IAB concerns against permanent deployment of edge-based filtering

> and if they are useful to the folks on my network, the ports
> will be opened up.

This is where we are disagreeing.


- The Robustness Principle: "Be conservative in what you do, be liberal
in what you accept from others." [Jon Postel, RFC 793]
- The Principle Of Least Astonishment: A program should always respond
in the way that is least likely to astonish the user. [Traditional,
original source unknown]

  yup. remember those.

Because of this, if not the overall explicitly stated (by IETF) goal is
that filtering should NOT happen, it will happen.

  it's happened for years and is implicitly allowed.

Yes, it is an ISP, regardless of transit or edge, which is responsible
for their network.

  thank you.

It is my belief that statements like this from the IAB will help, as
ISPs and customers of ISPs both can see what the IAB thinks the goal
of operations is. Customers can say "hey, IAB says this, why don't you
run your network that way". The ISP can then explain (and in some cases
it of course makes sense what the ISP says).

  Such a statement from the IAB might be construed improperly,
  in much the same way as you claim RFCs are "improperly"
  interpreted by various and sundry ISP/commercial folks.

  If I get a customer who says "hey, IAB says this, why don't you
  run your network that way" and my response will be something along
  the lines "vendors bugs e.g. the cisco IOS attacks via chargen, daytime
  et al. or Microsoft RPC weaknesses - FIRST/CERT/SANS recommendations
  to mitigate DDOS. We can have a working, productive network or we
  can have an IAB compliant network." Now it's not the IAB's fault
  that implementations make local optimizations or overlook coding
  weaknesses. The IAB should provide a sound architectural framework
  and direct the IESG/IETF to advance robust, well defined protocols
  down the standards track (they should also encourage publication and
  development of novel ideas, via experimental/informational RFCs, but
  that is another topic). However, in the absence of the network police,
  (you know, the interoperability squad) it is impossible for me to
  put a whole lot of credence on the IAB telling me that it would be
  best if I would ensure that filters are only transitory. That's nearly
  the same as telling me that being healthy is good. That said, no filters
  are permanent, some just last longer than others, depending on when
  problems are fixed.

  Cast in a different light, let me ask you this, is it better to ship
  products with "security" turned off or turned on?