You should never sign an IP access agreement that doesn't give you access to
the filtering rules that affect your traffic. Ideally, you should strongly
avoid agreements that don't let you opt out of filtering you don't want.
Here's the type of language we typically insist on. If a provider won't
agree to this type of language, odds are very high they plan to filter your
in strange ways or aren't serious about providing business-class IP services.
1) XXXXXX agrees to provide YYYYYYYY with information about any filtering
rules that apply to traffic to or from YYYYYYYY. Such information shall
include a precise description of what types of traffic the filter affects.
2) Where possible, XXXXXX agrees to provide YYYYYYYY with 2 business days
advanced notice to any planned filtering changes. In the event that XXXXXX
makes an emergency or expedited filtering change that affects traffic to or
from YYYYYYYY, XXXXXX agrees to notify YYYYYYYY as soon as practical.
3) In the event XXXXXX makes a filtering change that affects traffic to or
from YYYYYYYY, and such change is not justified by technical necessity or
emergency, XXXXXX agrees to, at YYYYYYYY's request, either remove the filter
or exempt traffic to and from YYYYYYYY's network from the filter.
To qualify as an emergency filter, a filter must be temporary. Technical
necessity includes, but is not limited to, the following types of
A) Dropping packets with invalid source addresses. This would include
RFC1918 or unassigned addresses.
B) Dropping packets at the request of the originator or recipient of those
The following types of filtering are not considered technical necessity:
A) Blocking specific ports or protocols because an exploit or attack might
use them in the absence of knowledge of a specific attack source or
destination. This would including blocking a particular TCP or UDP port in
response to its being used by a trojan or probe.
B) Blocking specific types of packets (by port or protocol) even though they
are technically valid IP packets with valid source and destination addresses
for purposes of disabling particular applications or protocols. This would
include, for example, blocking packets with an IP type of 255 (raw IP).
A dialup account is one thing. But 100Mbps business-class access is another
story. You should know exactly what's happening to *your* traffic.