Thank you, Comcast.

Jay Nugent jjn at nuge.com
Fri Feb 26 15:52:55 UTC 2016 

Greetings,

On Fri, 26 Feb 2016, Keith Medcalf wrote:

>
> ISP's should block nothing, to or from the customer, unless they make it 
> clear *before* selling the service (and include it in the Terms and 
> Conditions of Service Contract), that they are not selling an Internet 
> connection but are selling a partially functional Internet connection 
> (or a limited Internet Service), and specifying exactly what the 
> built-in deficiencies are.
>
> Deficiencies may include:
>  port/protocol blockage toward the customer (destination blocks)
>  port/protocol blockage toward the internet (source blocks)
>  DNS diddling (filtering of responses, NXDOMAIN redirection/wildcards, etc)
>  Traffic Shaping/Policing/Congestion policies, inbound and outbound
>
> Some ISPs are good at this and provide opt-in/out methods for at least 
> the first three on the list.  Others not so much.


    I wholeheartedly agree!  When purchasing an "Internet connection", we 
expect that to be full access to the Internet.  Granted, *some* parts of 
the Internet are up/down or never available, but the *protocols* should 
*ALL* be available.

    Customers regularly use various VPN protocols from GRE, SIT, and IPIP, 
monitoring protocols such as SNMP, as well as RTP and SIP (where we spend 
the bulk of our time troubleshooting).  Customers EXPECT their packets to 
be passed unhampered.  Otherwise, all the provider is giving them is acces 
to email and to surf for porn.  That provider would simply be offering an 
"entertainment" connection to the public Internet, not full Internet 
access.

    However, if a 'provider' wishes to block ANYTHING, then they need to 
inform the customer IN WRITING exactly what will be blocked so that 
customer doesn't waste their time and money with said (limited) service 
and vote with their wallet by buying *real* Internet service, elsewhere.

       --- Jay Nugent
           Nugent Telecommunications consulting
           Ypsilanti, Michigan


>> -----Original Message-----
>> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Maxwell Cole
>> Sent: Friday, 26 February, 2016 07:19
>> To: Mikael Abrahamsson
>> Cc: NANOG list
>> Subject: Re: Thank you, Comcast.
>>
>> I agree,
>>
>> At the very least things like SNMP/NTP should be blocked. I mean how many
>> people actually run a legit NTP server out of their home? Dozens? And the
>> people who run SNMP devices with the default/common communities aren’t the
>> ones using it.
>>
>> If the argument is that you need a Business class account to run a mail
>> server then I have no problem extending that to DNS servers also.
>>
>> Cheers,
>> Max
>>
>>> On Feb 26, 2016, at 8:55 AM, Mikael Abrahamsson <swmike at swm.pp.se>
>> wrote:
>>>
>>> On Fri, 26 Feb 2016, Nick Hilliard wrote:
>>>
>>>> Traffic from dns-spoofing attacks generally has src port = 53 and dst
>> port = random.  If you block packets with udp src port=53 towards
>> customers, you will also block legitimate return traffic if the customers
>> run their own DNS servers or use opendns / google dns / etc.
>>>
>>> Sure, it's a very interesting discussion what ports should be blocked or
>> not.
>>>
>>> http://www.bitag.org/documents/Port-Blocking.pdf
>>>
>>> This mentions on page 3.1, TCP(UDP)/25,135,139 and 445. They've been
>> blocked for a very long time to fix some issues, even though there is
>> legitimate use for these ports.
>>>
>>> So if you're blocking these ports, it seems like a small step to block
>> UDP/TCP/53 towards customers as well. I can't come up with an argument
>> that makes sense to block TCP/25 and then not block port UDP/TCP/53 as
>> well. If you're protecting the Internet from your customers
>> misconfiguraiton by blocking port 25 and the MS ports, why not 53 as well?
>>>
>>> This is a slippery slope of course, and judgement calls are not easy to
>> make.
>>>
>>> --
>>> Mikael Abrahamsson    email: swmike at swm.pp.se
>
>
>
>
>

-- 

         () ascii ribbon campaign in
         /\ support of plain text e-mail

  o Averaging at least 3 days of MTBWTF!?!?!?
  o The solution for long term Internet growth is IPv6.
+------------------------------------------------------------------------+
| Jay Nugent   jjn at nuge.com    (734)484-5105    (734)649-0850/Cell       |
|   Nugent Telecommunications  [www.nuge.com]                            |
|   Internet Consulting/Linux SysAdmin/Engineering & Design              |
|   ISP Monitoring [www.ispmonitor.org] ISP Performance Monitoring       |
+------------------------------------------------------------------------+
10:01:01 up 6 days, 20:04, 2 users, load average: 0.40, 0.54, 0.43

More information about the NANOG mailing list