[175164] in North American Network Operators' Group
RE: Unwanted Traffic Removal Service (UTRS)
daemon@ATHENA.MIT.EDU (Naslund, Steve)
Thu Oct 9 18:19:48 2014
X-Original-To: nanog@nanog.org
From: "Naslund, Steve" <SNaslund@medline.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Date: Thu, 9 Oct 2014 22:19:40 +0000
In-Reply-To: <20141009164736.3b1ebac8@localhost>
Errors-To: nanog-bounces@nanog.org
I understand the concerns but it seems to me that there are already plenty of ways for any large government to black hole whatever they want and they do not need UTRS to do so. The only thing stopping (most) governments from doing this regularly are fears of turning the Internet into another arms race. It's a stigma thing, like the difference between launching the first nuke vs. being the responder. We all know they do a lot of cyber stuff out there but it is mostly behind a veil of deniability.
First, if they have access to a tier 1 carrier (or at least enough carriers to make an impact) in their jurisdiction they could just order that carrier to do it with whatever court system (or not) is required. Most large governments also have enough connectivity to bury a route by brute force. The only thing stopping (most) governments from doing this regularly are fears of turning the Internet into another arms race and possibly losing easy access to that resource. We all know they do a lot of cyber crime stuff out there but it is mostly behind a veil of deniability.
There have actually been more black hole events that occur by accident or as part of denial of service attacks than government launched. The global routing structure of the Internet has always been highly cooperative and vulnerable to a bad actor at a lot of points. My only real concern with UTRS is designing a system that cannot be gamed or exploited to turn it into a very effective DoS weapon system. I admit that I don't know enough about how it works to make that decision yet.
Steven Naslund
Chicago IL
>Subject: Re: Unwanted Traffic Removal Service (UTRS)
>On Thu, 09 Oct 2014 22:58:05 +0200
>Christian Seitz <chris@in-berlin.de> wrote:
>> What I do not like at this UTRS idea is that I cannot announce a
>> prefix via BGP. Somebody has to inject it for me. I would like to
>> announce it in real time and not with delay because of manual
>> approval.
>While true today, it might not be true for long. It requires code to be
>written in order to perform the desired verification we want before blindly
>passing along an announcement. Code we're not motivated to write if there is
>insufficient interest in UTRS. Interest is looking good, so the code may
>soon follow. In other words, this is a valid complaint, but it may have a
>limited life span.
>> One problem that I also see here is that this single entity could be
>> forced by someone (eg. government) to blackhole some prefix. If this
>> ever happens such a project will have to be terminated.
>I've heard this once before too. I admit we probably can't provide a
>satisfactory answer to some who will be so distrustful of government or
>influence peddling to win them over, but I'll try to offer a response that
>I hope is fairly reasonable and satisfies the majority, and presumably any
>of the actual participants.
>There are legal questions, maneuvers and responses that might be
>interesting to speculate on, but I'll say simply this. Team Cymru, while
>established and operated within the U.S., is a global organization with
>team members outside of the U.S. and we rely heavily on the cooperation of
>global partners to do what we do. If we could be compelled to announce a
>black hole by someone, government or otherwise, the cooperation and
>inherent trust we might have with the Internet community is probably gone
>and we are likely finished as an organization. It would be counter to our
>very existence and so on that basis I hope most would agree is extremely
>unlikely to occur. Now if someone came up to me with a gun to my head and
>said type the equivalent of "ip route foonet mask 192.0.2.1" or die, I
>might just type it out of self preservation.
>> We also had some DDoS attacks via IPv6. I think it's important to also
>> have such a service for IPv6. Starting with IPv4 is ok and better than
>> nothing, but IPv6 should not be on the roadmap for
>> 2018 ;-)
>You are only the second person I've heard from to explicitly state as
>such. This is actually not terribly hard to do and I'm pretty certain could
>be done way before 2018. Simple to start, careful and necessary
>improvements as we go.
>Thanks for your comments Chris,
>John
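As an added example, not code from this thread, from Team Cymru or from UTRS, here is the shape of the verification John mentions and the "cannot be gamed" property Steve asks for: before an injected blackhole is passed along, check that it is a single host route (/32 or /128, so IPv6 is covered too) inside address space the requesting participant has registered, reject non-unicast addresses, and cap how many blackholes one participant can hold so a single compromised or careless requester has a bounded blast radius. The participant registry, the "as64496"-style labels, the cap value and the `BlackholeTable` class are all constructed assumptions for the example; the addresses are the documentation ranges.

```python
import ipaddress

# Constructed registry (assumption): the prefixes each participant proved
# control of at onboarding. A real service would read this from its own
# participant records, not from a literal in the code.
REGISTRY = {
    "as64496": ["192.0.2.0/24", "2001:db8:1::/48"],
    "as64497": ["198.51.100.0/24"],
}

# Assumed per-participant cap on simultaneously active blackholes, so one
# participant cannot null-route a large amount of space through the service.
MAX_ACTIVE_PER_PARTICIPANT = 50


def validate_blackhole_request(participant, prefix, registry=REGISTRY):
    """Return (accepted, reason) for a request to blackhole `prefix`.

    Only a host route (/32 or /128) lying inside address space the requesting
    participant registered is accepted; every other request is refused with a
    reason that can be logged and returned to the requester.
    """
    if participant not in registry:
        return False, "unknown participant"
    try:
        # strict=True refuses prefixes with host bits set, e.g. 192.0.2.1/24
        net = ipaddress.ip_network(prefix, strict=True)
    except ValueError as exc:
        return False, f"malformed prefix: {exc}"
    host_len = 32 if net.version == 4 else 128
    if net.prefixlen != host_len:
        return False, f"only host routes (/{host_len}) are accepted"
    addr = net.network_address
    if (addr.is_multicast or addr.is_loopback
            or addr.is_unspecified or addr.is_link_local):
        return False, "address is not unicast routable"
    for owned in registry[participant]:
        owned_net = ipaddress.ip_network(owned)
        if owned_net.version == net.version and net.subnet_of(owned_net):
            return True, f"covered by registered prefix {owned}"
    return False, "prefix is outside the requester's registered space"


class BlackholeTable:
    """Active blackholes per participant, enforcing the per-participant cap."""

    def __init__(self, registry=REGISTRY, cap=MAX_ACTIVE_PER_PARTICIPANT):
        self.registry = registry
        self.cap = cap
        self.active = {}  # participant -> set of canonical prefix strings

    def request(self, participant, prefix):
        """Validate and, if accepted, record a blackhole; returns (ok, reason)."""
        ok, reason = validate_blackhole_request(participant, prefix, self.registry)
        if not ok:
            return False, reason
        entries = self.active.setdefault(participant, set())
        canonical = str(ipaddress.ip_network(prefix))
        if canonical in entries:
            return True, "already active"
        if len(entries) >= self.cap:
            return False, f"participant already has {self.cap} active blackholes"
        entries.add(canonical)
        return True, reason

    def withdraw(self, participant, prefix):
        """Remove a participant's own blackhole; True if one was removed."""
        canonical = str(ipaddress.ip_network(prefix, strict=False))
        entries = self.active.get(participant, set())
        if canonical not in entries:
            return False
        entries.remove(canonical)
        return True

    def count(self, participant):
        return len(self.active.get(participant, ()))


if __name__ == "__main__":
    table = BlackholeTable()
    for who, pfx in [("as64496", "192.0.2.1/32"), ("as64496", "198.51.100.5/32"),
                     ("as64496", "192.0.2.0/24"), ("as64496", "2001:db8:1::5/128")]:
        print(who, pfx, table.request(who, pfx))
```

Because the registry is keyed by participant, a request to blackhole someone else's host (the DoS-weapon case) fails the coverage check regardless of how it was submitted, and the cap turns a stolen credential into a bounded incident rather than a mass null-route.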