> IOS-XR has duplicate update suppression logic for EBGP sessions
as, i believe, do most all implementations, to protect best path
computation costs.
randy
term blocked-ports {
    from {
        protocol [ tcp udp ];
        first-fragment;
        destination-port [ 0 sunrpc 135 netbios-ns netbios-dgm netbios-ssn 111 445 syslog 11211 ];
    }
    then {
        sample;
        discard;
    }
}
and i block all external access
would love to get to our racks through a back door through equinix
exchange in the informart. our router is at
ipv4 address 206.223.118.94 255.255.254.0
ipv6 address 2001:504:0:5::4128:1/64
asn 4128
thanks!
randy
> would love to get to our racks through a back door through equinix
> exchange in the informart. our router is at
>
> ipv4 address 206.223.118.94 255.255.254.0
> ipv6 address 2001:504:0:5::4128:1/64
> asn 4128
solved
randy
tl;dr:
comcast: does your 50.242.151.5 westin router receive the announcement
of 147.28.0.0/20 from sprint's westin router 144.232.9.61?
details:
3130 in the westin announces
147.28.0.0/19 and
147.28.0.0/20
to sprint, ntt, and the six
and we want to remove the /19
when we stop announcing th
> tl;dr:
>
> comcast: does your 50.242.151.5 westin router receive the announcement
> of 147.28.0.0/20 from sprint's westin router 144.232.9.61?
tl;dr: diagnosed by comcast. see our short paper to be presented at imc
tomorrow https://archive.psg.com/200927.imc-rp.pdf
lesson: route origin
> Most folk from various fora suggested Location Services were to
> blame. I turned all of mine off, no joy.
you only *think* you turned off location services. as they are a vital
component of providing a good user experience ...
:(
>>> tl;dr:
>>>
>>> comcast: does your 50.242.151.5 westin router receive the announcement
>>> of 147.28.0.0/20 from sprint's westin router 144.232.9.61?
>>
>> tl;dr: diagnosed by comcast. see our short paper to be presented at imc
>> tomorrow https://archive.psg.com/200927.imc-rp.pdf
>>
>
i'll see your blog post and raise you a peer reviewed academic paper and
two rfcs :)
in dnssec, we want to move from the old mandatory to implement (mti) rsa
signatures to the more modern ecdsa.
how would the world work out if i fielded a validating dns cache server
which *implemented* rsa, becau
> If there is a covering less specific ROA issued by a parent, this will
> then result in RPKI invalid routes.
i.e. the upstream kills the customer. not a wise business model.
> The fall-back may help in cases where there is an accidental outage of
> the RRDP server (for as long as the rsync ser
>- Randy says: "finding the fort rp to be pretty solid!" I'll say that
>if you loaded a fresh Fort and fresh Routinator install, they would both
>have your ROAs.
>- The sense of "stickiness" is local only; hence to my mind the
>protection against "downgrade" attack is somewhat
> r0.sea#sh ip bgp rpki table | i 3130
> 147.28.0.0/20 20 3130 0 147.28.0.84/323
> 147.28.0.0/19 19 3130 0 147.28.0.84/323
> 147.28.64.0/19 19 3130 0 147.28.0.84/323
> 147.28.96.0/19 19 3130 0 147.28.0.84
> cc.rg.net was unavailable over rsync for several days this week as
> well.
sorry. it was cb and cc. it seems some broken RPs did not have the
ROA needed to get to our westin pop. cf this whole thread.
luckily such things never happen in real operations. :)
randy
> The fact that we haven't been able to identify a factual relationship,
> does not mean that there isn't any.
just wow
and, for all we know, the back side of the moon is green cheese
> Admittedly someone (randy) injected a pretty pathological failure
> mode into the system
really? could you be exact, please? turning an optional protocol off
is not a 'failure mode'.
randy
>> really? could you be exact, please? turning an optional protocol off
>> is not a 'failure mode'.
> I suppose it depends on how you think you are serving the data.
> If you thought you were serving it on both protocols, but 'suddenly'
> the RRDP location was empty that would be a failure.
not
i may understand one place you could get confused. unlike a root CA
which publishes a TAL which describes transports, a non-root CA does not
publish a TAL describing what transports it supports. of course, rsync
is mandatory to provide; but anything else is "if it works, enjoy it.
otherwise use r
> The larger story here is...
>
> "7. Routing. Routers connect T-Mobile’s LTE towers to T-Mobile’s LTE
> network. These routers utilize a routing protocol called Open
> Shortest Path First."
you can blow it with is-is, just as you can with ospf, just as you can
with pretty much any dynamic [rou
< advertisement >
https://datatracker.ietf.org/doc/draft-ymbk-opsawg-finding-geofeeds/
there is a draft-ietf-opsawg-finding-geofeeds as soon as draft
submission opens
randy
> “Saw the same” after installing yesterday Big Sur and suddenly
> received a notification “this version of little snitch is no longer
> supported by macOS. It looks like I have to pay 25€ for a new
> compatible version.
and big slur bypasses it for some nefarious uses, e.g. [un]trustd
i am sti
> Our key differentiator is that we encrypt our backbone links.
care to give detail of the tech used?
randy
> In the traditional sense, by "showpiece NOC" I mean a room designed for the
> purpose of having large situational awareness displays on a wall, network
> weathermaps and charts, alerting systems, composed of four or more big flat
> panel displays. Ideally configured to be actually useful for NOC
> In article <474fe6a6-9aa8-47a7-82c6-860a21b0e...@ronan-online.com> you write:
>> When I actively hosted USENET servers, I was repeatedly warned by in-house
>> and external counsel, not to moderate which groups I hosted
>> based on content, lest I become responsible for moderating all groups,
>>
> By comparison, that's about what Google makes every 10 days or what
> Apple makes every week. Verisign is a highly profitable fish in a tiny
> pool.
by a very late stage capitalism definition of 'tiny'
randy
email from a friend who uses protonmail as their MTA suddenly started to
be opportunistically encrypted with pgp; i.e. the sender's MUA did
nothing to cause the encryption. i believe this started when i provided
my pgp public key over WKD [0].
i have a guess. i suspect that protonmail opportunis
fyi, i was contacted by a clue holder from protonmail. my guess was
correct. they pointed me to the wkd section of
https://protonmail.com/blog/security-updates-2019/
as i responded to them:
i am definitely wondering how well it scales. it adds query
burden, often toward a server differ
> due to it being so massive and unused for so long, certain large
> corporations that have run out of RFC1918, etc. space have started
> using it internally.
i first saw that on a traceroute from my hotel at ripe bologna in 2001.
i was told i was long late to finding it.
randy
> I’m sure we all remember Y2k (well, most of us, there could be some
> young-uns on the list). That day was happening whether we wanted it to
> or not. It was an unchangeable, unmovable deadline.
but i thought 3gpp was going to force ipv6 adoption
>> I’m sure we all remember Y2k (well, most of us, there could be some
>> young-uns on the list). That day was happening whether we wanted it to
>> or not. It was an unchangeable, unmovable deadline.
>
> but i thought 3gpp was going to force ipv6 adoption
let me try it a different way
why should
is there a list of public resolvers? e.g. 1.1.1.1, 4.4.4.4, 8.8.8.8,
etc.?
we have a measurement set which contains a list of resolvers, some of
which we suspect are intentionally open, some unintentionally open,
and some not open. we are trying to filter that first set, the
intentionally open.
>> is there a list of public resolvers? e.g. 1.1.1.1, 4.4.4.4, 8.8.8.8,
>> etc.?
>
> https://public-dns.info/
interesting, but probably too broad.
but i suspect my question was too broad.
>> we have a measurement set which contains resolvers, some of which we
>> suspect are intentionally open,
i must say i am impressed that the ipv6 must be deployed now and it
solves it all religion is still being shouted from the street corner 25
years on. it is as if the shouters think they will convince anybody or
change anything. folk will deploy X when they perceive that the
cost:benefit is in X'
>> i must say i am impressed that the ipv6 must be deployed now and it
>> solves it all religion is still being shouted from the street corner
>> 25 years on. it is as if the shouters think they will convince
>> anybody or change anything. folk will deploy X when they perceive that
>> the cost:b
> Perhaps it's time that we made good friends with the folk accelerating
> pr0n, and did a deal with them where someone's fetish was only
> available over IPv6.
hint: that idea is from the late '90s. the next bright idea for what
would help ipv6 take over the internet was 3gpp. it's been a long
> it’s unclear if there’s been any systematic look-back or institutional
> learning coming out of the entire experience.
i am always impressed by optimism in the face of cold reality
> From the latest update it sounds like rolling power outages in Dallas as
> most places in Texas
https://www.texastribune.org/2011/02/08/texplainer-why-does-texas-have-its-own-power-grid/
actually, the 129/8 incident was as damaging as 7007, but folk tend not
to remember it; maybe because it was a bit embarrassing
and the baltimore tunnel is a gift that gave a few times
and the quake/mudslides off taiwan
the tohoku quake was also fun, in some sense of the word
but the list of re
> actually, the 129/8 incident
a friend pointed out that it was the 128/9 incident
> but folk tend not to remember it
qed, eh? :)
when employer had shipped 2xJ to london, had the circuits up, ...
the local office sat on their hands. for weeks. i finally was
pissed enough to throw my toolbag over my shoulder, get on a
plane, and fly over. i walked into the fancy office and said
"hi, i am randy, vp eng, here to help you turn
> But it looks like a "crypto sign and publishes" anything related to an
> organization.
that is the problem with this discussion. it does not. it allows one
to show ownership of an AS or prefix. it does not show ownership or
authority over an organization. keep your trust model straight.
ran
> are you asking about something like this:
> https://datatracker.ietf.org/doc/draft-spaghetti-sidrops-rpki-rsc/
>
> Which COULD be used to, as an AS holder:
> "sign something to be sent between you and the colo and your intended peer"
>
> that you could sign (with your rpki stuffs) and your
>> way back, the rirs were very insistent that their use of rpki authority
>> was most emphatically not to be considered an identity service. this
>> permeated the design; e.g., organization names were specifically
>> forbidden in certificate CN, Subject Alternative Name, etc.
>>
>
> yup, I agree
>> What if PeeringDB would be the CA for the Facilities?
>> Supposedly this solves the CA problem of the "Colo Folks".
>
> I think pushing your security identification out (as the notional
> equinix) to a third party where you can't revoke/change/etc is asking
> for dangerous things to happen.
th
> Really, does anyone here think that it is good form to send email with
> font size *SMALL*?
rofl!
randy
---
ra...@psg.com
`gpg --locate-external-keys --auto-key-locate wkd ra...@psg.com`
signatures are back, thanks to dmarc header mangling
> you can sign over something which says "the person identified by the
> following public key is to be permitted to ..."
you mean the fraudulent attacker who owned that INR seems to have signed
this request for a €1.000.000,49 wire transfer to their iban. a person
is not identified by that signatu
>>> you can sign over something which says "the person identified by the
>>> following public key is to be permitted to ..."
>>
>> you mean the fraudulent attacker who owned that INR seems to have signed
>> this request for a €1.000.000,49 wire transfer to their iban. a person
>> is not identified
maybe late '60s or so, we had a few 2314 dasd monsters[0]. think maybe
4m x 2m with 9 drives with removable disk packs.
a grave shift operator gets errors on a drive and wonders if maybe they
swap it into another spindle. no luck, so swapped those two drives with
two others. one more iteration,
anyone else have the privilege of running 2321 data cells? had a bunch.
unreliable as hell. there was a job running continuously recovering
transactions off of log tapes. one night at 3am, head of apps program
(i was systems) got a call that a tran tape was unmounted with a console
message that
the conjecturbation is only surpassed by the vitriol
> No, French Superheroes flew in from Le Café du Peintre near the
> Bastille in under 30 nanoseconds. However, it was still futile.
jingoism does not deter fires
>> Statement (in French) from Octave Klaba, containing some discussion
>> of the development of the fire (starts at ~ 4:30):
>> https://www.ovh.com/fr/images/sbg/index-fr.html
> English:
> https://www.ovh.com/fr/images/sbg/index-en.html
and a few hundred of us hoping we never have to stand in fron
> It surprises that important sites don't do mirroring.
depends on what you mean by 'mirroring.' think latency.
randy
>>> It surprises that important sites don't do mirroring.
>> depends on what you mean by 'mirroring.' think latency.
> Though a best effort to mirror would be acceptable. Maybe not up to
> the minute but at least a recovery.
depends on if the writer has to wait for it to hit the spinning oxide
1,
> https://www.itc.sa/en/
mehmet, you actually answered rod's question. that is not allowed on
the nanog list. you need to start a 20 message thread excoriating him
for asking for actual operational help finding a circuit in a difficult
place.
what is this world coming to? sheesh!
randy
i do not find the volume or diversity on the nanog list problematic.
in fact, i suspect its diversity and openness are major factors in
it being the de facto global anything-ops list. perhaps we do not
need to fix that.
randy
> Agreed. Don't fix what isn't broken.
ryuu.rg.net:/Users/randy> whois oldnog.org
GeekTools Whois Proxy v5.0.6 Ready.
Checking access for 162.195.241.81... ok.
Checking server [whois.publicinterestregistry.net]
Results:
NOT FOUND
>>> Last update of WHOIS database: 20
> ...not to mention that all mature networks are moving more towards GUI
> front ends for their automated network. As the complexity of a network
> increases, CLI access becomes considerably more risky.
>
> The idea that "real engineers use the CLI" is dinosaur thinking that will
> eventually lan
> I think you will find that most SMTP / anti-spam focused RBL tools
> give a very similar result for IP reputation on a per /24 block basis
got cites? this got me curious the other day.
randy
in 2010, the internet society made some videos on possible internet
futures ten years out, i.e. nowish. nothing spot on, but themes
can be seen for sure.
https://www.youtube.com/watch?v=PB4zfGwctGc
randy
> tl;dr - If I only have a /24 PI - is there any way to use this and not
> “chop it up / deagg” to use for ptp/loopbacks ?
i take real addresses out of the /24 for p2p
i take 1918 addresses for ibgp loopbacks
randy
> I'd add to that that people probably shouldn't treat phones as a
> significant increase in security, it's not really the out-of-band
> device that it used to be/was in the 1990s. Today, it basically
> equates to a second computer and the probability that the second
> computer is also compromised
john,
my alzheimer's device tells me that some years back there was a
documented written agreement between arin and the dod along the lines of
dod getting a large swath of ipv6 space[0] in exchange for agreeing to
return[1] or otherwise put into public use a half dozen ipv4 /8s.
could you refres
anyone seeing roas in 11/8? i am not.
randy
pe community.
---
From: Randy Bush
Subject: Re: [anti-abuse-wg] AS8003 and U.S. Department of Defense routing
To: Brian Nisbet
Cc: Anti Abuse WG
Date: Tue, 27 Apr 2021 08:22:16 -0700
interesting wg to do routing security analysis.
as i do really not know the dod's or their proxy'
>> what i hope is that they publish the results of their experiment. a
>> bit more depth in discussion in ripe community.
>
> https://bgp.he.net/AS8003#_prefixes
those are not results of an experiment. those are some visible artifacts
of (possibly part of) an experimental setup.
what i meant wa
> 1) unreachable publication point / CA == 'ok, see you in 30 mins on my
> next cycle through the world' (no real changes)
yup. much ado about nothing
> b) revoking some portion of their claimed resources in various forms of
> CA == 'ideally a bunch of routes suddenly go unknown' == 'ok'
>
> We already know how to make DFZ convergence really fast (or at least
> orders of magnitude faster than it is), that information exists, but
> that isn't deployed because customers are not asking for it, so
> providers are not aware that there is room for improvements.
are we confident that in th
> this change means that NTT's IRR mirror service will now use RPKI
> Validated ROAs to filter out invalid IRR objects! This filtering
> strategy is similar to RIPE-731.
>
> Creation of RPKI ROAs will trigger deletion of conflicting IRR
> objects, this helps clean up stale objects. Existing RPKI R
>> i am sure there are more things to do; and hope that wiser folk will
>> expand, comment, and correct.
>
> Stay far away from AS0...
one of 42 ways, invented by clever people, to shoot yourself in the foot
randy
> Finding vulnerabilities and how to exploit them to run malware
> in closed source code is nigh on impossible.
which explains why it never happens
randy
> I just noticed (although it appears to have come in version 13.0) that
> FreeBSD's "ping" app now defaults to IPv6, i.e., no need for ping6:
pola breakage. especially fun if you have tools which run on both sides
of the koolaid.
randy
> Well, for SLAAC you need a /64
this is not true
randy
On Mon, 19 Jul 2021 09:27:13 -0700,
Nathan Angelacos wrote:
>
> On Mon, 2021-07-19 at 08:51 -0700, Randy Bush wrote:
> > > Well, for SLAAC you need a /64
> >
> > this is not true
> >
> > randy
>
>
> That is cool! Can you point me to the
[ uncloak: i work at arrcus, but at the far back of the company ]
> I'd reach out to Arrcus as well. They are a NOS house, but they can
> also provide hardware options that suit what you want.
thanks, mark.
while arrcus provides stunning world class layer three: bgp, is-is,
ospf, evpn, srv6, bla
> Very often the corrective and preventive actions appear to be
> different versions and wordings of 'dont make mistakes', in this case:
>
> - Reviewing and improving input safety checks for mapping components
> - Validate and strengthen the safety checks for the configuration
> deployment zoning
we, verio, did anycast tcp streaming (hour long) of the tony awards in
about '96. solid.
randy
https://www.businessinsider.com/russia-cuts-self-off-from-global-internet-tests-defenses-rbc-2021-7
says "Russia disconnected itself from the rest of the internet, a test
of its new defense from cyber warfare, report says"
did this show up in bgp? e.g. rv/ris?
randy
> Looks like it did shown on news only.
:)
i wondered
> One thing I've been thinking for long time is to consider policy
> proposals to enforce the usage of the abuse mailbox together with
> X-ARF/RFC5965/RFC6650. That will automate probably a so big % of abuse
> handling that makes sense even if you need to make some programming,
> even if there are
>> It was intended to be an IPv4 replacement to provide connectivity.
>> Do majority of smart handsets OS today support v6?
> Actually, yes. Many mobile networks are all v6 internally with NAT to
> external v4 sites.
what i love most about the why ipv6 {has not deployed | does not work
for me | m
> He'd be 78 today.
yes, being a year senior, he used to give me a hard time about his being
older and wiser. i think it was just his way of pulling rank :)
> Still miss him, he was a great mentor and human being.
indeed.
still at usc; cool! patience and perseverance.
randy
have you looked at the validation log report at the warning and error
levels? not pretty. not a very pleasing picture of the state of the
RPKI repos out there.
randy
hi jakob,
i am confused between
> There is no expansion to prefix-set.
and your earlier
>> We have introduced the scalable as-set into the XR route policy language.
>> as-path-set does not scale well with 1000's of ASNs.
>> Now, you don't need to expand AS-SET into prefix-set, just enter it dir
> Somewhat related, when JNPR implemented RTR the architecture was
> planned so that the RTR implementation itself isn't tightly coupled to
> RPKI validity. It was planned day1 that customers could have multiple
> RTR setups feeding prefixes and the NOS side could use these for other
> purposes too
for junos, i build the prefix list externally and push config. sad to
say, the code is so old ('90s) that it's perl and uses `peval`. i
should fix but (copious spare time) == 0.
originally i tried to also build and push for cisco ios classic, but it
died in the push. breathe on the router and
> Currently RPKI can only validate origin, not paths.
not exactly. you are speaking of route origin validation
RPKI
The RPKI is an X.509 based hierarchy [RFC 6481] which is congruent
with the internet IP address allocation administration, the IANA,
RIRs, ISPs, ... It is just a da
> The difference is, if you are able to use PeeringDB as a single
> source of truth, it is a lot easier to grab the data you need.
< pushing the analogy to the absurd >
great idea! please tell me when i can use peeringdb as the single
source of truth for my bank balance? how about i can learn
https://www.vice.com/en/article/jg84yy/data-brokers-netflow-data-team-cymru
used to get dissidents, activists, and journos killed
at&t, comcast, ... zayo, please tell us you do not do this.
randy
lotta words. i put my money where my mouth was days ago. you should
too.
randy
i am not a fiber/sfp/... geek, so clue bat please
on my left, i have a delta 9020SL running arcos, female 40g qsfp
on my right, i have incoming 10g 1310nm single mode from the seattle
internet exchange. it is currently into a redstone 10g sfp
> I believe that these (and the AOC option) require that the switch
> understand / supports splitting the 40G interface into 4x10s
arcos does what i expect, sub units
as i have no problem wasting ports on the delta box (there are 48 and i
only need two :) i think ben's
https://www.fs.com/pr
> However, if you just need to use 10g of the 40g port, you can do it
> much cheaper and easier with just this part:
>
> https://www.fs.com/products/72582.html
we will test to be sure this appears as one port of a breakout
randy
>>> good golly, so glad everyone's enterprise is a hard candy version of same.
>>> no need for these remote workers, or discontiguous offices, or
>>> 'internet centric workforces'.
>>
>> VPN.
>
> I love it when my home network gets full access to the corporate network!
make things simpler and L2
> I recently figured it out and posted it on the NLNetLabs RPKI mailing list.
> https://lists.nlnetlabs.nl/pipermail/rpki/2020-February/000124.html
nice. thank you.
randy
Feb 7 05:30:12 rpd[1752]: Prefix Send failed ! 103.148.40.0/24
bgp_rt_trace_too_big_message:1209 path attribute too big. Cannot build update.
anyone else seen this one? another kiddie?
randy
responding to private email
> Yes, something was up, as seen at the AS22211 openbgpd logger "flight
> recorder". I only looked near the time stamp you had.
>
> # mrt2bgpdump /pool0/var/log/bgpd/all-in-2020-02-07-05-26 |grep 103.148.40
> BGP4MP|02/07/20 05:30:15|A|66.79.132.1|22211|103.148.40.0/2
> I feel like I saw this once with large communities, but memory is a
> bit fuzzy.
yes, with this large an ops community, the clue distribution will likely
be long tailed :)
am i correct that the only option to drop a ubiquiti infinity into an
IS-IS LAN and have RPKI-based ROV too is FRR? if so, would someone
who has been to the movie care to share some clue off-list? thanks.
randy
> We use plenty of multi-mode, but only in the data centre, between our
> own kit, for racks within the same cage.
so you have to stock both single and multi? hmmm
randy