ISP port blocking practice

Owen DeLong owen at delong.com
Sat Oct 24 16:13:27 UTC 2009


On Oct 24, 2009, at 3:17 AM, Joe Greco wrote:

>>> Isn't blocking any port against the idea of Net Neutrality?
>>
>> Yes.
>>
>> Owen
>
> No.
>
> The idea of net neutrality, in this context, is for service providers
> to avoid making arbitrary decisions about the services that a customer
> will be allowed.
>
Right.

> Blocking 25, or 137-139, etc., are common steps taken to promote the
> security of the network.  This is not an arbitrary decision (and I am
> defining it this way; I will not play semantics about "arbitrary".
> Read along and figure out what I mean.)  For 25, SMTP has proven to be
> a protocol that has adapted poorly to modern life, and a variety of
> issues have conspired that make it undesirable to allow random home
> PC's to use 25.  Reasonable alternatives exist, such as using 587, or
> the ISP's mail server.  A customer isn't being disallowed the use of
> SMTP to send mail (which WOULD be a problem).  A customer may use any
> number of other mail servers to send mail.  Not a serious issue, and
> not arbitrary...  it's generally considered a good, or even best
> current, practice.
>
A common practice of breaking the network for your customers does not
make the network any less broken and does not make the action network
neutral

The SMTP protocol has adapted just fine.  Certain operators of SMTP
servers, on the other hand, are a different issue.  I don't take  
exception
if you want to block those SMTP servers.  I do take exception if you
block the protocol entirely.

587 is the exact same protocol as 25, just with different host  
configuration
policies.  As such, I would hold up 587 as an example to prove my point.


> Blocking VoIP from your network to Vonage, because you want your
> customers to buy your own VoIP service?  That's a very clear problem.
> There's no justifiable reason that any viable broadband service
> provider would have for blocking VoIP.  Yet there could be a reason
> to forbid VoIP; I can, for example, imagine some of the rural WISP
> setups where the loads caused on the infrastructure interfere with
> providing service.
>
Some providers block outbound 25 to other email service providers
because they want your outgoing email to go only through their
own unauthenticated, unsecure mail servers. (I have had at least
one former ISP refuse to unblock port 25 or 587 for me to a host
that was running TLS and SMTPAUTH while they insisted that
I use their port 25 server which did not listen on port 587 and
would not accept TLS or SMTPAUTH).

> Similarly, it'd be ridiculous to expect an 802.11b based rural WISP
> to be able to support HD Netflix streaming, or dialup ISP's to be
> able to support fast downloading of movies.  These are not arbitrary
> restrictions, but rather technological ones.  When you buy a 56k
> dialup, you should expect you won't get infinite speed.  When you
> buy WISP access on a shared 802.11b setup, you should expect that
> you're sharing that theoretical max 11Mbps with other subs.
>
Right... Those are not arbitrary, they are valid.  Blocking all access
to port 25 is, on the other hand, arbitrary.
>
>
> There's lots of interesting stuff to think about.  Net neutrality
> isn't going to mean that we kill BCP38 and port 25 filtering.  It
> is about service providers arbitrarily interfering with the service
> that they're providing.  Customers should be given, to the maximum
> extent reasonably possible, Internet connectivity suitable for
> general purpose use.  Where service providers start infringing on
> that, that's what should be addressed by network neutrality.
>
BCP-38 is good.  SMTP blocking is not in BCP-38.

Not allowing a user to send forged packets is a perfectly legitimate
action.  Not allowing a user to send or receive valid packets
properly formatted, carrying legitimate traffic for purposes which
are not a violation of the providers AUP, on the other hand, is
not good.

Owen




More information about the NANOG mailing list