[98013] in North American Network Operators' Group
RE: How should ISPs notify customers about Bots (Was Re: DNS Hijacking
daemon@ATHENA.MIT.EDU (Chris L. Morrow)
Mon Jul 23 16:05:32 2007
Date: Mon, 23 Jul 2007 19:48:40 +0000 (GMT)
From: "Chris L. Morrow" <christopher.morrow@verizonbusiness.com>
In-reply-to: <D03E4899F2FB3D4C8464E8C76B3B68B0B9E9C5@E03MVC4-UKBR.domain1.systemhost.net>
To: michael.dillon@bt.com
Cc: nanog@merit.edu
Errors-To: owner-nanog@merit.edu
On Mon, 23 Jul 2007 michael.dillon@bt.com wrote:
>
> > Running email abuse desks for about a decade now makes me
> > tend to agree with you .. and completely unfiltered pipes to
> > the internet for customer broadband are a pipe dream, most places.
>
> If ISPs were able to standardize consumer Internet access services using
> a gateway box, then the necessary filtering could be done on the gateway
> which runs a secure OS. Of course its not too late to do this.
> Essentially all the consumer edge infrastructure needs to be upgraded to
> transition to IPv6. Rather than providing raw unfiltered Internet access
> over IPv6, ISPs could use a standard gateway box.
Would you like that in black plastic? With a nice dial on top to spin? :)
>
> When I say "standardize", I mean that ISPs could collectively work out
> the specs for such an IPv6 Internet gateway in the IETF along with
> vendors and other interested parties. Once a standard spec is agreed
> upon, vendors will make such boxes at the price-point that you need.
I think that was discussed in v6ops actually just 5 mins ago.
>
> I would also expect that I can buy such a box and manage it myself if I
> choose, rather than having the ISP manage it for me as with most users.
>
But it connects to my network, and if you touch it you could damage my
network... we could maybe get some legislation to fix this...
> I would also expect the box to have no NAT, use real IPv6 addresses, and
> provide various firewall features to protect my home network better than
> an IPv4 NAT box without preventing me from using new peer-to-peer
> protocols like SIP.
See the v6ops draft on CPE security... maybe that's a step in the right
direction? I'm sure the author would like some commentary.