Comcast business IPv6 vs rbldnsd & PSBL

2016-11-28 Thread Rik van Riel
First of all, kudos to Comcast for trying to roll out IPv6 across
their entire network. Static IPv6 netblocks seem to be available
for Comcast business users, and IPv6 is enabled unconditionally
in the CPE routers used by Comcast business class internet.

Unfortunately, the software in the two available CPE routers
(SMC & Cisco) is horribly broken when it comes to IPv6.

The TL;DR summary: even when IPv6 firewalling is disabled in
the configuration, the router still tracks every IPv6 "connection",
which causes every single DNS lookup to fill up a slot in its
connection tracking table.

The router's logs say it blocks tens of thousands of IPv6
connections every day, despite firewalling being "disabled" on
the router.

Once the connection tracking table fills up, both IPv6 and IPv4
start having trouble, with packet loss on ICMP, high ping times
to the local router (and the internet), and new connections not
establishing. The router randomly crashes and reboots too,
sometimes multiple times a day.

This ends up breaking both IPv6 and IPv4.

It only takes about 300kbit/s of DNS traffic to trigger the bug,
in both the SMC and the Cisco routers.

Are there any Comcast NOC or other technical people present who
could help?

I am interested both in helping resolve the firmware issues in
the routers (there will no doubt be other customers who hit this
in the future, as IPv6 becomes more common) or, if that is not an
option, finding some way to avoid the issue.


http://forums.businesshelp.comcast.com/t5/Equipment-Modems-Gateways/Cisco-DPC3941B-slows-to-a-crawl-and-crashes-several-times-a-day/td-p/30807

-- 
All Rights Reversed.



Re: Softlayer abuse contact

2016-11-28 Thread Martin Hannigan
[ Has been coming up a lot lately. A public response may be useful, YMMV  ]

After abuse@, which many still do answer, I try the SOA (which is
really old fashioned I guess) if I don't get an answer from abuse@

;; ANSWER SECTION:
softlayer.com.  900  IN  SOA  ns1.softlayer.net. root.softlayer.com. 2016101401 7200 600 1728000 43200

More and more blocking cases these days are also related to IP
reputation and malware infections. I'm not aware of any self service
capabilities for at least confirmation. Once you're spotted, many
application layer firewalls refuse to service your requests e.g.
webserver claiming "not allowed".

Softlayer was also acquired by IBM. Could try their SOA:

;; ANSWER SECTION:
ibm.com.  86400  IN  SOA  asia3.akam.net. hostmaster.akamai.com. 1480273175 43200 7200 604800 3600

[ I'd go with whoever owns the IP address space you are trying to
reach regardless of a packet filter or application filter ]

WHOIS queries on the domain occasionally point to someone with clue.

Registry Registrant ID:
Registrant Name: Domain Administrator
Registrant Organization: Softlayer Technologies, Inc.
Registrant Street: 4849 Alpha Road
Registrant City: Dallas
Registrant State/Province: TX
Registrant Postal Code: 75244
Registrant Country: US
Registrant Phone:  (look it up, it's there )
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: XX

In the last few years, and when near the end of the road, the
twittersphere has proven an awesome mechanism to reach out and touch
someone. I've had 100% success there.

If you have a peering relationship, IMHO opinion it is fair game to
try them if all else fails. Most peering teams are super happy to help
get you to the right people and especially if you've tried. Helping
someone solve a problem via peering relationships has always brought a
smile to my face and made that five o'clock beer taste even better.
Good luck!

Cheers,

-M<

On Mon, Nov 28, 2016 at 8:13 AM, Brian Ellwood via NANOG wrote:
> Could someone with Softlayer abuse contact me off list?
>
>  I have a netblock that cannot communicate with your network - emailed
> abuse@ about 2 weeks ago and didn't hear back.
>
>  Thank you.
>
>

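As an added example (not part of the thread above), a small Python helper that turns a dig-style SOA answer line like the two quoted in the message into the contact mailbox it encodes, following the RFC 1035 RNAME rule that the first unescaped dot becomes "@"; the sample lines are the two SOA records from the message with whitespace restored, and the date-serial check is a convention, not a guarantee.

```python
# Sample input: the two SOA answers quoted in the thread, whitespace restored.
SOA_ANSWERS = [
    "softlayer.com. 900 IN SOA ns1.softlayer.net. root.softlayer.com. "
    "2016101401 7200 600 1728000 43200",
    "ibm.com. 86400 IN SOA asia3.akam.net. hostmaster.akamai.com. "
    "1480273175 43200 7200 604800 3600",
]


def rname_to_mailbox(rname):
    """Convert an SOA RNAME to an e-mail address (RFC 1035 section 3.3.13).

    The first unescaped dot separates the local part from the domain; a
    backslash-escaped dot inside the local part is a literal dot."""
    rest = rname.rstrip(".")
    local, i = [], 0
    while i < len(rest):
        ch = rest[i]
        if ch == "\\" and i + 1 < len(rest):   # escaped character: keep literally
            local.append(rest[i + 1])
            i += 2
            continue
        if ch == ".":                          # first unescaped dot -> "@"
            return "".join(local) + "@" + rest[i + 1:]
        local.append(ch)
        i += 1
    return None  # no domain part at all: malformed RNAME


def serial_date(serial):
    """If the serial follows the YYYYMMDDnn convention, return (date, revision),
    otherwise None (e.g. a Unix-timestamp serial like 1480273175)."""
    s = str(serial)
    if len(s) != 10:
        return None
    y, m, d = int(s[:4]), int(s[4:6]), int(s[6:8])
    if not (1 <= m <= 12 and 1 <= d <= 31):
        return None
    return "%04d-%02d-%02d" % (y, m, d), int(s[8:])


def parse_soa(line):
    """Parse 'zone ttl IN SOA mname rname serial refresh retry expire minimum'."""
    f = line.split()
    if len(f) < 11 or f[2] != "IN" or f[3] != "SOA":
        raise ValueError("not an SOA answer line: " + line)
    return {"zone": f[0].rstrip("."), "ttl": int(f[1]), "mname": f[4].rstrip("."),
            "contact": rname_to_mailbox(f[5]), "serial": int(f[6]),
            "serial_date": serial_date(int(f[6])), "refresh": int(f[7]),
            "retry": int(f[8]), "expire": int(f[9]), "minimum": int(f[10])}
```

Feed it the answer section of `dig +noall +answer SOA <domain>`; the serial date, when present, hints at how recently the zone (and so perhaps the contact) was touched.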

Re: Accepting a Virtualized Functions (VNFs) into Corporate IT

2016-11-28 Thread Brett Frankenberger
On Mon, Nov 28, 2016 at 01:44:25PM -0500, Rich Kulawiec wrote:
> On Mon, Nov 28, 2016 at 09:53:41AM -0800, Kasper Adel wrote:
> > Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they
> > refuse to give you root access, or any means necessary to do 'maintenance'
> > kind of work, whether its applying security updates, or any other similar
> > type of task that is needed for you to integrate the Linux VM into your IT
> > eco-system.
> 
> Thus simultaneously (a) making vendor X a far more attractive target for
> attacks and (b) ensuring that when -- not if, when -- vendor X has its
> infrastructure compromised that the attackers will shortly thereafter
> own part of your network, for a value of "your" equal to "all customers
> of vendor X".
> 
> (By the way, this isn't really much of a leap on my part, since it's
> already happened.)

Sure.  But that's mostly the risk of running a black-box appliance.  It
doesn't really matter if it's a VM or a piece of hardware.  Businesses
that are comfortable with physical appliances (running on Intel
hardware under the covers) for Router/Firewall/Whatever accept little
additional risk if they then run that same code on a VM.

(Sure, there's the possibility of the virtual appliance being
compromised, and then being used to exploit a hypervisor bug that
allows breaking out of the VM.  So the risk isn't *zero*.  But the
overwhelming majority of the risk comes from the decision to run the
appliance, not the HW vs. VM decision.)

 -- Brett


Re: Accepting a Virtualized Functions (VNFs) into Corporate IT

2016-11-28 Thread James Downs
On Mon, Nov 28, 2016 at 09:53:41AM -0800, Kasper Adel wrote:

> Would this be an acceptable offering in today's IT from different type of
> Enterprises (Minux the Googles, Facebooks...etc) ?

The comments from others on this thread have some good points to make,
but in my experience, even at places that outsource to SaaS, a black
box on the internal network isn't going to fly.

Cheers,
-j


Re: Accepting a Virtualized Functions (VNFs) into Corporate IT

2016-11-28 Thread Rich Kulawiec
On Mon, Nov 28, 2016 at 09:53:41AM -0800, Kasper Adel wrote:
> Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they
> refuse to give you root access, or any means necessary to do 'maintenance'
> kind of work, whether its applying security updates, or any other similar
> type of task that is needed for you to integrate the Linux VM into your IT
> eco-system.

Thus simultaneously (a) making vendor X a far more attractive target for
attacks and (b) ensuring that when -- not if, when -- vendor X has its
infrastructure compromised that the attackers will shortly thereafter
own part of your network, for a value of "your" equal to "all customers
of vendor X".

(By the way, this isn't really much of a leap on my part, since it's
already happened.)

---rsk


Softlayer abuse contact

2016-11-28 Thread Brian Ellwood via NANOG
Could someone with Softlayer abuse contact me off list?
  
 I have a netblock that cannot communicate with your network - emailed 
abuse@ about 2 weeks ago and didn't hear back.
  
 Thank you.
  



Re: Voice channels (FTTH, DOCSIS, VoLTE)

2016-11-28 Thread Joly MacFie
On Sun, Nov 27, 2016 at 9:47 PM, Jay R. Ashworth wrote:

> That is congruent with my understanding of how cableco voice is provisioned;
> it has different rules WRT VoN -- specifically about 911 -- because the cable
> company segregates it and handles it differently (your cablemodem is expected
> to be tied to your service address -- or whatever terminal device does the
> voice).
>

I've seen some telco types refer to this as VuIP, i.e. "under IP", to
differentiate from VoIP such as Skype, Vonage, etc.

Not sure if this applies to LTE.

j

-- 

Joly MacFie
President - Internet Society New York Chapter (ISOC-NY)
http://isoc-ny.org  218 565 9365


Re: Accepting a Virtualized Functions (VNFs) into Corporate IT

2016-11-28 Thread Mark Tinka


On 28/Nov/16 20:10, Jared Mauch wrote:

> my experiences say that most people would accept this.  things like IT are a cost
> and any way to externalize that cost makes sense.  If you look at something like
> a SMB service, where you have mandatory NID or provider managed CPE/handoff,
> having a solution pre-built seems like a no-brainer.

Agreed - if the customer neither has nor wants to maintain the skill-set
necessary to operate the solution, then outsourcing it to a vendor (or
their partner) means they will want to make sure the customer does not
have the chance to mess it up.

So yes, if I were in the vendor's/partner's position, I'd lock down root
as well.

But if you're a power user and have the team for this, I'd walk.

Mark.


Re: Accepting a Virtualized Functions (VNFs) into Corporate IT

2016-11-28 Thread Jared Mauch

> On Nov 28, 2016, at 12:53 PM, Kasper Adel wrote:
> 
> Hi,
> 
> Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they
> refuse to give you root access, or any means necessary to do 'maintenance'
> kind of work, whether its applying security updates, or any other similar
> type of task that is needed for you to integrate the Linux VM into your IT
> eco-system.
> 
> Would this be an acceptable offering in today's IT from different type of
> Enterprises (Minux the Googles, Facebooks...etc) ?

my experiences say that most people would accept this.  things like IT are a cost
and any way to externalize that cost makes sense.  If you look at something like
a SMB service, where you have mandatory NID or provider managed CPE/handoff,
having a solution pre-built seems like a no-brainer.

Of course, if you’re on nanog@ chances are you could build your own pfSense based
solution or iptables setup.  The question is does it scale, or how do you scale
or automate it?  There are only so many Mark/Jared/Kasper’s out there.

I look at what happened with Hotel networking, with consolidation by a few players
like wayport, er AT&T and you have a mostly stable workable product that has
all the warts you’d expect from a consistent product delivery.

What I’ve observed from our customers, they appreciate consistent service delivery
globally, and the same would likely apply to those wanting to purchase a managed
firewall service.

- jared

Re: Accepting a Virtualized Functions (VNFs) into Corporate IT

2016-11-28 Thread Mark Tinka


On 28/Nov/16 19:53, Kasper Adel wrote:

> Hi,
>
> Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they
> refuse to give you root access, or any means necessary to do 'maintenance'
> kind of work, whether its applying security updates, or any other similar
> type of task that is needed for you to integrate the Linux VM into your IT
> eco-system.
>
> Would this be an acceptable offering in today's IT from different type of
> Enterprises (Minux the Googles, Facebooks...etc) ?

Vote with your feet.

Mark.


Accepting a Virtualized Functions (VNFs) into Corporate IT

2016-11-28 Thread Kasper Adel
Hi,

Vendor X wants you to run their VNF (Router, Firewall or Whatever) and they
refuse to give you root access, or any means necessary to do 'maintenance'
kind of work, whether its applying security updates, or any other similar
type of task that is needed for you to integrate the Linux VM into your IT
eco-system.

Would this be an acceptable offering in today's IT from different type of
Enterprises (Minux the Googles, Facebooks...etc) ?

Thanks


Re: IPv6 dumps on Oregon route views

2016-11-28 Thread Anurag Bhatia
Hi John

http://archive.routeviews.org/route-views6/bgpdata/

makes sense and gives a reasonable view of table I was looking for.

Thanks for your reply!


On Thu, Nov 24, 2016 at 11:47 PM, John Kemp <k...@network-services.uoregon.edu> wrote:

>
> We don't save from the hardware router, i.e. route-views.routeviews.org.
>
> We had done that for quite some time, I think up until 2008.  But the load on
> doing full dumps from the command-line was too much, and interfered with
> normal users.   So at that point, we switched the ASCII dumps to route-views2.
>
> Easiest way to look at V6 is just use route-views6.routeviews.org.  That's
> a dedicated V6 box.  You can use the libbgpdump bgpdump command to decode.
> {rsync,ftp,http}://archive.routeviews.org/route-views6/bgpdata/
>
> That's multi-hop.  If you want an exchange collector for V6, then you might
> want paix, sydney, linx, eqix, saopaulo, sg... instead.
>
> John Kemp
> h...@routeviews.org
>
>
> On 11/24/2016 06:46 AM, Anurag Bhatia wrote:
> > Hello everyone
> >
> >
> >
> > Was wondering if anyone is aware of mrt dump link for IPv6 dumps of Oregon
> > route views?
> >
> > I see on the website it links to http://archive.routeviews.org/ipv6/ which
> > gives a list of various collectors except for Oregon. The default "bgpdata"
> > directory inside has dumps which are empty.
> >
> >
> >
> >
> > On the Oregon route-views route-views.routeviews.org CLI:
> >
> >
> > route-views>  sh bgp ipv6 unicast summary
> > BGP router identifier 128.223.51.103, local AS number 6447
> > BGP table version is 46628425, main routing table version 46628425
> > 36322 network entries using 9879584 bytes of memory
> > 700439 path entries using 100863216 bytes of memory
> > 331618/17259 BGP path/bestpath attribute entries using 82241264 bytes of
> > memory
> > 3607348 BGP AS-PATH entries using 175182046 bytes of memory
> > 111346 BGP community entries using 11638354 bytes of memory
> > 793 BGP extended community entries using 34044 bytes of memory
> > 0 BGP route-map cache entries using 0 bytes of memory
> > 0 BGP filter-list cache entries using 0 bytes of memory
> > BGP using 379838508 total bytes of memory
> > BGP activity 8323321/7623230 prefixes, 545522618/517975111 paths, scan
> > interval 60 secs
> >
> > NeighborV   AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down
> >  State/PfxRcd
> > 2001:388:1::13  4 7575   0   0100 never
> >  Active
> > 2001:388:1::16  4 7575   573441861 4662830200
> 14:12:16
> >34047
> > 2001:418:0:1000::F016
> > 4 2914  1481297618 4662830200 2d10h
> >   32871
> > 2001:470:0:1A::1
> > 4 6939 14390766  202805 4662830200 18w2d
> > 32990
> > 2001:590::451F:6FF4
> > 4 4436   0   0100 never
> >  Active
> > 2001:668:0:3::0:ADCD:39EA
> > 453364 1255881   57104 4662830200 5w1d
> >33142
> > 2001:918:0:5::1 4 3303   611233849 4662830200 2d10h
> >   32994
> >
> >
> > and much more.
> >
> >
> >
> > I am trying to look for mrt dump of this specific collector.
> >
> >
> >
> >
> > Thanks.
> >
>
>


-- 


Anurag Bhatia
anuragbhatia.com