EC2 and GAE means end of ip address reputation industry? (Re: Intrusion attempts from Amazon EC2 IPs)

Eliot Lear lear at cisco.com
Mon Jun 23 07:02:04 UTC 2008


Hi Paul,

Let's go back to the case in point: Amazon is claimed not to behave as 
a good Netizen.[*]  In these circumstances we have to ask why the 
traditional system doesn't work.  This is precisely the case when you 
want to ding someone's reputation.  Your argument that many good 
applications will be running to counterbalance the bad depends on 
whether those running the good applications will tolerate intermittent 
outages because the bad applications cause the sites to get blacklisted.

Also, let's remember that reputation means different things in different 
contexts.  One could easily envision a cloud having a good web 
reputation and a lousy or at best neutral email reputation.[**]  In 
addition, the risks of infection are also very different.  In the web 
case, if a host connects to a known infected site, its risk of becoming 
infected is very high, compared to the risk of someone receiving an 
email message that points to spam.  This means to me that end users who 
are protecting themselves with some sort of web reputation service are 
likely to guard against clouds and not quickly whitelist them.

But there's also the possibility for web reputation services to improve 
granularity above and beyond the IP address, but this depends on quite a 
number of things, such as whether SSL is used and where and how 
information is collected by the services.[***]

And so the question boils down to this: will Amazon and its ilk adapt to 
the current reputation services model or will it be the other way 
around?  I think it will be both, but more the former than the latter.

Eliot

[*] Not my claim.
[**] Email reputation is commonly applied to messages and to TCP/25.  
For our purposes, although it's overly simplistic, let's view web 
reputation as everything else.
[***] Self-signed certs are a clearly interesting area to consider when 
it comes to THEIR reputations.  The same can be said for any X.509 CA 
that itself doesn't do a good job of confirming the identity of a 
requestor.  I don't suggest that this should be a sole input or even a 
significant discriminator in and of itself, of course.