Re: Root Cause Re: 202401102221.AYC Re: Streamline The CG-NAT Re: 202401100645.AYC Re: IPv4 address block

2024-01-12 Thread Mu
Would it be possible for you to reply in-thread, rather than creating a new 
thread with a new subject line every time you reply to someone?

Trying to follow the conversation becomes very difficult for no reason.
On Friday, January 12th, 2024 at 2:55 PM, Abraham Y. Chen  
wrote:

> Hi, Tony:
>
> 0) As the saying goes, there is more than one way to skin a cat. We do not 
> need to address a request by literally following the thought trend. In 
> troubleshooting, engineers are taught to look for the Root-Cause which more 
> often than not turns out to be something other than originally thought. In this case, 
> the "Any idea" hints that the requester is open-minded for possible alternatives 
> other than stated on the surface.
>
> 1) When reviewing a problem, we need to go one or more steps toward the 
> source or the origin to look for the solution. Since the predominant 
> operation model is CDN supported by CG-NAT, the primary reason to look for a 
> publicly routable IPv4 address is to create another CG-NAT cluster. On the 
> other hand, if there is a way to expand the capacity of the existing CG-NAT 
> cluster, the need for additional publicly routable IPv4 address is reduced.
>
> Regards,
>
> Abe (2024-01-12 14:54)
>
> On 2024-01-10 23:26, Tony Wicks wrote:
>
>> 2) "... an operator clearly looking to acquire *publicly routable* space 
>> without being clear that this suggestion wouldn't meet their needs. ":
>>
>> Since 240/4 has 256M addresses while 100.64/10 has only 4M, a current CG-NAT 
>> cluster can be expanded 64 fold once the 240/4 is used. Looking from another 
>> angle, an IAP will then be able to expand the subscriber set 64 fold with 
>> still the original one publicly routable IPv4 address.
>>
>> The OP asked for “Any idea please on the best way to buy IPv4 blocs and what 
>> is the price”. I would expect they want actual public IPv4 address blocks 
>> and not internal CGNAT space. While the idea of using 240/4 instead of 
>> 100.64/10 would certainly have some merit, I don’t believe it's in any way 
>> related to what this OP asked for.
>>
>> regards
>

Re: ISP data collection from home routers

2022-03-25 Thread Mu
Your statement seems to imply that if someone publicizes certain personal 
data on Facebook then they shouldn't care about any other data being collected 
by any other entity, do I have that right?

While I agree that many consumers don't place much value on their own data, 
resulting in them not particularly caring about that data, in my experience it 
often stems from ignorance of what can be done with that data (if they even 
know that the data is being collected in the first place). Once the 
implications of sharing specific data are known, my anecdata has shown that the 
average person will make some adjustments to their data-sharing habits. At the 
very least, an informed decision can be made.

However, when it comes to intricate technical data from their home routers 
being hoarded, we can't really expect the average consumer to form an informed 
decision on the data being shared, can we? I don't think the default should be 
"collect as much as we can because they probably won't care" in the absence of 
an informed consumer.

Regards,

Mu

--- Original Message ---
On Thursday, March 24th, 2022 at 9:26 AM, Josh Luthman 
 wrote:

> I'm surprised we're having this discussion about an internet device that the 
> customer is using to publicize all of their information on Facebook and 
> Twitter. Consumers do not care enough about their privacy to the point where 
> they are providing the information willingly.
>
>> Consumers should have legal say in how or whether their data are harvested and 
>> also sold.
>
> They do. https://www.fcc.gov/general/customer-privacy
>
> On Thu, Mar 24, 2022 at 9:12 AM Lady Benjamin Cannon of Glencoe, ASCE 
>  wrote:
>
>> This is an enormous problem, see: 
>> https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-staff-report-finds-many-internet-service-providers-collect-troves-personal-data-users-have-few
>>
>> Consumers should have legal say in how or whether their data are harvested 
>> and also sold.
>>
>> Ms. Lady Benjamin PD Cannon of Glencoe, ASCE
>> 6x7 Networks & 6x7 Telecom, LLC
>> CEO
>> l...@6by7.net
>> "The only fully end-to-end encrypted global telecommunications company in 
>> the world.”
>>
>> FCC License KJ6FJJ
>>
>> Sent from my iPhone via RFC1149.
>>
>>> On Mar 24, 2022, at 3:44 AM, Giovane C. M. Moura via NANOG 
>>>  wrote:
>>
>>> Hello there,
>>>
>>> Several years ago, a friend of mine was working for a large telco and his 
>>> job was to detect which clients had the worst networking experience.
>>>
>>> To do that, the telco had this hadoop cluster, where it collected _tons_ of 
>>> data from home users routers, and his job was to use ML to tell the signal 
>>> from the noise.
>>>
>>> I remember seeing a sample csv from this data, which contained _thousands_ 
>>> of data fields (features) from each client.
>>>
>>> I was _shocked_ by the amount of (meta)data they are able to pull from home 
>>> routers. These even included your wifi network name _and_ password!
>>> (it's been several years since then).
>>>
>>> And home users are _completely_ unaware of this.
>>>
>>> So my question to you folks is:
>>>
>>> - What's the policy regulations on this? I don't remember the features 
>>> (thousands) but I'm pretty sure you could do some profiling with it.
>>>
>>> - Is anyone aware of any public discussion on this? I have never seen it.
>>>
>>> Thanks,
>>>
>>> Giovane Moura

Re: Russia attempts mandating installation of root CA on clients for TLS MITM

2022-03-14 Thread Mu
>Mozilla is the only browser vendor these days that maintains its own 
>independent root CA storage for the browser. Chrome, Chromium, Safari, Edge, 
>IE etc all use whatever root CAs are trusted by the operating system. If they 
>can get Windows 10 client PCs pushed to retail with an image that includes 
>their CA...

Google Chrome has its own root program, and all vendors have been reliant on 
Mozilla's setup for some time. They don't just blindly trust the OS.

--- Original Message ---
On Friday, March 11th, 2022 at 1:34 PM, Eric Kuhnke  
wrote:

> Considering that 99% of non-technical end users of windows, macos, android, 
> ios client devices have no idea what a root CA is, if an authoritarian regime 
> can mandate the installation of a government-run root CA in the operating 
> system CA trust store of all new devices sold at retail, as equipment is 
> discarded/upgraded/replaced incrementally over a period of years, they could 
> eventually have the capability of MITM of a significant portion of traffic.
>
> Presumably with Apple ending shipment of new MacOS devices to Russia and 
> retail sales of new devices, this wouldn't be so much of an issue with MacOS. 
> The process of re-imaging a modified MacOS install .DMG onto a "blank" 
> macbook air or similar with a new root CA included would be non trivial, and 
> hopefully might be impossible due to crypto signature required for a legit 
> MacOS bootable install image.
>
> Mozilla is the only browser vendor these days that maintains its own 
> independent root CA storage for the browser. Chrome, Chromium, Safari, Edge, 
> IE etc all use whatever root CAs are trusted by the operating system. If they 
> can get Windows 10 client PCs pushed to retail with an image that includes 
> their CA...
>
> On Thu, 10 Mar 2022 at 18:27, Dario Ciccarone (dciccaro) via NANOG 
>  wrote:
>
>> I think the point Eric was trying to make is that while, indeed, the 
>> initial, stated goal might be to be able to issue certificates to replace 
>> those expired or expiring, there's just a jump/skip/hop to force 
>> installation of this root CA certificate in all browsers, or for Russia to 
>> block downloads of Firefox/Chrome from outside the Federation, and instead 
>> distribute versions which would already include this CA's certificate. And 
>> then MITM the whole population without their knowledge or approval.
>>
>> GIVEN: savvy users might know how to delete the certificate, or others may 
>> teach them how, and how to download other CA's certificates (if the 
>> government was to ship only this certificate with the browser). Cat and 
>> mouse game. The North Korean and Chinese governments have been doing these 
>> kind of shenanigans for a long time - I am sure Russia could copy their 
>> model. And considering the tight media control they’re already exercising, I 
>> don't think it is crazy or paranoid to think Internet will be next. They 
>> seem to be already going down that path.
>>
>> PS: opinions and statements, like the above, are my very own personal take 
>> or opinion. Nothing I say should be interpreted to be my employer's 
>> position, nor be supported by my employer.
>>
>> On 3/10/22, 7:38 PM, "NANOG on behalf of Sean Donelan" 
>>  
>> wrote:
>>
>> On Thu, 10 Mar 2022, Eric Kuhnke wrote:
>>> I think we'll see a lot more of this from authoritarian regimes in the
>>> future. For anyone unfamiliar with their existing distributed DPI
>>> architecture, google "Russia SORM".
>>
>> Many nations have a government CA.
>>
>> The United States Government has its Federal Public Key Infrastructure,
>> and Federal Bridge CA.
>>
>> https://playbooks.idmanagement.gov/fpki/ca/
>>
>> If you use DOD CAC ID's or FCEB PIV cards or other federal programs, your
>> computer needs to have the FPKI CA's. You don't need the FPKI CA's for
>> other purposes.
>>
>> Some countries CA's issue for citizen and business certificates.
>>
>> While X509 allows you to specify different CA's for different purposes,
>> since the days of Netscape, browsers trust hundreds of root or bridged CA
>> in its trust repository for anything.
>>
>> Neither commercial or government CA's are inherently more (or less)
>> trustworthy. There have been trouble with CA's of all types.
>>
>> An X509 certificate is a big integer number, in a fancy wrapper. It's not a
>> magical object.