*BSD News Article 65612

Path: euryale.cc.adfa.oz.au!newshost.anu.edu.au!harbinger.cc.monash.edu.au!news.rmit.EDU.AU!news.unimelb.EDU.AU!munnari.OZ.AU!spool.mu.edu!news.nd.edu!chi-news.cic.net!hookup!uwm.edu!vixen.cso.uiuc.edu!newsfeed.internetmci.com!sgigate.sgi.com!sdd.hp.com!bone.think.com!blanket.mitre.org!sed.psrw.com!psinntp!psinntp!psinntp!psinntp!cmcl2!newsserv.cs.sunysb.edu!sayre
From: sayre@cs.sunysb.edu (Johannes Sayre)
Newsgroups: comp.protocols.tcp-ip,comp.unix.bsd.misc,comp.unix.bsd.netbsd.misc,comp.unix.bsd.freebsd.misc,comp.unix.osf.misc,comp.unix.sco.misc,comp.security.firewalls,comp.unix.admin,comp.org.usenix,comp.org.uniforum,comp.dcom.net-management,comp.os.ms-windows.networking.tcp-ip,comp.os.netware.misc,comp.os.os2.networking.tcp-ip,alt.dcom.telecom
Subject: Communications Decency Act may corrupt protocols
Date: 11 Apr 1996 05:47:18 GMT
Organization: State University of New York at Stony Brook (guest)
Lines: 291
Message-ID: <4ki6d6$ln7@newsserv.cs.sunysb.edu>
NNTP-Posting-Host: sbpub4.cs.sunysb.edu
Xref: euryale.cc.adfa.oz.au comp.protocols.tcp-ip:43702 comp.unix.bsd.misc:693 comp.unix.bsd.netbsd.misc:2888 comp.unix.bsd.freebsd.misc:17091 comp.unix.osf.misc:3009 comp.unix.sco.misc:16083 comp.security.firewalls:1945 comp.unix.admin:40503 comp.org.usenix:5504 comp.org.uniforum:526 comp.dcom.net-management:2387 comp.os.ms-windows.networking.tcp-ip:21952 comp.os.netware.misc:23805 comp.os.os2.networking.tcp-ip:47669 alt.dcom.telecom:16670


The attached text describes an absolutely outrageous disgrace.

I'm posting it to the large number of newsgroups above because it has direct
practical relevance for sysadmins and developers, and more generally because
it proposes an outrageous impingement on our computing environment
by know-nothings who would sacrifice that environment in pursuit of their
non-computing related, partisan political agendas.  There are practicalities
and principles at stake here.  I will gladly respond to complaints that this
posting is spam.

In pursuit of ways to enforce the recently enacted Communications Decency
Act, which seeks to control indecent expression on the Internet and is
currently under legal challenge as unconstitutional, the U.S. Department
of Justice is apparently considering recommending that ALL packet traffic
on the Internet contain a bit or flag of some kind indicating its "decency"
status - it would be _integrated into the protocol architecture at the network
level_.

No, this is not a joke.  This idea was bandied about when the CDA first
appeared on the scene, generally by less clueful users.  Now apparently,
the DoJ is seriously considering this idea.

The essence of this is that U.S. government content control legislation, which
to top it off is currently under attack as unconstitutional infringement
of freedom of expression, would attain physical form as a construct at the
most fundamental layers of the nascent international information
infrastructure.

This is an outrage and a disgrace.

At the most basic level, it is outrageous that the government would
contemplate forcing the technical community to pay attention to the
moralizing legislation of a sectarian political faction, and would have
the gall to propose that government censorship be instantiated in basic
network architecture.  This is more reminiscent of a banana republic or
a second-rate East-bloc nation with a tinpot dictator who goes looking
for ego gratification at the national university ("it's the 'Fuehrer' bit")
than the purported leader of humanity and the community of nations.

It is sadly telling that the U.S. government would consider triggering the
embedding of U.S. content legislation into protocols which are used worldwide.

And it is utterly disgraceful that the same bureaucracy which spent millions
of your and my tax dollars to such good effect, and bought the labor of
thousands to turn out such outstanding creations as the internetworking
protocol suites, which succeeded and surpassed commercial efforts precisely
because they were _not_ designs compromised by political agendas, of whatever
flavor, should now choose to blithely propose that those protocols now add
functionality to recognize the misguided social legislation of the day.
Government is blundering about as it seeks to define its role with respect
to the Internet, but this is pathetic.  It brings to mind the stereotype
of self-justifying administration - without enough to do, without the
background to do it, but proceeding onwards as a matter of course, for who
would raise the notion that they are _not_ in fact suited to administer
something.

A few notes:  the CDA was driven by religious and social conservatives
in Congress and the general public, such as Ed Meese, Phyllis Schlafly,
the Christian Coalition.  Most of the bipartisan majority who voted for it
had no clue, either about the net, or about the particulars of the
legislation which make it patently unconstitutional.  The effort was
driven by social conservatives seeking to control expression on new
telecommunications media under the banner of protecting children from
pornography and preventing child pornography.  Once the legislation passed,
the Justice Department, an arm of the Clinton administration, was bound
to attempt to implement ways of enforcing it.  Clinton has been cautiously
critical of the CDA; DoJ has been mealy-mouthed since it can't come to terms
with squeals from the right that this is the only way to protect children
from online smut.  DoJ's proposing of this particular harebrained scheme
looks like a fine example of mindless bureaucracy cheerily tromping on areas
outside its purview.  But don't let anyone mislead you that anyone but social
conservatives and the Religious Right have been driving this legislation.

For more info, step over to comp.org.eff.talk for a moment, and scan for
articles from EFF and CDT, among others.  They will contain URLs and other
pointers to information about the CDA and the current efforts to repeal it.
(The text below originated from testimony in one of the hearings currently
going on.)

If you are in a position to influence policy, in your company, or in a body
which determines protocol architecture or network design, please keep a
watch on this issue.  Raise awareness among your colleagues of the proposed
intrusion of sectarian politics into protocol design.  Take control and
establish that this is a farcical intrusion of government into technical
activity which is far more important than the transient scratchings in the
dirt of repressive ignorami, in and out of government.  This needs to be
made dead at birth.

Please redistribute this information as appropriate.  My intention was to
make the technical community aware of this issue, since we will be the ones
most directly affected by it.

I am not affiliated with any of the groups involved with the CDA & related
issues, just an outraged net user and computer person.

----------

From: declan+@CMU.EDU (Declan B. McCullagh)
Newsgroups: comp.org.eff.talk
Subject: FC: Enforcing the CDA improperly may pervert Internet architecture
Date: 8 Apr 1996 23:54:03 -0700
Message-ID: <klOUXLW00YUv5Ys34v@andrew.cmu.edu.829032840>

The attached paper by Dr. Reed is worth reading -- I haven't seen this
argument raised before. One portion that I found fascinating was:

  "It is quite silly to imagine that the Ascend router at the ISP can
  figure out if it is me or my child generating each packet."

But that's exactly what the defenders of the CDA are claiming! Here's
some background that might be interesting:

When I was arguing with Bruce Taylor (an architect of the CDA) last
week, we went 'round and 'round on the issue of children on the Net, as
usual. He maintained that every Internet user has to have an account
somewhere, so that account provider is able to tag accounts as minor or adult.

To the best of my ability, I pointed out some of the technical problems
with this, and he responded (I paraphrase from memory here) that
technical problems can be solved by technical people: "Your side comes
across to the court as saying that it can be done but we won't do it.
You're a bunch of geeks who want to protect their porn and the court
isn't going to buy it."

He brought up IP Version 6, which the DoJ has focused on in
cross-examination of one of our witnesses, Scott Bradner from the IETF:

    13           Q   Would it be fair to say, to summarize what you've just
    14           said, that the IP Next Generation group is working on a new
    15           generation of the IP Protocol itself?
    16           A   That is correct.
    17           Q   Does it have -- does the IP Next Generation group have
    18           recommendations regarding a specific architecture of the
    19           packet traffic on the Internet, including the format of the
    20           packet?

The DoJ and Taylor are going to argue that IP V6 can include such an
adult/minor tag in each datagram! One of their key witnesses is Dan
Olsen, the head of the computer science department at Brigham Young
University and the incoming director of the Human Computer Interaction
Institute at CMU.

Olsen's background is NOT in distributed computing environments and
protocol design -- but that minor detail notwithstanding, it looks like
he'll be testifying this Friday that such a tagging scheme is
technically possible.

Chris Hansen from the ACLU told me last Friday: "Olsen is going to push
this tagging idea that the government has, that you can embed in your
tag -- in your address -- an adult or minor tag. They're going to
suggest that the market will come into existence that will make that
tagging relevant."

Comments?

-Declan

---------------------------------------------------------------------------

  Enforcing the CDA Improperly May Pervert Internet Architecture
  
   by David P. Reed
   
   Friends -
   
   I'd like to call your attention to a situation where misguided
   politics (of the "ends-justify-means" sort) threatens one of the
   fundamental principles of Internet architecture, in a way that seems
   like a slippery slope. I do not normally take public stands of a
   political nature, and I do not participate much in Internet
   architecture anymore, but I'd like to call your attention to a very
   severe perversion of the Internet architectural philosophy that is
   being carried out in the name of political and commercial expediency.
   No matter what you believe about the issues raised by the
   Communications Decency Act, I expect that you will agree that the
   mechanism to carry out such a discussion or implement a resolution is
   in the agreements and protocols between end users of the network, not
   in the groups that design and deploy the internal routers and
   protocols that they implement. I hope you will join in and make
   suggestions as to the appropriate process to use to discourage the use
   of inappropriate architectural changes to the fundamental routing
   architecture of the net to achieve political policy goals.
   
   As you know, I am one of the authors, along with Saltzer and Clark, of
   the paper "End-to-end arguments in decentralized computer systems",
   which first characterized in writing the primary approach to the
   Internet's architecture since it was conceived, which approach
   arguably has been one of the reasons for its exponential growth. This
   philosophy - avoid building special functionality into the net
   internals solely to enforce an end-to-end policy - has led to the
   simplicity, low cost, and radical scalability of the Internet. One of
   the consequences is that IP routers do not enforce policies on a
   packet-by-packet basis, so routers can be extremely simple beasts,
   compared to the complex beasts that characterize even the simplest
   telephone central office switch. End-to-end policies are implemented
   by intelligence at the ends (today, the PCs and servers that
   communicate over the many consolidated networks that make up the
   Internet).
   
   I just read in Inter@ctive Week (March 25, 1996) that Livingston plans
   to announce an "Exon box" - a router that is designed to enable ISPs
   to restrict access to "indecent sites" or unrated sites unless an
   "adult" enters an authorization code when opening a session to enable
   the router to transmit packets to the site.
   
   The scam seems to be that Livingston has colluded with Senator Exon's
   staff to propose a "solution" to enable ISPs to implement parental
   controls. Exon's staff is using the announced solution as an example
   to demonstrate how simply ISPs can enforce local community standards
   and parental controls, thus supporting interpretations of the CDA
   requiring all access providers to include such capability in their
   boxes. Exon's staff is quoted as encouraging ISPs to install such
   functionality into the routers that serve as access points for nets.
   
   Since I use an Ascend P50 ISDN router to make frequent, short,
   bandwidth-on-demand ISDN connections from my "Family LAN" to an Ascend
   multi-line ISDN router at my commercial Internet Service Provider, I
   am worried that this model is completely unworkable for me, and for
   others that will eventually use such a practical system. My family has
   minor children and adults who all happily access the Internet. My ISP
   has no clue whatsoever whether a child or adult has initiated the
   call, and in fact, if my child and I are both on different computers
   in different rooms, it is quite silly to imagine that the Ascend
   router at the ISP can figure out if it is me or my child generating
   each packet.
   
   It is appalling to me that Livingston, which has some responsibility
   as a router provider to assist in the orderly growth of the net, is
   pandering to Exon's complete misunderstanding of how the Internet is
   built. I would hope that Ascend, with its much larger share of the ISP
   market, and other router companies such as Cisco and Bay Networks,
   would take a principled and likely popular position that the "Exon
   box" is not the way to go about this. I would hope that ISPs would in
   general avoid use of Livingston's products, and also refuse to cave
   in to Exon's pressure. I believe, though I may be wrong, that
   Livingston has contributed to the RADIUS technology that many ISPs
   use to manage dialup access charging in a way that is consistent with
   the end-to-end philosophy, but any credit they are due is overwhelmed
   by the Exon box insanity.
   
   I do work to protect my children from inappropriate material, but
   pressure from Senators to mandate technically flawed solutions, and
   opportunistic, poorly thought-through technologies from companies like
   Livingston are not helpful.
   
   If you agree, please join me in attempting to call off any tendency
   for other router vendors and protocol designers to develop Exon box
   features. It would seem that the appropriate place for content
   restrictions, such as "parental controls", are in the end-to-end
   agreements between content providers and their users, not in the
   internal switching architecture of the net.
   
   - David P. Reed
   
   Notes: The end-to-end paper was edited and republished in several
   forms (with slight variations in title), generalizing its observations
   to systems beyond the distributed systems that were its original
   focus; the final and most accessible one is: Saltzer, J.H., D.P. Reed,
   and D.D. Clark, End-To-End Arguments in System Design. ACM
   Transactions on Computer Systems, 1984. 2(4) p. 277-288.
   
   I don't have any more details on Livingston's technology or its
   marketing plans than what was presented in Inter@ctive Week. The
   Inter@ctive Week article apparently based its information on 'sources'
   describing a planned announcement, and also quoted Exon's staff. It is
   possible that Livingston will choose not to announce or position its
   technology in this form. It seems less likely that Exon's staff will
   change its position on forcing ISPs to adopt some kind of
   technological solution, however.
   - David
   
   [After considering Dr. Reed's comments, I asked him whether he objects
   to firewalls in general. His reply:
   
   No, I think firewalls of the sort now deployed can be OK (e.g., packet
   filters), as a minimal line of defense. However, they are inherently
   flawed, in ways that are well understood (reading Cheswick and
   Bellovin gives good insight here). Most security threats ultimately
   require end-to-end policies and must be implemented with end-to-end
   solutions. As the paper points out, sometimes one can optimize cost of
   implementing an end-to-end solution by including some functionality
   that is not end-to-end. Firewalls may reduce the cost.
   
   --CEL]