[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
more notes from last call iesg input and discussion
there is a difference between describing good security practice and
mandating technical and business processes which may not be universally
implementable, universally applicable, or particularly sensible.
the following are examples. as mo says, the problem is actually the
pervasive attitude. many of the examples would be much more reasonable
if phrased as advice, e.g. "standards for better email security are
evolving, see for example [rfcfoux rfcbarre]. it would be constructive
if isps kept abreast of these advances, tried to support them, and kept
their customer base aware of them and how to take advantage of them."
it is believed to be generally accepted practice that, until
vulnerabilities are closed, announcing them 'pomptly' is ill-advised.
yet, in the guise of good communication, we see the following:
When security incidents occur that affect components of an ISP's
infrastructure the ISP should promptly report to their customers
- who is coordinating response to the incident
- the vulnerability
- how service was affected
- what is being done to respond to the incident
- whether customer data may have been compromised
- what is being done to eliminate the vulnerability
- the expected schedule for response, assuming it can be
given the sadly high number of rotten apples in today's barrels, is the
following really wise?
Many ISPs have established procedures for notifying customers of
outages and service degradation. It is reasonable for the ISP to use
these channels for reporting security-related incidents. In such
cases, the customer's security point of contact might not be the
person notified. Rather, the normal point of contact will receive
the report. Customers should be aware of this and make sure to route
such notifications appropriately.
separation of vetted security channels is becoming more the norm. and
an isp may not want to tell non-vetted customers about vulnerabilities
and their exploitations.
Whether or not an ISP has a CSIRT, they should have a well-advertised
way to receive and handle reported incidents from their customers.
In addition, they should clearly document their capability to respond
to reported incidents ...
some wondered if this was requiring "dear crackers. we are not very
capable of responding to incidents [of type x]..."
Every ISP SHOULD have an Appropriate Use Policy (AUP).
An AUP should clearly identify what customers shall and shall not do
on the various components of a system or network, including the type
of traffic allowed on the networks. The AUP should be as explicit as
possible to avoid ambiguity or misunderstanding. For example, an AUP
might prohibit IP spoofing.
this seems to prescribe legal aspects of how an isp does business, and
at level of detail which one would only expect from paid council.
In addition to communicating their AUP to their customers ISPs should
publish their policy in a public place such as their web site so that
the community can be aware of what the ISP considers appropriate and
can know what action to expect in the event of inappropriate
do we really have the prerogative to tell an isp that and how they
should reveal the terms and conditions of their customer contracts?
Many jurisdictions have Data Protection Legislation. Where such
legislation applies, ISPs should consider the personal data they hold
and, if necessary, register themselves as Data Controllers and be
prepared to only use the data in accordance with the terms of the
this seems to assume pre-knowledge of local legislation. what if the
local legislagtion is about protecting information on what chocolate is
consumed, and not about personal data? this seems to specify *what*
subjects are protected by local legislation, and we can't really know
ISPs are commonly responsible for maintaining the data that is stored
in global repositories such as the Internet Routing Registry (IRR)
and the APNIC, InterNIC and RIPE databases. Updates to this data
should only be possible using strong authentication.
is "internic" the correct term these days?
some isps do not believe in the registries and do not choose to use
them. that is their prerogative. it actually seems to make them no
less stable than those which use registries and filtering. this may be
partially due to the data being less usable than advertised (routers
will not handle an acl the size of a tier-1's).
and not all registries support strong authentication. and even if they
did, do we have the prerogative to tell isps how to do business with
registries? yes, it might be a good idea. but this waxes overly-
ISPs should 'SWIP' (Shared WhoIs Project) the address space that they
assign to their customers so that there is more specific contact
information for the delegated space.
swip is an americanism. and a dying one (see distributed whois, which
An ISP's ability to route traffic to the correct destination depends
on routing policy as configured in the routing registries [RFC1786].
not necessarily. some really don't do it that way.
ISPs should also strongly encourage their customers to disable open
relaying on their mail servers. Sanctions for running an open mail
relay should be covered in an ISP's AUP.
there are knowledgable isp lawyers who seem not to support this advice.
it seems to have to do with it being hard to show that a customer
running an open relay directly damages the isp. that it incites net
vigilantes to write nastygrams to one;s management and noc may not be
any more evil than, e.g., a porn site (which we may not like, but may
not have the legal prerogative to proscribe).
"open mail relay" is sometimes a matter of degree; the language, as
written, seems to leave determination of whether or not my relay is open
up to the anti-spam crazies.