RE: Alpha test of MAE filtering capability
---------- From: Paul A Vixie [SMTP:paul@vix.com]
> But let me turn it around. With no means of detection, why do we suspect that it's a problem? That is, why doesn't the cause for suspicion also work as a means of detection?

Well, here is the way I found mine. We keep usage information on all of our router ports, and one day my FDDI interface to an exchange point jumps by 10Mbps. I haven't added any customers, and going back to examine my traffic patterns for customer ports, I have no coinciding traffic increase. However, I do show this increase mainly passing from one exchange point to the other. After isolating all traffic sources that would have created such a jump in traffic, I come up with a big goose egg. So my next step was to log some flows from the router at the exchange point, and after poring through quite a few flows, I begin to see traffic from an entity that my company has absolutely no relationship with.

This all takes quite a bit of time. I would not want to judge anyone with partial data. Meanwhile, bandwidth paid for by my customers, and engineered based upon my customers' needs, is being chewed up. My customers are affected. I would prefer to prevent such events from affecting my customers, who I think would agree with this method.

IMHO, as long as money is involved, and as long as someone thinks that they have a chance of getting away with something, they will try it.

Chris
>> IMHO, as long as money is involved, and as long as someone thinks that they have a chance of getting away with something, they will try it.
>
> Entirely agreed. On the other hand I have what is turning out to be a unique (here) point of view about this. I don't want to prevent this kind of theft -- I want to discover it, and remove perpetrators from any IXP where they try it. I don't want to block it. I want to ensure that it is never tried twice. I appear to be in the minority wrt this view.

Currently, the cost of discovery is high. The cost of prevention, where it can be done, PAIX, is low. The result is predictable.

randy
> I don't want to prevent this kind of theft -- I want to discover it, and remove perpetrators from any IXP where they try it. I don't want to block it. I want to ensure that it is never tried twice.

Amen!

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
= George Phillips        Sprintlink ISC          =
= phillips@sprint.net    Network Operations      =
= "Kill -9 them all and let init(8) sort 'em out!" =
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
On Fri, 31 Jan 1997, Paul A Vixie wrote:
>> IMHO, as long as money is involved, and as long as someone thinks that they have a chance of getting away with something, they will try it.
>
> Entirely agreed. On the other hand I have what is turning out to be a unique (here) point of view about this. I don't want to prevent this kind of theft -- I want to discover it, and remove perpetrators from any IXP where they try it. I don't want to block it. I want to ensure that it is never tried twice. I appear to be in the minority wrt this view.

No, not entirely. We have been at two NAPs for nearly two years. We have over 60 peers now and have never abused those relationships. I would like to think that we are in the majority and that those that fail to meet those standards should be expelled, not filtered.

--david
David S. Holub
President, CTO
Whole Earth Networks (Hooked & The WeLL)
Paul's view of the problem is more long term in that it seeks to end the problem once and for all. I think Chris sees the prophylactic solution as serving his immediate self-interest. If ISPs at multiple meet points work together it can make the later solution far more effective. Point is ... we need to cooperate to eliminate those who put short-term profit above the health of the industry. A healthy Internet makes us better off.

---
On Fri, 31 Jan 1997 11:46:06 -0800 Paul A Vixie <paul@vix.com> wrote:
>> IMHO, as long as money is involved, and as long as someone thinks that
>> they have a chance of getting away with something, they will try it.
>
> Entirely agreed. On the other hand I have what is turning out to be a unique (here) point of view about this. I don't want to prevent this
> kind of theft -- I want to discover it, and remove perpetrators from any IXP where they try it. I don't want to block it. I want to ensure that it is never tried twice. I appear to be in the minority wrt this view.
---------------End of Original Message-----------------

--
From: Joseph T. Klein, Titania Corporation   http://www.titania.net
E-mail: jtk@titania.net   Sent: 22:42:14 CST/CDT 01/31/97
If the company nurse drops by, tell her I said "Never mind."
Paul A Vixie writes:
>> IMHO, as long as money is involved, and as long as someone thinks that they have a chance of getting away with something, they will try it.
>
> Entirely agreed. On the other hand I have what is turning out to be a unique (here) point of view about this. I don't want to prevent this kind of theft -- I want to discover it, and remove perpetrators from any IXP where they try it. I don't want to block it. I want to ensure that it is never tried twice. I appear to be in the minority wrt this view.

From a resource availability point of view, most of us would rather lock our houses than set up a sting operation.

From an operational integrity perspective, I find it difficult to argue that I should leave my infrastructure exposed to a potential problem - even though a technical solution is available to minimize it - just so that I can catch someone in the act and make an example of them.

Ideally you want to be able to detect this specific abuse. The same tools can be useful in diagnosis of pathological problems or for collection of statistics. This filtering is not unlike the concept of a screening table in SMDS, where packets are filtered on source and destination E.164 addresses by the SMDS switch. Works fairly well. Some of these switches have software that issues alerts when the screening fails. If they don't already, would the Gigaswitch folks add another knob to send traps or alerts when an access violation happens?

--pushpendra
Pushpendra Mohta   pushp@cerf.net   +1 619 455 3908
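The two detection ideas in this thread, Chris's flow-log hunt for an unexplained jump on an exchange-point port and Pushpendra's screening table that flags packets whose source or destination does not belong where they arrive, can be combined into one small checker. The script below is an added example written for this archive, not code from any of the posters or their networks. It assumes a constructed flow-record format ("src dst in_if out_if bytes"), hypothetical interface names (fddi0, fddi1) for the ports facing two exchange points, and documentation prefixes (RFC 5737) standing in for "our" prefix and two peers' prefixes; all sample flows are constructed. The screening rule is: a flow arriving on an exchange-point interface must be destined to us or a customer, a flow leaving on one must be sourced from us or a customer, and a flow that enters on one exchange-point interface and leaves on another with neither endpoint ours is third-party transit. Suspect bytes are totalled per source /24 so the "who" stands out, and the share of each exchange-point port's inbound bytes that is unexplained gives the figure to compare against the usage graph.

```python
"""Screen flow records from exchange-point ports and report traffic whose
endpoints belong to neither us nor our customers (third-party transit).

All prefixes, interface names and flow records below are constructed for
this example; the record format 'src dst in_if out_if bytes' is hypothetical."""
import ipaddress
from collections import defaultdict

# Constructed: the prefix we originate / carry for paying customers.
OUR_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed: router interfaces that face an exchange point (hypothetical names).
IXP_INTERFACES = {"fddi0": "ixp-a", "fddi1": "ixp-b"}

# Constructed sample flows. 198.51.100.0/24 and 203.0.113.0/24 play two peers
# met at different exchange points; eth1/eth2 are customer-facing ports.
SAMPLE_FLOWS = """
# src            dst             in_if  out_if  bytes
198.51.100.10    192.0.2.5       fddi0  eth1    1500
192.0.2.5        198.51.100.10   eth1   fddi0   800
203.0.113.10     192.0.2.7       fddi1  eth1    1200
198.51.100.50    203.0.113.9     fddi0  fddi1   90000
198.51.100.51    203.0.113.9     fddi0  fddi1   60000
203.0.113.9      198.51.100.50   fddi1  fddi0   30000
192.0.2.5        192.0.2.9       eth1   eth2    4000
"""


def is_ours(addr: str) -> bool:
    """True if addr falls inside a prefix we are entitled to carry."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OUR_PREFIXES)


def classify_flow(flow: dict) -> str:
    """Apply the screening rule; returns 'ok', 'transit',
    'unexplained-in' or 'unexplained-out'."""
    in_ixp = flow["in_if"] in IXP_INTERFACES
    out_ixp = flow["out_if"] in IXP_INTERFACES
    src_ok = is_ours(flow["src"])
    dst_ok = is_ours(flow["dst"])
    if in_ixp and out_ixp and not src_ok and not dst_ok:
        return "transit"            # entered one IXP port, left by another
    if in_ixp and not dst_ok:
        return "unexplained-in"     # arrived from a peer but not for us
    if out_ixp and not src_ok:
        return "unexplained-out"    # heading to a peer but not from us
    return "ok"


def parse_flows(lines):
    """Parse the constructed text format, skipping blanks and '#' comments."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, in_if, out_if, nbytes = line.split()
        flows.append({"src": src, "dst": dst, "in_if": in_if,
                      "out_if": out_if, "bytes": int(nbytes)})
    return flows


def summarize(flows, prefixlen=24):
    """Return (suspect bytes per source /prefixlen,
    per-IXP-interface inbound totals with the unexplained share)."""
    suspect_by_src = defaultdict(int)
    inbound = defaultdict(lambda: {"total": 0, "suspect": 0})
    for f in flows:
        verdict = classify_flow(f)
        if f["in_if"] in IXP_INTERFACES:
            inbound[f["in_if"]]["total"] += f["bytes"]
            if verdict != "ok":
                inbound[f["in_if"]]["suspect"] += f["bytes"]
        if verdict != "ok":
            net = ipaddress.ip_network(f"{f['src']}/{prefixlen}", strict=False)
            suspect_by_src[str(net)] += f["bytes"]
    return dict(suspect_by_src), {k: dict(v) for k, v in inbound.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS.splitlines())
    by_src, per_port = summarize(flows)
    for port, stats in sorted(per_port.items()):
        share = 100.0 * stats["suspect"] / stats["total"] if stats["total"] else 0.0
        print(f"{port} ({IXP_INTERFACES[port]}): {stats['total']} bytes in, "
              f"{stats['suspect']} unexplained ({share:.1f}%)")
    for net, nbytes in sorted(by_src.items(), key=lambda kv: -kv[1]):
        print(f"  suspect source {net}: {nbytes} bytes")
```

On the sample data the checker attributes nearly all of fddi0's inbound bytes to 198.51.100.0/24 heading straight out of fddi1, which is the pattern Chris describes: a jump on one exchange-point port that passes through to the other with no customer on either end. In practice the prefix list would be built from the routes you actually announce at each exchange, and the per-source totals are what you would keep as evidence before raising it with the exchange operator.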
Participants (7): Chris A. Icide, David S. Holub, George Phillips, Joseph T. Klein, Paul A Vixie, Pushpendra Mohta, randy@psg.com