Re: RBL resource to check entire netblock

2016-02-18 Thread Eric Oosting
On Thu, Feb 18, 2016 at 12:46 PM, greg whynott 
wrote:

> Team NANOG,
>
> I will summarize once I get to looking at things.   This isn't an immediate
> need but with that said I expect to start on it next week.   I may not
> evaluate all of them but what I do try I will share.
>
> My next challenge is finding a router that will forward on 4 x 1 gig
> interfaces (2 inside 2 outside) for less than 30k...
>

Without knowing much about your requirements I can say that the edgerouter
pro from ubiquiti doesn't suck, and is fantastic for the price. Cheap
enough to self spare, and

-e


>
> -greg
>
>
>
> On Wed, Feb 17, 2016 at 1:32 PM, Roberto Alvarado 
> wrote:
>
> > You can try this script:
> >
> > https://github.com/DjinnS/check-rbl
> >
> >
> > -i,--ip The IP or subnet to check
> >
> > I’m using it to check my subnets
> >
> >
> > Roberto
> >
> >
> >
> >
> >
> > > On Feb 17, 2016, at 15:25, Bernd Spiess 
> wrote:
> > >
> > >> I find many sites where you can enter 1 IP to
> > >> do a check but they don't seem to accept subnets to check.
> > >
> > > Maybe this is a help?
> > > https://www.senderbase.org/
> > >
> > > Bernd
> >
> >
>


Re: verizon fios bounced a legit private email of mine telling me it was spam and they would not allow it

2016-01-14 Thread Eric Oosting
On Thu, Jan 14, 2016 at 11:20 AM, Christopher Morrow <
morrowc.li...@gmail.com> wrote:

> '4 MILLION IP ADDRESSES!!!'
>

What is that, an /106?

-e


> On Wed, Jan 13, 2016 at 4:55 PM, Dan Hollis 
> wrote:
> > This is what's going on at verizon.
> >
> > http://www.spamhaus.org/news/article/726/
> >
> > -Dan
> >
> >
> > On Wed, 13 Jan 2016, Gordon Cook wrote:
> >
> >> dear Nanog
> >>
> >> Sorry to bother you, I am sitting here in shock, I have been a Verizon
> >> to FiOS customer for about the past six years at least I think maybe
> >> eight. every now and then the Verizon server will bounce an email back
> >> and tell me that it’s busy or not functioning but just now it bounced
> >> one back and I’m sorry I don’t have a screenshot of what it said but it
> >> clearly said that it considered me to be a spammer. I may be a lot of
> >> things but a spammer I am not. ;-) when I get an email bounced back
> >> Apple OS X always volunteers to use the pair networks server and I
> >> always automatically take that choice giving it never a second thought.
> >>
> >> it also reminded me that there was a limit on the amount of private
> >> emails a customer could send.
> >>
> >> And it said I needed to take the alleged spam and send it to
> >>
> >> spamdetector.upd...@verizon.net and if I remember correctly wait at
> >> least an hour and then try to send the message again.
> >>
> >> Stating very clearly that no human being would talk to me.
> >>
> >> what in God’s name is going on? Please a year and a half or two years
> >> ago when a route to Ecuador was being filtered a couple of NANOG folk
> >> knew whom to contact and the problem was fixed in record time. I am
> >> hoping that I will experience the same thing. I should not be a
> >> stranger to any old time Nanog-ers. but right now I’m feeling really
> >> paranoid!
> >>
> >
>


Re: nanog website down

2015-06-03 Thread Eric Oosting
At this time, we believe all services have been restored.

On Wed, Jun 3, 2015 at 11:16 AM, Eric Oosting eric.oost...@gmail.com
wrote:

 This morning we suffered a hardware failure in our production environment.
 The outage affected nanog mail and web services. While mail services have
 recovered, web services are still down.

 We apologize for the inconvenience.

 -e



nanog website down

2015-06-03 Thread Eric Oosting
This morning we suffered a hardware failure in our production environment.
The outage affected nanog mail and web services. While mail services have
recovered, web services are still down.

We apologize for the inconvenience.

-e


Re: ARO Security

2015-05-18 Thread Eric Oosting
On Mon, May 18, 2015 at 12:30 PM, Nicholas Schmidt 
nicholas.schm...@controlgroup.com wrote:

 I can't find a way to reach out to whoever manages ARO directly so I figure
 it would be best to publish this to the list.


Nicholas,

It's normally a good idea to email any questions you have to
nanog-supp...@nanog.org. They should always get you an answer or point you
in the correct direction.

 We are a group of network operators who are failing at enforcing extremely
 basic security in our own applications.

 1.) Retrieving an ARO password sends a plain text email of your current
 password. I'm sure this is minor as it's just ARO and none of us would ever
 re-use a password in more critical systems.


This is a known problem and I assure you NANOG is working with their vendor
to address it.



 2.) The SSL cert for secretariat.nanog.org is invalid. It looks to be
 trying to use the wildcard for amsl.com


I'm curious what is going on, but I wonder if it doesn't have something to
do with the openssl command you've entered below.

When using Firefox, Chrome, or Safari from my laptop and Internet Explorer
from within a VM, I'm being offered the *.nanog.org wildcard cert, not an
amsl.com cert. I checked a popular online SSL certificate checker and
similarly received the proper certificate.

Are you receiving a certificate error of some type in your browser? If so,
let's take the conversation off of nanog to spare the list.

-e



 $ openssl s_client -showcerts -connect secretariat.nanog.org:443
 CONNECTED(0003)
 depth=0 /OU=Domain Control Validated/CN=*.amsl.com
 verify error:num=20:unable to get local issuer certificate
 verify return:1
 depth=0 /OU=Domain Control Validated/CN=*.amsl.com
 verify error:num=27:certificate not trusted
 verify return:1
 depth=0 /OU=Domain Control Validated/CN=*.amsl.com
 verify error:num=21:unable to verify the first certificate
 verify return:1
 ---
 Certificate chain
  0 s:/OU=Domain Control Validated/CN=*.amsl.com
    i:/C=US/ST=Arizona/L=Scottsdale/O=Starfield Technologies, Inc./OU=http://certs.starfieldtech.com/repository//CN=Starfield Secure Certificate Authority - G2

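The check I would run on a report like Nicholas's, as an added example that is not from the thread: parse the `openssl s_client` transcript for the leaf CN and verify errors, test the CN against the hostname with the one-label wildcard rule, and (with network access) probe the server with and without `-servername`. That a bare `s_client` sends no SNI and therefore receives the default virtual host's certificate is my assumption about the cause, not something the thread states; the sample transcript is constructed from the lines quoted above.

```python
import re
import subprocess

# Constructed from the transcript quoted in the thread (CONNECTED line as on the page).
SAMPLE = """CONNECTED(0003)
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/CN=*.amsl.com
verify error:num=21:unable to verify the first certificate
verify return:1
"""

DEPTH0 = re.compile(r"^depth=0 .*?/CN=([^/\s]+)")
VERIFY_ERR = re.compile(r"^verify error:num=(\d+):(.*)$")

def parse_s_client(transcript):
    """Return (leaf_cn, [(errnum, message), ...]) from an s_client transcript."""
    cn, errors = None, []
    for line in transcript.splitlines():
        line = line.strip()
        m = DEPTH0.match(line)
        if m and cn is None:
            cn = m.group(1)
        m = VERIFY_ERR.match(line)
        if m:
            errors.append((int(m.group(1)), m.group(2)))
    return cn, errors

def cn_matches(hostname, cn):
    """Exact match, or a wildcard covering exactly one leftmost label
    (*.nanog.org covers secretariat.nanog.org, not nanog.org or a.b.nanog.org)."""
    hostname, cn = hostname.lower().rstrip("."), cn.lower()
    if cn == hostname:
        return True
    if cn.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == cn[2:]
    return False

def probe(host, port=443, sni=True):
    """Run openssl s_client with or without -servername (needs network and the
    openssl binary) and parse what the server hands back; verify output is on stderr."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}"]
    if sni:
        cmd += ["-servername", host]
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return parse_s_client(out.stdout.decode(errors="replace") + out.stderr.decode(errors="replace"))

def diagnose(host):
    """For each SNI setting, report the leaf CN and whether it covers `host`.
    Different answers with and without SNI point at a name-based vhost default."""
    report = {}
    for sni in (True, False):
        cn, errors = probe(host, sni=sni)
        report["sni" if sni else "no-sni"] = (cn, bool(cn) and cn_matches(host, cn), errors)
    return report
```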


NANOG 62 and a new tool for presentation submissions

2014-06-10 Thread Eric Oosting
Today we began an upgrade to the site/tool located at pc.nanog.org, known
as the pc tool, which is designed to allow the community to propose talks
for the next NANOG. The new site has some of the latest fads in web 2.0 web
design and buzzwords; for instance, we've decided to use a programming
language with a silent d in the name. Don't worry, it's somewhere short of
having tag clouds.

We hope you like it. Or at least, we hope not too many of you despise it.

Please hold off on any talk submissions for a few days while we migrate the
data from the old tool to the new. The NANOG Program Committee will issue
the NANOG61 call for presentations shortly, marking the availability of the
new tool.

Thanks,
-e

-- 
Eric Oosting
Network Architect
eoost...@netuf.net | 404-941-6678


Re: NANOG Mail Server Maintenance

2014-04-25 Thread Eric Oosting
As a reminder, this work will begin in approximately 6 hours.

-e


On Sat, Apr 19, 2014 at 12:55 PM, Larry J. Blunk l...@merit.edu wrote:


 Greetings,
   The NANOG Mail server will be transitioning to a
 new system next Saturday, April 26th.  The maintenance
 window for this transition will be from
 10:00 - 10:30 UTC.  This will impact the main NANOG
 list and associated lists hosted on mailman.nanog.org.
 The addresses for the server will be changing, but they
 will remain within the same prefixes (50.31.151.64/28
 and 2001:1838:2001:8::/64).

  Regards,
Larry Blunk
NANOG Communications Committee




Re: turning on comcast v6

2013-12-20 Thread Eric Oosting
On Fri, Dec 20, 2013 at 5:16 PM, Matthew Huff mh...@ox.com wrote:

 Owen,

 Have you ever worked in a corporate environment? Replacing equipment can
 be a 5-7 year window and has to be justified and budgeted. Replacing a
 piece of equipment because it's an incomplete IPv6 implementation (which
 has changed considerably as it has been deployed), isn't feasible.


Not to put words in Owen's mouth, but let me explain how I interpret what
he was saying: Vote with your feet.

It's simple ... maybe you can't replace everything in your network that
doesn't support IPv6 (I wish we all had that kind of discretionary
budget), but you can still base purchasing decisions on IPv6 support, and
by and large, that isn't happening. Enterprise purchasing just isn't driven
by IPv6 features ... if anything, it's a check-box feature for vendors and
ignored by decision makers.

Until the enterprise says to the widget salesperson, "I'm not buying this
until and unless you truly commit to supporting IPv6," we're stuck where we
are.

We don't necessarily need you to replace everything in your network that
doesn't support it today, we need you to not put a single thing in your
network new, or used, that doesn't. Believe me, the vendors will get the
message and suddenly even the legacy stuff will start to be fixed. Remember
what a PITA it was to get Novell to support IPv4? They didn't do it until
they had to.

-e


  There are a lot of things that have changed as IPv6 has been deployed
 such as DHCPv6 (not even talking about setting default GW via DHCP, but
 things such as DNS servers, DNS domain name, etc). Not all vendors
 especially ones in niche markets can update the firmwares that often, and
 certainly not unless they have a business justification.



 On Dec 20, 2013, at 4:07 PM, Owen DeLong o...@delong.com wrote:

 
  On Dec 20, 2013, at 12:50 PM, Matthew Huff mh...@ox.com wrote:
 
 
  On Dec 20, 2013, at 3:23 PM, Owen DeLong o...@delong.com wrote:
 
 
  On Dec 20, 2013, at 6:29 AM, Matthew Huff mh...@ox.com wrote:
 
  With RA, what is the smallest interval failover will work? Compare
 that with NHRP such as HSRP, VRRP, etc with sub-second failover.
 
  RA and VRRP are not mutually exclusive. What you can’t have
 (currently) is routing information distributed by a DHCP server which may
 or may not actually know anything about the routing environment to which it
 is sending such information.
 
  In corporate networks most of the non-client systems will be
 statically addressed with privacy addresses turned off. This is for
 regulatory, audit, security and monitoring requirements. One of the many
 challenges of ipv6 in a corporate environment.
 
  There’s no problem doing this in IPv6. You can easily statically
 address a system and you can easily turn off privacy addresses. You can
 even do that and still get your default router via RA or you can statically
 configure the default router address.
 
  As such, can someone please explain what is the actual missing or
 problematic requirement for the corporate world?
 
  Owen
 
  Reality.
 
  Owen, not all OS and especially hardware appliances (dedicated NTP
 appliances, UPS cards, ILO), etc... will work with RA and static addresses.
 They just don't. Some OS's won't disable SLAAC unless you disable autoconf
 on the switch. When you
 
  Not all devices have working IPv6 stacks. OK, they’re broken, complain
 to the vendor and get them to fix their product or buy a working product
 from a different vendor.
 
  do that, they lose the ability to pick up RA. Some will only work with
 link local gateway addresses, some will only work with link global gateway
 addresses. There is a lot of cruft out there in the enterprise world that
 claims IPv6
 
  Link Local gateway addresses are required functionality in IPv6. A
 device which requires a global gateway address is
  broken. See above.
 
  compatibility, but in the real world doesn't work consistently. Almost
 all can be made to work, but require custom configuration. Far too much
 work for many organizations to see value in deployment. In at least one IT
 department I know of, IPv6 is banned because the CIO read that one of the
 “advantages of IPv6 is bringing back the p2p model of IP”, and most
 corporate management has zero interest in having any p2p connectivity
 within their network.
 
  IPv4 didn’t work perfectly in the beginning either. Enterprises spent
 many years getting vendors to correct issues with their IPv4 products and
 we’re just starting that process with IPv6.
 
  I’m asking what’s broken in the protocol design since that’s what the
 IETF can attempt to fix.
 
 
  For our desktop environments (Windows 7 and RHEL6) we have two
 different configurations on the switches on separate VLANs using SLAAC with
 DHCPv6 and that works fine with RA announcing the NHRP. Other equipment,
 not so much.
 
  Sounds like you need to contact the vendors for that other equipment and
 get them to fix their IPv6 implementations.
 
  Owen
 





Re: turning on comcast v6

2013-12-11 Thread Eric Oosting
On Wed, Dec 11, 2013 at 8:17 AM, Randy Bush ra...@psg.com wrote:

 Randy Bush wrote:
  http://comcast6.net/ tells me that the local cmts is v6 enabled.  my
  modem, a cisco dpc3008, is in the supported products list.  so how do
  i turn the sucker on?
 
  randy

 after a lot of messing about with the massive help of Chris Adams and
 John Brzozowski, problem solved.  see http://rtechblog.psg.com/


It brings a tear to my eye that it takes:

0) A long standing and well informed internet technologist;
1) specific, and potentially high end, CPE for the res;
2) specific and custom firmware, unsupported by CPE manufacturer ... or
anyone;
3) hand installing several additional packages;
4) hand editing config files;
5) sysctl kernel flags;
6) several shout outs to friends and coworkers for assistance (resources
many don't have access to);
7) oh, and probably hours and hours twiddling with it.

just to get IPv6 to work correctly.

Yea, that's TOTALLY reasonable.

-e




 randy




Re: turning on comcast v6

2013-12-11 Thread Eric Oosting
On Wed, Dec 11, 2013 at 10:40 AM, Randy Bush ra...@psg.com wrote:

  just to get IPv6 to work correctly.

 i would not have had this problem if i had not done the openwrt thing.
 the stock netgear would have been fine.  i brought this on myself
 because i wanted to also run things such as an openvpn server.

 i was documenting for the next to follow, not to whine.


To be clear, I wasn't accusing you of whining. And thanks for documenting
it for the next guy.

Stock netgear does PD and works out of the box? Didn't realize that.

-e



 randy



Re: 844 INWATS prefix activated

2013-12-08 Thread Eric Oosting
How does team-cymru.org not have a bgp feed of these?


On Sun, Dec 8, 2013 at 1:57 AM, Jay Ashworth j...@baylink.com wrote:

 Note, if you're the PBX guy somewhere, too, that the +1 844 toll free prefix
 was activated at 1200EST today.

 Cheers,
 -- jra

 --
 Make Election Day a federal holiday: http://wh.gov/lBm94  100k sigs by 12/14

 Jay R. Ashworth                  Baylink                       j...@baylink.com
 Designer                     The Things I Think                       RFC 2100
 Ashworth & Associates       http://baylink.pitas.com         2000 Land Rover DII
 St Petersburg FL USA               #natog                      +1 727 647 1274




Re: ATT UVERSE Native IPv6, a HOWTO

2013-12-02 Thread Eric Oosting
On Mon, Dec 2, 2013 at 11:11 PM, Rob Seastrom r...@seastrom.com wrote:


 Ricky Beam jfb...@gmail.com writes:

  On Fri, 29 Nov 2013 08:39:59 -0500, Rob Seastrom r...@seastrom.com
 wrote:
  So there really is no excuse on ATT's part for the /60s on uverse
 6rd...
  ...
  Handing out /56's like Pez is just wasting address space -- someone
  *is*  paying for that space. Yes, it's waste; giving everyone 256
  networks when  they're only ever likely to use one or two (or maybe
  four), is  intentionally wasting space you could've assigned to
  someone else. (or  **sold** to someone else :-)) IPv6 may be huge to
  the power of huge, but  it's still finite. People like you are
  repeating the same mistakes from  the early days of IPv4...

 There's finite, and then there's finite.  Please complete the
 following math assignment so as to calibrate your perceptions before
 leveling further allegations of profligate waste.


I know this is rhetorical, but my hobby is answering people's rhetorical
questions.



Suppose that every mobile phone on the face of the planet was an end
site in the classic sense and got a /48 (because miraculously,
the mobile providers aren't being stingy).


Very well, I'll play your silly game.

48 bits remaining.



Now give such a phone to every human on the face of the earth.


33 bits should do it. That gets us to nearly 9 billion people.

15 bits remaining.


Unfortunately for our conservation efforts, every person with a
cell phone is actually the cousin of either Avi Freedman or Vijay
Gill, and consequently actually has FIVE cell phones on active
plans at any given time.


5 is inconvenient. Let's give everyone 8 mobile phones, using 3 bits.

12 bits remaining.



Assume 2:1 overprovisioning of address space because per Cameron
Byrne's comments on ARIN 2013-2, the cellular equipment providers
can't seem to figure out how to have N+1 or N+2 redundancy rather
than 2N redundancy on Home Agent hardware.


1 bit for that.

11 bits remaining.

Now we're assigning space out of 2000::/3 for now ... let's keep the other
7/8ths of the IPv6 address block in reserve, using another 3 bits ...
leaving ... carry the one ... 8 bits.



 What percentage of the total available IPv6 space have we burned
 through in this scenario?  Show your work.


If we give every man, woman, and child on the face of the earth the
equivalent of (16) /48s each, we will have used 1/256th of the first
1/8th of the IPv6 address space.

Wolfram says there have been 110 billion homo sapiens that have ever lived.
We need to give every person who has literally ever lived on planet earth
their own /40 before we've used up 2000::/3, and need to move on to the
remaining 87.5% of the address space. (This is where someone will ding me
for the misuse of "literally" somehow with a pointer to The Oatmeal comic,
right?)

-e



 -r


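The bit budget Eric walks through above, carried out in code as an added example (not part of the thread). The thread's numbers are kept; the only assumption of mine is the world population used for the "nearly 9 billion" step (7.3 billion, a 2013-era figure), which lands on the same 33 bits. It also answers the "everyone who ever lived" question generally rather than for /40 alone.

```python
import math

GLOBAL_UNICAST_PREFIX = 3   # 2000::/3, the block allocations come from today
HUMANS_EVER = 110e9         # the figure quoted from Wolfram in the thread
WORLD_POPULATION = 7.3e9    # my assumption; the thread just says "nearly 9 billion"

def bits_for(count):
    """Prefix bits needed to number `count` things, rounded up to a power of
    two the way an address plan is laid out (5 phones -> 8 -> 3 bits)."""
    return max(0, math.ceil(math.log2(count)))

def end_site_budget(site_prefix=48, people=WORLD_POPULATION, phones_each=5, overprovision=2):
    """Carry the thread's estimate through step by step.  Returns the list of
    (step, bits_consumed, bits_left) rows and the fraction of 2000::/3 used."""
    bits_left = site_prefix - GLOBAL_UNICAST_PREFIX   # 45 bits' worth of /48s in the /3
    rows = []
    for label, bits in (("one per person", bits_for(people)),
                        ("phones per person", bits_for(phones_each)),
                        ("2:1 overprovisioning", bits_for(overprovision))):
        bits_left -= bits
        rows.append((label, bits, bits_left))
    if bits_left < 0:
        raise ValueError("plan does not fit inside 2000::/3")
    return rows, 2.0 ** -bits_left

def prefix_per_person_to_exhaust(humans=HUMANS_EVER):
    """Prefix length each human who ever lived would need to receive before
    2000::/3 runs out: the thread's /40 for 110 billion people."""
    return GLOBAL_UNICAST_PREFIX + bits_for(humans)

def fraction_used(site_prefix, sites):
    """Fraction of 2000::/3 consumed by `sites` assignments of /site_prefix,
    without the power-of-two rounding (the exact figure behind the estimate)."""
    return sites / 2 ** (site_prefix - GLOBAL_UNICAST_PREFIX)
```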



CGN fixed/hashed nat question

2013-01-21 Thread Eric Oosting
Let me start out by saying I'm allergic to CGN, but I got to ask the
question:

Some of the CGN providers are coming out with fixed nat solutions for
their IPv6 transition/IPv4 preservation technologies to reduce logging.
This appears to provide for a static mapping of outside ports/IPs to a
particular customer such that the service provider doesn't need to log
literally every session through the box.

At the last nanog, I seem to remember someone stepping up and discussing
the problems associated with just taking ports 1025 through 1025+X and
giving it to some customer and had brought up the idea of using a hash or
salt to map what would appear to be random ports to a customer in such a
way that you could reverse the port back to the customer later if need be.
For the life of me, I can't find anything on the internets about this
concept.

I had it in my head it was a lightning talk or something, but reviewing the
agenda doesn't ring any bells. Anyone know what I'm talking about and what
it's called?

-e


Re: CGN fixed/hashed nat question

2013-01-21 Thread Eric Oosting
On Mon, Jan 21, 2013 at 12:18 PM, Nick Hilliard n...@foobar.org wrote:

 draft-donley-behave-deterministic-cgn


That's it. Or more specifically, the section of that draft that points to
https://tools.ietf.org/html/rfc6431#section-2.2

Thanks.

-e
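The idea the thread is chasing, as an added illustration that is not the algorithm of draft-donley-behave-deterministic-cgn or RFC 6431 and not code from anyone on the list: a subscriber's outside address and port set are derived from the inside address plus an operator secret, so an abuse report's (address, port) can be reversed to a subscriber without logging every session. All pool sizes, addresses and the secret are constructed; `secret=None` yields the plain contiguous blocks Eric contrasts with.

```python
import hashlib
import hmac
import ipaddress

# Constructed parameters (not from the thread or any draft).
INSIDE_POOL = ipaddress.ip_network("100.64.0.0/24")     # 256 subscribers, RFC 6598 space
OUTSIDE_BASE = ipaddress.ip_address("198.51.100.0")     # documentation range
FIRST_PORT = 1024                                        # ports below this stay with the CGN
SUBS_PER_IP = 64                                         # 64:1 sharing ratio
PORTS_PER_SUB = (65536 - FIRST_PORT) // SUBS_PER_IP      # 1008 ports each
SECRET = b"constructed-operator-secret"                 # the 'salt'; retain it with the mapping

def _permutation(secret):
    """Keyed permutation of the usable port space: rank every logical port
    index by its HMAC tag.  Rebuildable from the secret alone, so the mapping
    can be inverted later with no per-session log.  secret=None gives the
    plain contiguous blocks (1024.., 2032.., ...) the thread contrasts with."""
    n = 65536 - FIRST_PORT
    if secret is None:
        return list(range(n)), list(range(n))
    phys_to_logical = sorted(range(n), key=lambda i: hmac.new(secret, i.to_bytes(2, "big"), hashlib.sha256).digest())
    logical_to_phys = [0] * n
    for phys, logical in enumerate(phys_to_logical):
        logical_to_phys[logical] = phys
    return phys_to_logical, logical_to_phys

PHYS_TO_LOGICAL, LOGICAL_TO_PHYS = _permutation(SECRET)

def subscriber_index(inside_ip):
    ip = ipaddress.ip_address(inside_ip)
    if ip not in INSIDE_POOL:
        raise ValueError(f"{ip} is not a CGN subscriber")
    return int(ip) - int(INSIDE_POOL.network_address)

def outside_mapping(inside_ip):
    """Outside address and the fixed set of ports reserved for one subscriber."""
    idx = subscriber_index(inside_ip)
    out_ip = OUTSIDE_BASE + idx // SUBS_PER_IP
    block = idx % SUBS_PER_IP
    ports = sorted(FIRST_PORT + LOGICAL_TO_PHYS[block * PORTS_PER_SUB + j] for j in range(PORTS_PER_SUB))
    return str(out_ip), ports

def lookup(out_ip, port):
    """Reverse an (outside address, port) pair from an abuse report back to the
    inside address, using nothing but the mapping parameters and the secret."""
    if not FIRST_PORT <= port < 65536:
        raise ValueError("port is reserved for the CGN itself")
    block = PHYS_TO_LOGICAL[port - FIRST_PORT] // PORTS_PER_SUB
    idx = (int(ipaddress.ip_address(out_ip)) - int(OUTSIDE_BASE)) * SUBS_PER_IP + block
    if not 0 <= idx < INSIDE_POOL.num_addresses:
        raise ValueError("outside address is not part of this CGN pool")
    return str(INSIDE_POOL.network_address + idx)
```

The retention burden shrinks to the pool parameters, the secret and the timestamp of any parameter change, which is the logging reduction the vendors are selling.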