Internet2 Network Security SIG

[Bill Jensen <>]

Would implementing RPKI help with this or would its value, in the case 
of blackholing, be limited to only whom you peer with?

-wej

On 7/26/16 9:19 AM, Spears, Christopher M. wrote:
> > On Jul 26, 2016, at 9:44 AM, Grover Browning 
> > <>
> >  wrote:
> >
> > David,
> >
> > Do you see a downside to transiting?
>
> (Answering for myself, not David :)
>
> IMHO, it’s an issue of trust/verification.  At a fixed point in time, you may 
> trust a certain peer network; however you cannot control who they peer with, 
> or what they accept from those peers, or their peers, etc.   That said, the 
> route will be propagated, so you can always limit the origin-as you’ll accept 
> this from.  Of course, you’re then back to a per-peer blackhole policy, just 
> using a well-known BGP community.
>
> > For BLACKHOLE, everything I can think of begins with: "First, hijack the 
> > route …”
> Blackholing is the ultimate DOS - you get your target /32s blackholed, and 
> you’ve won.  Again, trust.  This is all destination-based hinting, not 
> source-specific ingress filtering for DDOS, and has nothing to do with route 
> hijacking.  BCP38, anti-virus/malware, anti-botnet efforts, and bleach are 
> the only solutions for DDOS at the moment.  Route hijacking has a mixed bag 
> of arguably effective tools, as well.
>
> -Chris
>
>
> > -Grover
> >
> >
> > > On Jul 25, 2016, at 7:55 PM, David Farmer 
> > > <>
> > >  wrote:
> > >
> > > if experiments show it's useful I'd support it, but right now I'm skeptical 
> > > how useful transiting this would be for us.

--
Bill Jensen, Network Engineer
UW-Madison DoIT Network Services
Rm B116 CSSC, 1210 W. Dayton St., Madison, WI  53706
voice: 608-263-9325  efax: 413-208-1297
email: 

   cell: 608-576-8345
sms: