Re: IAB concerns against permanent deployment of edge-based filtering
why the heck does the IAB think they should tell me how to run my network?
... part of the INTERnet, and we would like it all to interoperate end to end.
that must be the royal "we"...
you have been here long enough to remember when the internet was a cooperation between operators, yes?
Sure. and why the ARPAnet evolved into MILnet/CSnet/BITnet, the NSF regionals, NSI et.al. That whole "trust but verify" threat model. And then the "evolution" into more specialized architectures, w/ folk focusing on edge & core - content and eyeballs etc.
Absolutely correct. What I personally am afraid of is if we get a network where we by choice (yes, your choice as the operator) get vertically oriented services instead of horisontal. Where you only can connect to a service if you get IP packets of a specific flavor from a specific ISP.
here in is the nut. Internet Protocols should, by design, presume a fully end2end, always on model. Packets should be emitted w/ the presumption that they can reach their target. If not, its not reachable. period. If my node is in a MANET, then I should be able to reach all the nodes in that MANET. If its on Mars, then DTN should take care of packet delivery. If the transit ISP filters my prefix and throws the bits on the floor, I should complain. If the transit ISP filters the port and throws the bits on the floor, I should complain. But that is the transit ISP choice. Local Optimizations - trying to be smart about what is reachable over what transport by some "middle-box" - that is harmful. Operationally, I may chose to take links down, filter out some traffic, groom for specific network performance -over infrastructure i pay for- the whole "middle-box, firewall, NAT, or generic tunneling techniques are in play to allow end-users to circumvent network policy ... and that is bad. if there is really a concern that port filtering is inherently bad and should only be exercised as a temporary expediant, then why not open up all ports on the end systems? blocking ports 5, 7, 9, 11 and 19 are fairly common these days. is the IAB seriously suggesting that ISPs remove the filters on/for these ports? I'll stand by this mantra for -EDGE- networks: "allow what you use, block what you don't." when new, inovative applications evolve, I expect they should have thier own port(s) assigned, just like has occured in the Internet over the last 25 years. and if they are useful to the folks on my network, the ports will be opened up. stuff that tunnels w/o authorization, will be found and squashed.
The INETRnet works because as soon as you get IP packets from The INTERnet somewhere, you can access any service which runs on top of IP because of the transparent peering/transit agreements which exists.
But where is the presumption made that -operationally- all transport substrates are interconnected?
Because of this, it is a bad thing, and really the start of a very slippery slope, if AS:es start filtering at their edges. It can be done for various practical reasons in short term (as you say, you are responsible for YOUR network, YOUR part of The INTERnet), but as a long term thing, nope.
You might want to consider why EGP protocols were built in the first place... :) EGP/BGP have -policy- constraints designed in to restrict traffic.
paf -- speaking personally, but member of the IAB
--bill -- speaking as devils advocate and w/o having taken my meds today. ... granted it is nice to see the IAB take an interest and take a stance. I'm more afraid that such a document will aquire the patina of "gospel" by ISPs who won't think for themselves as to why some choices should be made.
On Sat, 18 Oct 2003 14:28:10 PDT, bmanning@karoshi.com said:
... part of the INTERnet, and we would like it all to interoperate end to end.
that must be the royal "we"...
Nope. The collective we. If you aren't in the set of people who wants things to interoperate, why are you subscribed to NANOG? ;)
if there is really a concern that port filtering is inherently bad and should only be exercised as a temporary expediant, then why not open up all ports on the end systems?
There's a distinction between filtering ports at the ISP and opening them up on the end systems, which you are trying to gloss over - when in fact the distinction is important.
blocking ports 5, 7, 9, 11 and 19 are fairly common these days. is the IAB seriously suggesting that ISPs remove the filters on/for these ports?
My machine is quite able to decide if it wants to accept traffic on those ports, or reject it with an appropriate error message, or silently discard it. In the unlikely event of a DDoS attack involving those ports, I will discuss mitigation with my provider. The only reason we're having this discussion is because there's a majority market share by vendors who have traditionally shipped systems that are unable to make reasonable decisions about accepting traffic (yes, vendors plural. Fortunately, most have recanted over the past few years). And yes, I read it as "the IAB is suggesting the time for filtering those ports is either passed or will soon be" - how many vendors are *still* shipping code that does the default things on those ports?
participants (2)
-
bmanning@karoshi.com
-
Valdis.Kletnieks@vt.edu