Hi Ewen,

I, like you, have been thinking about Geoff's provocative presentation, and also Dean's incisive ;-) , witty analysis of why the Internet sucks.

Standing back a bit, isn't what has been discussed simply an angle on wholesale connectivity (lego set) and retail service (toaster)? Also - like you suggest - it's fairly straightforward to offer both at the same time - all we need to do is work out a "protocol" for determining whether those requesting lego connectivity when connected will not break it for the rest of us. Is being in the NZNOG 'community' exactly a way of working that out?

To me what is interesting however, is working out an architecture to deliver n00b Internet. Perhaps a return to the mainframe/thin client? ;-) - but then there's all these complicated trust issues. Dammit.

jamie

On Sun, 2004-02-01 at 11:17, Ewen McNeill wrote:
One of the things discussed at the (excellent, thanks everyone) NZNOG 2004 conference was that the Internet sucks, and that a large portion of this suckage is due to ignorant n00bs who do the wrong thing, get 0wned, etc.
It was suggested that the "only" fix to this problem was to kill the end to end Internet, making the "Internet" a core exchange network (a la telco style), and allowing users only access to a local proxy at their ISP for a very limited set of services.
Aside from my objection that this won't help much except in the short term (plenty of protocols already tunnel around such firewall limitations -- eg, look at everything that's been tunneled through HTTP), this really sucks for the l33t who find it awfully restrictive.
An alternative approach to that type of thing is possibly just to heavily firewall -- at the ISP end of the link -- connections to all "potential n00b" users (SMTP to ISP mail server, POP/IMAP/HTTP/HTTPS to wherever and a few other common things) by default.
And then provide an "opt out" system that anyone with a clue can use to disable the default firewalling. I would suggest:
telnet ihaveaclue.$ISP
where you have to enter "My name is $NAME, and I have a clue" (with $NAME expanded, but otherwise literally). Possibly that setting could be sticky; possibly it would need to be done on each reconnection.[0]
The remaining aspect is that anyone who claims to have a clue in this manner and then lets something on their connection get 0wned or otherwise abuses the privilege (a) loses the ability to unblock themselves, and (b) gets their name published on a list of shame.
This could pretty much be implemented today by anyone with a firewall (or customer facing ACLs) which can be set on a per-customer basis. Various RAS boxes have this sort of facility already; at least one ISP I know of firewalls accounts that are overdue so they can reach the accounting website and that's about it.
The alternative seems to be that the clueful will just tunnel everything through whatever still works. Tunnelling through DNS requests is painful but doable; tunnelling through most other things is almost tolerably efficient by comparison. And I guess bandwidth is cheap enough now that we can cope with a 20-50% overhead due to tunnelling.[1]
Ewen
[0] Anyone who can't automate doing it on each reconnection doesn't have a clue.
[1] Still, it'll make the ATM tax look cheap.

_______________________________________________
NZNOG mailing list
NZNOG(a)list.waikato.ac.nz
http://list.waikato.ac.nz/mailman/listinfo/nznog
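Ewen's scheme above (a default per-customer ACL for "potential n00b" accounts, a literal-phrase opt-out at ihaveaclue.$ISP, and revocation plus a list of shame on abuse) as a runnable model. This is an added example, not code from the thread or from anyone on the list. The ISP server addresses, the DNS-to-ISP-resolver entry in the default allow list (the post only says "a few other common things"), the account and customer IPs, and the iptables rendering of the ACL are all assumptions.

```python
"""Toy model of the "default firewall + opt-out" scheme (added example,
not code from the original thread).  Per-customer ACL state lives in an
in-memory dict; a real deployment would push it to RAS or edge ACLs.
All addresses are constructed from RFC 5737 documentation ranges."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ISP_MAIL_SERVER = "203.0.113.25"   # assumed ISP SMTP relay (constructed)
ISP_RESOLVER = "203.0.113.53"      # assumed ISP recursive resolver (constructed)

# Default "potential n00b" allow list: (proto, dst port) -> destination rule.
# SMTP and DNS only to the ISP's own servers, the rest to anywhere; every
# other flow is dropped.  The DNS entry is an assumption, not from the post.
DEFAULT_ALLOW: Dict[Tuple[str, int], str] = {
    ("tcp", 25): "isp_mail",
    ("tcp", 110): "any",   # POP3
    ("tcp", 143): "any",   # IMAP
    ("tcp", 80): "any",    # HTTP
    ("tcp", 443): "any",   # HTTPS
    ("udp", 53): "isp_dns",
}

# The literal phrase from the post, with $NAME expanded by the customer.
CLUE_PHRASE = re.compile(r"^My name is (?P<name>[^,]+), and I have a clue$")


@dataclass
class Customer:
    account: str
    src_ip: str
    name: Optional[str] = None
    clued: bool = False      # opt-out currently in effect
    revoked: bool = False    # abused the privilege; may never opt out again


class ClueGate:
    """The ihaveaclue.$ISP service plus the per-customer ACL it controls."""

    def __init__(self) -> None:
        self.customers: Dict[str, Customer] = {}
        self.list_of_shame: List[str] = []

    def add_customer(self, account: str, src_ip: str) -> None:
        self.customers[account] = Customer(account, src_ip)

    def opt_out(self, account: str, line: str) -> str:
        """Handle one line typed at the telnet prompt; return the reply."""
        c = self.customers[account]
        if c.revoked:
            return "DENIED: opt-out privilege revoked, see the list of shame"
        m = CLUE_PHRASE.match(line.strip())
        if not m:
            return 'DENIED: type exactly "My name is $NAME, and I have a clue"'
        c.name, c.clued = m.group("name"), True
        return f"OK: default filtering disabled for {account}"

    def reconnect(self, account: str) -> None:
        """Non-sticky variant: a reconnection reinstates the default ACL
        (footnote [0]: the clueful automate the opt-out anyway)."""
        self.customers[account].clued = False

    def report_abuse(self, account: str) -> None:
        """Customer got 0wned while opted out: (a) lose the ability to
        unblock, (b) name goes on the list of shame."""
        c = self.customers[account]
        c.clued, c.revoked = False, True
        self.list_of_shame.append(c.name or account)

    def permits(self, account: str, proto: str, dst_ip: str, dst_port: int) -> bool:
        """Would the customer-facing ACL let this outbound flow through?"""
        c = self.customers[account]
        if c.clued:
            return True                      # opted out: end-to-end Internet
        rule = DEFAULT_ALLOW.get((proto, dst_port))
        if rule is None:
            return False
        if rule == "isp_mail":
            return dst_ip == ISP_MAIL_SERVER
        if rule == "isp_dns":
            return dst_ip == ISP_RESOLVER
        return True

    def iptables_rules(self, account: str) -> List[str]:
        """Render the current ACL as iptables commands (illustrative only;
        a RAS box or router ACL would be the real target)."""
        c = self.customers[account]
        chain = f"CUST_{account}"
        rules = [f"iptables -N {chain}",
                 f"iptables -A FORWARD -s {c.src_ip} -j {chain}"]
        if c.clued:
            rules.append(f"iptables -A {chain} -j ACCEPT")
            return rules
        for (proto, port), rule in DEFAULT_ALLOW.items():
            dst = {"isp_mail": f" -d {ISP_MAIL_SERVER}",
                   "isp_dns": f" -d {ISP_RESOLVER}"}.get(rule, "")
            rules.append(f"iptables -A {chain} -p {proto}{dst} --dport {port} -j ACCEPT")
        rules.append(f"iptables -A {chain} -j DROP")
        return rules
```

The model keeps the three states the post implies (default-filtered, opted out, revoked) in one place so the ACL renderer and the opt-out prompt cannot disagree; `reconnect` implements the non-sticky variant, and `report_abuse` is the only transition into `revoked`, from which `opt_out` always refuses.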