more on filtering

matt at petach.org
Fri Oct 31 02:17:12 UTC 2003


Recently, alex at yuriev.com (Alex Yuriev) wrote:
> 
> > So, electric grids do not have any mechanisms to disconnect from other
> > grids ( ie, stop "transiting" their electricity ) if one is doing something
> > that causes problems on the local grid?  As a customer I would very
> > much like my provider to filter out waveforms that would prevent their
> > ability to provide me with my service.
> 
> They disconnect the SOURCE of the problem forcing the SOURCE to behave. That
> is equivalent of forcing the ES to behave.

Unfortunately, as the Northeast seaboard of the US discovered
not too long ago, the electrical system is somewhat like the
Internet; it attempts to route around failures, meaning that
simply shutting down the link along which the damaging
waveform is propagating does not prevent it from entering
your grid; it simply follows a different pathway in.  And
in shutting down the direct pathway, you may well cause
more stability problems as the flow shifts onto alternate
interconnects.

Likewise, if I am network A, and a customer of mine is
sending attack packets towards a customer of network B,
simply shutting down the peering links between network
A and network B does nothing to prevent the attack packets
from entering network B.  Network B would have to isolate
itself completely from the rest of the Internet core in
order to ensure my bad packets did not enter their network.
Anything less, and as long as there is some transit path
that can be used to get from my network to network B,
the attack packets will still flow and enter network B.

I don't think anyone here would defend isolating themselves
from the rest of the Internet as being a "better" solution 
than say putting in filters to block port 1434 traffic.
 
> Traffic to port X cannot be specified as valid or invalid for any IS,
> because the IS does not know why such traffic exists. 

We're not saying the traffic is invalid; we're saying the
traffic is causing us harm.  As with most organisms, there
is a strong instinct for self-preservation.  If the traffic
is causing extensive degradation to the IS, it's better for
the IS to try to preserve itself by limiting the impact of
the traffic, regardless of whether it is valid or not.

I'm starting to get the sense that you've never actually
been in the hot seat of a major network before, so for the
sake of everyone who has, who is no doubt getting rather
tired of your stubborn stance, I'll make this my last
public response on the issue.  Feel free to continue this
via private email if you'd like. 

> Alex

Matt
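To make the reachability argument in the post above concrete, here is a small added model (not part of Matt's message or anything posted on the list). It assumes a constructed three-network topology in which the attacker's provider A peers directly with the victim network B and both also connect to a transit network C, and it treats "port 1434 traffic" as UDP/1434, the port the Slammer worm hit earlier that year. Network names, the packet records and the filter representation are all assumptions made for illustration.

```python
from collections import deque

# Constructed topology (hypothetical network names): A peers directly with B,
# and both A and B buy transit from C. Links are undirected.
LINKS = {("A", "B"), ("A", "C"), ("C", "B")}

# Constructed packets: an attack flow on UDP/1434 and ordinary web traffic,
# both sourced from A's customer and aimed at B's customer.
ATTACK = {"src": "A", "dst": "B", "proto": "udp", "dport": 1434}
WEB = {"src": "A", "dst": "B", "proto": "tcp", "dport": 80}


def adjacency(links):
    """Build an undirected adjacency map from a set of (x, y) links."""
    adj = {}
    for x, y in links:
        adj.setdefault(x, set()).add(y)
        adj.setdefault(y, set()).add(x)
    return adj


def find_path(links, src, dst):
    """Breadth-first search; returns the hop list src..dst or None if unreachable."""
    adj = adjacency(links)
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, ()):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def delivered(links, packet, edge_filters):
    """Return (reached, path).

    A packet reaches its destination network if some path exists AND the
    destination's edge filter (a set of blocked (proto, port) pairs keyed by
    network name) does not drop it. Path-independent filtering is the point:
    the filter is applied whichever way the packet came in.
    """
    path = find_path(links, packet["src"], packet["dst"])
    if path is None:
        return False, None
    if (packet["proto"], packet["dport"]) in edge_filters.get(packet["dst"], set()):
        return False, path
    return True, path


def scenario_depeer():
    """B shuts the A-B peering link: the attack still arrives via transit C."""
    return delivered(LINKS - {("A", "B")}, ATTACK, {})


def scenario_filter():
    """B keeps all links but filters UDP/1434 at its edge: attack dropped, web unaffected."""
    filters = {"B": {("udp", 1434)}}
    return delivered(LINKS, ATTACK, filters), delivered(LINKS, WEB, filters)


def scenario_isolate():
    """B drops every link: the attack stops, and so does everything else."""
    alone = {link for link in LINKS if "B" not in link}
    return delivered(alone, ATTACK, {}), delivered(alone, WEB, {})


if __name__ == "__main__":
    print("de-peer A-B only :", scenario_depeer())
    print("filter 1434 at B :", scenario_filter())
    print("isolate B fully  :", scenario_isolate())
```

Running it shows the three outcomes the post contrasts: removing only the direct link reroutes the attack through C, a port filter at B's edge stops it on any path while leaving other traffic alone, and the only link-level measure that stops it is cutting B off from everyone.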



