On Sun, 14 Mar 2004, Andrew Dorsett wrote:
In a dorm room situation or an apartment situation, you again know the physical port the DHCP request came in on. You then know which room that port is connected to and you therefore have a general idea of who the abuser is. So what's the big deal if you turn off the ports to the room until the users complain and the problem is resolved?
It has to do with response time. If I send an abuse complaint to an organization's mailbox on a Friday night, will it be dealt with in the next 10 seconds? Or sometime next week? If the computer reboots every 60 seconds, and gets different IP addresses every time, a single infected computer can appear with lots of different IP addresses, which results in overblocking. Similar things happen when a very large corporation has a NAT firewall, and attacks appear to come from all over their address ranges. A long-term end-to-end identifier would let me immediately drop the specific infected computer's traffic regardless of its rotating IP addresses, even if your abuse department doesn't open until next Monday to track down the user to permanently fix it.

The other issue is assuming "abuse" is defined the same way. If I can uniquely identify the source, we don't have to debate whether my definition of abuse is the same as your definition. You might have a three-strike policy and I have a zero-tolerance policy. It doesn't matter if there was an end-to-end long-term identifier. While you are waiting for the other strikes, I can immediately block that specific computer regardless of what IP address it has today. That way "reputation" could be tied to the infected computer instead of random address ranges.

If IPsec ever gets fully deployed, then we may be able to negotiate end-to-end identification. The long-term end-to-end identifier does not need to include personally identifiable information.
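The overblocking and strike-policy argument above, worked through as an added simulation that is not part of the original thread: the event log and the per-host identifier field are constructed assumptions (no such end-to-end identifier is deployed), and the code simply compares a reputation table keyed on source IP with one keyed on a stable host identifier.

```python
"""Reputation keyed on a rotating IP address versus a stable per-host
identifier.  Added example, not code from the mailing-list thread; the
event log below and the 'host_id' field are constructed assumptions."""
from collections import Counter

# Constructed abuse/lease log: (time_s, host_id, ip, abusive).  One infected
# host reboots every 60 s and gets a fresh DHCP lease each time; two clean
# hosts later pick up addresses it vacated.
EVENTS = [
    (0,   "infected-1", "10.0.0.11", True),
    (60,  "infected-1", "10.0.0.12", True),
    (120, "infected-1", "10.0.0.13", True),
    (180, "infected-1", "10.0.0.14", True),
    (240, "clean-a",    "10.0.0.11", False),   # reuses a vacated address
    (300, "clean-b",    "10.0.0.13", False),   # reuses a vacated address
    (360, "clean-c",    "10.0.0.20", False),
]

def blocked_ips(events, strikes=1):
    """Reputation keyed on source IP, the only key a remote site has today.
    Returns the addresses with at least `strikes` abuse reports."""
    hits = Counter(ip for _, _, ip, abusive in events if abusive)
    return {ip for ip, n in hits.items() if n >= strikes}

def blocked_hosts(events, strikes=1):
    """Same policy keyed on the (assumed) stable per-host identifier."""
    hits = Counter(host for _, host, _, abusive in events if abusive)
    return {host for host, n in hits.items() if n >= strikes}

def collateral_hosts(events, ips):
    """Clean hosts whose traffic a per-IP blocklist would drop."""
    return {host for _, host, ip, abusive in events
            if not abusive and ip in ips}

def main():
    # strikes=1 is the zero-tolerance policy, strikes=3 the three-strike one.
    for strikes in (1, 3):
        ips = blocked_ips(EVENTS, strikes)
        hosts = blocked_hosts(EVENTS, strikes)
        print(f"strikes={strikes}: by-IP blocks {sorted(ips)} "
              f"(collateral: {sorted(collateral_hosts(EVENTS, ips))}); "
              f"by-host blocks {sorted(hosts)}")

if __name__ == "__main__":
    main()
```

With zero tolerance the per-IP table blocks four addresses and later catches two clean hosts; with a three-strike policy it blocks nothing at all, since every address has only one strike, while the per-host table blocks the one infected machine in both cases.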