Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Jakob Heitz (jheitz) via NANOG
Owen, You are correct in that RPKI leaves many problems unsolved. One that it does solve is prefix splitting. If I issue a ROA for prefix 10.1.2.0/23, any announcement of 10.1.2.0/24 (including mine) will be declared INVALID, because that announcement is covered by the ROA and the mask length

SAFNOG-4/EANOG/tzNOG: 4 Days To Go!

2018-09-19 Thread Mark Tinka
Hi all. With just about 4 days to go until the 4th edition of the SAFNOG meeting, in collaboration with EANOG and tzNOG, we are geared for an exciting week in warm & sunny Dar Es Salaam. The agenda will cover key topics for the region, such as: * Is Africa's continued telecommunications

Re: Massive Price Increase for X-conns at Telehouse Chelsea, NYC

2018-09-19 Thread Owen DeLong
> On Sep 19, 2018, at 00:44 , Christopher Morrow > wrote: > > > > On Tue, Sep 18, 2018 at 12:28 PM Owen DeLong > wrote: > > I’d argue that the difference between reasonable (≤$500 one-time and ≤$50 > MRC) and $300 MRC is within range of argument, but I cannot see

Re: the prefixes that wont be able to reach Cloudflare by the end of the year (unless RPKI ROAs are fixed)

2018-09-19 Thread Owen DeLong
Yep… It’s also better not to do SSL or IRR entries than to do it badly. Agreed. Owen > On Sep 19, 2018, at 18:00 , Michel Py wrote: > >> Owen DeLong wrote : >> Note to self… It’s better not to do RPKI than to do it badly. > > Not worse than IRR entries or SSL certificates. If you mess it up,

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Owen DeLong
Looks like a certain CDN has volunteered to do that for you. Owen > On Sep 19, 2018, at 01:19 , Job Snijders wrote: > > On Wed, Sep 19, 2018 at 01:07:42AM -0700, Christopher Morrow wrote: >>> it is about whether it is acceptable that RIRs (and more >>> specifically ARIN in this mailing list's

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Owen DeLong
> On Sep 19, 2018, at 00:46 , nusenu wrote: > > Owen DeLong: >> Personally, since all RPKI accomplishes is providing a >> cryptographically signed notation of origin ASNs that hijackers >> should prepend to their announcements in order to create an aura of >> credibility, I think we should

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Jared Mauch
> On Sep 19, 2018, at 8:55 PM, Owen DeLong wrote: > > Actually, from my perspective, neither one is practical/useful due to the > lack of supporting data to achieve it. I suggest you look at some of the cool research that was done with various prefixes from different regions. You can see

RE: the prefixes that wont be able to reach Cloudflare by the end of the year (unless RPKI ROAs are fixed)

2018-09-19 Thread Michel Py
> Owen DeLong wrote : > Note to self… It’s better not to do RPKI than to do it badly. Not worse than IRR entries or SSL certificates. If you mess it up, resource will go down. Michel.

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Owen DeLong
> On Sep 19, 2018, at 00:44 , Job Snijders wrote: > > On Tue, Sep 18, 2018 at 06:18:00PM -0700, Owen DeLong wrote: >> That depends. If you ONLY allow the maintainer of NET-192.159.10.0/24 >> to update the route objects for it, then the word ONLY is effectively >> present by the lack of any

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Owen DeLong
> On Sep 18, 2018, at 21:29 , Christopher Morrow > wrote: > > > > On Tue, Sep 18, 2018 at 6:22 PM Owen DeLong > wrote: > > > > On Sep 18, 2018, at 15:07 , Job Snijders > > wrote: > > > > On Tue, Sep 18, 2018 at 02:44:30PM -0700, Owen DeLong

Re: the prefixes that wont be able to reach Cloudflare by the end of the year (unless RPKI ROAs are fixed)

2018-09-19 Thread Owen DeLong
Note to self… It’s better not to do RPKI than to do it badly. Owen > On Sep 19, 2018, at 09:32 , nusenu wrote: > > Hi, > > apparently Cloudflare will be enforcing RPKI route origin validation > "by the end of the year" [1]. > > https://blog.cloudflare.com/rpki-details/ > > If this is

Re: Console Servers

2018-09-19 Thread Mike Hammett
There's always the WOOBM! https://mikrotik.com/product/woobm - Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP - Original Message - From: "Owen DeLong" To: "Mike Hammett" Cc: "Saku Ytti" , nanog@nanog.org Sent: Wednesday,

Re: Console Servers

2018-09-19 Thread Owen DeLong
Why am I picturing you rigging up a Particle Electron as a dongle to each device you want remote access to? Owen > On Sep 19, 2018, at 02:21 , Mike Hammett wrote: > > Except for AT&T, most incumbents here aren't also mobile wireless providers, > so that is an option in most cases for truly

Re: Console Servers

2018-09-19 Thread Owen DeLong
> On Sep 19, 2018, at 01:50 , Saku Ytti wrote: > > Hey, > >> In some DCs I've done mutual OOB swaps with other telcos in the same >> suite, this is usually cheap or free (excluding the one time xconnect > > We consciously decided to not ask or accept OOB swaps, because of fear > that they

Re: Console Servers

2018-09-19 Thread David Kotlerewsky
+++ for Opengear. Manages PDUs and UPS, some models have GPS and 4G LTE options. If additional intelligence is needed for a lights out facility, Uplogix has an interesting solution as well. Sincerely, David K. Sent from my mobile device, please excuse any typos or brevity.

RE: the prefixes that wont be able to reach Cloudflare by the end of the year (unless RPKI ROAs are fixed)

2018-09-19 Thread Michel Py
> nusenu wrote : > apparently Cloudflare will be enforcing RPKI route origin validation "by the > end of the year" [1]. > https://blog.cloudflare.com/rpki-details/ > If this is actually the case then some prefixes run at risk of losing the > ability to reach Cloudflare. This is the way we are

Re: Console Servers

2018-09-19 Thread Andrew Latham
Note: newer Lantronix don't require Java for the config interface at all. Also note that you can organize OOBM and in band management with https://guacamole.apache.org/ if needed. On Wed, Sep 19, 2018 at 12:47 PM Jeremy Bresley wrote: > On 9/19/18 04:40, James Bensley wrote: > > On Tue, 18 Sep

Re: Console Servers

2018-09-19 Thread Jeremy Bresley
On 9/19/18 04:40, James Bensley wrote: On Tue, 18 Sep 2018 at 14:38, Alan Hannan wrote: I'd like your input on suggestions for an alternate serial port manager. Long ago I used Cisco 2511/2611 and was fairly happy. A little later I used portmaster and was less so. Recently I've been using

the prefixes that wont be able to reach Cloudflare by the end of the year (unless RPKI ROAs are fixed)

2018-09-19 Thread nusenu
Hi, apparently Cloudflare will be enforcing RPKI route origin validation "by the end of the year" [1]. https://blog.cloudflare.com/rpki-details/ If this is actually the case then some prefixes run at risk of losing the ability to reach Cloudflare. This is a heads-up so you can check if you

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread John Curran
On 18 Sep 2018, at 1:23 PM, Owen DeLong wrote: > > Personally, since all RPKI accomplishes is providing a cryptographically > signed notation of origin ASNs that hijackers should prepend to their > announcements in order to create an aura of credibility, I think we should > stop throwing

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Joe Provo
There's a lot to sift through in this thread (most of all assertions lacking evidence), but this needs to be called out: On Tue, Sep 18, 2018 at 06:21:56PM -0700, Owen DeLong wrote: [snip] > Point being that there are very very few ASNs using peer lock. Peer lock Despite the cutesy neologism,

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread nusenu
Phil Lavin: > That said, having recently done this with ARIN... they've got a long > way to go before it's a simple process (like RIPE). Submitting > numerous tickets over a 3 day period doesn't strike me as > particularly efficient. > If outreach was done and widely taken up, I just want to

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Alex Band
> On 19 Sep 2018, at 10:37, Christopher Morrow wrote: > > > > On Wed, Sep 19, 2018 at 1:33 AM Phil Lavin wrote: > > What about a one-off outreach effort? > >> Makes sense to me. As someone who (at least pretends to) care, I was very >> much unaware of RPKI before seeing discussion about

Re: Console Servers

2018-09-19 Thread Mike Hammett
Except for AT&T, most incumbents here aren't also mobile wireless providers, so that is an option in most cases for truly OOB. - Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP - Original Message - From: "Saku Ytti" To: "James

Re: Console Servers

2018-09-19 Thread Saku Ytti
On Wed, 19 Sep 2018 at 11:54, James Bensley wrote: > I forgot to mention, it also depends how "out" of band your OOB needs > to be. We use Ciena 6500s for our DWDM infrastructure and they have a > wayside channel (like various DWDM vendors), so it's a separate > channel over the same physical

Re: Console Servers

2018-09-19 Thread James Bensley
On Wed, 19 Sep 2018 at 09:50, Saku Ytti wrote: > I think WAN indeed is very market situational, and if you need to > support world, it is beneficial to have solution which supports many > WAN options, without needing external boxes and external power bricks. > We try to do just ethernet, but

Re: Console Servers

2018-09-19 Thread James Bensley
On Tue, 18 Sep 2018 at 15:26, Saku Ytti wrote: > > On Tue, 18 Sep 2018 at 16:39, Alan Hannan wrote: > > > Long ago I used Cisco 2511/2611 and was fairly happy. A little later I > > used portmaster and was less so. Recently I've been using Opengear and > > they work fairly well but the price

Re: Massive Price Increase for X-conns at Telehouse Chelsea, NYC

2018-09-19 Thread Scott Christopher
Christopher Morrow wrote: > Whether it actually 'costs' that much to pull a x-connect and maintain > that x-connect is probably not as important as 'gosh it's really hard > to be 'close' to ' right? which is what they are > capitalizing on here.> > Hank, how far away is the next closest large

Re: Console Servers

2018-09-19 Thread Saku Ytti
Hey, > In some DCs I've done mutual OOB swaps with other telcos in the same > suite, this is usually cheap or free (excluding the one time xconnect We consciously decided to not ask or accept OOB swaps, because of fear that they might be provisioned outside processes which might make it

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread nusenu
Christopher Morrow wrote: > This seems bad, at first blush, but you will not always be here to offer > these recalcitrant folk a pointer to how to fix themselves that is correct but I don't expect that (to be around forever) to be necessary, once the amount of invalids are low, big operators

Re: Console Servers

2018-09-19 Thread James Bensley
On Tue, 18 Sep 2018 at 14:38, Alan Hannan wrote: > > I'd like your input on suggestions for an alternate serial port manager. > > Long ago I used Cisco 2511/2611 and was fairly happy. A little later I used > portmaster and was less so. Recently I've been using Opengear and they work > fairly

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Christopher Morrow
On Wed, Sep 19, 2018 at 1:33 AM Phil Lavin wrote: > > What about a one-off outreach effort? > > Makes sense to me. As someone who (at least pretends to) care, I was very > much unaware of RPKI before seeing discussion about it on NANOG and #ix. > > That said, having recently done this with

RE: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Phil Lavin
> What about a one-off outreach effort? Makes sense to me. As someone who (at least pretends to) care, I was very much unaware of RPKI before seeing discussion about it on NANOG and #ix. That said, having recently done this with ARIN... they've got a long way to go before it's a simple

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Christopher Morrow
On Wed, Sep 19, 2018 at 1:19 AM Job Snijders wrote: > On Wed, Sep 19, 2018 at 01:07:42AM -0700, Christopher Morrow wrote: > > > it is about whether it is acceptable that RIRs (and more > > > specifically ARIN in this mailing list's context) notify affected > > > parties of their prefixes that

Re: Console Servers

2018-09-19 Thread James Bensley
On Tue, 18 Sep 2018 at 15:26, Saku Ytti wrote: > > On Tue, 18 Sep 2018 at 16:39, Alan Hannan wrote: > > > Long ago I used Cisco 2511/2611 and was fairly happy. A little later I > > used portmaster and was less so. Recently I've been using Opengear and > > they work fairly well but the price

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Job Snijders
On Wed, Sep 19, 2018 at 01:07:42AM -0700, Christopher Morrow wrote: > > it is about whether it is acceptable that RIRs (and more > > specifically ARIN in this mailing list's context) notify affected > > parties of their prefixes that suffer from stale ROAs. > > This I still think is a bad plan..

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Christopher Morrow
On Wed, Sep 19, 2018 at 12:51 AM nusenu wrote: > Owen DeLong: > > Personally, since all RPKI accomplishes is providing a > > cryptographically signed notation of origin ASNs that hijackers > > should prepend to their announcements in order to create an aura of > > credibility, I think we should

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Christopher Morrow
> > in which case MD5 passwords on your BGP sessions pretty much > > accomplishes the same thing with a lot less kerfuffle. > > > oh gosh, sorry I missed this in the previous conversation... for folk following along at home: TCP-MD5 is really REALLY just: "better CRC(checksum)" on your BGP

Re: netflix OCA in a CG-NAT world

2018-09-19 Thread Christopher Morrow
On Tue, Sep 18, 2018 at 1:21 AM Radu-Adrian Feurdean < na...@radu-adrian.feurdean.net> wrote: > On Mon, Sep 17, 2018, at 17:48, Jared Mauch wrote: > > > I also strongly suggest you look at how to get native IPv6 from your > > clients behind the CG-NAT rolled out. I know many folks have had

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread nusenu
Owen DeLong: > Personally, since all RPKI accomplishes is providing a > cryptographically signed notation of origin ASNs that hijackers > should prepend to their announcements in order to create an aura of > credibility, I think we should stop throwing resources down this > rathole. regardless of

Re: Massive Price Increase for X-conns at Telehouse Chelsea, NYC

2018-09-19 Thread Christopher Morrow
On Tue, Sep 18, 2018 at 12:28 PM Owen DeLong wrote: > > I’d argue that the difference between reasonable (≤$500 one-time and ≤$50 > MRC) and $300 MRC is within range of argument, but I cannot see any way in > which an argument can be made that $5840 MRC is not a distortion in that > same

Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-19 Thread Job Snijders
On Tue, Sep 18, 2018 at 06:18:00PM -0700, Owen DeLong wrote: > That depends. If you ONLY allow the maintainer of NET-192.159.10.0/24 > to update the route objects for it, then the word ONLY is effectively > present by the lack of any other route objects. Ah, so you are now applying the RPKI

Re: Piter-IX and GOOGLE (AS15169)

2018-09-19 Thread Christopher Morrow
On Tue, Sep 18, 2018 at 11:31 PM A.T wrote: > Hello! > > Thanks for reply! > Announcement from route server contains only 15169 in as-path. > > ok, cool... Ideally the folk with peering-db access are already along fixing the records :) (it's totally possible they are still sleeping... but

Re: Piter-IX and GOOGLE (AS15169)

2018-09-19 Thread A.T
Hello! Thanks for reply! Announcement from route server contains only 15169 in as-path. Best regards, A.T > On Tue, Sep 18, 2018 at 3:34 PM A.T wrote: > >> Hello, >> >> I see AS15169 announcements from Piter-IX >> (https://www.peeringdb.com/ix/2149), but Google PeeringDB entry don't >> seem >>