Comment spammers chewing blogger bandwidth like crazy
Deepak Jain
deepak at ai.net
Tue Jan 16 00:02:03 UTC 2007
>> If you allow anonymous, unauthenticated access to any system it will
>> be abused. Auctions, blogs, chat, mail, phone, etc. IP addresses
>> have never been good authenticators for applications.
>
> This is not true if you control the IP address space and the routers
> around it.
>
> I mention this merely because "IP addresses have never been good
> authenticators" or the like is becoming a truism. For ISPs with good
> source filtering in place then IP addresses ARE good first level
> authenticators (e.g. filter lists on management ports). Note: I say
> FIRST level authenticators; IP addresses are obviously not suitable as
> the whole authentication process.
>
I don't know why, but I feel the need to clarify some semantics. I am
sure everyone involved in this discussion already knows what I am about
to say.

I think the word "system" here is being abused and the context is changing.

IPs are reasonable in the authentication process for network-centric
items (like routers, things that make up the lowest levels of the OSI
stack). Systems here means routers, or the networks they make.

IPs are less reasonable the higher up the OSI stack you go. A web server
may authenticate with IPs and find use in them. An application running
on that web server is almost always going to find less value in that
authentication since it is capable of more specific authentication
(password, cookie, post rate limit, etc). This use approaches, but may
not reach, the "zero" asymptote when you consider cases of applications
running on private networks (VPNs, NAT networks, localhost, etc). System
here means anything else, but almost never a router or the underlying
network infrastructure.

Yes, Geotrack has given us some more detail (of varying levels of
precision/accuracy) of where IPs come from. But pretty much IP level
controls (IMO) should stay at the lowest levels of the OSI stack.

Ian looks to me like he was talking about routers & their neighbors.
Which is a very NANOG charter way to look at things.

Sean looks like he was talking about everything else (applications and
things in user space). All things NANOGers support that pays for
the pretty blinky lights.

I'm done. Hope that was mildly interesting or useful.

Deepak
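
An added illustration, not part of the original message: the post rate limit mentioned above, keyed first by source IP and then by an application session, run over constructed comment traffic that includes a shared NAT address. The request data, the `rate_limit` helper and the assumption that the session value is bound to an authenticated login are all hypothetical.

```python
from collections import defaultdict

# Constructed sample traffic: (timestamp_seconds, source_ip, session_id).
# 203.0.113.7 is a NAT gateway shared by three ordinary commenters.
# Session "bot" is one spammer posting from a different address each time.
# Assumption: session_id is issued by the application after a login, so it
# identifies an account rather than a network location.
REQUESTS = [
    (0, "203.0.113.7", "alice"),
    (5, "203.0.113.7", "bob"),
    (9, "203.0.113.7", "carol"),
    (12, "198.51.100.1", "bot"),
    (13, "198.51.100.2", "bot"),
    (14, "198.51.100.3", "bot"),
    (15, "198.51.100.4", "bot"),
    (40, "203.0.113.7", "alice"),
]

def rate_limit(requests, key, limit=2, window=60):
    """Sliding-window limiter: at most `limit` accepted posts per `window`
    seconds for each identity returned by `key`. Returns rejected requests."""
    history = defaultdict(list)   # identity -> timestamps of accepted posts
    rejected = []
    for req in requests:
        ts = req[0]
        ident = key(req)
        recent = [t for t in history[ident] if ts - t < window]
        if len(recent) >= limit:
            rejected.append(req)
        else:
            recent.append(ts)
        history[ident] = recent
    return rejected

def by_ip(req):
    return req[1]

def by_session(req):
    return req[2]

def rejected_sessions(rejected):
    """Distinct sessions that had at least one post rejected."""
    return sorted({r[2] for r in rejected})

if __name__ == "__main__":
    print("keyed by IP:     ", rejected_sessions(rate_limit(REQUESTS, by_ip)))
    print("keyed by session:", rejected_sessions(rate_limit(REQUESTS, by_session)))
```

Keyed by IP, the limiter rejects two of the commenters behind the NAT address and never touches the spammer; keyed by session, only the spammer is rejected.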