From mark at tinka.africa Sat Apr 1 09:14:24 2023 From: mark at tinka.africa (Mark Tinka) Date: Sat, 1 Apr 2023 11:14:24 +0200 Subject: 100G-LR1 (DR/FR) In-Reply-To: References: <2946A06F-B335-4997-B78C-0D795DEEBFF8@puck.nether.net> Message-ID: On 3/31/23 15:51, Ca By wrote: > We use a lot of 100g-FR > > For dense deployment and limited faceplate space, 100g-fr / dr are the > only way. > > LR4 is dead to me. We run the SR4 optics for in-rack cabling, because they are about 4X cheaper than all the single-mode options. We have been heavy on the LR4 optics, but are now starting to test (and if happy, switch to) the FR units, as they are even cheaper than the LR4 option. The DR options don't make much sense for us, because we prefer the SR4 for in-rack cabling, and given how large data centres are nowadays, 500m might not enough to interconnect with customers. But for un-amplified Metro-E deployments, we are looking forward to testing Adva's 100G-ZR, which is also a single lane optic. Mark. -------------- next part -------------- An HTML attachment was scrubbed... URL: From arizonagull at gmail.com Mon Apr 3 00:14:05 2023 From: arizonagull at gmail.com (David Siegel) Date: Sun, 2 Apr 2023 18:14:05 -0600 Subject: 100G-LR1 (DR/FR) In-Reply-To: <2946A06F-B335-4997-B78C-0D795DEEBFF8@puck.nether.net> References: <2946A06F-B335-4997-B78C-0D795DEEBFF8@puck.nether.net> Message-ID: At this point, I'd be happy to see others happily deploy a single-lambda optic of almost any variety! Since deploying 400G in a clients network (but 100G still being the preferred connection choice), any inquiry with respect to LR1, FR1 or DR+ is met with "no thanks, LR4 please." If asked, I'd recommend FR1. They're available at a great price-point, and 2km reach is adequate for most applications. On Fri, Mar 31, 2023 at 7:25?AM Jared Mauch wrote: > The common tech is 100G-LR4 these days - I'm wondering how many operators > are supporting the LR1 to allow its use on 400G and future 800G optics as > those use breakout to support 100G ports. > > Would you rather do a 400G port on a router vs 100LR1? > > Curious what others think. > > Sent via RFC1925 compliant device -------------- next part -------------- An HTML attachment was scrubbed... URL: From nanog at ics-il.net Mon Apr 3 05:21:29 2023 From: nanog at ics-il.net (Mike Hammett) Date: Mon, 3 Apr 2023 00:21:29 -0500 (CDT) Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging Message-ID: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> We have a Nexus 3064 that is setup with partial BGP tables and is routing based on that. I've done a show ip bgp for an IP of interest and it has an expected next hop IP. I show ip arp on that next hop IP and it has the expected interface. However, sFlows show the packets leaving on a different interface, the one that would carry the default route for routes not otherwise known. If the next hop IP is expected and the ARP of that next hop IP is expected, why are packets leaving out an unexpected interface? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From contemno at gmail.com Mon Apr 3 05:35:43 2023 From: contemno at gmail.com (Joshua Miller) Date: Mon, 3 Apr 2023 01:35:43 -0400 Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> Message-ID: Is the BGP route getting installed into the rib? On Mon, Apr 3, 2023, 01:24 Mike Hammett wrote: > We have a Nexus 3064 that is setup with partial BGP tables and is routing > based on that. > > > I've done a show ip bgp for an IP of interest and it has an expected next > hop IP. I show ip arp on that next hop IP and it has the expected interface. > > > > However, sFlows show the packets leaving on a different interface, the one > that would carry the default route for routes not otherwise known. > > > If the next hop IP is expected and the ARP of that next hop IP is > expected, why are packets leaving out an unexpected interface? > > > > ----- > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jay at west.net Mon Apr 3 05:44:54 2023 From: jay at west.net (Jay Hennigan) Date: Sun, 2 Apr 2023 22:44:54 -0700 Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> Message-ID: <7c3e93b2-748a-a9a3-66a5-1a3adcee1ee5@west.net> On 4/2/23 22:21, Mike Hammett wrote: > We have a Nexus 3064 that is setup with partial BGP tables and is > routing based on that. > > > I've done a show ip bgp for an IP of interest and it has an expected > next hop IP. I show ip arp on that next hop IP and it has the expected > interface. > > > However, sFlows show the packets leaving on a different interface, the > one that would carry the default route for routes not otherwise known. What does traceroute to that IP show? -- Jay Hennigan - jay at west.net Network Engineering - CCIE #7880 503 897-8550 - WB6RDV From jay at west.net Mon Apr 3 06:02:42 2023 From: jay at west.net (Jay Hennigan) Date: Sun, 2 Apr 2023 23:02:42 -0700 Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> Message-ID: On 4/2/23 22:21, Mike Hammett wrote: > We have a Nexus 3064 that is setup with partial BGP tables and is > routing based on that. > > > I've done a show ip bgp for an IP of interest and it has an expected > next hop IP. I show ip arp on that next hop IP and it has the expected > interface. > > > However, sFlows show the packets leaving on a different interface, the > one that would carry the default route for routes not otherwise known. > > > If the next hop IP is expected and the ARP of that next hop IP is > expected, why are packets leaving out an unexpected interface? Another route to the destination from a routing protocol with a lower distance? What does "show ip route [destination]" look like? -- Jay Hennigan - jay at west.net Network Engineering - CCIE #7880 503 897-8550 - WB6RDV From mhuff at ox.com Mon Apr 3 10:38:23 2023 From: mhuff at ox.com (Matthew Huff) Date: Mon, 3 Apr 2023 10:38:23 +0000 Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> Message-ID: <9fe9fab599304900b93393540cba97c4@ox.com> switch-core1# sh forwarding route x.x.x.x slot 1 ======= IPv4 routes for table default/base ------------------+-----------------------------------------+----------------------+-----------------+----------------- Prefix | Next-hop | Interface | Labels | Partial Install ------------------+-----------------------------------------+----------------------+-----------------+----------------- x.x.x.x/24 x.x.x.250 Ethernet1/29 switch-core1# show routing hash x.x.x.x y.y.y.y Load-share parameters used for software forwarding: load-share mode: address source-destination port source-destination Hash for VRF "default" Hashing to path *y.y.y.y Eth1/29 For route: y.y.y.0/24, ubest/mbest: 1/0 *via z.z.z.z, Eth1/29, [90/3072], 1w2d, eigrp-100, internal From: NANOG On Behalf Of Mike Hammett Sent: Monday, April 3, 2023 1:21 AM To: NANOG Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging We have a Nexus 3064 that is setup with partial BGP tables and is routing based on that.? I've done a show ip bgp for an IP of interest and it has an expected next hop IP. I show ip arp on that next hop IP and it has the expected interface.? However, sFlows show the packets leaving on a different interface, the one that would carry the default route for routes not otherwise known.? If the next hop IP is expected and the ARP of that next hop IP is expected, why are packets leaving out an unexpected interface?? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com From mark at tinka.africa Mon Apr 3 11:04:03 2023 From: mark at tinka.africa (Mark Tinka) Date: Mon, 3 Apr 2023 13:04:03 +0200 Subject: 100G-LR1 (DR/FR) In-Reply-To: References: <2946A06F-B335-4997-B78C-0D795DEEBFF8@puck.nether.net> Message-ID: On 4/3/23 02:14, David Siegel wrote: > At this point, I'd be happy to see others happily deploy a > single-lambda optic of almost any variety!? Since deploying 400G in a > clients network (but 100G still being the preferred connection > choice), any inquiry?with respect to LR1, FR1 or DR+ is met with "no > thanks, LR4 please." > > If asked, I'd recommend FR1.? They're available at a great > price-point, and 2km reach is adequate for most applications. Agreed. Pricing between LR4, FR and DR is not too far apart. The only optic that is substantially cheaper than all of them is the SR4. So in my mind, FR is the most ideal, although I'd still use SR4 for in-rack, multi-mode cabling. Mark. From nanog at ve4.ca Sun Apr 2 05:12:07 2023 From: nanog at ve4.ca (Glen A. Pearce) Date: Sat, 1 Apr 2023 23:12:07 -0600 Subject: BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing E-mail or real...) Message-ID: <353e8a6d-56f0-ac2f-4b80-d9d9f88ccaaa@ve4.ca> Hi All: I received an E-mail with an attachment claiming something on my network is infected and that I should look at the attachment to find out what. Normally I think everything with an attachment is phishing to get me to run malware but: #1: The sites linked to in it seem to be legit German ??? government websites based on Wikipedia entries that ??? haven't changed in several years. ??? (Looked at archive.org) #2: The attachment is a .txt file which I've normally ??? assumed to be safe. #3: None of the usual dead giveaways that most phishing ??? E-mails have. If it is a phishing E-mail it has got to be the cleverest one I've ever seen, though someone would try to be cleaver considering the target would be holders of IP blocks. I right clicked and checked properties to make sure the attached ip_addresses.txt file really is a text file and not some fancy trickery with reverse direction characters ( As seen on https://www.youtube.com/watch?v=ieQUy8YTbFU ) I tried poking around to see if there was some vulnerability in notepad (or some versions of it) that I didn't know about and only found a vulnerability in the text editor on Macs but nothing with Windows Notepad. The other thing I felt was a bit off is that the originating mail server is in Deutsche Telekom AG space and not IP Space registered to the German government.? I'm thinking someone could rent some IP space from Deutsche Telekom AG with a connection to them in a data center and get the DNS delegated to them so they could set the reverse DNS to whatever they want. A lot of effort to try to look legit by coming out of Germany and having a government domain in the reverse DNS to look like a plausible legit outsourcing but again Network operators are the target audience so the normal tricks that work on the general public won't work with this group so I can see someone going that far. I'll attach the E-mail below with all headers.? Has anyone else gotten these?? Is there some security risk opening it in Windows Notepad that I don't know about or is it actually safe to open this? Return-Path: Delivered-To: [REDACTED] Received: from ezp08-pco.easydns.vpn ([10.5.10.148]) ?? ?by ezb03-pco.easydns.vpn with LMTP ?? ?id oCfeBO/yEmTokhgAzaFxkQ ?? ?(envelope-from ) ?? ?for <[REDACTED]>; Thu, 16 Mar 2023 10:43:59 +0000 Received: from smtp.easymail.ca ([127.0.0.1]) ?? ?by ezp08-pco.easydns.vpn with LMTP ?? ?id WCB5BO/yEmSHdgEABcrfzg ?? ?(envelope-from ); Thu, 16 Mar 2023 10:43:59 +0000 Received: from localhost (localhost [127.0.0.1]) ?? ?by smtp.easymail.ca (Postfix) with ESMTP id 0DC85557DF ?? ?for ; Thu, 16 Mar 2023 10:43:59 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at ezp08-pco.easydns.vpn X-Spam-Flag: NO X-Spam-Score: 0.075 X-Spam-Level: X-Spam-Status: No, score=0.075 required=4 tests=[BAYES_00=-1.9, ?? ?DEAR_SOMETHING=1.973, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, ?? ?SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Received: from smtp.easymail.ca ([127.0.0.1]) ?? ?by localhost (ezp08-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) ?? ?with ESMTP id d0XbPteZN-Io for ; ?? ?Thu, 16 Mar 2023 10:43:55 +0000 (UTC) Received: from mail.cyber.bka.de (mail.cyber.bka.de [80.146.190.22]) ?? ?by smtp.easymail.ca (Postfix) with ESMTPS id 0BC0C557DC ?? ?for ; Thu, 16 Mar 2023 10:43:54 +0000 (UTC) Date: Thu, 16 Mar 2023 10:43:53 +0000 To: arin at ve4.ca From: BKA Wiesbaden - Abteilung Cybercrime Reply-To: BKA Wiesbaden - Abteilung Cybercrime Subject: Information regarding possible infection with malware Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; ?boundary="b1_M47LJRZpjy1zymUJDKsNtrYm3RimkafZfZTqeZpauZA" Content-Transfer-Encoding: 8bit Dear Sir or Madam, As part of criminal proceedings, the German Federal Criminal Police Office (Bundeskriminalamt) has been informed about public IP addresses and timestamps which indicate a potential infection by the malicious software "Bumblebee" of one or more systems behind the respective public IP address. Within this letter, the BKA is providing you with the data of the respective IP addresses which have been assigned to you as the appropriate provider. You are asked to take appropriate measures to inform your customers about the potential infection. The following information will be provided: 1. Public IP address 2. Last known timestamp of contact by the public IP address 3. Possible system name or username on the potentially infected system The following information may be sent to your customers in addition to the message of concern. What should you do now? 1. Don???t panic! 2. Check your systems/networks for possible infections. If other institutions have already made you aware of infected systems recently, follow the action guidelines which you may have received from them. 3. For further information on cleaning up infections, please visit the English website of the Federal Office for Information Security (BSI): https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Infizierte-Systeme-bereinigen/infizierte-systeme-bereinigen_node.html Yours sincerely, Bundeskriminalamt Wiesbaden -- Glen A. Pearce gap at ve4.ca Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk. Very Eager 4 Tees http://www.ve4.ca ARIN Handle VET-17 From ops.lists at gmail.com Mon Apr 3 11:35:25 2023 From: ops.lists at gmail.com (Suresh Ramasubramanian) Date: Mon, 3 Apr 2023 11:35:25 +0000 Subject: BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing E-mail or real...) In-Reply-To: <353e8a6d-56f0-ac2f-4b80-d9d9f88ccaaa@ve4.ca> References: <353e8a6d-56f0-ac2f-4b80-d9d9f88ccaaa@ve4.ca> Message-ID: It appears legit. BKA.DE is the German Bundeskriminalamt (Federal Police) And the PTR records, SPF etc check out for the domain. Might as well check the IP in question for malware if they?ve provided date / timestamps and such --srs From: NANOG on behalf of Glen A. Pearce Date: Monday, 3 April 2023 at 12:29 PM To: nanog at nanog.org Subject: BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing E-mail or real...) Hi All: I received an E-mail with an attachment claiming something on my network is infected and that I should look at the attachment to find out what. Normally I think everything with an attachment is phishing to get me to run malware but: #1: The sites linked to in it seem to be legit German government websites based on Wikipedia entries that haven't changed in several years. (Looked at archive.org) #2: The attachment is a .txt file which I've normally assumed to be safe. #3: None of the usual dead giveaways that most phishing E-mails have. If it is a phishing E-mail it has got to be the cleverest one I've ever seen, though someone would try to be cleaver considering the target would be holders of IP blocks. I right clicked and checked properties to make sure the attached ip_addresses.txt file really is a text file and not some fancy trickery with reverse direction characters ( As seen on https://www.youtube.com/watch?v=ieQUy8YTbFU ) I tried poking around to see if there was some vulnerability in notepad (or some versions of it) that I didn't know about and only found a vulnerability in the text editor on Macs but nothing with Windows Notepad. The other thing I felt was a bit off is that the originating mail server is in Deutsche Telekom AG space and not IP Space registered to the German government. I'm thinking someone could rent some IP space from Deutsche Telekom AG with a connection to them in a data center and get the DNS delegated to them so they could set the reverse DNS to whatever they want. A lot of effort to try to look legit by coming out of Germany and having a government domain in the reverse DNS to look like a plausible legit outsourcing but again Network operators are the target audience so the normal tricks that work on the general public won't work with this group so I can see someone going that far. I'll attach the E-mail below with all headers. Has anyone else gotten these? Is there some security risk opening it in Windows Notepad that I don't know about or is it actually safe to open this? Return-Path: Delivered-To: [REDACTED] Received: from ezp08-pco.easydns.vpn ([10.5.10.148]) by ezb03-pco.easydns.vpn with LMTP id oCfeBO/yEmTokhgAzaFxkQ (envelope-from ) for <[REDACTED]>; Thu, 16 Mar 2023 10:43:59 +0000 Received: from smtp.easymail.ca ([127.0.0.1]) by ezp08-pco.easydns.vpn with LMTP id WCB5BO/yEmSHdgEABcrfzg (envelope-from ); Thu, 16 Mar 2023 10:43:59 +0000 Received: from localhost (localhost [127.0.0.1]) by smtp.easymail.ca (Postfix) with ESMTP id 0DC85557DF for ; Thu, 16 Mar 2023 10:43:59 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at ezp08-pco.easydns.vpn X-Spam-Flag: NO X-Spam-Score: 0.075 X-Spam-Level: X-Spam-Status: No, score=0.075 required=4 tests=[BAYES_00=-1.9, DEAR_SOMETHING=1.973, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Received: from smtp.easymail.ca ([127.0.0.1]) by localhost (ezp08-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d0XbPteZN-Io for ; Thu, 16 Mar 2023 10:43:55 +0000 (UTC) Received: from mail.cyber.bka.de (mail.cyber.bka.de [80.146.190.22]) by smtp.easymail.ca (Postfix) with ESMTPS id 0BC0C557DC for ; Thu, 16 Mar 2023 10:43:54 +0000 (UTC) Date: Thu, 16 Mar 2023 10:43:53 +0000 To: arin at ve4.ca From: BKA Wiesbaden - Abteilung Cybercrime Reply-To: BKA Wiesbaden - Abteilung Cybercrime Subject: Information regarding possible infection with malware Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="b1_M47LJRZpjy1zymUJDKsNtrYm3RimkafZfZTqeZpauZA" Content-Transfer-Encoding: 8bit Dear Sir or Madam, As part of criminal proceedings, the German Federal Criminal Police Office (Bundeskriminalamt) has been informed about public IP addresses and timestamps which indicate a potential infection by the malicious software "Bumblebee" of one or more systems behind the respective public IP address. Within this letter, the BKA is providing you with the data of the respective IP addresses which have been assigned to you as the appropriate provider. You are asked to take appropriate measures to inform your customers about the potential infection. The following information will be provided: 1. Public IP address 2. Last known timestamp of contact by the public IP address 3. Possible system name or username on the potentially infected system The following information may be sent to your customers in addition to the message of concern. What should you do now? 1. Don???t panic! 2. Check your systems/networks for possible infections. If other institutions have already made you aware of infected systems recently, follow the action guidelines which you may have received from them. 3. For further information on cleaning up infections, please visit the English website of the Federal Office for Information Security (BSI): https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Infizierte-Systeme-bereinigen/infizierte-systeme-bereinigen_node.html Yours sincerely, Bundeskriminalamt Wiesbaden -- Glen A. Pearce gap at ve4.ca Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk. Very Eager 4 Tees http://www.ve4.ca ARIN Handle VET-17 -------------- next part -------------- An HTML attachment was scrubbed... URL: From nanog at ics-il.net Mon Apr 3 12:47:07 2023 From: nanog at ics-il.net (Mike Hammett) Date: Mon, 3 Apr 2023 07:47:07 -0500 (CDT) Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> Message-ID: <101757534.300.1680526022074.JavaMail.mhammett@Thunderfuck2> It shows the desired result. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Jay Hennigan" To: nanog at nanog.org Sent: Monday, April 3, 2023 1:02:42 AM Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging On 4/2/23 22:21, Mike Hammett wrote: > We have a Nexus 3064 that is setup with partial BGP tables and is > routing based on that. > > > I've done a show ip bgp for an IP of interest and it has an expected > next hop IP. I show ip arp on that next hop IP and it has the expected > interface. > > > However, sFlows show the packets leaving on a different interface, the > one that would carry the default route for routes not otherwise known. > > > If the next hop IP is expected and the ARP of that next hop IP is > expected, why are packets leaving out an unexpected interface? Another route to the destination from a routing protocol with a lower distance? What does "show ip route [destination]" look like? -- Jay Hennigan - jay at west.net Network Engineering - CCIE #7880 503 897-8550 - WB6RDV -------------- next part -------------- An HTML attachment was scrubbed... URL: From nanog at ics-il.net Mon Apr 3 12:47:12 2023 From: nanog at ics-il.net (Mike Hammett) Date: Mon, 3 Apr 2023 07:47:12 -0500 (CDT) Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: <9fe9fab599304900b93393540cba97c4@ox.com> References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> <9fe9fab599304900b93393540cba97c4@ox.com> Message-ID: <929328215.303.1680526028089.JavaMail.mhammett@Thunderfuck2> It shows the desired result. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Matthew Huff" To: "Mike Hammett" , "NANOG" Sent: Monday, April 3, 2023 5:38:23 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging switch-core1# sh forwarding route x.x.x.x slot 1 ======= IPv4 routes for table default/base ------------------+-----------------------------------------+----------------------+-----------------+----------------- Prefix | Next-hop | Interface | Labels | Partial Install ------------------+-----------------------------------------+----------------------+-----------------+----------------- x.x.x.x/24 x.x.x.250 Ethernet1/29 switch-core1# show routing hash x.x.x.x y.y.y.y Load-share parameters used for software forwarding: load-share mode: address source-destination port source-destination Hash for VRF "default" Hashing to path *y.y.y.y Eth1/29 For route: y.y.y.0/24, ubest/mbest: 1/0 *via z.z.z.z, Eth1/29, [90/3072], 1w2d, eigrp-100, internal From: NANOG On Behalf Of Mike Hammett Sent: Monday, April 3, 2023 1:21 AM To: NANOG Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging We have a Nexus 3064 that is setup with partial BGP tables and is routing based on that. I've done a show ip bgp for an IP of interest and it has an expected next hop IP. I show ip arp on that next hop IP and it has the expected interface. However, sFlows show the packets leaving on a different interface, the one that would carry the default route for routes not otherwise known. If the next hop IP is expected and the ARP of that next hop IP is expected, why are packets leaving out an unexpected interface? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From nanog at ics-il.net Mon Apr 3 12:48:17 2023 From: nanog at ics-il.net (Mike Hammett) Date: Mon, 3 Apr 2023 07:48:17 -0500 (CDT) Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> Message-ID: <41064163.306.1680526093901.JavaMail.mhammett@Thunderfuck2> What started this investigation was a client complained of traffic coming from another upstream instead of our direct connection. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Mike Hammett" To: "NANOG" Sent: Monday, April 3, 2023 12:21:29 AM Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging We have a Nexus 3064 that is setup with partial BGP tables and is routing based on that. I've done a show ip bgp for an IP of interest and it has an expected next hop IP. I show ip arp on that next hop IP and it has the expected interface. However, sFlows show the packets leaving on a different interface, the one that would carry the default route for routes not otherwise known. If the next hop IP is expected and the ARP of that next hop IP is expected, why are packets leaving out an unexpected interface? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From mhuff at ox.com Mon Apr 3 12:50:08 2023 From: mhuff at ox.com (Matthew Huff) Date: Mon, 3 Apr 2023 12:50:08 +0000 Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: <929328215.303.1680526028089.JavaMail.mhammett@Thunderfuck2> References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> <9fe9fab599304900b93393540cba97c4@ox.com> <929328215.303.1680526028089.JavaMail.mhammett@Thunderfuck2> Message-ID: SFlow misconfiguration or bug on either the nexus or the sflow monitor? On the monitor, can you verify that the snmp interfaces are mapped to the correct ones on the nexus? From: Mike Hammett Sent: Monday, April 3, 2023 8:47 AM To: Matthew Huff Cc: NANOG Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging It shows the desired result. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ________________________________ From: "Matthew Huff" > To: "Mike Hammett" >, "NANOG" > Sent: Monday, April 3, 2023 5:38:23 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging switch-core1# sh forwarding route x.x.x.x slot 1 ======= IPv4 routes for table default/base ------------------+-----------------------------------------+----------------------+-----------------+----------------- Prefix | Next-hop | Interface | Labels | Partial Install ------------------+-----------------------------------------+----------------------+-----------------+----------------- x.x.x.x/24 x.x.x.250 Ethernet1/29 switch-core1# show routing hash x.x.x.x y.y.y.y Load-share parameters used for software forwarding: load-share mode: address source-destination port source-destination Hash for VRF "default" Hashing to path *y.y.y.y Eth1/29 For route: y.y.y.0/24, ubest/mbest: 1/0 *via z.z.z.z, Eth1/29, [90/3072], 1w2d, eigrp-100, internal From: NANOG > On Behalf Of Mike Hammett Sent: Monday, April 3, 2023 1:21 AM To: NANOG > Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging We have a Nexus 3064 that is setup with partial BGP tables and is routing based on that. I've done a show ip bgp for an IP of interest and it has an expected next hop IP. I show ip arp on that next hop IP and it has the expected interface. However, sFlows show the packets leaving on a different interface, the one that would carry the default route for routes not otherwise known. If the next hop IP is expected and the ARP of that next hop IP is expected, why are packets leaving out an unexpected interface? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From nanog at ics-il.net Mon Apr 3 12:59:53 2023 From: nanog at ics-il.net (Mike Hammett) Date: Mon, 3 Apr 2023 07:59:53 -0500 (CDT) Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> <9fe9fab599304900b93393540cba97c4@ox.com> <929328215.303.1680526028089.JavaMail.mhammett@Thunderfuck2> Message-ID: <1449551141.352.1680526788034.JavaMail.mhammett@Thunderfuck2> It could be an sFlow bug, but I come at this from a reported problem and gathering data on that problem as opposed to looking at data for problems. The snmp if index reported by the Nexus matches the if index in ElastiFlow. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Matthew Huff" To: "Mike Hammett" Cc: "NANOG" Sent: Monday, April 3, 2023 7:50:08 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging SFlow misconfiguration or bug on either the nexus or the sflow monitor? On the monitor, can you verify that the snmp interfaces are mapped to the correct ones on the nexus? From: Mike Hammett Sent: Monday, April 3, 2023 8:47 AM To: Matthew Huff Cc: NANOG Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging It shows the desired result. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Matthew Huff" < mhuff at ox.com > To: "Mike Hammett" < nanog at ics-il.net >, "NANOG" < nanog at nanog.org > Sent: Monday, April 3, 2023 5:38:23 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging switch-core1# sh forwarding route x.x.x.x slot 1 ======= IPv4 routes for table default/base ------------------+-----------------------------------------+----------------------+-----------------+----------------- Prefix | Next-hop | Interface | Labels | Partial Install ------------------+-----------------------------------------+----------------------+-----------------+----------------- x.x.x.x/24 x.x.x.250 Ethernet1/29 switch-core1# show routing hash x.x.x.x y.y.y.y Load-share parameters used for software forwarding: load-share mode: address source-destination port source-destination Hash for VRF "default" Hashing to path *y.y.y.y Eth1/29 For route: y.y.y.0/24, ubest/mbest: 1/0 *via z.z.z.z, Eth1/29, [90/3072], 1w2d, eigrp-100, internal From: NANOG < nanog-bounces+mhuff=ox.com at nanog.org > On Behalf Of Mike Hammett Sent: Monday, April 3, 2023 1:21 AM To: NANOG < nanog at nanog.org > Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging We have a Nexus 3064 that is setup with partial BGP tables and is routing based on that. I've done a show ip bgp for an IP of interest and it has an expected next hop IP. I show ip arp on that next hop IP and it has the expected interface. However, sFlows show the packets leaving on a different interface, the one that would carry the default route for routes not otherwise known. If the next hop IP is expected and the ARP of that next hop IP is expected, why are packets leaving out an unexpected interface? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From mhuff at ox.com Mon Apr 3 13:06:51 2023 From: mhuff at ox.com (Matthew Huff) Date: Mon, 3 Apr 2023 13:06:51 +0000 Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: <1449551141.352.1680526788034.JavaMail.mhammett@Thunderfuck2> References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> <9fe9fab599304900b93393540cba97c4@ox.com> <929328215.303.1680526028089.JavaMail.mhammett@Thunderfuck2> <1449551141.352.1680526788034.JavaMail.mhammett@Thunderfuck2> Message-ID: <494acdaf5b9e4d3a9d5706ad5c5ea05f@ox.com> What about VRFs and/or policy based routing? switch-core1# show vrf VRF-Name VRF-ID State Reason default 1 Up -- management 2 Up -- switch-core1# show route-map route-map rmap_bgp_to_eigrp_b2b, permit, sequence 10 Match clauses: interface: Ethernet1/33 route-type: internal Set clauses: metric 40000000 10 255 1 1500 route-map rmap_bgp_to_eigrp_b2b, permit, sequence 20 Match clauses: interface: Ethernet1/34 route-type: internal Set clauses: metric 40000000 30 255 1 1500 route-map rmap_static_to_eigrp, permit, sequence 10 Match clauses: ip address prefix-lists: prefix_static_to_eigrp Set clauses: route-map rmap_static_to_eigrp_v6, permit, sequence 10 Match clauses: ipv6 address prefix-lists: prefix_ipv6_static_to_eigrp Set clauses: From: Mike Hammett Sent: Monday, April 3, 2023 9:00 AM To: Matthew Huff Cc: NANOG Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging It could be an sFlow bug, but I come at this from a reported problem and gathering data on that problem as opposed to looking at data for problems. The snmp if index reported by the Nexus matches the if index in ElastiFlow. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ________________________________________ From: "Matthew Huff" To: "Mike Hammett" Cc: "NANOG" Sent: Monday, April 3, 2023 7:50:08 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging SFlow misconfiguration or bug on either the nexus or the sflow monitor? On the monitor, can you verify that the snmp interfaces are mapped to the correct ones on the nexus? ? ? ? ? ? From: Mike Hammett Sent: Monday, April 3, 2023 8:47 AM To: Matthew Huff Cc: NANOG Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging ? It shows the desired result. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ? ________________________________________ From: "Matthew Huff" To: "Mike Hammett" , "NANOG" Sent: Monday, April 3, 2023 5:38:23 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging switch-core1# sh forwarding route x.x.x.x slot ?1 ======= IPv4 routes for table default/base ------------------+-----------------------------------------+----------------------+-----------------+----------------- Prefix ? ? ? ? ? ?| Next-hop ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ?| Interface ? ? ? ? ? ?| Labels ? ? ? ? ?| Partial Install ------------------+-----------------------------------------+----------------------+-----------------+----------------- x.x.x.x/24 ? ? ?x.x.x.250 ? ? ? ? ? ? ? ? ? ? ? ? ? ?Ethernet1/29 ? ? ? ? switch-core1# show routing hash x.x.x.x y.y.y.y Load-share parameters used for software forwarding: load-share mode: address source-destination port source-destination Hash for VRF "default" Hashing to path *y.y.y.y Eth1/29 For route: y.y.y.0/24, ubest/mbest: 1/0 ?? ?*via z.z.z.z, Eth1/29, [90/3072], 1w2d, eigrp-100, internal From: NANOG On Behalf Of Mike Hammett Sent: Monday, April 3, 2023 1:21 AM To: NANOG Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging We have a Nexus 3064 that is setup with partial BGP tables and is routing based on that.? I've done a show ip bgp for an IP of interest and it has an expected next hop IP. I show ip arp on that next hop IP and it has the expected interface.? However, sFlows show the packets leaving on a different interface, the one that would carry the default route for routes not otherwise known.? If the next hop IP is expected and the ARP of that next hop IP is expected, why are packets leaving out an unexpected interface?? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ? From mel at beckman.org Mon Apr 3 13:21:09 2023 From: mel at beckman.org (Mel Beckman) Date: Mon, 3 Apr 2023 13:21:09 +0000 Subject: BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing E-mail or real...) In-Reply-To: References: <353e8a6d-56f0-ac2f-4b80-d9d9f88ccaaa@ve4.ca> Message-ID: <72109B56-62B9-4853-AA42-F6A4D3BFFBB5@beckman.org> Any security ?authority? that sends a warning email that requires opening _any_ attachment doesn?t deserve to be taken seriously. This include the MPAA et al. Also, if they don?t send it to your registered abuse email, into the trash it should go without a glance. -mel beckman On Apr 3, 2023, at 4:37 AM, Suresh Ramasubramanian wrote: ? It appears legit. BKA.DE is the German Bundeskriminalamt (Federal Police) And the PTR records, SPF etc check out for the domain. Might as well check the IP in question for malware if they?ve provided date / timestamps and such --srs From: NANOG on behalf of Glen A. Pearce Date: Monday, 3 April 2023 at 12:29 PM To: nanog at nanog.org Subject: BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing E-mail or real...) Hi All: I received an E-mail with an attachment claiming something on my network is infected and that I should look at the attachment to find out what. Normally I think everything with an attachment is phishing to get me to run malware but: #1: The sites linked to in it seem to be legit German government websites based on Wikipedia entries that haven't changed in several years. (Looked at archive.org) #2: The attachment is a .txt file which I've normally assumed to be safe. #3: None of the usual dead giveaways that most phishing E-mails have. If it is a phishing E-mail it has got to be the cleverest one I've ever seen, though someone would try to be cleaver considering the target would be holders of IP blocks. I right clicked and checked properties to make sure the attached ip_addresses.txt file really is a text file and not some fancy trickery with reverse direction characters ( As seen on https://www.youtube.com/watch?v=ieQUy8YTbFU ) I tried poking around to see if there was some vulnerability in notepad (or some versions of it) that I didn't know about and only found a vulnerability in the text editor on Macs but nothing with Windows Notepad. The other thing I felt was a bit off is that the originating mail server is in Deutsche Telekom AG space and not IP Space registered to the German government. I'm thinking someone could rent some IP space from Deutsche Telekom AG with a connection to them in a data center and get the DNS delegated to them so they could set the reverse DNS to whatever they want. A lot of effort to try to look legit by coming out of Germany and having a government domain in the reverse DNS to look like a plausible legit outsourcing but again Network operators are the target audience so the normal tricks that work on the general public won't work with this group so I can see someone going that far. I'll attach the E-mail below with all headers. Has anyone else gotten these? Is there some security risk opening it in Windows Notepad that I don't know about or is it actually safe to open this? Return-Path: Delivered-To: [REDACTED] Received: from ezp08-pco.easydns.vpn ([10.5.10.148]) by ezb03-pco.easydns.vpn with LMTP id oCfeBO/yEmTokhgAzaFxkQ (envelope-from ) for <[REDACTED]>; Thu, 16 Mar 2023 10:43:59 +0000 Received: from smtp.easymail.ca ([127.0.0.1]) by ezp08-pco.easydns.vpn with LMTP id WCB5BO/yEmSHdgEABcrfzg (envelope-from ); Thu, 16 Mar 2023 10:43:59 +0000 Received: from localhost (localhost [127.0.0.1]) by smtp.easymail.ca (Postfix) with ESMTP id 0DC85557DF for ; Thu, 16 Mar 2023 10:43:59 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at ezp08-pco.easydns.vpn X-Spam-Flag: NO X-Spam-Score: 0.075 X-Spam-Level: X-Spam-Status: No, score=0.075 required=4 tests=[BAYES_00=-1.9, DEAR_SOMETHING=1.973, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no Received: from smtp.easymail.ca ([127.0.0.1]) by localhost (ezp08-pco.easydns.vpn [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d0XbPteZN-Io for ; Thu, 16 Mar 2023 10:43:55 +0000 (UTC) Received: from mail.cyber.bka.de (mail.cyber.bka.de [80.146.190.22]) by smtp.easymail.ca (Postfix) with ESMTPS id 0BC0C557DC for ; Thu, 16 Mar 2023 10:43:54 +0000 (UTC) Date: Thu, 16 Mar 2023 10:43:53 +0000 To: arin at ve4.ca From: BKA Wiesbaden - Abteilung Cybercrime Reply-To: BKA Wiesbaden - Abteilung Cybercrime Subject: Information regarding possible infection with malware Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="b1_M47LJRZpjy1zymUJDKsNtrYm3RimkafZfZTqeZpauZA" Content-Transfer-Encoding: 8bit Dear Sir or Madam, As part of criminal proceedings, the German Federal Criminal Police Office (Bundeskriminalamt) has been informed about public IP addresses and timestamps which indicate a potential infection by the malicious software "Bumblebee" of one or more systems behind the respective public IP address. Within this letter, the BKA is providing you with the data of the respective IP addresses which have been assigned to you as the appropriate provider. You are asked to take appropriate measures to inform your customers about the potential infection. The following information will be provided: 1. Public IP address 2. Last known timestamp of contact by the public IP address 3. Possible system name or username on the potentially infected system The following information may be sent to your customers in addition to the message of concern. What should you do now? 1. Don???t panic! 2. Check your systems/networks for possible infections. If other institutions have already made you aware of infected systems recently, follow the action guidelines which you may have received from them. 3. For further information on cleaning up infections, please visit the English website of the Federal Office for Information Security (BSI): https://www.bsi.bund.de/EN/Themen/Verbraucherinnen-und-Verbraucher/Informationen-und-Empfehlungen/Cyber-Sicherheitsempfehlungen/Infizierte-Systeme-bereinigen/infizierte-systeme-bereinigen_node.html Yours sincerely, Bundeskriminalamt Wiesbaden -- Glen A. Pearce gap at ve4.ca Network Manager, Webmaster, Bookkeeper, Fashion Model and Shipping Clerk. Very Eager 4 Tees http://www.ve4.ca ARIN Handle VET-17 -------------- next part -------------- An HTML attachment was scrubbed... URL: From nanog at ics-il.net Mon Apr 3 13:26:30 2023 From: nanog at ics-il.net (Mike Hammett) Date: Mon, 3 Apr 2023 08:26:30 -0500 (CDT) Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: <494acdaf5b9e4d3a9d5706ad5c5ea05f@ox.com> References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> <9fe9fab599304900b93393540cba97c4@ox.com> <929328215.303.1680526028089.JavaMail.mhammett@Thunderfuck2> <1449551141.352.1680526788034.JavaMail.mhammett@Thunderfuck2> <494acdaf5b9e4d3a9d5706ad5c5ea05f@ox.com> Message-ID: <517858062.383.1680528390235.JavaMail.mhammett@Thunderfuck2> Only two VRFs, default and manangement. IIRC, everything I saw before mentioned the default VRF. I do see a ton of route-maps. It's mostly Greek to me, so I'll have to dig through this a bit to see what's going on. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "Matthew Huff" To: "Mike Hammett" Cc: "NANOG" Sent: Monday, April 3, 2023 8:06:51 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging What about VRFs and/or policy based routing? switch-core1# show vrf VRF-Name VRF-ID State Reason default 1 Up -- management 2 Up -- switch-core1# show route-map route-map rmap_bgp_to_eigrp_b2b, permit, sequence 10 Match clauses: interface: Ethernet1/33 route-type: internal Set clauses: metric 40000000 10 255 1 1500 route-map rmap_bgp_to_eigrp_b2b, permit, sequence 20 Match clauses: interface: Ethernet1/34 route-type: internal Set clauses: metric 40000000 30 255 1 1500 route-map rmap_static_to_eigrp, permit, sequence 10 Match clauses: ip address prefix-lists: prefix_static_to_eigrp Set clauses: route-map rmap_static_to_eigrp_v6, permit, sequence 10 Match clauses: ipv6 address prefix-lists: prefix_ipv6_static_to_eigrp Set clauses: From: Mike Hammett Sent: Monday, April 3, 2023 9:00 AM To: Matthew Huff Cc: NANOG Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging It could be an sFlow bug, but I come at this from a reported problem and gathering data on that problem as opposed to looking at data for problems. The snmp if index reported by the Nexus matches the if index in ElastiFlow. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ________________________________________ From: "Matthew Huff" To: "Mike Hammett" Cc: "NANOG" Sent: Monday, April 3, 2023 7:50:08 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging SFlow misconfiguration or bug on either the nexus or the sflow monitor? On the monitor, can you verify that the snmp interfaces are mapped to the correct ones on the nexus? From: Mike Hammett Sent: Monday, April 3, 2023 8:47 AM To: Matthew Huff Cc: NANOG Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging It shows the desired result. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ________________________________________ From: "Matthew Huff" To: "Mike Hammett" , "NANOG" Sent: Monday, April 3, 2023 5:38:23 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging switch-core1# sh forwarding route x.x.x.x slot 1 ======= IPv4 routes for table default/base ------------------+-----------------------------------------+----------------------+-----------------+----------------- Prefix | Next-hop | Interface | Labels | Partial Install ------------------+-----------------------------------------+----------------------+-----------------+----------------- x.x.x.x/24 x.x.x.250 Ethernet1/29 switch-core1# show routing hash x.x.x.x y.y.y.y Load-share parameters used for software forwarding: load-share mode: address source-destination port source-destination Hash for VRF "default" Hashing to path *y.y.y.y Eth1/29 For route: y.y.y.0/24, ubest/mbest: 1/0 *via z.z.z.z, Eth1/29, [90/3072], 1w2d, eigrp-100, internal From: NANOG On Behalf Of Mike Hammett Sent: Monday, April 3, 2023 1:21 AM To: NANOG Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging We have a Nexus 3064 that is setup with partial BGP tables and is routing based on that. I've done a show ip bgp for an IP of interest and it has an expected next hop IP. I show ip arp on that next hop IP and it has the expected interface. However, sFlows show the packets leaving on a different interface, the one that would carry the default route for routes not otherwise known. If the next hop IP is expected and the ARP of that next hop IP is expected, why are packets leaving out an unexpected interface? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From giera at belwue.de Mon Apr 3 15:04:47 2023 From: giera at belwue.de (Stefan Giera) Date: Mon, 3 Apr 2023 17:04:47 +0200 Subject: BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing E-mail or real...) In-Reply-To: <353e8a6d-56f0-ac2f-4b80-d9d9f88ccaaa@ve4.ca> References: <353e8a6d-56f0-ac2f-4b80-d9d9f88ccaaa@ve4.ca> Message-ID: Looks like scam to me, we are based in Germany and from time to time we are getting requests from BKA, all mails were originated from "*@bka.bund.de", never heard about ths "cyber.bka.de" Domain. Also I would expect something more like a specific criminal investigation from the BKA instead of the usual "we found suspicious ip addresses" announcement like Shadowserver is offering. Governmental services within DTAG (AS3320) ip space is pretty common in Germany. HTH, Stefan -- Stefan Giera, BelW? (AS553) BelW?-Koordination, Universit?t Stuttgart Industriestr. 28, 70565 Stuttgart Tel: +49 711/685-65797 | Durchwahl Tel: +49 711/685-88030 | NOC, Netzbetrieb, Router Tel: +49 711/685-88020 | (Schul)Hotline Fax: +49 711/678 83 63 E-Mail: ip at belwue.de - http://www.belwue.de From bjo at schafweide.org Mon Apr 3 16:13:49 2023 From: bjo at schafweide.org (Bjoern Franke) Date: Mon, 3 Apr 2023 18:13:49 +0200 Subject: BKA Wiesbaden - Abteilung Cybercrime (Not sure if this is a phishing E-mail or real...) In-Reply-To: References: <353e8a6d-56f0-ac2f-4b80-d9d9f88ccaaa@ve4.ca> Message-ID: <8573acb9-98cf-aaf8-72dd-3c0b90c9ed01@schafweide.org> Hi, > Governmental services within DTAG (AS3320) ip space is pretty common in > Germany. > but FcrDNS matches. Scammers with access to the bka.de DNS? Regards Bjoern From tony at wicks.co.nz Mon Apr 3 20:54:55 2023 From: tony at wicks.co.nz (Tony Wicks) Date: Tue, 4 Apr 2023 08:54:55 +1200 Subject: 100G-LR1 (DR/FR) In-Reply-To: References: <2946A06F-B335-4997-B78C-0D795DEEBFF8@puck.nether.net>

Message-ID: <00cb01d9666e$8d1b90d0$a752b270$@wicks.co.nz> I have been using the QSFP-100G-CWDM4 2k optics for within rack/DC for a couple of years now. They are about the same price as SR optics but allow the use of simple duplex single mode patches without blasting 10K optics at each other over a 2M patch. Never had one fail or any compatibility issues. -----Original Message----- From: NANOG On Behalf Of Mark Tinka Sent: Monday, April 3, 2023 11:04 PM To: nanog at nanog.org Subject: Re: 100G-LR1 (DR/FR) On 4/3/23 02:14, David Siegel wrote: > At this point, I'd be happy to see others happily deploy a > single-lambda optic of almost any variety! Since deploying 400G in a > clients network (but 100G still being the preferred connection > choice), any inquiry with respect to LR1, FR1 or DR+ is met with "no > thanks, LR4 please." > > If asked, I'd recommend FR1. They're available at a great > price-point, and 2km reach is adequate for most applications. Agreed. Pricing between LR4, FR and DR is not too far apart. The only optic that is substantially cheaper than all of them is the SR4. So in my mind, FR is the most ideal, although I'd still use SR4 for in-rack, multi-mode cabling. Mark. From nanog at ics-il.net Mon Apr 3 21:20:05 2023 From: nanog at ics-il.net (Mike Hammett) Date: Mon, 3 Apr 2023 16:20:05 -0500 (CDT) Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: <517858062.383.1680528390235.JavaMail.mhammett@Thunderfuck2> References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> <9fe9fab599304900b93393540cba97c4@ox.com> <929328215.303.1680526028089.JavaMail.mhammett@Thunderfuck2> <1449551141.352.1680526788034.JavaMail.mhammett@Thunderfuck2> <494acdaf5b9e4d3a9d5706ad5c5ea05f@ox.com> <517858062.383.1680528390235.JavaMail.mhammett@Thunderfuck2> Message-ID: <631619927.25505.1680556805228.JavaMail.zimbra@ics-il.net> I don't see any route-maps applied to interfaces, so there must not be any PBR going on. I only see ACLs, setting communities, setting local pref, etc. in the route maps that are applied to neighbors. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com From: "Mike Hammett" To: "Matthew Huff" Cc: "NANOG" Sent: Monday, April 3, 2023 8:26:30 AM Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging Only two VRFs, default and manangement. IIRC, everything I saw before mentioned the default VRF. I do see a ton of route-maps. It's mostly Greek to me, so I'll have to dig through this a bit to see what's going on. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com From: "Matthew Huff" To: "Mike Hammett" Cc: "NANOG" Sent: Monday, April 3, 2023 8:06:51 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging What about VRFs and/or policy based routing? switch-core1# show vrf VRF-Name VRF-ID State Reason default 1 Up -- management 2 Up -- switch-core1# show route-map route-map rmap_bgp_to_eigrp_b2b, permit, sequence 10 Match clauses: interface: Ethernet1/33 route-type: internal Set clauses: metric 40000000 10 255 1 1500 route-map rmap_bgp_to_eigrp_b2b, permit, sequence 20 Match clauses: interface: Ethernet1/34 route-type: internal Set clauses: metric 40000000 30 255 1 1500 route-map rmap_static_to_eigrp, permit, sequence 10 Match clauses: ip address prefix-lists: prefix_static_to_eigrp Set clauses: route-map rmap_static_to_eigrp_v6, permit, sequence 10 Match clauses: ipv6 address prefix-lists: prefix_ipv6_static_to_eigrp Set clauses: From: Mike Hammett Sent: Monday, April 3, 2023 9:00 AM To: Matthew Huff Cc: NANOG Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging It could be an sFlow bug, but I come at this from a reported problem and gathering data on that problem as opposed to looking at data for problems. The snmp if index reported by the Nexus matches the if index in ElastiFlow. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ________________________________________ From: "Matthew Huff" To: "Mike Hammett" Cc: "NANOG" Sent: Monday, April 3, 2023 7:50:08 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging SFlow misconfiguration or bug on either the nexus or the sflow monitor? On the monitor, can you verify that the snmp interfaces are mapped to the correct ones on the nexus? From: Mike Hammett Sent: Monday, April 3, 2023 8:47 AM To: Matthew Huff Cc: NANOG Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging It shows the desired result. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ________________________________________ From: "Matthew Huff" To: "Mike Hammett" , "NANOG" Sent: Monday, April 3, 2023 5:38:23 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging switch-core1# sh forwarding route x.x.x.x slot 1 ======= IPv4 routes for table default/base ------------------+-----------------------------------------+----------------------+-----------------+----------------- Prefix | Next-hop | Interface | Labels | Partial Install ------------------+-----------------------------------------+----------------------+-----------------+----------------- x.x.x.x/24 x.x.x.250 Ethernet1/29 switch-core1# show routing hash x.x.x.x y.y.y.y Load-share parameters used for software forwarding: load-share mode: address source-destination port source-destination Hash for VRF "default" Hashing to path *y.y.y.y Eth1/29 For route: y.y.y.0/24, ubest/mbest: 1/0 *via z.z.z.z, Eth1/29, [90/3072], 1w2d, eigrp-100, internal From: NANOG On Behalf Of Mike Hammett Sent: Monday, April 3, 2023 1:21 AM To: NANOG Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging We have a Nexus 3064 that is setup with partial BGP tables and is routing based on that. I've done a show ip bgp for an IP of interest and it has an expected next hop IP. I show ip arp on that next hop IP and it has the expected interface. However, sFlows show the packets leaving on a different interface, the one that would carry the default route for routes not otherwise known. If the next hop IP is expected and the ARP of that next hop IP is expected, why are packets leaving out an unexpected interface? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From davidbass570 at gmail.com Tue Apr 4 02:12:52 2023 From: davidbass570 at gmail.com (David Bass) Date: Mon, 3 Apr 2023 22:12:52 -0400 Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: <631619927.25505.1680556805228.JavaMail.zimbra@ics-il.net> References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> <9fe9fab599304900b93393540cba97c4@ox.com> <929328215.303.1680526028089.JavaMail.mhammett@Thunderfuck2> <1449551141.352.1680526788034.JavaMail.mhammett@Thunderfuck2> <494acdaf5b9e4d3a9d5706ad5c5ea05f@ox.com> <517858062.383.1680528390235.JavaMail.mhammett@Thunderfuck2> <631619927.25505.1680556805228.JavaMail.zimbra@ics-il.net> Message-ID: You said that they are seeing traffic from another upstream?are you advertising the prefix to them? Are you advertising their prefix to your upstream? Looks like the route maps are involved in some dual redistribution?might want to make sure everything is matching correctly, and being advertised like you want. On Mon, Apr 3, 2023 at 4:20 PM Mike Hammett wrote: > I don't see any route-maps applied to interfaces, so there must not be any > PBR going on. I only see ACLs, setting communities, setting local pref, > etc. in the route maps that are applied to neighbors. > > > > ----- > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com > > ------------------------------ > *From: *"Mike Hammett" > *To: *"Matthew Huff" > *Cc: *"NANOG" > *Sent: *Monday, April 3, 2023 8:26:30 AM > > *Subject: *Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging > > Only two VRFs, default and manangement. IIRC, everything I saw before > mentioned the default VRF. > > I do see a ton of route-maps. It's mostly Greek to me, so I'll have to dig > through this a bit to see what's going on. > > > > ----- > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com > > ------------------------------ > *From: *"Matthew Huff" > *To: *"Mike Hammett" > *Cc: *"NANOG" > *Sent: *Monday, April 3, 2023 8:06:51 AM > *Subject: *RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging > > What about VRFs and/or policy based routing? > > switch-core1# show vrf > VRF-Name VRF-ID State Reason > > default 1 Up -- > > management 2 Up -- > > > switch-core1# show route-map > route-map rmap_bgp_to_eigrp_b2b, permit, sequence 10 > Match clauses: > interface: Ethernet1/33 > route-type: internal > Set clauses: > metric 40000000 10 255 1 1500 > route-map rmap_bgp_to_eigrp_b2b, permit, sequence 20 > Match clauses: > interface: Ethernet1/34 > route-type: internal > Set clauses: > metric 40000000 30 255 1 1500 > route-map rmap_static_to_eigrp, permit, sequence 10 > Match clauses: > ip address prefix-lists: prefix_static_to_eigrp > Set clauses: > route-map rmap_static_to_eigrp_v6, permit, sequence 10 > Match clauses: > ipv6 address prefix-lists: prefix_ipv6_static_to_eigrp > Set clauses: > > > > From: Mike Hammett > Sent: Monday, April 3, 2023 9:00 AM > To: Matthew Huff > Cc: NANOG > Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging > > It could be an sFlow bug, but I come at this from a reported problem and > gathering data on that problem as opposed to looking at data for problems. > > The snmp if index reported by the Nexus matches the if index in ElastiFlow. > > > > > ----- > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com > > ________________________________________ > From: "Matthew Huff" > To: "Mike Hammett" > Cc: "NANOG" > Sent: Monday, April 3, 2023 7:50:08 AM > Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging > SFlow misconfiguration or bug on either the nexus or the sflow monitor? On > the monitor, can you verify that the snmp interfaces are mapped to the > correct ones on the nexus? > > > > > > From: Mike Hammett > Sent: Monday, April 3, 2023 8:47 AM > To: Matthew Huff > Cc: NANOG > Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging > > It shows the desired result. > > > ----- > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com > > ________________________________________ > From: "Matthew Huff" > To: "Mike Hammett" , "NANOG" nanog at nanog.org> > Sent: Monday, April 3, 2023 5:38:23 AM > Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging > > switch-core1# sh forwarding route x.x.x.x > > slot 1 > ======= > > > IPv4 routes for table default/base > > > ------------------+-----------------------------------------+----------------------+-----------------+----------------- > Prefix | Next-hop | Interface > | Labels | Partial Install > > ------------------+-----------------------------------------+----------------------+-----------------+----------------- > x.x.x.x/24 x.x.x.250 Ethernet1/29 > > > switch-core1# show routing hash x.x.x.x y.y.y.y > Load-share parameters used for software forwarding: > load-share mode: address source-destination port source-destination > Hash for VRF "default" > Hashing to path *y.y.y.y Eth1/29 > For route: > y.y.y.0/24, ubest/mbest: 1/0 > *via z.z.z.z, Eth1/29, [90/3072], 1w2d, eigrp-100, internal > > > > > From: NANOG On Behalf Of > Mike Hammett > Sent: Monday, April 3, 2023 1:21 AM > To: NANOG > Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging > > We have a Nexus 3064 that is setup with partial BGP tables and is routing > based on that. > > > I've done a show ip bgp for an IP of interest and it has an expected next > hop IP. I show ip arp on that next hop IP and it has the expected > interface. > > > However, sFlows show the packets leaving on a different interface, the one > that would carry the default route for routes not otherwise known. > > > If the next hop IP is expected and the ARP of that next hop IP is > expected, why are packets leaving out an unexpected interface? > > > ----- > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com > > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From josmon at rigozsaurus.com Tue Apr 4 02:57:03 2023 From: josmon at rigozsaurus.com (John Osmon) Date: Mon, 3 Apr 2023 20:57:03 -0600 Subject: ABQNOG -- May 4, 2023 Message-ID: <20230404025703.GA6525@jeeves.rigozsaurus.com> For folks that might be in the southwest US (and any that want to visit!), we're going to hold an operators group meeting on May 4, 2023 in Albuquerque, New Mexico. Come to the land of green chile chessburgers, and meet some of the local operators. This inaugural meeting is free. We hope to see you in May! http://abqnog.org From mark at tinka.africa Tue Apr 4 04:44:50 2023 From: mark at tinka.africa (Mark Tinka) Date: Tue, 4 Apr 2023 06:44:50 +0200 Subject: 100G-LR1 (DR/FR) In-Reply-To: <00cb01d9666e$8d1b90d0$a752b270$@wicks.co.nz> References: <2946A06F-B335-4997-B78C-0D795DEEBFF8@puck.nether.net>

<00cb01d9666e$8d1b90d0$a752b270$@wicks.co.nz> Message-ID: <300b460e-cdb0-5ff7-4654-7a96db898eec@tinka.africa> On 4/3/23 22:54, Tony Wicks wrote: > I have been using the QSFP-100G-CWDM4 2k optics for within rack/DC for a couple of years now. They are about the same price as SR optics but allow the use of simple duplex single mode patches without blasting 10K optics at each other over a 2M patch. Never had one fail or any compatibility issues. Our use of multi-mode fibre is historical, from the days when vendors sold line cards that were mode-fixed and not pluggable. The installed base is so large that it's just easier to carry on with multi-mode for in-rack cabling, where it's needed. Mark. From brandon at rd.bbc.co.uk Tue Apr 4 06:54:38 2023 From: brandon at rd.bbc.co.uk (Brandon Butterworth) Date: Tue, 4 Apr 2023 07:54:38 +0100 Subject: 100G-LR1 (DR/FR) In-Reply-To: <00cb01d9666e$8d1b90d0$a752b270$@wicks.co.nz> References: <2946A06F-B335-4997-B78C-0D795DEEBFF8@puck.nether.net>

<00cb01d9666e$8d1b90d0$a752b270$@wicks.co.nz> Message-ID: <20230404065437.GB26837@sunf68.rd.bbc.co.uk> On Tue Apr 04, 2023 at 08:54:55AM +1200, Tony Wicks wrote: > I have been using the QSFP-100G-CWDM4 2k optics for within rack/DC > for a couple of years now. They are about the same price as SR optics > but allow the use of simple duplex single mode patches without blasting > 10K optics at each other over a 2M patch 10k used to be standard part at lower speeds. It's a bogus measure of link budget which is what really matters and is lower for the same rated distance with each speed increase. At 4.3dB an LR4 is hardly blasting. While you are fine in rack with the 1.6dB of FR4, in the average DC with a MMR it is marginal/broken. I'd prefer they had the old 1G LX's 9dB. brandon From nanog at ics-il.net Tue Apr 4 12:45:00 2023 From: nanog at ics-il.net (Mike Hammett) Date: Tue, 4 Apr 2023 07:45:00 -0500 (CDT) Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> <929328215.303.1680526028089.JavaMail.mhammett@Thunderfuck2> <1449551141.352.1680526788034.JavaMail.mhammett@Thunderfuck2> <494acdaf5b9e4d3a9d5706ad5c5ea05f@ox.com> <517858062.383.1680528390235.JavaMail.mhammett@Thunderfuck2> <631619927.25505.1680556805228.JavaMail.zimbra@ics-il.net> Message-ID: <761501209.605.1680612295892.JavaMail.mhammett@Thunderfuck2> sh ip bgp neighbor advertised-routes shows the only routes being advertised to Y are the routes that should be advertised to them. I checked a variety of other peers and have the expected results. >From my perspective: Packets come in on port A, supposed to leave on port X, but they leave on port Y. All of the troubleshooting steps I've done on my own (or suggested by mailing lists) say the packets should be leaving on the desired port X. >From the customer's perspective, they're supposed to be coming from me on port X, but they're arriving on port Y, another network . Port X in both scenarios is our direct connection, while port Y is a mutual upstream provider. Without knowing more about the specific platform, it seems to me like a bug in the platform. If all indicators (not just configurations, but show commands as well) say the packet should be leaving on X and it leaves on Y, then I'm not sure what else it could be, besides a bug. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "David Bass" To: "Mike Hammett" Cc: "Matthew Huff" , "NANOG" Sent: Monday, April 3, 2023 9:12:52 PM Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging You said that they are seeing traffic from another upstream?are you advertising the prefix to them? Are you advertising their prefix to your upstream? Looks like the route maps are involved in some dual redistribution?might want to make sure everything is matching correctly, and being advertised like you want. On Mon, Apr 3, 2023 at 4:20 PM Mike Hammett < nanog at ics-il.net > wrote: I don't see any route-maps applied to interfaces, so there must not be any PBR going on. I only see ACLs, setting communities, setting local pref, etc. in the route maps that are applied to neighbors. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com From: "Mike Hammett" < nanog at ics-il.net > To: "Matthew Huff" < mhuff at ox.com > Cc: "NANOG" < nanog at nanog.org > Sent: Monday, April 3, 2023 8:26:30 AM Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging Only two VRFs, default and manangement. IIRC, everything I saw before mentioned the default VRF. I do see a ton of route-maps. It's mostly Greek to me, so I'll have to dig through this a bit to see what's going on. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com From: "Matthew Huff" < mhuff at ox.com > To: "Mike Hammett" < nanog at ics-il.net > Cc: "NANOG" < nanog at nanog.org > Sent: Monday, April 3, 2023 8:06:51 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging What about VRFs and/or policy based routing? switch-core1# show vrf VRF-Name VRF-ID State Reason default 1 Up -- management 2 Up -- switch-core1# show route-map route-map rmap_bgp_to_eigrp_b2b, permit, sequence 10 Match clauses: interface: Ethernet1/33 route-type: internal Set clauses: metric 40000000 10 255 1 1500 route-map rmap_bgp_to_eigrp_b2b, permit, sequence 20 Match clauses: interface: Ethernet1/34 route-type: internal Set clauses: metric 40000000 30 255 1 1500 route-map rmap_static_to_eigrp, permit, sequence 10 Match clauses: ip address prefix-lists: prefix_static_to_eigrp Set clauses: route-map rmap_static_to_eigrp_v6, permit, sequence 10 Match clauses: ipv6 address prefix-lists: prefix_ipv6_static_to_eigrp Set clauses: From: Mike Hammett < nanog at ics-il.net > Sent: Monday, April 3, 2023 9:00 AM To: Matthew Huff < mhuff at ox.com > Cc: NANOG < nanog at nanog.org > Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging It could be an sFlow bug, but I come at this from a reported problem and gathering data on that problem as opposed to looking at data for problems. The snmp if index reported by the Nexus matches the if index in ElastiFlow. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ________________________________________ From: "Matthew Huff" To: "Mike Hammett" Cc: "NANOG" Sent: Monday, April 3, 2023 7:50:08 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging SFlow misconfiguration or bug on either the nexus or the sflow monitor? On the monitor, can you verify that the snmp interfaces are mapped to the correct ones on the nexus? From: Mike Hammett Sent: Monday, April 3, 2023 8:47 AM To: Matthew Huff Cc: NANOG Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging It shows the desired result. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ________________________________________ From: "Matthew Huff" To: "Mike Hammett" , "NANOG" Sent: Monday, April 3, 2023 5:38:23 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging switch-core1# sh forwarding route x.x.x.x slot 1 ======= IPv4 routes for table default/base ------------------+-----------------------------------------+----------------------+-----------------+----------------- Prefix | Next-hop | Interface | Labels | Partial Install ------------------+-----------------------------------------+----------------------+-----------------+----------------- x.x.x.x/24 x.x.x.250 Ethernet1/29 switch-core1# show routing hash x.x.x.x y.y.y.y Load-share parameters used for software forwarding: load-share mode: address source-destination port source-destination Hash for VRF "default" Hashing to path *y.y.y.y Eth1/29 For route: y.y.y.0/24, ubest/mbest: 1/0 *via z.z.z.z, Eth1/29, [90/3072], 1w2d, eigrp-100, internal From: NANOG On Behalf Of Mike Hammett Sent: Monday, April 3, 2023 1:21 AM To: NANOG Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging We have a Nexus 3064 that is setup with partial BGP tables and is routing based on that. I've done a show ip bgp for an IP of interest and it has an expected next hop IP. I show ip arp on that next hop IP and it has the expected interface. However, sFlows show the packets leaving on a different interface, the one that would carry the default route for routes not otherwise known. If the next hop IP is expected and the ARP of that next hop IP is expected, why are packets leaving out an unexpected interface? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From nanog at ics-il.net Tue Apr 4 13:04:02 2023 From: nanog at ics-il.net (Mike Hammett) Date: Tue, 4 Apr 2023 08:04:02 -0500 (CDT) Subject: Flow Tools AS-Path In-Reply-To: <2010877999.611.1680613253518.JavaMail.mhammett@Thunderfuck2> Message-ID: <696990415.622.1680613436589.JavaMail.mhammett@Thunderfuck2> One of the reasons to analyze flow data is to make purchase\peering decisions. The sFlow standard seems to only include source and destination AS, though I know some route platforms have extensions to provide additional data. 1) How common is it to have the additional extensions to include that data for analysis? 2) I have seen flow tools that show the entire AS path. Are they just cherry picking which platforms they showcase for the best marketing, or are they enriching the data they receive from "lesser" platforms from an outside source? For that purpose, knowing what ASes your data goes to is useful. It's even more useful to find an upstream network that includes a bunch of those. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From Roland.Dobbins at netscout.com Tue Apr 4 13:30:16 2023 From: Roland.Dobbins at netscout.com (Dobbins, Roland) Date: Tue, 4 Apr 2023 13:30:16 +0000 Subject: Flow Tools AS-Path In-Reply-To: <696990415.622.1680613436589.JavaMail.mhammett@Thunderfuck2> References: <696990415.622.1680613436589.JavaMail.mhammett@Thunderfuck2> Message-ID: On 4 Apr 2023, at 20:04, Mike Hammett > wrote: 2) I have seen flow tools that show the entire AS path. Are they just cherry picking which platforms they showcase for the best marketing, or are they enriching the data they receive from "lesser" platforms from an outside source? Full AS-path information isn?t typically included in flow telemetry records. One typically receives origin-AS and destination-AS from exporting devices, along with BGP next-hop information. Tools which provide the detailed type of information you?re describing typically provide combinatorial analysis of both flow telemetry received from edge routers and either live or offline BGP routing information. [Full disclosure: I work for a vendor of such tools.] -------------------------------------------- Roland Dobbins > -------------- next part -------------- An HTML attachment was scrubbed... URL: From niels=nanog at bakker.net Tue Apr 4 13:50:49 2023 From: niels=nanog at bakker.net (Niels Bakker) Date: Tue, 4 Apr 2023 15:50:49 +0200 Subject: Flow Tools AS-Path In-Reply-To: <696990415.622.1680613436589.JavaMail.mhammett@Thunderfuck2> References: <2010877999.611.1680613253518.JavaMail.mhammett@Thunderfuck2> <696990415.622.1680613436589.JavaMail.mhammett@Thunderfuck2> Message-ID: * nanog at ics-il.net (Mike Hammett) [Tue 04 Apr 2023, 15:06 CEST]: >1) How common is it to have the additional extensions to include >that data for analysis? pmacct is a commonly used tool to enrich flow data with such information. -- Niels. From peter.phaal at gmail.com Tue Apr 4 14:48:29 2023 From: peter.phaal at gmail.com (Peter Phaal) Date: Tue, 4 Apr 2023 07:48:29 -0700 Subject: Flow Tools AS-Path In-Reply-To: <696990415.622.1680613436589.JavaMail.mhammett@Thunderfuck2> References: <2010877999.611.1680613253518.JavaMail.mhammett@Thunderfuck2> <696990415.622.1680613436589.JavaMail.mhammett@Thunderfuck2> Message-ID: Export of destination AS-Path is supported in the sFlow extended_gateway structure. /* Extended Gateway Data */ /* opaque = flow_data; enterprise = 0; format = 1003 */ struct extended_gateway { next_hop nexthop; /* Address of the border router that should be used for the destination network */ unsigned int as; /* Autonomous system number of router */ unsigned int src_as; /* Autonomous system number of source */ unsigned int src_peer_as; /* Autonomous system number of source peer */ as_path_type dst_as_path<>; /* Autonomous system path to the destination */ unsigned int communities<>; /* Communities associated with this route */ unsigned int localpref; /* LocalPref associated with this route */ } Arista EOS supports aspath if you enable sflow extension bgp. Cisco also claims to support the feature on IOS XR platforms. In addition to BGP, there are a number of MPLS, tunnel encap/decap etc. sFlow extended structures. Also optical interface metrics, dropped packet notifications, and more: https://sflow.org/developers/specifications.php On Tue, Apr 4, 2023 at 6:06?AM Mike Hammett wrote: > One of the reasons to analyze flow data is to make purchase\peering > decisions. The sFlow standard seems to only include source and destination > AS, though I know some route platforms have extensions to provide > additional data. > > 1) How common is it to have the additional extensions to include that data > for analysis? > 2) I have seen flow tools that show the entire AS path. Are they just > cherry picking which platforms they showcase for the best marketing, or are > they enriching the data they receive from "lesser" platforms from an > outside source? > > For that purpose, knowing what ASes your data goes to is useful. It's even > more useful to find an upstream network that includes a bunch of those. > > > > ----- > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Roland.Dobbins at netscout.com Tue Apr 4 15:03:53 2023 From: Roland.Dobbins at netscout.com (Dobbins, Roland) Date: Tue, 4 Apr 2023 15:03:53 +0000 Subject: Flow Tools AS-Path In-Reply-To: References: <2010877999.611.1680613253518.JavaMail.mhammett@Thunderfuck2> <696990415.622.1680613436589.JavaMail.mhammett@Thunderfuck2> Message-ID: <235FE6CC-F26E-460F-B1FE-080148C5C920@netscout.com> On 4 Apr 2023, at 21:48, Peter Phaal > wrote: Export of destination AS-Path is supported in the sFlow extended_gateway structure. As a consumer of sFlow, [as well as NetFlow, IPFIX, etc.] I haven?t run into the use of this option in production, FWIW. In addition to BGP, there are a number of MPLS, tunnel encap/decap etc. sFlow extended structures. Some of these options are encountered fairly frequently; others, not so much. As you note, they have different applications. Also optical interface metrics, dropped packet notifications, and more: Dropped traffic is pretty much universally supported and utilized, in my experience. Other options, again, not very often. Some flow telemetry implementations support packet export, to one degree or another; and, of course, there?s PSAMP, which utilizes IPFIX as its transport. AFAIK, these aren?t observed very often in production, to date. -------------------------------------------- Roland Dobbins > -------------- next part -------------- An HTML attachment was scrubbed... URL: From jk at ip-clear.de Tue Apr 4 15:13:33 2023 From: jk at ip-clear.de (=?utf-8?q?J=C3=B6rg_Kost?=) Date: Tue, 04 Apr 2023 17:13:33 +0200 Subject: Flow Tools AS-Path In-Reply-To: References: <2010877999.611.1680613253518.JavaMail.mhammett@Thunderfuck2> <696990415.622.1680613436589.JavaMail.mhammett@Thunderfuck2> Message-ID: Hi, Extreme also supports it, and we use it for conducting statistics against dst_as/dst_peer_as to perform "traffic engineering" specifically for the transit paths. dst_as_path can also identify possible future peering situations or undesirable paths. BR J?rg On 4 Apr 2023, at 16:48, Peter Phaal wrote: > Export of destination AS-Path is supported in the sFlow extended_gateway > structure. > > /* Extended Gateway Data */ > /* opaque = flow_data; enterprise = 0; format = 1003 */ > > struct extended_gateway { > next_hop nexthop; /* Address of the border router that should > be used for the destination network */ > unsigned int as; /* Autonomous system number of router */ > unsigned int src_as; /* Autonomous system number of source */ > unsigned int src_peer_as; /* Autonomous system number of source peer */ > as_path_type dst_as_path<>; /* Autonomous system path to the destination */ > unsigned int communities<>; /* Communities associated with this route */ > unsigned int localpref; /* LocalPref associated with this route */ > } > > Arista EOS supports aspath if you enable sflow extension bgp. Cisco > also claims to support the feature on IOS XR platforms. > > In addition to BGP, there are a number of MPLS, tunnel encap/decap > etc. sFlow extended structures. > > Also optical interface metrics, dropped packet notifications, and more: > > https://sflow.org/developers/specifications.php > From jared at puck.nether.net Tue Apr 4 15:39:08 2023 From: jared at puck.nether.net (Jared Mauch) Date: Tue, 4 Apr 2023 11:39:08 -0400 Subject: SF union square area fiber Message-ID: <7A78D4E2-979A-4FC0-9ECA-137A613E0CE3@puck.nether.net> Can someone who is familiar with the fiber assets around the union square area in SF ping me off-list? Thanks. - jared From jared at puck.nether.net Tue Apr 4 15:42:30 2023 From: jared at puck.nether.net (Jared Mauch) Date: Tue, 4 Apr 2023 11:42:30 -0400 Subject: 100G-LR1 (DR/FR) In-Reply-To: References: <2946A06F-B335-4997-B78C-0D795DEEBFF8@puck.nether.net> Message-ID: <56EE0B27-C5B0-443B-AB49-50E6BEDEF5E8@puck.nether.net> We are willing to do 100G-LR1 if someone asks these days. It lets us be able to roll it up into 400G optics on our side as appropriate. The big difference in DR/FR is the receiver sensitivity, they are all compatible optically, so it?s really about the DR/FR being yield rejects for LR1. It?s also less components in the LR1 vs 100G-LR4 since you don?t need 4 transmitters and 4 receivers and if one fails you toss the optic, so fewer components is also lower cost. - Jared > On Apr 2, 2023, at 8:14 PM, David Siegel wrote: > > At this point, I'd be happy to see others happily deploy a single-lambda optic of almost any variety! Since deploying 400G in a clients network (but 100G still being the preferred connection choice), any inquiry with respect to LR1, FR1 or DR+ is met with "no thanks, LR4 please." > > If asked, I'd recommend FR1. They're available at a great price-point, and 2km reach is adequate for most applications. > > On Fri, Mar 31, 2023 at 7:25?AM Jared Mauch wrote: > The common tech is 100G-LR4 these days - I'm wondering how many operators are supporting the LR1 to allow its use on 400G and future 800G optics as those use breakout to support 100G ports. > > Would you rather do a 400G port on a router vs 100LR1? > > Curious what others think. > > Sent via RFC1925 compliant device From jared at puck.nether.net Tue Apr 4 15:44:09 2023 From: jared at puck.nether.net (Jared Mauch) Date: Tue, 4 Apr 2023 11:44:09 -0400 Subject: 100G-LR1 (DR/FR) In-Reply-To: <00cb01d9666e$8d1b90d0$a752b270$@wicks.co.nz> References: <2946A06F-B335-4997-B78C-0D795DEEBFF8@puck.nether.net>

<00cb01d9666e$8d1b90d0$a752b270$@wicks.co.nz> Message-ID: <87EAE876-34C2-4DBF-8A0D-6938A01E5C20@puck.nether.net> > On Apr 3, 2023, at 4:54 PM, Tony Wicks wrote: > > I have been using the QSFP-100G-CWDM4 2k optics for within rack/DC for a couple of years now. They are about the same price as SR optics but allow the use of simple duplex single mode patches without blasting 10K optics at each other over a 2M patch. Never had one fail or any compatibility issues. We saw some issues with the CWDM4 optics failing that caused us to make some changes in how we used those optics. I?ve also heard rumors some of the CWDM4 optics would go 10x the published spec, but I have not tested that myself. - Jared From woody at pch.net Tue Apr 4 15:47:46 2023 From: woody at pch.net (Bill Woodcock) Date: Tue, 4 Apr 2023 17:47:46 +0200 Subject: SF union square area fiber In-Reply-To: <7A78D4E2-979A-4FC0-9ECA-137A613E0CE3@puck.nether.net> References: <7A78D4E2-979A-4FC0-9ECA-137A613E0CE3@puck.nether.net> Message-ID: <22456947-8325-4831-8052-C3F7EA95B03E@pch.net> > On Apr 4, 2023, at 5:39 PM, Jared Mauch wrote: > Can someone who is familiar with the fiber assets around the union square area in SF ping me off-list? Heh. Somewhere, I have photos that Steve Feldman and I took while spelunking around under there trying to find fiber for the NANOG that was held there in 1997. We found a gas-chandelier maintenance department that people had just locked up and walked away from. Tools still spread out on workbenches, lamps half-rebuilt, everything. It was like electrification had hit one day during lunch-hour. -Bill From swmike at swm.pp.se Tue Apr 4 15:50:03 2023 From: swmike at swm.pp.se (Mikael Abrahamsson) Date: Tue, 4 Apr 2023 17:50:03 +0200 (CEST) Subject: 100G-LR1 (DR/FR) In-Reply-To: <56EE0B27-C5B0-443B-AB49-50E6BEDEF5E8@puck.nether.net> References: <2946A06F-B335-4997-B78C-0D795DEEBFF8@puck.nether.net> <56EE0B27-C5B0-443B-AB49-50E6BEDEF5E8@puck.nether.net> Message-ID: On Tue, 4 Apr 2023, Jared Mauch wrote: > We are willing to do 100G-LR1 if someone asks these days. It lets us be > able to roll it up into 400G optics on our side as appropriate. I hope the industry moves to 100G-LR1, as doing 2x100GBASE-LR4 in a 400G port is quite meh when it comes to faceplate capacity. Unfortunately 100GBASE-LR4 will be with us for a long long time. -- Mikael Abrahamsson email: swmike at swm.pp.se From dave.taht at gmail.com Tue Apr 4 15:57:24 2023 From: dave.taht at gmail.com (Dave Taht) Date: Tue, 4 Apr 2023 08:57:24 -0700 Subject: SF union square area fiber In-Reply-To: <22456947-8325-4831-8052-C3F7EA95B03E@pch.net> References: <7A78D4E2-979A-4FC0-9ECA-137A613E0CE3@puck.nether.net> <22456947-8325-4831-8052-C3F7EA95B03E@pch.net> Message-ID: That is a very illustrative photo of the state of the internet plant, even today. I hope you find it! On Tue, Apr 4, 2023 at 8:51?AM Bill Woodcock wrote: > > > On Apr 4, 2023, at 5:39 PM, Jared Mauch wrote: > > Can someone who is familiar with the fiber assets around the union square area in SF ping me off-list? > > Heh. Somewhere, I have photos that Steve Feldman and I took while spelunking around under there trying to find fiber for the NANOG that was held there in 1997. We found a gas-chandelier maintenance department that people had just locked up and walked away from. Tools still spread out on workbenches, lamps half-rebuilt, everything. It was like electrification had hit one day during lunch-hour. > > -Bill > -- AMA March 31: https://www.broadband.io/c/broadband-grant-events/dave-taht Dave T?ht CEO, TekLibre, LLC From Tyler at tgconrad.com Tue Apr 4 16:03:47 2023 From: Tyler at tgconrad.com (Tyler Conrad) Date: Tue, 4 Apr 2023 09:03:47 -0700 Subject: 100G-LR1 (DR/FR) In-Reply-To: References: <2946A06F-B335-4997-B78C-0D795DEEBFF8@puck.nether.net> <56EE0B27-C5B0-443B-AB49-50E6BEDEF5E8@puck.nether.net> Message-ID: Tangentially related to xR1, have any of you started deploying SN connectors on your 400G head-ends? It looks like a pretty clever technology, adding discrete connectors per lane, but curious what the adoption has been thus far. On Tue, Apr 4, 2023 at 8:55?AM Mikael Abrahamsson via NANOG wrote: > On Tue, 4 Apr 2023, Jared Mauch wrote: > > > We are willing to do 100G-LR1 if someone asks these days. It lets us be > > able to roll it up into 400G optics on our side as appropriate. > > I hope the industry moves to 100G-LR1, as doing 2x100GBASE-LR4 in a 400G > port is quite meh when it comes to faceplate capacity. > > Unfortunately 100GBASE-LR4 will be with us for a long long time. > > -- > Mikael Abrahamsson email: swmike at swm.pp.se > -------------- next part -------------- An HTML attachment was scrubbed... URL: From davidbass570 at gmail.com Tue Apr 4 16:39:26 2023 From: davidbass570 at gmail.com (David Bass) Date: Tue, 4 Apr 2023 12:39:26 -0400 Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: <761501209.605.1680612295892.JavaMail.mhammett@Thunderfuck2> References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> <929328215.303.1680526028089.JavaMail.mhammett@Thunderfuck2> <1449551141.352.1680526788034.JavaMail.mhammett@Thunderfuck2> <494acdaf5b9e4d3a9d5706ad5c5ea05f@ox.com> <517858062.383.1680528390235.JavaMail.mhammett@Thunderfuck2> <631619927.25505.1680556805228.JavaMail.zimbra@ics-il.net> <761501209.605.1680612295892.JavaMail.mhammett@Thunderfuck2> Message-ID: If you are both connected to the same upstream, but the customer wants traffic destined to the upstream to go through you (in and out), then they need to do something on their devices to try and affect the inbound path to their AS. From the upstream carrier in question they?ll take the best path to a prefix, which direct connection is generally going to be preferred over a transit AS (basic BGP best path algorithm stuff) unless there is some manipulation of the prefix advertisement happening. To confirm the path being taken you should be able to do a few trace routes from various locations as well as use looking glasses. Now the sflow data is an entirely different thing to analyze. On Tue, Apr 4, 2023 at 7:45 AM Mike Hammett wrote: > > sh ip bgp neighbor advertised-routes shows the only routes being > advertised to Y are the routes that should be advertised to them. I checked > a variety of other peers and have the expected results. > > > > From my perspective: > > Packets come in on port A, supposed to leave on port X, but they leave on > port Y. All of the troubleshooting steps I've done on my own (or suggested > by mailing lists) say the packets should be leaving on the desired port X. > > > From the customer's perspective, they're supposed to be coming from me on > port X, but they're arriving on port Y, another network. > > Port X in both scenarios is our direct connection, while port Y is a > mutual upstream provider. > > > Without knowing more about the specific platform, it seems to me like a > bug in the platform. If all indicators (not just configurations, but show > commands as well) say the packet should be leaving on X and it leaves on Y, > then I'm not sure what else it could be, besides a bug. > > > > ----- > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com > > ------------------------------ > *From: *"David Bass" > *To: *"Mike Hammett" > *Cc: *"Matthew Huff" , "NANOG" > *Sent: *Monday, April 3, 2023 9:12:52 PM > > *Subject: *Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging > > You said that they are seeing traffic from another upstream?are you > advertising the prefix to them? Are you advertising their prefix to your > upstream? > > Looks like the route maps are involved in some dual redistribution?might > want to make sure everything is matching correctly, and being advertised > like you want. > > On Mon, Apr 3, 2023 at 4:20 PM Mike Hammett wrote: > >> I don't see any route-maps applied to interfaces, so there must not be >> any PBR going on. I only see ACLs, setting communities, setting local pref, >> etc. in the route maps that are applied to neighbors. >> >> >> >> ----- >> Mike Hammett >> Intelligent Computing Solutions >> http://www.ics-il.com >> >> Midwest-IX >> http://www.midwest-ix.com >> >> ------------------------------ >> *From: *"Mike Hammett" >> *To: *"Matthew Huff" >> *Cc: *"NANOG" >> *Sent: *Monday, April 3, 2023 8:26:30 AM >> >> *Subject: *Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging >> >> Only two VRFs, default and manangement. IIRC, everything I saw before >> mentioned the default VRF. >> >> I do see a ton of route-maps. It's mostly Greek to me, so I'll have to >> dig through this a bit to see what's going on. >> >> >> >> ----- >> Mike Hammett >> Intelligent Computing Solutions >> http://www.ics-il.com >> >> Midwest-IX >> http://www.midwest-ix.com >> >> ------------------------------ >> *From: *"Matthew Huff" >> *To: *"Mike Hammett" >> *Cc: *"NANOG" >> *Sent: *Monday, April 3, 2023 8:06:51 AM >> *Subject: *RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging >> >> What about VRFs and/or policy based routing? >> >> switch-core1# show vrf >> VRF-Name VRF-ID State Reason >> >> default 1 Up -- >> >> management 2 Up -- >> >> >> switch-core1# show route-map >> route-map rmap_bgp_to_eigrp_b2b, permit, sequence 10 >> Match clauses: >> interface: Ethernet1/33 >> route-type: internal >> Set clauses: >> metric 40000000 10 255 1 1500 >> route-map rmap_bgp_to_eigrp_b2b, permit, sequence 20 >> Match clauses: >> interface: Ethernet1/34 >> route-type: internal >> Set clauses: >> metric 40000000 30 255 1 1500 >> route-map rmap_static_to_eigrp, permit, sequence 10 >> Match clauses: >> ip address prefix-lists: prefix_static_to_eigrp >> Set clauses: >> route-map rmap_static_to_eigrp_v6, permit, sequence 10 >> Match clauses: >> ipv6 address prefix-lists: prefix_ipv6_static_to_eigrp >> Set clauses: >> >> >> >> From: Mike Hammett >> Sent: Monday, April 3, 2023 9:00 AM >> To: Matthew Huff >> Cc: NANOG >> Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging >> >> It could be an sFlow bug, but I come at this from a reported problem and >> gathering data on that problem as opposed to looking at data for problems. >> >> The snmp if index reported by the Nexus matches the if index in >> ElastiFlow. >> >> >> >> >> ----- >> Mike Hammett >> Intelligent Computing Solutions >> http://www.ics-il.com >> >> Midwest-IX >> http://www.midwest-ix.com >> >> ________________________________________ >> From: "Matthew Huff" >> To: "Mike Hammett" >> Cc: "NANOG" >> Sent: Monday, April 3, 2023 7:50:08 AM >> Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging >> SFlow misconfiguration or bug on either the nexus or the sflow monitor? >> On the monitor, can you verify that the snmp interfaces are mapped to the >> correct ones on the nexus? >> >> >> >> >> >> From: Mike Hammett >> Sent: Monday, April 3, 2023 8:47 AM >> To: Matthew Huff >> Cc: NANOG >> Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging >> >> It shows the desired result. >> >> >> ----- >> Mike Hammett >> Intelligent Computing Solutions >> http://www.ics-il.com >> >> Midwest-IX >> http://www.midwest-ix.com >> >> ________________________________________ >> From: "Matthew Huff" >> To: "Mike Hammett" , "NANOG" > nanog at nanog.org> >> Sent: Monday, April 3, 2023 5:38:23 AM >> Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging >> >> switch-core1# sh forwarding route x.x.x.x >> >> slot 1 >> ======= >> >> >> IPv4 routes for table default/base >> >> >> ------------------+-----------------------------------------+----------------------+-----------------+----------------- >> Prefix | Next-hop | Interface >> | Labels | Partial Install >> >> ------------------+-----------------------------------------+----------------------+-----------------+----------------- >> x.x.x.x/24 x.x.x.250 Ethernet1/29 >> >> >> switch-core1# show routing hash x.x.x.x y.y.y.y >> Load-share parameters used for software forwarding: >> load-share mode: address source-destination port source-destination >> Hash for VRF "default" >> Hashing to path *y.y.y.y Eth1/29 >> For route: >> y.y.y.0/24, ubest/mbest: 1/0 >> *via z.z.z.z, Eth1/29, [90/3072], 1w2d, eigrp-100, internal >> >> >> >> >> From: NANOG On Behalf Of >> Mike Hammett >> Sent: Monday, April 3, 2023 1:21 AM >> To: NANOG >> Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging >> >> We have a Nexus 3064 that is setup with partial BGP tables and is routing >> based on that. >> >> >> I've done a show ip bgp for an IP of interest and it has an expected next >> hop IP. I show ip arp on that next hop IP and it has the expected >> interface. >> >> >> However, sFlows show the packets leaving on a different interface, the >> one that would carry the default route for routes not otherwise known. >> >> >> If the next hop IP is expected and the ARP of that next hop IP is >> expected, why are packets leaving out an unexpected interface? >> >> >> ----- >> Mike Hammett >> Intelligent Computing Solutions >> http://www.ics-il.com >> >> Midwest-IX >> http://www.midwest-ix.com >> >> >> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From nanog at ics-il.net Tue Apr 4 16:46:33 2023 From: nanog at ics-il.net (Mike Hammett) Date: Tue, 4 Apr 2023 11:46:33 -0500 (CDT) Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> <1449551141.352.1680526788034.JavaMail.mhammett@Thunderfuck2> <494acdaf5b9e4d3a9d5706ad5c5ea05f@ox.com> <517858062.383.1680528390235.JavaMail.mhammett@Thunderfuck2> <631619927.25505.1680556805228.JavaMail.zimbra@ics-il.net> <761501209.605.1680612295892.JavaMail.mhammett@Thunderfuck2> Message-ID: <815206146.874.1680626788549.JavaMail.mhammett@Thunderfuck2> Via all mechanisms I could find in the router, it thinks the best path is the direct path, the packets just don't go that way. The in traffic isn't a concern at this time, just the out (from my perspective). ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ----- Original Message ----- From: "David Bass" To: "Mike Hammett" Cc: "Matthew Huff" , "NANOG" Sent: Tuesday, April 4, 2023 11:39:26 AM Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging If you are both connected to the same upstream, but the customer wants traffic destined to the upstream to go through you (in and out), then they need to do something on their devices to try and affect the inbound path to their AS. From the upstream carrier in question they?ll take the best path to a prefix, which direct connection is generally going to be preferred over a transit AS (basic BGP best path algorithm stuff) unless there is some manipulation of the prefix advertisement happening. To confirm the path being taken you should be able to do a few trace routes from various locations as well as use looking glasses. Now the sflow data is an entirely different thing to analyze. On Tue, Apr 4, 2023 at 7:45 AM Mike Hammett < nanog at ics-il.net > wrote: sh ip bgp neighbor advertised-routes shows the only routes being advertised to Y are the routes that should be advertised to them. I checked a variety of other peers and have the expected results. >From my perspective: Packets come in on port A, supposed to leave on port X, but they leave on port Y. All of the troubleshooting steps I've done on my own (or suggested by mailing lists) say the packets should be leaving on the desired port X. >From the customer's perspective, they're supposed to be coming from me on port X, but they're arriving on port Y, another network . Port X in both scenarios is our direct connection, while port Y is a mutual upstream provider. Without knowing more about the specific platform, it seems to me like a bug in the platform. If all indicators (not just configurations, but show commands as well) say the packet should be leaving on X and it leaves on Y, then I'm not sure what else it could be, besides a bug. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com From: "David Bass" < davidbass570 at gmail.com > To: "Mike Hammett" < nanog at ics-il.net > Cc: "Matthew Huff" < mhuff at ox.com >, "NANOG" < nanog at nanog.org > Sent: Monday, April 3, 2023 9:12:52 PM Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging You said that they are seeing traffic from another upstream?are you advertising the prefix to them? Are you advertising their prefix to your upstream? Looks like the route maps are involved in some dual redistribution?might want to make sure everything is matching correctly, and being advertised like you want. On Mon, Apr 3, 2023 at 4:20 PM Mike Hammett < nanog at ics-il.net > wrote:

I don't see any route-maps applied to interfaces, so there must not be any PBR going on. I only see ACLs, setting communities, setting local pref, etc. in the route maps that are applied to neighbors. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com From: "Mike Hammett" < nanog at ics-il.net > To: "Matthew Huff" < mhuff at ox.com > Cc: "NANOG" < nanog at nanog.org > Sent: Monday, April 3, 2023 8:26:30 AM Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging Only two VRFs, default and manangement. IIRC, everything I saw before mentioned the default VRF. I do see a ton of route-maps. It's mostly Greek to me, so I'll have to dig through this a bit to see what's going on. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com From: "Matthew Huff" < mhuff at ox.com > To: "Mike Hammett" < nanog at ics-il.net > Cc: "NANOG" < nanog at nanog.org > Sent: Monday, April 3, 2023 8:06:51 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging What about VRFs and/or policy based routing? switch-core1# show vrf VRF-Name VRF-ID State Reason default 1 Up -- management 2 Up -- switch-core1# show route-map route-map rmap_bgp_to_eigrp_b2b, permit, sequence 10 Match clauses: interface: Ethernet1/33 route-type: internal Set clauses: metric 40000000 10 255 1 1500 route-map rmap_bgp_to_eigrp_b2b, permit, sequence 20 Match clauses: interface: Ethernet1/34 route-type: internal Set clauses: metric 40000000 30 255 1 1500 route-map rmap_static_to_eigrp, permit, sequence 10 Match clauses: ip address prefix-lists: prefix_static_to_eigrp Set clauses: route-map rmap_static_to_eigrp_v6, permit, sequence 10 Match clauses: ipv6 address prefix-lists: prefix_ipv6_static_to_eigrp Set clauses: From: Mike Hammett < nanog at ics-il.net > Sent: Monday, April 3, 2023 9:00 AM To: Matthew Huff < mhuff at ox.com > Cc: NANOG < nanog at nanog.org > Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging It could be an sFlow bug, but I come at this from a reported problem and gathering data on that problem as opposed to looking at data for problems. The snmp if index reported by the Nexus matches the if index in ElastiFlow. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ________________________________________ From: "Matthew Huff" To: "Mike Hammett" Cc: "NANOG" Sent: Monday, April 3, 2023 7:50:08 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging SFlow misconfiguration or bug on either the nexus or the sflow monitor? On the monitor, can you verify that the snmp interfaces are mapped to the correct ones on the nexus? From: Mike Hammett Sent: Monday, April 3, 2023 8:47 AM To: Matthew Huff Cc: NANOG Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging It shows the desired result. ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com ________________________________________ From: "Matthew Huff" To: "Mike Hammett" , "NANOG" Sent: Monday, April 3, 2023 5:38:23 AM Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging switch-core1# sh forwarding route x.x.x.x slot 1 ======= IPv4 routes for table default/base ------------------+-----------------------------------------+----------------------+-----------------+----------------- Prefix | Next-hop | Interface | Labels | Partial Install ------------------+-----------------------------------------+----------------------+-----------------+----------------- x.x.x.x/24 x.x.x.250 Ethernet1/29 switch-core1# show routing hash x.x.x.x y.y.y.y Load-share parameters used for software forwarding: load-share mode: address source-destination port source-destination Hash for VRF "default" Hashing to path *y.y.y.y Eth1/29 For route: y.y.y.0/24, ubest/mbest: 1/0 *via z.z.z.z, Eth1/29, [90/3072], 1w2d, eigrp-100, internal From: NANOG On Behalf Of Mike Hammett Sent: Monday, April 3, 2023 1:21 AM To: NANOG Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging We have a Nexus 3064 that is setup with partial BGP tables and is routing based on that. I've done a show ip bgp for an IP of interest and it has an expected next hop IP. I show ip arp on that next hop IP and it has the expected interface. However, sFlows show the packets leaving on a different interface, the one that would carry the default route for routes not otherwise known. If the next hop IP is expected and the ARP of that next hop IP is expected, why are packets leaving out an unexpected interface? ----- Mike Hammett Intelligent Computing Solutions http://www.ics-il.com Midwest-IX http://www.midwest-ix.com

-------------- next part -------------- An HTML attachment was scrubbed... URL: From nick at 141networks.com Tue Apr 4 22:01:12 2023 From: nick at 141networks.com (Nick Olsen) Date: Tue, 4 Apr 2023 23:01:12 +0100 Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging In-Reply-To: <815206146.874.1680626788549.JavaMail.mhammett@Thunderfuck2> References: <772176682.250.1680499285558.JavaMail.mhammett@Thunderfuck2> <1449551141.352.1680526788034.JavaMail.mhammett@Thunderfuck2> <494acdaf5b9e4d3a9d5706ad5c5ea05f@ox.com> <517858062.383.1680528390235.JavaMail.mhammett@Thunderfuck2> <631619927.25505.1680556805228.JavaMail.zimbra@ics-il.net> <761501209.605.1680612295892.JavaMail.mhammett@Thunderfuck2> <815206146.874.1680626788549.JavaMail.mhammett@Thunderfuck2> Message-ID: Not that it's a "Fix" but have you tried rebooting the box? If this is a bug in the forwarding plane that might clear/rebuild it. And maybe it works correctly after that. Friend saw something similar on a Juniper MX with DPC cards that had run out of FIB space. It would show correctly in all places, but was failing to install in FIB (Router cut a error about it in the log). So the actual traffic didn't follow the same path. I saw you specifically referenced "forwarding" in one of your copy pastes. And it looked right. But I don't know enough about Cisco to say if that's really what is in FIB. Or just what it thinks is in FIB. On Tue, Apr 4, 2023 at 5:47?PM Mike Hammett wrote: > Via all mechanisms I could find in the router, it thinks the best path is > the direct path, the packets just don't go that way. > > The in traffic isn't a concern at this time, just the out (from my > perspective). > > > > ----- > Mike Hammett > Intelligent Computing Solutions > http://www.ics-il.com > > Midwest-IX > http://www.midwest-ix.com > > ------------------------------ > *From: *"David Bass" > *To: *"Mike Hammett" > *Cc: *"Matthew Huff" , "NANOG" > *Sent: *Tuesday, April 4, 2023 11:39:26 AM > *Subject: *Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging > > If you are both connected to the same upstream, but the customer wants > traffic destined to the upstream to go through you (in and out), then they > need to do something on their devices to try and affect the inbound path to > their AS. From the upstream carrier in question they?ll take the best path > to a prefix, which direct connection is generally going to be preferred > over a transit AS (basic BGP best path algorithm stuff) unless there is > some manipulation of the prefix advertisement happening. > > To confirm the path being taken you should be able to do a few trace > routes from various locations as well as use looking glasses. > > Now the sflow data is an entirely different thing to analyze. > > On Tue, Apr 4, 2023 at 7:45 AM Mike Hammett wrote: > >> >> sh ip bgp neighbor advertised-routes shows the only routes being >> advertised to Y are the routes that should be advertised to them. I checked >> a variety of other peers and have the expected results. >> >> >> >> From my perspective: >> >> Packets come in on port A, supposed to leave on port X, but they leave on >> port Y. All of the troubleshooting steps I've done on my own (or suggested >> by mailing lists) say the packets should be leaving on the desired port X. >> >> >> From the customer's perspective, they're supposed to be coming from me on >> port X, but they're arriving on port Y, another network. >> >> Port X in both scenarios is our direct connection, while port Y is a >> mutual upstream provider. >> >> >> Without knowing more about the specific platform, it seems to me like a >> bug in the platform. If all indicators (not just configurations, but show >> commands as well) say the packet should be leaving on X and it leaves on Y, >> then I'm not sure what else it could be, besides a bug. >> >> >> >> ----- >> Mike Hammett >> Intelligent Computing Solutions >> http://www.ics-il.com >> >> Midwest-IX >> http://www.midwest-ix.com >> >> ------------------------------ >> *From: *"David Bass" >> *To: *"Mike Hammett" >> *Cc: *"Matthew Huff" , "NANOG" >> *Sent: *Monday, April 3, 2023 9:12:52 PM >> >> *Subject: *Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging >> >> You said that they are seeing traffic from another upstream?are you >> advertising the prefix to them? Are you advertising their prefix to your >> upstream? >> >> Looks like the route maps are involved in some dual redistribution?might >> want to make sure everything is matching correctly, and being advertised >> like you want. >> >> On Mon, Apr 3, 2023 at 4:20 PM Mike Hammett wrote: >> >>> I don't see any route-maps applied to interfaces, so there must not be >>> any PBR going on. I only see ACLs, setting communities, setting local pref, >>> etc. in the route maps that are applied to neighbors. >>> >>> >>> >>> ----- >>> Mike Hammett >>> Intelligent Computing Solutions >>> http://www.ics-il.com >>> >>> Midwest-IX >>> http://www.midwest-ix.com >>> >>> ------------------------------ >>> *From: *"Mike Hammett" >>> *To: *"Matthew Huff" >>> *Cc: *"NANOG" >>> *Sent: *Monday, April 3, 2023 8:26:30 AM >>> >>> *Subject: *Re: Cisco Nexus 3k Route Selection\Packet Forwarding >>> Debugging >>> >>> Only two VRFs, default and manangement. IIRC, everything I saw before >>> mentioned the default VRF. >>> >>> I do see a ton of route-maps. It's mostly Greek to me, so I'll have to >>> dig through this a bit to see what's going on. >>> >>> >>> >>> ----- >>> Mike Hammett >>> Intelligent Computing Solutions >>> http://www.ics-il.com >>> >>> Midwest-IX >>> http://www.midwest-ix.com >>> >>> ------------------------------ >>> *From: *"Matthew Huff" >>> *To: *"Mike Hammett" >>> *Cc: *"NANOG" >>> *Sent: *Monday, April 3, 2023 8:06:51 AM >>> *Subject: *RE: Cisco Nexus 3k Route Selection\Packet Forwarding >>> Debugging >>> >>> What about VRFs and/or policy based routing? >>> >>> switch-core1# show vrf >>> VRF-Name VRF-ID State Reason >>> >>> default 1 Up -- >>> >>> management 2 Up -- >>> >>> >>> switch-core1# show route-map >>> route-map rmap_bgp_to_eigrp_b2b, permit, sequence 10 >>> Match clauses: >>> interface: Ethernet1/33 >>> route-type: internal >>> Set clauses: >>> metric 40000000 10 255 1 1500 >>> route-map rmap_bgp_to_eigrp_b2b, permit, sequence 20 >>> Match clauses: >>> interface: Ethernet1/34 >>> route-type: internal >>> Set clauses: >>> metric 40000000 30 255 1 1500 >>> route-map rmap_static_to_eigrp, permit, sequence 10 >>> Match clauses: >>> ip address prefix-lists: prefix_static_to_eigrp >>> Set clauses: >>> route-map rmap_static_to_eigrp_v6, permit, sequence 10 >>> Match clauses: >>> ipv6 address prefix-lists: prefix_ipv6_static_to_eigrp >>> Set clauses: >>> >>> >>> >>> From: Mike Hammett >>> Sent: Monday, April 3, 2023 9:00 AM >>> To: Matthew Huff >>> Cc: NANOG >>> Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging >>> >>> It could be an sFlow bug, but I come at this from a reported problem and >>> gathering data on that problem as opposed to looking at data for problems. >>> >>> The snmp if index reported by the Nexus matches the if index in >>> ElastiFlow. >>> >>> >>> >>> >>> ----- >>> Mike Hammett >>> Intelligent Computing Solutions >>> http://www.ics-il.com >>> >>> Midwest-IX >>> http://www.midwest-ix.com >>> >>> ________________________________________ >>> From: "Matthew Huff" >>> To: "Mike Hammett" >>> Cc: "NANOG" >>> Sent: Monday, April 3, 2023 7:50:08 AM >>> Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging >>> SFlow misconfiguration or bug on either the nexus or the sflow monitor? >>> On the monitor, can you verify that the snmp interfaces are mapped to the >>> correct ones on the nexus? >>> >>> >>> >>> >>> >>> From: Mike Hammett >>> Sent: Monday, April 3, 2023 8:47 AM >>> To: Matthew Huff >>> Cc: NANOG >>> Subject: Re: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging >>> >>> It shows the desired result. >>> >>> >>> ----- >>> Mike Hammett >>> Intelligent Computing Solutions >>> http://www.ics-il.com >>> >>> Midwest-IX >>> http://www.midwest-ix.com >>> >>> ________________________________________ >>> From: "Matthew Huff" >>> To: "Mike Hammett" , "NANOG" >> nanog at nanog.org> >>> Sent: Monday, April 3, 2023 5:38:23 AM >>> Subject: RE: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging >>> >>> switch-core1# sh forwarding route x.x.x.x >>> >>> slot 1 >>> ======= >>> >>> >>> IPv4 routes for table default/base >>> >>> >>> ------------------+-----------------------------------------+----------------------+-----------------+----------------- >>> Prefix | Next-hop | Interface >>> | Labels | Partial Install >>> >>> ------------------+-----------------------------------------+----------------------+-----------------+----------------- >>> x.x.x.x/24 x.x.x.250 Ethernet1/29 >>> >>> >>> switch-core1# show routing hash x.x.x.x y.y.y.y >>> Load-share parameters used for software forwarding: >>> load-share mode: address source-destination port source-destination >>> Hash for VRF "default" >>> Hashing to path *y.y.y.y Eth1/29 >>> For route: >>> y.y.y.0/24, ubest/mbest: 1/0 >>> *via z.z.z.z, Eth1/29, [90/3072], 1w2d, eigrp-100, internal >>> >>> >>> >>> >>> From: NANOG On Behalf Of >>> Mike Hammett >>> Sent: Monday, April 3, 2023 1:21 AM >>> To: NANOG >>> Subject: Cisco Nexus 3k Route Selection\Packet Forwarding Debugging >>> >>> We have a Nexus 3064 that is setup with partial BGP tables and is >>> routing based on that. >>> >>> >>> I've done a show ip bgp for an IP of interest and it has an expected >>> next hop IP. I show ip arp on that next hop IP and it has the expected >>> interface. >>> >>> >>> However, sFlows show the packets leaving on a different interface, the >>> one that would carry the default route for routes not otherwise known. >>> >>> >>> If the next hop IP is expected and the ARP of that next hop IP is >>> expected, why are packets leaving out an unexpected interface? >>> >>> >>> ----- >>> Mike Hammett >>> Intelligent Computing Solutions >>> http://www.ics-il.com >>> >>> Midwest-IX >>> http://www.midwest-ix.com >>> >>> >>> >>> >> > -------------- next part -------------- An HTML attachment was scrubbed... URL: From rbonica at juniper.net Wed Apr 5 16:24:22 2023 From: rbonica at juniper.net (Ron Bonica) Date: Wed, 5 Apr 2023 16:24:22 +0000 Subject: Route Hijacks Message-ID: Folks, Can anyone point me at literature regarding the frequency and cost of BGP route hijacks? Also, please email me privately if there is any information that you can share in confidence. Ron Juniper Business Use Only -------------- next part -------------- An HTML attachment was scrubbed... URL: From news at nanog.org Thu Apr 6 19:25:55 2023 From: news at nanog.org (Nanog News) Date: Thu, 6 Apr 2023 15:25:55 -0400 Subject: Early Bird Reg. Rates End Sunday + Start Your Seattle Coffee Tour Here Message-ID: *NANOG 88 Early Bird Registration Deadline Sunday * *Discounted Rates Will End this Sunday 9 April* Join us for our 88th community-wide meeting, NANOG 88, taking place 12 - 14, June in Seattle, Wa. Register before Sunday, 9 April to receive our most discounted registration rate. *REGISTER NOW * *Start Your Seattle Coffee Tour Here* *Your Guide to the "Coffee Capital" of the U.S.* Coffee is like a fine wine, "the best cup" can only be determined by the person whose pallet it touches. Check out this curated list of legendary cafes in the coffee capital of the United States. Then plan your hunt for the best cup of coffee during your stay in the Emerald City for our upcoming meeting, NANOG 88. *READ NOW * *Don't Wait to Submit Your Presentation for N88!* *Presentation Submission Deadline is Monday, 24 April* The NANOG PC is looking to schedule over 1,600 minutes of content between General Session and Breakout Rooms for NANOG 88 - so don?t wait! Presentation abstracts and draft slides should be submitted before Monday, 24 April. *MORE INFO * -------------- next part -------------- An HTML attachment was scrubbed... URL: From tim at mid.net Fri Apr 7 00:32:41 2023 From: tim at mid.net (Tim Burke) Date: Fri, 7 Apr 2023 00:32:41 +0000 Subject: Auth0 geolocation? Message-ID: <66DA24CF-70F0-4216-918E-9C4B9C22719F@mid.net> Anyone know who Auth0 is using for geolocation services? Have a customer reporting that Auth0, Lowes, Bank of America, and some other sites are reporting their IP in the wrong location. Checked the usual suspects, BrothersWISP.com geolocation providers list, etcetera and they?re all showing in the correct location. Thanks, Tim -------------- next part -------------- An HTML attachment was scrubbed... URL: From tim at mid.net Fri Apr 7 13:46:07 2023 From: tim at mid.net (Tim Burke) Date: Fri, 7 Apr 2023 13:46:07 +0000 Subject: Auth0 geolocation? Message-ID: <9C3A1173-5902-4DA7-BA9F-452E371D0499@mid.net> ?I thought so too, but we already send good geofeed data to Maxmind, and queried their DB to verify. On Apr 7, 2023, at 8:16 AM, Joel Esler wrote: ? I bet money it?s maxmind. ? Sent from my iPhone On Apr 6, 2023, at 20:33, Tim Burke wrote: ? Anyone know who Auth0 is using for geolocation services? Have a customer reporting that Auth0, Lowes, Bank of America, and some other sites are reporting their IP in the wrong location. Checked the usual suspects, BrothersWISP.com geolocation providers list, etcetera and they?re all showing in the correct location. Thanks, Tim -------------- next part -------------- An HTML attachment was scrubbed... URL: From cb.list6 at gmail.com Fri Apr 7 14:05:23 2023 From: cb.list6 at gmail.com (Ca By) Date: Fri, 7 Apr 2023 07:05:23 -0700 Subject: Auth0 geolocation? In-Reply-To: <9C3A1173-5902-4DA7-BA9F-452E371D0499@mid.net> References: <9C3A1173-5902-4DA7-BA9F-452E371D0499@mid.net> Message-ID: On Fri, Apr 7, 2023 at 6:47 AM Tim Burke wrote: > ?I thought so too, but we already send good geofeed data to Maxmind, and > queried their DB to verify. > The worst of the worst is brightcloud / opentext They randomly assigned my arin ip space to china 2 weeks ago This space has 1. Not changed in any way and been with me from arin for 10 years 2. Has a proper geofeed And i opened a ticket with brghtcloud / opentext, they agreed to fix ? a week later not fix? i followed up? they said still working on it ?. Geolocation companies are bad for QA, but brightcloud takes the cake for bizarrely moving my arin space to China and then acknowledging and not fixing. > On Apr 7, 2023, at 8:16 AM, Joel Esler wrote: > > ? I bet money it?s maxmind. > > ? > Sent from my iPhone > > On Apr 6, 2023, at 20:33, Tim Burke wrote: > > ? Anyone know who Auth0 is using for geolocation services? Have a customer > reporting that Auth0, Lowes, Bank of America, and some other sites are > reporting their IP in the wrong location. Checked the usual suspects, > BrothersWISP.com geolocation providers list, etcetera and they?re all > showing in the correct location. > > Thanks, > Tim > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From cscora at apnic.net Fri Apr 7 18:03:36 2023 From: cscora at apnic.net (Routing Table Analysis Role Account) Date: Sat, 8 Apr 2023 04:03:36 +1000 (AEST) Subject: Weekly Global IPv4 Routing Table Report Message-ID: <20230407180336.A8611C0F45@thyme.rand.apnic.net> This is an automated weekly mailing describing the state of the Global IPv4 Routing Table as seen from APNIC's router in Japan. The posting is sent to APOPS, NANOG, AfNOG, SANOG, PacNOG, SAFNOG TZNOG, MENOG, BJNOG, SDNOG, CMNOG, LACNOG and the RIPE Routing WG. Daily listings are sent to bgp-stats at lists.apnic.net. For historical data, please see https://thyme.apnic.net. If you have any comments please contact Philip Smith . IPv4 Routing Table Report 04:00 +10GMT Sat 08 Apr, 2023 BGP Table (Global) as seen in Japan. Report Website: https://thyme.apnic.net Detailed Analysis: https://thyme.apnic.net/current/ Analysis Summary ---------------- BGP routing table entries examined: 917911 Prefixes after maximum aggregation (per Origin AS): 348250 Deaggregation factor: 2.64 Unique aggregates announced (without unneeded subnets): 447962 Total ASes present in the Internet Routing Table: 74298 Prefixes per ASN: 12.35 Origin-only ASes present in the Internet Routing Table: 63737 Origin ASes announcing only one prefix: 26192 Transit ASes present in the Internet Routing Table: 10561 Transit-only ASes present in the Internet Routing Table: 448 Average AS path length visible in the Internet Routing Table: 4.3 Max AS path length visible: 55 Max AS path prepend of ASN (265020) 50 Prefixes from unregistered ASNs in the Routing Table: 1103 Number of instances of unregistered ASNs: 1103 Number of 32-bit ASNs allocated by the RIRs: 41624 Number of 32-bit ASNs visible in the Routing Table: 34433 Prefixes from 32-bit ASNs in the Routing Table: 169845 Number of bogon 32-bit ASNs visible in the Routing Table: 56 Special use prefixes present in the Routing Table: 1 Prefixes being announced from unallocated address space: 713 Number of addresses announced to Internet: 3062021376 Equivalent to 182 /8s, 130 /16s and 189 /24s Percentage of available address space announced: 82.7 Percentage of allocated address space announced: 82.7 Percentage of available address space allocated: 100.0 Percentage of address space in use by end-sites: 99.6 Total number of prefixes smaller than registry allocations: 307012 APNIC Region Analysis Summary ----------------------------- Prefixes being announced by APNIC Region ASes: 242441 Total APNIC prefixes after maximum aggregation: 69292 APNIC Deaggregation factor: 3.50 Prefixes being announced from the APNIC address blocks: 236823 Unique aggregates announced from the APNIC address blocks: 97741 APNIC Region origin ASes present in the Internet Routing Table: 13397 APNIC Prefixes per ASN: 17.68 APNIC Region origin ASes announcing only one prefix: 3937 APNIC Region transit ASes present in the Internet Routing Table: 1808 Average APNIC Region AS path length visible: 4.4 Max APNIC Region AS path length visible: 26 Number of APNIC region 32-bit ASNs visible in the Routing Table: 8686 Number of APNIC addresses announced to Internet: 773675648 Equivalent to 46 /8s, 29 /16s and 90 /24s APNIC AS Blocks 4608-4864, 7467-7722, 9216-10239, 17408-18431 (pre-ERX allocations) 23552-24575, 37888-38911, 45056-46079, 55296-56319, 58368-59391, 63488-64098, 64297-64395, 131072-151865 APNIC Address Blocks 1/8, 14/8, 27/8, 36/8, 39/8, 42/8, 43/8, 49/8, 58/8, 59/8, 60/8, 61/8, 101/8, 103/8, 106/8, 110/8, 111/8, 112/8, 113/8, 114/8, 115/8, 116/8, 117/8, 118/8, 119/8, 120/8, 121/8, 122/8, 123/8, 124/8, 125/8, 126/8, 133/8, 150/8, 153/8, 163/8, 171/8, 175/8, 180/8, 182/8, 183/8, 202/8, 203/8, 210/8, 211/8, 218/8, 219/8, 220/8, 221/8, 222/8, 223/8, ARIN Region Analysis Summary ---------------------------- Prefixes being announced by ARIN Region ASes: 268778 Total ARIN prefixes after maximum aggregation: 122061 ARIN Deaggregation factor: 2.20 Prefixes being announced from the ARIN address blocks: 271173 Unique aggregates announced from the ARIN address blocks: 130691 ARIN Region origin ASes present in the Internet Routing Table: 19085 ARIN Prefixes per ASN: 14.21 ARIN Region origin ASes announcing only one prefix: 6975 ARIN Region transit ASes present in the Internet Routing Table: 1959 Average ARIN Region AS path length visible: 3.7 Max ARIN Region AS path length visible: 24 Number of ARIN region 32-bit ASNs visible in the Routing Table: 4781 Number of ARIN addresses announced to Internet: 1285572096 Equivalent to 76 /8s, 160 /16s and 70 /24s ARIN AS Blocks 1-1876, 1902-2042, 2044-2046, 2048-2106 (pre-ERX allocations) 2138-2584, 2615-2772, 2823-2829, 2880-3153 3354-4607, 4865-5119, 5632-6655, 6912-7466 7723-8191, 10240-12287, 13312-15359, 16384-17407 18432-20479, 21504-23551, 25600-26591, 26624-27647, 29696-30719, 31744-33791 35840-36863, 39936-40959, 46080-47103 53248-55295, 62464-63487, 64198-64296, 393216-401308 ARIN Address Blocks 3/8, 4/8, 6/8, 7/8, 8/8, 9/8, 11/8, 12/8, 13/8, 15/8, 16/8, 17/8, 18/8, 19/8, 20/8, 21/8, 22/8, 23/8, 24/8, 26/8, 28/8, 29/8, 30/8, 32/8, 33/8, 34/8, 35/8, 38/8, 40/8, 44/8, 47/8, 48/8, 50/8, 52/8, 53/8, 54/8, 55/8, 56/8, 57/8, 63/8, 64/8, 65/8, 66/8, 67/8, 68/8, 69/8, 70/8, 71/8, 72/8, 73/8, 74/8, 75/8, 76/8, 96/8, 97/8, 98/8, 99/8, 100/8, 104/8, 107/8, 108/8, 128/8, 129/8, 130/8, 131/8, 132/8, 134/8, 135/8, 136/8, 137/8, 138/8, 139/8, 140/8, 142/8, 143/8, 144/8, 146/8, 147/8, 148/8, 149/8, 152/8, 155/8, 156/8, 157/8, 158/8, 159/8, 160/8, 161/8, 162/8, 164/8, 165/8, 166/8, 167/8, 168/8, 169/8, 170/8, 172/8, 173/8, 174/8, 184/8, 192/8, 198/8, 199/8, 204/8, 205/8, 206/8, 207/8, 208/8, 209/8, 214/8, 215/8, 216/8, RIPE Region Analysis Summary ---------------------------- Prefixes being announced by RIPE Region ASes: 258784 Total RIPE prefixes after maximum aggregation: 121878 RIPE Deaggregation factor: 2.12 Prefixes being announced from the RIPE address blocks: 254754 Unique aggregates announced from the RIPE address blocks: 157516 RIPE Region origin ASes present in the Internet Routing Table: 28287 RIPE Prefixes per ASN: 9.01 RIPE Region origin ASes announcing only one prefix: 12034 RIPE Region transit ASes present in the Internet Routing Table: 3968 Average RIPE Region AS path length visible: 4.3 Max RIPE Region AS path length visible: 31 Number of RIPE region 32-bit ASNs visible in the Routing Table: 11116 Number of RIPE addresses announced to Internet: 717837184 Equivalent to 42 /8s, 201 /16s and 83 /24s RIPE AS Blocks 1877-1901, 2043, 2047, 2107-2136, 2585-2614 (pre-ERX allocations) 2773-2822, 2830-2879, 3154-3353, 5377-5631 6656-6911, 8192-9215, 12288-13311, 15360-16383 20480-21503, 24576-25599, 28672-29695 30720-31743, 33792-35839, 38912-39935 40960-45055, 47104-52223, 56320-58367 59392-61439, 61952-62463, 64396-64495 196608-213403 RIPE Address Blocks 2/8, 5/8, 25/8, 31/8, 37/8, 46/8, 51/8, 62/8, 77/8, 78/8, 79/8, 80/8, 81/8, 82/8, 83/8, 84/8, 85/8, 86/8, 87/8, 88/8, 89/8, 90/8, 91/8, 92/8, 93/8, 94/8, 95/8, 109/8, 141/8, 145/8, 151/8, 176/8, 178/8, 185/8, 188/8, 193/8, 194/8, 195/8, 212/8, 213/8, 217/8, LACNIC Region Analysis Summary ------------------------------ Prefixes being announced by LACNIC Region ASes: 117557 Total LACNIC prefixes after maximum aggregation: 28483 LACNIC Deaggregation factor: 4.13 Prefixes being announced from the LACNIC address blocks: 116872 Unique aggregates announced from the LACNIC address blocks: 49120 LACNIC Region origin ASes present in the Internet Routing Table: 10968 LACNIC Prefixes per ASN: 10.66 LACNIC Region origin ASes announcing only one prefix: 2644 LACNIC Region transit ASes present in the Internet Routing Table: 2289 Average LACNIC Region AS path length visible: 5.0 Max LACNIC Region AS path length visible: 55 Number of LACNIC region 32-bit ASNs visible in the Routing Table: 8773 Number of LACNIC addresses announced to Internet: 176705536 Equivalent to 10 /8s, 136 /16s and 80 /24s LACNIC AS Blocks 26592-26623, 27648-28671, 52224-53247, 61440-61951, 64099-64197, 262144-273820 + ERX transfers LACNIC Address Blocks 177/8, 179/8, 181/8, 186/8, 187/8, 189/8, 190/8, 191/8, 200/8, 201/8, AfriNIC Region Analysis Summary ------------------------------- Prefixes being announced by AfriNIC Region ASes: 29248 Total AfriNIC prefixes after maximum aggregation: 5772 AfriNIC Deaggregation factor: 5.07 Prefixes being announced from the AfriNIC address blocks: 37576 Unique aggregates announced from the AfriNIC address blocks: 12283 AfriNIC Region origin ASes present in the Internet Routing Table: 1729 AfriNIC Prefixes per ASN: 21.73 AfriNIC Region origin ASes announcing only one prefix: 602 AfriNIC Region transit ASes present in the Internet Routing Table: 333 Average AfriNIC Region AS path length visible: 4.9 Max AfriNIC Region AS path length visible: 40 Number of AfriNIC region 32-bit ASNs visible in the Routing Table: 1077 Number of AfriNIC addresses announced to Internet: 107769344 Equivalent to 6 /8s, 108 /16s and 110 /24s AfriNIC AS Blocks 36864-37887, 327680-329727 & ERX transfers AfriNIC Address Blocks 41/8, 45/8, 102/8, 105/8, 154/8, 196/8, 197/8, APNIC Region per AS prefix count summary ---------------------------------------- ASN No of nets /20 equiv MaxAgg Description 9808 9492 8884 51 CHINAMOBILE-CN China Mobile Communicati 7545 5744 786 689 TPG-INTERNET-AP TPG Telecom Limited, AU 4538 4865 4192 75 ERX-CERNET-BKB China Education and Rese 7552 3563 1331 21 VIETEL-AS-AP Viettel Group, VN 7713 3546 1043 65 TELKOMNET-AS-AP PT Telekomunikasi Indon 45899 3383 1872 93 VNPT-AS-VN VNPT Corp, VN 9498 2901 491 237 BBIL-AP BHARTI Airtel Ltd., IN 4766 2555 11252 592 KIXS-AS-KR Korea Telecom, KR 24560 2363 835 442 AIRTELBROADBAND-AS-AP Bharti Airtel Ltd 45090 2184 1438 79 TENCENT-NET-AP Shenzhen Tencent Compute Complete listing at https://thyme.apnic.net/current/data-ASnet-APNIC ARIN Region per AS prefix count summary --------------------------------------- ASN No of nets /20 equiv MaxAgg Description 16509 8269 10783 2879 AMAZON-02, US 11492 4541 301 610 CABLEONE, US 7155 3967 279 48 VIASAT-SP-BACKBONE, US 22773 3608 3057 281 ASN-CXA-ALL-CCI-22773-RDC, US 6327 3514 1320 64 SHAW, CA 16625 3160 1589 2342 AKAMAI-AS, US 749 3054 50541 2321 DNIC-AS-00749, US 396982 2631 3590 363 GOOGLE-CLOUD-PLATFORM, US 7018 2565 24118 1562 ATT-INTERNET4, US 30036 2488 359 526 MEDIACOM-ENTERPRISE-BUSINESS, US Complete listing at https://thyme.apnic.net/current/data-ASnet-ARIN RIPE Region per AS prefix count summary --------------------------------------- ASN No of nets /20 equiv MaxAgg Description 12479 7244 1705 149 UNI2-AS, ES 39891 4833 286 59 ALJAWWALSTC-AS, SA 20940 4058 3399 164 AKAMAI-ASN1, NL 8551 3885 370 37 BEZEQ-INTERNATIONAL-AS Bezeqint Interne 12389 2954 2292 911 ROSTELECOM-AS, RU 9009 2646 248 1379 M247, RO 34984 2272 359 611 TELLCOM-AS, TR 6849 2076 307 18 UKRTELNET, UA 58224 1850 950 543 TCI, IR 13188 1606 100 26 TRIOLAN, UA Complete listing at https://thyme.apnic.net/current/data-ASnet-RIPE LACNIC Region per AS prefix count summary ----------------------------------------- ASN No of nets /20 equiv MaxAgg Description 8151 11211 3343 578 Uninet S.A. de C.V., MX 10620 3499 506 850 Telmex Colombia S.A., CO 13999 2311 370 610 Mega Cable, S.A. de C.V., MX 11830 2264 369 64 Instituto Costarricense de Electricidad 28573 1332 2325 235 Claro NXT Telecomunicacoes Ltda, BR 3816 1303 767 159 COLOMBIA TELECOMUNICACIONES S.A. ESP, C 6503 1299 339 514 Axtel, S.A.B. de C.V., MX 6147 1131 370 22 Telefonica del Peru S.A.A., PE 11664 1101 180 446 Techtel LMDS Comunicaciones Interactiva 26615 1030 2498 45 TIM SA, BR Complete listing at https://thyme.apnic.net/current/data-ASnet-LACNIC AfriNIC Region per AS prefix count summary ------------------------------------------ ASN No of nets /20 equiv MaxAgg Description 24863 1576 393 19 LINKdotNET-AS, EG 24835 1541 533 30 RAYA-AS, EG 36992 1356 1518 275 ETISALAT-MISR, EG 36903 1242 550 99 MT-MPLS, MA 29571 1016 67 48 ORANGE-COTE-IVOIRE, CI 36935 872 520 42 Vodafone-, EG 6713 550 1861 34 IAM-AS, MA 15399 532 54 47 WANANCHI-, KE 37342 493 32 1 MOVITEL, MZ 24757 488 73 5 EthioNet-AS, ET Complete listing at https://thyme.apnic.net/current/data-ASnet-AFRINIC Global Per AS prefix count summary ---------------------------------- ASN No of nets /20 equiv MaxAgg Description 8151 11211 3343 578 Uninet S.A. de C.V., MX 9808 9492 8884 51 CHINAMOBILE-CN China Mobile Communicati 16509 8269 10783 2879 AMAZON-02, US 12479 7244 1705 149 UNI2-AS, ES 7545 5744 786 689 TPG-INTERNET-AP TPG Telecom Limited, AU 4538 4865 4192 75 ERX-CERNET-BKB China Education and Rese 39891 4833 286 59 ALJAWWALSTC-AS, SA 11492 4541 301 610 CABLEONE, US 20940 4058 3399 164 AKAMAI-ASN1, NL 7155 3967 279 48 VIASAT-SP-BACKBONE, US Complete listing at https://thyme.apnic.net/current/data-ASnet Global Per AS Maximum Aggregation summary ----------------------------------------- ASN No of nets Net Savings Description 9808 9492 9441 CHINAMOBILE-CN China Mobile Communications Grou 12479 7244 7095 UNI2-AS, ES 16509 8269 5390 AMAZON-02, US 7545 5744 5055 TPG-INTERNET-AP TPG Telecom Limited, AU 4538 4865 4790 ERX-CERNET-BKB China Education and Research Net 39891 4833 4774 ALJAWWALSTC-AS, SA 11492 4541 3931 CABLEONE, US 7155 3967 3919 VIASAT-SP-BACKBONE, US 20940 4058 3894 AKAMAI-ASN1, NL 8551 3885 3848 BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbo Complete listing at https://thyme.apnic.net/current/data-CIDRnet List of Unregistered Origin ASNs (Global) ----------------------------------------- Bad AS Designation Net Originated Transit AS Transit AS Name 3507 UNALLOCATED 5.105.166.0/24 213035 AS-SERVERION Serverion B.V., 33123 UNALLOCATED 8.10.69.0/24 11168 SCC, US 12169 UNALLOCATED 8.15.207.0/24 32787 PROLEXIC-TECHNOLOGIES-DDOS-M 53775 UNALLOCATED 8.20.88.0/24 7029 WINDSTREAM, US 62828 UNALLOCATED 8.21.130.0/24 3356 LEVEL3, US 393266 UNALLOCATED 8.23.52.0/24 46887 LIGHTOWER, US 396894 UNALLOCATED 8.28.201.0/24 46887 LIGHTOWER, US 394936 UNALLOCATED 8.33.224.0/24 22442 HOU-PHONOSCOPE, US 54338 UNALLOCATED 8.33.241.0/24 6461 ZAYO-6461, US 18798 UNALLOCATED 8.40.106.0/24 6461 ZAYO-6461, US Complete listing at https://thyme.apnic.net/current/data-badAS Prefixes from the Special Purpose Address Registry (Global) ----------------------------------------------------------- Prefix Origin AS Description 192.88.99.0/24 6939 HURRICANE, US Complete listing at https://thyme.apnic.net/current/data-spar Advertised Unallocated Addresses -------------------------------- Unassigned Network ASN Information AS Name 23.131.185.0/24 Origin: 174 COGENT-174, US 23.131.185.0/24 Transit: 2516 KDDI KDDI CORPORATION, JP 23.131.186.0/24 Origin: 174 COGENT-174, US 23.131.186.0/24 Transit: 2516 KDDI KDDI CORPORATION, JP 23.131.187.0/24 Origin: 174 COGENT-174, US 23.131.187.0/24 Transit: 2516 KDDI KDDI CORPORATION, JP 23.131.188.0/24 Origin: 174 COGENT-174, US 23.131.188.0/24 Transit: 2516 KDDI KDDI CORPORATION, JP 23.136.112.0/24 Origin: 54835 UNASSIGNED 23.136.112.0/24 Transit: 21559 OSNET, PR Complete listing at https://thyme.apnic.net/current/data-add-IANA Number of prefixes announced per prefix length (Global) ------------------------------------------------------- /1:0 /2:0 /3:0 /4:0 /5:0 /6:0 /7:0 /8:16 /9:13 /10:39 /11:103 /12:299 /13:578 /14:1198 /15:2036 /16:13471 /17:8269 /18:13858 /19:25180 /20:44264 /21:51593 /22:109702 /23:97592 /24:548972 /25:728 /26:0 /27:0 /28:0 /29:0 /30:0 /31:0 /32:0 Advertised prefixes smaller than registry allocations ----------------------------------------------------- ASN No of nets Total ann. Description 12479 6305 7244 UNI2-AS, ES 8151 5175 11211 Uninet S.A. de C.V., MX 39891 3632 4833 ALJAWWALSTC-AS, SA 11492 3449 4541 CABLEONE, US 8551 3357 3885 BEZEQ-INTERNATIONAL-AS Bezeqint Internet Backbo 6327 3323 3514 SHAW, CA 7155 3039 3967 VIASAT-SP-BACKBONE, US 22773 2675 3608 ASN-CXA-ALL-CCI-22773-RDC, US 30036 2145 2488 MEDIACOM-ENTERPRISE-BUSINESS, US 10620 2053 3499 Telmex Colombia S.A., CO Complete listing at https://thyme.apnic.net/current/data-sXXas-nos Number of /24s announced per /8 block (Global) ---------------------------------------------- 1:1703 2:1237 3:172 4:5 5:4485 6:122 7:6 8:1548 9:1 11:172 12:1558 13:394 14:2310 15:299 16:185 17:371 18:417 20:248 21:4 22:188 23:6158 24:2578 25:6 27:2491 29:19 31:2524 32:97 34:10 35:107 36:1918 37:4644 38:4453 39:805 40:151 41:3959 42:987 43:2345 44:308 45:16542 46:4238 47:363 49:1758 50:1837 51:571 52:1595 54:389 55:855 56:8 57:90 58:1756 59:1128 60:978 61:2444 62:2648 63:1923 64:5689 65:2327 66:4946 67:3020 68:1375 69:4154 70:1255 71:671 72:2974 74:2615 75:1464 76:610 77:2433 78:1863 79:3163 80:2096 81:1745 82:1485 83:1279 84:1533 85:2992 86:747 87:2003 88:1240 89:3626 90:614 91:7687 92:2058 93:2616 94:3598 95:3996 96:1328 97:336 98:1157 99:745 100:73 101:1069 102:2646 103:31259 104:4640 105:483 106:906 107:2507 108:1022 109:4418 110:2079 111:3233 112:2054 113:1563 114:1640 115:2028 116:1933 117:2559 118:2284 119:2023 120:1798 121:1109 122:2624 123:2188 124:1615 125:2537 128:1312 129:1063 130:1002 131:1986 132:801 133:422 134:1902 135:305 136:839 137:945 138:2549 139:1538 140:1234 141:1458 142:1432 143:1499 144:1165 145:346 146:1936 147:1572 148:2345 149:2009 150:870 151:1155 152:1843 153:489 154:4411 155:1421 156:1801 157:1301 158:1054 159:2280 160:2537 161:1532 162:3526 163:1504 164:1592 165:1713 166:1004 167:1717 168:3883 169:939 170:4605 171:880 172:3536 173:2934 174:1072 175:1154 176:3682 177:4546 178:3628 179:2145 180:2410 181:3435 182:3376 183:1929 184:2353 185:20177 186:4678 187:3945 188:4117 189:3559 190:9158 191:1447 192:10923 193:8851 194:7300 195:5152 196:3085 197:2377 198:5966 199:6088 200:7895 201:5878 202:10672 203:10223 204:4623 205:3540 206:4127 207:3457 208:4103 209:4894 210:4433 211:2496 212:4101 213:3573 214:1083 215:59 216:6622 217:2681 218:1295 219:576 220:2018 221:973 222:890 223:2182 End of report From spoofer-info at caida.org Sat Apr 8 17:00:07 2023 From: spoofer-info at caida.org (CAIDA Spoofer Project) Date: Sat, 8 Apr 2023 10:00:07 -0700 Subject: Spoofer Report for NANOG for Mar 2023 Message-ID: <1680973207.697253.11665.nullmailer@caida.org> In response to feedback from operational security communities, CAIDA's source address validation measurement project (https://spoofer.caida.org) is automatically generating monthly reports of ASes originating prefixes in BGP for systems from which we received packets with a spoofed source address. We are publishing these reports to network and security operations lists in order to ensure this information reaches operational contacts in these ASes. This report summarises tests conducted within usa, can. Inferred improvements during Mar 2023: ASN Name Fixed-By 33185 TGLO-VGLO 2023-03-03 54825 PACKET 2023-03-08 62005 AdNet-Telecom 2023-03-20 399445 2023-03-27 Further information for the inferred remediation is available at: https://spoofer.caida.org/remedy.php Source Address Validation issues inferred during Mar 2023: ASN Name First-Spoofed Last-Spoofed 6939 HURRICANE 2016-02-22 2023-03-24 209 CENTURYLINK-US-LEGACY-QWEST 2016-08-16 2023-03-30 20412 CLARITY-TELECOM 2016-09-30 2023-03-31 6181 FUSE-NET 2016-10-10 2023-03-26 25787 ROWE-NETWORKS 2016-10-21 2023-03-30 10796 TWC-10796-MIDWEST 2016-10-24 2023-03-30 271 BCNET 2016-10-24 2023-03-31 1403 EBOX 2016-11-12 2023-03-28 2828 XO-AS15 2016-11-21 2023-03-17 852 ASN852 2017-04-16 2023-03-26 6461 ZAYO-6461 2017-06-21 2023-03-28 33452 RW 2018-09-19 2023-03-26 21804 ACCESS-SK 2019-06-09 2023-03-05 11814 DISTRIBUTEL-AS11814 2020-11-22 2023-03-22 398836 2021-03-12 2023-03-27 22773 ASN-CXA-ALL-CCI-22773-RDC 2021-10-24 2023-03-13 46997 2021-12-22 2023-03-29 394414 E2WS 2022-05-08 2023-03-28 397086 GLOBAL-FRAG-NETWORKS-HOUSTON 2022-06-16 2023-03-27 11976 FIDN 2022-11-16 2023-03-29 12183 TALKIE-COMMUNICATIONS 2022-12-10 2023-03-30 21555 LHTC 2023-01-01 2023-03-24 33185 TGLO-VGLO 2023-02-04 2023-03-03 399852 2023-02-16 2023-03-26 210546 2023-02-27 2023-03-07 203394 asn-Lighting 2023-03-07 2023-03-21 199785 2023-03-11 2023-03-24 211380 2023-03-15 2023-03-29 964 GONET-ASN-17 2023-03-15 2023-03-29 140224 2023-03-18 2023-03-18 199868 2023-03-18 2023-03-24 41378 KirinoNET 2023-03-23 2023-03-30 Further information for these tests where we received spoofed packets is available at: https://spoofer.caida.org/recent_tests.php?country_include=usa,can&no_block=1 Please send any feedback or suggestions to spoofer-info at caida.org From joel at joelesler.net Fri Apr 7 13:15:39 2023 From: joel at joelesler.net (Joel Esler) Date: Fri, 7 Apr 2023 09:15:39 -0400 Subject: Auth0 geolocation? In-Reply-To: <66DA24CF-70F0-4216-918E-9C4B9C22719F@mid.net> References: <66DA24CF-70F0-4216-918E-9C4B9C22719F@mid.net> Message-ID: An HTML attachment was scrubbed... URL: From tim at mid.net Mon Apr 10 13:29:07 2023 From: tim at mid.net (Tim Burke) Date: Mon, 10 Apr 2023 13:29:07 +0000 Subject: Auth0 geolocation? In-Reply-To: <66DA24CF-70F0-4216-918E-9C4B9C22719F@mid.net> References: <66DA24CF-70F0-4216-918E-9C4B9C22719F@mid.net> Message-ID: <6348da2c7af64a269040af873f604283@mid.net> Apple and Best Buy are other ones that just came up over the weekend, seems to be spread out across an entire /17. Oddly, we've had this /17 for close to a year and a half, and this is just popping up... ________________________________ From: NANOG on behalf of Tim Burke Sent: Thursday, April 6, 2023 7:32:41 PM To: NANOG Subject: Auth0 geolocation? Anyone know who Auth0 is using for geolocation services? Have a customer reporting that Auth0, Lowes, Bank of America, and some other sites are reporting their IP in the wrong location. Checked the usual suspects, BrothersWISP.com geolocation providers list, etcetera and they?re all showing in the correct location. Thanks, Tim -------------- next part -------------- An HTML attachment was scrubbed... URL: From jhaas at pfrc.org Tue Apr 11 14:31:05 2023 From: jhaas at pfrc.org (Jeffrey Haas) Date: Tue, 11 Apr 2023 10:31:05 -0400 Subject: Fwd: WG Last Call on draft-ietf-idr-bgp-model-16 References: <71ab1fab3f124b69804ab22d30ec12fd@huawei.com> Message-ID: The IETF BGP YANG module authors would like to draw your collective attention to a Working Group Last Call that has begun for the IETF BGP YANG module. This module provides the base for core IETF BGP technologies, and will serve as the primary point of extension for BGP-related technologies modeled in YANG in the IETF, including the BGP portion of VPN technologies. Your operational wisdom and scrutiny would be greatly appreciated. A URL for the WGLC mail is here: https://mailarchive.ietf.org/arch/msg/idr/263_yrn_ZnNRokmUwgye7Id5mHo/ For those of you who haven't participated in IETF mail lists before, the IDR datatracker page has subscription information for the mailing list: https://datatracker.ietf.org/wg/idr/about/ Thanks! -- Jeff (for the authors) > Begin forwarded message: > > From: "Dongjie (Jimmy)" > Subject: WG Last Call on draft-ietf-idr-bgp-model-16 > Date: April 10, 2023 at 10:17:26 PM EDT > To: "idr at ietf.org" > Cc: "idr-chairs at ietf.org" , "Dongjie (Jimmy)" > Resent-From: > Resent-To: skh at ndzh.com, keyur at arrcus.com, jhaas at pfrc.org, jie.dong at huawei.com > > Hi WG, > > This begins the Working Group Last Call for "YANG Model for Border Gateway Protocol (BGP-4)", draft-ietf-idr-bgp-model-16. The draft could be found at: https://datatracker.ietf.org/doc/html/draft-ietf-idr-bgp-model-16 . > > Since all the IDR chairs are coauthors of this document, I?m helping with this last call procedure. Please reply to the list with your comments. Considering this is a long document with a big YANG model, the last call will last for 4 weeks and conclude on Sunday, 7 May, 2023. > > The authors are requested to state whether they are aware of applicable IPR related to this draft. Similarly, if others in the Working Group are aware of applicable IPR, please also disclose them. > > People are encouraged to indicate whether there is implementation of this document. According to the IDR rule, at least two implementations will be required to advance the document. > > > Best regards, > Jie (on behalf of the IDR chairs) -------------- next part -------------- An HTML attachment was scrubbed... URL: From bobin.public at gmail.com Tue Apr 11 15:12:35 2023 From: bobin.public at gmail.com (Samuel Jackson) Date: Tue, 11 Apr 2023 08:12:35 -0700 Subject: DNS resolution for hhs.gov Message-ID: I wanted to run this by everyone to make sure I am not the one losing my mind over this. A dig +trace cob.cms.hhs.gov fails for me as it looks like the NS for hhs.gov does not seem to resolve the hostname. However dig +trace cms.hhs.gov resolves and so does dig +trace eclkc.ohs.acf.hhs.gov However if I simply ask my local resolver to resolve cob.cms.hhs.gov, it works. Any thoughts on why this is the case? Thanks, -------------- next part -------------- An HTML attachment was scrubbed... URL: From rstory at ant.isi.edu Tue Apr 11 16:16:36 2023 From: rstory at ant.isi.edu (Robert Story) Date: Tue, 11 Apr 2023 12:16:36 -0400 Subject: DNS resolution for hhs.gov In-Reply-To: References: Message-ID: <20230411121636.4de736ca@p1g4.rs.isi.edu> On Tue 2023-04-11 08:12:35-0700 Samuel wrote: > A dig +trace cob.cms.hhs.gov fails for me as it looks like the NS for > hhs.gov does not seem to resolve the hostname. > > However dig +trace cms.hhs.gov resolves and so does dig +trace > eclkc.ohs.acf.hhs.gov > > However if I simply ask my local resolver to resolve cob.cms.hhs.gov, > it works. Any thoughts on why this is the case? Looks like their v6 resolvers are failing, but v4 works fine. DNSVis.net is a good place to check nameserver issues.. -- Regards, Robert -- Robert Story USC Information Sciences Institute Networking and?Cybersecurity?Division From bortzmeyer at nic.fr Tue Apr 11 16:32:55 2023 From: bortzmeyer at nic.fr (Stephane Bortzmeyer) Date: Tue, 11 Apr 2023 18:32:55 +0200 Subject: DNS resolution for hhs.gov In-Reply-To: <20230411121636.4de736ca@p1g4.rs.isi.edu> References: <20230411121636.4de736ca@p1g4.rs.isi.edu> Message-ID: On Tue, Apr 11, 2023 at 12:16:36PM -0400, Robert Story wrote a message of 22 lines which said: > DNSVis.net is a good place to check nameserver issues.. DNSViZ.net. Yes, great service. From bobin.public at gmail.com Tue Apr 11 17:13:08 2023 From: bobin.public at gmail.com (Samuel Jackson) Date: Tue, 11 Apr 2023 10:13:08 -0700 Subject: DNS resolution for hhs.gov In-Reply-To: References: <20230411121636.4de736ca@p1g4.rs.isi.edu> Message-ID: Thanks, Yeah, I did run it on that site too. What I am trying to figure out is why trace does not seem to work. Our DNS servers perform queries similar to what trace would do. They fail to resolve the hostname. They do not use another local resolver. Thanks, On Tue, Apr 11, 2023 at 9:33?AM Stephane Bortzmeyer wrote: > On Tue, Apr 11, 2023 at 12:16:36PM -0400, > Robert Story wrote > a message of 22 lines which said: > > > DNSVis.net is a good place to check nameserver issues.. > > DNSViZ.net. Yes, great service. > -------------- next part -------------- An HTML attachment was scrubbed... URL: From matthew at corp.crocker.com Tue Apr 11 18:10:26 2023 From: matthew at corp.crocker.com (Matthew Crocker) Date: Tue, 11 Apr 2023 18:10:26 +0000 Subject: Santander bank contact Message-ID: If anyone on this list is affiliated with Santander bank please reach me off-list. You are blocking one of my subnets and my customers cannot access your bank website. Thanks -Matt -------------- next part -------------- An HTML attachment was scrubbed... URL: From marka at isc.org Tue Apr 11 23:38:45 2023 From: marka at isc.org (Mark Andrews) Date: Wed, 12 Apr 2023 09:38:45 +1000 Subject: DNS resolution for hhs.gov In-Reply-To: References: Message-ID: The nameservers are not answering all in scope questions being sent to the servers. Something is blocking or not generating NXDOMAIN responses. This impacts on QNAME minimisation queries that usually elicit a NXDOMAIN response. This happens irrespective of DNSSEC records being requested so I doubt that it is a fragmentation issue. Both _.dhhs.gov and foobar.dhhs.gov time out but dhhs.gov itself doesn?t. % dig _.dhhs.gov @158.74.30.103 +dnssec ;; communications error to 158.74.30.103#53: timed out ;; communications error to 158.74.30.103#53: timed out ;; communications error to 158.74.30.103#53: timed out ; <<>> DiG 9.19.11-dev <<>> _.dhhs.gov @158.74.30.103 +dnssec ;; global options: +cmd ;; no servers could be reached % dig dhhs.gov @158.74.30.103 +dnssec ; <<>> DiG 9.19.11-dev <<>> dhhs.gov @158.74.30.103 +dnssec ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18125 ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ; COOKIE: d939ecfdb6cd2d902678cca26435eb2dd6fcebd65fe5c58f (good) ;; QUESTION SECTION: ;dhhs.gov. IN A ;; ANSWER SECTION: dhhs.gov. 9000 IN A 52.7.111.176 dhhs.gov. 9000 IN RRSIG A 8 2 9000 20230416000149 20230410230149 11710 dhhs.gov. YCEsecATdJEHs3OtxQs/kE2A/37/mzgUpGLzQwrPP9xqaGmBq2mDteKx QyUnh0JuURBq0Qy1htxsOD9kX4dxSxUNCEO7/KHw0AOoIbnh2+GL8kc3 jKB2jkcN+whA9+CqThto020nLSCXcgdm7qOfyNBUFICoYNtVrd7/lLCJ kho= dhhs.gov. 9000 IN RRSIG A 8 2 9000 20230416000149 20230410230149 21469 dhhs.gov. OkEdR/ofhV+JogwAkZtLmHyxn3pK2E4zaGUV786kKbtQrI6SzetCk+sC Db3W0LrYRZy1BEqqxZeRnLXVEjyyyKfnYMRPtoP3sCTLPuuDeu8oDmhw eniXLbJ10od6YWywgQDl2bYrTLEt6R8+TGG7up446TGgRk9wOV/uU2Jb d+U= ;; Query time: 308 msec ;; SERVER: 158.74.30.103#53(158.74.30.103) (UDP) ;; WHEN: Wed Apr 12 09:20:13 AEST 2023 ;; MSG SIZE rcvd: 417 % dig foobar.dhhs.gov @158.74.30.103 +dnssec ;; communications error to 158.74.30.103#53: timed out ;; communications error to 158.74.30.103#53: timed out ;; communications error to 158.74.30.103#53: timed out ; <<>> DiG 9.19.11-dev <<>> foobar.dhhs.gov @158.74.30.103 +dnssec ;; global options: +cmd ;; no servers could be reached % dig foobar.dhhs.gov @158.74.30.103 ;; communications error to 158.74.30.103#53: timed out ;; communications error to 158.74.30.103#53: timed out ;; communications error to 158.74.30.103#53: timed out ; <<>> DiG 9.19.11-dev <<>> foobar.dhhs.gov @158.74.30.103 ;; global options: +cmd ;; no servers could be reached % > On 12 Apr 2023, at 01:12, Samuel Jackson wrote: > > I wanted to run this by everyone to make sure I am not the one losing my mind over this. > > A dig +trace cob.cms.hhs.gov fails for me as it looks like the NS for hhs.gov does not seem to resolve the hostname. > > However dig +trace cms.hhs.gov resolves and so does dig +trace eclkc.ohs.acf.hhs.gov > > However if I simply ask my local resolver to resolve cob.cms.hhs.gov, it works. Any thoughts on why this is the case? > > Thanks, > -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From marka at isc.org Wed Apr 12 06:47:04 2023 From: marka at isc.org (Mark Andrews) Date: Wed, 12 Apr 2023 16:47:04 +1000 Subject: Your DNS Servers are not working correctly. Message-ID: <0788A807-DC2B-4E86-92E3-65336C4DBB35@isc.org> I work for a DNS vendor and saw reports about DNS resolution errors when looking up names under dhhs.gov. It looks like your servers are not returning non-existence answers over UDP which breaks servers that are trying to do DNS QNAME minimisation (See RFC 7816). Below are three queries that the servers should be capable of answering if they are following the DNS protocol correctly. dhhs.gov is answered but foobar.dhhs.gov doesn?t return anything and I would expect a NXDOMAIN (Name Error) response. Additionally 355.dhhs.gov should be returning a NODATA/NOERROR response at a minimum as it part of your DNS servers names. If I ask the same questions over TCP instead of UDP I get answers. This really smells like a misconfigured firewall. Mark % dig dhhs.gov @158.74.30.99 ; <<>> DiG 9.19.11-dev <<>> dhhs.gov @158.74.30.99 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 59012 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 7b8cd5530b5fa45190ac7ac264364fe858d1f83093c6da62 (good) ;; QUESTION SECTION: ;dhhs.gov. IN A ;; ANSWER SECTION: dhhs.gov. 9000 IN A 52.7.111.176 ;; Query time: 243 msec ;; SERVER: 158.74.30.99#53(158.74.30.99) (UDP) ;; WHEN: Wed Apr 12 16:30:00 AEST 2023 ;; MSG SIZE rcvd: 81 % dig foobar.dhhs.gov @158.74.30.99 ;; communications error to 158.74.30.99#53: timed out ;; communications error to 158.74.30.99#53: timed out ;; communications error to 158.74.30.99#53: timed out ; <<>> DiG 9.19.11-dev <<>> foobar.dhhs.gov @158.74.30.99 ;; global options: +cmd ;; no servers could be reached [ant-7641:~/git/bind9] marka% dig 355.dhhs.gov @158.74.30.99 ;; communications error to 158.74.30.99#53: timed out ;; communications error to 158.74.30.99#53: timed out ;; communications error to 158.74.30.99#53: timed out ; <<>> DiG 9.19.11-dev <<>> 355.dhhs.gov @158.74.30.99 ;; global options: +cmd ;; no servers could be reached % % dig dhhs.gov @158.74.30.99 +tcp ; <<>> DiG 9.19.11-dev <<>> dhhs.gov @158.74.30.99 +tcp ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18254 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: 710a14c38e16a91fd4060d86643652ecca2dce18d21e3144 (good) ;; QUESTION SECTION: ;dhhs.gov. IN A ;; ANSWER SECTION: dhhs.gov. 9000 IN A 52.7.111.176 ;; Query time: 246 msec ;; SERVER: 158.74.30.99#53(158.74.30.99) (TCP) ;; WHEN: Wed Apr 12 16:42:52 AEST 2023 ;; MSG SIZE rcvd: 81 % dig 355.dhhs.gov @158.74.30.99 +tcp ; <<>> DiG 9.19.11-dev <<>> 355.dhhs.gov @158.74.30.99 +tcp ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56223 ;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ; COOKIE: e10fe6bd8dccc0ed038bbff1643652fb582c8d51b5d3a25c (good) ;; QUESTION SECTION: ;355.dhhs.gov. IN A ;; AUTHORITY SECTION: dhhs.gov. 3600 IN SOA rh120ns1.368.dhhs.gov. hostmaster.psc.hhs.gov. 2023021759 1200 300 2419200 3600 ;; Query time: 246 msec ;; SERVER: 158.74.30.99#53(158.74.30.99) (TCP) ;; WHEN: Wed Apr 12 16:43:07 AEST 2023 ;; MSG SIZE rcvd: 137 % -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka at isc.org From bjorn at mork.no Wed Apr 12 07:16:15 2023 From: bjorn at mork.no (=?utf-8?Q?Bj=C3=B8rn_Mork?=) Date: Wed, 12 Apr 2023 09:16:15 +0200 Subject: DNS resolution for hhs.gov In-Reply-To: (Mark Andrews's message of "Wed, 12 Apr 2023 09:38:45 +1000") References:

Message-ID: <87ile1y3i8.fsf@miraculix.mork.no> Interestingly enough, the company behind this mess decided to sign it: bjorn at canardo:~$ dig dhhs.gov @158.74.30.99 +nsid|grep NSID ; NSID: 4c 65 69 64 6f 73 20 62 75 69 6c 64 20 57 2e 56 45 52 4e 41 20 32 30 32 33 ("Leidos build W.VERNA 2023") Guessing this was done by "security professionals" from https://www.leidos.com/ Bj?rn Mark Andrews writes: > The nameservers are not answering all in scope questions being sent to the servers. Something is blocking or not generating NXDOMAIN responses. This impacts on QNAME minimisation queries that usually elicit a NXDOMAIN response. This happens irrespective of DNSSEC records being requested so I doubt that it is a fragmentation issue. > > Both _.dhhs.gov and foobar.dhhs.gov time out but dhhs.gov itself doesn?t. > > % dig _.dhhs.gov @158.74.30.103 +dnssec > ;; communications error to 158.74.30.103#53: timed out > ;; communications error to 158.74.30.103#53: timed out > ;; communications error to 158.74.30.103#53: timed out > > ; <<>> DiG 9.19.11-dev <<>> _.dhhs.gov @158.74.30.103 +dnssec > ;; global options: +cmd > ;; no servers could be reached > > % dig dhhs.gov @158.74.30.103 +dnssec > > ; <<>> DiG 9.19.11-dev <<>> dhhs.gov @158.74.30.103 +dnssec > ;; global options: +cmd > ;; Got answer: > ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18125 > ;; flags: qr aa rd; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1 > ;; WARNING: recursion requested but not available > > ;; OPT PSEUDOSECTION: > ; EDNS: version: 0, flags: do; udp: 4096 > ; COOKIE: d939ecfdb6cd2d902678cca26435eb2dd6fcebd65fe5c58f (good) > ;; QUESTION SECTION: > ;dhhs.gov. IN A > > ;; ANSWER SECTION: > dhhs.gov. 9000 IN A 52.7.111.176 > dhhs.gov. 9000 IN RRSIG A 8 2 9000 20230416000149 20230410230149 11710 dhhs.gov. YCEsecATdJEHs3OtxQs/kE2A/37/mzgUpGLzQwrPP9xqaGmBq2mDteKx QyUnh0JuURBq0Qy1htxsOD9kX4dxSxUNCEO7/KHw0AOoIbnh2+GL8kc3 jKB2jkcN+whA9+CqThto020nLSCXcgdm7qOfyNBUFICoYNtVrd7/lLCJ kho= > dhhs.gov. 9000 IN RRSIG A 8 2 9000 20230416000149 20230410230149 21469 dhhs.gov. OkEdR/ofhV+JogwAkZtLmHyxn3pK2E4zaGUV786kKbtQrI6SzetCk+sC Db3W0LrYRZy1BEqqxZeRnLXVEjyyyKfnYMRPtoP3sCTLPuuDeu8oDmhw eniXLbJ10od6YWywgQDl2bYrTLEt6R8+TGG7up446TGgRk9wOV/uU2Jb d+U= > > ;; Query time: 308 msec > ;; SERVER: 158.74.30.103#53(158.74.30.103) (UDP) > ;; WHEN: Wed Apr 12 09:20:13 AEST 2023 > ;; MSG SIZE rcvd: 417 > > % dig foobar.dhhs.gov @158.74.30.103 +dnssec > ;; communications error to 158.74.30.103#53: timed out > ;; communications error to 158.74.30.103#53: timed out > ;; communications error to 158.74.30.103#53: timed out > > ; <<>> DiG 9.19.11-dev <<>> foobar.dhhs.gov @158.74.30.103 +dnssec > ;; global options: +cmd > ;; no servers could be reached > > % dig foobar.dhhs.gov @158.74.30.103 > ;; communications error to 158.74.30.103#53: timed out > ;; communications error to 158.74.30.103#53: timed out > ;; communications error to 158.74.30.103#53: timed out > > ; <<>> DiG 9.19.11-dev <<>> foobar.dhhs.gov @158.74.30.103 > ;; global options: +cmd > ;; no servers could be reached > > % > >> On 12 Apr 2023, at 01:12, Samuel Jackson wrote: >> >> I wanted to run this by everyone to make sure I am not the one losing my mind over this. >> >> A dig +trace cob.cms.hhs.gov fails for me as it looks like the NS for hhs.gov does not seem to resolve the hostname. >> >> However dig +trace cms.hhs.gov resolves and so does dig +trace eclkc.ohs.acf.hhs.gov >> >> However if I simply ask my local resolver to resolve cob.cms.hhs.gov, it works. Any thoughts on why this is the case? >> >> Thanks, >> From cgrundemann at gmail.com Wed Apr 12 14:05:42 2023 From: cgrundemann at gmail.com (Chris Grundemann) Date: Wed, 12 Apr 2023 08:05:42 -0600 Subject: ABQNOG -- May 4, 2023 In-Reply-To: <20230404025703.GA6525@jeeves.rigozsaurus.com> References: <20230404025703.GA6525@jeeves.rigozsaurus.com> Message-ID: Thanks for sharing, John. I'm excited for this event, long overdue! See everyone there - find me wherever the green chile is being served. =) ~Chris On Mon, Apr 3, 2023 at 8:58?PM John Osmon wrote: > For folks that might be in the southwest US (and any that want to > visit!), we're going to hold an operators group meeting on May 4, > 2023 in Albuquerque, New Mexico. > > Come to the land of green chile chessburgers, and meet some of the > local operators. This inaugural meeting is free. We hope to > see you in May! > > http://abqnog.org > > > > -- @ChrisGrundemann http://chrisgrundemann.com -------------- next part -------------- An HTML attachment was scrubbed... URL: From news at nanog.org Wed Apr 12 14:17:30 2023 From: news at nanog.org (Nanog News) Date: Wed, 12 Apr 2023 10:17:30 -0400 Subject: N88 Sponsorships, Peering Forum, Final Call for Presentations + CaribNOG 25 Empowers Underserved Students + Inspires Community Message-ID: *Become a Sponsor of NANOG 88!* *Invest in the Strength of the Community We've Built * *Sponsorship Benefits: * ? Showcase your newest technologies + solutions ? Increase your brand?s visibility + reach ? Amplify your organization?s message ? Connect with industry influencers + decision makers ? Empower people + inspire change *MORE INFO* *Creating Global Connectivity by Connecting Globally* *CaribNOG 25 Empowers Underserved Students + Inspires Community* Network Engineer II at Akamai Technologies, Aaron Atac, is a part of the millennial community at NANOG and serves on the Outreach and Programming Committee. This was his first time attending CaribNOG, and "events like these" originally motivated him to get involved. Atac has a shared mission in helping these communities inspired by his dad, who grew up in Turkey with limited access to education. *READ NOW * *Sign up for the NANOG 88 Peering Forum * *Meet + Greet Peers in this 90 Min Session * The Peering Coordination Forum applications will remain open until 20 applications have been received or until the deadline date of 05, June. The forum provides time for attendees to meet and network with others in the peering community present at NANOG. *MORE INFO* *Fundamentals of Designing and Deploying Computer Networks* *ISOC Presents Moderated Course with Instructor * This course will discuss the fundamentals of networking, Ethernet, and WIFI technologies. It will additionally teach the planning, design, and deployment of simple LANs and cover how to connect a LAN to the Internet. *MORE INFO * *Deadline for N88 Presentations is Approaching!* *Presentation Submission Deadline is Monday, 24 April* The NANOG PC is looking to schedule over 1,600 minutes of content between General Session and Breakout Rooms for NANOG 88 - so don?t wait! *MORE INFO * -------------- next part -------------- An HTML attachment was scrubbed... URL: From 3356 at blargh.com Wed Apr 12 20:36:55 2023 From: 3356 at blargh.com (Andrew Gray) Date: Wed, 12 Apr 2023 14:36:55 -0600 Subject: TLS issues with Lumen (CenturyLink) Message-ID: <4b8ace07-3890-6845-52d1-da8df249d3d2@blargh.com> Can someone from Lumen/CenturyLink contact me off-list? We are seeing issues with some traffic coming from customers inside AS209 (and only AS209) that appear to be hitting some sort of in-the-middle inspection that is causing TLS issues (showing that the certificates are invalid). Thanks! From tim at mid.net Thu Apr 13 13:43:14 2023 From: tim at mid.net (Tim Burke) Date: Thu, 13 Apr 2023 13:43:14 +0000 Subject: Auth0 geolocation? In-Reply-To: <6348da2c7af64a269040af873f604283@mid.net> References: <66DA24CF-70F0-4216-918E-9C4B9C22719F@mid.net>, <6348da2c7af64a269040af873f604283@mid.net> Message-ID: For those following along at home, it appears that Akamai was the culprit. Didn't even know they offered geolocation services! Many thanks and much respect to those who reached out off-list. Best, Tim ________________________________ From: Tim Burke Sent: Monday, April 10, 2023 8:29:07 AM To: NANOG Subject: Re: Auth0 geolocation? Apple and Best Buy are other ones that just came up over the weekend, seems to be spread out across an entire /17. Oddly, we've had this /17 for close to a year and a half, and this is just popping up... ________________________________ From: NANOG on behalf of Tim Burke Sent: Thursday, April 6, 2023 7:32:41 PM To: NANOG Subject: Auth0 geolocation? Anyone know who Auth0 is using for geolocation services? Have a customer reporting that Auth0, Lowes, Bank of America, and some other sites are reporting their IP in the wrong location. Checked the usual suspects, BrothersWISP.com geolocation providers list, etcetera and they?re all showing in the correct location. Thanks, Tim -------------- next part -------------- An HTML attachment was scrubbed... URL: From josh at imaginenetworksllc.com Thu Apr 13 13:56:53 2023 From: josh at imaginenetworksllc.com (Josh Luthman) Date: Thu, 13 Apr 2023 09:56:53 -0400 Subject: Auth0 geolocation? In-Reply-To: References: <66DA24CF-70F0-4216-918E-9C4B9C22719F@mid.net> <6348da2c7af64a269040af873f604283@mid.net> Message-ID: Is there a publicly available email address/form/etc that we can put on TBW page? On Thu, Apr 13, 2023 at 9:43?AM Tim Burke wrote: > For those following along at home, it appears that Akamai was the culprit. > Didn't even know they offered geolocation services! Many thanks and much > respect to those who reached out off-list. > > > Best, > > Tim > ------------------------------ > *From:* Tim Burke > *Sent:* Monday, April 10, 2023 8:29:07 AM > *To:* NANOG > *Subject:* Re: Auth0 geolocation? > > > Apple and Best Buy are other ones that just came up over the weekend, > seems to be spread out across an entire /17. Oddly, we've had this /17 for > close to a year and a half, and this is just popping up... > ------------------------------ > *From:* NANOG on behalf of Tim > Burke > *Sent:* Thursday, April 6, 2023 7:32:41 PM > *To:* NANOG > *Subject:* Auth0 geolocation? > > Anyone know who Auth0 is using for geolocation services? Have a customer > reporting that Auth0, Lowes, Bank of America, and some other sites are > reporting their IP in the wrong location. Checked the usual suspects, > BrothersWISP.com geolocation providers list, etcetera and they?re all > showing in the correct location. > > Thanks, > Tim > -------------- next part -------------- An HTML attachment was scrubbed... URL: From tim at mid.net Thu Apr 13 14:03:57 2023 From: tim at mid.net (Tim Burke) Date: Thu, 13 Apr 2023 14:03:57 +0000 Subject: Auth0 geolocation? In-Reply-To: References: <66DA24CF-70F0-4216-918E-9C4B9C22719F@mid.net> <6348da2c7af64a269040af873f604283@mid.net> , Message-ID: I don't believe so. Someone was gracious enough to dip the Akamai DB for me... I ended up just emailing support at akamai.com after finding the discrepancy, waiting for them to finish processing the changes. There's gotta be a better way to do this, though! ________________________________ From: Josh Luthman Sent: Thursday, April 13, 2023 8:56:53 AM To: Tim Burke Cc: NANOG Subject: Re: Auth0 geolocation? Is there a publicly available email address/form/etc that we can put on TBW page? On Thu, Apr 13, 2023 at 9:43?AM Tim Burke