amazonaws.com?

From nanog-bounces@nanog.org Mon May 26 21:16:58 2008
Date: Tue, 27 May 2008 07:46:26 +0530
From: "Suresh Ramasubramanian" <ops.lists@gmail.com>
To: "Colin Alston" <karnaugh@karnaugh.za.net>
Subject: Re: amazonaws.com?
Cc: nanog@merit.edu


I didn't actually, Bonomi did .. but going on ..

Mis-credit where mis-credit isn't due ... Twasn't me, either. <grin>

I just commented that I couldn't think of a reason for a _compute_ cluster to
need access to unlimited remote machines/ports. And that it could 'trivially'
be made an _automatic_ part of the 'compute session' config -- to allow access
to a laundry-list of ports/machines, and those ports/machines -only-.

If Amazon were a 'good neighbor', they _would_ implement something like this.
That they see no need to do _anything_ -- when _actual_ problems, which are
directly attributable to their failure to do so, have been brought to their
attention -- does argue in favor of wholesale firewalling of the EC2 address-space.

If the address-space owner won't police its own property, there is no reason
for the rest of the world to spend the time/effort to _selectively_ police it
for them.

Amazon _might_ 'get a clue' if enough providers walled off the EC2 space, and
they found difficulty selling cycles to people who couldn't access the machines
to set up their compute applications.

> If the address-space owner won't police its own property,
> there is no reason for the rest of the world to spend the
> time/effort to _selectively_ police it for them.

Exactly!!!
If an SMTP server operator is not willing to police their server
by implementing a list of approved email partners, then why should
the rest of the Internet have to block outgoing port 25 connections?
The buck needs to stop right where the problem is and that is
on the SMTP servers that are promiscuously allowing almost any
IP address to open a socket with them and inject email messages.

> Amazon _might_ 'get a clue' if enough providers walled off
> the EC2 space, and they found difficulty selling cycles to
> people who couldn't access the machines to set up their
> compute applications.

Amazon might get a clue and sue companies who take such outrageously
extreme action. Even if you are being slammed by millions of email
messages from Amazon address space, that is not justification for
blocking all access to the space. It's a point problem on your
mail server so leave the shotgun alone, and put an ACL blocking
port 25 access to your mail server.

I don't believe that horrendously broken email architecture and email
operators with no vision, are sufficient justification for blocking new and
innovative business models on the Internet. 10 months of the year, Amazon has
10 times as many servers as they need. They want to rent them out piecemeal
and I applaud their innovation. Maybe their model is not perfect yet, but the
solution to that is not to raise a lynch mob. Instead you should build a
better cloud computing business and beat them that way.

--Michael Dillon
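The thread argues over three different filters without writing any of them down: Bonomi's per-session egress allow-list for a compute cluster, Dillon's protective "point" ACL that denies only port 25 from the cloud range to your own mail server, and the wholesale block of the whole range. The following is an added example, not code from any of the posters, that models all three as first-match ACLs so the difference in collateral effect can be measured. Every address is a constructed placeholder drawn from the RFC 5737 documentation ranges (the "cloud range" stands in for a provider's published prefixes), and the default verdicts (permit for the edge ACLs, deny for the egress allow-list) are assumptions of this example.

```python
"""Added example (not from the NANOG thread or any of its posters): a small
first-match ACL evaluator contrasting the three filters argued over above.

1. Egress allow-list on the compute side: instances reach only listed
   hosts/ports, everything else denied (Bonomi's suggestion).
2. Protective "point" ACL at the mail operator: deny only SMTP (port 25)
   from the cloud range to the mail server (Dillon's suggestion).
3. Wholesale block: drop every packet from the cloud range.

All addresses are constructed from RFC 5737 documentation ranges."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed placeholders, not real provider or customer addresses.
CLOUD_RANGE = ip_network("192.0.2.0/24")      # stands in for "EC2 space"
MAIL_SERVER = ip_network("198.51.100.25/32")  # our SMTP listener (MX)
WEB_SERVER = ip_network("198.51.100.80/32")   # our public web host
PKG_MIRROR = ip_network("203.0.113.9/32")     # package mirror the instances need
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]     # None means any destination port
    note: str = ""

    def matches(self, src: IPv4Address, dst: IPv4Address, dport: int) -> bool:
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


def evaluate(rules, src: str, dst: str, dport: int, default: str) -> str:
    """First-match semantics; 'default' is the verdict when no rule matches.
    Assumed here: an edge ACL defaults to permit (carve out only what hurts),
    an egress allow-list defaults to deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in rules:
        if rule.matches(s, d, dport):
            return rule.action
    return default


# 1. Egress allow-list for the compute range: only listed hosts/ports.
EGRESS_ALLOWLIST = [
    Rule("permit", CLOUD_RANGE, WEB_SERVER, 443, "talk to the customer's own web host"),
    Rule("permit", CLOUD_RANGE, PKG_MIRROR, 443, "package updates"),
]

# 2. Protective ("point") ACL at the mail operator: deny only SMTP from the range.
PROTECTIVE = [
    Rule("deny", CLOUD_RANGE, MAIL_SERVER, 25, "cloud range may not inject mail"),
]

# 3. Wholesale ("shotgun") ACL: deny everything from the cloud range.
WHOLESALE = [
    Rule("deny", CLOUD_RANGE, ANY, None, "wall off the cloud range entirely"),
]


def egress_allowed(src: str, dst: str, dport: int) -> bool:
    """Would a provider-side allow-list let this instance flow leave at all?"""
    return evaluate(EGRESS_ALLOWLIST, src, dst, dport, default="deny") == "permit"


def compare(src: str, dst: str, dport: int):
    """(protective verdict, wholesale verdict) for one inbound flow at the victim."""
    return (evaluate(PROTECTIVE, src, dst, dport, default="permit"),
            evaluate(WHOLESALE, src, dst, dport, default="permit"))


def collateral_damage(flows) -> int:
    """Flows the wholesale block drops that the point ACL would have passed:
    the cost to the blocker's own customers that the thread points at."""
    return sum(1 for f in flows if compare(*f) == ("permit", "deny"))


if __name__ == "__main__":
    # Constructed sample flows: (source, destination, destination port).
    flows = [
        ("192.0.2.10", "198.51.100.25", 25),   # SMTP cloud -> MX: the actual problem
        ("192.0.2.10", "198.51.100.80", 443),  # HTTPS cloud -> web host: legitimate
        ("192.0.2.77", "198.51.100.25", 587),  # submission port: outside the point ACL
        ("203.0.113.5", "198.51.100.25", 25),  # SMTP from elsewhere: unaffected
    ]
    for f in flows:
        out = egress_allowed(*f) if ip_address(f[0]) in CLOUD_RANGE else "n/a"
        print(f, "egress allowed:", out, "inbound verdicts:", compare(*f))
    print("collateral flows dropped by the wholesale block:", collateral_damage(flows))
```

Two things the sample flows make visible: the egress allow-list stops the port-25 flow at the provider before any victim has to filter, and the point ACL is scoped exactly to the abuse (port 25 to the MX) so the same range's HTTPS traffic, and authenticated submission on 587, still pass, which is precisely what the wholesale block throws away.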

This is a classic example of externalities in the economics of security.

Currently, any damage caused by Amazon customers costs Amazon little or nothing. The
costs are borne by the victims of that damage. On the other hand mitigating this
damage would cause Amazon costs, in engineering and lost revenue. So in economic
terms they have no incentive to 'do the right thing'.

So to get Amazon to police their customers either requires regulation or an external
economic pressure. Blocking AWS from folks' mail servers would apply some pressure,
making areas of the net go dark to AWS would apply more pressure faster. A considerable
amount of pressure could be placed by a big enough money damages lawsuit but that has
a feedback delay of months to years.

nanog@ian.co.uk (Ian Mason) writes:

> Amazon _might_ 'get a clue' if enough providers walled off the EC2
> space, and they found difficulty selling cycles to people who couldn't
> access the machines to set up their compute applications.

> This is a classic example of externalities in the economics of security.
>
> Currently, any damage caused by Amazon customers costs Amazon little or
> nothing. The costs are borne by the victims of that damage. On the other
> hand mitigating this damage would cause Amazon costs, in engineering and
> lost revenue. So in economic terms they have no incentive to 'do the
> right thing'.

i've heard this called "the chemical polluter business model".

> So to get Amazon to police their customers either requires regulation or
> an external economic pressure. Blocking AWS from folks' mail servers
> would apply some pressure, making areas of the net go dark to AWS would
> apply more pressure faster. A considerable amount of pressure could be
> placed by a big enough money damages lawsuit but that has a feedback
> delay of months to years.

to that end, i don't accept e-mail from any free e-mail provider, including
gmail, nor from most ISP mail servers. all of them face this same
economics decision, and all of them end up spewing quite a bit of spam, and
there's no end in sight. e-mail sourcing doesn't scale. the highest
quality e-mail comes from the smallest communities. EC2 will probably face
some boycotts. i don't think these will change the endgame, whatever it is.

> So to get Amazon to police their customers either requires
> regulation or an external economic pressure. Blocking AWS
> from folks' mail servers would apply some pressure,

No it would not. That is what AWS wants you to do.

> making
> areas of the net go dark to AWS would apply more pressure
> faster. A considerable amount of pressure could be placed by
> a big enough money damages lawsuit but that has a feedback
> delay of months to years.

And such lawsuits can go both ways. As soon as a company moves
beyond protective blocking of port 25, to punitive blocking of
all traffic from AWS, they run the risk of being the target of
a damages lawsuit. Not to mention complaints from their own
customers.

There simply is no simple solution to this problem.

--Michael Dillon