pgp.mit.edu has been sporadically available for me over the last while, but yea AFAIU sks-keyservers
shut down after the DoS drama, as did most of the old servers in the pool.
I believe keyserver.ubuntu.com generally works and doesn't strip all the signatures and whatnot off
keys when they
On 7/19/24 8:44 PM, joel jaeggli wrote:
On 7/19/24 15:07, Sean Donelan wrote:
What is the current estimated diameter of the Internet?
Maximum (worst-case) RTT edge-to-edge?
Most public latency data is now edge-to-cloud, not edge-to-edge. Cloud engineers have done a great
job, and
On 7/6/24 8:06 PM, Robert McKay via NANOG wrote:
On 2024-07-06 21:11, John Von Essen wrote:
Ok… now a rabbit hole. I looked at some vanity TLDs, and it appears
that a lot of big companies have their names as TLDs, but almost none of
them are using it for anything. Why is that? Is it just a
On 11/13/23 12:57 PM, Matt Corallo wrote:
I'd be very curious to see a lawsuit over an IP hijack that isn't interfering with the operation of
any of Cogent's services and is restoring service to HE's customers. Doubly so if they prepend
aggressively to avoid it being a preferred path (Cogent
? That would end in a lawsuit and potentially even more
de-peering between them.
Ryan Hamel
*From:* NANOG on behalf of Matt Corallo
*Sent:* Monday, November 13, 2023 11:32 AM
*To:* Bryan Fields
On 11/8/23 2:23 PM, Bryan Fields wrote:
On 11/8/23 2:25 PM, o...@delong.com wrote:
Seems irresponsible to me that a root-server (or other critical DNS provider) would engage in a
peering war to the exclusion of workable DNS.
I've brought this up before and the root servers are not really an
Thank you!
This is awesome and very, very much needed work.
RPKI has plugged some major security issues with the DFZ, but in exchange
introduced substantial other ones. It sucks it took AFRINIC imploding to
motivate more time fixing it, but I’m super glad you’re working on it!
We should also
I believe same for name.au where `name` has a DS record. Same for net.au./DS,
etc.
Matt
On 9/17/23 5:48 PM, Matt Corallo wrote:
Just in case anyone wonders why *.com.au isn't loading for their customers, the RRSIG covering
.com.au/DS expired at 00:05:29 UTC (about 40 minutes ago now).
Matt
I get quite a bit of spam that is a "reply" to old NANOG posts (some dating back a year or more).
Seems to only happen on some specific threads, dunno why though.
Definitely recommend using a nanog-specific alias and auto-spam-folder'ing anything to that alias
that isn't CC nanog@nanog, that
*From:* NANOG on behalf of Matt Corallo
*Sent:* Friday, July 14, 2023 5:46 PM
*To:* Neil Hanlon ; nanog@nanog.org
*Subject:* Re: Request for assistance with Verizon FIOS connection
I've always had good luck
I've always had good luck with https://consumercomplaints.fcc.gov/hc/en-us. This tends to result in
a higher-level tech getting assigned to your ticket at least at larger providers. Depending on where
you are, your local government may have a similar process (e.g. in NYC the city has a similar
Loads for me and just has a "we're shutting down notice", copied below.
But, like they say, modern whois knows where to look, no need to use anything else, I think as long
as you're not stuck trying to use macOS or something else shipping weird ancient un-updated unix tools.
Matt
On 6/20/23 10:20 PM, Masataka Ohta wrote:
Matt Corallo wrote:
So, let's recognize ISPs as trusted authorities and
we are reasonably safe without excessive cost to
support DNSSEC with all the untrustworthy hypes of
HSMs and four-eyes principle.
I think this list probably has a few things
On 6/19/23 8:08 PM, Masataka Ohta wrote:
Matt Corallo wrote:
This is totally unrelated to the question at hand. There wasn't a question about whether a user
relying on trusted authorities can maybe be whacked by said trusted authorities (though there's
been a ton of work in this space, most
On 6/19/23 2:08 AM, Masataka Ohta wrote:
Matt Corallo wrote:
Both in theory and practice, DNSSEC is not secure end to
end
Indeed, but (a) there's active work in the IETF to change that (DNSSEC stapling
to TLS certs)
TLS? What? As was demonstrated by diginotar, PKI
On 6/18/23 12:53 AM, Masataka Ohta wrote:
Matt Corallo wrote:
That's great in theory, and folks should be using DNSSEC [1],
Wrong.
Both in theory and practice, DNSSEC is not secure end to
end
Indeed, but (a) there's active work in the IETF to change that (DNSSEC stapling to TLS certs
or spoofing responses of some of your queries
to a root server, it’s been game over for a long time.
On Sat, Jun 17, 2023 at 10:29 AM Matt Corallo <na...@as397444.net> wrote:
On 6/17/23 7:12 AM, Tom Beecher wrote:
> Bill-
>
> Don't say, "
On 6/17/23 7:12 AM, Tom Beecher wrote:
Bill-
Don't say, "We'll keep it up for as long as we feel like it, but at
least a year." That's crap.
30% of the root servers have been renumbered in the last 25 years.
h : 2015
d: 2013
l : 2007
j : 2002
For these 4 cases, only a 6 month
On 6/3/23 4:17 PM, William Herrin wrote:
On Sat, Jun 3, 2023 at 12:46 PM Matt Corallo wrote:
I assume RHEL would ship a root hints update during that time, but such things
can slip through pretty easily as it's not a security update.
Hi Matt,
It *is* a security update. That's a really
On 6/1/23 3:57 PM, William Herrin wrote:
Certainly we would appreciate other opinions about what the right length
of a change-over time would be, especially from the operational
communities that will be most impacted by this change.
A server generation is about 3 years before it's obsolete
Lots of replies saying which of BIRD/exabgp/frr/quagga/openbgpd folks prefer, but they're all pretty
good. Honestly for such a project they're all just as great, it comes down mostly to what you're
used to config-wise. Used to big metal router configuration? You might find BIRD foreign. Used to
Is this in relation to the old opensource archived ElastiFlow or the new proprietary one with only
subscription options above a certain flow count? Presumably the subscription comes with some kind of
support?
I think the only option left for open source flow monitoring is the new
On 3/5/23 7:00 PM, Matt Corallo wrote:
On 3/5/23 12:34 PM, Dave Taht wrote:
I rather enjoyed doing this podcast a few weeks ago, (and enjoy this
podcast a lot, generally), and it talks to what I've been up to for
the past year or so on fixing bufferbloat for ISPs.
https
You might try the Mailop list at https://www.mailop.org/, they're definitely
active over there.
Matt
On 12/14/22 11:54 AM, Sam Roche wrote:
If someone from the Yahoo mail admin team is on the list, could you please reach out to me
privately? We had an issue where our customer SMTP server was
It would be nice if IPvFoo showed the bytes and connection/request count. It's going to be a
loonnggg time before we can do consumer internet browsing with no v4, until then it's about reducing
cost of CGNAT with reduced packets/connections.
For twitter, the main site is v4, yea, but
On 9/9/22 1:58 PM, Vincent Bernat wrote:
On 2022-09-09 19:36, Matt Corallo wrote:
The attacker is still limited to the target directory. The attacker can send files that were
excluded or not requested, but they still end up in the target directory. RPKI validators
download stuff
On 9/9/22 2:36 AM, Vincent Bernat wrote:
The attacker is still limited to the target directory. The attacker can send files that were
excluded or not requested, but they still end up in the target directory. RPKI validators download
stuff in a dedicated download directory
Ah, okay, thanks,
Has anyone done an analysis of the rsync CVE-2022-29154 (which "allows malicious remote servers to
write arbitrary files inside the directories of connecting peers") and its potential impact on RPKI
validators? It looks like both Debian [1] and Ubuntu [2] opted *not* to patch rsync in their
On 5/6/22 5:58 PM, Amir Herzberg wrote:
Hi NANOGers,
Questions:
- Do you find zone enumeration a real concern?
I have found that some people who are concerned about such things will have LetsEncrypt certs for
many of the same hosts they were worried about - which of course makes the DNS
Hi network operators,
As RPKI validation continues to become increasingly broadly deployed (yay!), I wanted to highlight
and ask what deployment policies are towards dependency validation and pinning of RPKI validation
software. For example, routinator's dependency graph is somewhat large, and
Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
> Midwest-IX
> http://www.midwest-ix.com
>
> From: "Matt Corallo"
> To: "Mike Hammett" , "NANOG"
> Sent: Thursday, August 5, 2021 3:44:43 PM
> Subject: Re: Abuse
There's a few old threads on this from last year or so, but while unmonitored abuse contacts are terrible, similarly,
people have installed automated abuse contact spammer systems which is equally terrible. Thus, lots of the large hosting
providers have deemed the cost of actually putting a
If anyone has a good contact at Akami, please reach out off-list.
We are getting Akamai Access Denied errors on eyeballs trying to schedule
COVID-19 appointment slots like the below:
Access Denied
You don't have permission to access
, it can avoid
longer negative caching while they work on a real hosting deal.
Matt
> On Jan 14, 2021, at 00:29, William Herrin wrote:
>
> On Wed, Jan 13, 2021 at 9:22 PM Matt Corallo wrote:
>> Sure, I just found it marginally comical that amazon, after making a big
>> stink a
for the domain, so it’s not as
comparable as I understood it to be.
Matt
> On Jan 14, 2021, at 00:10, William Herrin wrote:
>
> On Wed, Jan 13, 2021 at 9:02 PM Valdis Klētnieks
> wrote:
>> On Wed, 13 Jan 2021 18:41:55 -0500, Matt Corallo said:
>>> parler.com.
registrar, but
that would truly be a reach, since they aren't Parler's Web host.
--
Hunter Fuller (they)
Router Jockey
VBH Annex B-5
+1 256 824 5331
Office of Information Technology
The University of Alabama in Huntsville
Network Engineering
On Wed, Jan 13, 2021 at 5:42 PM Matt Corallo wrote:
In case anyone thought Amazon was being particularly *careful* around their enforcement of Parler's ban...this is from
today on parler's new host:
$ dig parler.com ns
...
parler.com. 300 IN NS ns4.epik.com.
parler.com. 300 IN NS ns3.epik.com.
On Nov 15, 2020, at 5:58 PM, Matt Corallo na...@as397444.net wrote:
Has anyone else experienced issues where Telia won't withdraw (though will
happily accept an overriding) prefixes for the past week, at least?
I have seen issues like this in a network that I operated. In that p
For those curious, Johan indicated on Twitter this was a JunOS bug.
https://twitter.com/gustawsson/status/1328298914785730561
Matt
> On Nov 15, 2020, at 23:13, Matt Corallo wrote:
>
> Maybe? Never been an issue before. In this case the route does have a depref
> community on Tel
;
> One of the routing gears on the path doesn't like the large community inside
> those routes maybe ? :)
> By the way we currently see 2620:6e:a002::/48 at LINX LON1 from Choopa and
> HE...
>
>> Le 16 nov. 2020 à 04:44, Matt Corallo a écrit :
>>
>> Yea, I did try
ago we experienced something similar (it was a router of TI Sparkle
still advertising a prefix of us in Asia to their clients, that they were
previously receiving from our former transit GTT – we were advertising it in
Europe...).
Le 16 nov. 2020 à 02:58, Matt Corallo a écrit :
Has anyone else exper
Has anyone else experienced issues where Telia won't withdraw (though will happily accept an overriding) prefixes for
the past week, at least?
eg 2620:6e:a003::/48 was a test prefix and should not now appear in any DFZ, has not been announced for a few days at
least, but shows up in Telia's LG
Their site is confusing - they were historically (and still are, in most
places) a DSL provider using AT&T for the last hop into the house. Over the
past few years they've built out their own fiber network which currently has a
much smaller footprint. Definitely by far the best residential
While I certainly agree with you, I have a certainly-naive question - what the
difference is between ARIN and RIPE's T:
Aug 3 19:07:15 rpki-validator rpki-client[16164]: The RIPE NCC Certification
Repository is subject to Terms and Conditions
Aug 3 19:07:15 rpki-validator rpki-client[16164]:
ions
often don't involve their abuse system should tell us something.
Matt
On 4/29/20 3:44 AM, Dan Hollis wrote:
> On Tue, 28 Apr 2020, Matt Corallo wrote:
>> Sadly dumb kids are plentiful. If you have to nag an abuse desk every time
>> they sell a server to a kid who’s
, William Herrin wrote:
> On Wed, Apr 29, 2020 at 3:36 PM Matt Corallo wrote:
>> I do, in this case, have such a right, because I know exactly what is going
>> on in my network,
>
> Hi Matt,
>
> If someone in your address space is knock-knocking on a stranger's ssh
> ports
I don't think anyone in this thread meant to suggest that there is no reason to
be concerned about such scans, as you
point out they are occasionally compromised hosts and the like. The real
question here is what is the cost of sending
all that mail?
The abuse system as it exists today is
ng to the noise.
>
> On Tue, Apr 28, 2020 at 9:40 AM Matt Corallo via NANOG
> wrote:
>> Please don't use this kind of crap to send automated "we received 3 login
>> attempts on our SSH box..wa" emails.
>> This is why folks don't have abuse contacts
I think we all agree with this. The real question is...how do we build such a
thing? The abuse process we have clearly
doesn't work. Maybe it's the fault of the Big Providers (AWS/GCP/OVH/etc) who
don't invest enough to have a robust
abuse-processing system to actually deal with reports, maybe
of
the real crap out there comes from hosting
providers like the above who don't have the bandwidth to respond.
Matt
On 4/29/20 7:55 AM, Rich Kulawiec wrote:
> On Tue, Apr 28, 2020 at 12:40:12PM -0400, Matt Corallo via NANOG wrote:
>> Please don't use this kind of crap to send automated "
Hi Matt
>
>> On Tue, Apr 28, 2020 at 11:02:04PM -0700, Matt Corallo wrote:
>> DDoS, hijacker, botnet C&C, compromised hosts,
>> sufficiently-hard-to-deal-with phishing, etc are all things that carry
>> real risk to services that are otherwise well-maintained (primarily in
>>
lis wrote:
>>> On Tue, 28 Apr 2020, Matt Corallo via NANOG wrote:
>>> Please don't use this kind of crap to send automated "we received 3 login
>>> attempts on our SSH box..wa" emails.
>>> This is why folks don't have abuse contacts that are respo
Please don't use this kind of crap to send automated "we received 3 login
attempts on our SSH box..wa" emails.
This is why folks don't have abuse contacts that are responsive to real issues
anymore.
Matt
On 4/28/20 11:57 AM, Mike Hammett wrote:
> I noticed over the weekend that a
ote:
>
>
>
>
>> On Tue, Apr 21, 2020 at 1:10 PM Matt Corallo via NANOG
>> wrote:
>> That’s an interesting idea. I’m not sure that LACNIC would want to issue a
>> ROA for RIPE IP space after RIPE issues an AS0 ROA, though. And you’d at
>> least need some kind o
Not sure how this helps? If RIPE (or a government official/court) decides the
sanctions against Iranian LIRs prevents them from issuing number resources to
said LIRs, they would just remove the delegation. They’d probably then issue an
AS0 ROA to replace out given the “AS0 ROA for bogons”
Right until RIPE finishes deploying AS0 ROAs for bogons, which I recall is
moving forward :p.
> On Apr 21, 2020, at 03:01, Mark Tinka wrote:
>
>
>
>> On 21/Apr/20 08:51, Matt Corallo via NANOG wrote:
>>
>> Instead of RIRs coordinating address space use by k
That's an interesting idea. I'm not sure that LACNIC would want to issue a ROA
for RIPE IP space after RIPE issues an AS0 ROA, though. And you'd at least need
some kind of time delay to give other RIRs and operators a chance to discuss
the matter before allowing RIPE to issue the AS0 ROA, eg
I don’t really get the point of bothering, then. AWS takes about ~forever to
respond to SES phishing reports, let alone hosting abuse, and other, cheaper,
hosts/mailers (OVH etc come up all the time) don’t bother at all. Unless you
want to automate “1 report = drop customer”, you’re saying that
ote:
>
> On Wed, 01 Apr 2020 12:47:22 -0700, Matt Corallo said:
>
>> No one suggested it isn't censorship, you're baiting here. Not deploying
>> enough international capacity is absolutely a form of censorship deployed to
>> great avail - if international sites load
No one suggested it isn't censorship, you're baiting here. Not deploying enough
international capacity is absolutely a form of censorship deployed to great
avail - if international sites load too slow, you can skimp on GFW appliances!
Matt
> On Apr 1, 2020, at 12:26, Pengxiong Zhu wrote:
> Many
Note, of course, further, that "the GFW" is not a single appliance, nor
even a standard, common appliance. There are very different "GFWs" based
on which link you're looking at, which telco it is, etc. Indeed, usually
traffic to Hong Kong is affected much less by the GFW than other links
(though
t; Best,
> Pengxiong Zhu
> Department of Computer Science and Engineering
> University of California, Riverside
>
>
> On Mon, Mar 2, 2020 at 8:38 AM Matt Corallo <na...@as397444.net> wrote:
>
> It also gives local competitors a leg up by helping domestic apps
It also gives local competitors a leg up by helping domestic apps perform
better simply by being hosted domestically (or making foreign players host
inside China).
> On Mar 2, 2020, at 11:27, Ben Cannon wrote:
>
>
> It’s the Government doing mandatory content filtering at the border. Their
lol no that’s even worse. “We put routing on the blockchain to make it secure
and scalable the two things blockchains generally aren’t, now please buy
our token “.
> On Jan 9, 2020, at 11:28, Aistis Zenkevičius wrote:
>
> So, a bit like this then: https://noia.network/technology
>
>
Ah, right. Fair. I was responding, I suppose, to Rubens' original
description, which was exactly this.
On 12/11/19 5:08 PM, Christopher Morrow wrote:
> On Wed, Dec 11, 2019 at 11:35 AM Matt Corallo wrote:
>>
>> Right, but you’re also taking a strong, cryptographically-authentic
Right, but you’re also taking a strong, cryptographically-authenticated system
and making it sign non-authenticated data. Please don’t do that. If you want to
add the data to RPKI, there should be a way to add the data to RPKI, not sign
away control of your number resources to unauthenticated
Not ideal, sure, but if it’s only for the SYN (as you seem to indicate),
splitting the flow shouldn’t have material performance degradation?
> On Nov 13, 2019, at 11:51, Toke Høiland-Jørgensen wrote:
>
>
>
>> On 13 November 2019 17:20:18 CET, Matt Corallo wrote:
>>
This sounds like a bug on Cloudflare’s end (cause trying to do anycast TCP
is... out of spec to say the least), not a bug in ECN/ECMP.
> On Nov 13, 2019, at 11:07, Toke Høiland-Jørgensen via NANOG
> wrote:
>
>
>>
>> Hello
>>
>> I have a customer that believes my network has a ECN problem.
You find it hypocritical that they host booter services? I find it hypocritical
(and criminal, if anyone could prove it more than laughably strong correlation)
that Cloudflare sales reps had such an impressive knowledge of when sites were
getting DDoSed that they could show up to offer service
How do people view the automated generation of abuse reports? I’ve seen lots of
(understandable) moaning about large providers not handling abuse reports, and
lots of (understandable) suggestions that ARIN test for the reachability of
abuse contacts.
On the flip side, I run a Tor exit node (as
It was mentioned in this (partially related) thread, with all the responses
being the predictable “lol these folks in Silicon Valley need to lay off the
drugs”.
https://mailman.nanog.org/pipermail/nanog/2019-September/103059.html
Matt
> On Sep 30, 2019, at 19:25, Jay R. Ashworth wrote:
>
>
Come on dude, you could just respond with the requested LoAs and purchase
agreements and yet instead you threaten lawsuits. No one with half a brain even
skimming this thread will conclude that you're innocent in this matter (a lapse
in accuracy or two here and there by Mr Guilmette
Because getting each ISP in the world to comply with NSA monitoring requests
was too hard, instead they get to centralize the full list of every website the
everyone in the world visits on a single fleet of servers in Cloudflare's
datacenters. This means we only need to compromise one person to
When using a data-only Fi SIM (which are free if you have an account, just pay
the bandwidth), they always just act as a T-Mobile US MVNO and route back
through the US. Still, latency aside, I've found it incredibly reliable (plus
in many countries you can pick from multiple networks).
If you
Two weeks? We're at two months and counting. Honestly about to walk away
from the contract at this point, fees or no.
Matt
On 7/24/19 12:12 AM, Stephen Frost wrote:
> Since there was a comment on this again, I figure I'll provide an update
> ('just' the facts...)- it's now been two more weeks
I presume they'd be more than happy to if some HAM's were to file a lawsuit
against ARIN (not entirely an un-serious suggestion), but, short that, what do
they care if they cooperated in stealing some otherwise-unused IPs and giving
them to Amazon?
Matt
> On Jul 18, 2019, at 23:44, William
Oops, I mean with a script which removes such routes if there is an
encompassing route which a different upstream takes, as obviously the
more-specific would otherwise still win.
Matt
On 7/6/19 5:44 PM, Matt Corallo wrote:
> On my test net I take ROA_INVALIDs and convert them to unreachab
On my test net I take ROA_INVALIDs and convert them to unreachables with
a low preference (ie so that any upstreams taking only the shorter path
will be selected, but so that such packets will never be routed).
Obviously this isn't a well-supported operation, but I'm curious what
people think of
There's also https://github.com/NLNOG/bgpalerter (which I believe they're
trying to turn into a website frontend based on RIS, but I run it with patches
for as_path regexes and it works pretty well).
> On Jun 16, 2019, at 07:40, Michael Hallgren wrote:
>
> RIS Live API is a choice for this.
>
I presume you were contacting them due to their (apparently) bogus SPF
parsing? Seems they recently broke something and email servers I've been
sending from for 10 years without much configuration change recently
started getting generic SPF-looking failure messages (I guess they don't
properly
Required or not, I've seen a number of networks doing this. At some point
"single global ASN" became a marketable pitch and folks realized they don't
actually have to have a single Network to get it.
Matt
(Oops +nanog, sorry Mel + William)
> On May 30, 2019, at 13:10, Mel Beckman wrote:
>
>