Trusted Networks Initiative: DDoS fallback set of AS'es

Hi,

I saw the following and thought it would be interesting to share. In case of a persistent DDoS an AS can fall back to a small set of (more trustable) ASes for their routing:
http://www.trustednetworksinitiative.nl/

They have a policy with procedural and technical parts, which may be upgraded later, for parties who want to participate:
https://www.thehaguesecuritydelta.com/images/20141124_Trusted_Networks_Policy_beta-vs0_7.pdf

Without having an opinion on whether everybody in the world should join this (I don't know the desired scope of this group), the idea is interesting. I had not seen something like it before.

Yours sincerely,

David Hofstee

Deliverability Management
MailPlus B.V. Netherlands (ESP)

so...:

"The principles of the solutions are simple: each participating
network at its sole discretion can step to ‘trusted internet only’ if
an emergency situation requires to temporary disconnect from the
global internet."

you're asking your ISP or set of ISPs to 'stop forwarding me packets
from X and Y and Z'

sure, why do we need a new special group and designation for that?
can't you just no-export your routes to your provider today? (or other
similar options).

this seems ... shortsighted at best and incredibly dumb at worst.

How does sending your route for AS1312 with no-export keep packets *from*
AS1312 from reaching you?

If you don't want packets from 1312 don't announce to them?

Kind regards,

Job

I'm probably at least 4-5 AS's away, and you're probably routed to us
through Cogent or similar large transit. Feel free to not announce your
routes to Cogent because you don't want packets from my AS...

(For whatever value of "Cogent" you have for your upstream)

bearing in mind that transit providers rarely give you communities to
influence their customers, just peers. There is an illusion of control
that provider no export communities provide that always requires
confirmation when applied. if 1312 buys the full internet cone they can
also install a default. so they can send you packets even if they in
fact do not have your route.

my assumption is there is more default out there than generally assumed
and work to replicate the findings in

http://www.eecs.qmul.ac.uk/~steve/papers/imc099-bush.pdf

would probably find the same thing.

lesson learned don't use an example...
Note I also said:
" (or other similar options)."

(ha! here's more examples!)
  o poison the route with remote asn in the aspath! (except for
default followers)
  o ask for packet filter from upstream isp
  o stop announcing your route
  o filter on your side of the fence.

in any case the idea still seems silly.
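To make the routing mechanics of the exchange above concrete (Chris's list of options, Job's question about no-export, and the point that an AS holding a default route can send you packets without having your route), here is an added toy model. It is not code from anyone in the thread or from the Trusted Networks Initiative. The topology is constructed; 1312 is the example ASN used above, while 64500 ("you"), 65001, 65002 and 65003 are hypothetical ASNs chosen for the illustration.

```python
"""Toy BGP propagation model (constructed example, not from the thread).

It models three things discussed above:
  * NO_EXPORT: the direct upstream installs the route but does not
    re-announce it further.
  * AS-path loop detection: an AS rejects a route whose AS_PATH already
    contains its own ASN. Poisoning puts a remote ASN in the path so that
    AS rejects the route.
  * Default routes: an AS with no route for your prefix still forwards
    packets to you if it points a default at a neighbour that does have it.
"""
from collections import deque

# Constructed topology (hypothetical ASNs except 1312, taken from the thread):
# 64500 is "you" (the origin), 65001 is your transit, 1312 and 65002 are
# 65001's neighbours, 65003 is a stub buying transit from 65002.
TOPOLOGY = {
    64500: [65001],
    65001: [64500, 65002, 1312],
    65002: [65001, 65003],
    1312: [65001],
    65003: [65002],
}


def propagate(topology, origin, poison=(), no_export=False):
    """Flood the origin's prefix through the topology with simplified BGP
    semantics: shortest path wins (BFS order), each hop prepends itself,
    and an AS whose ASN already appears in the path rejects the route.
    `poison` is a tuple of ASNs the origin inserts into its own AS_PATH.
    Returns {asn: as_path} for every AS that installs the route."""
    announced = (origin,) + tuple(poison) + (origin,) if poison else (origin,)
    tables = {origin: announced}
    queue = deque([origin])
    while queue:
        sender = queue.popleft()
        if no_export and sender != origin:
            continue  # NO_EXPORT: the neighbour keeps it but does not pass it on
        path = tables[sender]
        for nbr in topology[sender]:
            if nbr in tables or nbr in path:
                continue  # already has a path, or loop detection rejects it
            tables[nbr] = (nbr,) + path
            queue.append(nbr)
    return tables


def can_reach(topology, tables, defaults, source, dest):
    """Forward a packet hop by hop from `source` to `dest`. An AS uses its
    installed route if it has one, otherwise its default (`defaults` maps
    ASN -> neighbour ASN), otherwise the packet is dropped.
    Returns the list of ASNs traversed, or None if the packet is dropped."""
    hops = [source]
    current = source
    while current != dest:
        if current in tables:
            nxt = tables[current][1]      # path is (current, next_hop, ..., dest)
        elif current in defaults:
            nxt = defaults[current]
        else:
            return None                   # no route, no default: dropped
        if nxt in hops or nxt not in topology[current]:
            return None                   # forwarding loop or bogus default
        hops.append(nxt)
        current = nxt
    return hops


def scenarios():
    """Run the cases from the thread: plain announcement, NO_EXPORT to the
    upstream, poisoning 1312, each with and without 1312 holding a default
    toward 65001. Reports whether 1312 has your route and whether its
    packets still reach you."""
    cases = [
        ("plain", {}, {}),
        ("no_export", {"no_export": True}, {}),
        ("no_export_default", {"no_export": True}, {1312: 65001}),
        ("poison_1312", {"poison": (1312,)}, {}),
        ("poison_1312_default", {"poison": (1312,)}, {1312: 65001}),
    ]
    results = {}
    for name, kwargs, defaults in cases:
        tables = propagate(TOPOLOGY, 64500, **kwargs)
        results[name] = {
            "1312_has_route": 1312 in tables,
            "1312_reaches_you": can_reach(TOPOLOGY, tables, defaults, 1312, 64500),
        }
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:22s} route@1312={outcome['1312_has_route']!s:5s} "
              f"packets from 1312: {outcome['1312_reaches_you']}")
```

Withholding the route (NO_EXPORT or poisoning) only stops 1312 from forwarding to you when 1312 has no default; as soon as it points a default at a transit that does carry your route, its packets arrive exactly as before. That is the gap the thread is pointing at: controlling what you announce shapes how others route to you, but it is not a packet filter.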

in any case the idea still seems silly.

not if you need to appear to be DOING SOMETHING!!!

to be fair, I do tend to forget this point :frowning:

It's only a problem when it distracts from actually doing something.

randy, please excuse tiPos

Of course there is that. But in order to appear to be doing something
one has to pledge to do BCP38 and various other things I would consider
BCP. All little bits help.

Daniel (no affiliation with this particular initiative)

in any case the idea still seems silly.

not if you need to appear to be DOING SOMETHING!!!

Of course there is that. But in order to appear to be doing something
one has to pledge to do BCP38 and various other things I would consider
BCP. All little bits help.

except the big logo marketing has the implication that all the rest of
us unwashed networks are untrustable. this is not the cooperative
internet.

randy

Randy,

is this any different than the architecture Rodney Joffe built 20 years ago?

manning
bmanning@karoshi.com
PO Box 12317
Marina del Rey, CA 90295
310.322.8102

It is indeed an interesting proposal, though not one that’s perhaps fully informed of the intricacies of commercial routing economics.

Two things worthy of note for this audience, I think:

First, I don’t know that anyone is expecting networks that do not consider themselves to be principally Dutch in nationality to participate.

Second, this is a proposal of the Hague Security Delta, which is, in essence, a group of think-tanks. It is not a proposal of the Dutch government, nor of the Dutch Internet Service Providers. That is not intended to speak to the merit of the proposal, which has both good and bad points. Just to indicate that it is neither a home-grown ISP thing, nor something the Dutch government is mandating or advocating.

                                -Bill

hi lazarus,

in any case the idea still seems silly.

not if you need to appear to be DOING SOMETHING!!!

Of course there is that. But in order to appear to be doing
something one has to pledge to do BCP38 and various other things I
would consider BCP. All little bits help.

except the big logo marketing has the implication that all the rest
of us unwashed networks are untrustable. this is not the
cooperative internet.

You can apply to become a member in the initiative.

is this any different than the architecture Rodney Joffe built 20
years ago?

as the recent L(3)/TM global disaster made quite clear, it is not
architecture; it's marketing literature. we can get that stuff printed
at a local copy shop.

randy

as the recent L(3)/TM global disaster made quite clear, it is not
architecture; it's marketing literature.

and let's give a shoutout to jared and mike

randy