hedrick@topaz.ARPA (Chuck Hedrick) (03/06/85)
I am getting messages from various postmasters complaining about problems in getting mail through our Unix system, Topaz.Arpa. We have a sort of weird problem, caused by Arpanet access rules. We maintain a number of mailing lists. We distribute them in parallel on the Arpanet and UUCP. The Arpanet mail is distributed from Rutgers.Arpa. The UUCP mail is distributed from Topaz.Arpa. The problem is that people on one side can't respond to postings from the other. Topaz and Rutgers do talk to each other. You can get mail back to the editor of the mailing list, and hence into the mailing list itself, from either side. But Arpanet users who try to get Topaz to send a response out to UUCP are treated rudely. (At the moment, in most cases our SMTP won't even talk to Arpanet sites without advance arrangements.) Similarly, attempts by UUCP people to respond to the Arpanet are (I hope) failed.

I don't see any obvious way around this. DCA rules simply do not allow a free gateway between Arpanet and UUCP. On the other hand, we would like news groups to be able to go to both worlds. At the moment, we do not have any good way to control opening Internet connections. We have some code from another site that we believe will help in controlling network access, but we have not had a chance to put it up yet. So the only tool we could find in 4.2 to prevent unauthorized access is simply not to tell Topaz about our gateway, except for specific hosts. Instead of using routed, or route add for whole networks, we do a separate route add for a few hosts we really need to talk to. We have previously contacted these hosts, and believe that their controls are good enough that our students will not be able to do anything there.

This provides a small gap in our mail protection, since if you know which hosts they are, a UUCP user could probably arrange a syntax that would gateway a message through us to that Arpanet host. However, we don't think this is going to be a problem in practice.
This message is partly just an apology to people who have been confused by an inability to get Topaz to do what it seems like it should. It is also an expression of frustration. As we start getting more and more gateways and mail bridges, it is going to be messier and messier to say that certain links can only be traversed by packets from certain users. I have promised DCA that I will abide by their rules, and I will do so. But it is hard to believe that the Internet community as a whole is really going to be able to keep a wall around the Arpanet in the long run.
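The post's access control rests entirely on what the kernel routing table knows: with no network route and only a few host routes, Topaz can physically reach just those hosts, so any mail relay to the rest of the Arpanet fails by absence of a route. The following Python model is an added example, not code from the post or from Rutgers; it builds a constructed routing table with placeholder addresses (10.0.0.5 and 10.0.0.9 stand in for the handful of Arpanet hosts, and are not real Topaz or Rutgers addresses), resolves destinations the way a host-route-then-network-route lookup would, and shows both why the scheme blocks most relaying and why the whitelisted hosts remain reachable from UUCP-originated mail, which is the gap the author acknowledges. It also shows that a single whole-network `route add` (modelled here as a network entry) silently reopens everything, which is the reason the post avoids routed.

```python
import ipaddress

# Constructed routing table modelled on the post: no default route, no
# network route, just explicit host routes for a few Arpanet hosts.
# Addresses are placeholders chosen for this example.
HOST_ROUTES = {
    "10.0.0.5": "arpanet-gw",
    "10.0.0.9": "arpanet-gw",
}
NETWORK_ROUTES = {}  # a whole-network `route add` would populate this


def next_hop(dst, host_routes=HOST_ROUTES, network_routes=NETWORK_ROUTES):
    """Return the gateway for dst, or None when no route exists.

    Host routes win outright; otherwise the most specific matching
    network route is used, mirroring how a 4.2-style table is consulted.
    """
    if dst in host_routes:
        return host_routes[dst]
    addr = ipaddress.ip_address(dst)
    best = None
    for net, gw in network_routes.items():
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, gw)
    return best[1] if best else None


def relay_allowed(origin, dst, host_routes=HOST_ROUTES, network_routes=NETWORK_ROUTES):
    """Effective relay policy for a message entering Topaz.

    Arpanet-bound mail is not filtered by sender origin at all; it goes
    wherever a route exists.  That is the whole control described in the
    post, so a UUCP-originated message to a routed host is still relayed.
    """
    return next_hop(dst, host_routes, network_routes) is not None


def reachable_from_uucp(destinations, host_routes=HOST_ROUTES, network_routes=NETWORK_ROUTES):
    """List which candidate Arpanet destinations a UUCP-origin message could reach."""
    return sorted(d for d in destinations if relay_allowed("uucp", d, host_routes, network_routes))


if __name__ == "__main__":
    candidates = ["10.0.0.5", "10.0.0.7", "10.0.0.9", "10.1.2.3"]
    print("host routes only:", reachable_from_uucp(candidates))
    # Adding one network route reopens the whole network.
    print("with network route:", reachable_from_uucp(candidates, NETWORK_ROUTES | {"10.0.0.0/8": "arpanet-gw"}))
```

The second call illustrates the trade-off in the post: the host-route scheme is effective only as long as nobody adds a network route or runs routed, and it offers no per-sender policy, so the two whitelisted hosts stay reachable regardless of where a message came from.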