Re: How to secure the Internet in three easy steps
1. Require all providers install and manage firewalls on all subscriber connections enforcing source address validation.
i can see how the end to end principle applies in cases 2 and 3, but not 1.
I didn't make any of these up. They've all been proposed by serious, well-meaning people.
i recommend caution with your choice of words. apparently not everyone treats "well meaning" as the compliment that it is.
If you have 2 and 3, why do you need to waste global addresses on 1.
i don't believe that 2 or 3 will ever happen, for simple market reasons -- it is harder to make money if you do 2 or 3. however, 1 only costs a small bit of ops expense, and has no market impact at all, so it's practical in simple economic terms.
It's a misunderstanding of what source address validation is. Some folks think it should work like ANI, where the telephone company writes the "correct" number on the call at the switch.
ouch. i guess you're right. perhaps a copy of BCP38 should come with every router sold?
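Paul's BCP38 remark, illustrated with an added example that is not part of any post in this thread: a minimal source address validation filter at the subscriber edge. Interface names, prefixes and packets are constructed sample data; the point it shows is that a spoofed source is dropped at the port it came in on, not rewritten the way ANI stamps a number on a call.

```python
"""Added example (not from the thread): a minimal BCP38-style ingress filter.

Packets whose source address lies outside the prefixes assigned to the
interface they arrived on are dropped. Nothing is rewritten, which is the
difference from the ANI analogy. All names and addresses are constructed.
"""
from ipaddress import ip_address, ip_network

# Constructed sample: subscriber-facing interfaces and the prefixes
# assigned (statically or via DHCP/PD) to the customer behind each one.
ASSIGNED_PREFIXES = {
    "eth1.101": [ip_network("198.51.100.0/29"), ip_network("2001:db8:1::/48")],
    "eth1.102": [ip_network("203.0.113.16/28")],
}


def permitted_source(interface, src):
    """True when src is within a prefix assigned to the ingress interface.
    Unknown interfaces permit nothing, so the filter fails closed."""
    addr = ip_address(src)
    return any(addr in net for net in ASSIGNED_PREFIXES.get(interface, []))


def ingress_filter(packets):
    """Apply the check to (interface, src, dst) tuples.
    Returns (forwarded, dropped); dropped packets keep their original source
    so they can be logged and traced back to the port of origin."""
    forwarded, dropped = [], []
    for iface, src, dst in packets:
        bucket = forwarded if permitted_source(iface, src) else dropped
        bucket.append((iface, src, dst))
    return forwarded, dropped


# Constructed sample traffic: two legitimate packets and two spoofed ones.
SAMPLE = [
    ("eth1.101", "198.51.100.3", "192.0.2.10"),
    ("eth1.101", "2001:db8:1:5::7", "2001:db8:ffff::1"),
    ("eth1.101", "203.0.113.20", "192.0.2.10"),  # neighbour's prefix, spoofed
    ("eth1.102", "192.0.2.10", "192.0.2.10"),    # source outside any assigned prefix
]

if __name__ == "__main__":
    fwd, drop = ingress_filter(SAMPLE)
    for p in drop:
        print("drop  ", p)
    for p in fwd:
        print("accept", p)
```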
-----Original Message----- From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Paul Vixie Sent: Friday, October 25, 2002 12:39 PM
i can see how the end to end principle applies in cases 2 and 3, but not 1.
I didn't make any of these up. They've all been proposed by serious, well-meaning people.
i recommend caution with your choice of words. apparently not everyone treats "well meaning" as the compliment that it is.
I forget what they paved the road to hell with.... Sameer
"Sameer R. Manek" wrote:
Paul Vixie wrote:
Sean Donelan wrote:
I didn't make any of these up. They've all been proposed by serious, well-meaning people.
i recommend caution with your choice of words. apparently not everyone treats "well meaning" as the compliment that it is.
I forget what they paved the road to hell with....
Good intentions. -- Only the mediocre are always at their best. Jean Giraudoux
i don't believe that 2 or 3 will ever happen, for simple market reasons -- it is harder to make money if you do 2 or 3. however, 1 only costs a small bit of ops expense, and has no market impact at all, so it's practical in simple economic terms.
Not only that, but unless _everyone_ implements 2 and/or 3, all the bad people that exploit the things these are meant to protect will migrate to the networks that lack these measures, mitigating the benefits. This seems to be a catch-22; no one will implement these for the good of the net because it costs money, and ignorant competitors that don't implement them will not share in that expense. Have any such ideas been implemented in the modern internet? How?
This seems to be a catch-22; no one will implement these for the good of the net because it costs money, and ignorant competitors that don't implement them will not share in that expense. Have any such ideas been implemented in the modern internet? How?
Not to mention that 2 or 3 wouldn't do any good for the net. There are private ALG-based networks where you get to pay your premiums for your bits, if you need that functionality, there is no reason to break the internet, you just subscribe to your local X.400 service for email, etc. Pete
participants (5): Etaoin Shrdlu, Paul Vixie, Petri Helenius, Ryan Fox, Sameer R. Manek