Re: Requesting comments on draft-cheney-safe-02.txt

"Cheney, Edward A SSG RES USAR USARC" <austin.cheney@us.army.mil> Sat, 08 August 2009 05:16 UTC

To: John C Klensin <john+smtp@jck.com>
Cc: Rich Kulawiec <rsk@gsp.org>, ietf-smtp@imc.org

John,

In addition to my reply to Rich I want to address the cost of doing
business with regard to security mitigation.

For a moment I would like to jump to another more email-centric example:
SPAM.  SPAM can be easily mitigated using the latest email server
software and performing the best current procedures to minimize the
impact of SPAM upon an organization's systems and users.  Even after all
possible efforts are considered SPAM can still get through.  If SPAM
does not get through it still consumes bandwidth across networking
devices and bandwidth on the email server.  SPAM mitigation costs CPU
cycles on email servers that could be used for other more productive
tasks.  Those wasted CPU cycles increase load, which is a management
concern for server load balancing and power distribution costs in a
server farm.

No matter what we do and even if no SPAM gets through to the end user
the administrator has still spent time, money, and resources to defend
their network.  From the perspective of a project manager or a business
owner that is funding that could be invested to grow the business if not
wasted on mitigation.  That is additional personnel and equipment that
could be retasked to perform other operations to make the organization
more productive and competitive.  At the end of the day the final
business result is additional costs.

Security vulnerabilities, much like SPAM, are a high cost and a drain on
any organization.  Even if mitigation completely eliminated 100% of the
problem 100% of the time it still comes at a cost, a cost that is
unnecessary if those vulnerabilities were eliminated.

If I were a key decision maker in the investment of business assets
across a large organization I would want to eliminate costs to the
business as much as possible.  If there are positive benefits associated
with, but not directly related to, those cost savings that is simply an
unintended business benefit even if the technology benefits are
intentional.

In summary, after all technology decisions and impacts are considered at
the end of the process will this result in a savings to business?  I
believe it will result in an astounding cost savings if a significant
majority of reported vulnerabilities could be either eliminated or
substantially reduced.

Thank you,
Austin