nanog mailing list archives
Re: more on filtering
From: matt () petach org
Date: Thu, 30 Oct 2003 18:17:12 -0800 (PST)
Recently, alex () yuriev com (Alex Yuriev) wrote:
> So, electric grids do not have any mechanisms to disconnect from other grids (ie, stop "transiting" their electricity) if one is doing something that causes problems on the local grid? As a customer I would very much like my provider to filter out waveforms that would prevent their ability to provide me with my service. They disconnect the SOURCE of the problem forcing the SOURCE to behave. That is equivalent of forcing the ES to behave.
Unfortunately, as the Northeast seaboard of the US discovered not too long ago, the electrical system is somewhat like the Internet; it attempts to route around failures, meaning that simply shutting down the link along which the damaging waveform is propagating does not prevent it from entering your grid; it simply follows a different pathway in. And in shutting down the direct pathway, you may well cause more stability problems as the flow shifts onto alternate interconnects. Likewise, if I am network A, and a customer of mine is sending attack packets towards a customer of network B, simply shutting down the peering links between network A and network B does nothing to prevent the attack packets from entering network B. Network B would have to isolate itself completely from the rest of the Internet core in order to ensure my bad packets did not enter their network. Anything less, and as long as there is some transit path that can be used to get from my network to network B, the attack packets will still flow and enter network B. I don't think anyone here would defend isolating themselves from the rest of the Internet as being a "better" solution than say putting in filters to block port 1434 traffic.
> Traffic to port X cannot be specified as valid or invalid for any IS, because the IS does not know why such traffic exists.
We're not saying the traffic is invalid; we're saying the traffic is causing us harm. As with most organisms, there is a strong instinct for self-preservation. If the traffic is causing extensive degradation to the IS, it's better for the IS to try to preserve itself by limiting the impact of the traffic, regardless of whether it is valid or not. I'm starting to get the sense that you've never actually been in the hot seat of a major network before, so for the sake of everyone who has, who is no doubt getting rather tired of your stubborn stance, I'll make this my last public response on the issue. Feel free to continue this via private email if you'd like.
> Alex
Matt
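The "route around the cut link" argument in the message above, worked through as an added toy model. This is not code from the original message or from the NANOG archive; the four-network topology, the sample packets and the policy names are all constructed for illustration. It compares the three responses the thread discusses for network B: dropping only the direct peering with A, isolating B from everyone, and filtering the named port (1434) on every ingress link into B.

```python
"""Toy model of the filtering argument: cutting one link vs. ingress filtering.

Constructed example, not part of the original NANOG message. Networks are
nodes, peering/transit links are undirected edges, and a packet reaches its
destination network if any path exists and the destination's ingress filter
(applied on every link into it) does not drop it.
"""
from collections import deque

# Constructed topology: A peers with B directly, both also reach transit
# network C, and D is connected to both B and C.
TOPOLOGY = {
    "A": {"B", "C"},
    "B": {"A", "C", "D"},
    "C": {"A", "B", "D"},
    "D": {"B", "C"},
}

ATTACK_PORT = 1434  # the port the thread uses as its example

# Constructed sample traffic: one harmful flow from A plus two ordinary flows.
PACKETS = [
    {"src": "A", "dport": 1434, "kind": "attack"},
    {"src": "A", "dport": 80, "kind": "legit"},
    {"src": "D", "dport": 443, "kind": "legit"},
]


def find_path(topology, src, dst, removed_links=frozenset()):
    """Breadth-first search for any src -> dst path that avoids removed links.

    This is the 'route around failures' behaviour: if the direct link is gone,
    traffic takes whatever alternate path still exists.
    """
    if src == dst:
        return [src]
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in sorted(topology.get(node, ())):
            if frozenset((node, nxt)) in removed_links or nxt in prev:
                continue
            prev[nxt] = node
            if nxt == dst:
                path = [dst]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def deliver(topology, packets, dst, removed_links=frozenset(), ingress_filter=None):
    """Count packets of each kind that reach dst under the given policy."""
    delivered = {"attack": 0, "legit": 0}
    for pkt in packets:
        if find_path(topology, pkt["src"], dst, removed_links) is None:
            continue  # no transit path left at all
        if ingress_filter is not None and not ingress_filter(pkt):
            continue  # dropped at B's edge, whichever link it arrived on
        delivered[pkt["kind"]] += 1
    return delivered


def links_of(topology, node):
    """All links touching node, as undirected pairs."""
    return frozenset(frozenset((node, n)) for n in topology[node])


def evaluate(policy):
    """Apply one of the responses discussed in the thread to network B."""
    if policy == "none":
        return deliver(TOPOLOGY, PACKETS, "B")
    if policy == "cut_peering_with_A":
        return deliver(TOPOLOGY, PACKETS, "B", removed_links={frozenset(("A", "B"))})
    if policy == "isolate_B":
        return deliver(TOPOLOGY, PACKETS, "B", removed_links=links_of(TOPOLOGY, "B"))
    if policy == "filter_port_at_ingress":
        return deliver(TOPOLOGY, PACKETS, "B",
                       ingress_filter=lambda p: p["dport"] != ATTACK_PORT)
    raise ValueError(f"unknown policy: {policy}")


if __name__ == "__main__":
    for policy in ("none", "cut_peering_with_A", "isolate_B", "filter_port_at_ingress"):
        print(f"{policy:24s} {evaluate(policy)}")
```

Cutting the A-B peering link changes nothing: the harmful packet still arrives via C. Isolating B stops it, but also stops every legitimate flow, which is the "better solution" nobody would defend. A port filter applied at B's own ingress drops the harmful flow on every path while ordinary traffic still gets through, which is the self-preservation position the reply takes.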