Re: IAB concerns against permanent deployment of edge-based filtering
> On 18 Oct 2003, at 23.28, bmanning@karoshi.com wrote:
>> and if they are useful to the folks on my network, the ports will be opened up.
> This is where we are disagreeing.
> Remember:
> - The Robustness Principle: "Be conservative in what you do, be liberal in what you accept from others." [Jon Postel, RFC 793]
> - The Principle Of Least Astonishment: A program should always respond in the way that is least likely to astonish the user. [Traditional, original source unknown]
yup. remember those.
> Because of this, if the overall explicitly stated (by the IETF) goal is not that filtering should NOT happen, it will happen.
it's happened for years and is implicitly allowed.
> Yes, it is an ISP, regardless of transit or edge, which is responsible for their network.
thank you.
> It is my belief that statements like this from the IAB will help, as ISPs and customers of ISPs both can see what the IAB think the goal of operations is. Customers can say "hey, IAB says this, why don't you run your network that way". The ISP can then explain (and in some cases it of course makes sense what the ISP says).
Such a statement from the IAB might be construed improperly, in much the same way as you claim RFCs are "improperly" interpreted by various and sundry ISP/commercial folks. If I get a customer who says "hey, IAB says this, why don't you run your network that way", my response will be something along the lines of "vendor bugs, e.g. the cisco IOS attacks via chargen, daytime et al., or Microsoft RCP weaknesses - FIRST/CERT/SANS recommendations to mitigate DDOS. We can have a working, productive network or we can have an IAB compliant network."

Now it's not the IAB's fault that implementations make local optimizations or overlook coding weaknesses. The IAB should provide a sound architectural framework and direct the IESG/IETF to advance robust, well defined protocols down the standards track (they should also encourage publication and development of novel ideas, via experimental/informational RFCs, but that is another topic). However, in the absence of the network police (you know, the interoperability squad) it is impossible for me to put a whole lot of credence in the IAB telling me that it would be best if I would ensure that filters are only transitory. That's nearly the same as telling me that being healthy is good.

That said, no filters are permanent, some just last longer than others, depending on when problems are fixed. Cast in a different light, let me ask you this: is it better to ship products with "security" turned off or turned on?
> paf
participants (1): bmanning@karoshi.com