nanog mailing list archives

Re: net.terrorism


From: Sabri Berisha <sabri () bit nl>
Date: Tue, 9 Jan 2001 14:25:43 +0100 (CET)


On Tue, 9 Jan 2001, William Allen Simpson wrote:

Sabri Berisha wrote:

I am concerned. Concerned about people and companies who think they are in
the position to be net.gods and for political reasons destroy the free
character of the internet.

I've been involved for over 20 years, and don't remember this "free
character".  Perhaps there is a language translation problem?  That
also applies to the use of the word "terrorism"?

"Free" as in everybody decides their own policies. "Terrorism" as in
forcing your policies on someone else's network.

In the history of the internet, people have been trusting each other.

When?  I remember the RFCs on policy based routing over a decade ago.
Have you read them?

No. But if it makes you feel better, I will.

In my opinion, announcing a netblock using BGP4 is making a promise to
carry traffic to a destination within that netblock. If you feel that
parts of that network are against your ethics or AUP, you should not be
announcing such a netblock.

Announcing a netblock doesn't promise that every address in that block
exists or is reachable.  A network that is blocked for AUP violations
doesn't "exist", and usually returns the ICMP message "Unreachable --
Administratively Prohibited" specifically designed for such situations.
Have you read "Router Requirements"?

Why do you want me to have read everything you have read? My point is not
policy based routing or which ICMP message I get. My point is not to
announce something you won't route.

Above.net is blocking a host in UUnet IP space.
...
194.178.232.55/32. --> this tester is part of a /16 belonging to
uunet, and sends traffic which is in violation of our AUG.  we
complained to uunet without any effect.  if we have blocked access
from this /32 to our backbone, we are within our rights.

After this mail, we contacted Above.net again. They basically told us it
was for our own protection because that traffic from that host does not
comply with their AUP. We specifically told them we really don't mind them
blackholing that host but *announcing* a route for it. So far no response.

Where did they announce a "host route"?  I thought you said they
announce a route to a netblock -- an entire /16?

Yes, they announced a /16.

It seems from the email that they clearly stated that the traffic was
in violation of the AUP.  We all block specific sites that harm our
networks.  Otherwise, there would be no capacity left for our
customers.  It's the "policy" part, for which BGP was designed.  Go
read the design RFCs.

Read read read... I'm pretty familiar with BGP.

If you are participating in tests with 194.178.232.55
(relaytest.orbs.vuurwerk.nl), then you need a private connection to
that specific site, just as many academic sites test unstable network
software.  Expensive, but shouldn't be too bad considering that both of
you are in the Netherlands....

If I want to make sure my traffic gets to that host, I can set up a static
route to our second uplink. But it's not *me* who should be filtering. How
do I know which other hosts are being announced and blackholed?

-- 
/*  Sabri Berisha, non-interesting network dude.
 *
 *  CCNA, BOFH, Systems admin Linux/FreeBSD
 */


