It's my understanding that since Akamai is based on DNS resolves, if you were to use the method of blocking it within the DNS system it would make no difference. Although I'm no Akamai expert.

-Jim

-----Original Message-----
From: Daniel Concepcion [mailto:dani@intelideas.com]
Sent: Thursday, November 14, 2002 11:59 AM
To: Alif The Terrible; nanog@merit.edu
Subject: Re: Blocking specific sites within certain countries.

Hi,

In Spain some providers are blocking the resolution of these domains in their DNS servers. Others block at the edge the IPs currently associated with these domains. Others don't block ;)

It is very interesting to know what happens if these domains move to Akamai or Digital Island. Denying this traffic without breaking others will be very difficult.

Regards,
Daniel

On Thursday 14 November 2002 16:55, Alif The Terrible wrote:
Good Morning,
I am interested in how everyone who is affected by the recent Spanish judicial order to block specific "terrorist affiliated" sites from access by Spanish nationals is dealing with it.
Without re-starting the endless debate over how impossible this is in fact, since that is obvious - how is everyone "complying" with this order?
-- On Thursday, November 14, 2002 12:11 PM -0500 -- Jim Deleskie <jdeleski@rci.rogers.com> supposedly wrote:
It's my understanding that since Akamai is based on DNS resolves, if you were to use the method of blocking it within the DNS system it would make no difference. Although I'm no Akamai expert.
The issue is really not Akamai or Digital Island or any other service someone might buy. The end user is completely unaware of the machinations behind the scene, they are just going to type "www.terrorist.com" into their browser.

If "terrorist.com" is a Bad Domain and ISPs refuse to resolve anything in that domain, then nothing else can happen. The first step is the end user's machine going to the ISP's name server asking for the IP address of "www.terrorist.com". It does not matter if that hostname is CNAME'd to another company / host / whatever, the resolution will stop immediately and the user will be unable to see the web page.

Or they can just use a publicly available web proxy, in which case it will not matter if the domain is Akamaized or not. =)
-Jim
-- TTFN, patrick
This all strikes me as incorrect. The function of the domain name system is primarily to translate an IP number into a domain name, and vice versa. If a user wishes to browse to <http://64.236.16.20> he/she will also arrive at <www.cnn.com>. The domain name is propagated and subsequently refreshed throughout the world. A browser request and reply may each time take hundreds of different routes through the Internet from end to end.

If Spain wanted to deploy blocking of the domain CNN.com (or in fact any other domain) it would have to actually block individual IPs at the telco 'in and out of Spain' routes to accomplish that. This, by the way, is currently done e.g. in the People's Republic of China, albeit not really successfully :) It is also so easy to set up secondary DNSs anywhere else on the globe with a PTR to some other IP number that a DNS block would never be a successful action. Blocking a /24 in Spain may be effective, but if the Spanish site were hosted elsewhere, or had a mirror hosted elsewhere, the legislation of that elsewhere would be the regulations the telcos are confronted with and looking at.

Ola!
Bert Fortrie

At 12:27 PM 11/14/2002, you wrote:
-- On Thursday, November 14, 2002 12:11 PM -0500 -- Jim Deleskie <jdeleski@rci.rogers.com> supposedly wrote:
It's my understanding that since Akamai is based on DNS resolves, if you were to use the method of blocking it within the DNS system it would make no difference. Although I'm no Akamai expert.
The issue is really not Akamai or Digital Island or any other service someone might buy. The end user is completely unaware of the machinations behind the scene, they are just going to type "www.terrorist.com" into their browser.
If "terrorist.com" is a Bad Domain and ISPs refuse to resolve anything in that domain, then nothing else can happen. The first step is the end user's machine going to the ISP's name server asking for the IP address of "www.terrorist.com". It does not matter if that hostname is CNAME'd to another company / host / whatever, the resolution will stop immediately and the user will be unable to see the web page.
Or they can just use a publicly available web proxy, in which case it will not matter if the domain is Akamaized or not. =)
-Jim
-- TTFN, patrick
-- On Thursday, November 14, 2002 8:52 PM +0100 -- hostmaster <hostmaster@nso.org> supposedly wrote:
This all strikes me as incorrect. The function of the domain name system is primarily to translate an IP number into a domain name, and vice versa. If a user wishes to browse to <http://64.236.16.20> he/she will also arrive at <www.cnn.com>. The domain name is propagated and subsequently refreshed throughout the world. A browser request and reply may each time take hundreds of different routes through the Internet from end to end.

If Spain wanted to deploy blocking of the domain CNN.com (or in fact any other domain) it would have to actually block individual IPs at the telco 'in and out of Spain' routes to accomplish that. This, by the way, is currently done e.g. in the People's Republic of China, albeit not really successfully :) It is also so easy to set up secondary DNSs anywhere else on the globe with a PTR to some other IP number that a DNS block would never be a successful action. Blocking a /24 in Spain may be effective, but if the Spanish site were hosted elsewhere, or had a mirror hosted elsewhere, the legislation of that elsewhere would be the regulations the telcos are confronted with and looking at.
Suppose they just make it a law that each ISP has to block "domain.com" in their caching name servers? Sure, the user could telnet somewhere and find the IP address themselves, but it would stop 99.99% of the lusers out there. -- TTFN, patrick
-- On Thursday, November 14, 2002 8:52 PM +0100 -- hostmaster <hostmaster@nso.org> supposedly wrote:
This all strikes me as incorrect. The function of the domain name system is primarily to translate an IP number into a domain name, and vice versa. If a user wishes to browse to <http://64.236.16.20> he/she will also arrive at <www.cnn.com>. The domain name is propagated and subsequently refreshed throughout the world. A browser request and reply may each time take hundreds of different routes through the Internet from end to end.

If Spain wanted to deploy blocking of the domain CNN.com (or in fact any other domain) it would have to actually block individual IPs at the telco 'in and out of Spain' routes to accomplish that. This, by the way, is currently done e.g. in the People's Republic of China, albeit not really successfully :) It is also so easy to set up secondary DNSs anywhere else on the globe with a PTR to some other IP number that a DNS block would never be a successful action. Blocking a /24 in Spain may be effective, but if the Spanish site were hosted elsewhere, or had a mirror hosted elsewhere, the legislation of that elsewhere would be the regulations the telcos are confronted with and looking at.
At 05:28 PM 11/14/2002, Patrick W. Gilmore most definitely admitted:

Suppose they just make it a law that each ISP has to block "domain.com" in their caching name servers?

Who is 'they', Patrick? Suppose Spain introduces that law. Fine, but that doesn't mean that other countries have to (or will ever) abide by that. Certainly in the U.S. you won't find that many who would support even the idea.

Sure, the user could telnet somewhere and find the IP address themselves, but it would stop 99.99% of the lusers out there.

Thousands of non-Spanish DNS servers (not under the Spanish restriction) would have cached the propagated terror.com URL from Akamai. Any Spanish user really wanting to see terror.com will get it. To make it a more permanent experience the Spanish conquistador should install his own winooz 95 DNS service (I believe it's free), and peg it to a secondary DNS outside his beautiful country.

Bert Fortrie
-- On Friday, November 15, 2002 12:45 AM +0100 -- hostmaster <hostmaster@nso.org> supposedly wrote:
At 05:28 PM 11/14/2002, Patrick W. Gilmore most definitely admitted:
Suppose they just make it a law that each ISP has to block "domain.com" in their caching name servers?
Who is 'they', Patrick? Suppose Spain introduces that law. Fine, but that doesn't mean that other countries have to (or will ever) abide by that. Certainly in the U.S. you won't find that many who would support even the idea.
This thread was started 'cause the Spanish (?) government wanted to do blocking. So it would stop all the people in Spain. And I seriously doubt they care what the US government or its citizens do outside of Spain. IOW: You are right, but that's not the point of this thread.
Sure, the user could telnet somewhere and find the IP address themselves, but it would stop 99.99% of the lusers out there.
Thousands of non-Spanish DNS servers (not under the Spanish restriction) would have cached the propagated terror.com URL from Akamai. Any Spanish user really wanting to see terror.com will get it. To make it a more permanent experience the Spanish conquistador should install his own winooz 95 DNS service (I believe it's free), and peg it to a secondary DNS outside his beautiful country.
1) I submit over 99% of users would not even know what "dns service" is, much less how to install it, or even that they CAN install it. 2) It is trivial to filter all port 53 and/or redirect all name service queries in your network to your name server. 3) We are discussing the government making a law about Internet technology. I am impressed they even know what a domain name is, and not surprised at all that their suggested "fix" is full of holes. IOW: You are right again, but that's still not the point of this thread. =)
Bert Fortrie
-- TTFN, patrick P.S. This is NANOG, please use ASCII with "quote characters" (e.g. ">") to distinguish your text from other's. Reading your e-mails is a bit confusing. (At least you use Eudora and not Outlook, but still....)
Who is 'they', Patrick? Suppose Spain introduces that law. Fine, but that doesn't mean that other countries have to (or will ever) abide by that. Certainly in the U.S. you won't find that many who would support even the idea.
This thread was started 'cause the Spanish (?) government wanted to do blocking. So it would stop all the people in Spain. And I seriously doubt they care what the US government or its citizens do outside of Spain.
This is not correct. Such laws tend to cover whatever is shown to the Spanish citizens, no matter by whom. One can be not really concerned about it if one has good lawyers. Otherwise one would end up in the position Google and Yahoo ended up in Germany. Alex
Unnamed Administration sources reported that alex@yuriev.com said:
This is not correct. Such laws tend to cover whatever is shown to the Spanish citizens, no matter by whom.
Oh? A friend of mine is such. He just happens to live in the DC area, and has for 30 years... How would such a block be enforced...? -- A host is a host from coast to coast.................wb8foz@nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433
Unnamed Administration sources reported that alex@yuriev.com said:
This is not correct. Such laws tend to cover whatever is shown to the Spanish citizens, no matter by whom.
Oh?
A friend of mine is such. He just happens to live in the DC area, and has for 30 years...
How would such a block be enforced...?
Very simple. Someone names him in a lawsuit. A Spanish judge issues a subpoena. He ignores it and does not appear in court. The same judge would order an equivalent of a bench warrant to be issued. At some point your friend will end up going through passport control at an international airport and, as opposed to going on vacation in Amsterdam, he will end up in a lovely jail pending extradition to Spain. Welcome to the lovely world that you want to ignore. Alex
At 11:20 AM 11/15/2002, alex@yuriev.com wrote:
Unnamed Administration sources reported that alex@yuriev.com said:
This is not correct. Such laws tend to cover whatever is shown to the Spanish citizens, no matter by whom.
Oh?
A friend of mine is such. He just happens to live in the DC area, and has for 30 years...
How would such a block be enforced...?
Very simple. Someone names him in a lawsuit. A Spanish judge issues a subpoena. He ignores it and does not appear in court. The same judge would order an equivalent of a bench warrant to be issued. At some point your friend will end up going through passport control at an international airport and, as opposed to going on vacation in Amsterdam, he will end up in a lovely jail pending extradition to Spain. Welcome to the lovely world that you want to ignore. Alex
I have a bit of news for you here. Dutch authorities do not recognize Spanish bench warrants, and more importantly border patrols do not check passports in the Schengen area (except for airport/seaport checks if you are arriving from outside that area). The Schengen area is virtually the same as all member countries within the European Community, except for (how is it possible..:)) the United Kingdom.

The first point a bit elaborated....only Europol has extra-territorial authority within the EU. Spanish law (civil and criminal) is and remains for Spain only.

And some more news....it is not possible within the Schengen area to extradite a citizen from one member state to another. If one commits a crime, one is prosecuted and jailed in the country where the crime took place. Even more news.....the criminal law of one country can be and is different from another's. Here's a nice one....if you are Spanish and commit something that is a crime in Spain, but you do it in Germany where it happens not to be a crime, you cannot be prosecuted in your own country (Spain). If you like more exotic examples, let me know. We happen to be on an EU advisory board that deals with this sort of hmmmm relationships :)

best
Bert Fortrie
A friend of mine is such. He just happens to live in the DC area, and has for 30 years...
How would such a block be enforced...?
Very simple. Someone names him in a lawsuit. A spanish judge issues subpoena. He ignores it and does not appear in court. The same judge would
I want to be sure I grok this. All this legal attacking will take place against: The Spanish citizen living in DC? The US ISP he deals with The support person for that ISP who bums through the EU one summer... or.... {Leaving the legal fiction vs. reality for hostmaster and others; at least for now...} -- A host is a host from coast to coast.................wb8foz@nrk.com & no one will talk to a host that's close........[v].(301) 56-LINUX Unless the host (that isn't close).........................pob 1433 is busy, hung or dead....................................20915-1433
A friend of mine is such. He just happens to live in the DC area, and has for 30 years...
How would such a block be enforced...?
Very simple. Someone names him in a lawsuit. A spanish judge issues subpoena. He ignores it and does not appear in court. The same judge would
I want to be sure I grok this. All this legal attacking will take place against:
The Spanish citizen living in DC?
The US ISP he deals with
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ This one is the most likely. We have a set of precedents (granted not Spanish) in the case of Yahoo being sued by one of those Jewish groups for displaying Nazi memorabilia on its auction site. Yahoo decided it was better to pull that than deal with the lawsuit. Alex
Unnamed Administration sources reported that alex@yuriev.com said:
This is not correct. Such laws tend to cover whatever is shown to the Spanish citizens, no matter by whom.
Oh?
A friend of mine is such. He just happens to live in the DC area, and has for 30 years...
How would such a block be enforced...?
Very simple. Someone names him in a lawsuit. A Spanish judge issues a subpoena. He ignores it and does not appear in court. The same judge would order an equivalent of a bench warrant to be issued. At some point your friend will end up going through passport control at an international airport and, as opposed to going on vacation in Amsterdam, he will end up in a lovely jail pending extradition to Spain. Welcome to the lovely world that you want to ignore. Alex
I have a bit of news for you here. Dutch authorities do not recognize Spanish bench warrants, and more importantly border patrols do not check passports in the Schengen area (except for airport/seaport checks if you are arriving from outside that area).
Not correct. Should one be entering a Schengen country from another Schengen country there is no passport control. Should one be carrying an EU passport it will not be checked upon crossing into another EU country. Should one be carrying another passport it will be. The exception to the last rule are countries participating in the Visa Waiver programs and those that have bilateral agreements. Dutch authorities do recognize international bench warrants. Bother to check before making silly claims - it had all been rehearsed during Pinochet's trial.
The Schengen area is virtually the same as all member countries within the European Community, except for (how is it possible..:)) the United Kingdom.
There is no such thing as EC. It is called EU. Schengen countries are : Austria, Belgium, Denmark, Finland, France, Germany, Iceland, Italy, Greece, Luxembourg, Netherlands, Norway, Portugal, Spain and Sweden.
The first point a bit elaborated....only Europol has extra-territorial authority within the EU. Spanish law (civil and criminal) is and remains for Spain only.

And some more news....it is not possible within the Schengen area to extradite a citizen from one member state to another. If one commits a crime, one is prosecuted and jailed in the country where the crime took place. Even more news.....the criminal law of one country can be and is different from another's. Here's a nice one....if you are Spanish and commit something that is a crime in Spain, but you do it in Germany where it happens not to be a crime, you cannot be prosecuted in your own country (Spain). If you like more exotic examples, let me know. We happen to be on an EU advisory board that deals with this sort of hmmmm relationships :)
This again is not correct. It can be easily looked up should one be bothered to do so, just as it can be looked up that there is no such thing as EC. Rather it is called EU. Alex
for Spain only. And some more news....it is not possible within the Schengen area to extradite a citizen from one member state to another. If one commits a crime, one is prosecuted and jailed in the country where the crime took place. Even more news.....criminal law
Simply not true. See the kidnap case that was solved with cooperation between the Swedish and French police. The kidnappers in France were extradited to Sweden although they were arrested in France because they received the ransom there. - kurtis -
Simply not true. See the kidnap case that was solved with cooperation between the Swedish and French police. The kidnappers in France were extradited to Sweden although they were arrested in France because they received the ransom there.

Where was the crime committed though? If the kidnapping was in Sweden then that was within the rules. Neil. -- Neil J. McRae - Alive and Kicking neil@DOMINO.ORG
Simply not true. See the kidnap case that was solved with cooperation between the Swedish and French police. The kidnappers in France were extradited to Sweden although they were arrested in France because they received the ransom there.

Where was the crime committed though? If the kidnapping was in Sweden then that was within the rules.

Well, good question. I am no lawyer but the kidnapping was in Sweden and the ransom was paid and received in France. Not sure what that means in legal terms. But perhaps we should get back to some operational discussion. - kurtis -
On Thu, 14 Nov 2002 12:11:14 EST, Jim Deleskie <jdeleski@rci.rogers.com> said:
It's my understanding that since Akamai is based on DNS resolves, if you were to use the method of blocking it within the DNS system it would make no difference. Although I'm no Akamai expert.
The Akamai gotcha is that if you block www.terrorist.com, where terrorist.com points to an Akamai server, you *ALSO* break the 4,934 *other* websites that happen to have content on that same server. -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
-- On Thursday, November 14, 2002 4:52 PM -0500 -- Valdis.Kletnieks@vt.edu supposedly wrote:
On Thu, 14 Nov 2002 12:11:14 EST, Jim Deleskie <jdeleski@rci.rogers.com> said:
It's my understanding that since Akamai is based on DNS resolves, if you were to use the method of blocking it within the DNS system it would make no difference. Although I'm no Akamai expert.
The Akamai gotcha is that if you block www.terrorist.com, where terrorist.com points to an Akamai server, you *ALSO* break the 4,934 *other* websites that happen to have content on that same server.
Not if you block the domain name terrorist.com from resolving at the caching name server, only if you block the IP address to which it resolves on your routers. (Which in many cases will be an Akamai server inside your network - if not, just ask. :) -- TTFN, patrick
On Thu, 14 Nov 2002 17:26:21 EST, "Patrick W. Gilmore" <patrick@ianai.net> said:
Not if you block the domain name terrorist.com from resolving at the caching name server, only if you block the IP address to which it resolves on your routers. (Which in many cases will be an Akamai server inside your network - if not, just ask. :)
http://a1016.g.akamai.net/f/1016/606/1d/(rest deleted) So tell me again how you're going to filter a1016.g.akamai.net? And how you're not going to piss off the OTHER sites on that server? (Yes, I know that the virtualized hostname is down in the (rest deleted) part of the URL - is that what you want to try to filter in a firewall? Especially when the name could (and probably will) be % encoded or whatever? Or are we simply assuming that all terrorists are dumb enough to not know how to use a proxy? (Remember that we *are* worried they're smart enough to use strong crypto...) -- Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
Once upon a time, Valdis.Kletnieks@vt.edu <Valdis.Kletnieks@vt.edu> said:
On Thu, 14 Nov 2002 17:26:21 EST, "Patrick W. Gilmore" <patrick@ianai.net> said:
Not if you block the domain name terrorist.com from resolving at the caching name server, only if you block the IP address to which it resolves on your routers. (Which in many cases will be an Akamai server inside your network - if not, just ask. :)
http://a1016.g.akamai.net/f/1016/606/1d/(rest deleted)
So tell me again how you're going to filter a1016.g.akamai.net? And how you're
You don't. If you configure your name server to block resolution of terrorist.com, you'll never find out that it goes to an Akamai server. If it is really important, you then force all of your customers to use your name servers for recursive resolution. Then if your customer types "http://www.terrorist.com/" in their web browser, it resolves to nothing. They never get sent to an Akamai server. -- Chris Adams <cmadams@hiwaay.net> Systems and Network Administrator - HiWAAY Internet Services I don't speak for anybody but myself - that's enough trouble.
On Thu, 14 Nov 2002 17:59:59 CST, Chris Adams <cmadams@hiwaay.net> said:
You don't. If you configure your name server to block resolution of terrorist.com, you'll never find out that it goes to an Akamai server.
Unfortunately, the politicians would actually believe that.
-- On Thursday, November 14, 2002 11:11 PM -0500 -- Valdis.Kletnieks@vt.edu supposedly wrote:
On Thu, 14 Nov 2002 17:59:59 CST, Chris Adams <cmadams@hiwaay.net> said:
You don't. If you configure your name server to block resolution of terrorist.com, you'll never find out that it goes to an Akamai server.
Unfortunately, the politicians would actually believe that.
I am not so sure it is "unfortunate" politicians are ignorant of many things. :) -- TTFN, patrick
-- On Thursday, November 14, 2002 6:01 PM -0500 -- Valdis.Kletnieks@vt.edu supposedly wrote:
On Thu, 14 Nov 2002 17:26:21 EST, "Patrick W. Gilmore" <patrick@ianai.net> said:
Not if you block the domain name terrorist.com from resolving at the caching name server, only if you block the IP address to which it resolves on your routers. (Which in many cases will be an Akamai server inside your network - if not, just ask. :)
http://a1016.g.akamai.net/f/1016/606/1d/(rest deleted)
So tell me again how you're going to filter a1016.g.akamai.net? And how you're not going to piss off the OTHER sites on that server? (Yes, I know that the virtualized hostname is down in the (rest deleted) part of the URL - is that what you want to try to filter in a firewall? Especially when the name could (and probably will) be % encoded or whatever?
Well, believe it or not, you can filter on aXXXX. :) But more importantly, no user is ever going to type "aXXX.g.akamai.com/foo/bar/etc...". They are going to type "www.ticketmaster.com", which is a CNAME for aXXX. If the ISP's name server filters the "ticketmaster.com" domain, your random luser is not going to be able to get to www.ticketmaster.com.
Or are we simply assuming that all terrorists are dumb enough to not know how to use a proxy? (Remember that we *are* worried they're smart enough to use strong crypto...)
I did not think this is about stopping terrorists from getting to special sites. I thought this was about a government censoring its citizens from seeing "bad" web sites. Which is a Bad Idea IMHO, but I doubt the Spanish government cares what I think. Besides, what's to stop Joe User from using a public proxy outside his country? :)
Valdis Kletnieks
-- TTFN, patrick
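The thread above argues about three different places a "block terrorist.com" order can be applied: the ISP's caching resolver (Patrick, Chris Adams), the edge router by destination IP (Valdis's collateral-damage point about a shared Akamai edge), and a resolver outside the country that the user points at instead (Bert), which Patrick notes the ISP can defeat by intercepting port 53. The toy model below is an added example written for this page, not code from any of the participants. Every record in it is constructed: the 192.0.2.0/24 addresses are documentation space, the customer sites are invented, and the only name taken from the thread is the Akamai-style edge hostname Valdis quoted, which here is simply a CNAME target shared by two unrelated sites.

```python
"""Where does a 'block terrorist.com' order actually take effect?

Toy model of the three enforcement points the thread discusses: the ISP's
caching resolver (name-based refusal), the edge router (IP-based drop), and
a foreign resolver the user configures instead (bypass), with the ISP
optionally intercepting all port-53 traffic.  All records and addresses are
constructed for this example; 192.0.2.0/24 is documentation space.
"""

# Constructed zone data: owner name -> (rtype, rdata).  Two unrelated
# customer sites are CNAMEs to the same shared CDN edge name.
ZONES = {
    "www.terrorist.com.":    ("CNAME", "a1016.g.akamai.net."),
    "www.ticketmaster.com.": ("CNAME", "a1016.g.akamai.net."),
    "a1016.g.akamai.net.":   ("A", "192.0.2.10"),   # shared edge server
    "www.cnn.com.":          ("A", "192.0.2.20"),
}


class Blocked(Exception):
    """Raised when a resolver refuses to answer for a listed domain."""


def _fqdn(name):
    return name if name.endswith(".") else name + "."


def parent_domains(name):
    """Yield the name and every ancestor zone: www.x.com. -> x.com. -> com."""
    labels = _fqdn(name).rstrip(".").split(".")
    for i in range(len(labels)):
        yield ".".join(labels[i:]) + "."


def resolve(name, blocked_domains=frozenset(), max_chain=8):
    """Caching resolver with a refusal list, applied to every owner name it
    visits while chasing CNAMEs.  A query for www.terrorist.com is refused
    at the very first step, so the resolver never learns (and the user never
    sees) that the target sits on a CDN edge shared with other sites."""
    name = _fqdn(name)
    for _ in range(max_chain):
        if any(d in blocked_domains for d in parent_domains(name)):
            raise Blocked(name)
        rtype, rdata = ZONES[name]
        if rtype == "A":
            return rdata
        name = rdata            # follow the CNAME and re-check the policy
    raise RuntimeError("CNAME chain too long")


def fetch(hostname, policy, use_foreign_resolver=False):
    """Simulate the user's path under an ISP policy.

    policy keys (all optional):
      blocked_domains  names the ISP resolver refuses to answer
      blocked_ips      destinations the edge router drops
      intercept_dns    ISP redirects all port-53 traffic to its own resolver
    Returns (outcome, detail)."""
    domains = policy.get("blocked_domains", frozenset())
    if use_foreign_resolver and not policy.get("intercept_dns", False):
        domains = frozenset()   # a resolver abroad applies no Spanish list
    try:
        ip = resolve(hostname, domains)
    except Blocked as refused:
        return ("dns-refused", str(refused))
    if ip in policy.get("blocked_ips", frozenset()):
        return ("router-dropped", ip)   # router sees only the destination IP
    return ("ok", ip)


# The policies the thread argues about (hypothetical lists).
DOMAIN_POLICY = {"blocked_domains": frozenset({"terrorist.com."})}
IP_POLICY = {"blocked_ips": frozenset({"192.0.2.10"})}
EDGE_NAME_POLICY = {"blocked_domains": frozenset({"a1016.g.akamai.net."})}
INTERCEPT_POLICY = {"blocked_domains": frozenset({"terrorist.com."}),
                    "intercept_dns": True}


def compare_policies(hosts=("www.terrorist.com", "www.ticketmaster.com")):
    """Outcome per (policy, host); shows which policies hit bystander sites."""
    table = {}
    for label, policy in (("domain", DOMAIN_POLICY), ("ip", IP_POLICY),
                          ("edge-name", EDGE_NAME_POLICY)):
        for host in hosts:
            table[(label, host)] = fetch(host, policy)[0]
    return table


if __name__ == "__main__":
    for key, outcome in sorted(compare_policies().items()):
        print(f"{key[0]:10} {key[1]:22} {outcome}")
    print("foreign resolver, no interception:",
          fetch("www.terrorist.com", DOMAIN_POLICY, use_foreign_resolver=True))
    print("foreign resolver, port 53 intercepted:",
          fetch("www.terrorist.com", INTERCEPT_POLICY, use_foreign_resolver=True))
```

Running it shows the three outcomes side by side: the domain-name policy refuses www.terrorist.com and leaves www.ticketmaster.com untouched; the IP policy drops both, because the router only sees the shared edge address; and refusing the edge hostname itself (the a1016 name Valdis asked about) also breaks both, since the refusal is hit while chasing the CNAME. The last two lines show the bypass: a resolver outside the country answers normally until the ISP forces all port-53 traffic back through its own resolver.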
participants (9)
- alex@yuriev.com
- Chris Adams
- David Lesher
- hostmaster
- Jim Deleskie
- Kurt Erik Lindqvist
- neil@DOMINO.ORG
- Patrick W. Gilmore
- Valdis.Kletnieks@vt.edu