Schneier: ISPs should bear security burden

Owen DeLong owen at delong.com
Thu Apr 28 06:48:39 UTC 2005


> Ah, but *you* wouldn't get blocked. You maintain your own rDNS and
> presumably have enough clue to not make the rDNS look like a pool of
> dynamic residential IPs that aren't terribly important. To wit:
>
Um, that's not what I thought this discussion was about.  I thought this
discussion was about ISPs that are blocking things like my going out to
port 25 on various random hosts (something mailhost.delong.com does on
a regular basis, as does owen.delong.com, both of which are mail relay
machines, neither of which is an open relay).

> Those are OBVIOUSLY not hostnames that comply with de-facto standards for
> dynamically assigned dialup and broadband pools like
>
I would hope not.  I've put lots of work into naming my hosts. :-)

> The idea is that your ISP should either allow you to run your own DNS or
> give you DNS that doesn't look like something out of a big pool of
> addresses, which makes it much, MUCH easier to decide what to block and
> what not to block. Any IP that a provider allows servers on should have
> distinctive, non-dynamic-looking DNS (and preferably be in a separate
> netblock from the dynamically-assigned IPs).
>
Again, we're talking about apples and oranges.  You're talking about some
other ISP blocking based on rDNS.  I'm talking about my ISP blocking based
on ports.  What other ISPs block is between them and their customers.  Yes,
sometimes it's annoying, but, it's really between them and their customers,
so, little I can do.

What I'm saying is I don't want an ISP that blocks my ports in either
direction by default.  However, I am a residential ADSL customer using
a UNI.

> That way you can be reasonably sure that you're not blocking someone
> whose ISP has allowed them to run servers.
>
Generally, until someone abuses my network, I don't block anyone trying to
get to any of the ports on which I choose to offer services.

>> Why should an ISP decide what a residential
>> customer can or can't do with their internet connection.  (This is not
>> an advocation for abandoning TOS or allowing abuse.  I am talking about
>> within the confines of legitimate internet use, such as hosting a web
>> site (or even several), running nameservers, mail server(s), etc.)
>
> Your ISP, or the provider of the person deciding whether to block you?
>
Either.

> Is there anything wrong with an ISP saying "you can't run servers on
> certain types of Internet connection"?

Yes.


I can see the ISP saying "You're not allowed to push more than X bandwidth"
on certain types of connections.  I can even see them being unwilling to
provide a static IP.  However, telling me what I can or can't use the
bandwidth for is absurd.  What difference does it make to the ISP which
side initiated the TCP connection or sent the first UDP datagram in a
given flow?

Owen
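The rDNS heuristic the quoted reply describes, worked through as an added example that is not from this post or the thread: a mail relay's accept/defer decision keyed on whether the connecting client's reverse DNS confirms forward and whether the name looks like it came from a dynamic pool. The label patterns, the documentation-range addresses and the lookup tables are constructed assumptions standing in for live DNS.

```python
import re

# Constructed label patterns approximating pool-style naming (an assumption, not a standard).
DYNAMIC_LABEL_RE = re.compile(
    r"(^|[-.])(dyn(amic)?|dhcp|pool|ppp|dialup|a?dsl|cable|cpe|dynip)([-.\d]|$)")

def embeds_address(hostname, ip, min_octets=3):
    """True if >= min_octets consecutive octets of ip (either order) or its hex form appear in hostname."""
    octets = [int(o) for o in ip.split(".")]
    nums = [int(n) for n in re.findall(r"\d+", hostname)]
    for seq in (octets, octets[::-1]):
        for s in range(len(seq) - min_octets + 1):
            window = seq[s:s + min_octets]
            if any(nums[i:i + min_octets] == window
                   for i in range(len(nums) - min_octets + 1)):
                return True
    return "".join(f"{o:02x}" for o in octets) in hostname.lower()

def looks_dynamic(hostname, ip):
    """The thread's heuristic: a name embedding its own address, or carrying a pool label, looks dynamic."""
    h = hostname.rstrip(".").lower()
    return embeds_address(h, ip) or bool(DYNAMIC_LABEL_RE.search(h))

# Constructed lookup tables standing in for live DNS (addresses are from documentation ranges).
SAMPLE_PTR = {
    "192.0.2.25": "mailhost.delong.com",                    # relay named in the post
    "198.51.100.77": "198-51-100-77.dyn.example-isp.net",  # pool-style name
    "203.0.113.9": "cpe-203-0-113-9.example-cable.net",    # pool-style name
    "203.0.113.10": None,                                   # no PTR record at all
    "203.0.113.11": "mx.example.org",                       # PTR whose A record points elsewhere
}
SAMPLE_A = {
    "mailhost.delong.com": {"192.0.2.25"},
    "198-51-100-77.dyn.example-isp.net": {"198.51.100.77"},
    "cpe-203-0-113-9.example-cable.net": {"203.0.113.9"},
    "mx.example.org": {"203.0.113.12"},
}

def smtp_client_verdict(client_ip, ptr=SAMPLE_PTR, fwd=SAMPLE_A):
    """Relay-side decision driven by rDNS rather than by which side opened the connection."""
    name = ptr.get(client_ip)
    if not name:
        return "defer: no rDNS"
    if client_ip not in fwd.get(name, set()):
        return "defer: rDNS does not confirm forward"
    if looks_dynamic(name, client_ip):
        return "defer: dynamic-looking rDNS"
    return "accept"
```

A "defer" here is a 4xx temporary rejection, so a misclassified legitimate relay retries rather than losing mail.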