Re: U.S. test of national alerts on Oct. 4 at 2:20pm EDT (1820 UTC)

2023-10-04 Thread Harald Koch
On Wed, Oct 4, 2023, at 15:09, Grant Taylor via NANOG wrote:
>
> I don't know if today's test is the same thing or not, but I remember in 
> the last X years where there was a presidential test of the EAS and 
> there was supposedly no way to disable it short of turning your device off.
>
> My understanding is that -- let's go with -- lesser priority sources can 
> be silenced, but sufficiently high priority can't be.  If the device is 
> on, it's going to make noise.

It must be nice to live in a country that uses the priorities! Canada's Alert 
Ready decided that people can't be trusted and sends ALL alerts at the 
"national alert" priority.

(When Canada last tested in May, I had my phone on silent - the alert vibrated 
but did not make noise - which is a slight improvement, I guess).

-- 
Harald Koch
c...@pobox.com


Re: Survey on the use of IP blacklists for threat mitigation

2020-06-16 Thread Harald Koch
On Tue, Jun 16, 2020, at 15:08, J. Hellenthal via NANOG wrote:
> blacklists are not always deny/block/disallow and conformed of things that 
> allow you to take actions whatever your choosing upon their contents and your 
> policies.
> 
> What’s next ? redlisting ? Don’t offend the Russians ... blue ? Don’t want to 
> offend the police ...

How about - don't use colour at all, since it's just a culture-specific proxy 
for the actual meaning? "blacklist" and "whitelist" are challenging for ESL and 
for people from other cultures. Block list, allow list, filter list, etc. are 
all more precise terms that happen to be easier for everyone to understand.

Improving technical jargon is always worthwhile.

-- 
Harald Koch
c...@pobox.com


Re: understanding IPv6

2020-06-07 Thread Harald Koch
On Sun, Jun 7, 2020, at 12:02, Brandon Martin wrote:
> This is difficult to understate.  "People" are continually amazed when I 
> show them that I can leave TCP sessions up for days at a time (with 
> properly configured endpoints) with absolutely zero keepalive traffic 
> being exchanged.

On the other hand, I'm constantly having to remind developers at $job that 
while this may be normal, it's not guaranteed, and they need to deal with TCP 
sessions that go down without requiring operator intervention.

Reliable networks do not teach developers about fault tolerance ;)

-- 
Harald
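Added illustration (editor's example, not code from Harald's post or from the list): one way for application code to "deal with TCP sessions that go down" is to give every socket a read timeout and TCP keepalives, and to reconnect on failure instead of blocking forever. The keepalive timer values and the flaky test peer below are constructed for this example.

```python
import socket
import threading

# Added illustration, not code from the list post: a client that notices
# when a TCP session is gone instead of waiting forever, and reconnects.

def connect_with_liveness(host, port, io_timeout=30.0,
                          keepalive_idle=60, keepalive_interval=10,
                          keepalive_count=3):
    """Open a TCP connection with a read/write timeout and TCP keepalives.

    With no timeout and no keepalives, a session whose peer silently vanished
    (power loss, NAT state expiry, a firewall dropping state) can sit in a
    blocking recv() indefinitely. The keepalive values are hypothetical
    defaults chosen for this example.
    """
    sock = socket.create_connection((host, port), timeout=io_timeout)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # The per-socket keepalive timers are Linux options; guard them so the
    # function still works where they do not exist.
    for name, value in (("TCP_KEEPIDLE", keepalive_idle),
                        ("TCP_KEEPINTVL", keepalive_interval),
                        ("TCP_KEEPCNT", keepalive_count)):
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
    return sock


def request_with_retry(host, port, payload, attempts=3, io_timeout=2.0):
    """Send payload and read one reply, reconnecting when the session dies.

    Returns (reply_bytes, attempts_used). Raises the last error if every
    attempt fails, so a caller can alert rather than hang.
    """
    last_err = None
    for n in range(1, attempts + 1):
        try:
            with connect_with_liveness(host, port, io_timeout=io_timeout) as s:
                s.sendall(payload)
                reply = s.recv(4096)
                if not reply:  # orderly close with no data: treat as a dead session
                    raise ConnectionError("peer closed the session without replying")
                return reply, n
        except OSError as e:  # socket.timeout and ConnectionError are both OSError
            last_err = e
    raise last_err


def start_flaky_server(drop_first=1):
    """Constructed test peer: drops the first `drop_first` sessions without
    replying (simulating a session that goes down), then answers b"ping"
    with b"pong". Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        dropped = 0
        while True:
            conn, _ = srv.accept()
            with conn:
                if dropped < drop_first:
                    dropped += 1
                    continue  # closing here is the "session went down" event
                data = conn.recv(4096)
                conn.sendall(b"pong" if data == b"ping" else b"?")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    port = start_flaky_server()
    reply, used = request_with_retry("127.0.0.1", port, b"ping")
    print(f"got {reply!r} after {used} attempt(s)")
```

The first attempt fails because the peer closes the session underneath the client; the retry loop turns that into a second, successful attempt rather than a page to an operator.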


Re: Jenkins amplification

2020-02-03 Thread Harald Koch
Jenkins, like a zillion other developer-oriented tools, should never be 
deployed Internet-facing.

Reflection attacks inside an enterprise are handled by HR. :)

-- 
Harald Koch
c...@pobox.com


Re: What can ISPs do better? Removing racism out of internet

2019-08-05 Thread Harald Koch
On Mon, Aug 5, 2019, at 11:30, Mel Beckman wrote:
> Keith, what could be more on-topic than an ISP’s status as a common 
> carrier? Seems pretty operational to me. 

American ISPs are not common carriers. When net neutrality was revoked on 
December 14, 2017, so was ISPs' common carrier status / protection.

-- 
Harald


Re: Widespread Firefox issues

2019-05-04 Thread Harald Koch
On Sat, May 4, 2019, at 08:21, Randy Bush wrote:
> so is there a recipe for re-enabling the add-ons?  otherwise, one is
> running pretty nekkid.

From https://discourse.mozilla.org/t/certificate-issue-causing-add-ons-to-be-disabled-or-fail-to-install/39047:

12:50 p.m. UTC / 03:50 a.m. PDT: We rolled-out a fix for release, beta and 
nightly users on Desktop. The fix will be automatically applied in the 
background within the next few hours, you don’t need to take active steps.

In order to be able to provide this fix on short notice, we are using the 
Studies system. You can check if you have studies enabled by going to Firefox 
Preferences -> Privacy & Security -> Allow Firefox to install and run studies.

You can disable studies again after your add-ons have been re-enabled.

We are working on a general fix that doesn’t need to rely on this and will keep 
you updated.

-- 
Harald Koch
c...@pobox.com


Re: NTP question

2019-05-01 Thread Harald Koch
On Wed, May 1, 2019, at 19:19, Brandon Martin wrote:
> I've seen things like this when there's a sudden power loss across a 
> small site e.g. a remote PoP.  Think a loss of utility power and UPS 
> fails to transfer for some unanticipated reason.

Or in our case, a Canada Goose lands on the transfer switch, shorting it out 
and disconnecting street, UPS, and generator. TBH I wasn't monitoring NTP at 
the time, being slightly more concerned with critical applications, so I 
concede your point :)

-- 
Harald Koch
c...@pobox.com


Re: NTP question

2019-05-01 Thread Harald Koch
On Wed, May 1, 2019, at 18:46, Brandon Martin wrote:
> Think about what might happen if you lost time sync as a result of the 
> incident causing said connectivity outage.  Depending on your time 
> sources available, you might see rapid drift or, worst case, lose your 
> time reference entirely as a result of equipment restarts, etc.  GPS, as 
> long as you have a good view of the sky, provides extremely accurate 
> "lights out" time info, both absolute and relative, from a single source 
> with no (mostly) strings attached for that purpose.

Properly deployed NTP should calibrate the local hardware clocks to prevent 
drift even during connectivity outages. (I'm talking both the low resolution 
hardware clocks used for timing across power cycles and reboots, and the 
oscillators used while the OS is running). While most computer hardware is 
temperature sensitive, if your datacenter is suddenly changing temperature 
enough to cause clock drift, well, you have bigger problems. :)

I admit that this is an anecdote, but in our environment, I find that our GPSDO 
loses its GPS signal due to weather more often than we lose our connections to 
internet NTP servers.

On the other hand, we once had a site-wide Kerberos authentication outage 
because all of our Windows clients were using some Windows NTP client that by 
default used two NTP sources owned by the software developer; when they both 
suddenly stepped by 20 minutes, Kerberos locked everyone out.

Time is hard :)

-- 
Harald Koch
c...@pobox.com
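Added illustration (editor's example, not code from the post): the Kerberos outage above is what happens when a client trusts two sources that agree with each other and steps the clock by 20 minutes. The check below, a simplified stand-in for what ntpd does with its clustering and panic threshold, refuses to step when there are too few sources to outvote a falseticker, when no majority agrees, or when the agreed offset exceeds a panic limit. The thresholds are ntpd's well-known defaults (0.128 s step, 1000 s panic) and the usual 5-minute Kerberos skew window; the agreement tolerance and minimum source count are assumptions for the example.

```python
from statistics import median

# Added illustration, not from the post: a sanity check for time sources
# before letting a client step the system clock.

STEP_THRESHOLD_S = 0.128    # ntpd slews below this offset and steps above it
PANIC_THRESHOLD_S = 1000.0  # ntpd's default panic limit: larger offsets are refused
KERBEROS_SKEW_S = 300.0     # the usual 5 minute Kerberos clock-skew tolerance


def decide_clock_action(offsets, agree_within=0.5, min_sources=3,
                        step=STEP_THRESHOLD_S, panic=PANIC_THRESHOLD_S):
    """Decide what to do with the clock given {source: offset_seconds}.

    offset is "true time minus local clock" as reported by each source.
    Returns ("slew", offset), ("step", offset) or ("refuse", reason).
    The majority test is a simplified stand-in for ntpd's clustering;
    agree_within and min_sources are assumptions chosen for this example.
    """
    if len(offsets) < min_sources:
        return ("refuse", f"only {len(offsets)} source(s); need {min_sources} "
                          "to outvote a falseticker")
    centre = median(offsets.values())
    truechimers = {s: o for s, o in offsets.items() if abs(o - centre) <= agree_within}
    if 2 * len(truechimers) <= len(offsets):
        return ("refuse", "no majority of sources agree with each other")
    offset = median(truechimers.values())
    if abs(offset) > panic:
        return ("refuse", f"offset {offset:+.3f}s exceeds panic threshold; needs a human")
    if abs(offset) > step:
        return ("step", offset)
    return ("slew", offset)


def kerberos_would_break(offset, skew=KERBEROS_SKEW_S):
    """True if applying this offset puts the host outside Kerberos' skew window."""
    return abs(offset) > skew


if __name__ == "__main__":
    # Constructed scenarios: the two vendor sources from the post both jump
    # by 20 minutes; a GPSDO disagrees; a single wild source among good ones.
    for name, offsets in {
        "two vendor sources only": {"vendor1": 1200.0, "vendor2": 1200.0},
        "vendors outvote the GPSDO": {"vendor1": 1200.0, "vendor2": 1200.3, "gpsdo": 0.002},
        "healthy": {"a": 0.010, "b": 0.020, "c": 0.015},
        "one falseticker": {"a": 2.0, "b": 2.1, "c": 2.05, "d": 500.0},
    }.items():
        action, detail = decide_clock_action(offsets)
        print(f"{name}: {action} {detail}")
```

The second scenario is the interesting one: the two vendor sources do form a majority, so clustering alone would not save you; the panic threshold is what keeps a 20-minute step from locking everyone out of Kerberos.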


Re: Windows Updates Fail Via IPv6 - Update!

2019-03-03 Thread Harald Koch
On Sun, Mar 3, 2019, at 17:35, Stephen Satchell wrote:

> 
> Yes, some admins don't have fine-enough grain tools to block or throttle
> specific types of ICMP, but that's the fault of the vendors, not the admins.

We call these tunable parameters "nerd knobs".

I used to create those knobs for firewalls. My experience then (and now, with 
my current employer) is that admins turn every knob you give them up to eleven; 
there is no finesse.  The only answer was, and is, to remove the knobs 
altogether.

(Can I join the choir too? :)

-- 
Harald Koch
c...@pobox.com


Re: Facebook doesn't have a route to my ISP's (Cogeco) IPv6 space?

2018-12-20 Thread Harald Koch
On Thu, Dec 20, 2018, at 14:04, David Hubbard wrote:
> Yikes, they should change their name rather than be mistaken for Cogent lol

Cogent started business in 1999 and Cogeco has been around since the 1950s. Who 
should change their name again?

(To OP: I believe that every last-mile provider in Canada is still offering IPv6 
as a best-effort, unsupported service. As a former Canadian networking guy, 
this ... angers me. Good luck ...)

-- 
Harald Koch
c...@pobox.com


Re: Unsolicited LinkedIn requests

2018-12-11 Thread Harald Koch
LinkedIn has an "I don't know this person" option when you decline an 
invitation. If a user gets too many of those they're kicked, because LinkedIn 
is explicitly about making cyber connections that you already had IRL.

-- 
Harald


Re: Any Gmail Admins on here?

2018-10-25 Thread Harald Koch
chilli.nosignal.org has an SSL certificate that expired in *July*.

-- 
Harald


On Thu, 25 Oct 2018 at 12:48, Mike Hammett  wrote:

> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
>
> -
> Mike Hammett
> Intelligent Computing Solutions
> Midwest Internet Exchange
> The Brothers WISP
> --
> *From: *"Art Plato"
> *To: *"nanog"
> *Sent: *Thursday, October 25, 2018 11:39:36 AM
> *Subject: *Any Gmail Admins on here?
>
> I apologize for putting this out in this forum but I have attempted to
> reach Google/Gmail for several weeks with no response. Their servers have
> flagged my domain with bad reputation even though the stats say no spam has
> been sent from my domain for the past several months that I can see. Please
> PM me if you are out there.
>
> Thanks,
> Art Plato


Re: Time to add 2002::/16 to bogon filters?

2018-06-18 Thread Harald Koch
20 years from now when the IETF decides to reclaim / repurpose that prefix,
y'all are going to have to run around removing it from your filters again...

-- 
Harald


Re: IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-01 Thread Harald Koch
On 1 March 2018 at 18:48, Mark Andrews  wrote:

> ULA provide stable internal addresses which survive changing ISP
> for the average home user.


Yeah this is pretty much what I'm doing. ULA for stable, internal addresses
that I can put into the (internal) DNS: ISP prefixes for global routing.
Renumbering is hard.

All of the objections I've seen to ULA are actually objections to (IPv6)
NAT, which is why I was confused.

(As it turns out my ISP prefix has been static for years, but I'm too lazy
to undo all of the work...)

-- 
Harald


IPv6 Unique Local Addresses (was Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks)

2018-03-01 Thread Harald Koch
On 1 March 2018 at 15:18, Owen DeLong  wrote:

> Second, RFC-1918 doesn’t apply to IPv6 at all, and (fortunately) hardly
> anyone
> uses ULA (the IPv6 analogue to RFC-1918).
>

Wait. What's the objection to ULA? Is it just that NAT is bad, or is there
something new?

-- 
Harald


Re: IPv4 smaller than /24 leasing?

2018-01-04 Thread Harald Koch
"IPv6 available upon request. "

LOL.

-- 
Harald


Re: Waste will kill ipv6 too

2017-12-20 Thread Harald Koch
On 20 December 2017 at 13:23, Mike  wrote:

> in IPv4 for example, when you assign a P2P
> link with a /30, you are using 2 and wasting 2 addresses. But in IPv6,
> due to ping-pong and just so many technical manuals and other advices,
> you are told to "just use a /64' for your point to points.


There are 2^64 *networks* available in IPv6. That's 2^32 times as many
*networks* as there are IPv4 *addresses*. That doesn't mean twice as many;
that means almost 4.3 BILLION times as many. Yeah, go ahead and use a /64
for your point-to-point networks.

Or don't; there are ways to use /128s carved out of a single /64 (I do so
on my private VPNs, and then route the whole /64 to my VPN concentrator).

-- 
Harald


Re: Companies using public IP space owned by others for internal routing

2017-12-18 Thread Harald Koch
On 17 December 2017 at 17:48, Tom Carter  wrote:

> RFC1918 isn't big enough to cover all use cases. Think about a large
> internet service providers. If you have ten million customers, 10.0.0.0/8
> would be enough to number modems, but what happens when you need to number
> video set top boxes and voice end points? I don't think anyone goes out and
> says "Lets go use someone else's space, because I don't want to use this
> perfectly good private space".
>

:cough:

They could use IPv6. I mean, if the mobile phone companies can figure it
out, surely an ISP can...

-- 
Harald


Re: Companies using public IP space owned by others for internal routing

2017-12-17 Thread Harald Koch
On 17 December 2017 at 17:57, James Downs  wrote:

> Unless there isn't.. I've worked at more than one company that had used up
> all the private space. Then you have the cases where some M causes
> overlapping IP space.
>

Or places like Ontario, where the government runs a registry service for
net 10/8 because we're all interconnecting our private networks over VPNs
and there were too many NATs.

-- 
Harald


Re: Novice sysadmins

2017-12-06 Thread Harald Koch
On 6 December 2017 at 13:51, Stephen Satchell  wrote:

> What professional engineers you mentioned do can kill people.  I have yet
> to hear of anyone dying from a sysadmin or netadmin screwing up.
>

Oh c'mon. Now you're being deliberately obtuse.

I work IT for a hospital. Everything I do has the potential to affect
patient safety, and we do have documented cases of patients dying from IT
mishaps.

Perhaps do your research before spouting off more of these unsubstantiated
claims?

-- 
Harald


Re: Novice sysadmins (was: Suggestions for a more privacy conscious email provider)

2017-12-05 Thread Harald Koch
Thirty years ago I started my sysadmin journey on an Internet that was
filled with helpful, experienced people that were willing to share their
knowledge.

Twenty years ago I was one of three people running CA*net, the
cross-Canada research Internet with three connections to the NSFnet. I
don't remember this world of banishment and exile you're discussing; the
NSFnet staff I dealt with were all friendly and helpful.

I plan to continue to "pay it forward", by being friendly and helpful
to "novice sysadmins". The curmudgeons in this thread can, frankly, get off
my lawn.

-- 
Harald


Re: Question about Customer Population by ASN for Canada

2017-10-02 Thread Harald Koch
On 2 October 2017 at 16:17, Eric Dugas  wrote:
>
>
> e.g. Teksavvy at 937,855 estimated users. How can they have 937,855 users
> if they "only" have 686,848 IPv4 (https://bgp.he.net/AS5645)?
>

I have one IPv4 and five users in my household...

-- 
Harald
(teksavvy customer)


Re: Bell outage

2017-08-04 Thread Harald Koch
On 4 August 2017 at 16:54, Rod Beck <rod.b...@unitedcablecompany.com> wrote:

> Well, imagine what happens when you have a body of water like Lake Ontario
> separating the key hubs on each side of the border, 151 Front Street and
> 350 Main Street. The fiber is probably stacked parallel around the lake and
> at certain points is collapsed into one right of way.
>

To generalise - most of Canada's population lives within 160 km of the US
border. That's a 8800 km long, but very skinny piece of territory, and that
makes finding geographically diverse routes ... challenging.

-- 
Harald Koch (with CA*net in the 1990s :)


Re: Domain renewals

2016-09-21 Thread Harald Koch
There are still many registrars that don't support DNSSEC (possibly only
for a subset of TLDs), and/or have an unusable or cumbersome interface for
adding DNSSEC glue. Just another thing to watch out for...


Re: Netflix banning HE tunnels

2016-06-20 Thread Harald Koch
My son came home from uni and complained that Netflix wasn't working -
which turned out to be my HE tunnel. So I blocked a few suggested IPv6
addresses, and everything is now fine.

Except that using IPv6 was connecting to some Netflix servers in the US of
A, and using IPv4 connects to the local Netflix caching server hosted by my
ISP here in Toronto. Much lower RTT and zero packet loss.

Amusingly, Netflix's anti-HE stance has actually improved my Netflix
experience...

-- 
Harald


Re: Netflix VPN detection - actual engineer needed

2016-06-06 Thread Harald Koch
On 6 June 2016 at 19:40, Owen DeLong  wrote:

>
> The problem is that some users travel and they try to watch Netflix using
> their home account in far away lands.
>

Interestingly, audible.com (the audio book people) actually warn you about
this up front - they point out on their site that many titles may not be
available in foreign countries and therefore you should download your
audiobooks before you leave your home country.

In other words, it's not just Netflix that has this problem...

-- 
Harald


Re: Stop IPv6 Google traffic

2016-04-10 Thread Harald Koch
On 10 April 2016 at 10:36, Filip Hruska  wrote:

> If I'm not mistaken, when there is some "abuse",
> Google typically shows captcha for the single IPs, not for whole provider,
> so only the customers who actually do something nefarious should get
> flagged.
>

You are mistaken. Google flags entire netblocks, more so for IPv6 it seems.


Re: Quick Update on the North American BCOP Efforts

2015-10-01 Thread Harald Koch
On 1 October 2015 at 00:37, Chris Grundemann  wrote:

>
> Those that have the information are mostly busy
> engineers, for whom writing documentation is not their favorite thing.
>

There's also the issue that if you ask two NANOG engineers a technical
question you'll get (at least) five answers...


Re: Ear protection

2015-09-23 Thread Harald Koch
I use Etymotic earplugs on my motorcycle as well as in other loud
environments, because they attenuate "without loss of clarity":

http://www.amazon.com/Etymotic-Research-ETY-Plugs-Protection-Earplugs/dp/B0044DEESS
-- 
Harald


Re: Dual stack IPv6 for IPv4 depletion

2015-07-09 Thread Harald Koch
On 9 July 2015 at 09:11, Mike Hammett na...@ics-il.net wrote:

> I think you're confusing "very common" for a tech guy and "very common" for
> the common man. I have a dozen or two v4 subnets in my house. Then again, I
> also run my ISP out of my house, so I have a ton of stuff going on. I can't
> even think of a handful of other people that would have more than one.


My son (who is not a tech guy but is a gamer) has four subnets in his
(rented) house already: private LAN, guest network, home control network,
and a separate LAN for the tenant downstairs who is sharing their broadband
connection. And he's just getting started.

The common man is becoming much more sophisticated in their networking
requirements, and they need this stuff to just work. Please don't place
artificially small limits just because you can't see a need.

-- 
Harald


Re: Dual stack IPv6 for IPv4 depletion

2015-07-09 Thread Harald Koch
On 9 July 2015 at 11:42, Matthew Huff mh...@ox.com wrote:

> What am I missing? Is it just the splitting on the sextet boundary that is
> an issue, or do people think people really need 64k subnets per household?


One thing you're missing is that some of these new-fangled uses for IP
networking will want to do their own subnetting. It's not "here's a subnet
for the car", it's "here's a /56 for the car to break into smaller pieces
as required".

A /56 isn't 256 subnets, it's 8 levels of subnetting (or 2 levels, if
you're human and want to subnet at nibble boundaries). A /48 is 16 (or 4)
levels. I have four vehicles, so I'd want to carve out a /52 for the car
network to make the routing and security easier to manage, and leave room
for expansion (or for my guests...)

One more consideration for you: we're currently allocating all IPv6
addresses out of 2000::/3. That's 1/8th of the space available. If we
discover we've messed up with this sparse address allocation idea, we have
7/8ths of the remaining space left to do something different.

-- 
Harald
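Added illustration (editor's example, not code from the post): the "levels of subnetting" arithmetic and the /52-for-the-vehicles plan from the post, worked through with Python's standard ipaddress module. The site prefix 2001:db8:1234::/48 is documentation space standing in for a real allocation, and the choice of which /52 goes to the vehicles is an assumption.

```python
import ipaddress
from fractions import Fraction

# Added illustration, not from the post: nibble-aligned hierarchical
# subnetting of a /48 and what "levels of subnetting" means in practice.
# The prefix 2001:db8:1234::/48 is documentation space used as a stand-in.

def bit_levels(parent_len, leaf_len=64):
    """Binary subnetting levels between a prefix and /64 leaf networks."""
    return leaf_len - parent_len


def nibble_levels(parent_len, leaf_len=64):
    """Subnetting levels if you only split on 4-bit (hex digit) boundaries."""
    return (leaf_len - parent_len) // 4


def carve(parent, new_prefix):
    """All subnets of `parent` at the given prefix length, in address order."""
    return list(ipaddress.ip_network(str(parent)).subnets(new_prefix=new_prefix))


def plan_home(site_prefix="2001:db8:1234::/48", vehicles=4):
    """Reserve one /52 for vehicles, hand each vehicle a /56 it can subnet itself."""
    site = ipaddress.ip_network(site_prefix)
    blocks = carve(site, 52)             # 16 /52s: one hex digit of hierarchy
    car_block = blocks[1]                # blocks[0] kept for the house (assumption)
    vehicle_nets = carve(car_block, 56)  # 16 /56s inside the /52
    return {
        "site": site,
        "car_block": car_block,
        "per_vehicle": vehicle_nets[:vehicles],
        "spare_vehicle_slots": len(vehicle_nets) - vehicles,
    }


def lookup_vehicle(plan, address):
    """Index of the vehicle /56 that contains `address`, or None.

    A router or firewall policy keyed on the /52 and /56 boundaries is what
    makes the per-vehicle routing and security "easier to manage".
    """
    addr = ipaddress.ip_address(address)
    for i, net in enumerate(plan["per_vehicle"]):
        if addr in net:
            return i
    return None


def global_unicast_share(prefix="2000::/3"):
    """Fraction of the whole IPv6 space covered by a prefix (2000::/3 is 1/8)."""
    return Fraction(1, 2 ** ipaddress.ip_network(prefix).prefixlen)


if __name__ == "__main__":
    p = plan_home()
    print("vehicle block:", p["car_block"])
    for i, n in enumerate(p["per_vehicle"]):
        print(f"  vehicle {i}: {n} -> {bit_levels(n.prefixlen)} bit levels / "
              f"{nibble_levels(n.prefixlen)} nibble levels of subnetting left")
    print("spare /56s for guests or more vehicles:", p["spare_vehicle_slots"])
    print("share of the address space in 2000::/3:", global_unicast_share())
```

A /56 leaves 8 bit levels (2 nibble levels) down to /64, a /48 leaves 16 (or 4), and carving the vehicle /52 out of the /48 still leaves twelve spare /56s inside it.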


Re: gmail security is a joke

2015-05-27 Thread Harald Koch
On 26 May 2015 at 23:43, Anil Kumar aku...@anilkumar.com wrote:


> According to this page, the 2-factor authentication does kick in when you
> finally try to reset the password.
>
> http://webapps.stackexchange.com/questions/27258/is-there-a-way-of-disabling-googles-password-recovery-feature
>
> “… I was presented with an emailed link to a reset page. When I clicked
> that link, since I have two-step verification set up, I was presented
> with a demand for a number provided by the Google Authenticator
> app on my phone. I provided that number and only then was I allowed
> to reset the password.”


Y'all are way too trusting ;)

If I recall from a brief experiment yesterday, three of the four options on
that page are variations on "I'd like to bypass 2-factor authentication".
There is really no point in any of Google's fancy account security if I can
bypass all of it using Google's Identity Verification process, especially
if that process is based on PII that isn't terribly difficult to obtain.

This is just a variation on Apple's "give us the last four digits of your
credit card to reset your password" gigantic security failure, and frankly
I expected better from Google. Silly me.

-- 
Harald (who once upon a time worked in the IAM space ;)


Re: gmail security is a joke

2015-05-26 Thread Harald Koch
On 26 May 2015 at 11:32, Alex Brooks askoorb+na...@gmail.com wrote:


> Can you not set account recovery options which change the way password
> reset requests are handled.
> https://support.google.com/accounts/answer/183723 Gives some guidance?
>
> Alex


Unfortunately, setting these options does not disable the separate account
recovery form listed at the bottom of the page, and it is this form that
allows you to login with any previous password and to bypass 2-factor auth.

I must admit I was surprised by this when I tried it just now. I guess it's
time to rethink using Google as a primary account...


Re: Any google network admins out there?

2015-04-05 Thread Harald Koch

> On 4/4/2015 3:11 AM, Lou Ashtonhurst wrote:
>
> Randy, you can just use the contact details on their page about it:
>
> https://support.google.com/websearch/contact/ban
>
> Ask them for the netflow or other source of proof. My understanding was
> they blocked on /32s not larger subnets which would indicate that the
> traffic is coming from your network, and not someone with a similar
> address, but you should be able to check once they give you the info.


This reply suggests you've never actually used that contact page. Have you
received a response from them?

I get this message about once a month using one or both of my Linode-based
web proxies. Google remains silent; as they say in the contact page: the
process is completely automated and there's nothing mere humans can do
about it.

Bow to our robot overlords.


Re: Comcast thinks it ok to install public wifi in your house

2014-12-10 Thread Harald Koch
On 10 December 2014 at 21:50, Mr Bugs b...@debmi.com wrote:

> however they use a separate DOCSIS and 802.11 channel so if would follow
> that it would be a separate IP tied to comcast corporate and not the
> subscriber as well as not taking up your bandwidth.



IIRC there are only three non-overlapping channels on 802.11g and six on
802.11n; I can see more networks than that from my basement.

I haven't been keeping up with the technology, but in the ancient of days
wasn't the uplink side of DOCSIS also a limited-bandwidth, shared resource?

-- 
Harald


Re: Credit to Digital Ocean for ipv6 offering

2014-06-19 Thread Harald Koch
On 19 June 2014 14:07, Daniel Ankers md1...@md1clv.com wrote:


> How does it use those 6 /64s?  That seems to be getting towards the
> interesting times where the way devices work with v6 is very different to
> how they would have worked with v6


Bridging between (slow) 802.11 and (fast) ethernet is hard to do right, so
CeroWRT configures all interfaces as separate LANs and routes between them
instead. It does this on the IPv4 side too; it's not specific to IPv6.

This breaks a lot of things (like Apple Bonjour), so I'm not convinced it's
a *useful* technique for home networks.

-- 
Harald


Re: yahoo.fr is no longer interested in your abuse reports.

2014-06-11 Thread Harald Koch
On 11 June 2014 16:41, goe...@anime.net wrote:

> It's the content.
>
> They're spamfiltering their abuse mailbox.



As supporting evidence I offer the fact that this entire conversation ended
up in my (Google) Junk folder.

-- 
Harald


Re: NAT IP and Google

2014-05-20 Thread Harald Koch
On 20 May 2014 10:27, William Waites w...@styx.org wrote:

> IPv6?


Might help if all your hosts have their own IPv6 addresses - doesn't help
if you run an http proxy. Google blacklists my (personal) IPv6 proxy at
least once a month.

-- 
Harald


Re: Internet Surveillance and Boomerang Routing: A Call for Canadian Network Sovereignty

2013-09-07 Thread Harald Koch
On 7 September 2013 17:08, Paul Ferguson fergdawgs...@mykolab.com wrote:

> Preliminary analysis of more than 25,000 traceroutes reveals a
> phenomenon we call ‘boomerang routing’ whereby Canadian-to-Canadian
> internet transmissions are routinely routed through the United States.


I sincerely hope that nobody in Canada is surprised by this, since it was
already an issue in 1994 (when I was at CA*net).

-- 
Harald


Re: Vancouver IXP - VanTX - BCNet

2013-08-20 Thread Harald Koch
On 20 August 2013 09:05, Randy Bush ra...@psg.com wrote:


> ok, i have heard privately from folk who i respect.  cira seems to be on
> the up and up and doing good professional work.


haha. yes, because Canadians are normally so sinister and nefarious...


Re: It's the end of the world as we know it -- REM

2013-04-24 Thread Harald Koch
Meanwhile, consumer-grade IPv6 still sucks, at "I have to turn off IPv6 to
watch YouTube videos" levels of suck...


Re: IPV6 in enterprise best practices/white papers

2013-01-30 Thread Harald Koch
On 30 January 2013 02:39, Jussi Peltola pe...@pelzi.net wrote:
> High density virtual machine setups can have 100 VMs per host. Each VM
> has at least a link-local address and a routable address. This is 200
> groups per port, 9600 per 48 port switch.

um - let's compare apples to apples here - 100 VMs per host, 9600 per
48 port switch, is a problem for IPv4 also...

-- 
Harald



Re: IPV6 in enterprise best practices/white papers

2013-01-27 Thread Harald Koch
On 26 January 2013 17:38, Mark Andrews ma...@isc.org wrote:
> As for breaking your LAN, if the applications take 60 seconds to
> fallback to the other address they were already broken.  Go complain
> to your application vendor.  Some vendors have already fixed this
> problem with their applications.

The question was about *enterprise* deployment, which raises two issues:

1) most vendors are waiting for customer IPv6 demand before
implementing support (or fixing bugs) - chicken and egg problem.
2) I don't know many enterprises running production software less than
a year (or more) old.

In the meantime, the network engineers struggling with this stuff need
workarounds (like the tuning parameters you and others have
mentioned).

-- 
Harald



Re: Adding GPS location to IPv6 header

2012-11-26 Thread Harald Koch
This also naively assumes that wireless network topology correlates with
geographic location. Any radio engineer (or cell phone user) can explain
why that doesn't work.


On 26 November 2012 17:36, William Herrin b...@herrin.us wrote:

> On Mon, Nov 26, 2012 at 10:20 AM, Eugen Leitl eu...@leitl.org wrote:
>> On Mon, Nov 26, 2012 at 12:56:52PM -0200, Carlos M. Martinez wrote:
>>> Just for redundancy's sake: No, L3 is **not** the place for this kind of
>>> information. L3 is supposed to be simple, easy to implement, fast to
>>
>> I agree. You need to put it into L2, and the core usage would
>> be for wireless meshes. Consider cases like Serval or cjdns,
>> which run on Android headsets and equivalent embeddeds.
>> Technically you wouldn't need GPS everywhere if you could
>> do ~m scale time domain reflectometry in free space.
>> It is possible to build a local contiguous map via
>> mutual time of flight triangulation (actually, just visibility
>> gives you a very good hint).
>
> Actually, I think you just articulated the first use for Ammar's idea
> that's not either wrong, absurd on its face or obviously better
> handled at a different location within the protocol stack.
>
> Suppose you have a large single-owner mesh network, such as a folks
> walking around with cell phones. If you want them to have a stable
> layer 3 address (and you do) then you're handling what amounts to /128
> routes for tens of millions of devices. If you can guarantee that any
> packet *to* that address also contains a rough geographic location
> then you can discard any routes internally once they're more than a
> short geographic distance from the origin and route on the geography
> until you're close enough to find a specific /128 route. Tens of
> millions of routes is no problem if no single router needs to know
> more than a few thousand of them.
>
> By putting geographic location at layer 3, you're also handling it end
> to end which means you don't need a stateful border device to track
> the current location of all of those /128 routes. The device itself
> doesn't need to add location if it doesn't have the data; it's good
> enough for the receiving tower to attach a rough location.
>
> There are some assumptions in this model which are problematic. Key ones
> are:
>
> 1. Only valid as an interior gateway protocol (IGP). Geographic
> routing has been proven false for an EGP because it induces traffic to
> cross links for which neither source nor destination has permitted
> access.
>
> 2. Requires the application at the landed end to copy the IP option
> information into the outbound packets as well. This behavior is not
> presently guaranteed.
>
> 3. Assumes that the device will originate communication, receiving
> only replies from the landed end, or will use some intermediary to
> communicate current geographic information if inbound origination is
> required.
>
> At any rate, I think that discussion of adding a geographic option
> header to IPv6 should be tied up in the discussion of a routing
> protocol which critically depends on its presence and can't reasonably
> be built another way. Otherwise when a needful use case finally comes
> along, you'll discover that the option's rules of operation don't
> adequately enable it.
>
> Regards,
> Bill Herrin
>
> --
> William D. Herrin  her...@dirtside.com  b...@herrin.us
> 3005 Crane Dr. .. Web: http://bill.herrin.us/
> Falls Church, VA 22042-3004




Re: Big day for IPv6 - 1% native penetration

2012-11-20 Thread Harald Koch
While looking into the NTP chaos from Monday, I noticed that my personal
servers have an NTP peer running IPv6.

I have no idea how long that's been going on - it was a complete non-event
;).

-- 
Harald


Re: Bell Canada outage?

2012-08-08 Thread Harald Koch
On 8 August 2012 16:10, Zachary McGibbon
zachary.mcgibbon+na...@gmail.com wrote:

 Thanks for the info, looks like Bell needs to put some filtering on their
 customer links!


I remember when AS577 had those... ;)

-- 
Harald


Re: Gmail Down?

2009-09-24 Thread Harald Koch
It does appear that gmail going down leads to a DoS against the NANOG 
list. :-)


--
Harald




Re: isprime DOS in progress

2009-01-21 Thread Harald Koch

Graeme Fowler wrote:
> On Tue, 2009-01-20 at 14:55 -0600, Todd T. Fries forwarded:
>
> I've been seeing a lot of noise from the latter two addresses after
> switching on query logging (and finishing an application of Team Cymru's
> excellent template) so I decided to DROP traffic from the addresses
> (with source port != 53) at the hosts in question.
>
> Well, blow me down if they didn't completely stop talking to me. Four
> dropped packets each, and they've gone away.


I've seen that behaviour in the past, but not this time?

I've seen a few of these attacks bouncing off my nameservers recently, 
and when I add DROP rules to my firewall, the incoming traffic 
disappears soon after. But the most recent set (66.230.160.1 and 
66.230.128.15) are still hammering away...


--
Harald
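Added illustration (editor's example, not code from either post): the detection step both posts describe, done over query-log lines. It counts amplifier-style root NS queries per "client" address (in a reflection attack that address is the spoofed victim), flags addresses above a threshold, and emits the DROP rules from Graeme's mitigation for an operator to review. The log lines are constructed here and only approximate BIND's query-log layout; the two flooding addresses are the ones named in the thread, and the threshold is an assumption.

```python
import re
from collections import Counter

# Added illustration, not from the thread: spot a DNS reflection flood in a
# BIND-style query log and emit the corresponding DROP rules for review.
# The sample log is constructed here; the line layout approximates BIND's
# "client IP#port: query: NAME CLASS TYPE flags" query-log format.

QUERY_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+)"
)


def parse_query_log(lines):
    """One dict per parseable query-log line; unparseable lines are skipped."""
    out = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            out.append(rec)
    return out


def find_reflection_sources(records, threshold=20):
    """Addresses sending many '. IN NS' amplifier queries.

    In a reflection attack the "client" address is the spoofed victim, so a
    high count of identical amplification queries from one address is the
    signal. Returns {ip: count} for addresses at or above threshold (an
    assumed value for this example).
    """
    counts = Counter(r["ip"] for r in records
                     if r["qname"] == "." and r["qtype"] == "NS")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def drop_rules(sources):
    """iptables rules mirroring the thread's mitigation: drop UDP from the
    address unless it arrives from source port 53, so genuine server-to-server
    replies are left alone. Returned as strings for review, not executed."""
    return [f"iptables -A INPUT -s {ip} -p udp ! --sport 53 -j DROP"
            for ip in sorted(sources)]


def build_sample_log():
    """Constructed sample: two flooding addresses (taken from the thread),
    one ordinary resolver, one lone root-NS query that should not trip the
    threshold, and one line that is not a query at all."""
    lines = []
    t = 0
    for ip in ("66.230.160.1", "66.230.128.15"):
        for _ in range(30):
            lines.append(f"20-Jan-2009 14:55:01.{t:03d} client {ip}#53: query: . IN NS +")
            t += 1
    lines.append("20-Jan-2009 14:55:02.000 client 192.0.2.10#51342: query: www.example.com IN A +")
    lines.append("20-Jan-2009 14:55:02.001 client 192.0.2.10#51342: query: www.example.com IN AAAA +")
    lines.append("20-Jan-2009 14:55:02.002 client 192.0.2.11#40213: query: . IN NS +")
    lines.append("garbage line that is not a query")
    return lines


if __name__ == "__main__":
    recs = parse_query_log(build_sample_log())
    flagged = find_reflection_sources(recs)
    for ip, n in sorted(flagged.items()):
        print(f"{ip}: {n} root NS queries")
    for rule in drop_rules(flagged):
        print(rule)
```

Running it prints both flooding addresses with 30 root NS queries each and one rule per address; the single root-NS query from 192.0.2.11 and the ordinary A/AAAA lookups stay below the threshold and are left alone.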