On 4/30/2013 10:31 AM, Thomas Schmid wrote: > Greetings, > > I know Tier1s are blackholing traffic all the time :) (de-peering, > congestion etc.) > but did it became a new role for Tier1s to go from transit provider to > transit blocker? > > We received recently customer complaints stating they can't reach > certain websites. > Investigation showed that the sites were not reachable via Tier1-T, > but fine via > Tier1-L. I contacted Tier1-T and the answer was something like "yeah, > this is a known phishing > site and to protect our customers we blackhole that IP" (btw - it was > 2 ASes away from Tier1-T). > > Huh? If I want to block something there, it should me my decision or > that of my country's legal > entities by court order and not being decided by some Tier1's > intransparent security department. > (Not even mentioning words like 'CGN', 'legal', 'net neutrality' or > 'censorship') This might be > an acceptable policy for a cable provider but not for a Tier1. > > Haven't seen something like this in many years. Did I miss a > pardigm-shift here and has this > become a common "service" at Tier1s? > > Thomas
Ideally what should a Tier 1 or default-free network do in this situation[1]? 1) Do nothing - They're supposed deliver any and all bits (Disregarding a DoS or similiar situation which impedes said network) 2) Prefix filter - Don't be a party (at least in one direction) to the bad actors traffic. 3) ? [1] Assuming there is some sort of security and/or wrongdoing event that isn't getting resolved via contact with their peer.
