RE: BL of Compromised Hosts?
Robert E. Seastrom wrote: [..]
Keep in mind one thing: the draft is aimed at developing/standardizing the mechanism to propagate filtering info, _not_ to regulate nor recommend the way it should be done in production nor who should do it. I have not heard anything so far about this being unclear, as I presented it at the last IETF: http://arneill-py.sacramento.ca.us/redisfilter.ppt.

It seems to me that you are jumping into the boat late without a complete understanding of the history behind it. You put the cart before the horse: we don't have such a mechanism yet, how could you judge it?

One step at a time: first, we need vendors to implement. So far, only Cisco has shown some interest in it (CSCed45744). Some of us have set aside a 7500 to monkey with the beta code when it finally arrives [hint]. Then, all interesting parties (and when I whois AS29467 I see some legitimacy here) will evaluate how good the extended BGP feed mechanism is. If you think it stinks, just don't use it.

As for myself, I welcome the efforts of Deepak and Daniel and invite them to join their efforts to a diverse group that is willing to spend some time for the common good.

Michel.

-----Original Message-----
From: Robert E. Seastrom [mailto:rs@seastrom.com]
Sent: Sunday, February 22, 2004 3:20 PM
To: Michel Py
Cc: Deepak Jain; nanog@merit.edu
Subject: Re: BL of Compromised Hosts?

"Michel Py" <michel@arneill-py.sacramento.ca.us> writes:
> There is a regrouping of BGP feeds for various "questionable" hosts and networks around AS29467; read http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt and feel free to contact the authors.
It behooves the prospective user of said feed to read and understand draft-py, carefully research the pedigree of the data sources that go into the soup, and draw his own conclusions - taking as conservative and discriminating an approach as he deems necessary in terms of what he accepts.

I anticipate wide variance in the quality of feeds provided, based on previous conduct of the proposed initial participants. As the primary author has said in a private communique, "it's like RBL mailing lists: there are good and bad ones". Unfortunately, my reading of draft-py is that in this case, they're to be rolled up into a single feed, discernable only by community. I believe that's a step away from goodness.

Wait, you say, filtering routes is easily done by any experienced user, right? Well, yes. Not everyone's an experienced user, though. My primary concern here is one of education; the danger with a roll-up feed such as this one is that the default case is to accord equal credence to every blacklist; the naive end-user would discover that not only had he signed up for the spiritual equivalent of MAPS (conservative, responsive, and responsible) but also SPEWS (hard-to-reach, petty, vindictive, and probably going to list my home mail server or maybe my whole /24 in retaliation for casting them in a negative light in a public forum).

Of course, the RBL-consumer will learn about this when his customers call. Surprise, surprise, surprise...
> The different sources have different but commonly known communities.
... which are undocumented in draft-py itself, and among the URLs listed in Section 2 for more information, only Team Cymru offers a BGP community advisory on their web page. So, I must not be part of the "in-crowd" to know these "commonly known" communities...

---Rob
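An added example, not part of the original thread or of draft-py: a default-deny import policy for a rolled-up feed of the kind discussed above, accepting a route only when it carries a community from a source the operator has vetted and never when it covers the operator's own address space. The community values, source names and prefixes are constructed placeholders, since the thread gives no real values.

```python
import ipaddress

# Constructed placeholders: the real community values are not given on this
# page, so these private-ASN communities and source names are hypothetical.
TRUSTED = {"64512:100": "source-a"}                  # sources this operator has vetted
PROTECTED = [ipaddress.ip_network("192.0.2.0/24")]   # our own space: never blackhole it

# Constructed sample of a rolled-up feed: (prefix, communities on the route).
FEED = [
    ("198.51.100.7/32", {"64512:100"}),   # listed by a vetted source
    ("203.0.113.0/24", {"64512:200"}),    # listed by a source we have not vetted
    ("192.0.2.25/32", {"64512:100"}),     # vetted source, but it is our own mail server
    ("198.51.100.9/32", set()),           # carries no community at all
]

def classify(prefix, communities, trusted=TRUSTED, protected=PROTECTED):
    """Return (action, reason); anything not explicitly trusted is rejected."""
    net = ipaddress.ip_network(prefix)
    # Check protected space first so that no source, trusted or not, can list it.
    if any(net.overlaps(p) for p in protected):
        return "reject", "overlaps protected space"
    matched = sorted(trusted[c] for c in communities if c in trusted)
    if not matched:
        return "reject", "no trusted community"
    return "accept", "trusted: " + ",".join(matched)

def apply_policy(feed):
    """Split a feed into accepted prefixes and rejected (prefix, reason) pairs."""
    accepted, rejected = [], []
    for prefix, communities in feed:
        action, reason = classify(prefix, communities)
        if action == "accept":
            accepted.append(prefix)
        else:
            rejected.append((prefix, reason))
    return accepted, rejected

if __name__ == "__main__":
    ok, dropped = apply_policy(FEED)
    print("accepted:", ok)
    for prefix, reason in dropped:
        print("rejected:", prefix, "-", reason)
```

Logging the rejected list with its reasons shows how much of the feed comes from sources that were never evaluated, before any customer has to report it.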