Re: IPv6 woes - RFC

[Bjørn Mork]

Owen DeLong via NANOG  writes:

> This is my point… That is why I think an announcement of “On X date,
> we will begin charging extra for IPv4 services and define Internet Access
> to be IPv6” by a couple of the larger eyeball ISPs would light a pretty
> big fire under those laggards.
>
> Think about it… Amazon doesn’t want to lose access to Comcast, T-Mobile,
> Verizon Wireless, and/or AT&T eyeballs any more than those ISPs want
> to deal with the call center consequences if they turn off IPv4 before those
> content providers are ready.

By all means, let's just escalate the peering wars between eyeball
networks and content providers.  That will solve all our problems.



Bjørn

Re: IPv6 woes - RFC

[Masataka Ohta]

Owen DeLong via NANOG wrote:


The reality is that if we get content dual-stacked and stop requiring IPv4
for new eyeball installations, that’s the biggest initial win.



This is my point… That is why I think an announcement of “On X date,
we will begin charging extra for IPv4 services and define Internet Access
to be IPv6” by a couple of the larger eyeball ISPs would light a pretty
big fire under those laggards.


Aren't you calling your desire "the reality"?

Masataka Ohta

FCC: Promoting More Resilient Networks

[Sean Donelan]

This month's FCC meeting includes a notice of proposed rulemaking on 
wireless network resilience cooperative framework, outage reporting, and 
backup power arrangements.



https://docs.fcc.gov/public/attachments/DOC-375607A1.pdf

 What the NPRM Would Do:

•  Seek comment on potential improvements to the voluntary Framework, 
including evaluating what triggers its activation, its scope of 
participants, whether existing Framework elements can be strengthened, 
any gaps that need to be addressed, and whether the public would benefit 
from codifying some or all of the Framework.


•  Seek comment on ways to enhance the information available to the 
Commission through NORS and DIRS during disasters and network outages to 
improve situational awareness.


•  Seek comment on communications resiliency strategies for power 
outages, including improved coordination between communications service 
providers and power companies and deploying on-site backup power or other 
alternative measures to reduce the frequency, duration, or severity of 
power-related disruptions to communications services.

Re: Mirai botnet is back — now as "Meris"

[Mel Beckman]

No rest for the wired 🙂

From: NANOG  on behalf of Töma 
Gavrichenkov 
Sent: Thursday, September 9, 2021 10:07 AM
To: Brandon Svec 
Cc: NANOG 
Subject: Re: Mirai botnet is back — now as "Meris"

Peace,

On Thu, Sep 9, 2021 at 7:57 PM Brandon Svec via NANOG  wrote:
> Oof.  I wonder if there is any connection to their DDNS service outage a 
> couple days ago?
> https://forum.mikrotik.com/viewtopic.php?t=178256

No, hardly any.  That one seems to be just a DNS abuse
reporting/delegation issue.

...well, by some wild extension one could imagine that the botnet
operator reported some fake issue just to have the vendor's
infrastructure blocked.  Therefore, IoT vendors that don't enforce
security updates on the devices they sell, should expect criminals to
go to great lengths to keep their update servers and the
infrastructure down once some RCE vulnerabilities are found.  But
that's a wild extension.

--
Töma

Re: AT&T Ethernet sales contact

[TJ Trout]

Fyi there are 3 main ways to buy at&t; direct retail, through an agent and
through a carrier with an att wholesale agreement.

If your looking for DIA that is price fixed no matter the sales channel,
but transport is a fish market... We have sold circuits to customers at
over 50% less than retail quotes so make sure to do your due diligence.

TJ Trout
Volt Broadband

On Thu, Sep 9, 2021, 1:21 PM Brandon Martin 
wrote:

> Can anyone provide a sales contact at AT&T for Ehhernet transport in
> Indiana/Illinois/Ohio?
>
> Unicast replies welcome.
>
> --
> Brandon Martin
>

AT&T Ethernet sales contact

[Brandon Martin]

Can anyone provide a sales contact at AT&T for Ehhernet transport in 
Indiana/Illinois/Ohio?


Unicast replies welcome.

--
Brandon Martin

Re: IPv6 woes - RFC

[Owen DeLong via NANOG]

> On Sep 8, 2021, at 18:55 , Valdis Klētnieks  wrote:
> 
> On Wed, 08 Sep 2021 11:39:50 -0700, Owen DeLong via NANOG said:
> 
>> The reality is that if we get content dual-stacked and stop requiring IPv4
>> for new eyeball installations, that’s the biggest initial win.
> 
> The problem is "get content dual-stacked".
> 
> Somebody made this handy page of the IPv6 status for the Alexa Top 500.
> 
> http://www.delong.com/ipv6_alexa500.html
> 
> Awful lot of red spots even in the top 100.  Hell, even amazon.com
> isn't IPv6 yet.  And the long tail is going to be the death of a thousand
> cuts for the call center unless you have a way to deal with those sites.

This is my point… That is why I think an announcement of “On X date,
we will begin charging extra for IPv4 services and define Internet Access
to be IPv6” by a couple of the larger eyeball ISPs would light a pretty
big fire under those laggards.

Think about it… Amazon doesn’t want to lose access to Comcast, T-Mobile,
Verizon Wireless, and/or AT&T eyeballs any more than those ISPs want
to deal with the call center consequences if they turn off IPv4 before those
content providers are ready.

If they put that date, say, 5 years out, perhaps January 15, 2027 for
example, so that it doesn’t happen during the retail cash cow season,
I suspect it would drive that long tail to shorten. Right now, it’s costing
Amazon (amazon.com, not AWS) nothing to ignore IPv6 and continue
lagging, they’re able to externalize all of those costs onto the eyeball ISPs.

> And the devil is in the details.  cnn.com itself has a quad-A. But looking
> at Chrome loading it with the IPvFoo extension, I see that of the 145
> addresses it hits, only 38 are IPv6, the rest are IPv4.

You don’t think they’d be motivated by a drop-dead date agreed upon
by the eyeball ISPs? I think they would.

> On the other hand, looking at *who* are the IPv4, they seem to be
> overwhelmingly ad servers and analytics sites - so maybe hitting cnn.com as
> IPv6-only is a win for the consumer.  I rather suspect that the CFO of CNN
> would see it differently though

I rather suspect that an announcement of a drop-dead date 5 years out by
a select group of major eyeball providers would get the situation corrected
likely well short of 5 years.

> (Eerily reminiscent of the factoid that 60% of the cost of a long distance
> phone call before the AT&T breakup was keeping the accounting records
> so they could bill the customer)

Yes… IIRC, After the breakup, that jumped to more like 80% until things finally
got to the point that everyone recognized that eliminating the billing records
for such things saved tons of money.

Owen

Call for Participation -- ICANN DNSSEC and Security Workshop for ICANN72 Virtual Annual General Meeting

[Jacques Latour]

Hi all 😊

Hope you all had a great summer!!!  Let us know if you’re interested in 
presenting something DNSSEC or security related.

Thanks,

Jacques



Call for Participation -- ICANN DNSSEC and Security Workshop for ICANN72 
Virtual Annual General Meeting

In cooperation with the ICANN Security and Stability Advisory Committee (SSAC), 
we are planning a DNSSEC and Security Workshop for the ICANN72 Annual General 
Meeting being held virtually from 25-28 October 2021 in the Pacific Daylight 
Time Zone (UTC -7). This workshop date will be determined once ICANN creates a 
block schedule for us to follow; then we will be able to request a day and 
time. The DNSSEC and Security Workshop has been a part of ICANN meetings for 
several years and has provided a forum for both experienced and new people to 
meet, present and discuss current and future DNSSEC deployments.  For 
reference, the most recent session was held at the ICANN71 Virtual Meeting on 
14 June 2021. The presentations and transcripts are available at 
https://71.schedule.icann.org/meetings/3q22SHqif9XF5nFqG
 and 
https://71.schedule.icann.org/meetings/vv7XkuePvghwFaLgt

The DNSSEC Workshop Program Committee is developing a program.  Proposals will 
be considered for the following topic areas and included if space permits.  In 
addition, we welcome suggestions for additional topics either for inclusion in 
the ICANN72 workshop, or for consideration for future workshops.

1.  Global DNSSEC Activities Panel
For this panel, we are seeking participation from those who have been involved 
in DNSSEC deployment as well as from those who have not deployed DNSSEC but who 
have a keen interest in the challenges and benefits of deployment, including 
Root Key Signing Key (KSK) Rollover activities and plans.

2.  DNSSEC Best Practice
Now that DNSSEC has become an operational norm for many registries, registrars, 
and ISPs, what have we learned about how we manage DNSSEC?  Do you still 
submit/accept DS records with Digest Type 1? What is the best practice around 
key roll-overs?  What about Algorithm roll-overs? Do you use and support DNSKEY 
Algorithms 13-16? How often do you review your disaster recovery procedures? Is 
there operational familiarity within your customer support teams? What 
operational statistics have we gathered about DNSSEC? Are there experiences 
being documented in the form of best practices, or something similar, for 
transfer of signed zones?  Activities and issues related to DNSSEC in the DNS 
Root Zone are also desired.

3. DNSSEC Deployment Challenges
The program committee is seeking input from those that are interested in 
implementation of DNSSEC but have general or particular concerns with DNSSEC.  
In particular, we are seeking input from individuals that would be willing to 
participate in a panel that would discuss questions of the following nature:
- Are there any policies directly or indirectly impeding your DNSSEC 
deployment? (RRR model, CDS/CDNSKEY automation)
- What are your most significant concerns with DNSSEC, e.g., complexity, 
training, implementation, operation or something else?
- What do you expect DNSSEC to do for you and what doesn't it do?
- What do you see as the most important trade-offs with respect to doing or not 
doing DNSSEC?

4. Security Panel
The program committee is looking for presentations on DNS and Routing topics 
that could impact the security and/or stability of the internet. .
- DoH and DoT implementation issues, challenges and opportunities
- RPKI adoption and implementation  issues, challenges and opportunities
- BGP/routing/hijack issues, challenges and opportunities
- MANRS implementation challenges and opportunities
- Emerging threats that could impact (real or perceived)  the security and/or 
stability of the internet
- Domain hacking/hijacking prevention, best practice and techniques
- Browser related security implementations
- DMARC Challenges, opportunities and Best Practices
- BGP Flowspec challenges, opportunities and Best Practices

If you are interested in participating, please send a brief (1-2 sentence) 
description of your proposed presentation to 
dnssec-security-works...@icann.org 
by Friday, 17 September 2021

Thank you,
Kathy and Andrew
On behalf of the DNSSEC Workshop Program Committee:
Mark Elkins, DNS/ZACR
Jacques Latour, .CA
Russ Mundy, Parsons
Ondrej Filip, CZ.NIC
Yoshiro Yoneya, JPRS
Fred Baker, ISC
Dan York, Internet Society

Re: Mirai botnet is back — now as "Meris"

[Töma Gavrichenkov]

Peace,

On Thu, Sep 9, 2021 at 7:57 PM Brandon Svec via NANOG  wrote:
> Oof.  I wonder if there is any connection to their DDNS service outage a 
> couple days ago?
> https://forum.mikrotik.com/viewtopic.php?t=178256

No, hardly any.  That one seems to be just a DNS abuse
reporting/delegation issue.

...well, by some wild extension one could imagine that the botnet
operator reported some fake issue just to have the vendor's
infrastructure blocked.  Therefore, IoT vendors that don't enforce
security updates on the devices they sell, should expect criminals to
go to great lengths to keep their update servers and the
infrastructure down once some RCE vulnerabilities are found.  But
that's a wild extension.

--
Töma

Re: Mirai botnet is back — now as "Meris"

[Brandon Svec via NANOG]

Oof.  I wonder if there is any connection to their DDNS service outage a
couple days ago?
https://forum.mikrotik.com/viewtopic.php?t=178256
*Brandon Svec*



On Thu, Sep 9, 2021 at 2:43 AM Töma Gavrichenkov  wrote:

> Peace,
>
> An undisclosed (or, even, yet undiscovered by the vendor)
> vulnerability in SOHO Mikrotik routers seems to be exploited by
> someone.
> Approx. 328 thousand devices already joined the botnet, with each
> having unrestricted access to the uplink (up to 1 Gbps).  42,6% of
> exploited devices reside in the U.S.
>
> https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/
>
> I didn't know Mikrotik was so popular in North America!
> Patching all those SOHO WiFi routers must be fun...
>
> --
> Töma
>

Re: do bgp optimizers think?

[Jared Mauch]

> On Sep 9, 2021, at 11:44 AM, Randy Bush  wrote:
> 
> to control inbound traffic, how do bgp optimizers decide how to tune
> what they announce?  slfow?  exploration?  ouija board?
> 
> randy


Generally via sFlow or other traffic detail models.

- Jared

Re: do bgp optimizers think?

[jim deleskie]

Suspect for most th answer is poorly.  This is a conversation I've had with
a few people about how they could be well made

-jim

On Thu., Sep. 9, 2021, 12:45 p.m. Randy Bush,  wrote:

> to control inbound traffic, how do bgp optimizers decide how to tune
> what they announce?  slfow?  exploration?  ouija board?
>
> randy
>

do bgp optimizers think?

[Randy Bush]

to control inbound traffic, how do bgp optimizers decide how to tune
what they announce?  slfow?  exploration?  ouija board?

randy

PeeringDB 2021 User Survey

[Steve McManus]

Hi All,

Another year has passed since our 2020 survey so we're doing it again. As 
before, we'd like to hear what's working, what's not, and what could be better 
with PeeringDB. Last year's survey heavily influenced our roadmap and 
development over the past year. Your feedback is extremely valuable and 
listened to! In particular, we spent a lot of effort on revamping search ( 
https://docs.peeringdb.com/blog/geographic_search/  
https://docs.peeringdb.com/blog/advanced_search_1/ 
https://docs.peeringdb.com/blog/advanced_search_2/ ) and working on improving 
documentation. 

Please take the survey here: https://surveyhero.com/c/peeringdb2021usersurvey

You have about a month to fill it in - it will be open until 23:59 on October 
8th.

You can read more about the survey here: 
https://docs.peeringdb.com/blog/peeringdb_2021_user_survey/  

Thanks!

-Steve
Chair, PeeringDB Product Committee 

Re: Mirai botnet is back — now as "Meris"

[Mike Hammett]

Mikrotik is a very popular router in small to medium ISPs, running, well, 
everything. 




- 
Mike Hammett 
Intelligent Computing Solutions 
http://www.ics-il.com 

Midwest-IX 
http://www.midwest-ix.com 

- Original Message -

From: "Töma Gavrichenkov"  
To: "NANOG"  
Sent: Thursday, September 9, 2021 4:41:03 AM 
Subject: Mirai botnet is back — now as "Meris" 

Peace, 

An undisclosed (or, even, yet undiscovered by the vendor) 
vulnerability in SOHO Mikrotik routers seems to be exploited by 
someone. 
Approx. 328 thousand devices already joined the botnet, with each 
having unrestricted access to the uplink (up to 1 Gbps). 42,6% of 
exploited devices reside in the U.S. 

https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/ 

I didn't know Mikrotik was so popular in North America! 
Patching all those SOHO WiFi routers must be fun... 

-- 
Töma 

Google Captcha

[Joshua Pool via NANOG]

Last month one of our residential /20 blocks started to get the Captcha
page when searching Google.  Around the same time we get access denied on
QVC.com   So far nothing out of the ordinary has been observed with regards
to the networks and I do not see any blacklisting sites listing the block
in question.   I am open to any ideas and would love to have someone at
Google look into this se we can get to the bottom of this issue.

Regards,
Josh

Mirai botnet is back — now as "Meris"

[Töma Gavrichenkov]

Peace,

An undisclosed (or, even, yet undiscovered by the vendor)
vulnerability in SOHO Mikrotik routers seems to be exploited by
someone.
Approx. 328 thousand devices already joined the botnet, with each
having unrestricted access to the uplink (up to 1 Gbps).  42,6% of
exploited devices reside in the U.S.

https://blog.qrator.net/en/meris-botnet-climbing-to-the-record_142/

I didn't know Mikrotik was so popular in North America!
Patching all those SOHO WiFi routers must be fun...

--
Töma