Re: NAT firewall for IPv6?

2016-07-05 Thread Larry Sheldon



On 7/5/2016 18:46, Matt Palmer wrote:

> On Fri, Jul 01, 2016 at 09:28:54PM -0500, Edgar Carver wrote:
>
>> Hello NANOG community. I was directed here by our network administrator
>> since she is on vacation. Luckily, I minored in Computer Science so I have
>> some familiarity.
>
> Well played, Tay.  Well played.


I was suspicious at the "minored" announcement, but it looked so much 
like traffic here.


I guess the reality is that for legitimate traffic, this list is used 
only as a "calling frequency" with the "working frequency" being 
somewhere secret.


Sad.



> For everyone else:
>
> https://twitter.com/SwiftOnSecurity/status/749062835687174144


--
"Everybody is a genius.  But if you judge a fish by
its ability to climb a tree, it will live its whole
life believing that it is stupid."

--Albert Einstein

From Larry's Cox account.


Re: NAT firewall for IPv6?

2016-07-05 Thread Matt Palmer
On Fri, Jul 01, 2016 at 09:28:54PM -0500, Edgar Carver wrote:
> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation. Luckily, I minored in Computer Science so I have
> some familiarity.

Well played, Tay.  Well played.

For everyone else:

https://twitter.com/SwiftOnSecurity/status/749062835687174144

- Matt



Re: NAT firewall for IPv6?

2016-07-05 Thread Eric Kuhnke
You know the cosmological model that the earth is balanced on the back of a
giant turtle, which is supported by successive lower tiers of other turtles?

https://en.wikipedia.org/wiki/Turtles_all_the_way_down

It's like that, except it's trolls all the way down.



On Tue, Jul 5, 2016 at 3:24 PM, Chase Christian  wrote:

> The original email was not a serious question, but a joke:
>
> https://twitter.com/SwiftOnSecurity/status/749059605360062464
> https://twitter.com/SwiftOnSecurity/status/749062835687174144
> https://twitter.com/SwiftOnSecurity/status/749068172460847105
>
>
>
> On Tue, Jul 5, 2016 at 1:41 PM, Naslund, Steve 
> wrote:
>
> > It is all about defense in depth.  The engineers here are speaking to the
> > network pieces (the second N in NANOG is network, right :) and we have told
> > this person that it is unlikely that v6 is the only vector and I myself
> > talked about malware handling on the clients themselves.  From a network
> > engineering perspective many of us agreed that the biggest single threat to
> > his network was a firewall in an unknown state with an unknown
> > administrator password that could be owned by anyone on earth at this
> > point.  That single piece threatens the entire network as a whole and is a
> > ticking time bomb ready to blow his entire LAN off the Internet if it fails.
> >
> > He probably does not own the entire environment himself, he is filling in
> > for a vacationing network engineer.  So he is working on the network piece
> > and is probably not responsible for the anti-malware software on the
> > clients (if anyone is, see below).
> >
> > Our "support" as you call it was a response to this person's questions about
> > blocking v6 as an attack vector in the first place.  We answered his
> > question but then told him that was unlikely to be the problem and what he
> > should do about taking back his firewall, securing v6 via the firewall, and
> > handling the malware at the client.  Seems solid advice to me so far.
> >
> > BTW we did not bill him for anything.  He got a lot of free advice from a
> > lot of people he could not even begin to afford to employ, so not a bad
> > deal for him.  You also have to understand that this gentleman seems to be
> > in an educational environment which usually means lots of clients he does
> > not have control over so having some kind of network based malware control
> > is helpful.  Clients in this type of environment have to defend themselves
> > from each other and he will likely have stuff brought in from the outside.
> > Good malware detection in the network can help identify clients that
> > contain malware and are a threat to other devices.  Fancier network
> > gear/IDS/IDP would actually remove offending clients from the network or at
> > least segment them into an isolation area.
> >
> > Let me reiterate:
> >
> > 1.  Take back ownership of your firewall and bring it up to
> > date including new malware signatures.  If you don't have current support,
> > get it...directly so if your consultant bails you are not dead
> > meat.  This will ensure that the outside world will not own or control
> > stuff inside your network while you put the fires out.  At the very least
> > it can keep malware infected machines from phoning home to their command
> > and control servers which sometimes prevents a lot of damage.
> > 2.  Make your v6 rules mirror at least the security level of
> > your v4 rules.  Passing v6 unchallenged is unacceptable.  If your firewall
> > won't do it replace it with one that will.
> > 3.  Ensure all clients under your control have current
> > anti-virus/anti-malware detection.  Clients have to defend themselves from
> > threats internal to the firewall as well as ones outside.  Don't be hard on
> > the outside with a soft chewy center.
> > 4.  Never, ever accept anything less than full administrative
> > control passwords and accounts from your consultants, before you give them
> > final payment.  I actually prefer to lock them out when they complete an
> > install until I need them to help with something.  This prevents them from
> > holding you hostage or one of their "postal" employees from wiping you out
> > as well as preventing them from using your network for experimentation
> > without you knowing it.  It is an important part of change control to
> > ensure that outsiders cannot modify your configuration without contacting
> > you first.  We usually give our consultants highly logged VPN accounts that
> > we can disable or enable as needed.
> >
> > Steven Naslund
> > Chicago IL
> >
> >
> >
> > >>No while that is also needed, it is very unlikely to fix his issue. The
> > issue at hand is that some of their computers have become virus infected.
> > >>The fix for that is to upgrade the virus scanner and make sure that
> > all software upgrades are done.
> >
> > >>Someone comes to you and says his 

Re: NAT firewall for IPv6?

2016-07-05 Thread Larry Sheldon

My how the world has changed!

On 7/1/2016 21:28, Edgar Carver wrote:

> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation.


I am Old School, I guess.  In my day Step One would be "Fire the 
administrator."  The job is by nature a 24 X 7 X 52 job and "On Call" 
the rest of the time.  "Vacation" is never a reason to leave your 
assignment insecure.


"NAT-based firewall"?  Really?

How long has the consultant been out of business?

> Luckily, I minored in Computer Science so I have
> some familiarity.


I have no idea how I fat-fingered a "send" at this point.

I started to write that you have an emergency on your hands and you need 
to focus your attention on finding a person or firm that can take charge 
and fix problems you don't even know about yet.


A "Dear Abby" approach is going to do way more harm than good.

--
"Everybody is a genius.  But if you judge a fish by
its ability to climb a tree, it will live its whole
life believing that it is stupid."

--Albert Einstein

From Larry's Cox account.


Re: NAT firewall for IPv6?

2016-07-05 Thread Larry Sheldon

My how the world has changed!

On 7/1/2016 21:28, Edgar Carver wrote:

> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation.


I am Old School, I guess.  In my day Step One would be "Fire the 
administrator."  The job is by nature a 24 X 7 X 52 job and "On Call" 
the rest of the time.  "Vacation" is never a reason to leave your 
assignment insecure.


"NAT-based firewall"?  Really?

How long has the consultant been out of business?

> Luckily, I minored in Computer Science so I have
> some familiarity.
>
> We have a small satellite campus of around 170 devices that share one
> external IPv4 and IPv6 address via NAT for internet traffic. Internal
> traffic is over an MPLS.
>
> We're having problems where viruses are getting through Firefox, and we
> think it's because our Palo Alto firewall is set to bypass filtering for
> IPv6. Unfortunately, the network admin couldn't give me the password since
> a local consultant set it up, and it seems they went out of business. I
> need to think outside the box.
>
> Is there some kind of NAT-based IPv6 firewall I can set up on the router
> that can help block viruses? I figure that's the right place to start since
> all the traffic gets funneled there. We have a Cisco Catalyst as a
> router. Or, ideally, is there an easy way to turn off IPv6 completely? I
> really don't see a need for it, any legitimate service should have an IPv4
> address.
>
> I'd really appreciate your advice. I plan to drive out there tomorrow,
> where I can get the exact model numbers and stuff.
>
> Regards,
> Dr. Edgar Carver



--
"Everybody is a genius.  But if you judge a fish by
its ability to climb a tree, it will live its whole
life believing that it is stupid."

--Albert Einstein

From Larry's Cox account.


Re: NAT firewall for IPv6?

2016-07-05 Thread Scott Weeks


--- se...@rollernet.us wrote:
From: Seth Mattinen 

On 7/1/16 19:28, Edgar Carver wrote:
> Hello NANOG community. I was directed here 
> by our network administrator since she is 
> on vacation. Luckily, I minored in Computer 
> Science so I have some familiarity.


:: This is not legit, y'all are being trolled.



Luckily, I can't imagine having such a sh!++y
life that this is seen as fun.  

Apparently, the high school kids got tired of 
ordering pizza to the next door neighbor's 
house and watching them get mad.

scott




Re: NAT firewall for IPv6?

2016-07-05 Thread Seth Mattinen

On 7/1/16 19:28, Edgar Carver wrote:

> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation. Luckily, I minored in Computer Science so I have
> some familiarity.



This is not legit, y'all are being trolled.

~Seth


Re: NAT firewall for IPv6?

2016-07-05 Thread Chase Christian
The original email was not a serious question, but a joke:

https://twitter.com/SwiftOnSecurity/status/749059605360062464
https://twitter.com/SwiftOnSecurity/status/749062835687174144
https://twitter.com/SwiftOnSecurity/status/749068172460847105



On Tue, Jul 5, 2016 at 1:41 PM, Naslund, Steve  wrote:

> It is all about defense in depth.  The engineers here are speaking to the
> network pieces (the second N in NANOG is network, right :) and we have told
> this person that it is unlikely that v6 is the only vector and I myself
> talked about malware handling on the clients themselves.  From a network
> engineering perspective many of us agreed that the biggest single threat to
> his network was a firewall in an unknown state with an unknown
> administrator password that could be owned by anyone on earth at this
> point.  That single piece threatens the entire network as a whole and is a
> ticking time bomb ready to blow his entire LAN off the Internet if it fails.
>
> He probably does not own the entire environment himself, he is filling in
> for a vacationing network engineer.  So he is working on the network piece
> and is probably not responsible for the anti-malware software on the
> clients (if anyone is, see below).
>
> Our "support" as you call it was a response to this person's questions about
> blocking v6 as an attack vector in the first place.  We answered his
> question but then told him that was unlikely to be the problem and what he
> should do about taking back his firewall, securing v6 via the firewall, and
> handling the malware at the client.  Seems solid advice to me so far.
>
> BTW we did not bill him for anything.  He got a lot of free advice from a
> lot of people he could not even begin to afford to employ, so not a bad
> deal for him.  You also have to understand that this gentleman seems to be
> in an educational environment which usually means lots of clients he does
> not have control over so having some kind of network based malware control
> is helpful.  Clients in this type of environment have to defend themselves
> from each other and he will likely have stuff brought in from the outside.
> Good malware detection in the network can help identify clients that
> contain malware and are a threat to other devices.  Fancier network
> gear/IDS/IDP would actually remove offending clients from the network or at
> least segment them into an isolation area.
>
> Let me reiterate:
>
> 1.  Take back ownership of your firewall and bring it up to
> date including new malware signatures.  If you don't have current support,
> get it...directly so if your consultant bails you are not dead
> meat.  This will ensure that the outside world will not own or control
> stuff inside your network while you put the fires out.  At the very least
> it can keep malware infected machines from phoning home to their command
> and control servers which sometimes prevents a lot of damage.
> 2.  Make your v6 rules mirror at least the security level of
> your v4 rules.  Passing v6 unchallenged is unacceptable.  If your firewall
> won't do it replace it with one that will.
> 3.  Ensure all clients under your control have current
> anti-virus/anti-malware detection.  Clients have to defend themselves from
> threats internal to the firewall as well as ones outside.  Don't be hard on
> the outside with a soft chewy center.
> 4.  Never, ever accept anything less than full administrative
> control passwords and accounts from your consultants, before you give them
> final payment.  I actually prefer to lock them out when they complete an
> install until I need them to help with something.  This prevents them from
> holding you hostage or one of their "postal" employees from wiping you out
> as well as preventing them from using your network for experimentation
> without you knowing it.  It is an important part of change control to
> ensure that outsiders cannot modify your configuration without contacting
> you first.  We usually give our consultants highly logged VPN accounts that
> we can disable or enable as needed.
>
> Steven Naslund
> Chicago IL
>
>
>
> >>No while that is also needed, it is very unlikely to fix his issue. The
> issue at hand is that some of their computers have become virus infected.
> >>The fix for that is to upgrade the virus scanner and make sure that
> all software upgrades are done.
>
> >>Someone comes to you and says his Firefox is getting infected through
> IPv6.
> >>If your support is worth anything, you will not take that at face value
> and bill him for a ton of work related to IPv6. No, you will go find out what
> the real issue is and solve that. The only thing we know right now is that
> he is confused.
> >>
> >>Regards,
> >>
> >>Baldur
>


Office 365

2016-07-05 Thread Ryan Finnesey
I was hoping to touch base with providers that are offering Office 365 or would 
like to offer Office 365.  Please ping me off list; I have a few questions.

Cheers
Ryan



RE: NAT firewall for IPv6?

2016-07-05 Thread Naslund, Steve
It is all about defense in depth.  The engineers here are speaking to the 
network pieces (the second N in NANOG is network, right :) and we have told 
this person that it is unlikely that v6 is the only vector and I myself talked 
about malware handling on the clients themselves.  From a network engineering 
perspective many of us agreed that the biggest single threat to his network was 
a firewall in an unknown state with an unknown administrator password that 
could be owned by anyone on earth at this point.  That single piece threatens 
the entire network as a whole and is a ticking time bomb ready to blow his 
entire LAN off the Internet if it fails.  

He probably does not own the entire environment himself, he is filling in for a 
vacationing network engineer.  So he is working on the network piece and is 
probably not responsible for the anti-malware software on the clients (if 
anyone is, see below).

Our "support" as you call it was a response to this person's questions about 
blocking v6 as an attack vector in the first place.  We answered his question 
but then told him that was unlikely to be the problem and what he should do 
about taking back his firewall, securing v6 via the firewall, and handling the 
malware at the client.  Seems solid advice to me so far.

BTW we did not bill him for anything.  He got a lot of free advice from a lot 
of people he could not even begin to afford to employ, so not a bad deal for 
him.  You also have to understand that this gentleman seems to be in an 
educational environment which usually means lots of clients he does not have 
control over so having some kind of network based malware control is helpful.  
Clients in this type of environment have to defend themselves from each other 
and he will likely have stuff brought in from the outside.  Good malware 
detection in the network can help identify clients that contain malware and are 
a threat to other devices.  Fancier network gear/IDS/IDP would actually remove 
offending clients from the network or at least segment them into an isolation 
area.

Let me reiterate:

1.  Take back ownership of your firewall and bring it up to date 
including new malware signatures.  If you don't have current support, get 
it...directly so if your consultant bails you are not dead meat.  This 
will ensure that the outside world will not own or control stuff inside your 
network while you put the fires out.  At the very least it can keep malware 
infected machines from phoning home to their command and control servers which 
sometimes prevents a lot of damage.
2.  Make your v6 rules mirror at least the security level of your 
v4 rules.  Passing v6 unchallenged is unacceptable.  If your firewall won't do 
it replace it with one that will.
3.  Ensure all clients under your control have current 
anti-virus/anti-malware detection.  Clients have to defend themselves from 
threats internal to the firewall as well as ones outside.  Don't be hard on the 
outside with a soft chewy center.
4.  Never, ever accept anything less than full administrative 
control passwords and accounts from your consultants, before you give them 
final payment.  I actually prefer to lock them out when they complete an 
install until I need them to help with something.  This prevents them from 
holding you hostage or one of their "postal" employees from wiping you out as 
well as preventing them from using your network for experimentation without you 
knowing it.  It is an important part of change control to ensure that outsiders 
cannot modify your configuration without contacting you first.  We usually give 
our consultants highly logged VPN accounts that we can disable or enable as 
needed.

Steven Naslund
Chicago IL



>>No while that is also needed, it is very unlikely to fix his issue. The issue 
>>at hand is that some of their computers have become virus infected.
>>The fix for that is to upgrade the virus scanner and make sure that all 
>>software upgrades are done.

>>Someone comes to you and says his Firefox is getting infected through IPv6.
>>If your support is worth anything, you will not take that at face value and 
>>bill him for a ton of work related to IPv6. No, you will go find out what the 
>>real issue is and solve that. The only thing we know right now is that he is 
>>confused.
>>
>>Regards,
>>
>>Baldur
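Added example, written for this page rather than taken from the thread or from any firewall vendor: a vendor-neutral audit of Steve's points that the v6 rules should mirror at least the v4 rules and that passing v6 unchallenged is unacceptable, run over a constructed rule list. The zone names, the rule fields and the simplification that rules are compared by zone pair and service (ignoring first-match ordering) are all assumptions.

```python
# Added example, not code from the NANOG thread or from any firewall vendor.
# It audits a constructed, vendor-neutral rule list for the two problems the
# thread discusses: v4 rules with no equally strict v6 counterpart, and a v6
# "bypass filtering" allow-all.  Simplification (assumed): rules are matched by
# (src_zone, dst_zone, service); first-match ordering is ignored.
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    family: int      # 4 or 6
    src_zone: str    # "trust", "untrust" or "any" (assumed zone names)
    dst_zone: str
    service: str     # e.g. "tcp/443" or "any"
    action: str      # "allow" or "deny"


def policy_key(rule: Rule) -> tuple:
    """The part of a rule that must agree between the v4 and v6 policies."""
    return (rule.src_zone, rule.dst_zone, rule.service)


def parity_gaps(rules: list) -> list:
    """Report v4 rules that have no v6 counterpart, or whose v6 counterpart is
    more permissive (v4 denies, v6 allows).  Returns (rule name, reason) pairs."""
    v4 = {policy_key(r): r for r in rules if r.family == 4}
    v6 = {policy_key(r): r for r in rules if r.family == 6}
    gaps = []
    for key, r4 in v4.items():
        r6 = v6.get(key)
        if r6 is None:
            gaps.append((r4.name, "no IPv6 counterpart"))
        elif r4.action == "deny" and r6.action == "allow":
            gaps.append((r4.name, f"IPv6 rule '{r6.name}' allows what IPv4 denies"))
    return gaps


def unchallenged_v6(rules: list) -> list:
    """Names of v6 rules that allow any source, any destination, any service:
    the 'bypass filtering for IPv6' configuration described in the thread."""
    return [r.name for r in rules
            if r.family == 6 and r.action == "allow"
            and r.src_zone == "any" and r.dst_zone == "any" and r.service == "any"]


def has_default_deny(rules: list, family: int) -> bool:
    """True when the address family has an explicit deny-all rule."""
    return any(r.family == family and r.action == "deny"
               and r.src_zone == "any" and r.dst_zone == "any" and r.service == "any"
               for r in rules)


def audit(rules: list) -> dict:
    """Collect every finding in one report."""
    return {
        "parity_gaps": parity_gaps(rules),
        "unchallenged_v6": unchallenged_v6(rules),
        "v6_default_deny": has_default_deny(rules, 6),
    }


# Constructed sample policy: a reasonable v4 ruleset beside a v6 ruleset that
# only mirrors one rule and then lets everything else through.
SAMPLE_RULES = [
    Rule("v4-web-out", 4, "trust", "untrust", "tcp/443", "allow"),
    Rule("v4-http-out", 4, "trust", "untrust", "tcp/80", "allow"),
    Rule("v4-block-inbound", 4, "untrust", "trust", "any", "deny"),
    Rule("v4-default-deny", 4, "any", "any", "any", "deny"),
    Rule("v6-web-out", 6, "trust", "untrust", "tcp/443", "allow"),
    Rule("v6-bypass", 6, "any", "any", "any", "allow"),
]


if __name__ == "__main__":
    for section, finding in audit(SAMPLE_RULES).items():
        print(f"{section}: {finding}")
```

On the sample policy the audit flags three parity gaps (no v6 rule for tcp/80, no v6 inbound block, and the v6 allow-all overriding the v4 default deny) and names "v6-bypass" as the unchallenged rule.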


Re: NAT firewall for IPv6?

2016-07-05 Thread Dovid Bender
You may want to look into a new product by Ixia
https://www.ixiacom.com/products/threatarmor (seems their site is under
maint atm).


On Tue, Jul 5, 2016 at 10:31 AM, Naslund, Steve 
wrote:

> On another note, using a firewall to stop viruses is probably not going to
> work in general (unless the firewall has some additional malware detection
> engine).
>
> Here is the issue in a nutshell.  A firewall primarily controls where
> people can connect to and from on a network.  The problem with that is that
> a lot of malware is received from sites that your users intended to go to.
> People click on links without knowing where they go and people go to less
> than reputable web sites (or reputable sites that were recently
> compromised).  If you, by default, allow your users to access the Internet
> with a browser they are vulnerable to malware.  Even with malware detection
> capability you are still vulnerable to signatures and attacks that are not
> yet able to be detected.
>
> Even if filtering was enabled on your Palo Alto for ipv6 it would not help
> at this point because you have no idea what signatures it is using to
> filter with and when the last time those were updated.  I doubt your v4
> filtering is of much use either at this point.  URL filtering is largely a
> big game of whack a mole that you will lose eventually.  Malware filtering
> is based on one or both of the following methods.
>
> 1.  You filter URLs known to be bad players (you are vulnerable
> until your protection vendor realizes they are bad players).
>
> 2.  You filter based on adaptive detection of code that looks
> suspicious.  This is a bit better but still vulnerable because the bad guys
> are always innovating to pass through these devices.
>
> My recommendation would be network malware detection (possibly through a
> firewall add-on) as well as good virus/malware detection on the client
> computers.  Sometimes the malware is easier to detect at the client because
> it reveals itself by trying to access unauthorized memory, processes, or
> storage.
>
> Steven Naslund
> Chicago IL
>
>
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Edgar Carver
> Sent: Friday, July 01, 2016 9:29 PM
> To: nanog@nanog.org
> Subject: NAT firewall for IPv6?
>
> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation. Luckily, I minored in Computer Science so I have
> some familiarity.
>
> We have a small satellite campus of around 170 devices that share one
> external IPv4 and IPv6 address via NAT for internet traffic. Internal
> traffic is over an MPLS.
>
> We're having problems where viruses are getting through Firefox, and we
> think it's because our Palo Alto firewall is set to bypass filtering for
> IPv6. Unfortunately, the network admin couldn't give me the password since
> a local consultant set it up, and it seems they went out of business. I
> need to think outside the box.
>
> Is there some kind of NAT-based IPv6 firewall I can set up on the router
> that can help block viruses? I figure that's the right place to start since
> all the traffic gets funneled there. We have a Cisco Catalyst as a router.
> Or, ideally, is there an easy way to turn off IPv6 completely? I really
> don't see a need for it, any legitimate service should have an IPv4 address.
>
> I'd really appreciate your advice. I plan to drive out there tomorrow,
> where I can get the exact model numbers and stuff.
>
> Regards,
> Dr. Edgar Carver
>


Re: NAT firewall for IPv6?

2016-07-05 Thread Baldur Norddahl
On 5 July 2016 at 21:47, Octavio Alvarez  wrote:

> Everything else has already been said by others: fixing the Palo Alto is
> still your best bet.
>


No while that is also needed, it is very unlikely to fix his issue. The
issue at hand is that some of their computers have become virus infected.
The fix for that is to upgrade the virus scanner and make sure that all
software upgrades are done.

Someone comes to you and says his Firefox is getting infected through IPv6.
If your support is worth anything, you will not take that at face value and
bill him for a ton of work related to IPv6. No, you will go find out what the
real issue is and solve that. The only thing we know right now is that he
is confused.

Regards,

Baldur


Re: NAT firewall for IPv6?

2016-07-05 Thread Octavio Alvarez
On 07/01/2016 07:28 PM, Edgar Carver wrote:
> Is there some kind of NAT-based IPv6 firewall I can set up on the router
> that can help block viruses?

You need layer-7 firewalls for this. NAT-based "firewalls"
(pseudo-firewalls, really) are layer-4 only. Those will not help you
block typical viruses, as people will usually get infected from
connecting to a compromised Website, or from e-mail attachments. And
even more, if connections are encrypted, an L7 firewall will not be able
to do anything (whether IPv4 or v6) unless... better not open a can of
worms.

They will just help you block *some* attack vectors, though: those that
rely on starting connections to your hosts from the outside.

My guess is that, with regard to e-mail attachments and compromised
Websites, IPv4 hosts are still attacked more than IPv6 ones, so, even if
you turn off IPv6 you will still get attacked through IPv4.

Everything else has already been said by others: fixing the Palo Alto is
still your best bet.

Good luck!


Re: NAT firewall for IPv6?

2016-07-05 Thread A . L . M . Buxey
Hi,

> Right.  But how long is it going to take to secure the Palo Alto firewall?

around 5 minutes?

recover password, restart, log in, fix rules.

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Reset-the-Administrator-Password/ta-p/57581


obviously the firewall is also blocking google access! ;-)

alan


Re: NAT firewall for IPv6?

2016-07-05 Thread A . L . M . Buxey
Hi,

> > The Palo-Altos also don't support anything but NAT64,
> 
> They don't support proper dual-stack??  Or NAT64 is the only NAT flavor

of course they support native IPv6 ...or IPv4 with IPv6 in dual-stack.

I believe the comment was related to the 6/4 xlat stuff, i.e. just NAT64 and not 
464XLAT etc.
I've not looked into that myself as we do dual stack.

alan


Re: NAT firewall for IPv6?

2016-07-05 Thread Baldur Norddahl
On 5 July 2016 at 17:40, Lee  wrote:

>
> Right.  But how long is it going to take to secure the Palo Alto firewall?
> If the central Cisco Catalyst really is an IPv6 router, doing a
> conf t
> ipv6 access-list denyIPv6
>   deny ipv6 any any
>
> interface [whatever connects to the ISP]
>  ipv6 traffic-filter denyIPv6 in
>  ipv6 traffic-filter denyIPv6 out
> end
> would be a quick fix for the firewall not doing any ipv6 filtering.
>

Nope, that is not going to stop his IPv6 address from appearing, which I
will bet you good money is in the range of fe80::/64.


Re: NAT firewall for IPv6?

2016-07-05 Thread Lee
On 7/5/16, Naslund, Steve  wrote:
> Did you get the impression that this person asking for help was going to be
> able to set that up?

Yes, I think the OP could create & apply the acl.  Which is why I said
it could break their network & suggested they get Cisco tech support
on the phone to figure out how to safely turn off IPv6.

I'm also giving them the benefit of the doubt that IPv6 really is the
malware infection vector.

>  I didn't (if he was he would probably already know
> what an ACL is).  I do not know if the Catalyst he is looking at is his or
> his service provider's edge devices (or maybe the consultants didn't give
> them access to that either),  I don't know that that Catalyst is the primary
> router for their network (could be an L2 switch behind the firewall).  I
> also doubt the problem stems from ipv6 as much as it comes from having an
> out of control firewall. Given what I am hearing about this network I am
> kind of doubting that it is really ipv6 enabled in any case so your fix
> prevents ipv6 traffic that is probably not even being routed in the first
> place.  In my opinion not having control of your own firewall is the five
> alarm emergency in that network right now.

Maybe I wasn't clear that the call to Cisco tech support should be a
parallel effort?

> If the network is ipv6 enabled, blocking all ipv6 traffic at that router is
> probably not a good idea without knowing more.

Which is why I suggested getting Cisco tech support involved.  A
mailing list is not where they should be going for help right now.

Best Regards,
Lee


> ...  If it is not ipv6 enabled
> then it will have no effect on the reported issue (malware).
>
>
> Steven Naslund
> Chicago IL
>
>
>>Right.  But how long is it going to take to secure the Palo Alto firewall?
>>If the central Cisco Catalyst really is an IPv6 router, doing a conf t
>>ipv6 access-list denyIPv6
>>  deny ipv6 any any
>
>>interface [whatever connects to the ISP]
>> ipv6 traffic-filter denyIPv6 in
>> ipv6 traffic-filter denyIPv6 out
>>end
>>would be a quick fix for the firewall not doing any ipv6 filtering.
>>It could also break ipv6 enabled web sites or even internal connectivity,
>> so it'd be better to get someone on the phone w/ Cisco tech support and
>> have Cisco figure out the best way to block IPv6 for you.
>
>>True.  But they're in "stop the bleeding" mode and disabling ipv6 is just a
>> temp work-around until the firewall is fixed.
>
>
>


Re: Gmail down

2016-07-05 Thread Charles Mills
saw it down as well.   came back for me in < 5 minutes.

On Tue, Jul 5, 2016 at 10:49 AM, Josh Luthman 
wrote:

> Web interface is broken, downdetector sure sees activity.  This attempt is
> from mobile.
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>


Re: Gmail down

2016-07-05 Thread Matt Freitag
All good in Houghton, MI

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696
https://www.mtu.edu/
https://www.it.mtu.edu/

On Tue, Jul 5, 2016 at 11:33 AM, Josh Luthman 
wrote:

> I believe that only checks for an HTTP response, which would have responded
> successfully.  Not relevant to the issue.
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Tue, Jul 5, 2016 at 11:18 AM, John Peach 
> wrote:
>
> > https://downforeveryoneorjustme.com/gmail.com
> >
> >
> > On Tue, 5 Jul 2016 10:49:31 -0400
> > Josh Luthman  wrote:
> >
> > > Web interface is broken, downdetector sure sees activity.  This
> > > attempt is from mobile.
> > >
> > > Josh Luthman
> > > Office: 937-552-2340
> > > Direct: 937-552-2343
> > > 1100 Wayne St
> > > Suite 1337
> > > Troy, OH 45373
> >
> >
>


Re: NAT firewall for IPv6?

2016-07-05 Thread Tom Beecher
Not to belabor the point, because it will likely be made frequently in
responses, but every legitimate service _should_ have both IPv4 and IPv6
addresses.

Get Palo Alto on the horn, and get access to that box. Get it configured
properly.

I won't hammer you since you're just trying to solve a problem, but v6 is
not a second class citizen. You must consider v4 and v6 for these types of
issues, and making one or the other 'go away' is simply collecting some
tech debt that you'll have to eventually pay off.

On Friday, July 1, 2016, Edgar Carver  wrote:

> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation. Luckily, I minored in Computer Science so I have
> some familiarity.
>
> We have a small satellite campus of around 170 devices that share one
> external IPv4 and IPv6 address via NAT for internet traffic. Internal
> traffic is over an MPLS.
>
> We're having problems where viruses are getting through Firefox, and we
> think it's because our Palo Alto firewall is set to bypass filtering for
> IPv6. Unfortunately, the network admin couldn't give me the password since
> a local consultant set it up, and it seems they went out of business. I
> need to think outside the box.
>
> Is there some kind of NAT-based IPv6 firewall I can set up on the router
> that can help block viruses? I figure that's the right place to start since
> all the traffic gets funneled there. We have a Cisco Catalyst as a
> router. Or, ideally, is there an easy way to turn off IPv6 completely? I
> really don't see a need for it, any legitimate service should have an IPv4
> address.
>
> I'd really appreciate your advice. I plan to drive out there tomorrow,
> where I can get the exact model numbers and stuff.
>
> Regards,
> Dr. Edgar Carver
>


Re: NAT firewall for IPv6?

2016-07-05 Thread J Edgar Carver
On Fri, 1 Jul 2016 21:28:54 -0500
Edgar Carver  wrote:

> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation. Luckily, I minored in Computer Science so I have
> some familiarity.

Luckily!

> router. Or, ideally, is there an easy way to turn off IPv6 completely? I
> really don't see a need for it, any legitimate service should have an IPv4
> address.

Obvious troll is obvious after we just spent a week on this ...



Re: NAT firewall for IPv6?

2016-07-05 Thread Spencer Ryan
NAT64 is the only type of IPv6 NAT they support.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Tue, Jul 5, 2016 at 12:18 PM,  wrote:

> On Tue, 05 Jul 2016 11:54:14 -0400, Spencer Ryan said:
> > The Palo-Alto's also don't support anything but NAT64,
>
> They don't support proper dual-stack??  Or NAT64 is the only NAT flavor
> they support on the v6 side?
>


Re: NAT firewall for IPv6?

2016-07-05 Thread Valdis . Kletnieks
On Tue, 05 Jul 2016 11:54:14 -0400, Spencer Ryan said:
> The Palo-Alto's also don't support anything but NAT64,

They don't support proper dual-stack??  Or NAT64 is the only NAT flavor
they support on the v6 side?




RE: NAT firewall for IPv6?

2016-07-05 Thread Naslund, Steve
Did you get the impression that this person asking for help was going to be 
able to set that up?  I didn't (if he was he would probably already know what 
an ACL is).  I do not know if the Catalyst he is looking at is his or his 
service provider's edge device (or maybe the consultants didn't give them 
access to that either), and I don't know that that Catalyst is the primary router 
for their network (it could be an L2 switch behind the firewall).  I also doubt 
the problem stems from ipv6 as much as it comes from having an out-of-control 
firewall. Given what I am hearing about this network I am kind of doubting that 
it is really ipv6 enabled in any case, so your fix prevents ipv6 traffic that is 
probably not even being routed in the first place.  In my opinion not having 
control of your own firewall is the five alarm emergency in that network right 
now.

If the network is ipv6 enabled, blocking all ipv6 traffic at that router is 
probably not a good idea without knowing more.  If it is not ipv6 enabled then 
it will have no effect on the reported issue (malware).  


Steven Naslund
Chicago IL


>Right.  But how long is it going to take to secure the Palo Alto firewall?
>If the central Cisco Catalyst really is an IPv6 router, doing a conf t
>ipv6 access-list denyIPv6
>  deny ipv6 any any

>interface [whatever connects to the ISP]
> ipv6 traffic-filter denyIPv6 in
> ipv6 traffic-filter denyIPv6 out
>end
>would be a quick fix for the firewall not doing any ipv6 filtering.
>It could also break ipv6 enabled web sites or even internal connectivity, so 
>it'd be better to get someone on the phone w/ Cisco tech support and have 
>Cisco figure out the best way to block IPv6 for you.

>True.  But they're in "stop the bleeding" mode and disabling ipv6 is just a 
>temp work-around until the firewall is fixed.




Re: Gmail down

2016-07-05 Thread Josh Luthman
You're right, I should have posted to Outages.  That was my mistake.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Tue, Jul 5, 2016 at 11:54 AM, J. Oquendo  wrote:

> On Tue, 05 Jul 2016, Mel Beckman wrote:
>
> > Josh,
> >
> > No, that downdetector.com page is specifically for gmail.
> >
> >  -mel
>
> Unsure about others, but I certainly trust downdetector
> and others versus checking out Google's very own service
> status dashboard (https://www.google.com/appsstatus#hl=en&v=status)
>
> As an aside, as mentioned this is best reported on the
> Outage mailing list versus here on NANOG. $DEITY knows
> these threads can become epic length'd noise. So here is
> what would have been a better bet versus the good old
> 'sky is falling' response.
>
> Step 1) Gmail/Hotmail/Whatever doesn't work on your
> phone
>
> Step 2) Check it on something OTHER than your phone
> where your provider may not be reliable
>
> Step 3) Does it work on something else? If so problem
> solved if not go to step 4
>
> Step 4) Find the provider's page (if available) and
> see what others are saying. If others state it is up
> for them, but down for you... It may be an issue on
> YOUR network, or your providers.
>
> Step 5) If it is down for EVERYONE on the planet
> post it to Outages amongst the other dozen entries
>
> Step 6) Live life ;) World does not stop because
> Gmail, Facebook, Twitter, even the stock markets
> hiccup.
>
> --
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> J. Oquendo
> SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM
>
> "Where ignorance is our master, there is no possibility of
> real peace" - Dalai Lama
>
> 0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
> https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463
>


Re: Gmail down

2016-07-05 Thread Spencer Ryan
We've seen issues in the past where our upstream ISP had to de-peer with
Google in the Detroit IX as the Google side seemed to be eating traffic,
sending everything via L3/Chicago usually fixed it.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Tue, Jul 5, 2016 at 11:42 AM, Mel Beckman  wrote:

> Sorry, I misread your post.
>
> Ironically, I can reach Gmail through Level3, but not through Frontier or
> AT&T. So this may be a global routing issue.
>
>  -mel
>
> On Jul 5, 2016, at 8:39 AM, Josh Luthman wrote:
>
> I know.  That's what I'm saying.
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Tue, Jul 5, 2016 at 11:37 AM, Mel Beckman wrote:
> Josh,
>
> No, that downdetector.com page is specifically
> for gmail.
>
>  -mel
>
> > On Jul 5, 2016, at 8:30 AM, Josh Luthman wrote:
> >
> > That's Google Apps.  Not Gmail.  As per the subject, it's Gmail.
> >
> > http://downdetector.com/status/gmail
> >
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
> > On Tue, Jul 5, 2016 at 11:03 AM, Steven Miano wrote:
> >
> >> Nothing being reported by the vendor:
> >>
> >> http://www.google.com/appsstatus#hl=en&v=status
> >>
> >> Seems all but calendar has been spotless for the past week
> >>
> >> On Tue, Jul 5, 2016 at 10:53 AM, Josh Luthman <
> j...@imaginenetworksllc.com
> >>>
> >> wrote:
> >>
> >>> Looks like it's back up for both my personal and work accounts (issue
> >>> limited to the web interface).
> >>>
> >>> 851 reports and climbing every time I refresh @
> >>> http://downdetector.com/status/gmail
> >>>
> >>>
> >>> Josh Luthman
> >>> Office: 937-552-2340
> >>> Direct: 937-552-2343
> >>> 1100 Wayne St
> >>> Suite 1337
> >>> Troy, OH 45373
> >>>
> >>> On Tue, Jul 5, 2016 at 10:49 AM, Josh Luthman <
> >> j...@imaginenetworksllc.com
> 
> >>> wrote:
> >>>
>  Web interface is broken, downdetector sure sees activity.  This
> attempt
> >>> is
>  from mobile.
> 
>  Josh Luthman
>  Office: 937-552-2340
>  Direct: 937-552-2343
>  1100 Wayne St
>  Suite 1337
>  Troy, OH 45373
> 
> >>>
> >>
> >>
> >>
> >> --
> >> Miano, Steven M.
> >> http://stevenmiano.com
> >>
>
>
>
>


Re: Gmail down

2016-07-05 Thread J. Oquendo
On Tue, 05 Jul 2016, Mel Beckman wrote:

> Josh,
> 
> No, that downdetector.com page is specifically for gmail.
> 
>  -mel

Unsure about others, but I certainly trust downdetector
and others versus checking out Google's very own service
status dashboard (https://www.google.com/appsstatus#hl=en&v=status)

As an aside, as mentioned this is best reported on the
Outage mailing list versus here on NANOG. $DEITY knows
these threads can become epic length'd noise. So here is
what would have been a better bet versus the good old
'sky is falling' response.

Step 1) Gmail/Hotmail/Whatever doesn't work on your
phone

Step 2) Check it on something OTHER than your phone
where your provider may not be reliable

Step 3) Does it work on something else? If so problem
solved if not go to step 4

Step 4) Find the provider's page (if available) and
see what others are saying. If others state it is up
for them, but down for you... It may be an issue on
YOUR network, or your providers. 

Step 5) If it is down for EVERYONE on the planet
post it to Outages amongst the other dozen entries

Step 6) Live life ;) World does not stop because
Gmail, Facebook, Twitter, even the stock markets
hiccup.

-- 
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, C|EH, CNDA, CHFI, OSCP, CPT, RWSP, GREM

"Where ignorance is our master, there is no possibility of
real peace" - Dalai Lama

0B23 595C F07C 6092 8AEB  074B FC83 7AF5 9D8A 4463
https://pgp.mit.edu/pks/lookup?op=get&search=0xFC837AF59D8A4463


Re: NAT firewall for IPv6?

2016-07-05 Thread Spencer Ryan
The Palo-Alto's also don't support anything but NAT64, so depending on what
you meant by the IPv6 side is sharing "one address" might not be correct.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Tue, Jul 5, 2016 at 11:40 AM,  wrote:

> Hi,
>
>
> I would go through the password recovery options on the PaloAlto.
>
> as a next gen firewall you need to ensure you are getting all the latest
> rulesets
> and detection code through - check your subscription with them
>
>
> once you've sorted out access you can look at the policies and ensure that
> the IPv6 AV filtering rules match that for IPv4 - fairly easy with their
> interface.
> (check your codebase version for feature abilities... once again, you may
> need to
> deal with PA to ensure your codebase is current. these things get OLD
> quickly
>
>
> as for NAT for IPv6: nope.   And turning it off ISN'T the answer (yes, it's
> an answer... just
> the wrong one! ;-) )
>
>
> alan
>


Re: Gmail down

2016-07-05 Thread Mel Beckman
Sorry, I misread your post.

Ironically, I can reach Gmail through Level3, but not through Frontier or AT&T. 
So this may be a global routing issue.

 -mel

On Jul 5, 2016, at 8:39 AM, Josh Luthman wrote:

I know.  That's what I'm saying.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Tue, Jul 5, 2016 at 11:37 AM, Mel Beckman wrote:
Josh,

No, that downdetector.com page is specifically for 
gmail.

 -mel

> On Jul 5, 2016, at 8:30 AM, Josh Luthman wrote:
>
> That's Google Apps.  Not Gmail.  As per the subject, it's Gmail.
>
> http://downdetector.com/status/gmail
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Tue, Jul 5, 2016 at 11:03 AM, Steven Miano wrote:
>
>> Nothing being reported by the vendor:
>>
>> http://www.google.com/appsstatus#hl=en&v=status
>>
>> Seems all but calendar has been spotless for the past week
>>
>> On Tue, Jul 5, 2016 at 10:53 AM, Josh Luthman wrote:
>>
>>> Looks like it's back up for both my personal and work accounts (issue
>>> limited to the web interface).
>>>
>>> 851 reports and climbing every time I refresh @
>>> http://downdetector.com/status/gmail
>>>
>>>
>>> Josh Luthman
>>> Office: 937-552-2340
>>> Direct: 937-552-2343
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>>
>>> On Tue, Jul 5, 2016 at 10:49 AM, Josh Luthman <
>> j...@imaginenetworksllc.com

>>> wrote:
>>>
 Web interface is broken, downdetector sure sees activity.  This attempt
>>> is
 from mobile.

 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373

>>>
>>
>>
>>
>> --
>> Miano, Steven M.
>> http://stevenmiano.com
>>





Re: NAT firewall for IPv6?

2016-07-05 Thread A . L . M . Buxey
Hi,


I would go through the password recovery options on the PaloAlto.

as a next gen firewall you need to ensure you are getting all the latest 
rulesets
and detection code through - check your subscription with them


once you've sorted out access you can look at the policies and ensure that
the IPv6 AV filtering rules match that for IPv4 - fairly easy with their 
interface.
(check your codebase version for feature abilities... once again, you may need 
to
deal with PA to ensure your codebase is current. these things get OLD quickly


as for NAT for IPv6: nope.   And turning it off ISN'T the answer (yes, it's an 
answer... just
the wrong one! ;-) )


alan


Re: NAT firewall for IPv6?

2016-07-05 Thread Lee
On 7/5/16, Naslund, Steve  wrote:
> Hard to know where to begin with this one, but let me take a shot at it.
>
> 1.  My top priority would be to get into that Palo Alto firewall.  Get Palo
> Alto on the phone and figure out password recovery with them.  Since you
> don’t have the password it is possible that firewall is compromised.  Do not
> be surprised if you have to jump through some hoops with Palo Alto to prove
> that you own it and what has happened.  Remember their job is to keep people
> out of your network.  They are probably also going to want you to be current
> on support.  If you have to pay to get current on support, do it.  You need
> that help right now badly.
>
> You could ask Palo Alto how to block the v6 while you are at it or even
> better set up a rules that mirror your v4 protection.   I cannot stress
> enough how big a security issue it is to not have access to your firewall
> and not know who does.
>
> 2.  There are lots of ways to shut off ipv6 but my suggestion would be to
> just secure the Palo Alto firewall,

Right.  But how long is it going to take to secure the Palo Alto firewall?
If the central Cisco Catalyst really is an IPv6 router, doing a
conf t
ipv6 access-list denyIPv6
  deny ipv6 any any

interface [whatever connects to the ISP]
 ipv6 traffic-filter denyIPv6 in
 ipv6 traffic-filter denyIPv6 out
end
would be a quick fix for the firewall not doing any ipv6 filtering.
It could also break ipv6 enabled web sites or even internal
connectivity, so it'd be better to get someone on the phone w/ Cisco
tech support and have Cisco figure out the best way to block IPv6 for
you.


>  ... to say that any legitimate service
> should have a ipv4 address is not quite true now and will definitely not be
> true in the near future.

True.  But they're in "stop the bleeding" mode and disabling ipv6 is
just a temp work-around until the firewall is fixed.

Regards,
Lee



> 3.  Just about any kind of firewall or router CPE device can block or
> firewall ipv4 and ipv6 as long as its firmware is fairly recent.  However,
> you would most likely have to replace the Palo Alto with it.  You DO NOT
> WANT THEM BOTH INLINE!  Most likely they are both configured to do ipv4 NAT
> out of the box and that will not work correctly to have them both inline
> together.  While it is possible to set up that sort of thing to work
> correctly, it’s a bad idea and pretty advanced configuration for a temporary
> network admin.  The interaction of one firewall fronting another can be very
> difficult to troubleshoot without a deep understanding of what is going on.
> Referring back to item 1, you are probably going to need to get the
> configuration of the current firewall if you seek to replace it (there will
> be rules in the Palo Alto that you would want to replicate if you are going
> to replace it).
>
> 4.  Cisco Catalyst as the router. There could be a lot of things going on
> in there.  The Catalyst is primarily a switch with routing functionality.
> It can definitely block ipv6 if configured to do so but we would need to
> know a lot more about its current configuration to give you the best way to
> do that.  It could just be a service providers switch on your premise in
> which case you can't do much with it.  Again, much easier to accomplish Item
> 1 with Palo Alto and let your firewall do what it is supposed to do.
>
> Steven Naslund
> Chicago IL
>
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Edgar Carver
> Sent: Friday, July 01, 2016 9:29 PM
> To: nanog@nanog.org
> Subject: NAT firewall for IPv6?
>
> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation. Luckily, I minored in Computer Science so I have
> some familiarity.
>
> We have a small satellite campus of around 170 devices that share one
> external IPv4 and IPv6 address via NAT for internet traffic. Internal
> traffic is over an MPLS.
>
> We're having problems where viruses are getting through Firefox, and we
> think it's because our Palo Alto firewall is set to bypass filtering for
> IPv6. Unfortunately, the network admin couldn't give me the password since a
> local consultant set it up, and it seems they went out of business. I need
> to think outside the box.
>
> Is there some kind of NAT-based IPv6 firewall I can setup on the router that
> can help block viruses? I figure that's the right place to start since all
> the traffic gets funneled there. We have a Cisco Catalyst as a router. Or,
> ideally, is there an easy way to turn off IPv6 completely? I really don't
> see a need for it, any legitimate service should have an IPv4 address.
>
> I'd really appreciate your advice. I plan to drive out there tomorrow, where
> I can get the exact model numbers and stuff.
>
> Regards,
> Dr. Edgar Carver
>


Re: Gmail down

2016-07-05 Thread Josh Luthman
I know.  That's what I'm saying.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Tue, Jul 5, 2016 at 11:37 AM, Mel Beckman  wrote:

> Josh,
>
> No, that downdetector.com page is specifically for gmail.
>
>  -mel
>
> > On Jul 5, 2016, at 8:30 AM, Josh Luthman 
> wrote:
> >
> > That's Google Apps.  Not Gmail.  As per the subject, it's Gmail.
> >
> > http://downdetector.com/status/gmail
> >
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
> > On Tue, Jul 5, 2016 at 11:03 AM, Steven Miano  wrote:
> >
> >> Nothing being reported by the vendor:
> >>
> >> http://www.google.com/appsstatus#hl=en&v=status
> >>
> >> Seems all but calendar has been spotless for the past week
> >>
> >> On Tue, Jul 5, 2016 at 10:53 AM, Josh Luthman <
> j...@imaginenetworksllc.com
> >>>
> >> wrote:
> >>
> >>> Looks like it's back up for both my personal and work accounts (issue
> >>> limited to the web interface).
> >>>
> >>> 851 reports and climbing every time I refresh @
> >>> http://downdetector.com/status/gmail
> >>>
> >>>
> >>> Josh Luthman
> >>> Office: 937-552-2340
> >>> Direct: 937-552-2343
> >>> 1100 Wayne St
> >>> Suite 1337
> >>> Troy, OH 45373
> >>>
> >>> On Tue, Jul 5, 2016 at 10:49 AM, Josh Luthman <
> >> j...@imaginenetworksllc.com
> 
> >>> wrote:
> >>>
>  Web interface is broken, downdetector sure sees activity.  This
> attempt
> >>> is
>  from mobile.
> 
>  Josh Luthman
>  Office: 937-552-2340
>  Direct: 937-552-2343
>  1100 Wayne St
>  Suite 1337
>  Troy, OH 45373
> 
> >>>
> >>
> >>
> >>
> >> --
> >> Miano, Steven M.
> >> http://stevenmiano.com
> >>
>
>


Re: Gmail down

2016-07-05 Thread Mel Beckman
Josh,

No, that downdetector.com page is specifically for gmail.

 -mel

> On Jul 5, 2016, at 8:30 AM, Josh Luthman  wrote:
> 
> That's Google Apps.  Not Gmail.  As per the subject, it's Gmail.
> 
> http://downdetector.com/status/gmail
> 
> 
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
> 
> On Tue, Jul 5, 2016 at 11:03 AM, Steven Miano  wrote:
> 
>> Nothing being reported by the vendor:
>> 
>> http://www.google.com/appsstatus#hl=en&v=status
>> 
>> Seems all but calendar has been spotless for the past week
>> 
>> On Tue, Jul 5, 2016 at 10:53 AM, Josh Luthman >> 
>> wrote:
>> 
>>> Looks like it's back up for both my personal and work accounts (issue
>>> limited to the web interface).
>>> 
>>> 851 reports and climbing every time I refresh @
>>> http://downdetector.com/status/gmail
>>> 
>>> 
>>> Josh Luthman
>>> Office: 937-552-2340
>>> Direct: 937-552-2343
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>> 
>>> On Tue, Jul 5, 2016 at 10:49 AM, Josh Luthman <
>> j...@imaginenetworksllc.com
 
>>> wrote:
>>> 
 Web interface is broken, downdetector sure sees activity.  This attempt
>>> is
 from mobile.
 
 Josh Luthman
 Office: 937-552-2340
 Direct: 937-552-2343
 1100 Wayne St
 Suite 1337
 Troy, OH 45373
 
>>> 
>> 
>> 
>> 
>> --
>> Miano, Steven M.
>> http://stevenmiano.com
>> 



Re: Gmail down

2016-07-05 Thread Josh Luthman
I believe that only checks for an HTTP response, which would have responded
successfully.  Not relevant to the issue.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Tue, Jul 5, 2016 at 11:18 AM, John Peach 
wrote:

> https://downforeveryoneorjustme.com/gmail.com
>
>
> On Tue, 5 Jul 2016 10:49:31 -0400
> Josh Luthman  wrote:
>
> > Web interface is broken, downdetector sure sees activity.  This
> > attempt is from mobile.
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
>
>


Re: Gmail down

2016-07-05 Thread Josh Luthman
That's Google Apps.  Not Gmail.  As per the subject, it's Gmail.

http://downdetector.com/status/gmail


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Tue, Jul 5, 2016 at 11:03 AM, Steven Miano  wrote:

> Nothing being reported by the vendor:
>
> http://www.google.com/appsstatus#hl=en&v=status
>
> Seems all but calendar has been spotless for the past week
>
> On Tue, Jul 5, 2016 at 10:53 AM, Josh Luthman  >
> wrote:
>
> > Looks like it's back up for both my personal and work accounts (issue
> > limited to the web interface).
> >
> > 851 reports and climbing every time I refresh @
> > http://downdetector.com/status/gmail
> >
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
> > On Tue, Jul 5, 2016 at 10:49 AM, Josh Luthman <
> j...@imaginenetworksllc.com
> > >
> > wrote:
> >
> > > Web interface is broken, downdetector sure sees activity.  This attempt
> > is
> > > from mobile.
> > >
> > > Josh Luthman
> > > Office: 937-552-2340
> > > Direct: 937-552-2343
> > > 1100 Wayne St
> > > Suite 1337
> > > Troy, OH 45373
> > >
> >
>
>
>
> --
> Miano, Steven M.
> http://stevenmiano.com
>


Re: Gmail down

2016-07-05 Thread John Peach
https://downforeveryoneorjustme.com/gmail.com


On Tue, 5 Jul 2016 10:49:31 -0400
Josh Luthman  wrote:

> Web interface is broken, downdetector sure sees activity.  This
> attempt is from mobile.
> 
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373





Re: Gmail down

2016-07-05 Thread Hugo Slabbert


On Tue 2016-Jul-05 10:53:34 -0400, Josh Luthman  
wrote:


Looks like it's back up for both my personal and work accounts (issue
limited to the web interface).

851 reports and climbing every time I refresh @
http://downdetector.com/status/gmail



No issues from Vancouver, BC.  Reaching over v6 on 2607:f8b0:400a:801::2005 
via peering at the SIX.




On Tue, Jul 5, 2016 at 10:49 AM, Josh Luthman 
wrote:


Web interface is broken, downdetector sure sees activity.  This attempt is
from mobile.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373



--
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal




Re: Gmail down

2016-07-05 Thread Steven Miano
Nothing being reported by the vendor:

http://www.google.com/appsstatus#hl=en&v=status

Seems all but calendar has been spotless for the past week

On Tue, Jul 5, 2016 at 10:53 AM, Josh Luthman 
wrote:

> Looks like it's back up for both my personal and work accounts (issue
> limited to the web interface).
>
> 851 reports and climbing every time I refresh @
> http://downdetector.com/status/gmail
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Tue, Jul 5, 2016 at 10:49 AM, Josh Luthman  >
> wrote:
>
> > Web interface is broken, downdetector sure sees activity.  This attempt
> is
> > from mobile.
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
>



-- 
Miano, Steven M.
http://stevenmiano.com


Re: Gmail down

2016-07-05 Thread Filip Hruska

Hi,

It's UP for me.
Location: Czech Republic, IPv6 access via TunnelBroker.

Regards,
Filip

On 07/05/2016 04:56 PM, Martin Hepworth wrote:

Ok from here in the UK



Re: Gmail down

2016-07-05 Thread Josh Reynolds
There is an outages list @ puck.nether.net that this might have been better
suited for.

In the future, please list:
Time the issue started (followed by timezone)
Nature of the issue
Troubleshooting steps you've tried
Location
Any additional helpful information to replicate the issue
Time of resolution
On Jul 5, 2016 9:56 AM, "Josh Luthman"  wrote:

> Looks like it's back up for both my personal and work accounts (issue
> limited to the web interface).
>
> 851 reports and climbing every time I refresh @
> http://downdetector.com/status/gmail
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Tue, Jul 5, 2016 at 10:49 AM, Josh Luthman  >
> wrote:
>
> > Web interface is broken, downdetector sure sees activity.  This attempt
> is
> > from mobile.
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
>


Re: Gmail down

2016-07-05 Thread Josh Luthman
With a web interface being broken I don't believe that would be network
related.  1500 other people from different networks all saw the same issue.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Tue, Jul 5, 2016 at 10:56 AM, Josh Reynolds  wrote:

> What a terrible report.
>
> From where? What network? Do you see issues through other networks?
>
> - Sent from the gmail web interface
>
> On Tue, Jul 5, 2016 at 9:49 AM, Josh Luthman
>  wrote:
> > Web interface is broken, downdetector sure sees activity.  This attempt
> is
> > from mobile.
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
>


Re: Gmail down

2016-07-05 Thread Josh Reynolds
What a terrible report.

From where? What network? Do you see issues through other networks?

- Sent from the gmail web interface

On Tue, Jul 5, 2016 at 9:49 AM, Josh Luthman
 wrote:
> Web interface is broken, downdetector sure sees activity.  This attempt is
> from mobile.
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373


Re: Gmail down

2016-07-05 Thread Dovid Bender
Just came back up.


Regards,

Dovid

-Original Message-
From: Josh Luthman 
Sender: "NANOG" Date: Tue, 5 Jul 2016 10:49:31 
To: NANOG list
Subject: Gmail down

Web interface is broken, downdetector sure sees activity.  This attempt is
from mobile.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


Re: Gmail down

2016-07-05 Thread Nicholas Suan
I was having issues remaining connected to Gtalk but it seems to have
corrected itself.

On Tue, Jul 5, 2016 at 10:49 AM, Josh Luthman
 wrote:
> Web interface is broken, downdetector sure sees activity.  This attempt is
> from mobile.
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373


Re: Gmail down

2016-07-05 Thread Martin Hepworth
Ok from here in the UK

-- 
Martin Hepworth, CISSP
Oxford, UK

On 5 July 2016 at 15:53, Josh Luthman  wrote:

> Looks like it's back up for both my personal and work accounts (issue
> limited to the web interface).
>
> 851 reports and climbing every time I refresh @
> http://downdetector.com/status/gmail
>
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>
> On Tue, Jul 5, 2016 at 10:49 AM, Josh Luthman  >
> wrote:
>
> > Web interface is broken, downdetector sure sees activity.  This attempt
> is
> > from mobile.
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
>


RE: NAT firewall for IPv6?

2016-07-05 Thread Naslund, Steve
That is a good point.  In order for your PCs to be compromised via ipv6, they 
would have to be able to establish ipv6 connectivity to each other or to an 
internet location.  

If your network is not configured to support ipv6 it will probably only be 
possible for your clients to communicate with each other via ipv6 on the local 
LAN meaning they could only be infecting each other.  In order for your clients 
to be receiving traffic from the Internet via ipv6 would probably require 
routing and ipv6 configuration support that it sounds like your network does 
not have.  If your firewall is passing v6 traffic, it must understand it enough 
to forward it across interfaces.

At this point it does not much matter whether the transport layer is v4 or v6 
because this problem is higher up the protocol stack.  Setting up your firewall 
to bypass v6 (i.e. just pass it) was a huge tactical error (might be why your 
consultant is out of business :) and a bit hard for me to understand.  If you 
want v6 then you would apply the same policies that you do to v4 traffic and if 
you don't want v6 you would just tell the firewall to drop it.  

I think it is much more probable that you are receiving malware via ipv4 or 
even executable attachments that the out of control firewall is not detecting.

I can tell you that we use the most current versions of Checkpoint firewalls 
with all of the malware bells and whistles (megabucks) and they are still not 
100% effective all of the time.  We stop thousands of hacking and malware 
attempts per hour but it only takes one to become a big pain to deal with.


Steven Naslund 
Chicago IL




-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of 
valdis.kletni...@vt.edu
Sent: Tuesday, July 05, 2016 9:33 AM
To: Edgar Carver
Cc: nanog@nanog.org
Subject: Re: NAT firewall for IPv6?

On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:

> We're having problems where viruses are getting through Firefox, and 
> we think it's because our Palo Alto firewall is set to bypass 
> filtering for IPv6.

Do you have any actual evidence (device logs, tcpdump, netflow, etc.) that 
support that train of thought?

Remember that your Palo Alto isn't stopping 100% of the icky stuff on the
IPv4 side either - the sad truth is that most commercial security software is 
only able to identify and block between 30% and 70% of the crap that's out in 
the wild. There's also BYOD issues where a laptop comes in and infects all your 
systems from behind the firewall (as Marcus Ranum says: "Crunchy on the 
outside, soft and chewy inside").

In any case, your first two actions should be to recover the password for the 
Palo Alto, and make sure it has updated pattern definitions in effect on both
IPv4 and IPv6 connections.

And your third should be to re-examine your vendor rules of engagement, to 
ensure your deliverables include things like passwords and update support so 
you're not stuck if your vendor goes belly up..




Re: Gmail down

2016-07-05 Thread Josh Luthman
Looks like it's back up for both my personal and work accounts (issue
limited to the web interface).

851 reports and climbing every time I refresh @
http://downdetector.com/status/gmail


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Tue, Jul 5, 2016 at 10:49 AM, Josh Luthman 
wrote:

> Web interface is broken, downdetector sure sees activity.  This attempt is
> from mobile.
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
>


Gmail down

2016-07-05 Thread Josh Luthman
Web interface is broken, downdetector sure sees activity.  This attempt is
from mobile.

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


Re: NAT firewall for IPv6?

2016-07-05 Thread Bruce Curtis

> On Jul 5, 2016, at 9:33 AM, valdis.kletni...@vt.edu wrote:
> 
> On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:
> 
>> We're having problems where viruses are getting through Firefox, and we
>> think it's because our Palo Alto firewall is set to bypass filtering for
>> IPv6.
> 
> Do you have any actual evidence (device logs, tcpdump, netflow,  etc) that
> support that train of thought?
> 
> Remember that your Palo Alto isn't stopping 100% of the icky stuff on the
> IPv4 side either - the sad truth is that most commercial security software
> is only able to identify and block between 30% and 70% of the crap that's
> out in the wild.

That is only the percentage that it identifies from what it can see.  It most 
likely can not see viruses in encrypted traffic.

"A forecast that 70% of global Internet traffic will be encrypted in 2016, 
with many networks exceeding 80%"

https://www.sandvine.com/pr/2016/2/11/sandvine-70-of-global-internet-traffic-will-be-encrypted-in-2016.html


"In the fourth quarter of 2015 nearly 65 percent of all web connections that 
Dell observed were encrypted, leading to a lot more under-the-radar attacks, 
according to the company. Gartner has predicted that 50 percent of all network 
attacks will take advantage of SSL/TLS by 2017."

http://www.darkreading.com/attacks-breaches/when-encryption-becomes-the-enemys-best-friend/d/d-id/1324580

This article mentions how difficult it is for sandboxes to detect malware.

https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/fireeye-hot-knives-through-butter.pdf

This article mentions malware that changes its download image every 15 seconds.

http://www.darkreading.com/vulnerabilities---threats/cerber-strikes-with-office-365-zero-day-attacks/d/d-id/1326070?_mc=NL_DR_EDT_DR_weekly_20160630&cid=NL_DR_EDT_DR_weekly_20160630&elqTrackId=1d7f1b5bcdb24c469164471a423f746b&elq=01e6838c279149a08e460cdbe3b8b54a&elqaid=70982&elqat=1&elqCampaignId=21896





> There's also BYOD issues where a laptop comes in and infects
> all your systems from behind the firewall (as Marcus Ranum says: "Crunchy on
> the outside, soft and chewy inside”).

  

> In any case, your first two actions should be to recover the password for the
> Palo Alto, and make sure it has updated pattern definitions in effect on both
> IPv4 and IPv6 connections.
> 
> And your third should be to re-examine your vendor rules of engagement, to
> ensure your deliverables include things like passwords and update support
> so you're not stuck if your vendor goes belly up..
> 
> 

---
Bruce Curtis bruce.cur...@ndsu.edu
Certified NetAnalyst II    701-231-8527
North Dakota State University



Re: NAT firewall for IPv6?

2016-07-05 Thread Brielle Bruns

On 7/1/16 8:28 PM, Edgar Carver wrote:

Unfortunately, the network admin couldn't give me the password since
a local consultant set it up, and it seems they went out of business. I
need to think outside the box.


So your network admin didn't bother to get the login/enable password for 
a device that is an integral part of your network?   That's...  a very 
big lapse in their responsibilities.


I had a consultant recently in CO try to pull the same stunt on me for 
one of the companies I consult for - stalling, giving bullshit reasons, 
etc on why they couldn't just hand over the administrative passwords to 
the actual IT people in the company.


Why were we demanding admin access?  Because the company we were paying 
to maintain it we suspected weren't doing their job.  We figured they 
knew exactly why we were asking for the information, and were buying time.


IIRC, we were right about the condition of the firewall, switches, etc.


Anyways, moral of the story, don't let a consultant hold any and all the 
keys to the castle for exactly the situation you have right now.


--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org


Re: NAT firewall for IPv6?

2016-07-05 Thread Valdis . Kletnieks
On Fri, 01 Jul 2016 21:28:54 -0500, Edgar Carver said:

> We're having problems where viruses are getting through Firefox, and we
> think it's because our Palo Alto firewall is set to bypass filtering for
> IPv6.

Do you have any actual evidence (device logs, tcpdump, netflow,  etc) that
support that train of thought?

Remember that your Palo Alto isn't stopping 100% of the icky stuff on the
IPv4 side either - the sad truth is that most commercial security software
is only able to identify and block between 30% and 70% of the crap that's
out in the wild. There's also BYOD issues where a laptop comes in and infects
all your systems from behind the firewall (as Marcus Ranum says: "Crunchy on
the outside, soft and chewy inside").

In any case, your first two actions should be to recover the password for the
Palo Alto, and make sure it has updated pattern definitions in effect on both
IPv4 and IPv6 connections.

And your third should be to re-examine your vendor rules of engagement, to
ensure your deliverables include things like passwords and update support
so you're not stuck if your vendor goes belly up..
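Valdis asks for evidence (device logs, tcpdump, netflow) before blaming IPv6. Below is an added example, not code from this thread or from any firewall vendor, of the first check a practitioner would run on an export: split the firewall's session and threat records by address family and see whether IPv6 is carrying traffic that never produces a verdict. The CSV layout (timestamp, type, action, source, destination, threat name) and the sample lines are constructed for the example; an actual export will need the field mapping adjusted.

```python
"""Check the "malware is coming in over IPv6" hypothesis against the logs.

Added example, not code from the NANOG thread. The log format below is a
constructed, hypothetical CSV (timestamp,type,action,src,dst,threat) and
is not any vendor's native export; the sample lines are made up and use
documentation address ranges only.
"""
import csv
import io
import ipaddress
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample export: four IPv4 sessions (two with threat verdicts)
# and two IPv6 sessions with no verdict at all.
SAMPLE_LOG = """\
2016-07-01T09:12:01,TRAFFIC,allow,10.1.2.33,93.184.216.34,
2016-07-01T09:12:05,THREAT,block,10.1.2.33,198.51.100.7,Trojan.Generic
2016-07-01T09:13:10,TRAFFIC,allow,2001:db8:1::33,2001:db8:ffff::10,
2016-07-01T09:13:14,TRAFFIC,allow,2001:db8:1::45,2001:db8:bad::1,
2016-07-01T09:14:02,THREAT,alert,10.1.2.45,203.0.113.9,Exploit.Browser
2016-07-01T09:15:30,TRAFFIC,allow,10.1.2.33,192.0.2.10,
"""


def family(addr: str) -> str:
    """'ipv4' or 'ipv6'; a garbage address raises ValueError on purpose,
    because a log with unparseable destinations is itself a finding."""
    return "ipv6" if ipaddress.ip_address(addr).version == 6 else "ipv4"


def tally(log_text: str) -> Dict[str, Counter]:
    """Per address family: sessions logged, and how many of them carried a
    THREAT verdict (counted in total and per action, e.g. block/alert)."""
    counts = {"ipv4": Counter(), "ipv6": Counter()}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip malformed rows rather than miscount them
        _ts, log_type, action, _src, dst, _threat = row
        fam = family(dst)
        counts[fam]["sessions"] += 1
        if log_type == "THREAT":
            counts[fam]["threats"] += 1
            counts[fam]["threat_" + action] += 1
    return counts


def verdict_rate(counts: Dict[str, Counter]) -> Dict[str, Optional[float]]:
    """Fraction of sessions per family that produced a threat verdict;
    None when a family logged no sessions (nothing to compare against)."""
    return {
        fam: (c["threats"] / c["sessions"]) if c["sessions"] else None
        for fam, c in counts.items()
    }


def suspicious_gap(counts: Dict[str, Counter]) -> List[str]:
    """Families that carry traffic but never produced a single verdict.

    That pattern is consistent with "not inspected at all", but also with
    "nothing bad happened to cross it", so it is a lead to confirm against
    the device's policy, not proof of a bypass."""
    return sorted(f for f, c in counts.items() if c["sessions"] and not c["threats"])


if __name__ == "__main__":
    c = tally(SAMPLE_LOG)
    for fam in ("ipv4", "ipv6"):
        print(fam, dict(c[fam]))
    print("verdict rate per family:", verdict_rate(c))
    print("traffic with zero verdicts:", suspicious_gap(c))
```

On the constructed sample the IPv6 side shows sessions but no verdicts, which is exactly the pattern that would justify Valdis's "check the pattern definitions on both IPv4 and IPv6" step; on a real export, a zero-verdict family with a handful of sessions is just too little data, so look at the session counts before drawing any conclusion.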






RE: NAT firewall for IPv6?

2016-07-05 Thread Naslund, Steve
On another note, using a firewall to stop viruses is probably not going to work 
in general (unless the firewall has some additional malware detection engine).  

Here is the issue in a nutshell.  A firewall primarily controls where people 
can connect to and from on a network.  The problem with that is that a lot of 
malware is received from sites that your users intended to go to.  People click 
on links without knowing where they go and people go to less than reputable web 
sites (or reputable sites that were recently compromised).  If you, by default, 
allow your users to access the Internet with a browser they are vulnerable to 
malware.  Even with malware detection capability you are still vulnerable to 
signatures and attacks that are not yet able to be detected.

Even if filtering was enabled on your Palo Alto for ipv6 it would not help at 
this point because you have no idea what signatures it is using to filter with 
and when the last time those were updated.  I doubt your v4 filtering is of much 
use either at this point.  URL filtering is largely a big game of whack a mole 
that you will lose eventually.  Malware filtering is based on one or both of 
the following methods.  

1.  You filter URLs known to be bad players (you are vulnerable until 
your protection vendor realizes they are bad players).

2.  You filter based on adaptive detection of code that looks 
suspicious.  This is a bit better but still vulnerable because the bad guys are 
always innovating to pass through these devices.

My recommendation would be network malware detection (possibly through a 
firewall add-on) as well as good virus/malware detection on the client 
computers.  Sometimes the malware is easier to detect at the client because it 
reveals itself by trying to access unauthorized memory, processes, or storage.

Steven Naslund
Chicago IL




-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Edgar Carver
Sent: Friday, July 01, 2016 9:29 PM
To: nanog@nanog.org
Subject: NAT firewall for IPv6?

Hello NANOG community. I was directed here by our network administrator since 
she is on vacation. Luckily, I minored in Computer Science so I have some 
familiarity.

We have a small satellite campus of around 170 devices that share one external 
IPv4 and IPv6 address via NAT for internet traffic. Internal traffic is over an 
MPLS.

We're having problems where viruses are getting through Firefox, and we think 
it's because our Palo Alto firewall is set to bypass filtering for IPv6. 
Unfortunately, the network admin couldn't give me the password since a local 
consultant set it up, and it seems they went out of business. I need to think 
outside the box.

Is there some kind of NAT-based IPv6 firewall I can setup on the router that 
can help block viruses? I figure that's the right place to start since all the 
traffic gets funneled there. We have a Cisco Catalyst as a router. Or, ideally, 
is there an easy way to turn off IPv6 completely? I really don't see a need for 
it, any legitimate service should have an IPv4 address.

I'd really appreciate your advice. I plan to drive out there tomorrow, where I 
can get the exact model numbers and stuff.

Regards,
Dr. Edgar Carver


RE: NAT firewall for IPv6?

2016-07-05 Thread Naslund, Steve
Hard to know where to begin with this one, but let me take a shot at it.

1.  My top priority would be to get into that Palo Alto firewall.  Get Palo 
Alto on the phone and figure out password recovery with them.  Since you don’t 
have the password it is possible that firewall is compromised.  Do not be 
surprised if you have to jump through some hoops with Palo Alto to prove that 
you own it and what has happened.  Remember their job is to keep people out of 
your network.  They are probably also going to want you to be current on 
support.  If you have to pay to get current on support, do it.  You need that 
help right now badly.

You could ask Palo Alto how to block the v6 while you are at it or even better 
set up a rules that mirror your v4 protection.   I cannot stress enough how big 
a security issue it is to not have access to your firewall and not know who 
does.

2.  There are lots of ways to shut off ipv6 but my suggestion would be to just 
secure the Palo Alto firewall.  To say that any legitimate service should have 
an ipv4 address is not quite true now and will definitely not be true in the 
near future.

3.  Just about any kind of firewall or router CPE device can block or firewall 
ipv4 and ipv6 as long as its firmware is fairly recent.  However, you would 
most likely have to replace the Palo Alto with it.  You DO NOT WANT THEM BOTH 
INLINE!  Most likely they are both configured to do ipv4 NAT out of the box and 
that will not work correctly to have them both inline together.  While it is 
possible to set up that sort of thing to work correctly, it’s a bad idea and 
pretty advanced configuration for a temporary network admin.  The interaction 
of one firewall fronting another can be very difficult to troubleshoot without 
a deep understanding of what is going on.  Referring back to item 1, you are 
probably going to need to get the configuration of the current firewall if you 
seek to replace it (there will be rules in the Palo Alto that you would want to 
replicate if you are going to replace it).

4.  Cisco Catalyst as the router.  There could be a lot of things going on in 
there.  The Catalyst is primarily a switch with routing functionality.  It can 
definitely block ipv6 if configured to do so but we would need to know a lot 
more about its current configuration to give you the best way to do that.  It 
could just be a service providers switch on your premise in which case you 
can't do much with it.  Again, much easier to accomplish Item 1 with Palo Alto 
and let your firewall do what it is supposed to do.

Steven Naslund
Chicago IL



-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Edgar Carver
Sent: Friday, July 01, 2016 9:29 PM
To: nanog@nanog.org
Subject: NAT firewall for IPv6?

Hello NANOG community. I was directed here by our network administrator since 
she is on vacation. Luckily, I minored in Computer Science so I have some 
familiarity.

We have a small satellite campus of around 170 devices that share one external 
IPv4 and IPv6 address via NAT for internet traffic. Internal traffic is over an 
MPLS.

We're having problems where viruses are getting through Firefox, and we think 
it's because our Palo Alto firewall is set to bypass filtering for IPv6. 
Unfortunately, the network admin couldn't give me the password since a local 
consultant set it up, and it seems they went out of business. I need to think 
outside the box.

Is there some kind of NAT-based IPv6 firewall I can setup on the router that 
can help block viruses? I figure that's the right place to start since all the 
traffic gets funneled there. We have a Cisco Catalyst as a router. Or, ideally, 
is there an easy way to turn off IPv6 completely? I really don't see a need for 
it, any legitimate service should have an IPv4 address.

I'd really appreciate your advice. I plan to drive out there tomorrow, where I 
can get the exact model numbers and stuff.

Regards,
Dr. Edgar Carver


Re: Recommendations for used satellite decoder resellers

2016-07-05 Thread Tim Jackson
This Yahoo group has a bunch of CATV gear for sale and is still pretty
active.. Shooting a message on here might work:

https://beta.groups.yahoo.com/neo/groups/buyandsellCATV/info

--
Tim

On Tue, Jul 5, 2016 at 8:41 AM, Jason Lixfeld 
wrote:

> Hello,
>
> I’m wondering if anyone can refer me to a company they’ve used in the past
> who may have (access to) used satellite decoder equipment.  I’m in the
> market for some used Sencore kit.
>
> Thanks in advance!


Re: NAT firewall for IPv6?

2016-07-05 Thread Spencer Ryan
You emailed the wrong list to say this: "Or, ideally, is there an easy way
to turn off IPv6 completely? I really don't see a need for it, any
legitimate service should have an IPv4 address."

Turning off IPv6 is not the right solution, nor will it magically fix your
issues.

Fix the Palo Alto, either hire another consultant or just erase it and
start over. Although even PA's Layer7 inspection won't catch everything and
you should have antivirus/antimalware software on the end user computers.


*Spencer Ryan* | Senior Systems Administrator | sr...@arbor.net
*Arbor Networks*
+1.734.794.5033 (d) | +1.734.846.2053 (m)
www.arbornetworks.com

On Fri, Jul 1, 2016 at 10:28 PM, Edgar Carver 
wrote:

> Hello NANOG community. I was directed here by our network administrator
> since she is on vacation. Luckily, I minored in Computer Science so I have
> some familiarity.
>
> We have a small satellite campus of around 170 devices that share one
> external IPv4 and IPv6 address via NAT for internet traffic. Internal
> traffic is over an MPLS.
>
> We're having problems where viruses are getting through Firefox, and we
> think it's because our Palo Alto firewall is set to bypass filtering for
> IPv6. Unfortunately, the network admin couldn't give me the password since
> a local consultant set it up, and it seems they went out of business. I
> need to think outside the box.
>
> Is there some kind of NAT-based IPv6 firewall I can setup on the router
> that can help block viruses? I figure that's the right place to start since
> all the traffic gets funneled there. We have a Cisco Catalyst as a
> router. Or, ideally, is there an easy way to turn off IPv6 completely? I
> really don't see a need for it, any legitimate service should have an IPv4
> address.
>
> I'd really appreciate your advice. I plan to drive out there tomorrow,
> where I can get the exact model numbers and stuff.
>
> Regards,
> Dr. Edgar Carver
>


NAT firewall for IPv6?

2016-07-05 Thread Edgar Carver
Hello NANOG community. I was directed here by our network administrator
since she is on vacation. Luckily, I minored in Computer Science so I have
some familiarity.

We have a small satellite campus of around 170 devices that share one
external IPv4 and IPv6 address via NAT for internet traffic. Internal
traffic is over an MPLS.

We're having problems where viruses are getting through Firefox, and we
think it's because our Palo Alto firewall is set to bypass filtering for
IPv6. Unfortunately, the network admin couldn't give me the password since
a local consultant set it up, and it seems they went out of business. I
need to think outside the box.

Is there some kind of NAT-based IPv6 firewall I can setup on the router
that can help block viruses? I figure that's the right place to start since
all the traffic gets funneled there. We have a Cisco Catalyst as a
router. Or, ideally, is there an easy way to turn off IPv6 completely? I
really don't see a need for it, any legitimate service should have an IPv4
address.

I'd really appreciate your advice. I plan to drive out there tomorrow,
where I can get the exact model numbers and stuff.

Regards,
Dr. Edgar Carver


XO NOC

2016-07-05 Thread Morgan A. Miskell

Anyone from the XO NOC online that can help with a routing issue?
If so, contact me directly off-list please.  Oh, and due to the routing 
issue you would need to email me at mormi...@gmail.com.


--
Morgan A. Miskell
CaroNet Data Centers
704-643-8330 x206

The information contained in this e-mail is confidential and is intended
only for the named recipient(s). If you are not the intended recipient
you must not copy, distribute, or take any action or reliance on it. If
you have received this e-mail in error, please notify the sender. Any
unauthorized disclosure of the information contained in this e-mail is
strictly prohibited.




Recommendations for used satellite decoder resellers

2016-07-05 Thread Jason Lixfeld
Hello,

I’m wondering if anyone can refer me to a company they’ve used in the past who 
may have (access to) used satellite decoder equipment.  I’m in the market for 
some used Sencore kit.

Thanks in advance!

Re: IPv6 deployment excuses

2016-07-05 Thread Mike Hammett
Are you saying that functional game consoles aren't your problem? 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Masataka Ohta"  
To: "Valdis Kletnieks"  
Cc: nanog@nanog.org 
Sent: Monday, July 4, 2016 11:22:59 PM 
Subject: Re: IPv6 deployment excuses 

valdis.kletni...@vt.edu wrote: 

>> A large ISP should just set up usual NAT. In addition, 

> Thus almost guaranteeing a call to the support desk for each and every single 
> game console, because the PS3 and PS4 doesn't have a configuration interface 
> for that, and the XBox probably doesn't either (and if it does, it's probably 
> something that Joe Sixpack can't do without help). 

With usual NAT? That is not my problem. 

>> But, if you want to run a server at fixed IP address 
>> and port, port forwarding must be static. 
> 
> A laudable network design for my competitors. Feel free to deploy it at a 
> realistic sized ISP and let us know how it works out. 

Are you saying there is no realistic sized ISP offering fixed 
IP addresses without NAT? 

If not, additional setup of static port forwarding on NAT boxes 
can not be a problem. 

Masataka Ohta 





Re: IPv6 deployment excuses

2016-07-05 Thread Mikael Abrahamsson

On Tue, 5 Jul 2016, Baldur Norddahl wrote:

We will tell you to use IPv6 for that or make you pay extra for a 
dedicated IPv4 address.


That is a good solution to that problem. I hope all ISPs implementing A+P 
protocols do that. It also puts a monthly cost that teleworkers have to 
pay (or their employers have to pay) for not supporting IPv6 on their 
enterprise solutions. Hopefully that'll drive IPv6 interest in the 
enterprise space as well.


--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: IPv6 deployment excuses

2016-07-05 Thread Baldur Norddahl
On 5 July 2016 at 07:27, Mikael Abrahamsson  wrote:

> On Mon, 4 Jul 2016, Baldur Norddahl wrote:
>
> The two other technologies mentioned do the same as MAP more or less, but
>> both require carrier NAT, which is expensive for the ISP and has a lack of
>> control as seen from the end user point of view (no port forwarding etc).
>>
>
> What it does however, is make things like GRE work. Some are surprised
> that there is actually non A+P protocols being used by customers. For
> instance legacy PPTP uses this, so some business VPNs run into problem with
> MAP or LW4o6.


We will tell you to use IPv6 for that or make you pay extra for a dedicated
IPv4 address. Everyone else does not need to help pay for a CGN solution just
because you did not move ahead with IPv6.

To clarify, right now at this moment we are pure dual stack with everyone
having both their own IPv4 and a /48 IPv6 prefix. But I can see some time in
the not too distant future where there will be market acceptance of a
solution with crippled IPv4 MAP style NAT plus full connectivity using
IPv6. In fact I believe we are already there as most people really do not
care as long as their Gmail and Facebook work.

The only thing that stops me from deploying MAP is lack of vendor support.
I am working on that.

Regards,

Baldur
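Baldur's "crippled IPv4 MAP style NAT", Mikael's A+P remark, and Ohta's earlier point that static port forwarding has to work on the NAT box all come down to the same arithmetic: with MAP every subscriber behind one shared IPv4 address owns a fixed slice of the port space, and a forward to any port outside that slice is impossible no matter how the CPE is configured. The block below is an added example, not code from any poster, implementing the port-mapping algorithm of RFC 7597 Section 5.1 (offset `a`, PSID length `k`, index `M`); the parameter values used at the bottom are illustrative, not any particular ISP's deployment.

```python
"""MAP / A+P port-set arithmetic (RFC 7597, Section 5.1).

Added example, not code from the NANOG thread. A 16-bit port is split into
an offset field A (a bits), the PSID (k bits) and a contiguous index M
(16 - a - k bits); each subscriber sharing an IPv4 address gets exactly the
ports whose PSID field equals its own PSID. Parameter values in __main__
are illustrative only.
"""
from typing import List, Optional, Tuple


def port_set(psid: int, k: int, a: int = 6) -> List[Tuple[int, int]]:
    """Inclusive (low, high) port ranges assigned to one PSID.

    k: PSID length in bits; the sharing ratio is 2**k subscribers per address.
    a: offset length in bits (RFC default 6). When a > 0 the block with
       A = 0 is excluded, so with a = 6 ports 0-1023 are never assigned.
    """
    if k < 0 or a < 0 or a + k > 16:
        raise ValueError("need a >= 0, k >= 0 and a + k <= 16")
    if not 0 <= psid < (1 << k):
        raise ValueError("psid does not fit in k bits")
    m_bits = 16 - a - k              # contiguous ports per block
    first_a = 1 if a > 0 else 0      # skip A = 0 (the system-port block)
    ranges = []
    for A in range(first_a, 1 << a):
        low = (A << (16 - a)) | (psid << m_bits)
        ranges.append((low, low + (1 << m_bits) - 1))
    return ranges


def ports_in_set(psid: int, k: int, a: int = 6) -> int:
    """How many ports a subscriber actually gets."""
    return sum(high - low + 1 for low, high in port_set(psid, k, a))


def psid_of_port(port: int, k: int, a: int = 6) -> Optional[int]:
    """Which subscriber (PSID) a port on the shared address belongs to.

    Returns None for ports in the excluded A = 0 block (0-1023 at a = 6),
    which belong to nobody: traffic to them has no subscriber to go to.
    """
    if not 0 <= port <= 0xFFFF:
        raise ValueError("port out of range")
    if a > 0 and (port >> (16 - a)) == 0:
        return None
    return (port >> (16 - a - k)) & ((1 << k) - 1)


def can_forward(port: int, psid: int, k: int, a: int = 6) -> bool:
    """Whether a static inbound forward to `port` is possible for this PSID.

    Ports outside the set belong to another subscriber (or are the excluded
    system ports), so the CPE cannot offer them however it is configured.
    """
    return any(low <= port <= high for low, high in port_set(psid, k, a))


if __name__ == "__main__":
    for k in (4, 6, 8):
        print(f"k={k}: {1 << k} subscribers per address, "
              f"{ports_in_set(0, k)} ports each, first block {port_set(0, k)[0]}")
    print("PSID owning port 2000 at k=8:", psid_of_port(2000, 8))
    print("PSID 244 can forward 2000?", can_forward(2000, 244, 8))
    print("PSID 244 can forward 443?", can_forward(443, 244, 8))
```

At the default offset of 6 a 1:256 sharing ratio leaves each subscriber 252 ports, none of them below 1024, which is what makes Ohta's "run a server at a fixed IP address and port" impossible on a MAP address: a forward to 443 fails for every subscriber, and that is the point at which Baldur's "pay extra for a dedicated IPv4 address, or use IPv6" kicks in.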