[145910] in North American Network Operators' Group


Re: Outgoing SMTP Servers

daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Oct 26 09:30:22 2011

In-Reply-To: <CAAAas8GXF=VAdWUXFRSofPyW7bH=M63GyW66pNzN9Tey79STzA@mail.gmail.com>
From: Owen DeLong <owen@delong.com>
Date: Wed, 26 Oct 2011 07:24:23 -0600
To: Mike Jones <mike@mikejones.in>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

>
> In a perfect world we would all have as many static globally routed IP
> addresses as we want with nothing filtered, in the real world a
> residential ISP who gives their customers globally routable IPv4
> addresses for each computer (ie. a CPE that supports multiple
> computers without NAT) with no filtering at all is probably going to
> have to hire more support staff to deal with it, even before people
> from this list start null routing their IP space for being a rogue ISP
> that clearly doesn't give a damn etc :)

Agreed that we should get to the point where everyone can have thousands of static globally routed subnets as soon as possible. The technology already exists and I use it wherever it is available. I have 65,536 static globally routed subnets available in my network, though I do not currently use that many. The reason we don't all have that yet is merely delay and inaction by those who have not yet implemented current IP technologies.
>
> Perhaps our next try with IPv6 can be a perfect world where hosts are
> secure enough for open end to end connectivity and infected machines
> are rarely a problem? IPv6 enabled systems are more secure than a lot
> of the systems we have floating around on IPv4 networks, but I still
> think we're going to end up with port blocking becoming reasonably
> common on IPv6 as well once that starts getting widely deployed to
> residential users.
>

Firewalls are perfectly valid and I have no general objection to filtering packets based on the policy set by a site. What I object to is having someone I pay to move my packets tell me that they won't move some of those packets because they feel it is some form of best practice to eliminate my perfectly valid packets in order to prevent someone else from committing some form of abuse on the same protocol.

I object even more strenuously to someone who redirects my packets from their intended destination to some man-in-the-middle attack destination of their choosing.

Redirecting someone's SMTP is a man-in-the-middle attack. It is every bit as evil as any other form of network abuse or hijacking.

Owen

