Re: Schneier: ISPs should bear security burden

[Douglas Otis <dotis () mail-abuse org>]

On Wed, 2005-04-27 at 13:39 -0400, Steven M. Bellovin wrote:
<snip>
> At a recent forum at Fordham Law School, Susan Crawford -- an attorney, 
> not a network operator -- expressed it very well: "if we make ISPs into
> police, we're all in the ghetto".
>
> Bruce is a smart guy, and a good friend of mine, but he's not a network 
> operator or architect.  There are a small number of times when 
> operators can, should, and -- in a very few cases -- act, but those 
> are rare.  The most obvious case is flooding attacks, since they represent 
> an abuse of the network itself; operators also have responsibility for 
> other pieces of the infrastructure they control, such as (many) name 
> servers.

Internet service providers should ensure protective strategies do not
harm hapless consumers.  While an ISP's protective obligations easily
include Domain Name and routing services, few systems withstand
unfettered abuse or tampering.  Should a provider expect active
cooperation from others granted access to their networks?  The strength
of the Internet is dependent upon cooperation and policy enforcement.
While an egalitarian view would insist all be granted equal access, a
response to abuse should be considered, even when only guarding
essential services.

What is a reasonable threshold before a provider "rarely" acts?  You
listed only one, a flood attack.

-Doug