On 2/1/04, ewen(a)naos.co.nz thus spake:

It was suggested that the "only" fix to this problem was to kill the end to end Internet, making the "Internet" a core exchange network (a la telco style), and allowing users only access to a local proxy at their ISP for a very limited set of services.

I suspect a combination of the two approaches makes sense. Assuming the signal-noise ratio becoming so skewed that Dean's Nana goes back to the PSTN, a core-exchange setup would allow the ISP to provide a value- add (and charge extra for it). It allows Nana to have a usable signal- noise ratio, presumably relieves her of worries about windoze virus-du- jour, and it allows the 1337 to have a normal (and assumedly cheaper) connection. In combination with some sort of ban list, n00b5 who opted for the cheap connection and got 0wned would theoretically get pushed into the core bit or disconnected altogether, and those wishing for legos and competent to play with them are still set. Obviously the default would be to put n00b5 into the core-exchange group. I do suspect that once the noise level gets too high the non-1337 will be actively seeking a solution and be more than happy to pay for it-brightmail is an excellent example of an early implementation of this(non-1337 fork over extra cash for an ISP offering a brightmail policed account, 1337 implement spamassassin or some other procmail sanitizer type solution). So I suppose what I'm proposing here differs from your proposition mainly in that I think there could be a place for a core-exchange, in addition to a 1337 opt-out. I don't think that using existing firewalling and such will be sufficient, precisely because of the tunneling holes. If an ACL is the primary method of protection, the spam/malware crowd will just find a way to tunnel their wares. A core-exchange type setup would presumably make it very difficult to get into the exchange without coming from one of the big players (such that I guess you'd have to somehow tunnel into the core, gain authorization, and distribute to the core users-a properly designed core system would make this a tall order). I do see one obvious problem though-deciding what sort of transgressions are sufficient to force n00b5 into core-exchange would be troublesome. Also, one would hope that there would be some way for them to redeem themselves. Some n00b5 get 1337, and being banned for life because they were once 14 and king of the world would suck. Perhaps some sort of PGP-ish web of trust solution could work. Though that raises a lot of administrative problems as well. And maybe this is all just hot air and the 1337 will find their Valinor. Regards, Ed Hintz ed(a)hintz.org

Hi Ewen, I like you have been thinking about Geoff's provocative presentation, and also Dean's incisive ;-) , witty analysis of why the Internet sucks. Standing back a bit isn't what has been discussed simply an angle on wholesale connectivity (lego set) and retail service (toaster). Also - like you suggest - it's fairly straight forward to offer both at the same time - all we need to do is work out a "protocol" for determining whether those requesting lego connectivity when connected will not break it for the rest of us. Is being in the NZNOG 'community' exactly a way of working that out? To me what is interesting however, is working out an architecture to deliver n00b Internet. Perhaps a return to the mainframe/thin client? ;-) - but then there's all these complicated trust issues. Dammit. jamie On Sun, 2004-02-01 at 11:17, Ewen McNeill wrote:

One of the things discussed at the (excellent, thanks everyone) NZNOG 2004 conference was that the Internet sucks, and that a large portion of this suckage is due to ignorant n00bs who do the wrong thing, get 0wned, etc.

It was suggested that the "only" fix to this problem was to kill the end to end Internet, making the "Internet" a core exchange network (a la telco style), and allowing users only access to a local proxy at their ISP for a very limited set of services.

Aside from my objection that this won't help much except in the short term (plenty of protocols already tunnel around such firewall limitations -- eg, look at everything that's been tunneled through HTTP), this really sucks for the l33t who find it awfully restrictive.

An alternative approach to that type of thing is possibly just to heavily firewall -- at the ISP end of the link -- connections to all "potential n00b" users (SMTP to ISP mail server, POP/IMAP/HTTP/HTTPS to whereever and a few other common things) by default.

And then provide an "opt out" system that anyone with a clue can use to disable the default firewalling. I would suggest:

telnet ihaveaclue.$ISP

where you have to enter "My name is $NAME, and I have a clue" (with $NAME expanded, but otherwise literally). Possibly that setting could be sticky; possibly it would need to be done on each reconnection.[0]

The remaining aspect is that anyone who claimed to have a clue in this manner and then lets something on their connection get 0wned or otherwise abuses the privilege, (a) loses the ability to unblock themselves, and (b) gets their name published on a list of shame.

This could pretty much be implemented today by anyone with a firewall (or customer facing ACLs) which can be set on a per-customer basis. Various RAS boxes have this sort of facility already; at least one ISP I know of firewalls accounts that are over due so they can reach the accounting website and that's about it.

The alternative seems to be that the clueful will just tunnel everything through whatever still works. Tunnelling through DNS requests is painful but doable; tunnelling through most other things is almost tolerably efficient by comparision. And I guess bandwidth is cheap enough now that we can cope with a 20-50% overhead due to tunnelling.[1]

Ewen

[0] Anyone who can't automate doing it on each reconnection doesn't have a clue.

[1] Still, it'll make the ATM tax look cheap. _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Dear Ewen, What an interesting rant! I agree that the net has become frustrating for power users and hear your cry loud and clear. My recommendation for you is a holiday away from the net. If all power users were to take a 3 month holiday, the whole net would stop working. Some times the best way to fix something is to allow it to break to the point where it just doesn't work at all. I'm sure all readers can work out what happens next :) Cheers Don On Sun, 01 Feb 2004 11:17:17 +1300, Ewen McNeill wrote

One of the things discussed at the (excellent, thanks everyone) NZNOG 2004 conference was that the Internet sucks, and that a large portion of this suckage is due to ignorant n00bs who do the wrong thing, get 0wned, etc.

It was suggested that the "only" fix to this problem was to kill the end to end Internet, making the "Internet" a core exchange network (a la telco style), and allowing users only access to a local proxy at their ISP for a very limited set of services.

Aside from my objection that this won't help much except in the short term (plenty of protocols already tunnel around such firewall limitations -- eg, look at everything that's been tunneled through HTTP), this really sucks for the l33t who find it awfully restrictive.

An alternative approach to that type of thing is possibly just to heavily firewall -- at the ISP end of the link -- connections to all "potential n00b" users (SMTP to ISP mail server, POP/IMAP/HTTP/HTTPS to whereever and a few other common things) by default.

And then provide an "opt out" system that anyone with a clue can use to disable the default firewalling. I would suggest:

telnet ihaveaclue.$ISP

where you have to enter "My name is $NAME, and I have a clue" (with $NAME expanded, but otherwise literally). Possibly that setting could be sticky; possibly it would need to be done on each reconnection.[0]

The remaining aspect is that anyone who claimed to have a clue in this manner and then lets something on their connection get 0wned or otherwise abuses the privilege, (a) loses the ability to unblock themselves, and (b) gets their name published on a list of shame.

This could pretty much be implemented today by anyone with a firewall (or customer facing ACLs) which can be set on a per-customer basis. Various RAS boxes have this sort of facility already; at least one ISP I know of firewalls accounts that are over due so they can reach the accounting website and that's about it.

The alternative seems to be that the clueful will just tunnel everything through whatever still works. Tunnelling through DNS requests is painful but doable; tunnelling through most other things is almost tolerably efficient by comparision. And I guess bandwidth is cheap enough now that we can cope with a 20-50% overhead due to tunnelling.[1]

Ewen

[0] Anyone who can't automate doing it on each reconnection doesn't have a clue.

[1] Still, it'll make the ATM tax look cheap. _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

-- Don Gould Ask not what your telephone company should do for you... ...but what you can do for your community!

On Mon, 2004-02-02 at 00:17, Ewen McNeill wrote:

An alternative approach to that type of thing is possibly just to heavily firewall -- at the ISP end of the link -- connections to all "potential n00b" users (SMTP to ISP mail server, POP/IMAP/HTTP/HTTPS to whereever and a few other common things) by default.

In a sense this is what we do at the university. All addresses are heavily firewalled by default but departmental IT support staff can set up (with a few restrictions) pretty what ever they want (or will be when I implement the next set of changes when I get back from leave -- for some reason nobody liked the idea of me doing just before I disappeared for a month). The current system is based on a large (and confusing :( ) set of access classes because that was the way our old firewall worked. We now are using OBSD's pf and I have written a nice web/mysql interface as part of our network management system that will allow much more flexibility. This system works well. I do occasional sanity checks and every now and again I will question why something is set up the way it is (usually there is a good explanation, but sometime people have misunderstood requirements or have simply open things right up to get something going and either forgot or not bothered to tighten things up again). We also do extensive monitoring of both in bound and out bound traffic and (although we don't do it) you could automatically quarantine users that appear to be infected or 0wned. A quarantined user could still get to their email which would tell them what was happening and to the support web site that would give them guidance in what to do, but would isolate them from the 'Net at large. In case anyone is interested what we actually do when we find that machines have problems is contact the departmental or faculty IT support staff who deal with it. In the case where there is evidence of active 'cracker' activity we isolate the machine at the firewall, but this is a manual process. I believe that network administrators (both corporate and ISP) need to be proactive in looking for trouble and to have effective means of dealing with machines that are causing it. It has been quite a while since I looked but it it very clear from the monitoring that I do which NZ ISPs are proactive in this area and which are not. At the moment I suspect this simply reflects the how the respective ISPs deal with abuse notices. -- Russell Fulton /~\ The ASCII Network Security Officer \ / Ribbon Campaign The University of Auckland X Against HTML New Zealand / \ Email!