Paul Vixie wrote:
> have been able to bind a reputation to an IP address and act in some way based on that reputation because TCP more or less requires that a real IP address be used. we're seeing cracks at the edges of this model now, because so many core routers have login: cisco; password: cisco, and it's now trivial for any spammer to inject BGP that either lights up unallocated space or cuts out a piece of somebody else's allocated block. this makes it possible to very temporarily and untraceably speak TCP from addresses that have no reputation (if they're unallocated) or that have a good reputation (if they're cutouts).
> ...
> i've pondered whether a network reputation service based on morality rather than behaviour could possibly work.
> ...
> would anyone be willing to deny service to them -- to paint them as having a negative reputation even though their "sin" is laziness or cluelessness rather than malevolent intent?
> ...

Yes, I've long been an advocate. Heck, the entire community had to take this approach temporarily to slow/stop 2 worms (so far), because the damage was so great that we couldn't operate otherwise.
However, I'd argue semantically that this is "behaviour" as well -- under a negligence or attractive nuisance doctrine. My previous solution involved extensive AUPs, but over time I've found AUPs to be almost entirely unenforcible. Action turns out to be very expensive, courts don't understand them, and are reluctant to support the "outsider" ISP over their small business that belongs to the local chamber. I was pleased by community action for de-peering this last year, although it took several years of mounting evidence and national media exposure. Do we need a law?