[dns-operations] Storm on the DNS
aboling at gmail.com
Tue Dec 8 20:19:01 UTC 2015
On Tue, Dec 8, 2015 at 12:19 PM, Paul Vixie <paul at redbarn.org> wrote:
> On Tuesday, December 08, 2015 05:04:59 PM Jim Reid wrote:
> > One approach which might be worth trying is to reward BCP38 adopters. For
> > instance, by offering them better terms at IXPs than those who don't do
> > BCP38 or pulling the plug on those who can't/won't do BCP38. Though that
> > approach suffers from the same externality: why should IXP A do this when
> > IXP B isn't?
> right. this can't work for the same reason MLPA's aren't universally used.
Maybe we should be emphasizing which major operators *are* implementing it?
Proving this can be tricky (as has been touched on), but if we assume by
default that BCP-38 is not implemented (a safe assumption) and treat this
as an opt-in initiative, a website presenting this might help drive the
right kind of attention to the matter. Sometimes it's easier to make a case
to executives when you can present a shiny infographic of companies who are
doing what they're supposed to, and present that alongside a list of things
which people are proposing be done to those who don't join in. For the
companies who already implement this it's a free pat on the back.
Yes, it's difficult to prove that they're actually doing it from outside of
their network. Yes, even if there was a token effort to have operators run
a validation script, there's nothing to stop people from being petty and
commenting out the lines that generate packets which should not leave the
network. I still think it's a step in the right direction, and if that same
website were to provide some information for how tech savvy end users can
participate in validation it would help to keep the involved parties honest.
* End user testing would require a remotely listening program be operated
that can see the user generated packets escaping the network. There would
need to be some pre-negotiation in order to differentiate the user traffic
from other spoofed traffic that it sees. Considering the ease at which
false positives could be "submitted" (even if TCP were used to try and
validate the source network behind a given test), the main value of such a
toolchain would be heightened grass roots awareness of whether a user's own
ISPs implements BCP-38. Let's not spend too much list discussion on the
particulars of this piece, I'd rather us focus on the other details.
* It's pretty much a given that such a website and the associated listener
program (if implemented) would be eating DDoS attacks from the enemies of
this initiative. Hosting would need to be designed with this in mind from
the ground up.
* Any imminently obvious flaws in this idea that stem from my ignorance or
brainstorming when someone is two hours late for lunch.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the dns-operations