swinog February 2021

swinog@lists.swinog.ch

14 participants
8 discussions

Re: [swinog] Swisscom IPv6 Routing weirdness

by Jeroen Massar

> On 20210225, at 16:52, Jean-Pierre Schwickerath <swinog(a)hilotec.net> wrote: > > Hi Jeroen >> that "sinkhole" is just a misconfigured/internet-ignorant "load >> balancer": those things do not care about ICMP... >> >> you are thus reaching the dest, it is just misconfigured: the Internet >> is just HTTP for many, they do not care about this TCP, ICMP or IP >> thing... be happy there is some kind of IPv6... >> > I wouldn't have noticed the issue if the loadbalancer / webserver had > actually returned a webpage on port TCP/443. But it doesn't. So I tried > from a different network to see if the issue is reproducible and that > when I noticed the path taken by the traceroute packets. > Check with a tcpdump, don't forget to include ICMP. Could also be an MTU issue or something on your side killing it. Of course the behavior of the "load balancer" says quite a few things... sbb.ch is like that too... >> >> Btw, when complaining about something, it is wise to include IP >> addresses, especially for the source... >> > The first hop of the traceroute is actually a good indicator for the > source. 192.168.205.240 ? DNS is ambiguous and reverses do not always match forwards. Including the actual IPs can thus be very useful... That is, if you actually want it resolved. You might want contact swisscom directly (good luck with that) or at least your ISPs that provide the connectivity, they might have better chance at contacting them. (taking transit over swissix is a fun one; but yea it is not that swisscom likes to peer, what else would a monopoly do) Greets, Jeroen

2 years, 2 months

Coop.ch geoblocking?

by Benoit Panizzon

Dear List Having issue in accessing www.coop.ch "Aus Sicherheitsgründen ist ein Login aus Ihrem Land nicht erlaubt". And a hint I shall not use a VPN or Proxy. No proxy or VPN in use, just IPv4 NAT, as confirmed by 'wieistmeineip'. (www.coop.ch is not IPv6 yet) So I supposed a messed up GeoIP Database and changed my SNAT IP a couple of times (all those IP are registered with country=CH @RIPE since decades and I never had such issues) 157.161.57.65 => blocked (main NAT ip) 157.161.57.66 => Ok (a static server ip not used anymore) 157.161.57.68 => Ok (a static client ip) 157.161.57.70 => blocked (alternate NAT ip seldom used) 157.161.5.199 => blocked (Gateway IP, not usually used as src, except local stuff on the Mtik like DNS) Weird! Anyone has insight in what geoIP database coop uses? Or if there are other criteria they use for blocking? -- -Benoît Panizzon- -- I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________ Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________

2 years, 3 months

Swisscom IPv6 Routing weirdness

by Jean-Pierre Schwickerath

Dear Swisscom Routing-Experts Are you not peeing at swissIX anymore? Your webserver www.swisscom.ch (2a02:a90:c400:4001::2) gives me a hard time to be reached. Either it wants it traffic to be routed from Berne via NL, UK, US and ends in a sinkhole or it uses what looks like using private peering from tineo/netrics/finecom to the same sinkhole: tracepath6 2a02:a90:c400:4001::2 1?: [LOCALHOST] 0.367ms pmtu 1500 1: sv96.hilotec.net 0.776ms 1: sv96.hilotec.net 0.740ms 2: 2a00:c38::1:0:2a 1.538ms 3: lo0.01.p.cbn.ch.as15576.nts.ch 1.725ms 4: lo0.01.p.czh.ch.as15576.nts.ch 4.075ms 5: lo0.02.p.czh.ch.as15576.nts.ch 4.354ms 6: zayog.swissix.ch 10.184ms 7: no reply 8: ae2.cs1.ams17.nl.eth.zayo.com 151.857ms asymm 25 9: no reply 10: no reply 11: no reply 12: ae5.cs1.lhr11.uk.eth.zayo.com 153.354ms asymm 21 13: no reply 14: 2001:438:ffff::407d:1d13 151.202ms asymm 19 15: ae6.cs1.sjc2.us.eth.zayo.com 159.227ms asymm 18 16: ae9.mpr1.pao1.us.zip.zayo.com 152.345ms 17: 2001:438:fffe::2456 153.873ms asymm 10 18: 2001:c10:80:1::e51 259.737ms asymm 10 19: 2001:c10:80:1::b96 265.511ms asymm 11 20: 2001:c10:80:2::ad2 243.109ms asymm 10 21: geb-030-lo0-0.ip6.ip-plus.net 247.019ms asymm 9 22: geb-015-loo6.ip6.ip-plus.net 236.957ms asymm 8 23: gem-005-loo6.ip6.ip-plus.net 242.943ms asymm 8 24: 2001:918:100:63::1 230.491ms asymm 7 25: 2001:918:100:4c::1 240.121ms asymm 8 26: 2001:918:100:52::1 247.741ms asymm 7 27: 2001:918:ce::49 241.013ms asymm 8 28: 2a02:a90:4024:fff::14 247.804ms asymm 9 29: 2a02:a90:4024:fff::15 234.473ms asymm 8 30: no reply Too many hops: pmtu 1500 Resume: pmtu 1500 tracepath 2a02:a90:c400:4001::2 1?: [LOCALHOST] 0.030ms pmtu 1500 1: router.3550.ch 0.418ms 1: router.3550.ch 0.410ms 2: bd4.lar01.lna001.bb.fcom.ch 4.561ms 3: no reply 4: no reply 5: 2001:4d98:a000::1b4 3.218ms asymm 4 6: zhh-015-lo0-0.ip6.ip-plus.net 11.088ms asymm 5 7: 2001:918:ce::45 6.146ms asymm 6 8: 2a02:a90:4024:fff:8000::15 5.452ms 9: no reply 10: no reply 11: no reply 12: no reply 13: no reply 14: no reply 15: no reply 16: no reply 17: no reply 18: no reply 19: no reply 20: no reply 21: no reply 22: no reply 23: no reply 24: no reply 25: no reply 26: no reply 27: no reply 28: no reply 29: no reply 30: no reply Too many hops: pmtu 1500 Resume: pmtu 1500 Is that a management decision or a technical issue? Cheers Jean-Pierre -- HILOTEC Engineering + Consulting AG - Langnau im Emmental IT für KMUs: Netzwerke, Server, PCs, Linux, Telefonanlagen, VOIP, Hosting, Datenbanken, Entwicklung, WLAN, Cloud, Firewalls Tel: +41 34 408 01 00 - https://www.hilotec.com/

2 years, 3 months

Bluewin / Swisscom Postmaster Contact

by Michael Naef

Hi all We (Hostpoint) see increasing problems sending automated Mails to bluewwin recipients (such as account confirmation emails). Respectively we see them identiefd as spam mails. Can a Swisscom/Bluewin Postmaster please get in touch with me/us to identify the cause? Thanks, Michael Naef Head of System Engineering, Hostpoint AG

2 years, 3 months

Fwd: [ncc-announce] Attack on RIPE NCC Access - Please Enable Two-Factor Authentication

by Massimiliano Stucchi

-------- Forwarded Message -------- Subject: [ncc-announce] Attack on RIPE NCC Access - Please Enable Two-Factor Authentication Date: Thu, 18 Feb 2021 16:49:59 +0100 From: Ivo Dijkhuis <ivo.dijkhuis(a)ripe.net> To: ncc-announce(a)ripe.net Dear colleagues, Last weekend, RIPE NCC Access, our single sign-on (SSO) service was affected by what appears to be a deliberate ‘credential-stuffing’ attack, which caused some downtime. We mitigated the attack, and we are now taking steps to ensure that our services are better protected against such threats in the future. Our preliminary investigations do not indicate that any SSO accounts have been compromised. If we do find that an account has been affected in the course of our investigations, we will contact the account holder individually to inform them. We would like to ask you to enable two-factor authentication on your RIPE NCC Access account if you have not already done so to ensure that your account is secure. In general, using two-factor authentication across all your accounts can help limit your exposure to such attacks. If you notice any suspicious activity in your RIPE NCC Access account, please contact us immediately at <security(a)ripe.net>. Best regards, Ivo Dijkhuis Senior Information Security Officer, RIPE NCC

2 years, 3 months

Quad9 moves to Switzerland

by Michael Hausding

Dear Swinog I am very pleased to inform you first-hand that SWITCH and Quad9 are jointly announcing today the relocation of Quad9's headquarters from California to Zurich. Quad9, a public domain name service, will thus offer its users worldwide maximum internet privacy protection. The move to Switzerland is being facilitated in large part by SWITCH. The joint mission of SWITCH and Quad9 - to provide security and robust services to internet users around the world - was a key factor in this collaboration. More information can be found in the joint media release https://www.switch.ch/news/Quad9-moves-to-Switzerland/ and on the Quad9 website https://quad9.net/ Should you have any questions about this, please don't hesitate to contact me or Quad9 directly. Best regards, Michael ------------------------------------ Michael Hausding, Competence Lead DNS & Domain Abuse SWITCH-CERT Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland phone +41 44 268 15 77, incident phone +41 44 268 15 40 michael.hausding(a)switch.ch http://securityblog.switch.ch

2 years, 3 months

Bluewin quarantines outgoing mails

by Maxim Samo

Hi, Sometimes I have users send me email from bluewin. Those emails can be significantly delayed. An example just came in this morning: Received: from quar.lb.bluewin.ch ([195.186.123.234]) by vimdzmsp-sfwd04.bluewin.ch Swisscom AG with ESMTP id 9FbplVkv74QBH9Fc9l0UVW; Tue, 09 Feb 2021 00:06:41 +0100 Received: from vimdzmsp-sfwd04.bluewin.ch ([195.186.227.132]) by vimdzmsp-quar01.bluewin.ch Swisscom AG with SMTP id 82c8lv39dIuiP82c8lqzVg; Fri, 05 Feb 2021 16:01:41 +0100 Delayed from Friday until Tuesday by quar.lb.bluewin.ch. Quar seems to be short for "quarantine". The sending user had no idea that this happened. I previously asked in the Swisscom community about this and they confirmed that this happens when the server suspects it's spam. The questions I have now though are: - How is the sending user supposed to know that this happened? - It seems that they really expect the sending user to call their support line and ask the mail to be released (!). - How did the mail get released in this case? The length of the quarantine seems to change and you could suspect that it's a human looking through those emails. regards, Maxim

2 years, 3 months

Bluewin / SMTP UTF8

by Rémy DUCHET

Hello Swinog, Does anybody from Bluewin can check SMTP host configuration ? It seems that mx doesnt support SMTP UTF8 (we have customers with email address that contains ~ (for example): SMTPUTF8 is required, but was not offered by host mxbw.lb.bluewin.ch[195.186.227.50] Thanks, Rémy

2 years, 4 months

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

swinog February 2021