At some point, people have to take responsibility for their actions or, in
this case, their home computer. I am not saying that ISPs can't do some
stuff (good net neighbor policies, like no smurf amplification, don't allow
other sites' IP addresses outbound from your network, block small services,
etc.), I agree with you there. BUT it is unreasonable to expect ISPs to take
on the whole security burden.
This might be a bad analogy but here it goes: You don't blame the
Department of Transportation for bad drivers. Everybody that owns a car is
responsible for the operation of their vehicle, including safety measures and
insurance in case something does happen. Why can't we expect those same
people to take responsibility for home computers?
Should we make home computer users attend a mandatory licensing class and
teach them safe computing (getting a driver's license)? Maybe we should have
a ticketing system and if they are guilty of 3 network violations, they have to
attend class again (the dreaded traffic review course). Or if all else
fails, suspend their access to the network for a year?
Now, how do you do that worldwide? It always comes down to that final
question... How do you get world buy-in?
Beth
-----Original Message-----
From: Paul D. Robertson [mailto:[EMAIL PROTECTED]]
Sent: Friday, June 08, 2001 12:12 PM
To: Young, Beth A.
Cc: '[EMAIL PROTECTED]'
Subject: RE: This is a must read document. (.edu and ISP perspective)
On Fri, 8 Jun 2001, Young, Beth A. wrote:
> OK, enough rambling but I don't see that a public ISP will be any different
> than this state run ISP. The end users are responsible for their actions.
> As a state entity, we have a slight advantage in that we can do end user
> education on a regular basis but that doesn't seem to make a difference....
You wouldn't accept BGP routes from them advertising entities outside of
their scope of responsibility, accepting sourced traffic under the same
provisions isn't a big leap.
You wouldn't let them put in CSU/DSUs that locked the one at your end of
the circuit, allowing them to connect routers that don't protect your
backbone isn't a big leap.
There is absolutely no legitimate reason for any ISP to let a customer
generate packets sourced from anything other than (a) their address space
or (b) a multicast group.
Connectivity requirements are fairly easy- just like not accepting IPX or
AT from the customer is pretty easy.
Service providers could *easily* mandate this for connectivity.
I'd be willing to try to dig up the code to re-spin up our anti-spoofing
test tool if we could get the bulk of providers to mandate this as a
connectivity requirement- then providers could get customers to prove
they'd filtered correctly.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
[EMAIL PROTECTED] which may have no basis whatsoever in fact."
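An added example, not part of the original thread and not the anti-spoofing test tool Paul mentions: one customer prefix list applied both to BGP advertisements and to packet source addresses, covering only case (a), the customer's own address space. The prefixes, sample packets and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample: prefixes assigned to one hypothetical customer
# (documentation ranges, not real allocations).
CUSTOMER_PREFIXES = [ipaddress.ip_network(p) for p in
                     ("192.0.2.0/24", "198.51.100.0/25", "2001:db8:10::/48")]


def route_allowed(advertised, assigned=CUSTOMER_PREFIXES):
    """Accept a route advertisement only if it lies inside an assigned prefix."""
    net = ipaddress.ip_network(advertised, strict=False)
    # The version check comes first because subnet_of() raises on v4/v6 mixes.
    return any(net.version == a.version and net.subnet_of(a) for a in assigned)


def source_allowed(src, assigned=CUSTOMER_PREFIXES):
    """Accept a packet only if its source address lies inside an assigned prefix."""
    addr = ipaddress.ip_address(src)
    return any(addr.version == a.version and addr in a for a in assigned)


def audit(packets, assigned=CUSTOMER_PREFIXES):
    """Return the (src, dst) pairs an edge source filter should have dropped."""
    return [(s, d) for s, d in packets if not source_allowed(s, assigned)]


# Constructed sample of (source, destination) pairs seen on the customer port.
SAMPLE_PACKETS = [
    ("192.0.2.17", "203.0.113.5"),             # inside the /24
    ("198.51.100.200", "203.0.113.5"),         # outside the /25
    ("10.1.1.1", "203.0.113.5"),               # private address leaking out
    ("2001:db8:10:4::9", "2001:db8:ffff::1"),  # inside the /48
    ("2001:db8:20::1", "2001:db8:ffff::1"),    # neighbouring /48
]

if __name__ == "__main__":
    for prefix in ("192.0.2.128/25", "192.0.2.0/23", "198.51.100.0/24"):
        print("route ", prefix, "accept" if route_allowed(prefix) else "reject")
    for src, dst in audit(SAMPLE_PACKETS):
        print("drop  ", src, "->", dst)
```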