Re: "Hacking" these days - purpose?

2020-12-15 Thread Mark Tinka




On 12/16/20 02:38, b...@theworld.com wrote:

> Some days I wonder if it's some vast, well-funded, Spectre-like
> organization whose backers just want to see trust in the internet
> undermined in the public's eyes on behalf of their own non-internet or
> anti-internet (think: phone companies who'd love to charge you per
> email and web page access for example by forcing you onto some private
> network) enterprises, large bricks+mortars interests etc.

If it were, they'd be fighting a losing battle.

The Internet has acquired exponential scale. It would never operate in 
such a pay-to-click model.


Mark.


Re: "Hacking" these days - purpose?

2020-12-15 Thread Donald Eastlake
On Mon, Dec 14, 2020 at 12:10 PM Miles Fidelman 
wrote:

> David Bass wrote:
> > It becomes more clear when you think about the options out there, and
> > get a little creative.  Nowadays it’s definitely chess that’s being
> > played.
> And here I thought the purpose of hacking is (still) having fun - you
> know... hacking.
>
> As to chess... I've begun to think that the game to master is now Go...
> capturing territory, not pieces, and instantaneous global state changes.


https://fortune.com/2016/03/12/googles-go-computer-vs-human

Donald
 d3e...@gmail.com

Miles Fidelman
>
> --
> In theory, there is no difference between theory and practice.
> In practice, there is.   Yogi Berra
>
> Theory is when you know everything but nothing works.
> Practice is when everything works but no one knows why.
> In our lab, theory and practice are combined:
> nothing works and no one knows why.  ... unknown
>


Re: "Hacking" these days - purpose?

2020-12-15 Thread bzs


Some days I wonder if it's some vast, well-funded, Spectre-like
organization whose backers just want to see trust in the internet
undermined in the public's eyes on behalf of their own non-internet or
anti-internet (think: phone companies who'd love to charge you per
email and web page access for example by forcing you onto some private
network) enterprises, large bricks+mortars interests etc.

-- 
-Barry Shein

Software Tool & Die| b...@theworld.com | http://www.TheWorld.com
Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
The World: Since 1989  | A Public Information Utility | *oo*


Re: how many bits of entropy do we need for load balancing?

2020-12-15 Thread Jay Hennigan

On 12/14/20 16:25, na...@jack.fr.eu.org wrote:

> There are 3 kinds of hashing algorithms

Four if you count the trails followed by runners drinking beer.
See on-on for instance.

> The first one is used to check the sanity of input, against bit-swapping
> error for instance
>
> See CRC for instance
>
> The second one is used for cryptographic purposes
> While the output distribution is supposed to be quite good, its most
> important aspect lies here: it is hard to craft an input matching a
> specific hash
>
> See sha256 for instance
>
> The last one combines both speed and output distribution
>
> See xxhash for instance


--
Jay Hennigan - j...@west.net
Network Engineering - CCIE #7880
503 897-8550 - WB6RDV


Re: Don't need someone with clue @ Network Solutions.

2020-12-15 Thread John Levine
In article <20201215174646.ga970...@jurassic.vpn.malgudi.org> you write:
>You or someone else who owns crocker.com appears to have created these
>nameserver objects (these are not a part of DNS, except that they may
>show up as glue) in the registry:

Right. When I query the .COM zone servers, they say quite clearly that
there is no crocker.com glue in the .COM zone. See below.

The registry nameserver objects are fine. They let his users register
domains that use his nameservers.

I think that without some clearer indication that something is wrong
we can close this issue.

R's,
John

$ dig @g.gtld-servers.net. dns-auth3.crocker.com a

; <<>> DiG 9.10.6 <<>> @g.gtld-servers.net. dns-auth3.crocker.com a
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31790
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;dns-auth3.crocker.com. IN  A

;; AUTHORITY SECTION:
crocker.com.            172800  IN  NS  ns-8.awsdns-01.com.
crocker.com.            172800  IN  NS  ns-1005.awsdns-61.net.
crocker.com.            172800  IN  NS  ns-1775.awsdns-29.co.uk.
crocker.com.            172800  IN  NS  ns-1317.awsdns-36.org.

;; ADDITIONAL SECTION:
ns-8.awsdns-01.com.     172800  IN  A   205.251.192.8

;; Query time: 74 msec
;; SERVER: 2001:503:eea3::30#53(2001:503:eea3::30)
;; WHEN: Tue Dec 15 18:35:38 EST 2020
;; MSG SIZE  rcvd: 202


Re: [EXTERNAL]Need someone with clue @ Network Solutions.

2020-12-15 Thread William Herrin
On Tue, Dec 15, 2020 at 9:41 AM Matthew Crocker
 wrote:
> It appears I should have been looking for clue in my own network.  Amazon 
> hosts crocker.com and they have the glue records.  Apparently left over from 
> when the domain was with Network Solutions.   I have tickets open with Amazon 
> to get them removed/updated.


Yeah, the basic problem you have is that AWS is not a full service
registrar, so when you register and host your domain in Route53, you
don't have access to some of the tools a normal registrar gives you.
Namely creating and deleting glue records associated with your domain.
Even when you host with AWS you're kinda better off registering
somewhere else.

Regards,
Bill Herrin


-- 
Hire me! https://bill.herrin.us/resume/


Re: Need someone with clue @ Network Solutions.

2020-12-15 Thread Mukund Sivaraman
On Tue, Dec 15, 2020 at 04:43:08PM +, Matthew Crocker wrote:
> I need to get Network Solutions to remove glue records for hosts in my
> domain.   My domain isn’t registered with Network Solutions and they refuse
> to speak with me as I’m not a customer.
>
> ;; AUTHORITY SECTION:
> .com.  172800 IN NS dns-auth4.crocker.com.
> .com.  172800 IN NS dns-auth3.crocker.com.
>
> ;; ADDITIONAL SECTION:
> dns-auth4.crocker.com.  172800 IN A  66.59.48.95
> dns-auth3.crocker.com.  172800 IN A  66.59.48.94

You or someone else who owns crocker.com appears to have created these
nameserver objects (these are not a part of DNS, except that they may
show up as glue) in the registry:

$ curl https://rdap.verisign.com/com/v1/nameserver/dns-auth4.crocker.com
{"objectClassName":"nameserver","ldhName":"DNS-AUTH4.CROCKER.COM","ipAddresses":{"v4":["66.59.48.95"]},"links":[{"value":"https:\/\/rdap.verisign.com\/com\/v1\/nameserver\/DNS-AUTH4.CROCKER.COM","rel":"self","href":"https:\/\/rdap.verisign.com\/com\/v1\/nameserver\/DNS-AUTH4.CROCKER.COM","type":"application\/rdap+json"}],"events":[{"eventAction":"last update of RDAP database","eventDate":"2020-12-15T12:06:46Z"}],"rdapConformance":["rdap_level_0","icann_rdap_technical_implementation_guide_0","icann_rdap_response_profile_0"],"notices":[{"title":"Terms of Use","description":["Service subject to Terms of Use."],"links":[{"href":"https:\/\/www.verisign.com\/domain-names\/registration-data-access-protocol\/terms-service\/index.xhtml","type":"text\/html"}]}]}

$ curl https://rdap.verisign.com/com/v1/nameserver/dns-auth3.crocker.com
{"objectClassName":"nameserver","ldhName":"DNS-AUTH3.CROCKER.COM","ipAddresses":{"v4":["66.59.48.94"]},"links":[{"value":"https:\/\/rdap.verisign.com\/com\/v1\/nameserver\/DNS-AUTH3.CROCKER.COM","rel":"self","href":"https:\/\/rdap.verisign.com\/com\/v1\/nameserver\/DNS-AUTH3.CROCKER.COM","type":"application\/rdap+json"}],"events":[{"eventAction":"last update of RDAP database","eventDate":"2020-12-15T12:06:46Z"}],"rdapConformance":["rdap_level_0","icann_rdap_technical_implementation_guide_0","icann_rdap_response_profile_0"],"notices":[{"title":"Terms of Use","description":["Service subject to Terms of Use."],"links":[{"href":"https:\/\/www.verisign.com\/domain-names\/registration-data-access-protocol\/terms-service\/index.xhtml","type":"text\/html"}]}]}

Other domains can use these objects as their nameservers.

Log in to your registrar account (which appears to be Amazon) and manage
these nameserver objects. Your registrar will usually provide a UI to
"manage nameservers" or something similar under which you should find
these objects.

Mukund
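
The comparison made in this message, registry host objects against the addresses the zone itself publishes, as an added example that is not part of the original post. The RDAP objects are trimmed to the two fields used, the zone answer is the "correct servers" listing from the thread, and the function names are hypothetical.

```python
import ipaddress
import json

# RDAP nameserver objects from the thread, trimmed to the fields used here.
RDAP_RESPONSES = [
    '{"objectClassName":"nameserver","ldhName":"DNS-AUTH4.CROCKER.COM",'
    '"ipAddresses":{"v4":["66.59.48.95"]}}',
    '{"objectClassName":"nameserver","ldhName":"DNS-AUTH3.CROCKER.COM",'
    '"ipAddresses":{"v4":["66.59.48.94"]}}',
]

# Address records the zone itself publishes ("The correct servers are" in the thread).
ZONE_ANSWER = """\
dns-auth3.crocker.com.  299 IN A  66.59.61.10
dns-auth4.crocker.com.  299 IN A  66.59.61.194
"""


def norm_name(name):
    """Lower-case a host name and drop the trailing root dot."""
    return name.rstrip(".").lower()


def parse_rdap_nameserver(text):
    """Return (hostname, set of addresses) from one RDAP nameserver object."""
    obj = json.loads(text)
    if obj.get("objectClassName") != "nameserver":
        raise ValueError("not an RDAP nameserver object")
    addrs = obj.get("ipAddresses", {})
    ips = {ipaddress.ip_address(a) for fam in ("v4", "v6") for a in addrs.get(fam, [])}
    return norm_name(obj["ldhName"]), ips


def parse_address_records(text):
    """Collect A/AAAA records from dig-style lines: owner TTL class type rdata."""
    records = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0].startswith(";"):
            continue
        owner, _ttl, rrclass, rrtype, rdata = fields
        if rrclass.upper() == "IN" and rrtype.upper() in ("A", "AAAA"):
            records.setdefault(norm_name(owner), set()).add(ipaddress.ip_address(rdata))
    return records


def find_mismatched_host_objects(rdap_texts, zone_text):
    """Report host objects whose registry addresses differ from the zone's."""
    zone = parse_address_records(zone_text)
    findings = []
    for text in rdap_texts:
        host, registry_ips = parse_rdap_nameserver(text)
        zone_ips = zone.get(host, set())
        if registry_ips != zone_ips:
            findings.append({
                "host": host,
                "only_in_registry": sorted(map(str, registry_ips - zone_ips)),
                "only_in_zone": sorted(map(str, zone_ips - registry_ips)),
            })
    return findings


if __name__ == "__main__":
    for finding in find_mismatched_host_objects(RDAP_RESPONSES, ZONE_ANSWER):
        print(finding)
```
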




Re: Need someone with clue @ Network Solutions.

2020-12-15 Thread Jared Mauch
Matthew,

I haven’t seen this problem in a long time where someone else submits data to 
cause the out-of-zone glue to appear.  It’s possible there’s something 
happening at NETSOL that is causing this, but the best way is for you to go 
into your registrar and ensure they’re publishing the proper host records for 
your in-zone glue which should address this if nobody got back to you yet.  It 
may also be easier to find someone on the dns-operations list than NANOG these 
days.

- Jared

> On Dec 15, 2020, at 11:43 AM, Matthew Crocker  
> wrote:
> 
> I need to get Network Solutions to remove glue records for hosts in my 
> domain.   My domain isn’t registered with Network Solutions and they refuse 
> to speak with me as I’m not a customer.
>  
> I’ve had my customer attempt to update their domain through Network Solutions 
> but the only thing they can change is the NS record, not the underlying host 
> glue record.   I don’t think the glue records even need to exist as they are 
> published by my domain already.
>  
> Does anyone have any contacts at Network Solutions that can help?
>  
> Example:
>  
> dig .com NS @i.gtld-servers.net.
>  
> ; <<>> DiG 9.10.6 <<>> .com NS @i.gtld-servers.net.
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24593
> ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
> ;; WARNING: recursion requested but not available
>  
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags:; udp: 4096
> ;; QUESTION SECTION:
> ;.com.  IN NS
>  
> ;; AUTHORITY SECTION:
> .com.  172800 IN NS dns-auth4.crocker.com.
> .com.  172800 IN NS dns-auth3.crocker.com.
>  
> ;; ADDITIONAL SECTION:
> dns-auth4.crocker.com.  172800 IN A  66.59.48.95
> dns-auth3.crocker.com.  172800 IN A  66.59.48.94
>  
> ;; Query time: 73 msec
> ;; SERVER: 192.43.172.30#53(192.43.172.30)
> ;; WHEN: Tue Dec 15 11:34:41 EST 2020
> ;; MSG SIZE  rcvd: 124
>  
> The correct servers are:
>  
> dns-auth3.crocker.com.  299 IN A  66.59.61.10
> dns-auth4.crocker.com.  299 IN A  66.59.61.194



Re: [EXTERNAL]Need someone with clue @ Network Solutions.

2020-12-15 Thread Matthew Crocker

Thanks everyone who responded

It appears I should have been looking for clue in my own network.  Amazon hosts 
crocker.com and they have the glue records.  Apparently left over from when the 
domain was with Network Solutions.   I have tickets open with Amazon to get 
them removed/updated.

-Matt


From: NANOG  on behalf of 
Matthew Crocker 
Date: Tuesday, December 15, 2020 at 11:43 AM
To: "nanog@nanog.org" 
Subject: [EXTERNAL]Need someone with clue @ Network Solutions.

I need to get Network Solutions to remove glue records for hosts in my domain.  
 My domain isn’t registered with Network Solutions and they refuse to speak 
with me as I’m not a customer.

I’ve had my customer attempt to update their domain through Network Solutions 
but the only thing they can change is the NS record, not the underlying host 
glue record.   I don’t think the glue records even need to exist as they are 
published by my domain already.

Does anyone have any contacts at Network Solutions that can help?

Example:


dig .com NS @i.gtld-servers.net.

; <<>> DiG 9.10.6 <<>> .com NS @i.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24593
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.com.  IN NS

;; AUTHORITY SECTION:
.com.  172800 IN NS dns-auth4.crocker.com.
.com.  172800 IN NS dns-auth3.crocker.com.

;; ADDITIONAL SECTION:
dns-auth4.crocker.com.  172800 IN A  66.59.48.95
dns-auth3.crocker.com.  172800 IN A  66.59.48.94

;; Query time: 73 msec
;; SERVER: 192.43.172.30#53(192.43.172.30)
;; WHEN: Tue Dec 15 11:34:41 EST 2020
;; MSG SIZE  rcvd: 124

The correct servers are:

dns-auth3.crocker.com.  299 IN A  66.59.61.10
dns-auth4.crocker.com.  299 IN A  66.59.61.194




RE: Need someone with clue @ Network Solutions.

2020-12-15 Thread Brian Turnbow via NANOG
Hi Matt


It has been a long time since I’ve used Network Solutions but from what I 
remember in their interface you have a section advanced or more settings to 
create your DNS servers before associating them to the domain.
And it is in this section where you can create or change the DNS name and IP 
address.
Once they are ok, then you go inside the domain where you can assign them to 
the domain.

Sorry no contact

Brian



From: NANOG  On Behalf Of Matthew 
Crocker
Sent: Tuesday, December 15, 2020 5:43 PM
To: nanog@nanog.org
Subject: Need someone with clue @ Network Solutions.

I need to get Network Solutions to remove glue records for hosts in my domain.  
 My domain isn’t registered with Network Solutions and they refuse to speak 
with me as I’m not a customer.

I’ve had my customer attempt to update their domain through Network Solutions 
but the only thing they can change is the NS record, not the underlying host 
glue record.   I don’t think the glue records even need to exist as they are 
published by my domain already.

Does anyone have any contacts at Network Solutions that can help?

Example:


dig .com NS @i.gtld-servers.net.

; <<>> DiG 9.10.6 <<>> .com NS @i.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24593
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.com.  IN NS

;; AUTHORITY SECTION:
.com.  172800 IN NS dns-auth4.crocker.com.
.com.  172800 IN NS dns-auth3.crocker.com.

;; ADDITIONAL SECTION:
dns-auth4.crocker.com.  172800 IN A  66.59.48.95
dns-auth3.crocker.com.  172800 IN A  66.59.48.94

;; Query time: 73 msec
;; SERVER: 192.43.172.30#53(192.43.172.30)
;; WHEN: Tue Dec 15 11:34:41 EST 2020
;; MSG SIZE  rcvd: 124

The correct servers are:

dns-auth3.crocker.com.  299 IN A  66.59.61.10
dns-auth4.crocker.com.  299 IN A  66.59.61.194




Need someone with clue @ Network Solutions.

2020-12-15 Thread Matthew Crocker
I need to get Network Solutions to remove glue records for hosts in my domain.  
 My domain isn’t registered with Network Solutions and they refuse to speak 
with me as I’m not a customer.

I’ve had my customer attempt to update their domain through Network Solutions 
but the only thing they can change is the NS record, not the underlying host 
glue record.   I don’t think the glue records even need to exist as they are 
published by my domain already.

Does anyone have any contacts at Network Solutions that can help?

Example:


dig .com NS @i.gtld-servers.net.

; <<>> DiG 9.10.6 <<>> .com NS @i.gtld-servers.net.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24593
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;.com.  IN NS

;; AUTHORITY SECTION:
.com.  172800 IN NS dns-auth4.crocker.com.
.com.  172800 IN NS dns-auth3.crocker.com.

;; ADDITIONAL SECTION:
dns-auth4.crocker.com.  172800 IN A  66.59.48.95
dns-auth3.crocker.com.  172800 IN A  66.59.48.94

;; Query time: 73 msec
;; SERVER: 192.43.172.30#53(192.43.172.30)
;; WHEN: Tue Dec 15 11:34:41 EST 2020
;; MSG SIZE  rcvd: 124

The correct servers are:

dns-auth3.crocker.com.  299 IN A  66.59.61.10
dns-auth4.crocker.com.  299 IN A  66.59.61.194




Re: how many bits of entropy do we need for load balancing?

2020-12-15 Thread Masataka Ohta

Sorry to have sent unedited mail.

On 2020/12/15 3:16, Lawrence Wobker wrote:

> So I’d argue that the pedantic answer is “you need only as many bits
> of entropy as your largest fan out” — meaning that 10 bits would
> allow 1024-way ECMP.  But I don’t think that’s what you were actually
> after...

But, that is the proper answer for backbones where fair load
balancing is really required with many flows from many sources
and destinations.

As the required number of bits for the entropy is, as you pointed
out, very small, at the backbones, even entropy by source and
destination addresses should be, in practice, enough.

Masataka Ohta


Re: how many bits of entropy do we need for load balancing?

2020-12-15 Thread Masataka Ohta

On 2020/12/15 3:16, Lawrence Wobker wrote:

So I’d argue that the pedantic answer is “you need only as many bits of entropy 
as your largest fan out” — meaning that 10 bits would allow 1024-way ECMP.  But 
I don’t think that’s what you were actually after...

Most of the challenges I’ve seen are not around how many bits you end up with, 
but rather how you get to those bits.  There are lots of different ways to 
compute the hash values, but if you want to be “fast” you’re unlikely to also 
get “good” and “cheap” generally to select a path, we run a hash function 
against some set of packet fields, then map that hash to one of the member 
links.  A “perfect” balancing algorithm would be crypto grade hash generation 
with a large output, and a true modulo operation to select which member we use. 
 The reality is that both crypto hash functions and modulo operations are more 
expensive than lots of other ways to compute it, so vendors (disclaimer, I work 
for Cisco) have lots and lots of combinations for how it’s actually done.

And then you still have the flow issue: since the vast majority of 
implementations are hashing flows regardless of their actual bandwidth, if you 
hash even a few ‘elephants’ onto the same link, you’re not going to get good 
distribution no matter how good your hashing/selection mechanism is.  With 
respect to your comment about standardization, I doubt you’ll ever be able to 
get a broad consensus on the combination of “how many bits we need given the 
other constraints for a spec” and “how much we want to assume about the 
goodness of the hash generator” and “how much I’m willing to just throw bits at 
the problem” ...

—lj

—lj

From: Lawrence Wobker 
Sent: Monday, December 14, 2020 12:33:07 PM
To: Pascal Thubert (pthubert) ; NANOG 
Subject: Re: how many bits of entropy do we need for load balancing?

So I’d argue that the pedantic answer is “you need only as many bits of entropy 
as your largest fan out” — meaning that 10 bits would allow 1024-way ECMP.

Most of the challenges I’ve seen are not around how many bits you end up with, 
but rather how you get to that state.  There are lots of different ways to 
compute the hash values, but if you want to be “fast” you’re unlikely to also 
get “good” and “cheap” generally to select a path, we run a hash function 
against some set of packet fields, then map that hash to one of the member 
links.  A “perfect” balancing algorithm would be crypto grade hash generation 
with a large output, and a true modulo operation to select which member we use. 
 The reality is that both crypto hash functions and modulo operations are more 
expensive than lots of other ways to compute it, so vendors (disclaimer, I work 
for Cisco) have lots and lots of combinations for how it’s actually done.

And then you still have the flow issue: since the vast majority of 
implementations are hashing flows regardless of their actual bandwidth, if you 
hash even a few ‘elephants’ onto the same link, you’re not going to get good 
distribution no matter how good your hashing/selection mechanism is.

—lj

From: NANOG  on behalf of Pascal Thubert 
(pthubert) via NANOG 
Sent: Monday, December 14, 2020 9:44:05 AM
To: NANOG 
Subject: how many bits of entropy do we need for load balancing?


Dear all:



How many bits of entropy do we need for (ECMP) load balancing in the core?

This question has kept coming up regularly in many discussions and drafts at 
the IETF.



The IPv6 flow label is 20 bits but hardware implementations do their balancing 
only on a subset of that, e.g. 12 or 16 bits.



There are drafts for MPLS, BIER, etc. that provide their own entropy bit fields 
of various sizes.

I traced to a 6MAN discussion at IETF 78 a claim that 10 or 11 bits were enough.



Did someone do the actual exercise? It would be neat to align the IETF specs in 
the making to whatever truth may be established in the core.



Keep safe,



Pascal
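
The points made in this thread about entropy width, the modulo step and elephant flows, as an added example that is not from any poster or vendor implementation. SHA-256 stands in for the "crypto grade" hash, the flows are constructed sample traffic, and all function names are hypothetical.

```python
import hashlib
import random
from collections import Counter


def entropy_bits(flow, bits):
    """Hash a flow tuple and keep only the low `bits` bits (the entropy field)."""
    digest = hashlib.sha256(repr(flow).encode()).digest()
    return int.from_bytes(digest[:8], "big") & ((1 << bits) - 1)


def pick_member(flow, bits, members):
    """Map the entropy value to one of `members` links with a true modulo."""
    return entropy_bits(flow, bits) % members


def modulo_shares(bits, members):
    """How many of the 2**bits entropy values land on each member link."""
    base, extra = divmod(1 << bits, members)
    return [base + 1 if m < extra else base for m in range(members)]


def load_per_link(flows, bits, members):
    """Sum bytes per member link; flows are (flow_tuple, byte_count) pairs."""
    load = Counter({m: 0 for m in range(members)})
    for flow, nbytes in flows:
        load[pick_member(flow, bits, members)] += nbytes
    return load


def make_flows(count, seed=1):
    """Constructed sample traffic: random 5-tuples carrying 1 MB each."""
    rng = random.Random(seed)
    return [((rng.getrandbits(32), rng.getrandbits(32), 6,
              rng.randrange(1024, 65536), 443), 1_000_000)
            for _ in range(count)]


def imbalance(load):
    """Busiest link's load divided by the mean load (1.0 is perfect)."""
    values = list(load.values())
    return max(values) / (sum(values) / len(values))


if __name__ == "__main__":
    mice = make_flows(20000)
    for bits in (3, 4, 10, 16):
        load = load_per_link(mice, bits, 16)
        used = sum(1 for v in load.values() if v)
        print(f"{bits:2d} bits, 16 links: {used} used, imbalance {imbalance(load):.2f}")
    print("10 bits over 3 links:", modulo_shares(10, 3))
    # Three constructed 2 GB flows hashed per flow, regardless of bandwidth.
    elephants = mice + [((1, 2, 6, 5000 + i, 443), 2_000_000_000) for i in range(3)]
    print("with 3 elephants, imbalance:",
          round(imbalance(load_per_link(elephants, 16, 16)), 2))
```

With fewer entropy bits than the fan-out needs, some member links can never be selected; with enough bits, the remaining imbalance comes from the modulo remainder and from per-flow byte counts rather than from the hash.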