[179516] in North American Network Operators' Group
Re: Trusted Networks Initiative: DDoS fallback set of AS'es
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Thu Apr 16 15:39:49 2015
X-Original-To: nanog@nanog.org
In-Reply-To: <78C35D6C1A82D243B830523B4193CF5F9F3651C3E0@SBS1.blinker.local>
Date: Thu, 16 Apr 2015 15:39:46 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: David Hofstee <david@mailplus.nl>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Thu, Apr 16, 2015 at 6:58 AM, David Hofstee <david@mailplus.nl> wrote:
> Hi,
>
> I saw the following and thought it would be interesting to share. In case of a persistent DDoS an ASy can fall back to a small set of (more trustable) AS'es for their routing:
> http://www.trustednetworksinitiative.nl/
>
> They have a policy with procedural and technical parts, which may be upgraded later, for parties who want to participate:
> https://www.thehaguesecuritydelta.com/images/20141124_Trusted_Networks_Policy_beta-vs0_7.pdf
>
> Without having an opinion if everybody in the world should join this (I don't know the desired scope of this group), but the idea is interesting. I had not seen something like it before.
so...:
"The principles of the solutions are simple: each participating
network at its sole discretion can step to ‘trusted internet only’ if
an emergency situation requires to temporary disconnect from the
global internet."
you're asking your ISP or set of ISPs to 'stop forwarding me packets
from X and Y and Z'
sure, why do we need a new special group and designation for that?
can't you just no-export your routes to your provider today? (or other
similar options).
this seems ... shortsighted at best and incredibly dumb at worst.