On 05/31/2013 12:36 AM, S. Dale Morrey wrote:
> I should clarify that the real risk is this data leaving Colorado. A point
> to point connection isn't feasible, the data needs to traverse the
> internet, but do so only within the state of Colorado. If it crosses
> state lines it becomes a legal issue, not a technical one. Think about the
> way courts treat internet gambling (i.e. it falls under federal
> jurisdiction because the data crosses state lines even if both parties are
> in the same state). This gives you an idea of the reasoning, but no, it's
> not gambling.

To do something like this would require the cooperation of every router
in between, or IP source routing. Source routing is out, as it's been a
security concern from almost the beginning, and most every router has
source routing turned off by default. So you are going to have to deal
with cooperation of every router in between.

Point-to-point leased lines would seem easiest, but the truth of the
matter is, you have absolutely no control over anything but last mile.
Telcos route the packets every which way across their network depending
on tariffs, contracts, load, prevailing weather patterns, whim, etc.

You might think a telco would be sane enough to use the shortest linear
distance between two points. I'll offer two counter examples.

At the turn of the century, MCI/Worldcom was routing calls from one end
of the US to the other through Canada, even though it was a more
expensive route overall. Why? Because the connection fees charged for
routing through local telcos along the way were charged to the last
network holding the call before it crossed international borders. So
MCI routed calls through Canada, and left AT&T holding the bag. AT&T
sued, and they eventually settled.

Second example. When I do a traceroute from my home connection on
Spanish Fork Community Network to BYU campus (a linear distance of 14
miles), my packets route through San Jose; a much longer route, though
there is a faster and shorter option available to route through. Why?
At one point there wasn't a shorter network path. Eventually a shorter
path became available as each network added more multi-homed
connections. But, when they tried to adjust their BGP route policies to
prefer the shorter route, one of the networks couldn't get it right,
resulting in an asynchronous path. Stateful firewalls don't like async
paths, and drop the packets. After a week of packets dropping at the
firewall, they both gave up and continued routing through San Jose.

If you were able to:

  * get every organization managing every router in between to agree to
    set the route policy to keep packets in-state,
  * and set their access control lists to drop any of your packets queued
    for an inter-state line,
  * and do continual trace routes to constantly verify the route stays in
    state
  * with a contingency of ceasing all sensitive traffic should the
    requirement not be met

then you have a chance of keeping things in-state. You might also try
microwave point-to-point connections, but you should verify that using
FCC controlled spectrum does not constitute traffic leaving the state.

Grazie,
Daniel Fussell
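
The continual route check and stop-traffic contingency from the list in the message above, as an added example that is not part of the original post. It assumes `traceroute -n` style text output and a hypothetical `IN_STATE_PREFIXES` allowlist that the operator has confirmed with each carrier; the addresses are documentation ranges, and a traceroute only shows the forward path.

```python
import ipaddress
import re

# Assumption: prefixes the operator has confirmed with each carrier as in-state.
# Documentation ranges (RFC 5737) stand in for real ones here.
IN_STATE_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("192.0.2.0/24", "198.51.100.0/24")]
HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def parse_hops(output):
    """Return [(hop_number, [unique ips])] from `traceroute -n` text."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if m:  # skips the "traceroute to ..." header and blank lines
            hops.append((int(m.group(1)),
                         list(dict.fromkeys(IP_RE.findall(m.group(2))))))
    return hops

def check_route(output):
    """Return (ok, problems). Fails closed: a silent hop cannot be verified."""
    hops = parse_hops(output)
    problems = [] if hops else ["no hops parsed"]
    for num, ips in hops:
        if not ips:
            problems.append(f"hop {num}: no reply, location unverified")
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in IN_STATE_PREFIXES):
                problems.append(f"hop {num}: {ip} outside in-state prefixes")
    return not problems, problems

# Constructed sample outputs (not captured from a real network).
GOOD = """traceroute to 198.51.100.20 (198.51.100.20), 30 hops max
 1  192.0.2.1  0.512 ms  0.498 ms  0.476 ms
 2  198.51.100.20  3.310 ms  3.295 ms  3.342 ms
"""
BAD = """traceroute to 198.51.100.20 (198.51.100.20), 30 hops max
 1  192.0.2.1  0.512 ms  0.498 ms  0.476 ms
 2  203.0.113.7  31.2 ms  192.0.2.254  2.1 ms  203.0.113.7  30.9 ms
 3  * * *
 4  198.51.100.20  3.310 ms  3.295 ms  3.342 ms
"""

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("BAD", BAD)):
        ok, problems = check_route(sample)
        print(name, "send" if ok else "HOLD sensitive traffic", problems)
```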