[76862] in North American Network Operators' Group
Re: IPv6, IPSEC and deep packet inspection
daemon@ATHENA.MIT.EDU (bmanning@vacation.karoshi.com)
Sat Jan 1 23:44:56 2005
Date: Sun, 2 Jan 2005 04:44:13 +0000
From: bmanning@vacation.karoshi.com
To: Sean Donelan <sean@donelan.com>
Cc: nanog@merit.edu
In-Reply-To: <Pine.GSO.4.58.0501012156490.8905@clifden.donelan.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Sat, Jan 01, 2005 at 10:09:24PM -0500, Sean Donelan wrote:
> > That depends very much on what is being reached. Would it be reasonable
> > for a.gtld-servers.net and b.gtld-servers.net to start silently
> > blocking v6 datagrams on a whim?
>
> There are *.root-servers.net (or the networks they're behind) which
> have/do block v4 datagrams on a whim, political winds, or the phase of
> the moon. Sometimes they drop them from just certain countries. Other
> times it's difficult for the external observer to guess their motivation.
Odd... that very behaviour crops up in nearly every ISP
I've had the pleasure to interact with these few years.
Local policy tends to always have a clause that says something
about "reserve the right to defend in case of attack" - where
a defense is to block/drop/filter packets. And virtually no one
has the local policy that says they must explain their actions
to random (or not) people who want to intrude on their business.
As for me, if there is an apparent DDoS, the prefix will be
filtered. Getting on is easy. Getting off takes some work.
And if you're not a directly affected party (e.g. it's not your
prefix) it's not likely I'll tell you anything about it without a
court order.
> On the other hand, all the gtld-servers.net happen to be operated by a
> single organization. What does their contract say they can do with v6,
> v4 or DECNET packets? Are they required to provide v4 or v6 service at
> all?
Perhaps you could ask them to allow you to become their spokesman
and you can interpret their contractual obligations for the
rest of us JQ Public?
> It's amazing how sometimes people want providers to drop all sorts of
> packets, and other times people get upset when providers drop all sorts
> of packets.
>
> ipv6
> e-dns
> smtp
> netbios
> icmp
> net-10.0.0.0
> multicast
> directed-broadcast
True, true... that whole expectation of a single Internet is
powerful... too bad that human nature has caused operators to
be burned so often that they are gun-shy about facilitating a truly
open, global network mesh. Welcome to the walled garden, Internet
of the future.
--bill