Even you can be hacked

Owen DeLong owen at delong.com
Fri Jun 11 07:08:16 UTC 2004


> 	It all depends upon what the agreement between the customer and the ISP
> says. It's not unreasonable for the ISP to 'insure' the customer against
> risks he isn't able to mitigate which the ISP is, even if that means
> shutting off his service.
>
True, to some extent, but...


> 	If someone blows up my water line and $1,000,000 worth of water is
> wasted, I don't think the water company is going to expect me to pay for
> it. This is especially true if the water company knew about the leak,
> could have done something to mitigate it, and failed to do so. Even if
> that means shutting off my water, that's what I'd expect them to do, shut
> it off until someone fixes it.
>
Interesting theory.  I don't expect that.  I expect the water company to
tell me how to shut off my water, or, possibly offer to come out and shut
off my water for a fee.  I don't expect them to turn the water off just
to protect me from an outrageous bill if the problem is on my portion of
the line.  I do expect them to shut off your line when it blows up if
it is causing a pressure drop which is affecting other customers, whether
you want them to or not.

> 	Most of the people on this list see things from the ISP's perspective.
> However, step back a bit and see it from the user's perspective. Do you
> expect to pay for phone calls you didn't make or do you expect the person
> whose deliberate conscious action caused those calls to be made? Do you
> expect to be responsible for patrolling your electric lines to make sure
> someone hasn't plugged into your outside outlets?
>
Well, as the step-parent of two teenage daughters, both of whom have cell
phones purchased for them by my wife, I routinely pay for telephone calls
I didn't make with no hope of getting said teenagers to ever pay the bill.
I certainly don't expect the electric company to patrol my outside electrical
outlets, and, yes, when someone plugged into one of mine, I did get billed
by the power company.  Why should they pay for it?  They delivered the
electricity to me.  What I did with it afterwards (in this case, giving it
to someone else I didn't expect or condone) is my problem.

> 	For most classes of service, it makes the most sense to only charge the
> customer for the traffic he wants and have the ISP take the responsibility
> for dealing with attacks to the extent they can do so. This is because the
> customer can't afford to hire a full time person to guard his always-on
> DSL connection while he's away for two weeks but his ISP can. This may
> mean that you're disconnected until they can coordinate with you -- such
> is life.
>
If the customer is sending the traffic to the ISP (the issue in this case),
then the ISP has no ability to drop the traffic before it arrives at the
ISP router.  The ISP, in this case, acted responsibly and informed the
customer of their problem.  They were even gracious enough to give the customer
credit for some period of time.  The ISP in this case did not control the
CPE, it was the customer's CPE.  As such, the customer is responsible for
maintaining and configuring the CPE to do any desired blocking.

> 	Just be aware, your customers may not have the same expectations you do,
> and you should make your understanding *very* clear to your customers in
> your contracts.
>
I don't make anything for customers in contracts... We have a sales department
and a legal department that do that.  I make routers deliver packets, and,
sometimes, I even have to make routers not deliver packets.  Sometimes, I
help sales and legal figure out how to explain things to customers.  Once
in a while, I help them clarify that in the contract.  Fortunately, for the
most part, I run routers, not contracts.  I like it better that way.
However, I will say that the customers I have dealt with on the technical
level have generally expected us to deliver packets, and, expected to pay
for packets we deliver according to their agreement.  When they ask us to
block something, we do, but, I have never had a customer expect not to pay
for their infected system AFTER we told them they were spewing.

YMMV,

Owen


-- 
If it wasn't crypto-signed, it probably didn't come from me.