mailing list archives
Re: Tier1 blackholing policy?
From: ML <ml () kenweb org>
Date: Tue, 30 Apr 2013 10:59:24 -0400
On 4/30/2013 10:31 AM, Thomas Schmid wrote:
I know Tier1s are blackholing traffic all the time :) (de-peering,
but did it became a new role for Tier1s to go from transit provider to
We received recently customer complaints stating they can't reach
Investigation showed that the sites were not reachable via Tier1-T,
but fine via
Tier1-L. I contacted Tier1-T and the answer was something like "yeah,
this is a known phishing
site and to protect our customers we blackhole that IP" (btw - it was
2 ASes away from Tier1-T).
Huh? If I want to block something there, it should me my decision or
that of my country's legal
entities by court order and not being decided by some Tier1's
intransparent security department.
(Not even mentioning words like 'CGN', 'legal', 'net neutrality' or
'censorship') This might be
an acceptable policy for a cable provider but not for a Tier1.
Haven't seen something like this in many years. Did I miss a
pardigm-shift here and has this
become a common "service" at Tier1s?
Ideally what should a Tier 1 or default-free network do in this
1) Do nothing - They're supposed deliver any and all bits (Disregarding
a DoS or similiar situation which impedes said network)
2) Prefix filter - Don't be a party (at least in one direction) to the
bad actors traffic.
 Assuming there is some sort of security and/or wrongdoing event that
isn't getting resolved via contact with their peer.