[RACI-list] [manrs-community] Routine Monitoring of Source Address Validation Deployment by Operators
Lailson Araujo
lailson.costa at pjm.net.br
Fri Apr 26 18:18:19 CEST 2024
Excellent initiative. I am available right away, together with PJM Net (AS266152), to help with whatever is within our reach, and I can also provide the necessary VM.

On Fri, Apr 26, 2024 at 12:32, Brandon Zhi <Brandon at huize.asia> wrote:

> Dear MANRS and RIPE members,
>
> My name is Gaoxing Zhang, and I am a computer enthusiast from the High
> School Competition Team at Hangzhou Dongfang High School.
>
> Recently, I've observed that although MANRS requirements mandate Source
> Address Validation (SAV) for its members, some operators have not fully
> implemented this practice in their networks. Therefore, I propose to
> routinely monitor the deployment status of SAV across ASNs to ensure
> compliance with MANRS guidelines and enhance network security. I am
> currently unaware of any existing projects with a similar focus.
>
> It has come to my attention that operators at IXP facilities, even
> including major entities like Google, fail to enable SAV. This issue also
> persists in home broadband services obtained through PPPoE, which could
> lead to infected home routers becoming sources of DDoS attacks and are
> difficult to trace. In my tests, I announced my IP through a tunnel on a
> different operator's network and configured the next-hop address to a home
> broadband gateway obtained via PPPoE. The results indicated that Source
> Address Validation by China Telecom's home broadband is only partially
> implemented in Mainland China, with most IP addresses from the region being
> accessible through this method.
>
> Here are some methods I have considered for ongoing monitoring:
>
> 1. Announce a new IP block upstream to receive inbound traffic.
> 2. Deploy a tunnel on the device connected to the ISP being tested, which
>    will link to the upstream receiving the inbound traffic.
> 3. The IP block will not be announced to the ISP being tested but only to
>    the upstream used to receive inbound traffic. Check the connectivity to
>    major public DNS servers when the next-hop address is set to the ISP
>    being tested.
> 4. If it is reachable, it indicates that the ISP's device lacks Source
>    Address Validation.
>
> I plan to deploy test equipment at major IXPs (currently seeking equipment
> sponsors) and access points for some residential ISPs (with the assistance
> of volunteers). The testing environment will be a Linux-based VM, utilizing
> Python to switch the next hop based on test targets and assess the
> accessibility to major public DNS servers, as well as to upload data to a
> backend system.
>
> I would really appreciate it if you could share your valuable suggestions
> or feedback on this initiative.
>
> Best regards,
> *Brandon Zhang*
> HUIZE LTD
> www.huize.asia <https://huize.asia/> | www.ixp.su | Twitter
>
> This e-mail and any attachments or any reproduction of this e-mail in
> whatever manner are confidential and for the use of the addressee(s) only.
> HUIZE LTD can't take any liability and guarantee of the text of the email
> message and virus.
> --
> Manrs-community mailing list
> Manrs-community at elists.manrs.org
> https://elists.manrs.org/mailman/listinfo/manrs-community
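
One way a backend could turn the probe results from steps 1 to 4 into a per-ASN verdict, given as an added example that is not part of the original thread or of any MANRS tooling. The record layout, the control probe sent from an ISP-assigned source, and the verdict names are assumptions; the sample records are constructed and use documentation-range ASNs and addresses.

```python
from collections import defaultdict

# Constructed sample records, not real measurements.
# Layout (assumed): (asn, src_kind, resolver, replied)
#   src_kind "test"    = source taken from the block NOT announced to that ISP
#   src_kind "control" = source address the tested ISP itself assigned
SAMPLE_PROBES = [
    (64496, "control", "192.0.2.53", True),
    (64496, "test", "192.0.2.53", True),
    (64496, "test", "198.51.100.53", True),
    (64497, "control", "192.0.2.53", True),
    (64497, "test", "192.0.2.53", False),
    (64497, "test", "198.51.100.53", False),
    (64498, "control", "192.0.2.53", True),
    (64498, "test", "192.0.2.53", True),
    (64498, "test", "198.51.100.53", False),
    (64499, "control", "192.0.2.53", False),
    (64499, "test", "192.0.2.53", False),
]


def classify_sav(probes):
    """Return {asn: verdict} from probe records shaped like SAMPLE_PROBES."""
    stats = defaultdict(lambda: {"control": [], "test": []})
    for asn, src_kind, _resolver, replied in probes:
        stats[asn][src_kind].append(replied)

    verdicts = {}
    for asn, seen in stats.items():
        if not seen["test"] or not any(seen["control"]):
            # A silent test probe proves nothing unless the same path works
            # with a legitimate source: the link or resolver may be down.
            verdicts[asn] = "inconclusive"
        elif all(seen["test"]):
            verdicts[asn] = "no-sav"        # step 4: reachable, so no filtering
        elif any(seen["test"]):
            verdicts[asn] = "partial-sav"   # filtered on some paths only
        else:
            verdicts[asn] = "sav-enforced"  # every out-of-block source dropped
    return verdicts


if __name__ == "__main__":
    for asn, verdict in sorted(classify_sav(SAMPLE_PROBES).items()):
        print(f"AS{asn}: {verdict}")
```
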