Suspicious anycast prefixes

David Miller dmiller at tiggee.com
Thu May 5 15:58:27 UTC 2011


On 5/5/2011 11:39 AM, Danny McPherson wrote:
> On May 5, 2011, at 9:43 AM, David Miller wrote:
>
>> In a properly functioning system - folks that consume the service don't need to know which node they are utilizing.
> Right, it doesn't matter IF things are functioning properly.  If they're not, however...

IF things are not functioning properly and the operator of the service 
is depending on end consumers of the service to notify them of which 
node is malfunctioning, then it is time for the operator of the service 
to go back to the drawing board and improve their monitoring and failure 
resolution systems.

>> Providing the capability for well behaved customers to select/prefer a particular node over another would also allow evildoers to select/prefer a particular node over others - thereby increasing the attack surface of this node, yes?
> This isn't expressly about the capability to allow consumers to select one node of another, it's about transparency in which nodes they're using being visible in the control plane - there's no indication of that today.

...but it *is* expressly about selection of nodes...

From the Introduction of
http://tools.ietf.org/html/draft-ietf-grow-unique-origin-as-00.txt :

"Furthermore, control plane discriminators should exist to enable
operators to know toward which of a given set of instances a query is
being directed, and to enable detection and alerting capabilities when
this changes. Such discriminators may also be employed to enable anycast
node preference or filtering keys, should local operational policy
require it."

> As for attack surface expanse, no.  You could largely already accomplish something of this sort today in the elements of the forwarding path you influence if you were an evildoer aiming to do such a thing.
>

I disagree (see above).

-DM
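The draft passage quoted above describes a per-node origin AS as a control-plane discriminator that lets an operator see which anycast instance a vantage point is routed toward and alert when that changes. The following is an added illustration of that monitoring check, not code from the thread or the draft; the node table, AS numbers, prefix and route-table lines are all constructed (documentation and private-use ranges) and the "show ip bgp"-style line format is assumed.

```python
"""Track which anycast node a vantage point's best route leads to, using a
per-node origin AS as the control-plane discriminator, and flag changes.

All values are constructed for illustration: the node table is hypothetical
and the route lines mimic "show ip bgp" output from one vantage point.
"""
import re

# Hypothetical unique-origin-AS table: each anycast node originates the shared
# prefix from its own AS, so the last AS in the path identifies the node.
NODE_BY_ORIGIN_AS = {65001: "node-east", 65002: "node-west", 65003: "node-eu"}

_PREFIX_RE = re.compile(r"^\D*(\d+\.\d+\.\d+\.\d+/\d+)")  # prefix after status flags
_ORIGIN_RE = re.compile(r"(\d+)\s+[ie?]\s*$")              # last AS before origin code
_BEST_RE = re.compile(r"^\s*\*>")                          # best-path marker

def origin_as_for_prefix(route_lines, prefix):
    """Origin AS of the best ("*>") path for prefix, or None if there is none."""
    for line in route_lines:
        p = _PREFIX_RE.match(line)
        if p and p.group(1) == prefix and _BEST_RE.match(line):
            o = _ORIGIN_RE.search(line)
            return int(o.group(1)) if o else None
    return None

def check_node(route_lines, prefix, last_node):
    """Return (node, alert): node is None when the origin AS maps to no known
    node; alert carries a message when the serving node is unknown or changed."""
    origin = origin_as_for_prefix(route_lines, prefix)
    node = NODE_BY_ORIGIN_AS.get(origin)
    if node is None:
        return None, f"{prefix}: origin AS {origin} is not a known anycast node"
    if last_node is not None and node != last_node:
        return node, f"{prefix}: serving node changed {last_node} -> {node}"
    return node, None

# Constructed snapshots: between them the best path moves to another node.
SNAPSHOT_1 = [
    "*> 192.0.2.0/24     203.0.113.1              0             0 64500 65001 i",
    "*  192.0.2.0/24     203.0.113.2                            0 64501 65002 i",
]
SNAPSHOT_2 = [
    "*  192.0.2.0/24     203.0.113.1              0             0 64500 65001 i",
    "*> 192.0.2.0/24     203.0.113.2                            0 64501 65002 i",
]
# With a shared origin AS the path no longer says which node is serving us.
SNAPSHOT_SHARED = [
    "*> 192.0.2.0/24     203.0.113.2                            0 64501 65000 i",
]

if __name__ == "__main__":
    node, _ = check_node(SNAPSHOT_1, "192.0.2.0/24", None)
    print(check_node(SNAPSHOT_2, "192.0.2.0/24", node))       # change alert
    print(check_node(SNAPSHOT_SHARED, "192.0.2.0/24", node))  # unknown-node alert
```

The last snapshot shows the situation the reply calls "no indication of that today": when every node originates from the same AS, the vantage point can see a path change but not which instance it has moved to.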
