Re: [swinog] Fwd: [routing-wg] RPKI Outage Post-Mortem

2020-02-25 Discussion threads Roque Gagliano
Hi Massimiliano,

It would be nice to clarify which CA was rolled-over. Was it the root key
that is present in the TAR files or the root RIPE CA or the hosted-CA keys?

Regards,
Roque


On Tue, Feb 25, 2020 at 3:31 PM Massimiliano Stucchi  wrote:

>
> If you're not on the routing-wg mailing list, there's something you
> should know
>
>
>  Forwarded Message 
> Subject: [routing-wg] RPKI Outage Post-Mortem
> Date: Tue, 25 Feb 2020 15:12:15 +0100
> From: Nathalie Trenaman 
> To: routing...@ripe.net
>
> Dear colleagues,
>
> From Saturday 22 February at 08:24 (CET), any newly created, modified,
> or deleted ROAs (176 in total) could not be added to our publication
> server due to a disk problem. From that moment on, all the data was
> stored on the database, but the publication did not happen. The disk did
> not report any problems and, therefore, no engineer was alerted of this
> incident.
>
> Due to the disk problem, starting from Sunday 23 February at 09:10
> (CET), our CRL expired and our repository could not be properly updated.
> This was reported to us on Monday 24 February at 11:44 (CET).
> Immediately, our engineers fixed the disk problem; however, since the
> CRL expired, all underlying objects also expired. Depending on the
> Relying Party software an operator used, this abnormal behaviour
> appeared differently.
>
> Initially, our engineers tried to do a full re-population of the RPKI
> repository, but unfortunately, this did not update the CRL in the
> validation tree. At 15:03 (CET), we performed a full CA key-roll, which
> was completed at 21:02 (CET) and resolved the problem. At 19:58 (CET),
> all objects in the backlog were published.
>
> We apologise for any inconvenience this may have caused and we are
> taking all the necessary steps to ensure this incident does not appear
> again in the future.
>
> Kind regards,
>
> Nathalie Trenaman
> Routing Security Programme Manager
> RIPE NCC
>
>
>
> ___
> swinog mailing list
> swinog@lists.swinog.ch
> http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
>


-- 


At least I did something
Don Draper - Mad Men



Re: [swinog] IANA Transition: Invitation to National ISOC-CH Event on Thu Nov 13th at 6 p.m. in Bern

2014-11-04 Discussion threads Roque Gagliano
Dear all,

Forwarding invitation from ISOC-CH

Roque


>
> *Invitation to National ISOC-CH Event on Thu Nov 13th at 6 p.m. in Bern*
>
> We, the Internet Society Switzerland Chapter (ISOC-CH), are happy to
> invite you to our National Event 2014 on a currently heavily debated matter
> "What happens to IANA?" or in other words "How much control over the
> Internet will the US government maintain in future?"
>
> *Speakers include:*
>
> - *Konstantinos Komaitis*, *Internet Society (ISOC)*, Policy Advisor
> - *Massimiliano Stucchi* from *RIPE NCC*
> - *Brian Trammell*, member of the *IAB (Internet Architecture Board)*
>
>
> *Introduction:*
>
> For a long time core functions of the Internet, such as the overall
> administration of Internet Corporation for Assigned Names and Numbers
> (IANA), have been under supervision of the US government. Recently, the US
> government announced its intent to transition part of its oversight role to
> the global multistakeholder community. This announcement attracted a great
> deal of attention and has sparked some very lively discussions. You can
> find more information on ISOC’s IANA transition website.
>
> We invite you to an event where the IANA transition process will be
> explained by experts. You will also get an update on its status and other
> interesting topics regarding ICANN and IANA.
>
> *Details and registration:*
>
> The event will take place on Nov 13th, 2014 at 6 p.m. in the University of
> Bern. Please find more information and registration (spaces are limited /
> first-come - first served) on:
>
> http://www.isoc.ch/events/what-happens-to-iana
>
> *Deadline for registration: 10.11.2014 (noon)*
>
> Note:
> This event is public and guests are more than welcome to join. Please
> forward this invitation to anyone who may be interested in.
>
> Looking forward to your registrations!
>
> Kind regards,
>  Bernie Höneisen, ISOC-CH Chairman
>
>
> --
>
>
> At least I did something
> Don Draper - Mad Men
>



-- 


At least I did something
Don Draper - Mad Men



[swinog] April 4 - ISOC-CH meeting invitation on Swiss current topics being discussed in Bern

2014-03-26 Discussion threads Roque Gagliano
Hi,

The Internet Society Switzerland Chapter (ISOC-CH) invites you to an event
on actual Internet topics in Switzerland, including Net Neutrality, Lawful
Interception (BÜPF) and copyright legislation change proposals. Speakers
include National Councilor Balthasar Glättli (head of the Green fraction in
the Swiss parliament), the Swiss Pirate Party's chair Alexis Roussel and
Silvia Hagen (head of the Swiss IPv6 council).

Please find more information and registration on:

http://www.isoc.ch/events/annual-general-assembly-2014 (part 1)

This event is open to the public and free of charge! Feel free to forward
this email to anybody who may be interested in.

To join us, please register now!

We will have coffee and snacks.
After these talks there will be the official General Assembly (part 2) of
ISOC-CH.

An apero will follow as a way to close the day.

Kind regards,
 Board of the Internet Society Switzerland Chapter


PS:
If you are already a member of ISOC-CH you'll have a chance to exercise
your voting rights during the General Assembly (part 2), which you can
register independently for.
If you are not yet a member of ISOC-CH, you are most welcome to sign up
for membership: http://www.isoc.ch/membership



-- 


At least I did something
Don Draper - Mad Men



Re: [swinog] DDOS DNS Attack by Netgear Products caused by CNAME instead of A record?

2013-05-25 Discussion threads Roque Gagliano
IMHO, this is also one of the things that unbound is superior to BIND.

You can simply configure "local-data" in the general configuration file in
one line:
local-data: "time-g.netgear.com 9600 IN A 209.249.181.22"

Ref: http://www.unbound.net/documentation/unbound.conf.html

Roque

On Sat, May 25, 2013 at 1:40 PM, Roman Hochuli
wrote:

> Hello Jeroen
>
> > If you are doing that, do it only for time-g.netgear.com by defining
> > a zone for that and using '@' to get the record defined, that way you
> > don't cause collateral damage to the many other records that might
> > exist in netgear.com
>
> Thanks for pointing out. Your solution is much nicer than my approach.
> Looks like Scalpel vs. Hammer. :)
>
>
> > Tranalyzer only analyzes as far as I recall and the slides do not
> > indicate differently...
>
> You are right. I was more referring to his presentation-style at SwiNOG
> #26 which referred a lot to "what's that hex?" ;)
>
> --
> Best regards,
> Roman Hochuli
> Operations Manager
>
> nexellent ag
> Saegereistrasse 33
> CH-8152 Glattbrugg
>
> Phone:   +41 44 872 20 00
> Fax: +41 44 872 20 01
> URL: www.nexellent.ch
> X-NCC-RegID: ch.nexellent
>
> Imagination is the one weapon in the war
> against reality.
> -- Jules de Gaultier
>
>
>
>



-- 


At least I did something
Don Draper - Mad Men



[swinog] Fwd: [ISOC-CH Ann] Invitation to WCIT Digest (8 March / 15:30 / Bern)

2013-02-26 Discussion threads Roque Gagliano
This event may be of interest for some of you as it is related to a recent
talk at swinog.

Roque



-- Forwarded message --
From: *Bernie Hoeneisen*
Date: Wednesday, February 20, 2013
Subject: [ISOC-CH Ann] Invitation to WCIT Digest (8 March / 15:30 / Bern)
To: announceme...@lists.isoc.ch


Dear ISOC-CH Members,

You are cordially invited to join our "WCIT Digest" event, a panel
discussion with:

   - Richard Hill, independent consultant (former senior ITU staff member)
   - Markus Kummer, Internet Society, Vice President Public Policy
   - Frédéric Riehl, OFCOM/BAKOM, Vice Director, Head of International
   Relations Service
   - Monika Ermert, journalist (discussion leader)

WCIT (World Conference on International Telecommunications) was recently
taking place in Dubai (VAE). A key issue discussed there was whether or not
the Internet should be part of the revised International Telecommunication
Regulations, and if yes to what extent. Please find more information about
WCIT on:

http://www.internetsociety.org/wcit

Our "WCIT Digest" is taking place on *Friday, 8 March 2013, 15:30-17:30,
Bern* (i.e. shortly before our General Assembly).
The event is public and free of charge. Registration and more information
on:

*http://www.isoc.ch/wcit-digest*

Looking forward to meet you soon!

All the best,
 Bernie, ISOC-CH, Vice-Chair Internal

PS: Feel free to forward this invitation to your friends or anybody who
may be interested in joining this event!


--

http://ucom.ch/
Tech Consulting for Internet Technology





-- 


At least I did something
Don Draper - Mad Men



Re: [swinog] (secret) ITU conference in Dubai: Swiss Delegation?

2012-11-28 Discussion threads Roque Gagliano
Hi Fredy,

A couple of months ago the chairman of ISOC-CH (Vicenzo Palotti)
reached out to OFCOM and asked for their position and any plan to
reach out to the civil society.

The answer was that they will basically follow the EU position (which
is not a bad thing). They also stated that they did not have any plans
for open consultation to the civil society, which we made clear is not
what is expected as part of the current internet governance principles
from the WSIS summit.

I have no opposition to the core team to make a statement.

Regards,
Roque

On Wed, Nov 28, 2012 at 12:37 AM, Fredy Kuenzler  wrote:
> On 27.11.2012 22:37, Fredy Kuenzler wrote:
>>
>> Does anyone know the Swiss delegate of the upcoming ITU conference in
>> Dubai? [...]
>
>
> In response to my tweet pointing to this email in the SwiNOG mailinglist
> archive I got a response with five names of the Swiss Delegation:
>
>> There was the accreditation list mailed to some ISOC list last week, 5
>> people on the Swiss delegation:
>>
>> Mr Frédéric RIEHL, Chef des Affaires Internationales, OFCOM (Suisse) /
>> BAKOM, frederic dot riehl at bakom dot admin dot ch
>>
>> Mr Hassane MAKKI, Affaires Internationales, Federal Office of
>> Communications - OFCOM, hassane dot makki at bakom dot admin dot ch
>>
>> Mr Raphael SCHERRER, Conseiller Economiste, OFCOM (Suisse) / BAKOM,
>> raphael dot scherrer at bakom dot admin dot ch
>>
>> Mr Dirk-Olivier VON DER EMDEN, Conseiller juridique, Office Fédéral de la
>> Communication (OFCOM/BAKOM), dirk-olivier dot von-der-emden at bakom dot
>> admin dot ch
>>
>> Mr Rolf WEBER, Professor, Faculty of Law, University of Zurich
>>
>> First one is flagged as Head of delegation, second one is deputy.
>
>
> So we know now that mainly BAKOM/OFCOM people are traveling to Dubai.
>
> Please all individuals refrain from sending personal emails to the delegation!
> They don't need geeky comments or even stupid insulting.
>
> I'd rather suggest that the SwiNOG core team is going to formulate a clear
> statement to the Swiss ITU delegation (please note that I left the SwiNOG
> core team >1y ago). SwiNOG needs to speak in a united voice in this matter.
>
> I also hope that general interest media (Swiss television, Tages-Anzeiger,
> Blick et al.) would pick this out as a central theme, along with special
> interest media (computer/telecommunication). It would be simply great to
> read a large interview with the delegates, where they commit themselves to
> stand for the self-regulated bottom-up Internet as we know and love. Support
> not only from this community but also from general media and us, the Swiss
> people, would strengthen their position... so please, dear journalists
> around, make a move :-) It will have an impact not only in Switzerland, but
> also in neighbouring countries.
>
> Except from heise.de I haven't seen much yet about the ITU conference in
> special interest media (computers/telecommunications). Not sure why, I guess
> inside-it.ch et al. have some backlog... *hint*
>
> Meanwhile I hope everyone would help to share the link and video I mentioned
> in my previous mail:
>
> https://www.whatistheitu.org/
> http://www.youtube.com/watch?v=XzNQarkk95Q
>
> Also I would like to include the link to the slides of SwiNOG #25 of Arnold
> Nipper with some unbiased information:
> http://www.swinog.ch/meetings/swinog25/p/11_SwiNOG25-WCIT-20121107.pdf
>
> Thanks for listening and sharing!
>
> --
> Fredy Künzler
>
> Init7 (Switzerland) AG
> AS13030
> Elias-Canetti-Strasse 7
> CH-8050 Zürich
> Skype:   flyingpotato
> Phone:   +41 44 315 4400
> Fax: +41 44 315 4401
> Twitter: @init7
> http://www.init7.net/
>
>
>



-- 


At least I did something
Don Draper - Mad Men




[swinog] Invitation 1st National ISOC Switzerland Chapter event

2012-11-08 Discussion threads Roque Gagliano
Hi Swinogers,

I believe you would be interested in this event organized by the ISOC
Switzerland Chapter this month.

Roque Gagliano
Treasurer - ISOC Switzerland Chapter

---

We are happy to invite you to the 1st National Event of the ISOC
Switzerland Chapter.

Date/Time: 27 November 2012 / 18:00 – 21:00 h

Place: Käfigturm, Marktgasse 67, Bern (close to main railway station)

Topics:

The Open Internet under Threat
by Brian Trammell, research associate, Communication Systems
Group, ETH Zurich

Internet Related Topics in Swiss Politics
by Balthasar Glättli, entrepreneur and politician, member of
the Swiss Parliament
Language: English

More Information: http://www.isoc.ch/events/national-isoc-ch-event-2012-bern

Registration: http://www.isoc.ch/events/national-isoc-ch-event-2012-bern
Please register latest by Tue, 20.11.2012, noon!


Further Notes:

This event is free of charge.
ISOC Members as well as guests are welcome!
Feel free to forward this invitation to your colleagues and friends
For this National Event we deliberately choose the central
location Bern, as it can easiest be reached from all parts of
Switzerland.
We are looking forward to many ISOC members from various parts of
Switzerland joining and getting to know each other.


This event is sponsored by:

Main Sponsor: Sunny Connection AG (sunny.ch)
Networks, Education & Consulting

Additional Sponsor: Ucom Standards Track Solutions GmbH (Ucom.ch)
Technical Consulting for Internet Technology


Looking forward to see you in Bern!

--

-- 


At least I did something
Don Draper - Mad Men




[swinog] Presentation from last SWNOG meeting

2012-07-05 Discussion threads Roque Gagliano
Hi SWnogers,

I am looking for the presentation from last meeting. It seems that they are
not available at the usual place. Any change here or "work in progress"?

Regards,
Roque



Re: [swinog] "arping" for IPv6

2012-06-04 Discussion threads Roque Gagliano
Here you have:
http://www.remlab.net/ndisc6/

Roque

On Mon, Jun 4, 2012 at 9:59 PM, Tobias Brunner wrote:

> Hi,
>
> Does someone know if there is a tool for linux which can send a neighbor
> advertisement for a fast update of the neighbor table of a router?
> Like the good old "arping -U" for ipv4 which sends gratuitous/unsolicited
> arp messages...
>
> Have a nice evening!
>
> Cheers,
> Tobias
>
> --
> Nine Internet Solutions AG, Albisriederstr. 243a, CH-8047 Zuerich
> Support +41 44 637 40 40 | Tel +41 44 637 40 00 | Direct +41 44 637 40 13
> Skype nine.ch_support
>
>
>



-- 


At least I did something
Don Draper - Mad Men



[swinog] ISOC Switzerland Chapter

2012-05-10 Discussion threads Roque Gagliano
Hi SWINOG,

As I mentioned in the mic today, yesterday the ISOC Switzerland Chapter was
approved.

The chapter website is: http://www.isoc.ch

If you want to become a member, you need to fill the form at the global
ISOC page here:
http://www.internetsociety.org/get-involved/join-community/individuals

Cheers!
Roque
-- 


At least I did something
Don Draper - Mad Men



[swinog] Using MED for outgoing traffic management

2011-11-10 Discussion threads Roque Gagliano
Hi all,

As I mentioned in the mic at the end of the previous session.

The MED attribute is often also used by content providers to be able
to manage outgoing traffic by affecting the selection criteria when
there is a tie in the ASPATH.

This "new" use of the attribute (rather than the "cold potato" routing
mentioned) is very well described in this NANOG presentation:
http://www.nanog.org/meetings/nanog46/abstracts.php?pt=MTM3MiZuYW5vZzQ2&nm=nanog46

Roque

-- 


At least I did something
Don Draper - Mad Men




Re: [swinog] BGP Origin ASN Validation

2010-11-15 Discussion threads Roque Gagliano
Thanks Jeroen,

Should add the standards references to the slides.

Roque

On Mon, Nov 15, 2010 at 1:16 PM, Jeroen Massar  wrote:
> On 2010-11-15 13:05, Oliver Schad wrote:
>> On Monday 15 November 2010 Roque Gagliano wrote to me:
>>> I believe Tim has a point in this comment, we already analyze it
>>> positively internally to add that capability.
>>
>> Does somebody at cisco try to build a standard from that filtering stuff
>> maybe together with other player on the market or do we get another
>> isolated application with some patents on top to deny implementations on
>> other platforms than cisco?
>
> The configuration might be different, the work and protocols come from
> the IETF, see the SIDR working group
>
> And for instance:
> http://www.ripe.net/ripe/meetings/ripe-60/presentations/Bush-The_RPKI_Origin_Validation.pdf
>
> and
> http://www.netnod.se/presentations/netnodevent1002/20100217--18-netnod-rpki.pdf
>
> Which contains: https://subvert-rpki.hactrn.net/ which is even open source
>
> google(BGP Origin ASN Validation) aka the subject for more details
>
> Thanks Roque for introducing folks to what is and has to come!
>
> Greets,
>  Jeroen
>
>
>



-- 


At least I did something
Don Draper - Mad Men




Re: [swinog] BGP Origin ASN Validation

2010-11-15 Discussion threads Roque Gagliano
Hi Viktor,

I believe Tim has a point in this comment, we already analyze it
positively internally to add that capability.

When all of this starts rolling out, you would have a huge percentage
of "not-found", that is why you would not want to deny those. There
you can see the importance of generating your ROAs, although you are
not particularly interested in filtering.

Regards and thanks Tim for the catch,

Roque


On Mon, Nov 15, 2010 at 11:27 AM, Viktor Steinmann  wrote:
> Wouldn't that do it?
>
> !
> route-map bar deny 10
> match invalid
> !
>
> Cheers,
> Viktor
>
> On 15.11.2010 11:06, tim wrote:
>>
>> Hi all,
>>
>> About the talk "BGP Origin ASN Validation" from Roque Gagliano at SwiNOG
>> #21 I talked afterwards with him with the following remark:
>>
>> Roque showed a route-map like this one:
>>
>> route-map foo seq 10
>>  match invalid
>>  set local-preference 50
>> !
>> route-map foo seq 20
>>  match incomplete
>>  set local-preference 100
>> !
>> route-map foo seq 30
>>  match valid
>>  set local-preference 200
>> !
>>
>> This will not fix the "youtube vs. Pakistan"-problem.
>>
>> For example, youtube announces a /22, signed, gets local-pref 200.
>> "Bad ISP" announces a /24 out of the /22, unsigned, gets local-pref 50,
>> BUT gets into my routing table!
>>
>> I think it would be cool to have a system to prevent an *unsigned*
>> prefix, which is more specific than a *signed* prefix, to be accepted.
>>
>> Maybe this could be done in IOS Code, for example with the configuration
>> option "do not allow an unsigned more specific prefix within a signed
>> prefix".
>>
>> This will allow us to configure the route-map as shown above and accept
>> invalid/incomplete prefixes.  But the accepted invalid/incomplete
>> prefixes are not more specific than a signed prefix.
>>
>> If someone does know more, please comment.
>>
>> Cheers,
>>     Tim
>>
>>
>>
>
>
>
>



-- 


At least I did something
Don Draper - Mad Men
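
The more-specific case discussed in this thread, as an added example that is not part of the original messages: a small RFC 6811 origin-validation model showing that lowering local-preference on an invalid route does not keep a more-specific announcement out of the forwarding decision, while dropping invalid routes does and still leaves not-found routes in place. The prefixes, AS numbers and function names are constructed for illustration, and the quoted route-map's "incomplete" is assumed to mean not-found.

```python
from ipaddress import ip_network

# Constructed sample data: RFC 1918 prefixes, documentation/private-use ASNs.
VRPS = [(ip_network("10.20.0.0/22"), 22, 64500)]  # (prefix, maxLength, origin AS)
# Local-preference values from the quoted route-map ("incomplete" assumed = not-found).
LOCAL_PREF = {"invalid": 50, "not-found": 100, "valid": 200}
ANNOUNCEMENTS = [
    ("10.20.0.0/22", 64500),   # legitimate origin, matches the ROA
    ("10.20.1.0/24", 64666),   # more specific from another AS, no matching ROA
    ("172.16.0.0/16", 64501),  # no ROA covers this prefix at all
]

def validate(prefix, origin_as, vrps=VRPS):
    """Return 'valid', 'invalid' or 'not-found' following RFC 6811."""
    prefix = ip_network(prefix)
    covered = False
    for vrp_prefix, max_len, vrp_as in vrps:
        if prefix.version != vrp_prefix.version or not prefix.subnet_of(vrp_prefix):
            continue
        covered = True  # a ROA covers this prefix
        if prefix.prefixlen <= max_len and origin_as == vrp_as:
            return "valid"
    # Covered but unmatched is invalid; no covering ROA at all is not-found.
    return "invalid" if covered else "not-found"

def build_rib(announcements, drop_invalid):
    """Apply the policy and keep the highest local-pref path per prefix."""
    rib = {}
    for prefix, origin_as in announcements:
        state = validate(prefix, origin_as)
        if drop_invalid and state == "invalid":
            continue  # the "deny invalid" policy
        net, pref = ip_network(prefix), LOCAL_PREF[state]
        if net not in rib or pref > rib[net][1]:
            rib[net] = (origin_as, pref, state)
    return rib

def forward(rib, destination):
    """Longest-prefix match; local-pref only ranks paths for the same prefix."""
    dest = ip_network(destination)
    matches = [n for n in rib if n.version == dest.version and dest.subnet_of(n)]
    if not matches:
        return None
    return rib[max(matches, key=lambda n: n.prefixlen)][0]

if __name__ == "__main__":
    for prefix, asn in ANNOUNCEMENTS:
        print(prefix, asn, validate(prefix, asn))
    for drop in (False, True):
        rib = build_rib(ANNOUNCEMENTS, drop_invalid=drop)
        print("drop_invalid =", drop,
              "| 10.20.1.5 ->", forward(rib, "10.20.1.5"),
              "| 172.16.5.1 ->", forward(rib, "172.16.5.1"))
```

Because the ROA's maxLength is 22, a /24 inside it is invalid even when announced by the ROA's own origin AS, so an operator who intends to announce more-specifics has to cover them with ROAs too.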

