In my own opinion, I would not expect a transit provider to filter anything other than my BGP announcements. However, I would expect my ISP to filter a possible worm infection port(s), as it would completely saturate my lowly-end-user datapipe if they did not, making network access worthless, even if my host was secure. Of course, I would also not expect to pay a higher fee for this filtering.
I'm probably one of the ones you think is confused. However, I am not; I simply don't think that they need different policies about what packets flow. If the customer doesn't ask for something to be blocked, it shouldn't be blocked. The most probable worm infection port is 80 or 443. Do you really want those filtered by your ISP? I don't... It would wreak havoc with my web servers.
Additionally, I am curious why any time a technical issue comes up on NANOG (or any other operator list), people resort to terrible analogies that have little to do with the actual content of the discussion?
Personally, I think the analogy was a pretty good one. Just because it doesn't support your point of view doesn't make it a bad analogy. No matter how much you and the person you quoted would like to obscure the fact, default filtration is bad policy for a number of reasons:

+ It inflicts an unfair cost burden on responsible users who want full internet connectivity.
+ It inflicts an unfair cost burden on responsible users who don't need full internet connectivity, but don't need ISP-side filtration, either.
+ It taxes responsible users in order to reduce the costs of irresponsible users.
+ It is a transit solution to an end-host problem, thus creating a number of undesirable side-effects, not the least of which is the cost of a continuing arms race between the filters and the malware.

Owen
--- Andy
-- If it wasn't crypto-signed, it probably didn't come from me.