
Re: [Sks-devel] keyserver stats gathering


From: Mire, John
Subject: Re: [Sks-devel] keyserver stats gathering
Date: Wed, 24 Feb 2016 09:19:08 +0000

On 2/24/2016 00:31, Phil Pennock wrote:
> On 2016-02-24 at 06:17 +0000, Mire, John wrote:
>> What is the process for the keyserver status page generation 
>> (https://sks-keyservers.net/status/)
>>  i.e., what scripts/queries are executed against the individual keyserver? 
>> How often?
>> Campus is setting up Palo Alto firewalls with traffic/application inspection 
>> and profiling
> It's an HTTP request, against the regular HKP service, just on a special
> endpoint; eg:
>
>   http://sks.spodhuis.org:11371/pks/lookup?op=stats
>
> The only thing different about this is `op=stats` instead of `op=index`
> or whatever.
>
> This is considered public information, because your peers expect to be
> able to look at this to diagnose problems with the peering: your
> problems can become their problems, if you fall too far behind.
>
> Kristian has some PHP scripts which do the work for the
> sks-keyservers.net pages; I have other tooling, others will use
> browsers.  Kristian's service is considered "canonical" by most, but is
> not in any way using privileged access.
>
> If you start blocking "unusual" requests for the stats which aren't at
> DoS levels then you'll upset your peers and lose peering.
>
> -Phil
>

The gossip, queries and stats traffic is not a problem, according to
Security, what they were questioning me about was the queries to the
server flagging CVE-2014-3207 as a concern.  I had to look up this vuln
and couldn't answer their questions.  I know I'm running >= 1.1.5 so I
don't have to worry.  So if there are scripts being run against the
server that should be whitelisted, it's not documented anywhere they
could find, including the wiki and the associated links for source.

/john

-- 
John Mire: address@hidden
LSU Health System
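
Added example, not part of the original messages and not code from the SKS project or sks-keyservers.net: a small classifier a security team could run over request logs to separate the `op=stats` polling described above from other lookups, and to mark stats polling above a chosen limit. The log line format, the limit and the sample addresses are assumptions; the `get`/`index`/`vindex` values are assumed from the HKP draft, not taken from this thread.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# op values accepted on /pks/lookup. "stats" is the one described in the thread;
# get/index/vindex are assumed from the HKP draft, not taken from this page.
KNOWN_OPS = {"get", "index", "vindex", "stats"}

def classify(target):
    """Return 'stats', 'lookup' or 'other' for one request target or full URL."""
    parts = urlsplit(target)
    if parts.path != "/pks/lookup":
        return "other"
    ops = parse_qs(parts.query).get("op", [])
    if len(ops) != 1 or ops[0] not in KNOWN_OPS:
        return "other"  # missing, repeated or unknown op
    return "stats" if ops[0] == "stats" else "lookup"

def summarize(log_lines):
    """Count request classes per client from 'client METHOD target' lines."""
    per_client = {}
    for line in log_lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # not in the assumed format
        client, method, target = fields
        kind = classify(target) if method == "GET" else "other"
        per_client.setdefault(client, Counter())[kind] += 1
    return per_client

def stats_pollers(per_client, limit):
    """Label each client that requested stats as 'expected' or 'excessive'."""
    return {c: ("excessive" if n["stats"] > limit else "expected")
            for c, n in per_client.items() if n["stats"] > 0}

# Constructed sample lines (documentation addresses, hypothetical log format).
SAMPLE = [
    "192.0.2.10 GET /pks/lookup?op=stats",
    "192.0.2.10 GET http://sks.spodhuis.org:11371/pks/lookup?op=stats",
    "198.51.100.7 GET /pks/lookup?op=index&search=alice",
    "198.51.100.7 GET /pks/lookup?op=stats&op=get",
    "203.0.113.9 GET /index.html",
] + ["203.0.113.5 GET /pks/lookup?op=stats"] * 5

if __name__ == "__main__":
    counts = summarize(SAMPLE)
    for client, label in stats_pollers(counts, limit=3).items():
        print(client, dict(counts[client]), label)
```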
 



