Copyright & Legal Notice

Copyright Broadband Internet Technical Advisory Group, Inc. 2013. All rights reserved. This document may be reproduced and distributed to others so long as such reproduction or distribution complies with Broadband Internet Technical Advisory Group, Inc.'s Intellectual Property Rights Policy, available at www.bitag.org, and any such reproduction contains the above copyright notice and the other notices contained in this section. This document may not be modified in any way without the express written consent of the Broadband Internet Technical Advisory Group, Inc. This document and the information contained herein is provided on an "AS IS" basis and BITAG AND THE CONTRIBUTORS TO THIS REPORT MAKE NO (AND HEREBY EXPRESSLY DISCLAIM ANY) WARRANTIES (EXPRESS, IMPLIED OR OTHERWISE), INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, FITNESS FOR A PARTICULAR PURPOSE, OR TITLE, RELATED TO THIS REPORT, AND THE ENTIRE RISK OF RELYING UPON THIS REPORT OR IMPLEMENTING OR USING THE TECHNOLOGY DESCRIBED IN THIS REPORT IS ASSUMED BY THE USER OR IMPLEMENTER. The information contained in this Report was made available from contributions from various sources, including members of Broadband Internet Technical Advisory Group, Inc.'s Technical Working Group and others. Broadband Internet Technical Advisory Group, Inc. takes no position regarding the validity or scope of any intellectual property rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this Report or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights.
Executive Summary

The term "port blocking" refers to the practice of an Internet Service Provider (ISP) identifying Internet traffic by the combination of port number and transport protocol, and blocking it entirely. Port blocking thus affects the traffic associated with a particular combination of port number and transport protocol on that ISP, regardless of source or destination IP address. The practice can potentially prevent the use of particular applications altogether by blocking the ports those applications use. Port blocks can be deployed in a range of network locations, from where the ISP connects with other networks to datacenters and customer locations. The Internet was built around the premise of an open and shared environment. Additionally, Internet standards assume all hosts on the global Internet can connect directly to each other, on any specified port number. The practical reality is that blocking of Internet port numbers, either in the short or long term, is a technique that has been used by both wireline and wireless network providers for various reasons for over a decade.
One of the original and enduring motivations for blocking ports is to prevent network attacks and abuse associated with particular application protocols. Some network and security administrators view port blocking as a critical tool for securing systems and information, and see it as part of the ISP's mission to manage the security risk to its users from theft and destruction of personal information, business records, and other critical electronic forms of information. TCP port 25, used for sending email, is an example of a port that is blocked by some operators to prevent network abuse - such as spam email.
Port blocking has also been used to enforce ISPs' terms of service. Likewise, port blocking was once viewed as a useful tool for managing capacity and bandwidth-intensive applications such as peer-to-peer file-sharing applications on enterprise and university networks. However, increased network capacity and a variety of developments in the application space have caused most residential ISPs to seek other ways of managing capacity. Finally, though rare, port blocking has at times been used to hinder competing applications, such as voice over IP (VoIP).
Port blocking is among a set of tools and tactics (Network Address Translation (NAT) being the other major example) that can compromise the original intent of ports: to provide reliable local addresses so that end systems can manage multiple communications at once.
Port blocking can complicate application design and development and create uncertainty about whether applications will function properly when they are deployed. Port blocking can also cause applications to not function properly or "break" by preventing applications from using the ports they were designed to use. One of the outcomes of port blocking is an increase in the use of "port overloading." Port overloading is a tactic whereby application developers will design applications to use a common port, in order to minimize the chance of a port blocking practice impacting the usability of that application.
Importantly, it may not be obvious to Internet users why an application affected by port blocking is not working properly, because the application may simply be unable to connect or fail silently. If error messages are provided, they may not contain specific details as to the cause of the problem. Users may seek assistance from the ISP's customer service, online documentation, or other knowledgeable sources if they cannot diagnose the problem themselves. The fact that the problem could alternatively be caused by home networking equipment or a software-based port block complicates the process of diagnosis.
Users' ability to respond to port blocking depends on their technical sophistication and the extent to which workarounds are available. Overcoming port blocking may require the user to install a software update, change a configuration setting, request an opt-out from the ISP, or to upgrade their level of service (for example from residential to business). If these options are not available, or if users or customers lack the knowledge or willingness to pursue them, users may be prevented from using the blocked application altogether, or they may have to switch to a different application or a different network (from wireless to wireline, for example).
Because port blocking can affect how particular Internet applications function, its use has the potential to be anti-competitive, discriminatory, otherwise motivated by non-technical factors, or construed as such. As a result, the Broadband Internet Technical Advisory Group (BITAG) has a number of suggested practices when it comes to port blocking:
ISPs should avoid port blocking unless they have no reasonable alternatives available for preventing unwanted traffic and protecting users. Further, if port blocking is deemed necessary, it should only be used for the purposes of protecting the implementing ISP's network and users. Port blocking should not be used for ongoing capacity management, to enforce non-security terms of service, or to disadvantage competing applications.

ISPs that can reasonably provide to their users opt-out provisions or exceptions to their port blocking policies should do so. Whether opt-out provisions can be supported may depend on the particulars of the access network technology, the location port blocking is implemented in the network, administrative complexity, cost, and other factors.

ISPs should publicly disclose their port blocking policies. The information should be readily available to both customers and non-customers alike, and should be as informative and concise as possible. For example, port blocking policies could be provided on the ISP's public facing website, on a page dedicated to summarizing or describing the respective ISP's network management practices. For persistent port blocks the information should include: (1) port numbers, (2) transport protocol (e.g., TCP or UDP), (3) the application(s) normally associated with the port(s), (4) the direction of the block - whether inbound or outbound, (5) a brief description of the reason(s) for the block, and (6) if opt-out provisions are available and how to request such.

ISPs should make communications channels available for feedback about port blocking policies. Applications providers and consumers should have communications channels or other clear methods to discuss impacts caused by port blocking and to consider possible mitigations.
ISPs should revisit their port blocking policies on a regular basis and reassess whether the threats that required the port blocking rules continue to be relevant. Some security threats are permanent and some are transitory or short-lived. Items such as spam prevention by blocking TCP port 25 from the customer are expected to last quite some time, while others such as blocks to prevent certain types of malicious software may be temporary.

Port blocking (or firewall) rules of consumers' devices should be user-configurable. It is recommended that the documentation provided with each unit inform the consumer that port blocking or firewall rules have been implemented, which ports are blocked by default, and how consumers can modify those rules.
The Broadband Internet Technical Advisory Group (BITAG) is a non-profit, multi-stakeholder organization focused on bringing together engineers and technologists in a Technical Working Group (TWG) to develop consensus on broadband network management practices and other related technical issues that can affect users' Internet experience, including the impact to and from applications, content and devices that utilize the Internet.
The BITAG's mission includes: (a) educating policymakers on such technical issues; (b) addressing specific technical matters in an effort to minimize related policy disputes; and (c) serving as a sounding board for new ideas and network management practices. Specific TWG functions also may include: (i) identifying "best practices" by broadband providers and other entities; (ii) interpreting and applying "safe harbor" practices; (iii) otherwise providing technical guidance to industry and to the public; and/or (iv) issuing advisory opinions on the technical issues germane to the TWG's mission that may underlie disputes concerning broadband network management practices.
BITAG TWG reports focus primarily on technical issues. While the reports may touch on a broad range of questions associated with a particular network management practice, the reports are not intended to address or analyze in a comprehensive fashion the economic, legal, regulatory or public policy issues that the practice may raise.
The BITAG Technical Working Group and its individual Committees make decisions through a consensus process, with the corresponding levels of agreement represented on the cover of each report. Each TWG Representative works towards achieving consensus around recommendations their respective organizations support, although even at the highest level of agreement, BITAG consensus does not require that all TWG member organizations agree with each and every sentence of a document. The Chair of each TWG Committee determines if consensus has been reached. In the case there is disagreement within a Committee as to whether there is consensus, BITAG has a voting process with which various levels of agreement may be more formally achieved and indicated. For more information please see the BITAG Technical Working Group Manual, available on the BITAG website at www.bitag.org.
BITAG welcomes public comment. Please feel free to submit comments in writing via email at comments@bitag.org.
2. Issue Overview
The term "port blocking" refers to the practice of an Internet Service Provider (ISP) identifying Internet traffic by the combination of port number and transport protocol, and blocking it entirely. Port blocking thus affects the traffic associated with a particular combination of port number and transport protocol on an ISP, regardless of source or destination IP address. The practice can potentially prevent the use of particular applications altogether by blocking the ports those applications use. (Internet traffic may, of course, be treated in other ways, for example by redirecting it, rate limiting it, or changing its QoS classification, but such treatments are outside the scope of this report.)
Port blocking has been in use at various times by both wireline and wireless network operators for over a decade. One of the original and enduring motivations for blocking ports is to prevent network attacks and abuse associated with particular application protocols. Port blocking has also been used to enforce ISPs' terms of service - blocking inbound¹ port 80 for users² whose residential contracts prohibit them from running web servers, for example. This practice has become less common but is still in use by some operators. Likewise, port blocking was once viewed as a useful tool for managing capacity and bandwidth-intensive applications such as peer-to-peer file-sharing applications on enterprise and university networks. However, increased network capacity and a variety of developments in the application space have caused most residential ISPs to seek other ways of managing capacity. Finally, though rare, port blocking has at times been used by network operators to hinder competing applications, such as VoIP.
2.1. BITAG Interest in this Issue
Internet standards assume all hosts on the global Internet can connect directly to each other, on any specified port number. However, the practical reality is that blocking of Internet port numbers is a technique used by network providers for various reasons, either in the short term while a permanent solution is found or long term when there is no better solution. Some of these reasons relate to network or user security while others relate to business practices. Port blocking has the potential to cause unintended and unanticipated problems for the operation of applications. Its use also has the potential to be anti-competitive, discriminatory, otherwise motivated by non-technical factors, or construed as such.

¹ In this report, whether a port block is considered "inbound" or "outbound" will be in relation to the user. Please note the terms "inbound" or "outbound" are also used in this report to indicate the direction of Internet data traffic, among other things, and when used in such a manner may be in relation to the ISP, user, or application depending on the context.

² Throughout this report, the term "user" may be used somewhat interchangeably with the terms "consumer", or "customer". Please note that "customer" also refers specifically to the individual or entity that is in a contractual customer agreement with an Internet service provider (ISP), while "user" can refer to both customers and non-customers alike.
Concern has been raised that port blocking is an area of confusion for users, and a cause of friction for application developers, as there does not seem to be uniformity as to:
- Why ports are blocked,
- Which ports are blocked,
- Where ports are blocked,
- Opt-out options,
- Disclosure of port blocking policies,
- How such policies may affect application providers and consumers alike.
BITAG aims to address some of these concerns by documenting how port blocking works, the rationales behind it, its implications for different segments of the Internet ecosystem, and suggested best practices for entities that implement port blocking.
ISPs may take a different approach to port blocking depending on whom they serve. Enterprise-focused ISPs, for instance, usually do not implement port blocking as enterprise customers generally have greater security expertise and rarely create additional risk for the ISP's network. Consumer-focused networks generally implement port blocking more often, as their customers are typically less technically sophisticated and unaware of security threats and vulnerabilities. As a result, this report will focus on consumer networks.
2.2. What are Ports?
In the architecture of the Internet, communication between two systems is identified by five fields: (1) the source IP address, (2) the destination IP address, (3) the transport protocol in use, (4) the source port, and (5) the destination port used by the transport protocol [RFC793]. The pair of IP addresses representing two systems identifies all of the communication sessions between them, whereas the port number pair identifies an individual communication session.
Transport protocols, most often Transmission Control Protocol (TCP) or User Datagram Protocol (UDP), include in their header fields two numbers in the range from 0 to 65535: the "destination port" and the "source port" [RFC6335]. When an application on one device wants to communicate with an application on another device, it directs the local operating system to open a communication channel (usually called a "connection") between itself and the remote end point, and specifies the IP address (either IPv4 or IPv6), transport protocol, and port number that the service will use. Applications that can use either a UDP or TCP transport frequently use the same port number for each, but this is neither required nor assumed. For further reference, throughout the remainder of this report TCP and UDP ports will be denoted with the name of the transport protocol followed by a slash and the port number: TCP/320, for example.
By convention, most server applications "listen" on a dedicated port number. For example, in a web communication, the browser on a client system opens a TCP connection to a web server using port 80 as the destination port and a random port number as its source port. The web server, listening for incoming communication on port 80, will invert the port numbers in its response to the client's request. Thus, the web server response to the client system uses port 80 as the source port and the source port learned from the client's initial request as the destination port. In this way, computers can efficiently manage multiple sessions between peers, or between clients and servers. While many applications use standardized destination ports, others choose ports at random when they are establishing communications.
Port numbers in the range of 0 through 1023 are referred to as Well Known or System Ports [BCP165]. Over time, there has been a need to extend the number of assignable ports. User Ports in the range of 1024 through 49151 are now available for registration of services and protocols through the Internet Assigned Numbers Authority (IANA) [BCP165]. The remaining ports in the range of 49152 through 65535 are referred to as Dynamic Ports. These ports have been set aside for local or dynamic use and cannot be assigned. Client operating systems may use a port from the Dynamic Port range as the source port when originating a request, such as to a web server. The list of assigned port numbers is available from the IANA by accessing the Port Number Registry [Port Number Registry].

[Figure: web and email sessions with their port numbers. User 1 (ports 14881 and 37277) and User 2 (ports 19008 and 44555) each exchange a web page request/response with a Web Server on port 80 and an email submission/server confirmation with an Email Server on port 25.]

The procedure for obtaining a port number or otherwise updating the registry may be found in BCP 165 [BCP165].
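The following Python snippet is an added example, not code from the BITAG report, that puts the definitions of this section into code: it parses the TCP/port notation the report uses, classifies a port number into the System, User and Dynamic ranges named above, and shows how a server's reply inverts the address and port pairs of the client's request so that both directions belong to one session. The IP addresses and port numbers in the sample flows are constructed for illustration (documentation address ranges, port numbers taken from the figure), not measured data.

```python
"""Port-number helpers for the concepts in Section 2.2 of the report.
Added example, not code from the BITAG report.  Addresses and ports in the
sample flows are constructed (documentation ranges), not measured data."""
from dataclasses import dataclass

# Range boundaries as stated in the text (BCP 165).
SYSTEM_MAX = 1023     # 0..1023      System / Well Known ports
USER_MAX = 49151      # 1024..49151  User ports (registered through IANA)
PORT_MAX = 65535      # 49152..65535 Dynamic ports (never assigned)


def port_range(port: int) -> str:
    """Name the IANA range a port number falls in; reject impossible values."""
    if not 0 <= port <= PORT_MAX:
        raise ValueError(f"port {port} is outside 0..{PORT_MAX}")
    if port <= SYSTEM_MAX:
        return "System"
    if port <= USER_MAX:
        return "User"
    return "Dynamic"


def parse_port_spec(spec: str) -> tuple:
    """Parse the report's 'TCP/25' notation into ('TCP', 25)."""
    proto, sep, num = spec.strip().partition("/")
    proto = proto.upper()
    if not sep or proto not in ("TCP", "UDP") or not num.isdigit():
        raise ValueError(f"malformed port specification {spec!r}")
    port = int(num)
    port_range(port)          # raises if the number cannot be a port
    return proto, port


@dataclass(frozen=True)
class Flow:
    """The five fields that identify one direction of a communication [RFC793]."""
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int

    def reply(self) -> "Flow":
        """A server's response inverts the address pair and the port pair."""
        return Flow(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)

    def session_key(self) -> tuple:
        """Direction-independent identifier: a request and its reply share it."""
        ends = sorted([(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)])
        return (self.proto, ends[0], ends[1])


def count_sessions(flows) -> int:
    """Number of distinct sessions among the given unidirectional flows."""
    return len({f.session_key() for f in flows})


# Constructed sample mirroring the figure: two users, a web server on TCP/80
# and an email server on TCP/25, each request followed by its reply.
USER1, USER2 = "192.0.2.10", "192.0.2.20"
WEB, MAIL = "198.51.100.5", "198.51.100.25"
_requests = [
    Flow(USER1, WEB, "TCP", 14881, 80),
    Flow(USER1, MAIL, "TCP", 37277, 25),
    Flow(USER2, WEB, "TCP", 19008, 80),
    Flow(USER2, MAIL, "TCP", 44555, 25),
]
SAMPLE_FLOWS = [f for req in _requests for f in (req, req.reply())]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} "
              f"(src {port_range(f.src_port)}, dst {port_range(f.dst_port)})")
    print("distinct sessions:", count_sessions(SAMPLE_FLOWS))
```

Run stand-alone, the block prints the eight unidirectional flows with the range of each port and reports four distinct sessions, which is the point of the text: the address pair groups everything between two hosts, and only the port pair separates one session from another.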
It is also possible, and common, to use unassigned port numbers. This happens when an application is in development or is used only in a confined domain, or is "port-agile" in the sense that it is designed to intelligently use any available port number. Port-agile applications may be benign; Skype and other peer-to-peer applications are often port-agile [Skype FAQ]. Traffic created by Distributed Denial of Service (DDoS) attacks and malicious software (known as malware) is also often port-agile or uses a wide range of ports [SANS].
2.3. What is Port Blocking?
As noted in Section 2 above, port blocking is when traffic is identified and blocked on the basis of the combination of transport protocol and port number. Port blocking can be conducted by ISPs, enterprises, or on customer equipment in the home. Because some applications are designed (or were originally designed) to run only over specific ports, a network that blocks those ports prevents those applications from sending traffic unless the applications are redesigned or reconfigured to use different ports.
As an example, the Simple Mail Transfer Protocol (SMTP) was originally designed to use a destination port of TCP/25 [RFC788]. Malware that sends "spam" email frequently does so directly from the infected system to the target, while legitimate email often uses ISP or enterprise email servers as intermediaries. Therefore a common method used to minimize spam is for the access network provider to block traffic from its users that has TCP/25 as its destination port, unless that traffic is directed to one of the ISP's email servers. Users whose email clients are affected by these blocks must reconfigure their clients to use another port.
Port blocking is generally ineffective against port-agile applications or traffic. Applications that use randomized ports or different ports per user or per instance of the application cannot effectively be stopped with port blocking.
Network administrators and home users have a variety of techniques at their disposal for preventing unwanted communications to and from the Internet. For example, traffic coming into an ISP's network might be blocked on the basis of its source IP address (a practice known as Ingress Filtering) to prevent spoofing or to block email sessions that do not traverse the ISP's email servers as a means to prevent spam [RFC2827]. Using a firewall is another technique and provides the ability to block traffic based on different criteria such as source or destination IP address, transport protocol, port numbers, some application-layer criteria, or a combination of these elements. Firewalls come in a variety of types and may be installed on user devices (computers, home routers, etc.) or in the network by enterprises or ISPs. Finally, enterprises or WiFi hotspots may prevent all Internet traffic from coming in or out of their networks unless the traffic flows through an HTTP proxy on the network. The most common reason to adopt these techniques is to prevent network attacks and abuse, although they may be used for other purposes (parental or employee controls or capacity management, for example).
Port blocking is distinct from Network Address Translation (NAT), but both can have similar effects on applications. NAT was originally designed to help network operators cope with the scarcity of IPv4 addresses by allowing multiple end devices to share a single public IP address. NAT has been deployed within home networking equipment for years, and is now being deployed with increasing frequency within ISPs' networks (where it is known as Large-Scale NAT or LSN) during the transition from IPv4 to IPv6 [BITAG Large Scale NAT Report].
NAT, by its nature, blocks all unsolicited inbound communication into the network. This is because, with multiple devices sharing the same public IP address, a NAT device does not know which user to send inbound traffic to unless (1) there has been recent outbound traffic using the same address and port, or (2) the NAT device has been pre-configured with a rule on how to map the combination of an external address and port to a corresponding internal address and port. Thus, when a NAT device receives traffic with any source/destination port combination for unknown mappings, then that traffic will be blocked. From the perspective of an application, this effect can be similar to a port block that blocks traffic on the inbound ports the application is designed to use - the application traffic will not reach the user. If the use of LSN continues to become more prevalent, applications may continue to experience these kinds of blockages, without it being obvious to the application provider (or the user) whether the difficulties are caused by port blocking, LSN, or some other functionality in the network or the home.
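As an added example (not from the report and not any vendor's NAT implementation), the following Python model shows the two conditions described above under which a NAT device can forward inbound traffic: a recent outbound flow that created a mapping, or a pre-configured rule. Everything else arriving on the public address is dropped, which is what makes NAT look like an inbound port block to an application. The addresses, the idle timeout and the fake clock are assumptions chosen so the example runs offline and reproducibly.

```python
"""Toy model of the NAT behaviour described above: a mapping created by
outbound traffic, a pre-configured (static) rule, and everything else dropped.
Added example, not from the report or any NAT implementation.  The addresses,
the idle timeout and the fake clock are constructed for illustration."""
from typing import Optional, Tuple

Endpoint = Tuple[str, int]


class FakeClock:
    """Deterministic clock so mapping expiry can be demonstrated offline."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class Nat:
    def __init__(self, public_ip: str, idle_timeout: float, clock) -> None:
        self.public_ip = public_ip
        self.idle_timeout = idle_timeout
        self.clock = clock
        self.next_port = 49152   # external ports allocated from the Dynamic range
        self.dynamic = {}        # (proto, ext_port) -> [int_ip, int_port, last_seen]
        self.static = {}         # (proto, ext_port) -> (int_ip, int_port)

    def add_static_rule(self, proto: str, ext_port: int, int_ip: str, int_port: int) -> None:
        """Condition (2): operator pre-configures an external -> internal mapping."""
        self.static[(proto, ext_port)] = (int_ip, int_port)

    def outbound(self, proto: str, int_ip: str, int_port: int) -> Endpoint:
        """Translate an outbound packet, creating or refreshing its mapping.
        Returns the external (ip, port) the packet leaves with."""
        for (p, ext_port), entry in self.dynamic.items():
            if p == proto and (entry[0], entry[1]) == (int_ip, int_port):
                entry[2] = self.clock()          # refresh: condition (1) stays true
                return self.public_ip, ext_port
        ext_port = self.next_port
        self.next_port += 1
        self.dynamic[(proto, ext_port)] = [int_ip, int_port, self.clock()]
        return self.public_ip, ext_port

    def inbound(self, proto: str, ext_port: int) -> Optional[Endpoint]:
        """Return the internal endpoint for an inbound packet, or None (dropped)."""
        if (proto, ext_port) in self.static:
            return self.static[(proto, ext_port)]
        entry = self.dynamic.get((proto, ext_port))
        if entry is None:
            return None                          # unsolicited: no one to deliver to
        if self.clock() - entry[2] > self.idle_timeout:
            del self.dynamic[(proto, ext_port)]  # mapping aged out
            return None
        return entry[0], entry[1]


def demo() -> dict:
    """Walk through the cases in the text; returns the outcomes for checking."""
    clock = FakeClock()
    nat = Nat("203.0.113.1", idle_timeout=120.0, clock=clock)   # constructed public IP
    out = {}
    out["unsolicited_smb"] = nat.inbound("TCP", 445)      # nothing mapped -> dropped
    ext = nat.outbound("TCP", "10.0.0.5", 40000)          # inside host opens a session
    out["external"] = ext
    out["reply"] = nat.inbound("TCP", ext[1])             # reply follows the mapping
    nat.add_static_rule("TCP", 8080, "10.0.0.7", 80)      # operator-configured rule
    out["static"] = nat.inbound("TCP", 8080)
    clock.advance(200.0)                                  # longer than idle_timeout
    out["stale"] = nat.inbound("TCP", ext[1])             # mapping gone -> dropped
    out["static_after"] = nat.inbound("TCP", 8080)        # static rule unaffected
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:16} {value}")
```

The model is deliberately minimal: real NAT devices differ in how they key mappings and in timeout behaviour, but the observable effect for an application listening inside the network is the same as in the text: without a preceding outbound packet or a configured rule, its inbound traffic never arrives.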
2.5. IPv6 and Port Blocking
Operationally, network operators have not yet seen widespread security threats or abuse in IPv6 networks, and at this writing there has yet to be significant consumer or enterprise use of IPv6. If needed, port blocking can be implemented in IPv6 as in IPv4, in which case the recommendations of this report apply.
3. Motivations for and Implementation of Port Blocking
Port blocking is a tool commonly used by ISPs, but the use of that tool can vary dramatically from ISP to ISP. Many ISPs use port blocking to protect their customers from security threats, but some have used it to block high bandwidth or competing applications. Some networks block the ports of all of their customers, some allow opt-out and some do not implement port blocking at all. Understanding the more common applications of port blocking, the differences in customer bases, and how some ISPs implement port blocking will help to illustrate why some ISPs see port blocking as necessary and why to date there has been little uniformity when it comes to port blocking policies and practices.

3.1. Mitigating Known Vulnerabilities or Issues

The ports most commonly blocked on the Internet today are the result of known vulnerabilities in applications running on well-known ports. ISPs deploy port blocking most often as a defense to known security vulnerabilities, easily exploited applications, or as a means to discourage the abuse of legacy protocols when newer standards emerge. The use of port blocking in these instances typically involves a determination by the ISP that the benefit of protecting users or the network from these security risks outweighs any negative impacts upon users. Another common rationale for the use of port blocking is to block traffic unwanted by the ISP's users, e.g., in denial-of-service attacks where a user can be overwhelmed by maliciously generated and unwanted traffic.

Netalyzr is a free web-based measurement tool created and managed by the Networking Group at the International Computer Science Institute that performs network testing and analysis [Netalyzr]. Service reachability, one of the tests included in this tool's suite, attempts to ascertain which ports a service provider blocks by attempting to connect on 25 well-known ports.
A report published in 2010 based on 130,000 test sessions showed that four well-known ports are blocked by a significant percentage of broadband service providers [Netalyzr2010]. Those ports are as follows:

Service   Port
SMTP      TCP/25
RPC       TCP/135
NetBIOS   TCP/139
SMB       TCP/445
The rationale for blocking each of the ports listed above is described in turn below, along with the rationale for other commonly blocked ports such as: TCP/161 and UDP/161 for Simple Network Management Protocol (SNMP); other network management ports; and finally TCP/80 for Hypertext Transfer Protocol (HTTP).

3.1.1. Simple Mail Transfer Protocol (SMTP) – TCP/25

One of the best-known uses of port blocking by ISPs is for TCP/25. The Simple Mail Transfer Protocol, SMTP, was originally designed to send electronic mail from one system to another using TCP/25 in an untrusted manner using the Internet Protocol. SMTP is used to send messages from a mail client to a mail server, as well as between mail servers. Mail clients use a separate protocol to retrieve messages from mail servers. Most users today do not send their email via TCP/25 since more secure mechanisms have evolved. However, since the original design of SMTP an increasing amount of spam email has been transmitted using TCP/25, often providing false information about the email address of the email client. In addition, malware is often transmitted using TCP/25. Computer viruses designed specifically to send spam in this manner, as illustrated in Figure 2, represent a significant threat to the functionality of the Internet and to ISP operations as well. Service providers are further incentivized to either block or at least monitor for nefarious activity on TCP/25 as a means to prevent their respective customer IP address spaces from being placed on email blacklists. Blacklisting ISP address space prevents customers in that address range from sending mail to a large percentage of email destinations, as many ISPs prohibit the receipt of email from blacklisted source IP addresses.
To combat these security issues, Internet standards for SMTP have evolved. The standards now support communication using alternative ports, including TCP/587, and support using authentication to ensure that the email client identifies itself correctly and is an authorized sender [RFC6409]. The Internet Engineering Task Force (IETF) further recommends that communication from email clients to mail servers transition from TCP/25 to authenticated TCP/587, and that mail servers should similarly authenticate all email, even if received on a different port [RFC5068]. However, Internet standards continue to rely on TCP/25 for forwarding of email between mail servers [RFC6409].

[Figure 2: Spam across unblocked TCP/25. Diagram labels recoverable from the extraction: Mail Server, Botnet Controller, Spam target, Service Provider Network, Steps 1 to 4.]

An industry trade group has gone further by recommending that ISPs block outbound TCP/25 from all machines on the ISP's network other than the ISP's own mail servers and block inbound TCP/25 traffic, which can thereby reduce the transmission of spam from infected computers through mail servers outside the ISP's network [M3AAWG Port 25 Recommendation]. It is important to note that the blocking of SMTP on TCP/25 does not prohibit the customer from sending email. Customers are generally instructed how to configure their mail clients to use the viable alternative ports, such as TCP/587 for email submission. However, the IETF notes that blocking of outbound TCP/25 can be problematic for some users and that there are alternative established practices for controlling abuse of port 25, including the use of proxies and/or rate limits, and thus offers no recommendation concerning the blocking of TCP/25 [RFC5068].
In addition, blocking TCP/25 not only blocks communication between email clients and servers on TCP/25, but may also prohibit the ISP's users from running their own mail servers. Most Internet service providers implement outbound TCP/25 blocking adjacent to the customer's point of connectivity to the network as illustrated in Figure 3, in order to prevent sending of spam SMTP mail from customer computers, while some service providers only block outbound TCP/25 for those customers suspected of sending spam. Some service providers may also implement inbound TCP/25 blocking to prohibit SMTP traffic directed toward the ISP's users from sources outside the ISP's network. Some service providers that block TCP/25 will remove this block for individual users upon request (by the customer), while others will not.
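The following Python example is added here and is neither BITAG's text nor any ISP's real policy. It expresses a port-blocking policy as data carrying the six disclosure fields the Executive Summary recommends for persistent blocks (port, transport protocol, application, direction, reason, opt-out), evaluates it over constructed flow records in the way the SMTP discussion above describes (outbound TCP/25 blocked unless the destination is one of the ISP's own mail servers, TCP/587 submission left open, an opt-out honoured per customer, inbound TCP/25 blocked without opt-out), and renders the disclosure table. The rule set, the addresses and the opt-out list are assumptions; the last sample flow also shows that traffic on an unlisted port passes, which is why the text says port-agile traffic is not stopped by such rules.

```python
"""An ISP port-blocking policy expressed as data, with the six disclosure
fields the report recommends, and an evaluator over flow records.
Added example: not BITAG's text and not any ISP's actual policy.  Rules,
addresses and the opt-out list are constructed assumptions."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class BlockRule:
    port: int
    proto: str
    application: str
    direction: str           # "outbound" or "inbound", relative to the user
    reason: str
    opt_out: bool            # whether a customer may request an exception
    exempt_destinations: FrozenSet[str] = frozenset()   # e.g. ISP's own mail servers


# Constructed policy modelled on the practices described in the text.
ISP_MAIL_RELAY = "203.0.113.25"
POLICY = [
    BlockRule(25, "TCP", "SMTP", "outbound", "spam sent directly by infected hosts",
              True, frozenset({ISP_MAIL_RELAY})),
    BlockRule(25, "TCP", "SMTP", "inbound", "spam delivery to customer hosts", False),
    BlockRule(135, "TCP", "MS RPC", "inbound", "worm propagation (Blaster-class)", False),
    BlockRule(139, "TCP", "NetBIOS", "inbound", "exposure of home file/printer sharing", False),
    BlockRule(445, "TCP", "SMB", "inbound", "exposure of home file/printer sharing", False),
]
OPTED_OUT = {"192.0.2.77"}   # constructed: a customer granted an exception on request


@dataclass(frozen=True)
class FlowRecord:
    user_ip: str
    remote_ip: str
    proto: str
    direction: str           # "outbound": user -> remote, "inbound": remote -> user
    dst_port: int            # destination port of the packet in that direction


def evaluate(flow: FlowRecord, policy=POLICY, opted_out=OPTED_OUT) -> Tuple[str, Optional[BlockRule]]:
    """Return ('block' or 'allow', the matching rule or None)."""
    for rule in policy:
        if (rule.proto, rule.port, rule.direction) != (flow.proto, flow.dst_port, flow.direction):
            continue
        if flow.direction == "outbound" and flow.remote_ip in rule.exempt_destinations:
            return "allow", rule          # traffic to the ISP's own mail server
        if rule.opt_out and flow.user_ip in opted_out:
            return "allow", rule          # customer has requested an exception
        return "block", rule
    return "allow", None                  # no rule for this port: traffic passes


def disclosure(policy=POLICY) -> str:
    """Render the six fields a persistent-block disclosure should carry."""
    rows = ["port | protocol | application | direction | reason | opt-out"]
    for r in policy:
        rows.append(f"{r.port} | {r.proto} | {r.application} | {r.direction} | "
                    f"{r.reason} | {'yes, on request' if r.opt_out else 'no'}")
    return "\n".join(rows)


# Constructed flows exercising each branch of the evaluator.
SAMPLES = [
    FlowRecord("192.0.2.10", "198.51.100.20", "TCP", "outbound", 25),    # direct to a remote MX: block
    FlowRecord("192.0.2.10", ISP_MAIL_RELAY, "TCP", "outbound", 25),     # via the ISP relay: allow
    FlowRecord("192.0.2.10", "198.51.100.20", "TCP", "outbound", 587),   # submission port: allow
    FlowRecord("192.0.2.77", "198.51.100.20", "TCP", "outbound", 25),    # opted-out customer: allow
    FlowRecord("192.0.2.77", "198.51.100.20", "TCP", "inbound", 25),     # inbound has no opt-out: block
    FlowRecord("192.0.2.10", "198.51.100.20", "TCP", "inbound", 445),    # SMB from outside: block
    FlowRecord("192.0.2.10", "198.51.100.20", "UDP", "inbound", 51234),  # unlisted port: allow
]


def verdicts(flows=SAMPLES):
    """Verdict for each sample flow, in order."""
    return [evaluate(f)[0] for f in flows]


if __name__ == "__main__":
    print(disclosure())
    for f, v in zip(SAMPLES, verdicts()):
        print(f"{v:5} {f.direction:8} {f.proto}/{f.dst_port} user={f.user_ip} remote={f.remote_ip}")
```

Keeping the rule and its disclosure fields in one record means the published policy page and the enforcement configuration cannot drift apart, and the reason field gives the periodic review the report recommends something concrete to reassess.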
Another well-known port that many ISPs block is TCP/135, associated with Microsoft's Remote Procedure Call (MS RPC). MS RPC utilizes TCP/135 and UDP/135 for communication between clients and servers and between clients and other clients. Vulnerabilities in Microsoft's RPC code were exploited by a number of large-scale Internet viruses including the Blaster and Reatle worms. The mechanism was also exploited as a means of delivering spam using popup messages. The impact of the Blaster worm in 2003 was large enough to negatively impact a number of ISP networks. As a result many ISPs implemented TCP/135 and UDP/135 blocking as a defensive measure to prevent their customers from propagating the virus.

3.1.3. NetBIOS and SMB – TCP/139 and TCP/445
Two additional well-known ports that many ISPs block are TCP139 and TCP445. NetBIOS and Server Message Block (SMB), two services associated with the Microsoft operating system, use these ports.
The NetBIOS service was originally developed for the IBM Personal Computer and was later adopted by Microsoft's MS-DOS operating system and subsequent versions of the Microsoft Windows software. NetBIOS was originally a Local Area Network service and later extended to support TCP/IP for Internet operation [RFC1001] [RFC1002]. NetBIOS includes naming, connection-oriented and connectionless services, and promotes communication among trusted network devices including file sharing, printer sharing, etc. NetBIOS utilizes UDP137 and UDP138 as well as TCP139 for communication. TCP139 applies specifically to the session connectivity service provided in the NetBIOS protocol suite.
The SMB protocol operating on TCP445 is typically considered in the same category as NetBIOS based on its use in Microsoft Windows software. The SMB protocol is closely associated with NetBIOS for file and printer sharing among a group of computers running the Microsoft Windows OS. Security vulnerabilities have been found with both SMB and NetBIOS that allow remote users to gain control or execute malware on unprotected computers in home networks. Combined with the fact that these protocols are predominately used for communication among devices within the home network and not for sharing of services over the Internet, many operators have chosen to block communication directed to these ports to protect customer computers from malicious actors external to their network. Some service providers block both inbound and outbound ports in these ranges, while other service providers do not block these ports at all. If these ports are blocked, then a user will find that file and printer sharing will be more difficult to accomplish to or from a remote destination. There are alternative remedies to blocking these ports, most notably through operating system patches and through direct control over these ports by each user on each of their computers; however, many users do not apply security patches in a timely fashion and do not properly configure ports on their computers.
Simple Network Management Protocol (SNMP) has been subject to widespread abuse, particularly for amplification DDoS attacks that take advantage of the relative ease of spoofing the source address of UDP packets, and is blocked by some ISPs. Please refer to a recent BITAG paper for more information on SNMP abuse [BITAG SNMP Report].

3.1.4. Network Management Ports
Another category of ports blocked by some ISPs is that which carries network management traffic, which can be considered harmful or deemed inappropriate when originating from a customer, unless explicitly permitted by the ISP. Protocols that fall into this category include routing protocols or network management protocols originating from the customer's equipment and directed upstream toward the ISP's router. Examples of these protocols include Dynamic Host Configuration Protocol (DHCP) and Routing Information Protocol (RIP). DHCP for IPv4 operates on UDP67 and UDP68. DHCP for IPv6 operates on UDP546 and UDP547. RIP operates on UDP520. Some ISPs implement port blocks that are strictly designed to prohibit a customer's misconfigured network device from impersonating an ISP's DHCP server. Similarly, ISPs may implement port blocks to prevent a customer's network device from attempting to use the RIP protocol directed at the ISP. In both the DHCP and RIP use cases, the customer's traffic is directed at the ISP's network equipment and not the Internet. The blocking of these ports is unlikely to have a negative impact on users.

3.1.5. Terms of Service Enforcement
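The DHCP case above is a detection problem as much as a blocking one: a DHCP server's OFFER and ACK messages are BOOTREPLY packets (op=2) sent from UDP67 to UDP68 [RFC2131], whereas a customer should only ever originate BOOTREQUEST (op=1) packets toward UDP67. The following is an added example, not code from the BITAG report, that parses the BOOTP header and DHCP options and flags a server reply arriving from the customer side of an interface. The interface role is supplied by the caller (an assumption about how the capture tags ingress), and the packets are constructed inside the block.

```python
"""Flag a customer device impersonating the ISP's DHCP server.

Added example; not from the BITAG report. A DHCP server reply is a
BOOTREPLY (op=2) from UDP67 to UDP68 [RFC2131]. On a customer-facing
interface an ISP expects to see only BOOTREQUEST (op=1) from
customers, so a BOOTREPLY arriving from the customer side indicates a
rogue DHCP server. `from_customer_side` is an assumption about how the
capture path labels the ingress interface.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"       # RFC2131 magic cookie that starts the options field
BOOTREQUEST, BOOTREPLY = 1, 2
DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PAD, OPT_END = 53, 54, 0, 255


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the TLV option list (RFC2131)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    op, htype, hlen, hops = struct.unpack("!BBBB", payload[:4])
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = ".".join(str(b) for b in payload[16:20])  # address offered to the client
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        length = payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": options}


def is_rogue_dhcp_reply(src_port: int, dst_port: int, payload: bytes,
                        from_customer_side: bool) -> bool:
    """True if a DHCP server reply is seen arriving from the customer side."""
    if not from_customer_side:
        return False
    if src_port != DHCP_SERVER_PORT or dst_port != DHCP_CLIENT_PORT:
        return False
    try:
        msg = parse_dhcp(payload)
    except ValueError:
        return False
    return msg["op"] == BOOTREPLY


def build_dhcp(op: int, xid: int, yiaddr: str, msg_type: int,
               server_id: str = None) -> bytes:
    """Construct a minimal DHCP packet (constructed sample data for the example)."""
    hdr = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)   # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\x00" * 4                                         # ciaddr
    hdr += bytes(int(x) for x in yiaddr.split("."))           # yiaddr
    hdr += b"\x00" * (236 - len(hdr))                          # siaddr, giaddr, chaddr, sname, file
    opts = DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + bytes(int(x) for x in server_id.split("."))
    return hdr + opts + bytes([OPT_END])


if __name__ == "__main__":
    # Constructed traffic: a DHCPOFFER (msg type 2) originating on the customer side.
    offer = build_dhcp(BOOTREPLY, 0x1234, "192.0.2.10", 2, server_id="192.0.2.1")
    print("rogue reply from customer side:", is_rogue_dhcp_reply(67, 68, offer, True))
    discover = build_dhcp(BOOTREQUEST, 0x1234, "0.0.0.0", 1)
    print("customer DISCOVER flagged:", is_rogue_dhcp_reply(68, 67, discover, True))
```

The port check alone is not sufficient: a client DISCOVER travels 68 to 67, so it never matches, but a misbehaving device could also send from 67 to 68 with op=1, which is why the op field is checked after parsing.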
Some ports are blocked to enforce an ISP's terms of service. The most common example of this type of port blocking concerns Hypertext Transfer Protocol (HTTP), an application protocol widely used on the World Wide Web to request and to transmit web pages. HTTP was standardized by the IETF and the World Wide Web Consortium, and is most commonly used over TCP80 [RFC2616]. Blocking inbound TCP80 prevents a customer from hosting a web page, but does not prevent the customer from surfing the web.
HTTP can use a number of ports, but TCP80 is the default port and most commonly used. A user's web browser thus usually transmits requests for web pages to the remote server using a destination port of TCP80, and the server's responses travel back from source port TCP80 to the ephemeral port the browser chose for the connection. An inbound block on destination port TCP80 therefore does not affect the pages a customer receives.
ISPs that block inbound TCP80 commonly justify the practice as either a security concern or enforcement of their terms of service. The common security justification is that blocking inbound TCP80 stops malicious traffic, such as the Code Red worm, that attempts to infect a computer through this port. The terms of service justification is that blocking inbound TCP80 prevents users from running web servers, which may be prohibited by the ISP's terms of service for consumer-grade Internet access.
However, both justifications have weakened over the past few years. The security concern for TCP80 can be addressed by proper configuration of the user's firewall and/or computer operating system, and thus many ISPs no longer block TCP80. While many ISPs previously used their respective terms of service to prohibit consumers from running web servers, either to manage upstream capacity or to differentiate consumer Internet access from business Internet access, some ISPs now use different methods to differentiate services. Thus, blocking of inbound TCP80 was previously more common than it is today, and most ISPs no longer block TCP80 [Netalyzr].

3.2. Alternatives to Port Blocking
As the above sections have demonstrated, there are a variety of different circumstances and security threats that may provide motivations for ISPs to institute port blocking. As such, the alternative approaches available for resolving any particular problem will depend on the problem itself. For example, many of the vulnerabilities discussed above could also be resolved by applying software updates, patching operating systems, installing consumer firewalls, or upgrading home equipment. However, these alternative solutions cannot typically be implemented rapidly at a large scale, and in many cases are outside the control of the ISP. Whether consumers or ISPs pursue these alternative solutions, and whether the alternatives effectively reduce the risks that could otherwise be mitigated by port blocking, depends on the ease-of-use and costs of the alternatives.

3.3. Persistent Versus Temporary Blocking
Port blocking can be implemented temporarily on a short-term basis or persistently for an extended duration. Temporary blocking is usually done for security reasons, with the block typically remaining in place until the security threat is eliminated or substantially lessened. The vulnerability can be eliminated or reduced over time through software updates to the vulnerable devices, changes in technology or elimination of deprecated equipment. The time scale seen for temporary blocks ranges from hours to weeks.
In some cases it may prove impractical or impossible to remove these temporary port blocks. The examples of port blocking detailed above in Section 3.1 are temporary tactical blocks that evolved into persistent blocks, with durations now measured in years. These persistent blocks address known vulnerabilities that, for various reasons, either cannot or will not be corrected in the near future. Some of these vulnerabilities can only be addressed through fundamental architectural redesign of the Internet.
As noted in Section 2.1, ISPs may take a different approach to port blocking depending on the type of customers they serve, or the type of network they run. It is important to understand that ISPs implement port blocking to different extents on different types of networks.
Enterprise-focused ISPs generally implement little to no port blocking due to the technical sophistication of their enterprise customers, while consumer-focused networks generally implement port blocking more often, as their customers are typically less technically sophisticated and unaware of security threats and vulnerabilities.
For a number of reasons, cellular operators are more sensitive than wireline operators to attacks and abuse that create large traffic volumes. As a result, some wireless carriers may be more aggressive than wireline carriers in their use of security mitigation tactics, including port blocking, because: (1) cellular data networks generally have less available bandwidth than wireline broadband networks, due to the limitations of radio; (2) wireless devices have limited battery power to expend on the additional processing required to defend against traffic created through attacks or abuse; and (3) wireless customers are more often subject to usage-based billing plans, where they are charged for the amount of data used.

3.4. Where do Port Blocks Occur?
Port blocking can be implemented at many different places in the network path. In a residential network, the most common places are typically located at the:
(1) Service Provider's Network Interconnection Links between ISPs
(2) Service Provider's Customer Facing Network Links
(3) Customer Premises Equipment (CPE)
With communications occurring in two directions (to and from the device), blocking can also be directional. Port blocking policies can, and often do, distinguish between inbound and outbound traffic. Since the session is identified by a pair of addresses and a pair of port numbers, and traffic from a client to a server always uses the identifying port number as its destination port, it is straightforward to prevent sessions in one direction while permitting them in the other.

3.4.1. Network Interconnection Port Blocks
The first common location port blocking can be implemented in an ISP's network is at the network interconnection links to other ISPs. Blocking inbound traffic at this location removes the ability of sources outside the ISP's network to send traffic on these ports to the ISP's users. Blocking outbound traffic on specific ports at this location removes the ability of the ISP's users to send traffic on these ports to destinations outside the ISP's network. However, neither inbound nor outbound port blocking at this location removes the ability of the ISP's users to send traffic on these ports to other users of the same ISP.
From an ease of management perspective, this is the best location in the ISP's network for implementation as it is the quickest to deploy because it requires the fewest number of interfaces to provision and manage. Blocking at the network interconnect links effectively protects against external threats because it impacts all of the external traffic.
As shown in Figure 4 however, the implementation of port blocking at these locations does not protect the ISP's customers from one another. In addition, these links are also typically large capacity links, and while today's routers are capable of implementing port blocking without a performance impact, historically that has not always been the case.
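To make the directional reasoning of Section 3.4 and the interconnect limitation of Section 3.4.1 concrete, the following added example (not code from the BITAG report) evaluates an illustrative block policy against flow tuples as if the rules were applied at the ISP's interconnection links. Direction is derived from which end of the flow sits in the customer prefix, and a rule matches only the destination port, so the reverse half of a permitted session is never touched and customer-to-customer traffic is never seen. The customer prefix, the exempt mail-server range and the policy itself are assumptions using RFC 5737 documentation addresses.

```python
"""Directional port-block policy evaluated against flow tuples.

Added example; not code from the BITAG report. A session is identified by
two addresses and two ports, and a client-to-server session carries the
service's well-known port as its destination port, so matching the
destination port of traffic in one direction blocks sessions opened in
that direction while leaving the reverse direction alone. Rules are
evaluated as at the ISP's interconnection links, so customer-to-customer
traffic is classed "internal" and never matched. Prefixes are RFC 5737
documentation ranges chosen for this example; the policy is illustrative.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class BlockRule:
    port: int
    transport: str                 # "tcp" or "udp"
    direction: str                 # "outbound": customer -> Internet; "inbound": Internet -> customer
    application: str               # service normally associated with the port
    reason: str                    # reason an ISP would publish for the block
    opt_out_allowed: bool = False  # whether a customer may request an exception
    exempt_dsts: list = field(default_factory=list)  # CIDRs the block does not apply to


CUSTOMER_PREFIX = ip_network("198.51.100.0/24")  # assumed ISP customer address space

# Illustrative policy modelled on the blocks discussed in Section 3.1.
POLICY = [
    BlockRule(25, "tcp", "outbound", "SMTP", "spam from infected hosts",
              opt_out_allowed=True, exempt_dsts=["192.0.2.0/28"]),  # assumed ISP mail servers
    BlockRule(135, "tcp", "inbound", "MS RPC", "RPC worms such as Blaster"),
    BlockRule(445, "tcp", "inbound", "SMB", "file and printer sharing exploits"),
    BlockRule(520, "udp", "outbound", "RIP", "routing updates aimed at ISP routers"),
]


def direction_of(src: str, dst: str) -> str:
    """Classify a packet relative to the ISP's customers."""
    src_is_customer = ip_address(src) in CUSTOMER_PREFIX
    dst_is_customer = ip_address(dst) in CUSTOMER_PREFIX
    if src_is_customer and not dst_is_customer:
        return "outbound"
    if dst_is_customer and not src_is_customer:
        return "inbound"
    return "internal"  # customer to customer: never crosses the interconnect


def evaluate(flow: dict, policy=POLICY, opted_out=frozenset()):
    """Return ("block" | "allow", matching rule or None) for the opener of a flow.

    flow: {"src", "dst", "proto", "dport"}. The source port is irrelevant
    because the destination port identifies the service being contacted.
    """
    direction = direction_of(flow["src"], flow["dst"])
    for rule in policy:
        if (rule.transport, rule.port, rule.direction) != (flow["proto"], flow["dport"], direction):
            continue
        customer = flow["src"] if direction == "outbound" else flow["dst"]
        if rule.opt_out_allowed and customer in opted_out:
            return "allow", rule   # per-customer opt-out (Section 3.5)
        if any(ip_address(flow["dst"]) in ip_network(cidr) for cidr in rule.exempt_dsts):
            return "allow", rule   # e.g. the ISP's own mail servers on TCP25
        return "block", rule
    return "allow", None


def disclosure(policy=POLICY):
    """Render each persistent block in the form an ISP would publish."""
    return [
        f"{r.transport.upper()}{r.port} {r.direction} ({r.application}): {r.reason}; "
        f"opt-out {'available' if r.opt_out_allowed else 'not available'}"
        for r in policy
    ]


if __name__ == "__main__":
    # Constructed flows: a customer sending mail directly to an outside server,
    # and that server's reply, which carries 25 as its *source* port only.
    for f in [
        {"src": "198.51.100.7", "dst": "203.0.113.9", "proto": "tcp", "dport": 25},
        {"src": "203.0.113.9", "dst": "198.51.100.7", "proto": "tcp", "dport": 40000},
        {"src": "198.51.100.7", "dst": "198.51.100.8", "proto": "tcp", "dport": 445},
    ]:
        print(f, "->", evaluate(f)[0])
    print("\n".join(disclosure()))
```

The third constructed flow (customer to customer on TCP445) is allowed even though an inbound TCP445 block exists, which is exactly the gap Figure 4 describes; closing it requires rules at the customer aggregation routers or in the CPE instead.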
The second common location to implement port blocking in an ISP's network is at the customer aggregation routers on the customer facing links. The effect of blocking traffic at this location varies depending on the type of network. In some networks inbound port blocking will prevent any traffic on that port from reaching the customer, while in other networks it will allow traffic from only other customers in that local area. Likewise in some networks an outbound block will prevent all outbound traffic on that port and in others will still allow outbound traffic on that port to other customers in that area. In contrast to the first location described above, port blocking at this second location requires blocking on substantially more interfaces.

[Figure diagram: Service Provider Network with a Mail Server, a BOTNET Controller, Spam Targets, Inter-connect Routers, Edge Routers and CPE; a BOTNET Computer (or Zombie) sends Spam Outbound on TCP/25. Step 1: Inbound control or outbound bot check-in. Step 2: SPAM sent to Mail Servers. Step 3: Mail Servers place SPAM in Mail box. Step 4: Users receive SPAM.]
Management of the port blocking policy is more complex and time consuming at this location due to the increased number of interfaces, but it has historically had less (or no) impact on the performance of the network as these interfaces are lower capacity. If port blocking is intended to address security concerns, then the primary reason many ISPs have chosen this location to implement port blocking is that it provides more protection to customers than the interconnection link location, and provides good-to-adequate protection against malicious customers that would harm or burden the network. This location allows the ISP to both protect the customer from threats on the Internet and protect the Internet from threats from customers, as seen in Figure 5.
The third location where port blocking is commonly implemented in an ISP's network is within customer premises equipment (CPE), e.g., cable or DSL modems and/or home routers or gateways. If inbound port blocking is implemented in equipment at the customer's premises, this removes the ability of sources outside the customer's premises to send traffic to the customer on these ports. Blocking outbound traffic on specific ports at this location removes the ability of an ISP's customer to send traffic on these ports to destinations outside the customer's premises. None of the ISP implemented blocks affect traffic within the home.

[Figure diagram: Service Provider Network with a Mail Server, a BOTNET Controller, Spam Targets, Inter-connect Routers, Edge Routers and CPE; a BOTNET Computer (or Zombie) sends Spam Outbound on TCP/25. Step 1: Inbound control or outbound bot check-in. Step 2: SPAM sent to Mail Servers. Step 3: Port block at edge router prevents SPAM from reaching Mail Servers.]
Port blocking on customer premises equipment distributes the processing load required to implement port blocking. This location is also the most granular of the three common locations, in that it allows an ISP to apply port blocking rules on a per customer basis. However, at least one trade-off is the high cost of administering port blocking rules on what could potentially be millions of devices rather than a few thousand interfaces.
The viability of this third location can vary depending on the type of equipment located at the customer premises, but especially on the ownership or "control" of the equipment - as some equipment is provided by the ISP and some by the customers themselves, with different levels of control or ownership by each group. Below are two example scenarios:
Scenario 1 - CPE is managed by the customer
In this scenario, the ISP does not provide a home router or customer premises equipment to the customer, or the ISP provides the device but does not manage the security policy on the device. Many times, the customer will purchase a home router that typically implements a certain level of port blocking by default. However, since the ISP does not manage the equipment, the ISP will not have the ability to implement port blocking at this location. From the perspective of the ISP, this scenario presents a high risk to both the customer and the network. From the perspective of the customer this offers the highest amount of freedom, but also implies that the customer adopts the associated risk.
Scenario 2 - CPE is managed by the ISP
In this scenario the ISP maintains the ability to control the port blocking policy (protecting the customer and preventing malicious customer traffic) while still retaining the flexibility to modify the rules in some instances on a case-by-case basis if requested by the customer. From the ISP's perspective this affords all the protection of port blocking in the network. From the perspective of the customer, this scenario may reduce the risk to the customer, but may also reduce the freedom accorded to the customer if the ISP does not allow opt-out from port blocking.
In general, if a customer manages the CPE device in his or her home, the ISP has no ability to provision port blocking rules in the device and may therefore resort to implementing port blocking in the network if no reasonable alternatives are available. In cases where the ISP manages the CPE and has the ability to apply port blocking rules in the device, this may allow the ISP more flexibility in implementing port blocking policies and opt-out.
3.5. Opt-Out Options
As illustrated in the previous sections, there are several technical variables to consider for when and where a port block is applied, and whether or not an opt-out solution is offered to users. Beyond the technical variables, additional consideration is given to: (1) financial concerns, (2) operational factors (overhead of managing the potential multitude of individual policies), (3) Internet reputation (allowing cyber attacks to originate from the service network can impact all of the ISP's users), and (4) legal concerns (risk of applying the wrong policies to the wrong people).
The impact of an ISP's port blocking policy on the user will vary according to which ports are blocked. In some cases, e.g., blocking of network management ports, the port blocking policy is unlikely to have a negative impact on the user even if opt-out is not allowed. In other cases, where the port blocking policy may negatively impact some users, allowing for an opt-out policy could help to minimize any negative effects.
Due to the enterprise and commercial customers' high level of technical sophistication, these customers often are trusted by their ISP to connect to its network without the need for port blocking rules set by the ISP. In a similar manner, there can be a certain percentage of residential customers with the same level of technical sophistication - who may warrant a similar approach.
The decision of whether and how to allow a user to opt-out of some or all of the port blocking rules within an ISP's port blocking policy may depend on the ISP's rationale for the block, where and how the port block is implemented, and most importantly the ISP's network design. The capability and the cost of implementing an opt-out option vary greatly from ISP to ISP. Some ISPs will find opt-out technically impossible, some ISPs will find opt-out possible but costly, and some may find opt-out relatively easy. While some of the factors in this decision are highlighted in this report (such as where the blocks are implemented), every ISP will face its own specific complexities (such as IT design). For these reasons some ISPs allow for opt-out, some require the user to move to a business service (which are designed to not use port blocking), and others do not allow opt-out at all.
The implications and concerns related to port blocking may depend upon where a stakeholder "sits" in the Internet ecosystem. An ISP may see port blocking as an indispensable tool while an application developer may see port blocking as a challenge. Users may have different perceptions or concerns based upon their level of technical expertise. This section will offer some of these differing perspectives, as well as touch on some of the security considerations that go along with port blocking.

4.1. Concerns of Internet Ecosystem Stakeholders

4.1.1. Internet Service Providers
The Internet was built around the premise of an open and shared environment. Many early Internet protocols were designed with limited or no security measures built into their basic communications. Today, applications that leverage these protocols have inherited their minimal security characteristics.
Many ISPs implement port blocking to address some or all of the long-term problems discussed in Section 3.1. If left unblocked, these are threats that can cause an increase in spam or can compromise users' information. From the perspective of most consumer ISPs, the implementation of these port blocks can dramatically reduce support costs (fewer customer calls, fewer spam complaints, etc.) and result in minimal or no inconvenience to most users.
Most ISPs will also use port blocking as a means to mitigate a short-term, or what is hoped to be a short-term, threat. These threats generally fall into the denial of service (DoS) category. Some good examples of this are SNMP to prevent SNMP-amplified Distributed Denial of Service (DDoS) attacks, and some worms like Blaster. While port blocking is not a silver bullet, and does nothing to prevent port-agile attacks, it can be a viable short-term mitigation step for some attacks until a long-term solution is found.
Port blocking is used by a few ISPs to enforce terms of service. Some ISPs offer different levels of service such as consumer and business and can differentiate those services by allowing one to host servers and another that cannot. The number of ISPs that use port blocking in this fashion has declined in recent years, and there are only a few ISPs left implementing this practice.
Historically, there have been instances of ISPs using port blocking to block bandwidth-intensive or competing applications. While these are the implementations that draw the most attention, ire, and press, they have been very rare.
Consumer ISPs serve a variety of customer types ranging from a majority of customers who are less technically sophisticated to a minority of 'power users'. Unfortunately, there are a number of bad actors that connect to the Internet and a large number of customers that do not adequately protect themselves. ISPs must walk a fine line of trying to create a service that will protect the average user while not hindering the power user. In general, ISPs believe port blocking is a critical tool in order to create the secure environment the average user wants, and that port blocking for security reasons rarely causes problems for application developers or power users.

4.1.2. Applications and Application Providers

Ideally, application providers would be able to design their applications under the assumption that the entire port number space is available to them. However, port blocking, together with NAT, firewalls, and other technologies, generally serves to reduce the number of available ports. Port blocking can complicate application design and development and create uncertainty about whether applications will function properly when they are deployed. Although port blocking may be intended to block only unwanted traffic, it may also inadvertently block wanted traffic by mistake. This inadvertent blocking of wanted traffic may lead application developers to move their applications to ports that are not blocked. However, the availability of any particular port - outside of the "well-known" ports - can be somewhat uncertain, as different network operators can independently choose to block or unblock individual ports. Thus, applications designed to function across multiple IP networks must take into account the potential for port unavailability or unreliability (although applications may need to do so anyway, perhaps more so because of the prevalence of proxies, firewalls, NAT, and LSN rather than ISP-based port blocking).
Some application providers may be concerned about ISPs intentionally blocking their applications for anti-competitive purposes. For example, in 2005 the ISP Madison River was found to be blocking ports associated with independent voice over IP services that were in competition with the ISP's own voice telephony services [Madison River]. Port blocking has also been used for the purpose of limiting traffic from applications associated with high traffic volumes, such as peer-to-peer file-sharing applications [Toward Quantifying Network Neutrality]. Such concerns have caused some application developers to adopt some of the mitigation measures discussed below, such as designing their applications to be port-agile or using ports unlikely to be blocked. Whether and how an application provider chooses to mitigate the effects of port blocking will depend on a number of factors, including the size of the impact on the application's user base, the expected duration of potential blocks, and the rationale behind the blocks. A short-term block may not require mitigation, whereas blocks that affect many users and are expected to remain in place over the long term may trigger more extensive responses. If blocking is conducted for non-technical business reasons, application developers may choose to contest those port blocks in business negotiations, regulatory forums, or in public rather than developing mitigations.
There are a number of mitigation tactics available. At the very least, application providers may choose to develop user documentation or customer service expertise to help their users understand the nature of the problem and potential workarounds, if available. Another tactic may be to redesign some applications to use different ports, to conduct connectivity testing before establishing connections, to be port-agile, or to make port selection user-configurable.
Whether any of these options are available may depend on whether re-designed versions of the application can be made compatible with existing versions. These mitigations may raise additional issues for application providers. Introducing connectivity checks can impact performance, causing applications to take a significantly longer amount of time to establish initial connections. Shifting to ports that are already in common use by other applications and protocols can complicate application design. For example, some networks use proxies to validate that HTTP traffic conforms to specific protocol semantics; shifting non-HTTP traffic to port 80 may therefore result in the loss of particular functionality or may prevent the use of non-TCP transports. The implications of movement towards the majority of applications running on a small number of ports are uncertain as of yet. Such a change could arguably dampen the "diversity" or limit the number of different types of applications that can perform well on the network, since new applications may be expected to conform to the way that existing applications function on the same port (for example, expecting that all TCP 80 traffic behaves like HTTP).
Port blocking on residential networks may particularly constrain independent or non-commercial application developers, many of whom experiment with new application features and functionality using residential broadband connections. Although the rise of cloud computing resources may provide these developers with a way to circumvent restrictions imposed on their home connections, port blocking on residential networks may still put limits on local testing and development. Port blocking is among a set of tools and tactics (NAT being the other major example) that can undermine the original intent of ports: to provide reliable local addresses so that end systems could manage multiple communications at once.
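The two mitigations named above, connectivity testing before a connection is established and port-agility, are shown together in this added example (not code from the BITAG report or any application it mentions). The client walks an ordered list of candidate ports with a per-port timeout, commits to the first one that accepts a connection, and reports how long the search took, which is the initial-connection cost the paragraph warns about. The listener and closed-port helpers exist only so the block runs offline against 127.0.0.1; the candidate port list is an assumption, not a recommendation.

```python
"""Port-agile client with a connectivity check before committing to a port.

Added example; not code from the BITAG report. connect_port_agile tries
each candidate port in turn with a short timeout and returns the first
one that accepts a TCP connection, along with the elapsed search time.
Every failure mode (refused, timed out, unreachable) is treated the same
way, because from the client's side an ISP block, a NAT, a local
firewall and a missing service are indistinguishable.
"""
import socket
import time


def probe_port(host: str, port: int, timeout: float) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: all look like a block
        return False


def connect_port_agile(host: str, candidate_ports, timeout: float = 1.0):
    """Connect to the first reachable port in candidate_ports.

    Returns (sock, port, elapsed_seconds); sock and port are None if every
    candidate failed. Ports are tried in the caller's preference order, so
    the protocol's native port should come first and fallbacks after it.
    The worst case costs len(candidate_ports) * timeout seconds before the
    application learns it cannot connect at all.
    """
    start = time.monotonic()
    for port in candidate_ports:
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
            return sock, port, time.monotonic() - start
        except OSError:
            continue
    return None, None, time.monotonic() - start


def start_listener(host: str = "127.0.0.1"):
    """Open a listening socket on an ephemeral port (fixture so the example runs offline)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def closed_port(host: str = "127.0.0.1") -> int:
    """Return a port number that currently refuses connections (stands in for a blocked port)."""
    tmp, port = start_listener(host)
    tmp.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_listener()
    blocked = closed_port()
    # Assumed candidate order: the "native" port (blocked here) first, a fallback second.
    sock, chosen, elapsed = connect_port_agile("127.0.0.1", [blocked, open_port])
    print(f"connected on {chosen} after {elapsed:.3f}s, skipped {blocked}")
    sock.close()
    srv.close()
```

On a loopback interface a closed port is refused immediately, so the search is fast; against an ISP port block the first attempt typically produces no response at all and the full timeout is spent before the fallback is tried, which is why a cached result per network should be kept rather than probing on every connection.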
In general, blocking ports does not cause applications to vanish from the Internet, but rather induces a cat-and-mouse game whereby application development either becomes increasingly complex so as to evade port blocking through port-agnosticism, or drives application traffic to a dwindling set of ports that are reliably kept open across most networks. These efforts in turn cause ISPs to seek increasingly application-aware means of identifying and thwarting unwanted traffic.

4.1.3. Consumer or End-User Concerns

Port blocking can cause applications to not function properly, or "break", by preventing them from using the ports they were designed to use. Importantly, it may not be obvious to Internet users why their affected application is not working because the application may simply be unable to connect or fail silently. If error messages are provided, those messages may not contain specific details about the cause of the problem. Users may seek assistance from the ISP's customer service, online documentation, or other knowledgeable sources if they cannot diagnose the problem themselves. The process of diagnosis is further complicated by the fact that the problem could alternatively be caused by home networking equipment or a software-based port block.
Users' ability to respond to port blocking depends on their technical sophistication and the extent to which workarounds are available. Overcoming the port block may require installing a software update, changing a configuration setting, requesting an opt-out from the ISP, or upgrading the level of service (from residential to business, for example). If these options are not available, or if users lack the knowledge or willingness to pursue them, they may be prevented from using the blocked application altogether, or they may have to switch to a different application or a different network (from wired to wireless, for example).
Where port blocking is used to funnel traffic to an ISP's own infrastructure (by limiting outbound TCP 25 traffic unless the traffic is destined for the ISP's own mail servers, for example), it effectively reduces the set of application provider choices available to users (all other mail servers, for example). The trend towards port overloading, or in other words the fact that many different applications now use the same port, means that traffic identification and classification need to take place at the application layer. This may have implications for user control and privacy, because port overloading motivates the deployment of Deep Packet Inspection (DPI) and other content-aware technologies that can be used to identify and manage specific applications or communications. Blocking of certain ports could also have more serious repercussions for user privacy and security. For example, blocking port 443 would effectively prevent secure HTTP communication and the ability of users to connect with the large number of sites that require Hypertext Transfer Protocol Secure (HTTPS). Port blocking used in this capacity is an attempt to keep communications in clear text (perhaps for inspection or surveillance purposes). This port has been blocked by ISPs outside of the US, but not domestically.
While port blocking can have positive security benefits, it can affect how particular Internet applications function. Thus its use has the potential to be anti-competitive, discriminatory, otherwise motivated by non-technical factors, or construed as such. As a result, the Broadband Internet Technical Advisory Group (BITAG) has a number of suggested practices regarding port blocking on both wireline and wireless networks.

5.1. ISPs Should Avoid Port Blocking Unless No Reasonable Alternatives Are Available
BITAG recommends that ISPs avoid port blocking unless they have no reasonable alternatives available for preventing unwanted traffic and protecting customers. Further, if port blocking is deemed necessary, it should only be used for the purposes of protecting the implementing ISP's network and users. Port blocking should not be used for ongoing capacity management, or to enforce non-security terms of service, or to disadvantage competing applications.
Port blocking can create collateral damage for legitimate users and uses of the network, and can complicate the development of applications. A number of applications (including many that pose security threats) have evolved to become port-agile or to use ports that are unlikely to be blocked, most commonly ports 80 and 443. As a result, the long-term effectiveness of port blocking as a means to prevent unwanted traffic is limited. On the other hand, ISPs may view port blocking as a simple and powerful way of handling security threats, particularly in the short term. Despite the negative impacts that may come with the practice, for the time being its use may be considered a necessity.
5.2. ISPs Should Provide Opt-Out Provisions
BITAG recommends that if an ISP can reasonably provide their users with opt-out provisions or exceptions to their port blocking policies, they should do so.
BITAG recognizes the benefit of providing opt-out policies for a subset of users and for certain port blocking rules. However, the technical feasibility, administrative complexity, and costs can vary greatly depending upon the implementation, including the particulars of the access network technology (e.g., DOCSIS, DSL, LTE, etc.). For example, there may be cases where SNMP blocking is only feasible in an access router or other aggregation point, some distance from the user's equipment, which may make per-user controls exceedingly difficult or impossible. Thus, BITAG recommends that ISPs balance their decisions about which ports to block with their capabilities of offering opt-out.
5.3. ISPs Should Disclose Port Blocking Policies
BITAG recommends that ISPs publicly disclose their port blocking policies. The information should be readily available to both customers and non-customers alike, and should be as informative and concise as possible. For example, port blocking policies could be provided on the ISP's public-facing website, on a page dedicated to summarizing or describing the respective ISP's network management practices.
For persistent port blocks the information should include:
- Port number(s)
- Transport protocol (e.g., TCP or UDP)
- Application(s) normally associated with the port(s) (e.g., SMTP)
- Direction of the block (outbound or inbound)
- Brief description of the reason(s) for the block (e.g., spam)
- Whether opt-out provisions are available and how to request them
This will give users better information with which to diagnose problems, can better inform consumers' decision-making when choosing an ISP, and can provide crucial information to application developers.
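As an added example that is not part of the BITAG report, the following Python models disclosed port-blocking rules with the fields listed above, including the exception for the ISP's own mail servers on outbound TCP 25 and the per-subscriber opt-out discussed in the preceding sections; the mail-server prefix, subscriber identifiers and remote addresses are constructed placeholders.

```python
"""Added example, not from the BITAG report: disclosed port-blocking rules
evaluated against constructed sample flows.  Rule fields follow the disclosure
items the report lists; the mail-server prefix and subscriber ids are
constructed placeholders."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class PortBlock:
    port: int
    protocol: str            # "tcp" or "udp"
    direction: str           # "outbound" or "inbound"
    application: str         # application normally associated with the port
    reason: str              # brief reason for the block
    opt_out_available: bool
    exempt_destinations: tuple = ()  # prefixes exempt, e.g. the ISP's own mail servers

    def disclosure(self) -> str:
        """Render the rule as the one-line disclosure the report recommends."""
        opt = "opt-out available on request" if self.opt_out_available else "no opt-out"
        return (f"{self.protocol.upper()}/{self.port} ({self.application}), "
                f"{self.direction}, reason: {self.reason}, {opt}")

@dataclass(frozen=True)
class Flow:
    subscriber: str
    direction: str
    protocol: str
    port: int                # destination port (outbound) or local port (inbound)
    remote_ip: str

def is_blocked(rule: PortBlock, flow: Flow, opted_out: frozenset) -> bool:
    """True if this rule drops the flow for this subscriber."""
    if (flow.protocol, flow.port, flow.direction) != (rule.protocol, rule.port, rule.direction):
        return False
    if rule.opt_out_available and flow.subscriber in opted_out:
        return False         # subscriber used the disclosed opt-out
    remote = ip_address(flow.remote_ip)
    return not any(remote in ip_network(net) for net in rule.exempt_destinations)

# Constructed policy: outbound SMTP blocked except to the ISP's own mail servers
# (placeholder 198.51.100.0/24), with opt-out; inbound NetBIOS blocked, no opt-out.
POLICY = (PortBlock(25, "tcp", "outbound", "SMTP", "spam", True, ("198.51.100.0/24",)),
          PortBlock(139, "tcp", "inbound", "NetBIOS", "malware", False))
OPTED_OUT = frozenset({"sub-002"})

def evaluate(flow: Flow, policy=POLICY, opted_out=OPTED_OUT) -> bool:
    """True if any rule in the disclosed policy blocks the flow."""
    return any(is_blocked(rule, flow, opted_out) for rule in policy)
```

Printing `rule.disclosure()` for each rule in `POLICY` yields the per-rule entries an ISP could publish on its network management page.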
There may be times when a security incident will prompt the need for an immediate and temporary port block to be implemented by an ISP in order to protect its customers or protect its network. It may not be feasible to disclose such blocks before they are removed. There may also be times when the disclosure of port blocking in response to a particular attack may compromise that security mitigation.
BITAG recommends that ISPs provide a communications channel or other clear method for application providers and consumers to provide feedback to each ISP on its respective port blocking policy, to discuss impacts caused by port blocking and to consider other possible mitigations, among other things. The communications channel or other clear methods should be provided where the port blocking policies are disclosed. ISPs should be reasonably responsive to the communications they receive from application developers and consumers, including requests to discuss impacts caused by port blocking and possible mitigations.
BITAG recommends that ISPs revisit their respective port blocking policies on a regular basis to determine whether the threats that required the port blocking rules continue to be relevant, and whether their policies should be adjusted accordingly. Some security threats are permanent and some are transitory or short-lived. Items such as spam prevention by blocking TCP 25 are expected to last quite some time, while others such as blocks to prevent certain types of malware may be temporary and can be fixed over time with software patching.
BITAG recommends that the port blocking (or firewall) rules of consumers' home routers should be user configurable, whether the routers are provided by the ISP or purchased separately by the consumer. It is recommended that the documentation provided with each unit inform the consumer that port blocking or firewall rules have been implemented, which ports are blocked by default, and how consumers can modify those rules.
6. References
[BCP38] Ferguson, P. and D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", BCP 38, May 2000, <http://tools.ietf.org/html/bcp38>.
[BCP165] Cotton, M., L. Eggert, J. Touch, M. Westerlund, and S. Cheshire, "Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry", BCP 165, August 2011, <http://tools.ietf.org/html/bcp165>.
[RFC675] Cerf, V., Y. Dalal, and C. Sunshine, "Specification of Internet Control Program", RFC 675, December 1974, <http://tools.ietf.org/html/rfc675>.
[RFC1001] Aggarwal, A., et al., "Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Concepts and Methods", RFC 1001, March 1987, <http://www.ietf.org/rfc/rfc1001.txt>.
[RFC1002] Aggarwal, A., et al., "Protocol Standard for a NetBIOS Service on a TCP/UDP Transport: Detailed Specifications", RFC 1002, March 1987, <http://www.ietf.org/rfc/rfc1002.txt>.
[RFC1122] Braden, R., "Requirements for Internet Hosts - Communications Layers", RFC 1122, October 1989, <http://tools.ietf.org/html/rfc1122>.
[RFC2616] Fielding, R., J. Gettys, J. Mogul, H. Frystyk, L. Masinter, P. Leach, and T. Berners-Lee, "Hypertext Transfer Protocol - HTTP/1.1", RFC 2616, June 1999, <http://tools.ietf.org/html/rfc2616>.
[RFC2827] Ferguson, P., D. Senie, "Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing", RFC 2827, May 2000, <https://tools.ietf.org/html/rfc2827>.
[RFC4271] Rekhter, Y., T. Li, and S. Hares, "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, January 2006, <http://tools.ietf.org/html/rfc4271>.
[RFC5068] Hutzler, C., D. Crocker, P. Resnick, E. Allman, T. Finch, "Email Submission Operations: Access and Accountability Requirements", RFC 5068, November 2007, <https://tools.ietf.org/html/rfc5068>.
[RFC6204] Singh, H., W. Beebee, C. Donley, D. Stark, and O. Troan, "Basic Requirements for IPv6 Customer Edge Routers", RFC 6204, April 2011, <http://tools.ietf.org/html/rfc6204>.
[RFC6335] Cotton, M., et al., "Internet Assigned Numbers Authority (IANA) Procedures for the Management of the Service Name and Transport Protocol Port Number Registry", RFC 6335, August 2011, <http://tools.ietf.org/html/rfc6335>.
[RFC6409] Gellens, R., and J. Klensin, "Message Submission for Mail", RFC 6409, November 2011, <http://tools.ietf.org/html/rfc6409>.
[Comcast Letter on SMTP Port 25] O'Reirdan, M., "Updated Management of SMTP Port 25", August 1, 2012, <http://corporate.comcast.com/comcast-voices/updated-management-of-smtp-port-25>.
[M3AAWG Port 25 Recommendation] Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG), "Managing Port 25 for Residential or Dynamic IP Space: Benefits of Adoption and Risks of Inaction", December 2005, <http://www.maawg.org/sites/maawg/files/news/MAAWG_Port25rec0511.pdf>.
[Madison River] Federal Communications Commission (FCC), "In the Matter of Madison River Communications, LLC and Affiliated Companies", Consent Decree, DA 05-543, March 2005, <http://hraunfoss.fcc.gov/edocs_public/attachmatch/DA-05-543A2.pdf>.
[Netalyzr] University of California - Berkeley, International Computer Science Institute, "Netalyzr", <http://netalyzr.icsi.berkeley.edu>.
[Netalyzr2010] Kreibich, C., N. Weaver, B. Nechaev, V. Paxson, "Netalyzr: Illuminating the Edge Network", November 2010, <http://www.icir.org/christian/publications/2010-imc-netalyzr.pdf>.
[Port Number Registry] Touch, J., M. Kojo, E. Lear, A. Mankin, K. Ono, M. Stiemerling, and L. Eggert, "Service Name and Transport Protocol Port Number Registry", March 2013, <http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml>.
[Skype FAQ] Skype, "Connection Problems: Which Ports Need to be Open to Use Skype for Windows Desktop", April 2013, <https://support.skype.com/en/faq/FA148/which-ports-need-to-be-open-to-use-skype-for-windows-desktop>.
[Toward Quantifying Network Neutrality] Beverly, R., S. Bauer, A. Berger, "The Internet's Not a Big Truck: Toward Quantifying Network Neutrality", 2007, <http://www.akamai.com/dl/technical_publications/truck-pam07.pdf>.
[SANS] SANS Institute, "Intrusion Detection FAQ: What Port Numbers Do Well-Known Trojan Horses Use.", April 2013, <http://www.sans.org/security-resources/idfaq/oddports.php>.
7. Glossary of Terms
Home Gateway Device: A network element that creates, connects to, or extends a home network for a user. These devices can perform a range of functions, such as connecting to the Internet, creating or extending a wireless network, providing backup and storage, etc. [See also RFC 6204]
HTTP Proxy: A computer system or an application that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server, and the proxy server evaluates the request as a way to simplify and control its complexity.
ISP Interconnection Links: For the purpose of this document, the places (links) where IP traffic is exchanged between ISP networks.
Transmission Control Protocol (TCP): A protocol used along with the Internet Protocol (IP) to send data in the form of information packets between computers over the Internet. While IP handles the actual delivery of the data, TCP keeps track of the individual packets that a message is divided into for efficient routing through the Internet. IP packets can be lost, duplicated, or delivered out of order, and TCP detects these problems, requests retransmission of lost data, rearranges out-of-order data, and even helps minimize network congestion to reduce the occurrence of the other problems. [See also RFC 675 et al.]
User Datagram Protocol (UDP): A protocol used along with the Internet Protocol (IP) to send data in the form of information packets between computers over the Internet. In contrast to TCP, UDP uses a simple transmission model with a minimum of protocol mechanism. UDP is suitable for purposes where error checking and correction is either not necessary or performed in the application, thus avoiding the overhead of such processing at the network interface level. Time-sensitive applications often use UDP, where dropping packets is preferable to waiting for delayed packets. [See also RFC 768]