Re: plea for comcast/sprint handoff debug help

2020-11-06 Thread Randy Bush
i may understand one place you could get confused. unlike a root CA which publishes a TAL which describes transports, a non-root CA does not publish a TAL describing what transports it supports. of course, rsync is mandatory to provide; but anything else is "if it works, enjoy it. otherwise use

Technology risk without safeguards

2020-11-06 Thread Suresh Kalkunte
>> Following staff home and picking them off with a rifle is so much >> cheaper and carries a better probability of success. >> And give law enforcement much better probability of success as well. > The safety measures were thorough and > rigorous: it would have been very hard to > screw up and

Re: CNAME records in place of A records

2020-11-06 Thread Doug Barton
On 11/6/20 2:49 PM, Sabri Berisha wrote: - On Nov 6, 2020, at 2:07 AM, Dovid Bender wrote: Hi, Sorry if this is a bit OT. Recently several different vendors (in completely different fields) where they white label for us asked us to remove A records that we have going to them and replace

CNAME records in place of A records

2020-11-06 Thread Dovid Bender
Hi, Sorry if this is a bit OT. Recently several different vendors (in completely different fields) where they white label for us asked us to remove A records that we have going to them and replace them with CNAME records. Is there anything *going around* in the security arena that has caused

Re: CNAME records in place of A records

2020-11-06 Thread Jun Tanaka
Hi, They will set a dynamic IP address on the server, or use a CDN service. --- Jun Tanaka [do...@telecurve.com - Fri, 6 Nov 2020 05:07:26 -0500]: > Hi, > > Sorry if this is a bit OT. Recently several different vendors (in > completely different fields) where they white label for us asked us

Re: CNAME records in place of A records

2020-11-06 Thread Ray Orsini
It's not a security thing. We do this with the resellers who white label our VOIP. CNAMEs allow us to be flexible with our own hosts and infrastructure without having all of our resellers change DNS records. Ray Orsini Chief Executive Officer OIT, LLC

Re: CNAME records in place of A records

2020-11-06 Thread Dovid Bender
Interesting. We got a few requests at the same time which is what made me wonder. I wanted to make sure that there wasn't something I was missing. On Fri, Nov 6, 2020 at 5:25 AM Ray Orsini wrote: > It's not a security thing. We do this with the resellers who white > label our VOIP. CNAMEs

Re: plea for comcast/sprint handoff debug help

2020-11-06 Thread Randy Bush
> Admittedly someone (randy) injected a pretty pathological failure > mode into the system really? could you be exact, please? turning an optional protocol off is not a 'failure mode'. randy

Students + Educators: Join Us in 1 Week!

2020-11-06 Thread NANOG News
*Register now for our NANOG U Webinar* Join us next Friday, November 13 for a panel discussion on career opportunities in network engineering, and virtually connect + engage with members of our community from Akamai Technologies, Amazon, Microsoft, and Netflix. Registration is free + open to all!

Re: Strange connectivity issue Frontier EVPL

2020-11-06 Thread Jay Hennigan
On 11/6/20 09:08, Matt Hoppes wrote: Could you be running up against a MAC table limit on the circuit? Unlikely. The only MACs that should be in play are our gateway on our PE router and the customer's router and those are both in the address table and ARP. At layer 3, customer can

Re: CNAME records in place of A records

2020-11-06 Thread Alain Hebert
Hi, 1. I know y'all know it, but too often I come across customers using CDN Dashboard without 2FA. In my experience this has been the most abused security vector in the cases I saw. 2. Matthias's point is extremely valid. I would add: Externally monitoring the

Re: plea for comcast/sprint handoff debug help

2020-11-06 Thread Tony Tauber
On Fri, Nov 6, 2020 at 1:28 AM Christopher Morrow wrote: > I think a way forward here is to offer a suggestion for the software > folk to cogitate on and improve? >"What if (for either rrdp or rsync) there is no successful > update[0] in X of Y attempts, >attempt the other protocol to

Strange connectivity issue Frontier EVPL

2020-11-06 Thread Jay Hennigan
We have a strange issue that defies logic. We have a NNI at our POP with Frontier serving as an aggregation circuit with different customers on different VLANs. It's working well to several customers. Bringing up a new customer shows roughly half of the IP addresses unreachable across the

Re: Strange connectivity issue Frontier EVPL

2020-11-06 Thread will
I have similar Frontier NNI's out of One Wilshire, some 1gig some 10. While I haven't seen the half-IP-reachable issue you describe I have spent days and days chasing performance issues on them. I finally got gig line-rate capable iperf3 boxes at both ends and see distinct differences in

Re: Strange connectivity issue Frontier EVPL

2020-11-06 Thread Jay Hennigan
On 11/6/20 10:14, Mike Lyon wrote: What hardware is on each side? On our aggregate side an ASR920. Customer has a RAD device as the Frontier handoff. We've seen the same issue with multiple devices at the customer side including a laptop direct to the RAD. -- Jay Hennigan - j...@west.net

Re: CNAME records in place of A records

2020-11-06 Thread Kevin East
Are you using A records in a domain you own and pointing at their IPs? I'm not aware of any security vulnerability exploiting A vs CNAME. If they are hosting on a domain they own vs one you own, the use of a CNAME would allow them to change the A record IP without less impact to you, it would

Weekly Routing Table Report

2020-11-06 Thread Routing Analysis Role Account
This is an automated weekly mailing describing the state of the Internet Routing Table as seen from APNIC's router in Japan. The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG. Daily listings are sent to

Re: CNAME records in place of A records

2020-11-06 Thread Matthias Luft via NANOG
While the change from A to CNAME itself is probably not based on security considerations, a CNAME pointing to a CDN or similar can result in future security issues, i.e. you want to closely monitor your externally pointing CNAMEs when you get rid of external services:

Re: Strange connectivity issue Frontier EVPL

2020-11-06 Thread Matt Hoppes
Could you be running up against a MAC table limit on the circuit? On 11/6/20 11:59 AM, Jay Hennigan wrote: We have a strange issue that defies logic. We have a NNI at our POP with Frontier serving as an aggregation circuit with different customers on different VLANs. It's working well to

RE: Strange connectivity issue Frontier EVPL

2020-11-06 Thread aaron1
EVPL (eline) should not be learning macs. So mac table size should be a non-issue. Unless someone somewhere has constructed a 2-part bridge domain (mef-speak, etree or elan of sorts) which would have mac learning, then Matt's question comes into play. -Aaron -Original Message- From:

Re: Strange connectivity issue Frontier EVPL

2020-11-06 Thread Mike Lyon
What hardware is on each side? > On Nov 6, 2020, at 10:08, w...@loopfree.net wrote: > > I have similar Frontier NNI's out of One Wilshire, some 1gig some 10. > > While I haven't seen the half-IP-reachable issue you describe I have spent > days and days chasing performance issues on them. I

Re: Strange connectivity issue Frontier EVPL

2020-11-06 Thread Jeff Richmond
Jay, I previously ran the engineering org over there, so sent this to my old team to look at, including the best engineer I know in regard to the RADs. Will pass along anything they come back with. Thanks, -Jeff > On Nov 6, 2020, at 8:59 AM, Jay Hennigan wrote: > > We have a strange issue

Re: Strange connectivity issue Frontier EVPL

2020-11-06 Thread Karsten Thomann via NANOG
On Friday, 6 November 2020, 10:31:25, Jay Hennigan wrote: > On 11/6/20 10:14, Mike Lyon wrote: > > What hardware is on each side? > > On our aggregate side an ASR920. Customer has a RAD device as the > Frontier handoff. We've seen the same issue with multiple devices at the > customer side

Re: Strange connectivity issue Frontier EVPL

2020-11-06 Thread Mike Hammett
This is my biggest complaint about non-wavelength transport. The provider is overselling a port somewhere in the circuit, unless it's a wave. - Mike Hammett Intelligent Computing Solutions Midwest Internet Exchange The Brothers WISP - Original Message - From:

Re: plea for comcast/sprint handoff debug help

2020-11-06 Thread Christopher Morrow
On Fri, Nov 6, 2020 at 5:47 AM Randy Bush wrote: > > > Admittedly someone (randy) injected a pretty pathological failure > > mode into the system > > really? could you be exact, please? turning an optional protocol off > is not a 'failure mode'. I suppose it depends on how you think you are

Re: Strange connectivity issue Frontier EVPL

2020-11-06 Thread Mike Lyon
Recently saw a relatively same problem when Wave migrated us off of their antiquated 6500 to a brand new ASR920. EVPL had been working flawlessly for years on the 6500, but then stopped working when migrated to the ASR. Tried multiple ports on the ASR and then even another brand new ASR, same

Re: Technology risk without safeguards

2020-11-06 Thread William Herrin
On Fri, Nov 6, 2020 at 12:00 PM Rich Kulawiec wrote: > p.s.2: The large quantities of power conduits, cables, shelving, racks, > HVAC ductwork, etc. that are typical of datacenters constitute a haphazard > but modestly effective EM shield, as measured on an ad hoc basis by anyone > who tries to

Re: Technology risk without safeguards

2020-11-06 Thread Rich Kulawiec
/Friday afternoon On Thu, Nov 05, 2020 at 09:05:34AM -0800, William Herrin wrote: > Following staff home and picking them off with a rifle is so much > cheaper and carries a better probability of success. So does following them home and leaving them brand new unopened large bottles of Woodford

Re: plea for comcast/sprint handoff debug help

2020-11-06 Thread Randy Bush
>> really? could you be exact, please? turning an optional protocol off >> is not a 'failure mode'. > I suppose it depends on how you think you are serving the data. > If you thought you were serving it on both protocols, but 'suddenly' > the RRDP location was empty that would be a failure. not

RE: Strange connectivity issue Frontier EVPL

2020-11-06 Thread aaron1
My coworker is having similar issues with PS Lightwave and Alpheus/Logix from San Antonio to Houston whereas some things work and some things don't -Aaron

Re: CNAME records in place of A records

2020-11-06 Thread Sabri Berisha
- On Nov 6, 2020, at 2:07 AM, Dovid Bender wrote: Hi, > Sorry if this is a bit OT. Recently several different vendors (in completely > different fields) where they white label for us asked us to remove A records > that we have going to them and replace them with CNAME records. Is there >

[NANOG-announce] Students + Educators: Join Us in 1 Week!

2020-11-06 Thread NANOG News
*Register now for our NANOG U Webinar* Join us next Friday, November 13 for a panel discussion on career opportunities in network engineering, and virtually connect + engage with members of our community from Akamai Technologies, Amazon, Microsoft, and Netflix. Registration is free + open to all!