[ripe-list] Routine Monitoring of Source Address Validation Deployment by Operators
- Previous message (by thread): [ripe-list] Mastodon for the RIPE Community
- Next message (by thread): [ripe-list] Routine Monitoring of Source Address Validation Deployment by Operators
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Brandon Zhi
Brandon at huize.asia
Fri Apr 26 17:25:08 CEST 2024
Dear MANRS and RIPE members,

My name is Gaoxing Zhang, and I am a computer enthusiast from the High School Competition Team at Hangzhou Dongfang High School.

Recently, I've observed that although MANRS requirements mandate Source Address Validation (SAV) for its members, some operators have not fully implemented this practice in their networks. Therefore, I propose to routinely monitor the deployment status of SAV across ASNs to ensure compliance with MANRS guidelines and enhance network security. I am currently unaware of any existing projects with a similar focus.

It has come to my attention that operators at IXP facilities, even including major entities like Google, fail to enable SAV. This issue also persists in home broadband services obtained through PPPoE, which could lead to infected home routers becoming sources of DDoS attacks that are difficult to trace.

In my tests, I announced my IP through a tunnel on a different operator's network and configured the next-hop address to a home broadband gateway obtained via PPPoE. The results indicated that Source Address Validation by China Telecom's home broadband is only partially implemented in Mainland China, with most IP addresses from the region being accessible through this method.

Here are some methods I have considered for ongoing monitoring:

1. Announce a new IP block upstream to receive inbound traffic.
2. Deploy a tunnel on the device connected to the ISP being tested, which will link to the upstream receiving the inbound traffic.
3. The IP block will not be announced to the ISP being tested but only to the upstream used to receive inbound traffic. Check the connectivity to major public DNS servers when the next-hop address is set to the ISP being tested.
4. If it is reachable, it indicates that the ISP's device lacks Source Address Validation.

I plan to deploy test equipment at major IXPs (currently seeking equipment sponsors) and access points for some residential ISPs (with the assistance of volunteers).

The testing environment will be a Linux-based VM, utilizing Python to switch the next-hop based on test targets and assess the accessibility of major public DNS servers, as well as to upload data to a backend system.

I would really appreciate it if you could share your valuable suggestions or feedback on this initiative.

Best regards,
*Brandon Zhang*
HUIZE LTD
www.huize.asia <https://huize.asia/> | www.ixp.su | Twitter

This e-mail and any attachments or any reproduction of this e-mail in whatever manner are confidential and for the use of the addressee(s) only. HUIZE LTD can't take any liability and guarantee of the text of the email message and virus.
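As an added illustration (not code from the original post or from the author's project), the following Python sketch models the measurement loop described in steps 1-4: steer one public resolver's route at the ISP gateway under test, send an ordinary DNS query from an address in the block that is announced only via the upstream tunnel, and see whether an answer comes back through the tunnel. It adds the control step a practitioner would want: the same query is first sent via the upstream next-hop, so that a silent ISP gateway is reported as "sav_enforced" only when the probe itself is known to work, and otherwise as "inconclusive". The resolver addresses, the `ip route replace` invocation and the assumption that the source address is configured on the tunnel interface are all assumptions of this example.

```python
"""Model of the SAV probe from the post (added example, not the author's code).

Assumptions: Linux host, root privileges for `ip route`, the probe source
address is configured on the tunnel interface, and the tested block is
announced only via the upstream tunnel so that replies return that way.
"""
import random
import socket
import struct
import subprocess

# Constructed sample resolver list; the post names no specific resolvers.
PUBLIC_RESOLVERS = ["8.8.8.8", "1.1.1.1", "9.9.9.9"]


def build_dns_query(name: str, txid: int) -> bytes:
    """Build a minimal standard A/IN query (RD set, one question, no EDNS)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def is_matching_reply(data: bytes, txid: int) -> bool:
    """True if `data` is a DNS response (QR bit set) carrying our transaction id."""
    if len(data) < 12:
        return False
    rx_txid, flags = struct.unpack(">HH", data[:4])
    return rx_txid == txid and bool(flags & 0x8000)


def route_command(resolver: str, next_hop: str) -> list:
    """Host route that steers traffic for one resolver via a chosen gateway."""
    return ["ip", "route", "replace", f"{resolver}/32", "via", next_hop]


def classify(control_reachable: bool, test_reachable: bool) -> str:
    """Turn the two probe outcomes into a verdict for the tested gateway.

    A missing answer via the ISP only means something if the same probe via
    the upstream (control) succeeded; otherwise the measurement is invalid.
    """
    if not control_reachable:
        return "inconclusive"
    return "sav_missing" if test_reachable else "sav_enforced"


def probe(resolver: str, source_addr: str, timeout: float = 2.0) -> bool:
    """Send one DNS query from `source_addr` and wait for a matching reply."""
    txid = random.randrange(0, 0x10000)
    query = build_dns_query("example.com", txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.bind((source_addr, 0))        # source from the tunnel-announced block
        sock.sendto(query, (resolver, 53))
        try:
            data, _ = sock.recvfrom(512)   # reply arrives via the upstream tunnel
        except socket.timeout:
            return False
    return is_matching_reply(data, txid)


def run_test(resolver: str, source_addr: str, upstream_hop: str, isp_hop: str) -> str:
    """Control probe via upstream, test probe via the ISP gateway, restore route."""
    subprocess.run(route_command(resolver, upstream_hop), check=True)
    control = probe(resolver, source_addr)
    subprocess.run(route_command(resolver, isp_hop), check=True)
    try:
        test = probe(resolver, source_addr)
    finally:
        subprocess.run(route_command(resolver, upstream_hop), check=True)
    return classify(control, test)


if __name__ == "__main__":
    import sys
    # usage: python sav_probe.py <source_addr> <upstream_next_hop> <isp_next_hop>
    src, upstream, isp = sys.argv[1:4]
    for resolver in PUBLIC_RESOLVERS:
        print(resolver, run_test(resolver, src, upstream, isp))
```

The verdict is per gateway and per resolver; a real deployment would repeat the probe a few times and record "sav_enforced" only when the control path consistently answers while the tested path consistently does not, since transient loss on the tested path would otherwise look like filtering.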