[186589] in North American Network Operators' Group


Re: de-peering for security sake

daemon@ATHENA.MIT.EDU (Baldur Norddahl)
Thu Dec 24 20:41:18 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <567C9AF3.7070207@satchell.net>
Date: Fri, 25 Dec 2015 02:41:14 +0100
From: Baldur Norddahl <baldur.norddahl@gmail.com>
To: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

I am afraid people are already doing this. Every time I bring a new IP
series into production, my users will complain that they are locked out
from sites including many government sites. This is because people will
load IP location lists into their firewall and drop packets at the border.
Of course they will not update said lists and load year-old lists into
their firewalls.

So now my users cannot access government sites because the IP ranges were
owned by a company in a different country two years ago.

Take a guess on how responsive site owners are when we complain about their
firewall. Most refuse to acknowledge they do any blocking and insist the
problem is at our end. That is if they respond at all.

Regards,

Baldur


On 25 December 2015 at 02:25, Stephen Satchell <list@satchell.net> wrote:

> On 12/24/2015 04:50 PM, Daniel Corbe wrote:
>
>> Let’s just cut off the entirety of the third world instead of having
>> a tangible mitigation plan in place.
>>
>
> While you think you are making a snarky response, it would be handy for
> end users to be able to turn on and off access to other countries retail.
> If *they* don't need access to certain third world countries, it would be
> their decision, not the operator's decision.
>
> For example, here on my little network we have no need for connectivity to
> much of Asia, Africa, or India.  We do have need to talk to Europe,
> Australia, and some countries in South America.
>
>
