[c-nsp] rate limit dns

Dobbins, Roland rdobbins at arbor.net
Sun Dec 29 07:32:28 EST 2013


On Dec 29, 2013, at 7:21 PM, Gert Doering <gert at greenie.muc.de> wrote:

> And that is where we differ.  You find it OK to limit the protocol du jour to "what users do not need", I do not agree to it.  Even if I agree with
> you that "most users would not notice".

I'm not proposing blocking DNS.  I'm proposing a default policy for consumer broadband users which assumes that they'll use the DNS recursors provided by the broadband network operator, unless the user chooses to opt out.

> in reasonable countries, ISPs are protected from charges for traffic they transport *unless* they start messing with it - if you start filtering 
> traffic for "protocol X", but leave through the evil packets for "protocol Z", you're *way* more likely to be made liable for it.

Again, this isn't the same thing.  Nobody's talking about blocking the DNS.

Here's the risk that I see for network operators, moving forward, if they don't implement sensible, low-impact default (with the ability to opt out, which would include indemnification) policies of this nature to protect their user bases:

1.	Consumer user X ends up getting phished/compromised, attacker empties his bank account, maxes his credit cards, applies for new credit cards in the user's name but delivered to another mailing address under the control of the attacker or his minions, etc.

2.	User X ends up suing the bank(s) and credit card issuer(s) in question, alleging that those entities didn't take reasonable security precautions, and are now liable for all the actual and punitive damages claimed by user X as he struggles to get his money back, clear his credit history, etc.

3.	Liability insurance companies for the bank(s) and credit card issuer(s) in question turn around and sue the network operator for damages based upon negligence, alleging that reasonable and practical security policies which could've potentially prevented this fraud from being possible weren't implemented.  They might sue software vendors - OS vendors, foundations providing open-source Web browsers, and so forth, as well.

4.	Politicians/regulators get wind of this, and pile on.

A little bit of prudence now could obviate a whole lot of financial hurt and heavy-handed legislation/regulation, later.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

	  Luck is the residue of opportunity and design.

		       -- John Milton
