nanog mailing list archives
RE: Even you can be hacked
From: Owen DeLong <owen () delong com>
Date: Fri, 11 Jun 2004 00:08:16 -0700
It all depends upon what the agreement between the customer and the ISP says. It's no unreasonable for the ISP to 'insure' the customer against risks he isn't able to mitigate which the ISP is, even if that means shutting off his service.
True, to some extent, but...
If someone blows up my water line and $1,000,000 worth of water is wasted, I don't think the water company is going to expect me to pay for it. This is especially true if the water company knew about the leak, could have done something to mitigate it, and failed to do so. Even if that means shutting off my water, that's what I'd expect them to do, shut it off until someone fixes it.
Interesting theory. I don't expect that. I expect the water company to tell me how to shut off my water, or, possibly offer to come out and shut off my water for a fee. I don't expect them to turn the water off just to protect me from an outrageous bill if the problem is on my portion of the line. I do expect them to shut off your line when it blows up if it is causing a pressure drop which is affecting other customers, whether you want them to or not.
Most of the people on this list see things from the ISP's perspective. However, step back a bit and see it from the user's perspective. Do you expect to pay for phone calls you didn't make or do you expect the person whose deliberate conscious action caused those calls to be made? Do you expect to be responsible for patrolling your electric lines to make sure someone hasn't plugged into your outside outlets?
Well, as the step-parent of two teenage daughters, both of whom have cell phones purchased for them by my wife, I routinely pay for telephone calls I didn't make with no hope of getting said teenagers to ever pay the bill.I certainly don't expect the electric company to patrol my outside electrical
outlets, and, yes, when someone plugged into one of mine, I did get billed by the power company. Why should they pay for it? They delivered the electricity to me. What I did with it afterwards (in this case, giving it to someone else I didn't expect or condone) is my problem.
For most classes of service, it makes the most sense to only charge the customer for the traffic he wants and have the ISP take the responsibility for dealing with attacks to the extent they can do so. This is because the customer can't afford to hire a full time person to guard his always-on DSL connection while he's away for two weeks but his ISP can. This may mean that you're disconnected until they can coordinate with you -- such is life.
If the customer is sending the traffic to the ISP (the issue in this case), then the ISP has no ability to drop the traffic before it arrives at the ISP router. The ISP, in this case, acted responsibly and informed thecustomer of their problem. They were even gracious enough to give the customer
credit for some period of time. The ISP in this case did not control the CPE, it was the customer's CPE. As such, the customer is responsible for maintaining and configuring the CPE to do any desired blocking.
I don't make anything for customers in contracts... We have a sales departmentJust be aware, your customers may not have the same expectations you do, and you should make your understanding *very* clear to your customers in your contracts.
and a legal department that do that. I make routers deliver packets, and, sometimes, I even have to make routers not deliver packets. Sometimes, I help sales and legal figure out how to explain things to customers. Once in a while, I help them clarify that in the contract. Fortunately, for the most part, I run routers, not contracts. I like it better that way. However, I will say that the customers I have dealt with on the technical level have generally expected us to deliver packets, and, expected to pay for packets we deliver according to their agreement. When they ask us to block something, we do, but, I have never had a customer expect not to pay for their infected system AFTER we told them they were spewing. YMMV, Owen -- If it wasn't crypto-signed, it probably didn't come from me.
Attachment:
_bin
Description:
Current thread:
- Re: Even you can be hacked, (continued)
- Re: Even you can be hacked Jeff Shultz (Jun 10)
- Re: Even you can be hacked Laurence F. Sheldon, Jr. (Jun 10)
- Re: Even you can be hacked Patrick W . Gilmore (Jun 10)
- RE: Even you can be hacked David Schwartz (Jun 10)
- Re: Even you can be hacked Laurence F. Sheldon, Jr. (Jun 10)
- Re: Even you can be hacked Patrick W . Gilmore (Jun 10)
- Re: Even you can be hacked Patrick W . Gilmore (Jun 10)
- Message not available
- Re: Even you can be hacked Patrick W . Gilmore (Jun 10)
- Re: Even you can be hacked Jeff Shultz (Jun 10)
- RE: Even you can be hacked David Schwartz (Jun 10)
- Re: Even you can be hacked Adrian Chadd (Jun 10)
- RE: Even you can be hacked Owen DeLong (Jun 11)
- Re: Even you can be hacked Sean Donelan (Jun 10)
- Re: Even you can be hacked bmanning (Jun 10)
- Re: Even you can be hacked Jeff Shultz (Jun 10)
- Re: Even you can be hacked Robert Blayzor (Jun 10)
- Re: Even you can be hacked Andy Dills (Jun 10)
- Re: Even you can be hacked Crist Clark (Jun 10)
- Re: Even you can be hacked Owen DeLong (Jun 10)
- Re: Even you can be hacked Andy Dills (Jun 10)
- Re: Even you can be hacked Laurence F. Sheldon, Jr. (Jun 10)
- [OT] common list sense (Re: Even you can be hacked) Paul Jakma (Jun 11)