Re: Tier1 blackholing policy?

[Jon Lewis <jlewis () lewis org>]

On Tue, 30 Apr 2013, Thomas Schmid wrote:

> I know Tier1s are blackholing traffic all the time :) (de-peering, 
> congestion etc.) but did it became a new role for Tier1s to go from 
> transit provider to transit blocker?
>
> We received recently customer complaints stating they can't reach 
> certain websites. Investigation showed that the sites were not reachable 
> via Tier1-T, but fine via Tier1-L. I contacted Tier1-T and the answer 
> was something like "yeah, this is a known phishing site and to protect 
> our customers we blackhole that IP" (btw - it was 2 ASes away from 
> Tier1-T).
>
> Huh? If I want to block something there, it should me my decision or 
> that of my country's legal entities by court order and not being decided 
> by some Tier1's intransparent security department. (Not even mentioning 
> words like 'CGN', 'legal', 'net neutrality' or 'censorship') This might 
> be an acceptable policy for a cable provider but not for a Tier1.
>
> Haven't seen something like this in many years. Did I miss a 
> pardigm-shift here and has this become a common "service" at Tier1s?

I vaguely recall having the same sort of problem many years ago with 
Above.net transit.  IIRC, the sentiment back then was similarly that this 
was inappropriate behavior for a Tier1/2 transit provider.  If you're 
going to propagate the routes, deliver the traffic.  I suppose an argument 
could be made though that if there's phishing or malicious traffic 
targeting your customers from a single IP, it could be appropriate to 
blackhole the IP rather than reject the advertisement for an entire CIDR.

----------------------------------------------------------------------
 Jon Lewis, MCP :)           |  I route
                             |  therefore you are
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________