RE: more on filtering

2003-10-31 Thread daryl



 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Chris Parker
 Sent: Thursday, October 30, 2003 9:01 PM
 To: Alex Yuriev
 Cc: [EMAIL PROTECTED]
 Subject: Re: more on filtering
 
[...]

 I don't see how that is the same thing here.  I have an 
 agreement with cust X to provide services in accordance with 
 my AUP.  cust X resells that service to cust Y, etc.  cust Y 
 is bound to the terms and conditions of my agreement with 
 cust X, despite that I do not have a direct agreement with cust Y.

Oh christ...network engineers trying to be lawyers.

I don't know much, but I do know that legal agreements in the US are NOT
transitive in this way, unless each agreement is included by reference
in the other.

Daryl


RE: more on filtering

2003-10-31 Thread Owen DeLong

I don't see how that is the same thing here.  I have an
agreement with cust X to provide services in accordance with
my AUP.  cust X resells that service to cust Y, etc.  cust Y
is bound to the terms and conditions of my agreement with
cust X, despite that I do not have a direct agreement with cust Y.

Oh christ...network engineers trying to be lawyers.

I don't know much, but I do know that legal agreements in the US are NOT
transitive in this way, unless each agreement is included by reference
in the other.

Yes and no.  If my agreement with cust X says that they take responsibility
for ensuring that any customers to whom they resell my service (or any
traffic they transit into my network, to be more specific) must conform
to my AUP, then the fact that it is cust Y that originated the violating
traffic has little effect.  I can still hold cust X responsible.  As a
good guy and for good customer service, I will, instead, first ask X to
hold Y accountable and rectify the situation.  If that doesn't work,
you bet X will get disconnected or filtered.
Owen

--
If it wasn't signed, it probably didn't come from me.




Re: more on filtering

2003-10-31 Thread Dave Howe

[EMAIL PROTECTED] wrote:
 I don't see how that is the same thing here.  I have an
 agreement with cust X to provide services in accordance with
 my AUP.  cust X resells that service to cust Y, etc.  cust Y
 is bound to the terms and conditions of my agreement with
 cust X, despite that I do not have a direct agreement with cust Y.
 Oh christ...network engineers trying to be lawyers.

 I don't know much, but I do know that legal agreements in the US are
 NOT transitive in this way, unless each agreement is included by
 reference in the other.

They aren't legally, but they are effectively.
If X must abide by your AUP, then any traffic they forward for Y must also
abide by your AUP (or whatever penalties are in your contract with X will
kick in) - it doesn't matter what X's contract with Y says, as your
contract is with X and any penalties are to be applied to X; It is
therefore in X's best interest to insist Y abides by the AUP or
indemnifies X for any penalties, and/or negotiates with you to make sure
only Y's traffic is cut off on breach of the AUP by Y, rather than all
traffic from X.



RE: more on filtering

2003-10-31 Thread daryl

 -Original Message-
 From: Owen DeLong [mailto:[EMAIL PROTECTED] 
 Sent: Friday, October 31, 2003 11:12 AM
 To: Daryl G. Jurbala; [EMAIL PROTECTED]
 Subject: RE: more on filtering
 
[...]

  NOT transitive in this way, unless each agreement is included by 
  reference in the other.
 
 Yes and no.  If my agreement with cust X says that they take 
 responsibility for ensuring that any customers to whom they 
 resell my service (or any traffic they transit into my 
 network, to be more specific) must conform to my AUP, then 
 the fact that it is cust Y that originated the violating 
 traffic has little effect.  I can still hold cust X 
 responsible.  As a good guy and for good customer service, I 
 will, instead, first ask X to hold Y accountable and rectify 
 the situation.  If that doesn't work, you bet X will get 
 disconnected or filtered.

I 100% agree with this (other than the first three words;) ).  But
legally, the agreement is not transitive.  Legally it's YOUR customer
only that is responsible to your AUP.  It follows logically, but not
legally, that your customer binds their customers to an AUP that is at
least as restrictive as yours, or YOUR CUSTOMER will be in breach with
you, if their customers exercise practices violating your AUP...whether
they are allowed to in the contract with their upstream or not.

I'm speaking legally only (yes, by random chance, I had my contract
attorney on the phone when I first read this post).  Logically, you're
correct...but law != logic.

Daryl


RE: more on filtering

2003-10-31 Thread Anne P. Mitchell, Esq.


  I don't see how that is the same thing here.  I have an
  agreement with cust X to provide services in accordance with
  my AUP.  cust X resells that service to cust Y, etc.  cust Y
  is bound to the terms and conditions of my agreement with
  cust X, despite that I do not have a direct agreement with cust Y.
 
  Oh christ...network engineers trying to be lawyers.

Hey, it's only fair - I'm trying to be a network engineer. :-)

The concept about which the original poster is speaking is probably 
that of either sub-licensees or third party beneficiaries 
(different things, but he is probably thinking of one of those two 
concepts).  

In the former, it means that his *users* are bound by the same 
criteria as is he if he makes a contract with someone (it was the 
concept we used at Habeas to bind ISP users if an ISP signed a 
license with Habeas).  The latter, third party beneficiaries, is 
*actually* what one would need to bind a users' own customers to the 
users' contract, and that must be spelled out explicitly in the 
contract between ISP and customer X.

Anne

Anne P. Mitchell, Esq.
President/CEO
Institute for Spam & Internet Public Policy
Professor of Law, Lincoln Law School of SJ




RE: more on filtering

2003-10-31 Thread Owen DeLong

I'm well aware that law!=logic.  In fact, I have often said that there
are two sayings which when recombined provide a more accurate picture
of the true situation in the American legal system:
1.  Possession is no excuse.
2.  Ignorance is 9/10th of the law.
(Feel free to run that past your attorney as well)

I was stating that although legally, I can't do anything to X's customer
directly, I certainly can, for example, block all traffic from Y at
my ingress points if X won't get Y to correct their behavior.  As such,
while the agreement is not legally transitive, the authority it gives
me allows me to effectively deal with Y indirectly.  Obviously, it also
provides an incentive for X to deal with Y directly, but, while I can't
effect legal remedy against Y, the contract does allow me to effect
network remedy against Y by dropping Y where X connects to me.
Owen

--On Friday, October 31, 2003 11:18 AM -0500 [EMAIL PROTECTED] wrote:

-Original Message-
From: Owen DeLong [mailto:[EMAIL PROTECTED]
Sent: Friday, October 31, 2003 11:12 AM
To: Daryl G. Jurbala; [EMAIL PROTECTED]
Subject: RE: more on filtering
[...]

 NOT transitive in this way, unless each agreement is included by
 reference in the other.
Yes and no.  If my agreement with cust X says that they take
responsibility for ensuring that any customers to whom they
resell my service (or any traffic they transit into my
network, to be more specific) must conform to my AUP, then
the fact that it is cust Y that originated the violating
traffic has little effect.  I can still hold cust X
responsible.  As a good guy and for good customer service, I
will, instead, first ask X to hold Y accountable and rectify
the situation.  If that doesn't work, you bet X will get
disconnected or filtered.

I 100% agree with this (other than the first three words;) ).  But
legally, the agreement is not transitive.  Legally it's YOUR customer
only that is responsible to your AUP.  It follows logically, but not
legally, that your customer binds their customers to an AUP that is at
least as restrictive as yours, or YOUR CUSTOMER will be in breach with
you, if their customers exercise practices violating your AUP...whether
they are allowed to in the contract with their upstream or not.

I'm speaking legally only (yes, by random chance, I had my contract
attorney on the phone when I first read this post).  Logically, you're
correct...but law != logic.
Daryl



--
If it wasn't signed, it probably didn't come from me.




RE: more on filtering

2003-10-31 Thread Matthew Kaufman

Tell that to Cisco, Nortel, and any other vendor that can handle huge rates
of traffic that conform to typical but, when the pattern of addresses (or
options) in the packets cause the flow cache to thrash, die under loads far
below line rate. (See Cisco's
http://www.cisco.com/warp/public/63/ts_codred_worm.shtml as an example) 

Tell that to any router, switch, or end system vendor who recently found out
what happened when a worm forces near-simultaneous arp requests for every
possible address on a subnet.

I'm afraid that those of us building actual networks are forced to do so
using actual hardware that actually exists today, and using actual hardware
that was actually purchased several years ago and which cannot be forklifted
out.

You call the network obviously broken, I call it the only one that can be
built today.

Matthew Kaufman
[EMAIL PROTECTED]

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Greg Maxwell
 Sent: Thursday, October 30, 2003 7:48 PM
 To: Chris Parker
 Cc: Alex Yuriev; [EMAIL PROTECTED]
 Subject: Re: more on filtering
 
 
 
 On Thu, 30 Oct 2003, Chris Parker wrote:
 
  The source of the problem of bad packets is where they 
 ingress to my 
 network.  I disconnect the flow of bad packets through filtering.  
  What is the difference, other than I do not remove an entire 
  interconnect, only the portion of packets that is affecting 
 my ability 
  to provide services?
 
 If the *content* of the packets is breaking your network: 
 Your network is obviously broken.
 
 



Re: more on filtering

2003-10-31 Thread Barney Wolff

  I don't know much, but I do know that legal agreements in the US are
  NOT transitive in this way, unless each agreement is included by
  reference in the other.
 They aren't legally, but they are effectively.

Ok, enough legal debate.  Let me use a strictly US analogy:  The death
penalty for shooting a cop is a legal deterrent, but a wise cop still
wears a bulletproof vest.

Filter to protect your own network, and, when necessary and possible,
your customers from each other and the Internet from your customers.
Legalisms punish, after the fact.

-- 
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.


RE: more on filtering

2003-10-31 Thread Greg Maxwell

On Fri, 31 Oct 2003, Matthew Kaufman wrote:

[snip]
 I'm afraid that those of us building actual networks are forced to do so
 using actual hardware that actually exists today, and using actual hardware
 that was actually purchased several years ago and which cannot be forklifted
 out.

 You call the network obviously broken, I call it the only one that can be
 built today.

It's interesting that many rather sizable networks have weathered these
events without relying on filtering, NAT, or other such behavior.

Even if you're right, that doesn't make me wrong.
Any IP network conformant to Internet standards should be content
transparent. Any network which isn't is broken. Breaking under abnormal
conditions is unacceptable. I am well aware of reality, but the reality
is: some things need to be improved.

This isn't some fundamental law of nature causing these limits. We are
simply seeing the results of the internet boom valuation of rapid growth
and profit over correctness and stability.

As the purchasers of this equipment we have the power to demand vendors
produce products which are not broken. Doing so is our professional duty,
settling on workarounds that break communications and fail to actually
solve the problems is negligent. Suggesting that breaking end-to-endness
is a long term solution to these kind of issues is socially irresponsible.


-- 
The comments and opinions expressed herein are those of the author of this
message and may not reflect the policies of the Martin County Board of
County Commissioners.



RE: more on filtering

2003-10-31 Thread Matthew Kaufman


 It's interesting that many rather sizable networks have 
 weathered these events without relying on filtering, NAT, or 
 other such behavior.

What's more interesting is how many big networks have implemented 98-byte
ICMP filters, blocks on port 135, and other filters on a temporary basis on
one or more (but not all) interfaces, without anyone really noticing that
they're doing that.

It isn't something that's well-publicized, but I know several major
ISPs/NSPs which have had such filters in place, at least briefly, on either
congested edge interfaces or between core and access routers to prevent
problems with devices like TNTs and Shastas.

 Even if you're right, that doesn't make me wrong.

True enough.

 Any IP network conformant to Internet standards should be 
 content transparent. Any network which isn't is broken.

Then they're all broken, to one extent or another. Even a piece of wire can
be subjected to a denial of service attack that prevents your content from
transparently reaching the far end.

 Breaking under abnormal conditions is unacceptable. I am well 
 aware of reality, but the reality
 is: some things need to be improved.

That some things need to be improved has been true since the very first day
the Internet began operation. Of course, the users of the end systems were
somewhat better behaved for the first few years, and managed to resist the
temptation to deploy widespread worms until 1988.

 This isn't some fundamental law of nature causing these 
 limits. We are simply seeing the results of the internet 
 boom valuation of rapid growth and profit over correctness 
 and stability.

True.

 As the purchasers of this equipment we have the power to 
 demand vendors produce products which are not broken. 

One can demand all one wants. Getting such a product can be nearly or
totally impossible, depending on which features you need at the same time.

 Doing 
 so is our professional duty, settling on workarounds that 
 break communications and fail to actually solve the problems 
 is negligent.

But not using the workarounds that one has available in order to keep the
network mostly working, and instead standing back and throwing up one's
hands and saying "well, all the hardware crashed, guess our network is down
entirely today" is even more negligent. It may also be a salary-reducing
move.

 Suggesting that breaking end-to-endness is a 
 long term solution to these kind of issues is socially irresponsible.

Waiting until provably-correct routers are built, and cheap enough to
deploy, may be socially irresponsible as well. There's a whole lot of good
that has come out of cheap broadband access, and we'd still be waiting if we
insisted on bug-free CPE and bug-free aggregation boxes that could handle
any traffic pattern thrown at them.

Do you actually believe that it was a BAD idea for Cisco to build a router
that is more efficient (to the point of being able to handle high-rate
interfaces at all) when presented with traffic flows that look like real
sessions?

Matthew Kaufman
[EMAIL PROTECTED]



RE: more on filtering

2003-10-31 Thread Alex Yuriev

 Do you actually believe that it was a BAD idea for Cisco to build a router
 that is more efficient (to the point of being able to handle high-rate
 interfaces at all) when presented with traffic flows that look like real
 sessions?

Why buy something that works well only sometimes (we are very efficient
when it looks like 'real' traffic from Cisco) when you can buy (no one
told us that we should have issues with some specific packets) Juniper?

Alex



RE: more on filtering

2003-10-31 Thread Matthew Kaufman

Well, interestingly, in our network, Juniper makes all of our new core
routers. Specifically because Cisco routers were melting down at an
unacceptable rate.

But there was no such thing as Juniper when we started building (so we still
have a lot of Cisco routers in the network), and they don't make DSLAMs or
DSL/ATM customer aggregation boxes, so we still get to deal with
traffic-dependent performance. And I'm sure we're not the only network in
this situation.

Should I replace every box in the network with a Juniper and pass the cost
along to the customers? (New line item on the bills: "we won't filter worm
traffic" tax)

Even if I had an all-Juniper network, I'd still need to decide what to do
about DDOS attacks... Do I just call my circuit vendors and keep adding
OC48s until the problem goes away?

Matthew Kaufman
[EMAIL PROTECTED]

 -Original Message-
 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
 Behalf Of Alex Yuriev
 Sent: Friday, October 31, 2003 6:29 AM
 To: Matthew Kaufman
 Cc: 'Greg Maxwell'; 'Chris Parker'; [EMAIL PROTECTED]
 Subject: RE: more on filtering
 
 
 
  Do you actually believe that it was a BAD idea for Cisco to build a 
  router that is more efficient (to the point of being able to handle 
  high-rate interfaces at all) when presented with traffic flows that 
  look like real sessions?
 
 Why buy something that works well only sometimes (we are 
 very efficient when it looks like 'real' traffic from Cisco) 
  when you can buy (no one told us that we should have issues 
 with some specific packets) Juniper?
 
 Alex
 



RE: more on filtering

2003-10-31 Thread Ray Burkholder

 
 Even if I had an all-Juniper network, I'd still need to 
 decide what to do
 about DDOS attacks... Do I just call my circuit vendors and 
 keep adding
 OC48s until the problem goes away?
 
But isn't this just trying to put a square peg into a round hole?  Wouldn't
it be better to let routers route, switches switch, and filter boxen filter?
I know people like to have routers talk directly to each other, but there
are certain high capacity upper layer filter boxen out there that, when
inserted into the link, can handle this nastiness, so a router doesn't
over-work its designed-to-be-lazy processor.





Re: more on filtering

2003-10-30 Thread matt

Recently, [EMAIL PROTECTED] (Alex Yuriev) wrote:
 
  So, electric grids do not have any mechanisms to disconnect from other
  grids ( ie, stop transiting their electricity ) if one is doing something
  that causes problems on the local grid?  As a customer I would very
  much like my provider to filter out waveforms that would prevent their
  ability to provide me with my service.
 
 They disconnect the SOURCE of the problem forcing the SOURCE to behave. That
 is equivalent of forcing the ES to behave.

Unfortunately, as the Northeast seaboard of the US discovered
not too long ago, the electrical system is somewhat like the
Internet; it attempts to route around failures, meaning that
simply shutting down the link along which the damaging
waveform is propagating does not prevent it from entering
your grid; it simply follows a different pathway in.  And
in shutting down the direct pathway, you may well cause
more stability problems as the flow shifts onto alternate
interconnects.

Likewise, if I am network A, and a customer of mine is
sending attack packets towards a customer of network B,
simply shutting down the peering links between network
A and network B does nothing to prevent the attack packets
from entering network B.  Network B would have to isolate
itself completely from the rest of the Internet core in
order to ensure my bad packets did not enter their network.
Anything less, and as long as there is some transit path
that can be used to get from my network to network B,
the attack packets will still flow and enter network B.

I don't think anyone here would defend isolating themselves
from the rest of the Internet as being a better solution 
than say putting in filters to block port 1434 traffic.
 
 Traffic to port X cannot be specified as valid or invalid for any IS,
 because the IS does not know why such traffic exists. 

We're not saying the traffic is invalid; we're saying the
traffic is causing us harm.  As with most organisms, there
is a strong instinct for self-preservation.  If the traffic
is causing extensive degradation to the IS, it's better for
the IS to try to preserve itself by limiting the impact of
the traffic, regardless of whether it is valid or not.

I'm starting to get the sense that you've never actually
been in the hot seat of a major network before, so for the
sake of everyone who has, who is no doubt getting rather
tired of your stubborn stance, I'll make this my last
public response on the issue.  Feel free to continue this
via private email if you'd like. 

 Alex

Matt



Re: more on filtering

2003-10-30 Thread Greg Maxwell

On Thu, 30 Oct 2003, Chris Parker wrote:

 The source of the problem of bad packets is where they ingress to my
 network.  I disconnect the flow of bad packets through filtering.  What
 is the difference, other than I do not remove an entire interconnect,
 only the portion of packets that is affecting my ability to provide
 services?

If the *content* of the packets is breaking your network: Your network
is obviously broken.