net.terrorism

Hi,

My name is Sabri. I'm just another dude involved in internetworking and I
work for a small isp in The Netherlands.

I am concerned. Concerned about people and companies who think they are in
the position to be net.gods and for political reasons destroy the free
character of the internet.

In the history of the internet, people have been trusting each other. On
the lower technical levels, great things like peering have been developed.
At the various IX'es, commercial and non-profit companies exchange
information about each others routes using BGP4 and various other routing
protocols.

In my opinion, announcing a netblock using BGP4 is making a promise to
carry traffic to a destination within that netblock. If you feel that
parts of that network are against your ethics or AUP, you should not be
announcing such a netblock. If you do so, you will make a promise which
you do not forfill. That is not a nice thing to do in a world which is
based on trust and agreements between parties.

I was shocked to find out that one of the larger transit providers (which
the company I work for buys transit from) is actively violating the trust
it has been given by the internetworld.

Above.net is blocking a host in UUnet IP space. After finding out about
this we notified Above.net in The Netherlands and asked what it was about
and requested them to stop announcing the netblock if they would continue
to nullroute the host involved. After various contacts about this matter,
Above.net answered with the following statements (according to the
salesdroid it came from Paul Vixie himself):

194.178.232.55/32. --> this tester is part of a /16 belonging to
uunet, and sends traffic which is in violation of our AUG. we
complained to uunet without any effect. if we have blocked access
from this /32 to our backbone, we are within our rights.

After this mail, we contacted Above.net again. They basically told us it
was for our own protection because that traffic from that host does not
comply to their AUP. We specifically told them we really don't mind them
blackholing that host but *announcing* a route for it. So far no response.

More information and logs on http://www.bit.nl/~sabri/above/

Sabri Berisha wrote:

I am concerned. Concerned about people and companies who think they are in
the position to be net.gods and for political reasons destroy the free
character of the internet.

I've been involved for over 20 years, and don't remember this "free
character". Perhaps there is a language translation problem? That
also applies to the use of the word "terrorism"?

In the history of the internet, people have been trusting each other.

When? I remember the RFCs on policy based routing over a decade ago.
Have you read them?

In my opinion, announcing a netblock using BGP4 is making a promise to
carry traffic to a destination within that netblock. If you feel that
parts of that network are against your ethics or AUP, you should not be
announcing such a netblock.

Announcing a netblock doesn't promise that every address in that block
exists or is reachable. A network that is blocked for AUP violations
doesn't "exist", and usually returns the ICMP message "Unreachable --
Administratively Prohibited" specifically designed for such situations.
Have you read "Router Requirements"?

Above.net is blocking a host in UUnet IP space.
...
> 194.178.232.55/32. --> this tester is part of a /16 belonging to
> uunet, and sends traffic which is in violation of our AUG. we
> complained to uunet without any effect. if we have blocked access
> from this /32 to our backbone, we are within our rights.

After this mail, we contacted Above.net again. They basically told us it
was for our own protection because that traffic from that host does not
comply to their AUP. We specifically told them we really don't mind them
blackholing that host but *announcing* a route for it. So far no response.

Where did they announce a "host route"? I thought you said they
announce a route to an netblock -- an entire /16?

It seems from the email that they clearly stated that the traffic was
in violation of the AUP. We all block specific sites that harm our
networks. Otherwise, there would be no capacity left for our
customers. It's the "policy" part, for which BGP was designed. Go
read the design RFCs.

If you are participating in tests with 194.178.232.55
(relaytest.orbs.vuurwerk.nl), then you need a private connection to
that specific site, just as many academic sites test unstable network
software. Expensive, but shouldn't be too bad considering that both of
you are in the Netherlands....

WSimpson@UMich.edu
    Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32

That's the idea (i.e. make it as inconvenient as possible for those who
hurt the rest of the 'net). The fact that you're upset proves that it
works. Don't complain here - complain to UUNet.

The procedure to be removed from their filters is fairly simple, IIRC. If
you expect sympathy here, you may as well bathe in honey and dive
head-first into a bees'-nest.

Once UUNet removes or corrects the offending user/network, you'll have the
connectivity you expect, and the rest of us will have one less a-hole to
worry about.

:My name is Sabri. I'm just another dude involved in internetworking and I
:work for a small isp in The Netherlands.
:
:I am concerned. Concerned about people and companies who think they are in
:the position to be net.gods and for political reasons destroy the free
:character of the internet.

s/destroy/preserve/

:In the history of the internet, people have been trusting each other. On
:the lower technical levels, great things like peering have been developed.
:At the various IX'es, commercial and non-profit companies exchange
:information about each others routes using BGP4 and various other routing
:protocols.

Exactly.

:In my opinion, announcing a netblock using BGP4 is making a promise to
:carry traffic to a destination within that netblock. If you feel that
:parts of that network are against your ethics or AUP, you should not be
:announcing such a netblock. If you do so, you will make a promise which
:you do not forfill. That is not a nice thing to do in a world which is
:based on trust and agreements between parties.

Using any routing protocol is a promise to be able to deliver packets to
a given destination. It's not just your opinion, it's rfc-documented.
Above only makes such announements to those who *WANT* to listen.

:I was shocked to find out that one of the larger transit providers (which
:the company I work for buys transit from) is actively violating the trust
:it has been given by the internetworld.

Most folks at the "larger transit providers" agree with Above's approach.
You wouldn't happen to be in marketing, would you?

:Above.net is blocking a host in UUnet IP space. After finding out about
:this we notified Above.net in The Netherlands and asked what it was about
:and requested them to stop announcing the netblock if they would continue
:to nullroute the host involved. After various contacts about this matter,
:Above.net answered with the following statements (according to the
:salesdroid it came from Paul Vixie himself):

If you expect sympathy, nanog is probably not the best place to bitch
about Vixie.

:> 194.178.232.55/32. --> this tester is part of a /16 belonging to
:> uunet, and sends traffic which is in violation of our AUG. we
:> complained to uunet without any effect. if we have blocked access
:> from this /32 to our backbone, we are within our rights.
:
:After this mail, we contacted Above.net again. They basically told us it
:was for our own protection because that traffic from that host does not
:comply to their AUP. We specifically told them we really don't mind them
:blackholing that host but *announcing* a route for it. So far no response.

Again, only those who want to listen will hear the route.

Talk to your own noc.

bwahahaha

dude, get a clue. You're learning this route because you pay abovenet
to send you all the routes that they know about (transit).

If you don't like abovenet's decision not to allow traffic to a certain host
to pass across their network, you have three simple choices:

1) filter the route from abovenet
2) change providers
3) do nothing

whinging here isn't going to do anything

Sabri Berisha wrote:

> I am concerned. Concerned about people and companies who think they are in
> the position to be net.gods and for political reasons destroy the free
> character of the internet.

I've been involved for over 20 years, and don't remember this "free
character". Perhaps there is a language translation problem? That
also applies to the use of the word "terrorism"?

"Free" as in everybody decides their own policies. "Terrorism" as in
forcing your policies on someone elses network.

> In the history of the internet, people have been trusting each other.

When? I remember the RFCs on policy based routing over a decade ago.
Have you read them?

No. But if it makes you feel better, I will.

> In my opinion, announcing a netblock using BGP4 is making a promise to
> carry traffic to a destination within that netblock. If you feel that
> parts of that network are against your ethics or AUP, you should not be
> announcing such a netblock.

Announcing a netblock doesn't promise that every address in that block
exists or is reachable. A network that is blocked for AUP violations
doesn't "exist", and usually returns the ICMP message "Unreachable --
Administratively Prohibited" specifically designed for such situations.
Have you read "Router Requirements"?

Why do you want me to have read everything you have read? My point is not
policy based routing or which ICMP message I get. My point is not to
announce something you won't route.

> Above.net is blocking a host in UUnet IP space.
>...
> > 194.178.232.55/32. --> this tester is part of a /16 belonging to
> > uunet, and sends traffic which is in violation of our AUG. we
> > complained to uunet without any effect. if we have blocked access
> > from this /32 to our backbone, we are within our rights.
>
> After this mail, we contacted Above.net again. They basically told us it
> was for our own protection because that traffic from that host does not
> comply to their AUP. We specifically told them we really don't mind them
> blackholing that host but *announcing* a route for it. So far no response.
>
Where did they announce a "host route"? I thought you said they
announce a route to an netblock -- an entire /16?

Yes, they announced a /16.

It seems from the email that they clearly stated that the traffic was
in violation of the AUP. We all block specific sites that harm our
networks. Otherwise, there would be no capacity left for our
customers. It's the "policy" part, for which BGP was designed. Go
read the design RFCs.

Read read read... I'm pretty familiair with BGP.

If you are participating in tests with 194.178.232.55
(relaytest.orbs.vuurwerk.nl), then you need a private connection to
that specific site, just as many academic sites test unstable network
software. Expensive, but shouldn't be too bad considering that both of
you are in the Netherlands....

If I want to make sure my traffic gets to that host, I can set up a static
route to our second uplink. But it's not *me* who should be filtering. How
do I know which other hosts are being announced and blackholed?

> In the history of the internet, people have been trusting each other.

When? I remember the RFCs on policy based routing over a decade ago.
Have you read them?

Thats rediculous.

Every time you setup a peer without a access-list (and don't everyone go
saying you don't do that!), you're trusting the other party not to be
AS7007.

Announcing a netblock doesn't promise that every address in that block
exists or is reachable. A network that is blocked for AUP violations
doesn't "exist", and usually returns the ICMP message "Unreachable --
Administratively Prohibited" specifically designed for such situations.
Have you read "Router Requirements"?

It's commonly accepted that if you announce a route, you can carry the
packet to the intended and correct destination. Existence of the host is
irrelevant; 'owning' (and I use that term loosely, ARIN) the block and
delivering it to where that netblock exists. If said 'owner' wants to
block, drop, blackhole, whatever the packet, then it is their option.

I applaud Above for trying to cut down on the Spam. But, shouldn't that be
up to UU to do, since this is a UU customer?

It seems from the email that they clearly stated that the traffic was
in violation of the AUP. We all block specific sites that harm our
networks. Otherwise, there would be no capacity left for our
customers. It's the "policy" part, for which BGP was designed. Go
read the design RFCs.

From what I can tell, it can't be in violaton of Above's AUP because that

enduser isn't subscribed to a service that the Above AUP applies to; also,
I doubt that UU subscribes to Above's AUP as well.

[snip /32 blocked]

dude, get a clue. You're learning this route because you pay abovenet
to send you all the routes that they know about (transit).

We pay Abovenet to send traffic, not to throw it away.

If you don't like abovenet's decision not to allow traffic to a certain host
to pass across their network, you have three simple choices:

1) filter the route from abovenet

They should not be announcing in the first place.

2) change providers

We have multiple providers.

3) do nothing

That's always an option. Hey, they are killing all asian people, let's
look the other way... Hey, they are killing russians now, let's look the
other way... Hey, they are killing americans now, let's look the other
way... Hey, they are killing europea EOF

I was just about to say the same thing. I don't quite think of it
as terrorism, I just think its not nice for someone to decide
part of a net block they're passing the announcements for is being
selectively filtered inside their own network.

the host in question isn't even an above.net client - its a uunet
client.

If you have a problem with it, drop announcing the /16 to customers.
When customers complain about unreachability to a site, tell them
that uunet (note *uunet*, not vuurwerk) are breaking their AUP and
they should complain to uunet. You're still 'protecting' your
customers.

I'd rather get partial announcements than traffic-filtered announcements.
That way, my other network pipes (which hopefully have a path without
above.net in it to vuurwerk) will take over. above.net are happy.
vuurwerk is happy. life is good. no bitching or extra configuration.

(oh, and note: this opinion has nothing to do with my employer,
interpersonal relationships or my opinion of orbs. You might be
surprised how unrelated it is.)

Adrian

We pay Abovenet to send traffic, not to throw it away.

And if you know they can't/won't send traffic to certain destinations, you
can static route those destinations to another carrier.

> 1) filter the route from abovenet

They should not be announcing in the first place.

They're not really announcing...they're propogating a route someone else
announced. As Vixie said, it's highly impractical to carve up a /16
(especially if it's not their space) just to avoid propogating a route for
a host they don't want to carry traffic to.

That's always an option. Hey, they are killing all asian people, let's
look the other way... Hey, they are killing russians now, let's look the
other way... Hey, they are killing americans now, let's look the other
way... Hey, they are killing europea EOF

And you're saying Above should look the other way while ORBS abuses their
network?

I think it's just about procmail time if this thread continues.

> We pay Abovenet to send traffic, not to throw it away.

And if you know they can't/won't send traffic to certain destinations, you
can static route those destinations to another carrier.

That's my point. How do I know? Do they provide a static listing with host
they blackhole? Not that I know of. I only see *some* of my traffic ending
up in /dev/null...

> > 1) filter the route from abovenet
>
> They should not be announcing in the first place.

They're not really announcing...they're propogating a route someone else
announced. As Vixie said, it's highly impractical to carve up a /16
(especially if it's not their space) just to avoid propogating a route for
a host they don't want to carry traffic to.

If they are able to route the host to /dev/null, they will probably be
able to filter that advertisement out...

And you're saying Above should look the other way while ORBS abuses their
network?

No. Why do we keep getting the ORBS discussion in this? This is about
announcing and nullrouting, not mailrelaytesting.

I think it's just about procmail time if this thread continues.

That's also a nullroute

Sabri Berisha wrote:

They should not be announcing in the first place.

They aren't.

Above.net has an internal blackhole route for 194.178.232.55/32, but they do
not advertise it. They are within their rights for maintaining this route
internally. They are not exporting the host route. I don't think this can
be made any clearer.

What Above.net is passing you is a route for the 194.178.0.0/16 network that
they receive from UUNet. The decision to make use of this route or not is
yours. You are paying them to carry your traffic, they haven't made any
promises that they can't keep. They haven't tried to manipulate your
routing decision by sending you a more-specific. You can't complain because
you send them something that they drop for policy reasons. You agreed to
their terms when you signed up. Even so, I can understand your frustration
over this incident, but you've got another route, so use it.

I think everyone agrees that this matter is closed. I'll let you have the
last word if you'd like, but at this point, it's just going to be more
noise.

Mark

Yeah, last time I checked, the Internet was primarily made up of privately-
owned pieces of cable, hooked together through privately-owned pieces of
equipment, residing in privately-owned buildings, monitored and maintained
by employees of privately and shareholder-owned companies.

Information may want to be free, but fiber optic cable wants to be
a million US dollars per mile.

Then stop using them.

Isn't this just the kind of thing BGP communities can be used for?

Perhaps rfc 1998 is applicable here, depending on Sabri's architecture,
although one would probably have to go beyond the NOC frontline to have
6461 tag the blackhole announcements.

Without having an above feed to hand, I couldn't say if they already do.

joshua

Inasmuch as there exists a "free character of the Internet," you're
complaining about one of its principal promulgators and defenders.

If Paul did not feel that he were free to respond to threats to his
network, the quality of the internet would decline. Not just because
AboveNet would be less able to preserve its ability to deliver traffic to
sites which _do_ meet its AUP, but much more importantly because other
people, those who don't think quite so much for themselves, would follow
suit, not take an activist position, and would fail to protect their
customers from threats.

I don't think you're taking the side of this argument that you believe
you're taking.

And I think you probably want to stop replying to this thread before
your name makes too permanent an impression in the minds of your peers.
Cross posting something to NANOG and UUNet abuse was not good judgement.

                                -Bill

The problem with communities here is that:

* bgp communities apply to a route announcement, not an arbitrary network.
  The /16 is being announced here and passing through above.net, and if
  above.net wanted to tag the specific host they'd have to announce the /32.

* besides the few well-known ones, each router participating needs to
  know what the community maps to.

So unless I've missed something here, you can't use BGP communities.

Adrian

That's my point. How do I know? Do they provide a static listing with host
they blackhole? Not that I know of. I only see *some* of my traffic ending
up in /dev/null...

Probably the same way you found out about this one. Somebody notices a
site seems to be down only from your network and they complain. You look
into it, and find that someone is filtering your traffic.

If they are able to route the host to /dev/null, they will probably be
able to filter that advertisement out...

Please show us the config necessary to do that. Assume they'll be using
Cisco routers running any recent version of IOS.

> And you're saying Above should look the other way while ORBS abuses their
> network?

No. Why do we keep getting the ORBS discussion in this? This is about
announcing and nullrouting, not mailrelaytesting.

Because the behavior of ORBS is the reason (I'm assuming that...I don't
actually know it) that Above has null routed that IP.

> I think it's just about procmail time if this thread continues.

That's also a nullroute

But it's my mail, and I get to decide how to process it.

:0
* ^From:.*<sabri@bit\.nl>
/dev/null

OK.. I'll bite. Who's originally announcing the route?

Is the route in question the original announcement for the ORBS site, which
above.net is then passing along because it's a pain to punch a hole in a /16,
but above.net then blackholes the actual traffic internal to their net?

Or is the route in question a blackhole route announced by somebody else
to cause routing of traffic to a blackhole?

If it's the first, then it's time for procmail filters - I disagree with
above.net's policy, but as long as they are up-front about it, I'll not
have a religious war about it (btw - is above.net blackholing anybody else
officially, and is there an on-line list of what's being blackholed?).
As has been pointed out, you can always change providers or play routing
games if you multi-home - but it would make it a lot easier if your providers
tell you "We blackhole X Y and Z, find alternate routes yourself" so you
can avoid trouble-shooting a non-problem.

If it's the second, then words escape me. Although black-hole routes are
an accepted part of doing business (witness Vixies's RBL BGP4 feed), they
shouldn't be passed along to non-consenting peers.

Sabri, did you not understand this...

Announcing a netblock doesn't promise that every address in that block
exists or is reachable. A network that is blocked for AUP violations
doesn't "exist", and usually returns the ICMP message "Unreachable --
Administratively Prohibited" specifically designed for such situations.
Have you read "Router Requirements"?

It specifically states that a block can be announced but that does not
guarantee that all hosts will be reachable. You buy transit from abovenet,
the block in question goes against their AUP, live with it. And
furthermore, how can you even begin to take part in this conversation if you
haven't read all the relevant literature? I also strongly suggest you think
twice before you accuse a company of "terrorism" in the future.

-John Belcher

The problem with communities here is that:

* bgp communities apply to a route announcement, not an arbitrary network.
  The /16 is being announced here and passing through above.net, and if
  above.net wanted to tag the specific host they'd have to announce the /32.

Which shouldn't be a problem for transit customers, and I'd have a hard
time believing that Above's European edges don't have the CPU/memory to
carry the set of blackholes.

* besides the few well-known ones, each router participating needs to
  know what the community maps to.

Hopefully not a major configuration issue for either party.

Why would anyone want to do this, given that blackholing is generally only
against abusive hosts? Here's one hypothetical: Let's say you run a
database of known open relays. You have transit from a stable,
well-maintained provider.

However... you don't want your transit RBLd (etc), or your system may
return false negatives. Perhaps there are other reasons. For example, that
reverse lookup "relaytest.orbs.vuurwerk.nl" indicates experimentation, not
abuse.

How's that for a more positive suggestion.

joshua