There are only a handful of buildings where you need to be in order to just be a cross-connect or switch fabric away from nearly every network in the world.
You're seeing this because that's where Comcast primarily buys transit and peers with other networks; those edges are where the congested ports are. They generally have plenty of capacity between SV1 and their CMTSes (even if they have to take you from Oakland to Sac-town to get from SF to San Jose).
This is a route leak, plain and simple. Don't forget to apply Occam's Razor. All of those sites which are "coincidentally" misbehaving are located in the same /24.
This is what is actually happening. Virgin Media peers with Cogent. Virgin prefers routes from peers over transit. Cogent is turrible at provisioning and filtering, and is a large international transit provider.
Let's look at the route from Cogent's perspective:
BGP routing table entry for 199.58.210.0/24, version 2031309347
Paths: (1 available, best #1, table Default-IP-Routing-Table)
54098 11557 4436 40015 54876
38.122.66.186 (metric 10105011) from 154.54.66.76 (154.54.66.76)
Origin incomplete, metric 0, localpref 130, valid, internal, best
Community: 174:3092 174:10031 174:20999 174:21001 174:22013
If Cogent was competent at filtering, they'd never learn a route transiting 4436 via a customer port in the first place, but most likely someone at Lionlink (54098) is leaking from one of their transit providers (Sidera, 11557) to another (Cogent, 174).
Also, traffic passing through Switzerland is a red herring -- the poster is using a geoip database to look up where a Cogent router is. GeoIP databases are typically populated by user activity, e.g., mobile devices phoning home to get wifi-based location, credit card txns, etc. None of this traffic comes from a ptp interface address on a core router. GeoIP databases tend to have a resolution of about a /24, whereas infrastructure netblocks tend to be chopped up into /30s or /31s for ptp links and /32s for loopbacks, so two adjacent /32s could physically be located in wildly different parts of the world. More than likely, that IP address was previously assigned to a customer. The more accurate source of information would be the router's hostname, which clearly indicates that it is in London. The handoff between Virgin and Cogent almost certainly happens at Telehouse in the Docklands.
If someone were, in fact, trying to intercept your traffic, they could almost certainly do so without you noticing (at least at layer 3.)
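The leak analysis above can be mechanised. The following is an added example, not code from anyone in this thread: it parses the `show ip bgp` entry quoted above, recovers the AS path, and applies two checks a transit provider would run on a customer session from the defender's side. The first is the AS-path filter the comment says Cogent should have had (reject paths from a customer that transit a large transit network such as 4436); the second is a valley-free walk over a relationship table. Only two relationships in that table come from the comment (Lionlink 54098 buys transit from both Sidera 11557 and Cogent 174); the remaining entries are constructed assumptions so the walk has something to classify, not published facts about those networks.

```python
import re

# Constructed copy of the entry quoted in the comment, used as sample input.
BGP_ENTRY = """\
BGP routing table entry for 199.58.210.0/24, version 2031309347
Paths: (1 available, best #1, table Default-IP-Routing-Table)
  54098 11557 4436 40015 54876
    38.122.66.186 (metric 10105011) from 154.54.66.76 (154.54.66.76)
      Origin incomplete, metric 0, localpref 130, valid, internal, best
      Community: 174:3092 174:10031 174:20999 174:21001 174:22013
"""


def parse_bgp_entry(text):
    """Return (prefix, as_path, communities) from a Cisco-style BGP entry."""
    prefix = re.search(r"entry for (\S+),", text).group(1)
    as_path, communities = None, []
    for line in text.splitlines():
        s = line.strip()
        if re.fullmatch(r"\d+( \d+)*", s):          # the bare AS-path line
            as_path = [int(a) for a in s.split()]
        elif s.startswith("Community:"):
            communities = s.split()[1:]
    return prefix, as_path, communities


# Relationship table. ASSUMPTION: only the 54098 entries are taken from the
# comment (54098 buys transit from 11557 and 174); the rest is illustrative.
PROVIDERS_OF = {
    54876: {40015},
    40015: {4436},
    54098: {11557, 174},
}
PEERS = {frozenset({4436, 11557})}


def edge_type(a, b):
    """Classify the hop a -> b in the direction the route was propagated."""
    if b in PROVIDERS_OF.get(a, set()):
        return "up"        # a announced the route to its provider b
    if a in PROVIDERS_OF.get(b, set()):
        return "down"      # provider a announced the route to its customer b
    if frozenset((a, b)) in PEERS:
        return "peer"
    return "unknown"


def find_valley(observer_asn, as_path):
    """Return the AS that re-exported a provider/peer route to another
    provider or peer (the 'valley'), or None if the path is valley-free."""
    # The table lists the path neighbour-first; replay it origin-first.
    propagation = list(reversed([observer_asn] + as_path))
    descending = False   # becomes True once a peer or down link is crossed
    for a, b in zip(propagation, propagation[1:]):
        kind = edge_type(a, b)
        if kind == "up" and descending:
            return a     # a went back 'up' after the route had come down
        if kind in ("peer", "down"):
            descending = True
        # 'unknown' links are ignored here; a real tool would flag them
    return None


def customer_path_filter(as_path, customer_asn, denied_transit):
    """Inbound policy for a customer session: the path must start with the
    customer's own ASN and must not transit a large transit network."""
    if as_path[0] != customer_asn:
        return False, "first AS is not the customer"
    hit = [a for a in as_path if a in denied_transit]
    if hit:
        return False, f"path transits large transit network(s) {hit}"
    return True, "accepted"


if __name__ == "__main__":
    prefix, path, comms = parse_bgp_entry(BGP_ENTRY)
    print(prefix, path, comms)
    print("leaking AS:", find_valley(174, path))
    print(customer_path_filter(path, 54098, {4436, 11557}))
```

Run against the quoted entry, the walk reports 54098 as the point where the route turned back uphill (learned from provider 11557, re-announced to provider 174), which is exactly the leak the comment describes, and the customer-session filter rejects the path on sight because it contains 4436.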
> If someone were, in fact, trying to intercept your traffic, they could almost certainly do so without you noticing (at least at layer 3.)
Then again, doing it like here would give them plausible deniability ("what? we? tracking? no, someone misconfigured a router."). Or maybe, given how those sites visibly disappear, it is an example of Zersetzung[0]?
Welcome to post-Snowden world. We just cut ourselves with Ockham's razor and now are bleeding paranoid.
Openness won in the early iterations of online services in part because there was a neutral medium over which you were able to connect to your choice of service: the PSTN.
"The difference is that cables are forever. They get better with age while components will always need to be replaced due to wear or upgraded because of improvements in technology."
The entire premise of that paper is misguided. It's fairly common for large providers[1], e.g., BT, Sprint, T-Mobile, to use several of the non-Internet-connected DOD /8s for management addresses, once they've exhausted RFC1918.
Considering the number of IP addresses they'll probably have to dedicate to every CF distribution with a custom certificate (at least one for each edge location), it's definitely reasonable.
That being said, I'm hoping they'll switch to SNI at some point. Windows XP won't be around forever (well, one can hope...). IMHO SNI is the better long-term solution (especially when it comes to costs), so once the number of clients not supporting SNI drops to a negligible number, they should go for it.
I'm curious, in addition to a lack of compatibility with Windows XP and early versions of certain browsers, is there any other reason that one wouldn't want to use SNI?
There's the (lack of) security when the client advertises the expected cert CN outside of the secure session. But the real reason is simply client support. Last I looked, about 50% of requests looked like they came from clients that didn't support SNI. Suppose a ridiculously optimistic estimate of 90% support. Is it acceptable for 10% of your clients to have security warnings when visiting your site? That's an unacceptable customer experience, personally.
I'd be curious to know what the actual numbers are...IE 7 even supports SNI, as long as it is running on Vista+. I've seen stats that say XP usage is near 15% now, and some portion of that must include non-IE browsers, so perhaps 10% might be an accurate estimate? When you "last looked", where did you find that 50% stat?
With regards to the security hole, do you mean to say that having the domain name sent in the clear before the secure session is established is the problem? Other than some narrow privacy concerns, I can't see the real issue here, given that most of the time a certain IP address implies a certain domain name, and the destination IP address needs to be sent in the clear.
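The two comments above disagree about how much the cleartext server name matters; what is not in dispute is that it is readable by anyone on the path before any key exchange happens. The following added example (mine, not from anyone in this thread) builds a minimal TLS 1.2 ClientHello with a server_name extension and then parses it back from raw bytes, with no crypto involved, which is the same thing a load balancer, a CDN front end or a passive network sensor does to pick the right certificate or to inventory which hostnames a host talks to. The cipher-suite values and the hostname are constructed sample input; the `include_sni=False` variant models the older clients the thread is worried about, which send no extension at all.

```python
import os
import struct


def build_client_hello(hostname, include_sni=True, cipher_suites=(0xC02F, 0xC030)):
    """Construct a TLS 1.2 ClientHello record (sample client, not a real stack)."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03"                          # client_version TLS 1.2
            + os.urandom(32)                     # client random
            + b"\x00"                            # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                       # one compression method: null
    if include_sni:
        name = hostname.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name type
        name_list = struct.pack("!H", len(entry)) + entry
        sni_ext = struct.pack("!HH", 0x0000, len(name_list)) + name_list
        body += struct.pack("!H", len(sni_ext)) + sni_ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the server_name from a ClientHello record, or None if absent.
    Everything read here is plaintext: no key has been negotiated yet."""
    if len(record) < 6 or record[0] != 0x16:     # not a handshake record
        return None
    hs = record[5:]
    if hs[0] != 0x01:                            # not a ClientHello
        return None
    pos = 4 + 2 + 32                             # header, version, random
    sid_len = hs[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2 + cs_len
    cm_len = hs[pos]
    pos += 1 + cm_len
    if pos >= len(hs):
        return None                              # no extensions: pre-SNI client
    ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if ext_type == 0x0000:                   # server_name extension
            p = pos + 2                          # skip ServerNameList length
            while p + 3 <= pos + elen:
                name_type = hs[p]
                nlen = struct.unpack("!H", hs[p + 1:p + 3])[0]
                if name_type == 0:               # host_name
                    return hs[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        pos += elen
    return None


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")))            # example.com
    print(extract_sni(build_client_hello("example.com", False)))     # None
```

The second call is the XP-era case from the thread: with no extension block at all the server has nothing to select a certificate on and must fall back to the one bound to the IP address, which is why the number of such clients decides whether a site can move to SNI.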
Actually, you'd be surprised -- Comcast is leading the charge on the residential IPv6 front in the US, and Time Warner Cable isn't too far behind. Verizon, the largest carrier in the US not owned by a content company (by my back-of-napkin math), has been slower in deployment of IPv6, by contrast. (OTOH, since IPv6 is critical to LTE deployment, VZW et al have been much quicker on the uptake.)
I actually think that the content hosting folks are behind the curve here. Amazon is one of the biggest hold-outs; their IPv6 rollout has thus far been a total joke. No IPv6 for Cloudfront? No IPv6 glue for Route53 authoritative nameservers? No IPv6 on VPC, barely on EC2 at all, etc., etc. From what I've heard, the management at Amazon doesn't really care about the network behind their infrastructure; instead of investing in building a backbone that could do a better job supporting this kind of stuff -- and all kinds of inter-region applications which would be useful -- they want to pretend the network doesn't exist and that nothing needs to change. It's too bad. I think we'd see more IPv6 usage if Amazon would get their act together.
I have TWC residential service. Coincidentally, I just experimented with setting up IPv6 yesterday on my Airport Extreme. TWC is not issuing IPv6 addresses at my location. So I went with an automatic tunnel (192.88.99.1). That IP is 16 hops and 150 ms away for me (anycast by Cogent in my case) and its performance was awful.
I switched to a manual tunnel from HE (tunnelbroker.net). I confirmed this worked, that my Apple devices behind the Airport Express all got IPv6 addresses and so forth, and that the performance was decent.
Experience in hand, I then tore it all down, since I couldn't think of a good reason why I really needed IPv6 at home. :-)
That's a deliberate choice on his part. He leaves out pertinent information so as to increase the reader's feeling of helplessness. If you ever read a story of his about a subject you happen to be familiar with, the amount of manipulation he engages in is nauseating.
I'm not saying this to blow off the story, I'm alarmed that there's more rate-fixing going on and suspect that we'll hear about more again. But Taibbi writes to incite, not to inform. I don't trust him any more than I trust Glenn Beck or Alex Jones.
The government, banks, big business, whatever pull out all the stops to manipulate "us" to force their view of the world. So, if the opposition are bland and straight up factual, the opposing view will not have the same impact.
I think of the political scare and hate ads that I (as a non US citizen) associate with US right wing politics, and that the US left (still right from a UK perspective) don't seem to do that, so lose out in the attention seeking stakes. People react to fear. Scare them and they will react. Sort of like with terrorists and how gov uses that fear to implement draconian policies.
But, when the non right, non business, non government, non banking people overdo the emotive stuff, they get criticised. But I think they, sadly, have to play that game to compete in the information and ideas competition. You need to scream, manipulate, and scare to get heard.
It's awful, horrible and not what I want at all, but I don't see any other way. If this article makes people think, better still act, or at least wake up, then it's done its job, IMHO.