nanog mailing list archives
Re: Open relays and open proxies
From: Paul Vixie <paul () vix com>
Date: Thu, 24 Apr 2003 23:33:48 +0000
anyone who was facile with perl could transform a full list of open relays or proxies into something that avibgpd could use, so that you could have your access controls implemented as routes rather than acl's. if you combine that with policy routing so that you can blackhole traffic based on source rather than destination, you could get the added benefit of not having to take/deliver the SYN only to blackhole the resulting SYN-ACK.

But how will the average BGP speaking router deal with an additional half million routes today or million routes in a few months? My guess is "not well"...or do you suggest some form of aggregation that would reduce the number of routes but penalize the innocent for being in the same /something as open systems?
i guess i have hopes of discovering a new and better equilibrium point, such that widely scalable, mechanistic shunning of open proxies would cause the owners of those hosts to wake up, smell the burning coffee, and contact their software vendor to demand improved security. but you're right, a half million additional routes would Break Stuff in most places. one could pixelize, aggregate on /28 or /24 boundaries, or maintain some kind of MRU. but it's all very hacky compared to "upgrade the bgp core to be able to handle a million more route$".
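The route-count versus collateral trade-off discussed in this message, as an added Python example that is not part of the original post: it aggregates a constructed list of hosts on /28 or /24 boundaries and counts how many unlisted addresses each choice would also blackhole. The function names and the `min_listed` density threshold are assumptions of this example, which goes slightly beyond the post by keeping sparse prefixes as host routes.

```python
import ipaddress
from collections import defaultdict

# Constructed sample list using documentation address ranges; not real data.
LISTED_HOSTS = [
    "192.0.2.5", "192.0.2.6", "192.0.2.7", "192.0.2.200",
    "198.51.100.17", "198.51.100.18",
    "203.0.113.77",
]

def aggregate(hosts, prefix_len, min_listed=1):
    """Return blackhole routes for the listed hosts.

    Hosts are grouped by their covering /prefix_len. A group with at least
    min_listed hosts becomes one aggregate route; smaller groups stay as
    /32 host routes (min_listed is this example's assumption, not the post's).
    """
    groups = defaultdict(set)
    for h in hosts:
        addr = ipaddress.ip_address(h)
        net = ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)
        groups[net].add(addr)
    routes = []
    for net, members in groups.items():
        if len(members) >= min_listed:
            routes.append(net)
        else:
            routes.extend(ipaddress.ip_network(f"{a}/32") for a in members)
    return sorted(routes)

def cost(routes, hosts):
    """Return (route_count, collateral): collateral counts addresses that the
    routes cover but the list never named."""
    listed = {ipaddress.ip_address(h) for h in hosts}
    covered = sum(r.num_addresses for r in routes)
    return len(routes), covered - len(listed)

if __name__ == "__main__":
    for plen, floor in [(32, 1), (28, 1), (28, 2), (24, 1), (24, 2)]:
        n, collateral = cost(aggregate(LISTED_HOSTS, plen, floor), LISTED_HOSTS)
        print(f"/{plen} min_listed={floor}: {n} routes, "
              f"{collateral} unlisted addresses covered")
```

On the sample list, moving from host routes to /24 aggregates cuts seven routes to three but covers 761 addresses that were never listed.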