On Mar 29, 2008, at 5:04 PM, Matt Sergeant wrote:

> On 29-Mar-08, at 10:40 PM, Douglas Otis wrote:
>
>> Both open proxy and open relay listings are _not_ routinely
>> retested without request. Open relays and proxies stay active for
>> years.
>
> While this may be true, often their IPs don't. Perhaps you should
> reconsider your lack of re-testing policy.

What is the meaning of IP? Several complained about the initial
test. However, these small open proxy and open relay lists provide
valid reasons NOT to expire listings automatically and require
additional testing.

> I'd rather not block the support of this BCP just because MAPS'
> outdated policies don't match it.
This draft cannot be considered a Best Current Practice for operating
black-hole lists without, at the minimum, clarifying the _only_
confirmable entity able to assert the governance necessary for
delisting.
Delisting policy SHOULD BE based upon the actions of the network
provider, however long that takes. After all, the network provider
(the entity advertising the address space) is the _only_ confirmable
entity able to assert network governance.
This draft defines wishes and desires, but lacks a basis in reality.
Listing or delisting automation is easily gamed, giving a significant
advantage to bad actors. This draft assumes listings can be safely
added and removed and lacks requisite interactions with network
providers. You mentioned something about anti-gaming strategies, but
then did not clarify the role of the _only_ confirmable entity related
to the address in question and able to ensure the cessation of
abuse. When IPv6 introduces a few quadrillion more IP addresses, the
complete lack of confirmable entities associated with individual IP
addresses will become more apparent.
The black-hole list DNS query mechanism places IP octets in reverse
order. This approach facilitates publishing network blocks using
wildcard entries, and frequently corresponds to AS advertisements.
While the DNS transaction may be for a single IP address, the listing
itself often involves a range of IP addresses.
-Doug
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/asrg
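The query mechanism Doug describes above (octets reversed, one label each, so that a single wildcard owner name covers a whole network block) is easy to make concrete. The following is an added example, not code from the original thread or from any DNSBL operator: it builds the reversed query name, simulates a tiny constructed zone in which one wildcard entry lists a /24 and one plain entry lists a single host, and converts a wildcard owner name back to the CIDR block it covers. The zone name `bl.example`, the record set and the 127.0.0.x answer values are all constructed for the example. The IPv6 branch (one label per reversed nibble, the RFC 5782 convention) goes beyond what the post states and is included only to show how the label count grows.

```python
import ipaddress

# Constructed example zone. A wildcard owner name lists an entire /24 with a
# single record; the second entry lists one host. Answer values are arbitrary.
ZONE = "bl.example"
RECORDS = {
    "*.2.0.192.bl.example.": "127.0.0.2",    # covers all of 192.0.2.0/24
    "1.113.0.203.bl.example.": "127.0.0.3",  # covers only 203.0.113.1
}


def dnsbl_query_name(addr: str, zone: str) -> str:
    """Build the DNSBL query name for an address.

    IPv4: the four octets in reverse order, one label each (as in the post).
    IPv6: the 32 hex nibbles in reverse order, one label each (RFC 5782
    convention; an extension beyond what the post describes).
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + zone.rstrip(".") + "."


def lookup(qname: str, records=RECORDS):
    """Simulate a resolver: exact owner first, then wildcard synthesis.

    A wildcard '*.X' answers for any name under X that has no record of its
    own, which is what lets one entry stand for a whole reversed block.
    """
    if qname in records:
        return records[qname]
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):
        candidate = "*." + ".".join(labels[i:])
        if candidate in records:
            return records[candidate]
    return None


def is_listed(addr: str, zone: str, records=RECORDS):
    """Return the DNSBL answer for addr, or None when it is not listed."""
    return lookup(dnsbl_query_name(addr, zone), records)


def wildcard_to_network(owner: str, zone: str) -> ipaddress.IPv4Network:
    """Recover the IPv4 block a wildcard owner name covers.

    '*.2.0.192.bl.example.' -> 192.0.2.0/24: un-reverse the labels, pad with
    zero octets, and the prefix length is 8 bits per present label.
    """
    suffix = "." + zone.rstrip(".") + "."
    if not (owner.startswith("*.") and owner.endswith(suffix)):
        raise ValueError("not a wildcard owner name in this zone")
    rev = owner[2:-len(suffix)].split(".")
    octets = rev[::-1] + ["0"] * (4 - len(rev))
    return ipaddress.ip_network(".".join(octets) + f"/{8 * len(rev)}")


if __name__ == "__main__":
    for a in ("192.0.2.77", "203.0.113.1", "198.51.100.9"):
        print(a, "->", dnsbl_query_name(a, ZONE), "=>", is_listed(a, ZONE))
    print("*.2.0.192 covers", wildcard_to_network("*.2.0.192.bl.example.", ZONE))
    print("IPv6 labels:", dnsbl_query_name("2001:db8::1", ZONE).count(".") - 2)
```

Running the block shows the point of the post: the resolver asks about one address, but the zone answers from a single wildcard record that covers every address in 192.0.2.0/24, and the same reversed-label layout works for any octet-aligned block (/8, /16, /24) by trimming labels. The IPv6 line illustrates the scale remark in the post: a /128 query name carries 32 labels instead of 4.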