[Sanctions-Research] Beacon
Bill Woodcock
woody at pch.net
Sat Mar 19 02:00:29 PDT 2022
> On Mar 19, 2022, at 12:58 AM, Bill Woodcock <woody at pch.net> wrote:
> I propose the following:
> - 69.166.14.53
> - beacon.sanctions.net, which would resolve to:
> - 69.166.14.54
This won’t work. Undoubtedly some people will over-block the sanctioned /32 to a /24 by policy, and that will render all the other more-specific stuff unreachable.
So, on the IPv4 side, we need to use a fresh swamp C, put a sanctioned /32 beacon in the feed, but also BGP advertise the whole /24, with another target outside the sanctioned /32, so that they can be compared, and a control in an unrelated prefix (which should probably be the project web site itself). Same thing on the IPv6 side, except we don’t need an independent allocation, just a /64 that can be independently advertised.
On the domain side, we need to distinguish between over-blocking up the hierarchy, DNSSEC issues, and lack of dual-stacking on the client and intervening transit networks…
So there, I think we need to beacon a matrix of signed/unsigned A/AAAA and a control.
Thoughts? Further refinement?
-Bill
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <http://lists.sanctions.net/pipermail/research/attachments/20220319/deab7321/attachment.sig>
More information about the Research
mailing list