Hello,
First, is there a need to constantly rename subjects? I find this more confusing than helpful to keep track of a conversation on this list.
On 30 May 2021, at 10:15, Peter Müller peter.mueller@ipfire.org wrote:
Hello Michael, hello *,
before I start coding, I just wanted to share my current idea of importing IP feeds from Amazon AWS in a less insecure way. Comments, etc. are appreciated. :-)
You already submitted some code before. What happened to that?
(a) Run "location-importer update-whois" and "location-importer update-announcements", as we did before. (b) Introduce something like "location-importer update-3rd-party-feeds", which is a blanket function for updating all the 3rd party feeds we will have at some day, as Amazon for sure won't be the only one.
Does this need a third command? Why can this not be part of “update-whois”?
(c) In case of Amazon, download their feed, parse it and put the results in a temporary table. (d) Process a list of Autonomous Systems owned or controlled by Amazon.
Where is this list coming from?
(d) Delete every IP network from this temporary table which is not announced by one of the Autonomous Systems. That way, we limit potential damage by a broken or manipulated Amazon IP feed to their ASNs.
This is your second step (d).
When you say you are comparing this, what is the authority for this? The BGP feed? Whois?
(e) Anything left in the temporary table is safe to go, and will be merged into the overrides table.
Sounds a bit complicated than my first patch looked like, but is more versatile and robust. :-)
I kind of liked the first patch. It was simple and it worked.
Speaking of robustness, do we want a "source" column for the overrides table as well? Although it won't appear in the generated database or it's .txt dump, it might be worth having, so we still have transparency on 3rd party feeds at this point.
I do not think it is worth it, because it is easy to check. If you want it, I wouldn’t object either.
Thanks, and best regards, Peter Müller