
Re: [Asrg] New draft draft-irtf-asrg-bcp-blacklists-01.txt

2008-03-29 21:19:02

On Mar 29, 2008, at 5:04 PM, Matt Sergeant wrote:

> On 29-Mar-08, at 10:40 PM, Douglas Otis wrote:
>
>> Both open proxy and open relay listings are _not_ routinely retested
>> without request.  Open relays and proxies stay active for years
>
> While this may be true, often their IPs don't.  Perhaps you should
> reconsider your lack of re-testing policy.

What is the meaning of IP?  Several complained about the initial test.
However, these small open proxy and open relay lists provide valid
reasons NOT to expire listings automatically and require additional
testing.

> I'd rather not block the support of this BCP just because MAPS'
> outdated policies don't match it.

This draft cannot be considered a Best Current Practice for operating
black-hole lists without, at the minimum, clarifying the _only_
confirmable entity able to assert the governance necessary for
delisting.

Delisting policy SHOULD BE based upon the actions of the network
provider, however long that takes.  After all, the network provider
(the entity advertising the address space) is the _only_ confirmable
entity able to assert network governance.

This draft defines wishes and desires, but lacks a basis in reality.
Listing or delisting automation is easily gamed, giving a significant
advantage to bad actors.  This draft assumes listings can be safely
added and removed and lacks requisite interactions with network
providers.  You mentioned something about anti-gaming strategies, but
then did not clarify the role of the _only_ confirmable entity related
to the address in question and able to ensure the cessation of abuse.
When IPv6 introduces a few quadrillion more IP addresses, the complete
lack of confirmable entities associated with individual IP addresses
will become more apparent.

The black-hole list DNS query mechanism places IP octets in reverse
order.  This approach facilitates publishing network blocks using
wildcard entries, and frequently corresponds to AS advertisements.
While the DNS transaction may be for a single IP address, the listing
itself often involves a range of IP addresses.

-Doug
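The reversed-octet query and wildcard-block mechanism described in the last paragraph of the message above, as an added worked example (editor's code, not part of Doug's message, Matt's reply, or the draft under discussion). The zone name `dnsbl.example` and the zone contents are constructed for illustration and are not any real list. The query-name form follows RFC 5782 (reversed octets for IPv4, reversed nibbles for IPv6, the latter going beyond the message, which only discusses octets); wildcard matching follows RFC 4592 closest-encloser rules, which is where the "a listing is really a range" point shows up, including the case where a more specific host record inside a wildcarded block silently shadows the wildcard for its neighbours.

```python
import ipaddress

ZONE = "dnsbl.example"  # constructed zone apex, not a real DNSBL

# Constructed zone data (owner names relative to ZONE -> A record returned).
# Because octets are reversed, a block's prefix becomes the *suffix* of the
# owner name, so one wildcard label covers every host in a /24, /16 or /8.
CONSTRUCTED_ZONE = {
    "7.2.0.192": "127.0.0.2",    # single host 192.0.2.7
    "*.113.0.203": "127.0.0.2",  # whole block 203.0.113.0/24
    "*.51.198": "127.0.0.2",     # whole block 198.51.0.0/16
    "9.8.51.198": "127.0.0.3",   # a more specific host record inside that /16
}


def dnsbl_query_name(address: str, zone: str = ZONE) -> str:
    """Build the DNSBL query name for an IPv4 or IPv6 address (RFC 5782).

    IPv4: the four octets in reverse order.  IPv6: the 32 hex nibbles of
    the fully expanded address, each as its own label, in reverse order.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels + [zone])


def block_wildcard(cidr: str, zone: str = ZONE) -> str:
    """Owner name of a single wildcard entry covering an IPv4 block.

    Only octet-aligned prefixes (/8, /16, /24) collapse to one wildcard;
    anything finer needs several entries or per-host records.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen % 8 != 0 or net.prefixlen == 32:
        raise ValueError("only /8, /16 and /24 IPv4 blocks map to one wildcard")
    kept = net.prefixlen // 8
    octets = str(net.network_address).split(".")[:kept]
    return ".".join(["*"] + octets[::-1] + [zone])


def _ancestors(name: str):
    """Yield the proper ancestors of a relative name, longest first ('' = apex)."""
    labels = name.split(".")
    for i in range(1, len(labels) + 1):
        yield ".".join(labels[i:])


def lookup(address: str, zone_data=CONSTRUCTED_ZONE, zone: str = ZONE):
    """Resolve the query against the in-memory zone with DNS wildcard rules.

    An exact owner name wins.  Otherwise the closest encloser is the longest
    existing ancestor of the query name (every explicit owner name also
    creates its ancestors as empty non-terminals), and only
    '*.<closest encloser>' may match (RFC 4592).  A host record such as
    9.8.51.198 therefore creates the node 8.51.198, which shadows the
    *.51.198 wildcard for every other host in 198.51.8.0/24.
    Returns the A record text, or None for "not listed".
    """
    qname = dnsbl_query_name(address, zone)
    rel = qname[: -(len(zone) + 1)]
    if rel in zone_data:
        return zone_data[rel]
    nodes = set()
    for owner in zone_data:
        nodes.add(owner)
        nodes.update(_ancestors(owner))
    for anc in _ancestors(rel):
        if anc in nodes:
            wildcard = f"*.{anc}" if anc else "*"
            return zone_data.get(wildcard)
    return None


if __name__ == "__main__":
    for probe in ("192.0.2.7", "192.0.2.8", "203.0.113.55",
                  "198.51.77.1", "198.51.8.9", "198.51.8.10", "10.0.0.1"):
        print(f"{probe:>14} -> {dnsbl_query_name(probe)} -> {lookup(probe)}")
    print(dnsbl_query_name("2001:db8::1"))
```

The shadowing case (198.51.8.10 comes back unlisted although 198.51.0.0/16 is wildcarded) is the operational caveat: once a list mixes per-host records with block wildcards, the DNS data no longer says what the operator thinks it says, and a client that only sees one A-record answer per query cannot tell a host listing from a range listing.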



_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www.ietf.org/mailman/listinfo/asrg
