summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc4084.txt
blob: b05d189bb040149464889d76390bd75ae4d75fb6 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
Network Working Group                                         J. Klensin
Request for Comments: 4084                                      May 2005
BCP: 104
Category: Best Current Practice


            Terminology for Describing Internet Connectivity

Status of This Memo

   This document specifies an Internet Best Current Practices for the
   Internet Community, and requests discussion and suggestions for
   improvements.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2005).

Abstract

   As the Internet has evolved, many types of arrangements have been
   advertised and sold as "Internet connectivity".  Because these may
   differ significantly in the capabilities they offer, the range of
   options, and the lack of any standard terminology, the effort to
   distinguish between these services has caused considerable consumer
   confusion.  This document provides a list of terms and definitions
   that may be helpful to providers, consumers, and, potentially,
   regulators in clarifying the type and character of services being
   offered.

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
       1.1.  The Problem and the Requirement  . . . . . . . . . . . .  2
       1.2.  Adoption and a Non-pejorative Terminology  . . . . . . .  2
   2.  General Terminology  . . . . . . . . . . . . . . . . . . . . .  3
   3.  Filtering or Security Issues and Terminology . . . . . . . . .  5
   4.  Additional Terminology . . . . . . . . . . . . . . . . . . . .  7
   5.  Security Considerations  . . . . . . . . . . . . . . . . . . .  9
   6.  Acknowledgements . . . . . . . . . . . . . . . . . . . . . . .  9
   7.  Informative References . . . . . . . . . . . . . . . . . . . .  9










Klensin                  Best Current Practice                  [Page 1]
^L
RFC 4084                    IP Service Terms                    May 2005


1.  Introduction

1.1.  The Problem and the Requirement

   Different ISPs and other providers offer a wide variety of products
   that are identified as "Internet" or "Internet access".  These
   products offer different types of functionality and, as a result,
   some may be appropriate for certain users and uses and not others.
   For example, a service that offers only access to the Web (in this
   context, the portion of the Internet that is accessible via the HTTP
   and HTTPS protocols) may be appropriate for someone who is
   exclusively interested in browsing and in Web-based email services.
   It will not be appropriate for someone who needs to download files or
   use email more frequently.  And it is likely to be even less
   appropriate for someone who needs to operate servers for other users,
   who needs virtual private network (VPN) capabilities or other secured
   access to a remote office, or who needs to synchronize mail for
   offline use.

   Recent and rapidly evolving changes to the Internet's email
   environment have led to additional restrictions on sending and
   retrieving email.  These restrictions, most of them developed as part
   of well intentioned attempts to prevent or fight unsolicited mail,
   may be imposed independently of the service types described below and
   are discussed separately in Section 3.

   This document describes only the functions provided or permitted by
   the service provider.  It does not and cannot specify the functions
   that pass through and are supported by various user-provided
   equipment.

   The terms SHOULD, MUST, or MAY are capitalized in this document, as
   defined in [1].

1.2.  Adoption and a Non-pejorative Terminology

   The definitions proposed here are of little value if service
   providers and vendors are not willing to adopt them.  The terms
   proposed are intended not to be pejorative, despite the belief of
   some members of the IETF community that some of these connectivity
   models are simply "broken" or "not really an Internet service".  The
   mention of a particular service or model in this document does not
   imply any endorsement of it, only recognition of something that
   exists or might exist in the marketplace.  Thus, the Best Current
   Practice described in this document is about terminology and
   information that should be supplied to the user and not about the
   types of service that should be offered.




Klensin                  Best Current Practice                  [Page 2]
^L
RFC 4084                    IP Service Terms                    May 2005


2.  General Terminology

   This section lists the primary IP service terms.  It is hoped that
   service providers will adopt these terms, to better define the
   services to potential users or customers.  The terms refer to the
   intent of the provider (ISP), as expressed in either technical
   measures or terms and conditions of service.  It may be possible to
   work around particular implementations of these characteristic
   connectivity types, but that freedom is generally not the intent of
   the provider and is unlikely to be supported if the workarounds stop
   working.

   The service terms are listed in order of ascending capability, to
   reach "full Internet connectivity".

   o  Web connectivity.

      This service provides connectivity to the Web, i.e., to services
      supported through a "Web browser" (such as Firefox, Internet
      Explorer, Mozilla, Netscape, Lynx, or Opera), particularly those
      services using the HTTP or HTTPS protocols.  Other services are
      generally not supported.  In particular, there may be no access to
      POP3 or IMAP4 email, encrypted tunnels or other VPN mechanisms.

      The addresses used may be private and/or not globally reachable.
      They are generally dynamic (see the discussion of dynamic
      addresses in Section 3 for further discussion of this terminology
      and its implications) and relatively short-lived (hours or days
      rather than months or years).  These addresses are often announced
      as "dynamic" to those who keep lists of dial-up or dynamic
      addresses.  The provider may impose a filtering Web proxy on the
      connections; that proxy may change and redirect URLs to other
      sites than the one originally specified by the user or embedded
      link.

   o Client connectivity only, without a public address.

      This service provides access to the Internet without support for
      servers or most peer-to-peer functions.  The IP address assigned
      to the customer is dynamic and is characteristically assigned from
      non-public address space.  Servers and peer-to-peer functions are
      generally not supported by the network address translation (NAT)
      systems that are required by the use of private addresses.  (The
      more precise categorization of types of NATs given in [2] are
      somewhat orthogonal to this document, but they may be provided as
      additional terms, as described in Section 4.)





Klensin                  Best Current Practice                  [Page 3]
^L
RFC 4084                    IP Service Terms                    May 2005


      Filtering Web proxies are common with this type of service, and
      the provider SHOULD indicate whether or not one is present.

   o Client only, public address.

      This service provides access to the Internet without support for
      servers or most peer-to-peer functions.  The IP address assigned
      to the customer is in the public address space.  It is usually
      nominally dynamic or otherwise subject to change, but it may not
      change for months at a time.  Most VPN and similar connections
      will work with this service.  The provider may prohibit the use of
      server functions by either legal (contractual) restrictions or by
      filtering incoming connection attempts.

      Filtering Web proxies are uncommon with this type of service, and
      the provider SHOULD indicate if one is present.

   o Firewalled Internet Connectivity.

      This service provides access to the Internet and supports most
      servers and most peer-to-peer functions, with one or (usually)
      more static public addresses.  It is similar to "Full Internet
      Connectivity", below, and all of the qualifications and
      restrictions described there apply.  However, this service places
      a provider-managed "firewall" between the customer and the public
      Internet, typically at customer request and at extra cost compared
      to non-firewalled services.  Typically by contractual arrangements
      with the customer, this may result in blocking of some services.

      Other services may be intercepted by proxies, content-filtering
      arrangements, or application gateways.  The provider SHOULD
      specify which services are blocked and which are intercepted or
      altered in other ways.

      In most areas, this service arrangement is offered as an add-on,
      extra-cost, option with what would otherwise be Full Internet
      Connectivity.  It is distinguished from the models above by the
      fact that any filtering or blocking services are ultimately
      performed at customer request, rather than being imposed as
      service restrictions.

   o Full Internet Connectivity.

      This service provides the user full Internet connectivity, with
      one or more static public addresses.  Dynamic addresses that are
      long-lived enough to make operating servers practical without
      highly dynamic DNS entries are possible, provided that they are
      not characterized as "dynamic" to third parties.



Klensin                  Best Current Practice                  [Page 4]
^L
RFC 4084                    IP Service Terms                    May 2005


      Filtering Web proxies, interception proxies, NAT, and other
      provider-imposed restrictions on inbound or outbound ports and
      traffic are incompatible with this type of service.  Servers on a
      connected customer LAN are typically considered normal.  The only
      compatible restrictions are bandwidth limitations and prohibitions
      against network abuse or illegal activities.

3.  Filtering or Security Issues and Terminology

   As mentioned in the Introduction, the effort to control or limit
   objectionable network traffic has led to additional restrictions on
   the behavior and capabilities of internet services.  Such
   objectionable traffic may include unsolicited mail of various types
   (including "spam"), worms, viruses, and their impact, and in some
   cases, specific content.

   In general, significant restrictions are most likely to be
   encountered with Web connectivity and non-public-address services,
   but some current recommendations would apply restrictions at all
   levels.  Some of these mail restrictions may prevent sending outgoing
   mail (except through servers operated by the ISP for that purpose),
   may prevent use of return addresses of the user's choice, and may
   even prevent access to mail repositories (other than those supplied
   by the provider) by remote-access protocols such as POP3 or IMAP4.
   Because users may have legitimate reasons to access remote file
   services, remote mail submission servers (or, at least, to use their
   preferred email addresses from multiple locations), and to access
   remote mail repositories (again, a near-requirement if a single
   address is to be used), it is important that providers disclose the
   services they are making available and the filters and conditions
   they are imposing.

   Several key issues in email filtering are of particular importance.

   o Dynamic Addresses.

      A number of systems, including several "blacklist" systems, are
      based on the assumption that most undesired email originates from
      systems with dynamic addresses, especially dialup and home
      broadband systems.  Consequently, they attempt to prevent the
      addresses from being used to send mail, or perform some other
      services, except through provider systems designated for that
      purpose.

      Different techniques are used to identify systems with dynamic
      addresses, including provider advertising of such addresses to
      blacklist operators, heuristics that utilize certain address
      ranges, and inspection of reverse-mapping domain names to see if



Klensin                  Best Current Practice                  [Page 5]
^L
RFC 4084                    IP Service Terms                    May 2005


      they contain telltale strings such as "dsl" or "dial".  In some
      cases, the absence of a reverse-mapping DNS address is taken as an
      indication that the address is "dynamic".  (Prohibition on
      connections based on the absence of a reverse-mapping DNS record
      was a technique developed for FTP servers many years ago; it was
      found to have fairly high rates of failure, both prohibiting
      legitimate connection attempts and failing to prevent illegitimate
      ones).  Service providers SHOULD describe what they are doing in
      this area for both incoming and outgoing message traffic, and
      users should be aware that, if an address is advertised as
      "dynamic", it may be impossible to use it to send mail to an
      arbitrary system even if Full Internet Connectivity is otherwise
      provided.

   o  Non-public addresses and NATs.

      The NAT systems that are used to map between private and public
      address spaces may support connections to distant mail systems for
      outbound and inbound mail, but terms of service often prohibit the
      use of systems not supplied by the connectivity provider and
      prohibit the operation of "servers" (typically not precisely
      defined) on the client connection.

   o Outbound port filtering from the provider.

      Another common technique involves blocking connections to servers
      outside the provider's control by blocking TCP "ports" that are
      commonly used for messaging functions.  Different providers have
      different theories about this.  Some prohibit their customers from
      accessing external SMTP servers for message submission, but they
      permit the use of the mail submission protocol ([3]) with sender
      authentication.  Others try to block all outgoing messaging-
      related protocols, including remote mail retrieval protocols;
      however, this is less common with public-address services than
      those that are dependent on private addresses and NATs.  If this
      type of filtering is present, especially with "Client only, public
      address" and "Full Internet Connectivity" services, the provider
      MUST indicate that fact (see also Section 4).

      Still others may divert (reroute) outbound email traffic to their
      own servers, on the theory that this eliminates the need for
      reconfiguring portable machines as they connect from a different
      network location.  Again, such diversion MUST be disclosed,
      especially since it can have significant security and privacy
      implications.






Klensin                  Best Current Practice                  [Page 6]
^L
RFC 4084                    IP Service Terms                    May 2005


      More generally, filters that block some or all mail being sent to
      (or submitted to) remote systems (other than via provider-
      supported servers), or that attempt to divert that traffic to
      their own servers, are, as discussed above, becoming common and
      SHOULD be disclosed.

4.  Additional Terminology

   These additional terms, while not as basic to understanding a service
   offering as the ones identified above, are listed as additional
   information that a service provider might choose to provide to
   complement those general definitions.  A potential customer might use
   those that are relevant to construct a list of specific questions to
   ask, for example.

   o Version support.

      Does the service include IPv4 support only, both IPv4 and IPv6
      support, or IPv6 support only?

   o Authentication support.

      Which technical mechanism(s) are used by the service to establish
      and possibly authenticate connections?  Examples might include
      unauthenticated DHCP, PPP, RADIUS, or HTTP interception.

   o VPNs and Tunnels.

      Is IPSec blocked or permitted?  Are other tunneling techniques at
      the IP layer or below, such as L2TP, permitted?  Is there any
      attempt to block applications-layer tunnel mechanisms such as SSH?

   o Multicast support

      Does the user machine have access to multicast packets and
      services?

   o DNS support.

      Are users required to utilize DNS servers provided by the service
      provider, or are DNS queries permitted to reach arbitrary servers?

   o IP-related services.

      Are ICMP messages to and from end user sites generally blocked or
      permitted?  Are specific functions such as ping and traceroute
      blocked and, if so, at what point in the network?




Klensin                  Best Current Practice                  [Page 7]
^L
RFC 4084                    IP Service Terms                    May 2005


   o Roaming support.

      Does the service intentionally include support for IP roaming and,
      if so, how is this defined?  For "broadband" connections, is some
      dialup arrangement provided for either backup or customer travel?
      If present, does that arrangement have full access to mailboxes,
      etc.

   o Applications services provided.

      Are email services and/or Web hosting provided as part of the
      service, and on what basis?  An email services listing should
      identify whether POP3, IMAP4, or Web access are provided and in
      what combinations, and what types of authentication and privacy
      services are supported or required for each.

   o Use and Blocking of Outbound Applications Services.

      Does the service block use of SMTP or mail submission to other
      than its own servers or intercept such submissions and route them
      to its servers?  Do its servers restrict the user to use of its
      domain names on outbound email?  (For email specifically, also see
      Section 3 above.)  Is the FTP PASV command supported or blocked?
      Are blocks or intercepts imposed on other file sharing or file
      transfer mechanisms, on conferencing applications, or on private
      applications services?

      More generally, the provider should identify any actions of the
      service to block, restrict, or alter the destination of, the
      outbound use (i.e., the use of services not supplied by the
      provider or on the provider's network) of applications services.

   o Blocking of Inbound Applications Services.

      In addition to issues raised by dynamic or private address space
      (when present), does the service take any other measures that
      specifically restrict the connections that can be made to
      equipment operated by the customer?  Specifically, are inbound
      SMTP, HTTP or HTTPS, FTP, or various peer-to-peer or other
      connections (possibly including applications not specifically
      recognized by the provider) prohibited and, if so, which ones?

   o Application Content Filtering.

      The service should declare whether it provides filtering or
      protection against worms or denial of service attacks against its
      customers, virus and spam filtering for its mail services (if




Klensin                  Best Current Practice                  [Page 8]
^L
RFC 4084                    IP Service Terms                    May 2005


      any), non-discretionary or "parental control" filtering of
      content, and so on.

   o Wiretapping and interception.

      The service SHOULD indicate whether traffic passing through it is
      subject to lawful intercept, and whether the provider will make a
      proactive attempt to inform the user of such an intercept when
      such notice is legal.  Analogous questions can be asked for
      traffic data that is stored for possible use by law enforcement.

5.  Security Considerations

   This document is about terminology, not protocols, so it does not
   raise any particular security issues.  However, if the type of
   terminology that is proposed is widely adopted, it may become easier
   to identify security-related expectations of particular hosts, LANs,
   and types of connections.

6.  Acknowledgements

   This document was inspired by an email conversation with Vernon
   Schryver, Paul Vixie, and Nathaniel Bornstein.  While there have been
   proposals to produce such definitions for many years, that
   conversation convinced the author that it was finally time to put a
   strawman on the table to see if the IETF could actually carry it
   forward.  Harald Alvestrand, Brian Carpenter, George Michaelson,
   Vernon Schryver, and others made several suggestions on the initial
   draft that resulted in clarifications to the second one and Stephane
   Bortzmeyer, Brian Carpenter, Tony Finch, Susan Harris, David Kessens,
   Pekka Savola, and Vernon Schryver made very useful suggestions that
   were incorporated into subsequent versions.  Susan Harris also gave
   the penultimate version an exceptionally careful reading, which is
   greatly appreciated, as are editorial suggestions by the RFC Editor.

7.  Informative References

   [1]  Bradner, S., "Key words for use in RFCs to Indicate Requirement
        Levels", BCP 14, RFC 2119, March 1997.

   [2]  Srisuresh, P. and M. Holdrege, "IP Network Address Translator
        (NAT) Terminology and Considerations", RFC 2663, August 1999.

   [3]  Gellens, R. and J. Klensin, "Message Submission", RFC 2476,
        December 1998.






Klensin                  Best Current Practice                  [Page 9]
^L
RFC 4084                    IP Service Terms                    May 2005


Author's Address

   John C Klensin
   1770 Massachusetts Ave, #322
   Cambridge, MA  02140
   USA

   Phone: +1 617 491 5735
   EMail: john-ietf@jck.com










































Klensin                  Best Current Practice                 [Page 10]
^L
RFC 4084                    IP Service Terms                    May 2005


Full Copyright Statement

   Copyright (C) The Internet Society (2005).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an
   "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
   OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
   ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
   INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
   INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
   WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the IETF's procedures with respect to rights in IETF Documents can
   be found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at
   http://www.ietf.org/ipr.

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at ietf-
   ipr@ietf.org.


Acknowledgement

   Funding for the RFC Editor function is currently provided by the
   Internet Society.






Klensin                  Best Current Practice                 [Page 11]
^L