North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Long-term identifiers (was Re: who offers cheap (personal) 1U colo?)

  • From: Sean Donelan
  • Date: Mon Mar 15 05:27:09 2004

On Sun, 14 Mar 2004, Andrew Dorsett wrote:
> In a dorm room situation or an apartment situation, you again know the
> physical port the DHCP request came in on.  You then know which room that
> port is connected to and you therefore have a general idea of who the
> abuser is.  So whats the big deal if you turn off the ports to the room
> until the users complain and the problem is resolved?

It has to do with response time.

If I send an abuse complaint to an organization's mailbox on a Friday
night, will it be dealt with in the next 10 seconds?  Or sometime next
week?  If the computer reboots every 60 seconds, and gets different IP
addresses every time, a single infected computer can appear with lots of
different IP addresses which results in overblocking.  Similar things
happen when a very large corporation has a NAT firewall, and attacks
appear to come from all over their address ranges.  A long-term end-to-end
identifier would let me immediately drop the specific infected computer's
traffic regardless of its rotating IP addresses, even if your abuse
department doesn't open until next monday to track down the user to
permanently fix it.

The other issue is assuming "abuse" is defined the same way.  If I can
uniquly identify the source, we don't have to debate whether my definition
of abuse is the same as your definition.  You might have a three-strike
policy and I have a zero-tolerance policy.  It doesn't matter if there was
an end-to-end long-term identifier.  While you are waiting for the other
strikes, I can immediately block that specific computer regardless of
what IP address it has today.

That way "reputation" could be tied to the infected computer instead of
random address ranges.

If IPsec ever gets fully deployed, then we may be able to negotiate
end-to-end identification.  The long-term end-to-end identifier does not
need to include personally identifiable information.