[Chapter-delegates] Empowering Internet user (was: blocking tcp/25)
Marcin Cieslak
saper at saper.info
Thu Nov 12 07:04:42 PST 2009
On Thu, 12 Nov 2009, Gilles Massen wrote:
> Hello,
>
> I must confess that I disagree very strongly with any port blocking. It
> is a very short sighted way with the only purpose to ignore the problem
> without solving anything.
I think almost *everyone* blocks udp/135 and tcp/139, the infamous NetBIOS
holes. While it's certainly different than outgoing tcp/25, where can
we draw the line?
> First of all, by blocking ports, you try to solve a *content* problem on
> the *network* layer. The words 'network neutrality' immediately spring
> to my mind. But far worse is that this approach basically burns the port
> 25 for any other use forever. Even if smtp is to be replaced completely,
> these blocks will just stay forever. While this might be acceptable for
> 1 port out of 65000 (and actually there are a few more that are often
> blocked), it is a very unhealthy precedent for reliable communications.
> What prevents an ISP to offer port 80/443 communications only, and ask
> for a fee for each additional port?
> Personally I would immediately leave an ISP that starts blocking
> without offering a very clear opt-out that does not involve more money,
> but that's only me.
Yes, opt-out would be desirable, for example for users of some kind
of embedded device that knows only Simple Mail Transfer Protocol
without its bells and whistles. I usually carry an SMTP MTA
on my laptop, and surprises like a blocked port 25 are quite common.
Thankfully, there is still UUCP.
> But another danger from the blocking, and from pushing users to port
> 587, is that the malware will simply follow. It will stop using
> straightforward smtp, but rather use the saved credentials to submit the
> spam. And then you are screwed, because that already was plan B.
Yes, we will see more MAPI-based malware, for example. Malware these
days is really sophisticated and such things are already done.
> So I'd strongly argue that if you think that home users are a problem,
> and that they should not be allowed to speak to your mailserver, then
> let the mail server handle this: it would be trivial to signal the
> nature of an address pool, so that those who want to go that way can.
> And this way you wouldn't have to solve mail issues on the network and
> you could avoid most collateral damage.
Do you think of something like Dialup Users List DNSBL?
There is another, a bit wider aspect of this. We keep talking about
a user-centric Internet. I am always reluctant to split Internet users
into two categories ("business" and "consumer") based on
the network service being delivered. Selective port blocking might be
one way to achieve this, but another - and quite popular one -
is the so-called "forced disconnect", i.e. breaking some kind of
PPP session (including PPPoE or PPPoA here, of course) that
breaks all your TCP connections and typically assigns you
a new IP address.
In the projected broadband plan for Poland, not only is content-level
filtering proposed (yes, no more "content inappropriate for
the youth"), but forced disconnect is also made mandatory.
I understand that this measure is taken to prevent people from running
"servers" on their home connections and I am very disturbed by this.
There will be no way to deploy innovative services that require
a server-like application on the user side.
One of those applications that have been spreading recently is distributed
version control systems - actually any user can have a repository on
their own local machine, and it works best if this machine is directly
reachable under some specified address (and no NAT!) from the rest
of the Internet. Just like the founding fathers' dream fulfilled.
I believe that the growth of new applications like DVCS will finally
create a market for the direct network-level reachability that IPv6 promises.
In my opinion there are three factors needed to fully empower
the Internet user:
- no forced disconnect
- static IP address
- no NAT in between and direct reachability
- better than mediocre upstream bandwidth
In a normally functioning market, you can switch ISPs to those who
don't do forced disconnect (like many cable providers in Europe)
or even give you a static public IP address (like one of *two* cable providers
in Warsaw, Poland).
Should this be left to the market or shall we promote better standards
in this area?
--Marcin
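The quoted suggestion that the mail server, rather than the network, should decide whether a source address pool is acceptable, together with the DUL DNSBL question in the reply, as an added Python example that is not part of the original thread. The zone name `dul.example.invalid`, the resolver table, the return-code meanings and the function names `dnsbl_name`, `lookup` and `smtp_policy` are all constructed for this illustration; a real list documents its own zone and codes.

```python
"""MTA-side check of a DUL-style DNSBL (added example, constructed data).

A DNSBL is queried over DNS by reversing the IPv4 octets of the client
address and appending the list's zone name.  A listed address answers with
an A record inside 127.0.0.0/8 whose last octet encodes the listing reason;
an unlisted address gets NXDOMAIN.  The MTA can then reject unauthenticated
port-25 traffic from dynamic pools with an explanatory 5xx reply, leaving
port 25 itself open for everyone else.
"""
import ipaddress
from typing import Optional, Tuple

DUL_ZONE = "dul.example.invalid"  # placeholder zone, not a real DNSBL

# Constructed stand-in for DNS answers: query name -> A record text.
FAKE_DNS = {
    "7.0.0.203.dul.example.invalid": "127.0.0.2",
    "9.0.0.203.dul.example.invalid": "127.0.0.3",
}

# Assumed return-code convention for this example only.
REASONS = {2: "dynamic address pool", 3: "dial-up address pool"}


def dnsbl_name(ip: str, zone: str = DUL_ZONE) -> str:
    """Build the query name: octets reversed, zone appended."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def lookup(ip: str, resolver=FAKE_DNS) -> Optional[Tuple[int, str]]:
    """Return (code, reason) if ip is listed, else None."""
    answer = resolver.get(dnsbl_name(ip))
    if answer is None:
        return None
    addr = ipaddress.IPv4Address(answer)
    # Only answers inside 127.0.0.0/8 count as listings; anything else is a
    # broken or wildcarded zone and is ignored rather than trusted.
    if addr not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    code = addr.packed[-1]
    return code, REASONS.get(code, "listed (unknown code)")


def smtp_policy(client_ip: str, port: int, authenticated: bool) -> Tuple[str, str]:
    """Decide at the MTA whether to accept a connection from client_ip.

    Port 587 is submission: accepted only with authentication.  Port 25 is
    rejected only when the client is in a listed dynamic/dial-up pool, and
    the reply says why instead of the connection being silently firewalled.
    """
    if port == 587:
        if authenticated:
            return "accept", "authenticated submission"
        return "reject", "530 authentication required on the submission port"
    if port == 25:
        listed = lookup(client_ip)
        if listed is not None:
            code, reason = listed
            return (
                "reject",
                f"550 {client_ip} is in a {reason} ({DUL_ZONE} code {code}); "
                "use your provider's submission service",
            )
    return "accept", "not listed"


if __name__ == "__main__":
    for ip, port, auth in [("203.0.0.7", 25, False), ("203.0.0.7", 587, True),
                           ("203.0.113.5", 25, False), ("203.0.0.9", 587, False)]:
        print(ip, port, auth, "->", smtp_policy(ip, port, auth))
```

The same lookup could be run against a real zone with any DNS client; the point of keeping it in the MTA is that the sender gets a reply code and a reason, and the ISP never has to touch port 25 on the network path.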