At 03:54 PM 10/30/2003, Alex Yuriev wrote:
> The way currently people propose everyone operates is equivalent to a company that transmits AC to customer deciding that some part of the AC waveform is "harmful" to its equipment, and therefore should be filtered out. Of course, no one bothers to tell the customer that the filter exists, or what is being filtered, or when, or how.
So, electric grids do not have any mechanisms to disconnect from other grids (i.e., stop "transiting" their electricity) if one is doing something that causes problems on the local grid? As a customer I would very much like my provider to filter out waveforms that would prevent their ability to provide me with my service.
> They disconnect the SOURCE of the problem forcing the SOURCE to behave. That is equivalent of forcing the ES to behave.
The source of the problem of bad packets is where they ingress to my network. I disconnect the flow of bad packets through filtering. What is the difference, other than I do not remove an entire interconnect, only the portion of packets that is affecting my ability to provide services?
If the issue is how to communicate what is being filtered to the customer, then we simply need to find a way to do that. The solution to "it is hard to communicate what is being filtered to the end-users" is not "oh well, we won't filter anything". At least not as I see it.
> Traffic to port X cannot be specified as valid or invalid for any IS, because the IS does not know why such traffic exists. Traffic ES<->ES on port X can be valid or invalid because ES knows if it is valid traffic. If you want to filter that traffic, filter it for a specific ES (the one that does not want it) and force whoever is sending you that traffic to play nicely. It is DIFFERENT from saying "We drop all packets that match port X"
Consider the recent scanning behaviour of the Nachi/Welchia worms. You have now *many* sources, and *many* destinations. Due to the overwhelming traffic (considering that several commonly used networking devices were not able to keep a forwarding table due to the size of all the src/dest pairs) causing problems on the network, what steps would you suggest be taken? Consider you are running a network with tens of thousands of end-users connecting and disconnecting at random points in the network. Do you enter a specific reflexive rule for every src/dst pair? Or do you implement wide-scale filtering of the traffic if it is easily identifiable based on the "signature" of src port/dst port/payload?
Supposing a network *did* provide a way to inform customers what was being filtered. Would you still object to the filtering?
> If I request that traffic, of course I would object!
And if service goes down for you, as I serve a DOS to another customer, would you also object in that case? Even if the other customer had not yet complained to me about the DOS?
> Another excellent example - UPS will not remove that. The shipper will.
How? I'm the shipper. I put the RF generating device into a package and give it to UPS. They will do nothing to remove it or not ship it? It is only up to me to not do it? Al Qaeda would love that to be true, I'm sure. :)
> After that package is removed, you, the shipper, are going to have your hands slapped very hard, which will force you in future to behave. By doing this, we successfully enforced ES filtering.
Right, and that assumes that every ES wants to do the right thing, and knows better. Just like everybody used to have open SMTP relaying as people who did bad things with SMTP got their hands slapped. And since UPS is rejecting only certain packages, they have just implemented filtering as an IS based on the contents of the package they are being asked to carry, despite my desire as a shipper to ship it, and a corresponding desire of the receiver to receive it.
There is a chain of agreements connecting you to the source/dest of any traffic on your network. Even if it is a customer of a customer of a customer, you have a chain of agreements that establishes you as a party.
In what scenario would there not be a chain of agreements to connect you as a party?
> Even if I have an agreement with you that you sell me a GSR for $5.00, which you have an agreement with RS to get from him, I do not have an agreement with RS that lets me get the GSR from him for $5.
I don't see how that is the same thing here. I have an agreement with cust X to provide services in accordance with my AUP. cust X resells that service to cust Y, etc. cust Y is bound to the terms and conditions of my agreement with cust X, despite that I do not have a direct agreement with cust Y.

-Chris
--
StarNet Inc.                    Chris Parker
WX *is* Wireless!               Director, Engineering
http://www.starnetwx.net        (847) 963-0116
Wholesale Internet Services - http://www.megapop.net
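As an added illustration of the trade-off discussed in this thread (example code, not from the original posts): over constructed flow records it compares the three responses to worm-style scanning that come up above, a reflexive rule per src/dst pair, disconnecting the scanning sources, and one wide signature filter, and counts the legitimate traffic the wide filter would drop as collateral. The flow records and the signature are placeholders, not real Nachi/Welchia data.

```python
from collections import defaultdict

# Constructed flow records (not from the original post):
# (src, dst, proto, dst_port, payload_len). Two hosts sweep many destinations
# with identical packets; one host sends a single ordinary ping that happens
# to match the same signature.
SAMPLE_FLOWS = [
    ("10.0.5.7", "10.0.9.1", "icmp", 0, 92),
    ("10.0.5.7", "10.0.9.2", "icmp", 0, 92),
    ("10.0.5.7", "10.0.9.3", "icmp", 0, 92),
    ("10.0.5.7", "10.0.9.4", "icmp", 0, 92),
    ("10.0.6.2", "10.0.9.1", "icmp", 0, 92),
    ("10.0.6.2", "10.0.9.5", "icmp", 0, 92),
    ("10.0.6.2", "10.0.9.6", "icmp", 0, 92),
    ("10.0.7.9", "10.0.9.1", "icmp", 0, 92),    # one legitimate ping
    ("10.0.7.9", "10.0.9.1", "tcp", 80, 512),   # ordinary web traffic
    ("10.0.8.3", "10.0.9.2", "tcp", 25, 1024),  # ordinary mail traffic
]

# Assumed placeholder signature (proto + dst port + payload length); a real
# one would be derived from packet captures of the actual worm.
SIGNATURE = {"proto": "icmp", "dst_port": 0, "payload_len": 92}

def matches(flow, sig=SIGNATURE):
    """True when the flow carries the signature fields the wide filter keys on."""
    _src, _dst, proto, dport, plen = flow
    return (proto, dport, plen) == (sig["proto"], sig["dst_port"], sig["payload_len"])

def reflexive_pairs(flows, sig=SIGNATURE):
    """Distinct src/dst pairs a per-pair (reflexive) rule set would have to hold."""
    return {(f[0], f[1]) for f in flows if matches(f, sig)}

def scanning_sources(flows, sig=SIGNATURE, min_targets=3):
    """Sources sending signature traffic to >= min_targets distinct hosts: the scan pattern."""
    targets = defaultdict(set)
    for src, dst, *_ in (f for f in flows if matches(f, sig)):
        targets[src].add(dst)
    return {s for s, d in targets.items() if len(d) >= min_targets}

def collateral(flows, sig=SIGNATURE, min_targets=3):
    """Signature matches from non-scanning sources: legitimate traffic a wide filter drops."""
    scanners = scanning_sources(flows, sig, min_targets)
    return [f for f in flows if matches(f, sig) and f[0] not in scanners]

def compare_strategies(flows, sig=SIGNATURE):
    """Rule count per approach, plus the collateral damage of the single signature rule."""
    return {
        "reflexive_rules": len(reflexive_pairs(flows, sig)),
        "per_source_rules": len(scanning_sources(flows, sig)),
        "signature_rules": 1,
        "collateral_flows": len(collateral(flows, sig)),
    }
```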