North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Schneier: ISPs should bear security burden

  • From: Owen DeLong
  • Date: Thu Apr 28 02:50:22 2005

Ah, but *you* wouldn't get blocked. You maintain your own rDNS and
presumably have enough clue to not make the rDNS look like a pool of
dynamic residential IPs that aren't terribly important. To wit:

Um, that's not what I thought this discussion was about.  I thought this
discussion was about ISPs that are blocking things like my going out to
port 25 on various random hosts (something mailhost.delong.com does on
a regular basis, as does owen.delong.com, both of which are mail relay
machines, neither of which is an open relay).

Those are OBVIOUSLY not hostnames that comply with de-facto standards for
dynamically assigned dialup and broadband pools like

I would hope not.  I've put lots of work into naming my hosts. :-)

The idea is that your ISP should either allow you to run your own DNS or
give you DNS that doesn't look like something out of a big pool of
addresses, which makes it much, MUCH easier to decide what to block and
what not to block. Any IP that a provider allows servers on should have
distinctive, non-dynamic-looking DNS (and preferably be in a separate
netblock from the dynamically-assigned IPs).

Again, we're talking about apples and oranges.  You're talking about some
other ISP blocking based on rDNS.  I'm talking about my ISP blocking based
on ports.  What other ISPs block is between them and their customers.  Yes,
sometimes it's annoying, but, it's really between them and their customers,
so, little I can do.

What I'm saying is I don't want an ISP that blocks my ports in either
direction by default.  However, I am a residential ADSL customer using
a UNI.

That way you can be reasonably sure that you're not blocking someone
whose  ISP has allowed them to run servers.

Generally, until someone abuses my network, I don't block anyone trying to
get to any of the ports on which I choose to offer services.

Why should an ISP decide what a residential
customer can or can't do with their internet connection.  (This is not
an advocation for abandoning TOS or allowing abuse.  I am talking about
within the confines of legitimate internet use, such as hosting a web
site (or even several), running nameservers, mail server(s), etc.)
Your ISP, or the provider of the person deciding whether to block you?

Either.

Is there anything wrong with an ISP saying "you can't run servers on
certain types of Internet connection"?
Yes.


I can see the ISP saying "You're not allowed to push more than X bandwidth"
on certain types of connections.  I can even see them being unwilling to
provide a static IP.  However, telling me what I can or can't use the
bandwidth for is absurd.  What difference does it make to the ISP which
side initiated the TCP connection or sent the first UDP datagram in a
given flow?

Owen

Attachment: pgp00038.pgp
Description: PGP signature