Blocking specific sites within certain countries.
Patrick W. Gilmore
patrick at ianai.net
Fri Nov 15 01:41:25 UTC 2002
-- On Thursday, November 14, 2002 6:01 PM -0500
-- Valdis.Kletnieks at vt.edu supposedly wrote:
> On Thu, 14 Nov 2002 17:26:21 EST, "Patrick W. Gilmore"
> <patrick at ianai.net> said:
>
>> Not if you block the domain name terrorist.com from resolving at the
>> caching name server, only if you block the IP address to which it
>> resolves on your routers. (Which in many cases will be an Akamai
>> server inside your network - if not, just ask. :)
>
> http://a1016.g.akamai.net/f/1016/606/1d/(rest deleted)
>
> So tell me again how you're going to filter a1016.g.akamai.net? And how
> you're not going to piss off the OTHER sites on that server? (Yes, I know
> that the virtualized hostname is down in the (rest deleted) part of the
> URL - is that what you want to try to filter in a firewall? Especially
> when the name could (and probably will) be % encoded or whatever?
Well, believe it or not, you can filter on aXXXX. :)
But more importantly, no user is ever going to type
"aXXX.g.akamai.com/foo/bar/etc...". They are going to type
"www.ticketmaster.com", which is a CNAME for aXXX. If the ISP's name
server filters the "ticketmaster.com" domain, your random luser is not
going to be able to get to www.ticketmaster.com.
> Or are we simply assuming that all terrorists are dumb enough to not know
> how to use a proxy? (Remember that we *are* worried they're smart enough
> to use strong crypto...)
I did not think this is about stopping terrorists from getting to special
sites. I thought this was about a government censoring its citizens from
seeing "bad" web sites. Which is a Bad Idea IMHO, but I doubt the Spanish
government cares what I think.
Besides, what's to stop Joe User from using a public proxy outside his
country? :)
> Valdis Kletnieks
--
TTFN,
patrick
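
The distinction argued in this thread, as an added example that is not part of the original post: refusing a domain at the caching name server stops only that site's names, while blocking the shared edge address on a router also takes down every other site whose CNAME points at the same server. The zone data, the `.example` names, the 192.0.2.10 address and the function names are all constructed for illustration.

```python
# Constructed zone: two unrelated sites are CNAMEs for one shared edge host.
# Names and address are placeholders (RFC 2606 / RFC 5737), not real records.
ZONE = {
    "www.ticketmaster.example": ("CNAME", "a1016.g.cdn.example"),
    "www.othersite.example": ("CNAME", "a1016.g.cdn.example"),
    "a1016.g.cdn.example": ("A", "192.0.2.10"),
}


def resolve(name, blocked_domains=()):
    """Follow CNAMEs as a caching resolver would, refusing blocked domains.

    Returns the final address, or None if the name is refused or unknown.
    """
    name = name.lower().rstrip(".")
    for _ in range(8):  # bound the CNAME chain so a loop cannot hang us
        if any(name == d or name.endswith("." + d) for d in blocked_domains):
            return None  # resolver-level filter: answer is withheld
        record = ZONE.get(name)
        if record is None:
            return None
        rtype, value = record
        if rtype == "A":
            return value
        name = value.lower().rstrip(".")  # CNAME: continue with the target
    return None


def reachable(name, blocked_domains=(), blocked_ips=()):
    """True if the name resolves and its address is not dropped on the router."""
    ip = resolve(name, blocked_domains)
    return ip is not None and ip not in blocked_ips


def collateral(targets, blocked_domains=(), blocked_ips=()):
    """Site names outside `targets` that the policy also makes unreachable."""
    sites = [n for n, (rtype, _) in ZONE.items() if rtype == "CNAME"]
    return sorted(
        n for n in sites
        if n not in targets and not reachable(n, blocked_domains, blocked_ips)
    )


if __name__ == "__main__":
    target = {"www.ticketmaster.example"}
    print("DNS filter collateral:", collateral(target, blocked_domains=("ticketmaster.example",)))
    print("IP filter collateral: ", collateral(target, blocked_ips=("192.0.2.10",)))
```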