On 2021-08-28 00:58, Tom Beecher wrote:
Fundamentally I think everyone should care about this situation. As I
read it, it breaks down as :
- AFRINIC and Cloud Innovation are engaged in a dispute over number
assignment policies.
- AFRINIC invokes the clause that they are reclaiming the space i
On 2020-12-14 16:48, Mark Tinka wrote:
On 12/14/20 18:38, David Bass wrote:
It becomes more clear when you think about the options out there, and
get a little creative. Nowadays it’s definitely chess that’s being
played.
You're right, it really doesn't take much. Preying on humanity
Bitcoin.
There wasn't much purpose to 'hacking' for a long time. Even when
talking about DDoS stuff, it's still just temporary vandalism, it's only
an inconvenience, and it can be undone pretty quickly. The whole idea
of providing security has been turned into a wink-wink scam where people
On 2020-04-29 17:51, Mukund Sivaraman wrote:
On Wed, Apr 29, 2020 at 01:49:14PM -0400, Tom Beecher wrote:
What if I am at home, and while working on a project, fire off a wide
ranging nmap against say a /19 work network to validate something
externally? Should my ISP detect that and make a de
On 2019-08-02 16:42, James Downs wrote:
On Fri, Aug 02, 2019 at 11:19:08AM -0500, Hunter Fuller wrote:
This one has since been released, and it has a laptop compartment. My
Yeah, I definitely look for some sort of laptop compartment. If not
padded on its own, I stick the laptop into a padde
On 2018-10-17 02:35, Michael Thomas wrote:
I believe that the IETF party line these days is that Postel was wrong
on this point. Security is one consideration, but there are others.
Postel's maxim also allowed extensibility. If our network code rejects
(or crashes) on things we don't curre
On 2017-12-28 23:28, Brock Tice wrote:
On 12/28/2017 03:44 PM, James R Cutler wrote:
There is no prohibition of requesting an allocation which matches your network.
That is, simply request what is needed with suitable data for justification and
get your /40 or whatever.
We are currently han
On 2017-12-28 17:55, Michael Crapse wrote:
Yes, let's talk about waste, let's waste 2^64 addresses for a ptp.
If that was ipv4 you could recreate the entire internet with that many
addresses.
After all these years people still don't understand IPv6 and that's why
we're back to having to do NA
On 2017-12-27 22:38, Jima wrote:
On 2017-12-27 14:10, Jared Mauch wrote:
On Dec 27, 2017, at 3:50 PM, Grant Taylor via NANOG
wrote:
Doesn't Hulu (et al) have an obligation to provide service to their
paying customers?
Does this obligation extend to providing service independent of the
car
On 2017-06-20 23:12, James Braunegg wrote:
Dear All
Just wondering if anyone else saw this yesterday afternoon ?
Jun 20 16:57:29:E:BGP: From Peer 38.X.X.X received Long AS_PATH= AS_SEQ(2) 174
12956 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456 23456
23456 23456 23456 2345
On 2016-10-27 23:24, Ronald F. Guilmette wrote:
I put forward what I think is a reasonably modest scheme to try to get
IoT things to place hard limits on their "unsolicited" packet output at
the kernel level, and I'm going to go off now and try to find and then
engage some Linux embedded kernel pe
On 2016-10-22 00:39, Ronald F. Guilmette wrote:
P.S. To all of you Ayn Rand devotees out there who still vociferously
argue that it's nobody else's business how you monitor or police your
"private" networks, and who still refuse to take even minimalist steps
(like BCP 38), congratulations.
Wh
On 2016-09-26 18:03, John Levine wrote:
If you have links from both ISP A and ISP B and decide to send traffic
out ISP A's link sourced from addresses ISP B allocated to you, ISP A
*should* drop that traffic on the floor.
This is a legitimate and interesting use case that is broken by BCP38.
On 2016-09-26 15:12, Hugo Slabbert wrote:
On Mon 2016-Sep-26 10:47:24 -0400, Ken Chase wrote:
This might break some of those badly-behaving "dual ISP" COTS routers
out there
that use different inbound from outbound paths since each is the
fastest of
either link.
As it should.
If you hav
On 2016-09-09 19:52, Dan White wrote:
Are there any products you're using which are dedicated to responding to
customer facing pings?
PaaS (pong-as-a-service)?
I know this is against the popular religion here but how is this abuse
on the part of your customer? Google, Level3 and many others also run
open resolvers, because they're useful services. This is why we can't
have nice things.
On 2016-08-29 15:55, Jason Lee wrote:
NANOG Community,
I was
On 2016-06-08 18:57, Javier J wrote:
Tony, I agree 100% with you. Unfortunately I need ipv6 on my media subnet
because it's part of my lab. And now that my teenage daughter is
complaining about Netflix not working on her Chromebook I'm starting to
think consumers should just start complaining
On 2016-06-08 16:12, Owen DeLong wrote:
It’s a link, just like any other link, over which IPv6 can be transmitted.
You can argue that it’s a lower quality link than some alternatives, but I have
to tell you I’ve gotten much more reliable service at higher bandwidth from
that link than from my
On 2016-06-06 19:39, Christopher Morrow wrote:
Doing any sort of 'authentication' or 'authorization' on src-IP is just ..
broken.
This.
Netflix is pretending to have a capability (geolocation by src ip) that
doesn't exist and there is collateral damage from the application of
their half
On 2016-06-06 15:21, Tore Anderson wrote:
But Netflix shouldn't have any need to ask in the first place. Their
customers need to log in to their own personal accounts in order to
access any content, when they do Netflix can discover their addresses.
Tore
Hey there's an idea, how about they A
On 2016-06-05 23:45, Damian Menscher wrote:
Who are these non-technical Netflix users who accidentally stumbled
into having a HE tunnel broker connection without their knowledge? I
wasn't aware this sort of thing could happen without user consent, and
would like to know if I'm wrong. Only th
On 2016-06-05 22:48, Damian Menscher wrote:
What *is* standard about them? My earliest training as a sysadmin taught
me that any time you switch away from a default setting, you're venturing
into the unknown. Your config is no longer well-tested; you may experience
strange errors; nobody els
On 2016-06-05 21:18, Damian Menscher wrote:
This entire thread confuses me. Are there normal home users who are being
blocked from Netflix because their ISP forces them through a HE VPN? Or is
this massive thread just about a handful of geeks who think IPv6 is cool
and insist they be allowed to
On 2016-06-03 19:37, Matthew Huff wrote:
I would imagine it was done on purpose. The purpose of the Netflix VPN
detection was to block users from outside of different regions due to content
providers requests. Since HE provides free ipv6 tunnels, it's an easy way to
get around the blockage, h
On 2016-05-13 14:12, Lamar Owen wrote:
On 05/11/2016 09:46 PM, Josh Reynolds wrote:
maybe try [setting up an NTP server] with an odroid?
...
You really have to have at least a temperature compensated quartz
crystal oscillator (TCXO) to even begin to think about an NTP server,
for anything
On 2016-05-10 15:36, Mike wrote:
On 5/10/2016 11:22 AM, Leo Bicknell wrote:
In a message written on Mon, May 09, 2016 at 11:01:23PM -0400, b f wrote:
In search of stable, disparate stratum 1 NTP sources.
http://wpollock.com/AUnix2/NTPstratum1PublicServers.htm
We tried using “time.nist.gov”
On 2016-04-29 12:48, Nick Hilliard wrote:
Alain Hebert wrote:
PS: "Superfluous" is a nice way to say that the best path of a
subnet is the same as his supernet.
... from the point of view of the paths that you see, which is to say
two egress paths. Someone else on the internet may have a
On 2016-04-28 11:06, Alain Hebert wrote:
Well,
Once you eliminate the ~160k superfluous prefixes (last time I
checked)... This is a non-issue.
Some work on some sort of summary function would keep those devices
alive... but we all know there is more money to be made the faster t
On 2016-04-13 05:57, Todd Crane wrote:
As to a solution, why don’t we just register the locations (more or less) with
ARIN? Hell, with the amount of money we all pay them in annual fees, I can’t
imagine it would be too hard for them to maintain. They could offer it as part
of their public who
On 2016-04-11 18:15, John Levine wrote:
Bodies of water probably are the least bad alternative. I wonder if
they're going to hydrolocate all of the unknown addresses, or only the
ones where they get publicly shamed.
R's,
John
I imagine some consumers of the data will 'correct' the positi
Why not use the locations of their own homes? They're indirectly
sending mobs to randomly chosen locations. There's enough middle men
involved so they can all say they're doing nothing wrong, but wrong is
being done.
-Laszlo
On 2016-04-11 17:34, Steve Mikulasik wrote:
Just so everyone is
Mike,
Csaba's front page previously described the software as being a
'routerOS', like in the very first sentence on the page. I'm assuming
that the person who complained about that didn't read past the first
sentence and just wanted to troll. It's obvious to me that decades of
work have go
On 2015-09-27 12:24, John Schimmel wrote:
Most Web application firewalls have cross-site request forgery protection.
When a form is downloaded, the firewall inserts a hidden field or cookie
that contains the IP address of the request. When the form is submitted,
the firewall then verifies that t
On 2015-09-26 14:34, David Hubbard wrote:
Websites that require some type of authentication that is handled via
session cookies have been booting our users out randomly with "your ip
address has changed" type message. This occurs when their Mac decides
to switch between protocols because the si
On Jul 9, 2015, at 11:08 PM, Owen DeLong wrote:
>
>> On Jul 9, 2015, at 15:55 , Ricky Beam wrote:
>>
>> On Thu, 09 Jul 2015 18:23:29 -0400, Naslund, Steve
>> wrote:
>>> That would be Tivo's fault wouldn't it.
>>
>> Partially, even mostly... it's based on Bonjour. That's why the shit doesn't
"Your phone doesn't work with our network, so you should buy one that does"
vs
"Hey we can't connect, fix your network"
Kind of similar to the streaming video vs eyeball network thing.. blaming the
bad user experience on the other guy.
-Laszlo
On Jun 12, 2015, at 2:18 AM, Matthew Petach wrot
twork side and the client side end up having to support the
whole matrix of possible configurations, if the end goal is to provide a good
user experience, but this is not a good OS developer and network operator
experience because it creates more work for everyone and more trouble for users
when t
Lorenzo is probably not going to post anymore because of this.
It looks to me like Lorenzo wants the same thing as most everyone here, aside
from the university net nazis, and he's got some balls to come defend his
position against the angry old men of NANOG. Perhaps the approach of attacking
Mike,
I think it's fine to cut it up smaller than /24, and might actually help in
keeping people from routing the IX prefix globally.
-Laszlo
On Apr 5, 2015, at 12:35 AM, Mike Hammett wrote:
> Okay, so I decided to look at what current IXes are doing.
>
> It looks like AMS-IX, Equinix and
Is it possible that they are getting return traffic and it's just a localized
activity? The attacker could announce that prefix directly to the target
network in an IXP peering session (maybe with no-export) so that it wouldn't
set off your bgpmon. I guess that would make more sense if they we
If you're selling to end users, under promise and over deliver. Tell them
20Mbit but provision for 25. That way when they run their speedtest,
they're delighted that they're getting more, instead of being disappointed
and feeling screwed. In practice they will leave it idle most of the time
anyw
On Jun 23, 2014, at 3:32 AM, "Kalnozols, Andris" wrote:
>
> On 6/22/2014 7:41 PM, Frank Bulk wrote:
>> Did they ever explain why? Did the SMC function as a router, and act as the
>> customer side of a stub network that allowed that /29 to hang off the
>> router? If that was the case, and the
On Jun 19, 2014, at 12:18 PM, "STARNES, CURTIS"
wrote:
>
> At 18,446,744,073,709,551,616 per /64, that is a lot of address.
> Right now I cannot get IPv6 at home so I will take getting "screwed" with a
> /56 or /60 and be ecstatic about it.
>
> Curtis
>
>
>
Would be nice if everyone kept i
I'd just like to point out that a lot of people are in fact using their
upstream capability, and the operators always throw a fit and try to cut off
specific applications to force it back into the idle state. For example P2P
things like torrents and most recently the open NTP and DNS servers.
This CARP thing is the best troll I've seen yet. Over a decade old and people
are still on about it.
-Laszlo
On May 8, 2014, at 1:15 AM, Blake Dunlap wrote:
> Except for that whole mac address thing, that crashes networks...
>
> -Blake
>
> On Wed, May 7, 2014 at 8:03 PM, Constantine A. Mur
Two different sessions using two different transport protocols. The v4 BGP
session should have address family v6 disabled and vice versa. Exchange v4
routes over a v4 TCP connection, exchange v6 routes over a v6 TCP connection.
Just treat them as independent protocols.
-Laszlo
On May 2, 2
The generally accepted and scalable way to accomplish this is to advertise your
freshness preferences using the SOA record of your domain. It would be pretty
tricky to make this work with a swivel chair type system for every domain and
host on the internet. You would have to contact every user
. Their
> policy considers only effects mail originating from their users. Yahoo
> subscribers can receive messages from nanog just fine, but they can't send to
> it.
>
> Miles
>
> Laszlo Hanyecz wrote:
>> I don't see what the big deal is here. They d
I don't see what the big deal is here. They don't want your messages and they
made that clear. Their policy considers these messages spam. If you really
want to get your mailing list messages through, then you need to evade their
filters just like every other spammer has to.
-Laszlo
On Apr
You can still potentially access all the same information since it all goes
through the load balancer. Interesting bits of info are things like Cookie:
headers being sent by clients and sitting in a buffer. Try one of the testing
tools mentioned and see if you can see any info from other clien
They're just leaking every route right?
Is it possible to poison the AS paths you announce with their own AS to get
them to let go of your prefixes until it's fixed?
Would that work, or some other trick that can be done without their cooperation?
Thanks,
Laszlo
't trust end user devices or ISP CPE to be secure against
> intrusion)
>
> Scott Buettner
> Front Range Internet Inc
> NOC Engineer
>
> On 3/26/2014 8:33 AM, Laszlo Hanyecz wrote:
>> Maybe you should focus on delivering email instead of refusing it. Or just
>
Maybe you should focus on delivering email instead of refusing it. Or just
keep refusing it and trying to bill people for it, until you make yourself
irrelevant. The ISP based email made more sense when most end users - the
people that we serve - didn't have persistent internet connections. T
Maybe we could give everyone globally unique numbers and end to end
connectivity. Then maybe the users themselves can send email directly to each
other without going through this ESP cartel.
-Laszlo
On Mar 26, 2014, at 2:51 AM, Rob McEwen wrote:
> On 3/25/2014 10:25 PM, Brielle Bruns wrote:
The OP doesn't have control over the reverse DNS on the AT&T 6rd. Spam
crusades aside, it can be seen as just another case of 'putting people in their
place', reinforcing that your end user connection is lesser and doesn't entitle
you to participate in the internet with the big boys. How do
The usefulness of reverse DNS in IPv6 is dubious. Maybe the idea is to cause
enough pain that eventually you fold and get them to host your email too.
-Laszlo
On Mar 25, 2014, at 8:57 PM, Brielle Bruns wrote:
> On 3/25/14, 11:56 AM, John Levine wrote:
>> I think this would be a good time to
On Mar 24, 2014, at 5:05 PM, "Patrick W. Gilmore" wrote:
> On Mar 24, 2014, at 12:21, William Herrin wrote:
>> On Sun, Mar 23, 2014 at 11:07 PM, Naslund, Steve
>> wrote:
>
>>> I am not sure I agree with the basic premise here. NAT or Private
>>> addressing does not equal security.
>
>> M
On Mar 23, 2014, at 4:57 PM, Mark Andrews wrote:
>
>
> Basically because none of them have ever been on the Internet proper
> where they can connect to their home machines from wherever they
> are in the world directly. If you don't know what it should be
> like you don't complain when you a
It's temporary unless it works.
-Laszlo
On Mar 18, 2014, at 11:30 PM, Jay Ashworth wrote:
> - Original Message -
>> From: "Stephen Sprunk"
>
>> On 18-Mar-14 17:54, Niels Bakker wrote:
>>> * w...@typo.org (Wayne E Bouchard) [Tue 18 Mar 2014, 23:53 CET]:
I have had to do this at t
Good question, but the reality is that a lot of them are this way. They just
forward everything from any source. Maybe it was designed that way to support
DDoS as a use case.
Imagine a simple iptables rule like -p udp --dport 53 -j DNAT --to 4.2.2.4
I think some forwarders work this way - the
Filtering will always break something. Filtering 'abusive' network traffic is
intentionally difficult - you either just let it be, or you filter it along
with the 'good' network traffic that it's pretending to be. How can you even
tell it's NTP traffic - maybe by the port numbers? What if som
send only a few seconds worth of
flooding each time.
On Feb 4, 2014, at 6:52 PM, William Herrin wrote:
> On Tue, Feb 4, 2014 at 1:45 PM, Laszlo Hanyecz wrote:
>> Why not just provide a public API that lets users specify which
>> of your customers they want to null route?
>
Why not just provide a public API that lets users specify which of your
customers they want to null route? It would save operators the trouble of
having to detect the flows.. and you can sell premium access that allows the
API user to null route all your other customers at once.
Once everyone
Yes, a /27 is too small. You need at least a /24.
On Jan 25, 2014, at 9:17 PM, Drew Linsalata wrote:
> Yeah, it's been a while since I had to get involved in this. We have a
> customer with their own IPv4 allocation that wants us to announce a /27 for
> them. Back in "the day", it was /24 or la
It's standard to filter out anything longer than /48.
Your /36 prefix was chosen based on the number of sites, with a /48 per site,
so just keep it simple. Trying to manage it in the way IPv4 addresses were
managed will just ensure that you will have the same headaches of micro
managing sub al
When a user signs up for a social media account they generally do so by
providing an email address like vic...@freewebmailsite.com and selecting a
password. The social media site can obviously probe freewebmailsite.com and
attempt to authenticate using the same password that you just provided t