[Sanctions-Research] Beacon resource accumulation complete.

John Kristoff jtk at dataplane.org
Mon Apr 18 15:06:46 PDT 2022 

On Mon, 11 Apr 2022 16:20:02 +0200
Bill Woodcock <woody at pch.net> wrote:

> I believe we need input now from the research community as to exactly
> how you’d like the strobe function of the beacon configured.  Please
> bear in mind that we’d like to serve web objects from the beacons, so
> that an end-user-visible web page can be loaded, showing the status
> of each beacon… If we strobe, we need the underlying web page to
> update on the same frequency, such that the expected state of each
> beacon is correct relative to the page.

Ideally there would exist a set of stable names and addresses that are
always in the block lists, a set never in the block lists, and a set
that "cycles" in and out of the block list.  As much as possible, the
ability to perform unique look ups or access a unique destination is
beneficial to avoid caching effects and to evaluate change over time.  A
set of proposals to measure those sort of things is below, but we are
certainly open to adjustments required for operations or enhancements to
streamline:

For DNS

* Create a default "allow" RR that is never added to the
  block lists. For example:

  ; allow 
  *.sanctions-beacon.net   300 IN A 192.0.2.1

* Create a "blocked" zone.  Everything at the apex or below the zone
  should go in your block lists.  The zone should have a wildcard A RR
  in order to perform one-time unique queries in the blocked zone.  For
  example:

  ; block all names with regex /block\.sanctions\-beacon\.net$/
  block.sanctions-beacon.net   300 IN A 192.0.2.1
  *.block.sanctions-beacon.net 300 IN A 192.0.2.1

* Once-a-day, add and remove a unique name from the block lists.
  Encode the date into each day's blocked name.  For example:

  ; If date == 1970-01-01
  ;     block19700101.sanctions-beacon.net and only in RPZ
  block19700101.sanctions-beacon.net 300 IN A 192.0.2.1
  block19700102.sanctions-beacon.net 300 IN A 192.0.2.1
  ; ...

For IPv4/IPv6 addresses

Create a "blocked" address/prefix.  This should go in your block
lists.  For example:

  45.154.219.254/32 next-hop /dev/null
  2620:a9:2000:254::/64 next-hop /dev/null

Create an "allowed" address/prefix that is never added to the block
lists.  For example:

  45.154.219.253/32
  2620:a9:2000:253::/64

* Once-a-day, add and remove a unique address/prefix from the block
  lists. Encode the month's day number into the address.  For example:

  ; if day of month = DD
  ;   add only these to block list, remove other DD combinations.
  ; IPv4: 45.154.219.DD/32
  ; IPv6: 2620:19:2000:DD::/64
  45.154.219.15/32 next-hop /dev/null
  2620:a9:2000:15::/64 next-hop /dev/null

Lastly, the web destination should minimally include a generated current
timestamp and the client IP address of the access request. Other
HTTP header information would be useful for analysis or debugging as
well. Note, we may not always use this returned information where
experiments would consider it to be PII.

The names and addresses can all point to the same web systems.

John

More information about the Research mailing list