[Sanctions-Research] Beacon

Bill Woodcock woody at pch.net
Fri Mar 18 19:32:34 PDT 2022



> On Mar 19, 2022, at 3:18 AM, John Kristoff <jtk at dataplane.org> wrote:
> 
> On Sat, 19 Mar 2022 00:58:32 +0100
> Bill Woodcock <woody at pch.net> wrote:
> 
>> - beacon.sanctions.net, which would resolve to:
> 
> The answer to this name may be cached by resolvers or forwarders.
> Would it be possible to also provide a zone to be blocked?  One that has
> a wildcard A RR that can be queried for a one-time unique name.

Heck, we can do whatever’s useful…  Yes, that sounds like a good plan.  I guess we’d need to do both if we were going to do a visual indicator on a web page.

>> Thoughts?  What else might we want to set up prior to day one?
> 
> What data exactly do you plan to collect at the authoritative DNS
> servers and at the addresses?  What can be used for research
> measurements?

Can you use more words, and explain the questions more fully?

I’m trying to make sure we provide beacons to support research, and support a visualization for users, but I wasn’t planning on collecting any data, except in support of research that you or others might specify.

> Have you worked out the feed formats and how they will be published?

The BGP feed of IP addresses is pretty straight-forward… We’re still talking with operators to make sure that we do the simplest thing that’s not too simple to work.  We haven’t yet figured out a simple way to include ASNs, still mulling that over.  The RPZ feed will be standard as-produced-by-BIND.

> Will there be some sort of official history of changes to the
> feeds maintained somewhere?

We will announce any change (except to the beacons) on the announce mailing list, and document it on the web site.  To be clear, we’re not anticipating that this will be a frequent event.  So we’re anticipating that the web site will display a complete log, and a complete log could be scraped from the announce mailing list as well.

> One other potentially useful approach to generating a beacon is to
> periodically add or remove a one-time use beacon (e.g. name or address)
> over time. This could be especially useful when trying to measure
> whether use of the feed is in sync with current published feed data.
> I realize this might be harder with IPv4 since I presume you don't have
> lots of spare v4 addresses.

Some, but not an infinite number.  Would just cycling periodically between two addresses do the trick?  i.e. we beacon one on even weeks and the other on odd weeks?  I guess you’re wanting to see whether people somehow get stuck on an old policy?  I don’t _imagine_ people would ingest this and then transform it into permanent policy, but you’re right that that’s a possibility, and I guess we’d want to know if people were doing that.  Probably more likely with the domain names than the IP addresses.

                                -Bill
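
Added example, not part of the original message or the project's code: a sketch of the two measurement ideas discussed in this thread, a one-time name under a wildcard zone so that no cached answer can be returned, and a two-beacon weekly rotation used to tell a current feed from a stale or permanently ingested one. The zone name, the addresses, the week-numbering rule, the reading that the feed lists one beacon per week, and the result labels are all assumptions; the thread fixes none of them.

```python
import datetime
import secrets

# Hypothetical placeholders: the thread names neither the wildcard zone nor
# the two rotating beacon addresses.
WILDCARD_ZONE = "wild.beacon.example"
BEACONS = {"even": "192.0.2.1", "odd": "192.0.2.2"}  # RFC 5737 documentation range


def one_time_name(zone=WILDCARD_ZONE):
    """Return a unique name under the wildcard zone; no resolver has it cached."""
    return f"{secrets.token_hex(8)}.{zone}"


def listed_beacon(day):
    """Return which beacon the feed is assumed to list during the week of `day`.

    Weeks are counted continuously (Monday start) rather than by ISO week
    number, so the rotation still alternates across a 53-week year.
    """
    week_index = (day.toordinal() - 1) // 7
    return "even" if week_index % 2 == 0 else "odd"


def classify(day, reachable):
    """Compare observed beacon reachability with the rotation schedule.

    `reachable` maps "even"/"odd" to True when a probe from the measured
    network reached that beacon. A network outage also looks like
    "permanent", so a control target should be probed alongside.
    """
    listed = listed_beacon(day)
    other = "odd" if listed == "even" else "even"
    blocked_listed = not reachable[listed]
    blocked_other = not reachable[other]
    if blocked_listed and not blocked_other:
        return "in-sync"        # enforcing this week's feed
    if blocked_other and not blocked_listed:
        return "stale"          # still enforcing last week's feed
    if blocked_listed and blocked_other:
        return "permanent"      # entries copied into policy and never aged out
    return "not-filtering"      # feed not applied on this path
```
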
