Re: "Tactical" /24 announcements

2021-08-16 Thread Jason Pope
>On Thu, Aug 12, 2021 at 9:41 AM Hank Nussbacher wrote:
>> On 12/08/2021 17:59, William Herrin wrote:
>> > If you prune the routes from the Routing Information Base instead, for
>> > any widely accepted size (i.e. /24 or shorter netmask) you break the
>> > Internet.
>>
>> How does this break the Internet?  I would think it would just result in
>> sub-optimal routing (provided there is a covering larger prefix) but
>> everything should continue to work.  Clue me in, please.
>
>A originates 10.0.0.0/16 to paid transit C
>B originates 10.0.1.0/24 also to paid transit C
>C offers both routes to D. D discards 10.0.1.0/24 from the RIB based
>on same-next-hop
>You peer with A and D. You receive only 10.0.0.0/16 since A doesn't
>originate 10.0.1.0/24 and D has discarded it.
>You send packets for 10.0.1.0/24 to A (the shortest path for
>10.0.0.0/16), stealing A's paid transit to C to get to B.
>Unless A filters C-bound packets purportedly from 10.0.1.0/24. B
>doesn't currently transit for A so from B's perspective that's not an
>allowed path. In which case, your path to 10.0.1.0/24 is black holed.
>
>D broke the Internet. If packets from you reach A at all, they do so
>through an unpermitted path.
>
>Regards,
>Bill Herrin

Ok, I apologize, but I have some dumb questions (because I don't BGP
anymore):

1) I assume in the scenario that A "owns" (ARIN assignment) 10.0.0.0/16 and
if B has a /24 assignment out of the block that A "owns", shouldn't that
mean that B has a business relationship with A and some kind of direct
connectivity to A?

2) If "no", then why is B using a /24 out of A's block? If A sold or gave
the block to B without a connectivity agreement, then A should break up
their announcements appropriately to carve the /24 out of their
announcement, right?

3) If "yes", then the connectivity wouldn't be broken, right?

TIA for the tutoring and bearing with me.

Regards,
Jason K Pope
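Bill Herrin's scenario can be reproduced with a small model of route selection. The code below is an added example written for this page, not code from the thread or from any of the operators in it: the AS names A, B, C and D and the prefixes 10.0.0.0/16 and 10.0.1.0/24 are the constructed ones from his message, route selection is simplified to longest prefix then shortest AS path, and D's "same-next-hop" pruning is modelled as dropping a more-specific whose next hop equals the next hop of the covering prefix.

```python
import ipaddress

# Added example, not code from the thread. Constructed topology from Bill
# Herrin's reply: A originates 10.0.0.0/16 and B originates 10.0.1.0/24, both
# to transit C; C advertises both to D; "you" peer with A and with D.

def route(prefix, next_hop, as_path):
    return {"prefix": ipaddress.ip_network(prefix),
            "next_hop": next_hop, "as_path": tuple(as_path)}

def prune_same_next_hop(rib):
    """D's policy from the thread: drop a more-specific whose next hop equals
    the next hop of a covering less-specific already in the RIB."""
    kept = []
    for r in rib:
        covering = [c for c in rib
                    if c["prefix"] != r["prefix"] and r["prefix"].subnet_of(c["prefix"])]
        if any(c["next_hop"] == r["next_hop"] for c in covering):
            continue
        kept.append(r)
    return kept

def best_route(rib, dest):
    """Longest-prefix match; among equal lengths the shortest AS path wins."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in rib if addr in r["prefix"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["prefix"].prefixlen, -len(r["as_path"])))

def readvertise(rib, from_as):
    """What a neighbour of `from_as` receives: same prefixes, next hop set to
    from_as, AS path prepended with from_as."""
    return [route(str(r["prefix"]), from_as, (from_as,) + r["as_path"]) for r in rib]

def your_rib(d_prunes):
    # What C holds from its customers, and what D receives from C.
    c_rib = [route("10.0.0.0/16", "A", ["A"]), route("10.0.1.0/24", "B", ["B"])]
    d_rib = readvertise(c_rib, "C")
    if d_prunes:
        d_rib = prune_same_next_hop(d_rib)
    # You peer with A (which only originates the /16) and with D.
    from_a = [route("10.0.0.0/16", "A", ["A"])]
    from_d = readvertise(d_rib, "D")
    return from_a + from_d

def next_hop_for(dest, d_prunes):
    """Return (next hop, AS path) you select for dest under either D policy."""
    best = best_route(your_rib(d_prunes), dest)
    return best["next_hop"], best["as_path"]

if __name__ == "__main__":
    for prunes in (False, True):
        nh, path = next_hop_for("10.0.1.5", d_prunes=prunes)
        print(f"D prunes={prunes}: 10.0.1.5 -> next hop {nh}, AS path {path}")
```

The two cases differ only in whether the /24 survives at D. With it, your best route to 10.0.1.5 is via D with an AS path ending in B; without it, both remaining routes are the /16, the shorter path through A wins, and traffic for B's prefix is handed to A, which is the path Bill describes as unpermitted. The check a peer can make is the one the function exposes: whether the origin of the prefix you intend to reach appears at all in the AS path of the route you chose.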


Re: Google uploading your plain text passwords

2021-06-14 Thread Jason Pope
I am not the brightest bulb in the house, but when I try to go to
passwords.google.com, I get the following response:

> Google can't check your passwords for security issues because you set up a
> passphrase to encrypt your passwords in your Google Account. This keeps the
> data private to you. Learn more.

This occurs on my Google Chrome browser, which does sync my passwords
between devices because I have the browser signed into my personal account,
and my Brave browser, which is never signed in with any Google accounts.

I don't remember setting a passphrase, but apparently I did. I can't
remember if I did that because I did see a behaviour, such as showing me
all my passwords with little to no effort, or it was offered as a security
feature and I said, "Yes, please."

Jason K Pope
214.566.8527
boards...@gmail.com
Greater love has no one than this, that one lay down his life for his
friends.
John 15:13


Re: NANOG Digest, Vol 145, Issue 25

2020-02-26 Thread Jason Pope
Would it be possible to deploy one switch for every three floors? So each
switch would service the floor that they are on, along with the floor below
and the floor above? That would reduce your switch count to ten and you
should be able to use the vendor's Ethernet ring protocol. If you use
bidirectional optics, you should be able to set up two Ethernet rings of
five switches.

Jason K Pope
Greater love has no one than this, that one lay down his life for his
friends.
John 15:13



> --
>
> Message: 1
> Date: Tue, 25 Feb 2020 13:40:20 +0100
> From: Alex Band 
> To: NANOG list 
> Subject: Re: Has Anyone managed to get Delegated RPKI working with
> ARIN
> Message-ID: <7a5abdfb-56ea-46c5-b553-94346a52e...@nlnetlabs.nl>
> Content-Type: text/plain;   charset=utf-8
>
> An update:
>
> The setup process with ARIN has now been fixed in Krill 0.5.0, which was
> just released:
> https://www.nlnetlabs.nl/news/2020/Feb/25/krill.0.5.0-released/
>
> We have worked around the issue by transforming the child request XML file
> in the user interface using a toggle:
> https://rpki.readthedocs.io/en/latest/krill/parent-interactions.html#arin
>
> This ensured that Krill is compatible with both the old and new response
> file format. Once ARIN conforms to RFC 8183, this toggle will be removed in
> a future version. We have also fixed two blocking issues with APNIC,
> ensuring Krill now works with every RIR implementation.
>
> Looking forward to your feedback on this release.
>
> Cheers,
>
> Alex
>
> > On 13 Feb 2020, at 09:48, Alex Band wrote:
> >
> > Hi there!
> >
> > There is also this somewhat hacky SED command to transform the Request
> > XML into the format that ARIN accepts, in case you’d like to use something
> > other than the XSL:
> >
> > https://sed.js.org/?gist=3f08fb293c8825855bb26f2865161575
> >
> > –– Looping in John Curran
> >
> > John, I appreciate ARIN has accepted RFC 8183 compatibility as an ACSP
> > suggestion:
> >
> > https://www.arin.net/participate/community/acsp/suggestions/2020-3/
> >
> > Looking at the XML though, the changes needed to make this work are one
> > tag, a URL and a version number. Could this please be tracked as a simple
> > bug instead of a "feature to include in our future RPKI improvements”?
> >
> > In the mean time I have added a warning to the documentation:
> >
> > https://rpki.readthedocs.io/en/latest/krill/manage-cas.html#step-1-get-the-request-xml-file
> >
> > Thanks!
> >
> > -Alex
> >
> >> On 5 Feb 2020, at 16:48, Tim Bruijnzeels wrote:
> >>
> >> Hi,
> >>
> >> Everyone is welcome to read that list of course, but the TL;DR is:
> >>
> >> ARIN currently uses a pre RFC 8183 format for the identity exchange. It
> >> would be good if this were updated. New versions of rpkid as well as Krill
> >> have issues with the old format.
> >>
> >> In the meantime this XSL provided by rpki.net can be of help:
> >>
> >> https://raw.githubusercontent.com/dragonresearch/rpki.net/master/potpourri/oob-translate.xsl
> >>
> >> Note: if you are planning to give Krill a try we recommend that you
> >> wait for version 0.5. We expect to have this version ready in 1-2 weeks. It
> >> will include usability improvements, better monitoring and a UI.
> >>
> >> Kind regards,
> >>
> >> Tim
> >>
> >>> On 5 Feb 2020, at 16:03, Christopher Munz-Michielin <christop...@ve7alb.ca> wrote:
> >>>
> >>> Brilliant! Thanks for the write up Cynthia, I'll have a read through!
> >>>
> >>> Chris
> >>>
> >>> On 2020-02-05 1:56 a.m., Cynthia Revström wrote:
> >>>> (Re-sent as I forgot to include the ML the first time, oops)
> >>>> Hi Chris,
> >>>>
> >>>> I recently figured it out and posted it on the NLNetLabs RPKI mailing
> >>>> list. https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html
> >>>>
> >>>> I hope it helps :)
> >>>>
> >>>> - Cynthia
> >>>>
> >>>> On Wed, Jan 29, 2020 at 6:31 PM Christopher Munz-Michielin <christop...@ve7alb.ca> wrote:
> >>>>
> >>>>> Hi Nanog,
> >>>>>
> >>>>> Posting here since my Google-fu is coming up short.  I'm trying to
> >>>>> setup delegated RPKI in ARIN using rpki.net's rpkid
> >>>>> Python daemon and am running into an issue submitting the identity file to
> >>>>> ARIN's control panel. The same file submitted to RIPE's test environment
> >>>>> at https://localcert.ripe.net/#/rpki works without issue, while
> >>>>> submitting to ARIN results in "Invalid Identity.xml file."
> >>>>>
> >>>>> The guide I'm following is this one:
> >>>>> https://github.com/dragonresearch/rpki.net/blob/master/doc/quickstart/xenial-ca.md
> >>>>> and I'm able to get as far as generating the identity file.
> >>>>>
> >>>>> Wondering if anyone has gone down this road before and has any
> >>>>> helpful hints to make this work?
> >>>>>
> >>>>> Cheers,
> >>>>> Chris
> >>>>
> >>
> >
>
>
>
> --
>
> Message: 2
> Date: Tue, 25 Feb 2020 18:32:02 -0800
> 

Spectrum/TimeWarner IPv6 routing issue

2017-05-09 Thread Jason Pope
All,

I apologize for doing this, but is there anyone on the list with
Spectrum/TimeWarner that would be willing to discuss (via e-mail) an IPv6
routing issue to a cable modem? I can't put more time in with the normal
support gauntlet.

Thanks in advance!
Jason


RE: telnet into a netgear switch?

2013-11-25 Thread Jason Pope
--
Message: 2
Date: Sun, 24 Nov 2013 18:47:09 -0800
From: David Birdsong da...@imgix.com
To: nanog@nanog.org
Subject: telnet into a netgear switch?
Message-ID:
CAOMvUQfeM_Wnc=es1vz0gh_pp-vz+sprk9td-1u0a34c3a6...@mail.gmail.com
Content-Type: text/plain; charset=ISO-8859-1

Hey all, last night while at the datacenter I was in a pinch to extend a
rack's LAN. I compromised and ran out to the local Fry's to buy whatever
switch I could find so as to allow some configuration to happen while
we wait for the real network gear to show up.

I left before confirming I could access the switch remotely; it was very
late and I was pretty groggy and hey, any network gear has to be
telnet'table this day and age. Of course I was mostly wrong.

The switch expects some signed payload before allowing a telnet through. I
found this: https://code.google.com/p/netgear-telnetenable/...but I'm
having a hell of a time getting anything to respond.

The most confounding part is the switch doesn't respond to a single SYN
packet on low ports. I'm scanning all the ports now, but if nothing shows
up, I'm not sure what a payload is good for if the switch doesn't ACK a
single SYN.

I'm curious if anybody's got any tips besides not using Netgear in the
datacenter.

I have the MAC, I've IP'd it via DHCP, and the model number: JGS524E and I
can power cycle the switch as much as needed.


P.S. long time listener, first time caller. I'm more of a sysadmin
dangerously standing in for a proper network person.
--

Seems to me that you need to use their Switch Configuration Utility to
manage the switch.  I didn't read all the documentation, but that is what
jumps out at me after a brief look.  Maybe it will allow you to enable
telnet or ssh from there.  See the following link:

http://downloadcenter.netgear.com/en/product/JGS524E

Jason


Re: telnet into a netgear switch?

2013-11-25 Thread Jason Pope
On Mon, Nov 25, 2013 at 5:42 PM, David Birdsong da...@imgix.com wrote:

> On Nov 25, 2013 1:51 PM, Jason Pope boards...@gmail.com wrote:
>
>> --
>> Message: 2
>> Date: Sun, 24 Nov 2013 18:47:09 -0800
>> From: David Birdsong da...@imgix.com
>> To: nanog@nanog.org
>> Subject: telnet into a netgear switch?
>> Message-ID:
>> CAOMvUQfeM_Wnc=es1vz0gh_pp-vz+sprk9td-1u0a34c3a6...@mail.gmail.com
>> Content-Type: text/plain; charset=ISO-8859-1
>>
>> Hey all, last night while at the datacenter I was in a pinch to extend a
>> rack's LAN. I compromised and ran out to the local Fry's to buy whatever
>> switch I could find so as to allow some configuration to happen while
>> we wait for the real network gear to show up.
>>
>> I left before confirming I could access the switch remotely; it was very
>> late and I was pretty groggy and hey, any network gear has to be
>> telnet'table this day and age. Of course I was mostly wrong.
>>
>> The switch expects some signed payload before allowing a telnet through. I
>> found this: https://code.google.com/p/netgear-telnetenable/...but I'm
>> having a hell of a time getting anything to respond.
>>
>> The most confounding part is the switch doesn't respond to a single SYN
>> packet on low ports. I'm scanning all the ports now, but if nothing shows
>> up, I'm not sure what a payload is good for if the switch doesn't ACK a
>> single SYN.
>>
>> I'm curious if anybody's got any tips besides not using Netgear in the
>> datacenter.
>>
>> I have the MAC, I've IP'd it via DHCP, and the model number: JGS524E and I
>> can power cycle the switch as much as needed.
>>
>>
>> P.S. long time listener, first time caller. I'm more of a sysadmin
>> dangerously standing in for a proper network person.
>> --
>>
>> Seems to me that you need to use their Switch Configuration Utility to
>> manage the switch.  I didn't read all the documentation, but that is what
>> jumps out at me after a brief look.  Maybe it will allow you to enable
>> telnet or ssh from there.  See the following link:
>
> No windows box handy, nor the desire for that hoop.
>
> ...but what magic is a windows app going to perform to wake up an
> unresponsive TCP stack?
>
>> http://downloadcenter.netgear.com/en/product/JGS524E
>>
>> Jason

Ahh; I don't use windows either, but I keep a VM handy just in case I need
it.

jp


Re: U.S. spy agencies ... email for cybersecurity

2012-07-10 Thread Jason Pope
Seriously, on the subject of email for cybersecurity, can we please just
black list NIG NOG nanog...@yahoo.com?

Jason K Pope


Re: HIJACKED: 148.163.0.0/16 -- WTF? Level3 is now doing IP hijacking??

2011-04-05 Thread Jason Pope
All,

WRT the below route object, DataBank does announce IP space for Hoechst Celanese
Corporation as they are a direct customer of ours:

 $ whois -h whois.radb.net 148.163.0.0
 route:      148.163.0.0/16
 descr:      /16 for Celanese
 origin:     AS13767
 mnt-by:     DBANK-MNT
 changed:    jp...@databank.com 20090818
 source:     LEVEL3


Currently, we only announce/originate the following prefixes via BGP:

148.163.178.0/24
148.163.179.0/24

via our providers, Level3 and Sprint.  We asked our providers to relax their
filters for the whole /16, since Celanese owns that IP space.  That may or may
not be a good idea, depending on your view of network management.  We did this
in case our customer needed to announce new networks which would save us the
time/work of placing more/new route objects in the registry.  We have the
appropriate LOA for this network which is validated through face-to-face
meetings with their network engineers and representatives.

DataBank is very sensitive to network abuse; we have an AUP in place with all of
our customers and will always work hard to enforce it to prevent network abuse.

I apologize that I didn't respond sooner, but I have gotten behind on my NANOG
reading.

Thank you,
Jason Pope
DataBank Holdings
214.720.2266 office
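The relationship between a registered route object and what a provider's prefix filter will accept can be checked mechanically. The following is an added example written for this page, not DataBank's or the list's code: it parses the route object quoted above (with the changed: line left out) and classifies announced (prefix, origin) pairs as covered by a route object with the same origin, covered only under a different origin, or not covered at all. The two /24s are the ones the message lists and the /16 stands for the relaxed filter; the AS64496 and 192.0.2.0/24 entries are constructed documentation values included only to show what a rejected announcement looks like.

```python
import ipaddress

# Added example, not DataBank's or the list's code.
# Route object text as quoted in the message (the changed: line omitted).
ROUTE_OBJECTS_TEXT = """\
route:      148.163.0.0/16
descr:      /16 for Celanese
origin:     AS13767
mnt-by:     DBANK-MNT
source:     LEVEL3
"""

# Constructed announcements: the two /24s the message lists, the whole /16
# (what the relaxed provider filter would accept), plus two made-up entries
# using documentation values (AS64496, 192.0.2.0/24) to show rejections.
ANNOUNCEMENTS = [
    ("148.163.178.0/24", "AS13767"),
    ("148.163.179.0/24", "AS13767"),
    ("148.163.0.0/16", "AS13767"),
    ("148.163.1.0/24", "AS64496"),
    ("192.0.2.0/24", "AS13767"),
]

def parse_rpsl(text):
    """Parse RPSL text ('key: value' lines, objects separated by blank lines)
    and return only the route objects, each as a dict."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        objects.append(current)
    return [o for o in objects if "route" in o and "origin" in o]

def check_announcements(route_objects, announcements):
    """Classify each (prefix, origin): 'ok' if a route object covers the
    prefix with the same origin, 'origin mismatch' if it is covered only by
    objects with another origin, 'no route object' if nothing covers it."""
    results = {}
    for prefix, origin in announcements:
        net = ipaddress.ip_network(prefix)
        covering = [o for o in route_objects
                    if net.subnet_of(ipaddress.ip_network(o["route"]))]
        if not covering:
            results[prefix] = "no route object"
        elif any(o["origin"] == origin for o in covering):
            results[prefix] = "ok"
        else:
            results[prefix] = "origin mismatch"
    return results

def run_check():
    """Run the classification over the constructed inputs above."""
    return check_announcements(parse_rpsl(ROUTE_OBJECTS_TEXT), ANNOUNCEMENTS)

if __name__ == "__main__":
    for prefix, verdict in run_check().items():
        print(f"{prefix:20} {verdict}")
```

The /16 object makes every more-specific under it with origin AS13767 pass, which is exactly the effect of the relaxed filter the message describes: it is convenient when the customer adds networks, and it is also why a registry object that is broader than what is actually announced deserves the kind of LOA and review the message mentions.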