[arin-announce] IPv4 Address Space (fwd)

Recently, alex@yuriev.com (Alex Yuriev) wrote:
> > Leave content filtering to the ES, and *force* ES to filter the content.
> It's not content filtering, I'm not filtering only certain html traffic
> (like access to porn sites), I'm filtering traffic that is causing harm to
> my network and if I know what traffic is causing problems for me, I'll
> filter it first chance I get.

It is content filtering. You are filtering packets that you think are
causing problems to the ES that you may not control.
Alex

Alex, please re-read the first paragraph. He said
"I'm filtering traffic that is causing harm to *my* network..."
(emphasis mine).

He's not filtering out packets he thinks are causing problems
to the ES, he's filtering out packets that are causing him
problems directly, as the IS.

Matt

> Alex, please re-read the first paragraph. He said
> "I'm filtering traffic that is causing harm to *my* network..."
> (emphasis mine).
>
> He's not filtering out packets he thinks are causing problems
> to the ES, he's filtering out packets that are causing him
> problems directly, as the IS.

And since the IS is not the ES, it SHOULD NOT be filtering based on content
since it is NOT IS's content. Again, *force* ES to filter and hold it
responsible for not doing it.

Alex

Do you have a generator in your colo/server space? Why? To follow your
logic out, should you not simply be *forcing* the Electric Company to
provide power and hold it responsible for not doing so? ( Hmm, no
that is slightly different as you are direct customer ). Better example
if you are UPS and a package being shipped is emitting RF that is
interfering with your plane avionics, should you not remove that
package from the shipment ( filter it out, as it were )? Or do you
simply carry on and crash the plane, destroying the other packages
onboard and simply try to hold the sender of the "bad" package
responsible?

It is sound business logic that if something is impacting your ability to
provide service *and* you are provided with the means to address the
problem, that you should utilize those means ( w/ in the extent allowed
by the law and your legal agreements ).

-Chris

> > to the ES, he's filtering out packets that are causing him
> > problems directly, as the IS.
>And since the IS is not the ES, it SHOULD NOT be filtering based on content
>since it is NOT IS's content. Again, *force* ES to filter and hold it
>responsible for not doing it.
> Do you have a generator in your colo/server space? Why? To follow your
> logic out, should you not simply be *forcing* the Electric Company to
> provide power and hold it responsible for not doing so? ( Hmm, no
> that is slightly different as you are direct customer ).

I am so glad that you used that example.

The way currently people propose everyone operates is equivalent to a
company that transmits AC to customer deciding that some part of the AC
waveform is "harmful" to its equipment, and therefore should be filtered
out. Of course, no one bothers to tell the customer that the filter exists,
or what is being filtered, or when, or how.

> Better example if you are UPS and a package being shipped is emitting RF
> that is interfering with your plane avionics, should you not remove that
> package from the shipment ( filter it out, as it were )?

Another excellent example - UPS will not remove that. The shipper will.

> It is sound business logic that if something is impacting your ability to
> provide service *and* you are provided with the means to address the
> problem, that you should utilize those means ( w/ in the extent allowed
> by the law and your legal agreements ).

The first part of any legal agreement establishes the parties subject to it.
That is exactly what you are missing while being an IS.

Alex

> > > to the ES, he's filtering out packets that are causing him
> > > problems directly, as the IS.
> >And since the IS is not the ES, it SHOULD NOT be filtering based on content
> >since it is NOT IS's content. Again, *force* ES to filter and hold it
> >responsible for not doing it.
> Do you have a generator in your colo/server space? Why? To follow your
> logic out, should you not simply be *forcing* the Electric Company to
> provide power and hold it responsible for not doing so? ( Hmm, no
> that is slightly different as you are direct customer ).

> I am so glad that you used that example.
>
> The way currently people propose everyone operates is equivalent to a
> company that transmits AC to customer deciding that some part of the AC
> waveform is "harmful" to its equipment, and therefore should be filtered
> out. Of course, no one bothers to tell the customer that the filter exists,
> or what is being filtered, or when, or how.

So, electric grids do not have any mechanisms to disconnect from other
grids ( ie, stop "transiting" their electricity ) if one is doing something
that causes problems on the local grid? As a customer I would very
much like my provider to filter out waveforms that would prevent their
ability to provide me with my service.

If the issue is how to communicate what is being filtered to the customer,
then we simply need to find a way to do that. The solution to "it is hard to
communicate what is being filtered to the end-users" is not "oh well,
we won't filter anything". At least not as I see it.

Supposing a network *did* provide a way to inform customers what was
being filtered. Would you still object to the filtering?

> Another excellent example - UPS will not remove that. The shipper will.

How? I'm the shipper. I put the RF generating device into package and
give it to UPS. They will do nothing to remove it or not ship it?
It is only up to me to not do it? Al Qaeda would love that to be
true I'm sure. :)

> The first part of any legal agreement establishes the parties subject to it.
> That is exactly what you are missing while being an IS.

There is a chain of agreements connecting you to the source/dest of
any traffic on your network. Even if it is a customer of a customer
of a customer, you have a chain of agreements that establishes you
as a party.

In what scenario would there not be a chain of agreements to connect
you as a party?

-Chris

> >The way currently people propose everyone operates is equivalent to a
> >company that transmits AC to customer deciding that some part of the AC
> >waveform is "harmful" to its equipment, and therefore should be filtered
> >out. Of course, no one bothers to tell the customer that the filter exists,
> >or what is being filtered, or when, or how.
>
> So, electric grids do not have any mechanisms to disconnect from other
> grids ( ie, stop "transiting" their electricity ) if one is doing something
> that causes problems on the local grid? As a customer I would very
> much like my provider to filter out waveforms that would prevent their
> ability to provide me with my service.

> They disconnect the SOURCE of the problem forcing the SOURCE to behave. That
> is the equivalent of forcing the ES to behave.

The source of the problem of bad packets is where they ingress to my
network. I disconnect the flow of bad packets through filtering. What
is the difference, other than I do not remove an entire interconnect,
only the portion of packets that is affecting my ability to provide
services?

> If the issue is how to communicate what is being filtered to the customer,
> then we simply need to find a way to do that. The solution to "it is hard to
> communicate what is being filtered to the end-users" is not "oh well,
> we won't filter anything". At least not as I see it.

> Traffic to port X cannot be specified as valid or invalid for any IS,
> because the IS does not know why such traffic exists. Traffic ES<->ES
> on port X can be valid or invalid because ES knows if it is valid traffic.
> If you want to filter that traffic, filter it for a specific ES (the one
> that does not want it) and force whoever is sending you that traffic to play
> nicely. It is DIFFERENT from saying "We drop all packets that match port X"

Consider the recent scanning behaviour of the Nachi/Welchia worms. You
have now *many* sources, and *many* destinations. Due to the overwhelming
traffic ( considering that several commonly used networking devices were
not able to keep a forwarding table due to the size of all the src/dest
pairs ) causing problems on the network, what steps would you suggest be
taken?

Consider you are running a network with tens of thousands of end-users
connecting and disconnecting at random points in the network. Do
you enter a specific reflexive rule for every src/dst pair? Or do
you implement wide-scale filtering of the traffic if it is easily
identifiable based on the "signature" of src port/dst port/payload?

> Supposing a network *did* provide a way to inform customers what was
> being filtered. Would you still object to the filtering?

> If I request that traffic, of course I would object!

And if service goes down for you, as I serve a DOS to another customer,
would you also object in that case? Even if other customer had not
yet complained to me about the DOS?

> >Another excellent example - UPS will not remove that. The shipper will.
>
> How? I'm the shipper. I put the RF generating device into package and
> give it to UPS. They will do nothing to remove it or not ship it?
> It is only up to me to not do it? Al Qaeda would love that to be
> true I'm sure. :)

> After that package is removed, you, the shipper, are going to have your
> hands slapped very hard, which will force you in future to behave. By doing
> this, we successfully enforced ES filtering.

Right, and that assumes that every ES wants to do the right thing, and
knows better. Just like everybody used to have open SMTP relaying as
people who did bad things with SMTP got their hands slapped.

And since UPS is rejecting only certain packages, they have just
implemented filtering as an IS based on the contents of the package
they are being asked to carry, despite my desire as a shipper to
ship it, and a corresponding desire of the receiver to receive it.

> There is a chain of agreements connecting you to the source/dest of
> any traffic on your network. Even if it is a customer of a customer
> of a customer, you have a chain of agreements that establishes you
> as a party.
>
> In what scenario would there not be a chain of agreements to connect
> you as a party?

> Even if I have agreement with you that you sell me a GSR for $5.00, which
> you have agreement with RS to get from him, I do not have agreement with RS
> that lets me get the GSR from him for $5.

I don't see how that is the same thing here. I have an agreement with
cust X to provide services in accordance with my AUP. cust X resells
that service to cust Y, etc. cust Y is bound to the terms and conditions
of my agreement with cust X, despite that I do not have a direct agreement
with cust Y.

-Chris

If the *content* of the packets is breaking your network: Your network
is obviously broken.

Tell that to Cisco, Nortel, and any other vendor that can handle huge rates
of traffic that conform to "typical" but, when the pattern of addresses (or
options) in the packets cause the flow cache to thrash, die under loads far
below line rate. (See Cisco's
http://www.cisco.com/warp/public/63/ts_codred_worm.shtml as an example)

Tell that to any router, switch, or end system vendor who recently found out
what happened when a worm forces near-simultaneous arp requests for every
possible address on a subnet.

I'm afraid that those of us building actual networks are forced to do so
using actual hardware that actually exists today, and using actual hardware
that was actually purchased several years ago and which cannot be forklifted
out.

You call the network "obviously broken", I call it "the only one that can be
built today".

Matthew Kaufman
matthew@eeph.com

[snip]

> I'm afraid that those of us building actual networks are forced to do so
> using actual hardware that actually exists today, and using actual hardware
> that was actually purchased several years ago and which cannot be forklifted
> out.
>
> You call the network "obviously broken", I call it "the only one that can be
> built today".

It's interesting that many rather sizable networks have weathered these
events without relying on filtering, NAT, or other such behavior.

Even if you're right, that doesn't make me wrong.
Any IP network conformant to Internet standards should be content
transparent. Any network which isn't is broken. Breaking under abnormal
conditions is unacceptable. I am well aware of reality, but the reality
is: some things need to be improved.

This isn't some fundamental law of nature causing these limits. We are
simply seeing the results of the "internet boom" valuation of rapid growth
and profit over correctness and stability.

As the purchasers of this equipment we have the power to demand vendors
produce products which are not broken. Doing so is our professional duty,
settling on workarounds that break communications and fail to actually
solve the problems is negligent. Suggesting that breaking end-to-endness
is a long term solution to these kind of issues is socially irresponsible.

> It's interesting that many rather sizable networks have weathered these
> events without relying on filtering, NAT, or other such behavior.

What's more interesting is how many big networks have implemented 98-byte
ICMP filters, blocks on port 135, and other filters on a temporary basis on
one or more (but not all) interfaces, without anyone really noticing that
they're doing that.

It isn't something that's well-publicized, but I know several major
ISPs/NSPs which have had such filters in place, at least briefly, on either
congested edge interfaces or between core and access routers to prevent
problems with devices like TNTs and Shastas.

> Even if you're right, that doesn't make me wrong.

True enough.

> Any IP network conformant to Internet standards should be
> content transparent. Any network which isn't is broken.

Then they're all broken, to one extent or another. Even a piece of wire can
be subjected to a denial of service attack that prevents your content from
transparently reaching the far end.

> Breaking under abnormal conditions is unacceptable. I am well aware of
> reality, but the reality is: some things need to be improved.

That some things need to be improved has been true since the very first day
the Internet began operation. Of course, the users of the end systems were
somewhat better behaved for the first few years, and managed to resist the
temptation to deploy widespread worms until 1988.

> This isn't some fundamental law of nature causing these
> limits. We are simply seeing the results of the "internet
> boom" valuation of rapid growth and profit over correctness
> and stability.

True.

> As the purchasers of this equipment we have the power to
> demand vendors produce products which are not broken.

One can demand all one wants. Getting such a product can be nearly or
totally impossible, depending on which features you need at the same time.

> Doing so is our professional duty, settling on workarounds that
> break communications and fail to actually solve the problems
> is negligent.

But not using the workarounds that one has available in order to keep the
network mostly working, and instead standing back and throwing up one's
hands and saying "well, all the hardware crashed, guess our network is down
entirely today" is even more negligent. It may also be a salary-reducing
move.

> Suggesting that breaking end-to-endness is a
> long term solution to these kind of issues is socially irresponsible.

Waiting until provably-correct routers are built, and cheap enough to
deploy, may be socially irresponsible as well. There's a whole lot of good
that has come out of cheap broadband access, and we'd still be waiting if we
insisted on bug-free CPE and bug-free aggregation boxes that could handle
any traffic pattern thrown at them.

Do you actually believe that it was a BAD idea for Cisco to build a router
that is more efficient (to the point of being able to handle high-rate
interfaces at all) when presented with traffic flows that look like real
sessions?

Matthew Kaufman
matthew@eeph.com
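The two filtering positions argued above, Chris's question of whether to enter a reflexive rule for every src/dst pair or one wide-scale rule keyed on a traffic "signature", and Matthew's report that operators quietly deployed 98-byte ICMP filters and port 135 blocks on a temporary basis, can be made concrete with a small classifier. The code below is an added example, not code from the thread or from any of its posters. It assumes the 98-byte figure is the length on the wire, models packets as plain records, and runs over a constructed sample; the function names are hypothetical.

```python
"""Signature-based worm filtering: one rule per signature versus one rule
per offending src/dst pair.  Added example; not from the thread.

Assumptions made here: the "98-byte ICMP" filter from the thread is taken
to mean 98 bytes on the wire for an ICMP echo request, and the port 135
block is taken as TCP destination port 135.  All packets below are
constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Pkt:
    proto: str                       # "icmp" or "tcp"
    src: str
    dst: str
    wire_len: int                    # bytes on the wire
    dport: Optional[int] = None      # TCP destination port
    icmp_type: Optional[int] = None  # 8 = echo request, 0 = echo reply


# Wide-scale signature rules: a name and a predicate over one packet.
# Two rules cover every src/dst pair, which is the point of the approach.
SIGNATURE_RULES: List[Tuple[str, Callable[[Pkt], bool]]] = [
    ("icmp-echo-98", lambda p: p.proto == "icmp"
                               and p.icmp_type == 8
                               and p.wire_len == 98),
    ("tcp-dport-135", lambda p: p.proto == "tcp" and p.dport == 135),
]


def match_signature(p: Pkt) -> Optional[str]:
    """Return the name of the first matching signature rule, or None."""
    for name, pred in SIGNATURE_RULES:
        if pred(p):
            return name
    return None


def filter_by_signature(pkts: List[Pkt]) -> Tuple[List[Pkt], Dict[str, int]]:
    """Drop packets matching any signature; return (forwarded, drop counts)."""
    forwarded: List[Pkt] = []
    drops: Dict[str, int] = {name: 0 for name, _ in SIGNATURE_RULES}
    for p in pkts:
        hit = match_signature(p)
        if hit is None:
            forwarded.append(p)
        else:
            drops[hit] += 1
    return forwarded, drops


def reflexive_rules_needed(pkts: List[Pkt]) -> int:
    """Number of per-pair (src, dst) rules the same traffic would require
    if only the offending pairs were blocked instead of the signature."""
    pairs = {(p.src, p.dst) for p in pkts if match_signature(p) is not None}
    return len(pairs)


# Constructed sample: worm-like packets from several distinct src/dst pairs,
# plus an echo reply, a 32-byte-payload ping (74 bytes on the wire) and an
# HTTP SYN that the rules must leave alone.
SAMPLE: List[Pkt] = [
    Pkt("icmp", "10.0.0.1", "10.0.1.7", 98, icmp_type=8),
    Pkt("icmp", "10.0.0.1", "10.0.1.8", 98, icmp_type=8),
    Pkt("icmp", "10.0.0.2", "10.0.1.9", 98, icmp_type=8),
    Pkt("tcp", "10.0.0.3", "10.0.2.5", 74, dport=135),
    Pkt("tcp", "10.0.0.3", "10.0.2.6", 74, dport=135),
    Pkt("icmp", "10.0.0.9", "10.0.1.1", 98, icmp_type=0),  # echo reply
    Pkt("icmp", "10.0.0.9", "10.0.1.1", 74, icmp_type=8),  # small ping
    Pkt("tcp", "10.0.0.9", "10.0.3.3", 74, dport=80),
]

if __name__ == "__main__":
    fwd, dropped = filter_by_signature(SAMPLE)
    print(f"forwarded {len(fwd)}, dropped {dropped}")
    print(f"per-pair rules needed instead: {reflexive_rules_needed(SAMPLE)}")
```

Note that the ICMP rule keys on length alone, so any echo request of that size is dropped whether or not it is worm traffic; that collateral is the reason the thread describes such filters as being applied temporarily and on specific interfaces rather than network-wide.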

> Do you actually believe that it was a BAD idea for Cisco to build a router
> that is more efficient (to the point of being able to handle high-rate
> interfaces at all) when presented with traffic flows that look like real
> sessions?

Why buy something that works well only sometimes ("we are very efficient
when it looks like 'real' traffic" from Cisco) when you can buy ("no one
told us that we should have issues with some specific packets") Juniper?

Alex

Well, interestingly, in our network, Juniper makes all of our new core
routers. Specifically because Cisco routers were melting down at an
unacceptable rate.

But there was no such thing as Juniper when we started building (so we still
have a lot of Cisco routers in the network), and they don't make DSLAMs or
DSL/ATM customer aggregation boxes, so we still get to deal with
traffic-dependent performance. And I'm sure we're not the only network in
this situation.

Should I replace every box in the network with a Juniper and pass the cost
along to the customers? (New line item on the bills: "we won't filter worm
traffic tax")

Even if I had an all-Juniper network, I'd still need to decide what to do
about DDOS attacks... Do I just call my circuit vendors and keep adding
OC48s until the problem goes away?

Matthew Kaufman
matthew@eeph.com

> Even if I had an all-Juniper network, I'd still need to decide what to do
> about DDOS attacks... Do I just call my circuit vendors and keep adding
> OC48s until the problem goes away?

But isn't this just trying to put a square peg into a round hole? Wouldn't
it be better to let routers route, switches switch, and filter boxen filter?
I know people like to have routers talk directly to each other, but there
are certain high capacity upper layer filter boxen out there that, when
inserted into the link, can handle this nastiness, so a router doesn't
over-work its designed-to-be-lazy processor.
