Accountable Use Registry was: How I deal with (false positive) IP-address blacklists...
2008-12-11 19:37:18
On Dec 11, 2008, at 1:51 PM, John C Klensin wrote:

> As soon as one starts talking about a registry of "legitimate"
> sources, one opens up the question of how "legitimate" is
> determined. I can think of a whole range of possibilities -- you,
> the ITU Secretary-General, anyone who claims to have the FUSSP,
> governments (for their own countries by licensing or more
> generally), ICANN or something ICANN-like, "large email providers",
> and so on. Those options have two things in common. Most (but not
> all) of them would actually be dumb enough to take the job on and
> they are all unacceptable if we want to continue to have a
> distributed-administration email environment in which smaller
> servers are permitted to play and people get to send mail without
> higher-level authorization and certification.

Perhaps I should not have used the word legitimate. The concept of
registry should engender a concept of accountability.

Once one considers IPv6, just the network portion covers 2^32 times as
many IP addresses as are present in IPv4. In this quantity, IPv6
addresses do not offer a scalable means upon which a server is able to
impose a defense against abuse. The server will handle addresses in
rather large groups as the only method left available. The
consolidation of addresses into large groups will be the enemy of an
egalitarian effort wanting to ensure access to all players.

Counter to this, much of the email abuse has been squelched by
third-parties who allow network providers a means to indicate the
traffic for which they are accountable. This is done in part by the
assignment of address ranges as belonging to dynamically assigned users.
It does seem as though a more formalized method through a registry
supported by provider fees would prove extremely beneficial at reducing
the scale of the IP address range problem raised by IPv6. By formalizing
a registration of accountable use, along with some type of reporting
structure or clearinghouse, IPv6 would have a better chance of gaining
acceptance. It would also empower providers to say what potentially
abused uses they wish to support.

> While I freely admit that I have not had hands-on involvement in
> managing very large email systems in a large number of years now, I
> mostly agree with Ned that some serious standards and documentation
> of clues would be useful in this general area. But I see those as
> useful if they are voluntary standards, not licensing or external
> determination of what is legitimate. And they must be the result of
> real consensus processes in which anyone interested, materially
> concerned, and with skin in the game gets to participate in
> development and review/evaluation, not specifications developed by
> groups driven by any single variety of industry interests and then
> presented to the IETF (or some other body) on the grounds that they
> must be accepted because anyone who was not part of the development
> group is obviously an incompetent idiot who doesn't have an opinion
> worth listening to.

Agreed.

> That has been my main problem with this discussion, and its
> variants, all along. While I've got my own share of anecdotes, I
> don't see them as directly useful other than as refutations of
> hyperbolic claims about things that "never" or "always" happen. But,
> when the IETF effectively says to a group "ok, that is a research
> problem, go off and do the research and then come back and organize
> a WG", it ought to be safe for someone who is interested in the
> problem and affected by it --but whose primary work or interests lie
> elsewhere-- to more or less trust the RG to produce a report and
> then to re-engage when that WG charter proposal actually appears.
> Here, the RG produced standards-track proposals, contrary to that
> agreement, and then several of its participants took the position
> that those proposals already represented consensus among everyone
> who counted or was likely to count. Independent of the actual
> content of the proposal(s), that is not how I think we do things
> around here... nor is laying the groundwork for an official
> determination of who is "legitimate" and who is not.

A registry of accountable use in conjunction with some type of
reporting structure seems a necessity if one hopes to ensure a player
can obtain the access that they expect. In other words, not all
things will be possible from just any IP address. Providers should
first assure the Internet what they are willing to monitor for abuse,
where trust can be established upon this promise. Not all providers
will be making the same promise of stewardship. Those providers that
provide the necessary stewardship for the desired use should find both
greater acceptance and demand. Such demand may help avoid an
inevitable race to the bottom.
-Doug
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf