Re: An update on the AfriNIC situation

2021-08-27 Thread Laszlo Hanyecz
On 2021-08-28 00:58, Tom Beecher wrote: Fundamentally I think everyone should care about this situation. As I read it, it breaks down as: - AFRINIC and Cloud Innovation are engaged in a dispute over number assignment policies. - AFRINIC invokes the clause that they are reclaiming the space

Re: "Hacking" these days - purpose?

2020-12-14 Thread Laszlo Hanyecz
On 2020-12-14 16:48, Mark Tinka wrote: On 12/14/20 18:38, David Bass wrote: It becomes more clear when you think about the options out there, and get a little creative.  Nowadays it’s definitely chess that’s being played. You're right, it really doesn't take much. Preying on humanity

Re: "Hacking" these days - purpose?

2020-12-14 Thread Laszlo Hanyecz
Bitcoin. There wasn't much purpose to 'hacking' for a long time.  Even when talking about DDoS stuff, it's still just temporary vandalism, it's only an inconvenience, and it can be undone pretty quickly.  The whole idea of providing security has been turned into a wink-wink scam where people

Re: Abuse Desks

2020-04-29 Thread Laszlo Hanyecz
On 2020-04-29 17:51, Mukund Sivaraman wrote: On Wed, Apr 29, 2020 at 01:49:14PM -0400, Tom Beecher wrote: What if I am at home, and while working on a project, fire off a wide ranging nmap against say a /19 work network to validate something externally? Should my ISP detect that and make a

Re: OT: Tech bag

2019-08-02 Thread Laszlo Hanyecz
On 2019-08-02 16:42, James Downs wrote: On Fri, Aug 02, 2019 at 11:19:08AM -0500, Hunter Fuller wrote: This one has since been released, and it has a laptop compartment. My Yeah, I definitely look for some sort of laptop compartment. If not padded on its own, I stick the laptop into a

Re: It's been 20 years today (Oct 16, UTC). Hard to believe.

2018-10-17 Thread Laszlo Hanyecz
On 2018-10-17 02:35, Michael Thomas wrote: I believe that the IETF party line these days is that Postel was wrong on this point. Security is one consideration, but there are others. Postel's maxim also allowed extensibility.  If our network code rejects (or crashes) on things we don't

Re: Waste will kill ipv6 too

2017-12-28 Thread Laszlo Hanyecz
On 2017-12-28 17:55, Michael Crapse wrote: Yes, let's talk about waste, Let's waste 2^64 addresses for a ptp. If that was ipv4 you could recreate the entire internet with that many addresses. After all these years people still don't understand IPv6 and that's why we're back to having to do

Re: Geolocation: IPv4 Subnet blocked by HULU, and others

2017-12-27 Thread Laszlo Hanyecz
On 2017-12-27 22:38, Jima wrote: On 2017-12-27 14:10, Jared Mauch wrote: On Dec 27, 2017, at 3:50 PM, Grant Taylor via NANOG wrote: Doesn't Hulu (et al) have an obligation to provide service to their paying customers? Does this obligation extend to providing service

Re: Long AS Path

2017-06-20 Thread Laszlo Hanyecz
On 2017-06-20 23:12, James Braunegg wrote: Dear All Just wondering if anyone else saw this yesterday afternoon ? Jun 20 16:57:29:E:BGP: From Peer 38.X.X.X received Long AS_PATH= AS_SEQ(2) 174 12956 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456

Re: Spitballing IoT Security

2016-10-27 Thread Laszlo Hanyecz
On 2016-10-27 23:24, Ronald F. Guilmette wrote: I put forward what I think is a reasonably modest scheme to try to get IoT things to place hard limits on their "unsolicited" packet output at the kernel level, and I'm going to go off now and try to find and then engage some Linux embedded kernel

Re: Death of the Internet, Film at 11

2016-10-21 Thread Laszlo Hanyecz
On 2016-10-22 00:39, Ronald F. Guilmette wrote: P.S. To all of you Ayn Rand devotees out there who still vociferously argue that it's nobody else's business how you monitor or police your "private" networks, and who still refuse to take even minimalist steps (like BCP 38), congratulations.

Re: Request for comment -- BCP38

2016-09-26 Thread Laszlo Hanyecz
On 2016-09-26 18:03, John Levine wrote: If you have links from both ISP A and ISP B and decide to send traffic out ISP A's link sourced from addresses ISP B allocated to you, ISP A *should* drop that traffic on the floor. This is a legitimate and interesting use case that is broken by BCP38.

Re: Request for comment -- BCP38

2016-09-26 Thread Laszlo Hanyecz
On 2016-09-26 15:12, Hugo Slabbert wrote: On Mon 2016-Sep-26 10:47:24 -0400, Ken Chase wrote: This might break some of those badly-behaving "dual ISP" COTS routers out there that use different inbound from outbound paths since each is the fastest of either link. As it

Re: Looking for recommendations for a dedicated ping responder

2016-09-09 Thread Laszlo Hanyecz
On 2016-09-09 19:52, Dan White wrote: Are there any products you're using which are dedicated to responding to customer facing pings? PaaS (pong-as-a-service)?

Re: Handling of Abuse Complaints

2016-08-29 Thread Laszlo Hanyecz
I know this is against the popular religion here but how is this abuse on the part of your customer? Google, Level3 and many others also run open resolvers, because they're useful services. This is why we can't have nice things. On 2016-08-29 15:55, Jason Lee wrote: NANOG Community, I was

Re: Netflix banning HE tunnels

2016-06-08 Thread Laszlo Hanyecz
On 2016-06-08 18:57, Javier J wrote: Tony, I agree 100% with you. Unfortunately I need ipv6 on my media subnet because it's part of my lab. And now that my teenage daughter is complaining about Netflix not working on her Chromebook I'm starting to think consumers should just start

Re: Netflix VPN detection - actual engineer needed

2016-06-08 Thread Laszlo Hanyecz
On 2016-06-08 16:12, Owen DeLong wrote: It’s a link, just like any other link, over which IPv6 can be transmitted. You can argue that it’s a lower quality link than some alternatives, but I have to tell you I’ve gotten much more reliable service at higher bandwidth from that link than from my

Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Laszlo Hanyecz
On 2016-06-06 19:39, Christopher Morrow wrote: Doing any sort of 'authentication' or 'authorization' on src-IP is just .. broken. This. Netflix is pretending to have a capability (geolocation by src ip) that doesn't exist and there is collateral damage from the application of their

Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Laszlo Hanyecz
On 2016-06-06 15:21, Tore Anderson wrote: But Netflix shouldn't have any need to ask in the first place. Their customers need to log in to their own personal accounts in order to access any content, when they do Netflix can discover their addresses. Tore Hey there's an idea, how about they

Re: Netflix VPN detection - actual engineer needed

2016-06-05 Thread Laszlo Hanyecz
On 2016-06-05 23:45, Damian Menscher wrote: Who are these non-technical Netflix users who accidentally stumbled into having a HE tunnel broker connection without their knowledge? I wasn't aware this sort of thing could happen without user consent, and would like to know if I'm wrong. Only

Re: Netflix VPN detection - actual engineer needed

2016-06-05 Thread Laszlo Hanyecz
On 2016-06-05 22:48, Damian Menscher wrote: What *is* standard about them? My earliest training as a sysadmin taught me that any time you switch away from a default setting, you're venturing into the unknown. Your config is no longer well-tested; you may experience strange errors; nobody

Re: Netflix VPN detection - actual engineer needed

2016-06-05 Thread Laszlo Hanyecz
On 2016-06-05 21:18, Damian Menscher wrote: This entire thread confuses me. Are there normal home users who are being blocked from Netflix because their ISP forces them through a HE VPN? Or is this massive thread just about a handful of geeks who think IPv6 is cool and insist they be allowed

Re: Netflix VPN detection - actual engineer needed

2016-06-03 Thread Laszlo Hanyecz
On 2016-06-03 19:37, Matthew Huff wrote: I would imagine it was done on purpose. The purpose of the Netflix VPN detection was to block users from outside of different regions due to content providers requests. Since HE provides free ipv6 tunnels, it's an easy way to get around the blockage,

Re: NIST NTP servers

2016-05-13 Thread Laszlo Hanyecz
On 2016-05-13 14:12, Lamar Owen wrote: On 05/11/2016 09:46 PM, Josh Reynolds wrote: maybe try [setting up an NTP server] with an odroid? ... You really have to have at least a temperature compensated quartz crystal oscillator (TCXO) to even begin to think about an NTP server, for

Re: NIST NTP servers

2016-05-10 Thread Laszlo Hanyecz
On 2016-05-10 15:36, Mike wrote: On 5/10/2016 11:22 AM, Leo Bicknell wrote: In a message written on Mon, May 09, 2016 at 11:01:23PM -0400, b f wrote: In search of stable, disparate stratum 1 NTP sources. http://wpollock.com/AUnix2/NTPstratum1PublicServers.htm We tried using “time.nist.gov”

Re: Friday's Random Comment - About: Arista and FIB/RIB's

2016-04-29 Thread Laszlo Hanyecz
On 2016-04-29 12:48, Nick Hilliard wrote: Alain Hebert wrote: PS: "Superfluous" is a nice way to say that the best path of a subnet is the same as his supernet. ... from the point of view of the paths that you see, which is to say two egress paths. Someone else on the internet may have a

Re: Arista Routing Solutions

2016-04-28 Thread Laszlo Hanyecz
On 2016-04-28 11:06, Alain Hebert wrote: Well, Once you eliminate the ~160k superfluous prefixes (last time I checked)... This is a non-issue. Some work on some sort of summary function would keep those devices alive... but we all know there is more money to be made the faster

Re: GeoIP database issues and the real world consequences

2016-04-13 Thread Laszlo Hanyecz
On 2016-04-13 05:57, Todd Crane wrote: As to a solution, why don’t we just register the locations (more or less) with ARIN? Hell, with the amount of money we all pay them in annual fees, I can’t imagine it would be too hard for them to maintain. They could offer it as part of their public

Re: GeoIP database issues and the real world consequences

2016-04-11 Thread Laszlo Hanyecz
On 2016-04-11 18:15, John Levine wrote: Bodies of water probably are the least bad alternative. I wonder if they're going to hydrolocate all of the unknown addresses, or only the ones where they get publicly shamed. R's, John I imagine some consumers of the data will 'correct' the

Re: GeoIP database issues and the real world consequences

2016-04-11 Thread Laszlo Hanyecz
Why not use the locations of their own homes? They're indirectly sending mobs to randomly chosen locations. There's enough middle men involved so they can all say they're doing nothing wrong, but wrong is being done. -Laszlo On 2016-04-11 17:34, Steve Mikulasik wrote: Just so everyone is

Re: announcement of freerouter

2015-12-28 Thread Laszlo Hanyecz
Mike, Csaba's front page previously described the software as being a 'routerOS', like in the very first sentence on the page. I'm assuming that the person who complained about that didn't read past the first sentence and just wanted to troll. It's obvious to me that decades of work have

Re: Question re session hijacking in dual stack environments w/MacOS

2015-09-28 Thread Laszlo Hanyecz
On 2015-09-27 12:24, John Schimmel wrote: Most Web application firewalls have cross-site request forgery protection. When a form is downloaded, the firewall inserts a hidden field or cookie that contains the IP address of the request. When the form is submitted, the firewall then verifies that

Re: Question re session hijacking in dual stack environments w/MacOS

2015-09-26 Thread Laszlo Hanyecz
On 2015-09-26 14:34, David Hubbard wrote: Websites that require some type of authentication that is handled via session cookies have been booting our users out randomly with "your ip address has changed" type message. This occurs when their Mac decides to switch between protocols because the

Re: Dual stack IPv6 for IPv4 depletion

2015-07-09 Thread Laszlo Hanyecz
On Jul 9, 2015, at 11:08 PM, Owen DeLong o...@delong.com wrote: On Jul 9, 2015, at 15:55 , Ricky Beam jfb...@gmail.com wrote: On Thu, 09 Jul 2015 18:23:29 -0400, Naslund, Steve snasl...@medline.com wrote: That would be Tivo's fault wouldn't it. Partially, even mostly... it's based on

Re: Android (lack of) support for DHCPv6

2015-06-11 Thread Laszlo Hanyecz
Lorenzo is probably not going to post anymore because of this. It looks to me like Lorenzo wants the same thing as most everyone here, aside from the university net nazis, and he's got some balls to come defend his position against the angry old men of NANOG. Perhaps the approach of attacking

Re: Android (lack of) support for DHCPv6

2015-06-11 Thread Laszlo Hanyecz
don't work. -Laszlo I honestly hope he collects himself and takes the time to respond, because it really is a problem. As much as you may not want DHCPv6 to be a thing, it's already a thing. On Thu, Jun 11, 2015 at 7:42 PM, Laszlo Hanyecz las...@heliacal.net wrote: Lorenzo

Re: Android (lack of) support for DHCPv6

2015-06-11 Thread Laszlo Hanyecz
Your phone doesn't work with our network, so you should buy one that does vs Hey we can't connect, fix your network Kind of similar to the streaming video vs eyeball network thing.. blaming the bad user experience on the other guy. -Laszlo On Jun 12, 2015, at 2:18 AM, Matthew Petach

Re: Small IX IP Blocks

2015-04-04 Thread Laszlo Hanyecz
Mike, I think it's fine to cut it up smaller than /24, and might actually help in keeping people from routing the IX prefix globally. -Laszlo On Apr 5, 2015, at 12:35 AM, Mike Hammett na...@ics-il.net wrote: Okay, so I decided to look at what current IXes are doing. It looks like

Re: Purpose of spoofed packets ???

2015-03-10 Thread Laszlo Hanyecz
Is it possible that they are getting return traffic and it's just a localized activity? The attacker could announce that prefix directly to the target network in an IXP peering session (maybe with no-export) so that it wouldn't set off your bgpmon. I guess that would make more sense if they

RE: Industry standard bandwidth guarantee?

2014-10-31 Thread Laszlo Hanyecz
If you're selling to end users, under promise and over deliver. Tell them 20Mbit but provision for 25. That way when they run their speedtest, they're delighted that they're getting more, instead of being disappointed and feeling screwed. In practice they will leave it idle most of the time

Re: Ars Technica on IPv4 exhaustion

2014-06-22 Thread Laszlo Hanyecz
On Jun 23, 2014, at 3:32 AM, Kalnozols, Andris and...@hpl.hp.com wrote: On 6/22/2014 7:41 PM, Frank Bulk wrote: Did they ever explain why? Did the SMC function as a router, and act as the customer side of a stub network that allowed that /29 to hang off the router? If that was the case,

Re: Credit to Digital Ocean for ipv6 offering

2014-06-19 Thread Laszlo Hanyecz
On Jun 19, 2014, at 12:18 PM, STARNES, CURTIS curtis.star...@granburyisd.org wrote: At 18,446,744,073,709,551,616 per /64, that is a lot of addresses. Right now I cannot get IPv6 at home so I will take getting screwed with a /56 or /60 and be ecstatic about it. Curtis Would be nice

Re: Observations of an Internet Middleman (Level3)

2014-05-16 Thread Laszlo Hanyecz
I'd just like to point out that a lot of people are in fact using their upstream capability, and the operators always throw a fit and try to cut off specific applications to force it back into the idle state. For example P2P things like torrents and most recently the open NTP and DNS servers.

Re: US patent 5473599

2014-05-07 Thread Laszlo Hanyecz
This CARP thing is the best troll I've seen yet. Over a decade old and people are still on about it. -Laszlo On May 8, 2014, at 1:15 AM, Blake Dunlap iki...@gmail.com wrote: Except for that whole mac address thing, that crashes networks... -Blake On Wed, May 7, 2014 at 8:03 PM,

Re: Best practices IPv4/IPv6 BGP (dual stack)

2014-05-02 Thread Laszlo Hanyecz
Two different sessions using two different transport protocols. The v4 BGP session should have address family v6 disabled and vice versa. Exchange v4 routes over a v4 TCP connection, exchange v6 routes over a v6 TCP connection. Just treat them as independent protocols. -Laszlo On May 2,

Re: ATT / Verizon DNS Flush?

2014-04-16 Thread Laszlo Hanyecz
The generally accepted and scalable way to accomplish this is to advertise your freshness preferences using the SOA record of your domain. It would be pretty tricky to make this work with a swivel chair type system for every domain and host on the internet. You would have to contact every

Re: DMARC - CERT?

2014-04-14 Thread Laszlo Hanyecz
I don't see what the big deal is here. They don't want your messages and they made that clear. Their policy considers these messages spam. If you really want to get your mailing list messages through, then you need to evade their filters just like every other spammer has to. -Laszlo On

Re: DMARC - CERT?

2014-04-14 Thread Laszlo Hanyecz
considers only affects mail originating from their users. Yahoo subscribers can receive messages from nanog just fine, but they can't send to it. Miles Laszlo Hanyecz wrote: I don't see what the big deal is here. They don't want your messages and they made that clear. Their policy considers

Re: Serious bug in ubiquitous OpenSSL library: Heartbleed

2014-04-08 Thread Laszlo Hanyecz
You can still potentially access all the same information since it all goes through the load balancer. Interesting bits of info are things like Cookie: headers being sent by clients and sitting in a buffer. Try one of the testing tools mentioned and see if you can see any info from other

Re: BGPMON Alert Questions

2014-04-02 Thread Laszlo Hanyecz
They're just leaking every route right? Is it possible to poison the AS paths you announce with their own AS to get them to let go of your prefixes until it's fixed? Would that work, or some other trick that can be done without their cooperation? Thanks, Laszlo

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-27 Thread Laszlo Hanyecz
would make that problem overwhelmingly worse, as MTAs would be expected to accept mail from everywhere, and we obviously can't trust end user devices or ISP CPE to be secure against intrusion) Scott Buettner Front Range Internet Inc NOC Engineer On 3/26/2014 8:33 AM, Laszlo Hanyecz

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-26 Thread Laszlo Hanyecz
Maybe you should focus on delivering email instead of refusing it. Or just keep refusing it and trying to bill people for it, until you make yourself irrelevant. The ISP based email made more sense when most end users - the people that we serve - didn't have persistent internet connections.

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-25 Thread Laszlo Hanyecz
The usefulness of reverse DNS in IPv6 is dubious. Maybe the idea is to cause enough pain that eventually you fold and get them to host your email too. -Laszlo On Mar 25, 2014, at 8:57 PM, Brielle Bruns br...@2mbit.com wrote: On 3/25/14, 11:56 AM, John Levine wrote: I think this would be a

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-25 Thread Laszlo Hanyecz
The OP doesn't have control over the reverse DNS on the ATT 6rd. Spam crusades aside, it can be seen as just another case of 'putting people in their place', reinforcing that your end user connection is lesser and doesn't entitle you to participate in the internet with the big boys. How

Re: why IPv6 isn't ready for prime time, SMTP edition

2014-03-25 Thread Laszlo Hanyecz
Maybe we could give everyone globally unique numbers and end to end connectivity. Then maybe the users themselves can send email directly to each other without going through this ESP cartel. -Laszlo On Mar 26, 2014, at 2:51 AM, Rob McEwen r...@invaluement.com wrote: On 3/25/2014 10:25 PM,

Re: misunderstanding scale

2014-03-24 Thread Laszlo Hanyecz
On Mar 24, 2014, at 5:05 PM, Patrick W. Gilmore patr...@ianai.net wrote: On Mar 24, 2014, at 12:21, William Herrin b...@herrin.us wrote: On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve snasl...@medline.com wrote: I am not sure I agree with the basic premise here. NAT or Private

Re: misunderstanding scale (was: Ipv4 end, its fake.)

2014-03-23 Thread Laszlo Hanyecz
On Mar 23, 2014, at 4:57 PM, Mark Andrews ma...@isc.org wrote: Basically because none of them have ever been on the Internet proper where they can connect to their home machines from wherever they are in the world directly. If you don't know what it should be like you don't complain

Re: L6-20P - L6-30R

2014-03-18 Thread Laszlo Hanyecz
It's temporary unless it works. -Laszlo On Mar 18, 2014, at 11:30 PM, Jay Ashworth j...@baylink.com wrote: - Original Message - From: Stephen Sprunk step...@sprunk.org On 18-Mar-14 17:54, Niels Bakker wrote: * w...@typo.org (Wayne E Bouchard) [Tue 18 Mar 2014, 23:53 CET]: I have

Re: new DNS forwarder vulnerability

2014-03-15 Thread Laszlo Hanyecz
Good question, but the reality is that a lot of them are this way. They just forward everything from any source. Maybe it was designed that way to support DDoS as a use case. Imagine a simple iptables rule like -p udp --dport 53 -j DNAT --to 4.2.2.4 I think some forwarders work this way - the

Re: Filter NTP traffic by packet size?

2014-02-20 Thread Laszlo Hanyecz
Filtering will always break something. Filtering 'abusive' network traffic is intentionally difficult - you either just let it be, or you filter it along with the 'good' network traffic that it's pretending to be. How can you even tell it's NTP traffic - maybe by the port numbers? What if

Re: TWC (AS11351) blocking all NTP?

2014-02-04 Thread Laszlo Hanyecz
Why not just provide a public API that lets users specify which of your customers they want to null route? It would save operators the trouble of having to detect the flows.. and you can sell premium access that allows the API user to null route all your other customers at once. Once everyone

Re: TWC (AS11351) blocking all NTP?

2014-02-04 Thread Laszlo Hanyecz
and send only a few seconds worth of flooding each time. On Feb 4, 2014, at 6:52 PM, William Herrin b...@herrin.us wrote: On Tue, Feb 4, 2014 at 1:45 PM, Laszlo Hanyecz las...@heliacal.net wrote: Why not just provide a public API that lets users specify which of your customers they want to null route

Re: Will a single /27 get fully routed these days?

2014-01-25 Thread Laszlo Hanyecz
Yes, a /27 is too small. You need at least a /24. On Jan 25, 2014, at 9:17 PM, Drew Linsalata drew.linsal...@gmail.com wrote: Yeah, it's been a while since I had to get involved in this. We have a customer with their own IPv4 allocation that wants us to announce a /27 for them. Back in the

Re: IPv6 /48 advertisements

2013-12-18 Thread Laszlo Hanyecz
It's standard to filter out anything longer than /48. Your /36 prefix was chosen based on the number of sites, with a /48 per site, so just keep it simple. Trying to manage it in the way IPv4 addresses were managed will just ensure that you will have the same headaches of micro managing sub

Re: If you're on LinkedIn, and you use a smart phone...

2013-10-26 Thread Laszlo Hanyecz
When a user signs up for a social media account they generally do so by providing an email address like vic...@freewebmailsite.com and selecting a password. The social media site can obviously probe freewebmailsite.com and attempt to authenticate using the same password that you just provided