[80331] in North American Network Operators' Group


Re: Schneier: ISPs should bear security burden

daemon@ATHENA.MIT.EDU (Owen DeLong)
Thu Apr 28 18:25:16 2005

Date: Thu, 28 Apr 2005 15:22:43 -0700
From: Owen DeLong <owen@delong.com>
To: Andy Johnson <andyjohnson@ij.net>, nanog@merit.edu
In-Reply-To: <42712562.5070901@ij.net>
Errors-To: owner-nanog@merit.edu



> In my own opinion, I would not expect a transit provider to filter
> anything other than my BGP announcements. However, I would expect my ISP
> to filter a possible worm infection port(s), as it would completely
> saturate my lowly-end-user datapipe if they did not, making network
> access worthless, even if my host was secure. Of course, I would also not
> expect to pay a higher fee for this filtering.
> 
I'm probably one of the ones you think is confused.  However, I am not;
I simply don't think that they need different policies about what packets
flow.  If the customer doesn't ask for something to be blocked, it shouldn't
be blocked.

The most probable worm infection port is 80 or 443.  Do you really want those
filtered by your ISP?  I don't... It would wreak havoc with my web servers.

> Additionally, I am curious why any time a technical issue comes up on
> NANOG (or any other operator list), people resort to terrible analogies
> that have little to do with the actual content of the discussion?
> 
Personally, I think the analogy was a pretty good one.  Just because it
doesn't support your point of view doesn't make it a bad analogy.  No matter
how much you and the person you quoted would like to obscure the fact,
default filtration is bad policy for a number of reasons:

	+	It inflicts an unfair cost burden on responsible users
		who want full internet connectivity.

	+	It inflicts an unfair cost burden on responsible users
		who don't need full internet connectivity but don't
		need ISP-side filtration, either.

	+	It taxes responsible users in order to reduce the costs
		of irresponsible users.

	+	It is a transit solution to an end-host problem, thus
		creating a number of undesirable side-effects, not the
		least of which is the cost of a continuing arms race
		between the filters and the malware.

Owen

> ---
> Andy



-- 
If it wasn't crypto-signed, it probably didn't come from me.


