[02:41] *** dj_goku has joined #arpnetworks
[02:44] *** dj_goku_ has quit IRC (Ping timeout: 250 seconds)
[04:34] *** ziyourenxiang has joined #arpnetworks
[05:25] <pyvpx> everyone adding NTP to their dhcpd after the google announcement? :p
[06:37] <mkb> what google announcement
[06:37] <mkb> please don't say it's the fake time stamp thing
[06:37] <mkb> leap second I mean
[07:56] *** Lucifer333 has joined #arpnetworks
[08:20] <plett> pyvpx: The ones that smear leap seconds? No, it's a silly idea and client applications need to cope with their clocks changing under them for other reasons, so dealing with a leap second should be no problem
[08:33] *** ziyourenxiang has quit IRC (Quit: Leaving)
[08:42] <mercutio> things neding to doesn't describe reality at all
[08:51] <jcv> i've written more than enough code that cares about leap seconds (satellite data) to think google's smear idea is terrible
[08:53] <mercutio> is it terrible for good code, or terrible for bad code?
[09:22] <brycec> mercutio: zeit.arp is also seeing the traffic increase. It's setting off my monitoring constantly :(
[09:22] <brycec> But thanks for mentioning it and the nanog list, at least I can follow along...
[09:23] <brycec> (I really wondered. At a glance, the traffic seemed legit so I put off investigating it.)
[09:26] <mercutio> it's mostly mobile providers seemed to be the thing that was known so far
[09:27] <brycec> I don't have finer-grained record on it, alas, so I can't break down connections by source or what their queries looked like. But I do monitor overall bandwidth which has tripled. 12 Dec was averaging 550kbps, the next few days are 723kbps, 1.26mbps, and 1.45mbps
[09:28] <mercutio> ahh
[09:28] <mercutio> that's much lower than some people see
[09:28] <mercutio> some people have seen 20 megabit
[09:29] <brycec> Yeah I saw Dan Brown's stats (http://seclists.org/nanog/2016/Dec/161) but still that's ~10% of his total traffic, that doesn't seem disproportionately high.
[09:29] <brycec> Well zeit.arp is a relatively low stratum, 2 or 3 I think.
[09:29] <brycec> (I assume higher stratum, eg 1, get more traffic from the NTP Pool)
[09:30] <brycec> In any case, it's better to talk about relative increases rather than absolute numbers. He's see quadruple the bw, we've seen triple, it's all... weird.
[09:30] <mercutio> hmm
[09:30] <brycec> (Zeit used to do ~5GB/day, yesterday it did 15GB :/)
[09:30] <mercutio> yeh
[09:31] <mercutio> some of the servers in thsi neck of the woods bailed ouit recently
[09:31] <mercutio> which i think pushed traffic up further
[09:31] <mercutio> and they're seeing US traffic as well for some reason
[09:32] <mercutio> i dunno why there's so many posts here
[09:32] <mercutio> err on nznog
[09:32] <brycec> And this is the traffic from my own VPS which I also have setup in the Pool under a fairly low stratum) http://imgur.com/a/Ixs1U
[09:32] <mercutio> there's 19 posts on nznog, 13 posts on nanog
[09:33] <mercutio> hmm it looks like it started to go up slower
[09:33] <mercutio> on monday
[09:35] <brycec> Looking at the current traffic to Zeit (and hammering rDNS) I'm seeing a surprising number out UK clients
[09:35] <brycec> (BT, Ireland ISPs, etc)
[09:36] <brycec> (Virgin Mobile, Telus Canada which I know is not UK)
[09:36] <brycec> (Norway, Sweden, Germany...)
[09:37] <brycec> I think I'm most surprised to see requests from AWS EC2 instances though.
[09:37] <brycec> Not a ton, but a few.
[09:37] <brycec> (France, The Netherlands, Switzerland, Brazil)
[09:38] <brycec> (Belgium, Argentina)
[09:45] <mercutio> hmm that is curious
[09:46] <mercutio> so yeah there's two things, the geo location seems wrong
[09:46] <mercutio> and no-one knows why there's heaps more traffic
[09:47] <brycec> I was hoping it was something obvious like "Amazon turned on NTP inside all new EC2 instances" but... 1) That's dumb, and 2) I should see more traffic then, probably.
[12:33] *** Lucifer333 has quit IRC (Quit: Leaving)
[12:53] *** hive-mind has quit IRC (Remote host closed the connection)
[12:54] *** hive-mind has joined #arpnetworks
[16:28] *** dj_goku has quit IRC (Remote host closed the connection)
[16:54] *** ziyourenxiang has joined #arpnetworks
[17:06] *** dj_goku has joined #arpnetworks
[17:40] *** Nahual has joined #arpnetworks
[18:06] <nathani> what tool / software / config can I use to authenticate BGP prefixes to originate from respective ASNs?
[18:08] <mercutio> RPKI
[18:09] <mercutio> it's hardly used though
[18:10] <nathani> like DNSSEC :-)
[18:28] <nathani> https://www.youtube.com/watch?v=P65XdTlk4vA
[18:28] <BryceBot> YouTube video: "Jonathan Zittrain: The Web as random acts of kindness" by TED
[18:37] <mercutio> DNSSEC is used heaps now
[18:37] <mercutio> dnscurve is hardly used
[19:15] *** Nahual has left 
[19:21] <nathani> @google dnscurve
[19:21] <BryceBot> 1,440 total results returned for 'dnscurve', here's 3
[19:21] <BryceBot> DNSCurve - Wikipedia (https://en.wikipedia.org/wiki/DNSCurve) DNSCurve is a proposed new secure protocol for the Domain Name System ( DNS), designed by Daniel J. Bernstein. Contents. [hide]. 1 Description; 2 Security  ...
[19:21] <BryceBot> GitHub - mdempsky/dnscurve: Tools for DNS curve implementation (https://github.com/mdempsky/dnscurve) Tools for DNS curve implementation. Contribute to dnscurve development by  creating an account on GitHub.
[19:21] <BryceBot> DNSCurve – Wikipedia (https://de.wikipedia.org/wiki/DNSCurve) DNSCurve ist eine Technik zur sicheren Auflösung von Domain-Namen in IP- Adressen. Autor des im August 2008 veröffentlichen Protokoll-Vorschlags ist der  ...
[19:22] <nathani> cloudflare has support for dnssec
[19:22] <nathani> even on their free tier
[19:23] * brycec makes use of it :)
[19:24] <nathani> I used to be a heavy dnsmadeeasy user, but can't beat free and all sorts of caching / security features with cloudflare
[19:24] <nathani> does pool.ntp.org resolve to zeit for close clients?
[19:24] <nathani> ie is it part of the public pool?
[19:24] <brycec> It should, yes.
[19:25] <brycec> (otherwise I have no idea how France, Belgium, Germany, the Netherlands, UK... got the address)
[19:25] <nathani> was the spike in traffic across both v4 and v6?
[19:26] <brycec> I can't say for certain, I only monitor the traffic at the interface level.
[19:26] <brycec> Doing periodic tcpdumps, traffic is 99% v4
[19:28] <nathani> do you also monitor skew and time corrections on the vm itself?
[19:31] <brycec> What's really interesting to me is that, at least according to tcpdump's protocol identification, ip6 traffic is exclusively ntpv2 and ntpv3 clients, while ip traffic is about 98% ntpv4
[19:32] <brycec> Yes. It's pretty stable. And perks of NTP, it handles itself fairly well.
[19:47] <nathani> you would think the ipv6 clients would be more capable and request later version of ntp protocol
[19:48] <nathani> dns queries to pool.ntp.org dont seem to return AAAA records when requested
[19:51] <brycec> But 2.pool.ntp.org does
[19:52] <brycec> So any clients with [0123].pool.ntp.org configured, as I've often seen in default ntp.conf will still hit it
[19:53] <nathani> the nanog list mentioned an IOT provider that had configured something differently
[19:54] <nathani> didnt name the provider or device though
[19:56] <brycec> Did it? I don't remember seeing anything like that http://seclists.org/nanog/2016/Dec/index.html#159
[19:57] <nathani> nznog actually
[19:58] <nathani> I have them in the same label in gmail
[19:58] <nathani> "The chatter in #ntp on IRC infers that it was through a change made by a IoT vendor (though that's all the info that's been given, so take that with as much salt as you wish)."
[19:59] <nathani> https://list.waikato.ac.nz/pipermail/nznog/2016-December/022411.html
[20:00] <brycec> Oh nznog :p
[20:01] <nathani> Folks down under need ntp too :-)
[20:01] <brycec> (Thanks for thelink)
[20:01] <brycec> (I didn't have a link to nznog archives)
[20:02] <nathani> there is also AUSnog which I follow: http://lists.ausnog.net/pipermail/ausnog/
[20:04] <mercutio> yeh i dunno why nznog had so much discussion :)
[20:08] <nathani> time servers are 'critical' infrastructure for the internet, kinda like dns servers 'maybe' - it is essential to have them up and running and a spike in traffic of such extent can lead to insufficient capacity to deal with legitimate queries assuming the excess traffic is not legit
[20:28] <up_the_irons> so what's all this about increase in NTP traffic....
[20:28] <up_the_irons> why exactly would Zeit be getting more traffic now?
[20:31] <brycec> up_the_irons: because zeit is a member of pool.ntp.org
[20:31] <brycec> And pool.ntp.org is seeing an unexplained increase in traffic
[20:32] <brycec> It's legitimate traffic so far as anyone can tell, at least. (And not something nefarious like a DDoS or amplification attack)
[20:33] <nathani> https://lists.ntp.org/pipermail/pool/2016-December/007997.html
[20:34] <nathani> this guy had to shut off his ntp server to get his firewall working
[20:34] <brycec> (Though to be fair, it was a Cisco ASA *rimshot*)
[20:35] <nathani> Just a thought, yesterday was Microsoft patch day.  If MS added the pool to all the Windows clients out there, that could certainly account for this traffic.
[20:35] <nathani> ^ lol
[20:35] <brycec> (yeah saw that message)
[20:35] <brycec> Windows still defaults to time.windows.com last I checked.
[20:36] <nathani> where is the page that shows you health of individual servers etc
[20:37] <nathani> I think I was looking for http://www.pool.ntp.org/scores/208.79.89.249
[20:37] <brycec> http://www.pool.ntp.org/scores/2607:f2f8:a650::3
[20:37] <brycec> Yeah
[20:38] <brycec> Zeit ip6 http://www.pool.ntp.org/scores/2607:f2f8:0:102::2317
[20:38] <brycec> Zeit ip4 http://www.pool.ntp.org/scores/208.79.89.249
[20:38] <brycec> for those interested
[20:39] <up_the_irons> brycec: ah OK
[20:39] <up_the_irons> I forgot it was part of that pool
[20:39] <brycec> lol
[20:39] <brycec> up_the_irons: Sorry about the unexpected, unexplained tripling in traffic
[20:40] <nathani> http://irclogger.arpnetworks.com/irclogger_log/arpnetworks?date=2014-06-19,Thu&sel=389#l385
[20:41] <nathani> wow its been 2.5 years
[20:41] <brycec> (Geez look at nathani pulling a brycec, quoting the logs)
[20:42] <nathani> too bad brycebot didnt pull the quote from the url and paste it into the channel :-)
[20:42] <brycec> Maybe someday
[20:43] <up_the_irons> brycec: do you know what the Mbps is?
[20:43] <brycec> up_the_irons: Yes.
[20:43] <brycec> Today's average is 1.89mbps
[20:43] <brycec> Yesterday's is 1.45mbps
[20:43] <brycec> day before 1.26
[20:44] <nathani> thats like 20gb/day
[20:44] <up_the_irons> OK tnx
[20:44] <up_the_irons> so not bad
[20:45] <nathani> I guess folks are concerned if it keeps increasing like that
[20:45] <nathani> the list mentioned 20mbps in some cases
[20:45] <nathani> also its small packets so max pps on firewalls etc
[20:46] <brycec> 16.72GB so far today, yes nathani
[20:47] <brycec> 14.92GB yesterday
[20:47] <brycec> fwiw zeit is configured as 100mbps North America
[20:48] <mercutio> wow
[20:49] <mercutio> i suppose there's lots of higher bandwidth ones
[20:49] <mercutio> it sounded like 50 megabit ones were getting hit hard before
[20:51] <brycec> (today's average is up to 1.91mbps, total 17.01GB, 8.58GB inbound + 8.42GB outbound)
[20:52] <nathani> how is cpu load?
[20:53] <nathani> have you seen  https://developers.google.com/time/
[20:53] <brycec> fairly low, 0-10% CPU usage
[20:53] <brycec> I saw mentions of it. I... don't approve.
[20:54] <brycec> (of "smearing")
[20:54] <nathani> what about all the apps that cant handle leap seconds
[20:54] <brycec> Fix the app.
[20:54] <brycec> Duh :p
[20:55] <brycec> Frankly I don't think I've encountered an application that can't handle leap seconds
[20:57] <nathani> if folks use standard ntp you can correlate events from different systems and be sure the timestamps refer to the same time. No translation as in the case of smearing
[20:58] <brycec> (I mean, I'm not saying affected applications don't exist. I just haven't encountered one personally)