Re: Quad-A records in Network Solutions ?
On Tue, Apr 09, 2013 at 08:13:49PM -0700, Eric Brunner-Williams wrote:

On 4/9/13 5:47 PM, Jared Mauch wrote: Can you point us at the right address or form to submit regarding this? Seems like it's time for both AAAA and DS.

Jared, Joe is an employee of the corporation, a rather high ranking one. As I mentioned in my response to Mark, he _may_ be in a position to encourage both legal to develop new language for future addition to the RAA, and the Registrar Liaison to socialize the issue to those RAA parties who are members of the Registrar Stakeholder Group within the Contracted Parties House of the GNSO, and the Compliance team. As a matter of policy development you should expect that Registrars (recall hat) have been presented with ... proposed new terms and conditions that ... are not universally appreciated, and so one must either (a) impose new conditions unilaterally upon counter-parties, arguing some theory of necessity, or (b) negotiate a mutually agreeable modification. There is a lot of heat lost in the ICANN system, so to re-purpose the off-hand observation John Curran made recently, operators having some rough consensus on desirable features of RRSet editors may be a necessary predicate to policy intervention. As I observed to John, the ISP Constituency within the ICANN GNSO has been an effective advocate of trademark policy, and no other policy area, since the Montevideo General meeting, in 2001. Eric P.S. I may be turning in my Registrar hat in the near future.

From the Beijing mtg of ICANN - There is a real concern about the disparity of requirement; the pre 2009 contracts, the 2009 contracts, the proposed 2013 contracts. Unfortunately the 2013 contract language is pretty much baked and the only wiggle room is bringing the old contracts into compliance with the 2013 text. The trigger for the change now is the introduction of new TLDs. The one other avenue is to take this to the ATRT2 folks and get this included as a matter of ICANN performance.
OR - just move to a registrar who gives you what you want and not empower ICANN with the ability to set/control operational choice. YMMV of course. /bill
Re: Open Resolver Dataset Update
I sent you a private reply, but also posting publicly…

On Apr 9, 2013, at 4:55 PM, A. Pishdadi apishd...@gmail.com wrote: In the last 2 weeks we have seen double the amount of ddos attacks, and way bigger than normal. All of them being amplification attacks. I think the media whoring done during the spamhaus debacle motivated more people to invest time building up their openresolver list, since really no one has disclosed attacks of that size and gave the blueprints of how to do it. Now we know the attack has been around for awhile but no one really knew how big they could take it until a couple weeks ago.. Now I know your openresolver DB is meant to get them closed but it would take only a small amount of someone's day to write a script to crawl your database.. You go to fixedorbit.com or something of the sort, look up the AS's of the biggest hosting companies, plop their list of IP allocations into a text file, run the script and boom I now have the biggest open resolver list to feed my botnet.. Maybe you should require some sort of CAPTCHA or registration to view that database. While I'm sure people have other ways of gathering up the open resolvers, you just took away all the work and handed it to them on a silver platter. While I am and others surely are grateful for the data, I think a little more thought should be put in how you are going to deliver the data to who should have it, and that would be the network / AS they are hanging off of.

Both systems that return a referral to root and that do full recursion are being abused in attacks. Honestly, if you send 100kpps to 2^32 IPs it would take ~12 hours. If you have 10 hosts to scan at a lower rate and skip all the 'unused' space, e.g.: 0/8 10/8 127/8 224/4 you cut down the time as well. I won't say exactly how long my weekly process takes, but it doesn't take long if you wanted to replicate the data. About 1:122 hosts responds in some fashion.

That means for any given /24, expect there to be about 2 responses. While that may not be the case for some blocks, there's a good chance something is responding nearby. At some point the lack of scoping your response will result in a real problem for the person being attacked. Your hosts will get used in an attack. It's not really an IF question anymore. - jared
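Jared's point is that both a resolver that fully recurses and one that merely hands back a root referral amplify traffic. The following is an added example (not code from the thread or from the Open Resolver Project) of how an operator can audit their own servers for that behaviour: it builds an RD=1 query in DNS wire format, classifies the reply from its header, and reports the bytes-out-per-byte-in ratio. The sample replies are constructed inline; the `probe` function is only for servers you run yourself.

```python
import socket
import struct

def build_query(qname, qid=0x1234):
    """Minimal RFC 1035 wire-format A query with RD=1 (asks the target to recurse)."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def classify_response(pkt):
    """Classify a reply header as 'recursive', 'referral', 'refused' or 'other'.
    'recursive' = RA set and answers present; 'referral' = no answers but NS records
    in the authority section (typically the root hints). Both are usable for amplification."""
    if len(pkt) < 12:
        return "other"
    _qid, flags, _qd, ancount, nscount, _ar = struct.unpack(">HHHHHH", pkt[:12])
    ra, rcode = bool(flags & 0x0080), flags & 0x000F
    if rcode == 5:            # REFUSED: the server declined to act as an open resolver
        return "refused"
    if ancount > 0 and ra:
        return "recursive"
    if ancount == 0 and nscount > 0:
        return "referral"
    return "other"

def is_abusable(pkt):
    return classify_response(pkt) in ("recursive", "referral")

def amplification(query, pkt):
    """Bytes returned per byte sent: the factor an attacker gains from this responder."""
    return len(pkt) / len(query)

def probe(server, qname="example.com", timeout=2.0):
    """Send one UDP query to a resolver you operate and classify the reply (None on timeout)."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        try:
            pkt, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return classify_response(pkt) if pkt[:2] == q[:2] else "other"

# Constructed sample replies: the query header rewritten as a response; zero padding stands in for RRs.
QUERY = build_query("example.com")                                         # 29 bytes
RECURSIVE_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUERY[12:] + b"\x00" * 16
REFERRAL_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8100, 1, 0, 13, 0) + QUERY[12:] + b"\x00" * 500
REFUSED_REPLY = struct.pack(">HHHHHH", 0x1234, 0x8105, 1, 0, 0, 0) + QUERY[12:]
```

A server that returns "refused" (or does not answer at all) to queries from outside its own networks is the state the dataset is trying to get everyone to.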
NANOG - csi reset request (was: RE: NANOG Digest, Vol 63, Issue 45)
to be fair: cloudmark did its best to contact me and it seems that we've been able to resolve the issue. thanks! as a side note: it might be a good idea to have some sort of lookup-tool on the website or an email notification to the netblock owner. thanks again (and also to the people off-list), martin

Date: Wed, 10 Apr 2013 03:43:57 +0000
From: Martin Hotze m.ho...@hotze.com
To: nanog@nanog.org
Cc: bwilli...@cloudmark.com
Subject: RE: NANOG Digest, Vol 63, Issue 45

Bryan, nope, it didn't make it through to my inbox. I try to contact you through other channels. Martin

Date: Wed, 10 Apr 2013 02:41:42 +0000
From: Bryan Williams bwilli...@cloudmark.com
To: nanog@nanog.org
Subject: NANOG - csi reset request

Martin, I sent you this email from our corporate email, and haven't heard back. Did you receive this? Regards, Bryan Williams Sr. Solutions Architect Cloudmark, Inc

From: Bryan Williams bwilli...@cloudmark.com
Date: Tuesday, April 9, 2013 12:58 PM
To: m.ho...@hotze.com
Subject: NANOG - csi reset request

I searched through the recent requests, and couldn't find any with your email address as the contact email. Can you give me the IP you tried to unblock? Or, try it again and let us know that you did it so we can watch. If there's a bug, we'd like to fix it. Regards, Bryan Williams Sr. Solutions Architect
RPKI Support on the Juniper SRX line
Hello all, I'm working with a Juniper partner in Colombia on a possible RPKI deployment. As far as I understand Juniper's website, only the T, M and MX lines support RPKI, yet the partner insists that Junos 12.3 / 13.1 supports RPKI on the SRX line. I cannot find any document or reference confirming this. Any comments would be appreciated. regards, ~Carlos
Re: RPKI Support on the Juniper SRX line
* Carlos M. martinez the partner insists that Junos 12.3 / 13.1 supports RPKI on the SRX line. JUNOS 12.3 and 13.1 aren't supported on SRX at all. From e.g. http://www.juniper.net/support/downloads/?p=srx5600 : «High: Junos OS Release 12.2, 12.3 and 13.1 are not supported On SRX Series, J Series, LN1000 and WXC-ISM-200( PSN-2012-09-707).» Tore
Re: Quad-A records in Network Solutions ?
In time of response order: There is Leo's reference to the not yet concluded RAA process, in which a para contains possibly relevant registrar shall terms. This is forward looking (the proposed RAA is not yet required by the Corporation) and may apply only to parties contracting with the Corporation for the right to provide registrar services to some, not all, registries, operated under some contract with the Corporation. It may, if read creatively, solve the problem for a new registrar offering registration services for one or more new gTLD(s), but that may be the extent of its applicability. If the creative reading fails, AAAA and DS may fall outside of these registrar shall terms.

Next, there is Mark's observation, citing the same proposed RAA, that if the registrar provides a web interface (note well the if), and this web interface provides a means to edit A and NS records, there is no additional functional requirement for AAAA and/or DS. Mark observes that AAAA and DS updates require more from the registrant (also the registrar, when software, testing, staff (technical, support desk, and legal) training are not abstracted by a magic wand), and then observes that: Maintenance of A, AAAA, NS and DS records are core functionality and need to be treated as such.

Here I personally differ. For those not paying attention to my slightest utterance over the past 15 years of NEWDOM policy and technology... I am sure that v6 matters to some, but not all, at least not in the mandatory-to-implement-yesterday sense advocated by the v6 evangelicals (who have captured the Corporation on this issue). I'm also sure that DNSSEC matters to some, but not all, at least not in the mandatory-to-implement-yesterday sense advocated by the DNSSEC evangelicals (who have captured the Corporation on this issue).

Some 80% of the available-by-contract names in the namespace published by the US DoC through its contractors, Verisign and the Corporation, lie in one zone, which became signed as recently as March 31, 2011 (see Matt Larson's note to the DNSSEC deployment list). Of those a very small minority are signed. v6 availability statistics for North America, where over half of the registrars possessing the accreditation of the Corporation to offer registration services for this namespace are domiciled, and by inference, a substantial fraction of the registrant domains are hosted, are similarly a very small minority. It seems to me, and I don't suggest that anyone else hold this view, least of all the v6/DNSSEC evangelicals, that it is possible for one or more registrants to exist who desire neither to sign their domains, nor to ensure their availability via v6. This registrant, or these registrants, would be well served by a registrar which did not offer AAAA and/or DS record editing services. It also seems to me, and again, I don't suggest that anyone else hold this view, that the number of such registrants could be sufficient to support a cost recovery operator of a namespace which is not signed, and for which no AAAA record, in the namespace published by the US DoC (through its contractors, blah blah) exists. Obviously, the converse view carried the day, though not (yet) for namespaces not operated under contract with the Corporation.

Leo's follow-up on input valuable to the consultation would, I think, have scope limited only to new registrars offering registry services to new registries. See the very small minority observations, supra.

Finally, Bill points out that there are several contracts still applicable, and the rather turgid nature of the policy and implementation dialog(s) of the opposing parties around the proposed 2013 contracts. There are registrars operating under the pre-2009 and the 2009 contracts looking at forming distinct legal entities to enter into the eventual post-2012 contract; a reasonable scenario is trademark exploitation and exit, iterated across a series of unlikely to be sustainable product launches, and there are registrars that simply won't bother with future landrush sales any more than they bother with current expiry sales. The point being the trigger Bill mentioned isn't universal; it really is limited to those whose registrar business interest in the Corporation is brand extension, or are applicants for vertically integrated registries.

Bill observes that the ATRT2 is a possible venue. This may be, but on the whole, the interest of the United States Government in the capture of its delegated rule maker by the regulated businesses is limited. There was one mention ... a group of participants that engage in [Corporation]'s processes to a greater extent than ... in the AoC of September 2009. Subsequent public communications of the Government concerning Notice and Comment obligations, usually referred to as accountability and transparency by the Corporation, are not evident to me. Bill closes with an obvious recommendation -- pick a registrar that works for your definition of
IPv6 Cogent customers
Hello, Any single-homed or more IPv6 AS174 customers willing to take a 5 minute test for me? Please contact me off-list. We are not single homed to them but we have a particular destination that is having issues, and the funky part is that any outbound traffic over the Cogent transit is just berserk. TCP SYN packets never reach the remote end. Return traffic, even when forced over Cogent however, is fine. I can force outbound traffic to flow over two other transit providers, and all is kosher so long as I never use AS174 to try and _get_ there. Cogent is blaming Level3 just because they appear in the traceroute, therefore I would like if possible a third party to help me since Cogent doesn't seem inclined to do anything other than ping. Thanks in advance and sorry for the noise, Chris
Noction?
gotten a few cold calls from Noction. All I see is some PR about BGP happiness and good feelings with no technical hints about what they actually have to offer. They haven't even hit me directly, rather seem to be chasing us down via corporate listings, so are giving me not-confident feelings I should even return a call to them. Anyone know anything about them? -R
Re: Noction?
I think you answered your own question --Original Message-- From: Ray Wong To: nanog list Subject: Noction? Sent: Apr 10, 2013 5:30 PM gotten a few cold calls from Noction. All I see is some PR about BGP happiness and good feelings with no technical hints about what they actually have to offer. They haven't even hit me directly, rather seem to be chasing us down via corporate listings, so are giving me not-confident feelings I should even return a call to them. Anyone know anything about them? -R
Re: Noction?
It's like the Internap FCP. I think it's been on the market about a year. They're a nice group of guys and the product does what they say it does. Aaron On 4/10/2013 4:30 PM, Ray Wong wrote: gotten a few cold calls from Noction. All I see is some PR about BGP happiness and good feelings with no technical hints about what they actually have to offer. They haven't even hit me directly, rather seem to be chasing us down via corporate listings, so are giving me not-confident feelings I should even return a call to them. Anyone know anything about them? -R
Re: Noction?
We are using the product. It works fairly well although the code is still slightly immature at the moment. Started using it about a year ago in beta and it has greatly improved over time (due to a lot of input from us beta testing it in the process : ) On 4/10/2013 5:56 PM, Aaron Wendel wrote: It's like the Internap FCP. I think it's been on the market about a year. They're a nice group of guys and the product does what they say it does. Aaron On 4/10/2013 4:30 PM, Ray Wong wrote: gotten a few cold calls from Noction. All I see is some PR about BGP happiness and good feelings with no technical hints about what they actually have to offer. They haven't even hit me directly, rather seem to be chasing us down via corporate listings, so are giving me not-confident feelings I should even return a call to them. Anyone know anything about them? -R -- GloboTech Communications Phone: 1-514-907-0050 x 215 Toll Free: 1-(888)-GTCOMM1 Fax: 1-(514)-907-0750 p...@gtcomm.net http://www.gtcomm.net
Re: Noction?
If you run a multi-homed network calling them back can't hurt. Apparently they provide route optimization like Internap but is available for smaller networks. On Wed, Apr 10, 2013 at 02:30:52PM -0700, Ray Wong wrote: gotten a few cold calls from Noction. All I see is some PR about BGP happiness and good feelings with no technical hints about what they actually have to offer. They haven't even hit me directly, rather seem to be chasing us down via corporate listings, so are giving me not-confident feelings I should even return a call to them. Anyone know anything about them? -R