[80245] in North American Network Operators' Group
Re: Schneier: ISPs should bear security burden
daemon@ATHENA.MIT.EDU (Daniel Senie)
Wed Apr 27 15:09:28 2005
Date: Wed, 27 Apr 2005 15:02:08 -0400
To: "Steven M. Bellovin" <smb@cs.columbia.edu>
From: Daniel Senie <dts@senie.com>
Cc: nanog@merit.edu
In-Reply-To: <20050427173926.8DFEB3BFF78@berkshire.machshav.com>
Errors-To: owner-nanog@merit.edu
At 01:39 PM 4/27/2005, you wrote:
>In message <20050426.200918.11519.516537@webmail04.lax.untd.com>, "Fergie
>(Paul
> Ferguson)" writes:
> >
> >
> >I've been there -- I know how I feel about it -- but I'd love
> >to know how ISP operations folk feel about this.
> >
> >Links here:
> >http://www.vnunet.com/news/1162720
> >
>
>At a recent forum at Fordham Law School, Susan Crawford -- an attorney,
>not a network operator -- expressed it very well: "if we make ISPs into
>police, we're all in the ghetto".
>
>Bruce is a smart guy, and a good friend of mine, but he's not a network
>operator or architect. There are a small number of times when
>operators can, should, and -- in a very few cases -- act, but those
>are rare. The most obvious case is flooding attacks, since they represent
>an abuse of the network itself; operators also have responsibility for
>other pieces of the infrastructure they control, such as (many) name
>servers.
While this stance works for backbone network operators, I'm not entirely
convinced it's a viable business strategy for ISPs dealing directly with
end user customers (business or residential). The problem at the edge is
customers insist they don't want the spam and viruses, and expect the ISP
to help. Earthlink and AOL provide such services, and in the course of
doing this raise an expectation.
Now a regional or local ISP can either say "it's not our job to protect
you" and have their customers migrate away, or they can make efforts to
help and retain customers. So, is this a technical issue or a business
issue? Network engineers are not necessarily qualified to make business
decisions, unless they wear both hats.
Customers at the retail level expect basic protection services as a part of
the price of service. Whether that's a good thing or not, it's where we are
on the business side of providing retail ISP services.
