This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[routing-wg] request to enable ICMP echo-reply on rpki.ripe.net?
Jared Mauch
jared at puck.nether.net
Wed May 5 12:32:51 CEST 2021
Sure the most secure system doesn't allow any remote access and is likely turned off.

For a networked system having some limited exposure for diagnostics is helpful when you may have hashing or MTU issues to diagnose. One of my carriers had issues yesterday with 1500 frames to specific destinations.

Do we want to be able to debug the routing system?

Sent from my TI-99/4a

> On May 5, 2021, at 6:30 AM, Kurt Kayser <kurt_kayser at gmx.de> wrote:
>
> Hello Job,
>
> I understand your point. But there is really no big effort to check if
> Port 873 is working:
>
> <host>nc -zvw100 rpki.ripe.net 873
> Connection to rpki.ripe.net 873 port [tcp/rsync] succeeded!
>
> Let's make a security comparison, if this is really a necessary feature?
>
> regards,
>
> Kurt
>
>
>> On 05.05.21 at 12:23, Job Snijders via routing-wg wrote:
>> Hi RIPE NCC, hi all,
>>
>> In today's troubleshooting adventure, an operator experienced difficulty
>> pinpointing where exactly a connectivity issue between them and
>> rpki.ripe.net (193.0.6.138 + 2001:67c:2e8:22::c100:68a) resided.
>>
>> It would be helpful if RIPE NCC reverted disabling responding to ICMP
>> echo requests originating from the Internet. Would it be possible to
>> adjust the firewall settings to accommodate troubleshooting and
>> monitoring?
>>
>> Right now connectivity testing has to be performed directly against the
>> rsync daemon's internet-exposed TCP port (873) - but it would be much
>> cheaper and faster for both the tester and the service hoster if instead
>> ICMP echo requests could be used as an early warning system (rather than
>> the rsync service itself).
>>
>> $ ping -c 6 rpki.ripe.net
>> PING rpki.ripe.net (193.0.6.138): 56 data bytes
>>
>> --- rpki.ripe.net ping statistics ---
>> 6 packets transmitted, 0 packets received, 100.0% packet loss
>>
>> The above test result differs compared to sending echo requests to
>> molamola.ripe.net or manus.authdns.ripe.net.
>>
>> Kind regards,
>>
>> Job
>>