[186612] in North American Network Operators' Group


Re: de-peering for security sake

daemon@ATHENA.MIT.EDU (Lee)
Fri Dec 25 14:50:21 2015

X-Original-To: nanog@nanog.org
In-Reply-To: <CAPkb-7AZCbj=50pmb_AkT2BGGRAGkvrThhH7goxYKCwsBX8S-g@mail.gmail.com>
Date: Fri, 25 Dec 2015 14:06:33 -0500
From: Lee <ler762@gmail.com>
To: Baldur Norddahl <baldur.norddahl@gmail.com>
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org

On 12/24/15, Baldur Norddahl <baldur.norddahl@gmail.com> wrote:
> I am afraid people are already doing this. Every time I bring a new IP
> series into production, my users will complain that they are locked out
> from sites including many government sites. This is because people will
> load IP location lists into their firewall and drop packets at the border.
> Of course they will not update said lists and load year old lists into
> their firewalls.

Enable IPv6 for your users.  1) it's not going to have any "history" &
2) ipv6 probably isn't blocked.

> So now my users can not access government sites because the IP ranges were
> owned by a company in a different country two years ago.

Find one of your users that's a citizen of said gov't & forward their
complaint to the gov't sites.  Non-citizen complaints are much easier
to ignore..

Regards,
Lee


> Take a guess on how responsive site owners are when we complain about their
> firewall. Most refuse to acknowledge they do any blocking and insist the
> problem is at our end. That is if they respond at all.
>
> Regards,
>
> Baldur
>
>
> On 25 December 2015 at 02:25, Stephen Satchell <list@satchell.net> wrote:
>
>> On 12/24/2015 04:50 PM, Daniel Corbe wrote:
>>
>>> Let’s just cut off the entirety of the third world instead of having
>>> a tangible mitigation plan in place.
>>>
>>
>> While you think you are making a snarky response, it would be handy for
>> end users to be able to turn on and off access to other countries retail.
>> If *they* don't need access to certain third world countries, it would be
>> their decision, not the operator's decision.
>>
>> For example, here on my little network we have no need for connectivity
>> to much of Asia, Africa, or India.  We do have need to talk to Europe,
>> Australia, and some countries in South America.
>>
>>
>
