ISP port blocking practice

Owen DeLong owen at
Sat Oct 24 02:54:28 UTC 2009

On Oct 23, 2009, at 3:43 PM, Justin Shore wrote:

> Dan White wrote:
>> On 23/10/09 17:58 -0400, James R. Cutler wrote:
>>> Blocking the well known port 25 does not block sending of mail. Or  
>>> the
>>> message content.
>> It does block incoming SMTP traffic on that well known port.
> Then the customer should have bought a class of service that permits  
> servers.
Then you shouldn't be marketing what the customer bought as "Internet  

>>> I think the relevant neutrality principle is that traffic is not  
>>> blocked
>>> by content.
>> My personal definition doesn't quite gel with that. You're deciding  
>> for the
>> customer how they can use their connection, before you have any  
>> evidence of
>> nefarious activity.
> They decided for themselves when they bought a residential  
> connection instead of a business circuit.  Just because someone  
> bought themselves a Camry doesn't mean that Toyota is deciding for  
> them that they can't haul 1000lbs of concrete with it.  The customer  
> did when they decided to buy a car and not a pickup.
Toyota does not market the Camry as a load hauling truck.

If you are marketing your service as "Residential access to the part  
of the internet
that we think is appropriate for a residence", then, I suppose that's  
fine.  If you're
calling it "Internet Access", then, you're claiming to sell a truck  
when you are
delivering a Camry.  It's a very different comparison.

>> Would you consider restricting a customer's outgoing port 25  
>> traffic to a
>> specific mail server a step over the net neutrality line?
> I do this all the time.  For example I don't let my customers send  
> or receive mail (or any traffic for that matter) from prefixes  
> originating from AS32311 (Colorado spammer Scott Richter).  Now if I  
> was blocking mail to,,, etc or  
> restricting Vonage to .05% of my bandwidth then yeah that would  
> violate net neutrality principles.  The difference is one stifles  
> speech and is anti-competitive.  The other mitigates a network  
> security and stability risk.
I actually admit that I don't have a problem with you blocking traffic  
entering your peering connections from a known SPAM-AS.  That is, as  
you state, a network security issue.

OTOH, filtering what I, as a customer, send/receive at my end without  
my consent is a different issue.

> I see this same argument on Slashdot all too often.  It's usually  
> bundled with an argument against providers doing any sort of traffic  
> aggregation ("if I buy 1.5Mbps then it should be a dedicated pipe  
> straight to the Internet!")  Unfortunately that's simply not  
> reality. You can either live with a small level of controls on your  
> traffic for the sake of stability and security or you can have wide- 
> open ISPs with no security prohibitions whatsoever.  The support  
> costs for the ISPs go through the roof and of course that gets  
> passed onto the customer.  Your 5 9s SLA gets replaced with "use it  
> while you can before it goes down again".  Everyone pays a penalty  
> for having a digital Wild West.  Not to start another thread on a  
> completely OT topic but the same concept can be applied to other  
> things like health care.  Either everyone can pay a little bit for  
> all to have good service or many average consumers can pay lots to  
> make up the losses for those that can't pay at all.
Yeah, I don't buy the aggregation issue.  That's absurd (Of course you  
can stat mux the traffic, that's
what makes packet switched networks cost effective and gives us that  
great residential pricing)

I don't buy the argument that you have to filter your customers to  
keep your support costs down.
I've worked for a number of ISPs that don't filter their customers'  
traffic and don't have astronomical
support costs or even heavy support call volume.

We're not dumb enough to push a 5 9s SLA at residential prices, but,  
I'd say we're probably closer
to 4 9s than 3.


More information about the NANOG mailing list