Re: How to secure the Internet in three easy steps

[Sean Donelan <sean () donelan com>]

On Fri, 25 Oct 2002, Paul Vixie wrote:
> money.  this whole thing is really about money.  but "1" isn't getting
> done because the money that could be saved is by ISP "B" whereas the
> money which must be spent is by ISP "A".  so, the nondeployment of BCP38
> is all about money, too.

As the other Sean (Doran) likes to say, write a check. But that is too
simplistic. It presumes only B saves money and only A spends money. On
any particular day either A or B may be losing money due to attacks.  I
suspect on most days, both A and B are losing money.

Money is probably 4 or 5 on the list of reasons why source address
validation doesn't get implemented.

> the thing i'm trying to work my way back to is that "2" and "3" can be
> argued to restrict desireable freedoms (like reaching SMTP or WWW servers
> without being forced to use a local proxies) whereas "1" has no arguments
> against it, or at least no arguers here on nanog today.  why lump them
> all three together?

Source address validation, or more generally anti-spoofing filters, do
not require providers maintain logs, perform content inspection or
install firewalls. But source address validation won't stop attacks,
viruses, child porn, terrorists, gambling, music sharing or any other
evil that exists in the world. So the proposal "1" gets extended to
include other stuff.  It gives better ROI when more than SAV is included.

"1" is install provider managed firewalls to perform
    a. validate source addresses
    b. perform virus checking
    c. maintain forensic logs
    d. other "policy enforcement" to be determined
    e. anything else someone can think of

What worries me is "scope creep."  All sorts of stuff is getting thrown
into the security pot.