RE: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Naslund, Steve
That is about like saying email from you is the authoritative source of truth 
about you unless your account is hacked.  Sorry but in the real business 
world we give long standing customers the benefit of the doubt.  We all make 
judgments every day in our real lives about who we believe and who we don't 
believe.  It is not rare to know who the original contact for your customer is 
if you have any kind of provisioning records at all.  Nothing is automatic or a 
set procedure in this circumstance.  It's about like proving a false credit 
card charge...does the claim make sense or not.  At the end of the day the RIR 
has to determine who owns the account.  Right now, this minute you have to make 
the call based on incomplete information about what is best for your business, 
your customer, the Internet community, and your professional reputation.

Steven Naslund
Chicago IL




>-Original Message-
>From: Jimmy Hess [mailto:mysi...@gmail.com] 
>Sent: Tuesday, March 13, 2018 5:11 PM
>To: Naslund, Steve
>Cc: nanog@nanog.org
>Subject: Re: Proof of ownership; when someone demands you remove a prefix
>
>I would consider that the RIR WHOIS records are currently the network's 
>authoritative source of truth about  IP number management.
>
>For 99% of situations there's no such proper thing as "delaying addressing 
>abuse"
>so someone claims they can go dispute the RIR record.   The rare exception
>would be  you have  documented  the original contacts and LOAs,  and a 
>stranger who is a new WHOIS POC sends a request that you disrupt what has now 
>been a long-established operational network,  and  your customer is 
>objecting/claiming the WHOIS record has been hijacked.


Re: Spiffy Netflow tools?

2018-03-13 Thread Chase Christian
 +1 for ElastiFlow. Couldn't be easier to set up and run. Logstash has
native support for netflow and sflow now via codecs. Kibana is an
easy-to-use dashboard. I trimmed out a bunch of stuff in the ElastiFlow
config that assumed a unidirectional network (like a corporate site).

On Tue, Mar 13, 2018 at 8:48 AM, Luke Guillory 
wrote:

> There is also https://github.com/robcowart/elastiflow which uses the ELK
> stack.
>
>
>
>
>
> Luke Guillory
> Vice President – Technology and Innovation
>
> Tel:985.536.1212
> Fax:985.536.0300
> Email:  lguill...@reservetele.com
>
> Reserve Telecommunications
> 100 RTC Dr
> Reserve, LA 70084
>
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Hugo Slabbert
> Sent: Tuesday, March 13, 2018 10:44 AM
> To: Fredrik Korsbäck
> Cc: nanog@nanog.org
> Subject: Re: Spiffy Netflow tools?
>
>
> On Tue 2018-Mar-13 00:50:26 +0100, Fredrik Korsbäck 
> wrote:
> >
> >Kentik is probably top of the foodchain right now.
> >
> >But they are certainly not alone in the biz. Ontop of my head...
> >
> >* Flowmon
> >* Talaia
> >* Arbor Peakflow
> >* Deepfield
> >* Pmacct + supporting toolkit
> >* NFsen/Nfdump/AS-stats
> >* Put kibana/ES infront of any collector
>
> Logstash has a netflow plugin as of 5.x or something
> (https://www.elastic.co/guide/en/logstash/current/netflow-module.html) to
> act as a collector.
>
> A walkthrough:
> http://www.routereflector.com/2017/07/elk-as-a-free-netflow-
> ipfix-collector-and-visualizer/
>
> Using the logstash module setup thing adds a whole bunch of pretty netflow
> graphs and visualizations and such into Kibana for you.
>
> Caveat:
> Supports netflow v5 and v9, but does not indicate support for IPFIX
> explicitly.  It definitely does not support sFlow, though if you really
> want you can stick sflowtool in front of it to translate sFlow->netflow,
> e.g. http://blog.sflow.com/2011/12/sflowtool.html.
>
> >* Solarwinds something something
> >* Different vendor toolkits
> >
> >--
> >hugge
>
> --
> Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
> pgp key: B178313E   | also on Signal
>


Re: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Jimmy Hess
On Tue, Mar 13, 2018 at 1:58 PM, Naslund, Steve  wrote:

I would consider that the RIR WHOIS records are currently the network's
authoritative source of truth about IP number management.

For 99% of situations there's no such proper thing as "delaying addressing
abuse" so someone claims they can go dispute the RIR record.  The rare
exception would be you have documented the original contacts and LOAs, and a
stranger who is a new WHOIS POC sends a request that you disrupt what has now
been a long-established operational network, and your customer is
objecting/claiming the WHOIS record has been hijacked.

In that case: avoid disrupting the long-established announcement: to allow the
customer 5 to 10 days to get it fixed with the RIR or show you a court order
against the false WHOIS contacts.

If you started announcing a newly setup prefix, and it immediately resulted in
a phone call or e-mail within a few weeks from the resource holder
organization's RIR-listed WHOIS contact, then obviously corrective actions are
in order to pull that announcement quickly, after confirming with the org.
listed in WHOIS.

That would mean your new announcement is credibly reported as abuse, AND
"claim of dispute in progress with the RIR" does not hold water as any kind of
basis to continue your AS causing harm to this resource holder.

I would not blame a legitimate WHOIS contact for immediately escalating to
upstreams and ARIN for emergency assistance: if they don't receive an
adequate resolution and removal of the rogue announcement within 15 minutes
or so...

While ARIN cannot do anything about the routing issues; they might be able to
confirm the history of the resource.  The rogue announcement might include the
IP space of 1 or more DNS or SMTP servers related to one or more domain names
that are also listed WHOIS e-mail contacts.

You know, because ARIN stopped supporting using PGP/GPG keys with POCs and
digitally signed e-mail templates to formally authorize modifications:

"Wait while we dispute with the RIR" could very well truly mean:

"Please wait while we try to use our rogue IP space announcement to quickly
setup some fake SMTP servers on hijacked IPs while we gear up our spamming
campaign to maximum effectiveness and misuse ARIN's single-factor email-based
password recovery process to fraudulently gain account access and modify
resource WHOIS POC details to make it look more like we're the plausible
resource holder."


> The fact that it is a newer customer would make me talk to the RIR direct and 
> verify
> that a dispute is really in progress.
[snip]
> Steven Naslund
> Chicago IL
--
-JH


Re: IPv4 smaller than /24 leasing?

2018-03-13 Thread Lee Howard

ARIN's fee for a /24 is $250 https://www.arin.net/fees/fee_schedule.html

That's about 1/15th of the price of a /24 on the market.

Of course, they don't have any /24s.

Unless, of course, you're deploying IPv6 and just need the /24 for your 
NAT64 box, DS-Lite AFTR, or MAP-T BR. 
https://www.arin.net/policy/nrpm.html#four10


Lee

PS: Let me know if you're considering this; I'll help.


On 03/13/2018 01:19 PM, Justin Wilson wrote:

On the consulting side, I do smaller than /24 blocks to customers over tunnels. 
 So far this is the only option we have found that works for the smaller ISP. 
We all know the routing table is bloated. We all know everyone *should* be 
moving toward IPv6.  A whole different discussion.  But, for now you have a 
subset of operators that are big enough to do BGP, maybe join an exchange, but 
not big enough to afford buying v4 space for each of their customers.  So they 
are utilizing a full /24 just to utilize it.  Things such as doing 1:many nat 
at each tower, doing Carrier Grade nat, and other things make it where they 
don’t necessarily need an IP per customer.  We all know that is ideal, but it’s 
not practical for the small to medium ISP.   Folks have brought up the argument 
that buying IPs is just the cost of doing business these days.  I argue that it 
isn’t.  I see networks with 2000 users and only a /24 running along very happy.

I agree that the global routing table is pretty bloated as is.  But what kind 
of a solution for providers who need to participate in BGP but only need a /25? 
I can’t see going below that.


Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com


On Mar 13, 2018, at 10:56 AM, Naslund, Steve  wrote:


Yes, exactly right.  You would probably have to tunnel the /27 back to where the /24 
lives.  That's the only way I can see of it working "anywhere".  That's a 
technically valid solution but maybe not so hot if you are looking for high 
redundancy/availability since you are dependent on the tunnel being up and working.

As always the reputation of the aggregate is going to be critical as to how well this 
works for you.  It seems to me that increasingly these "portable" blocks have 
murky histories as spam and malware sources.  I would rather have a block assigned by a 
reputable upstream provider than to do this.

Steven Naslund
Chicago IL


On 2018-01-04 20:16, Job Snijders wrote:

On Thu, 4 Jan 2018 at 20:13, Filip Hruska  wrote:


I have stumbled upon this site [1] which seems to offer /27 IPv4
leasing.
They also claim "All of our IPv4 address space can be used on any
network in any location."

I thought that the smallest prefix size one could get routed
globally is /24?


Yes

So how does this work?
Probably with GRE, IPIP or OpenVPN tunnels.

Kind regards,

Job

IPv4 /24 is commonly the minimal chunk advertised to (and accepted by)
neighbors. If I run a global (or regional) network, I may advertise this
/24 -- or rather an aggregate covering it -- over my diverse
interconnection with neighbors, your /27 being part of the chunk and
routed to you internally (if you're a customer) -- no need for
encapsulation efforts. Similar scenario may be multi-upstream, subject
to acceptance of "punching holes in aggregates"... Am I missing
something? What's the trigger for doing tunneling here?

Happy New Year '18, by the way !

mh


Re: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Tony Tauber
On Tue, Mar 13, 2018 at 1:59 PM, Job Snijders  wrote:

> Dear Sean,
>
> On Tue, Mar 13, 2018 at 10:38:49AM -0700, Sean Pedersen wrote:
> > This is more or less the situation we're in. We contacted the customer
> > and they informed us the matter is in dispute with the RIR and that
> > their customer (the assignee) is in the process of resolving the
> > issue. We have to allow them time to accomplish this. I've asked for
> > additional information to help us understand the nature of the
> > dispute. In that time we received another request to stop announcing
> > the prefix(s) in addition to a new set of prefixes, and a threat to
> > contact our upstream providers as well as ARIN - which is not the RIR
> > the disputed resources are allocated to.
>
> I've seen disputes too between end users and RIRs - usually this is due
> to non-payment. It can be helpful to do two things: set a reasonable
> deadline for the customer to resolve this, and verify with the RIR
> whether the dispute is actually ongoing or whether the RIR closed the
> case. Example case: customer said they were in dispute, but RIR
> indicated that the case was closed. If the RIR closed the case, I'd lean
> to dropping the announcement.
>

What are people's experiences with the various RIRs discussion of these
situations?
I believe sometimes (though could be mistaken) they consider these matters
confidential.

Perhaps there are official RIR policies stated on how they handle such.
It can be frustrating I'm sure.
For the situation you describe, I'd be inclined to say that if the RIR's
posted registration matches what you've got and has been so for a while,
that ought to stand.

Tony


RE: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Sean Pedersen
I appreciate everyone's input and will incorporate it into our internal 
policies going forward. 

I also want to assure everyone who has taken the time to read or respond that 
we're going about this methodically; our customer is involved and is responding 
promptly and their customer has opened a case with the RIR. We're in the 
process of following up with the RIR. Our goal is not to cause an 'operational 
headache' for anyone, but exactly the opposite.

Thanks again for all of your feedback and responses.

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Naslund, Steve
Sent: Tuesday, March 13, 2018 11:59 AM
To: nanog@nanog.org
Subject: Re: Proof of ownership; when someone demands you remove a prefix

The fact that it is a newer customer would make me talk to the RIR direct and 
verify that a dispute is really in progress.  I would also look at some looking 
glasses and see if the prefix is being announced elsewhere, if so that might 
indicate that your customer is indeed stepping on a legit owner.  I would also 
make it clear to the new customer that they are on thin ice here to light a 
fire under their process.  Let them know that it is up to them to convince you 
that they are the legit owner.  No one wants to lose a customer but they are 
threatening your business and putting you in legal jeopardy if they are not 
legit.

Steven Naslund
Chicago IL

>-Original Message-
>From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Sean Pedersen
>Sent: Tuesday, March 13, 2018 12:39 PM
>To: nanog@nanog.org
>Subject: RE: Proof of ownership; when someone demands you remove a prefix
>
>This is more or less the situation we're in. We contacted the customer and 
>they informed us the matter is in dispute with the RIR and that their 
>customer (the assignee) is in the process of resolving the issue. We have to 
>allow them time to accomplish this. I've asked for additional information to 
>help us understand the nature of the dispute. In that time we received another 
>request to stop announcing the prefix(s) in addition to a new set of 
>prefixes, and a threat to contact our upstream providers as well as ARIN - 
>which is not the RIR the disputed resources are allocated to.
>
>This is a new(er) customer, so there is some merit to dropping the prefix and 
>letting them sort it out based on the current RIR contact(s). However, there 
>is obvious concern over customer service and dropping such a large block of 
>IPs. 
>
>I'm definitely leaning toward "let the customer (or customer's customer) and 
>the RIR sort it out" if the POC validates the request weighed responsibly 
>against customer age. However, from a customer service perspective, I think 
>we owe it to our customers to make sure a request is legitimate before we 
>knock them offline. With a limited toolset to validate that information, I 
>can't help but feel conflicted.
>
>I appreciate all the feedback this thread has generated so far!




Re: Spiffy Netflow tools?

2018-03-13 Thread Scott Fisher
Mike,

All of the architectures listed are pretty good. Nfsen is great if you
have multiple routers exporting various netflow versions with a single
daemon, but it's a bit older and not as pretty/quick as something using
elastic.

Team Cymru has a netflow analyzer that matches your netflow data to
known 'bad IPs'. http://www.team-cymru.org/Flow-Sonar.html


Thanks,
Scott

On 3/12/18 7:24 PM, mike.l...@gmail.com wrote:
> Howdy!
> 
> Checking out various Netflow tools and wanted to see what others are using? 
> 
> Kentik is cool. Are they the only SaaS based flow digester? I don’t seem to 
> see any others.
> 
> Also curious about on-prem solutions as well.
> 
> Thanks!
> Mike
> 

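Two things come up in this thread that are easy to show in a few dozen lines: what a collector actually does with a NetFlow v5 export (the format Hugo notes the Logstash plugin handles) and Scott's point about matching flow records against a list of known bad addresses. The block below is an added illustration for this thread, not code from ElastiFlow, Logstash or Team Cymru's Flow Sonar. It parses one v5 datagram straight off the wire layout, refuses anything that is not v5 or whose record count does not match the packet length, and reports the flows whose source or destination sits in a watchlist. The watchlist prefixes, the datagram and the `build_v5` helper that assembles it are all constructed for the example.

```python
"""Parse a NetFlow v5 export datagram and flag flows touching a watchlist of
prefixes. Added illustration for this thread, not code from ElastiFlow,
Logstash or Team Cymru; the watchlist and the datagram are constructed."""
from __future__ import annotations

import ipaddress
import struct
from dataclasses import dataclass

# Wire layout of the NetFlow v5 export format: 24-byte header, 48-byte records.
HDR = struct.Struct("!HHIIIIBBH")
REC = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")

# Constructed watchlist standing in for a "known bad IPs" feed (assumption).
WATCHLIST = [ipaddress.ip_network(p) for p in ("198.51.100.0/24", "203.0.113.7/32")]


@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int


def parse_v5(datagram: bytes) -> list[Flow]:
    """Return the flow records in one v5 datagram. Version and length are
    checked first so a v9/IPFIX or truncated packet fails loudly instead of
    being misread as flows."""
    if len(datagram) < HDR.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = HDR.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    if count > 30 or len(datagram) != HDR.size + count * REC.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = REC.unpack_from(datagram, HDR.size + i * REC.size)
        flows.append(Flow(src=ipaddress.IPv4Address(r[0]),
                          dst=ipaddress.IPv4Address(r[1]),
                          proto=r[13], sport=r[9], dport=r[10],
                          packets=r[5], octets=r[6]))
    return flows


def match_watchlist(flows, watchlist=WATCHLIST):
    """Return (flow, prefix) pairs where either endpoint is in the watchlist."""
    hits = []
    for fl in flows:
        for net in watchlist:
            if fl.src in net or fl.dst in net:
                hits.append((fl, net))
                break
    return hits


def build_v5(records) -> bytes:
    """Assemble a v5 datagram from (src, dst, proto, sport, dport, pkts, octets)
    tuples; used only to construct the sample input for this example."""
    hdr = HDR.pack(5, len(records), 1000, 1520899200, 0, 1, 0, 0, 0)
    body = b"".join(
        REC.pack(ipaddress.IPv4Address(s).packed, ipaddress.IPv4Address(d).packed,
                 b"\0\0\0\0", 1, 2, pk, oc, 0, 0, sp, dp, 0, 0x18, pr, 0,
                 0, 0, 24, 24, 0)
        for s, d, pr, sp, dp, pk, oc in records)
    return hdr + body


# Constructed sample export: three flows, two of them touching the watchlist.
SAMPLE = build_v5([
    ("192.0.2.10", "198.51.100.25", 6, 51234, 25, 12, 3400),   # SMTP to a listed /24
    ("192.0.2.11", "192.0.2.200", 17, 53, 53, 1, 80),          # clean DNS
    ("203.0.113.7", "192.0.2.12", 6, 443, 40000, 40, 60000),   # from a listed /32
])

if __name__ == "__main__":
    for fl, net in match_watchlist(parse_v5(SAMPLE)):
        print(f"{fl.src}:{fl.sport} -> {fl.dst}:{fl.dport} proto {fl.proto} matched {net}")
```

A real collector would read the datagram from a UDP socket and load the watchlist from the feed; the parsing and matching do not change. Note that the length check matters: a v9 template packet or a chopped datagram fed to a naive 48-byte slicer yields plausible-looking garbage flows rather than an error.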

contact for www.upack.com (http 403)

2018-03-13 Thread Matthew Dittmer
Is there a contact at upack.com that can help us?  All of our subscribers 
receive an error 403 access denied.

Thank you,
Matt Dittmer
AS20298



RE: IPv4 smaller than /24 leasing?

2018-03-13 Thread Naslund, Steve
It might be archaic thinking but back in the day routers were not all that 
powerful and table size was a concern so /24 was it.  ARIN kind of figured if 
you were smaller than a /24 you were not really on their radar and you needed 
to talk to an upstream provider.  It is a big system to manage and they had to 
draw a line somewhere.  Today that is kind of painful but it will be really 
difficult to change on a global basis.  I would work on finding an 
understanding upstream provider that would let you announce one of their blocks 
via multiple upstream providers.  I might remind them that allowing me to do 
that kind of ties me to their service which is good for them.  I have found 
that a lot of carriers don't mind doing that as long as you can justify the 
reasoning which it looks like you can.

As far as justification for the RIR, it should be sufficient to say that you 
need redundant upstream carriers as a service provider and cannot make that 
work with less than a /24.  It would also help to show an IPv6 strategy that 
really needs the IPv4 for infrastructure purposes.  It is not all about 
utilization only.  The RIRs know how that works.  I know that ARIN for sure can 
look at a network architecture in addition to pure utilization which is why 
global entities can often get a larger allocation to allow for regionally based 
sub-allocations.  I think you will find them cooperative.  Feel free to talk to 
them about it.  They really are reasonable people who get it.

Steven Naslund
Chicago IL

>On Tue, Mar 13, 2018 at 2:14 PM, Justin Wilson  wrote:
> Even to buy it on the secondary market you have to have justification and 
> show usage.  So if someone buys a /24 and really only needs a /25 then what?



Re: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Naslund, Steve
The fact that it is a newer customer would make me talk to the RIR direct and 
verify that a dispute is really in progress.  I would also look at some looking 
glasses and see if the prefix is being announced elsewhere, if so that might 
indicate that your customer is indeed stepping on a legit owner.  I would also 
make it clear to the new customer that they are on thin ice here to light a 
fire under their process.  Let them know that it is up to them to convince you 
that they are the legit owner.  No one wants to lose a customer but they are 
threatening your business and putting you in legal jeopardy if they are not 
legit.

Steven Naslund
Chicago IL

>-Original Message-
>From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Sean Pedersen
>Sent: Tuesday, March 13, 2018 12:39 PM
>To: nanog@nanog.org
>Subject: RE: Proof of ownership; when someone demands you remove a prefix
>
>This is more or less the situation we're in. We contacted the customer and 
>they informed us the matter is in dispute with the RIR and that their 
>customer (the assignee) is in the process of resolving the issue. We have to 
>allow them time to accomplish this. I've asked for additional information to 
>help us understand the nature of the dispute. In that time we received another 
>request to stop announcing the prefix(s) in addition to a new set of 
>prefixes, and a threat to contact our upstream providers as well as ARIN - 
>which is not the RIR the disputed resources are allocated to.
>
>This is a new(er) customer, so there is some merit to dropping the prefix and 
>letting them sort it out based on the current RIR contact(s). However, there 
>is obvious concern over customer service and dropping such a large block of 
>IPs. 
>
>I'm definitely leaning toward "let the customer (or customer's customer) and 
>the RIR sort it out" if the POC validates the request weighed responsibly 
>against customer age. However, from a customer service perspective, I think 
>we owe it to our customers to make sure a request is legitimate before we 
>knock them offline. With a limited toolset to validate that information, I 
>can't help but feel conflicted.
>
>I appreciate all the feedback this thread has generated so far!

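Steve's suggestion to check looking glasses for the prefix being announced elsewhere is the one mechanical test in this thread, so here is what that check looks like written down. This is an added example, not any poster's code or tooling: `LG_SNAPSHOT` is a constructed list of routes shaped like a looking-glass or route-collector dump, and the prefixes and ASNs are documentation-range values. It takes the prefix and origin AS the customer claims, finds every observed route that overlaps it (exact, more-specific or less-specific) from a different origin, and groups the results by the other origin so the ticket to the customer and the RIR can name exactly what is in conflict.

```python
"""Compare the prefix a customer asks you to announce against what the rest of
the Internet already sees, to spot a second origin. Added illustration for
this thread; LG_SNAPSHOT is constructed to look like a looking-glass dump and
the ASNs are documentation-range values, not real routing data."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str
    origin_as: int
    as_path: tuple[int, ...]


def classify(customer_prefix: str, observed: str) -> str | None:
    """How an observed prefix relates to the customer's: exact, more-specific,
    less-specific, or None when they do not overlap (or differ in family)."""
    cp = ipaddress.ip_network(customer_prefix, strict=True)
    op = ipaddress.ip_network(observed, strict=True)
    if cp.version != op.version or not cp.overlaps(op):
        return None
    if op == cp:
        return "exact"
    return "more-specific" if op.prefixlen > cp.prefixlen else "less-specific"


def conflicting_origins(customer_prefix: str, customer_asn: int, routes):
    """Routes overlapping customer_prefix that originate from an AS other than
    the customer's. An empty result proves nothing (the prefix may simply be
    unannounced elsewhere); a non-empty one means a second party is already
    using the space and the 'dispute with the RIR' story needs a direct check."""
    conflicts = []
    for r in routes:
        kind = classify(customer_prefix, r.prefix)
        if kind is not None and r.origin_as != customer_asn:
            conflicts.append((kind, r))
    return conflicts


def summarize(conflicts) -> dict[int, set[str]]:
    """Group the conflicting prefixes by the other origin AS, for the ticket."""
    out = {}
    for _, r in conflicts:
        out.setdefault(r.origin_as, set()).add(r.prefix)
    return out


# Constructed snapshot: what a looking glass might show for the space in question.
LG_SNAPSHOT = [
    Route("192.0.2.0/24", 64500, (64496, 64500)),      # the customer's announcement via you
    Route("192.0.2.0/24", 64510, (64497, 64510)),      # same prefix from another origin
    Route("192.0.2.128/25", 64510, (64497, 64510)),    # and a more-specific from that origin
    Route("198.51.100.0/24", 64511, (64497, 64511)),   # unrelated space
    Route("2001:db8::/32", 64500, (64496, 64500)),     # customer's v6, irrelevant to the v4 check
]

if __name__ == "__main__":
    found = conflicting_origins("192.0.2.0/24", 64500, LG_SNAPSHOT)
    for kind, r in found:
        print(f"{kind:14} {r.prefix:18} origin AS{r.origin_as} path {r.as_path}")
    print(summarize(found))
```

The more-specific case is the one worth watching: a customer whose /24 is legitimately theirs can still be stepping on someone else's /25 inside it, and a looking glass that only shows the exact prefix will not reveal that. Pair the output with the RIR's current registration for each conflicting prefix before deciding whose announcement stays.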


Re: IPv4 smaller than /24 leasing?

2018-03-13 Thread William Herrin
On Tue, Mar 13, 2018 at 2:14 PM, Justin Wilson  wrote:
> Even to buy it on the secondary market you have to have justification and 
> show usage.  So if someone buys a /24 and really only needs a /25 then what?

Hi Justin,

If you can't justify a /24 with a single hypervisor, you aren't being
creative enough. Seriously. Optimize your network _plan_ for address
consumption. You need a /29 (or two /30s) to connect each VM to the
primary and backup router VMs and that's before you assign virtual IPs
to web servers on the VMs.

In your initial allocation, ARIN won't hold you to your plan. You just
have to have a plan where the numbers add up to justified need. If
you're not comfortable going it on your own, contract someone who's
been through it before to shepherd you through the process. ARIN's
process is convoluted and arcane, but if you're ready to pay the cost
of multihoming you truly won't have any trouble justifying an ARIN
/24.

Regards,
Bill Herrin

-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Websurfing trouble to .gov and .il.us

2018-03-13 Thread valdis . kletnieks
On Mon, 12 Mar 2018 17:44:47 -, Sam Kretchmer said:

> I am part of a small ISP based in Chicago. We have several clients
> complaining of an inability to hit a couple specific government websites,
> specifically http://tierii.iema.state.il.us/TIER2MANAGER/Account/Login.aspx 
> and
> https://www.deadiversion.usdoj.gov/. It does seem to be related to the IP's
> they use, specifically parts of 213.159.132/22

First thing that comes to mind:  Fire up wireshark and
see if anything pops out.

Second thing: PMTU black hole or similar - the 3 packet handshake
completes, and TLS fires up, and then comes to a screeching halt
when something large causes a MTU-sized packet to happen.

Double-check the pages, make sure they aren't doing something
squirrelly like fetching CSS from some *other* site that's down
or PMTU black holed.

Oh, and 519 lashes with a wet noodle for the IL state division of IT
for having a Login.aspx on an http: site. ;)



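The second suspect above (handshake completes, TLS starts, then everything stalls on the first MTU-sized packet) has a recognizable shape in a capture, and it is worth separating from plain packet loss before blaming the path. The block below is an added example, not code from any poster: `TRACE` is a constructed text summary of two TCP flows, the kind of per-packet listing you would export from Wireshark, using documentation addresses. The heuristic flags a direction where the handshake was seen, at least one small segment was acknowledged (so the path works for small packets), and a full-size segment was retransmitted repeatedly without the peer's ACK ever covering it. The byte threshold and the retransmission count are assumptions you would tune for the link in question.

```python
"""Heuristic for the PMTU black hole pattern: handshake completes, small
segments are acknowledged, then a full-size segment is retransmitted over and
over and never acknowledged. Added illustration for this thread, not anyone's
posted code; TRACE is a constructed per-packet summary of two TCP flows
(Wireshark-export style) on documentation addresses."""
from __future__ import annotations

import re
from collections import defaultdict

LINE = re.compile(
    r"(?P<t>[\d.]+) (?P<src>[\d.]+:\d+) > (?P<dst>[\d.]+:\d+) (?P<flags>[A-Z]+) "
    r"len=(?P<len>\d+) seq=(?P<seq>\d+) ack=(?P<ack>\d+)")

TRACE = """
# flow 1: handshake ok, 517-byte ClientHello acked, 1460-byte reply never acked
1.000 192.0.2.10:51000 > 198.51.100.20:443 S len=0 seq=0 ack=0
1.050 198.51.100.20:443 > 192.0.2.10:51000 SA len=0 seq=0 ack=1
1.051 192.0.2.10:51000 > 198.51.100.20:443 A len=0 seq=1 ack=1
1.052 192.0.2.10:51000 > 198.51.100.20:443 PA len=517 seq=1 ack=1
1.100 198.51.100.20:443 > 192.0.2.10:51000 A len=0 seq=1 ack=518
1.101 198.51.100.20:443 > 192.0.2.10:51000 A len=1460 seq=1 ack=518
1.400 198.51.100.20:443 > 192.0.2.10:51000 A len=1460 seq=1 ack=518
2.000 198.51.100.20:443 > 192.0.2.10:51000 A len=1460 seq=1 ack=518
3.200 198.51.100.20:443 > 192.0.2.10:51000 A len=1460 seq=1 ack=518
# flow 2: healthy, the full-size segment is acknowledged on the first try
3.000 192.0.2.10:51001 > 198.51.100.5:443 S len=0 seq=0 ack=0
3.050 198.51.100.5:443 > 192.0.2.10:51001 SA len=0 seq=0 ack=1
3.051 192.0.2.10:51001 > 198.51.100.5:443 A len=0 seq=1 ack=1
3.052 192.0.2.10:51001 > 198.51.100.5:443 PA len=517 seq=1 ack=1
3.100 198.51.100.5:443 > 192.0.2.10:51001 A len=1460 seq=1 ack=518
3.101 198.51.100.5:443 > 192.0.2.10:51001 PA len=900 seq=1461 ack=518
3.150 192.0.2.10:51001 > 198.51.100.5:443 A len=0 seq=518 ack=2361
"""


def parse(text: str) -> list[dict]:
    """Turn the summary lines into packet dicts; comments and blanks are skipped."""
    pkts = []
    for ln in text.splitlines():
        ln = ln.strip()
        if not ln or ln.startswith("#"):
            continue
        m = LINE.fullmatch(ln)
        if m is None:
            raise ValueError(f"unparseable line: {ln!r}")
        d = m.groupdict()
        pkts.append({"t": float(d["t"]), "src": d["src"], "dst": d["dst"],
                     "flags": d["flags"], "len": int(d["len"]),
                     "seq": int(d["seq"]), "ack": int(d["ack"])})
    return pkts


def pmtu_blackhole_suspects(pkts, big=1400, min_retrans=2):
    """One entry per direction showing the signature: SYN seen on the flow, a
    segment smaller than `big` acked in either direction, and a segment of
    `big` bytes or more sent 1 + min_retrans times without ever being acked.
    `big` and `min_retrans` are tunable assumptions, not protocol constants."""
    by_dir = defaultdict(list)
    for p in pkts:
        by_dir[(p["src"], p["dst"])].append(p)

    def highest_ack(src, dst):
        return max((p["ack"] for p in by_dir.get((src, dst), []) if "A" in p["flags"]),
                   default=0)

    def small_acked(src, dst):
        peer_ack = highest_ack(dst, src)
        return any(0 < p["len"] < big and peer_ack >= p["seq"] + p["len"]
                   for p in by_dir.get((src, dst), []))

    suspects = []
    for (src, dst), segs in by_dir.items():
        flow = segs + by_dir.get((dst, src), [])
        if not any("S" in p["flags"] for p in flow):
            continue  # no handshake on record; not the pattern we are after
        if not (small_acked(src, dst) or small_acked(dst, src)):
            continue  # nothing small got through either: plain loss, not MTU-specific
        peer_ack = highest_ack(dst, src)
        sends = defaultdict(int)
        for p in segs:
            if p["len"] >= big:
                sends[(p["seq"], p["len"])] += 1
        for (seq, ln), n in sends.items():
            if n >= 1 + min_retrans and peer_ack < seq + ln:
                suspects.append({"src": src, "dst": dst, "seq": seq, "len": ln, "sends": n})
    return suspects


if __name__ == "__main__":
    for s in pmtu_blackhole_suspects(parse(TRACE)):
        print(f"{s['src']} -> {s['dst']}: {s['len']}-byte segment at seq {s['seq']} "
              f"sent {s['sends']} times, never acked")
```

When this fires, the confirmation is the usual one: send a DF-set probe of the suspect size toward the far end and see whether a fragmentation-needed message ever comes back; if it does not, something on the path is dropping both the large packet and the ICMP that would have fixed it.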

Re: IPv4 smaller than /24 leasing?

2018-03-13 Thread Martin List-Petersen

Hi,

needing a /24 to participate in BGP has always been sort of a world-wide 
standard.


Even before the explosion of the IPv4 BGP full table (which has more 
than doubled in the last decade), that was the standard.


Because, if carriers (and ISPs) accepted upstream < /24, then you'd 
have an entirely different animal at large.


The issue here is not ARIN, or RIPE, or APNIC, or AfriNIC etc.

The issue is, that the industry standard is to filter the upstream table 
and not to accept smaller than /24 ... so even if the policies were 
changed your 

It would take decades before you'd see it routable everywhere .. if at 
all .. as ISPs and Carriers relax their filters.


And before that happens, IPv6 will be the norm  so it won't happen.

Kind regards,
Martin List-Petersen
Airwire Ltd.


On 13/03/18 18:14, Justin Wilson wrote:

Even to buy it on the secondary market you have to have justification and show 
usage.  So if someone buys a /24 and really only needs a /25 then what? It 
ARIN, or others for that matter, going to relax those requirements?  If I am an 
ISP and need to do BGP, maybe because I have a big downstream customer, I have 
to have a /24 to participate in BGP.   I see these scenarios more and more.

Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com


On Mar 13, 2018, at 2:08 PM, Bob Evans  wrote:

Marketplaces - supply and demand and costs to operate as Bill noted (never
thought of that) will settle out the need.

Thank You
Bob Evans
CTO





I am looking at it from an ARIN justification point.  If you are a small
operator and need a /24 you have justification if you give customer’s
publics, but is it a great line if you are only giving out publics for
people who need cameras or need to connect in from the outside world. If I
need a /24 and I don’t really use it all am I being shady?  It becomes a
“how much of a grey area is there” kind of thing.


Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com


On Mar 13, 2018, at 1:37 PM, William Herrin  wrote:

On Tue, Mar 13, 2018 at 1:19 PM, Justin Wilson  wrote:

I agree that the global routing table is pretty bloated as is.  But
what kind of a solution for providers who need to participate in BGP
but only need a /25?


Hi Justin,

If you need a /25 and BGP for multihoming or anycasting, get a /24.
The cost you impose on the system by using BGP *at all* is much higher
than the cost you impose on the system by consuming less than 250
"unneeded" Ip addresses.

I did a cost analysis on a BGP announcement a decade or so ago. The
exact numbers have changed but the bottom line hasn't: it's
ridiculously consumptive.

Regards,
Bill Herrin



--
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 




--
Airwire Ltd. - Ag Nascadh Pobail an Iarthair
http://www.airwire.ie
Phone: 091-395 000
Registered Office: Moy, Kinvara, Co. Galway, 091-395 000 - Registered in 
Ireland No. 508961


Re: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread William Herrin
On Tue, Mar 13, 2018 at 1:38 PM, Sean Pedersen
 wrote:
> This is more or less the situation we're in. We contacted the customer and 
> they informed us the matter is in dispute with the RIR and that their 
> customer (the assignee) is in the process of resolving the issue. We have to 
> allow them time to accomplish this. I've asked for additional information to 
> help us understand the nature of the dispute. In that time we received 
> another request to stop announcing the prefix(s) in addition to a new set of 
> prefixes, and a threat to contact our upstream providers as well as ARIN - 
> which is not the RIR the disputed resources are allocated to.

Sean,

If you've been announcing the route for the past year before this
complaint came in then you are, of course, correct. It would be
unconscionable to suddenly cut a customer over a paperwork problem.


> This is a new(er) customer, so there is some merit to dropping the prefix and 
> letting them sort it out based on the current RIR contact(s). However, there 
> is obvious concern over customer service and dropping such a large block of 
> IPs.

If you've been announcing the route for the past week before this
complaint came in then you are causing someone else a big operational
headache. You must stop. Insist that the customer straighten out their
problem with the RIR before you announce the route.


You can ignore the threat to contact ARIN. ARIN does not involve
itself in routing disputes. Your upstream (and their upstream, et
cetera) will act to preserve their reputations. If that includes
manually blocking some of your announcements, you'll have a devil of a
time undoing it later.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: IPv4 smaller than /24 leasing?

2018-03-13 Thread Justin Wilson
Even to buy it on the secondary market you have to have justification and show 
usage.  So if someone buys a /24 and really only needs a /25 then what? It 
ARIN, or others for that matter, going to relax those requirements?  If I am an 
ISP and need to do BGP, maybe because I have a big downstream customer, I have 
to have a /24 to participate in BGP.   I see these scenarios more and more.  

Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com

> On Mar 13, 2018, at 2:08 PM, Bob Evans  wrote:
> 
> Marketplaces - supply and demand and costs to operate as Bill noted (never
> thought of that) will settle out the need.
> 
> Thank You
> Bob Evans
> CTO
> 
> 
> 
> 
>> I am looking at it from an ARIN justification point.  If you are a small
>> operator and need a /24 you have justification if you give customer’s
>> publics, but is it a great line if you are only giving out publics for
>> people who need cameras or need to connect in from the outside world. If I
>> need a /24 and I don’t really use it all am I being shady?  It becomes a
>> “how much of a grey area is there” kind of thing.
>> 
>> 
>> Justin Wilson
>> j...@mtin.net
>> 
>> www.mtin.net
>> www.midwest-ix.com
>> 
>>> On Mar 13, 2018, at 1:37 PM, William Herrin  wrote:
>>> 
>>> On Tue, Mar 13, 2018 at 1:19 PM, Justin Wilson  wrote:
>>>> I agree that the global routing table is pretty bloated as is.  But
>>>> what kind of a solution for providers who need to participate in BGP
>>>> but only need a /25?
>>> 
>>> Hi Justin,
>>> 
>>> If you need a /25 and BGP for multihoming or anycasting, get a /24.
>>> The cost you impose on the system by using BGP *at all* is much higher
>>> than the cost you impose on the system by consuming less than 250
>>> "unneeded" Ip addresses.
>>> 
>>> I did a cost analysis on a BGP announcement a decade or so ago. The
>>> exact numbers have changed but the bottom line hasn't: it's
>>> ridiculously consumptive.
>>> 
>>> Regards,
>>> Bill Herrin
>>> 
>>> 
>>> 
>>> --
>>> William Herrin  her...@dirtside.com  b...@herrin.us
>>> Dirtside Systems . Web: 
>>> 
>> 
>> 
> 
> 



Re: IPv4 smaller than /24 leasing?

2018-03-13 Thread Bob Evans
Marketplaces - supply and demand and costs to operate as Bill noted (never
thought of that) will settle out the need.

Thank You
Bob Evans
CTO




> I am looking at it from an ARIN justification point.  If you are a small
> operator and need a /24 you have justification if you give customer’s
> publics, but is it a great line if you are only giving out publics for
> people who need cameras or need to connect in from the outside world. If I
> need a /24 and I don’t really use it all am I being shady?  It becomes a
> “how much of a grey area is there” kind of thing.
>
>
> Justin Wilson
> j...@mtin.net
>
> www.mtin.net
> www.midwest-ix.com
>
>> On Mar 13, 2018, at 1:37 PM, William Herrin  wrote:
>>
>> On Tue, Mar 13, 2018 at 1:19 PM, Justin Wilson  wrote:
>>> I agree that the global routing table is pretty bloated as is.  But
>>> what kind of a solution for providers who need to participate in BGP
>>> but only need a /25?
>>
>> Hi Justin,
>>
>> If you need a /25 and BGP for multihoming or anycasting, get a /24.
>> The cost you impose on the system by using BGP *at all* is much higher
>> than the cost you impose on the system by consuming less than 250
>> "unneeded" Ip addresses.
>>
>> I did a cost analysis on a BGP announcement a decade or so ago. The
>> exact numbers have changed but the bottom line hasn't: it's
>> ridiculously consumptive.
>>
>> Regards,
>> Bill Herrin
>>
>>
>>
>> --
>> William Herrin  her...@dirtside.com  b...@herrin.us
>> Dirtside Systems . Web: 
>>
>
>




Centurylink SOC contact?

2018-03-13 Thread Brian Rak
Does anyone have a contact for the SOC at centurylink?  I've tried 
soc@centurylink and noc@centurylink, with no answer.


For whatever reason, they're mangling IP address in abuse reports, which 
requires us to manually review every report.  We'd really like them to 
stop, and just include the IP address in the body of the report.


They seem to be the only ones that do this, pretty much all the other 
reports we get list a normal IP address.




Re: Websurfing trouble to .gov and .il.us

2018-03-13 Thread lists
On Mon, Mar 12, 2018, at 10:44 AM, Sam Kretchmer wrote:
> IP's they use, specifically parts of 213.159.132/22. They can surf any 

This block appears to have shifted over from RIPE into ARIN space.

I've seen a few firewalls and filtering systems that block countries or block 
unallocated/weird/bogon ranges in broken ways (probably more so if it was an 
enterprise/government/finance situation). They could be locally terminating 
connections at the entry point or something in a browser, which might produce 
oddities like the loading/connecting/loading. 

Alternatively, I've also seen some crappy fw/transparent proxies have problems 
dealing with IPs that end in .0 and .255 and sometimes .254.


Re: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Job Snijders
Dear Sean,

On Tue, Mar 13, 2018 at 10:38:49AM -0700, Sean Pedersen wrote:
> This is more or less the situation we're in. We contacted the customer
> and they informed us the matter is in dispute with the RIR and that
> their customer (the assignee) is in the process of resolving the
> issue. We have to allow them time to accomplish this. I've asked for
> additional information to help us understand the nature of the
> dispute. In that time we received another request to stop announcing
> the prefix(s) in addition to a new set of prefixes, and a threat to
> contact our upstream providers as well as ARIN - which is not the RIR
> the disputed resources are allocated to.

I've seen disputes too between end users and RIRs - usually this is due
to non-payment. It can be helpful to do two things: set a reasonable
deadline for the customer to resolve this, and verify with the RIR
whether the dispute is actually ongoing or whether the RIR closed the
case. Example case: customer said they were in dispute, but RIR
indicated that the case was closed. If the RIR closed the case, I'd lean
to dropping the announcement.

> This is a new(er) customer, so there is some merit to dropping the
> prefix and letting them sort it out based on the current RIR
> contact(s). However, there is obvious concern over customer service
> and dropping such a large block of IPs. 

Size of the block often is a poor indicator for legitimacy.

Kind regards,

Job

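The verification Job describes (and Bill Herrin's "contact the POC published in WHOIS by the RIR" elsewhere in this thread) can be scripted against the registry's RDAP service, which returns the same record WHOIS does but as JSON. The following is an added example, not code from anyone in the thread. It assumes an RDAP base URL (rdap.org, which redirects to the responsible RIR) for the live lookup, and it embeds a constructed, cut-down RDAP response for the documentation prefix 192.0.2.0/24 with placeholder handles, names and addresses so the logic runs offline. It checks two things a removal request should satisfy before anyone acts on it: the requested prefix actually lies inside the registered range, and the requester's e-mail address belongs to a registrant, administrative or technical contact on that record. The `port43` field also tells you which registry holds the record, which matters when a requester threatens to involve a different RIR. A passing check is a POC match, not proof of ownership; if the POC itself was changed at the RIR, that is exactly the dispute Job suggests confirming with the RIR directly.

```python
"""Check a prefix-removal request against the registry's RDAP record.

Added example, not from the thread.  The live lookup assumes rdap.org as a
bootstrap redirector; SAMPLE_RDAP is a constructed, shortened RDAP "ip
network" object for 192.0.2.0/24 (placeholder handles and contacts).
"""
import ipaddress
import json
import urllib.request

# Roles whose holders can legitimately speak for the registration.
AUTHORITATIVE_ROLES = {"registrant", "administrative", "technical"}

# Constructed sample.  Real responses carry many more fields; only those
# used below are included.  Handles, names and mailboxes are placeholders.
SAMPLE_RDAP = json.dumps({
    "handle": "NET-192-0-2-0-1",
    "startAddress": "192.0.2.0",
    "endAddress": "192.0.2.255",
    "port43": "whois.example-rir.net",
    "entities": [
        {"handle": "EXAMPLE-ORG", "roles": ["registrant"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Example Holdings"]]]},
        {"handle": "EXAMPLE-ADMIN", "roles": ["administrative", "technical"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Alice Admin"],
                                  ["email", {}, "text", "noc@example.net"]]]},
        {"handle": "EXAMPLE-ABUSE", "roles": ["abuse"],
         "vcardArray": ["vcard", [["fn", {}, "text", "Abuse Desk"],
                                  ["email", {}, "text", "abuse@example.net"]]]},
    ],
})


def load_sample():
    """Return the constructed sample record as a dict."""
    return json.loads(SAMPLE_RDAP)


def fetch_rdap(prefix, base_url="https://rdap.org/ip/"):
    """Live lookup (assumption: base_url redirects to the right RIR).

    Not used by the offline demo; pass the result to evaluate_request()."""
    with urllib.request.urlopen(base_url + prefix.split("/")[0], timeout=15) as resp:
        return json.load(resp)


def _vcard_field(entity, field):
    """Pull every value of one vCard field (fn, email, ...) from an entity."""
    vcard = entity.get("vcardArray", ["vcard", []])[1]
    return [item[3] for item in vcard if item[0] == field]


def parse_contacts(rdap):
    """Flatten the RDAP entities into handle / roles / name / e-mail rows."""
    contacts = []
    for ent in rdap.get("entities", []):
        contacts.append({
            "handle": ent.get("handle", ""),
            "roles": list(ent.get("roles", [])),
            "name": next(iter(_vcard_field(ent, "fn")), ""),
            "emails": [e.lower() for e in _vcard_field(ent, "email")],
        })
    return contacts


def evaluate_request(rdap, requested_prefix, requester_email):
    """Decide whether a 'stop announcing X' request comes from a listed POC.

    Returns the registry host, whether the prefix is inside the registered
    range, the roles held by the requester's address, and a verdict:
    'poc-confirmed' only when both conditions hold, otherwise 'escalate'
    (ask the customer and the RIR, as the thread recommends)."""
    net = ipaddress.ip_network(requested_prefix, strict=False)
    start = ipaddress.ip_address(rdap["startAddress"])
    end = ipaddress.ip_address(rdap["endAddress"])
    covered = start <= net.network_address and net.broadcast_address <= end
    email = requester_email.strip().lower()
    roles = {r for c in parse_contacts(rdap) if email in c["emails"] for r in c["roles"]}
    authoritative = bool(roles & AUTHORITATIVE_ROLES)
    return {
        "registry_whois": rdap.get("port43", "unknown"),
        "prefix_covered": covered,
        "requester_roles": sorted(roles),
        "verdict": "poc-confirmed" if covered and authoritative else "escalate",
    }


if __name__ == "__main__":
    for who in ("noc@example.net", "abuse@example.net", "stranger@example.org"):
        print(who, evaluate_request(load_sample(), "192.0.2.0/24", who))
```

For a real request you would replace `load_sample()` with `fetch_rdap("<prefix>")`, keep the RDAP JSON you received alongside the ticket, and still send the "please confirm" mail to the listed POC address rather than replying to the requester.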

[NANOG-announce] NANOG 73 Call for Presentations is open

2018-03-13 Thread Ryan Woolley via NANOG-announce
This message has been wrapped due to the DMARC policy setting to
prevent NANOG subscribers from being unsubscribed due to bounces.
--- Begin Message ---
NANOG Community,

The NANOG Program Committee is excited to announce that we are now
accepting proposals for all sessions at NANOG 73 in Denver, CO, June 25-27,
2018.  Below is a summary of key details and dates from the Call For
Presentations on the NANOG website, which can be found at:
http://www.cvent.com/d/ttqv1z/6K

The NANOG Program Committee seeks proposals for presentations, panels,
tutorials, and track sessions for the NANOG 73 program.  We welcome
suggestions of speakers or topic ideas.  Presentations may cover current
technologies already deployed or soon-to-be deployed in the Internet.
Vendors are welcome to submit talks which cover relevant technologies and
capabilities, but presentations must not be promotional or discuss
proprietary solutions. NANOG 73 submissions can be entered on the NANOG
Program Committee Tool at https://pc.nanog.org

The primary speaker, moderator, or author should submit a presentation
proposal and an abstract in the Program Committee Tool.
- Select “Propose Talk” from the Talks menu
- Select NANOG 73 from the Meeting menu
- Select the appropriate *Session* the talk will be presented in (General
Session 30-45 minutes; Tutorial 90-120 minutes; Track 90-120 minutes)

Timeline for submission and proposal review:
- Submitter enters abstract (and draft slides if possible) in Program
Committee Tool: any time following Call for Presentations and prior to CFP
deadline for slide submission
- PC performs initial review and assigns a “shepherd” to help develop the
submission: within 2 weeks
- Submitter develops draft slides of talk.  Please submit initial draft
slides early.  Panel and Track submissions should provide topic list and
intended/confirmed participants
- PC reviews slides and continues to work with Submitter as needed to
develop topic
- Draft presentation slides should be submitted prior to published deadline
for slides
- PC accepts or declines submission
- Agenda assembled and posted
- Submitters notified

If you think you have an interesting topic but want feedback or suggestions
for developing an idea into a presentation, please email the Program
Committee, and a representative of the Program Committee will respond.
Otherwise, submit your talk, keynote, track, or panel proposal to the
Program Committee Tool without delay!  We look forward to reviewing your
submission.

Key Dates for NANOG 73:

Tuesday, 03/13/18 Registration for NANOG 73 Opens
Tuesday, 03/13/18 Agenda Outline for NANOG 73 Posted
Tuesday, 05/08/18 CFP Deadline: Presentation Slides Due
Tuesday, 05/08/18 CFP Topic List and NANOG Highlights Page
Monday, 06/18/18 Speaker FINAL presentation Slides to PC Tool
Sunday, 06/24/18 Lightning Talk Submissions Open (Abstracts Only)
Sunday, 06/24/18 On-site Registration

Final slides must be submitted by Monday, June 18, 2018, and no changes
will be accepted between that date and the conference.  Materials received
after that date will be updated on the web site after the completion of the
conference.

We look forward to seeing you in June in Denver!

Sincerely,

Ryan Woolley
NANOG PC
--- End Message ---
___
NANOG-announce mailing list
nanog-annou...@nanog.org
https://mailman.nanog.org/mailman/listinfo/nanog-announce

Re: IPv4 smaller than /24 leasing?

2018-03-13 Thread Justin Wilson
I am looking at it from an ARIN justification point.  If you are a small 
operator and need a /24 you have justification if you give customer’s publics, 
but is it a great line if you are only giving out publics for people who need 
cameras or need to connect in from the outside world. If I need a /24 and I 
don’t really use it all am I being shady?  It becomes a “how much of a grey 
area is there” kind of thing.


Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com

> On Mar 13, 2018, at 1:37 PM, William Herrin  wrote:
> 
> On Tue, Mar 13, 2018 at 1:19 PM, Justin Wilson  wrote:
>> I agree that the global routing table is pretty bloated as is.  But what 
>> kind of a solution for providers who need to participate in BGP but only 
>> need a /25?
> 
> Hi Justin,
> 
> If you need a /25 and BGP for multihoming or anycasting, get a /24.
> The cost you impose on the system by using BGP *at all* is much higher
> than the cost you impose on the system by consuming less than 250
> "unneeded" IP addresses.
> 
> I did a cost analysis on a BGP announcement a decade or so ago. The
> exact numbers have changed but the bottom line hasn't: it's
> ridiculously consumptive.
> 
> Regards,
> Bill Herrin
> 
> 
> 
> -- 
> William Herrin  her...@dirtside.com  b...@herrin.us
> Dirtside Systems . Web: 
> 



Re: Websurfing trouble to .gov and .il.us

2018-03-13 Thread Stephen Satchell

On 03/12/2018 10:44 AM, Sam Kretchmer wrote:

> specifically http://tierii.iema.state.il.us/TIER2MANAGER/Account/Login.aspx
> and https://www.deadiversion.usdoj.gov/.


Wireshark?  It could be a problem with the sites having an infinite 
referral loop.  It doesn't necessarily have to be a network problem per se.


RE: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Sean Pedersen
This is more or less the situation we're in. We contacted the customer and they 
informed us the matter is in dispute with the RIR and that their customer (the 
assignee) is in the process of resolving the issue. We have to allow them time 
to accomplish this. I've asked for additional information to help us understand 
the nature of the dispute. In that time we received another request to stop 
announcing the prefix(s) in addition to a new set of prefixes, and a threat to 
contact our upstream providers as well as ARIN - which is not the RIR the 
disputed resources are allocated to.

This is a new(er) customer, so there is some merit to dropping the prefix and 
letting them sort it out based on the current RIR contact(s). However, there is 
obvious concern over customer service and dropping such a large block of IPs. 

I'm definitely leaning toward "let the customer (or customer's customer) and 
the RIR sort it out" if the POC validates the request weighed responsibly 
against customer age. However, from a customer service perspective, I think we 
owe it to our customers to make sure a request is legitimate before we knock 
them offline. With a limited toolset to validate that information, I can't help 
but feel conflicted.

I appreciate all the feedback this thread has generated so far!

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Naslund, Steve
Sent: Tuesday, March 13, 2018 8:27 AM
To: nanog@nanog.org
Subject: RE: Proof of ownership; when someone demands you remove a prefix

Yes, absolutely go with the RIR.  Only thing I might adjust is whether I let 
the customer launch a dispute with the RIR before or after I make the change 
and to me that would depend on the preponderance of the evidence either way.  I 
might give the long term customer the reasonable doubt.  A new customer with a 
new advertisement not so much.  Talk to your legal people of course but I would 
think if the RIR could verify a dispute in progress, you are covered until the 
dispute is resolved.  Seems legally reasonable to me and shows due diligence on 
your part without you getting in the middle.

Steven Naslund
Chicago IL

>Hi Sean,
>
>There is a definitive technical means. It's called contact the POC published 
>in WHOIS by the RIR and ask. It isn't flawless and you don't have to like it, 
>but there it is.
>
>If you contacted the POC and the POC replied stop, you stop. If the POC was 
>hijacked at the RIR, that's between your customer and the RIR.
>The RIR has a standard process and an expert team for dealing with these 
>situations. It's their job.
>
>Regards,
>Bill Herrin





Re: IPv4 smaller than /24 leasing?

2018-03-13 Thread William Herrin
On Tue, Mar 13, 2018 at 1:19 PM, Justin Wilson  wrote:
> I agree that the global routing table is pretty bloated as is.  But what kind 
> of a solution for providers who need to participate in BGP but only need a 
> /25?

Hi Justin,

If you need a /25 and BGP for multihoming or anycasting, get a /24.
The cost you impose on the system by using BGP *at all* is much higher
than the cost you impose on the system by consuming less than 250
"unneeded" IP addresses.

I did a cost analysis on a BGP announcement a decade or so ago. The
exact numbers have changed but the bottom line hasn't: it's
ridiculously consumptive.

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


Re: Websurfing trouble to .gov and .il.us

2018-03-13 Thread William Herrin
On Mon, Mar 12, 2018 at 1:44 PM, Sam Kretchmer  wrote:
> We have several clients complaining of an inability to hit a couple specific 
> government websites,

Hi Sam,

Some basic troubleshooting:

1. traceroute? TCP traceroute?

2. From an affected address, do you get a TCP connect to the site or
not? e.g. "telnet tierii.iema.state.il.us 80"

Regards,
Bill Herrin



-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 

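Bill's second step, a TCP connect from one of the affected addresses, is the quickest way to separate "no handshake at all" from "handshake completes but the page never renders". The script below is an added example, not code from the thread; it goes one step further than `telnet host 80` by binding the socket to a chosen source address, so you can try several of your own addresses from one host without renumbering the customer. It assumes the addresses you pass in are configured on the machine running it (the `bind()` fails otherwise). The `edge_addresses()` helper picks out the .0, .255 and .254 addresses in a block, which another reply in this thread flags as the ones broken filtering devices mishandle, and `local_selftest()` is a constructed offline check against a loopback listener.

```python
"""Source-bound TCP connect test for 'only some of our addresses can reach
site X' problems.

Added example, not code from the thread.  Assumes the source addresses
given to tcp_connect_from() are configured on this host.
"""
import ipaddress
import socket


def tcp_connect_from(source_ip, host, port, timeout=5.0):
    """Attempt a TCP handshake to host:port with the socket bound to source_ip.

    Returns (True, "") when the handshake completes, or (False, reason) where
    reason is the OS error text: refused, timed out, unreachable, or a bind
    failure when source_ip is not configured locally.  No data is sent."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.bind((source_ip, 0))
            s.connect((host, port))
            return True, ""
    except OSError as exc:
        return False, exc.strerror or str(exc)


def edge_addresses(block):
    """Addresses in block whose last octet is .0, .254 or .255.

    Probe these separately from an ordinary address in the same /24: a
    firewall or transparent proxy that chokes on them will show a split
    result that a single test address would miss."""
    net = ipaddress.ip_network(block, strict=False)
    return [str(a) for a in net if int(a) & 0xFF in (0, 254, 255)]


def probe_matrix(sources, host, port, timeout=5.0):
    """Try every source address against host:port; returns {source: (ok, reason)}.

    Compare the failing set with the customer's complaint: if every source
    completes the handshake, the problem is above layer 4 (redirect loop,
    proxy), not reachability."""
    return {src: tcp_connect_from(src, host, port, timeout) for src in sources}


def local_selftest():
    """Constructed offline check: one listening port and one closed port on
    127.0.0.1.  Returns (ok_open, ok_closed); expected (True, False)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    ok_open, _ = tcp_connect_from("127.0.0.1", "127.0.0.1", port, timeout=2.0)
    listener.close()
    # Nothing listens on that port any more, so this one must be refused.
    ok_closed, _ = tcp_connect_from("127.0.0.1", "127.0.0.1", port, timeout=2.0)
    return ok_open, ok_closed


if __name__ == "__main__":
    print("loopback self-test:", local_selftest())
    # Real run (needs the addresses configured locally), e.g.:
    #   probe_matrix(["213.159.132.10"] + edge_addresses("213.159.132.0/24"),
    #                "tierii.iema.state.il.us", 80)
```

If the handshake succeeds from the affected addresses but the browser still loops between "loading" and "connecting", the next thing to capture is the HTTP exchange itself (Stephen's Wireshark suggestion), since a redirect loop or a proxy closing the connection after the handshake looks identical from layer 3.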

Re: IPv4 smaller than /24 leasing?

2018-03-13 Thread Justin Wilson
On the consulting side, I do smaller than /24 blocks to customers over tunnels. 
So far this is the only option we have found that works for the smaller ISP. 
We all know the routing table is bloated. We all know everyone *should* be 
moving toward IPV6.  A whole different discussion.  But, for now you have a 
subset of operators that are big enough to do BGP, maybe join an exchange, but 
not big enough to afford buying v4 space for each of their customers.  So they 
are utilizing a full /24 just to utilize it.  Things such as doing 1:many nat 
at each tower, doing Carrier Grade nat, and other things make it where they 
don’t necessarily need an IP per customer.  We all know that is ideal, but it’s 
not practical for the small to medium ISP.   Folks have brought up the argument 
that buying IPs is just the cost of doing business these days.  I argue that it 
isn’t.  I see networks with 2000 users and only a /24 running along very happy. 

I agree that the global routing table is pretty bloated as is.  But what kind 
of a solution for providers who need to participate in BGP but only need a /25? 
I can’t see going below that.


Justin Wilson
j...@mtin.net

www.mtin.net
www.midwest-ix.com

> On Mar 13, 2018, at 10:56 AM, Naslund, Steve  wrote:
> 
> 
> Yes, exactly right.  You would probably have to tunnel the /27 back to where 
> the /24 lives.  That's the only way I can see of it working "anywhere".  
> That's a technically valid solution but maybe not so hot if you are looking 
> for high redundancy/availability since you are dependent on the tunnel being 
> up and working.
> 
> As always the reputation of the aggregate is going to be critical as to how 
> well this works for you.  It seems to me that increasingly these "portable" 
> blocks have murky histories as spam and malware sources.  I would rather have 
> a block assigned by a reputable upstream provider than to do this.
> 
> Steven Naslund
> Chicago IL
> 
>> On 2018-01-04 20:16, Job Snijders wrote:
>>> On Thu, 4 Jan 2018 at 20:13, Filip Hruska  wrote:
>>> 
>>>> I have stumbled upon this site [1] which seems to offer /27 IPv4 
>>>> leasing.
>>>> They also claim "All of our IPv4 address space can be used on any 
>>>> network in any location."
>>>> 
>>>> I thought that the smallest prefix size one could get routed 
>>>> globally is /24?
>>> 
>>> 
>>> Yes
>>> 
>>>> So how does this work?
>>>> 
>>> Probably with GRE, IPIP or OpenVPN tunnels.
>>> 
>>> Kind regards,
>>> 
>>> Job
>> 
>> IPv4 /24 is commonly the minimal chunk advertised to (and accepted by)
>> neighbors. If I run a global (or regional) network, I may advertise this
>> /24 -- or rather an aggregate covering it -- over my diverse
>> interconnection with neighbors, your /27 being part of the chunk and
>> routed to you internally (if you're a customer)-- no need for
>> encapsulation efforts. Similar scenario may be multi-upstream, subject
>> to acceptance of "punching holes in aggregates"... Am I missing
>> something? What's the trigger for doing tunneling here?
>> 
>> Happy New Year '18, by the way !
>> 
>> mh
>> 
> 
> 



Re: Spiffy Netflow tools?

2018-03-13 Thread Stefan
Not necessarily (only) for *flow, but very nice combo: Luca Deri's
ntopng+nprobe (https://www.ntop.org/products/traffic-analysis/ntop/)

***Stefan

On Mon, Mar 12, 2018, 6:26 PM  wrote:

> Howdy!
>
> Checking out various Netflow tools and wanted to see what others are using?
>
> Kentik is cool. Are they the only SaaS based flow digester? I don’t seem
> to see any others.
>
> Also curious about on-prem solutions as well.
>
> Thanks!
> Mike


RE: IPv4 smaller than /24 leasing?

2018-03-13 Thread Bob Evans
Agreed, Reputation is everything. It is why we only work with well known
Legacy IPv4 space at this time (hence, use anywhere statement). Our space
rents for about 4x other space found on other sites. We don't do the
volume business of our competitors. Those businesses with questionable
address space will always be around as there are always customers for
fast, cheap, without the good reputation. Most customers for that fast
cheap space have no clue how to verify space until a problem arises. After
the fact, they usually end up in trouble, spending much more money to not
only educate themselves but also on the labor involved in re-numbering.

About your second point  - "would rather have a block assigned by a
reputable upstream provider" - I agree, if it was for say a real estate
office access, one could simply ask everyone to wait it out or send
everyone home and ask them to use their DSL or cable operator when it's
broke.

We rent out /24s (and up) because some upstreams won't provide a full /24
and some of those networks send those customers to us. Due to the limited
IPv4 availability, many no longer entertain portability for their assigned
space. Multi-homing becomes an issue of labor and they don't want to deal
with it with their assigned space. With one ASN announcing your space, it
means you're down when they have maintenance or limited reach when they have
other routing issues. Today, it makes sense to go with quality wholesale
IPv4 space from a 3rd party. You can look at the IPs as an R.O.I
opportunity as customers understand supply-demand and will pay 10x for
space they need. It more than pays for itself in network reliability and
labor saved. For those that don't need multi-home today, it's wise to
consider expansion down the road and have already planned tomorrow's
improved network ability to multi-home. As the cost later to re-number to
multi-home. Or worse, discover you need to re-number because that network
that provided you the space called it back to give to a bigger customer or
won't let you announce it on other networks they specify where your cost
for bandwidth would be lower.

So, there are many reasons to obtain clean independent space - but most
are related to future expansion abilities and future flexibility.

"There is a market somewhere for just about anything."

Hope this info helps,

Thank You
Bob Evans
CTO




>
> Yes, exactly right.  You would probably have to tunnel the /27 back to
> where the /24 lives.  That's the only way I can see of it working
> "anywhere".  That's a technically valid solution but maybe not so hot if
> you are looking for high redundancy/availability since you are dependent
> on the tunnel being up and working.
>
> As always the reputation of the aggregate is going to be critical as to
> how well this works for you.  It seems to me that increasingly these
> "portable" blocks have murky histories as spam and malware sources.  I
> would rather have a block assigned by a reputable upstream provider than
> to do this.
>
> Steven Naslund
> Chicago IL
>
>> On 2018-01-04 20:16, Job Snijders wrote:
>>> On Thu, 4 Jan 2018 at 20:13, Filip Hruska  wrote:
>>>
>>>> I have stumbled upon this site [1] which seems to offer /27 IPv4
>>>> leasing.
>>>> They also claim "All of our IPv4 address space can be used on any
>>>> network in any location."
>>>>
>>>> I thought that the smallest prefix size one could get routed
>>>> globally is /24?
>>>
>>>
>>> Yes
>>>
>>>> So how does this work?
>>>>
>>> Probably with GRE, IPIP or OpenVPN tunnels.
>>>
>>> Kind regards,
>>>
>>> Job
>>
>> IPv4 /24 is commonly the minimal chunk advertised to (and accepted by)
>> neighbors. If I run a global (or regional) network, I may advertise this
>> /24 -- or rather an aggregate covering it -- over my diverse
>> interconnection with neighbors, your /27 being part of the chunk and
>> routed to you internally (if you're a customer)-- no need for
>> encapsulation efforts. Similar scenario may be multi-upstream, subject
>> to acceptance of "punching holes in aggregates"... Am I missing
>> something? What's the trigger for doing tunneling here?
>>
>> Happy New Year '18, by the way !
>>
>> mh
>>
>
>
>




RE: Spiffy Netflow tools?

2018-03-13 Thread Luke Guillory
There is also https://github.com/robcowart/elastiflow which uses the ELK stack.





Luke Guillory
Vice President – Technology and Innovation

Tel:985.536.1212
Fax:985.536.0300
Email:  lguill...@reservetele.com

Reserve Telecommunications
100 RTC Dr
Reserve, LA 70084


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Hugo Slabbert
Sent: Tuesday, March 13, 2018 10:44 AM
To: Fredrik Korsbäck
Cc: nanog@nanog.org
Subject: Re: Spiffy Netflow tools?


On Tue 2018-Mar-13 00:50:26 +0100, Fredrik Korsbäck  wrote:
>
>Kentik is probably top of the foodchain right now.
>
>But they are certainly not alone in the biz. Ontop of my head...
>
>* Flowmon
>* Talaia
>* Arbor Peakflow
>* Deepfield
>* Pmacct + supporting toolkit
>* NFsen/Nfdump/AS-stats
>* Put kibana/ES infront of any collector

Logstash has a netflow plugin as of 5.x or something
(https://www.elastic.co/guide/en/logstash/current/netflow-module.html) to act 
as a collector.

A walkthrough:
http://www.routereflector.com/2017/07/elk-as-a-free-netflow-ipfix-collector-and-visualizer/

Using the logstash module setup thing adds a whole bunch of pretty netflow 
graphs and visualizations and such into Kibana for you.

Caveat:
Supports netflow v5 and v9, but does not indicate support for IPFIX explicitly. 
 It definitely does not support sFlow, though if you really want you can stick 
sflowtool in front of it to translate sFlow->netflow, e.g. 
http://blog.sflow.com/2011/12/sflowtool.html.

>* Solarwinds something something
>* Different vendor toolkits
>
>--
>hugge

--
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal


Re: Spiffy Netflow tools?

2018-03-13 Thread Babak Farrokhi

Plixer is also interesting.

nfdump works great with NetFlow but support for IPFIX is somehow limited 
to basics.



--
Babak


On 13 Mar 2018, at 3:20, Fredrik Korsbäck wrote:

> On 2018-03-13 00:24, mike.l...@gmail.com wrote:
>
>> Howdy!
>>
>> Checking out various Netflow tools and wanted to see what others are 
>> using?
>>
>> Kentik is cool. Are they the only SaaS based flow digester? I don’t 
>> seem to see any others.
>>
>> Also curious about on-prem solutions as well.
>>
>> Thanks!
>> Mike
>
> Kentik is probably top of the foodchain right now.
>
> But they are certainly not alone in the biz. Ontop of my head...
>
> * Flowmon
> * Talaia
> * Arbor Peakflow
> * Deepfield
> * Pmacct + supporting toolkit
> * NFsen/Nfdump/AS-stats
> * Put kibana/ES infront of any collector
> * Solarwinds something something
> * Different vendor toolkits
>
> --
> hugge


Websurfing trouble to .gov and .il.us

2018-03-13 Thread Sam Kretchmer
Nanog,

I am part of a small ISP based in Chicago. We have several clients complaining 
of an inability to hit a couple specific government websites, specifically 
http://tierii.iema.state.il.us/TIER2MANAGER/Account/Login.aspx and 
https://www.deadiversion.usdoj.gov/. It does seem to be related to the IP's 
they use, specifically parts of 213.159.132/22. They can surf any other site we 
can think of, do email, IPSec tunnels, anything apparently but surf these 
sites. The listed sites show "loading" then "connecting" then back to "loading" 
and so on. I have checked all the blacklist sites I can get out of google. and 
they all show all green. I am at a loss as to what else might be contributing 
to the issue. Is there anyone on list here from either of those sites who might 
be able to help who can hit me off list, or anyone at all who might have some 
advice? It would be appreciated. All I need to do is to assign different IP's 
to the client and it works fine (hopefully eliminating Layer 1 and Layer 2, 
i.e. routers, circuits, etc..) My apologies if this is not the correct forum 
for this kind of question.

Thanks

Sam



Re: Spiffy Netflow tools?

2018-03-13 Thread Hugo Slabbert


On Tue 2018-Mar-13 00:50:26 +0100, Fredrik Korsbäck  wrote:

> Kentik is probably top of the foodchain right now.
>
> But they are certainly not alone in the biz. Ontop of my head...
>
> * Flowmon
> * Talaia
> * Arbor Peakflow
> * Deepfield
> * Pmacct + supporting toolkit
> * NFsen/Nfdump/AS-stats
> * Put kibana/ES infront of any collector

Logstash has a netflow plugin as of 5.x or something 
(https://www.elastic.co/guide/en/logstash/current/netflow-module.html) to 
act as a collector.

A walkthrough:
http://www.routereflector.com/2017/07/elk-as-a-free-netflow-ipfix-collector-and-visualizer/

Using the logstash module setup thing adds a whole bunch of pretty netflow 
graphs and visualizations and such into Kibana for you.

Caveat:
Supports netflow v5 and v9, but does not indicate support for IPFIX 
explicitly.  It definitely does not support sFlow, though if you really 
want you can stick sflowtool in front of it to translate sFlow->netflow, 
e.g. http://blog.sflow.com/2011/12/sflowtool.html.

> * Solarwinds something something
> * Different vendor toolkits
>
> --
> hugge


--
Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
pgp key: B178313E   | also on Signal



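Every collector in this thread (Logstash's netflow module, nfdump, pmacct, the SaaS products) starts by decoding the same thing: UDP datagrams in the exporter's flow format. Hugo's caveat that the Logstash module handles v5 and v9 but not sFlow is about exactly this decode layer. The script below is an added example, not code from the thread or from any tool named in it: a NetFlow v5 decoder (24-byte header, 48-byte fixed records) with two of the checks a collector runs over what it receives, bytes per destination service and flows whose source address is outside a prefix you own. The datagram it decodes is built from constructed flow tuples for documentation prefixes so that it runs offline; a real run would read datagrams from a UDP socket on the collector port instead.

```python
"""NetFlow v5 datagram decoder with two collector-side summaries.

Added example, not code from the thread or any tool it names.  The
datagram is built from constructed flows (documentation prefixes) so it
runs offline; the field layout follows the NetFlow v5 export format.
"""
import ipaddress
import socket
import struct
from collections import defaultdict

HEADER = struct.Struct("!HHIIIIBBH")                 # 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")   # 48 bytes
RECORD_FIELDS = ("src", "dst", "nexthop", "input_if", "output_if", "packets",
                 "octets", "first", "last", "sport", "dport", "_pad1",
                 "tcp_flags", "proto", "tos", "src_as", "dst_as",
                 "src_mask", "dst_mask", "_pad2")

# Constructed sample flows: (src, dst, proto, sport, dport, packets, octets).
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 6, 50000, 443, 10, 8000),
    ("192.0.2.11", "198.51.100.5", 6, 50001, 443, 5, 3000),
    ("203.0.113.9", "198.51.100.7", 17, 53, 53, 1, 120),
]


def build_v5_datagram(flows, sys_uptime=60_000, unix_secs=1_520_985_600, sequence=0):
    """Pack flow tuples into a v5 export, standing in for what a router sends.
    Interface indexes, AS numbers and masks are fixed placeholder values."""
    header = HEADER.pack(5, len(flows), sys_uptime, unix_secs, 0, sequence, 0, 0, 0)
    body = b"".join(
        RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), socket.inet_aton("0.0.0.0"),
                    1, 2, packets, octets, sys_uptime - 500, sys_uptime,
                    sport, dport, 0, 0x18, proto, 0, 64496, 64497, 24, 24, 0)
        for src, dst, proto, sport, dport, packets, octets in flows)
    return header + body


def decode_v5(datagram):
    """Decode one v5 datagram into {'sequence', 'sampling_interval', 'flows'}.

    Rejects non-v5 versions and datagrams shorter than the header's record
    count implies, rather than silently decoding garbage trailing bytes."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a NetFlow v5 header")
    version, count, _uptime, _secs, _nsecs, seq, _etype, _eid, sampling = HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    needed = HEADER.size + count * RECORD.size
    if len(datagram) < needed:
        raise ValueError(f"truncated datagram: {count} records need {needed} bytes, got {len(datagram)}")
    flows = []
    for i in range(count):
        raw = dict(zip(RECORD_FIELDS, RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)))
        for key in ("src", "dst", "nexthop"):
            raw[key] = socket.inet_ntoa(raw[key])
        flows.append({k: v for k, v in raw.items() if not k.startswith("_")})
    # Low 14 bits of the sampling field hold the interval; top 2 bits the mode.
    return {"sequence": seq, "sampling_interval": sampling & 0x3FFF, "flows": flows}


def decode_error(datagram):
    """Return the decoder's error text, or "" if the datagram decodes cleanly."""
    try:
        decode_v5(datagram)
        return ""
    except ValueError as exc:
        return str(exc)


def octets_by_service(flows):
    """Bytes per (proto, dport): the 'top services' view every dashboard shows."""
    totals = defaultdict(int)
    for f in flows:
        totals[(f["proto"], f["dport"])] += f["octets"]
    return dict(totals)


def sources_outside(flows, own_prefix):
    """Source addresses not inside own_prefix.  On an egress export this is
    traffic leaving with a source you do not hold (a BCP38 sanity check)."""
    net = ipaddress.ip_network(own_prefix, strict=False)
    return sorted({f["src"] for f in flows if ipaddress.ip_address(f["src"]) not in net})


if __name__ == "__main__":
    decoded = decode_v5(build_v5_datagram(SAMPLE_FLOWS, sequence=42))
    print("sequence", decoded["sequence"], "flows", len(decoded["flows"]))
    print("bytes by service", octets_by_service(decoded["flows"]))
    print("sources outside 192.0.2.0/24", sources_outside(decoded["flows"], "192.0.2.0/24"))
```

The sequence number in the header is worth keeping as well: gaps between consecutive datagrams from one exporter mean the collector dropped exports, which shows up as traffic that "disappears" from graphs rather than as an error.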

RE: Spiffy Netflow tools?

2018-03-13 Thread Loiacono, Joe
FlowViewer is a robust user interface complement to Carnegie Mellon's SiLK 
netflow capture and analysis tool suite.

FlowViewer provides the user with text/graphical analysis tools, multiple 
dashboards, long-term tracking of filtered sets, automatic storage management, 
raw netflow packet analysis, etc..

All open-source. Easy install. Runs on Linux.

FlowViewer:  https://sourceforge.net/projects/flowviewer/
SiLK: https://tools.netsa.cert.org/silk/

 Joe Loiacono

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of mike.l...@gmail.com
Sent: Monday, March 12, 2018 7:25 PM
To: NANOG list 
Subject: Spiffy Netflow tools?

Howdy!

Checking out various Netflow tools and wanted to see what others are using?

Kentik is cool. Are they the only SaaS based flow digester? I don’t seem to see 
any others.

Also curious about on-prem solutions as well.

Thanks!
Mike




RE: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Naslund, Steve
Yes, absolutely go with the RIR.  Only thing I might adjust is whether I let 
the customer launch a dispute with the RIR before or after I make the change 
and to me that would depend on the preponderance of the evidence either way.  I 
might give the long term customer the reasonable doubt.  A new customer with a 
new advertisement not so much.  Talk to your legal people of course but I would 
think if the RIR could verify a dispute in progress, you are covered until the 
dispute is resolved.  Seems legally reasonable to me and shows due diligence on 
your part without you getting in the middle.

Steven Naslund
Chicago IL

>Hi Sean,
>
>There is a definitive technical means. It's called contact the POC published 
>in WHOIS by the RIR and ask. It isn't flawless and you don't have to like it, 
>but there it is.
>
>If you contacted the POC and the POC replied stop, you stop. If the POC was 
>hijacked at the RIR, that's between your customer and the RIR.
>The RIR has a standard process and an expert team for dealing with these 
>situations. It's their job.
>
>Regards,
>Bill Herrin




RE: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Naslund, Steve
Biggest problems we had as a service provider is that the block is registered 
to a corporate entity which is then acquired or dissolves and then you have to 
figure out who actually has control.  We always tried to push the dispute 
process to go between the customer and the RIR when this happens.  It takes too 
many legal resources to get involved in figuring out who owns what during an 
acquisition or dissolution.  Often this particular resource does not get 
called out specifically and can be a problem.  Sometimes they get treated like 
corporate intellectual property and sometimes they get treated more like a 
utility.  It’s a legal nightmare to get in the middle of it.  I have had cases 
where it was so complex we forced one of the parties to get a court order one 
way or another.

Steven Naslund
Chicago IL

> it's a real shame there is no authoritative cryptographically verifiable 
> attestation of address ownership.
>


Re: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread William Herrin
On Tue, Mar 13, 2018 at 10:23 AM, Sean Pedersen
 wrote:
> In this case we defaulted to trusting our customer and their LOA over a 
> stranger on the Internet and asked our customer to review the request. 
> Unfortunately, that doesn't necessarily mean a stranger on the Internet isn't 
> the actual assignee. A means to definitively prove "ownership" from a 
> technical angle would be great.

Hi Sean,

There is a definitive technical means. It's called contact the POC
published in WHOIS by the RIR and ask. It isn't flawless and you don't
have to like it, but there it is.

If you contacted the POC and the POC replied stop, you stop. If the
POC was hijacked at the RIR, that's between your customer and the RIR.
The RIR has a standard process and an expert team for dealing with
these situations. It's their job.

Regards,
Bill Herrin


-- 
William Herrin  her...@dirtside.com  b...@herrin.us
Dirtside Systems . Web: 


RE: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Naslund, Steve
I would insist that this customer get with the RIR and resolve ownership of the 
account and prove that they did so.  I would leave the burden on the RIR to 
figure out who is the rightful owner and not make any changes until that is 
done.

Do you have a record of what the RIR account contact was when you began 
announcing the block?  The fact that the requester has the RIR account and the 
email of the account contact makes me wonder if your customer did not renew 
with the RIR or something else that caused them to lose ownership of the net 
block.  I could see this happen during an acquisition or change of ownership of 
a company or entity.  I would give the customer a short period of time to open 
a dispute with the RIR and then hold the changes until the RIR makes a 
determination.  I think that protects you from a legal perspective more than 
deciding on your own.  Of course, keep a good record of all communications on 
this subject especially with the RIR, this could get ugly.

Steven Naslund
Chicago IL

>-Original Message-
>From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Sean Pedersen
>Sent: Tuesday, March 13, 2018 9:23 AM
>To: nanog@nanog.org
>Subject: RE: Proof of ownership; when someone demands you remove a prefix
>
>In this case we defaulted to trusting our customer and their LOA over a 
>stranger on the Internet and asked our customer to review the request. 
>Unfortunately, that doesn't necessarily mean a stranger on the Internet isn't 
>the actual assignee. A means to definitively prove "ownership" from a 
>technical angle would be great.
>
>In the example provided in my original e-mail, it appears that an IP broker or 
>related scammer gained access to the assignee's RIR account and made some 
>object updates (e-mail, country, etc.) that they could use to "prove" they had 
>authority to make the request. I assume their offer of proof would have been 
>to send us an email from the dubious @yahoo.com account they had listed as the 
>admin contact. 
>
>I agree with a private response that I received that at some point lawyers 
>probably need to take over if a technical solution to verification is not 
>reached. 
>
>I'm not terribly current on resource certification, but would RPKI play a role 
>here? It looks like its application is limited to authenticating the 
>announcement of resources to prevent route hijacking. If you've authorized a 
>3rd party to announce your routes, could you assign a certificate to that 3rd 
>party for a specific resource and then revoke it if they are no longer 
>authorized? Would it matter if someone gains access to your RIR/LIR account 
>and revokes the certificate? This would assume protocol compatibility, that 
>everyone is using it, etc. 



Re: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Dovid Bender
Finally a use for block chain :p


On Mon, Mar 12, 2018 at 7:11 PM, Randy Bush  wrote:

> it's a real shame there is no authoritative cryptographically verifiable
> attestation of address ownership.
>


RE: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Naslund, Steve
Another thing that would affect me as a service provider would be the account 
history.  I would probably be more skeptical if this was a long term customer 
who has been announcing this prefix for a long period of time vs a new customer 
that just began announcing it.

i.e.  If I just began announcing it and there is an ownership dispute right 
away, I might suspect my new customer misappropriated the block.  If he had 
been announcing it for years and now someone wants it taken down, that is a 
higher burden of proof for me.  As always bottom line is who has the block 
registered with the RIR is the final authority.

Steven Naslund
Chicago IL


On Mon, Mar 12, 2018 at 11:46:31AM -0700, Sean Pedersen wrote:
> We recently received a demand to stop announcing a "fraudulent" 
> prefix. Is there an industry best practice when handling these kind of 
> requests? Do you have personal or company-specific preferences or 
> requirements? To the best of my knowledge, we've rarely, if ever, 
> received such a request. This is relatively new territory.
 


RE: IPv4 smaller than /24 leasing?

2018-03-13 Thread Naslund, Steve

Yes, exactly right.  You would probably have to tunnel the /27 back to where 
the /24 lives.  That's the only way I can see of it working "anywhere".  
That's a technically valid solution but maybe not so hot if you are looking for 
high redundancy/availability since you are dependent on the tunnel being up and 
working.

As always the reputation of the aggregate is going to be critical as to how 
well this works for you.  It seems to me that increasingly these "portable" 
blocks have murky histories as spam and malware sources.  I would rather have a 
block assigned by a reputable upstream provider than to do this.

Steven Naslund
Chicago IL

> Le 2018-01-04 20:16, Job Snijders a écrit :
>> On Thu, 4 Jan 2018 at 20:13, Filip Hruska  wrote:
>>
>>> I have stumbled upon this site [1] which seems to offer /27 IPv4 
>>> leasing.
>>> They also claim "All of our IPv4 address space can be used on any 
>>> network in any location."
>>>
>>> I thought that the smallest prefix size one could get routed 
>>> globally is /24?
>>
>>
>> Yes
>>
>> So how does this work?
>>>
>> Probably with GRE, IPIP or OpenVPN tunnels.
>>
>> Kind regards,
>>
>> Job
>
> IPv4 /24 is commonly the minimal chunk advertised to (and accepted by)
> neighbors. If I run a global (or regional) network, I may advertise this
> /24 -- or rather an aggregate covering it -- over my diverse
> interconnection with neighbors, your /27 being part of the chunk and
> routed to you internally (if you're va customer)-- no need for
> encapsulation efforts. Similar scenario may be multi-upstream, subject
> to acceptance of "punching holes in aggregates"... Am I missing
> something? What's the trigger for doing tunneling here?
>
> Happy New Year '18, by the way !
>
> mh
>




Re: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Joe Provo
On Mon, Mar 12, 2018 at 11:46:31AM -0700, Sean Pedersen wrote:
> We recently received a demand to stop announcing a "fraudulent" prefix. Is
> there an industry best practice when handling these kind of requests? Do you
> have personal or company-specific preferences or requirements? To the best
> of my knowledge, we've rarely, if ever, received such a request. This is
> relatively new territory.
 
Best practice is for the prefix-user to have correct data of 
subdelegation in the correct RIR. LOA letters have been forged
since well before runout, in the days when they were faxed. 
Issues with potential RIR hacks should be taken straight to 
that RIR; those have also been unfortunately common. These 
days, ROAs would be nice to see for anyone up-to-date on methods.  
At the very least, the low bar of IRR data should be present.

If there's only a private letter between two parties, no one 
a few hops away can validate that, so the user of the space 
flatly should expect poor propagation.  If there's no data
published that a remote party can use, there should be zero
expectation any remote party will accept the prefix on that
path.

IME this is pretty old territory, and should be part of any 
providers' M for handling PI space.

Cheers,

Joe

-- 
Posted from my personal account - see X-Disclaimer header.
Joe Provo / Gweep / Earthling 


Re: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Jimmy Hess
On Tue, Mar 13, 2018 at 9:23 AM, Sean Pedersen
 wrote:

> In this case we defaulted to trusting our customer and their LOA over a 
> stranger on the
> Internet and asked our customer to review the request. Unfortunately, that 
> doesn't
> necessarily mean a stranger on the Internet isn't the actual assignee.  
> [..]

I believe the suggested process would be: submit the stranger's request to 
the administrative & technical contacts listed for the organization and IP 
resource in public WHOIS at the time the request is received, and in order to 
confirm:

Request whether their organization approves that the announcements must be 
withdrawn, and if so: that they also submit to you a signed official form to 
either revise, rescind, or repudiate the existing LOA provided by that WHOIS 
contact.

Then reply to the "stranger" that official documentation is required to cancel 
the announcement, and you are unable to verify you have the right to make the 
request, and you will forward their message to the IP Address registry and 
officially listed WHOIS and customer technical contacts who must approve of the 
request, before any further actions can be taken.

--
-JH


Re: IPv4 smaller than /24 leasing?

2018-03-13 Thread Bob Evans
That site you quoted looks like text that I created. For CloudIPv4.com
(part of RentIPv4.com).

To peer most networks require assigned IPv4 space. Most networks do not
want to burn a /24 to peer.  The local peering routers will propagate a
/25... /30.. etc. from the peering platform to the rest of their own
network's routers but usually never beyond - keeps it internal within the
network's own BGP sessions.

However,  you can not expect the /25.. /30 to be propagated beyond the
network you have a BGP session with - I.E. transits will filter the
subnets /25.../30.  I have seen an exception locally or regionally where it
was agreed to propagate outside the network.


Thank You
Bob Evans
CTO




> Le 2018-01-04 20:16, Job Snijders a écrit :
>> On Thu, 4 Jan 2018 at 20:13, Filip Hruska  wrote:
>>
>>> I have stumbled upon this site [1] which seems to offer /27 IPv4
>>> leasing.
>>> They also claim "All of our IPv4 address space can be used on any
>>> network
>>> in any location."
>>>
>>> I thought that the smallest prefix size one could get routed globally
>>> is
>>> /24?
>>
>>
>> Yes
>>
>> So how does this work?
>>>
>> Probably with GRE, IPIP or OpenVPN tunnels.
>>
>> Kind regards,
>>
>> Job
>
> IPv4 /24 is commonly the minimal chunk advertised to (and accepted by)
> neighbors. If I run a global (or regional) network, I may advertise this
> /24 -- or rather an aggregate covering it -- over my diverse
> interconnection with neighbors, your /27 being part of the chunk and
> routed to you internally (if you're a customer)-- no need for
> encapsulation efforts. Similar scenario may be multi-upstream, subject
> to acceptance of "punching holes in aggregates"... Am I missing
> something? What's the trigger for doing tunneling here?
>
> Happy New Year '18, by the way !
>
> mh
>




RE: Proof of ownership; when someone demands you remove a prefix

2018-03-13 Thread Sean Pedersen
In this case we defaulted to trusting our customer and their LOA over a 
stranger on the Internet and asked our customer to review the request. 
Unfortunately, that doesn't necessarily mean a stranger on the Internet isn't 
the actual assignee. A means to definitively prove "ownership" from a technical 
angle would be great.

In the example provided in my original e-mail, it appears that an IP broker or 
related scammer gained access to the assignee's RIR account and made some 
object updates (e-mail, country, etc.) that they could use to "prove" they had 
authority to make the request. I assume their offer of proof would have been to 
send us an email from the dubious @yahoo.com account they had listed as the 
admin contact. 

I agree with a private response that I received that at some point lawyers 
probably need to take over if a technical solution to verification is not 
reached. 

I'm not terribly current on resource certification, but would RPKI play a role 
here? It looks like its application is limited to authenticating the 
announcement of resources to prevent route hijacking. If you've authorized a 
3rd party to announce your routes, could you assign a certificate to that 3rd 
party for a specific resource and then revoke it if they are no longer 
authorized? Would it matter if someone gains access to your RIR/LIR account and 
revokes the certificate? This would assume protocol compatibility, that 
everyone is using it, etc. 

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Jason Hellenthal
Sent: Monday, March 12, 2018 6:40 PM
To: George William Herbert 
Cc: nanog@nanog.org
Subject: Re: Proof of ownership; when someone demands you remove a prefix

How about signed ownership ? (https://keybase.io) if you are able to update the 
record … and it is able to be signed then shouldn’t that be proof enough of 
ownership of the ASN ?

If you can update a forward DNS record then you can have the reverse record 
updated in the same sort of fashion and signed by a third party to provide 
first party of authoritative ownership… Assuming you have an assigned ASN and 
the admin has taken the time to let alone understand the concept and properly 
prove the identity in the first place… (EV cert ?)


Just a light opinion from … https://jhackenthal.keybase.pub

Trust is a big issue these days and validation even worse given SSL trust.

-- 

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.





> On Mar 12, 2018, at 21:20, George William Herbert  
> wrote:
> 
> Ownership?...
> 
> (Duck)
> 
> -george 
> 
> Sent from my iPhone
> 
>> On Mar 12, 2018, at 4:11 PM, Randy Bush  wrote:
>> 
>> it's a real shame there is no authoritative cryptographically verifiable
>> attestation of address ownership.
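Sean asks above whether RPKI would play a role here, and Joe Provo mentions ROAs earlier in the thread. The block below is an added worked example, not code posted by anyone in this thread: it implements RFC 6811 Route Origin Validation over a constructed set of ROAs so the limits of what RPKI answers are visible. The ROAs and announcements are made-up sample data using documentation prefixes (203.0.113.0/24, 198.51.100.0/24, 2001:db8::/32) and private-use ASNs (AS64496, AS64511); nothing here queries a real registry or routing table.

```python
"""Route Origin Validation (RFC 6811) over a constructed set of ROAs.

Added example, not code from the thread. ROAs and announcements below use
documentation prefixes (RFC 5737 / RFC 3849) and private-use ASNs (RFC 6996);
they are constructed sample data, not real registry contents.
"""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, List, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


class ROV(Enum):
    VALID = "valid"
    INVALID = "invalid"
    NOT_FOUND = "not-found"


@dataclass(frozen=True)
class ROA:
    prefix: IPNetwork   # the covering prefix named in the ROA
    max_length: int     # longest announcement the ROA authorises
    origin_asn: int     # the one AS allowed to originate it (0 = nobody)


def make_roa(prefix: str, origin_asn: int, max_length: Optional[int] = None) -> ROA:
    """Build a ROA; maxLength defaults to the prefix length and must stay in range."""
    net = ipaddress.ip_network(prefix, strict=True)
    ml = net.prefixlen if max_length is None else max_length
    if not net.prefixlen <= ml <= net.max_prefixlen:
        raise ValueError(f"maxLength {ml} out of range for {net}")
    return ROA(net, ml, origin_asn)


def covering_roas(roas: Iterable[ROA], route: IPNetwork) -> List[ROA]:
    """ROAs whose prefix covers the announced route (same address family only)."""
    return [r for r in roas
            if r.prefix.version == route.version and route.subnet_of(r.prefix)]


def validate(roas: Iterable[ROA], prefix: str, origin_asn: int) -> ROV:
    """RFC 6811 origin validation of one announcement.

    not-found: no ROA covers the prefix, so RPKI says nothing about it.
    valid:     some covering ROA names this origin AS and allows this length.
    invalid:   ROAs cover the prefix but none matches (wrong origin, or a
               more-specific longer than maxLength). An AS0 ROA makes every
               announcement invalid because no BGP origin can equal 0.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covering = covering_roas(roas, route)
    if not covering:
        return ROV.NOT_FOUND
    for r in covering:
        if r.origin_asn == origin_asn and route.prefixlen <= r.max_length:
            return ROV.VALID
    return ROV.INVALID


# Constructed sample ROAs: the assignee has authorised AS64496 to originate
# 203.0.113.0/24 (exactly) and 2001:db8::/32 down to /48.
SAMPLE_ROAS = [
    make_roa("203.0.113.0/24", 64496),
    make_roa("2001:db8::/32", 64496, max_length=48),
]


def rov_after_roa_removed(roas: Iterable[ROA], removed: ROA,
                          prefix: str, origin_asn: int) -> ROV:
    """What validation returns once a ROA is deleted (e.g. by whoever controls
    the RIR account): the announcement drops to not-found, not invalid, unless
    another ROA covering the prefix still exists."""
    return validate([r for r in roas if r != removed], prefix, origin_asn)


if __name__ == "__main__":
    cases = [
        ("203.0.113.0/24", 64496),   # the authorised origin
        ("203.0.113.0/24", 64511),   # someone else announcing it
        ("203.0.113.0/25", 64496),   # right AS, but longer than maxLength
        ("198.51.100.0/24", 64496),  # no ROA at all
        ("2001:db8:1::/48", 64496),  # within the /32's maxLength
    ]
    for p, asn in cases:
        print(f"{p:<18} AS{asn}: {validate(SAMPLE_ROAS, p, asn).value}")
    print("after the /24 ROA is deleted:",
          rov_after_roa_removed(SAMPLE_ROAS, SAMPLE_ROAS[0],
                                "203.0.113.0/24", 64496).value)
```

Two things this makes concrete for the thread's question. First, ROV only judges a (prefix, origin AS) pair as seen in BGP; it does not authenticate a person e-mailing you to withdraw a prefix, so it answers "is this announcement authorised by the holder's ROA?" and not "who owns this?". Second, an attacker who gains the RIR account and deletes the ROA does not make the customer's announcement invalid; it becomes not-found, which most networks still accept, and only a competing ROA (for another AS, or AS0) flips it to invalid.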