Re: New addresses for b.root-servers.net
Matt Corallo wrote:

>> As PKI, including DNSSEC, is subject to MitM attacks, is not cryptographically secure, does not provide end to end security and is not actually workable, why do you bother?
>
> It sounds like you think nothing is workable, we simply cannot make anything secure

If an end and another end directly share a secret key without involving untrustworthy trusted third parties, the ends are secure end to end.

> - if we should give up on WebPKI (and all its faults) and DNSSEC (and all its faults) and RPKI (and all its faults), what do we have left?

An untrustworthy but lightweight and inexpensive (or free) PKI may be worth its price and may be useful to make IP address based security a little better.

Masataka Ohta
Re: New addresses for b.root-servers.net
On 6/20/23 10:20 PM, Masataka Ohta wrote:

> Matt Corallo wrote:
>
>>> So, let's recognize ISPs as trusted authorities and we are reasonably safe without excessive cost to support DNSSEC with all the untrustworthy hypes of HSMs and four-eyes principle.
>>
>> I think this list probably has a few things to say about "ISPs as trusted authorities"
>
> I'm afraid you miss the point. My point is that trusted third parties of CAs including DNSSEC providers are at least as untrustworthy as ISPs.
>
>> - is everyone on this list already announcing and enforcing an exact ASPA policy (or BGPSec or so) and ensuring the full path for each packet they send is secure and robust to ensure it gets to its proper destination?
>
> I'm afraid that is a hype as bad as HSMs and four-eyes principle.
>
>> Somehow I don't think this model is workable,
>
> As PKI, including DNSSEC, is subject to MitM attacks, is not cryptographically secure, does not provide end to end security and is not actually workable, why do you bother?

It sounds like you think nothing is workable, we simply cannot make anything secure - if we should give up on WebPKI (and all its faults) and DNSSEC (and all its faults) and RPKI (and all its faults), what do we have left?

Indeed, all of those things suck, they have had major hacks, minor hacks, and protocol design issues for years (okay, RPKI less so, but it's newer, give it time), but what alternative do we have? I'd rather we use the tools we have, in all their faults, than not bother building any security on the internet :)

Matt
Re: New addresses for b.root-servers.net
Matt Corallo wrote:

>> So, let's recognize ISPs as trusted authorities and we are reasonably safe without excessive cost to support DNSSEC with all the untrustworthy hypes of HSMs and four-eyes principle.
>
> I think this list probably has a few things to say about "ISPs as trusted authorities"

I'm afraid you miss the point. My point is that trusted third parties of CAs including DNSSEC providers are at least as untrustworthy as ISPs.

> - is everyone on this list already announcing and enforcing an exact ASPA policy (or BGPSec or so) and ensuring the full path for each packet they send is secure and robust to ensure it gets to its proper destination?

I'm afraid that is a hype as bad as HSMs and four-eyes principle.

> Somehow I don't think this model is workable,

As PKI, including DNSSEC, is subject to MitM attacks, is not cryptographically secure, does not provide end to end security and is not actually workable, why do you bother?

Masataka Ohta
Re: New addresses for b.root-servers.net
On 6/19/23 8:08 PM, Masataka Ohta wrote:

> Matt Corallo wrote:
>
>> This is totally unrelated to the question at hand. There wasn't a question about whether a user relying on trusted authorities can maybe be whacked by said trusted authorities (though there's been a ton of work in this space, most notably requiring CT these days),
>
> So, let's recognize ISPs as trusted authorities and we are reasonably safe without excessive cost to support DNSSEC with all the untrustworthy hypes of HSMs and four-eyes principle.

I think this list probably has a few things to say about "ISPs as trusted authorities" - is everyone on this list already announcing and enforcing an exact ASPA policy (or BGPSec or so) and ensuring the full path for each packet they send is secure and robust to ensure it gets to its proper destination?

Somehow I don't think this model is workable, but what do I know, I was just responding to someone on this list who mentioned it was dumb to rely on IP destination as being secure :)

Matt
Re: FCC Chair Rosenworcel Proposes to Investigate Impact of Data Caps
On 6/20/23 16:09, sro...@ronan-online.com wrote:

> Or the investment to upgrade doesn’t make financial sense.

It never makes sense if you are printing money with no competition.

Mark.
Re: FCC Chair Rosenworcel Proposes to Investigate Impact of Data Caps
Or the investment to upgrade doesn’t make financial sense.

> On Jun 20, 2023, at 9:54 AM, Mark Tinka wrote:
>
>> On 6/20/23 15:20, Mike Hammett wrote:
>>
>> Sometimes yes, sometimes no.
>>
>> When you go down in density, your fixed cost per customer really escalates and you simply can't afford to provision as much as you'd like to. When you leave glass as a transport mechanism, scaling isn't easy. When you don't have a wireline to the customer prem, scaling isn't easy.
>>
>> You might have a licensed backhaul going 10 - 20 miles to feed a remote cluster of customers (be it wireless, copper, coax, or glass as the last mile). Those are more or less limited to about 1.5 gb/s. Spectrum availability can reduce that. You can sometimes stack them, but again, spectrum availability would be king in that decision.
>>
>> You might have fixed wireless as the last mile. We're starting to see platforms capable of multi-hundred megabit per customer with a sector capacity of low gigabits, but again, spectrum availability comes into play here. Those solutions require line of sight (or close to it) and only go a few miles. The systems that can penetrate foliage really cut your per-sector capacity to around 100 megabit, shared amongst all customers. Those are simply limitations of physics.
>>
>> When you don't have the benefits of scale, the only viable path forward in a managed setting is usage-based billing, with some amount of included data.
>
> We are saying the same thing re: mobile (when I say mobile I mean wireless) providers. Because spectrum is a limitation, capped services make sense.
>
> When I say "fixed line", I mean end-to-end, i.e., from CPE to nearest ISP PoP, all on wire. In such a case, if an operator is still offering a capped service, it is because they have no incentive (competition) to do otherwise.
>
> Mark.
Re: FCC Chair Rosenworcel Proposes to Investigate Impact of Data Caps
On 6/20/23 15:20, Mike Hammett wrote:

> Sometimes yes, sometimes no.
>
> When you go down in density, your fixed cost per customer really escalates and you simply can't afford to provision as much as you'd like to. When you leave glass as a transport mechanism, scaling isn't easy. When you don't have a wireline to the customer prem, scaling isn't easy.
>
> You might have a licensed backhaul going 10 - 20 miles to feed a remote cluster of customers (be it wireless, copper, coax, or glass as the last mile). Those are more or less limited to about 1.5 gb/s. Spectrum availability can reduce that. You can sometimes stack them, but again, spectrum availability would be king in that decision.
>
> You might have fixed wireless as the last mile. We're starting to see platforms capable of multi-hundred megabit per customer with a sector capacity of low gigabits, but again, spectrum availability comes into play here. Those solutions require line of sight (or close to it) and only go a few miles. The systems that can penetrate foliage really cut your per-sector capacity to around 100 megabit, shared amongst all customers. Those are simply limitations of physics.
>
> When you don't have the benefits of scale, the only viable path forward in a managed setting is usage-based billing, with some amount of included data.

We are saying the same thing re: mobile (when I say mobile I mean wireless) providers. Because spectrum is a limitation, capped services make sense.

When I say "fixed line", I mean end-to-end, i.e., from CPE to nearest ISP PoP, all on wire. In such a case, if an operator is still offering a capped service, it is because they have no incentive (competition) to do otherwise.

Mark.
Re: FCC Chair Rosenworcel Proposes to Investigate Impact of Data Caps
Sometimes yes, sometimes no.

When you go down in density, your fixed cost per customer really escalates and you simply can't afford to provision as much as you'd like to. When you leave glass as a transport mechanism, scaling isn't easy. When you don't have a wireline to the customer prem, scaling isn't easy.

You might have a licensed backhaul going 10 - 20 miles to feed a remote cluster of customers (be it wireless, copper, coax, or glass as the last mile). Those are more or less limited to about 1.5 gb/s. Spectrum availability can reduce that. You can sometimes stack them, but again, spectrum availability would be king in that decision.

You might have fixed wireless as the last mile. We're starting to see platforms capable of multi-hundred megabit per customer with a sector capacity of low gigabits, but again, spectrum availability comes into play here. Those solutions require line of sight (or close to it) and only go a few miles. The systems that can penetrate foliage really cut your per-sector capacity to around 100 megabit, shared amongst all customers. Those are simply limitations of physics.

When you don't have the benefits of scale, the only viable path forward in a managed setting is usage-based billing, with some amount of included data.

-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com
Midwest-IX
http://www.midwest-ix.com

- Original Message -
From: "Mark Tinka"
To: "Mike Hammett"
Cc: nanog@nanog.org, "Josh Luthman"
Sent: Tuesday, June 20, 2023 12:44:54 AM
Subject: Re: FCC Chair Rosenworcel Proposes to Investigate Impact of Data Caps

On 6/19/23 14:56, Mike Hammett wrote:

> You're assuming that an uncapped service is viable to offer. In many areas, it is. In many areas, it is not.

It is viable for mobile services, even though I think mobile operators have taken the model a little too far. But for fixed line services, it is mainly used to print free money, or limit investment in the network.

I'm okay with either model an operator chooses to take, because until someone else comes along to break capped services on fixed line, there isn't much anyone can do about it.

Mark.