There’s a tension between network neutrality – essentially the principle that a network should be a dumb pipe that treats every packet alike – and network security, which may require some packets to be dropped to protect either the network or its users. Some current attacks simply can’t be dealt with by devices at the edge of the network: if a denial of service attack is filling your access link with junk then nothing you do at the far end of that link can help. Other security threats, such as phishing websites, could in theory be dealt with separately at every endpoint but it’s much more efficient, and less error-prone, to do it in a smaller number of more central locations. Attacks involving address forgery can only be detected at points within the network where it’s apparent that the traffic is coming from somewhere it shouldn’t be.
Fortunately the draft Open Internet Regulation that has just been agreed by the European Parliament, Commission and Council seems to recognise the need for a balance. The Regulation’s aim is “to safeguard equal and non-discriminatory treatment of traffic in the provision of internet access services” (Article 1(1)), but recital 9aa recognises that exceptions may be required “to protect the integrity and security of the network, for instance in preventing cyber-attacks through the spread of malicious software or end-users’ identity theft through spyware”. Article 3(3)(b) therefore permits a network provider to “block, slow down, alter, restrict, interfere with, degrade or discriminate between specific content, applications or services, or specific categories thereof” where this is necessary to “preserve the integrity and security of the network, services provided via this network, and the end-users’ terminal equipment”.
The Regulation raises one interesting issue, by saying that such restrictions are only permitted “for as long as necessary”. That might suggest that security controls should only be turned on after an attack has been detected. For attacks that vary, including many denial of service attacks, that’s probably right: until the attack starts you don’t know which traffic needs to be blocked. However, for things that are always bad, like address forgery and phishing pages, it may be more effective to use a permanent, relatively dumb, filter that can stop the first bad packets too. A permanent filter may also involve less processing of personal data (as required by Article 3(4)) as it doesn’t need to inspect traffic to determine when it needs to turn itself on.
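As an added illustration of the two filter styles contrasted above (example code, not from the original post or from Janet): a permanent, stateless source-address check that reads only a header field and can drop a forged packet on first sight, beside a volume-triggered filter that is only active while a flood is observed and so necessarily passes its first packets. The port names, prefixes and packet list are constructed sample values.

```python
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed sample: source prefixes that can legitimately arrive on each
# ingress port (a real deployment would derive this from routing/customer data).
EXPECTED_SOURCES = {
    "port1": [ip_network("192.0.2.0/24")],
    "port2": [ip_network("198.51.100.0/24"), ip_network("2001:db8::/32")],
}

# Constructed sample traffic: (ingress_port, source_address, arrival_time_s).
SAMPLE_PACKETS = [
    ("port1", "192.0.2.10", 0.0),
    ("port1", "203.0.113.7", 0.1),      # source that cannot be behind port1
    ("port2", "2001:db8::1", 0.2),
    ("port1", "not-an-address", 0.3),   # malformed header field
]

def source_is_valid(ingress_port, src):
    """Permanent, stateless filter for traffic that is always bad: only the
    source header field is read, payload is never inspected, and the first
    forged packet is dropped since no attack has to be observed first."""
    try:
        addr = ip_address(src)
    except ValueError:
        return False  # unparseable source: drop rather than guess
    return any(addr in net for net in EXPECTED_SOURCES.get(ingress_port, []))

def permanent_filter_results(packets):
    """Per-packet verdicts (True = forwarded) from the permanent filter."""
    return [source_is_valid(port, src) for port, src, _ in packets]

class AdaptiveFilter:
    """Volume-triggered filter for attacks that vary (e.g. many DoS floods):
    it drops only while more than `threshold` packets arrived in the last
    `window` seconds, so it must let a flood's first packets through."""
    def __init__(self, threshold, window):
        self.threshold, self.window = threshold, window
        self.seen = deque()  # arrival times still inside the window

    def allow(self, now):
        self.seen.append(now)
        while self.seen and self.seen[0] <= now - self.window:
            self.seen.popleft()
        return len(self.seen) <= self.threshold

def adaptive_filter_results(arrival_times, threshold=3, window=1.0):
    """Per-packet verdicts for a burst of arrival times (seconds)."""
    f = AdaptiveFilter(threshold, window)
    return [f.allow(t) for t in arrival_times]
```

Running the sample packets through the permanent filter drops the forged and malformed sources immediately, while the adaptive filter passes the first three packets of a burst, drops the rest, and switches itself off again once the burst has subsided.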
Janet and other private networks aren’t formally covered by the draft Regulation but, as the Janet Security Policy makes clear, neutrality is even more important for us as it’s essential for the research and innovative uses that are the reason for having the network. Even so, sometimes we do need to install limited restrictions (e.g. last year on NTP packets used for denial of service attacks) to protect the network or its customers. So it’ll be interesting to see how national regulators strike the required balance between network openness and network security.