Re: dumb question: are any of the RIR's out of IPv4 addresses?

2021-02-16 Thread Rubens Kuhl
On Tue, Feb 16, 2021 at 8:06 PM Michael Thomas  wrote:

>
> Basically are there places that you can't get allocations? If so, what
> is happening?
>
>
In LAC region (LACNIC, NIC.br and NIC.mx), the controlled depletion phases
are now complete and the RIR reached 0 available IPv4 addresses, regardless
of request type (new entrants or not, small or large allocations). There is
a continuous reclaim process that from time to time reallocates previously
allocated addresses, or blocks that might come from IANA reclaim process.
For the requests made in 2020 (only new entrants up to /22 allowed), odds
are all got or will get their block this year. For the ones requesting this
year, the outlook is not so favorable and it might take years. Or possibly
never.


Rubens


Re: Past policies versus present and future uses

2021-01-25 Thread Rubens Kuhl
On Mon, Jan 25, 2021 at 1:28 PM Rob McEwen  wrote:

>
> A take on the 1979 movie "When A Stranger Calls" - "have you checked the
> children?" becomes "have you checked the IP registration?"
>
>
> The vast majority of the time, Ron Guilmette does "the Lord's work" - but
> THIS time - it looks to me like he put his political biases ahead of legit
> anti-abuse, and it's no surprise that we now have a trail of destruction
> left behind, along with much "innocent bystander" collateral damage.
>
> Is DDoS-Guard without blame? Probably not, but them hosting some
> occasional criminals is NOT UNLIKE EVERY OTHER GLOBAL NETWORK! So like
> other large and diverse global networks, anti-abuse should focus on
> removing their worst criminals/spammers. By these SAME standards, many
> other large and famous networks should lose most or much of their IPs too!
>
> So here we are, with many OTHER networks now legitimately freaked out
> about losing their IPs, and with massive potential collateral damage that
> might hurt many "innocent bystanders" each time that is done!
>
>
They are not losing IPs because of hosting questionable content. It's very
reassuring to see RIR policies being enforced; there is a sentiment of lack
of accountability in IP allocations and that changing is positive for all
the ecosystem.


Rubens


Re: Newbie Questions: How-to remove spurious IRR records (and keep them out for good)?

2020-10-30 Thread Rubens Kuhl
YMMV, but my take:
1 - You should worry a little, but not much. Filters allowing unwanted
announcements might be created using these erroneous IRR records, but
they won't do any damage by themselves. An actual wrong BGP
announcement is required for any damage to happen, and even without
those IRR records, a wrong announcement will cause some havoc since
not everyone builds filters based on IRR and not everyone runs RPKI
validation.
2 - Most IRR databases will take reports from the RIR-registered
contact of the block seriously. Some databases will react faster than
others; for instance, in TC any such objects will be removed upon
knowledge and if the maintainer recreates those objects, the
maintainer may be permanently excluded from the database.
3 - Unfortunately there is not much you can do since this is caused by
relaxed submission filtering at IRR databases. The RIR-connected IRR
databases are usually very good at preventing such, but the
independent ones usually are not. IRRd versions prior to v4 (thanks
NTT for v4) are also more prone to accept non-compliant records and
can only eliminate them after inclusion.


Rubens



On Fri, Oct 30, 2020 at 10:11 PM Pirawat WATANAPONGSE  wrote:
>
>
> Dear Guru(s),
>
>
> I am seeking advice concerning someone else announcing IRR records on 
> resources belonging to me.
> [I was referred to this mailing list from the DNS-OARC community.]
>
> Context:
> I have already registered all my IP address blocks with ROA/RPKI
> [evidence: 
> https://stat.ripe.net/widget/as-routing-consistency#w.resource=AS9411]
> However, HE reports a lot of spurious IRR records on my resources
> [example: https://bgp.he.net/net/158.108.0.0/16#_irr]
>
> Question #1:
> Should I worry about those spurious records [Yes | No | Depends]?
> My fear is that other sites might accept those records without checking and 
> thus be misled somewhere else, since ROV is not yet the behavior-in-majority.
> My other reasoning is that, if we are not going to keep accurate records, why 
> bother keeping them at all anyway.
>
> Question #2:
> What can I do about it [in case the answer to Question #1 is Yes]?
> Should I notify those Database Admins? Will they consider me a nuisance?
> And most importantly: Will they erase those records for me, or will they just 
> ignore me?
>
> Question #3:
> Did I not do something that can prevent those spurious records from happening 
> in the first place?
> And, anything I can do now to prevent it from ever happening again?
>
>
> Thanks in advance for your advice(s),
>
> Pirawat.
>


Re: Does anyone actually like CenturyLink?

2020-09-03 Thread Rubens Kuhl
The only ones that like CL are the ones with no options. CL is now an
operational threat to the whole Internet due to their hours-long time
to withdraw routes, something that having other providers or not being
a direct customer doesn't prevent.

The outage that happened, while long, was the type that every big
enough infrastructure will face one day or another. But their
inability to process BGP messages is unacceptable, and it has been
like that for a long time.


Rubens

On Sun, Aug 30, 2020 at 12:03 PM Ross Tajvar  wrote:
>
> I've never heard a single positive word about them, and I've had my fair 
> share of issues myself (as an indirect customer). But it seems that lots of 
> people put them in their transit blend. Other than lack of options, why would 
> anyone use them? To me, it just seems like asking for trouble...but maybe I'm 
> missing something?


Re: atmark trading

2020-08-22 Thread Rubens Kuhl
On Sat, Aug 22, 2020 at 5:45 PM Mike Hale  wrote:
>
> I've found it useful to email management if certain sales people refuse to 
> stop contacting you.


My experience is that management of spammer companies tries arguing
it's not spam instead of changing practices.
And this includes so-called reputation providers.

Rubens


Re: SaoPaolo to Frankfurt

2020-07-13 Thread Rubens Kuhl
On Mon, Jul 13, 2020 at 12:01 PM Mark Tinka  wrote:

>
>
> On 12/Jul/20 17:19, Rubens Kuhl wrote:
>
>
>
> Alternative routes before EllaLink comes into operation would be one of
> the Brazil-Africa cables (one to Cameroon, the other to Angola) and then to
> Europe.
>
>
> Are you talking about SAex?
>
> There is SACS as well.
>
>
Brazil-Angola cable is SACS, which for an European route would be paired
with WACS to go from Angola to Portugal.
Brazil-Cameroon cable is SAIL, which to get to Europe would be paired with
ACE to go from Cameroon to Portugal or France.


Rubens


Re: SaoPaolo to Frankfurt

2020-07-12 Thread Rubens Kuhl
On Sun, Jul 12, 2020 at 12:06 PM Max Tulyev  wrote:

> Hi All!
>
> Who can provide a VLAN from SaoPaolo to Frankfurt for remote IX.BR
> participation? Please contact me off-list.
>
> I see there is only one undersea cable going directly from Brazil to
> Europe. Why?
>

And this single cable, Atlantis-2, has very little capacity so its usage is
mostly voice traffic.
There is a new cable in construction called EllaLink (https://ella.link/)
that when installed will add plenty of capacity to this route, but most
Brazil - Germany traffic goes thru the US nowadays.

Alternative routes before EllaLink comes into operation would be one of the
Brazil-Africa cables (one to Cameroon, the other to Angola) and then to
Europe.


Rubens


Re: Layer 3 Switches

2020-06-29 Thread Rubens Kuhl
>
> I've liked the price of the Ubiquiti switches I've seen, but haven't gotten
> to play with them, and based on their EdgeRouter line, am not sure about
> their maturity either.
>
>
A switch's maturity is much more dependent on hardware while a router is
much more dependent on software, so I suggest assessing a switch on its
own merits, regardless of bad experiences with that vendor in the router
realm.


Rubens


Re: RDAP snapshots

2020-06-27 Thread Rubens Kuhl
I don't see any RIR approving a bulk WHOIS request on a weekend alone, but
the way is like this:
https://www.arin.net/reference/research/bulkwhois/

Rubens

On Sat, Jun 27, 2020 at 3:43 PM Lars Prehn  wrote:

> Hi everyone,
>
> Is there a "fast" way to obtain a snapshot of the RDAP databases from
> each RIR (e.g., http://rdap.db.ripe.net/) for local use? I saw some
> presentations on proposals for RDAP monitoring, but couldn't find any
> working implementations. I want to run a massive amount of requests
> against it (for a research project) and would like to keep the load on
> the RIR APIs low.
>
> Unfortunately, our deadline is Monday night. Therefore "fast" really
> boils down to 'till tomorrow'.
>
> Thanks for answers in advance!
>
> Best regards,
>
> Lars
>
>


Re: 60 ms cross-continent

2020-06-21 Thread Rubens Kuhl
> > This is a nice plot for a movie, but not how HFT is really done. It's so
> > much easier to colocate on the same datacenter of the exchange and run
> > algorithms from there; while those algorithms need humans to guide their
> > strategy, the human thought process takes a couple of seconds anyways. So
> > the real HFTs keep using the defined strategy while the human controller
> > doesn't tell it otherwise.
>
> For faster access to one exchange, yes, absolutely, colocate at the
> exchange.  But there's more then one exchange.
>

Yes, but to do real HFT you will need to colocate at each exchange.
Otherwise your competitors have a head start on you.


>
> As one example, many index futures trade in Chicago.  The stocks that
> make up those indices mostly trade in New York.  There's money to be
> made on the arbitrage, if your Chicago algorithms get faster
> information from New York (and vice versa) than everyone else's
> algorithms.
>

Most traded index futures are longer than just that day's closing, usually
months to a year in advance.
They are influenced mostly by traders' perception of economic futures, and
the current stock valuation is a poor proxy for it.
There is more chance in reading the news feeds and speculating on their impact
on perception than on stocks.

Rubens


Re: 60 ms cross-continent

2020-06-21 Thread Rubens Kuhl
On Sat, Jun 20, 2020 at 5:05 PM Marshall Eubanks 
wrote:

> This was also pitched as one of the killer-apps for the SpaceX
> Starlink satellite array, particularly for cross-Atlantic and
> cross-Pacific trading.
>
>
> https://blogs.cfainstitute.org/marketintegrity/2019/06/25/fspacex-is-opening-up-the-next-frontier-for-hft/
>
> "Several commentators quickly caught onto the fact that an extremely
> expensive network whose main selling point is long-distance,
> low-latency coverage has a unique chance to fund its growth by
> addressing the needs of a wealthy market that has a high willingness
> to pay — high-frequency traders."
>
>
This is a nice plot for a movie, but not how HFT is really done. It's so
much easier to colocate on the same datacenter of the exchange and run
algorithms from there; while those algorithms need humans to guide their
strategy, the human thought process takes a couple of seconds anyways. So
the real HFTs keep using the defined strategy while the human controller
doesn't tell it otherwise.

And in order to preserve equality among traders, each exchange already
physically adds some ns (loops of fiber or copper cable) to closer racks so
everyone gets to the system at the same time.

And then comes the really high added latency of the trade risk controller,
which limits what a trader is allowed to expose itself to, relative to what is
deposited or agreed with the exchange. And this comes with both latency and
jitter due to its implementation, making even the fastest HFT only faster on
average, not faster at every transaction.


Rubens


Re: RPKI race

2020-06-16 Thread Rubens Kuhl
Any default route to a non-ROV-enabled upstream?
Do you receive the test prefix from more than one upstream, and could the
previous test success have been a function of upstream ROV?

Rubens


On Tue, Jun 16, 2020 at 8:35 PM Baldur Norddahl 
wrote:

> Hello
>
> I noticed that we regressed and started failing the test at
> https://isbgpsafeyet.com/. Investigating I found that we apparently had
> some routes in the validation state "unknown" that should have been either
> invalid or valid. Including the test prefix which was received via NL-IX
> (and Cogent on IPv6).
>
> We do however have plenty of prefixes that are validated and received from
> the same sources.
>
> This is a Juniper MX204 router running 20.1R1.11. I tried a few things
> including "clear bgp neighbor xxx soft-inbound" (supposed to rerun the
> import policy where RPKI marking and check happens) which did not fix it.
> Doing a "clear bgp neighbor xxx", which disconnects the peer and reconnects
> after a slight delay, did however fix the issue. But I have to do that for
> every peer we received the prefix from and potentially we could have
> trouble with every peer we have :-(
>
> This router was software upgraded and rebooted two days ago. I suspect a
> race condition. What if the router started BGP sessions before it was able
> to communicate with the RPKI validation server or before the RPKI database
> was synchronized?
>
> I find it a bit disappointing that we this easily ended up with a bad
> validation state and apparently there is little I can do about it, except
> for walking through all our peers and BGP reset them. Which frankly is an
> unacceptable disruption of traffic flow.
>
> Regards,
>
> Baldur
>


Re: Curious Cloudflare DNS behavior

2020-05-30 Thread Rubens Kuhl
>
>
>
> Outsourcing stuff like DNS is just a continuation of the trend of sending
> your workloads onto someone else's cloud.  It seems easy -- right up until
> it isn't working the way you want it to.
>
>
Outsourcing DNS recursion isn't a good trade-off IMHO, but outsourcing
threat blocking via DNS is. So, my preferred recursive DNS setup is:
- Caching recursive server on ISP's premises
- Unbound or Knot Resolver based
- Root zone authoritatives to increase both privacy and performance
- Recursion done only for CDN zones (1e100.net, akadns.net etc.) in order
to get the best CDN performance for the access customers
- Forwarding of all non-CDN traffic to security-focused DNS recursives like
Umbrella, Cloudflare, Norton, Quad9 etc.
- IGP-based anycast

This is also flexible enough to deal with DNSSEC signature expiration, AA
missing on authoritative responses etc., either by configuration on the
recursives themselves or by forwarding specific domains to specific outside
recursives.

Maintaining it requires work, it's not a plug and forget solution; but it
provides a good balance of performance, security and operational
flexibility.


Rubens


Re: "Is BGP safe yet?" test

2020-04-21 Thread Rubens Kuhl
On Tue, Apr 21, 2020 at 1:10 PM Matt Corallo via NANOG 
wrote:

> That’s an interesting idea. I’m not sure that LACNIC would want to issue a
> ROA for RIPE IP space after RIPE issues an AS0 ROA, though. And you’d at
> least need some kind of time delay to give other RIRs and operators and
> chance to discuss the matter before allowing RIPE to issue the AS0 ROA, eg
> in my example mitigation strategy.
>
>
All 5 RIRs can issue ROAs for all the IP address spaces. They don't as a
matter of coordinated operations, but that doesn't prevent court orders
determining that to be done.


Rubens


Re: "Is BGP safe yet?" test

2020-04-20 Thread Rubens Kuhl
On Mon, Apr 20, 2020 at 3:37 PM Denys Fedoryshchenko <
nuclear...@nuclearcat.com> wrote:

> There is simple use case that will prove this page is giving false
> positive
> for their "name" strategy.
> Any AS owner with default route only (yes it happens a lot) users will
> get:
> "YOUR ISP TERRIBLE, HIS BGP NOT SAFE!".
> But he has nothing to validate! His BGP is implemented safely,
> its just his upstream is not validating routes.
>
>
So, that same ISP who is not validating because it has a default route
could push its providers to do validation and then be as safe as others
validating themselves?


Rubens


Re: COVID-19 vs. our Networks

2020-03-16 Thread Rubens Kuhl
>
>
>
>
> > As readier as the Internet is today, part of the mega spread of the
> > fallout from the Coronavirus is because information is not only
> > traveling way faster, a lot of it is also not (necessarily) verified or
> > moderated before being shared with its consumers.
>
>
> There is no other way to do that information filtering now. Nobody has
> any authority of knowing better than others.
>
> MUAs filters yes. (mail user agent)
>
> Look at all data you receive, identify patterns, then act. That's all
> one can do now.
>
> There are easily identifiable patterns.
>
> Develop trust.
>
>
Most misinformation is being carried nowadays by peer-to-peer messaging
(like WhatsApp) and social networks (like Facebook and Instagram), so even
if a miracle device appeared and was put in front of all mail systems, it
would have very little effect.

Rubens


Re: COVID-19 vs. our Networks

2020-03-13 Thread Rubens Kuhl
On Thu, Mar 12, 2020 at 3:46 PM g...@1337.io  wrote:

> With talk of there being an involuntary statewide (WA) and then national
> quarantines (house arrest) for multiple weeks, has anyone put thought into
> the impacts of this on your networks if/when this comes to fruition?
>
> We're already pushing the limits with telecommuters / those that are WFH,
> but I can only imagine what things will look like with everyone stuck at
> home for any duration of time.
>


People will turn to you and every other ISP hoping you keep them online. So
besides demand issues, keeping your network up will be important to a whole
lot of people.


Rubens


Re: DNS Recursive Operators: Please enable QNAME minimization (RFC7816) for the enhanced privacy of your users

2020-03-11 Thread Rubens Kuhl
On Tue, Mar 10, 2020 at 5:30 PM Owen DeLong  wrote:

> For anyone considering enabling DOH, I seriously recommend reviewing Paul
> Vixie’s keynote at SCaLE 18x Saturday morning.
>
> https://www.youtube.com/watch?v=artLJOwToVY
>
> It contains a great deal of food for thought on a variety of forms of
> giving control over to corporations over things you probably don’t really
> want corporations controlling in your life.
>
>
Depends on your threat model: ISPs, Big Tech companies, State-level actors,
random hacker on the same Wi-Fi network. The problem with DoH is that the
software developer picks the threat model he or she thinks is most
relevant, and applies it to all use cases.

The solution is to ask the user what their threat model is and apply it. DoH/DoT
are not harmful per se, their indiscriminate usage is.


Rubens


Re: China’s Slow Transnational Network

2020-03-03 Thread Rubens Kuhl
On Tue, Mar 3, 2020 at 3:23 PM Jakob Heitz (jheitz) via NANOG <
nanog@nanog.org> wrote:

> I can corroborate that. I visited China in August 2019 and had terrible
> internet performance to sites outside of China. This was both with mobile
> and wifi at the homes of two friends, one in Heilongjiang and the other in
> Beijing. When I visited in February 2015, it was much better. Both times, I
> was using VNC on the company VPN. This does not use much bandwidth, but is
> quite latency sensitive.
>
>
GFW has some different settings that they use, similar to "ThreatCon"... if
civil unrest is happening, its working is changed. During party
conventions, they change it too.
So when a foreigner visits China, that experience might be different from one
visiting during a different time period.

Also, some hotels that only accept international guests backhaul traffic
thru Hong Kong, providing an experience that looks much closer to US/Europe
broadband.


Rubens


Re: DDoS Mitigation Survey

2020-01-20 Thread Rubens Kuhl
On Mon, Jan 20, 2020 at 12:49 PM Jean | ddostest.me via NANOG <
nanog@nanog.org> wrote:

> uRPF loose or strict.
>
> Which ISP supports it?
>
> So far, I found none through public information.
>
>
With all IPv4 space converging to being allocated, loose uRPF is almost
useless at this point, or will be soon.

Rubens


Re: FYI - Suspension of Cogent access to ARIN Whois

2020-01-10 Thread Rubens Kuhl
On Fri, Jan 10, 2020 at 12:17 PM Tom Hill  wrote:

> On 09/01/2020 17:09, Rubens Kuhl wrote:
> > But at least Cogent is not a security and/or anti-spam vendor (or is
> > it?). A security services company (iThreat) spammed all IANA gTLD
> > contacts this week, with the everlasting excuse of "it's opt-out".
>
>
> Everlasting, unless you're operating under the purview of the GDPR (i.e.
> emailing long-distance[1]).
>
>
European gTLD operators also got spammed... which now gave me an idea on
how to push back on this specific spammer.


Rubens


Re: FYI - Suspension of Cogent access to ARIN Whois

2020-01-09 Thread Rubens Kuhl
>
> Will Cogent stop pestering the community with illicitly harvested
> contact information? Will they switch to more nefarious tactics? Who
> knows... Everyone likes having money, after-all.
>
>
But at least Cogent is not a security and/or anti-spam vendor (or is it?).
A security services company (iThreat) spammed all IANA gTLD contacts this
week, with the everlasting excuse of "it's opt-out".


Rubens


Re: ICANN extracts $20m signing fee for $1bn dot-com price increases and guess who's going to pay for it?

2020-01-07 Thread Rubens Kuhl
On Tue, Jan 7, 2020 at 10:58 PM Keith Medcalf  wrote:

>
> On NANOG list , Dan Hollis 
> wrote:
>
> >https://www.theregister.co.uk/2020/01/07/icann_verisign_fees/
>
> Operator of the dot-com registry, Verisign, has decided to pay DNS
> overseer ICANN $4m a year for the next five years in order to “educate
> the wider ICANN community about security threats.”
>
> >98% of the comments were opposed.
>
> >How many / which companies would have to get onboard in order to get
> >enough support for an icann alternative?
>
> >Is such a thing even feasible?
>
> Forget about being opposed or not.  If ICANN wants to buy education
> about security threats why are they receiving money?  Quite obviously
> something fishy is going on (or El Reg is full'o'shit).
>
>
El Reg is more of a tabloid than industry media, but you can read almost
the same views at domain industry blogs:
http://domainincite.com/25129-breaking-verisign-pays-icann-20-million-and-gets-to-raise-com-prices-again
https://domainnamewire.com/2020/01/03/com-prices-are-going-up-after-verisign-pays-off-icann/


Rubens


Re: Starting to Drop Invalids for Customers

2019-12-11 Thread Rubens Kuhl
On Wed, Dec 11, 2019 at 12:16 PM Christopher Morrow 
wrote:

> On Wed, Dec 11, 2019 at 5:52 AM Rubens Kuhl  wrote:
> >
> >
> >>
> >> > Which brings me to my favorite possible RPKI-IRR integration: a ROA
> that says that IRR objects on IRR source x with maintainer Y are
> authoritative for a given number resource. Kinda like SPF for BGP.
> >> >
> >>
> >> Is this required? or a crutch for use until a network can publish all
> >> of their routing data in the RPKI?
> >>
> >
> > It provides an adoption path based on the information already published
> in IRRs by operators for some years. It also covers for the fact that RPKI
> currently is only origin-validation.
>
> I would think that if you(royal you) already are publishing:
>   "these are the routes i'm going to originate (and here are my customer
> lists)"
>
> and you (royal you) are accepting the effort to publish 1 'new' thing
> in the RPKI.
>
> you could just as easily take the 'stuff I'm going to publish in IRR'
> and 'also publish in RPKI'.
> Right? So adoption path aside, because that seems like a weird
> argument (since your automation to make IRR data appear can ALSO just
> send rpki updates), your belief is that: "Hey, this irr object is
> really, really me" is still useful/required/necessary/interesting?
>
>
The history of development of BGP path-validation standards does not give
much hope so far... people never seem to be able to agree on how to do it.
OTOH, people seem comfortable publishing those relations in IRR... and some
are using that for prefix-filter building, including AS 15169, which presented
yesterday at an IX conference and said it prefers using IRR over RPKI to
automate prefix filtering.

Frankly, I'll take any form of authenticated path-validation that gets
traction in the DFZ, whether it's pretty or not. Pure RPKI for both origin
and path validation looks much better to me, but will it fly?


Rubens


Re: Starting to Drop Invalids for Customers

2019-12-11 Thread Rubens Kuhl
>
> > Which brings me to my favorite possible RPKI-IRR integration: a ROA that
> says that IRR objects on IRR source x with maintainer Y are authoritative
> for a given number resource. Kinda like SPF for BGP.
> >
>
> Is this required? or a crutch for use until a network can publish all
> of their routing data in the RPKI?
>
>
It provides an adoption path based on the information already published in
IRRs by operators for some years. It also covers for the fact that RPKI
currently is only origin-validation.


Rubens


Re: Starting to Drop Invalids for Customers

2019-12-10 Thread Rubens Kuhl
>
> RPKI ROAs (compared to IRR objects) carry different meaning: the existence
> of a ROA (both by definition and common implementation) supersedes other
> data sources (IRR, LOAs, or comments in whois records, etc), and as such
> can be used on any type of EBGP session for validation of the received
> Internet routing information.
>
>
Which brings me to my favorite possible RPKI-IRR integration: a ROA that
says that IRR objects on IRR source x with maintainer Y are authoritative
for a given number resource. Kinda like SPF for BGP.



Rubens


Re: AT released DANOS code to Linux Foundation

2019-11-18 Thread Rubens Kuhl
On Mon, Nov 18, 2019 at 5:55 PM Brielle  wrote:

> On 11/18/2019 1:31 PM, Jared Geiger wrote:
> > This past Friday, the code for DANOS was released as open source to the
> > Linux Foundation and published at https://github.com/danos
>
> This is pretty awesome news.
>
>  From what I'm reading, it looks like the commercial support options
> will be able to use ZebOS as the routing engine instead of quagga?
> EdgeOS has been using it for a while, and was a huge step up in terms of
> stability and functionality.
>
>
Curiously, at the same time EdgeOS replaced Quagga with ZebOS I started
reading more complaints and more people dropping UBNT altogether in the L3
world.
So I wonder if it was a good decision or not...


Rubens


Re: RPKI adoption (was: Re: Corporate Identity Theft: Azuki, LLC -- AS13389, 216.179.128.0/17)

2019-08-14 Thread Rubens Kuhl
On Wed, Aug 14, 2019 at 1:09 PM John Curran  wrote:

> On 14 Aug 2019, at 11:15 AM, Valdis Klētnieks 
> wrote:
> >
> > On Wed, 14 Aug 2019 02:42:09 -, John Curran said:
> >
> >> You might want want to ask them why they are now a problem when they
> weren’t
> >> before (Also worth noting that many of these ISP's own contracts with
> their
> >> customers have rather similar indemnification clauses.)
> >
> > Actually, it's probably ARIN that should be doing the asking, and seeing
> if
> > they can change the wording and/or rephrase the issue to allay concerns.
> >
> > It sounds to me like ARIN's *intent* was "if you get sued by your
> customers because
> > you screw the pooch on deployment, it's your screw-up to clean up and
> not our
> > problem". Or at least I *hope* that was the intent (see next paragraph)
>
> That is indeed the intent - please deploy routing validation using best
> practices, so that you & your customers don’t suffer any adverse impact
> when ARIN's repository is not available.
>
>
Or, move all your number resources to a subsidiary in the AP region, pay
membership fees to APNIC instead of ARIN, and use their trust anchor
instead of ARIN's.
BTW, since all 5 RIRs have certificates signing the whole IP address space,
it really makes no difference.


Rubens


Re: Mx204 alternative

2019-08-07 Thread Rubens Kuhl
If it's not for a US company, then a Huawei NE-20 could be in order. The
entry model fits 2U.


Rubens




On Thu, Aug 8, 2019 at 12:04 AM Mehmet Akcin  wrote:

> Greetings,
>
> I am looking for some suggestions on alternatives to mx204.
>
> Any recommendations on something more affordable which can handle full
> routing tables from two providers?
>
> Prefer Juniper but happy to look alternatives.
> Min 6-8 10G ports are required
> 1G support required
>
> Thanks in advance!
>
> Mehmet
> --
> Mehmet
> +1-424-298-1903
>


Re: User Unknown (WAS: really amazon?)

2019-08-04 Thread Rubens Kuhl
On Sun, Aug 4, 2019 at 5:17 AM Scott Christopher  wrote:

> John Curran wrote:
>
> ...
>
> As I have noted previously, I have zero doubt in the enforceability of the
> ARIN registration services agreements in this regard – so please carefully
> consider proposed policy both from the overall community benefit being
> sought, and from the implications faced as a number resource holder having
> to comply oneself with the new obligations.
>
>
> I completely agree that ARIN can revoke an organization's resources.
> Nobody has ever doubted that.
>
> What I have been saying is that if ARIN revoked Amazon's resources because
> of a trivial matter of bounced Abuse PoC, even if the small "community" of
> network operators and other interested parties passed a rule supporting
> this, the backlash would be *enormous* and lead to media attention,
> litigation, police, investigation by U.S. Congress, etc.
>
> The interests of the public affected by a global Amazon/AWS outage would
> greatly outweigh the rights of this small "community" which would
> ultimately be stripped away, I'd think.
>
> This is moot, of course, because ARIN would give ample notices and time to
> Amazon and they would dutifully comply. But the original poster to which I
> replied invited us to imagine such a situation.
>
>

I don't think that "companies with tons of lawyers" should be a factor in
making resource allocation policies. But considering either small or big
networks, an escalation path would reduce friction and increase overall
compliance... for instance, failure to have a functioning abuse PoC could
lead first to being ineligible to receive new resources.


Rubens


Re: Puerto Rico Internet Exchange

2019-07-06 Thread Rubens Kuhl
It would be interesting if ICANN, Verisign and Afilias were able to join
the IX as well making the root and .com/.net/.org/.pr zones available even
if the island is cut off from the globe. There is so much fixation in bits
per second while IX'es are resiliency tools, more than bandwidth saving
tools.


Rubens


On Sat, Jul 6, 2019 at 6:19 PM Mehmet Akcin  wrote:

> Hey there, just a very brief update
>
> We are in the process of RE-launching Internet Exchange in San Juan,
> Puerto Rico in a few weeks. We've got multiple networks in San Juan agreed
> to join the IX in a common neutral point.  If you are able to help with the
> project or interested in learning more about it, please contact me offlist.
> (especially if you are in Puerto rico)
>
> Once everything is operational and the website is set up, I hope to
> contact back and update once we've got mrtg, etc is operational.
>
> thank you
>


Re: NTP question

2019-05-01 Thread Rubens Kuhl
On Wed, May 1, 2019 at 9:56 PM William Herrin  wrote:

> On Wed, May 1, 2019 at 5:48 PM Keith Medcalf  wrote:
>
>> If you have one such installation, then you really do not care about the
>> "accuracy" of the time.  However if you have multiple such installations
>> then you want them all to have the same time (if you will be comparing logs
>> between them, for example).  At some point it becomes "cheaper" to spend
>> thousands of dollars per site to have a single Stratum 0 timesource (for
>> example, the GPS system) at each site (and thus comparable time stamps)
>> than it is to pay someone to go though the rigamarole of computing offsets
>> and slew rates between sites to be able to do accurate comparison.  And if
>> you communicate any of that info to outsiders then being able to say "my
>> log timestamps are accurate to +/- 10 nanoseconds so it must be you who is
>> farked up" (and be able to prove it) has immense value.
>>
>
> If your network is air gapped from the Internet then sure. If it's not,
> you can run NTP against a reasonably reliable set of time sources (not
> random picks from Pool) and be able to say, "my log timestamps are accurate
> to +/- 10 milliseconds so it must be you who is farked up." While my
> milliseconds loses the pecking order contest, it's just as good for
> practical purposes and a whole lot less expensive.
>
>
And while time source stability is a good criterion, the most important NTP
criterion is path latency symmetry between directions. It's better to have a
path that is 100 ms of 1-way latency both ways than a path that is 1 ms one
way, 100 ms the other way.


Rubens
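A worked version of the symmetry point above, added here as an example and not part of the original post: NTP (RFC 5905) computes offset and delay from four timestamps and splits the round trip evenly, so any difference between forward and return latency lands in the offset estimate as half that difference. The server clock, latencies and 5 ms true offset below are constructed values.

```python
"""Added example (not from the original NANOG thread): how path asymmetry
feeds straight into NTP's offset estimate.

NTP (RFC 5905) derives clock offset and round-trip delay from four
timestamps: t1 client transmit, t2 server receive, t3 server transmit,
t4 client receive. The offset formula assumes the two one-way latencies
are equal, so an asymmetric path is misread as clock error.
"""


def ntp_offset_and_delay(t1, t2, t3, t4):
    """Offset and delay as an NTP client computes them (RFC 5905, sec. 8)."""
    delay = (t4 - t1) - (t3 - t2)
    offset = ((t2 - t1) + (t3 - t4)) / 2.0
    return offset, delay


def simulate_exchange(true_offset, fwd_latency, ret_latency,
                      server_proc=0.0, t1=1000.0):
    """Simulate one request/response against a constructed server clock.

    true_offset: how far the server clock is ahead of the client's (seconds).
    fwd_latency / ret_latency: one-way latencies in each direction (seconds).
    Returns the (offset, delay) pair the client would compute.
    """
    t2 = t1 + fwd_latency + true_offset      # server clock at receive
    t3 = t2 + server_proc                    # server clock at transmit
    t4 = t3 - true_offset + ret_latency      # back in client clock terms
    return ntp_offset_and_delay(t1, t2, t3, t4)


def asymmetry_error(fwd_latency, ret_latency):
    """Error in the computed offset caused purely by path asymmetry."""
    return (fwd_latency - ret_latency) / 2.0


def compare_paths(true_offset=0.005):
    """The two paths from the post: 100 ms/100 ms versus 1 ms/100 ms."""
    results = {}
    for name, fwd, ret in (("symmetric_100ms", 0.100, 0.100),
                           ("asymmetric_1ms_100ms", 0.001, 0.100)):
        offset, delay = simulate_exchange(true_offset, fwd, ret)
        results[name] = {
            "computed_offset": offset,
            "offset_error": offset - true_offset,
            "delay": delay,
        }
    return results


if __name__ == "__main__":
    for name, r in compare_paths().items():
        print(f"{name}: offset={r['computed_offset'] * 1e3:.1f} ms "
              f"error={r['offset_error'] * 1e3:.1f} ms "
              f"delay={r['delay'] * 1e3:.0f} ms")
```

With a true offset of 5 ms, the symmetric 100 ms path recovers exactly 5 ms, while the 1 ms/100 ms path reports about -44.5 ms: the 49.5 ms error is half the asymmetry, and nothing in the measured delay reveals it.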


Re: NTP question

2019-05-01 Thread Rubens Kuhl
Perhaps using a rubidium source instead of GPS ? The actual time can be
obtained thru NTP, all you actually need is a precision source to keep time
accurate thereafter.


Rubens


On Wed, May 1, 2019 at 4:24 PM Mehmet Akcin  wrote:

> hey there Nanog,
>
> I am trying to buy a GPS based NTP server like this one
>
> https://timemachinescorp.com/product/gps-time-server-tm1000a/
>
> but I will be placing this inside a data center, do these need an actual
> view of a sky to be able to get signal or will they work fine inside a data
> center building? if you have any other hardware requirements to be able to
> provide stable time service for hundreds of customers, please let me know.
>
> mehmet
>
>
>


Re: Looking for a AS15169 Google contact to update their PeeringDB records

2019-03-13 Thread Rubens Kuhl
While I hope you get the contact you asked for, you can use IX.br
communities to manipulate how your route announcement reaches them or not,
so that even with the lack of other network cooperation, you might be able
to achieve your goals.


Rubens


On Thu, Mar 14, 2019 at 12:43 PM Siyuan Miao  wrote:

> Hi,
>
> We've noticed that the PeeringDB records of AS15169 in IX.br (PTT.br) São
> Paulo are outdated.
>
> I've tried to contact AS15169 to update it via IX Session Turnup ticket
> and n...@google.com but didn't get a reasonable response.
>
> That's what I got from n...@google.com:
>
> > Dear Team,
> > Thank you for contacting the Google NOC, as 15169.
> >
> > With the details provided we were unable to identify the relevant link.
> >
> > Please provide following items to identify which session is impacted:
> >
> >  * Peering City
> >  * BGP peering ASNs, including your own AS
> >  * BGP peer IP addresses
> >
> > Thanks & Regards,
> > [redacted]
> >
> > Google Network Operation Center (GNOC) |n...@google.com |
> > [redacted]
>
> Can someone contact me off list about this issue?
>
> Regards,
> Siyuan Miao
>


Re: 2FA, was A Deep Dive on the Recent Widespread DNS Hijacking

2019-02-25 Thread Rubens Kuhl
On Tue, Feb 26, 2019 at 12:14 AM John Levine  wrote:

> In article <24679.1551146...@turing-police.cc.vt.edu> you write:
> >So what registries/registrars are supporting 2FA that's better than SMS?
>
> Opensrs does TOTP.  It's certainly not bulletproof, but it's tied to
> your actual phone rather than the phone number.  (We careful folk put
> our TOTP keys on a couple of our devices in case the phone dies or
> gets lost.)  It's very easy to implement, it's an IETF open
> specification, and there are lots of clients that support it.
>
> FIDO keys (like Yubikey) also seem OK but I haven't looked at how hard
> they are to implement.
>
>
https://twofactorauth.org/#domains gives a good view of the domain
management landscape regarding 2FA.


Rubens


Re: CenturyLink

2018-12-29 Thread Rubens Kuhl
On Fri, Dec 28, 2018 at 9:24 PM Yang Yu  wrote:

> On Fri, Dec 28, 2018 at 12:05 AM Stephane Bortzmeyer 
> wrote:
> > Is this problem also responsible for the 911 outage? If so, the
> > post-mortem analysis is not useful only for CenturyLink customers but
> > for everyone on the west coast.
>
> Looks like most time.nist.gov servers (3 x NIST sites on AS49) are
> single homed on CenturyLink, anyone noticed NTP issues yesterday?
>
> https://tf.nist.gov/tf-cgi/servers.cgi


NIST could take a hint from the ntp.br project:

pool.ntp.br has address 200.186.125.195 => CenturyLink

pool.ntp.br has address 200.20.186.76 => RNP (Local academic network)

pool.ntp.br has address 200.160.7.193 => NIC.br (Local ccTLD, IX, NTP and
other services)

pool.ntp.br has address 200.160.7.186 => NIC.br

pool.ntp.br has address 200.160.7.209 => NIC.br

pool.ntp.br has address 200.160.0.8 => NIC.br (distributed in different
buildings, rack clusters, NTP hierarchy)

pool.ntp.br has IPv6 address 2001:12ff::8

pool.ntp.br has IPv6 address 2001:12ff:0:7::186
pool.ntp.br has IPv6 address 2001:12ff:0:7::193 (unfortunately there is
lack of IPv6 diversity at this point)

a.st1.ntp.br  200.160.7.186 2001:12ff:0:7::186 => NIC.br
b.st1.ntp.br 201.49.148.135 => STF (Local Supreme Court)
c.st1.ntp.br 200.186.125.195 => CenturyLink
d.st1.ntp.br 200.20.186.76 => RNP (Rio)
a.ntp.br 200.160.0.8 e 2001:12ff::8 => NIC.br
b.ntp.br 200.189.40.8 => Globenet Fortaleza (Cable Landing Station)
c.ntp.br 200.192.232.8 => RNP (Brasilia)
gps.ntp.br 200.160.7.193 e 2001:12ff:0:7::193 => NIC.br

Perhaps what happened in NIST was a bad governmental RFP not requiring
diversity ?


Rubens


Re: Network instability 12956 <=> 18881

2018-12-21 Thread Rubens Kuhl
They are both Telefónica operations; 12956 is TIWS/Telxius, 18881 is a CLEC
they bought a few years ago, previously known as GVT.
Could be a cable cut in SAM-1, the submarine fiber system operated by
Telxius (the cable is also known as Emergia).



Rubens


On Fri, Dec 21, 2018 at 6:24 PM Jared Mauch  wrote:

> Does anyone know what’s going on here?  There’s a lot of BGP churn coming
> from this network edge.
>
> - Jared


Re: TIMELY - Nominations close today at 5PM ET for NRO Number Council position

2018-07-31 Thread Rubens Kuhl
Only hat-wearing candidates may apply, otherwise ICANN will have 1 less hat.

Rubens

Em ter, 31 de jul de 2018 11:56, John Curran  escreveu:

> Folks -
>
> Nominations are still being accepted until 5:00 PM EDT today, Tuesday, 31
> July 2018 for candidates from the ARIN region to fill one seat on the
> Number Resource Organization Number Council (NRO NC) that will become
> vacant when Louie Lee’s term expires on 31 December 2018.
>
> If you aware of anyone who would be good at serving on the NRO NC and is
> interested in running, please nominate them ASAP!
>
> For more information see <
> https://lists.arin.net/pipermail/arin-announce/2018-July/002248.html>, or
> review the details attached to this message.
>
> Thanks!
> /John
>
> John Curran
> President and CEO
> ARIN
>
> ===
>
> Begin forwarded message:
>
> From: ARIN mailto:i...@arin.net>>
> Subject: [arin-announce] 2018 Call for Nominations: NRO NC
> Date: 31 July 2018 at 10:45:45 AM EDT
> To: mailto:arin-annou...@arin.net>>
>
> Nominations are still being accepted until 5:00 PM EDT today, Tuesday, 31
> July 2018 for candidates from the ARIN region to fill one seat on the
> Number Resource Organization Number Council (NRO NC) that will become
> vacant when Louie Lee’s term expires on 31 December 2018.
>
> Nominees for the NRO NC must reside within the ARIN region and be willing
> and available to serve a three-year term beginning 1 January 2019.
> Incumbents may be nominated for consecutive terms.
>
> NRO NC representatives are expected to attend all regularly-scheduled
> ARIN, ICANN, and ASO in-person meetings and teleconferences and serve as
> representatives from the ARIN region on the ICANN Address Supporting
> Organization Advisory Council (ASOAC).
>
> To view the role of the NRO NC and the function of the ASO, please visit:
>
> https://www.arin.net/about_us/nronc.html
>
> To view initial requirements and responsibilities of the NRO NC, please
> visit:
>
> https://www.arin.net/about_us/nronc_requirements.html
>
> Any individual, regardless of ARIN Member affiliation, may self-nominate
> or nominate one or more candidates for any open NRO NC position. All
> nominations must be received by 5:00 PM EDT, today, Tuesday, 31 July.
> Nominees who accept their nomination will have until 5:00 PM EDT Friday, 3
> August to complete and submit their questionnaire.
>
> A final slate of NRO NC candidates will be announced on Monday, 24
> September and elections will open to North American Network Operators Group
> (NANOG) and ARIN meeting attendees only on Monday, 1 October. Elections
> open to all eligible ARIN Member organizations’ Voting Contacts on
> Thursday, 4 October.
>
> To submit a nomination now, please click on the following link:
>
> https://www.surveymonkey.com/r/ARIN2018Nominations
>
> For more information on the nomination process and nominee eligibility
> requirements and responsibilities, including viewing ARIN’s region, please
> visit:
>
> https://www.arin.net/participate/elections/nronumbercouncil.html
>
> For questions or to request additional information, please email the ARIN
> Member Services team at memb...@arin.net.
>
> Regards,
>
> Wendy Leedy
> Member Engagement Coordinator
> American Registry for Internet Numbers (ARIN)
>
>
>
> ___
> ARIN-Announce
> You are receiving this message because you are subscribed to
> the ARIN Announce Mailing List (arin-annou...@arin.net).
> Unsubscribe or manage your mailing list subscription at:
> https://lists.arin.net/mailman/listinfo/arin-announce
> Please contact i...@arin.net if you experience any issues.
>
>


Re: IPv6 faster/better proof? was Re: Need /24 (arin) asap

2018-06-11 Thread Rubens Kuhl
On Mon, Jun 11, 2018 at 6:29 PM Job Snijders  wrote:

> I suspect that this may not be an apples to apples comparison.
>
> Perhaps lack of IPv6 is more prevalent in rural areas with poorer
> connectivity to the rest of the Internet? Perhaps both these CDNs
> serve content for different types of devices over the different AFIs
> (maybe old mediaboxes with a slow cpu prefer IPv4?). Perhaps networks
> that deploy IPv6 are more likely to allow and accommodate on-net
> caches?
>
> I theorize that the described speed difference between IPv4 and IPv6
> is an artifact of how the data is analysed rather than an
> architectural speed difference between the protocols themselves.
>
>
Besides the data bias that could indeed exist, I noticed many deployed
traffic shapers not supporting IPv6, and imagine that some traffic
engineering is currently being focused on IPv4 traffic. So even with the
protocols themselves having comparable performance, IPv6 bandwidth could be
smoother than IPv4 bandwidth for some users.

Perhaps instead of looking at global averages, we could look at speed
comparison for dual-stacked users, like in how many of them see better or
worse performance with v4/v6.

Rubens


Re: VPOP/Equipment rental contacts for any DC of IX.br / PTT.br Fortaleza

2018-06-07 Thread Rubens Kuhl
If you think the DC itself will be able to help, the contacts for DCs in
IX.br @ Fortaleza are:
http://ix.br/adesao/ce

Of the listed DCs, Eletronet is the most likely to have STM-1 gear, since
they used STM-n in their fiber ring for a long time.

Globenet connection to IX.br is still under construction, so they are not
listed above; u...@globenet.net is their US office e-mail address.

I'll send privately the contact of a local Fortaleza network consultant.

Rubens


On Thu, Jun 7, 2018 at 11:57 AM Eric Loos  wrote:

> Hi Everyone,
>
> Does anyone know whom could help me get a conversion done from STM-1 to
> Ethernet at any DC which has a IX.br  presence in
> Fortaleza?
>
> Please contact me off-list, thanks!
>
> (yes I already tried ix.br  contacts, no joy)
>
> Kind regards,
>
> Eric Loos


Re: ICANN GDPR lawsuit

2018-06-05 Thread Rubens Kuhl
On Tue, Jun 5, 2018 at 4:31 PM, McBride, Mack 
wrote:

> PeeringDB is already 100% opt-in.
>

Domain registration is also opt-in, and still registrars, registries and
ICANN have to change things to comply with GDPR.


Rubens


Re: ICANN GDPR lawsuit

2018-06-04 Thread Rubens Kuhl
On Mon, Jun 4, 2018 at 9:34 PM, Dan Hollis  wrote:

> On Mon, 4 Jun 2018, Rubens Kuhl wrote:
>
>> On Fri, Jun 1, 2018 at 1:56 AM, Hank Nussbacher 
>> wrote:
>> Usually, identifying attackers at other online services is a duty on RIR
>> directories, and even the RIPE one is not suffering that many changes due
>> to GDPR.
>>
>> Also, GDPR doesn't prevent law enforcement access.
>>
>
> It might be desirable to provide enough contact information to mitigate
> issues before it has to end up in the hands of law enforcement.
>

Specifically on gTLD domains GDPR effects, domain contacts will still be
reachable thru a web-form or short-term anonymised email. European ccTLDs
adopted a myriad of solutions but they usually trend towards maintaining
reachability somehow.



> black hats and bullet proof hosting are definitely going to enjoy using
> gdpr to hide behind though.


Like they already do signing up for domain privacy services ? Currently,
only the poor criminals or the newbie ones do not elect privacy when
registering domains.


Rubens


Re: ICANN GDPR lawsuit

2018-06-04 Thread Rubens Kuhl
On Fri, Jun 1, 2018 at 1:56 AM, Hank Nussbacher 
wrote:

> On 31/05/2018 21:44, John Peach wrote:
> > On 05/31/2018 02:37 PM, Dan Hollis wrote:
> >> On Thu, 31 May 2018, b...@theworld.com wrote:
> >>> FWIW a German court has just ruled against ICANN's injunction and in
> >>> favor of Tucows/EPAG.
> >>>   https://www.icann.org/news/announcement-4-2018-05-30-en
> >>
> >> Welcome to contact-free whois?
> >>
> >> -Dan
> >
> >
> > Already been bitten by it and trying to get the contact info reinstated.
> >
> >
> >
> The entire whois debacle will only get resolved when some hackers attack
> www.eugdpr.org, ec.europa.eu and some other key .eu sites.  When the
> response they get will be "sorry, we can't determine who is attacking
> you since that contravenes GDPR", will the EU light bulb go on that
> something in GDPR needs to be tweaked.
>

Usually, identifying attackers at other online services is a duty on RIR
directories, and even the RIPE one is not suffering that many changes due
to GDPR.

Also, GDPR doesn't prevent law enforcement access.


Rubens


Re: Impacts of Encryption Everywhere (any solution?)

2018-05-28 Thread Rubens Kuhl
On Mon, May 28, 2018 at 1:55 PM, Keith Medcalf  wrote:

>
> >I'm also not foolish enough to think this thread will affect the
> >encrypt-everything crowd as it is more of a religion\ideology than a
> >practical matter. However, maybe it'll shed some light on technical
> >ways of dealing with this at the service-provider level or plant some
> >doubt in someone's mind the next time they think they need to encrypt
> >non-sensitive information.
>
> Good Luck, especially in light of the poo-for-brains at Google responsible
> for the Chrome browser who (wrongly) equate "secure" with Transport
> Encryption and "unsecure" with not having Transport Encryption; when all
> that Transport Encryption really implies is Transport Encryption and not
> much else.  It has little to do with whether or not a site is "secure".
> Generally speaking, I have found that sites engaging Transport Security are
> much more "unsecure" (as in subject to security breaches and flaws) than
> those that do not engage Transport Security for no reason.
>
> However, the poo-for-brains crowd will get everyone to engage Transport
> Security so the will be called "Secure", whether trustworthy or not.
>
>
Actually, starting July Chrome will no longer say "secure" for sites with
Transport Security. It will only say "not secure" for sites without, so it
will no longer provide the false impression of equating Transport Security
with Application/Operational Security.


Rubens


Re: Curiosity about AS3356 L3/CenturyLink network resiliency (in general)

2018-05-20 Thread Rubens Kuhl
CenturyLink bought Level 3, which bought Global Crossing, which bought
Impsat; this makes every market unique, for the good and bad of it.

What I have as a customer feeling is that Global Crossing was the most
quality-minded of the 4, while the other 3 are/were more "take what we give
you and shut up".


Rubens


On Wed, May 16, 2018 at 1:59 PM, David Hubbard <
dhubb...@dino.hostasaurus.com> wrote:

> I’m curious if anyone who’s used 3356 for transit has found shortcomings
> in how their peering and redundancy is configured, or what a normal
> expectation to have is.  The Tampa Bay market has been completely down for
> 3356 IP services twice so far this year, each for what I’d consider an
> unacceptable period of time (many hours).  I’m learning that the entire
> market is served by just two fiber routes, through cities hundreds of miles
> away in either direction.  So, basically two fiber cuts, potentially 1000+
> miles apart, takes the entire region down.  The most recent occurrence was
> a week or so ago when a Miami-area cut and an Orange, Texas cut (1287
> driving miles apart) took IP services down for hours.  It did not take
> point to point circuits to out of market locations down, so that suggests
> they even have the ability to be more redundant and simply choose not to.
>
> I feel like it’s not unreasonable to expect more redundancy, or a much
> smaller attack surface given a disgruntled lineman who knows the routes
> could take an entire region down with a planned cut four states apart.
> Maybe other regions are better designed?  Or are my expectations
> unreasonable?  I carry three peers in that market, so it hasn’t been
> outage-causing, but I use 3356 in other markets too, and have plans for
> more, but it makes me wonder if I just haven't had the pleasure of similar
> outages elsewhere yet and I should factor that expectation into the
> design.  It creates a problem for me in one location where I can only get
> them and Cogent, since Cogent can't be relied on for IPv6 service, which I
> need.
>
> Thanks
>
>
>


Re: Is WHOIS going to go away?

2018-04-25 Thread Rubens Kuhl
On Wed, Apr 25, 2018 at 2:47 PM, Rob McEwen  wrote:

> On 4/25/2018 11:39 AM, Aaron C. de Bruyn via NANOG wrote:
>
>> don't happen if I use private registration
>>
>
>
> SUGGESTION: Initially register with private registration - then change it
> to regular non-hidden registration a few weeks later or so. (hopefully
> before putting it into production, especially if used for/with/in emails) I
> think this will cut down on the majority of those crazy spam phone calls.


I sometimes get those e-mails a few months after registration. So while
your suggestion will cut down a part of it, there will still be a good
chunk left.
And when it comes up for renewal, it gets up again.

Rubens


Re: Is WHOIS going to go away?

2018-04-20 Thread Rubens Kuhl
On Fri, Apr 20, 2018 at 7:38 PM, Mark Andrews  wrote:

> Whois contact details need to work so you can contact the zone owner when
> the DNS is broken for the zone.
>
> Publishing Whois data in the zone does not work for this purpose.
>
> This is not to discount other reasons for having a independent
> communications channel.
>

Note that the current draft gTLD WHOIS mechanism to abide by GDPR includes
a communications channel that one can use to contact a domain owner, a web
form. So this ability is not being taken away for specific domains. But
if someone finds out a vulnerability and needs a mass-scale delivery system
to notify affected parties, then this wouldn't work.

Also of note is that if DNS resolution is working, a website or mail
service points to an IP address somewhere. And that still provides
reachability. So except for the broken DNS zone use case, a good number of
cases have other means to achieve the same goals.


Rubens


Re: Is WHOIS going to go away?

2018-04-20 Thread Rubens Kuhl
On Fri, Apr 20, 2018 at 6:35 PM, Aaron C. de Bruyn via NANOG <
nanog@nanog.org> wrote:

> On Fri, Apr 20, 2018 at 2:27 PM Naslund, Steve 
> wrote:
>
> > They did not in fact have the "right" to publish those pamphlets.
>
>
> Now we're way off-topic, but our constitution acknowledges that is a
> pre-existing right.  The constitution didn't grant it to you.  (Rights are
> inherent, privileges are granted)
>
> People have the right to speak, write, and publish whatever they want.
>
> -A
>


Free speech is not the same as anonymity in all jurisdictions. In mine,
anonymity is forbidden by the constitution... in some, anonymity is
considered part of free speech. Matching local laws to a global policy is a
challenge.


Rubens


Re: Is WHOIS going to go away?

2018-04-20 Thread Rubens Kuhl
On Fri, Apr 20, 2018 at 4:10 PM,  wrote:

>
> On April 20, 2018 at 12:03 oscar.vi...@gmail.com (Tei) wrote:
>  > Maybe a good balance for whois is to include organization information
>  > so I know where a website is hosted, but not personal information, so
>  > I can't show in their house and steal their dog.
>  >
>  > I feel uneasy about having my phone available to literally everyone on
>  > the internet.
>
> There are various privacy options available when one registers a
> domain, generally a matter of checking a box and usually free.
>

Those privacy options work until one wants to transfer a domain to a
different registrar. Almost always that will imply a brief removal of
privacy, during which an adversary (either a nation-state or some Sideshow
Bob-type wacko) will learn the true identity of the domain holder.


Rubens


Re: Is WHOIS going to go away?

2018-04-18 Thread Rubens Kuhl
On Wed, Apr 18, 2018 at 5:51 PM, Florian Weimer  wrote:

> * Filip Hruska:
>
> > On 04/14/2018 07:29 PM, Florian Weimer wrote:
> >> * Filip Hruska:
> >>
> >>> EURID (.eu) WHOIS already works on a basis that no information about
> the
> >>> registrant is available via standard WHOIS.
> >>> In order to get any useful information you have to go to
> >>> https://whois.eurid.eu and make a request there.
> >>>
> >>> Seems like a reasonable solution.
> >> Why?  How does the protocol matter?
> >>
> >> Either you may publish individual personal information for use by the
> >> general public, or you may not.  Adding a 4 to the port number doesn't
> >> change that.
> >>
> >
> > The EURID webwhois cannot be scraped, there are anti-bot measures in
> > place (captcha, throttling, all information displayed in images).
> > Scraping WHOIS systems for thousands domains at once using the WHOIS
> > protocol is easy though. There are "WHOIS History" sites which scrape
> > all domains and then publish the data along with the date of retrieval.
> >
> > GDPR contains this in relation to the right to erasure:
> >
> >  1. Where the controller has made the personal data public and is
> > obliged pursuant to paragraph 1 to erase the personal data, *the
> > controller, taking account of available technology and the cost of
> > implementation, shall take reasonable steps, including technical
> > measures, to inform controllers which are processing the personal
> > data that the data subject has requested the erasure* by such
> > controllers of any links to, or*copy or replication of, those
> > personal data*.
>
> Wouldn't that require a channel to the recipient of WHOIS data, so
> that the controller can notify those who have accessed it once erasure
> is requested?
>
> A simple webform doesn't achieve that because it's not much different
> from the way traditional WHOIS works.
>

A simple webform doesn't provide the personal data, it just relays a message.
Anyways, I heard registrars mentioning a double form where the e-mail
address of the party sending the message to the domain owner is first
confirmed before relaying the message.
That would provide accountability for who sent what, if the message turns
out to be harassment, threatening or alike.


Rubens


Re: Is WHOIS going to go away?

2018-04-14 Thread Rubens Kuhl
On Sat, Apr 14, 2018 at 6:46 PM,  wrote:

>
> GDPR only has jurisdiction over individuals who are citizens of
> countries which are members of the EU. About 27 countries out of
> almost 200 in this world. And companies which manage that data and are
> also within the EU's jurisdiction.
>
>
Try finding a company in this area that does not have a subsidiary in the
EU, acquired an EU company, is based in the EU or has EU resellers.



> But that jurisdiction arises from an individual's EU nation
> citizenship.
>
> So why not just have a checkmark at domain registration which asks
> whether you believe yourself to be within the EU's jurisdiction and,
> if so, no WHOIS publication for you, or very limited.
>

For the companies that are subject to GDPR, they have to do this for every
natural person, not only the EU ones.

So this checkmark could in fact be "The registrant is a legal person, not a
natural person".


Rubens


Re: Is WHOIS going to go away?

2018-04-14 Thread Rubens Kuhl
On Sat, Apr 14, 2018 at 2:24 PM, DaKnOb  wrote:

> As far as IP Addresses go (and domains too), currently GDPR recognizes the
> rights of individuals, not companies, which means that a company can be in
> the whois query, since it does not have the right to privacy.
>
> My understanding is that this will only affect natural persons.
>
>
The domain contacts of a domain owned by a legal entity are natural
persons, and are also protected by GDPR. So unless a domain contact is
something generic like "Technical Contact - tech...@example.com" or similar
role accounts, that contact data is also considered PII.


Rubens


Re: Is WHOIS going to go away?

2018-04-14 Thread Rubens Kuhl
On Sat, Apr 14, 2018 at 11:21 AM, Filip Hruska  wrote:

> EURID (.eu) WHOIS already works on a basis that no information about the
> registrant is available via standard WHOIS.
> In order to get any useful information you have to go to
> https://whois.eurid.eu and make a request there.
>
> Seems like a reasonable solution.


GDPR and other privacy regimes apply to both port-43 and WebWHOIS.

Rubens


Re: Is WHOIS going to go away?

2018-04-14 Thread Rubens Kuhl
On Sat, Apr 14, 2018 at 11:06 AM, Brian Kantor  wrote:

> There is concern that the WHOIS database service will be in violation
> of the new European GDPR which takes effect May 25th, and may have
> to shut down.
>
> http://www.theregister.co.uk/2018/04/14/whois_icann_gdpr_europe/
>
> https://www.icann.org/en/system/files/correspondence/
> jelinek-to-marby-11apr18-en.pdf
>
> - Brian
>
>
Some more detailed info available at
http://domainincite.com/22854-panic-stations-as-europe-plays-hardball-on-whois-privacy
.
TL;DR: WHOIS will have less personally identifiable information, it won't
be shut down.



Rubens


Re: Cloudflare 1.1.1.1 public DNS broken w/ AT CPE

2018-04-02 Thread Rubens Kuhl
On Mon, Apr 2, 2018 at 4:32 PM, Marty Strong  wrote:

> Do you have one?
>

Yes, supplied by local broadband provider Vivo. FTTH GPON connection,
router with broadband and IPTV services.


> Do you know what is causing it to fail? i.e. IP on internal interface etc.
>

Interface table:

eth5.2 (WAN2) Static 10.200.a.b 255.255.128.0 10.200.0.1 Connected NONE
527220
eth5.3 (WAN4) DHCP   Unconfigured NONE 0
eth5.4 (WAN5) DHCP   Unconfigured NONE 0
ppp0.1/eth5.1 (WAN1) PPPoE 179.x.y.z 255.255.255.255 200.d.e.f Connected
NONE 527200
ppp1/wan3g (WAN3) PPPoE   Unconfigured NONE 0
LAN INTERFACE STATUS

Name   Status  IP Address   Subnet Mask
br0    Enable  192.168.1.1  255.255.255.0
br0:0  Enable  1.1.1.1      255.255.255.0

Routing table:

200.x.y.z 0.0.0.0 255.255.255.255 UH 0 ppp0.1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 br0
1.1.1.0 0.0.0.0 255.255.255.0 U 0 br0
10.200.0.0 0.0.0.0 255.255.128.0 U 0 eth5.2
0.0.0.0 200.100.88.195 0.0.0.0 UG 0 ppp0.1

Rubens
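The routing table above shows why 1.1.1.1 never leaves this CPE: 1.1.1.0/24 is a directly connected route on the LAN bridge br0, so the longest-prefix match wins over the default route via ppp0.1, while 1.0.0.1 falls through to the default. The following is an added example (not from the original post): a small longest-prefix-match lookup over a copy of that table, which flags resolver addresses the CPE would answer itself. The table is constructed from the post; the masked 200.x.y.z host route is replaced with the TEST-NET placeholder 203.0.113.1.

```python
"""Added example (not from the original thread): a longest-prefix-match
lookup over the routing table posted above, used to spot resolver
addresses that a CPE answers locally instead of forwarding upstream.
"""
import ipaddress
from dataclasses import dataclass

# Constructed from the posted table (dest gateway mask flags metric iface).
# 203.0.113.1 is a placeholder for the masked 200.x.y.z peer host route.
ROUTING_TABLE = """\
203.0.113.1 0.0.0.0 255.255.255.255 UH 0 ppp0.1
192.168.1.0 0.0.0.0 255.255.255.0 U 0 br0
1.1.1.0 0.0.0.0 255.255.255.0 U 0 br0
10.200.0.0 0.0.0.0 255.255.128.0 U 0 eth5.2
0.0.0.0 200.100.88.195 0.0.0.0 UG 0 ppp0.1
"""

# Interfaces facing the LAN side of this CPE (from the interface table).
LAN_INTERFACES = {"br0"}


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    flags: str
    iface: str

    @property
    def via_gateway(self) -> bool:
        # 'G' flag: packets go to a next hop rather than being delivered on-link.
        return "G" in self.flags


def parse_routes(text: str) -> list:
    """Parse netstat/route-style lines; dotted netmasks become prefix lengths."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        dest, gw, mask, flags, _metric, iface = fields
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(network, ipaddress.IPv4Address(gw), flags, iface))
    return routes


def lookup(routes, address: str):
    """Longest-prefix match: the most specific route containing the address."""
    addr = ipaddress.IPv4Address(address)
    candidates = [r for r in routes if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def diagnose_resolver(routes, address: str) -> str:
    """'answered-locally' when the CPE treats the address as on-link on a
    LAN interface, i.e. the query would never reach the real resolver."""
    r = lookup(routes, address)
    if r is None:
        return "unroutable"
    if r.iface in LAN_INTERFACES and not r.via_gateway:
        return "answered-locally"
    return "forwarded"


if __name__ == "__main__":
    table = parse_routes(ROUTING_TABLE)
    for ip in ("1.1.1.1", "1.0.0.1", "10.200.5.5"):
        best = lookup(table, ip)
        print(f"{ip:<12} -> {best.network} via {best.iface}: "
              f"{diagnose_resolver(table, ip)}")
```

Running it reports 1.1.1.1 as answered locally on br0 and 1.0.0.1 as forwarded via ppp0.1, which matches the observed behaviour; the same check applied to any resolver address a customer configures is a quick way to tell a CPE-side hijack from an upstream reachability problem.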


Re: Cloudflare 1.1.1.1 public DNS broken w/ AT CPE

2018-04-02 Thread Rubens Kuhl
D-Link DMG-6661 as well.


Rubens


On Mon, Apr 2, 2018 at 12:26 PM, Marty Strong via NANOG 
wrote:

> So far we know about a few CPEs which answer for 1.1.1.1 themselves:
>
> - Pace 5268
> - Calix GigaCenter
> - Various Cisco Wifi access points
>
> If you know of others please send them my way so we can investigate.
>
> Regards,
> Marty Strong
> --
> Cloudflare - AS13335
> Network Engineer
> ma...@cloudflare.com
> +44 7584 906 055
> smartflare (Skype)
>
> https://www.peeringdb.com/asn/13335
>
> > On 2 Apr 2018, at 16:16, Jason Kuehl  wrote:
> >
> > Just like "S3 dependency check day" Thus begins "National 1.1.1.1 change
> > week" I've already around a few peaces of equipment sets with 1.1.1.1
> >
> > On Mon, Apr 2, 2018 at 11:05 AM, Matt Hoppes <
> > mattli...@rivervalleyinternet.net> wrote:
> >
> >> Seeing as how 1.1.1.1 isn’t suppose to be routed I’m not surprised this
> is
> >> causing odd issues.
> >>
> >>> On Apr 2, 2018, at 11:03, Darin Steffl 
> wrote:
> >>>
> >>> I am behind a Calix router at home for my ISP and 1.1.1.1 goes to my
> >> router
> >>> and not any further. When I enter the IP into my browser, it opens the
> >>> login page for my router. So it appears 1.1.1.1 is used as a loopback
> in
> >> my
> >>> Calix router.
> >>>
> >>> 1.0.0.1 goes to the proper place fine.
> >>>
> >>> On Sun, Apr 1, 2018 at 3:59 PM, Jeremy L. Gaddis 
> >>> wrote:
> >>>
>  Greetings,
> 
>  If anyone at 7018 wants to pass a message along to the correct folks,
>  please let them know that Cloudflare's new public DNS service
> (1.1.1.1)
>  is completely unusable for at least some of AT's customers.
> 
>  There is apparently a bug with some CPE (including the 5268AC). From
>  behind such CPE, the services at 1.1.1.1 are completely unreachable,
>  whether via (ICMP) ping, DNS, or HTTPS.
> 
>  Using the 5268AC's web-based diagnostic tools, pinging 1.1.1.1 returns
>  the following results:
> 
>  ping successful: icmp seq:0, time=2.364 ms
>  ping successful: icmp seq:1, time=1.085 ms
>  ping successful: icmp seq:2, time=1.160 ms
>  ping successful: icmp seq:3, time=1.245 ms
>  ping successful: icmp seq:4, time=0.739 ms
> 
>  RTTs to the CPE's default gateway are, at minimum, ~20 ms.
> 
>  A traceroute (using the same web-based diagnostic tool built-in to the
>  CPE) reports, simply:
> 
>  traceroute 1.1.1.1 with: 64 bytes of data
> 
>  1: 1.1.1.1(1dot1dot1dot1.cloudflare-dns.com), time=0 ms
> 
>  I haven't bothered to report this to AT through the standard
> customer
>  support channels (for reasons that should be obvious to anyone who has
>  ever called AT's consumer/residential technical support) but if
> anyone
>  at AT wants to pass the info along to the appropriate group, it
> would
>  certainly be appreciated.
> 
>  Thanks,
>  -Jeremy
> 
>  --
>  Jeremy L. Gaddis
> 
> 
>  "The total budget at all receivers for solving senders' problems is
>  $0. If you want them to accept your mail and manage it the way you
>  want, send it the way the spec says to."  --John Levine
> 
> 
> >>>
> >>>
> >>> --
> >>> Darin Steffl
> >>> Minnesota WiFi
> >>> www.mnwifi.com
> >>> 507-634-WiFi
> >>>  Like us on Facebook
> >>> 
> >>
> >
> >
> >
> > --
> > Sincerely,
> >
> > Jason W Kuehl
> > Cell 920-419-8983
> > jason.w.ku...@gmail.com
>
>


Re: Nominum NS2 Reach

2018-03-06 Thread Rubens Kuhl
Thanks for that. While it's still more into the "money is made here" arena,
it actually confirms that it needs HTTP traffic.
I wonder if they also suggest that operators redirect DNS traffic meant for
other servers to them, hijacking all DNS traffic as well.


Rubens


On Tue, Mar 6, 2018 at 3:23 PM, <li...@as23738.net> wrote:

> I found this, if it helps. Reuploaded to imgur, since not sure if
> nanog-list takes attachments.
>
> https://i.imgur.com/waVW7zi.png
>
> On Tue, Mar 6, 2018, at 9:51 AM, Rubens Kuhl wrote:
> > Hi there.
> >
> > I found the available product information on NS2 Reach (Nominum) to not
> > dive into real product behavior like if it requires every HTTP traffic to
> > be PBR to the box, or possible deployment scenarios without intercepting
> > all HTTP traffic.
> >
> > Anyone can shed a light on its workings, or point to a NetEng description
> > of it ?
> >
> >
> > Tks,
> > Rubens
>


Nominum NS2 Reach

2018-03-06 Thread Rubens Kuhl
Hi there.

I found the available product information on NS2 Reach (Nominum) to not
dive into real product behavior like if it requires every HTTP traffic to
be PBR to the box, or possible deployment scenarios without intercepting
all HTTP traffic.

Anyone can shed a light on its workings, or point to a NetEng description
of it ?


Tks,
Rubens


Re: ccTLDs - Become a Registrar

2017-12-01 Thread Rubens Kuhl
http://rick.eng.br/dnssecstat/ is more on topic of what we were discussing,
although the monitor is interesting too.


Rubens


On Fri, Dec 1, 2017 at 5:35 PM, Rubens Kuhl <rube...@gmail.com> wrote:

>
>
> On Fri, Dec 1, 2017 at 5:20 PM, Christopher Morrow <
> morrowc.li...@gmail.com> wrote:
>
>>
>>
>> On Fri, Dec 1, 2017 at 1:45 PM, Rubens Kuhl <rube...@gmail.com> wrote:
>>
>>>
>>> .br also has such requirements. OpenSRS reference chart has a good hint
>>> of
>>> which ccTLDs have such requirements:
>>> http://bit.ly/OpenSRS_TLD_Reference_Chart
>>
>>
>> wow, 256 of 539 report "no" for DNSSEC.
>>
>
> For DNSSEC this one is more reliable:
> http://rick.eng.br/mon/
>
>
> Rubens
>
>
>


Re: ccTLDs - Become a Registrar

2017-12-01 Thread Rubens Kuhl
On Fri, Dec 1, 2017 at 5:20 PM, Christopher Morrow <morrowc.li...@gmail.com>
wrote:

>
>
> On Fri, Dec 1, 2017 at 1:45 PM, Rubens Kuhl <rube...@gmail.com> wrote:
>
>>
>> .br also has such requirements. OpenSRS reference chart has a good hint of
>> which ccTLDs have such requirements:
>> http://bit.ly/OpenSRS_TLD_Reference_Chart
>
>
> wow, 256 of 539 report "no" for DNSSEC.
>

For DNSSEC this one is more reliable:
http://rick.eng.br/mon/


Rubens


Re: ccTLDs - Become a Registrar

2017-12-01 Thread Rubens Kuhl
On Fri, Dec 1, 2017 at 4:24 PM, Ryan Finnesey  wrote:

> I was wonder if anyone within the group has done this research and might
> be able to save me a bit of time.  I am in the process of putting together
> a new Registrar and we would like complete ccTLD coverage.  I know for
> example CIRA (.ca)  has a Canadian Presence Requirement and we have formed
> a Canadian Corporation to meet this requirement.
>
> I am hoping to find what other TLD operators may have similar requirements.
>

.br also has such requirements. OpenSRS reference chart has a good hint of
which ccTLDs have such requirements:
http://bit.ly/OpenSRS_TLD_Reference_Chart

While it details the registration requirements, usually they are aligned:
most ccTLDs that are restricted to local residents also restrict registrars
to be locally incorporated.


Rubens


Re: Hurricane Maria: Summary of communication status - and lack of

2017-09-22 Thread Rubens Kuhl
On Fri, Sep 22, 2017 at 11:43 AM, Sean Donelan  wrote:

>
> Following up - there are three cable landing stations and 9 submarine
> cable systems connecting Puerto Rico.
>
> One of the cable landing stations experienced flooding, and shutdown its
> power system affecting some circuits.  I haven't been able to determine how
> many submarine cable systems are affected, since they share cable landing
> stations.
>
>
And that shutdown affected Internet capacity throughout South America.


Rubens


Re: any known outage in BR?

2017-05-11 Thread Rubens Kuhl
I'm not aware of a South America NOG list, and South Asia already uses
SANOG... but there is one outages-like list for Brazil called Caiu
(Portuguese for "dropped down") at
https://eng.registro.br/mailman/listinfo/caiu and there is a NOG list for
Latin America called LACNOG at
https://mail.lacnic.net/mailman/listinfo/lacnog.



Rubens


On Thu, May 11, 2017 at 9:18 PM, Andrew J. Caines 
wrote:

> On 05/11/2017 02:19 PM, Kurt Kraut wrote:
> > Do you mean Brazil?
>
> If there isn't a SANOG, there is an Outages list[1].
>
> "Where would we be if we didn't follow the correct procedures?" -
> Sam Lowry
>
>
> [1] https://puck.nether.net/mailman/listinfo/outages
>
> --
> -Andrew J. Caines-   Unix Systems Architect   a.j.cai...@halplant.com
>   "Machines take me by surprise with great frequency" - Alan Turing
>


Re: IRR database for local usage

2017-03-01 Thread Rubens Kuhl
Yeap. If you look at http://irr.net/docs/list.html , all of them list FTP
sites where you can get all information in bulk, load into your IRR daemon
and have a fast look-up for all that data.


Rubens




On Wed, Mar 1, 2017 at 7:49 AM, Nagarjun Govindraj via NANOG <
nanog@nanog.org> wrote:

> Hi nanog,
>
> Is it possible to maintian an IRR database locally for quering route
> objects from various RIR's and do a regular sync like what RPKI validator
> does for ROA's.
>
> - Nagarjun
>


Re: Prepending with another ASN you don't own

2016-12-16 Thread Rubens Kuhl
Even in that case I believe you should encapsulate between two instances of
your own ASN. Your example follows this but the text says only about the
last one in the path, while having both last and at least one previous is
better since you won't be implying that some other AS has connection to yet
another AS, it's just you doing this.

Rubens


On Thu, Dec 15, 2016 at 4:54 PM, Andrew Imeson 
wrote:

> Is it acceptable to prepend using another networks ASN as long as your
> ASN is the last one in the path? I can think of a few scenarios where
> this is helpful.
>
> One scenario: Anycast content provider with an ISP (who you aren't
> directly peering with) is choosing to send all traffic to a PoP on
> another
> continent.
>
> Solution:
> Prepend at the geographically-distant PoP so that the AS path looks
> like   , and thus that service provider
> ()
> views it as a routing loop and chooses one of your other PoPs. Sure
> there are better solutions like communities, but why (if it is) would
> this
> be "bad?"
>
> --
> Andrew Imeson
> and...@andrewimeson.com
>


Re: WHOIS Privacy & Proxy Services?

2016-11-13 Thread Rubens Kuhl
On Sun, Nov 13, 2016 at 8:36 PM, Ryan Finnesey  wrote:

> Is there any news out of the ICANN meeting that just concluded regarding
> new policy's around  WHOIS Privacy & Proxy Services?
>

The Implementation Review Team is just starting its work, so there won't be
much news for a while in this topic.

You can see presentations and hear recordings of the 2 sessions:

https://icann572016.sched.org/event/8cwR/privacy-and-proxy-services-accreditation-implementation-review-team-project-overview

https://icann572016.sched.org/event/8dQg/privacy-and-proxy-services-accreditation-program-implementation-review-team-working-meeting


But the short version is "ongoing work".


Rubens


Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-23 Thread Rubens Kuhl
On Fri, Sep 23, 2016 at 2:58 PM, Grant Ridder 
wrote:

> Didn't realize Akamai kicked out or disabled customers
> http://www.zdnet.com/article/krebs-on-security-booted-off-
> akamai-network-after-ddos-attack-proves-pricey/
>
> "Security blog Krebs on Security has been taken offline by host Akamai
> Technologies following a DDoS attack which reached 665 Gbps in size."
>


So much for defending free speech...


Rubens


Re: DNS Services for a registrar

2016-08-12 Thread Rubens Kuhl
On Fri, Aug 12, 2016 at 3:28 PM, Filip Hruska  wrote:

> Hi,
>
> If you are going the IaaS route, definitely checkout KnotDNS project.
> According to their benchmarks [1], it does much better than other DNS
> servers in about every workload.
>
>
The problem with KnotDNS/Yadifa/NSD is that they are too optimized for
servers with a small number of zones containing large numbers of records,
usually delegation-only. That is the use of TLD registries, but not the use
case of registrars...

... all those 3 are getting better in supporting large number of zones with
small number of records, but the canonical solution in that space is Power
DNS. Things that TLDs usually don't like, SQL-backend for instance, makes
perfect sense for this use case.

Note that the only workload they tested is serving the root zone, not
multiple number of zones with variable number of RR-sets... so aligning the
testing with the actual use case is crucial to make good decisions.

What I strongly support, though, is getting out of the BIND comfort zone.

Rubens


Re: Speedtest.net not accessible in Chrome due to deceptive ads

2016-07-20 Thread Rubens Kuhl
On Wed, Jul 20, 2016 at 3:56 PM, David  wrote:

> On 2016-07-20 12:52 PM, Jacques Latour wrote:
>
>> In that case, for Canadians, go to http://performance.cira.ca, it's
>> MLAB-NDT based and checks IPv6 and DNSSEC :-)
>>
>> 100% ad free
>>
>>
> And on the flip side, refuses to work with Safari.
>

Working with Safari might require Java which is also not a popular choice
among security conscious users... ... http://simet.nic.br requires either
Chrome or a Java-enabled browser.


Rubens


Re: New ICANN registrant change process

2016-07-07 Thread Rubens Kuhl
On Wed, Jul 6, 2016 at 11:13 PM, David Conrad <d...@virtualized.org> wrote:

> Rubens,
>
> On Jul 6, 2016, at 2:20 PM, Rubens Kuhl <rube...@gmail.com> wrote:
> >> Not sure the RPZ hammer has been brought out in force yet. I've seen a
> few recommendations on various mailing lists, but no concerted effort.
> Unfortunately, there is no easy/scalable way to determine who a registrar
> for a given name is,
> > That is called RDAP,
>
> I said "scalable".
>
> Given RDAP is based on TCP and there is this concept known as
> "registration data lookup rate limiting", I'm somewhat skeptical RDAP is
> the appropriate choice for (e.g.,) a "DNS Block List"-like solution that
> would (say) dump email that came from domains registered via
> operator-specified registrars.
>

Fair enough. There are though non-standard UDP-based domain lookup
implementations like isavail that could address both this use case and
provide faster availability searches.


> > but ICANN currently blocks gTLD registries from offering RDAP.
>
>
> Ignoring the above, and as I'm sure you're aware, the community has not
> determined the policies by which RDAP may be offered as an official
> registry service using production data, e.g., whether and how
> differentiated services will be permitted among other details.  As such, it
> is more accurate to say that registries are not permitted to deploy new
> services because of contractual obligations the registries entered into
> that requires them to have new services evaluated to ensure those services
> don't impact DNS security, stability or competition, something the
> community required ICANN enforce as a result of the SiteFinder episode ages
> ago. Registries can, of course, request that evaluation and I'm told some
> have and are actually offering RDAP.
>
> But I would agree it is much easier to simply blame ICANN.
>
>
RDAP is totally different from other possible registry services since it's
already baked into registries contracts...
https://newgtlds.icann.org/sites/default/files/agreements/agreement-approved-09jan14-en.htm
specification 4. It's basically the same service already offered thru
WHOIS, RDDS, over a different protocol.

The contract already allows ICANN to trigger a requirement to support RDAP,
but doesn't allow registries to support it before they are required. ICANN
could have, and has been suggested to, allow it before it triggers the
requirement in order to have willing registries support it, and hasn't done
it.

So in this particular case I don't have any problems blaming ICANN... and
the great level of transparency of ICANN meetings being recorded and
transcribed provides plenty of evidence in that regard.

As for gTLD registries offering RDAP, I couldn't find any at
https://www.icann.org/resources/pages/rsep-2014-02-19-en, the page where
new registry services are described and published for comments... the only
registries I know deploying RDAP are ccTLDs, which do not operate inside
ICANN gTLD policy framework.
https://rdap.registro.br/domain/icannsaopaulo.br
https://rdap.nic.cz/domain/nic.cz



Rubens


Re: New ICANN registrant change process

2016-07-06 Thread Rubens Kuhl
>
> Not sure the RPZ hammer has been brought out in force yet. I've seen a few
> recommendations on various mailing lists, but no concerted effort.
> Unfortunately, there is no easy/scalable way to determine who a registrar
> for a given name is,



That is called RDAP, but ICANN currently blocks gTLD registries from
offering RDAP.


Rubens


Re: New ICANN registrant change process

2016-07-04 Thread Rubens Kuhl
On Mon, Jul 4, 2016 at 2:54 PM, Jay R. Ashworth  wrote:

> I'll go ahead and assume I wasn't the last person to get this memo
> (courtesy
> Lauren Weinstein's PRIVACY Digest):
>
>
> https://opensrs.com/blog/2016/06/icanns-new-transfer-policy-will-impact-business-customers/
>
> It does seem that this is going to make life difficult for a bunch of
> pretty
> normal business processes.
>
> If you didn't know about it either... ask yourself why not.
>

Although I'm not a member of the WG that defined such policy, having seen
the many occasions where domain hijacks occurred, I'm totally fine with the
outcome. I only see real impact for "wholesale" registrars, like OpenSRS,
eNom and Endurance, since they have to figure out a way to be compliant
with policy without actually having contact with the registrants, and this
kind of problem will continue to haunt them as they just operate a way for
companies to operate in the gTLD market outside of its framework.


Rubens


Re: IPv6 is better than ipv4

2016-06-02 Thread Rubens Kuhl
On Thu, Jun 2, 2016 at 11:47 AM, Ca By  wrote:

>
> https://blogs.akamai.com/2016/06/preparing-for-ipv6-only-mobile-networks-why-and-how.html
>
> Wherein akamai explains a detailed study showing ipv6 is "well
> over 10%" faster than ipv4 on mobile, and they reference corroborating
> studies from Linkedin and Facebook.
>

Says the company that consistently refused to dual-stack its customers by
default...



Rubens


Re: Stop IPv6 Google traffic

2016-04-11 Thread Rubens Kuhl
On Mon, Apr 11, 2016 at 5:56 PM, Ricky Beam <jfb...@gmail.com> wrote:

> On Sun, 10 Apr 2016 20:09:04 -0400, Rubens Kuhl <rube...@gmail.com> wrote:
>
>> If your users are seeing captchas, one or a few of them are likely to be
>> infected to the point of generating too many requests to Google.
>>
>
> If that were the case, they'd be seeing the same via IPv4. And apparently,
> they aren't.
>

Nope. If you have both A and AAAA IP addresses in DNS responses and have
both IPv4 and IPv6 connectivity, IPv6 will be preferred, with even a bit of
latency handicap favoring IPv6 in current Happy Eyeballs implementations.
Remember that the symptom is not unresponsive website, but an answer with
an inconvenience (the captcha), so the browser and the network stack won't
deem it as IPv6 load failure.



> This also points out the problems with *ASSUMING* you know the size of
> someone's netblock. If you think "/64", then you'd be wrong. Just as
> wrong as assuming all IPv4 is "/24". And on the same side of that coin
> is the over-reaching "block all of Asia" blacklist. Sure, that'll kill
> a heap of nonsense, but if you actually have business in Asia...
>


> (Yes, *I* banish APNIC. "works for me", not recommended for others.)
>

One known issue in both APNIC and LACNIC regions is that some addresses are
indeed countries instead of single networks, due to NIRs (National Internet
Registries).


Rubens
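
An added simulation of the RFC 8305 (Happy Eyeballs v2) timers that produce the IPv6 preference described above; it is not code from the post and not a real client. The two constants are the RFC's recommended values; the timings fed to it are constructed. Connection failures are modelled as attempts that never complete, so the early fallback a real stack does on an immediate RST is not represented.

```python
RESOLUTION_DELAY_MS = 50           # RFC 8305 section 3: how long to wait for AAAA once A has arrived
CONNECTION_ATTEMPT_DELAY_MS = 250  # RFC 8305 section 5: head start the first address gets


def happy_eyeballs(aaaa_ms, a_ms, v6_connect_ms, v4_connect_ms):
    """Return (family, time_connected_ms) for the address family an RFC 8305 client
    ends up using, or None when nothing connects.

    aaaa_ms / a_ms: arrival time of each DNS answer (None = never answered).
    v6_connect_ms / v4_connect_ms: TCP handshake duration once attempted
    (None = the attempt never completes).
    Whatever the server sends after the handshake (a page, a captcha, an error)
    is invisible at this layer and cannot cause a fallback."""
    answers = {"v6": aaaa_ms, "v4": a_ms}
    handshake = {"v6": v6_connect_ms, "v4": v4_connect_ms}
    if aaaa_ms is None and a_ms is None:
        return None
    # Phase 1: IPv6 goes first unless its answer is missing or arrives later than
    # the A answer plus the resolution delay.
    if aaaa_ms is not None and (a_ms is None or aaaa_ms <= a_ms + RESOLUTION_DELAY_MS):
        first, second, first_start = "v6", "v4", aaaa_ms
    else:
        first, second, first_start = "v4", "v6", a_ms + RESOLUTION_DELAY_MS
    starts = {first: first_start}
    # Phase 2: the other family is only tried after the attempt delay has elapsed
    # (and not before its own DNS answer is in).
    if answers[second] is not None:
        starts[second] = max(first_start + CONNECTION_ATTEMPT_DELAY_MS, answers[second])
    completed = {fam: starts[fam] + handshake[fam]
                 for fam in starts if handshake[fam] is not None}
    if not completed:
        return None
    winner = min(completed, key=completed.get)
    return winner, completed[winner]


if __name__ == "__main__":
    # IPv6 handshake is much slower than IPv4 but still wins thanks to the head start
    print(happy_eyeballs(aaaa_ms=20, a_ms=20, v6_connect_ms=200, v4_connect_ms=30))
    # IPv6 path is filtered: IPv4 takes over once the attempt delay expires
    print(happy_eyeballs(aaaa_ms=20, a_ms=20, v6_connect_ms=None, v4_connect_ms=30))
```

The first case is the one relevant to the thread: a 200 ms IPv6 handshake beats a 30 ms IPv4 one, so a misbehaving host keeps reaching Google over IPv6 and the captcha page it gets back is a perfectly good connection as far as the stack can tell.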


Re: Stop IPv6 Google traffic

2016-04-10 Thread Rubens Kuhl
On Sun, Apr 10, 2016 at 10:29 AM, Max Tulyev  wrote:

> Hi All,
>
> I need to stop IPv6 web traffic going from our customers to Google
> without touching all other IPv6 and without blackhole IPv6 Google
> network (this case my customers are complaining on long timeouts).
>
> What can you advice for that?
>

If your users are seeing captchas, one or a few of them are likely to be
infected to the point of generating too many requests to Google.

Flow-based analysis might reveal who those users are.


Rubens


Re: Southwest Airlines captive portal

2016-02-27 Thread Rubens Kuhl
On Sat, Feb 27, 2016 at 3:26 PM, Frank Bulk  wrote:

> Anyone from Southwest Airlines on this list?
>
> On a recent flight I discovered I couldn't complete payment through PayPal
> because my web browsers properly noticed that the Southwest Airlines SSL
> certificate that the captive portal was giving for PayPal didn't match up.
> =)  I had to create an exception for PayPal just to complete payment.
>
>
Perhaps not a captive portal but a TLS accelerator that is sometimes used
in satellite connections, that does act as MITM like corporate security
products but with a performance focus.

Since many commonly used web properties are moving to HSTS + HPKP + CT it
will become increasingly difficult to balance performance and security in
high latency connections, but when it comes to a payment gateway, that
airline should probably turn off acceleration for paypal.com and 3-D Secure
bank pages.


Rubens


Re: UDP Amplification DDoS - Help!

2016-02-08 Thread Rubens Kuhl
1. Move the website to DDoS-resistant reverse proxy like Cloudflare or
Incapsula, using its current IP address; won't make much of a difference as
attacker will go back to attacking the last known IP address.
2. Change the site IP address and only update it at the reverse proxy
provider, not at any DNS record whatsoever.

This should do the trick unless attacker starts a full-range CIDR block
attack, at which point your next escalation path is GRE-based DDoS
providers like, but not limited to, Black Lotus.


Rubens


On Mon, Feb 8, 2016 at 9:14 PM, Mitch Dyer 
wrote:

> Hello,
>
> Hoping someone can point me in the right direction here, even just
> confirming my suspicions would be incredibly helpful.
>
> A little bit of background: I have a customer I'm working with that is
> downstream of a 1Gb link that is experiencing multiple DDoS attacks on a
> daily basis. Through several captures I've seen what appear to be a mixture
> of SSDP and DNS amplification attacks (though not at the same time). The
> attack itself seems to target the PAT address associated with a specific
> site, if we change the PAT address for the site, the attack targets the new
> address at the next occurance. We've tried setting up captures and logging
> inside the network to determine if the SSDP/DNS request originate within
> the network but that does not appear to be the case.
>
> We've reached out for some assistance from the upstream carrier but
> they've only been able to enforce a 24-hour block.
>
> I'm hoping someone with some experience on this topic would be able to
> shed some light on a better way to attack this or would be willing to
> confirm that we are simply SOL without prolonged assistance from the
> upstream carrier.
>
> Thanks in advance for any insight.
>
> Mitch
>
>
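
A check for the second step above (the new origin address must not appear in any published DNS record), as an added example that is not part of the original post or of any product mentioned in it. The zone, the proxy provider's address range and the origin address are constructed values using RFC 5737 documentation space, and `parse_zone` only understands the one-record-per-line dump shape shown.

```python
import ipaddress

# Constructed sample zone: the records as published after the site was moved
# behind a reverse proxy (hypothetical names, documentation addresses).
ZONE_TEXT = """\
example.net.        300 IN A     198.51.100.10
www.example.net.    300 IN A     198.51.100.10
mail.example.net.   300 IN A     203.0.113.25
ftp.example.net.    300 IN A     192.0.2.44
example.net.        300 IN MX    10 mail.example.net.
example.net.        300 IN TXT   "v=spf1 ip4:192.0.2.44 -all"
"""

# Assumed values: the reverse proxy provider's address space and the new origin
PROXY_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
NEW_ORIGIN = ipaddress.ip_address("192.0.2.44")


def parse_zone(text):
    """Parse a minimal one-record-per-line zone dump into (owner, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.split(None, 4)
        if len(parts) == 5:
            owner, _ttl, _class, rtype, rdata = parts
            records.append((owner, rtype, rdata))
    return records


def find_origin_leaks(records, origin, proxy_ranges):
    """Flag every record that gives the origin away or bypasses the proxy:
    address records pointing at the origin, any other rdata (SPF, TXT) that
    spells the address out, and address records outside the proxy ranges."""
    findings = []
    for owner, rtype, rdata in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(rdata)
            if addr == origin:
                findings.append((owner, rtype, "points at the origin"))
            elif not any(addr in net for net in proxy_ranges):
                findings.append((owner, rtype, "not behind the proxy"))
        elif str(origin) in rdata:
            findings.append((owner, rtype, "origin address in rdata"))
    return findings


if __name__ == "__main__":
    for finding in find_origin_leaks(parse_zone(ZONE_TEXT), NEW_ORIGIN, PROXY_RANGES):
        print(*finding)
```

The SPF finding is the one people forget: an `ip4:` mechanism naming the web server's address publishes it just as effectively as an A record. A mail host flagged as "not behind the proxy" is expected (SMTP cannot sit behind an HTTP reverse proxy), but it is a reminder that the mail server must not share the origin's address or network.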


Re: REMINDER: LEAP SECOND

2015-07-01 Thread Rubens Kuhl
On Wed, Jul 1, 2015 at 3:17 PM, Chris Adams c...@cmadams.net wrote:

> Once upon a time, Mike Hammett na...@ics-il.net said:
> > v5 is 2.4, v6 3.3.5
>
> Don't know why a 3.3.5 kernel would have deadlocked; don't think there
> are any known issues that would cause that, unless there are Mikrotik
> specific patches that caused the problem.
>
> I believe the bug from the 2008 leap second was present in kernels in
> 2.4 up through 2.6.26 (although Red Hat at least patched it in their
> older version long-term support kernels).


3.3 was listed as buggy in this regard as well.


Rubens


Re: REMINDER: LEAP SECOND

2015-07-01 Thread Rubens Kuhl
On Wed, Jul 1, 2015 at 10:17 AM, Mike Hammett na...@ics-il.net wrote:

> It looks to have only affected the CCR line and only those running the NTP
> and not the SNTP package.


That's Mikrotik's position, but reports of some users contradict their
version (both in the need for NTP and for only affecting CCR line),
although the NTP package is clearly a contributing factor.



Rubens


Re: REMINDER: LEAP SECOND

2015-07-01 Thread Rubens Kuhl
On Wed, Jul 1, 2015 at 11:15 AM, Michel Luczak fr...@shrd.fr wrote:

> > I had problems with Leap Second with mikrotik in versions 6.29.1, 6.28,
> > 6.5 and other versions.
> >
> > Configured NTP Client in all of them.
> >
> > Anyone else had this problem?
>
> Apparently 6.27 was the safe version to have (no issues on our CRS and CCR
> routers).



Not quite. Reported crashes included 6.27, so it's possible that some other
mitigating factor helped not to crash (like using SNTP instead of NTP,
although there seems to be people with crashes using SNTP or no SNTP/NTP at
all).

Variations also include whether hardware watchdog was able to reboot the
box or it just froze (including frontal display not responding).

Rubens


Re: Access to nanog.cluepon.net

2015-06-16 Thread Rubens Kuhl
On Sat, Jun 6, 2015 at 2:27 PM, Frank Bulk frnk...@iname.com wrote:

> I'd like to update some material on nanog.cluepon.net (not very responsive
> to HTTP requests right now) and my account doesn't work anymore.  I reached
> out to Richard S. but have not heard back from him - anyone else here who
> has admin access and can set me up again?


*.cluepon.net { nanog, cisco, juniper } still down for me...


Rubens


Re: AS4788 Telecom Malaysia major route leak?

2015-06-14 Thread Rubens Kuhl
On Sun, Jun 14, 2015 at 9:07 PM, Mel Beckman m...@beckman.org wrote:

> SLAs are part of a contract, and thus only apply to the parties of the
> contract. There are no payments due to other parties. The Internet is a
> best effort network, with zero guarantees.
>
> -mel beckman


Ok, I'll bite: my $dayjob is a Level 3 client that was directly affected by
lack of availability due to recovery attempt Level 3 tried in our region.
Where $dayjob can collect $ for this incident ?


Rubens


Re: Open letter to Level3 concerning the global routing issues on June 12th

2015-06-13 Thread Rubens Kuhl

> At 08:44 UTC on Friday 12th of June, one of your transit customers,
> Telekom Malaysia (AS4788) began announcing the full Internet table back
> to you, which you accepted and propagated to your peers and customers,
> causing global outages for close to 3 hours.


One thing of notice is that AS Paths were really not short, so some kind of
local preference has to be in place. Although it's usual to apply local
preference to transit customers, it's probably wise to only do it for
prefixes belonging to customer or registered at IRRs. So, if someone does
not want to filter prefixes from customers, at least could not apply larger
preference to all such prefixes. Focus on the known prefixes and let AS Path
sort out those weird paths.


Rubens
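
As an added example (not code from either post), the following ties together the IRR bulk data mentioned in the "IRR database for local usage" reply above and the local-preference point made here: it indexes route objects from a constructed RPSL dump of the kind those FTP mirrors carry, then runs a reduced BGP decision for a leaked prefix under both policies, "raise local preference on everything a customer sends" and "raise it only on prefixes the customer has registered as its own". AS numbers, prefixes and the IRR source name are constructed values.

```python
import ipaddress

# Constructed RPSL-style route objects, the shape of data an IRR bulk dump holds
# (documentation AS numbers and prefixes; EXAMPLE-IRR is a hypothetical source).
IRR_DUMP = """\
route:    192.0.2.0/24
origin:   AS64500
source:   EXAMPLE-IRR

route:    198.51.100.0/24
origin:   AS64500
source:   EXAMPLE-IRR

route:    203.0.113.0/24
origin:   AS64510
source:   EXAMPLE-IRR
"""

CUSTOMER_PREF = 200   # LOCAL_PREF for routes we are willing to prefer from a customer
DEFAULT_PREF = 100    # LOCAL_PREF for peers and for unverified customer routes


def parse_route_objects(text):
    """Index (prefix, origin AS) pairs from an RPSL dump; objects are blank-line separated."""
    index = set()
    prefix = origin = None
    for line in text.splitlines() + [""]:
        if not line.strip():
            if prefix is not None and origin is not None:
                index.add((ipaddress.ip_network(prefix), origin))
            prefix = origin = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "route":
            prefix = value
        elif key == "origin" and value.upper().startswith("AS"):
            origin = int(value[2:])
    return index


def local_pref(route, customer_asn, irr_index, policy):
    """policy="all": every route from the customer gets CUSTOMER_PREF (the behaviour
    the thread warns about). policy="irr": only prefixes that carry a route object
    with the customer as origin get it; everything else falls back to DEFAULT_PREF."""
    if route["neighbor"] != customer_asn:
        return DEFAULT_PREF
    if policy == "all" or (route["prefix"], customer_asn) in irr_index:
        return CUSTOMER_PREF
    return DEFAULT_PREF


def best_path(routes, customer_asn, irr_index, policy):
    """Reduced BGP decision process: highest LOCAL_PREF wins, then shortest AS_PATH."""
    return max(routes, key=lambda r: (local_pref(r, customer_asn, irr_index, policy),
                                      -len(r["as_path"])))


# Two candidates for the same prefix: a leak from customer AS64500 re-announcing a
# route it learned from elsewhere, and the direct route from peer AS64510.
LEAK = {"prefix": ipaddress.ip_network("203.0.113.0/24"), "neighbor": 64500,
        "as_path": [64500, 64505, 64510]}
DIRECT = {"prefix": ipaddress.ip_network("203.0.113.0/24"), "neighbor": 64510,
          "as_path": [64510]}
OWN = {"prefix": ipaddress.ip_network("192.0.2.0/24"), "neighbor": 64500,
       "as_path": [64500]}

if __name__ == "__main__":
    irr = parse_route_objects(IRR_DUMP)
    for policy in ("all", "irr"):
        print(policy, "->", best_path([LEAK, DIRECT], 64500, irr, policy)["as_path"])
```

With `policy="all"` the leaked route wins on LOCAL_PREF before path length is ever compared; with `policy="irr"` both candidates sit at the default preference and the longer path loses, which is exactly the "let AS Path sort out those weird paths" outcome. The customer's own registered prefix still gets the higher preference under either policy.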


Re: Looking for a provider in Ecuador

2015-04-27 Thread Rubens Kuhl
Level 3 wholesale (former Global Crossing), Telefónica Wholesale, Tata
Communications(former Teleglobe) and LANautilus(TI/Sparkle).
Possible local providers could be TelcoNet (private) or CNT
(government-owned).


Rubens


On Mon, Apr 27, 2015 at 9:15 PM, Eric C. Miller e...@ericheather.com
wrote:

> Hello,
>
> Does anyone have a recommendation for a provider who can service the west
> coast of Ecuador at speeds 100Mbps - 1Gbps?
>
> Thanks!
>
>
>
> Eric Miller, CCNP
> Network Engineering Consultant
> (407) 257-5115


Re: ASN to IP Mapping

2015-03-07 Thread Rubens Kuhl
On Sat, Mar 7, 2015 at 12:37 PM, Andrew Iwamoto 
aiwam...@unleashed-technologies.com wrote:

> Is there a tool or method to determine IP blocks assigned to an
> organization by ASN?  I.e. if I have an organization's ASN number I want to
> know all blocks assigned to that ASN.


That's RIR/NIR-dependent, so you probably have to go thru all of them to
map all possible IP blocks. Other references suggested bgp.he.net that will
only list advertised networks, and IRRs will only have IRR-listed networks.

For instance, on ARIN for AS 15141:

http://whois.arin.net/rest/asn/AS15141

Find the organization name; click on the link
http://whois.arin.net/rest/org/BAUSCH-1.html

Find the networks link:
http://whois.arin.net/rest/org/BAUSCH-1/nets

Network Resources: BAUSCH-LOMB (NET-161-242-0-0-1,
http://whois.arin.net/rest/net/NET-161-242-0-0-1.html) 161.242.0.0 -
161.242.255.255

Look for the other RIRs; rinse and repeat.



Rubens
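
The ASN, organization, nets walk above, scripted, as an added example that is not code from the post or from ARIN. The URLs are the ones the post links to; the XML samples are constructed to resemble Whois-RWS answers for them (element and attribute names are assumptions made for this example, not a transcription of ARIN's schema; the handles and address range are the ones quoted above), and content negotiation through the `Accept` header is likewise assumed. The fetch function is injectable so the walk runs offline against the samples.

```python
import ipaddress
import urllib.request
import xml.etree.ElementTree as ET

ARIN_REST = "http://whois.arin.net/rest"

# Constructed samples shaped like Whois-RWS XML for the two URLs in the walk.
SAMPLE_ASN_XML = """<asn xmlns="http://www.arin.net/whoisrws/core/v1">
  <handle>AS15141</handle>
  <orgRef handle="BAUSCH-1">http://whois.arin.net/rest/org/BAUSCH-1</orgRef>
</asn>"""

SAMPLE_NETS_XML = """<nets xmlns="http://www.arin.net/whoisrws/core/v1">
  <netRef handle="NET-161-242-0-0-1" name="BAUSCH-LOMB"
          startAddress="161.242.0.0" endAddress="161.242.255.255">
    http://whois.arin.net/rest/net/NET-161-242-0-0-1</netRef>
</nets>"""


def _local(tag):
    """Strip the XML namespace so lookups do not depend on the exact namespace URI."""
    return tag.rsplit("}", 1)[-1]


def org_handle_from_asn(xml_text):
    """Step 1: the ASN record references the organization that holds it."""
    for element in ET.fromstring(xml_text).iter():
        if _local(element.tag) == "orgRef":
            return element.get("handle")
    return None


def blocks_from_nets(xml_text):
    """Step 2: each network reference gives a start/end range; summarize it to CIDR."""
    blocks = []
    for element in ET.fromstring(xml_text).iter():
        if _local(element.tag) == "netRef":
            start = ipaddress.ip_address(element.get("startAddress"))
            end = ipaddress.ip_address(element.get("endAddress"))
            for net in ipaddress.summarize_address_range(start, end):
                blocks.append((element.get("handle"), str(net)))
    return blocks


def http_fetch(url):
    """Ask Whois-RWS for XML (Accept-header negotiation is assumed here)."""
    request = urllib.request.Request(url, headers={"Accept": "application/xml"})
    with urllib.request.urlopen(request, timeout=10) as response:
        return response.read().decode()


def arin_blocks_for_asn(asn, fetch=http_fetch):
    """Walk ASN -> org -> nets and return (net handle, cidr) pairs; `fetch` is
    injectable so the walk can be exercised without network access."""
    org = org_handle_from_asn(fetch(f"{ARIN_REST}/asn/AS{asn}"))
    if org is None:
        return []
    return blocks_from_nets(fetch(f"{ARIN_REST}/org/{org}/nets"))


# Offline stand-in for the network: maps the two URLs to the constructed samples.
OFFLINE = {
    f"{ARIN_REST}/asn/AS15141": SAMPLE_ASN_XML,
    f"{ARIN_REST}/org/BAUSCH-1/nets": SAMPLE_NETS_XML,
}

if __name__ == "__main__":
    print(arin_blocks_for_asn(15141, fetch=OFFLINE.__getitem__))
```

As the post says, this only covers what ARIN registers to the organization; the other RIRs and NIRs have their own interfaces, and a registered block is not the same thing as an advertised one, so cross-checking against a BGP view is still needed.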


Re: whois server features

2015-01-07 Thread Rubens Kuhl

> > So, you’re not running into a poorly-documented mystery, you’ve run
> > afoul of one of the rotten armpits of the shub-Internet.
> >
>
> So there's no consensus between NICs for the information they should
> have in whois and what search mechanisms they should provide? I guess
> what you're saying is that whois is just a protocol definition and
> nothing else?


Might not even qualify for protocol definition, and RFC 3912 ACKs this:

https://tools.ietf.org/html/rfc3912


Rubens


Re: whois server features

2015-01-07 Thread Rubens Kuhl
> This is not the response I was looking for (and reading the RFC makes
> me feel even worse).
>
> Is there a better mechanism for querying NICs for host/owner information?


There will be, one day. And the start (although not the whole journey) will
be when this I-D follows the standard path all the way to STD:
http://tools.ietf.org/html/draft-ietf-weirds-rdap-query-18.html


Rubens


Re: Internet Service Providers in Bogota Colombia.

2014-12-21 Thread Rubens Kuhl
It's very likely that your family member has either ETB (local city-owned
access) or Telmex Colombia. Both players have multiple technology options
(ADSL and WiMAX for both, coax and fiber for Telmex Colombia), so besides
replacing one for the other, it might be possible to improve access by
using a different technology from the same vendor already in place.

Knowing which technology options are available from each vendor at where
you will be will probably be key in defining a way forward.


Rubens



On Sun, Dec 21, 2014 at 11:23 PM, Javier J jav...@advancedmachines.us
wrote:

> My apologies in advance If there is a better list, please let me know.
>
> I will be traveling to Bogota, Colombia for a few weeks in the spring and a
> family member who is working there on a contract (where I will be staying)
> has crappy internet. I want to kill 2 birds with one stone. Make sure I
> have reliable internet and improve what they have. I'm just not sure what
> options are available there.
>
> I speak the language just not familiar with the options.
>
> Any help would be greatly appreciated.



Re: ASN Domain for rDNS

2014-12-10 Thread Rubens Kuhl
And considering browsers use domains to define whether to send cookies or
not along a request, not having access customers on the same domain of your
website is a security benefit.


Rubens


On Wed, Dec 10, 2014 at 3:13 AM, Kate Gerry k...@quadranet.com wrote:

> Short answer: I just like doing it.
>
> Long answer: It allows me to create as many hosts on a segregated domain
> instead of making my company DNS zone 3000 records long.
>
> -Original Message-
> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Fred
> Sent: Tuesday, December 09, 2014 4:36 PM
> To: nanog@nanog.org
> Subject: Re: ASN Domain for rDNS
>
> I'd say this is mostly for whitelabelling reason rather than a technical
> one?
>
> Keefe John:
> > I've been seeing more and more carriers(and even small ISPs) using
> > as.net as their domain for rDNS on IP space.  What are the pros
> > and cons for doing this versus using your primary business domain name?
> >
> > Keefe John



Re: Followup: Survey results for the ARIN RPA

2014-12-08 Thread Rubens Kuhl


> One could easily presume the ARIN region RPKI deployment statistics are
> lower as a result of the RPA situation (and no doubt that it is part of the
> issue), but as noted earlier, it's unlikely to be the full story since
> we also have a region (APNIC) where RPKI deployment is also rather low
> and yet does not have these RPA legal entanglements.
>
> It was suggested earlier that this may be due to a combination of factors
> (education, promotion) beyond the RPA legal issues that are now being
> worked - so that will also need to be addressed once the RPA is resolved.


Are the US litigation risks that much higher than other jurisdictions so
that ARIN needs to take a different approach than other RIRs ? If they are,
perhaps a confederation design instead of centralized one would help
scatter those risks ?


Rubens


Re: Google public DNS - getting SERVFAIL for any domains delegated to GoDaddy NSs

2014-12-07 Thread Rubens Kuhl

> Maybe a geo-specific issue then, which is even more weird, because it's
> still not working for me from two different ASs, though both in Toronto,
> and a traceroute makes it appear like they're not hitting the same nodes
> (but maybe they are).
>
> What's even more weird is I can actually resolve one domain,
> startupong.com, but still not targetly.co and others.


Last time we had weird DNS issues with GoDaddy, it was dependent on the
querying IP address due to load-balancing issues on their side. Try issuing
queries from even and odd IP addresses to see if that makes any difference.


Rubens


Re: Why is .gov only for US government agencies?

2014-10-19 Thread Rubens Kuhl
On Sun, Oct 19, 2014 at 10:05 AM, Matthew Petach mpet...@netflight.com
wrote:

> Wondering if some of the long-time list members
> can shed some light on the question--why is the
> .gov top level domain only for use by US
> government agencies?  Where do other world
> powers put their government agency domains?


Note that .mil is also restricted to US DoD, and that although .com is not
restricted to US citizens and companies, it is under contract with US DoC.
The only legacy gTLDs that are not in US control of some sort are .net and
.org.


Rubens


Re: Scotland ccTLD?

2014-09-16 Thread Rubens Kuhl
On Tue, Sep 16, 2014 at 12:39 PM, Suresh Ramasubramanian 
ops.li...@gmail.com wrote:

> Alba was the ancient roman name for England, meaning white, because of the
> white cliffs of Dover
>
> They called Scotland Caledonia and Ireland Hibernia
>
> Scotland is named for an ancient / mythical queen named Scota so they
> should be fine with say sc


sc is Seychelles. Available s* include sf, sp, sq, su and sw. They should
pick .sf, use .scot for in-country domains and sell all .sf domains to San
Francisco residents.


Rubens


Re: Scotland ccTLD?

2014-09-16 Thread Rubens Kuhl
On Tue, Sep 16, 2014 at 1:26 PM, David Conrad d...@virtualized.org wrote:

> On Sep 16, 2014, at 8:45 AM, Rubens Kuhl rube...@gmail.com wrote:
> > Available s* include sf, sp, sq, su and sw.
>
> SF (Finland, from “Suomi Finland”) is “transitionally reserved” meaning it
> is allocated but will be removed from the allocated list “soon” (for some
> value of the variable “soon”). I believe the hold down timer for
> transitionally reserved is something like 50 years now. As such, it’s not
> available.
>
> SU is the Soviet Union, now classified as “exceptionally reserved” which
> IANA treats as available for assignment (other exceptionally reserved codes
> are EU, UK, and AC).  Don’t get me started on why SU is exceptionally
> reserved instead of transitionally reserved.


Why SU is not transitionally reserved:
http://vimeo.com/87939821


Rubens


Re: Scotland ccTLD?

2014-09-16 Thread Rubens Kuhl
On Tue, Sep 16, 2014 at 8:57 PM, Masataka Ohta 
mo...@necom830.hpcl.titech.ac.jp wrote:

> What will happen to .uk if England is left alone?


Will be reserved to a future United Korea if that happens...


Rubens


Akamai DNS off-line contact

2014-09-09 Thread Rubens Kuhl
We are seeing a high profile DNS zone hosted at Akamai with DNSSEC
algorithm mismatch (KSK is algorithm 7, ZSK is algorithm 8).

If someone could contact me off-list...


Rubens
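
A check for the kind of mismatch reported above, as an added example that is not code from the post and says nothing about how the zone in question was actually signed. The sample zone is constructed: its parent DS names algorithm 7, its KSK is algorithm 7 and signs only the DNSKEY RRset, and its ZSK is algorithm 8 and signs the rest; algorithm numbers are the IANA DNSSEC algorithm identifiers (7 = RSASHA1-NSEC3-SHA1, 8 = RSASHA256).

```python
SEP_FLAG = 0x0001   # DNSKEY flags bit that marks a key as a KSK / secure entry point

# Constructed sample modelled on the mismatch reported above (hypothetical zone).
DS_ALGORITHMS = {7}
DNSKEYS = [(257, 7), (256, 8)]   # (flags, algorithm): 257 = KSK, 256 = ZSK
RRSIGS = {                       # RRset type -> algorithms that have an RRSIG over it
    "DNSKEY": {7},
    "A": {8},
    "MX": {8},
}


def check_dnssec_algorithms(ds_algorithms, dnskeys, rrsigs):
    """Findings against the rules a signer has to keep (RFC 4035 section 2.2):
    1. each DS algorithm in the parent must match a KSK, or there is no chain of trust;
    2. the DNSKEY RRset must be signed with every algorithm the DS RRset names;
    3. every algorithm present in the DNSKEY RRset must sign every RRset.
    RFC 6840 section 5.11 tells validators to be lenient about rule 3, but deployed
    resolvers differ, so a signer cannot rely on that leniency."""
    findings = []
    key_algorithms = {alg for _flags, alg in dnskeys}
    ksk_algorithms = {alg for flags, alg in dnskeys if flags & SEP_FLAG}
    dnskey_sigs = rrsigs.get("DNSKEY", set())
    for alg in sorted(ds_algorithms):
        if alg not in ksk_algorithms:
            findings.append(f"DS algorithm {alg} matches no KSK in the DNSKEY RRset")
        elif alg not in dnskey_sigs:
            findings.append(f"DNSKEY RRset is not signed with DS algorithm {alg}")
    for rrtype, signed_with in rrsigs.items():
        for alg in sorted(key_algorithms - signed_with):
            findings.append(f"{rrtype} RRset has no RRSIG with algorithm {alg}")
    return findings


def after_single_algorithm_roll():
    """The same zone once every key and every signature uses algorithm 8."""
    return check_dnssec_algorithms({8}, [(257, 8), (256, 8)],
                                   {"DNSKEY": {8}, "A": {8}, "MX": {8}})


if __name__ == "__main__":
    for finding in check_dnssec_algorithms(DS_ALGORITHMS, DNSKEYS, RRSIGS):
        print(finding)
    print("after roll:", after_single_algorithm_roll())
```

In the sample the chain of trust itself is intact (the DS matches the KSK and the DNSKEY RRset carries an algorithm-7 signature), so a lenient validator gets an answer; the three findings are the rule-3 violations that a strict one trips over. Mixing algorithms is only legitimate as a transitional state during an algorithm rollover, in which every RRset is double-signed until the old keys are retired.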


Re: The Next Big Thing: Named-Data Networking

2014-09-06 Thread Rubens Kuhl

 There would be a root, or multiple roots, which would respond to
 requests to locate who should be asked about a domain, for example if
 you want to know the ip address for world.std.com the conversation
 goes roughly:

 (To Root Server):   Where is the COM server?
 (From Root Server): SOMEHOST
 (TO SOMEHOST):  Where is the STD.COM server?
 (From SOMEHOST):192.137.74.112
 (TO 192.74.137.112):WHAT IS WORLD.STD.COM's IP ADDRESS (A RECORD)?
 (FROM 192.74.137.112):  192.74.137.5

Not quite right. It actually goes like this on the wire:

(To Root Server):       WHAT IS WORLD.STD.COM's IP ADDRESS (A RECORD)?
(From Root Server):     I don't know, but SOMEHOST is the one to ask about COM
(TO SOMEHOST):          WHAT IS WORLD.STD.COM's IP ADDRESS (A RECORD)?
(From SOMEHOST):        I don't know, but 192.74.137.112 is the one to ask
                        about STD.COM
(TO 192.74.137.112):    WHAT IS WORLD.STD.COM's IP ADDRESS (A RECORD)?
(FROM 192.74.137.112):  192.74.137.5

Or the DNSSEC option:

(To Root Server):       WHAT IS WORLD.STD.COM's IP ADDRESS (A RECORD)?
(From Root Server):     I don't know, but SOMEHOST is the one to ask about COM,
                        and you can trust SOMEONE if it signs with COM-Key.
                        Signed with ROOT-Key.
(TO SOMEHOST):          WHAT IS WORLD.STD.COM's IP ADDRESS (A RECORD)?
(From SOMEHOST):        I don't know, but 192.74.137.112 is the one to ask
                        about STD.COM, and you can't tell whether you are
                        really talking to 192.74.137.112 since it's not
                        signed. Signed with COM-Key.
(TO 192.74.137.112):    WHAT IS WORLD.STD.COM's IP ADDRESS (A RECORD)?
(FROM 192.74.137.112):  192.74.137.5.


Rubens
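The DNSSEC exchange above as a runnable model, added here and not code from the post or from any DNS implementation: three constructed zones (root, COM, STD.COM) answer with referrals or an A record, each reply carrying a signature, and the resolver walks down from a root trust anchor, marking each step secure or insecure. An HMAC secret stands in for each zone's signing key (a deliberate simplification, not real DNSSEC cryptography); a referral carries the child's key only when the parent publishes a DS for it, and COM publishes none for STD.COM, so the final answer cannot be verified, exactly as described.

```python
import hmac, hashlib

# Constructed toy zones: "key" is an HMAC secret standing in for the zone's
# signing key; "deleg" maps child zone -> (server, child key if a DS exists).
ZONES = {
    ".":       {"key": b"ROOT-Key", "deleg": {"com": ("SOMEHOST", b"COM-Key")}},
    "com":     {"key": b"COM-Key",  "deleg": {"std.com": ("192.74.137.112", None)}},
    "std.com": {"key": b"STD-Key",  "data": {"world.std.com": "192.74.137.5"}},
}
TRUST_ANCHOR = b"ROOT-Key"   # the one key the resolver is configured to trust

def sign(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def query(zone, qname):
    """One authoritative server's reply: an answer or a referral, plus its signature."""
    z = ZONES[zone]
    if "data" in z:
        rr = f"{qname} A {z['data'][qname]}"
        return {"type": "answer", "rr": rr, "sig": sign(z["key"], rr)}
    # Refer to the longest delegation that is a suffix of the query name.
    child = max((d for d in z["deleg"] if qname.endswith(d)), key=len)
    host, child_key = z["deleg"][child]
    ds = child_key.hex() if child_key else ""        # empty DS == unsigned delegation
    msg = f"{child} NS {host} DS {ds}"
    return {"type": "referral", "zone": child, "host": host,
            "child_key": child_key, "msg": msg, "sig": sign(z["key"], msg)}

def resolve(qname):
    """Walk down from the root, validating each reply with the key learned from
    the previous validated step, like a DNSSEC-aware iterative resolver."""
    zone, key, trail = ".", TRUST_ANCHOR, []
    while True:
        r = query(zone, qname)
        signed = r["rr"] if r["type"] == "answer" else r["msg"]
        ok = key is not None and hmac.compare_digest(r["sig"], sign(key, signed))
        trail.append((zone, "secure" if ok else "insecure"))
        if r["type"] == "answer":
            return r["rr"].split()[-1], trail
        zone = r["zone"]
        # A referral with no DS leaves the child's key unknown, so nothing below
        # it can be verified: the STD.COM case in the exchange above.
        key = r["child_key"] if ok else None

if __name__ == "__main__":
    addr, trail = resolve("world.std.com")
    print(addr, trail)
```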


Re: Akamai charges for IPv6 support?

2014-08-18 Thread Rubens Kuhl
On Mon, Aug 18, 2014 at 1:38 PM, Aaron Hopkins li...@die.net wrote:

 Is it normal to bill for IPv6 service as a separate product?  I was
 surprised to hear from my Akamai rep that they do:

  Hi Aaron, We can add the IPV6 service to the contract at an additional
 cost of $XXX/month. Please let me know if you would like to go ahead with
 the service and I can create the contract and send it for your review.


 I've been working on adding IPv6 support to my current project on my own
 time, and am now ready to enable it.  But as soon as there is a recurring
 cost associated with IPv6 support, I need to be able to justify it.  And
 I'm afraid that I can't currently explain a benefit of enabling IPv6 for
 our users.  I'll likely end up not doing so while we're still an Akamai
 customer.

 It's Akamai's network, so it's their choice.  But big players adding
 friction to enabling IPv6 certainly doesn't seem in everyone's best
 interests in the long-term.



Is there a chargemoreforipv6.die.die.die newsgroup around?


Rubens


Re: Akamai charges for IPv6 support?

2014-08-18 Thread Rubens Kuhl
On Mon, Aug 18, 2014 at 10:03 PM, Justin M. Streiner 
strei...@cluebyfour.org wrote:

 On Tue, 19 Aug 2014, Mark Andrews wrote:

  No, I expect it to be part and parcel of the basic fees, as IPv4
 is, which I'm happy to hear it is in this case.


 Based on a response I saw in this thread earlier today, it sounds like
 IPv6 support is no longer a separate charge from Akamai.  Perhaps that
 hasn't filtered out to the salescritters yet.


Or they did get the memo, but realised that no sale == no commission.


Rubens


Re: Public DNS64

2014-08-15 Thread Rubens Kuhl
On Fri, Aug 15, 2014 at 3:29 PM, Tim Durack tdur...@gmail.com wrote:

 Anyone know of a reliable public DNS64 service?

 Would be cool if Google added a Public DNS64 service, then I could point
 the NAT64 prefix at appropriately placed boxes in my network.

 Why? Other people are better than me at running DNS resolvers :-)


No one is better than you at running DNS resolvers with low latency from
your network. Even if they can run DNS resolvers with magical capabilities,
they will still suffer from transit time.


Rubens

