> From: Jeffrey Hutzelman [mailto:jhutz@xxxxxxx]
> Sure. But a policy enforcement point must necessarily be
> configured; otherwise, how is it going to know what policy to enforce?

The policy can be generated automatically from the network configuration and the authorized hosts and applications authorized to run on those hosts.

Forget the administration model where you administer the machines. Administer the network instead. Machine config should be generated from network config.

The model can be applied in either the home or the enterprise setting. The home setting is the most challenging because it has to be transparent. But users already have machines that have internal firewalls. There is no reason why that config should not be exportable to the edge policy enforcement point as well.

> > First people have the model wrong, ask not how you can protect yourself
> > from the Internet, ask how to protect the Internet from you.
>
> No. Being a good neighbor is desirable, but does not replace protecting
> yourself from bad neighbors and evildoers.

I cannot provide you with a foolproof way to protect your machine from any attack that an Internet criminal might throw at it. Nor can anyone else without reducing it to a functionless heap of junk.

What I can do is make your machine as uninteresting a target to an attacker as possible. Make it so that its value on the botnet wholesale market is as close to zero as possible.

> What's a "rogue server"? What distinguishes a ddos bot from a P2P file
> sharing application?

No P2P file sharing application I am aware of uses spoofed source addresses in IP packets. The data bandwidth is high but the control bandwidth is not excessive. DDoS bots are mostly attacking the control channel rather than data.

> What distinguishes a Windows virus from a krb524 client (hint: nothing;
> several network providers and common firewall configuration block
> outgoing UDP traffic to port 4444, with the result that getting krb4
> tickets and AFS tokens doesn't work from inside such a network). Who
> updates the configuration on these filters as new applications and new
> malware appear?

To do damage to the rest of the net the virus has to be hammering port 4444.

The type of controls people are suggesting is limiting the number of outbound control connections (SYN packets, DNS packets) to a rate that is large compared to typical consumer uses but small compared to bot uses. This is a 98%/2% solution. The vast majority of users do not need or want to make 1000 outbound TCP session initiation attempts per second. Any site that is doing that on a sustained basis for several hours is highly unlikely to be doing something legitimate.

> I should be required to have a device which limits my ability to use the
> network connection I've paid for to a limited set of applications chosen
> by my network provider?

You should not be allowed to connect to the net at all, yes this is all about you personally.

Actually my proposal is to ship the devices with the default setting to 'on' but allow idiots to turn it off if they must. Otherwise we end up with a black market in unrestricted machines.

> That's not only insane; it would probably be legally very stupid for my
> network provider; by restricting what I'm allowed to do, they take some
> responsibility for what I do.

You are not a lawyer, but you are playing one on the net. While that particular view of negligence has some currency in the US, the law of negligence does not contain an ostrich exception.

I am not a lawyer either. I suggest that anyone running an ISP ask their actual lawyers what the situation is here: if you are selling a service to consumers, if the harm is foreseeable, if the probability of harm and the cost of the harm are great, if the cost of limiting that harm is small, are you better off helping the consumer limit that harm or ignoring it?

> I see you're among those who think users and customers should be required
> to enforce policy counter to their interests, and that the network should
> trust that they do so.

No, the rules are generated from configuration commands made by the user. It is simply enforcing the old security principle of least privilege.

> One of the basic rules of distributed systems design is that service
> providers MUST NOT depend on clients to enforce policy for them, because
> anyone can make a rogue client.

That's not a rule, it's a dogmatic interpretation of security principles that were probably wrong when they were proposed. Until the Internet is secure please save us the dogma.

> Except that the user won't get to do that; the user's network provider

Yeah yeah yeah, stop worrying about the bogeyman and worry about the real attackers.

The balance of power in this case is mostly with the consumer. Most houses have at least two wires going into them.

Do not try to build your political systems into protocol design unless you understand people and understand economics.

_______________________________________________
Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
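The two edge controls argued for in this message, dropping outbound packets whose source address is not the subscriber's own prefix and capping the per-second rate of session-initiation packets (TCP SYN, DNS queries) at a level that is generous for consumer use but far below bot rates, can be sketched as a small egress policy check. The code below is an added illustration, not code from the thread or from any of the people in it; the local prefix, the thresholds, the flow-record layout and the sample flows are all constructed assumptions.

```python
"""Illustrative egress policy check for a home/enterprise edge device.

Two rules from the discussion above:
  1. Source-address validation: drop outbound packets whose source is not
     inside the prefix this edge device is responsible for.
  2. Per-host rate cap on session initiations (TCP SYN, DNS queries), with
     bulk data packets left alone, plus a "sustained" view across seconds.
All addresses, limits and flow records are constructed for this example.
"""
import ipaddress
from collections import defaultdict

# Assumed prefix behind this edge device (constructed, RFC 5737 documentation range).
LOCAL_PREFIX = ipaddress.ip_network("192.0.2.0/24")

# Illustrative thresholds: large for typical consumer use, small for bot use.
SYN_PER_SECOND_LIMIT = 50
DNS_PER_SECOND_LIMIT = 50

# Constructed flow records: (second, src_ip, dst_ip, proto, kind)
# kind is "syn" for a TCP connection attempt, "dns" for a UDP/53 query,
# and "data" for anything that is not a session initiation.
SAMPLE_FLOWS = (
    [(0, "192.0.2.10", "198.51.100.5", "tcp", "syn")] * 3          # normal host
    + [(0, "192.0.2.10", "198.51.100.5", "tcp", "data")] * 200     # bulk transfer, not limited
    + [(1, "192.0.2.10", "198.51.100.8", "udp", "dns")] * 5
    + [(sec, "192.0.2.66", f"203.0.113.{i % 250 + 1}", "tcp", "syn")
       for sec in (2, 3) for i in range(1000)]                      # bot-like initiation burst
    + [(2, "10.9.8.7", "198.51.100.5", "tcp", "syn")] * 4          # spoofed source, not our prefix
)


def is_spoofed(src_ip):
    """True when the claimed source address is not one this edge should emit."""
    return ipaddress.ip_address(src_ip) not in LOCAL_PREFIX


def evaluate(flows, syn_limit=SYN_PER_SECOND_LIMIT, dns_limit=DNS_PER_SECOND_LIMIT):
    """Apply both rules packet by packet and return a summary of verdicts.

    Returns a dict with counts of forwarded / dropped_spoofed / rate_limited
    packets, the set of offending sources, and the seconds in which each
    source exceeded a limit (used by sustained_offenders below).
    """
    limits = {"syn": syn_limit, "dns": dns_limit}
    counters = defaultdict(int)            # (src, second, kind) -> initiations seen
    summary = {
        "forwarded": 0,
        "dropped_spoofed": 0,
        "rate_limited": 0,
        "offenders": set(),
        "offense_seconds": defaultdict(set),  # src -> seconds over the limit
    }
    for second, src, _dst, _proto, kind in flows:
        if is_spoofed(src):
            summary["dropped_spoofed"] += 1
            continue
        if kind in limits:
            key = (src, int(second), kind)
            counters[key] += 1
            if counters[key] > limits[kind]:
                summary["rate_limited"] += 1
                summary["offenders"].add(src)
                summary["offense_seconds"][src].add(int(second))
                continue
        summary["forwarded"] += 1          # data packets and in-budget initiations
    return summary


def sustained_offenders(summary, min_seconds):
    """Sources that exceeded a limit in at least min_seconds distinct seconds.

    The message above argues that a sustained rate, not a momentary burst, is
    the signal worth acting on; this picks out hosts over the cap repeatedly.
    """
    return sorted(src for src, secs in summary["offense_seconds"].items()
                  if len(secs) >= min_seconds)


if __name__ == "__main__":
    result = evaluate(SAMPLE_FLOWS)
    for name in ("forwarded", "dropped_spoofed", "rate_limited"):
        print(f"{name}: {result[name]}")
    print("offenders:", sorted(result["offenders"]))
    print("sustained (>=2s):", sustained_offenders(result, min_seconds=2))
```

In the constructed sample the bulk data transfer passes untouched, the spoofed packets are dropped regardless of rate, and only the host making a thousand connection attempts per second is rate limited; the per-second budget still lets its first 50 initiations through, which is the point of a cap rather than a block.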