Douglas Otis wrote:
On Mar 29, 2008, at 5:04 PM, Matt Sergeant wrote:
On 29-Mar-08, at 10:40 PM, Douglas Otis wrote:
Both open proxy and open relay listings are _not_ routinely
retested without request. Open relays and proxies stay active for
years
While this may be true, often their IPs don't. Perhaps you should
reconsider your lack of re-testing policy.
What is the meaning of IP? Several complained about the initial
test. However, these small open proxy and open relay lists provide
valid reasons NOT to expire listings automatically and require
additional testing.
My experience has been that if you use an open proxy or open relay list
that doesn't retest, it starts yielding significantly higher FPs as the age
of the entry increases.
So much so that I (and I note Spamhaus also in the case of the XBL)
check the entry age in NJABL proxy, and ignore entries older than (I
think in both our cases) 120 days.
That's part of the reason I found SORBS lists of these types of
vulnerabilities problematic. You couldn't get entry age info, I
understand that SORBS did not (and perhaps still doesn't) expire
entries, and the FP rate was higher than I was willing to accept. So we
stopped using them.
I'd rather not block the support of this BCP just because MAPS'
outdated policies don't match it.
This draft cannot be considered a Best Current Practice for operating
black-hole lists without, at the minimum, clarifying the _only_
confirmable entity able to assert the governance necessary for
delisting.
Delisting policy SHOULD BE based upon the actions of the network
provider, however long that takes. After all, the network provider
(the entity advertising the address space) is the _only_ confirmable
entity able to assert network governance.
You would require an ISP's hostmaster request delisting of an IP that
belongs to a, say, business class customer with their own infrastructure
and admin staff simply because the customer doesn't have their own ASN.
Or even a corporate with multiple divisions with their own staff.
That's simply not going to fly.
Not the least being that the network provider usually does NOT have
access to the equipment with the problem. They may be confirmable, but
they can't necessarily assert true (as in, _fix_ specific problems)
governance, short of disconnection.
This draft defines wishes and desires, but lacks a basis in reality.
Listing or delisting automation is easily gamed, giving a significant
advantage to bad actors.
Check out Makey's DNSBL statistics. The CBL/XBL is proof to the contrary.
The black-hole list DNS query mechanism places IP octets in reverse
order. This approach facilitates publishing network blocks using
wildcard entries, and frequently corresponds to AS advertisements.
While the DNS transaction may be for a single IP address, the listing
itself often involves a range of IP addresses.
That's stating the obvious.
_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/asrg
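Two mechanics discussed in the thread above are the reversed-octet DNSBL query name (which lets a list publish whole blocks as wildcard entries) and the practice of ignoring open proxy/relay entries older than about 120 days. The following is an added illustration, not code from the thread, from NJABL, SORBS or Spamhaus; the zone name `dnsbl.example`, the listing table and its age column are constructed for the demo (real DNSBLs do not publish entry ages in their answers, which is exactly the complaint made above about SORBS).

```python
import ipaddress
from datetime import datetime, timedelta, timezone

DNSBL_ZONE = "dnsbl.example"            # hypothetical zone name (assumption)
MAX_ENTRY_AGE = timedelta(days=120)      # age cutoff mentioned in the thread

def reversed_labels(ip: str) -> str:
    """Octets of an IPv4 address in reverse order, e.g. 1.2.3.4 -> '4.3.2.1'."""
    addr = ipaddress.IPv4Address(ip)     # raises ValueError on bad input
    return ".".join(reversed(str(addr).split(".")))

def query_name(ip: str, zone: str = DNSBL_ZONE) -> str:
    """The owner name a resolver would look up for this IP in the zone."""
    return reversed_labels(ip) + "." + zone

# Constructed listing table, keyed the way entries sit in a DNSBL zone file.
# '*.9.8.7' is a wildcard covering all of 7.8.9.0/24 with one record.
# Value: (time the entry was added, reason).  The timestamps are made up.
NOW = datetime(2008, 3, 30, tzinfo=timezone.utc)
LISTINGS = {
    "4.3.2.1":  (NOW - timedelta(days=10),  "open proxy"),
    "*.9.8.7":  (NOW - timedelta(days=400), "open relay block"),
    "5.0.0.10": (NOW - timedelta(days=200), "open relay"),
}

def match_candidates(ip: str) -> list:
    """Names to try in DNS wildcard order: exact, then *.<24>, *.<16>, *.<8>."""
    parts = reversed_labels(ip).split(".")
    names = [".".join(parts)]
    for i in range(1, 4):
        names.append("*." + ".".join(parts[i:]))
    return names

def lookup(ip: str, listings=LISTINGS, now=NOW, max_age=MAX_ENTRY_AGE):
    """Return (listed, stale, reason) for an IP against the constructed table.

    A wildcard block entry answers for every host in the block, which is
    why a single-IP query can be backed by a range listing.  'stale' is
    True when the entry is older than max_age and should be ignored by a
    consumer applying the 120-day rule described in the thread.
    """
    for name in match_candidates(ip):
        if name in listings:
            listed_at, reason = listings[name]
            return True, now - listed_at > max_age, reason
    return False, False, None

def should_reject(ip: str) -> bool:
    """Policy: act on a listing only if it is present and not stale."""
    listed, stale, _ = lookup(ip)
    return listed and not stale

if __name__ == "__main__":
    for ip in ("1.2.3.4", "7.8.9.200", "10.0.0.5", "192.0.2.1"):
        print(ip, query_name(ip), lookup(ip), "reject" if should_reject(ip) else "accept")
```

The candidate order mirrors DNS wildcard resolution: an exact owner name wins over a wildcard, and the closest enclosing wildcard wins over a broader one. The age check is applied by the consumer, not the publisher, which is the position taken in the thread for lists that never expire entries on their own.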