Re: Issues encountered with assigning .0 and .255 as usable addresses?

2012-10-22 Thread Justin Krejci
And since Owen has not yet mentioned it, consider something that supports 
having : in its address as well. 

Sort of tangentially related, I had a support rep for a vendor once tell me 
that a 255 in the second or third octet was not valid for an ipv4 address. Hard 
to troubleshoot a problem when I had to first explain how ip addressing worked 
because the rep was so fixated on the 255 we were using on the network. If any 
product really doesn't like 255 in any position then you should consider 
yourself lucky to still be in business at all.

Jimmy Hess mysi...@gmail.com wrote:
On 10/22/12, Paul Zugnoni paul.zugn...@jivesoftware.com wrote:
[snip]
 Any experience or recommendations? Besides replace the ISA proxy…. Since
 it's not mine to replace. Also curious whether there's an RFC recommending
 against the use of .0 or .255 addresses for this reason.

ISA is old, and might not be supported anymore, unless you have an
extended support contract.   If it's not supported anymore, then don't
be surprised if it has breakage you will not be able to repair. I
don't recommend upgrading to TMG, either:  although still supported,
that was just discontinued.

If ISA is refusing traffic to/from IPs ending in .0, then ISA is
either broken, or misconfigured.
Get a support case with the vendor, raise it as a critical issue --
unable to pass traffic to critical infrastructure that ends with a
.255 or .0  IP address,  demand that the vendor provide a resolution,
And explain that changing the IP address of the remote server is not an option.


If the vendor can't or won't provide a resolution, then not only is
the proxy server broken,
but malfunctioning in a way that has an impact on network connectivity.

I would consider its removal compulsory, as you never know when a
network resource, web site, e-mail server, etc. your org has a
business critical need to access, or be accessed from, may be
placed on .255 or .0

--
-JH
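As an added illustration (not code from the thread), the following Python uses the standard ipaddress module to classify an address within a prefix classlessly; the prefixes and addresses are constructed samples chosen to include the .0, .255 and middle-octet-255 cases the posts mention.

```python
"""Check whether an IPv4 address is a usable host address in a prefix.

Added example for the thread above (not code from the original posts).
Under classless addressing only the network and broadcast addresses of
the prefix itself are excluded; an address ending in .0 or .255, or one
carrying 255 in a middle octet, is an ordinary host address inside any
prefix shorter than /24 (and for /31 and /32 nothing is excluded).
"""
import ipaddress


def classify_host(address: str, prefix: str) -> str:
    """Return 'host', 'network', 'broadcast' or 'outside' for address within prefix."""
    ip = ipaddress.IPv4Address(address)
    net = ipaddress.IPv4Network(prefix, strict=True)
    if ip not in net:
        return "outside"
    if net.prefixlen >= 31:          # RFC 3021 /31 (and /32): every address is a host
        return "host"
    if ip == net.network_address:
        return "network"
    if ip == net.broadcast_address:
        return "broadcast"
    return "host"


def ends_in_0_or_255(address: str) -> bool:
    """True when the last octet is 0 or 255, the pattern the ISA proxy objected to."""
    return int(address.rsplit(".", 1)[1]) in (0, 255)


def usable_dot0_dot255_hosts(prefix: str) -> list:
    """List the addresses in prefix that end in .0 or .255 yet are real host addresses."""
    net = ipaddress.IPv4Network(prefix)
    return [str(h) for h in net.hosts() if ends_in_0_or_255(str(h))]


if __name__ == "__main__":
    # Constructed sample values; the 255 in the second octet mirrors the
    # vendor rep's objection from the post above.
    samples = [("10.255.1.0", "10.255.0.0/23"), ("10.255.1.255", "10.255.0.0/23"),
               ("10.255.0.0", "10.255.0.0/23"), ("10.255.1.255", "10.255.0.0/22"),
               ("192.0.2.0", "192.0.2.0/31")]
    for addr, pfx in samples:
        print(f"{addr:14} in {pfx:18} -> {classify_host(addr, pfx)}")
    print(usable_dot0_dot255_hosts("10.255.0.0/22"))
```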



Multi site BGP Routing design

2009-06-05 Thread Justin Krejci
We have two geographically distinct locations that currently both fall under
the same ASN.

At site 1 we have a particular set of ip networks (/20 and bigger) in use
only locally to this site

At site 2 we have a separate set of ip networks (/20 and bigger) in use only
locally to this site

 

Each site has at least one upstream internet connection advertising with
BGP.

There is also a (reliable) private link between the two sites where our
routers at each site are all talking iBGP (as well as OSPF). There is a
router subnet (/27) that spans the two sites.

We currently advertise all subnets out all upstream connections as if both
sites were only one and traffic routes between sites without issue via the
private link.

 

If the private link between the two sites fails, will BGP allow for us to
access the IP subnets at site 2 from site 1 via the internet given that both
sites are advertising under the same ASN?

Is this a case where having multiple ASNs makes sense to treat each site as
remote peers to each other?

 

Thanks,

Justin

 



RE: Multi site BGP Routing design

2009-06-08 Thread Justin Krejci
Thanks to all for the on and off list replies, they've been helpful.

We get full BGP routes from all upstream connections (currently they are all
different providers). The upstream bandwidth is cheaper at site 2 than at
site 1 and the private backnet connection is a fixed cost so when previously
considering the multi-ASN approach we would plan for each site using the
other as a transit/gateway using eBGP but put preference on sending out via
site 2 and maybe prepend site 1 AS on the local upstream SP so incoming
favors site 2 as well (we're already doing this preferential routing
anyways).

I don't particularly care for the "allow routes for our own ASN to arrive from
an upstream BGP session" approach, especially when it seems like all carriers
would need to be cooperative on this, which may not be a big deal overall but
adds another layer of complexity and difficulty if we change/add/remove
carriers later on. What if they don't all support it, change their policies,
or upgrade to a new version of router code that makes the default/expected
behavior interfere?

I am thinking the multiple ASN route is the cleanest, but the idea of letting
a default gateway (via static route maybe) out the local upstream connection
reach the other site when the backnet link is down sounds like it would
work with minimal to no headaches; it just somehow seems like a duct
tape job. Does this sort of technique have any significant flaws or concerns
associated with it?


-Original Message-
From: Adam Greene [mailto:maill...@webjogger.net] 
Sent: Saturday, June 06, 2009 8:38 AM
To: nanog@nanog.org
Subject: Re: Multi site BGP Routing design

Hi all,

We actually have a very similar setup to what Justin asked about, with the 
exception that we advertise only some of our netblocks to one provider and 
the rest to the other. If one of the providers fails, we then advertise all 
netblocks through the provider which is still up. If the private link 
between our two locations fails, the two halves of our network communicate 
via the Internet.

From what Justin described, I would think he would be able to keep a single 
ASN and configure his network so that if the private link goes down, the two 
newly disconnected halves of his network advertise only the netblocks they 
can still see (i.e. the ones on their half). As long as his internal 
network is set up with dynamic routing (iBGP / OSPF) the two halves should 
realize they have to get to the other half via the Internet.

In our case, we don't get full routing tables from our providers, just 
default routes. Perhaps in Justin's case something as simple as a floating 
static route via the Internet to the other half of the network would take 
care of any ASN weirdness. It doesn't sound like he really needs his border 
routers to speak BGP with each other while the private link is down. If he 
wanted to remove the BGP session entirely under these circumstances, he 
could do the iBGP peering between RFC 1918 addresses and thus force the iBGP 
session to go down if the private link fails.

Thanks,
Adam



- Original Message - 
From: Saqib Ilyas msa...@gmail.com
To: nanog@nanog.org
Sent: Saturday, June 06, 2009 8:21 AM
Subject: Re: Multi site BGP Routing design


 For a given interconnection between the upstream ISPs for the two site, 
 once
 the direct link goes down, the time required for site A to learn the new
 route to site B and vice versa would be different with the different
 proposed solutions, right?
 Thanks and best regards

 On Sat, Jun 6, 2009 at 12:40 PM, Ivan Pepelnjak i...@ioshints.info wrote:

  To rephrase the OP's question, would it be BCP to acquire a
  second ASN, and without further de-aggregating, continue
  advertising each site's IP space to the DFZ, but from
  dissimilar ASs as opposed to the same one?

 This would definitely be the best approach. You're not introducing new IP
 prefixes and you're not extending AS paths, so the net effect on the 
 global
 BGP routing is zero (OK, you might have to use the 4 byte AS number :).

 Just make sure that both ISPs you connect to allow you to advertise
 transit prefixes. If site A public link goes down, but the private link
 is
 up, site B will advertise its own address space plus site A's address 
 space
 with an extra AS number in the AS path (and the upstream ISP might filter
 that).

 Ivan

 http://www.ioshints.info/about
 http://blog.ioshints.info/





 -- 
 Muhammad Saqib Ilyas
 PhD Student, Computer Science and Engineering
 Lahore University of Management Sciences

 






H3C Switches/Routers

2009-07-13 Thread Justin Krejci
Nanog,

I was just looking at the H3C 12500 enterprise product for which I received
a slideshow presentation on its features and comparisons to Nexus 7018,
Foundry/Brocade RX32, Juniper EX8218 and Force10 E1200. 

It does not look like they have a significant market share but make a lot of
bold claims on side-by-side comparisons to comparable products from their
competition.

Is anyone using H3C products (enterprise or otherwise) here at all? If so,
what are your thoughts on them? Are there any noticeable drawbacks?
Performance issues? Support? Just an overall summary would be nice.

Thanks,
Justin Krejci 




RE: cisco.com

2009-08-04 Thread Justin Krejci
The IP is back in BGP and the website is working for me now.




Re: accessing multiple devices via a script

2012-01-15 Thread Justin Krejci
Parallel ssh (pssh) might help you too


--Original Message--
From: Abdullah Al-Malki
To: nanog@nanog.org
Subject: accessing multiple devices via a script
Sent: Jan 15, 2012 11:52 AM

Hi fellows,
I am supporting a big service provider and sometimes I face this problem.
Sometimes I want to access my customer network and want to extract some
verification output show commands from a large number of devices.

What kind of scripting solutions are you guys using in this case?

Appreciate the feedback,
Abdullah




Re: enterprise 802.11

2012-01-15 Thread Justin Krejci
No one has mentioned Belair yet? Serves the Minneapolis network pretty well.

http://www.belairnetworks.com/

 
-Original Message-
From: Greg Ihnen os10ru...@gmail.com
Date: Sun, 15 Jan 2012 19:06:26 
To: Nathan Eisenbergnat...@atlasnetworks.us
Cc: nanog@nanog.orgnanog@nanog.org
Subject: Re: enterprise 802.11

Since we're already top-posting…

I've heard a lot of talk on the WISPA (wireless ISP) forum that 802.11g/n 
starts to fall apart with more than 30 clients associated if they're all 
reasonably active. I believe this is a limitation of 802.11g/n's media access 
control (MAC) mechanism, regardless of whose brand is on the box. This is most 
important if you're doing VoIP or anything else where latency and jitter is an 
issue.

To get around that limitation, folks are using proprietary protocols with 
polling media access control. Ubiquiti calls theirs AirMax. Cisco uses 
something different in the Canopy line. But of course then you've gone to 
something proprietary and only their gear can connect. So it's meant more for 
back-hauls and distribution networks, not for end users unless they use a 
proprietary CPE.

Since you need consumer gear to be able to connect, you need to stick with 
802.11g/n. You should limit to 30 clients per AP. You should stagger your 
2.4GHz APs on channels 1, 6 and 11, and turn the TX power down and have them 
spaced close enough that no more than 30 will end up connecting to a single AP. 
5.8GHz APs would be better, and you'll want to stagger their channels too and 
turn the TX power down so each one has a small footprint to only serve those 
clients that are nearby.

Stay away from mesh solutions and WDS where one AP repeats another, that 
kills throughput because it hogs airtime. You'll want to feed all the APs with 
Ethernet.

Greg

On Jan 15, 2012, at 4:22 PM, Nathan Eisenberg wrote:

 Ubiquiti's Unifi products are decent, and have *MUCH* improved since their 
 original release (amazing what you can do with better code!).  In the 
 original release, you had to have a management server running on the same L2 
 network as the APs - they've moved the management to a L3 model so you can 
 put the controller elsewhere.  The big PITA with their system is that any 
 change requires 'reprovisioning' the APs, which means rebooting all of them 
 in sequence.  They've added VLANs, multiple SSID's/AP, wireless 
 backhaul/chaining, guest portalling, and limiters to balance the # of clients 
 / AP.
 
 In a noisy environment, I've found that they top out at around 30 devices / 
 AP for good performance, and 50 devices / AP for 'working/not working'.  In a 
 clean environment, I've seen decent performance with 70 - 100 devices / AP.  
 Of course, if one bad client comes along (with a card that doesn't backoff 
 its TX power, etc), it can wreak havoc with higher densities.  You really 
 can't argue with Unifi's price.
 
 If you move up the price scale, Meraki seems to be a good midrange solution, 
 and they have some really sweet reporting functionality.  They're more 
 expensive, though.
 
 And then, yes, Cisco is the gold standard, but it will cost you some gold to 
 get it.
 
 Nathan
 
 -Original Message-
 From: Mike Lyon [mailto:mike.l...@gmail.com]
 Sent: Sunday, January 15, 2012 11:54 AM
 To: Meftah Tayeb
 Cc: nanog@nanog.org
 Subject: Re: enterprise 802.11
 
 Ubiquity (www.ubnt.com) has their Unifi line of products. It's still pretty 
 new
 in the marketspace and thus, working out the bugs. I use their other products
 exclusively for outdoor wireless.
 
 However, in the offices I've done, I've used Cisco's WLC 4402 controller which
 supports 12 access points. They have controllers which support more APs as
 well.
 
 Hit me up offlist if you have any questions.
 
 -mike
 
 Sent from my iPhone
 
 On Jan 15, 2012, at 11:39, Meftah Tayeb tayeb.mef...@gmail.com wrote:
 
 Ubiquity
 or ubikity, maybe is miss spelled
 Someone correct the spelling for him please thank you
 - Original Message - From: Ken King kk...@yammer-inc.com
 To: nanog@nanog.org
 Sent: Sunday, January 15, 2012 9:30 PM
 Subject: enterprise 802.11
 
 
 I need to choose a wireless solution for a new office.
 
 up to 600 devices will connect.  most devices are mac books and mobile
 phones.
 
 we can see hundreds of access points in close proximity to our new office
 space.
 
 what are the thoughts these days on the best enterprise solution/vendor?
 
 Thanks for your replies.
 
 
 Ken King
 
 
 
 
 
 
 




Re: Cogent for ISP bandwidth

2012-05-15 Thread Justin Krejci
+1 for cogent, problem free and good responsive support.

Not sure why "don't use only 1 upstream if you care about accessibility" has 
anything to do with Cogent specifically. Are peering/de-peering disputes more 
likely to occur than all other network/routing issues combined? It's just 
another possible cause for an outage.



--Original Message--
From: Mark Stevens
To: nanog@nanog.org
ReplyTo: mana...@monmouth.com
Subject: Re: Cogent for ISP bandwidth
Sent: May 15, 2012 7:21 AM

We use Cogent as one of our upstreams and have had nothing but stability 
and excellent support over the years. But as others said, you really need 
multiple upstreams and cannot rely just on one whether it is Cogent or 
any other provider.


Mark

On 5/14/2012 6:03 PM, Jason Baugher wrote:
 The emails on the Outages list reminded me to ask this question...

 I've done some searching and haven't been able to find much in the 
 last 3 years as to their reliability and suitability as an upstream 
 provider. For a regional ISP looking for GigE ports in the Chicago/St. 
 Louis area, is Cogent a reasonable solution? Our gut feeling is that 
 they don't stack up against a Level3 or Sprint, but they are being 
 very aggressive with pricing to try and get our business.

 Thanks,
 Jason








RE: Networking performance

2009-02-11 Thread Justin Krejci
STG is a very simple Windows real-time SNMP grapher
http://leonidvm.chat.ru/

It is geared at interface throughput but can easily be used for things like
CPU utilization, firewall connection counts, temperature, etc.

-Original Message-
From: Joel Jaeggli [mailto:joe...@bogus.com] 
Sent: Friday, February 06, 2009 12:59 PM
To: Deric Kwok
Cc: nanog@nanog.org
Subject: Re: Networking performance

Deric Kwok wrote:
 Hi
 
 I would like to ask your professional experience about switch throughput
 
 I have Gig switches, e.g. HP 3400/3500, Cisco C4948..., D-Link
 In their spec, they said that it can handle Gig
 So far, I couldn't see their ports are used up over 200M in mrtg graph
 when I try to transfer 3G size files to files between computers

So, first off there's the question of sample interval vs the actual time
the transfer takes... I'd use an instrument other than mrtg to measure
the speed of the transfer, for example bytes transferred/wall clock time.

Second, you're benchmarking a bunch of components other than the
network, like your disks for example, which are likely slower than the
125MB/s you're trying to measure... Switch to ttcp or iperf for your
throughput measurement and you'll probably get a lot closer to measuring
what you're in fact trying to measure.

 Is there any limitation in those switches?
 or I have to do configuration eg: put it full duplex instead of auto

autonegotiation on gigabit interfaces should almost always produce the
desired result.

 Thank you for your help
 





RE: McAfee/ATT Issue

2009-02-18 Thread Justin Krejci
We've also seen that busy routers are slower to respond to requests directed
at them as opposed to traffic routing thru them which can continue to work
without issue or performance loss.

-Original Message-
From: Kameron Gasso [mailto:kgasso-li...@visp.net] 
Sent: Wednesday, February 18, 2009 12:03 PM
To: Calhoun, Matthew
Cc: NANOG list
Subject: Re: McAfee/ATT Issue

Calhoun, Matthew wrote:
 9   212 ms   200 ms * 12.118.225.22 Problem occurring
here. Sometimes traffic gets through, sometimes it doesn't
 10   29 ms26 ms26 ms  216.143.71.219
 11   26 ms26 ms26 ms  www.mcafeeasap.com [208.69.153.135]

Looks a lot like that hop is rate-limiting ICMP to itself.  Everything 
beyond it seems to be good from the looks of it.

-Kam




RE: dns interceptors

2010-02-18 Thread Justin Krejci
While not covering all apps you may want to use, it does work for at least
Firefox when web browsing (works on non-windows too) when using an ssh socks
proxy

Go to the address
about:config

filter for dns

toggle network.proxy.socks_remote_dns to true and then Firefox will send
its own DNS queries over the socks proxy.



-Original Message-
From: Patrick W. Gilmore [mailto:patr...@ianai.net] 
Sent: Sunday, February 14, 2010 11:42 AM
To: North American Network Operators Group
Subject: Re: dns interceptors

On Feb 14, 2010, at 12:37 PM, Jason Frisvold wrote:
 On Feb 13, 2010, at 4:58 PM, Randy Bush wrote:
 i am often on funky networks in funky places.  e.g. the wireless in
 changi really sucked friday night.  if i ssh tunneled, it would multiply
 the suckiness as tcp would have puked at the loss rate.
 
 You can always run your own local resolver...  Or is there a reason that's
unacceptable?

How does that help?  It still sends port 53 requests to the authorities,
which will be intercepted.

-- 
TTFN,
patrick


 smb whacked me that i should use non-tcp tunnels.
 
 randy
 
 
 -- 
 Jason 'XenoPhage' Frisvold
 xenopha...@gmail.com
 http://blog.godshell.com
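As an added example (not from the original message), this Python builds and decodes the SOCKS5 CONNECT request of RFC 1928 in the two forms the Firefox setting selects between: hostname (ATYP 0x03, the proxy resolves it) versus locally resolved IP (ATYP 0x01/0x04, the lookup leaves the local network first). The hostname, port and stand-in resolver are constructed, and the function names are the example's own.

```python
"""SOCKS5 CONNECT requests with and without remote DNS (RFC 1928).

Added example for the post above (not code from the original message).
network.proxy.socks_remote_dns=true makes Firefox place the hostname in the
CONNECT request (ATYP 0x03) so the SOCKS server resolves it at the far end
of the tunnel. With it false, Firefox resolves the name locally and sends
the resulting IP (ATYP 0x01/0x04), so the DNS query still goes out on the
local network where it can be intercepted. Hostname and port are constructed.
"""
import ipaddress
import socket
import struct

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


def build_connect(host: str, port: int, remote_dns: bool, resolver=None) -> bytes:
    """Build a SOCKS5 CONNECT request: VER CMD RSV ATYP DST.ADDR DST.PORT.

    remote_dns=True: encode the hostname as-is (the proxy resolves it).
    remote_dns=False: resolve locally with `resolver` (defaults to
    socket.gethostbyname) and encode the address; this is the path that
    leaks the DNS query to the local network.
    """
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    header = struct.pack("!BBB", SOCKS_VERSION, CMD_CONNECT, 0x00)
    try:
        ip = ipaddress.ip_address(host)       # literal IP: never needs resolving
    except ValueError:
        ip = None
    if ip is None and remote_dns:
        name = host.encode("idna")
        if len(name) > 255:
            raise ValueError("hostname too long for SOCKS5 DOMAINNAME")
        addr = struct.pack("!BB", ATYP_DOMAIN, len(name)) + name
    else:
        if ip is None:
            resolve = resolver or socket.gethostbyname
            ip = ipaddress.ip_address(resolve(host))   # the local lookup happens here
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = struct.pack("!B", atyp) + ip.packed
    return header + addr + struct.pack("!H", port)


def parse_connect(req: bytes) -> dict:
    """Decode a CONNECT request so the two forms can be compared side by side."""
    ver, cmd, _rsv, atyp = struct.unpack("!BBBB", req[:4])
    if ver != SOCKS_VERSION or cmd != CMD_CONNECT:
        raise ValueError("not a SOCKS5 CONNECT request")
    if atyp == ATYP_DOMAIN:
        n = req[4]
        dst, rest = req[5:5 + n].decode("idna"), req[5 + n:]
    elif atyp == ATYP_IPV4:
        dst, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_IPV6:
        dst, rest = str(ipaddress.IPv6Address(req[4:20])), req[20:]
    else:
        raise ValueError("unknown ATYP")
    (port,) = struct.unpack("!H", rest[:2])
    return {"atyp": atyp, "dst": dst, "port": port, "proxy_resolves": atyp == ATYP_DOMAIN}


if __name__ == "__main__":
    # Constructed resolver so the demo never touches the real network.
    fake_resolver = lambda name: "192.0.2.10"
    for remote in (True, False):
        req = build_connect("example.test", 443, remote, resolver=fake_resolver)
        print(f"socks_remote_dns={remote}: {req.hex()} -> {parse_connect(req)}")
```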
 
 





RE: Belkin Router issues this morning?

2014-10-07 Thread Justin Krejci
https://twitter.com/search?q=%23belkin

Sounds like a bad firmware update most likely.
Presumably the Belkin routers perform caching DNS for the LAN clients, for if 
the LAN clients use alternate DNS servers (OpenDNS, Google, your ISP's, etc.) 
there are no longer any issues for those devices, as reported by several random 
people on the Internet.



From: Nick Olsen [n...@flhsi.com]
Sent: Tuesday, October 07, 2014 8:56 AM
To: Parrish, Luke; nanog@nanog.org
Subject: re: Belkin Router issues this morning?

Seeing reports bounce around on the WISPA lists. Looks to be widespread.
Reports on their twitter as well.

I've had one customer with an issue related thus far.

Nick Olsen
Network Operations  (855) FLSPEED  x106




 From: Parrish, Luke luke.parr...@suddenlink.com
Sent: Tuesday, October 07, 2014 9:48 AM
To: nanog@nanog.org nanog@nanog.org
Subject: Belkin Router issues this morning?
Anyone out there seeing issues with Belkin routers connecting?

I have also noticed that Belkins website has 80 percent packet loss and
their support number is busy.

Luke Parrish | Network Operations Engineer I | Suddenlink Communications |
866.232.5455









Comcast Static IP Changed With New Modem?

2015-02-09 Thread Justin Krejci
Has anyone run into the situation where their static IP address from Comcast 
(on the business class cable modem Internet service) was changed when the modem 
was replaced?

We have a remote site that uses Comcast as a backup Internet connection and 
when we went to use it recently our VPN tunnel would not establish. After 
working with the Comcast support group we discovered Comcast changed our static 
IP address. I am working through trying to figure out the when and the why with 
Comcast still and suspect it was changed when the modem was replaced back in 
December. The modem was replaced by Comcast as our previous modem was 
apparently EOL'ed.

We're now setting up additional monitoring to verify the accessibility of our 
remote site via the Comcast connection so we don't have any future uh-ohs when 
we need to use our backup connection and it too is not fully functional.

TIA,
-Justin


Equipment Supporting 2.5gbps and 5gbps

2016-01-27 Thread Justin Krejci
I've a couple 10 port Cisco switches that support 2.5 and 5gbps over cat5e, 
just wondering if there are any other vendors out there with offerings that 
support these newer ethernet speeds. Supporting cat5e for these multi-gig 
speeds is a real boon in many circumstances given the wide popularity of it in 
many buildings.

Does anyone have any experience with or knowledge of other products, switches 
in particular, supporting 2.5 and 5 gbps?

Thanks.




RE: Anyone with a clue at Zayo?

2016-09-16 Thread Justin Krejci
Might help if you indicate type of service as they have lots of services 
covered by different groups: IP transit, wave, dark fiber, voip, Colo, etc. 
Their Enterprise division does yet other services.

Might also help if you provide at least a general location/region.



-Original Message-
From: Patrick Sumby [patrick.su...@sohonet.com]
Received: Friday, 16 Sep 2016, 7:22PM
To: nanog@nanog.org [nanog@nanog.org]
Subject: Anyone with a clue at Zayo?

Have a turnup we've been working on all day and no luck so far. Now
we're being told that nobody can help outside hours :(

Any help much appreciated.

Thanks
Pat


RE: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-23 Thread Justin Krejci
If you read the article, it is made clear he was "kicked off" of a free service 
being provided. He was not a paying customer of Akamai and does not fault 
Akamai for their decision.



From: Grant Ridder [shortdudey...@gmail.com]
Sent: Friday, September 23, 2016 12:58 PM
To: nanog@nanog.org
Subject: Krebs on Security booted off Akamai network after DDoS attack proves 
pricey

Didn't realize Akamai kicked out or disabled customers
http://www.zdnet.com/article/krebs-on-security-booted-off-akamai-network-after-ddos-attack-proves-pricey/

"Security blog Krebs on Security has been taken offline by host Akamai
Technologies following a DDoS attack which reached 665 Gbps in size."

-Grant


RE: BGP Route Reflector - Route Server, Router, etc

2017-01-13 Thread Justin Krejci
Thanks for all of the replies (on and off list). It is appreciated.

Scaling in this context is simply adding more and more routers and 
needing/wanting to avoid configuring full mesh iBGP due to the administrative 
burden of maintaining the growing size of full mesh topology. In one particular 
network in question, I have 11 routers fully meshed and need to add several 
more over the coming 6-12 months, possibly adding as many as 10 more routers in 
that time span. I'd prefer not to continue doing full mesh.

As for 7206VXR with NPE-G1 or G2 cards, we have many sitting in a 
decommissioned state on shelves as well as a few still alive serving a handful 
of T-1 lines and various other legacy connections of that sort. These little 
7200's sit and run, forever near as I can tell. As many routers in this network 
do contain full route eBGP connections I will strongly consider your suggestion 
of avoiding using the 7200's due to potential memory constraints and 
CPU/convergence time capabilities. I don't think I have done any full table 
feeds on a 7200 in many years (days of 200k-300k table size days)

This fits in with the kind of feedback I was hoping for, Thanks!



From: NANOG [nanog-boun...@nanog.org] on behalf of Leo Bicknell 
[bickn...@ufp.org]
Sent: Friday, January 13, 2017 7:23 AM
To: nanog@nanog.org
Subject: Re: BGP Route Reflector - Route Server, Router, etc

In a message written on Thu, Jan 12, 2017 at 08:32:44PM +, Justin Krejci 
wrote:
> I am working on some network designs and am adding some additional routers to 
> a BGP network. I'd like to build a plan of changing all of the existing 
> routers over from full iBGP mesh to something more scalable (ie route 
> reflection).

You might want to better define "scalable".  I don't know your
background or network so I can't guess.  I can say I've seen
the inner workings of some large ISP networks with a lot of hosts
in iBGP that work fine, and then people with 5 routers try and
tell me they have a scaling problem.

What is your actual problem?  Memory usage?  Convergence time?
Configuring the sessions?  Staff understanding of how it works?

> I am wondering if people can point me in the direction to some good resource 
> material on how to select a good BGP route reflector design. Should I just 
> dust off some 7206VXR routers to act as route reflectors?

This is a red flag to me, relative to the questions above.

The 7206VXR, even with an NPE-G2, is a 1.5Ghz Power PC with a paltry
2GB of DRAM.  It was not speedy when new, being roughly equivalent
to the PowerPC G4 processors in Apple Laptops at the time.  It is
approximately 8 times slower than a current iPhone.  Seriously.

If convergence time is anything you care about, a 7206VXR is a very
bad choice.  It may also run out of memory if you have a lot of
edges with full tables.

So what's the actual "scaling" problem?

--
Leo Bicknell - bickn...@ufp.org
PGP keys at http://www.ufp.org/~bicknell/


BGP Route Reflector - Route Server, Router, etc

2017-01-12 Thread Justin Krejci
Nanog,

I am working on some network designs and am adding some additional routers to a 
BGP network. I'd like to build a plan of changing all of the existing routers 
over from full iBGP mesh to something more scalable (ie route reflection). 
Fortunately, I am also going to be able to decommission some older routers from 
the network and so shrinking the existing iBGP full mesh is something I am all 
too happy to spend time and energy on.

For the purpose of this thread though, I am not really interested in the route 
reflector vs confederation discussion.

In doing some research[1][2][3][4][5] I see a lot of discussions, config 
examples, etc on using route reflectors but most suggest picking a router, or 
more appropriately a set of routers, to become route reflectors within an ASN. 
I have not found many resources discussing using a non-router box as a route 
reflector (ie a device not necessarily in the forwarding path of the through 
traffic). I am thinking things like OpenBGPd and BIRD could make a good route 
reflector though they are most often discussed in the context of IXPs (ie eBGP 
sessions).

I am wondering if people can point me in the direction to some good resource 
material on how to select a good BGP route reflector design. Should I just dust 
off some 7206VXR routers to act as route reflectors? Use a few existing live 
routers and just add the responsibility of being route reflectors, is there a 
performance hit? Install and run BIRD on new server hardware? Buy some newer 
purpose built routers (Cisco, Juniper, Brocade, etc) to act as route reflectors 
and add them to the iBGP topology? GNS3 running IOS on server hardware? 
Something else? How many reflectors should be implemented? Two? Four?

What are the pros and cons of one design over another? On list or private off 
list replies would be great; I'd welcome real world experiences (especially any 
big gotchas or caveats people learned the hard way) as well as just links to 
previous discussions, PDFs, slideshows, etc. Heck even a good book suggestion 
that covers this topic would be appreciated.

[1] - iBGP-to-RR migration slideshow: 
http://meetings.ripe.net/ripe-42/presentations/ripe42-eof-bgp/sld015.html
[2] - General RR design issues: 
http://www.netcraftsmen.com/bgp-route-reflector-design-issues/
[3] - Video intro to RR from Cisco: 
http://www.cisco.com/c/dam/en_us/training-events/le31/le46/cln/qlm/CCIP/bgp/introducing-route-reflectors-2/player.html
[4] - Quagga and BIRD as RR example: 
https://bsdrp.net/documentation/examples/bgp_route_reflector_and_confederation_using_quagga_and_bird
[5] - Countless hours on youtube: 
https://www.youtube.com/results?search_query=bgp+route+reflector

Lots more data is out there of course as that is part of my problem.

Thanks!

Justin
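The following Python (an added example, not from the thread or any vendor) models the two things the thread turns on: how many iBGP sessions a full mesh needs versus a reflector design for the router counts Justin gives, and the RFC 4456 rules a reflector applies when deciding whom to re-advertise a route to and when to drop it as a loop. Router names, cluster ID and prefixes are constructed.

```python
"""Route-reflector session counts and forwarding rules (RFC 4456).

Added example for the route-reflector thread above; it is not code from the
posts. A client needs one session per reflector instead of one per router,
and what a reflector re-advertises depends only on whether the route came
from a client, a non-client, or from outside the AS. ORIGINATOR_ID and
CLUSTER_LIST are the loop-prevention attributes the reflector adds. Router
names, the cluster ID and the prefixes are constructed sample values.
"""


def ibgp_sessions(routers: int, reflectors: int = 0) -> int:
    """Sessions in a full mesh, or with every client homed to every reflector
    plus a full mesh among the reflectors themselves."""
    if reflectors == 0:
        return routers * (routers - 1) // 2
    clients = routers - reflectors
    return clients * reflectors + reflectors * (reflectors - 1) // 2


class RouteReflector:
    def __init__(self, name, cluster_id, clients, nonclients):
        self.name, self.cluster_id = name, cluster_id
        self.clients, self.nonclients = set(clients), set(nonclients)

    def reflect(self, from_peer, route):
        """Return (route_to_send, recipients) per RFC 4456 sections 6 and 8.

        `route` is a dict of attributes; ORIGINATOR_ID and CLUSTER_LIST are
        optional. (None, set()) means the route is discarded as a loop.
        """
        cluster_list = list(route.get("CLUSTER_LIST", []))
        if self.cluster_id in cluster_list:
            return None, set()              # already passed through this cluster
        if route.get("ORIGINATOR_ID") == self.name:
            return None, set()              # we originated it ourselves
        out = dict(route)
        if from_peer in self.clients:
            # client route: to all other clients and to all non-clients
            recipients = (self.clients | self.nonclients) - {from_peer}
        elif from_peer in self.nonclients:
            # non-client route: to clients only (non-clients are fully meshed)
            recipients = set(self.clients)
        else:
            # learned via eBGP: ordinary advertisement to every iBGP peer
            recipients = self.clients | self.nonclients
        if from_peer in self.clients or from_peer in self.nonclients:
            out.setdefault("ORIGINATOR_ID", from_peer)      # keep an existing one
            out["CLUSTER_LIST"] = [self.cluster_id] + cluster_list
        return out, recipients


if __name__ == "__main__":
    # Thread's numbers: 11 routers today, up to 21 within a year.
    for n in (11, 21):
        print(f"{n} routers: full mesh {ibgp_sessions(n)} sessions, "
              f"2 reflectors {ibgp_sessions(n, 2)} sessions")
    rr = RouteReflector("rr1", "1.1.1.1", clients=["c1", "c2", "c3"],
                        nonclients=["rr2", "core1"])
    print(rr.reflect("c1", {"prefix": "203.0.113.0/24"}))
    print(rr.reflect("rr2", {"prefix": "203.0.113.0/24",
                             "CLUSTER_LIST": ["2.2.2.2", "1.1.1.1"]}))
```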




RE: New ASN Assignments in ARIN

2017-03-23 Thread Justin Krejci
Last few new ASN additions ARIN has issued:

Add AS396022
Add AS396023
Add AS396024
Add AS396025
Add AS396026
Add AS396027


ARIN has a daily mailing list where they indicate all of their newly updated 
number resource registrations.

http://lists.arin.net/pipermail/arin-issued/



From: James Breeden [ja...@arenalgroup.co]
Sent: Thursday, March 23, 2017 12:01 PM
To: 'NANOG'
Subject: New ASN Assignments in ARIN

If requesting a new ASN assignment in the ARIN region these days, what block of 
ASNs is ARIN assigning from?

More curiosity than anything.


James W. Breeden
Managing Partner

Arenal Group: Arenal Consulting Group | Acilis Telecom | Pines Media
PO Box 1063 | Smithville, TX 78957
Email: ja...@arenalgroup.co | office 512.360. 
| cell 512.304.0745 | www.arenalgroup.co



Disney+ Streaming

2019-11-12 Thread Justin Krejci
I see the Disney service went live today, with some load issues according to 
various news reports and down detector. Is it well known where the newly 
released Disney+ streaming service content is sourced? Are they using their own 
servers on AS22604 or using one or more of the established CDNs? Or some 
combination, or something else entirely?


As the service grows in popularity, and its breadth of content and manageable 
price is likely to attract a lot of growth, I'd like to plan for any necessary 
augmentations to the network. I have not yet seen a noticeable change in 
traffic trends locally but I am sure during the evening time it is likely to be 
more apparent where it all comes from.


NFL Sunday Ticket - Online Streaming service

2019-12-10 Thread Justin Krejci
I am looking for a contact in the network group (may be called National 
Escalation team or NatEsc team internally) within AT&T/DirecTV pertaining to 
the NFL Sunday Ticket online streaming service. I have been attempting to work 
through their normal support process for quite some time, they are extremely 
isolated and handicapped in the support center and I am so frustrated at the 
impossibility to get any traction through their call center to deal with a 
network related issue. I have had 4 cases go to their escalation team and they 
all mysteriously close with no real or valid resolution. I've spoken with about 
4 or 5 supervisors in their Tulsa call center and they are unable to do much. 
It has been a nightmare and I am hoping someone has a contact they can get me 
in touch with.



Venmo - Geolocation Challenges

2020-04-23 Thread Justin Krejci
Hello,


I am looking for a Venmo network contact that can assist with a geolocation 
error in their systems. We have customers on a particular IP prefix who are 
being flagged by Venmo as outside of the USA but they are not outside of the 
USA. All standard geolocation systems I can find, as well as ARIN, all show the 
IP prefix as within the USA. Normal Venmo support channels are not fruitful to 
resolve the issue, they mostly just indicated users need to use their mobile 
data connection to get a different IP address for Venmo transactions. That is 
fine as a temporary work around but that is not a solution. Venmo support has 
expressed they are not going to do anything more for us in this regard.


So if anyone has a relevant contact I might reach out to at Venmo or knows if 
Venmo uses a particular 3rd party geolocation data set and can share that with 
me that would be appreciated. I don't mind working with any organization to 
straighten out any stale data, I just need some assistance getting to someone 
who has the info or access.


Thanks!!

Justin Krejci



Re: The great Netflix vpn debacle!

2021-08-27 Thread Justin Krejci
+1 on Bryan's message.


TL;DR

It seems lots of ISPs are struggling to figure out the why and the where of 
many IP addresses or blocks that are suddenly being blacklisted or flagged as 
VPNs or as out of service area.




I would really love to find, as Bryan said, if there is one particular IP 
reputation data provider who either got real aggressive recently or some 
(contaminated?) data was shared around. If there is I have no problem wading 
through their support processes to get it sorted but as it stands I just don't 
know who to call. It just has been very difficult to glean any actionable info 
and of course the normal support teams at the respective streaming providers 
mostly just are telling customers to call their ISP as if every random ISP 
has some special backdoor contact to every streaming provider where we can just 
get problems resolved quickly and easily while we all have a good laugh at 
people being able to watch their preferred movies and shows.


At least with email DNSBL filtering you usually get informed which DNSBL you 
are listed on and you can sort that out directly. In this case, the overall 
system of IP reputation based filtering seems still comparatively immature. The 
most I have gotten is after a very long phone call with someone at Hulu, they 
confirmed there is some issue affecting multiple networks and they are working 
on the issue and suggested I go through a whitelisting request process which 
may solve the problems but just for Hulu obviously.


I have published and tried to register our own geofeed data as defined in 
RFC8805 with as many IP geolocation providers as possible. I have checked 
around to as many IP geolocation and IP reputations sites as I can find and 
everything is either clean/accurate or there is no query method open to the 
public for troubleshooting that I can find. This is just yet another example to 
me of immaturity on dealing with geolocation problems: just spinning my wheels 
in the dark with mud spraying everywhere. There does not appear to be any 
consistency on handling issues by the content providers using IP geolocation 
and reputation to filter. If the content providers want to reject client 
connections they ought to provide more actionable information in their error 
messages for ISPs since they are all just telling the users to call their ISPs. 
It just feels like a vicious circle.


So currently we are left with multiple video streaming providers that all 
started to flag many customers across many of our IP blocks all beginning 
earlier this month affecting customers, many of whom have been using the same 
IP address for years without issue until now. Do we try and decommission 
multiple IP subnets, shuffle users over to new subnets, and risk contaminating 
more subnets if this is an ongoing and regularly updated blacklist data set? 
This would further exacerbate the problem across yet more subnets that are 
getting scarcer. As a tangent, I am curious to see how IP geolocation and 
reputation systems are handling IPv6, I suppose they are just grouping larger 
and larger networks together into the same listings.


Someone who knows something concrete about this current issue, please throw us 
ISPs a bone.


With this email I feel like Leia recording a video plea for help addressed to 
Obi-Wan Kenobi: help me Nanog Community... you're my only hope.





From: NANOG  on behalf of Bryan 
Holloway 
Sent: Friday, August 27, 2021 4:56 PM
To: Mike Hammett; John Alcock
Cc: nanog@nanog.org
Subject: Re: The great Netflix vpn debacle!

Is there some new DB that major CDNs are using?

We've been getting several reports of prefixes of ours being blocked,
claiming to be VPNs, even though we've been using those subnets without
incident for years.

HBO, Netflix, and Hulu appear to be common denominators. I have to
wonder if they're all siphoning misinformation off of some new DB
somewhere ...


On 8/14/21 1:45 AM, Mike Hammett wrote:
> https://thebrotherswisp.com/index.php/geo-and-vpn/
>
>
>
> -
> Mike Hammett
> Intelligent Computing Solutions 
> 
> Midwest Internet Exchange 
> 
> The Brothers WISP 
> 
> 
> *From: *"John Alcock" 
> *To: *nanog@nanog.org
> *Sent: *Friday, August 13, 2021 2:11:16 PM
> *Subject: *The great Netflix vpn debacle!
>
> Well,
>
> It happened. I have multiple subscribers calling in. They can not access
> Netflix.
>
> Any 

Re: The great Netflix vpn debacle! (geofeeds)

2021-09-01 Thread Justin Krejci
Well apparently there are VPN applications that rely on fellow VPN users in a 
P2P fashion to share network connectivity. I guess it is like a commercialized 
version of Tor to some extent. Excluding any potential legal risks for illegal 
behavior tunneled through an unsuspecting fellow user, this has great potential 
to cause a contaminating spread of VPN flagged IP addresses, even with just 
normal usage.


One such VPN application is Hola VPN which also has a premium version using 
their VPN server gateways instead of or perhaps in addition to the community 
method.


Dynamic IP address assignments by an ISP could easily allow for one such user 
to get many IP addresses flagged as a VPN gateway. I have communicated with 
some IP reputation companies and they track VPN users and can even supply the 
specific VPN brand associated with certain IP addresses, with timestamps, they 
have observed and added to their reputation databases as VPN users. How they 
obtain their data I do not know for sure but I can think of a few ways.


So we seem to have a battle between

  *   users
  *   streaming content providers
  *   streaming content owners / copyright holders
  *   ISPs
  *   VPN providers
  *   restrictive/invasive governments or network operators
  *   ??

There is definitely collateral damage from their use that should be considered, 
especially if very prominent streaming content providers take a more 
restrictive posture towards users of these kinds of VPN services.




From: NANOG  on behalf of Haudy 
Kazemi via NANOG 
Sent: Wednesday, September 1, 2021 4:44 PM
To: Owen DeLong; nanog list
Cc: b...@theworld.com
Subject: Re: The great Netflix vpn debacle! (geofeeds)

Some TVs may also try to rescale the inputs, or enhance/process the image in 
ways that can improve perceived video quality. Things like increasing frame 
rates of sources that are lower frame rates (thus the 120 Hz and 240 Hz TVs 
that attempt to make 24, 30, and 60 FPS sources look better), or deinterlacing 
1080i ATSC sources.

Some of this image processing may not work well in specific monitor use cases.

I have had generally good results with using a TV as an HTPC monitor.  Only 
issues I've run into over the years are

1.) a 1080p Sony TV with a VGA input that could not handle 1920x1080 (using 
HDMI worked)
and
2.) a 720p Toshiba that could not show the BIOS screen of the attached computer 
(I think this was either an unsupported resolution issue, or a timing issue 
where the TV couldn't wake up fast enough from the 'signal lost' message to 
display a brand new signal input).

YMMV.


VPNs: there is a race going on between streaming services who want to block 
VPNs, and VPN services who have customers who want to be able to watch streams 
(whether in or out of their regions). Some VPN customers buy VPN services 
because they do not trust their ISP to not do stuff like selling browsing 
histories.

I think ISPs are getting caught in the middle, maybe when they have IP ranges 
near or in the middle of ranges that are suspected by IP reputation companies 
as being used by VPN services. I'd guess the problem is more likely to affect 
smaller ISPs, and not the Comcast/Cox/Charter/Spectrum/CenturyLinks of the 
world. There are also 'distributed VPN' services that let people share their 
connections with others.

We are also seeing fragmentation in the cable/streaming service space, similar 
to what happened in the cable/Dish Network/DirecTV wars. Add it all up, some 
customers may throw up their hands in annoyance at the various platforms and 
then revert to other means of obtaining the content they seek.



On Wed, Sep 1, 2021, 15:13 Owen DeLong via NANOG < 
nanog@nanog.org> wrote:


> On Sep 1, 2021, at 11:25 , b...@theworld.com wrote:
>
>
> Every time I've read a thread about using TVs for monitors several
> people who'd tried would say don't do it. I think the gist was that
> the image processors in the TVs would fuzz text or something like
> that. That it was usable but they were unhappy with their attempts, it
> was tiring on the eyes.

That was definitely true of 480 TVs and older 1080p units, but modern sets
are almost designed to be monitors first and everything else second.

> Maybe that's changed or maybe people happy with this don't do a lot of
> text? Or maybe there are settings involved they weren't aware of, or
> some TVs (other than superficial specs like 4K vs 720p) are better for
> this than others so some will say they're happy and others not so
> much?

There are some tradeoffs… For example, sitting normal computer monitor
distance from a 44” 4K screen, you can damn near see the individual pixels
and that can make text look fuzzy, especially if your GPU or OS are stupid
enough to use a technique called anti-aliasing on text (which is the most
probable source of the fuzziness in your originally quoted complaint).

Older TVs would try to 

Telia is now Arelion

2022-01-19 Thread Justin Krejci
https://www.arelion.com/




Since all other work is now complete in the world I should have plenty of time 
to update documentation, billing, labels, port names, route-maps, contact email 
addresses, etc.


After watching their marketing video I learned the pronunciation of Arelion is 
not R-Lion but is actually A-Ray-Lee-On but I may continue thinking of it as 
R-Lion because it is shorter and it just sounds cooler in my head.


Prize Picks - geolocation/vpn/fraud system

2023-09-11 Thread Justin Krejci
Yes, unfortunate geolocation/vpn troubles strike again.


If any from PrizePicks.com are on here I would appreciate if you would reach 
out to me regarding a mutual customer not able to use your services.


If anyone else on NANOG has a contact there, I would appreciate some help 
getting in contact to resolve an issue that the regular support channel is 
unable to do.


Thanks!

Justin Krejci



Re: Akamai Network Partnership

2023-10-17 Thread Justin Krejci
Hello Edy,


Log into your peeringdb.com account and go to their network, they have a 
peering contact listed there.


https://www.peeringdb.com/net/2




From: NANOG  on behalf of 
em...@edylie.net 
Sent: Tuesday, October 17, 2023 5:10 PM
To: nanog@nanog.org
Subject: Akamai Network Partnership

Dear All,

May I know if anyone could guide me to the right contact for Akamai
Network Partnership?

We are a network operator in Indonesia and are keen to work with Akamai
to speed up access to Akamai Content.

Many Thanks.

Best Regards,
Edy


Re: Geolocation data management practices?

2022-04-21 Thread Justin Krejci
For corrections/updates, what I have found to be generally successful is


1. make sure to advertise the IP blocks into the DFZ from your ASN as soon as 
possible

2. make sure ARIN data is accurate (we use ARIN, you may use one of the other 
registries)

3. update my geofeed, as referenced already in this thread

4. directly contact organizations that have geolocation services but don't 
subscribe to my geofeed


If anyone has any additional geolocation organizations I didn't list, I would 
be happy to hear about them.



Geofeed subscriptions are in place with these organizations


IP Info
https://ipinfo.io/
https://ipinfo.io/faq/article/49-how-can-i-submit-a-correction
https://ipinfo.io/corrections

dbip
https://db-ip.com/
https://db-ip.com/contact/
support  db-ip.com

IPGeolocation
https://ipgeolocation.io/
support  ipgeolocation.io

Maxmind
https://www.maxmind.com/en/geoip-demo
https://support.maxmind.com/geoip-data-correction-request/

Neustar
https://www.home.neustar/resources/tools/ip-geolocation-lookup-tool
https://www.home.neustar/resources/tools/submit-to-global-ip-database
ipintel  support.neustar

BigDataCloud
https://www.bigdatacloud.com/ip-geolocation/

Digital Element
https://www.digitalelement.com/geolocation/
https://www.digitalelement.com/contact-us/
ip-data  digitalelement.com

ip2location
https://www.ip2location.com/demo
support  ip2location.com
Only accepts feeds when all entries have a city defined

Google
https://isp.google.com
Set geofeed URL within their ISP portal




These organizations have no geofeed subscription in place and require 
individual contact for corrections/updates


ipstack
https://ipstack.com/
https://ipstack.com/contact

Geo IP View
https://www.geoipview.com/
andrew  geoipview.com
email address is not currently receiving mail, as such I assume not many are 
using this service

IPligence
http://www.ipligence.com/geolocation
https://www.ipligence.com/contact

ipdata
https://ipdata.co/?ref=iplocation
https://ipdata.co/corrections.html
corrections  ipdata.co
working on adding geofeed support

IPIP
https://en.ipip.net/ip.html
sarah  ipip.net

IPHub
https://iphub.info/

IPinsight
https://ipinsight.io/
william  ipinsight.io

Info Sniper
https://infosniper.net/
https://infosniper.net/geoip-data-correction.php

GeoGuard
https://www.geocomply.com/products/geoguard/
ipintelligence  geoguard.com
More of a "are they using a VPN/hiding service" and not so much of a "Where are 
they" service.



From: NANOG  on behalf of Josh 
Luthman 
Sent: Thursday, April 21, 2022 9:24 AM
To: Rubens Kuhl
Cc: Nanog
Subject: Re: Geolocation data management practices?

Go through this list:
https://thebrotherswisp.com/index.php/geo-and-vpn/

The RFC only works if they're pulling your feed and they'd only know that if 
you contact them in the first place.

On Thu, Apr 21, 2022 at 9:14 AM Rubens Kuhl < 
rube...@gmail.com> wrote:
Besides geofeed, there are also geoidx records in IRRs but whether
geolocation services actually use geofeed or geoidx remains to be
seen. You can see some geoidx: at this IRR entry in TC:
https://bgp.net.br/whois/?q=-s%20TC%20-i%20mnt-by%20MAINT-AS271761

Regarding LACNIC, what LACNIC, NIC.mx and NIC.br do is to select which
RIR or NIR services requests depending on the organisation's country.


Rubens

On Thu, Apr 21, 2022 at 9:53 AM Shawn < 
mailman.nanog@kleinart.net> wrote:
>
> Aloha NANOG,
>
> What is the best practice (or people's preferred methods) to
> update/correct/maintain geolocation data?
> Do most people start with description field info in route/route6 objects?
>
>
> Also, thoughts and considerations on using IPv4 space from one RIR in
> countries belonging to another RIR?
>
> With IPv4 exhaustion and inter-RIR IPv4 transfers, and geolocation data, it
> seems less applicable than it had been (a decade ago).  The IP's will be
> used for CDN, not by end-users/subscribers.
> Context: trying to work through an administrative "challenge" with LACNIC
> regarding an IPv4 transfer, considering transferring to ARIN and then using
> in LACNIC (then once resolved, transfer from ARIN to LACNIC).  Or just using
> existing ARIN space in Brazil.
> LACNIC is making things more difficult than they need to be.  I know this is
> NANOG... but seeking advice, working on a global network, US HQ, currently
> no active "registration" in LACNIC (except Brazil), but we operate in 5
> countries in the region (data center/colo).  We would use Brazil, but very
> hesitant to use their NIC ( 
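Step 3 in Justin's list above and the RFC 8805 geofeed registration mentioned in the Netflix VPN thread earlier both depend on the published feed being well-formed. Here is an added example, not code from any post in this thread or from any provider, that checks a geofeed against the RFC 8805 field rules (prefix, ISO 3166-1 country, ISO 3166-2 region consistent with that country) plus the ip2location city requirement noted in the list, and resolves a single customer IP the way a feed consumer would; the AS number, prefixes and cities in the sample feed are constructed.

```python
"""Validate an RFC 8805 geofeed before handing it to geolocation providers.

Added example for this thread, not code from any of the posts or providers.
Field rules follow RFC 8805 section 2; the city warning mirrors the ip2location
note in the list (feeds are only accepted when every entry has a city).
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

COUNTRY_RE = re.compile(r"^[A-Z]{2}$")                 # ISO 3166-1 alpha-2, e.g. US
REGION_RE = re.compile(r"^([A-Z]{2})-[A-Z0-9]{1,3}$")  # ISO 3166-2, e.g. US-MN

# Constructed sample feed: four usable lines and several deliberately broken ones.
SAMPLE_FEED = """\
# geofeed for AS64496 (constructed example), per RFC 8805
192.0.2.0/24,US,US-MN,Minneapolis,
2001:db8:1000::/36,US,US-TX,Smithville,
198.51.100.0/24,US,US-MN,,
198.51.100.0/25,US,CA-ON,Toronto,
203.0.113.70/26,US,US-CA,Los Angeles,
203.0.113.0/24,us,US-CA,Los Angeles,
192.0.2.0/24,US,US-MN,Minneapolis,
300.1.1.0/24,US,US-MN,Minneapolis,
192.0.2.0/24,US,US-MN,Minneapolis
"""


@dataclass
class Entry:
    line_no: int
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    country: str
    region: str
    city: str
    postal: str


@dataclass
class Report:
    entries: list[Entry] = field(default_factory=list)
    errors: list[tuple[int, str]] = field(default_factory=list)    # line dropped
    warnings: list[tuple[int, str]] = field(default_factory=list)  # line kept

    @property
    def ok(self) -> bool:
        return not self.errors


def validate_geofeed(text: str) -> Report:
    """Parse one geofeed; lines with errors are dropped, the rest become entries."""
    report = Report()
    seen: dict[ipaddress.IPv4Network | ipaddress.IPv6Network, int] = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments are allowed by RFC 8805
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 5:
            report.errors.append((line_no, f"expected 5 fields, got {len(fields)}"))
            continue
        prefix_s, country, region, city, postal = fields
        try:
            prefix = ipaddress.ip_network(prefix_s)  # strict: host bits must be zero
        except ValueError:
            try:
                prefix = ipaddress.ip_network(prefix_s, strict=False)
            except ValueError:
                report.errors.append((line_no, f"invalid IP prefix {prefix_s!r}"))
                continue
            report.warnings.append((line_no, f"{prefix_s} has host bits set; using {prefix}"))
        problems = []
        country_ok = bool(COUNTRY_RE.match(country))
        if country and not country_ok:
            problems.append(f"country {country!r} is not an upper-case ISO 3166-1 code")
        m = REGION_RE.match(region) if region else None
        if region and not m:
            problems.append(f"region {region!r} is not an ISO 3166-2 code such as US-MN")
        elif m and country_ok and m.group(1) != country:
            problems.append(f"region {region} does not belong to country {country}")
        if prefix in seen:
            problems.append(f"duplicate prefix {prefix} (already on line {seen[prefix]})")
        if problems:
            report.errors.extend((line_no, p) for p in problems)
            continue
        if not city:
            report.warnings.append((line_no, "no city; ip2location refuses such feeds"))
        seen[prefix] = line_no
        report.entries.append(Entry(line_no, prefix, country, region, city, postal))
    return report


def lookup_address(report: Report, address: str) -> Entry | None:
    """Longest-prefix match: what a consumer of this feed would say about one IP."""
    ip = ipaddress.ip_address(address)
    candidates = [e for e in report.entries if ip in e.prefix]
    return max(candidates, key=lambda e: e.prefix.prefixlen, default=None)
```

Run `validate_geofeed` over your own feed and refuse to publish while `report.errors` is non-empty; `lookup_address` is handy for confirming what the feed says about a customer address that a content provider is mis-placing.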

Re: Sigh, friends don't let politicians write tech laws

2022-07-29 Thread Justin Krejci
Leave the private matter of private email handling in the hands of the private 
participants of the private email system.

If congress wants to create a government mandate on political campaign emails, 
the political campaigns themselves ought to be forced to mark their emails as a 
political campaign emails. This would more easily allow sorting and filtering 
of emails by mail providers and by the users and help ensure easier reception 
or easier rejection by the users. I can say "yes, I want campaign emails" and I 
get less or no filtering or I can say "no, I do not want campaign emails" and 
never have to see them again.

I have contacted my reps and expressed my opinions and some relevant facts on 
this matter.



From: NANOG  on behalf of Anne 
Mitchell 
Sent: Friday, July 29, 2022 4:57 PM
To: nanog@nanog.org
Subject: Re: Sigh, friends don't let politicians write tech laws



> On Jul 29, 2022, at 3:37 PM, John Levine  wrote:
>
> It appears that Michael Thomas  said:
>> -=-=-=-=-=-
>>
>>
>> https://www.congress.gov/bill/117th-congress/senate-bill/4409/text?r=9=1
>>
>> the body of the proposed law:
>
> This bill was filed by a bunch of the usual right wing suspects about
> a month ago.  It was referred to committee, like all filed bills, and
> I very much doubt it will ever emerge.

I'm inclined to agree, except that as we've seen Google has already attempted 
to cave, which means that they (the bills' sponsors) will feel even more 
emboldened, and can point to Google's "pilot program" as evidence that "even 
Google admits there is a problem, so we need the law to make the other big 
providers do it."

I believe we can't rely on it being buried without a little help.  It costs 
nothing to send an email to a representative, so... why not provide that help. ;~)

Anne

--
Anne P. Mitchell, Attorney at Law
CEO Institute for Social Internet Public Policy
Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
Author: The Email Deliverability Handbook
Board of Directors, Denver Internet Exchange
Dean Emeritus, Cyberlaw & Cybersecurity, Lincoln Law School
Prof. Emeritus, Lincoln Law School
Chair Emeritus, Asilomar Microcomputer Workshop
Counsel Emeritus, eMail Abuse Prevention System (MAPS)





Re: Disney+ Issues

2022-04-29 Thread Justin Krejci
I'd suggest you reach out to the hosting company and have them mark the block(s) in 
question as re-allocated to your organization.  Also Neustar does support 
self-published geofeeds so you could also publish your own + leased IP space 
and then get them to subscribe to your list.



From: NANOG  on behalf of 
Norman Jester 
Sent: Friday, April 29, 2022 12:21 PM
To: nanog@nanog.org
Subject: Re: Disney+ Issues

On Fri, Apr 29, 2022 at 6:07 AM Brian Turnbow  wrote:
>
> Hi Norman
> >Anyone from Disney+ here? If you can reply off-list I'd appreciate it. I 
> >have emailed every place I can think of to solve a geoip problem affecting 
> >hundreds of customers, no reply in weeks.
>
>
> Yeah we just went through the same thing.
> Many other providers in Italy have been impacted as well.
> Only way we found to resolve the issue was single customers opening tickets…
> We tried at the  provider level but were continuously rebuffed.
> The single customers opening TTs had it resolved in minutes and after a bunch 
> did  the others were able to connect...
> If you do find a way to get it done on the provider level I would love to 
> hear about it.
>
> Brian

We're having a heck of a time with this, customers are posting all
over social media about it etc.
The company who does their ip classification is Neustar and we have
been talking to them.
For some reason they do not comprehend the fact that companies in
these days must lease ip space
due to the shortages.  We are delegated ipv4 from a datacenter (in
addition to our own ip space) which
is all used for our eyeball network of home users.  They said "This ip
space is from a hosting company", which
it is not.. it's from a datacenter where some of our core gear
aggregates routes from all the carriers in that hotel.
We backhaul all data out to our pops all over San Diego and it ends up
in customers homes.

Ips are properly delegated, but they tag them as VPN and HOSTING when
they are not. Worse off, they said
they won't change it. I asked them if they monitored NANOG and they
didn't know what it was. Nice to know
the people making those decisions are not paying attention to the
network world and making those decisions that
affect many many people.  With great power comes great responsibility.


Re: FIDO2/Passkey now supported for 2FA for ARIN Online (was: Fwd: [arin-announce] New Features Added to ARIN Online)

2023-01-03 Thread Justin Krejci
Very interesting news. Improving online security is a win and this sounds 
promising.


Never having used FIDO2 for anything I am left, probably not uniquely, in the 
dark for hardware device support. The only link I found on the ARIN website for 
"hardware keys" was a link to another ARIN page, which as of the time I am 
writing this email, results in a 404.


The page with the link to supported hardware key details near the bottom @ 
https://www.arin.net/reference/materials/security/2fa/2fafaq/

The referenced hardware key details page that is 404 @ 
https://www.arin.net/reference/materials/security/wfa/fido2


I searched generally online for FIDO2 hardware keys and found a lot of choices out 
there. Are all hardware keys the same? Will all hardware keys work with ARIN 
Online? I realize this is a brand new offering from ARIN so I am not upset that 
there is little data of the sort I am looking for right now but I would suggest 
ARIN get some better hardware key information on their website for people who 
are curious about but have little or no experience with FIDO2 and hardware 
components. After reading this https://en.wikipedia.org/wiki/FIDO2_Project I am 
wondering, can I simply use a smartphone itself as the hardware token to log 
into ARIN Online? Is there an app needed to do this?

I then discovered this FIDO2 keys page from online searching: 
https://www.yubico.com/store/compare/ which seems like one of many pretty 
popular key makers.
I assume there are possible risks affiliated with buying unknown hardware 
devices and plugging them into our trusted computer systems: key loggers, data 
exfiltration, trojan/malware infections, etc. There are even SFPs with built in 
switches or ones running Linux within the SFP itself able to do packet captures 
and all sorts of fun stuff. All the more reason I would appreciate a 
list/suggestion of well trusted hardware token makers. I did find this on 
Microsoft's website that seems like an easy to digest breakdown of some key 
makers: 
https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-authentication-passwordless#fido2-security-key-providers

Is FIDO2 just another industry buzzword? Am I the last one on NANOG to get into 
FIDO2 and therefore I am just asking a bunch of moronic questions? I rather 
think not and this time it seems like it may be worth getting buzzword 
compliant.

I realize it is not the job of ARIN to educate its customer base on the ins and 
outs of FIDO2 but I think a little extra working information would be quite 
helpful going forward.

Thanks to ARIN for implementing this, 
thanks to those that have pushed for the deployment of this protocol, and 
thanks to those that will respond kindly to me in my ignorance on this topic!!


-Justin



From: NANOG  on behalf of Royce 
Williams 
Sent: Tuesday, January 3, 2023 5:20 PM
To: John Curran
Cc: NANOG
Subject: Re: FIDO2/Passkey now supported for 2FA for ARIN Online (was: Fwd: 
[arin-announce] New Features Added to ARIN Online)

On Tue, Jan 3, 2023 at 11:59 AM John Curran wrote:
FYI - ARIN Online now has FIDO2/Passkey as an option for two-factor 
authentication (2FA) - this is a noted priority for some organizations.

John - this is a great step forward! Kudos to the tech team who helped make the 
leap - it can be daunting.

Some feedback, take or leave as you see fit, based on my scars:

First, thanks specifically for the support for unique key names (you might be 
surprised at how many services don't!), and for the FIDO2 support of on-key 
PINs.

Second, I'd like to second ;) - but go beyond - Job's feature request for 
multiple-key support, both in count and additional UX. Support for *more* than 
two keys is recommended, to fit a wider variety of use cases and threat/risk 
models (connector availability, shared/role accounts, offsite key backup, etc 
etc). From my survey of 50 providers of U2F / FIDO / FIDO2, key-count support 
ramps up quickly from one (PayPal - come on, y'all!), two (Bank of America), 
and five (AOL/Yahoo and Coinbase), with the rest supporting *ten or more keys* 
(and yes, higher key counts have use cases, though user experience degrades 
above ten keys). And when multiple key support is added, please consider some 
UX around managing the list of keys (like allowing the user to *modify* key 
names without having to delete and re-add them, showing the timestamp, IP, OS 
family / platform, etc. from where the key was last used). Great key UX 
examples to emulate in this space include Dropbox and Google. (And showing the 
IP's ASN would be a uniquely ARIN twist. :D )

Third, please consider allowing a mix of authenticators (instead of the current 
exclusive choice among TOTP, FIDO2, and SMS). While it will be excellent to 
allow users to *eventually* opt into exclusive use of security keys (as with 
Google's Advanced Protection Program) ... doing so 

Contact for androidpolice.com

2023-02-03 Thread Justin Krejci
Any contacts available that are responsible for androidpolice.com website 
hosting? Some of our IP space is not able to access their website. Other IP 
addresses of ours are working just fine. This appears to be some kind of HTTP 
protocol layer issue but only affecting certain IP addresses. I am guessing it 
is some kind of web application firewall using outdated IP list data.


Yes I know it is hosted at Amazon but every time I have tried to go through 
Amazon for support with websites they are hosting, they have 100% of the time 
told me they can't and/or won't help me with website hosting issues on their 
web platform; I have to go through their customer... which I don't have any 
good contact info for. I've tried reaching them on twitter, I've tried blindly 
emailing people listed on their website guessing their email addresses, etc. I 
have had zero response.



Thanks!

Justin


Re: Verizon Business Contact

2024-02-19 Thread Justin Krejci
For me it is some AS 6167 destinations.
WHOIS for that ASN says this is Verizon Business.


AS Number:  6167

Org Name:   Verizon Business


I am not sure how I am supposed to accurately or authoritatively discern the 
differences in specific IP prefixes (or ASNs) as to whether they are used 
in the Verizon Wireless, Verizon Business, Verizon XYZ, etc.
I am also not sure what the value would be in understanding the difference as I 
have zero contacts at any Verizon entity: Wireless, Business, or any other.

I imagine at some level, there is a parent Verizon umbrella organization that 
is ultimately responsible for all underlying organizations/divisions but I am 
not particularly interested in trying to pick apart the business silos of 
Verizon and then from there trying to chase down specific Verizon entity 
contacts to try and figure out who might be the right contact to look into 
this. I have made efforts, prior to this NANOG thread even starting, to get 
this issue rectified but I have had zero luck so far getting any appropriate 
person at Verizon to take notice.

It kind of feels like trying to reach out to some company regarding a 
geolocation or IP-reputation type issue... just a lot of "Sorry, I don't know. 
try this other group that you already talked to" or simply "piss off" type 
responses. Both of which I have received in sizable quantities. Now that my 
brain is on that tangent, my favorite geolocation response was when I was told 
"your ISP needs to set the correct bits in the IP packets to designate the 
traffic as coming from the correct geography." I laughed and I cried at that 
one.



-Original Message-
From: Richard Laager
To: Justin Krejci
Cc: nanog@nanog.org
Subject: Re: Verizon Business Contact
Date: Fri, 16 Feb 2024 20:41:04 -0600

On 2024-02-09 18:10, Justin Krejci wrote:

For a good long while (months) we have had similar issues with various Verizon 
destinations.

Only Verizon Wireless destinations, or other Verizon Business things?

As of today, I'm told (via an upstream provider) that Verizon Business says 
this is a Verizon Wireless issue.



Re: Verizon Business Contact

2024-02-09 Thread Justin Krejci
For a good long while (months) we have had similar issues with various Verizon 
destinations.
I observed it only happens when passing through certain geographic regions of 
the US. Other regions make it through without issue.

This is directly observable and repeatable using Cogent's Looking glass website.
Do an IPv4 Trace to 63.59.67.68 using their US-Minneapolis router. It dies.
Do an IPv4 Trace to 63.59.67.68 using their US-Los Angeles router. It reaches 
the destination.

I went through a handful of Cogent's looking glass locations and found some 
that work and some that don't and concluded there must be one or more Verizon 
routers in a certain set geographic area that are having the problems.

Ultimately the issue is not resolved for me but I was able to BGP TE the 
traffic around the problem areas to facilitate reachability to the impacted 
destinations. This is obviously a tenuous band-aid.


Long story short: please, please, please, someone at Verizon or someone who has 
the ear of someone at Verizon, please, please, please, look into this.




-Original Message-
From: Richard Laager
To: nanog@nanog.org
Subject: Verizon Business Contact
Date: Thu, 08 Feb 2024 13:01:14 -0600

Can someone from Verizon Business please contact me?

It appears that your network is losing traffic from Verizon Wireless
(e.g. 63.59.39.232, 63.56.37.4, or 63.59.67.68) to me (AS33362, e.g. to
69.89.207.16). Note that 63.59.166.100 -> 69.89.207.16 was successful
(around 2023-11-27).

This breaks email between us and it's been MONTHS of VZW getting nowhere.

Based on some traceroutes (on 2023-11-27 and again just now), the
working ones go through 140.222.234.223 (0.ae10.GW7.CHI13.ALTER.NET)
while the broken ones stop at 140.222.234.221 (0.ae9.GW7.CHI13.ALTER.NET).




Re: Sling TV Geolocation

2024-01-26 Thread Justin Krejci
I have Digital Element in my own internal wiki page for managing/documenting IP 
geolocation services headaches.

Searching them up on my page I see noted they have a contact us form that 
specifically lists "IP Address Data Update" as a contact reason. Maybe that 
will give you or others some avenue into the proper eyeballs over there.
https://www.digitalelement.com/contact-us/

I appreciate the follow up and will add a note to my page that Sling TV uses 
Digital Element, at least at the moment.

As always, good luck on your endeavor.



-Original Message-
From: Tim Burke <...@mid.net>
To: nanog@nanog.org
Subject: Re: Sling TV Geolocation
Date: Wed, 24 Jan 2024 20:32:10 +

(long overdue) Follow up on this – after plenty of emails, phone calls, and 
research, and our poor customers having to watch the Packer game, I was able to 
find out that Sling is using Digital Envoy/DigitalElement for geolocation... I 
assume the info on 
https://thebrotherswisp.com/index.php/geo-and-vpn/
 should work for this, but I am waiting to hear back from said geolocation 
vendor with an answer.

Thanks,
Tim



From: Tim Burke
Sent: Thursday, December 7, 2023 11:36 AM
To: nanog@nanog.org 
Subject: Sling TV Geolocation

Yet another geolocation post, because content networks don't pay attention to 
geofeeds... :-)

Anyone know who Sling TV is using for geolocation, or have a contact at Sling 
that can help? We acquired a /19 in July that we just started pushing out to 
customers, it is still geolocating back to the previous owner on Sling TV, 
despite publishing the prefix in our geofeed. Checked the usual lists with no 
luck.

Thanks,
Tim



Re: ipv6 address management - documentation

2023-11-20 Thread Justin Krejci
I give +1 for phpipam



-Original Message-
From: Justin Wilson (Lists) <li...@mtin.net>
To: NANOG <na...@nanog.org>
Subject: Re: ipv6 address management - documentation
Date: Sun, 19 Nov 2023 23:38:28 -0500

Netbox or PHPipam. Phpipam allows you to break down subnets easier IMHO.


Justin Wilson
j...@j2sw.com

—
https://j2sw.com (AS399332)
https://blog.j2sw.com - Podcast and Blog

On Nov 16, 2023, at 1:09 PM, Jason Biel wrote:

My recommendation:

https://github.com/netbox-community


On Thu, Nov 16, 2023 at 12:04 PM Aaron Gould <aar...@gvtc.com> wrote:
For years I've used an MS Excel spreadsheet to manage my IPv4
addresses.  IPv6 is going to be maddening to manage in a spreadsheet.
What does everyone use for their IPv6 address prefix management and
documentation?  Are there open source tools/apps for this?