[187792] in North American Network Operators' Group
Re: Thank you, Comcast.
daemon@ATHENA.MIT.EDU (David Bass)
Fri Feb 26 10:54:32 2016
X-Original-To: nanog@nanog.org
From: David Bass <davidbass570@gmail.com>
In-Reply-To: <df93d62ef8e6cb4db2e0fd81f856cac1@mail.dessus.com>
Date: Fri, 26 Feb 2016 10:54:26 -0500
To: Keith Medcalf <kmedcalf@dessus.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
I agree with this...from a customer perspective. I've seen ISPs block other traffic as well...even on "business" accounts, and break their customers' networks.
It's the Internet not a private network...
I've never been a typical user though...maybe one of the "dozen" Mike refers to that runs an email server, web server, dns server, etc, etc, etc out of their house.
> On Feb 26, 2016, at 9:31 AM, Keith Medcalf <kmedcalf@dessus.com> wrote:
>
> ISP's should block nothing, to or from the customer, unless they make it clear *before* selling the service (and include it in the Terms and Conditions of Service Contract), that they are not selling an Internet connection but are selling a partially functional Internet connection (or a limited Internet Service), and specifying exactly what the built-in deficiencies are.
>
> Deficiencies may include:
> port/protocol blockage toward the customer (destination blocks)
> port/protocol blockage toward the internet (source blocks)
> DNS diddling (filtering of responses, NXDOMAIN redirection/wildcards, etc)
> Traffic Shaping/Policing/Congestion policies, inbound and outbound
>
> Some ISPs are good at this and provide opt-in/out methods for at least the first three on the list. Others not so much.
>
>> -----Original Message-----
>> From: NANOG [mailto:nanog-bounces@nanog.org] On Behalf Of Maxwell Cole
>> Sent: Friday, 26 February, 2016 07:19
>> To: Mikael Abrahamsson
>> Cc: NANOG list
>> Subject: Re: Thank you, Comcast.
>>
>> I agree,
>>
>> At the very least things like SNMP/NTP should be blocked. I mean how many people actually run a legit NTP server out of their home? Dozens? And the people who run SNMP devices with the default/common communities aren't the ones using it.
>>
>> If the argument is that you need a Business class account to run a mail server then I have no problem extending that to DNS servers also.
>>
>> Cheers,
>> Max
>>
>>> On Feb 26, 2016, at 8:55 AM, Mikael Abrahamsson <swmike@swm.pp.se> wrote:
>>>
>>>> On Fri, 26 Feb 2016, Nick Hilliard wrote:
>>>>
>>>> Traffic from dns-spoofing attacks generally has src port = 53 and dst port = random. If you block packets with udp src port=53 towards customers, you will also block legitimate return traffic if the customers run their own DNS servers or use opendns / google dns / etc.
>>>
>>> Sure, it's a very interesting discussion what ports should be blocked or not.
>>>
>>> http://www.bitag.org/documents/Port-Blocking.pdf
>>>
>>> This mentions on page 3.1, TCP(UDP)/25,135,139 and 445. They've been blocked for a very long time to fix some issues, even though there is legitimate use for these ports.
>>>
>>> So if you're blocking these ports, it seems like a small step to block UDP/TCP/53 towards customers as well. I can't come up with an argument that makes sense to block TCP/25 and then not block port UDP/TCP/53 as well. If you're protecting the Internet from your customers' misconfiguration by blocking port 25 and the MS ports, why not 53 as well?
>>>
>>> This is a slippery slope of course, and judgement calls are not easy to make.
>>>
>>> --
>>> Mikael Abrahamsson email: swmike@swm.pp.se
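To make the collateral-damage point in the quoted exchange concrete, here is an added example (not code from any poster in this thread) that applies the "drop UDP source port 53 towards customers" rule, as discussed above, to a few constructed packets, and contrasts it with a filter that only passes port-53 replies matching a query the customer actually sent. The customer prefix 203.0.113.0/24 and all addresses and ports are constructed sample values.

```python
# Added example, not from the thread: stateless vs. query-tracking DNS filtering.
# All addresses, ports and the customer prefix below are constructed sample data.
from dataclasses import dataclass

CUSTOMER_NET = "203.0.113."   # assumption: the ISP's customer-facing prefix


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "udp"


def stateless_block_src53(pkt: Pkt) -> bool:
    """The ACL under discussion: drop any UDP packet from port 53 toward customers."""
    return pkt.proto == "udp" and pkt.sport == 53 and pkt.dst.startswith(CUSTOMER_NET)


class QueryTrackingFilter:
    """Pass a port-53 reply only if a matching query left the customer first."""

    def __init__(self) -> None:
        self.pending: set = set()  # (customer ip, customer port, resolver ip)

    def observe_outbound(self, pkt: Pkt) -> None:
        if pkt.proto == "udp" and pkt.dport == 53 and pkt.src.startswith(CUSTOMER_NET):
            self.pending.add((pkt.src, pkt.sport, pkt.dst))

    def should_block(self, pkt: Pkt) -> bool:
        if not stateless_block_src53(pkt):
            return False            # not inbound port-53 traffic, nothing to decide
        key = (pkt.dst, pkt.dport, pkt.src)
        if key in self.pending:
            self.pending.discard(key)   # solicited reply: one answer per query
            return False
        return True                 # unsolicited port-53 traffic toward the customer


# Constructed sample traffic: a customer query to a public resolver, its reply,
# and an unsolicited packet with src port 53 and a random dst port.
QUERY = Pkt("203.0.113.10", 40000, "8.8.8.8", 53)
REPLY = Pkt("8.8.8.8", 53, "203.0.113.10", 40000)
UNSOLICITED = Pkt("198.51.100.7", 53, "203.0.113.10", 51234)


def compare() -> dict:
    f = QueryTrackingFilter()
    f.observe_outbound(QUERY)
    return {
        "stateless": {"reply": stateless_block_src53(REPLY), "unsolicited": stateless_block_src53(UNSOLICITED)},
        "tracking": {"reply": f.should_block(REPLY), "unsolicited": f.should_block(UNSOLICITED)},
    }
```

The stateless rule drops the legitimate reply and the unsolicited packet alike, which is exactly the breakage described above; only a filter that remembers outbound queries can tell the two apart.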