----- Original Message -----
From: "John Leslie" <john@xxxxxxx>
To: "Richard L. Barnes" <rbarnes@xxxxxxx>
Cc: "IETF Discussion" <ietf@xxxxxxxx>
Sent: Friday, December 31, 2010 7:38 PM

> Richard L. Barnes <rbarnes@xxxxxxx> wrote:
> >
> > ISTM that the success of changes to the infrastructure depends on the
> > value those changes deliver to participants in the Internet economy...
> > So the question is rather how many problems there are in the current
> > infrastructure that cause people enough pain to do something.
>
> Indeed -- _an_ interesting question... but perhaps not phrased quite
> right: in truth, there are an arbitrarily large number of problems that
> cause _somebody_ enough pain to do something.
>
> > I think there are at least a couple (improving BGP security, for
> > example), and the number will probably slowly shrink over time,
> > but in the long run, I expect there will ultimately always be a few
> > big things that need to be done that can't be done in end systems.
>
> Start from the end: there _will_ be a number of things that shouldn't
> be done in end systems. End systems _really_don't_ want to worry about
> the route packets follow -- at most they want to worry about delay,
> jitter, and order of delivery. But they _will_ work with whatever tools
> are available to ameliorate such worries.
>
> The number of problems will most surely _increase_ over time, not
> shrink.
>
> BGP security is a _dreadful_ example. It conflates weaknesses of the
> original design with issues entirely out-of-scope of the original design.
> And the original design was seriously flawed by defining algorithms
> instead of meanings.
>
> Nonetheless, the example does serve to illustrate a weakness of IETF
> process -- that it's much easier to get traction on small fixes to
> parts of the problem than on migration to a design which avoids the
> problems.
>
> BTW, I find it interesting to see how little of the work originating
> in the Security area has gained traction. I wonder to what extent this
> results from:
>
> - cycles being expended on cross-area reviews;
>
> - recommending IPsec whether or not it could be deployed for the use;
>
> - the inherent complexity of key infrastructure?

Security is different in kind from a functional enhancement, of the sort one sees in successive generations of mobile, in successive versions of Windows etc. With these, you pay, you get. Security you pay for what you don't get, fraud and crime.

Long experience teaches me that no one will pay until after the security breach has cost them; only when a bank loses billions to fraud will a few millions preventing it seem like a good investment.

All we can do is have the solutions ready in advance of the attacks, so that when the latter happen, we can say, what a coincidence, we just happen to have the solution ready and waiting.

Tom Petch

> --
> John Leslie <john@xxxxxxx>

_______________________________________________
Ietf mailing list
Ietf@xxxxxxxx
https://www.ietf.org/mailman/listinfo/ietf