Paramount+ anyone here? Please contact off list

2023-09-26 Thread Norman Jester
Looking for some connectivity help with routing, a unique problem.
Please contact me off-list.

Norman Jester
619-319-7055 (I prefer WhatsApp or Text if you do too.)


Re: constraining RPKI Trust Anchors

2023-09-26 Thread Matt Corallo
Thank you!

This is awesome and very, very much needed work.

RPKI has plugged some major security issues with the DFZ, but in exchange 
introduced substantial other ones. It sucks it took AFRINIC imploding to 
motivate more time fixing it, but I’m super glad you’re working on it!

We should also consider further constraining RPKI, IMO, though how isn’t 
entirely clear. One further possible change would be for RIR allocation changes 
to be delayed by validators such that any loss of address space by RPKI 
enforcement takes a few months, giving operators some time to respond.

Matt

> On Sep 26, 2023, at 09:56, Job Snijders via NANOG  wrote:
> 
> Dear all,
> 
> Two weeks ago AFRINIC was placed under receivership by the Supreme Court
> of Mauritius. This event prompted me to rethink the RPKI trust model and
> associated risk surface.
> 
> The RPKI technology was designed to be versatile and flexible to
> accommodate a myriad of real-world deployment scenarios including
> multiple trust anchors existing, inter-registry transfers, multiple
> transports, and permissionless innovation for signed objects, for
> example. All good and well ... but of course there is a fine print. :-)
> 
> Over the years various people have expressed astonishment about each RIR
> having issued so-called 'all-resources' (0.0.0.0/0 + ::/0) trust anchor
> certificates, but this aspect often is misunderstood: the risk is not
> necessarily in the listing of 'all-resources' itself, it is in the RIR
> being able to issue an 'all-resources' certificate in the first place.
> RPKI trust anchor operators indeed can voluntarily reduce the scope of
> subordinate Internet Number Resources, but just as easily increase the
> scope of their authority. In other words, a trust anchor cannot truly
> constrain itself.
> 
> Upon reconsideration of how exactly RPKI hooks into the real world, I
> concluded trust anchors do not require unbounded trust in order to
> provide constructive services in the realm of BGP routing security.
> 
> Some examples: ARIN does not support inter-RIR IPv6 transfers, so it
> would not make any sense to see a ROA subordinate to ARIN's trust anchor
> covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense
> to observe a ROA covering ARIN-managed IPv6 space under APNIC's,
> LACNIC's, or RIPE's trust anchor - even if a cryptographically valid
> certificate path existed. Along these lines AFRINIC doesn't support
> inter-RIR transfers of any kind; and none of the RIRs have authority
> over private resources like 10.0.0.0/8 or AS 65535. It seems feasible to
> paint constraints around RPKI trust anchors in broad strokes.
> 
> Over the last two weeks I've diligently worked with Theo Buehler to
> research RIR transfer policies, untangle the history of the IANA->RIR
> and RIR->RIR allocation spaghetti, design & implement a maintainable
> constraints mechanism for rpki-client(8), and publicly document the
> concept of applying operator-defined policy to derived trust arcs.
> 
> Please take a moment to read
> https://www.ietf.org/archive/id/draft-snijders-constraining-rpki-trust-anchors-00.html
> 
> Your feedback is appreciated.
> 
> Kind regards,
> 
> Job


RE: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Tony Wicks
Oh, well that's fair enough then. Most engineers I know have sold off the 
goldmine that is historic IP blocks at this point. I'd doubt there is much 
advantage in using your own at this point though, with Google moving to their 
highly annoying reputation-based blocking. So having no email coming from an IP 
is almost as bad as having spam coming from other IPs in the block. They will 
"spam folder" email from fresh IPs until enough users "mark as not spam". I've 
taken to spending an hour or two replying to my own emails and "marking as not 
spam" if I change IP on an email host, and it clears up eventually. Microsoft 
can randomly block at any time, but reporting it here - 
https://olcsupport.office.com/ - generally gets a human in a day or two that 
manually whitelists the IP. Google and V6 have been a total nightmare as they 
just randomly hard block for no reason and there is no way to ever have any 
human fix it (after ensuring all their guidelines are followed), so I've given 
up trying to use V6 to send email to Google.




-Original Message-
From: Mel Beckman  
Sent: Wednesday, September 27, 2023 7:51 AM
To: Tony Wicks 
Cc: Daniel Corbe ; nanog@nanog.org
Subject: Re: SMTP-friendly VPS provider where I can also get a BGP feed

Tony,

BGP is helpful for email servers if you own your own clean IP space, because 
much cloud IP space is blacklisted.

-mel via cell




Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Delong.com via NANOG
I’ve had great luck with Netactuate. Their pricing is decent but not super 
cheap, and they provide excellent customer service and are very friendly and 
responsive. Their network is also top notch and trouble free.

Owen



> On Sep 26, 2023, at 11:50, Mel Beckman  wrote:
> 
> Tony,
> 
> BGP is helpful for email servers if you own your own clean IP space, because 
> much cloud IP space is blacklisted.
> 
> -mel via cell
> 
>> On Sep 26, 2023, at 11:41 AM, Tony Wicks  wrote:
>> 
>> I can't speak to the bgp feed as this seems like unnecessary complication 
>> to me, but I use https://www.racknerd.com/ for personal email/web hosting 
>> KVM VMs and have found them to be excellent. They have yearly Black Friday 
>> specials (last year's - https://www.racknerd.com/BlackFriday/ ) that are very 
>> attractive. They don't block any ports on their US/Europe VMs. I use a 
>> primary pair in one city and rsync everything to a backup pair in another 
>> city (as well as home just to make sure). Not all cities can get V6 but most 
>> do.
>> 
>> 
>> 
>> -Original Message-
>> From: NANOG  On Behalf Of Daniel 
>> Corbe
>> Sent: Tuesday, September 26, 2023 11:09 PM
>> To: nanog@nanog.org
>> Subject: SMTP-friendly VPS provider where I can also get a BGP feed
>> 
>> Hey all,
>> 
>> I apologize if this isn't the right place to post this; however, I thought 
>> maybe the NANOG community would be able to point me in the right direction.
>> 
>> I'm looking for a place that I can host a mailer.  My primary use case is a 
>> Mailman-style technical discussion list; much like NANOG but software 
>> related instead of network related: READ: non-commercial in nature.
>> 
>> I'm currently a vultr customer, but they're refusing to unblock port 25 on 
>> my account.  I've tried explaining my use case but no matter who I talk to 
>> over there they just keep pointing me to their spam policy.
>> 
>> Thanks!
>> -Daniel
>> 



Re: constraining RPKI Trust Anchors

2023-09-26 Thread Job Snijders via NANOG
Dear Matthew,

See below

On Tue, 26 Sep 2023 at 20:49, Matthew Petach  wrote:

>
> Job,
>
> This looks fantastic, thank you!
>
> For my edification and clarification, the reason you don't need a
>
> deny 2000::/3
>
> or
>
> deny 0::/0
>
> at the bottom of the ARIN list of allows is that every file comes with an
> implicit "deny all", is that correct?
>
> Is there a drawback to adding the explicit "deny 0::/0" at the bottom of
> the file, to make it clear that everything else will return "invalid"?
> I tend to prefer being explicit in my configurations, rather than
> depending upon implicit behaviours which might change with future versions
> of software releases.
>


Sorry, the lede is a bit buried on how exactly the policy language works.
It’s in the appendix, and the example source code offers hints too:
https://marc.info/?l=openbsd-tech=169574305230941=2

I’ll elaborate a bit here: the order of the entries in each constraints
file is not significant. All “deny” entries take precedence over all “allow”
entries. Individual “deny” entries may not overlap with any other “deny”
entries. Individual “allow” entries may not overlap with other “allow”
entries. Deny entries are available to punch holes in allow entries, as a
shortcut. If overlapping constraints are configured, the program errors.

If a constraint is applied to a resource class (for example by specifying
just a single “allow 2000::/3” entry), all EE certificates with IPv6
resources in their respective RFC 3779 extensions under that TA must be
encompassed in that single allow entry. So the “implicit deny” comes into
effect the moment you’d configure at least one allow entry for a resource
class (IPv4, IPv6, or AS numbers). This is why no additional “deny the
rest” line is needed in the case of ARIN.

This approach was the best I could muster on short notice. My objective
wasn’t to invent a policy language everyone should adopt, but rather to
draw attention to the concept of constraining RPKI trust anchors and
provide some running code to advance the dialogue.

Thank you for reading the document and asking questions!

Kind regards,

Job


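The precedence, non-overlap and implicit-deny rules Job describes above, worked through in a small Python model; this is an added example written for this digest, not rpki-client's constraints code or the draft's grammar. It assumes a minimal `allow <prefix>` / `deny <prefix>` syntax covering only the IPv4 and IPv6 resource classes (the AS-number class is left out), and the constraints files and certificate resources it evaluates are constructed samples.

```python
from ipaddress import ip_network


def _overlaps(a, b):
    """Two prefixes of the same family overlap iff one contains the other."""
    return a.version == b.version and (a.subnet_of(b) or b.subnet_of(a))


def parse_constraints(text):
    """Parse 'allow <prefix>' / 'deny <prefix>' lines (hypothetical minimal
    syntax) into {4: (allows, denies), 6: (allows, denies)}.

    Entry order is ignored. Two allow entries, or two deny entries, of the
    same class that overlap raise ValueError ("the program errors"). An allow
    and a deny may overlap: that is the hole-punching shortcut.
    """
    table = {4: ([], []), 6: ([], [])}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        verb, _, arg = line.partition(" ")
        if verb not in ("allow", "deny") or not arg.strip():
            raise ValueError(f"unparseable constraint line: {raw!r}")
        prefix = ip_network(arg.strip())
        allows, denies = table[prefix.version]
        bucket = allows if verb == "allow" else denies
        for existing in bucket:
            if _overlaps(existing, prefix):
                raise ValueError(f"overlapping {verb} entries: {existing} / {prefix}")
        bucket.append(prefix)
    return table


def resource_permitted(prefix, table):
    """Decide whether one RFC 3779 prefix is acceptable under the constrained TA.

    1. Any overlap with a deny entry rejects it: deny takes precedence, and a
       deny nested inside an allow is exactly the punched hole.
    2. If the class (IPv4 or IPv6) has at least one allow entry, the prefix
       must be encompassed by one of them: the implicit deny-the-rest.
    3. A class with no allow entries is unconstrained apart from its denies.
    """
    allows, denies = table[prefix.version]
    if any(_overlaps(prefix, d) for d in denies):
        return False
    if allows:
        return any(prefix.subnet_of(a) for a in allows)
    return True


def certificate_accepted(resources, table):
    """An EE certificate passes only if every prefix it carries passes."""
    return all(resource_permitted(ip_network(r), table) for r in resources)


# Constructed sample constraints file; not any RIR's real list.
SAMPLE = """
# IPv6: two allow entries, with one hole punched out of the first
allow 2600::/12
allow 2610::/23
deny 2600:db8::/32
# IPv4: no allow entries at all, so only the deny bites
deny 10.0.0.0/8
"""

# Constructed allow-only file, with and without an explicit "deny 0::/0".
ALLOWS_ONLY = "allow 2600::/12\nallow 2610::/23\n"
ALLOWS_PLUS_DENY_ALL = ALLOWS_ONLY + "deny 0::/0\n"


def run_examples():
    """Evaluate constructed certificates against the sample files."""
    table = parse_constraints(SAMPLE)
    results = {
        "inside allow": certificate_accepted(["2600:1::/32"], table),
        "outside every allow": certificate_accepted(["2a00:1::/32"], table),
        "inside punched hole": certificate_accepted(["2600:db8:1::/48"], table),
        "v4 with no allows": certificate_accepted(["192.0.2.0/24"], table),
        "v4 hitting deny": certificate_accepted(["10.1.0.0/16"], table),
    }
    # Two overlapping allow entries are a configuration error, not a merge.
    try:
        parse_constraints("allow 2600::/12\nallow 2600:1::/32\n")
        results["overlapping allows rejected"] = False
    except ValueError:
        results["overlapping allows rejected"] = True
    # Under the stated precedence rule an explicit deny-all is not a synonym
    # for the implicit deny: it overrides the allow entries as well.
    results["allow-only accepts"] = certificate_accepted(
        ["2600:1::/32"], parse_constraints(ALLOWS_ONLY))
    results["explicit deny-all overrides allows"] = certificate_accepted(
        ["2600:1::/32"], parse_constraints(ALLOWS_PLUS_DENY_ALL))
    return results


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name:40s} {'accepted' if verdict else 'rejected'}")
```

The last two results bear on Matt's question: in this model an explicit `deny 0::/0` does not merely restate the implicit deny, it outranks the allow entries too.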

Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Mel Beckman
Tony,

BGP is helpful for email servers if you own your own clean IP space, because 
much cloud IP space is blacklisted.

-mel via cell

> On Sep 26, 2023, at 11:41 AM, Tony Wicks  wrote:
> 
> I can't speak to the bgp feed as this seems like unnecessary complication to 
> me, but I use https://www.racknerd.com/ for personal email/web hosting KVM 
> VMs and have found them to be excellent. They have yearly Black Friday 
> specials (last year's - https://www.racknerd.com/BlackFriday/ ) that are very 
> attractive. They don't block any ports on their US/Europe VMs. I use a 
> primary pair in one city and rsync everything to a backup pair in another 
> city (as well as home just to make sure). Not all cities can get V6 but most 
> do.
> 
> 
> 
> -Original Message-
> From: NANOG  On Behalf Of Daniel 
> Corbe
> Sent: Tuesday, September 26, 2023 11:09 PM
> To: nanog@nanog.org
> Subject: SMTP-friendly VPS provider where I can also get a BGP feed
> 
> Hey all,
> 
> I apologize if this isn't the right place to post this; however, I thought 
> maybe the NANOG community would be able to point me in the right direction.
> 
> I'm looking for a place that I can host a mailer.  My primary use case is a 
> Mailman-style technical discussion list; much like NANOG but software related 
> instead of network related: READ: non-commercial in nature.
> 
> I'm currently a vultr customer, but they're refusing to unblock port 25 on my 
> account.  I've tried explaining my use case but no matter who I talk to over 
> there they just keep pointing me to their spam policy.
> 
> Thanks!
> -Daniel
> 


Re: constraining RPKI Trust Anchors

2023-09-26 Thread Matthew Petach
Job,

This looks fantastic, thank you!

For my edification and clarification, the reason you don't need a

deny 2000::/3

or

deny 0::/0

at the bottom of the ARIN list of allows is that every file comes with an
implicit "deny all", is that correct?

Is there a drawback to adding the explicit "deny 0::/0" at the bottom of
the file, to make it clear that everything else will return "invalid"?
I tend to prefer being explicit in my configurations, rather than depending
upon implicit behaviours which might change with future versions of
software releases.

Thanks!

Matt


On Tue, Sep 26, 2023 at 9:57 AM Job Snijders via NANOG wrote:

> Dear all,
>
> Two weeks ago AFRINIC was placed under receivership by the Supreme Court
> of Mauritius. This event prompted me to rethink the RPKI trust model and
> associated risk surface.
>
> The RPKI technology was designed to be versatile and flexible to
> accommodate a myriad of real-world deployment scenarios including
> multiple trust anchors existing, inter-registry transfers, multiple
> transports, and permissionless innovation for signed objects, for
> example. All good and well ... but of course there is a fine print. :-)
>
> Over the years various people have expressed astonishment about each RIR
> having issued so-called 'all-resources' (0.0.0.0/0 + ::/0) trust anchor
> certificates, but this aspect often is misunderstood: the risk is not
> necessarily in the listing of 'all-resources' itself, it is in the RIR
> being able to issue an 'all-resources' certificate in the first place.
> RPKI trust anchor operators indeed can voluntarily reduce the scope of
> subordinate Internet Number Resources, but just as easily increase the
> scope of their authority. In other words, a trust anchor cannot truly
> constrain itself.
>
> Upon reconsideration of how exactly RPKI hooks into the real world, I
> concluded trust anchors do not require unbounded trust in order to
> provide constructive services in the realm of BGP routing security.
>
> Some examples: ARIN does not support inter-RIR IPv6 transfers, so it
> would not make any sense to see a ROA subordinate to ARIN's trust anchor
> covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense
> to observe a ROA covering ARIN-managed IPv6 space under APNIC's,
> LACNIC's, or RIPE's trust anchor - even if a cryptographically valid
> certificate path existed. Along these lines AFRINIC doesn't support
> inter-RIR transfers of any kind; and none of the RIRs have authority
> over private resources like 10.0.0.0/8 or AS 65535. It seems feasible to
> paint constraints around RPKI trust anchors in broad strokes.
>
> Over the last two weeks I've diligently worked with Theo Buehler to
> research RIR transfer policies, untangle the history of the IANA->RIR
> and RIR->RIR allocation spaghetti, design & implement a maintainable
> constraints mechanism for rpki-client(8), and publicly document the
> concept of applying operator-defined policy to derived trust arcs.
>
> Please take a moment to read
>
> https://www.ietf.org/archive/id/draft-snijders-constraining-rpki-trust-anchors-00.html
>
> Your feedback is appreciated.
>
> Kind regards,
>
> Job
>


RE: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Tony Wicks
I can't speak to the bgp feed as this seems like unnecessary complication to 
me, but I use https://www.racknerd.com/ for personal email/web hosting KVM VMs 
and have found them to be excellent. They have yearly Black Friday specials 
(last year's - https://www.racknerd.com/BlackFriday/ ) that are very attractive. 
They don't block any ports on their US/Europe VMs. I use a primary pair in one 
city and rsync everything to a backup pair in another city (as well as home 
just to make sure). Not all cities can get V6 but most do.



-Original Message-
From: NANOG  On Behalf Of Daniel Corbe
Sent: Tuesday, September 26, 2023 11:09 PM
To: nanog@nanog.org
Subject: SMTP-friendly VPS provider where I can also get a BGP feed

Hey all,

I apologize if this isn't the right place to post this; however, I thought 
maybe the NANOG community would be able to point me in the right direction.

I'm looking for a place that I can host a mailer.  My primary use case is a 
Mailman-style technical discussion list; much like NANOG but software related 
instead of network related: READ: non-commercial in nature.

I'm currently a vultr customer, but they're refusing to unblock port 25 on my 
account.  I've tried explaining my use case but no matter who I talk to over 
there they just keep pointing me to their spam policy.

Thanks!
-Daniel



NANOG 89 Agenda is LIVE! + "Network Automation Could Save Your Life" + More

2023-09-26 Thread Nanog News
*NANOG 89 Agenda is LIVE! *
*Sync Your Calendars Now + Never Miss a Talk! *

*Have you registered yet for NANOG 89?* Check out the full agenda with talk
date/time, abstract, + speaker info to create your personal NANOG 89
schedule.

*VIEW AGENDA * 

*Guest Columnist: Scott Robohn*
*"Network Automation Could Save Your Life — Maybe Not Your Life, but
Probably Your Career"*

*Network Automation* is receiving a much-needed boost in attention, partly
due to the efforts of NANOG, the Network Automation Forum (NAF), and other
organizations.
Why this boost? Network Automation is moving slower than we thought it
should and perhaps slower than we need it to move.

*READ MORE*

*Video of the Week*
*NANOG 87 Recap *

NANOG 89 is less than three short weeks away! Get into the NANOG spirit +
take a trip down memory lane.
Watch the NANOG 87 recap video now — meeting location: Atlanta.


*WATCH NOW  *
*Attend NANOG Virtually!*
*Can't make it to our next meeting in San Diego? Join us virtually!*

Stream live presentations, participate in real-time chat forums, enjoy 360
views of General Session + more.

*REGISTER NOW! * 




Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Jim Shankland via NANOG
That is extremely good and important advice! It seemed much less 
pertinent back when I was in my 30's, but planning for the unexpected 
is, or should be, a key part of all our jobs.



Jim Shankland



On 9/26/23 10:01 AM, Mel Beckman wrote:
One thing you should consider about running a "family" mail server (or 
any other IT services for friends and family): that you have a clearly 
documented path of management succession. A dear friend of mine passed 
away last year and was running just such an email server. Nobody 
really knew how to get into it for maintenance, and a couple weeks 
after he passed, it crashed, and none of us knew precisely where it 
was physically located (on the end of a VPN tunnel, it turns out). This 
took down email for 100 of his closest friends and family members for 
several weeks. We couldn't even unlock the domain,


Personally, this has spurred me to create much better documentation 
of my own client services, and to involve a successor unlikely to be 
traveling with me


 -mel

*From:* NANOG on behalf of Jim Shankland via NANOG
*Sent:* Tuesday, September 26, 2023 9:46 AM
*To:* nanog@nanog.org
*Subject:* Re: SMTP-friendly VPS provider where I can also get a BGP feed

I've been using Linode, also; works fine on the Linode end, but I still
see occasional rejections based on my Linode IP address (most recently
from outlook.com). It's nothing my specific IP is doing, but appears to
be blacklisting of an address range. And gmail randomly puts some
outgoing mail into recipients' spam folders. Trying to get an address
unblocked by a major provider works almost as well as howling into the wind.


Maybe I'm being stubborn to insist on continuing to run what's basically
a family mail server, but it does seem like there's a matter of
principle there: it should be possible to have an email account without
having all the emails stored by a third party. If the answer ends up
being, "Oh, just use gmail, everybody else does!" ... well, so be it, I
guess, but we should be clear that something got lost in that transition.

Jim Shankland

On 9/26/23 9:10 AM, Jay R. Ashworth wrote:
> I've run a mail server on Linode for 6 or 7 years now; no technical problems.
>
> End-node, Zimbra, postfix.
>
> Cheers,
> -- jra
>
> - Original Message -
>> From: "Jonathan Leist via NANOG" 
>> To: "Daniel Corbe" 
>> Cc: nanog@nanog.org
>> Sent: Tuesday, September 26, 2023 10:32:51 AM
>> Subject: Re: SMTP-friendly VPS provider where I can also get a BGP feed
>> Pretty much every popular provider blocks port 25 out by default, and
>> they'll instead try to steer customers to use a smart host. However, some,
>> including Linode, will unblock port 25 by request:
>> https://www.linode.com/docs/guides/running-a-mail-server/#sending-email-on-linode
>>
>> On Tue, Sep 26, 2023 at 6:11 AM Daniel Corbe  wrote:
>>
>>> Hey all,
>>>
>>> I apologize if this isn't the right place to post this; however, I
>>> thought maybe the NANOG community would be able to point me in the right
>>> direction.
>>>
>>> I'm looking for a place that I can host a mailer.  My primary use case
>>> is a Mailman-style technical discussion list; much like NANOG but
>>> software related instead of network related: READ: non-commercial in
>>> nature.
>>>
>>> I'm currently a vultr customer, but they're refusing to unblock port 25
>>> on my account.  I've tried explaining my use case but no matter who I
>>> talk to over there they just keep pointing me to their spam policy.
>>>
>>> Thanks!
>>> -Daniel
>>>
>>
>> --
>> Jonathan Leist
>> Staff Engineer

Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Chris Adams
Once upon a time, Grant Taylor  said:
> N.B. you will need to tweak IPv6 routing to favor the new dedicated
> /64 over the shared /64.

Yeah, it appears Linode implements the dedicated /64 by routing it to
the shared /64 address, so you can't just remove the shared /64.

And unfortunately, for Linux distributions that use NetworkManager
(which is probably most current releases), NM changed which v6 address
is "preferred" at one point; in old versions, it was the last specified
address, but then it changed to the first specified address (which
probably makes more sense but was still an annoying change).

-- 
Chris Adams 


Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Mel Beckman
One thing you should consider about running a "family" mail server (or any 
other IT services for friends and family): that you have a clearly documented 
path of management succession. A dear friend of mine passed away last year and 
was running just such an email server. Nobody really knew how to get into it 
for maintenance, and a couple weeks after he passed, it crashed, and none of us 
knew precisely where it was physically located (on the end of a VPN tunnel, it 
turns out). This took down email for 100 of his closest friends and family 
members for several weeks. We couldn't even unlock the domain,

Personally, this has spurred me to create much better documentation of my own 
client services, and to involve a successor unlikely to be traveling with me

 -mel

From: NANOG on behalf of Jim Shankland via NANOG
Sent: Tuesday, September 26, 2023 9:46 AM
To: nanog@nanog.org
Subject: Re: SMTP-friendly VPS provider where I can also get a BGP feed

I've been using Linode, also; works fine on the Linode end, but I still
see occasional rejections based on my Linode IP address (most recently
from outlook.com). It's nothing my specific IP is doing, but appears to
be blacklisting of an address range. And gmail randomly puts some
outgoing mail into recipients' spam folders. Trying to get an address
unblocked by a major provider works almost as well as howling into the wind.

Maybe I'm being stubborn to insist on continuing to run what's basically
a family mail server, but it does seem like there's a matter of
principle there: it should be possible to have an email account without
having all the emails stored by a third party. If the answer ends up
being, "Oh, just use gmail, everybody else does!" ... well, so be it, I
guess, but we should be clear that something got lost in that transition.

Jim Shankland

On 9/26/23 9:10 AM, Jay R. Ashworth wrote:
> I've run a mail server on Linode for 6 or 7 years now; no technical problems.
>
> End-node, Zimbra, postfix.
>
> Cheers,
> -- jra
>
> - Original Message -
>> From: "Jonathan Leist via NANOG" 
>> To: "Daniel Corbe" 
>> Cc: nanog@nanog.org
>> Sent: Tuesday, September 26, 2023 10:32:51 AM
>> Subject: Re: SMTP-friendly VPS provider where I can also get a BGP feed
>> Pretty much every popular provider blocks port 25 out by default, and
>> they'll instead try to steer customers to use a smart host. However, some,
>> including Linode, will unblock port 25 by request:
>> https://www.linode.com/docs/guides/running-a-mail-server/#sending-email-on-linode
>>
>> On Tue, Sep 26, 2023 at 6:11 AM Daniel Corbe  wrote:
>>
>>> Hey all,
>>>
>>> I apologize if this isn't the right place to post this; however, I
>>> thought maybe the NANOG community would be able to point me in the right
>>> direction.
>>>
>>> I'm looking for a place that I can host a mailer.  My primary use case
>>> is a Mailman-style technical discussion list; much like NANOG but
>>> software related instead of network related: READ: non-commercial in
>>> nature.
>>>
>>> I'm currently a vultr customer, but they're refusing to unblock port 25
>>> on my account.  I've tried explaining my use case but no matter who I
>>> talk to over there they just keep pointing me to their spam policy.
>>>
>>> Thanks!
>>> -Daniel
>>>
>>
>> --
>> Jonathan Leist
>> Staff Engineer


Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Grant Taylor via NANOG

On 9/26/23 11:41 AM, Chris Adams wrote:
> Same, although for about 15 years now.  One suggestion I'd make is 
> to use IPv6 and get a dedicated /64 (free on request) - it can help 
> a little with "unclean neighborhood" reputation (an issue with any 
> VPS as they can't police everything).


+1 for the dedicated /64.

This is relatively simple and avoids unsavory neighbors in a shared /64.

N.B. you will need to tweak IPv6 routing to favor the new dedicated /64 
over the shared /64.




--
Grant. . . .
unix || die



constraining RPKI Trust Anchors

2023-09-26 Thread Job Snijders via NANOG
Dear all,

Two weeks ago AFRINIC was placed under receivership by the Supreme Court
of Mauritius. This event prompted me to rethink the RPKI trust model and
associated risk surface.

The RPKI technology was designed to be versatile and flexible to
accommodate a myriad of real-world deployment scenarios including
multiple trust anchors existing, inter-registry transfers, multiple
transports, and permissionless innovation for signed objects, for
example. All good and well ... but of course there is a fine print. :-)

Over the years various people have expressed astonishment about each RIR
having issued so-called 'all-resources' (0.0.0.0/0 + ::/0) trust anchor
certificates, but this aspect often is misunderstood: the risk is not
necessarily in the listing of 'all-resources' itself, it is in the RIR
being able to issue an 'all-resources' certificate in the first place.
RPKI trust anchor operators indeed can voluntarily reduce the scope of
subordinate Internet Number Resources, but just as easily increase the
scope of their authority. In other words, a trust anchor cannot truly
constrain itself.

Upon reconsideration of how exactly RPKI hooks into the real world, I
concluded trust anchors do not require unbounded trust in order to
provide constructive services in the realm of BGP routing security.

Some examples: ARIN does not support inter-RIR IPv6 transfers, so it
would not make any sense to see a ROA subordinate to ARIN's trust anchor
covering RIPE-managed IPv6 space. Conversely, it wouldn't make sense
to observe a ROA covering ARIN-managed IPv6 space under APNIC's,
LACNIC's, or RIPE's trust anchor - even if a cryptographically valid
certificate path existed. Along these lines AFRINIC doesn't support
inter-RIR transfers of any kind; and none of the RIRs have authority
over private resources like 10.0.0.0/8 or AS 65535. It seems feasible to
paint constraints around RPKI trust anchors in broad strokes.

Over the last two weeks I've diligently worked with Theo Buehler to
research RIR transfer policies, untangle the history of the IANA->RIR
and RIR->RIR allocation spaghetti, design & implement a maintainable
constraints mechanism for rpki-client(8), and publicly document the
concept of applying operator-defined policy to derived trust arcs.

Please take a moment to read
https://www.ietf.org/archive/id/draft-snijders-constraining-rpki-trust-anchors-00.html

Your feedback is appreciated.

Kind regards,

Job


Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Ward Vandewege
True, but only for IPv4; IPv6 outbound port 25 is summarily blocked:
 https://docs.digitalocean.com/products/networking/ipv6/details/limits/

Thanks,
Ward.


Mel Beckman wrote on 26 September 2023 10:43:51 EDT:
>DigitalOcean.com also lets you send and receive on port 25, provided your MTA 
>isn’t configured as an open relay.
>
> -mel
>
>> On Sep 26, 2023, at 7:38 AM, Brandon Martin  wrote:
>> 
>> On 9/26/23 06:09, Daniel Corbe wrote:
>>> I'm looking for a place that I can host a mailer.  My primary use case is a 
>>> Mailman-style technical discussion list; much like NANOG but software 
>>> related instead of network related: READ: non-commercial in nature.
>>> 
>>> I'm currently a vultr customer, but they're refusing to unblock port 25 on 
>>> my account.  I've tried explaining my use case but no matter who I talk to 
>>> over there they just keep pointing me to their spam policy.
>> 
>> I've been a happy customer of prgmr.com now TornadoVPS.  They will 
>> definitely allow port 25 outbound.  It was unblocked by default when I 
>> signed up years ago and I think still is even on new accounts.
>> 
>> I don't know if they will do BGP.  In the past, they had said they would by 
>> request provided you had your own AS and IP space. I think they also had 
>> offered to do one under a private ASN for route collection.
>> 
>> --
>> Brandon Martin
>> 

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Jim Shankland via NANOG
I've been using Linode, also; works fine on the Linode end, but I still 
see occasional rejections based on my Linode IP address (most recently 
from outlook.com). It's nothing my specific IP is doing, but appears to 
be blacklisting of an address range. And gmail randomly puts some 
outgoing mail into recipients' spam folders. Trying to get an address 
unblocked by a major provider works almost as well as howling into the wind.


Maybe I'm being stubborn to insist on continuing to run what's basically 
a family mail server, but it does seem like there's a matter of 
principle there: it should be possible to have an email account without 
having all the emails stored by a third party. If the answer ends up 
being, "Oh, just use gmail, everybody else does!" ... well, so be it, I 
guess, but we should be clear that something got lost in that transition.


Jim Shankland

On 9/26/23 9:10 AM, Jay R. Ashworth wrote:
> I've run a mail server on Linode for 6 or 7 years now; no technical problems.
>
> End-node, Zimbra, postfix.
>
> Cheers,
> -- jra
>
> - Original Message -
>> From: "Jonathan Leist via NANOG"
>> To: "Daniel Corbe"
>> Cc: nanog@nanog.org
>> Sent: Tuesday, September 26, 2023 10:32:51 AM
>> Subject: Re: SMTP-friendly VPS provider where I can also get a BGP feed
>> Pretty much every popular provider blocks port 25 out by default, and
>> they'll instead try to steer customers to use a smart host. However, some,
>> including Linode, will unblock port 25 by request:
>> https://www.linode.com/docs/guides/running-a-mail-server/#sending-email-on-linode
>>
>> On Tue, Sep 26, 2023 at 6:11 AM Daniel Corbe wrote:
>>
>>> Hey all,
>>>
>>> I apologize if this isn't the right place to post this; however, I
>>> thought maybe the NANOG community would be able to point me in the right
>>> direction.
>>>
>>> I'm looking for a place that I can host a mailer.  My primary use case
>>> is a Mailman-style technical discussion list; much like NANOG but
>>> software related instead of network related: READ: non-commercial in
>>> nature.
>>>
>>> I'm currently a vultr customer, but they're refusing to unblock port 25
>>> on my account.  I've tried explaining my use case but no matter who I
>>> talk to over there they just keep pointing me to their spam policy.
>>>
>>> Thanks!
>>> -Daniel
>>>
>>
>> --
>> Jonathan Leist
>> Staff Engineer


Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Chris Adams
Once upon a time, Jay R. Ashworth  said:
> I've run a mail server on Linode for 6 or 7 years now; no technical problems.

Same, although for about 15 years now.  One suggestion I'd make is to
use IPv6 and get a dedicated /64 (free on request) - it can help a
little with "unclean neighborhood" reputation (an issue with any VPS as
they can't police everything).

-- 
Chris Adams 


Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Collider
Yes, that is the case (read the original post, this is addressed).

On 26 September 2023 16:13:37 UTC, Bryan Holloway  wrote:
>Not sure if this helps, but they only appear to block 25 for IPv4.
>
>IPv6 works fine.
>
>Supposedly you can open a support-ticket to have this block removed, but I'm 
>assuming you've already done that?
>
>   - bryan
>
>
>On 9/26/23 12:09, Daniel Corbe wrote:
>> Hey all,
>> 
>> I apologize if this isn't the right place to post this; however, I thought 
>> maybe the NANOG community would be able to point me in the right direction.
>> 
>> I'm looking for a place that I can host a mailer.  My primary use case is a 
>> Mailman-style technical discussion list; much like NANOG but software 
>> related instead of network related: READ: non-commercial in nature.
>> 
>> I'm currently a vultr customer, but they're refusing to unblock port 25 on 
>> my account.  I've tried explaining my use case but no matter who I talk to 
>> over there they just keep pointing me to their spam policy.
>> 
>> Thanks!
>> -Daniel

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.

Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Bryan Holloway

Not sure if this helps, but they only appear to block 25 for IPv4.

IPv6 works fine.

Supposedly you can open a support-ticket to have this block removed, but 
I'm assuming you've already done that?


- bryan


On 9/26/23 12:09, Daniel Corbe wrote:

Hey all,

I apologize if this isn't the right place to post this; however, I 
thought maybe the NANOG community would be able to point me in the right 
direction.


I'm looking for a place that I can host a mailer.  My primary use case 
is a Mailman-style technical discussion list; much like NANOG but 
software related instead of network related: READ: non-commercial in 
nature.


I'm currently a vultr customer, but they're refusing to unblock port 25 
on my account.  I've tried explaining my use case but no matter who I 
talk to over there they just keep pointing me to their spam policy.


Thanks!
-Daniel


Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Jay R. Ashworth
I've run a mail server on Linode for 6 or 7 years now; no technical problems.

End-node, Zimbra, postfix.

Cheers,
-- jra

- Original Message -
> From: "Jonathan Leist via NANOG" 
> To: "Daniel Corbe" 
> Cc: nanog@nanog.org
> Sent: Tuesday, September 26, 2023 10:32:51 AM
> Subject: Re: SMTP-friendly VPS provider where I can also get a BGP feed

> Pretty much every popular provider blocks port 25 out by default, and
> they'll instead try to steer customers to use a smart host. However, some,
> including Linode, will unblock port 25 by request:
> https://www.linode.com/docs/guides/running-a-mail-server/#sending-email-on-linode
> 
> On Tue, Sep 26, 2023 at 6:11 AM Daniel Corbe  wrote:
> 
>> Hey all,
>>
>> I apologize if this isn't the right place to post this; however, I
>> thought maybe the NANOG community would be able to point me in the right
>> direction.
>>
>> I'm looking for a place that I can host a mailer.  My primary use case
>> is a Mailman-style technical discussion list; much like NANOG but
>> software related instead of network related: READ: non-commercial in
>> nature.
>>
>> I'm currently a vultr customer, but they're refusing to unblock port 25
>> on my account.  I've tried explaining my use case but no matter who I
>> talk to over there they just keep pointing me to their spam policy.
>>
>> Thanks!
>> -Daniel
>>
> 
> 
> --
> Jonathan Leist
> Staff Engineer

-- 
Jay R. Ashworth  Baylink   j...@baylink.com
Designer The Things I Think   RFC 2100
Ashworth & Associates   http://www.bcp38.info  2000 Land Rover DII
St Petersburg FL USA  BCP38: Ask For It By Name!   +1 727 647 1274


Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread David Guo via NANOG
You can try v.ps from xTom, we can provide BGP sessions in some locations as 
well as port 25 unblock.

From: NANOG  on behalf of Phil Lavin 
via NANOG 
Date: Wednesday, September 27, 2023 at 01:12
To: Daniel Corbe 
Cc: nanog@nanog.org 
Subject: Re: SMTP-friendly VPS provider where I can also get a BGP feed
> On 26 Sep 2023, at 11:09, Daniel Corbe  wrote:
>
> I'm currently a vultr customer, but they're refusing to unblock port 25 on my 
> account.  I've tried explaining my use case but no matter who I talk to over 
> there they just keep pointing me to their spam policy.


I run an MTA in Hetzner. Once you’ve paid a bill, you can raise a request to 
unblock port 25.


Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Phil Lavin via NANOG
> On 26 Sep 2023, at 11:09, Daniel Corbe  wrote:
> 
> I'm currently a vultr customer, but they're refusing to unblock port 25 on my 
> account.  I've tried explaining my use case but no matter who I talk to over 
> there they just keep pointing me to their spam policy.


I run an MTA in Hetzner. Once you’ve paid a bill, you can raise a request to 
unblock port 25.



Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Jonathan Leist via NANOG
Pretty much every popular provider blocks port 25 out by default, and
they'll instead try to steer customers to use a smart host. However, some,
including Linode, will unblock port 25 by request:
https://www.linode.com/docs/guides/running-a-mail-server/#sending-email-on-linode

On Tue, Sep 26, 2023 at 6:11 AM Daniel Corbe  wrote:

> Hey all,
>
> I apologize if this isn't the right place to post this; however, I
> thought maybe the NANOG community would be able to point me in the right
> direction.
>
> I'm looking for a place that I can host a mailer.  My primary use case
> is a Mailman-style technical discussion list; much like NANOG but
> software related instead of network related: READ: non-commercial in
> nature.
>
> I'm currently a vultr customer, but they're refusing to unblock port 25
> on my account.  I've tried explaining my use case but no matter who I
> talk to over there they just keep pointing me to their spam policy.
>
> Thanks!
> -Daniel
>


-- 
Jonathan Leist
Staff Engineer


Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Mel Beckman
DigitalOcean.com also lets you send and receive on port 25, provided your MTA 
isn’t configured as an open relay.

 -mel

> On Sep 26, 2023, at 7:38 AM, Brandon Martin  wrote:
> 
> On 9/26/23 06:09, Daniel Corbe wrote:
>> I'm looking for a place that I can host a mailer.  My primary use case is a 
>> Mailman-style technical discussion list; much like NANOG but software 
>> related instead of network related: READ: non-commercial in nature.
>> 
>> I'm currently a vultr customer, but they're refusing to unblock port 25 on 
>> my account.  I've tried explaining my use case but no matter who I talk to 
>> over there they just keep pointing me to their spam policy.
> 
> I've been a happy customer of prgmr.com now TornadoVPS.  They will definitely 
> allow port 25 outbound.  It was unblocked by default when I signed up years 
> ago and I think still is even on new accounts.
> 
> I don't know if they will do BGP.  In the past, they had said they would by 
> request provided you had your own AS and IP space. I think they also had 
> offered to do one under a private ASN for route collection.
> 
> --
> Brandon Martin
> 


Re: SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Brandon Martin

On 9/26/23 06:09, Daniel Corbe wrote:
I'm looking for a place that I can host a mailer.  My primary use case 
is a Mailman-style technical discussion list; much like NANOG but 
software related instead of network related: READ: non-commercial in 
nature.


I'm currently a vultr customer, but they're refusing to unblock port 
25 on my account.  I've tried explaining my use case but no matter who 
I talk to over there they just keep pointing me to their spam policy.


I've been a happy customer of prgmr.com now TornadoVPS.  They will 
definitely allow port 25 outbound.  It was unblocked by default when I 
signed up years ago and I think still is even on new accounts.


I don't know if they will do BGP.  In the past, they had said they would 
by request provided you had your own AS and IP space. I think they also 
had offered to do one under a private ASN for route collection.


--
Brandon Martin



Latest NETSCOUT DDoS Threat Intelligence Report published, no registration required.

2023-09-26 Thread Dobbins, Roland via NANOG
This issue covers 1H2023, and the full report is available online:



We make these findings freely available as a service to the operational 
community; feedback welcome.

Again, no registration is required to view the full report online.  A .pdf 
summary is available for download; registration is required to download the 
.pdf.

[Full disclosure: I am employed by NETSCOUT and am a contributor to this 
report.]


Roland Dobbins <roland.dobb...@netscout.com>






SMTP-friendly VPS provider where I can also get a BGP feed

2023-09-26 Thread Daniel Corbe

Hey all,

I apologize if this isn't the right place to post this; however, I 
thought maybe the NANOG community would be able to point me in the right 
direction.


I'm looking for a place that I can host a mailer.  My primary use case 
is a Mailman-style technical discussion list; much like NANOG but 
software related instead of network related: READ: non-commercial in nature.


I'm currently a vultr customer, but they're refusing to unblock port 25 
on my account.  I've tried explaining my use case but no matter who I 
talk to over there they just keep pointing me to their spam policy.


Thanks!
-Daniel

