[LINK] RFC: "No End User Servers" Policies are brain dead (consolidated response)

Saliya Wimalaratne saliya@hinet.net.au
Thu Nov 28 21:34:17 EST 2002


On Thu, 28 Nov 2002, bscott@gtlaw.com.au wrote:

> 4. Security issues - more end user servers means greater chance of spam
> (via open relays + lack of proper admin) [Andrew]
> On link response: doesn't justify blanket ban on all servers.  Perhaps
> justifies blanket ban on open relays or on mail servers [Craig]
> My view: Why wouldn't this be solved by a ban on open relays/an authorised
> list of mail server products (ie those with high security as default)?
> Carrier's compliance costs would be no greater than their current costs.

Hi,

Sorry, but this isn't correct. SMTP isn't the only vulnerable service, and
SMTP does not have to run on a given port. 

The only 'safe' way is "don't permit inbound connections unless it's
part of an established connection or the subscriber has explicitly requested
inbound connects on this port". 

Additionally, the list of 'open ports' for each subscriber must be periodically
checked with automated scanning tools to verify that the subscriber is still
'safe' from current vulnerabilities. 

Administering/maintaining this type of regime *is* significantly more 
expensive than a blanket ban on servers :)

> 5. Security issues - more end user servers means more viruses (similar
> reason to 4) [Andrew]
> On link response: Nothing peculiar about cable modems.
> My view: server viruses are only an example of a broader problem. This
> argument would imply that carriers should ban end users from running
> outlook.

Most carriers don't care unless it's affecting their bottom line. Since 
most Australian carriers charge Joe Average by-the-byte, any traffic is
"good" for them (I personally disagree with this philosophy, but you 
can see it in action at your friendly Local Telco). 

If the carrier were sued for being the originator of a particular virus
outbreak, this philosophy would change - but this is unlikely, no?

> 6. QoS - if an end user server becomes popular it will overload the link
> [Eric]
> My view: I don't really understand this argument. It is only relevant for
> the difference between end user hosting (at a terminating node) and carrier
> hosting (at a more central node).  So congestion on links to and from the
> central nodes is not relevant, it's only on the last mile node or nodes.

You're assuming that the end-user nodes and the central hosting services
are all serviced by the same upstream link(s); frequently, this is not
the case. Generally, SPs provision capacity based on estimates of what
will be required; and "hosting services" should have enough capacity 
to deal with demand. 

> The people accessing the server will get a poor response.  I don't
> understand why this has an impact on others (traffic from page requests is
> unlikely to saturate the last mile downstream capacity?).

The problem is the other customers who are affected by a single customer
on a DSL head-end being slashdotted. If this happened with a hosting service,
you would be looking around very quickly to find a better-provisioned 
hosting service. 

> The security issues cause pause, but overall I don't find the arguments
> against end user servers all that compelling. My main argument in favour of
> end user servers is that they create a content source on the network and
> therefore drive the value of that network both through (a) interconnection
> fees with other carriers and (b) fees to other end users who download that
> content.  That value is currently throttled by the need to take out a

I think that the security issue has to be compelling. Stuff like Nimda
does damage pretty much in proportion to available bandwidth; thus, 
broadband connections have a responsibility to be proportionally more
resistant to these types of attacks. 

> professional server product.  This operates as a barrier to entry,
> unnecessarily depressing the market.  I guess the question is whether the
> costs of administering an end user servers policy outweighs the
> interconnection benefits.

At present it does; because there are virtually zero interconnection benefits
(thus, any cost outweighs them). 

> The vote tally so far:
> yes it's brain dead - 3 [Craig, me, one off link response]
> no, there's a reason for it - 2 [Eric, Andrew]
> not directly addressing the question - 2 [Howard, Daniel]

"no"; because dealing with end-user-servers properly is not factored into the 
current pricing regime. 

Regards,

Saliya
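
Added example, not part of the original message: a small Python model of the regime the reply describes (inbound traffic accepted only for flows the subscriber opened or ports the subscriber opted in to, plus a periodic scan audit keyed on the service found rather than the port number). The class, function names, addresses, banners and scan results are all constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class SubscriberPolicy:
    """Default-deny inbound policy for one subscriber line (hypothetical model)."""
    allowed_inbound: set = field(default_factory=set)  # (proto, port) the subscriber requested
    established: set = field(default_factory=set)      # flows the subscriber opened

    def note_outbound(self, proto, local_port, remote_ip, remote_port):
        # Remember a flow the subscriber initiated so its replies are accepted.
        self.established.add((proto, local_port, remote_ip, remote_port))

    def permit_inbound(self, proto, local_port, remote_ip, remote_port):
        # Rule 1: the packet belongs to a connection the subscriber opened.
        if (proto, local_port, remote_ip, remote_port) in self.established:
            return True
        # Rule 2: the subscriber explicitly requested inbound on this port.
        return (proto, local_port) in self.allowed_inbound


def audit(policy, scan_open, vulnerable_banners):
    """Compare one periodic scan against the opt-in list.

    scan_open maps (proto, port) to the service banner the scanner saw;
    vulnerable_banners is an assumed feed of banners currently unsafe.
    """
    findings = []
    for key, banner in sorted(scan_open.items()):
        if key not in policy.allowed_inbound:
            # Catches a service on a non-standard port, e.g. SMTP off port 25.
            findings.append((key, "open but never requested: " + banner))
        elif banner in vulnerable_banners:
            findings.append((key, "requested but vulnerable: " + banner))
    return findings


# Constructed sample data (documentation address ranges, made-up banners).
SAMPLE_POLICY = SubscriberPolicy(allowed_inbound={("tcp", 80)})
SAMPLE_POLICY.note_outbound("tcp", 40000, "198.51.100.7", 25)
SAMPLE_SCAN = {("tcp", 80): "httpd-old", ("tcp", 2525): "smtp-relay"}
SAMPLE_VULNERABLE = {"httpd-old"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_POLICY, SAMPLE_SCAN, SAMPLE_VULNERABLE):
        print(finding)
```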


