On Oct 24, 2009, at 3:17 AM, Joe Greco wrote:
Isn't blocking any port against the idea of Net Neutrality?
Yes.
Owen
No.
The idea of net neutrality, in this context, is for service providers to avoid making arbitrary decisions about the services that a customer will be allowed.
Right.
Blocking 25, or 137-139, etc., are common steps taken to promote the security of the network. This is not an arbitrary decision (and I am defining it this way; I will not play semantics about "arbitrary". Read along and figure out what I mean.) For 25, SMTP has proven to be a protocol that has adapted poorly to modern life, and a variety of issues have conspired that make it undesirable to allow random home PC's to use 25. Reasonable alternatives exist, such as using 587, or the ISP's mail server. A customer isn't being disallowed the use of SMTP to send mail (which WOULD be a problem). A customer may use any number of other mail servers to send mail. Not a serious issue, and not arbitrary... it's generally considered a good, or even best current, practice.
A common practice of breaking the network for your customers does not make the network any less broken and does not make the action network neutral
The SMTP protocol has adapted just fine. Certain operators of SMTP servers, on the other hand, are a different issue. I don't take exception if you want to block those SMTP servers. I do take exception if you block the protocol entirely.
587 is the exact same protocol as 25, just with different host configuration policies. As such, I would hold up 587 as an example to prove my point.
Except it doesn't. 587 is "submission done right"; whereas 25 is "transit." 587 and 25 are conceptually completely different, even if they use a common underlying protocol. That's why 587 not only does not prove your point, but it actually allows me to show that it isn't SMTP being interfered with, but rather just the uncontrolled submission of e-mail to remote machines. Does network neutrality mean that dialup operators will have to allow PPP users to connect without a login and password?
Blocking VoIP from your network to Vonage, because you want your customers to buy your own VoIP service? That's a very clear problem. There's no justifiable reason that any viable broadband service provider would have for blocking VoIP. Yet there could be a reason to forbid VoIP; I can, for example, imagine some of the rural WISP setups where the loads caused on the infrastructure interfere with providing service.
Some providers block outbound 25 to other email service providers because they want your outgoing email to go only through their own unauthenticated, unsecure mail servers. (I have had at least one former ISP refuse to unblock port 25 or 587 for me to a host that was running TLS and SMTPAUTH while they insisted that I use their port 25 server which did not listen on port 587 and would not accept TLS or SMTPAUTH).
Blocking 25 isn't a problem. Blocking 587 is. Requiring all e-mail to go through their servers is also a problem. That's because there is a good reason for the 25 blocking, one that you can trivially work around on 587. Blocking 587 is overreaching, and is dictating that you must use their servers. That is not neutral.
Similarly, it'd be ridiculous to expect an 802.11b based rural WISP to be able to support HD Netflix streaming, or dialup ISP's to be able to support fast downloading of movies. These are not arbitrary restrictions, but rather technological ones. When you buy a 56k dialup, you should expect you won't get infinite speed. When you buy WISP access on a shared 802.11b setup, you should expect that you're sharing that theoretical max 11Mbps with other subs.
Right... Those are not arbitrary, they are valid. Blocking all access to port 25 is, on the other hand, arbitrary.
It's not, because there is an obvious ongoing problem with infected end-user machines sending spam, and no particular reason that an end- user machine needs to be able to send e-mail to random remote sites. A huge amount of good is accomplished for the 'net as a whole when a service provider blocks 25. They're not preventing you from sending e-mail, they're just requiring that it be sent in a manner that complies with current community standards. And there are standards, and you can submit via 587 to alternative e-mail services of your choice. It is not entirely ideal, but it is laughable to construe 25 blocking as making it impossible (or even hard) to send e-mail, given that it most certainly isn't.
There's lots of interesting stuff to think about. Net neutrality isn't going to mean that we kill BCP38 and port 25 filtering. It is about service providers arbitrarily interfering with the service that they're providing. Customers should be given, to the maximum extent reasonably possible, Internet connectivity suitable for general purpose use. Where service providers start infringing on that, that's what should be addressed by network neutrality.
BCP-38 is good. SMTP blocking is not in BCP-38.
Not allowing a user to send forged packets is a perfectly legitimate action. Not allowing a user to send or receive valid packets properly formatted, carrying legitimate traffic for purposes which are not a violation of the providers AUP, on the other hand, is not good.
Oh. Really. But the problem is, you can't play both "BCP38 is good" and "25 blocking is bad." They're of the same cloth. If I'm assigned 24.1.2.3 by Comcast, and Comcast filters my ingress to prevent me from emitting other addresses, you claim that's fine because it's BCP38. There's a problem: I can validly emit a variety of other addresses, in particular any address in 206.55.64.0/20 and some other networks. I am not "forging" packets if I emit 206.55.64.0/20-sourced addresses down a Comcast pipe. How many people realistically have this problem? Well, potentially, lots. Anyone who uses a VPN could have a legitimate IP address on their machine; because of BCP38 (and other security policy) it is common for a VPN setup to forward Internet-bound traffic back to the VPN server rather than directly out the Internet. In some cases, one could reasonably argue that this is undesirable. But overall, security is greatly increased by eliminating the ability to inject forged traffic. We do this through BCP38. BCP38 carries with it some amount of inconvenience to users whose legitimate traffic can not be sent due to the simplistic filtering typically employed. This does not mean BCP38 violates net neutrality, any more than it means 25 blocking violates it. On the other hand, if your ISP is intercepting your DNS, forcing /all/ SMTP through their servers, mandating the use of web proxy servers that add banner ads, blocking VoIP, and RST'ing BitTorrent traffic, then you have a serious net neutrality problem. As operators, the readers in this group should be uniquely qualified to understand: common technical steps taken to ensure the security and continued smooth operation of your network are probably not violating net neutrality, but once you move into the realm of steps taken that damage a competitor, degrade or forbid particular services, or other decisions made for "business" reasons, where such things affect the set of potential things a user could reasonably expect to want to be able to do, then you have to look a bit more carefully at it. ... JG -- Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net "We call it the 'one bite at the apple' rule. Give me one chance [and] then I won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN) With 24 million small businesses in the US alone, that's way too many apples.