North American Network Operators Group


RE: Providers removing blocks on port 135?

  • From: Owen DeLong
  • Date: Fri Sep 19 13:55:12 2003


> I disagree.  In my opinion an NSP shouldn't filter traffic unless one of
> its customers requests it.  However, I strongly believe that an ISP (where
> its customers are Joe Blow average citizen and Susy Homemaker) should
> take every reasonable step to protect its users from malicious traffic,
> and that includes filtering ports.  For example, I have no reservation
> about NATing basic dialup users.  I also have no problem with filtering
> ports for services they shouldn't be running on a dialup connection (HTTP,
> FTP, DNS) or for services that IMHO have no business on the public
> internet (including every single Microsoft port I can identify).  To not
> do so is IMHO to run a network in an extremely negligent manner.

Why do you get to decide that I can't, from a hotel room, call my ISP and
put up a web server on my dialup connection so someone behind a firewall
can retrieve a document I desperately need to get to them?  Why _SHOULDN'T_
I run a web server to do this over a dialup connection?  Why do you get
to dictate to _ANYONE_ what things they can and can't do with their most
portable internet access?  How can you say that it is negligent to refuse
to DOS your customers unless they request it?  (Blocking traffic to me
that I want is every bit as much a denial of service as flooding my link.)

> We do this very thing with email.  We filter known malicious messages,
> attachments, and spam from email.  I don't think there's a reasonable
> person among us that can complain about that.  Why not do it to network
> traffic then?  If we should allow every bit of traffic to pass unmolested
> by ACLs, then we should allow all email to pass unmolested by
> anti-virus and spam checks.  It's a two-way street.

I leave it to the community to decide whether I am a reasonable person or
not, but, generally, I tend to think that I am viewed as such.
However, I would complain about the practices you describe above
if I were your customer. If I ask you to filter SPAM, fine. If I ask you not
to filter SPAM, then I should receive every email addressed to me. If I
cannot, then I won't be your customer. As far as I'm concerned, if an ISP
wants to run anti-virus or spam checks, they should run them as an opt-in
value-added service, _NOT_ as a "we're deleting your mail for you whether
you like it or not" thing.

> On the other hand, what's a provider to do when their access hardware
> can't deal with a pathological set of flows or arp entries? There isn't
> [snip]
> A good point.
Yes. I responded to this in a previous post. We must do what we must do
temporarily to keep things running. However, breaking the net is not a long-term
solution. We must work to solve the underlying problem, or it just becomes
an arms race where eventually no services are useful.


Owen