BGP Experiment

Owen DeLong owen at delong.com
Sat Jan 26 19:37:05 UTC 2019


I think that’s a bit of reductio ad absurdum from what has been said.

I would prefer that researchers collaborate to:

	1.	Compile a list of lists that should be notified of such experiments in
		advance. Try to get the word out to as much of the community
		as possible through various NOGs and other relevant industry
		lists.

	2.	Use said list of lists to provide at least 7 days advance notice of
		such testing, ideally with links to the details of the vulnerability
		in question and known vulnerable and known good code bases
		for as many software/hardware platforms as feasible. (Ideally
		list unknowns and solicit feedback as well).

	3.	Provide contact information for reporting test-related problems,
		issues, affected software versions, etc. Ideally an email address
		for after-action reports of data and a phone number that will
		be monitored during active testing for emergent reports of
		test-related service disruptions.

	4.	Conduct the test for incrementally longer periods over time,
		e.g. start with a 15-minute test on the first try and then run
		30-minute, 60-minute, and multi-hour tests on later dates after
		addressing any problems reported during earlier tests.

I think such behavior would provide the best intersection of encouraging
patching/fixing while also minimizing disruption and harm to innocent
third parties.

Owen


> On Jan 26, 2019, at 8:15 AM, Randy Bush <randy at psg.com> wrote:
> 
> i just want to make sure that folk are really in agreement with what i
> think i have been hearing from a lot of strident voices here.
> 
> if you know of an out-of-spec vulnerability or bug in deployed router,
> switch, server, ... ops and researchers should exploit it as much as
> possible in order to encourage fixing of the hole.
> 
> given the number of bugs/vulns, are you comfortable that this is going
> to scale well?  and this is prudent when our primary responsibility is a
> running internet?
> 
> just checkin'
> 
> randy
> 
> 
> PS: if you think this, speak up so i can note to never hire or recommend
>    you.
> 
> PPS: Anant Shah, Romain Fontugne, Emile Aben, Cristel Pelsser, and Randy
>     Bush; "Disco: Fast, Good, and Cheap Outage Detection"; TMA 2017
>            ^^^^^ :)