ISP port blocking practice

Joe Greco jgreco at ns.sol.net
Sat Oct 24 19:07:42 UTC 2009


> On Oct 24, 2009, at 3:17 AM, Joe Greco wrote:
> >>> Isn't blocking any port against the idea of Net Neutrality?
> >>
> >> Yes.
> >>
> >> Owen
> >
> > No.
> >
> > The idea of net neutrality, in this context, is for service providers
> > to avoid making arbitrary decisions about the services that a customer
> > will be allowed.
>
> Right.
> 
> > Blocking 25, or 137-139, etc., are common steps taken to promote the
> > security of the network.  This is not an arbitrary decision (and I am
> > defining it this way; I will not play semantics about "arbitrary".
> > Read along and figure out what I mean.)  For 25, SMTP has proven to be
> > a protocol that has adapted poorly to modern life, and a variety of
> > issues have conspired that make it undesirable to allow random home
> > PC's to use 25.  Reasonable alternatives exist, such as using 587, or
> > the ISP's mail server.  A customer isn't being disallowed the use of
> > SMTP to send mail (which WOULD be a problem).  A customer may use any
> > number of other mail servers to send mail.  Not a serious issue, and
> > not arbitrary...  it's generally considered a good, or even best
> > current, practice.
>
> A common practice of breaking the network for your customers does not
> make the network any less broken and does not make the action network
> neutral
> 
> The SMTP protocol has adapted just fine.  Certain operators of SMTP
> servers, on the other hand, are a different issue.  I don't take exception
> if you want to block those SMTP servers.  I do take exception if you
> block the protocol entirely.
> 
> 587 is the exact same protocol as 25, just with different host configuration
> policies.  As such, I would hold up 587 as an example to prove my point.

Except it doesn't.  587 is "submission done right"; whereas 25 is
"transit."  587 and 25 are conceptually completely different, even if
they use a common underlying protocol.  That's why 587 not only does
not prove your point, but it actually allows me to show that it isn't
SMTP being interfered with, but rather just the uncontrolled submission
of e-mail to remote machines.

Does network neutrality mean that dialup operators will have to allow
PPP users to connect without a login and password?

> > Blocking VoIP from your network to Vonage, because you want your
> > customers to buy your own VoIP service?  That's a very clear problem.
> > There's no justifiable reason that any viable broadband service
> > provider would have for blocking VoIP.  Yet there could be a reason
> > to forbid VoIP; I can, for example, imagine some of the rural WISP
> > setups where the loads caused on the infrastructure interfere with
> > providing service.
>
> Some providers block outbound 25 to other email service providers
> because they want your outgoing email to go only through their
> own unauthenticated, unsecure mail servers. (I have had at least
> one former ISP refuse to unblock port 25 or 587 for me to a host
> that was running TLS and SMTPAUTH while they insisted that
> I use their port 25 server which did not listen on port 587 and
> would not accept TLS or SMTPAUTH).

Blocking 25 isn't a problem.  Blocking 587 is.  Requiring all e-mail
to go through their servers is also a problem.  That's because there
is a good reason for the 25 blocking, one that you can trivially
work around on 587.  Blocking 587 is overreaching, and is dictating
that you must use their servers.  That is not neutral.

> > Similarly, it'd be ridiculous to expect an 802.11b based rural WISP
> > to be able to support HD Netflix streaming, or dialup ISP's to be
> > able to support fast downloading of movies.  These are not arbitrary
> > restrictions, but rather technological ones.  When you buy a 56k
> > dialup, you should expect you won't get infinite speed.  When you
> > buy WISP access on a shared 802.11b setup, you should expect that
> > you're sharing that theoretical max 11Mbps with other subs.
>
> Right... Those are not arbitrary, they are valid.  Blocking all access
> to port 25 is, on the other hand, arbitrary.

It's not, because there is an obvious ongoing problem with infected
end-user machines sending spam, and no particular reason that an end-
user machine needs to be able to send e-mail to random remote sites.
A huge amount of good is accomplished for the 'net as a whole when a
service provider blocks 25.  They're not preventing you from sending
e-mail, they're just requiring that it be sent in a manner that
complies with current community standards.  And there are standards,
and you can submit via 587 to alternative e-mail services of your
choice.

It is not entirely ideal, but it is laughable to construe 25 blocking
as making it impossible (or even hard) to send e-mail, given that it
most certainly isn't.

> > There's lots of interesting stuff to think about.  Net neutrality
> > isn't going to mean that we kill BCP38 and port 25 filtering.  It
> > is about service providers arbitrarily interfering with the service
> > that they're providing.  Customers should be given, to the maximum
> > extent reasonably possible, Internet connectivity suitable for
> > general purpose use.  Where service providers start infringing on
> > that, that's what should be addressed by network neutrality.
>
> BCP-38 is good.  SMTP blocking is not in BCP-38.
> 
> Not allowing a user to send forged packets is a perfectly legitimate
> action.  Not allowing a user to send or receive valid packets
> properly formatted, carrying legitimate traffic for purposes which
> are not a violation of the providers AUP, on the other hand, is
> not good.

Oh.  Really.  But the problem is, you can't play both "BCP38 is good"
and "25 blocking is bad."  They're of the same cloth.

If I'm assigned 24.1.2.3 by Comcast, and Comcast filters my ingress to
prevent me from emitting other addresses, you claim that's fine because
it's BCP38.

There's a problem:  I can validly emit a variety of other addresses, in
particular any address in 206.55.64.0/20 and some other networks.  I am
not "forging" packets if I emit 206.55.64.0/20-sourced addresses down a
Comcast pipe.

How many people realistically have this problem?  Well, potentially,
lots.  Anyone who uses a VPN could have a legitimate IP address on their
machine; because of BCP38 (and other security policy) it is common
for a VPN setup to forward Internet-bound traffic back to the VPN
server rather than directly out the Internet.  In some cases, one could
reasonably argue that this is undesirable.

But overall, security is greatly increased by eliminating the ability
to inject forged traffic.  We do this through BCP38.  BCP38 carries with
it some amount of inconvenience to users whose legitimate traffic can 
not be sent due to the simplistic filtering typically employed.

This does not mean BCP38 violates net neutrality, any more than it means
25 blocking violates it.  On the other hand, if your ISP is intercepting
your DNS, forcing /all/ SMTP through their servers, mandating the use of
web proxy servers that add banner ads, blocking VoIP, and RST'ing 
BitTorrent traffic, then you have a serious net neutrality problem.

As operators, the readers in this group should be uniquely qualified to
understand:  common technical steps taken to ensure the security and
continued smooth operation of your network are probably not violating
net neutrality, but once you move into the realm of steps taken that
damage a competitor, degrade or forbid particular services, or other
decisions made for "business" reasons, where such things affect the set
of potential things a user could reasonably expect to want to be able
to do, then you have to look a bit more carefully at it.

... JG
-- 
Joe Greco - sol.net Network Services - Milwaukee, WI - http://www.sol.net
"We call it the 'one bite at the apple' rule. Give me one chance [and] then I
won't contact you again." - Direct Marketing Ass'n position on e-mail spam(CNN)
With 24 million small businesses in the US alone, that's way too many apples.
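Added illustration, not part of Joe Greco's post or of anything the NANOG list published: a small Python model of the two filters the thread contrasts, a BCP38-style ingress source check and an egress policy that blocks tcp/25 while leaving submission on 587 open. The 24.1.2.3 address and the 206.55.64.0/20 prefix are the ones the post mentions; the policy structure, the Packet records and the 198.51.100.x / 203.0.113.x destinations are constructed for the example (RFC 5737 documentation ranges). It also shows the case the post raises: a simplistic per-customer filter drops legitimately VPN-sourced 206.55.64.0/20 traffic until the operator adds that prefix to the allowed set.

```python
"""Model of BCP38 ingress filtering plus a port-25 egress block.

Constructed example. Addresses 24.1.2.3 and 206.55.64.0/20 come from the
thread; everything else is an assumption made for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str      # source IP as seen on the customer-facing port
    dst: str      # destination IP
    dport: int    # destination port
    proto: str = "tcp"


# Prefix the access provider assigned to this customer port (from the post).
ASSIGNED_PREFIXES = [ip_network("24.1.2.3/32")]

# Prefix the customer can also legitimately source, e.g. a VPN-assigned
# address (the post's 206.55.64.0/20 example). Not in the default filter.
LEGITIMATE_EXTRA_PREFIXES = [ip_network("206.55.64.0/20")]

# SMTP egress policy: block transit SMTP from end-user space, allow
# submission ports so customers can still use any authenticated relay.
BLOCKED_EGRESS_TCP = {25}
SUBMISSION_TCP = {587, 465}


def bcp38_ingress(pkt, allowed_prefixes):
    """Accept a packet only if its source lies inside an allowed prefix.

    This is the 'simplistic' check the post describes: anything sourced
    outside the customer's known prefixes is treated as spoofed.
    """
    src = ip_address(pkt.src)
    if any(src in net for net in allowed_prefixes):
        return True, "source within an allowed prefix"
    return False, "source outside allowed prefixes (treated as spoofed)"


def smtp_egress(pkt):
    """Apply the port-25 block; submission ports and other traffic pass."""
    if pkt.proto != "tcp":
        return True, "not TCP, outside SMTP policy"
    if pkt.dport in BLOCKED_EGRESS_TCP:
        return False, "tcp/25 blocked: use submission (587/465) or the ISP relay"
    if pkt.dport in SUBMISSION_TCP:
        return True, f"tcp/{pkt.dport} submission allowed"
    return True, "not subject to SMTP policy"


def evaluate(pkt, extra_prefixes=()):
    """Run ingress then egress policy; return (verdict, reason)."""
    allowed = list(ASSIGNED_PREFIXES) + list(extra_prefixes)
    ok, why = bcp38_ingress(pkt, allowed)
    if not ok:
        return "DROP", why
    ok, why = smtp_egress(pkt)
    return ("PASS" if ok else "DROP"), why


# Constructed sample traffic (destinations are documentation addresses).
SAMPLE_TRAFFIC = [
    Packet("24.1.2.3", "198.51.100.25", 25),      # direct transit SMTP
    Packet("24.1.2.3", "198.51.100.25", 587),     # submission to chosen relay
    Packet("203.0.113.9", "198.51.100.80", 443),  # spoofed source
    Packet("206.55.70.1", "198.51.100.80", 443),  # legitimate VPN-sourced
]


def run_report(extra_prefixes=()):
    """Evaluate every sample packet; returns a list of (packet, verdict, reason)."""
    return [(p, *evaluate(p, extra_prefixes)) for p in SAMPLE_TRAFFIC]


if __name__ == "__main__":
    for label, extra in (("default filter", ()),
                         ("filter with VPN prefix added", LEGITIMATE_EXTRA_PREFIXES)):
        print(f"== {label} ==")
        for pkt, verdict, reason in run_report(extra):
            print(f"{verdict:4} {pkt.src:>12} -> {pkt.dst}:{pkt.dport}  {reason}")
```

Running the block prints two passes over the same traffic: with the default filter the 206.55.70.1 packet is dropped as spoofed even though it is valid, which is exactly the inconvenience the post attributes to simplistic BCP38 filtering; adding the prefix to the allowed set fixes that without loosening the port-25 policy.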