From nanog-bounces@nanog.org Mon May 26 21:16:58 2008
Date: Tue, 27 May 2008 07:46:26 +0530
From: "Suresh Ramasubramanian" <ops.lists@gmail.com>
To: "Colin Alston" <karnaugh@karnaugh.za.net>
Subject: Re: amazonaws.com?
Cc: nanog@merit.edu
On Tue, May 27, 2008 at 1:10 AM, Colin Alston <karnaugh@karnaugh.za.net> wrote:
On 26/05/2008 18:13 Suresh Ramasubramanian wrote:
I didn't actually, Bonomi did .. but going on ..
Mis-credit where mis-credit isn't due ... Twasn't me, either. <grin>

I just commented that I couldn't think of a reason for a _compute_ cluster to need access to unlimited remote machines/ports. And that it could 'trivially' be made an _automatic_ part of the 'compute session' config -- to allow access to a laundry-list of ports/machines, and those ports/machines -only-.

If Amazon were a 'good neighbor', they _would_ implement something like this. That they see no need to do _anything_ -- when _actual_ problems, which are directly attributable to their failure to do so, have been brought to their attention -- does argue in favor of wholesale firewalling of the EC2 address-space.

If the address-space owner won't police its own property, there is no reason for the rest of the world to spend the time/effort to _selectively_ police it for them.

Amazon _might_ 'get a clue' if enough providers walled off the EC2 space, and they found difficulty selling cycles to people who couldn't access the machines to set up their compute applications.
If the address-space owner won't police its own property, there is no reason for the rest of the world to spend the time/effort to _selectively_ police it for them.
Exactly!!! If an SMTP server operator is not willing to police their server by implementing a list of approved email partners, then why should the rest of the Internet have to block outgoing port 25 connections? The buck needs to stop right where the problem is and that is on the SMTP servers that are promiscuously allowing almost any IP address to open a socket with them and inject email messages.
Amazon _might_ 'get a clue' if enough providers walled off the EC2 space, and they found difficulty selling cycles to people who couldn't access the machines to set up their compute applications.
Amazon might get a clue and sue companies who take such outrageously extreme action. Even if you are being slammed by millions of email messages from Amazon address space, that is not justification for blocking all access to the space. It's a point problem on your mail server so leave the shotgun alone, and put an ACL blocking port 25 access to your mail server. I don't believe that horrendously broken email architecture and email operators with no vision, are sufficient justification for blocking new and innovative business models on the Internet. 10 months of the year, Amazon has 10 times as many servers as they need. They want to rent them out piecemeal and I applaud their innovation. Maybe their model is not perfect yet, but the solution to that is not to raise a lynch mob. Instead you should build a better cloud computing business and beat them that way.

--Michael Dillon
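The two filtering models argued over in this thread, Bonomi's default-deny egress allowlist for a compute session and Dillon's "ACL blocking port 25" on the receiving mail server (the scalpel) versus walling off the whole address block (the shotgun), as an added illustration that is not code from any of the posters. The prefixes are placeholders from the documentation ranges and are assumptions: 198.51.100.0/24 stands in for the EC2 block, 203.0.113.0/24 for the rest of the Internet, and 192.0.2.50 for a tenant's own mail relay.

```python
"""Inbound ACL (shotgun vs scalpel) and per-session egress allowlist.

Added illustration, not code from the thread. All prefixes below are
documentation ranges used as placeholders, not real allocations.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Placeholder for the cloud provider's address space (assumption, see above).
NOISY_PREFIX = "198.51.100.0/24"


@dataclass(frozen=True)
class Rule:
    """One inbound ACL entry: match on source prefix and optional dest port."""
    src: str              # source CIDR
    dport: Optional[int]  # destination port, None means any port
    action: str           # "accept" or "drop"


def evaluate(rules, src_ip, dport, default="accept"):
    """First-match ACL: return the action of the first rule that matches,
    or the default (accept) when nothing matches."""
    ip = ip_address(src_ip)
    for rule in rules:
        if ip in ip_network(rule.src) and rule.dport in (None, dport):
            return rule.action
    return default


# The "shotgun": everything from the block is dropped, whatever the port.
SHOTGUN = [Rule(NOISY_PREFIX, None, "drop")]

# The "point" fix from the thread: only SMTP from the block is dropped;
# web, SSH and everything else from the same block still gets through.
SCALPEL = [Rule(NOISY_PREFIX, 25, "drop")]


def egress_allowed(allowlist, dst_ip, dport):
    """Bonomi's proposal for the provider side: a compute session gets a
    default-deny egress policy and may reach only the (prefix, port) pairs
    it declared when the session was configured."""
    ip = ip_address(dst_ip)
    return any(
        ip in ip_network(net) and port in (None, dport)
        for net, port in allowlist
    )


# What a hypothetical tenant might declare when starting a compute session:
# HTTPS to anywhere, SMTP only to its own relay (placeholder address), nothing else.
SESSION_ALLOWLIST = [
    ("0.0.0.0/0", 443),
    ("192.0.2.50/32", 25),
]


def compare(client_ip, ports=(25, 80, 443)):
    """Return {port: (shotgun_action, scalpel_action)} for one client address,
    which makes the collateral damage of the shotgun ruleset visible."""
    return {p: (evaluate(SHOTGUN, client_ip, p),
                evaluate(SCALPEL, client_ip, p)) for p in ports}


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9"):
        print(ip, compare(ip))
    for dst, port in (("203.0.113.10", 443), ("203.0.113.10", 25), ("192.0.2.50", 25)):
        print("egress", dst, port, egress_allowed(SESSION_ALLOWLIST, dst, port))
```

The inbound evaluator is first-match with a permissive default, the usual shape of a mail-server or router ACL; the egress check is the opposite, any-match over an allowlist with a deny default, which is what makes Bonomi's scheme contain a compromised or abusive tenant without the rest of the Internet having to do anything.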
On 27 May 2008, at 16:33, Robert Bonomi wrote:
Mis-credit where mis-credit isn't due ... Twasn't me, either. <grin>
I just commented that I couldn't think of a reason for a _compute_ cluster to need access to unlimited remote machines/ports. And that it could 'trivially' be made an _automatic_ part of the 'compute session' config -- to allow access to a laundry-list of ports/machines, and those ports/machines -only-.
If Amazon were a 'good neighbor', they _would_ implement something like this. That they see no need to do _anything_ -- when _actual_ problems, which are directly attributable to their failure to do so, have been brought to their attention -- does argue in favor of wholesale firewalling of the EC2 address-space.
If the address-space owner won't police its own property, there is no reason for the rest of the world to spend the time/effort to _selectively_ police it for them.
Amazon _might_ 'get a clue' if enough providers walled off the EC2 space, and they found difficulty selling cycles to people who couldn't access the machines to set up their compute applications.
This is a classic example of externalities in the economics of security. Currently, any damage caused by Amazon customers costs Amazon little or nothing. The costs are borne by the victims of that damage. On the other hand mitigating this damage would cause Amazon costs, in engineering and lost revenue. So in economic terms they have no incentive to 'do the right thing'. So to get Amazon to police their customers either requires regulation or an external economic pressure. Blocking AWS from folks' mail servers would apply some pressure, making areas of the net go dark to AWS would apply more pressure faster. A considerable amount of pressure could be placed by a big enough money damages lawsuit but that has a feedback delay of months to years.
nanog@ian.co.uk (Ian Mason) writes:
On 27 May 2008, at 16:33, Robert Bonomi wrote:
Amazon _might_ 'get a clue' if enough providers walled off the EC2 space, and they found difficulty selling cycles to people who couldn't access the machines to set up their compute applications.
This is a classic example of externalities in the economics of security.
Currently, any damage caused by Amazon customers costs Amazon little or nothing. The costs are borne by the victims of that damage. On the other hand mitigating this damage would cause Amazon costs, in engineering and lost revenue. So in economic terms they have no incentive to 'do the right thing'.
i've heard this called "the chemical polluter business model".
So to get Amazon to police their customers either requires regulation or an external economic pressure. Blocking AWS from folks' mail servers would apply some pressure, making areas of the net go dark to AWS would apply more pressure faster. A considerable amount of pressure could be placed by a big enough money damages lawsuit but that has a feedback delay of months to years.
to that end, i don't accept e-mail from any free e-mail provider, including gmail, nor from most ISP mail servers. all of them face this same economics decision, and all of them end up spewing quite a bit of spam, and there's no end in sight. e-mail sourcing doesn't scale. the highest quality e-mail comes from the smallest communities. EC2 will probably face some boycotts. i don't think these will change the endgame, whatever it is.

-- Paul Vixie
So to get Amazon to police their customers either requires regulation or an external economic pressure. Blocking AWS from folks' mail servers would apply some pressure,
No it would not. That is what AWS wants you to do.
making areas of the net go dark to AWS would apply more pressure faster. A considerable amount of pressure could be placed by a big enough money damages lawsuit but that has a feedback delay of months to years.
And such lawsuits can go both ways. As soon as a company moves beyond protective blocking of port 25, to punitive blocking of all traffic from AWS, they run the risk of being the target of a damages lawsuit. Not to mention complaints from their own customers. There simply is no simple solution to this problem.

--Michael Dillon
participants (4): Ian Mason, michael.dillon@bt.com, Paul Vixie, Robert Bonomi