RE: BL of Compromised Hosts?

Deepak Jain wrote:
> Would anyone be interested in receiving a text or BGP
> feed of IPs of hosts known/suspected to be compromised
> and used as parts of DDOS attacks? Would anyone be
> interested in contributing their BGP views?

There is a regrouping of BGP feeds for various "questionable" hosts and
networks around AS29467; read
http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt and
feel free to contact the authors. The different sources have different
but commonly known communities.

Michel.

"Michel Py" <michel@arneill-py.sacramento.ca.us> writes:

> There is a regrouping of BGP feeds for various "questionable" hosts and
> networks around AS29467; read
> http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt and
> feel free to contact the authors.

It behooves the prospective user of said feed to read and understand
draft-py, carefully research the pedigree of the data sources that go
into the soup, and draw his own conclusions - taking as conservative
and discriminating an approach as he deems necessary in terms of what
he accepts.

I anticipate wide variance in the quality of feeds provided, based on
previous conduct of the proposed initial participants. As the primary
author has said in a private communique, "it's like RBL mailing lists:
there are good and bad ones". Unfortunately, my reading of draft-py
is that in this case, they're to be rolled up into a single feed,
discernible only by community. I believe that's a step away from
goodness.

Wait, you say, filtering routes is easily done by any experienced
user, right? Well, yes. Not everyone's an experienced user, though.
My primary concern here is one of education; the danger with a roll-up
feed such as this one is that the default case is to accord equal
credence to every blacklist; the naive end-user would discover that
not only had he signed up for the spiritual equivalent of MAPS
(conservative, responsive, and responsible) but also SPEWS
(hard-to-reach, petty, vindictive, and probably going to list my home
mail server or maybe my whole /24 in retaliation for casting them in
a negative light in a public forum). Of course, the RBL-consumer will
learn about this when his customers call. Surprise, surprise,
surprise...

> The different sources have different but commonly known communities.

... which are undocumented in draft-py itself, and among the URLs
listed in Section 2 for more information, only Team Cymru offers a BGP
community advisory on their web page. So, I must not be part of the
"in-crowd" to know these "commonly known" communities...

                                        ---Rob

"Michel Py" <michel@arneill-py.sacramento.ca.us> writes:

> There is a regrouping of BGP feeds for various "questionable" hosts and
> networks around AS29467;

That is actually not correct. AS29467 will stay in use for
BOGON and similar data. It is quite likely that other ASNs would be used
for other "questionable" hosts, possibly one for various anti-spam lists
and another for yet more "questionable" hosts such as DoS sources, etc.

The current problem is that RIR policies do not allow ASNs to be
allocated for this activity, and they want it proven as a working concept
before adding a policy for this matter is considered (I have a partially
written draft for an ARIN policy proposal that could change it, but want to see
how it works out with AS29467 first too; until then hopefully experimental
resource policies can be used, or ASNs would come from RIPE, which is more
open to community needs in general).

> read
> http://arneill-py.sacramento.ca.us/draft-py-idr-redisfilter-01.txt and
> feel free to contact the authors.

> It behooves the prospective user of said feed to read and understand
> draft-py,

Which you do not appear to have done, as the info you gave is either wrong
(possibly based on rumors which are not correct) or is taken from
information that is coming from places other than the draft itself and
is in the development stage.

The draft is not about data sources; the draft is about the changes that need
to be made to router software in handling BGP that would actually allow
the use of an outside BGP feed for filtering (or marking) routes (allowing
such feeds to come from AS numbers other than your own). Nothing in
that draft is being done in real life yet, and current bogon BGP feed
implementations are done through what can be called a BGP hack which
breaks the default route, causes leaks to outsiders if not properly filtered
and has limitations on implementation. That draft discusses using distributed
prefix filtering (which typically comes from an IBGP peer to affect routes
being sent to that peer) and extending that to allow routes from an EBGP
peer to affect routes coming from or going to other peers.

The draft was originally only for bogon filtering; during private
discussions between the authors it was changed to be more general, to be used
for other situations. Unfortunately it does still suffer from being too
BOGON specific, and when the draft was sent to IDR they immediately complained
about that too. It is however the intention of the authors that any specifics
about what is currently being done (and any URLs mentioned) and examples
be taken only as examples and not as part of the draft's discussed
concept of distributing filtering through BGP.

> carefully research the pedigree of the data sources that go
> into the soup, and draw his own conclusions - taking as conservative
> and discriminating an approach as he deems necessary in terms of what
> he accepts.

There is no "soup" - mixing different lists into the same one is discouraged.
It's expected that specific filter-list route servers would carry one or
more of one or more kinds of BGP filtering lists. The ASNs used would be
either for certain concepts (like bogons) or for groups of route servers
that carry common feeds. Each route server group would have to be identified
by a different ASN, and in order for that route server to carry multiple lists
the lists are separated based on different communities, which the route server
would identify through some website or by other means. It is up to the
actual route server maintainer to decide which lists they would carry as
being available for their users, and further up to the actual users to decide
which of the lists available at the route server they would choose to use.

Currently only the bogon route server has been partially tested; there is
nothing other than bogon lists that were tested under the brs, i.e. under
ASN29467. The lists that Cymru is providing are not being done under
this ASN, and they also provide a couple of other "private" filtering lists, which
I hope would stay under a different ASN. I also tested a couple of other lists,
also under a different private ASN (and those are not currently in active
production as I find the current BGP filtering technique to be inadequate).

> Wait, you say, filtering routes is easily done by any experienced
> user, right? Well, yes. Not everyone's an experienced user, though.
> My primary concern here is one of education; the danger with a roll-up
> feed such as this one is that the default case is to accord equal
> credence to every blacklist;

I find that most admins that decide on RBL lists are well educated about
what the lists they choose to use are (the end-users are however not always
well informed about it, and that is where most of the complaints are
coming from). I suspect that BGP admins are by their nature even better
educated and will likely do even more research prior to using anything.

> the naive end-user would discover that
> not only had he signed up for the spiritual equivalent of MAPS
> (conservative, responsive, and responsible)

Your knowledge of MAPS is somewhat historical. It's no longer considered
responsive, and is the least effective of all spam lists and not well
maintained, and that is despite it being almost the only list that people
are actually paying for. Nevertheless I'm certain many/most in the internet
community are forever grateful to MAPS for introducing this concept.

> but also SPEWS
> (hard-to-reach, petty, vindictive, and probably going to list my home
> mail server or maybe my whole /24 in retaliation for casting them in
> a negative light in a public forum).

As some know I'm not a big fan of SPEWS; I do not like their tactics of
listing entire ISP blocks including users that have nothing to do with
the particular spamming incidents (although their approach has a certain
effectiveness, as seen for example in the recent case with NAC). I do not
however find it likely that they would list somebody just because of
anti-SPEWS comments, nor do the other things you listed for them really
apply, as they do good research before listing blocks. There are also
certain misconceptions among people who do not understand the different
"levels" in SPEWS listings and complain that their block is listed
even though it is often only being "watched" (which is a good reminder for
an ISP to pay closer attention to their abuse handling situation).

> The different sources have different but commonly known communities.

> ... which are undocumented in draft-py itself, and among the URLs
> listed in Section 2 for more information, only Team Cymru offers a BGP
> community advisory on their web page. So, I must not be part of the
> "in-crowd" to know these "commonly known" communities...

It has been suggested that the draft be rewritten and even more be removed from
it, to be less bogon specific and to only describe this kind of filtering
in concept, with non-specific examples if possible. Do not take the
draft to be directly associated with the bogon route server or any other BGP
filtering projects, except that it describes how these kinds of filtering
services would operate.
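The two messages above disagree about whether a filter-list route server is a "soup" or a set of separately selectable lists, and about whether the default case accords equal credence to every list. The following is an added illustration, not code from the draft, from the bogon route server project or from anyone in this thread. It simulates the operator side of the arrangement William describes: a feed from one route server carries several lists distinguished by community, the operator opts into specific lists, feed-derived prefixes are then used to drop or mark a customer's routes, and two of the hazards named above (a feed replacing the default route, and feed routes leaking to outside peers) are checked for. Every ASN, community value and prefix here is constructed for the example; AS 65000/65001 are private ASNs standing in for a hypothetical route server and the local network, and the community numbers are not those of AS29467, Team Cymru or any real feed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values. AS 65000 stands in for a hypothetical filter-list route
# server, AS 65001 for the local network. The community numbers are invented.
FEED_ASN = 65000
LOCAL_ASN = 65001
LIST_COMMUNITIES = {
    "bogon": f"{FEED_ASN}:100",
    "ddos-sources": f"{FEED_ASN}:200",
    "spam-sources": f"{FEED_ASN}:300",
}
NO_EXPORT = "no-export"  # the well-known NO_EXPORT community, as a string here


@dataclass(frozen=True)
class Route:
    prefix: str
    communities: frozenset


def load_filter_lists(feed, chosen):
    """Split one route server's feed into per-list prefix sets.

    Only the lists the operator explicitly opted into are kept. A feed route
    whose communities match none of them is dropped, so the default is to
    trust nothing rather than every list the server happens to carry.
    """
    by_community = {c: n for n, c in LIST_COMMUNITIES.items() if n in chosen}
    lists = {name: set() for name in chosen}
    for route in feed:
        net = ipaddress.ip_network(route.prefix, strict=False)
        if net.prefixlen == 0:
            continue  # a feed must never install or replace the default route
        for comm in route.communities:
            if comm in by_community:
                lists[by_community[comm]].add(net)
    return lists


def covering_lists(prefix, lists):
    """Names of the chosen lists whose prefixes cover `prefix`."""
    net = ipaddress.ip_network(prefix, strict=False)
    return sorted(name for name, nets in lists.items()
                  if any(net.subnet_of(n) for n in nets))


def apply_policy(customer_routes, lists, action):
    """Drop or mark customer routes covered by a chosen list.

    action="drop" withholds the route; action="mark" keeps it but tags it
    with a local community that names the list that matched (same value
    portion as the feed community, under the local ASN).
    """
    result = []
    for route in customer_routes:
        hits = covering_lists(route.prefix, lists)
        if not hits:
            result.append(route)
        elif action == "mark":
            tags = {f"{LOCAL_ASN}:{LIST_COMMUNITIES[n].split(':')[1]}" for n in hits}
            result.append(Route(route.prefix, route.communities | tags))
        # action == "drop": the route is simply not re-added
    return result


def export_leaks(rib):
    """Feed-derived routes that would be re-announced to an external peer.

    Holding a feed route is only safe if it carries NO_EXPORT (or is filtered
    on every EBGP session); anything else tagged with a feed community leaks.
    """
    feed_comms = set(LIST_COMMUNITIES.values())
    return [r for r in rib
            if r.communities & feed_comms and NO_EXPORT not in r.communities]


# Constructed sample feed and customer routes (documentation prefixes).
FEED = [
    Route("10.0.0.0/8", frozenset({"65000:100", NO_EXPORT})),
    Route("192.0.2.0/24", frozenset({"65000:200"})),       # missing NO_EXPORT
    Route("198.51.100.0/24", frozenset({"65000:300", NO_EXPORT})),
    Route("0.0.0.0/0", frozenset({"65000:100"})),          # must be ignored
    Route("203.0.113.0/24", frozenset({"65000:999"})),     # unknown list
]
CUSTOMER = [
    Route("10.1.2.0/24", frozenset()),
    Route("198.51.100.0/25", frozenset()),
    Route("192.0.2.0/24", frozenset()),
    Route("203.0.113.0/24", frozenset()),
]

if __name__ == "__main__":
    chosen = load_filter_lists(FEED, {"bogon", "ddos-sources"})
    for r in apply_policy(CUSTOMER, chosen, "mark"):
        print(r.prefix, sorted(r.communities))
    print("would leak:", [r.prefix for r in export_leaks(FEED)])
```

Note that opting into only "bogon" and "ddos-sources" leaves the customer's 198.51.100.0/25 untouched even though the feed carries it under the spam list, which is the per-list selection William describes; and the leak check flags the 192.0.2.0/24 feed route that arrived without NO_EXPORT, which is the "leaks to outsiders if not properly filtered" failure mode of the current BGP hack.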

> I find that most admins that decide on RBL lists are well educated about
> what the lists they choose to use are (the end-users are however not always
> well informed about it, and that is where most of the complaints are
> coming from).

The fact that people use some of the ridiculous RBLs out there indicates
that there are still quite a few boneheads out there, and I'd be willing
to bet that they outnumber the clued ones.

You'd be surprised at how many times I've come into a consulting situation
and had to explain to executives that their problems came from some admin
using blacklists with high casualty rates and irresponsible practices
(SPEWS/etc). But hey, it gives me lots of consulting opportunity, so I
guess I shouldn't complain too much.

Every time someone gets fired/reprimanded for using SPEWS or some other
kind of list, I'm sure one more person springs up to fill their place.

> I suspect that BGP admins are by their nature even better educated and
> will likely do even more research prior to using anything.

Don't be so sure of that either; I regularly find poorly configured
routers redistributing default, loads of /24s and even /30's into their
neighbors.