North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: IAB concerns against permanent deployment of edge-based filtering

  • From: Leo Bicknell
  • Date: Sat Oct 18 10:58:11 2003

In a message written on Sat, Oct 18, 2003 at 07:39:37AM -0700, bmanning@karoshi.com wrote:
> why the heck does the IAB think they should tell me how to run my network?

I think the IAB has a legitimate point.

Network operators rely today on the fact that different services use
different ports, so they can block particular types of access/behavior
by blocking ports.

However, this behavior has already started to change how applications
work.  We've all seen the streaming media clients, or IM programs
that will use port 80 to get past a firewall, even though they are
not http traffic.  Virus writers have done the same thing.  New VPN
technologies use SSL, on the SSL web server port, but then send IP
packets over them, not web requests.

There is a real danger that long-term continued blocking will lead
to "everything on one port" (probably 80).  This will have the end
result that ISP's will be unable to filter out the bad traffic
anymore by using a port based filter, nor will they be able to
collect statistics or other usage data.  Additionally, this moves
the problem up the stack as if everything runs on port 80 some
"intelligent" demuxer will be needed at a higher layer for a box
that wants to run multiple services.

I'm not saying ISP's shouldn't filter, but the long term filtering
is a problem.  It will cause application developers to do things
that will make long term filtering not work, in the end.

-- 
       Leo Bicknell - bicknell@ufp.org - CCIE 3440
        PGP keys at http://www.ufp.org/~bicknell/
Read TMBG List - tmbg-list-request@tmbg.org, www.tmbg.org

Attachment: pgp00025.pgp
Description: PGP signature