Referring to the 2nd part of your message, I somehow thought we (as a
community) have had a long discussion about this in the past (say 2-3 years
ago IIRC) and never really found a solution (not sure there really is one
that is straightforward). I don't wish to see a bunch of "amateur" net
admins from the gov injecting BGP into my network, that's closer to
engineering suicide than anything else, or an AS7007 type of scenario.

OTOH I tend to agree that you want to take the heat off the ISPs and get the
gov to take responsibility for their requests and actions. Just don't feel
that engineering should mix with politics, that's an explosive cocktail.

Thomas

----- Original Message -----
From: "philip bridge" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 23, 2002 4:28 PM
Subject: Re: [swinog] Filtering the backbone is BAD!!! Don't do it!!!


> Makes you wonder if there's a business case here. Set up a router in some
> country with lax laws about this stuff. Set up IP tunnels from that router
> to IPs at the sites with the offending content - not the IPs of the
> offending content. Point routes to the IPs of the offending content down the
> tunnels. Set up tunnels to ISPs that want this content and export the routes
> down the tunnels with BGP. Packets from ISP to offensive site go through the
> tunnels, return packets go the normal route.
>
> In some ways the opposite of a blackhole feed. A whitehole feed! ;-)
>
> In fact, different people offering such a service could link up - via
> tunnels - and swap these routes. Looks kind of like a subterranean version
> of the Internet.
>
> Remember...the Internet treats censorship as damage, and routes around it.
>
>
> However, having said that, what I would like to see is a blackhole feed
> sourced and maintained by the authorities. The problem at the moment is that
> they do not want to be seen as censors...they try to get the ISPs to do it
> for them, and take the heat. A valid response to these requests would be to
> offer to set up a blackhole feed capability for them. They enter the IPs
> they want blocked, and hey presto they are blocked automatically by the ISPs
> taking the feed. The sites being blocked would be public on the authorities'
> web site. Then it would be 100% clear who is doing the censorship.
>
> Next time they come around, why not offer to set that up for them. Offer
> to put them in control. Gets the ISP off the hook - they have offered to
> block whatever the authorities configure! Don't think they will take up the
> offer though...
>
> Phil
>
>
>
> At 09:32 PM 7/23/02 +0200, you wrote:
> >* on the Tue, Jul 23, 2002 at 08:05:54PM +0100, philip bridge wrote:
> >> It is actually easy to set up and maintain. Resolve the IPs, set
> >> up a blackhole to null0 in a core router and distribute a BGP host
> >> route to the blackhole throughout the network.  No problem to set
> >> up and maintain - just check if the offending sites are still
> >> active once a week or so. Because it is configured in one place
> >> only there isn't much danger of the filters getting forgotten.
> >
> >Exactly what happened here.
> >
> >> ># ping www.3ivx.com
> >> >PING 3ivx.com (207.228.238.29): 56 data bytes
> >> >36 bytes from filter-for-online-gambling-sites-and-RFC1918-addr.zrh1.ch.colt.net (212.23.224.56): Destination Host Unreachable
> >
> >It took me five minutes to make them unblock this; but they still
> >cling to filtering gambling-sites, because some dork of a lawyer told
> >them they'd be on the safe side. Of course, one could sue them for
> >not blocking *one* single casino, because since they block, they are
> >obviously responsible for any illegal content in the whole world.
> >
> >Cheers
> >Seegras
> >--
> >Those who give up essential liberties for temporary safety deserve
> >neither liberty nor safety. -- Benjamin Franklin
> >----------------------------------------------
> >[EMAIL PROTECTED] Maillist-Archive:
> >http://www.mail-archive.com/swinog%40swinog.ch/
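An added sketch, not part of the thread and not any poster's code: one way an ISP taking an externally maintained blackhole feed, as proposed above, could vet entries before they become BGP host routes to null0, so that a bad entry cannot cause the AS7007-style damage raised in the reply. The names `vet_feed`, `PROTECTED` and `MAX_ROUTES` are hypothetical, and the protected prefix and route cap are constructed values.

```python
import ipaddress

# Constructed assumptions: the ISP's own address space and a route cap.
PROTECTED = [ipaddress.ip_network("212.23.224.0/24")]
MAX_ROUTES = 3

def vet_feed(entries, protected=PROTECTED, max_routes=MAX_ROUTES):
    """Return (accepted, rejected) for an externally supplied blackhole feed.

    accepted: sorted host-route strings that may be installed toward null0.
    rejected: (entry, reason) pairs for the operator to review.
    """
    accepted, rejected = set(), []
    for raw in entries:
        entry = raw.strip()
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            rejected.append((entry, "not a valid prefix"))
            continue
        if net.prefixlen != net.max_prefixlen:
            # Anything shorter than a host route could swallow real traffic.
            rejected.append((entry, "not a host route"))
            continue
        addr = net.network_address
        if not addr.is_global or addr.is_multicast:
            rejected.append((entry, "not globally routable unicast"))
        elif any(addr.version == p.version and addr in p for p in protected):
            rejected.append((entry, "inside protected prefix"))
        else:
            accepted.add(str(net))
    if len(accepted) > max_routes:
        # Fail closed: an oversized feed is treated as a fault, not as policy.
        rejected.extend((e, "feed exceeds max_routes") for e in sorted(accepted))
        accepted.clear()
    return sorted(accepted), rejected

# Constructed sample feed; only 207.228.238.29 appears in the thread.
SAMPLE_FEED = ["207.228.238.29", "207.228.238.0/24", "10.1.2.3/32",
               "212.23.224.56/32", "0.0.0.0/0", "bogus", "207.228.238.29/32"]

if __name__ == "__main__":
    ok, bad = vet_feed(SAMPLE_FEED)
    print("install:", ok)
    for entry, reason in bad:
        print("reject:", entry, "-", reason)
```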