This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/raci-list@ripe.net/
[RACI-list] [manrs-community] Routine Monitoring of Source Address Validation Deployment by Operators
Lailson Araujo
lailson.costa at pjm.net.br
Fri Apr 26 18:18:19 CEST 2024
Excellent initiative. Together with PJM Net (AS266152), I am ready to help with whatever is within our reach, and I can also provide the necessary VM.

On Fri, 26 Apr 2024 at 12:32, Brandon Zhi <Brandon at huize.asia> wrote:

> Dear MANRS and RIPE members,
>
> My name is Gaoxing Zhang, and I am a computer enthusiast from the High
> School Competition Team at Hangzhou Dongfang High School.
>
> Recently, I've observed that although MANRS requirements mandate Source
> Address Validation (SAV) for its members, some operators have not fully
> implemented this practice in their networks. Therefore, I propose to
> routinely monitor the deployment status of SAV across ASNs to ensure
> compliance with MANRS guidelines and enhance network security. I am
> currently unaware of any existing projects with a similar focus.
>
> It has come to my attention that operators at IXP facilities, even
> including major entities like Google, fail to enable SAV. This issue also
> persists in-home broadband services obtained through PPPoE, which could
> lead to Infected Home Routers becoming sources of DDoS Attacks and Are
> Difficult to Trace. In my tests, I announced my IP through tunnel on a
> different operator’s network and configured the Next-hop Address to a home
> broadband gateway obtained via PPPoE. The results indicated that Source
> Address Validation by China Telecom’s home broadband is only partially
> implemented in Mainland China, with most IP addresses from the region being
> accessible through this method.
>
> Here are some methods I have considered for ongoing monitoring:
>
> 1. Announce a new IP block upstream to receive inbound traffic.
> 2. Deploy a tunnel on the device connected to the ISP being tested, which
> will link to the upstream receiving the inbound traffic.
> 3. The IP block will not be announced to the ISP being tested but only to
> the upstream used to receive inbound traffic. Check the connectivity to
> major public DNS servers when the Next-hop address is set to the ISP being
> tested.
> 4. If it is reachable, it indicates that the ISP’s device lacks Source
> Address Validation.
>
> I plan to deploy test equipment at major IXPs (currently seeking equipment
> sponsors) and access points for some residential ISPs (with the assistance
> of volunteers). The testing environment will be a Linux-based VM, utilizing
> Python to switch Next-hop based on test targets and assess the
> accessibility to major public DNS servers, as well as to upload data to a
> backend system.
>
> I would really appreciate it if you could share your valuable suggestions
> or feedback on this initiative.
>
> Best regards,
> *Brandon Zhang*
> HUIZE LTD
> www.huize.asia <https://huize.asia/>| www.ixp.su | Twitter
>
> This e-mail and any attachments or any reproduction of this e-mail in
> whatever manner are confidential and for the use of the addressee(s) only.
> HUIZE LTD can’t take any liability and guarantee of the text of the email
> message and virus.
> --
> Manrs-community mailing list
> Manrs-community at elists.manrs.org
> https://elists.manrs.org/mailman/listinfo/manrs-community
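
Added example, not part of the original post or of any MANRS tooling: a small Python model of the ISP-side check that the test in the quoted message probes. It goes slightly beyond the message by comparing strict and loose uRPF (RFC 3704); the routing table, prefixes (documentation ranges) and interface names are constructed assumptions.

```python
import ipaddress

# Constructed routing table of the ISP under test: (prefix, outgoing interface).
# Prefixes are documentation ranges; interface names are hypothetical.
FIB = [
    ("198.51.100.0/24", "cust0"),    # prefix assigned to the customer port
    ("203.0.113.0/24", "transit0"),  # test block, learned only via another upstream
]

def lookup(fib, addr):
    """Longest-prefix match; returns the outgoing interface or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in fib:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def sav_accepts(fib, src, in_iface, mode):
    """Would the edge forward a packet with source `src` arriving on `in_iface`?"""
    route_iface = lookup(fib, src)
    if mode == "none":      # no source address validation at all
        return True
    if mode == "loose":     # loose uRPF: any route back to the source is enough
        return route_iface is not None
    if mode == "strict":    # strict uRPF: route back must use the arrival interface
        return route_iface == in_iface
    raise ValueError(f"unknown mode: {mode}")

def classify(fib, test_src, in_iface, mode):
    """Step 4 of the quoted method: reachable with the test source => no effective SAV."""
    if sav_accepts(fib, test_src, in_iface, mode):
        return "lacks SAV"
    return "SAV enforced"

if __name__ == "__main__":
    # The test source sits in the block that was never announced via cust0.
    for mode in ("none", "loose", "strict"):
        print(mode, "->", classify(FIB, "203.0.113.7", "cust0", mode))
```

Loose uRPF passes the test source because a route to the block exists somewhere in the table, so a monitor built on the quoted method will report such a network as lacking SAV on its customer edge.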