swinog March 2021

swinog@lists.swinog.ch

13 participants
7 discussions

by Jeroen Massar

As it is 1 april tomorrow, some things expired yesterday: Not After : Mar 30 13:28:58 2021 GMT That thing is.... the COMLOT key to verify those Geldspielgesetz keys for their fun list of worldwide casinos: https://blacklist.comlot.ch/comlot_blacklist.txt see full cert details below. You can get the key with or attached: $ wget -vS https://blacklist.comlot.ch/blacklist.comlot.ch.pub --2021-03-31 16:50:00-- https://blacklist.comlot.ch/blacklist.comlot.ch.pub Resolving blacklist.comlot.ch (blacklist.comlot.ch)... 194.187.88.5 Connecting to blacklist.comlot.ch (blacklist.comlot.ch)|194.187.88.5|:443... connected. HTTP request sent, awaiting response... HTTP/1.1 200 OK Server: nginx/1.14.2 Date: Wed, 31 Mar 2021 14:50:01 GMT Content-Type: application/octet-stream Content-Length: 2927 Connection: keep-alive Last-Modified: Wednesday, 31-Mar-2021 14:50:01 GMT Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0 Strict-Transport-Security: max-age=15768000 Accept-Ranges: bytes Length: 2927 (2.9K) [application/octet-stream] Saving to: ‘blacklist.comlot.ch.pub’ blacklist.comlot.ch.pub 100%[==========================================================>] 2.86K --.-KB/s in 0s 2021-03-31 16:50:01 (558 MB/s) - ‘blacklist.comlot.ch.pub’ saved [2927/2927] Funny that nginx claims the file changed... the moment I downloaded it, bit strange for a static file. Anybody has contacts at COMLOT. As technically speaking, we should not be updating the list anymore into RPZ now; the process I have is thus stuck at the list from yesterday.... (not that it matters, with such a nice list, a bit of VPN and/or simply choosing any non-provider DNS server and voila... bypassed the law.... you, know, Their Law! https://www.youtube.com/watch?v=zKNoU2P0dQc Enjoy! Greet, Jeroen -- openssl x509 -in blacklist.comlot.ch.pub -text Certificate: Data: Version: 3 (0x2) Serial Number: 61:5d:a4:eb:83:eb:a0:a3:be:97:59:c9:56:9b:28:e9 Signature Algorithm: sha256WithRSAEncryption Issuer: C = CH, O = SwissSign AG, CN = SwissSign CH Person Platinum CA 2017 - G22, organizationIdentifier = NTRCH-CHE-109.357.012 Validity Not Before: Mar 30 13:28:58 2020 GMT Not After : Mar 30 13:28:58 2021 GMT Subject: C = CH, L = Bern, ST = BE, organizationIdentifier = NTRCH-CHE-196.380.112, O = Lotterie- und Wettkommission Comlot, CN = Lotterie- und Wettkommission Comlot Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public-Key: (2048 bit) Modulus: 00:8d:2c:7f:48:c2:07:30:b9:fa:29:26:1d:29:83: 82:41:ef:73:2e:8e:dc:de:28:a4:6b:0b:93:0d:19: b6:ee:d2:c5:63:95:3f:d0:ed:a7:f3:80:70:e3:07: 48:6e:f3:e7:5a:d1:fd:80:d5:2e:4e:6d:3d:e1:db: 8e:44:2f:4f:a7:21:58:1d:c9:59:40:9b:97:85:4c: b6:5a:f6:cc:1a:71:a1:ef:59:59:65:f2:6c:be:25: 74:15:37:29:40:b1:6c:6d:3b:43:82:85:ee:5b:e8: 01:86:92:32:a5:f8:a9:ba:8b:85:6e:14:6e:ca:cc: 33:35:ff:7e:b7:fb:1c:c6:dc:c3:c4:f8:31:7b:73: c8:91:86:59:07:4b:75:1f:10:68:50:61:93:19:5b: ac:3d:43:c4:49:0a:ea:17:1b:ea:0e:f5:c1:7f:d5: db:c0:58:c5:61:19:dd:05:b7:b5:35:27:85:ea:ec: 70:6e:c5:a6:d5:c1:ca:5b:85:3e:42:08:14:f0:01: aa:b5:47:93:ed:ed:eb:20:35:db:d8:d8:58:da:6b: dc:3d:14:ee:e1:91:c8:85:12:d5:59:9c:fc:4f:04: 0e:f5:a4:d5:c0:ab:ec:57:6b:c1:d9:8f:1d:6b:dc: bf:5a:0e:58:a0:4c:01:0f:13:31:c0:0b:dd:ac:aa: 2b:6f Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Key Usage: critical Digital Signature X509v3 Basic Constraints: CA:FALSE X509v3 Subject Key Identifier: 1B:2B:A0:91:2C:6F:2B:92:49:EC:96:04:BD:1C:8D:36:35:45:4D:76 X509v3 Authority Key Identifier: keyid:1E:C8:04:6D:FB:72:62:51:60:A2:73:24:6F:BE:F2:5F:4D:34:92:FC X509v3 CRL Distribution Points: Full Name: URI:http://crl.swisssign.net/1EC8046DFB72625160A273246FBEF25F4D3492FC Full Name: URI:ldap://directory.swisssign.com/CN=1EC8046DFB72625160A273246FBEF25F4D349… X509v3 Certificate Policies: Policy: 2.16.756.1.89.1.1.1.1.10 CPS: https://repository.swisssign.com/SwissSign-Platinum-CP-CPS.pdf User Notice: Explicit Text: regulated certificate Policy: 0.4.0.194112.1.3 Authority Information Access: CA Issuers - URI:http://swisssign.net/cgi-bin/authority/download/1EC8046DFB72625160A2732… OCSP - URI:http://platinum-g2.ocsp.swisssign.net/1EC8046DFB72625160A273246FBEF25F4… qcStatements: 0c0......F..0B.....F..08.2https://repository.swisssign.com/SwissSign-PDS.pd…... Signature Algorithm: sha256WithRSAEncryption 10:08:b0:64:2d:63:90:e2:07:4e:ed:d1:87:62:0a:43:88:c8: 87:b9:85:91:ae:ba:8b:f7:f6:33:d3:cd:a0:63:37:28:28:4f: c0:ec:15:06:a7:e4:86:1f:03:28:ad:e5:32:68:14:e2:ee:6e: 62:97:fc:95:7a:ac:fe:b1:a4:24:d1:99:89:2e:cd:ee:ca:c3: 76:c9:38:8e:3b:16:bd:6f:89:5e:4a:94:d5:ea:f1:73:46:15: 41:45:a4:8a:0b:8a:14:22:35:36:8c:fa:70:bb:19:73:6e:39: 93:5d:0d:5c:43:60:8e:0e:38:ed:ac:96:74:0a:b9:51:bc:23: 51:80:4d:cf:e2:64:02:80:af:dd:ef:40:b9:ba:36:0e:aa:3d: 88:d9:29:20:56:68:39:a8:74:46:79:81:df:d0:c8:fb:4b:76: 2b:c4:41:42:e8:c6:16:f7:94:7f:30:de:ba:22:d9:67:94:a7: c2:01:4f:1f:31:2b:52:16:f3:ae:c4:b6:a4:f8:87:df:7f:92: 73:e1:89:07:05:9b:8d:e9:c1:21:8a:b6:87:59:04:12:fb:b0: f3:1a:95:0e:29:5d:95:af:a2:82:54:cb:9f:77:d7:90:00:42: 06:53:88:d4:9f:26:b0:43:e9:b0:c1:9a:24:17:69:fc:87:66: e3:67:01:bf -----BEGIN CERTIFICATE----- MIIG9zCCBd+gAwIBAgIQYV2k64ProKO+l1nJVpso6TANBgkqhkiG9w0BAQsFADB5 MQswCQYDVQQGEwJDSDEVMBMGA1UEChMMU3dpc3NTaWduIEFHMTMwMQYDVQQDEypT d2lzc1NpZ24gQ0ggUGVyc29uIFBsYXRpbnVtIENBIDIwMTcgLSBHMjIxHjAcBgNV BGETFU5UUkNILUNIRS0xMDkuMzU3LjAxMjAeFw0yMDAzMzAxMzI4NThaFw0yMTAz MzAxMzI4NThaMIGlMQswCQYDVQQGEwJDSDENMAsGA1UEBxMEQmVybjELMAkGA1UE CBMCQkUxHjAcBgNVBGETFU5UUkNILUNIRS0xOTYuMzgwLjExMjEsMCoGA1UEChMj TG90dGVyaWUtIHVuZCBXZXR0a29tbWlzc2lvbiBDb21sb3QxLDAqBgNVBAMTI0xv dHRlcmllLSB1bmQgV2V0dGtvbW1pc3Npb24gQ29tbG90MIIBIjANBgkqhkiG9w0B AQEFAAOCAQ8AMIIBCgKCAQEAjSx/SMIHMLn6KSYdKYOCQe9zLo7c3iikawuTDRm2 7tLFY5U/0O2n84Bw4wdIbvPnWtH9gNUuTm094duORC9PpyFYHclZQJuXhUy2WvbM GnGh71lZZfJsviV0FTcpQLFsbTtDgoXuW+gBhpIypfipuouFbhRuyswzNf9+t/sc xtzDxPgxe3PIkYZZB0t1HxBoUGGTGVusPUPESQrqFxvqDvXBf9XbwFjFYRndBbe1 NSeF6uxwbsWm1cHKW4U+QggU8AGqtUeT7e3rIDXb2NhY2mvcPRTu4ZHIhRLVWZz8 TwQO9aTVwKvsV2vB2Y8da9y/Wg5YoEwBDxMxwAvdrKorbwIDAQABo4IDTDCCA0gw DgYDVR0PAQH/BAQDAgeAMAwGA1UdEwQFMAMBAQAwHQYDVR0OBBYEFBsroJEsbyuS SeyWBL0cjTY1RU12MB8GA1UdIwQYMBaAFB7IBG37cmJRYKJzJG++8l9NNJL8MIIB BAYDVR0fBIH8MIH5MEegRaBDhkFodHRwOi8vY3JsLnN3aXNzc2lnbi5uZXQvMUVD ODA0NkRGQjcyNjI1MTYwQTI3MzI0NkZCRUYyNUY0RDM0OTJGQzCBraCBqqCBp4aB pGxkYXA6Ly9kaXJlY3Rvcnkuc3dpc3NzaWduLmNvbS9DTj0xRUM4MDQ2REZCNzI2 MjUxNjBBMjczMjQ2RkJFRjI1RjREMzQ5MkZDJTJDTz1Td2lzc1NpZ24lMjBBRyUy Q0M9Q0g/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNz PWNSTERpc3RyaWJ1dGlvblBvaW50MIGXBgNVHSAEgY8wgYwwfwYKYIV0AVkBAQEB CjBxMEoGCCsGAQUFBwIBFj5odHRwczovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNv bS9Td2lzc1NpZ24tUGxhdGludW0tQ1AtQ1BTLnBkZjAjBggrBgEFBQcCAjAXDBVy ZWd1bGF0ZWQgY2VydGlmaWNhdGUwCQYHBACL7EABAzCB0gYIKwYBBQUHAQEEgcUw gcIwZAYIKwYBBQUHMAKGWGh0dHA6Ly9zd2lzc3NpZ24ubmV0L2NnaS1iaW4vYXV0 aG9yaXR5L2Rvd25sb2FkLzFFQzgwNDZERkI3MjYyNTE2MEEyNzMyNDZGQkVGMjVG NEQzNDkyRkMwWgYIKwYBBQUHMAGGTmh0dHA6Ly9wbGF0aW51bS1nMi5vY3NwLnN3 aXNzc2lnbi5uZXQvMUVDODA0NkRGQjcyNjI1MTYwQTI3MzI0NkZCRUYyNUY0RDM0 OTJGQzBxBggrBgEFBQcBAwRlMGMwCAYGBACORgEEMEIGBgQAjkYBBTA4FjJodHRw czovL3JlcG9zaXRvcnkuc3dpc3NzaWduLmNvbS9Td2lzc1NpZ24tUERTLnBkZhMC ZW4wEwYGBACORgEGMAkGBwQAjkYBBgIwDQYJKoZIhvcNAQELBQADggEBABAIsGQt Y5DiB07t0YdiCkOIyIe5hZGuuov39jPTzaBjNygoT8DsFQan5IYfAyit5TJoFOLu bmKX/JV6rP6xpCTRmYkuze7Kw3bJOI47Fr1viV5KlNXq8XNGFUFFpIoLihQiNTaM +nC7GXNuOZNdDVxDYI4OOO2slnQKuVG8I1GATc/iZAKAr93vQLm6Ng6qPYjZKSBW aDmodEZ5gd/QyPtLdivEQULoxhb3lH8w3roi2WeUp8IBTx8xK1IW867EtqT4h99/ knPhiQcFm43pwSGKtodZBBL7sPMalQ4pXZWvooJUy59315AAQgZTiNSfJrBD6bDB miQXafyHZuNnAb8= -----END CERTIFICATE-----

1 year, 11 months

Mail rejection at bluewin

by Peter Rohrer

Hello everybody Since yesterday, we see a lot of bounced messages to bluewin addresses with SMTP code 554, for example: relay=mxbw-bluewin-ch.hdb-cs04.ellb.ch[195.186.227.50]:25, delay=0.16, delays=0/0.01/0.09/0.05, dsn=5.2.0, status=bounced (host mxbw-bluewin-ch.hdb-cs04.ellb.ch[195.186.227.50] said: 554 5.2.0 sc976: Rejected due to policy reasons - https://support.bluewin.ch/provider/bounce/XXXXXXXXXXXXXXXXX[redacted]== (in reply to end of DATA command)) Unfortunately, sc976 is not documented on https://postmaster.bluewin.ch/content/de/technical-details/ We can't see any general pattern behind those rejections (hosts trough our entire IP range are affected), switching to a different IP address for delivery works in most cases. Do you see the same and have any insight what is going on here? Greetings Peter

1 year, 11 months

Re: [swinog] Swisscom IPv6 Routing weirdness

by Jeroen Massar

> On 20210225, at 16:52, Jean-Pierre Schwickerath <swinog(a)hilotec.net> wrote: > > Hi Jeroen >> that "sinkhole" is just a misconfigured/internet-ignorant "load >> balancer": those things do not care about ICMP... >> >> you are thus reaching the dest, it is just misconfigured: the Internet >> is just HTTP for many, they do not care about this TCP, ICMP or IP >> thing... be happy there is some kind of IPv6... >> > I wouldn't have noticed the issue if the loadbalancer / webserver had > actually returned a webpage on port TCP/443. But it doesn't. So I tried > from a different network to see if the issue is reproducible and that > when I noticed the path taken by the traceroute packets. > Check with a tcpdump, don't forget to include ICMP. Could also be an MTU issue or something on your side killing it. Of course the behavior of the "load balancer" says quite a few things... sbb.ch is like that too... >> >> Btw, when complaining about something, it is wise to include IP >> addresses, especially for the source... >> > The first hop of the traceroute is actually a good indicator for the > source. 192.168.205.240 ? DNS is ambiguous and reverses do not always match forwards. Including the actual IPs can thus be very useful... That is, if you actually want it resolved. You might want contact swisscom directly (good luck with that) or at least your ISPs that provide the connectivity, they might have better chance at contacting them. (taking transit over swissix is a fun one; but yea it is not that swisscom likes to peer, what else would a monopoly do) Greets, Jeroen

1 year, 11 months

DENOG Leadership Meetup #1 -- Save the DATE: Mittwoch 24. März 2021, 18:30 Uhr

by Stefan Funke

Good afternoon SWINOG! Since SWINOG is also a German-speaking network operator group, I wanted to take the chance to invite you to the first DENOG Leadership Meetup. The new meeting series will start on Wednesday, 24th March 2021, at 18:30 CET. It will come in a variety of different formats and is all about leadership. This series's target audience is people in the network operator community who currently are in leadership roles or are interested in leadership roles, either in your career or voluntary appearances. The first meeting is about leadership and managing a team during a global pandemic, including hidden challenges. You will find more details, the preliminary plan, and a way to register for a free ticket at https://www.denog.de/de/events/leadership.html. The event will be in GERMAN only! Greetings from DENOG. We would be pleased to see you at our Meetup next Wednesday. Regards, -Stefan

2 years

Bluewin SMTP server reachable from outside bluewin/swisscom?

by Jeroen Massar

Hi, (Possibly in relation to http://lists.swinog.ch/public/swinog/2021-March/007457.html, but in this case not even a TCP ACK...) It seems smtp.bluewin.ch (25 and 465 tested) is unreachable from all places I checked (Init7, Quickline, BIT.nl). Is that service normally open for Bluewin customers to connect to smtp.bluewin.ch? As apparently Swisscom is sending out mails to providers that their customers are complaining that their customers on non-swisscom/bluewin cannot use their SMTP service..... But telnet does not even answer.... (no TCP ACK at all, no ICMP, nada nothing), thus looks like it is firewalled away. Greets, Jeroen

2 years

OVH datacenter SBG2 in Strasbourg on fire 🔥

by Fredy Kuenzler

Very sad day for our colleagues at OVH AS16276 as they lost their datacenter SBG-2 in Strasbourg completly („everything is destroyed“) in a fire 🔥 and the neighboring SBG1/SBG3/SBG4 at least temporary. https://www.dna.fr/amp/faits-divers-justice/2021/03/10/strasbourg-important… -- Fredy Künzler Init7 (Switzerland) Ltd. Technoparkstrasse 5 CH-8406 Winterthur https://www.init7.net/

2 years

Coop.ch geoblocking?

by Benoit Panizzon

Dear List Having issue in accessing www.coop.ch "Aus Sicherheitsgründen ist ein Login aus Ihrem Land nicht erlaubt". And a hint I shall not use a VPN or Proxy. No proxy or VPN in use, just IPv4 NAT, as confirmed by 'wieistmeineip'. (www.coop.ch is not IPv6 yet) So I supposed a messed up GeoIP Database and changed my SNAT IP a couple of times (all those IP are registered with country=CH @RIPE since decades and I never had such issues) 157.161.57.65 => blocked (main NAT ip) 157.161.57.66 => Ok (a static server ip not used anymore) 157.161.57.68 => Ok (a static client ip) 157.161.57.70 => blocked (alternate NAT ip seldom used) 157.161.5.199 => blocked (Gateway IP, not usually used as src, except local stuff on the Mtik like DNS) Weird! Anyone has insight in what geoIP database coop uses? Or if there are other criteria they use for blocking? -- -Benoît Panizzon- -- I m p r o W a r e A G - Leiter Commerce Kunden ______________________________________________________ Zurlindenstrasse 29 Tel +41 61 826 93 00 CH-4133 Pratteln Fax +41 61 826 93 01 Schweiz Web http://www.imp.ch ______________________________________________________

2 years

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

2005

swinog March 2021