How to secure the Internet in three easy steps

Not only that, but unless _everyone_ implements 2 and/or 3, all the bad
people that exploit the things these are meant to protect will migrate to
the networks that lack these measures, mitigating the benefits.

not just the bad people. all the people. a network with 2 or 3 in place
is useless. there is no way to make 2 or 3 happen.

This seems to be a catch-22; no one will implement these for the good
of the net because it costs money, and ignorant competitors that don't
implement them will not share in that expense. Have any such ideas
been implemented in the modern internet? How?

neither 2 nor 3 would be for the good of the net. 1 would be. the problem
with 1 is that the person who feels pain when ISP "A" doesn't do 1 is most
likely to be ISP "B". therefore people confuse 1 with "internet altruism"
rather than the "rational selfishness" that it is.

AOL? I believe they proxy almost all their subscribers through several
large datacenters, and don't allow users to run their own servers.

@Home prohibited customer servers on their network, blocked several
ports, and proxied several services.

It's common for ISPs outside of the US to force their customers to
use the ISP's web proxy server, even hijacking connections which attempt
to bypass it.

As part of their anti-spam efforts, several providers block SMTP port 25,
and force their subscribers to only use that provider's SMTP relay/proxy
to send mail. Why not extend those same restrictions to other (all)
protocols?

Many corporate networks already proxy all their users' traffic, and
prohibit direct connections through the corporate firewalls.

I think it's a bad idea, but technically I have a hard time saying it's
technically impossible.

Actually, I'm not certain, but @Home didn't seem to proxy or block
anything. I ran my home linux box off at home for a while and never had
any problem with any ports including http and mail. Also, it seems to me
that I tried something similar for a goof with an aol dialup and it worked
as well.

:Many corporate networks already proxy all their users' traffic, and
:prohibit direct connections through the corporate firewalls.
:
:I think it's a bad idea, but technically I have a hard time saying it's
:technically impossible.

Well, it is also technically possible to have users register using
biometrics to access the Internet and that still seems sci-fi dystopian
enough that I'm not losing sleep over it yet.

There are definitely service class distinctions between a local DSL
provider and a cable provider, and provided that American competition
laws stave off the converged telcos running the local providers out
of business, there is still hope.

It may be all retro to dredge up the dreaded road metaphor, but these
cable services are really similar to suburbs. They are homogeneous
areas built to serve a set of residential consumers with a limited,
though uniform definition. To get to the "core" they require the use of a
proprietary device or proxy to mediate their interactions with
the rest of civil society.

People pay a premium to be closer to the core and do so because of
a vaguely articulated but strongly felt sense of "quality".

The whole metaphor is irritating, but from a market perspective
the economics are similar. A vast majority of people will give up
the subtle quality of a real connection, for a cheaper version that
serves their relatively limited needs. Since the largest market will
be made up of people with these lower expectations, the only way to
make money will be to serve them.

It makes services closer to the core more scarce, and thus more
expensive to maintain, and it will eventually only be populated by
businesses that can afford the premium, and people that don't pay
at all and have nowhere else to go.

The Internet is starting to look a lot like Minneapolis-St. Paul.

Sean,

At Home's policy was that servers were administratively forbidden. It
ran proactive port scans to detect them (which of course were subject to
firewall ACLs) and actioned them under a complex and changing rule set.
It frequently left enforcement to the local partner depending on
contractual arrangements. It did not block ports. Non-transparent
proxying was used for http - you could opt out if you knew how.

While many DSL providers have taken up filtering port 25, the cable
industry practice is mostly to leave ports alone. I know of one large
cable company that did the right thing and implemented SMTP
authentication for their mail service. The world would be a different
place if client to server mail submission was done in an authenticated
manner consistently across the Internet. It's amazing how many ISPs don't
implement this best practice.

Regards,

Eric Carroll

> Sean,
>
> At Home's policy was that servers were administratively forbidden. It
> ran proactive port scans to detect them (which of course were subject to
> firewall ACLs) and actioned them under a complex and changing rule set.
> It frequently left enforcement to the local partner depending on
> contractual arrangements. It did not block ports. Non-transparent
> proxying was used for http - you could opt out if you knew how.
>
> While many DSL providers have taken up filtering port 25, the cable
> industry practice is mostly to leave ports alone. I know of one large

Untrue, AT&T filters the following *on* the CPE:

Ports            Direction   Protocol

137-139 -> any   Both        UDP
any -> 137-139   Both        UDP
137-139 -> any   Both        TCP
any -> 137-139   Both        TCP
any -> 1080      Inbound     TCP
any -> 1080      Inbound     UDP
68 -> 67         Inbound     UDP
67 -> 68         Inbound     UDP
any -> 5000      Inbound     TCP
any -> 1243      Inbound     UDP

And they block port 80 inbound TCP further out in their network. Overall,
cable providers more heavily than cable providers.

I'd say that AT&T represents a fair amount of the people served via cable
internet.
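The filter table above is the kind of thing that is easiest to reason about once it is written down as rules and exercised against sample traffic. The following is an added illustration, not part of this thread and not AT&T's configuration or CPE firmware: it parses the ten rules exactly as posted (source ports, destination ports, direction, protocol), appends the separately mentioned inbound TCP/80 block as an "upstream" rule, and evaluates a few constructed flows to show which ones the CPE drops, which the network drops, and which pass. First-match semantics, the "Both" direction meaning "applies in either direction", and the `cpe`/`network` stage labels are assumptions made for the model.

```python
"""Model of a per-port CPE filter table in the format used in the thread.

Added illustration only: the rule text below is a constructed copy of the
list posted above, and the first-match evaluation, the "Both" semantics and
the cpe/network stage labels are assumptions of this model, not anything
a real CPE is known to implement.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # None means "any"


@dataclass(frozen=True)
class Rule:
    src: PortRange        # source port range, None = any
    dst: PortRange        # destination port range, None = any
    direction: str        # "Inbound", "Outbound" or "Both"
    proto: str            # "TCP" or "UDP"
    stage: str            # "cpe" (customer device) or "network" (upstream)


def _rng(spec: str) -> PortRange:
    """Parse 'any', '80' or '137-139' into a (lo, hi) tuple or None."""
    if spec == "any":
        return None
    lo, _, hi = spec.partition("-")
    return (int(lo), int(hi or lo))


def parse_rule(line: str, stage: str = "cpe") -> Rule:
    """Parse one line in the thread's format: '137-139 -> any Both UDP'."""
    src, arrow, dst, direction, proto = line.split()
    if arrow != "->":
        raise ValueError(f"bad rule line: {line!r}")
    return Rule(_rng(src), _rng(dst), direction, proto.upper(), stage)


# The table as posted (constructed copy for this example).
CPE_TABLE = """\
137-139 -> any Both UDP
any -> 137-139 Both UDP
137-139 -> any Both TCP
any -> 137-139 Both TCP
any -> 1080 Inbound TCP
any -> 1080 Inbound UDP
68 -> 67 Inbound UDP
67 -> 68 Inbound UDP
any -> 5000 Inbound TCP
any -> 1243 Inbound UDP
"""

RULES = [parse_rule(line) for line in CPE_TABLE.splitlines()]
# Inbound TCP/80 is described as blocked further out in the network,
# not on the CPE, so it is modelled as a separate stage.
RULES.append(parse_rule("any -> 80 Inbound TCP", stage="network"))


def _in_range(port: int, rng: PortRange) -> bool:
    return rng is None or rng[0] <= port <= rng[1]


def matching_rule(direction: str, proto: str, sport: int, dport: int):
    """Return the first rule that matches the flow, or None."""
    for r in RULES:
        if r.proto != proto.upper():
            continue
        if r.direction != "Both" and r.direction != direction:
            continue
        if _in_range(sport, r.src) and _in_range(dport, r.dst):
            return r
    return None


def verdict(direction: str, proto: str, sport: int, dport: int) -> str:
    """Return 'allow', 'drop@cpe' or 'drop@network' for a flow."""
    r = matching_rule(direction, proto, sport, dport)
    return "allow" if r is None else f"drop@{r.stage}"


if __name__ == "__main__":
    samples = [  # constructed flows (direction, proto, sport, dport)
        ("Inbound", "TCP", 40000, 139),    # NetBIOS session to customer
        ("Outbound", "UDP", 137, 137),     # NetBIOS name query leaving
        ("Inbound", "TCP", 40000, 1080),   # inbound SOCKS
        ("Outbound", "TCP", 40000, 1080),  # outbound SOCKS: no rule
        ("Inbound", "TCP", 40000, 80),     # customer-run web server
        ("Outbound", "TCP", 40000, 80),    # ordinary browsing
        ("Inbound", "UDP", 67, 68),        # DHCP reply from outside
    ]
    for s in samples:
        print(s, "->", verdict(*s))
```

Running the block shows the point Joe makes later in the thread about NetBIOS: the 137-139 rules fire in both directions regardless of which end initiated, whereas the 1080, 5000 and 1243 entries only stop inbound connections and leave the customer's own outbound use of those ports alone.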

Not really

actually with the merger of AT&T and Comcast most cable inet customers will be through them.

Joseph Barnhart wrote:

^-- s/cable/DSL/;

I second that.

AT&T blocks ports (depending where you are) but won't come
right out and say it. On a call to them over a year ago
while testing DSL versus Cable in San Jose, it took almost an hour to get
them to admit that they were blocking ports 137-139, and even then there
was no formal acknowledgement of this blocking.
If I was a betting man, which I'm not, I'd bet on them blocking udp 53 as
well.

No standard as I see it, depends on the child company managing the cable
service.

Just my 2¢ tho
-Joe

Until that happens however:

In a public press release dated August, they claim to have 1.8 million
Internet customers. How that compares to the global pool of cable
users, I cannot say.

It'll be interesting to see if AT&T exports their filtering policies to
the newly acquired customers. They'll want to support
a uniform configuration across the whole network, I'm sure.

--schulte

From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On
Behalf Of Christopher Schulte
Sent: October 27, 2002 9:22 PM
To: William Warren; nanog@merit.edu
Subject: Re: How to secure the Internet in three easy steps

> In a public press release dated August, they claim to have
> 1.8 million Internet customers. How that compares to the
> global pool of cable users, I cannot say.

One cable company I've done business with here (Ontario, Canada) has over
500K subscribers, and I don't believe it has the largest number of cable
modems in the country. So you're probably talking around 1.5-2 million
cable modems north of the border. Then you have Europe (I think .nl has
decent cable modem penetration), Asia-Pacific, etc.

> It'll be interesting to see if AT&T exports their filtering
> policies to the newly acquired customers. They'll want to
> support a uniform configuration across the whole network, I'm sure.

They apparently don't have a uniform configuration now; we have lots of
people using AT&T BI complaining about blocked port 80s and whatnot, and
yet we have some other AT&T BI users in different locations (but I think
both were formerly-@Home AT&T BI areas) who don't have any ports
blocked. Bizarre, I have to say.

Vivien

> > In a public press release dated August, they claim to have
> > 1.8 million Internet customers. How that compares to the
> > global pool of cable users, I cannot say.
>
> One cable company I've done business with here (Ontario, Canada) has over
> 500K subscribers, and I don't believe it has the largest number of cable
> modems in the country. So you're probably talking around 1.5-2 million
> cable modems north of the border. Then you have Europe (I think .nl has
> decent cable modem penetration), Asia-Pacific, etc.

Very cute. It is clear that the posters forgot how the cable industry "counts"
subscribers. The details came out during Adelphia bankruptcy. Since that
time every cable co basically said "yep, that's how we do it too".

Here's counting subscribers the cable industry way:

They take the total revenue that somehow gets associated with selling cable
and divide it by the price of the basic cable. The resulting number is the
number of subscribers that they claim to have.

Alex

Wow! They just don't count subscribers :).

I realize one way makes more sense from a "we've got more subscribers than
you do" sense, but it wouldn't be that hard to count real subscribers, one
wouldn't think.

This of course is perfectly fine, as long as all subscribers are only paying
the basic rate. Adjusting for the number of people who pay for premium services
such as movie packages or cable-internet services without knowing the number
of people that have that package is left as an exercise for the auditors and/or
prosecutors... :wink:

Blocking ports 137-139 is of great benefit to the vast majority of their
customers. It is also of benefit to AT&T, as it cuts down on support
calls. Of course, documenting this would be good.

- Daniel Golding