[111874] in North American Network Operators' Group


Re: Global Blackhole Service

daemon@ATHENA.MIT.EDU (Patrick W. Gilmore)
Sat Feb 14 17:46:08 2009

From: "Patrick W. Gilmore" <patrick@ianai.net>
To: NANOG list <nanog@nanog.org>
In-Reply-To: <87k57swsep.fsf@mid.deneb.enyo.de>
Date: Sat, 14 Feb 2009 17:45:11 -0500
Errors-To: nanog-bounces@nanog.org

On Feb 14, 2009, at 5:43 PM, Florian Weimer wrote:
> * Steven M. Bellovin:
>
>> As Randy and Valdis have pointed out, if this isn't done very
>> carefully it's an open invitation to a new, very effective DoS
>> technique.  You can't do this without authoritative knowledge of
>> exactly who owns any prefix; you also have to be able to
>> authenticate the request to blackhole it.  Those two points are
>> *hard*.
>
> If you want to run a public exchange point, you need to solve the same
> announcement validation problem.  Multiple organizations appear to do
> it successfully, so it can't be that difficult.

No you don't.

And yes it is.

To be clear, I am not saying it should or should not be done, just
that your comparison is invalid.

-- 
TTFN,
patrick
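The two checks Bellovin lists above (authoritative knowledge of who owns a prefix, and authentication of the blackhole request) are worth seeing side by side. The following is an added example, not code from this thread or from any deployed blackhole service. The ownership table is constructed from documentation prefixes (RFC 5737 / RFC 3849) and private-use ASNs, the per-customer shared secrets and the HMAC signing are a hypothetical stand-in for whatever authentication a real service would use, and the minimum-prefix-length floor is an assumed policy knob. Nothing here solves the hard part, which is where the ownership table comes from; it only shows what a request has to pass once you have one.

```python
"""Authorization check for a blackhole request.

A request is accepted only if (1) it is authenticated as coming from a
known customer and (2) the prefix lies inside address space that customer
is recorded as owning.  Authentication runs first so that unauthenticated
parties cannot probe the ownership table.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ownership:
    """One record of 'this ASN owns this prefix' (ROA-like, origin only)."""
    prefix: str
    asn: int


# Constructed ownership table.  Assumption: a real service would load this
# from an authoritative source (RPKI / IRR / its own customer database).
OWNERSHIP = (
    Ownership("192.0.2.0/24", 64496),
    Ownership("198.51.100.0/24", 64497),
    Ownership("2001:db8::/32", 64496),
)

# Constructed per-customer secrets (hypothetical authentication scheme).
SECRETS = {
    64496: b"customer-64496-secret",
    64497: b"customer-64497-secret",
}

# Assumed policy: refuse to blackhole anything shorter than these lengths,
# so a compromised (but valid) customer credential cannot sink a whole /16.
MIN_PREFIXLEN = {4: 24, 6: 48}


def sign_request(asn: int, prefix: str, secret: bytes) -> str:
    """HMAC-SHA256 over the canonical request (asn|prefix)."""
    msg = f"{asn}|{prefix}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def owns(asn: int, net, records=OWNERSHIP) -> bool:
    """True if `net` is contained in a prefix recorded for `asn`.

    Containment, not exact match: blackholes are normally /32 or /128
    more-specifics of an allocation, so the covering record is what counts.
    """
    for rec in records:
        cover = ipaddress.ip_network(rec.prefix)
        if cover.version != net.version or rec.asn != asn:
            continue
        if net.subnet_of(cover):
            return True
    return False


def authorize_blackhole(asn: int, prefix: str, mac: str,
                        records=OWNERSHIP, secrets=SECRETS):
    """Return (accepted, reason) for a blackhole request."""
    secret = secrets.get(asn)
    if secret is None:
        return False, "unknown requester"
    expected = sign_request(asn, prefix, secret)
    if not hmac.compare_digest(expected, mac):
        return False, "bad signature"
    try:
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError:
        return False, "malformed prefix"
    if net.prefixlen < MIN_PREFIXLEN[net.version]:
        return False, "prefix too short for blackholing"
    if not owns(asn, net, records):
        return False, "requester does not own prefix"
    return True, "accepted"


if __name__ == "__main__":
    # Legitimate request: AS64496 blackholes a host in its own /24.
    good = sign_request(64496, "192.0.2.10/32", SECRETS[64496])
    print(authorize_blackhole(64496, "192.0.2.10/32", good))
    # Correctly authenticated, but for someone else's space: refused.
    wrong = sign_request(64497, "192.0.2.10/32", SECRETS[64497])
    print(authorize_blackhole(64497, "192.0.2.10/32", wrong))
```

The ordering matters: a request that fails authentication is rejected before the prefix is parsed or looked up, so an attacker learns nothing about the ownership table from the error, and a request that is authentic but aims at address space the requester does not own is still refused. The length floor is the belt-and-braces part; it limits the blast radius of a stolen credential but does not replace either check.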


