[swinog] Re: Swisscom DNS issue: spectrum-conference.org wrongfully resolves to a bluewin address in swisscom mobile networks
Hi,

On Tue, Apr 23, 2024 at 08:55:49AM +0200, Serge Droz via swinog wrote:
> Yes, I understand the technical issues. And yes it's ugly.

It's not "ugly", it's outright failing to achieve anything, except
signal "things are not working".

Why have a report form at all if it can not be loaded due to certificate
mismatch? The world is no longer HTTP-only...

> But do you have a better solution?

Since this is not a "solution", just a new sort of problem, it doesn't
even qualify for a comparison.

Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Ingo Lalla,
                                           Karin Schuler
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
___
swinog mailing list -- swinog@lists.swinog.ch
To unsubscribe send an email to swinog-le...@lists.swinog.ch

Re: [swinog] Coop.ch geoblocking?
Hi,

On Wed, Mar 03, 2021 at 10:44:25AM +0100, Benoît Panizzon wrote:
> Also L2TP and PPTP is accessible, so I can access my private ipv4 space
> from outside. So did they scan for those services and flag it as
> 'proxy'?

Given that PPTP auth is roughly equivalent to "no access control", I'd
strongly recommend against using that in 2021...

(https://www.heise.de/security/artikel/Der-Todesstoss-fuer-PPTP-1701365.html
- this was 2012)

Gert Doering
        -- NetMaster

Re: [swinog] Swisscom IPv6 Routing weirdness
Hi,

On Fri, Feb 26, 2021 at 05:01:38PM +0100, Claudio Luck wrote:
> Checksum errors are rather common to originate in virtualization
> platforms. It is one of the things to check for when deploying new
> infrastructure. Even some bigger resellers hand out VMs with these
> problems: I occasionally have to add a "ethtool -K $IFACE rx off tx off"
> command to the boot process.

These are not true checksum "errors". It's just that the kernel knows it
does not need to bother, because hardware will take care of it, so spends
your CPU cycles for more useful work.

*tcpdump* does not know. All tcpdump can see is "I see a packet handed
towards the NIC, and the checksum does not match" - which is reported.
Tcpdump does not see how the packet will end up on the wire.

Gert Doering
        -- NetMaster

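The distinction drawn in the message above, as an added example that is not part of the original mail: a triage helper that tells a finished TCP checksum from an offload leftover and from real corruption. It assumes the Linux behaviour of leaving the pseudo-header sum in the checksum field for the NIC to complete; addresses, ports and payload are constructed.

```python
import ipaddress
import struct


def ones_sum(data: bytes) -> int:
    """Folded 16-bit ones'-complement sum (RFC 1071), not yet inverted."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length data for summing
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum (protocol 6)."""
    return (ipaddress.IPv4Address(src).packed
            + ipaddress.IPv4Address(dst).packed
            + struct.pack("!BBH", 0, 6, tcp_len))


def classify(src: str, dst: str, segment: bytes) -> str:
    """Return 'valid', 'offload-partial' or 'corrupt' for one TCP segment."""
    field = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    ph = pseudo_header(src, dst, len(segment))
    if field == (~ones_sum(ph + zeroed) & 0xFFFF):
        return "valid"                       # what a capture on the wire shows
    # Assumption: with TX offload, Linux stores only the pseudo-header sum
    # here and the NIC adds the rest after the capture point.
    if field == ones_sum(ph):
        return "offload-partial"
    return "corrupt"


# Constructed sample traffic (documentation addresses, made-up ports).
SRC, DST = "192.0.2.10", "198.51.100.20"


def make_segment(checksum: int, payload: bytes = b"hello") -> bytes:
    header = struct.pack("!HHIIHHHH", 40000, 443, 1, 1,
                         (5 << 12) | 0x18, 64240, checksum, 0)
    return header + payload


def sample_capture():
    blank = make_segment(0)
    ph = pseudo_header(SRC, DST, len(blank))
    full = ~ones_sum(ph + blank) & 0xFFFF
    return [
        make_segment(full),                  # as seen on the wire
        make_segment(ones_sum(ph)),          # as seen by tcpdump on the sender
        make_segment(full, b"hellp"),        # payload damaged after checksumming
    ]


def triage():
    return [classify(SRC, DST, seg) for seg in sample_capture()]


if __name__ == "__main__":
    print(triage())
```

Only the third result points at a problem worth chasing; the second disappears when the same flow is captured on the receiving side or on a mirror port.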
Re: [swinog] Handling of UCE / RBL while minor misconfigurations
Hi,

On Tue, Oct 27, 2020 at 01:00:59PM +0100, Jeroen Massar wrote:
> Making sure one only egress mail that one is supposed to send
> (SPF/DKIM/DMARC/ARC) is the only way to do that and would mean being a
> good citizen on the Internet,

Much easier said than done...

> which is why lists like UCEProtect exist:
> if you configure your stuff correctly, you won't end up on them.

You totally miss the "you have a contract with the customer to run their
mail for them, so of course you accept the mail, and then they mess up
their SPF records in DNS" part.

And then your whole mail server is blocked.

Gert Doering
        -- NetMaster

Re: [swinog] Handling of UCE / RBL while minor misconfigurations
Hi,

On Tue, Oct 27, 2020 at 08:40:39AM +0100, Jeroen Massar wrote:
> Mail server admin can do a SPF check (or have a list of allowed source
> email domains) before outbound and reject forwarding these emails.

I read this and I wonder "which of the MTAs out there can do that" - that
is, check SPF (and others) for outgoing mails.

"Blaming all on the MTA operator" isn't totally reasonable either - you
might have a totally valid configuration, and then someone whose mail you
legitimately sent before (either forward rules that had no conflicting
SPF yet, or your server was listed, or...) changes *their* SPF stuff,
making *your* MTA noncompliant.

Is this an error? Yes, surely. Is the MTA operator to blame for it?
Possibly sometimes, but certainly not "always, and solely".

Gert Doering
        -- NetMaster

Re: [swinog] Looking for a VoLTE-SIP gateway
Hi,

On Mon, Sep 28, 2020 at 08:51:19AM +0200, Stanislav Sinyagin wrote:
> -- OpenVPN of an old release, with some buggy TLS. Certificate-based
> authentication doesn't work because of that. Had to do shared-secret
> authentication.

It always hurts me (as one of the OpenVPN maintainers) if I read such.

So - if someone from beroNet has interest in working on that, feel free
to contact me.

Gert Doering
        -- NetMaster

Re: [swinog] SafeHost AS21217 accused to leak routes for two hours to China Telecom AS4134 - anyone from SafeHost to comment?
Hi,

On Sun, Jun 09, 2019 at 11:47:19AM +, robert.guentensper...@swisscom.com wrote:
> Nobody of us made ever a typo...

This is why peers and upstreams have security mechanisms in place...
like max-pfx on peers, and strict prefix filters on downstreams.

We all have that, of course... have we?

Gert Doering
        -- NetMaster

Re: [swinog] are you also seeing more ssh attacks ?
Hi,

On Mon, Jul 02, 2018 at 12:25:13PM +0200, Manuel Schweizer wrote:
> Not seeing what you are seeing, but I can really recommend Fail2Ban if you
> are not using it already.

Seconded. Even if we do not allow "plain password" authentication on the
Jumphost (it's using PIN + LinOTP tokens), if only to keep the noise in
the logs down and to annoy the brute-forcers a bit :-)

Gert Doering
        -- NetMaster

Re: [swinog] RIPE database and more specific routes
Hi,

On Mon, Nov 20, 2017 at 11:03:18AM +0100, Vincent Bernat wrote:
> But I am concerned some people may build filters using only exact
> matches, so it seems safer to have route objects for more specifics.

Generally speaking, you should have route objects for what you intend
to announce. *Some* upstreams might be liberal and accept everything up
to a /24 from the blocks you define, but others are very strict.

Gert Doering
        -- NetMaster

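The two safeguards named in the 2019 route-leak reply (max-prefix on peers, strict prefix filters on downstreams) and the strict versus liberal upstream behaviour described in the reply above, as an added example that is not part of the original mails. The route object, prefixes and AS numbers are constructed, and the function names are hypothetical.

```python
import ipaddress


def build_filter(route_objects, mode="strict", max_len=24):
    """Build a prefix filter from (prefix, origin ASN) route objects.

    strict:  only an exact match with a registered route object passes.
    liberal: more specifics of a registered block pass up to max_len.
    """
    entries = [(ipaddress.ip_network(p), asn) for p, asn in route_objects]

    def accept(prefix, origin_asn):
        net = ipaddress.ip_network(prefix)
        for registered, asn in entries:
            if asn != origin_asn or net.version != registered.version:
                continue
            if net == registered:
                return True
            if (mode == "liberal" and net.subnet_of(registered)
                    and net.prefixlen <= max_len):
                return True
        return False

    return accept


def downstream_session(announcements, accept):
    """Split a downstream's announcements into accepted and rejected."""
    accepted = [a for a in announcements if accept(*a)]
    rejected = [a for a in announcements if not accept(*a)]
    return accepted, rejected


def peer_session(announcements, max_prefixes):
    """Max-prefix guard: too many received prefixes shuts the session."""
    unique = {ipaddress.ip_network(p) for p, _ in announcements}
    return "shutdown" if len(unique) > max_prefixes else "established"


# Constructed data: one registered block, five announcements.
ROUTE_OBJECTS = [("198.18.0.0/16", 64500)]
ANNOUNCED = [
    ("198.18.0.0/16", 64500),    # exactly what is registered
    ("198.18.4.0/24", 64500),    # more specific, no route object of its own
    ("198.18.4.0/25", 64500),    # longer than /24
    ("203.0.113.0/24", 64500),   # not inside any registered block
    ("198.18.8.0/24", 64501),    # right block, wrong origin AS
]

if __name__ == "__main__":
    for mode in ("strict", "liberal"):
        ok, _ = downstream_session(ANNOUNCED, build_filter(ROUTE_OBJECTS, mode))
        print(mode, ok)
    print(peer_session(ANNOUNCED, max_prefixes=3))
```

The /24 without its own route object is the case Vincent Bernat worries about: it passes the liberal filter and is dropped by the strict one.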
Re: [swinog] background migration of swisscom connection from IPv4 native to v6 + DS-Lite
Hi,

On Sun, Oct 29, 2017 at 02:53:41PM -0700, Scott Weeks wrote:
> I was not around for those discussions (and not being a computer
> science person, nor wanting to go on this for too long as has been
> endlessly done on other lists), but it seems TLV would have allowed
> 4 to be a subset of the new space. I never heard that discussed
> much and that's what I meant by my comment.

The point is: if you introduce a change to the packet format (and TLV
would be), you are no longer compatible with IPv4. Which makes the whole
"I want this to be compatible so I do not have to change infra or end
points" totally moot.

Worse, then you have "old IPv4" and "new IPv4" machines who might or
might not be able to talk to each other, depending on which IPv4 address
the "new IPv4" got (a long one or a short one) - while with IPv6, you
have unmodified old IPv4 to ensure compatibility during the transition,
and then you turn it off (in 10 years or so).

Gert Doering
        -- NetMaster

Re: [swinog] background migration of swisscom connection from IPv4 native to v6 + DS-Lite
Hi,

On Sun, Oct 29, 2017 at 12:57:54PM -0700, Scott Weeks wrote:
> Yeah, it's quite unfortunate that IPv4 ran out so suddenly,
> barely 15 years after people were told to move towards IPv6.
> ---
>
>
> Especially after IETF made it backwards compatible and made
> it so easy to switch from 4 to 6... ;-)

There's no way to make "something with longer addresses" compatible
without IPv4 without changing everything (routers, endpoints) - so, that
argument is usually one brought forward as one of a long list of standard
excuses to avoid deploying IPv6, while at the same time blaming everyone
else for the problems with IPv4.

Gert Doering
        -- NetMaster

Re: [swinog] background migration of swisscom connection from IPv4 native to v6 + DS-Lite
Hi,

On Sun, Oct 29, 2017 at 10:32:03AM +0100, WolfSec-Support wrote:
> The vpn needs to run on v4
> It's not site 2 site in this case.
>
> As all know it is still rare to get v6 access everywhere
>
> But in general it would be better if an ISP informs the customer BEFORE
> such a change.
>
> To implement CGN without making sure the customer gets a notice was simply
> the root of the problem

Yeah, it's quite unfortunate that IPv4 ran out so suddenly, barely
15 years after people were told to move towards IPv6.

Gert Doering
        -- NetMaster

Re: [swinog] DDOS >1Tbps - Swiss-wide (regional) BGP propagation?!
Hi,

On Sat, Oct 01, 2016 at 04:51:36PM +0200, Fredy Kuenzler wrote:
> To achieve this I think we need a collaborative community effort setting
> up a common procedure and define a BGP community with the effect "do
> not announce beyond Switzerland".

I think this is an awesome idea. The situation is similar here in DE -
nobody could stand a 1 Tbit DDoS attack, and a large number of content
offerings are targeted only to German-speaking customers, so if DE/A/CH
work, 99% of the customers are still able to reach the site.

I'm not really sure how this would work in your example - what if you
have two customers in a given BGP announcement, one of them *does* want
to be reached world-wide (like, corporate VPNs) and the other one is
attacked? Split the aggregate, or bite the bullet and have all of them
with limited reach, for the time being?

(We currently work this "the other way round" by using the "out of
country" and "out of continent" blackhole communities offered by NTT -
so the customer under attack would be announced as a "faraway RTBH"
route - but this isn't good enough yet either, as not all transits offer
this...)

Gert Doering
        -- NetMaster

Re: [swinog] Swiss ISPs and IPv6 --- 2016 edition
Hi,

On Tue, Sep 20, 2016 at 03:20:56PM +0200, Jeroen Massar wrote:
> On 2016-09-20 14:56, René Gallati wrote:
> [..]
> > I've activated IPv6 in my home network in 2011
>
> 2011, thus 5 years after 6bone had shut down and 12 years after RIR
> space has been available. Welcome to IPv6! ;)
>
> /me waves at DE-SPACE-19990812 as well, Gert is on this list likely ;)

... which was allocated about two years after we had our first IPv6
router running... that box was decommissioned about 10 years *ago*... :-)

> Anybody has a proper excuse? :)

"I can make much more money by selling multi-stage NAT boxes and
consulting services to go with it"!

Gert Doering
        -- NetMaster

Re: [swinog] Swiss ISPs and IPv6 --- 2016 edition
Hi,

On Thu, Sep 15, 2016 at 12:11:44PM +0200, Jeroen Massar wrote:
> Oh and note: Dual-stack IPv4 + IPv6, along with a /56 per user.

What do you want this IPv4 stuff for? That's even, like, 40+ years old.

gert

Re: [swinog] peering request
Hi,

On Sat, Aug 27, 2016 at 07:58:55PM +0200, Julien Sansonnens wrote:
> We would like to get one or two transit upstreams to ensure
> some redundancy in providing connectivity. We propose
> a BGP session via 6to4 or OpenVPN tunnel, preferably.

Who's providing your IPv4 transit? Why don't they have IPv6?

(btw, it's not "6to4" but "proto-41" - 6to4 is the 2002:xx:xx: stuff for
automatic tunneling Windows likes to use, and you really do not want to
do BGP across that)

Gert Doering
        -- NetMaster

Re: [swinog] mobile providers with IPv6 in switzerland?
Hi Martin,

On Mon, Jun 13, 2016 at 06:12:34AM +, martin.g...@swisscom.com wrote:
> Swisscom does not offer IPv6 for internet access yet, and as far
> as I know none of the competitors in CH do that either. We've tested
> T-Mobile US' approach with 464XLAT. Works well for those handsets
> that support it. We're focusing on a new approach that would make
> use of IPv6 for all handsets and that will look like dual-stack to
> the handsets.

Thanks for the update. Do you have a timeline for that already? (Maybe
we can test and enjoy this next year at the conference?)

> Voice over LTE has been using an IPv6-only APN since its launch last year.

This is good :-) - but not very visible on the outside, so content
providers can still lean back and defer their IPv6 implementation,
pointing to the mobile operators "see, even if we did v6, nobody would
use it..."

Gert Doering
        -- NetMaster

[swinog] mobile providers with IPv6 in switzerland?
Hi,

preparing myself for the panel discussion on Silvia's IPv6 conference
next week, I wonder if there are any mobile providers in Switzerland
that are offering IPv6 connectivity today - and if yes, which flavor
(single-stack IPv6 with NAT64/DNS64 like TMO USA, or dual-stack v4+v6
with v4 CGN like T-Mobile DE), and whether it's default-on for anything
yet...

thanks :-)

Gert Doering
        -- NetMaster

Re: [swinog] PPTP over Swisscom DSL centro grande
Hi,

On Fri, Nov 20, 2015 at 02:28:00PM +, Daniel Borer wrote:
> Is there a known issue with centro grande dsl router and PPTP VPN over
> swisscom net? We have several customers that can't establish a connection
> any more - since about 2 or 3 weeks.

I don't know, but when you mention PPTP VPN I'd just like to point out
that this has been totally broken last year, so it's about as good as
transmitting your data in plain text...

Technically, it might be due to the GRE tunnel used by PPTP - and if
there is a carrier grade NAT involved, they usually fail to handle this.

I'd recommend going from PPTP VPN to OpenVPN - it is much more robust to
mistreatment by NATs, and more secure as well.

Gert Doering
        -- NetMaster

Re: [swinog] RFC1918 IPs in the outbound Internet trace - a bad habit - or am I wrong?
Hi,

On Fri, Mar 06, 2015 at 08:02:43AM +0100, Stephan Wolf wrote:
> Is that my best practice, NOT to use any RFC1918 IPs on the Internet,

That is what the very same RFC says. Do not let packets with these
sources out.

Gert Doering
        -- NetMaster

[swinog] Looking for a technical contact at swisssign.net
Hi there,

can any of you help me with a technical contact regarding routing at
swisssign.net?

As far as I can see from here, there is a problem with the return path
swisssign.net (AS43183) - Space.NET (AS5539), which is making a few of
our customers extremely unhappy... (DNS resolution of crl.swisssign.net
no longer works - and even if it did, the CRL access would of course no
longer work either).

Gert Doering
        -- NetMaster