nanog mailing list archives

Re: Points on your Internet driver's license (was RE: Even you can be


From: Adi Linden <adil () adis on ca>
Date: Sun, 13 Jun 2004 18:46:35 -0500 (CDT)


And that is a problem. Unlike your electricity, where the supplier has an
obligation to provide a certain level of clean energy, there is nothing
like it with internet bandwidth. All the crud and exploits are dutifully
forwarded to the customer.

Clean internet service is internet service that delivers only valid IP
datagrams.  Most internet service is clean internet service.  Any internet
service that looks above layer 3 to make forwarding decisions is not clean
internet service.

Perhaps this is where our opinions greatly differ. If I am a customer with 
my own block of routable ip space I agree with you 100%. But this is about 
the average home user that receives a dynamic ip leased from the ISP.

Clean internet is more than just valid IP datagrams to my IP address. If I 
connect to my ISP and do nothing beyond that, not a single packet, I 
expect to not receive any packets either. If I initiate a GET request to a 
web server I expect the webservers response to be returned unaltered. If I 
have an email account with my ISP I expect only valid email to be 
delivered to my email address. I consider this clean internet service from 
the perspective of the average home user.

I argue that this is way overboard. I don't believe anyone should require
any particular knowledge to obtain an internet connection and use the
internet. Instead internet needs to be available as a clean conditioned
service for consumption by the clueless.

I agree that the IDL is overboard.  I even agree with your second sentence.
Consumers need to demand software which does not support these exploits from
their software vendors.  That is the real solution.  The internet is a
transport, just like the phone line coming into your home.  Nothing prevents
someone from making an obscene phone call to your house.  The most common
problem software today is like having a telephone that won't let you hang
up on the prank caller, then, demanding that the phone company prevent those
calls from coming in the first place.

As a telephone customer I expect to pick up the phone, make a call and hang 
up. I expect to receive calls and hang up. If the phone crashes in the 
middle of a conversation I am not happy, if it cost me money because LD 
charges continue to apply I am even less happy. The manufacturer of the 
phone has a given set of specifications to work with and the phone company 
has a given set of parameters of what the signal of the phone line should 
look like.

What if I call you and put an awful tone on the line that blows your 
eardrums, locks up your phone and causes it to dial on its own and do the 
same to all your friends from your phone. As a bonus you'll get a LD bill 
from the phone company for all the calls your phone made without your 
permission. Who's to blame? The phone company because they transmitted 
harmful signals? The phone manufacturer for building a phone without 
accounting for the possibility of this sound? The customer for picking up 
the phone? How do you prevent future events of this sort? Customer 
education?

All of today's software has flaws, some more some less. Some of these 
flaws should simply not exist, while others are an oversight. Many of the 
current exploits have one thing in common, malformed packets addressed at 
machines that never requested the packets they are receiving to begin 
with. Stopping these packets from reaching their target is just as 
important as having the target immune to the attack.

The ISP provides a service to a customer, the ISP should be sensible to 
the customer's requirements. If the customer requires clean internet 
service then this is what the ISP should strive for. This doesn't relieve 
the customer from being responsible (like opening any and every attachment 
received) but it is just another layer in reducing the enormous amount of 
garbage traffic we are seeing. 

Adi

