The End-To-End Internet (was Re: Blocking MX query)

Michael Thomas mike at
Tue Sep 4 20:19:04 UTC 2012

On 09/04/2012 01:07 PM, David Miller wrote:

> There is no requirement that all endpoints be *permitted* to connect to
> and use any service of any other endpoint.  The end-to-end design
> principle does not require a complete lack of authentication or
> authorization.
> I can refuse connections to port 25 on my endpoint (mail server) from
> hosts that do not conform to my requirements (e.g. those that do not
> have forward-confirmed reverse DNS) without violating the end-to-end
> design principle in any way.

The thing that has never set well with me with ISP blanket port 25
blocking is that the fate sharing is not correct. If I have a mail server
and I refuse to take incoming connects from dynamic "home" IP
blocks, the fate sharing is correct: I'm only hurting myself if there's
collateral damage. When ISP's have blanket port 25, the two parties
of the intended conversation never get a say: things just break
mysteriously as far as both parties are concerned, but the ISP isn't
hurt at all. So they have no incentive to drop their false positive
rate. That's not good.


More information about the NANOG mailing list