de-peering for security sake
Owen DeLong
owen at delong.com
Sat Dec 26 20:28:07 UTC 2015
I think as granular as practicable. In some cases, that will be a /32 or /128. In some cases, that will be a /24 or /64.
In some cases, it may be an entire ASN.
Each network will need to decide for themselves based on the constraints of the time they have to address the issue, the level of automation for addressing these things, memory in their routing platform(s), etc.
There is no one-size-fits all answer.
Owen
> On Dec 26, 2015, at 06:19 , Mike Hammett <nanog at ics-il.net> wrote:
>
> How much is an acceptable standard to the community? Individual /32s ( or /64s)? Some tipping point where 50% of a /24 (or whatever it's IPv6 equivalent would be) has made your naughty list that you block the whole prefix?
>
>
>
>
> -----
> Mike Hammett
> Intelligent Computing Solutions
> http://www.ics-il.com
>
>
>
> Midwest Internet Exchange
> http://www.midwest-ix.com
>
>
> ----- Original Message -----
>
> From: "Owen DeLong" <owen at delong.com>
> To: "Dan Hollis" <goemon at anime.net>
> Cc: "Mike Hammett" <nanog at ics-il.net>, "NANOG" <nanog at nanog.org>
> Sent: Saturday, December 26, 2015 1:00:35 AM
> Subject: Re: de-peering for security sake
>
>
>> On Dec 25, 2015, at 22:16 , Dan Hollis <goemon at anime.net> wrote:
>>
>> On Fri, 25 Dec 2015, Owen DeLong wrote:
>>> Merely because people are asleep at the switch does not give those of us in a position to understand the consequences license to abuse our position.
>>
>> At what point do you cut the wire? How abusive is acceptable?
>
> IMHO, you never cut the wire. You may filter selectively, but cutting the wire comes with far more collateral damage than actual useful effect.
>
> Owen
>
More information about the NANOG
mailing list