nanog mailing list archives

Re: IPv6, IPSEC and deep packet inspection


From: bmanning () vacation karoshi com
Date: Sun, 2 Jan 2005 04:44:13 +0000


On Sat, Jan 01, 2005 at 10:09:24PM -0500, Sean Donelan wrote:
That depends very much on what is being reached. Would it be reasonable
for a.gtld-servers.net and b.gtld-servers.net to start silently
blocking v6 datagrams on a whim?

There are *.root-servers.net (or the networks they're behind) which
have/do block v4 datagrams on a whim, political winds, or the phase of
the moon.  Sometimes they drop them from just certain countries.  Other
times it's difficult for the external observer to guess their motivation.

        odd... that very behaviour crops up in nearly every ISP
        i've had the pleasure to interact w/ these few years.
        local policy tends to always have a clause that sez something
        about "reserve the right to defend in case of attack" - where
        a defense is to block/drop/filter packets.  And virtually no one
        has the local policy that sez they must explain their actions
        to random (or not) people who want to intrude on their business.
        as for me, if there is an apparent DDoS, the prefix will be
        filtered.  getting on is easy. getting off takes some work.
        and if you're not a directly affected party (e.g. it's not your
        prefix) it's not likely i'll tell you anything about it w/o a
        court order.

On the other hand, all the gtld-servers.net happen to be operated by a
single organization.  What does their contract say they can do with v6,
v4 or DECNET packets?  Are they required to provide v4 or v6 service at
all?

        perhaps you could ask them to allow you to become their spokesman
        and you can interpret their contractual obligations for the
        rest of us JQ Public?

It's amazing how sometimes people want providers to drop all sorts of
packets, and other times people get upset when providers drop all sorts
of packets.

ipv6
e-dns
smtp
netbios
icmp
net-10.0.0.0
multicast
directed-broadcast

        true, true... that whole expectation of a single Internet is
        powerful... too bad that human nature has caused operators to
        be burned so often that they are gunshy about facilitating a truly
        open, global network mesh.  Welcome to the walled garden, Internet
        of the future.

--bill

