|
North American Network Operators Group Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical Re: IAB concerns against permanent deployment of edge-based filtering
> >> why the heck does the IAB think they should tell me how to run my
> >> network?
> >
> > ... part of the INTERnet, and we
> > would like it all to interoperate end to end.
that must be the royal "we"...
> > you have been here
> > long enough to remember when the internet was a cooperation between
> > operators, yes?
Sure. and why the ARPAnet evolved into MILnet/CSnet/BITnet,
the NSF regionals, NSI et.al. That whole "trust but verify"
threat model. And then the "evolution" into more specialized
architectures, w/ folk focusing on edge & core - content and
eyeballs etc.
> Absolutely correct. What I personally am afraid of is if we get a
> network where we by choice (yes, your choice as the operator) get
> vertically oriented services instead of horisontal. Where you only can
> connect to a service if you get IP packets of a specific flavor from a
> specific ISP.
here in is the nut. Internet Protocols should, by design,
presume a fully end2end, always on model. Packets should
be emitted w/ the presumption that they can reach their
target. If not, its not reachable. period. If my node is
in a MANET, then I should be able to reach all the nodes in
that MANET. If its on Mars, then DTN should take care of
packet delivery. If the transit ISP filters my prefix and
throws the bits on the floor, I should complain. If the transit
ISP filters the port and throws the bits on the floor, I
should complain. But that is the transit ISP choice.
Local Optimizations - trying to be smart about what is reachable
over what transport by some "middle-box" - that is harmful.
Operationally, I may chose to take links down, filter out
some traffic, groom for specific network performance -over
infrastructure i pay for- the whole "middle-box, firewall,
NAT, or generic tunneling techniques are in play to allow
end-users to circumvent network policy ... and that is bad.
if there is really a concern that port filtering is
inherently bad and should only be exercised as a temporary
expediant, then why not open up all ports on the end systems?
blocking ports 5, 7, 9, 11 and 19 are fairly common these
days. is the IAB seriously suggesting that ISPs remove the
filters on/for these ports?
I'll stand by this mantra for -EDGE- networks:
"allow what you use, block what you don't."
when new, inovative applications evolve, I expect they should
have thier own port(s) assigned, just like has occured in the
Internet over the last 25 years.
and if they are useful to the folks on my network, the ports
will be opened up. stuff that tunnels w/o authorization, will
be found and squashed.
> The INETRnet works because as soon as you get IP packets from The
> INTERnet somewhere, you can access any service which runs on top of IP
> because of the transparent peering/transit agreements which exists.
But where is the presumption made that -operationally-
all transport substrates are interconnected?
> Because of this, it is a bad thing, and really the start of a very
> slippery slope, if AS:es start filtering at their edges. It can be done
> for various practical reasons in short term (as you say, you are
> responsible for YOUR network, YOUR part of The INTERnet), but as a long
> term thing, nope.
You might want to consider why EGP protocols were built in
the first place... :) EGP/BGP have -policy- constraints
designed in to restrict traffic.
> paf -- speaking personally, but member of the IAB
--bill -- speaking as devils advocate and w/o having taken my meds
today. ... granted it is nice to see the IAB take an interest
and take a stance. I'm more afraid that such a document will
aquire the patina of "gospel" by ISPs who won't think for themselves
as to why some choices should be made.
|