Schneier: ISPs should bear security burden

Owen DeLong owen at delong.com
Thu Apr 28 22:22:43 UTC 2005


> In my own opinion, I would not expect a transit provider to filter
> anything other than my BGP announcements. However, I would expect my ISP
> to filter a possible worm infection port(s), as it would completely
> saturate my lowly-end-user datapipe if they did not, making network
> access worthless, even if my host was secure. Of course, I would also not
> expect to pay a higher fee for this filtering.
> 
I'm probably one of the ones you think is confused.  However, I am not,
I simply don't think that they need different policies about what packets
flow.  If the customer doesn't ask for something to be blocked, it shouldn't
be blocked.

The most probable worm infection port is 80 or 443.  Do you really want those
filtered by your ISP?  I don't... It would wreak havoc with my web servers.

> Additionally, I am curious why any time a technical issue comes up on
> NANOG (or any other operator list), people resort to terrible analogies
> that have little to do with the actual content of the discussion?
> 
Personally, I think the analogy was a pretty good one.  Just because it
doesn't support your point of view doesn't make it a bad analogy.  No matter
how much you and the person you quoted would like to obscure the fact,
default filtration is bad policy for a number of reasons:

	+	It inflicts an unfair cost burden on responsible users
		who want full internet connectivity.

	+	It inflicts an unfair cost burden on responsible users
		who don't need full internet connectivity, but, don't
		need ISP-side filtration, either.

	+	It taxes responsible users in order to reduce the costs
		of irresponsible users.

	+	It is a transit solution to an end-host problem, thus
		creating a number of undesirable side-effects, not the
		least of which is the cost of a continuing arms race
		between the filters and the malware.

Owen

> ---
> Andy



-- 
If it wasn't crypto-signed, it probably didn't come from me.

