RE: NATs as firewalls


> From: Brian E Carpenter [mailto:brc@xxxxxxxxxxxxxx] 

> John,
> 
> (after also reading Michael's response)
> 
> I don't disagree. I think there is scope for writing a list 
> of desirable properties for SOHO routers in the light of 
> these various inputs. I'm less certain it can be done for 
> enterprise boundary routers. But it would be a tricky and 
> contentious job in both cases. Even draft-ietf-v6ops-nap took 
> many moons and several major editing passes, and it only 
> starts the work.

SOHO is the one that won't get done otherwise. The enterprise folk have Gartner, Burton and the Jericho forum to express their list of requirements through (and the RFP process to put those requirements on the vendor product roadmaps).

From the SOHO perspective I have been saying for years now that many of the problems we have with bots would be significantly reduced if SOHO routers and cable modems came configured with an outbound firewall by default.

The restrictions I would like to see would have zero impact on even the most aggressive residential user participating in peer to peer networks etc. 

  * Prevent routing of spoof source address packets
  * Limit the number of outbound TCP connections initiated per time interval
       * General limit
       * Smaller limit for connections to the same IP
       * Smaller limit for outbound SMTP connections
  * Limit the number of DNS requests

Even the most generous limits significantly cut the value of a bot. A machine that can only send ten thousand spams an hour will at most fetch 1% of the rent than a bot capable of a million an hour.

In the home of the future Mr Coffee will be WiFi capable. I for one do not want to be spending my time dealing with the consequences of botted coffee pots, fridges and light switches.


What distinguishes the network from the inter-network is responsibility. I am responsible for the impact that my network has on the inter-network. Even as the perimeter security model becomes obsolete the perimeter will still mark the boundary for accountability.
_______________________________________________

Ietf@xxxxxxxx
https://www1.ietf.org/mailman/listinfo/ietf
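The outbound policy proposed in the message above, as an added example that is not part of the thread: a sliding-window model of the four restrictions (source-address check against the LAN prefix, a general and a per-destination cap on new TCP connections, a tighter cap on outbound SMTP, and a cap on DNS queries) run over constructed traffic. The prefix, window length and numeric limits are assumptions chosen for illustration; the message itself names no values.

```python
from collections import Counter, defaultdict, deque
import ipaddress

class EgressPolicy:
    """Per-household outbound limits; the defaults are illustrative, not from the thread."""
    def __init__(self, lan_prefix, window=60, max_conn=100, max_per_dst=20, max_smtp=5, max_dns=200):
        self.lan = ipaddress.ip_network(lan_prefix)
        self.window = window                        # seconds covered by the sliding window
        self.limits = {"tcp": max_conn, "dst": max_per_dst, "smtp": max_smtp, "dns": max_dns}
        self.events = defaultdict(deque)            # bucket key -> timestamps still inside the window

    def _count(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:      # expire entries that fell out of the window
            q.popleft()
        return len(q)

    def decide(self, pkt):
        """Return 'accept' or 'drop:<reason>' for one outbound packet (TCP SYN or UDP datagram)."""
        if ipaddress.ip_address(pkt["src"]) not in self.lan:
            return "drop:spoof"                     # source address is not ours: never forward it
        buckets = []                                # (key, limit) pairs this packet counts against
        if pkt["proto"] == "tcp" and pkt.get("syn"):
            buckets += [("tcp", self.limits["tcp"]), (("dst", pkt["dst"]), self.limits["dst"])]
            if pkt["dport"] == 25:
                buckets.append(("smtp", self.limits["smtp"]))
        elif pkt["proto"] == "udp" and pkt["dport"] == 53:
            buckets.append(("dns", self.limits["dns"]))
        for key, limit in buckets:                  # check every applicable limit before charging any
            if self._count(key, pkt["t"]) >= limit:
                return "drop:" + (key if isinstance(key, str) else key[0])
        for key, _ in buckets:
            self.events[key].append(pkt["t"])
        return "accept"

def flow(src, dst, dport, t, proto="tcp"):
    """Build one constructed packet record; TCP records are connection-initiating SYNs."""
    return {"src": src, "dst": dst, "dport": dport, "t": t, "proto": proto, "syn": proto == "tcp"}

def demo():
    """Constructed traffic from one LAN host (assumed 192.168.1.0/24); returns verdict counts."""
    p = EgressPolicy("192.168.1.0/24")
    traffic = [flow("10.0.0.5", "203.0.113.25", 25, 0)]                                   # spoofed source
    traffic += [flow("192.168.1.10", "203.0.113.25", 25, t) for t in range(8)]            # 8 SMTP SYNs
    traffic += [flow("192.168.1.10", "198.51.100.80", 80, 10 + t) for t in range(25)]     # 25 SYNs to one host
    traffic += [flow("192.168.1.10", "203.0.113.53", 53, 40 + t, "udp") for t in range(10)]  # DNS queries
    traffic += [flow("192.168.1.10", "203.0.113.25", 25, 70 + t) for t in range(2)]       # after window expiry
    return Counter(p.decide(pkt) for pkt in traffic)

if __name__ == "__main__":
    print(dict(demo()))   # → {'drop:spoof': 1, 'accept': 37, 'drop:smtp': 3, 'drop:dst': 5}
```

A real router would enforce the same buckets in its packet filter (for example with connection-rate limits and a uRPF-style source check); the model above only makes the accounting visible.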
