I’m sure some of you have read about this recent
incident; https://bgpstream.com/event/144058 .
Nowadays we’re talking about transport security,
https-per-default, etc. but the most fundamental parts of the
internet such as BGP, are basically broken from a security
perspective. While RPKI/ROA/ROV could fix most of the current
security-related struggles, their deployment currently competes
somewhat with IPv6 - or even worse - and therefore won’t be a
practical solution in the forseeable future. Strict IRRDB and
route object filtering is complicated (or almost impossible) as
well.
So I’m wondering, why can't we just have an
automated blacklist like RBL's for mailservers, where all AS'es
detected for hijacking prefixes are automatically blacklisted,
similiar to Team Cymru's fullbogons feed? The list combined with
some scripting could then be used for realtime AS-path filtering
at border routers. Delisting of blacklisted ASNs should happen
only after a pre-defined amount of time (eg. 14 days) or after
paying a fee to a charity/non-profit and providing a statement
on the issue which is publicy released. The idea is to hurt
those who can’t get their stuff - especially prefix filtering -
together.
I still remember the days where everyone complained
about RBLs, nowadays almost every mailserver setup relies on
them. Sometimes extreme problems require extrem solutions.
Mit besten Grüßen
Kind Regards
Dominic Schallert, BA
| schallert.com e.U. | Hauptstraße 35b, 6800 Feldkirch, Austria |
| FN: 440372g | UID: ATU66209211 | Gerichtsstand: Feldkirch |
| Tel.: +43 680 146 1947 | Fax: +43 134 242 642 616 |
| www.schallert.com | office@schallert.com |
_______________________________________________ members-discuss mailing list members-discuss@ripe.net https://lists.ripe.net/mailman/listinfo/members-discuss Unsubscribe: https://lists.ripe.net/mailman/options/members-discuss/ml%40servperso.com