Re: Issues with deliverability to hotmail -- any Microsoft contacts?

2020-07-21 Thread Mark Milhollan

On Mon, 20 Jul 2020, Brock Tice wrote:


We have been having issues delivering email to [...]


You should probably join the mailop list.


We have repeatedly requested removal of our subnet from their block list
and it has not worked.


You will eventually be conversing with a person if you persist in 
responding to the ticket that you opened via the web, though initially 
you are not and it might not seem so even after -- do not open multiple 
tickets for the same address/block.



/mark


Re: AS hijacking (Philosophy, rants, GeoMind)

2020-05-30 Thread Mark Milhollan

On Fri, 29 May 2020, Justin Wilson (Lists) wrote:

One of the companies I work for recently had an issue with AS 2 
(University of Delaware) hijacking a prefix.


Sounds like a misconfigured prepend, someone thinking the value to 
provide is the number of prepends instead of the ASN to prepend.



/mark


Re: Curious Cloudflare DNS behavior

2020-05-30 Thread Mark Milhollan

On Fri, 29 May 2020, John Sage wrote:


Each one of ping, traceroute, dig and host returns

Host usbank . com not found: 2(SERVFAIL)


Could be a DNSSEC issue.  When it happens check <http://dnsviz.net/> or 
<https://dnssec-debugger.verisignlabs.com/> to see if that's the case.


--
Mark Milhollan
+1-805-901-4009


Re: DHS letters for fuel and facility access

2020-03-19 Thread Mark Milhollan

On Tue, 17 Mar 2020, Grant Taylor wrote:

On 3/17/20 11:35 AM, Alexandre Petrescu wrote:


But I don't expect to go to my desk any time in the next month to 
press the button on the phone to set the voicemail active.


My office had problems with multiple workstations needing someone to kick 
them.  My team had someone volunteer to go in and kick multiple machines to 
get the rest of my team back online.


Given it is only a signal to the switch I'd be surprised if it cannot be 
toggled via an admin interface.  Still, someone to go in and diddle a 
PHY or six sounds quite workable.



/mark


Re: Reaching out to Sony NOC, resolving DDoS Issues - Need POC

2020-01-10 Thread Mark Milhollan

On Fri, 10 Jan 2020, Octolus Development wrote:

I run a VPN business dedicated to protecting clients from DDoS attacks 
that happen "all day long" on PlayStation Network. We need our VPN to 
work on PSN; all our customers use their service.


They are still investigating the problem, let's see what the results will be.


Does your VPN provide what Sony cares about, which I do not know but 
might include things like only exiting CH customers via CH end-points / 
proxies so that non-CH (e.g., UK) only content can be blocked -- if not 
you may never gain traction with them and even if you do it might be 
quite hard to prove to their satisfaction.



/mark


Re: 5G roadblock: labor

2019-12-31 Thread Mark Milhollan

On Mon, 30 Dec 2019, Brian J. Murrell wrote:


I'm not saying that maybe one day we won't need 25Mb/s to a hand-held
device, but hologram telephone calling, Netflixing and even video
calling, are not the use-cases, IMHO.


Actually you went on to say that future innovations shouldn't exist 
because that's just crass consumerism, and that we should be satisfied 
with (in particular) HDMI instead of desiring better -- sorry, people 
will want better, e.g., the realism of 4k, 8k and 16k which the devices 
and networks of today either cannot provide (that HDMI flatscreen 
display probably cannot handle even 4k much less 8k+) or would struggle 
to provide (carrying 25+ Mb/s to dozens or hundreds of nodes -- remember 
even pico cells serve multiple nodes).


Video to tablets and phones/phablets is indeed a major use case, for 
the majority, not you or I -- you don't want high bandwidth video calling 
yet others might, i.e., Facetime is quite the thing and perhaps in 2 
years with enough bandwidth available those holographic calls would be 
too.  Even I might change my mind if my customers began demanding 
high-fidelity video conferencing even while mobile.


Some messages back mention was made of SSH being nice over the reduced 
latency 5G brings which might appeal to you but would be meaningless to 
most users.  I had no issue with SSH even over 1xRTT so I guess 3G need 
not have been deployed.


IoT will need lots of bandwidth but not the low latency nor the reduced 
jitter that 5G can provide.  A single thing generally won't need much 
but that isn't the measure since the idea is there will eventually be 
hundreds of things per household and thousands or millions per business, 
of which dozens, hundreds or thousands will be within the service area 
of a group of cells.  And even if that's still low in toto it translates 
to needing headroom so the things that do need significant individual 
streams won't starve.  Besides we aren't the customers for most of 
these, we're the product.


But there's no need to imagine a killer use case nor even a significant 
set of cases -- they will come if the ability is there.  In NA the key 
will be probably the cost, as another message pointed out.  The 
transition from 3G to 4G didn't proportionally increase the usage 
allowed, at least IME, but it was enough that many make video calls from 
their mobile device and some do watch videos on them.



/mark


RE: FCC proposes $10 Million fine for spoofed robocalls

2019-12-20 Thread Mark Milhollan

On Thu, 19 Dec 2019, Keith Medcalf wrote:

You should ALWAYS talk to the call center behind the robocaller.  The 
robocaller (the one playing the message) is relatively local and the 
cost of that call is minimal.  When you select to talk to the 
robocaller, that generates an international handoff to a call center 
in India.


Generally the call center phone number is also "local" even if the warm 
body is in some other country as that usually occurs via SIP.



/mark


Re: Is anyone able to contact GTT?

2019-12-14 Thread Mark Milhollan

On Tuesday 2019-12-10 06:58, Matt Harris wrote:

On Tue, Dec 10, 2019 at 8:51 AM Bottiger  wrote:



I sent an email to noc at gtt.net from 2 different emails and both got a
reply saying:

5.1.0 - Unknown address error 550-'5.4.1 Recipient address rejected:
Access denied [HE1EUR01FT058.eop-EUR01.prod.protection.outlook.com]'

Not sure if this means if they are blocking my email or if their email is
broken.


Could be either, but my money is on them blocking that particular 
address (block perhaps) because it has been sending messages that seem 
to be low quality aka much of which seemed to be spam.  How different 
were the sources?  If both were Office 365 that turns out to not be very 
different and I'll stick with them hating on that particular address 
(block).  If the second was a service provider not using O365 then it 
swings to being more likely that GTT hates all those source (email) 
addresses/domains.



The response indicates that the recipient address was
rejected, not the sender address


It is common to postpone rejections and deferrals until the RCPT TO 
phase, when possible.



/mark
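
An added illustration (not from the thread) of the RCPT TO behaviour above: a minimal server-side SMTP state machine that decides a sender-domain block while handling MAIL FROM but only reports it at RCPT TO. The domains, reply codes and reply texts are constructed for the example and are not GTT's or any real MTA's configuration.

```python
# Constructed block list for the example; a real MTA would consult its own
# policy tables, DNSBLs or reputation data here.
BLOCKED_SENDER_DOMAINS = {"spammy.example"}


class SmtpPolicySession:
    """Minimal server-side SMTP state machine with deferred rejection.

    The verdict on the sender is reached at MAIL FROM, but the 550 is only
    emitted at RCPT TO, which is why a sender-side block can surface to the
    sending site as "Recipient address rejected".
    """

    def __init__(self):
        self.mail_from = None
        self.pending = None   # reply to hand out at RCPT TO, if any

    @staticmethod
    def _address(arg):
        # "FROM:<user@host>" / "TO:<user@host>" -> "user@host"
        return arg.split(":", 1)[1].strip().strip("<>")

    def command(self, line):
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.example"
        if verb == "MAIL":
            self.mail_from = self._address(arg)
            domain = self.mail_from.rpartition("@")[2].lower()
            if domain in BLOCKED_SENDER_DOMAINS:
                # Decide now, report later: MAIL FROM still gets a 250 and
                # every recipient is then refused.  Codes/text are constructed.
                self.pending = "550 5.7.1 Recipient address rejected: Access denied"
            return "250 2.1.0 Ok"
        if verb == "RCPT":
            if self.mail_from is None:
                return "503 5.5.1 Need MAIL command"
            return self.pending or "250 2.1.5 Ok"
        if verb == "QUIT":
            return "221 2.0.0 Bye"
        return "502 5.5.2 Command not implemented"


def transcript(sender, recipient):
    """Run an EHLO/MAIL/RCPT/QUIT exchange and return the server replies."""
    session = SmtpPolicySession()
    cmds = ["EHLO client.example", f"MAIL FROM:<{sender}>",
            f"RCPT TO:<{recipient}>", "QUIT"]
    return [session.command(c) for c in cmds]


if __name__ == "__main__":
    # Constructed addresses; the blocked sender is accepted at MAIL FROM and
    # refused at RCPT TO, the clean one goes through.
    for sender in ("ops@spammy.example", "ops@clean.example"):
        for reply in transcript(sender, "noc@mx.example"):
            print("S:", reply)
```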


Re: RIPE out of IPv4

2019-11-26 Thread Mark Milhollan

On Tuesday 2019-11-26 00:13, Sabri Berisha wrote:

Don't get me wrong, I'm not advocating against IPv6 deployment; on the 
contrary. But it is not that simple in the real corporate world. Execs 
have bonus targets. IPv6 is not yet important enough to become part of 
that bonus target: there is no ROI at this point.


Though eyeballs need to change, so does content.  And eyeballs will 
invest if the content were to demand it.  So, perhaps Google will give 
IPv6 hosted content the same tiny boost they gave HTTPS content.



/mark


Re: Unable to email anyone from my primary domain name; thanks Google Mail and G Suite.

2019-10-25 Thread Mark Milhollan

On Friday 2019-10-25 01:22, Rich Kulawiec wrote:

On Thu, Oct 24, 2019 at 01:21:12PM -0700, Mark Milhollan wrote:


My experience says that: their system has learned that your system(s) 
continued to send messages that their user (yes you, but they don't 
know that) did not want [and nothing influenced] their AI, which makes 
mistakes and will never correct them if not fed correcting info.



It is a worst practice in mail systems engineering to allow input from
putative users into any decision-making process *absent* manual review
of each piece of data by very clueful humans,


Their system, their rules.  Their size makes it all but a certainty that 
plenty of automation will be involved and their modus vivendi is that 
they be AIs, no matter what you or I might think.  Further, they do have 
humans in the loop, their user individually and their users collectively, 
which want messages from others not directly in the loop; it just is not 
quite how we might like it to be when things subjectively "are wrong", 
as in this case.



/mark


Re: Unable to email anyone from my primary domain name; thanks Google Mail and G Suite.

2019-10-24 Thread Mark Milhollan

On Wednesday 2019-10-23 17:18, Constantine A. Murenin wrote:


I use my own personal domain name for various UNIX stuff, including sending
log-related things to myself out of cron, which end up in my own Gmail.com
account, either directly, or through forwarding (w/o SRS).  (I do not use G
Suite for my own domain name, for obvious reasons; just the consumer-based
gmail.com email address from the old times of invitation-based
registrations.)


Too bad you don't use G Suite as it allows you to notate incoming relays 
where Gmail does not.  It is possible that authenticating (logging in as 
y...@gmail.com) would help you get them delivered to your INBOX.



A couple of months ago, I set up some new scripts that would send me new
nightly emails.  It's all plain text, but had a few dozen domain names
present (it's logs).  Absolutely no links, just plenty of domains which I
don't control.  So, Gmail has been presenting most of these messages with
their red warning label that the email contains malicious links, even
though all of these emails contained zero links, zero URLs to any of these
unknown domain names, zero URL schemes, zero "http://", zero "https://"
etc.  You get the idea.


Many an MUA would convert the anything.knowntld (and other) strings 
(some don't even check for known TLDs) into clickable links if no 
adjacent URL was present so it seems that so far as Gmail is concerned 
those strings are something you might eventually be able to click thus 
they are URLs.



Since about a few weeks ago, I am now seeing at least a 95% rejection rate
for my domain name, for ALL email, including the forwards.


My experience says that: their system has learned that your system(s) 
continued to send messages that their user (yes you, but they don't know 
that) did not want, i.e., you left it marked as SPAM or deleted it 
without reading the message, or at least not enough was noted as not 
SPAM *and* read (aka displayed, and not for half a second either) so as 
to influence their AI, which makes mistakes and will never correct them 
if not fed correcting info.



/mark


Re: QoS for Office365

2019-07-10 Thread Mark Milhollan

On Tue, 9 Jul 2019, Mike O'Connor wrote:


:How do you deal with QoS for Office365, since the IPs are subject to changes ?

How often is the data in:

https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges
https://docs.microsoft.com/en-us/office365/enterprise/office-365-ip-web-service

out of date?


They provide a REST interface ... "Endpoints data is updated at the 
beginning of each month with new IP Addresses and URLs published 30 days 
in advance of being active."  Last updated 6/28.  There's also 
 for 
this specific case.



/mark


Re: Postmaster@

2019-06-15 Thread Mark Milhollan

On Fri, 14 Jun 2019, Gary E. Miller wrote:


Is it no longer required to monitor the postmaster@ ?

Did RFC 822 and RFC 5321 get repealed?  Or is M$ more special than the
rest of us?


It is monitored just not by humans and you did receive a response that 
could be useful though you didn't like it.  Microsoft is hardly the only 
company that prefers web pages over e-mail these days.



/mark


Re: Charter and Cox contacts

2019-05-14 Thread Mark Milhollan

On Mon, 13 May 2019, Stephen Satchell wrote:

On 5/13/19 12:11 PM, dan...@pyranah.com wrote:



Does anyone have contacts at Charter (Spectrum) and Cox? For some reason,
our IP has been blocked by them and our customers are unable to send email
via their charter/cox accounts. Thanks


Would you be talking about port 25/tcp outbound?  Lots of ISPs will
block port 25 as a rule;


If this is the case, that your customers cannot use your mail servers to 
relay mail, then provide port 587/TCP (SUBMISSION) or even 465/TCP 
(SMTPS, deprecated).


If you mean that your mail servers can't send mail to Charter and Cox 
addresses, then indeed you need to find out what happened, fix it then 
request removal from their (and other) blacklists for which contacts 
there would be helpful (I am not one).



/mark


Re: Packetstream - how does this not violate just about every provider's ToS?

2019-04-25 Thread Mark Milhollan

On Wed, 24 Apr 2019, Anne P. Mitchell, Esq. wrote:


Just ran into packetstream.io:



How can this not be a violation of the ToS of just about every major provider?


Sounds like a "paid" TOR.  Is TOR a ToS violation too -- the EFF would 
probably like to hear of it if so.  Or just the aspect of reselling 
one's service?



/mark


Re: Gi Firewall for mobile subscribers

2019-04-12 Thread Mark Milhollan

On Thu, 11 Apr 2019, Tore Anderson wrote:


We've been wanting to replace all of our ad-hoc OOB links with a
standardised setup based on LTE connectivity to an embedded
login/console server at each PoP. IPv6 would be perfect due to no
CGNAT and infinitesimal levels of background scanning.

Unfortunately Telenor has decided to deploy a central firewall that
drops all inbound connections, making their service totally unusable
for our use case. I guess they don't want our money.


Sounds like the console server will need to "phone home".  That a 
workaround might be possible doesn't make a firewall which the user 
cannot control to some degree less annoying.  Though it might be that 
Telenor just needs to be notified/reminded that power users and business 
customers exist.



/mark


Re: Cellular backup connections

2018-12-29 Thread Mark Milhollan
On Fri, 28 Dec 2018, Dovid Bender wrote:

>I finally got around to setting up a cellular backup device in our new POP.

>When SSH'ing in remotely the connection seems rather slow.

Perhaps using MOSH can help make the interactive CLI session less 
annoying.

>Verizon they charge $500.00 just to get a public IP and I want to avoid 
>that if possible.

You might look into having it call out / maintain a connection back to 
your infrastructure.


/mark


Re: Monitoring service that has a human component?

2018-12-07 Thread Mark Milhollan
On Wed, 5 Dec 2018, David H wrote:

>Hey all, was curious if anyone knows of a website monitoring service 
>that has the option to incorporate a human component into the decision 
>and escalation tree?  

Isn't this merely a matter of escalation, since either alerts someone 
and it is just a matter of who, when and how often?  The usual way of 
putting a human in the loop is for some events to create tickets to be 
triaged as staff has time, or all events get tickets but with some 
created in a lower priority queue w/o escalation and others in a high 
priority queue w/escalation.  As a service though, sorry, no I've not 
seen such.


/mark


Re: ARIN RPKI TAL deployment issues

2018-09-26 Thread Mark Milhollan
On Tue, 25 Sep 2018, Job Snijders wrote:

>We really need to bring it back down to "apt install rpki-cache-validator"

You say this as if no packager has a way to display and perhaps require 
approval of the license nor any way to fetch something remote as part of 
the installation process, e.g., the Microsoft "freely" supplied TTF 
files ...

  # zypper install fetchmsttfonts
  [...packager stuff...]
  (1/1) Installing: fetchmsttfonts-11.4-42.28.noarch .[done]
  Running: fetchmsttfonts-11.4-42.28-fetchmsttfonts.sh.txt (fetchmsttfonts, /var/adm/update-scripts)
  EULA:
  END-USER LICENSE AGREEMENT FOR
  MICROSOFT SOFTWARE

  IMPORTANT-READ CAREFULLY: This Microsoft End-User License Agreement ("EULA") is
  a legal agreement between you (either an individual or a single entity) and
  [...]
  andale32.exe (https://sourceforge.net/projects/corefonts/files/the%20fonts/final/andale32.exe):
  Fetching   ... done
  Extracting ... done
  [...]

I bet apt, dnf, pacman, pkg_add, yum, etc., do as well -- actually I 
know some of those do.  Perhaps fetching as part of installing is less 
desirable than already present at the outset, but it might appease ARIN 
and be workable (or superior) for many.


/mark


Re: Reaching out to ARIN members about their RPKI INVALID prefixes

2018-09-20 Thread Mark Milhollan
Seems to me that another logical way to work on cleaning up invalids 
would be for those that want to perform validation to contact their 
direct peers with invalids.  Though even those contacts can become stale, 
there will be some that are still valid, and they usually involve those 
intimately interested in routing (peering) problems they might otherwise 
cause and with the ability to get them fixed.


/mark


Re: Are any of you starting to get AI robocalls?

2018-04-06 Thread Mark Milhollan
One can analyze the calling frequency, but even that's problematic as it 
can penalize a successful customer that isn't scamming.  Besides as HAL 
wrote many of these calls are not originating in NA.  If digital 
residential lines hadn't died they might make the original source 
visible making it easier to decide if the call seems legit, but for now 
an auto-attendant seems the easiest solution.


/mark


Re: Juniper Config Commit causes Cisco Etherchannels to go into err-disable state

2018-04-06 Thread Mark Milhollan
Sounds like the Juniper is leaking a "default" BPDU as it resets the 
various internal chip configurations, which the Cisco receives thus 
triggering the err-disable.


/mark


Re: Yet another Quadruple DNS?

2018-03-30 Thread Mark Milhollan
On Thu, 29 Mar 2018, Seth Mattinen wrote:

>I'm lazy and have been using 9.9.9.9 at home.

nameserver 1.1


/mark


Re: Krebs on Security booted off Akamai network after DDoS attack proves pricey

2016-09-26 Thread Mark Milhollan
On Sun, 25 Sep 2016, Stephen Satchell wrote:

>Yeah, right.  I looked at BCP38.info, and there is very little concrete
>information.  

Yeah, it's pretty naked.  But how-to isn't the usual stumbling block, as 
has been pointed out in this thread there needs to be the will to spend 
resources setting it up and thus committing future resources to 
maintenance.

>I've been slogging through the two RFCs, 2827 and 3794, and find
>it tough sledding to extract the nuggets to put into my firewall and routing
>table.  One of the more interesting new additions to my systems is this, to the
>routing tables:

A list of martian addresses is useful to avoid sending to or accepting 
from weird places but it isn't useful for BCP38 purposes, of ensuring a 
node only uses address(es) assigned to it as the source address in the 
packets it creates/sends.

BCP38 checking is not done by the node itself, though that is not 
entirely unreasonable.  Enforcement is performed by the network as close 
to the point of the node's attachment as possible -- failures should be 
discarded or perhaps returned as prohibited and possibly even sampled 
for use by network staff to work on remediation.  In some cases it's 
very simple and effective to just filter toward your upstream(s), i.e., 
allow this area's addresses and drop/reject/log the rest.

>(Has this been published anywhere before?  I haven't found any yet.)

Cymru has lists in various formats and levels of (de)aggregation and 
detail that you can easily turn into those commands, though there's no 
martians-only lists for IPv6.  You might even use one of the "fullbogon" 
lists to block at a very detailed level if you have sufficient resources 
or tools that keep needs light, e.g., ipset.

>In short, I have yet to see a "cookbook" for BCP38 filtering, for ANY filtering
>system -- BSD, Linux, Cisco.

For some it's just uRPF, strict or loose as your needs demand, which 
their router can already perform, e.g.,

  interface your-template/or/range-of-interfaces/etc
    ip verify unicast reverse-path
     or ip verify unicast source reachable-via rx
     or ip verify unicast source reachable-via any

Which for Linux is controlled by the net.ipv4.conf.if.rp_filter sysctl 
key where "if" can be "default", "all" or a specific interface name and 
a setting of 1 does strict checking while 2 does loose.

Or there's always plain old packet filters, with varying degrees of ease 
or annoyance, as tightly (per customer applied to incoming packets 
received on their interface) or simply (leaving the pop) as you please 
and makes sense.


/mark
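
As an added example, not from the thread or any vendor, here is a small simulation of the strict and loose uRPF checks described above together with the "filter toward your upstream" egress check. The forwarding table, interface names and sample packets are constructed; treating a default route as not satisfying uRPF unless allow_default is set (as with the Cisco allow-default keyword) is an assumption of the simulation.

```python
import ipaddress

# Constructed FIB for this example: prefix -> interface the prefix is reached
# through.  A router would consult its real forwarding table.
ROUTES = {
    "192.0.2.0/24":    "cust1",     # customer 1's assigned block
    "198.51.100.0/24": "cust2",     # customer 2's assigned block
    "203.0.113.0/24":  "core",      # our own infrastructure
    "0.0.0.0/0":       "upstream",  # default route toward transit
}

# Address space this site originates; used for the "filter toward your
# upstream" case (egress BCP38).  Constructed, like everything above.
LOCAL_PREFIXES = ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24"]

FIB = [(ipaddress.ip_network(p), i) for p, i in ROUTES.items()]


def lookup(src):
    """Longest-prefix match for src.  Returns (network, iface) or None."""
    addr = ipaddress.ip_address(src)
    best = None
    for net, iface in FIB:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def urpf(src, in_iface, mode, allow_default=False):
    """Simulated unicast RPF on an inbound packet; True = pass, False = drop.

    strict: the best route back to src must point out the interface the
            packet arrived on (Cisco 'reachable-via rx', Linux rp_filter=1).
    loose:  any route back to src is enough (Cisco 'reachable-via any',
            Linux rp_filter=2); it only catches sources with no route at all.
    A default route is ignored unless allow_default is set (assumption that
    mirrors Cisco's 'allow-default' keyword); with it set, loose mode passes
    every source, which is the usual caveat against loose mode.
    """
    hit = lookup(src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "strict":
        return iface == in_iface
    if mode == "loose":
        return True
    raise ValueError("mode must be 'strict' or 'loose'")


def egress_ok(src):
    """BCP38 at the upstream edge: only packets sourced from this site's own
    address space may leave toward transit."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in LOCAL_PREFIXES)


# Constructed sample packets: (source address, interface it arrived on).
SAMPLE = [
    ("192.0.2.10",   "cust1"),     # legit: cust1 using its own block
    ("198.51.100.7", "cust1"),     # spoofed: cust2's block arriving from cust1
    ("203.0.113.9",  "cust2"),     # spoofed: our infra address from a customer
    ("100.64.0.1",   "cust1"),     # no specific route: only the default matches
    ("8.8.8.8",      "upstream"),  # normal inbound from transit
]


def classify(packets=SAMPLE, allow_default=False):
    """Run strict and loose uRPF over the packets; returns a list of
    (src, in_iface, strict_pass, loose_pass) tuples."""
    return [(s, i, urpf(s, i, "strict", allow_default),
             urpf(s, i, "loose", allow_default)) for s, i in packets]


if __name__ == "__main__":
    for allow in (False, True):
        print(f"allow_default={allow}")
        for src, iface, strict, loose in classify(allow_default=allow):
            print(f"  {src:>14} via {iface:<8} strict={'pass' if strict else 'DROP'}"
                  f"  loose={'pass' if loose else 'DROP'}"
                  f"  egress={'ok' if egress_ok(src) else 'DROP'}")
```

Only the spoofed customer packets are caught by loose mode once a default route is allowed, which is why per-customer strict checking (or a plain ingress ACL per customer interface) is the useful form at the attachment point.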


Re: IPv6 Ingress traffic by default

2016-06-20 Thread Mark Milhollan
On Mon, 20 Jun 2016, Jared Mauch wrote:
>On Jun 20, 2016, at 1:30 PM, Owen DeLong  wrote:
>>On Jun 17, 2016, at 10:10 , Mark Milhollan  wrote:

>>>This (open by default vs closed) has been discussed before, with plenty 
>>>of people on either side.

>>I'm unaware of anyone advocating open inbound by default residential CPE.
>
>I'm sure changing the subject line will draw out the purists at heart :)

Hopefully they'll search the archives first.  Also discussed on ipv6-ops 
IIRC.


/mark


Re: Netflix banning HE tunnels

2016-06-17 Thread Mark Milhollan
On Tue, 14 Jun 2016, Owen DeLong wrote:
>On Jun 14, 2016, at 11:57 , Ricky Beam  wrote:

>>I've seen many "IPv6 Capable" CPEs that apply ZERO security to IPv6 traffic. 
>
>Those are by definition poorly designed CPE. 

This (open by default vs closed) has been discussed before, with plenty 
of people on either side.


/mark


Re: DNSSEC and ISPs faking DNS responses

2015-11-13 Thread Mark Milhollan
On Thu, 13 Nov 2015, John Levine wrote:

>At this point very few client resolvers check DNSSEC, so something
>that stripped off all the DNSSEC stuff and inserted lies where
>required would "work" for most clients.  At least until they realized
>they couldn't get to PokerStars and switched their DNS to 8.8.8.8.

Except that the ISP can intercept those queries and respond as it likes.  
Such is already done at all scales.  Not that a government generally 
cares what kind of burden is required once the law is passed, cf CALEA.

True, some users would be able to detect such tampering and many of 
those could work around it.  But most will have no way to do either.

Would the masses ever replace their stub with a full resolver?  
Doubtful, unless their OS vendor does it for them.  Would that be the 
right thing to do for a few billion users of Windows and another couple 
billion using Android, most of whose ISPs are providing unfaked answers?  
Would the various authoritative operators be happy / agree?  How does 
one fit local zones into the picture?

Would the masses set up a VPN to a service provider in a jurisdiction not 
subject to such foolishness so their resolver, whether stub or full, 
would have a chance at unfaked answers?  Again, I'm thinking most would 
be entirely ignorant of the issue, and in any case would be hard pressed 
to set anything up unless it was trivial, e.g., not just part of their 
OS but also Wizard-like with most answers pre-supplied.


/mark


Re: Routes leaked by AS393742 via AS16397

2015-10-01 Thread Mark Milhollan
On Wed, 30 Sep 2015, Hugo Slabbert wrote:
>On Wed 2015-Sep-30 17:43:40 -0400, Robert Webb  wrote:

>>https://ipinfo.io/AS393742
>
>...I'm so behind the times; my response would have been:
>
> $ finger 393...@peeringdb.com

Whois is often useful as well, not for peering info of course but that 
isn't what Marco would want to discuss ...

  $ whois as393742
  [Querying whois.radb.net]
  [whois.radb.net]
  aut-num:        AS393742
  as-name:        BIYORT-1
  descr:          Biyort USA Corporation
  admin-c:        Biyort USA
  tech-c:         Nerwork Biyort
  mnt-by:         MAINT-AS393742
  changed:        netw...@biyort.com 20150316  #18:54:59Z
  source:         RADB

Sometimes my whois program is surprising.  But that's fine and since it 
is Biyort USA, I'd also ask ARIN for info ...

  $ whois -h whois.arin.net as393742
  [Querying whois.arin.net]
  [whois.arin.net]
  [...]
  OrgNOCHandle: NBNB3-ARIN
  OrgNOCName:   NOC BIYORT, NOC BIYORT
  OrgNOCPhone:  +1-305-824-9100 
  OrgNOCEmail:  n...@biyort.net.uy
  OrgNOCRef:    http://whois.arin.net/rest/poc/NBNB3-ARIN
  [...]


/mark


Re: BGAN Optimized Laptops

2015-09-11 Thread Mark Milhollan
On Thu, 10 Sep 2015, Matthew Petach wrote:

>Just wanted to clear one point up...
>
>The web is *not* a "push" model; it's a "pull" model.

Mostly true, yet there's that little bit that makes it not total truth.

HTTP/2 has push, where instead of waiting for a browser to decide which 
elements to fetch a server can send anything it likes, the basic theory 
being that "everyone" will request certain/all objects so sending them 
without waiting for the requests will enhance performance.  HTTP/2 -- 
derived from / started as SPDY -- became a standard in May and is 
supported by various servers and clients.

WebSockets should probably be mentioned as well.

And the even older content replacing push (ca '95) -- though seldom used 
it is still supported by some browsers.


/mark


Re: NTP versions in production use?

2015-07-12 Thread Mark Milhollan
On Sat, 11 Jul 2015, Harlan Stenn wrote:

>I'm kinda stunned that folks are running such ancient
>versions of NTP.

This is not surprising at all, nor should you be surprised to find xntp3 
still in use because of the even older software on decrepit but still 
functional hardware.  I.e., in addition to the issues Stephen Satchell 
mentioned as to why vendors might not be keeping up, users may have 
similar needs keeping them from using the latest releases of device 
software.  And then there are those that never even check for updates so 
long as their device keeps them happy.


/mark


Re: Flows with destination port 0 and TCP SYN flag set

2015-06-17 Thread Mark Milhollan
On Wed, 17 Jun 2015, Maqbool Hashim wrote:

>Finally I don't see how it could be, but be interested to hear people's 
>thoughts, no legitimate application could be generating this traffic 
>could it?  I mean I don't see what use an application could make of 
>such a TCP conversation.  Discarding network analysis etc.  This 
>machine runs a whole host of proprietary control system protocols, so 
>haven't discarded the possibility totally, but I just can't see what an 
>application protocol could find useful in a bunch of reset + ack 
>packets being received from the destination hosts.

Okay, setting aside the malicious possibilities, it may be that someone 
felt they needed something like ping but without the need for a raw 
socket.  I would worry about such code as there is usually sufficient 
proof the host is alive due to ongoing or new sessions.  Still, in 
process control it may be reasonable to check aliveness if, for example, 
there has been no normal activity for a seemingly small period of time, 
e.g., 50ms.  Such a test is only sufficient to prove that the TCP stack 
will respond, not the programs (which is where aliveness within the 
protocols is far more useful, classically PING and PONG).

Or perhaps a fence-post bug, e.g., a program is doing its own port 
selection with a max of 65535 where it accidentally uses max+1 which for 
a 16 bit unsigned value turns out to be 0, i.e., fixing the port number 
(setting it to the min value) after it is used rather than before.


/mark


Re: Need trusted NTP Sources

2014-02-06 Thread Mark Milhollan
On Thu, 6 Feb 2014, Notify Me wrote:

>According to the auditors, "trusted" means
>
>1. Universities or Research facilities (nuclear/atomic facilities,
>space research (such as NASA) etc.)
>2. Main country internet/telecom providers
>3. Government departments
>4. Satellites (using GPS module)
>
>Which is a bit of a tall order over here.

In general you should probably be asking .

You could run your own NTP server using GPS as its reference clock (#4), 
at least I don't think it would be impossible for you to obtain such a 
device.  But not cheap either.  But then RHEL and an audit suggest you 
have some money to spend.  You might even build your own using ntpd and 
a receiver, e.g., GNSS.  See 
 for more information.

Some stratum 1 or 2 servers (which are generally run by entities 1 thru 
3 from your list) may allow you to obtain time (perhaps using crypto), 
but of course you'd need to contact them directly.  ntp.org has a list: 
.

Generally speaking, you'll need at least 3 sources if you want stability.


Mark