On Fri, 31 Jan 2003 Valdis.Kletnieks@vt.edu wrote:
> > in this. My question is why large providers couldn't interlink themselves and establish guidelines for notification and resolution of network issues. They manage it for peering, why not for overall performance and security issues?
>
> "I'll get back to you Tuesday or when NANOG posts embarrass me" works for peering issues, but not for security issues.

Actually it works about as well for both issues. When John Markoff from the New York Times calls, companies take an interest. The reality is companies act in their own self-interest. Both peering and security have asymmetric costs, i.e. more pain or gain for one of the parties. Being a "good neighbor" is noble, but it doesn't pay. Although everyone could win if all parties cooperated, one party has an advantage by defecting because they save the expense but still get the benefit of everyone else doing it (tragedy of the commons, prisoners' dilemma, etc).

What is interesting is the flip between large and small providers on who benefits the most from peering or security. Peering is a much bigger "win" for a smaller provider than a large provider. So the small provider has an incentive to peer, while the large provider doesn't. For the large provider, peering is just another expense they would prefer not to spend.

On the other hand, security is a much bigger "win" for a larger provider than for a small provider. As Willie Sutton used to say, he robbed banks because that's where the money was. Larger providers have more exposure, and more to lose. Even a non-directed attack such as a worm tends to impact larger providers more than smaller providers. The larger provider has more incentive to work on security. For a small provider, security is just another expense they would prefer not to spend. And let's face it, bank security exists to protect the bank's money.