On Sat, 12 Jun 2004, John Curran wrote:
The real challenge here is that the "default" Internet service is wide-open Internet Protocol, w/o any safeties or controls. This made a lot of sense when the Internet was a few hundred sites, but is showing real scaling problems today (spam, major viruses, etc.)
One could imagine changing the paradigm (never easy) so that the normal Internet service was proxied for common applications and NAT'ed for everything else... This wouldn't eliminate all the problems, but would dramatically cut down the incident rate.
This sounds like a fantastic idea, for instance: How much direct IP does joe-average Internet user really require? Do they require anything more than imap(s)/pop(s)/smtp(+tls) and dns/http/https? I suppose they also need:

1) internet gaming
2) voip
3) kazaa/p2p-app(s)-of-choice
4) IM

Actually, I'm sure there are quite a few things they need, things which require either very smart NAT/Proxy devices or open access. The filtering of IP on the broad scale will hamper creativity and innovation. I'm fairly certain this is not what we want in the long term, is it?
If a site wants wide-open access, just give it to them. If that turns out to cause operational problems (due to open mail proxies, spam origination, etc), then put 'em back behind the relays.
We have methods of dealing with these abuse problems today; unfortunately, as Paul Vixie often points out, there are business reasons why these problems persist. Often the 'business' reason isn't the tin-foil-hat-brigade's reason so much as 'we can't afford to keep these abuse folks around since they don't make money for the company'.

Downstream from the ISP, the individuals are not taking responsibility for their actions/inactions with respect to 'security'. Vendors are not providing safe environments for their consumers either. I understand that shipping an OS with 100% of things enabled might 'foster innovation' or 'make things easier for the end user'; however, so would well-thought-out instructions for enabling (safely) these same features. 99% of computer users never ever need to share files, yet file sharing is enabled by default on some operating systems... This is a major vector for infection and abuse.

Education and awareness are also lacking in the industry as a whole, well not the 'industry' so much as 'the culture' I think. "Why should anyone want to hack my machine? I'm not some big corporation with lots of 'secrets'." No, they want your machine for the simple fact it's connected to the global Internet and it's NOT their ip address so abuse of it won't harm 'them' :(

-Chris
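As an added illustration, not part of the thread, of the "proxied/NAT'ed by default" service Chris sketches: a constructed Python policy check that allows outbound only the services he lists (mail with TLS variants, DNS, HTTP/HTTPS), denies everything else, and groups the denials per host for an abuse desk. The customer subnet, the flow record format, and the extra port numbers (465/587/5060) are my assumptions; the sample flows are constructed and include the VoIP case he raises as a cost of such filtering.

```python
"""Default-deny egress policy for a customer subnet (constructed example)."""
from ipaddress import ip_address, ip_network

# Allowlist from the post: mail (IMAP/POP/SMTP, with TLS variants), DNS, HTTP(S).
ALLOW_TCP = {25: "smtp", 465: "smtps", 587: "submission", 110: "pop3",
             995: "pop3s", 143: "imap", 993: "imaps", 53: "dns",
             80: "http", 443: "https"}
ALLOW_UDP = {53: "dns"}

CUSTOMER_NET = ip_network("192.0.2.0/24")  # constructed (TEST-NET-1)


def evaluate(flow):
    """Return (verdict, reason) for one flow {src, proto, dport}; only flows
    sourced inside CUSTOMER_NET are policed, replies are left to state tracking."""
    if ip_address(flow["src"]) not in CUSTOMER_NET:
        return ("ignore", "not sourced from customer net")
    table = ALLOW_TCP if flow["proto"] == "tcp" else ALLOW_UDP
    name = table.get(flow["dport"])
    if name:
        return ("allow", name)
    return ("deny", f"{flow['proto']}/{flow['dport']} not in default allowlist")


def audit(flows):
    """Group denied flows by source host: the list an abuse desk would review."""
    denied = {}
    for f in flows:
        verdict, reason = evaluate(f)
        if verdict == "deny":
            denied.setdefault(f["src"], []).append(reason)
    return denied


# Constructed flows: normal mail/web use, one host spraying SMB (the
# file-sharing vector the post mentions), one legitimate VoIP/SIP call,
# and one inbound probe that this egress policy does not cover.
SAMPLE_FLOWS = [
    {"src": "192.0.2.10", "proto": "tcp", "dport": 443},
    {"src": "192.0.2.10", "proto": "udp", "dport": 53},
    {"src": "192.0.2.10", "proto": "tcp", "dport": 993},
    {"src": "192.0.2.20", "proto": "tcp", "dport": 445},
    {"src": "192.0.2.20", "proto": "tcp", "dport": 445},
    {"src": "192.0.2.30", "proto": "udp", "dport": 5060},
    {"src": "203.0.113.1", "proto": "tcp", "dport": 445},
]

if __name__ == "__main__":
    for host, reasons in audit(SAMPLE_FLOWS).items():
        print(f"{host}: {len(reasons)} denied, e.g. {reasons[0]}")
```

The SIP host lands in the same denied list as the SMB sprayer, which is the trade-off the reply describes: the policy cuts the abuse vector but also breaks anything not on the allowlist until a smarter NAT/proxy handles it.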