[151172] in North American Network Operators' Group
Re: Whitelist of update servers
daemon@ATHENA.MIT.EDU (Jeff Kell)
Mon Mar 12 22:11:42 2012
Date: Mon, 12 Mar 2012 22:10:42 -0400
From: Jeff Kell <jeff-kell@utc.edu>
To: "nanog@nanog.org" <nanog@nanog.org>
In-Reply-To: <m2y5r5gw70.wl%randy@psg.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
An "IP-based" whitelist is pretty much doomed from the start. Many
vendors use content delivery networks and that is too large and volatile
to chase.
We have had some success in captive portal environments with DNS
manipulation, allowing only certain domains to resolve, and redirecting
everything else to the portal. The list is still non-trivial, but
manageable.
So don't manage it at the router level; you will have better luck at the
DNS layer.
Jeff
On 3/12/2012 8:51 PM, Randy Bush wrote:
> i tend to two defenses
>
> o if it is not an urgent update, i wait to hear from peers that
> it is safe.
>
> o i generally do not accept pop-up updates. if one looks tasty,
> when possible i navigate directly to the site (yes, i know about
> dns spoofing) and download.
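The DNS-layer approach Jeff describes (let a short list of domains resolve normally, answer everything else with the portal's address) is easy to get subtly wrong, so here is an added example of the policy logic, written for this page and not code from the poster or any NANOG member. It is self-contained: the allowlist, the "upstream" answers and the addresses are constructed placeholders (TEST-NET ranges), and the config-rendering helper targets dnsmasq's `address=` and `server=` directives as the one concrete resolver syntax.

```python
"""Captive-portal DNS allowlist: resolve allowed domains, redirect the rest.

Constructed example. Names under an allowed suffix are looked up normally;
every other name is answered with the portal's address so the client lands
on the portal page instead of reaching the wider Internet.
"""
from typing import Dict, Iterable, List, Optional

PORTAL_IP = "192.0.2.1"          # placeholder: the captive-portal host
UPSTREAM_RESOLVER = "192.0.2.53"  # placeholder: the real resolver to forward to

# Constructed allowlist of update-server domains the portal lets through.
ALLOWED_SUFFIXES = (
    "windowsupdate.com",
    "update.microsoft.com",
    "swcdn.apple.com",
)

# Constructed stand-in for what the upstream resolver would answer.
UPSTREAM: Dict[str, str] = {
    "download.windowsupdate.com": "198.51.100.10",
    "swcdn.apple.com": "198.51.100.20",
    "www.example.org": "203.0.113.5",
}


def normalize(name: str) -> str:
    """Canonical form: lower-case, no surrounding whitespace, no trailing dot,
    so 'Download.WindowsUpdate.COM.' compares equal to the allowlist entry."""
    return name.strip().lower().rstrip(".")


def is_allowed(name: str, suffixes: Iterable[str] = ALLOWED_SUFFIXES) -> bool:
    """Label-aware suffix match.

    'a.windowsupdate.com' matches 'windowsupdate.com', but
    'evilwindowsupdate.com' does not; a plain str.endswith() check would
    wrongly accept the latter, which is the classic allowlist hole."""
    n = normalize(name)
    for s in suffixes:
        s = normalize(s)
        if n == s or n.endswith("." + s):
            return True
    return False


def resolve(name: str, upstream: Dict[str, str] = UPSTREAM,
            suffixes: Iterable[str] = ALLOWED_SUFFIXES) -> Optional[str]:
    """Policy decision for one query.

    Allowed name  -> the upstream answer (None models NXDOMAIN).
    Anything else -> the portal address, regardless of what upstream says."""
    if is_allowed(name, suffixes):
        return upstream.get(normalize(name))
    return PORTAL_IP


def dnsmasq_config(suffixes: Iterable[str] = ALLOWED_SUFFIXES,
                   portal_ip: str = PORTAL_IP,
                   upstream_ip: str = UPSTREAM_RESOLVER) -> List[str]:
    """Render the same policy as dnsmasq directives.

    'address=/#/<ip>' answers every name with the portal address; the more
    specific 'server=/<domain>/<resolver>' lines take precedence and forward
    the allowed domains (and their subdomains) to the real resolver."""
    lines = [f"address=/#/{portal_ip}"]
    lines += [f"server=/{normalize(s)}/{upstream_ip}" for s in suffixes]
    return lines


if __name__ == "__main__":
    for q in ("download.windowsupdate.com", "evilwindowsupdate.com",
              "www.example.org", "missing.windowsupdate.com"):
        print(f"{q:32} -> {resolve(q)}")
    print("\n".join(dnsmasq_config()))
```

The list still has to be maintained by hand, as the post says, and the allowlist only controls which names resolve; it does nothing about clients that bypass the portal's resolver, so the captive-portal network should also block or redirect outbound port 53 to that resolver.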