Dear fellow networkers,

> A new version of the proposal "prop-110: Designate 1.2.3.0/24 as
> Anycast to support DNS Infrastructure" has been sent to the Policy SIG
> for review.
> 
> Information about earlier versions is available from:
> 
> http://www.apnic.net/policy/proposals/prop-110
> 
> You are encouraged to express your views on the proposal:
> 
> - Do you support or oppose this proposal?
> - Is there anything in the proposal that is not clear?
> - What changes could be made to this proposal to make it more effective?

I am a time traveller, just got back from 2016. In my time slice the
internet has become unusable due to ongoing gigantic amplification
attacks and security issues. Therefore I am here to warn you about
prop-110 and highlight some past events:

In July 2014, prop-110 is ratified and a small group of operators start
anycasting the 1.2.3.0/24 prefix.

By September 2014, the 1.2.3.0/24 prefix gains traction; it has become
globally visible despite recommendations to only propagate it in a
localized scope. Many operators pride themselves on providing this
service to the general public.

A milestone: In December 2014 a large merchant silicon CPE vendor
hardcoded 1.2.3.4 as the sole caching resolver in its firmware. Millions
of end-users rely on the community-run DNS service.

However, in 2015 things took a turn for the worse. The internet
community so far was not able to come up with a way to either
authenticate or deprecate UDP, nor has any form of *SEC been made
available on the last mile between client and resolver.

Most of the early adopters who leaked paths to 1.2.3.4-resolvers lost
interest or moved to other jobs; thousands of instances around the world
now run on auto-pilot. Evil-doers from all walks of life realized the
fantastic mess we created with prop-110 and launched campaigns:

- ISPs drop queries from competing networks 1 out of 100 times;
  end-users experience a degraded service.
- 1.2.3.4-instances around the globe send massive amounts of traffic to
  innocent victims; only one out of 50 operators implemented RRL in any
  form. Companies stop investing in backbone capacity; no-one can afford
  pipes big enough to sustain the amplification attacks.
- Operators of phishing farms realize the brilliant value of hosting a
  1.2.3.4-instance which responds with crafted messages for all banking
  services. The financial sector loses all confidence in the internet.
- The support desk industry triples in size; the flood of calls from users
  experiencing some form of DNS issue keeps growing. Geeks realize that
  debugging any 1.2.3.4-issue is impossible.

OK I've run out of time, I gotta go forward to 2016 - someone just
emailed prop-194 "Repurposing 1.1.1.1 as public Anycasted NTP service".

Kind regards,

Job
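The amplification point above hinges on response rate limiting (RRL): an open resolver answering spoofed queries sends large responses to whoever's address was forged. The following is an added illustration, not code from the post or from APNIC: a simplified token-bucket model of RRL (keyed by client /24, qname and qtype, the way BIND keys it, but not BIND's exact accounting) run over a constructed query stream, showing how much traffic reaches a spoofed source with and without the limit. All addresses and names are constructed documentation values.

```python
"""Simulate DNS response rate limiting (RRL) over a constructed query stream.
Illustrative token-bucket model, not BIND's exact RRL accounting. Times are
integer milliseconds and tokens are kept in thousandths so arithmetic is exact."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Query:
    t_ms: int          # arrival time in milliseconds
    src: str           # source IP (spoofed to the victim's address in a reflection attack)
    qname: str
    qtype: str
    resp_bytes: int    # size of the UDP response the resolver would send


def prefix24(ip):
    """RRL buckets are keyed by the client's /24, not by the single address."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


class Rrl:
    """Token bucket per (client /24, qname, qtype): at most `rps` identical
    responses per second toward one network, with a burst of `rps`."""
    def __init__(self, rps=5):
        self.rate_per_ms = rps        # millitokens refilled per millisecond
        self.capacity = rps * 1000    # millitokens; one response costs 1000
        self.buckets = {}             # key -> (millitokens, last_seen_ms)

    def allow(self, q):
        key = (prefix24(q.src), q.qname, q.qtype)
        tokens, last = self.buckets.get(key, (self.capacity, q.t_ms))
        tokens = min(self.capacity, tokens + (q.t_ms - last) * self.rate_per_ms)
        allowed = tokens >= 1000
        self.buckets[key] = (tokens - 1000 if allowed else tokens, q.t_ms)
        return allowed


def bytes_sent_per_source(queries, rrl=None):
    """Bytes the resolver would emit toward each source address, with or without RRL."""
    sent = defaultdict(int)
    for q in sorted(queries, key=lambda q: q.t_ms):
        if rrl is None or rrl.allow(q):
            sent[q.src] += q.resp_bytes
    return dict(sent)


def constructed_stream():
    """Constructed sample: 300 spoofed ANY queries in 3 s (3 KB answers each)
    plus 5 ordinary A queries from a legitimate client."""
    flood = [Query(i * 10, "198.51.100.7", "example.net.", "ANY", 3000) for i in range(300)]
    legit = [Query(i * 500, "203.0.113.42", "www.example.org.", "A", 80) for i in range(5)]
    return flood + legit
```

Without RRL the spoofed address receives 900 KB for 3 seconds of small queries; with a 5/s limit it receives 57 KB, while the legitimate client's 5 queries are all answered.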
