[c-nsp] rate limit dns

[Mark Tinka]

On Sunday, December 29, 2013 02:32:28 PM Dobbins, Roland 
wrote:

> 3.	Liability insurance companies for the bank(s) and
> credit card issuer(s) in question turn around and sue
> the network operator for damages based upon negligence,
> alleging that reasonable and practical security policies
> which could've potentially prevented this fraud from
> being possible weren't implemented.  They might sue
> software vendors - OS vendors, foundations providing
> open-source Web browsers, and so forth, as well.
> 
> 4.	Politicians/regulators get wind of this, and pile 
on.
> 
> A little bit of prudence now could obviate a whole lot of
> financial hurt and heavy-handed legislation/regulation,
> later.

This is where it becomes a slippery slope. 

Who protects the customer against what?

The majority of (phishing) attacks have nothing to do with 
the network, with the exception of having the network 
transport those packets to the user's computing device.

Do they now sue Apple or Samsung for not detecting the 
spurious e-mail? Do they sue Google for not including 
protection within Android? Do they sue Dell for 
manufacturing and selling bundled hardware/software without 
adequate protection? Do they sue the regulator for not 
enacting (and enforcing) policy that protects the end user? 
Do they sue Cisco, Juniper, ALU, Huawei, e.t.c., for not 
providing protection in their network-based devices? 

Where does it end? If we start down this path, at what point 
are we satisfied that the customer is reasonably protected 
from all possible attack vectors? How do customers and 
operators delineate lines between which responsibility lies 
in view of those attack vectors?

Mark.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <https://puck.nether.net/pipermail/cisco-nsp/attachments/20131229/edcaff9b/attachment.sig>