Trusted Networks Initiative: DDoS fallback set of AS'es
Hi,

I saw the following and thought it would be interesting to share. In case of a persistent DDoS an AS can fall back to a small set of (more trustable) AS'es for their routing: http://www.trustednetworksinitiative.nl/

They have a policy with procedural and technical parts, which may be upgraded later, for parties who want to participate: https://www.thehaguesecuritydelta.com/images/20141124_Trusted_Networks_Polic...

Without having an opinion if everybody in the world should join this (I don't know the desired scope of this group), but the idea is interesting. I had not seen something like it before.

Yours sincerely,

David Hofstee
Deliverability Management
MailPlus B.V. Netherlands (ESP)
On Thu, Apr 16, 2015 at 6:58 AM, David Hofstee <david@mailplus.nl> wrote:
> Hi,
>
> I saw the following and thought it would be interesting to share. In case of a persistent DDoS an AS can fall back to a small set of (more trustable) AS'es for their routing: http://www.trustednetworksinitiative.nl/
>
> They have a policy with procedural and technical parts, which may be upgraded later, for parties who want to participate: https://www.thehaguesecuritydelta.com/images/20141124_Trusted_Networks_Polic...
>
> Without having an opinion if everybody in the world should join this (I don't know the desired scope of this group), but the idea is interesting. I had not seen something like it before.

so...: "The principles of the solutions are simple: each participating network at its sole discretion can step to ‘trusted internet only’ if an emergency situation requires to temporary disconnect from the global internet."

you're asking your ISP or set of ISPs to 'stop forwarding me packets from X and Y and Z'

sure, why do we need a new special group and designation for that? can't you just no-export your routes to your provider today? (or other similar options).

this seems ... shortsighted at best and incredibly dumb at worst.
On Thu, 16 Apr 2015 15:39:46 -0400, Christopher Morrow said:
> you're asking your ISP or set of ISPs to 'stop forwarding me packets from X and Y and Z'
>
> sure, why do we need a new special group and designation for that? can't you just no-export your routes to your provider today? (or other similar options).

How does sending your route for AS1312 with no-export keep packets *from* AS1312 from reaching you?
On Thu, Apr 16, 2015 at 04:09:43PM -0400, Valdis.Kletnieks@vt.edu wrote:
> On Thu, 16 Apr 2015 15:39:46 -0400, Christopher Morrow said:
>> you're asking your ISP or set of ISPs to 'stop forwarding me packets from X and Y and Z'
>>
>> sure, why do we need a new special group and designation for that? can't you just no-export your routes to your provider today? (or other similar options).
>
> How does sending your route for AS1312 with no-export keep packets *from* AS1312 from reaching you?

If you don't want packets from 1312 don't announce to them?

Kind regards,

Job
On Thu, 16 Apr 2015 22:13:56 +0200, Job Snijders said:
> If you don't want packets from 1312 don't announce to them?

I'm probably at least 4-5 AS's away, and you're probably routed to us through Cogent or similar large transit. Feel free to not announce your routes to Cogent because you don't want packets from my AS...

(For whatever value of "Cogent" you have for your upstream)
On 4/16/15 1:30 PM, Valdis.Kletnieks@vt.edu wrote:
> On Thu, 16 Apr 2015 22:13:56 +0200, Job Snijders said:
>> If you don't want packets from 1312 don't announce to them?
>
> I'm probably at least 4-5 AS's away, and you're probably routed to us through Cogent or similar large transit. Feel free to not announce your routes to Cogent because you don't want packets from my AS...
>
> (For whatever value of "Cogent" you have for your upstream)

bearing in mind that transit providers rarely give you communities to influence their customers, just peers. There is an illusion of control that provider no-export communities provide that always requires confirmation when applied.

if 1312 buys the full internet cone they can also install a default. so they can send you packets even if they in fact do not have your route.

my assumption is there is more default out there than generally assumed and work to replicate the findings in http://www.eecs.qmul.ac.uk/~steve/papers/imc099-bush.pdf would probably find the same thing.
On Thu, Apr 16, 2015 at 4:42 PM, joel jaeggli <joelja@bogus.com> wrote:
> On 4/16/15 1:30 PM, Valdis.Kletnieks@vt.edu wrote:
>> On Thu, 16 Apr 2015 22:13:56 +0200, Job Snijders said:
>>> If you don't want packets from 1312 don't announce to them?
>>
>> I'm probably at least 4-5 AS's away, and you're probably routed to us through Cogent or similar large transit. Feel free to not announce your routes to Cogent because you don't want packets from my AS...
>>
>> (For whatever value of "Cogent" you have for your upstream)
>
> bearing in mind that transit providers rarely give you communities to influence their customers, just peers. There is an illusion of control that provider no-export communities provide that always requires confirmation when applied. if 1312 buys the full internet cone they can also install a default. so they can send you packets even if they in fact do not have your route.

lesson learned don't use an example...

Note I also said: "(or other similar options)." (ha! here's more examples!)

  o poison the route with remote asn' in the aspath! (except for default followers)
  o ask for packet filter from upstream isp
  o stop announcing your route
  o filter on your side of the fence.

in any case the idea still seems silly.
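The routing-side options listed above (poison the AS path, stop announcing, no-export toward the provider) and joel's earlier point that an AS holding a default route delivers packets whether or not it has your route are easy to see in a small model. The following is an added example written for this page; it is not code from the thread or from the Trusted Networks Initiative. The six-AS topology, every ASN other than the thread's AS1312, and the simplified BGP semantics (first-received path wins, NO_EXPORT stops the route at the AS that receives it, an AS drops any path containing its own number) are assumptions of the example.

```python
from collections import deque

# Constructed topology (example values, not taken from the thread): AS100 is
# "us", AS200 is our transit, AS300 a large transit (the thread's "Cogent"),
# AS1312 (the thread's example ASN) and AS400 are customers of AS300, and
# AS500 sits behind AS1312.  Links are symmetric.
LINKS = {
    100: {200},
    200: {100, 300},
    300: {200, 1312, 400},
    1312: {300, 500},
    400: {300},
    500: {1312},
}
# ASes that carry a default route pointing at a provider (AS -> next hop).
DEFAULTS = {500: 1312, 1312: 300}
NO_EXPORT = "no-export"


def propagate(origin, announce_to=None, poison=(), communities=()):
    """Flood one prefix from `origin` over LINKS.

    Returns {asn: (next_hop, as_path)} for every AS that installs the route.
      announce_to: neighbours of `origin` that get the announcement
                   (None = all of them; an empty set = stop announcing).
      poison:      ASNs spliced into the AS_PATH at origination; an AS that
                   finds its own number in the path drops the route.
      communities: with NO_EXPORT present, the AS receiving the route from
                   `origin` installs it but does not re-advertise it.
    First-received path wins (BFS order); good enough for this model.
    """
    targets = set(LINKS[origin]) if announce_to is None else set(announce_to)
    rib = {origin: (None, [origin])}
    queue = deque((nbr, origin, list(poison) + [origin]) for nbr in targets)
    while queue:
        asn, sender, path = queue.popleft()
        if asn in path or asn in rib:   # AS_PATH loop check / already installed
            continue
        rib[asn] = (sender, path)
        if NO_EXPORT in communities and sender == origin:
            continue                    # NO_EXPORT: the route stops here
        for nbr in LINKS[asn]:
            if nbr != sender:
                queue.append((nbr, asn, [asn] + path))
    return rib


def packet_reaches(src, dst, rib, defaults=DEFAULTS, max_hops=16):
    """Forward a packet hop by hop from `src` toward `dst`.

    Each AS uses its installed route if it has one, otherwise its default
    route, otherwise it drops the packet.  Returns the AS-level path taken
    on arrival, or None if the packet is dropped or exceeds `max_hops`.
    """
    hops = [src]
    while hops[-1] != dst:
        cur = hops[-1]
        if cur in rib and rib[cur][0] is not None:
            nxt = rib[cur][0]
        elif cur in defaults:
            nxt = defaults[cur]
        else:
            return None
        hops.append(nxt)
        if len(hops) > max_hops:
            return None
    return hops


def scenarios():
    """Try the routing-side options from the thread against AS1312's traffic."""
    full = propagate(100)
    no_export = propagate(100, communities={NO_EXPORT})
    poisoned = propagate(100, poison=[1312])
    silent = propagate(100, announce_to=set())
    return {
        # baseline: everyone has the route and AS1312 reaches us
        "full_tables": sorted(full),
        "full_path_from_1312": packet_reaches(1312, 100, full),
        # NO_EXPORT toward our provider stops the route at AS200, for everyone
        "no_export_tables": sorted(no_export),
        "no_export_path_from_400": packet_reaches(400, 100, no_export),
        # poisoning keeps the route out of AS1312 (and AS500 behind it) ...
        "poisoned_tables": sorted(poisoned),
        # ... but their default routes still deliver the packets to us
        "poisoned_path_from_1312": packet_reaches(1312, 100, poisoned),
        "poisoned_path_from_500": packet_reaches(500, 100, poisoned),
        # the same AS without a default is genuinely cut off
        "poisoned_no_default": packet_reaches(1312, 100, poisoned, defaults={}),
        # withdrawing entirely: nobody, wanted or not, can route to us
        "silent_tables": sorted(silent),
        "silent_path_from_1312": packet_reaches(1312, 100, silent),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:26s} {result}")
```

Running it shows the poisoned table without AS1312 in it, and AS1312's packets arriving anyway via its default toward AS300, which is the "except for default followers" caveat in the list above. The model covers only the control plane; the packet-filter options in that list (at the upstream or on your own side of the fence) act on the data plane and are the ones that do not depend on what the remote AS has in its table.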
It's only a problem when it distracts from actually doing something.

randy, please excuse tiPos
On Apr 17, 2015, at 12:31, Christopher Morrow <morrowc.lists@gmail.com> wrote:
On Thu, Apr 16, 2015 at 9:49 PM, Randy Bush <randy@psg.com> wrote:
>> in any case the idea still seems silly.
> not if you need to appear to be DOING SOMETHING!!!

to be fair, I do tend to forget this point :(
On 17.04.15 3:49 , Randy Bush wrote:
>> in any case the idea still seems silly.
> not if you need to appear to be DOING SOMETHING!!!

Of course there is that. But in order to appear to be doing something one has to pledge to do BCP38 and various other things I would consider BCP. All little bits help.

Daniel
(no affiliation with this particular initiative)
>>> in any case the idea still seems silly.
>> not if you need to appear to be DOING SOMETHING!!!
> Of course there is that. But in order to appear to be doing something one has to pledge to do BCP38 and various other things I would consider BCP. All little bits help.

except the big logo marketing has the implication that all the rest of us unwashed networks are untrustable. this is not the cooperative internet.

randy
Randy,

On Thu, 30 Apr 2015, Randy Bush wrote:
>>>> in any case the idea still seems silly.
>>> not if you need to appear to be DOING SOMETHING!!!
>> Of course there is that. But in order to appear to be doing something one has to pledge to do BCP38 and various other things I would consider BCP. All little bits help.
>
> except the big logo marketing has the implication that all the rest of us unwashed networks are untrustable. this is not the cooperative internet.

You can apply to become a member in the initiative.

Jac

--
Jac Kloots
Network Services
SURFnet bv
is this any different than the architecture Rodney Joffe built 20 years ago?

manning
bmanning@karoshi.com
PO Box 12317
Marina del Rey, CA 90295
310.322.8102

On Friday, 1 May 2015, at 15:41, Jac Kloots <Jac.Kloots@surfnet.nl> wrote:
> Randy,
>
> On Thu, 30 Apr 2015, Randy Bush wrote:
>>>>> in any case the idea still seems silly.
>>>> not if you need to appear to be DOING SOMETHING!!!
>>> Of course there is that. But in order to appear to be doing something one has to pledge to do BCP38 and various other things I would consider BCP. All little bits help.
>>
>> except the big logo marketing has the implication that all the rest of us unwashed networks are untrustable. this is not the cooperative internet.
>
> You can apply to become a member in the initiative.
>
> Jac
>
> --
> Jac Kloots
> Network Services
> SURFnet bv
hi lazarus,
>>>>>> in any case the idea still seems silly.
>>>>> not if you need to appear to be DOING SOMETHING!!!
>>>> Of course there is that. But in order to appear to be doing something one has to pledge to do BCP38 and various other things I would consider BCP. All little bits help.
>>> except the big logo marketing has the implication that all the rest of us unwashed networks are untrustable. this is not the cooperative internet.
>> You can apply to become a member in the initiative.
> is this any different than the architecture Rodney Joffe built 20 years ago?

as the recent L(3)/TM global disaster made quite clear, it is not architecture; it's marketing literature. we can get that stuff printed at a local copy shop.

randy
On Apr 16, 2015, at 3:58 AM, David Hofstee <david@mailplus.nl> wrote:
> Hi,
>
> I saw the following and thought it would be interesting to share. In case of a persistent DDoS an AS can fall back to a small set of (more trustable) AS'es for their routing: http://www.trustednetworksinitiative.nl/

It is indeed an interesting proposal, though not one that’s perhaps fully informed of the intricacies of commercial routing economics.

Two things worthy of note for this audience, I think:

First, I don’t know that anyone is expecting networks that do not consider themselves to be principally Dutch in nationality to participate.

Second, this is a proposal of the Hague Security Delta, which is, in essence, a group of think-tanks. It is not a proposal of the Dutch government, nor of the Dutch Internet Service Providers.

That is not intended to speak to the merit of the proposal, which has both good and bad points. Just to indicate that it is neither a home-grown ISP thing, nor something the Dutch government is mandating or advocating.

-Bill
participants (10)
- Bill Woodcock
- Christopher Morrow
- Daniel Karrenberg
- David Hofstee
- Jac Kloots
- Job Snijders
- joel jaeggli
- manning
- Randy Bush
- Valdis.Kletnieks@vt.edu