Measured Internet good v. "bad" traffic

<snip>

  I sympathize with the customer. There is no reason he should pay for
traffic he did not request and does not want. If unwanted traffic raises
your cost of providing the service for which you are paid (providing wanted
traffic) then you should raise your rates.

<snip>

Then why should _I_ bear the cost of traffic destined to you?
Somebody has to pay, and I'ld rather you pay for it, you seem to
believe that I (and all of the rest of PROVIDER's customers should
pay). Which is more or less fair?

<snip>
> I sympathize with the customer. There is no reason he should pay for
> traffic he did not request and does not want. If unwanted traffic raises
> your cost of providing the service for which you are paid
> (providing wanted
> traffic) then you should raise your rates.
<snip>

Then why should _I_ bear the cost of traffic destined to you?

  If you don't want to, don't accept that traffic. It's just like a store
stocking Christmas toys. If they don't sell, you're stuck with them. A
customer will only pay for what he wants, not what you think he should want.

Somebody has to pay, and I'd rather you pay for it, you seem to
believe that I (and all of the rest of PROVIDER's customers should
pay).

  Of course the customer pays for it however you slice it.

Which is more or less fair?

  Both are equally fair if all sides explicitly agree. Burger King could, for
example, raise prices in high crime areas, that would be perfectly fair
since the crime costs them. But they could also decide that customers prefer
more uniformity in pricing and feel they should not pay for other people's
crimes, so they'll distribute the cost of crime by raising prices for
everyone.

  Similary, customers don't want to worry about DoS attacks over which they
have no control. They may not feel it's fair to pay for something they do
not want. So many ISPs find that the uniformity of pricing is worth more to
their customers.

  Neither is inherently more fair or more unfair. They're just different
approaches.

  My point is not that it's unfair to make customers pay for DoS attack
traffic. My point is that one-sided arguments make no actual business sense.
There is no 'unfair' when all participants agree.

  The one-sided views are harmful because the people who hold them may be
totally blind-sided when their customers come back with the other side, a
side they never really looked at because it seemed unreasonable at first
blush. Yes, businesses routinely eat costs that affect transactions
non-uniformly and build them into more uniform prices. They do this because
it provides better billing predictability to their customers. A customer's
understand of "your traffic" may not be the same as your understanding and
you had better make sure you make it clear.

  If FedEx delivers a bomb to me postage due, they had better not expect me
to pay the charges. I don't want it and the fact that someone told FedEx I
wanted it doesn't change anything.

  DS

My car gets horrible mileage, therefore, I will only pay for the
amount of gas that SHOULD be used according to the factory sticker,
not the rest burned up by my fuel-inefficient driving methods.

I just rented a truck. A construction detour forced me to put more
mileage on the truck than I intended, therefore, I will only pay for
the mileage that I would have accumulated had there been no detours
due to construction.

No, this is not a store stocking Christmas toys, or a Progressive(tm)
insurance commercial. This is bandwidth.

Oops, didn't fully understand the post before I hit reply.

Ignore that little rant.

I realize that you rescinded this post, but I still think it's worth
responding to the arguments to show why they're wrong.

> If you don't want to, don't accept that traffic. It's just
> like a store
> stocking Christmas toys. If they don't sell, you're stuck with them. A
> customer will only pay for what he wants, not what you think he
> should want.

My car gets horrible mileage, therefore, I will only pay for the
amount of gas that SHOULD be used according to the factory sticker,
not the rest burned up by my fuel-inefficient driving methods.

  Suppose most people did get the posted gas mileage, but one or two people
suddenly got stuck with a bill for twenty times the usual amount. It would
be very reasonable for car companies to 'insure' people against being that
unlucky person because people do try to budget for fuel.

  Unlike DoS attacks, however, this hits everyone evenly anyway. It isn't a
large, unpredictable cost over which the customer has no control.

I just rented a truck. A construction detour forced me to put more
mileage on the truck than I intended, therefore, I will only pay for
the mileage that I would have accumulated had there been no detours
due to construction.

  Some rental companies actually do this. They bill you based upon the
expected mileage for a trip (usually subject to some limit to discourage
lying). If people really did fear this (if it was significant), they might
well seek insurance against such unexpected expenses and it would make sense
for the rental agencies to provide this insurance themselves.

  Another key difference is that there's nothing truck rental agencies can do
about construction. On the other hand, there are many things ISPs can do
about DoS attacks.

No, this is not a store stocking Christmas toys, or a Progressive(tm)
insurance commercial. This is bandwidth.

  Right, and it's a product just like any other product that can be sold by
widely differing business models. Make sure you and your customer (or you
and your ISP) have a common understanding. Any fixed rate contract has some
insurance aspects.

  All of these arguments reflect technical thinking rather than business
thinking. The business model that seems obvious to you is not the only
possible business model. What seems reasonable from one side of the table
seems reasonable from the other.

  Again, I present the factual counter-exemple. I have never had a problem
getting an ISP to agree not to bill for DoS attacks provided notification
was timely (and I have negotiated on others' behalf several times). Some did
insist on a reasonable per-incident fee ($400-$500), though oddly none have
ever actually charged for that fee.

  By the way, another thing I always negotiate for is the ability to opt-out
of any permanent filtering of apparently valid traffic. We, of course, allow
things like spoof prevention and emergency filters to deal with worms or
other problems.

  DS