>That being said, whining about lack of transparency is not going to
>change the behavior of the operators. The IETF should rather do
>something useful, e.g. make sure that IPSEC is easy to deploy...

In other words, we need to develop and deploy network architectures and technologies that deliberately make it difficult for lower level (in more ways than one) entities to arbitrarily discriminate in the traffic they carry. ISPs and backbone operators have so far evaded being regulated as common carriers, so we may have to resort to technological means to achieve the same end.

This may become the single most important role for encryption in the Internet. But IPSEC isn't enough. Because it isn't yet widely used, they may get away with simply blocking protocol 50. (Some ISPs already arbitrarily prohibit VPNs unless you upgrade to an expensive commercial service, regardless of how little traffic you actually generate.) We may need to mimic a form of encrypted traffic that is already widely used by individuals, say TCP connections to port 443 (HTTP over SSL). Since everyone knows that the only legitimate use of the Internet is to buy junk with credit cards, no ISP would dare block that!

As much fun as it would be to put large, monopolistic ISPs like Comcast or AOL in their place, in all seriousness I would still much prefer to reason with them. I would try to convince them that arbitrarily blocking traffic against their end users' wishes is in no one's long-term interests, including theirs. "We do it because we can" won't work forever. If it becomes necessary to riddle the Internet with unfilterable encrypted tunnels, it will become impossible for the ISPs to filter even the traffic that everyone *does* want filtered, such as the UDP packets that propagated the recent Slammer worm.

This is why I still think it would be useful to issue a position statement along the lines I suggested: that individual end users, not ISPs, must always control what is and isn't filtered on their behalf. This could be coupled with IETF-standardized protocols for the end users to directly control these filtering mechanisms, something that we already know would be invaluable during a denial-of-service attack.

Phil