Hey all
A friend just told me that Cybernet told him there is a Switzerlandwide Internet Problem.
Does anybody know something?
Cheers
Michele
--------
Online Consulting AG, Michele Capobianco, System Administrator, Weststrasse 38, CH-9500 Wil
Phone +41 (0)71 913 31 31, Fax +41 (0)71 913 31 32
http://www.online.ch, michele.capobianco(a)online.ch<mailto:michele.capobianco@online.ch>
--------
Hello Nico / everybody
Yesterday, I was contacted by Silvia (and others) about that task. I was then not registered with that list.
Let me introduce me shortly.
My name is Urs Mueller. I am working together with my colleague Hans-Peter at SBB in the IT department.
We are the stack owners of network & network security on behalf of the IT department. Our network is built and operated by our colleagues from SBB Telecom.
IPv6 is a goal we tried to reach since several years, at least since I attended an IPv6 congress in Hannover many years ago.
We were struggling with convincing the management to fund projects until last year.
The current solution is more or less a workaround and this year, we are trying to achieve a direct connection to our webservers.
Currently, there are seeing around 2 Mbit/s incoming and 20 Mbit/s outgoing on IPv6. This is approx. 20% of the total traffic, we are actually handling for our webserver through regular http/s from browsers.
This year, we will give more effort on the subject. But our network is quite complex and grown over the years. So there is no way to "just put a box in between and some cables" ;-)
If you Nico, would like to contact me about your thesis, feel free. Perhaps we can arrange something.
Regards, Urs
-----Ursprüngliche Nachricht-----
Von: swinog-bounces(a)lists.swinog.ch <swinog-bounces(a)lists.swinog.ch> Im Auftrag von Nico Schottelius
Gesendet: Dienstag, 12. März 2019 15:55
An: Silvia Hagen <silvia.hagen(a)sunny.ch>
Cc: Nico Schottelius <nico-swinog-2(a)schottelius.org>; swinog(a)lists.swinog.ch
Betreff: Re: [swinog] SBB.ch / IPv6 MTU / fragmentation problem
Hey Silvia,
thanks a lot for the insight! I did not expect this answer when asking this morning.
I am currently doing my master thesis [0] about IPv6 in fully programmable
P4 switches (my hardware platform will be Barefoot Tofino in the end) - I assume this might be rather interesting for SBB, as it potentially can solve all problems [tm] in the network. Also I hear the 6.5 TBit/s switches are not that crazy expensive anymore.
If you could get me in touch with the right people at SBB, this would be very interesting to talk about their network.
Best,
Nico
[0] https://gitlab.ethz.ch/nicosc/master-thesis
Silvia Hagen <silvia.hagen(a)sunny.ch> writes:
> Hi guys
>
> Here's some info from SBB (I was working with them and just spoke with them today).
>
> . They are aware of the problem.
> . The problem only happens when someone uses smaller packet sizes (often when using some tunnelling techniques).
> . Currently the webserver is in an IPv4 zone, the Internet router is a Cisco box which does 64 Translation. The packets go through an F5 LB to reach the webserver.
> . When the packets go out and the Cisco box asks for fragmention, it sends the ICMP packet to the webserver. The F5 box has a bug, something with the checksum goes wrong and the F5 discards the ICMP packet.
> . They have had a neverending incident with F5 and F5 does not seem to be able to fix that. SBB has given up on this incident.
>
> The plan:
> . SBB is currently enabling IPv6 on the routing layer, plan to be accomplished by summer 2019.
> . Next step on the plan is to enable v6 out to the datacenter, with priority on the webserver zone. So with that the problems should go away.
>
> SBB was attending the last swinog event in Switzerland. They will also come again and they offered to have a talk if desired. I can connect to the right person if you are interested.
>
> Thanks, Silvia
>
>
> -----Ursprüngliche Nachricht-----
> Von: swinog-bounces(a)lists.swinog.ch
> [mailto:swinog-bounces@lists.swinog.ch] Im Auftrag von Nico
> Schottelius
> Gesendet: Dienstag, 12. März 2019 10:33
> An: swinog(a)lists.swinog.ch
> Betreff: [swinog] SBB.ch / IPv6 MTU / fragmentation problem
>
>
> Good morning,
>
> is anyone from sbb.ch reading here?
>
> https://sbb.ch does not load on IPv6 for us.
> It seems that packets > 1420 bytes are dropped inside the SBB network,
>
> Local PMTU / fragmentation seems to work, my local outgoing MTU is 1420. MTR below.
>
> Best,
>
> Nico
>
>
> [10:23] line:~% mtr -w -c1 -s 1500 sbb.ch
> Start: 2019-03-12T10:24:17+0100
> HOST: line Loss% Snt Last Avg Best Wrst StDev
> 1.|-- 2a0a:e5c1:111:111::42 0.0% 1 11.2 11.2 11.2 11.2 0.0
> 2.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 3.|-- 2a0a:e5c0:2:12::7 0.0% 1 69.8 69.8 69.8 69.8 0.0
> 4.|-- 2a0a:e5c0:1:1::9 0.0% 1 74.3 74.3 74.3 74.3 0.0
> 5.|-- 2001:1620:20e6::1 0.0% 1 69.4 69.4 69.4 69.4 0.0
> 6.|-- r1zrh2.core.init7.net 0.0% 1 69.1 69.1 69.1 69.1 0.0
> 7.|-- r1olt2.core.init7.net 0.0% 1 58.0 58.0 58.0 58.0 0.0
> 8.|-- r1brn1.core.init7.net 0.0% 1 62.8 62.8 62.8 62.8 0.0
> 9.|-- r2brn1.core.init7.net 0.0% 1 65.4 65.4 65.4 65.4 0.0
> 10.|-- r1epe1.core.init7.net 0.0% 1 75.2 75.2 75.2 75.2 0.0
> 11.|-- r1qls1.core.init7.net 0.0% 1 78.4 78.4 78.4 78.4 0.0
> 12.|-- r1gva3.core.init7.net 0.0% 1 81.0 81.0 81.0 81.0 0.0
> 13.|-- gw-sunrise.init7.net 0.0% 1 64.4 64.4 64.4 64.4 0.0
> 14.|-- 2001:1700:1:7:120::2 0.0% 1 84.4 84.4 84.4 84.4 0.0
> 15.|-- 2001:1700:4d00:2::2 0.0% 1 81.3 81.3 81.3 81.3 0.0
> 16.|-- 2a00:4bc0:ffff:ff00::1d 0.0% 1 67.0 67.0 67.0 67.0 0.0
> 17.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> [10:24] line:~% mtr -w -c1 -s 1400 sbb.ch
> Start: 2019-03-12T10:24:35+0100
> HOST: line Loss% Snt Last Avg Best Wrst StDev
> 1.|-- 2a0a:e5c1:111:111::42 0.0% 1 3.2 3.2 3.2 3.2 0.0
> 2.|-- 2a0a:e5c1:100::1 0.0% 1 69.0 69.0 69.0 69.0 0.0
> 3.|-- 2a0a:e5c0:2:12::7 0.0% 1 74.7 74.7 74.7 74.7 0.0
> 4.|-- 2a0a:e5c0:1:1::9 0.0% 1 69.9 69.9 69.9 69.9 0.0
> 5.|-- 2001:1620:20e6::1 0.0% 1 60.5 60.5 60.5 60.5 0.0
> 6.|-- r1zrh2.core.init7.net 0.0% 1 75.3 75.3 75.3 75.3 0.0
> 7.|-- r1olt2.core.init7.net 0.0% 1 70.7 70.7 70.7 70.7 0.0
> 8.|-- r1brn1.core.init7.net 0.0% 1 69.1 69.1 69.1 69.1 0.0
> 9.|-- r2brn1.core.init7.net 0.0% 1 54.6 54.6 54.6 54.6 0.0
> 10.|-- r1epe1.core.init7.net 0.0% 1 75.9 75.9 75.9 75.9 0.0
> 11.|-- r1qls1.core.init7.net 0.0% 1 78.8 78.8 78.8 78.8 0.0
> 12.|-- r1gva3.core.init7.net 0.0% 1 79.8 79.8 79.8 79.8 0.0
> 13.|-- gw-sunrise.init7.net 0.0% 1 69.9 69.9 69.9 69.9 0.0
> 14.|-- 2001:1700:1:7:120::2 0.0% 1 77.5 77.5 77.5 77.5 0.0
> 15.|-- 2001:1700:4d00:2::2 0.0% 1 59.3 59.3 59.3 59.3 0.0
> 16.|-- 2a00:4bc0:ffff:ff00::1d 0.0% 1 70.1 70.1 70.1 70.1 0.0
> 17.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 18.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 19.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 20.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 21.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 22.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 23.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 24.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 25.|-- 2a00:4bc0:ffff:ffff::c296:f58e 0.0% 1 58.3 58.3 58.3 58.3 0.0
> [10:24] line:~%
>
> [10:25] line:~% mtr -w -c1 -s 1420 sbb.ch
> Start: 2019-03-12T10:25:44+0100
> HOST: line Loss% Snt Last Avg Best Wrst StDev
> 1.|-- 2a0a:e5c1:111:111::42 0.0% 1 16.3 16.3 16.3 16.3 0.0
> 2.|-- 2a0a:e5c1:100::1 0.0% 1 77.0 77.0 77.0 77.0 0.0
> 3.|-- 2a0a:e5c0:2:12::7 0.0% 1 67.0 67.0 67.0 67.0 0.0
> 4.|-- 2a0a:e5c0:1:1::9 0.0% 1 66.7 66.7 66.7 66.7 0.0
> 5.|-- 2001:1620:20e6::1 0.0% 1 78.8 78.8 78.8 78.8 0.0
> 6.|-- r1zrh2.core.init7.net 0.0% 1 64.5 64.5 64.5 64.5 0.0
> 7.|-- r1olt2.core.init7.net 0.0% 1 68.3 68.3 68.3 68.3 0.0
> 8.|-- r1brn1.core.init7.net 0.0% 1 74.9 74.9 74.9 74.9 0.0
> 9.|-- r2brn1.core.init7.net 0.0% 1 73.6 73.6 73.6 73.6 0.0
> 10.|-- r1epe1.core.init7.net 0.0% 1 62.2 62.2 62.2 62.2 0.0
> 11.|-- r1qls1.core.init7.net 0.0% 1 74.3 74.3 74.3 74.3 0.0
> 12.|-- r1gva3.core.init7.net 0.0% 1 63.6 63.6 63.6 63.6 0.0
> 13.|-- gw-sunrise.init7.net 0.0% 1 69.1 69.1 69.1 69.1 0.0
> 14.|-- 2001:1700:1:7:120::2 0.0% 1 77.4 77.4 77.4 77.4 0.0
> 15.|-- 2001:1700:4d00:2::2 0.0% 1 78.8 78.8 78.8 78.8 0.0
> 16.|-- 2a00:4bc0:ffff:ff00::1d 0.0% 1 75.7 75.7 75.7 75.7 0.0
> 17.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 18.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 19.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 20.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 21.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 22.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 23.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 24.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 25.|-- 2a00:4bc0:ffff:ffff::c296:f58e 0.0% 1 83.8 83.8 83.8 83.8 0.0
> [10:25] line:~% mtr -w -c1 -s 1430 sbb.ch
> Start: 2019-03-12T10:25:55+0100
> HOST: line Loss% Snt Last Avg Best Wrst StDev
> 1.|-- 2a0a:e5c1:111:111::42 0.0% 1 7.3 7.3 7.3 7.3 0.0
> 2.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> 3.|-- 2a0a:e5c0:2:12::7 0.0% 1 60.4 60.4 60.4 60.4 0.0
> 4.|-- 2a0a:e5c0:1:1::9 0.0% 1 61.9 61.9 61.9 61.9 0.0
> 5.|-- 2001:1620:20e6::1 0.0% 1 72.2 72.2 72.2 72.2 0.0
> 6.|-- r1zrh2.core.init7.net 0.0% 1 65.2 65.2 65.2 65.2 0.0
> 7.|-- r1olt2.core.init7.net 0.0% 1 64.9 64.9 64.9 64.9 0.0
> 8.|-- r1brn1.core.init7.net 0.0% 1 64.9 64.9 64.9 64.9 0.0
> 9.|-- r2brn1.core.init7.net 0.0% 1 71.7 71.7 71.7 71.7 0.0
> 10.|-- r1epe1.core.init7.net 0.0% 1 64.4 64.4 64.4 64.4 0.0
> 11.|-- r1qls1.core.init7.net 0.0% 1 63.2 63.2 63.2 63.2 0.0
> 12.|-- r1gva3.core.init7.net 0.0% 1 77.9 77.9 77.9 77.9 0.0
> 13.|-- gw-sunrise.init7.net 0.0% 1 64.5 64.5 64.5 64.5 0.0
> 14.|-- 2001:1700:1:7:120::2 0.0% 1 63.5 63.5 63.5 63.5 0.0
> 15.|-- 2001:1700:4d00:2::2 0.0% 1 81.7 81.7 81.7 81.7 0.0
> 16.|-- 2a00:4bc0:ffff:ff00::1d 0.0% 1 74.4 74.4 74.4 74.4 0.0
> 17.|-- ??? 100.0 1 0.0 0.0 0.0 0.0 0.0
> [10:26] line:~%
>
>
> icmp6, frag works locally:
>
> 10:29:44.919328 IP6 2a0a:e5c1:111:111:3185:e802:6548:658c >
> 2a00:4bc0:ffff:ffff::c296:f58e: frag (0|1368) ICMP6, echo request, seq
> 33000, length 1368
> 10:29:44.919368 IP6 2a0a:e5c1:111:111:3185:e802:6548:658c >
> 2a00:4bc0:ffff:ffff::c296:f58e: frag (1368|92)
--
Your Swiss, Open Source and IPv6 Virtual Machine. Now on www.datacenterlight.ch.
_______________________________________________
swinog mailing list
swinog(a)lists.swinog.ch
http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Hello List
We have some issues with emails sent from the kpt.ch online plattform
over Swisscom Mobile IP Range:
inetnum: 138.188.0.0 - 138.188.255.255
netname: Swisscom-Mobile
country: CH
There is no SPF entry and the sending ip addresses are not listed by
dnswl.org nor the Swinog Whitelist, causing greylisting to delay emails
(containing login tokens valid for a couple of minutes only) from
those potentially infected end customer ip ranges :-)
Has Swisscom started to assign IP Addresses from this range to
it's email sending platform? The hostname and swisscom's own SPF
entry let's me suspect this is the case:
mailout153.swisscom.com[138.188.176.153]
spf.swisscom.com descriptive text "v=spf1 ip4:193.222.81.224/27 ip4:193.222.81.96/27 ip4:194.11.148.48/28 ip4:194.11.148.64/28 ip4:194.6.164.0/24 ip4:138.190.12.80/28 ip4:138.190.12.32/27 ip4:138.188.176.0/26 ip4:138.188.176.128/26 ip4:138.188.166.96/27 ~all"
Well I guess I add those ranges to the SWINOG Whitelist.
Mit freundlichen Grüssen
-Benoît Panizzon-
--
I m p r o W a r e A G - Leiter Commerce Kunden
______________________________________________________
Zurlindenstrasse 29 Tel +41 61 826 93 00
CH-4133 Pratteln Fax +41 61 826 93 01
Schweiz Web http://www.imp.ch
______________________________________________________
Dear List
SWITCH is hosting the 1st DNSHeads Meetup in Switzerland on May 16 from 15:00 on.
If you run a resolver or an authoritative DNS Server you might want to join us in Zurich to discuss DNS-specific topics in an informal setup (yes, this could mean beer is involved.)
More Information and registration is here:
https://www.meetup.com/de-DE/DNSHeads-Switzerland/events/259123657/
Hope to see you in Zurich!
Michael
------------------------------------
Michael Hausding,
Competence Lead DNS & Domain Abuse
SWITCH-CERT
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 77, incident phone +41 44 268 15 40
michael.hausding(a)switch.ch
http://securityblog.switch.ch
The Security Chat is Back!
We are gathering for an evening of short security-related presentations and networking with peers in the industry.
Security Chat 5.0
Monday, March 25th, 18.00 - 20.30
AdNovum Informatik AG (Headquarters), 22 Röntgenstrasse, 8005 Zürich
(free) singup at: http://bit.ly/securitychat50
If you are interested in giving a short presentation, please indicate on the signup or email me directly. Any topics are welcome: Projects, research, questions you would like to get answers from the attendees, an embarrassing security story - the stage is yours.
Keep the rest of your evening open if you can. Last time people stayed until 11pm; chatting and networking.
Hope to see you at the event!
-Raffy
SAVE THE DATE!
The Security Chat 5.0 will be taking place in Zurich on Monday the 25th
of March at 6pm.
This is a free event open to anyone who has an interest in security. We
will listen to a few short (10-15 minute) presentations and then have a
chance to network with each other. Last time we had a fabulous turn out
of security practitioners, startup founders, geeks, cyber experts, and
people who like to mingle until 11pm, making new friends in the security
community.
The exact location and signup information will follow soon. For now,
mark your calendar and spread the word! You will have a chance to sign
up to give a presentation when the official invite goes out.
Hope to see you all in a couple of weeks!
-Raffy
Hi
Has anybody else seen this weird announcement to the bluewin.ch /24 through AS60633?
Network Path
*> 213.3.75.0/24 1836 59622 64521 60633 i
* 213.3.75.0/24 1836 59622 64521 60633 i
Cheers,
Martin