nanog mailing list archives

Re: Should ISP block child pornography?


From: Max Tulyev <maxtul () netassist ua>
Date: Sat, 8 Dec 2018 20:31:03 +0200

Correct.

Also, if you update IPs automatically by cron (and you have to automate
it, as the lists only keep growing and growing), blocked sites will troll
the censorship system.

They put the IP of some government or critical (for example, VISA/Mastercard
processing) site in their blocked domain, and those victim sites will
be blocked. This trolling is very popular in Russia, for example.

On 08.12.18 19:41, Hank Nussbacher wrote:
> On 07/12/2018 20:48, Max Tulyev wrote:
>> Yes, you may nullroute some IP with some site, but as collateral
>> damage you will block part of Cloudflare or Amazon, for example. So
>> you have to buy and install additional equipment and software to make
>> it a bit less painful. That's not so cheap; it has to be planned,
>> bought, installed and checked, and personnel have to be trained. After
>> that, your system will be capable of blocking some website for the ~90%
>> of your customers who will not proactively avoid blocking. And for
>> *NONE* of those who will, as CP addicts, terrorists, black markets,
>> gambling, porn and others do.
> It is even more complex. As you said, filtering by IP address causes
> collateral damage to multi-host sites.
> But there are sites that use primarily IPv6 addresses, so you need to
> filter not only IPv4 but IPv6 as well.
> Also, sites change their IP address after they find out they are
> blocked, so you need a cron job which checks the IP addresses every
> 10-15 minutes and updates the filters (if you are willing to accept
> collateral damage).
>
> But when requested to block a FQDN, and filtering by IPv4 or IPv6 is not
> an option, again there are issues.
>
> You filter/block in your central DNS server, but what about the user at
> home who is using 8.8.8.8 or 9.9.9.9? Or the corporate link to some
> Fortune 500 company with their own DNS servers that bypass the ISP
> servers? So now you are in a situation where you have to divert/capture
> *all* udp/53 and tcp/53 and pass it to some scrubbing server which will
> only block the requests to the forbidden FQDNs. Oh, but wait, what
> about DoH?
>
> Governments that require ISPs to block "certain" sites have no clue what
> is required technologically to adhere to their demands.
>
> -Hank




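The two failure modes discussed in this thread (the cron job that resolves blocked FQDNs and blackholes whatever comes back, which a blocked site can poison by pointing its A record at a payment processor, and the collateral damage of nullrouting an address shared with Cloudflare/Amazon-style hosting) can be guarded against in the updater itself. The following is an added example written for this archive page, not code from any of the posters or from any ISP's filtering system. All names are hypothetical, all addresses are from the RFC 5737 / RFC 3849 documentation ranges, the resolver output and passive-DNS view are constructed inline instead of being fetched, and the "never block" prefixes and the sharing threshold are assumptions an operator would set for their own network.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of what one periodic resolver run returned for each FQDN
# on the block list (hypothetical names, documentation-range addresses only).
RESOLVED = {
    "blocked-a.example": ["203.0.113.10"],
    "blocked-b.example": ["203.0.113.10", "2001:db8::10"],
    # The trolling case from the thread: the blocked site's operator points an
    # A record at a payment-processor address so the cron job blackholes it.
    "blocked-troll.example": ["198.51.100.5"],
    # The collateral-damage case: the blocked site sits behind a shared CDN IP.
    "blocked-cdn.example": ["192.0.2.1"],
}

# Constructed passive-DNS view: which unrelated names also resolve to an address.
SHARED_HOSTS = {
    "192.0.2.1": ["shop.example", "news.example", "mail.example"],
}

# Prefixes the operator has decided must never be blackholed, whatever a block
# list resolves to (assumed values; in practice payment processors, government,
# your own infrastructure, major CDNs). v4 and v6 prefixes share one list.
NEVER_BLOCK = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:f00d::/48"),
]
MAX_SHARED = 2  # refuse an IP that also serves more than this many other names


def naive_nullroutes(resolved):
    """What the unguarded cron job does: blackhole every address that any
    listed name resolves to. This is the behaviour the thread warns about."""
    return {str(ipaddress.ip_address(a)) for addrs in resolved.values() for a in addrs}


def plan_nullroutes(resolved, shared_hosts, never_block, max_shared):
    """Decide which resolved addresses may be blackholed automatically.

    Returns (routes, refused): a set of address strings safe to nullroute and a
    dict {ip: (reason, [fqdns that resolved to it])} of addresses held back for
    a human to look at, with reason "protected" or "shared".
    """
    names_for = defaultdict(list)
    for fqdn, addrs in resolved.items():
        for a in addrs:
            names_for[str(ipaddress.ip_address(a))].append(fqdn)

    routes, refused = set(), {}
    for ip, fqdns in sorted(names_for.items()):
        addr = ipaddress.ip_address(ip)
        # An IPv6 address tested against an IPv4 network is simply "not in" it,
        # so the mixed NEVER_BLOCK list works for both families.
        if any(addr in net for net in never_block):
            refused[ip] = ("protected", fqdns)
        elif len(shared_hosts.get(ip, ())) > max_shared:
            refused[ip] = ("shared", fqdns)
        else:
            routes.add(ip)
    return routes, refused


def route_commands(routes):
    """Render the approved set as iproute2 blackhole commands, IPv4 first,
    in address order, so the generated script is stable between runs."""
    addrs = sorted((ipaddress.ip_address(ip) for ip in routes),
                   key=lambda a: (a.version, int(a)))
    cmds = []
    for a in addrs:
        if a.version == 4:
            cmds.append(f"ip route add blackhole {a}/32")
        else:
            cmds.append(f"ip -6 route add blackhole {a}/128")
    return cmds


if __name__ == "__main__":
    routes, refused = plan_nullroutes(RESOLVED, SHARED_HOSTS, NEVER_BLOCK, MAX_SHARED)
    for cmd in route_commands(routes):
        print(cmd)
    for ip, (why, names) in refused.items():
        print(f"HELD {ip}: {why} (resolved from {', '.join(names)})")
    print("naive job would also have blackholed:",
          sorted(naive_nullroutes(RESOLVED) - routes))
```

The "shared" check is a crude stand-in for "this address is part of Cloudflare or Amazon": a real deployment would consult its own passive-DNS or flow data and probably an explicit CDN prefix list. The point is that anything the block list resolves to is attacker-controlled input to your routing table, so the updater has to refuse addresses it cannot vouch for rather than install them on a 10-15 minute timer.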