nanog mailing list archives
Re: Any way to P-T-P Distribute the RBL lists?
From: ratul mahajan <ratul () cs washington edu>
Date: Thu, 25 Sep 2003 18:50:08 -0700
something not very far from the discussion on this thread was proposed last year by some researchers at columbia. for those of you who like reading academic papers: http://www1.cs.columbia.edu/~danr/publish/2002/Kero2002:SOS-camera.pdf
-- ratul

Aaron Dewell wrote:

On Thu, 25 Sep 2003, Eric A. Hall wrote:

> > I know you all have probably already thought of this, but
> > can anyone think of a feasible way to run a RBL list that does not have
> > a single point of failure? Or any attackable entry?
>
> Easy. Have the master server only be reachable by replication partners
> through a VPN connection, and have dozens of secondaries advertising
> through multiple anycast addresses.

So why couldn't you follow this plan without the VPN and anycast? Have a couple of master servers totally unpublished (nobody except the secondaries know about it), then have dozens of secondaries that are the ones actually used (or AXFR'd off of). You can't attack all the secondaries at once if there are enough of them, and the master server is unknown (hopefully).

You could certainly improve on that system with a VPN, but the service is reasonable without it. Make your secondaries be volunteers who sign an agreement to never tell anyone what your master IP addresses are. If they get out, shift the master files to a secondary, notify the other secondaries by secure channels, and you're back in business.

Even better - Publish all the servers, nobody knows who the masters are of this list of N servers, and rotate it when needed or every so often. I'd be a secondary/rotating master in that setup. I'm sure you'd get a bunch of volunteers.

Aaron