Mutually beneficial or altruistic?
Some thoughts on BCOP TF objectives. The current statements of BCOP TF Charter and activities do not make distinctions between Practices that are good for the Internet (mutually beneficial) and Practices that are good recommendations for the individual Operator (altruistic). MANRS clearly sits in the former, but does contain some altruistic recommendations also. I suggest that the BCOP TF charter should be clarified to state clearly whether its scope is solely BCOPs that are mutually beneficial. There seem to me to be a lot of opportunities for more altruistic output, but these are not being discussed. I happen to be employed by Arbor Networks so I hear a lot about bad things that happen across the Internet. Considerations for BCOPs that could be worked on: * Amplification attacks. Avoid being an Amplifier. Do not respond to connectionless service requests from outside of your own address space. DNS, NTP, Chargen... Configure your servers and ingress filters accordingly. (mutually beneficial) * For Internet Access providers, consider offering, as the default entry level Internet Access Service, something which does not allow external DNS / NTP resolution, to limit some of the methods available to 'malware' that gets on to consumer systems. (mutually beneficial) * Implement a separate network for monitoring and managing your network. Otherwise, a large traffic anomaly, like a DoS attack, may flood your internal links and make your network invisible and uncontrollable. A physically separate network is best because virtual networks have to have classifiers that decide the priority/VLAN for arriving traffic and these can also be overwhelmed by large anomalies, with the same bad results. (altruistic) * When acquiring routers and networking equipment, pay attention to the need to monitor. Can a new device generate flow reports and process SNMP requests at useful rates without impairing your forwarding performance below the level you need? Be prepared for exceptional packet rates, not just bit rates. (altruistic) * Discuss Flowspec opportunities with your peers and transit providers to give yourself as many opportunities as possible for traffic engineering to achieve mitigation. (altruistic) * Customer contracts and DoS attacks. Make it clear that the customer is contracting to receive a limited amount of bandwidth (and packet rate). If they attract a higher rate of traffic, the ISP will HAVE to drop some traffic randomly, and may need to drop all traffic to protect its other customers. Consider offering mitigation services to customers that wish to protect themselves against these incidents. (altruistic) * Customers that have totally free access to the Internet represent additional risk to you, the ISP. For customers that want the full experience, cover your additional risk mitigation costs. (altruistic) Regards Steve
• For Internet Access providers, consider offering, as the default entry level Internet Access Service, something which does not allow external DNS / NTP resolution, to limit some of the methods available to 'malware' that gets on to consumer systems. (mutually beneficial)
Using external DNS servers is an easy way to avoid some kinds of censorship (i.e. that which is implemented in the DNS). What you are really saying here is that users should have to pay more for an uncensored service. Are you seriously advocating this as a best practice? It’s not April 1st yet, I don’t think.
• Customers that have totally free access to the Internet represent additional risk to you, the ISP. For customers that want the full experience, cover your additional risk mitigation costs. (altruistic)
Either I am misunderstanding, or you are using words in a very non-standard way. "willingness to do things that bringadvantages to others, even if it results in disadvantage for yourself" https://dictionary.cambridge.org/dictionary/english/altruism What you seem to be describing is, in fact, the opposite of altruism, "the act of considering the advantage to yourself when making decisions, and deciding to do what is best for you" https://dictionary.cambridge.org/dictionary/english/self-interest Is today upside-down day? Cheers, -w William Waites Laboratory for Foundations of Computer Science School of Informatics, University of Edinburgh Informatics Forum 5.38, 10 Crichton St. Edinburgh, EH8 9AB, Scotland The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
On 17/01/2017 21:15, William Waites wrote:
• For Internet Access providers, consider offering, as the default entry level Internet Access Service, something which does not allow external DNS / NTP resolution, to limit some of the methods available to 'malware' that gets on to consumer systems. (mutually beneficial)
Using external DNS servers is an easy way to avoid some kinds of censorship (i.e. that which is implemented in the DNS). What you are really saying here is that users should have to pay more for an uncensored service. Are you seriously advocating this as a best practice? It’s not April 1st yet, I don’t think.
Hey, <with my co-chair hat off, speaking as a member of community> This is not the best possible idea, I agree. There are other ways how to mitigate malware DNS queries from end-users, not just simply blocking them.
• Customers that have totally free access to the Internet represent additional risk to you, the ISP. For customers that want the full experience, cover your additional risk mitigation costs. (altruistic)
Either I am misunderstanding, or you are using words in a very non-standard way.
"willingness to do things that bringadvantages to others, even if it results in disadvantage for yourself" https://dictionary.cambridge.org/dictionary/english/altruism
What you seem to be describing is, in fact, the opposite of altruism,
"the act of considering the advantage to yourself when making decisions, and deciding to do what is best for you" https://dictionary.cambridge.org/dictionary/english/self-interest
I think we need to do ":0,$s/altruism/self-interest/g" in Steve's email ;) Cheers, Jan
Is today upside-down day?
Cheers, -w
William Waites Laboratory for Foundations of Computer Science School of Informatics, University of Edinburgh Informatics Forum 5.38, 10 Crichton St. Edinburgh, EH8 9AB, Scotland
The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.
-- Jan Zorz Internet Society mailto:<zorz@isoc.org> ------------------------------------------ "Time is a lake, not a river..." - African
Hi, On 17/01/2017 17:52, Steve Nash wrote:
Some thoughts on BCOP TF objectives.
The current statements of BCOP TF Charter and activities do not make distinctions between Practices that are good for the Internet (mutually beneficial) and Practices that are good recommendations for the individual Operator (altruistic). MANRS clearly sits in the former, but does contain some altruistic recommendations also.
I suggest that the BCOP TF charter should be clarified to state clearly whether its scope is solely BCOPs that are mutually beneficial. There seem to me to be a lot of opportunities for more altruistic output, but these are not being discussed.
Altruism is also very welcome, self-interest a little bit less :)
I happen to be employed by Arbor Networks so I hear a lot about bad things that happen across the Internet.
Considerations for BCOPs that could be worked on:
* Amplification attacks. Avoid being an Amplifier. Do not respond to connectionless service requests from outside of your own address space. DNS, NTP, Chargen... Configure your servers and ingress filters accordingly. (mutually beneficial)
Agree.
* For Internet Access providers, consider offering, as the default entry level Internet Access Service, something which does not allow external DNS / NTP resolution, to limit some of the methods available to 'malware' that gets on to consumer systems. (mutually beneficial)
Censorship. ISP should not deal with L4 filtering.
* Implement a separate network for monitoring and managing your network. Otherwise, a large traffic anomaly, like a DoS attack, may flood your internal links and make your network invisible and uncontrollable. A physically separate network is best because virtual networks have to have classifiers that decide the priority/VLAN for arriving traffic and these can also be overwhelmed by large anomalies, with the same bad results. (altruistic)
Agree. It's about self-protection.
* When acquiring routers and networking equipment, pay attention to the need to monitor. Can a new device generate flow reports and process SNMP requests at useful rates without impairing your forwarding performance below the level you need? Be prepared for exceptional packet rates, not just bit rates. (altruistic)
Interesting one. Are there any known measurements and tests for this HW capability?
* Discuss Flowspec opportunities with your peers and transit providers to give yourself as many opportunities as possible for traffic engineering to achieve mitigation. (altruistic)
Good set of bullet points needed for that discussion would be useful.
* Customer contracts and DoS attacks. Make it clear that the customer is contracting to receive a limited amount of bandwidth (and packet rate). If they attract a higher rate of traffic, the ISP will HAVE to drop some traffic randomly, and may need to drop all traffic to protect its other customers. Consider offering mitigation services to customers that wish to protect themselves against these incidents. (altruistic)
This one can be hard to generalize, as every ISP is different. Worth trying anyway.
* Customers that have totally free access to the Internet represent additional risk to you, the ISP. For customers that want the full experience, cover your additional risk mitigation costs. (altruistic)
Not sure I understand this one... Which ISP gives to their customers free access?
Regards
any volunteers in the group to take on and help with any of the above ideas? Cheers, Jan
participants (3)
-
Jan Zorz - ISOC -
Steve Nash -
William Waites