Suggestion for NANOG Meeting

Paul A Vixie paul at
Mon Jan 20 17:45:09 UTC 1997

> As a carrier, I know that we should not and can not filter/censor/monitor
> any content on our "pipes".  This includes unsolicited emails,
> pornography, whatever, but there comes a point where the amount time to
> respond these issues that I can not perform the job I am paid to do. [...]

You cannot make the determination based on content.  Not because you are
a carrier, but because all three major North American governments have laws
protecting the privacy of other people's information -- your role as a
carrier just means when other people send their information through your
facility you do not "own" it, so it isn't "yours", so you can't peek at it.

You *can* make this determination based on knowledge of the source.  If you
have reason to believe that someone out there is going to put your internal
network to a use you do not agree with, you have every right to block their
traffic at your perimeter.  In other words the same legal protections that
allow you to do GIGAswitch port filtering and prevent someone from using you
as their default route, also gives you the route to install "black hole"
routes in your network so that certain other networks become unreachable.

You do not need any of the things a law enforcement agency would need -- you
do not have to have the court's permission, you do not need probable cause,
you do not have to show that your actions were not personally biased.  (We
will eventually see ISPs licensed in a way that makes this harder, but right
now you are free to do whatever you want with an IP packet, even if you are
a regulated common-carriage telephone company who sometimes deals with SMDS
frames or ATM cells or whatever.)

So it comes down to a business decision, not unlike peering.  Will your
customers complain more if you have a good path to network X, or will they
complain more if you have a bad path to network X?  In the case of peering
as a business decision, it takes a pretty special value of "X" to get, say,
Sprint's customers to complain en masse that they cannot reach that "X".
In the case of spam, though, there are a lot of quite common values of "X"
for which customers will complain more if you CAN reach it than if you CANNOT.

My list of "X", as of this morning, is as follows:

	static {
	        # spam
	        204.141.123 masklen 24  interface lo0   reject;
	        208.9.65 masklen 24     interface lo0   reject;
	        207.14.56 masklen 24    interface lo0   reject;
	        206.154.151 masklen 24  interface lo0   reject;
	        208.1.117 masklen 24    interface lo0   reject;
	        207.32.128 masklen 24   interface lo0   reject;
	        208.8.32 masklen 24     interface lo0   reject;
	        208.197.88 masklen 24   interface lo0   reject; # softcell A
	        208.206.49 masklen 24   interface lo0   reject; # softcell NS
	        208.206.54 masklen 24   interface lo0   reject; # softcell MX

I am working on a free service offering whereby the above list is sent as
a multihop BGP feed to anyone who is willing to indemnify me for any loss
of business or lawsuits which could come about as a result of accepting the
above feed.  (Right now I'm finding that GateD 3.6A2 doesn't do multihop BGP,
but as soon as I back out to 3.5 I think things will start working again.)

Naturally the effect of a large number of people accepting my "blackhole feed"
would be that spammers will have to ask their providers for a new IP address
block every time they do a new spam.  I expect that this will make them less
welcome as customers.

Note that accepting this eBGP feed from me in no way shortens an ISP's
ability to sell IP connectivity to spammers who happen to be on the list.
Your spammer customers will still have complete access to your internal
network and will still have complete access to every part of the Internet
who does not subscribe to my blackhole feed.  On the other hands, spammers
who are not your customers will not be able to interact with anyone who IS
your customer.  (Spammers who are your customers are probably pretty careful
not to annoy nonspammers who are also your customers, since they know what
they're doing is unfriendly and they don't want to get caught by someone who
can pull out their plug.)

I did not do my small part in building this industry only to have to use PGP
to filter out all e-mail that doesn't come from a known, trusted source.  I
will do that as a last resort, and before I do I will fight the good fight to
maintain the way of life I came to this medium for in the first place.

More information about the NANOG mailing list