nanog mailing list archives
Re: BGP Experiment
From: Owen DeLong <owen () delong com>
Date: Sat, 26 Jan 2019 11:37:05 -0800
I think that’s a bit of reductio ad absurdum from what has been said.
I would prefer that researchers collaborate to:
1. Compile a list of lists that should be notified of such experiments in
advance. Try to get the word out to as much of the community
as possible through various NOGs and other relevant industry
lists.
2. Use said list of lists to provide at least 7 days' advance notice of
such testing, ideally with links to the details of the vulnerability
in question and known vulnerable and known good code bases
for as many software/hardware platforms as feasible. (Ideally
list unknowns and solicit feedback as well).
3. Provide contact information for reporting test-related problems,
issues, affected software versions, etc. Ideally an email address
for after-action reports of data and a phone number that will
be monitored during active testing for emergent reports of
test-related service disruptions.
4. Conduct the test for incrementally longer periods over time.
e.g. start with a 15 minute test on the first try and then run
30, 60, and multi-hour tests on later dates after addressing
any reported problems during earlier tests.
I think such behavior would provide the best intersection of encouraging
patching/fixing while also minimizing disruption and harm to innocent
third parties.
Owen
On Jan 26, 2019, at 8:15 AM, Randy Bush <randy () psg com> wrote:
i just want to make sure that folk are really in agreement with what i
think i have been hearing from a lot of strident voices here.
if you know of an out-of-spec vulnerability or bug in deployed router,
switch, server, ... ops and researchers should exploit it as much as
possible in order to encourage fixing of the hole.
given the number of bugs/vulns, are you comfortable that this is going
to scale well? and this is prudent when our primary responsibility is a
running internet?
just checkin'
randy
PS: if you think this, speak up so i can note to never hire or recommend
you.
PPS: Anant Shah, Romain Fontugne, Emile Aben, Cristel Pelsser, and Randy
Bush; "Disco: Fast, Good, and Cheap Outage Detection"; TMA 2017
^^^^^ :)
