[33348] in North American Network Operators' Group
Re: net.terrorism
daemon@ATHENA.MIT.EDU (Sabri Berisha)
Tue Jan 9 08:39:52 2001
X-Envelope-To: nanog@merit.edu
Date: Tue, 9 Jan 2001 14:25:43 +0100 (CET)
From: Sabri Berisha <sabri@bit.nl>
To: William Allen Simpson <wsimpson@greendragon.com>
Cc: <nanog@merit.edu>
In-Reply-To: <3A5B0D07.E96A22C1@greendragon.com>
Message-ID: <Pine.LNX.4.30.0101091419170.15666-100000@pomo.bit.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Errors-To: owner-nanog-outgoing@merit.edu

On Tue, 9 Jan 2001, William Allen Simpson wrote:
> Sabri Berisha wrote:
> > I am concerned. Concerned about people and companies who think they are in
> > the position to be net.gods and for political reasons destroy the free
> > character of the internet.
> I've been involved for over 20 years, and don't remember this "free
> character". Perhaps there is a language translation problem? That
> also applies to the use of the word "terrorism"?
"Free" as in everybody decides their own policies. "Terrorism" as in
forcing your policies on someone else's network.
> > In the history of the internet, people have been trusting each other.
>
> When? I remember the RFCs on policy based routing over a decade ago.
> Have you read them?
No. But if it makes you feel better, I will.
> > In my opinion, announcing a netblock using BGP4 is making a promise to
> > carry traffic to a destination within that netblock. If you feel that
> > parts of that network are against your ethics or AUP, you should not be
> > announcing such a netblock.
>
> Announcing a netblock doesn't promise that every address in that block
> exists or is reachable. A network that is blocked for AUP violations
> doesn't "exist", and usually returns the ICMP message "Unreachable --
> Administratively Prohibited" specifically designed for such situations.
> Have you read "Router Requirements"?
Why do you want me to have read everything you have read? My point is not
policy based routing or which ICMP message I get. My point is not to
announce something you won't route.
> > Above.net is blocking a host in UUnet IP space.
> >...
> > > 194.178.232.55/32. --> this tester is part of a /16 belonging to
> > > uunet, and sends traffic which is in violation of our AUP. we
> > > complained to uunet without any effect. if we have blocked access
> > > from this /32 to our backbone, we are within our rights.
> >
> > After this mail, we contacted Above.net again. They basically told us it
> > was for our own protection because that traffic from that host does not
> > comply to their AUP. We specifically told them we really don't mind them
> > blackholing that host but *announcing* a route for it. So far no response.
> >
> Where did they announce a "host route"? I thought you said they
> announce a route to a netblock -- an entire /16?
Yes, they announced a /16.
> It seems from the email that they clearly stated that the traffic was
> in violation of the AUP. We all block specific sites that harm our
> networks. Otherwise, there would be no capacity left for our
> customers. It's the "policy" part, for which BGP was designed. Go
> read the design RFCs.
Read read read... I'm pretty familiar with BGP.
> If you are participating in tests with 194.178.232.55
> (relaytest.orbs.vuurwerk.nl), then you need a private connection to
> that specific site, just as many academic sites test unstable network
> software. Expensive, but shouldn't be too bad considering that both of
> you are in the Netherlands....
If I want to make sure my traffic gets to that host, I can set up a static
route to our second uplink. But it's not *me* who should be filtering. How
do I know which other hosts are being announced and blackholed?
--
/* Sabri Berisha, non-interesting network dude.
 *
 * CCNA, BOFH, Systems admin Linux/FreeBSD
 */
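The exchange above turns on one operational detail: a router that drops traffic by policy is supposed to answer with ICMP Destination Unreachable, code "Communication Administratively Prohibited" (RFC 1812), whereas a destination with no route answers with net or host unreachable. Telling those two apart is the only way an operator on the receiving end can answer Sabri's closing question from their own vantage point. The following is an added example, not code from the thread or from any of the networks mentioned: a small ICMP type 3 parser that classifies replies and maps each quoted original destination to a verdict. The packets are constructed in-process (the source address 192.0.2.10 and the second destination 192.0.2.99 are made-up documentation addresses; 194.178.232.55 is the host discussed in the thread). It assumes the filtering router does emit the ICMP message at all; a router that silently discards produces no reply, and that silence is itself a data point the caller has to record separately.

```python
"""Classify ICMP Destination Unreachable replies (added example, not part of the thread)."""
import struct
import ipaddress

ICMP_DEST_UNREACHABLE = 3

# RFC 792 / RFC 1812 code points for ICMP type 3.
UNREACHABLE_CODES = {
    0: "net unreachable",
    1: "host unreachable",
    2: "protocol unreachable",
    3: "port unreachable",
    4: "fragmentation needed and DF set",
    5: "source route failed",
    6: "destination network unknown",
    7: "destination host unknown",
    8: "source host isolated",
    9: "communication with destination network administratively prohibited",
    10: "communication with destination host administratively prohibited",
    11: "network unreachable for type of service",
    12: "host unreachable for type of service",
    13: "communication administratively prohibited",
    14: "host precedence violation",
    15: "precedence cutoff in effect",
}

# Codes that mean "a router dropped this on purpose", as opposed to "no route".
ADMIN_PROHIBITED = {9, 10, 13}
NO_ROUTE = {0, 1, 6, 7}


def icmp_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071); returns 0 over a correctly checksummed packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def sample_original_datagram(dst: str) -> bytes:
    """Constructed IPv4 header (20 bytes) plus the first 8 bytes of a TCP segment, as a router quotes them."""
    src = ipaddress.IPv4Address("192.0.2.10").packed  # constructed source address
    # version/IHL, TOS, total length, ID, flags/frag, TTL, proto=TCP, hdr checksum (left 0), src, dst
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                            src, ipaddress.IPv4Address(dst).packed)
    tcp_first8 = struct.pack("!HHI", 40000, 25, 1)  # src port, dst port, sequence number
    return ip_header + tcp_first8


def build_unreachable(code: int, quoted_datagram: bytes) -> bytes:
    """Build an ICMP type 3 message the way a router would (used here only to construct sample input)."""
    unchecked = struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, 0, 0) + quoted_datagram
    csum = icmp_checksum(unchecked)
    return struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, csum, 0) + quoted_datagram


def parse_unreachable(packet: bytes) -> dict:
    """Validate an ICMP packet, pull out the quoted original destination, and give a verdict."""
    if len(packet) < 8 + 20:
        raise ValueError("ICMP packet too short to carry the quoted IP header")
    if icmp_checksum(packet) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", packet[:8])
    if icmp_type != ICMP_DEST_UNREACHABLE:
        return {"type": icmp_type, "code": code, "verdict": "not a destination-unreachable message"}
    quoted = packet[8:]
    original_dst = str(ipaddress.IPv4Address(quoted[16:20]))  # destination field of the quoted IP header
    if code in ADMIN_PROHIBITED:
        verdict = "filtered by policy"
    elif code in NO_ROUTE:
        verdict = "no route / host down"
    else:
        verdict = "other"
    return {
        "type": icmp_type,
        "code": code,
        "reason": UNREACHABLE_CODES.get(code, "unassigned code"),
        "original_dst": original_dst,
        "verdict": verdict,
    }


def audit(replies: list) -> dict:
    """Map each quoted original destination to its verdict; invalid packets are skipped, not trusted."""
    result = {}
    for pkt in replies:
        try:
            parsed = parse_unreachable(pkt)
        except ValueError:
            continue
        if "original_dst" in parsed:
            result[parsed["original_dst"]] = parsed["verdict"]
    return result


if __name__ == "__main__":
    samples = [
        build_unreachable(13, sample_original_datagram("194.178.232.55")),  # policy drop
        build_unreachable(1, sample_original_datagram("192.0.2.99")),       # plain host unreachable
    ]
    for dst, verdict in audit(samples).items():
        print(dst, "->", verdict)
```

The verdict table deliberately separates the two cases the thread argues about: a prefix that is announced but whose hosts come back as "filtered by policy" is exactly the announce-but-do-not-route situation Sabri objects to, and a monitoring job that runs this over probe replies from each upstream gives an operator their own list of such hosts instead of having to ask.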