On Wed, 8 Oct 2014 16:42:38 +0200 Job Snijders <job@instituut.net> wrote:
> Just like chicory, personally I don't like it. Yes, Cymru has built a reputation as a clearing house for redistribution of security-related information. But... (aside from any local safety net filter), it's quite a leap to allow a single entity to inject blackholes for any prefix.
Hi Job,

Thanks for your comments. I'm aware of some other projects, including another one, much more elaborate, talked about in another session at NANOG this week. Do note, UTRS does not allow a single entity to inject black holes for any prefix, only a limited number of /32s for their own prefixes. The presentation and the information page I linked to have some additional details.
> IXPs could offer BGP or API triggered ACLs which are inserted into the peering fabric and only affect the participant's peering port(s). This way, any blackholing (either correctly applied or malicious) only affects the initiator of that blackhole and nobody else. Advantages are that aclserver does not require peers to cooperate with each other and no validation is required.
I've heard of some IXPs recently offering this service; sounds great. It has also been suggested we might talk to ISPs about how to RTBH to their customers and see if there was a way for those routes to be passed further along, perhaps to something like UTRS for further dissemination. I'm not sure that would work, but it was an interesting idea too.

Thanks for your comments,
John
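As an added illustration (not code from the thread, Team Cymru or the UTRS project), here is a policy check modelling the constraint John describes: a participant may only announce host routes (/32 or /128) that fall inside its own registered prefixes, subject to a per-participant cap. The ASNs, registered prefixes and cap below are constructed placeholders, not real UTRS data.

```python
import ipaddress

# Constructed sample registry: participant ASN -> prefixes it may blackhole within.
# Documentation ranges only; a real deployment would load this from the signup data.
AUTHORISED = {
    "AS64496": [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("2001:db8:1::/48")],
    "AS64497": [ipaddress.ip_network("198.51.100.0/24")],
}
MAX_ACTIVE = 3  # assumed per-participant cap on simultaneously active blackholes


def validate_blackhole(asn, prefix_str, active, authorised=AUTHORISED, max_active=MAX_ACTIVE):
    """Return (accepted, reason) for one blackhole announcement from `asn`.

    `active` maps ASN -> set of ip_network objects currently blackholed by it.
    """
    try:
        net = ipaddress.ip_network(prefix_str, strict=True)
    except ValueError:
        return False, "unparseable prefix"
    host_len = 32 if net.version == 4 else 128
    if net.prefixlen != host_len:
        return False, f"only /{host_len} host routes are accepted"
    allowed = authorised.get(asn, [])
    # subnet_of() raises on mixed address families, so compare versions first.
    if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
        return False, "prefix is not inside the participant's registered space"
    current = active.get(asn, set())
    if net not in current and len(current) >= max_active:
        return False, "per-participant blackhole limit reached"
    return True, "accepted"


def process(announcements, authorised=AUTHORISED, max_active=MAX_ACTIVE):
    """Apply the policy to a sequence of (asn, prefix) announcements in order.

    Returns a list of (asn, prefix, accepted, reason); accepted routes are
    recorded so later announcements are checked against the running total.
    """
    active = {}
    results = []
    for asn, prefix in announcements:
        ok, reason = validate_blackhole(asn, prefix, active, authorised, max_active)
        if ok:
            active.setdefault(asn, set()).add(ipaddress.ip_network(prefix))
        results.append((asn, prefix, ok, reason))
    return results
```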