Re: Fwd: Re: Digital Island sponsors DoS attempt
I am sure, Digital Island gets the necessary permissions from network owners before hammering them with those requests, right?
The same "permissions" that allow seamless end-to-end connectivity across the entire Internet. The same "permissions" you granted to others when you signed the connectivity agreement.
"everything not expressly forbidden is allowed" is a workable model for peering relationships and even transit relationships, but it only works within the context of a direct relationship of some kind. in the case where the sender and receiver are communicating between one or many third parties, there is no direct relationship and thus no apriori terms of service to which the traffic must conform. for this, we reverse the model: "everything not welcomed is forbidden" and thus create a prior restraint problem which goes by the name "what, then, is implicitly welcome or unwelcome?" generally any traffic which unequally benefits the sender isn't welcome. ping traffic, even ping traffic which helps one network figure out how to best route traffic to another, still unequally benefits the sender. one ought not, in my opinion, ever have to ask that such pings be stopped. another test for "welcome" is "if everybody did this, would the recipient be injured?" clearly this is the same profile as "unequal benefit to the sender" and the answer in the case of these pings is "yes, ouch." smurf, ddos in general, and spam also classify well by this criteria. it *is* possible to know before initiating communication whether it's implicitly "welcome" by this standard, even if you have no direct relationship to the recipient whose terms and conditions would explicitly tell you the answer.
On 25 Oct 2001, Paul Vixie wrote:
"everything not expressly forbidden is allowed" is a workable model for peering relationships and even transit relationships, but it only works within the context of a direct relationship of some kind.
in the case where the sender and receiver are communicating between one or many third parties, there is no direct relationship and thus no apriori terms of service to which the traffic must conform. for this, we reverse the model: "everything not welcomed is forbidden" and thus create a prior restraint problem which goes by the name "what, then, is implicitly welcome or unwelcome?"
Until there are standards and technology available to push subscriber policy to the edge of the network and beyond, the subscriber has explicitly accepted the overall terms and conditions by which the service is to be provided. Since peering agreements are typically "not forbidden is allowed", subscribers too have adopted this policy by their express consent to the service provider's terms of service. Service providers stand on this high ground frequently when they deny their subscribers access to particular hosts on the Internet for violations of "Acceptable Use" policies. When technology and standards are in place to enforce subscriber policy globally, then we can both establish and charge for specific subscriber terms and conditions. This sounds pretty ludicrous, if not dangerous.
generally any traffic which unequally benefits the sender isn't welcome. ping traffic, even ping traffic which helps one network figure out how to best route traffic to another, still unequally benefits the sender. one ought not, in my opinion, ever have to ask that such pings be stopped.
I am assuming in this discussion that when you refer to "benefit", you are in fact referring to "financial benefit". If this is the case I would be forced to disagree. Packets exchanged between parties that participate in a Sender Keep All settlement relationship cannot be to the exclusive benefit of a single party. The parties have already agreed on settlement, and thus are already getting compensated for the delivery of said packets. (This is of course true regardless of the settlement model.)
another test for "welcome" is "if everybody did this, would the recipient be injured?"
An interesting hypothesis, but it is seldom the case that the sender of traffic knows the details of the recipient's infrastructure. One-hundred-million clients attempting to access a news agency during a crisis may certainly produce a denial of service, but this was surely not the intent of the originator.
smurf, ddos in general, and spam also classify well by this criteria. it
Smurf and DDOS attacks are precisely that - attacks. They are intentionally initiated for the purpose of disrupting infrastructure or service. They are illegal. Spam - and here we are again. Since it is nearly universally accepted that spam creates an unfair financial benefit for the spammer, then it is safe to suggest that the cost arrangement should be completely reversed. This breaks most provider settlement relationships. (This of course, all ignoring the fact that spammers already break acceptable use policies for their own providers.)
*is* possible to know before initiating communication whether it's implicitly "welcome" by this standard, even if you have no direct relationship to the recipient whose terms and conditions would explicitly tell you the answer.
It is? I am curious as to what exactly you are referring to. Regards, James
On 25 Oct 2001, Paul Vixie wrote:
another test for "welcome" is "if everybody did this, would the recipient be injured?" clearly this is the same profile as "unequal benefit to the sender" and the answer in the case of these pings is "yes, ouch."
As the saying goes, even too much of a good thing can be bad. So looking at this from the 'too much' side, how can you tell if it was bad because it was all bad, or if it was just too much good, and that made it bad? I don't think you can infer that because the extreme case (everyone doing it) is bad (unequal), therefore the singular case is also bad/unequal. Most things tend to be viewed as 'equal' or otherwise tolerably 'fair' within certain ranges we call 'reasonable', and outside of those ranges is where they are considered unequally balanced.
this criteria. it *is* possible to know before initiating communication whether it's implicitly "welcome" by this standard, even if you have no direct relationship to the recipient whose terms and conditions would explicitly tell you the answer.
By this reasoning, I could never send an email or make a phone call or go visit everyone (especially a new acquaintance), because if /everyone/ sent them an email, or called them, or visited them, it would certainly be unwelcome (and possibly cause injury). My singular action is within the range considered fair and reasonable, where everyone doing it (or in fact, even just a few dozen people doing it) would probably not. Pete.
On Fri, Oct 26, 2001 at 01:02:29AM -0600, Pete Kruckenberg stated: [snip]
By this reasoning, I could never send an email or make a phone call or go visit everyone (especially a new acquaintance), because if /everyone/ sent them an email, or called them, or visited them, it would certainly be unwelcome (and possibly cause injury). My singular action is within the range considered fair and reasonable, where everyone doing it (or in fact, even just a few dozen people doing it) would probably not.
therefore, given current technology, it is up to the receiver to state when he/she/they no longer wish to receive traffic of type X (be it network probes well-intentioned or otherwise). And it is up to the sender to STOP sending said traffic upon receipt of such a statement. Not to reply saying, "We've done nothing wrong, we're just trying to improve network performance" (note that this performance gain is obviously not going to be on the receivers' side; at least not during the scans) and continue the inappropriate traffic. As with many things, there is a need for common sense and common courtesy. Neither of which are nearly as common as they should be.
Pete.
-- Scott Francis darkuncle@ [home:] d a r k u n c l e . n e t Systems/Network Manager sfrancis@ [work:] t o n o s . c o m UNIX | IP networks | security | sysadmin | caffeine | BOFH | general geekery GPG public key 0xCB33CCA7 illum oportet crescere me autem minui
in the case where the sender and receiver are communicating between one or many third parties, there is no direct relationship and thus no apriori terms of service to which the traffic must conform. for this, we reverse the model: "everything not welcomed is forbidden" and thus create a prior restraint problem which goes by the name "what, then, is implicitly welcome or unwelcome?"
And how does the owner communicate this to the sender ahead of time? I don't think you can, else there would not be a spam problem. Therefore, the only logical position the sender can take, if he is to act at all, is to assume that whatever is not actively prevented or refused, is welcome, until such time as he is notified otherwise. If it is not this way, how can ANY unsolicited communication take place? Must I ask permission to ask permission? --- "The avalanche has already begun. It is too late for the pebbles to vote" - Kosh
At 10:45 PM 10/25/2001, Paul Vixie wrote:
I am sure, Digital Island gets the necessary permissions from network owners before hammering them with those requests, right?
The same "permissions" that allow seamless end-to-end connectivity across the entire Internet. The same "permissions" you granted to others when you signed the connectivity agreement.
"everything not expressly forbidden is allowed" is a workable model for peering relationships and even transit relationships, but it only works within the context of a direct relationship of some kind.
I remember when the Internet was a collaborative collection of networks and network operators attempting to allow seamless connectivity among the users/content on each network. Based on the tone of this thread, those days are long gone. How much money do I need to send each of you for forcing this email, with an opinion that is contrary to yours, to traverse your network without your expressly stated consent? Greg U
I remember when the Internet was a collaborative collection of networks and network operators attempting to allow seamless connectivity among the users/content on each network. Based on the tone of this thread, those days are long gone.
How much money do I need to send each of you for forcing this email, with an opinion that is contrary to yours, to traverse your network without your expressly stated consent?
The email that you have sent us is part of a discussion. If any one of us is unhappy with your opinion or the amount of mail on this list they can easily unsubscribe. Also keep in mind that all of us have "opted-in" for this list. The Internet stopped being free when individuals started to abuse its open policies. If we did not have theft and violence in our society, we would have no need for police, security, locks on doors. Digital Island violated common courtesy by not informing users that it was scanning ahead of time. Listservs like this one reach a very large number of people and could have been a start of getting information out there. I am not opposed to certain probes, I am opposed to probes that I do not know about.
[At least we are back on topic.] At 04:18 PM 10/29/2001 -0500, Wojtek Zlobicki wrote:
Digital Island violated common courtesy by not informing users that it was scanning ahead of time. Listservs like this one reach a very large number of people and could have been a start of getting information out there. I am not opposed to certain probes, I am opposed to probes that I do not know about.
Even if you ask for DI content? DI said they only ping people who download DI web pages (or DI customer pages or something). If that is the case, and assuming the "probes" are a small fraction of the total amount of data downloaded (say low-single-digit-percentages), would you still be opposed to such probes? How about if they had a web page or e-mail address or something else where you could tell them "do not scan CIDR x.y.z.0/nn"? -- TTFN, patrick
participants (8): Gregory Urban, James Thomason, Mike Batchelor, Patrick W. Gilmore, Paul Vixie, Pete Kruckenberg, Scott Francis, Wojtek Zlobicki