RE: IPv6 Unique Local Addresses

2018-03-02 Thread Nicholas Warren
Please don't take away ULA. >> You really think that doing ULA according to the RFCs (collision >> avoidance algorithm and all) is easier than filling out a form at HE? >> REALLY? > > Yes. It's hard enough to sell ipv6 for LAN without adding having to get a tunnel, register with a RIR,

Comcast NOC Contact

2018-03-02 Thread Robert Webb
I know Virginia is having wind issues today. But can anyone from Comcast comment on intermittent routing issues between Charlottesville, VA and Ashburn, VA on their backbone? Issue appears to be between 69.139.206.9 ae-45-ar02.charlvilleco.va.ibone.comcast.net and 68.86.91.53

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-02 Thread Stephen Satchell
On 03/01/2018 02:55 PM, Royce Williams wrote: Upstream, until two days ago, the default was to listen on all interfaces. https://github.com/memcached/memcached/wiki/ReleaseNotes156 The package maintainers were (thankfully) injecting additional sanity. Yes, they did, in commit dbb7a8af. Here

Weekly Routing Table Report

2018-03-02 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG, CaribNOG TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG, IRNOG and the RIPE Routing WG. Daily listings are

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-02 Thread Stephen Satchell
Testing on a recently-loaded VM of CentOS 7.3: [root@localhost odd]# netstat -tan | grep 11211 [root@localhost odd]# netstat -uan | grep 11211 [root@localhost odd]# yum install memcached [root@localhost odd]# systemctl start memcached.service [root@localhost odd]# netstat -tan | grep 11211 tcp

Re: IPv6 Unique Local Addresses

2018-03-02 Thread Owen DeLong
> On Mar 2, 2018, at 7:55 AM, Nicholas Warren wrote: > > Please don't take away ULA. > >>> You really think that doing ULA according to the RFCs (collision >>> avoidance algorithm and all) is easier than filling out a form at HE? >>> REALLY? >> >> Yes. > > It's

RE: Comcast NOC Contact

2018-03-02 Thread Robert Webb
Thanks to all off list replies. Comcast rep was able to help out getting info over to the NOC. -Original Message- From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Robert Webb Sent: Friday, March 2, 2018 10:53 AM To: nanog@nanog.org Subject: Comcast NOC Contact I know Virginia

Re: BCP 38 addendum (was: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Mike Hammett
https://en.wikipedia.org/wiki/Reverse_path_forwarding#Loose_mode towards transit. https://en.wikipedia.org/wiki/Reverse_path_forwarding#Strict_mode towards customers. Peers... *shrugs*. - Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP

Re: dnswl.org contact

2018-03-02 Thread Matthias Leisi
> On 02.03.2018 at 00:55, Randy Bush wrote: > > anyone have contact with the dnswl.org folk? replied off-list. — Matthias

Re: BCP 38 addendum

2018-03-02 Thread joel jaeggli
On 3/1/18 10:57 AM, Todd Crane wrote: > Question: > Since we cannot count on everyone to follow BCP 38 or investigate their > abuse@, I was thinking about the feasibility of using filtering to prevent > spoofing from peers’ networks. > > With the exception of a few edge cases, would it be

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-02 Thread Mark Andrews
Are you insane. ISPs should never use RFC 1918 addresses for stuff that talks to their customers. They have no way of knowing which addresses the customers are using. Traffic from RFC 1918 addresses should be dropped by any sane border router which all routers connecting to an ISP are. --

BCP 38 addendum (was: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Todd Crane
Question: Since we cannot count on everyone to follow BCP 38 or investigate their abuse@, I was thinking about the feasibility of using filtering to prevent spoofing from peers’ networks. With the exception of a few edge cases, would it be possible to filter inbound traffic allowing only

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Matt Erculiani
Not sure if this is the common thought, but if anyone has a network which requires static IP assignments, they can probably justify a request for a /48 from an RIR. After all, ARIN's requirement for an end-user IPv6 block is, at minimum: "Justify why IPv6 addresses from an ISP or other LIR are

Re: IPv6 Unique Local Addresses

2018-03-02 Thread Matthew Kaufman
Exactly what Matt Harris says here... ULA is free. Space obtained from ARIN is not. You want to discourage someone from doing the right thing, charge a lot for that. Matthew Kaufman On Fri, Mar 2, 2018 at 11:30 AM Matt Harris wrote: > On Fri, Mar 2, 2018 at 11:08 AM, Owen

Re: IPv6 Unique Local Addresses

2018-03-02 Thread Matt Harris
On Fri, Mar 2, 2018 at 2:45 PM, Owen DeLong wrote: > Space from tunnel brokers is also free. > > Owen > For myriad reasons (added latency, reliability concerns related to relying on traffic over a connection which doesn't offer an SLA or recourse for downtime, lack of support

Re: IPv6 Unique Local Addresses

2018-03-02 Thread Matt Harris
On Fri, Mar 2, 2018 at 11:08 AM, Owen DeLong wrote: > > I doubt anyone is taking it away, pointless and useless as it is. > > Owen > I'm not sure I'd say it's pointless and useless. It's free, which gives it at least some point/use case, versus IPv6 space obtained from an RIR

Re: IPv6 Unique Local Addresses

2018-03-02 Thread Owen DeLong
Space from tunnel brokers is also free. Owen > On Mar 2, 2018, at 12:40 PM, Matthew Kaufman wrote: > > Exactly what Matt Harris says here... ULA is free. Space obtained from ARIN > is not. You want to discourage someone from doing the right thing, charge a > lot for that.

Re: BCP 38 addendum (was: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Barry Raveendran Greene
Hi Todd, What you are describing is uRPF VRF mode. This was phase 3 of the uRPF work. Russ White and I worked on it while at Cisco. Given that you are setting up prefix filters with your peers, you can add to the peering agreement that you will only accept packets whose source addresses

Re: IPv6 Unique Local Addresses

2018-03-02 Thread Owen DeLong
Once again, you’re talking about usability of the addresses for internet connectivity. I don’t understand the relevance since we’re talking about a GUA based substitute for ULA. What am I missing? Owen > On Mar 2, 2018, at 1:29 PM, Bryan Holloway wrote: > > Another problem

Re: IPv6 Unique Local Addresses

2018-03-02 Thread Matt Harris
On Sat, Mar 3, 2018 at 12:33 AM, Owen DeLong wrote: > Sure… You have to maintain the tunnel or they may reassign/reallocate the > address. Here’s the reality of that, however: > > 1. Unless you care about reaching the customer they reassigned it to from > your network, you don’t

Re: IPv6 Unique Local Addresses

2018-03-02 Thread Owen DeLong
> On Mar 2, 2018, at 1:06 PM, Matt Harris wrote: > > On Fri, Mar 2, 2018 at 2:45 PM, Owen DeLong > wrote: > Space from tunnel brokers is also free. > > Owen > > For myriad reasons (added latency, reliability concerns related to

Re: IPv6 Unique Local Addresses

2018-03-02 Thread Owen DeLong
Sure… You have to maintain the tunnel or they may reassign/reallocate the address. Here’s the reality of that, however: 1. Unless you care about reaching the customer they reassigned it to from your network, you don’t care. 2. Using it for ULA in addition to the tunnel isn’t really

Re: IPv6 Unique Local Addresses

2018-03-02 Thread John Osmon
On Sat, Mar 03, 2018 at 12:38:58AM -0600, Matt Harris wrote: > I'm not sure where you're getting the $100 figure from, ARIN's minimum fee > for an allocation is $250/year [...] End Users have a different fee structure: Annual maintenance fees are $100 for each IPv4 address block, $100 for

Re: IPv6 Unique Local Addresses

2018-03-02 Thread Owen DeLong
> On Mar 2, 2018, at 10:38 PM, Matt Harris wrote: > > On Sat, Mar 3, 2018 at 12:33 AM, Owen DeLong > wrote: > Sure… You have to maintain the tunnel or they may reassign/reallocate the > address. Here’s the reality of that, however:

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread John Levine
In article you write: >What can you do with ULA that GUA isn’t suitable for? I have a home network with two segments, one wired and one wireless. It has IPv6 addresses assigned by my ISP, Spectrum nee TWC, which probably won't change but who

Re: Peering with abusers...good or bad?

2018-03-02 Thread Job Snijders
On Sat, 3 Mar 2018 at 01:08, Bryan Holloway wrote: > > On 3/2/18 5:29 PM, Ca By wrote: > > On Fri, Mar 2, 2018 at 2:13 PM Matthew Petach > wrote: > > > >> On Tue, Feb 27, 2018 at 4:13 PM, Dan Hollis > >> wrote: > >>> OVH does not

Peering with abusers...good or bad?

2018-03-02 Thread Matthew Petach
On Tue, Feb 27, 2018 at 4:13 PM, Dan Hollis wrote: > OVH does not surprise me in the least. > > Maybe this is finally what it will take to get people to de-peer them. > If I de-peer them, I pay my upstream to carry the attack traffic. If I maintain peering with them, the

Re: Peering with abusers...good or bad?

2018-03-02 Thread Ca By
On Fri, Mar 2, 2018 at 2:13 PM Matthew Petach wrote: > On Tue, Feb 27, 2018 at 4:13 PM, Dan Hollis > wrote: > > OVH does not surprise me in the least. > > > > Maybe this is finally what it will take to get people to de-peer them. > > > > If I

Re: Peering with abusers...good or bad?

2018-03-02 Thread Job Snijders
On Sat, 3 Mar 2018 at 01:23, Baldur Norddahl wrote: > So I want to buy additional ports at each IX. The slowest speed they offer. > If I am lucky they have a free 100 Mbps. And then I just announce the > prefix I want to blackhole. Doesn't matter that the port

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-02 Thread K. Scott Helms
They use separate service flows and layer 3 interfaces (usually) in DOCSIS networks but they often use the same DNS infrastructure which is why I piped up. Scott Helms On Mar 2, 2018 4:46 PM, "Michel 'ic' Luczak" wrote: The ones I know do so on private VLANs (or ATM

Average number of ports on OLT cards

2018-03-02 Thread Jean-Francois Mezei
Quick question: (sanity check). For a deployment happening now by an incumbent telco (aka: serving large number of homes), how many GPON ports would it want per each OLT card ? or more precisely, what sort of range is there for the number of ports for such a deployment? (The CRTC in Canada is

Re: Peering with abusers...good or bad?

2018-03-02 Thread Baldur Norddahl
So I want to buy additional ports at each IX. The slowest speed they offer. If I am lucky they have a free 100 Mbps. And then I just announce the prefix I want to blackhole. Doesn't matter that the port overloads. I am just going to null route the traffic anyway... Regards Baldur Den 3. mar.

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-02 Thread K. Scott Helms
I won't comment on the sanity of doing so, but _many_ service providers use EMTAs, ATAs, and other voice devices over RFC1918 space back to their core. On Fri, Mar 2, 2018 at 4:11 PM, Mark Andrews wrote: > Are you insane. ISPs should never use RFC 1918 addresses for stuff that >

Re: IPv6 Unique Local Addresses

2018-03-02 Thread Matthew Kaufman
Section 3 of https://tunnelbroker.net/tos.php It isn't "free". It may be included with a service that is currently available for free, but they aren't providing free address space for an unlimited period. Matthew Kaufman On Fri, Mar 2, 2018 at 12:45 PM Owen DeLong wrote: >

Re: IPv6 Unique Local Addresses

2018-03-02 Thread Bryan Holloway
Another problem with tunnel brokers is that they are sometimes flagged by content providers as being some sort of "proxy", and consequently won't send you traffic. Notably, Netflix. On 3/2/18 3:06 PM, Matt Harris wrote: On Fri, Mar 2, 2018 at 2:45 PM, Owen DeLong wrote:

Re: Peering with abusers...good or bad?

2018-03-02 Thread Bryan Holloway
On 3/2/18 5:29 PM, Ca By wrote: On Fri, Mar 2, 2018 at 2:13 PM Matthew Petach wrote: On Tue, Feb 27, 2018 at 4:13 PM, Dan Hollis wrote: OVH does not surprise me in the least. Maybe this is finally what it will take to get people to de-peer

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Enno Rey
Hi, On Thu, Mar 01, 2018 at 09:30:32PM -0500, Harald Koch wrote: > On 1 March 2018 at 18:48, Mark Andrews wrote: > > > ULA provide stable internal addresses which survive changing ISP > > for the average home user. > > > Yeah this is pretty much what I'm doing. ULA for stable,

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Saku Ytti
Enno et al ULA fans I could not agree more. Either you provide your enterprise customers transportable address or ULA. If you assign and promote them to use your 'PA' address, they will take your PA address with them when they change operator 10 years from now, and if you reuse it, these two

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong
> On Mar 2, 2018, at 19:25, Bjørn Mork wrote: > > Owen DeLong writes: > >>> On Mar 2, 2018, at 3:17 AM, Bjørn Mork wrote: >>> >>> Owen DeLong writes: >>> What can you do with ULA that GUA isn’t suitable for? >>> >>> 1)

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong
> On Mar 2, 2018, at 1:50 AM, Saku Ytti wrote: > > Enno et al ULA fans > > I could not agree more. > > Either you provide your enterprise customers transportable address or > ULA. If you assign and promote them to use your 'PA' address, they > will take your PA address with them

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Bjørn Mork
Owen DeLong writes: > What can you do with ULA that GUA isn’t suitable for? 1) get 2) keep 3) move Granted, many of us can do that with GUAs too. But with ULA those features are available to everyone everywhere. Which is useful for a number of applications where you care

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Bjørn Mork
Owen DeLong writes: >> On Mar 2, 2018, at 3:17 AM, Bjørn Mork wrote: >> >> Owen DeLong writes: >> >>> What can you do with ULA that GUA isn’t suitable for? >> >> 1) get >> 2) keep >> 3) move > > Wrong. > > 1) get > Easy as going to

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks

2018-03-02 Thread Bjørn Mork
Owen DeLong writes: > I don’t agree that making RFC-1918 limitations a default in any daemon makes > any > sense whatsoever. +1 One of the more annoying anti-features I know of in this regard is the dnsmasq rebind "protection". It claims to protect web browsers on the LAN

Re: IPv6 Unique Local Addresses

2018-03-02 Thread sthaug
> > ULA at inside and 1:1 to operator address in the edge is what I've > > been recommending to my enterprise customers since we started to offer > > IPv6 commercially. Fits their existing processes and protects me from > > creating tainted unusable addresses. > > Oh, please. NAT all over again?

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong
> On Mar 1, 2018, at 6:30 PM, Harald Koch wrote: > > On 1 March 2018 at 18:48, Mark Andrews wrote: > >> ULA provide stable internal addresses which survive changing ISP >> for the average home user. > > > Yeah this is pretty much what I'm doing. ULA for

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong
> On Mar 1, 2018, at 5:30 PM, Mark Andrews wrote: > > >> On 2 Mar 2018, at 11:48 am, Matt Erculiani wrote: >> >> Not sure if this is the common thought, but if anyone has a network >> which requires static IP assignments, they can probably justify a >>

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong
> On Mar 2, 2018, at 3:17 AM, Bjørn Mork wrote: > > Owen DeLong writes: > >> What can you do with ULA that GUA isn’t suitable for? > > 1) get > 2) keep > 3) move Wrong. 1) get Easy as going to http://tunnelbroker.net and

Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-02 Thread Owen DeLong
For that matter, if we can kill IPv4, we have plenty of headroom for a LOT of IPv6 PI space. Owen > On Mar 1, 2018, at 4:48 PM, Matt Erculiani wrote: > > Not sure if this is the common thought, but if anyone has a network > which requires static IP assignments, they can

Re: IPv6 Unique Local Addresses

2018-03-02 Thread Owen DeLong
> On Mar 2, 2018, at 3:50 AM, sth...@nethelp.no wrote: > >>> ULA at inside and 1:1 to operator address in the edge is what I've >>> been recommending to my enterprise customers since we started to offer >>> IPv6 commercially. Fits their existing processes and protects me from >>> creating