ietf

Re: recommendation against publication of draft-cerpa-necp-02.txt

2000-04-07 21:43:51
Keith Moore wrote:
.  .  .
You seem to be saying that because we have a higher service layered
on top of IP that we can disregard the IP service model.  I disagree.

No, I'm saying you purported to be offended by IP address
redirection when what you really objected to was unauthorized
spoofing of services and the delivery of something other than what
the user and/or information provider would have expected. 

Actually I have objections to both - though the objections
to the former are purely technical and mostly in response
to folks who claim that such redirection is deserving of
standardization, or in general is anything more than a crude
short-term hack.  The objections to the latter are both moral
and technical.

That in
turn resulted in your calling for a ban on publication of a
technical document describing a technique which you admit has quite
legitimate applications (e.g. when CNN knows that such IP
interception is going on) because it *could* be used in a manner you
judge to be immoral (i.e. in a case when neither client nor server
knew).

I did not call for a ban on publication of any document.  I suggested
that the RFC Editor consider not devoting its energies to publishing
the document - and I only suggested this after I suggested several
things that could be done to "fix" the document.  Clearly the document 
can be published by other means, nor would I try to prevent such publication.

What you may not realize is that fixing the bugs in documents such
as this one - which at best are on the margin of IETF's mission -
tends to consume inordinate amounts of effort on the part of IESG 
and/or the RFC Editor, who already have lots of work on their plates.  
Their effort, I believe, is better spent on getting more deserving
documents out the door.  

(Such waste of resources is especially annoying when the motivation for 
having the document published appears to be to lend IETF's imprimatur
to an approach by having it published as an RFC - and therefore, 
can be cited as if it were a standard - language in the RFC preamble
to the contrary notwithstanding.)  

So write an RFC Draft and call it "IP Address Spoofing Considered
Harmful". Argue eloquently. Convince everyone and you will be famous
to generations of students to come as the person who saved us from
this pernicious practice, right up there with Dijkstra and GOTOs.
Fight ideas with ideas. But banning mention of the technique because
it can be misused? Puuleeze.

again, you're using "ban" incorrectly.

You know, I've been pretty uncomfortable over the past few years at
what I perceive as a growing hostility in some quarters towards
innovation in the name of purity and stability. I agree the Internet
is "important", and we must consider the consequences of our
actions, but personally I think you've gone way over a line here...

I do take a hostile attitude toward so-called innovations which impair
the flexibility and reliability of the Internet and Internet applications,
and I make no apology for it.

now it happens that both of these problems are caused by interception
proxies, which is why I choose to mention both of them in the same
discussion.

Actually, you mistyped "both problems are caused by the *misuse* of
interception proxies". 

tell that to the marketing departments of companies who are selling
interception proxies to ISPs and as local web caches.  such applications 
of interception proxies *do* cause harm, and yet most of the companies
selling such products would claim that these are legitimate uses.

And you advocate that the IETF prevent
discussion of the very technique because it can be misused. 

nope, not prevent discussion - clearly we are discussing it here -
I'm advocating that IETF not spend resources publishing a biased
description of this technique.

We need to build publishing and distribution services that can scale
to millions, if not billions, of users, and we need them now.
Address interception is a perfectly legitimate technique in our
arsenal of ideas for this task, with some dangers. 

I will agree that legitimate uses of the technique exist, but given 
the widespread misuse of this technique (there seems to be a great
deal more misuse than appropriate use) "perfectly legitimate"
seems like an oversimplification.


Bottom line is, you seem pretty confused here.

only if you think that discussing several related topics in a single
mail message is a sign of confusion.

Sorry, you're not convincing me you understand my point. You
acknowledge that it's okay to intercept if CNN knows you're doing
it. 

not quite. I said "if it's okay with CNN".  Knowledge != explicit consent.

So why don't we document how to do that? Oh, you say - that's
because the idea can be misused. "Let these dangerous kooks publish
their innovations elsewhere, so we don't sully the IETF brand".
Fine, if we do that, I guarantee that new ideas will simply migrate
out of this forum. Be careful what you ask for, as you're liable to
get it...

sometimes it's useful if new ideas migrate elsewhere. in certain
circles this is known as the Golgafrinchian Ark B principle.

Publishing of a technical document is not promoting "illegal or
clearly immoral behaviour", any more than publishing instructions on
driving a car is promoting carjacking. 

I would argue that publication of this document, regardless of the 
*intent* in doing so, is likely to have the *effect* of promoting 
illegal and/or immoral behavior.  If the decision is made to publish 
the document in some form, the question becomes one of how to minimize 
this negative effect.

The alternative  - to pretend that there are no social implications
to what we are doing in IETF - strikes me as dangerous and irresponsible.

So because someone can pick up a router and beat someone to death
with it, we shouldn't build routers?

no, if someone designed a router whose primary purpose were to beat
someone to death, we shouldn't endorse such a product.

Okay, I'll see your moral indignation and raise you a moral outrage.
Since when is the publishing of technical information for the
education of the IETF community endorsement of anything other than
the free exchange of ideas? 

and those who cite such documents as if they were standards, in order
to mislead their customers - they're also contributing to the free 
exchange of ideas?  

it mystifies me how it's quite legitimate to promote dubious and clearly
harmful technical practices (this is defended as the free exchange of 
ideas) but to suggest that such publication is likely to cause harm and 
to consume precious energies which are better spent elsewhere is not 
part of the free exchange of ideas - it is branded as censorship.
I suppose calling it censorship is also part of the free exchange of
ideas, but it's not exactly persuasive.

Frankly *I'm* morally offended at that
notion as I think it strikes at the very heart of the IETF and what
made it a successful organization worthy of my support. If this
were to become the way this organization actually does work in the
future, I would predict its speedy demise as a useful place for the
free interchange of ideas.

Get over it.  The RFC has been exercising editorial discretion - or if 
you prefer - rejecting ideas for RFCs, for many years now.  

And absolutely I am making an argument based on my own assessment of
both the morality of the practice and the technical issues associated
with that practice.  Why should it be dangerous or wrong to argue for
what one believes is right?

Because nobody died and made you king and TWIAVBP. I'm offended at
the notion that a former Area Director of the IETF would advocate
censoring what others can publish in the Internet's premier
technical exchange forum based not on the quality of the technical
information, but on how that information may be misused. 

as far as I can tell, you think that my having served on the IESG 
means that I have given up the right to speak out against dangerous 
and harmful practices and against poor uses of the IESG's and RFC
Editor's energies.  

IMHO, that's not merely naive, that's delusional.

Keith


