From Steve.Nash at theiet.org Tue Jan 17 17:52:05 2017
From: Steve.Nash at theiet.org (Steve Nash)
Date: Tue, 17 Jan 2017 16:52:05 +0000
Subject: [bcop] Mutually beneficial or altruistic?
Message-ID: <114fffd0-cc5a-3cbd-b8a0-1014b61a9fbf@theiet.org>

Some thoughts on BCOP TF objectives.

The current statements of BCOP TF Charter and activities do not make distinctions between Practices that are good for the Internet (mutually beneficial) and Practices that are good recommendations for the individual Operator (altruistic). MANRS clearly sits in the former, but does contain some altruistic recommendations also.

I suggest that the BCOP TF charter should be clarified to state clearly whether its scope is solely BCOPs that are mutually beneficial. There seem to me to be a lot of opportunities for more altruistic output, but these are not being discussed.

I happen to be employed by Arbor Networks so I hear a lot about bad things that happen across the Internet.

Considerations for BCOPs that could be worked on:

* Amplification attacks. Avoid being an Amplifier. Do not respond to connectionless service requests from outside of your own address space. DNS, NTP, Chargen... Configure your servers and ingress filters accordingly. (mutually beneficial)

* For Internet Access providers, consider offering, as the default entry level Internet Access Service, something which does not allow external DNS / NTP resolution, to limit some of the methods available to 'malware' that gets on to consumer systems. (mutually beneficial)

* Implement a separate network for monitoring and managing your network. Otherwise, a large traffic anomaly, like a DoS attack, may flood your internal links and make your network invisible and uncontrollable. A physically separate network is best because virtual networks have to have classifiers that decide the priority/VLAN for arriving traffic and these can also be overwhelmed by large anomalies, with the same bad results. (altruistic)

* When acquiring routers and networking equipment, pay attention to the need to monitor. Can a new device generate flow reports and process SNMP requests at useful rates without impairing your forwarding performance below the level you need? Be prepared for exceptional packet rates, not just bit rates. (altruistic)

* Discuss Flowspec opportunities with your peers and transit providers to give yourself as many opportunities as possible for traffic engineering to achieve mitigation. (altruistic)

* Customer contracts and DoS attacks. Make it clear that the customer is contracting to receive a limited amount of bandwidth (and packet rate). If they attract a higher rate of traffic, the ISP will HAVE to drop some traffic randomly, and may need to drop all traffic to protect its other customers. Consider offering mitigation services to customers that wish to protect themselves against these incidents. (altruistic)

* Customers that have totally free access to the Internet represent additional risk to you, the ISP. For customers that want the full experience, cover your additional risk mitigation costs. (altruistic)

Regards

Steve


From wwaites at tardis.ed.ac.uk Tue Jan 17 21:15:42 2017
From: wwaites at tardis.ed.ac.uk (William Waites)
Date: Tue, 17 Jan 2017 20:15:42 +0000
Subject: [bcop] Mutually beneficial or altruistic?
In-Reply-To: <114fffd0-cc5a-3cbd-b8a0-1014b61a9fbf@theiet.org>
References: <114fffd0-cc5a-3cbd-b8a0-1014b61a9fbf@theiet.org>
Message-ID:

> * For Internet Access providers, consider offering, as the default entry level Internet Access Service, something which does not allow external DNS / NTP resolution, to limit some of the methods available to 'malware' that gets on to consumer systems. (mutually beneficial)

Using external DNS servers is an easy way to avoid some kinds of censorship (i.e. that which is implemented in the DNS). What you are really saying here is that users should have to pay more for an uncensored service. Are you seriously advocating this as a best practice? It's not April 1st yet, I don't think.

> * Customers that have totally free access to the Internet represent additional risk to you, the ISP. For customers that want the full experience, cover your additional risk mitigation costs. (altruistic)

Either I am misunderstanding, or you are using words in a very non-standard way.

"willingness to do things that bring advantages to others, even if it results in disadvantage for yourself"
https://dictionary.cambridge.org/dictionary/english/altruism

What you seem to be describing is, in fact, the opposite of altruism,

"the act of considering the advantage to yourself when making decisions, and deciding to do what is best for you"
https://dictionary.cambridge.org/dictionary/english/self-interest

Is today upside-down day?

Cheers,
-w

William Waites
Laboratory for Foundations of Computer Science
School of Informatics, University of Edinburgh
Informatics Forum 5.38, 10 Crichton St.
Edinburgh, EH8 9AB, Scotland

The University of Edinburgh is a charitable body, registered in Scotland, with registration number SC005336.


From zorz at isoc.org Thu Jan 19 12:16:31 2017
From: zorz at isoc.org (Jan Zorz - ISOC)
Date: Thu, 19 Jan 2017 12:16:31 +0100
Subject: [bcop] Mutually beneficial or altruistic?
In-Reply-To:
References: <114fffd0-cc5a-3cbd-b8a0-1014b61a9fbf@theiet.org>
Message-ID:

On 17/01/2017 21:15, William Waites wrote:
>> * For Internet Access providers, consider offering, as the default
>> entry level Internet Access Service, something which does not allow
>> external DNS / NTP resolution, to limit some of the methods
>> available to 'malware' that gets on to consumer systems. (mutually
>> beneficial)
>
> Using external DNS servers is an easy way to avoid some kinds of
> censorship (i.e. that which is implemented in the DNS). What you are
> really saying here is that users should have to pay more for an
> uncensored service. Are you seriously advocating this as a best
> practice? It's not April 1st yet, I don't think.

Hey,

This is not the best possible idea, I agree. There are other ways how to mitigate malware DNS queries from end-users, not just simply blocking them.

>
>> * Customers that have totally free access to the Internet represent
>> additional risk to you, the ISP. For customers that want the full
>> experience, cover your additional risk mitigation costs.
>> (altruistic)
>
> Either I am misunderstanding, or you are using words in a very
> non-standard way.
>
> "willingness to do things that bring advantages to others, even if it
> results in disadvantage for yourself"
> https://dictionary.cambridge.org/dictionary/english/altruism
>
> What you seem to be describing is, in fact, the opposite of
> altruism,
>
> "the act of considering the advantage to yourself when making
> decisions, and deciding to do what is best for you"
> https://dictionary.cambridge.org/dictionary/english/self-interest

I think we need to do ":0,$s/altruism/self-interest/g" in Steve's email ;)

Cheers, Jan

>
> Is today upside-down day?
>
> Cheers, -w
>
>
> William Waites Laboratory for Foundations of Computer Science School
> of Informatics, University of Edinburgh Informatics Forum 5.38, 10
> Crichton St. Edinburgh, EH8 9AB, Scotland
>
> The University of Edinburgh is a charitable body, registered in
> Scotland, with registration number SC005336.
>
>

--
Jan Zorz
Internet Society
mailto:
------------------------------------------
"Time is a lake, not a river..." - African


From zorz at isoc.org Thu Jan 19 12:23:51 2017
From: zorz at isoc.org (Jan Zorz - ISOC)
Date: Thu, 19 Jan 2017 12:23:51 +0100
Subject: [bcop] Mutually beneficial or altruistic?
In-Reply-To: <114fffd0-cc5a-3cbd-b8a0-1014b61a9fbf@theiet.org>
References: <114fffd0-cc5a-3cbd-b8a0-1014b61a9fbf@theiet.org>
Message-ID:

Hi,

On 17/01/2017 17:52, Steve Nash wrote:
> Some thoughts on BCOP TF objectives.
>
> The current statements of BCOP TF Charter and activities do not make
> distinctions between Practices that are good for the Internet (mutually
> beneficial) and Practices that are good recommendations for the
> individual Operator (altruistic). MANRS clearly sits in the former, but
> does contain some altruistic recommendations also.
>
> I suggest that the BCOP TF charter should be clarified to state clearly
> whether its scope is solely BCOPs that are mutually beneficial. There
> seem to me to be a lot of opportunities for more altruistic output, but
> these are not being discussed.

Altruism is also very welcome, self-interest a little bit less :)

>
> I happen to be employed by Arbor Networks so I hear a lot about bad
> things that happen across the Internet.
>
> Considerations for BCOPs that could be worked on:
>
> * Amplification attacks. Avoid being an Amplifier. Do not respond to
> connectionless service requests from outside of your own address
> space. DNS, NTP, Chargen... Configure your servers and ingress
> filters accordingly. (mutually beneficial)

Agree.

> * For Internet Access providers, consider offering, as the default
> entry level Internet Access Service, something which does not allow
> external DNS / NTP resolution, to limit some of the methods
> available to 'malware' that gets on to consumer systems. (mutually
> beneficial)

Censorship. ISP should not deal with L4 filtering.

> * Implement a separate network for monitoring and managing your
> network. Otherwise, a large traffic anomaly, like a DoS attack, may
> flood your internal links and make your network invisible and
> uncontrollable. A physically separate network is best because
> virtual networks have to have classifiers that decide the
> priority/VLAN for arriving traffic and these can also be overwhelmed
> by large anomalies, with the same bad results. (altruistic)

Agree. It's about self-protection.

> * When acquiring routers and networking equipment, pay attention to
> the need to monitor. Can a new device generate flow reports and
> process SNMP requests at useful rates without impairing your
> forwarding performance below the level you need? Be prepared for
> exceptional packet rates, not just bit rates. (altruistic)

Interesting one. Are there any known measurements and tests for this HW capability?

> * Discuss Flowspec opportunities with your peers and transit providers
> to give yourself as many opportunities as possible for traffic
> engineering to achieve mitigation. (altruistic)

Good set of bullet points needed for that discussion would be useful.

> * Customer contracts and DoS attacks. Make it clear that the customer
> is contracting to receive a limited amount of bandwidth (and packet
> rate). If they attract a higher rate of traffic, the ISP will HAVE
> to drop some traffic randomly, and may need to drop all traffic to
> protect its other customers. Consider offering mitigation services
> to customers that wish to protect themselves against these
> incidents. (altruistic)

This one can be hard to generalize, as every ISP is different. Worth trying anyway.

> * Customers that have totally free access to the Internet represent
> additional risk to you, the ISP. For customers that want the full
> experience, cover your additional risk mitigation costs. (altruistic)

Not sure I understand this one... Which ISP gives to their customers free access?

>
> Regards

Any volunteers in the group to take on and help with any of the above ideas?

Cheers, Jan
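As an added example (not from the thread or any of its authors), the amplification bullet's rule "do not respond to connectionless service requests from outside of your own address space" turned into a check an operator can run over its own flow records; the prefixes, ports and flow records are constructed assumptions.

```python
"""Flow-based check for reflectors in our own address space: hosts that answer
DNS/NTP/chargen requests from outside it. Added example with constructed data."""
import ipaddress
from collections import defaultdict

# Assumption: the operator's own address space (constructed documentation prefixes).
OWN_PREFIXES = [ipaddress.ip_network(p) for p in ("192.0.2.0/24", "2001:db8::/32")]
# UDP services named in the thread as amplification vectors, keyed by server port.
REFLECTOR_PORTS = {53: "dns", 123: "ntp", 19: "chargen"}
# Report a (server, service, peer) triple once it returns this many response bytes
# per request byte; an ordinary query/answer exchange stays well below it.
MIN_AMPLIFICATION = 5.0

def is_own(addr):
    """True if addr falls inside our own address space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWN_PREFIXES)

def find_amplifiers(flows):
    """flows: dicts with src, sport, dst, dport, proto, bytes (flow-export fields).
    Returns {(our_server, service, external_peer): amplification_ratio}."""
    req = defaultdict(int)   # request bytes from outside into our reflector ports
    resp = defaultdict(int)  # response bytes from our reflector ports to outside
    for f in flows:
        if f["proto"] != "udp":          # reflection abuses connectionless services
            continue
        if f["dport"] in REFLECTOR_PORTS and is_own(f["dst"]) and not is_own(f["src"]):
            req[(f["dst"], REFLECTOR_PORTS[f["dport"]], f["src"])] += f["bytes"]
        elif f["sport"] in REFLECTOR_PORTS and is_own(f["src"]) and not is_own(f["dst"]):
            resp[(f["src"], REFLECTOR_PORTS[f["sport"]], f["dst"])] += f["bytes"]
    findings = {}
    for key, out_bytes in resp.items():
        in_bytes = req.get(key, 0)
        # No matching request seen (spoofed or unlogged): treat the ratio as unbounded.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= MIN_AMPLIFICATION:
            findings[key] = ratio
    return findings

# Constructed flow records: an NTP exchange amplified 100x, an ordinary DNS answer,
# an internal-only DNS lookup, a chargen burst with no request seen, and a TCP flow.
SAMPLE_FLOWS = [
    dict(src="203.0.113.7", sport=40000, dst="192.0.2.123", dport=123, proto="udp", bytes=48),
    dict(src="192.0.2.123", sport=123, dst="203.0.113.7", dport=40000, proto="udp", bytes=4800),
    dict(src="198.51.100.9", sport=41000, dst="192.0.2.53", dport=53, proto="udp", bytes=70),
    dict(src="192.0.2.53", sport=53, dst="198.51.100.9", dport=41000, proto="udp", bytes=140),
    dict(src="192.0.2.10", sport=50000, dst="192.0.2.53", dport=53, proto="udp", bytes=60),
    dict(src="192.0.2.19", sport=19, dst="198.51.100.9", dport=42000, proto="udp", bytes=9000),
    dict(src="192.0.2.80", sport=80, dst="203.0.113.7", dport=40001, proto="tcp", bytes=9000),
]
```

Run against real flow exports, a hit means the named server still answers the reflector port to addresses outside your space and its service configuration or ingress filter needs the restriction the bullet describes; servers that legitimately serve external clients (an authoritative DNS server) would need an allow-list on top of this.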