At some point, people have to take responsibility for their actions or, in this case, their home computer. I am not saying that ISPs can't do some stuff (good net neighbor policies, like no smurf amplification, don't allow other sites' IP addresses outbound from your network, block small services, etc.), I agree with you there. BUT it is unreasonable to expect ISPs to take on the whole security burden.

This might be a bad analogy, but here it goes: You don't blame the Department of Transportation for bad drivers. Everybody that owns a car is responsible for the operation of their vehicle, including safety measures and insurance in case something does happen. Why can't we expect those same people to take responsibility for home computers? Should we make home computer users attend a mandatory licensing class and teach them safe computing (getting a driver's license)? Maybe we should have a ticketing system, and if they are guilty of 3 network violations, they have to attend class again (the dreaded traffic review course). Or, if all else fails, suspend their access to the network for a year?

Now, how do you do that world wide? It always comes down to that final question.... How do you get world buy-in?

Beth

-----Original Message-----
From: Paul D. Robertson [mailto:proberts@patriot.net]
Sent: Friday, June 08, 2001 12:12 PM
To: Young, Beth A.
Cc: 'Firewalls@Lists.GNAC.NET'
Subject: RE: This is a must read document. (.edu and ISP perspective)

On Fri, 8 Jun 2001, Young, Beth A. wrote:

> OK, enough rambling, but I don't see that a public ISP will be any different
> than this state-run ISP. The end users are responsible for their actions.
> As a state entity, we have a slight advantage in that we can do end user
> education on a regular basis, but that doesn't seem to make a difference....

You wouldn't accept BGP routes from them advertising entities outside of their scope of responsibility; accepting sourced traffic under the same provisions isn't a big leap.
You wouldn't let them put in CSU/DSUs that locked the one at your end of the circuit; allowing them to connect routers that don't protect your backbone isn't a big leap.

There is absolutely no legitimate reason for any ISP to let a customer generate packets sourced from anything other than (a) their address space or (b) a multicast group. Connectivity requirements are fairly easy- just like not accepting IPX or AT from the customer is pretty easy. Service providers could *easily* mandate this for connectivity.

I'd be willing to try to dig up the code to re-spin up our anti-spoofing test tool if we could get the bulk of providers to mandate this as a connectivity requirement- then providers could get customers to prove they'd filtered correctly.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts@patriot.net      which may have no basis whatsoever in fact."

-
[To unsubscribe, send mail to majordomo@lists.gnac.net with
"unsubscribe firewalls" in the body of the message.]
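The filter Paul describes (accept a customer's packets only if they are sourced from the customer's own address space) is what RFC 2827 / BCP 38 calls ingress filtering, and the "prove you filtered" idea is a probe that sends forged-source packets and checks whether any leak. The block below is an added example written for this page, not Paul's tool or any provider's code. The prefixes, probe packets and ACL number are constructed for illustration; point (b) in the message is read here as multicast-destined traffic, whose unicast source is still checked like any other, while a multicast address as a *source* is never accepted.

```python
"""
Ingress (source-address) filtering for one customer link, BCP 38 style,
plus a small anti-spoofing probe that reports whether the filter is correct.

Everything below (prefixes, probe packets, ACL number) is constructed for
this example; it is not a real allocation or a real provider's policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical allocation: the ISP assigned this customer two prefixes.
CUSTOMER_PREFIXES = ["203.0.113.0/24", "198.51.100.128/25"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def source_is_valid(pkt: Packet, prefixes: List[str]) -> bool:
    """Accept a packet arriving on the customer-facing interface only if its
    source lies inside the customer's assigned space.  A multicast destination
    does not exempt the packet: its unicast source gets the same test.
    A multicast address can never be a legitimate source."""
    src = ipaddress.ip_address(pkt.src)
    if src.is_multicast:
        return False
    return any(src in ipaddress.ip_network(p) for p in prefixes)


def ios_acl(prefixes: List[str], number: int = 101) -> List[str]:
    """Render the same policy as a Cisco IOS extended ACL: permit the
    customer's space as source, deny and log everything else.  Apply it
    inbound on the customer interface (ip access-group <number> in)."""
    lines = []
    for p in prefixes:
        net = ipaddress.ip_network(p)
        lines.append(
            f"access-list {number} permit ip {net.network_address} {net.hostmask} any"
        )
    lines.append(f"access-list {number} deny ip any any log")
    return lines


# Probe set in the spirit of the anti-spoofing test tool: (name, packet,
# should_pass).  Sources are constructed; 192.0.2.x stands in for the ISP.
PROBES: List[Tuple[str, Packet, bool]] = [
    ("legit",               Packet("203.0.113.10",   "192.0.2.1"), True),
    ("legit-multicast-dst", Packet("198.51.100.200", "224.0.0.9"), True),
    ("other-customer",      Packet("198.51.100.5",   "192.0.2.1"), False),
    ("bogon",               Packet("10.9.8.7",       "192.0.2.1"), False),
    ("backbone-router",     Packet("192.0.2.254",    "192.0.2.1"), False),
    ("multicast-src",       Packet("224.0.0.9",      "192.0.2.1"), False),
]


def run_probes(prefixes: List[str], probes=PROBES) -> Tuple[List[str], List[str]]:
    """Evaluate every probe against the filter.  Returns two lists of probe
    names: forged-source packets that leaked through, and legitimate packets
    that were wrongly blocked.  ([], []) is the customer's proof of a correct
    filter; anything in the first list is a spoofing hole, anything in the
    second is an outage waiting to happen."""
    leaked, blocked_legit = [], []
    for name, pkt, should_pass in probes:
        passed = source_is_valid(pkt, prefixes)
        if passed and not should_pass:
            leaked.append(name)
        elif should_pass and not passed:
            blocked_legit.append(name)
    return leaked, blocked_legit


if __name__ == "__main__":
    print("\n".join(ios_acl(CUSTOMER_PREFIXES)))
    print("correct filter  :", run_probes(CUSTOMER_PREFIXES))
    # A sloppy filter that permits the whole /24 instead of the customer's /25
    # lets a neighbouring customer's address out.
    print("too-wide filter :", run_probes(["198.51.100.0/24"]))
```

The generated ACL is the explicit form of the rule; on IOS of that era the same effect on a single-homed customer interface is also available with `ip verify unicast reverse-path` (strict uRPF), which drops any packet whose source would not be routed back out the interface it arrived on. The probe harness is what the provider would ask the customer to run (or run from the far side of the link): every forged source must be dropped and every real one must pass, and the two failure lists tell you which direction the filter is wrong in.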