Re: Subsea availability

2018-05-21 Thread Mehmet Akcin
Yup, that one too, I have noticed. The issue with this one is that it does not load
for me unless I accept some scripts to load. I will speak to Greg about how
to get around it, and I am already using his database.

On Mon, May 21, 2018 at 10:54 PM, Reid Fishler 
wrote:

> Not to mention:
> https://www.cablemap.info/
>
> Reid
>
>
> On Tue, May 22, 2018 at 1:46 AM james jones  wrote:
>
>> Not interactive but cool animation:
>>
>> https://www.youtube.com/watch?v=IlAJJI-qG2k
>>
>> On Tue, May 22, 2018 at 1:37 AM, Mehmet Akcin  wrote:
>>
>> > yeah, I know and already reached out to my friends at Telegeography on
>> how
>> > to make www.submarinecablemap.com interactive
>> >
>> > On Mon, May 21, 2018 at 10:35 PM, Martin Hepworth 
>> > wrote:
>> >
>> > > I'll put this as a starter
>> > >
>> > > http://submarine-cable-map-2018.telegeography.com/
>> > >
>> > > There's probably better by now
>> > >
>> > > Martin
>> > >
>> > > On Tue, 22 May 2018 at 06:13, Mehmet Akcin  wrote:
>> > >
>> > >> Hello there,
>> > >>
>> > >> I am working on a master's project idea to create an interactive map of the
>> > >> world’s subsea cables (cls to cla without local loops from cls to dc)
>> > >>
>> > >> I would like to know if anyone has worked with something like this in the
>> > >> past, and whether you think it would be cool to have a map where you can
>> > >> see subsea cable availability.
>> > >>
>> > >> I am also going to be at NANOG Denver to talk about this project with
>> > >> people. Let me know if you are available and interested in talking on ways
>> > >> to collaborate.
>> > >>
>> > >> I have a few ideas on how to make this work using RIPE Atlas probe-like
>> > >> devices installed in strategic locations.
>> > >>
>> > >> Mehmet
>> > >>
>> > > --
>> > > --
>> > > Martin Hepworth, CISSP
>> > > Oxford, UK
>> > >
>> >
>
>


Re: Subsea availability

2018-05-21 Thread james jones
Not interactive but cool animation:

https://www.youtube.com/watch?v=IlAJJI-qG2k

On Tue, May 22, 2018 at 1:37 AM, Mehmet Akcin  wrote:

> yeah, I know and already reached out to my friends at Telegeography on how
> to make www.submarinecablemap.com interactive
>
> On Mon, May 21, 2018 at 10:35 PM, Martin Hepworth 
> wrote:
>
> > I'll put this as a starter
> >
> > http://submarine-cable-map-2018.telegeography.com/
> >
> > There's probably better by now
> >
> > Martin
> >
> > On Tue, 22 May 2018 at 06:13, Mehmet Akcin  wrote:
> >
> >> Hello there,
> >>
> >> I am working on a master's project idea to create an interactive map of the
> >> world’s subsea cables (cls to cla without local loops from cls to dc)
> >>
> >> I would like to know if anyone has worked with something like this in the
> >> past, and whether you think it would be cool to have a map where you can
> >> see subsea cable availability.
> >>
> >> I am also going to be at NANOG Denver to talk about this project with
> >> people. Let me know if you are available and interested in talking on ways
> >> to collaborate.
> >>
> >> I have a few ideas on how to make this work using RIPE Atlas probe-like
> >> devices installed in strategic locations.
> >>
> >> Mehmet
> >>
> > --
> > --
> > Martin Hepworth, CISSP
> > Oxford, UK
> >
>


Re: Whois vs GDPR, latest news

2018-05-21 Thread Matthew Kaufman
On Mon, May 21, 2018 at 7:03 PM Jason Hellenthal 
wrote:

> Mind pointing out where in the GDPR it directly relates to these
> types of mail services?
>
>
>
Like most regulations, it doesn’t call out a specific thing like email or
social networking sites or ecommerce. But it follows quite directly:

GDPR covers processing of personal data of EU subjects.

Email addresses are personal data.

Article 14 says that if you receive personal data but not directly from the
subject, you must notify the subject and provide them with a variety of
information.

There are exceptions for things like scientific studies and archival
purposes... but not because it is simply inconvenient to do so.

That this probably just isn’t going to happen for any email servers or
search engine crawlers doesn’t mean the law doesn’t say what it says.

Matthew


Re: Subsea availability

2018-05-21 Thread Mehmet Akcin
yeah, I know and already reached out to my friends at Telegeography on how
to make www.submarinecablemap.com interactive

On Mon, May 21, 2018 at 10:35 PM, Martin Hepworth  wrote:

> I'll put this as a starter
>
> http://submarine-cable-map-2018.telegeography.com/
>
> There's probably better by now
>
> Martin
>
> On Tue, 22 May 2018 at 06:13, Mehmet Akcin  wrote:
>
>> Hello there,
>>
>> I am working on a master's project idea to create an interactive map of the
>> world’s subsea cables (cls to cla without local loops from cls to dc)
>>
>> I would like to know if anyone has worked with something like this in the
>> past, and whether you think it would be cool to have a map where you can
>> see subsea cable availability.
>>
>> I am also going to be at NANOG Denver to talk about this project with
>> people. Let me know if you are available and interested in talking on ways
>> to collaborate.
>>
>> I have a few ideas on how to make this work using RIPE Atlas probe-like
>> devices installed in strategic locations.
>>
>> Mehmet
>>
> --
> --
> Martin Hepworth, CISSP
> Oxford, UK
>


Re: Subsea availability

2018-05-21 Thread Martin Hepworth
I'll put this as a starter

http://submarine-cable-map-2018.telegeography.com/

There's probably better by now

Martin

On Tue, 22 May 2018 at 06:13, Mehmet Akcin  wrote:

> Hello there,
>
> I am working on a master's project idea to create an interactive map of the
> world’s subsea cables (cls to cla without local loops from cls to dc)
>
> I would like to know if anyone has worked with something like this in the
> past, and whether you think it would be cool to have a map where you can
> see subsea cable availability.
>
> I am also going to be at NANOG Denver to talk about this project with
> people. Let me know if you are available and interested in talking on ways
> to collaborate.
>
> I have a few ideas on how to make this work using RIPE Atlas probe-like
> devices installed in strategic locations.
>
> Mehmet
>
-- 
-- 
Martin Hepworth, CISSP
Oxford, UK


Subsea availability

2018-05-21 Thread Mehmet Akcin
Hello there,

I am working on a master's project idea to create an interactive map of the
world’s subsea cables (cls to cla without local loops from cls to dc)

I would like to know if anyone has worked with something like this in the
past, and whether you think it would be cool to have a map where you can
see subsea cable availability.

I am also going to be at NANOG Denver to talk about this project with
people. Let me know if you are available and interested in talking on ways
to collaborate.

I have a few ideas on how to make this work using RIPE Atlas probe-like
devices installed in strategic locations.

Mehmet


Telecommunications Outage Report: Northern California Firestorm 2017

2018-05-21 Thread Sean Donelan


A report on the telecommunications outages that affected Mendocino, Napa 
and Sonoma Counties in the wake of the devastating fires of 2017.


http://www.mendocinobroadband.org/wp-content/uploads/1.-NBNCBC-Telecommunications-Outage-Report-2017-Firestorm.pdf


[...]
Results show that in the 3-county area, 66% of residents lost landline 
services, 74% of residents lost cellular services, and 66% of residents 
lost Internet services with Napa County experiencing the most severe 
impacts. The 3-county average of service loss for these combined 
technologies is 71%. Many of these outages impacted residents that were 
geographically far from the actual burn areas.



[...]
During the 2017 wildfires, there were no forms of communications or 
technologies that worked better than the rest. Each method used for 
emergency notification played a crucial role in preparing residents for 
disaster. Technologies used by residents varied from many conventional
methods to many non-conventional forms of communications. Regardless of 
the ways residents were notified, collectively the different methods 
played a major role in saving lives.



[...]
In the entire 2017 Northern California wildfires’ footprint, it is
estimated that 160,000 wireline and 85,000 wireless customers lost 
service, including 11-15 Public Safety Answering points losing service. 
Over 340 cell sites were completely destroyed or damaged.


[...]
Internet outages affected (22) internet provider services over the 
3-county region; however, not all (22) providers are available within each 
County.



[...]
When you evacuated your residence, how did you receive warning/notice to
evacuate?

did not receive any warning from anyone outside my own home (23.48%)
other response (17.15%)
received a phone alert of some kind (text alert, amber alert) (15.67%)
received a phone call from a neighbor, family, friend (13.52%)
received warning from a neighbor physically at my door (12.05%)
received warning from public safety official physically at my door (6.88%)
received a reverse 9-1-1 call (3.5%)
heard sirens/bullhorns/public safety officials outside my home (3.44%)
received notice on the radio (2.03%)
heard a power outage alarm at my home (1.23%)
received notice from a press event (0.86%)
received notice from a ham radio operator (0.18%)



Re: Whois vs GDPR, latest news

2018-05-21 Thread Jason Hellenthal
Mind pointing out where in the GDPR it directly relates to these types of
mail services?

> On May 21, 2018, at 20:07, Matthew Kaufman  wrote:
> 
> On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge  wrote:
> 
>> What about my right to not have this crap on NANOG?
>> 
> 
> 
> What about the likely truth that if anyone from Europe mails the list, then
> every mail server operator with subscribers to the list must follow the
> GDPR Article 14 notification requirements, as the few exceptions appear to
> not apply (unless you’re just running an archive).
> 
> Matthew


-- 

The fact that there's a highway to Hell but only a stairway to Heaven says a 
lot about anticipated traffic volume.

Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)

2018-05-21 Thread Aaron Gould
9010 and 7609 Small? 

Aaron

> On May 19, 2018, at 3:51 PM, Ben Cannon  wrote:
> 
> Isn’t that the ASR9010?  (And before that 7609?)
> 
> -Ben
> 
>>> On May 18, 2018, at 4:20 AM, Tom Hill  wrote:
>>> 
>>> On 17/05/18 14:24, Mike Hammett wrote:
>>> There's some industry hard-on with having a few ginormous routers instead 
>>> of many smaller ones.
>> 
>> "Industry hard-on", ITYM "Greedy vendors".
>> 
>> Try finding a 'small' router with a lot of ports (1 & 10GE) for your
>> customers, and the right features/TCAM/CP performance, for a price that
>> permits you to buy a lot of them.
>> 
>> -- 
>> Tom



Re: Whois vs GDPR, latest news

2018-05-21 Thread Matthew Kaufman
On Mon, May 21, 2018 at 1:56 PM Fletcher Kittredge  wrote:

> What about my right to not have this crap on NANOG?
>


What about the likely truth that if anyone from Europe mails the list, then
every mail server operator with subscribers to the list must follow the
GDPR Article 14 notification requirements, as the few exceptions appear to
not apply (unless you’re just running an archive).

Matthew


Re: Segment Routing

2018-05-21 Thread dip
Matt,

Just to clarify, Are you asking for SR and LDP interop or SR over LDP? Two
different things.

Thanks
Dip

On Fri, May 18, 2018 at 3:11 AM, Matt Geary  wrote:

> Hello maillist anyone had any experience with segment routing and its
> performance over LDP? We are evaluating the option to move to SR over LDP
> so we can label switch across our Nexus L3 switching environment.
>
> Thanks
> Packet Plumber
>

-- 
Sent from iPhone


Re: AT&T mobile intercepting TCP sockets?

2018-05-21 Thread Eric Kuhnke
Oh, I'm sure that'll never be abused by any hostile nation-state-owned
monopoly telecom that likes to block/ban/MITM traffic, ever!



On Mon, May 21, 2018 at 1:53 PM, Ca By  wrote:

> On Mon, May 21, 2018 at 1:11 PM  wrote:
>
> > IME ATT has intercepted virtually everything on mobile (this is on a
> > hotspot) -
> >
> > If I curl a HTTP vs HTTPS site, I get a different IP on each (one is
> > obviously a shared web proxy); if I download images, they won't match
> > md5-wise with the original version, etc. I have trouble connecting to
> VPNs
> > that aren't standard SSL VPNs. They appear to MITM all web traffic they
> > can. Using third party DNS servers has questionable results.
> >
>
> AT&T is also a key player in undermining http2 security with their
> “trusted proxy”
>
> https://tools.ietf.org/html/draft-loreto-httpbis-trusted-proxy20-01
>
>
>
>
> >
> > On Mon, May 21, 2018, at 12:35 PM, Chris Adams wrote:
> > > I ran into an odd issue with access to a website I manage from AT&T
> > > mobile devices this weekend.  The website worked for everybody not on
> > > AT&T mobile, and AT&T mobile users could access other sites; the
> problem
> > > was just this combination.
> > >
> > > Android and iOS phones, as well as a Linux system tethered to an
> Android
> > > phone, all had the same problem.  On the Linux system, I disabled IPv6
> > > in Firefox, and it could then connect.  Browsers got various
> "connection
> > > reset" type errors; on Linux, I could telnet to port 80 or 443, and it
> > > would connect and immediately close.
> > >
> > > The site does have an IPv6 address, but I had missed getting the
> > > webserver to listen on IPv6 (my mistake).  Adding that looks to have
> > > solved the problem.
> > >
> > > When I ran tcpdump on the server and had someone try to connect from
> > > their AT&T mobile iPhone, I saw three connection attempts a few tenths
> > > of a second apart (all refused by the server).
> > >
> > > My question is this: is AT&T mobile intercepting the TCP socket (and
> > > not handling "connection refused" correctly)?  Is that a known thing?
> > >
> > > --
> > > Chris Adams 
> >
>


Re: Whois vs GDPR, latest news

2018-05-21 Thread valdis.kletnieks
On Thu, 17 May 2018 14:06:27 -0400, Fletcher Kittredge said:
> What about my right to not have this crap on NANOG?

procmail is your friend.



Re: AT&T mobile intercepting TCP sockets?

2018-05-21 Thread Eric Kuhnke
The short answer is, yes.

This is a strong argument in favor of three things:

a) Redirect all http traffic on webservers you control to https, such as with
the following apache2 configuration file snippet for a virtualhost:

RewriteEngine on
RewriteCond %{SERVER_NAME} =domainname.com [OR]
RewriteCond %{SERVER_NAME} =www.domainname.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]


b) Force TLS1.2 on all connections; the population of web browsers that do
not understand TLS1.2 is now less than 1% by market share.

c) Use HTTPS strict transport security


On Mon, May 21, 2018 at 12:35 PM, Chris Adams  wrote:

> I ran into an odd issue with access to a website I manage from AT&T
> mobile devices this weekend.  The website worked for everybody not on
> AT&T mobile, and AT&T mobile users could access other sites; the problem
> was just this combination.
>
> Android and iOS phones, as well as a Linux system tethered to an Android
> phone, all had the same problem.  On the Linux system, I disabled IPv6
> in Firefox, and it could then connect.  Browsers got various "connection
> reset" type errors; on Linux, I could telnet to port 80 or 443, and it
> would connect and immediately close.
>
> The site does have an IPv6 address, but I had missed getting the
> webserver to listen on IPv6 (my mistake).  Adding that looks to have
> solved the problem.
>
> When I ran tcpdump on the server and had someone try to connect from
> their AT&T mobile iPhone, I saw three connection attempts a few tenths
> of a second apart (all refused by the server).
>
> My question is this: is AT&T mobile intercepting the TCP socket (and
> not handling "connection refused" correctly)?  Is that a known thing?
>
> --
> Chris Adams 
>
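The three measures from the reply above (redirect to HTTPS, TLS 1.2 only, HSTS) put together in one Apache 2.4 virtual host pair, as an added example that is not from the original message; example.com and the certificate paths are placeholders, and mod_rewrite, mod_ssl and mod_headers are assumed to be loaded.

```apache
# Added example, not from the original post. Placeholders: example.com and
# the certificate/key paths. Assumes mod_rewrite, mod_ssl and mod_headers.

# (a) The plain-HTTP vhost serves nothing itself; every request is sent to
#     the HTTPS vhost with host, path and query string preserved, so a
#     transparent proxy never sees a cleartext page body from this server.
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com

    RewriteEngine on
    # R=permanent (301) lets clients cache the redirect, QSA keeps the
    # query string, END stops any further rewrite processing.
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com

    SSLEngine on
    # Placeholder paths; point these at the real certificate chain and key.
    SSLCertificateFile    /etc/ssl/certs/example.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # (b) Accept TLS 1.2 only: SSLv3, TLS 1.0 and TLS 1.1 are disabled, so
    #     a middlebox cannot negotiate a weaker protocol version with us.
    SSLProtocol -all +TLSv1.2

    # (c) HSTS: a browser that has seen this header refuses to load the site
    #     over plain HTTP for the next two years (63072000 s), so a returning
    #     user never sends a cleartext request that a proxy could intercept.
    #     "always" also sets it on error responses. Send it over TLS only.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
</VirtualHost>
```

Run `apachectl configtest` before reloading. Once browsers have cached the HSTS policy, any subdomain that is still HTTP-only becomes unreachable for them, so drop includeSubDomains if that applies.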


Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)

2018-05-21 Thread Robert DeVita
If this is a known issue and has happened before, and point-to-point circuits
aren’t affected, you always have the opportunity to diversify your own network
and get private lines back to Miami, Jax, Atlanta or Dallas to create your own
diversity, don’t you?

Robert DeVita
Managing Director
Mejeticks
c. 469-441-8864
e. radev...@mejeticks.com
_
From: David Hubbard 
Sent: Wednesday, May 16, 2018 12:03 PM
Subject: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)
To: 


I’m curious if anyone who’s used 3356 for transit has found shortcomings in how 
their peering and redundancy is configured, or what a normal expectation to 
have is. The Tampa Bay market has been completely down for 3356 IP services 
twice so far this year, each for what I’d consider an unacceptable period of 
time (many hours). I’m learning that the entire market is served by just two 
fiber routes, through cities hundreds of miles away in either direction. So, 
basically two fiber cuts, potentially 1000+ miles apart, takes the entire 
region down. The most recent occurrence was a week or so ago when a Miami-area 
cut and an Orange, Texas cut (1287 driving miles apart) took IP services down 
for hours. It did not take point to point circuits to out of market locations 
down, so that suggests they even have the ability to be more redundant and 
simply choose not to.

I feel like it’s not unreasonable to expect more redundancy, or a much smaller 
attack surface given a disgruntled lineman who knows the routes could take an 
entire region down with a planned cut four states apart. Maybe other regions 
are better designed? Or are my expectations unreasonable? I carry three peers 
in that market, so it hasn’t been outage-causing, but I use 3356 in other 
markets too, and have plans for more, but it makes me wonder if I just haven't 
had the pleasure of similar outages elsewhere yet and I should factor that 
expectation into the design. It creates a problem for me in one location where 
I can only get them and Cogent, since Cogent can't be relied on for IPv6 
service, which I need.

Thanks


Re: Whois vs GDPR, latest news

2018-05-21 Thread Joly MacFie
If of use, last Monday I recorded and posted video of Jonathan Zuck's
briefing to NARALO on ICANN's interim plan.

https://youtu.be/9WVI4aFg0Lc



-- 

Joly MacFie
President - Internet Society New York Chapter (ISOC-NY)
http://isoc-ny.org  218 565 9365


Re: Juniper BGP Convergence Time

2018-05-21 Thread Phil Lavin
Ask if they will configure BFD for you. I’ve not found many transit providers 
that will, but it’s worth a shot and it will lower failure detection to circa 1 
second.


> On 16 May 2018, at 17:49, Adam Kajtar  wrote:
> 
> I could use static routes but I noticed since I moved to full routes I have
> had a lot fewer customer complaints about latency (especially when it comes
> to Voice and VPN traffic).
> 
> I wasn't using per-packet load balancing. I believe juniper default is per
> IP.
> 
> My timers are as follows
> Active Holdtime: 90
> Keepalive Interval: 30
> 
> Would I be correct in thinking I need to contact my ISP to lower these
> values?
> 
> An interesting note is when I had both ISPs connected into a single MX104
> the failover was just a few seconds.
> 
> Thanks again.
> 
> 
> 
>> On Tue, May 15, 2018 at 8:42 PM Ben Cannon  wrote:
>> 
>> Have you checked your timeouts ?
>> 
>> -Ben
>> 
>>> On May 15, 2018, at 4:09 PM, Kaiser, Erich  wrote:
>>> 
>>> Do you need full routes?  What about just a default route from BGP?
>>> 
>>> Erich Kaiser
>>> The Fusion Network
>>> er...@gotfusion.net
>>> Office: 815-570-3101
>>> 
>>> 
>>> 
>>> 
>>>> On Tue, May 15, 2018 at 5:38 PM, Aaron Gould  wrote:
>>>>
>>>> You sure it doesn't have something to do with 60 seconds * 3 = 180 secs of
>>>> BGP neighbor Time out before it believes neighbor is dead and remove routes
>>>> to that neighbor?
>>>>
>>>> Aaron
>>>>
>>>>> On May 15, 2018, at 9:10 AM, Adam Kajtar  wrote:
>>>>>
>>>>> Hello:
>>>>>
>>>>> I'm running two Juniper MX104s. Each MX has 1 ISP connected running
>>>>> BGP (full routes). iBGP is running between the routers via a two port 20G
>>>>> lag. When one of the ISPs fails, it can take upwards of 2 minutes for
>>>>> traffic to start flowing correctly. The router has the correct route in the
>>>>> routing table, but it doesn't install it in the forwarding table for the
>>>>> full two mins.
>>>>>
>>>>> I have a few questions if anyone could answer them.
>>>>>
>>>>> - What would a usual convergence time be for this setup?
>>>>> - Is there anything I could do to speed this process up? (I tried Multipath)
>>>>> - Any tips and tricks would be much appreciated
>>>>>
>>>>> Thanks in Advance
>>>>> --
>>>>> Adam Kajtar
>>>>> Systems Administrator
>>>>> City of Wadsworth
>>>>> akaj...@wadsworthcity.org
>>>>> -
>>>>> http://www.wadsworthcity.com
>>>>>
>>>>
>>
>
> 
> -- 
> Adam Kajtar
> Systems Administrator, Safety Services
> City of Wadsworth
> Office 330.335.2865
> Cell 330.485.6510
> akaj...@wadsworthcity.org
> -
> http://www.wadsworthcity.com
> 


PlayStation Network Contact

2018-05-21 Thread Nathaniel Gerencser
Anybody have a contact that can help me with a prefix that is blocked from 
access to PlayStation Network?

Nathan Gerencser, Network Engineer
MetaLINK Technologies * 417 Wayne Ave * Defiance, OH 43512
office 419.990.0352 * cell 419.438.6356
ngerenc...@team-meta.net | 
www.metalink.net




Segment Routing

2018-05-21 Thread Matt Geary
Hello maillist anyone had any experience with segment routing and its
performance over LDP? We are evaluating the option to move to SR over LDP
so we can label switch across our Nexus L3 switching environment.

Thanks
Packet Plumber


Re: Whois vs GDPR, latest news

2018-05-21 Thread Mark Rousell
On 17/05/2018 19:03, Zbyněk Pospíchal wrote:
> Dne 17/05/2018 v 18:14 Sander Steffann napsal(a):
>> Hi,
>>
>> But this regulation increases essential liberty for individuals, so I don't 
>> understand your argument...
> No, it doesn't. It has two aspects:
>
> [...]

Very well said.

-- 
Mark Rousell



Writing a Book about Open Networking and Dis-aggregation

2018-05-21 Thread Marcus Leske
Hi,

Is anyone interested in working on a book that covers topics like:

```
. Network Operating System types.
. Classic vs Open Networking.
. Open Networking and SDN.
. Forwarding Chips.
. The new stack.
. Disaggregation.
. Automation.
. Telemetry.
```

I'm thinking of covering the reasons why dis-aggregation was delayed
with networking, what are the advantages and disadvantages of that
approach, the new stack on new platforms...etc

The goal of the book is to educate and not to promote one vendor over
the other, but I'd prefer providing examples using Cumulus Linux VX,
Open Networking Linux, Sonic.

Direct Msg me if interested to talk more.

Thanks,
Marcus


Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)

2018-05-21 Thread Luca Salvatore via NANOG
To answer your specific question - in the regions we use 3356 (NYC and
SFO/Bay Area) 3356 has been solid. I’d even say they have fewer issues than
the other usual tier 1 providers... for example 1299 had a hell of a week
last week around SFO while 3356 was stable.

Can’t comment on what I’d say are small regions like Tampa though.

On Sat, May 19, 2018 at 5:56 PM David Hubbard 
wrote:

> Yes, I do, as stated in my initial email.  My inquiry is about whether
> this level of downtime, and lack of redundancy for a given region, is
> normal for 3356.  There are some markets where diverse paths are not so
> easy to acquire.
> 
> From: Robert DeVita 
> Sent: Saturday, May 19, 2018 5:36:23 PM
> To: David Hubbard; nanog@nanog.org
> Subject: Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in
> general)
>
> If this is a known issue and has happened before, and point-to-point
> circuits aren’t affected, you always have the opportunity to diversify your
> own network and get private lines back to Miami, Jax, Atlanta or Dallas to
> create your own diversity, don’t you?
>
> Robert DeVita
> Managing Director
> Mejeticks
> c. 469-441-8864
> e. radev...@mejeticks.com
> _
> From: David Hubbard 
> Sent: Wednesday, May 16, 2018 12:03 PM
> Subject: Curiosity about AS3356 L3/CenturyLink network resiliency (in
> general)
> To: 
>
>
> I’m curious if anyone who’s used 3356 for transit has found shortcomings
> in how their peering and redundancy is configured, or what a normal
> expectation to have is. The Tampa Bay market has been completely down for
> 3356 IP services twice so far this year, each for what I’d consider an
> unacceptable period of time (many hours). I’m learning that the entire
> market is served by just two fiber routes, through cities hundreds of miles
> away in either direction. So, basically two fiber cuts, potentially 1000+
> miles apart, takes the entire region down. The most recent occurrence was a
> week or so ago when a Miami-area cut and an Orange, Texas cut (1287 driving
> miles apart) took IP services down for hours. It did not take point to
> point circuits to out of market locations down, so that suggests they even
> have the ability to be more redundant and simply choose not to.
>
> I feel like it’s not unreasonable to expect more redundancy, or a much
> smaller attack surface given a disgruntled lineman who knows the routes
> could take an entire region down with a planned cut four states apart.
> Maybe other regions are better designed? Or are my expectations
> unreasonable? I carry three peers in that market, so it hasn’t been
> outage-causing, but I use 3356 in other markets too, and have plans for
> more, but it makes me wonder if I just haven't had the pleasure of similar
> outages elsewhere yet and I should factor that expectation into the design.
> It creates a problem for me in one location where I can only get them and
> Cogent, since Cogent can't be relied on for IPv6 service, which I need.
>
> Thanks
>
>
>
>
>


Re: Whois vs GDPR, latest news

2018-05-21 Thread Fletcher Kittredge
What about my right to not have this crap on NANOG?

On Thu, May 17, 2018 at 2:03 PM, Zbyněk Pospíchal 
wrote:

> Dne 17/05/2018 v 18:14 Sander Steffann napsal(a):
> > Hi,
> >
> > But this regulation increases essential liberty for individuals, so I
> don't understand your argument...
>
> No, it doesn't. It has two aspects:
>
> 1. It brings new positive defined rights. But as with any other positive
> defined rights, it brings an obligation for anyone other to provide such
> rights, it requires enforcement, inspections/whatever which anyone in
> Europe must pay from taxes and it requires implementation of a lot of
> rules, possible changing of existing internal systems etc. etc. in
> companies which will be paid from their revenue, so again from consumer
> money.
>
> 2. It would be the true in an ideal situation. In the real world, there
> is no ideal situation. Accept the fact that if you would like to keep
> any data private, you must not tell them to anyone. You. You are the one
> who can decide about your data and who can really protect your data, no
> one else, no government, no GDPR. There is a lot of anonymization
> techniques, strong encryption and other things helping to cover who
> used/published/steal your private data when it is done by experienced
> professionals. It could help a little bit to keep private data protected
> against beginner and intermediate data thieves and perhaps against
> some kinds of stupid mistakes, maybe. Nothing more. Is it enough when we
> mention all the costs, including hidden? I don't think so.
>
>
> BTW, nobody told me he is going to propose such regulation before the
> last EP elections, no party I have been able to vote has anything like
> this nor opposing anything like this in their program.
>
> --
> Regards,
> Zbynek
>



-- 
Fletcher Kittredge
GWI
207-602-1134
www.gwi.net


Re: Whois vs GDPR, latest news

2018-05-21 Thread Badiei, Farzaneh
The privacy implications that WHOIS had for domain name registrants were not
only acknowledged by Europe. For a long time we were in a battle to get minimum
privacy for domain registrants, and the privacy proxy services provided some
sort of relief. But the intellectual property interest, with the backing of
governments, always dominated the discussions. Otherwise, the IETF had recognized
the privacy issues of WHOIS as early as 2002, and protocols were recommended that
could respect registrants' privacy rights.

This was not solely a European issue. It was a global issue, and with GDPR
coming into effect it only made the process faster and diluted the power of IP
people and those who were piggybacking on their power. It's time to move on.
GDPR is not a great law, but a community that for so many years violated the
privacy rights of domain name registrants had to be somehow stopped. It's
unfortunate that we didn't deal with this through innovative ways... But
saying Europe and GDPR brought this upon us is false.


From: NANOG  on behalf of Brian Kantor 
Sent: Thursday, May 17, 2018 10:23:22 AM
To: North American Network Operators' Group
Subject: Re: Whois vs GDPR, latest news

An article in The Register on the current status of Whois and the GDPR.

https://www.theregister.co.uk/2018/05/16/whois_privacy_shambles/



Re: BGP Optimizers (Was: Validating possible BGP MITM attack)

2018-05-21 Thread Francois Devienne
Hi Job,



I believe your disclaimer makes a lot of sense. From our perspective using more 
specifics is one of the options to make BGP follow the optimized path instead 
of the « natural » path. We used to be doing more specifics because with the 
same prefix being announced, we were simply not getting a best route announced 
back to the optimiser. Since the adoption of BGP ADD-PATH, our solution does 
not need to use more specifics to maintain a full collection of the routers' BGP
table. (In addition, it has actually never been a strong requirement due to
the use of other SNMP collection processes.)
Therefore LOCAL_PREF is the option we advise and implement.



The examples you mention confirm the issues are mainly due to poorly configured 
networks where routes are leaked out although they shouldn’t be. Adequate 
routers are able to filter out prefixes based on attributes like communities, 
which we set by default.
We’ve had an instance of such an issue with one of our customers a few years 
ago; it turned out to be mistaken CLI commands that the engineer gave to the 
router.
Our XCA software service and platform has hundreds of ASs running for years and 
none are making any noise.



Another point of discussion is the fact that transit and large content 
providers actually accept thousands of routes coming from anywhere, there is a 
lot of room for optimization. And I know how much you personally try to 
contribute to enhance this.

There actually is a reason for operating BGP optimizers. The BGP protocol, 
while robust and scalable, doesn't know anything about link capacity, doesn’t 
apply performance analytics and can easily drive links into saturation, 
introducing packet loss. Also, it is not aware of commercial agreements like 
CDR, generating costs that could be prevented. It also, of course, ignores the 
performance of available paths.
All of the above actually impacts customer traffic and business performance.
For a few years now we have seen our Customers take more care of quality and capacity
management… and stop relying on BGP « blindly ».



Most transit providers like to explain that their services are premium and
that’s the reason why their prices are premium. But when you look at actual 
performance measurements, some premium providers are actually just behind the 
cheaper ones.



I’m in RIPE 76 tomorrow, I’ll be more than happy to discuss this topic further 
with you.



Kind regards,
François

(I’m a product engineer at Border 6 - Expereo, a BGP optimization software 
company.)

François DEVIENNE
Mobile: +33.651.937.927
E-mail: francois.devie...@expereo.com
BORDER 6 S.A.S. - EXPEREO

On Aug 31, 2017, at 22:06, Job Snijders wrote:

Dear all,

disclaimer:

   [ The following is targeted at the context where a BGP optimizer
   generates BGP announcements that are ordinarily not seen in the
   Default-Free Zone. The OP indicated they announce a /23, and were
   unpleasantly surprised to see two unauthorized announcements for /24
   more-specifics pop up in their alerting system. No permission was
   granted to create and announce these more-specifics. The AS_PATH
   for those /24 announcements was entirely fabricated. Original thread
   https://mailman.nanog.org/pipermail/nanog/2017-August/092124.html ]

On Thu, Aug 31, 2017 at 11:13:18AM -0700, Andy Litzinger wrote:
Presuming it was a route optimizer and the issue was ongoing, what
would be the suggested course of action?

I strongly recommend to turn off those BGP optimizers, glue the ports
shut, burn the hardware, and salt the grounds on which the BGP optimizer
sales people walked.

It is extremely irresponsible behavior to use software that generates
_fake_ BGP more-specifics for the purpose of traffic engineering. You
simply cannot expect that those more-specifics will never escape into
the global DFZ! Relying on NO_EXPORT is not sufficient: we regularly see
software bugs related to NO_EXPORT, and community-squashing
configuration mistakes happen all the time.

Consider the following: if you leak your own internal more-specifics, at
least you are the legitimate destination. (You may suffer from
suboptimal routing, but it isn't guaranteed downtime.) However if you
generate fake more-specifics for prefixes belonging to OTHER
organisations, you essentially are complicit in BGP hijacking. If those
fake more-specifics accidentally leak into the DFZ, you are bringing
down the actual owner of such prefixes, and depriving people from access
to the Internet. Example case:
https://mailman.nanog.org/pipermail/nanog/2013-January/054846.html

reach out to those 2 AS owners and see if they could stop it?

Yes, absolutely! And if every one of the affected parties of this
localized hijack leak (or should we say 'victims') reaches out to the
wrongdoers, they contribute peer pressure to rectify the situation. Just
make sure you assign blame to the correct party. :)

Or is it 

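Both messages above turn on the same question: how does the legitimate holder of a /23 notice, and how does a transit network reject, a /24 more-specific that nobody authorised? The check below is an added example for this digest, not Expereo's software or anything Job posted. It applies Route Origin Validation in the sense of RFC 6811 to a constructed set of announcements: the ROA, the prefixes (192.0.2.0/23, 198.51.100.0/24) and the AS numbers (64496 to 64511) are documentation and private values chosen for the example and stand in for the /23 and the unauthorised /24s described in the thread.

```python
"""Route Origin Validation (RFC 6811 semantics) over constructed announcements.
Added example, not tooling from the thread; prefixes and AS numbers are from
documentation/private ranges."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    prefix: str        # address block the holder has registered
    max_length: int    # longest more-specific the holder permits
    origin_as: int     # the only AS allowed to originate it


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]   # leftmost = neighbour it came from, rightmost = origin


def validate(ann: Announcement, roas: Iterable[ROA]) -> Tuple[str, str]:
    """Return (state, reason) with state in {'valid', 'invalid', 'notfound'}."""
    net = ipaddress.ip_network(ann.prefix)
    origin = ann.as_path[-1]
    covering = []
    for roa in roas:
        rnet = ipaddress.ip_network(roa.prefix)
        if (rnet.version == net.version and net.network_address in rnet
                and net.prefixlen >= rnet.prefixlen):
            covering.append(roa)
    if not covering:
        return "notfound", "no ROA covers this prefix"
    for roa in covering:
        if roa.origin_as == origin and net.prefixlen <= roa.max_length:
            return "valid", f"matches ROA {roa.prefix}-{roa.max_length} AS{roa.origin_as}"
    # Covered but nothing matched: explain against the most specific covering ROA.
    roa = max(covering, key=lambda r: ipaddress.ip_network(r.prefix).prefixlen)
    if roa.origin_as != origin:
        return "invalid", f"origin AS{origin} not authorised (ROA says AS{roa.origin_as})"
    return "invalid", f"/{net.prefixlen} exceeds maxLength {roa.max_length} of ROA {roa.prefix}"


def flag(anns: Iterable[Announcement], roas: Iterable[ROA]) -> List[Tuple[str, str, str]]:
    """Invalid announcements only: (prefix, as_path, reason), what an alert should carry."""
    roas = list(roas)
    out: List[Tuple[str, str, str]] = []
    for ann in anns:
        state, reason = validate(ann, roas)
        if state == "invalid":
            out.append((ann.prefix, " ".join(str(a) for a in ann.as_path), reason))
    return out


# Constructed data: the holder of 192.0.2.0/23 authorises only AS64500 to
# announce it and permits no more-specifics (maxLength 23), like the /23 in
# the thread. The announcements mimic what the OP's alerting system saw.
ROAS = [ROA("192.0.2.0/23", 23, 64500)]
ANNOUNCEMENTS = [
    Announcement("192.0.2.0/23", (64496, 64500)),     # the genuine aggregate
    Announcement("192.0.2.0/24", (64496, 64500)),     # holder's own more-specific, leaked
    Announcement("192.0.3.0/24", (64496, 64499)),     # optimizer-style fake, forged path
    Announcement("198.51.100.0/24", (64496, 64501)),  # nothing registered at all
]

if __name__ == "__main__":
    for prefix, path, reason in flag(ANNOUNCEMENTS, ROAS):
        print(f"INVALID {prefix} via {path}: {reason}")
```

Two things worth noticing in the output. The holder's own leaked /24 is also "invalid" (maxLength), which is the point Job makes about your own more-specifics: invalid, but at least you are the destination. And ROV only looks at the origin AS: a fabricated AS_PATH that keeps the genuine origin and stays within maxLength passes, so this complements, rather than replaces, the community and prefix-list filtering François describes.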
AS 205869 - BGP hijacking source

2018-05-21 Thread McBride, Mack
I am sending this notification as I have become aware that 205869 appears to be 
performing BGP hijacking and spoofing AS paths as well.
Impacted organizations may wish to contact the upstream providers of this ASN.

Mack McBride
Contractor

The contents of this message are my own and are not the opinions of, nor do they 
represent, my employer.
E-MAIL CONFIDENTIALITY NOTICE: 
The contents of this e-mail message and any attachments are intended solely for 
the addressee(s) and may contain confidential and/or legally privileged 
information. If you are not the intended recipient of this message or if this 
message has been addressed to you in error, please immediately alert the sender 
by reply e-mail and then delete this message and any attachments. If you are 
not the intended recipient, you are notified that any use, dissemination, 
distribution, copying, or storage of this message or any attachment is strictly 
prohibited.


Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)

2018-05-21 Thread Ben Cannon
Isn’t that the ASR9010?  (And before that 7609?)

-Ben

> On May 18, 2018, at 4:20 AM, Tom Hill  wrote:
> 
>> On 17/05/18 14:24, Mike Hammett wrote:
>> There's some industry hard-on with having a few ginormous routers instead of 
>> many smaller ones.
> 
> "Industry hard-on", ITYM "Greedy vendors".
> 
> Try finding a 'small' router with a lot of ports (1 & 10GE) for your
> customers, and the right features/TCAM/CP performance, for a price that
> permits you to buy a lot of them.
> 
> -- 
> Tom


Re: is odd number of links in lag group ok

2018-05-21 Thread Ben Cannon
While it goes without saying that you need the same (can be 5!) number of links 
to each router in a multichassis LAG, what isn’t so obvious are things like 
port groups etc.

If you have an oversubscribed platform, you might need to look at running each 
wire in a LAG to different port groups, and then look at things like switch 
ASICs and span those as well.

Even try to span diverse slots/modules if you can.

But 5, 6 or 4 per chassis shouldn't make a huge difference. 

-Ben

> On May 16, 2018, at 3:48 PM, Wayne Bouchard  wrote:
> 
> As others have noted, there can be implementation specific issues that
> you can't necessarily predict but most typically when I hear "odd vs
> even" discussions, usually the caveat is not a trunk but a redundant
> connection. Putting three links on router A and two links on router B
> obviously doesn't work well.
> 
>> On Tue, May 15, 2018 at 10:15:19AM -0500, Aaron Gould wrote:
>> I have (2) 10 gig links bundled in a lag to my upstream internet provider,
>> and we need more internet capacity.  Is it cool to add a third 10 gig to my
>> existing 20 gig lag internet connection?
>> 
>> I'm asking since I heard in the past something negative about odd numbers of
>> lag members, but I also have heard that it's not a big deal.  Let me know
>> please.
>> 
>> -Aaron
>> 
> 
> ---
> Wayne Bouchard
> w...@typo.org
> Network Dude
> http://www.typo.org/~web/


Verizon/UUNET AS701 blocking Tor "directory" server (IPv4 86.59.21.38)

2018-05-21 Thread Neel Chauhan

Hi nanog mailing list,

Keep in mind that I am not a practicing network engineer, although I do 
have interest and knowledge on networking topics. I do not work for 
Verizon. I subscribe to Verizon FiOS, but not Verizon Wireless or 
Verizon's enterprise services.


The Tor "directory" server with the IPv4 address 86.59.21.38 has been 
blocked by Verizon's AS701 backbone for a few months now. AS701 provides 
Internet connectivity to Verizon FiOS and Wireless.


The design of Tor is that even though anyone can set up a "relay", there 
are a few central directory servers which clients go to first to get a 
list of relay servers and build a circuit (which is a path of three 
relays to reach a destination). A more descriptive overview of Tor is 
available here: https://www.torproject.org/about/overview.html.en .


While I can still access other Tor directory servers from Verizon FiOS, 
as running Tor as a client or relay does not require every directory 
server be unblocked, blocking one of them could possibly mean breaking 
some part of the Internet for a Verizon customer.


A traceroute to 86.59.21.38 from FiOS shows that I can get through 
verizon-gni.net which is Verizon's internal FiOS network, but not 
ALTER.NET, which is Verizon's UUNet backbone:


neel@xb2:~ % traceroute 86.59.21.38
traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets
  1  unknown (192.168.1.1)  1.128 ms  0.780 ms  0.613 ms
  2  lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1)  1.001 ms  3.632 ms  0.900 ms
  3  B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96)  2.291 ms
     B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94)  3.172 ms  4.046 ms
  4  * * *
  5  * * *
  6  * * *
  7  * * *
  8  * * *
  9  * * *
^C
neel@xb2:~ %

In a normal traceroute, I would see ALTER.NET on hop 5. Also, this 
filtering is not a subnet filtering. A traceroute to 86.59.21.1 works:


neel@xb2:~ % traceroute 86.59.21.1
traceroute to 86.59.21.1 (86.59.21.1), 64 hops max, 40 byte packets
  1  unknown (192.168.1.1)  0.863 ms  0.757 ms  0.579 ms
  2  lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1)  1.010 ms  1.545 ms  1.034 ms
  3  B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96)  3.616 ms
     B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94)  5.696 ms  10.062 ms
  4  * * *
  5  0.et-5-1-5.BR3.NYC4.ALTER.NET (140.222.2.127)  3.492 ms  3.506 ms  2.996 ms
  6  204.255.168.118 (204.255.168.118)  8.462 ms  7.479 ms  7.252 ms
  7  144.232.4.84 (144.232.4.84)  5.041 ms  4.688 ms
     sl-crs3-lon-0-6-3-0.sprintlink.net (144.232.9.165)  71.865 ms
  8  sl-crs2-lon-0-0-3-0.sprintlink.net (213.206.128.181)  72.214 ms  73.579 ms  72.339 ms
  9  213.206.129.142 (213.206.129.142)  81.390 ms
     sl-crs4-ams-0-7-0-3.sprintlink.net (213.206.129.139)  85.854 ms  93.238 ms
 10  217.149.47.46 (217.149.47.46)  79.004 ms  85.669 ms  79.392 ms
 11  ams5-core-1.bundle-ether1.tele2.net (130.244.82.54)  86.507 ms  78.374 ms  77.740 ms
 12  ams-core-2.bundle-ether9.tele2.net (130.244.82.57)  79.642 ms  77.926 ms  81.515 ms
 13  wen3-core-2.bundle-ether15.tele2.net (130.244.71.47)  105.400 ms  105.089 ms  109.751 ms
 14  tele2at-bundle2-vie3.net.uta.at (212.152.189.65)  122.716 ms  110.820 ms  114.354 ms
 15  86.59.21.1 (86.59.21.1)  106.389 ms *  105.379 ms
neel@xb2:~ %

I had posted this finding on Tor's mailing list 
(https://lists.torproject.org/pipermail/tor-relays/2018-May/015218.html). 
I am posting here as (I believe) Verizon NOC people are more likely to 
read NANOG mailing lists than Tor mailing lists, although this post is 
modified from the original because not all network engineers may know 
how Tor works.


From Tor developer Roger Dingledine (at the Tor mailing list), the 
reason why Verizon blocked 86.59.21.38 in the first place is probably 
the WannaCry ransomware, and the VZ NOC didn't realize it was a Tor IP 
address (or how Tor works), and then whoever did this block forgot about 
it and moved on. I can understand that you all may not know how Tor 
works either, so I included an overview link above. It could also be 
possible that it's the NN repeal (but less likely since it is on the 
level of UUNET not FiOS).


I also contacted the operator of 86.59.21.38 as well as Verizon FiOS 
support, and neither were of much help (the former is obvious as he's 
Austrian).


Well, thank you for reading.

Best,

Neel Chauhan

===

https://www.neelc.org/
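The two traceroutes in the post are doing a comparison by eye: the target dies after hop 3, the neighbouring address in the same /24 gets an answer from ALTER.NET at hop 5 and reaches its destination, therefore the filter is host-specific and sits at the hand-off into AS701. The script below is an added example for this digest, not something Neel or Verizon posted; it automates that comparison. The sample input is copied from the two traceroutes above, trimmed to fewer RTT samples and responders per hop so the example runs offline. The "host-specific" verdict rests on the example's assumption that the control address is in the same subnet as the target, as it is here.

```python
"""Compare a failing traceroute with one to a neighbouring address and report
where the two paths diverge.  Added example; not part of the post above."""
import re
from typing import Dict, List, Optional

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"(\S+)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)")

# Copies of the two traceroutes in the post, trimmed to fewer RTT samples and
# responders per hop; they are the offline sample input for this example.
BLOCKED_TRACE = """\
traceroute to 86.59.21.38 (86.59.21.38), 64 hops max, 40 byte packets
 1  unknown (192.168.1.1)  1.128 ms
 2  lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1)  1.001 ms
 3  B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96)  2.291 ms
    B3401.NYCMNY-LCR-21.verizon-gni.net (100.41.137.94)  3.172 ms
 4  * * *
 5  * * *
 6  * * *
"""
CONTROL_TRACE = """\
traceroute to 86.59.21.1 (86.59.21.1), 64 hops max, 40 byte packets
 1  unknown (192.168.1.1)  0.863 ms
 2  lo0-100.NYCMNY-VFTTP-401.verizon-gni.net (173.68.77.1)  1.010 ms
 3  B3401.NYCMNY-LCR-22.verizon-gni.net (100.41.137.96)  3.616 ms
 4  * * *
 5  0.et-5-1-5.BR3.NYC4.ALTER.NET (140.222.2.127)  3.492 ms
 6  204.255.168.118 (204.255.168.118)  8.462 ms
 7  144.232.4.84 (144.232.4.84)  5.041 ms
    sl-crs3-lon-0-6-3-0.sprintlink.net (144.232.9.165)  71.865 ms
 8  sl-crs2-lon-0-0-3-0.sprintlink.net (213.206.128.181)  72.214 ms
 9  sl-crs4-ams-0-7-0-3.sprintlink.net (213.206.129.139)  85.854 ms
10  217.149.47.46 (217.149.47.46)  79.004 ms
11  ams5-core-1.bundle-ether1.tele2.net (130.244.82.54)  86.507 ms
12  ams-core-2.bundle-ether9.tele2.net (130.244.82.57)  79.642 ms
13  wen3-core-2.bundle-ether15.tele2.net (130.244.71.47)  105.400 ms
14  tele2at-bundle2-vie3.net.uta.at (212.152.189.65)  122.716 ms
15  86.59.21.1 (86.59.21.1)  106.389 ms
"""


def parse_traceroute(text: str) -> Dict[int, List[str]]:
    """Map hop number -> responder names ([] when every probe timed out).
    A line opens a new hop only if its number is the next expected one; any
    other line (a second responder, even one starting with digits) continues
    the current hop."""
    hops: Dict[int, List[str]] = {}
    current: Optional[int] = None
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if m and int(m.group(1)) == len(hops) + 1:
            current = int(m.group(1))
            hops[current] = []
            rest = m.group(2)
        elif current is not None:
            rest = line
        else:
            continue  # header line before hop 1
        hops[current].extend(name for name, _ in ADDR_RE.findall(rest))
    return hops


def last_responding_hop(hops: Dict[int, List[str]]) -> Optional[int]:
    answered = [n for n, names in hops.items() if names]
    return max(answered) if answered else None


def reached(hops: Dict[int, List[str]], target: str) -> bool:
    """True when the destination itself answered at the final hop."""
    return bool(hops) and target in hops[max(hops)]


def divergence_hop(failing: Dict[int, List[str]],
                   control: Dict[int, List[str]]) -> Optional[int]:
    """First hop where the control path got an answer but the failing one did not."""
    for n in sorted(control):
        if control[n] and not failing.get(n):
            return n
    return None


def classify(failing_text: str, failing_target: str,
             control_text: str, control_target: str) -> Dict[str, object]:
    f, c = parse_traceroute(failing_text), parse_traceroute(control_text)
    div = divergence_hop(f, c)
    report: Dict[str, object] = {
        "failing_reached": reached(f, failing_target),
        "control_reached": reached(c, control_target),
        "last_answer_failing": last_responding_hop(f),
        "divergence_hop": div,
        "divergence_routers": c.get(div, []) if div is not None else [],
    }
    if report["failing_reached"]:
        report["verdict"] = "destination answers; not a block"
    elif report["control_reached"]:
        report["verdict"] = "host-specific filter: control address reaches, this one dies"
    else:
        report["verdict"] = "both die: subnet-wide filter or an upstream outage"
    return report


if __name__ == "__main__":
    result = classify(BLOCKED_TRACE, "86.59.21.38", CONTROL_TRACE, "86.59.21.1")
    for key, value in result.items():
        print(f"{key}: {value}")
```

On the post's data this reports divergence at hop 5 with the ALTER.NET router as the first device that answers only on the control path, which is the evidence the post gives for a filter at the UUNET edge rather than inside the FiOS access network. The caveat is the same as for any traceroute: a router that answers for one destination and silently drops probes for another could also be rate-limiting ICMP, so the result points at where to ask, not at proof of intent.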



Re: AT&T mobile intercepting TCP sockets?

2018-05-21 Thread lists
IME ATT has intercepted virtually everything on mobile (this is on a hotspot) -

If I curl a HTTP vs HTTPS site, I get a different IP on each (one is obviously 
a shared web proxy); if I download images, they won't match md5-wise with the 
original version, etc. I have trouble connecting to VPNs that aren't standard 
SSL VPNs. They appear to MITM all web traffic they can. Using third party DNS 
servers has questionable results.


On Mon, May 21, 2018, at 12:35 PM, Chris Adams wrote:
> I ran into an odd issue with access to a website I manage from AT&T
> mobile devices this weekend.  The website worked for everybody not on
> AT&T mobile, and AT&T mobile users could access other sites; the problem
> was just this combination.
> 
> Android and iOS phones, as well as a Linux system tethered to an Android
> phone, all had the same problem.  On the Linux system, I disabled IPv6
> in Firefox, and it could then connect.  Browsers got various "connection
> reset" type errors; on Linux, I could telnet to port 80 or 443, and it
> would connect and immediately close.
> 
> The site does have an IPv6 address, but I had missed getting the
> webserver to listen on IPv6 (my mistake).  Adding that looks to have
> solved the problem.
> 
> When I ran tcpdump on the server and had someone try to connect from
> their AT mobile iPhone, I saw three connection attempts a few tenths
> of a second apart (all refused by the server).
> 
> My question is this: is AT mobile intercepting the TCP socket (and
> not handling "connection refused" correctly)?  Is that a known thing?
> 
> -- 
> Chris Adams 


Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)

2018-05-21 Thread Scott Weeks


--- joe...@bogus.com wrote:
From: joel jaeggli 

alcatel/nokia 7750 (L3's newer PE platform) is large but 
not outlandish and they've been deployed for a couple 
years. 
--


More than a couple...  I was using them for MPLS over 10 
years ago.  They're really good.  Also, they have different 
sizes; from the itty bitty 7750 SR-1 (2ru) all the way to 
the BFR 7750 SR-12e (22ru)

https://onestore.nokia.com/asset/164728/Nokia_7750_SR_R15-1_Data_Sheet_EN.pdf

scott


Re: AT&T mobile intercepting TCP sockets?

2018-05-21 Thread Jared Mauch


> On May 21, 2018, at 3:35 PM, Chris Adams  wrote:
> 
> I ran into an odd issue with access to a website I manage from AT&T
> mobile devices this weekend.  The website worked for everybody not on
> AT&T mobile, and AT&T mobile users could access other sites; the problem
> was just this combination.
> 
> Android and iOS phones, as well as a Linux system tethered to an Android
> phone, all had the same problem.  On the Linux system, I disabled IPv6
> in Firefox, and it could then connect.  Browsers got various "connection
> reset" type errors; on Linux, I could telnet to port 80 or 443, and it
> would connect and immediately close.
> 
> The site does have an IPv6 address, but I had missed getting the
> webserver to listen on IPv6 (my mistake).  Adding that looks to have
> solved the problem.
> 
> When I ran tcpdump on the server and had someone try to connect from
> their AT mobile iPhone, I saw three connection attempts a few tenths
> of a second apart (all refused by the server).
> 
> My question is this: is AT mobile intercepting the TCP socket (and
> not handling "connection refused" correctly)?  Is that a known thing?


Yes they are.  You can see this on test-ipv6.com; it will report the proxy/Via
header addition.

- jared


AT&T mobile intercepting TCP sockets?

2018-05-21 Thread Chris Adams
I ran into an odd issue with access to a website I manage from AT&T
mobile devices this weekend.  The website worked for everybody not on
AT&T mobile, and AT&T mobile users could access other sites; the problem
was just this combination.

Android and iOS phones, as well as a Linux system tethered to an Android
phone, all had the same problem.  On the Linux system, I disabled IPv6
in Firefox, and it could then connect.  Browsers got various "connection
reset" type errors; on Linux, I could telnet to port 80 or 443, and it
would connect and immediately close.

The site does have an IPv6 address, but I had missed getting the
webserver to listen on IPv6 (my mistake).  Adding that looks to have
solved the problem.

When I ran tcpdump on the server and had someone try to connect from
their AT mobile iPhone, I saw three connection attempts a few tenths
of a second apart (all refused by the server).

My question is this: is AT mobile intercepting the TCP socket (and
not handling "connection refused" correctly)?  Is that a known thing?

-- 
Chris Adams 
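The failure Chris describes has a precise signature: the name publishes both an A and an AAAA record, the IPv4 address accepts, and the IPv6 address returns RST ("connection refused") because nothing listens there. A transparent proxy in the path then turns that RST into something the client never sees correctly. The check below is an added example for this digest, not from the thread and not a description of AT&T's equipment; it probes every address a name publishes and reports addresses that refuse while a sibling accepts. It uses only the standard library. The addresses in the constructed report (203.0.113.10, 2001:db8::10) are documentation values, and the self-test binds a loopback listener so it runs without network access.

```python
"""Check that a service answers on every address its DNS name publishes.
Added example; not from the thread."""
import socket
from typing import Dict, List, Optional, Tuple


def probe(addr: str, port: int, timeout: float = 3.0) -> str:
    """One TCP connect to a literal address: 'open', 'refused' or 'unreachable'."""
    family = socket.AF_INET6 if ":" in addr else socket.AF_INET
    with socket.socket(family, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((addr, port))
            return "open"
        except ConnectionRefusedError:
            return "refused"       # RST came back: host is up, nothing listening
        except (socket.timeout, OSError):
            return "unreachable"   # filtered, not routed, or no IPv6 on this host


def published_addresses(host: str, port: int) -> List[str]:
    """Every A and AAAA target for host, i.e. everything a client might pick."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def dual_stack_report(host: str, port: int,
                      addrs: Optional[List[str]] = None) -> Dict[str, str]:
    """Probe each published address; pass addrs explicitly to skip DNS."""
    targets = addrs if addrs is not None else published_addresses(host, port)
    return {a: probe(a, port) for a in targets}


def half_listening(report: Dict[str, str]) -> List[str]:
    """Addresses that refuse while at least one other address accepts: the
    AAAA-without-a-listener misconfiguration described in the post."""
    if "open" not in report.values():
        return []
    return sorted(a for a, state in report.items() if state == "refused")


def selftest_local() -> Tuple[str, str]:
    """Bind a v4-only loopback listener, probe it, close it, probe again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind(("127.0.0.1", 0))
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = probe("127.0.0.1", port)
    after_close = probe("127.0.0.1", port)
    return while_listening, after_close


if __name__ == "__main__":
    import sys
    host, port = (sys.argv[1], int(sys.argv[2])) if len(sys.argv) == 3 else ("localhost", 443)
    report = dual_stack_report(host, port)
    for addr, state in report.items():
        print(f"{addr:40} {state}")
    bad = half_listening(report)
    print("half-listening:", ", ".join(bad) if bad else "none")
```

Run it against your own name and port from a host that has both address families and no intercepting proxy; any address in the "half-listening" list is a client-visible outage for whoever prefers that family, whatever the carrier in between does with the RST.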


Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)

2018-05-21 Thread Large Hadron Collider
I would go as far as to say that Tier 1 is a derogatory designation, but 
I have a beef with Cogent because they're expecting otherwise Tier 1 
IPv6 ISP Hurricane Electric to bow to the altar of Cogent.



On 05/20/2018 15:19, Mark Tinka wrote:


On 20/May/18 09:16, Baldur Norddahl wrote:


The question was if downtime on a transit provider of many hours is
unacceptable. I am offering my experience that this happens to all of
them. Some of them can have problems that last days not hours. Do not
ever assume that a so called "tier 1" network is good as your only
transit.

And that is where the sage advice is...

Just because they are "large", "global", "transit-free",
"international", "Tier this or Tier that", don't think they are beyond
fault. And more importantly, don't allow your customers to assume they
are beyond fault, just because you aren't them.

Take control of your situation, especially if you can.

Mark.




Need AT&T / Ameritech DNS contact

2018-05-21 Thread Wes Hardaker

Every other path at filing a bug has failed me...  If there is someone
here with control over ameritech.net's name servers, can you reach out
to me please?

-- 
Wes Hardaker 
USC/ISI