Re: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795 / AS4761]
I guess AS18978 didn't learn from their mistake. Got a slew of identical bgpmon alerts for withdrawals and more specifics within the last 30 minutes. Worse than last time. Some still active, like:

update time (UTC)    Update Type  Probe ASn  Probe Location  Prefix           AS path                                     Cleared  Duration
2015-03-26 12:18:41  Update       AS4795     ID              198.98.180.0/23  4795 4795 4761 9304 40633 18978 4436 29889  Active

On 03/26/2015 8:26 pm, ML wrote:
> Wouldn't it be a BCP to set no-export from the Noction device too?
>
> On 3/26/2015 6:20 PM, Nick Rose wrote:
>> Several people asked me off list for more details, here is what I have regarding it.
>>
>> This morning a tier2 isp that connects to our network made an error in their router configuration causing the route leakage. The issue has been addressed and we will be performing a full post mortem to ensure this does not happen again. While investigating the issue we did find that the noction appliance stopped advertising the no export community string with its advertisements which is why certain prefixes were also seen.
>>
>> Regards,
>> Nick Rose
>> CTO @ Enzu Inc.
>>
>> -----Original Message-----
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Rose
>> Sent: Thursday, March 26, 2015 3:49 PM
>> To: a...@djlab.com; Peter Rocca
>> Cc: nanog@nanog.org
>> Subject: RE: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795 / AS4761]
>>
>> This should be resolved from AS18978. If you experience anything else please let me know and I will get it addressed immediately.
>>
>> Regards,
>> Nick Rose
>> CTO @ Enzu Inc.
>>
>> -----Original Message-----
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy
>> Sent: Thursday, March 26, 2015 12:14 PM
>> To: Peter Rocca
>> Cc: nanog@nanog.org
>> Subject: RE: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795 / AS4761]
>>
>> On 03/26/2015 9:00 am, Peter Rocca wrote:
>>> +1
>>>
>>> The summary below aligns with our analysis as well. We've reached out to AS18978 to determine the status of the leak but at this time we're not seeing any operational impact.
>>
>> +2, after the morning coffee sunk in and helpful off list replies I can finally see it's probably not INDOSAT involved at all.
>>
>> FYI, the more specifics are still active:
>>
>> 2015-03-26 13:56:11  Update  AS4795  ID  198.98.180.0/23  4795 4795 4761 9304 40633 18978 6939 29889  Active
>> 2015-03-26 13:56:11  Update  AS4795  ID  198.98.182.0/23  4795 4795 4761 9304 40633 18978 6939 29889  Active
>>
>> --
>> ~Randy
Re: gmail security is a joke
In message 20150526161151.ga14...@pob.ytti.fi, Saku Ytti writes:
> On (2015-05-26 17:44 +0200), Owen DeLong wrote:
>
> Hey,
>
>> I think opt-out of password recovery choices on a line-item basis is not a bad concept.
>
> This sounds reasonable. At least then you could decide which balance of risk/convenience fits their use-case for given service.
>
>> OTOH, recovery by receiving a token at a previously registered alternate email address seems relatively secure to me and I wouldn't want to opt out of that.
>
> It's probably machine sent in seconds or minute after request, so doing short-lived BGP hijack of MX might be reasonably easy way to get the email.

Which is easily prevented by authenticating the MX when connecting. Something which has been recommended practice for as long as SMTP has existed. HELO provided weak authentication. We now know and documented how to do this securely on a global scale, we just need to do it. See draft-ietf-dane-smtp-with-dane.

You have added the TLSA records for your MTA and signed your zones? You have updated your MTA to support DANE?

[ Need to nag ops to add TLSA records for the MX's. We have them for www.isc.org. ]

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
Re: gmail security is a joke
On 26 May 2015 at 11:32, Alex Brooks askoorb+na...@gmail.com wrote:
> Can you not set account recovery options which change the way password reset requests are handled. https://support.google.com/accounts/answer/183723 Gives some guidance?
>
> Alex

Unfortunately, setting these options does not disable the separate account recovery form listed at the bottom of the page, and it is this form that allows you to login with any previous password and to bypass 2-factor auth. I must admit I was surprised by this when I tried it just now.

I guess it's time to rethink using Google as a primary account...
Re: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795 / AS4761]
Ignore my noise, I don't think there was new activity today (although something weird def. happened). BGPmon list was sorted by wrong column and I mixed the dates up. Although it's still showing as active since march which I thought said provider resolved...

On 03/26/2015 8:26 pm, ML wrote:
> Wouldn't it be a BCP to set no-export from the Noction device too?
>
> On 3/26/2015 6:20 PM, Nick Rose wrote:
>> Several people asked me off list for more details, here is what I have regarding it.
>>
>> This morning a tier2 isp that connects to our network made an error in their router configuration causing the route leakage. The issue has been addressed and we will be performing a full post mortem to ensure this does not happen again. While investigating the issue we did find that the noction appliance stopped advertising the no export community string with its advertisements which is why certain prefixes were also seen.
>>
>> Regards,
>> Nick Rose
>> CTO @ Enzu Inc.
>>
>> -----Original Message-----
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Rose
>> Sent: Thursday, March 26, 2015 3:49 PM
>> To: a...@djlab.com; Peter Rocca
>> Cc: nanog@nanog.org
>> Subject: RE: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795 / AS4761]
>>
>> This should be resolved from AS18978. If you experience anything else please let me know and I will get it addressed immediately.
>>
>> Regards,
>> Nick Rose
>> CTO @ Enzu Inc.
>>
>> -----Original Message-----
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Randy
>> Sent: Thursday, March 26, 2015 12:14 PM
>> To: Peter Rocca
>> Cc: nanog@nanog.org
>> Subject: RE: More specifics from AS18978 [was: Prefix hijack by INDOSAT AS4795 / AS4761]
>>
>> On 03/26/2015 9:00 am, Peter Rocca wrote:
>>> +1
>>>
>>> The summary below aligns with our analysis as well. We've reached out to AS18978 to determine the status of the leak but at this time we're not seeing any operational impact.
>>
>> +2, after the morning coffee sunk in and helpful off list replies I can finally see it's probably not INDOSAT involved at all.
>>
>> FYI, the more specifics are still active:
>>
>> 2015-03-26 13:56:11  Update  AS4795  ID  198.98.180.0/23  4795 4795 4761 9304 40633 18978 6939 29889  Active
>> 2015-03-26 13:56:11  Update  AS4795  ID  198.98.182.0/23  4795 4795 4761 9304 40633 18978 6939 29889  Active
>>
>> --
>> ~Randy
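The BGPmon alert lines Randy pasted (in this message and in the earlier one in this thread), handled by an added example that is not from the thread or from any poster: a small Python triage script that parses those lines, flags more-specifics of a monitored aggregate, origin mismatches and an unexpected AS next to the origin, and lists the ASes that appear in every flagged path but in no clean path. The monitoring policy (aggregate 198.98.180.0/22, expected upstreams AS6939 and AS4436) and the "Cleared" baseline line are assumptions constructed for the example.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample alerts in the column order of the table quoted in the
# thread: time, update type, probe ASN, probe location, prefix, AS path, status.
# The last line is a made-up "clean" baseline announcement of the aggregate.
SAMPLE_ALERTS = """\
2015-03-26 13:56:11 Update AS4795 ID 198.98.180.0/23 4795 4795 4761 9304 40633 18978 6939 29889 Active
2015-03-26 13:56:11 Update AS4795 ID 198.98.182.0/23 4795 4795 4761 9304 40633 18978 6939 29889 Active
2015-03-26 12:18:41 Update AS4795 ID 198.98.180.0/23 4795 4795 4761 9304 40633 18978 4436 29889 Active
2015-03-26 14:02:00 Update AS4795 ID 198.98.180.0/22 4795 4761 6939 29889 Cleared
"""

# Hypothetical monitoring policy (assumed, not stated in the thread): the
# origin normally announces only the /22 aggregate, and its direct upstreams
# are AS6939 and AS4436. Anything else adjacent to the origin is unexpected.
POLICY = {
    "origin": 29889,
    "aggregate": ipaddress.ip_network("198.98.180.0/22"),
    "upstreams": {6939, 4436},
}

ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<kind>\S+)\s+AS(?P<probe>\d+)\s+"
    r"(?P<loc>\S+)\s+(?P<prefix>[0-9a-fA-F.:]+/\d+)\s+(?P<path>\d+(?:\s+\d+)*)\s+(?P<status>\S+)$"
)


@dataclass
class Alert:
    ts: str
    kind: str
    probe_as: int
    prefix: ipaddress.IPv4Network | ipaddress.IPv6Network
    path: list[int]   # AS path with consecutive prepends collapsed
    status: str


def parse_alert(line: str) -> Alert:
    """Parse one BGPmon-style alert line; raises ValueError on a malformed line."""
    m = ALERT_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable alert line: {line!r}")
    raw_path = [int(asn) for asn in m["path"].split()]
    # Collapse prepending (e.g. "4795 4795" -> "4795") so adjacency checks
    # look at distinct neighbours rather than repeated hops.
    path = [asn for i, asn in enumerate(raw_path) if i == 0 or asn != raw_path[i - 1]]
    return Alert(m["ts"], m["kind"], int(m["probe"]), ipaddress.ip_network(m["prefix"]),
                 path, m["status"])


def analyse(alert: Alert, policy: dict) -> list[str]:
    """Return the policy violations an alert exhibits (an empty list means clean)."""
    findings = []
    origin = alert.path[-1]
    if origin != policy["origin"]:
        findings.append(f"origin-mismatch:AS{origin}")        # someone else originating: hijack
    agg = policy["aggregate"]
    if alert.prefix != agg and alert.prefix.subnet_of(agg):
        findings.append(f"more-specific:{alert.prefix}")     # what the thread reports
    if len(alert.path) >= 2 and alert.path[-2] not in policy["upstreams"]:
        findings.append(f"unexpected-upstream:AS{alert.path[-2]}")
    return findings


def suspect_ases(alerts: list[Alert], policy: dict) -> set[int]:
    """ASes present in every active flagged path but in no clean path: a triage
    hint for which network is propagating the more-specifics."""
    flagged = [a for a in alerts if a.status == "Active" and analyse(a, policy)]
    clean = [a for a in alerts if not analyse(a, policy)]
    if not flagged:
        return set()
    common = set.intersection(*(set(a.path) for a in flagged))
    seen_clean = set().union(*(set(a.path) for a in clean)) if clean else set()
    return common - seen_clean


def report(text: str, policy: dict = POLICY) -> dict:
    """Findings per alert (keyed by timestamp and prefix) plus the suspect set."""
    alerts = [parse_alert(line) for line in text.splitlines() if line.strip()]
    return {
        "findings": {f"{a.ts} {a.prefix}": analyse(a, policy) for a in alerts},
        "suspects": suspect_ases(alerts, policy),
    }


if __name__ == "__main__":
    result = report(SAMPLE_ALERTS)
    for key, found in result["findings"].items():
        print(key, "OK" if not found else ", ".join(found))
    print("suspect ASes:", sorted(result["suspects"]))
```

On the constructed input the /23s are flagged as more-specifics of the aggregate while the /22 baseline passes, and the suspect set comes out as the three ASes (9304, 40633, 18978) that sit between the probe's upstream and the origin's real upstreams.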
Re: 10Gb CPE
Any feedback on the new 7250's yet?

On 5/26/15, 3:02 PM, NANOG on behalf of Chris Lane nanog-boun...@nanog.org on behalf of clane1...@gmail.com wrote:
> We use Brocade ICX 6450s for this.
>
> -Chris
>
> On Tue, May 26, 2015 at 2:40 PM, Daniel Rohan dro...@gmail.com wrote:
>> With the deluge of 10Gb X device recommendations, I thought I'd hit the list with one more.
>>
>> Does anyone out there running 10Gb managed CPE feel like sharing their experiences? Our use case would be a managed endpoint that would allow for testing and circuit verification while providing a layer 2 extension to our edge gear at the PoPs. We're hoping to find a cheap vendor-supplied solution- not homebrew.
>>
>> If so, which features have been important to you? Which vendors have good products? What price point?
>>
>> Thanks,
>> Dan
>
> --
> - Chris
looking glass software
hello

what software do you use for looking glass, for cisco ios and ios-xr? i use the old cougar/version6.net for ios, but ios-xr is not supported. i came across https://github.com/tmshlvck/ulg/ but didn't install it yet. are there any other interesting lg's out there?

thanks.

--
Bogdan
Re: gmail security is a joke
On May 27, 2015, at 8:09 AM, Harald Koch c...@pobox.com wrote:
> On 26 May 2015 at 11:32, Alex Brooks askoorb+na...@gmail.com wrote:
>> Can you not set account recovery options which change the way password reset requests are handled. https://support.google.com/accounts/answer/183723 Gives some guidance?
>>
>> Alex
>
> Unfortunately, setting these options does not disable the separate account recovery form listed at the bottom of the page, and it is this form that allows you to login with any previous password and to bypass 2-factor auth. I must admit I was surprised by this when I tried it just now.
>
> I guess it's time to rethink using Google as a primary account...

According to this page, the 2-factor authentication does kick in when you finally try to reset the password.

http://webapps.stackexchange.com/questions/27258/is-there-a-way-of-disabling-googles-password-recovery-feature

"... I was presented with an emailed link to a reset page. When I clicked that link, since I have two-step verification set up, I was presented with a demand for a number provided by the Google Authenticator app on my phone. I provided that number and only then was I allowed to reset the password."

AK
Re: gmail security is a joke
On Tue, May 26, 2015 at 2:15 PM, valdis.kletni...@vt.edu wrote:
> On Tue, 26 May 2015 19:11:51 +0300, Saku Ytti said:
>>> OTOH, recovery by receiving a token at a previously registered alternate email address seems relatively secure to me and I wouldn't want to opt out of that.
>>
>> It's probably machine sent in seconds or minute after request, so doing short-lived BGP hijack of MX might be reasonably easy way to get the email.
>
> To be fair, if your e-mail address is high enough value that somebody is willing to risk getting caught doing a BGP hijack, maybe you have bigger problems to worry about.

I suppose the meta of this whole conversation is for the OP: Sure, there are issues with just about every account-recovery setup out there. Where you have X-hundreds of millions of 'not nanog' level users interacting and needing passwd recovery to work reliably and somewhat securely, how would you accomplish this?

Tossing grenades in the crowded room is cool and all, but ... you clearly have some thoughts about options/improvements/etc you might get more useful traction by proposing them.
Re: gmail security is a joke
On Tue, 26 May 2015 19:11:51 +0300, Saku Ytti said:
>> OTOH, recovery by receiving a token at a previously registered alternate email address seems relatively secure to me and I wouldn't want to opt out of that.
>
> It's probably machine sent in seconds or minute after request, so doing short-lived BGP hijack of MX might be reasonably easy way to get the email.

To be fair, if your e-mail address is high enough value that somebody is willing to risk getting caught doing a BGP hijack, maybe you have bigger problems to worry about.
10Gb CPE
With the deluge of 10Gb X device recommendations, I thought I'd hit the list with one more.

Does anyone out there running 10Gb managed CPE feel like sharing their experiences? Our use case would be a managed endpoint that would allow for testing and circuit verification while providing a layer 2 extension to our edge gear at the PoPs. We're hoping to find a cheap vendor-supplied solution- not homebrew.

If so, which features have been important to you? Which vendors have good products? What price point?

Thanks,
Dan
Re: gmail security is a joke
Hi,

On Tue, May 26, 2015 at 3:26 PM, Markus unive...@truemetal.org wrote:
> Did you know that anyone, anywhere in the world can get into a gmail account merely by knowing its creation date (month and year is sufficient) and the last login date (try today)? What a joke.

Can you not set account recovery options which change the way password reset requests are handled. https://support.google.com/accounts/answer/183723 Gives some guidance?

Alex
Re: gmail security is a joke
Haha I cringe when I do a password recovery at a site and they either email the current pw to me in plain text or just as bad reset it then email it in plain text. It's really sad that stuff this bad is still so common.

On Tue, May 26, 2015 at 11:44 AM, Owen DeLong o...@delong.com wrote:
> On May 26, 2015, at 5:22 PM, Saku Ytti s...@ytti.fi wrote:
>> On (2015-05-26 16:26 +0200), Markus wrote:
>>
>> Hey,
>>
>>> Did you know that anyone, anywhere in the world can get into a gmail account merely by knowing its creation date (month and year is sufficient) and the
>>
>> Without any comment on what gmail is or is not doing, the topic interests me. How should recovery be done in scalable manner? Almost invariably when the accounts were initially created there is no strong authentication used, how would, even in theory, it be possible to reauthenticate strongly after password was lost?
>
> I think opt-out of password recovery choices on a line-item basis is not a bad concept.
>
> For example, I'd want to opt out of recovery with account creation date. If anyone knows the date my gmail account was created, they most certainly aren't me.
>
> OTOH, recovery by receiving a token at a previously registered alternate email address seems relatively secure to me and I wouldn't want to opt out of that.
>
> Recovery by SMS to a previously registered phone likewise seems reasonably secure and I wouldn't want to opt out of that, either.
>
> Recovery by SMS to a phone number provided with the recovery request I would most certainly want to disable. (yes, some sites do this).
>
> Recovery by having my password plain-text emailed to me at my alternate address (or worse, an address I supply at the time of recovery request), not so much. (yes, many sites actually do this)
>
> Really, you don't need to strongly authenticate a particular person for these accounts. You need, instead, to authenticate that the person attempting recovery is reasonably likely to be the person who set up the account originally, whether or not they are who they claimed to be at that time.
>
>> Perhaps some people would trust, if they could opt-in for reauthentication via some legal entity procuring such services. Then during account creation, you'd need to go through same authentication phase, perhaps tied to nationalID or comparable. This might be reasonable, most people probably already trust one of these for much more important authentication than email, but supporting all of them globally seems like very expensive proposal.
>
> This also would take away from the benefits of having some level of anonymity in the account creation process, so I think this isn't such a great idea on multiple levels.
>
> YMMV.
>
> Owen
Re: gmail security is a joke
On (2015-05-26 17:44 +0200), Owen DeLong wrote:

Hey,

> I think opt-out of password recovery choices on a line-item basis is not a bad concept.

This sounds reasonable. At least then you could decide which balance of risk/convenience fits their use-case for given service.

> OTOH, recovery by receiving a token at a previously registered alternate email address seems relatively secure to me and I wouldn't want to opt out of that.

It's probably machine sent in seconds or minute after request, so doing short-lived BGP hijack of MX might be reasonably easy way to get the email.

> Recovery by SMS to a previously registered phone likewise seems reasonably secure and I wouldn't want to opt out of that, either.

I have tens of coworkers who could read my SMS.

> Really, you don't need to strongly authenticate a particular person for these accounts. You need, instead, to authenticate that the person attempting recovery is reasonably likely to be the person who set up the account originally, whether or not they are who they claimed to be at that time.

As long as user has the power to choose which risks are worth carrying, I think it's fine. For my examples, I wouldn't care about email/SMS risk if it's linkedin/twitter/facebook account. But if it's my domain hoster, I probably wouldn't want to carry either risk, as the whole deck of cards collapses if you control my domains (all email recoveries compromised)

--
  ++ytti
Re: gmail security is a joke
> I get what you are saying but my point was more about lack of crypto or reversible crypto than stealing the account.

I am all in favor of using crypto when it improves security. But I am also in favor of not obsessing about it in places where it makes no difference.

> I like what Owen is describing, they should present all account recovery options and let the user toggle on/off which ones they want to be usable this way the user can make their own decisions and live with their own choices.

Unfortunately, we have learned over and over again that the nerd instinct to push the security policy decisions onto civilians never ends well. Some people will check every box because more security is better, right? And then they're locked out and make expensive phone calls to your support desk. Others will uncheck every box because they just want to be able to log into the fripping account and it's your fault when their account is stolen.

R's,
John
Re: gmail security is a joke
On May 26, 2015, at 5:22 PM, Saku Ytti s...@ytti.fi wrote:
> On (2015-05-26 16:26 +0200), Markus wrote:
>
> Hey,
>
>> Did you know that anyone, anywhere in the world can get into a gmail account merely by knowing its creation date (month and year is sufficient) and the
>
> Without any comment on what gmail is or is not doing, the topic interests me. How should recovery be done in scalable manner? Almost invariably when the accounts were initially created there is no strong authentication used, how would, even in theory, it be possible to reauthenticate strongly after password was lost?

I think opt-out of password recovery choices on a line-item basis is not a bad concept.

For example, I'd want to opt out of recovery with account creation date. If anyone knows the date my gmail account was created, they most certainly aren't me.

OTOH, recovery by receiving a token at a previously registered alternate email address seems relatively secure to me and I wouldn't want to opt out of that.

Recovery by SMS to a previously registered phone likewise seems reasonably secure and I wouldn't want to opt out of that, either.

Recovery by SMS to a phone number provided with the recovery request I would most certainly want to disable. (yes, some sites do this).

Recovery by having my password plain-text emailed to me at my alternate address (or worse, an address I supply at the time of recovery request), not so much. (yes, many sites actually do this)

Really, you don't need to strongly authenticate a particular person for these accounts. You need, instead, to authenticate that the person attempting recovery is reasonably likely to be the person who set up the account originally, whether or not they are who they claimed to be at that time.

> Perhaps some people would trust, if they could opt-in for reauthentication via some legal entity procuring such services. Then during account creation, you'd need to go through same authentication phase, perhaps tied to nationalID or comparable. This might be reasonable, most people probably already trust one of these for much more important authentication than email, but supporting all of them globally seems like very expensive proposal.

This also would take away from the benefits of having some level of anonymity in the account creation process, so I think this isn't such a great idea on multiple levels.

YMMV.

Owen
Re: gmail security is a joke
In article caknnfz_apy8khbxj0umgoq6ufcd640jtxe9a+2tqu-d761-...@mail.gmail.com you write:
> Haha I cringe when I do a password recovery at a site and they either email the current pw to me in plain text or just as bad reset it then email it in plain text. Its really sad that stuff this bad is still so common.

If they do a reset, what difference does it make whether they send the password in plain text or as a one-time link? Either way, if a bad guy can read the mail, he can steal the account.

Given the enormous scale of Gmail, I think they do a reasonable job of account security. If you want to make your account secure with an external account or an external token (a physical one like a yubikey or a software one like the authenticator app), you can. Or if you consider your account to be low value, you can treat it that way, too.

R's,
John
RE: SAS Drive Enclosure
What are you thinking for connectivity, Ethernet, FiberChannel, Infiniband ... Building *Storage Nodes* or in need of just drive connectivity?

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ray Van Dolson
Sent: Tuesday, May 26, 2015 2:53 PM
To: Graham Johnston
Cc: 'nanog@nanog.org'
Subject: Re: SAS Drive Enclosure

On Tue, May 26, 2015 at 07:19:59PM +0000, Graham Johnston wrote:
> I am looking for information about SAS drive enclosures, is there a list like NANOG that covers that area of IT? I am specifically looking for an enclosure that can handle 12 or more drives, I am looking to create a clustered file system between multiple servers and would like to avoid a drive enclosure that only works with a very small number of approved drives. I am looking to support traditional HDDs as well as SSDs.

There were discussions at some point about setting up a storage-centric list via SNIA or something else fairly 'neutral'. Never really materialized, however.

Lists like lopsa-tech and the LISA/USENIX SAGE list are general enough you might get some good responses.

WRT your question, we've had good luck with the Dell MD1200 line of JBODs.

Ray
Re: gmail security is a joke
On Tue, May 26, 2015 at 12:28 PM, Aaron C. de Bruyn aa...@heyaaron.com wrote:
> If they can e-mail you your existing password (*cough*Netgear*cough*), it means they are storing your credentials in the database un-encrypted.

No, it doesn't mean that at all. It means they are storing it unhashed which is probably what you mean. It may well be that they are storing it unencrypted, but you can't outright say that without extra knowledge.

Scott
Re: SAS Drive Enclosure
On Tue, May 26, 2015 at 07:19:59PM +0000, Graham Johnston wrote:
> I am looking for information about SAS drive enclosures, is there a list like NANOG that covers that area of IT? I am specifically looking for an enclosure that can handle 12 or more drives, I am looking to create a clustered file system between multiple servers and would like to avoid a drive enclosure that only works with a very small number of approved drives. I am looking to support traditional HDDs as well as SSDs.

There were discussions at some point about setting up a storage-centric list via SNIA or something else fairly 'neutral'. Never really materialized, however.

Lists like lopsa-tech and the LISA/USENIX SAGE list are general enough you might get some good responses.

WRT your question, we've had good luck with the Dell MD1200 line of JBODs.

Ray
SAS Drive Enclosure
I am looking for information about SAS drive enclosures, is there a list like NANOG that covers that area of IT? I am specifically looking for an enclosure that can handle 12 or more drives, I am looking to create a clustered file system between multiple servers and would like to avoid a drive enclosure that only works with a very small number of approved drives. I am looking to support traditional HDDs as well as SSDs.

Thanks,

Graham Johnston
Network Planner
Westman Communications Group
204.717.2829
johnst...@westmancom.com
think green; don't print this email.
Re: gmail security is a joke
On Tue, May 26, 2015 at 9:06 AM, John Levine jo...@iecc.com wrote:
> If they do a reset, what difference does it make whether they send the password in plain text or as a one-time link? Either way, if a bad guy can read the mail, he can steal the account.

If they can e-mail you your existing password (*cough*Netgear*cough*), it means they are storing your credentials in the database un-encrypted.

-A
Re: 10Gb CPE
We use Brocade ICX 6450s for this.

-Chris

On Tue, May 26, 2015 at 2:40 PM, Daniel Rohan dro...@gmail.com wrote:
> With the deluge of 10Gb X device recommendations, I thought I'd hit the list with one more.
>
> Does anyone out there running 10Gb managed CPE feel like sharing their experiences? Our use case would be a managed endpoint that would allow for testing and circuit verification while providing a layer 2 extension to our edge gear at the PoPs. We're hoping to find a cheap vendor-supplied solution- not homebrew.
>
> If so, which features have been important to you? Which vendors have good products? What price point?
>
> Thanks,
> Dan

--
- Chris
RE: 10Gb CPE
I would say these are what you are after, last time I tested these I seem to remember Accedian coming out on top, but they are all good.

http://www.rad.com/10/Carrier-Ethernet-Demarcation/27932/
http://accedian.com/
http://www.mrv.com/products/carrier-ethernet

-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Daniel Rohan
Sent: Wednesday, 27 May 2015 6:41 a.m.
To: NANOG
Subject: 10Gb CPE

With the deluge of 10Gb X device recommendations, I thought I'd hit the list with one more.

Does anyone out there running 10Gb managed CPE feel like sharing their experiences? Our use case would be a managed endpoint that would allow for testing and circuit verification while providing a layer 2 extension to our edge gear at the PoPs. We're hoping to find a cheap vendor-supplied solution- not homebrew.

If so, which features have been important to you? Which vendors have good products? What price point?

Thanks,
Dan
Re: gmail security is a joke
> If they can e-mail you your existing password (*cough*Netgear*cough*), it means they are storing your credentials in the database un-encrypted.

What I had in mind was creating a new password and mailing you that.

R's,
John
Re: gmail security is a joke
*facepalm* Right. Sorry. Forgot which group I was addressing. ;)

I swear half of the United States forgot their passwords over the three-day weekend.

-A

On Tue, May 26, 2015 at 12:39 PM, John R. Levine jo...@iecc.com wrote:
>> If they can e-mail you your existing password (*cough*Netgear*cough*), it means they are storing your credentials in the database un-encrypted.
>
> What I had in mind was creating a new password and mailing you that.
>
> R's,
> John
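The reset-versus-plaintext discussion above (John's point that a mailed one-time link and a mailed new password are equivalent if the mail can be read, Scott's correction that mailing the existing password only proves it is stored unhashed, and the Aaron/John exchange), as an added example that is not from any poster: a minimal Python account store that keeps only a salted PBKDF2 hash, so there is no existing password it could ever mail, and that issues single-use reset tokens of which only the SHA-256 is stored and which expire after 15 minutes. The iteration count, the TTL and the in-memory store are assumptions made for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass

PBKDF2_ITERATIONS = 210_000   # assumed tuning; size to your own hardware
TOKEN_TTL_SECONDS = 15 * 60   # assumed: a reset link is only good for 15 minutes


@dataclass
class User:
    email: str
    salt: bytes
    pw_hash: bytes
    reset_token_hash: bytes | None = None   # hash of the outstanding token, never the token
    reset_expires: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted, one-way: nothing stored can be turned back into the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class AccountStore:
    """In-memory stand-in for a user database (constructed for this example)."""

    def __init__(self, clock=time.time):
        self.users: dict[str, User] = {}
        self.clock = clock      # injectable so expiry can be exercised without sleeping

    def register(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[email] = User(email, salt, hash_password(password, salt))

    def check_password(self, email: str, password: str) -> bool:
        user = self.users.get(email)
        if user is None:
            hash_password(password, b"\0" * 16)   # same cost for unknown users
            return False
        return hmac.compare_digest(user.pw_hash, hash_password(password, user.salt))

    def begin_reset(self, email: str) -> str | None:
        """Issue a fresh single-use reset token. The caller mails it; the store keeps
        only its SHA-256, so a database leak does not hand out live reset links.
        Returns None for unknown addresses so the caller behaves identically."""
        user = self.users.get(email)
        if user is None:
            return None
        token = secrets.token_urlsafe(32)            # 256 bits of entropy
        user.reset_token_hash = hashlib.sha256(token.encode()).digest()
        user.reset_expires = self.clock() + TOKEN_TTL_SECONDS
        return token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Consume the token and set a new password. An expired token is discarded;
        a mismatching token is rejected but does not cancel the outstanding one
        (rate limiting, not shown here, is what bounds guessing)."""
        user = self.users.get(email)
        if user is None or user.reset_token_hash is None:
            return False
        if self.clock() > user.reset_expires:
            user.reset_token_hash, user.reset_expires = None, 0.0
            return False
        presented = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(user.reset_token_hash, presented):
            return False
        user.reset_token_hash, user.reset_expires = None, 0.0   # single use
        user.salt = os.urandom(16)
        user.pw_hash = hash_password(new_password, user.salt)
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice@example.test", "correct horse battery")
    link_token = store.begin_reset("alice@example.test")   # would go out by e-mail
    print("reset ok:", store.complete_reset("alice@example.test", link_token, "new secret"))
    print("token reusable:", store.complete_reset("alice@example.test", link_token, "again"))
    print("new password works:", store.check_password("alice@example.test", "new secret"))
```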
Re: gmail security is a joke
On (2015-05-26 16:26 +0200), Markus wrote:

Hey,

> Did you know that anyone, anywhere in the world can get into a gmail account merely by knowing its creation date (month and year is sufficient) and the

Without any comment on what gmail is or is not doing, the topic interests me. How should recovery be done in scalable manner? Almost invariably when the accounts were initially created there is no strong authentication used, how would, even in theory, it be possible to reauthenticate strongly after password was lost?

One solution is, that you can opt-out from any password recovery process, which also would mean opt-in for deletion of dormant accounts (no login for 2 years, candidate for deletion?). I personally would opt-in for this in every service I have. I recall gandi allows you to disable password recovery.

Perhaps some people would trust, if they could opt-in for reauthentication via some legal entity procuring such services. Then during account creation, you'd need to go through same authentication phase, perhaps tied to nationalID or comparable. This might be reasonable, most people probably already trust one of these for much more important authentication than email, but supporting all of them globally seems like very expensive proposal.

--
  ++ytti
gmail security is a joke
Did you know that anyone, anywhere in the world can get into a gmail account merely by knowing its creation date (month and year is sufficient) and the last login date (try today)? What a joke. Try it by yourself, it's fun.

Even worse, once the attacker had control of your account once, and you reset the PW and then enable 2-factor-authentication, he will always come back because it is sufficient for him to know one of the last passwords to reset it again. This will totally work around 2-factor-authentication and allows him to remove/change recovery E-Mail + phone + turn off 2FA. There's no way to get rid of him. What a mess!

I have a gmail account that mostly sends mail and barely receives any. This is probably why it works so damn easy. Otherwise the PW recovery process will ask you for the E-Mail addresses of people that you have received mail from in the past. But even this can get easily guessed/researched.
Re: Multiple vendors' IPv6 issues
On Tuesday, May 26, 2015, David Sotnick sotnickd-na...@ddv.com wrote:
> Hi NANOG,
>
> The company I work for has no business case for being on the IPv6-Internet. However, I am an inquisitive person and I am always looking to learn new things, so about 3 years ago I started down the IPv6 path. This was early 2012.
>
> Fast forward to today. We have a /44 presence for our company's multiple sites; All our desktop computers have been on the IPv6 Internet since June, 2012 and we have a few AAAAs in our external DNS for some key services — and, there have been bugs. *Lots* of bugs.
>
> Now, maybe (_maybe_) I can have some sympathy for smaller network companies (like Arista Networks at the time) to not quite have their act together as far as IPv6 goes, but for larger, well-established companies to still have critical IPv6 bugs is just inexcusable!
>
> This month has just been the most disheartening time working with IPv6.
>
> Vendor 1: Aruba Networks. Upon adding an IPv6 address to start managing our WiFi controller over IPv6, I receive a call from our Telecom Lead saying that our WiFi VoIP phones have just gone offline. WHAT? All I did was add an IPv6 address to a management interface which has *nothing* to do with our VoIP system or SSID, ACLs, policies, roles, etc.
>
> Vendor 2: Palo Alto Networks: After upgrading our firewalls from a version which has a nasty bug where the IPv6 neighbor table wasn't being cleaned up properly (which would overflow the table and break IPv6), we now have a *new* IPv6 neighbor discovery bug where one of our V6-enabled DMZ hosts just falls off the IPv6 network. The only solution: clear the neighbor table on the Palo Alto or the client (linux) host.
>
> Vendor 3: Arista Networks: We are seeing a very similar ND bug with Arista. This one is slightly more interesting because it only started after upgrading our Arista EOS code — and it only appears to affect Virtual Machines which are behind our RedHat Enterprise Virtualization cluster. None of the hundreds of VMware-connected hosts are affected. The symptom is basically the same as the Palo Alto bug. Neighbor table gets in some weird state where ND breaks and the host is unreachable until the neighbor table is cleared.
>
> Oh, and the final straw today, which is *almost* leading me to throw in the IPv6 towel completely (for now): On certain hosts (VMs), scp'ing a file over the [Arista] LAN (10 gigabit LAN) takes 5 minutes over IPv6 and 1 second over IPv4. What happened?
>
> It really saddens me that it is still not receiving anywhere near the kind of QA (partly as a result of lack of adoption) that IPv4 has.
>
> Oh, and let's not forget everybody's favorite vendor, Cisco. Why is it, Cisco, that I have to restart my IPv6 OSPF3 process on my ASA every time my Palo Alto firewall crashes and fails over, otherwise none of my VPN clients can connect via IPv6?
>
> Why do you hurt me so, IPv6? I just wanted to be friends, and now I just want to break up with you. Maybe we can try to be friends again when your vendors get their shit together.
>
> -David

Had ipv4 ever hurt you ?

Me too.

CB
Multiple vendors' IPv6 issues
Hi NANOG,

The company I work for has no business case for being on the IPv6-Internet. However, I am an inquisitive person and I am always looking to learn new things, so about 3 years ago I started down the IPv6 path. This was early 2012.

Fast forward to today. We have a /44 presence for our company's multiple sites; All our desktop computers have been on the IPv6 Internet since June, 2012 and we have a few AAAAs in our external DNS for some key services — and, there have been bugs. *Lots* of bugs.

Now, maybe (_maybe_) I can have some sympathy for smaller network companies (like Arista Networks at the time) to not quite have their act together as far as IPv6 goes, but for larger, well-established companies to still have critical IPv6 bugs is just inexcusable!

This month has just been the most disheartening time working with IPv6.

Vendor 1: Aruba Networks. Upon adding an IPv6 address to start managing our WiFi controller over IPv6, I receive a call from our Telecom Lead saying that our WiFi VoIP phones have just gone offline. WHAT? All I did was add an IPv6 address to a management interface which has *nothing* to do with our VoIP system or SSID, ACLs, policies, roles, etc.

Vendor 2: Palo Alto Networks: After upgrading our firewalls from a version which has a nasty bug where the IPv6 neighbor table wasn't being cleaned up properly (which would overflow the table and break IPv6), we now have a *new* IPv6 neighbor discovery bug where one of our V6-enabled DMZ hosts just falls off the IPv6 network. The only solution: clear the neighbor table on the Palo Alto or the client (linux) host.

Vendor 3: Arista Networks: We are seeing a very similar ND bug with Arista. This one is slightly more interesting because it only started after upgrading our Arista EOS code — and it only appears to affect Virtual Machines which are behind our RedHat Enterprise Virtualization cluster. None of the hundreds of VMware-connected hosts are affected. The symptom is basically the same as the Palo Alto bug. Neighbor table gets in some weird state where ND breaks and the host is unreachable until the neighbor table is cleared.

Oh, and the final straw today, which is *almost* leading me to throw in the IPv6 towel completely (for now): On certain hosts (VMs), scp'ing a file over the [Arista] LAN (10 gigabit LAN) takes 5 minutes over IPv6 and 1 second over IPv4. What happened?

It really saddens me that it is still not receiving anywhere near the kind of QA (partly as a result of lack of adoption) that IPv4 has.

Oh, and let's not forget everybody's favorite vendor, Cisco. Why is it, Cisco, that I have to restart my IPv6 OSPF3 process on my ASA every time my Palo Alto firewall crashes and fails over, otherwise none of my VPN clients can connect via IPv6?

Why do you hurt me so, IPv6? I just wanted to be friends, and now I just want to break up with you. Maybe we can try to be friends again when your vendors get their shit together.

-David
RE: gmail security is a joke
Perhaps this is still a void in the market? A business which operates small offices at which you can real-world verify your personal identity using the most solid evidence available (perhaps in cooperation with governments) for that location/country, and which works together with the sorts of big-@random-webservice to help recover information? That would remove the need for weak ideas. Either you set up and use a very solid recovery method or you present yourself (or perhaps a family member, in case of emergency/deceased/etc.).

With kind regards,

Thijs Stuurman
Infrastructure Solutions
IS (internedservices) Group
Wielingenstraat 8 | 1441 ZR Purmerend | The Netherlands
T: +31(0)299476185 | M: +31(0)624366778
W: http://www.is.nl | L: http://nl.linkedin.com/in/thijsstuurman

-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Alex Brooks
Sent: Tuesday, May 26, 2015 5:32 PM
To: Markus; nanog
Subject: Re: gmail security is a joke

Hi,

On Tue, May 26, 2015 at 3:26 PM, Markus unive...@truemetal.org wrote:
> Did you know that anyone, anywhere in the world can get into a gmail account merely by knowing its creation date (month and year is sufficient) and the last login date (try today)? What a joke.

Can you not set account recovery options which change the way password reset requests are handled?

https://support.google.com/accounts/answer/183723 gives some guidance?

Alex
Re: gmail security is a joke
On Tue, May 26, 2015 at 10:26 AM, Markus unive...@truemetal.org wrote:
> Did you know that anyone, anywhere in the world can get into a gmail account merely by knowing its creation date (month and year is sufficient) and the last login date (try today)? What a joke.

We don't even know if this email originated from Markus himself. :-)

As for security, the default access for mobile devices (which require no further credentials for Mail, Web, SMS) is a swipe. I too wish the world was bulletproof from birth, but it's not.

-Jim P.