Points on your Internet driver's license (was RE: Even you can be
Adi Linden
adil at adis.on.ca
Sun Jun 13 23:46:35 UTC 2004
> > And that is a problem. Unlike your electricity, where the supplier has an
> > obligation to provide a certain level of clean energy, there is nothing
> > like it with internet bandwidth. All the crud and exploits are dutifully
> > forwarded to the customer.
> >
> Clean internet service is internet service that delivers only valid IP
> datagrams. Most internet service is clean internet service. Any internet
> service that looks above layer 3 to make forwarding decisions is not clean
> internet service.
Perhaps this is where our opinions greatly differ. If I am a customer with
my own block of routable IP space I agree with you 100%. But this is about
the average home user that receives a dynamic ip leased from the ISP.
Clean internet is more than just valid IP datagrams to my IP address. If I
connect to my ISP and do nothing beyond that, not a single packet, I
expect to not receive any packets either. If I initiate a GET request to a
web server I expect the web server's response to be returned unaltered. If I
have an email account with my ISP I expect only valid email to be
delivered to my email address. I consider this clean internet service from
the perspective of the average home user.
> > I argue that this is way overboard. I don't believe anyone should require
> > any particular knowledge to obtain an internet connection and use the
> > internet. Instead internet needs to be available as a clean conditioned
> > service for consumption by the clueless.
> >
> I agree that the IDL is overboard. I even agree with your second sentence.
> Consumers need to demand software which does not support these exploits from
> their software vendors. That is the real solution. The internet is a
> transport, just like the phone line coming into your home. Nothing prevents
> someone from making an obscene phone call to your house. The most common
> problem software today is like having a telephone that won't let you hang
> up on the prank caller, then, demanding that the phone company prevent those
> calls from coming in the first place.
As a telephone customer I expect to pick up the phone, make a call and hang
up. I expect to receive calls and hang up. If the phone crashes in the
middle of a conversation I am not happy, if it cost me money because LD
charges continue to apply I am even less happy. The manufacturer of the
phone has a given set of specifications to work with and the phone company
has a given set of parameters of what the signal of the phone line should
look like.
What if I call you and put an awful tone on the line that blows your
eardrums, locks up your phone and causes it to dial on its own and do the
same to all your friends from your phone. As a bonus you'll get an LD bill
from the phone company for all the calls your phone made without your
permission. Who's to blame? The phone company because they transmitted
harmful signals? The phone manufacturer for building a phone without
accounting for the possibility of this sound? The customer for picking up
the phone? How do you prevent future events of this sort? Customer
education?
All of today's software has flaws, some more, some less. Some of these
flaws should simply not exist, while others are an oversight. Many of the
current exploits have one thing in common, malformed packets addressed at
machines that never requested the packets they are receiving to begin
with. Stopping these packets from reaching their target is just as
important as having the target immune to the attack.
The ISP provides a service to a customer, the ISP should be sensible to
the customer's requirements. If the customer requires clean internet
service then this is what the ISP should strive for. This doesn't relieve
the customer from being responsible (like opening any and every attachment
received) but it is just another layer in reducing the enormous amount of
garbage traffic we are seeing.
Adi