94 comments

[ 3.5 ms ] story [ 185 ms ] thread
Does anyone know why I can't reach archive.is anymore from The Netherlands these days?
I have Cloudflare with fallback to Google and I need to refresh a few times to make it fallback and work. This spat is kinda ridiculous.
I’m not really understanding the crux of it. Even if archive.is doesn’t get your location via DNS, won’t they get it anyways immediately one millisecond later when you issue an HTTP GET request?
Yes, the receiving webserver will get the IP with the HTTP GET, but it's mostly too late to be useful for serving users from a server with minimal latency.

The EDNS client subnet feature reveals the clients subnet (but not entire IP) to the nameserver that answers the DNS query, which is then cached by Cloudflare/Google. This allows the nameserver to do geolocation at the DNS stage and direct the end user to a server with minimal latency.

Without EDNS client subnet, you could get the IP for an archive.is frontend in a different continent and have a slow site experience. While the frontend server will get your IP, it's too late to do much about it under normal circumstances. An HTTP redirect would cost time, and you'd have to have different domains for each data center/region which is one thing you can avoid with the client subnet feature to start with.

Frankly they (archive.is) wouldn't have this issue if they used BGP anycast. DNS was never designed to facilitate regional load balancing.
I thought anycast wasn't reliable for TCP sessions?

You can serve UDP services (eg DNS) by anycast, but if you hosted a tcp service, there's no guarantee the same server would receive consecutive packets from the tcp stream

It is rarely an issue in practice. There are workarounds to minimize connection resets. Using ECMP hashing on routers and a tiered load balancing topology are important.

https://vincent.bernat.ch/en/blog/2018-multi-tier-loadbalanc...

https://blog.cloudflare.com/high-availability-load-balancers...

https://engineering.linkedin.com/network-performance/tcp-ove...

Seems like LinkedIn had to do some finessing and still couldn't go with global anycast.

How do CDNs work without controlling DNS resolution by source subnet?

Presumably a CDN has better and more direct peerings with ISPs than LinkedIn, or admittedly archive.is.
Cloudflare uses any cast, and they deal with it by making every external node able to handle every public IP that they have. If packets in a TCP stream end up going to different nodes, then they deal with that in their infrastructure.
> won’t they get it anyways immediately one millisecond later when you issue an HTTP GET request?

Not if you're using a VPN in addition to Cloudflare servers.

True. In that case, why wouldn’t you send all traffic via the VPN including your DNS?
Is this a Mac thing? You're not meant to use DNS fallback for different providers.
I can't see what a Mac has to do with this at all.

Also I can't imagine why you might think that "You're not meant to use DNS fallback for different providers." That was precisely the point it was originally designed for. The whole point of multiple resolvers is to have diversity of risk. If both your resolvers are from the same organization there's a higher chance that whatever took one out took the other out as well.

Oh man this explains so many issues I have had with archive.is, I couldn’t pinpoint the problem. Thanks for sharing this, things finally make sense now.
I'm surprised Cloudflare don't provide security by obfuscating EDNS info.
(comment deleted)
(comment deleted)
(comment deleted)
did someone roll a nat 20 in shadowrun
Doesn’t shadowrun only use d6 for all rolls?
Why does the federal government STILL have control over 6% of the internet IP's?

Edit: added the word still. I know the history but that was like 20 years or more ago.

Why did they still have so much IP space?

Because they paid to create it initially and have yet to sell their address space. There are some great stories early on that break down to: “Why are all these civilians on our network?”
Because they can.

Who's going to take it off them?

No because it was first come first served in addition to having sprouted from a government program.

Universities who got on the bandwagon first also tended to have multiple class B addresses.

I know several individuals who have /24's ("class C") blocks, including myself. I always regret not going for the class B. It would've just taken a couple of emails back in 1993.
The first place I was a network admin at they had a /16. I didn't deal with private IPs until I left that company in 2015. Even the printers were on a public IP.
(comment deleted)
A great answer in the late 70s, what's the reason for holding on to them today?
Possession is 9/10th of the law? They already have them, making it easy for them to keep them.
Back when IPv4 was enough for everyone, huge blocks of IPs were granted to corporations and governments.
Because the internet originated from a federal government project. The federal government of the USA also owns 28% of the land in the USA, means it owns 1.7% of the total land on earth.

Also, early owners got huge allocations. And the US government is an early owner.

Do you like this state of affairs having such a massive federal govt?
The same reason Apple, Ford, and Bell Labs still have giant blocks — they got in at the beginning when allocation of 4 billion addresses seemed like a non-problem, and haven’t sold out.

https://www.iana.org/assignments/ipv4-address-space/ipv4-add...

Holy moly, Apple owns all of 17 . * . * . * (workaround for HN formatting)? Wow. That's over 16 million IP addresses. Fun.
Apple at least is a major IT company, but Ford!
They needed IP addresses for all their computers. ;-)
Use \*: 17.*.*.*
This is already old news, the current who's who in the network is related to IPv6

You bet everybody already jumped in that boat. It would be interesting to know who and how.

I think I found a way for the USPS to fund the pensions for all their future yet-to-be-born workers…
"The internet", in the sense of the big TCP/IP v4 network we know today, was a DARPA-funded enhancement to the original ARPANET.

The Pentagon owns a big chunk of the internet because the Pentagon paid for the internet, basically. The more interesting bit is how much it they gave away for free, not how much it kept.

We paid for the internet. The Pentagon is paid for by taxes.
Alright, and the "we" you refer to still technically own those addresses.
But why? after all these years why did they still have those?
It’s a strategic asset. The same reason there are giant collections of old military planes out in the desert. You never know when you might need it.
I wondered about those lately. Do you happen to know if they are really in a state to make them flightworthy again if push came to shove?

I would have expected them to have deteriorated to a point where restoring them becomes a bigger effort than building new planes.

It's a dry climate and aluminum doesn't just rot. It would obviously take some money and work to bring planes out of mothballs, and probably in some cases unrepairable damage would be discovered, but I would expect most of the planes to successfully reactivate if the need was great enough. Those that couldn't be reactivated could be cannibalized for spare parts.

Consider that the Iowa class battleships spent some decades deactivated, sitting in salt water, before being reactivated several times.

They know what they're doing. But there aren't really old planes in the boneyard now. 1980s vintage and later plus a few muesum pieces that haven't been towed to the museum yet. The oddest thing out there is the tooling to make B1-B airframes.
It used to have control over 100% of them, so this is a big improvement.
The internet was created by DARPA.
This can be independently verified by running a reverse DNS lookup, which asks the name server for a magic domain: 1.2.3.4 becomes ”4.3.2.1.in-addr.arpa”, which then yields NS records for the actual domains served from that address.
To address your edit, they still do because it doesn’t really matter. We have mitigated IPv4 exhaustion with NAT, and IPv6 adoption is still growing. No one cares enough to try to do anything about it.

If you made a list of “most popular concerns about the Internet in 2021,” the size of U.S. federal IP space would be pretty far down.

NAT has problems. It isn't the same as having an IP address.

IPV6 is the solution but has been in adoption forever.

I just don't understand what the government needs with all of those IP addresses and what kind of sneaky stuff it's doing behind the scenes.

It’s not sneaky to own that much address space; just inertia. Remember that the Internet is an outgrowth of ARPANET.
The article was literally referring to some super sneaky stuff.
They use a ton of it. Millions and millions of devices around the globe on a bunch of networks.
Defense Digital Service is pretty solid. I’m not worried about this.
You don't wonder at all why they needed a private company?
Cover story. As in the DDS is the cover story for how easy it is to do a money grab in the US gov.
For tech & engineering specifically, sometimes used to get above the govt salary caps. But standard industrial complex profit maker makes sense too lol
Having talked with a guy basically trying to recruit for it at the aerospace village at Defcon one year, I can say that working for the government without really working for them (e.g. not wearing suits) was a big part of how he sold it. That you're still a civilian and things like that, but get to work on cool stuff like hacking aircrafts
Linking to paywalls should not be allowed. Obvious example of our intelligentsia thinking it's magically special in all domains of life, and now that Reddit has spread to every last corner of the internet, we just accept it.
Could this be related to the SolarWinds hack? Maybe the Pentagon was monitoring traffic to surveil vulnerable corporate infrastructure.
Could you explain how this would work?
Not exactly but here’s some quotes from an article earlier this year [1]:

> Goldstein described the project as one of the Defense Department's "many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated."

> Expanding on his [Madory] point that the Defense Department may want to "scare off any would-be squatters," he wrote that "there is a vast world of fraudulent BGP routing out there. As I've documented over the years, various types of bad actors use unrouted address space to bypass blocklists in order to send spam and other types of malicious traffic."

> On the Defense Department's goal of collecting "background Internet traffic for threat intelligence," Madory noted that "there is a lot of background noise that can be scooped up when announcing large ranges of IPv4 address space."

[1] https://arstechnica.com/information-technology/2021/04/penta...

I wonder if that company was a shell company setup by a 3 letter agency
That seems like a fairly dumb idea. The point of a CIA shell company is to hide the link to the government, isn't it?
Under what circumstances can internal traffic leak to external addresses in 11.0.0.0/8? I’d have thought it wouldn’t have been routed via a gateway if the traffic is local.
Routing decisions are made via route tables, which may include routes learned from different means: connected routes ("I have an interface in this network"), static routes, and routes learned from routing protocols (BGP, OSPF, et al). While any given routing protocol has it's own cost metric for selecting the best path, if a router has multiple routes to a network, learned from different means, there must be a way to select which route to install in the route table.

This can be tuned, but often goes in order of connected, static, external BGP, followed by internal BGP and other interior gateway protocols.

So, yeah if you learn a route from eBGP, you very well may take that path out of your own AS out to the global Internet, as opposed to internally where you are (incorrectly) using someone else's public space.

(Edit: network here includes a prefix length, where more specific prefixes are chosen over less specific ones. In the case, the public announcement is 11.0.0.0/8. If you were using this space internally, you would presumably have more specific routes than a /8)

Is it possible this is cronyism?

Wasn't the US Government looking to sell these unused addresses to bring money in?

What if this secretive shell company is just something run by a great campaign donor or someone close to the administration who planned on a good cut of these profits?

It makes me very curious who is really behind this storefront in Plantation, FL.

I'm willing to bet some money that, whoever they are, they play golf at Mar-a-Lago.
These type of comments belong on reddit
The value of these addresses is peanuts to the DOD... although it would be a fortune if it made its way into someone's pocket.
This would be my bet, as well. The company being registered in Florida also supports it, even if it’s not definitive.

People get thrown off by it being the Pentagon and come up with all these James-Bond-level theories. But DoD just happens to be the owner for historic reason.

> The company being registered in Florida also supports it, even if it’s not definitive.

Supports which baseless claim, that the orange Florida man paid kickbacks with ipv4 space? With a Florida registered foreign LLC pointing back to Delaware? Seriously?

I don't really understand the premise of the article. There's no need to change control of an ip space in a registry to assign it to some piece of network hardware. The ownership change seems to serve no purpose under the offered explanation that its purpose was bulk collection.
I was reading a thread on this site about the program and there was speculation that since these IPs are mothballed, lots of people use the address range for internal networks, particularly in China, and potentially this experiment was to get lots of networks worldwide to accidentally leak internal network traffic to the pentagon. Who knows what this thing was, but that sounds like something a government would do.
Network engineer here with more than a decade of BGP peering experience on a T1 ISP: This theory is stupid for a variety of reasons. Doesn't even make sense if you understand how peering and routing actually works on the internet. This is Q-anon/ivermectin type conspiracy crap that only gets traction amongst the gullible.
Perhaps you'd care to explain why it's such a silly assumption?
Got a link? I've never heard of network engineers using an IP range because it's "mothballed".
It was a thread on this site early this year where that was part of the discussion. I don't have one, and I'm not even saying it is true, just that I found that angle interesting.