On Nov 30, 2012, at 2:52 PM, Montgomery, Douglas wrote:
> 
> I for one have long recognized that the current proposed system may have
> limits on its reaction time.   Certainly from my perspective, more suited
> to pre-publishing preventative data, than creating reactionary data.

And the state of the art in DDoS mitigation doesn't allow this, period.

> The question is if there is consensus on the use cases like those above,
> if it is impossible to pre-publish the potential origination ROAs before
> their need/use, and if not, could the system be made more reactive and at
> what other scaling cost?

Most folks don't buy DDoS protection services proactively (admittedly, more are 
beginning to); they buy them when they're being attacked.  We get a phone call 
and offer one of n options for mitigation, with a routing assertion being a key 
technique employed in the mix.  We also have many techniques related to our 
core businesses that require routing changes that may not have been 
pre-envisioned.  Many commercial products and solutions allow codifying this 
as well, if you so choose.

> Remember a ROA is an authorization to originate, not a declaration that is
> currently happening.   If the business relationships that bring customers
> to your DDoS mitigation service are established at a slower rate, might
> one pre-publish the necessary ROAs?

See above.  And also note that pre-publishing ROAs may well be a *policy* 
thing (e.g., disclosure attack, "methods") that those who may get attacked 
don't wish to expose before absolutely necessary.

> My own opinion is ... The observation that ResCerts are inherently linked
> to the business process of number resource allocation, and the time scales
> that operators seemed comfortable in current systems that construct policy
> from out of band data sets.  RPKI should be able to move faster than those
> current processes.
> 
> Also a personal opinion, but I am not sure that policy systems that
> operate much, much faster than the underlying processes/human systems they
> are linked to are necessarily a good thing.  I hear lots of operator
> feedback on relative comfort levels of things becoming "too automated".

Talk to anyone on the receiving end of a large scale DDoS attack Doug, you 
shouldn't have to go far.  Go tell them why it may well take hours or days to 
respond, because we've "secured" the routing system (when we've not done enough 
for me to justify investment in RPKI to my CFO).

As one reasonably skilled in the art of DDoS mitigation services, and 
commercial products that enable them, and as CSO of Verisign in my day job 
where we are commonly on the end of lots of targeted and leveraged DDoS 
attacks, and offer a service to mitigate them, this is my informed opinion.  

-danny
_______________________________________________
sidr mailing list
sidr@ietf.org
https://www.ietf.org/mailman/listinfo/sidr
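The ROA semantics both sides are arguing about (an authorization to originate, checked against whatever is actually announced) can be made concrete. The following is an added example, not code from the thread or from any RPKI implementation: it applies the RFC 6811 origin-validation rules to a constructed ROA set and shows that a DDoS mitigation provider's emergency announcement of a customer prefix is Invalid unless a ROA for the provider's ASN was published beforehand, and that a more-specific used to steer traffic additionally needs the ROA's maxLength to cover it. The prefixes (RFC 5737 documentation space) and AS numbers (RFC 5398 documentation range) are assumptions chosen for illustration.

```python
"""Route Origin Validation (RFC 6811) over a constructed ROA set.

Illustrates the point in the thread that a ROA is an *authorization* to
originate, not a statement that the origination is happening: a mitigation
provider's ASN can be pre-authorized long before it ever announces the prefix.
All prefixes and AS numbers below are constructed from documentation ranges
(RFC 5737 / RFC 5398) and are not taken from the thread.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    prefix: str       # e.g. "192.0.2.0/24"
    max_length: int   # longest prefix length the ROA authorizes
    asn: int          # origin AS authorized to announce the prefix


def validate(roas, prefix, origin_asn):
    """Return 'valid', 'invalid' or 'notfound' per RFC 6811 section 2.

    - A ROA *covers* a route when the route is equal to or more specific
      than the ROA prefix.
    - A covering ROA *matches* when the route length is <= maxLength and
      the origin AS equals the ROA's AS.
    Valid: at least one matching ROA.  Invalid: covered but no match.
    NotFound: no covering ROA at all.
    """
    route = ipaddress.ip_network(prefix, strict=True)
    covered = False
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=True)
        if net.version != route.version or not route.subnet_of(net):
            continue                       # not a covering ROA
        covered = True
        if route.prefixlen <= roa.max_length and roa.asn == origin_asn:
            return "valid"
    return "invalid" if covered else "notfound"


def authorized_origins(roas, prefix):
    """What a reader of the public RPKI repository learns about `prefix`:
    every AS number pre-authorized to originate it.  This is the disclosure
    concern raised in the thread; the repository is public by design."""
    route = ipaddress.ip_network(prefix, strict=True)
    found = set()
    for roa in roas:
        net = ipaddress.ip_network(roa.prefix, strict=True)
        if (net.version == route.version and route.subnet_of(net)
                and route.prefixlen <= roa.max_length):
            found.add(roa.asn)
    return sorted(found)


# Constructed scenario: customer AS holds 192.0.2.0/24, a separate
# mitigation provider AS announces it only while an attack is under way.
CUSTOMER_AS = 64496
MITIGATION_AS = 64500
CUSTOMER_PREFIX = "192.0.2.0/24"

# Steady state: only the customer is authorized.
ROAS_STEADY_STATE = [ROA("192.0.2.0/24", 24, CUSTOMER_AS)]

# Pre-published: the provider is authorized in advance, so the reactive
# announcement is Valid the moment it is made.  maxLength 24 means a
# more-specific /25 used to steer traffic would still be Invalid.
ROAS_PREPUBLISHED = ROAS_STEADY_STATE + [ROA("192.0.2.0/24", 24, MITIGATION_AS)]


def scenario():
    """Validation state of each announcement under both ROA sets."""
    return {
        "steady_customer":      validate(ROAS_STEADY_STATE, CUSTOMER_PREFIX, CUSTOMER_AS),
        "steady_mitigation":    validate(ROAS_STEADY_STATE, CUSTOMER_PREFIX, MITIGATION_AS),
        "prepub_mitigation":    validate(ROAS_PREPUBLISHED, CUSTOMER_PREFIX, MITIGATION_AS),
        "prepub_more_specific": validate(ROAS_PREPUBLISHED, "192.0.2.0/25", MITIGATION_AS),
        "no_roa":               validate(ROAS_PREPUBLISHED, "198.51.100.0/24", MITIGATION_AS),
        "disclosed":            authorized_origins(ROAS_PREPUBLISHED, CUSTOMER_PREFIX),
    }


if __name__ == "__main__":
    for name, state in scenario().items():
        print(f"{name:22s} {state}")
```

The `authorized_origins` helper makes the disclosure point concrete: once the provider's ROA is in the repository, anyone who fetches it can see which ASN will step in for that prefix, which is exactly the information some targets would rather not publish until it is needed.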