ietf

RE: IAB policy on anti-spam mechanisms?

2003-03-02 00:40:31
That being said, whining about lack of transparency is not going to
change the behavior of the operators. The IETF should rather do
something useful, e.g. make sure that IPSEC is easy to deploy...

In other words, we need to develop and deploy network architectures
and technologies that deliberately make it difficult for lower level
(in more ways than one) entities to arbitrarily discriminate in the
traffic they carry.

ISPs and backbone operators have so far evaded being regulated as
common carriers, so we may have to resort to technological means to
achieve the same end.  This may become the single most important role
for encryption in the Internet.

But IPSEC isn't enough. Because it isn't yet widely used, they may get
away with simply blocking protocol 50. (Some ISPs already arbitrarily
prohibit VPNs unless you upgrade to an expensive commercial service,
regardless of how little traffic you actually generate.)

We may need to mimic a form of encrypted traffic that is already
widely used by individuals, say TCP connections to port 443 (HTTP over
SSL). Since everyone knows that the only legitimate use of the
Internet is to buy junk with credit cards, no ISP would dare block
that!

As much fun as it would be to put large, monopolistic ISPs like
Comcast or AOL in their place, in all seriousness I would still much
prefer to reason with them. I would try to convince them that
arbitrarily blocking traffic against their end users' wishes is in no
one's long-term interests, including theirs. "We do it because we can"
won't work forever.

If it becomes necessary to riddle the Internet with unfilterable
encrypted tunnels, it will become impossible for the ISPs to filter
even the traffic that everyone *does* want filtered, such as the UDP
packets that propagated the recent Slammer worm. This is why I still
think it would be useful to issue a position statement along the lines
I suggested: that individual end users, not ISPs, must always control
what is and isn't filtered on their behalf.

This could be coupled with IETF-standardized protocols for the end
users to directly control these filtering mechanisms, something that
we already know would be invaluable during a denial-of-service attack.

Phil