BGP Experiment
Owen DeLong
owen at delong.com
Sat Jan 26 19:37:05 UTC 2019
I think that’s a bit of reductio ad absurdum from what has been said.
I would prefer that researchers collaborate to:
1. Compile a list of lists that should be notified of such experiments in
advance. Try to get the word out to as much of the community
as possible through various NOGs and other relevant industry
lists.
2. Use said list of lists to provide at least 7 days advance notice of
such testing, ideally with links to the details of the vulnerability
in question and known vulnerable and known good code bases
for as many software/hardware platforms as feasible. (Ideally
list unknowns and solicit feedback as well).
3. Provide contact information for reporting test-related problems,
issues, affected software versions, etc. Ideally an email address
for after-action reports of data and a phone number that will
be monitored during active testing for emergent reports of
test-related service disruptions.
4. Conduct the test for incrementally longer periods over time.
e.g. start with a 15 minute test on the first try and then run
30, 60, and multi-hour tests on later dates after addressing
any reported problems during earlier tests.
I think such behavior would provide the best intersection of encouraging
patching/fixing while also minimizing disruption and harm to innocent
third parties.
Owen
> On Jan 26, 2019, at 8:15 AM, Randy Bush <randy at psg.com> wrote:
>
> i just want to make sure that folk are really in agreement with what i
> think i have been hearing from a lot of strident voices here.
>
> if you know of an out-of-spec vulnerability or bug in deployed router,
> switch, server, ... ops and researchers should exploit it as much as
> possible in order to encourage fixing of the hole.
>
> given the number of bugs/vulns, are you comfortable that this is going
> to scale well? and this is prudent when our primary responsibility is a
> running internet?
>
> just checkin'
>
> randy
>
>
> PS: if you think this, speak up so i can note to never hire or recommend
> you.
>
> PPS: Anant Shah, Romain Fontugne, Emile Aben, Cristel Pelsser, and Randy
> Bush; "Disco: Fast, Good, and Cheap Outage Detection"; TMA 2017
> ^^^^^ :)