Schneier: ISPs should bear security burden

At a recent forum at Fordham Law School, Susan Crawford -- an attorney,
not a network operator -- expressed it very well: "if we make ISPs into
police, we're all in the ghetto".

Bruce is a smart guy, and a good friend of mine, but he's not a network
operator or architect. There are a small number of times when
operators can, should, and -- in a very few cases -- act, but those
are rare. The most obvious case is flooding attacks, since they represent
an abuse of the network itself; operators also have responsibility for
other pieces of the infrastructure they control, such as (many) name
servers.

    --Prof. Steven M. Bellovin, http://www.cs.columbia.edu/~smb

While this stance works for backbone network operators, I'm not entirely convinced it's a viable business strategy for ISPs dealing directly with end-user customers (business or residential). The problem at the edge is that customers insist they don't want the spam and viruses, and expect the ISP to help. Earthlink and AOL provide such services, and in the course of doing this raise an expectation.

Now a regional or local ISP can either say "it's not our job to protect you" and have their customers migrate away, or they can make efforts to help and retain customers. So, is this a technical issue or a business issue? Network engineers are not necessarily qualified to make business decisions, unless they wear both hats.

Customers at the retail level expect basic protection services as a part of the price of service. Whether that's a good thing or not, it's where we are on the business side of providing retail ISP services.

<snip>

At a recent forum at Fordham Law School, Susan Crawford -- an attorney,
not a network operator -- expressed it very well: "if we make ISPs into
police, we're all in the ghetto".

Bruce is a smart guy, and a good friend of mine, but he's not a network
operator or architect. There are a small number of times when
operators can, should, and -- in a very few cases -- act, but those
are rare. The most obvious case is flooding attacks, since they represent
an abuse of the network itself; operators also have responsibility for
other pieces of the infrastructure they control, such as (many) name
servers.

Internet service providers should ensure protective strategies do not
harm hapless consumers. While an ISP's protective obligations easily
include Domain Name and routing services, few systems withstand
unfettered abuse or tampering. Should a provider expect active
cooperation from others granted access to their networks? The strength
of the Internet is dependent upon cooperation and policy enforcement.
While an egalitarian view would insist all be granted equal access, a
response to abuse should be considered, even when only guarding
essential services.

What is a reasonable threshold before a provider "rarely" acts? You
listed only one, a flood attack.

-Doug
