NSPs filter?
Richard A Steenbergen
ras at e-gerbil.net
Mon Aug 5 15:18:31 UTC 2002
On Sun, Aug 04, 2002 at 09:15:26PM -0700, Stephen Stuart wrote:
>
> > IMO, Commercial ISPs should never filter customer packets unless
> > specifically requested to do so by the customer, or in response to a
> > security/abuse incident.
>
> Let's say the customer operates some big enterprise network, runs
> their infrastructure in RFC1918 space ("for security," hah), and spews
> a couple kilobits of DNS query from that RFC1918 space toward the root
> nameservers. Assume that either pride or ignorance will prevent the
> customer from ever asking you to filter what you know to be garbage
> traffic. Does your rule to "never filter customer packets" mean you're
> going to sit and watch those packets go by?
>
> If yes, why?

One would hope that, unless there is a complaint, you wouldn't be invading
their privacy to look at their traffic in the first place.

If a root server operator complained about it, I'd say that's reasonable
grounds to filter it and contact the customer, the same as if they had a
compromised box spewing out DoS.

Filtering piddly stuff like this without consultation is usually unwelcome
at best, and a disruption at worst. It is also a serious investment of
time and ACL resources which could be better spent somewhere else. And
lastly, it sets a bad precedent for what ISPs "can" do to proactively
filter. After all, if we "can" do this, why can't we also filter illegal
MP3 exchanges too?

--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
PGP Key ID: 0x138EA177 (67 29 D7 BC E8 18 3E DA B2 46 B3 D8 14 36 FE B6)