Re: Spam, ASNs, CIDRs, and d-u
* Karsten M. Self:
> Background: ASN identifies the Autonomous System. Effectively, these
> are the networks the Internet is networking between. Each is defined by
> a single span of routing authorities, peers, etc., and largely,
> organizational authority. In other words: you've got an identifiable,
> accountable entity with a definable network space. More to the point:
> they're _accountable_ for that space, and had damned well better be
> keeping it clean.
And there are only a few thousand ASNs which are actually used in the
Internet routing table, which means that maintaining a list of
responsible ones is indeed feasible.
> For more general information:
> The data are compiled directly from BGP router maps. My understanding
> is that the zonefiles are downloadable (I'm checking on this now).
> They're certainly cacheable.
I've got a tool that builds optimized zone files from BGP table dumps.
However, you need quite a bit of RAM on the authoritative name server
(BIND 9 grows by 120 MB, I haven't tried nsd so far). All you need is
a BGP (and Quagga), but we should be able to get one on some Debian
machine if we really want to try this approach.
Unfortunately, using BGP to combat spam on a large scale will result
in more spammers attacking BGP. As BGP provides no real
authentication of announcements (there's no end-to-end mechanism, and
a trusted route registry faces huge organizational challenges), and
out-of-band documentation is *extremely* poor, this can result in very
annoying problems. What's worse, tactical hijacking of netblocks for
spamming purposes is no longer a theoretical possibility, it has
already happened. 8-(
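
An added example (not part of the original message, and not the poster's tool): one way a prefix-to-origin table taken from a BGP dump could be shrunk before it is written out as zone data, while every longest-prefix lookup still returns the same origin. The "prefix ASN" row format, the function names and the sample rows are assumptions; the sample uses documentation address space and ASNs.

```python
import ipaddress

# Constructed sample rows ("prefix origin-ASN"); documentation prefixes and
# ASNs, not real routing data.
SAMPLE_DUMP = """\
198.51.100.0/24 64500
198.51.100.0/25 64500
198.51.100.128/26 64501
198.51.100.160/27 64500
203.0.113.0/24 64502
203.0.113.0/24 64503
"""

def parse(dump):
    """Return {network: set of origin ASNs} from 'prefix ASN' rows."""
    table = {}
    for line in dump.splitlines():
        if line.strip():
            prefix, asn = line.split()
            table.setdefault(ipaddress.ip_network(prefix), set()).add(int(asn))
    return table

def covering(table, net):
    """Nearest less-specific prefix of net present in table, or None."""
    for plen in range(net.prefixlen - 1, -1, -1):
        parent = net.supernet(new_prefix=plen)
        if parent in table:
            return parent
    return None

def optimize(table):
    """Drop a prefix only if its nearest covering prefix has the same origins.
    Comparing against any covering prefix would be wrong: 198.51.100.160/27
    sits under a /26 with a different origin and has to stay."""
    kept = {}
    for net, origins in table.items():
        parent = covering(table, net)
        if parent is None or table[parent] != origins:
            kept[net] = origins
    return kept

def lookup(table, addr):
    """Longest-prefix match: the answer a query for addr should get."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in table if ip in n]
    return table[max(hits, key=lambda n: n.prefixlen)] if hits else None

def moas(table):
    """Prefixes with more than one origin; BGP itself will not say which is right."""
    return sorted(str(n) for n, origins in table.items() if len(origins) > 1)
```

Each entry left after optimize() corresponds to one piece of zone data; a prefix listed by moas() needs a manual check before its origin is trusted.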