[CentOS-mirror] IRC meeting regarding new mirroring system for CentOS

Wed Nov 10 22:52:11 UTC 2010
Jonathan Thurman <JThurman at nwresd.k12.or.us>

> My only concern is that I wouldn't want just anyone to be able to choose my
> mirrors as a default.  Let's say the new guy accidentally tells his 10,000
> servers to hit our California mirror as their primary mirror, we'd be in trouble.

What's to stop someone from doing this now? It is a risk that you take being a public mirror.  Hopefully the only one in trouble is the 'new guy' when you rate/connection limit him and his updates take forever...

> Summary: It should be up to the mirror maintainer to determine what traffic is
> artificially steered to it, and he should only be allowed to steer
> traffic from IPs under his direct control (AS).

I completely agree that any manipulation of a netblock needs to be somehow validated (whois contact email used for authorizing block addition for example).  However I don't believe this should be limited to the mirror maintainer and only the AS/netblocks they control.  For example, say a customer of ours wants to point their entire AS at our mirror as we have a dedicated link and plenty of bandwidth.  They announce their own AS, so that's out.  GeoIP says that the OSU mirror is closer, but it's really a horrible 19 hop slow transit connection that is a much larger financial impact.

So the options are to allow the mirror maintainer to add additional AS / netblocks (with validation), or allow anyone to create an account and change the traffic flows (for validated blocks).  I would favor the second option, especially if an OpenID system was used for authentication.  The first option doesn't give the actual netblock owner the ability to change their mind.  Perhaps as an additional safeguard against the 10,000 server hit there could be a request sent to the mirror maintainer to approve custom routes to their servers.
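
Editor's added example, not part of the message above and not code from the CentOS mirror system: a sketch of the second option, where a custom route only takes effect once the netblock owner has been validated and the mirror maintainer has approved it. The class names, mirror names and documentation-range netblocks are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Override:
    netblock: object                   # ipaddress network being steered
    mirror: str                        # mirror the owner wants to use
    owner_validated: bool = False      # e.g. confirmed via whois contact email
    maintainer_approved: bool = False  # mirror maintainer accepted the route

    @property
    def active(self):
        # Both parties must agree before any traffic is steered.
        return self.owner_validated and self.maintainer_approved


class SteeringTable:
    def __init__(self, geoip_default):
        self.geoip_default = geoip_default  # callable: client IP -> mirror
        self.overrides = []

    def request(self, netblock, mirror):
        ov = Override(ipaddress.ip_network(netblock), mirror)
        self.overrides.append(ov)
        return ov

    def withdraw(self, ov):
        # The netblock owner can change their mind at any time.
        self.overrides.remove(ov)

    def resolve(self, client_ip):
        ip = ipaddress.ip_address(client_ip)
        hits = [o for o in self.overrides if o.active and ip in o.netblock]
        if hits:  # most specific validated block wins
            return max(hits, key=lambda o: o.netblock.prefixlen).mirror
        return self.geoip_default(client_ip)


def demo():
    table = SteeringTable(lambda ip: "geoip-nearest")  # constructed fallback
    ov = table.request("198.51.100.0/24", "mirror-a")
    seen = [table.resolve("198.51.100.7")]         # nothing confirmed yet
    ov.owner_validated = True
    seen.append(table.resolve("198.51.100.7"))     # maintainer not asked yet
    ov.maintainer_approved = True
    seen.append(table.resolve("198.51.100.7"))     # route now active
    seen.append(table.resolve("203.0.113.9"))      # outside the block
    table.withdraw(ov)
    seen.append(table.resolve("198.51.100.7"))     # owner withdrew
    return seen
```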