[NCLUG] Egress Filtering

John L. Bass jbass at dmsd.com
Tue Aug 14 19:21:18 MDT 2001


	i'm not really talking about the big boys here. they pretty much pass on any
	packet they receive. that is the nature of their business. what i'm talking
	about is the folks who are not 'tier 1'.

As a customer, I view the "cloud" edge starting with my portal. Everybody down stream
is JUST a transport agent - I just happen to pay at the connection points.

	[btw, i believe my "up" stream means the same thing as john's "down" stream]

Using the stream analogy - the data flowing between arbitrary clients aggregates down stream
into increasingly larger channels till it hits the backbone, then up stream into increasingly
smaller channels until it hits the destination client - by the analogy the little end is the
upstream end user - the fat end a down stream network service provider peering point.

There are a number of egocentric people who always view themselves as the big end of
any pipe ;-))

	> 
	> The proposal is a political one, about if ISP's should accept that mandate,
	> rather than their customers. The obvious implication is that ISP's must then

	i don't see it as an either or.

Depends on where you plan to draw the line of responsibility.

	> chain, even regional ISP's are customers of a down stream provider. Does this
	> mandate extend to the large "ISP's" like MCI, Sprint, Level3, Alternet which
	> form the backbone, and where it's nearly impossible to manage huge long filter
	> lists at every gateway router?

	as i said above, this doesn't make sense for them (even if they had the
	processing power) it is their business to pass packets basically for
	everyone.

My model is that transport is ALWAYS transparent (out of my control) past my portal device.

How do you draw the line between an ISP and NSP (network service provider) when the
big boys are both, and the biggest ISP's (like @home and AOL) manage their own backbone?

	also, what percentage of networks in the global routing tables originate in
	networks described here? 1%? 5%? what i'm all talking about is catching them
	before they get to networks like this.

	> capable of doing IP header routing at wire speed. Many existing routers have a
	> difficult time somewhere between 1mbps and 100mbps, depending on the number of

	i've not seen this. ymmv.

Take a work horse like a CISCO 2500 - three full duplex channels - it cannot handle
three ports of full speed 64 byte T-1 packets with the traffic flowing A->B, B->C,
C->A. This would require the router to process about 69K packets/sec ... it does
however have a sporting chance with 1,500 byte packets where the packet rate drops to
3K packets/second. I have yet to see any production router which handles this worst
case of max data rate with small packets. This is why the core network is switched.

	> Most DSL/Cable customers already deploy a firewall/router capable of handling
	> the task at purchased connection speed. It's also this class of customer which
	> lacks the expertise to prevent the abuses of the most concern. In fact, they
	> are specifically the class of systems targeted by virus and trojan writers.

	most dsl/cable customers i know do _not_ have a box sophisticated enough to
	perform the tasks we've all suggested. also, the lack of expertise cited
	here suggests the solution may not lie with the end customer.

EVERY cable/dsl modem box passes the data thru a medium speed microprocessor with
performance to do this task. New ones have NAT built in. Older ones do not offer
filtering in firmware - it would require an upgrade.

	more importantly, if you are a customer of an isp, the isp should have
	filters in place to keep traffic from you limited to the ip addresses
	assigned to you. most of the equipment i've seen for these kinds of
	connections already have this capability built in as part of the customer
	config. this is not a big deal.

That is EXACTLY the debate/mandate/expectation - "isp should have filters"
that we differ on - this is a political/business discussion involving who
accepts the liability when the filters fail. This is not a technical issue.

The ISP will only accept this mandate when compensated for the liability.
Defining the EXACT extent of that liability gets GREY as soon as the ISP
accepts ANY liability for customer generated traffic. The only two clear
cases which avoid liability are NONE or ALL.

	> 
	> I believe that everyone is responsible for the devices they directly
	> manage/own,

	i agree, wholeheartedly.

	> and no one else. 

	i disagree. i believe an isp is responsible for the ip space originating
	within it.

WRONG.

Responsibility equates to Liability.

Clearly not. An ISP is not liable for fraud, criminal activities, losses caused
by customer actions, .... and a long list.

Few (if any) ISP's claim full liability for the use of their IP space, so by
definition few claim responsibility either.

Any mandate to force an ISP to accept responsibility for packets generated from
their IP space, also transfers the liability.

	> 
	> There will always be a class of evil packets for which it is impractical to
	> filter
	> down streams, out bound Code Red attacks for example. The router would not
	> only
	> have to examine the IP headers, but scan packet content for a particular
	> signature.
	> Or DOS attacks using packet flooding of an arbitrary type. Just where does the
	> mandate that the ISP find a technical solution for all types of evil packets
	> stop?

	whoa! that's a whole new can of worms :)

	if this is the stuff you've been thinking about when saying the technology
	isn't there at wire speed yet, i totally agree.

It's exactly what I've been talking about, coupled with the Responsibility/Liability
rationale of either accepting NONE or ALL to avoid being co-named in every lawsuit.
When you keep sliding down this path it includes Porn filtering, and all types of
content monitoring (NAPSTER, etc) that you just have to say no to at the outset.

	> 
	> I stated that this is a slippery slope, and once you start down this path,
	> it is difficult to stop and is almost certainly going to hit solid technical
	> barriers.

	true. from what i've seen though, this isn't the reason the filtering isn't
	being done. lack of knowledge and laziness seem to top the list.

Try pure business/legal sense.

	> 
	> We can certainly agree to disagree in the end, as each of us has differing
	> experiences,
	> needs and objectives. There is certainly no need to twist any element of this
	> discussion into directed personal attacks, or attempt to force any participant
	> to defend an artificially constructed unpopular position.

	i haven't noticed any personal attacks. sorry if you took anything i wrote
	that way. it surely wasn't intended in that manner.

Wasn't you.

	i don't think we differ much on this issue.

Only in the breadth from which we draw for the solution space, which
generates radically different solution sets.

John
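The per-customer source-address check the thread describes ("filters in place to keep traffic from you limited to the ip addresses assigned to you"), written out as an added example that is not code from the thread or from any ISP's gear; the port names, prefixes and packet records are constructed for illustration.

```python
"""Source-address egress filter of the kind the thread discusses: an ISP
edge drops packets from a customer port whose source address is not in
the address space assigned to that customer (BCP 38 style anti-spoofing).
Added example, not code from the thread; the port names, prefixes and
packet records below are constructed for illustration."""
import ipaddress
from collections import Counter

# Constructed customer table: port -> prefixes assigned to that customer.
ASSIGNED = {
    "port1": [ipaddress.ip_network("192.0.2.0/29")],
    "port2": [ipaddress.ip_network("198.51.100.0/30"),
              ipaddress.ip_network("198.51.100.64/26")],
}

def egress_permitted(port, src):
    """True if src belongs to the address space assigned to port.
    Unknown ports and unparsable addresses are dropped (fail closed)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in ASSIGNED.get(port, []))

def filter_packets(packets):
    """Apply the check to (port, src, dst) records; return the permitted
    records and a per-port count of what was dropped."""
    passed, dropped = [], Counter()
    for port, src, dst in packets:
        if egress_permitted(port, src):
            passed.append((port, src, dst))
        else:
            dropped[port] += 1
    return passed, dropped

# Constructed sample traffic: the third and fourth records carry source
# addresses not assigned to their port, the last one arrives on an unknown port.
SAMPLE = [
    ("port1", "192.0.2.3", "203.0.113.10"),
    ("port2", "198.51.100.70", "203.0.113.10"),
    ("port1", "10.0.0.1", "203.0.113.10"),
    ("port2", "192.0.2.3", "203.0.113.10"),
    ("port9", "198.51.100.2", "203.0.113.10"),
]

if __name__ == "__main__":
    ok, drops = filter_packets(SAMPLE)
    print(len(ok), "passed;", dict(drops))
```

This is the header-only check the thread treats as cheap for edge equipment; it says nothing about payload signatures such as Code Red or flood-type DOS traffic, which the thread places outside what such a filter can catch.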


