Creating a crystal clear and pure Internet

Some people have compared unwanted Internet traffic to water pollution, and proposed that ISPs should be required to be like water utilities and
be responsible for keeping the Internet water crystal clear and pure.

Several new projects have started around the world to achieve those goals.

ITU anti-botnet initiative

http://www.itu.int/ITU-D/cyb/cybersecurity/projects/botnet.html

France anti-piracy initiative

http://www.culture.gouv.fr/culture/actualites/index-olivennes231107.htm

I'm not sure how to reconcile two things:

  1) e2e principle -- if someone starts doing some new
proto 66 thing, how do you make sure it's accessible?

  2) protection from unwanted garbage. I don't really want all
these 404 byte udp/1434 packets anymore but the networks that
originate them don't seem to care or notice they're still infected.

  one person's unsolicited traffic is another's debugging/research
project.

  I was at a Thanksgiving party and made the following postulation:

  Within the next 2 major software releases (Microsoft OS) they're
going to by default require signed binaries. This will be the only viable
solution to the malware threat. Other operating systems may follow.
(This was a WAG, based on gut feeling).

  This has some interesting implications and would require Microsoft
to be a bit more small-app friendly, and there'd be a knob to twiddle if
you're a developer and don't want to check signatures, but it's one of the
few ways to resolve the issues IMHO, and cut down on the infections. So what
if I own you via your browser, unless the malware I push to your host is
signed, it's not gonna run. Game [closer to] over.

  - Jared

No offense, but I think this is an overly political topic, and we
just saw that politics are not supposed to be discussed. There
is a huge political debate on what ISPs should and should not be
doing to traffic that flows through their systems. There are
other groups, like NNsquad, where these types of conversations
are welcome, but even there on the forums, not the mailing list.

But, if it's not viewed as political then...

Your analogy is flawed, because the Internet is not a pipe system
and ISPs are not your local water utility. And, there are many
different ways that water utilities are handled in different
parts of the world. In the US, most if not all water utilities
are handled by the government, usually the county government
where I'm from. ISPs are not government run, and can't be
compared to a water utility for that simple reason. They don't
have the same legal (again, an issue that is not supposed to be
discussed, according to the AUP) requirements nor the legal
protections available to governments (you can't sue most
governments).

And my personal opinion is that ISPs should not do anything to
the traffic that passes through their network as far as
filtering. The only discriminatory behavior that should be
allowed is for QoS, to treat specific types of traffic in a
different manner to give preferential treatment to specific
classifications of traffic. My definition of QoS for the
purposes of this discussion, if it is allowed to continue, would
not include shaping or policing. If an ISP says you have a 5Mb
downstream and a 512K upstream, you should actually be allowed to
send 512K upstream all the time. However, that's not to say that
an ISP should not be able to classify traffic as scavenger over a
particular threshold, and preferentially drop that traffic at
their overprescribed uplink if that is a bottleneck. The end
user should also be allowed to specify their own QoS markings,
and they should be honored as long as they don't go over specific
thresholds as imposed, and documented, by the ISP. For example,
the customer should be able to self-classify certain traffic as
high priority (VoIP) and certain as low (P2P), but if the
customer classified all traffic as high priority the ISP is free
to remark anything over a set threshold (say 128K) as a lower
priority, but NOT police it.

If you want to use an analogy, ISPs are more like >private< road
systems and owners, using >public< lands that have been given a
right to use said >public< lands for >private< profits with
specific restrictions. Some restrictions may be that you can't
discriminate on the payload (any kind of identifying category for
passengers, such as race, ethnicity, gender, etc., which in the
network world would map to type of protocol or payload content,
such as P2P traffic or email), but that you can create an HOV
lane for high occupancy vehicles (QoS). Of course, ISPs are
allowed to make sure the vehicles are in proper working condition
(checking that various layer headers are in compliance). Much
like with the self-marking of traffic with QoS tags, the customer
should also be able to make their own decision and pack two other
people in the car in order to get into that HOV lane. However,
if the users of the road try and pack everything into the HOV
lane, they can be reclassified (buses may have to pay a higher
fee to use the road).

However, in this world of religious warfare (another banned
topic, I'm sure!) it is recognized that a certain level of
profiling is acceptable. So, it may be O.K. for ISPs to profile
and deny traffic depending on the payload only for specific types
of traffic that have been shown to cause issues, and/or only be
present for nefarious reasons. Examples may be known signatures
for virus attacks, worms, or Trojans. Other examples may be
identifying characteristics for SPAM (I'm reluctant to say
"excessive email traffic" because I don't believe that is a
proper identifying characteristic, I should be able to run my own
SMTP server and send out as much legitimate email as I want).

I realize that my views probably won't be shared by the vast
majority of ISPs, and hence are overly political for this group.
That's why I think any discussion is not necessarily on-topic.

Thanks,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697
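The remark-rather-than-police behaviour the post above describes, as an added simulation that is not part of the thread: a token bucket sized to the quoted 128K threshold demotes out-of-contract high-priority packets to a lower class and still forwards them, while a policer with the same contract drops them. The class names (EF/BE), the token-bucket implementation and the constructed packet trace are assumptions, not anything the post specifies.

```python
"""Toy model of the QoS policy described above: customer DSCP marks are honoured
up to a documented threshold (128 kbit/s of high-priority traffic); the excess is
REMARKED to a lower class rather than policed. Constructed example: class names,
token-bucket sizing and the packet trace are all assumptions."""
from dataclasses import dataclass, replace

HIGH, LOW = "EF", "BE"   # assumed class names: expedited forwarding / best effort
THRESHOLD_BPS = 128_000  # the 128K threshold quoted in the post

@dataclass(frozen=True)
class Packet:
    ts_ms: int  # arrival time in whole milliseconds (keeps the arithmetic exact)
    size: int   # bytes
    dscp: str   # the customer's self-applied marking

class TokenBucket:
    """Rate in bit/s, depth in bits; integer arithmetic only, no float drift."""
    def __init__(self, rate_bps, depth_bits):
        self.rate, self.depth = rate_bps, depth_bits
        self.tokens, self.last_ms = depth_bits, 0
    def conforms(self, pkt):
        refill = (pkt.ts_ms - self.last_ms) * self.rate // 1000
        self.tokens, self.last_ms = min(self.depth, self.tokens + refill), pkt.ts_ms
        if pkt.size * 8 <= self.tokens:
            self.tokens -= pkt.size * 8
            return True
        return False

def remark(packets, rate=THRESHOLD_BPS, depth=THRESHOLD_BPS // 8):
    """In-contract HIGH packets keep their mark; out-of-contract ones are demoted
    to LOW but still forwarded. LOW packets never consume high-priority tokens."""
    tb = TokenBucket(rate, depth)
    return [replace(p, dscp=LOW) if p.dscp == HIGH and not tb.conforms(p) else p
            for p in packets]

def police(packets, rate=THRESHOLD_BPS, depth=THRESHOLD_BPS // 8):
    """What the post argues against: out-of-contract HIGH packets are dropped."""
    tb = TokenBucket(rate, depth)
    return [p for p in packets if p.dscp != HIGH or tb.conforms(p)]

def make_trace():
    """Constructed: 1500-byte packets every 10 ms, all marked HIGH (1.2 Mbit/s, far
    over the 128 kbit/s allowance), interleaved with customer-marked LOW (P2P)."""
    high = [Packet(10 * i, 1500, HIGH) for i in range(100)]
    low = [Packet(10 * i + 5, 1500, LOW) for i in range(20)]
    return sorted(high + low, key=lambda p: p.ts_ms)

def summarize(packets):
    return {"forwarded": len(packets), HIGH: sum(p.dscp == HIGH for p in packets),
            LOW: sum(p.dscp == LOW for p in packets)}
```

`summarize(remark(make_trace()))` forwards all 120 packets with 11 still marked EF, whereas `summarize(police(make_trace()))` forwards only 31.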

What's the networking equivalent of "remember to build your water intake
*upstream* of your sewage plant"?

Or, more accurately - "how do you get all those people with private
wells^Wcomputers to *not* insist on building their leach fields uphill
of their wells?".

There's a limit to what an ISP can do to make it "crystal clear and pure"
without an incredibly intrusive presence. The technically easy way is what
many corporations do - Borg the boxes into an Active Directory domain, and
impose fascist controls via Group Policy (for all of my anti-MS ranting, I'll
grant the AD/GP stuff *is* pretty slick ideas for corporate PC lockdown).

But how do you sell that idea to the consumer user?

The problem with "active content" is that an exploit will quite happily
run in the security context of the browser - and way too many sites insist
on either/both Flash and Javascript. Ever notice that there have been far fewer
pure Java based problems? That's because it started off with a semi-sane
security model. Flash and Javascript didn't.

And you can't allow the browser to create executables, obviously. Unfortunately,
that *also* means that you can't allow the user to use the browser to download
patches, updates, and new software....

(Well - it's at least theoretically *doable* in the right Trusted Computing
type of scenario, but I doubt we're going to get users to buy into it...)

Doesn't Mac OS X Leopard do this already?

I don't understand, how in the world do they plan to differentiate
normal legal traffic from illegal pirating???

I myself, and I'm sure most others, prefer net neutrality to the horrid
alternative you're suggesting.

Horrid? Strong words. What's horrid about allowing an ISP to
prefer that their BGP traffic has a higher priority than end-user
traffic, so that the whole net doesn't fail when pipes are
overprescribed, or there is a virus/worm on the net? What's
horrid about allowing an end-user to decide which of its traffic
should be dropped first, if by definition some traffic HAS to be
dropped due to over-prescription?

If you think it's horrid, then I'd like some examples, because I
suspect that given certain specific scenarios you'd probably
agree with what should happen (as neutral as can possibly be
managed, and transparent).

Thanks,

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697

Especially as they also want to ban DRM; it's like they gave half the
report to Cory Doctorow to write and half to the MPAA.

Rather than go after distilled water via reverse osmosis, I think a carbon
filter would be a good place to start.

Frank

Welcome to the non-regulated world.

  I think this is a general call to engage in these activities.
The last thing I think most of us want to have happen is to wake up and
be regulated like the Chemical sector became, e.g.:
http://www.dhs.gov/xprevprot/laws/gc_1166796969417.shtm

  There is an operational part of this whole internet thing that
does matter, and I have to say, we can't just ignore the activities at
the recent Rio, ITU, or other things. Without clued engagement
will the policy wonks make the right choices/decisions? This does
impact network operations.

  Take for example the FCC stuff on the emergency alert system.
(excerpt from federal register follows)

-- register excerpt --
Contra Costa states just as
the Internet Protocols enable various kinds of computers to work
together, CAP can provide the basis for a secure "warning internet"
that can leverage all our warning assets to achieve more than any
single system can alone.
-- register excerpt --

  Perhaps you don't care about this stuff, but maybe you'll soon
be required to have your EAS testpoint connected to the local PSAP for
them to do reverse-911 or other activities to users with naked dsl, etc..

  If you think this doesn't impact your operational network
or have the potential to, you're sorely mistaken. If you're not
engaged, you may become blindsided by costs that you're unable to
recover from and cause your network to close due to bankruptcy.

  I could be insane in thinking this, but I think we're in
that time of the lifecycle where we need to be on-guard.

  - Jared

On a more practical/technical level, I'm interested in how the French ISPs that worked on the plan expect to implement it on their networks.

Orange France
Free
Neuf cegetel
AFA
GESTE
SELL
SIMAVELEC
DAILYMOTION
Numericable/Noos
YouTube/Google
AFORST

What technical methods do they believe are going to work as outlined in the working document Annex 1:

http://www.culture.gouv.fr/culture/actualites/conferen/albanel/rapportolivennes231107.pdf

- Filtering URL or IP address (le filtrage d'URL ou d'adresse IP)
- Filtering ports (le filtrage de ports)
- Filtering protocols (le filtrage de protocoles)
- Filtering content (le filtrage de contenus)
- Filtering services (les outils de filtrage par les hébergeurs ou les éditeurs de services)
- External monitoring (Le repérage des flux illicites par l'observation externe)

Unfortunately, Babelfish isn't the best way to read such a document. There are probably some nuances which don't translate easily.

Nokia by default requires apps installed on the phones to be signed, though one can disable this functionality (and in fact must, in order to run many of the desirable applications). It's been stated in the press that Apple are doing this with the iPhone SDK, too.

Quoting Wu Ming:

  Take everybody's ideas of clear and pure and overlay them and
  pretty soon the only things allowed to be sent over the Internet
  will be Shakespeare and the Bible, and much of that's a grey
  area anyway.

I dunno. I've often wished I *could* QoS some of my packets up/down so the
Linux distro ISO I'm downloading doesn't make my SSH get piggy, and I'd
certainly at least *consider* a provider that offered "NNN gig/month of
priority traffic, and unlimited scavenger-class" or similar ideas I've seen
proposed. I'd even be OK with the provider QoS'ing the packets because the
*other* end of the connection did it (hey, you host a distro mirror, you want
to save those bandwidth charges, I can understand and will show solidarity by
playing along).

It's only when my packets get QoS'ed downward because some *third party* paid
the provider that it gets ugly and evil.

(And yes, I know there's the nasty corner cases where I'm sharing a pipe with
my next door neighbor who paid for a bigger slice of pipe. If it was *easy*,
it would already be done rather than a big hairy policy issue.. ;) )

Of course, any *sane* provider will totally ignore what I and the other 2%
lunatic fringe want, and market the plan that extracts maximum profit from
the 98% Joe Sixpack customers out there. :)

Some people have compared unwanted Internet traffic to water pollution, and
proposed that ISPs should be required to be like water utilities and
be responsible for keeping the Internet water crystal clear and pure.

Yes -- well, not "unwanted" IMHO, but "abusive". (Much traffic
that's unwanted is not abusive. For example, in the view of some readers
of this mailing list, some of the longer/more caustic/repetitive debates
might very well be unwanted. But that traffic is clearly not abusive.)

Several new projects have started around the world to achieve those goals.

ITU anti-botnet initiative

[snip]

France anti-piracy initiative

Only the first one has anything to do with keeping the Internet clean;
the second is a political cave-in to the copyright cartel.

I see a (mostly) clear line between "things that are abusive of
the Internet, systems connected to it, and users of those systems"
and "content that's unwanted, offensive, or claimed to be covered
under someone's interpretation of IP law".

The first category contains things like spam, phishing, spyware,
spam/phishing/spyware support services (dns, web hosting, maildrops),
DoS attacks, hijacked networks, etc.

The second category contains things like porn, religion, politics,
music, movies via whatever means are used to convey them (mail,
web, p2p, etc.) all of which are certain to irritate someone, somewhere,
and much of which could probably be construed (by a sufficiently
creative legal practitioner) to infringe on somebody's IP.

In my view, it's the responsibility of everyone on the net to do
whatever they can to squelch the first. But they have no obligations
at all when it comes to the second -- that way lies the slippery
slope of content policing and censorship.

---Rsk

Roland Dobbins wrote:

Other operating systems may follow. (This was a WAG, based on gut
feeling).

Nokia by default requires apps installed on the phones to be signed,
though one can disable this functionality (and in fact must, in order to
run many of the desirable applications). It's been stated in the press
that Apple are doing this with the iPhone SDK, too.

It is a nearly ubiquitous solution for mobile phones, though many of the
actual implementations have been subverted at one time or other, and
users actually updating the firmware of their mobile devices is actually
a rather infrequent event.

So while they utilize this approach it is not a panacea and they have a
ways to go themselves.

But, if it's not viewed as political then...

Your analogy is flawed, because the Internet is not a pipe system
and ISPs are not your local water utility.

And the internet is not a big truck! It's....It's a series of tubes!

Sorry, I couldn't resist... with all these things clogging all the tubes. :)

-Jerry

I'd like to draw attention to the NANOG AUP, particularly #6: Postings of
political, philosophical, and legal nature are prohibited.

While the "regulation of internet by filtering bad traffic" is clearly
political and/or legal, I do think the *technical* implications of it are
very much on-topic. After all, once this happens, we as network operators
will be responsible for the filtering.

Given that, I'd like to ask everyone to refrain from off-hand comments about
tubes and dump trucks - we all hear this joke every day. Discussion of
morality of such filtering is also off-topic.

Discussion of implementation of such filtering and effect of it on network
operations at-large is clearly on-topic. Discussion of separating traffic
(by network operators) into "bad" and "good" is also on-topic.

The list is about technology and operations. This is not ITU. This is not
C-SPAN. This is not 'general banter among network operators' list either.

Before you post to the list, think - would you want to make a presentation
at NANOG-conference based on your post? If it doesn't feel appropriate,
the list post is similarly inappropriate.

Also, this is another reminder that MLC *will* be giving formal warnings
(which will eventually lead to removal from the list) to those who
continue to post off-topic messages.

As usual, should you wish to discuss this post, please do so on
nanog-futures (reply-to has been set accordingly).

Thanks!

-alex [mlc chair]