Re: Small Internet border router options?

2024-05-14 Thread Richard Holbo
+1 on the Ubiquiti Infinity.. I've used a number of them in various roles..
Linux based and have had 1 hardware failure after a couple years.  Try to
keep bridging to a minimum as it'll eat the processor, but for routed
traffic, no issues.
/rh


On Mon, May 13, 2024 at 11:56 AM Tom Samplonius  wrote:

>
>   What are you using for small campus border routers?  So four to eight 10G
> ports with a FIB for full scale L3?
>
>
> Tom
>
>
>


Re: Best TAC Services from Equipment Vendors

2024-03-11 Thread Richard Laager

On 2024-03-07 05:08, Pedro Prado wrote:

* I am biased, I’m from Arista * but having said that have you guys experienced 
Arista TAC?


Yes.


As you guys said scale may change things down the road, but at the current 
scale it’s still an engineer that answers your call, straight away.


I think the scale has worsened this, slightly, already. It was great 
initially.


Opening a ticket via web/email after hours seems to get clueless 
first-level support.


Calling during U.S. business hours has been fine, but I'm generally only 
doing that to get a ticket moving after it has stalled.


If I have an issue that needs to be escalated to 
engineering/development, I've had very good to great experiences with 
the engineers/developers in India after hours. It's a bad day if I need 
them, but it's great to have them.


FWIW, I haven't tried calling after hours.

On the other hand, the sales engineers have been great!

--
Richard


Re: Verizon Business Contact

2024-02-26 Thread Richard Laager
To close the loop on this, Verizon Wireless reported to me that they 
fixed the issue (whatever it was).


They further said that 63.56.37.4 was a typo; all IPs should have been 
in 63.59.x.x.


I am able to reach the 63.59.0.0/16 IPs in question: 63.59.39.232 & 
63.59.67.68.


Justin: Thanks for the detail that this was reproducible from Cogent's 
looking glass. I think there's a good chance that contributed to them 
being able to find it (i.e. having an easy way for them to test).


--
Richard


Re: Verizon Business Contact

2024-02-19 Thread Richard Laager
I see the route originated by two different ASNs. I agree that when I 
use the AS6167 path, it is broken (for the destinations where it is 
broken; 63.59.166.100 was working despite using the AS6167 path).


BGP routing table entry for 63.59.0.0/16
 Paths: 2 available
  6939 701 22394
184.105.34.254 from 184.105.34.254 (216.218.253.228)
  Origin IGP, metric 0, localpref 60, IGP metric 0, weight 0, tag 0
  Received 21d19h ago, valid, external, best
  Rx SAFI: Unicast
  6461 701 6167
69.89.205.202 from 69.89.205.202 (69.89.205.202)
  Origin IGP, metric 887, localpref 60, IGP metric 40, weight 0, tag 0
  Received 4d03h ago, valid, internal
  Community: 6461:5997
  Rx SAFI: Unicast

Based on the names in WHOIS, I would say that both AS6167 and AS22394 
are Verizon Wireless.


--
Richard



Re: Verizon Business Contact

2024-02-16 Thread Richard Laager

On 2024-02-09 18:10, Justin Krejci wrote:
For a good long while (months) we have had similar issues with various 
Verizon destinations.


Only Verizon *Wireless* destinations, or other Verizon *Business* things?

As of today, I'm told (via an upstream provider) that Verizon Business 
says this is a Verizon Wireless issue.


--
Richard


Re: IRRD & exceptions to RPKI-filtering

2024-02-12 Thread Richard Laager

On 2024-02-12 18:12, Job Snijders wrote:

On Mon, Feb 12, 2024 at 05:01:35PM -0600, Richard Laager wrote:

On 2024-02-12 15:18, Job Snijders via NANOG wrote:

On Mon, Feb 12, 2024 at 04:07:52PM -0500, Geoff Huston wrote:

I was making an observation that the presentation material was
referring to "RPKI-Invalid" while their implementation was using
"ROA-Invalid" There is a difference between these two terms, as I'm
sure you're aware.


I'm sure Job is aware, but I'm not. Anyone want to teach me the
difference?


... more good explanation snipped ...


A ROA can be invalid (for example, because its X.509 EE certificate
expired); a BGP route can be invalid (because no valid RPKI ROA attests
that the route could originate from the ASN at hand), and an IRR object
can be invalid (because no Valid ROA attests the route object's "origin:"
could originate the prefix at hand).


Thanks!

This makes perfect sense now that you say it. I just wasn't seeing it 
immediately before. I figured best to ask and learn something. :)


--
Richard
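The three notions separated in the reply above, as an added example (not code from the post, from IRRd, or from any RPKI validator): a ROA's own validity window, Route Origin Validation of a BGP route in the RFC 6811 sense, and the same check applied to an IRR route object's "origin:". The ROAs, prefixes and ASNs are constructed sample data, and the validity window is a simplification standing in for the EE certificate's notBefore/notAfter.

```python
"""Route Origin Validation in the style of RFC 6811, with the ROA-invalid,
route-invalid and IRR-object-invalid cases kept distinct.
Added example; sample data below is constructed, not real routing state."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_network


@dataclass(frozen=True)
class Roa:
    prefix: str       # covered prefix, e.g. "192.0.2.0/24"
    max_length: int   # maxLength attribute of the ROA
    asn: int          # authorised origin AS (0 means "nobody may originate")
    not_before: date  # stands in for the EE certificate's validity window (assumption)
    not_after: date


def roa_state(roa: Roa, today: date) -> str:
    """A ROA whose certificate is outside its validity window is itself
    invalid and contributes no VRPs to the validated cache."""
    return "valid" if roa.not_before <= today <= roa.not_after else "invalid"


def valid_vrps(roas, today):
    return [r for r in roas if roa_state(r, today) == "valid"]


def route_origin_state(prefix: str, origin_asn: int, vrps) -> str:
    """RFC 6811 section 2: NotFound if no VRP covers the prefix; Valid if a
    covering VRP names this origin and the announced length is within its
    maxLength; Invalid otherwise."""
    net = ip_network(prefix, strict=True)
    covering = []
    for v in vrps:
        vnet = ip_network(v.prefix, strict=True)
        if vnet.version == net.version and net.subnet_of(vnet):
            covering.append(v)
    if not covering:
        return "notfound"
    for v in covering:
        if v.asn != 0 and v.asn == origin_asn and net.prefixlen <= v.max_length:
            return "valid"
    return "invalid"


def irr_route_object_state(route_obj: dict, vrps) -> str:
    """An IRR route object is invalid, in the sense used in the thread, when
    no valid ROA lets its "origin:" originate its "route:"."""
    asn = int(route_obj["origin"].upper().removeprefix("AS"))
    return route_origin_state(route_obj["route"], asn, vrps)


TODAY = date(2024, 2, 12)
SAMPLE_ROAS = [  # constructed
    Roa("192.0.2.0/24", 24, 64500, date(2023, 1, 1), date(2025, 1, 1)),
    # expired: its VRPs vanish, so routes under it become NotFound, not Invalid
    Roa("198.51.100.0/22", 24, 64501, date(2022, 1, 1), date(2023, 12, 31)),
    Roa("203.0.113.0/24", 24, 64502, date(2023, 1, 1), date(2025, 1, 1)),
]


def demo():
    vrps = valid_vrps(SAMPLE_ROAS, TODAY)
    return {
        "expired_roa": roa_state(SAMPLE_ROAS[1], TODAY),
        "route_ok": route_origin_state("192.0.2.0/24", 64500, vrps),
        "route_too_long": route_origin_state("192.0.2.0/25", 64500, vrps),
        "route_wrong_origin": route_origin_state("192.0.2.0/24", 64999, vrps),
        "route_under_expired_roa": route_origin_state("198.51.100.0/24", 64501, vrps),
        "irr_object_bad_origin": irr_route_object_state(
            {"route": "203.0.113.0/24", "origin": "AS64999"}, vrps),
        "irr_object_ok": irr_route_object_state(
            {"route": "203.0.113.0/24", "origin": "AS64502"}, vrps),
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:26s} {state}")
```

The point the expired-ROA case makes: a ROA-invalid object does not make routes Invalid, it removes coverage, so the route falls to NotFound and a "drop Invalid" policy lets it through.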


Re: IRRD & exceptions to RPKI-filtering

2024-02-12 Thread Richard Laager

On 2024-02-12 15:18, Job Snijders via NANOG wrote:

On Mon, Feb 12, 2024 at 04:07:52PM -0500, Geoff Huston wrote:

I was making an observation that the presentation material was
referring to "RPKI-Invalid" while their implementation was using
"ROA-Invalid" There is a difference between these two terms, as I'm
sure you're aware.


I'm sure Job is aware, but I'm not. Anyone want to teach me the difference?

--
Richard



Verizon Business Contact

2024-02-08 Thread Richard Laager

Can someone from Verizon Business please contact me?

It appears that your network is losing traffic from Verizon Wireless 
(e.g. 63.59.39.232, 63.56.37.4, or 63.59.67.68) to me (AS33362, e.g. to 
69.89.207.16). Note that 63.59.166.100 -> 69.89.207.16 was successful 
(around 2023-11-27).


This breaks email between us and it's been MONTHS of VZW getting nowhere.

Based on some traceroutes (on 2023-11-27 and again just now), the 
working ones go through 140.222.234.223 (0.ae10.GW7.CHI13.ALTER.NET) 
while the broken ones stop at 140.222.234.221 (0.ae9.GW7.CHI13.ALTER.NET).


--
Richard Laager
Wikstrom Telephone Company


Re: .US Harbors Prolific Malicious Link Shortening Service

2023-11-02 Thread Richard Holbo
There are LOTS of small business that have .us domains.  I've got several
that just use these domains as well as locality specific things such as
schools or towns that use them rather than the longer ones supplied to
municipal entities.

/rh

On Thu, Nov 2, 2023 at 1:34 PM goemon--- via NANOG  wrote:

>
> https://krebsonsecurity.com/2023/10/us-harbors-prolific-malicious-link-shortening-service/
>
> "The NTIA recently published a proposal that would allow registrars to
> redact all registrant data from WHOIS registration records for .US
> domains. A broad array of industry groups have filed comments opposing the
> proposed changes, saying they threaten to remove the last vestiges of
> accountability for a top-level domain that is already overrun with
> cybercrime activity."
>
> What hope is there when registrars are actively aiding and abeting
> criminal enterprises?
>
> Are there any legitimate services running solely on .us domain names?
>
> -Dan
>


Re: Zayo woes

2023-09-20 Thread Richard Holbo
Laughing out Loud, really, good views all...
Having been through this a few times.. and being one of those who is now
the one of the hated C level guys..
Much truth is spoken here.  EBITA and size are the issues IMHO in our
current system.
Having been the owner of a few "smallish" retail ISPs in the west.. I can
say with certainty that size is an issue.  In the world of today a
small/medium ISP can do OK, but can never access the funds or resources
necessary to actually be a long term survivor.  To that end we look at
sources of money that require us to sell a majority interest in our company
to make it to the next level, that and exhaustion from staying awake nights
wondering how to make next payroll because we spent a couple million on new
gear.
This money seeking then comes with an interview system where we court the
guys with money and they court us.. The outcome is always iffy.  You can
partner with money that has a good plan or one that sucks (done both).
Even if you get good money, you will suffer from culture issues.  Small
ISPs tend to focus on the people and the customers; the larger you get, the
more important the money becomes (EBITA), which for a lot of the employees
is, well, hard.
But staying small in general = extinction, so you do what you do to keep
employees working (at least that's what I tell myself).
Good views all, and I totally agree with Matthew Petach's miracles
statement.. I'm no longer that guy, but I like to think I was in the past,
and I've got a bunch of them working for me now, so I try really hard to
appreciate it and to recognize that that is what is happening. I fight for
the money to do it as right as possible.. but I do depend on you
miracle workers.

/thanks
/rh

On Wed, Sep 20, 2023 at 9:30 AM Matthew Petach 
wrote:

>
>
> On Tue, Sep 19, 2023 at 12:21 PM Mike Hammett  wrote:
>
>> Well sure, and I would like to think (probably mistakenly) that just no
>> one important enough (to the money people) made the money people that these
>> other things are *REQUIRED* to make the deal work.
>>
>> Obviously, people lower on the ladder say it all of the time, but the
>> important enough money people probably don't consider those people
>> important enough to listen to.
>>
>
>
> Not quite.
>
> It's more of what Mark said:
>
> "  I blame this on the success of how well we have built the Internet
> with whatever box and tool we have, as network engineers."
>
> I have worked time and time again with absolute miracle workers in the
> networking field.
> They say over and over again "to make this work, we need $X M to get the
> right hardware", even directly to the CFO.
>
> They get handed a roll of duct tape, some baling wire, a used access point
> and a $25 gift card from Office Depot, and they turn it into a functional
> BGP-speaking backbone, because that's what they're good at.
>
> The CFO and the rest of the executives that said "no" to the request for
> $X M to make the integration work properly pat themselves on the back,
> saying "see, we knew they didn't really NEED that money to make it work."
>
> A year down the line, customers are posting to NANOG wondering why things
> are going to hell in a handbasket at ISP A, as the BGP-speaking access
> point with some duct tape, baling wire, and SFPs purchased from Office
> Depot that ties the two networks together starts failing.
>
> As network engineers, we collectively set ourselves up for this by being
> so damn good at pulling miracles out of our backside to keep things running.
> We've effectively been training our executives that if they habitually
> turn down our requests for resources, we'll still find some way of making
> things work.
>
> We pride ourselves on being able to keep a dozen spinning plates going
> like a circus performer, without letting any of them crash to the floor.
>
> It's a hard thing to do, but one lesson I've taught junior network
> engineers of all ages is that sometimes, you have to step back, and watch a
> plate smash into the floor, *even if you could have rescued it*, if it
> seems like that's the only way your executive team will understand that if
> requests for necessary resources are denied, there will be operational
> impacts.
>
> Now, it's not something you should do lightly, and not something to do
> without first working with the executives to understand why the resource
> request is being denied.
> If you are working at a startup, and the money is running out, and the
> company is one step ahead of the creditors, probably not the time to put
> the foot down and intentionally let things crash and burn.
>
> But if the company is doing well, has the money, and the executives just
> want the numbers to look good for wall street analysts, then it's time to
> pause the miracle working, and help them understand that they cannot simply
> expect you to pull a miracle out of your backside every time, just so they
> can look good.
>
> If we continue to pull off miracles after telling executives 

Re: it's mailman time again

2023-09-02 Thread Richard Porter
Pouring kerosene on fire? *flame me back if warranted*

Voice networks have no POTS left in them? *mostly?* ….

Get Outlook for iOS

From: NANOG  on behalf of 
Randy Bush 
Sent: Saturday, September 2, 2023 4:30:07 PM
To: Jim Popovitch via NANOG 
Subject: Re: it's mailman time again

> Mail in transit is mostly TLS transport these days,

yep.  mostly.  opsec folk are not fond of 'mostly.'

> BUT mail in storage and idle state isn't always secured.  I'm sure
> that most any of us could find a public s3 bucket with an mbox file on
> it if we cared to look.

sigh

randy


Re: Fred Brooks has died

2022-11-18 Thread Richard Porter
Some of us are all getting old (for those that still know what POTS stands for
or remember the 3-volt phone that would stay on when the power went off).

Maybe the NANOG community should put up a digital memorial of the greats we
are losing?

On Fri, Nov 18, 2022 at 5:22 PM Michael Thomas  wrote:

>
> His Mythical Man Month is a must read for anybody even remotely adjacent
> to coding, and frankly it should be read out of that context too.
>
> RIP Fred and thank you, that was one of the most important books I've
> ever read.
>
> Mike
>
>


Re: any dangers of filtering every /24 on full internet table to preserve FIB space ?

2022-10-11 Thread Richard Golodner
The /24 is as small as it will get before it cuts into profits for the tiny bit 
of administration it would take to announce /25, /26. This argument is almost 
as old as my kids. Is it fair or just, probably not, but that's the way the 
consensus seems to want it.

Richard
Richard Golodner
Infratection IT Services

 Original message 
From: William Herrin 
Date: 10/11/22 16:00 (GMT-06:00)
To: Matthew Petach 
Cc: nanog@nanog.org
Subject: Re: any dangers of filtering every /24 on full internet table to preserve FIB space ?

On Tue, Oct 11, 2022 at 1:15 PM Matthew Petach  wrote:
> Wouldn't that same argument mean that every ISP that isn't honoring
> my /26 announcement, but is instead following the covering /24, or /20,
> or whatever sized prefix is equally in the wrong?
>
> What makes /24 boundaries magically "OK" to filter on,

Hi Matthew,

/24 is the consensus filtering level for Internet-wide routes and it 
has been for decades. It became the consensus as a holdover from 
"class C" and remains the consensus because too many people would have 
to cooperate to change it. Indeed, a little over a decade ago some 
folks tried to change it to /19 and then /20 for prefixes outside "the 
swamp" and, well, they failed. Likewise, more than a few folks announce 
/26's to their immediate transit providers and they simply don't move 
very deep into the system -- nobody has any expectation that they will.

> To wrap up--I disagree with your assertion because it depends entirely
> on a 'magic' /24 boundary that makes it OK to filter more specifics smaller
> than it, but not OK to filter larger than that and depend instead on covering
> prefixes, without actually being based on anything concrete in BGP or
> published standards.

Got any better reasons besides disliking the consensus?

Regards,
Bill Herrin

-- 
For hire. https://bill.herrin.us/resume/
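What the subject line asks, worked through prefix by prefix, as an added example that is not part of the thread: drop every IPv4 /24 from a table and see which destinations still have a covering route. The table is constructed sample data (documentation prefixes, private ASNs). The two failure modes a practitioner cares about are a /24 with no covering less-specific (blackholed once dropped) and a /24 whose covering route comes from a different origin AS (traffic silently follows the other origin).

```python
"""Cost of filtering IPv4 /24s out of a full table.
Added example, not from the thread; SAMPLE_TABLE is constructed."""
from ipaddress import ip_network


def covering_route(net, table):
    """Longest-prefix lookup among the routes that remain after filtering:
    walk the supernets from one bit shorter down to /0, first hit wins."""
    for plen in range(net.prefixlen - 1, -1, -1):
        sup = net.supernet(new_prefix=plen)
        if sup in table:
            return sup
    return None


def filter_long_prefixes(table, drop_from=24):
    """table: {ip_network: origin_asn}.  Removes IPv4 prefixes of length
    >= drop_from and reports what that does to reachability."""
    kept = {n: asn for n, asn in table.items()
            if not (n.version == 4 and n.prefixlen >= drop_from)}
    report = {"kept": len(kept), "dropped": 0,
              "blackholed": [], "rerouted_to_other_origin": []}
    for net, asn in table.items():
        if net in kept:
            continue
        report["dropped"] += 1
        cover = covering_route(net, kept)
        if cover is None:
            # nothing less specific remains: the destination disappears
            report["blackholed"].append(str(net))
        elif kept[cover] != asn:
            # reachable, but now via whoever originates the covering route
            report["rerouted_to_other_origin"].append(
                (str(net), asn, str(cover), kept[cover]))
    return report


SAMPLE_TABLE = {  # constructed
    ip_network("192.0.2.0/24"): 64500,       # no covering route: blackholed if dropped
    ip_network("198.51.100.0/22"): 64501,
    ip_network("198.51.100.0/24"): 64501,    # covered by its own origin's /22: safe
    ip_network("203.0.112.0/23"): 64503,
    ip_network("203.0.113.0/24"): 64502,     # covered, but by AS64503's /23
    ip_network("2001:db8::/48"): 64500,      # IPv6 is untouched by an IPv4 /24 filter
}


if __name__ == "__main__":
    for key, value in filter_long_prefixes(SAMPLE_TABLE).items():
        print(f"{key:26s} {value}")
```

Run against a real table export (one prefix and origin per line, parsed into the same dict) the "blackholed" list is the set of customers who only ever announced a /24 with no aggregate behind it.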

RE: FCC proposes higher speed goals (100/20 Mbps) for USF providers

2022-05-29 Thread Richard Irving


I will out an old member of list, not myself, he still runs Old Cisco (ASA 
managed, “fully”, might be debatable) firewall, capable of full duplex 100 Mbs, 
on -both- sides.  (WHOA)
His optic provider gave him a converter between the full optic GigE run into 
his house, and the 100 FD at the ASA. (It was a special deal, free installation
and more reliable than the competitor) (Both were actually =true=, can you 
imagine ?)

He runs a business in his basement that monitors several well known big 
services his business relies upon 24x7x365, for over 25 years.
All interruptions are noticed (within reason) and monitored, logged and alarmed 
accordingly.

He and his wife have raised 2 children through college, (one's on his MBA), his 
retirement business.. -everyone- streams, there is no “cable” per se, he “cut 
the wire” when it was fashionable….
and their children would rather video chat than walk across the room, or go out 
somewhere.

He adores telling me about how salespeople are *constantly* calling him to 
upgrade the service. “Why, we can fit 5GigE down to you now!” said the
salesperson with garish clothes and floppy clown feet. “You just *can’t* live 
without it!” “thump-thump” goes those feet…..

He always asks them for the packet loss ratio on the existing link….. the call 
sorta ends after that.

FWIW, he always starts this story out with a snicker, and some latest and 
greatest gourmet drink..… :-P



Sent from Mail for Windows

From: Mike Hammett via NANOG
Sent: Saturday, May 28, 2022 4:20 PM
To: Aaron Wendel
Cc: nanog@nanog.org
Subject: Re: FCC proposes higher speed goals (100/20 Mbps) for USF providers

Most households have no practical use for more than 25 megs. More is better, 
but let's not just throw money into a fire because of a marketing machine.


-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com

Midwest-IX
http://www.midwest-ix.com


From: "Aaron Wendel" 
To: nanog@nanog.org
Sent: Monday, May 23, 2022 1:49:13 PM
Subject: Re: FCC proposes higher speed goals (100/20 Mbps) for USF providers

The Fiber Broadband Association estimates that the average US household
will need more than a gig within 5 years.  Why not just jump it to a gig
or more?


On 5/23/2022 1:40 PM, Sean Donelan wrote:
>
> https://www.fcc.gov/document/fcc-proposes-higher-speed-goals-small-rural-broadband-providers-0
>
>
> The Federal Communications Commission voted [May 19, 2022] to seek
> comment on a proposal to provide additional universal service support
> to certain rural carriers in exchange for increasing deployment to
> more locations at higher speeds. The proposal would make changes to
> the Alternative Connect America Cost Model (A-CAM) program, with the
> goal of achieving widespread deployment of faster 100/20 Mbps
> broadband service throughout the rural areas served by rural carriers
> currently receiving A-CAM support.
>




fs.com Ethernet switches

2022-04-14 Thread Richard Angeletti
Wondering if anyone on the list has any experiences with fs.com Ethernet
switches that they are willing to share (good or bad)?

We're looking for some cost effective L2 only 10Gb-T switches and their
S58XX switches have come up as a potential option.

Thanks,
Rich


RE: Class D addresses? was: Redploying most of 127/8 as unicast public

2021-11-21 Thread Richard Irving
“In the early to mid 90's it was still a crap shoot of whether IP was
going to win (though it was really the only game in town for non-lan)
but by when I started at Cisco in 1998 it was the clear winner with
broadband starting to roll out”



IP was the clear winner since the Clinton-Gore Initiative of 1991, as we called 
it in 1991. (History records this as the  “Gore Bill”, feel free to Google.) [ 
He invented the Internet, you know!  ] at which time we began prototype 
conversion of non-DOD Government agencies to “The IP Paradigm”, till about 
94-95, when the next phase was rollout to K-12 and Public libraries, as well as 
mainstream ISPs.  This necessitated the birth of the NAPs. These NAPs were 
supposed to be -Private- sector, not Public. Many of us “Riding the Bill” left 
Public sector contracting to Private sector to facilitate this transition. 
(Hence the date of my ARIN-POC, actually just POC, ARIN didn’t exist yet) The 
debate in 95 was not “IP or not IP”, it was “Will your NAP be FDDI like the 
MAE’s, ATM, or even the LINX model of a GIGE switch. (Frame was already fading) 
“ While in private sector there may have been some doubt, the IP Juggernaut was 
well underway in Government by almost half a decade, and as they say “That is 
the sound of inevitability, Neo”, at that point.  IP was as “nailed to the 
wall” early to mid 90’s as Tony Li’s resignation was to his boss's door, at 
Cisco, a year or so, later. However, FWIW, the private sector had yet to hear 
the sound of the train. Many brand protocol loyalists fought IP adoption all the 
way until their favorite brand -adopted- it, so I understand your perspective.

FWIW, I miss being able to fit into my “No 53” Tee Shirt. ☹

Matter of fact, many of us missed the foreshadowing of the “woke” generation 
when we got in trouble for painting cross hairs on a backhoe for a NANOG Tee… 
it got “banned” for “possibly inciting violence against backhoe operators” .

:-*



Sent from Mail for Windows

From: Michael Thomas
Sent: Saturday, November 20, 2021 3:52 PM
To: William Herrin
Cc: nanog@nanog.org
Subject: Re: Class D addresses? was: Redploying most of 127/8 as unicast public


On 11/20/21 12:37 PM, William Herrin wrote:
> On Sat, Nov 20, 2021 at 12:03 PM Michael Thomas  wrote:
>> Was it the politics of ipv6 that
>> this didn't get resolved in the 90's when it was a lot more tractable?
> No, in the '90s we didn't have nearly the basis for looking ahead. We
> might still have invented a new way to use IP addresses that required
> a block that wasn't unicast. It was politics in the 2000's and the
> 2010's, as it is today.

In the early to mid 90's it was still a crap shoot of whether IP was
going to win (though it was really the only game in town for non-lan)
but by when I started at Cisco in 1998 it was the clear winner with
broadband starting to roll out. It was also obvious that v4 address
space was going to run out which of course was the core reason for v6.
So I don't understand why this didn't get done then when it was a *lot*
easier. It sure smacks of politics.

Mike



Re: strange scam? email claiming to be from the fbi

2021-11-15 Thread Richard



> Date: Monday, November 15, 2021 10:14:30 -0500
> From: Christopher Morrow 
>
> https://www.washingtonpost.com/nation/2021/11/14/fbi-hack-email-cyb
> erattack/
> 
> On Mon, Nov 15, 2021, 09:56 Glenn McGurrin wrote:
> 
>> I had a bit of an odd one this morning, I received two emails
>> through contacts listed in whois subject: "Urgent: Threat actor in
>> systems" from "e...@ic.fbi.gov".  I was all set to ignore them as
>> an odd bit of spam but did a quick check on the headers and was
>> surprised to see it had valid dkim and spf and was from an actual
>> FBI IP, cue real worry starting.  Luckily it looks like it was a
>> case of something being hacked on the FBI's end as when calling they
>> immediately knew what I was calling about and said they had dealt
>> with the compromised equipment.  Further googling after that call
>> shows a few more reports of this ex.
>> https://twitter.com/spamhaus/status/1459450061696417792 and

Seems it wasn't an actual "intrusion" [into an fbi email system],
rather simply taking advantage of a very badly configured web site to
send out the messages [from an fbi machine].





Re: DNS hijack?

2021-11-12 Thread Richard



> Date: Thursday, November 11, 2021 13:28:07 -0800
> From: Jeff Shultz 
>
> Okay, so this is anecdotal, but since the domain belongs to me it's
> more than a little annoying.
> 
> I got some calls that one of my domains, 2dpnr.org was going to a
> page that said it was Network Solutions and that my domain was
> available for renew or purchase.
> 
> I hit my registrar, DirectNic, and found I'm good through 2023.
> They pulled up DNS checker and found that a bunch of DNS servers
> were showing 208.91.197.132 as the IP for the domain. It's actually
> in 64.130.197.x .

You have two nameservers listed:

  Domain Name: 2DPNR.ORG

  Name Server: GATEWAY.WVI.COM
  Name Server: VOYAGER.VISER.NET


The second of these is returning the 208.nnn IP number for your
A record:

   dig @VOYAGER.VISER.NET 2dpnr.org

   2dpnr.org. 300 IN A 208.91.197.132

The other one is returning the 64.nnn number.

So, the issue is somewhere in your dns.
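The check made by hand above (ask each authoritative server directly and compare), as an added example that is not part of the post. The comparison logic runs offline on constructed dig-style output with documentation names and addresses; the live helper shells out to `dig`, which is assumed to be installed and reachable, and is not what the sample exercises.

```python
"""Do a domain's authoritative servers agree?  Added example, not from the
thread; SAMPLE_DIG_OUTPUT is constructed to mirror the shape of the two
dig answers quoted above."""
import subprocess
from collections import defaultdict


def parse_dig_answer(text):
    """Turn presentation-format RRs ('name TTL IN TYPE rdata') into a set of
    (name, type, rdata).  The TTL is dropped on purpose: a counting-down TTL
    is not a disagreement, a different rdata is."""
    rrs = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[2] == "IN":
            name, _ttl, _cls, rtype, *rdata = parts
            rrs.add((name.lower(), rtype, " ".join(rdata)))
    return frozenset(rrs)


def find_disagreements(answers_by_ns):
    """answers_by_ns: {nameserver: frozenset(rrs)}.
    Returns {rrset: [nameservers serving it]} when more than one distinct
    rrset is being served; an empty dict means every server agrees."""
    groups = defaultdict(list)
    for ns, rrset in answers_by_ns.items():
        groups[frozenset(rrset)].append(ns)
    return dict(groups) if len(groups) > 1 else {}


def disagreements_from_dig(outputs):
    return find_disagreements({ns: parse_dig_answer(t) for ns, t in outputs.items()})


def query_authoritative(domain, nameservers, rrtype="A"):
    """Live version (needs dig and network): ask each listed server itself,
    with recursion off so a cache somewhere cannot mask the difference."""
    out = {}
    for ns in nameservers:
        res = subprocess.run(
            ["dig", "+noall", "+answer", "+norecurse", f"@{ns}", domain, rrtype],
            capture_output=True, text=True, timeout=10, check=False)
        out[ns] = res.stdout
    return out


SAMPLE_DIG_OUTPUT = {  # constructed: ns2 serves a different A record
    "ns1.example.net.": "example.com.\t300\tIN\tA\t192.0.2.10\n",
    "ns2.example.net.": "example.com.\t300\tIN\tA\t198.51.100.20\n",
    "ns3.example.net.": "example.com.\t120\tIN\tA\t192.0.2.10\n",  # same data, other TTL
}


if __name__ == "__main__":
    for rrset, servers in disagreements_from_dig(SAMPLE_DIG_OUTPUT).items():
        print(sorted(rrset), "<-", servers)
```

For a real domain, feed `query_authoritative(domain, [ns for each NS record])` into `find_disagreements` via `parse_dig_answer`; the server that stands alone in the result is the one to go and look at.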





Re: EMail server gets blocked by Microsoft

2021-04-27 Thread Richard



> Date: Tuesday, April 27, 2021 09:35:35 +0200
> From: Dominque Roux 
>
> is there anyone out there who has some experience with the blocking
> mechanism of Microsofts mail server? We're running a mail server at
> our company which ends up on their blacklist from time to time and
> we're wondering if there are some steps we could take in order to
> prevent this.

You may want to join the mailop mailing list:

   List-Archive: 
   List-Post: 
   List-Subscribe: ,


and ask there as it seems more applicable to that list, and is a
common topic of discussion there.




Re: Famous operational issues

2021-02-16 Thread Richard Golodner
That was the one with the most severe impact for my company. Seven Frame 
Circuits (UUNET) and we all saw what an update can do


On 2/16/21 3:28 PM, Sean Donelan wrote:

Since you said operational issues, instead of just outage...

How about MCI Worldcom's 10-day operational disaster in 1999.


http://www.cnn.com/TECH/computing/9908/23/network.nono.idg/
How not to handle a network outage

[...]
MCI WorldCom issued an alert to its sales force, which was given the 
option to deliver a notice to customers by e-mail, hand delivery or 
telephone – or not at all. After a deafening silence from company 
executives on the 10-day network outage, MCI WorldCom CEO Bernie 
Ebbers finally took the podium to discuss the situation. How did he 
explain the failure, and reassure customers that the network would not 
suffer such a failure in the future? He didn't. Instead, he blamed 
Lucent.

[...]


Re: Parler

2021-01-10 Thread Richard Porter
On Sun, Jan 10, 2021 at 4:58 PM Jay Hennigan  wrote:

> On 1/10/21 13:50, Rod Beck wrote:
>
> > As a big fan of the 1st amendment, but someone deeply appalled by the
> > riot last week and keenly aware of how social media are letting the mud
> > to the surface, I am very perplexed how to reconcile free speech and the
> > garbage flowing through our social streets.
>
> The first amendment deals with the government passing laws restricting
> freedom of speech. It has nothing to do with to whom AWS chooses to sell
> their services. It is also not absolute (fire, crowded theater, etc.)
>
> Has anyone seen a rabbit? We've traveled quite a way down the rabbit hole.
>
A civil discourse filled rabbit hole, and I am happy to have gone down it.

Lost is the art of Civil Discourse sometimes, at least not here?

>
> --
> Jay Hennigan - j...@west.net
> Network Engineering - CCIE #7880
> 503 897-8550 - WB6RDV
>


Re: Parler

2021-01-10 Thread Richard Porter
From a business perspective, this clearly helps us understand the risk of a
single point of failure. Basic ORM tells us what the damage is if it occurs,
how likely it is to occur, and then accept, mitigate or transfer.

For example in another life, I was responsible for the 'last mile' for a
private city which included fiber in the road. We started to look at pop
diversity (small private city that was near 2 pops, rare but happens).
Instead we went with a pre negotiated contract with our fiber provider and
accepted a 24 hour outage knowing that our Fiber provider was on emergency
stand by if needed. They'd roll a truck and would have us back up within 24
hours (likely faster). The risk process included "How often do we have an
actual fiber cut in the road." It had happened in the past, but the private
city owned the roads and road crew, so new communications procedures were
put in place and it had not happened since.

I agree with Bill. This is a business problem.

On Sun, Jan 10, 2021 at 11:39 AM William Herrin  wrote:

> On Sun, Jan 10, 2021 at 5:43 AM Mike Bolitho 
> wrote:
> > Can we please not go down this rabbit hole on here? List admins?
>
> Hi Mike,
>
> While there's certainly an opportunity to get political, there are
> some obviously apolitical issues worth discussing here as well.
>
> First, this would appear to be an illustration of the single-vendor
> problem. You don't have a credible continuity of operations plan if a
> termination by a single vendor can take you and keep you offline. It's
> the single point of failure that otherwise intelligent system
> architects fail to consider and address. But more than that, cloud
> providers like Amazon tend to make it inconvenient approaching
> impossible to build cross-platform services. I kinda wonder what a
> cloud services product would look like that was actively trying to
> facilitate cross-platform construction?
>
> Second, Amazon strongly encourages customers to build use of its
> proprietary services and APIs into the core of the customer's product.
> That's quite devastating when there's a need to change vendors.
> Parler's CEO described Amazon's action as requiring them to "rebuild
> from scratch," so I wonder just how tightly tied to such Amazon APIs
> they actually are. And if there isn't a lesson there for the rest of
> us.
>
> These two issues, at least, are technical in nature and on topic for
> this forum. You may choose not to discuss them if they don't interest
> you, of course.
>
> Regards,
> Bill Herrin
>
>
> --
> Hire me! https://bill.herrin.us/resume/
>


Re: WhatsApp's New Policy Has...

2021-01-08 Thread Richard Porter
Thanks Dave,
I missed that... *he says as he deletes Keybase*

On Fri, Jan 8, 2021 at 1:36 PM Dave Phelps  wrote:

> Keybase was purchased by Zoom (
> https://www.cnbc.com/2020/05/07/zoom-buys-keybase-in-first-deal-as-part-of-plan-to-fix-security.html).
> From what I've gathered, Zoom is too tight with, owned by, or run by China,
> so I believe there was a similar mass exodus from Keybase for lack of trust.
>
> On Fri, Jan 8, 2021 at 1:17 PM Richard Porter 
> wrote:
>
>> Has anyone considered or used Keybase?
>>
>> On Fri, Jan 8, 2021 at 1:14 PM Mark Tinka  wrote:
>>
>>>
>>>
>>> On 1/8/21 19:26, Drew Weaver wrote:
>>>
>>> > This might be anecdotal but there is a ton of debate about whether or
>>> not Telegram is encrypted.
>>> >
>>> > This is not anecdotal though, on Wednesday night I saw an interview
>>> with a security expert on CNBC and he indicated that they knew that the
>>> riots in DC were going to happen because they had been "monitoring the
>>> extremists Telegram groups". What they didn't say was whether or not they
>>> were simply members of those groups, or monitoring from a
>>> "networking/technology" sense. I'm not sure if Signal does groups the same
>>> way that Telegram does but that one is widely believed to be much better
>>> than Telegram as far as privacy and security.
>>> >
>>> > Telegram is a tremendously useful (and free service) for connecting to
>>> Elastalert for all manner of notifications, but we have since moved to
>>> Teams for that just because we can't really be sure what is going on under
>>> the hood with Telegram.
>>> >
>>> > Just some things that I have observed, not trying to start a holy war.
>>>
>>> My rudimentary understanding of Telegram is that group messages are
>>> client-server, which is why new members can read old posts when they
>>> join a group.
>>>
>>> Signal, on the other hand, is p2p for members within the group. No
>>> messages are ever sent to their cloud.
>>>
>>> Mark.
>>>
>>


Re: WhatsApp's New Policy Has...

2021-01-08 Thread Richard Porter
Has anyone considered or used Keybase?

On Fri, Jan 8, 2021 at 1:14 PM Mark Tinka  wrote:

>
>
> On 1/8/21 19:26, Drew Weaver wrote:
>
> > This might be anecdotal but there is a ton of debate about whether or
> not Telegram is encrypted.
> >
> > This is not anecdotal though, on Wednesday night I saw an interview with
> a security expert on CNBC and he indicated that they knew that the riots in
> DC were going to happen because they had been "monitoring the extremists
> Telegram groups". What they didn't say was whether or not they were simply
> members of those groups, or monitoring from a "networking/technology"
> sense. I'm not sure if Signal does groups the same way that Telegram does
> but that one is widely believed to be much better than Telegram as far as
> privacy and security.
> >
> > Telegram is a tremendously useful (and free service) for connecting to
> Elastalert for all manner of notifications, but we have since moved to
> Teams for that just because we can't really be sure what is going on under
> the hood with Telegram.
> >
> > Just some things that I have observed, not trying to start a holy war.
>
> My rudimentary understanding of Telegram is that group messages are
> client-server, which is why new members can read old posts when they
> join a group.
>
> Signal, on the other hand, is p2p for members within the group. No
> messages are ever sent to their cloud.
>
> Mark.
>


Re: NDAA passed: Internet and Online Streaming Services Emergency Alert Study

2021-01-04 Thread Richard Porter
On Mon, Jan 4, 2021 at 10:25 PM Chris Adams  wrote:

> Once upon a time, Billy Crook  said:
> > On a technical note (having read the comment about overloading the
> system)
> > could a system like DNS help handle this?
>
> I wouldn't think so, because some of the important alerts are very time
> sensitive.  It's been mentioned several times in this thread that the
> earthquake alerts are on the order of 10 seconds in advance.  I know
> someone that survived a tornado by a few seconds (the time it took to
> get out of bed and get to the bedroom door as the tornado dropped the
> second floor of the house on the bed).
>
4G/LTE/5G networks could be further leveraged for this. In Denton County,
TX, USA, you can register to "opt in" to receive weather alerts. We get
tornadoes here. I could see better leveraging of that technology than
streaming services. It is uncommon to find anyone without a cell phone in
the US anymore.

EMS services in some states leverage private 3G/4G networks for real-time
communications. Wider reach in population clusters.


> To be useful for the worst events, they need to be push, and push in
> very short order.  And since those are the alerts most likely to be
> life-saving, those are what the system needs to be built for (or what's
> the point).
>
> And to the point of the weather service sending out more alerts than in
> the past: yes, they do.  To some extent, it's better radars and software
> to find hazards; they're also learning all the time to better identify
> what is and is not a threat (so there are storms that might have had a
> warning 10 years ago that might not today).  But I'll take extra alerts
> now and then... a friend died in a tornado years ago because the warning
> came after it was on the ground (and probably after they were dead).
>
> --
> Chris Adams 
>


Re: NDAA passed: Internet and Online Streaming Services Emergency Alert Study

2021-01-04 Thread Richard Porter
Comment inline

On Mon, Jan 4, 2021 at 5:32 PM J. Hellenthal via NANOG 
wrote:

> Comment inline
>
> --
>  J. Hellenthal
>
> The fact that there's a highway to Hell but only a stairway to Heaven says
> a lot about anticipated traffic volume.
>
> > On Jan 4, 2021, at 14:35, b...@theworld.com wrote:
> >
> > 
> > Why wouldn't we just build this into 10-year battery smoke alarms, a
> > simple radio receiver?
>
> Someone contact  gentex.com to go over the IoT thoughts.
>
Whatever could go wrong with putting *MORE* critical things on the internet
*Sarcasm REALLY intended here*? The Video Game *Cyberpunk 2077* seems kinda
prophetic?

Let us not forget the Hawaii incident from human error.

https://www.hawaiinewsnow.com/story/37260138/watch-gov-david-ige-on-what-triggered-ballistic-missile-false-alarm/

I think the internet ship sailed with RFC 1 ;)

>
>
> >
> > Why does anyone think this must be a feature of the internet when, as
> > people here have described, that entails all sorts of complexities.
> >
> > You just want something that goes BEEP-BEEP-BEEP KISS YOUR ASS
> > GOODBYE! BEEP BEEP BEEP really loudly on command, perhaps with some
> > more detail.
> >
> > Probably about 10c in circuitry involved.
> >
> > We're really getting way into the cargo cult worship of the internet
> > much like how TV in the 1950s was supposed to be the answer to every
> > one of society's problems but mostly what we got were sitcoms and ads
> > for bad beer.
> >
> > Ok, proceed with the list of edge cases. But at least there are laws
> > requiring smoke alarms most everywhere.
> >
> > --
> >-Barry Shein
> >
> > Software Tool & Die| b...@theworld.com |
> http://www.TheWorld.com
> > Purveyors to the Trade | Voice: +1 617-STD-WRLD   | 800-THE-WRLD
> > The World: Since 1989  | A Public Information Utility | *oo*
>


Re: Orange : Propagating Bogus Saudi Telecom Announcement

2020-08-24 Thread Richard Porter
https://twitter.com/millionaire_xrp/status/1297952306357567488?s=10

Related? reports of outages at Chase?

On Mon, Aug 24, 2020 at 2:13 PM Tom Beecher  wrote:

> Saudi Telecom ( AS 39386 ) is currently announcing Equinix NY9's IX
> prefix, and Orange is gladly sharing that for the world to see.
>
> Zayo : You might want to not be using that either when you're directly
> connected to that exchange. :)
>
> *Router:* New York, NY
> *Command:* show route protocol bgp table inet.0 198.32.118.0/24 terse
> exact
>
>
> inet.0: 833301 destinations, 5821043 routes (833250 active, 16 holddown, 88 
> hidden)
> + = Active Route, - = Last Active, * = Both
> A V DestinationP Prf   Metric 1   Metric 2  Next hopAS path
> * ? 198.32.118.0/24B 170100 4294967294  5511 
> 39386 39386 39386 39386 I
>   unverified   >64.125.29.222
> 64.125.29.220
>   ?B 170100 4294967294  5511 
> 39386 39386 39386 39386 I
>   unverified   >64.125.29.222
> 64.125.29.220
>   ?B 170100 4294967294  5511 
> 39386 39386 39386 39386 I
>   unverified   >64.125.29.220
> 64.125.29.222
>   ?B 170100 4294967294  5511 
> 39386 39386 39386 39386 I
>   unverified   >64.125.29.220
> 64.125.29.222
>   ?B 170100 4294967294  5511 
> 39386 39386 39386 39386 I
>   unverified   >64.125.29.220
> 64.125.29.222
> {master}
>
>


Re: RIPE NCC Executive Board election

2020-05-13 Thread Richard
Can you please let it go? Or even better go some place else ?

I am sure many thank you.

On 5/13/20 9:20 PM, Elad Cohen wrote:
> 
> /This is the second time I’ve seen you make this claim in public. I
> see nothing in the slide deck you linked which claims they are illegal./
> 
> According to their private presentation in the following link - they
> receive on a regular basis private data from their contacts in
> internet companies and internet organizations in illegal way - and
> then they share it with Law Enforcement Agencies in illegal way
> (without any warrant).
>
> https://www.scribd.com/document/445894312/Spamhaus-Illegal-Private-Data-Violation
>
>
>
> 
> /Nor does it say that they are anonymous, in fact, the CIO’s name
> (Richard D G Cox) is prominently displayed on the title slide./
> 
> Spamhaus using fake names such as "Mike Anderson", "Rob Shultz",
> "Thomas Morrison", "Pete Dewas" - is a fact.
> Richard D G Cox name is displayed in the presentation - because it was
> a private presentation that was displayed in a private event and they
> never knew that it will become public.
>
>
>
> 
> /I seriously doubt that if they were truly the criminals you say they
> are, they would be permitted to name the FBI as a partner on their
> website: https://www.spamhaus.org/organization//
> 
> They are helping Law Enforcement Agencies on a regular basis and in
> very high volume according to their own presentation (by sharing with
> them all the illegally-obtained privacy data) - so Law Enforcement
> Agencies look the other way.
>
>
>
> 
> /I also sincerely doubt that if they were criminals, as you state,
> that they would be admitted as members, let alone receive awards from
> the National Cyber-Forensics and Training Alliance./
> 
> Some of the employees of Spamhaus are past members of Law Enforcement
> Agencies, such as Andrew Fried (from deteque.com - owned by Spamhaus)
> - which was a former special agent in USA government before hopped to
> his new job at Spamhaus. They are connected to the Law Enforcement
> Agencies in the Western world.
>
>
>
> 
> /Indeed, ISPA has also presented them with an “Internet Hero Award”./
> 
> Yes, they help Law Enforcement Agencies, but in illegal way.
>
>
>
> 
> /Frankly, when it comes to the issues of criminality, I think Spamhaus
> has significantly more credibility than you do./
> 
> Thank you for keep taking part in the illegal cyber influence
> operation. I dislike the word "credibility" - I like the words facts
> and data. Facts and data are booleans and don't let imbeciles like you
> are to have an opinion, please relate to facts and to data.
>
>
>
> 
> /That’s an awfully strange interpretation of (presumably):
> /
> /“Spamhaus holds a lot of information provided in confidence by
> industry players — on the understanding that it can be made available
> to LEAs where needed.”
> /
> 
> confidence means illegal unless you are an imbecile, industry players
> means internet companies and internet organizations, "on the
> understanding" - meaning that their contacts that shared with them the
> mass privacy data know that this data can be available to LEAs without
> any warrant "where needed".
>
>
>
> 
> /Uh, sure, and I’m the Prince of Whales./
> 
> Ronald doesn't deny it, so you are denying it for him?
>
>
>
> 
> /At this point, the best you’ve got on this list is an a-said/b-said
> with no public evidence on either side. In such a case, it boils down
> to credibility and frankly, IMHO, yours is lacking./
> 
> Yours is lacking. You are asking from me to share with you private
> business documents publicly ? who are you ?
>
>
>
> 
> /Quote 1 might be bad style on RFG’s part, but style and eloquence
> have never been his strong suits./
> 
> People that cover up racism are worse than racists.
>
>
>
> 
> /a meticulous researcher and brutally honest/
> 
> Proofs ? Facts ? Data ? Ever heard of any of these ? instead of
> mumbling here that Coconut Guilmette is a meticulous researcher and
> brutally honest.
>
> Here just one note on his "honesty", Coconut Guilmette wrote here in
> Nanog the text in the following link:
>
> https://imgur.com/xWSq3g3
>
> I was never contacted by CoCT like he wrote nor anyone else was
> contacted, he lied to you all, not only that - but internal
> correspondences of CoCT prove the complete opposite of what he wrote -
> Alister of CoCT explained to Coconut Guilmette in his imagination what
> he wrote there - 

StreetNode MIB

2020-05-13 Thread Richard Basque
I inherited a network with a handful of Intracom Telecom StreetNode 60ghz
Point to Point Links. I am having a difficult time locating the MIB files
for these units, anyone know where I might be able to find them?

Thanks


CBS Geolocation

2019-12-04 Thread Richard Laager
Does anyone have a contact at CBS, or know which geolocation service
they use for cbs.com TV streaming? CBS has recently started
mis-geolocating us as being in Canada.

-- 
Richard


Re: Recommended DDoS mitigation appliance?

2019-11-17 Thread Richard
I would say you are making some assumptions that are not fact based. The
OP is very knowledgeable and would not mince words or waste bandwidth.
Let us see what he has to say in regards to your remarks. He will be
able to make this more clear once he has read what people have stated in
other responses.

Respectfully, of course, Richard Golodner

On 11/17/19 8:12 PM, Töma Gavrichenkov wrote:
> Peace,
>
> On Mon, Nov 18, 2019, 1:49 AM Rabbi Rob Thomas  wrote:
>
> > I am going to assume you want it to spit out 10G clean, what size
> > dirty traffic are you expecting it to handle?
>
> Great question!  Let's say between 6Gbps and 8Gbps dirty.
>
>
> As someone making a living as a DDoS mitigation engineer for the last
> 10 years (minus 1 month) I should say your threat model is sort of
> unusual.  Potential miscreants today should be assumed to have much
> more to show you even on a daily basis.
>
> Is it like you also have something filtering upstream for you, e.g.
> flowspec-enabled peers?
>
> --
> Töma
>


Moving DoD traffic...

2019-11-04 Thread Richard
My routing experience has to treat these as bogons unless you really
need to be routing DoD space which is not so common. A lot of entities
have used this space to carry their b.s..

As another frequent poster writes, YMMV.

From experience, Richard Golodner

On 11/4/19 9:56 PM, Grant Taylor via NANOG wrote:
> On 11/4/19 1:55 AM, Chris Knipe wrote:
>> We are experiencing a situation with a 3rd party (direct peer),
>> wanting to advertise DoD address space to us, and we need to confirm
>> whether they are allowed to do so or not.
>
> That sounds like someone is squatting on DoD IP space, likely for
> something like CGN and (hopefully inadvertently) wanting to advertise
> it to you.
>
> This thread got me to wondering, is there any legitimate reason to see
> 22/8 on the public Internet?  Or would it be okay to treat 22/8 like a
> Bogon and drop it at the network edge?
>
>
>


Re: DARAZ.COM.BD

2019-09-20 Thread Richard Porter
"Ham eggs bacon and spam?" - MP

Could not resist MUST ... Sing ... SONG!

On Fri, Sep 20, 2019 at 10:26 AM Mike Hale 
wrote:

> Lovely Spam! Wonderful Spam!
> Lovely Spam! Wonderful Spam
>
> On Fri, Sep 20, 2019, 7:50 AM Mel Beckman  wrote:
>
>> Maybe email them directly? Posting to the list just gets us all more
>> spam.
>>
>> -mel via cell
>>
>> > On Sep 20, 2019, at 5:47 AM, Jared Mauch  wrote:
>> >
>> > Can you please turn off your salesforce/autoresponder to nanog posts
>> please?
>> >
>> > - jared
>>
>


Elad Cohen, show us!

2019-09-18 Thread Richard
Mr. Guilmette, my curiosity has now been increased as I notice Cogent is
no longer supplying routing for the /16's you have spoken of. It
certainly would be nice to see Mr. Cohen demonstrate proof of legitimate
ownership. I have never seen Cogent behave in this manner unless there
really is some nefarious activity in regards to the blocks in question.
Please Mr. Cohen, stand up and demonstrate how you obtained so much
valuable v4 space.

Richard Golodner

Infratection IT Services

On 9/18/19 4:52 PM, Ronald F. Guilmette wrote:
> In message 
>  ROD.OUTLOOK.COM>, Elad Cohen  wrote:
>
>> Please see the following link:
>>
>> https://afrinic.net/resource-certification
>>
>> As you can see, a MyAFRINIC account is required.
>>
>> Yes, route objects for legacy AFRINIC resources in their RIR operated IRRDB
>> as a fallback for RPKI can be created and they were created by us.
>
> What Mr. Cohen continues to dance around is the inconvenient truth that
> even if he had an AFRINIC account, this would neither help nor explain
> his thefts of the several AFRINIC -and- APNIC region blocks that I have
> already listed here.
>
> RIPE Routing History reveals the truth, for anyone who wishes to consult
> that historical data, and I also have plenty of saved traceroutes for
> each of those APNIC blocks, as well as all of the others that Mr. Cohen
> stole from the AFRINIC region.
>
> Those were all helpfully routed, until quite recently, to Mr. Cohen, and
> by Mr. Cohen's dear friends at FDCServers and Cogent.
>
> Come now Mr. Cohen, please do tell us who you paid for rights to the
> 168.198.0.0/16 block, which belongs to the Australian government, and
> which your pals at Cogent and FDCServers were routing to you until
> quite recently.  Who did you pay and how much did you pay for your
> "rights" to the City of Cape Town's 165.25.0.0/16 block?
>
> It's OK.  No need to be shy.  Show us your sales receipts for those
> blocks please!  We could all use a good laugh today.
>
> Alternatively, if you can't or won't show us that, then at least have the
> decency to admit that you're a liar, a fraud, and a con man, and that
> until I caught you, you were stealing all of the IPv4 space that wasn't
> nailed down in both the AFRINIC region and the APNIC region.
>
> Did you seriously think that you could get away with all this and that
> nobody would even notice?  If so, then you're even dumber than you look
> in all of the online pictures of you I've seen.
>
>
> Regards,
> rfg
>
>


Re: really amazon?

2019-07-31 Thread Richard Williams via NANOG
To contact AWS SES about spam or abuse the correct email address is
ab...@amazonaws.com

On Wednesday, July 31, 2019, 9:53:59 AM EDT, Rich Kulawiec  wrote:

> Yes, this is egregious, but on the other hand even when the abuse
> reporting mechanisms are working my experience has been that they
> emit no response (other than -- maybe -- boilerplate) and take no
> action, so it's not terribly surprising.
>
> ---rsk

Re: Spamming of NANOG list members

2019-05-31 Thread Richard
On 5/31/19 8:07 PM, Niels Bakker wrote:
> * br...@shout.net (Bryan Holloway) [Sat 01 Jun 2019, 01:54 CEST]:
>> Anybody else noticed a significant uptick in these e-mails?
>>
>> When I first saw this thread, I hadn't seen any. A couple days later,
>> I got my first one. (yay!) Now I'm getting 2-3 a day. (yay?)
>
> Yes.  It's pretty annoying.  And somebody seems to be burning through
> a lot of stolen credentials.  I wonder what the success rate is...
>
>
> -- Niels.
>
>
    I am getting several a day as well as an ugly MS Word-based trojan.

    They come to me from all over the world with the subject line:

    "NANOG Payment Remittance Advice"

    I agree with Niels, someone or some spamming outfit is burning
through quite a bit of stolen credentials.

    Richard Golodner

    Infratection



Re: PSA: change your fedex.com account logins

2019-05-31 Thread Richard



> Date: Friday, May 31, 2019 08:04:13 -0400
> From: Jason Kuehl 
> Is it possible, yes. I've seen it several times now at my place of
> work. Targeted attacks are a thing.
> 
>> > 
>> > Dan Hollis wrote:
>> > 
>> > Phishing scheme didn't happen.
>> > 
>> > fedex has had a number of major compromises so it's not a
>> > stretch that their user database was stolen and sold to spammers.
>> > 

When I have looked into this type of issue for my unique addressing
some did trace back to back-end db hacks (e.g., adobe), but I found
that the most likely culprit was the 3rd-party bulk mailer that
handled the organization's marketing mail. It could be a non-zeroed
disk thrown into the trash or an inside job, but it almost always
traced back to one or two bulk mailing companies. 




Re: Spamming of NANOG list members

2019-05-23 Thread Richard
On 5/23/19 4:16 PM, Matt Harris wrote:
> On Thu, May 23, 2019 at 4:13 PM Hansen, Christoffer  wrote:
>
> Appreciate the warning!
>
> On 23/05/2019 19:46, Valerie Wittkop wrote:
> > These messages are not flowing through NANOG servers, nor using
> the NANOG domain. They are not messages coming from the NANOG
> organization. Please be aware if you receive a message matching
> this description and always make sure to scan attachments for a virus.
>
> The one I received looked like this:
>
> > From: "NANOG" <serv...@cegips.pl>
>
> ...
>
> Has it been considered switching to "-all", instead of only "~all" in
> the spf record?
>
> > $ dig +short +nocmd +nocomments TXT nanog.org
> > "v=spf1 include:_spf.google.com ip4:104.20.199.50 ip4:104.20.198.50
> > ip4:50.31.151.75 ip4:50.31.151.76 ip6:2001:1838:2001:8::19
> > ip6:2001:1838:2001:8::20 ip6:2400:cb00:2048:1::6814:c632
> > ip6:2400:cb00:2048:1::6814:c732 ~all"
>
>         -Christoffer
>
>
> The SPF record wouldn't make a difference since that email was sent
> from @cegips.pl, not from @nanog.org.  You'd have to change the SPF
> record for the cegips.pl domain to impact their ability to send
> from that address.
>
The one I received was from rainphil.com and came with an ugly Trojan
attached as a PDF.

Has anyone else received this type or am I just fortunate?

Richard Golodner
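To make Matt's point concrete, here is a cut-down SPF evaluator, added as an example and not code from anyone in the thread: the record consulted is the one for the envelope MAIL FROM domain, so nanog.org's "~all" versus "-all" has no bearing on a message sent as @cegips.pl. It handles only ip4/ip6/include/all, and DNS is replaced by a constructed table (the nanog.org record is the one quoted above; the _spf.google.com entry is a made-up placeholder).

```python
"""Minimal SPF evaluator (added example). Only the ip4/ip6/include/all
mechanisms are implemented; TXT lookups come from the constructed table
below so the example runs offline."""
import ipaddress

# Constructed stand-in for DNS. nanog.org is the record quoted in the thread;
# _spf.google.com is a placeholder (the real one chains further includes);
# cegips.pl deliberately has no entry, i.e. publishes no SPF policy.
SPF_RECORDS = {
    "nanog.org": (
        "v=spf1 include:_spf.google.com ip4:104.20.199.50 ip4:104.20.198.50 "
        "ip4:50.31.151.75 ip4:50.31.151.76 ip6:2001:1838:2001:8::19 "
        "ip6:2001:1838:2001:8::20 ip6:2400:cb00:2048:1::6814:c632 "
        "ip6:2400:cb00:2048:1::6814:c732 ~all"
    ),
    "_spf.google.com": "v=spf1 ip4:192.0.2.0/24 -all",  # constructed
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_host(ip, domain, records=SPF_RECORDS, depth=0):
    """Cut-down RFC 7208 check_host(): SPF result for the connecting IP and
    the domain taken from the envelope MAIL FROM."""
    if depth > 10:                       # RFC 7208 bound on include recursion
        return "permerror"
    record = records.get(domain.lower())
    if record is None:
        return "none"                    # the domain publishes no SPF policy
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"                  # a bare mechanism means "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == net.version and addr in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            # include matches when the referenced domain's policy passes
            if check_host(ip, arg, records, depth + 1) == "pass":
                return QUALIFIERS[qualifier]
        else:
            return "permerror"           # a/mx/ptr/exists are not implemented
    return "neutral"                     # no "all" term: default result


def with_hard_fail(record):
    """The hardened form Christoffer asks about: trailing "~all" -> "-all"."""
    terms = record.split()
    if terms and terms[-1].lower() == "~all":
        terms[-1] = "-all"
    return " ".join(terms)


def spf_for_message(mail_from, client_ip, records=SPF_RECORDS):
    """(domain actually checked, SPF result) for an envelope sender and IP."""
    domain = mail_from.rsplit("@", 1)[-1].lower()
    return domain, check_host(client_ip, domain, records)


if __name__ == "__main__":
    hardened = {**SPF_RECORDS,
                "nanog.org": with_hard_fail(SPF_RECORDS["nanog.org"])}
    rogue_ip = "198.51.100.7"            # constructed: matches no mechanism
    for recs, label in ((SPF_RECORDS, "~all"), (hardened, "-all")):
        for sender in ("list@nanog.org", "someone@cegips.pl"):
            print(label, sender, spf_for_message(sender, rogue_ip, recs))
```

Switching nanog.org to "-all" turns the rogue IP's result from softfail to fail for mail claiming @nanog.org, while the @cegips.pl message gets "none" either way.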





Re: plaintext email?

2019-01-14 Thread Richard


On 1/14/19 11:40 PM, valdis.kletni...@vt.edu wrote:
> And if people trimmed the
> quoted material so only the parts being replied to are left, there's not much
> digging involved.

    That would really be nice, but people are inherently lazy and will
not invest the few seconds to make reading easier.

    I know if I see a bunch of quotes I am more inclined to delete the
email than read it. Port 26...



CAT-TP Protocol?

2019-01-14 Thread Richard
    If anyone can confirm my suspicion of what CAT-TP is I would be
grateful. It is the first time I have seen it on a customer's network. I
think it is for manipulating SIM cards, but I have been mistaken before.
Off list replies are fine.

    Thanks, Richard Golodner



Enough port 26 talk...

2019-01-12 Thread Richard
What Jason said in red.

On 1/12/19 6:07 PM, Jason Hellenthal via NANOG wrote:
> Honestly, you feel very highly of your work in which any of us do in
> this field but John has a very good point and constructive criticism
> should not be the downfall of anyone. Read it 100 times without
> taking any thought of your own work and try to see the whole picture.
>
> Not agreeing with John or you but it is very straight forward and
> industry leading. It’s polite. I would feel the proper response from
> you would be to acknowledge the feedback and ask for some correction
> and guidance as John has had a lot of involvement here as so many others. 
>
> He is not saying what you are doing is bad or such but more of
> guidance in a more proper direction so delusions are not set in the
> future.
>
> The whole picture of any outcome is not only had by just one person
> trying to make a difference but by the whole for a greater good for
> which makes sense for the current architectures and policies that are
> in place.
>
> I salute both you and John plus the community at which contribute
> highly valuable aspects to evolving “our” best practices and judgements.
>
> Whether it’s positive or negative or proof of concept, it is how we
> get to where we “think” we should be.
>
> Criticism is how we get there regardless.
>
> Let’s cut out the other non-sense and discontinue this thread and work
> positively instead of against one-another. 
>
> -- 
>  J. Hellenthal
>
> The fact that there's a highway to Hell but only a stairway to Heaven
> says a lot about anticipated traffic volume.
>
> On Jan 12, 2019, at 17:26, Cummings, Chris  > wrote:
>
>> Can we please have a mod step in and shut this thread down? Any
>> conversation of value is long gone. 
>>
>> /Chris
>>
>>
>>
>> On Sat, Jan 12, 2019 at 5:25 PM -0600, "Viruthagiri Thirumavalavan"
>> mailto:g...@dombox.org>> wrote:
>>
>> I don't know why you are all try to defend a man who try to
>> silence my work.
>>
>> Are you saying this thread is necessary?
>>
>> On Sun, Jan 13, 2019 at 4:46 AM Töma Gavrichenkov
>> mailto:xima...@gmail.com>> wrote:
>>
>> On Sun, Jan 13, 2019 at 12:51 AM Viruthagiri Thirumavalavan
>> mailto:g...@dombox.org>> wrote:
>> > 5 months back I posted my spam research on DMARC list.
>> > You have gone through only 50 words and judged my work.
>> > The whole thread gone haywire because of you. I was
>> > humiliated there and left.
>>
>> By the way, since that you've left no traces of whatever
>> piece of work
>> you've posted to that list. The website is empty, slides are
>> removed
>> from Speakerdeck, etc.
>>
>> In theory, I can easily recall a few cases in my life when going
>> through just 50 words was quite enough for a judgment.
>>
>> > To be very honest, I don't like you.
>>
>> Please keep our busy mailing list out of this information,
>> though for
>> me it's a valuable piece of data that someone I don't know
>> personally
>> doesn't like someone else.
>>
>> > Although I don't like you, I still managed to respond
>> politely in
>> > IETF lists. Again... In that list the only thing you did was
>> > attacking my work.
>>
>> So, I've read the whole thread, and, as far as I can see,
>> there was
>> nothing coming from John except for a balanced judgement.
>>
>> > And then please tell me this man is not biased at all.
>>
>> Sorry, he's not.
>>
>> --
>> Töma
>>
>>
>>
>> -- 
>> Best Regards,
>>
>> Viruthagiri Thirumavalavan
>> Dombox, Inc.
>>


Re: Pinging a Device Every Second

2018-12-16 Thread Richard Holbo
YMMV... but most of the CPE routers I've seen lately have icmp turned
off by default, so you'll be messing with settings in the customer
router.  Do you provide the router? Also agree with Baldur, 2
minutes... is more than likely the customer router rebooting itself or
something like that.   If they support SNMP at ALL uptime is a VERY
useful OID.  I've finally given up and started to provide the customer
CPE.. since we're going to get the blame anyway... might as well be
able to monitor it in a fashion that we can choose and charge another
$10 a month for managed router.

TR-069 has settings to change the update frequency as well and it can
be persuaded to provide SNMPish information.

I also run a smokeping for _special_ customers.  I've found that 20
rapid pings every 1 minute gives me pretty good stats on jitter and if
they really are having an issue, I'll see it at that granularity.

/rh

On Sat, Dec 15, 2018 at 5:22 PM Baldur Norddahl
 wrote:
>
> Hi
>
> Customers do not usually complain about 2 minutes of downtime unless it is a 
> repeating event. We will therefore offer such customers to put their line on 
> monitor mode, which means we will add them to smokeping. You could also start 
> the ping once a second thing, which would be no problem if it is only a few 
> customers on monitor mode.
>
> However 2 minutes of downtime is a symptom of bad wifi more often than the 
> internet connection.
>
> Regards,
>
> Baldur
>
>
> On Sat, Dec 15, 2018 at 7:33 PM Colton Conor  wrote:
>>
>> The problem I am trying to solve is to accurately be able to tell a customer 
>> if their home internet connection was up or down.  Example, customer calls 
>> in and says my internet was down for 2 minutes yesterday. We need to be able 
>> to verify that their internet connection was indeed down. Right now we have 
>> no easy way to do this.  Getting metrics like packet loss and jitter would 
>> be great too, though I realize ICMP data path does not always equal customer 
>> experience as many network device prioritize ICMP traffic. However ICMP 
>> pings over the internet do usually accurately tell if a customers modem is 
>> indeed online or not.
>>
>> Most devices out in the field like ONT's and DSL modems do not support SNMP 
>> but rather use TR-069 for management. Most of these devices only check into 
>> the TR-069 ACS server once a day.
>> If the consumer device does support SNMP, they usually have weak broadcom or 
>> qualcom SoC processors, outdated linux kernel embedded operating systems, 
>> limited ram, and storage. Most of these can't handle SNMP walks every minute 
>> let alone every 5. We are talking about sub $100 routers here not Juniper, 
>> Cisco, Arista, etc.
>>
>> Most all of these consumer devices are connected to an carrier aggregation 
>> device like a DSLAM, OLT, ethernet switch, or wireless access point. These 
>> access devices do support SNMP, but most manufactures recommend only 5 
>> minute SNMP poling, so a 2 minute outage would not easily be detected. Plus 
>> its hard to correlate that consumer X is on port Y on access switch, and get 
>> that right for a tier 1 CSR.
>>
>> The only two ways I think I can accomplish this is:
>> 1. ICMP pings to a device every so many seconds. Almost every device 
>> supports responding to WAN ICMP pings.
>> or
>> 2. IPFIX sampling at core router, and then drilling down by customer IP. I 
>> think this will tell me if any data was flowing to this customers IP on a 
>> second by second basis, but won't necessarily give us an up or down 
>> indicator. Requires nothing from the consumer's router.
>>
>>
>>
>>
>>
>> On Sat, Dec 15, 2018 at 10:51 AM Stephen Satchell  wrote:
>>>
>>> On 12/15/18 7:48 AM, Colton Conor wrote:
>>> > How much compute and network resources does it take for a NMS to:
>>> >
>>> > 1. ICMP ping a device every second
>>> > 2. Record these results.
>>> > 3. Report an alarm after so many seconds of missed pings.
>>> >
>>> > We are looking for a system to in near real-time monitor if an end
>>> > customers router is up or down. SNMP I assume would be too resource
>>> > intensive, so ICMP pings seem like the only logical solution.
>>> >
>>> > The question is once a second pings too polling on an NMS and a consumer
>>> > grade router? Does it take much network bandwidth and CPU resources from
>>> > both the NMS and CPE side?
>>> >
>>> > Lets say this is for a 1,000 customer ISP.
>>>
>>> What problem are you trying to solve, exactly?  That more than anything
>>> will dictate what you do.
>>>
>>> Short answer: about 1500 bits of bandwidth, and the CPU loading on the
>>> remote device is almost invisible.  Remember the only real difference
>>> between ping and SNMP monitoring (UDP) is the organization of the bits
>>> in the packet and the protocol number in the IP header.  It's still one
>>> packet pair exchanged, unless you get really ambitious with your SNMP
>>> OID list.
>>>
>>> When I was in a medium-sized hosting company, I developed an 
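The ping, record and alarm-after-N-misses loop Colton lists, together with the loss and jitter summary a smokeping-style probe gives, as an added example that is not code from anyone in the thread. The real ICMP probes are replaced by a constructed sample list (1 s spacing, 60 s window) so the logic runs offline; the bandwidth helper assumes the Linux ping default of 56 payload bytes.

```python
"""Record-and-alarm logic for a once-a-second reachability monitor (added
example). Samples are (timestamp_s, rtt_ms or None for a lost probe)."""
from dataclasses import dataclass
from statistics import mean


@dataclass
class Outage:
    start: int     # timestamp of the first lost probe in the run
    end: int       # timestamp of the last lost probe in the run
    missed: int    # consecutive probes lost
    alarm_at: int  # timestamp of the probe whose loss raised the alarm


def find_outages(samples, alarm_after=5):
    """One Outage per run of at least alarm_after consecutive lost probes.
    Shorter runs (a single dropped packet) never raise an alarm, which is
    the debounce an ISP wants before a CSR sees the event."""
    outages = []
    run_start, last_lost, missed, alarm_ts = None, None, 0, None
    for ts, rtt in samples:
        if rtt is None:
            if run_start is None:
                run_start = ts
            missed += 1
            last_lost = ts
            if missed == alarm_after:    # alarm fires on the Nth miss
                alarm_ts = ts
            continue
        if alarm_ts is not None:         # run ended after crossing threshold
            outages.append(Outage(run_start, last_lost, missed, alarm_ts))
        run_start, last_lost, missed, alarm_ts = None, None, 0, None
    if alarm_ts is not None:             # window ended inside an outage
        outages.append(Outage(run_start, last_lost, missed, alarm_ts))
    return outages


def link_stats(samples):
    """Loss percentage, mean RTT and jitter over the window; jitter here is
    the mean absolute difference between successive RTTs."""
    rtts = [r for _, r in samples if r is not None]
    diffs = [abs(b - a) for a, b in zip(rtts, rtts[1:])]
    return {
        "loss_pct": 100.0 * (len(samples) - len(rtts)) / len(samples),
        "rtt_ms": mean(rtts) if rtts else None,
        "jitter_ms": mean(diffs) if diffs else 0.0,
    }


def probe_bits_per_second(customers, interval_s=1.0, icmp_payload=56):
    """Wire bandwidth of one echo request plus one reply per customer per
    interval: 14 B Ethernet + 20 B IPv4 + 8 B ICMP + payload + 4 B FCS per
    packet (preamble and inter-frame gap ignored)."""
    frame_bytes = 14 + 20 + 8 + icmp_payload + 4
    return customers * 2 * frame_bytes * 8 / interval_s


def constructed_samples():
    """Sixty once-a-second probes (constructed data): RTT cycling 20/21/22 ms,
    a 7 s hole at t=20..26, one lost probe at t=40, a 3 s hole at t=50..52."""
    return [(t, None) if (20 <= t <= 26 or t == 40 or 50 <= t <= 52)
            else (t, 20.0 + t % 3) for t in range(60)]


if __name__ == "__main__":
    samples = constructed_samples()
    for o in find_outages(samples, alarm_after=5):
        print(f"outage {o.start}s-{o.end}s, {o.missed} probes lost, "
              f"alarm at {o.alarm_at}s")
    print(link_stats(samples))
    print(f"1,000 customers at 1 probe/s: "
          f"{probe_bits_per_second(1000) / 1e6:.2f} Mbit/s")
```

With alarm_after=5 only the 7 s hole is reported (alarm at t=24); the single drop at t=40 and the 3 s hole stay below threshold but still show up in the loss figure.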

Sorta [OT] Contact Request

2018-06-21 Thread Richard Porter
Short story, 
Wife is moving us to a remote location. Anyone from Windstream ISP in greater 
Dallas TX area on the list that can contact me?

Thanks!,
~Richard

Re: BGP in a containers

2018-06-14 Thread Richard Hicks
I'm happy with GoBGP in a docker container for my BGP
Dashboard/LookingGlass project.
https://github.com/rhicks/bgp-dashboard

Its just piping RIB updates, as JSON, to script to feed into MongoDB
container.

At work we also looked at GoBGP as a route-server for a small IXP type of
setup, but ran into few issues that we didn't have the time to fully
debug.  So we switched to BIRD for that project.
We are happy with both.

On Thu, Jun 14, 2018 at 11:56 AM, james jones  wrote:

> I am working on an personal experiment and was wondering what is the best
> option for running BGP in a docker base container. I have seen a lot blogs
> and docs referencing Quagga. I just want to make sure I am not over looking
> any other options before I dive in. Any thoughts or suggestions?
>
> -James
>


Re: Wi-Fi Analyzer

2017-12-29 Thread Richard
Sorry for the top post, but I too end up going back to Wi Fi analyzer on 
my Android. I have found it covers all the basics which I need and am 
able to locate any difficulty I may be having. It works and you can 
carry it in your pocket instead of dragging a laptop around.


Richard


On 12/29/2017 09:17 AM, Bryan Holloway wrote:
> Curious if the community has any recommendations and/or positive
> experiences to share for a handheld Wi-Fi (802.11a/b/g/n/ac) analyzer.
>
> Software/laptop-based solutions can be unwieldy in certain
> environments. However, given rave reviews, I'm open to the idea as
> long as it's Mac-compatible.
>
> Should be able to show detailed spectra, help locate sources of
> interference, have mapping capabilities, etc.
>
> Thanks!






Re: Companies using public IP space owned by others for internal routing

2017-12-17 Thread Richard Porter
Robert,
I’ve heard of two cases recently, large companies (non carrier/ISP). One 
company looking to solve challenge with IPv6 and 6to4 and DNS.

Also curious how wide-spread this is? Maybe just the kick in the butt for 
catching the elusive IPv6 unicorn?

~Richard

> On Dec 17, 2017, at 3:30 PM, Robert Webb <rw...@ropeguru.com> wrote:
> 
> Will anyone comment on the practice of large enterprises using non RFC1918 IP 
> space that other entities are assigned by ARIN for internal routing?
> 
> Just curious as to how wide spread this might be. I just heard of this 
> happening with a large ISP and never really thought about it until now.
> 
> Robert



Re: Companies using public IP space owned by others for internal routing

2017-12-17 Thread Richard



On 12/17/2017 04:30 PM, Robert Webb wrote:
> Will anyone comment on the practice of large enterprises using non RFC1918 IP
> space that other entities are assigned by ARIN for internal routing?
>
> Just curious as to how wide spread this might be. I just heard of this
> happening with a large ISP and never really thought about it until now.
>
> Robert


    It is more common than you would think. Why use public IPs when 
you can have many RFC 1918 options? Always amazes me after the initial 
confusion.

    Richard


quake3-master-getservers:

2017-12-10 Thread Richard
    NANOG group, at a client site that was complaining of having their 
Active Directory passwords changed every week. Found a PPTP which had 
been put in place by an ex-employee. Fixed that.


    I have no idea what a master-getservers is.

    If anyone can ping me-off-list to educate me a bit more, please do.

    Sincerely, Richard



Sys admin has gotten off topic...

2017-12-06 Thread Richard

    Please squash this thread as it has run its course.

    Thank you, Richard



RE: ospf database size - affects that underlying transport mtu might have

2017-11-27 Thread Richard Vander Reyden via NANOG
> This is a *single area* ospf environment, that has been stable for years.
> But now suddenly is having issues with new ospf neighbor adjacencies, which 
> are riding a 3rd party transport network 

I have seen this in the lab before, was related to the size of the LSA. 

> Anyone ever experienced anything strange with underlying transport network 
> mtu possibly causing ospf neighbor adjacency to be broken ?  I'm asking if 
> the underlying 3rd party transport layer 2 network
>has a smaller mtu than the endpoint ospf ip interface have, could this cause 
>those ospf neighbors to not fully establish ?

You can check this with a ping of your MTU size with the DF bit set.

> .and I'm also asking this if the single ospf area has grown large enough to 
> cause some
> sort of initial database packet to be larger than that underlying 3rd party 
> mtu is providing

If you have a large number of routers in your area the LSA size will grow; we 
saw a problem in testing when we injected 2000 prefixes into the area and the 
OSPF neighbour would not come up.  On a Cisco router you can set 'buffers huge' 
as a workaround.

Richard

 



Re: 4 or smaller digit ASNs

2017-10-12 Thread Richard Hicks
Anyone know the history behind ASN 2906 (Netflix)?
How did they get a number that low?

Rick

On Thu, Oct 12, 2017 at 3:13 PM, Jon Lewis  wrote:

> On Thu, 12 Oct 2017, Hank Nussbacher wrote:
>
> On 12/10/2017 08:47, Mel Beckman wrote:
>>
>>> James,
>>>
>>> As far as I know, you can't buy an existing ASN for any amount of money.
>>> You can buy the company that owns it, but that seems like boiling tea with
>>> a blowtorch.
>>>
>>> I sincerely doubt there are unused low-number ASNs, but you could always
>>> ask ARIN.
>>>
>>> I'm curious what your client's rationale is for wanting a low ASN.
>>>
>> It is called ASN-envy.
>>
>
> And here smaller is better :)
>
> How would one go about cleaning up the provenance and either re-using or
> selling an ASN, supposing:
>
> 1) you are all the registered contacts for the ASN and your ARIN POC is
> still valid
>
> 2) the ASN was owned by (ok...it's ARIN[1], so "registered to") a defunct
> corporation (inactive >10 years) of which you were part-owner
>
> 3) the ARIN maintenance fees have been unpaid >10 years...yet the ASN
> still exists in whois
>
> [1] It was actually assigned pre-ARIN, but to an org that eventually
> signed the RSA...so I wonder...are the maintenance fees really past
> due...and is this why the ASN was never reclaimed while the IP space (which
> was allocated by ARIN) was?
>
> --
>  Jon Lewis, MCP :)   |  I route
>  |  therefore you are
> _ http://www.lewis.org/~jlewis/pgp for PGP public key_
>


Re: Temperature monitoring

2017-07-13 Thread Richard Holbo
http://tyconsystems.com/index.php/products/tycon-power/tpdin-monitor-web/751-tpdin-monitor-web2

Is what I use in my cabinets. Has two temp sensors, one internal and one
external.  I put the external near the AC cold air output so I can get a
diff and know if the AC is on.  SNMP + Cacti graphs them nicely.  I use one
of the voltage sensors to monitor the cabinet doors via reed switches. In
remote mountain sites I also use it for battery/solar voltages and to monitor
wall warts for utility power loss.

/rh

On Thu, Jul 13, 2017 at 7:33 PM, Dovid Bender  wrote:

> All,
>
> We had an issue with a DC where temps were elevated. The one bit of
> hardware that wasn't watched much was the one that sent out the initial
> alert. Looking for recommendations on hardware that I can mount/hang in
> each cabinet that is easy to set up and will alert us if temps go beyond a
> certain point.
>
> TIA.
>
> Dovid
>


Re: Need recommendation on an affordable internet edge router

2017-05-05 Thread Richard Holbo
I've had no issues with their gear and have used the NE40/80 routers, some
of the switching gear and some FTTP; the NE40e will do full tables.  US support
is in Texas and has been good.  Mostly my experience with Huawei support
has been that I don't need it.  Once you get over the learning curve.. it
mostly just makes sense and does what you think it ought to.
/rh

On Thu, May 4, 2017 at 3:26 PM, c b  wrote:

> Can someone toss in a brief testimonial for huawei? In the US, I never
> hear that name in enterprise space, only in carriers. No idea what
> day-to-day ops or support is like with that vendor. All the others I am
> quite familiar with to one degree or another.
>
>
> 
> From: Dragan Jovicic 
> Sent: Thursday, May 4, 2017 3:20 PM
> To: Saku Ytti
> Cc: c b; nanog@nanog.org
> Subject: Re: Need recommendation on an affordable internet edge router
>
> Hi,
>
> But you probably should review at least:
>   - Juniper MX204, MX480
>   - Cisco ASR9k
>   - Huawei NE20, NE40
>   - Alcatel 7750SR
>
> Having all of these somewhere in our network, and my heart being with JNPR
> boxes, I'll say have a look at Huawei offerings.
>
> +Dragan
>
> On Fri, May 5, 2017 at 12:10 AM, Saku Ytti  ytti.fi>> wrote:
> On 5 May 2017 at 01:04, c b > wrote:
>
> Hey,
>
> > The ASR9k is certainly up to the task and it's one of the few we looked
> at
> > initially, but the pricing is nowhere near commodity even if we got a
> > minimal build.
>
> What is commodity? Where are you comparing it to which satisfies your
> requirements?
>
> > As far as volume, the initial purchase for this round of budget will be
> an
> > HA pair. If the solution works well, we have potential to replace 12 or
> so
> > throughout FY17, maybe into FY18.
>
> Yeah sales droids likely won't be interested in 2 at all. But if you
> commit on those 12, even if you'll order them separately. I think
> that's something sales droid will care about, and you'll have
> negotiation leverage as you can keep bouncing between several vendors
> seeing who gets your business.
> You should really expect at least 70% discount on 12 units, 80% would
> be good. Under 70% would be walk out the room.
>
> --
>   ++ytti
>
>


Re: 10G MetroE 1-2U Switch

2017-04-13 Thread Richard Holbo
I have used several of these Huawei S6700 switches with no issues; they are
fast, easy to configure, and support pretty much everything you mention.

http://e.huawei.com/en/marketing-material/global/products/enterprise_network/switches/s6700/HUAWEI%20S6700%20Series%2010%20GE%20Switch%20Data%20Sheet

/rh

On Thu, Apr 13, 2017 at 2:37 PM, Erik Sundberg 
wrote:

> Hey Nanog,
>
> Looking for a new metroE Edge switch that has more that 10x 10G ports. I
> am having a hard time finding anything worthwhile without buying a full
> blown ASR9K Chassis or another vendor's chassis.
>
> Requirements
> MEF compliant
> 1-2U small foot print
> 10G Ports will be used for ENNI's and UNI Ports
> Prefer MPLS support for L2VPN's (EoMPLS and VPLS)
> QOS per Sub interface\vlan on a ENNI
> Cost effect 10G Ports
> 100G Not required
>
>
> Looking at the
> ASR920's - Great box for 1G but not enough 10G Ports Only 4
> NCS5001/NCS5501 - New\unproven\probably buggy, Lacking some features & QOS
> issues :/
> ASR900 - Looks good, but was hoping for a smaller foot print. If I
> remember right the 8x10G Cards can't go in every slot.
>
> Any other platforms I should be looking at?
>
> Ciena, Brocade, Juniper?
>
>
>
> Thanks in advance!
>
> -Erik
>


Re: SHA1 collisions proven possisble

2017-02-25 Thread Richard Hesse
Git prefixes blobs with its own data. You're not going to break git with a
SHA-1 binary collision. However, svn is very vulnerable to breaking.

On Thu, Feb 23, 2017 at 3:11 PM, J. Hellenthal 
wrote:

> It's actually pretty serious in Git and the banking markets where there is
> high usage of sha1. Considering the wide adoption of Git, this is a pretty
> serious issue that will only become worse ten-fold over the years. Visible
> abuse will not be near as widely seen as the initial shattering but
> escalate over much longer periods.
>
> Take it serious ? Why wouldn't you !?
>
> --
>  Onward!,
>  Jason Hellenthal,
>  Systems & Network Admin,
>  Mobile: 0x9CA0BD58,
>  JJH48-ARIN
>
> On Feb 23, 2017, at 16:40, Ricky Beam  wrote:
>
> > On Thu, 23 Feb 2017 15:03:34 -0500, Patrick W. Gilmore <
> patr...@ianai.net> wrote:
> > More seriously: The attack (or at least as much as we can glean from the
> blog post) cannot find a collision (file with same hash) from an arbitrary
> file. The attack creates two files which have the same hash, which is
> scary, but not as bad as it could be.
>
> Exactly. This is just more sky-is-falling nonsense. Of course collisions
> exist. They occur in every hash function. It's only marginally noteworthy
> when someone finds a collision. It's neat the Google has found a way to
> generate a pair of files with the same hash -- at colossal computational
> cost! However this in no way invalidates SHA-1 or documents signed by
> SHA-1. You still cannot take an existing document, modify it in a
> meaningful way, and keep the same hash.
>
> [Nor can you generate a blob to match an arbitrary hash (which would be
> death of all bittorrent)]
>
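As an added illustration of the "git prefixes blobs with its own data" point above (example code, not from the thread or from git itself): git's object ID is the SHA-1 of a type-and-length header followed by the content, which is also the value a receiving repository recomputes to check every object it stores. The sample file contents are constructed.

```python
"""Why a raw SHA-1 collision does not automatically carry into git.

Added example. git names a blob by hashing b"blob <length>\\0" followed by
the file content, so the bytes that go into SHA-1 are never the bare file.
Sample contents below are constructed.
"""
import hashlib


def git_object_id(obj_type: str, content: bytes) -> str:
    """git's object ID: SHA-1 over "<type> <len>\\0" + content."""
    header = f"{obj_type} {len(content)}\0".encode()
    return hashlib.sha1(header + content).hexdigest()


def git_blob_id(content: bytes) -> str:
    """Shortcut for blobs; equals `git hash-object` on the same bytes."""
    return git_object_id("blob", content)


def raw_sha1(content: bytes) -> str:
    """Plain SHA-1 of the bare file, as a collision result would report it."""
    return hashlib.sha1(content).hexdigest()


def verify_object(expected_id: str, obj_type: str, content: bytes) -> bool:
    """The check a receiving repository performs (fsck on transfer):
    recompute the ID from header + content and compare with the claimed one.
    A substituted blob passes only if it collides under git's header prefix,
    not merely on the bare file bytes."""
    return git_object_id(obj_type, content) == expected_id


def hash_report(content: bytes) -> dict:
    """Both hashes side by side: they are computed over different messages."""
    return {"raw_sha1": raw_sha1(content), "git_blob_id": git_blob_id(content)}


if __name__ == "__main__":
    # Constructed sample: two distinct files of equal length. Equal length
    # means an identical git header, so the header is the same prefix for
    # both, but the hashed message still differs from the bare file.
    a = b"config: allow_pptp = no  \n"
    b = b"config: allow_pptp = yes \n"
    for name, data in (("a", a), ("b", b)):
        print(name, hash_report(data))
    print("verify_object:", verify_object(git_blob_id(a), "blob", a))
    print("swapped content accepted:", verify_object(git_blob_id(a), "blob", b))
```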


Re: Updating Geolocation of /24 within corporate /16

2017-02-21 Thread Richard Hesse
If you have a peering session with Google or one of their cache boxes, you
can set a GeoIP publishing endpoint using their online portal at
isp.google.com. That's only for Google though.

-richard

On Fri, Feb 10, 2017 at 3:19 AM, David Sotnick <sotnickd-na...@ddv.com>
wrote:

> Hi Tyler,
>
> I have not yet tried this, but am doing so now, thanks!
>
> -Dave
>
> On Thu, Feb 9, 2017 at 6:27 PM, Tyler Conrad <ty...@tgconrad.com> wrote:
>
> > Have you tried submitting a correction to some geolocation services
> > directly yet? Maxmind is pretty heavily used.
> >
> > https://support.maxmind.com/correction-faq/submit-a-
> > correction/how-do-i-submit-a-correction-to-geoip-data/
> >
> >
> > On Thursday, February 9, 2017, David Sotnick <sotnickd-na...@ddv.com>
> > wrote:
> >
> >> Hi NANOG,
> >>
> >> You have given good advice on updating IP Geolocation data in the past,
> >> including visiting 'www.google.com' from a mobile device and selecting
> >> "use
> >> exact location [from GPS]". This worked out well for us a few years ago
> >> for
> >> a single IP which we were NATting out of in a new geographic location.
> >>
> >> Now we are in a position where we have been assigned site-local /24 (out
> >> of
> >> the corporation's larger /20 space) networks for a couple of locations
> and
> >> I'm wondering how I go about updating IP Geolocation data to note that
> two
> >> /24 networks are no longer at the Corporate HQ location.
> >>
> >> I understand that when users first start using these site-specific /24
> >> networks, they will be lumped in with the larger /20 space as far as
> their
> >> geolocation goes, but besides the Google/GPS method, is there a
> >> cleaner/better way to do this? Do Geolocation services use SWIP data?
> >> Should I have the /24s have separate SWIP data noting the geo location?
> >> I'd
> >> love a place to be able to say: "This /24 is at this geoloc; this /24 is
> >> at
> >> this geoloc; and the corporate /20 remains where it always has been."
> >>
> >> Many thanks for your insights in this matter,
> >>
> >> -Dave
> >>
> >
>


Re: IoT security

2017-02-07 Thread Richard

On 02/07/2017 02:27 PM, Randy Bush wrote:

On Tue, Feb 07, 2017 at 06:56:40AM -0500, William Herrin wrote:

Immaterial. The point is to catch vulnerable devices before they're
hacked.

you have a 30 second window there, maybe five minutes if you are lucky.


Looking at my logs from the past couple of months I think you are 
being generous by giving it thirty seconds.


Richard



Re: Bandwidth Savings

2017-01-11 Thread Richard Hicks
I don't know the Caribbean Internet Exchanges market.  Are any worth
peering at versus buying additional L2 bandwidth to Miami?

https://cw.ams-ix.net/
http://www.ocix.net/ocix/

Rick

On Tue, Jan 10, 2017 at 8:08 PM, Keenan Singh 
wrote:

> Hi Guys
>
> We are an ISP in the Caribbean, and are faced with extremely high Bandwidth
> costs, compared to the US, we currently use Peer App for Caching however
> with most services now moving to HTTPS the cache is proving to be less and
> less effective. We are currently looking at any way we can save on
> Bandwidth or to be more Efficient with the Bandwidth we currently have. We
> do have a Layer 2 Circuit between the Island and Miami, I am seeing there
> are WAN Accelerators where they would put a Server on either end and sort
> of Compress and decompress the Traffic before it goes over the Layer 2, I
> have never used this before, has any one here used anything like this, what
> results would I be able to expect for ISP Traffic?
>
> If not any ideas on Bandwidth Savings, or being more Efficient with want we
> currently.
>
> Many thanks for any Help
>
> Keenan
>


Re: Someone didn't get the leap second memo...

2016-12-31 Thread Richard Hicks
We had some ASR1001 routers reboot.

Looks like we hit this bug:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvb01730


On Sat, Dec 31, 2016 at 5:47 PM, Hugo Slabbert  wrote:

> Had a set of Cisco ASR1004s running 15.4(3)S1 (on IOS-XE 03.13.01.S) all
> restart at around midnight UTC, and all with `Last reload reason:
> Watchdog`, with those boxes being at separate DCs in different regions.
> I'm assuming when I call TAC I'll get a "whoops; sorry".
>
> --
> Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
> pgp key: B178313E   | also on Signal
>
>
> On Sun 2017-Jan-01 01:02:24 +, Matthew Huff  wrote:
>
> [root@hayden ~]# ntpq -p
>>      remote           refid      st t when poll reach   delay   offset  jitter
>> ==============================================================================
>>  LOCAL(0)        .LOCL.          10 l   20d   64    0    0.000    0.000   0.000
>> -clock.xmission. 132.163.4.103    2 u   169  256  377   66.078   -1.302   0.164
>> xclock.sjc.he.ne 10.200.208.2     2 u    13  256  315   65.689  999.633   2.015
>> +tock.usshc.com  .GPS.            1 u    87  256  377   26.930   -0.550   0.121
>> *ntp.your.org    .CDMA.           1 u    43  256  217   23.339    0.544   0.069
>>
>> Our batch system went belly up, but other than that, no other apparent
>> leap second issues.
>>
>> 
>> Matthew Huff | 1 Manhattanville Rd
>> Director of Operations   | Purchase, NY 10577
>> OTA Management LLC   | Phone: 914-460-4039
>> aim: matthewbhuff| Fax:   914-694-5669
>>
>>
>>


Re: Death of the Internet, Film at 11

2016-10-24 Thread Richard Holbo
I run/manage the networks for several smallish (in the thousands of
customers) eyeball ISPs, and I appreciate a nice "hey you've got a bot" or
"someone is scanning me" notice to my abuse emails.  They are useful in
identifying crap that's going on, so for those of you who have the
resources to do that...  I appreciate it; we do read them at my networks
and try to do something.

That said... getting end users to actually fix the broken routers etc. etc.
is NOT easy.  Very often we'll notify customers, they will _take their
stuff to the local computer repair guy_ ... or Office Depot, and they
will run whatever auto scan they have and say it's all fine.  Customer puts
it back in, it's still broken, and they call customer support and want us to
pay for the trip because _their_ expert says it's fine...

IMHO since the advent of Net Neutrality... I cannot simply block all of X,
Y or Z at my edge and tell the customers it's for the best.  I'd love to
block some stuff in and outbound to customers, but then the customer just
yells at us and files complaints with the PUC because _they have a right to
it_.. So those of you calling for Government interference... we've already
done that and it does not help.

/rh

On Sun, Oct 23, 2016 at 10:56 PM, John Weekes  wrote:

> On 10/23/2016 4:19 PM, Ronald F. Guilmette wrote:
>
>>
>> ... I've recorded
>>> about 2.4 million IP addresses involved in the last two months (a number
>>> that is higher than the number of actual devices, since most seem to
>>> have dynamic IP addresses). The ISPs behind those IP addresses have
>>> received notifications via email...
>>>
>> Just curious... How well is that working out?
>>
>
> For the IoT botnets, most of the emails are ignored or rejected, because
> most go to providers who either quietly bitbucket them or flat-out reject
> all abuse emails. Most emails sent to mainland China, for instance, are in
> that category (Hong Kong ISPs are somewhat better).
>
> For other botnets, such as those using compromised webservers running
> outdated phpMyAdmin installs at random hosts, harnessing spun-up services
> at reputable VPS providers (Amazon, Microsoft, Rackspace, etc.), or
> harnessing devices at large and small US and Canadian ISPs, we have had
> better luck. Usually, we don't hear a response back, but those emails are
> often forwarded to the end-user, who takes action (and may ask us for help,
> which is how we know they are being forwarded). The fixes can enough to
> reduce attack volumes to more manageable levels.
>
> Kudos go out to the large and small ISPs and NSPs who have started
> policing SSDP and other reflection traffic, which we also send out some
> notifications for. In some cases, it may be that our emails spurred them to
> notice how much damage those attacks were doing and how much it was costing
> them to carry the attack traffic.
>
> I've tried this myself a few times in the past, when I've found things
>> that appear to be seriously compromised, and for my extensive trouble
>> I've mostly received back utter silence and no action.  I remember that
>> after properly notifying security@ some large end-luser cable network
>> in the SouthEast (which shall remain nameless) I got back something
>> along the lines of "Thank you.  We'll look into it." and was disgusted
>> to find, two months later, that the boxes in question were still utterly
>> pwned and in the exact same state they were two months prior, when I
>> had first reported them.
>>
>
> We do get our share of that, as well, unfortunately, along with our share
> of people who send angry responses calling the notifications spam (I
> disagree with them that sending a legitimate abuse notification to a
> publicly-posted, designated abuse account should be considered spam) or who
> flame us for acting like "internet police". But, we persist. Some people
> change their minds after receiving multiple notifications or after we
> explain that DoS traffic costs them money and hurts their customers, who
> will be experiencing degraded service and may silently switch providers
> over it.
>
> I guess that's just an example of what somebody else already noted here,
>> i.e. that providers don't care to spend the time and/or effort and/or
>> money necessary to actually -do- anything about compromised boxes, and
>> anyway, they don't want to lose a paying customer.
>>
>> So, you know, let's just say for the sake of argument that right now,
>> today, I know about a botnet consiting of a quarter million popped
>> boxes, and that I have in-hand all of the relevant IPs, and that I
>> have no trouble finding contact email addresses for all of the relevant
>> ASNs.  So then what?
>>
>
> I use scripts to send out an abuse notification to some percentage of the
> compromised hosts -- the ones sending some significant amount of the
> traffic. The notification includes a description of what we saw and
> timestamped example attack traffic, as interpreted by 

Re: Death of the Internet, Film at 11

2016-10-22 Thread Richard Irving
Then, again, Ayn Rand's idea of "sex" was to get slapped around first.. I 
am not sure I would acquire my "life philosophy" from her, and, as 
*proudly* *independent* as she was, in the end, she relied upon 
American Social Security to get by.

Talk is cheap.

On 10/21/2016 09:02 PM, James Downs wrote:

On Oct 21, 2016, at 17:39, Ronald F. Guilmette  wrote:
P.S.  To all of you Ayn Rand devotees out there who still vociferously
argue that it's nobody else's business how you monitor or police your
"private" networks, and who still refuse to take even minimalist steps

What does Ayn Rand have to do with it? She would hardly countenance 
incompetence.





Re: Domain renawals

2016-09-22 Thread Richard Holbo
Since the circular notion of why we need glue records has already been
addressed, I won't hit that here...

I would agree with "you're probably having trouble with your registrar's
user interface".  In doing some work for a company that had a number of
domains registered at 1and1.com, they (1and1) have a webpage about how to
setup glue records, talks about it, but it does not work, and when you call
their support, (google has many descriptions of the same issue)... they say
that the only way it works is if you host your DNS with them, which kinda
defeats the purpose.

Whether this is just bad UI, bad support, or they just don't think it's
necessary for most of their business ... does not really matter,
effectively they are telling the customer who needs that to go somewhere
else.

In that process (going somewhere else) I've discovered that some registrars
make it pretty easy, some ignore it completely. As there are probably
fairly few of us who actually need this functionality, I think a lot of
less expensive registrars just ignore it.

Just throwing this out there in response to OP as something to watch out
for because if you need it...

Netsol and Hover make it easy; GoDaddy is not intuitive but doable, FYI,
IMHO. (DISCLAIMER: not a complete list, just my current limited experience,
not meant to denigrate any other registrar that's not mentioned, please no
flames).

/rh

On Thu, Sep 22, 2016 at 9:15 AM, Jimmy Hess <mysi...@gmail.com> wrote:

> On Thu, Sep 22, 2016 at 9:37 AM, Doug Barton <do...@dougbarton.us> wrote:
> > On 09/21/2016 01:44 PM, Richard Holbo wrote:
> >> FWIW, as I'm in the middle of this right now. It would appear that many
> of
> > What do you think glue records are, and why do you think you need them?
> :)
> > (Those are serious questions, btw)
>
> Glue records are also called "Host records",  or alternatively
> called "Nameserver" records.
> These are A and AAAA records for your domain name which appear in the
> parent TLD zone,
> instead of the child zone.
>
> Host records also typically appear in WHOIS, for example:   "$ whois
> ns5.yahoo.com"
>
> If you think your registrar does not support them,  then you're
> probably having trouble with
> your registrar's user interface,  and just don't have the right
> procedure,   because the use
> of host records is  quite essential and necessary for at least one
> domain to self-host DNS..
>
>
> These records are non-authoritative and belong to the reply delegating
> nameservers for
> your domain to your servers,  and you need to duplicate a copy of all
> your NS, A,  records in your
> child zone,  which must be identical to the parent's version of the
> records.
>
> For example, suppose your domain name is "Example.com"
> And you want your nameservers to be  NS1.example.com,
> NS2.example.com,  NS3.example.com.
>
> Because the nameservers exist in the same domain name which references
> them,
> the required DNS lookup graph is circular,  and your DNS zone becomes an
> island!
>
> In order for clients to find your nameserver  to figure out what
> NS1.example.com resolves to,
> it first needs to be able to find a nameserver for  Example.com,
> which is NS1.example.com.
>
> This is what is circular without a Hint in the Additional section of
> the DNS reply from the parent nameserver.
>
> The glue record in the parent zone is used to tell the parent TLD
> server to include the IP address of
> your nameserver in the Additional Section  of the DNS reply,  so you
> can  bootstrap DNS resolution
> for Example.com.
>
>
>
> > Doug
> --
> -JH
>
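A toy model of the delegation described in the quoted explanation above, and of the glue problem raised in the 2016-09-21 post below, as an added example (not code from either poster): a resolver that follows the parent's referral can only locate an in-bailiwick name server if the parent hands it glue, and the parent's glue must agree with the child zone's own address records. All zone data is constructed; addresses come from documentation ranges.

```python
"""Toy model of a delegation with and without glue (added example).

Models only what the quoted explanation describes: the parent (TLD) zone
carries NS records for a child, optionally with glue addresses; a resolver
that needs the address of an in-bailiwick name server without glue goes in
a circle. All zone data below is constructed.
"""


class DnsIsland(Exception):
    """A zone whose name servers can only be located through the zone itself."""


def in_bailiwick(host: str, zone: str) -> bool:
    """True when host lies at or below zone (ns1.example.com under example.com)."""
    return host == zone or host.endswith("." + zone)


def nameserver_addresses(zone: str, parent: dict, external: dict) -> dict:
    """Return {ns_host: ip} as a resolver following the parent's referral sees it.

    parent:   the parent zone's view of the child: {"NS": [hosts], "glue": {host: ip}}
    external: addresses the resolver can obtain elsewhere (out-of-bailiwick servers)
    """
    found = {}
    for ns in parent["NS"]:
        if ns in parent.get("glue", {}):
            # Glue arrives as an Additional-section hint in the referral.
            found[ns] = parent["glue"][ns]
        elif in_bailiwick(ns, zone):
            # Looking up ns needs a server for zone, which is ns itself.
            raise DnsIsland(f"{ns} is inside {zone} and the parent carries no glue for it")
        elif ns in external:
            # Out-of-bailiwick server: reachable through its own delegation, no glue needed.
            found[ns] = external[ns]
    return found


def is_island(zone: str, parent: dict, external: dict = None) -> bool:
    """Convenience predicate: does this delegation dead-end without glue?"""
    try:
        nameserver_addresses(zone, parent, external or {})
    except DnsIsland:
        return True
    return False


def glue_mismatches(parent: dict, child_a_records: dict) -> list:
    """Glue in the parent that does not match the child zone's own A records.

    The quoted post requires the two copies to be identical; a stale copy on
    either side is a usual cause of intermittent failures after renumbering.
    Returns (host, parent_ip, child_ip) triples.
    """
    return [
        (host, ip, child_a_records.get(host))
        for host, ip in parent.get("glue", {}).items()
        if child_a_records.get(host) != ip
    ]


# Constructed zone data.
CHILD_A = {"ns1.example.com": "192.0.2.1", "ns2.example.com": "192.0.2.2"}
NS_SET = ["ns1.example.com", "ns2.example.com"]
PARENT_WITH_GLUE = {"NS": NS_SET, "glue": dict(CHILD_A)}
PARENT_NO_GLUE = {"NS": NS_SET, "glue": {}}
PARENT_STALE_GLUE = {"NS": NS_SET,
                     "glue": {"ns1.example.com": "192.0.2.1",
                              "ns2.example.com": "198.51.100.2"}}
PARENT_EXTERNAL_NS = {"NS": ["ns.hoster.example"], "glue": {}}
EXTERNAL = {"ns.hoster.example": "203.0.113.53"}


if __name__ == "__main__":
    print("with glue:   ", nameserver_addresses("example.com", PARENT_WITH_GLUE, {}))
    print("external NS: ", nameserver_addresses("example.com", PARENT_EXTERNAL_NS, EXTERNAL))
    print("stale glue:  ", glue_mismatches(PARENT_STALE_GLUE, CHILD_A))
    print("no glue is island:", is_island("example.com", PARENT_NO_GLUE))
```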


Re: Domain renawals

2016-09-21 Thread Richard Holbo
FWIW, as I'm in the middle of this right now. It would appear that many of
the less expensive registrars no longer support glue records in any
meaningful way.  They all expect you to host DNS with them. So might want
to check on that before buying the cheapest and hosting your own DNS.
/rh

On Mon, Sep 19, 2016 at 10:19 AM, Jeff Jones  wrote:

> Hello All,
>
> Sorry if this is low level. But are people sick of registrars jacking up
> prices? Who is the cheapest and most reliable? I have been using whois.com
> ,
> networksolutions.com and am looking for input on who is cheap, secure,
> reliable registrar. Thanks for your input.
>
> ~Jeff
>


Re: "Defensive" BGP hijacking?

2016-09-12 Thread Richard Hesse
This behavior is never defensible nor acceptable.

In addition to being in the wrong with BGP hijacking a prefix, it
appears that Mr. Townsend had the wrong target, too. We've been
attacked a few dozen times by this botnet, and they could never muster
anything near 200 Gbps worth of traffic. They were orders of magnitude
smaller, only around 8-16 Gbps depending on attack.

Mr. Townsend's motives were wrong and so was his information.

-richard

On Sun, Sep 11, 2016 at 8:54 PM, Hugo Slabbert <h...@slabnet.com> wrote:
> Hopefully this is operational enough, though obviously leaning more towards 
> the policy side of things:
>
> What does nanog think about a DDoS scrubber hijacking a network "for 
> defensive purposes"?
>
> http://krebsonsecurity.com/2016/09/alleged-vdos-proprietors-arrested-in-israel/
>
> "For about six hours, we were seeing attacks of more than 200 Gbps hitting 
> us,” Townsend explained. “What we were doing was for defensive purposes. We 
> were simply trying to get them to stop and to gather as much information as 
> possible about the botnet they were using and report that to the proper 
> authorities.”
>
> --
> Hugo Slabbert   | email, xmpp/jabber: h...@slabnet.com
> pgp key: B178313E   | also on Signal


RE: automated site to site vpn recommendations

2016-06-28 Thread Richard Greasley
Another option is Checkpoint Edge devices.
We use them worldwide with little to no problems.
They're centrally managed and support central logging which is a plus when 
trying to diagnose issues.
They support dynamic IP addresses as well, so just plug it in and you should be 
good to go.
Not the cheapest solution, but for sure they get the job done.

Regards,
Richard.


-Original Message-
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Dan Stralka
Sent: Monday, June 27, 2016 6:28 PM
To: Karl Auer
Cc: nanog@nanog.org
Subject: Re: automated site to site vpn recommendations

I would second Meraki for the situation you describe. I don't feel that
they are the most capable platform, they're expensive, and don't always
present you with all the information you'd need for troubleshooting.
However, the VPN offers great dynamic tunneling, instant-on performance,
and are by far the simplest platform to offer a field person.  They're also
tenacious - I've had them connect to the cloud management platform and
build a VPN under some trying circumstances.

>From a security standpoint, they will offer features that will impress for
the price (Sourcefire, inability to use if stolen, 802.1x, and remote VPN
tunnel control), and we've found they punch above their weight and their
APs perform fantastically.

We deploy them worldwide many times per year in similar use cases,
sometimes with 150 users on the LAN. If your routing is simple, you can
define your security policies, and don't need crazy throughput on your VPN,
Meraki is the way to go.  Be careful though: they have to be continually
licensed to work and can get pretty expensive if you go for the higher end
gear.  Thus far, we've been able to stick to the cheaper stuff and
accomplish our goals.

Dan

(end)
On Jun 27, 2016 6:01 PM, "Karl Auer" <ka...@biplane.com.au> wrote:

> On Mon, 2016-06-27 at 13:08 -0700, c b wrote:
> > In some cases...
>
> The words "in some cases" are a problem with any supposedly plug and
> play solution.
>
> > We really could use a simple solution that you
> > just flip on, it calls home, and works...
>
> ...but still requiring someone to enter credentials of some sort,
> right? Otherwise you have a device wandering about that provides look
> -mum-no-hands access to your corporate network.
>
> MikroTik stuff is cheap as chips, small, comes with wifi, ethernet, USB
> for a wireless dongle or storage, and has a highly-scriptable operating
> system. Not a bad platform.
>
> Regards, K.
>
> --
> ~~~
> Karl Auer (ka...@biplane.com.au)
> http://www.biplane.com.au/kauer
> http://twitter.com/kauer389
>
> GPG fingerprint: E00D 64ED 9C6A 8605 21E0 0ED0 EE64 2BEE CBCB C38B
> Old fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4





Re: Google GeoIP issue

2016-06-02 Thread Richard Hesse
If you have peering relationship with Google, you can use the isp.google.com
portal to self-publish geo information on your netblocks. At least you can
in theory. By their own admission, they have never checked the
self-published URL that I configured over a month ago.

YMMV.

-richard

On Thu, Jun 2, 2016 at 6:19 AM, Maxwell Cole <mcole.mailingli...@gmail.com>
wrote:

> Heya,
>
> Im in the same boat if anyone from google wants to be a dear and help out.
>
> Cheers,
> > On Jun 1, 2016, at 6:28 PM, Chris Boyd <cb...@gizmopartners.com> wrote:
> >
> > I too am having a similar problem.  Used the remediation link at
> https://support.google.com/websearch/contact/ip and it’s only partially
> corrected.  Users who log in to Google are seeing the US google.com page
> after they select the preferred country and languate, but everyone else is
> still getting google.ae.  208.81.245.226 is in Austin, TX.
> >
> > —Chris
> >
> >> On Jun 1, 2016, at 5:17 PM, Peter Loron <pet...@standingwave.org>
> wrote:
> >>
> >> Hello folks. An address we use is not identified as being in the
> correct location by Google. Can someone from their NOC reach out off-list?
> >>
> >> Thanks.
> >>
> >>
> >> Sent from my iPhone
> >>
> >
>
>


Re: BGP peering strategies for smaller routers

2016-05-02 Thread Richard Hicks
Careful with the ASR1000 and full tables at 4GB.

http://www.gossamer-threads.com/lists/cisco/nsp/180710

I recommend adding some third party RAM to get 16GB.

On Mon, May 2, 2016 at 12:07 PM, Mike  wrote:

> Hello,
>
> I have an ASR1000 router with 4gb of ram. The specs say I can get '1
> million routes' on it, but as far as I have been advised, a full table of
> internet routes numbers more than 530k by itself, so taking 2 full tables
> seems to be out of the question (?).
>
>  I am looking to connect to a second ip transit provider and I'm
> looking for any advice or strategies that would allow me to take advantage
> and make good forwarding decisions while not breaking the bank on bgp
> memory consumption. I simply don't understand how this would likely play
> out and what memory consumption mitigation steps may be necessary here. Im
> open to ideas... a pair of route reflectors? selective bgp download? static
> route filter maps?
>
> Thank you.
>
> Mike-
>
>


Re: Cable Operator List

2016-02-04 Thread Richard Holbo
I'm in the middle of pulling some Cisco 7246VXR-UBR's (antiques) and
replacing them with the Huawei D-CMTS devices.  From what I understand of
your needs, the Huawei devices will do what you are looking for.  We are
running 8x4, but can upgrade the licenses to 24x4 if we need the bandwidth,
although at that point you will be more limited by the gig uplink.  I'm
designing them to not serve more than 250 customers per cmts and they are
running a single vlan on the cable side back to an ISC DHCP server with
very simple config files served via tftp.  This allows me to group the
CMTS's for reasonably efficient use of IP.  Have not done IP6 on these yet,
but will fairly soon.
They are actually designed to run as a ONT from the Huawei OLT (GPON), but
will also accept a standard SFP and run off ethernet (that's how I'm doing
it).  Compared to the other small CMTS's I looked at these are hard to
beat. They are hardened and can be mounted anywhere.  The config to do what
I'm using them for is really simple (I'm a big believer in KISS).  Have had
some in service for a few months now with no issues.

I've used some 24 port VDSL switches in the past for MDU's and may actually
pull some of those and use these where there is RG6 house wiring as they
support a LOT more management than any of the smaller DSLAMS I've looked at.

In this configuration I can easily support 100mbit service on DOCSIS 3, and
my unlimited modems will speedtest all the way to 280mbs.


FWIW

/rh

On Tue, Feb 2, 2016 at 10:24 AM, Colton Conor 
wrote:

> Yes, we are in the USA. So based on everyones recommendations, I am going
> to stay far away from EURODOCSIS. I was told by a vendor that Arris and
> other USA FCC certified cable modems could easily be flashed to EURODOCSIS
> mode, so I did not think the CPE side was that big of a deal (is that even
> true). I was not aware that there were so many differences besides just the
> channel width.
>
> So, assuming we are talking about DOCSIS only (and not EURODOCSIS), what do
> you recommend? I like the idea of being able to upgrade to 3.1, but not
> sure if there are any small systems capable of this? By small I mean
> something that could feed less than 100 units, and be economical to do.
> Cable has the advantage of cheap modems, so it's really the CMTS side.
>
> Please remember I am only interested in data internet services over this
> plant. Something that works for garden style layouts where I can bring
> fiber or coaxial to the side of a garden townhome that has between 4 to 16
> units inside of it. The reason I requested a hardened outdoor unit is that
> most all of the garden style properties have both the phone
> and coaxial drops on the outside of the building. There is no central
> closet or room. Plus we are in the south, so hardened for the
> heat exposure makes sense.
>
> A remote MAC-PHY (or pre remote MAC-PHY, ala mini CMTS) sounds like what I
> want. I will check into Huawei and Gainspeed. Who else makes these?
>
>
>
>
> On Tue, Feb 2, 2016 at 11:24 AM, Scott Helms  wrote:
>
> > Nick,
> >
> > Absolutely, if your plant is in Europe or one of the other areas (lots of
> > Africa and the middle East is like that) that adopted EuroDOCSIS I'd
> agree
> > wholeheartedly.  I didn't see Colton say where they're located, but all
> > North America is the US flavor so that's what I assume on NANOG.
> >
> > That being said, the best thing that seldom gets mentioned about D3.1 is
> > getting us to unified channelization.
> > Scott Helms wrote:
> > > That's a very small upside for an extreme downside. Trying to hire someone
> > > to work on your system with Euro channelization, not to mention buying
> > > amplifiers and passives is a huge PITA.
> >
> > ... if your plant is in the US.
> >
> > > I have customers in Europe who
> > > decided to do US DOCSIS and they universally wish they had used the
> > > local "flavor".
> >
> > as you say, eurodocsis works well in europe.
> >
> > 3.1 will be a major improvement when it materialises.
> >
> > Nick
> >
>


Re: de-peering for security sake

2016-01-02 Thread Richard Hesse
Purposefully hosting an "inflammatory" site that the Russians or Chinese
object to is a valid way to get your AS null routed inside those countries.
Same goes for Turkey, India, Australia...

Solves the DDoS and malware problem inside their borders, not yours.
On Dec 25, 2015 4:43 AM, "Max Tulyev"  wrote:

> Come on, keep calm and wait a year: Russia and China will de-peer with
> all the world for their security (AKA censorship) reasons! ;)
>
> On 25.12.15 01:44, Colin Johnston wrote:
> > see
> > http://map.norsecorp.com
> >
> > We really need to ask if China and Russia for that matter will not take
> abuse reports seriously why allow them to network to the internet ?
> >
> > Colin
> >
> >
>
>



Re: i hate october

2015-10-16 Thread Richard Irving


My NANOG membership is older than some of them lived to

:-(

Remember, the only thing worse than cruelty of growing old... is not.


On 10/16/2015 08:06 AM, Rodney Joffe wrote:


Though fewer and fewer of us remember them and why it sucks.

Sigh. RFC2468. I can't believe I missed my midnight reminder on the list.


On Oct 16, 2015, at 7:57 AM, Randy Bush  wrote:

jon postel died this day in 1988
abha ahuja next tuesday
itojun the 29th

arrrgh




Re: i hate october

2015-10-16 Thread Richard Irving

Peaking of growing older

On Oct 16, 2015, at 7:57 AM, Randy Bush  wrote:

jon postel died this day in 1988


   1998


abha ahuja next tuesday
itojun the 29th

arrrgh




Re: i hate october

2015-10-16 Thread Richard Irving


* sigh *

On 10/16/2015 12:46 PM, Richard Irving wrote:

*S*peaking of growing older





Re: 4 byte ASNs through OpenBGPd to old Cisco IOS

2015-09-23 Thread Richard Irving

FWIW, I have single digit NANOG shirts in my closet...
of course, I couldn't *fit* into them... anymore.

It has been almost 20 years.

Time flies eh ?

Seems like just yesterday Bill, John, I and Moses were all having
lunch in Denver.


 ;-)

On 09/23/2015 05:20 PM, Mike Hammett wrote:
Fearing you might be on here, I tried to be fairly non-offensive in my 
post.  ;-)




-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


From: "Richard Irving" <rirv...@antient.org>
To: "Simon Lockhart" <si...@slimey.org>, "Mike Hammett" <na...@ics-il.net>
Cc: "NANOG" <nanog@nanog.org>
Sent: Wednesday, September 23, 2015 4:19:23 PM
Subject: Re: 4 byte ASNs through OpenBGPd to old Cisco IOS


   Typo.

They did, and it *has* now formed peering with the RSD.

Thanks!

12.4(24)T is the first version from that IOS train that natively
supports 4 byte ASN's.

We can upgrade at a more convenient time and date.

:-)

On 09/23/2015 05:04 PM, Simon Lockhart wrote:
> On Wed Sep 23, 2015 at 03:37:31PM -0500, Mike Hammett wrote:
>> Do any of you have any useful input other than they need to upgrade their IOS
>> to something newer than 4.5 years old?
> I recently went through a very similar issue, and was convinced it was related
> to 32 bit ASNs.
>
> Are they seeing this error?
> Sep 1 08:40:41.506 UTC: %BGP-3-NOTIFICATION: sent to neighbor xxx.xxx.xxx.xxx 3/11 (invalid or corrupt AS path) 11 bytes 40020802 033C3424 580097
>
> If so, have they configured "no bgp enforce-first-as" in their BGP router
> config?
>
> Simon






Re: 4 byte ASNs through OpenBGPd to old Cisco IOS

2015-09-23 Thread Richard Irving

They did, and it now formed peering with the RSD.

Thanks!

12.4(24)T is the first version from that IOS train that natively
supports 4 byte ASN's.


We can upgrade at a more convenient time and date.

:-)

On 09/23/2015 05:04 PM, Simon Lockhart wrote:

On Wed Sep 23, 2015 at 03:37:31PM -0500, Mike Hammett wrote:

Do any of you have any useful input other than they need to upgrade their IOS
to something newer than 4.5 years old?

I recently went through a very similar issue, and was convinced it was related
to 32 bit ASNs.

Are they seeing this error?
Sep 1 08:40:41.506 UTC: %BGP-3-NOTIFICATION: sent to neighbor xxx.xxx.xxx.xxx 
3/11 (invalid or corrupt AS path) 11 bytes 40020802 033C3424 580097

If so, have they configured "no bgp enforce-first-as" in their BGP router
config?

Simon
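The 11 bytes in Simon's NOTIFICATION line are a complete AS_PATH attribute. The decoder below, an added example rather than code from the thread, parses them with 2-byte ASNs (what a 12.4 image without AS4 support sees) and applies the enforce-first-as test that produced the 3/11; the route server ASN is a constructed placeholder.

```python
"""Decode the AS_PATH attribute quoted in the BGP NOTIFICATION above and
apply the check that rejected it (added example, not code from the thread)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

AS_TRANS = 23456      # ASN a 2-byte-only speaker sees in place of any 4-byte ASN (RFC 6793)
AS_SET, AS_SEQUENCE = 1, 2
ATTR_AS_PATH = 2
ATTR_FLAG_EXTENDED_LENGTH = 0x10

# The 11 bytes from Simon's %BGP-3-NOTIFICATION log line, copied verbatim.
LOGGED_ATTR_HEX = "40020802 033C3424 580097"


@dataclass
class AsPath:
    flags: int
    segments: List[Tuple[int, List[int]]]   # (segment type, ASNs in order)

    def first_as(self) -> Optional[int]:
        """Leftmost ASN in the path, i.e. the AS that handed us the route."""
        for _, asns in self.segments:
            if asns:
                return asns[0]
        return None

    def uses_as_trans(self) -> bool:
        """True when a 4-byte ASN was squashed to AS_TRANS for an OLD speaker."""
        return any(AS_TRANS in asns for _, asns in self.segments)


def parse_as_path_attr(raw: bytes, asn_width: int = 2) -> AsPath:
    """Parse one path attribute (flags, type, length, value) carrying AS_PATH.

    asn_width is 2 for an OLD speaker such as an IOS image without AS4
    support and 4 when the AS4 capability was negotiated on the session.
    """
    if asn_width not in (2, 4):
        raise ValueError("asn_width must be 2 or 4")
    if len(raw) < 3:
        raise ValueError("attribute shorter than its header")
    flags, type_code = raw[0], raw[1]
    if type_code != ATTR_AS_PATH:
        raise ValueError(f"attribute type {type_code} is not AS_PATH")
    if flags & ATTR_FLAG_EXTENDED_LENGTH:
        length, body = int.from_bytes(raw[2:4], "big"), raw[4:]
    else:
        length, body = raw[2], raw[3:]
    if len(body) != length:
        raise ValueError(f"length field says {length} bytes, got {len(body)}")
    segments, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated segment header")
        seg_type, count = body[pos], body[pos + 1]
        pos += 2
        need = count * asn_width
        if seg_type not in (AS_SET, AS_SEQUENCE) or pos + need > len(body):
            raise ValueError("malformed AS_PATH segment")
        asns = [int.from_bytes(body[pos + i * asn_width:pos + (i + 1) * asn_width], "big")
                for i in range(count)]
        pos += need
        segments.append((seg_type, asns))
    return AsPath(flags, segments)


def first_as_ok(path: AsPath, neighbor_asn: int) -> bool:
    """The test IOS 'bgp enforce-first-as' applies to every eBGP UPDATE: the
    leftmost AS must be the neighbor's own AS.  A route server relays its
    clients' paths without prepending its own ASN, so the check fails and IOS
    sends NOTIFICATION 3/11; 'no bgp enforce-first-as' disables the check."""
    return path.first_as() == neighbor_asn


def decode_logged_path() -> AsPath:
    """Decode the attribute bytes from the log line as a 2-byte speaker would."""
    return parse_as_path_attr(bytes.fromhex(LOGGED_ATTR_HEX.replace(" ", "")), asn_width=2)


if __name__ == "__main__":
    path = decode_logged_path()
    # flags 0x40: well-known transitive; one AS_SEQUENCE of three 2-byte ASNs
    print(path.segments)                          # [(2, [15412, 9304, 151])]
    ROUTE_SERVER_ASN = 64496   # constructed placeholder, not the real route server's AS
    print(first_as_ok(path, ROUTE_SERVER_ASN))    # False: 3/11 while enforce-first-as is on
```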




Re: Experience on Wanguard for 'anti' DDOS solutions

2015-08-28 Thread Richard Hesse
We've tried their products off and on for the past 3-4 years. Here are
my impressions:

* UI stuck in 1999. Can't click zoom, drill down, etc.
* Inflexible UI. Want a bandwidth graph with only egress or ingress? Too bad.
* Inexpensive. I don't like that it's licensed yearly, but it's not
too much money.
* Inaccurate flow processing. Do you have iBGP peering sessions
between border routers? WANGuard will struggle mightily to correctly
classify the traffic as internal or external.
* Yes, it runs out of memory quickly during a spoofed SYN flood with
many sources. This is due to setting the Top generator to Full. If you
just want to mitigate and not have any insight into network data, set
this to Extended and you'll be fine. But if you want to use
WANGuard/WANSight as a network intelligence tool as well, you need to
set the generator to Full and it will fall over.
* Doesn't process IPFIX flow data properly. There's an old thread on
the j-nsp list about this. Basically their support claims Juniper is
broken (which I don't doubt) but then refuses to work around the
issue. None of our other flow processing tools have these problems.
* Support is responsive at times and is always cranky. I brought them
two bona fide bugs in their product that they refused to admit. It got
to the point where I asked for my money back and I think someone in
sales lit up their support team. I get the feeling that the support
team is staffed with employees who really don't like their job or
working with customers. A bad combination.
* The TAP generators with Myricom cards work well. The docs say you
can use SolarFlare for TAPs but they don't work at all. Again, they
blame SolarFlare and say that the cards are too complicated... but
fail to update their documentation saying this.
* Doesn't support any kind of layer 7 detection or filtering. It's all
very rudimentary layer 3-4 stuff. Considering how easy it is to block
layer 3/4 attacks on your own, their filtering clusters don't offer
much value.
* No real scale out solution on the detection side. It's basically
scale up your server or use clunky tech like NFS to share out
directories across managers.
* Works well enough to get you a rough idea of what's going on. It's
also decently cheap.

We use it as one part of our attack detection toolset. We don't use it
for on-site attack mitigation. I'd recommend it if you don't want to
use flow data and only want to use it for intelligence on TAP ports.

-richard

On Mon, Aug 10, 2015 at 6:58 AM, Marcel Duregards
marcel.durega...@yahoo.fr wrote:
 Dear Nogers,
 We are currently evaluating some DDOS detection/mitigation solutions.
 Do you have any inputs/experiences on Wanguard from Andrisoft, please?
 https://www.andrisoft.com/software/wanguard
 Currently we are just interested on the packets/flows sensors with the 
 console for detection and RTBH trigger. Maybe the packet filtering (for 
 scrubbing) will come later.
 Best Regards,
 -Marcel Duregards





Re: Experience on Wanguard for 'anti' DDOS solutions

2015-08-10 Thread Richard Holbo
We are currently using Wanguard.  Have had it in place for about 6 months.
Have not setup BGP peering with my edges to blackhole inbound traffic yet
simply because I haven't had time, but the product itself seems to be
pretty full featured and has lots of options and a pretty reasonable
interface.  I've got two netflow sensors running against Huawei NE40
routers with full routes.  For now (I get two or three 2G+ DDOS a month)
it's been enough to see the alert and manually blackhole it.

Getting ahold of support can be a bit of a chore, but they do respond, and
the manual is good.

Have you setup the Demo yet?

/rh

On Sun, Aug 9, 2015 at 11:58 PM, Marcel Duregards marcel.durega...@yahoo.fr
 wrote:

 Dear Nogers,
 We are currently evaluating some DDOS detection/mitigation solutions.
 Do you have any inputs/experiences on Wanguard from Andrisoft, please ?
 https://www.andrisoft.com/software/wanguard
 Currently we are just interested on the packets/flows sensors with the
 console for detection and RTBH trigger. Maybe the packet filtering (for
 scrubbing) will come later.
 Best Regards,
 -Marcel Duregards






Re: Fwd: [ PRIVACY Forum ] Windows 10 will share your Wi-Fi key with your friends' friends

2015-07-06 Thread Richard Golodner
There is a reason why my family loves open source. My kid is learning 
Linux and she doesn't even know it. Mommy has an Android...


On 07/06/2015 12:53 PM, Jay Ashworth wrote:

From Lauren, a new feature in Windows 10 I think this community probably
wants to know about, to the extent you don't already.

I *knew* I didn't like W10.  :-)

Cheers,
-- jra

- Forwarded Message -

From: PRIVACY Forum mailing list priv...@vortex.com
To: privacy-l...@vortex.com
Sent: Wednesday, July 1, 2015 8:03:06 PM
Subject: [ PRIVACY Forum ] Windows 10 will share your Wi-Fi key with your 
friends' friends
Windows 10 will share your Wi-Fi key with your friends' friends

http://www.theregister.co.uk/2015/06/30/windows_10_wi_fi_sense/

In an attempt to address the security hole it has created, Microsoft
offers a kludge of a workaround: you must add _optout to the SSID (the
name of your network) to prevent it from working with Wi-Fi Sense. (So
if you want to opt out of Google Maps and Wi-Fi Sense at the same time,
you must change your SSID of, say, myhouse to myhouse_optout_nomap.
Technology is great.) Microsoft enables Windows 10's Wi-Fi Sense by
default, and access to password-protected networks is shared with
contacts unless the user remembers to uncheck a box when they first
connect. Choosing to switch it off may make it a lot less useful, but
would make for a more secure IT environment.

- - -

--Lauren--
Lauren Weinstein (lau...@vortex.com): http://www.vortex.com/lauren
Founder:
- Network Neutrality Squad: http://www.nnsquad.org
- PRIVACY Forum: http://www.vortex.com/privacy-info
Co-Founder: People For Internet Responsibility:
http://www.pfir.org/pfir-info
Member: ACM Committee on Computers and Public Policy
Lauren's Blog: http://lauren.vortex.com
Google+: http://google.com/+LaurenWeinstein
Twitter: http://twitter.com/laurenweinstein
Tel: +1 (818) 225-2800 / Skype: vortex.com
___
privacy mailing list
http://lists.vortex.com/mailman/listinfo/privacy




Re: Fwd: [ PRIVACY Forum ] Windows 10 will share your Wi-Fi key with your friends' friends

2015-07-06 Thread Richard Golodner
I long for the days of a good old-fashioned bar that made calls and
received them.
   The smart phones are smarter than I am, but that is not much of a
challenge either!


On 07/06/2015 04:15 PM, rdrake wrote:

On 07/06/2015 02:16 PM, Richard Golodner wrote:

Mommy has an Android...
Android shares your wifi password with Google.  Including the password 
of everyone's wifi you've ever logged into.


http://www.computerworld.com/article/2474851/android-google-knows-nearly-every-wi-fi-password-in-the-world.html 


Re: Low Cost 10G Router

2015-05-19 Thread Richard Holbo
Huawei NE40E-X1-M4

I've two of these with full routes and so far (4 months) they've functioned
perfectly, and the price point is... inexpensive.

/rh

On Tue, May 19, 2015 at 10:22 AM, Colton Conor colton.co...@gmail.com
wrote:

 What options are available for a small, low cost router that has at least
 four 10G ports, and can handle full BGP routes? All that I know of are the
 Juniper MX80, and the Brocade CER line. What does Cisco and others have
 that compete with these two? Any other vendors besides Juniper, Brocade,
 and Cisco to look at?



Re: Intellectual Property in Network Design

2015-02-12 Thread Richard Porter


 On Feb 12, 2015, at 5:43 PM, Ahad Aboss a...@telcoinabox.com wrote:
 
 Hi Skeeve,
 
 In a sense, you are an artist as network architecture is an art in itself.
 It involves interaction with time, processes, people and things or an
 intersection between all.
And to that, artwork would fall under copyright *Sarcasm*? +1 on art form! More 
like an abstract martial art really. PacketFu!
 
 As an architect, you analyze customer needs and design a solution using
 your creative ideas to address their business driven needs today. In some
 ways, this is easier because creating a
If you are a consultant wouldn’t that fall under work for hire? If you are an 
employee? Check the contract, I am betting there is a clause for IP ownership!

 business centric network provides you some parameters to design within.
 You might mix and match technologies that will suit one business better
 than the other but it's your creative ideas. It's not secrets of their
 trade that you replicate or takeaway. You are master of the trade and you
 design a solution that works best for them.
 
 While some design principles for application service provider, enterprise,
 carrier or ISP have similarities, no two networks are the same.

 
 If you don't claim IP on the design or publish company names you've done
 the designs for, under what jurisdiction can they claim what you designed
 is their IP? What if their requirement changes in 6 months from now?
 
 If an architect designs a road system in a particular way, does it mean
 he/she can't design another road again because of IP issue?
 
 I would tend to disagree.
+1
 
 It may not answer your questions but I hope it provides some content to
 support your case :)
 
 Regards,
 Ahad
 
 
 -Original Message-
 From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Owen DeLong
 Sent: Friday, 13 February 2015 6:46 AM
 To: William Herrin
 Cc: nanog@nanog.org
 Subject: Re: Intellectual Property in Network Design
 
 The extent to which this is technically feasible and how one must go about
 it actually varies greatly from jurisdiction to jurisdiction.
 
 Something well worth considering given the number of jurisdictions already
 mentioned in the current discussion.
 
 There are a number of possible concerns that the customer in question may
 be attempting to solve with their request. The first step is to identify
 which concern(s) they want to address.
 
   1.  Do they want to make sure that they have sufficient rights in
   the design that they can replicate/modify/otherwise use it
   without further compensating you?

   2.  Do they want to make sure that you surrender your rights in
   the design so that you are not able to provide an identical
   solution to another customer in the future and/or that you do
   not use their design as an example or case study for your
   marketing purposes?

   3.  Do they not really have a concern, but someone told them
   that it was important to ask this question?

   4.  Do they want to make sure this is treated as a work for hire
   with all the legal implications that carries?
 
 There are probably others that I am not thinking of at the moment.
 
 Owen
 
 On Feb 12, 2015, at 08:18 , William Herrin b...@herrin.us wrote:
 
 On Thu, Feb 12, 2015 at 7:36 AM, Skeeve Stevens
 skeeve+na...@eintellegonetworks.com wrote:
 Actually Bill... I have two (conflicting) perspectives as I said
 but to
 clarify:
 
 1) A customer asked 'Can you make sure we have the IP for the network
 design' which I was wondering if it is even technically possible
 
 Hi Skeeve,
 
 IANAL but I play one when I can get away with it.
 
 This is usually covered as, Contractor agrees to provide Customer
 with all documents, diagrams, software or other materials produced in
 the course of the contract. Contractor shall upon request assign all
 ownership of such materials to Customer. Contractor shall retain no
 copies of said material following termination of the contract.
 
 So yes, it's technically feasible.
 
 
 2) If I design some amazing solutions... am I able to claim IP.
 
 If it's copyrightable (a solution may be), then as a contractor (not
 an employee) the copyright vests in you. If the contract states that
 you agree to transfer it to the customer then you breach the contract
 if you don't.
 
 If the contract says the copyrights are theirs then at least that part
 of the contract is probably void. Barring W2 employment copyrights
 nearly always vest in the individual who first put them in to a
 tangible form. There are explicit and narrow exceptions in the law.
 Preface of a book. That sort of thing. It's unlikely you'll run afoul
 of any of them.
 
 Lawyers get this wrong shockingly often. IP doesn't vest in the
 customer and can't be transferred until it exists. The creator is a W2
 employee. The contractor agrees to transfer it following 

Re: Recommended L2 switches for a new IXP

2015-01-15 Thread Richard Hartmann
On Tue, Jan 13, 2015 at 4:45 PM, Stephen R. Carter
stephen.car...@gltgc.org wrote:
 We love our 5100s here.

Out of interest: Are you running 13.2 or 14.1?

What features are you using?


Our own experiences with a bunch of 48 & 96 port machines running 14.1
are painful to say the least.


Richard


Re: A case against vendor-locking optical modules

2014-11-25 Thread Richard Hesse
I've found the best method of dealing with vendors like this is to treat
them the same way they treat you. If they won't listen to technical
arguments and act like stubborn children, then I act the same way. Threaten
to take your ball and go home. Or buy everything used or from grey market
vendors. It works pretty well. The vendor/client relationship is a two-way
street, and they should be reminded of that.

Especially when dealing with commodity whitebox switch vendors like
Arista...who can easily be replaced with another whitebox switch vendor and
$networkOS.

-richard

On Tue, Nov 18, 2014 at 7:05 PM, Naslund, Steve snasl...@medline.com
wrote:

 They want the ability to buy off the shelf components when they
 manufacture.  They just don't want you to have the same privilege when you
 purchase.  Your switches and routers are made of a bunch of OEM components
 with some custom programmed ASICS and some secret sauce.  If they used non
 standard interface specs their costs would go through the roof as their
 power supplies, memory, storage, and NICS would be all custom development.

 Steven Naslund
 Chicago IL


  On Nov 18, 2014, at 12:42 PM, Baldur Norddahl 
 baldur.nordd...@gmail.com wrote:
 
  If they really wanted to lock you in, they would have triangular modules
  instead of square...
 
  Or I suppose the vendors like to be able to shop around for modules,
 before
  they relabel and sell them to you at a 10x markup.



Re: IPv6 Default Allocation - What size allocation are you giving out

2014-10-09 Thread Richard Hicks
Sixty replies and no one linked to the BCOP?
Is there a reason we are ignoring it?

http://bcop.nanog.org/index.php/IPv6_Subnetting

As we recently discovered ARIN is handing out IPv6
allocations on nibble boundaries.

Either a /32 or /28 for service providers.  A justification and
utilization plan is needed to get a /28.  It is also double the cost
per year.


On Thu, Oct 9, 2014 at 9:01 AM, Owen DeLong o...@delong.com wrote:


 On Oct 9, 2014, at 7:22 AM, Daniel Corbe co...@corbe.net wrote:

 
  Mark Andrews ma...@isc.org writes:
 
  In message 54366ab9.3040...@gmail.com, Paige Thompson writes:
   makes more sense to hand out /48s imho. there's only a mere 65k /48s per
  /32 (or something like that), though.
 
  A /32 is the minimum allocation to a ISP.  If you have more customers
  or will have more customers request a bigger block from the RIRs.
 
  Mark
 
  Has anyone successfully gotten a RIR to assign anything bigger than a
  /32?  I seem to recall in recent history someone tried to obtain a /31
  through ARIN and got smacked down.

 I think I answered this before you asked it, but yes, easily on multiple
 occasions. The largest two allocations I have worked on were /24s, but I’m sure
 those are not ARIN’s largest allocations.

  Even if you're assigning a /56 to every end user, that's still on the
  order of 16 million allocations.  I can't imagine anyone but the truly
  behemoth access network operators being able to justify a larger
  allocation with a straight face.

 You should, however, be assigning a /48 to every end user and that’s only
 65,536 allocations.

 Further, you want to be able to aggregate at least one level in your network,
 so you may not be able to get anything close to 100% efficiency in that
 distribution.

 ARIN policy, for example, defines what is known as a Provider Allocation
 Unit (PAU).

 Your PAU is the smallest allocation you give to your customers, so if you’re
 giving out /64s, then your PAU becomes /64. If you’re giving out /56s, then
 your PAU is /56. As such, you’re better off to give /48s to everyone because
 that sets your PAU at /48.

 All of your utilization is measured in terms of PAUs.

 You then pick an aggregation level in your network to use as your “serving
 center” definition. It could be the POP, or some higher level of aggregation
 containing multiple POPs.

 Look at the number of end sites served by the largest of those “serving
 centers” and round that up to a power of 16 (a nibble boundary, e.g. 16, 256,
 4096, 65536) such that the number of end sites is not more than 75% of the
 chosen power of 16.

 Then take the number of “serving centers” you expect to have in ~5 years
 (though the exact forward looking time is not actually specified in policy)
 and round that up to a nibble boundary as well.

 That is the size of allocation you can get from ARIN.

 So, for example, if you have 800,000 end-sites served from your largest POP
 and you have 400 POPs, then, 800,000 would be rounded up to 16,777,216 (24
 bits) and your 400 POPs would be rounded up to 4096 (12 bits) so you would
 end up needing 36 bits. If your PAU is /48, you would apply for and receive
 a /12.

 Obviously this is an unusually large example.

 At a more realistic large ISP scale, let’s say you’ve got 5,000,000
 subscribers in your largest serving center, but only 25 serving centers.

 This would, again, round up to 16,777,216 (24 bits) subscribers per serving
 center. But your 25 serving centers would round up to 256 (8 bits). That’s 32
 bits, so instead of a /12, you’d get a /16.


 I hope that clarifies things for people.

 Owen
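Owen's recipe (PAU, 75% rule on end sites, nibble rounding of serving centers, /32 ISP minimum from earlier in the thread) as a small calculator. This is an added example, not ARIN tooling or code from the thread, and it reproduces both of his worked cases.

```python
"""Work Owen's ARIN sizing recipe as code (added example, not from the thread).

Inputs are the numbers the post uses: end sites behind the largest serving
center, number of serving centers, and the PAU (smallest prefix handed to a
customer).  Nothing here is ARIN's own tooling."""
from dataclasses import dataclass

ISP_MINIMUM_PREFIX = 32   # the /32 minimum ISP allocation mentioned in the thread
VALID_PAUS = (48, 56, 64)


def nibble_bits(count: int, max_fill: float = 1.0) -> int:
    """Bits needed for `count` items, rounded up to a nibble boundary (4 bits,
    i.e. a power of 16) so that count <= max_fill * 2**bits.

    Owen's rule for end sites is max_fill = 0.75: 800,000 sites exceed 75% of
    2**20, so they round up to 2**24.  Serving centers use plain rounding."""
    if count < 1:
        raise ValueError("count must be at least 1")
    bits = 0
    while (2 ** bits) * max_fill < count:
        bits += 4
    return bits


@dataclass
class Sizing:
    site_bits: int
    center_bits: int
    pau: int
    prefix: int          # the prefix length to request from ARIN

    @property
    def pau_count(self) -> int:
        """How many customer blocks of size /pau the allocation holds."""
        return 2 ** (self.pau - self.prefix)


def size_allocation(end_sites_in_largest_center: int,
                    serving_centers: int,
                    pau: int = 48) -> Sizing:
    """Prefix length = PAU minus (site bits + serving-center bits), never
    longer than the /32 ISP minimum."""
    if pau not in VALID_PAUS:
        raise ValueError(f"PAU must be one of {VALID_PAUS}")
    site_bits = nibble_bits(end_sites_in_largest_center, max_fill=0.75)
    center_bits = nibble_bits(serving_centers)
    prefix = pau - site_bits - center_bits
    if prefix < 0:
        raise ValueError("more end sites than the PAU can address")
    return Sizing(site_bits, center_bits, pau, min(prefix, ISP_MINIMUM_PREFIX))


if __name__ == "__main__":
    big = size_allocation(800_000, 400)          # Owen's first example
    print(f"/{big.prefix}: {big.site_bits}+{big.center_bits} bits below /{big.pau}")  # /12: 24+12 bits below /48
    large = size_allocation(5_000_000, 25)       # his "realistic large ISP"
    print(f"/{large.prefix}")                                                         # /16
    small = size_allocation(1_000, 2)            # falls back to the /32 minimum
    print(f"/{small.prefix} holds {small.pau_count} /48s")                            # /32 holds 65536 /48s
```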





Re: IPv6 Default Allocation - What size allocation are you giving out

2014-10-09 Thread Richard Hicks
On Thu, Oct 9, 2014 at 10:40 AM, William Herrin b...@herrin.us wrote:

 On Thu, Oct 9, 2014 at 12:29 PM, Richard Hicks richard.hi...@gmail.com
 wrote:
  Sixty replies and no one linked to the BCOP?
  Is there a reason we are ignoring it?

 Hi Richard,

 It's dated (a *lot* about IPv6 has changed since 2011) and a we've
 learned enough to know some of the things in there are dubious. For
 example:

 Regardless of the number of hosts on an individual LAN or WAN
 segment, every multi-access network (non-point-to-point) requires at
 least one /64 prefix.

 But using /64s on WAN links invites needless problems with neighbor
 discovery when an attacker decides to send one ping each to half a
 million addresses all of which happen to land on that WAN link. WAN
 links should really use something whose size is much closer to the
 number of routers on the link, in the same order of magnitude anyway.
 So /64s for LANs, sure, but size the WAN links small to make them less
 vulnerable to attack.


The BCOP specifically addresses this in 4b:
 b. Point-to-point links should be allocated a /64 and configured with a
/126 or /127


 And:

 Only subnet on nibble boundaries is not reasonable. When I need two
 LANs in a building I should burn 14 more to get to a nibble boundary?
 Really?

 Only delegate on nibble boundaries is a more reasonable statement.
 When you assign addresses to your customer or to a different internal
 team's control, THAT should be on a nibble boundary for the customer's
 convenience understanding the written-down version of what network is
 theirs and for your convenience when it comes time to delegate reverse
 DNS.

 Inside your network under control of the same engineers, subnet and
 route just as you would with IPv4.

 Regards,
 Bill Herrin



 --
 William Herrin  her...@dirtside.com  b...@herrin.us
 Owner, Dirtside Systems . Web: http://www.dirtside.com/
 May I solve your unusual networking challenges?



Re: A few Baltimore tips for this week

2014-10-06 Thread Richard Irving

/lurk

Anyone coming or leaving via BWI airport :

http://www.bwiairport.com/en/shops/shop-dine/store/obryckisab/

*Obrycki's* is an absolute *must* for Authentic Maryland crab cakes, the ones
they show on the food channel, and my grandmother made.
Get them *pan fried*, ignore all the other pretend methods of creating an
Authentic Maryland Crab cake, they are not authentic.

You may want to eat them with Heinz on the side, like a dip.
Don't worry about asking for ketchup, no chef in Maryland will complain,
it will probably be on the table, anyway.

Next time you see Bobby Flay winning a throw down with Maryland
Blue Crab, Crab Cakes, you can say you have had the real thing,
and will understand *why* he won.

   And heed our good friends' advice here, and don't get too far
off the beaten path.  You may become a Bawlmer Merlund statistic, hon.

lurk
On 10/06/2014 01:11 PM, Rich Kulawiec wrote:

Restaurants worth visiting: the Waterfront Kitchen (pricey, worth it,
harbor views), The Helmand (Afghan, delicious, charming hosts),
McCormick & Schmick's (seafood, harbor views), The Black Olive (Greek),
B&O Brasserie (great cocktails too), Sotto Sopra (Italian),
Da Mimmo's (Italian)





IPV6 Multicast Listener storm control?

2014-09-22 Thread Richard Holbo
(originally posted to wispa ipv6 list, and someone there mentioned that
folks here might have some suggestions, so apologize if you are a member of
both.)

I am seeing issues with IPV6 multicast storms in my network that are fairly
low volume (1-2mbit), but that are causing service disruptions due to CPU
load on the switches and that the network is a Point to MultiPoint wireless
network.

I have about 500 IPV4 clients on a vlan served by Cisco ME3400, Catalyst
3750 and 3560 switches.  These are switched back to a routed interface and
IP addresses are assigned by DHCP.  We are not using IPV6 at all, and I
don't have control of the clients.

What I'm seeing is IPV6 Multicast Listener requests from a single client
(different clients at different times) going out on the network, the
switches manage them in software, so CPU goes up (not a lot, but it seems
to impact performance quite a bit), but the larger problem is that all
other IPV6 clients respond to the multicast broadcast address generating a
1-2mbit storm of traffic to all ports all the time.  This then transits the
bandwidth constrained wireless network in a steady state, causing high
collisions which causes _significant_ performance degradation in the
wireless network.

It would appear that this is _generally_ caused by Dell or HP workstations
with buggy network interface cards in hibernate mode.

http://blog.bimajority.org/2014/09/05/the-network-nightmare-that-ate-my-week/

http://packetpushers.net/good-nics-bad-things-blast-ipv6-multicast-listener-discovery-queries/

Now it looks like from my reading that CISCO MLD snooping would _help_ with
this, though it would not stop the offender from generating the multicast
requests, it might keep it from reaching _all_ ports, but it would still
affect any ports that had _subscribed_ IPV6 clients, and it would require
changing the SDM template and a reload on all the switches.  So not a real
answer and very painful.

Right now, I'm just tracking the source down and shutting it off.  Do not
really want to get into an argument about switched vs routed, and am
working on reducing the size of the broadcast domain now, but this is a new
issue, and I need to come up with some kind of plan to resolve with my
current equipment/network.

Any thoughts?? Ideas?  I suspect this will become more of an issue for more
folks in the near future.

/thanks

-- 
Richard Holbo
Southern Oregon Network Support Services
richard.ho...@sonss.net - 541.890.8067
http://www.sonss.net
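The quickest way to find the offending host is to look at who is sending MLD queries at all: on a segment like the one described, only the router's interface should ever originate an MLD query (type 130), and RFC 2710 requires the source to be link-local. The script below, added here as an example and not code from the original post or the linked write-ups, parses raw Ethernet/IPv6 frames (walking past the hop-by-hop header that carries MLD's Router Alert option), counts queries and reports per source, and flags any querier that is not the known router or that uses a non-link-local source. The frames, the querier address fe80::1 and the MAC addresses are constructed for the example; on a real segment you would feed it frames captured from a mirror port.

```python
"""Flag hosts sending MLD queries on a switched IPv6 segment.

Added example for the post above; not code from the original post or any
vendor. The frames below are constructed test data (ICMPv6 checksum left at
zero and not verified); feed captured raw frames in place of SAMPLE_FRAMES.
"""
import ipaddress
import struct
from collections import Counter
from dataclasses import dataclass, field

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_HOPOPTS = 0        # hop-by-hop options header (carries MLD's Router Alert)
IPPROTO_ICMPV6 = 58
MLD_QUERY = 130            # RFC 2710/3810: only the link's querier (a router) sends these
MLD_V1_REPORT = 131
MLD_V1_DONE = 132
MLD_V2_REPORT = 143


def parse_ipv6_icmp(frame):
    """Return (src, dst, icmpv6_type) for an Ethernet/IPv6 frame carrying ICMPv6,
    skipping one hop-by-hop header if present; None for anything else."""
    if len(frame) < 14 + 40 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV6:
        return None
    ip6 = frame[14:]
    next_hdr = ip6[6]
    src = ipaddress.IPv6Address(ip6[8:24])
    dst = ipaddress.IPv6Address(ip6[24:40])
    off = 40
    if next_hdr == IPPROTO_HOPOPTS:
        if len(ip6) < off + 2:
            return None
        next_hdr = ip6[off]
        off += (ip6[off + 1] + 1) * 8   # Hdr Ext Len counts 8-octet units after the first 8
    if next_hdr != IPPROTO_ICMPV6 or len(ip6) < off + 4:
        return None
    return src, dst, ip6[off]


@dataclass
class Findings:
    queries_by_source: Counter = field(default_factory=Counter)
    reports_by_source: Counter = field(default_factory=Counter)
    rogue_queriers: dict = field(default_factory=dict)     # queries from anything but the known querier
    non_link_local_queriers: list = field(default_factory=list)
    ignored: int = 0


def analyze_frames(frames, known_queriers):
    """Count MLD queries/reports per source and flag sources that should not be
    sending queries: anything other than the known querier(s), and any query
    with a non-link-local source (RFC 2710 requires a link-local source)."""
    known = {ipaddress.IPv6Address(a) for a in known_queriers}
    f = Findings()
    for frame in frames:
        parsed = parse_ipv6_icmp(frame)
        if parsed is None:
            f.ignored += 1
            continue
        src, _dst, icmp_type = parsed
        if icmp_type == MLD_QUERY:
            f.queries_by_source[str(src)] += 1
            if not src.is_link_local and str(src) not in f.non_link_local_queriers:
                f.non_link_local_queriers.append(str(src))
        elif icmp_type in (MLD_V1_REPORT, MLD_V1_DONE, MLD_V2_REPORT):
            f.reports_by_source[str(src)] += 1
        else:
            f.ignored += 1
    f.rogue_queriers = {s: n for s, n in f.queries_by_source.items()
                        if ipaddress.IPv6Address(s) not in known}
    return f


def build_mld_frame(src_ip, dst_ip, icmp_type, group="::"):
    """Construct an Ethernet/IPv6/HBH/ICMPv6 frame for testing (constructed data;
    checksum left zero, only the ICMPv6 type byte matters to the parser)."""
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 0, 0) + ipaddress.IPv6Address(group).packed
    hbh = bytes([IPPROTO_ICMPV6, 0, 5, 2, 0, 0, 1, 0])  # next=ICMPv6, len=0, RouterAlert(MLD), PadN
    ip6 = struct.pack("!IHBB", 0x60000000, len(hbh) + len(icmp), IPPROTO_HOPOPTS, 1)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address(dst_ip).packed
    eth = bytes.fromhex("333300000001" "001122334455") + struct.pack("!H", ETHERTYPE_IPV6)
    return eth + ip6 + hbh + icmp


# Constructed sample capture: one legitimate general query from the router,
# a burst of queries from a sleeping workstation, two MLDv2 reports, a query
# from a global (non-link-local) source, and one IPv4 frame the parser ignores.
IPV4_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0800") + bytes(40)
SAMPLE_FRAMES = (
    [build_mld_frame("fe80::1", "ff02::1", MLD_QUERY)]
    + [build_mld_frame("fe80::dead:beef", "ff02::1", MLD_QUERY) for _ in range(5)]
    + [build_mld_frame("fe80::2", "ff02::16", MLD_V2_REPORT),
       build_mld_frame("fe80::3", "ff02::16", MLD_V2_REPORT),
       build_mld_frame("2001:db8::5", "ff02::1", MLD_QUERY),
       IPV4_FRAME]
)
KNOWN_QUERIERS = ["fe80::1"]   # the routed interface's link-local address (assumed)

if __name__ == "__main__":
    result = analyze_frames(SAMPLE_FRAMES, KNOWN_QUERIERS)
    for src, n in sorted(result.rogue_queriers.items(), key=lambda kv: -kv[1]):
        print(f"rogue MLD querier {src}: {n} queries")
    print("non-link-local query sources:", result.non_link_local_queriers)
```

Run against a capture, the host with the largest rogue query count is the one to hunt down; the source MAC of those frames (bytes 6 to 12 of the frame) maps back to the switch port via the MAC table. Note that the parser only skips one hop-by-hop header and does not verify the ICMPv6 checksum, which is fine for triage but not for anything that acts on the result automatically.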


Urgent...

2014-08-18 Thread Richard Golodner
All kidding aside, did someone contact the OP off-list to get him the
help he needs?
Richard



Re: On a future of open settlement free peering

2014-07-29 Thread Richard Bennett
 and Netflix are actually their 
own worst enemies, see: 
http://apps.fcc.gov/ecfs/document/view?id=7521706465 , page 13, and 
http://apps.fcc.gov/ecfs/document/view?id=7521389953 , page 8.


So yeah, the demand for free and open interconnection is front and 
center, and it tends to submerge questions about the obligations of 
traffic sources to deliver to the best locations in an efficient way. 
There certainly are opportunities for abuse on both sides of the gateway.


RB

On 7/29/14, 10:30 AM, William Herrin wrote:

Howdy folks,

It seems to me that we're moving in a direction where either
ratioless, high-capacity settlement-free peering will be a industry
requirement exercised voluntarily, or where some heavy-handed
government regulation will compel some kind of interconnection that
the holdouts find even less desirable. I can only hope the holdouts
will see the light before the weight of government crashes down on
them -- regulation has no winners, only losers and bigger losers. And
sometimes the worst thing that can happen is you get what you ask for
with no opportunity to later change your mind.

I'm curious what lies beyond that horizon. If we stipulate for the
sake of the discussion that open peering is the way it going to be, a
critical part of network neutrality, what exactly will that mean?


Will it be permissible for one network to ask the other to pay a
one-time port cost for the initial interconnect, assuming its
representative of the actual cost of a one-time equipment addition?

To what degree is redundancy a requirement? If a network refuses to
peer in more than one chancy location, does that mean their peering
policy isn't really open?

Will a network be compliant if the open peering connections are only
available in its own data center? Or will they need to be available in
neutral data centers?

Would a refusal to connect to neutral peering fabrics constitute a
refusal to connect to smaller networks? Or is it reasonable to state
that anybody who can't come up with 10 gig ports and cross-connects
isn't of threshold size?

Can a peering policy be open if it's regionally restricted? If my
peering points for the mid-Atlantic states only announce routes tied
to my mid-Atlantic customers and only propagate your routes to those
mid-Atlantic customers, is that acceptable behavior? Or have I
mis-served my customers if I don't pull all of them to the location
you find it convenient to peer?


Food for thought,
Bill Herrin




--
Richard Bennett
Visiting Fellow, American Enterprise Institute
Center for Internet, Communications, and Technology Policy
Editor, High Tech Forum



Re: On a future of open settlement free peering

2014-07-29 Thread Richard Bennett
So when you said: I can only hope the holdouts will see the light 
before the weight of government crashes down on them you were positing 
an unlikely outcome? For what purpose, trolling?


BTW, I'm not a lobbyist, but you already knew that.

RB

On 7/29/14, 4:12 PM, William Herrin wrote:

On Tue, Jul 29, 2014 at 6:21 PM, Richard Bennett rich...@bennett.com wrote:

It's interesting that an FCC ban on paid peering (or on-net transit if you
prefer that expression) is now seen as a plausible and even likely outcome
of the FCC's net neutrality expedition.

I don't think an FCC ban on paid peering is a plausible outcome this
go-around. The question, as I understand it, is reclassification of
broadband. If they actually go for reclassification, then you guys are
screwed. Paid peering would be the least of the dominoes to fall in
the follow-on rulemaking which would be necessary as a result of
reclassification.

Reclassification might bring a serious discussion of L1/L2 structural
separation to the table. It wouldn't be the FCC's first foray into
structural separation and as far as I know the laws which allow are
still on the books.

If I was one of the eyeball network lobbyists, I'd be begging the FCC
to let me try open peering and give it a chance to achieve the
commission's public policy objectives WITHOUT reclassification.

But then I guess that's why I'm not a telecom-paid lobbyist, eh? ;)

Regards,
Bill Herrin






--
Richard Bennett
Visiting Fellow, American Enterprise Institute
Center for Internet, Communications, and Technology Policy
Editor, High Tech Forum




Re: Richard Bennett, NANOG posting, and Integrity

2014-07-28 Thread Richard Bennett
It's hard to see a revolution when you're in the middle of it. As 
consumers transition from watching multicast TV on the networks' 
schedule past time-shifting and on to VoD, the traffic demands on the 
infrastructure will grow by 25 - 40 times. Similarly, the Internet will 
shift from a tool for reading web sites and watching occasional cat 
videos to a system whose main job (from the perspective of traffic) is 
video streaming. The magnitude of the change will necessarily cause a 
re-evaluation of the norms for interconnection, aggregation, content 
placement, and protocol design.


I think it's a mistake to approach this transformation in a nothing to 
see here, move along manner. It's reality that packet networks are 
statistical, especially at the level of aggregation and middle-mile 
distribution. The Internet's traditional financial model is one in which 
infrastructure providers make the most serious investments and edge 
services extract the highest profits. This model may not be the most 
sustainable one, and it may not be consistent with supporting the 
upgrades the infrastructure needs for adaptation to this new 
application.  Alternative models - such as Europe's open access regime - 
fare even worse in this regard than the vertical integration model 
that's the norm in North America and East Asia.


I don't claim to have all the answers here, or even any of them, but I 
think it's important to keep an open mind and pay attention to what 
works. I'm also not enthusiastic about relying on government programs to 
upgrade infrastructure to fiber of some random spec, because the entry 
of government into this market suppresses investments by independent 
fiber contractors and doesn't necessarily lead to optimal placement of 
new fiber routes. The First Net experience is proving that to be the 
case, I believe.


In other words, the Internet that we have today isn't the best of all 
possible networks, it's just the devil we know.


RB


On 7/28/14, 10:56 AM, William Herrin wrote:

On Mon, Jul 28, 2014 at 1:53 AM, Richard Bennett rich...@bennett.com wrote:

You've designed your network to handle the traffic demands of web browsing?
That's cute, now rebuild it to handle 40 times more traffic while I sit back
and call you a crook for not anticipating my innovation.

Right, because how could anyone anticipate that more than a handful of
folks might want to use 5 or 6 mbps of traffic on a 25mbps flat-rate
product for hours at a time. How rude to suggest that an allegedly
high speed network designed only to handle the traffic demands of web
browsing is little different than that age old confidence scheme, the
pig in a poke.

Regards,
Bill Herrin





--
Richard Bennett
Visiting Fellow, American Enterprise Institute
Center for Internet, Communications, and Technology Policy
Editor, High Tech Forum




Re: Richard Bennett, NANOG posting, and Integrity

2014-07-28 Thread Richard Bennett
Owen, your mother should have told you that you need to play nice if you 
want the other children to play with you.


On 7/28/14, 12:02 PM, Owen DeLong wrote:

On Jul 27, 2014, at 9:08 PM, Richard Bennett rich...@bennett.com wrote:


I don't think it's conflation, Joly, since the essence of NN is for the eyeballs to pay 
for the entire cost of the network and for edge providers to use it for free; isn't that 
what Netflix is asking the FCC to impose under the guise of strong net 
neutrality? Professor van Schewick is pretty clear about making the users pay for 
the edge providers in her tome on Internet architecture and innovation.

This is as absurd as the people you shill^wpoopy-head (per your request) for.

The users pay either way.

Either the content provider(s) pay the carriers and then bill the users (at a 
mark up) or the users pay directly (hopefully without the markup).

We are, after all, not talking about data that Netflix wants to inflict on the 
unsuspecting user. We are talking about data that the user REQUESTED from 
Netflix.

Saying “Content providers should pay” sounds great, because it sounds like it 
gives the end-user a free ride, but the reality is a little different.
Let’s have a look at the unintended consequences of such a policy:

1.  End users get billed more by the content providers to cover this 
    additional cost.
2.  Content providers have to mark up what they are charged by the 
    end-user’s ISPs, and they want to charge a uniform rate to all 
    customers, so the most likely result is that they bill end users 
    based on a marked up rate from the most expensive eyeball ISP they 
    are forced to pay.
3.  As a result of these additional charges, you create barriers to 
    competition in the content space which begins to turn content into 
    more of an oligopoly like access currently is. It's a giant step in 
    the exact opposite direction of good.

Frankly, I give Netflix a lot of credit for fighting this instead of taking the 
benefits it could provide and screwing over their customers and
their competition.



Competition is a wonderful thing where it can work, but it's not a panacea, 
especially for the poor and for high-cost, rural areas. Communication policy 
has pretty much always relied on some form of subsidy for these situations, 
that's the universal service fee we pay on our phone bills.

How would you know… Let’s _TRY_ it and see what happens? Subsidy for those 
situations is probably necessary, but so far, subsidy has always been 
structured to subsidize monopolies and block competition (at the 
request(demand) of the very people you shill^wpoopy-head for).

If we changed the subsidies a tiny bit so that all subsidized infrastructure 
was built in a manner open to multiple higher-level service providers (e.g. 
subsidized open fiber builds to serving wire centers with colocation 
capabilities) and made those facilities available to all service providers on 
an equal footing (same cost, same ToS, same SLA, same ticket priority, etc.) I 
bet you’d see a very different situation develop rather quickly.


Susan Crawford explicitly complains that American ISPs gouge the rich by 
charging more than the OECD norm for high-speed (50 Mbps and above) service, but she 
fails to point out that they also charge less than the norm for low-speed (15 Mbps and 
below) service.

Whatever… The bottom line is that overall, throughout the US, even in the most 
densely populated areas, we are far behind what you can get in places like NL, 
KR, SG, SE, etc. and paying generally more for it.


I think it's easy to create unintended consequences if you don't look at how 
specific regulations affect real people, no matter how high-minded and 
principled they may appear at the surface.

OK, so please tell me what are the horrible unintended consequences of making 
layer 1 an open platform available on an equal footing to all competing L2+ 
providers that want to compete? As you point out, most L1 has been built with 
taxpayer money and/or subsidy, so what’s the horrible downside to letting it 
actually work or the taxpayers instead of the oligopolistic law firms 
masquerading as communications companies?

Owen


RB


On 7/27/14, 7:08 PM, Joly MacFie wrote:

Conflating zero-rating with NN is not necessarily helpful.  I somehow doubt 
that is ultimately what convinced all those groups to suddenly come out against 
NN at the last minute.

The EFF did recently address the issue.

https://www.eff.org/deeplinks/2014/07/net-neutrality-and-global-digital-divide

quote

However, we worry about the downside risks of the zero rated services. Although 
it may seem like a humane strategy to offer users from developing countries 
crumbs from the Internet's table in the form of free access to walled-garden 
services, such service may thrive at the cost of stifling the development of 
low-cost, neutral Internet access in those countries

Re: Richard Bennett, NANOG posting, and Integrity

2014-07-28 Thread Richard Bennett

On 7/28/14, 12:39 PM, William Herrin wrote:
There is nothing new under the sun, no matter how much you may protest 
otherwise...


This is a self-fulfilling prophecy that reflects the intense 
conservatism of a certain part of the Internet establishment. I'm 
inclined to go for new services, new norms, and progress. But that's 
just my personal bias, not a law of nature.


RB

--
Richard Bennett
Visiting Fellow, American Enterprise Institute
Center for Internet, Communications, and Technology Policy
Editor, High Tech Forum




Re: Richard Bennett, NANOG posting, and Integrity

2014-07-27 Thread Richard Bennett
This is one of the more clueless smears I've seen. The astroturf 
allegation is hilarious because it shows a lack of understanding of what 
the term means: individuals can't be astroturf by definition; it takes 
an organization.


Groups like Free Press are arguably astroturf because of their funding 
and collaboration with commercial interests, but even if you buy the 
blogger's claim that AEI is taking orders from Comcast (which it isn't), 
it doesn't pretend to be speaking for the grassroots. After 76 years in 
operation, people engaged in public policy have a very clear idea of the 
values that AEI stands for, and the organization goes to great lengths 
to firewall fundraising from scholarship. AEI's management grades itself 
in part on being fired by donors; this is actually a goal.


The thing I most like about  AEI is that it doesn't take official 
positions and leaves scholars the freedom to make up their own minds and 
to disagree with each other. Although we do tend to be skeptical of 
Internet regulation, we're certainly not of one mind about what needs to 
be regulated and who should do it. AEI is a real think tank, not an 
advocacy organization pretending to be a think tank.


The article is riddled with factual errors that I've asked Esquire to 
correct, but it has declined, just as it declined to make proper 
corrections to the blogger's previous story alleging the FCC had 
censored 500,000 signatures from a petition in support of Title II. See: 
http://www.esquire.com/blogs/news/comcast-astroturfing-net-neutrality?fb_comment_id=fbc_734581913271304_735710019825160_735710019825160#f35206a395cd434


The blogger came to my attention when he was criticized on Twitter by 
journalists who support net neutrality for that shoddy piece of 
sensationalism; see the dialog around this tweet: 
https://twitter.com/oneunderscore__/status/489212137773215744


The net neutrality debate astonishes me because it rehashes arguments I 
first heard when writing the IEEE 802.3 1BASE5 standard (the one that 
replaced coaxial cable Ethernet with today's scalable hub and spoke 
system) in 1984. Even then some people argued that a passive bus was 
more democratic than an active hub/switch despite its evident 
drawbacks in terms of cable cost, reliability, manageability, 
scalability, and media independence. Others argued that all networking 
problems can be resolved by throwing bandwidth at them and that all QoS 
is evil, etc. These talking points really haven't changed.


The demonization of Comcast is especially peculiar because it's the only 
ISP in the US still bound by the FCC's 2010 Open Internet order. It 
agreed to abide by those regulations even if they were struck down by 
the courts, which they were in January. What happens with the current 
Open Internet proceeding doesn't have any bearing on Comcast until its 
merger obligations expire, and its proposed merger with TWC would extend 
them to a wider footprint and reset the clock on their expiration.


Anyhow, the blogger did spell my name right, so there's that.

RB

On 7/22/14, 9:07 AM, Paul WALL wrote:

Provided without comment:

http://www.esquire.com/blogs/news/comcast-astroturfing-net-neutrality

Drive Slow,
Paul Wall


--
Richard Bennett
Visiting Fellow, American Enterprise Institute
Center for Internet, Communications, and Technology Policy
Editor, High Tech Forum




Re: Net Neutrality...

2014-07-27 Thread Richard Bennett
Minor nit: McDowell is a former two term commissioner, but was not a 
chairman. He is, however, a real standout in terms of understanding the 
Internet and has many of the most coherent comments of any commissioner 
since his appointment. He was a leader in the campaign to push back the 
attempts of the ITU to establish sovereignty over interconnection and to 
apply telecom tariffs to the Internet.


It's worth noting that there was a time when Internet policy at the 
national level was not the ideological exercise that it has become. 
There was very little difference between Clinton's last FCC chairman 
(Kennard) and Bush 43's first chairman (Powell) on the general approach 
of the federal government to the Internet. Powell was, after all, the 
chairman who first articulated Internet Freedom goals in his famous 
Four Freedoms speech in Boulder in 2004; see: 
http://www.jthtl.org/content/articles/V3I1/JTHTLv3i1_Powell.PDF


It's a shame that people can't discuss principles of network policy 
today without first signing a loyalty oath to one of the political 
parties. It seems to me that Kennard, Powell, Wheeler, McDowell, and 
current commissioner Pai have all articulated great ideas about Internet 
policy that stand on their own without regard to political affiliations.


RB

On 7/16/14, 7:50 AM, Fred Baker (fred) wrote:

Relevant article by former FCC Chair

http://www.washingtonpost.com/posteverything/wp/2014/07/14/this-is-why-the-government-should-never-control-the-internet/


--
Richard Bennett
Visiting Fellow, American Enterprise Institute
Center for Internet, Communications, and Technology Policy
Editor, High Tech Forum




Re: Richard Bennett, NANOG posting, and Integrity

2014-07-27 Thread Richard Bennett
So we're supposed to believe that NAACP and LULAC are phony 
organizations but pro-neutrality groups like Free Press and Public 
Knowledge that admit to collaborating with Netflix and Cogent are legit? 
Given their long history, I think this is a bit of a stretch.


It's more plausible that NAACP and LULAC have correctly deduced that net 
neutrality is a de facto subsidy program that transfers money from the 
pockets of the poor and disadvantaged into the pockets of super-heavy 
Internet users and some of the richest and most profitable companies in 
America, the content resellers, on-line retailers, and advertising 
networks.


Recall what happened to entry-level broadband plans in Chile when that 
nation's net neutrality law was just applied: the ISPs who provided free 
broadband starter plans that allowed access to Facebook and Wikipedia 
were required to charge the poor:


A surprising decision in Chile shows what happens when policies of 
neutrality are applied without nuance. This week, Santiago put an end to 
the practice, widespread in developing countries 
http://techcrunch.com/2014/05/29/twitters-emerging-market-strategy-includes-its-own-version-of-a-facebook-zero-like-service-called-twitter-access/, 
of big companies “zero-rating” access to their services. As Quartz has 
reported 
http://qz.com/5180/facebooks-plan-to-find-its-next-billion-users-convince-them-the-internet-and-facebook-are-the-same/, 
companies such as Facebook, Google, Twitter and Wikipedia strike up 
deals 
http://qz.com/69163/the-one-reason-a-facebook-phone-would-make-sense/ 
with mobile operators around the world to offer a bare-bones version of 
their service without charging customers for the data.


It is not clear whether operators receive a fee 
http://techcrunch.com/2014/05/29/twitters-emerging-market-strategy-includes-its-own-version-of-a-facebook-zero-like-service-called-twitter-access/ 
from big companies, but it is clear why these deals are widespread. 
Internet giants like it because it encourages use of their services in 
places where consumers shy away from hefty data charges. Carriers like 
it because Facebook or Twitter serve as a gateway to the wider 
internet, introducing users to the wonders of the web and encouraging 
them to explore further afield—and to pay for data. And it’s not just 
commercial services that use the practice: Wikipedia has been an 
enthusiastic adopter of zero-rating as a way to spread its free, 
non-profit encyclopedia.


http://qz.com/215064/when-net-neutrality-backfires-chile-just-killed-free-access-to-wikipedia-and-facebook/

Internet Freedom? Not so much.

RB


On 7/27/14, 5:07 PM, Joly MacFie wrote:

Now, this is astroturfing.

http://www.thenation.com/blog/180781/leading-civil-rights-group-just-sold-out-net-neutrality


On Sun, Jul 27, 2014 at 4:26 PM, Richard Bennett rich...@bennett.com 
mailto:rich...@bennett.com wrote:


This is one of the more clueless smears I've seen. The astroturf
allegation is hilarious because it shows a lack of understanding
of what the term means: individuals can't be astroturf by
definition; it takes an organization.

Groups like Free Press are arguably astroturf because of their
funding and collaboration with commercial interests, but even if
you buy the blogger's claim that AEI is taking orders from Comcast
(which it isn't), it doesn't pretend to be speaking for the
grassroots. After 76 years in operation, people engaged in public
policy have a very clear idea of the values that AEI stands for,
and the organization goes to great lengths to firewall fundraising
from scholarship. AEI's management grades itself in part on being
fired by donors; this is actually a goal.

The thing I most like about  AEI is that it doesn't take official
positions and leaves scholars the freedom to make up their own
minds and to disagree with each other. Although we do tend to be
skeptical of Internet regulation, we're certainly not of one mind
about what needs to be regulated and who should do it. AEI is a
real think tank, not an advocacy organization pretending to be a
think tank.

The article is riddled with factual errors that I've asked Esquire
to correct, but it has declined, just as it declined to make
proper corrections to the blogger's previous story alleging the
FCC had censored 500,000 signatures from a petition in support of
Title II. See:

http://www.esquire.com/blogs/news/comcast-astroturfing-net-neutrality?fb_comment_id=fbc_734581913271304_735710019825160_735710019825160#f35206a395cd434

The blogger came to my attention when he was criticized on Twitter
by journalists who support net neutrality for that shoddy piece of
sensationalism; see the dialog around this tweet:
https://twitter.com/oneunderscore__/status/489212137773215744

The net neutrality debate astonishes me because it rehashes
arguments I first heard when

Re: Richard Bennett, NANOG posting, and Integrity

2014-07-27 Thread Richard Bennett

I prefer the term poopy head because it's so much more sophisticated.

RB

On 7/27/14, 5:39 PM, goe...@anime.net wrote:

On Sun, 27 Jul 2014, Richard Bennett wrote:
This is one of the more clueless smears I've seen. The astroturf 
allegation is hilarious because it shows a lack of understanding of 
what the term means: individuals can't be astroturf by definition; 
it takes an organization.


Individuals can be paid shills though.

-Dan


--
Richard Bennett
Visiting Fellow, American Enterprise Institute
Center for Internet, Communications, and Technology Policy
Editor, High Tech Forum




Re: Richard Bennett, NANOG posting, and Integrity

2014-07-27 Thread Richard Bennett
Maybe it would help if you tried to address the issues in a serious way 
instead of just trying to be cute.


Just a thought...

RB

On 7/27/14, 8:52 PM, Matt Palmer wrote:

On Mon, Jul 28, 2014 at 08:16:36AM +0530, Suresh Ramasubramanian wrote:

  On 28-Jul-2014 8:06 am, Matt Palmer mpal...@hezmatt.org wrote:

On Sun, Jul 27, 2014 at 05:28:08PM -0700, Richard Bennett wrote:

It's more plausible that NAACP and LULAC have correctly deduced that
net neutrality is a de facto subsidy program that transfers money
from the pockets of the poor and disadvantaged into the pockets of
super-heavy Internet users and some of the richest and most
profitable companies in America, the content resellers, on-line
retailers, and advertising networks.

I've got to say, this is the first time I've heard Verizon and Comcast
described as poor and disadvantaged.


Recall what happened to entry-level broadband plans in Chile when
that nation's net neutrality law was just applied: the ISPs who
provided free broadband starter plans that allowed access to
Facebook and Wikipedia were required to charge the poor:

[...]


Internet Freedom? Not so much.

I totally agree.  You can't have Internet Freedom when some of the
richest and most profitable companies in America, the content resellers,
on-line retailers, and advertising networks, are paying to have eyeballs
locked into their services.  Far better that users be given an
opportunity to browse the Internet free of restriction, by providing
reasonable cost services through robust and healthy competition.

Or is that perhaps not what you meant?

I think he meant the actual poor people that broadband subsidies and free
walled garden internet to access only fb and Wikipedia are supposed to
benefit, but I could be wrong

I've got a whopping great big privilege that's possibly obscuring my view,
but I fail to see how only providing access to Facebook and Wikipedia is (a)
actual *Internet* access, or (b) actually beneficial, in the long run, to
anyone other than Facebook and Wikipedia.  I suppose it could benefit the
(no doubt incumbent) telco which is providing the service, since it makes it
much more difficult for competition to flourish.  I can't see any lasting
benefit to the end user (or should I say product?).

- Matt



--
Richard Bennett
Visiting Fellow, American Enterprise Institute
Center for Internet, Communications, and Technology Policy
Editor, High Tech Forum



