net.terrorism
Sabri Berisha
sabri at bit.nl
Tue Jan 9 13:25:43 UTC 2001
On Tue, 9 Jan 2001, William Allen Simpson wrote:
> Sabri Berisha wrote:
> > I am concerned. Concerned about people and companies who think they are in
> > the position to be net.gods and for political reasons destroy the free
> > character of the internet.
> I've been involved for over 20 years, and don't remember this "free
> character". Perhaps there is a language translation problem? That
> also applies to the use of the word "terrorism"?
"Free" as in everybody decides their own policies. "Terrorism" as in
forcing your policies on someone else's network.
> > In the history of the internet, people have been trusting each other.
>
> When? I remember the RFCs on policy based routing over a decade ago.
> Have you read them?
No. But if it makes you feel better, I will.
> > In my opinion, announcing a netblock using BGP4 is making a promise to
> > carry traffic to a destination within that netblock. If you feel that
> > parts of that network are against your ethics or AUP, you should not be
> > announcing such a netblock.
>
> Announcing a netblock doesn't promise that every address in that block
> exists or is reachable. A network that is blocked for AUP violations
> doesn't "exist", and usually returns the ICMP message "Unreachable --
> Administratively Prohibited" specifically designed for such situations.
> Have you read "Router Requirements"?
Why do you want me to have read everything you have read? My point is not
policy based routing or which ICMP message I get. My point is not to
announce something you won't route.
> > Above.net is blocking a host in UUnet IP space.
> >...
> > > 194.178.232.55/32. --> this tester is part of a /16 belonging to
> > > uunet, and sends traffic which is in violation of our AUG. we
> > > complained to uunet without any effect. if we have blocked access
> > > from this /32 to our backbone, we are within our rights.
> >
> > After this mail, we contacted Above.net again. They basically told us it
> > was for our own protection because that traffic from that host does not
> > comply with their AUP. We specifically told them we really don't mind them
> > blackholing that host but *announcing* a route for it. So far no response.
> >
> Where did they announce a "host route"? I thought you said they
> announce a route to a netblock -- an entire /16?
Yes, they announced a /16.
> It seems from the email that they clearly stated that the traffic was
> in violation of the AUP. We all block specific sites that harm our
> networks. Otherwise, there would be no capacity left for our
> customers. It's the "policy" part, for which BGP was designed. Go
> read the design RFCs.
Read read read... I'm pretty familiar with BGP.
> If you are participating in tests with 194.178.232.55
> (relaytest.orbs.vuurwerk.nl), then you need a private connection to
> that specific site, just as many academic sites test unstable network
> software. Expensive, but shouldn't be too bad considering that both of
> you are in the Netherlands....
If I want to make sure my traffic gets to that host, I can set up a static
route to our second uplink. But it's not *me* who should be filtering. How
do I know which other hosts are being announced and blackholed?
--
/* Sabri Berisha, non-interesting network dude.
*
* CCNA, BOFH, Systems admin Linux/FreeBSD
*/
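
Added example, not part of the original message or of any operator's tooling: the message's closing question concerns more-specific discard entries hidden inside an announced aggregate, and this sketch shows the longest-prefix-match behaviour behind that, plus an audit an operator could run over its own tables. The table contents and the function names `decide` and `announced_but_discarded` are assumptions; only the /32 comes from the thread, and the covering /16 is derived from it.

```python
import ipaddress

# Constructed data. The /32 is the host named in the thread; the covering /16
# is derived from it, and 198.51.100.0/24 is a documentation prefix.
HOST = ipaddress.ip_network("194.178.232.55/32")
ANNOUNCED = [ipaddress.ip_network("194.178.232.55/16", strict=False)]
DISCARDED = [HOST, ipaddress.ip_network("198.51.100.0/24")]


def decide(dst, announced, discarded):
    """Longest-prefix match over both tables; the most specific entry wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [(n.prefixlen, "forward") for n in announced if addr in n]
    candidates += [(n.prefixlen, "discard") for n in discarded if addr in n]
    if not candidates:
        return "no route"
    # On equal prefix length prefer discard, the conservative reading.
    return max(candidates, key=lambda c: (c[0], c[1] == "discard"))[1]


def announced_but_discarded(announced, discarded):
    """Map each announced prefix to the discard entries it covers."""
    report = {}
    for ann in announced:
        holes = [d for d in discarded
                 if d.version == ann.version and d.subnet_of(ann)]
        if holes:
            report[str(ann)] = [str(h) for h in sorted(holes)]
    return report


if __name__ == "__main__":
    # The /32 is dropped, its neighbour in the same /16 is forwarded,
    # and an address outside both tables has no route at all.
    for dst in ("194.178.232.55", "194.178.232.56", "203.0.113.9"):
        print(dst, "->", decide(dst, ANNOUNCED, DISCARDED))
    print(announced_but_discarded(ANNOUNCED, DISCARDED))
```

The audit only works from inside the network that holds both tables; a downstream network sees the /16 announcement and nothing else.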