A govt. blackhole feed does not actually have to be operated by the govt. amateurs. It could be outsourced to an org with some clue. Also, as with most peerings, ISPs have (or should have) a paranoid defensive posture that includes route filters, limits on prefix numbers, etc. There is no technical or operational reason why this would not work.
The point is, if it is proposed to any govt. as a response to requests to block, it will probably not be taken up, but the offer itself might be judged sufficient in the eyes of the law.

Phil

At 06:22 PM 7/23/02 -0400, you wrote:
>Referring to the 2nd part of your message, I somehow thought we (as a community) have had a long discussion about this in the past (say 2-3 years ago IIRC) and never really found a solution (not sure there really is one that is straightforward). I don't wish to see a bunch of "amateur" net admins from the gov injecting BGP into my network, that's closer to engineering suicide than anything else, or an AS7007 type of scenario.
>
>OTOH I tend to agree that you want to take the heat off the ISPs and get the gov to take responsibility for their requests and actions. Just don't feel that engineering should mix with politics, that's an explosive cocktail.
>
>Thomas
>
>----- Original Message -----
>From: "philip bridge" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Sent: Tuesday, July 23, 2002 4:28 PM
>Subject: Re: [swinog] Filtering the backbone is BAD!!! Don't do it!!!
>
>
>> Makes you wonder if there's a business case here. Set up a router in some country with lax laws about this stuff. Set up IP tunnels from that router to IPs at the sites with the offending content - not the IPs of the offending content. Point routes to the IPs of the offending content down the tunnels. Set up tunnels to ISPs that want this content and export the routes down the tunnels with BGP. Packets from ISP to offensive site go through the tunnels, return packets go the normal route.
>>
>> In some ways the opposite of a blackhole feed. A whitehole feed! ;-)
>>
>> In fact, different people offering such a service could link up - via tunnels - and swap these routes. Looks kind of like a subterranean version of the Internet.
>>
>> Remember...the Internet treats censorship as damage, and routes around it.
>>
>>
>> However, having said that, what I would like to see is a blackhole feed sourced and maintained by the authorities. The problem at the moment is that they do not want to be seen as censors...they try to get the ISPs to do it for them, and take the heat. A valid response to these requests would be to offer to set up a blackhole feed capability for them. They enter the IPs they want blocked, and hey presto they are blocked automatically by the ISPs taking the feed. The sites being blocked would be public on the authorities' web site. Then it would be 100% clear who is doing the censorship.
>>
>> Next time they come around, why not offer to set that up for them. Offer to put them in control. Gets the ISP off the hook - they have offered to block whatever the authorities configure! Don't think they will take up the offer though...
>>
>> Phil
>>
>>
>>
>> At 09:32 PM 7/23/02 +0200, you wrote:
>> >* on the Tue, Jul 23, 2002 at 08:05:54PM +0100, philip bridge wrote:
>> >> It is actually easy to set up and maintain. Resolve the IPs, set up a blackhole to null0 in a core router and distribute a BGP host route to the blackhole throughout the network. No problem to set up and maintain - just check if the offending sites are still active once a week or so. Because it is configured in one place only there isn't much danger of the filters getting forgotten.
>> >
>> >Exactly what happened here.
>> >
>> >> ># ping www.3ivx.com
>> >> >PING 3ivx.com (207.228.238.29): 56 data bytes
>> >> >36 bytes from filter-for-online-gambling-sites-and-RFC1918-addr.zrh1.ch.colt.net (212.23.224.56): Destination Host Unreachable
>> >
>> >It took me five minutes to make them unblock this; but they still cling to filtering gambling-sites, because some dork of a lawyer told them they'd be on the safe side. Of course, one could sue them for not blocking *one* single casino, because since they block, they are obviously responsible for any illegal content in the whole world.
>> >
>> >Cheers
>> >Seegras
>> >--
>> >Those who give up essential liberties for temporary safety deserve
>> >neither liberty nor safety. -- Benjamin Franklin

----------------------------------------------
[EMAIL PROTECTED] Maillist-Archive:
http://www.mail-archive.com/swinog%40swinog.ch/
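
Editorial example, added here and not part of the original thread or any participant's code: a Python sketch of the defensive posture the top message mentions for accepting a third-party blackhole feed (route filters plus a prefix limit). The function name, the protected ranges, the limit and the sample feed are all constructed assumptions.

```python
import ipaddress

# Constructed policy values (assumptions, not from the thread).
PROTECTED = [ipaddress.ip_network(p) for p in (
    "198.51.100.0/24",  # stand-in for the ISP's own infrastructure space
    "192.0.2.0/24",     # stand-in for other space that must never be blackholed
)]
MAX_PREFIXES = 5        # kept small for the sample; a real limit is agreed with the feed


class FeedLimitExceeded(Exception):
    """The feed sent more routes than agreed: drop the whole feed, not just the excess."""


def filter_feed(announcements, max_prefixes=MAX_PREFIXES, protected=PROTECTED):
    """Apply the import policy to prefixes received from a blackhole feed.

    Returns (accepted, rejected): accepted is a list of IPv4 host routes,
    rejected is a list of (raw_prefix, reason) pairs.
    """
    accepted, rejected = [], []
    for raw in announcements:
        try:
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError:
            rejected.append((raw, "malformed"))
            continue
        if net.version != 4 or net.prefixlen != 32:
            # Host routes only: a /24 or a default route must never be blackholed.
            rejected.append((raw, "not an IPv4 host route"))
        elif any(net.subnet_of(p) for p in protected):
            rejected.append((raw, "inside protected space"))
        elif net not in accepted:
            accepted.append(net)
        if len(accepted) > max_prefixes:
            raise FeedLimitExceeded(f"more than {max_prefixes} routes from feed")
    return accepted, rejected


# Constructed sample feed: two valid host routes and five entries that must be refused.
SAMPLE_FEED = ["203.0.113.10/32", "203.0.113.11", "203.0.113.0/24", "0.0.0.0/0",
               "198.51.100.53/32", "not-a-prefix", "2001:db8::1/128"]

if __name__ == "__main__":
    ok, bad = filter_feed(SAMPLE_FEED)
    print("accepted:", [str(n) for n in ok])
    for raw, reason in bad:
        print("rejected:", raw, "-", reason)
```
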
