How to secure the Internet in three easy steps

> > 1. Require all providers install and manage firewalls on all subscriber
> > connections enforcing source address validation.
>
> i can see how the end to end principle applies in cases 2 and 3, but not 1.

I didn't make any of these up. They've all been proposed by serious,
well-meaning people.

i recommend caution with your choice of words. apparently not everyone
treats "well meaning" as the compliment that it is.

If you have 2 and 3, why do you need to waste global addresses on 1?

i don't believe that 2 or 3 will ever happen, for simple market reasons --
it is harder to make money if you do 2 or 3. however, 1 only costs a small
bit of ops expense, and has no market impact at all, so it's practical in
simple economic terms.

It's a misunderstanding of what source address validation is. Some folks
think it should work like ANI, where the telephone company writes the
"correct" number on the call at the switch.

ouch. i guess you're right. perhaps a copy of BCP38 should come with
every router sold?

I forget what they paved the road to hell with....

Sameer
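The point raised above about what source address validation actually does (it checks and drops, it does not stamp a "correct" source on the packet the way ANI does) is easy to show in code. The following is an added example, not code from the thread or from any vendor; the interface names, customer prefixes and packets are constructed sample data, and the model is a provider edge that knows which prefixes each customer port was assigned (the BCP38 ingress filter).

```python
"""BCP38-style ingress source address validation at a provider edge.

Added illustration, not from the mailing-list thread. All interface names,
prefixes and packets below are constructed sample data.
"""
import ipaddress

# Constructed: the prefixes each customer-facing port is allowed to source
# traffic from. This is what the provider knows from its own assignments.
ALLOWED_SOURCES = {
    "cust-1": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-2": [ipaddress.ip_network("203.0.113.0/25"),
               ipaddress.ip_network("2001:db8:2::/48")],
}


def validate_source(interface, src):
    """Return True if `src` is a legitimate source address on `interface`.

    Unknown interfaces get no entry and therefore deny everything; the
    check never rewrites the address, it only answers yes or no.
    """
    addr = ipaddress.ip_address(src)
    for net in ALLOWED_SOURCES.get(interface, []):
        if addr.version == net.version and addr in net:
            return True
    return False


def filter_packets(packets):
    """Apply the ingress check to (interface, src, dst) tuples.

    Accepted packets are forwarded exactly as received (source untouched);
    rejected packets are dropped, with a log line a NOC could alert on.
    """
    result = {"accepted": [], "dropped": [], "log": []}
    for pkt in packets:
        iface, src, dst = pkt
        if validate_source(iface, src):
            result["accepted"].append(pkt)
        else:
            result["dropped"].append(pkt)
            result["log"].append(
                f"BCP38 drop iface={iface} src={src} dst={dst} "
                f"(source not in assigned prefixes)")
    return result


# Constructed packets: two legitimate, two spoofed, one from an unknown port.
SAMPLE_PACKETS = [
    ("cust-1", "198.51.100.7", "192.0.2.10"),        # own prefix: forward
    ("cust-1", "203.0.113.9", "192.0.2.10"),         # neighbour's prefix: drop
    ("cust-2", "2001:db8:2::1", "2001:db8:ffff::1"), # own v6 prefix: forward
    ("cust-2", "192.0.2.1", "192.0.2.10"),           # unrelated prefix: drop
    ("cust-3", "198.51.100.7", "192.0.2.10"),        # unknown port: drop
]

if __name__ == "__main__":
    outcome = filter_packets(SAMPLE_PACKETS)
    print("forwarded:", outcome["accepted"])
    for line in outcome["log"]:
        print(line)
```

Note that the accepted tuples come back byte-for-byte as they went in: the filter's only action is to forward or drop, which is why it needs the provider's own assignment table rather than anything carried in the packet. The default-deny for an unconfigured port is a deliberate choice; a port with no prefix list should not be able to source anything.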

"Sameer R. Manek" wrote:

Paul Vixie wrote:

> Sean Donelan wrote:

> > I didn't make any of these up. They've all been proposed by serious,
> > well-meaning people.
>
> i recommend caution with your choice of words. apparently not everyone
> treats "well meaning" as the compliment that it is.

I forget what they paved the road to hell with....

Good intentions.

i don't believe that 2 or 3 will ever happen, for simple market reasons --
it is harder to make money if you do 2 or 3. however, 1 only costs a small
bit of ops expense, and has no market impact at all, so it's practical in
simple economic terms.

Not only that, but unless _everyone_ implements 2 and/or 3, all the bad
people that exploit the things these are meant to protect will migrate to
the networks that lack these measures, mitigating the benefits.

This seems to be a catch-22; no one will implement these for the good of the
net because it costs money, and ignorant competitors that don't implement
them will not share in that expense. Have any such ideas been implemented
in the modern internet? How?

Not to mention that 2 or 3 wouldn't do any good for the net. There are private
ALG-based networks where you get to pay your premiums for your bits; if you
need that functionality, there is no reason to break the internet, you just
subscribe to your local X.400 service for email, etc.

Pete