RE: Port numbers and IPv6(was: I-D ACTION:draft-klensin-iana-reg-policy-00.txt)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



At 17:44 20/07/2005, Hallam-Baker, Phillip wrote:
> layered defenses are a good notion, but mostly when the layers are
> under the same administrative control. all too often people forget
> that relying on the security provided by someone else is a risky
> proposition, as in your example of ISPs providing ingress filtering.

I would restate your assertion:

It is a bad idea to rely on another party that cannot be held
accountable to you.

We all rely on other parties, the Internet is an example of extended
interdependency. The critical issue is accountability.

Dear Hallam,
This precisely the purpose of an intergovernance to apply what they call the "Internet Governance". The idea that an interdependence is managed by a "concept" is not trustworthy: the intergovernance is the complex relational system of all the "local" or "specialised" and "private" governance. The inter-accountability matrix roots in many aspects which can be technical, political, societal, or economics. This results into trust degrees which permit to build a strategy of protection, starting with priorities. In the recent USG Statements, the USA just say that: a country cannot depend on the good will concept of an external voluntary system.

So in the question of ingress filtering what I am looking at is
mechanisms to create accountability.

Just beware that accountability in an interdependence system can only based on the threat of retaliation. What means that you must be a little be more equal than you peers for it to succeed.

The mechanism of intergovernance is to make the numbers of peers in _subsidiarity_ to replace the threat of retaliation. If your mechanism is "provide me a good protection in area A and I will provide one in area B" and your only way to enforce it is that if A degrades, you degrade B, you are better of in having no agreement. If the mechanism is "if A degrades, we all are better off in helping/forcing it to improve" it will work better, or we will have the possibility/help to get A somewhere else.

> If it weren't a good analogy I don't think I would have received so
> many private responses congratulating me for it :-)

This forum is very much wedded to a security architecture based on a
particular set of academic theories. It is no surprise that you find
support here, any more than the original pontifex maximus would no doubt
receive congratulations on his correct determinationof the auspices from
the entrails of a goat.

The fact is that in the wider arena of security practitioners the view
you are advancing is a distinctly minority one that holds almost no
support.

The Internet cannot be secured using an architecture based on
traditional computer security mechanism that absolutely prevent
prohibited actions in advance. It is not possible to know what they are
in advance.

The approach has to be accountability based.

Beware that whatever the accountability, when you are dead, you are dead. Your heirs can revenge you, but you failed your target.

The problem here is if you consider the security of the global system with possible errors corrected through accountability mechanisms; or if you consider the risk zero security you want for your own self within the network. Police accepts a few assassinations a year, and fight their increase through an accountability system based upon investigation and Justice. This is certainly better than telling the murderers to keep quite, but I suppose you prefer making sure you are not to be among the killed ones?

This boils down to three architecture frameworks: authority centric - the law should be obeyed, network centric - mutual accountability framework, user centric - self protection. Real world is a blend of the three, I suppose the Internet makes no exception.
jfc


_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Fedora Users]