Krebs on Security booted off Akamai network after DDoS attack proves pricey

Florian Weimer fw at
Sun Oct 9 11:20:00 UTC 2016

* Eliot Lear:

> Not my end goal.  My end goal is that consumers have a means to limit
> risk in their home environments, and service providers have a means to
> deliver that to them.

They already have, with today's technology.  It's just not a
mass-market business.  Consumers either have to educate themselves
(which is not that hard), and service providers need to provide actual
service, instead charging a fee for access to a computer system.

There is little interest in this, however.  There's a comparable
business case for providing managed PCs to consumers, and I'm not sure
if any such companies are still left.

>> I'm not convinced that expected traffic profiles are the right answer.
>> We already have that in the server hosting market, and it does
>> constraint the types of services you can run on hosted servers (for
>> the hosting providers who does this).  I'm wary of the network putting
>> severe constraints on application architecture, way beyond what is
>> dictated by current technology.  NAT more or less killed servers on
>> consumer networks, and this kind of traffic profiling has begun to
>> kill clients on server networks.
> The whole point of MUD is to leave control in the hands of those who
> have developed and have to support Things.  It is not simply for the SP
> to decide what traffic is ok, or to charge more for it, but to respect
> the wishes of the developers.  That may be sufficient to stop a lot of
> bad things from happening to a lot of Things.

Nobody respects what developers want, otherwise we wouldn't have any
shipping products at all.

What I'm trying to say: Cutting corners is more often a
non-development decision.  If you can ship today without any security,
or at some unknowable date in the future, with additional security
features whose impact may not matter, things usually head for the
earlier shipping date.

I used to be frustrated by such decisions, but over the past few
years, I've come to realize that most of us have so little data on the
effectiveness of security features that mandates for them are
essentially arbitrary.

> And again, this is the wrong way to look at it.  The consumer should
> always get final say.  They're the customer.  This is a chance for the
> manufacturer of the device they're using to explain how the device is
> supposed to behave on the network.

If we want to make consumers to make informed decisions, they need to
learn how things work up to a certain level.  And then current
technology already works.

(Sorry that I'm not inclined to read upon the specs—I do wonder how
this an improvement over UPnP.)

More information about the NANOG mailing list