<html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> Hi Giuliano, <div class="moz-cite-prefix">On 4/11/17 11:07 AM, Giuliano Peritore wrote: </div> <blockquote cite="mid:13082374.35117.1491901644856.JavaMail.perit@PERNOC" type="cite"> <pre wrap="">Hi, in my (humble) opionion we've all to cooperate to preserve the "End-to-end" principle of "the" internet. Any middleware or filter *imposed* by SPs violates this principle. Indeed, a "rule" to fully disconnect a connection service because of compromised "things" would never be probably accepted by regulation. The internet has evolved till now because intelligence has migrated in the edges, outside the core network. The devices have to be secure, and security has to be implemented on the end point (CPEs ?, user protection devices ?, virual protection devices ?). Yes, it can be a security service given by customer's SP, but it *has* to be a security service which can be deactivated or activated by demand of the customer. The customer has to be able to buy a connection service *without* the protection service. </pre> </blockquote> I think there are two cases: <ol> <li>The consumer is creating a negative externality. Where does responsibility rest with remedying it (if anywhere)?</li> <li>The consumer is motivated to protect him- or herself.</li> </ol> These are not mutually exclusive, and it is possible that (2) will Trump (1) over time, where it hasn't in the past. A reasonable question for this group is how they view (1) and (2) in the context of provider policies and responsibilities. Based on that, what capabilities should CPE and PE devices have? And what further network management capabilities should they have? Going to your other point, preserving end-to-end doesn't mean that we can't throw breakers on unwanted communications where the network can easily detect them (say L3/L4 info), and where they are clearly understood to be unwanted. Is that of interest? Eliot </body> </html>