On 27 Sep 2016, at 12:31, Jason Hofmann wrote:
It probably was a tough sell to get people to realize they were fully
responsible for their in-home wiring, but optional "inside wire
maintenance plans" made that clear while also adding to providers'
coffers. Perhaps something similar would
On 27 Sep 2016, at 12:14, Mark Andrews wrote:
I'm yet to see a set top box, DVR, TV, games console, phone, etc. that
didn't require selecting the WiFi SSID or require you to plug
in a ethernet cable.
I've 'seen' tens of millions of them, worldwide.
You're generalizing your particular
In message , Roland Dobbins
writes:
> On 27 Sep 2016, at 11:43, Mark Andrews wrote:
>
> > Why not? You call a washing machine mechanic when the washing machine
> > plays up. This is not conceptually different.
>
> Washing machines aren't a
On 27 Sep 2016, at 11:43, Mark Andrews wrote:
Why not? You call a washing machine mechanic when the washing machine
plays up. This is not conceptually different.
Washing machines aren't a utility. Internet is viewed as a utility.
Actually I don't believe that. They do know what machines
In message , Roland Dobbins wri
tes:
>
> On 27 Sep 2016, at 6:58, Christopher Morrow wrote:
>
> > wouldn't something as simple as netflow/sflow/ipfix synthesized on the
> > CPE and kept for ~30mins (just guessing) in a circular buffer be 'good
>
This seems to have split into a few different sub-threads and had some
cross-talk on which network is being described where (thanks in no small
part to my flub on John's figures and target), but this seems to be exactly
the kind of info folks are looking for but missing at
On 27 Sep 2016, at 6:58, Christopher Morrow wrote:
wouldn't something as simple as netflow/sflow/ipfix synthesized on the
CPE and kept for ~30mins (just guessing) in a circular buffer be 'good
enough' to present a pretty clear UI to the user?
+1 for this capability in CPE.
OTOH, it will be
In message
Therein lies the problem if the traffic does not look anomalous I suppose. But
even if it does look unusual, ISPs would be asking consumers to
trash/update/turn off a lot of devices in time – like when every home has 10s
or 100s of these devices.
ISP: Dear customer, looks like one of your
On Mon, Sep 26, 2016 at 7:49 PM, Mark Andrews wrote:
>
> Giving them real time access to the anomalous traffic log feed for
> their residence would also help. They or the specialist they bring
> in will be able to use that to trace back the problem.
>
>
wouldn't this work better
In message <20160926234142.6e7705515...@rock.dv.isc.org>, Mark Andrews writes:
>
> In message <03dc1038-024a-4d9f-ac5b-3e88cdf56...@cable.comcast.com>,
> "Livingood, Jason" writes:
> > On 9/26/16, 7:09 PM, "NANOG on behalf of Mark Andrews" > ma...@isc.org> wrote:
> > > A good ISP would be
In message <03dc1038-024a-4d9f-ac5b-3e88cdf56...@cable.comcast.com>,
"Livingood, Jason" writes:
> On 9/26/16, 7:09 PM, "NANOG on behalf of Mark Andrews" ma...@isc.org> wrote:
> > A good ISP would be informing their customers that they are seeing
> anomalous traffic.
>
> Therein lies the problem
On 9/26/16, 7:09 PM, "NANOG on behalf of Mark Andrews" wrote:
> A good ISP would be informing their customers that they are seeing anomalous
> traffic.
Therein lies the problem if the traffic does not look anomalous I suppose. But
even if it does look unusual, ISPs would be asking consumers to
On 9/25/16, 5:57 PM, "NANOG on behalf of Patrick W. Gilmore"
wrote:
> Yeah, ‘cause that was so successful in the past.
> Remember University of Wisconsin vs. D-Link and their hard-coded NTP server
> address?
Ha! Yeah, an oldie but a
In message <20160926155649.14061.qm...@ary.lan>, "John Levine" writes:
> >>That paper is about reflection attacks. From what I've read, this was
> >>not a reflection attack. The IoT devices are infected with botware
> >>which sends attack traffic directly. Address spoofing is not
Starting on 9/23 and really bad over the weekend we have had issues with end
points out on AT's US network specifically in the Texas and Michigan areas.
When our end points with AT drop, we end up losing monitored endpoints on
Level3's network as well. Really bad periods of packetloss. Both of
I think some pretty good information has surfaced, that would be
WONDERFUL to have on that site.
BCP 38 does NOT prevent multi-homed clients. Naive deployment of
BCP 38 prevents multi-homed clients. There is NOTHING in BCP 38 that
says you may not also accept other prefixes allocated to your
clients.
BCP 38 says accept allocated address, drop everything else.
Now it should be possible
Guys,
You're getting wrapped around the axle. Start by solving the 90%
problem, and worry about the 10% one later. BGP38 addresses the former
very well, and the other 10% requires enough manual labor already that
you can charge it back.
Eliot
On 9/26/16 8:44 PM, Laszlo Hanyecz wrote:
>
>
>
Hi all,
there is a well-known BLACKHOLE BGP community underway [0]: 65535:666
All transit providers and IXPs are kindly asked to support it. DE-CIX will
support this community on all its IXPs soon.
Best regards,
Thomas
[0]: https://datatracker.ietf.org/doc/draft-ietf-grow-blackholing/
On
This means we can receive some packet on transit port A and then route out
a ICMP response on port B using the interface address from port A. But
transit B filters this ICMP packet because it has a source address
belonging to transit A.
Interesting. But this looks like a feature request for
Backwards from what you want (sorted by provider rather than supported
"feature" e.g. RTBH), but:
http://onesc.net/communities/
fwiw
--
Hugo Slabbert | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E | also on Signal
On Mon 2016-Sep-26 14:23:10 -0500, George Skorup
Windstream: 7029:4507
GTT: 3257:2666
are the two I know of.
On 9/26/2016 1:58 PM, Nick Ellermann wrote:
I would love to know which ISP's support RTBH? We have struggled to get anyone
to support communities. If their website says they do, their NOC sure doesn't
know it or agree... I don't
* Baldur Norddahl:
> Den 26. sep. 2016 18.02 skrev "Mike Hammett" :
>>
>> The only asymmetric routing broken is when the source isn't in public
> Internet route-able space. That just leaves those multi-ISP WAN routers
> that NAT it.
>
> Some of our IP transits implement
Just give me thise ips so i can add em in dronebl
Kind regards,
Alexander Maassen
- Technical Maintenance Engineer Parkstad Support BV- Maintainer DroneBL-
Peplink Certified Engineer
Oorspronkelijk bericht Van: Brett Glass
Datum: 25-09-16 22:01
Den 26. sep. 2016 18.02 skrev "Mike Hammett" :
>
> The only asymmetric routing broken is when the source isn't in public
Internet route-able space. That just leaves those multi-ISP WAN routers
that NAT it.
Some of our IP transits implement filtering. All of our transits assigned
I would love to know which ISP's support RTBH? We have struggled to get anyone
to support communities. If their website says they do, their NOC sure doesn't
know it or agree... I don't want to list names here, but truly we would love
RTBH capabilities with our upstreams.
Sincerely,
Nick
On 2016-09-26 18:03, John Levine wrote:
If you have links from both ISP A and ISP B and decide to send traffic
out ISP A's link sourced from addresses ISP B allocated to you, ISP A
*should* drop that traffic on the floor.
This is a legitimate and interesting use case that is broken by BCP38.
>>>
>>> If you have links from both ISP A and ISP B and decide to send traffic
>>> out ISP A's link sourced from addresses ISP B allocated to you, ISP A
>>> *should* drop that traffic on the floor.
>
>> This is a legitimate and interesting use case that is broken by BCP38.
>
>I don't agree that
On Mon 2016-Sep-26 12:39:21 -0400, John R. Levine wrote:
If we're talking about networks with that kind of MRC, is it really
that far of a stretch to require PI space for this? Then again:
If we're talking about that kind of MRC, then I'm assuming ISP A
can be coaxed to
If we're talking about networks with that kind of MRC, is it really that far
of a stretch to require PI space for this? Then again: If we're talking
about that kind of MRC, then I'm assuming ISP A can be coaxed to allow
explicit and well-defined exceptions on the customer's links.
Yes.
A)
On Mon 2016-Sep-26 12:25:58 -0400, John R. Levine wrote:
I gather the usual customer response to this is "if you don't want our
$50K/mo, I'm sure we can find another ISP who does."
I myself am talking about the latter and included the option of PI
space to cover that
I would assume that on a broadband grade connection it shouldn't work unless
you have a niche player and proper LOA.
I would assume that on a BGP level circuit that it would work, again, given
proper documentation (LOAs, IRRDB entry, etc.). IRRDBs make this wonderfully
easier. By default,
On 26 September 2016 at 16:47, Laszlo Hanyecz wrote:
>
> On 2016-09-26 15:12, Hugo Slabbert wrote:
>
>>
>> If you have links from both ISP A and ISP B and decide to send traffic
>> out ISP A's link sourced from addresses ISP B allocated to you, ISP A
>> *should* drop that
On Mon 2016-Sep-26 09:21:55 -0700, Hugo Slabbert wrote:
On Mon 2016-Sep-26 11:15:11 -0500, Mike Hammett wrote:
- Original Message -
From: "John Levine"
To: nanog@nanog.org
Sent: Monday, September 26, 2016 11:04:33 AM
Subject:
On Mon 2016-Sep-26 11:15:11 -0500, Mike Hammett wrote:
- Original Message -
From: "John Levine"
To: nanog@nanog.org
Sent: Monday, September 26, 2016 11:04:33 AM
Subject: Re: Request for comment -- BCP38
If you have links from both ISP A and ISP B
Are you talking BGP level customers or individual small businesses' broadband
service?
-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
- Original Message -
From: "John Levine"
To: nanog@nanog.org
>If you have links from both ISP A and ISP B and decide to send traffic out
>ISP A's link sourced from addresses ISP B allocated to you, ISP A *should*
>drop that traffic on the floor. There is no automated or scalable way for
>ISP A to distinguish this "legitimate" use from spoofing; unless
On 9/26/16 07:47, Stephen Satchell wrote:
On 09/26/2016 07:11 AM, Paul Ferguson wrote:
No -- BCP38 only prescribes filtering outbound to ensure that no
packets leave your network with IP source addresses which are not
from within your legitimate allocation.
So, to beat that horse to a
The only asymmetric routing broken is when the source isn't in public Internet
route-able space. That just leaves those multi-ISP WAN routers that NAT it.
-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com
- Original
>>That paper is about reflection attacks. From what I've read, this was
>>not a reflection attack. The IoT devices are infected with botware
>>which sends attack traffic directly. Address spoofing is not particularly
>>useful for controlling botnets.
>
>But that's not only remaining use of
On 2016-09-26 15:12, Hugo Slabbert wrote:
On Mon 2016-Sep-26 10:47:24 -0400, Ken Chase wrote:
This might break some of those badly-behaving "dual ISP" COTS routers
out there
that use different inbound from outbound paths since each is the
fastest of
either link.
As it
On Mon, Sep 26, 2016 at 7:23 AM, Mark Milhollan wrote:
>
> On Sun, 25 Sep 2016, Stephen Satchell wrote:
>
> >Yeah, right. I looked at BCP38.info, and there is very little concrete
> >information.
>
> Yeah, it's pretty naked. But how-to isn't the usual stumbling block, as
>
On Sun, 25 Sep 2016, Stephen Satchell wrote:
>Yeah, right. I looked at BCP38.info, and there is very little concrete
>information.
Yeah, it's pretty naked. But how-to isn't the usual stumbling block, as
has been pointed out in this thread there needs to be the will to spend
resources
On Mon 2016-Sep-26 10:47:24 -0400, Ken Chase wrote:
This might break some of those badly-behaving "dual ISP" COTS routers out there
that use different inbound from outbound paths since each is the fastest of
either link.
As it should.
If you have links from both ISP A and
On Mon 2016-Sep-26 07:47:50 -0700, Stephen Satchell wrote:
On 09/26/2016 07:11 AM, Paul Ferguson wrote:
No -- BCP38 only prescribes filtering outbound to ensure that no
packets leave your network with IP source addresses which are not
from within your legitimate
> On Sep 26, 2016, at 7:47 AM, Stephen Satchell wrote:
>
> On 09/26/2016 07:11 AM, Paul Ferguson wrote:
>> No -- BCP38 only prescribes filtering outbound to ensure that no
>> packets leave your network with IP source addresses which are not
>> from within your legitimate
I've used HE's tunnelbroker (BGP) a few times to get our ARIN space to a site
while waiting on a local carrier to turn up v6, get the proper LOA, etc.
I've received better service from the NOC there for a service I didn't pay for
than I have from any ISP I've ever given money. They are doing a
Re Stephen,
> So, to beat that horse to a fare-thee-well, to be BCP38 compliant I need, on
> every interface sending packets out to the internet, to block any source
> address matching a subnet in the BOGON list OR not matching any of my
> routeable network subnets? Plus add null-route entries
Followup: we did the quote/PO/sign-the-order dance. That took about 3-4 days
not including our side's lag (which was not insignificant, Im not the guy with
the pen). But now it's gone to provisioning and will be a standard *5 days*.
Cogent will do this in about 1-6 hours if you provide the LOA's
On 09/26/2016 07:11 AM, Paul Ferguson wrote:
No -- BCP38 only prescribes filtering outbound to ensure that no
packets leave your network with IP source addresses which are not
from within your legitimate allocation.
So, to beat that horse to a fare-thee-well, to be BCP38 compliant I
need, on
This might break some of those badly-behaving "dual ISP" COTS routers out there
that use different inbound from outbound paths since each is the fastest of
either link.
I did this manually when I was messing around with multiple broadband links on
a fbsd router years ago, was glad it worked at
No -- BCP38 only prescribes filtering outbound to ensure that no packets leave
your network with IP source addresses which are not from within your legitimate
allocation.
- ferg
On September 26, 2016 7:05:49 AM PDT, Stephen Satchell
wrote:
>Is this an accurate thumbnail
Is this an accurate thumbnail summary of BCP38 (ignoring for the moment
the issues of multi-home), or is there something I missed?
The basic philosophy of BCP38 boils down to two axioms:
Don't let the "bad stuff" into your router
Don't let the "bad stuff" leave your router
Looks like they're announcing quite a bit
-Original Message-
From: "Adam Greene"
Sent: Monday, September 26, 2016 8:52am
To: nanog@nanog.org
Subject: AS4233852001 advertising 192.0.0.0/2?
We were alerted to this by https://radar.qrator.net.
This seems
On Sun, 25 Sep 2016 22:59:15 +
Stephen Satchell wrote:
> In short, I have yet to see a "cookbook" for BGP38 filtering, for ANY
> filtering system -- BSD, Linux, Cisco.
There is some here for integrating Team Cymru's bogon BGP service into
various router platforms:
> From: "Owen DeLong"
>
>> I know, but for the "server guys" turning on IPv6 it's pretty low on
>> priority list.
>
> Which is a selfish, arrogant, and extremely short-sighted and unenlightened
> view of self-interest.
Yes, yes, but is it economically rational?
Jared
On Mon, Sep 26, 2016 at 08:52:20AM -0400, Adam Greene wrote:
> We were alerted to this by https://radar.qrator.net.
>
> This seems wrong from a number of angles .
Maybe the alerting system was confused. I don't see this confirmed in
RIPE RIS: https://stat.ripe.net/AS4233852001#tabId=routing
We were alerted to this by https://radar.qrator.net.
This seems wrong from a number of angles .
Adam
On Mon, Sep 26, 2016, at 01:01, Mark Andrews wrote:
>
> In message
> <1474840690.4107784.736591409.28e80...@webmail.messagingengine.com>,
> "Radu-Adrian Feurdean" writes:
> >
> > I know, but for the "server guys" turning on IPv6 it's pretty low on
> > priority list.
>
> Are those server guys
❦ 26 septembre 2016 09:14 CEST, valdis.kletni...@vt.edu :
>> Linux:
>> From /etc/sysctl.conf:
>>
>> # Uncomment the next two lines to enable Spoof protection (reverse-path=20
>> # filter)
>> # Turn on Source Address Verification in all interfaces to
>> # prevent some spoofing attacks
>>
On Sun, 25 Sep 2016 21:19:31 -0700, Hugo Slabbert said:
> Linux:
> From /etc/sysctl.conf:
>
> # Uncomment the next two lines to enable Spoof protection (reverse-path=20
> # filter)
> # Turn on Source Address Verification in all interfaces to
> # prevent some spoofing attacks
>
Hi Ryan,
On 9/25/16 11:50 PM, ryan landry wrote:
> for isp's it's a resourcing vs revenue problem. always has been.
Sure. The question is whether IoT can make a change in consumer
attitudes. Riek, Bohme, et al have been working on this [1]. And there
is earlier work as well. What that
63 matches
Mail list logo