56 AM, Owen DeLong  wrote:
>> For example, let’s say you have 20 machines for whom you want to allow 
>> inbound SSH access. In the IPv4 world, with NAT, you have to configure an 
>> individual port mapping for each machine and you have to either configure 
>> all of the SSH clients, or, specify the particular port for the machine you 
>> want to get to on the command line.
> 
> in the original case in question the fact that there's nat happening
> isn't material... so all of this discussion of NAT is a red herring,
> right? the user of AWS services cares not that 'nat is happening',
> because they can simply RESTful up a VM instance and ssh into it in
> ~30 seconds, no config required.

That depends… If they have a public address ON their machine or dedicated to 
their machine, then, they MAY not care that NAT is occurring.

If they want to run SIP or some other protocol which depends on being able to 
tell the far end where to connect for secondary channels, then they may care 
anyway.

You can reduce the number of things that NAT breaks, but you can’t eliminate 
them all.

> let's skip all NAT discussions on this topic from here on out, yes?

Only if you can promise me 100% that the NAT in question will not break 
anything.

Owen



Re: AWS Elastic IP architecture

2015-06-04 Thread Owen DeLong
>>> 
>>> IPv4 with NAT, standard NAT/firewall traversal techniques are used so that 
>>> things inside your house are reachable as necessary. Almost nobody 
>>> configures their firewall to open up anything.
>> 
>> HuH?
>> 
>> How do I SSH into my host behind my home NAT firewall without configuration 
>> of the firewall?
> 
> Nobody but you and a few hundred other people on this mailing list SSH into 
> hosts at your home.

SSH, VNC, HTTP, HTTPS, LPD, whatever… Pick your service. SSH was just an 
example.


> Everyone else in the entire world reaches hosts at their house through their 
> firewall just fine because those hosts are their Nest thermostat, or their 
> Dropcam, or their PC running Skype, or maybe (in rare cases) something like 
> LogMeIn.

I’d argue that SSH is several thousand, not a few hundred. In any case, I 
suppose you can make the argument that only a few people are trying to access 
their home network resources remotely other than via some sort of 
proxy/rendezvous service. However, I would argue that such services exist 
solely to provide a workaround for the deficiencies in the network introduced 
by NAT. Get rid of the stupid NAT and you no longer need such services.

Even if you want to consider all of those services, the reality is that their 
codebases could be substantially improved and simplified as well as their 
security posture improved by eliminating NAT.

> None of those people ever touch the settings of the device they had delivered 
> by their ISP and/or purchased at Best Buy. Not ever.

Sure… They all live like sheeple not even realizing that they’ve been handed a 
deficient and limited internet incapable of living up to its potential. They 
remain blissfully ignorant that they are a rat in a digital cage because they 
are unaware of life outside the cage. What’s your point?

Are you claiming this makes cages a good thing? Are you claiming that since the 
rats are not demanding to be let out of their cages, we shouldn’t seek to 
create an environment where cages are not needed?

>> You are making no sense here. NAT Traversal techniques provide for outbound 
>> connections and/or a way that a pseudo-service can create an inbound 
>> connection that looks like an outbound connection to the firewall.
>> 
>> It does not in any way provide for generic inbound access to ordinary 
>> services without configuration.
> 
> So what?
> 
> Nobody (to several levels of statistical significance) needs "generic inbound 
> access to ordinary services". Heck, the only "ordinary services" that exist 
> any more are HTTP/HTTPS.

This simply isn’t true. To the limited extent that it is true, the reality is 
that it is a consequence of the limitations of IPv4 and NAT rather than a state 
that anyone other than you ever really considered desirable.

>>>> IPv6 — I add a permit statement to the firewall to allow the traffic in to 
>>>> each host/group of hosts that I want and I am done.
>>> 
>>> IPv6, standard NAT/firewall traversal techniques are used so that things 
>>> inside your house are reachable as necessary. Still almost nobody 
>>> configures their firewall to open up anything.
>> 
>> Why would one use NAT with IPv6… You’re making no sense there.
> 
> I didn't say you would... but you need firewall traversal, and the "standard 
> NAT and firewall traversal techniques" are how you traverse your IPv6 
> firewall.

That’s an awful lot of icky overhead vs. the simple clean solution of 
permitting desired traffic.

I suspect that in the IPv6 world, eventually, rather than silly hacks like 
UPnP, STUN, etc., we will see, instead, standardized APIs for authenticating 
with the firewall and automated mechanisms for adding permission after 
authentication.

>>> For those who do, the work needed to open up a few host/port mappings in 
>>> IPv4 is basically identical to opening up a few hosts and ports for IPv6.
>> 
>> Not really…
>> 
>> For example, let’s say you have 20 machines for whom you want to allow 
>> inbound SSH access. In the IPv4 world, with NAT, you have to configure an 
>> individual port mapping for each machine and you have to either configure 
>> all of the SSH clients, or, specify the particular port for the machine you 
>> want to get to on the command line.
> 
> Ok, you go find me 1000 households where nobody in the house is on the NANOG 
> list but where there are 20 machines running SSH already installed.

OK, half a dozen Video Game consoles or whatever other service you want to 
imagine.

Just because the standard way to do things today is with silly workarounds 
required by the lack of address transparency created by NAT, that doesn’t mean 
we have to continue to do things so badly in the future.

>> On the other hand, with IPv6, let’s say the machines are all on 
>> 2001:db8::/64. Further, let’s say that I group machines for which I want to 
>> provide SSH access within 2001:db8::22:0:0:0/80. I can add a single firewall 
>> entry which covers this /80 and I’m done. I c