Re: JunOS/FRR/Nokia et al BGP critical issue

2023-08-30 Thread Steve Noble

Tom Beecher wrote on 8/30/23 8:22 AM:


 vendors should adopt RFC7606


Yes

  and not be absolutely awful at responding to vulnerability
reporting.


1. This isn't exactly new. It's been possible to do this since the 
original days of BGP.
Literally the first thing that came into my mind was the as-set issue 
from 2 decades ago where some vendors passed it, others dropped sessions..
2. Probably not wise to assume that's accurate just because he thinks 
that is true.


On Wed, Aug 30, 2023 at 11:02 AM > wrote:


Fair update. To be clear, though, the main point of the article
stands, and is maybe even strengthened by the update. A corrupted
attribute def can cause the behavior (personal experience speaking
here with a different attribute) and vendors should adopt RFC7606
and not be absolutely awful at responding to vulnerability reporting.

On Aug 30, 2023 10:43 AM, "Jakob Heitz (jheitz) via NANOG"
<nanog@nanog.org> wrote:

The blog was updated. Correct link:

https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling

The attribute was not malformed.

This is the hex dump of the attribute: “E0 1C 00”

It is described here.

https://www.rfc-editor.org/rfc/rfc6790#section-5.2

This attribute is deprecated, but that does not prevent
routers from originating it or passing it on.

Kind Regards,

Jakob

-- Original message --

From: Mike Lyon <mike.l...@gmail.com>
To: NANOG list <nanog@nanog.org>

Ran across this article today and haven't seen posts about it so I
figured I would share:


https://blog.benjojo.co.uk/post/bgp-path-attributes-grave-error-handling?fbclid=IwAR13ePY43Vf3u4X8PDyCDT39DtyXczAKkv6CGXOQbcQv90Y3aIAmTkJxn7k_aem_Ad0hzj2Mh_WlbFZug-vGdlJJdXr2Xo0RFIsPwAU2GviPz6xZDib76YHwFuzU7E0_sJk=Zxz2cZ

Curious if anyone on the list is running VyOS and has
experienced any problems?

Cheers,
Mike

-- 
Mike Lyon

mike.l...@gmail.com 
http://www.linkedin.com/in/mlyon




--
Thank you,
Steven
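Jakob's point that the attribute was not malformed can be checked by decoding the header bytes. The following is an added example, not code from this thread, from the blog post being discussed, or from any router vendor: it walks a BGP Path Attributes field as laid out in RFC 4271 section 4.3 (flags, type code, one- or two-octet length, value) and applies the flag/type consistency rules, which RFC 7606 section 3 says should be handled per attribute ('treat-as-withdraw') rather than by resetting the session. The only input taken from the thread is the dump "E0 1C 00"; the other inputs are constructed. The type-code names and expected flag bits are from RFC 4271 (types 1 to 7), RFC 1997 (8), RFC 4760 (14, 15) and RFC 6790 section 5.2 (28).

```python
"""Decode BGP path attributes (RFC 4271, section 4.3) and check their flags.

Added example for this thread, not code from any router vendor, FRR, or the
blog post being discussed.  The first sample is the hex dump quoted above
("E0 1C 00"); every other sample is constructed here.
"""
from __future__ import annotations
from dataclasses import dataclass

# Attribute flag bits, high-order first (RFC 4271 section 4.3).
OPTIONAL, TRANSITIVE, PARTIAL, EXT_LENGTH = 0x80, 0x40, 0x20, 0x10

# Type codes: the RFC 4271 set, COMMUNITIES (RFC 1997), MP_REACH/UNREACH
# (RFC 4760) and the Entropy Label Capability attribute (RFC 6790 section 5.2,
# type 28 = 0x1C) that the dump on this thread carries.
TYPE_NAMES = {
    1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP", 4: "MULTI_EXIT_DISC",
    5: "LOCAL_PREF", 6: "ATOMIC_AGGREGATE", 7: "AGGREGATOR", 8: "COMMUNITIES",
    14: "MP_REACH_NLRI", 15: "MP_UNREACH_NLRI", 28: "ENTROPY_LABEL_CAPABILITY",
}
# Optional/Transitive bits each recognized type must carry.  Well-known
# attributes are Optional=0, Transitive=1; the Partial bit is only legal on
# optional transitive attributes.
EXPECTED_OT = {
    1: TRANSITIVE, 2: TRANSITIVE, 3: TRANSITIVE, 5: TRANSITIVE, 6: TRANSITIVE,
    4: OPTIONAL, 14: OPTIONAL, 15: OPTIONAL,
    7: OPTIONAL | TRANSITIVE, 8: OPTIONAL | TRANSITIVE, 28: OPTIONAL | TRANSITIVE,
}


@dataclass
class PathAttribute:
    flags: int
    type_code: int
    value: bytes

    @property
    def flag_names(self) -> list[str]:
        bits = ((OPTIONAL, "optional"), (TRANSITIVE, "transitive"),
                (PARTIAL, "partial"), (EXT_LENGTH, "extended-length"))
        return [name for bit, name in bits if self.flags & bit]

    @property
    def verdict(self) -> str:
        """'ok', or why the flags conflict with the type code.

        RFC 7606 section 3: a recognized attribute whose flags conflict with
        its type is malformed and gets 'treat-as-withdraw' unless its own spec
        says otherwise.  RFC 4271 section 6.3: an unrecognized attribute with
        Optional=0 is an 'Unrecognized Well-known Attribute' error.
        """
        expected = EXPECTED_OT.get(self.type_code)
        if expected is None:
            return "ok" if self.flags & OPTIONAL else "unrecognized well-known attribute"
        if (self.flags & (OPTIONAL | TRANSITIVE)) != expected:
            return (f"flag conflict: type {self.type_code} requires "
                    f"{expected:#04x}, got {self.flags & 0xC0:#04x}")
        if (self.flags & PARTIAL) and expected != (OPTIONAL | TRANSITIVE):
            return "flag conflict: Partial set on a non-optional-transitive attribute"
        return "ok"


def parse_path_attributes(data: bytes) -> list[PathAttribute]:
    """Walk a Path Attributes field.  Raises ValueError only when a declared
    length cannot be satisfied by the octets that remain."""
    attrs, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError(f"truncated attribute header at offset {i}")
        flags, type_code = data[i], data[i + 1]
        i += 2
        width = 2 if flags & EXT_LENGTH else 1   # Extended Length: 2-octet length
        if len(data) - i < width:
            raise ValueError(f"truncated length field for type {type_code}")
        length = int.from_bytes(data[i:i + width], "big")
        i += width
        if length > len(data) - i:
            raise ValueError(f"type {type_code}: declared length {length} "
                             f"exceeds the {len(data) - i} octets remaining")
        attrs.append(PathAttribute(flags, type_code, data[i:i + length]))
        i += length
    return attrs


def decode_hex(hex_dump: str) -> list[dict]:
    """Decode a hex dump like the one quoted in this thread into readable rows."""
    return [{"type": a.type_code,
             "name": TYPE_NAMES.get(a.type_code, "unknown"),
             "flags": a.flag_names,
             "length": len(a.value),
             "verdict": a.verdict}
            for a in parse_path_attributes(bytes.fromhex(hex_dump))]


def is_well_formed(hex_dump: str) -> bool:
    """True when every attribute parses and none has a flag/type conflict."""
    try:
        return all(row["verdict"] == "ok" for row in decode_hex(hex_dump))
    except ValueError:
        return False


if __name__ == "__main__":
    # The dump from the thread: Optional|Transitive|Partial, type 28, length 0.
    for row in decode_hex("E0 1C 00"):
        print(row)
    # Constructed counter-examples: ORIGIN with the Optional bit set, and an
    # attribute whose declared length overruns the buffer.
    print(decode_hex("C0 01 01 00")[0]["verdict"])
    print(is_well_formed("E0 1C 05 00"))
```

Decoding the dump gives Optional, Transitive and Partial set, type 28 (Entropy Label Capability), length 0: a syntactically valid attribute, which is Jakob's point. Deprecated is not the same as malformed, and an implementation that has a parse path for an attribute it no longer expects to see is the difference between passing the route on and a session reset. The verdict is returned per attribute so a caller can apply RFC 7606's per-attribute handling; the parser only raises when a declared length cannot fit, since that is the one case where the rest of the field can no longer be located.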


Re: [External] Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023

2022-09-16 Thread Steve Noble




William Herrin wrote on 9/16/22 9:28 AM:

On Fri, Sep 16, 2022 at 9:09 AM Steve Noble  wrote:

On Fri, Sep 16, 2022, 8:55 AM John Curran  wrote:

It’s an artifact of our formation that we are presently providing services to 
any customers absent any agreement
and while ARIN continues to do so (by providing basic services to legacy 
customers), the long-term direction is
to provide the same services to all customers under the same agreement and fees 
– anything else wouldn’t be
equitable.

(This is the direction that the ARIN Board of Trustees has set based on 
community input; I will note that
the ARIN Board is itself elected by the community and that we have our annual 
election upcoming –


Unless the rules have changed, this statement is incorrect.

The board is not elected by the community, it is elected by ARIN customers who 
pay for the privilege to vote.

Even though I pay significant money to ARIN I am not allowed to vote, but as 
far as I know, I am a part of the community.

Hi Steve,

Actually, the rules HAVE changed. Under the new fee schedule, every
payer except AS-only payers are eligible to vote. ARIN still has a lot
of structural deficiencies but in this particular respect they made a
major improvement.

Regards,
Bill Herrin


Hi Bill,

I appreciate your response. I remember all of the discussions around 
this change and the positive/negative aspects of it, but it did not 
correct the disenfranchisement of ASN-only holders who are customers and 
do have to pay for services which are voted on and affected by the voting.


--
Thank you,
Steven


Re: [External] Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023

2022-09-16 Thread Steve Noble



John Curran wrote on 9/16/22 9:30 AM:


On 16 Sep 2022, at 12:26 PM, Steve Noble <sno...@sonn.com> wrote:



On Fri, Sep 16, 2022, 9:23 AM John Curran <jcur...@arin.net> wrote:



Steve -

If you have IPv4 or IPv6 resources under an RSA/LRSA, then you
are an ARIN service member.

ARIN service members in good standing can (via ARIN online or by
contacting the RSD helpdesk) opt
to become ARIN general members and participate in ARIN governance
– this includes agreeing to be
included on the ARIN member list, assigning a voting contact for
your organization, and participating in
ARIN elections.


Hi John,

My point was that you said community, not general members.  I 
understand that I am blocked from voting because I don't pay enough.


There is no additional fee involved in becoming an ARIN general member 
- it’s available
to all service members in good standing upon request (“good standing” 
meaning current

with ARIN on their invoiced fees.)

For more information see here – 
https://www.arin.net/announcements/20211229/


Hi John,

In my reading of that announcement, there is an additional fee. I do 
not have any IPv4 or IPv6 resources, so I would need to acquire them and 
pay for them to be allowed to vote on things that directly affect me.  I 
am not sure how this is different than before.  I am still 
disenfranchised as an ASN-only customer.


"Presently be an ARIN Service Member in good standing with IPv4 and/or 
IPv6 number resources receiving services under a valid ARIN registration 
services agreement."


--
Thank you,
Steven


Re: [External] Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 December 20

2022-09-16 Thread Steve Noble
On Fri, Sep 16, 2022, 9:23 AM John Curran  wrote:

>
> On 16 Sep 2022, at 12:09 PM, Steve Noble  wrote:
>
> (This is the direction that the ARIN Board of Trustees has set based on
>> community input; I will note that
>> the ARIN Board is itself elected by the community and that we have our
>> annual election upcoming –
>>
>
> Unless the rules have changed, this statement is incorrect.
>
> The board is not elected by the community, it is elected by ARIN customers
> who pay for the privilege to vote.
>
> Even though I pay significant money to ARIN I am not allowed to vote, but
> as far as I know, I am a part of the community.
>
>
> Steve -
>
> If you have IPv4 or IPv6 resources under an RSA/LRSA, then you are an ARIN
> service member.
>
> ARIN service members in good standing can (via ARIN online or by
> contacting the RSD helpdesk) opt
> to become ARIN general members and participate in ARIN governance – this
> includes agreeing to be
> included on the ARIN member list, assigning a voting contact for your
> organization, and participating in
> ARIN elections.
>

Hi John,

My point was that you said community, not general members.  I understand
that I am blocked from voting because I don't pay enough.


> See more information here -
> https://www.arin.net/participate/oversight/membership/explained/
>
> Thanks,
> /John
>
> John Curran
> President and CEO
> American Registry for Internet Numbers
>
>


Re: [External] Normal ARIN registration service fees for LRSA entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the Legacy Fee Cap for New LRSA Entrants Ending as of 31 December 20

2022-09-16 Thread Steve Noble
On Fri, Sep 16, 2022, 8:55 AM John Curran  wrote:

> Tom -
>
> It’s an artifact of our formation that we are presently providing services
> to any customers absent any agreement
> and while ARIN continues to do so (by providing basic services to legacy
> customers), the long-term direction is
> to provide the same services to all customers under the same agreement and
> fees – anything else wouldn’t be
> equitable.
>
> (This is the direction that the ARIN Board of Trustees has set based on
> community input; I will note that
> the ARIN Board is itself elected by the community and that we have our
> annual election upcoming –
>

Unless the rules have changed, this statement is incorrect.

The board is not elected by the community, it is elected by ARIN customers
who pay for the privilege to vote.

Even though I pay significant money to ARIN I am not allowed to vote, but
as far as I know, I am a part of the community.

> https://www.arin.net/announcements/20220906-arinslate/ )
>
> FYI,
> /John
>
> John Curran
> President and CEO
> American Registry for Internet Numbers
>
>
> On 16 Sep 2022, at 9:55 AM, Tom Krenn via NANOG  wrote:
>
> Thanks John! I’ve been working on this with our attorneys for almost a
> year. I did send over the revisions and it will be good to see what they
> say. But I’m not sure it will be enough to reduce the perceived risk. Has
> ARIN considered separating the fee structure and service goals from the
> drive to get everyone under an RSA?
>
> Tom Krenn
>
> Network Architect
>
> Enterprise Architecture - Information Technology
>
> *From:* John Curran 
> *Sent:* Thursday, September 15, 2022 8:42 PM
> *To:* Tom Krenn 
> *Cc:* Rubens Kuhl ; North American Network Operators'
> Group 
> *Subject:* Re: [External] Normal ARIN registration service fees for LRSA
> entrants after 31 Dec 2023 (was: Fwd: [arin-announce] Availability of the
> Legacy Fee Cap for New LRSA Entrants Ending as of 31 December 2023)
>
>
>
> On 15 Sep 2022, at 9:29 PM, Tom Krenn via NANOG  wrote:
>
> An interesting idea, but like others have said I think the ship may have
> sailed for RPKI. Really I have no problem with the ARIN fees. They are a
> drop in the bucket for most network budgets. In fact as a legacy holder I
> would gladly pay the same as an RIR-allocated resource holder if it would
> allow the use of the more advanced services. It's the ownership question
> and RSA/LRSA language that throws the wrench in everything.
>
> As John said " I will note that ARIN’s approach is the result of aiming
> for a different target – that more specifically being the lowest possible
> fees administered on an equitable basis for _all resource holders_ in the
> region.". If that's the goal, give us the option to pay the same without
> all the legal mess around signing the RSA/LRSA. I'm sure that's what has
> been holding some organizations back for the couple decades mentioned. It
> has been the major stumbling point for a few of the ones I've been part of
> over the years.
>
>
> Tom -
>
> Over the years, ARIN has made several revisions to the RSA/LRSA to make it
> both clearer and more customer friendly,
> and the most recent version (announced earlier this week - <
> https://www.arin.net/announcements/20220912/
> >)
> strikes
> much of the language in section 7 that some legal teams had objection to…
>   It is likely not everything you want, but I
> would suggest taking a fresh look at it as it was substantially reduced
> specifically to address the most cited customer
> concern regarding the legal obligations in the prior version of the
> RSA/LRSA.
>
> FYI,
> /John
>
> John Curran
> President and CEO
> American Registry for Internet Numbers
>
>
>
>
> *Disclaimer:* If you are not the intended recipient of this message,
> please immediately notify the sender of the transmission error and then
> promptly permanently delete this message from your computer system.
>
>
>


Re: Free Open Source Network Operating Systems

2019-03-09 Thread Steve Noble




Brandon Martin wrote on 3/9/19 12:18 PM:

On 3/9/19 11:36 AM, Jason Lixfeld wrote:
I could be making this up, but my understanding is that the Broadcom 
SDK is not free, and without the SDK, hardware interaction is limited.


It likely is not.

What would be interesting to know, however, is if the terms under 
which it (or at least the necessary hardware documentation) is 
distributed would permit a clean F/OSS implementation.


If it would, then you just need to find someone at Broadcom to give 
you the time of day...


If you don't need the SDK specifically and are using a Broadcom based 
switch you can get of-dpa or OpenNSL for multiple switches from 
https://github.com/Broadcom-Switch/ .  You can also normally get of-dpa, 
OpenNSL and even SAI from the switch vendor directly.


Re: BGP Experiment

2019-01-08 Thread Steve Noble

There is no such thing as a fully RFC compliant BGP:

https://www.juniper.net/documentation/en_US/junos/topics/reference/standards/bgp.html 
does not list 7606


Cisco Bug: CSCvf06327 - Error Handling for RFC 7606 not implemented for NXOS

This is as of today and a 2 second google search.. anyone running code 
from before RFC 7606 (2015) would also not be compliant.


I did not see Juniper on the list of BGP speakers tested.

Töma Gavrichenkov wrote on 1/8/19 9:31 AM:

8 Jan. 2019, 20:19 <na...@bakker.net>:
> In the real world, doing the correct thing

— such as writing RFC compliant code —

> is often harder than doing
> an incorrect thing, yes.

Evidently, yes.





Re: AS Numbers unused/sitting for long periods of time

2018-01-02 Thread Steve Noble
Inaccurate whois data from ARIN is not a good way to tell anything as 
ARIN is terrible to deal with when you need to update an address or 
phone number or anything.  I know personally as I had to fight for years 
to update the data on an ASN that ARIN was billing me to manage the data 
for.



Chris Adams 
January 2, 2018 at 2:56 PM

I know of two (from a former job) that pre-date ARIN that haven't been
used since 1999 because those two companies no longer exist (nor AFAIK
does any successor company). The whois information is bogus at this
point, but I couldn't prove that.

I expect that AS numbers allocated by ARIN and other current RIRs are
not abandoned like that (since they charge annual fees, and I assume
they reclaim for non-payment), so the number of abandoned AS numbers is
probably not growing significantly (and would not grow beyond the
pre-RIR pool).

With 32 bit AS numbers though, what's the point of making an effort to
reclaim the old AS numbers? BGP4 has been shown to handle alternate
length AS numbers, so if somehow 4 billion are allocated, it probably
won't be a big deal to extend BGP again.

James Breeden 
January 2, 2018 at 2:46 PM
Before I take this to the ARIN PPML, wanted to get NANOG's thoughts.


I'm amazed at the number of AS numbers that are assigned, but not 
actively being used. I'm not talking just like they are offline for a 
week or month, this is complete non-use of the AS in the global 
routing table within *years*. They are completely abandoned resources 
- Whois data is inaccurate by 5-10 years, no routeviews data in the 
same time period, the owning organization (if you can find it) 
scratches their heads about responding whether they use it or not, etc.



I know we're currently not in a push to get AS numbers or close to 
exhaustion, but I do believe that people who have global AS numbers 
should have a requirement to use them or return them to the global 
pool. Am I the only one thinking this?



And before you come back with "Well they may be using it internally 
where it doesn't need to be in the GRT" - that's why we have Private 
AS numbers.



I.e. some form of ARIN or global policy that basically says "If AS 
number not routed or whois updated or used in 24 months, said AS 
number can be public noticed via mailing list and website and then 
revoked and reissued to a pending, approved AS request"



Just thinking aloud. Happy New Year all!


James W. Breeden

Managing Partner




Arenal Group: Arenal Consulting Group | Acilis Telecom | Pines Media

PO Box 1063 | Smithville, TX 78957

Email: ja...@arenalgroup.co | office 
512.360. | cell 512.304.0745 | 
www.arenalgroup.co




Re: Low Cost 10G Router

2015-05-19 Thread Steve Noble
You could potentially do it with a Vyatta 5600 or a 6Wind Turbo router
running on a generic server, but I am not sure where the cost crossover
is with physical hardware especially if you go with used hardware.

 Colton Conor <colton.co...@gmail.com>
 May 19, 2015 at 10:22 AM
 What options are available for a small, low cost router that has at least
 four 10G ports, and can handle full BGP routes? All that I know of are the
 Juniper MX80, and the Brocade CER line. What does Cisco and others have
 that compete with these two? Any other vendors besides Juniper, Brocade,
 and Cisco to look at?


RE: What happened to Schprokits?

2015-03-13 Thread Steve Noble
There are other stealth companies in the space. I still see activity on
Twitter (favorites, etc.) so I think he is still active. We will see good things
in the space.
On Mar 13, 2015 11:31 AM, Adrian Beaudin adrian.beau...@nominum.com
wrote:

 it looks like (according to linkedin) that  Jeremy has moved to a stealth
 startup.

 -a


 Adrian Beaudin
 Principal Architect, Special Projects
 Nominum, Inc.
 o: +1.650.587.1513
 adrian.beau...@nominum.com



 
 From: NANOG [nanog-boun...@nanog.org] on behalf of Scott Whyte [
 swh...@gmail.com]
 Sent: Friday, March 13, 2015 11:09 AM
 To: nanog@nanog.org
 Subject: What happened to Schprokits?

 Schprokits was mentioned at NANOG63 but http://www.schprokits.com/
 doesn't look too good.

 What happened?



Re: So Philip Smith / Geoff Huston's CIDR report becomes worth a good hard look today

2014-08-13 Thread Steve Noble

Sprint also had 192/2 in the RADB :)

manning bill wrote:


Sprint used to proxy aggregate… I remember 128.0.0.0/3

the real question, imho, is if folks are going to look into their 
crystal balls and roadmap where the default offered is a /32 (either 
v4 or v6)

and plan accordingly, or just slap another bandaid on the oozing wound...

/bill
PO Box 12317
Marina del Rey, CA 90295
310.322.8102





Re: Inevitable death, was Re: Verizon Public Policy on Netflix

2014-07-18 Thread Steve Noble
Hi Jared,

I know you will see the irony in my next statement..

Brett: you should talk to level 3 again, they are looking to connect to
anyone to help with Netflix connectivity.

http://blog.level3.com/global-connectivity/verizons-accidental-mea-culpa/

The above URL is a great place to start.
On Jul 17, 2014 5:21 AM, Jared Mauch ja...@puck.nether.net wrote:


 On Jul 15, 2014, at 9:48 PM, George Herbert george.herb...@gmail.com
 wrote:

  On Jul 15, 2014, at 5:02 PM, Brett Glass na...@brettglass.com wrote:
 
  At 05:10 PM 7/15/2014, George Herbert wrote:
 
  Layer3 runs right through Laramie. With a redundant run slightly
 south.  What conversations have you had with them?...
 
  At first, Level3 completely refused us. Then, they quoted us a rate
 several times higher than either of our existing upstreams for bandwidth.
 Even at that price, they refused to let us link to them via wireless
 (requiring us to either buy easements or buy land adjacent to their
 building, which sits on rented land).
 
  Local fiber provider?  How does everyone else tie in to Layer3 in
 Laramie?
 
  And, find a Layer3 reseller who can handle the cost problem.  There are
 a bunch.  I can recommend one privately if you can't find one.
 
  Buying retail markups from the vendor who wants to sell wholesale only
 does not scale.

 The problem is partly a technological one.  If you have a fiber span from
 east- west it doesn't make sense to OEO when you can just plop in a bidi
 amplifier.  That OEO cost isn't very high, but hitting every city like
 that becomes expensive quickly.  This is why your 10G from EQUINIX-SJ to
 EQUNIX-ASH costs the same as the 10G loop from the DC to your local office.
  The cost is the OEO ends.  If you're not in a fiber rich environment you
 are screwed.  I have att fiber less than 1200 feet from me but they do not
 offer any non-dialtone services in my area.  I'm all-poles to the end of
 the new comcast segment as well but due to a mid-part that doesn't have the
 density required to meet their metrics there continue to be only fixed
 wireless choices here.

 Others have suggested the UBNT gear.  I'm using it myself, but I'll say..
 it still leaves a lot to be desired.  It's mostly meant for use in less
 developed countries.  Their latest 5Ghz access gear often takes 6-12 months
 to get FCC certified to operate in the full 5ghz band.  With the recent
 opening all the way down to 5.1 this spring with the FCC that certification
 process restarted.  They are great for hopping short distances at high
 speeds in the US, but are very susceptible to interference.  (The NanoBeam,
 now PowerBeam is a bit better).

 my backhaul is 3 miles and works well for my use case.  Cheaper than the
 T1 before and higher speeds.  There's a lot of people in wispa around the
 edges you can find doing things, and many others doing it that aren't in
 wispa.  Most are small businesses (Some are larger) and suffer from poor
 business choices, but the biggest problem I see is lack of ability to get
 high speed access as Brett is commenting.  Prices may be low at the major
 DCs but out in these areas expect $10/Mb or more, sometimes not including
 loop.

 - Jared


Re: ARIN Wants Your Feedback

2014-02-13 Thread Steve Noble
I answered it truthfully, I clicked a lot of 1s.
On Feb 13, 2014 10:21 PM, Randy Bush ra...@psg.com wrote:

 the survey questions are highly biased toward arin's view of itself.
 just one example.  you ask how well arin serves it's members and
 customers.  you do not ask how well it serves the internet community,
 the internet, or society in general.  and that particular bias in
 viewpoint is at the core of arin's failure.

 randy




Re: Possible DNS issues at Networksolutions aka WORLDNIC.COM?

2013-10-22 Thread Steve Noble

I noticed Kaiser uses them, sites not resolving.. This should be a fun day for 
call centers :(

Robert Glover wrote:

On 10/22/2013 9:59 AM, Mark Keymer wrote:

Anyone else seeing resolving issues on WORLDNIC.COM DNS servers?


Yes.  We started getting calls from customers with domains using
*.worldnic.com (i.e. Network Solutions) in the last 15 minutes or so.

-Bobby





Re: Possible DNS issues at Networksolutions aka WORLDNIC.COM?

2013-10-22 Thread Steve Noble

It's at least permanente.net which they use for some of their sites:

http://kp.org/mydoctor/denisearvay redirects to permanente.net

Oops! Google Chrome could not find www.permanente.net

  Administrative Contact, Technical Contact:
  Sadayappan, Prince   prince.i.sadayap...@kp.org
  Kaiser Permanente
  1800 Harrison st
  Oakland, CA 94612
  US
  510-625-6996


  Record expires on 12-Nov-2017.
  Record created on 12-Nov-1999.
  Database last updated on 22-Oct-2013 12:38:41 EDT.

  Domain servers in listed order:

  NS51.WORLDNIC.COM   205.178.190.26
  NS52.WORLDNIC.COM   206.188.198.26


Christopher Morrow wrote:

not doubting the call-center thing, but:

;; ANSWER SECTION:
kaiserpermanente.com.   86400   IN      NS      ea-dns14.kp.org.
kaiserpermanente.com.   86400   IN      NS      ea-dns36.kp.org.
kaiserpermanente.com.   86400   IN      NS      ea-dns25.kp.org.

;; ANSWER SECTION:
kaiser.com.             7200    IN      NS      ns65.worldnic.com.
kaiser.com.             7200    IN      NS      ns66.worldnic.com.

Registrant:
Kaiser Interests
338 Clayton St
#10
Denver, CO 80220
US

Domain Name: KAISER.COM


Promote your business to millions of viewers for only $1 a month
Learn how you can get an Enhanced Business Listing here for your domain 
name.
Learn more at http://www.NetworkSolutions.com/


Administrative Contact:
Kaiser, Hal  kai...@kaiser.com
435 CLAYTON ST
DENVER, CO 80206-4230
US

sure that's the kaiser you're looking for?

On Tue, Oct 22, 2013 at 1:26 PM, Steve Noblesno...@sonn.com  wrote:

I noticed Kaiser uses them, sites not resolving.. This should be a fun day
for call centers :(


Robert Glover wrote:

On 10/22/2013 9:59 AM, Mark Keymer wrote:

Anyone else seeing resolving issues on WORLDNIC.COM DNS servers?


Yes.  We started getting calls from customers with domains using
*.worldnic.com (i.e. Network Solutions) in the last 15 minutes or so.

-Bobby





Re: OpenFlow, please don't start a flame war...

2012-12-14 Thread Steve Noble
On Dec 14, 2012 8:47 PM, Jeff Kell jeff-k...@utc.edu wrote:

 Yeah, it's the neatest thing since sliced bread, but requires layer-2
 connectivity across the board.  When you exhaust your mac address
 tables, we'll welcome you back to the real world.

I think you are confusing vendor solutions with a protocol.

For OpenFlow related learning and hands on I suggest the routeflow project.

https://sites.google.com/site/routeflow/home