North American Network Operators Group

RE: amazonaws.com?

  • From: Robert Bonomi
  • Date: Tue May 27 14:53:45 2008

> From [email protected]  Tue May 27 12:06:50 2008
> Subject: RE: amazonaws.com?
> Date: Tue, 27 May 2008 18:08:16 +0100
> From: <[email protected]>
> To: <[email protected]>
>
> > If the address-space owner won't police its own property, 
> > there is no reason for the rest of the world to spend the 
> > time/effort to _selectively_ police it for them.
>
> Exactly!!! 
> If an SMTP server operator is not willing to police their server
> by implementing a list of approved email partners, then why should
> the rest of the Internet have to block outgoing port 25 connections?

Because the _privilege_ to send packets to other networks has been, from
'day one', conditional on the presumption that the sending network _is_
a "good neighbor" to the networks receiving their traffic.

AS SUCH, they have a firm 'moral responsibility' to *NOT* let _their_
users =originate= traffic that is harmful/offensive/abusive to the 
receiving/destination network.


Or, are you arguing for _no_ "acceptable use" policies for _anything_ on
the 'net.  That anyone should be free to attempt anything against any
server/network, and that it is the sole responsibility of the receiving
system to build and maintain the defenses against "whatever" any 
malefactor might decide to do?  *AND* that the party providing that 'black
hat' with connectivity should bear no responsibility for anything that
their customers do?   Thinking about it, I realize that asking _you_ (an
employee of a major telephone company) is a silly question -- you have a
biased viewpoint from a government-regulated monopoly.

> The buck needs to stop right where the problem is and that is
> on the SMTP servers that are promiscuously allowing almost any
> IP address to open a socket with them and inject email messages.

Since one _cannot_ stop the -attempts- at the destination end, and the
volume of -attempts- (even though they're blocked at the fence-line) 
*CAN* be enough to render 'normal' operations of the receiving network
impossible -- "it should be obvious to the meanest intelligence" that 
the matter *must* be addressed at a point _upstream_ from the destination
network.

It is universally recognized in the real world that 'toxic waste' issues 
must be dealt with at the _source_ point -- where that toxic waste is
produced.  AND that the costs of doing so should fall on those who produce
them.  

There is no reason that the Internet should be any different.  The polluter
is the party who *should* get hit with the majority of the costs of handling
the toxic waste they produce, not the party simply trying to enjoy the 'quiet
satisfaction' of their own property.

It is arguable that the Internet has advanced from the 'early pioneer' days 
of the '80s, to a state that is comparable to the height of the "Robber Baron"
era -- where everybody was out for 'me first, and to h*ll with whomever isn't
big enough, mean enough, and tough enough to stand up to whatever I want to
do to take advantage of them'.  History shows that such attitudes weren't right
_for_the_world_as_a_whole_ then, and societal barriers were put in place to
prevent such abuses from re-occurring.


> > Amazon _might_ 'get a clue' if enough providers walled off 
> > the EC2 space, and they found difficulty selling cycles to 
> > people who couldn't access the machines to set up their 
> > compute applications.
>
> Amazon might get a clue and sue companies who take such outrageously
> extreme action.

*SNICKER*   The results of such a suit are _utterly_ predictable. There's
established case-law going back a couple of _decades_. For example, look at
any of the (100% _unsuccessful_) suits that "Cyber Promotions, Inc." filed
against any of the several providers that did exactly that to said plaintiff.

There's similar case law in England, the Netherlands, Germany, Switzerland,
Norway, Finland, and Australia -- just to name a few of the places where
the matter has been litigated.

There are no "rights" on the Internet, only "privileges".  Your right to 
access any part of my network exists only -if- I extend you that privilege.  
And it _is_ revokable at whim.  WITHOUT any need to 'show cause why'.   Such
a suit as you suggest runs the very real risk that the filing party would be
sanctioned as regards "frivolous" filings.

>                 Even if you are being slammed by millions of email
> messages from Amazon address space, that is not justification for
> blocking all access to the space. It's a point problem on your
> mail server so leave the shotgun alone, and put an ACL blocking
> port 25 access to your mail server.

FALSE TO FACT.

If they generate _enough_ 'unwanted' traffic towards me, that can/will
constitute a fairly effective (D)DOS attack -- admittedly, it's only 
'slightly' distributed, and it's coming from a single block, so it can
be dealt with by some forms of point responses.

I _cannot_ deal with volume-based DOS at -my- end of my pipes; it -requires-
blocking/limiting the traffic *before* it hits the choke-point that is my 
external connectivity.  When that traffic is coming from a 'well defined'
source under a single entity's control, *THAT* -- the source -- is the 
appropriate place to deal with it.  In the alternate case -- a widely
distributed set of disparate sources -- other methods (usually involving
the immediate "upstreams" -- who presumably have enough bigger resources to 
be able to 'absorb' a volume of toxic waste that would be fatal to me) are
necessary.  The fact that such methods are necessary in some circumstances
does -not- mean that they are the _preferred_ method in all circumstances.

>
> I don't believe that horrendously broken email architecture and email
> operators with no vision, are sufficient justification for blocking new and
> innovative business models on the Internet. 10 months of the year, Amazon 
> has 10 times as many servers as they need. They want to rent them out 
> piecemeal and I applaud their innovation. Maybe their model is not perfect 
> yet, but the solution to that is not to raise a lynch mob. Instead you 
> should build a better cloud computing business and beat them that way.

I applaud their _intentions_, and deplore their *implementation*.

They, like many others, have forgotten that "the Internet" is, in fact, a
fairly -unique- institution/facility -- where the 'value' of what _you_ 
offer is contingent on the 'courtesies' you get for free from the rest of 
the world.  Every internet service provider and service offerer *needs* 
the 'good will' of its competitors _more_ than it needs any of its own 
customers.

Something like the initial part of the Hippocratic Oath is needed for those
who consider Internet-based service offerings -- "First, do no evil."

People who fail to control the toxic waste emissions from their property
are _not_ "good neighbors", and fail that 'do no evil' test.

The same for those who allow toxic waste emissions to flow from their networks
over the Internet.