RE: Domain Centric Administration

"Hallam-Baker, Phillip" <pbaker@verisign.com> Tue, 03 July 2007 19:54 UTC

Date: Tue, 03 Jul 2007 12:53:01 -0700
Message-ID: <198A730C2044DE4A96749D13E167AD37012F6951@MOU1WNEXMB04.vcorp.ad.vrsn.com>
In-Reply-To: <628B2522-ABD8-4F06-B862-E2A2C0C15D92@mail-abuse.org>
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
To: Douglas Otis <dotis@mail-abuse.org>, John C Klensin <john-ietf@jck.com>
Cc: ietf@ietf.org, Jeffrey Hutzelman <jhutz@cmu.edu>
Subject: RE: Domain Centric Administration
List-Id: IETF-Discussion <ietf.ietf.org>

Doug,

You are entirely right about the internet crime issues. In my book (to be published in the Fall, Addison Wesley) I mention default deny and domain centric of course but they are not what I would regard as my first line of defense.

The problem we always get to with Internet crime is the 'The problem is X / no it's Y / no it's Z' debate. The problem is X, Y and Z, and A through W as well. The idea of the book is to set out a straw man for a comprehensive solution so that instead of having that debate people can instead say 'your solution to X sucks, here is a better one', and I can reply 'thanks, now I can write the second edition'.


The point here is that I want to help people deploy IPv6 even though it is not the very top of my list of priorities and I am not a network routing person (not done work on that layer since my undergraduate thesis and proofs of deadlock freedom for routing protocols).

What I have learned from deploying security is that even though people say that security is their #1 concern, they lie. Their #1 concern is always going to be something else. But security will always top every poll of top 5 priorities because it is everyone's #2 or #3 issue.


We are dealing with very fine tipping points here. 95% right means zero deployment; get it to 96% and suddenly it takes over the world in 18 months. The gap between the Web and gopher or HyperG is very, very small. HyperG was in many ways technically superior; certainly the application software was better right up to 1995/6 or so.

> -----Original Message-----
> From: Douglas Otis [mailto:dotis@mail-abuse.org] 
> Sent: Tuesday, July 03, 2007 3:13 PM
> To: John C Klensin
> Cc: ietf@ietf.org; Jeffrey Hutzelman
> Subject: Re: Domain Centric Administration, RE: draft-ietf-v6ops-natpt-to-historic-00.txt
> 
> 
> On Jul 2, 2007, at 11:06 AM, John C Klensin wrote:
> 
> > Of course, almost none of the issues above are likely to go
> > away, or even get better, with IPv6... unless we make some
> > improvements elsewhere.   And none of them make NAT a good idea,
> > just a "solution" that won't easily go away unless we have
> > plausible alternatives for _all_ of its purported advantages,
> > not just the address space one.
> 
> The initial use of IPv6 in North America will likely involve 
> Teredo enabled NATs and Teredo servers.  It does not seem 
> NATs will go away anytime soon, especially those adding 
> Teredo compliance to ensure multi-player games function 
> without router configuration.
> 
> Unfortunately many exploits now bypass protections once 
> afforded by NATs or peripheral firewalls.  Browsers are 
> always in transition and can be exploited with their many 
> hooks into OS services and applications.  It seems security 
> is sacrificed to enable some new proprietary interface.  This 
> is an area where standardization has seemingly failed.
> 
> Browser exploits have become so pervasive as to require our 
> company to extensively retool behavior evaluations.  For 
> example, SMTP reputations are being converted to a 
> progressive scale to adjust for the growing prevalence of 
> 0wned systems.  It seems much of the malware activity is just 
> harder to detect.
> 
> It gets worse.  NATs are not a complete solution, and 
> represent a new challenge.  PNRP clouds combined with new 
> complex routing paths represent a risk that will be even 
> harder to evaluate and to enforce policies on in a scalable fashion.
> 
> In the early days of the Internet, the level of commerce and 
> related crime was far lower than it is today.  People are now 
> filing their Federal taxes on-line.  What the Internet is 
> being used for has changed significantly.  When defending 
> against criminal exploits, there is less doubt about risks.  
> The hazards are very apparent, although they might be harder 
> to detect.
> 
> The security section for the "next great idea" should carefully 
> review and strategize how the world is to handle resulting abuse. 
> That section is unfortunately growing significantly in 
> importance every day.  What seemed like a good idea can 
> easily become a nightmare.
> 
> -Doug
> 

_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf