On Wed, Sep 18, 2024 at 07:33:37AM -0400, Steven Wallace wrote:
> Internet2 uses Cloudflare’s https://rpki.cloudflare.com/rpki.json as
> an alternate source for RPKI-ROA information. We recently discovered
> that this file omits IPv4 ROAs longer than /24. It would be helpful if
> it included all RO
Dear all,
I'd like to share an update on RFC 9234 deployment. RFC 9234 titled
"BGP Open Policy" aka the "Only-To-Customer" (OTC) BGP Path Attribute is
an anti-route-leak mechanism which is *NOT* based on RPKI! (yes ...
routing security is more than just RPKI! :-)
The basic idea of 9234 is that BG
On Mon, Jul 29, 2024 at 04:32:40AM +, Christopher Hawker wrote:
> When it comes to RPKI, its deployment and usage, there is a fair bit
> of information available on the Internet. Each RIR has their own
> guides for creating ROAs, each router vendor and developer has their
> own guides for deplo
On Wed, Jul 10, 2024 at 07:10:48PM -0400, Aliaksei Sheshka wrote:
> nothing! I suspect the mirror is out of sync.
>
> Now NTT mirror:
Seems reloading helped:
$ date
Thu Jul 11 03:50:22 UTC 2024
$ whois -h rr.ntt.net 199.52.73.0/24
route: 199.52.73.0/24
origin: AS132055
descr:
On Wed, Jul 10, 2024 at 09:37:22PM -0400, Aliaksei Sheshka wrote:
> On Wed, Jul 10, 2024 at 9:26 PM Job Snijders via NANOG
> wrote:
>
> > Indeed, it appears both NTT’s and RADB’s mirror instances are
> > desynchronized in relationship to ARIN’s IRR. Both NTT and RADB
>
Rubens,
ARIN-NONAUTH was deprecated two years ago:
https://www.arin.net/vault/announcements/20220404-irr/
Aliaksei,
Indeed, it appears both NTT’s and RADB’s mirror instances are
desynchronized in relationship to ARIN’s IRR. Both NTT and RADB should do a
database reload to rectify the issue.
Des
On Fri, 5 Jul 2024 at 06:59, Randy Bush wrote:
> not to distract from everyone diagnosing someone else's problem, but ...
>
> what foss dns monitoring tools do folk use to alert of
> - iminent delegation expiry
> - inconsistent service (lame, soa mismatches, ...)
> - dnssec signing and time
On Thu, May 16, 2024 at 07:17:37PM -0400, Brandon Martin wrote:
> I suspect that's why we've had some success with getting BGP security
> not just addressed in guidance but actually practically improved.
Ben Cartwright-Cox's axiom (paraphrased): "The real reason the Internet
works is that we want
Dear all,
A fact sheet has now been published, with much more detail and
considerations: https://docs.fcc.gov/public/attachments/DOC-402609A1.pdf
This is a VERY interesting read!
Kind regards,
Job
On Thu, May 16, 2024 at 04:05:21PM -0400, Josh Luthman wrote:
> Now do you think they're going to properly understand what an SS7 or
> vulnerability is?
The FCC organised several sessions (private and public) where they
invited knowledgeable people from this community to help edifice them on
what
On Thu, May 16, 2024 at 02:23:52PM -0400, Nanog News wrote:
> *Jonathan Black has been appointed NANOG Executive Director*
>
> In his new role, Jonathan will be responsible for the organization's
> operational management and will collaborate with the NANOG Board to
> refine, articulate, and implem
Dear all,
FYI:
https://docs.fcc.gov/public/attachments/DOC-402579A1.pdf
Kind regards,
Job
Dear Carlos, LACNIC, and wider community,
I very much appreciate how LACNIC worked with various stakeholders
before publicly commiting to the schedule outlined in Carlos' email.
>From what I can see, LACNIC pro-actively and properly tested their
purported post-migration environment with very broa
On Mon, Feb 26, 2024 at 05:41:12PM +, Ray Orsini via NANOG wrote:
> What tools are you using to monitor BGP announcements and route changes?
The wonderful BGP.tools already has been mentioned a few times.
Another excellent option is https://Packetvis.com, I find their RPKI
monitoring approach
On Mon, Feb 12, 2024 at 05:01:35PM -0600, Richard Laager wrote:
> On 2024-02-12 15:18, Job Snijders via NANOG wrote:
> > On Mon, Feb 12, 2024 at 04:07:52PM -0500, Geoff Huston wrote:
> > > I was making an observation that the presentation material was
> > > referring to
On Mon, Feb 12, 2024 at 04:07:52PM -0500, Geoff Huston wrote:
> > On 12 Feb 2024, at 3:14 pm, Job Snijders via NANOG wrote:
> > At NANOG 90, Merit presented on their IRRd v4 deployment. At the
> > microphone Geoff Huston raised a comment which I interpreted as:
> >
&g
Dear all,
At NANOG 90, Merit presented on their IRRd v4 deployment. At the
microphone Geoff Huston raised a comment which I interpreted as:
"Can an exception be made for my research prefixes?"
There are two sides to this:
INSERTING RPKI-invalid route/route6 objects
=
On Tue, Jan 30, 2024 at 07:28:01PM +0300, Frank Habicht wrote:
> I believe that the entry of
> route: 0.0.0.0/32
>
> does not serve any good purpose?
I don't think so either, I've created an issue to prevent that in future
releases of IRRd v4: https://github.com/irrdnet/irrd/issues/906
Dear all,
Happy new year everyone! Having just closed chapter 2023 - let's look
back at the previous year.
In this memo I'll share some RPKI statistics, summarize highlights from
the IETF Standards Development process, and reflect on emerging trends.
Year to Year Growth of the distributed RPKI
Dear NANOG,
It appears the WHOIS service at whois.radb.net is now filtering out
RPKI-invalid IRR route/route6 objects for common expansion queries!
This really is exciting and excellent news. I'll elaborate a bit on what
this exactly means.
Example ROA & IRR object
Take
Dear Amir,
On Fri, Nov 10, 2023 at 06:02:48PM -0500, Amir Herzberg wrote:
> We will present our new work, titled: `BGP-iSec: Improved Security of
> Internet Routing Against Post-ROV Attacks', in NDSS'24.
>
> If you're interested in security of Internet routing (BGP), and want a
> copy, see URL be
On Tue, Oct 24, 2023 at 05:28:31PM -0700, Owen DeLong wrote:
> Yes, but we weren’t talking about an IXP here.
> We’re talking about an ISP.
Sure, perhaps you were
I intended to submit an example where a resource holder constructively
uses a ROA designating AS 0 as purported originator, actually h
On Sun, 22 Oct 2023 at 20:33, Tom Beecher wrote:
> Basically, I guess, it means that the AS 0 solution shouldn't be used, at
>> least not usually.
>>
>
> It's like everything else. Understand what the tools do and what they
> don't do, and use them appropriately.
>
A primary risk for an IXP is
On Sun, 22 Oct 2023 at 19:35, Owen DeLong wrote:
> Actually, Job, the 1.2.0/20 would be the longest prefix announced for
> 1.2.4/24 and 1.2.7/24 in this case. It’s a rather clever end-run. The /20
> won’t match the more specific as0 ROAs, so it gets accepted. The /24s
> either aren’t advertised o
On Sun, 22 Oct 2023 at 18:10, William Herrin wrote:
> Then someone comes along and advertises a portion of the RIR space
> larger than any allocation. Since your subnet is intentionally absent
> from the Internet, that larger route draws the packets allowing a
> hijack of your address space.
>
>
On Sun, 22 Oct 2023 at 17:42, Amir Herzberg wrote:
> Bill, thanks! You explained the issue much better than me. Yes, the
> problem is that, in my example, the operator was allocated 1.2.4/22 but
> the attacker is announcing 1.2.0/20, which is larger than the allocation,
> so the operator cannot
On Thu, 19 Oct 2023 at 12:12, Aftab Siddiqui
wrote:
> A quick check to my routing table suggests that I have 206700
> preferred routes (v4/v6) to notfound (unknown) destinations. So yeah I
> don't think anyone can afford to do this right now.
>
I don’t think anyone can afford to ever do this, r
On Thu, 19 Oct 2023 at 11:56, Owen DeLong wrote:
>
> On Thu, 19 Oct 2023 at 11:46, Owen DeLong via NANOG
> wrote:
>
>> A question for network operators out there that implement ROV…
>>
>> Is anyone rejecting RPKI unknown routes at this time?
>>
>> I know that it’s popular to reject RPKI invalid
On Thu, 19 Oct 2023 at 11:46, Owen DeLong via NANOG wrote:
> A question for network operators out there that implement ROV…
>
> Is anyone rejecting RPKI unknown routes at this time?
>
> I know that it’s popular to reject RPKI invalid (a ROA exists, but doesn’t
> match the route), but I’m wonderin
Dear Martin,
On Wed, Oct 11, 2023 at 10:01:53AM +0200, Martin Pels wrote:
> I think this is important work.
Thanks!
> As you indicated in your mail you have spent quite some time compiling
> the constraints files in the appendix. Keeping them up to date
> requires tracking allocations and policy
Dear all,
Please see the below announcement, I think this is really good news!
RPKI-based filtering at large databases and mirror services like RADB
really helps take the sting out of potentially harmful RPKI-invalid IRR
route objects. This will positively impact operators who use bgpq3, irrpt,
o
Dear Matthew,
See below
On Tue, 26 Sep 2023 at 20:49, Matthew Petach wrote:
>
> Job,
>
> This looks fantastic, thank you!
>
> For my edification and clarification, the reason you don't need a
>
> deny 2000::/3
>
> or
>
> deny 0::/0
>
> at the bottom of the ARIN list of allows is that every file
Dear all,
Two weeks ago AFRINIC was placed under receivership by the Supreme Court
of Mauritius. This event prompted me to rethink the RPKI trust model and
associated risk surface.
The RPKI technology was designed to be versatile and flexible to
accommodate a myriad of real-world deployment scena
On Fri, Sep 01, 2023 at 11:54:57AM +0100, Nick Hilliard wrote:
> it's not really. If the receiving BGP stack understands the attribute,
> then it should be parsed as default, i.e. carefully. Unfortunately,
> junos slipped up on this and didn't validate the input correctly,
> which is a parsing bug
On Fri, 11 Aug 2023 at 17:54, Graham Johnston via NANOG
wrote:
> I've been busy over the last few days trying to clean up IRR information
> for our subnets and issue ROAs for our address space. Invariably I came
> across stale entries in various IRR databases. They aren't really hurting
> me, but
Dear Mark,
Thank you for sharing all the details in your previous email. For
brevity I'm snipping most of your reply.
On Tue, Aug 08, 2023 at 03:59:19PM +, Mark Kosters wrote:
> Job Snijders wrote:
>
> > Would it not be advantageous to create at a minimum the 256 of the
&g
Dear John, ARIN, NANOG,
On Mon, Aug 07, 2023 at 06:24:09PM +, John Curran wrote:
> We have made some fairly significant changes for those customers using
> ARIN Online for routing security administration – see attached message
> for specifics.
Yes, significant changes! I very much appreciate
Heya NANOG,
I thought this email conversation might be of interest to the group:
https://mailarchive.ietf.org/arch/msg/sidrops/RdbccLbXEHUrmmdIS5K9GOdJFXA/
Kind regards,
Job
- Forwarded message from Job Snijders -
Date: Fri, 19 May 2023 20:54:26 +0200
From: Job Snijders
To: sidr
Dear John,
On Tue, Jan 03, 2023 at 08:57:47PM +, John Curran wrote:
> NANOGers -
>
> FYI - ARIN Online now has FIDO2/Passkey as an option for two-factor
> authentication (2FA) - this is a noted priority for some
> organizations.
Thank you for sharing this wonderful news! I tried the new shin
Dear all,
With 2023 at our doorstep, I'd like to share some perspective on how
RPKI evolved in the year 2022.
Impact on the Global Internet Routing System
Decision makers might wonder: is investing time and resources worth it?
What is the effectivenes
On Sat, Dec 17, 2022 at 04:58:18PM -0800, Randy Bush wrote:
> https://www.rfc-archive.org/getrfc?rfc=9092
>
> and note that massimo has a collio toolset
>
> https://github.com/massimocandela/geofeed-finder
Rpki-client (version 8.2 and higher) supports authenticating signed
Geofeed data a
The Internet delivers when we need it the most! :-)
https://is2000slash12announcedagain.com/
Props to Ben Cartwright-Cox
Hi all,
On Wed, Dec 07, 2022 at 08:24:54PM -0800, Ryan Hamel wrote:
> AS3356 has been announcing 2000::/12 for about 3 hours now, an aggregate
> covering over 23K prefixes (just over 25%) of the IPv6 DFZ.
A few months ago I wrote: "Frequently Asked Questions about 2000::/12
and related routing er
Hi all,
It appears PacketVis correctly identified an issue.
AFRINIC's self-signed root AfriNIC.cer [1] points via its SIA to
'afrinic-ca.cer' [2] which in turn references a RPKI Manifest named
'K1eJenypZMPIt_e92qek2jSpj4A.mft'.
The K1eJenypZMPIt_e92qek2jSpj4A Manifest lists 499 Certificate
Autho
Dear 孙乐童,
On Mon, Nov 07, 2022 at 08:40:57PM +0800, 孙乐童 wrote:
> We learned from Cloudflare's https://isbgpsafeyet.com/ that some ASes
> have deployed RPKI Origin Validation (ROV). However, we downloaded BGP
> collection data from RouteViews and RipeRis platforms and found that
> some ROV-ASes can
Hi Dustin, others,
Sure thing! Someone from the Fastly peering team will follow up with you
off-list.
Information about peering with Fastly: https://www.peeringdb.com/asn/54113
and https://www.fastly.com/peering/
Kind regards,
Job
On Fri, 30 Sep 2022 at 14:39, Dustin Brooks wrote:
> Can som
Dear all,
I'd like to ask help from the EBGP hivemind: the shiny new BGP looking
glass at https://lg.ring.nlnog.net/ supports displaying text strings
mapped from BGP community values (both simple and large communities).
Mapping BGP Community values to simple English human-readable text
phrases ca
Dear Mark,
I’ll follow up off-list.
Kind regards,
Job
On Fri, 16 Sep 2022 at 20:06, Mark Spring wrote:
> In short, I am having issues with a couple of our subnets not being able
> to traverse a fastly peer which I don't manage, it is upstream from me. I
> need to get this resolved as it is ca
On Tue, Aug 30, 2022 at 01:28:18PM -0700, Hugo Slabbert wrote:
> @Job:
>
> Thanks! I was aware of the RIPE whois option, but the relevant resources
> for us are in ARIN. I wasn't aware of the RPSL *remark* option for
> providing that. We should be able to give that a bash.
Hmmm, there might be
Dear Hugo,
On Tue, Aug 30, 2022 at 12:34:41PM -0700, Hugo Slabbert wrote:
> Google folks:
>
> I see historical reference to needing to use the Google Peering Portal (
> http://peering.google.com) if you need to provide Google with geofeed info
> for GeoIP info on network blocks, ref
> https://mai
Heya,
On Wed, Aug 24, 2022 at 09:17:03AM +0200, Claudio Jeker wrote:
> On Tue, Aug 23, 2022 at 08:07:29PM +0200, Job Snijders via NANOG wrote:
> > In this sense, ASPA (just by itself) suffers the same challenge as
> > RPKI ROA-based Origin Validation: the input (the BGP AS_PATH)
Hi Douglas, group,
On Tue, Aug 23, 2022 at 03:03:31PM -0300, Douglas Fischer wrote:
> I was thinking a little about this case...
>
> I'm almost certain that this case cited by Siyuan would have been
> avoided if there was a cross-check between the items contained in the
> AS-SET objects (and othe
On Tue, Aug 23, 2022 at 05:18:42PM +, Compton, Rich A wrote:
> I was under the impression that ASPA could prevent route leaks as well
> as path spoofing. This "BGP Route Security Cycling to the Future!"
> presentation from NANOG seems to indicate this is the case:
> https://youtu.be/0Fi2ghCnXi
Dear Siyuan, others,
Thank you for the elaborate write-up and the log snippets. You
contributed a comprehensive overview of what transpired from a
publicly-visible perspective, what steps led up to the strike.
I want to jump in on one small point which I often see as a point of
confusion in our i
On Fri, Aug 05, 2022 at 11:16:03AM -0400, Justin Wilson (Lists) wrote:
> Whats the availability of two byte asns look like? Anyone able to
> obtain one recently?
Yes, at $work we obtained one recently (without hassle, thank you ARIN
hostmasters!).
So, I recommend to follow normal procedure and j
Hi Randy,
On Sun, 19 Jun 2022 at 23:07, Randy Bush wrote:
> >> It will also take much less RAM if you turn RPKI validation off.
> >
> > oh dear ghod. do i need to turn the dancing donkeys off too?
> >
> > "Make each program do one thing well. To do a new job, build afresh
> > rather than compli
Hi,
I recommend taking a look at
https://github.com/nttgin/BGPalerter
https://www.lacnic.net/innovaportal/file/4489/1/bgpalerter_lacnic33.pdf
It offers a great blend of BGP and RPKI ROA monitoring
Kind regards,
Job
On Wed, 15 Jun 2022 at 16:45, Mehmet Akcin wrote:
> Hi there
>
> What are th
On Wed, May 11, 2022 at 01:22:32PM -0600, Grant Taylor via NANOG wrote:
> On 5/11/22 10:53 AM, Job Snijders via NANOG wrote:
> > This knob slightly increase your own memory consumption, but makes your
> > router more “neighbourly”! :-)
>
> I question how accurate &
Hi!
In current versions I think enabling “soft-reconfiguration-inbound always”
(also described at
https://bgpfilterguide.nlnog.net/guides/reject_invalids/#cisco-ios-xr )
should be enough.
Make sure to enable it on every EBGP peer you apply ROV to, or just all
EBGP peers.
This knob slightly incre
Hi Shawn,
On Wed, Apr 20, 2022 at 01:14:29PM -1000, Shawn wrote:
> What is the best practice (or peoples preferred methods) to
> update/correct/maintain geolocation data?
> Do most people start with description field info in route/route6 objects?
>
> [snip]
>
> Maybe I am not using the magic word
Hi Dan!
You highlight a common pitfall in IRR-based prefix filter generation.
On Mon, Apr 11, 2022 at 09:56:59AM -0700, Dan Mahoney (Gushi) wrote:
> [snip]
> as-set: AS-PEERS
> descr: Peer AS Numbers
> members:AS132251,AS132561,AS132516
> source: APNIC
>
> as-set
On Mon, Apr 04, 2022 at 06:35:31PM -0400, Jon Lewis wrote:
> On Tue, 5 Apr 2022, Job Snijders wrote:
> > > Are others jumping ship or planning to from ALTDB (no offense intended,
> > > and
> > > grateful for the service you've provided) and other non-auth
Dear Jon, others,
On Mon, Apr 04, 2022 at 05:48:42PM -0400, Jon Lewis wrote:
> On Mon, 4 Apr 2022, Kenneth Finnegan wrote:
> > While I agree that it might be politically entertaining to let this
> > one blow up as a demonstration of how ARIN conducts business, this
> > list of networks includes to
Dear all,
On Sat, Apr 02, 2022 at 09:09:58PM +, John Curran wrote:
> As previously reported here, ARIN will be shutting down the
> ARIN-NONAUTH IRR database on Monday, 4 April 2022 at 12:00 PM ET.
>
> It is quite likely that some network operators will see different
> route processing as a re
Hi all,
It's super official now: no more software bugs in networking gear.
Sorry it took so long to document what the best current practise is!
Kind regards,
Job / Chris / Remco
- Forwarded message from rfc-edi...@rfc-editor.org -
Date: Fri, 1 Apr 2022 10:17:37 -0700 (PDT)
From: rfc-ed
On Wed, Mar 30, 2022 at 01:29:25PM +, Drew Weaver wrote:
> Ex 45.176.191.0/24 3356 3549 11172 270150
>
> RPKI ROA entry for 45.176.191.0/24-24
> Origin-AS: 265621
>
> Two questions:
>
> First, are you also seeing this on this specific route?
It is visible in a few places, but the 61% sc
On Mon, Mar 28, 2022 at 12:33:05PM +, Drew Weaver wrote:
> Is anyone else seeing this route destined for Twitter in the US being
> directed through 8359 announced by 8342?
>
> 104.244.42.0/24
>
> Just curious, replies off list welcome.
Seems visible in a handful of places:
$ w3m -dump
'htt
Hi Allen,
Yes, it can be this quiet. It’s good news, it means the thing is mostly
working :-)
I wish everyone a happy and calm 2022!
Kind regards,
Job
On Mon, 3 Jan 2022 at 20:47, Allen McKinley Kitchen (gmail) <
allenmckinleykitc...@gmail.com> wrote:
> Or has NANOG also succumbed to a signed
Hi all,
On Fri, 17 Dec 2021 at 19:50, Adrian Perrig wrote:
> other proposed approaches such as RPKI that only protects a route’s origin
> first AS, or BGPsec that requires widespread adoption and significant
> infrastructure upgrades.
>
For both RPKI-based BGP Route Origin Validation and RPKI-
Hi Anurag,
Circular dependencies definitely are a thing to keep in mind when designing
IRR and RPKI pipelines!
In the case of IRR: It is quite rare to query the RIR IRR services
directly. Instead, the common practise is that utilities such as bgpq3,
peval, and bgpq4 query “IRRd” (https://IRRd.net
On Fri, Oct 29, 2021 at 01:20:33AM +0400, Musa Stephen Honlue wrote:
> Personally I recommend dropping them invalids.
100%
> However, you could set local preferences as follows:
> - Valids routes get the highest local pref
> - unknown routes get a medium local pref
> - Invalids routes get the lo
On Tue, Oct 26, 2021 at 04:58:20PM -0700, Randy Bush wrote:
> i run a FORT RPKI relying party instance. i am looking for some
> visibility into its operation.
>
> is it up: both ways, fetching and serving routers?
>
> from what CAs has it pulled, how recently and frequently with
> what suc
Dear Edvinas,
On Mon, Oct 25, 2021 at 11:49:09PM +0300, Edvinas Kairys wrote:
> We're thinking of enabling BGP ROA, because more and more ISPs are using
> strict RPKI mode.
>
> Does enabling Hosted Mode (where it doesn't requires any additional
> configuration on client end) on RPKI could for som
On Mon, Oct 25, 2021 at 04:20:28PM -0400, Jared Mauch wrote:
> Some of the other CDNs do have IPv6 on the authorities and
> should work without issues.
>
> eg:
>
> dig -6 +trace www.akamai.com.
Yes of course :-)
dig -6 +trace www.fastly.com.
Kind regards,
Job
Hi everyone, goedenmiddag Marco!
On Fri, Oct 22, 2021 at 01:40:42PM +0200, Marco Davids via NANOG wrote:
> We currently live in times where is actually fun to go IPv6-only. In my
> case, as in: running a FreeBSD kernel compiled without the IPv4-stack.
Indeed, this is fun experimentation. Shaking
Dear Lee,
*ring ring* - "IRR/RPKI helpdesk how may I help you today?" :-)
On Fri, Oct 22, 2021 at 08:25:10AM -0500, Lee Fawkes wrote:
> I have a couple of questions about best practices for Internet Routing
> Registries. I'm able to find lots of documentation about *how* to do
> things, but not a
Hi Bryan,
On Thu, 16 Sep 2021 at 19:53, Bryan Holloway wrote:
> Hey all ... looking for a Fastly (54113) peering contact that might be
> able to get me in touch with the right folks to do stuff.
I’ll follow up with you off-list.
Kind regards,
Job
Dear Rubens,
On Mon, Aug 09, 2021 at 08:41:48AM -0300, Rubens Kuhl wrote:
> From a Cogent support ticket:
>> Please see the attached LOA.
>>
>> Regarding the RPKI ROA, for now, we don't create ROA for our prefixes
>> nor for prefixes that we assign to our customers and we don't plan to
>> do it.
On Mon, May 24, 2021 at 02:04:32PM -0400, Luca Salvatore wrote:
> Curious if anyone is aware of other Tier1s deprecating support for RADB?
Rather than deprecating RADB, I think the industry would be better off
if either RADB or the Tier1s (in their local caching layer) deploy IRR
database software
Dear Ruben, all,
On Tue, Apr 27, 2021 at 10:18:32PM -0300, Rubens Kuhl wrote:
> TC IRR, an IRR operator focused on Brazilian networks, just changed to
> IRRd 4.2. The new version allowed TC to deploy RPKI validation
> (thanks NTT for sponsoring that development) and expose HTTPS
> endpoints for W
Hi Robert, NANOG,
On Mon, Apr 26, 2021 at 09:29:27AM -0400, Robert Blayzor via NANOG wrote:
> According to Cloudflares isbgpsafeyet.com, Cogent has been considered "safe"
> and is filtering invalids.
>
> But I have found that to be untrue (mostly). It appears that some days they
> filter IPv4, so
On Thu, Apr 22, 2021 at 02:29:31PM +0300, Alexandre Snarskii wrote:
> 9002. Hit by Juniper PR1562090, route stuck in DeletePending..
> Workaround applied, sessions with 6939 restarted, route is gone.
Thank you for the details and clearing the issue.
Kind regards,
Job
On Wed, Apr 21, 2021 at 09:22:57PM +, Jakob Heitz (jheitz) wrote:
> I'd like to get some data on what actually happened in the real cases
> and analyze it.
>
> [snip]
>
> TCP zero window is possible, but many other things could
> cause it too.
Indeed. There could be a number of reasons that c
Dear Jakob, group,
On Wed, Apr 21, 2021 at 08:59:06PM +, Jakob Heitz (jheitz) via NANOG wrote:
> Ben's blog details an experiment in which he advertises routes and then
> withdraws them, but some of them remain stuck for days.
>
> I'd like to get to the bottom of this problem.
I think there
Dear John,
Thank you for extending the deadline with another 6 months. Obviously 6
months amidst a global pandamic would never be enough time. :-)
Both John Sweeting [1] and myself [2] assert there are tens of thousands
of objects for which the relationship between the object's existence and
the
Dear Hank,
On Sat, Feb 20, 2021 at 07:37:08PM +0200, Hank Nussbacher wrote:
> Is there a place where one can examine RPKI invalid logs for a specific date
> & time
I have set up a publicly accessible archiver instance in Dallas, and one
in Amsterdam which capture and archive data every 20 minute
On Tue, Feb 16, 2021 at 01:37:35PM -0600, John Kristoff wrote:
> I'd like to start a thread about the most famous and widespread Internet
> operational issues, outages or implementation incompatibilities you
> have seen.
>
> Which examples would make up your top three?
This was a fantastic outage
On Mon, Feb 08, 2021 at 04:02:14PM -0500, Justin Wilson (Lists) wrote:
> I enabled 134.195.47.1 on one of our routers.
Cool! I noticed the following: from many NLNOG RING nodes I can reach
that IP address, but not from 195.66.134.42:
deepmedia01.ring.nlnog.net:~$ mtr -z -w -r 134.195.47.1
Dear Justin,
On Mon, Feb 08, 2021 at 03:14:47PM -0500, Justin Wilson (Lists) wrote:
> It acts like the IP block was blacklisted at some point and got on
> some bad lists but I don’t want ti limit myself to that theory.
> I have opened up a ticket with ARIN asking for any guidance. Has
> anyone ran
Hi Sean, Will, group,
On Sun, Jan 17, 2021 at 03:01:22PM -0800, William Herrin wrote:
> On Sun, Jan 17, 2021 at 1:37 PM Sean Donelan wrote:
> > Some people think its funny to ghost subscribe email addresses, and
> > the NANOG mailing list auomation doesn't catch them in the verification
> > proce
Dear all,
On Mon, Jan 18, 2021 at 11:17:06AM -0700, Anne P. Mitchell, Esq. wrote:
> Either Alexandria Ocasio-Cortez' office is on the NANOG list or
> someone is forwarding NANOG email to AOC's press office (in which case
> either spoofed as the original sender or AOC's office sends an ack to
> eve
.net/LACNIC.CURRENTSERIAL
NRTM Host: irr.lacnic.net
NRTM Port:43
When LACNIC enables NRTM in the coming days, other IRRs such as RADB and NTT
will begin mirroring the LACNIC source.
We would also like to thank the DashCare team (https://dashcare.nl/), Job
Snijders (NTT) and the RADB team for
On Fri, Nov 20, 2020 at 12:02:04PM -0500, Tom Beecher wrote:
> In before snark of "OMG "http" links to RPKI info HURF BLURF!"
But Tom, that is exactly the whole point of the RPKI :-)
It's funny, but true! You really can safely use the RPKI data from the
console website in your own production envi
Dear all,
I'd like to introduce another tool to inspect RPKI data... the
rpki-client console! Comes with an authentic 90s look & feel :-)
The Frontpage - http://console.rpki-client.org/
---
On the front page you can see stdout + stderr of the most recen
Dear Pirawat,
On Mon, Oct 26, 2020 at 08:13:19PM +0700, Pirawat WATANAPONGSE wrote:
> I am seeking advice concerning someone else announcing IRR records on
> resources belonging to me.
Change is underway in the IRR ecosystem! The situation we are all used
to is that it is rather cumbersome to get
On Mon, Nov 02, 2020 at 09:13:16AM +0100, Tim Bruijnzeels wrote:
> On the other hand, the fallback exposes a Malicious-in-the-Middle
> replay attack surface for 100% of the prefixes published using RRDP,
> 100% of the time. This allows attackers to prevent changes in ROAs to
> be seen.
This is a m
On Fri, Oct 30, 2020 at 12:47:44PM +0100, Alex Band wrote:
> > On 30 Oct 2020, at 01:10, Randy Bush wrote:
> > i'll see your blog post and raise you a peer reviewed academic paper
> > and two rfcs :)
>
> For the readers wondering what is going on here: there is a reason
> there is only a vague me
On Thu, Oct 29, 2020 at 09:14:16PM +0100, Alex Band wrote:
> In fact, we argue that it's actually a bad idea to do so:
>
> https://blog.nlnetlabs.nl/why-routinator-doesnt-fall-back-to-rsync/
>
> We're interested to hear views on this from both an operational and
> security perspective.
I don't se
Hi all,
About eight months ago I discovered a number of issues in the validation
procedure of most RPKI validator softwares (including the RIPE NCC
Validator, Routinator, and OctoRPKI). The impact of improper
verification of Manifests (and associated aspects of the X.509 system)
in the RPKI can ha
Dear Kevin,
I am the maintainer of NLNOG's IRRexplorer and can help.
On Wed, Oct 07, 2020 at 08:37:00PM +, Kevin McCormick wrote:
> There seems to an issue with IRR Explorer.
>
> I check the following prefix and I get the message, “The server
> encountered an internal error and was unable to
1 - 100 of 510 matches
Mail list logo