Unwanted Traffic Removal Service (UTRS)

John Kristoff jtk at cymru.com
Thu Oct 9 21:47:36 UTC 2014


On Thu, 09 Oct 2014 22:58:05 +0200
Christian Seitz <chris at in-berlin.de> wrote:

> What I do not like at this UTRS idea is that I cannot announce a
> prefix via BGP. Somebody has to inject it for me. I would like to
> announce it in real time and not with delay because of manual
> approval.

While true today, it might not be true for long.  It requires code to
be written in order to perform the desired verification we want before
blindly passing along an announcement. Code we're not motivated to write
if there is insufficient interest in UTRS. Interest is looking good, so
the code may soon follow. In other words, this is a valid complaint, but it
may have a limited life span.

> One problem that I also see here is that this single entity could be
> forced by someone (eg. government) to blackhole some prefix. If this
> ever happens such a project will have to be terminated.

I've heard this once before too.  I admit we probably can't provide
a satisfactory answer to some who will be so distrustful of government
or influence peddling to win them over, but I'll try to offer a
response that I hope is fairly reasonable and satisfies the majority,
and presumably any of the actual participants.

There are legal questions, maneuvers and responses that might be
interesting to speculate on, but I'll say simply this.  Team Cymru,
while established and operated within the U.S., is a global
organization with team members outside of the U.S. and we rely heavily
on the cooperation of global partners to do what we do.  If we could
be compelled to announce a black hole by someone, government or
otherwise, the cooperation and inherent trust we might have with the
Internet community is probably gone and we are likely finished as an
organization. It would be counter to our very existence and so on that
basis I hope most would agree it is extremely unlikely to occur.  Now if
someone came up to me with a gun to my head and said type the
equivalent of "ip route foonet mask 192.0.2.1" or die, I might just
type it out of self-preservation.

> We also had some DDoS attacks via IPv6. I think it's important to
> also have such a service for IPv6. Starting with IPv4 is ok and
> better than nothing, but IPv6 should not be on the roadmap for
> 2018 ;-)

You are only the second person I've heard from to explicitly state as
such.  This is actually not terribly hard to do and I'm pretty certain
could be done way before 2018.  Simple to start, careful and necessary
improvements as we go.

Thanks for your comments Chris,

John


