North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: BL of Compromised Hosts?

  • From: Michel Py
  • Date: Sun Feb 22 21:46:48 2004

> Robert E. Seastrom wrote:
> [..]

Keep in mind one thing: the draft is aimed at developing/standardizing
the mechanism to propagate filtering info, _not_ to regulate nor
recommend the way it should be done in production nor who should do it.
I have not heard anything so far about this being unclear, as I
presented it at the last IETF: It seems to me that
you are jumping into the boat late without a complete understanding of
the history behind it.

You put the car before the horse: we don't have such a mechanism yet,
how could you judge it?

One step at a time: first, we need vendors to implement. So far, only
Cisco has shown some interest in it (CSCed45744). Some of us have set
aside a 7500 to monkey with the beta code when it finally arrives

Then, all interesting parties (an when I whois AS29467 I see some
legitimacy here) will evaluate how good the extended BGP feed mechanism
is. If you think it stinks, just don't use it.

As of myself, I welcome the efforts of Deepak and Daniel and invite them
to join their efforts to a diverse group that is willing to spend some
time for the common good.

-----Original Message-----
From: Robert E. Seastrom [mailto:[email protected]] 
Sent: Sunday, February 22, 2004 3:20 PM
To: Michel Py
Cc: Deepak Jain; [email protected]
Subject: Re: BL of Compromised Hosts?

"Michel Py" <[email protected]> writes:

> There is a regrouping of BGP feeds for various "questionable" hosts
> networks around AS29467; read
> and
> feel free to contact the authors. 

It behooves the prospective user of said feed to read and understand
draft-py, carefully research the pedigree of the data sources that go
into the soup, and draw his own conclusions - taking as conservative
and discriminating an approach as he deems necessary in terms of what
he accepts.

I anticipate wide variance in the quality of feeds provided, based on
previous conduct of the proposed initial participants.  As the primary
author has said in a private communique, "it's like RBL mailing lists:
there are good and bad ones".  Unfortunately, my reading of draft-py
is that in this case, they're to be rolled up into a single feed,
discernable only by community.  I believe that's a step away from

Wait, you say, filtering routes is easily done by any experienced
user, right?  Well, yes.  Not everyone's an experienced user, though.
My primary concern here is one of education; the danger with a roll-up
feed such as this one is that the default case is to accord equal
credence to every blacklist; the naive end-user would discover that
not only had he signed up for the spiritual equivalent of MAPS
(conservative, responsive, and responsible) but also SPEWS
(hard-to-reach, petty, vindictive, and probably going to list my home
mail server or maybe my whole /24 in retalliation for casting them in
a negative light in a public forum).  Of course, the RBL-consumer will
learn about this when his customers call.  Surprise, surprise,

> The different sources have different but commonly known communities.

... which are undocumented in draft-py itself, and among the URLs
listed in Section 2 for more information, only Team Cymru offers a BGP
community advisory on their web page.  So, I must not be part of the
"in-crowd" to know these "commonly known" communities...