Schneier: ISPs should bear security burden

I've been there -- I know how I feel about it -- but I'd love
to know how ISP operations folk feel about this.

Links here:
http://www.vnunet.com/news/1162720

...and, of course, here:
http://fergdawg.blogspot.com/2005/04/schneier-isps-should-bear-security.html

Off list, if you'd like. Or not.

- ferg

He's right. ISPs owe it to their users, if not to the rest of the
Internet community, to do this.
A lot of it is also part of the MAAWG BCPs on spam (though the BCPs,
when implemented, will do a lot more good than just cut down on spam).

> I've been there -- I know how I feel about it -- but I'd love
> to know how ISP operations folk feel about this.

It means 10 different things to 10 different people. The article was vague. "Security" could mean blocking a few ports, simple Proxy/NAT, blocking port 25 (or 139... or 53.. heh heh) or a thousand different things. There is a market for this; it's called "managed services." ISPs do this type of thing all the time. And customers pay for it. Maybe he means "broadband home users". News flash... home users will get it wherever it's cheap. And cheap means no managed services.

To the author of the article: Should ISPs be *REQUIRED* to do it? Just try it and see what happens.... try to pass a law and regulate the internet, I dare you... :) (I double-dog-dare you to get the law makers to understand it first!)

Every security appliance ven-duh on the planet would be in there, trying to have laws written that would require the use of their own proprietary solutions to the "problem." (and the proposed problem would differ depending upon the "solutions" that the particular ven-duh offered)

Wait a second... this article was FROM security ven-duhs... all offering solutions to these problems...uh-oh.... this is probably their first move in getting a law..... step 1) cause a public outcry....... so it's starting already.

I think we've all seen this act before.........

Some days, the world really annoys me. :(

-Jerry

I think it's absurd. I expect my water delivery company not to add
pollutants in transit. I expect my water production company to provide
clean water.

This is like asking the phone company to prevent minors from hearing
swear-words on telephone calls or prevent people from being able to make
prank phone calls from pay-phones.

When Mr. Schneier gets that level of service from his phone company, then,
perhaps he can expect the same from his ISP.

The worst part of that article is that it only quotes people with a vested
interest in selling service-provider based solutions to end-host based
problems.

So much for any sort of journalistic ethic, fact checking, or unbiased
reporting.

Owen

Why do ISPs owe this to their customers? I expect my ISP to deliver
packets sent to me, and, to pass along packets I send out. That is
the sum total of what I expect from my ISP, and, it's what my contract
says is supposed to happen. Where does this belief come from that when user A
at company Y sends a packet full of garbage to user B at company Z,
the ISP at either end is responsible for the contents of the packet?

That's like making the phone company responsible for the content of
a conversation or saying that Safeway distribution is responsible
for the content of Arrowhead spring water bottles that reach Safeway
stores.

Owen

Schneier isn't a journalist or reporter; he's a security vendor.

  - mark

> I think it's absurd. I expect my water delivery company not to add
> pollutants in transit. I expect my water production company to provide
> clean water.

  er.. bad analogy warning... please take a sample of tap water to
  an independent lab for analysis... and find out just what the
  water company is putting into your water.
  

> This is like asking the phone company to prevent minors from hearing
> swear-words on telephone calls or prevent people from being able to make
> prank phone calls from pay-phones.

  more bad analogies... :)

> Owen

  that said, if you don't want your ISP to diddle your packets,
  may i suggest IPSEC?

--bill

Actually that _is_ a bad analogy.

According to my sister (who works in that area as a regional water
expert), tap-water is held to higher standards than bottled water.
In Canada at least... ymmv.

cheers,
--dr

  perhaps you misread. water companies -always-
  add things to water, to kill off germs, balance mineral content,
  etc.. they do this to -meet- the "higher" standards.
  and by their tampering, they pollute the water...
  their pollution may make the water drinkable and safe.
  does not change the fact that the water was tampered with.

--bill

Yeah, gotta clean it up from pollutants [spam, DDoS], add antibacterial [antivirus] agents, check that the supply [latency] is not too low [high],
make sure there are no leaks [unauthorized access].

Ferg, you asked for it.

> I've been there -- I know how I feel about it -- but I'd love
> to know how ISP operations folk feel about this.
>
> Links here:
> http://www.vnunet.com/news/1162720

Schneier has a profound interest in the ISPs being forced to buy his
(or his competitors') security gear to fulfill the customers' dreams
of a "clean Internet connection". Pretty biased, if you don't mind.

What he fails to understand is the reasons why ISPs don't do it.
It's not just laziness (only part) or lack of responsibility; it's
more like that it's expensive and nobody would pay for it - no, not
the customers; they like to get everything for free, remember?

The most prominent reason keeping ISPs from filtering their clients'
data streams is - tada - jurisdiction. It's simply not allowed in
countries that don't officially harvest everything they can get their
hands on. There is something called "privacy rights". Nobody may
legally interfere with the data stream that reaches my boxes, and
nobody - not even my boss! - must fiddle with my email if not expressly
allowed by myself. So it is a damn good sign of the ISP's responsibility
if it does _not_ place filters in the data stream.

But then, my sympathies for Bruce have long evaporated, so I am of
course biased as well.

Elmar.

william@elan.net (william(at)elan.net) wrote:

>According to my sister (who works in that area as a regional water
>expert), tap-water is held to higher standards than bottled water.
>In Canada at least... ymmv.

> Yeah, gotta clean it up from pollutants [spam, DDoS], add antibacterial
> [antivirus] agents, check that the supply [latency] is not too low [high],
> make sure there are no leaks [unauthorized access].

In fact, the tap-water analogy is a very bad and at the same time a very
good one.

(1) In some countries, tap water is really pure and clean, often a lot
    better than what you can buy in bottles. This is especially true
    for Germany, Austria, and, according to Dragos, for Canada, too.

    The reason for the water quality here in ol' Europe is defined
    quality standards and ongoing tests.

(2) In other countries, water companies are allowed to adhere to a
    lot less rigid standards. I was pretty surprised how awful water
    in the US midwest was. Full of chlorine and tasting dead. I still
    cannot believe people drink it there every day (but they do, it's
    what Coke's made with there).

So we do see differences here, some of which stem from the available
water supplies in the area, and some of which are the effect of different
defined standards and - inherently - jurisdiction.

Countries are different; there is - legally speaking - no world-wide Internet.
Everyone falls under the legislation of their home country (for various
values of home...). And while we may not like it, this jurisdiction can be
very different from mine. Or yours.

Elmar.

Yep, and the danger is you agree with the article and some politicians or
journalists think you are advocating a full police service, which would be bad.

I do think we have an obligation to try to keep the net clean to a certain
degree (think anti-DDoS WGs, etc.), but providing full security for all users is
unrealistic. There seem to be some moves to offering partial security, and this
is probably a good thing; e.g. blocking common MS ports will likely be effective.

Steve

I was referring to the article which contained the schneier quote, not
schneier. The article was written by someone at least pretending to be
a journalist, and, was put out as news, not editorial or advertising.

As such, it should be held to the standard that should apply to news.
Instead, it was yet another example of advertising disguised as news.

Owen

>> I think it's absurd. I expect my water delivery company not to add
>> pollutants in transit. I expect my water production company to provide
>> clean water.

> er.. bad analogy warning... please take a sample of tap water to
> an independent lab for analysis... and find out just what the
> water company is putting into your water.
  
Admittedly, there are contaminants in the water, but, I don't believe
most of them are added in transit. (If I did, I'd be putting pressure
on to get that fixed). If you're talking about fluoridation, I am
fortunate enough to live in an area where they figured out that was a
bad idea.

>> This is like asking the phone company to prevent minors from hearing
>> swear-words on telephone calls or prevent people from being able to make
>> prank phone calls from pay-phones.

> more bad analogies... :)

Why is this a bad analogy? Neither of these actions is currently prevented
by the telcos.

> that said, if you don't want your ISP to diddle your packets,
> may i suggest IPSEC?

Sometimes I use IPSEC, but, I don't want my ISP to diddle my packets
whether they're tunneled or not. Fortunately, so far, I've been able
to find ISPs that don't.

Owen

As complete security as possible, to your end users.

That doesn't extend to applying filters to circuits you provision for
your customers (managed T1 type stuff maybe, but definitely, more
useful in the case of end user stuff like at the edge of broadband /
dialup pools).

> > I think it's absurd. I expect my water delivery company not to add
> > pollutants in transit. I expect my water production company to
> > provide clean water.
>
> er.. bad analogy warning... please take a sample of tap water
> to an independent lab for analysis... and find out just what
> the water company is putting into your water.

> Actually that _is_ a bad analogy.
>
> According to my sister (who works in that area as a regional water
> expert), tap-water is held to higher standards than bottled water.
> In Canada at least... ymmv.
>
> cheers,
> --dr

> perhaps you misread. water companies -always-
> add things to water, to kill off germs, balance mineral content,
> etc.. they do this to -meet- the "higher" standards.
> and by their tampering, they pollute the water...
> their pollution may make the water drinkable and safe.
> does not change the fact that the water was tampered with.

Bill, I was very specific about transit.

Yes, most water transit companies are also the water supply company, but,
in my analogy, and, in some areas, as a matter of fact, they are not the
same. The chemical tampering of which you speak is done by the water
supply company at the supply point before it is put in the pipes for
transit to the end user.

The water delivery company runs said pipes, and, my expectation from them
is that they deliver what they got from the water supply company without
any additional contaminants.

Think of the web hoster as a water supply company. The household user
is an end user. The ISP is merely a pipeline.

Owen

> Yes, most water transit companies are also the water supply company,

Water supply comes from rivers, lakes, etc. While water companies take water from those sources, they do not produce it; they just take what they can get, clean it up and then deliver it around the city.

> but, in my analogy, and, in some areas, as a matter of fact, they are not the same. The chemical tampering of which you speak is done by the
> water supply company at the supply point before it is put in the pipes for transit to the end user.

I've heard that Israel is considering (or buying already?) water from Turkey. Do you really think they are going to just deliver it as is
or do you think the water company will clean it up on the local level before delivering it to the homes?

And BTW - you do realize "contamination" on the Internet is usually at the source, right?

> The water delivery company runs said pipes, and, my expectation from them
> is that they deliver what they got from the water supply company without
> any additional contaminants.

If the water supply was contaminated, I'd fully expect the water delivery company to clean it up before delivering it to me.

> Think of the web hoster as a water supply company. The household user
> is an end user. The ISP is merely a pipeline.

In any case, I don't think this is quite the correct analogy.

A water company usually delivers from just one source (ok, maybe not one for larger areas, but it's on the order of the lower tens) and typically has control (directly or indirectly with a signed agreement) over the source.

If you want to compare this to an ISP, it would be like me having peering
agreements and direct connections with a few dozen content providers
and only giving users access to those few dozen websites.

>> Yes, most water transit companies are also the water supply company,

> Water supply comes from rivers, lakes, etc. While water companies take
> water from those sources, they do not produce it; they just take what they
> can get, clean it up and then deliver it around the city.

In many places, the company that obtains and filters the water from these
various sources and the company that delivers it to end users are different
companies. That is what my analogy speaks of. An example would be Palo
Alto, California. The City of San Francisco obtains and processes the
water from Hetch Hetchy and other sources. They then sell it to the city
of Palo Alto, which maintains its own pumping resources and pipelines
to deliver to the end users.

In this case, the city of Palo Alto is analogous to the ISP. The city
of San Francisco is analogous to the end node.

>> but, in my analogy, and, in some areas, as a matter of fact, they are
>> not the same. The chemical tampering of which you speak is done by the
>> water supply company at the supply point before it is put in the pipes
>> for transit to the end user.

> I've heard that Israel is considering (or buying already?) water from
> Turkey. Do you really think they are going to just deliver it as is
> or do you think the water company will clean it up on the local level
> before delivering it to the homes?

That depends, I guess, on the quality of water that Turkey delivers and
the SLA that Israel expects. An example of the situation I describe
is above, and, it is real.

> And BTW - you do realize "contamination" on the Internet is usually at the
> source, right?

Right... Exactly my point. Solving source point contamination in the
transit network isn't a good idea.

>> The water delivery company runs said pipes, and, my expectation from them
>> is that they deliver what they got from the water supply company without
>> any additional contaminants.

> If the water supply was contaminated, I'd fully expect the water delivery
> company to clean it up before delivering it to me.

In many cases, the water delivery company has no ability or facility to
do so. I expect them to deliver clean water. Frankly, I don't care
too much whether they act as a supply company or a delivery company,
so long as they deliver clean water.

My point was that it is perfectly acceptable for a delivery only company
to deliver without additives or filtration. Sure, in the case of water,
since the delivery company is choosing the source point, they have some
additional responsibilities with regard to the source quality, but,
that isn't the case in the internet. The end user is choosing the
source, and, the ISP is a pure delivery company.

>> Think of the web hoster as a water supply company. The household user
>> is an end user. The ISP is merely a pipeline.

> In any case, I don't think this is quite the correct analogy.

Any analogy will break if you pick at it hard enough.

> A water company usually delivers from just one source (ok, maybe not one for
> larger areas, but it's on the order of the lower tens) and typically has
> control (directly or indirectly with a signed agreement) over the source.

Yes.

> If you want to compare this to an ISP, it would be like me having peering
> agreements and direct connections with a few dozen content providers
> and only giving users access to those few dozen websites.

Perhaps I should have used electric companies as a better example.

Owen

Of course Bruce Schneier is going to advocate ISPs handling security so
he can sell them more of his crappy Counterpane products. I find it
offensive that Mr. Schneier would categorize ISPs as lazy and
irresponsible, and it does nothing but encourage me to sell anything BUT
Counterpane to my customers.

Our customers vary greatly, and their security needs differ just as much.
There is no one-stop solution for every customer, and it is not the ISP's
responsibility to filter traffic and firewall their customers. Those that
do invariably end up with trouble.