[AusNOG] NBN must avoid becoming 'failed state'

Dobbins, Roland rdobbins at arbor.net
Mon Sep 20 19:50:37 EST 2010


On Sep 20, 2010, at 4:34 PM, Mark Newton wrote:

> Those who cause BadThings(tm) will have no contractual relationship 
> with NBNCo, and subsequently no requirement to adhere to NBNCo rules.

Of course they would, in terms of bots/attacks emanating from NBN-connected endpoint networks.

Did you in fact see/read the preso, specifically the bit about a master AUP?

> The only entities NBNCo will be able to levy noncompliance sanctions
> against will be entire ISPs.

Actually, that isn't the case - they could go down to the individual end-user level, if that's what they decide to do.

> So the relationship between NBNCo and ISPs will be a complicated one.

Much less complex than if there are no standards, Bad Things ensue, and the finger-pointing and lawyering begins.

> There are probably many models which could potentially be successful.

Concur 100%.

> But I submit that the one you've proposed this evening isn't one of them.

I haven't really proposed a model this evening - the framework I proposed is outlined in the presentation I gave at AusNOG-04.  Did you see/hear it, or read it?

> Perhaps it's good to be thinking about these issues, and if that was
> your goal then great, you earn a gold star.

That is in fact my primary goal.

What's necessary and appropriate in terms of NBN security standards and AUPs shouldn't be a decision made by default, but rather should be explicitly discussed and agreed upon by all relevant stakeholders.

> Ponder for one moment the reaction that Verizon would get in the USA
> if it started to levy penalties against its peers and customers for 
> passing through third-party attacks.

Verizon can in fact disconnect anyone at any time from their network, due to their AUP, acceptance of which is mandatory for peering with them or buying transit from them.

> Verizon, a private company, imposing sanctions and threats of business-ceasing disconnection on
> other ISPs.

It happens all the time, and not just with Verizon.  You seem to have a misinformed view of the role of AUPs and contract law in the USA and elsewhere.

> Congress would go berserk.  It'd be hilarious.

Congress could care less.

> That's basically what you're suggesting here:  That NBNCo, a private
> company

NBNCo are not a private company, they're a Government Business Enterprise.

> that's supposed to be a monopoly service provider for the entire
> country, could hold a threat of total business destruction over the 
> heads of every ISP in the country if they don't meet some kind of 
> nebulous standard of response against miscreants.

What was posited was capabilities, and it was far from nebulous.

>  And because the threat models change all the time, the standards service providers would
> need to meet would change all the time too.

Welcome to the Internet!

Or do you mean to say that SPs *shouldn't* routinely update their threat models and take appropriate measures, preferring to simply let the packets fall where they may?  

You saw/heard the part in the preso about creating and updating the threat model, yes?

What do Internode do in this regard, if you're allowed/inclined to share?

> So there goes my five-year plan.

That's one of the downsides of five-year-plans, isn't it?  

> NBNCo would be one of the few entities on the planet who'd be in a position to destroy my entire business.

One argument is that the business is already at risk if the appropriate security-related BCPs haven't been deployed.  It's quite easy to find examples of SPs literally driven out of business due to their inability to deal with botnet-driven DDoS attacks.

Another argument is that if a) the primary duty of government is to ensure a reasonable modicum of security and stability, and b) government are getting into the networking business, then c) it follows that government must ensure a reasonable modicum of stability and security on said government network.

>  That makes them a bigger risk than natural disaster, catastrophic fire, or the world's largest botnet.

Again, if the SP in question isn't already doing these things, that ship sailed long ago.

-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>

 	       Sell your computer and buy a guitar.






