Re: Tier1 blackholing policy?

[ML <ml () kenweb org>]

On 4/30/2013 10:31 AM, Thomas Schmid wrote:
> Greetings,
>
> I know Tier1s are blackholing traffic all the time :) (de-peering,
> congestion etc.)
> but did it became a new role for Tier1s to go from transit provider to
> transit blocker?
>
> We received recently customer complaints stating they can't reach
> certain websites.
> Investigation showed that the sites were not reachable via Tier1-T,
> but fine via
> Tier1-L. I contacted Tier1-T and the answer was something like "yeah,
> this is a known phishing
> site and to protect our customers we blackhole that IP" (btw - it was
> 2 ASes away from Tier1-T).
>
> Huh? If I want to block something there, it should me my decision or
> that of my country's legal
> entities by court order and not being decided by some Tier1's
> intransparent security department.
> (Not even mentioning  words like 'CGN', 'legal', 'net neutrality' or
> 'censorship') This might be
> an acceptable policy for a cable provider but not for a Tier1.
>
> Haven't seen something like this in many years. Did I miss a
> pardigm-shift here and has this
> become a common "service" at Tier1s?
>
>    Thomas


Ideally what should a Tier 1 or default-free network do in this
situation[1]?

1) Do nothing - They're supposed deliver any and all bits (Disregarding
a DoS or similiar situation which impedes said network)
2) Prefix filter - Don't be a party (at least in one direction) to the
bad actors traffic.
3) ?

[1] Assuming there is some sort of security and/or wrongdoing event that
isn't getting resolved via contact with their peer.