nanog mailing list archives

Re: Open relays and open proxies


From: Paul Vixie <paul () vix com>
Date: Thu, 24 Apr 2003 23:33:48 +0000


anyone who was facile with perl could transform a full list of open relays
or proxies into something that avibgpd could use, so that you could have
your access controls implemented as routes rather than acl's.  if you
combine that with policy routing so that you can blackhole traffic based
on source rather than destination, you could get the added benefit of not
having to take/deliver the SYN only to blackhole the resulting SYN-ACK.

But how will the average BGP speaking router deal with an additional half
million routes today or million routes in a few months?  My guess is "not
well"...or do you suggest some form of aggregation that would reduce the
number of routes but penalize the innocent for being in the same
/something as open systems?

i guess i have hopes of discovering a new and better equilibrium point,
such that widely scalable, mechanistic shunning of open proxies would
cause the owners of those hosts to wake up, smell the burning coffee,
and contact their software vendor to demand improved security.

but you're right, a half million additional routes would Break Stuff in
most places.  one could pixelize, aggregate on /28 or /24 boundaries, or
maintain some kind of MRU.  but it's all very hacky compared to "upgrade
the bgp core to be able to handle a million more route$".
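
As an added illustration of the aggregation trade-off discussed above (example code written for this archive page, not from anyone in the thread): it pixelizes a constructed list of open hosts onto /32, /28 and /24 boundaries, counts the routes each choice would inject, and counts the innocent addresses that get blackholed for sharing a block with an open system. The sample addresses and the `ip route ... null0` rendering are assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample list of "open relay / open proxy" addresses drawn from the
# RFC 5737 documentation ranges; they are placeholders, not real hosts.
OPEN_HOSTS = [
    "192.0.2.10", "192.0.2.11", "192.0.2.200",
    "198.51.100.5",
    "203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4",
    "203.0.113.77", "203.0.113.254",
]


def blackhole_prefixes(hosts: List[str], prefixlen: int = 32) -> List[str]:
    """Pixelize each host up to its enclosing /prefixlen block, then collapse
    duplicate and adjacent blocks so every surviving prefix is one route."""
    blocks = [ipaddress.ip_network(f"{h}/{prefixlen}", strict=False) for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(blocks)]


def collateral_addresses(hosts: List[str], prefixlen: int = 32) -> int:
    """Addresses blackholed without being on the list: the innocents that
    happen to sit in the same /prefixlen as an open system."""
    covered = sum(ipaddress.ip_network(p).num_addresses
                  for p in blackhole_prefixes(hosts, prefixlen))
    return covered - len(set(hosts))


def tradeoff(hosts: List[str], lengths=(32, 28, 24)) -> Dict[int, Tuple[int, int]]:
    """For each aggregation boundary: (routes injected, innocent addresses hit)."""
    return {plen: (len(blackhole_prefixes(hosts, plen)),
                   collateral_addresses(hosts, plen))
            for plen in lengths}


def static_routes(hosts: List[str], prefixlen: int = 32) -> List[str]:
    """Render the prefixes in a generic 'ip route <prefix> null0' style; the
    exact syntax is an assumption and differs between routing daemons."""
    return [f"ip route {p} null0" for p in blackhole_prefixes(hosts, prefixlen)]


if __name__ == "__main__":
    for plen, (routes, innocents) in tradeoff(OPEN_HOSTS).items():
        print(f"/{plen}: {routes} routes, {innocents} innocent addresses blackholed")
    print("\n".join(static_routes(OPEN_HOSTS, 24)))
```

The prefixes are meant to be matched against the source address (the policy-routing step in the post); the script only produces the list and the numbers behind the "penalize the innocent" objection.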
