nanog mailing list archives
Re: Any way to P-T-P Distribute the RBL lists?
From: Jay Kline <list () slushpupie com>
Date: Thu, 25 Sep 2003 15:12:13 -0500
On Thu, 25 Sep 2003 13:44:59 -0600 (MDT) Aaron Dewell <acd () woods net> wrote:
On Thu, 25 Sep 2003, Eric A. Hall wrote:

I know you all have probably already thought of this, but can anyone think of a feasible way to run a RBL list that does not have a single point of failure? Or any attackable entry?

Easy. Have the master server only be reachable by replication partners through a VPN connection, and have dozens of secondaries advertising through multiple anycast addresses.

So why couldn't you follow this plan without the VPN and anycast? Have a couple of master servers totally unpublished (nobody except the secondaries know about it), then have dozens of secondaries that are the ones actually used (or AXFR'd off of). You can't attack all the secondaries at once if there are enough of them, and the master server is unknown (hopefully).
It's been said before, security through obscurity isn't security at all. There should be a way where everyone can know the ins and outs of a system, and still not compromise it.
Even better - Publish all the servers, nobody knows who the masters are of this list of N servers, and rotate it when needed or every so often.
How about publishing a list of servers, but use the PGP web of trust model to allow updating of each other? That way there is no centralized source. If a group of admins don't like the updates coming from a server, don't trust it any longer. If you make this more like a social network, you don't have to have a central authority. The trick then will be to have as many different participants as possible, and to have each participant share who it thinks the other participants are (or explicitly are not). Then if you take out one node, the others are not prevented from functioning.

Jay
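The trust model proposed in the message above, as an added sketch that is not part of the original post or of any RBL software. It assumes each update has already been authenticated to its sender (for example by a verified PGP signature); the node names, the `VIEWS`/`UPDATES` data, the hop limit and the quorum rule are all constructed for illustration.

```python
from collections import deque

# Constructed sample: each participant publishes who it trusts / explicitly distrusts.
VIEWS = {
    "a": {"trust": {"b", "c"}, "distrust": {"e"}},
    "b": {"trust": {"c", "d"}, "distrust": set()},
    "c": {"trust": {"e"}, "distrust": set()},
    "d": {"trust": set(), "distrust": set()},
    "e": {"trust": {"d"}, "distrust": set()},
}
# Constructed sample: blocklist entries each participant currently publishes.
# Assumption: sender identity was verified before an update reaches this table.
UPDATES = {
    "b": {"192.0.2.10", "192.0.2.20"},
    "c": {"192.0.2.10"},
    "d": {"192.0.2.20", "198.51.100.7"},
    "e": {"198.51.100.7", "203.0.113.5"},
}

def trusted_peers(me, views, max_depth=2):
    """Peers reachable from `me` over trust edges within max_depth hops.
    A peer `me` explicitly distrusts is never added, even if others vouch for it."""
    distrusted = views[me]["distrust"]
    depth = {me: 0}
    queue = deque([me])
    while queue:
        node = queue.popleft()
        if depth[node] == max_depth:
            continue  # do not extend trust beyond the hop limit
        # A node that is offline simply contributes no further edges.
        for peer in views.get(node, {}).get("trust", ()):
            if peer in distrusted or peer in depth:
                continue
            depth[peer] = depth[node] + 1
            queue.append(peer)
    return set(depth) - {me}

def accepted_entries(me, views, updates, quorum=2, max_depth=2):
    """Entries published by at least `quorum` peers that `me` currently trusts."""
    votes = {}
    for peer in trusted_peers(me, views, max_depth):
        for entry in updates.get(peer, ()):
            votes.setdefault(entry, set()).add(peer)
    return {entry for entry, who in votes.items() if len(who) >= quorum}

if __name__ == "__main__":
    print(sorted(trusted_peers("a", VIEWS)))
    print(sorted(accepted_entries("a", VIEWS, UPDATES)))
```

Dropping a node from `VIEWS` and `UPDATES` models that node being taken out; the remaining peers' entries are still evaluated with no central source involved.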