At 17:44 20/07/2005, Hallam-Baker, Phillip wrote:
> layered defenses are a good notion, but mostly when the layers are
> under the same administrative control. all too often people forget
> that relying on the security provided by someone else is a risky
> proposition, as in your example of ISPs providing ingress filtering.
I would restate your assertion:
It is a bad idea to rely on another party that cannot be held
accountable to you.
We all rely on other parties, the Internet is an example of extended
interdependency. The critical issue is accountability.
Dear Hallam,
This precisely the purpose of an intergovernance to apply what they call
the "Internet Governance". The idea that an interdependence is managed by a
"concept" is not trustworthy: the intergovernance is the complex relational
system of all the "local" or "specialised" and "private" governance. The
inter-accountability matrix roots in many aspects which can be technical,
political, societal, or economics. This results into trust degrees which
permit to build a strategy of protection, starting with priorities. In the
recent USG Statements, the USA just say that: a country cannot depend on
the good will concept of an external voluntary system.
So in the question of ingress filtering what I am looking at is
mechanisms to create accountability.
Just beware that accountability in an interdependence system can only based
on the threat of retaliation. What means that you must be a little be more
equal than you peers for it to succeed.
The mechanism of intergovernance is to make the numbers of peers in
_subsidiarity_ to replace the threat of retaliation. If your mechanism is
"provide me a good protection in area A and I will provide one in area B"
and your only way to enforce it is that if A degrades, you degrade B, you
are better of in having no agreement. If the mechanism is "if A degrades,
we all are better off in helping/forcing it to improve" it will work
better, or we will have the possibility/help to get A somewhere else.
> If it weren't a good analogy I don't think I would have received so
> many private responses congratulating me for it :-)
This forum is very much wedded to a security architecture based on a
particular set of academic theories. It is no surprise that you find
support here, any more than the original pontifex maximus would no doubt
receive congratulations on his correct determinationof the auspices from
the entrails of a goat.
The fact is that in the wider arena of security practitioners the view
you are advancing is a distinctly minority one that holds almost no
support.
The Internet cannot be secured using an architecture based on
traditional computer security mechanism that absolutely prevent
prohibited actions in advance. It is not possible to know what they are
in advance.
The approach has to be accountability based.
Beware that whatever the accountability, when you are dead, you are dead.
Your heirs can revenge you, but you failed your target.
The problem here is if you consider the security of the global system with
possible errors corrected through accountability mechanisms; or if you
consider the risk zero security you want for your own self within the
network. Police accepts a few assassinations a year, and fight their
increase through an accountability system based upon investigation and
Justice. This is certainly better than telling the murderers to keep quite,
but I suppose you prefer making sure you are not to be among the killed ones?
This boils down to three architecture frameworks: authority centric - the
law should be obeyed, network centric - mutual accountability framework,
user centric - self protection. Real world is a blend of the three, I
suppose the Internet makes no exception.
jfc
_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf