[server-admins] Fwd: Re: routes

Jonathan Marsden jmarsden at fastmail.fm
Thu May 13 16:03:25 MST 2010


Troy A. Griffitts wrote:

> OK guys.  Here's the updated history of this conversation between me
> and our ISP.  What do you guys think?

PHILOSOPHY:

You pay an ISP for connectivity to the Internet.  All of the Internet.
Not just for connectivity to the fraction of it they wish to allow you
to communicate with, based on *their* private and unpublished definition
of what they think are "OK" countries or networks.

I've no issue with an ISP blocking individual IP addresses or even Class
C subnets for clearly abusive behaviour, for some defined time, say 30
days.  But to block many large (class A or B sized) subnets forever,
with no apparent mechanism to check whether the abuse continues, is ...
not the level of Internet connectivity you thought you were paying for
(if they are giving you this connectivity for free, obviously that's a
very different situation!).

Assuming you are a paying customer, I'd either get them to agree to
remove all such blanket blocking unless they have fresh evidence (within
say the last 30 days) of continuing abuse... or seek a different way to
get your connectivity.

SIZE OF BLOCKING ENTRIES:

To my mind, there is a really *huge* difference between:

>> I have 8 pages of "ip route 46.1.0.0 0.0.0.255 null0".

which (I think?) is a /8, a Class A sized netblock, 46.*.*.* being
blocked, and

>> ip route 150.135.40.100 255.255.255.255 null0
>> ip route 77.238.198.226 255.255.255.255 null0

which are single IPv4 addresses being null routed.  The email you
received makes no distinction at all between these, which seems both
strange and unfortunate.

Eight pages of single IP blocks would be perhaps 500 IP addresses.
That's unfortunate, but perhaps tolerable.  Eight pages of Class A's...
blocks more than the entire IPv4 address space!  How wide these blocking
entries are really makes a difference.

MIDDLE GROUND?:

Perhaps you could compromise: if they were to (a) remove all blocks
wider than a /24 (i.e. blocking more than a single class C sized subnet),
and all blocks for which they have no evidence of attempted attacks in
the last 30 days, and (b) provide you with a list of what blocks remain
in place, with the last known date on which each such blocked IP or
subnet attacked their address space, and (c) agree to update you
regarding this information as they change it, that would probably be
tolerable "if we have to put up with it, we will" territory, for me.

You'll need the date info in (b) so you can regularly remind them to
please remove all 'expired' blocks from the list... :)

>> I'd rather not have to blindly remove all of those.

Respond by making it very clear that such blind removal is *not* what
you are requiring.  Instead, you need them to remove ONLY entries
blocking more than a single /24 block of IP addresses (because they are
overly broad), and entries from which they lack clear evidence of
serious attack attempts in the last 30 days (because they are out of
date).  All the rest, including all the single IP ones (which presumably
are based on actual specific attack attempts), could probably stay in
place without unduly affecting crosswire.org.

BOTTOM LINE:

If they continue to respond with what amounts to "we'll block whatever
we feel like, in large quantities, and we will unblock only a few
specific IPs that you ask us about", then... it's time to search for a
new supplier of Internet connectivity.

Jonathan
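
The review criteria proposed in the message above (nothing wider than a /24, and nothing without evidence of an attack in the last 30 days) can be checked mechanically against a null-route list. The following is an added example, not part of the original message or of anything the ISP runs; the function names, the last-seen table and all sample addresses and dates other than the one line quoted in the thread are constructed assumptions.

```python
import ipaddress
import re
from datetime import date

ROUTE_RE = re.compile(r"^\s*ip route (\S+) (\S+) null0\s*$", re.IGNORECASE)

def mask_to_prefixlen(mask):
    """Prefix length for a contiguous dotted netmask, or None if it is not one."""
    inv = ~int(ipaddress.IPv4Address(mask)) & 0xFFFFFFFF
    if inv & (inv + 1):  # zero bits are not one solid run at the low end
        return None
    return 32 - inv.bit_length()

def audit(lines, last_seen, today, max_age_days=30, min_prefixlen=24):
    """Return (entry, verdict) for every null route found in lines."""
    results = []
    for line in lines:
        m = ROUTE_RE.match(line)
        if not m:
            continue
        addr, mask = m.groups()
        plen = mask_to_prefixlen(mask)
        if plen is None:
            # Do not guess the width; ask whoever owns the list what was meant.
            results.append((f"{addr} {mask}", "ambiguous-mask"))
            continue
        net = ipaddress.IPv4Network((addr, plen), strict=False)
        seen = last_seen.get(str(net))  # date of last observed attack, if any
        if plen < min_prefixlen:
            verdict = "too-broad"
        elif seen is None or (today - seen).days > max_age_days:
            verdict = "stale"
        else:
            verdict = "keep"
        results.append((str(net), verdict))
    return results

# Constructed sample: first line is quoted in the thread, the rest are made up.
SAMPLE = ["ip route 46.1.0.0 0.0.0.255 null0",
          "ip route 192.0.2.10 255.255.255.255 null0",
          "ip route 198.51.100.7 255.255.255.255 null0",
          "ip route 203.0.113.0 255.255.255.0 null0",
          "ip route 10.0.0.0 255.0.0.0 null0"]
LAST_SEEN = {"192.0.2.10/32": date(2010, 5, 1),     # constructed dates
             "198.51.100.7/32": date(2010, 3, 1),
             "10.0.0.0/8": date(2010, 5, 10)}

if __name__ == "__main__":
    for entry, verdict in audit(SAMPLE, LAST_SEEN, date(2010, 5, 13)):
        print(f"{verdict:15} {entry}")
```

Entries whose mask is not a contiguous netmask are reported as ambiguous rather than assigned a width, since the blocked range cannot be determined from the line alone.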


