more on filtering

Chris Parker cparker at starnetusa.net
Fri Oct 31 02:00:55 UTC 2003


At 03:54 PM 10/30/2003, Alex Yuriev wrote:
> > >The way currently people propose everyone operates is equivalent to a
> > >company that transmits AC to customer deciding that some part of the AC
> > >waveform is "harmful" to its equipment, and therefore should be filtered
> > >out. Of course, no one bothers to tell the customer that the filter exists,
> > >or what is being filtered, or when, or how.
> >
> > So, electric grids do not have any mechanisms to disconnect from other
> > grids ( ie, stop "transiting" their electricity ) if one is doing something
> > that causes problems on the local grid?  As a customer I would very
> > much like my provider to filter out waveforms that would prevent their
> > ability to provide me with my service.
>
>They disconnect the SOURCE of the problem forcing the SOURCE to behave. That
>is equivalent of forcing the ES to behave.

The source of the problem of bad packets is where they ingress to my
network.  I disconnect the flow of bad packets through filtering.  What
is the difference, other than I do not remove an entire interconnect,
only the portion of packets that is affecting my ability to provide
services?

> > If the issue is how to communicate what is being filtered to the customer,
> > then simply need to find a way to do that.  The solution to "it is hard to
> > communicate what is being filtered to the end-users" is not "oh well,
> > we won't filter anything".  At least not as I see it.
>
>Traffic to port X cannot be specified as valid or invalid for any IS,
>because the IS does not know why such traffic exists. Traffic ES<->ES
>on port X can be valid or invalid because ES knows if it is valid traffic.
>If you want to filter that traffic, filter it for a specific ES (the one
>that does not want it) and force whoever is sending you that traffic to play
>nicely. It is DIFFERENT from saying "We drop all packets that match port X"

Consider the recent scanning behaviour of the Nachi/Welchia worms.  You
have now *many* sources, and *many* destinations.  Due to the overwhelming
traffic ( considering that several commonly used networking devices were
not able to keep a forwarding table due to the size of all the src/dest
pairs ) causing problems on the network, what steps would you suggest be
taken?

Consider you are running a network with tens of thousands of end-users
connecting and disconnecting at random points in the network.  Do
you enter a specific reflexive rule for every src/dst pair?  Or do
you implement wide-scale filtering of the traffic if it is easily
identifiable based on the "signature" of src port/dst port/payload?

> > Supposing a network *did* provide a way to inform customers what was
> > being filtered.  Would you still object to the filtering?
>
>If I request that traffic, of course I would object!

And if service goes down for you, as I serve a DOS to another customer,
would you also object in that case?  Even if the other customer had not
yet complained to me about the DOS?

> > >Another excellent example - UPS will not remove that. The shipper will.
> >
> > How?  I'm the shipper.  I put the RF generating device into package and
> > give it to UPS.  They will do nothing to remove it or not ship it?
> > It is only up to me to not do it?  Al Qaeda would love that to be
> > true I'm sure.  :)
>
>After that package is removed, you, the shipper, are going to have your
>hands slapped very hard, which will force you in future to behave. By doing
>this, we successfully enforced ES filtering.

Right, and that assumes that every ES wants to do the right thing, and
knows better.  Just like everybody used to have open SMTP relaying as
people who did bad things with SMTP got their hands slapped.

And since UPS is rejecting only certain packages, they have just
implemented filtering as an IS based on the contents of the package
they are being asked to carry, despite my desire as a shipper to
ship it, and a corresponding desire of the receiver to receive it.

> > There is a chain of agreements connecting you to the source/dest of
> > any traffic on your network.  Even if it is a customer of a customer
> > of a customer, you have a chain of agreements that establishes you
> > as a party.
> >
> > In what scenario would there not be a chain of agreements to connect
> > you as a party?
>
>Even if I have agreement with you that you sell me a GSR for $5.00, which
>you have agreement with RS to get from him, I do not have agreement with RS
>that lets me get the GSR from him for $5.

I don't see how that is the same thing here.  I have an agreement with
cust X to provide services in accordance with my AUP.  cust X resells
that service to cust Y, etc.  cust Y is bound to the terms and conditions
of my agreement with cust X, despite that I do not have a direct agreement
with cust Y.

-Chris
--
    \\\|||///  \          StarNet Inc.      \         Chris Parker
    \ ~   ~ /   \       WX *is* Wireless!    \   Director, Engineering
    | @   @ |    \   http://www.starnetwx.net \      (847) 963-0116
oOo---(_)---oOo--\------------------------------------------------------
                   \ Wholesale Internet Services - http://www.megapop.net
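An added illustration of the trade-off Chris raises between one reflexive rule per src/dst pair and one wide-scale rule keyed on a traffic signature (example code, not part of the original post; the ICMP signature, the addresses and the flow records are constructed for the demonstration and are not the real Nachi/Welchia pattern):

```python
# Added example, not from the original NANOG post. Contrasts per-pair
# reflexive deny entries with a single signature rule over constructed flows.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto sport dport payload")

# Constructed worm-like traffic: many sources, many destinations, same
# payload shape, plus two benign flows that must not be caught.
FLOWS = [
    Flow("10.0.%d.%d" % (i, j), "192.0.2.%d" % ((i * 7 + j) % 250 + 1),
         "icmp", 0, 0, b"\xaa" * 92)
    for i in range(1, 6) for j in range(1, 6)
] + [
    Flow("10.0.9.9", "192.0.2.10", "tcp", 40000, 80, b"GET / HTTP/1.0"),
    Flow("10.0.9.8", "192.0.2.11", "icmp", 0, 0, b"\x00" * 56),  # ordinary ping
]

# Hypothetical signature: protocol, destination port, payload predicate.
WORM_SIGNATURE = ("icmp", 0, lambda p: len(p) == 92 and set(p) == {0xAA})


def matches_signature(flow, sig):
    """True when the flow matches the (proto, dport, payload predicate) tuple."""
    proto, dport, payload_pred = sig
    return (flow.proto == proto and flow.dport == dport
            and payload_pred(flow.payload))


def reflexive_rules(flows, sig):
    """Per-pair approach: one deny entry for every offending (src, dst) pair.
    The returned set grows with the number of distinct pairs seen."""
    return {(f.src, f.dst) for f in flows if matches_signature(f, sig)}


def signature_rule_hits(flows, sig):
    """Wide-scale approach: a single rule. Returns (dropped, kept) counts."""
    dropped = sum(1 for f in flows if matches_signature(f, sig))
    return dropped, len(flows) - dropped


if __name__ == "__main__":
    print("per-pair deny entries needed:", len(reflexive_rules(FLOWS, WORM_SIGNATURE)))
    print("single signature rule drops/keeps:", signature_rule_hits(FLOWS, WORM_SIGNATURE))
```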





More information about the NANOG mailing list