level3 europe problems
hello from friday, after a peer reset from level3, we've started to have some issues with the bgp session with level3
1. first they sent us just around 4000 prefixes (instead of ~300k)
2. then nothing, we opened a trouble ticket and they said they rebooted a router, and so on. (we saw an interesting graph in decix http://www.decix.net/content/network.html )
3. after that, the connection seemed to be ok. all prefixes received but:
- some websites, including level3.net, were loading very slowly sometimes, sometimes not at all.
- dns issues with hosts around the world
- some ipsec tunnels around the world not working, some did, and the same with telnet/snmp.
- mtr not working to some hosts, ping always looked ok.
4. the second i shut down the neighbor, all communication was ok. i made several tests, and as soon as the peer was up, the problem began. peer down - all was ok on the other providers.
did anyone else experience this kind of issue? the ticket is still open, but we didn't receive any rfo/etr for 2,5 days :)
Re: Is there anyone from ASPEWS on this list?
William wrote:
> Hi,
> Perhaps people wouldn't have to email you if the robot actually did what it said it was going to do. Your website promises that the robot will get things delisted out of the DUHL zone in 3 to 5 hours.

Please feel free to show me *any* SORBS webpage that says this because the robot cannot delist you, it just approves you for delisting.

> It has been more than 3 to 5 hours, and it is costing me money. Considering that you shouldn't have listed the space to begin with, I think it would be fantastic if you updated the website to reflect the reality of the situation.

Then tell me where it says 3-5 hours and I'll correct the text.

> While I am sorry to hear that most of the people you deal with are morons, it does not change the facts that SORBS listed IP address space for no valid reason, other than the first version of the RDNS not having .static. in it.

The robot doesn't list or delist so the entry was added at some point because of either spam, or it's an old entry that has not had any requests to update. The robot will reject certain patterns of DNS, you can always reply to the ticket as the whois contact to get delisted outside of what the robot says (as it says in the robot reply) though it should be noted that I don't care who contacts me, if the rDNS is clearly dynamic (eg: some.ip.dyn.domain.tld) you're not going to get delisted at all.

> Perhaps if this sort of thing didn't keep happening, on a regular basis, we would never hear about SORBS, MAPS, or any other RBLs on NANOG in a bad light. Personally, I like SORBS. I would like to continue to be able to use SORBS on my mail servers. The fact that my addresses are listed as being dynamic in SORBS when they are not, and it hasn't been fixed in the timeframe that the website promises it would be fixed in, is making me re-evaluate whether or not I should use SORBS and recommend it to people looking for good DNSBLs to use on their mailservers.
>> NO I DO NOT ACCEPT DELISTING REQUESTS OUT OF THE SUPPORT SYSTEM!
>
> Then you should make your delisting process more streamlined. You already have a robot for most things, make it do the next step and just delist the IP ranges it is given.

The process has been more and more streamlined as time has progressed. The support system will ask questions and will allow you to either delist or request delisting very easily. If you are an ISP you can (at the moment) use the mail/contact form to submit a request to the manual queue immediately... and anyone can send requests by email to the support system bypassing the whole "we'll gather the information via a web form" script, but the robot will reply, and if you do not meet the acceptance criteria by the robot you need to read the message and act upon it (eg: it will usually tell you to reply to the ticket after correcting something).

In your case I have reviewed the address space and I see the robot will approve it for delisting, no questions (or should do) however it will have replied with something like the following:

    I'm a robot writing you on behalf of the SORBS' admins. The reason you're getting this automated response, is our desire to provide you with consistent and fast responses. I'm prepared to correctly analyze most of the cases appearing in the DUHL queue.

    You might want to keep your responses as short as possible (and to trim my own responses) to help humans better serve you should the need arise.

    I'm glad to report that the IP space will be submitted for delisting from the DUHL.

    Best regards.
    SORBS

Read the last paragraph again.. "will be submitted for delisting" .. not "has been delisted" and it will take 3-5 hours to propagate... I have to process all removals manually after the robot because the robot does get it wrong, and then you have the likes of JustHost and the spammers there that keep requesting delisting with totally bogus (but static looking) hosts.

Michelle
Re: news from Google
> If you aren't breaking the law, the government won't be looking for your data, and won't ask Google/Yahoo/Bing/AltaVista or other search companies for your data.

This seems overly optimistic. Remember the whole telecom fiasco? Even if you are breaking the law in some mild way, do you really want the government to be using toll records or traffic-cams to enforce speeding laws, etc?

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam (CNN)
With 24 million small businesses in the US alone, that's way too many apples.
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
> I really am honestly sick of people thinking IPv6 is a panacea. It isn't.
> UPnP is rather a bit of a hack for sure, protocols should be better designed, but in this modern age of Peer To Peer you need a way for applications to ask the firewall to selectively open incoming ports.

If the addresses of your gaming machines are no longer dynamic and their ports are no longer getting dynamically remapped, why do you need that instead of a way to tell the firewall that X machine is allowed to receive packets on Y ports from Z hostlist (where X,Z can be wildcarded, and, Y can be some form of list, range, or list of ranges)?

No, IPv6 is not a panacea. However, IPv6 does eliminate the need for rapidly changing addresses on hosts that need to accept inbound connections, which makes it possible to define policy for those hosts rather than just trusting unauthenticated arbitrary applications to amend your security policy at your border.

UPnP is the firewall equivalent of having US CBP admit any person who has someone in the US say that they should be admitted. While I do support some level of immigration reform and more open borders than has been the trend of late, even I would not go that far.

Owen
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
>> UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway. You don't need UPnP if you're not doing NAT.
>
> wishful thinking. you're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it.

Yes, SI will still be needed. However, UPnP is, at its heart a way to allow arbitrary unauthenticated applications the power to amend your security policy to their will. Can you possibly explain any way in which such a thing is at all superior to no firewall at all?

I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the user's mind that there is a firewall protecting them.

Owen
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Mon, 2009-12-14 at 00:58 -0800, Owen DeLong wrote:
> However, UPnP is, at its heart a way to allow arbitrary unauthenticated applications the power to amend your security policy to their will. Can you possibly explain any way in which such a thing is at all superior to no firewall at all? I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the user's mind that there is a firewall protecting them.

Well, for many years I've argued (since I read an early draft of the proposal for uPnP) that it really stood for Unstoppable-Peek-and-Poke. It scares the hell outta me, full stop, way more than the users themselves - and they scare me a lot anyways.

Seems a good time to ask while everyone's thinking about it: I wonder if anyone actually has first-hand experience of any el-cheapo plastic home user routers (say sub-50$US) that are worth a look at for low-end system trials? Zyxel maybe? I see Andrews & Arnold (in the UK) sell them and seem to rate them quite highly, yet the price is, frankly, a giveaway. Any thoughts?

(Ignoring, of course, the sad and embarrassing fact that much of the UK's national telco backbone isn't v6 capable - a long (and buggy) story in itself, once you start trying to implement practical v6 end-to-end.)

Gord
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Once upon a time, Owen DeLong o...@delong.com said:
> I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the user's mind that there is a firewall protecting them.

Well, any applet a user clicks on should not have permission to talk to random devices on the network (for example, Java applets can't do that), so I don't think it's quite as bad as you make it out to be. I also don't really find the "computer is already compromised" case all that interesting, as at that point, all bets are off (since with C&C servers, compromised computers are already accessible to the outside world without UPnP).

A firewall protects against unwanted inbound connections to things like file/print sharing, DNS proxies, etc. You also don't get port scans and such (even with a few open ports, the majority being "drop" slows down scanners significantly). You can also configure it to prevent certain outbound connections (e.g. connecting to random mail servers from desktop PCs).

I would hope that you can configure firewall rules to override UPnP requests.

-- 
Chris Adams cmad...@hiwaay.net
Systems and Network Administrator - HiWAAY Internet Services
I don't speak for anybody but myself - that's enough trouble.
Global Crossing IPv6 on hold?
Hi All,

We recently received our ::/32 allocation from ARIN, and when we went to set up IPv6 BGP with one of our transit providers, Global Crossing, we were told new IPv6 sessions were (direct quote) "not available at this time". Attempts to get an ETA or even an explanation why have so far been fruitless.

Can that be right? I've always thought of Global Crossing as an IPv6 leader. Has anyone else heard anything about this?

Thanks,
Jeff
Re: Is there anyone from ASPEWS on this list?
Michelle Sullivan(matt...@sorbs.net)@Mon, Dec 14, 2009 at 11:32:48AM +0100:
> William wrote:
>> Hi,
>> Perhaps people wouldn't have to email you if the robot actually did what it said it was going to do. Your website promises that the robot will get things delisted out of the DUHL zone in 3 to 5 hours.
>
> Please feel free to show me *any* SORBS webpage that says this because the robot cannot delist you, it just approves you for delisting.
>
>> It has been more than 3 to 5 hours, and it is costing me money. Considering that you shouldn't have listed the space to begin with, I think it would be fantastic if you updated the website to reflect the reality of the situation.
>
> Then tell me where it says 3-5 hours and I'll correct the text.

On http://www.au.sorbs.net/cgi-bin/support , I read:

    This will route any created ticket to the robot handler which will process and delist the netblock (upto /24) within a few hours

That says the robot will delist (not schedule to delist) within a few hours.

-- 
Bill Weiss
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Mon, 14 Dec 2009, Owen DeLong wrote:
>>> UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway. You don't need UPnP if you're not doing NAT.
>>
>> wishful thinking. you're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it.
>
> Yes, SI will still be needed. However, UPnP is, at its heart a way to allow arbitrary unauthenticated applications the power to amend your security policy to their will. Can you possibly explain any way in which such a thing is at all superior to no firewall at all?

Because of the least surprise principle: Users get used to having NAT ~ they expect a similar stateful firewall in IPv6. They get used to using UPnP in IPv4 ~ they expect something similar in IPv6. I don't think this is good, but the bad engineering decision of UPnP cannot be replaced with better ones overnight.

Best Regards,
Janos Mohacsi
Re: Is there anyone from ASPEWS on this list?
On 12/14/2009 04:32 AM, Michelle Sullivan wrote:
[snip]
> I'm a robot writing you on behalf of the SORBS' admins. The reason you're getting this automated response, is our desire to provide you with consistent and fast responses. I'm prepared to correctly analyze most of the cases appearing in the DUHL queue.
[snip]

This last sentence seems to be my point of contention here. I am trying to get a /18 removed from the DUHL and every time the robot tells me some arbitrary ranges I did not mention explicitly are being tested and/or not eligible for delisting. Since the ranges not eligible are configured the same as those that are, I can't figure this out. Replying to the robot resulted in no response for a month, so I ended up submitting a ticket via the ISP contact form directly, with all the information requested, but the first time, someone just pushed my request back to the robot and it refused ranges again.

I understand you get a lot of traffic to your ticket system, but I have to wonder whether a system which is so complex and large that it is near impossible to support and keep maintained accurately is actually still useful. I assume you love (to some degree) helping kill spammers, but maybe you need to solicit (screened) volunteers to expand your staffing?

-- 
Kevin Stange
Chief Technology Officer
Steadfast Networks
http://steadfast.net
Phone: 312-602-2689 ext. 203 | Fax: 312-602-2688 | Cell: 312-320-5867
Re: Is there anyone from ASPEWS on this list?
On Mon, 2009-12-14 at 11:32 +0100, Michelle Sullivan wrote:
> Read the last paragraph again.. "will be submitted for delisting" .. not "has been delisted" and it will take 3-5 hours to propagate... I have to process all removals manually after the robot because the robot does get it wrong, and then you have the likes of JustHost and the spammers there that keep requesting delisting with totally bogus (but static looking) hosts.

And then you take several days if not several weeks to delist them. You have spent a considerably longer time replying to people on NANOG discussing your policies on NANOG, when you could just delist the IPs in question already.

Like I said before, I am sorry that you deal with a lot of morons, but maybe like others have said, you need to add more staff to your project.

William
Re: Global Crossing IPv6 on hold?
Thanks to all who responded. Someone at Global Crossing saw my message and they were supremely helpful in identifying the problem. Long story short, we provisioned that circuit through a third party, and there was some propagation error during the IPv6 order processing.

Short story shorter: Global Crossing IPv6 on hold? No.

Thanks,
Jeff
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
Owen DeLong wrote:
>>> UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway. You don't need UPnP if you're not doing NAT.
>>
>> wishful thinking. you're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it.
>
> Yes, SI will still be needed. However, UPnP is, at its heart a way to allow arbitrary unauthenticated applications the power to amend your security policy to their will. Can you possibly explain any way in which such a thing is at all superior to no firewall at all?

I'm a consumer, I want to buy something, take it home, turn it on and have it work. I don't have an IT department. How the manufacturers solve that is their problem.

As a consumer my preferences for a security posture to the extent that I have one are:

don't hose me
don't make my life any more complicated than necessary

> I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the user's mind that there is a firewall protecting them.

Stable outgoing connections for p2p apps, messaging, gaming platforms and foo website with javascript based rpc mechanisms have similar properties.

I don't sleep soundly at night because the $49 buffalo router I bought off an endcap at frys uses iptables, I sleep soundly because I don't care.

> Owen
IP to authoritative CIDR webservices
Hi,

Does anyone know of a webservice that converts a given IP into the public CIDR range that it belongs to? I am developing a tool where IP to CIDR conversion based on RIR whois data would be useful for implementing filtersets.

William
Re: Consumer Grade - IPV6 Enabled Router Firewalls.
On Dec 14, 2009, at 11:47 PM, Joel Jaeggli wrote:
> Owen DeLong wrote:
>>>> UPnP is a bad idea that (fortunately) doesn't apply to IPv6 anyway. You don't need UPnP if you're not doing NAT.
>>>
>>> wishful thinking. you're likely to still have a stateful firewall and in the consumer space someone is likely to want to punch holes in it.
>>
>> Yes, SI will still be needed. However, UPnP is, at its heart a way to allow arbitrary unauthenticated applications the power to amend your security policy to their will. Can you possibly explain any way in which such a thing is at all superior to no firewall at all?
>
> I'm a consumer, I want to buy something, take it home, turn it on and have it work. I don't have an IT department. How the manufacturers solve that is their problem.
>
> As a consumer my preferences for a security posture to the extent that I have one are:
>
> don't hose me
> don't make my life any more complicated than necessary
>
>> I would argue that a firewall that can be reconfigured by any applet a user clicks on (whether they know it or not) is actually less useful than no firewall because it creates the illusion in the user's mind that there is a firewall protecting them.
>
> Stable outgoing connections for p2p apps, messaging, gaming platforms and foo website with javascript based rpc mechanisms have similar properties.
>
> I don't sleep soundly at night because the $49 buffalo router I bought off an endcap at frys uses iptables, I sleep soundly because I don't care.

Precisely. And if you want to get picky, remember that availability is part of the standard definition of security. A firewall that doesn't let me play Chocolate-Sucking Zombie Monsters is an attack on the availability of that game, albeit from the purest of motives.

No, I'm not saying that this is good. I am saying that in the real world, it *will* happen.

--Steve Bellovin, http://www.cs.columbia.edu/~smb
Re: IP to authoritative CIDR webservices
On Mon, Dec 14, 2009 at 8:57 PM, William Pitcock neno...@systeminplace.net wrote:
> Hi,
>
> Does anyone know of a webservice that converts a given IP into the public CIDR range that it belongs to? I am developing a tool where IP to CIDR conversion based on RIR whois data would be useful for implementing filtersets.

WHOIS?

Alternatively, use the Team Cymru tool to find the AS, then the CIDR Report portal to determine all prefixes originated by the AS in question:

http://asn.cymru.com/
http://www.cidr-report.org/

Apologies if you are seeking other magic...

- ferg

-- 
Fergie, a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawgster(at)gmail.com
ferg's tech blog: http://fergdawg.blogspot.com/
Re: IP to authoritative CIDR webservices
Hi,

On Mon, 2009-12-14 at 21:10 -0800, Mehmet Akcin wrote:
> Current RIR whois actually does that. ie: search for 199.4.29 it will show you 199.4.28/22

Yes, but it has to be parsed, and RIRs have varying whois formats. ARIN vs RIPE whois output, for example.

William
Re: IP to authoritative CIDR webservices
Hi,

On Mon, 2009-12-14 at 21:12 -0800, Paul Ferguson wrote:
> On Mon, Dec 14, 2009 at 8:57 PM, William Pitcock neno...@systeminplace.net wrote:
>> Hi,
>>
>> Does anyone know of a webservice that converts a given IP into the public CIDR range that it belongs to? I am developing a tool where IP to CIDR conversion based on RIR whois data would be useful for implementing filtersets.
>
> WHOIS?
>
> Alternatively, use the Team Cymru tool to find the AS, then the CIDR Report portal to determine all prefixes originated by the AS in question:
>
> http://asn.cymru.com/

Looks like their WHOIS server in verbose mode will do the trick for what I want, as it provides predictable output. Thank you.

William
Re: IP to authoritative CIDR webservices
On Mon, 14 Dec 2009 23:13:28 -0600 William Pitcock neno...@systeminplace.net wrote:
> On Mon, 2009-12-14 at 21:10 -0800, Mehmet Akcin wrote:
>> Current RIR whois actually does that. ie: search for 199.4.29 it will show you 199.4.28/22
>
> Yes, but it has to be parsed, and RIRs have varying whois formats. ARIN vs RIPE whois output, for example.

You might be able to modify the CyberAbuse Whois (zcw) client[1] to also output CIDR information. It already outputs range information, so it shouldn't be hard to add CIDR support to what it displays. I'll contact the author to see if he could add that, as it would be a useful feature for all.

~reed

[1] http://www.cyberabuse.org/whois/

-- 
Reed Loden - r...@reedloden.com
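As an added illustration of the parsing problem this thread describes (Team Cymru's verbose whois reply, the shortened "199.4.28/22" form quoted above, and RIPE-style inetnum ranges that the zcw client prints as ranges), here is example code that is not from any poster or tool in the thread. The sample replies are constructed, and the Team Cymru column layout with its "NA" placeholder is an assumption based on that service's documented format.

```python
import ipaddress
import re

# Constructed sample in the shape of Team Cymru's verbose ("-v") whois reply.
# Column layout and the "NA" placeholder for unrouted space are assumptions
# based on the service's documented format; the values are not a real lookup.
CYMRU_VERBOSE = """\
AS      | IP               | BGP Prefix          | CC | Registry | Allocated  | AS Name
64496   | 192.0.2.1        | 192.0.2.0/24        | US | arin     | 2001-01-01 | EXAMPLE-AS, US
NA      | 198.51.100.1     | NA                  | US | arin     | 2001-01-01 | NA
"""

# Constructed RIPE-style record: an inetnum range, not a CIDR prefix.
RIPE_STYLE = """\
inetnum:        199.4.28.0 - 199.4.31.255
netname:        EXAMPLE-NET
"""


def parse_cymru_verbose(text):
    """Split the pipe-delimited reply into one dict per row, keyed by header name."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = [col.strip() for col in lines[0].split("|")]
    rows = []
    for line in lines[1:]:
        fields = [f.strip() for f in line.split("|")]
        if len(fields) != len(header):
            continue  # error or comment lines do not match the column count
        rows.append(dict(zip(header, fields)))
    return rows


def cidr_for_ip(ip, text):
    """Return the BGP prefix covering `ip` from a verbose reply, or None if unrouted."""
    addr = ipaddress.ip_address(ip)
    for row in parse_cymru_verbose(text):
        prefix = row.get("BGP Prefix", "NA")
        if prefix == "NA":
            continue
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net:
            return str(net)
    return None


def normalize_short_prefix(prefix):
    """Pad a shortened prefix such as '199.4.28/22' to a full '199.4.28.0/22'."""
    net, length = prefix.split("/")
    octets = net.split(".")
    octets += ["0"] * (4 - len(octets))
    return str(ipaddress.ip_network(".".join(octets) + "/" + length, strict=False))


RANGE_RE = re.compile(r"^inetnum:\s*(\S+)\s*-\s*(\S+)", re.MULTILINE)


def range_to_cidrs(text):
    """Convert every 'inetnum: first - last' range into the minimal list of CIDRs."""
    cidrs = []
    for first, last in RANGE_RE.findall(text):
        start, end = ipaddress.ip_address(first), ipaddress.ip_address(last)
        cidrs.extend(str(n) for n in ipaddress.summarize_address_range(start, end))
    return cidrs


if __name__ == "__main__":
    print(cidr_for_ip("192.0.2.1", CYMRU_VERBOSE))   # 192.0.2.0/24
    print(normalize_short_prefix("199.4.28/22"))    # 199.4.28.0/22
    print(range_to_cidrs(RIPE_STYLE))               # ['199.4.28.0/22']
```

A range that is not aligned to a single block (for example 203.0.113.8 - 203.0.113.19) comes back as several CIDRs, which is the case a filterset generator has to handle rather than assuming one prefix per record.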