Re: [AusNOG] Assistance and Access Bill moves to PJCIS

2018-11-23 Thread Paul Wilkins
Just this moment submitted my supplementary submission to PJCIS, the most
important point being that TCNs/TANs look to be able to meet the criteria
under 313(3)c and 280(1)(b) of the Telecommunications Act 1997, that would
allow Law Enforcement to demand access to carrier metadata streams. Mass
surveillance may not be the stated purpose of the legislation, but the
drafting certainly seems loose enough for a future government to establish
the machinery of a police state. The arguments are made in full in the
submission for anyone interested.

Now I think that exhausts my sense of civic purpose for the foreseeable
future.

Kind regards

Paul Wilkins


On Sat, 24 Nov 2018 at 12:17, Paul Wilkins  wrote:

> s/Fourth Amendment
>
> On Sat, 24 Nov 2018 at 12:15, Paul Wilkins wrote:
>
>> It's a very good question how, when anyone who knows what they're talking
>> about opposes the Bill as an effective and reasonable approach to fighting
>> terrorism and serious crime in the context of increasing use of encryption,
>> why is the Home Affairs Department foisting this ill considered and poorly
>> developed Bill on the Nation?
>>
>> I think partly it's cultural cringe. The NSA surveil their citizens, and
>> when ministers attend 5 Eyes conferences, they want to be just as macho.
>> But of course, the NSA have a clue, and they're resourced. It's still
>> dazzling that the NSA could have been in breach of the 1st Amendment for as
>> long as they were. In Australia we don't have a Bill of Rights, because
>> government has always observed the Westminster convention that we'll
>> respect the traditions of democracy - until they choose not to.
>>
>> It's not so important whether those pushing the Bill on us understand the
>> technical consequences. They're taking advice from people they trust.
>> Dutton comes from the Queensland Police, and Hastie, the PJCIS Chairman,
>> was a Dutton supporter in the rolling of Turnbull. It's the mandarins
>> within Home Affairs or the Police who are telling the government this is
>> within their capability. As far as I can see, the few submissions
>> supporting the Bill are from police organisations.
>>
>> I think we're beyond Dutton or Hastie caring if the Bill is good for the
>> nation. They're effectively riding a tiger where they've accused anyone
>> opposing the Bill to be weak on terrorism. So instead of a sensible public
>> discussion of how to enable legal intercept for encrypted communications,
>> we're getting the Liberal Trumpists using the Bill as a blunt object to
>> wedge Labor on terrorism and that's all that matters.
>>
>> Kind regards
>>
>> Paul Wilkins
>>
>>
>> On Fri, 23 Nov 2018 at 17:21, Mark Smith  wrote:
>>
>>>
>>>
>>> On Fri., 23 Nov. 2018, 16:46 Robert Hudson
>>>>
>>>> On Fri, 23 Nov 2018 at 14:47, Paul Brooks <pbrooks-aus...@layer10.com.au> wrote:
>>>>
>>>>> On 23/11/2018 11:37 AM, Alex Samad wrote:
>>>>> > Wondering what the implications of this bill and the recent China was stealing our
>>>>> > traffic
>>>>> >
>>>>> > So in theory could china steal / sniff our traffic and because of these weakening of
>>>>> > encryption allow china to snoop on our stuff
>>>>> >
>>>>> > A
>>>>> In theory no - this bill doesn't weaken encryption, and explicitly doesn't allow any
>>>>> changes that would weaken encryption.
>>>>>
>>>>
>>>> They say that - but I don't believe them.  I don't think they even
>>>> understand what they're suggesting (or if they do understand, they're
>>>> relying on others not understanding, or not caring).
>>>>
>>>>>
>>>>> This bill seeks to bypass encryption entirely by giving the agencies easier access to
>>>>> get into devices and the back-end databases of apps and websites, to see what is
>>>>> stored in there - bypassing unlock codes, PINs, thumbprint readers etc. on devices for
>>>>> example. So for traffic being sniffed 'in the middle' the information is still
>>>>> sent/received as fully encrypted - and man-in-the-middle snooper won't see anything.
>>>>> But if the authorities get hold of your phone or PC, they'll have easier access to
>>>>> look into your sent/received message stores and read what's in there, which is stored
>>>>> in your device un-encrypted.
>>>>>
>>>>
>>>> The tools the authorities have access to will invariably fall into the
>>>> hands of others.
>>>>
>>>
>>> Or be abused by those who have official access to them.
>>>
>>> "Queensland in court fight with domestic violence victim whose details
>>> leaked by policeman"
>>>
>>> https://www.theguardian.com/australia-news/2018/aug/21/queensland-in-court-fight-with-domestic-violence-victim-whose-details-leaked-by-policeman
>>>
>>> "NSA SEXINT IS THE ABUSE YOU’VE ALL BEEN WAITING FOR"
>>>
>>> http://cyberlaw.stanford.edu/blog/2013/11/nsa-sexint-abuse-you’ve-all-been-waiting
>>>
>>>>
>>>>> In practice, if they balls-up the change request given to the device
>>>>> manufacturer

Re: [AusNOG] Assistance and Access Bill moves to PJCIS

2018-11-23 Thread Paul Wilkins
s/Fourth Amendment

On Sat, 24 Nov 2018 at 12:15, Paul Wilkins  wrote:

> It's a very good question how, when anyone who knows what they're talking
> about opposes the Bill as an effective and reasonable approach to fighting
> terrorism and serious crime in the context of increasing use of encryption,
> why is the Home Affairs Department foisting this ill considered and poorly
> developed Bill on the Nation?
>
> I think partly it's cultural cringe. The NSA surveil their citizens, and
> when ministers attend 5 Eyes conferences, they want to be just as macho.
> But of course, the NSA have a clue, and they're resourced. It's still
> dazzling that the NSA could have been in breach of the 1st Amendment for as
> long as they were. In Australia we don't have a Bill of Rights, because
> government has always observed the Westminster convention that we'll
> respect the traditions of democracy - until they choose not to.
>
> It's not so important whether those pushing the Bill on us understand the
> technical consequences. They're taking advice from people they trust.
> Dutton comes from the Queensland Police, and Hastie, the PJCIS Chairman,
> was a Dutton supporter in the rolling of Turnbull. It's the mandarins
> within Home Affairs or the Police who are telling the government this is
> within their capability. As far as I can see, the few submissions
> supporting the Bill are from police organisations.
>
> I think we're beyond Dutton or Hastie caring if the Bill is good for the
> nation. They're effectively riding a tiger where they've accused anyone
> opposing the Bill to be weak on terrorism. So instead of a sensible public
> discussion of how to enable legal intercept for encrypted communications,
> we're getting the Liberal Trumpists using the Bill as a blunt object to
> wedge Labor on terrorism and that's all that matters.
>
> Kind regards
>
> Paul Wilkins
>
>
> On Fri, 23 Nov 2018 at 17:21, Mark Smith  wrote:
>
>>
>>
>> On Fri., 23 Nov. 2018, 16:46 Robert Hudson
>>>
>>> On Fri, 23 Nov 2018 at 14:47, Paul Brooks wrote:
>>>
>>>> On 23/11/2018 11:37 AM, Alex Samad wrote:
>>>> > Wondering what the implications of this bill and the recent China was stealing our
>>>> > traffic
>>>> >
>>>> > So in theory could china steal / sniff our traffic and because of these weakening of
>>>> > encryption allow china to snoop on our stuff
>>>> >
>>>> > A
>>>> In theory no - this bill doesn't weaken encryption, and explicitly doesn't allow any
>>>> changes that would weaken encryption.
>>>>
>>>
>>> They say that - but I don't believe them.  I don't think they even
>>> understand what they're suggesting (or if they do understand, they're
>>> relying on others not understanding, or not caring).
>>>
>>>>
>>>> This bill seeks to bypass encryption entirely by giving the agencies easier access to
>>>> get into devices and the back-end databases of apps and websites, to see what is
>>>> stored in there - bypassing unlock codes, PINs, thumbprint readers etc. on devices for
>>>> example. So for traffic being sniffed 'in the middle' the information is still
>>>> sent/received as fully encrypted - and man-in-the-middle snooper won't see anything.
>>>> But if the authorities get hold of your phone or PC, they'll have easier access to
>>>> look into your sent/received message stores and read what's in there, which is stored
>>>> in your device un-encrypted.
>>>>
>>>
>>> The tools the authorities have access to will invariably fall into the
>>> hands of others.
>>>
>>
>> Or be abused by those who have official access to them.
>>
>> "Queensland in court fight with domestic violence victim whose details
>> leaked by policeman"
>>
>> https://www.theguardian.com/australia-news/2018/aug/21/queensland-in-court-fight-with-domestic-violence-victim-whose-details-leaked-by-policeman
>>
>> "NSA SEXINT IS THE ABUSE YOU’VE ALL BEEN WAITING FOR"
>>
>> http://cyberlaw.stanford.edu/blog/2013/11/nsa-sexint-abuse-you’ve-all-been-waiting
>>
>>>
>>>> In practice, if they balls-up the change request given to the device manufacturer or
>>>> app/website developer, anything could happen.
>>>>
>>>
>>> Yep.  Aside from the direct ramifications, it's the indirect and
>>> unintended consequences that REALLY have the potential to be damaging.
>>>
>>>>
>>>> P.
>>>> ___
>>>> AusNOG mailing list
>>>> AusNOG@lists.ausnog.net
>>>> http://lists.ausnog.net/mailman/listinfo/ausnog



Re: [AusNOG] Assistance and Access Bill moves to PJCIS

2018-11-23 Thread Paul Wilkins
It's a very good question how, when anyone who knows what they're talking
about opposes the Bill as an effective and reasonable approach to fighting
terrorism and serious crime in the context of increasing use of encryption,
why is the Home Affairs Department foisting this ill considered and poorly
developed Bill on the Nation?

I think partly it's cultural cringe. The NSA surveil their citizens, and
when ministers attend 5 Eyes conferences, they want to be just as macho.
But of course, the NSA have a clue, and they're resourced. It's still
dazzling that the NSA could have been in breach of the 1st Amendment for as
long as they were. In Australia we don't have a Bill of Rights, because
government has always observed the Westminster convention that we'll
respect the traditions of democracy - until they choose not to.

It's not so important whether those pushing the Bill on us understand the
technical consequences. They're taking advice from people they trust.
Dutton comes from the Queensland Police, and Hastie, the PJCIS Chairman,
was a Dutton supporter in the rolling of Turnbull. It's the mandarins
within Home Affairs or the Police who are telling the government this is
within their capability. As far as I can see, the few submissions
supporting the Bill are from police organisations.

I think we're beyond Dutton or Hastie caring if the Bill is good for the
nation. They're effectively riding a tiger where they've accused anyone
opposing the Bill to be weak on terrorism. So instead of a sensible public
discussion of how to enable legal intercept for encrypted communications,
we're getting the Liberal Trumpists using the Bill as a blunt object to
wedge Labor on terrorism and that's all that matters.

Kind regards

Paul Wilkins


On Fri, 23 Nov 2018 at 17:21, Mark Smith  wrote:

>
>
> On Fri., 23 Nov. 2018, 16:46 Robert Hudson 
>>
>>
>> On Fri, 23 Nov 2018 at 14:47, Paul Brooks wrote:
>>
>>> On 23/11/2018 11:37 AM, Alex Samad wrote:
>>> > Wondering what the implications of this bill and the recent China was stealing our
>>> > traffic
>>> >
>>> > So in theory could china steal / sniff our traffic and because of these weakening of
>>> > encryption allow china to snoop on our stuff
>>> >
>>> > A
>>> In theory no - this bill doesn't weaken encryption, and explicitly doesn't allow any
>>> changes that would weaken encryption.
>>>
>>
>> They say that - but I don't believe them.  I don't think they even
>> understand what they're suggesting (or if they do understand, they're
>> relying on others not understanding, or not caring).
>>
>>>
>>> This bill seeks to bypass encryption entirely by giving the agencies easier access to
>>> get into devices and the back-end databases of apps and websites, to see what is
>>> stored in there - bypassing unlock codes, PINs, thumbprint readers etc. on devices for
>>> example. So for traffic being sniffed 'in the middle' the information is still
>>> sent/received as fully encrypted - and man-in-the-middle snooper won't see anything.
>>> But if the authorities get hold of your phone or PC, they'll have easier access to
>>> look into your sent/received message stores and read what's in there, which is stored
>>> in your device un-encrypted.
>>>
>>
>> The tools the authorities have access to will invariably fall into the
>> hands of others.
>>
>
>
> Or be abused by those who have official access to them.
>
>
> "Queensland in court fight with domestic violence victim whose details
> leaked by policeman"
>
> https://www.theguardian.com/australia-news/2018/aug/21/queensland-in-court-fight-with-domestic-violence-victim-whose-details-leaked-by-policeman
>
>
> "NSA SEXINT IS THE ABUSE YOU’VE ALL BEEN WAITING FOR"
>
> http://cyberlaw.stanford.edu/blog/2013/11/nsa-sexint-abuse-you’ve-all-been-waiting
>
>
>
>>
>>>
>>> In practice, if they balls-up the change request given to the device manufacturer or
>>> app/website developer, anything could happen.
>>>
>>
>> Yep.  Aside from the direct ramifications, it's the indirect and
>> unintended consequences that REALLY have the potential to be damaging.
>>
>>>
>>> P.


Re: [AusNOG] Equipment upgrade path

2018-11-23 Thread Ahad Aboss
Hi Paul,

Hope you are well.

Based on the information you’ve shared, below are some suggestions that do
not take high availability into account.

Given that you are running a small ISP, my suggestion is to continue using
the ASR1K for Telstra & AAPT ethernet services until you get close to
maxing out the backplane and separate the L2TP or IPOE sessions into a
separate PE. You can always upgrade the PE to ASR1004/1006/1013 as your
customer base grows.

The ASR1K enables you to shape Telstra / AAPT customer circuits at the
headend or per vlan sub-interfaces. It also comes with a lot of features
that a Nexus 9K in L3 setup cannot support/perform as well as the ASR1K.

I am assuming your aggregate traffic handled by ASR1001 for Telstra / AAPT
is less than 4-5Gbps though most ISPs oversubscribe these services 4:1 at
the aggregation point/headend.

Given the above, a key starting point is to separate your residential (DSL)
and corporate (ethernet / fibre) customers into at least 2 pairs of PE
routers – this is a good practice from the HA and operations point of view.

The Nexus 9K is a nice ToR & leaf switch but in a server-facing environment
where it’s often used as a L3 gateway. It supports QoS, BGP and even NAT
with limitations.

I’ll be more than happy to answer any specific questions in terms of the
design or implementation for these services as I’ve deployed it in
small-scale and large-scale ISP environments.

Have a great weekend.

Ahad

On Mon, Nov 19, 2018 at 10:47 AM paul hollanton wrote:

> Good morning list,
>
> I hope you all have had a good weekend.
>
> I’m returning to the ISP industry after a longer than expected stint in
> the corporate space and was hoping to get some pointers on some
> infrastructure upgrade options which I’m having to consider.
>
>
>
> I work for a small-ish ISP that offers some (but not a lot) DSL/NBN
> services and a bunch of TLS such as Telstra’s Ethernet Access and AAPT
> e-lan etc. with the odd mpls layer3 vpn too.
>
>
>
> We’ve been using Cisco ASR1001 routers for L2TP (DSL/NBN) termination as
> well as sub-interfaces for the TLS services with the headend trunks from
> the suppliers terminated on a switch that’s providing a layer2 only
> function.
>
>
>
> Rather than upgrading and continuing to terminate all TLS services on the
> ASR, I’m thinking of purchasing a layer 3 switch such as the Cisco Nexus
> 9236C or similar and terminating the TLS services on this as well as the
> supplier trunks – the 100Gb port functionality should allow us to have the
> device(s) in operation for some time before needing to upgrade.
>
>
>
> The documentation on the units states that they support mpls and BGP which
> is nice, but if anything too heavy is required for customers with special
> requirements, perhaps we’d leave that to the ASR – which will also
> continue to perform any L2TP and NAT requirements.  To be honest, none of
> the documentation on the Cisco layer 3 switches suggest they are suited to
> what I have in mind, which brings me to my main question...
>
>
> Is whether the introduction of a layer3 switch for this function is a good
> idea, or should we continue to use ASR’s for the job?  My other concern
> is will the Nexus be able (or is suitable) to do the traffic shaping that
> is required for the Telstra Ethernet Access services (which is important
> that it’s done exactly right) and other QoS functions such as voice
> prioritisation.
>
>
>
> If there’s a better design or more suitable equipment I should consider,
> please let me know.  I’d prefer to stay with Cisco as the vendor, primarily
> as the migration path will (should) be simpler and I have reasonably good
> experience with them over the years.
>
>
>
> Thanks,
>
> Paul