North American Network Operators Group
Re: Clueless service restrictions (was RE: Anti-spam System Idea)
- From: Alex Bligh
- Date: Tue Feb 17 16:50:58 2004
--On 17 February 2004 12:17 -0800 Tony Hain <alh-ietf@tndh.net> wrote:
[with apologies for rearrangement]
> The Internet has value because it allows arbitrary interactions where new
> applications can be developed and fostered. The centrally controlled model
> would have prevented IM, web, sip applications, etc. from ever being
> deployed. If there are any operators out there who still understand the
> value in allowing the next generation of applications to incubate, you
> need to push back on this tendency to limit the Internet to an 'approved'
> list of ports and service models.
...
> Seriously, filtering is about attempting to prevent the customer from
> using their target application. Central registration is no better, as its
> only purpose is exercising power through extortion of additional funds for
> 'allowing' that application.
Quite right in general.
However
a) Some forms of filtering, which do occasionally prevent the customer
from using their target application, are in general good, as the
operational (see, on topic) impact of *not* applying tends to be
worse than the disruption of applying them. Examples: source IP
filtering on ingress, BGP route filtering. Both of these are known
to break harmless applications. I would suggest both are good things.
b) The real problem here is that there are TWO problems which interact.
It is a specific case of the following general problem:
* A desire for any to any end to end connectivity using the
protocol concerned => filter free internet
* No authentication scheme
Applying filters based on IP address & protocol (whether it's by filtering
or RBL) is in effect attempting to do authentication by IP address. We know
this is not a good model. People do, however, use it because there
currently is no realistic widely deployed alternative available. Those
that are currently available (e.g. SPF) are not widely deployed, and
in any case are far from perfect. Whilst we have no hammer, people will
keep using the screwdriver to drive in nails, and who can blame them?
Alex
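
The trade-off in point (a), as an added example that is not part of the original message: a minimal ingress source-address filter that drops forged sources but also drops a harmless sender. The port names, the documentation-range prefixes and the multihomed customer are constructed assumptions.

```python
import ipaddress

# Constructed data: prefixes this provider assigned to each customer port.
# All addresses come from the documentation ranges (RFC 5737).
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/25")],
    "cust-b": [ipaddress.ip_network("192.0.2.128/25")],
}

def ingress_permits(port, src):
    """Return True if a packet arriving on `port` with source `src` passes."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed source address: drop
    # Unknown ports have no assigned prefixes, so everything on them is dropped.
    return any(addr in net for net in ASSIGNED.get(port, []))

def classify(packets):
    """Label each (port, src, note) tuple as 'forward' or 'drop'."""
    return [
        (port, src, note, "forward" if ingress_permits(port, src) else "drop")
        for port, src, note in packets
    ]

# Constructed sample traffic, one tuple per packet.
SAMPLE = [
    ("cust-a", "192.0.2.10", "assigned space"),
    ("cust-a", "203.0.113.7", "forged source outside any assignment"),
    ("cust-a", "192.0.2.200", "forged source inside neighbour cust-b's prefix"),
    # Assumed harmless case: cust-b is multihomed and sends from an address
    # delegated by its other provider. The filter cannot tell this from forgery.
    ("cust-b", "198.51.100.5", "multihomed, address from other provider"),
]

if __name__ == "__main__":
    for port, src, note, verdict in classify(SAMPLE):
        print(f"{verdict:8} {port:7} {src:15} {note}")
```

The last sample packet is the cost described in (a): the filter decides on source address alone, so a legitimate sender outside the assigned prefix is treated the same as a forged one.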