
RE: Last Call: 'NAT Behavioral Requirements for Unicast UDP' to BCP (draft-ietf-behave-nat-udp)

2006-05-15 14:56:37
 
From: Jeffrey Hutzelman [mailto:jhutz(_at_)cmu(_dot_)edu] 

Sure.  But a policy enforcement point must necessarily be configured; otherwise, how is it going to know what policy to enforce?

The policy can be generated automatically from the network configuration and 
the authorized hosts and applications authorized to run on those hosts.

Forget the administration model where you administer the machines. Administer 
the network instead. Machine config should be generated from network config.


The model can be applied in either the home or the enterprise setting. The home 
setting is the most challenging because it has to be transparent. But users 
already have machines that have internal firewalls. There is no reason why that 
config should not be exportable to the edge policy enforcement point as well.


First people have the model wrong, ask not how you can protect yourself from the Internet, ask how to protect the Internet from you.

No.  Being a good neighbor is desirable, but does not replace protecting yourself from bad neighbors and evildoers.

I cannot provide you with a foolproof way to protect your machine from any 
attack that an Internet criminal might throw at it. Nor can anyone else without 
reducing it to a functionless heap of junk.

What I can do is make your machine as uninteresting a target to an attacker as 
possible. Make it so that its value on the botnet wholesale market is as close 
to zero as possible.


What's a "rogue server"?  What distinguishes a DDoS bot from a P2P file sharing application?

No P2P file sharing application I am aware of uses spoofed source addresses in 
IP packets. The data bandwidth is high but the control bandwidth is not 
excessive. DDoS bots are mostly attacking the control channel rather than data.

What distinguishes a Windows virus from a krb524 client (hint: nothing; several network providers and common firewall configurations block outgoing UDP traffic to port 4444, with the result that getting krb4 tickets and AFS tokens doesn't work from inside such a network).  Who updates the configuration on these filters as new applications and new malware appear?

To do damage to the rest of the net the virus has to be hammering port 4444.

The type of controls people are suggesting is limiting the number of outbound 
control connections (SYN packets, DNS packets) to a rate that is large compared 
to typical consumer uses but small compared to bot uses.

This is a 98%/2% solution. The vast majority of users do not need or want to 
make 1000 outbound TCP session initiation attempts per second. Any site that is 
doing that on a sustained basis for several hours is highly unlikely to be 
doing something legitimate.

I should be required to have a device which limits my ability to use the network connection I've paid for to a limited set of applications chosen by my network provider?

You should not be allowed to connect to the net at all, yes this is all about 
you personally.

Actually my proposal is to ship the devices with the default setting to 'on' 
but allow idiots to turn it off if they must. Otherwise we end up with a black 
market in unrestricted machines.


That's not only insane; it would probably be legally very stupid for my network provider; by restricting what I'm allowed to do, they take some responsibility for what I do.

You are not a lawyer, but you are playing one on the net.

While that particular view of negligence has some currency in the US, the law of 
negligence does not contain an ostrich exception. 

I am not a lawyer either. I suggest that anyone running an ISP ask their actual 
lawyers what the situation is here: If you are selling a service to consumers, 
if the harm is foreseeable, if the probability of harm and the cost of the harm 
are great, if the cost of limiting that harm is small, are you better off 
helping the consumer limit that harm or ignoring it?


I see you're among those who think users and customers should be required to enforce policy counter to their interests, and that the network should trust that they do so.

No, the rules are generated from configuration commands made by the user.

It is simply enforcing the old security principle of least privilege.

One of the basic rules of distributed systems design is that service providers MUST NOT depend on clients to enforce policy for them, because anyone can make a rogue client.

That's not a rule, it's a dogmatic interpretation of security principles that 
were probably wrong when they were proposed. 

Until the Internet is secure please save us the dogma.
 

Except that the user won't get to do that; the user's network provider

Yeah yeah yeah, stop worrying about the bogeyman and worry about the real 
attackers.

The balance of power in this case is mostly with the consumer. Most houses have 
at least two wires going into them. 

Do not try to build your political systems into protocol design unless you 
understand people and understand economics.



_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf
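The message above argues for two edge controls: dropping outbound packets with spoofed (non-local) source addresses, and rate-limiting outbound control traffic (TCP SYNs, DNS queries) to a rate that is generous for a consumer but small for a bot. The following is an added illustration, not code from the message author or from the BEHAVE working group, of how such a policy enforcement point could model both checks. The local prefix, the rate and burst thresholds, and all traffic are constructed for the example; a real device would derive them from its network configuration, as the message suggests.

```python
"""Toy edge-policy model: egress source-address validation plus a per-host
token-bucket limit on outbound control packets (TCP SYN and DNS).
Addresses, thresholds and traffic below are constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LOCAL_PREFIX = ip_network("192.168.1.0/24")  # assumed LAN behind the device
CONTROL_RATE = 20.0    # sustained control packets per second allowed per host
CONTROL_BURST = 100.0  # burst allowance so parallel browser connections pass


@dataclass
class Packet:
    t: float      # arrival time in seconds
    src: str      # claimed source address
    proto: str    # "tcp" or "udp"
    dport: int
    syn: bool = False


class Bucket:
    """Token bucket that refills at CONTROL_RATE up to CONTROL_BURST."""
    def __init__(self):
        self.tokens = CONTROL_BURST
        self.last = 0.0

    def take(self, now):
        self.tokens = min(CONTROL_BURST, self.tokens + (now - self.last) * CONTROL_RATE)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def is_control(pkt):
    """Control traffic = new TCP session attempts and DNS queries; bulk data is untouched."""
    return (pkt.proto == "tcp" and pkt.syn) or (pkt.proto == "udp" and pkt.dport == 53)


def enforce(packets):
    """Return per-source counters of forwarded, spoofed and rate-limited packets."""
    buckets = defaultdict(Bucket)
    stats = defaultdict(lambda: {"forwarded": 0, "spoofed": 0, "rate_limited": 0})
    for pkt in sorted(packets, key=lambda p: p.t):
        s = stats[pkt.src]
        if ip_address(pkt.src) not in LOCAL_PREFIX:
            s["spoofed"] += 1          # source is not ours: never let it out
            continue
        if is_control(pkt) and not buckets[pkt.src].take(pkt.t):
            s["rate_limited"] += 1     # sustained SYN/DNS rate beyond consumer use
            continue
        s["forwarded"] += 1
    return dict(stats)


def sample_traffic():
    """Constructed traffic: a normal host, a bot-like host, and spoofed packets."""
    pkts = []
    # Normal host: a new TCP connection every 0.5 s and a DNS query every 2 s for a minute.
    pkts += [Packet(i * 0.5, "192.168.1.10", "tcp", 443, syn=True) for i in range(120)]
    pkts += [Packet(i * 2.0, "192.168.1.10", "udp", 53) for i in range(30)]
    # Bot-like host: 1000 SYNs per second for two seconds.
    pkts += [Packet(i * 0.001, "192.168.1.20", "tcp", 80, syn=True) for i in range(2000)]
    # Packets carrying a forged, non-local source address.
    pkts += [Packet(1.0 + i * 0.01, "10.0.0.5", "udp", 53) for i in range(50)]
    return pkts


if __name__ == "__main__":
    for src, counts in enforce(sample_traffic()).items():
        print(src, counts)
```

The burst allowance is what separates this from a blunt per-second cap: a browser opening a few dozen connections when a page loads drains the bucket briefly and is never throttled, while a host that keeps sending far above CONTROL_RATE is held to roughly that rate after its burst is spent. Only control packets are counted, so a high-bandwidth but low-connection-rate P2P transfer is unaffected, matching the distinction the message draws.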
