Re: WiFi - login page redirection not working

2017-11-30 Thread Vincent Bernat
 ❦ 30 November 2017 18:26 -0800, Owen DeLong:

>> SSL requests are.  For example, Google caches their 301 redirect
>> from http://www.google.com  to
>> https://www.google.com  which means clients
>> that had access while that browser ps stays active will still
>> attempt https instead of http, regardless of what you actually type.
>
> Right, you’re talking about HSTS as I mentioned below.
>
> However, if there’s a well known URL for getting the captive portal to
> work (e.g. http://captive.portal), then we educate users (or
> browsers that they can type captive.portal (or whatever URL we choose)
> instead of google (which was my traditional go to before HSTS,
> I admit) and voila… Problem solved.

You can use http://neverssl.com/.

But as mentioned earlier in the discussion, most OS have a non-HTTPS URL
to detect a captive portal. They can display notifications to the user
when they detect a captive portal. Browsers have that too.

iOS/macOS: http://captive.apple.com/hotspot-detect.html
Windows: http://www.msftncsi.com/ncsi.txt
Ubuntu: http://start.ubuntu.com/connectivity-check
Firefox: http://detectportal.firefox.com/
Chromium: http://clients3.google.com/generate_204

DHCP and neighbor discovery can also provide the information of the
login page: https://tools.ietf.org/html/rfc7710
-- 
After all, all he did was string together a lot of old, well-known quotations.
-- H. L. Mencken, on Shakespeare
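The probe URLs Vincent lists all work the same way: the client fetches a known plain-HTTP resource and expects one exact answer, and a captive portal cannot forge that answer without first letting the traffic through. The following script is an added example written for this digest (not code from the thread or from any of the operating-system vendors named); the expected status code and body token per URL are this example's assumptions about each endpoint, and the `probe()` helper needs network access, so only `classify_probe()` is exercised offline.

```python
"""Classify captive-portal probe responses (added example, not from the thread)."""
import urllib.error
import urllib.request

# Expected "open Internet" answer for each probe URL named in the thread.
# Status codes and body tokens are this example's assumptions, not facts
# stated in the thread.
PROBES = {
    "http://clients3.google.com/generate_204":      {"status": 204, "token": b""},
    "http://start.ubuntu.com/connectivity-check":   {"status": 204, "token": b""},
    "http://captive.apple.com/hotspot-detect.html": {"status": 200, "token": b"Success"},
    "http://www.msftncsi.com/ncsi.txt":             {"status": 200, "token": b"Microsoft NCSI"},
    "http://detectportal.firefox.com/":             {"status": 200, "token": b"success"},
}


def classify_probe(url, status, body):
    """Classify one plain-HTTP probe answer as 'open', 'captive' or 'unknown'.

    A portal either redirects the probe (3xx to its login page) or answers
    with its own HTML and status 200.  Only the exact expected status plus
    body token means the client really reaches the Internet."""
    expected = PROBES.get(url)
    if expected is None:
        return "unknown"                  # not a probe whose answer we know
    if 300 <= status < 400:
        return "captive"                  # redirected, typically to the login page
    if status == expected["status"] and expected["token"] in body:
        return "open"
    if status == 200:
        return "captive"                  # a 200 that is not the probe token: intercepted
    return "unknown"                      # 4xx/5xx says nothing either way


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers as HTTPError instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=5):
    """Fetch one probe URL without following redirects and classify the answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify_probe(url, resp.status, resp.read())
    except urllib.error.HTTPError as err:      # includes the un-followed 3xx
        return classify_probe(url, err.code, err.read())
    except urllib.error.URLError:              # DNS failure or timeout
        return "unknown"


if __name__ == "__main__":
    for probe_url in PROBES:
        print(f"{probe_url:48} {probe(probe_url)}")
```

Because every probe is plain HTTP, none of them is affected by a cached 301 or an HSTS policy, which is exactly why the OS and browser checks keep working when typing google.com into the address bar does not.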


RE: End of 2017 hurricane season

2017-11-30 Thread John Souvestre
Any idea what their pre and post traffic levels are?

John

    John Souvestre - New Orleans LA

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Sean Donelan
Sent: 2017 November 30, Thu 21:35
To: nanog@nanog.org
Subject: End of 2017 hurricane season


November 30 is the official end of hurricane season in North America.

Puerto Rico's Internet routing announcements are 95% of pre-Maria levels.

US Virgin Islands Internet routing announcements are 80% of pre-Maria 
levels.

The #(provider name)sucks tweets on twitter in South Florida and South 
Texas have essentially stopped. I assume this means that providers 
have repaired almost all Hurricane Harvey and Hurricane Irma damage.




Re: Arista Layer3

2017-11-30 Thread Colton Conor
Jared,

Which Arista box do you use for FTTH features? What's the cost like, as FTTH
boxes are usually inexpensive, and Arista is not known to be inexpensive
compared to something like Calix or Adtran.

On Thu, Nov 30, 2017 at 1:32 PM, Jared Mauch  wrote:

>
>
> > On Nov 30, 2017, at 2:17 PM, Ken Chase  wrote:
> >
> > Back to this discussion! :) Arista as a viable full-table PE router. Was
> hoping
> > for better experience reports since last mention.
> >
> > To make the Q bit more general, are there any PE routers yet that can
> handle 3-8
> > full feeds and use an amp and 1U or so instead of 5 and 4U? Or we're into
> whitebox/
> > open routers still for that (bird/openbgp?) or microtiks?
>
> The 7280 is likely what you’re looking at.  Lots of folks also use
> MikroTik as well if
> the traffic is in the 1G range or so.
>
> I for one use Arista for Layer3 for FTTH purposes as it gives me good
> software/hardware
> support for my features.
>
> - Jared


End of 2017 hurricane season

2017-11-30 Thread Sean Donelan


November 30 is the official end of hurricane season in North America.

Puerto Rico's Internet routing announcements are 95% of pre-Maria levels.

US Virgin Islands Internet routing announcements are 80% of pre-Maria 
levels.


The #(provider name)sucks tweets on twitter in South Florida and South 
Texas have essentially stopped. I assume this means that providers 
have repaired almost all Hurricane Harvey and Hurricane Irma damage.




Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread John R. Levine

 Yeah, that's what ARC is intended to do.


Hum.  My understanding of ARC is that it's a way for a server to assert 
things about what it received.  -  Whereas my interpretation of what we were 
discussing is the sender authorizing intermediary MTAs to send the message. 
The former is after the fact, and the latter is beforehand.


I did a draft of a double signing thing that let the sender say who's 
expected to sign a modified forwarded version.  The big mail systems 
weren't interested.  They want the recipient system to decide.


https://datatracker.ietf.org/doc/draft-levine-dkim-conditional/

Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread Grant Taylor via NANOG

On 11/30/2017 06:47 PM, John Levine wrote:
I suppose that would make sense for the 0.1% of mailing lists run by 
people with the skill and interest to hack on their list software.


I guess I'm in the 0.1% then.


ATPS was an experiment that failed.  Nobody uses it, it didn't scale.


That's sort of what I've gathered.

I can't help but note the absence of S/MIME signatures on roughly 100% 
of all of the messages in this thread.


I believe that's because the mailing list strips non-text MIME parts, 
including the S/MIME signatures.



Yeah, that's what ARC is intended to do.


Hum.  My understanding of ARC is that it's a way for a server to assert 
things about what it received.  -  Whereas my interpretation of what we 
were discussing is the sender authorizing intermediary MTAs to send the 
message.  The former is after the fact, and the latter is beforehand.




--
Grant. . . .
unix || die



smime.p7s
Description: S/MIME Cryptographic Signature


Re: WiFi - login page redirection not working

2017-11-30 Thread Owen DeLong

> On Nov 30, 2017, at 13:24 , Josh Luthman  wrote:
> 
> non-SSL requests are not the issue.
> 
> SSL requests are.  For example, Google caches their 301 redirect from 
> http://www.google.com  to https://www.google.com 
>  which means clients that had access while that 
> browser ps stays active will still attempt https instead of http, regardless 
> of what you actually type.

Right, you’re talking about HSTS as I mentioned below.

However, if there’s a well known URL for getting the captive portal to work 
(e.g. http://captive.portal), then we educate users (or
browsers that they can type captive.portal (or whatever URL we choose) instead 
of google (which was my traditional go to before HSTS,
I admit) and voila… Problem solved.

I’m fortunate enough to have my own non-HSTS domain that I use for this purpose 
and it’s quite easy and effective.

Owen

> 
> 
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
> 
> On Thu, Nov 30, 2017 at 1:08 PM, Owen DeLong  > wrote:
> 
> > On Nov 30, 2017, at 08:20 , Josh Luthman  > > wrote:
> >
> >> If TLS  would somehow allow you to redirect...
> >
> > No but it would be nice to have a solution that redirects the user instead
> > of "this page can't load" creating confusion.
> 
> A well-known non-SSL (non-HSTS) URL that users could use for this purpose 
> would
> serve the same purpose without producing the security problems mentioned.
> 
> Owen
> 
> >
> >
> > Josh Luthman
> > Office: 937-552-2340 
> > Direct: 937-552-2343 
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
> > On Thu, Nov 30, 2017 at 2:02 AM, Jimmy Hess  > > wrote:
> >
> >> On Wed, Nov 29, 2017 at 10:34 PM, Ramy Hashish  >> >
> >> wrote:
> >>
> >>
> >>> Two points with this problem: 1)Is there a "non client" solution to the
> >>> problem of the WiFi login notification not showing up on the clients
> >> after
> >>> connecting to the WiFi network?
> >>>
> >>
> >> A  Captive portal  embedding WispR  XML data
> >> for connections from browsers/OSes that request a test page upon network
> >> access.
> >> https://stackoverflow.com/questions/3615147/how-to- 
> >> 
> >> create-wifi-popup-login-page
> >>
> >> However if WPA2 authentication is not method used for access,  then network
> >> traffic is
> >> vulnerable and not secured.
> >>
> >> AP solutions that are non-standard being a "Non client" solution and using
> >> "Open Wireless" mode SSIDs are likely so deficient in security as to be
> >> an unreasonable risk for users to actually connect to.
> >>
> >>
> >>> Second, anything to be done from the AP to show the landing page even if
> >>> the page requested is HTTPs?
> >>>
> >>
> >> If TLS  would somehow allow you to redirect or create a HTTPS connection
> >> from
> >> a domain name that is not yours, then this could obviously be exploited for
> >> attacks.
> >>
> >> --
> >> -JH
> >>
> 
> 



Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread John Levine
In article <3d84c686-aa5f-8180-8a37-be77fef94...@tnetconsulting.net> you write:
>I would also configure MLMs to forward unknown bounces to the -owner. 
>Hopefully the -owner would then feed (a sanitized copy of) the unknown 
>bounce type the MLM maintainer(s) to improve said MLM.

I suppose that would make sense for the 0.1% of mailing lists run by
people with the skill and interest to hack on their list software.

>> It's a rathole, it doesn't scale, and it is not a bug that you can 
>> send mail to people who you don't already know.
>
>I wasn't aware that DKIM-ATPS necessitated needing to know who you were 
>going to send to.

ATPS was an experiment that failed.  Nobody uses it, it didn't scale.

>> If identities were a magic bullet, we'd all be signing with S/MIME.
>
>I am (and have been for years) a proponent of S/MIME.

I can't help but note the absence of S/MIME signatures on roughly 100%
of all of the messages in this thread.

>(I think we're still talking about how can an intermediate mail server 
>be authorized to be part of the SMTP end-to-end mail delivery chain. 
>Even if said intermediate mail server is downstream of the sender.)

Yeah, that's what ARC is intended to do.

R's,
John


Re: Arista Layer3

2017-11-30 Thread joel jaeggli
On 11/30/17 13:00, Ken Chase wrote:
>   >Arista DCS-7280SRA-48C6 is a 1ru box.
>   >
>   >Has a nominally million route fib, Jericho+ 8GB of packet buffer.
>   >control-plane is 8GB of ram and AMD GX-424CC SOC which is 4 core 2.4ghz.
>   >We do direct fib injection with bird rather than the arista bgpd but the
>   >control-plane is capable of managing quite a few bgp sessions.
>   >
>   >the 1/2ru 7280CR2K-30 and 60 are 2m route fib boxes with still heftier
>   >control planes but they're a different class of box being all 100G and
>   >requiring multi-chip/internal fabrics.
>
> Sounds pretty good - hows your power draw on that thing? Why'd you pick Bird
> in this case?
this is a standard SR that's moderately busy but not exactly slammed; I'd
be impressed if you could triple that at full tilt.

#show environment power
Power                           Input    Output   Output
Supply  Model        Capacity   Current  Current  Power    Status
------  -----------  ---------  -------  -------  -------  ------
1       PWR-500AC-R  500W       0.35A    5.27A    62.8W    Ok
2       PWR-500AC-R  500W       0.32A    4.81A    56.4W    Ok
Total   --           1000W      --       --       119.1W   --

bird had memory footprint going with it as well as some local
modification and we hacked addpath into it a few years ago. filtering
policy is something we programmatically generate and interact with via
agents so a traditional style monolithic config isn't that useful.


> /kc
>
>
>   >> /kc
>   >>
>   >> On Thu, Nov 30, 2017 at 10:45:09AM -0800, Tyler Conrad said:
>   >>   >For Enterprise/DC, it works great. For service provider, they're not 
> 100%
>   >>   >yet. The main issue is going to be around VRFs, as there's no 
> interaction
>   >>   >between them (at least in the code version I'm on, that may have 
> changed
>   >>   >recently or be changing soon). They'll work great as a P-Router, but 
> if you
>   >>   >need a PE with route leaking I'd look at another vendor.
>   >>   >
>   >>   >I use a couple pairs of 7280SRs as edge routers/border leaves. 
> Multiple
>   >>   >full table feeds without any issue.
>   >>   >
>   >>   >On Thu, Nov 30, 2017 at 10:36 AM, Romeo Czumbil 
>>>   >> wrote:
>   >>   >
>   >>   >> So I've been using Arista as layer2 for quite some time, and I'm 
> pretty
>   >>   >> happy with them.
>   >>   >> Kicking the idea around to turn on some Layer3 features but I've 
> been
>   >>   >> hearing some negative feedback.
>   >>   >> The people that I did hear negative feedback don't use Arista 
> themselves.
>   >>   >> (they just heard)
>   >>   >>
>   >>   >> So do we have any Arista L3 people out here that can share some 
> negatives
>   >>   >> or positives?
>   >>   >>
>   >>   >> Use case: Just some MPLS IPv4/IPv6 routing, l2vpn OSPF/BGP
>   >>   >> Maybe 20k routes (no full internet routes)
>   >>   >> 7050 Series
>   >>   >> 7280 Series
>   >>   >>
>   >>   >> -Romeo
>   >>   >>
>   >>
>   >
>   >
>
>
>
>




signature.asc
Description: OpenPGP digital signature


Re: Arista Layer3

2017-11-30 Thread Nick Hilliard
Ken Chase wrote:
> Sounds pretty good - hows your power draw on that thing? Why'd you pick Bird
> in this case?

this is a 7280SR pushing ~130G-140G of traffic in/out with about 75% of
the ports lit:

> Router#show env power
> Power                           Input    Output   Output
> Supply  Model        Capacity   Current  Current  Power    Status
> ------  -----------  ---------  -------  -------  -------  ------
> 1       PWR-500AC-F  500W       0.37A    5.89A    70.6W    Ok
> 2       PWR-500AC-F  500W       0.39A    6.30A    75.6W    Ok
> Total   --           1000W      --       --       146.2W   --
> Router#

Also:

> To make the Q bit more general, are there any PE routers yet that can handle 
> 3-8
> full feeds and use an amp and 1U or so instead of 5 and 4U?

juniper claims that the mx204 has a typical power draw of ~250W.

Nick



Re: Arista Layer3

2017-11-30 Thread Job Snijders
On Thu, Nov 30, 2017 at 10:38:53PM +, Nick Hilliard wrote:
> Jared Mauch wrote:
> > Lots of folks also use MikroTik as well if the traffic is in the 1G
> > range or so.
> 
> mikrotik support for ipv6 is still dodgy: recursive next-hop is not
> supported in bgp/ipv6:
> 
> https://forum.mikrotik.com/viewtopic.php?t=123964#p610239
> 
> ...  and OSPFv3 routes with the local-address flag set are dropped:
> 
> https://forum.mikrotik.com/viewtopic.php?t=51124#p319794
> 
> Between the two of these feature deficits, ipv6 isn't a runner on this
> platform in a SP environment.  Both problems are due to be resolved in
> routeros v7, but the release date for this is elusive.
> 
> Also, the bgp stack is single-threaded and the individual core speeds
> are relatively low, so operating these devices in the ipv4 dfz can be
> troublesome.

And still no support for BGP Large Communities! :(

http://largebgpcommunities.net/implementations/

Kind regards,

Job


Re: Arista Layer3

2017-11-30 Thread Nick Hilliard
Jared Mauch wrote:
> Lots of folks also use MikroTik as well if the traffic is in the 1G
> range or so.

mikrotik support for ipv6 is still dodgy: recursive next-hop is not
supported in bgp/ipv6:

https://forum.mikrotik.com/viewtopic.php?t=123964#p610239

...  and OSPFv3 routes with the local-address flag set are dropped:

https://forum.mikrotik.com/viewtopic.php?t=51124#p319794

Between the two of these feature deficits, ipv6 isn't a runner on this
platform in a SP environment.  Both problems are due to be resolved in
routeros v7, but the release date for this is elusive.

Also, the bgp stack is single-threaded and the individual core speeds
are relatively low, so operating these devices in the ipv4 dfz can be
troublesome.

Nick


Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread bzs

I'd love to hear, not here particularly, from someone very
knowledgeable about the history of postal fraud and abuse.

I suspect there are more than a few parallels and we'd find out how
much of our efforts amount to reinventing wheels once one peels away
the technical abstractions and jargon. Basically authentication for
starters.

(And if someone is about to explain the difference between paper and
electronic mail, per piece cost and all that, please spare us.)

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread John R. Levine

It's a one way correlation.  If the rDNS is busted, you can be pretty
sure you don't want the mail.  If the rDNS is OK, you need more clues.


Pretty sure, but far from certain.

Even this one-way correlation is rather tenuous. It’s mostly harmless because
everyone knows that mail servers are filtering on this basis and legitimate
senders therefore force themselves into workarounds.


Having talked to a lot of people who run large mail systems, it's much 
simpler than that.  If you want people to accept your mail, you better 
have your DNS under control.  If it's not important enough to you to make 
your DNS work, it's not important enough to me to look at what you might 
try to send.



Fortunately for everyone’s sake, Bjørn, while he may not like it, seems to find
a way to send his email via some mechanism that allows me to receive it from
a  host that has working rDNS.


Yeah, funny about that.


Spamassassin is as good an example as any and while it can be effective if 
you’ve
got the cycles to keep it constantly updated and fed with new information and…,
it’s a rather large PITA for a small site with an admin that needs to count on
most things running on autopilot most of the time in order to survive.


That would be me, a daily cron job to install updates does the trick. 
It's not perfect but it's good enough.



People who want to be malicious are usually less willing to do so if they know 
that
they will be identified, so actually, it does help.

i.e. rarely do bank robbers sign their names to the robbery note.


Of course not.  What it means is that now they attack the authentication 
systems.  They do so in many ways, from stealing grandma's credentials on 
botted computers to buying SIMs in bulk to defeat schemes that want to tie 
a unique phone number to each account.


Regards,
John Levine, jo...@iecc.com, Primary Perpetrator of "The Internet for Dummies",
Please consider the environment before reading this e-mail. https://jl.ly


Re: WiFi - login page redirection not working

2017-11-30 Thread Josh Luthman
non-SSL requests are not the issue.

SSL requests are.  For example, Google caches their 301 redirect from
http://www.google.com to https://www.google.com which means clients that
had access while that browser ps stays active will still attempt https
instead of http, regardless of what you actually type.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Thu, Nov 30, 2017 at 1:08 PM, Owen DeLong  wrote:

>
> > On Nov 30, 2017, at 08:20 , Josh Luthman 
> wrote:
> >
> >> If TLS  would somehow allow you to redirect...
> >
> > No but it would be nice to have a solution that redirects the user
> instead
> > of "this page can't load" creating confusion.
>
> A well-known non-SSL (non-HSTS) URL that users could use for this purpose
> would
> serve the same purpose without producing the security problems mentioned.
>
> Owen
>
> >
> >
> > Josh Luthman
> > Office: 937-552-2340
> > Direct: 937-552-2343
> > 1100 Wayne St
> > Suite 1337
> > Troy, OH 45373
> >
> > On Thu, Nov 30, 2017 at 2:02 AM, Jimmy Hess  wrote:
> >
> >> On Wed, Nov 29, 2017 at 10:34 PM, Ramy Hashish  >
> >> wrote:
> >>
> >>
> >>> Two points with this problem: 1)Is there a "non client" solution to the
> >>> problem of the WiFi login notification not showing up on the clients
> >> after
> >>> connecting to the WiFi network?
> >>>
> >>
> >> A  Captive portal  embedding WispR  XML data
> >> for connections from browsers/OSes that request a test page upon network
> >> access.
> >> https://stackoverflow.com/questions/3615147/how-to-
> >> create-wifi-popup-login-page
> >>
> >> However if WPA2 authentication is not method used for access,  then
> network
> >> traffic is
> >> vulnerable and not secured.
> >>
> >> AP solutions that are non-standard being a "Non client" solution and
> using
> >> "Open Wireless" mode SSIDs are likely so deficient in security as to be
> >> an unreasonable risk for users to actually connect to.
> >>
> >>
> >>> Second, anything to be done from the AP to show the landing page even
> if
> >>> the page requested is HTTPs?
> >>>
> >>
> >> If TLS  would somehow allow you to redirect or create a HTTPS connection
> >> from
> >> a domain name that is not yours, then this could obviously be exploited
> for
> >> attacks.
> >>
> >> --
> >> -JH
> >>
>
>


Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread Grant Taylor via NANOG

On 11/30/2017 12:16 PM, Owen DeLong wrote:
it’s a rather large PITA for a small site with an admin that needs to count on 
most things running on autopilot most of the time in order to survive.


I have to disagree with that.

I've been running SpamAssassin for > 15 years and have found it to be 
mostly trouble free.  -  I have cron jobs update its files and rely on 
milters to accept / tag / reject messages.  -  I spend very little time 
caring for / feeding SpamAssassin.  (Probably < 5 minutes a month.)


Sure, I occasionally fiddle with things, but that's because I want to, 
not because I need to.


So, while it might be a higher-quality solution, I’d argue that it’s not completely 
“better” in that any autopilotable configuration of it involves a high degree of 
false negatives or an unacceptable level of false positives.


I've had fairly good luck with autopilot.  I also don't see many false 
negatives.  Nor do people report false positives to me.  (Granted, I tag 
at 5 and reject at 15.)



People who want to be malicious are usually less willing to do so if they know 
that
they will be identified, so actually, it does help.


Agreed.



--
Grant. . . .
unix || die



smime.p7s
Description: S/MIME Cryptographic Signature


Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread Owen DeLong

> On Nov 30, 2017, at 12:11 , valdis.kletni...@vt.edu wrote:
> 
> On Thu, 30 Nov 2017 11:16:09 -0800, Owen DeLong said:
>> i.e. rarely do bank robbers sign their names to the robbery note.
> 
> An amazing number of them use a deposit slip with their name on it for the 
> note.

I’m guessing that the ones that do so only do so once.

Owen



Re: Arista Layer3

2017-11-30 Thread Ken Chase
  >Arista DCS-7280SRA-48C6 is a 1ru box.
  >
  >Has a nominally million route fib, Jericho+ 8GB of packet buffer.
  >control-plane is 8GB of ram and AMD GX-424CC SOC which is 4 core 2.4ghz.
  >We do direct fib injection with bird rather than the arista bgpd but the
  >control-plane is capable of managing quite a few bgp sessions.
  >
  >the 1/2ru 7280CR2K-30 and 60 are 2m route fib boxes with still heftier
  >control planes but they're a different class of box being all 100G and
  >requiring multi-chip/internal fabrics.

Sounds pretty good - hows your power draw on that thing? Why'd you pick Bird
in this case?

/kc


  >> /kc
  >>
  >> On Thu, Nov 30, 2017 at 10:45:09AM -0800, Tyler Conrad said:
  >>   >For Enterprise/DC, it works great. For service provider, they're not 
100%
  >>   >yet. The main issue is going to be around VRFs, as there's no 
interaction
  >>   >between them (at least in the code version I'm on, that may have changed
  >>   >recently or be changing soon). They'll work great as a P-Router, but if 
you
  >>   >need a PE with route leaking I'd look at another vendor.
  >>   >
  >>   >I use a couple pairs of 7280SRs as edge routers/border leaves. Multiple
  >>   >full table feeds without any issue.
  >>   >
  >>   >On Thu, Nov 30, 2017 at 10:36 AM, Romeo Czumbil 
>   >> wrote:
  >>   >
  >>   >> So I've been using Arista as layer2 for quite some time, and I'm 
pretty
  >>   >> happy with them.
  >>   >> Kicking the idea around to turn on some Layer3 features but I've been
  >>   >> hearing some negative feedback.
  >>   >> The people that I did hear negative feedback don't use Arista 
themselves.
  >>   >> (they just heard)
  >>   >>
  >>   >> So do we have any Arista L3 people out here that can share some 
negatives
  >>   >> or positives?
  >>   >>
  >>   >> Use case: Just some MPLS IPv4/IPv6 routing, l2vpn OSPF/BGP
  >>   >> Maybe 20k routes (no full internet routes)
  >>   >> 7050 Series
  >>   >> 7280 Series
  >>   >>
  >>   >> -Romeo
  >>   >>
  >>
  >
  >






RE: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread Keith Medcalf
On Thursday, 30 November, 2017 10:55, Bjørn Mork , wrote:

>Steve Atkins  writes:

>>> On Nov 30, 2017, at 1:22 AM, Bjørn Mork  wrote:

>>> "John Levine"  writes:

>> It tells you something about the competence of the operator and
>> whether the host is intended by the owners to send email.

>No.  It only tells you something about the administrative split
>between IP address management and host management.

>There is no way my laptop is going to be able to update the rDNS for
>all addresses it will use in different networks.  This does in no way
>affect its MTA configuration.

Your Laptop should not be an MTA.  Perhaps it is an authenticated submission 
agent sending to MTA, but without properly configured forward/reverse DNS it is 
not an MTA.  Many systems will not accept SMTP from it unless it can 
authenticate.

>> Or, for a more empirical way to look at it, there's reasonable
>> correlation between having missing, generic or incorrect reverse
>> DNS and the host being a source of unwanted or malicious email.

>Really?  Where did you get those numbers?  This is a myth.  Spam
>sources are average Internet hosts.  The split between working and non-
>working rDNS is mostly between IPv4 and IPv6, not between ham and spam.

You are incorrect.  If DNS is not configured correctly then the spam to ham 
ratio is pretty much 100% spam with no ham.

>And if there is some correlation there, then I'd say that an IPv4 host is
>more likely to be a spam source than a dual stack or IPv6 only host.

Actually, you are incorrect again.  In order of "Spaminess" (most spammy first) 
you have the following order:

IPv4 with incorrectly configured DNS.
IPv6 without regard for DNS configuration.
IPv4 with correctly configured DNS.






Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread Grant Taylor via NANOG

On 11/30/2017 11:30 AM, John Levine wrote:
If you look at the bounce handling in packages like sympa and mailman, 
they have lots of heuristics to try to figure out what bounces mean. 
 They work OK but I agree they are far from perfect.


I never have.  Further, I think I'd like to not go insane.

I naively would expect that one would look for the most common bounce 
format (likely standard DSN), then the next most common, ... rinse, 
lather, repeat.


I'd bet that between three and eight formats in, you would have a VERY 
LARGE portion of bounces covered.


I would also configure MLMs to forward unknown bounces to the -owner. 
Hopefully the -owner would then feed (a sanitized copy of) the unknown 
bounce type the MLM maintainer(s) to improve said MLM.


It's a rathole, it doesn't scale, and it is not a bug that you can 
send mail to people who you don't already know.


I wasn't aware that DKIM-ATPS necessitated needing to know who you were 
going to send to.


I thought DKIM-ATPS was meant to allow a 3rd party that you contract to 
be an "Authorized Third (party) Sender" of email for your domain.


Though, that doesn't do anything for recipients forwarding to their new 
mailbox.



If identities were a magic bullet, we'd all be signing with S/MIME.


I am (and have been for years) a proponent of S/MIME.  Though I don't 
think that it really does anything to help with this paradigm.  Unless 
you are able to filter incoming messages with the intention that all 
incoming messages MUST be signed and reject (or otherwise filter) 
unsigned messages.


(I think we're still talking about how can an intermediate mail server 
be authorized to be part of the SMTP end-to-end mail delivery chain. 
Even if said intermediate mail server is downstream of the sender.)




--
Grant. . . .
unix || die



smime.p7s
Description: S/MIME Cryptographic Signature
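Grant's sketch of bounce handling (standard DSN first, then cheaper heuristics, then hand the rest to the -owner) is easy to express in code. The block below is an added example written for this digest, not code from sympa, mailman or any other MLM mentioned in the thread; both bounce messages are constructed samples, and the `multipart/report` / `message/delivery-status` handling relies on the standard-library `email` package turning each header block of the status part into its own message object.

```python
"""Bounce classification: standard DSN first, heuristic second, -owner last.

Added example, not code from any MLM named in the thread; the sample
bounces below are constructed."""
import re
from email import message_from_bytes
from email.policy import default

# Constructed RFC 3464 delivery status notification (standard DSN)
SAMPLE_DSN = b"""\
From: Mail Delivery System <MAILER-DAEMON@mx.example.net>
To: announce-bounces@lists.example.org
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset=us-ascii

This is the mail system at host mx.example.net. Delivery failed.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; alice@example.com
Action: failed
Status: 5.1.1
Diagnostic-Code: smtp; 550 5.1.1 <alice@example.com>: User unknown

--BOUND--
"""

# Constructed non-standard bounce that only has a prose body
SAMPLE_PROSE = b"""\
From: postmaster@example.net
To: announce-bounces@lists.example.org
Subject: Delivery failure

Your message to bob@example.net could not be delivered:
550 5.1.1 mailbox unavailable
"""

STATUS_RE = re.compile(r"\b([245])\.\d{1,3}\.\d{1,3}\b")   # enhanced status code
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def parse_dsn(msg):
    """Return (recipient, action, status) tuples from a standard DSN, else []."""
    if (msg.get_content_type() != "multipart/report"
            or msg.get_param("report-type") != "delivery-status"):
        return []
    found = []
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status":
            # First header block is per-message (Reporting-MTA), the rest are
            # per-recipient; only the latter carry an Action field.
            for block in part.get_payload():
                if block.get("Action"):
                    recipient = block.get("Final-Recipient", "").split(";", 1)[-1].strip()
                    found.append((recipient, block["Action"].strip().lower(),
                                  block.get("Status", "").strip()))
    return found


def classify_bounce(raw):
    """Classify a raw bounce as ('hard'|'soft'|'unknown', recipient, status)."""
    msg = message_from_bytes(raw, policy=default)
    for recipient, action, status in parse_dsn(msg):      # step 1: standard DSN
        if action == "failed":
            return "hard", recipient, status
        if action == "delayed":
            return "soft", recipient, status
    body = msg.get_body(preferencelist=("plain",))        # step 2: heuristic
    text = body.get_content() if body is not None else ""
    match = STATUS_RE.search(text)
    if match:
        addr = ADDR_RE.search(text)
        kind = "hard" if match.group(1) == "5" else "soft"
        return kind, addr.group(0) if addr else "", match.group(0)
    return "unknown", "", ""          # step 3: forward to the -owner for a human
```

The heuristic step is deliberately crude: the first address it finds in free text may be the list's own address rather than the failing subscriber, which is the kind of imperfection John mentions in the sympa and mailman heuristics, and why the "unknown" outcome still goes to a person.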


Re: aggregate6 - a fast versatile prefix list compressor

2017-11-30 Thread Job Snijders
Someone suggested I should clarify what 'aggregate6' actually does :-)

aggregate6 takes a list of IPv4 and/or IPv6 prefixes in conventional
format, and performs two optimisations to attempt to reduce the length
of the prefix list.

The first optimisation is to remove any supplied prefixes which are
superfluous because they are already included in another supplied
prefix. For example, 2001:67c:208c:10::/64 would be removed if
2001:67c:208c::/48 was also supplied.

The second optimisation identifies adjacent prefixes that can be
combined under a single, shorter-length prefix. For example,
2001:67c:208c::/48 and 2001:67c:208d::/48 can be combined into the
single prefix 2001:67c:208c::/47. As an IPv4 example: 10.0.0.0/24 and
10.0.1.0/24 can be joined into 10.0.0.0/23.

The above two optimisations are useful in the context of firewall rule
generation or generation of BGP prefix-list filters.

Kind regards,

Job


Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread valdis . kletnieks
On Thu, 30 Nov 2017 11:16:09 -0800, Owen DeLong said:
> i.e. rarely do bank robbers sign their names to the robbery note.

An amazing number of them use a deposit slip with their name on it for the note.


pgpLt6XbYQz1w.pgp
Description: PGP signature


aggregate6 - a fast versatile prefix list compressor

2017-11-30 Thread Job Snijders
Dear NANOG,

I re-implemented the venerable 'aggregate' tool (by Joe Abley & co) in
python under the name of 'aggregate6'. The 'aggregate6' tool is faster
and also has IPv6 support.

https://github.com/job/aggregate6

Installation can be done through 'pip', or your operating system's
package manager (if they carry the 'aggregate6' tool). 

$ pip install aggregate6

Example use:

$ echo 10.0.0.0/16 10.0.0.0/24 2000::/4 3000::/4 | aggregate6
10.0.0.0/16
2000::/3

Note that 'aggregate6' can also be imported as module in your own python
project:

>>> from aggregate6 import aggregate
>>> aggregate(["10.0.0.0/8", "10.0.0.0/24"])
['10.0.0.0/8']
>>>

Related to the above example, NTT uses 'aggregate6' as library in their
network automation toolchain to help compress firewall rules.

When using a dump from the IPv4 Default-Free Zone, it appears that
'aggregate6' can deaggregate that list ~ 50 times faster than
'aggregate'. However the tradeoff is that 'aggregate6' uses a bit more
memory.

Aggregate6 has been tested with pypy, python2 and python3; and can be
used both from the command line or as python module. Aggregate6 is
published under the 2-Clause BSD license.

Kind regards,

Job
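The two optimisations Job describes in his follow-up (dropping prefixes already covered by another supplied prefix, then folding aligned neighbours into their parent) can be written in a few lines on top of the standard `ipaddress` module. The block below is an added, from-scratch illustration for this digest, not the aggregate6 code at https://github.com/job/aggregate6; it masks host bits and emits IPv4 before IPv6, both of which are this example's choices rather than documented aggregate6 behaviour.

```python
"""Prefix-list compression with the two optimisations Job describes.

Added example, not the aggregate6 implementation itself."""
import ipaddress


def _drop_covered(nets):
    """Optimisation 1: drop any prefix already contained in another supplied prefix."""
    # Sorting by (address, length) puts a covering prefix before everything it
    # contains, so comparing against the last kept prefix is sufficient.
    ordered = sorted(set(nets), key=lambda n: (n.network_address, n.prefixlen))
    kept = []
    for net in ordered:
        if kept and net.subnet_of(kept[-1]):
            continue
        kept.append(net)
    return kept


def _merge_adjacent(nets):
    """Optimisation 2: fold two aligned neighbours of equal length into their parent."""
    changed = True
    while changed:                 # repeat: two freshly made parents may pair up too
        changed = False
        ordered = sorted(nets, key=lambda n: (n.network_address, n.prefixlen))
        merged, i = [], 0
        while i < len(ordered):
            a = ordered[i]
            if i + 1 < len(ordered):
                b = ordered[i + 1]
                if (a != b and a.prefixlen == b.prefixlen and a.prefixlen > 0
                        and a.supernet() == b.supernet()):
                    merged.append(a.supernet())   # a and b are the two halves of the parent
                    i += 2
                    changed = True
                    continue
            merged.append(a)
            i += 1
        nets = merged
    return nets


def aggregate(prefixes):
    """Return the shortest equivalent prefix list as strings, IPv4 first, then IPv6.

    Host bits are masked (strict=False); the IPv4-then-IPv6 ordering is this
    example's choice."""
    parsed = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    result = []
    for version in (4, 6):
        nets = [n for n in parsed if n.version == version]
        if nets:
            result.extend(str(n) for n in _merge_adjacent(_drop_covered(nets)))
    return result


if __name__ == "__main__":
    # Same input as the command-line example in the announcement above
    print(aggregate(["10.0.0.0/16", "10.0.0.0/24", "2000::/4", "3000::/4"]))
```

For a sanity check, `ipaddress.collapse_addresses()` performs the same collapse for a single address family, so the output of `aggregate()` restricted to one family should match it prefix for prefix.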


Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread Rich Kulawiec
On Thu, Nov 30, 2017 at 10:22:40AM +0100, Bjørn Mork wrote:
> rDNS is not a host attribute, and will therefore tell you exactly
> nothing about the host.

The lack of rDNS disqualifies a system from being a legitimate mail host.
The lack of FCrDNS does the same.  (Note that it's usually prudent to
tempfail some of these cases in order to allow for the circumstance that
something is temporarily wonky with DNS.  Well-run mail services that
are experiencing transient issues will correct those, DNS will once
again be working, and queued mail will eventually make it through.)

The content of rDNS provides additional information, and some of
it's enormously useful: e.g., blah.dynamic.example.com is not a valid
mailhost, and immediate rejection is highly advisable.  Same for
blah.dsl.example.com and blah.unassigned.example.com and many other
patterns.  And of course depending on the expected mix of spam/nonspam
traffic at a particular mail server, there may be no need to accept any
mail traffic from blah.example.TLD for many values of "TLD". [1]

I just checked on a particular mail server that I'm working on, and in
November 2017, 62% of all messages that were rejected were disposed of
thusly because they failed rDNS/DNS-related checks.  (Which includes things
like the above as well as checking HELO, MX validity, etc.)  That means
that roughly 2/3 of the messages didn't need to be checked against a
DNSBL or anything else, reducing the load on valuable shared resources.

rDNS/DNS checks are an efficient, reliable, scalable, first-line MTA
defense -- and they're quite robust in the face of attempts to game them.

---rsk

[1] Or, alternatively, to only accept it at certain MX's designated
for the task -- ones which presumably apply higher scrutiny to such
traffic than would otherwise be employed.  This works for various
geoblocking tactics as well.
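The first-line rDNS/FCrDNS gate the post describes, as an added example
that is not rsk's code nor any particular MTA's. The resolver is injected
and driven by a constructed zone so the block runs offline; in production
you would plug in dnspython or the MTA's own lookups. The generic-name
patterns, and the choice of which cases get a 4xx tempfail and which a 5xx
reject, are assumptions here, not the poster's policy; the addresses come
from documentation ranges.

```python
"""rDNS / FCrDNS gate run before any DNSBL or content scan.  Added example,
not the poster's code: the resolver is injected so the block runs offline
against a constructed zone.  GENERIC_RE and the tempfail-vs-reject choices
are assumptions to be tuned per site."""
import ipaddress
import re
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Verdict(Enum):
    ACCEPT = "accept"      # rDNS sane: go on to HELO, MX, DNSBL and content checks
    TEMPFAIL = "tempfail"  # 4xx: DNS may be transiently broken; a real MTA retries
    REJECT = "reject"      # 5xx: the name itself says "not a mail host"


class DnsError(Exception):
    """SERVFAIL, timeout or similar.  Distinct from NXDOMAIN / empty answer."""


# Labels the post cites as non-mail-host markers plus a few common cousins
# (assumed list).  Anchored on label boundaries so "liverpool" is not "pool".
GENERIC_RE = re.compile(r"(^|[.-])(dynamic|dyn|dsl|cable|pool|unassigned)([.-]|$)", re.I)

# (owner name, rrtype) -> rdata strings; raises DnsError when the lookup fails.
Resolver = Callable[[str, str], List[str]]


def fcrdns_verdict(client_ip: str, resolve: Resolver) -> Tuple[Verdict, str]:
    ip = ipaddress.ip_address(client_ip)
    try:
        ptrs = resolve(ip.reverse_pointer, "PTR")
    except DnsError:
        return Verdict.TEMPFAIL, "PTR lookup failed"
    if not ptrs:
        # No rDNS at all.  Tempfail rather than 5xx so a well-run site whose
        # reverse zone is momentarily broken gets its mail through on retry.
        return Verdict.TEMPFAIL, "no PTR record"

    # Whoever controls the reverse zone can put *any* name in the PTR, even
    # a big mail provider's, so a PTR alone proves nothing.  Only a forward
    # lookup of that name that comes back to the connecting address (FCrDNS)
    # is evidence, which is what makes the check hard to game.
    rrtype = "A" if ip.version == 4 else "AAAA"
    for name in ptrs:
        name = name.rstrip(".").lower()
        if GENERIC_RE.search(name):
            return Verdict.REJECT, f"generic/dynamic rDNS name {name}"
        try:
            forward = resolve(name, rrtype)
        except DnsError:
            return Verdict.TEMPFAIL, f"forward lookup of {name} failed"
        if any(ipaddress.ip_address(a) == ip for a in forward):
            return Verdict.ACCEPT, name
    return Verdict.TEMPFAIL, "PTR name(s) do not resolve back to client (no FCrDNS)"


def make_resolver(zone: Dict[Tuple[str, str], List[str]], failing: Set[str]) -> Resolver:
    """Offline stand-in for a real resolver, driven by a constructed zone."""
    def resolve(name: str, rrtype: str) -> List[str]:
        if name.lower() in failing:
            raise DnsError(name)
        return list(zone.get((name.lower(), rrtype), []))
    return resolve


def _rev(addr: str) -> str:
    return ipaddress.ip_address(addr).reverse_pointer


# Constructed test data in documentation ranges (TEST-NET-1/2, 2001:db8::/32).
SAMPLE_ZONE: Dict[Tuple[str, str], List[str]] = {
    (_rev("192.0.2.10"), "PTR"): ["mx1.example.com."],
    ("mx1.example.com", "A"): ["192.0.2.10"],
    (_rev("192.0.2.20"), "PTR"): ["host-20.dynamic.example.net."],
    (_rev("192.0.2.40"), "PTR"): ["mail.example.org."],   # spoofed PTR: the
    ("mail.example.org", "A"): ["198.51.100.5"],          # forward disagrees
    (_rev("2001:db8::25"), "PTR"): ["mx2.example.com."],
    ("mx2.example.com", "AAAA"): ["2001:db8::25"],
}
SAMPLE_FAILING = {_rev("192.0.2.50")}   # reverse zone answers SERVFAIL
resolve = make_resolver(SAMPLE_ZONE, SAMPLE_FAILING)


def classify_all(clients: List[str]) -> Dict[str, Verdict]:
    return {c: fcrdns_verdict(c, resolve)[0] for c in clients}


if __name__ == "__main__":
    for c in ["192.0.2.10", "192.0.2.20", "192.0.2.30",
              "192.0.2.40", "192.0.2.50", "2001:db8::25"]:
        print(c, *fcrdns_verdict(c, resolve))
```

Run stand-alone it prints one verdict per constructed client: the two
real mail hosts (v4 and v6) pass, the dynamic-pool name is rejected
outright, and the missing-PTR, spoofed-PTR and SERVFAIL cases are all
tempfailed so that a legitimate sender with a transient DNS problem gets
another chance, exactly the distinction the post draws.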


Re: Arista Layer3

2017-11-30 Thread joel jaeggli
On 11/30/17 11:17, Ken Chase wrote:
> Back to this discussion! :) Arista as a viable full-table PE router. Was
> hoping for better experience reports since last mention.
>
> To make the Q bit more general, are there any PE routers yet that can handle
> 3-8 full feeds and use an amp and 1U or so instead of 5 and 4U? Or we're into
> whitebox/open routers still for that (bird/openbgp?) or MikroTiks?

Arista DCS-7280SRA-48C6 is a 1RU box.

Has a nominally million-route FIB, Jericho+, 8GB of packet buffer. The
control plane is 8GB of RAM and an AMD GX-424CC SoC, which is 4 cores at
2.4GHz. We do direct FIB injection with bird rather than the Arista bgpd,
but the control plane is capable of managing quite a few BGP sessions.

The 1/2RU 7280CR2K-30 and -60 are 2M-route FIB boxes with still heftier
control planes, but they're a different class of box, being all 100G and
requiring multi-chip/internal fabrics.
> /kc
>
> On Thu, Nov 30, 2017 at 10:45:09AM -0800, Tyler Conrad said:
>   >For Enterprise/DC, it works great. For service provider, they're not 100%
>   >yet. The main issue is going to be around VRFs, as there's no interaction
>   >between them (at least in the code version I'm on, that may have changed
>   >recently or be changing soon). They'll work great as a P-Router, but if you
>   >need a PE with route leaking I'd look at another vendor.
>   >
>   >I use a couple pairs of 7280SRs as edge routers/border leaves. Multiple
>   >full table feeds without any issue.
>   >
>   >On Thu, Nov 30, 2017 at 10:36 AM, Romeo Czumbil wrote:
>   >
>   >> So I've been using Arista as layer2 for quite some time, and I'm pretty
>   >> happy with them.
>   >> Kicking the idea around to turn on some Layer3 features but I've been
>   >> hearing some negative feedback.
>   >> The people that I did hear negative feedback don't use Arista themselves.
>   >> (they just heard)
>   >>
>   >> So do we have any Arista L3 people out here that can share some negatives
>   >> or positives?
>   >>
>   >> Use case: Just some MPLS IPv4/IPv6 routing, l2vpn OSPF/BGP
>   >> Maybe 20k routes (no full internet routes)
>   >> 7050 Series
>   >> 7280 Series
>   >>
>   >> -Romeo
>   >>
>






Re: Arista Layer3

2017-11-30 Thread Ken Chase
Thx. Rather steer clear of MikroTik for now however.

Guess I shoulda mentioned a baseline 10G capability at least on 4 SFP+ ports
(I know there's some 2-port MikroTiks too). Everyone's got gig-to-the-home now,
I can't see how anyone plans 1G PE builds anymore. They'll be obsolete by the
time they're plugged in (10G for any medium-sized op is almost obsolete
already.)

/kc


On Thu, Nov 30, 2017 at 02:32:14PM -0500, Jared Mauch said:
  >
  >
  >> On Nov 30, 2017, at 2:17 PM, Ken Chase wrote:
  >> 
  >> Back to this discussion! :) Arista as a viable full-table PE router. Was
  >> hoping for better experience reports since last mention.
  >> 
  >> To make the Q bit more general, are there any PE routers yet that can
  >> handle 3-8 full feeds and use an amp and 1U or so instead of 5 and 4U? Or
  >> we're into whitebox/open routers still for that (bird/openbgp?) or MikroTiks?
  >
  >The 7280 is likely what you're looking at.  Lots of folks also use
  >MikroTik as well if the traffic is in the 1G range or so.
  >
  >I for one use Arista for Layer3 for FTTH purposes as it gives me good
  >software/hardware support for my features.
  >
  >- Jared



Re: Arista Layer3

2017-11-30 Thread Fredrik Korsbäck

On 2017-11-30 19:36, Romeo Czumbil wrote:

> So I've been using Arista as layer2 for quite some time, and I'm pretty happy
> with them.
> Kicking the idea around to turn on some Layer3 features but I've been hearing
> some negative feedback.
> The people that I did hear negative feedback don't use Arista themselves. (they
> just heard)
>
> So do we have any Arista L3 people out here that can share some negatives or
> positives?
>
> Use case: Just some MPLS IPv4/IPv6 routing, l2vpn OSPF/BGP
> Maybe 20k routes (no full internet routes)
> 7050 Series
> 7280 Series
>
> -Romeo



I have a whole bunch of 7280SR in production, acting as peering-aggregators
to easily be able to scale out PNIs to the CDN/Clouds (where you sometimes
need to add 10G of capacity per PoP per month).

They work just fine. Simple PE-functions, a few hundred BGP-peers in each,
full tables, as-path filtering (150k lines of config), route-maps and
sub-route-maps. It is certainly not as flexible and easy to work with as,
for example, an MX-router. But on the other hand you get 1Tbit worth of
ports for the same price as a 16x10G MX-card.

L3VPN and RSVP-TE, which could be major things you need, are coming to EOS
"soon", February I think.

The boxes that are coming out here in Q1 (some even out) with Jericho+ and
Jericho2 chipsets should be even better, with even more tables that should
suffice for quite some time; the 1mil limit on 7280SR can be borderline,
especially when you mix in L3VPN whenever that's coming.

Huawei (ce6870) and Cisco (ncs5500) are also selling the same boxes, and
rumours on the streets are that Juniper will also release a Jericho-based
PE-box.

Also Juniper has picked up a lot of slack recently with the release of MX204,
which seems, for what it's worth, to be a really good contender in the "small
but modern router" market, which has been grossly overlooked by many vendors
for quite some time.

Not sure where Cisco really is with the 9901, which at least looked really
good on the CLUS presentations.

--
hugge





Re: Arista Layer3

2017-11-30 Thread Jared Mauch


> On Nov 30, 2017, at 2:17 PM, Ken Chase wrote:
> 
> Back to this discussion! :) Arista as a viable full-table PE router. Was
> hoping for better experience reports since last mention.
> 
> To make the Q bit more general, are there any PE routers yet that can handle
> 3-8 full feeds and use an amp and 1U or so instead of 5 and 4U? Or we're into
> whitebox/open routers still for that (bird/openbgp?) or MikroTiks?

The 7280 is likely what you’re looking at.  Lots of folks also use MikroTik as
well if the traffic is in the 1G range or so.

I for one use Arista for Layer3 for FTTH purposes as it gives me good
software/hardware support for my features.

- Jared

Re: Arista Layer3

2017-11-30 Thread Ken Chase
Back to this discussion! :) Arista as a viable full-table PE router. Was hoping
for better experience reports since last mention.

To make the Q bit more general, are there any PE routers yet that can handle 3-8
full feeds and use an amp and 1U or so instead of 5 and 4U? Or we're into
whitebox/open routers still for that (bird/openbgp?) or MikroTiks?

/kc

On Thu, Nov 30, 2017 at 10:45:09AM -0800, Tyler Conrad said:
  >For Enterprise/DC, it works great. For service provider, they're not 100%
  >yet. The main issue is going to be around VRFs, as there's no interaction
  >between them (at least in the code version I'm on, that may have changed
  >recently or be changing soon). They'll work great as a P-Router, but if you
  >need a PE with route leaking I'd look at another vendor.
  >
  >I use a couple pairs of 7280SRs as edge routers/border leaves. Multiple
  >full table feeds without any issue.
  >
  >On Thu, Nov 30, 2017 at 10:36 AM, Romeo Czumbil wrote:
  >
  >> So I've been using Arista as layer2 for quite some time, and I'm pretty
  >> happy with them.
  >> Kicking the idea around to turn on some Layer3 features but I've been
  >> hearing some negative feedback.
  >> The people that I did hear negative feedback don't use Arista themselves.
  >> (they just heard)
  >>
  >> So do we have any Arista L3 people out here that can share some negatives
  >> or positives?
  >>
  >> Use case: Just some MPLS IPv4/IPv6 routing, l2vpn OSPF/BGP
  >> Maybe 20k routes (no full internet routes)
  >> 7050 Series
  >> 7280 Series
  >>
  >> -Romeo
  >>

-- 
Ken Chase - m...@sizone.org Guelph Canada


Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread Owen DeLong

> On Nov 30, 2017, at 10:28 , John Levine  wrote:
> 
> In article  you write:
>>> Or, for a more empirical way to look at it, there's reasonable correlation
>>> between having missing, generic or incorrect reverse DNS and the host
>>> being a source of unwanted or malicious email.
>> 
>> I’m not so sure about that.
> 
> It's a one way correlation.  If the rDNS is busted, you can be pretty
> sure you don't want the mail.  If the rDNS is OK, you need more clues.

Pretty sure, but far from certain.

Even this one-way correlation is rather tenuous. It’s mostly harmless because
everyone knows that mail servers are filtering on this basis and legitimate
senders therefore force themselves into workarounds.

In an ideal world, I wouldn’t mind accepting email from Bj0rn’s laptop directly,
but today, the price of doing so in SPAM is just too high, so I don’t.

Fortunately for everyone’s sake, Bj0rn, while he may not like it, seems to find
a way to send his email via some mechanism that allows me to receive it from
a  host that has working rDNS.

>> Unfortunately, until we get widespread deployment of something better than 
>> IP reputation based
>> systems, ...
> 
> You might take a look at how current spam filters work.  Spamassassin
> is as good an example as any.  It does dynamic weighted scoring of a
> lot of factors, of which IP reputation is only one.  I find that I can
> use conservatively run IP blacklists as a cheap prepass to avoid
> sending the mail to spamassassin at all, but there's a lot more than
> IP by the time the mail does or does not get delivered.  DKIM is
> useful if you have opinions about the reputations of the signing domains,
> not purely by whether there's a signature.

Spamassassin is as good an example as any and while it can be effective if
you’ve got the cycles to keep it constantly updated and fed with new
information and…, it’s a rather large PITA for a small site with an admin
that needs to count on most things running on autopilot most of the time in
order to survive.

So, while it might be a higher-quality solution, I’d argue that it’s not
completely “better” in that any autopilotable configuration of it involves a
high degree of false negatives or an unacceptable level of false positives.

>> Perhaps this is simply the inherent cost of maintaining an open
>> communications infrastructure with a low barrier to entry and the
>> potential for anonymous communications which I believe has value to
>> society and should be preserved. Perhaps someone smarter than I will some
>> day develop a better solution.
> 
> It seems to be an axiom that any community large enough to be
> interesting is large enough to contain people who are malicious, so
> even requiring that people be identified won't help.

People who want to be malicious are usually less willing to do so if they know
that they will be identified, so actually, it does help.

i.e. rarely do bank robbers sign their names to the robbery note.

Owen



Re: WiFi - login page redirection not working

2017-11-30 Thread Owen DeLong

> On Nov 30, 2017, at 10:15 , William Herrin wrote:
> 
> On Thu, Nov 30, 2017 at 1:08 PM, Owen DeLong wrote
> > On Nov 30, 2017, at 08:20 , Josh Luthman wrote:
> >
> >> If TLS  would somehow allow you to redirect...
> >
> > No but it would be nice to have a solution that redirects the user instead
> > of "this page can't load" creating confusion.
> 
> A well-known non-SSL (non-HSTS) URL that users could use for this purpose
> would serve the same purpose without producing the security problems
> mentioned.
> 
> A well known SSL certificate that if it appears during negotiation means the
> application should "check for captive portal.”

This would require modification of all clients and I see no advantage to it
vs. a well known locally resolvable URL for captive portals that “MUST NOT”
indicate HSTS.

Please explain.

Owen



Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread John Levine
In article  you write:
>> Without something like VERP to encode the original recipient in the return 
>> address, the percentage of bounces your list successfully processes each 
>> month will slowly but steadily decline.
>
>I think it's entirely possible to teach MLMs about the most common forms 
>of bounces (DSNs).  But it will quickly get into a game of diminishing 
>returns.  Especially if the bounce (because it's not going to be the 
>well known DNS format) goes out of its way to hide something.  In that 
>case, the only thing that you could count on (that I'm aware of) is 
>something like VERP.

If you look at the bounce handling in packages like sympa and mailman,
they have lots of heuristics to try to figure out what bounces mean.
They work OK but I agree they are far from perfect.

>  -  I think that SPF and DKIM-ATPS can (at least partially) address the 
>latter.  With the latter assuming some sort of established business 
>relationship between the originating and intermediary parties.

It's a rathole, it doesn't scale, and it is not a bug that you can
send mail to people who you don't already know.  If identities were a
magic bullet, we'd all be signing with S/MIME.

R's,
John


Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread John Levine
In article  you write:
>> Or, for a more empirical way to look at it, there's reasonable correlation
>> between having missing, generic or incorrect reverse DNS and the host
>> being a source of unwanted or malicious email.
>
>I’m not so sure about that.

It's a one way correlation.  If the rDNS is busted, you can be pretty
sure you don't want the mail.  If the rDNS is OK, you need more clues.

>Unfortunately, until we get widespread deployment of something better than IP 
>reputation based
>systems, ...

You might take a look at how current spam filters work.  Spamassassin
is as good an example as any.  It does dynamic weighted scoring of a
lot of factors, of which IP reputation is only one.  I find that I can
use conservatively run IP blacklists as a cheap prepass to avoid
sending the mail to spamassassin at all, but there's a lot more than
IP by the time the mail does or does not get delivered.  DKIM is
useful if you have opinions about the reputations of the signing domains,
not purely by whether there's a signature.

>Perhaps this is simply the inherent cost of maintaining an open communications 
>infrastructure with
>a low barrier to entry and the potential for anonymous communications which I 
>believe has value
>to society and should be preserved. Perhaps someone smarter than I will some 
>day develop a better
>solution.

It seems to be an axiom that any community large enough to be
interesting is large enough to contain people who are malicious, so
even requiring that people be identified won't help.

R's,
John


Re: Arista Layer3

2017-11-30 Thread Tyler Conrad
For Enterprise/DC, it works great. For service provider, they're not 100%
yet. The main issue is going to be around VRFs, as there's no interaction
between them (at least in the code version I'm on, that may have changed
recently or be changing soon). They'll work great as a P-Router, but if you
need a PE with route leaking I'd look at another vendor.

I use a couple pairs of 7280SRs as edge routers/border leaves. Multiple
full table feeds without any issue.

On Thu, Nov 30, 2017 at 10:36 AM, Romeo Czumbil  wrote:

> So I've been using Arista as layer2 for quite some time, and I'm pretty
> happy with them.
> Kicking the idea around to turn on some Layer3 features but I've been
> hearing some negative feedback.
> The people that I did hear negative feedback don't use Arista themselves.
> (they just heard)
>
> So do we have any Arista L3 people out here that can share some negatives
> or positives?
>
> Use case: Just some MPLS IPv4/IPv6 routing, l2vpn OSPF/BGP
> Maybe 20k routes (no full internet routes)
> 7050 Series
> 7280 Series
>
> -Romeo
>


Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread Grant Taylor via NANOG

On 11/30/2017 01:53 AM, Benoit Panizzon wrote:
> DKIM is not widely used and DKIM does break a lot of mailinglists and
> sometimes also SRS compliant forwarding.

How does DKIM break SRS compliant forwarding?  (Assuming that only the
message envelope is modified.)


Or are you referring to DMARC's interactions therein?



--
Grant. . . .
unix || die





Arista Layer3

2017-11-30 Thread Romeo Czumbil
So I've been using Arista as layer2 for quite some time, and I'm pretty happy 
with them.
Kicking the idea around to turn on some Layer3 features but I've been hearing 
some negative feedback.
The people that I did hear negative feedback don't use Arista themselves. (they 
just heard)

So do we have any Arista L3 people out here that can share some negatives or 
positives?

Use case: Just some MPLS IPv4/IPv6 routing, l2vpn OSPF/BGP
Maybe 20k routes (no full internet routes)
7050 Series
7280 Series

-Romeo


Re: WiFi - login page redirection not working

2017-11-30 Thread William Herrin
On Thu, Nov 30, 2017 at 1:08 PM, Owen DeLong wrote

> > On Nov 30, 2017, at 08:20 , Josh Luthman wrote:
> >
> >> If TLS  would somehow allow you to redirect...
> >
> > No but it would be nice to have a solution that redirects the user
> > instead of "this page can't load" creating confusion.
>
> A well-known non-SSL (non-HSTS) URL that users could use for this purpose
> would serve the same purpose without producing the security problems
> mentioned.


A well known SSL certificate that if it appears during negotiation means
the application should "check for captive portal."




-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: WiFi - login page redirection not working

2017-11-30 Thread Owen DeLong

> On Nov 30, 2017, at 08:20 , Josh Luthman wrote:
> 
>> If TLS  would somehow allow you to redirect...
> 
> No but it would be nice to have a solution that redirects the user instead
> of "this page can't load" creating confusion.

A well-known non-SSL (non-HSTS) URL that users could use for this purpose
would serve the same purpose without producing the security problems
mentioned.

Owen

> 
> 
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
> 
> On Thu, Nov 30, 2017 at 2:02 AM, Jimmy Hess wrote:
> 
>> On Wed, Nov 29, 2017 at 10:34 PM, Ramy Hashish wrote:
>> 
>> 
>>> Two points with this problem: 1)Is there a "non client" solution to the
>>> problem of the WiFi login notification not showing up on the clients
>>> after connecting to the WiFi network?
>>> 
>> 
>> A  Captive portal  embedding WispR  XML data
>> for connections from browsers/OSes that request a test page upon network
>> access.
>> https://stackoverflow.com/questions/3615147/how-to-create-wifi-popup-login-page
>> 
>> However if WPA2 authentication is not the method used for access,  then
>> network traffic is vulnerable and not secured.
>> 
>> AP solutions that are non-standard being a "Non client" solution and using
>> "Open Wireless" mode SSIDs are likely so deficient in security as to be
>> an unreasonable risk for users to actually connect to.
>> 
>> 
>>> Second, anything to be done from the AP to show the landing page even if
>>> the page requested is HTTPs?
>>> 
>> 
>> If TLS  would somehow allow you to redirect or create an HTTPS connection
>> from a domain name that is not yours, then this could obviously be
>> exploited for attacks.
>> 
>> --
>> -JH
>> 
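
The probe the thread converges on (a well-known plain-HTTP URL that never
sets HSTS, fetched by the OS or browser to see whether something in the path
answers instead of the real server), as an added example that is not code
from the thread or from any vendor's connectivity check. PROBE_URL, the
expected 204 reply and the sample responses are all constructed; the parser
works on raw bytes so the block runs offline, where a real client would
read them from a TCP socket to the probe host on port 80.

```python
"""Captive-portal probe: fetch a well-known plain-HTTP URL whose server never
sends HSTS, then decide from the reply whether the path intercepted it.
Added example, not code from the thread; PROBE_URL, EXPECTED_* and SAMPLES
are constructed."""
from enum import Enum
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit


class State(Enum):
    ONLINE = "online"            # the genuine probe reply came back
    CAPTIVE = "captive-portal"   # something else answered on port 80
    OFFLINE = "no-connectivity"  # nothing usable came back at all


PROBE_URL = "http://connectivity-check.example.net/probe"  # assumed probe URL
EXPECTED_STATUS = 204   # assumed: the real probe server answers 204 No Content
EXPECTED_BODY = b""


def probe_request(url: str = PROBE_URL) -> bytes:
    """Build the HTTP/1.1 probe.  Plain http only: a TLS handshake to an
    intercepting portal dies on the certificate instead of redirecting, and
    a name with HSTS cached would make a browser upgrade to https silently."""
    u = urlsplit(url)
    if u.scheme != "http":
        raise ValueError("captive-portal probe must use plain http://")
    return (f"GET {u.path or '/'} HTTP/1.1\r\nHost: {u.hostname}\r\n"
            f"Connection: close\r\nCache-Control: no-cache\r\n\r\n").encode()


def parse_response(raw: bytes) -> Optional[Tuple[int, Dict[str, str], bytes]]:
    """Minimal HTTP/1.x response parser -> (status, lowercased headers, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body


def classify(raw: Optional[bytes]) -> Tuple[State, str]:
    """Decide what answered the probe."""
    if not raw:
        return State.OFFLINE, "no response"
    parsed = parse_response(raw)
    if parsed is None:
        return State.OFFLINE, "unparseable reply"
    status, headers, body = parsed
    if 300 <= status < 400 and "location" in headers:
        # The classic portal: 302 to its login page.  This is exactly what an
        # https:// request can never get, because the portal cannot present a
        # valid certificate for the name the client asked for.
        return State.CAPTIVE, headers["location"]
    if status == EXPECTED_STATUS and body == EXPECTED_BODY:
        if "strict-transport-security" in headers:
            # A probe host must never do this: clients would start upgrading
            # the probe to https and it would stop working behind portals.
            return State.ONLINE, "warning: probe host sent HSTS"
        return State.ONLINE, "expected reply"
    # 200 with an HTML login page, 511 Network Authentication Required, etc.
    return State.CAPTIVE, f"unexpected {status} reply"


# Constructed sample replies to the probe.
SAMPLES: Dict[str, bytes] = {
    "genuine": b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n",
    "redirect": (b"HTTP/1.1 302 Found\r\n"
                 b"Location: http://10.0.0.1/login?orig=connectivity-check.example.net\r\n"
                 b"Content-Length: 0\r\n\r\n"),
    "intercepted": (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                    b"<html>Welcome to the hotspot, please log in</html>"),
    "rfc6585": b"HTTP/1.1 511 Network Authentication Required\r\n\r\n<html>login</html>",
    "garbage": b"\x16\x03\x01\x00\xa5 not http",
    "nothing": b"",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:12} -> {classify(raw)}")
```

The design choice worth noting is the asymmetry: a 3xx with a Location is
reported as a portal and the login URL handed back for display, while a 204
that arrives with a Strict-Transport-Security header is still "online" but
flagged, because an HSTS-carrying probe host is the failure mode Owen's
"MUST NOT indicate HSTS" rule exists to prevent.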



Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread Owen DeLong

> On Nov 30, 2017, at 09:55 , Bjørn Mork  wrote:
> 
> Steve Atkins  writes:
> 
>>> On Nov 30, 2017, at 1:22 AM, Bjørn Mork  wrote:
>>> 
>>> "John Levine"  writes:
>>> 
>>>> Broken rDNS is just broken, since there's approximately no reason ever
>>>> to send from a host that doesn't know its own name.
>>> 
>>> rDNS is not a host attribute, and will therefore tell you exactly
>>> nothing about the host.
>> 
>> It tells you something about the competence of the operator and
>> whether the host is intended by the owners to send email.
> 
> No.  It only tells you something about the administrative split between
> IP address management and host management.
> 
> There is no way my laptop is going to be able to update the rDNS for all
> addresses it will use in different networks.  This does in no way affect
> its MTA configuration.

Perhaps a better way to word it is “It tells us something about whether the
machine is likely to possess properties which make it generally undesirable
for us to accept messages from it directly.”

I, for one, have no interest in accepting messages into my mail server directly
from your laptop, even if they are legitimately from you to me. I’m perfectly
happy to insist that you go via an MTA hosted in a more permanent location on
your side first in order to avoid receiving messages directly from the much
larger quantity of incompetently administered mailservers, many of which I
suspect are not intended by their owners (distinct from their pwn3rs) to be
mail servers at all.

>> Or, for a more empirical way to look at it, there's reasonable correlation
>> between having missing, generic or incorrect reverse DNS and the host
>> being a source of unwanted or malicious email.
> 
> Really?  Where did you get those numbers?  This is a myth.  Spam sources
> are average Internet hosts.  The split between working and non-working
> rDNS is mostly between IPv4 and IPv6, not between ham and spam.  And if
> there is some correlation there, then I'd say that an IPv4 host is more
> likely to be a spam source than a dual stack or IPv6 only host.

Really? Most of my hosts have working rDNS for both v4 and v6.

As to an IPv4 host being a more likely source of SPAM, I’m not convinced about
that either, given the amount of SPAM that hits my mailserver via IPv6.

Owen



Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread Owen DeLong

> On Nov 30, 2017, at 09:03 , Steve Atkins  wrote:
> 
> 
>> On Nov 30, 2017, at 1:22 AM, Bjørn Mork  wrote:
>> 
>> "John Levine"  writes:
>> 
>>> Broken rDNS is just broken, since there's approximately no reason ever
>>> to send from a host that doesn't know its own name.
>> 
>> rDNS is not a host attribute, and will therefore tell you exactly
>> nothing about the host.
> 
> It tells you something about the competence of the operator and
> whether the host is intended by the owners to send email.
> 
> Or, for a more empirical way to look at it, there's reasonable correlation
> between having missing, generic or incorrect reverse DNS and the host
> being a source of unwanted or malicious email.

I’m not so sure about that.

Lots of hosts that send unwanted/malicious email have missing, generic, or
obviously incorrect rDNS.
Lots of hosts that send unwanted/malicious email have valid non-generic
possibly correct rDNS.

I don’t accept email from the former, but I still get plenty of SPAM from the
latter.

Unfortunately, until we get widespread deployment of something better than IP
reputation based systems, SPAM continues to be a low-cost to the sender side
with a high burden on the delivery side and therefore remains a very
profitable industry.

DKIM certainly could help (though I’m not convinced it’s a 100% effective
solution, nor am I particularly convinced we’ve found any particularly
effective solutions as yet).

Perhaps this is simply the inherent cost of maintaining an open communications
infrastructure with a low barrier to entry and the potential for anonymous
communications which I believe has value to society and should be preserved.
Perhaps someone smarter than I will some day develop a better solution.

Owen



Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread Bjørn Mork
Steve Atkins  writes:

>> On Nov 30, 2017, at 1:22 AM, Bjørn Mork  wrote:
>> 
>> "John Levine"  writes:
>> 
>>> Broken rDNS is just broken, since there's approximately no reason ever
>>> to send from a host that doesn't know its own name.
>> 
>> rDNS is not a host attribute, and will therefore tell you exactly
>> nothing about the host.
>
> It tells you something about the competence of the operator and
> whether the host is intended by the owners to send email.

No.  It only tells you something about the administrative split between
IP address management and host management.

There is no way my laptop is going to be able to update the rDNS for all
addresses it will use in different networks.  This does in no way affect
its MTA configuration.

> Or, for a more empirical way to look at it, there's reasonable correlation
> between having missing, generic or incorrect reverse DNS and the host
> being a source of unwanted or malicious email.

Really?  Where did you get those numbers?  This is a myth.  Spam sources
are average Internet hosts.  The split between working and non-working
rDNS is mostly between IPv4 and IPv6, not between ham and spam.  And if
there is some correlation there, then I'd say that an IPv4 host is more
likely to be a spam source than a dual stack or IPv6 only host.



Bjørn


Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread Steve Atkins

> On Nov 30, 2017, at 1:22 AM, Bjørn Mork  wrote:
> 
> "John Levine"  writes:
> 
>> Broken rDNS is just broken, since there's approximately no reason ever
>> to send from a host that doesn't know its own name.
> 
> rDNS is not a host attribute, and will therefore tell you exactly
> nothing about the host.

It tells you something about the competence of the operator and
whether the host is intended by the owners to send email.

Or, for a more empirical way to look at it, there's reasonable correlation
between having missing, generic or incorrect reverse DNS and the host
being a source of unwanted or malicious email.

Cheers,
  Steve



Re: WiFi - login page redirection not working

2017-11-30 Thread Josh Luthman
>If TLS  would somehow allow you to redirect...

No but it would be nice to have a solution that redirects the user instead
of "this page can't load" creating confusion.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Thu, Nov 30, 2017 at 2:02 AM, Jimmy Hess wrote:

> On Wed, Nov 29, 2017 at 10:34 PM, Ramy Hashish wrote:
>
>
> > Two points with this problem: 1)Is there a "non client" solution to the
> > problem of the WiFi login notification not showing up on the clients
> > after connecting to the WiFi network?
> >
>
> A  Captive portal  embedding WispR  XML data
> for connections from browsers/OSes that request a test page upon network
> access.
> https://stackoverflow.com/questions/3615147/how-to-create-wifi-popup-login-page
>
> However if WPA2 authentication is not the method used for access,  then
> network traffic is vulnerable and not secured.
>
> AP solutions that are non-standard being a "Non client" solution and using
> "Open Wireless" mode SSIDs are likely so deficient in security as to be
> an unreasonable risk for users to actually connect to.
>
>
> > Second, anything to be done from the AP to show the landing page even if
> > the page requested is HTTPs?
> >
>
> If TLS  would somehow allow you to redirect or create an HTTPS connection
> from a domain name that is not yours, then this could obviously be
> exploited for attacks.
>
> --
> -JH
>


Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread Bjørn Mork
"John Levine"  writes:

> Broken rDNS is just broken, since there's approximately no reason ever
> to send from a host that doesn't know its own name.

rDNS is not a host attribute, and will therefore tell you exactly
nothing about the host.


Bjørn



Re: Incoming SMTP in the year 2017 and absence of DKIM

2017-11-30 Thread Benoit Panizzon
Hi

> For those who operate public facing SMTPd that receive a large volume
> of incoming traffic, and accordingly, a lot of spam...
> 
> How much weight do you put on an incoming message, in terms of adding
> additional score towards a possible value of spam, for total absence
> of DKIM signature?

No DKIM = not scored.

DKIM is not widely used and DKIM does break a lot of mailinglists and
sometimes also SRS compliant forwarding.

We do score some points if a DKIM header with invalid signature is
present.

-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Leiter Commerce Kunden
__

Zurlindenstrasse 29        Tel  +41 61 826 93 00
CH-4133 Pratteln           Fax  +41 61 826 93 01
Schweiz                    Web  http://www.imp.ch
__