It appears that Vasilis Giotsas <vasi...@cloudflare.com> said:
>I'm also supportive of this draft, I think it can be very useful if widely
>adopted.
>
>One issue that some of my colleagues identified is the following:
>There are malicious ASNs out there who acquire huge amounts of IP6 space
>(like multiple /32's) to use for scraping, attacks, etc – they could set
>their prefix lengths to 128 and completely blow the storage of any database
>that trusts them.
>Similarly, a malicious ASN may falsely tag its prefixes as CGNAT so that it
>avoids blocking or throttling.
>
>Maybe the security considerations section can cover some of those cases.

Earlier this year I was talking to people at large mail systems who want
something like this to help manage IPv6 mail reputations, and the same
question came up, what if networks lie?

The answer was that you'd only believe the prefix info from networks that
already have a good reputation. If the network's reputation is bad, the
whole network is bad.

A sentence or two could remind people that like any other third party data,
the data can be arbitrarily hostile so treat it with appropriate scepticism.

R's,
John

PS: It's an example of the general rule that you can't say anything about
yourself to improve your own reputation.

_______________________________________________
OPSAWG mailing list -- opsawg@ietf.org
To unsubscribe send an email to opsawg-le...@ietf.org