The following networks and masks are banned from our network at the core due to being smurf amplifiers.
The earlier suggestion to use the vixie blackhole system was rebuffed because the volunteers are just that, and already overworked. But re-using the existing infrastructure with suitable controls and a modest amount of cooperation and agreement has enormous potential. Using communities should be the key to safely adding different hit-lists to AS-7777 feeds. If current recipients of AS-7777 feeds could all simply add tests for specific communities to the existing route-maps being used to implement the black-holing, many different filters with even radically different policies can coexist on the same feed and each site can select which lists it chooses to use. The vixie folks could take additional feeds from selected 3rd parties and suitably tag these with the necessary communities, and yet not have to actively maintain the additional lists themselves. Paul's original list could be 7777:1, and perhaps the unsassigned address blocks should be 7777:2. Karl's list could be 7777:3 Problem areas would be when the same network is on several different hit-lists and needs the communities of each, and the fact that I believe the version of GATED Paul & Co. is running does not support communities. A simplifying rule might be that if a network were already on Pauls list(s) and tagged with 7777:1 or even combinations of communities Paul maintained, it simply would not be propagated with the addition 7777:3 community or whatever used for Karl's list. If it dropped off Paul's list(s), Karl's feed tagged 7777:3 would then be used. Perhaps the newer version of gated Paul hadn't yet installed a while ago solves all this, or perhaps someone has an idle cisco to loan/give Paul that could enable using communities with low impact on the volunteers. I wonder how many of the current recipients can handle adding a community list and then a match statement into their current black-hole route-map so it only does the current function despite additional lists being added, and if any remaining recipients unable or unwilling to deal with communities would mind using the additional filtering. Subject to the current legal agreements Paul demands, perhaps Karl could take Paul's current feed, the list of folks already signed up and authorised for the feed but that want MORE lists tagged with communities, and simply redistribute to them with his own additions suitably tagged. I don't know if they have changed, but the early AS-7777 instructions emphasised using the IP address of *THE* port facing towards Paul's machine. This is not necessary for this multi-hop application and may be difficult in a multi-homed world in any case. A loopback works well.
participants (1)
-
barton@cent.net