Explore the NANOG 82 Virtual Expo  Doors open TODAY

2021-06-07 Thread Nanog News
NANOG 82 EXPO: Interact + Network Virtually
*The latest technology, all in one space*
The NANOG 82 Expo is
right around the corner! Network and interact with reps from top tech
companies from your living room, learn about the latest technologies, have
fun at the scavenger hunt  + win raffle prizes.

*Digital doors open June 7 and will remain open until June 25.* Engage in
this one-of-a-kind experience by visiting booths virtually, have the
opportunity to connect with incredible professionals and of course, get
your swag on!

*Sponsored by Opengear*

*Scavenger Hunt Rules:* Please visit each NANOG 82 Virtual Expo booth to
search for answers to our daily Scavenger Hunt, beginning on June 14 and
ending on June 16. Submit your answers by 11pm EST/8pm PST for a chance to
win a $100 VISA Gift Card. 1 winner per day. Winners will be notified by
email.
*Scroll on to learn more about each of our exhibitors.*

Visit Expo

Amazon*Interconnect with the Amazon global network.*
Amazon operates a global network covering more than 80 cities and over 200
Points of Presence (POPs). Learn more: peering.aws


Visit Expo Booth

Charter Communications*America's fastest-growing TV, Internet and Voice
provider.*
At Charter Communications, we connect our customers to innovation. From
Spectrum Internet Gig and our path to 10G, to the Spectrum TV App and
Spectrum Mobile, our blazing fast and secure broadband network powers the
future. Learn more: spectrum.com


Visit Expo Booth

Juniper Networks*Engineering Simplicity*
Juniper Networks brings simplicity to networking with products, solutions
and services that connect the world. Through engineering innovation, we
harness the power of networking in the cloud to solve the toughest
challenges. Learn more: juniper.net


Visit Expo Booth

Kentik*Kentik is the network observability company. Our platform is a
must-have for the network front line, whether digital business, corporate
IT, or service provider. *
Kentik® is the network intelligence platform for the connected world,
trusted by leading digital enterprises and service providers. With Kentik,
businesses eliminate the visibility and intelligence gaps associated with
running dynamic and complex networks, and achieve greater network
performance, reliability and security. The Kentik Network Intelligence
Platform ingests diverse data streams from the internet, edge, cloud, data
center and hybrid infrastructures and provides real-time visualizations and
AIOps-powered insights and automation. Learn more: kentik.com


Visit Expo Booth

Microsoft *Learn. Connect. Explore.*
Empowering Others: Our mission is to empower every person and every
organization on the planet to achieve more. Learn more: microsoft.com/en-us



Visit Expo Booth

Netscout*Visibility Without Borders*
NETSCOUT SYSTEMS, INC. (NASDAQ: NTCT) helps assure digital business
services against disruptions in availability, performance, and security.
Our market and technology leadership stems from combining our patented
smart data technology with smart analytics. We provide real-time, pervasive
visibility and insights customers need to accelerate and secure their
digital transformation. Our approach transforms the way organizations plan,
deliver, integrate, test, and deploy services and applications. Our
nGenius™ service assurance solutions provide real-time, contextual analysis
of service, network, and application performance. Learn more: netscout.com


*Swag + Prizes *
$200 Amazon Gift Card Giveaway!
Visit 

RE: amazon.com multiple SPF records

2021-06-07 Thread Jean St-Laurent via NANOG
Thanks for the update.

Has Amazon been publishing that old techno for a long time, or did it just
appear recently?

I don’t recall seeing that with amazon-ses.com.

Jean

From: NANOG  On Behalf Of Matthew V
Sent: June 7, 2021 2:07 PM
To: nanog@nanog.org
Subject: Re: amazon.com multiple SPF records

On 2021-06-07 1:17 p.m., Jean St-Laurent via NANOG wrote:

What is spf2.0/pra ?

Is this new?

This is the old (now widely abandoned/deprecated) Sender ID standard.

~
Matt



Re: amazon.com multiple SPF records

2021-06-07 Thread Jonathan Leist via NANOG
SPF 2.0 was used to designate a SenderID policy. It was experimental and
never saw widespread adoption.

On Mon, Jun 7, 2021 at 1:19 PM Jean St-Laurent via NANOG 
wrote:

> What is spf2.0/pra ?
>
>
>
> Is this new?
>
>
>
> Jean
>
>
>
> *From:* NANOG  *On Behalf Of *Alec
> Peterson
> *Sent:* June 7, 2021 10:35 AM
> *To:* Brad Barnett 
> *Cc:* nanog@nanog.org
> *Subject:* Re: amazon.com multiple SPF records
>
>
>
> Hmm, are you sure?
>
>
>
> [ec2-user@ip-10-0-0-50 ~]$ dig amazon.com txt +short|grep spf
> "v=spf1 include:spf1.amazon.com include:spf2.amazon.com include:
> amazonses.com -all"
> "spf2.0/pra include:spf1.amazon.com include:spf2.amazon.com include:
> amazonses.com -all"
> [ec2-user@ip-10-0-0-50 ~]$
>
>
>
> On Mon, Jun 7, 2021 at 7:22 AM Brad Barnett  wrote:
>
>
> If anyone at Amazon is paying attention, you have duplicate spf1 records
> for amazon.com:
>
> # dig -t TXT amazon.com | grep spf
> amazon.com. 281 IN  TXT "spf2.0/pra include:
> spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
> amazon.com. 281 IN  TXT "v=spf1 include:
> amazon.com include:spf1.amazon.com include:spf2.amazon.com include:
> amazonses.com -all"
> amazon.com. 281 IN  TXT "v=spf1 include:
> spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
>
> It's causing mail deliverability issues, so users cannot reset their
> password, or even get OTP codes reliably.
>
> (I don't know where else to post, as whois/arin contacts aren't
> responding, and I can't even imagine trying to go through other methods
> of support...)
>
>

-- 
Jonathan Leist
Senior Systems Engineer


Re: amazon.com multiple SPF records

2021-06-07 Thread Matthew V

On 2021-06-07 1:17 p.m., Jean St-Laurent via NANOG wrote:


What is spf2.0/pra ?

Is this new?


This is the old (now widely abandoned/deprecated) Sender ID standard.

~
Matt



Re: amazon.com multiple SPF records

2021-06-07 Thread Bjørn Mork
Jean St-Laurent via NANOG  writes:

> What is spf2.0/pra ?

https://datatracker.ietf.org/doc/html/rfc4406

It doesn't say April 1st, but it is pretty close


Bjørn


RE: amazon.com multiple SPF records

2021-06-07 Thread Jean St-Laurent via NANOG
What is spf2.0/pra ?

Is this new?

Jean

From: NANOG  On Behalf Of Alec Peterson
Sent: June 7, 2021 10:35 AM
To: Brad Barnett 
Cc: nanog@nanog.org
Subject: Re: amazon.com multiple SPF records

Hmm, are you sure?

[ec2-user@ip-10-0-0-50 ~]$ dig amazon.com txt +short|grep spf
"v=spf1 include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
"spf2.0/pra include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
[ec2-user@ip-10-0-0-50 ~]$

On Mon, Jun 7, 2021 at 7:22 AM Brad Barnett <li...@l8r.net> wrote:

If anyone at Amazon is paying attention, you have duplicate spf1 records
for amazon.com:

# dig -t TXT amazon.com | grep spf
amazon.com. 281 IN  TXT "spf2.0/pra include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
amazon.com. 281 IN  TXT "v=spf1 include: amazon.com include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
amazon.com. 281 IN  TXT "v=spf1 include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"

It's causing mail deliverability issues, so users cannot reset their
password, or even get OTP codes reliably.

(I don't know where else to post, as whois/arin contacts aren't
responding, and I can't even imagine trying to go through other methods
of support...)



Re: IPv6 and multicast listener discovery

2021-06-07 Thread Dale W. Carder


Are your links or hosts limited in some way or broadcast domains
of some unreasonable size?  Most of the competent switching or 
managed wireless products will snoop or otherwise handle this 
overhead in a sane manner.  Otherwise this at best would seem to 
be an over-optimization.

From my days on a giant campus network the current pps rate of MLD
chatter was much lower than the IPX/SAP broadcasts we had from 
20-25 yrs earlier.

Dale

Thus spake William Herrin (b...@herrin.us) on Fri, Jun 04, 2021 at 02:01:19PM 
-0700:
> Howdy,
> 
> Question for those more versed in IPv6 than I: Is there any harm from
> dropping ICMPv6 multicast listener discovery reports in a network
> which does NOT use any multicast routing (i.e. only uses multicast
> which stays within the local link). I see a LOT of idle node chatter
> in the form of these reports which, of course, flood every station
> since they are themselves multicast. As far as I can tell they are
> used only to tell a multicast router whether to repeat a particular
> set of multicast packets to the instant link. Which in my network is
> -never- because there are no routed multicast packets to be repeated.
> 
> Regards,
> Bill Herrin
> 
> -- 
> William Herrin
> b...@herrin.us
> https://bill.herrin.us/


A survey on BGP MRAI timer values in practice

2021-06-07 Thread shahrooz

Hi NANOG,

This is Shahrooz, a fourth-year CS Ph.D. student at the University of 
Massachusetts Amherst working under the supervision of Prof. Arun 
Venkataramani.



We often read that the Internet (i.e. BGP) has a long convergence delay. 
But why is it so slow? And can we (researchers) do anything about it?
Please help us find out by answering our short anonymous survey 
(<10 minutes).



This survey aims at finding the best current practices on the Internet 
about MRAI/"delay out" timer values. We expect the findings to increase 
the understanding of the perceived BGP convergence on the Internet, 
which could then help researchers to design better solutions for BGP 
long convergence delay.


Survey URL: https://forms.gle/VNRpU2MzRU8DX1o57


We expect the questionnaire to be filled out by network operators whose 
job relates to BGP operations. It has a total of 6 questions and should 
take less than 10 minutes to answer.



A summary of the aggregate results will be published as a part of a 
scientific article later (hopefully :) this year.


Thank you so much in advance, and we look forward to reading your 
responses! We would also be extremely grateful if you could forward this 
email to any operator you might know who may not read NANOG.



Best,
Shahrooz


Re: amazon.com multiple SPF records

2021-06-07 Thread Alec Peterson
Hmm, are you sure?

[ec2-user@ip-10-0-0-50 ~]$ dig amazon.com txt +short|grep spf
"v=spf1 include:spf1.amazon.com include:spf2.amazon.com include:
amazonses.com -all"
"spf2.0/pra include:spf1.amazon.com include:spf2.amazon.com include:
amazonses.com -all"
[ec2-user@ip-10-0-0-50 ~]$

On Mon, Jun 7, 2021 at 7:22 AM Brad Barnett  wrote:

>
> If anyone at Amazon is paying attention, you have duplicate spf1 records
> for amazon.com:
>
> # dig -t TXT amazon.com | grep spf
> amazon.com. 281 IN  TXT "spf2.0/pra include:
> spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
> amazon.com. 281 IN  TXT "v=spf1 include:
> amazon.com include:spf1.amazon.com include:spf2.amazon.com include:
> amazonses.com -all"
> amazon.com. 281 IN  TXT "v=spf1 include:
> spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
>
> It's causing mail deliverability issues, so users cannot reset their
> password, or even get OTP codes reliably.
>
> (I don't know where else to post, as whois/arin contacts aren't
> responding, and I can't even imagine trying to go through other methods
> of support...)
>
>


Re: amazon.com multiple SPF records

2021-06-07 Thread Stephane Bortzmeyer
On Sat, Jun 05, 2021 at 07:59:40AM -0400,
 Brad Barnett  wrote 
 a message of 15 lines which said:

> If anyone at Amazon is paying attention, you have duplicate spf1 records
> for amazon.com:

If so, it is now gone. Not one RIPE Atlas probe sees this duplication:

% blaeu-resolve -r 100 --ednssize 4096 --type TXT amazon.com
["facebook-domain-verification=d9u57u52gylohx845ogo1axzpywpmq"
"google-site-verification=14wgw2mdnmxchg8plinf7lgqqe0owwhqoq0hkhb7rdq"
"ms=4b600b22799eb2cac0d8ff0a3a3caeca5ee2bf3a"
"pardot326621=b26a7b44d7c73d119ef9dfd1a24d93c77d583ac50ba4ecedd899a9134734403b"
"spf2.0/pra include:spf1.amazon.com include:spf2.amazon.com
include:amazonses.co "v=spf1 include:spf1.amazon.com
include:spf2.amazon.com include:amazonses.com -a
"wrike-verification=mzi3nzm2odo2ndk5mje4njq2mwjmotewmgmxm2mznzjmnwjly2u5zdu4mmvl]
: 95 occurrences
[ (TRUNCATED - EDNS buffer size was 4096 ) ] : 1 occurrences
Test #30676407 done at 2021-06-07T14:31:16Z



Re: amazon.com multiple SPF records

2021-06-07 Thread Josh Luthman
Not on my servers, but I clearly just did a lookup.

C:\Users\jluthman>dig -t TXT amazon.com|findstr spf
amazon.com. 900 IN  TXT "spf2.0/pra include:
spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
amazon.com. 900 IN  TXT "v=spf1 include:
spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"

Josh Luthman
24/7 Help Desk: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373


On Mon, Jun 7, 2021 at 10:19 AM Brad Barnett  wrote:

>
> If anyone at Amazon is paying attention, you have duplicate spf1 records
> for amazon.com:
>
> # dig -t TXT amazon.com | grep spf
> amazon.com. 281 IN  TXT "spf2.0/pra include:
> spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
> amazon.com. 281 IN  TXT "v=spf1 include:
> amazon.com include:spf1.amazon.com include:spf2.amazon.com include:
> amazonses.com -all"
> amazon.com. 281 IN  TXT "v=spf1 include:
> spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
>
> It's causing mail deliverability issues, so users cannot reset their
> password, or even get OTP codes reliably.
>
> (I don't know where else to post, as whois/arin contacts aren't
> responding, and I can't even imagine trying to go through other methods
> of support...)
>
>


Re: NANOG Digest, Vol 161, Issue 8

2021-06-07 Thread Henry Helmes
We swear by the Brother P-touch EDGE PTE550W. It’s reasonably priced and
offers an extensive feature set. In addition to the QWERTY keyboard the
built in WiFi allows us to connect it to our laptops and/or smartphones to
print out labels that we generate from Netbox.

Best,
Henry

On Sun, Jun 6, 2021 at 8:00 AM  wrote:

>
> Message: 1
> Date: Sat, 5 Jun 2021 12:55:10 -0700
> From: Eric Kuhnke 
> To: "nanog@nanog.org list" 
> Subject: OSI layer 1 and revisiting labelmakers in the year 2021
> Message-ID:
>  mpr48pfn8d...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
>  I am still using a Dymo 4200 [1] which is generally okay. I am wondering
> if anyone or their field tech team has recently changed to a better label
> maker in terms of feature set, battery life/charging or label consumable
> cost.
>
> Surely there must be something better out there. Strong preference for
> QWERTY keyboards, no ABCDE type.
>
> [1]: https://www.dymo.com/en_CA/rhino-industrial-4200-qwy.html
-- 

Henry Helmes

(646) 878-9138 | pilotfiber.com

he...@pilotfiber.com


Re: NAT devices not translating privileged ports

2021-06-07 Thread Alvaro Pereira
For Linux iptables SNAT (used with --to-source), the default is to change
the packet as little as possible.

https://linux.die.net/man/8/iptables
"If no port range is specified, then source ports below 512 will be mapped
to other ports below 512: those between 512 and 1023 inclusive will be
mapped to ports below 1024, and other ports will be mapped to 1024 or
above.
Where possible, no port alteration will occur."

So, if there are no "collisions", the same src port will be used. If there
are "collisions" (multiple flows with the same src port and dst IP/port),
then another src port within its "range" will be used.

But it can be configured, for example, to use ports 1024-65535, in which
case flows with src port < 1024 will end up using ports > 1024 after they
are NATed.

https://datatracker.ietf.org/doc/html/rfc6335#section-6 is also a good
reference.

Alvaro

On Fri, Jun 4, 2021 at 10:14 AM Blake Hudson  wrote:

> Current gen Cisco ASA firewalls have logic so that if the connection
> from a private host originated from a privileged source port, the NAT
> translation to public IP also uses an unprivileged source port (not
> necessarily the same source port though).
>
> I found out that this behavior can cause issues when you have devices on
> your network that implement older DNS libraries or configs using UDP 53
> as a source and destination port for their DNS lookups. Occasionally the
> source port gets translated to one that ISC BIND servers have in a
> blocklist (chargen, echo, time, and a few others) and the query is
> ignored. As I recall, this behavior is hard coded so patching and
> recompiling BIND is required to work around it.
>
> I forget what the older ASA behavior was. It may have been to leave the
> source port unchanged through the NAT process (I think this is what you
> mean by "not translated"). In that case the client doesn't implement
> source port randomization and the NAT doesn't "upgrade" the connection
> to a random source port so I don't really see it as an issue. Ideally
> the client would implement source port randomization itself so it would
> be using source ports within its ephemeral port range for outgoing
> connections.
>
> --Blake
>
>
> On 6/4/2021 7:36 AM, Jean St-Laurent via NANOG wrote:
> > I believe all devices will translate a privileged port, but it won't
> > translate to the same number on the other side. It will translate to an
> > unprivileged port. Is it what you meant or really there are some devices
> > that will not translate at all a privileged port?
> >
> > What are you trying to achieve?
> >
> > Jean
> >
> > -Original Message-
> > From: NANOG  On Behalf Of Fernando Gont
> > Sent: June 4, 2021 3:00 AM
> > To: nanog@nanog.org
> > Subject: NAT devices not translating privileged ports
> >
> > Folks,
> >
> > While discussing port randomization (in the context of
> > https://www.ietf.org/archive/id/draft-ietf-ntp-port-randomization-06.txt
> > ), it has been raised to us that some NAT devices do not translate the
> > source port if the source port is a privileged port (<1024).
> >
> > Any clues/examples of this type of NATs?
> >
> > Thanks!
> >
> > Regards,
> > --
> > Fernando Gont
> > Director of Information Security
> > EdgeUno, Inc.
> > PGP Fingerprint: DFBD 63E3 B248 AE79 C598 AF23 EBAE DA03 0644 1531
> >
> >
> >
> >
> >
>
>
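
The port-class rule quoted from iptables(8) in the reply above, as a small model (an added example, not code from any poster or from the kernel). It shows which translated source port a flow gets with and without an explicit 1024-65535 range. Assumptions: the class bounds follow the man-page wording only, the "first free port from the bottom of the range" selection is a simplification, and the names and the 192.0.2.53 / 198.51.100.53 resolvers are hypothetical.

```python
from itertools import chain


def port_class(sport):
    """Default SNAT port class for a source port, per the quoted iptables(8) text."""
    if sport < 512:
        return (1, 511)       # "ports below 512 will be mapped to other ports below 512"
    if sport < 1024:
        return (1, 1023)      # "mapped to ports below 1024" (no lower bound is stated)
    return (1024, 65535)      # "mapped to 1024 or above"


class SnatTable:
    """Toy model of one public address doing source NAT."""

    def __init__(self, port_range=None):
        self.port_range = port_range  # explicit range such as (1024, 65535), or None
        self.in_use = set()           # (translated sport, dst ip, dst port)

    def translate(self, sport, dst_ip, dst_port):
        lo, hi = self.port_range or port_class(sport)
        # "Where possible, no port alteration will occur": try the original first.
        keep = [sport] if lo <= sport <= hi else []
        # Assumption: otherwise take the first free port scanning up from `lo`.
        for port in chain(keep, range(lo, hi + 1)):
            key = (port, dst_ip, dst_port)
            if key not in self.in_use:
                self.in_use.add(key)
                return port
        raise RuntimeError("no free source port left in range")


def demo():
    resolver = ("192.0.2.53", 53)  # constructed documentation address
    default = SnatTable()
    ranged = SnatTable(port_range=(1024, 65535))
    return {
        # Two inside hosts both use UDP 53 as source port toward the same resolver,
        # then one talks to a different resolver, then an ephemeral-port flow.
        "default": [
            default.translate(53, *resolver),
            default.translate(53, *resolver),
            default.translate(53, "198.51.100.53", 53),
            default.translate(40000, *resolver),
        ],
        "ranged": [
            ranged.translate(53, *resolver),
            ranged.translate(53, *resolver),
            ranged.translate(40000, *resolver),
        ],
    }


if __name__ == "__main__":
    print(demo())
```

In the default case the colliding flow stays inside the privileged class, which is where a translated port can land on a low service port; with the explicit range every flow from port 53 leaves from 1024 or above.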


amazon.com multiple SPF records

2021-06-07 Thread Brad Barnett


If anyone at Amazon is paying attention, you have duplicate spf1 records
for amazon.com:

# dig -t TXT amazon.com | grep spf
amazon.com. 281 IN  TXT "spf2.0/pra 
include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
amazon.com. 281 IN  TXT "v=spf1 include: amazon.com 
include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
amazon.com. 281 IN  TXT "v=spf1 include:spf1.amazon.com 
include:spf2.amazon.com include:amazonses.com -all"

It's causing mail deliverability issues, so users cannot reset their
password, or even get OTP codes reliably.

(I don't know where else to post, as whois/arin contacts aren't
responding, and I can't even imagine trying to go through other methods
of support...)
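
Why the three-record answer breaks mail while the two-record answer does not, as an added example (not code from anyone in the thread): RFC 7208 section 4.5 has a receiver keep only TXT records whose version is exactly `v=spf1` and return permerror when more than one remains, while the `spf2.0/pra` Sender ID record is not counted. The function names are hypothetical; the sample records are the ones quoted in the thread, re-joined onto single lines.

```python
import re

# The answer from the first post (three records), re-joined from the wrapped lines.
REPORTED = '''\
amazon.com. 281 IN  TXT "spf2.0/pra include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
amazon.com. 281 IN  TXT "v=spf1 include: amazon.com include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
amazon.com. 281 IN  TXT "v=spf1 include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
'''

# The later `dig +short` answer from the replies (two records).
LATER = '''\
"v=spf1 include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
"spf2.0/pra include:spf1.amazon.com include:spf2.amazon.com include:amazonses.com -all"
'''

_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def txt_values(dig_output):
    """Return one string per TXT record from dig output (full or +short form)."""
    values = []
    for line in dig_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank lines and dig comment lines
        # Full answer lines carry "IN TXT" before the rdata; +short lines are rdata only.
        rdata = re.split(r"\sIN\s+TXT\s+", line, maxsplit=1)[-1]
        chunks = _QUOTED.findall(rdata)
        if chunks:
            # A record split into several character-strings is joined without spaces.
            values.append("".join(chunks))
    return values


def is_spf1(value):
    """True only for a version of exactly v=spf1, ended by a space or end of record."""
    return re.match(r"v=spf1( |$)", value, re.IGNORECASE) is not None


def select_spf(values):
    """Apply the record-selection step and report what a receiver would conclude."""
    spf1 = [v for v in values if is_spf1(v)]
    sender_id = [v for v in values if v.lower().startswith("spf2.0/")]
    if not spf1:
        result = "none"
    elif len(spf1) > 1:
        result = "permerror"  # more than one v=spf1 record published
    else:
        result = "ok"
    return {"result": result, "spf1": spf1, "sender_id": sender_id}


if __name__ == "__main__":
    for label, answer in (("reported", REPORTED), ("later", LATER)):
        verdict = select_spf(txt_values(answer))
        print(label, verdict["result"], len(verdict["spf1"]), "v=spf1 record(s)")
```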