Re: 10G CPE w/VXLAN - vendors?

2023-06-18 Thread Mark Tinka




On 6/19/23 02:10, Patrick Cole wrote:

> Ciena has supported MPLS-TE on this platform for a long time, not just
> TP. Back 15+ years ago, I built such a network. At the time, the
> code was extremely green, did not support FRR, only active/standby
> LSPs. Although it appeared to work fine in the lab environment,
> when stress tested under extreme rolling BFD flap events in our field
> microwave network, the SW fell apart with control plane data
> corruption and associated HW misprogramming. The vendor's answer to
> debugging and diagnosis was to crontab bcm debug commands and pipe it
> over the network with netcat due to lack of even support for remote
> syslog; I wouldn't wish it on my worst enemy. Ripped everything and
> replaced with Cisco ASR, and never slept better.


That's been the general theme with operators who are traditionally Layer 
1 or Layer 2 service providers, looking to dabble into packet switching. 
It often makes sense for them to speak to their Transport vendor, as 
their gear is already an installed base.


Two or so years later, those operators will be ripping those Transport 
boxes out and replacing them with more traditional packet switching 
gear, as you did as well.


Transport vendors continue to push their boxes as being MPLS-capable 
routers. It tends to be a "tick the box that we had that conversation 
this new year, make it last at least 3 seconds, and then carry on with 
real talk" situation :-).


Mark.


Call for Nominations for Board of Trustees and Advisory Council

2023-06-18 Thread John Sweeting
Hello NANOGers,

Nominations for ARIN’s Board of Trustees and Advisory Council are now open. All 
nominations are “self” nominations. Please see message below for further 
details.

Thanks,

John S.
ARIN CCO

From: General-members  on behalf of ARIN 

Date: Friday, June 16, 2023 at 3:01 PM
To: "general-memb...@arin.net" 
Subject: [General-members] Call for Nominations for Board of Trustees and 
Advisory Council


ARIN is accepting nominations now through 7:00 PM ET on Friday, 30 June 2023, 
to fill four seats on the Board of Trustees and six seats on the Advisory 
Council (AC). Candidates elected to full terms are expected to serve three-year 
terms beginning 1 January 2024, and incumbents may be reelected for consecutive 
terms. If you are interested in playing a pivotal role within the ARIN 
community, please be sure to review the requirements and submit your nomination 
today! Nominations may be submitted at:

  *   Board of Trustees Nomination:
https://www.surveymonkey.com/r/2023Board-Nom
  *   Advisory Council Nomination:
https://www.surveymonkey.com/r/2023AC-Nom

Nomination Requirements

Any individual may submit a self-nomination for a seat on either the Board or 
AC. Association with a General Member organization is not required. Nominees 
will be assessed based on the direction received from the Board and AC, as 
outlined in the following guidance letters:

  *   Board Guidance Letter to the Nomination Committee
https://www.arin.net/vault/participate/elections/board_nomcom_guidance2023.pdf
  *   AC Guidance Letter to the Nomination Committee
https://www.arin.net/vault/participate/elections/ac_nomcom_guidance2023.pdf

To view the requirements, expected qualifications, and/or responsibilities for 
these elected positions, please visit:

  *   Board of Trustees:
https://www.arin.net/about/welcome/board/requirements/
  *   Advisory Council:
https://www.arin.net/about/welcome/ac/requirements/

All nominees must confirm that they do not violate the Nomination and 
Appointment Conflict of Interest Requirements found at: 
https://www.arin.net/participate/oversight/elections/processes/conflicts/

Completed nominee questionnaires must be submitted before the Call for 
Nominations closes at 7:00 PM ET on Friday, 30 June. In addition, Board 
nominees must digitally sign a release form allowing an independent third party 
to conduct a background check. Nominees who do not complete the required steps 
will not be eligible for consideration.

Nomination Process and Election Slate Development

For detailed information on the ARIN Election nomination process, please visit:
https://www.arin.net/participate/oversight/elections/processes/#iv-nominations-process

For 2023, the process for evaluating nominees is notably different. The 
Nomination Committee (NomCom) is responsible for helping in the recruitment of 
individuals to self-nominate for the election. All nominees must self-nominate 
and complete all nomination materials to be considered for the Initial 
Candidate Slate. Nominees will be evaluated and assessed by an independent, 
third-party vendor, and all qualified nominees will appear on the ballot. The 
evaluation of qualifications will be based on the nominee questionnaire 
responses, background checks (Board only) and interviews, and the guidance 
letters received from the Board and AC.

The Candidate Slate will include at least five candidates for the Board and at 
least seven candidates for the AC. The open seats up for election will include 
three three-year term seats and one one-year term seat for the Board; for the 
AC, there will be five three-year term seats and one one-year term seat. Seats 
with partial terms are filled by the nonelected candidate who possesses the 
highest number of votes cast for the position and who is willing to serve.

Additional information about the Nomination Process:

  *   NomCom members:
https://www.arin.net/about/welcome/board/committees/#nomination-committee-nomcom
  *   NomCom Charter:
https://www.arin.net/about/welcome/board/committees/charters/#nomcom

Initial Slate

With the completion of its qualification classification process, the NomCom 
will provide an Initial Slate of Candidates for the Board and AC based on the 
assessments and information provided by the third-party vendor. The only 
nominees not included on this initial slate will be individuals who were 
classified as “Unable to Qualify” based on the evaluation criteria. ARIN will 
announce the Initial Slate of Candidates on Tuesday, 5 September 2023.

For more information about ARIN Elections, the 2023 Election Calendar, or 
details of the process, please visit:
https://www.arin.net/participate/oversight/elections/

If you have specific questions or need to request additional information, 
please contact electi...@arin.net.

Regards,

Jason Byrne
Senior Customer Success Analyst
American Registry for Internet Numbers (ARIN)

Individuals whose terms will conclude on 31 Decem

Re: New addresses for b.root-servers.net

2023-06-18 Thread niels=nanog

* nanog@nanog.org (Cynthia Revström via NANOG) [Sun 18 Jun 2023, 20:52 CEST]:

> Naturally C root is fine on HE over IPv4, the issue is with IPv6.
> 2001:500:2::c is not reachable over HE.


You're absolutely correct. Maybe their LG defaulting to IPv6 made my 
brain short-circuit. (Their looking glass took longer to render that 
than its own cache timeout.)



-- Niels.


Re: New addresses for b.root-servers.net

2023-06-18 Thread Cynthia Revström via NANOG
Naturally C root is fine on HE over IPv4, the issue is with IPv6.
2001:500:2::c is not reachable over HE.

-Cynthia

On Sun, Jun 18, 2023 at 8:10 PM  wrote:
>
> * na...@as397444.net (Matt Corallo) [Sun 18 Jun 2023, 19:12 CEST]:
> >If it's not useful, please describe a mechanism by which an average
> >recursive resolver can be protected against someone hijacking C root
> >on Hurricane Electric (which doesn't otherwise have the announcement
> >at all, last I heard) and responding with bogus data?
>
> No comment on DNSSEC but lg.he.net indicates that they do in fact
> carry a route to C-root:
> ---
> 1   76 ms   *   *   port-channel2.core2.pao1.he.net (72.52.92.65)
> 2   44 ms   63 ms   78 ms   palo-b24-link.ip.twelve99.net (195.12.255.209)
> 3   55 ms   66 ms   103 ms  cogent-ic-344188.ip.twelve99-cust.net (62.115.174.65)
> 4   74 ms   57 ms   120 ms  be2431.ccr41.sjc03.atlas.cogentco.com (154.54.88.189)
> 5   142 ms  99 ms   79 ms   be3142.ccr21.sjc01.atlas.cogentco.com (154.54.1.193)
> 6   53 ms   75 ms   111 ms  be3176.ccr41.lax01.atlas.cogentco.com (154.54.31.189)
> 7   82 ms   133 ms  85 ms   te0-0-2-0.c-root.lax01.atlas.cogentco.com (154.54.27.138)
> 8   60 ms   152 ms  84 ms   c.root-servers.net (192.33.4.12)
> Entry cached for another 60 seconds. 2023-06-18 17:57:17 UTC
> ---
>
> I don't see any ROAs for AS2149's two originated prefixes, though:
> https://irrexplorer.nlnog.net/prefix/192.33.4.0/24 so hijacks might
> still be easier than they could be.
>
> Regards
>
>
> -- Niels.


Re: New addresses for b.root-servers.net

2023-06-18 Thread niels=nanog

* na...@as397444.net (Matt Corallo) [Sun 18 Jun 2023, 19:12 CEST]:
> If it's not useful, please describe a mechanism by which an average
> recursive resolver can be protected against someone hijacking C root
> on Hurricane Electric (which doesn't otherwise have the announcement
> at all, last I heard) and responding with bogus data?


No comment on DNSSEC but lg.he.net indicates that they do in fact 
carry a route to C-root:

---
1   76 ms   *   *   port-channel2.core2.pao1.he.net (72.52.92.65)
2   44 ms   63 ms   78 ms   palo-b24-link.ip.twelve99.net (195.12.255.209)
3   55 ms   66 ms   103 ms  cogent-ic-344188.ip.twelve99-cust.net (62.115.174.65)
4   74 ms   57 ms   120 ms  be2431.ccr41.sjc03.atlas.cogentco.com (154.54.88.189)
5   142 ms  99 ms   79 ms   be3142.ccr21.sjc01.atlas.cogentco.com (154.54.1.193)
6   53 ms   75 ms   111 ms  be3176.ccr41.lax01.atlas.cogentco.com (154.54.31.189)
7   82 ms   133 ms  85 ms   te0-0-2-0.c-root.lax01.atlas.cogentco.com (154.54.27.138)
8   60 ms   152 ms  84 ms   c.root-servers.net (192.33.4.12)
Entry cached for another 60 seconds. 2023-06-18 17:57:17 UTC
---

I don't see any ROAs for AS2149's two originated prefixes, though: 
https://irrexplorer.nlnog.net/prefix/192.33.4.0/24 so hijacks might 
still be easier than they could be.


Regards


-- Niels.
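
An added example, not part of the original message: a small RFC 6811 route origin validation routine showing why a prefix with no covering ROA, as observed above for 192.33.4.0/24, is never rejected by a drop-invalid import policy whatever AS originates it. The ROA set is constructed for illustration and is not real RPKI data; 192.0.2.0/24, AS64500 and AS64511 are documentation values.

```python
import ipaddress
from typing import NamedTuple


class ROA(NamedTuple):
    prefix: str
    max_length: int
    asn: int


# Constructed sample ROA set (assumption, not real RPKI data). It deliberately
# contains nothing covering 192.33.4.0/24, matching the observation above.
SAMPLE_ROAS = [ROA("192.0.2.0/24", 24, 64500)]


def validate_origin(route_prefix, origin_asn, roas):
    """RFC 6811 origin validation: returns 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(route_prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA covers the route if the route lies inside the ROA prefix.
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # A match needs the same origin AS (AS0 never matches) and a route
        # no more specific than the ROA's maxLength.
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def accepted(state, drop_invalid=True):
    """Common import policy: only 'invalid' routes are rejected."""
    return not (drop_invalid and state == "invalid")


if __name__ == "__main__":
    cases = [
        ("192.33.4.0/24", 2149),   # origin named in the message, no ROA
        ("192.33.4.0/24", 64511),  # unexpected origin, still no ROA
        ("192.0.2.0/24", 64500),   # covered, matching origin
        ("192.0.2.0/24", 64511),   # covered, wrong origin
        ("192.0.2.0/25", 64500),   # covered, more specific than maxLength
    ]
    for prefix, asn in cases:
        state = validate_origin(prefix, asn, SAMPLE_ROAS)
        print(f"{prefix:16} AS{asn:<6} {state:10} accepted={accepted(state)}")
```
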


Re: New addresses for b.root-servers.net

2023-06-18 Thread Matt Corallo




On 6/18/23 12:53 AM, Masataka Ohta wrote:

> Matt Corallo wrote:
>
>> That's great in theory, and folks should be using DNSSEC [1],
>
> Wrong.
>
> Both in theory and practice, DNSSEC is not secure end to
> end

Indeed, but (a) there's active work in the IETF to change that (DNSSEC stapling to TLS certs) and 
(b) that wasn't the point - the above post said "It’s not like you can really trust your packets 
going to B _today_ are going to and from the real B (or Bs)." which is exactly what DNSSEC protects 
against! It may not protect the client, but it protects the recursive resolver, which is often on 
the same AS as the client (or if it's not, it's usually connected via DoH/DoT, which is itself a 
secure channel).

> and is not very useful.

If it's not useful, please describe a mechanism by which an average recursive resolver can be 
protected against someone hijacking C root on Hurricane Electric (which doesn't otherwise have the 
announcement at all, last I heard) and responding with bogus data?

Or, alternatively, describe a mechanism which allows a recursive resolver to not return bogus data 
in the case of *any* authoritative server BGP hijack.

> For example, root key rollover is as easy/difficult as
> updating IP addresses for b.root-servers.net.

Then maybe read the rest of this thread, cause lots of folks pointed out issues with *just* updating 
the IP and not bothering to give it some time to settle :)


Matt


Re: New addresses for b.root-servers.net

2023-06-18 Thread Masataka Ohta

Matt Corallo wrote:


> That's great in theory, and folks should be using DNSSEC [1],


Wrong.

Both in theory and practice, DNSSEC is not secure end to
end and is not very useful.

For example, root key rollover is as easy/difficult as
updating IP addresses for b.root-servers.net.

Masataka Ohta