Re: Trusted Networks Initiative: DDoS fallback set of AS'es
> as the recent L(3)/TM global disaster made quite clear, it is not
> architecture; it's marketing literature.

and let's give a shoutout to jared and mike

randy
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
hi lazarus,

>>>>>> in any case the idea still seems silly.
>>>>> not if you need to appear to be DOING SOMETHING!!!
>>>> Of course there is that. But in order to appear to be doing something
>>>> one has to pledge to do BCP38 and various other things I would consider
>>>> BCP. All little bits help.
>>> except the big logo marketing has the implication that all the rest
>>> of us unwashed networks are untrustable. this is not the
>>> cooperative internet.
>> You can apply to become a member in the initiative.
> is this any different than the architecture Rodney Joffe built 20
> years ago?

as the recent L(3)/TM global disaster made quite clear, it is not
architecture; it's marketing literature. we can get that stuff printed
at a local copy shop.

randy
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
> On Apr 16, 2015, at 3:58 AM, David Hofstee wrote:
>
> Hi,
>
> I saw the following and thought it would be interesting to share. In case of
> a persistent DDoS an AS can fall back to a small set of (more trustable)
> AS'es for their routing:
> http://www.trustednetworksinitiative.nl/

It is indeed an interesting proposal, though not one that's perhaps fully
informed of the intricacies of commercial routing economics. Two things
worthy of note for this audience, I think:

First, I don't know that anyone is expecting networks that do not consider
themselves to be principally Dutch in nationality to participate.

Second, this is a proposal of the Hague Security Delta, which is, in
essence, a group of think-tanks. It is not a proposal of the Dutch
government, nor of the Dutch Internet Service Providers. That is not
intended to speak to the merit of the proposal, which has both good and
bad points. Just to indicate that it is neither a home-grown ISP thing,
nor something the Dutch government is mandating or advocating.

-Bill
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
is this any different than the architecture Rodney Joffe built 20 years ago?

manning
bmann...@karoshi.com
PO Box 12317
Marina del Rey, CA 90295
310.322.8102

On 1May2015Friday, at 15:41, Jac Kloots wrote:

> Randy,
>
> On Thu, 30 Apr 2015, Randy Bush wrote:
>
>>>>> in any case the idea still seems silly.
>>>> not if you need to appear to be DOING SOMETHING!!!
>>> Of course there is that. But in order to appear to be doing something
>>> one has to pledge to do BCP38 and various other things I would consider
>>> BCP. All little bits help.
>>
>> except the big logo marketing has the implication that all the rest of
>> us unwashed networks are untrustable. this is not the cooperative
>> internet.
>
> You can apply to become a member in the initiative.
>
> Jac
>
> --
> Jac Kloots
> Network Services
> SURFnet bv
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
Randy,

On Thu, 30 Apr 2015, Randy Bush wrote:

>>>> in any case the idea still seems silly.
>>> not if you need to appear to be DOING SOMETHING!!!
>> Of course there is that. But in order to appear to be doing something
>> one has to pledge to do BCP38 and various other things I would consider
>> BCP. All little bits help.
>
> except the big logo marketing has the implication that all the rest of
> us unwashed networks are untrustable. this is not the cooperative
> internet.

You can apply to become a member in the initiative.

Jac

--
Jac Kloots
Network Services
SURFnet bv
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
>>> in any case the idea still seems silly.
>> not if you need to appear to be DOING SOMETHING!!!
> Of course there is that. But in order to appear to be doing something
> one has to pledge to do BCP38 and various other things I would consider
> BCP. All little bits help.

except the big logo marketing has the implication that all the rest of
us unwashed networks are untrustable. this is not the cooperative
internet.

randy
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
On 17.04.15 3:49 , Randy Bush wrote:
>> in any case the idea still seems silly.
>
> not if you need to appear to be DOING SOMETHING!!!

Of course there is that. But in order to appear to be doing something
one has to pledge to do BCP38 and various other things I would consider
BCP. All little bits help.

Daniel (no affiliation with this particular initiative)
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
It's only a problem when it distracts from actually doing something.

randy, please excuse tiPos

> On Apr 17, 2015, at 12:31, Christopher Morrow wrote:
>
> On Thu, Apr 16, 2015 at 9:49 PM, Randy Bush wrote:
>>> in any case the idea still seems silly.
>>
>> not if you need to appear to be DOING SOMETHING!!!
>
> to be fair, I do tend to forget this point :(
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
On Thu, Apr 16, 2015 at 9:49 PM, Randy Bush wrote:
>> in any case the idea still seems silly.
>
> not if you need to appear to be DOING SOMETHING!!!

to be fair, I do tend to forget this point :(
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
> in any case the idea still seems silly.

not if you need to appear to be DOING SOMETHING!!!
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
On Thu, Apr 16, 2015 at 4:42 PM, joel jaeggli wrote:
> On 4/16/15 1:30 PM, valdis.kletni...@vt.edu wrote:
>> On Thu, 16 Apr 2015 22:13:56 +0200, Job Snijders said:
>>
>>> If you don't want packets from 1312 don't announce to them?
>>
>> I'm probably at least 4-5 AS's away, and you're probably routed to us
>> through Cogent or similar large transit. Feel free to not announce your
>> routes to Cogent because you don't want packets from my AS...
>>
>> (For whatever value of "Cogent" you have for your upstream)
>
> bearing in mind that transit providers rarely give you communities to
> influence their customers, just peers. There is an illusion of control
> that provider no export communities provide that always requires
> confirmation when applied. if 1312 buys the full internet cone they can
> also install a default. so they can send you packets even if they in
> fact do not have your route.

lesson learned don't use an example...

Note I also said: "(or other similar options)."

(ha! here's more examples!)

  o poison the route with remote ASN in the aspath! (except for default followers)
  o ask for packet filter from upstream isp
  o stop announcing your route
  o filter on your side of the fence.

in any case the idea still seems silly.
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
On 4/16/15 1:30 PM, valdis.kletni...@vt.edu wrote:
> On Thu, 16 Apr 2015 22:13:56 +0200, Job Snijders said:
>
>> If you don't want packets from 1312 don't announce to them?
>
> I'm probably at least 4-5 AS's away, and you're probably routed to us
> through Cogent or similar large transit. Feel free to not announce your
> routes to Cogent because you don't want packets from my AS...
>
> (For whatever value of "Cogent" you have for your upstream)

bearing in mind that transit providers rarely give you communities to
influence their customers, just peers. There is an illusion of control
that provider no export communities provide that always requires
confirmation when applied. if 1312 buys the full internet cone they can
also install a default. so they can send you packets even if they in
fact do not have your route.

my assumption is there is more default out there than generally assumed
and work to replicate the findings in
http://www.eecs.qmul.ac.uk/~steve/papers/imc099-bush.pdf would probably
find the same thing.
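An added illustration, not posted by anyone on this thread: a toy BGP propagation model over a constructed four-AS chain (victim V, its transit P, P's peer T, and AS1312 as T's customer, the "routed to us through Cogent" picture from Valdis's mail) that checks the two points made above: a NO_EXPORT route stops *everything* past P rather than one source AS, and AS-path poisoning (Chris's first option) is bypassed by a default-following AS, as Joel notes. All ASNs other than 1312 are from the documentation range and the topology is an assumption.

```python
from collections import deque

# Constructed topology (not from the thread): victim V buys transit from P, P peers
# with T, and AS1312 (the thread's example ASN) buys transit from T.
V, P, T, A = 64500, 64496, 64497, 1312        # 64496-64511 is the documentation range
LINKS = {V: [P], P: [V, T], T: [P, A], A: [T]}

def propagate(origin, as_path, no_export=False):
    """Flood one announcement of V's prefix; return {asn: next_hop} for each AS
    that accepted it. NO_EXPORT stops re-advertisement at the origin's neighbours;
    a receiver whose ASN is already in the path rejects it (loop detection)."""
    rib = {origin: None}
    queue = deque([(origin, as_path)])
    while queue:
        sender, path = queue.popleft()
        if no_export and sender != origin:
            continue                          # NO_EXPORT: goes no further than P
        for nbr in LINKS[sender]:
            if nbr in rib or nbr in path:
                continue                      # already has a route, or loop detected
            rib[nbr] = sender
            queue.append((nbr, [nbr] + path))
    return rib

def reaches(src, rib, defaults=None):
    """Forward a packet from src toward V: RIB entry, else default route, else drop."""
    defaults, asn = defaults or {}, src
    for _ in range(len(LINKS) + 1):
        if asn == V:
            return True
        asn = rib.get(asn) or defaults.get(asn)
        if asn is None:
            return False
    return False

def scenarios():
    plain = propagate(V, [V])
    no_export = propagate(V, [V], no_export=True)
    poisoned = propagate(V, [V, A, V])        # AS-path poisoning: A rejects, T keeps it
    return {
        "plain":             reaches(A, plain),              # True
        "no_export":         reaches(A, no_export),          # False, but ...
        "no_export_transit": reaches(T, no_export),          # False: T is cut off too
        "no_export_default": reaches(A, no_export, {A: T}),  # False: T has no route either
        "poison":            reaches(A, poisoned),           # False: A dropped the path
        "poison_transit":    reaches(T, poisoned),           # True: only A is excluded
        "poison_default":    reaches(A, poisoned, {A: T}),   # True: default bypasses it
    }
```

The model ignores valley-free policy and provider communities entirely, which is the point: on a plain chain the only levers a customer holds on its own are NO_EXPORT and the AS path, and neither is a per-source filter.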
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
On Thu, 16 Apr 2015 22:13:56 +0200, Job Snijders said:
> If you don't want packets from 1312 don't announce to them?

I'm probably at least 4-5 AS's away, and you're probably routed to us
through Cogent or similar large transit. Feel free to not announce your
routes to Cogent because you don't want packets from my AS...

(For whatever value of "Cogent" you have for your upstream)
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
On Thu, Apr 16, 2015 at 04:09:43PM -0400, valdis.kletni...@vt.edu wrote:
> On Thu, 16 Apr 2015 15:39:46 -0400, Christopher Morrow said:
>> you're asking your ISP or set of ISPs to 'stop forwarding me packets
>> from X and Y and Z'
>>
>> sure, why do we need a new special group and designation for that?
>> can't you just no-export your routes to your provider today? (or other
>> similar options).
>
> How does sending your route for AS1312 with no-export keep packets *from*
> AS1312 from reaching you?

If you don't want packets from 1312 don't announce to them?

Kind regards,

Job
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
On Thu, 16 Apr 2015 15:39:46 -0400, Christopher Morrow said:
> you're asking your ISP or set of ISPs to 'stop forwarding me packets
> from X and Y and Z'
>
> sure, why do we need a new special group and designation for that?
> can't you just no-export your routes to your provider today? (or other
> similar options).

How does sending your route for AS1312 with no-export keep packets *from*
AS1312 from reaching you?
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
On Thu, Apr 16, 2015 at 6:58 AM, David Hofstee wrote:
> Hi,
>
> I saw the following and thought it would be interesting to share. In case of
> a persistent DDoS an AS can fall back to a small set of (more trustable)
> AS'es for their routing:
> http://www.trustednetworksinitiative.nl/
>
> They have a policy with procedural and technical parts, which may be upgraded
> later, for parties who want to participate:
> https://www.thehaguesecuritydelta.com/images/20141124_Trusted_Networks_Policy_beta-vs0_7.pdf
>
> Without having an opinion if everybody in the world should join this (I don't
> know the desired scope of this group), but the idea is interesting. I had not
> seen something like it before.

so...:

"The principles of the solutions are simple: each participating network
at its sole discretion can step to 'trusted internet only' if an
emergency situation requires to temporary disconnect from the global
internet."

you're asking your ISP or set of ISPs to 'stop forwarding me packets
from X and Y and Z'

sure, why do we need a new special group and designation for that?
can't you just no-export your routes to your provider today? (or other
similar options).

this seems ... shortsighted at best and incredibly dumb at worst.