[53578] in North American Network Operators' Group
Re: CogentCo
daemon@ATHENA.MIT.EDU (David Schwartz)
Mon Nov 18 15:51:22 2002
From: David Schwartz <davids@webmaster.com>
To: <meuon@highertech.net>, <nanog@merit.edu>
Date: Mon, 18 Nov 2002 12:50:49 -0800
In-Reply-To: <Pine.LNX.4.33.0211181429540.6894-100000@mikey.highertech.net>
Errors-To: owner-nanog-outgoing@merit.edu
On Mon, 18 Nov 2002 14:46:51 -0500 (EST), Mike (meuon) Harrison wrote:
>It also appears to block Gnutella and similar protocols.
	You should never sign an IP access agreement that doesn't give you access to the filtering rules that affect your traffic. Ideally, you should strongly avoid agreements that don't let you opt out of filtering you don't want.
	Here's the type of language we typically insist on. If a provider won't agree to this type of language, odds are very high they plan to filter your traffic in strange ways or aren't serious about providing business-class IP services.
1) XXXXXX agrees to provide YYYYYYYY with information about any filtering rules that apply to traffic to or from YYYYYYYY. Such information shall include a precise description of what types of traffic the filter affects.
2) Where possible, XXXXXX agrees to provide YYYYYYYY with 2 business days' advance notice of any planned filtering changes. In the event that XXXXXX makes an emergency or expedited filtering change that affects traffic to or from YYYYYYYY, XXXXXX agrees to notify YYYYYYYY as soon as practical.
3) In the event XXXXXX makes a filtering change that affects traffic to or from YYYYYYYY, and such change is not justified by technical necessity or emergency, XXXXXX agrees to, at YYYYYYYY's request, either remove the filter or exempt traffic to and from YYYYYYYY's network from the filter.
To qualify as an emergency filter, a filter must be temporary. Technical necessity includes, but is not limited to, the following types of filtering:
A) Dropping packets with invalid source addresses. This would include RFC1918 or unassigned addresses.
B) Dropping packets at the request of the originator or recipient of those packets.
The following types of filtering are not considered technical necessity:
A) Blocking specific ports or protocols because an exploit or attack might use them in the absence of knowledge of a specific attack source or destination. This would include blocking a particular TCP or UDP port in response to its being used by a trojan or probe.
B) Blocking specific types of packets (by port or protocol) even though they are technically valid IP packets with valid source and destination addresses for purposes of disabling particular applications or protocols. This would include, for example, blocking packets with an IP type of 255 (raw IP).
	A dialup account is one thing. But 100Mbps business-class access is another story. You should know exactly what's happening to *your* traffic.
	DS