I’m not really understanding the crux of it. Even if archive.is doesn’t get your location via DNS, won’t they get it anyways immediately one millisecond later when you issue an HTTP GET request?
Yes, the receiving webserver will get the IP with the HTTP GET, but it's mostly too late to be useful for serving users from a server with minimal latency.
The EDNS client subnet feature reveals the clients subnet (but not entire IP) to the nameserver that answers the DNS query, which is then cached by Cloudflare/Google. This allows the nameserver to do geolocation at the DNS stage and direct the end user to a server with minimal latency.
Without EDNS client subnet, you could get the IP for an archive.is frontend in a different continent and have a slow site experience. While the frontend server will get your IP, it's too late to do much about it under normal circumstances. An HTTP redirect would cost time, and you'd have to have different domains for each data center/region which is one thing you can avoid with the client subnet feature to start with.
I thought anycast wasn't reliable for TCP sessions?
You can serve UDP services (eg DNS) by anycast, but if you hosted a tcp service, there's no guarantee the same server would receive consecutive packets from the tcp stream
It is rarely an issue in practice. There are workarounds to minimize connection resets. Using ECMP hashing on routers and a tiered load balancing topology are important.
Cloudflare uses any cast, and they deal with it by making every external node able to handle every public IP that they have.
If packets in a TCP stream end up going to different nodes, then they deal with that in their infrastructure.
I can't see what a Mac has to do with this at all.
Also I can't imagine why you might think that "You're not meant to use DNS fallback for different providers." That was precisely the point it was originally designed for. The whole point of multiple resolvers is to have diversity of risk. If both your resolvers are from the same organization there's a higher chance that whatever took one out took the other out as well.
Oh man this explains so many issues I have had with archive.is, I couldn’t pinpoint the problem. Thanks for sharing this, things finally make sense now.
Because they paid to create it initially and have yet to sell their address space. There are some great stories early on that break down to: “Why are all these civilians on our network?”
I know several individuals who have /24's ("class C") blocks, including myself. I always regret not going for the class B. It would've just taken a couple of emails back in 1993.
The first place I was a network admin at they had a /16. I didn't deal with private IPs until I left that company in 2015. Even the printers were on a public IP.
Because the internet originated from a federal government project. The federal government of the USA also owns 28% of the land in the USA, means it owns 1.7% of the total land on earth.
Also, early owners got huge allocations. And the US government is an early owner.
The same reason Apple, Ford, and Bell Labs still have giant blocks — they got in at the beginning when allocation of 4 billion addresses seemed like a non-problem, and haven’t sold out.
CIDR notation is how you notate these; Apple owns 17.0.0.0/8; the /8 meaning "8 bits identify the network portion", so just the first octet, or the 17.
"The internet", in the sense of the big TCP/IP v4 network we know today, was a DARPA-funded enhancement to the original ARPANET.
The Pentagon owns a big chunk of the internet because the Pentagon paid for the internet, basically. The more interesting bit is how much it they gave away for free, not how much it kept.
It's a dry climate and aluminum doesn't just rot. It would obviously take some money and work to bring planes out of mothballs, and probably in some cases unrepairable damage would be discovered, but I would expect most of the planes to successfully reactivate if the need was great enough. Those that couldn't be reactivated could be cannibalized for spare parts.
Consider that the Iowa class battleships spent some decades deactivated, sitting in salt water, before being reactivated several times.
They know what they're doing. But there aren't really old planes in the boneyard now. 1980s vintage and later plus a few muesum pieces that haven't been towed to the museum yet. The oddest thing out there is the tooling to make B1-B airframes.
This can be independently verified by running a reverse DNS lookup, which asks the name server for a magic domain: 1.2.3.4 becomes ”4.3.2.1.in-addr.arpa”, which then yields NS records for the actual domains served from that address.
To address your edit, they still do because it doesn’t really matter. We have mitigated IPv4 exhaustion with NAT, and IPv6 adoption is still growing. No one cares enough to try to do anything about it.
If you made a list of “most popular concerns about the Internet in 2021,” the size of U.S. federal IP space would be pretty far down.
For tech & engineering specifically, sometimes used to get above the govt salary caps. But standard industrial complex profit maker makes sense too lol
Having talked with a guy basically trying to recruit for it at the aerospace village at Defcon one year, I can say that working for the government without really working for them (e.g. not wearing suits) was a big part of how he sold it. That you're still a civilian and things like that, but get to work on cool stuff like hacking aircrafts
Linking to paywalls should not be allowed. Obvious example of our intelligentsia thinking it's magically special in all domains of life, and now that Reddit has spread to every last corner of the internet, we just accept it.
Not exactly but here’s some quotes from an article earlier this year [1]:
> Goldstein described the project as one of the Defense Department's "many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated."
> Expanding on his [Madory] point that the Defense Department may want to "scare off any would-be squatters," he wrote that "there is a vast world of fraudulent BGP routing out there. As I've documented over the years, various types of bad actors use unrouted address space to bypass blocklists in order to send spam and other types of malicious traffic."
> On the Defense Department's goal of collecting "background Internet traffic for threat intelligence," Madory noted that "there is a lot of background noise that can be scooped up when announcing large ranges of IPv4 address space."
Under what circumstances can internal traffic leak to external addresses in 11.0.0.0/8? I’d have thought it wouldn’t have been routed via a gateway if the traffic is local.
Routing decisions are made via route tables, which may include routes learned from different means: connected routes ("I have an interface in this network"), static routes, and routes learned from routing protocols (BGP, OSPF, et al). While any given routing protocol has it's own cost metric for selecting the best path, if a router has multiple routes to a network, learned from different means, there must be a way to select which route to install in the route table.
This can be tuned, but often goes in order of connected, static, external BGP, followed by internal BGP and other interior gateway protocols.
So, yeah if you learn a route from eBGP, you very well may take that path out of your own AS out to the global Internet, as opposed to internally where you are (incorrectly) using someone else's public space.
(Edit: network here includes a prefix length, where more specific prefixes are chosen over less specific ones. In the case, the public announcement is 11.0.0.0/8. If you were using this space internally, you would presumably have more specific routes than a /8)
Wasn't the US Government looking to sell these unused addresses to bring money in?
What if this secretive shell company is just something run by a great campaign donor or someone close to the administration who planned on a good cut of these profits?
It makes me very curious who is really behind this storefront in Plantation, FL.
This would be my bet, as well. The company being registered in Florida also supports it, even if it’s not definitive.
People get thrown off by it being the Pentagon and come up with all these James-Bond-level theories. But DoD just happens to be the owner for historic reason.
> The company being registered in Florida also supports it, even if it’s not definitive.
Supports which baseless claim, that the orange Florida man paid kickbacks with ipv4 space? With a Florida registered foreign LLC pointing back to Delaware? Seriously?
I don't really understand the premise of the article. There's no need to change control of an ip space in a registry to assign it to some piece of network hardware. The ownership change seems to serve no purpose under the offered explanation that its purpose was bulk collection.
I was reading a thread on this site about the program and there was speculation that since these IPs are mothballed, lots of people use the address range for internal networks, particularly in China, and potentially this experiment was to get lots of networks worldwide to accidentally leak internal network traffic to the pentagon. Who knows what this thing was, but that sounds like something a government would do.
Network engineer here with more than a decade of BGP peering experience on a T1 ISP: This theory is stupid for a variety of reasons. Doesn't even make sense if you understand how peering and routing actually works on the internet. This is Q-anon/ivermectin type conspiracy crap that only gets traction amongst the gullible.
It was a thread on this site early this year where that was part of the discussion. I don't have one, and I'm not even saying it is true, just that I found that angle interesting.
94 comments
[ 3.5 ms ] story [ 185 ms ] threadhttps://jarv.is/notes/cloudflare-dns-archive-is-blocked/
The EDNS client subnet feature reveals the clients subnet (but not entire IP) to the nameserver that answers the DNS query, which is then cached by Cloudflare/Google. This allows the nameserver to do geolocation at the DNS stage and direct the end user to a server with minimal latency.
Without EDNS client subnet, you could get the IP for an archive.is frontend in a different continent and have a slow site experience. While the frontend server will get your IP, it's too late to do much about it under normal circumstances. An HTTP redirect would cost time, and you'd have to have different domains for each data center/region which is one thing you can avoid with the client subnet feature to start with.
You can serve UDP services (eg DNS) by anycast, but if you hosted a tcp service, there's no guarantee the same server would receive consecutive packets from the tcp stream
https://vincent.bernat.ch/en/blog/2018-multi-tier-loadbalanc...
https://blog.cloudflare.com/high-availability-load-balancers...
https://engineering.linkedin.com/network-performance/tcp-ove...
How do CDNs work without controlling DNS resolution by source subnet?
Not if you're using a VPN in addition to Cloudflare servers.
Also I can't imagine why you might think that "You're not meant to use DNS fallback for different providers." That was precisely the point it was originally designed for. The whole point of multiple resolvers is to have diversity of risk. If both your resolvers are from the same organization there's a higher chance that whatever took one out took the other out as well.
In any case in order to maintain privacy I use https://dnscrypt.info it has an anonymized DNS option https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Anonymized-D...
I then just use unbound and forward that to DNSCrypt on my router. https://wiki.archlinux.org/title/DNSCrypt#Unbound
Edit: added the word still. I know the history but that was like 20 years or more ago.
Why did they still have so much IP space?
Who's going to take it off them?
Universities who got on the bandwagon first also tended to have multiple class B addresses.
Also, early owners got huge allocations. And the US government is an early owner.
https://www.iana.org/assignments/ipv4-address-space/ipv4-add...
https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing...
Coincidentally, CIDR doesn't conflict with the HN comment syntax.
Sometimes shortened to 17/8, but… I wouldn't recommend that.
This isn't Ipv6! :P
You bet everybody already jumped in that boat. It would be interesting to know who and how.
The Pentagon owns a big chunk of the internet because the Pentagon paid for the internet, basically. The more interesting bit is how much it they gave away for free, not how much it kept.
I would have expected them to have deteriorated to a point where restoring them becomes a bigger effort than building new planes.
Consider that the Iowa class battleships spent some decades deactivated, sitting in salt water, before being reactivated several times.
If you made a list of “most popular concerns about the Internet in 2021,” the size of U.S. federal IP space would be pretty far down.
IPV6 is the solution but has been in adoption forever.
I just don't understand what the government needs with all of those IP addresses and what kind of sneaky stuff it's doing behind the scenes.
> Goldstein described the project as one of the Defense Department's "many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats. We are partnering throughout DoD to ensure potential vulnerabilities are mitigated."
> Expanding on his [Madory] point that the Defense Department may want to "scare off any would-be squatters," he wrote that "there is a vast world of fraudulent BGP routing out there. As I've documented over the years, various types of bad actors use unrouted address space to bypass blocklists in order to send spam and other types of malicious traffic."
> On the Defense Department's goal of collecting "background Internet traffic for threat intelligence," Madory noted that "there is a lot of background noise that can be scooped up when announcing large ranges of IPv4 address space."
[1] https://arstechnica.com/information-technology/2021/04/penta...
This can be tuned, but often goes in order of connected, static, external BGP, followed by internal BGP and other interior gateway protocols.
So, yeah if you learn a route from eBGP, you very well may take that path out of your own AS out to the global Internet, as opposed to internally where you are (incorrectly) using someone else's public space.
(Edit: network here includes a prefix length, where more specific prefixes are chosen over less specific ones. In the case, the public announcement is 11.0.0.0/8. If you were using this space internally, you would presumably have more specific routes than a /8)
Wasn't the US Government looking to sell these unused addresses to bring money in?
What if this secretive shell company is just something run by a great campaign donor or someone close to the administration who planned on a good cut of these profits?
It makes me very curious who is really behind this storefront in Plantation, FL.
People get thrown off by it being the Pentagon and come up with all these James-Bond-level theories. But DoD just happens to be the owner for historic reason.
Supports which baseless claim, that the orange Florida man paid kickbacks with ipv4 space? With a Florida registered foreign LLC pointing back to Delaware? Seriously?