Re: [Nea] UPDATED: WG Review: Network Endpoint Assessment (nea)



no, my argument is that networks are less likely to impose draconian
policies on hosts if there is no standard interface by which they can
implement those draconian policies.

This flies in the face of 20 years of computing history. Customers want a solution, and vendors will supply one to them. If there is no standards-based solution, vendors will supply proprietary solutions. This goes for both desktop applications and networking protocols.

I've been involved in IETF for not quite 20 years now, and I've seen this argument a lot during that time. Some vendors want to standardize something that is demonstrably harmful, so as to increase the available market for such products - and the argument is made that IETF should help them do so because it's better if users have the choice of which vendor's products they can buy to hurt themselves. I don't buy it.


my argument is that standardization of NEA as it is currently understood (whether through IETF or as a vendor de facto standard) would be a bad thing for the Internet community because it would enable more networks to impose draconian policies that were harmful to users. IETF cannot really influence whether a particular vendor will be able to impose a proprietary standard on the market, but by choosing not to standardize NEA it could reduce the probability of having such a standard. since my belief is that any standard (whether an IETF standard or a de facto vendor standard) for NEA brings with it significant potential for harm, I argue that IETF should not encourage such standardization by chartering an NEA working group - at least until we understand how to construct a solution that has minimal potential to do such harm.

in short, standardization of a protocol is not a good thing if the protocol being standardized does more harm to users than good.
standardization of NEA would allow an access network to impose proprietary solutions on users for other protocols or applications, and would thereby _reduce_ the ability of users to choose the protocols or applications that best suited their needs.


The only way to guarantee a free and open network is to build it on
free and open standards.

yes. and an NEA standard would the ability of users to choose free and open standards for everything except NEA.


  Make no mistake, people *will* be deploying access controls for
their network.  The only choice in front of us now is whether those
controls are proprietary, or standards-based.

even if something like NEA is inevitable, it does not follow that IETF should encourage it. IETF should only encourage it if by encouraging it IETF can significantly reduce the potential for harm. merely having NEA be an IETF standard does not significantly reduce the potential for harm - concrete limitations in the NEA protocol are required to do that. for instance, if NEA were defined in such a way that the protocol was incapable of asking any questions of a host that were not themselves standardized, or were defined in such a way that there was no way for a host to sign its answers to questions (so that any host would be capable of lying). but I have a hard time seeing IETF defining NEA in that way.


I'm not saying that no networks
will do this (as some are already doing this), but I do think it's less
likely that networks in will do this  - particularly access networks as
opposed to enterprise networks.

I'm not sure any NEA variant will be applied to access networks.

yup. pretend it's not a problem, and maybe the problem will go away.

Keith

_______________________________________________
Nea mailing list
Nea at ietf.org
https://www1.ietf.org/mailman/listinfo/nea




Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.