On Jun 10, 2004, at 10:07 PM, David Schwartz wrote:
It all depends upon what the agreement between the customer and the ISP says. It's not unreasonable for the ISP to 'insure' the customer against risks he isn't able to mitigate which the ISP is, even if that means shutting off his service.
While it may not be unreasonable, it is also not unreasonable for the ISP to *not* insure the customer against such risks.
It all depends. :)
Well, it depends upon the class of service. For lower classes of service, it's generally a non-issue because the service isn't billed based upon usage. But I would argue that for low-end service (like home DSL) that is billed based upon usage, it's unreasonable for the ISP to bill customers for attack traffic. Obviously, it's possible that someone could offer this and get a customer to agree to it, but I'd be really suspicious as to whether they actually had a meeting of the minds with the customer about the consequences.
Also, you did not really address my question: Are you willing to sell me the service I asked for above?
I've acted as a negotiator for several companies who were looking to obtain connectivity. I've had no trouble negotiating agreements where the customer does not pay for attack traffic. Some companies want a 'per incident' fee, some don't. Usually these fees are reasonable and include firewalls and tracking and other things that are worth paying for. You can certainly get flat rate connections and you can get connections where if your service goes over X dollars, they rate limit you unless you agree to let more in. Yes, you can get almost any combination of service features. Obviously, some cost more than others. However, you can certainly get your ISP to insure you if you want. Heck, buy a flat rate 100Mbps line from any carrier and they're paying for any attack traffic over 100Mbps. Put in a filter and they're paying to carry all the attack traffic to the filter.
Most of the people on this list see things from the ISP's perspective. However, step back a bit and see it from the user's perspective. Do you expect to pay for phone calls you didn't make or do you expect the person whose deliberate conscious action caused those calls to be made? Do you expect to be responsible for patrolling your electric lines to make sure someone hasn't plugged into your outside outlets?
Actually, I Am Not An Isp. (Yes, that is really what it stands for.) I do see things from a user perspective. And I still do not agree with you.
For instance, I do believe if someone comes by and plugs something into an outside socket on my house that I should pay the bill. The power was used, it cost something, and the power company sure as hell was not responsible. Of course, if I can find the culprit, I can force him to pay. But that does not mean the power company should eat the difference.
It does if the person got to your house over the power company's lines. It does if the power company knows about it. Unfortunately, every analogy breaks down.
Take some responsibility.
How does a person with a DSL line at home take responsibility if he's away for a month? Is he supposed to hire someone?
This whole thing reminds me of when we were kids and I loaned my middle brother my walkman. He left it on the floor where my baby brother was playing - who promptly smashed it with some random toy and destroyed it. My middle brother claimed it was not his fault, my baby brother did it. I was out a walkman (big bux in those days!), but I learned a valuable lesson: Never trust someone who is not willing to take responsibility.
Certainly it was both of their faults and you're technically entitled to collect from either of them.
Since you seem to disagree with me, care to put your money where your mouth is? Sell me a service where I only pay for what I expect. I'm happy to have you shut me off if you notice traffic out of profile, but don't expect me to pay more than what I think I should. Oh, and you should be prepared to turn the service back on when I "fix" the problem (even if it is just going to happen again, and again, and again, and again...).
As I said, this kind of service is *definitely* available. You can get flat rate service where you only pay for what traffic you expect. You can get service where you can set a rate limit dynamically. You can get service where filters are put up at your whim and you do not pay for traffic that hits the filters. I think you're mostly being glib with clauses like "more than what I think I should", but it is definitely possible to negotiate contracts where you don't pay for attack traffic. It is definitely possible to negotiate contracts where there's a fixed maximum you can pay. In fact, I've never seen a contract that makes the customer responsible for attack traffic that doesn't make it to the customer's line (except for a per-incident fee). I don't that such a thing exists, but I've never seen or heard of it. As for inbound traffic, you would *definitely* bitch if you had to pay for inbound calls from telemarketers, and inbound attack traffic is much the same.

DS