On Dec 11, 2008, at 1:51 PM, John C Klensin wrote:
As soon as one starts talking about a registry of "legitimate" sources, one opens up the question of how "legitimate" is determined. I can think of a whole range of possibilities -- you, the ITU Secretary-General, anyone who claims to have the FUSSP, governments (for their own countries by licensing or more generally), ICANN or something ICANN-like, "large email providers", and so on. Those options have two things in common. Most (but not all) of them would actually be dumb enough to take the job on and they are all unacceptable if we want to continue to have a distributed-administration email environment in which smaller servers are permitted to play and people get to send mail without higher-level authorization and certification.
Perhaps I should not have used the word legitimate. The concept of registry should engender a concept of accountability.
Once one considers IPv6, just the network portion covers 2^32 times as many IP addresses as are present in IPv4. In this quantity, IPv6 addresses do not offer a scalable means upon which a server is able to impose a defense against abuse. The server will handle addresses in rather large groups as the only method left available. The consolidation of addresses into large groups will be the enemy of an egalitarian effort wanting to ensure access to all players.
Counter to this, much of the email abuse has been squelched by third- parties who allow network providers a means to indicate what traffic of which they are accountable. This is done in part by the assignment of address ranges as belonging to dynamically assigned users. It does seem as though a more formalized method though a registry support by provider fees would prove extremely beneficial at reducing the scale of the IP address range problem raised by IPv6. By formalizing a registration of accountable use, along with some type of reporting structure or clearinghouse, IPv6 would have a better chance of gaining acceptance. It would also empower providers to say what potentially abused uses they which to support.
While I freely admit that I have not had hands-on involvement in managing very large email systems in a large number of years now, I mostly agree with Ned that some serious standards and documentation of clues would be useful in this general area. But I see those as useful if they are voluntary standards, not licensing or external determination of what is legitimate. And they must be the result of real consensus processes in which anyone interested, materially concerned, and with skin in the game gets to participate in development and review/evaluation, not specifications developed by groups driven by any single variety of industry interests and then presented to the IETF (or some other body) on the grounds that they must be accepted because anyone who was not part of the development group is obviously an incompetent idiot who doesn't have an opinion worth listening to.
Agreed.
That has been my main problem with this discussion, and its variants, all along. While I've got my own share of anecdotes, I don't see them as directly useful other than as refutations of hyperbolic claims about things that "never" or "always" happen. But, when the IETF effectively says to a group "ok, that is a research problem, go off and do the research and then come back and organize a WG", it ought to be safe for someone who is interested in the problem and affected by it --but whose primary work or interests lie elsewhere-- to more or less trust the RG to produce a report and then to re-engage when that WG charter proposal actually appears. Here, the RG produced standards-track proposals, contrary to that agreement, and then several of its participants took the position that those proposals already represented consensus among everyone who counted or was likely to count. Independent of the actual content of the proposal(s), that is not how I think we do things around here... nor is laying the groundwork for an official determination of who is "legitimate" and who is not.
A registry of accountable use in conjunction with some type of reporting structure seems a necessity if one hopes to ensure a player can obtain the access that they expect. In other words, not all things will be possible from just any IP address. Providers should first assure the Internet what they are willing to monitor for abuse, where trust can be established upon this promise. Not all providers will be making the same promise of stewardship. Those providers that provide the necessary stewardship for the desired use should find both greater acceptance and demand. Such demand may help avoid an inevitable race to the bottom.
-Doug _______________________________________________ Ietf@xxxxxxxx https://www.ietf.org/mailman/listinfo/ietf