From: Brian E Carpenter [mailto:brc(_at_)zurich(_dot_)ibm(_dot_)com]
John,
(after also reading Michael's response)
I don't disagree. I think there is scope for writing a list
of desirable properties for SOHO routers in the light of
these various inputs. I'm less certain it can be done for
enterprise boundary routers. But it would be a tricky and
contentious job in both cases. Even draft-ietf-v6ops-nap took
many moons and several major editing passes, and it only
starts the work.
SOHO is the one that won't get done otherwise. The enterprise folk have
Gartner, Burton and the Jericho forum to express their list of requirements
through (and the RFP process to put those requirements on the vendor product
roadmaps).
From the SOHO perspective I have been saying for years now that many of the
problems we have wit bots would be significantly reduced if SOHO routers and
cable modems came configured with an outbound firewall by default.
The restrictions I would like to see would have zero impact on even the most
aggressive residential user participating in peer to peer networks etc.
* Prevent routing of spoof source address packets
* Limit the number of outbound TCP connections initiated per time interval
* General limit
* Smaller limit for connections to the same IP
* Smaller limit for outbound SMTP connections
* Limit the number of DNS requests
Even the most generous limits significantly cut the value of a bot. A machine
that can only send ten thousand spams an hour will at most fetch 1% of the rent
that a bot capable of a million an hour.
In the home of the future Mr Coffee will be WiFi capable. I for one do not want
to be spending my time dealling with the consequences of botted coffee pots,
fidges and light switches.
What distinguishes the network from the inter-network is responsibility. I am
responsible for the impact that my network has on the inter-network. Even as
the perimiter security model becomes obsolete the perimeter will still mark the
boundary for accountability.
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf