I would like to point out that an effort along these lines was taken about 10-12 years ago and documented here: https://nabcop.org/index.php/DDoS-DoS-attack-BCOP
This likely can be refreshed or used as input material for something new. There are other items on that site and OIX (previously Open-IX) still references the Peering related BCOP.

On Fri, Aug 2, 2024 at 3:18 PM Compton, Rich via NANOG <nanog@nanog.org> wrote:

> Hi, I would like to volunteer to help with bullet two: “DDoS mitigation. BCP38, communities for RTBH, packet scrubbing, etc. What can we do collectively?”.
>
> -Rich
>
> *From: *NANOG <nanog-bounces+rich_compton=comcast....@nanog.org> on behalf of Howard, Lee via NANOG <nanog@nanog.org>
> *Date: *Friday, August 2, 2024 at 12:05 PM
> *To: *NANOG list <nanog@nanog.org>
> *Subject: *Norms and Standards
>
> Last October at NANOG89 in San Diego, John Curran exhorted us to work together <https://urldefense.com/v3/__https:/youtu.be/U1Ip39Qv-Zk?feature=shared__;!!CQl3mcHX2A!CvvxNrHPzj7sjlrV8-3YxEA2AbO8sy-5tG4p2CFqz-PvU2jJTkdbz4Ag3lNojuxp5O9PagUfwH2LFVMcXQ$> to document best practices before governments developed their own.
>
> John pointed out that in many industries, technical requirements and standards inform public policy goals, and vice versa. Then, when regulation is enacted, it refers to the standards developed by those technical experts. For example, the policy goal of protecting people from house fires is promoted through building codes (laws) which reference fire and electrical codes developed by standards bodies.
>
> Governments are instituted by people to provide national defense, perform public services, protect children and vulnerable people, safeguard privacy and freedom, and prosecute those who transgress the above[1]. However, governments don’t operate the Internet, so when there are threats to or violations of the governmental role, they look to us. As John notes, they are increasingly looking at their roles with respect to the Internet.
>
> If we don’t work together to provide tools to enable governments to fulfill their legitimate role, they will do what they think is best.
>
> If we have agreed on some norms and standards, then they can point to those and say, “This looks like best practice.” In many cases, that gives us a *safe harbor* against additional action from governments—if I can show I’m following accepted best practices, I’m less of a target than my non-compliant competitors.
>
> What should we work on together?
>
> - We already have MANRS, KINDNS, some anti-spam (no open relays, block port 25, etc.).
> - DDoS mitigation. BCP38, communities for RTBH, packet scrubbing, etc. What can we do collectively?
> - Infrastructure protection. Best practices for protecting your devices and services.
> - Critical infrastructure protection. Do we have a role in protecting power plants, hospitals, etc., more than others?
> - Net neutrality. Is there more than just “don’t inspect above L3”? Do CDNs or caches privilege some content unfairly?
> - IPv6? The government angle is mostly anti-CGN, but this is a greater problem outside this region.
> - Other ideas?
>
> If a group of people can pick one topic and start documenting best practices, we may be able to do something good. I’m not worried about process yet: content first.
>
> Is there a topic above, or another one, on which folks would like to collaborate to describe best practices?
>
> Lee
>
> [1] Even if you disagree that there is a legitimate role for governments, they think they have these roles, and they have the power to compel.

--
[stillwa...@gmail.com ~]$ cat .signature
cat: .signature: No such file or directory
[stillwa...@gmail.com ~]$ cat .disclaimer
All opinions are my own and do not represent any of my employer.
[stillwa...@gmail.com ~]$ cat .pronouns
He/Him